]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/pfkey_racoon.c
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-292.40.4.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / pfkey_racoon.c
1 /* $Id: pfkey.c,v 1.31.2.10 2005/10/03 14:52:19 manubsd Exp $ */
2
3 /*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #include "config.h"
33 #include "racoon_types.h"
34
35 #include <stdlib.h>
36 #include <string.h>
37 #include <stdio.h>
38 #include <netdb.h>
39 #include <errno.h>
40 #ifdef HAVE_UNISTD_H
41 #include <unistd.h>
42 #endif
43 #include <netdb.h>
44 #include <netinet/in.h>
45 #include <arpa/inet.h>
46
47 #ifdef ENABLE_NATT
48 #include <netinet/udp.h>
49 #endif
50
51 #include <sys/types.h>
52 #include <sys/param.h>
53 #include <sys/socket.h>
54 #include <sys/queue.h>
55 #include <sys/sysctl.h>
56
57 #include <net/route.h>
58 #include <net/pfkeyv2.h>
59
60 #include <netinet/in.h>
61 #ifndef HAVE_NETINET6_IPSEC
62 #include <netinet/ipsec.h>
63 #else
64 #include <netinet6/ipsec.h>
65 #endif
66
67 #include "libpfkey.h"
68
69 #include "var.h"
70 #include "misc.h"
71 #include "vmbuf.h"
72 #include "plog.h"
73 #include "sockmisc.h"
74 #include "debug.h"
75 #include "fsm.h"
76 #include "ike_session.h"
77
78 #include "schedule.h"
79 #include "localconf.h"
80 #include "remoteconf.h"
81 #include "isakmp_var.h"
82 #include "isakmp.h"
83 #include "isakmp_inf.h"
84 #include "ipsec_doi.h"
85 #include "oakley.h"
86 #include "pfkey.h"
87 #include "handler.h"
88 #include "policy.h"
89 #include "algorithm.h"
90 #include "sainfo.h"
91 #include "proposal.h"
92 #include "strnames.h"
93 #include "gcmalloc.h"
94 #include "nattraversal.h"
95 #include "crypto_openssl.h"
96 #include "grabmyaddr.h"
97 #include "vpn_control.h"
98 #include "vpn_control_var.h"
99 #include "ike_session.h"
100 #include "ipsecSessionTracer.h"
101 #include "ipsecMessageTracer.h"
102 #include "power_mgmt.h"
103 #include "session.h"
104
105 #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
106 #define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
107 #endif
108
109 /* prototype */
110 static u_int ipsecdoi2pfkey_aalg (u_int);
111 static u_int ipsecdoi2pfkey_ealg (u_int);
112 static u_int ipsecdoi2pfkey_calg (u_int);
113 static u_int ipsecdoi2pfkey_alg (u_int, u_int);
114 static u_int keylen_aalg (u_int);
115 static u_int keylen_ealg (u_int, int);
116
117 static int pk_recvgetspi (caddr_t *);
118 static int pk_recvupdate (caddr_t *);
119 static int pk_recvadd (caddr_t *);
120 static int pk_recvdelete (caddr_t *);
121 static int pk_recvacquire (caddr_t *);
122 static int pk_recvexpire (caddr_t *);
123 static int pk_recvflush (caddr_t *);
124 static int getsadbpolicy (caddr_t *, int *, int, phase2_handle_t *);
125 static int pk_recvspdupdate (caddr_t *);
126 static int pk_recvspdadd (caddr_t *);
127 static int pk_recvspddelete (caddr_t *);
128 static int pk_recvspdexpire (caddr_t *);
129 static int pk_recvspdget (caddr_t *);
130 static int pk_recvspddump (caddr_t *);
131 static int pk_recvspdflush (caddr_t *);
132 static int pk_recvgetsastat (caddr_t *);
133 static struct sadb_msg *pk_recv (int, ssize_t *);
134
135 static int (*pkrecvf[]) (caddr_t *) = {
136 NULL,
137 pk_recvgetspi,
138 pk_recvupdate,
139 pk_recvadd,
140 pk_recvdelete,
141 NULL, /* SADB_GET */
142 pk_recvacquire,
143 NULL, /* SABD_REGISTER */
144 pk_recvexpire,
145 pk_recvflush,
146 NULL, /* SADB_DUMP */
147 NULL, /* SADB_X_PROMISC */
148 NULL, /* SADB_X_PCHANGE */
149 pk_recvspdupdate,
150 pk_recvspdadd,
151 pk_recvspddelete,
152 pk_recvspdget,
153 NULL, /* SADB_X_SPDACQUIRE */
154 pk_recvspddump,
155 pk_recvspdflush,
156 NULL, /* SADB_X_SPDSETIDX */
157 pk_recvspdexpire,
158 NULL, /* SADB_X_SPDDELETE2 */
159 pk_recvgetsastat, /* SADB_GETSASTAT */
160 NULL, /* SADB_X_SPDENABLE */
161 NULL, /* SADB_X_SPDDISNABLE */
162 NULL, /* SADB_MIGRATE */
163 #if (SADB_MAX > 26)
164 #warning "SADB extra message?"
165 #endif
166 };
167
168 static int addnewsp (caddr_t *);
169
170 /* cope with old kame headers - ugly */
171 #ifndef SADB_X_AALG_MD5
172 #define SADB_X_AALG_MD5 SADB_AALG_MD5
173 #endif
174 #ifndef SADB_X_AALG_SHA
175 #define SADB_X_AALG_SHA SADB_AALG_SHA
176 #endif
177 #ifndef SADB_X_AALG_NULL
178 #define SADB_X_AALG_NULL SADB_AALG_NULL
179 #endif
180
181 #ifndef SADB_X_EALG_BLOWFISHCBC
182 #define SADB_X_EALG_BLOWFISHCBC SADB_EALG_BLOWFISHCBC
183 #endif
184 #ifndef SADB_X_EALG_CAST128CBC
185 #define SADB_X_EALG_CAST128CBC SADB_EALG_CAST128CBC
186 #endif
187 #ifndef SADB_X_EALG_RC5CBC
188 #ifdef SADB_EALG_RC5CBC
189 #define SADB_X_EALG_RC5CBC SADB_EALG_RC5CBC
190 #endif
191 #endif
192
193 int
194 pfkey_process(msg)
195 struct sadb_msg *msg;
196 {
197 caddr_t mhp[SADB_EXT_MAX + 1];
198 int error = -1;
199
200 // Special debug use only - creates large logs
201 // plogdump(ASL_LEVEL_DEBUG, msg, msg->sadb_msg_len << 3, "get pfkey %s message\n",
202 // s_pfkey_type(msg->sadb_msg_type));
203
204 /* validity check */
205 /* check pfkey message. */
206 if (pfkey_align(msg, mhp)) {
207 plog(ASL_LEVEL_ERR,
208 "libipsec failed pfkey align (%s)\n",
209 ipsec_strerror());
210 goto end;
211 }
212 if (pfkey_check(mhp)) {
213 plog(ASL_LEVEL_ERR,
214 "libipsec failed pfkey check (%s)\n",
215 ipsec_strerror());
216 goto end;
217 }
218 msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
219
220 if (msg->sadb_msg_errno) {
221 int pri;
222
223 /* when SPD is empty, treat the state as no error. */
224 if (msg->sadb_msg_type == SADB_X_SPDDUMP &&
225 msg->sadb_msg_errno == ENOENT)
226 pri = ASL_LEVEL_DEBUG;
227 else
228 pri = ASL_LEVEL_ERR;
229
230 plog(pri,
231 "pfkey %s failed: %s\n",
232 s_pfkey_type(msg->sadb_msg_type),
233 strerror(msg->sadb_msg_errno));
234 goto end;
235 }
236
237 /* safety check */
238 if (msg->sadb_msg_type >= ARRAYLEN(pkrecvf)) {
239 plog(ASL_LEVEL_ERR,
240 "unknown PF_KEY message type=%u\n",
241 msg->sadb_msg_type);
242 goto end;
243 }
244
245 if (pkrecvf[msg->sadb_msg_type] == NULL) {
246 plog(ASL_LEVEL_INFO,
247 "unsupported PF_KEY message %s\n",
248 s_pfkey_type(msg->sadb_msg_type));
249 goto end;
250 }
251
252 if ((pkrecvf[msg->sadb_msg_type])(mhp) < 0)
253 goto end;
254
255 error = 0;
256 end:
257 if (msg)
258 racoon_free(msg);
259 return(error);
260 }
261
262 /*
263 * PF_KEY packet handler
264 * 0: success
265 * -1: fail
266 */
267
268 //%%%%%%%%%%%%%%%%%% need to handle errors encountered here - this no longer returns a result
269 void
270 pfkey_handler(void *unused)
271 {
272 struct sadb_msg *msg;
273 ssize_t len;
274
275 if (slept_at || woke_at) {
276 plog(ASL_LEVEL_DEBUG,
277 "ignoring pfkey port until power-mgmt event is handled.\n");
278 return;
279 }
280
281 /* receive pfkey message. */
282 len = 0;
283 msg = (struct sadb_msg *)pk_recv(lcconf->sock_pfkey, &len);
284
285 if (msg == NULL) {
286 if (len < 0) {
287 plog(ASL_LEVEL_ERR,
288 "failed to recv from pfkey (%s)\n",
289 strerror(errno));
290 return;
291 } else {
292 /* short message - msg not ready */
293 plog(ASL_LEVEL_DEBUG, "recv short message from pfkey\n");
294 return;
295 }
296 }
297 pfkey_process(msg);
298 }
299
300 void
301 pfkey_post_handler()
302 {
303 struct saved_msg_elem *elem;
304 struct saved_msg_elem *elem_tmp = NULL;
305
306 if (slept_at || woke_at) {
307 plog(ASL_LEVEL_DEBUG,
308 "ignoring (saved) pfkey messages until power-mgmt event is handled.\n");
309 return;
310 }
311
312 TAILQ_FOREACH_SAFE(elem, &lcconf->saved_msg_queue, chain, elem_tmp) {
313 pfkey_process((struct sadb_msg *)elem->msg);
314 TAILQ_REMOVE(&lcconf->saved_msg_queue, elem, chain);
315 racoon_free(elem);
316
317 }
318 }
319
320 int
321 pfkey_save_msg(msg)
322 struct sadb_msg *msg;
323 {
324 struct saved_msg_elem *elem;
325
326 elem = (struct saved_msg_elem *)racoon_calloc(sizeof(struct saved_msg_elem), 1);
327 if (elem == NULL)
328 return -1;
329 elem->msg = msg;
330 TAILQ_INSERT_TAIL(&lcconf->saved_msg_queue, elem, chain);
331 return 0;
332 }
333
334 /*
335 * dump SADB
336 */
337 vchar_t *
338 pfkey_dump_sadb(satype)
339 int satype;
340 {
341 int s = -1;
342 vchar_t *buf = NULL;
343 pid_t pid = getpid();
344 struct sadb_msg *msg = NULL;
345 size_t bl, ml;
346 ssize_t len;
347
348 if ((s = pfkey_open()) < 0) {
349 plog(ASL_LEVEL_ERR,
350 "libipsec failed pfkey open: %s\n",
351 ipsec_strerror());
352 return NULL;
353 }
354
355 plog(ASL_LEVEL_DEBUG, "call pfkey_send_dump\n");
356 if (pfkey_send_dump(s, satype) < 0) {
357 plog(ASL_LEVEL_ERR,
358 "libipsec failed dump: %s\n", ipsec_strerror());
359 goto fail;
360 }
361
362 while (1) {
363 if (msg)
364 racoon_free(msg);
365 msg = pk_recv(s, &len);
366 if (msg == NULL) {
367 if (len < 0)
368 goto done;
369 else
370 continue;
371 }
372
373 /*
374 * for multi-processor system this had to be added because the messages can
375 * be interleaved - they won't all be dump messages
376 */
377 if (msg->sadb_msg_type != SADB_DUMP) { /* save for later processing */
378 pfkey_save_msg(msg);
379 msg = NULL;
380 continue;
381 }
382
383 // ignore dump messages that aren't racoon's
384 if (msg->sadb_msg_pid != pid)
385 continue;
386
387 ml = msg->sadb_msg_len << 3;
388 bl = buf ? buf->l : 0;
389 buf = vrealloc(buf, bl + ml);
390 if (buf == NULL) {
391 plog(ASL_LEVEL_ERR,
392 "failed to reallocate buffer to dump.\n");
393 goto fail;
394 }
395 memcpy(buf->v + bl, msg, ml);
396
397 if (msg->sadb_msg_seq == 0)
398 break;
399 }
400 goto done;
401
402 fail:
403 if (buf)
404 vfree(buf);
405 buf = NULL;
406 done:
407 if (msg)
408 racoon_free(msg);
409 if (s >= 0)
410 pfkey_close_sock(s);
411 return buf;
412 }
413
414
415 /*
416 * These are the SATYPEs that we manage. We register to get
417 * PF_KEY messages related to these SATYPEs, and we also use
418 * this list to determine which SATYPEs to delete SAs for when
419 * we receive an INITIAL-CONTACT.
420 */
421 const struct pfkey_satype pfkey_satypes[] = {
422 { SADB_SATYPE_AH, "AH" },
423 { SADB_SATYPE_ESP, "ESP" },
424 { SADB_X_SATYPE_IPCOMP, "IPCOMP" },
425 };
426 const int pfkey_nsatypes =
427 sizeof(pfkey_satypes) / sizeof(pfkey_satypes[0]);
428
429 /*
430 * PF_KEY initialization
431 */
432 int
433 pfkey_init(void)
434 {
435 int i, reg_fail, sock;
436
437 if ((lcconf->sock_pfkey = pfkey_open()) < 0) {
438 plog(ASL_LEVEL_ERR,
439 "libipsec failed pfkey open (%s)\n", ipsec_strerror());
440 return -1;
441 }
442
443 for (i = 0, reg_fail = 0; i < pfkey_nsatypes; i++) {
444 plog(ASL_LEVEL_DEBUG,
445 "call pfkey_send_register for %s\n",
446 pfkey_satypes[i].ps_name);
447 if (pfkey_send_register(lcconf->sock_pfkey,
448 pfkey_satypes[i].ps_satype) < 0 ||
449 pfkey_recv_register(lcconf->sock_pfkey) < 0) {
450 plog(ASL_LEVEL_WARNING,
451 "failed to register %s (%s)\n",
452 pfkey_satypes[i].ps_name,
453 ipsec_strerror());
454 reg_fail++;
455 }
456 }
457
458 if (reg_fail == pfkey_nsatypes) {
459 plog(ASL_LEVEL_ERR,
460 "failed to regist any protocol.\n");
461 close(lcconf->sock_pfkey);
462 return -1;
463 }
464 initsp();
465
466 lcconf->pfkey_source = dispatch_source_create(DISPATCH_SOURCE_TYPE_READ, lcconf->sock_pfkey, 0, dispatch_get_main_queue());
467 if (lcconf->pfkey_source == NULL) {
468 plog(ASL_LEVEL_ERR, "could not create pfkey socket source.");
469 return -1;
470 }
471 dispatch_source_set_event_handler_f(lcconf->pfkey_source, pfkey_handler);
472 sock = lcconf->sock_pfkey;
473 dispatch_source_set_cancel_handler(lcconf->pfkey_source,
474 ^{
475 pfkey_close_sock(sock);
476 });
477 dispatch_resume(lcconf->pfkey_source);
478
479 if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) {
480 plog(ASL_LEVEL_ERR,
481 "libipsec sending spddump failed: %s\n",
482 ipsec_strerror());
483 pfkey_close();
484 return -1;
485 }
486 #if 0
487 if (pfkey_promisc_toggle(1) < 0) {
488 pfkey_close();
489 return -1;
490 }
491 #endif
492
493 return 0;
494 }
495
496 void
497 pfkey_close(void)
498 {
499 dispatch_source_cancel(lcconf->pfkey_source);
500 lcconf->pfkey_source = NULL;
501 }
502
503 /* %%% for conversion */
504 /* IPSECDOI_ATTR_AUTH -> SADB_AALG */
505 static u_int
506 ipsecdoi2pfkey_aalg(hashtype)
507 u_int hashtype;
508 {
509 switch (hashtype) {
510 case IPSECDOI_ATTR_AUTH_HMAC_MD5:
511 case IPSECDOI_ATTR_AUTH_HMAC_MD5_96:
512 return SADB_AALG_MD5HMAC;
513 case IPSECDOI_ATTR_AUTH_HMAC_SHA1:
514 case IPSECDOI_ATTR_AUTH_HMAC_SHA1_96:
515 return SADB_AALG_SHA1HMAC;
516 case IPSECDOI_ATTR_AUTH_HMAC_SHA2_256:
517 #if (defined SADB_X_AALG_SHA2_256) && !defined(SADB_X_AALG_SHA2_256HMAC)
518 return SADB_X_AALG_SHA2_256;
519 #else
520 return SADB_X_AALG_SHA2_256HMAC;
521 #endif
522 case IPSECDOI_ATTR_AUTH_HMAC_SHA2_384:
523 #if (defined SADB_X_AALG_SHA2_384) && !defined(SADB_X_AALG_SHA2_384HMAC)
524 return SADB_X_AALG_SHA2_384;
525 #else
526 return SADB_X_AALG_SHA2_384HMAC;
527 #endif
528 case IPSECDOI_ATTR_AUTH_HMAC_SHA2_512:
529 #if (defined SADB_X_AALG_SHA2_512) && !defined(SADB_X_AALG_SHA2_512HMAC)
530 return SADB_X_AALG_SHA2_512;
531 #else
532 return SADB_X_AALG_SHA2_512HMAC;
533 #endif
534 case IPSECDOI_ATTR_AUTH_KPDK: /* need special care */
535 return SADB_AALG_NONE;
536
537 /* not supported */
538 case IPSECDOI_ATTR_AUTH_DES_MAC:
539 plog(ASL_LEVEL_ERR,
540 "Not supported hash type: %u\n", hashtype);
541 return ~0;
542
543 case 0: /* reserved */
544 default:
545 return SADB_AALG_NONE;
546
547 plog(ASL_LEVEL_ERR,
548 "Invalid hash type: %u\n", hashtype);
549 return ~0;
550 }
551 /*NOTREACHED*/
552 }
553
554 /* IPSECDOI_ESP -> SADB_EALG */
555 static u_int
556 ipsecdoi2pfkey_ealg(t_id)
557 u_int t_id;
558 {
559 switch (t_id) {
560 case IPSECDOI_ESP_DES_IV64: /* sa_flags |= SADB_X_EXT_OLD */
561 return SADB_EALG_DESCBC;
562 case IPSECDOI_ESP_DES:
563 return SADB_EALG_DESCBC;
564 case IPSECDOI_ESP_3DES:
565 return SADB_EALG_3DESCBC;
566 #ifdef SADB_X_EALG_RC5CBC
567 case IPSECDOI_ESP_RC5:
568 return SADB_X_EALG_RC5CBC;
569 #endif
570 case IPSECDOI_ESP_CAST:
571 return SADB_X_EALG_CAST128CBC;
572 case IPSECDOI_ESP_BLOWFISH:
573 return SADB_X_EALG_BLOWFISHCBC;
574 case IPSECDOI_ESP_DES_IV32: /* flags |= (SADB_X_EXT_OLD|
575 SADB_X_EXT_IV4B)*/
576 return SADB_EALG_DESCBC;
577 case IPSECDOI_ESP_NULL:
578 return SADB_EALG_NULL;
579 #ifdef SADB_X_EALG_AESCBC
580 case IPSECDOI_ESP_AES:
581 return SADB_X_EALG_AESCBC;
582 #endif
583 #ifdef SADB_X_EALG_TWOFISHCBC
584 case IPSECDOI_ESP_TWOFISH:
585 return SADB_X_EALG_TWOFISHCBC;
586 #endif
587
588 /* not supported */
589 case IPSECDOI_ESP_3IDEA:
590 case IPSECDOI_ESP_IDEA:
591 case IPSECDOI_ESP_RC4:
592 plog(ASL_LEVEL_ERR,
593 "Not supported transform: %u\n", t_id);
594 return ~0;
595
596 case 0: /* reserved */
597 default:
598 plog(ASL_LEVEL_ERR,
599 "Invalid transform id: %u\n", t_id);
600 return ~0;
601 }
602 /*NOTREACHED*/
603 }
604
605 /* IPCOMP -> SADB_CALG */
606 static u_int
607 ipsecdoi2pfkey_calg(t_id)
608 u_int t_id;
609 {
610 switch (t_id) {
611 case IPSECDOI_IPCOMP_OUI:
612 return SADB_X_CALG_OUI;
613 case IPSECDOI_IPCOMP_DEFLATE:
614 return SADB_X_CALG_DEFLATE;
615 case IPSECDOI_IPCOMP_LZS:
616 return SADB_X_CALG_LZS;
617
618 case 0: /* reserved */
619 default:
620 plog(ASL_LEVEL_ERR,
621 "Invalid transform id: %u\n", t_id);
622 return ~0;
623 }
624 /*NOTREACHED*/
625 }
626
627 /* IPSECDOI_PROTO -> SADB_SATYPE */
628 u_int
629 ipsecdoi2pfkey_proto(proto)
630 u_int proto;
631 {
632 switch (proto) {
633 case IPSECDOI_PROTO_IPSEC_AH:
634 return SADB_SATYPE_AH;
635 case IPSECDOI_PROTO_IPSEC_ESP:
636 return SADB_SATYPE_ESP;
637 case IPSECDOI_PROTO_IPCOMP:
638 return SADB_X_SATYPE_IPCOMP;
639
640 default:
641 plog(ASL_LEVEL_ERR,
642 "Invalid ipsec_doi proto: %u\n", proto);
643 return ~0;
644 }
645 /*NOTREACHED*/
646 }
647
648 static u_int
649 ipsecdoi2pfkey_alg(algclass, type)
650 u_int algclass, type;
651 {
652 switch (algclass) {
653 case IPSECDOI_ATTR_AUTH:
654 return ipsecdoi2pfkey_aalg(type);
655 case IPSECDOI_PROTO_IPSEC_ESP:
656 return ipsecdoi2pfkey_ealg(type);
657 case IPSECDOI_PROTO_IPCOMP:
658 return ipsecdoi2pfkey_calg(type);
659 default:
660 plog(ASL_LEVEL_ERR,
661 "Invalid ipsec_doi algclass: %u\n", algclass);
662 return ~0;
663 }
664 /*NOTREACHED*/
665 }
666
667 /* SADB_SATYPE -> IPSECDOI_PROTO */
668 u_int
669 pfkey2ipsecdoi_proto(satype)
670 u_int satype;
671 {
672 switch (satype) {
673 case SADB_SATYPE_AH:
674 return IPSECDOI_PROTO_IPSEC_AH;
675 case SADB_SATYPE_ESP:
676 return IPSECDOI_PROTO_IPSEC_ESP;
677 case SADB_X_SATYPE_IPCOMP:
678 return IPSECDOI_PROTO_IPCOMP;
679
680 default:
681 plog(ASL_LEVEL_ERR,
682 "Invalid pfkey proto: %u\n", satype);
683 return ~0;
684 }
685 /*NOTREACHED*/
686 }
687
688 /* IPSECDOI_ATTR_ENC_MODE -> IPSEC_MODE */
689 u_int
690 ipsecdoi2pfkey_mode(mode)
691 u_int mode;
692 {
693 switch (mode) {
694 case IPSECDOI_ATTR_ENC_MODE_TUNNEL:
695 #ifdef ENABLE_NATT
696 case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC:
697 case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT:
698 #endif
699 return IPSEC_MODE_TUNNEL;
700 case IPSECDOI_ATTR_ENC_MODE_TRNS:
701 #ifdef ENABLE_NATT
702 case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC:
703 case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT:
704 #endif
705 return IPSEC_MODE_TRANSPORT;
706 default:
707 plog(ASL_LEVEL_ERR, "Invalid mode type: %u\n", mode);
708 return ~0;
709 }
710 /*NOTREACHED*/
711 }
712
713 /* IPSECDOI_ATTR_ENC_MODE -> IPSEC_MODE */
714 u_int
715 pfkey2ipsecdoi_mode(mode)
716 u_int mode;
717 {
718 switch (mode) {
719 case IPSEC_MODE_TUNNEL:
720 return IPSECDOI_ATTR_ENC_MODE_TUNNEL;
721 case IPSEC_MODE_TRANSPORT:
722 return IPSECDOI_ATTR_ENC_MODE_TRNS;
723 case IPSEC_MODE_ANY:
724 return IPSECDOI_ATTR_ENC_MODE_ANY;
725 default:
726 plog(ASL_LEVEL_ERR, "Invalid mode type: %u\n", mode);
727 return ~0;
728 }
729 /*NOTREACHED*/
730 }
731
732 /* default key length for encryption algorithm */
733 static u_int
734 keylen_aalg(hashtype)
735 u_int hashtype;
736 {
737 int res;
738
739 if (hashtype == 0)
740 return SADB_AALG_NONE;
741
742 res = alg_ipsec_hmacdef_hashlen(hashtype);
743 if (res == -1) {
744 plog(ASL_LEVEL_ERR,
745 "invalid hmac algorithm %u.\n", hashtype);
746 return ~0;
747 }
748 return res;
749 }
750
751 /* default key length for encryption algorithm */
752 static u_int
753 keylen_ealg(enctype, encklen)
754 u_int enctype;
755 int encklen;
756 {
757 int res;
758
759 res = alg_ipsec_encdef_keylen(enctype, encklen);
760 if (res == -1) {
761 plog(ASL_LEVEL_ERR,
762 "invalid encryption algorithm %u.\n", enctype);
763 return ~0;
764 }
765 return res;
766 }
767
768 int
769 pfkey_convertfromipsecdoi(iph2, proto_id, t_id, hashtype,
770 e_type, e_keylen, a_type, a_keylen, flags)
771 phase2_handle_t *iph2;
772 u_int proto_id;
773 u_int t_id;
774 u_int hashtype;
775 u_int *e_type;
776 u_int *e_keylen;
777 u_int *a_type;
778 u_int *a_keylen;
779 u_int *flags;
780 {
781 *flags = 0;
782 switch (proto_id) {
783 case IPSECDOI_PROTO_IPSEC_ESP:
784 if ((*e_type = ipsecdoi2pfkey_ealg(t_id)) == ~0)
785 goto bad;
786 if ((*e_keylen = keylen_ealg(t_id, *e_keylen)) == ~0)
787 goto bad;
788 *e_keylen >>= 3;
789
790 if ((*a_type = ipsecdoi2pfkey_aalg(hashtype)) == ~0)
791 goto bad;
792 if ((*a_keylen = keylen_aalg(hashtype)) == ~0)
793 goto bad;
794 *a_keylen >>= 3;
795
796 if (*e_type == SADB_EALG_NONE) {
797 plog(ASL_LEVEL_ERR, "no ESP algorithm.\n");
798 goto bad;
799 }
800 break;
801
802 case IPSECDOI_PROTO_IPSEC_AH:
803 if ((*a_type = ipsecdoi2pfkey_aalg(hashtype)) == ~0)
804 goto bad;
805 if ((*a_keylen = keylen_aalg(hashtype)) == ~0)
806 goto bad;
807 *a_keylen >>= 3;
808
809 if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
810 && hashtype == IPSECDOI_ATTR_AUTH_KPDK) {
811 /* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */
812 *a_type = SADB_X_AALG_MD5;
813 *flags |= SADB_X_EXT_OLD;
814 }
815 *e_type = SADB_EALG_NONE;
816 *e_keylen = 0;
817 if (*a_type == SADB_AALG_NONE) {
818 plog(ASL_LEVEL_ERR, "no AH algorithm.\n");
819 goto bad;
820 }
821 break;
822
823 case IPSECDOI_PROTO_IPCOMP:
824 if ((*e_type = ipsecdoi2pfkey_calg(t_id)) == ~0)
825 goto bad;
826 *e_keylen = 0;
827
828 *flags = SADB_X_EXT_RAWCPI;
829
830 *a_type = SADB_AALG_NONE;
831 *a_keylen = 0;
832 if (*e_type == SADB_X_CALG_NONE) {
833 plog(ASL_LEVEL_ERR, "no IPCOMP algorithm.\n");
834 goto bad;
835 }
836 break;
837
838 default:
839 plog(ASL_LEVEL_ERR, "unknown IPsec protocol.\n");
840 goto bad;
841 }
842
843 return 0;
844
845 bad:
846 errno = EINVAL;
847 return -1;
848 }
849
850 /* called from scheduler */
851 void
852 pfkey_timeover_stub(p)
853 void *p;
854 {
855
856 pfkey_timeover((phase2_handle_t *)p);
857 }
858
859 void
860 pfkey_timeover(iph2)
861 phase2_handle_t *iph2;
862 {
863 plog(ASL_LEVEL_ERR,
864 "%s give up to get IPsec-SA due to time up to wait.\n",
865 saddrwop2str((struct sockaddr *)iph2->dst));
866 SCHED_KILL(iph2->sce);
867
868 /* If initiator side, send error to kernel by SADB_ACQUIRE. */
869 if (iph2->side == INITIATOR)
870 pk_sendeacquire(iph2);
871
872 ike_session_unlink_phase2(iph2);
873
874 return;
875 }
876
877 /*%%%*/
878 /* send getspi message per ipsec protocol per remote address */
879 /*
880 * the local address and remote address in ph1handle are dealed
881 * with destination address and source address respectively.
882 * Because SPI is decided by responder.
883 */
884 int
885 pk_sendgetspi(iph2)
886 phase2_handle_t *iph2;
887 {
888 struct sockaddr_storage *src = NULL, *dst = NULL;
889 u_int satype, mode;
890 struct saprop *pp;
891 struct saproto *pr;
892 u_int32_t minspi, maxspi;
893 int proxy = 0;
894
895 if (iph2->side == INITIATOR) {
896 pp = iph2->proposal;
897 proxy = iph2->ph1->rmconf->support_proxy;
898 } else {
899 pp = iph2->approval;
900 if (iph2->sainfo && iph2->sainfo->id_i)
901 proxy = 1;
902 }
903
904 /* for mobile IPv6 */
905 if (proxy && iph2->src_id && iph2->dst_id &&
906 ipsecdoi_transportmode(pp)) {
907 src = iph2->src_id;
908 dst = iph2->dst_id;
909 } else {
910 src = iph2->src;
911 dst = iph2->dst;
912 }
913
914 for (pr = pp->head; pr != NULL; pr = pr->next) {
915
916 /* validity check */
917 satype = ipsecdoi2pfkey_proto(pr->proto_id);
918 if (satype == ~0) {
919 plog(ASL_LEVEL_ERR,
920 "invalid proto_id %d\n", pr->proto_id);
921 return -1;
922 }
923 /* this works around a bug in Linux kernel where it allocates 4 byte
924 spi's for IPCOMP */
925 else if (satype == SADB_X_SATYPE_IPCOMP) {
926 minspi = 0x100;
927 maxspi = 0xffff;
928 }
929 else {
930 minspi = 0;
931 maxspi = 0;
932 }
933 mode = ipsecdoi2pfkey_mode(pr->encmode);
934 if (mode == ~0) {
935 plog(ASL_LEVEL_ERR,
936 "invalid encmode %d\n", pr->encmode);
937 return -1;
938 }
939
940 plog(ASL_LEVEL_DEBUG, "call pfkey_send_getspi\n");
941 if (pfkey_send_getspi(
942 lcconf->sock_pfkey,
943 satype,
944 mode,
945 dst, /* src of SA */
946 src, /* dst of SA */
947 minspi, maxspi,
948 pr->reqid_in, 0, 0, iph2->seq, 0) < 0) {
949 plog(ASL_LEVEL_ERR,
950 "ipseclib failed send getspi (%s)\n",
951 ipsec_strerror());
952 return -1;
953 }
954
955 plog(ASL_LEVEL_DEBUG,
956 "pfkey GETSPI sent: %s\n",
957 sadbsecas2str(dst, src, satype, 0, mode));
958 }
959
960 return 0;
961 }
962
963 /*
964 * receive GETSPI from kernel.
965 */
966 static int
967 pk_recvgetspi(mhp)
968 caddr_t *mhp;
969 {
970 struct sadb_msg *msg;
971 struct sadb_sa *sa;
972 phase2_handle_t *iph2;
973 struct sockaddr_storage *dst;
974 int proto_id;
975 int allspiok, notfound;
976 struct saprop *pp;
977 struct saproto *pr;
978
979 /* validity check */
980 if (mhp[SADB_EXT_SA] == NULL
981 || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
982 plog(ASL_LEVEL_ERR,
983 "Inappropriate sadb getspi message passed.\n");
984 return -1;
985 }
986 msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
987 sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA];
988 dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); /* note SA dir */
989
990 /* the message has to be processed or not ? */
991 if (msg->sadb_msg_pid != getpid()) {
992 plog(ASL_LEVEL_DEBUG,
993 "%s message is not interesting "
994 "because pid %d is not mine.\n",
995 s_pfkey_type(msg->sadb_msg_type),
996 msg->sadb_msg_pid);
997 return -1;
998 }
999
1000 iph2 = ike_session_getph2byseq(msg->sadb_msg_seq);
1001 if (iph2 == NULL) {
1002 plog(ASL_LEVEL_DEBUG,
1003 "Seq %d of %s message not interesting.\n",
1004 msg->sadb_msg_seq,
1005 s_pfkey_type(msg->sadb_msg_type));
1006 return -1;
1007 }
1008
1009 if (iph2->is_dying) {
1010 plog(ASL_LEVEL_ERR,
1011 "Status mismatch Phase 2 dying (db:%d)\n",
1012 iph2->status);
1013 return -1;
1014 }
1015
1016 switch (iph2->version) {
1017 case ISAKMP_VERSION_NUMBER_IKEV1:
1018 if (iph2->status != IKEV1_STATE_QUICK_I_GETSPISENT &&
1019 iph2->status != IKEV1_STATE_QUICK_R_GETSPISENT) {
1020 plog(ASL_LEVEL_ERR, "Status mismatch (db:%d)\n", iph2->status);
1021 return -1;
1022 }
1023 // check the underlying iph2->ph1
1024 if (!iph2->ph1) {
1025 if (!ike_session_update_ph2_ph1bind(iph2)) {
1026 plog(ASL_LEVEL_ERR,
1027 "Can't proceed with getspi for %s. no suitable ISAKMP-SA found \n",
1028 saddrwop2str((struct sockaddr *)iph2->dst));
1029 ike_session_unlink_phase2(iph2);
1030 return -1;
1031 }
1032 }
1033 break;
1034 default:
1035 plog(ASL_LEVEL_ERR, "Internal error: invalid IKE major version %d\n", iph2->version);
1036 return -1;
1037 }
1038
1039 /* set SPI, and check to get all spi whether or not */
1040 allspiok = 1;
1041 notfound = 1;
1042 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
1043 pp = iph2->side == INITIATOR ? iph2->proposal : iph2->approval;
1044
1045 for (pr = pp->head; pr != NULL; pr = pr->next) {
1046 if (pr->proto_id == proto_id && pr->spi == 0) {
1047 pr->spi = sa->sadb_sa_spi;
1048 notfound = 0;
1049 plog(ASL_LEVEL_DEBUG,
1050 "pfkey GETSPI succeeded: %s\n",
1051 sadbsecas2str(iph2->dst, iph2->src,
1052 msg->sadb_msg_satype,
1053 sa->sadb_sa_spi,
1054 ipsecdoi2pfkey_mode(pr->encmode)));
1055 }
1056 if (pr->spi == 0)
1057 allspiok = 0; /* not get all spi */
1058 }
1059
1060 if (notfound) {
1061 plog(ASL_LEVEL_ERR,
1062 "Get spi for unknown address %s\n",
1063 saddrwop2str((struct sockaddr *)iph2->dst));
1064 ike_session_unlink_phase2(iph2);
1065 return -1;
1066 }
1067
1068 if (allspiok) {
1069 switch (iph2->version) {
1070 case ISAKMP_VERSION_NUMBER_IKEV1:
1071 if (isakmp_post_getspi(iph2) < 0) {
1072 plog(ASL_LEVEL_ERR, "IKEv1 post getspi failed.\n");
1073 ike_session_unlink_phase2(iph2);
1074 iph2 = NULL;
1075 return -1;
1076 }
1077 break;
1078 }
1079 }
1080 return 0;
1081 }
1082
1083 /*
1084 * set inbound SA
1085 */
1086 int
1087 pk_sendupdate(iph2)
1088 phase2_handle_t *iph2;
1089 {
1090 struct saproto *pr;
1091 struct sockaddr_storage *src = NULL, *dst = NULL;
1092 u_int e_type, e_keylen, a_type, a_keylen, flags;
1093 u_int satype, mode;
1094 u_int64_t lifebyte = 0;
1095 u_int wsize = 4; /* XXX static size of window */
1096 int proxy = 0;
1097 struct ph2natt natt;
1098 int authtype;
1099
1100 /* sanity check */
1101 if (iph2->approval == NULL) {
1102 plog(ASL_LEVEL_ERR,
1103 "No approved SAs found.\n");
1104 }
1105
1106 if (iph2->side == INITIATOR)
1107 proxy = iph2->ph1->rmconf->support_proxy;
1108 else if (iph2->sainfo && iph2->sainfo->id_i)
1109 proxy = 1;
1110
1111 /* for mobile IPv6 */
1112 if (proxy && iph2->src_id && iph2->dst_id &&
1113 ipsecdoi_transportmode(iph2->approval)) {
1114 src = iph2->src_id;
1115 dst = iph2->dst_id;
1116 } else {
1117 src = iph2->src;
1118 dst = iph2->dst;
1119 }
1120
1121 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
1122 /* validity check */
1123 satype = ipsecdoi2pfkey_proto(pr->proto_id);
1124 if (satype == ~0) {
1125 plog(ASL_LEVEL_ERR,
1126 "Invalid proto_id %d\n", pr->proto_id);
1127 return -1;
1128 }
1129 else if (satype == SADB_X_SATYPE_IPCOMP) {
1130 /* IPCOMP has no replay window */
1131 wsize = 0;
1132 }
1133 #ifdef ENABLE_SAMODE_UNSPECIFIED
1134 mode = IPSEC_MODE_ANY;
1135 #else
1136 mode = ipsecdoi2pfkey_mode(pr->encmode);
1137 if (mode == ~0) {
1138 plog(ASL_LEVEL_ERR,
1139 "Invalid encmode %d\n", pr->encmode);
1140 return -1;
1141 }
1142 #endif
1143
1144 /* set algorithm type and key length */
1145 e_keylen = pr->head->encklen;
1146 authtype = pr->head->authtype;
1147 a_keylen = 0;
1148 if (pfkey_convertfromipsecdoi(
1149 iph2,
1150 pr->proto_id,
1151 pr->head->trns_id,
1152 authtype,
1153 &e_type, &e_keylen,
1154 &a_type, &a_keylen, &flags) < 0)
1155 return -1;
1156
1157 #if 0
1158 lifebyte = iph2->approval->lifebyte * 1024,
1159 #else
1160 lifebyte = 0;
1161 #endif
1162
1163 #ifdef ENABLE_NATT
1164 //plog(ASL_LEVEL_DEBUG, "call pfkey_send_update\n");
1165 plog(ASL_LEVEL_DEBUG, "call pfkey_send_update: e_type %d, e_klen %d, a_type %d, a_klen %d\n",
1166 e_type, e_keylen, a_type, a_keylen);
1167 if (pr->udp_encap) {
1168 memset (&natt, 0, sizeof (natt));
1169 natt.sport = extract_port (iph2->ph1->remote);
1170 flags |= SADB_X_EXT_NATT;
1171 if (iph2->ph1->rmconf->natt_multiple_user == TRUE &&
1172 mode == IPSEC_MODE_TRANSPORT &&
1173 src->ss_family == AF_INET) {
1174 flags |= SADB_X_EXT_NATT_MULTIPLEUSERS;
1175 if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
1176 // is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE
1177 flags |= SADB_X_EXT_NATT_DETECTED_PEER;
1178 }
1179 } else if (iph2->ph1->natt_flags & NAT_DETECTED_ME) {
1180 if (iph2->ph1->rmconf->natt_keepalive == TRUE)
1181 flags |= SADB_X_EXT_NATT_KEEPALIVE;
1182 } else {
1183 if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
1184 // is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE
1185 flags |= SADB_X_EXT_NATT_DETECTED_PEER;
1186 }
1187 }
1188 } else {
1189 memset (&natt, 0, sizeof (natt));
1190 }
1191
1192 if (pfkey_send_update(
1193 lcconf->sock_pfkey,
1194 satype,
1195 mode,
1196 dst,
1197 src,
1198 pr->spi,
1199 pr->reqid_in,
1200 wsize,
1201 pr->keymat->v,
1202 e_type, e_keylen, a_type, a_keylen, flags,
1203 0, lifebyte, iph2->approval->lifetime, 0,
1204 iph2->seq, natt.sport, 0) < 0) {
1205 plog(ASL_LEVEL_ERR,
1206 "libipsec failed send update (%s)\n",
1207 ipsec_strerror());
1208 return -1;
1209 }
1210 #else
1211 plog(ASL_LEVEL_DEBUG, "call pfkey_send_update\n");
1212 if (pfkey_send_update(
1213 lcconf->sock_pfkey,
1214 satype,
1215 mode,
1216 dst,
1217 src,
1218 pr->spi,
1219 pr->reqid_in,
1220 wsize,
1221 pr->keymat->v,
1222 e_type, e_keylen, a_type, a_keylen, flags,
1223 0, lifebyte, iph2->approval->lifetime, 0,
1224 iph2->seq, 0, 0) < 0) {
1225 plog(ASL_LEVEL_ERR,
1226 "libipsec failed send update (%s)\n",
1227 ipsec_strerror());
1228 return -1;
1229 }
1230 #endif /* ENABLE_NATT */
1231
1232
1233 }
1234
1235 return 0;
1236 }
1237
1238 static int
1239 pk_recvupdate(mhp)
1240 caddr_t *mhp;
1241 {
1242 struct sadb_msg *msg;
1243 struct sadb_sa *sa;
1244 struct sockaddr_storage *src, *dst;
1245 phase2_handle_t *iph2;
1246 u_int proto_id, encmode, sa_mode;
1247 int incomplete = 0;
1248 struct saproto *pr;
1249
1250 /* ignore this message because of local test mode. */
1251 if (f_local)
1252 return 0;
1253
1254 /* sanity check */
1255 if (mhp[0] == NULL
1256 || mhp[SADB_EXT_SA] == NULL
1257 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
1258 || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
1259 plog(ASL_LEVEL_ERR,
1260 "inappropriate sadb update message passed.\n");
1261 return -1;
1262 }
1263 msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
1264 src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1265 dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1266 sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA];
1267
1268 sa_mode = mhp[SADB_X_EXT_SA2] == NULL
1269 ? IPSEC_MODE_ANY
1270 : (ALIGNED_CAST(struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
1271
1272 /* the message has to be processed or not ? */
1273 if (msg->sadb_msg_pid != getpid()) {
1274 plog(ASL_LEVEL_DEBUG,
1275 "%s message is not interesting "
1276 "because pid %d is not mine.\n",
1277 s_pfkey_type(msg->sadb_msg_type),
1278 msg->sadb_msg_pid);
1279 return -1;
1280 }
1281
1282 iph2 = ike_session_getph2byseq(msg->sadb_msg_seq);
1283 if (iph2 == NULL) {
1284 plog(ASL_LEVEL_DEBUG,
1285 "Seq %d of %s message not interesting.\n",
1286 msg->sadb_msg_seq,
1287 s_pfkey_type(msg->sadb_msg_type));
1288 return -1;
1289 }
1290
1291 if (iph2->is_dying) {
1292 plog(ASL_LEVEL_ERR,
1293 "Status mismatch Phase 2 dying (db:%d)\n",
1294 iph2->status);
1295 return -1;
1296 }
1297 if (iph2->status != IKEV1_STATE_QUICK_I_ADDSA &&
1298 iph2->status != IKEV1_STATE_QUICK_R_ADDSA) {
1299 plog(ASL_LEVEL_ERR,
1300 "Status mismatch (db:%d)\n",
1301 iph2->status);
1302 return -1;
1303 }
1304
1305 /* check to complete all keys ? */
1306 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
1307 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
1308 if (proto_id == ~0) {
1309 plog(ASL_LEVEL_ERR,
1310 "invalid proto_id %d\n", msg->sadb_msg_satype);
1311 return -1;
1312 }
1313 encmode = pfkey2ipsecdoi_mode(sa_mode);
1314 if (encmode == ~0) {
1315 plog(ASL_LEVEL_ERR,
1316 "invalid encmode %d\n", sa_mode);
1317 return -1;
1318 }
1319
1320 if (pr->proto_id == proto_id
1321 && pr->spi == sa->sadb_sa_spi) {
1322 pr->ok = 1;
1323 plog(ASL_LEVEL_DEBUG,
1324 "pfkey UPDATE succeeded: %s\n",
1325 sadbsecas2str(iph2->dst, iph2->src,
1326 msg->sadb_msg_satype,
1327 sa->sadb_sa_spi,
1328 sa_mode));
1329
1330 plog(ASL_LEVEL_INFO,
1331 "IPsec-SA established: %s\n",
1332 sadbsecas2str(iph2->dst, iph2->src,
1333 msg->sadb_msg_satype, sa->sadb_sa_spi,
1334 sa_mode));
1335 }
1336
1337 if (pr->ok == 0)
1338 incomplete = 1;
1339 }
1340
1341 if (incomplete)
1342 return 0;
1343
1344 /* turn off the timer for calling pfkey_timeover() */
1345 SCHED_KILL(iph2->sce);
1346
1347 /* update status */
1348 fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_ESTABLISHED);
1349
1350 if (iph2->side == INITIATOR) {
1351 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1352 IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_SUCC,
1353 CONSTSTR("Initiator, Quick-Mode"),
1354 CONSTSTR(NULL));
1355 } else {
1356 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1357 IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_SUCC,
1358 CONSTSTR("Responder, Quick-Mode"),
1359 CONSTSTR(NULL));
1360 }
1361
1362 ike_session_ph2_established(iph2);
1363
1364 IPSECLOGASLMSG("IPSec Phase 2 established (Initiated by %s).\n",
1365 (iph2->side == INITIATOR)? "me" : "peer");
1366
1367 #ifdef ENABLE_STATS
1368 gettimeofday(&iph2->end, NULL);
1369 plog(ASL_LEVEL_NOTICE, "%s(%s): %8.6f",
1370 "Phase 2", "quick", timedelta(&iph2->start, &iph2->end));
1371 #endif
1372
1373 /* count up */
1374 if (iph2->ph1)
1375 iph2->ph1->ph2cnt++;
1376
1377 /* turn off schedule */
1378 if (iph2->scr)
1379 SCHED_KILL(iph2->scr);
1380
1381 /*
1382 * since we are going to reuse the phase2 handler, we need to
1383 * remain it and refresh all the references between ph1 and ph2 to use.
1384 */
1385 ike_session_unbindph12(iph2); //%%%%% fix this
1386
1387 iph2->sce = sched_new(iph2->approval->lifetime,
1388 isakmp_ph2expire_stub, iph2);
1389
1390 plog(ASL_LEVEL_DEBUG, "===\n");
1391 return 0;
1392 }
1393
1394 /*
1395 * set outbound SA
1396 */
1397 int
1398 pk_sendadd(iph2)
1399 phase2_handle_t *iph2;
1400 {
1401 struct saproto *pr;
1402 struct sockaddr_storage *src = NULL, *dst = NULL;
1403 u_int e_type, e_keylen, a_type, a_keylen, flags;
1404 u_int satype, mode;
1405 u_int64_t lifebyte = 0;
1406 u_int wsize = 4; /* XXX static size of window */
1407 int proxy = 0;
1408 struct ph2natt natt;
1409 int authtype;
1410
1411 /* sanity check */
1412 if (iph2->approval == NULL) {
1413 plog(ASL_LEVEL_ERR,
1414 "no approvaled SAs found.\n");
1415 }
1416
1417 if (iph2->side == INITIATOR)
1418 proxy = iph2->ph1->rmconf->support_proxy;
1419 else if (iph2->sainfo && iph2->sainfo->id_i)
1420 proxy = 1;
1421
1422 /* for mobile IPv6 */
1423 if (proxy && iph2->src_id && iph2->dst_id &&
1424 ipsecdoi_transportmode(iph2->approval)) {
1425 src = iph2->src_id;
1426 dst = iph2->dst_id;
1427 } else {
1428 src = iph2->src;
1429 dst = iph2->dst;
1430 }
1431
1432 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
1433 /* validity check */
1434 satype = ipsecdoi2pfkey_proto(pr->proto_id);
1435 if (satype == ~0) {
1436 plog(ASL_LEVEL_ERR,
1437 "invalid proto_id %d\n", pr->proto_id);
1438 return -1;
1439 }
1440 else if (satype == SADB_X_SATYPE_IPCOMP) {
1441 /* no replay window for IPCOMP */
1442 wsize = 0;
1443 }
1444 #ifdef ENABLE_SAMODE_UNSPECIFIED
1445 mode = IPSEC_MODE_ANY;
1446 #else
1447 mode = ipsecdoi2pfkey_mode(pr->encmode);
1448 if (mode == ~0) {
1449 plog(ASL_LEVEL_ERR,
1450 "invalid encmode %d\n", pr->encmode);
1451 return -1;
1452 }
1453 #endif
1454
1455 /* set algorithm type and key length */
1456 e_keylen = pr->head->encklen;
1457 authtype = pr->head->authtype;
1458 a_keylen = 0;
1459 if (pfkey_convertfromipsecdoi(
1460 iph2,
1461 pr->proto_id,
1462 pr->head->trns_id,
1463 authtype,
1464 &e_type, &e_keylen,
1465 &a_type, &a_keylen, &flags) < 0)
1466 return -1;
1467
1468 #if 0
1469 lifebyte = iph2->approval->lifebyte * 1024,
1470 #else
1471 lifebyte = 0;
1472 #endif
1473
1474 #ifdef ENABLE_NATT
1475 //plog(ASL_LEVEL_DEBUG, "call pfkey_send_add\n");
1476 plog(ASL_LEVEL_DEBUG, "call pfkey_send_add: e_type %d, e_klen %d, a_type %d, a_klen %d\n",
1477 e_type, e_keylen, a_type, a_keylen);
1478
1479 if (pr->udp_encap) {
1480 memset (&natt, 0, sizeof (natt));
1481 natt.dport = extract_port (iph2->ph1->remote);
1482 flags |= SADB_X_EXT_NATT;
1483 if (iph2->ph1->rmconf->natt_multiple_user == TRUE &&
1484 mode == IPSEC_MODE_TRANSPORT &&
1485 src->ss_family == AF_INET) {
1486 flags |= SADB_X_EXT_NATT_MULTIPLEUSERS;
1487 if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
1488 // is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE
1489 flags |= SADB_X_EXT_NATT_DETECTED_PEER;
1490 }
1491 } else if (iph2->ph1->natt_flags & NAT_DETECTED_ME) {
1492 if (iph2->ph1->rmconf->natt_keepalive == TRUE)
1493 flags |= SADB_X_EXT_NATT_KEEPALIVE;
1494 } else {
1495 if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
1496 // is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE
1497 flags |= SADB_X_EXT_NATT_DETECTED_PEER;
1498 }
1499 }
1500 } else {
1501 memset (&natt, 0, sizeof (natt));
1502
1503 /* Remove port information, that SA doesn't use it */
1504 //set_port(src, 0);
1505 //set_port(dst, 0);
1506 }
1507
1508 if (pfkey_send_add(
1509 lcconf->sock_pfkey,
1510 satype,
1511 mode,
1512 src,
1513 dst,
1514 pr->spi_p,
1515 pr->reqid_out,
1516 wsize,
1517 pr->keymat_p->v,
1518 e_type, e_keylen, a_type, a_keylen, flags,
1519 0, lifebyte, iph2->approval->lifetime, 0,
1520 iph2->seq,natt.dport, 0) < 0) {
1521 plog(ASL_LEVEL_ERR,
1522 "libipsec failed send add (%s)\n",
1523 ipsec_strerror());
1524 return -1;
1525 }
1526 #else
1527 plog(ASL_LEVEL_DEBUG, "call pfkey_send_add\n");
1528
1529 /* Remove port information, it is not used without NAT-T */
1530 //set_port(src, 0);
1531 //set_port(dst, 0);
1532
1533 if (pfkey_send_add(
1534 lcconf->sock_pfkey,
1535 satype,
1536 mode,
1537 src,
1538 dst,
1539 pr->spi_p,
1540 pr->reqid_out,
1541 wsize,
1542 pr->keymat_p->v,
1543 e_type, e_keylen, a_type, a_keylen, flags,
1544 0, lifebyte, iph2->approval->lifetime, 0,
1545 iph2->seq, 0, 0) < 0) {
1546 plog(ASL_LEVEL_ERR,
1547 "libipsec failed send add (%s)\n",
1548 ipsec_strerror());
1549 return -1;
1550 }
1551 #endif /* ENABLE_NATT */
1552 }
1553
1554 return 0;
1555 }
1556
1557 static int
1558 pk_recvadd(mhp)
1559 caddr_t *mhp;
1560 {
1561 struct sadb_msg *msg;
1562 struct sadb_sa *sa;
1563 struct sockaddr_storage *src, *dst;
1564 phase2_handle_t *iph2;
1565 u_int sa_mode;
1566
1567 /* ignore this message because of local test mode. */
1568 if (f_local)
1569 return 0;
1570
1571 /* sanity check */
1572 if (mhp[0] == NULL
1573 || mhp[SADB_EXT_SA] == NULL
1574 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
1575 || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
1576 plog(ASL_LEVEL_ERR,
1577 "inappropriate sadb add message passed.\n");
1578 return -1;
1579 }
1580 msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
1581 src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1582 dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1583 sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA];
1584
1585 sa_mode = mhp[SADB_X_EXT_SA2] == NULL
1586 ? IPSEC_MODE_ANY
1587 : (ALIGNED_CAST(struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
1588
1589 /* the message has to be processed or not ? */
1590 if (msg->sadb_msg_pid != getpid()) {
1591 plog(ASL_LEVEL_DEBUG,
1592 "%s message is not interesting "
1593 "because pid %d is not mine.\n",
1594 s_pfkey_type(msg->sadb_msg_type),
1595 msg->sadb_msg_pid);
1596 return -1;
1597 }
1598
1599 iph2 = ike_session_getph2byseq(msg->sadb_msg_seq);
1600 if (iph2 == NULL) {
1601 plog(ASL_LEVEL_DEBUG,
1602 "seq %d of %s message not interesting.\n",
1603 msg->sadb_msg_seq,
1604 s_pfkey_type(msg->sadb_msg_type));
1605 return -1;
1606 }
1607 /*
1608 * NOTE don't update any status of phase2 handle
1609 * because they must be updated by SADB_UPDATE message
1610 */
1611
1612 plog(ASL_LEVEL_INFO,
1613 "IPsec-SA established: %s\n",
1614 sadbsecas2str(iph2->src, iph2->dst,
1615 msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode));
1616
1617 ike_session_cleanup_other_established_ph2s(iph2->parent_session, iph2);
1618
1619 #ifdef ENABLE_VPNCONTROL_PORT
1620 {
1621 vpncontrol_notify_phase_change(0, FROM_LOCAL, NULL, iph2);
1622 }
1623 #endif
1624
1625 plog(ASL_LEVEL_DEBUG, "===\n");
1626 return 0;
1627 }
1628
1629 static int
1630 pk_recvexpire(mhp)
1631 caddr_t *mhp;
1632 {
1633 struct sadb_msg *msg;
1634 struct sadb_sa *sa;
1635 struct sockaddr_storage *src, *dst;
1636 phase2_handle_t *iph2;
1637 u_int proto_id, sa_mode;
1638
1639 /* sanity check */
1640 if (mhp[0] == NULL
1641 || mhp[SADB_EXT_SA] == NULL
1642 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
1643 || mhp[SADB_EXT_ADDRESS_DST] == NULL
1644 || (mhp[SADB_EXT_LIFETIME_HARD] != NULL
1645 && mhp[SADB_EXT_LIFETIME_SOFT] != NULL)) {
1646 plog(ASL_LEVEL_ERR,
1647 "inappropriate sadb expire message passed.\n");
1648 return -1;
1649 }
1650 msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
1651 sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA];
1652 src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1653 dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1654
1655 sa_mode = mhp[SADB_X_EXT_SA2] == NULL
1656 ? IPSEC_MODE_ANY
1657 : (ALIGNED_CAST(struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
1658
1659 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
1660 if (proto_id == ~0) {
1661 plog(ASL_LEVEL_ERR,
1662 "invalid proto_id %d\n", msg->sadb_msg_satype);
1663 return -1;
1664 }
1665
1666 plog(ASL_LEVEL_INFO,
1667 "IPsec-SA expired: %s\n",
1668 sadbsecas2str(src, dst,
1669 msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode));
1670
1671 iph2 = ike_session_getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
1672 if (iph2 == NULL) {
1673 /*
1674 * Ignore it because two expire messages are come up.
1675 * phase2 handler has been deleted already when 2nd message
1676 * is received.
1677 */
1678 plog(ASL_LEVEL_DEBUG,
1679 "no such a SA found: %s\n",
1680 sadbsecas2str(src, dst,
1681 msg->sadb_msg_satype, sa->sadb_sa_spi,
1682 sa_mode));
1683 return 0;
1684 }
1685 if (iph2->is_dying || !FSM_STATE_IS_ESTABLISHED(iph2->status)) {
1686 /*
1687 * If the status is not equal to PHASE2ST_ESTABLISHED,
1688 * racoon ignores this expire message. There are two reason.
1689 * One is that the phase 2 probably starts because there is
1690 * a potential that racoon receives the acquire message
1691 * without receiving a expire message. Another is that racoon
1692 * may receive the multiple expire messages from the kernel.
1693 */
1694 plog(ASL_LEVEL_WARNING,
1695 "The expire message is received but the handler %s (status = 0x%x).\n",
1696 iph2->is_dying ? "is dying" : "has not been established", iph2->status);
1697 return 0;
1698 }
1699
1700 /* turn off the timer for calling isakmp_ph2expire() */
1701 SCHED_KILL(iph2->sce);
1702
1703 fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_EXPIRED);
1704
1705 /* INITIATOR, begin phase 2 exchange only if there's no other established ph2. */
1706 /* allocate buffer for status management of pfkey message */
1707 if (iph2->side == INITIATOR &&
1708 !ike_session_has_other_established_ph2(iph2->parent_session, iph2) &&
1709 !ike_session_drop_rekey(iph2->parent_session, IKE_SESSION_REKEY_TYPE_PH2)) {
1710
1711 ike_session_initph2(iph2);
1712
1713 /* start isakmp initiation by using ident exchange */
1714 if (isakmp_post_acquire(iph2) < 0) {
1715 plog(ASL_LEVEL_ERR,
1716 "failed to begin ipsec sa "
1717 "re-negotiation.\n");
1718 ike_session_unlink_phase2(iph2);
1719 return -1;
1720 }
1721
1722 return 0;
1723 /*NOTREACHED*/
1724 }
1725
1726
1727 /* If not received SADB_EXPIRE, INITIATOR delete ph2handle. */
1728 /* RESPONDER always delete ph2handle, keep silent. RESPONDER doesn't
1729 * manage IPsec SA, so delete the list */
1730 ike_session_unlink_phase2(iph2);
1731
1732 return 0;
1733 }
1734
1735 static int
1736 pk_recvacquire(mhp)
1737 caddr_t *mhp;
1738 {
1739 struct sadb_msg *msg;
1740 struct sadb_x_policy *xpl;
1741 struct secpolicy *sp_out = NULL, *sp_in = NULL;
1742 phase2_handle_t *iph2;
1743 struct sockaddr_storage *src, *dst;
1744 ike_session_t *session = NULL;
1745 struct remoteconf *rmconf;
1746
1747 /* ignore this message because of local test mode. */
1748 if (f_local)
1749 return 0;
1750
1751 /* sanity check */
1752 if (mhp[0] == NULL
1753 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
1754 || mhp[SADB_EXT_ADDRESS_DST] == NULL
1755 || mhp[SADB_X_EXT_POLICY] == NULL) {
1756 plog(ASL_LEVEL_ERR,
1757 "inappropriate sadb acquire message passed.\n");
1758 return -1;
1759 }
1760 msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
1761 xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
1762 src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1763 dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1764
1765 /* ignore if type is not IPSEC_POLICY_IPSEC */
1766 if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
1767 plog(ASL_LEVEL_DEBUG,
1768 "ignore ACQUIRE message. type is not IPsec.\n");
1769 return 0;
1770 }
1771
1772 /* ignore it if src is multicast address */
1773 {
1774 struct sockaddr_storage *sa = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1775
1776 if ((sa->ss_family == AF_INET
1777 && IN_MULTICAST(ntohl(((struct sockaddr_in *)sa)->sin_addr.s_addr)))
1778 #ifdef INET6
1779 || (sa->ss_family == AF_INET6
1780 && IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)sa)->sin6_addr))
1781 #endif
1782 ) {
1783 plog(ASL_LEVEL_DEBUG,
1784 "ignore due to multicast address: %s.\n",
1785 saddrwop2str((struct sockaddr *)sa));
1786 return 0;
1787 }
1788 }
1789
1790 /* ignore, if we do not listen on source address */
1791 {
1792 /* reasons behind:
1793 * - if we'll contact peer from address we do not listen -
1794 * we will be unable to complete negotiation;
1795 * - if we'll negotiate using address we're listening -
1796 * remote peer will send packets to address different
1797 * than one in the policy, so kernel will drop them;
1798 * => therefore this acquire is not for us! --Aidas
1799 */
1800 // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
1801 struct sockaddr_storage *sa = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1802 struct myaddrs *p;
1803 int do_listen = 0;
1804 char * str;
1805 for (p = lcconf->myaddrs; p; p = p->next) {
1806 str = saddr2str((struct sockaddr *)p->addr);
1807 plog(ASL_LEVEL_DEBUG,
1808 "checking listen addrs: %s", str);
1809
1810 if (!cmpsaddrwop(p->addr, sa)) {
1811 do_listen = 1;
1812 break;
1813 }
1814 }
1815
1816 if (!do_listen) {
1817 plog(ASL_LEVEL_DEBUG,
1818 "ignore because do not listen on source address : %s.\n",
1819 saddrwop2str((struct sockaddr *)sa));
1820 return 0;
1821 }
1822 }
1823
1824 /*
1825 * If there is a phase 2 handler against the policy identifier in
1826 * the acquire message, and if
1827 * 1. its state is less than PHASE2ST_ESTABLISHED, then racoon
1828 * should ignore such a acquire message because the phase 2
1829 * is just negotiating.
1830 * 2. its state is equal to PHASE2ST_ESTABLISHED, then racoon
1831 * has to process such a acquire message because racoon may
1832 * have lost the expire message.
1833 */
1834 iph2 = ike_session_getph2byid(src, dst, xpl->sadb_x_policy_id);
1835 if (iph2 != NULL) {
1836 session = iph2->parent_session;
1837 if (!FSM_STATE_IS_ESTABLISHED(iph2->status)) {
1838 plog(ASL_LEVEL_DEBUG,
1839 "ignore the acquire because ph2 found\n");
1840 return -1;
1841 }
1842 if (FSM_STATE_IS_EXPIRED(iph2->status))
1843 iph2 = NULL;
1844 /*FALLTHROUGH*/
1845 }
1846
1847 /* search for proper policyindex */
1848 sp_out = getspbyspid(xpl->sadb_x_policy_id);
1849 if (sp_out == NULL) {
1850 plog(ASL_LEVEL_ERR, "no policy found: id:%d.\n",
1851 xpl->sadb_x_policy_id);
1852 return -1;
1853 }
1854 plog(ASL_LEVEL_DEBUG,
1855 "suitable outbound SP found: %s.\n", spidx2str(&sp_out->spidx));
1856
1857 /* get inbound policy */
1858 {
1859 struct policyindex spidx;
1860
1861 spidx.dir = IPSEC_DIR_INBOUND;
1862 memcpy(&spidx.src, &sp_out->spidx.dst, sizeof(spidx.src));
1863 memcpy(&spidx.dst, &sp_out->spidx.src, sizeof(spidx.dst));
1864 spidx.prefs = sp_out->spidx.prefd;
1865 spidx.prefd = sp_out->spidx.prefs;
1866 spidx.ul_proto = sp_out->spidx.ul_proto;
1867
1868 sp_in = getsp(&spidx);
1869 if (sp_in) {
1870 plog(ASL_LEVEL_DEBUG,
1871 "Suitable inbound SP found: %s.\n",
1872 spidx2str(&sp_in->spidx));
1873 } else {
1874 plog(ASL_LEVEL_NOTICE,
1875 "No in-bound policy found: %s\n",
1876 spidx2str(&spidx));
1877 }
1878 }
1879
1880 /* allocate a phase 2 */
1881 rmconf = getrmconf(dst);
1882 if (rmconf == NULL) {
1883 plog(ASL_LEVEL_ERR, "No configuration found for %s.\n",
1884 saddrwop2str((struct sockaddr *)dst));
1885 return -1;
1886 }
1887
1888 iph2 = ike_session_newph2(rmconf->ike_version, PHASE2_TYPE_SA);
1889 if (iph2 == NULL) {
1890 plog(ASL_LEVEL_ERR,
1891 "Failed to allocate Phase 2 entry.\n");
1892 return -1;
1893 }
1894 plog(ASL_LEVEL_DEBUG, "Got new Phase 2 version %d\n", iph2->version);
1895 iph2->version = rmconf->ike_version;
1896 iph2->side = INITIATOR;
1897 iph2->spid = xpl->sadb_x_policy_id;
1898
1899 iph2->satype = msg->sadb_msg_satype;
1900 iph2->seq = msg->sadb_msg_seq;
1901 vpncontrol_set_nat64_prefix(&iph2->nat64_prefix);
1902 /* set end addresses of SA */
1903 // Wcast_align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
1904 iph2->src = dupsaddr(ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]));
1905 if (iph2->src == NULL) {
1906 ike_session_delph2(iph2);
1907 return -1;
1908 }
1909 iph2->dst = dupsaddr(ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]));
1910 if (iph2->dst == NULL) {
1911 ike_session_delph2(iph2);
1912 return -1;
1913 }
1914
1915 if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) {
1916 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_START);
1917 }
1918
1919 plog(ASL_LEVEL_DEBUG,
1920 "new acquire %s\n", spidx2str(&sp_out->spidx));
1921
1922 /* get sainfo */
1923 {
1924 vchar_t *idsrc, *iddst;
1925
1926 idsrc = ipsecdoi_sockaddr2id(&sp_out->spidx.src,
1927 sp_out->spidx.prefs, sp_out->spidx.ul_proto);
1928 if (idsrc == NULL) {
1929 plog(ASL_LEVEL_ERR,
1930 "failed to get ID for %s\n",
1931 spidx2str(&sp_out->spidx));
1932 ike_session_delph2(iph2);
1933 return -1;
1934 }
1935 iddst = ipsecdoi_sockaddr2id(&sp_out->spidx.dst,
1936 sp_out->spidx.prefd, sp_out->spidx.ul_proto);
1937 if (iddst == NULL) {
1938 plog(ASL_LEVEL_ERR,
1939 "failed to get ID for %s\n",
1940 spidx2str(&sp_out->spidx));
1941 vfree(idsrc);
1942 ike_session_delph2(iph2);
1943 return -1;
1944 }
1945 iph2->sainfo = getsainfo(idsrc, iddst, NULL, 0);
1946 vfree(idsrc);
1947 vfree(iddst);
1948 if (iph2->sainfo == NULL) {
1949 plog(ASL_LEVEL_ERR,
1950 "failed to get sainfo.\n");
1951 ike_session_delph2(iph2);
1952 return -1;
1953 /* XXX should use the algorithm list from register message */
1954 }
1955 }
1956 retain_sainfo(iph2->sainfo);
1957
1958 if (set_proposal_from_policy(iph2, sp_out, sp_in) < 0) {
1959 plog(ASL_LEVEL_ERR,
1960 "failed to create saprop.\n");
1961 ike_session_delph2(iph2);
1962 return -1;
1963 }
1964
1965 if (session == NULL)
1966 session = ike_session_get_session(iph2->src, iph2->dst, 1, NULL);
1967 if (session == NULL)
1968 fatal_error(-1);
1969
1970 if (ike_session_link_phase2(session, iph2))
1971 fatal_error(-1); //????? fix ???
1972
1973 /* start isakmp initiation by using ident exchange */
1974 /* XXX should be looped if there are multiple phase 2 handler. */
1975 if (isakmp_post_acquire(iph2) < 0) {
1976 plog(ASL_LEVEL_ERR,
1977 "failed to begin ipsec sa negotiation.\n");
1978 goto err;
1979 }
1980
1981 #if !TARGET_OS_EMBEDDED
1982 if ( lcconf->vt == NULL){
1983 if (!(lcconf->vt = vproc_transaction_begin(NULL)))
1984 plog(ASL_LEVEL_ERR,
1985 "vproc_transaction_begin returns NULL.\n");
1986 }
1987 #endif
1988
1989
1990 return 0;
1991
1992 err:
1993 ike_session_unlink_phase2(iph2);
1994 return -1;
1995 }
1996
1997 static int
1998 pk_recvdelete(mhp)
1999 caddr_t *mhp;
2000 {
2001 struct sadb_msg *msg;
2002 struct sadb_sa *sa;
2003 struct sockaddr_storage *src, *dst;
2004 phase2_handle_t *iph2 = NULL;
2005 u_int proto_id;
2006
2007 /* ignore this message because of local test mode. */
2008 if (f_local)
2009 return 0;
2010
2011 /* sanity check */
2012 if (mhp[0] == NULL
2013 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
2014 || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
2015 plog(ASL_LEVEL_ERR,
2016 "inappropriate sadb delete message passed.\n");
2017 return -1;
2018 }
2019 msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
2020 sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA];
2021 src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
2022 dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
2023
2024 /* the message has to be processed or not ? */
2025 if (msg->sadb_msg_pid == getpid()) {
2026 plog(ASL_LEVEL_DEBUG,
2027 "%s message is not interesting "
2028 "because the message was originated by me.\n",
2029 s_pfkey_type(msg->sadb_msg_type));
2030 return -1;
2031 }
2032
2033 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
2034 if (proto_id == ~0) {
2035 plog(ASL_LEVEL_ERR,
2036 "invalid proto_id %d\n", msg->sadb_msg_satype);
2037 return -1;
2038 }
2039
2040 plog(ASL_LEVEL_DEBUG, "SADB delete message: proto-id %d\n", proto_id);
2041 plog(ASL_LEVEL_DEBUG, "src: %s\n", saddr2str((struct sockaddr *)src));
2042 plog(ASL_LEVEL_DEBUG, "dst: %s\n", saddr2str((struct sockaddr *)dst));
2043
2044 if (!sa) {
2045 ike_session_deleteallph2(src, dst, proto_id);
2046 ike_session_deleteallph1(src, dst);
2047 return 0;
2048 }
2049
2050 iph2 = ike_session_getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
2051 if (iph2 == NULL) {
2052 /* ignore */
2053 plog(ASL_LEVEL_ERR,
2054 "no iph2 found: %s\n",
2055 sadbsecas2str(src, dst, msg->sadb_msg_satype,
2056 sa->sadb_sa_spi, IPSEC_MODE_ANY));
2057 return 0;
2058 }
2059
2060 plog(ASL_LEVEL_ERR,
2061 "pfkey DELETE received: %s\n",
2062 sadbsecas2str(iph2->src, iph2->dst,
2063 msg->sadb_msg_satype, sa->sadb_sa_spi, IPSEC_MODE_ANY));
2064
2065 /* send delete information */
2066
2067 /* TODO: Look into handling this properly. Currently, if we get here, we can end up sending delete messages to the server for their own SAs, which is rejected. */
2068 /*if (FSM_STATE_IS_ESTABLISHED(iph2->status))
2069 isakmp_info_send_d2(iph2);
2070
2071 ike_session_cleanup_ph1s_by_ph2(iph2);
2072 ike_session_unlink_phase2(iph2);*/
2073
2074 return 0;
2075 }
2076
2077 static int
2078 pk_recvflush(mhp)
2079 caddr_t *mhp;
2080 {
2081 /* sanity check */
2082 if (mhp[0] == NULL) {
2083 plog(ASL_LEVEL_ERR,
2084 "inappropriate sadb flush message passed.\n");
2085 return -1;
2086 }
2087
2088 ike_session_flush_all_phase2(false);
2089 ike_session_flush_all_phase1(false);
2090
2091 return 0;
2092 }
2093
2094 static int
2095 getsadbpolicy(policy0, policylen0, type, iph2)
2096 caddr_t *policy0;
2097 int *policylen0, type;
2098 phase2_handle_t *iph2;
2099 {
2100 struct policyindex *spidx = iph2->spidx_gen;
2101 struct sadb_x_policy *xpl;
2102 struct sadb_x_ipsecrequest *xisr;
2103 struct saproto *pr;
2104 caddr_t policy, p;
2105 int policylen;
2106 int xisrlen;
2107 u_int satype, mode;
2108
2109 /* get policy buffer size */
2110 policylen = sizeof(struct sadb_x_policy);
2111 if (type != SADB_X_SPDDELETE) {
2112 for (pr = iph2->approval->head; pr; pr = pr->next) {
2113 xisrlen = sizeof(*xisr);
2114 if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
2115 xisrlen += (sysdep_sa_len((struct sockaddr *)iph2->src)
2116 + sysdep_sa_len((struct sockaddr *)iph2->dst));
2117 }
2118
2119 policylen += PFKEY_ALIGN8(xisrlen);
2120 }
2121 }
2122
2123 /* make policy structure */
2124 policy = racoon_malloc(policylen);
2125 if (!policy) {
2126 plog(ASL_LEVEL_ERR,
2127 "buffer allocation failed.\n");
2128 return -1;
2129 }
2130
2131 xpl = ALIGNED_CAST(struct sadb_x_policy *)policy;
2132 xpl->sadb_x_policy_len = PFKEY_UNIT64(policylen);
2133 xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2134 xpl->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
2135 xpl->sadb_x_policy_dir = spidx->dir;
2136 xpl->sadb_x_policy_id = 0;
2137 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2138 xpl->sadb_x_policy_priority = PRIORITY_DEFAULT;
2139 #endif
2140
2141 /* no need to append policy information any more if type is SPDDELETE */
2142 if (type == SADB_X_SPDDELETE)
2143 goto end;
2144
2145 xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
2146
2147 for (pr = iph2->approval->head; pr; pr = pr->next) {
2148
2149 satype = doi2ipproto(pr->proto_id);
2150 if (satype == ~0) {
2151 plog(ASL_LEVEL_ERR,
2152 "invalid proto_id %d\n", pr->proto_id);
2153 goto err;
2154 }
2155 mode = ipsecdoi2pfkey_mode(pr->encmode);
2156 if (mode == ~0) {
2157 plog(ASL_LEVEL_ERR,
2158 "invalid encmode %d\n", pr->encmode);
2159 goto err;
2160 }
2161
2162 /*
2163 * the policy level cannot be unique because the policy
2164 * is defined later than SA, so req_id cannot be bound to SA.
2165 */
2166 xisr->sadb_x_ipsecrequest_proto = satype;
2167 xisr->sadb_x_ipsecrequest_mode = mode;
2168 xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE;
2169 xisr->sadb_x_ipsecrequest_reqid = 0;
2170 p = (caddr_t)(xisr + 1);
2171
2172 xisrlen = sizeof(*xisr);
2173
2174 if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
2175 int src_len, dst_len;
2176
2177 src_len = sysdep_sa_len((struct sockaddr *)iph2->src);
2178 dst_len = sysdep_sa_len((struct sockaddr *)iph2->dst);
2179 xisrlen += src_len + dst_len;
2180
2181 memcpy(p, iph2->src, src_len);
2182 p += src_len;
2183
2184 memcpy(p, iph2->dst, dst_len);
2185 p += dst_len;
2186 }
2187
2188 xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen);
2189 }
2190
2191 end:
2192 *policy0 = policy;
2193 *policylen0 = policylen;
2194
2195 return 0;
2196
2197 err:
2198 if (policy)
2199 racoon_free(policy);
2200
2201 return -1;
2202 }
2203
2204 int
2205 pk_sendspdupdate2(iph2)
2206 phase2_handle_t *iph2;
2207 {
2208 struct policyindex *spidx = iph2->spidx_gen;
2209 caddr_t policy = NULL;
2210 int policylen = 0;
2211 u_int64_t ltime, vtime;
2212
2213 ltime = iph2->approval->lifetime;
2214 vtime = 0;
2215
2216 if (getsadbpolicy(&policy, &policylen, SADB_X_SPDUPDATE, iph2)) {
2217 plog(ASL_LEVEL_ERR,
2218 "getting sadb policy failed.\n");
2219 return -1;
2220 }
2221
2222 if (pfkey_send_spdupdate2(
2223 lcconf->sock_pfkey,
2224 &spidx->src,
2225 spidx->prefs,
2226 &spidx->dst,
2227 spidx->prefd,
2228 spidx->ul_proto,
2229 ltime, vtime,
2230 policy, policylen, 0) < 0) {
2231 plog(ASL_LEVEL_ERR,
2232 "libipsec failed send spdupdate2 (%s)\n",
2233 ipsec_strerror());
2234 goto end;
2235 }
2236 plog(ASL_LEVEL_DEBUG, "call pfkey_send_spdupdate2\n");
2237
2238 end:
2239 if (policy)
2240 racoon_free(policy);
2241
2242 return 0;
2243 }
2244
2245 static int
2246 pk_recvspdupdate(mhp)
2247 caddr_t *mhp;
2248 {
2249 struct sadb_address *saddr, *daddr;
2250 struct sadb_x_policy *xpl;
2251 struct policyindex spidx;
2252 struct secpolicy *sp;
2253
2254 /* sanity check */
2255 if (mhp[0] == NULL
2256 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
2257 || mhp[SADB_EXT_ADDRESS_DST] == NULL
2258 || mhp[SADB_X_EXT_POLICY] == NULL) {
2259 plog(ASL_LEVEL_ERR,
2260 "inappropriate sadb spdupdate message passed.\n");
2261 return -1;
2262 }
2263 saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
2264 daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2265 xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2266
2267 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2268 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2269 saddr + 1,
2270 daddr + 1,
2271 saddr->sadb_address_prefixlen,
2272 daddr->sadb_address_prefixlen,
2273 saddr->sadb_address_proto,
2274 xpl->sadb_x_policy_priority,
2275 &spidx);
2276 #else
2277 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2278 saddr + 1,
2279 daddr + 1,
2280 saddr->sadb_address_prefixlen,
2281 daddr->sadb_address_prefixlen,
2282 saddr->sadb_address_proto,
2283 &spidx);
2284 #endif
2285
2286 sp = getsp(&spidx);
2287 if (sp == NULL) {
2288 plog(ASL_LEVEL_ERR,
2289 "such policy does not already exist: \"%s\"\n",
2290 spidx2str(&spidx));
2291 } else {
2292 remsp(sp);
2293 delsp(sp);
2294 }
2295
2296 if (addnewsp(mhp) < 0)
2297 return -1;
2298
2299 return 0;
2300 }
2301
2302 /*
2303 * this function has to be used by responder side.
2304 */
2305 int
2306 pk_sendspdadd2(iph2)
2307 phase2_handle_t *iph2;
2308 {
2309 struct policyindex *spidx = iph2->spidx_gen;
2310 caddr_t policy = NULL;
2311 int policylen = 0;
2312 u_int64_t ltime, vtime;
2313
2314 ltime = iph2->approval->lifetime;
2315 vtime = 0;
2316
2317 if (getsadbpolicy(&policy, &policylen, SADB_X_SPDADD, iph2)) {
2318 plog(ASL_LEVEL_ERR,
2319 "getting sadb policy failed.\n");
2320 return -1;
2321 }
2322
2323 if (pfkey_send_spdadd2(
2324 lcconf->sock_pfkey,
2325 &spidx->src,
2326 spidx->prefs,
2327 &spidx->dst,
2328 spidx->prefd,
2329 spidx->ul_proto,
2330 ltime, vtime,
2331 policy, policylen, 0) < 0) {
2332 plog(ASL_LEVEL_ERR,
2333 "libipsec failed send spdadd2 (%s)\n",
2334 ipsec_strerror());
2335 goto end;
2336 }
2337 plog(ASL_LEVEL_DEBUG, "call pfkey_send_spdadd2\n");
2338
2339 end:
2340 if (policy)
2341 racoon_free(policy);
2342
2343 return 0;
2344 }
2345
2346 static int
2347 pk_recvspdadd(mhp)
2348 caddr_t *mhp;
2349 {
2350 struct sadb_address *saddr, *daddr;
2351 struct sadb_x_policy *xpl;
2352 struct policyindex spidx;
2353 struct secpolicy *sp;
2354
2355 /* sanity check */
2356 if (mhp[0] == NULL
2357 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
2358 || mhp[SADB_EXT_ADDRESS_DST] == NULL
2359 || mhp[SADB_X_EXT_POLICY] == NULL) {
2360 plog(ASL_LEVEL_ERR,
2361 "inappropriate sadb spdadd message passed.\n");
2362 return -1;
2363 }
2364 saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
2365 daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2366 xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2367
2368 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2369 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2370 saddr + 1,
2371 daddr + 1,
2372 saddr->sadb_address_prefixlen,
2373 daddr->sadb_address_prefixlen,
2374 saddr->sadb_address_proto,
2375 xpl->sadb_x_policy_priority,
2376 &spidx);
2377 #else
2378 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2379 saddr + 1,
2380 daddr + 1,
2381 saddr->sadb_address_prefixlen,
2382 daddr->sadb_address_prefixlen,
2383 saddr->sadb_address_proto,
2384 &spidx);
2385 #endif
2386
2387 sp = getsp(&spidx);
2388 if (sp != NULL) {
2389 plog(ASL_LEVEL_ERR,
2390 "such policy already exists. "
2391 "anyway replace it: %s\n",
2392 spidx2str(&spidx));
2393 remsp(sp);
2394 delsp(sp);
2395 }
2396
2397 if (addnewsp(mhp) < 0)
2398 return -1;
2399
2400 return 0;
2401 }
2402
2403 /*
2404 * this function has to be used by responder side.
2405 */
2406 int
2407 pk_sendspddelete(iph2)
2408 phase2_handle_t *iph2;
2409 {
2410 struct policyindex *spidx = iph2->spidx_gen;
2411 caddr_t policy = NULL;
2412 int policylen;
2413
2414 if (getsadbpolicy(&policy, &policylen, SADB_X_SPDDELETE, iph2)) {
2415 plog(ASL_LEVEL_ERR,
2416 "getting sadb policy failed.\n");
2417 return -1;
2418 }
2419
2420 if (pfkey_send_spddelete(
2421 lcconf->sock_pfkey,
2422 &spidx->src,
2423 spidx->prefs,
2424 &spidx->dst,
2425 spidx->prefd,
2426 spidx->ul_proto,
2427 policy, policylen, 0) < 0) {
2428 plog(ASL_LEVEL_ERR,
2429 "libipsec failed send spddelete (%s)\n",
2430 ipsec_strerror());
2431 goto end;
2432 }
2433 plog(ASL_LEVEL_DEBUG, "call pfkey_send_spddelete\n");
2434
2435 end:
2436 if (policy)
2437 racoon_free(policy);
2438
2439 return 0;
2440 }
2441
2442 static int
2443 pk_recvspddelete(mhp)
2444 caddr_t *mhp;
2445 {
2446 struct sadb_address *saddr, *daddr;
2447 struct sadb_x_policy *xpl;
2448 struct policyindex spidx;
2449 struct secpolicy *sp;
2450
2451 /* sanity check */
2452 if (mhp[0] == NULL
2453 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
2454 || mhp[SADB_EXT_ADDRESS_DST] == NULL
2455 || mhp[SADB_X_EXT_POLICY] == NULL) {
2456 plog(ASL_LEVEL_ERR,
2457 "inappropriate sadb spddelete message passed.\n");
2458 return -1;
2459 }
2460 saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
2461 daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2462 xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2463
2464 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2465 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2466 saddr + 1,
2467 daddr + 1,
2468 saddr->sadb_address_prefixlen,
2469 daddr->sadb_address_prefixlen,
2470 saddr->sadb_address_proto,
2471 xpl->sadb_x_policy_priority,
2472 &spidx);
2473 #else
2474 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2475 saddr + 1,
2476 daddr + 1,
2477 saddr->sadb_address_prefixlen,
2478 daddr->sadb_address_prefixlen,
2479 saddr->sadb_address_proto,
2480 &spidx);
2481 #endif
2482
2483 sp = getsp(&spidx);
2484 if (sp == NULL) {
2485 plog(ASL_LEVEL_ERR,
2486 "no policy found: %s\n",
2487 spidx2str(&spidx));
2488 return -1;
2489 }
2490
2491 ike_session_purgephXbyspid(xpl->sadb_x_policy_id, true);
2492
2493 remsp(sp);
2494 delsp(sp);
2495
2496 return 0;
2497 }
2498
2499 static int
2500 pk_recvspdexpire(mhp)
2501 caddr_t *mhp;
2502 {
2503 struct sadb_address *saddr, *daddr;
2504 struct sadb_x_policy *xpl;
2505 struct policyindex spidx;
2506 struct secpolicy *sp;
2507
2508 /* sanity check */
2509 if (mhp[0] == NULL
2510 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
2511 || mhp[SADB_EXT_ADDRESS_DST] == NULL
2512 || mhp[SADB_X_EXT_POLICY] == NULL) {
2513 plog(ASL_LEVEL_ERR,
2514 "inappropriate sadb spdexpire message passed.\n");
2515 return -1;
2516 }
2517 saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
2518 daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2519 xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2520
2521 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2522 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2523 saddr + 1,
2524 daddr + 1,
2525 saddr->sadb_address_prefixlen,
2526 daddr->sadb_address_prefixlen,
2527 saddr->sadb_address_proto,
2528 xpl->sadb_x_policy_priority,
2529 &spidx);
2530 #else
2531 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2532 saddr + 1,
2533 daddr + 1,
2534 saddr->sadb_address_prefixlen,
2535 daddr->sadb_address_prefixlen,
2536 saddr->sadb_address_proto,
2537 &spidx);
2538 #endif
2539
2540 sp = getsp(&spidx);
2541 if (sp == NULL) {
2542 plog(ASL_LEVEL_ERR,
2543 "no policy found: %s\n",
2544 spidx2str(&spidx));
2545 return -1;
2546 }
2547
2548 ike_session_purgephXbyspid(xpl->sadb_x_policy_id, false);
2549
2550 remsp(sp);
2551 delsp(sp);
2552
2553 return 0;
2554 }
2555
2556 static int
2557 pk_recvspdget(mhp)
2558 caddr_t *mhp;
2559 {
2560 /* sanity check */
2561 if (mhp[0] == NULL) {
2562 plog(ASL_LEVEL_ERR,
2563 "inappropriate sadb spdget message passed.\n");
2564 return -1;
2565 }
2566
2567 return 0;
2568 }
2569
2570 static int
2571 pk_recvspddump(mhp)
2572 caddr_t *mhp;
2573 {
2574 struct sadb_msg *msg;
2575 struct sadb_address *saddr, *daddr;
2576 struct sadb_x_policy *xpl;
2577 struct policyindex spidx;
2578 struct secpolicy *sp;
2579
2580 /* sanity check */
2581 if (mhp[0] == NULL) {
2582 plog(ASL_LEVEL_ERR,
2583 "inappropriate sadb spddump message passed.\n");
2584 return -1;
2585 }
2586 msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
2587
2588 saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
2589 daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2590 xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2591
2592 if (saddr == NULL || daddr == NULL || xpl == NULL) {
2593 plog(ASL_LEVEL_ERR,
2594 "inappropriate sadb spddump message passed.\n");
2595 return -1;
2596 }
2597
2598 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2599 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2600 saddr + 1,
2601 daddr + 1,
2602 saddr->sadb_address_prefixlen,
2603 daddr->sadb_address_prefixlen,
2604 saddr->sadb_address_proto,
2605 xpl->sadb_x_policy_priority,
2606 &spidx);
2607 #else
2608 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2609 saddr + 1,
2610 daddr + 1,
2611 saddr->sadb_address_prefixlen,
2612 daddr->sadb_address_prefixlen,
2613 saddr->sadb_address_proto,
2614 &spidx);
2615 #endif
2616
2617 sp = getsp(&spidx);
2618 if (sp != NULL) {
2619 plog(ASL_LEVEL_ERR,
2620 "such policy already exists. "
2621 "anyway replace it: %s\n",
2622 spidx2str(&spidx));
2623 remsp(sp);
2624 delsp(sp);
2625 }
2626
2627 if (addnewsp(mhp) < 0)
2628 return -1;
2629
2630 return 0;
2631 }
2632
2633 static int
2634 pk_recvspdflush(mhp)
2635 caddr_t *mhp;
2636 {
2637 /* sanity check */
2638 if (mhp[0] == NULL) {
2639 plog(ASL_LEVEL_ERR,
2640 "inappropriate sadb spdflush message passed.\n");
2641 return -1;
2642 }
2643
2644 ike_session_flush_all_phase2(false);
2645 ike_session_flush_all_phase1(false);
2646 flushsp();
2647
2648 return 0;
2649 }
2650
2651 /*
2652 * send error against acquire message to kenrel.
2653 */
2654 int
2655 pk_sendeacquire(iph2)
2656 phase2_handle_t *iph2;
2657 {
2658 struct sadb_msg *newmsg;
2659 int len;
2660
2661 len = sizeof(struct sadb_msg);
2662 newmsg = racoon_calloc(1, len);
2663 if (newmsg == NULL) {
2664 plog(ASL_LEVEL_ERR,
2665 "failed to get buffer to send acquire.\n");
2666 return -1;
2667 }
2668
2669 memset(newmsg, 0, len);
2670 newmsg->sadb_msg_version = PF_KEY_V2;
2671 newmsg->sadb_msg_type = SADB_ACQUIRE;
2672 newmsg->sadb_msg_errno = ENOENT; /* XXX */
2673 newmsg->sadb_msg_satype = iph2->satype;
2674 newmsg->sadb_msg_len = PFKEY_UNIT64(len);
2675 newmsg->sadb_msg_reserved = 0;
2676 newmsg->sadb_msg_seq = iph2->seq;
2677 newmsg->sadb_msg_pid = (u_int32_t)getpid();
2678
2679 /* send message */
2680 len = pfkey_send(lcconf->sock_pfkey, newmsg, len);
2681
2682 racoon_free(newmsg);
2683
2684 return 0;
2685 }
2686
2687 int
2688 pk_sendget_inbound_sastats(ike_session_t *session)
2689 {
2690 u_int32_t max_stats;
2691 u_int32_t seq;
2692
2693 if (!session) {
2694 plog(ASL_LEVEL_DEBUG, "invalid args in %s \n", __FUNCTION__);
2695 return -1;
2696 }
2697
2698 session->traffic_monitor.num_in_curr_req = 0;
2699 bzero(session->traffic_monitor.in_curr_req, sizeof(session->traffic_monitor.in_curr_req));
2700 max_stats = (sizeof(session->traffic_monitor.in_curr_req) / sizeof(session->traffic_monitor.in_curr_req[0]));
2701
2702 // get list of SAs
2703 if ((session->traffic_monitor.num_in_curr_req = ike_session_get_sas_for_stats(session,
2704 IPSEC_DIR_INBOUND,
2705 &seq,
2706 session->traffic_monitor.in_curr_req,
2707 max_stats))) {
2708 u_int64_t session_ids[] = {(u_int64_t)session, 0};
2709
2710 //plog(ASL_LEVEL_DEBUG, "about to call %s\n", __FUNCTION__);
2711
2712 if (pfkey_send_getsastats(lcconf->sock_pfkey,
2713 seq,
2714 session_ids,
2715 1,
2716 IPSEC_DIR_INBOUND,
2717 session->traffic_monitor.in_curr_req,
2718 session->traffic_monitor.num_in_curr_req) < 0) {
2719 return -1;
2720 }
2721 //plog(ASL_LEVEL_DEBUG, "%s successful\n", __FUNCTION__);
2722
2723 return session->traffic_monitor.num_in_curr_req;
2724 }
2725 return 0;
2726 }
2727
2728 int
2729 pk_sendget_outbound_sastats(ike_session_t *session)
2730 {
2731 u_int32_t max_stats;
2732 u_int32_t seq;
2733
2734 if (!session) {
2735 plog(ASL_LEVEL_DEBUG, "invalid args in %s \n", __FUNCTION__);
2736 return -1;
2737 }
2738
2739 session->traffic_monitor.num_out_curr_req = 0;
2740 bzero(session->traffic_monitor.out_curr_req, sizeof(session->traffic_monitor.out_curr_req));
2741 max_stats = (sizeof(session->traffic_monitor.out_curr_req) / sizeof(session->traffic_monitor.out_curr_req[0]));
2742
2743 // get list of SAs
2744 if ((session->traffic_monitor.num_out_curr_req = ike_session_get_sas_for_stats(session,
2745 IPSEC_DIR_OUTBOUND,
2746 &seq,
2747 session->traffic_monitor.out_curr_req,
2748 max_stats))) {
2749 u_int64_t session_ids[] = {(u_int64_t)session, 0};
2750
2751 //plog(ASL_LEVEL_DEBUG, "about to call %s\n", __FUNCTION__);
2752
2753 if (pfkey_send_getsastats(lcconf->sock_pfkey,
2754 seq,
2755 session_ids,
2756 1,
2757 IPSEC_DIR_OUTBOUND,
2758 session->traffic_monitor.out_curr_req,
2759 session->traffic_monitor.num_out_curr_req) < 0) {
2760 return -1;
2761 }
2762 //plog(ASL_LEVEL_DEBUG, "%s successful\n", __FUNCTION__);
2763
2764 return session->traffic_monitor.num_out_curr_req;
2765 }
2766 return 0;
2767 }
2768
2769 /*
2770 * receive GETSPDSTAT from kernel.
2771 */
2772 static int
2773 pk_recvgetsastat(mhp)
2774 caddr_t *mhp;
2775 {
2776 struct sadb_msg *msg;
2777 struct sadb_session_id *session_id;
2778 struct sadb_sastat *stat_resp;
2779 ike_session_t *session;
2780
2781 /* validity check */
2782 if (mhp[0] == NULL ||
2783 mhp[SADB_EXT_SESSION_ID] == NULL ||
2784 mhp[SADB_EXT_SASTAT] == NULL) {
2785 plog(ASL_LEVEL_ERR,
2786 "inappropriate sadb getsastat response.\n");
2787 return -1;
2788 }
2789 msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to structs in an aligned buffer
2790 session_id = ALIGNED_CAST(struct sadb_session_id *)mhp[SADB_EXT_SESSION_ID];
2791 stat_resp = ALIGNED_CAST(struct sadb_sastat *)mhp[SADB_EXT_SASTAT];
2792
2793 /* the message has to be processed or not ? */
2794 if (msg->sadb_msg_pid != getpid()) {
2795 plog(ASL_LEVEL_DEBUG,
2796 "%s message is not interesting "
2797 "because pid %d is not mine.\n",
2798 s_pfkey_type(msg->sadb_msg_type),
2799 msg->sadb_msg_pid);
2800 return -1;
2801 }
2802 if (!session_id->sadb_session_id_v[0]) {
2803 plog(ASL_LEVEL_DEBUG,
2804 "%s message is bad "
2805 "because session-id[0] is invalid.\n",
2806 s_pfkey_type(msg->sadb_msg_type));
2807 return -1;
2808 }
2809 session = ALIGNED_CAST(__typeof__(session))session_id->sadb_session_id_v[0];
2810
2811 if (!stat_resp->sadb_sastat_list_len) {
2812 plog(ASL_LEVEL_DEBUG,
2813 "%s message is bad "
2814 "because it has no sastats.\n",
2815 s_pfkey_type(msg->sadb_msg_type));
2816 return -1;
2817 }
2818
2819 ike_session_update_traffic_idle_status(session,
2820 stat_resp->sadb_sastat_dir,
2821 (struct sastat *)(stat_resp + 1),
2822 stat_resp->sadb_sastat_list_len);
2823 return 0;
2824 }
2825
2826 /*
2827 * check if the algorithm is supported or not.
2828 * OUT 0: ok
2829 * -1: ng
2830 */
2831 int
2832 pk_checkalg(class, calg, keylen)
2833 int class, calg, keylen;
2834 {
2835 int sup, error;
2836 u_int alg;
2837 struct sadb_alg alg0;
2838
2839 switch (algclass2doi(class)) {
2840 case IPSECDOI_PROTO_IPSEC_ESP:
2841 sup = SADB_EXT_SUPPORTED_ENCRYPT;
2842 break;
2843 case IPSECDOI_ATTR_AUTH:
2844 sup = SADB_EXT_SUPPORTED_AUTH;
2845 break;
2846 case IPSECDOI_PROTO_IPCOMP:
2847 return 0;
2848 default:
2849 plog(ASL_LEVEL_ERR,
2850 "invalid algorithm class.\n");
2851 return -1;
2852 }
2853 alg = ipsecdoi2pfkey_alg(algclass2doi(class), algtype2doi(class, calg));
2854 if (alg == ~0)
2855 return -1;
2856
2857 if (keylen == 0) {
2858 if (ipsec_get_keylen(sup, alg, &alg0)) {
2859 plog(ASL_LEVEL_ERR,
2860 "%s.\n", ipsec_strerror());
2861 return -1;
2862 }
2863 keylen = alg0.sadb_alg_minbits;
2864 }
2865
2866 error = ipsec_check_keylen(sup, alg, keylen);
2867 if (error)
2868 plog(ASL_LEVEL_ERR,
2869 "%s.\n", ipsec_strerror());
2870
2871 return error;
2872 }
2873
2874 /*
2875 * differences with pfkey_recv() in libipsec/pfkey.c:
2876 * - never performs busy wait loop.
2877 * - returns NULL and set *lenp to negative on fatal failures
2878 * - returns NULL and set *lenp to non-negative on non-fatal failures
2879 * - returns non-NULL on success
2880 */
2881 static struct sadb_msg *
2882 pk_recv(so, lenp)
2883 int so;
2884 ssize_t *lenp;
2885 {
2886 struct sadb_msg *newmsg;
2887 int reallen = 0;
2888 socklen_t optlen = sizeof(reallen);
2889
2890 if (getsockopt(so, SOL_SOCKET, SO_NREAD, &reallen, &optlen) < 0)
2891 return NULL; /*fatal*/
2892
2893 if (reallen == 0)
2894 return NULL;
2895
2896 if ((newmsg = racoon_calloc(1, reallen)) == NULL)
2897 return NULL;
2898
2899 while ((*lenp = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) {
2900 if (errno == EINTR)
2901 continue;
2902 plog(ASL_LEVEL_ERR, "failed to recv pfkey message: %s\n", strerror(errno));
2903 break;
2904 }
2905 if (*lenp < 0) {
2906 racoon_free(newmsg);
2907 return NULL; /*fatal*/
2908 } else if (*lenp != reallen || *lenp < sizeof(struct sadb_msg)) {
2909 racoon_free(newmsg);
2910 return NULL;
2911 }
2912
2913 return newmsg;
2914 }
2915
2916 /* see handler.h */
2917 u_int32_t
2918 pk_getseq()
2919 {
2920 return eay_random();
2921 }
2922
2923 static int
2924 addnewsp(mhp)
2925 caddr_t *mhp;
2926 {
2927 struct secpolicy *new;
2928 struct sadb_address *saddr, *daddr;
2929 struct sadb_x_policy *xpl;
2930
2931 /* sanity check */
2932 if (mhp[SADB_EXT_ADDRESS_SRC] == NULL
2933 || mhp[SADB_EXT_ADDRESS_DST] == NULL
2934 || mhp[SADB_X_EXT_POLICY] == NULL) {
2935 plog(ASL_LEVEL_ERR,
2936 "inappropriate sadb spd management message passed.\n");
2937 return -1;
2938 }
2939
2940 saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
2941 daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2942 xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2943
2944 new = newsp();
2945 if (new == NULL) {
2946 plog(ASL_LEVEL_ERR,
2947 "failed to allocate buffer\n");
2948 return -1;
2949 }
2950
2951 new->spidx.dir = xpl->sadb_x_policy_dir;
2952 new->id = xpl->sadb_x_policy_id;
2953 new->policy = xpl->sadb_x_policy_type;
2954 new->req = NULL;
2955
2956 /* check policy */
2957 switch (xpl->sadb_x_policy_type) {
2958 case IPSEC_POLICY_DISCARD:
2959 case IPSEC_POLICY_GENERATE:
2960 case IPSEC_POLICY_NONE:
2961 case IPSEC_POLICY_ENTRUST:
2962 case IPSEC_POLICY_BYPASS:
2963 break;
2964
2965 case IPSEC_POLICY_IPSEC:
2966 {
2967 int tlen;
2968 struct sadb_x_ipsecrequest *xisr;
2969 struct ipsecrequest **p_isr = &new->req;
2970
2971 /* validity check */
2972 if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) {
2973 plog(ASL_LEVEL_ERR,
2974 "invalid msg length.\n");
2975 return -1;
2976 }
2977
2978 tlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
2979 xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
2980
2981 while (tlen > 0) {
2982
2983 /* length check */
2984 if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) {
2985 plog(ASL_LEVEL_ERR,
2986 "invalid msg length.\n");
2987 return -1;
2988 }
2989
2990 /* allocate request buffer */
2991 *p_isr = newipsecreq();
2992 if (*p_isr == NULL) {
2993 plog(ASL_LEVEL_ERR,
2994 "failed to get new ipsecreq.\n");
2995 return -1;
2996 }
2997
2998 /* set values */
2999 (*p_isr)->next = NULL;
3000
3001 switch (xisr->sadb_x_ipsecrequest_proto) {
3002 case IPPROTO_ESP:
3003 case IPPROTO_AH:
3004 case IPPROTO_IPCOMP:
3005 break;
3006 default:
3007 plog(ASL_LEVEL_ERR,
3008 "invalid proto type: %u\n",
3009 xisr->sadb_x_ipsecrequest_proto);
3010 return -1;
3011 }
3012 (*p_isr)->saidx.proto = xisr->sadb_x_ipsecrequest_proto;
3013
3014 switch (xisr->sadb_x_ipsecrequest_mode) {
3015 case IPSEC_MODE_TRANSPORT:
3016 case IPSEC_MODE_TUNNEL:
3017 break;
3018 case IPSEC_MODE_ANY:
3019 default:
3020 plog(ASL_LEVEL_ERR,
3021 "invalid mode: %u\n",
3022 xisr->sadb_x_ipsecrequest_mode);
3023 return -1;
3024 }
3025 (*p_isr)->saidx.mode = xisr->sadb_x_ipsecrequest_mode;
3026
3027 switch (xisr->sadb_x_ipsecrequest_level) {
3028 case IPSEC_LEVEL_DEFAULT:
3029 case IPSEC_LEVEL_USE:
3030 case IPSEC_LEVEL_REQUIRE:
3031 break;
3032 case IPSEC_LEVEL_UNIQUE:
3033 (*p_isr)->saidx.reqid =
3034 xisr->sadb_x_ipsecrequest_reqid;
3035 break;
3036
3037 default:
3038 plog(ASL_LEVEL_ERR,
3039 "invalid level: %u\n",
3040 xisr->sadb_x_ipsecrequest_level);
3041 return -1;
3042 }
3043 (*p_isr)->level = xisr->sadb_x_ipsecrequest_level;
3044
3045 /* set IP addresses if there */
3046 if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
3047 struct sockaddr *paddr;
3048
3049 paddr = (struct sockaddr *)(xisr + 1);
3050 bcopy(paddr, &(*p_isr)->saidx.src,
3051 sysdep_sa_len(paddr));
3052
3053 paddr = (struct sockaddr *)((caddr_t)paddr
3054 + sysdep_sa_len(paddr));
3055 bcopy(paddr, &(*p_isr)->saidx.dst,
3056 sysdep_sa_len(paddr));
3057 }
3058
3059 (*p_isr)->sp = new;
3060
3061 /* initialization for the next. */
3062 p_isr = &(*p_isr)->next;
3063 tlen -= xisr->sadb_x_ipsecrequest_len;
3064
3065 /* validity check */
3066 if (tlen < 0) {
3067 plog(ASL_LEVEL_ERR,
3068 "becoming tlen < 0\n");
3069 }
3070
3071 xisr = ALIGNED_CAST(struct sadb_x_ipsecrequest *)((caddr_t)xisr
3072 + xisr->sadb_x_ipsecrequest_len);
3073 }
3074 }
3075 break;
3076 default:
3077 plog(ASL_LEVEL_ERR,
3078 "invalid policy type.\n");
3079 return -1;
3080 }
3081
3082 #ifdef HAVE_PFKEY_POLICY_PRIORITY
3083 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
3084 saddr + 1,
3085 daddr + 1,
3086 saddr->sadb_address_prefixlen,
3087 daddr->sadb_address_prefixlen,
3088 saddr->sadb_address_proto,
3089 xpl->sadb_x_policy_priority,
3090 &new->spidx);
3091 #else
3092 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
3093 saddr + 1,
3094 daddr + 1,
3095 saddr->sadb_address_prefixlen,
3096 daddr->sadb_address_prefixlen,
3097 saddr->sadb_address_proto,
3098 &new->spidx);
3099 #endif
3100
3101 inssp(new);
3102
3103 return 0;
3104 }
3105
3106 /* proto/mode/src->dst spi */
3107 const char *
3108 sadbsecas2str(src, dst, proto, spi, mode)
3109 struct sockaddr_storage *src, *dst;
3110 int proto;
3111 u_int32_t spi;
3112 int mode;
3113 {
3114 static char buf[256];
3115 u_int doi_proto, doi_mode = 0;
3116 char *p;
3117 int blen, i;
3118
3119 doi_proto = pfkey2ipsecdoi_proto(proto);
3120 if (doi_proto == ~0)
3121 return NULL;
3122 if (mode) {
3123 doi_mode = pfkey2ipsecdoi_mode(mode);
3124 if (doi_mode == ~0)
3125 return NULL;
3126 }
3127
3128 blen = sizeof(buf) - 1;
3129 p = buf;
3130
3131 i = snprintf(p, blen, "%s%s%s ",
3132 s_ipsecdoi_proto(doi_proto),
3133 mode ? "/" : "",
3134 mode ? s_ipsecdoi_encmode(doi_mode) : "");
3135 if (i < 0 || i >= blen)
3136 return NULL;
3137 p += i;
3138 blen -= i;
3139
3140 i = snprintf(p, blen, "%s->", saddr2str((struct sockaddr *)src));
3141 if (i < 0 || i >= blen)
3142 return NULL;
3143 p += i;
3144 blen -= i;
3145
3146 i = snprintf(p, blen, "%s ", saddr2str((struct sockaddr *)dst));
3147 if (i < 0 || i >= blen)
3148 return NULL;
3149 p += i;
3150 blen -= i;
3151
3152 if (spi) {
3153 snprintf(p, blen, "spi=%lu(0x%lx)", (unsigned long)ntohl(spi),
3154 (unsigned long)ntohl(spi));
3155 }
3156
3157 return buf;
3158 }
mirror of ipsec