1 /* $NetBSD: pfkey.c,v 1.18.4.5 2008/03/05 22:14:24 mgrooms Exp $ */ 2 3 /* $Id: pfkey.c,v 1.18.4.5 2008/03/05 22:14:24 mgrooms Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "config.h" 35 36 #include <stdlib.h> 37 #include <string.h> 38 #include <stdio.h> 39 #include <netdb.h> 40 #include <errno.h> 41 #ifdef HAVE_UNISTD_H 42 #include <unistd.h> 43 #endif 44 #include <netdb.h> 45 #include <netinet/in.h> 46 #include <arpa/inet.h> 47 48 #ifdef ENABLE_NATT 49 # ifdef __linux__ 50 # include <linux/udp.h> 51 # endif 52 # if defined(__NetBSD__) || defined(__FreeBSD__) || \ 53 (defined(__APPLE__) && defined(__MACH__)) 54 # include <netinet/udp.h> 55 # endif 56 #endif 57 58 #include <sys/types.h> 59 #include <sys/param.h> 60 #include <sys/socket.h> 61 #include <sys/queue.h> 62 #ifndef ANDROID_CHANGES 63 #include <sys/sysctl.h> 64 #endif 65 66 #include <net/route.h> 67 #include <net/pfkeyv2.h> 68 69 #include <netinet/in.h> 70 #include PATH_IPSEC_H 71 #include <fcntl.h> 72 73 #include "libpfkey.h" 74 75 #include "var.h" 76 #include "misc.h" 77 #include "vmbuf.h" 78 #include "plog.h" 79 #include "sockmisc.h" 80 #include "debug.h" 81 82 #include "schedule.h" 83 #include "localconf.h" 84 #include "remoteconf.h" 85 #include "handler.h" 86 #include "policy.h" 87 #include "proposal.h" 88 #include "isakmp_var.h" 89 #include "isakmp.h" 90 #include "isakmp_inf.h" 91 #include "ipsec_doi.h" 92 #include "oakley.h" 93 #include "pfkey.h" 94 #include "algorithm.h" 95 #include "sainfo.h" 96 #include "admin.h" 97 #include "privsep.h" 98 #include "strnames.h" 99 #include "backupsa.h" 100 #include "gcmalloc.h" 101 #include "nattraversal.h" 102 #include "crypto_openssl.h" 103 #include "grabmyaddr.h" 104 105 #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC) 106 #define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC 107 #endif 108 109 /* prototype */ 110 static u_int ipsecdoi2pfkey_aalg __P((u_int)); 111 static u_int ipsecdoi2pfkey_ealg __P((u_int)); 112 static u_int ipsecdoi2pfkey_calg __P((u_int)); 113 static u_int ipsecdoi2pfkey_alg __P((u_int, u_int)); 114 static u_int keylen_aalg __P((u_int)); 115 static u_int keylen_ealg __P((u_int, int)); 116 117 static int pk_recvgetspi __P((caddr_t *)); 118 static int pk_recvupdate __P((caddr_t *)); 119 static int pk_recvadd __P((caddr_t *)); 120 static int pk_recvdelete __P((caddr_t *)); 121 static int pk_recvacquire __P((caddr_t *)); 122 static int pk_recvexpire __P((caddr_t *)); 123 static int pk_recvflush __P((caddr_t *)); 124 static int getsadbpolicy __P((caddr_t *, int *, int, struct ph2handle *)); 125 static int pk_recvspdupdate __P((caddr_t *)); 126 static int pk_recvspdadd __P((caddr_t *)); 127 static int pk_recvspddelete __P((caddr_t *)); 128 static int pk_recvspdexpire __P((caddr_t *)); 129 static int pk_recvspdget __P((caddr_t *)); 130 static int pk_recvspddump __P((caddr_t *)); 131 static int pk_recvspdflush __P((caddr_t *)); 132 static struct sadb_msg *pk_recv __P((int, int *)); 133 134 static int (*pkrecvf[]) __P((caddr_t *)) = { 135 NULL, 136 pk_recvgetspi, 137 pk_recvupdate, 138 pk_recvadd, 139 pk_recvdelete, 140 NULL, /* SADB_GET */ 141 pk_recvacquire, 142 NULL, /* SABD_REGISTER */ 143 pk_recvexpire, 144 pk_recvflush, 145 NULL, /* SADB_DUMP */ 146 NULL, /* SADB_X_PROMISC */ 147 NULL, /* SADB_X_PCHANGE */ 148 pk_recvspdupdate, 149 pk_recvspdadd, 150 pk_recvspddelete, 151 pk_recvspdget, 152 NULL, /* SADB_X_SPDACQUIRE */ 153 pk_recvspddump, 154 pk_recvspdflush, 155 NULL, /* SADB_X_SPDSETIDX */ 156 pk_recvspdexpire, 157 NULL, /* SADB_X_SPDDELETE2 */ 158 NULL, /* SADB_X_NAT_T_NEW_MAPPING */ 159 NULL, /* SADB_X_MIGRATE */ 160 #if (SADB_MAX > 24) 161 #error "SADB extra message?" 162 #endif 163 }; 164 165 static int addnewsp __P((caddr_t *)); 166 167 /* cope with old kame headers - ugly */ 168 #ifndef SADB_X_AALG_MD5 169 #define SADB_X_AALG_MD5 SADB_AALG_MD5 170 #endif 171 #ifndef SADB_X_AALG_SHA 172 #define SADB_X_AALG_SHA SADB_AALG_SHA 173 #endif 174 #ifndef SADB_X_AALG_NULL 175 #define SADB_X_AALG_NULL SADB_AALG_NULL 176 #endif 177 178 #ifndef SADB_X_EALG_BLOWFISHCBC 179 #define SADB_X_EALG_BLOWFISHCBC SADB_EALG_BLOWFISHCBC 180 #endif 181 #ifndef SADB_X_EALG_CAST128CBC 182 #define SADB_X_EALG_CAST128CBC SADB_EALG_CAST128CBC 183 #endif 184 #ifndef SADB_X_EALG_RC5CBC 185 #ifdef SADB_EALG_RC5CBC 186 #define SADB_X_EALG_RC5CBC SADB_EALG_RC5CBC 187 #endif 188 #endif 189 190 /* 191 * PF_KEY packet handler 192 * 0: success 193 * -1: fail 194 */ 195 int 196 pfkey_handler() 197 { 198 struct sadb_msg *msg; 199 int len; 200 caddr_t mhp[SADB_EXT_MAX + 1]; 201 int error = -1; 202 203 /* receive pfkey message. */ 204 len = 0; 205 msg = (struct sadb_msg *)pk_recv(lcconf->sock_pfkey, &len); 206 if (msg == NULL) { 207 if (len < 0) { 208 plog(LLV_ERROR, LOCATION, NULL, 209 "failed to recv from pfkey (%s)\n", 210 strerror(errno)); 211 goto end; 212 } else { 213 /* short message - msg not ready */ 214 return 0; 215 } 216 } 217 218 plog(LLV_DEBUG, LOCATION, NULL, "get pfkey %s message\n", 219 s_pfkey_type(msg->sadb_msg_type)); 220 plogdump(LLV_DEBUG2, msg, msg->sadb_msg_len << 3); 221 222 /* validity check */ 223 if (msg->sadb_msg_errno) { 224 int pri; 225 226 /* when SPD is empty, treat the state as no error. */ 227 if (msg->sadb_msg_type == SADB_X_SPDDUMP && 228 msg->sadb_msg_errno == ENOENT) 229 pri = LLV_DEBUG; 230 else 231 pri = LLV_ERROR; 232 233 plog(pri, LOCATION, NULL, 234 "pfkey %s failed: %s\n", 235 s_pfkey_type(msg->sadb_msg_type), 236 strerror(msg->sadb_msg_errno)); 237 238 goto end; 239 } 240 241 /* check pfkey message. */ 242 if (pfkey_align(msg, mhp)) { 243 plog(LLV_ERROR, LOCATION, NULL, 244 "libipsec failed pfkey align (%s)\n", 245 ipsec_strerror()); 246 goto end; 247 } 248 if (pfkey_check(mhp)) { 249 plog(LLV_ERROR, LOCATION, NULL, 250 "libipsec failed pfkey check (%s)\n", 251 ipsec_strerror()); 252 goto end; 253 } 254 msg = (struct sadb_msg *)mhp[0]; 255 256 /* safety check */ 257 if (msg->sadb_msg_type >= ARRAYLEN(pkrecvf)) { 258 plog(LLV_ERROR, LOCATION, NULL, 259 "unknown PF_KEY message type=%u\n", 260 msg->sadb_msg_type); 261 goto end; 262 } 263 264 if (pkrecvf[msg->sadb_msg_type] == NULL) { 265 plog(LLV_INFO, LOCATION, NULL, 266 "unsupported PF_KEY message %s\n", 267 s_pfkey_type(msg->sadb_msg_type)); 268 goto end; 269 } 270 271 if ((pkrecvf[msg->sadb_msg_type])(mhp) < 0) 272 goto end; 273 274 error = 0; 275 end: 276 if (msg) 277 racoon_free(msg); 278 return(error); 279 } 280 281 /* 282 * dump SADB 283 */ 284 vchar_t * 285 pfkey_dump_sadb(satype) 286 int satype; 287 { 288 int s = -1; 289 vchar_t *buf = NULL; 290 pid_t pid = getpid(); 291 struct sadb_msg *msg = NULL; 292 size_t bl, ml; 293 int len; 294 295 if ((s = privsep_pfkey_open()) < 0) { 296 plog(LLV_ERROR, LOCATION, NULL, 297 "libipsec failed pfkey open: %s\n", 298 ipsec_strerror()); 299 return NULL; 300 } 301 302 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_dump\n"); 303 if (pfkey_send_dump(s, satype) < 0) { 304 plog(LLV_ERROR, LOCATION, NULL, 305 "libipsec failed dump: %s\n", ipsec_strerror()); 306 goto fail; 307 } 308 309 while (1) { 310 if (msg) 311 racoon_free(msg); 312 msg = pk_recv(s, &len); 313 if (msg == NULL) { 314 if (len < 0) 315 goto done; 316 else 317 continue; 318 } 319 320 if (msg->sadb_msg_type != SADB_DUMP || msg->sadb_msg_pid != pid) 321 { 322 plog(LLV_DEBUG, LOCATION, NULL, 323 "discarding non-sadb dump msg %p, our pid=%i\n", msg, pid); 324 plog(LLV_DEBUG, LOCATION, NULL, 325 "type %i, pid %i\n", msg->sadb_msg_type, msg->sadb_msg_pid); 326 continue; 327 } 328 329 330 ml = msg->sadb_msg_len << 3; 331 bl = buf ? buf->l : 0; 332 buf = vrealloc(buf, bl + ml); 333 if (buf == NULL) { 334 plog(LLV_ERROR, LOCATION, NULL, 335 "failed to reallocate buffer to dump.\n"); 336 goto fail; 337 } 338 memcpy(buf->v + bl, msg, ml); 339 340 if (msg->sadb_msg_seq == 0) 341 break; 342 } 343 goto done; 344 345 fail: 346 if (buf) 347 vfree(buf); 348 buf = NULL; 349 done: 350 if (msg) 351 racoon_free(msg); 352 if (s >= 0) 353 privsep_pfkey_close(s); 354 return buf; 355 } 356 357 #ifdef ENABLE_ADMINPORT 358 /* 359 * flush SADB 360 */ 361 void 362 pfkey_flush_sadb(proto) 363 u_int proto; 364 { 365 int satype; 366 367 /* convert to SADB_SATYPE */ 368 if ((satype = admin2pfkey_proto(proto)) < 0) 369 return; 370 371 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_flush\n"); 372 if (pfkey_send_flush(lcconf->sock_pfkey, satype) < 0) { 373 plog(LLV_ERROR, LOCATION, NULL, 374 "libipsec failed send flush (%s)\n", ipsec_strerror()); 375 return; 376 } 377 378 return; 379 } 380 #endif 381 382 /* 383 * These are the SATYPEs that we manage. We register to get 384 * PF_KEY messages related to these SATYPEs, and we also use 385 * this list to determine which SATYPEs to delete SAs for when 386 * we receive an INITIAL-CONTACT. 387 */ 388 const struct pfkey_satype pfkey_satypes[] = { 389 { SADB_SATYPE_AH, "AH" }, 390 { SADB_SATYPE_ESP, "ESP" }, 391 { SADB_X_SATYPE_IPCOMP, "IPCOMP" }, 392 }; 393 const int pfkey_nsatypes = 394 sizeof(pfkey_satypes) / sizeof(pfkey_satypes[0]); 395 396 /* 397 * PF_KEY initialization 398 */ 399 int 400 pfkey_init() 401 { 402 int i, reg_fail; 403 404 if ((lcconf->sock_pfkey = privsep_pfkey_open()) < 0) { 405 plog(LLV_ERROR, LOCATION, NULL, 406 "libipsec failed pfkey open (%s)\n", ipsec_strerror()); 407 return -1; 408 } 409 if (fcntl(lcconf->sock_pfkey, F_SETFL, O_NONBLOCK) == -1) 410 plog(LLV_WARNING, LOCATION, NULL, 411 "failed to set the pfkey socket to NONBLOCK\n"); 412 413 for (i = 0, reg_fail = 0; i < pfkey_nsatypes; i++) { 414 plog(LLV_DEBUG, LOCATION, NULL, 415 "call pfkey_send_register for %s\n", 416 pfkey_satypes[i].ps_name); 417 if (pfkey_send_register(lcconf->sock_pfkey, 418 pfkey_satypes[i].ps_satype) < 0 || 419 pfkey_recv_register(lcconf->sock_pfkey) < 0) { 420 plog(LLV_WARNING, LOCATION, NULL, 421 "failed to register %s (%s)\n", 422 pfkey_satypes[i].ps_name, 423 ipsec_strerror()); 424 reg_fail++; 425 } 426 } 427 428 if (reg_fail == pfkey_nsatypes) { 429 plog(LLV_ERROR, LOCATION, NULL, 430 "failed to regist any protocol.\n"); 431 pfkey_close(lcconf->sock_pfkey); 432 return -1; 433 } 434 435 initsp(); 436 437 if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) { 438 plog(LLV_ERROR, LOCATION, NULL, 439 "libipsec sending spddump failed: %s\n", 440 ipsec_strerror()); 441 pfkey_close(lcconf->sock_pfkey); 442 return -1; 443 } 444 #if 0 445 if (pfkey_promisc_toggle(1) < 0) { 446 pfkey_close(lcconf->sock_pfkey); 447 return -1; 448 } 449 #endif 450 return 0; 451 } 452 453 /* %%% for conversion */ 454 /* IPSECDOI_ATTR_AUTH -> SADB_AALG */ 455 static u_int 456 ipsecdoi2pfkey_aalg(hashtype) 457 u_int hashtype; 458 { 459 switch (hashtype) { 460 case IPSECDOI_ATTR_AUTH_HMAC_MD5: 461 return SADB_AALG_MD5HMAC; 462 case IPSECDOI_ATTR_AUTH_HMAC_SHA1: 463 return SADB_AALG_SHA1HMAC; 464 case IPSECDOI_ATTR_AUTH_HMAC_SHA2_256: 465 #if (defined SADB_X_AALG_SHA2_256) && !defined(SADB_X_AALG_SHA2_256HMAC) 466 return SADB_X_AALG_SHA2_256; 467 #else 468 return SADB_X_AALG_SHA2_256HMAC; 469 #endif 470 case IPSECDOI_ATTR_AUTH_HMAC_SHA2_384: 471 #if (defined SADB_X_AALG_SHA2_384) && !defined(SADB_X_AALG_SHA2_384HMAC) 472 return SADB_X_AALG_SHA2_384; 473 #else 474 return SADB_X_AALG_SHA2_384HMAC; 475 #endif 476 case IPSECDOI_ATTR_AUTH_HMAC_SHA2_512: 477 #if (defined SADB_X_AALG_SHA2_512) && !defined(SADB_X_AALG_SHA2_512HMAC) 478 return SADB_X_AALG_SHA2_512; 479 #else 480 return SADB_X_AALG_SHA2_512HMAC; 481 #endif 482 case IPSECDOI_ATTR_AUTH_KPDK: /* need special care */ 483 return SADB_AALG_NONE; 484 485 /* not supported */ 486 case IPSECDOI_ATTR_AUTH_DES_MAC: 487 plog(LLV_ERROR, LOCATION, NULL, 488 "Not supported hash type: %u\n", hashtype); 489 return ~0; 490 491 case 0: /* reserved */ 492 default: 493 return SADB_AALG_NONE; 494 495 plog(LLV_ERROR, LOCATION, NULL, 496 "Invalid hash type: %u\n", hashtype); 497 return ~0; 498 } 499 /*NOTREACHED*/ 500 } 501 502 /* IPSECDOI_ESP -> SADB_EALG */ 503 static u_int 504 ipsecdoi2pfkey_ealg(t_id) 505 u_int t_id; 506 { 507 switch (t_id) { 508 case IPSECDOI_ESP_DES_IV64: /* sa_flags |= SADB_X_EXT_OLD */ 509 return SADB_EALG_DESCBC; 510 case IPSECDOI_ESP_DES: 511 return SADB_EALG_DESCBC; 512 case IPSECDOI_ESP_3DES: 513 return SADB_EALG_3DESCBC; 514 #ifdef SADB_X_EALG_RC5CBC 515 case IPSECDOI_ESP_RC5: 516 return SADB_X_EALG_RC5CBC; 517 #endif 518 case IPSECDOI_ESP_CAST: 519 return SADB_X_EALG_CAST128CBC; 520 case IPSECDOI_ESP_BLOWFISH: 521 return SADB_X_EALG_BLOWFISHCBC; 522 case IPSECDOI_ESP_DES_IV32: /* flags |= (SADB_X_EXT_OLD| 523 SADB_X_EXT_IV4B)*/ 524 return SADB_EALG_DESCBC; 525 case IPSECDOI_ESP_NULL: 526 return SADB_EALG_NULL; 527 #ifdef SADB_X_EALG_AESCBC 528 case IPSECDOI_ESP_AES: 529 return SADB_X_EALG_AESCBC; 530 #endif 531 #ifdef SADB_X_EALG_TWOFISHCBC 532 case IPSECDOI_ESP_TWOFISH: 533 return SADB_X_EALG_TWOFISHCBC; 534 #endif 535 #ifdef SADB_X_EALG_CAMELLIACBC 536 case IPSECDOI_ESP_CAMELLIA: 537 return SADB_X_EALG_CAMELLIACBC; 538 #endif 539 540 /* not supported */ 541 case IPSECDOI_ESP_3IDEA: 542 case IPSECDOI_ESP_IDEA: 543 case IPSECDOI_ESP_RC4: 544 plog(LLV_ERROR, LOCATION, NULL, 545 "Not supported transform: %u\n", t_id); 546 return ~0; 547 548 case 0: /* reserved */ 549 default: 550 plog(LLV_ERROR, LOCATION, NULL, 551 "Invalid transform id: %u\n", t_id); 552 return ~0; 553 } 554 /*NOTREACHED*/ 555 } 556 557 /* IPCOMP -> SADB_CALG */ 558 static u_int 559 ipsecdoi2pfkey_calg(t_id) 560 u_int t_id; 561 { 562 switch (t_id) { 563 case IPSECDOI_IPCOMP_OUI: 564 return SADB_X_CALG_OUI; 565 case IPSECDOI_IPCOMP_DEFLATE: 566 return SADB_X_CALG_DEFLATE; 567 case IPSECDOI_IPCOMP_LZS: 568 return SADB_X_CALG_LZS; 569 570 case 0: /* reserved */ 571 default: 572 plog(LLV_ERROR, LOCATION, NULL, 573 "Invalid transform id: %u\n", t_id); 574 return ~0; 575 } 576 /*NOTREACHED*/ 577 } 578 579 /* IPSECDOI_PROTO -> SADB_SATYPE */ 580 u_int 581 ipsecdoi2pfkey_proto(proto) 582 u_int proto; 583 { 584 switch (proto) { 585 case IPSECDOI_PROTO_IPSEC_AH: 586 return SADB_SATYPE_AH; 587 case IPSECDOI_PROTO_IPSEC_ESP: 588 return SADB_SATYPE_ESP; 589 case IPSECDOI_PROTO_IPCOMP: 590 return SADB_X_SATYPE_IPCOMP; 591 592 default: 593 plog(LLV_ERROR, LOCATION, NULL, 594 "Invalid ipsec_doi proto: %u\n", proto); 595 return ~0; 596 } 597 /*NOTREACHED*/ 598 } 599 600 static u_int 601 ipsecdoi2pfkey_alg(algclass, type) 602 u_int algclass, type; 603 { 604 switch (algclass) { 605 case IPSECDOI_ATTR_AUTH: 606 return ipsecdoi2pfkey_aalg(type); 607 case IPSECDOI_PROTO_IPSEC_ESP: 608 return ipsecdoi2pfkey_ealg(type); 609 case IPSECDOI_PROTO_IPCOMP: 610 return ipsecdoi2pfkey_calg(type); 611 default: 612 plog(LLV_ERROR, LOCATION, NULL, 613 "Invalid ipsec_doi algclass: %u\n", algclass); 614 return ~0; 615 } 616 /*NOTREACHED*/ 617 } 618 619 /* SADB_SATYPE -> IPSECDOI_PROTO */ 620 u_int 621 pfkey2ipsecdoi_proto(satype) 622 u_int satype; 623 { 624 switch (satype) { 625 case SADB_SATYPE_AH: 626 return IPSECDOI_PROTO_IPSEC_AH; 627 case SADB_SATYPE_ESP: 628 return IPSECDOI_PROTO_IPSEC_ESP; 629 case SADB_X_SATYPE_IPCOMP: 630 return IPSECDOI_PROTO_IPCOMP; 631 632 default: 633 plog(LLV_ERROR, LOCATION, NULL, 634 "Invalid pfkey proto: %u\n", satype); 635 return ~0; 636 } 637 /*NOTREACHED*/ 638 } 639 640 /* IPSECDOI_ATTR_ENC_MODE -> IPSEC_MODE */ 641 u_int 642 ipsecdoi2pfkey_mode(mode) 643 u_int mode; 644 { 645 switch (mode) { 646 case IPSECDOI_ATTR_ENC_MODE_TUNNEL: 647 #ifdef ENABLE_NATT 648 case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC: 649 case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT: 650 #endif 651 return IPSEC_MODE_TUNNEL; 652 case IPSECDOI_ATTR_ENC_MODE_TRNS: 653 #ifdef ENABLE_NATT 654 case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC: 655 case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT: 656 #endif 657 return IPSEC_MODE_TRANSPORT; 658 default: 659 plog(LLV_ERROR, LOCATION, NULL, "Invalid mode type: %u\n", mode); 660 return ~0; 661 } 662 /*NOTREACHED*/ 663 } 664 665 /* IPSECDOI_ATTR_ENC_MODE -> IPSEC_MODE */ 666 u_int 667 pfkey2ipsecdoi_mode(mode) 668 u_int mode; 669 { 670 switch (mode) { 671 case IPSEC_MODE_TUNNEL: 672 return IPSECDOI_ATTR_ENC_MODE_TUNNEL; 673 case IPSEC_MODE_TRANSPORT: 674 return IPSECDOI_ATTR_ENC_MODE_TRNS; 675 case IPSEC_MODE_ANY: 676 return IPSECDOI_ATTR_ENC_MODE_ANY; 677 default: 678 plog(LLV_ERROR, LOCATION, NULL, "Invalid mode type: %u\n", mode); 679 return ~0; 680 } 681 /*NOTREACHED*/ 682 } 683 684 /* default key length for encryption algorithm */ 685 static u_int 686 keylen_aalg(hashtype) 687 u_int hashtype; 688 { 689 int res; 690 691 if (hashtype == 0) 692 return SADB_AALG_NONE; 693 694 res = alg_ipsec_hmacdef_hashlen(hashtype); 695 if (res == -1) { 696 plog(LLV_ERROR, LOCATION, NULL, 697 "invalid hmac algorithm %u.\n", hashtype); 698 return ~0; 699 } 700 return res; 701 } 702 703 /* default key length for encryption algorithm */ 704 static u_int 705 keylen_ealg(enctype, encklen) 706 u_int enctype; 707 int encklen; 708 { 709 int res; 710 711 res = alg_ipsec_encdef_keylen(enctype, encklen); 712 if (res == -1) { 713 plog(LLV_ERROR, LOCATION, NULL, 714 "invalid encryption algorithm %u.\n", enctype); 715 return ~0; 716 } 717 return res; 718 } 719 720 int 721 pfkey_convertfromipsecdoi(proto_id, t_id, hashtype, 722 e_type, e_keylen, a_type, a_keylen, flags) 723 u_int proto_id; 724 u_int t_id; 725 u_int hashtype; 726 u_int *e_type; 727 u_int *e_keylen; 728 u_int *a_type; 729 u_int *a_keylen; 730 u_int *flags; 731 { 732 *flags = 0; 733 switch (proto_id) { 734 case IPSECDOI_PROTO_IPSEC_ESP: 735 if ((*e_type = ipsecdoi2pfkey_ealg(t_id)) == ~0) 736 goto bad; 737 if ((*e_keylen = keylen_ealg(t_id, *e_keylen)) == ~0) 738 goto bad; 739 *e_keylen >>= 3; 740 741 if ((*a_type = ipsecdoi2pfkey_aalg(hashtype)) == ~0) 742 goto bad; 743 if ((*a_keylen = keylen_aalg(hashtype)) == ~0) 744 goto bad; 745 *a_keylen >>= 3; 746 747 if (*e_type == SADB_EALG_NONE) { 748 plog(LLV_ERROR, LOCATION, NULL, "no ESP algorithm.\n"); 749 goto bad; 750 } 751 break; 752 753 case IPSECDOI_PROTO_IPSEC_AH: 754 if ((*a_type = ipsecdoi2pfkey_aalg(hashtype)) == ~0) 755 goto bad; 756 if ((*a_keylen = keylen_aalg(hashtype)) == ~0) 757 goto bad; 758 *a_keylen >>= 3; 759 760 if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5 761 && hashtype == IPSECDOI_ATTR_AUTH_KPDK) { 762 /* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */ 763 *a_type = SADB_X_AALG_MD5; 764 *flags |= SADB_X_EXT_OLD; 765 } 766 *e_type = SADB_EALG_NONE; 767 *e_keylen = 0; 768 if (*a_type == SADB_AALG_NONE) { 769 plog(LLV_ERROR, LOCATION, NULL, "no AH algorithm.\n"); 770 goto bad; 771 } 772 break; 773 774 case IPSECDOI_PROTO_IPCOMP: 775 if ((*e_type = ipsecdoi2pfkey_calg(t_id)) == ~0) 776 goto bad; 777 *e_keylen = 0; 778 779 *flags = SADB_X_EXT_RAWCPI; 780 781 *a_type = SADB_AALG_NONE; 782 *a_keylen = 0; 783 if (*e_type == SADB_X_CALG_NONE) { 784 plog(LLV_ERROR, LOCATION, NULL, "no IPCOMP algorithm.\n"); 785 goto bad; 786 } 787 break; 788 789 default: 790 plog(LLV_ERROR, LOCATION, NULL, "unknown IPsec protocol.\n"); 791 goto bad; 792 } 793 794 return 0; 795 796 bad: 797 errno = EINVAL; 798 return -1; 799 } 800 801 /* called from scheduler */ 802 void 803 pfkey_timeover_stub(p) 804 void *p; 805 { 806 807 pfkey_timeover((struct ph2handle *)p); 808 } 809 810 void 811 pfkey_timeover(iph2) 812 struct ph2handle *iph2; 813 { 814 plog(LLV_ERROR, LOCATION, NULL, 815 "%s give up to get IPsec-SA due to time up to wait.\n", 816 saddrwop2str(iph2->dst)); 817 SCHED_KILL(iph2->sce); 818 819 /* If initiator side, send error to kernel by SADB_ACQUIRE. */ 820 if (iph2->side == INITIATOR) 821 pk_sendeacquire(iph2); 822 823 unbindph12(iph2); 824 remph2(iph2); 825 delph2(iph2); 826 827 return; 828 } 829 830 /*%%%*/ 831 /* send getspi message per ipsec protocol per remote address */ 832 /* 833 * the local address and remote address in ph1handle are dealed 834 * with destination address and source address respectively. 835 * Because SPI is decided by responder. 836 */ 837 int 838 pk_sendgetspi(iph2) 839 struct ph2handle *iph2; 840 { 841 struct sockaddr *src = NULL, *dst = NULL; 842 u_int satype, mode; 843 struct saprop *pp; 844 struct saproto *pr; 845 u_int32_t minspi, maxspi; 846 int proxy = 0; 847 848 if (iph2->side == INITIATOR) { 849 pp = iph2->proposal; 850 proxy = iph2->ph1->rmconf->support_proxy; 851 } else { 852 pp = iph2->approval; 853 if (iph2->sainfo && iph2->sainfo->id_i) 854 proxy = 1; 855 } 856 857 /* for mobile IPv6 */ 858 if (proxy && iph2->src_id && iph2->dst_id && 859 ipsecdoi_transportmode(pp)) { 860 src = iph2->src_id; 861 dst = iph2->dst_id; 862 } else { 863 src = iph2->src; 864 dst = iph2->dst; 865 } 866 867 for (pr = pp->head; pr != NULL; pr = pr->next) { 868 869 /* validity check */ 870 satype = ipsecdoi2pfkey_proto(pr->proto_id); 871 if (satype == ~0) { 872 plog(LLV_ERROR, LOCATION, NULL, 873 "invalid proto_id %d\n", pr->proto_id); 874 return -1; 875 } 876 /* this works around a bug in Linux kernel where it allocates 4 byte 877 spi's for IPCOMP */ 878 else if (satype == SADB_X_SATYPE_IPCOMP) { 879 minspi = 0x100; 880 maxspi = 0xffff; 881 } 882 else { 883 minspi = 0; 884 maxspi = 0; 885 } 886 mode = ipsecdoi2pfkey_mode(pr->encmode); 887 if (mode == ~0) { 888 plog(LLV_ERROR, LOCATION, NULL, 889 "invalid encmode %d\n", pr->encmode); 890 return -1; 891 } 892 893 #ifdef ENABLE_NATT 894 /* XXX should we do a copy of src/dst for each pr ? 895 */ 896 if (! pr->udp_encap) { 897 /* Remove port information, that SA doesn't use it */ 898 set_port(src, 0); 899 set_port(dst, 0); 900 } 901 #endif 902 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n"); 903 if (pfkey_send_getspi( 904 lcconf->sock_pfkey, 905 satype, 906 mode, 907 dst, /* src of SA */ 908 src, /* dst of SA */ 909 minspi, maxspi, 910 pr->reqid_in, iph2->seq) < 0) { 911 plog(LLV_ERROR, LOCATION, NULL, 912 "ipseclib failed send getspi (%s)\n", 913 ipsec_strerror()); 914 return -1; 915 } 916 plog(LLV_DEBUG, LOCATION, NULL, 917 "pfkey GETSPI sent: %s\n", 918 sadbsecas2str(dst, src, satype, 0, mode)); 919 } 920 921 return 0; 922 } 923 924 /* 925 * receive GETSPI from kernel. 926 */ 927 static int 928 pk_recvgetspi(mhp) 929 caddr_t *mhp; 930 { 931 struct sadb_msg *msg; 932 struct sadb_sa *sa; 933 struct ph2handle *iph2; 934 struct sockaddr *dst; 935 int proto_id; 936 int allspiok, notfound; 937 struct saprop *pp; 938 struct saproto *pr; 939 940 /* validity check */ 941 if (mhp[SADB_EXT_SA] == NULL 942 || mhp[SADB_EXT_ADDRESS_DST] == NULL) { 943 plog(LLV_ERROR, LOCATION, NULL, 944 "inappropriate sadb getspi message passed.\n"); 945 return -1; 946 } 947 msg = (struct sadb_msg *)mhp[0]; 948 sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; 949 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); /* note SA dir */ 950 951 /* the message has to be processed or not ? */ 952 if (msg->sadb_msg_pid != getpid()) { 953 plog(LLV_DEBUG, LOCATION, NULL, 954 "%s message is not interesting " 955 "because pid %d is not mine.\n", 956 s_pfkey_type(msg->sadb_msg_type), 957 msg->sadb_msg_pid); 958 return -1; 959 } 960 961 iph2 = getph2byseq(msg->sadb_msg_seq); 962 if (iph2 == NULL) { 963 plog(LLV_DEBUG, LOCATION, NULL, 964 "seq %d of %s message not interesting.\n", 965 msg->sadb_msg_seq, 966 s_pfkey_type(msg->sadb_msg_type)); 967 return -1; 968 } 969 970 if (iph2->status != PHASE2ST_GETSPISENT) { 971 plog(LLV_ERROR, LOCATION, NULL, 972 "status mismatch (db:%d msg:%d)\n", 973 iph2->status, PHASE2ST_GETSPISENT); 974 return -1; 975 } 976 977 /* set SPI, and check to get all spi whether or not */ 978 allspiok = 1; 979 notfound = 1; 980 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); 981 pp = iph2->side == INITIATOR ? iph2->proposal : iph2->approval; 982 983 for (pr = pp->head; pr != NULL; pr = pr->next) { 984 if (pr->proto_id == proto_id && pr->spi == 0) { 985 pr->spi = sa->sadb_sa_spi; 986 notfound = 0; 987 plog(LLV_DEBUG, LOCATION, NULL, 988 "pfkey GETSPI succeeded: %s\n", 989 sadbsecas2str(iph2->dst, iph2->src, 990 msg->sadb_msg_satype, 991 sa->sadb_sa_spi, 992 ipsecdoi2pfkey_mode(pr->encmode))); 993 } 994 if (pr->spi == 0) 995 allspiok = 0; /* not get all spi */ 996 } 997 998 if (notfound) { 999 plog(LLV_ERROR, LOCATION, NULL, 1000 "get spi for unknown address %s\n", 1001 saddrwop2str(iph2->dst)); 1002 return -1; 1003 } 1004 1005 if (allspiok) { 1006 /* update status */ 1007 iph2->status = PHASE2ST_GETSPIDONE; 1008 if (isakmp_post_getspi(iph2) < 0) { 1009 plog(LLV_ERROR, LOCATION, NULL, 1010 "failed to start post getspi.\n"); 1011 unbindph12(iph2); 1012 remph2(iph2); 1013 delph2(iph2); 1014 iph2 = NULL; 1015 return -1; 1016 } 1017 } 1018 1019 return 0; 1020 } 1021 1022 /* 1023 * set inbound SA 1024 */ 1025 int 1026 pk_sendupdate(iph2) 1027 struct ph2handle *iph2; 1028 { 1029 struct saproto *pr; 1030 struct pfkey_send_sa_args sa_args; 1031 int proxy = 0; 1032 1033 /* sanity check */ 1034 if (iph2->approval == NULL) { 1035 plog(LLV_ERROR, LOCATION, NULL, 1036 "no approvaled SAs found.\n"); 1037 } 1038 1039 if (iph2->side == INITIATOR) 1040 proxy = iph2->ph1->rmconf->support_proxy; 1041 else if (iph2->sainfo && iph2->sainfo->id_i) 1042 proxy = 1; 1043 1044 /* fill in some needed for pfkey_send_update2 */ 1045 memset (&sa_args, 0, sizeof (sa_args)); 1046 sa_args.so = lcconf->sock_pfkey; 1047 sa_args.l_addtime = iph2->approval->lifetime; 1048 sa_args.seq = iph2->seq; 1049 sa_args.wsize = 4; 1050 1051 /* for mobile IPv6 */ 1052 if (proxy && iph2->src_id && iph2->dst_id && 1053 ipsecdoi_transportmode(iph2->approval)) { 1054 sa_args.dst = iph2->src_id; 1055 sa_args.src = iph2->dst_id; 1056 } else { 1057 sa_args.dst = iph2->src; 1058 sa_args.src = iph2->dst; 1059 } 1060 1061 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) { 1062 /* validity check */ 1063 sa_args.satype = ipsecdoi2pfkey_proto(pr->proto_id); 1064 if (sa_args.satype == ~0) { 1065 plog(LLV_ERROR, LOCATION, NULL, 1066 "invalid proto_id %d\n", pr->proto_id); 1067 return -1; 1068 } 1069 else if (sa_args.satype == SADB_X_SATYPE_IPCOMP) { 1070 /* IPCOMP has no replay window */ 1071 sa_args.wsize = 0; 1072 } 1073 #ifdef ENABLE_SAMODE_UNSPECIFIED 1074 sa_args.mode = IPSEC_MODE_ANY; 1075 #else 1076 sa_args.mode = ipsecdoi2pfkey_mode(pr->encmode); 1077 if (sa_args.mode == ~0) { 1078 plog(LLV_ERROR, LOCATION, NULL, 1079 "invalid encmode %d\n", pr->encmode); 1080 return -1; 1081 } 1082 #endif 1083 /* set algorithm type and key length */ 1084 sa_args.e_keylen = pr->head->encklen; 1085 if (pfkey_convertfromipsecdoi( 1086 pr->proto_id, 1087 pr->head->trns_id, 1088 pr->head->authtype, 1089 &sa_args.e_type, &sa_args.e_keylen, 1090 &sa_args.a_type, &sa_args.a_keylen, 1091 &sa_args.flags) < 0) 1092 return -1; 1093 1094 #if 0 1095 sa_args.l_bytes = iph2->approval->lifebyte * 1024, 1096 #else 1097 sa_args.l_bytes = 0; 1098 #endif 1099 1100 #ifdef HAVE_SECCTX 1101 if (*iph2->approval->sctx.ctx_str) { 1102 sa_args.ctxdoi = iph2->approval->sctx.ctx_doi; 1103 sa_args.ctxalg = iph2->approval->sctx.ctx_alg; 1104 sa_args.ctxstrlen = iph2->approval->sctx.ctx_strlen; 1105 sa_args.ctxstr = iph2->approval->sctx.ctx_str; 1106 } 1107 #endif /* HAVE_SECCTX */ 1108 1109 #ifdef ENABLE_NATT 1110 if (pr->udp_encap) { 1111 sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type; 1112 sa_args.l_natt_sport = extract_port (iph2->ph1->remote); 1113 sa_args.l_natt_dport = extract_port (iph2->ph1->local); 1114 sa_args.l_natt_oa = NULL; // FIXME: Here comes OA!!! 1115 #ifdef SADB_X_EXT_NAT_T_FRAG 1116 sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag; 1117 #endif 1118 } else { 1119 /* Remove port information, that SA doesn't use it */ 1120 set_port(sa_args.src, 0); 1121 set_port(sa_args.dst, 0); 1122 } 1123 1124 #endif 1125 /* more info to fill in */ 1126 sa_args.spi = pr->spi; 1127 sa_args.reqid = pr->reqid_in; 1128 sa_args.keymat = pr->keymat->v; 1129 1130 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update2\n"); 1131 if (pfkey_send_update2(&sa_args) < 0) { 1132 plog(LLV_ERROR, LOCATION, NULL, 1133 "libipsec failed send update (%s)\n", 1134 ipsec_strerror()); 1135 return -1; 1136 } 1137 1138 #ifndef ANDROID_PATCHED 1139 if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]) 1140 continue; 1141 1142 /* 1143 * It maybe good idea to call backupsa_to_file() after 1144 * racoon will receive the sadb_update messages. 1145 * But it is impossible because there is not key in the 1146 * information from the kernel. 1147 */ 1148 1149 /* change some things before backing up */ 1150 sa_args.wsize = 4; 1151 sa_args.l_bytes = iph2->approval->lifebyte * 1024; 1152 1153 if (backupsa_to_file(&sa_args) < 0) { 1154 plog(LLV_ERROR, LOCATION, NULL, 1155 "backuped SA failed: %s\n", 1156 sadbsecas2str(sa_args.src, sa_args.dst, 1157 sa_args.satype, sa_args.spi, sa_args.mode)); 1158 } 1159 plog(LLV_DEBUG, LOCATION, NULL, 1160 "backuped SA: %s\n", 1161 sadbsecas2str(sa_args.src, sa_args.dst, 1162 sa_args.satype, sa_args.spi, sa_args.mode)); 1163 #endif 1164 } 1165 1166 return 0; 1167 } 1168 1169 static int 1170 pk_recvupdate(mhp) 1171 caddr_t *mhp; 1172 { 1173 struct sadb_msg *msg; 1174 struct sadb_sa *sa; 1175 struct sockaddr *src, *dst; 1176 struct ph2handle *iph2; 1177 u_int proto_id, encmode, sa_mode; 1178 int incomplete = 0; 1179 struct saproto *pr; 1180 1181 /* ignore this message because of local test mode. */ 1182 if (f_local) 1183 return 0; 1184 1185 /* sanity check */ 1186 if (mhp[0] == NULL 1187 || mhp[SADB_EXT_SA] == NULL 1188 || mhp[SADB_EXT_ADDRESS_SRC] == NULL 1189 || mhp[SADB_EXT_ADDRESS_DST] == NULL) { 1190 plog(LLV_ERROR, LOCATION, NULL, 1191 "inappropriate sadb update message passed.\n"); 1192 return -1; 1193 } 1194 msg = (struct sadb_msg *)mhp[0]; 1195 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); 1196 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); 1197 sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; 1198 1199 sa_mode = mhp[SADB_X_EXT_SA2] == NULL 1200 ? IPSEC_MODE_ANY 1201 : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode; 1202 1203 /* the message has to be processed or not ? */ 1204 if (msg->sadb_msg_pid != getpid()) { 1205 plog(LLV_DEBUG, LOCATION, NULL, 1206 "%s message is not interesting " 1207 "because pid %d is not mine.\n", 1208 s_pfkey_type(msg->sadb_msg_type), 1209 msg->sadb_msg_pid); 1210 return -1; 1211 } 1212 1213 iph2 = getph2byseq(msg->sadb_msg_seq); 1214 if (iph2 == NULL) { 1215 plog(LLV_DEBUG, LOCATION, NULL, 1216 "seq %d of %s message not interesting.\n", 1217 msg->sadb_msg_seq, 1218 s_pfkey_type(msg->sadb_msg_type)); 1219 return -1; 1220 } 1221 1222 if (iph2->status != PHASE2ST_ADDSA) { 1223 plog(LLV_ERROR, LOCATION, NULL, 1224 "status mismatch (db:%d msg:%d)\n", 1225 iph2->status, PHASE2ST_ADDSA); 1226 return -1; 1227 } 1228 1229 /* check to complete all keys ? */ 1230 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) { 1231 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); 1232 if (proto_id == ~0) { 1233 plog(LLV_ERROR, LOCATION, NULL, 1234 "invalid proto_id %d\n", msg->sadb_msg_satype); 1235 return -1; 1236 } 1237 encmode = pfkey2ipsecdoi_mode(sa_mode); 1238 if (encmode == ~0) { 1239 plog(LLV_ERROR, LOCATION, NULL, 1240 "invalid encmode %d\n", sa_mode); 1241 return -1; 1242 } 1243 1244 if (pr->proto_id == proto_id 1245 && pr->spi == sa->sadb_sa_spi) { 1246 pr->ok = 1; 1247 plog(LLV_DEBUG, LOCATION, NULL, 1248 "pfkey UPDATE succeeded: %s\n", 1249 sadbsecas2str(iph2->dst, iph2->src, 1250 msg->sadb_msg_satype, 1251 sa->sadb_sa_spi, 1252 sa_mode)); 1253 1254 plog(LLV_INFO, LOCATION, NULL, 1255 "IPsec-SA established: %s\n", 1256 sadbsecas2str(iph2->dst, iph2->src, 1257 msg->sadb_msg_satype, sa->sadb_sa_spi, 1258 sa_mode)); 1259 } 1260 1261 if (pr->ok == 0) 1262 incomplete = 1; 1263 } 1264 1265 if (incomplete) 1266 return 0; 1267 1268 /* turn off the timer for calling pfkey_timeover() */ 1269 SCHED_KILL(iph2->sce); 1270 1271 /* update status */ 1272 iph2->status = PHASE2ST_ESTABLISHED; 1273 1274 #ifdef ENABLE_STATS 1275 gettimeofday(&iph2->end, NULL); 1276 syslog(LOG_NOTICE, "%s(%s): %8.6f", 1277 "phase2", "quick", timedelta(&iph2->start, &iph2->end)); 1278 #endif 1279 1280 /* count up */ 1281 iph2->ph1->ph2cnt++; 1282 1283 /* turn off schedule */ 1284 SCHED_KILL(iph2->scr); 1285 1286 /* Force the update of ph2's ports, as there is at least one 1287 * situation where they'll mismatch with ph1's values 1288 */ 1289 1290 #ifdef ENABLE_NATT 1291 set_port(iph2->src, extract_port(iph2->ph1->local)); 1292 set_port(iph2->dst, extract_port(iph2->ph1->remote)); 1293 #endif 1294 1295 /* 1296 * since we are going to reuse the phase2 handler, we need to 1297 * remain it and refresh all the references between ph1 and ph2 to use. 1298 */ 1299 unbindph12(iph2); 1300 1301 iph2->sce = sched_new(iph2->approval->lifetime, 1302 isakmp_ph2expire_stub, iph2); 1303 1304 plog(LLV_DEBUG, LOCATION, NULL, "===\n"); 1305 return 0; 1306 } 1307 1308 /* 1309 * set outbound SA 1310 */ 1311 int 1312 pk_sendadd(iph2) 1313 struct ph2handle *iph2; 1314 { 1315 struct saproto *pr; 1316 int proxy = 0; 1317 struct pfkey_send_sa_args sa_args; 1318 1319 /* sanity check */ 1320 if (iph2->approval == NULL) { 1321 plog(LLV_ERROR, LOCATION, NULL, 1322 "no approvaled SAs found.\n"); 1323 return -1; 1324 } 1325 1326 if (iph2->side == INITIATOR) 1327 proxy = iph2->ph1->rmconf->support_proxy; 1328 else if (iph2->sainfo && iph2->sainfo->id_i) 1329 proxy = 1; 1330 1331 /* fill in some needed for pfkey_send_update2 */ 1332 memset (&sa_args, 0, sizeof (sa_args)); 1333 sa_args.so = lcconf->sock_pfkey; 1334 sa_args.l_addtime = iph2->approval->lifetime; 1335 sa_args.seq = iph2->seq; 1336 sa_args.wsize = 4; 1337 1338 /* for mobile IPv6 */ 1339 if (proxy && iph2->src_id && iph2->dst_id && 1340 ipsecdoi_transportmode(iph2->approval)) { 1341 sa_args.src = iph2->src_id; 1342 sa_args.dst = iph2->dst_id; 1343 } else { 1344 sa_args.src = iph2->src; 1345 sa_args.dst = iph2->dst; 1346 } 1347 1348 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) { 1349 /* validity check */ 1350 sa_args.satype = ipsecdoi2pfkey_proto(pr->proto_id); 1351 if (sa_args.satype == ~0) { 1352 plog(LLV_ERROR, LOCATION, NULL, 1353 "invalid proto_id %d\n", pr->proto_id); 1354 return -1; 1355 } 1356 else if (sa_args.satype == SADB_X_SATYPE_IPCOMP) { 1357 /* no replay window for IPCOMP */ 1358 sa_args.wsize = 0; 1359 } 1360 #ifdef ENABLE_SAMODE_UNSPECIFIED 1361 sa_args.mode = IPSEC_MODE_ANY; 1362 #else 1363 sa_args.mode = ipsecdoi2pfkey_mode(pr->encmode); 1364 if (sa_args.mode == ~0) { 1365 plog(LLV_ERROR, LOCATION, NULL, 1366 "invalid encmode %d\n", pr->encmode); 1367 return -1; 1368 } 1369 #endif 1370 1371 /* set algorithm type and key length */ 1372 sa_args.e_keylen = pr->head->encklen; 1373 if (pfkey_convertfromipsecdoi( 1374 pr->proto_id, 1375 pr->head->trns_id, 1376 pr->head->authtype, 1377 &sa_args.e_type, &sa_args.e_keylen, 1378 &sa_args.a_type, &sa_args.a_keylen, 1379 &sa_args.flags) < 0) 1380 return -1; 1381 1382 #if 0 1383 sa_args.l_bytes = iph2->approval->lifebyte * 1024, 1384 #else 1385 sa_args.l_bytes = 0; 1386 #endif 1387 1388 #ifdef HAVE_SECCTX 1389 if (*iph2->approval->sctx.ctx_str) { 1390 sa_args.ctxdoi = iph2->approval->sctx.ctx_doi; 1391 sa_args.ctxalg = iph2->approval->sctx.ctx_alg; 1392 sa_args.ctxstrlen = iph2->approval->sctx.ctx_strlen; 1393 sa_args.ctxstr = iph2->approval->sctx.ctx_str; 1394 } 1395 #endif /* HAVE_SECCTX */ 1396 1397 #ifdef ENABLE_NATT 1398 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add2 " 1399 "(NAT flavor)\n"); 1400 1401 if (pr->udp_encap) { 1402 sa_args.l_natt_type = UDP_ENCAP_ESPINUDP; 1403 sa_args.l_natt_sport = extract_port(iph2->ph1->local); 1404 sa_args.l_natt_dport = extract_port(iph2->ph1->remote); 1405 sa_args.l_natt_oa = NULL; // FIXME: Here comes OA!!! 1406 #ifdef SADB_X_EXT_NAT_T_FRAG 1407 sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag; 1408 #endif 1409 } else { 1410 /* Remove port information, that SA doesn't use it */ 1411 set_port(sa_args.src, 0); 1412 set_port(sa_args.dst, 0); 1413 } 1414 1415 #else 1416 /* Remove port information, it is not used without NAT-T */ 1417 set_port(sa_args.src, 0); 1418 set_port(sa_args.dst, 0); 1419 #endif 1420 1421 /* more info to fill in */ 1422 sa_args.spi = pr->spi_p; 1423 sa_args.reqid = pr->reqid_out; 1424 sa_args.keymat = pr->keymat_p->v; 1425 1426 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add2\n"); 1427 if (pfkey_send_add2(&sa_args) < 0) { 1428 plog(LLV_ERROR, LOCATION, NULL, 1429 "libipsec failed send add (%s)\n", 1430 ipsec_strerror()); 1431 return -1; 1432 } 1433 1434 #ifndef ANDROID_PATCHED 1435 if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]) 1436 continue; 1437 1438 /* 1439 * It maybe good idea to call backupsa_to_file() after 1440 * racoon will receive the sadb_update messages. 1441 * But it is impossible because there is not key in the 1442 * information from the kernel. 1443 */ 1444 if (backupsa_to_file(&sa_args) < 0) { 1445 plog(LLV_ERROR, LOCATION, NULL, 1446 "backuped SA failed: %s\n", 1447 sadbsecas2str(sa_args.src, sa_args.dst, 1448 sa_args.satype, sa_args.spi, sa_args.mode)); 1449 } 1450 plog(LLV_DEBUG, LOCATION, NULL, 1451 "backuped SA: %s\n", 1452 sadbsecas2str(sa_args.src, sa_args.dst, 1453 sa_args.satype, sa_args.spi, sa_args.mode)); 1454 #endif 1455 } 1456 return 0; 1457 } 1458 1459 static int 1460 pk_recvadd(mhp) 1461 caddr_t *mhp; 1462 { 1463 struct sadb_msg *msg; 1464 struct sadb_sa *sa; 1465 struct sockaddr *src, *dst; 1466 struct ph2handle *iph2; 1467 u_int sa_mode; 1468 1469 /* ignore this message because of local test mode. */ 1470 if (f_local) 1471 return 0; 1472 1473 /* sanity check */ 1474 if (mhp[0] == NULL 1475 || mhp[SADB_EXT_SA] == NULL 1476 || mhp[SADB_EXT_ADDRESS_SRC] == NULL 1477 || mhp[SADB_EXT_ADDRESS_DST] == NULL) { 1478 plog(LLV_ERROR, LOCATION, NULL, 1479 "inappropriate sadb add message passed.\n"); 1480 return -1; 1481 } 1482 msg = (struct sadb_msg *)mhp[0]; 1483 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); 1484 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); 1485 sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; 1486 1487 sa_mode = mhp[SADB_X_EXT_SA2] == NULL 1488 ? IPSEC_MODE_ANY 1489 : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode; 1490 1491 /* the message has to be processed or not ? */ 1492 if (msg->sadb_msg_pid != getpid()) { 1493 plog(LLV_DEBUG, LOCATION, NULL, 1494 "%s message is not interesting " 1495 "because pid %d is not mine.\n", 1496 s_pfkey_type(msg->sadb_msg_type), 1497 msg->sadb_msg_pid); 1498 return -1; 1499 } 1500 1501 iph2 = getph2byseq(msg->sadb_msg_seq); 1502 if (iph2 == NULL) { 1503 plog(LLV_DEBUG, LOCATION, NULL, 1504 "seq %d of %s message not interesting.\n", 1505 msg->sadb_msg_seq, 1506 s_pfkey_type(msg->sadb_msg_type)); 1507 return -1; 1508 } 1509 1510 /* 1511 * NOTE don't update any status of phase2 handle 1512 * because they must be updated by SADB_UPDATE message 1513 */ 1514 1515 plog(LLV_INFO, LOCATION, NULL, 1516 "IPsec-SA established: %s\n", 1517 sadbsecas2str(iph2->src, iph2->dst, 1518 msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode)); 1519 1520 plog(LLV_DEBUG, LOCATION, NULL, "===\n"); 1521 return 0; 1522 } 1523 1524 static int 1525 pk_recvexpire(mhp) 1526 caddr_t *mhp; 1527 { 1528 struct sadb_msg *msg; 1529 struct sadb_sa *sa; 1530 struct sockaddr *src, *dst; 1531 struct ph2handle *iph2; 1532 u_int proto_id, sa_mode; 1533 1534 /* sanity check */ 1535 if (mhp[0] == NULL 1536 || mhp[SADB_EXT_SA] == NULL 1537 || mhp[SADB_EXT_ADDRESS_SRC] == NULL 1538 || mhp[SADB_EXT_ADDRESS_DST] == NULL 1539 || (mhp[SADB_EXT_LIFETIME_HARD] != NULL 1540 && mhp[SADB_EXT_LIFETIME_SOFT] != NULL)) { 1541 plog(LLV_ERROR, LOCATION, NULL, 1542 "inappropriate sadb expire message passed.\n"); 1543 return -1; 1544 } 1545 msg = (struct sadb_msg *)mhp[0]; 1546 sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; 1547 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); 1548 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); 1549 1550 sa_mode = mhp[SADB_X_EXT_SA2] == NULL 1551 ? IPSEC_MODE_ANY 1552 : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode; 1553 1554 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); 1555 if (proto_id == ~0) { 1556 plog(LLV_ERROR, LOCATION, NULL, 1557 "invalid proto_id %d\n", msg->sadb_msg_satype); 1558 return -1; 1559 } 1560 1561 plog(LLV_INFO, LOCATION, NULL, 1562 "IPsec-SA expired: %s\n", 1563 sadbsecas2str(src, dst, 1564 msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode)); 1565 1566 iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); 1567 if (iph2 == NULL) { 1568 /* 1569 * Ignore it because two expire messages are come up. 1570 * phase2 handler has been deleted already when 2nd message 1571 * is received. 1572 */ 1573 plog(LLV_DEBUG, LOCATION, NULL, 1574 "no such a SA found: %s\n", 1575 sadbsecas2str(src, dst, 1576 msg->sadb_msg_satype, sa->sadb_sa_spi, 1577 sa_mode)); 1578 return 0; 1579 } 1580 if (iph2->status != PHASE2ST_ESTABLISHED) { 1581 /* 1582 * If the status is not equal to PHASE2ST_ESTABLISHED, 1583 * racoon ignores this expire message. There are two reason. 1584 * One is that the phase 2 probably starts because there is 1585 * a potential that racoon receives the acquire message 1586 * without receiving a expire message. Another is that racoon 1587 * may receive the multiple expire messages from the kernel. 1588 */ 1589 plog(LLV_WARNING, LOCATION, NULL, 1590 "the expire message is received " 1591 "but the handler has not been established.\n"); 1592 return 0; 1593 } 1594 1595 /* turn off the timer for calling isakmp_ph2expire() */ 1596 SCHED_KILL(iph2->sce); 1597 1598 iph2->status = PHASE2ST_EXPIRED; 1599 1600 /* INITIATOR, begin phase 2 exchange. */ 1601 /* allocate buffer for status management of pfkey message */ 1602 if (iph2->side == INITIATOR) { 1603 1604 initph2(iph2); 1605 1606 /* update status for re-use */ 1607 iph2->status = PHASE2ST_STATUS2; 1608 1609 /* start isakmp initiation by using ident exchange */ 1610 if (isakmp_post_acquire(iph2) < 0) { 1611 plog(LLV_ERROR, LOCATION, iph2->dst, 1612 "failed to begin ipsec sa " 1613 "re-negotication.\n"); 1614 unbindph12(iph2); 1615 remph2(iph2); 1616 delph2(iph2); 1617 return -1; 1618 } 1619 1620 return 0; 1621 /*NOTREACHED*/ 1622 } 1623 1624 /* If not received SADB_EXPIRE, INITIATOR delete ph2handle. */ 1625 /* RESPONDER always delete ph2handle, keep silent. RESPONDER doesn't 1626 * manage IPsec SA, so delete the list */ 1627 unbindph12(iph2); 1628 remph2(iph2); 1629 delph2(iph2); 1630 1631 return 0; 1632 } 1633 1634 static int 1635 pk_recvacquire(mhp) 1636 caddr_t *mhp; 1637 { 1638 struct sadb_msg *msg; 1639 struct sadb_x_policy *xpl; 1640 struct secpolicy *sp_out = NULL, *sp_in = NULL; 1641 #define MAXNESTEDSA 5 /* XXX */ 1642 struct ph2handle *iph2[MAXNESTEDSA]; 1643 struct sockaddr *src, *dst; 1644 int n; /* # of phase 2 handler */ 1645 int remoteid=0; 1646 #ifdef HAVE_SECCTX 1647 struct sadb_x_sec_ctx *m_sec_ctx; 1648 #endif /* HAVE_SECCTX */ 1649 struct policyindex spidx; 1650 1651 1652 /* ignore this message because of local test mode. */ 1653 if (f_local) 1654 return 0; 1655 1656 /* sanity check */ 1657 if (mhp[0] == NULL 1658 || mhp[SADB_EXT_ADDRESS_SRC] == NULL 1659 || mhp[SADB_EXT_ADDRESS_DST] == NULL 1660 || mhp[SADB_X_EXT_POLICY] == NULL) { 1661 plog(LLV_ERROR, LOCATION, NULL, 1662 "inappropriate sadb acquire message passed.\n"); 1663 return -1; 1664 } 1665 msg = (struct sadb_msg *)mhp[0]; 1666 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; 1667 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); 1668 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); 1669 1670 #ifdef HAVE_SECCTX 1671 m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX]; 1672 1673 if (m_sec_ctx != NULL) { 1674 plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n", 1675 m_sec_ctx->sadb_x_ctx_doi); 1676 plog(LLV_INFO, LOCATION, NULL, 1677 "security context algorithm: %u\n", 1678 m_sec_ctx->sadb_x_ctx_alg); 1679 plog(LLV_INFO, LOCATION, NULL, "security context length: %u\n", 1680 m_sec_ctx->sadb_x_ctx_len); 1681 plog(LLV_INFO, LOCATION, NULL, "security context: %s\n", 1682 ((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx))); 1683 } 1684 #endif /* HAVE_SECCTX */ 1685 1686 /* ignore if type is not IPSEC_POLICY_IPSEC */ 1687 if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) { 1688 plog(LLV_DEBUG, LOCATION, NULL, 1689 "ignore ACQUIRE message. type is not IPsec.\n"); 1690 return 0; 1691 } 1692 1693 /* ignore it if src is multicast address */ 1694 { 1695 struct sockaddr *sa = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); 1696 1697 if ((sa->sa_family == AF_INET 1698 && IN_MULTICAST(ntohl(((struct sockaddr_in *)sa)->sin_addr.s_addr))) 1699 #ifdef INET6 1700 || (sa->sa_family == AF_INET6 1701 && IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)sa)->sin6_addr)) 1702 #endif 1703 ) { 1704 plog(LLV_DEBUG, LOCATION, NULL, 1705 "ignore due to multicast address: %s.\n", 1706 saddrwop2str(sa)); 1707 return 0; 1708 } 1709 } 1710 1711 /* ignore, if we do not listen on source address */ 1712 { 1713 /* reasons behind: 1714 * - if we'll contact peer from address we do not listen - 1715 * we will be unable to complete negotiation; 1716 * - if we'll negotiate using address we're listening - 1717 * remote peer will send packets to address different 1718 * than one in the policy, so kernel will drop them; 1719 * => therefore this acquire is not for us! --Aidas 1720 */ 1721 struct sockaddr *sa = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); 1722 struct myaddrs *p; 1723 int do_listen = 0; 1724 for (p = lcconf->myaddrs; p; p = p->next) { 1725 if (!cmpsaddrwop(p->addr, sa)) { 1726 do_listen = 1; 1727 break; 1728 } 1729 } 1730 1731 if (!do_listen) { 1732 plog(LLV_DEBUG, LOCATION, NULL, 1733 "ignore because do not listen on source address : %s.\n", 1734 saddrwop2str(sa)); 1735 return 0; 1736 } 1737 } 1738 1739 /* 1740 * If there is a phase 2 handler against the policy identifier in 1741 * the acquire message, and if 1742 * 1. its state is less than PHASE2ST_ESTABLISHED, then racoon 1743 * should ignore such a acquire message because the phase 2 1744 * is just negotiating. 1745 * 2. its state is equal to PHASE2ST_ESTABLISHED, then racoon 1746 * has to prcesss such a acquire message because racoon may 1747 * lost the expire message. 1748 */ 1749 iph2[0] = getph2byid(src, dst, xpl->sadb_x_policy_id); 1750 if (iph2[0] != NULL) { 1751 if (iph2[0]->status < PHASE2ST_ESTABLISHED) { 1752 plog(LLV_DEBUG, LOCATION, NULL, 1753 "ignore the acquire because ph2 found\n"); 1754 return -1; 1755 } 1756 if (iph2[0]->status == PHASE2ST_EXPIRED) 1757 iph2[0] = NULL; 1758 /*FALLTHROUGH*/ 1759 } 1760 1761 /* search for proper policyindex */ 1762 sp_out = getspbyspid(xpl->sadb_x_policy_id); 1763 if (sp_out == NULL) { 1764 plog(LLV_ERROR, LOCATION, NULL, "no policy found: id:%d.\n", 1765 xpl->sadb_x_policy_id); 1766 return -1; 1767 } 1768 plog(LLV_DEBUG, LOCATION, NULL, 1769 "suitable outbound SP found: %s.\n", spidx2str(&sp_out->spidx)); 1770 1771 /* get inbound policy */ 1772 { 1773 1774 memset(&spidx, 0, sizeof(spidx)); 1775 spidx.dir = IPSEC_DIR_INBOUND; 1776 memcpy(&spidx.src, &sp_out->spidx.dst, sizeof(spidx.src)); 1777 memcpy(&spidx.dst, &sp_out->spidx.src, sizeof(spidx.dst)); 1778 spidx.prefs = sp_out->spidx.prefd; 1779 spidx.prefd = sp_out->spidx.prefs; 1780 spidx.ul_proto = sp_out->spidx.ul_proto; 1781 1782 #ifdef HAVE_SECCTX 1783 if (m_sec_ctx) { 1784 spidx.sec_ctx.ctx_doi = m_sec_ctx->sadb_x_ctx_doi; 1785 spidx.sec_ctx.ctx_alg = m_sec_ctx->sadb_x_ctx_alg; 1786 spidx.sec_ctx.ctx_strlen = m_sec_ctx->sadb_x_ctx_len; 1787 memcpy(spidx.sec_ctx.ctx_str, 1788 ((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)), 1789 spidx.sec_ctx.ctx_strlen); 1790 } 1791 #endif /* HAVE_SECCTX */ 1792 1793 sp_in = getsp(&spidx); 1794 if (sp_in) { 1795 plog(LLV_DEBUG, LOCATION, NULL, 1796 "suitable inbound SP found: %s.\n", 1797 spidx2str(&sp_in->spidx)); 1798 } else { 1799 plog(LLV_NOTIFY, LOCATION, NULL, 1800 "no in-bound policy found: %s\n", 1801 spidx2str(&spidx)); 1802 } 1803 } 1804 1805 memset(iph2, 0, MAXNESTEDSA); 1806 1807 n = 0; 1808 1809 /* allocate a phase 2 */ 1810 iph2[n] = newph2(); 1811 if (iph2[n] == NULL) { 1812 plog(LLV_ERROR, LOCATION, NULL, 1813 "failed to allocate phase2 entry.\n"); 1814 return -1; 1815 } 1816 iph2[n]->side = INITIATOR; 1817 iph2[n]->spid = xpl->sadb_x_policy_id; 1818 iph2[n]->satype = msg->sadb_msg_satype; 1819 iph2[n]->seq = msg->sadb_msg_seq; 1820 iph2[n]->status = PHASE2ST_STATUS2; 1821 1822 /* set end addresses of SA */ 1823 iph2[n]->dst = dupsaddr(PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST])); 1824 if (iph2[n]->dst == NULL) { 1825 delph2(iph2[n]); 1826 return -1; 1827 } 1828 iph2[n]->src = dupsaddr(PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC])); 1829 if (iph2[n]->src == NULL) { 1830 delph2(iph2[n]); 1831 return -1; 1832 } 1833 1834 plog(LLV_DEBUG, LOCATION, NULL, 1835 "new acquire %s\n", spidx2str(&sp_out->spidx)); 1836 1837 /* get sainfo */ 1838 { 1839 vchar_t *idsrc, *iddst; 1840 1841 idsrc = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.src, 1842 sp_out->spidx.prefs, sp_out->spidx.ul_proto); 1843 if (idsrc == NULL) { 1844 plog(LLV_ERROR, LOCATION, NULL, 1845 "failed to get ID for %s\n", 1846 spidx2str(&sp_out->spidx)); 1847 delph2(iph2[n]); 1848 return -1; 1849 } 1850 iddst = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.dst, 1851 sp_out->spidx.prefd, sp_out->spidx.ul_proto); 1852 if (iddst == NULL) { 1853 plog(LLV_ERROR, LOCATION, NULL, 1854 "failed to get ID for %s\n", 1855 spidx2str(&sp_out->spidx)); 1856 vfree(idsrc); 1857 delph2(iph2[n]); 1858 return -1; 1859 } 1860 { 1861 struct remoteconf *conf; 1862 conf = getrmconf(iph2[n]->dst); 1863 if (conf != NULL) 1864 remoteid=conf->ph1id; 1865 else{ 1866 plog(LLV_DEBUG, LOCATION, NULL, "Warning: no valid rmconf !\n"); 1867 remoteid=0; 1868 } 1869 } 1870 iph2[n]->sainfo = getsainfo(idsrc, iddst, NULL, remoteid); 1871 vfree(idsrc); 1872 vfree(iddst); 1873 if (iph2[n]->sainfo == NULL) { 1874 plog(LLV_ERROR, LOCATION, NULL, 1875 "failed to get sainfo.\n"); 1876 delph2(iph2[n]); 1877 return -1; 1878 /* XXX should use the algorithm list from register message */ 1879 } 1880 1881 plog(LLV_DEBUG, LOCATION, NULL, 1882 "selected sainfo: %s\n", sainfo2str(iph2[n]->sainfo)); 1883 } 1884 1885 if (set_proposal_from_policy(iph2[n], sp_out, sp_in) < 0) { 1886 plog(LLV_ERROR, LOCATION, NULL, 1887 "failed to create saprop.\n"); 1888 delph2(iph2[n]); 1889 return -1; 1890 } 1891 #ifdef HAVE_SECCTX 1892 if (m_sec_ctx) { 1893 set_secctx_in_proposal(iph2[n], spidx); 1894 } 1895 #endif /* HAVE_SECCTX */ 1896 1897 insph2(iph2[n]); 1898 1899 /* start isakmp initiation by using ident exchange */ 1900 /* XXX should be looped if there are multiple phase 2 handler. */ 1901 if (isakmp_post_acquire(iph2[n]) < 0) { 1902 plog(LLV_ERROR, LOCATION, NULL, 1903 "failed to begin ipsec sa negotication.\n"); 1904 goto err; 1905 } 1906 1907 return 0; 1908 1909 err: 1910 while (n >= 0) { 1911 unbindph12(iph2[n]); 1912 remph2(iph2[n]); 1913 delph2(iph2[n]); 1914 iph2[n] = NULL; 1915 n--; 1916 } 1917 return -1; 1918 } 1919 1920 static int 1921 pk_recvdelete(mhp) 1922 caddr_t *mhp; 1923 { 1924 struct sadb_msg *msg; 1925 struct sadb_sa *sa; 1926 struct sockaddr *src, *dst; 1927 struct ph2handle *iph2 = NULL; 1928 u_int proto_id; 1929 1930 /* ignore this message because of local test mode. */ 1931 if (f_local) 1932 return 0; 1933 1934 /* sanity check */ 1935 if (mhp[0] == NULL 1936 || mhp[SADB_EXT_SA] == NULL 1937 || mhp[SADB_EXT_ADDRESS_SRC] == NULL 1938 || mhp[SADB_EXT_ADDRESS_DST] == NULL) { 1939 plog(LLV_ERROR, LOCATION, NULL, 1940 "inappropriate sadb delete message passed.\n"); 1941 return -1; 1942 } 1943 msg = (struct sadb_msg *)mhp[0]; 1944 sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; 1945 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); 1946 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); 1947 1948 /* the message has to be processed or not ? */ 1949 if (msg->sadb_msg_pid == getpid()) { 1950 plog(LLV_DEBUG, LOCATION, NULL, 1951 "%s message is not interesting " 1952 "because the message was originated by me.\n", 1953 s_pfkey_type(msg->sadb_msg_type)); 1954 return -1; 1955 } 1956 1957 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); 1958 if (proto_id == ~0) { 1959 plog(LLV_ERROR, LOCATION, NULL, 1960 "invalid proto_id %d\n", msg->sadb_msg_satype); 1961 return -1; 1962 } 1963 1964 iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); 1965 if (iph2 == NULL) { 1966 /* ignore */ 1967 plog(LLV_ERROR, LOCATION, NULL, 1968 "no iph2 found: %s\n", 1969 sadbsecas2str(src, dst, msg->sadb_msg_satype, 1970 sa->sadb_sa_spi, IPSEC_MODE_ANY)); 1971 return 0; 1972 } 1973 1974 plog(LLV_ERROR, LOCATION, NULL, 1975 "pfkey DELETE received: %s\n", 1976 sadbsecas2str(iph2->src, iph2->dst, 1977 msg->sadb_msg_satype, sa->sadb_sa_spi, IPSEC_MODE_ANY)); 1978 1979 /* send delete information */ 1980 if (iph2->status == PHASE2ST_ESTABLISHED) 1981 isakmp_info_send_d2(iph2); 1982 1983 unbindph12(iph2); 1984 remph2(iph2); 1985 delph2(iph2); 1986 1987 return 0; 1988 } 1989 1990 static int 1991 pk_recvflush(mhp) 1992 caddr_t *mhp; 1993 { 1994 /* ignore this message because of local test mode. */ 1995 if (f_local) 1996 return 0; 1997 1998 /* sanity check */ 1999 if (mhp[0] == NULL) { 2000 plog(LLV_ERROR, LOCATION, NULL, 2001 "inappropriate sadb flush message passed.\n"); 2002 return -1; 2003 } 2004 2005 flushph2(); 2006 2007 return 0; 2008 } 2009 2010 static int 2011 getsadbpolicy(policy0, policylen0, type, iph2) 2012 caddr_t *policy0; 2013 int *policylen0, type; 2014 struct ph2handle *iph2; 2015 { 2016 struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen; 2017 struct sadb_x_policy *xpl; 2018 struct sadb_x_ipsecrequest *xisr; 2019 struct saproto *pr; 2020 struct saproto **pr_rlist; 2021 int rlist_len = 0; 2022 caddr_t policy, p; 2023 int policylen; 2024 int xisrlen; 2025 u_int satype, mode; 2026 int len = 0; 2027 #ifdef HAVE_SECCTX 2028 int ctxlen = 0; 2029 #endif /* HAVE_SECCTX */ 2030 2031 2032 /* get policy buffer size */ 2033 policylen = sizeof(struct sadb_x_policy); 2034 if (type != SADB_X_SPDDELETE) { 2035 for (pr = iph2->approval->head; pr; pr = pr->next) { 2036 xisrlen = sizeof(*xisr); 2037 if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) { 2038 xisrlen += (sysdep_sa_len(iph2->src) 2039 + sysdep_sa_len(iph2->dst)); 2040 } 2041 2042 policylen += PFKEY_ALIGN8(xisrlen); 2043 } 2044 } 2045 2046 #ifdef HAVE_SECCTX 2047 if (*spidx->sec_ctx.ctx_str) { 2048 ctxlen = sizeof(struct sadb_x_sec_ctx) 2049 + PFKEY_ALIGN8(spidx->sec_ctx.ctx_strlen); 2050 policylen += ctxlen; 2051 } 2052 #endif /* HAVE_SECCTX */ 2053 2054 /* make policy structure */ 2055 policy = racoon_malloc(policylen); 2056 memset((void*)policy, 0xcd, policylen); 2057 if (!policy) { 2058 plog(LLV_ERROR, LOCATION, NULL, 2059 "buffer allocation failed.\n"); 2060 return -1; 2061 } 2062 2063 xpl = (struct sadb_x_policy *)policy; 2064 xpl->sadb_x_policy_len = PFKEY_UNIT64(policylen); 2065 xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY; 2066 xpl->sadb_x_policy_type = IPSEC_POLICY_IPSEC; 2067 xpl->sadb_x_policy_dir = spidx->dir; 2068 xpl->sadb_x_policy_id = 0; 2069 #ifdef HAVE_PFKEY_POLICY_PRIORITY 2070 xpl->sadb_x_policy_priority = PRIORITY_DEFAULT; 2071 #endif 2072 len++; 2073 2074 #ifdef HAVE_SECCTX 2075 if (*spidx->sec_ctx.ctx_str) { 2076 struct sadb_x_sec_ctx *p; 2077 2078 p = (struct sadb_x_sec_ctx *)(xpl + len); 2079 memset(p, 0, ctxlen); 2080 p->sadb_x_sec_len = PFKEY_UNIT64(ctxlen); 2081 p->sadb_x_sec_exttype = SADB_X_EXT_SEC_CTX; 2082 p->sadb_x_ctx_len = spidx->sec_ctx.ctx_strlen; 2083 p->sadb_x_ctx_doi = spidx->sec_ctx.ctx_doi; 2084 p->sadb_x_ctx_alg = spidx->sec_ctx.ctx_alg; 2085 2086 memcpy(p + 1,spidx->sec_ctx.ctx_str,spidx->sec_ctx.ctx_strlen); 2087 len += ctxlen; 2088 } 2089 #endif /* HAVE_SECCTX */ 2090 2091 /* no need to append policy information any more if type is SPDDELETE */ 2092 if (type == SADB_X_SPDDELETE) 2093 goto end; 2094 2095 xisr = (struct sadb_x_ipsecrequest *)(xpl + len); 2096 2097 /* The order of things is reversed for use in add policy messages */ 2098 for (pr = iph2->approval->head; pr; pr = pr->next) rlist_len++; 2099 pr_rlist = racoon_malloc((rlist_len+1)*sizeof(struct saproto*)); 2100 if (!pr_rlist) { 2101 plog(LLV_ERROR, LOCATION, NULL, 2102 "buffer allocation failed.\n"); 2103 return -1; 2104 } 2105 pr_rlist[rlist_len--] = NULL; 2106 for (pr = iph2->approval->head; pr; pr = pr->next) pr_rlist[rlist_len--] = pr; 2107 rlist_len = 0; 2108 2109 for (pr = pr_rlist[rlist_len++]; pr; pr = pr_rlist[rlist_len++]) { 2110 2111 satype = doi2ipproto(pr->proto_id); 2112 if (satype == ~0) { 2113 plog(LLV_ERROR, LOCATION, NULL, 2114 "invalid proto_id %d\n", pr->proto_id); 2115 goto err; 2116 } 2117 mode = ipsecdoi2pfkey_mode(pr->encmode); 2118 if (mode == ~0) { 2119 plog(LLV_ERROR, LOCATION, NULL, 2120 "invalid encmode %d\n", pr->encmode); 2121 goto err; 2122 } 2123 2124 /* 2125 * the policy level cannot be unique because the policy 2126 * is defined later than SA, so req_id cannot be bound to SA. 2127 */ 2128 xisr->sadb_x_ipsecrequest_proto = satype; 2129 xisr->sadb_x_ipsecrequest_mode = mode; 2130 if(iph2->proposal->head->reqid_in > 0){ 2131 xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE; 2132 xisr->sadb_x_ipsecrequest_reqid = iph2->proposal->head->reqid_in; 2133 }else{ 2134 xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE; 2135 xisr->sadb_x_ipsecrequest_reqid = 0; 2136 } 2137 p = (caddr_t)(xisr + 1); 2138 2139 xisrlen = sizeof(*xisr); 2140 2141 if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) { 2142 int src_len, dst_len; 2143 2144 src_len = sysdep_sa_len(iph2->src); 2145 dst_len = sysdep_sa_len(iph2->dst); 2146 xisrlen += src_len + dst_len; 2147 2148 memcpy(p, iph2->src, src_len); 2149 p += src_len; 2150 2151 memcpy(p, iph2->dst, dst_len); 2152 p += dst_len; 2153 } 2154 2155 xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen); 2156 xisr = (struct sadb_x_ipsecrequest *)p; 2157 2158 } 2159 racoon_free(pr_rlist); 2160 2161 end: 2162 *policy0 = policy; 2163 *policylen0 = policylen; 2164 2165 return 0; 2166 2167 err: 2168 if (policy) 2169 racoon_free(policy); 2170 if (pr_rlist) racoon_free(pr_rlist); 2171 2172 return -1; 2173 } 2174 2175 int 2176 pk_sendspdupdate2(iph2) 2177 struct ph2handle *iph2; 2178 { 2179 struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen; 2180 caddr_t policy = NULL; 2181 int policylen = 0; 2182 u_int64_t ltime, vtime; 2183 2184 ltime = iph2->approval->lifetime; 2185 vtime = 0; 2186 2187 if (getsadbpolicy(&policy, &policylen, SADB_X_SPDUPDATE, iph2)) { 2188 plog(LLV_ERROR, LOCATION, NULL, 2189 "getting sadb policy failed.\n"); 2190 return -1; 2191 } 2192 2193 if (pfkey_send_spdupdate2( 2194 lcconf->sock_pfkey, 2195 (struct sockaddr *)&spidx->src, 2196 spidx->prefs, 2197 (struct sockaddr *)&spidx->dst, 2198 spidx->prefd, 2199 spidx->ul_proto, 2200 ltime, vtime, 2201 policy, policylen, 0) < 0) { 2202 plog(LLV_ERROR, LOCATION, NULL, 2203 "libipsec failed send spdupdate2 (%s)\n", 2204 ipsec_strerror()); 2205 goto end; 2206 } 2207 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spdupdate2\n"); 2208 2209 end: 2210 if (policy) 2211 racoon_free(policy); 2212 2213 return 0; 2214 } 2215 2216 static int 2217 pk_recvspdupdate(mhp) 2218 caddr_t *mhp; 2219 { 2220 struct sadb_address *saddr, *daddr; 2221 struct sadb_x_policy *xpl; 2222 struct sadb_lifetime *lt; 2223 struct policyindex spidx; 2224 struct secpolicy *sp; 2225 u_int64_t created; 2226 2227 /* sanity check */ 2228 if (mhp[0] == NULL 2229 || mhp[SADB_EXT_ADDRESS_SRC] == NULL 2230 || mhp[SADB_EXT_ADDRESS_DST] == NULL 2231 || mhp[SADB_X_EXT_POLICY] == NULL) { 2232 plog(LLV_ERROR, LOCATION, NULL, 2233 "inappropriate sadb spdupdate message passed.\n"); 2234 return -1; 2235 } 2236 saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; 2237 daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; 2238 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; 2239 lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD]; 2240 if(lt != NULL) 2241 created = lt->sadb_lifetime_addtime; 2242 else 2243 created = 0; 2244 2245 #ifdef HAVE_PFKEY_POLICY_PRIORITY 2246 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir, 2247 saddr + 1, 2248 daddr + 1, 2249 saddr->sadb_address_prefixlen, 2250 daddr->sadb_address_prefixlen, 2251 saddr->sadb_address_proto, 2252 xpl->sadb_x_policy_priority, 2253 created, 2254 &spidx); 2255 #else 2256 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir, 2257 saddr + 1, 2258 daddr + 1, 2259 saddr->sadb_address_prefixlen, 2260 daddr->sadb_address_prefixlen, 2261 saddr->sadb_address_proto, 2262 created, 2263 &spidx); 2264 #endif 2265 2266 #ifdef HAVE_SECCTX 2267 if (mhp[SADB_X_EXT_SEC_CTX] != NULL) { 2268 struct sadb_x_sec_ctx *ctx; 2269 2270 ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX]; 2271 spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg; 2272 spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi; 2273 spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len; 2274 memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len); 2275 } 2276 #endif /* HAVE_SECCTX */ 2277 2278 sp = getsp(&spidx); 2279 if (sp == NULL) { 2280 plog(LLV_ERROR, LOCATION, NULL, 2281 "such policy does not already exist: \"%s\"\n", 2282 spidx2str(&spidx)); 2283 } else { 2284 remsp(sp); 2285 delsp(sp); 2286 } 2287 2288 if (addnewsp(mhp) < 0) 2289 return -1; 2290 2291 return 0; 2292 } 2293 2294 /* 2295 * this function has to be used by responder side. 2296 */ 2297 int 2298 pk_sendspdadd2(iph2) 2299 struct ph2handle *iph2; 2300 { 2301 struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen; 2302 caddr_t policy = NULL; 2303 int policylen = 0; 2304 u_int64_t ltime, vtime; 2305 2306 ltime = iph2->approval->lifetime; 2307 vtime = 0; 2308 2309 if (getsadbpolicy(&policy, &policylen, SADB_X_SPDADD, iph2)) { 2310 plog(LLV_ERROR, LOCATION, NULL, 2311 "getting sadb policy failed.\n"); 2312 return -1; 2313 } 2314 2315 if (pfkey_send_spdadd2( 2316 lcconf->sock_pfkey, 2317 (struct sockaddr *)&spidx->src, 2318 spidx->prefs, 2319 (struct sockaddr *)&spidx->dst, 2320 spidx->prefd, 2321 spidx->ul_proto, 2322 ltime, vtime, 2323 policy, policylen, 0) < 0) { 2324 plog(LLV_ERROR, LOCATION, NULL, 2325 "libipsec failed send spdadd2 (%s)\n", 2326 ipsec_strerror()); 2327 goto end; 2328 } 2329 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spdadd2\n"); 2330 2331 end: 2332 if (policy) 2333 racoon_free(policy); 2334 2335 return 0; 2336 } 2337 2338 static int 2339 pk_recvspdadd(mhp) 2340 caddr_t *mhp; 2341 { 2342 struct sadb_address *saddr, *daddr; 2343 struct sadb_x_policy *xpl; 2344 struct sadb_lifetime *lt; 2345 struct policyindex spidx; 2346 struct secpolicy *sp; 2347 u_int64_t created; 2348 2349 /* sanity check */ 2350 if (mhp[0] == NULL 2351 || mhp[SADB_EXT_ADDRESS_SRC] == NULL 2352 || mhp[SADB_EXT_ADDRESS_DST] == NULL 2353 || mhp[SADB_X_EXT_POLICY] == NULL) { 2354 plog(LLV_ERROR, LOCATION, NULL, 2355 "inappropriate sadb spdadd message passed.\n"); 2356 return -1; 2357 } 2358 saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; 2359 daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; 2360 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; 2361 lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD]; 2362 if(lt != NULL) 2363 created = lt->sadb_lifetime_addtime; 2364 else 2365 created = 0; 2366 2367 #ifdef HAVE_PFKEY_POLICY_PRIORITY 2368 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir, 2369 saddr + 1, 2370 daddr + 1, 2371 saddr->sadb_address_prefixlen, 2372 daddr->sadb_address_prefixlen, 2373 saddr->sadb_address_proto, 2374 xpl->sadb_x_policy_priority, 2375 created, 2376 &spidx); 2377 #else 2378 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir, 2379 saddr + 1, 2380 daddr + 1, 2381 saddr->sadb_address_prefixlen, 2382 daddr->sadb_address_prefixlen, 2383 saddr->sadb_address_proto, 2384 created, 2385 &spidx); 2386 #endif 2387 2388 #ifdef HAVE_SECCTX 2389 if (mhp[SADB_X_EXT_SEC_CTX] != NULL) { 2390 struct sadb_x_sec_ctx *ctx; 2391 2392 ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX]; 2393 spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg; 2394 spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi; 2395 spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len; 2396 memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len); 2397 } 2398 #endif /* HAVE_SECCTX */ 2399 2400 sp = getsp(&spidx); 2401 if (sp != NULL) { 2402 plog(LLV_ERROR, LOCATION, NULL, 2403 "such policy already exists. " 2404 "anyway replace it: %s\n", 2405 spidx2str(&spidx)); 2406 remsp(sp); 2407 delsp(sp); 2408 } 2409 2410 if (addnewsp(mhp) < 0) 2411 return -1; 2412 2413 return 0; 2414 } 2415 2416 /* 2417 * this function has to be used by responder side. 2418 */ 2419 int 2420 pk_sendspddelete(iph2) 2421 struct ph2handle *iph2; 2422 { 2423 struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen; 2424 caddr_t policy = NULL; 2425 int policylen; 2426 2427 if (getsadbpolicy(&policy, &policylen, SADB_X_SPDDELETE, iph2)) { 2428 plog(LLV_ERROR, LOCATION, NULL, 2429 "getting sadb policy failed.\n"); 2430 return -1; 2431 } 2432 2433 if (pfkey_send_spddelete( 2434 lcconf->sock_pfkey, 2435 (struct sockaddr *)&spidx->src, 2436 spidx->prefs, 2437 (struct sockaddr *)&spidx->dst, 2438 spidx->prefd, 2439 spidx->ul_proto, 2440 policy, policylen, 0) < 0) { 2441 plog(LLV_ERROR, LOCATION, NULL, 2442 "libipsec failed send spddelete (%s)\n", 2443 ipsec_strerror()); 2444 goto end; 2445 } 2446 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spddelete\n"); 2447 2448 end: 2449 if (policy) 2450 racoon_free(policy); 2451 2452 return 0; 2453 } 2454 2455 static int 2456 pk_recvspddelete(mhp) 2457 caddr_t *mhp; 2458 { 2459 struct sadb_address *saddr, *daddr; 2460 struct sadb_x_policy *xpl; 2461 struct sadb_lifetime *lt; 2462 struct policyindex spidx; 2463 struct secpolicy *sp; 2464 u_int64_t created; 2465 2466 /* sanity check */ 2467 if (mhp[0] == NULL 2468 || mhp[SADB_EXT_ADDRESS_SRC] == NULL 2469 || mhp[SADB_EXT_ADDRESS_DST] == NULL 2470 || mhp[SADB_X_EXT_POLICY] == NULL) { 2471 plog(LLV_ERROR, LOCATION, NULL, 2472 "inappropriate sadb spddelete message passed.\n"); 2473 return -1; 2474 } 2475 saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; 2476 daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; 2477 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; 2478 lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD]; 2479 if(lt != NULL) 2480 created = lt->sadb_lifetime_addtime; 2481 else 2482 created = 0; 2483 2484 #ifdef HAVE_PFKEY_POLICY_PRIORITY 2485 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir, 2486 saddr + 1, 2487 daddr + 1, 2488 saddr->sadb_address_prefixlen, 2489 daddr->sadb_address_prefixlen, 2490 saddr->sadb_address_proto, 2491 xpl->sadb_x_policy_priority, 2492 created, 2493 &spidx); 2494 #else 2495 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir, 2496 saddr + 1, 2497 daddr + 1, 2498 saddr->sadb_address_prefixlen, 2499 daddr->sadb_address_prefixlen, 2500 saddr->sadb_address_proto, 2501 created, 2502 &spidx); 2503 #endif 2504 2505 #ifdef HAVE_SECCTX 2506 if (mhp[SADB_X_EXT_SEC_CTX] != NULL) { 2507 struct sadb_x_sec_ctx *ctx; 2508 2509 ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX]; 2510 spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg; 2511 spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi; 2512 spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len; 2513 memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len); 2514 } 2515 #endif /* HAVE_SECCTX */ 2516 2517 sp = getsp(&spidx); 2518 if (sp == NULL) { 2519 plog(LLV_ERROR, LOCATION, NULL, 2520 "no policy found: %s\n", 2521 spidx2str(&spidx)); 2522 return -1; 2523 } 2524 2525 remsp(sp); 2526 delsp(sp); 2527 2528 return 0; 2529 } 2530 2531 static int 2532 pk_recvspdexpire(mhp) 2533 caddr_t *mhp; 2534 { 2535 struct sadb_address *saddr, *daddr; 2536 struct sadb_x_policy *xpl; 2537 struct sadb_lifetime *lt; 2538 struct policyindex spidx; 2539 struct secpolicy *sp; 2540 u_int64_t created; 2541 2542 /* sanity check */ 2543 if (mhp[0] == NULL 2544 || mhp[SADB_EXT_ADDRESS_SRC] == NULL 2545 || mhp[SADB_EXT_ADDRESS_DST] == NULL 2546 || mhp[SADB_X_EXT_POLICY] == NULL) { 2547 plog(LLV_ERROR, LOCATION, NULL, 2548 "inappropriate sadb spdexpire message passed.\n"); 2549 return -1; 2550 } 2551 saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; 2552 daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; 2553 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; 2554 lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD]; 2555 if(lt != NULL) 2556 created = lt->sadb_lifetime_addtime; 2557 else 2558 created = 0; 2559 2560 #ifdef HAVE_PFKEY_POLICY_PRIORITY 2561 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir, 2562 saddr + 1, 2563 daddr + 1, 2564 saddr->sadb_address_prefixlen, 2565 daddr->sadb_address_prefixlen, 2566 saddr->sadb_address_proto, 2567 xpl->sadb_x_policy_priority, 2568 created, 2569 &spidx); 2570 #else 2571 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir, 2572 saddr + 1, 2573 daddr + 1, 2574 saddr->sadb_address_prefixlen, 2575 daddr->sadb_address_prefixlen, 2576 saddr->sadb_address_proto, 2577 created, 2578 &spidx); 2579 #endif 2580 2581 #ifdef HAVE_SECCTX 2582 if (mhp[SADB_X_EXT_SEC_CTX] != NULL) { 2583 struct sadb_x_sec_ctx *ctx; 2584 2585 ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX]; 2586 spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg; 2587 spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi; 2588 spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len; 2589 memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len); 2590 } 2591 #endif /* HAVE_SECCTX */ 2592 2593 sp = getsp(&spidx); 2594 if (sp == NULL) { 2595 plog(LLV_ERROR, LOCATION, NULL, 2596 "no policy found: %s\n", 2597 spidx2str(&spidx)); 2598 return -1; 2599 } 2600 2601 remsp(sp); 2602 delsp(sp); 2603 2604 return 0; 2605 } 2606 2607 static int 2608 pk_recvspdget(mhp) 2609 caddr_t *mhp; 2610 { 2611 /* sanity check */ 2612 if (mhp[0] == NULL) { 2613 plog(LLV_ERROR, LOCATION, NULL, 2614 "inappropriate sadb spdget message passed.\n"); 2615 return -1; 2616 } 2617 2618 return 0; 2619 } 2620 2621 static int 2622 pk_recvspddump(mhp) 2623 caddr_t *mhp; 2624 { 2625 struct sadb_msg *msg; 2626 struct sadb_address *saddr, *daddr; 2627 struct sadb_x_policy *xpl; 2628 struct sadb_lifetime *lt; 2629 struct policyindex spidx; 2630 struct secpolicy *sp; 2631 u_int64_t created; 2632 2633 /* sanity check */ 2634 if (mhp[0] == NULL) { 2635 plog(LLV_ERROR, LOCATION, NULL, 2636 "inappropriate sadb spddump message passed.\n"); 2637 return -1; 2638 } 2639 msg = (struct sadb_msg *)mhp[0]; 2640 2641 saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; 2642 daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; 2643 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; 2644 lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD]; 2645 if(lt != NULL) 2646 created = lt->sadb_lifetime_addtime; 2647 else 2648 created = 0; 2649 2650 if (saddr == NULL || daddr == NULL || xpl == NULL) { 2651 plog(LLV_ERROR, LOCATION, NULL, 2652 "inappropriate sadb spddump message passed.\n"); 2653 return -1; 2654 } 2655 2656 #ifdef HAVE_PFKEY_POLICY_PRIORITY 2657 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir, 2658 saddr + 1, 2659 daddr + 1, 2660 saddr->sadb_address_prefixlen, 2661 daddr->sadb_address_prefixlen, 2662 saddr->sadb_address_proto, 2663 xpl->sadb_x_policy_priority, 2664 created, 2665 &spidx); 2666 #else 2667 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir, 2668 saddr + 1, 2669 daddr + 1, 2670 saddr->sadb_address_prefixlen, 2671 daddr->sadb_address_prefixlen, 2672 saddr->sadb_address_proto, 2673 created, 2674 &spidx); 2675 #endif 2676 2677 #ifdef HAVE_SECCTX 2678 if (mhp[SADB_X_EXT_SEC_CTX] != NULL) { 2679 struct sadb_x_sec_ctx *ctx; 2680 2681 ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX]; 2682 spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg; 2683 spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi; 2684 spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len; 2685 memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len); 2686 } 2687 #endif /* HAVE_SECCTX */ 2688 2689 sp = getsp(&spidx); 2690 if (sp != NULL) { 2691 plog(LLV_ERROR, LOCATION, NULL, 2692 "such policy already exists. " 2693 "anyway replace it: %s\n", 2694 spidx2str(&spidx)); 2695 remsp(sp); 2696 delsp(sp); 2697 } 2698 2699 if (addnewsp(mhp) < 0) 2700 return -1; 2701 2702 return 0; 2703 } 2704 2705 static int 2706 pk_recvspdflush(mhp) 2707 caddr_t *mhp; 2708 { 2709 /* sanity check */ 2710 if (mhp[0] == NULL) { 2711 plog(LLV_ERROR, LOCATION, NULL, 2712 "inappropriate sadb spdflush message passed.\n"); 2713 return -1; 2714 } 2715 2716 flushsp(); 2717 2718 return 0; 2719 } 2720 2721 #ifndef ANDROID_PATCHED 2722 2723 /* 2724 * send error against acquire message to kenrel. 2725 */ 2726 int 2727 pk_sendeacquire(iph2) 2728 struct ph2handle *iph2; 2729 { 2730 struct sadb_msg *newmsg; 2731 int len; 2732 2733 len = sizeof(struct sadb_msg); 2734 newmsg = racoon_calloc(1, len); 2735 if (newmsg == NULL) { 2736 plog(LLV_ERROR, LOCATION, NULL, 2737 "failed to get buffer to send acquire.\n"); 2738 return -1; 2739 } 2740 2741 memset(newmsg, 0, len); 2742 newmsg->sadb_msg_version = PF_KEY_V2; 2743 newmsg->sadb_msg_type = SADB_ACQUIRE; 2744 newmsg->sadb_msg_errno = ENOENT; /* XXX */ 2745 newmsg->sadb_msg_satype = iph2->satype; 2746 newmsg->sadb_msg_len = PFKEY_UNIT64(len); 2747 newmsg->sadb_msg_reserved = 0; 2748 newmsg->sadb_msg_seq = iph2->seq; 2749 newmsg->sadb_msg_pid = (u_int32_t)getpid(); 2750 2751 /* send message */ 2752 len = pfkey_send(lcconf->sock_pfkey, newmsg, len); 2753 2754 racoon_free(newmsg); 2755 2756 return 0; 2757 } 2758 2759 #else 2760 2761 int pk_sendeacquire(struct ph2handle *iph2) 2762 { 2763 exit(1); 2764 } 2765 2766 #endif 2767 2768 /* 2769 * check if the algorithm is supported or not. 2770 * OUT 0: ok 2771 * -1: ng 2772 */ 2773 int 2774 pk_checkalg(class, calg, keylen) 2775 int class, calg, keylen; 2776 { 2777 int sup, error; 2778 u_int alg; 2779 struct sadb_alg alg0; 2780 2781 switch (algclass2doi(class)) { 2782 case IPSECDOI_PROTO_IPSEC_ESP: 2783 sup = SADB_EXT_SUPPORTED_ENCRYPT; 2784 break; 2785 case IPSECDOI_ATTR_AUTH: 2786 sup = SADB_EXT_SUPPORTED_AUTH; 2787 break; 2788 case IPSECDOI_PROTO_IPCOMP: 2789 plog(LLV_DEBUG, LOCATION, NULL, 2790 "compression algorithm can not be checked " 2791 "because sadb message doesn't support it.\n"); 2792 return 0; 2793 default: 2794 plog(LLV_ERROR, LOCATION, NULL, 2795 "invalid algorithm class.\n"); 2796 return -1; 2797 } 2798 alg = ipsecdoi2pfkey_alg(algclass2doi(class), algtype2doi(class, calg)); 2799 if (alg == ~0) 2800 return -1; 2801 2802 if (keylen == 0) { 2803 if (ipsec_get_keylen(sup, alg, &alg0)) { 2804 plog(LLV_ERROR, LOCATION, NULL, 2805 "%s.\n", ipsec_strerror()); 2806 return -1; 2807 } 2808 keylen = alg0.sadb_alg_minbits; 2809 } 2810 2811 error = ipsec_check_keylen(sup, alg, keylen); 2812 if (error) 2813 plog(LLV_ERROR, LOCATION, NULL, 2814 "%s.\n", ipsec_strerror()); 2815 2816 return error; 2817 } 2818 2819 /* 2820 * differences with pfkey_recv() in libipsec/pfkey.c: 2821 * - never performs busy wait loop. 2822 * - returns NULL and set *lenp to negative on fatal failures 2823 * - returns NULL and set *lenp to non-negative on non-fatal failures 2824 * - returns non-NULL on success 2825 */ 2826 static struct sadb_msg * 2827 pk_recv(so, lenp) 2828 int so; 2829 int *lenp; 2830 { 2831 struct sadb_msg buf, *newmsg; 2832 int reallen; 2833 int retry = 0; 2834 2835 *lenp = -1; 2836 do 2837 { 2838 plog(LLV_DEBUG, LOCATION, NULL, "pk_recv: retry[%d] recv() \n", retry ); 2839 *lenp = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK | MSG_DONTWAIT); 2840 retry++; 2841 } 2842 while (*lenp < 0 && errno == EAGAIN && retry < 3); 2843 2844 if (*lenp < 0) 2845 return NULL; /*fatal*/ 2846 2847 else if (*lenp < sizeof(buf)) 2848 return NULL; 2849 2850 reallen = PFKEY_UNUNIT64(buf.sadb_msg_len); 2851 if ((newmsg = racoon_calloc(1, reallen)) == NULL) 2852 return NULL; 2853 2854 *lenp = recv(so, (caddr_t)newmsg, reallen, MSG_PEEK); 2855 if (*lenp < 0) { 2856 racoon_free(newmsg); 2857 return NULL; /*fatal*/ 2858 } else if (*lenp != reallen) { 2859 racoon_free(newmsg); 2860 return NULL; 2861 } 2862 2863 *lenp = recv(so, (caddr_t)newmsg, reallen, 0); 2864 if (*lenp < 0) { 2865 racoon_free(newmsg); 2866 return NULL; /*fatal*/ 2867 } else if (*lenp != reallen) { 2868 racoon_free(newmsg); 2869 return NULL; 2870 } 2871 2872 return newmsg; 2873 } 2874 2875 /* see handler.h */ 2876 u_int32_t 2877 pk_getseq() 2878 { 2879 return eay_random(); 2880 } 2881 2882 static int 2883 addnewsp(mhp) 2884 caddr_t *mhp; 2885 { 2886 struct secpolicy *new = NULL; 2887 struct sadb_address *saddr, *daddr; 2888 struct sadb_x_policy *xpl; 2889 struct sadb_lifetime *lt; 2890 u_int64_t created; 2891 2892 /* sanity check */ 2893 if (mhp[SADB_EXT_ADDRESS_SRC] == NULL 2894 || mhp[SADB_EXT_ADDRESS_DST] == NULL 2895 || mhp[SADB_X_EXT_POLICY] == NULL) { 2896 plog(LLV_ERROR, LOCATION, NULL, 2897 "inappropriate sadb spd management message passed.\n"); 2898 goto bad; 2899 } 2900 2901 saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; 2902 daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; 2903 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; 2904 lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD]; 2905 if(lt != NULL) 2906 created = lt->sadb_lifetime_addtime; 2907 else 2908 created = 0; 2909 lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD]; 2910 if(lt != NULL) 2911 created = lt->sadb_lifetime_addtime; 2912 else 2913 created = 0; 2914 2915 #ifdef __linux__ 2916 /* bsd skips over per-socket policies because there will be no 2917 * src and dst extensions in spddump messages. On Linux the only 2918 * way to achieve the same is check for policy id. 2919 */ 2920 if (xpl->sadb_x_policy_id % 8 >= 3) return 0; 2921 #endif 2922 2923 new = newsp(); 2924 if (new == NULL) { 2925 plog(LLV_ERROR, LOCATION, NULL, 2926 "failed to allocate buffer\n"); 2927 goto bad; 2928 } 2929 2930 new->spidx.dir = xpl->sadb_x_policy_dir; 2931 new->id = xpl->sadb_x_policy_id; 2932 new->policy = xpl->sadb_x_policy_type; 2933 new->req = NULL; 2934 2935 /* check policy */ 2936 switch (xpl->sadb_x_policy_type) { 2937 case IPSEC_POLICY_DISCARD: 2938 case IPSEC_POLICY_NONE: 2939 case IPSEC_POLICY_ENTRUST: 2940 case IPSEC_POLICY_BYPASS: 2941 break; 2942 2943 case IPSEC_POLICY_IPSEC: 2944 { 2945 int tlen; 2946 struct sadb_x_ipsecrequest *xisr; 2947 struct ipsecrequest **p_isr = &new->req; 2948 2949 /* validity check */ 2950 if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) { 2951 plog(LLV_ERROR, LOCATION, NULL, 2952 "invalid msg length.\n"); 2953 goto bad; 2954 } 2955 2956 tlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl); 2957 xisr = (struct sadb_x_ipsecrequest *)(xpl + 1); 2958 2959 while (tlen > 0) { 2960 2961 /* length check */ 2962 if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) { 2963 plog(LLV_ERROR, LOCATION, NULL, 2964 "invalid msg length.\n"); 2965 goto bad; 2966 } 2967 2968 /* allocate request buffer */ 2969 *p_isr = newipsecreq(); 2970 if (*p_isr == NULL) { 2971 plog(LLV_ERROR, LOCATION, NULL, 2972 "failed to get new ipsecreq.\n"); 2973 goto bad; 2974 } 2975 2976 /* set values */ 2977 (*p_isr)->next = NULL; 2978 2979 switch (xisr->sadb_x_ipsecrequest_proto) { 2980 case IPPROTO_ESP: 2981 case IPPROTO_AH: 2982 case IPPROTO_IPCOMP: 2983 break; 2984 default: 2985 plog(LLV_ERROR, LOCATION, NULL, 2986 "invalid proto type: %u\n", 2987 xisr->sadb_x_ipsecrequest_proto); 2988 goto bad; 2989 } 2990 (*p_isr)->saidx.proto = xisr->sadb_x_ipsecrequest_proto; 2991 2992 switch (xisr->sadb_x_ipsecrequest_mode) { 2993 case IPSEC_MODE_TRANSPORT: 2994 case IPSEC_MODE_TUNNEL: 2995 break; 2996 case IPSEC_MODE_ANY: 2997 default: 2998 plog(LLV_ERROR, LOCATION, NULL, 2999 "invalid mode: %u\n", 3000 xisr->sadb_x_ipsecrequest_mode); 3001 goto bad; 3002 } 3003 (*p_isr)->saidx.mode = xisr->sadb_x_ipsecrequest_mode; 3004 3005 switch (xisr->sadb_x_ipsecrequest_level) { 3006 case IPSEC_LEVEL_DEFAULT: 3007 case IPSEC_LEVEL_USE: 3008 case IPSEC_LEVEL_REQUIRE: 3009 break; 3010 case IPSEC_LEVEL_UNIQUE: 3011 (*p_isr)->saidx.reqid = 3012 xisr->sadb_x_ipsecrequest_reqid; 3013 break; 3014 3015 default: 3016 plog(LLV_ERROR, LOCATION, NULL, 3017 "invalid level: %u\n", 3018 xisr->sadb_x_ipsecrequest_level); 3019 goto bad; 3020 } 3021 (*p_isr)->level = xisr->sadb_x_ipsecrequest_level; 3022 3023 /* set IP addresses if there */ 3024 if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) { 3025 struct sockaddr *paddr; 3026 3027 paddr = (struct sockaddr *)(xisr + 1); 3028 bcopy(paddr, &(*p_isr)->saidx.src, 3029 sysdep_sa_len(paddr)); 3030 3031 paddr = (struct sockaddr *)((caddr_t)paddr 3032 + sysdep_sa_len(paddr)); 3033 bcopy(paddr, &(*p_isr)->saidx.dst, 3034 sysdep_sa_len(paddr)); 3035 } 3036 3037 (*p_isr)->sp = new; 3038 3039 /* initialization for the next. */ 3040 p_isr = &(*p_isr)->next; 3041 tlen -= xisr->sadb_x_ipsecrequest_len; 3042 3043 /* validity check */ 3044 if (tlen < 0) { 3045 plog(LLV_ERROR, LOCATION, NULL, 3046 "becoming tlen < 0\n"); 3047 } 3048 3049 xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr 3050 + xisr->sadb_x_ipsecrequest_len); 3051 } 3052 } 3053 break; 3054 default: 3055 plog(LLV_ERROR, LOCATION, NULL, 3056 "invalid policy type.\n"); 3057 goto bad; 3058 } 3059 3060 #ifdef HAVE_PFKEY_POLICY_PRIORITY 3061 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir, 3062 saddr + 1, 3063 daddr + 1, 3064 saddr->sadb_address_prefixlen, 3065 daddr->sadb_address_prefixlen, 3066 saddr->sadb_address_proto, 3067 xpl->sadb_x_policy_priority, 3068 created, 3069 &new->spidx); 3070 #else 3071 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir, 3072 saddr + 1, 3073 daddr + 1, 3074 saddr->sadb_address_prefixlen, 3075 daddr->sadb_address_prefixlen, 3076 saddr->sadb_address_proto, 3077 created, 3078 &new->spidx); 3079 #endif 3080 3081 #ifdef HAVE_SECCTX 3082 if (mhp[SADB_X_EXT_SEC_CTX] != NULL) { 3083 struct sadb_x_sec_ctx *ctx; 3084 3085 ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX]; 3086 new->spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg; 3087 new->spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi; 3088 new->spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len; 3089 memcpy(new->spidx.sec_ctx.ctx_str,ctx + 1,ctx->sadb_x_ctx_len); 3090 } 3091 #endif /* HAVE_SECCTX */ 3092 3093 inssp(new); 3094 3095 return 0; 3096 bad: 3097 if (new != NULL) { 3098 if (new->req != NULL) 3099 racoon_free(new->req); 3100 racoon_free(new); 3101 } 3102 return -1; 3103 } 3104 3105 /* proto/mode/src->dst spi */ 3106 const char * 3107 sadbsecas2str(src, dst, proto, spi, mode) 3108 struct sockaddr *src, *dst; 3109 int proto; 3110 u_int32_t spi; 3111 int mode; 3112 { 3113 static char buf[256]; 3114 u_int doi_proto, doi_mode = 0; 3115 char *p; 3116 int blen, i; 3117 3118 doi_proto = pfkey2ipsecdoi_proto(proto); 3119 if (doi_proto == ~0) 3120 return NULL; 3121 if (mode) { 3122 doi_mode = pfkey2ipsecdoi_mode(mode); 3123 if (doi_mode == ~0) 3124 return NULL; 3125 } 3126 3127 blen = sizeof(buf) - 1; 3128 p = buf; 3129 3130 i = snprintf(p, blen, "%s%s%s ", 3131 s_ipsecdoi_proto(doi_proto), 3132 mode ? "/" : "", 3133 mode ? s_ipsecdoi_encmode(doi_mode) : ""); 3134 if (i < 0 || i >= blen) 3135 return NULL; 3136 p += i; 3137 blen -= i; 3138 3139 i = snprintf(p, blen, "%s->", saddr2str(src)); 3140 if (i < 0 || i >= blen) 3141 return NULL; 3142 p += i; 3143 blen -= i; 3144 3145 i = snprintf(p, blen, "%s ", saddr2str(dst)); 3146 if (i < 0 || i >= blen) 3147 return NULL; 3148 p += i; 3149 blen -= i; 3150 3151 if (spi) { 3152 snprintf(p, blen, "spi=%lu(0x%lx)", (unsigned long)ntohl(spi), 3153 (unsigned long)ntohl(spi)); 3154 } 3155 3156 return buf; 3157 } 3158
