1 /* $Id: pfkey.c,v 1.31.2.10 2005/10/03 14:52:19 manubsd Exp $ */
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
43 #include <netinet/in.h>
44 #include <arpa/inet.h>
48 # include <linux/udp.h>
50 # if defined(__NetBSD__) || defined(__FreeBSD__)
51 # include <netinet/udp.h>
55 #include <sys/types.h>
56 #include <sys/param.h>
57 #include <sys/socket.h>
58 #include <sys/queue.h>
59 #include <sys/sysctl.h>
61 #include <net/route.h>
63 #include <System/net/pfkeyv2.h>
65 #include <net/pfkeyv2.h>
68 #include <netinet/in.h>
69 #ifndef HAVE_NETINET6_IPSEC
70 #include <netinet/ipsec.h>
72 #include <netinet6/ipsec.h>
85 #include "localconf.h"
86 #include "remoteconf.h"
87 #include "isakmp_var.h"
89 #include "isakmp_inf.h"
90 #include "ipsec_doi.h"
95 #include "algorithm.h"
100 #include "strnames.h"
101 #include "backupsa.h"
102 #include "gcmalloc.h"
103 #include "nattraversal.h"
104 #include "crypto_openssl.h"
105 #include "grabmyaddr.h"
106 #include "vpn_control.h"
107 #include "vpn_control_var.h"
109 #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
110 #define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
114 static u_int ipsecdoi2pfkey_aalg
__P((u_int
));
115 static u_int ipsecdoi2pfkey_ealg
__P((u_int
));
116 static u_int ipsecdoi2pfkey_calg
__P((u_int
));
117 static u_int ipsecdoi2pfkey_alg
__P((u_int
, u_int
));
118 static u_int keylen_aalg
__P((u_int
));
119 static u_int keylen_ealg
__P((u_int
, int));
121 static int pk_recvgetspi
__P((caddr_t
*));
122 static int pk_recvupdate
__P((caddr_t
*));
123 static int pk_recvadd
__P((caddr_t
*));
124 static int pk_recvdelete
__P((caddr_t
*));
125 static int pk_recvacquire
__P((caddr_t
*));
126 static int pk_recvexpire
__P((caddr_t
*));
127 static int pk_recvflush
__P((caddr_t
*));
128 static int getsadbpolicy
__P((caddr_t
*, int *, int, struct ph2handle
*));
129 static int pk_recvspdupdate
__P((caddr_t
*));
130 static int pk_recvspdadd
__P((caddr_t
*));
131 static int pk_recvspddelete
__P((caddr_t
*));
132 static int pk_recvspdexpire
__P((caddr_t
*));
133 static int pk_recvspdget
__P((caddr_t
*));
134 static int pk_recvspddump
__P((caddr_t
*));
135 static int pk_recvspdflush
__P((caddr_t
*));
136 static struct sadb_msg
*pk_recv
__P((int, int *));
138 static int (*pkrecvf
[]) __P((caddr_t
*)) = {
146 NULL
, /* SABD_REGISTER */
149 NULL
, /* SADB_DUMP */
150 NULL
, /* SADB_X_PROMISC */
151 NULL
, /* SADB_X_PCHANGE */
156 NULL
, /* SADB_X_SPDACQUIRE */
159 NULL
, /* SADB_X_SPDSETIDX */
161 NULL
, /* SADB_X_SPDDELETE2 */
162 NULL
, /* SADB_X_NAT_T_NEW_MAPPING */
163 NULL
, /* SADB_X_MIGRATE */
165 #error "SADB extra message?"
169 static int addnewsp
__P((caddr_t
*));
171 /* cope with old kame headers - ugly */
172 #ifndef SADB_X_AALG_MD5
173 #define SADB_X_AALG_MD5 SADB_AALG_MD5
175 #ifndef SADB_X_AALG_SHA
176 #define SADB_X_AALG_SHA SADB_AALG_SHA
178 #ifndef SADB_X_AALG_NULL
179 #define SADB_X_AALG_NULL SADB_AALG_NULL
182 #ifndef SADB_X_EALG_BLOWFISHCBC
183 #define SADB_X_EALG_BLOWFISHCBC SADB_EALG_BLOWFISHCBC
185 #ifndef SADB_X_EALG_CAST128CBC
186 #define SADB_X_EALG_CAST128CBC SADB_EALG_CAST128CBC
188 #ifndef SADB_X_EALG_RC5CBC
189 #ifdef SADB_EALG_RC5CBC
190 #define SADB_X_EALG_RC5CBC SADB_EALG_RC5CBC
195 * PF_KEY packet handler
202 struct sadb_msg
*msg
;
204 caddr_t mhp
[SADB_EXT_MAX
+ 1];
207 /* receive pfkey message. */
209 msg
= (struct sadb_msg
*)pk_recv(lcconf
->sock_pfkey
, &len
);
212 plog(LLV_ERROR
, LOCATION
, NULL
,
213 "failed to recv from pfkey (%s)\n",
217 /* short message - msg not ready */
222 plog(LLV_DEBUG
, LOCATION
, NULL
, "get pfkey %s message\n",
223 s_pfkey_type(msg
->sadb_msg_type
));
224 plogdump(LLV_DEBUG2
, msg
, msg
->sadb_msg_len
<< 3);
227 if (msg
->sadb_msg_errno
) {
230 /* when SPD is empty, treat the state as no error. */
231 if (msg
->sadb_msg_type
== SADB_X_SPDDUMP
&&
232 msg
->sadb_msg_errno
== ENOENT
)
237 plog(pri
, LOCATION
, NULL
,
238 "pfkey %s failed: %s\n",
239 s_pfkey_type(msg
->sadb_msg_type
),
240 strerror(msg
->sadb_msg_errno
));
245 /* check pfkey message. */
246 if (pfkey_align(msg
, mhp
)) {
247 plog(LLV_ERROR
, LOCATION
, NULL
,
248 "libipsec failed pfkey align (%s)\n",
252 if (pfkey_check(mhp
)) {
253 plog(LLV_ERROR
, LOCATION
, NULL
,
254 "libipsec failed pfkey check (%s)\n",
258 msg
= (struct sadb_msg
*)mhp
[0];
261 if (msg
->sadb_msg_type
>= ARRAYLEN(pkrecvf
)) {
262 plog(LLV_ERROR
, LOCATION
, NULL
,
263 "unknown PF_KEY message type=%u\n",
268 if (pkrecvf
[msg
->sadb_msg_type
] == NULL
) {
269 plog(LLV_INFO
, LOCATION
, NULL
,
270 "unsupported PF_KEY message %s\n",
271 s_pfkey_type(msg
->sadb_msg_type
));
275 if ((pkrecvf
[msg
->sadb_msg_type
])(mhp
) < 0)
289 pfkey_dump_sadb(satype
)
294 pid_t pid
= getpid();
295 struct sadb_msg
*msg
= NULL
;
299 if ((s
= privsep_pfkey_open()) < 0) {
300 plog(LLV_ERROR
, LOCATION
, NULL
,
301 "libipsec failed pfkey open: %s\n",
306 plog(LLV_DEBUG
, LOCATION
, NULL
, "call pfkey_send_dump\n");
307 if (pfkey_send_dump(s
, satype
) < 0) {
308 plog(LLV_ERROR
, LOCATION
, NULL
,
309 "libipsec failed dump: %s\n", ipsec_strerror());
316 msg
= pk_recv(s
, &len
);
324 if (msg
->sadb_msg_type
!= SADB_DUMP
|| msg
->sadb_msg_pid
!= pid
)
327 ml
= msg
->sadb_msg_len
<< 3;
328 bl
= buf
? buf
->l
: 0;
329 buf
= vrealloc(buf
, bl
+ ml
);
331 plog(LLV_ERROR
, LOCATION
, NULL
,
332 "failed to reallocate buffer to dump.\n");
335 memcpy(buf
->v
+ bl
, msg
, ml
);
337 if (msg
->sadb_msg_seq
== 0)
350 privsep_pfkey_close(s
);
354 #ifdef ENABLE_ADMINPORT
359 pfkey_flush_sadb(proto
)
364 /* convert to SADB_SATYPE */
365 if ((satype
= admin2pfkey_proto(proto
)) < 0)
368 plog(LLV_DEBUG
, LOCATION
, NULL
, "call pfkey_send_flush\n");
369 if (pfkey_send_flush(lcconf
->sock_pfkey
, satype
) < 0) {
370 plog(LLV_ERROR
, LOCATION
, NULL
,
371 "libipsec failed send flush (%s)\n", ipsec_strerror());
380 * These are the SATYPEs that we manage. We register to get
381 * PF_KEY messages related to these SATYPEs, and we also use
382 * this list to determine which SATYPEs to delete SAs for when
383 * we receive an INITIAL-CONTACT.
385 const struct pfkey_satype pfkey_satypes
[] = {
386 { SADB_SATYPE_AH
, "AH" },
387 { SADB_SATYPE_ESP
, "ESP" },
388 { SADB_X_SATYPE_IPCOMP
, "IPCOMP" },
390 const int pfkey_nsatypes
=
391 sizeof(pfkey_satypes
) / sizeof(pfkey_satypes
[0]);
394 * PF_KEY initialization
401 if ((lcconf
->sock_pfkey
= privsep_pfkey_open()) < 0) {
402 plog(LLV_ERROR
, LOCATION
, NULL
,
403 "libipsec failed pfkey open (%s)\n", ipsec_strerror());
407 for (i
= 0, reg_fail
= 0; i
< pfkey_nsatypes
; i
++) {
408 plog(LLV_DEBUG
, LOCATION
, NULL
,
409 "call pfkey_send_register for %s\n",
410 pfkey_satypes
[i
].ps_name
);
411 if (pfkey_send_register(lcconf
->sock_pfkey
,
412 pfkey_satypes
[i
].ps_satype
) < 0 ||
413 pfkey_recv_register(lcconf
->sock_pfkey
) < 0) {
414 plog(LLV_WARNING
, LOCATION
, NULL
,
415 "failed to register %s (%s)\n",
416 pfkey_satypes
[i
].ps_name
,
422 if (reg_fail
== pfkey_nsatypes
) {
423 plog(LLV_ERROR
, LOCATION
, NULL
,
424 "failed to regist any protocol.\n");
425 pfkey_close(lcconf
->sock_pfkey
);
431 if (pfkey_send_spddump(lcconf
->sock_pfkey
) < 0) {
432 plog(LLV_ERROR
, LOCATION
, NULL
,
433 "libipsec sending spddump failed: %s\n",
435 pfkey_close(lcconf
->sock_pfkey
);
439 if (pfkey_promisc_toggle(1) < 0) {
440 pfkey_close(lcconf
->sock_pfkey
);
447 /* %%% for conversion */
448 /* IPSECDOI_ATTR_AUTH -> SADB_AALG */
450 ipsecdoi2pfkey_aalg(hashtype
)
454 case IPSECDOI_ATTR_AUTH_HMAC_MD5
:
455 return SADB_AALG_MD5HMAC
;
456 case IPSECDOI_ATTR_AUTH_HMAC_SHA1
:
457 return SADB_AALG_SHA1HMAC
;
458 case IPSECDOI_ATTR_AUTH_HMAC_SHA2_256
:
459 #if (defined SADB_X_AALG_SHA2_256) && !defined(SADB_X_AALG_SHA2_256HMAC)
460 return SADB_X_AALG_SHA2_256
;
462 return SADB_X_AALG_SHA2_256HMAC
;
464 case IPSECDOI_ATTR_AUTH_HMAC_SHA2_384
:
465 #if (defined SADB_X_AALG_SHA2_384) && !defined(SADB_X_AALG_SHA2_384HMAC)
466 return SADB_X_AALG_SHA2_384
;
468 return SADB_X_AALG_SHA2_384HMAC
;
470 case IPSECDOI_ATTR_AUTH_HMAC_SHA2_512
:
471 #if (defined SADB_X_AALG_SHA2_512) && !defined(SADB_X_AALG_SHA2_512HMAC)
472 return SADB_X_AALG_SHA2_512
;
474 return SADB_X_AALG_SHA2_512HMAC
;
476 case IPSECDOI_ATTR_AUTH_KPDK
: /* need special care */
477 return SADB_AALG_NONE
;
480 case IPSECDOI_ATTR_AUTH_DES_MAC
:
481 plog(LLV_ERROR
, LOCATION
, NULL
,
482 "Not supported hash type: %u\n", hashtype
);
485 case 0: /* reserved */
487 return SADB_AALG_NONE
;
489 plog(LLV_ERROR
, LOCATION
, NULL
,
490 "Invalid hash type: %u\n", hashtype
);
496 /* IPSECDOI_ESP -> SADB_EALG */
498 ipsecdoi2pfkey_ealg(t_id
)
502 case IPSECDOI_ESP_DES_IV64
: /* sa_flags |= SADB_X_EXT_OLD */
503 return SADB_EALG_DESCBC
;
504 case IPSECDOI_ESP_DES
:
505 return SADB_EALG_DESCBC
;
506 case IPSECDOI_ESP_3DES
:
507 return SADB_EALG_3DESCBC
;
508 #ifdef SADB_X_EALG_RC5CBC
509 case IPSECDOI_ESP_RC5
:
510 return SADB_X_EALG_RC5CBC
;
512 case IPSECDOI_ESP_CAST
:
513 return SADB_X_EALG_CAST128CBC
;
514 case IPSECDOI_ESP_BLOWFISH
:
515 return SADB_X_EALG_BLOWFISHCBC
;
516 case IPSECDOI_ESP_DES_IV32
: /* flags |= (SADB_X_EXT_OLD|
518 return SADB_EALG_DESCBC
;
519 case IPSECDOI_ESP_NULL
:
520 return SADB_EALG_NULL
;
521 #ifdef SADB_X_EALG_AESCBC
522 case IPSECDOI_ESP_AES
:
523 return SADB_X_EALG_AESCBC
;
525 #ifdef SADB_X_EALG_TWOFISHCBC
526 case IPSECDOI_ESP_TWOFISH
:
527 return SADB_X_EALG_TWOFISHCBC
;
531 case IPSECDOI_ESP_3IDEA
:
532 case IPSECDOI_ESP_IDEA
:
533 case IPSECDOI_ESP_RC4
:
534 plog(LLV_ERROR
, LOCATION
, NULL
,
535 "Not supported transform: %u\n", t_id
);
538 case 0: /* reserved */
540 plog(LLV_ERROR
, LOCATION
, NULL
,
541 "Invalid transform id: %u\n", t_id
);
547 /* IPCOMP -> SADB_CALG */
549 ipsecdoi2pfkey_calg(t_id
)
553 case IPSECDOI_IPCOMP_OUI
:
554 return SADB_X_CALG_OUI
;
555 case IPSECDOI_IPCOMP_DEFLATE
:
556 return SADB_X_CALG_DEFLATE
;
557 case IPSECDOI_IPCOMP_LZS
:
558 return SADB_X_CALG_LZS
;
560 case 0: /* reserved */
562 plog(LLV_ERROR
, LOCATION
, NULL
,
563 "Invalid transform id: %u\n", t_id
);
569 /* IPSECDOI_PROTO -> SADB_SATYPE */
571 ipsecdoi2pfkey_proto(proto
)
575 case IPSECDOI_PROTO_IPSEC_AH
:
576 return SADB_SATYPE_AH
;
577 case IPSECDOI_PROTO_IPSEC_ESP
:
578 return SADB_SATYPE_ESP
;
579 case IPSECDOI_PROTO_IPCOMP
:
580 return SADB_X_SATYPE_IPCOMP
;
583 plog(LLV_ERROR
, LOCATION
, NULL
,
584 "Invalid ipsec_doi proto: %u\n", proto
);
591 ipsecdoi2pfkey_alg(algclass
, type
)
592 u_int algclass
, type
;
595 case IPSECDOI_ATTR_AUTH
:
596 return ipsecdoi2pfkey_aalg(type
);
597 case IPSECDOI_PROTO_IPSEC_ESP
:
598 return ipsecdoi2pfkey_ealg(type
);
599 case IPSECDOI_PROTO_IPCOMP
:
600 return ipsecdoi2pfkey_calg(type
);
602 plog(LLV_ERROR
, LOCATION
, NULL
,
603 "Invalid ipsec_doi algclass: %u\n", algclass
);
609 /* SADB_SATYPE -> IPSECDOI_PROTO */
611 pfkey2ipsecdoi_proto(satype
)
616 return IPSECDOI_PROTO_IPSEC_AH
;
617 case SADB_SATYPE_ESP
:
618 return IPSECDOI_PROTO_IPSEC_ESP
;
619 case SADB_X_SATYPE_IPCOMP
:
620 return IPSECDOI_PROTO_IPCOMP
;
623 plog(LLV_ERROR
, LOCATION
, NULL
,
624 "Invalid pfkey proto: %u\n", satype
);
630 /* IPSECDOI_ATTR_ENC_MODE -> IPSEC_MODE */
632 ipsecdoi2pfkey_mode(mode
)
636 case IPSECDOI_ATTR_ENC_MODE_TUNNEL
:
638 case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC
:
639 case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT
:
641 return IPSEC_MODE_TUNNEL
;
642 case IPSECDOI_ATTR_ENC_MODE_TRNS
:
644 case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC
:
645 case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT
:
647 return IPSEC_MODE_TRANSPORT
;
649 plog(LLV_ERROR
, LOCATION
, NULL
, "Invalid mode type: %u\n", mode
);
655 /* IPSECDOI_ATTR_ENC_MODE -> IPSEC_MODE */
657 pfkey2ipsecdoi_mode(mode
)
661 case IPSEC_MODE_TUNNEL
:
662 return IPSECDOI_ATTR_ENC_MODE_TUNNEL
;
663 case IPSEC_MODE_TRANSPORT
:
664 return IPSECDOI_ATTR_ENC_MODE_TRNS
;
666 return IPSECDOI_ATTR_ENC_MODE_ANY
;
668 plog(LLV_ERROR
, LOCATION
, NULL
, "Invalid mode type: %u\n", mode
);
674 /* default key length for encryption algorithm */
676 keylen_aalg(hashtype
)
682 return SADB_AALG_NONE
;
684 res
= alg_ipsec_hmacdef_hashlen(hashtype
);
686 plog(LLV_ERROR
, LOCATION
, NULL
,
687 "invalid hmac algorithm %u.\n", hashtype
);
693 /* default key length for encryption algorithm */
695 keylen_ealg(enctype
, encklen
)
701 res
= alg_ipsec_encdef_keylen(enctype
, encklen
);
703 plog(LLV_ERROR
, LOCATION
, NULL
,
704 "invalid encryption algorithm %u.\n", enctype
);
711 pfkey_convertfromipsecdoi(proto_id
, t_id
, hashtype
,
712 e_type
, e_keylen
, a_type
, a_keylen
, flags
)
724 case IPSECDOI_PROTO_IPSEC_ESP
:
725 if ((*e_type
= ipsecdoi2pfkey_ealg(t_id
)) == ~0)
727 if ((*e_keylen
= keylen_ealg(t_id
, *e_keylen
)) == ~0)
731 if ((*a_type
= ipsecdoi2pfkey_aalg(hashtype
)) == ~0)
733 if ((*a_keylen
= keylen_aalg(hashtype
)) == ~0)
737 if (*e_type
== SADB_EALG_NONE
) {
738 plog(LLV_ERROR
, LOCATION
, NULL
, "no ESP algorithm.\n");
743 case IPSECDOI_PROTO_IPSEC_AH
:
744 if ((*a_type
= ipsecdoi2pfkey_aalg(hashtype
)) == ~0)
746 if ((*a_keylen
= keylen_aalg(hashtype
)) == ~0)
750 if (t_id
== IPSECDOI_ATTR_AUTH_HMAC_MD5
751 && hashtype
== IPSECDOI_ATTR_AUTH_KPDK
) {
752 /* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */
753 *a_type
= SADB_X_AALG_MD5
;
754 *flags
|= SADB_X_EXT_OLD
;
756 *e_type
= SADB_EALG_NONE
;
758 if (*a_type
== SADB_AALG_NONE
) {
759 plog(LLV_ERROR
, LOCATION
, NULL
, "no AH algorithm.\n");
764 case IPSECDOI_PROTO_IPCOMP
:
765 if ((*e_type
= ipsecdoi2pfkey_calg(t_id
)) == ~0)
769 *flags
= SADB_X_EXT_RAWCPI
;
771 *a_type
= SADB_AALG_NONE
;
773 if (*e_type
== SADB_X_CALG_NONE
) {
774 plog(LLV_ERROR
, LOCATION
, NULL
, "no IPCOMP algorithm.\n");
780 plog(LLV_ERROR
, LOCATION
, NULL
, "unknown IPsec protocol.\n");
791 /* called from scheduler */
793 pfkey_timeover_stub(p
)
797 pfkey_timeover((struct ph2handle
*)p
);
802 struct ph2handle
*iph2
;
804 plog(LLV_ERROR
, LOCATION
, NULL
,
805 "%s give up to get IPsec-SA due to time up to wait.\n",
806 saddrwop2str(iph2
->dst
));
807 SCHED_KILL(iph2
->sce
);
809 /* If initiator side, send error to kernel by SADB_ACQUIRE. */
810 if (iph2
->side
== INITIATOR
)
811 pk_sendeacquire(iph2
);
821 /* send getspi message per ipsec protocol per remote address */
823 * the local address and remote address in ph1handle are dealed
824 * with destination address and source address respectively.
825 * Because SPI is decided by responder.
829 struct ph2handle
*iph2
;
831 struct sockaddr
*src
= NULL
, *dst
= NULL
;
835 u_int32_t minspi
, maxspi
;
838 if (iph2
->side
== INITIATOR
) {
840 proxy
= iph2
->ph1
->rmconf
->support_proxy
;
843 if (iph2
->sainfo
&& iph2
->sainfo
->id_i
)
847 /* for mobile IPv6 */
848 if (proxy
&& iph2
->src_id
&& iph2
->dst_id
&&
849 ipsecdoi_transportmode(pp
)) {
857 for (pr
= pp
->head
; pr
!= NULL
; pr
= pr
->next
) {
860 satype
= ipsecdoi2pfkey_proto(pr
->proto_id
);
862 plog(LLV_ERROR
, LOCATION
, NULL
,
863 "invalid proto_id %d\n", pr
->proto_id
);
866 /* this works around a bug in Linux kernel where it allocates 4 byte
868 else if (satype
== SADB_X_SATYPE_IPCOMP
) {
876 mode
= ipsecdoi2pfkey_mode(pr
->encmode
);
878 plog(LLV_ERROR
, LOCATION
, NULL
,
879 "invalid encmode %d\n", pr
->encmode
);
883 plog(LLV_DEBUG
, LOCATION
, NULL
, "call pfkey_send_getspi\n");
884 if (pfkey_send_getspi(
891 pr
->reqid_in
, iph2
->seq
) < 0) {
892 plog(LLV_ERROR
, LOCATION
, NULL
,
893 "ipseclib failed send getspi (%s)\n",
897 plog(LLV_DEBUG
, LOCATION
, NULL
,
898 "pfkey GETSPI sent: %s\n",
899 sadbsecas2str(dst
, src
, satype
, 0, mode
));
906 * receive GETSPI from kernel.
912 struct sadb_msg
*msg
;
914 struct ph2handle
*iph2
;
915 struct sockaddr
*dst
;
917 int allspiok
, notfound
;
922 if (mhp
[SADB_EXT_SA
] == NULL
923 || mhp
[SADB_EXT_ADDRESS_DST
] == NULL
) {
924 plog(LLV_ERROR
, LOCATION
, NULL
,
925 "inappropriate sadb getspi message passed.\n");
928 msg
= (struct sadb_msg
*)mhp
[0];
929 sa
= (struct sadb_sa
*)mhp
[SADB_EXT_SA
];
930 dst
= PFKEY_ADDR_SADDR(mhp
[SADB_EXT_ADDRESS_SRC
]); /* note SA dir */
932 /* the message has to be processed or not ? */
933 if (msg
->sadb_msg_pid
!= getpid()) {
934 plog(LLV_DEBUG
, LOCATION
, NULL
,
935 "%s message is not interesting "
936 "because pid %d is not mine.\n",
937 s_pfkey_type(msg
->sadb_msg_type
),
942 iph2
= getph2byseq(msg
->sadb_msg_seq
);
944 plog(LLV_DEBUG
, LOCATION
, NULL
,
945 "seq %d of %s message not interesting.\n",
947 s_pfkey_type(msg
->sadb_msg_type
));
951 if (iph2
->status
!= PHASE2ST_GETSPISENT
) {
952 plog(LLV_ERROR
, LOCATION
, NULL
,
953 "status mismatch (db:%d msg:%d)\n",
954 iph2
->status
, PHASE2ST_GETSPISENT
);
958 /* set SPI, and check to get all spi whether or not */
961 proto_id
= pfkey2ipsecdoi_proto(msg
->sadb_msg_satype
);
962 pp
= iph2
->side
== INITIATOR
? iph2
->proposal
: iph2
->approval
;
964 for (pr
= pp
->head
; pr
!= NULL
; pr
= pr
->next
) {
965 if (pr
->proto_id
== proto_id
&& pr
->spi
== 0) {
966 pr
->spi
= sa
->sadb_sa_spi
;
968 plog(LLV_DEBUG
, LOCATION
, NULL
,
969 "pfkey GETSPI succeeded: %s\n",
970 sadbsecas2str(iph2
->dst
, iph2
->src
,
971 msg
->sadb_msg_satype
,
973 ipsecdoi2pfkey_mode(pr
->encmode
)));
976 allspiok
= 0; /* not get all spi */
980 plog(LLV_ERROR
, LOCATION
, NULL
,
981 "get spi for unknown address %s\n",
982 saddrwop2str(iph2
->dst
));
988 iph2
->status
= PHASE2ST_GETSPIDONE
;
989 if (isakmp_post_getspi(iph2
) < 0) {
990 plog(LLV_ERROR
, LOCATION
, NULL
,
991 "failed to start post getspi.\n");
1008 struct ph2handle
*iph2
;
1011 struct sockaddr
*src
= NULL
, *dst
= NULL
;
1012 u_int e_type
, e_keylen
, a_type
, a_keylen
, flags
;
1014 u_int64_t lifebyte
= 0;
1015 u_int wsize
= 4; /* XXX static size of window */
1017 struct ph2natt natt
;
1020 if (iph2
->approval
== NULL
) {
1021 plog(LLV_ERROR
, LOCATION
, NULL
,
1022 "no approvaled SAs found.\n");
1025 if (iph2
->side
== INITIATOR
)
1026 proxy
= iph2
->ph1
->rmconf
->support_proxy
;
1027 else if (iph2
->sainfo
&& iph2
->sainfo
->id_i
)
1030 /* for mobile IPv6 */
1031 if (proxy
&& iph2
->src_id
&& iph2
->dst_id
&&
1032 ipsecdoi_transportmode(iph2
->approval
)) {
1040 for (pr
= iph2
->approval
->head
; pr
!= NULL
; pr
= pr
->next
) {
1041 /* validity check */
1042 satype
= ipsecdoi2pfkey_proto(pr
->proto_id
);
1044 plog(LLV_ERROR
, LOCATION
, NULL
,
1045 "invalid proto_id %d\n", pr
->proto_id
);
1048 else if (satype
== SADB_X_SATYPE_IPCOMP
) {
1049 /* IPCOMP has no replay window */
1052 #ifdef ENABLE_SAMODE_UNSPECIFIED
1053 mode
= IPSEC_MODE_ANY
;
1055 mode
= ipsecdoi2pfkey_mode(pr
->encmode
);
1057 plog(LLV_ERROR
, LOCATION
, NULL
,
1058 "invalid encmode %d\n", pr
->encmode
);
1063 /* set algorithm type and key length */
1064 e_keylen
= pr
->head
->encklen
;
1065 if (pfkey_convertfromipsecdoi(
1070 &a_type
, &a_keylen
, &flags
) < 0)
1074 lifebyte
= iph2
->approval
->lifebyte
* 1024,
1081 plog(LLV_DEBUG
, LOCATION
, NULL
, "call pfkey_send_update\n");
1082 if (pr
->udp_encap
) {
1083 memset (&natt
, 0, sizeof (natt
));
1084 natt
.sport
= extract_port (iph2
->ph1
->remote
);
1085 flags
|= SADB_X_EXT_NATT
;
1086 if (iph2
->ph1
->natt_flags
& NAT_DETECTED_ME
)
1087 flags
|= SADB_X_EXT_NATT_KEEPALIVE
;
1088 else if (iph2
->ph1
->rmconf
->natt_multiple_user
== TRUE
&&
1089 mode
== IPSEC_MODE_TRANSPORT
&&
1090 src
->sa_family
== AF_INET
)
1091 flags
|= SADB_X_EXT_NATT_MULTIPLEUSERS
;
1093 memset (&natt
, 0, sizeof (natt
));
1096 if (pfkey_send_update(
1106 e_type
, e_keylen
, a_type
, a_keylen
, flags
,
1107 0, lifebyte
, iph2
->approval
->lifetime
, 0,
1108 iph2
->seq
, natt
.sport
) < 0) {
1109 plog(LLV_ERROR
, LOCATION
, NULL
,
1110 "libipsec failed send update (%s)\n",
1115 plog(LLV_DEBUG
, LOCATION
, NULL
, "call pfkey_send_update\n");
1116 if (pfkey_send_update(
1126 e_type
, e_keylen
, a_type
, a_keylen
, flags
,
1127 0, lifebyte
, iph2
->approval
->lifetime
, 0,
1128 iph2
->seq
, 0) < 0) {
1129 plog(LLV_ERROR
, LOCATION
, NULL
,
1130 "libipsec failed send update (%s)\n",
1134 #endif /* ENABLE_NATT */
1137 plog(LLV_DEBUG
, LOCATION
, NULL
, "call pfkey_send_update_nat\n");
1138 if (pr
->udp_encap
) {
1139 memset (&natt
, 0, sizeof (natt
));
1140 natt
.type
= iph2
->ph1
->natt_options
->encaps_type
;
1141 natt
.sport
= extract_port (iph2
->ph1
->remote
);
1142 natt
.dport
= extract_port (iph2
->ph1
->local
);
1143 natt
.oa
= NULL
; // FIXME: Here comes OA!!!
1144 natt
.frag
= iph2
->ph1
->rmconf
->esp_frag
;
1146 memset (&natt
, 0, sizeof (natt
));
1149 if (pfkey_send_update_nat(
1159 e_type
, e_keylen
, a_type
, a_keylen
, flags
,
1160 0, lifebyte
, iph2
->approval
->lifetime
, 0,
1162 natt
.type
, natt
.sport
, natt
.dport
, natt
.oa
,
1164 plog(LLV_ERROR
, LOCATION
, NULL
,
1165 "libipsec failed send update_nat (%s)\n",
1170 plog(LLV_DEBUG
, LOCATION
, NULL
, "call pfkey_send_update\n");
1171 if (pfkey_send_update(
1181 e_type
, e_keylen
, a_type
, a_keylen
, flags
,
1182 0, lifebyte
, iph2
->approval
->lifetime
, 0,
1184 plog(LLV_ERROR
, LOCATION
, NULL
,
1185 "libipsec failed send update (%s)\n",
1189 #endif /* ENABLE_NATT */
1190 #endif /* __APPLE__ */
1192 if (!lcconf
->pathinfo
[LC_PATHTYPE_BACKUPSA
])
1196 * It maybe good idea to call backupsa_to_file() after
1197 * racoon will receive the sadb_update messages.
1198 * But it is impossible because there is not key in the
1199 * information from the kernel.
1201 if (backupsa_to_file(satype
, mode
, dst
, src
,
1202 pr
->spi
, pr
->reqid_in
, 4,
1204 e_type
, e_keylen
, a_type
, a_keylen
, flags
,
1205 0, iph2
->approval
->lifebyte
* 1024,
1206 iph2
->approval
->lifetime
, 0,
1208 plog(LLV_ERROR
, LOCATION
, NULL
,
1209 "backuped SA failed: %s\n",
1210 sadbsecas2str(dst
, src
,
1211 satype
, pr
->spi
, mode
));
1213 plog(LLV_DEBUG
, LOCATION
, NULL
,
1214 "backuped SA: %s\n",
1215 sadbsecas2str(dst
, src
,
1216 satype
, pr
->spi
, mode
));
1226 struct sadb_msg
*msg
;
1228 struct sockaddr
*src
, *dst
;
1229 struct ph2handle
*iph2
;
1230 u_int proto_id
, encmode
, sa_mode
;
1234 /* ignore this message because of local test mode. */
1240 || mhp
[SADB_EXT_SA
] == NULL
1241 || mhp
[SADB_EXT_ADDRESS_SRC
] == NULL
1242 || mhp
[SADB_EXT_ADDRESS_DST
] == NULL
) {
1243 plog(LLV_ERROR
, LOCATION
, NULL
,
1244 "inappropriate sadb update message passed.\n");
1247 msg
= (struct sadb_msg
*)mhp
[0];
1248 src
= PFKEY_ADDR_SADDR(mhp
[SADB_EXT_ADDRESS_SRC
]);
1249 dst
= PFKEY_ADDR_SADDR(mhp
[SADB_EXT_ADDRESS_DST
]);
1250 sa
= (struct sadb_sa
*)mhp
[SADB_EXT_SA
];
1252 sa_mode
= mhp
[SADB_X_EXT_SA2
] == NULL
1254 : ((struct sadb_x_sa2
*)mhp
[SADB_X_EXT_SA2
])->sadb_x_sa2_mode
;
1256 /* the message has to be processed or not ? */
1257 if (msg
->sadb_msg_pid
!= getpid()) {
1258 plog(LLV_DEBUG
, LOCATION
, NULL
,
1259 "%s message is not interesting "
1260 "because pid %d is not mine.\n",
1261 s_pfkey_type(msg
->sadb_msg_type
),
1266 iph2
= getph2byseq(msg
->sadb_msg_seq
);
1268 plog(LLV_DEBUG
, LOCATION
, NULL
,
1269 "seq %d of %s message not interesting.\n",
1271 s_pfkey_type(msg
->sadb_msg_type
));
1275 if (iph2
->status
!= PHASE2ST_ADDSA
) {
1276 plog(LLV_ERROR
, LOCATION
, NULL
,
1277 "status mismatch (db:%d msg:%d)\n",
1278 iph2
->status
, PHASE2ST_ADDSA
);
1282 /* check to complete all keys ? */
1283 for (pr
= iph2
->approval
->head
; pr
!= NULL
; pr
= pr
->next
) {
1284 proto_id
= pfkey2ipsecdoi_proto(msg
->sadb_msg_satype
);
1285 if (proto_id
== ~0) {
1286 plog(LLV_ERROR
, LOCATION
, NULL
,
1287 "invalid proto_id %d\n", msg
->sadb_msg_satype
);
1290 encmode
= pfkey2ipsecdoi_mode(sa_mode
);
1291 if (encmode
== ~0) {
1292 plog(LLV_ERROR
, LOCATION
, NULL
,
1293 "invalid encmode %d\n", sa_mode
);
1297 if (pr
->proto_id
== proto_id
1298 && pr
->spi
== sa
->sadb_sa_spi
) {
1300 plog(LLV_DEBUG
, LOCATION
, NULL
,
1301 "pfkey UPDATE succeeded: %s\n",
1302 sadbsecas2str(iph2
->dst
, iph2
->src
,
1303 msg
->sadb_msg_satype
,
1307 plog(LLV_INFO
, LOCATION
, NULL
,
1308 "IPsec-SA established: %s\n",
1309 sadbsecas2str(iph2
->dst
, iph2
->src
,
1310 msg
->sadb_msg_satype
, sa
->sadb_sa_spi
,
1321 /* turn off the timer for calling pfkey_timeover() */
1322 SCHED_KILL(iph2
->sce
);
1325 iph2
->status
= PHASE2ST_ESTABLISHED
;
1328 gettimeofday(&iph2
->end
, NULL
);
1329 syslog(LOG_NOTICE
, "%s(%s): %8.6f",
1330 "phase2", "quick", timedelta(&iph2
->start
, &iph2
->end
));
1334 iph2
->ph1
->ph2cnt
++;
1336 /* turn off schedule */
1338 SCHED_KILL(iph2
->scr
);
1341 * since we are going to reuse the phase2 handler, we need to
1342 * remain it and refresh all the references between ph1 and ph2 to use.
1346 iph2
->sce
= sched_new(iph2
->approval
->lifetime
,
1347 isakmp_ph2expire_stub
, iph2
);
1349 plog(LLV_DEBUG
, LOCATION
, NULL
, "===\n");
1358 struct ph2handle
*iph2
;
1361 struct sockaddr
*src
= NULL
, *dst
= NULL
;
1362 u_int e_type
, e_keylen
, a_type
, a_keylen
, flags
;
1364 u_int64_t lifebyte
= 0;
1365 u_int wsize
= 4; /* XXX static size of window */
1367 struct ph2natt natt
;
1370 if (iph2
->approval
== NULL
) {
1371 plog(LLV_ERROR
, LOCATION
, NULL
,
1372 "no approvaled SAs found.\n");
1375 if (iph2
->side
== INITIATOR
)
1376 proxy
= iph2
->ph1
->rmconf
->support_proxy
;
1377 else if (iph2
->sainfo
&& iph2
->sainfo
->id_i
)
1380 /* for mobile IPv6 */
1381 if (proxy
&& iph2
->src_id
&& iph2
->dst_id
&&
1382 ipsecdoi_transportmode(iph2
->approval
)) {
1390 for (pr
= iph2
->approval
->head
; pr
!= NULL
; pr
= pr
->next
) {
1391 /* validity check */
1392 satype
= ipsecdoi2pfkey_proto(pr
->proto_id
);
1394 plog(LLV_ERROR
, LOCATION
, NULL
,
1395 "invalid proto_id %d\n", pr
->proto_id
);
1398 else if (satype
== SADB_X_SATYPE_IPCOMP
) {
1399 /* no replay window for IPCOMP */
1402 #ifdef ENABLE_SAMODE_UNSPECIFIED
1403 mode
= IPSEC_MODE_ANY
;
1405 mode
= ipsecdoi2pfkey_mode(pr
->encmode
);
1407 plog(LLV_ERROR
, LOCATION
, NULL
,
1408 "invalid encmode %d\n", pr
->encmode
);
1413 /* set algorithm type and key length */
1414 e_keylen
= pr
->head
->encklen
;
1415 if (pfkey_convertfromipsecdoi(
1420 &a_type
, &a_keylen
, &flags
) < 0)
1424 lifebyte
= iph2
->approval
->lifebyte
* 1024,
1431 plog(LLV_DEBUG
, LOCATION
, NULL
, "call pfkey_send_add\n");
1433 if (pr
->udp_encap
) {
1434 memset (&natt
, 0, sizeof (natt
));
1435 natt
.dport
= extract_port (iph2
->ph1
->remote
);
1436 flags
|= SADB_X_EXT_NATT
;
1437 if (iph2
->ph1
->natt_flags
& NAT_DETECTED_ME
)
1438 flags
|= SADB_X_EXT_NATT_KEEPALIVE
;
1439 else if (iph2
->ph1
->rmconf
->natt_multiple_user
== TRUE
&&
1440 mode
== IPSEC_MODE_TRANSPORT
&&
1441 dst
->sa_family
== AF_INET
)
1442 flags
|= SADB_X_EXT_NATT_MULTIPLEUSERS
;
1444 memset (&natt
, 0, sizeof (natt
));
1446 /* Remove port information, that SA doesn't use it */
1461 e_type
, e_keylen
, a_type
, a_keylen
, flags
,
1462 0, lifebyte
, iph2
->approval
->lifetime
, 0,
1463 iph2
->seq
,natt
.dport
) < 0) {
1464 plog(LLV_ERROR
, LOCATION
, NULL
,
1465 "libipsec failed send add (%s)\n",
1470 plog(LLV_DEBUG
, LOCATION
, NULL
, "call pfkey_send_add\n");
1472 /* Remove port information, it is not used without NAT-T */
1486 e_type
, e_keylen
, a_type
, a_keylen
, flags
,
1487 0, lifebyte
, iph2
->approval
->lifetime
, 0,
1488 iph2
->seq
, 0) < 0) {
1489 plog(LLV_ERROR
, LOCATION
, NULL
,
1490 "libipsec failed send add (%s)\n",
1494 #endif /* ENABLE_NATT */
1495 #else /* __APPLE__ */
1497 plog(LLV_DEBUG
, LOCATION
, NULL
, "call pfkey_send_add_nat\n");
1499 if (pr
->udp_encap
) {
1500 memset (&natt
, 0, sizeof (natt
));
1501 natt
.type
= UDP_ENCAP_ESPINUDP
;
1502 natt
.sport
= extract_port (iph2
->ph1
->local
);
1503 natt
.dport
= extract_port (iph2
->ph1
->remote
);
1504 natt
.oa
= NULL
; // FIXME: Here comes OA!!!
1505 natt
.frag
= iph2
->ph1
->rmconf
->esp_frag
;
1507 memset (&natt
, 0, sizeof (natt
));
1509 /* Remove port information, that SA doesn't use it */
1514 if (pfkey_send_add_nat(
1524 e_type
, e_keylen
, a_type
, a_keylen
, flags
,
1525 0, lifebyte
, iph2
->approval
->lifetime
, 0,
1527 natt
.type
, natt
.sport
, natt
.dport
, natt
.oa
,
1529 plog(LLV_ERROR
, LOCATION
, NULL
,
1530 "libipsec failed send add_nat (%s)\n",
1535 plog(LLV_DEBUG
, LOCATION
, NULL
, "call pfkey_send_add\n");
1537 /* Remove port information, it is not used without NAT-T */
1551 e_type
, e_keylen
, a_type
, a_keylen
, flags
,
1552 0, lifebyte
, iph2
->approval
->lifetime
, 0,
1554 plog(LLV_ERROR
, LOCATION
, NULL
,
1555 "libipsec failed send add (%s)\n",
1559 #endif /* ENABLE_NATT */
1560 #endif /* __APPLE__ */
1562 if (!lcconf
->pathinfo
[LC_PATHTYPE_BACKUPSA
])
1566 * It maybe good idea to call backupsa_to_file() after
1567 * racoon will receive the sadb_update messages.
1568 * But it is impossible because there is not key in the
1569 * information from the kernel.
1571 if (backupsa_to_file(satype
, mode
, src
, dst
,
1572 pr
->spi_p
, pr
->reqid_out
, 4,
1574 e_type
, e_keylen
, a_type
, a_keylen
, flags
,
1575 0, iph2
->approval
->lifebyte
* 1024,
1576 iph2
->approval
->lifetime
, 0,
1578 plog(LLV_ERROR
, LOCATION
, NULL
,
1579 "backuped SA failed: %s\n",
1580 sadbsecas2str(src
, dst
,
1581 satype
, pr
->spi_p
, mode
));
1583 plog(LLV_DEBUG
, LOCATION
, NULL
,
1584 "backuped SA: %s\n",
1585 sadbsecas2str(src
, dst
,
1586 satype
, pr
->spi_p
, mode
));
1596 struct sadb_msg
*msg
;
1598 struct sockaddr
*src
, *dst
;
1599 struct ph2handle
*iph2
;
1602 /* ignore this message because of local test mode. */
1608 || mhp
[SADB_EXT_SA
] == NULL
1609 || mhp
[SADB_EXT_ADDRESS_SRC
] == NULL
1610 || mhp
[SADB_EXT_ADDRESS_DST
] == NULL
) {
1611 plog(LLV_ERROR
, LOCATION
, NULL
,
1612 "inappropriate sadb add message passed.\n");
1615 msg
= (struct sadb_msg
*)mhp
[0];
1616 src
= PFKEY_ADDR_SADDR(mhp
[SADB_EXT_ADDRESS_SRC
]);
1617 dst
= PFKEY_ADDR_SADDR(mhp
[SADB_EXT_ADDRESS_DST
]);
1618 sa
= (struct sadb_sa
*)mhp
[SADB_EXT_SA
];
1620 sa_mode
= mhp
[SADB_X_EXT_SA2
] == NULL
1622 : ((struct sadb_x_sa2
*)mhp
[SADB_X_EXT_SA2
])->sadb_x_sa2_mode
;
1624 /* the message has to be processed or not ? */
1625 if (msg
->sadb_msg_pid
!= getpid()) {
1626 plog(LLV_DEBUG
, LOCATION
, NULL
,
1627 "%s message is not interesting "
1628 "because pid %d is not mine.\n",
1629 s_pfkey_type(msg
->sadb_msg_type
),
1634 iph2
= getph2byseq(msg
->sadb_msg_seq
);
1636 plog(LLV_DEBUG
, LOCATION
, NULL
,
1637 "seq %d of %s message not interesting.\n",
1639 s_pfkey_type(msg
->sadb_msg_type
));
1644 * NOTE don't update any status of phase2 handle
1645 * because they must be updated by SADB_UPDATE message
1648 plog(LLV_INFO
, LOCATION
, NULL
,
1649 "IPsec-SA established: %s\n",
1650 sadbsecas2str(iph2
->src
, iph2
->dst
,
1651 msg
->sadb_msg_satype
, sa
->sadb_sa_spi
, sa_mode
));
1653 #ifdef ENABLE_VPNCONTROL_PORT
1657 if (iph2
->dst
->sa_family
== AF_INET
)
1658 address
= ((struct sockaddr_in
*)iph2
->dst
)->sin_addr
.s_addr
;
1661 vpncontrol_notify_phase_change(0, FROM_LOCAL
, NULL
, iph2
);
1665 plog(LLV_DEBUG
, LOCATION
, NULL
, "===\n");
1673 struct sadb_msg
*msg
;
1675 struct sockaddr
*src
, *dst
;
1676 struct ph2handle
*iph2
;
1677 u_int proto_id
, sa_mode
;
1681 || mhp
[SADB_EXT_SA
] == NULL
1682 || mhp
[SADB_EXT_ADDRESS_SRC
] == NULL
1683 || mhp
[SADB_EXT_ADDRESS_DST
] == NULL
1684 || (mhp
[SADB_EXT_LIFETIME_HARD
] != NULL
1685 && mhp
[SADB_EXT_LIFETIME_SOFT
] != NULL
)) {
1686 plog(LLV_ERROR
, LOCATION
, NULL
,
1687 "inappropriate sadb expire message passed.\n");
1690 msg
= (struct sadb_msg
*)mhp
[0];
1691 sa
= (struct sadb_sa
*)mhp
[SADB_EXT_SA
];
1692 src
= PFKEY_ADDR_SADDR(mhp
[SADB_EXT_ADDRESS_SRC
]);
1693 dst
= PFKEY_ADDR_SADDR(mhp
[SADB_EXT_ADDRESS_DST
]);
1695 sa_mode
= mhp
[SADB_X_EXT_SA2
] == NULL
1697 : ((struct sadb_x_sa2
*)mhp
[SADB_X_EXT_SA2
])->sadb_x_sa2_mode
;
1699 proto_id
= pfkey2ipsecdoi_proto(msg
->sadb_msg_satype
);
1700 if (proto_id
== ~0) {
1701 plog(LLV_ERROR
, LOCATION
, NULL
,
1702 "invalid proto_id %d\n", msg
->sadb_msg_satype
);
1706 plog(LLV_INFO
, LOCATION
, NULL
,
1707 "IPsec-SA expired: %s\n",
1708 sadbsecas2str(src
, dst
,
1709 msg
->sadb_msg_satype
, sa
->sadb_sa_spi
, sa_mode
));
1711 iph2
= getph2bysaidx(src
, dst
, proto_id
, sa
->sadb_sa_spi
);
1714 * Ignore it because two expire messages are come up.
1715 * phase2 handler has been deleted already when 2nd message
1718 plog(LLV_DEBUG
, LOCATION
, NULL
,
1719 "no such a SA found: %s\n",
1720 sadbsecas2str(src
, dst
,
1721 msg
->sadb_msg_satype
, sa
->sadb_sa_spi
,
1725 if (iph2
->status
!= PHASE2ST_ESTABLISHED
) {
1727 * If the status is not equal to PHASE2ST_ESTABLISHED,
1728 * racoon ignores this expire message. There are two reason.
1729 * One is that the phase 2 probably starts because there is
1730 * a potential that racoon receives the acquire message
1731 * without receiving a expire message. Another is that racoon
1732 * may receive the multiple expire messages from the kernel.
1734 plog(LLV_WARNING
, LOCATION
, NULL
,
1735 "the expire message is received "
1736 "but the handler has not been established.\n");
1740 /* turn off the timer for calling isakmp_ph2expire() */
1741 SCHED_KILL(iph2
->sce
);
1743 iph2
->status
= PHASE2ST_EXPIRED
;
1745 /* INITIATOR, begin phase 2 exchange. */
1746 /* allocate buffer for status management of pfkey message */
1747 if (iph2
->side
== INITIATOR
) {
1751 /* update status for re-use */
1752 iph2
->status
= PHASE2ST_STATUS2
;
1754 /* start isakmp initiation by using ident exchange */
1755 if (isakmp_post_acquire(iph2
) < 0) {
1756 plog(LLV_ERROR
, LOCATION
, iph2
->dst
,
1757 "failed to begin ipsec sa "
1758 "re-negotication.\n");
1769 /* If not received SADB_EXPIRE, INITIATOR delete ph2handle. */
1770 /* RESPONDER always delete ph2handle, keep silent. RESPONDER doesn't
1771 * manage IPsec SA, so delete the list */
1783 struct sadb_msg
*msg
;
1784 struct sadb_x_policy
*xpl
;
1785 struct secpolicy
*sp_out
= NULL
, *sp_in
= NULL
;
1786 #define MAXNESTEDSA 5 /* XXX */
1787 struct ph2handle
*iph2
[MAXNESTEDSA
];
1788 struct sockaddr
*src
, *dst
;
1789 int n
; /* # of phase 2 handler */
1791 /* ignore this message because of local test mode. */
1797 || mhp
[SADB_EXT_ADDRESS_SRC
] == NULL
1798 || mhp
[SADB_EXT_ADDRESS_DST
] == NULL
1799 || mhp
[SADB_X_EXT_POLICY
] == NULL
) {
1800 plog(LLV_ERROR
, LOCATION
, NULL
,
1801 "inappropriate sadb acquire message passed.\n");
1804 msg
= (struct sadb_msg
*)mhp
[0];
1805 xpl
= (struct sadb_x_policy
*)mhp
[SADB_X_EXT_POLICY
];
1806 src
= PFKEY_ADDR_SADDR(mhp
[SADB_EXT_ADDRESS_SRC
]);
1807 dst
= PFKEY_ADDR_SADDR(mhp
[SADB_EXT_ADDRESS_DST
]);
1809 /* ignore if type is not IPSEC_POLICY_IPSEC */
1810 if (xpl
->sadb_x_policy_type
!= IPSEC_POLICY_IPSEC
) {
1811 plog(LLV_DEBUG
, LOCATION
, NULL
,
1812 "ignore ACQUIRE message. type is not IPsec.\n");
1816 /* ignore it if src is multicast address */
1818 struct sockaddr
*sa
= PFKEY_ADDR_SADDR(mhp
[SADB_EXT_ADDRESS_DST
]);
1820 if ((sa
->sa_family
== AF_INET
1821 && IN_MULTICAST(ntohl(((struct sockaddr_in
*)sa
)->sin_addr
.s_addr
)))
1823 || (sa
->sa_family
== AF_INET6
1824 && IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6
*)sa
)->sin6_addr
))
1827 plog(LLV_DEBUG
, LOCATION
, NULL
,
1828 "ignore due to multicast address: %s.\n",
1834 /* ignore, if we do not listen on source address */
1837 * - if we'll contact peer from address we do not listen -
1838 * we will be unable to complete negotiation;
1839 * - if we'll negotiate using address we're listening -
1840 * remote peer will send packets to address different
1841 * than one in the policy, so kernel will drop them;
1842 * => therefore this acquire is not for us! --Aidas
1844 struct sockaddr
*sa
= PFKEY_ADDR_SADDR(mhp
[SADB_EXT_ADDRESS_SRC
]);
1847 for (p
= lcconf
->myaddrs
; p
; p
= p
->next
) {
1848 if (!cmpsaddrwop(p
->addr
, sa
)) {
1855 plog(LLV_DEBUG
, LOCATION
, NULL
,
1856 "ignore because do not listen on source address : %s.\n",
1863 * If there is a phase 2 handler against the policy identifier in
1864 * the acquire message, and if
1865 * 1. its state is less than PHASE2ST_ESTABLISHED, then racoon
1866 * should ignore such a acquire message because the phase 2
1867 * is just negotiating.
1868 * 2. its state is equal to PHASE2ST_ESTABLISHED, then racoon
1869 * has to prcesss such a acquire message because racoon may
1870 * lost the expire message.
1872 iph2
[0] = getph2byid(src
, dst
, xpl
->sadb_x_policy_id
);
1873 if (iph2
[0] != NULL
) {
1874 if (iph2
[0]->status
< PHASE2ST_ESTABLISHED
) {
1875 plog(LLV_DEBUG
, LOCATION
, NULL
,
1876 "ignore the acquire because ph2 found\n");
1879 if (iph2
[0]->status
== PHASE2ST_EXPIRED
)
1884 /* search for proper policyindex */
1885 sp_out
= getspbyspid(xpl
->sadb_x_policy_id
);
1886 if (sp_out
== NULL
) {
1887 plog(LLV_ERROR
, LOCATION
, NULL
, "no policy found: id:%d.\n",
1888 xpl
->sadb_x_policy_id
);
1891 plog(LLV_DEBUG
, LOCATION
, NULL
,
1892 "suitable outbound SP found: %s.\n", spidx2str(&sp_out
->spidx
));
1894 /* get inbound policy */
1896 struct policyindex spidx
;
1898 spidx
.dir
= IPSEC_DIR_INBOUND
;
1899 memcpy(&spidx
.src
, &sp_out
->spidx
.dst
, sizeof(spidx
.src
));
1900 memcpy(&spidx
.dst
, &sp_out
->spidx
.src
, sizeof(spidx
.dst
));
1901 spidx
.prefs
= sp_out
->spidx
.prefd
;
1902 spidx
.prefd
= sp_out
->spidx
.prefs
;
1903 spidx
.ul_proto
= sp_out
->spidx
.ul_proto
;
1905 sp_in
= getsp(&spidx
);
1907 plog(LLV_DEBUG
, LOCATION
, NULL
,
1908 "suitable inbound SP found: %s.\n",
1909 spidx2str(&sp_in
->spidx
));
1911 plog(LLV_NOTIFY
, LOCATION
, NULL
,
1912 "no in-bound policy found: %s\n",
1917 memset(iph2
, 0, MAXNESTEDSA
);
1921 /* allocate a phase 2 */
1923 if (iph2
[n
] == NULL
) {
1924 plog(LLV_ERROR
, LOCATION
, NULL
,
1925 "failed to allocate phase2 entry.\n");
1928 iph2
[n
]->side
= INITIATOR
;
1929 iph2
[n
]->spid
= xpl
->sadb_x_policy_id
;
1930 iph2
[n
]->satype
= msg
->sadb_msg_satype
;
1931 iph2
[n
]->seq
= msg
->sadb_msg_seq
;
1932 iph2
[n
]->status
= PHASE2ST_STATUS2
;
1934 /* set end addresses of SA */
1935 iph2
[n
]->dst
= dupsaddr(PFKEY_ADDR_SADDR(mhp
[SADB_EXT_ADDRESS_DST
]));
1936 if (iph2
[n
]->dst
== NULL
) {
1940 iph2
[n
]->src
= dupsaddr(PFKEY_ADDR_SADDR(mhp
[SADB_EXT_ADDRESS_SRC
]));
1941 if (iph2
[n
]->src
== NULL
) {
1946 plog(LLV_DEBUG
, LOCATION
, NULL
,
1947 "new acquire %s\n", spidx2str(&sp_out
->spidx
));
1951 vchar_t
*idsrc
, *iddst
;
1953 idsrc
= ipsecdoi_sockaddr2id((struct sockaddr
*)&sp_out
->spidx
.src
,
1954 sp_out
->spidx
.prefs
, sp_out
->spidx
.ul_proto
);
1955 if (idsrc
== NULL
) {
1956 plog(LLV_ERROR
, LOCATION
, NULL
,
1957 "failed to get ID for %s\n",
1958 spidx2str(&sp_out
->spidx
));
1962 iddst
= ipsecdoi_sockaddr2id((struct sockaddr
*)&sp_out
->spidx
.dst
,
1963 sp_out
->spidx
.prefd
, sp_out
->spidx
.ul_proto
);
1964 if (iddst
== NULL
) {
1965 plog(LLV_ERROR
, LOCATION
, NULL
,
1966 "failed to get ID for %s\n",
1967 spidx2str(&sp_out
->spidx
));
1972 iph2
[n
]->sainfo
= getsainfo(idsrc
, iddst
, NULL
);
1975 if (iph2
[n
]->sainfo
== NULL
) {
1976 plog(LLV_ERROR
, LOCATION
, NULL
,
1977 "failed to get sainfo.\n");
1980 /* XXX should use the algorithm list from register message */
1984 if (set_proposal_from_policy(iph2
[n
], sp_out
, sp_in
) < 0) {
1985 plog(LLV_ERROR
, LOCATION
, NULL
,
1986 "failed to create saprop.\n");
1992 /* start isakmp initiation by using ident exchange */
1993 /* XXX should be looped if there are multiple phase 2 handler. */
1994 if (isakmp_post_acquire(iph2
[n
]) < 0) {
1995 plog(LLV_ERROR
, LOCATION
, NULL
,
1996 "failed to begin ipsec sa negotication.\n");
2004 unbindph12(iph2
[n
]);
2017 struct sadb_msg
*msg
;
2019 struct sockaddr
*src
, *dst
;
2020 struct ph2handle
*iph2
= NULL
;
2023 /* ignore this message because of local test mode. */
2029 || mhp
[SADB_EXT_SA
] == NULL
2030 || mhp
[SADB_EXT_ADDRESS_SRC
] == NULL
2031 || mhp
[SADB_EXT_ADDRESS_DST
] == NULL
) {
2032 plog(LLV_ERROR
, LOCATION
, NULL
,
2033 "inappropriate sadb delete message passed.\n");
2036 msg
= (struct sadb_msg
*)mhp
[0];
2037 sa
= (struct sadb_sa
*)mhp
[SADB_EXT_SA
];
2038 src
= PFKEY_ADDR_SADDR(mhp
[SADB_EXT_ADDRESS_SRC
]);
2039 dst
= PFKEY_ADDR_SADDR(mhp
[SADB_EXT_ADDRESS_DST
]);
2041 /* the message has to be processed or not ? */
2042 if (msg
->sadb_msg_pid
== getpid()) {
2043 plog(LLV_DEBUG
, LOCATION
, NULL
,
2044 "%s message is not interesting "
2045 "because the message was originated by me.\n",
2046 s_pfkey_type(msg
->sadb_msg_type
));
2050 proto_id
= pfkey2ipsecdoi_proto(msg
->sadb_msg_satype
);
2051 if (proto_id
== ~0) {
2052 plog(LLV_ERROR
, LOCATION
, NULL
,
2053 "invalid proto_id %d\n", msg
->sadb_msg_satype
);
2057 iph2
= getph2bysaidx(src
, dst
, proto_id
, sa
->sadb_sa_spi
);
2060 plog(LLV_ERROR
, LOCATION
, NULL
,
2061 "no iph2 found: %s\n",
2062 sadbsecas2str(src
, dst
, msg
->sadb_msg_satype
,
2063 sa
->sadb_sa_spi
, IPSEC_MODE_ANY
));
2067 plog(LLV_ERROR
, LOCATION
, NULL
,
2068 "pfkey DELETE received: %s\n",
2069 sadbsecas2str(iph2
->src
, iph2
->dst
,
2070 msg
->sadb_msg_satype
, sa
->sadb_sa_spi
, IPSEC_MODE_ANY
));
2072 /* send delete information */
2073 if (iph2
->status
== PHASE2ST_ESTABLISHED
)
2074 isakmp_info_send_d2(iph2
);
2087 /* ignore this message because of local test mode. */
2092 if (mhp
[0] == NULL
) {
2093 plog(LLV_ERROR
, LOCATION
, NULL
,
2094 "inappropriate sadb flush message passed.\n");
2104 getsadbpolicy(policy0
, policylen0
, type
, iph2
)
2106 int *policylen0
, type
;
2107 struct ph2handle
*iph2
;
2109 struct policyindex
*spidx
= (struct policyindex
*)iph2
->spidx_gen
;
2110 struct sadb_x_policy
*xpl
;
2111 struct sadb_x_ipsecrequest
*xisr
;
2118 /* get policy buffer size */
2119 policylen
= sizeof(struct sadb_x_policy
);
2120 if (type
!= SADB_X_SPDDELETE
) {
2121 for (pr
= iph2
->approval
->head
; pr
; pr
= pr
->next
) {
2122 xisrlen
= sizeof(*xisr
);
2123 if (pr
->encmode
== IPSECDOI_ATTR_ENC_MODE_TUNNEL
) {
2124 xisrlen
+= (sysdep_sa_len(iph2
->src
)
2125 + sysdep_sa_len(iph2
->dst
));
2128 policylen
+= PFKEY_ALIGN8(xisrlen
);
2132 /* make policy structure */
2133 policy
= racoon_malloc(policylen
);
2135 plog(LLV_ERROR
, LOCATION
, NULL
,
2136 "buffer allocation failed.\n");
2140 xpl
= (struct sadb_x_policy
*)policy
;
2141 xpl
->sadb_x_policy_len
= PFKEY_UNIT64(policylen
);
2142 xpl
->sadb_x_policy_exttype
= SADB_X_EXT_POLICY
;
2143 xpl
->sadb_x_policy_type
= IPSEC_POLICY_IPSEC
;
2144 xpl
->sadb_x_policy_dir
= spidx
->dir
;
2145 xpl
->sadb_x_policy_id
= 0;
2146 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2147 xpl
->sadb_x_policy_priority
= PRIORITY_DEFAULT
;
2150 /* no need to append policy information any more if type is SPDDELETE */
2151 if (type
== SADB_X_SPDDELETE
)
2154 xisr
= (struct sadb_x_ipsecrequest
*)(xpl
+ 1);
2156 for (pr
= iph2
->approval
->head
; pr
; pr
= pr
->next
) {
2158 satype
= doi2ipproto(pr
->proto_id
);
2160 plog(LLV_ERROR
, LOCATION
, NULL
,
2161 "invalid proto_id %d\n", pr
->proto_id
);
2164 mode
= ipsecdoi2pfkey_mode(pr
->encmode
);
2166 plog(LLV_ERROR
, LOCATION
, NULL
,
2167 "invalid encmode %d\n", pr
->encmode
);
2172 * the policy level cannot be unique because the policy
2173 * is defined later than SA, so req_id cannot be bound to SA.
2175 xisr
->sadb_x_ipsecrequest_proto
= satype
;
2176 xisr
->sadb_x_ipsecrequest_mode
= mode
;
2177 xisr
->sadb_x_ipsecrequest_level
= IPSEC_LEVEL_REQUIRE
;
2178 xisr
->sadb_x_ipsecrequest_reqid
= 0;
2179 p
= (caddr_t
)(xisr
+ 1);
2181 xisrlen
= sizeof(*xisr
);
2183 if (pr
->encmode
== IPSECDOI_ATTR_ENC_MODE_TUNNEL
) {
2184 int src_len
, dst_len
;
2186 src_len
= sysdep_sa_len(iph2
->src
);
2187 dst_len
= sysdep_sa_len(iph2
->dst
);
2188 xisrlen
+= src_len
+ dst_len
;
2190 memcpy(p
, iph2
->src
, src_len
);
2193 memcpy(p
, iph2
->dst
, dst_len
);
2197 xisr
->sadb_x_ipsecrequest_len
= PFKEY_ALIGN8(xisrlen
);
2202 *policylen0
= policylen
;
2208 racoon_free(policy
);
2214 pk_sendspdupdate2(iph2
)
2215 struct ph2handle
*iph2
;
2217 struct policyindex
*spidx
= (struct policyindex
*)iph2
->spidx_gen
;
2218 caddr_t policy
= NULL
;
2220 u_int64_t ltime
, vtime
;
2222 ltime
= iph2
->approval
->lifetime
;
2225 if (getsadbpolicy(&policy
, &policylen
, SADB_X_SPDUPDATE
, iph2
)) {
2226 plog(LLV_ERROR
, LOCATION
, NULL
,
2227 "getting sadb policy failed.\n");
2231 if (pfkey_send_spdupdate2(
2233 (struct sockaddr
*)&spidx
->src
,
2235 (struct sockaddr
*)&spidx
->dst
,
2239 policy
, policylen
, 0) < 0) {
2240 plog(LLV_ERROR
, LOCATION
, NULL
,
2241 "libipsec failed send spdupdate2 (%s)\n",
2245 plog(LLV_DEBUG
, LOCATION
, NULL
, "call pfkey_send_spdupdate2\n");
2249 racoon_free(policy
);
2255 pk_recvspdupdate(mhp
)
2258 struct sadb_address
*saddr
, *daddr
;
2259 struct sadb_x_policy
*xpl
;
2260 struct policyindex spidx
;
2261 struct secpolicy
*sp
;
2265 || mhp
[SADB_EXT_ADDRESS_SRC
] == NULL
2266 || mhp
[SADB_EXT_ADDRESS_DST
] == NULL
2267 || mhp
[SADB_X_EXT_POLICY
] == NULL
) {
2268 plog(LLV_ERROR
, LOCATION
, NULL
,
2269 "inappropriate sadb spdupdate message passed.\n");
2272 saddr
= (struct sadb_address
*)mhp
[SADB_EXT_ADDRESS_SRC
];
2273 daddr
= (struct sadb_address
*)mhp
[SADB_EXT_ADDRESS_DST
];
2274 xpl
= (struct sadb_x_policy
*)mhp
[SADB_X_EXT_POLICY
];
2276 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2277 KEY_SETSECSPIDX(xpl
->sadb_x_policy_dir
,
2280 saddr
->sadb_address_prefixlen
,
2281 daddr
->sadb_address_prefixlen
,
2282 saddr
->sadb_address_proto
,
2283 xpl
->sadb_x_policy_priority
,
2286 KEY_SETSECSPIDX(xpl
->sadb_x_policy_dir
,
2289 saddr
->sadb_address_prefixlen
,
2290 daddr
->sadb_address_prefixlen
,
2291 saddr
->sadb_address_proto
,
2297 plog(LLV_ERROR
, LOCATION
, NULL
,
2298 "such policy does not already exist: \"%s\"\n",
2305 if (addnewsp(mhp
) < 0)
2312 * this function has to be used by responder side.
2315 pk_sendspdadd2(iph2
)
2316 struct ph2handle
*iph2
;
2318 struct policyindex
*spidx
= (struct policyindex
*)iph2
->spidx_gen
;
2319 caddr_t policy
= NULL
;
2321 u_int64_t ltime
, vtime
;
2323 ltime
= iph2
->approval
->lifetime
;
2326 if (getsadbpolicy(&policy
, &policylen
, SADB_X_SPDADD
, iph2
)) {
2327 plog(LLV_ERROR
, LOCATION
, NULL
,
2328 "getting sadb policy failed.\n");
2332 if (pfkey_send_spdadd2(
2334 (struct sockaddr
*)&spidx
->src
,
2336 (struct sockaddr
*)&spidx
->dst
,
2340 policy
, policylen
, 0) < 0) {
2341 plog(LLV_ERROR
, LOCATION
, NULL
,
2342 "libipsec failed send spdadd2 (%s)\n",
2346 plog(LLV_DEBUG
, LOCATION
, NULL
, "call pfkey_send_spdadd2\n");
2350 racoon_free(policy
);
2359 struct sadb_address
*saddr
, *daddr
;
2360 struct sadb_x_policy
*xpl
;
2361 struct policyindex spidx
;
2362 struct secpolicy
*sp
;
2366 || mhp
[SADB_EXT_ADDRESS_SRC
] == NULL
2367 || mhp
[SADB_EXT_ADDRESS_DST
] == NULL
2368 || mhp
[SADB_X_EXT_POLICY
] == NULL
) {
2369 plog(LLV_ERROR
, LOCATION
, NULL
,
2370 "inappropriate sadb spdadd message passed.\n");
2373 saddr
= (struct sadb_address
*)mhp
[SADB_EXT_ADDRESS_SRC
];
2374 daddr
= (struct sadb_address
*)mhp
[SADB_EXT_ADDRESS_DST
];
2375 xpl
= (struct sadb_x_policy
*)mhp
[SADB_X_EXT_POLICY
];
2377 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2378 KEY_SETSECSPIDX(xpl
->sadb_x_policy_dir
,
2381 saddr
->sadb_address_prefixlen
,
2382 daddr
->sadb_address_prefixlen
,
2383 saddr
->sadb_address_proto
,
2384 xpl
->sadb_x_policy_priority
,
2387 KEY_SETSECSPIDX(xpl
->sadb_x_policy_dir
,
2390 saddr
->sadb_address_prefixlen
,
2391 daddr
->sadb_address_prefixlen
,
2392 saddr
->sadb_address_proto
,
2398 plog(LLV_ERROR
, LOCATION
, NULL
,
2399 "such policy already exists. "
2400 "anyway replace it: %s\n",
2406 if (addnewsp(mhp
) < 0)
2413 * this function has to be used by responder side.
2416 pk_sendspddelete(iph2
)
2417 struct ph2handle
*iph2
;
2419 struct policyindex
*spidx
= (struct policyindex
*)iph2
->spidx_gen
;
2420 caddr_t policy
= NULL
;
2423 if (getsadbpolicy(&policy
, &policylen
, SADB_X_SPDDELETE
, iph2
)) {
2424 plog(LLV_ERROR
, LOCATION
, NULL
,
2425 "getting sadb policy failed.\n");
2429 if (pfkey_send_spddelete(
2431 (struct sockaddr
*)&spidx
->src
,
2433 (struct sockaddr
*)&spidx
->dst
,
2436 policy
, policylen
, 0) < 0) {
2437 plog(LLV_ERROR
, LOCATION
, NULL
,
2438 "libipsec failed send spddelete (%s)\n",
2442 plog(LLV_DEBUG
, LOCATION
, NULL
, "call pfkey_send_spddelete\n");
2446 racoon_free(policy
);
2452 pk_recvspddelete(mhp
)
2455 struct sadb_address
*saddr
, *daddr
;
2456 struct sadb_x_policy
*xpl
;
2457 struct policyindex spidx
;
2458 struct secpolicy
*sp
;
2462 || mhp
[SADB_EXT_ADDRESS_SRC
] == NULL
2463 || mhp
[SADB_EXT_ADDRESS_DST
] == NULL
2464 || mhp
[SADB_X_EXT_POLICY
] == NULL
) {
2465 plog(LLV_ERROR
, LOCATION
, NULL
,
2466 "inappropriate sadb spddelete message passed.\n");
2469 saddr
= (struct sadb_address
*)mhp
[SADB_EXT_ADDRESS_SRC
];
2470 daddr
= (struct sadb_address
*)mhp
[SADB_EXT_ADDRESS_DST
];
2471 xpl
= (struct sadb_x_policy
*)mhp
[SADB_X_EXT_POLICY
];
2473 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2474 KEY_SETSECSPIDX(xpl
->sadb_x_policy_dir
,
2477 saddr
->sadb_address_prefixlen
,
2478 daddr
->sadb_address_prefixlen
,
2479 saddr
->sadb_address_proto
,
2480 xpl
->sadb_x_policy_priority
,
2483 KEY_SETSECSPIDX(xpl
->sadb_x_policy_dir
,
2486 saddr
->sadb_address_prefixlen
,
2487 daddr
->sadb_address_prefixlen
,
2488 saddr
->sadb_address_proto
,
2494 plog(LLV_ERROR
, LOCATION
, NULL
,
2495 "no policy found: %s\n",
2507 pk_recvspdexpire(mhp
)
2510 struct sadb_address
*saddr
, *daddr
;
2511 struct sadb_x_policy
*xpl
;
2512 struct policyindex spidx
;
2513 struct secpolicy
*sp
;
2517 || mhp
[SADB_EXT_ADDRESS_SRC
] == NULL
2518 || mhp
[SADB_EXT_ADDRESS_DST
] == NULL
2519 || mhp
[SADB_X_EXT_POLICY
] == NULL
) {
2520 plog(LLV_ERROR
, LOCATION
, NULL
,
2521 "inappropriate sadb spdexpire message passed.\n");
2524 saddr
= (struct sadb_address
*)mhp
[SADB_EXT_ADDRESS_SRC
];
2525 daddr
= (struct sadb_address
*)mhp
[SADB_EXT_ADDRESS_DST
];
2526 xpl
= (struct sadb_x_policy
*)mhp
[SADB_X_EXT_POLICY
];
2528 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2529 KEY_SETSECSPIDX(xpl
->sadb_x_policy_dir
,
2532 saddr
->sadb_address_prefixlen
,
2533 daddr
->sadb_address_prefixlen
,
2534 saddr
->sadb_address_proto
,
2535 xpl
->sadb_x_policy_priority
,
2538 KEY_SETSECSPIDX(xpl
->sadb_x_policy_dir
,
2541 saddr
->sadb_address_prefixlen
,
2542 daddr
->sadb_address_prefixlen
,
2543 saddr
->sadb_address_proto
,
2549 plog(LLV_ERROR
, LOCATION
, NULL
,
2550 "no policy found: %s\n",
2566 if (mhp
[0] == NULL
) {
2567 plog(LLV_ERROR
, LOCATION
, NULL
,
2568 "inappropriate sadb spdget message passed.\n");
2579 struct sadb_msg
*msg
;
2580 struct sadb_address
*saddr
, *daddr
;
2581 struct sadb_x_policy
*xpl
;
2582 struct policyindex spidx
;
2583 struct secpolicy
*sp
;
2586 if (mhp
[0] == NULL
) {
2587 plog(LLV_ERROR
, LOCATION
, NULL
,
2588 "inappropriate sadb spddump message passed.\n");
2591 msg
= (struct sadb_msg
*)mhp
[0];
2593 saddr
= (struct sadb_address
*)mhp
[SADB_EXT_ADDRESS_SRC
];
2594 daddr
= (struct sadb_address
*)mhp
[SADB_EXT_ADDRESS_DST
];
2595 xpl
= (struct sadb_x_policy
*)mhp
[SADB_X_EXT_POLICY
];
2597 if (saddr
== NULL
|| daddr
== NULL
|| xpl
== NULL
) {
2598 plog(LLV_ERROR
, LOCATION
, NULL
,
2599 "inappropriate sadb spddump message passed.\n");
2603 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2604 KEY_SETSECSPIDX(xpl
->sadb_x_policy_dir
,
2607 saddr
->sadb_address_prefixlen
,
2608 daddr
->sadb_address_prefixlen
,
2609 saddr
->sadb_address_proto
,
2610 xpl
->sadb_x_policy_priority
,
2613 KEY_SETSECSPIDX(xpl
->sadb_x_policy_dir
,
2616 saddr
->sadb_address_prefixlen
,
2617 daddr
->sadb_address_prefixlen
,
2618 saddr
->sadb_address_proto
,
2624 plog(LLV_ERROR
, LOCATION
, NULL
,
2625 "such policy already exists. "
2626 "anyway replace it: %s\n",
2632 if (addnewsp(mhp
) < 0)
2639 pk_recvspdflush(mhp
)
2643 if (mhp
[0] == NULL
) {
2644 plog(LLV_ERROR
, LOCATION
, NULL
,
2645 "inappropriate sadb spdflush message passed.\n");
2655 * send error against acquire message to kenrel.
2658 pk_sendeacquire(iph2
)
2659 struct ph2handle
*iph2
;
2661 struct sadb_msg
*newmsg
;
2664 len
= sizeof(struct sadb_msg
);
2665 newmsg
= racoon_calloc(1, len
);
2666 if (newmsg
== NULL
) {
2667 plog(LLV_ERROR
, LOCATION
, NULL
,
2668 "failed to get buffer to send acquire.\n");
2672 memset(newmsg
, 0, len
);
2673 newmsg
->sadb_msg_version
= PF_KEY_V2
;
2674 newmsg
->sadb_msg_type
= SADB_ACQUIRE
;
2675 newmsg
->sadb_msg_errno
= ENOENT
; /* XXX */
2676 newmsg
->sadb_msg_satype
= iph2
->satype
;
2677 newmsg
->sadb_msg_len
= PFKEY_UNIT64(len
);
2678 newmsg
->sadb_msg_reserved
= 0;
2679 newmsg
->sadb_msg_seq
= iph2
->seq
;
2680 newmsg
->sadb_msg_pid
= (u_int32_t
)getpid();
2683 len
= pfkey_send(lcconf
->sock_pfkey
, newmsg
, len
);
2685 racoon_free(newmsg
);
2691 * check if the algorithm is supported or not.
2696 pk_checkalg(class, calg
, keylen
)
2697 int class, calg
, keylen
;
2701 struct sadb_alg alg0
;
2703 switch (algclass2doi(class)) {
2704 case IPSECDOI_PROTO_IPSEC_ESP
:
2705 sup
= SADB_EXT_SUPPORTED_ENCRYPT
;
2707 case IPSECDOI_ATTR_AUTH
:
2708 sup
= SADB_EXT_SUPPORTED_AUTH
;
2710 case IPSECDOI_PROTO_IPCOMP
:
2711 plog(LLV_DEBUG
, LOCATION
, NULL
,
2712 "compression algorithm can not be checked "
2713 "because sadb message doesn't support it.\n");
2716 plog(LLV_ERROR
, LOCATION
, NULL
,
2717 "invalid algorithm class.\n");
2720 alg
= ipsecdoi2pfkey_alg(algclass2doi(class), algtype2doi(class, calg
));
2725 if (ipsec_get_keylen(sup
, alg
, &alg0
)) {
2726 plog(LLV_ERROR
, LOCATION
, NULL
,
2727 "%s.\n", ipsec_strerror());
2730 keylen
= alg0
.sadb_alg_minbits
;
2733 error
= ipsec_check_keylen(sup
, alg
, keylen
);
2735 plog(LLV_ERROR
, LOCATION
, NULL
,
2736 "%s.\n", ipsec_strerror());
2742 * differences with pfkey_recv() in libipsec/pfkey.c:
2743 * - never performs busy wait loop.
2744 * - returns NULL and set *lenp to negative on fatal failures
2745 * - returns NULL and set *lenp to non-negative on non-fatal failures
2746 * - returns non-NULL on success
2748 static struct sadb_msg
*
2753 struct sadb_msg buf
, *newmsg
;
2756 *lenp
= recv(so
, (caddr_t
)&buf
, sizeof(buf
), MSG_PEEK
);
2758 return NULL
; /*fatal*/
2759 else if (*lenp
< sizeof(buf
))
2762 reallen
= PFKEY_UNUNIT64(buf
.sadb_msg_len
);
2763 if ((newmsg
= racoon_calloc(1, reallen
)) == NULL
)
2766 *lenp
= recv(so
, (caddr_t
)newmsg
, reallen
, MSG_PEEK
);
2768 racoon_free(newmsg
);
2769 return NULL
; /*fatal*/
2770 } else if (*lenp
!= reallen
) {
2771 racoon_free(newmsg
);
2775 *lenp
= recv(so
, (caddr_t
)newmsg
, reallen
, 0);
2777 racoon_free(newmsg
);
2778 return NULL
; /*fatal*/
2779 } else if (*lenp
!= reallen
) {
2780 racoon_free(newmsg
);
2791 return eay_random();
2798 struct secpolicy
*new;
2799 struct sadb_address
*saddr
, *daddr
;
2800 struct sadb_x_policy
*xpl
;
2803 if (mhp
[SADB_EXT_ADDRESS_SRC
] == NULL
2804 || mhp
[SADB_EXT_ADDRESS_DST
] == NULL
2805 || mhp
[SADB_X_EXT_POLICY
] == NULL
) {
2806 plog(LLV_ERROR
, LOCATION
, NULL
,
2807 "inappropriate sadb spd management message passed.\n");
2811 saddr
= (struct sadb_address
*)mhp
[SADB_EXT_ADDRESS_SRC
];
2812 daddr
= (struct sadb_address
*)mhp
[SADB_EXT_ADDRESS_DST
];
2813 xpl
= (struct sadb_x_policy
*)mhp
[SADB_X_EXT_POLICY
];
2816 /* bsd skips over per-socket policies because there will be no
2817 * src and dst extensions in spddump messages. On Linux the only
2818 * way to achieve the same is check for policy id.
2820 if (xpl
->sadb_x_policy_id
% 8 >= 3) return 0;
2825 plog(LLV_ERROR
, LOCATION
, NULL
,
2826 "failed to allocate buffer\n");
2830 new->spidx
.dir
= xpl
->sadb_x_policy_dir
;
2831 new->id
= xpl
->sadb_x_policy_id
;
2832 new->policy
= xpl
->sadb_x_policy_type
;
2836 switch (xpl
->sadb_x_policy_type
) {
2837 case IPSEC_POLICY_DISCARD
:
2838 case IPSEC_POLICY_GENERATE
:
2839 case IPSEC_POLICY_NONE
:
2840 case IPSEC_POLICY_ENTRUST
:
2841 case IPSEC_POLICY_BYPASS
:
2844 case IPSEC_POLICY_IPSEC
:
2847 struct sadb_x_ipsecrequest
*xisr
;
2848 struct ipsecrequest
**p_isr
= &new->req
;
2850 /* validity check */
2851 if (PFKEY_EXTLEN(xpl
) < sizeof(*xpl
)) {
2852 plog(LLV_ERROR
, LOCATION
, NULL
,
2853 "invalid msg length.\n");
2857 tlen
= PFKEY_EXTLEN(xpl
) - sizeof(*xpl
);
2858 xisr
= (struct sadb_x_ipsecrequest
*)(xpl
+ 1);
2863 if (xisr
->sadb_x_ipsecrequest_len
< sizeof(*xisr
)) {
2864 plog(LLV_ERROR
, LOCATION
, NULL
,
2865 "invalid msg length.\n");
2869 /* allocate request buffer */
2870 *p_isr
= newipsecreq();
2871 if (*p_isr
== NULL
) {
2872 plog(LLV_ERROR
, LOCATION
, NULL
,
2873 "failed to get new ipsecreq.\n");
2878 (*p_isr
)->next
= NULL
;
2880 switch (xisr
->sadb_x_ipsecrequest_proto
) {
2883 case IPPROTO_IPCOMP
:
2886 plog(LLV_ERROR
, LOCATION
, NULL
,
2887 "invalid proto type: %u\n",
2888 xisr
->sadb_x_ipsecrequest_proto
);
2891 (*p_isr
)->saidx
.proto
= xisr
->sadb_x_ipsecrequest_proto
;
2893 switch (xisr
->sadb_x_ipsecrequest_mode
) {
2894 case IPSEC_MODE_TRANSPORT
:
2895 case IPSEC_MODE_TUNNEL
:
2897 case IPSEC_MODE_ANY
:
2899 plog(LLV_ERROR
, LOCATION
, NULL
,
2900 "invalid mode: %u\n",
2901 xisr
->sadb_x_ipsecrequest_mode
);
2904 (*p_isr
)->saidx
.mode
= xisr
->sadb_x_ipsecrequest_mode
;
2906 switch (xisr
->sadb_x_ipsecrequest_level
) {
2907 case IPSEC_LEVEL_DEFAULT
:
2908 case IPSEC_LEVEL_USE
:
2909 case IPSEC_LEVEL_REQUIRE
:
2911 case IPSEC_LEVEL_UNIQUE
:
2912 (*p_isr
)->saidx
.reqid
=
2913 xisr
->sadb_x_ipsecrequest_reqid
;
2917 plog(LLV_ERROR
, LOCATION
, NULL
,
2918 "invalid level: %u\n",
2919 xisr
->sadb_x_ipsecrequest_level
);
2922 (*p_isr
)->level
= xisr
->sadb_x_ipsecrequest_level
;
2924 /* set IP addresses if there */
2925 if (xisr
->sadb_x_ipsecrequest_len
> sizeof(*xisr
)) {
2926 struct sockaddr
*paddr
;
2928 paddr
= (struct sockaddr
*)(xisr
+ 1);
2929 bcopy(paddr
, &(*p_isr
)->saidx
.src
,
2930 sysdep_sa_len(paddr
));
2932 paddr
= (struct sockaddr
*)((caddr_t
)paddr
2933 + sysdep_sa_len(paddr
));
2934 bcopy(paddr
, &(*p_isr
)->saidx
.dst
,
2935 sysdep_sa_len(paddr
));
2940 /* initialization for the next. */
2941 p_isr
= &(*p_isr
)->next
;
2942 tlen
-= xisr
->sadb_x_ipsecrequest_len
;
2944 /* validity check */
2946 plog(LLV_ERROR
, LOCATION
, NULL
,
2947 "becoming tlen < 0\n");
2950 xisr
= (struct sadb_x_ipsecrequest
*)((caddr_t
)xisr
2951 + xisr
->sadb_x_ipsecrequest_len
);
2956 plog(LLV_ERROR
, LOCATION
, NULL
,
2957 "invalid policy type.\n");
2961 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2962 KEY_SETSECSPIDX(xpl
->sadb_x_policy_dir
,
2965 saddr
->sadb_address_prefixlen
,
2966 daddr
->sadb_address_prefixlen
,
2967 saddr
->sadb_address_proto
,
2968 xpl
->sadb_x_policy_priority
,
2971 KEY_SETSECSPIDX(xpl
->sadb_x_policy_dir
,
2974 saddr
->sadb_address_prefixlen
,
2975 daddr
->sadb_address_prefixlen
,
2976 saddr
->sadb_address_proto
,
2985 /* proto/mode/src->dst spi */
2987 sadbsecas2str(src
, dst
, proto
, spi
, mode
)
2988 struct sockaddr
*src
, *dst
;
2993 static char buf
[256];
2994 u_int doi_proto
, doi_mode
= 0;
2998 doi_proto
= pfkey2ipsecdoi_proto(proto
);
2999 if (doi_proto
== ~0)
3002 doi_mode
= pfkey2ipsecdoi_mode(mode
);
3007 blen
= sizeof(buf
) - 1;
3010 i
= snprintf(p
, blen
, "%s%s%s ",
3011 s_ipsecdoi_proto(doi_proto
),
3013 mode
? s_ipsecdoi_encmode(doi_mode
) : "");
3014 if (i
< 0 || i
>= blen
)
3019 i
= snprintf(p
, blen
, "%s->", saddr2str(src
));
3020 if (i
< 0 || i
>= blen
)
3025 i
= snprintf(p
, blen
, "%s ", saddr2str(dst
));
3026 if (i
< 0 || i
>= blen
)
3032 snprintf(p
, blen
, "spi=%lu(0x%lx)", (unsigned long)ntohl(spi
),
3033 (unsigned long)ntohl(spi
));