]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/pfkey_racoon.c
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-332.100.1.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / pfkey_racoon.c
1 /* $Id: pfkey.c,v 1.31.2.10 2005/10/03 14:52:19 manubsd Exp $ */
2
3 /*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #include "config.h"
33 #include "racoon_types.h"
34
35 #include <stdlib.h>
36 #include <string.h>
37 #include <stdio.h>
38 #include <netdb.h>
39 #include <errno.h>
40 #ifdef HAVE_UNISTD_H
41 #include <unistd.h>
42 #endif
43 #include <netdb.h>
44 #include <netinet/in.h>
45 #include <arpa/inet.h>
46
47 #ifdef ENABLE_NATT
48 #include <netinet/udp.h>
49 #endif
50
51 #include <sys/types.h>
52 #include <sys/param.h>
53 #include <sys/socket.h>
54 #include <sys/queue.h>
55 #include <sys/sysctl.h>
56
57 #include <net/route.h>
58 #include <net/pfkeyv2.h>
59
60 #include <netinet/in.h>
61 #ifndef HAVE_NETINET6_IPSEC
62 #include <netinet/ipsec.h>
63 #else
64 #include <netinet6/ipsec.h>
65 #endif
66
67 #include "libpfkey.h"
68
69 #include "var.h"
70 #include "misc.h"
71 #include "vmbuf.h"
72 #include "plog.h"
73 #include "sockmisc.h"
74 #include "debug.h"
75 #include "fsm.h"
76 #include "ike_session.h"
77
78 #include "schedule.h"
79 #include "localconf.h"
80 #include "remoteconf.h"
81 #include "isakmp_var.h"
82 #include "isakmp.h"
83 #include "isakmp_inf.h"
84 #include "ipsec_doi.h"
85 #include "oakley.h"
86 #include "pfkey.h"
87 #include "handler.h"
88 #include "policy.h"
89 #include "algorithm.h"
90 #include "sainfo.h"
91 #include "proposal.h"
92 #include "strnames.h"
93 #include "gcmalloc.h"
94 #include "nattraversal.h"
95 #include "crypto_openssl.h"
96 #include "grabmyaddr.h"
97 #include "vpn_control.h"
98 #include "vpn_control_var.h"
99 #include "ike_session.h"
100 #include "power_mgmt.h"
101 #include "session.h"
102
103 #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
104 #define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
105 #endif
106
107 /* prototype */
108 static u_int ipsecdoi2pfkey_aalg (u_int);
109 static u_int ipsecdoi2pfkey_ealg (u_int);
110 static u_int ipsecdoi2pfkey_calg (u_int);
111 static u_int ipsecdoi2pfkey_alg (u_int, u_int);
112 static u_int keylen_aalg (u_int);
113 static u_int keylen_ealg (u_int, int);
114
115 static int pk_recvgetspi (caddr_t *);
116 static int pk_recvupdate (caddr_t *);
117 static int pk_recvadd (caddr_t *);
118 static int pk_recvdelete (caddr_t *);
119 static int pk_recvacquire (caddr_t *);
120 static int pk_recvexpire (caddr_t *);
121 static int pk_recvflush (caddr_t *);
122 static int getsadbpolicy (caddr_t *, int *, int, phase2_handle_t *);
123 static int pk_recvspdupdate (caddr_t *);
124 static int pk_recvspdadd (caddr_t *);
125 static int pk_recvspddelete (caddr_t *);
126 static int pk_recvspdexpire (caddr_t *);
127 static int pk_recvspdget (caddr_t *);
128 static int pk_recvspddump (caddr_t *);
129 static int pk_recvspdflush (caddr_t *);
130 static int pk_recvgetsastat (caddr_t *);
131 static struct sadb_msg *pk_recv (int, ssize_t *);
132
133 static int (*pkrecvf[]) (caddr_t *) = {
134 NULL,
135 pk_recvgetspi,
136 pk_recvupdate,
137 pk_recvadd,
138 pk_recvdelete,
139 NULL, /* SADB_GET */
140 pk_recvacquire,
141 NULL, /* SABD_REGISTER */
142 pk_recvexpire,
143 pk_recvflush,
144 NULL, /* SADB_DUMP */
145 NULL, /* SADB_X_PROMISC */
146 NULL, /* SADB_X_PCHANGE */
147 pk_recvspdupdate,
148 pk_recvspdadd,
149 pk_recvspddelete,
150 pk_recvspdget,
151 NULL, /* SADB_X_SPDACQUIRE */
152 pk_recvspddump,
153 pk_recvspdflush,
154 NULL, /* SADB_X_SPDSETIDX */
155 pk_recvspdexpire,
156 NULL, /* SADB_X_SPDDELETE2 */
157 pk_recvgetsastat, /* SADB_GETSASTAT */
158 NULL, /* SADB_X_SPDENABLE */
159 NULL, /* SADB_X_SPDDISNABLE */
160 NULL, /* SADB_MIGRATE */
161 #if (SADB_MAX > 26)
162 #warning "SADB extra message?"
163 #endif
164 };
165
166 /* cope with old kame headers - ugly */
167 #ifndef SADB_X_AALG_MD5
168 #define SADB_X_AALG_MD5 SADB_AALG_MD5
169 #endif
170 #ifndef SADB_X_AALG_SHA
171 #define SADB_X_AALG_SHA SADB_AALG_SHA
172 #endif
173 #ifndef SADB_X_AALG_NULL
174 #define SADB_X_AALG_NULL SADB_AALG_NULL
175 #endif
176
177 #ifndef SADB_X_EALG_BLOWFISHCBC
178 #define SADB_X_EALG_BLOWFISHCBC SADB_EALG_BLOWFISHCBC
179 #endif
180 #ifndef SADB_X_EALG_CAST128CBC
181 #define SADB_X_EALG_CAST128CBC SADB_EALG_CAST128CBC
182 #endif
183 #ifndef SADB_X_EALG_RC5CBC
184 #ifdef SADB_EALG_RC5CBC
185 #define SADB_X_EALG_RC5CBC SADB_EALG_RC5CBC
186 #endif
187 #endif
188
189 int
190 pfkey_process(msg)
191 struct sadb_msg *msg;
192 {
193 caddr_t mhp[SADB_EXT_MAX + 1];
194 int error = -1;
195
196 // Special debug use only - creates large logs
197 // plogdump(ASL_LEVEL_DEBUG, msg, msg->sadb_msg_len << 3, "get pfkey %s message\n",
198 // s_pfkey_type(msg->sadb_msg_type));
199
200 /* validity check */
201 /* check pfkey message. */
202 if (pfkey_align(msg, mhp)) {
203 plog(ASL_LEVEL_ERR,
204 "libipsec failed pfkey align (%s)\n",
205 ipsec_strerror());
206 goto end;
207 }
208 if (pfkey_check(mhp)) {
209 plog(ASL_LEVEL_ERR,
210 "libipsec failed pfkey check (%s)\n",
211 ipsec_strerror());
212 goto end;
213 }
214 msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
215
216 if (msg->sadb_msg_errno) {
217 int pri;
218
219 /* when SPD is empty, treat the state as no error. */
220 if (msg->sadb_msg_type == SADB_X_SPDDUMP &&
221 msg->sadb_msg_errno == ENOENT)
222 pri = ASL_LEVEL_NOTICE;
223 else
224 pri = ASL_LEVEL_ERR;
225
226 plog(pri,
227 "pfkey %s failed: %s\n",
228 s_pfkey_type(msg->sadb_msg_type),
229 strerror(msg->sadb_msg_errno));
230 goto end;
231 }
232
233 /* safety check */
234 if (msg->sadb_msg_type >= ARRAYLEN(pkrecvf)) {
235 plog(ASL_LEVEL_ERR,
236 "unknown PF_KEY message type=%u\n",
237 msg->sadb_msg_type);
238 goto end;
239 }
240
241 if (pkrecvf[msg->sadb_msg_type] == NULL) {
242 plog(ASL_LEVEL_NOTICE,
243 "unsupported PF_KEY message %s\n",
244 s_pfkey_type(msg->sadb_msg_type));
245 goto end;
246 }
247
248 if ((pkrecvf[msg->sadb_msg_type])(mhp) < 0)
249 goto end;
250
251 error = 0;
252 end:
253 if (msg)
254 racoon_free(msg);
255 return(error);
256 }
257
258 /*
259 * PF_KEY packet handler
260 * 0: success
261 * -1: fail
262 */
263
264 //%%%%%%%%%%%%%%%%%% need to handle errors encountered here - this no longer returns a result
265 void
266 pfkey_handler(void *unused)
267 {
268 struct sadb_msg *msg;
269 ssize_t len;
270
271 if (slept_at || woke_at) {
272 plog(ASL_LEVEL_DEBUG,
273 "ignoring pfkey port until power-mgmt event is handled.\n");
274 return;
275 }
276
277 /* receive pfkey message. */
278 len = 0;
279 msg = (struct sadb_msg *)pk_recv(lcconf->sock_pfkey, &len);
280
281 if (msg == NULL) {
282 if (len < 0) {
283 plog(ASL_LEVEL_ERR,
284 "failed to recv from pfkey (%s)\n",
285 strerror(errno));
286 return;
287 } else {
288 /* short message - msg not ready */
289 plog(ASL_LEVEL_NOTICE, "recv short message from pfkey\n");
290 return;
291 }
292 }
293 pfkey_process(msg);
294 }
295
296 void
297 pfkey_post_handler()
298 {
299 struct saved_msg_elem *elem;
300 struct saved_msg_elem *elem_tmp = NULL;
301
302 if (slept_at || woke_at) {
303 plog(ASL_LEVEL_NOTICE,
304 "ignoring (saved) pfkey messages until power-mgmt event is handled.\n");
305 return;
306 }
307
308 TAILQ_FOREACH_SAFE(elem, &lcconf->saved_msg_queue, chain, elem_tmp) {
309 pfkey_process((struct sadb_msg *)elem->msg);
310 TAILQ_REMOVE(&lcconf->saved_msg_queue, elem, chain);
311 racoon_free(elem);
312
313 }
314 }
315
316 int
317 pfkey_save_msg(msg)
318 struct sadb_msg *msg;
319 {
320 struct saved_msg_elem *elem;
321
322 elem = (struct saved_msg_elem *)racoon_calloc(sizeof(struct saved_msg_elem), 1);
323 if (elem == NULL)
324 return -1;
325 elem->msg = msg;
326 TAILQ_INSERT_TAIL(&lcconf->saved_msg_queue, elem, chain);
327 return 0;
328 }
329
330 /*
331 * dump SADB
332 */
333 vchar_t *
334 pfkey_dump_sadb(satype)
335 int satype;
336 {
337 int s = -1;
338 vchar_t *buf = NULL;
339 pid_t pid = getpid();
340 struct sadb_msg *msg = NULL;
341 size_t bl, ml;
342 ssize_t len;
343
344 if ((s = pfkey_open()) < 0) {
345 plog(ASL_LEVEL_ERR,
346 "libipsec failed pfkey open: %s\n",
347 ipsec_strerror());
348 return NULL;
349 }
350
351 plog(ASL_LEVEL_DEBUG, "call pfkey_send_dump\n");
352 if (pfkey_send_dump(s, satype) < 0) {
353 plog(ASL_LEVEL_ERR,
354 "libipsec failed dump: %s\n", ipsec_strerror());
355 goto fail;
356 }
357
358 while (1) {
359 if (msg)
360 racoon_free(msg);
361 msg = pk_recv(s, &len);
362 if (msg == NULL) {
363 if (len < 0)
364 goto done;
365 else
366 continue;
367 }
368
369 /*
370 * for multi-processor system this had to be added because the messages can
371 * be interleaved - they won't all be dump messages
372 */
373 if (msg->sadb_msg_type != SADB_DUMP) { /* save for later processing */
374 pfkey_save_msg(msg);
375 msg = NULL;
376 continue;
377 }
378
379 // ignore dump messages that aren't racoon's
380 if (msg->sadb_msg_pid != pid)
381 continue;
382
383 ml = msg->sadb_msg_len << 3;
384 bl = buf ? buf->l : 0;
385 buf = vrealloc(buf, bl + ml);
386 if (buf == NULL) {
387 plog(ASL_LEVEL_ERR,
388 "failed to reallocate buffer to dump.\n");
389 goto fail;
390 }
391 memcpy(buf->v + bl, msg, ml);
392
393 if (msg->sadb_msg_seq == 0)
394 break;
395 }
396 goto done;
397
398 fail:
399 if (buf)
400 vfree(buf);
401 buf = NULL;
402 done:
403 if (msg)
404 racoon_free(msg);
405 if (s >= 0)
406 pfkey_close_sock(s);
407 return buf;
408 }
409
410
411 /*
412 * These are the SATYPEs that we manage. We register to get
413 * PF_KEY messages related to these SATYPEs, and we also use
414 * this list to determine which SATYPEs to delete SAs for when
415 * we receive an INITIAL-CONTACT.
416 */
417 const struct pfkey_satype pfkey_satypes[] = {
418 { SADB_SATYPE_AH, "AH" },
419 { SADB_SATYPE_ESP, "ESP" },
420 { SADB_X_SATYPE_IPCOMP, "IPCOMP" },
421 };
422 const int pfkey_nsatypes =
423 sizeof(pfkey_satypes) / sizeof(pfkey_satypes[0]);
424
425 /*
426 * PF_KEY initialization
427 */
428 int
429 pfkey_init(void)
430 {
431 int i, reg_fail, sock;
432
433 if ((lcconf->sock_pfkey = pfkey_open()) < 0) {
434 plog(ASL_LEVEL_ERR,
435 "libipsec failed pfkey open (%s)\n", ipsec_strerror());
436 return -1;
437 }
438
439 for (i = 0, reg_fail = 0; i < pfkey_nsatypes; i++) {
440 plog(ASL_LEVEL_DEBUG,
441 "call pfkey_send_register for %s\n",
442 pfkey_satypes[i].ps_name);
443 if (pfkey_send_register(lcconf->sock_pfkey,
444 pfkey_satypes[i].ps_satype) < 0 ||
445 pfkey_recv_register(lcconf->sock_pfkey) < 0) {
446 plog(ASL_LEVEL_WARNING,
447 "failed to register %s (%s)\n",
448 pfkey_satypes[i].ps_name,
449 ipsec_strerror());
450 reg_fail++;
451 }
452 }
453
454 if (reg_fail == pfkey_nsatypes) {
455 plog(ASL_LEVEL_ERR,
456 "failed to regist any protocol.\n");
457 close(lcconf->sock_pfkey);
458 return -1;
459 }
460 initsp();
461
462 lcconf->pfkey_source = dispatch_source_create(DISPATCH_SOURCE_TYPE_READ, lcconf->sock_pfkey, 0, dispatch_get_main_queue());
463 if (lcconf->pfkey_source == NULL) {
464 plog(ASL_LEVEL_ERR, "could not create pfkey socket source.");
465 return -1;
466 }
467 dispatch_source_set_event_handler_f(lcconf->pfkey_source, pfkey_handler);
468 sock = lcconf->sock_pfkey;
469 dispatch_source_set_cancel_handler(lcconf->pfkey_source,
470 ^{
471 pfkey_close_sock(sock);
472 });
473 dispatch_resume(lcconf->pfkey_source);
474
475 if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) {
476 plog(ASL_LEVEL_ERR,
477 "libipsec sending spddump failed: %s\n",
478 ipsec_strerror());
479 pfkey_close();
480 return -1;
481 }
482 #if 0
483 if (pfkey_promisc_toggle(1) < 0) {
484 pfkey_close();
485 return -1;
486 }
487 #endif
488
489 return 0;
490 }
491
492 void
493 pfkey_close(void)
494 {
495 dispatch_source_cancel(lcconf->pfkey_source);
496 lcconf->pfkey_source = NULL;
497 }
498
499 /* %%% for conversion */
500 /* IPSECDOI_ATTR_AUTH -> SADB_AALG */
501 static u_int
502 ipsecdoi2pfkey_aalg(hashtype)
503 u_int hashtype;
504 {
505 switch (hashtype) {
506 case IPSECDOI_ATTR_AUTH_HMAC_MD5:
507 case IPSECDOI_ATTR_AUTH_HMAC_MD5_96:
508 return SADB_AALG_MD5HMAC;
509 case IPSECDOI_ATTR_AUTH_HMAC_SHA1:
510 case IPSECDOI_ATTR_AUTH_HMAC_SHA1_96:
511 return SADB_AALG_SHA1HMAC;
512 case IPSECDOI_ATTR_AUTH_HMAC_SHA2_256:
513 #if (defined SADB_X_AALG_SHA2_256) && !defined(SADB_X_AALG_SHA2_256HMAC)
514 return SADB_X_AALG_SHA2_256;
515 #else
516 return SADB_X_AALG_SHA2_256HMAC;
517 #endif
518 case IPSECDOI_ATTR_AUTH_HMAC_SHA2_384:
519 #if (defined SADB_X_AALG_SHA2_384) && !defined(SADB_X_AALG_SHA2_384HMAC)
520 return SADB_X_AALG_SHA2_384;
521 #else
522 return SADB_X_AALG_SHA2_384HMAC;
523 #endif
524 case IPSECDOI_ATTR_AUTH_HMAC_SHA2_512:
525 #if (defined SADB_X_AALG_SHA2_512) && !defined(SADB_X_AALG_SHA2_512HMAC)
526 return SADB_X_AALG_SHA2_512;
527 #else
528 return SADB_X_AALG_SHA2_512HMAC;
529 #endif
530 case IPSECDOI_ATTR_AUTH_KPDK: /* need special care */
531 return SADB_AALG_NONE;
532
533 /* not supported */
534 case IPSECDOI_ATTR_AUTH_DES_MAC:
535 plog(ASL_LEVEL_ERR,
536 "Not supported hash type: %u\n", hashtype);
537 return ~0;
538
539 case 0: /* reserved */
540 default:
541 return SADB_AALG_NONE;
542
543 plog(ASL_LEVEL_ERR,
544 "Invalid hash type: %u\n", hashtype);
545 return ~0;
546 }
547 /*NOTREACHED*/
548 }
549
550 /* IPSECDOI_ESP -> SADB_EALG */
551 static u_int
552 ipsecdoi2pfkey_ealg(t_id)
553 u_int t_id;
554 {
555 switch (t_id) {
556 case IPSECDOI_ESP_DES_IV64: /* sa_flags |= SADB_X_EXT_OLD */
557 return SADB_EALG_DESCBC;
558 case IPSECDOI_ESP_DES:
559 return SADB_EALG_DESCBC;
560 case IPSECDOI_ESP_3DES:
561 return SADB_EALG_3DESCBC;
562 #ifdef SADB_X_EALG_RC5CBC
563 case IPSECDOI_ESP_RC5:
564 return SADB_X_EALG_RC5CBC;
565 #endif
566 case IPSECDOI_ESP_CAST:
567 return SADB_X_EALG_CAST128CBC;
568 case IPSECDOI_ESP_BLOWFISH:
569 return SADB_X_EALG_BLOWFISHCBC;
570 case IPSECDOI_ESP_DES_IV32: /* flags |= (SADB_X_EXT_OLD|
571 SADB_X_EXT_IV4B)*/
572 return SADB_EALG_DESCBC;
573 case IPSECDOI_ESP_NULL:
574 return SADB_EALG_NULL;
575 #ifdef SADB_X_EALG_AESCBC
576 case IPSECDOI_ESP_AES:
577 return SADB_X_EALG_AESCBC;
578 #endif
579 #ifdef SADB_X_EALG_TWOFISHCBC
580 case IPSECDOI_ESP_TWOFISH:
581 return SADB_X_EALG_TWOFISHCBC;
582 #endif
583
584 /* not supported */
585 case IPSECDOI_ESP_3IDEA:
586 case IPSECDOI_ESP_IDEA:
587 case IPSECDOI_ESP_RC4:
588 plog(ASL_LEVEL_ERR,
589 "Not supported transform: %u\n", t_id);
590 return ~0;
591
592 case 0: /* reserved */
593 default:
594 plog(ASL_LEVEL_ERR,
595 "Invalid transform id: %u\n", t_id);
596 return ~0;
597 }
598 /*NOTREACHED*/
599 }
600
601 /* IPCOMP -> SADB_CALG */
602 static u_int
603 ipsecdoi2pfkey_calg(t_id)
604 u_int t_id;
605 {
606 switch (t_id) {
607 case IPSECDOI_IPCOMP_OUI:
608 return SADB_X_CALG_OUI;
609 case IPSECDOI_IPCOMP_DEFLATE:
610 return SADB_X_CALG_DEFLATE;
611 case IPSECDOI_IPCOMP_LZS:
612 return SADB_X_CALG_LZS;
613
614 case 0: /* reserved */
615 default:
616 plog(ASL_LEVEL_ERR,
617 "Invalid transform id: %u\n", t_id);
618 return ~0;
619 }
620 /*NOTREACHED*/
621 }
622
623 /* IPSECDOI_PROTO -> SADB_SATYPE */
624 u_int
625 ipsecdoi2pfkey_proto(proto)
626 u_int proto;
627 {
628 switch (proto) {
629 case IPSECDOI_PROTO_IPSEC_AH:
630 return SADB_SATYPE_AH;
631 case IPSECDOI_PROTO_IPSEC_ESP:
632 return SADB_SATYPE_ESP;
633 case IPSECDOI_PROTO_IPCOMP:
634 return SADB_X_SATYPE_IPCOMP;
635
636 default:
637 plog(ASL_LEVEL_ERR,
638 "Invalid ipsec_doi proto: %u\n", proto);
639 return ~0;
640 }
641 /*NOTREACHED*/
642 }
643
644 static u_int
645 ipsecdoi2pfkey_alg(algclass, type)
646 u_int algclass, type;
647 {
648 switch (algclass) {
649 case IPSECDOI_ATTR_AUTH:
650 return ipsecdoi2pfkey_aalg(type);
651 case IPSECDOI_PROTO_IPSEC_ESP:
652 return ipsecdoi2pfkey_ealg(type);
653 case IPSECDOI_PROTO_IPCOMP:
654 return ipsecdoi2pfkey_calg(type);
655 default:
656 plog(ASL_LEVEL_ERR,
657 "Invalid ipsec_doi algclass: %u\n", algclass);
658 return ~0;
659 }
660 /*NOTREACHED*/
661 }
662
663 /* SADB_SATYPE -> IPSECDOI_PROTO */
664 u_int
665 pfkey2ipsecdoi_proto(satype)
666 u_int satype;
667 {
668 switch (satype) {
669 case SADB_SATYPE_AH:
670 return IPSECDOI_PROTO_IPSEC_AH;
671 case SADB_SATYPE_ESP:
672 return IPSECDOI_PROTO_IPSEC_ESP;
673 case SADB_X_SATYPE_IPCOMP:
674 return IPSECDOI_PROTO_IPCOMP;
675
676 default:
677 plog(ASL_LEVEL_ERR,
678 "Invalid pfkey proto: %u\n", satype);
679 return ~0;
680 }
681 /*NOTREACHED*/
682 }
683
684 /* IPSECDOI_ATTR_ENC_MODE -> IPSEC_MODE */
685 u_int
686 ipsecdoi2pfkey_mode(mode)
687 u_int mode;
688 {
689 switch (mode) {
690 case IPSECDOI_ATTR_ENC_MODE_TUNNEL:
691 #ifdef ENABLE_NATT
692 case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC:
693 case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT:
694 #endif
695 return IPSEC_MODE_TUNNEL;
696 case IPSECDOI_ATTR_ENC_MODE_TRNS:
697 #ifdef ENABLE_NATT
698 case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC:
699 case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT:
700 #endif
701 return IPSEC_MODE_TRANSPORT;
702 default:
703 plog(ASL_LEVEL_ERR, "Invalid mode type: %u\n", mode);
704 return ~0;
705 }
706 /*NOTREACHED*/
707 }
708
709 /* IPSECDOI_ATTR_ENC_MODE -> IPSEC_MODE */
710 u_int
711 pfkey2ipsecdoi_mode(mode)
712 u_int mode;
713 {
714 switch (mode) {
715 case IPSEC_MODE_TUNNEL:
716 return IPSECDOI_ATTR_ENC_MODE_TUNNEL;
717 case IPSEC_MODE_TRANSPORT:
718 return IPSECDOI_ATTR_ENC_MODE_TRNS;
719 case IPSEC_MODE_ANY:
720 return IPSECDOI_ATTR_ENC_MODE_ANY;
721 default:
722 plog(ASL_LEVEL_ERR, "Invalid mode type: %u\n", mode);
723 return ~0;
724 }
725 /*NOTREACHED*/
726 }
727
728 /* default key length for encryption algorithm */
729 static u_int
730 keylen_aalg(hashtype)
731 u_int hashtype;
732 {
733 int res;
734
735 if (hashtype == 0)
736 return SADB_AALG_NONE;
737
738 res = alg_ipsec_hmacdef_hashlen(hashtype);
739 if (res == -1) {
740 plog(ASL_LEVEL_ERR,
741 "invalid hmac algorithm %u.\n", hashtype);
742 return ~0;
743 }
744 return res;
745 }
746
747 /* default key length for encryption algorithm */
748 static u_int
749 keylen_ealg(enctype, encklen)
750 u_int enctype;
751 int encklen;
752 {
753 int res;
754
755 res = alg_ipsec_encdef_keylen(enctype, encklen);
756 if (res == -1) {
757 plog(ASL_LEVEL_ERR,
758 "invalid encryption algorithm %u.\n", enctype);
759 return ~0;
760 }
761 return res;
762 }
763
764 int
765 pfkey_convertfromipsecdoi(iph2, proto_id, t_id, hashtype,
766 e_type, e_keylen, a_type, a_keylen, flags)
767 phase2_handle_t *iph2;
768 u_int proto_id;
769 u_int t_id;
770 u_int hashtype;
771 u_int *e_type;
772 u_int *e_keylen;
773 u_int *a_type;
774 u_int *a_keylen;
775 u_int *flags;
776 {
777 *flags = 0;
778 switch (proto_id) {
779 case IPSECDOI_PROTO_IPSEC_ESP:
780 if ((*e_type = ipsecdoi2pfkey_ealg(t_id)) == ~0)
781 goto bad;
782 if ((*e_keylen = keylen_ealg(t_id, *e_keylen)) == ~0)
783 goto bad;
784 *e_keylen >>= 3;
785
786 if ((*a_type = ipsecdoi2pfkey_aalg(hashtype)) == ~0)
787 goto bad;
788 if ((*a_keylen = keylen_aalg(hashtype)) == ~0)
789 goto bad;
790 *a_keylen >>= 3;
791
792 if (*e_type == SADB_EALG_NONE) {
793 plog(ASL_LEVEL_ERR, "no ESP algorithm.\n");
794 goto bad;
795 }
796 break;
797
798 case IPSECDOI_PROTO_IPSEC_AH:
799 if ((*a_type = ipsecdoi2pfkey_aalg(hashtype)) == ~0)
800 goto bad;
801 if ((*a_keylen = keylen_aalg(hashtype)) == ~0)
802 goto bad;
803 *a_keylen >>= 3;
804
805 if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
806 && hashtype == IPSECDOI_ATTR_AUTH_KPDK) {
807 /* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */
808 *a_type = SADB_X_AALG_MD5;
809 *flags |= SADB_X_EXT_OLD;
810 }
811 *e_type = SADB_EALG_NONE;
812 *e_keylen = 0;
813 if (*a_type == SADB_AALG_NONE) {
814 plog(ASL_LEVEL_ERR, "no AH algorithm.\n");
815 goto bad;
816 }
817 break;
818
819 case IPSECDOI_PROTO_IPCOMP:
820 if ((*e_type = ipsecdoi2pfkey_calg(t_id)) == ~0)
821 goto bad;
822 *e_keylen = 0;
823
824 *flags = SADB_X_EXT_RAWCPI;
825
826 *a_type = SADB_AALG_NONE;
827 *a_keylen = 0;
828 if (*e_type == SADB_X_CALG_NONE) {
829 plog(ASL_LEVEL_ERR, "no IPCOMP algorithm.\n");
830 goto bad;
831 }
832 break;
833
834 default:
835 plog(ASL_LEVEL_ERR, "unknown IPsec protocol.\n");
836 goto bad;
837 }
838
839 return 0;
840
841 bad:
842 errno = EINVAL;
843 return -1;
844 }
845
846 /* called from scheduler */
847 void
848 pfkey_timeover_stub(p)
849 void *p;
850 {
851
852 pfkey_timeover((phase2_handle_t *)p);
853 }
854
855 void
856 pfkey_timeover(iph2)
857 phase2_handle_t *iph2;
858 {
859 plog(ASL_LEVEL_ERR,
860 "%s give up to get IPsec-SA due to time up to wait.\n",
861 saddrwop2str((struct sockaddr *)iph2->dst));
862 SCHED_KILL(iph2->sce);
863
864 /* If initiator side, send error to kernel by SADB_ACQUIRE. */
865 if (iph2->side == INITIATOR)
866 pk_sendeacquire(iph2);
867
868 ike_session_unlink_phase2(iph2);
869
870 return;
871 }
872
873 /*%%%*/
874 /* send getspi message per ipsec protocol per remote address */
875 /*
876 * the local address and remote address in ph1handle are dealed
877 * with destination address and source address respectively.
878 * Because SPI is decided by responder.
879 */
880 int
881 pk_sendgetspi(iph2)
882 phase2_handle_t *iph2;
883 {
884 struct sockaddr_storage *src = NULL, *dst = NULL;
885 u_int satype, mode;
886 struct saprop *pp;
887 struct saproto *pr;
888 u_int32_t minspi, maxspi;
889 int proxy = 0;
890
891 if (iph2->side == INITIATOR) {
892 pp = iph2->proposal;
893 proxy = iph2->ph1->rmconf->support_proxy;
894 } else {
895 pp = iph2->approval;
896 if (iph2->sainfo && iph2->sainfo->id_i)
897 proxy = 1;
898 }
899
900 /* for mobile IPv6 */
901 if (proxy && iph2->src_id && iph2->dst_id &&
902 ipsecdoi_transportmode(pp)) {
903 src = iph2->src_id;
904 dst = iph2->dst_id;
905 } else {
906 src = iph2->src;
907 dst = iph2->dst;
908 }
909
910 for (pr = pp->head; pr != NULL; pr = pr->next) {
911
912 /* validity check */
913 satype = ipsecdoi2pfkey_proto(pr->proto_id);
914 if (satype == ~0) {
915 plog(ASL_LEVEL_ERR,
916 "invalid proto_id %d\n", pr->proto_id);
917 return -1;
918 }
919 /* this works around a bug in Linux kernel where it allocates 4 byte
920 spi's for IPCOMP */
921 else if (satype == SADB_X_SATYPE_IPCOMP) {
922 minspi = 0x100;
923 maxspi = 0xffff;
924 }
925 else {
926 minspi = 0;
927 maxspi = 0;
928 }
929 mode = ipsecdoi2pfkey_mode(pr->encmode);
930 if (mode == ~0) {
931 plog(ASL_LEVEL_ERR,
932 "invalid encmode %d\n", pr->encmode);
933 return -1;
934 }
935
936 plog(ASL_LEVEL_DEBUG, "call pfkey_send_getspi\n");
937 if (pfkey_send_getspi(
938 lcconf->sock_pfkey,
939 satype,
940 mode,
941 dst, /* src of SA */
942 src, /* dst of SA */
943 minspi, maxspi,
944 pr->reqid_in, 0, 0, iph2->seq, 0) < 0) {
945 plog(ASL_LEVEL_ERR,
946 "ipseclib failed send getspi (%s)\n",
947 ipsec_strerror());
948 return -1;
949 }
950
951 plog(ASL_LEVEL_DEBUG,
952 "pfkey GETSPI sent: %s\n",
953 sadbsecas2str(dst, src, satype, 0, mode));
954 }
955
956 return 0;
957 }
958
959 /*
960 * receive GETSPI from kernel.
961 */
962 static int
963 pk_recvgetspi(mhp)
964 caddr_t *mhp;
965 {
966 struct sadb_msg *msg;
967 struct sadb_sa *sa;
968 phase2_handle_t *iph2;
969 struct sockaddr_storage *dst;
970 int proto_id;
971 int allspiok, notfound;
972 struct saprop *pp;
973 struct saproto *pr;
974
975 /* validity check */
976 if (mhp[SADB_EXT_SA] == NULL
977 || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
978 plog(ASL_LEVEL_ERR,
979 "Inappropriate sadb getspi message passed.\n");
980 return -1;
981 }
982 msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
983 sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA];
984 dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); /* note SA dir */
985
986 /* the message has to be processed or not ? */
987 if (msg->sadb_msg_pid != getpid()) {
988 plog(ASL_LEVEL_DEBUG,
989 "%s message is not interesting "
990 "because pid %d is not mine.\n",
991 s_pfkey_type(msg->sadb_msg_type),
992 msg->sadb_msg_pid);
993 return -1;
994 }
995
996 iph2 = ike_session_getph2byseq(msg->sadb_msg_seq);
997 if (iph2 == NULL) {
998 plog(ASL_LEVEL_DEBUG,
999 "Seq %d of %s message not interesting.\n",
1000 msg->sadb_msg_seq,
1001 s_pfkey_type(msg->sadb_msg_type));
1002 return -1;
1003 }
1004
1005 if (iph2->is_dying) {
1006 plog(ASL_LEVEL_ERR,
1007 "Status mismatch Phase 2 dying (db:%d)\n",
1008 iph2->status);
1009 return -1;
1010 }
1011
1012 switch (iph2->version) {
1013 case ISAKMP_VERSION_NUMBER_IKEV1:
1014 if (iph2->status != IKEV1_STATE_QUICK_I_GETSPISENT &&
1015 iph2->status != IKEV1_STATE_QUICK_R_GETSPISENT) {
1016 plog(ASL_LEVEL_ERR, "Status mismatch (db:%d)\n", iph2->status);
1017 return -1;
1018 }
1019 // check the underlying iph2->ph1
1020 if (!iph2->ph1) {
1021 if (!ike_session_update_ph2_ph1bind(iph2)) {
1022 plog(ASL_LEVEL_ERR,
1023 "Can't proceed with getspi for %s. no suitable ISAKMP-SA found \n",
1024 saddrwop2str((struct sockaddr *)iph2->dst));
1025 ike_session_unlink_phase2(iph2);
1026 return -1;
1027 }
1028 }
1029 break;
1030 default:
1031 plog(ASL_LEVEL_ERR, "Internal error: invalid IKE major version %d\n", iph2->version);
1032 return -1;
1033 }
1034
1035 /* set SPI, and check to get all spi whether or not */
1036 allspiok = 1;
1037 notfound = 1;
1038 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
1039 pp = iph2->side == INITIATOR ? iph2->proposal : iph2->approval;
1040
1041 for (pr = pp->head; pr != NULL; pr = pr->next) {
1042 if (pr->proto_id == proto_id && pr->spi == 0) {
1043 pr->spi = sa->sadb_sa_spi;
1044 notfound = 0;
1045 plog(ASL_LEVEL_DEBUG,
1046 "pfkey GETSPI succeeded: %s\n",
1047 sadbsecas2str(iph2->dst, iph2->src,
1048 msg->sadb_msg_satype,
1049 sa->sadb_sa_spi,
1050 ipsecdoi2pfkey_mode(pr->encmode)));
1051 }
1052 if (pr->spi == 0)
1053 allspiok = 0; /* not get all spi */
1054 }
1055
1056 if (notfound) {
1057 plog(ASL_LEVEL_ERR,
1058 "Get spi for unknown address %s\n",
1059 saddrwop2str((struct sockaddr *)iph2->dst));
1060 ike_session_unlink_phase2(iph2);
1061 return -1;
1062 }
1063
1064 if (allspiok) {
1065 switch (iph2->version) {
1066 case ISAKMP_VERSION_NUMBER_IKEV1:
1067 if (isakmp_post_getspi(iph2) < 0) {
1068 plog(ASL_LEVEL_ERR, "IKEv1 post getspi failed.\n");
1069 ike_session_unlink_phase2(iph2);
1070 iph2 = NULL;
1071 return -1;
1072 }
1073 break;
1074 }
1075 }
1076 return 0;
1077 }
1078
1079 /*
1080 * set inbound SA
1081 */
1082 int
1083 pk_sendupdate(iph2)
1084 phase2_handle_t *iph2;
1085 {
1086 struct saproto *pr;
1087 struct sockaddr_storage *src = NULL, *dst = NULL;
1088 u_int e_type, e_keylen, a_type, a_keylen, flags;
1089 u_int satype, mode;
1090 u_int64_t lifebyte = 0;
1091 u_int wsize = 4; /* XXX static size of window */
1092 int proxy = 0;
1093 struct ph2natt natt;
1094 int authtype;
1095
1096 /* sanity check */
1097 if (iph2->approval == NULL) {
1098 plog(ASL_LEVEL_ERR,
1099 "No approved SAs found.\n");
1100 }
1101
1102 if (iph2->side == INITIATOR)
1103 proxy = iph2->ph1->rmconf->support_proxy;
1104 else if (iph2->sainfo && iph2->sainfo->id_i)
1105 proxy = 1;
1106
1107 /* for mobile IPv6 */
1108 if (proxy && iph2->src_id && iph2->dst_id &&
1109 ipsecdoi_transportmode(iph2->approval)) {
1110 src = iph2->src_id;
1111 dst = iph2->dst_id;
1112 } else {
1113 src = iph2->src;
1114 dst = iph2->dst;
1115 }
1116
1117 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
1118 /* validity check */
1119 satype = ipsecdoi2pfkey_proto(pr->proto_id);
1120 if (satype == ~0) {
1121 plog(ASL_LEVEL_ERR,
1122 "Invalid proto_id %d\n", pr->proto_id);
1123 return -1;
1124 }
1125 else if (satype == SADB_X_SATYPE_IPCOMP) {
1126 /* IPCOMP has no replay window */
1127 wsize = 0;
1128 }
1129 #ifdef ENABLE_SAMODE_UNSPECIFIED
1130 mode = IPSEC_MODE_ANY;
1131 #else
1132 mode = ipsecdoi2pfkey_mode(pr->encmode);
1133 if (mode == ~0) {
1134 plog(ASL_LEVEL_ERR,
1135 "Invalid encmode %d\n", pr->encmode);
1136 return -1;
1137 }
1138 #endif
1139
1140 /* set algorithm type and key length */
1141 e_keylen = pr->head->encklen;
1142 authtype = pr->head->authtype;
1143 a_keylen = 0;
1144 if (pfkey_convertfromipsecdoi(
1145 iph2,
1146 pr->proto_id,
1147 pr->head->trns_id,
1148 authtype,
1149 &e_type, &e_keylen,
1150 &a_type, &a_keylen, &flags) < 0)
1151 return -1;
1152
1153 #if 0
1154 lifebyte = iph2->approval->lifebyte * 1024,
1155 #else
1156 lifebyte = 0;
1157 #endif
1158
1159 #ifdef ENABLE_NATT
1160 //plog(ASL_LEVEL_DEBUG, "call pfkey_send_update\n");
1161 plog(ASL_LEVEL_DEBUG, "call pfkey_send_update: e_type %d, e_klen %d, a_type %d, a_klen %d\n",
1162 e_type, e_keylen, a_type, a_keylen);
1163 if (pr->udp_encap) {
1164 memset (&natt, 0, sizeof (natt));
1165 natt.sport = extract_port (iph2->ph1->remote);
1166 flags |= SADB_X_EXT_NATT;
1167 if (iph2->ph1->rmconf->natt_multiple_user == TRUE &&
1168 mode == IPSEC_MODE_TRANSPORT &&
1169 src->ss_family == AF_INET) {
1170 flags |= SADB_X_EXT_NATT_MULTIPLEUSERS;
1171 if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
1172 // is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE
1173 flags |= SADB_X_EXT_NATT_DETECTED_PEER;
1174 }
1175 } else if (iph2->ph1->natt_flags & NAT_DETECTED_ME) {
1176 if (iph2->ph1->rmconf->natt_keepalive == TRUE)
1177 flags |= SADB_X_EXT_NATT_KEEPALIVE;
1178 } else {
1179 if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
1180 // is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE
1181 flags |= SADB_X_EXT_NATT_DETECTED_PEER;
1182 }
1183 }
1184 } else {
1185 memset (&natt, 0, sizeof (natt));
1186 }
1187
1188 if (pfkey_send_update(
1189 lcconf->sock_pfkey,
1190 satype,
1191 mode,
1192 dst,
1193 src,
1194 pr->spi,
1195 pr->reqid_in,
1196 wsize,
1197 pr->keymat->v,
1198 e_type, e_keylen, a_type, a_keylen, flags,
1199 0, lifebyte, iph2->approval->lifetime, 0,
1200 iph2->seq, natt.sport, 0) < 0) {
1201 plog(ASL_LEVEL_ERR,
1202 "libipsec failed send update (%s)\n",
1203 ipsec_strerror());
1204 return -1;
1205 }
1206 #else
1207 plog(ASL_LEVEL_DEBUG, "call pfkey_send_update\n");
1208 if (pfkey_send_update(
1209 lcconf->sock_pfkey,
1210 satype,
1211 mode,
1212 dst,
1213 src,
1214 pr->spi,
1215 pr->reqid_in,
1216 wsize,
1217 pr->keymat->v,
1218 e_type, e_keylen, a_type, a_keylen, flags,
1219 0, lifebyte, iph2->approval->lifetime, 0,
1220 iph2->seq, 0, 0) < 0) {
1221 plog(ASL_LEVEL_ERR,
1222 "libipsec failed send update (%s)\n",
1223 ipsec_strerror());
1224 return -1;
1225 }
1226 #endif /* ENABLE_NATT */
1227
1228
1229 }
1230
1231 return 0;
1232 }
1233
1234 static int
1235 pk_recvupdate(mhp)
1236 caddr_t *mhp;
1237 {
1238 struct sadb_msg *msg;
1239 struct sadb_sa *sa;
1240 struct sockaddr_storage *src, *dst;
1241 phase2_handle_t *iph2;
1242 u_int proto_id, encmode, sa_mode;
1243 int incomplete = 0;
1244 struct saproto *pr;
1245
1246 /* ignore this message because of local test mode. */
1247 if (f_local)
1248 return 0;
1249
1250 /* sanity check */
1251 if (mhp[0] == NULL
1252 || mhp[SADB_EXT_SA] == NULL
1253 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
1254 || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
1255 plog(ASL_LEVEL_ERR,
1256 "inappropriate sadb update message passed.\n");
1257 return -1;
1258 }
1259 msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
1260 src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1261 dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1262 sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA];
1263
1264 sa_mode = mhp[SADB_X_EXT_SA2] == NULL
1265 ? IPSEC_MODE_ANY
1266 : (ALIGNED_CAST(struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
1267
1268 /* the message has to be processed or not ? */
1269 if (msg->sadb_msg_pid != getpid()) {
1270 plog(ASL_LEVEL_DEBUG,
1271 "%s message is not interesting "
1272 "because pid %d is not mine.\n",
1273 s_pfkey_type(msg->sadb_msg_type),
1274 msg->sadb_msg_pid);
1275 return -1;
1276 }
1277
1278 iph2 = ike_session_getph2byseq(msg->sadb_msg_seq);
1279 if (iph2 == NULL) {
1280 plog(ASL_LEVEL_DEBUG,
1281 "Seq %d of %s message not interesting.\n",
1282 msg->sadb_msg_seq,
1283 s_pfkey_type(msg->sadb_msg_type));
1284 return -1;
1285 }
1286
1287 if (iph2->is_dying) {
1288 plog(ASL_LEVEL_ERR,
1289 "Status mismatch Phase 2 dying (db:%d)\n",
1290 iph2->status);
1291 return -1;
1292 }
1293 if (iph2->status != IKEV1_STATE_QUICK_I_ADDSA &&
1294 iph2->status != IKEV1_STATE_QUICK_R_ADDSA) {
1295 plog(ASL_LEVEL_ERR,
1296 "Status mismatch (db:%d)\n",
1297 iph2->status);
1298 return -1;
1299 }
1300
1301 /* check to complete all keys ? */
1302 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
1303 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
1304 if (proto_id == ~0) {
1305 plog(ASL_LEVEL_ERR,
1306 "invalid proto_id %d\n", msg->sadb_msg_satype);
1307 return -1;
1308 }
1309 encmode = pfkey2ipsecdoi_mode(sa_mode);
1310 if (encmode == ~0) {
1311 plog(ASL_LEVEL_ERR,
1312 "invalid encmode %d\n", sa_mode);
1313 return -1;
1314 }
1315
1316 if (pr->proto_id == proto_id
1317 && pr->spi == sa->sadb_sa_spi) {
1318 pr->ok = 1;
1319 plog(ASL_LEVEL_DEBUG,
1320 "pfkey UPDATE succeeded: %s\n",
1321 sadbsecas2str(iph2->dst, iph2->src,
1322 msg->sadb_msg_satype,
1323 sa->sadb_sa_spi,
1324 sa_mode));
1325
1326 plog(ASL_LEVEL_NOTICE,
1327 "IPsec-SA established (update): satype=%u spi=%#x mode=%u\n",
1328 msg->sadb_msg_satype, ntohl(sa->sadb_sa_spi), sa_mode);
1329 plog(ASL_LEVEL_DEBUG,
1330 "IPsec-SA established (update): %s\n",
1331 sadbsecas2str(iph2->dst, iph2->src,
1332 msg->sadb_msg_satype, sa->sadb_sa_spi,
1333 sa_mode));
1334 }
1335
1336 if (pr->ok == 0)
1337 incomplete = 1;
1338 }
1339
1340 if (incomplete)
1341 return 0;
1342
1343 /* turn off the timer for calling pfkey_timeover() */
1344 SCHED_KILL(iph2->sce);
1345
1346 /* update status */
1347 fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_ESTABLISHED);
1348
1349 ike_session_ph2_established(iph2);
1350
1351 IPSECLOGASLMSG("IPSec Phase 2 established (Initiated by %s).\n",
1352 (iph2->side == INITIATOR)? "me" : "peer");
1353
1354 #ifdef ENABLE_STATS
1355 gettimeofday(&iph2->end, NULL);
1356 plog(ASL_LEVEL_NOTICE, "%s(%s): %8.6f",
1357 "Phase 2", "quick", timedelta(&iph2->start, &iph2->end));
1358 #endif
1359
1360 /* count up */
1361 if (iph2->ph1)
1362 iph2->ph1->ph2cnt++;
1363
1364 /* turn off schedule */
1365 if (iph2->scr)
1366 SCHED_KILL(iph2->scr);
1367
1368 /*
1369 * since we are going to reuse the phase2 handler, we need to
1370 * remain it and refresh all the references between ph1 and ph2 to use.
1371 */
1372 ike_session_unbindph12(iph2); //%%%%% fix this
1373
1374 iph2->sce = sched_new(iph2->approval->lifetime,
1375 isakmp_ph2expire_stub, iph2);
1376
1377 plog(ASL_LEVEL_DEBUG, "===\n");
1378 return 0;
1379 }
1380
1381 /*
1382 * set outbound SA
1383 */
1384 int
1385 pk_sendadd(iph2)
1386 phase2_handle_t *iph2;
1387 {
1388 struct saproto *pr;
1389 struct sockaddr_storage *src = NULL, *dst = NULL;
1390 u_int e_type, e_keylen, a_type, a_keylen, flags;
1391 u_int satype, mode;
1392 u_int64_t lifebyte = 0;
1393 u_int wsize = 4; /* XXX static size of window */
1394 int proxy = 0;
1395 struct ph2natt natt;
1396 int authtype;
1397
1398 /* sanity check */
1399 if (iph2->approval == NULL) {
1400 plog(ASL_LEVEL_ERR,
1401 "no approvaled SAs found.\n");
1402 }
1403
1404 if (iph2->side == INITIATOR)
1405 proxy = iph2->ph1->rmconf->support_proxy;
1406 else if (iph2->sainfo && iph2->sainfo->id_i)
1407 proxy = 1;
1408
1409 /* for mobile IPv6 */
1410 if (proxy && iph2->src_id && iph2->dst_id &&
1411 ipsecdoi_transportmode(iph2->approval)) {
1412 src = iph2->src_id;
1413 dst = iph2->dst_id;
1414 } else {
1415 src = iph2->src;
1416 dst = iph2->dst;
1417 }
1418
1419 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
1420 /* validity check */
1421 satype = ipsecdoi2pfkey_proto(pr->proto_id);
1422 if (satype == ~0) {
1423 plog(ASL_LEVEL_ERR,
1424 "invalid proto_id %d\n", pr->proto_id);
1425 return -1;
1426 }
1427 else if (satype == SADB_X_SATYPE_IPCOMP) {
1428 /* no replay window for IPCOMP */
1429 wsize = 0;
1430 }
1431 #ifdef ENABLE_SAMODE_UNSPECIFIED
1432 mode = IPSEC_MODE_ANY;
1433 #else
1434 mode = ipsecdoi2pfkey_mode(pr->encmode);
1435 if (mode == ~0) {
1436 plog(ASL_LEVEL_ERR,
1437 "invalid encmode %d\n", pr->encmode);
1438 return -1;
1439 }
1440 #endif
1441
1442 /* set algorithm type and key length */
1443 e_keylen = pr->head->encklen;
1444 authtype = pr->head->authtype;
1445 a_keylen = 0;
1446 if (pfkey_convertfromipsecdoi(
1447 iph2,
1448 pr->proto_id,
1449 pr->head->trns_id,
1450 authtype,
1451 &e_type, &e_keylen,
1452 &a_type, &a_keylen, &flags) < 0)
1453 return -1;
1454
1455 #if 0
1456 lifebyte = iph2->approval->lifebyte * 1024,
1457 #else
1458 lifebyte = 0;
1459 #endif
1460
1461 #ifdef ENABLE_NATT
1462 //plog(ASL_LEVEL_DEBUG, "call pfkey_send_add\n");
1463 plog(ASL_LEVEL_DEBUG, "call pfkey_send_add: e_type %d, e_klen %d, a_type %d, a_klen %d\n",
1464 e_type, e_keylen, a_type, a_keylen);
1465
1466 if (pr->udp_encap) {
1467 memset (&natt, 0, sizeof (natt));
1468 natt.dport = extract_port (iph2->ph1->remote);
1469 flags |= SADB_X_EXT_NATT;
1470 if (iph2->ph1->rmconf->natt_multiple_user == TRUE &&
1471 mode == IPSEC_MODE_TRANSPORT &&
1472 src->ss_family == AF_INET) {
1473 flags |= SADB_X_EXT_NATT_MULTIPLEUSERS;
1474 if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
1475 // is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE
1476 flags |= SADB_X_EXT_NATT_DETECTED_PEER;
1477 }
1478 } else if (iph2->ph1->natt_flags & NAT_DETECTED_ME) {
1479 if (iph2->ph1->rmconf->natt_keepalive == TRUE)
1480 flags |= SADB_X_EXT_NATT_KEEPALIVE;
1481 } else {
1482 if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
1483 // is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE
1484 flags |= SADB_X_EXT_NATT_DETECTED_PEER;
1485 }
1486 }
1487 } else {
1488 memset (&natt, 0, sizeof (natt));
1489
1490 /* Remove port information, that SA doesn't use it */
1491 //set_port(src, 0);
1492 //set_port(dst, 0);
1493 }
1494
1495 if (pfkey_send_add(
1496 lcconf->sock_pfkey,
1497 satype,
1498 mode,
1499 src,
1500 dst,
1501 pr->spi_p,
1502 pr->reqid_out,
1503 wsize,
1504 pr->keymat_p->v,
1505 e_type, e_keylen, a_type, a_keylen, flags,
1506 0, lifebyte, iph2->approval->lifetime, 0,
1507 iph2->seq,natt.dport, 0) < 0) {
1508 plog(ASL_LEVEL_ERR,
1509 "libipsec failed send add (%s)\n",
1510 ipsec_strerror());
1511 return -1;
1512 }
1513 #else
1514 plog(ASL_LEVEL_DEBUG, "call pfkey_send_add\n");
1515
1516 /* Remove port information, it is not used without NAT-T */
1517 //set_port(src, 0);
1518 //set_port(dst, 0);
1519
1520 if (pfkey_send_add(
1521 lcconf->sock_pfkey,
1522 satype,
1523 mode,
1524 src,
1525 dst,
1526 pr->spi_p,
1527 pr->reqid_out,
1528 wsize,
1529 pr->keymat_p->v,
1530 e_type, e_keylen, a_type, a_keylen, flags,
1531 0, lifebyte, iph2->approval->lifetime, 0,
1532 iph2->seq, 0, 0) < 0) {
1533 plog(ASL_LEVEL_ERR,
1534 "libipsec failed send add (%s)\n",
1535 ipsec_strerror());
1536 return -1;
1537 }
1538 #endif /* ENABLE_NATT */
1539 }
1540
1541 return 0;
1542 }
1543
1544 static int
1545 pk_recvadd(mhp)
1546 caddr_t *mhp;
1547 {
1548 struct sadb_msg *msg;
1549 struct sadb_sa *sa;
1550 struct sockaddr_storage *src, *dst;
1551 phase2_handle_t *iph2;
1552 u_int sa_mode;
1553
1554 /* ignore this message because of local test mode. */
1555 if (f_local)
1556 return 0;
1557
1558 /* sanity check */
1559 if (mhp[0] == NULL
1560 || mhp[SADB_EXT_SA] == NULL
1561 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
1562 || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
1563 plog(ASL_LEVEL_ERR,
1564 "inappropriate sadb add message passed.\n");
1565 return -1;
1566 }
1567 msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
1568 src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1569 dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1570 sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA];
1571
1572 sa_mode = mhp[SADB_X_EXT_SA2] == NULL
1573 ? IPSEC_MODE_ANY
1574 : (ALIGNED_CAST(struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
1575
1576 /* the message has to be processed or not ? */
1577 if (msg->sadb_msg_pid != getpid()) {
1578 plog(ASL_LEVEL_DEBUG,
1579 "%s message is not interesting "
1580 "because pid %d is not mine.\n",
1581 s_pfkey_type(msg->sadb_msg_type),
1582 msg->sadb_msg_pid);
1583 return -1;
1584 }
1585
1586 iph2 = ike_session_getph2byseq(msg->sadb_msg_seq);
1587 if (iph2 == NULL) {
1588 plog(ASL_LEVEL_DEBUG,
1589 "seq %d of %s message not interesting.\n",
1590 msg->sadb_msg_seq,
1591 s_pfkey_type(msg->sadb_msg_type));
1592 return -1;
1593 }
1594 /*
1595 * NOTE don't update any status of phase2 handle
1596 * because they must be updated by SADB_UPDATE message
1597 */
1598
1599 plog(ASL_LEVEL_NOTICE,
1600 "IPsec-SA established (add): satype=%u spi=%#x mode=%u\n",
1601 msg->sadb_msg_satype, ntohl(sa->sadb_sa_spi), sa_mode);
1602 plog(ASL_LEVEL_DEBUG,
1603 "IPsec-SA established (add): %s\n",
1604 sadbsecas2str(iph2->src, iph2->dst,
1605 msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode));
1606
1607 ike_session_cleanup_other_established_ph2s(iph2->parent_session, iph2);
1608
1609 #ifdef ENABLE_VPNCONTROL_PORT
1610 {
1611 vpncontrol_notify_phase_change(0, FROM_LOCAL, NULL, iph2);
1612 }
1613 #endif
1614
1615 plog(ASL_LEVEL_DEBUG, "===\n");
1616 return 0;
1617 }
1618
1619 static int
1620 pk_recvexpire(mhp)
1621 caddr_t *mhp;
1622 {
1623 struct sadb_msg *msg;
1624 struct sadb_sa *sa;
1625 struct sockaddr_storage *src, *dst;
1626 phase2_handle_t *iph2;
1627 u_int proto_id, sa_mode;
1628
1629 /* sanity check */
1630 if (mhp[0] == NULL
1631 || mhp[SADB_EXT_SA] == NULL
1632 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
1633 || mhp[SADB_EXT_ADDRESS_DST] == NULL
1634 || (mhp[SADB_EXT_LIFETIME_HARD] != NULL
1635 && mhp[SADB_EXT_LIFETIME_SOFT] != NULL)) {
1636 plog(ASL_LEVEL_ERR,
1637 "inappropriate sadb expire message passed.\n");
1638 return -1;
1639 }
1640 msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
1641 sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA];
1642 src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1643 dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1644
1645 sa_mode = mhp[SADB_X_EXT_SA2] == NULL
1646 ? IPSEC_MODE_ANY
1647 : (ALIGNED_CAST(struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
1648
1649 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
1650 if (proto_id == ~0) {
1651 plog(ASL_LEVEL_ERR,
1652 "invalid proto_id %d\n", msg->sadb_msg_satype);
1653 return -1;
1654 }
1655
1656 plog(ASL_LEVEL_NOTICE,
1657 "IPsec-SA expired: satype=%u spi=%#x mode=%u\n",
1658 msg->sadb_msg_satype, ntohl(sa->sadb_sa_spi), sa_mode);
1659 plog(ASL_LEVEL_DEBUG,
1660 "IPsec-SA expired: %s\n",
1661 sadbsecas2str(src, dst,
1662 msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode));
1663
1664 iph2 = ike_session_getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
1665 if (iph2 == NULL) {
1666 /*
1667 * Ignore it because two expire messages are come up.
1668 * phase2 handler has been deleted already when 2nd message
1669 * is received.
1670 */
1671 plog(ASL_LEVEL_DEBUG,
1672 "no such a SA found: %s\n",
1673 sadbsecas2str(src, dst,
1674 msg->sadb_msg_satype, sa->sadb_sa_spi,
1675 sa_mode));
1676 return 0;
1677 }
1678 if (iph2->is_dying || !FSM_STATE_IS_ESTABLISHED(iph2->status)) {
1679 /*
1680 * If the status is not equal to PHASE2ST_ESTABLISHED,
1681 * racoon ignores this expire message. There are two reason.
1682 * One is that the phase 2 probably starts because there is
1683 * a potential that racoon receives the acquire message
1684 * without receiving a expire message. Another is that racoon
1685 * may receive the multiple expire messages from the kernel.
1686 */
1687 plog(ASL_LEVEL_WARNING,
1688 "The expire message is received but the handler %s (status = 0x%x).\n",
1689 iph2->is_dying ? "is dying" : "has not been established", iph2->status);
1690 return 0;
1691 }
1692
1693 /* turn off the timer for calling isakmp_ph2expire() */
1694 SCHED_KILL(iph2->sce);
1695
1696 fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_EXPIRED);
1697
1698 /* INITIATOR, begin phase 2 exchange only if there's no other established ph2. */
1699 /* allocate buffer for status management of pfkey message */
1700 if (iph2->side == INITIATOR &&
1701 !ike_session_has_other_established_ph2(iph2->parent_session, iph2) &&
1702 !ike_session_drop_rekey(iph2->parent_session, IKE_SESSION_REKEY_TYPE_PH2)) {
1703
1704 ike_session_initph2(iph2);
1705
1706 /* start isakmp initiation by using ident exchange */
1707 if (isakmp_post_acquire(iph2) < 0) {
1708 plog(ASL_LEVEL_ERR,
1709 "failed to begin ipsec sa "
1710 "re-negotiation.\n");
1711 ike_session_unlink_phase2(iph2);
1712 return -1;
1713 }
1714
1715 return 0;
1716 /*NOTREACHED*/
1717 }
1718
1719
1720 /* If not received SADB_EXPIRE, INITIATOR delete ph2handle. */
1721 /* RESPONDER always delete ph2handle, keep silent. RESPONDER doesn't
1722 * manage IPsec SA, so delete the list */
1723 ike_session_unlink_phase2(iph2);
1724
1725 return 0;
1726 }
1727
1728 static int
1729 pk_recvacquire(mhp)
1730 caddr_t *mhp;
1731 {
1732 struct sadb_msg *msg;
1733 struct sadb_x_policy *xpl;
1734 struct secpolicy *sp_out = NULL, *sp_in = NULL;
1735 phase2_handle_t *iph2;
1736 struct sockaddr_storage *src, *dst;
1737 ike_session_t *session = NULL;
1738 struct remoteconf *rmconf;
1739
1740 /* ignore this message because of local test mode. */
1741 if (f_local)
1742 return 0;
1743
1744 /* sanity check */
1745 if (mhp[0] == NULL
1746 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
1747 || mhp[SADB_EXT_ADDRESS_DST] == NULL
1748 || mhp[SADB_X_EXT_POLICY] == NULL) {
1749 plog(ASL_LEVEL_ERR,
1750 "inappropriate sadb acquire message passed.\n");
1751 return -1;
1752 }
1753 msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
1754 xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
1755 src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1756 dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1757
1758 /* ignore if type is not IPSEC_POLICY_IPSEC */
1759 if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
1760 plog(ASL_LEVEL_DEBUG,
1761 "ignore ACQUIRE message. type is not IPsec.\n");
1762 return 0;
1763 }
1764
1765 /* ignore it if src is multicast address */
1766 {
1767 struct sockaddr_storage *sa = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1768
1769 if ((sa->ss_family == AF_INET
1770 && IN_MULTICAST(ntohl(((struct sockaddr_in *)sa)->sin_addr.s_addr)))
1771 #ifdef INET6
1772 || (sa->ss_family == AF_INET6
1773 && IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)sa)->sin6_addr))
1774 #endif
1775 ) {
1776 plog(ASL_LEVEL_DEBUG,
1777 "ignore due to multicast address: %s.\n",
1778 saddrwop2str((struct sockaddr *)sa));
1779 return 0;
1780 }
1781 }
1782
1783 /* ignore, if we do not listen on source address */
1784 {
1785 /* reasons behind:
1786 * - if we'll contact peer from address we do not listen -
1787 * we will be unable to complete negotiation;
1788 * - if we'll negotiate using address we're listening -
1789 * remote peer will send packets to address different
1790 * than one in the policy, so kernel will drop them;
1791 * => therefore this acquire is not for us! --Aidas
1792 */
1793 // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
1794 struct sockaddr_storage *sa = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1795 struct myaddrs *p;
1796 int do_listen = 0;
1797 char * str;
1798 for (p = lcconf->myaddrs; p; p = p->next) {
1799 str = saddr2str((struct sockaddr *)p->addr);
1800 plog(ASL_LEVEL_DEBUG,
1801 "checking listen addrs: %s", str);
1802
1803 if (!cmpsaddrwop(p->addr, sa)) {
1804 do_listen = 1;
1805 break;
1806 }
1807 }
1808
1809 if (!do_listen) {
1810 plog(ASL_LEVEL_DEBUG,
1811 "ignore because do not listen on source address : %s.\n",
1812 saddrwop2str((struct sockaddr *)sa));
1813 return 0;
1814 }
1815 }
1816
1817 /*
1818 * If there is a phase 2 handler against the policy identifier in
1819 * the acquire message, and if
1820 * 1. its state is less than PHASE2ST_ESTABLISHED, then racoon
1821 * should ignore such a acquire message because the phase 2
1822 * is just negotiating.
1823 * 2. its state is equal to PHASE2ST_ESTABLISHED, then racoon
1824 * has to process such a acquire message because racoon may
1825 * have lost the expire message.
1826 */
1827 iph2 = ike_session_getph2byid(src, dst, xpl->sadb_x_policy_id);
1828 if (iph2 != NULL) {
1829 session = iph2->parent_session;
1830 if (!FSM_STATE_IS_ESTABLISHED(iph2->status)) {
1831 plog(ASL_LEVEL_DEBUG,
1832 "ignore the acquire because ph2 found\n");
1833 return -1;
1834 }
1835 if (FSM_STATE_IS_EXPIRED(iph2->status))
1836 iph2 = NULL;
1837 /*FALLTHROUGH*/
1838 }
1839
1840 /* search for proper policyindex */
1841 sp_out = getspbyspid(xpl->sadb_x_policy_id);
1842 if (sp_out == NULL) {
1843 plog(ASL_LEVEL_ERR, "no policy found: id:%d.\n",
1844 xpl->sadb_x_policy_id);
1845 return -1;
1846 }
1847 plog(ASL_LEVEL_DEBUG,
1848 "suitable outbound SP found: %s.\n", spidx2str(&sp_out->spidx));
1849
1850 /* get inbound policy */
1851 {
1852 struct policyindex spidx;
1853
1854 spidx.dir = IPSEC_DIR_INBOUND;
1855 memcpy(&spidx.src, &sp_out->spidx.dst, sizeof(spidx.src));
1856 memcpy(&spidx.dst, &sp_out->spidx.src, sizeof(spidx.dst));
1857 spidx.prefs = sp_out->spidx.prefd;
1858 spidx.prefd = sp_out->spidx.prefs;
1859 spidx.ul_proto = sp_out->spidx.ul_proto;
1860
1861 sp_in = getsp(&spidx);
1862 if (sp_in) {
1863 plog(ASL_LEVEL_DEBUG,
1864 "Suitable inbound SP found: %s.\n",
1865 spidx2str(&sp_in->spidx));
1866 } else {
1867 plog(ASL_LEVEL_NOTICE,
1868 "No in-bound policy found: %s\n",
1869 spidx2str(&spidx));
1870 }
1871 }
1872
1873 /* allocate a phase 2 */
1874 rmconf = getrmconf(dst);
1875 if (rmconf == NULL) {
1876 plog(ASL_LEVEL_ERR, "No configuration found for %s.\n",
1877 saddrwop2str((struct sockaddr *)dst));
1878 return -1;
1879 }
1880
1881 iph2 = ike_session_newph2(rmconf->ike_version, PHASE2_TYPE_SA);
1882 if (iph2 == NULL) {
1883 plog(ASL_LEVEL_ERR,
1884 "Failed to allocate Phase 2 entry.\n");
1885 return -1;
1886 }
1887 plog(ASL_LEVEL_DEBUG, "Got new Phase 2 version %d\n", iph2->version);
1888 iph2->version = rmconf->ike_version;
1889 iph2->side = INITIATOR;
1890 iph2->spid = xpl->sadb_x_policy_id;
1891
1892 iph2->satype = msg->sadb_msg_satype;
1893 iph2->seq = msg->sadb_msg_seq;
1894 vpncontrol_set_nat64_prefix(&iph2->nat64_prefix);
1895 /* set end addresses of SA */
1896 // Wcast_align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
1897 iph2->src = dupsaddr(ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]));
1898 if (iph2->src == NULL) {
1899 ike_session_delph2(iph2);
1900 return -1;
1901 }
1902 iph2->dst = dupsaddr(ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]));
1903 if (iph2->dst == NULL) {
1904 ike_session_delph2(iph2);
1905 return -1;
1906 }
1907
1908 if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) {
1909 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_START);
1910 }
1911
1912 plog(ASL_LEVEL_DEBUG,
1913 "new acquire %s\n", spidx2str(&sp_out->spidx));
1914
1915 /* get sainfo */
1916 {
1917 vchar_t *idsrc, *iddst;
1918
1919 idsrc = ipsecdoi_sockaddr2id(&sp_out->spidx.src,
1920 sp_out->spidx.prefs, sp_out->spidx.ul_proto);
1921 if (idsrc == NULL) {
1922 plog(ASL_LEVEL_ERR,
1923 "failed to get ID for %s\n",
1924 spidx2str(&sp_out->spidx));
1925 ike_session_delph2(iph2);
1926 return -1;
1927 }
1928 iddst = ipsecdoi_sockaddr2id(&sp_out->spidx.dst,
1929 sp_out->spidx.prefd, sp_out->spidx.ul_proto);
1930 if (iddst == NULL) {
1931 plog(ASL_LEVEL_ERR,
1932 "failed to get ID for %s\n",
1933 spidx2str(&sp_out->spidx));
1934 vfree(idsrc);
1935 ike_session_delph2(iph2);
1936 return -1;
1937 }
1938 iph2->sainfo = getsainfo(idsrc, iddst, NULL, 0);
1939 vfree(idsrc);
1940 vfree(iddst);
1941 if (iph2->sainfo == NULL) {
1942 plog(ASL_LEVEL_ERR,
1943 "failed to get sainfo.\n");
1944 ike_session_delph2(iph2);
1945 return -1;
1946 /* XXX should use the algorithm list from register message */
1947 }
1948 }
1949 retain_sainfo(iph2->sainfo);
1950
1951 if (set_proposal_from_policy(iph2, sp_out, sp_in) < 0) {
1952 plog(ASL_LEVEL_ERR,
1953 "failed to create saprop.\n");
1954 ike_session_delph2(iph2);
1955 return -1;
1956 }
1957
1958 if (session == NULL)
1959 session = ike_session_get_session(iph2->src, iph2->dst, 1, NULL);
1960 if (session == NULL)
1961 fatal_error(-1);
1962
1963 if (ike_session_link_phase2(session, iph2))
1964 fatal_error(-1); //????? fix ???
1965
1966 /* start isakmp initiation by using ident exchange */
1967 /* XXX should be looped if there are multiple phase 2 handler. */
1968 if (isakmp_post_acquire(iph2) < 0) {
1969 plog(ASL_LEVEL_ERR,
1970 "failed to begin ipsec sa negotiation.\n");
1971 goto err;
1972 }
1973
1974 #if !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
1975 if ( lcconf->vt == NULL){
1976 if (!(lcconf->vt = vproc_transaction_begin(NULL)))
1977 plog(ASL_LEVEL_ERR,
1978 "vproc_transaction_begin returns NULL.\n");
1979 }
1980 #endif // !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
1981
1982
1983 return 0;
1984
1985 err:
1986 ike_session_unlink_phase2(iph2);
1987 return -1;
1988 }
1989
1990 static int
1991 pk_recvdelete(mhp)
1992 caddr_t *mhp;
1993 {
1994 struct sadb_msg *msg;
1995 struct sadb_sa *sa;
1996 struct sockaddr_storage *src, *dst;
1997 phase2_handle_t *iph2 = NULL;
1998 u_int proto_id;
1999
2000 /* ignore this message because of local test mode. */
2001 if (f_local)
2002 return 0;
2003
2004 /* sanity check */
2005 if (mhp[0] == NULL
2006 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
2007 || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
2008 plog(ASL_LEVEL_ERR,
2009 "inappropriate sadb delete message passed.\n");
2010 return -1;
2011 }
2012 msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
2013 sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA];
2014 src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
2015 dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
2016
2017 /* the message has to be processed or not ? */
2018 if (msg->sadb_msg_pid == getpid()) {
2019 plog(ASL_LEVEL_DEBUG,
2020 "%s message is not interesting "
2021 "because the message was originated by me.\n",
2022 s_pfkey_type(msg->sadb_msg_type));
2023 return -1;
2024 }
2025
2026 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
2027 if (proto_id == ~0) {
2028 plog(ASL_LEVEL_ERR,
2029 "invalid proto_id %d\n", msg->sadb_msg_satype);
2030 return -1;
2031 }
2032
2033 plog(ASL_LEVEL_DEBUG, "SADB delete message: proto-id %d\n", proto_id);
2034 plog(ASL_LEVEL_DEBUG, "src: %s\n", saddr2str((struct sockaddr *)src));
2035 plog(ASL_LEVEL_DEBUG, "dst: %s\n", saddr2str((struct sockaddr *)dst));
2036
2037 if (!sa) {
2038 ike_session_deleteallph2(src, dst, proto_id);
2039 ike_session_deleteallph1(src, dst);
2040 return 0;
2041 }
2042
2043 iph2 = ike_session_getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
2044 if (iph2 == NULL) {
2045 /* ignore */
2046 plog(ASL_LEVEL_ERR,
2047 "no iph2 found: %s\n",
2048 sadbsecas2str(src, dst, msg->sadb_msg_satype,
2049 sa->sadb_sa_spi, IPSEC_MODE_ANY));
2050 return 0;
2051 }
2052
2053 plog(ASL_LEVEL_ERR,
2054 "pfkey DELETE received: %s\n",
2055 sadbsecas2str(iph2->src, iph2->dst,
2056 msg->sadb_msg_satype, sa->sadb_sa_spi, IPSEC_MODE_ANY));
2057
2058 /* send delete information */
2059
2060 /* TODO: Look into handling this properly. Currently, if we get here, we can end up sending delete messages to the server for their own SAs, which is rejected. */
2061 /*if (FSM_STATE_IS_ESTABLISHED(iph2->status))
2062 isakmp_info_send_d2(iph2);
2063
2064 ike_session_cleanup_ph1s_by_ph2(iph2);
2065 ike_session_unlink_phase2(iph2);*/
2066
2067 return 0;
2068 }
2069
2070 static int
2071 pk_recvflush(mhp)
2072 caddr_t *mhp;
2073 {
2074 /* sanity check */
2075 if (mhp[0] == NULL) {
2076 plog(ASL_LEVEL_ERR,
2077 "inappropriate sadb flush message passed.\n");
2078 return -1;
2079 }
2080
2081 ike_session_flush_all_phase2(false);
2082 ike_session_flush_all_phase1(false);
2083
2084 return 0;
2085 }
2086
2087 static int
2088 getsadbpolicy(policy0, policylen0, type, iph2)
2089 caddr_t *policy0;
2090 int *policylen0, type;
2091 phase2_handle_t *iph2;
2092 {
2093 struct policyindex *spidx = iph2->spidx_gen;
2094 struct sadb_x_policy *xpl;
2095 struct sadb_x_ipsecrequest *xisr;
2096 struct saproto *pr;
2097 caddr_t policy, p;
2098 int policylen;
2099 int xisrlen;
2100 u_int satype, mode;
2101
2102 /* get policy buffer size */
2103 policylen = sizeof(struct sadb_x_policy);
2104 if (type != SADB_X_SPDDELETE) {
2105 for (pr = iph2->approval->head; pr; pr = pr->next) {
2106 xisrlen = sizeof(*xisr);
2107 if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
2108 xisrlen += (sysdep_sa_len((struct sockaddr *)iph2->src)
2109 + sysdep_sa_len((struct sockaddr *)iph2->dst));
2110 }
2111
2112 policylen += PFKEY_ALIGN8(xisrlen);
2113 }
2114 }
2115
2116 /* make policy structure */
2117 policy = racoon_malloc(policylen);
2118 if (!policy) {
2119 plog(ASL_LEVEL_ERR,
2120 "buffer allocation failed.\n");
2121 return -1;
2122 }
2123
2124 xpl = ALIGNED_CAST(struct sadb_x_policy *)policy;
2125 xpl->sadb_x_policy_len = PFKEY_UNIT64(policylen);
2126 xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2127 xpl->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
2128 xpl->sadb_x_policy_dir = spidx->dir;
2129 xpl->sadb_x_policy_id = 0;
2130 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2131 xpl->sadb_x_policy_priority = PRIORITY_DEFAULT;
2132 #endif
2133
2134 /* no need to append policy information any more if type is SPDDELETE */
2135 if (type == SADB_X_SPDDELETE)
2136 goto end;
2137
2138 xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
2139
2140 for (pr = iph2->approval->head; pr; pr = pr->next) {
2141
2142 satype = doi2ipproto(pr->proto_id);
2143 if (satype == ~0) {
2144 plog(ASL_LEVEL_ERR,
2145 "invalid proto_id %d\n", pr->proto_id);
2146 goto err;
2147 }
2148 mode = ipsecdoi2pfkey_mode(pr->encmode);
2149 if (mode == ~0) {
2150 plog(ASL_LEVEL_ERR,
2151 "invalid encmode %d\n", pr->encmode);
2152 goto err;
2153 }
2154
2155 /*
2156 * the policy level cannot be unique because the policy
2157 * is defined later than SA, so req_id cannot be bound to SA.
2158 */
2159 xisr->sadb_x_ipsecrequest_proto = satype;
2160 xisr->sadb_x_ipsecrequest_mode = mode;
2161 xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE;
2162 xisr->sadb_x_ipsecrequest_reqid = 0;
2163 p = (caddr_t)(xisr + 1);
2164
2165 xisrlen = sizeof(*xisr);
2166
2167 if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
2168 int src_len, dst_len;
2169
2170 src_len = sysdep_sa_len((struct sockaddr *)iph2->src);
2171 dst_len = sysdep_sa_len((struct sockaddr *)iph2->dst);
2172 xisrlen += src_len + dst_len;
2173
2174 memcpy(p, iph2->src, src_len);
2175 p += src_len;
2176
2177 memcpy(p, iph2->dst, dst_len);
2178 p += dst_len;
2179 }
2180
2181 xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen);
2182 }
2183
2184 end:
2185 *policy0 = policy;
2186 *policylen0 = policylen;
2187
2188 return 0;
2189
2190 err:
2191 if (policy)
2192 racoon_free(policy);
2193
2194 return -1;
2195 }
2196
2197 int
2198 pk_sendspdupdate2(iph2)
2199 phase2_handle_t *iph2;
2200 {
2201 struct policyindex *spidx = iph2->spidx_gen;
2202 caddr_t policy = NULL;
2203 int policylen = 0;
2204 u_int64_t ltime, vtime;
2205
2206 ltime = iph2->approval->lifetime;
2207 vtime = 0;
2208
2209 if (getsadbpolicy(&policy, &policylen, SADB_X_SPDUPDATE, iph2)) {
2210 plog(ASL_LEVEL_ERR,
2211 "getting sadb policy failed.\n");
2212 return -1;
2213 }
2214
2215 if (pfkey_send_spdupdate2(
2216 lcconf->sock_pfkey,
2217 &spidx->src,
2218 spidx->prefs,
2219 &spidx->dst,
2220 spidx->prefd,
2221 spidx->ul_proto,
2222 ltime, vtime,
2223 policy, policylen, 0) < 0) {
2224 plog(ASL_LEVEL_ERR,
2225 "libipsec failed send spdupdate2 (%s)\n",
2226 ipsec_strerror());
2227 goto end;
2228 }
2229 plog(ASL_LEVEL_DEBUG, "call pfkey_send_spdupdate2\n");
2230
2231 end:
2232 if (policy)
2233 racoon_free(policy);
2234
2235 return 0;
2236 }
2237
2238 static int
2239 pk_recvspdupdate(mhp)
2240 caddr_t *mhp;
2241 {
2242 struct sadb_address *saddr, *daddr;
2243 struct sadb_x_policy *xpl;
2244 struct policyindex spidx;
2245 struct secpolicy *sp;
2246
2247 /* sanity check */
2248 if (mhp[0] == NULL
2249 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
2250 || mhp[SADB_EXT_ADDRESS_DST] == NULL
2251 || mhp[SADB_X_EXT_POLICY] == NULL) {
2252 plog(ASL_LEVEL_ERR,
2253 "inappropriate sadb spdupdate message passed.\n");
2254 return -1;
2255 }
2256 saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
2257 daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2258 xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2259
2260 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2261 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2262 saddr + 1,
2263 daddr + 1,
2264 saddr->sadb_address_prefixlen,
2265 daddr->sadb_address_prefixlen,
2266 saddr->sadb_address_proto,
2267 xpl->sadb_x_policy_priority,
2268 &spidx);
2269 #else
2270 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2271 saddr + 1,
2272 daddr + 1,
2273 saddr->sadb_address_prefixlen,
2274 daddr->sadb_address_prefixlen,
2275 saddr->sadb_address_proto,
2276 &spidx);
2277 #endif
2278
2279 sp = getsp(&spidx);
2280 if (sp == NULL) {
2281 plog(ASL_LEVEL_ERR,
2282 "such policy does not already exist: \"%s\"\n",
2283 spidx2str(&spidx));
2284 } else {
2285 remsp(sp);
2286 delsp(sp);
2287 }
2288
2289 if (addnewsp(mhp) < 0)
2290 return -1;
2291
2292 return 0;
2293 }
2294
2295 /*
2296 * this function has to be used by responder side.
2297 */
2298 int
2299 pk_sendspdadd2(iph2)
2300 phase2_handle_t *iph2;
2301 {
2302 struct policyindex *spidx = iph2->spidx_gen;
2303 caddr_t policy = NULL;
2304 int policylen = 0;
2305 u_int64_t ltime, vtime;
2306
2307 ltime = iph2->approval->lifetime;
2308 vtime = 0;
2309
2310 if (getsadbpolicy(&policy, &policylen, SADB_X_SPDADD, iph2)) {
2311 plog(ASL_LEVEL_ERR,
2312 "getting sadb policy failed.\n");
2313 return -1;
2314 }
2315
2316 if (pfkey_send_spdadd2(
2317 lcconf->sock_pfkey,
2318 &spidx->src,
2319 spidx->prefs,
2320 &spidx->dst,
2321 spidx->prefd,
2322 spidx->ul_proto,
2323 ltime, vtime,
2324 policy, policylen, 0) < 0) {
2325 plog(ASL_LEVEL_ERR,
2326 "libipsec failed send spdadd2 (%s)\n",
2327 ipsec_strerror());
2328 goto end;
2329 }
2330 plog(ASL_LEVEL_DEBUG, "call pfkey_send_spdadd2\n");
2331
2332 end:
2333 if (policy)
2334 racoon_free(policy);
2335
2336 return 0;
2337 }
2338
2339 static int
2340 pk_recvspdadd(mhp)
2341 caddr_t *mhp;
2342 {
2343 struct sadb_address *saddr, *daddr;
2344 struct sadb_x_policy *xpl;
2345 struct policyindex spidx;
2346 struct secpolicy *sp;
2347
2348 /* sanity check */
2349 if (mhp[0] == NULL
2350 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
2351 || mhp[SADB_EXT_ADDRESS_DST] == NULL
2352 || mhp[SADB_X_EXT_POLICY] == NULL) {
2353 plog(ASL_LEVEL_ERR,
2354 "inappropriate sadb spdadd message passed.\n");
2355 return -1;
2356 }
2357 saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
2358 daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2359 xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2360
2361 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2362 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2363 saddr + 1,
2364 daddr + 1,
2365 saddr->sadb_address_prefixlen,
2366 daddr->sadb_address_prefixlen,
2367 saddr->sadb_address_proto,
2368 xpl->sadb_x_policy_priority,
2369 &spidx);
2370 #else
2371 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2372 saddr + 1,
2373 daddr + 1,
2374 saddr->sadb_address_prefixlen,
2375 daddr->sadb_address_prefixlen,
2376 saddr->sadb_address_proto,
2377 &spidx);
2378 #endif
2379
2380 sp = getsp(&spidx);
2381 if (sp != NULL) {
2382 plog(ASL_LEVEL_ERR,
2383 "such policy already exists. "
2384 "anyway replace it: %s\n",
2385 spidx2str(&spidx));
2386 remsp(sp);
2387 delsp(sp);
2388 }
2389
2390 if (addnewsp(mhp) < 0)
2391 return -1;
2392
2393 return 0;
2394 }
2395
2396 /*
2397 * this function has to be used by responder side.
2398 */
2399 int
2400 pk_sendspddelete(iph2)
2401 phase2_handle_t *iph2;
2402 {
2403 struct policyindex *spidx = iph2->spidx_gen;
2404 caddr_t policy = NULL;
2405 int policylen;
2406
2407 if (getsadbpolicy(&policy, &policylen, SADB_X_SPDDELETE, iph2)) {
2408 plog(ASL_LEVEL_ERR,
2409 "getting sadb policy failed.\n");
2410 return -1;
2411 }
2412
2413 if (pfkey_send_spddelete(
2414 lcconf->sock_pfkey,
2415 &spidx->src,
2416 spidx->prefs,
2417 &spidx->dst,
2418 spidx->prefd,
2419 spidx->ul_proto,
2420 policy, policylen, 0) < 0) {
2421 plog(ASL_LEVEL_ERR,
2422 "libipsec failed send spddelete (%s)\n",
2423 ipsec_strerror());
2424 goto end;
2425 }
2426 plog(ASL_LEVEL_DEBUG, "call pfkey_send_spddelete\n");
2427
2428 end:
2429 if (policy)
2430 racoon_free(policy);
2431
2432 return 0;
2433 }
2434
2435 static int
2436 pk_recvspddelete(mhp)
2437 caddr_t *mhp;
2438 {
2439 struct sadb_address *saddr, *daddr;
2440 struct sadb_x_policy *xpl;
2441 struct policyindex spidx;
2442 struct secpolicy *sp;
2443
2444 /* sanity check */
2445 if (mhp[0] == NULL
2446 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
2447 || mhp[SADB_EXT_ADDRESS_DST] == NULL
2448 || mhp[SADB_X_EXT_POLICY] == NULL) {
2449 plog(ASL_LEVEL_ERR,
2450 "inappropriate sadb spddelete message passed.\n");
2451 return -1;
2452 }
2453 saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
2454 daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2455 xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2456
2457 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2458 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2459 saddr + 1,
2460 daddr + 1,
2461 saddr->sadb_address_prefixlen,
2462 daddr->sadb_address_prefixlen,
2463 saddr->sadb_address_proto,
2464 xpl->sadb_x_policy_priority,
2465 &spidx);
2466 #else
2467 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2468 saddr + 1,
2469 daddr + 1,
2470 saddr->sadb_address_prefixlen,
2471 daddr->sadb_address_prefixlen,
2472 saddr->sadb_address_proto,
2473 &spidx);
2474 #endif
2475
2476 sp = getsp(&spidx);
2477 if (sp == NULL) {
2478 plog(ASL_LEVEL_ERR,
2479 "no policy found: %s\n",
2480 spidx2str(&spidx));
2481 return -1;
2482 }
2483
2484 ike_session_purgephXbyspid(xpl->sadb_x_policy_id, true);
2485
2486 remsp(sp);
2487 delsp(sp);
2488
2489 return 0;
2490 }
2491
2492 static int
2493 pk_recvspdexpire(mhp)
2494 caddr_t *mhp;
2495 {
2496 struct sadb_address *saddr, *daddr;
2497 struct sadb_x_policy *xpl;
2498 struct policyindex spidx;
2499 struct secpolicy *sp;
2500
2501 /* sanity check */
2502 if (mhp[0] == NULL
2503 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
2504 || mhp[SADB_EXT_ADDRESS_DST] == NULL
2505 || mhp[SADB_X_EXT_POLICY] == NULL) {
2506 plog(ASL_LEVEL_ERR,
2507 "inappropriate sadb spdexpire message passed.\n");
2508 return -1;
2509 }
2510 saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
2511 daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2512 xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2513
2514 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2515 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2516 saddr + 1,
2517 daddr + 1,
2518 saddr->sadb_address_prefixlen,
2519 daddr->sadb_address_prefixlen,
2520 saddr->sadb_address_proto,
2521 xpl->sadb_x_policy_priority,
2522 &spidx);
2523 #else
2524 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2525 saddr + 1,
2526 daddr + 1,
2527 saddr->sadb_address_prefixlen,
2528 daddr->sadb_address_prefixlen,
2529 saddr->sadb_address_proto,
2530 &spidx);
2531 #endif
2532
2533 sp = getsp(&spidx);
2534 if (sp == NULL) {
2535 plog(ASL_LEVEL_ERR,
2536 "no policy found: %s\n",
2537 spidx2str(&spidx));
2538 return -1;
2539 }
2540
2541 ike_session_purgephXbyspid(xpl->sadb_x_policy_id, false);
2542
2543 remsp(sp);
2544 delsp(sp);
2545
2546 return 0;
2547 }
2548
2549 static int
2550 pk_recvspdget(mhp)
2551 caddr_t *mhp;
2552 {
2553 /* sanity check */
2554 if (mhp[0] == NULL) {
2555 plog(ASL_LEVEL_ERR,
2556 "inappropriate sadb spdget message passed.\n");
2557 return -1;
2558 }
2559
2560 return 0;
2561 }
2562
2563 static int
2564 pk_recvspddump(mhp)
2565 caddr_t *mhp;
2566 {
2567 struct sadb_msg *msg;
2568 struct sadb_address *saddr, *daddr;
2569 struct sadb_x_policy *xpl;
2570 struct policyindex spidx;
2571 struct secpolicy *sp;
2572
2573 /* sanity check */
2574 if (mhp[0] == NULL) {
2575 plog(ASL_LEVEL_ERR,
2576 "inappropriate sadb spddump message passed.\n");
2577 return -1;
2578 }
2579 msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
2580
2581 saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
2582 daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2583 xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2584
2585 if (saddr == NULL || daddr == NULL || xpl == NULL) {
2586 plog(ASL_LEVEL_ERR,
2587 "inappropriate sadb spddump message passed.\n");
2588 return -1;
2589 }
2590
2591 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2592 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2593 saddr + 1,
2594 daddr + 1,
2595 saddr->sadb_address_prefixlen,
2596 daddr->sadb_address_prefixlen,
2597 saddr->sadb_address_proto,
2598 xpl->sadb_x_policy_priority,
2599 &spidx);
2600 #else
2601 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2602 saddr + 1,
2603 daddr + 1,
2604 saddr->sadb_address_prefixlen,
2605 daddr->sadb_address_prefixlen,
2606 saddr->sadb_address_proto,
2607 &spidx);
2608 #endif
2609
2610 sp = getsp(&spidx);
2611 if (sp != NULL) {
2612 plog(ASL_LEVEL_ERR,
2613 "such policy already exists. "
2614 "anyway replace it: %s\n",
2615 spidx2str(&spidx));
2616 remsp(sp);
2617 delsp(sp);
2618 }
2619
2620 if (addnewsp(mhp) < 0)
2621 return -1;
2622
2623 return 0;
2624 }
2625
2626 static int
2627 pk_recvspdflush(mhp)
2628 caddr_t *mhp;
2629 {
2630 /* sanity check */
2631 if (mhp[0] == NULL) {
2632 plog(ASL_LEVEL_ERR,
2633 "inappropriate sadb spdflush message passed.\n");
2634 return -1;
2635 }
2636
2637 ike_session_flush_all_phase2(false);
2638 ike_session_flush_all_phase1(false);
2639 flushsp();
2640
2641 return 0;
2642 }
2643
2644 /*
2645 * send error against acquire message to kenrel.
2646 */
2647 int
2648 pk_sendeacquire(iph2)
2649 phase2_handle_t *iph2;
2650 {
2651 struct sadb_msg *newmsg;
2652 int len;
2653
2654 len = sizeof(struct sadb_msg);
2655 newmsg = racoon_calloc(1, len);
2656 if (newmsg == NULL) {
2657 plog(ASL_LEVEL_ERR,
2658 "failed to get buffer to send acquire.\n");
2659 return -1;
2660 }
2661
2662 memset(newmsg, 0, len);
2663 newmsg->sadb_msg_version = PF_KEY_V2;
2664 newmsg->sadb_msg_type = SADB_ACQUIRE;
2665 newmsg->sadb_msg_errno = ENOENT; /* XXX */
2666 newmsg->sadb_msg_satype = iph2->satype;
2667 newmsg->sadb_msg_len = PFKEY_UNIT64(len);
2668 newmsg->sadb_msg_reserved = 0;
2669 newmsg->sadb_msg_seq = iph2->seq;
2670 newmsg->sadb_msg_pid = (u_int32_t)getpid();
2671
2672 /* send message */
2673 len = pfkey_send(lcconf->sock_pfkey, newmsg, len);
2674
2675 racoon_free(newmsg);
2676
2677 return 0;
2678 }
2679
2680 int
2681 pk_sendget_inbound_sastats(ike_session_t *session)
2682 {
2683 u_int32_t max_stats;
2684 u_int32_t seq;
2685
2686 if (!session) {
2687 plog(ASL_LEVEL_DEBUG, "invalid args in %s \n", __FUNCTION__);
2688 return -1;
2689 }
2690
2691 session->traffic_monitor.num_in_curr_req = 0;
2692 bzero(session->traffic_monitor.in_curr_req, sizeof(session->traffic_monitor.in_curr_req));
2693 max_stats = (sizeof(session->traffic_monitor.in_curr_req) / sizeof(session->traffic_monitor.in_curr_req[0]));
2694
2695 // get list of SAs
2696 if ((session->traffic_monitor.num_in_curr_req = ike_session_get_sas_for_stats(session,
2697 IPSEC_DIR_INBOUND,
2698 &seq,
2699 session->traffic_monitor.in_curr_req,
2700 max_stats))) {
2701 u_int64_t session_ids[] = {(u_int64_t)session, 0};
2702
2703 //plog(ASL_LEVEL_DEBUG, "about to call %s\n", __FUNCTION__);
2704
2705 if (pfkey_send_getsastats(lcconf->sock_pfkey,
2706 seq,
2707 session_ids,
2708 1,
2709 IPSEC_DIR_INBOUND,
2710 session->traffic_monitor.in_curr_req,
2711 session->traffic_monitor.num_in_curr_req) < 0) {
2712 return -1;
2713 }
2714 //plog(ASL_LEVEL_DEBUG, "%s successful\n", __FUNCTION__);
2715
2716 return session->traffic_monitor.num_in_curr_req;
2717 }
2718 return 0;
2719 }
2720
2721 int
2722 pk_sendget_outbound_sastats(ike_session_t *session)
2723 {
2724 u_int32_t max_stats;
2725 u_int32_t seq;
2726
2727 if (!session) {
2728 plog(ASL_LEVEL_DEBUG, "invalid args in %s \n", __FUNCTION__);
2729 return -1;
2730 }
2731
2732 session->traffic_monitor.num_out_curr_req = 0;
2733 bzero(session->traffic_monitor.out_curr_req, sizeof(session->traffic_monitor.out_curr_req));
2734 max_stats = (sizeof(session->traffic_monitor.out_curr_req) / sizeof(session->traffic_monitor.out_curr_req[0]));
2735
2736 // get list of SAs
2737 if ((session->traffic_monitor.num_out_curr_req = ike_session_get_sas_for_stats(session,
2738 IPSEC_DIR_OUTBOUND,
2739 &seq,
2740 session->traffic_monitor.out_curr_req,
2741 max_stats))) {
2742 u_int64_t session_ids[] = {(u_int64_t)session, 0};
2743
2744 //plog(ASL_LEVEL_DEBUG, "about to call %s\n", __FUNCTION__);
2745
2746 if (pfkey_send_getsastats(lcconf->sock_pfkey,
2747 seq,
2748 session_ids,
2749 1,
2750 IPSEC_DIR_OUTBOUND,
2751 session->traffic_monitor.out_curr_req,
2752 session->traffic_monitor.num_out_curr_req) < 0) {
2753 return -1;
2754 }
2755 //plog(ASL_LEVEL_DEBUG, "%s successful\n", __FUNCTION__);
2756
2757 return session->traffic_monitor.num_out_curr_req;
2758 }
2759 return 0;
2760 }
2761
2762 /*
2763 * receive GETSPDSTAT from kernel.
2764 */
2765 static int
2766 pk_recvgetsastat(mhp)
2767 caddr_t *mhp;
2768 {
2769 struct sadb_msg *msg;
2770 struct sadb_session_id *session_id;
2771 struct sadb_sastat *stat_resp;
2772 ike_session_t *session;
2773
2774 /* validity check */
2775 if (mhp[0] == NULL ||
2776 mhp[SADB_EXT_SESSION_ID] == NULL ||
2777 mhp[SADB_EXT_SASTAT] == NULL) {
2778 plog(ASL_LEVEL_ERR,
2779 "inappropriate sadb getsastat response.\n");
2780 return -1;
2781 }
2782 msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to structs in an aligned buffer
2783 session_id = ALIGNED_CAST(struct sadb_session_id *)mhp[SADB_EXT_SESSION_ID];
2784 stat_resp = ALIGNED_CAST(struct sadb_sastat *)mhp[SADB_EXT_SASTAT];
2785
2786 /* the message has to be processed or not ? */
2787 if (msg->sadb_msg_pid != getpid()) {
2788 plog(ASL_LEVEL_DEBUG,
2789 "%s message is not interesting "
2790 "because pid %d is not mine.\n",
2791 s_pfkey_type(msg->sadb_msg_type),
2792 msg->sadb_msg_pid);
2793 return -1;
2794 }
2795 if (!session_id->sadb_session_id_v[0]) {
2796 plog(ASL_LEVEL_DEBUG,
2797 "%s message is bad "
2798 "because session-id[0] is invalid.\n",
2799 s_pfkey_type(msg->sadb_msg_type));
2800 return -1;
2801 }
2802 session = ALIGNED_CAST(__typeof__(session))session_id->sadb_session_id_v[0];
2803
2804 if (!stat_resp->sadb_sastat_list_len) {
2805 plog(ASL_LEVEL_DEBUG,
2806 "%s message is bad "
2807 "because it has no sastats.\n",
2808 s_pfkey_type(msg->sadb_msg_type));
2809 return -1;
2810 }
2811
2812 ike_session_update_traffic_idle_status(session,
2813 stat_resp->sadb_sastat_dir,
2814 (struct sastat *)(stat_resp + 1),
2815 stat_resp->sadb_sastat_list_len);
2816 return 0;
2817 }
2818
2819 /*
2820 * check if the algorithm is supported or not.
2821 * OUT 0: ok
2822 * -1: ng
2823 */
2824 int
2825 pk_checkalg(class, calg, keylen)
2826 int class, calg, keylen;
2827 {
2828 int sup, error;
2829 u_int alg;
2830 struct sadb_alg alg0;
2831
2832 switch (algclass2doi(class)) {
2833 case IPSECDOI_PROTO_IPSEC_ESP:
2834 sup = SADB_EXT_SUPPORTED_ENCRYPT;
2835 break;
2836 case IPSECDOI_ATTR_AUTH:
2837 sup = SADB_EXT_SUPPORTED_AUTH;
2838 break;
2839 case IPSECDOI_PROTO_IPCOMP:
2840 return 0;
2841 default:
2842 plog(ASL_LEVEL_ERR,
2843 "invalid algorithm class.\n");
2844 return -1;
2845 }
2846 alg = ipsecdoi2pfkey_alg(algclass2doi(class), algtype2doi(class, calg));
2847 if (alg == ~0)
2848 return -1;
2849
2850 if (keylen == 0) {
2851 if (ipsec_get_keylen(sup, alg, &alg0)) {
2852 plog(ASL_LEVEL_ERR,
2853 "%s.\n", ipsec_strerror());
2854 return -1;
2855 }
2856 keylen = alg0.sadb_alg_minbits;
2857 }
2858
2859 error = ipsec_check_keylen(sup, alg, keylen);
2860 if (error)
2861 plog(ASL_LEVEL_ERR,
2862 "%s.\n", ipsec_strerror());
2863
2864 return error;
2865 }
2866
2867 /*
2868 * differences with pfkey_recv() in libipsec/pfkey.c:
2869 * - never performs busy wait loop.
2870 * - returns NULL and set *lenp to negative on fatal failures
2871 * - returns NULL and set *lenp to non-negative on non-fatal failures
2872 * - returns non-NULL on success
2873 */
2874 static struct sadb_msg *
2875 pk_recv(so, lenp)
2876 int so;
2877 ssize_t *lenp;
2878 {
2879 struct sadb_msg *newmsg;
2880 int reallen = 0;
2881 socklen_t optlen = sizeof(reallen);
2882
2883 if (getsockopt(so, SOL_SOCKET, SO_NREAD, &reallen, &optlen) < 0)
2884 return NULL; /*fatal*/
2885
2886 if (reallen == 0)
2887 return NULL;
2888
2889 if ((newmsg = racoon_calloc(1, reallen)) == NULL)
2890 return NULL;
2891
2892 while ((*lenp = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) {
2893 if (errno == EINTR)
2894 continue;
2895 plog(ASL_LEVEL_ERR, "failed to recv pfkey message: %s\n", strerror(errno));
2896 break;
2897 }
2898 if (*lenp < 0) {
2899 racoon_free(newmsg);
2900 return NULL; /*fatal*/
2901 } else if (*lenp != reallen || *lenp < sizeof(struct sadb_msg)) {
2902 racoon_free(newmsg);
2903 return NULL;
2904 }
2905
2906 return newmsg;
2907 }
2908
2909 /* see handler.h */
2910 u_int32_t
2911 pk_getseq()
2912 {
2913 return eay_random();
2914 }
2915
2916 int
2917 addnewsp(mhp)
2918 caddr_t *mhp;
2919 {
2920 struct secpolicy *new;
2921 struct sadb_address *saddr, *daddr;
2922 struct sadb_x_policy *xpl;
2923 struct sadb_ext *ext;
2924
2925 /* sanity check */
2926 if (mhp[SADB_EXT_ADDRESS_SRC] == NULL
2927 || mhp[SADB_EXT_ADDRESS_DST] == NULL
2928 || mhp[SADB_X_EXT_POLICY] == NULL) {
2929 plog(ASL_LEVEL_ERR,
2930 "inappropriate sadb spd management message passed.\n");
2931 return -1;
2932 }
2933
2934 saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
2935 daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2936
2937 xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2938 /* validity check */
2939 if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) {
2940 plog(ASL_LEVEL_ERR,
2941 "invalid msg length.\n");
2942 return -1;
2943 }
2944
2945 new = newsp();
2946 if (new == NULL) {
2947 plog(ASL_LEVEL_ERR,
2948 "failed to allocate buffer\n");
2949 return -1;
2950 }
2951
2952 new->spidx.dir = xpl->sadb_x_policy_dir;
2953 new->id = xpl->sadb_x_policy_id;
2954 new->policy = xpl->sadb_x_policy_type;
2955 new->req = NULL;
2956
2957 /* check policy */
2958 switch (xpl->sadb_x_policy_type) {
2959 case IPSEC_POLICY_DISCARD:
2960 case IPSEC_POLICY_GENERATE:
2961 case IPSEC_POLICY_NONE:
2962 case IPSEC_POLICY_ENTRUST:
2963 case IPSEC_POLICY_BYPASS:
2964 break;
2965
2966 case IPSEC_POLICY_IPSEC:
2967 {
2968 int tlen;
2969 struct sadb_x_ipsecrequest *xisr;
2970 struct ipsecrequest **p_isr = &new->req;
2971
2972 tlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
2973 xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
2974
2975 while (tlen > 0) {
2976 if (tlen < sizeof(*xisr) ||
2977 tlen < xisr->sadb_x_ipsecrequest_len) {
2978 plog(ASL_LEVEL_ERR,
2979 "invalid msg length for ipsec request.\n");
2980 return -1;
2981 }
2982
2983 /* length check */
2984 if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) {
2985 plog(ASL_LEVEL_ERR,
2986 "invalid msg length.\n");
2987 return -1;
2988 }
2989
2990 /* allocate request buffer */
2991 *p_isr = newipsecreq();
2992 if (*p_isr == NULL) {
2993 plog(ASL_LEVEL_ERR,
2994 "failed to get new ipsecreq.\n");
2995 return -1;
2996 }
2997
2998 /* set values */
2999 (*p_isr)->next = NULL;
3000
3001 switch (xisr->sadb_x_ipsecrequest_proto) {
3002 case IPPROTO_ESP:
3003 case IPPROTO_AH:
3004 case IPPROTO_IPCOMP:
3005 break;
3006 default:
3007 plog(ASL_LEVEL_ERR,
3008 "invalid proto type: %u\n",
3009 xisr->sadb_x_ipsecrequest_proto);
3010 return -1;
3011 }
3012 (*p_isr)->saidx.proto = xisr->sadb_x_ipsecrequest_proto;
3013
3014 switch (xisr->sadb_x_ipsecrequest_mode) {
3015 case IPSEC_MODE_TRANSPORT:
3016 case IPSEC_MODE_TUNNEL:
3017 break;
3018 case IPSEC_MODE_ANY:
3019 default:
3020 plog(ASL_LEVEL_ERR,
3021 "invalid mode: %u\n",
3022 xisr->sadb_x_ipsecrequest_mode);
3023 return -1;
3024 }
3025 (*p_isr)->saidx.mode = xisr->sadb_x_ipsecrequest_mode;
3026
3027 switch (xisr->sadb_x_ipsecrequest_level) {
3028 case IPSEC_LEVEL_DEFAULT:
3029 case IPSEC_LEVEL_USE:
3030 case IPSEC_LEVEL_REQUIRE:
3031 break;
3032 case IPSEC_LEVEL_UNIQUE:
3033 (*p_isr)->saidx.reqid =
3034 xisr->sadb_x_ipsecrequest_reqid;
3035 break;
3036
3037 default:
3038 plog(ASL_LEVEL_ERR,
3039 "invalid level: %u\n",
3040 xisr->sadb_x_ipsecrequest_level);
3041 return -1;
3042 }
3043 (*p_isr)->level = xisr->sadb_x_ipsecrequest_level;
3044
3045 /* set IP addresses if there */
3046 if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
3047 struct sockaddr *paddr;
3048 int rem_buf_len = xisr->sadb_x_ipsecrequest_len - sizeof(*xisr);
3049
3050 paddr = (struct sockaddr *)(xisr + 1);
3051 if (rem_buf_len < sizeof(*paddr) ||
3052 rem_buf_len < sysdep_sa_len(paddr)) {
3053 plog(ASL_LEVEL_ERR,
3054 "invalid msg length for src ip address.\n");
3055 return -1;
3056 }
3057 bcopy(paddr, &(*p_isr)->saidx.src,
3058 sysdep_sa_len(paddr));
3059
3060 rem_buf_len -= sysdep_sa_len(paddr);
3061
3062 paddr = (struct sockaddr *)((caddr_t)paddr
3063 + sysdep_sa_len(paddr));
3064 if (rem_buf_len < sizeof(*paddr) ||
3065 rem_buf_len < sysdep_sa_len(paddr)) {
3066 plog(ASL_LEVEL_ERR,
3067 "invalid msg length for dst ip address.\n");
3068 return -1;
3069 }
3070 bcopy(paddr, &(*p_isr)->saidx.dst,
3071 sysdep_sa_len(paddr));
3072 }
3073
3074 (*p_isr)->sp = new;
3075
3076 /* initialization for the next. */
3077 p_isr = &(*p_isr)->next;
3078 tlen -= xisr->sadb_x_ipsecrequest_len;
3079
3080 /* validity check */
3081 if (tlen < 0) {
3082 plog(ASL_LEVEL_ERR,
3083 "becoming tlen < 0\n");
3084 }
3085
3086 xisr = ALIGNED_CAST(struct sadb_x_ipsecrequest *)((caddr_t)xisr
3087 + xisr->sadb_x_ipsecrequest_len);
3088 }
3089 }
3090 break;
3091 default:
3092 plog(ASL_LEVEL_ERR,
3093 "invalid policy type.\n");
3094 delsp(new);
3095 return -1;
3096 }
3097
3098 #ifdef HAVE_PFKEY_POLICY_PRIORITY
3099 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
3100 saddr + 1,
3101 daddr + 1,
3102 saddr->sadb_address_prefixlen,
3103 daddr->sadb_address_prefixlen,
3104 saddr->sadb_address_proto,
3105 xpl->sadb_x_policy_priority,
3106 &new->spidx);
3107 #else
3108 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
3109 saddr + 1,
3110 daddr + 1,
3111 saddr->sadb_address_prefixlen,
3112 daddr->sadb_address_prefixlen,
3113 saddr->sadb_address_proto,
3114 &new->spidx);
3115 #endif
3116
3117 inssp(new);
3118
3119 return 0;
3120 }
3121
3122 /* proto/mode/src->dst spi */
3123 const char *
3124 sadbsecas2str(src, dst, proto, spi, mode)
3125 struct sockaddr_storage *src, *dst;
3126 int proto;
3127 u_int32_t spi;
3128 int mode;
3129 {
3130 static char buf[256];
3131 u_int doi_proto, doi_mode = 0;
3132 char *p;
3133 int blen, i;
3134
3135 doi_proto = pfkey2ipsecdoi_proto(proto);
3136 if (doi_proto == ~0)
3137 return NULL;
3138 if (mode) {
3139 doi_mode = pfkey2ipsecdoi_mode(mode);
3140 if (doi_mode == ~0)
3141 return NULL;
3142 }
3143
3144 blen = sizeof(buf) - 1;
3145 p = buf;
3146
3147 i = snprintf(p, blen, "%s%s%s ",
3148 s_ipsecdoi_proto(doi_proto),
3149 mode ? "/" : "",
3150 mode ? s_ipsecdoi_encmode(doi_mode) : "");
3151 if (i < 0 || i >= blen)
3152 return NULL;
3153 p += i;
3154 blen -= i;
3155
3156 i = snprintf(p, blen, "%s->", saddr2str((struct sockaddr *)src));
3157 if (i < 0 || i >= blen)
3158 return NULL;
3159 p += i;
3160 blen -= i;
3161
3162 i = snprintf(p, blen, "%s ", saddr2str((struct sockaddr *)dst));
3163 if (i < 0 || i >= blen)
3164 return NULL;
3165 p += i;
3166 blen -= i;
3167
3168 if (spi) {
3169 snprintf(p, blen, "spi=%lu(0x%lx)", (unsigned long)ntohl(spi),
3170 (unsigned long)ntohl(spi));
3171 }
3172
3173 return buf;
3174 }
mirror of ipsec