Annotation of embedaddon/ipsec-tools/src/racoon/pfkey.c, revision 1.1
1.1 ! misho 1: /* $NetBSD: pfkey.c,v 1.57 2011/03/15 13:20:14 vanhu Exp $ */
! 2:
! 3: /* $Id: pfkey.c,v 1.57 2011/03/15 13:20:14 vanhu Exp $ */
! 4:
! 5: /*
! 6: * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
! 7: * All rights reserved.
! 8: *
! 9: * Redistribution and use in source and binary forms, with or without
! 10: * modification, are permitted provided that the following conditions
! 11: * are met:
! 12: * 1. Redistributions of source code must retain the above copyright
! 13: * notice, this list of conditions and the following disclaimer.
! 14: * 2. Redistributions in binary form must reproduce the above copyright
! 15: * notice, this list of conditions and the following disclaimer in the
! 16: * documentation and/or other materials provided with the distribution.
! 17: * 3. Neither the name of the project nor the names of its contributors
! 18: * may be used to endorse or promote products derived from this software
! 19: * without specific prior written permission.
! 20: *
! 21: * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
! 22: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
! 23: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
! 24: * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
! 25: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
! 26: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
! 27: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
! 28: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
! 29: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
! 30: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
! 31: * SUCH DAMAGE.
! 32: */
! 33:
! 34: #include "config.h"
! 35:
! 36: #include <stdlib.h>
! 37: #include <string.h>
! 38: #include <stdio.h>
! 39: #include <netdb.h>
! 40: #include <errno.h>
! 41: #ifdef HAVE_UNISTD_H
! 42: #include <unistd.h>
! 43: #endif
! 44: #include <netdb.h>
! 45: #include <netinet/in.h>
! 46: #include <arpa/inet.h>
! 47:
! 48: #ifdef ENABLE_NATT
! 49: # ifdef __linux__
! 50: # include <linux/udp.h>
! 51: # endif
! 52: # if defined(__NetBSD__) || defined(__FreeBSD__) || \
! 53: (defined(__APPLE__) && defined(__MACH__))
! 54: # include <netinet/udp.h>
! 55: # endif
! 56: #endif
! 57:
! 58: #include <sys/types.h>
! 59: #include <sys/param.h>
! 60: #include <sys/socket.h>
! 61: #include <sys/queue.h>
! 62: #include <sys/sysctl.h>
! 63:
! 64: #include <net/route.h>
! 65: #include <net/pfkeyv2.h>
! 66:
! 67: #include <netinet/in.h>
! 68: #include PATH_IPSEC_H
! 69: #include <fcntl.h>
! 70:
! 71: #include "libpfkey.h"
! 72:
! 73: #include "var.h"
! 74: #include "misc.h"
! 75: #include "vmbuf.h"
! 76: #include "plog.h"
! 77: #include "sockmisc.h"
! 78: #include "session.h"
! 79: #include "debug.h"
! 80:
! 81: #include "schedule.h"
! 82: #include "localconf.h"
! 83: #include "remoteconf.h"
! 84: #include "handler.h"
! 85: #include "policy.h"
! 86: #include "proposal.h"
! 87: #include "isakmp_var.h"
! 88: #include "isakmp.h"
! 89: #include "isakmp_inf.h"
! 90: #include "ipsec_doi.h"
! 91: #include "oakley.h"
! 92: #include "pfkey.h"
! 93: #include "algorithm.h"
! 94: #include "sainfo.h"
! 95: #include "admin.h"
! 96: #include "evt.h"
! 97: #include "privsep.h"
! 98: #include "strnames.h"
! 99: #include "backupsa.h"
! 100: #include "gcmalloc.h"
! 101: #include "nattraversal.h"
! 102: #include "crypto_openssl.h"
! 103: #include "grabmyaddr.h"
! 104:
! 105: #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
! 106: #define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
! 107: #endif
! 108:
! 109: /* prototype */
! 110: static u_int ipsecdoi2pfkey_aalg __P((u_int));
! 111: static u_int ipsecdoi2pfkey_ealg __P((u_int));
! 112: static u_int ipsecdoi2pfkey_calg __P((u_int));
! 113: static u_int ipsecdoi2pfkey_alg __P((u_int, u_int));
! 114: static u_int keylen_aalg __P((u_int));
! 115: static u_int keylen_ealg __P((u_int, int));
! 116:
! 117: static int pk_recvgetspi __P((caddr_t *));
! 118: static int pk_recvupdate __P((caddr_t *));
! 119: static int pk_recvadd __P((caddr_t *));
! 120: static int pk_recvdelete __P((caddr_t *));
! 121: static int pk_recvacquire __P((caddr_t *));
! 122: static int pk_recvexpire __P((caddr_t *));
! 123: static int pk_recvflush __P((caddr_t *));
! 124: static int getsadbpolicy __P((caddr_t *, int *, int, struct ph2handle *));
! 125: static int pk_recvspdupdate __P((caddr_t *));
! 126: static int pk_recvspdadd __P((caddr_t *));
! 127: static int pk_recvspddelete __P((caddr_t *));
! 128: static int pk_recvspdexpire __P((caddr_t *));
! 129: static int pk_recvspdget __P((caddr_t *));
! 130: static int pk_recvspddump __P((caddr_t *));
! 131: static int pk_recvspdflush __P((caddr_t *));
! 132: #if defined(SADB_X_MIGRATE) && defined(SADB_X_EXT_KMADDRESS)
! 133: static int pk_recvmigrate __P((caddr_t *));
! 134: #endif
! 135: static struct sadb_msg *pk_recv __P((int, int *));
! 136:
! 137: static int (*pkrecvf[]) __P((caddr_t *)) = {
! 138: NULL,
! 139: pk_recvgetspi,
! 140: pk_recvupdate,
! 141: pk_recvadd,
! 142: pk_recvdelete,
! 143: NULL, /* SADB_GET */
! 144: pk_recvacquire,
! 145: NULL, /* SABD_REGISTER */
! 146: pk_recvexpire,
! 147: pk_recvflush,
! 148: NULL, /* SADB_DUMP */
! 149: NULL, /* SADB_X_PROMISC */
! 150: NULL, /* SADB_X_PCHANGE */
! 151: pk_recvspdupdate,
! 152: pk_recvspdadd,
! 153: pk_recvspddelete,
! 154: pk_recvspdget,
! 155: NULL, /* SADB_X_SPDACQUIRE */
! 156: pk_recvspddump,
! 157: pk_recvspdflush,
! 158: NULL, /* SADB_X_SPDSETIDX */
! 159: pk_recvspdexpire,
! 160: NULL, /* SADB_X_SPDDELETE2 */
! 161: NULL, /* SADB_X_NAT_T_NEW_MAPPING */
! 162: #if defined(SADB_X_MIGRATE) && defined(SADB_X_EXT_KMADDRESS)
! 163: pk_recvmigrate,
! 164: #else
! 165: NULL, /* SADB_X_MIGRATE */
! 166: #endif
! 167: #if (SADB_MAX > 24)
! 168: #error "SADB extra message?"
! 169: #endif
! 170: };
! 171:
! 172: static int addnewsp __P((caddr_t *, struct sockaddr *, struct sockaddr *));
! 173:
! 174: /* cope with old kame headers - ugly */
! 175: #ifndef SADB_X_AALG_MD5
! 176: #define SADB_X_AALG_MD5 SADB_AALG_MD5
! 177: #endif
! 178: #ifndef SADB_X_AALG_SHA
! 179: #define SADB_X_AALG_SHA SADB_AALG_SHA
! 180: #endif
! 181: #ifndef SADB_X_AALG_NULL
! 182: #define SADB_X_AALG_NULL SADB_AALG_NULL
! 183: #endif
! 184:
! 185: #ifndef SADB_X_EALG_BLOWFISHCBC
! 186: #define SADB_X_EALG_BLOWFISHCBC SADB_EALG_BLOWFISHCBC
! 187: #endif
! 188: #ifndef SADB_X_EALG_CAST128CBC
! 189: #define SADB_X_EALG_CAST128CBC SADB_EALG_CAST128CBC
! 190: #endif
! 191: #ifndef SADB_X_EALG_RC5CBC
! 192: #ifdef SADB_EALG_RC5CBC
! 193: #define SADB_X_EALG_RC5CBC SADB_EALG_RC5CBC
! 194: #endif
! 195: #endif
! 196:
! 197: /*
! 198: * PF_KEY packet handler
! 199: * 0: success
! 200: * -1: fail
! 201: */
! 202: static int
! 203: pfkey_handler(ctx, fd)
! 204: void *ctx;
! 205: int fd;
! 206: {
! 207: struct sadb_msg *msg;
! 208: int len;
! 209: caddr_t mhp[SADB_EXT_MAX + 1];
! 210: int error = -1;
! 211:
! 212: /* receive pfkey message. */
! 213: len = 0;
! 214: msg = (struct sadb_msg *) pk_recv(fd, &len);
! 215: if (msg == NULL) {
! 216: if (len < 0) {
! 217: /* do not report EAGAIN as error; well get
! 218: * called from main loop later. and it's normal
! 219: * when spd dump is received during reload and
! 220: * this function is called in loop. */
! 221: if (errno == EAGAIN)
! 222: goto end;
! 223:
! 224: plog(LLV_ERROR, LOCATION, NULL,
! 225: "failed to recv from pfkey (%s)\n",
! 226: strerror(errno));
! 227: goto end;
! 228: } else {
! 229: /* short message - msg not ready */
! 230: return 0;
! 231: }
! 232: }
! 233:
! 234: plog(LLV_DEBUG, LOCATION, NULL, "got pfkey %s message\n",
! 235: s_pfkey_type(msg->sadb_msg_type));
! 236: plogdump(LLV_DEBUG2, msg, msg->sadb_msg_len << 3);
! 237:
! 238: /* validity check */
! 239: if (msg->sadb_msg_errno) {
! 240: int pri;
! 241:
! 242: /* when SPD is empty, treat the state as no error. */
! 243: if (msg->sadb_msg_type == SADB_X_SPDDUMP &&
! 244: msg->sadb_msg_errno == ENOENT)
! 245: pri = LLV_DEBUG;
! 246: else
! 247: pri = LLV_ERROR;
! 248:
! 249: plog(pri, LOCATION, NULL,
! 250: "pfkey %s failed: %s\n",
! 251: s_pfkey_type(msg->sadb_msg_type),
! 252: strerror(msg->sadb_msg_errno));
! 253:
! 254: goto end;
! 255: }
! 256:
! 257: /* check pfkey message. */
! 258: if (pfkey_align(msg, mhp)) {
! 259: plog(LLV_ERROR, LOCATION, NULL,
! 260: "libipsec failed pfkey align (%s)\n",
! 261: ipsec_strerror());
! 262: goto end;
! 263: }
! 264: if (pfkey_check(mhp)) {
! 265: plog(LLV_ERROR, LOCATION, NULL,
! 266: "libipsec failed pfkey check (%s)\n",
! 267: ipsec_strerror());
! 268: goto end;
! 269: }
! 270: msg = (struct sadb_msg *)mhp[0];
! 271:
! 272: /* safety check */
! 273: if (msg->sadb_msg_type >= ARRAYLEN(pkrecvf)) {
! 274: plog(LLV_ERROR, LOCATION, NULL,
! 275: "unknown PF_KEY message type=%u\n",
! 276: msg->sadb_msg_type);
! 277: goto end;
! 278: }
! 279:
! 280: if (pkrecvf[msg->sadb_msg_type] == NULL) {
! 281: plog(LLV_INFO, LOCATION, NULL,
! 282: "unsupported PF_KEY message %s\n",
! 283: s_pfkey_type(msg->sadb_msg_type));
! 284: goto end;
! 285: }
! 286:
! 287: if ((pkrecvf[msg->sadb_msg_type])(mhp) < 0)
! 288: goto end;
! 289:
! 290: error = 1;
! 291: end:
! 292: if (msg)
! 293: racoon_free(msg);
! 294: return(error);
! 295: }
! 296:
! 297: /*
! 298: * dump SADB
! 299: */
! 300: vchar_t *
! 301: pfkey_dump_sadb(satype)
! 302: int satype;
! 303: {
! 304: int s;
! 305: vchar_t *buf = NULL;
! 306: pid_t pid = getpid();
! 307: struct sadb_msg *msg = NULL;
! 308: size_t bl, ml;
! 309: int len;
! 310: int bufsiz;
! 311:
! 312: if ((s = privsep_socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
! 313: plog(LLV_ERROR, LOCATION, NULL,
! 314: "libipsec failed pfkey open: %s\n",
! 315: ipsec_strerror());
! 316: return NULL;
! 317: }
! 318:
! 319: if ((bufsiz = pfkey_set_buffer_size(s, lcconf->pfkey_buffer_size)) < 0) {
! 320: plog(LLV_ERROR, LOCATION, NULL,
! 321: "libipsec failed pfkey set buffer size to %d: %s\n",
! 322: lcconf->pfkey_buffer_size, ipsec_strerror());
! 323: return NULL;
! 324: } else if (bufsiz < lcconf->pfkey_buffer_size) {
! 325: plog(LLV_WARNING, LOCATION, NULL,
! 326: "pfkey socket receive buffer set to %dKB, instead of %d\n",
! 327: bufsiz, lcconf->pfkey_buffer_size);
! 328: }
! 329:
! 330: plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_dump\n");
! 331: if (pfkey_send_dump(s, satype) < 0) {
! 332: plog(LLV_ERROR, LOCATION, NULL,
! 333: "libipsec failed dump: %s\n", ipsec_strerror());
! 334: goto fail;
! 335: }
! 336:
! 337: while (1) {
! 338: if (msg)
! 339: racoon_free(msg);
! 340: msg = pk_recv(s, &len);
! 341: if (msg == NULL) {
! 342: if (len < 0)
! 343: goto done;
! 344: else
! 345: continue;
! 346: }
! 347:
! 348: if (msg->sadb_msg_type != SADB_DUMP || msg->sadb_msg_pid != pid)
! 349: {
! 350: plog(LLV_DEBUG, LOCATION, NULL,
! 351: "discarding non-sadb dump msg %p, our pid=%i\n", msg, pid);
! 352: plog(LLV_DEBUG, LOCATION, NULL,
! 353: "type %i, pid %i\n", msg->sadb_msg_type, msg->sadb_msg_pid);
! 354: continue;
! 355: }
! 356:
! 357:
! 358: ml = msg->sadb_msg_len << 3;
! 359: bl = buf ? buf->l : 0;
! 360: buf = vrealloc(buf, bl + ml);
! 361: if (buf == NULL) {
! 362: plog(LLV_ERROR, LOCATION, NULL,
! 363: "failed to reallocate buffer to dump.\n");
! 364: goto fail;
! 365: }
! 366: memcpy(buf->v + bl, msg, ml);
! 367:
! 368: if (msg->sadb_msg_seq == 0)
! 369: break;
! 370: }
! 371: goto done;
! 372:
! 373: fail:
! 374: if (buf)
! 375: vfree(buf);
! 376: buf = NULL;
! 377: done:
! 378: if (msg)
! 379: racoon_free(msg);
! 380: close(s);
! 381: return buf;
! 382: }
! 383:
! 384: #ifdef ENABLE_ADMINPORT
! 385: /*
! 386: * flush SADB
! 387: */
! 388: void
! 389: pfkey_flush_sadb(proto)
! 390: u_int proto;
! 391: {
! 392: int satype;
! 393:
! 394: /* convert to SADB_SATYPE */
! 395: if ((satype = admin2pfkey_proto(proto)) < 0)
! 396: return;
! 397:
! 398: plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_flush\n");
! 399: if (pfkey_send_flush(lcconf->sock_pfkey, satype) < 0) {
! 400: plog(LLV_ERROR, LOCATION, NULL,
! 401: "libipsec failed send flush (%s)\n", ipsec_strerror());
! 402: return;
! 403: }
! 404:
! 405: return;
! 406: }
! 407: #endif
! 408:
! 409: /*
! 410: * These are the SATYPEs that we manage. We register to get
! 411: * PF_KEY messages related to these SATYPEs, and we also use
! 412: * this list to determine which SATYPEs to delete SAs for when
! 413: * we receive an INITIAL-CONTACT.
! 414: */
! 415: const struct pfkey_satype pfkey_satypes[] = {
! 416: { SADB_SATYPE_AH, "AH" },
! 417: { SADB_SATYPE_ESP, "ESP" },
! 418: { SADB_X_SATYPE_IPCOMP, "IPCOMP" },
! 419: };
! 420: const int pfkey_nsatypes =
! 421: sizeof(pfkey_satypes) / sizeof(pfkey_satypes[0]);
! 422:
! 423: /*
! 424: * PF_KEY initialization
! 425: */
! 426: int
! 427: pfkey_init()
! 428: {
! 429: int i, reg_fail;
! 430: int bufsiz;
! 431:
! 432: if ((lcconf->sock_pfkey = pfkey_open()) < 0) {
! 433: plog(LLV_ERROR, LOCATION, NULL,
! 434: "libipsec failed pfkey open (%s)\n", ipsec_strerror());
! 435: return -1;
! 436: }
! 437: if ((bufsiz = pfkey_set_buffer_size(lcconf->sock_pfkey,
! 438: lcconf->pfkey_buffer_size)) < 0) {
! 439: plog(LLV_ERROR, LOCATION, NULL,
! 440: "libipsec failed to set pfkey buffer size to %d (%s)\n",
! 441: lcconf->pfkey_buffer_size, ipsec_strerror());
! 442: return -1;
! 443: } else if (bufsiz < lcconf->pfkey_buffer_size) {
! 444: plog(LLV_WARNING, LOCATION, NULL,
! 445: "pfkey socket receive buffer set to %dKB, instead of %d\n",
! 446: bufsiz, lcconf->pfkey_buffer_size);
! 447: }
! 448:
! 449: if (fcntl(lcconf->sock_pfkey, F_SETFL, O_NONBLOCK) == -1)
! 450: plog(LLV_WARNING, LOCATION, NULL,
! 451: "failed to set the pfkey socket to NONBLOCK\n");
! 452:
! 453: for (i = 0, reg_fail = 0; i < pfkey_nsatypes; i++) {
! 454: plog(LLV_DEBUG, LOCATION, NULL,
! 455: "call pfkey_send_register for %s\n",
! 456: pfkey_satypes[i].ps_name);
! 457: if (pfkey_send_register(lcconf->sock_pfkey,
! 458: pfkey_satypes[i].ps_satype) < 0 ||
! 459: pfkey_recv_register(lcconf->sock_pfkey) < 0) {
! 460: plog(LLV_WARNING, LOCATION, NULL,
! 461: "failed to register %s (%s)\n",
! 462: pfkey_satypes[i].ps_name,
! 463: ipsec_strerror());
! 464: reg_fail++;
! 465: }
! 466: }
! 467:
! 468: if (reg_fail == pfkey_nsatypes) {
! 469: plog(LLV_ERROR, LOCATION, NULL,
! 470: "failed to regist any protocol.\n");
! 471: pfkey_close(lcconf->sock_pfkey);
! 472: return -1;
! 473: }
! 474:
! 475: initsp();
! 476:
! 477: if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) {
! 478: plog(LLV_ERROR, LOCATION, NULL,
! 479: "libipsec sending spddump failed: %s\n",
! 480: ipsec_strerror());
! 481: pfkey_close(lcconf->sock_pfkey);
! 482: return -1;
! 483: }
! 484: #if 0
! 485: if (pfkey_promisc_toggle(1) < 0) {
! 486: pfkey_close(lcconf->sock_pfkey);
! 487: return -1;
! 488: }
! 489: #endif
! 490: monitor_fd(lcconf->sock_pfkey, pfkey_handler, NULL, 0);
! 491: return 0;
! 492: }
! 493:
! 494: int
! 495: pfkey_reload()
! 496: {
! 497: flushsp();
! 498:
! 499: if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) {
! 500: plog(LLV_ERROR, LOCATION, NULL,
! 501: "libipsec sending spddump failed: %s\n",
! 502: ipsec_strerror());
! 503: return -1;
! 504: }
! 505:
! 506: while (pfkey_handler(NULL, lcconf->sock_pfkey) > 0)
! 507: continue;
! 508:
! 509: return 0;
! 510: }
! 511:
! 512: /* %%% for conversion */
! 513: /* IPSECDOI_ATTR_AUTH -> SADB_AALG */
! 514: static u_int
! 515: ipsecdoi2pfkey_aalg(hashtype)
! 516: u_int hashtype;
! 517: {
! 518: switch (hashtype) {
! 519: case IPSECDOI_ATTR_AUTH_HMAC_MD5:
! 520: return SADB_AALG_MD5HMAC;
! 521: case IPSECDOI_ATTR_AUTH_HMAC_SHA1:
! 522: return SADB_AALG_SHA1HMAC;
! 523: case IPSECDOI_ATTR_AUTH_HMAC_SHA2_256:
! 524: #if (defined SADB_X_AALG_SHA2_256) && !defined(SADB_X_AALG_SHA2_256HMAC)
! 525: return SADB_X_AALG_SHA2_256;
! 526: #else
! 527: return SADB_X_AALG_SHA2_256HMAC;
! 528: #endif
! 529: case IPSECDOI_ATTR_AUTH_HMAC_SHA2_384:
! 530: #if (defined SADB_X_AALG_SHA2_384) && !defined(SADB_X_AALG_SHA2_384HMAC)
! 531: return SADB_X_AALG_SHA2_384;
! 532: #else
! 533: return SADB_X_AALG_SHA2_384HMAC;
! 534: #endif
! 535: case IPSECDOI_ATTR_AUTH_HMAC_SHA2_512:
! 536: #if (defined SADB_X_AALG_SHA2_512) && !defined(SADB_X_AALG_SHA2_512HMAC)
! 537: return SADB_X_AALG_SHA2_512;
! 538: #else
! 539: return SADB_X_AALG_SHA2_512HMAC;
! 540: #endif
! 541: case IPSECDOI_ATTR_AUTH_KPDK: /* need special care */
! 542: return SADB_AALG_NONE;
! 543:
! 544: /* not supported */
! 545: case IPSECDOI_ATTR_AUTH_DES_MAC:
! 546: plog(LLV_ERROR, LOCATION, NULL,
! 547: "Not supported hash type: %u\n", hashtype);
! 548: return ~0;
! 549:
! 550: case 0: /* reserved */
! 551: default:
! 552: return SADB_AALG_NONE;
! 553:
! 554: plog(LLV_ERROR, LOCATION, NULL,
! 555: "Invalid hash type: %u\n", hashtype);
! 556: return ~0;
! 557: }
! 558: /*NOTREACHED*/
! 559: }
! 560:
! 561: /* IPSECDOI_ESP -> SADB_EALG */
! 562: static u_int
! 563: ipsecdoi2pfkey_ealg(t_id)
! 564: u_int t_id;
! 565: {
! 566: switch (t_id) {
! 567: case IPSECDOI_ESP_DES_IV64: /* sa_flags |= SADB_X_EXT_OLD */
! 568: return SADB_EALG_DESCBC;
! 569: case IPSECDOI_ESP_DES:
! 570: return SADB_EALG_DESCBC;
! 571: case IPSECDOI_ESP_3DES:
! 572: return SADB_EALG_3DESCBC;
! 573: #ifdef SADB_X_EALG_RC5CBC
! 574: case IPSECDOI_ESP_RC5:
! 575: return SADB_X_EALG_RC5CBC;
! 576: #endif
! 577: case IPSECDOI_ESP_CAST:
! 578: return SADB_X_EALG_CAST128CBC;
! 579: case IPSECDOI_ESP_BLOWFISH:
! 580: return SADB_X_EALG_BLOWFISHCBC;
! 581: case IPSECDOI_ESP_DES_IV32: /* flags |= (SADB_X_EXT_OLD|
! 582: SADB_X_EXT_IV4B)*/
! 583: return SADB_EALG_DESCBC;
! 584: case IPSECDOI_ESP_NULL:
! 585: return SADB_EALG_NULL;
! 586: #ifdef SADB_X_EALG_AESCBC
! 587: case IPSECDOI_ESP_AES:
! 588: return SADB_X_EALG_AESCBC;
! 589: #endif
! 590: #ifdef SADB_X_EALG_TWOFISHCBC
! 591: case IPSECDOI_ESP_TWOFISH:
! 592: return SADB_X_EALG_TWOFISHCBC;
! 593: #endif
! 594: #ifdef SADB_X_EALG_CAMELLIACBC
! 595: case IPSECDOI_ESP_CAMELLIA:
! 596: return SADB_X_EALG_CAMELLIACBC;
! 597: #endif
! 598:
! 599: /* not supported */
! 600: case IPSECDOI_ESP_3IDEA:
! 601: case IPSECDOI_ESP_IDEA:
! 602: case IPSECDOI_ESP_RC4:
! 603: plog(LLV_ERROR, LOCATION, NULL,
! 604: "Not supported transform: %u\n", t_id);
! 605: return ~0;
! 606:
! 607: case 0: /* reserved */
! 608: default:
! 609: plog(LLV_ERROR, LOCATION, NULL,
! 610: "Invalid transform id: %u\n", t_id);
! 611: return ~0;
! 612: }
! 613: /*NOTREACHED*/
! 614: }
! 615:
! 616: /* IPCOMP -> SADB_CALG */
! 617: static u_int
! 618: ipsecdoi2pfkey_calg(t_id)
! 619: u_int t_id;
! 620: {
! 621: switch (t_id) {
! 622: case IPSECDOI_IPCOMP_OUI:
! 623: return SADB_X_CALG_OUI;
! 624: case IPSECDOI_IPCOMP_DEFLATE:
! 625: return SADB_X_CALG_DEFLATE;
! 626: case IPSECDOI_IPCOMP_LZS:
! 627: return SADB_X_CALG_LZS;
! 628:
! 629: case 0: /* reserved */
! 630: default:
! 631: plog(LLV_ERROR, LOCATION, NULL,
! 632: "Invalid transform id: %u\n", t_id);
! 633: return ~0;
! 634: }
! 635: /*NOTREACHED*/
! 636: }
! 637:
! 638: /* IPSECDOI_PROTO -> SADB_SATYPE */
! 639: u_int
! 640: ipsecdoi2pfkey_proto(proto)
! 641: u_int proto;
! 642: {
! 643: switch (proto) {
! 644: case IPSECDOI_PROTO_IPSEC_AH:
! 645: return SADB_SATYPE_AH;
! 646: case IPSECDOI_PROTO_IPSEC_ESP:
! 647: return SADB_SATYPE_ESP;
! 648: case IPSECDOI_PROTO_IPCOMP:
! 649: return SADB_X_SATYPE_IPCOMP;
! 650:
! 651: default:
! 652: plog(LLV_ERROR, LOCATION, NULL,
! 653: "Invalid ipsec_doi proto: %u\n", proto);
! 654: return ~0;
! 655: }
! 656: /*NOTREACHED*/
! 657: }
! 658:
! 659: static u_int
! 660: ipsecdoi2pfkey_alg(algclass, type)
! 661: u_int algclass, type;
! 662: {
! 663: switch (algclass) {
! 664: case IPSECDOI_ATTR_AUTH:
! 665: return ipsecdoi2pfkey_aalg(type);
! 666: case IPSECDOI_PROTO_IPSEC_ESP:
! 667: return ipsecdoi2pfkey_ealg(type);
! 668: case IPSECDOI_PROTO_IPCOMP:
! 669: return ipsecdoi2pfkey_calg(type);
! 670: default:
! 671: plog(LLV_ERROR, LOCATION, NULL,
! 672: "Invalid ipsec_doi algclass: %u\n", algclass);
! 673: return ~0;
! 674: }
! 675: /*NOTREACHED*/
! 676: }
! 677:
! 678: /* SADB_SATYPE -> IPSECDOI_PROTO */
! 679: u_int
! 680: pfkey2ipsecdoi_proto(satype)
! 681: u_int satype;
! 682: {
! 683: switch (satype) {
! 684: case SADB_SATYPE_AH:
! 685: return IPSECDOI_PROTO_IPSEC_AH;
! 686: case SADB_SATYPE_ESP:
! 687: return IPSECDOI_PROTO_IPSEC_ESP;
! 688: case SADB_X_SATYPE_IPCOMP:
! 689: return IPSECDOI_PROTO_IPCOMP;
! 690:
! 691: default:
! 692: plog(LLV_ERROR, LOCATION, NULL,
! 693: "Invalid pfkey proto: %u\n", satype);
! 694: return ~0;
! 695: }
! 696: /*NOTREACHED*/
! 697: }
! 698:
! 699: /* IPSECDOI_ATTR_ENC_MODE -> IPSEC_MODE */
! 700: u_int
! 701: ipsecdoi2pfkey_mode(mode)
! 702: u_int mode;
! 703: {
! 704: switch (mode) {
! 705: case IPSECDOI_ATTR_ENC_MODE_TUNNEL:
! 706: #ifdef ENABLE_NATT
! 707: case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC:
! 708: case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT:
! 709: #endif
! 710: return IPSEC_MODE_TUNNEL;
! 711: case IPSECDOI_ATTR_ENC_MODE_TRNS:
! 712: #ifdef ENABLE_NATT
! 713: case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC:
! 714: case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT:
! 715: #endif
! 716: return IPSEC_MODE_TRANSPORT;
! 717: default:
! 718: plog(LLV_ERROR, LOCATION, NULL, "Invalid mode type: %u\n", mode);
! 719: return ~0;
! 720: }
! 721: /*NOTREACHED*/
! 722: }
! 723:
! 724: /* IPSECDOI_ATTR_ENC_MODE -> IPSEC_MODE */
! 725: u_int
! 726: pfkey2ipsecdoi_mode(mode)
! 727: u_int mode;
! 728: {
! 729: switch (mode) {
! 730: case IPSEC_MODE_TUNNEL:
! 731: return IPSECDOI_ATTR_ENC_MODE_TUNNEL;
! 732: case IPSEC_MODE_TRANSPORT:
! 733: return IPSECDOI_ATTR_ENC_MODE_TRNS;
! 734: case IPSEC_MODE_ANY:
! 735: return IPSECDOI_ATTR_ENC_MODE_ANY;
! 736: default:
! 737: plog(LLV_ERROR, LOCATION, NULL, "Invalid mode type: %u\n", mode);
! 738: return ~0;
! 739: }
! 740: /*NOTREACHED*/
! 741: }
! 742:
! 743: /* default key length for encryption algorithm */
! 744: static u_int
! 745: keylen_aalg(hashtype)
! 746: u_int hashtype;
! 747: {
! 748: int res;
! 749:
! 750: if (hashtype == 0)
! 751: return SADB_AALG_NONE;
! 752:
! 753: res = alg_ipsec_hmacdef_hashlen(hashtype);
! 754: if (res == -1) {
! 755: plog(LLV_ERROR, LOCATION, NULL,
! 756: "invalid hmac algorithm %u.\n", hashtype);
! 757: return ~0;
! 758: }
! 759: return res;
! 760: }
! 761:
! 762: /* default key length for encryption algorithm */
! 763: static u_int
! 764: keylen_ealg(enctype, encklen)
! 765: u_int enctype;
! 766: int encklen;
! 767: {
! 768: int res;
! 769:
! 770: res = alg_ipsec_encdef_keylen(enctype, encklen);
! 771: if (res == -1) {
! 772: plog(LLV_ERROR, LOCATION, NULL,
! 773: "invalid encryption algorithm %u.\n", enctype);
! 774: return ~0;
! 775: }
! 776: return res;
! 777: }
! 778:
! 779: void
! 780: pk_fixup_sa_addresses(mhp)
! 781: caddr_t *mhp;
! 782: {
! 783: struct sockaddr *src, *dst;
! 784:
! 785: src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
! 786: dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
! 787: set_port(src, PORT_ISAKMP);
! 788: set_port(dst, PORT_ISAKMP);
! 789:
! 790: #ifdef ENABLE_NATT
! 791: if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
! 792: /* NAT-T is enabled for this SADB entry; copy
! 793: * the ports from NAT-T extensions */
! 794: if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL)
! 795: set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
! 796: if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
! 797: set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
! 798: }
! 799: #endif
! 800: }
! 801:
! 802: int
! 803: pfkey_convertfromipsecdoi(proto_id, t_id, hashtype,
! 804: e_type, e_keylen, a_type, a_keylen, flags)
! 805: u_int proto_id;
! 806: u_int t_id;
! 807: u_int hashtype;
! 808: u_int *e_type;
! 809: u_int *e_keylen;
! 810: u_int *a_type;
! 811: u_int *a_keylen;
! 812: u_int *flags;
! 813: {
! 814: *flags = 0;
! 815: switch (proto_id) {
! 816: case IPSECDOI_PROTO_IPSEC_ESP:
! 817: if ((*e_type = ipsecdoi2pfkey_ealg(t_id)) == ~0)
! 818: goto bad;
! 819: if ((*e_keylen = keylen_ealg(t_id, *e_keylen)) == ~0)
! 820: goto bad;
! 821: *e_keylen >>= 3;
! 822:
! 823: if ((*a_type = ipsecdoi2pfkey_aalg(hashtype)) == ~0)
! 824: goto bad;
! 825: if ((*a_keylen = keylen_aalg(hashtype)) == ~0)
! 826: goto bad;
! 827: *a_keylen >>= 3;
! 828:
! 829: if (*e_type == SADB_EALG_NONE) {
! 830: plog(LLV_ERROR, LOCATION, NULL, "no ESP algorithm.\n");
! 831: goto bad;
! 832: }
! 833: break;
! 834:
! 835: case IPSECDOI_PROTO_IPSEC_AH:
! 836: if ((*a_type = ipsecdoi2pfkey_aalg(hashtype)) == ~0)
! 837: goto bad;
! 838: if ((*a_keylen = keylen_aalg(hashtype)) == ~0)
! 839: goto bad;
! 840: *a_keylen >>= 3;
! 841:
! 842: if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
! 843: && hashtype == IPSECDOI_ATTR_AUTH_KPDK) {
! 844: /* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */
! 845: *a_type = SADB_X_AALG_MD5;
! 846: *flags |= SADB_X_EXT_OLD;
! 847: }
! 848: *e_type = SADB_EALG_NONE;
! 849: *e_keylen = 0;
! 850: if (*a_type == SADB_AALG_NONE) {
! 851: plog(LLV_ERROR, LOCATION, NULL, "no AH algorithm.\n");
! 852: goto bad;
! 853: }
! 854: break;
! 855:
! 856: case IPSECDOI_PROTO_IPCOMP:
! 857: if ((*e_type = ipsecdoi2pfkey_calg(t_id)) == ~0)
! 858: goto bad;
! 859: *e_keylen = 0;
! 860:
! 861: *flags = SADB_X_EXT_RAWCPI;
! 862:
! 863: *a_type = SADB_AALG_NONE;
! 864: *a_keylen = 0;
! 865: if (*e_type == SADB_X_CALG_NONE) {
! 866: plog(LLV_ERROR, LOCATION, NULL, "no IPCOMP algorithm.\n");
! 867: goto bad;
! 868: }
! 869: break;
! 870:
! 871: default:
! 872: plog(LLV_ERROR, LOCATION, NULL, "unknown IPsec protocol.\n");
! 873: goto bad;
! 874: }
! 875:
! 876: return 0;
! 877:
! 878: bad:
! 879: errno = EINVAL;
! 880: return -1;
! 881: }
! 882:
! 883: /*%%%*/
! 884: /* send getspi message per ipsec protocol per remote address */
! 885: /*
! 886: * the local address and remote address in ph1handle are dealed
! 887: * with destination address and source address respectively.
! 888: * Because SPI is decided by responder.
! 889: */
! 890: int
! 891: pk_sendgetspi(iph2)
! 892: struct ph2handle *iph2;
! 893: {
! 894: struct sockaddr *src = NULL, *dst = NULL;
! 895: u_int satype, mode;
! 896: struct saprop *pp;
! 897: struct saproto *pr;
! 898: u_int32_t minspi, maxspi;
! 899: u_int8_t natt_type = 0;
! 900: u_int16_t sport = 0, dport = 0;
! 901:
! 902: if (iph2->side == INITIATOR)
! 903: pp = iph2->proposal;
! 904: else
! 905: pp = iph2->approval;
! 906:
! 907: if (iph2->sa_src && iph2->sa_dst) {
! 908: /* MIPv6: Use SA addresses, not IKE ones */
! 909: src = dupsaddr(iph2->sa_src);
! 910: dst = dupsaddr(iph2->sa_dst);
! 911: } else {
! 912: /* Common case: SA addresses and IKE ones are the same */
! 913: src = dupsaddr(iph2->src);
! 914: dst = dupsaddr(iph2->dst);
! 915: }
! 916:
! 917: if (src == NULL || dst == NULL) {
! 918: racoon_free(src);
! 919: racoon_free(dst);
! 920: return -1;
! 921: }
! 922:
! 923: for (pr = pp->head; pr != NULL; pr = pr->next) {
! 924:
! 925: /* validity check */
! 926: satype = ipsecdoi2pfkey_proto(pr->proto_id);
! 927: if (satype == ~0) {
! 928: plog(LLV_ERROR, LOCATION, NULL,
! 929: "invalid proto_id %d\n", pr->proto_id);
! 930: racoon_free(src);
! 931: racoon_free(dst);
! 932: return -1;
! 933: }
! 934: /* this works around a bug in Linux kernel where it allocates 4 byte
! 935: spi's for IPCOMP */
! 936: else if (satype == SADB_X_SATYPE_IPCOMP) {
! 937: minspi = 0x100;
! 938: maxspi = 0xffff;
! 939: }
! 940: else {
! 941: minspi = 0;
! 942: maxspi = 0;
! 943: }
! 944: mode = ipsecdoi2pfkey_mode(pr->encmode);
! 945: if (mode == ~0) {
! 946: plog(LLV_ERROR, LOCATION, NULL,
! 947: "invalid encmode %d\n", pr->encmode);
! 948: racoon_free(src);
! 949: racoon_free(dst);
! 950: return -1;
! 951: }
! 952:
! 953: #ifdef ENABLE_NATT
! 954: if (pr->udp_encap) {
! 955: natt_type = iph2->ph1->natt_options->encaps_type;
! 956: sport=extract_port(src);
! 957: dport=extract_port(dst);
! 958: }
! 959: #endif
! 960:
! 961: plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
! 962: if (pfkey_send_getspi_nat(
! 963: lcconf->sock_pfkey,
! 964: satype,
! 965: mode,
! 966: dst, /* src of SA */
! 967: src, /* dst of SA */
! 968: natt_type,
! 969: dport,
! 970: sport,
! 971: minspi, maxspi,
! 972: pr->reqid_in, iph2->seq) < 0) {
! 973: plog(LLV_ERROR, LOCATION, NULL,
! 974: "ipseclib failed send getspi (%s)\n",
! 975: ipsec_strerror());
! 976: racoon_free(src);
! 977: racoon_free(dst);
! 978: return -1;
! 979: }
! 980: plog(LLV_DEBUG, LOCATION, NULL,
! 981: "pfkey GETSPI sent: %s\n",
! 982: sadbsecas2str(dst, src, satype, 0, mode));
! 983: }
! 984:
! 985: racoon_free(src);
! 986: racoon_free(dst);
! 987: return 0;
! 988: }
! 989:
! 990: /*
! 991: * receive GETSPI from kernel.
! 992: */
! 993: static int
! 994: pk_recvgetspi(mhp)
! 995: caddr_t *mhp;
! 996: {
! 997: struct sadb_msg *msg;
! 998: struct sadb_sa *sa;
! 999: struct ph2handle *iph2;
! 1000: struct sockaddr *src, *dst;
! 1001: int proto_id;
! 1002: int allspiok, notfound;
! 1003: struct saprop *pp;
! 1004: struct saproto *pr;
! 1005:
! 1006: /* validity check */
! 1007: if (mhp[SADB_EXT_SA] == NULL
! 1008: || mhp[SADB_EXT_ADDRESS_DST] == NULL
! 1009: || mhp[SADB_EXT_ADDRESS_SRC] == NULL) {
! 1010: plog(LLV_ERROR, LOCATION, NULL,
! 1011: "inappropriate sadb getspi message passed.\n");
! 1012: return -1;
! 1013: }
! 1014: msg = (struct sadb_msg *)mhp[0];
! 1015: sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
! 1016: pk_fixup_sa_addresses(mhp);
! 1017: dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); /* note SA dir */
! 1018: src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
! 1019:
! 1020: /* the message has to be processed or not ? */
! 1021: if (msg->sadb_msg_pid != getpid()) {
! 1022: plog(LLV_DEBUG, LOCATION, NULL,
! 1023: "%s message is not interesting "
! 1024: "because pid %d is not mine.\n",
! 1025: s_pfkey_type(msg->sadb_msg_type),
! 1026: msg->sadb_msg_pid);
! 1027: return -1;
! 1028: }
! 1029:
! 1030: iph2 = getph2byseq(msg->sadb_msg_seq);
! 1031: if (iph2 == NULL) {
! 1032: plog(LLV_DEBUG, LOCATION, NULL,
! 1033: "seq %d of %s message not interesting.\n",
! 1034: msg->sadb_msg_seq,
! 1035: s_pfkey_type(msg->sadb_msg_type));
! 1036: return -1;
! 1037: }
! 1038:
! 1039: if (iph2->status != PHASE2ST_GETSPISENT) {
! 1040: plog(LLV_ERROR, LOCATION, NULL,
! 1041: "status mismatch (db:%d msg:%d)\n",
! 1042: iph2->status, PHASE2ST_GETSPISENT);
! 1043: return -1;
! 1044: }
! 1045:
! 1046: /* set SPI, and check to get all spi whether or not */
! 1047: allspiok = 1;
! 1048: notfound = 1;
! 1049: proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
! 1050: pp = iph2->side == INITIATOR ? iph2->proposal : iph2->approval;
! 1051:
! 1052: for (pr = pp->head; pr != NULL; pr = pr->next) {
! 1053: if (pr->proto_id == proto_id && pr->spi == 0) {
! 1054: pr->spi = sa->sadb_sa_spi;
! 1055: notfound = 0;
! 1056: plog(LLV_DEBUG, LOCATION, NULL,
! 1057: "pfkey GETSPI succeeded: %s\n",
! 1058: sadbsecas2str(dst, src,
! 1059: msg->sadb_msg_satype,
! 1060: sa->sadb_sa_spi,
! 1061: ipsecdoi2pfkey_mode(pr->encmode)));
! 1062: }
! 1063: if (pr->spi == 0)
! 1064: allspiok = 0; /* not get all spi */
! 1065: }
! 1066:
! 1067: if (notfound) {
! 1068: plog(LLV_ERROR, LOCATION, NULL,
! 1069: "get spi for unknown address %s\n",
! 1070: saddrwop2str(dst));
! 1071: return -1;
! 1072: }
! 1073:
! 1074: if (allspiok) {
! 1075: /* update status */
! 1076: iph2->status = PHASE2ST_GETSPIDONE;
! 1077: if (isakmp_post_getspi(iph2) < 0) {
! 1078: plog(LLV_ERROR, LOCATION, NULL,
! 1079: "failed to start post getspi.\n");
! 1080: remph2(iph2);
! 1081: delph2(iph2);
! 1082: iph2 = NULL;
! 1083: return -1;
! 1084: }
! 1085: }
! 1086:
! 1087: return 0;
! 1088: }
! 1089:
! 1090: /*
! 1091: * set inbound SA
! 1092: */
! 1093: int
! 1094: pk_sendupdate(iph2)
! 1095: struct ph2handle *iph2;
! 1096: {
! 1097: struct saproto *pr;
! 1098: struct pfkey_send_sa_args sa_args;
! 1099:
! 1100: /* sanity check */
! 1101: if (iph2->approval == NULL) {
! 1102: plog(LLV_ERROR, LOCATION, NULL,
! 1103: "no approvaled SAs found.\n");
! 1104: return -1;
! 1105: }
! 1106:
! 1107: /* fill in some needed for pfkey_send_update2 */
! 1108: memset (&sa_args, 0, sizeof (sa_args));
! 1109: sa_args.so = lcconf->sock_pfkey;
! 1110: if (iph2->lifetime_secs)
! 1111: sa_args.l_addtime = iph2->lifetime_secs;
! 1112: else
! 1113: sa_args.l_addtime = iph2->approval->lifetime;
! 1114: sa_args.seq = iph2->seq;
! 1115: sa_args.wsize = 4;
! 1116:
! 1117: if (iph2->sa_src && iph2->sa_dst) {
! 1118: /* MIPv6: Use SA addresses, not IKE ones */
! 1119: sa_args.dst = dupsaddr(iph2->sa_src);
! 1120: sa_args.src = dupsaddr(iph2->sa_dst);
! 1121: } else {
! 1122: /* Common case: SA addresses and IKE ones are the same */
! 1123: sa_args.dst = dupsaddr(iph2->src);
! 1124: sa_args.src = dupsaddr(iph2->dst);
! 1125: }
! 1126:
! 1127: if (sa_args.src == NULL || sa_args.dst == NULL) {
! 1128: racoon_free(sa_args.src);
! 1129: racoon_free(sa_args.dst);
! 1130: return -1;
! 1131: }
! 1132:
! 1133: for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
! 1134: /* validity check */
! 1135: sa_args.satype = ipsecdoi2pfkey_proto(pr->proto_id);
! 1136: if (sa_args.satype == ~0) {
! 1137: plog(LLV_ERROR, LOCATION, NULL,
! 1138: "invalid proto_id %d\n", pr->proto_id);
! 1139: racoon_free(sa_args.src);
! 1140: racoon_free(sa_args.dst);
! 1141: return -1;
! 1142: }
! 1143: else if (sa_args.satype == SADB_X_SATYPE_IPCOMP) {
! 1144: /* IPCOMP has no replay window */
! 1145: sa_args.wsize = 0;
! 1146: }
! 1147: #ifdef ENABLE_SAMODE_UNSPECIFIED
! 1148: sa_args.mode = IPSEC_MODE_ANY;
! 1149: #else
! 1150: sa_args.mode = ipsecdoi2pfkey_mode(pr->encmode);
! 1151: if (sa_args.mode == ~0) {
! 1152: plog(LLV_ERROR, LOCATION, NULL,
! 1153: "invalid encmode %d\n", pr->encmode);
! 1154: racoon_free(sa_args.src);
! 1155: racoon_free(sa_args.dst);
! 1156: return -1;
! 1157: }
! 1158: #endif
! 1159: /* set algorithm type and key length */
! 1160: sa_args.e_keylen = pr->head->encklen;
! 1161: if (pfkey_convertfromipsecdoi(
! 1162: pr->proto_id,
! 1163: pr->head->trns_id,
! 1164: pr->head->authtype,
! 1165: &sa_args.e_type, &sa_args.e_keylen,
! 1166: &sa_args.a_type, &sa_args.a_keylen,
! 1167: &sa_args.flags) < 0){
! 1168: racoon_free(sa_args.src);
! 1169: racoon_free(sa_args.dst);
! 1170: return -1;
! 1171: }
! 1172:
! 1173: #if 0
! 1174: sa_args.l_bytes = iph2->approval->lifebyte * 1024,
! 1175: #else
! 1176: sa_args.l_bytes = 0;
! 1177: #endif
! 1178:
! 1179: #ifdef HAVE_SECCTX
! 1180: if (*iph2->approval->sctx.ctx_str) {
! 1181: sa_args.ctxdoi = iph2->approval->sctx.ctx_doi;
! 1182: sa_args.ctxalg = iph2->approval->sctx.ctx_alg;
! 1183: sa_args.ctxstrlen = iph2->approval->sctx.ctx_strlen;
! 1184: sa_args.ctxstr = iph2->approval->sctx.ctx_str;
! 1185: }
! 1186: #endif /* HAVE_SECCTX */
! 1187:
! 1188: #ifdef ENABLE_NATT
! 1189: if (pr->udp_encap) {
! 1190: sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type;
! 1191: sa_args.l_natt_sport = extract_port(iph2->ph1->remote);
! 1192: sa_args.l_natt_dport = extract_port(iph2->ph1->local);
! 1193: sa_args.l_natt_oa = iph2->natoa_src;
! 1194: #ifdef SADB_X_EXT_NAT_T_FRAG
! 1195: sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
! 1196: #endif
! 1197: }
! 1198: #endif
! 1199:
! 1200: /* more info to fill in */
! 1201: sa_args.spi = pr->spi;
! 1202: sa_args.reqid = pr->reqid_in;
! 1203: sa_args.keymat = pr->keymat->v;
! 1204:
! 1205: plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update2\n");
! 1206: if (pfkey_send_update2(&sa_args) < 0) {
! 1207: plog(LLV_ERROR, LOCATION, NULL,
! 1208: "libipsec failed send update (%s)\n",
! 1209: ipsec_strerror());
! 1210: racoon_free(sa_args.src);
! 1211: racoon_free(sa_args.dst);
! 1212: return -1;
! 1213: }
! 1214:
! 1215: if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
! 1216: continue;
! 1217:
! 1218: /*
! 1219: * It maybe good idea to call backupsa_to_file() after
! 1220: * racoon will receive the sadb_update messages.
! 1221: * But it is impossible because there is not key in the
! 1222: * information from the kernel.
! 1223: */
! 1224:
! 1225: /* change some things before backing up */
! 1226: sa_args.wsize = 4;
! 1227: sa_args.l_bytes = iph2->approval->lifebyte * 1024;
! 1228:
! 1229: if (backupsa_to_file(&sa_args) < 0) {
! 1230: plog(LLV_ERROR, LOCATION, NULL,
! 1231: "backuped SA failed: %s\n",
! 1232: sadbsecas2str(sa_args.src, sa_args.dst,
! 1233: sa_args.satype, sa_args.spi, sa_args.mode));
! 1234: }
! 1235: plog(LLV_DEBUG, LOCATION, NULL,
! 1236: "backuped SA: %s\n",
! 1237: sadbsecas2str(sa_args.src, sa_args.dst,
! 1238: sa_args.satype, sa_args.spi, sa_args.mode));
! 1239: }
! 1240:
! 1241: racoon_free(sa_args.src);
! 1242: racoon_free(sa_args.dst);
! 1243: return 0;
! 1244: }
! 1245:
! 1246: static int
! 1247: pk_recvupdate(mhp)
! 1248: caddr_t *mhp;
! 1249: {
! 1250: struct sadb_msg *msg;
! 1251: struct sadb_sa *sa;
! 1252: struct sockaddr *src, *dst;
! 1253: struct ph2handle *iph2;
! 1254: u_int proto_id, encmode, sa_mode;
! 1255: int incomplete = 0;
! 1256: struct saproto *pr;
! 1257:
! 1258: /* ignore this message because of local test mode. */
! 1259: if (f_local)
! 1260: return 0;
! 1261:
! 1262: /* sanity check */
! 1263: if (mhp[0] == NULL
! 1264: || mhp[SADB_EXT_SA] == NULL
! 1265: || mhp[SADB_EXT_ADDRESS_SRC] == NULL
! 1266: || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
! 1267: plog(LLV_ERROR, LOCATION, NULL,
! 1268: "inappropriate sadb update message passed.\n");
! 1269: return -1;
! 1270: }
! 1271: msg = (struct sadb_msg *)mhp[0];
! 1272: pk_fixup_sa_addresses(mhp);
! 1273: src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
! 1274: dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
! 1275: sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
! 1276:
! 1277: sa_mode = mhp[SADB_X_EXT_SA2] == NULL
! 1278: ? IPSEC_MODE_ANY
! 1279: : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
! 1280:
! 1281: /* the message has to be processed or not ? */
! 1282: if (msg->sadb_msg_pid != getpid()) {
! 1283: plog(LLV_DEBUG, LOCATION, NULL,
! 1284: "%s message is not interesting "
! 1285: "because pid %d is not mine.\n",
! 1286: s_pfkey_type(msg->sadb_msg_type),
! 1287: msg->sadb_msg_pid);
! 1288: return -1;
! 1289: }
! 1290:
! 1291: iph2 = getph2byseq(msg->sadb_msg_seq);
! 1292: if (iph2 == NULL) {
! 1293: plog(LLV_DEBUG, LOCATION, NULL,
! 1294: "seq %d of %s message not interesting.\n",
! 1295: msg->sadb_msg_seq,
! 1296: s_pfkey_type(msg->sadb_msg_type));
! 1297: return -1;
! 1298: }
! 1299:
! 1300: if (iph2->status != PHASE2ST_ADDSA) {
! 1301: plog(LLV_ERROR, LOCATION, NULL,
! 1302: "status mismatch (db:%d msg:%d)\n",
! 1303: iph2->status, PHASE2ST_ADDSA);
! 1304: return -1;
! 1305: }
! 1306:
! 1307: /* check to complete all keys ? */
! 1308: for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
! 1309: proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
! 1310: if (proto_id == ~0) {
! 1311: plog(LLV_ERROR, LOCATION, NULL,
! 1312: "invalid proto_id %d\n", msg->sadb_msg_satype);
! 1313: return -1;
! 1314: }
! 1315: encmode = pfkey2ipsecdoi_mode(sa_mode);
! 1316: if (encmode == ~0) {
! 1317: plog(LLV_ERROR, LOCATION, NULL,
! 1318: "invalid encmode %d\n", sa_mode);
! 1319: return -1;
! 1320: }
! 1321:
! 1322: if (pr->proto_id == proto_id
! 1323: && pr->spi == sa->sadb_sa_spi) {
! 1324: pr->ok = 1;
! 1325: plog(LLV_DEBUG, LOCATION, NULL,
! 1326: "pfkey UPDATE succeeded: %s\n",
! 1327: sadbsecas2str(dst, src,
! 1328: msg->sadb_msg_satype,
! 1329: sa->sadb_sa_spi,
! 1330: sa_mode));
! 1331:
! 1332: plog(LLV_INFO, LOCATION, NULL,
! 1333: "IPsec-SA established: %s\n",
! 1334: sadbsecas2str(dst, src,
! 1335: msg->sadb_msg_satype, sa->sadb_sa_spi,
! 1336: sa_mode));
! 1337: }
! 1338:
! 1339: if (pr->ok == 0)
! 1340: incomplete = 1;
! 1341: }
! 1342:
! 1343: if (incomplete)
! 1344: return 0;
! 1345:
! 1346: /* turn off the timer for calling pfkey_timeover() */
! 1347: sched_cancel(&iph2->sce);
! 1348:
! 1349: /* update status */
! 1350: iph2->status = PHASE2ST_ESTABLISHED;
! 1351: evt_phase2(iph2, EVT_PHASE2_UP, NULL);
! 1352:
! 1353: #ifdef ENABLE_STATS
! 1354: gettimeofday(&iph2->end, NULL);
! 1355: syslog(LOG_NOTICE, "%s(%s): %8.6f",
! 1356: "phase2", "quick", timedelta(&iph2->start, &iph2->end));
! 1357: #endif
! 1358:
! 1359: /* turn off schedule */
! 1360: sched_cancel(&iph2->scr);
! 1361:
! 1362: /*
! 1363: * since we are going to reuse the phase2 handler, we need to
! 1364: * remain it and refresh all the references between ph1 and ph2 to use.
! 1365: */
! 1366: sched_schedule(&iph2->sce, iph2->approval->lifetime,
! 1367: isakmp_ph2expire_stub);
! 1368:
! 1369: plog(LLV_DEBUG, LOCATION, NULL, "===\n");
! 1370: return 0;
! 1371: }
! 1372:
! 1373: /*
! 1374: * set outbound SA
! 1375: */
! 1376: int
! 1377: pk_sendadd(iph2)
! 1378: struct ph2handle *iph2;
! 1379: {
! 1380: struct saproto *pr;
! 1381: struct pfkey_send_sa_args sa_args;
! 1382:
! 1383: /* sanity check */
! 1384: if (iph2->approval == NULL) {
! 1385: plog(LLV_ERROR, LOCATION, NULL,
! 1386: "no approvaled SAs found.\n");
! 1387: return -1;
! 1388: }
! 1389:
! 1390: /* fill in some needed for pfkey_send_update2 */
! 1391: memset (&sa_args, 0, sizeof (sa_args));
! 1392: sa_args.so = lcconf->sock_pfkey;
! 1393: if (iph2->lifetime_secs)
! 1394: sa_args.l_addtime = iph2->lifetime_secs;
! 1395: else
! 1396: sa_args.l_addtime = iph2->approval->lifetime;
! 1397: sa_args.seq = iph2->seq;
! 1398: sa_args.wsize = 4;
! 1399:
! 1400: if (iph2->sa_src && iph2->sa_dst) {
! 1401: /* MIPv6: Use SA addresses, not IKE ones */
! 1402: sa_args.src = dupsaddr(iph2->sa_src);
! 1403: sa_args.dst = dupsaddr(iph2->sa_dst);
! 1404: } else {
! 1405: /* Common case: SA addresses and IKE ones are the same */
! 1406: sa_args.src = dupsaddr(iph2->src);
! 1407: sa_args.dst = dupsaddr(iph2->dst);
! 1408: }
! 1409:
! 1410: if (sa_args.src == NULL || sa_args.dst == NULL) {
! 1411: racoon_free(sa_args.src);
! 1412: racoon_free(sa_args.dst);
! 1413: return -1;
! 1414: }
! 1415:
! 1416: for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
! 1417: /* validity check */
! 1418: sa_args.satype = ipsecdoi2pfkey_proto(pr->proto_id);
! 1419: if (sa_args.satype == ~0) {
! 1420: plog(LLV_ERROR, LOCATION, NULL,
! 1421: "invalid proto_id %d\n", pr->proto_id);
! 1422: racoon_free(sa_args.src);
! 1423: racoon_free(sa_args.dst);
! 1424: return -1;
! 1425: }
! 1426: else if (sa_args.satype == SADB_X_SATYPE_IPCOMP) {
! 1427: /* no replay window for IPCOMP */
! 1428: sa_args.wsize = 0;
! 1429: }
! 1430: #ifdef ENABLE_SAMODE_UNSPECIFIED
! 1431: sa_args.mode = IPSEC_MODE_ANY;
! 1432: #else
! 1433: sa_args.mode = ipsecdoi2pfkey_mode(pr->encmode);
! 1434: if (sa_args.mode == ~0) {
! 1435: plog(LLV_ERROR, LOCATION, NULL,
! 1436: "invalid encmode %d\n", pr->encmode);
! 1437: racoon_free(sa_args.src);
! 1438: racoon_free(sa_args.dst);
! 1439: return -1;
! 1440: }
! 1441: #endif
! 1442:
! 1443: /* set algorithm type and key length */
! 1444: sa_args.e_keylen = pr->head->encklen;
! 1445: if (pfkey_convertfromipsecdoi(
! 1446: pr->proto_id,
! 1447: pr->head->trns_id,
! 1448: pr->head->authtype,
! 1449: &sa_args.e_type, &sa_args.e_keylen,
! 1450: &sa_args.a_type, &sa_args.a_keylen,
! 1451: &sa_args.flags) < 0){
! 1452: racoon_free(sa_args.src);
! 1453: racoon_free(sa_args.dst);
! 1454: return -1;
! 1455: }
! 1456:
! 1457: #if 0
! 1458: sa_args.l_bytes = iph2->approval->lifebyte * 1024,
! 1459: #else
! 1460: sa_args.l_bytes = 0;
! 1461: #endif
! 1462:
! 1463: #ifdef HAVE_SECCTX
! 1464: if (*iph2->approval->sctx.ctx_str) {
! 1465: sa_args.ctxdoi = iph2->approval->sctx.ctx_doi;
! 1466: sa_args.ctxalg = iph2->approval->sctx.ctx_alg;
! 1467: sa_args.ctxstrlen = iph2->approval->sctx.ctx_strlen;
! 1468: sa_args.ctxstr = iph2->approval->sctx.ctx_str;
! 1469: }
! 1470: #endif /* HAVE_SECCTX */
! 1471:
! 1472: #ifdef ENABLE_NATT
! 1473: plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add2 "
! 1474: "(NAT flavor)\n");
! 1475:
! 1476: if (pr->udp_encap) {
! 1477: sa_args.l_natt_type = UDP_ENCAP_ESPINUDP;
! 1478: sa_args.l_natt_sport = extract_port(iph2->ph1->local);
! 1479: sa_args.l_natt_dport = extract_port(iph2->ph1->remote);
! 1480: sa_args.l_natt_oa = iph2->natoa_dst;
! 1481: #ifdef SADB_X_EXT_NAT_T_FRAG
! 1482: sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
! 1483: #endif
! 1484: }
! 1485: #endif
! 1486: /* more info to fill in */
! 1487: sa_args.spi = pr->spi_p;
! 1488: sa_args.reqid = pr->reqid_out;
! 1489: sa_args.keymat = pr->keymat_p->v;
! 1490:
! 1491: plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add2\n");
! 1492: if (pfkey_send_add2(&sa_args) < 0) {
! 1493: plog(LLV_ERROR, LOCATION, NULL,
! 1494: "libipsec failed send add (%s)\n",
! 1495: ipsec_strerror());
! 1496: racoon_free(sa_args.src);
! 1497: racoon_free(sa_args.dst);
! 1498: return -1;
! 1499: }
! 1500:
! 1501: if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
! 1502: continue;
! 1503:
! 1504: /*
! 1505: * It maybe good idea to call backupsa_to_file() after
! 1506: * racoon will receive the sadb_update messages.
! 1507: * But it is impossible because there is not key in the
! 1508: * information from the kernel.
! 1509: */
! 1510: if (backupsa_to_file(&sa_args) < 0) {
! 1511: plog(LLV_ERROR, LOCATION, NULL,
! 1512: "backuped SA failed: %s\n",
! 1513: sadbsecas2str(sa_args.src, sa_args.dst,
! 1514: sa_args.satype, sa_args.spi, sa_args.mode));
! 1515: }
! 1516: plog(LLV_DEBUG, LOCATION, NULL,
! 1517: "backuped SA: %s\n",
! 1518: sadbsecas2str(sa_args.src, sa_args.dst,
! 1519: sa_args.satype, sa_args.spi, sa_args.mode));
! 1520: }
! 1521: racoon_free(sa_args.src);
! 1522: racoon_free(sa_args.dst);
! 1523: return 0;
! 1524: }
! 1525:
! 1526: static int
! 1527: pk_recvadd(mhp)
! 1528: caddr_t *mhp;
! 1529: {
! 1530: struct sadb_msg *msg;
! 1531: struct sadb_sa *sa;
! 1532: struct sockaddr *src, *dst;
! 1533: struct ph2handle *iph2;
! 1534: u_int sa_mode;
! 1535:
! 1536: /* ignore this message because of local test mode. */
! 1537: if (f_local)
! 1538: return 0;
! 1539:
! 1540: /* sanity check */
! 1541: if (mhp[0] == NULL
! 1542: || mhp[SADB_EXT_SA] == NULL
! 1543: || mhp[SADB_EXT_ADDRESS_SRC] == NULL
! 1544: || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
! 1545: plog(LLV_ERROR, LOCATION, NULL,
! 1546: "inappropriate sadb add message passed.\n");
! 1547: return -1;
! 1548: }
! 1549: msg = (struct sadb_msg *)mhp[0];
! 1550: pk_fixup_sa_addresses(mhp);
! 1551: src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
! 1552: dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
! 1553: sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
! 1554:
! 1555: sa_mode = mhp[SADB_X_EXT_SA2] == NULL
! 1556: ? IPSEC_MODE_ANY
! 1557: : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
! 1558:
! 1559: /* the message has to be processed or not ? */
! 1560: if (msg->sadb_msg_pid != getpid()) {
! 1561: plog(LLV_DEBUG, LOCATION, NULL,
! 1562: "%s message is not interesting "
! 1563: "because pid %d is not mine.\n",
! 1564: s_pfkey_type(msg->sadb_msg_type),
! 1565: msg->sadb_msg_pid);
! 1566: return -1;
! 1567: }
! 1568:
! 1569: iph2 = getph2byseq(msg->sadb_msg_seq);
! 1570: if (iph2 == NULL) {
! 1571: plog(LLV_DEBUG, LOCATION, NULL,
! 1572: "seq %d of %s message not interesting.\n",
! 1573: msg->sadb_msg_seq,
! 1574: s_pfkey_type(msg->sadb_msg_type));
! 1575: return -1;
! 1576: }
! 1577:
! 1578: /*
! 1579: * NOTE don't update any status of phase2 handle
! 1580: * because they must be updated by SADB_UPDATE message
! 1581: */
! 1582:
! 1583: plog(LLV_INFO, LOCATION, NULL,
! 1584: "IPsec-SA established: %s\n",
! 1585: sadbsecas2str(src, dst,
! 1586: msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode));
! 1587:
! 1588: plog(LLV_DEBUG, LOCATION, NULL, "===\n");
! 1589: return 0;
! 1590: }
! 1591:
! 1592: static int
! 1593: pk_recvexpire(mhp)
! 1594: caddr_t *mhp;
! 1595: {
! 1596: struct sadb_msg *msg;
! 1597: struct sadb_sa *sa;
! 1598: struct sockaddr *src, *dst;
! 1599: struct ph2handle *iph2;
! 1600: u_int proto_id, sa_mode;
! 1601:
! 1602: /* sanity check */
! 1603: if (mhp[0] == NULL
! 1604: || mhp[SADB_EXT_SA] == NULL
! 1605: || mhp[SADB_EXT_ADDRESS_SRC] == NULL
! 1606: || mhp[SADB_EXT_ADDRESS_DST] == NULL
! 1607: || (mhp[SADB_EXT_LIFETIME_HARD] != NULL
! 1608: && mhp[SADB_EXT_LIFETIME_SOFT] != NULL)) {
! 1609: plog(LLV_ERROR, LOCATION, NULL,
! 1610: "inappropriate sadb expire message passed.\n");
! 1611: return -1;
! 1612: }
! 1613: msg = (struct sadb_msg *)mhp[0];
! 1614: sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
! 1615: pk_fixup_sa_addresses(mhp);
! 1616: src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
! 1617: dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
! 1618:
! 1619: sa_mode = mhp[SADB_X_EXT_SA2] == NULL
! 1620: ? IPSEC_MODE_ANY
! 1621: : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
! 1622:
! 1623: proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
! 1624: if (proto_id == ~0) {
! 1625: plog(LLV_ERROR, LOCATION, NULL,
! 1626: "invalid proto_id %d\n", msg->sadb_msg_satype);
! 1627: return -1;
! 1628: }
! 1629:
! 1630: plog(LLV_INFO, LOCATION, NULL,
! 1631: "IPsec-SA expired: %s\n",
! 1632: sadbsecas2str(src, dst,
! 1633: msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode));
! 1634:
! 1635: iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
! 1636: if (iph2 == NULL) {
! 1637: /*
! 1638: * Ignore it because two expire messages are come up.
! 1639: * phase2 handler has been deleted already when 2nd message
! 1640: * is received.
! 1641: */
! 1642: plog(LLV_DEBUG, LOCATION, NULL,
! 1643: "no such a SA found: %s\n",
! 1644: sadbsecas2str(src, dst,
! 1645: msg->sadb_msg_satype, sa->sadb_sa_spi,
! 1646: sa_mode));
! 1647: return 0;
! 1648: }
! 1649:
! 1650: /* resent expiry message? */
! 1651: if (iph2->status > PHASE2ST_ESTABLISHED)
! 1652: return 0;
! 1653:
! 1654: /* still negotiating? */
! 1655: if (iph2->status < PHASE2ST_ESTABLISHED) {
! 1656: /* not a hard timeout? */
! 1657: if (mhp[SADB_EXT_LIFETIME_HARD] == NULL)
! 1658: return 0;
! 1659:
! 1660: /*
! 1661: * We were negotiating for that SA (w/o much success
! 1662: * from current status) and kernel has decided our time
! 1663: * is over trying (xfrm_larval_drop controls that and
! 1664: * is enabled by default on Linux >= 2.6.28 kernels).
! 1665: */
! 1666: plog(LLV_WARNING, LOCATION, NULL,
! 1667: "PF_KEY EXPIRE message received from kernel for SA"
! 1668: " being negotiated. Stopping negotiation.\n");
! 1669: }
! 1670:
! 1671: /* turn off the timer for calling isakmp_ph2expire() */
! 1672: sched_cancel(&iph2->sce);
! 1673:
! 1674: if (iph2->status == PHASE2ST_ESTABLISHED &&
! 1675: iph2->side == INITIATOR) {
! 1676: struct ph1handle *iph1hint;
! 1677: /*
! 1678: * Active phase 2 expired and we were initiator.
! 1679: * Begin new phase 2 exchange, so we can keep on sending
! 1680: * traffic.
! 1681: */
! 1682:
! 1683: /* update status for re-use */
! 1684: iph1hint = iph2->ph1;
! 1685: initph2(iph2);
! 1686: iph2->status = PHASE2ST_STATUS2;
! 1687:
! 1688: /* start quick exchange */
! 1689: if (isakmp_post_acquire(iph2, iph1hint, FALSE) < 0) {
! 1690: plog(LLV_ERROR, LOCATION, iph2->dst,
! 1691: "failed to begin ipsec sa "
! 1692: "re-negotication.\n");
! 1693: remph2(iph2);
! 1694: delph2(iph2);
! 1695: return -1;
! 1696: }
! 1697:
! 1698: return 0;
! 1699: }
! 1700:
! 1701: /*
! 1702: * We are responder or the phase 2 was not established.
! 1703: * Just remove the ph2handle to reflect SADB.
! 1704: */
! 1705: iph2->status = PHASE2ST_EXPIRED;
! 1706: remph2(iph2);
! 1707: delph2(iph2);
! 1708:
! 1709: return 0;
! 1710: }
! 1711:
! 1712: static int
! 1713: pk_recvacquire(mhp)
! 1714: caddr_t *mhp;
! 1715: {
! 1716: struct sadb_msg *msg;
! 1717: struct sadb_x_policy *xpl;
! 1718: struct secpolicy *sp_out = NULL, *sp_in = NULL;
! 1719: struct ph2handle *iph2;
! 1720: struct sockaddr *src, *dst; /* IKE addresses (for exchanges) */
! 1721: struct sockaddr *sp_src, *sp_dst; /* SP addresses (selectors). */
! 1722: struct sockaddr *sa_src = NULL, *sa_dst = NULL ; /* SA addresses */
! 1723: #ifdef HAVE_SECCTX
! 1724: struct sadb_x_sec_ctx *m_sec_ctx;
! 1725: #endif /* HAVE_SECCTX */
! 1726: struct policyindex spidx;
! 1727:
! 1728: /* ignore this message because of local test mode. */
! 1729: if (f_local)
! 1730: return 0;
! 1731:
! 1732: /* sanity check */
! 1733: if (mhp[0] == NULL
! 1734: || mhp[SADB_EXT_ADDRESS_SRC] == NULL
! 1735: || mhp[SADB_EXT_ADDRESS_DST] == NULL
! 1736: || mhp[SADB_X_EXT_POLICY] == NULL) {
! 1737: plog(LLV_ERROR, LOCATION, NULL,
! 1738: "inappropriate sadb acquire message passed.\n");
! 1739: return -1;
! 1740: }
! 1741: msg = (struct sadb_msg *)mhp[0];
! 1742: xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
! 1743: /* acquire does not have nat-t ports; so do not bother setting
! 1744: * the default port 500; just use the port zero for wildcard
! 1745: * matching the get a valid natted destination */
! 1746: sp_src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
! 1747: sp_dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
! 1748:
! 1749: #ifdef HAVE_SECCTX
! 1750: m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
! 1751:
! 1752: if (m_sec_ctx != NULL) {
! 1753: plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n",
! 1754: m_sec_ctx->sadb_x_ctx_doi);
! 1755: plog(LLV_INFO, LOCATION, NULL,
! 1756: "security context algorithm: %u\n",
! 1757: m_sec_ctx->sadb_x_ctx_alg);
! 1758: plog(LLV_INFO, LOCATION, NULL, "security context length: %u\n",
! 1759: m_sec_ctx->sadb_x_ctx_len);
! 1760: plog(LLV_INFO, LOCATION, NULL, "security context: %s\n",
! 1761: ((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)));
! 1762: }
! 1763: #endif /* HAVE_SECCTX */
! 1764:
! 1765: /* ignore if type is not IPSEC_POLICY_IPSEC */
! 1766: if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
! 1767: plog(LLV_DEBUG, LOCATION, NULL,
! 1768: "ignore ACQUIRE message. type is not IPsec.\n");
! 1769: return 0;
! 1770: }
! 1771:
! 1772: /* ignore it if src or dst are multicast addresses. */
! 1773: if ((sp_dst->sa_family == AF_INET
! 1774: && IN_MULTICAST(ntohl(((struct sockaddr_in *)sp_dst)->sin_addr.s_addr)))
! 1775: #ifdef INET6
! 1776: || (sp_dst->sa_family == AF_INET6
! 1777: && IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)sp_dst)->sin6_addr))
! 1778: #endif
! 1779: ) {
! 1780: plog(LLV_DEBUG, LOCATION, NULL,
! 1781: "ignore due to multicast destination address: %s.\n",
! 1782: saddrwop2str(sp_dst));
! 1783: return 0;
! 1784: }
! 1785:
! 1786: if ((sp_src->sa_family == AF_INET
! 1787: && IN_MULTICAST(ntohl(((struct sockaddr_in *)sp_src)->sin_addr.s_addr)))
! 1788: #ifdef INET6
! 1789: || (sp_src->sa_family == AF_INET6
! 1790: && IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)sp_src)->sin6_addr))
! 1791: #endif
! 1792: ) {
! 1793: plog(LLV_DEBUG, LOCATION, NULL,
! 1794: "ignore due to multicast source address: %s.\n",
! 1795: saddrwop2str(sp_src));
! 1796: return 0;
! 1797: }
! 1798:
! 1799: /* search for proper policyindex */
! 1800: sp_out = getspbyspid(xpl->sadb_x_policy_id);
! 1801: if (sp_out == NULL) {
! 1802: plog(LLV_ERROR, LOCATION, NULL, "no policy found: id:%d.\n",
! 1803: xpl->sadb_x_policy_id);
! 1804: return -1;
! 1805: }
! 1806: plog(LLV_DEBUG, LOCATION, NULL,
! 1807: "suitable outbound SP found: %s.\n", spidx2str(&sp_out->spidx));
! 1808:
! 1809: /* Before going further, let first get the source and destination
! 1810: * address that would be used for IKE negotiation. The logic is:
! 1811: * - if SP from SPD image contains local and remote hints, we
! 1812: * use them (provided by MIGRATE).
! 1813: * - otherwise, we use the ones from the ipsecrequest, which means:
! 1814: * - the addresses from the request for transport mode
! 1815: * - the endpoints addresses for tunnel mode
! 1816: *
! 1817: * Note that:
! 1818: * 1) racoon does not support negotiation of bundles which
! 1819: * simplifies the lookup for the addresses in the ipsecrequest
! 1820: * list, as we expect only one.
! 1821: * 2) We do source and destination parts all together and do not
! 1822: * accept semi-defined information. This is just a decision,
! 1823: * there might be needs.
! 1824: *
! 1825: * --arno
! 1826: */
! 1827: if (sp_out->req && sp_out->req->saidx.mode == IPSEC_MODE_TUNNEL) {
! 1828: /* For Tunnel mode, SA addresses are the endpoints */
! 1829: src = (struct sockaddr *) &sp_out->req->saidx.src;
! 1830: dst = (struct sockaddr *) &sp_out->req->saidx.dst;
! 1831: } else {
! 1832: /* Otherwise use requested addresses.
! 1833: *
! 1834: * We need to explicitly setup sa_src and sa_dst too,
! 1835: * since the SA ports are different from IKE port. And
! 1836: * src/dst ports will be overwritten when the matching
! 1837: * phase1 is found. */
! 1838: src = sa_src = sp_src;
! 1839: dst = sa_dst = sp_dst;
! 1840: }
! 1841: if (sp_out->local && sp_out->remote) {
! 1842: /* hints available, let's use them */
! 1843: sa_src = src;
! 1844: sa_dst = dst;
! 1845: src = (struct sockaddr *) sp_out->local;
! 1846: dst = (struct sockaddr *) sp_out->remote;
! 1847: }
! 1848:
! 1849: /*
! 1850: * If there is a phase 2 handler against the policy identifier in
! 1851: * the acquire message, and if
! 1852: * 1. its state is less than PHASE2ST_ESTABLISHED, then racoon
! 1853: * should ignore such a acquire message because the phase 2
! 1854: * is just negotiating.
! 1855: * 2. its state is equal to PHASE2ST_ESTABLISHED, then racoon
! 1856: * has to prcesss such a acquire message because racoon may
! 1857: * lost the expire message.
! 1858: */
! 1859: iph2 = getph2byid(src, dst, xpl->sadb_x_policy_id);
! 1860: if (iph2 != NULL) {
! 1861: if (iph2->status < PHASE2ST_ESTABLISHED) {
! 1862: plog(LLV_DEBUG, LOCATION, NULL,
! 1863: "ignore the acquire because ph2 found\n");
! 1864: return -1;
! 1865: }
! 1866: if (iph2->status == PHASE2ST_EXPIRED)
! 1867: iph2 = NULL;
! 1868: /*FALLTHROUGH*/
! 1869: }
! 1870:
! 1871: /* Check we are listening on source address. If not, ignore. */
! 1872: if (myaddr_getsport(src) == -1) {
! 1873: plog(LLV_DEBUG, LOCATION, NULL,
! 1874: "Not listening on source address %s. Ignoring ACQUIRE.\n",
! 1875: saddrwop2str(src));
! 1876: return 0;
! 1877: }
! 1878:
! 1879: /* get inbound policy */
! 1880: {
! 1881:
! 1882: memset(&spidx, 0, sizeof(spidx));
! 1883: spidx.dir = IPSEC_DIR_INBOUND;
! 1884: memcpy(&spidx.src, &sp_out->spidx.dst, sizeof(spidx.src));
! 1885: memcpy(&spidx.dst, &sp_out->spidx.src, sizeof(spidx.dst));
! 1886: spidx.prefs = sp_out->spidx.prefd;
! 1887: spidx.prefd = sp_out->spidx.prefs;
! 1888: spidx.ul_proto = sp_out->spidx.ul_proto;
! 1889:
! 1890: #ifdef HAVE_SECCTX
! 1891: if (m_sec_ctx) {
! 1892: spidx.sec_ctx.ctx_doi = m_sec_ctx->sadb_x_ctx_doi;
! 1893: spidx.sec_ctx.ctx_alg = m_sec_ctx->sadb_x_ctx_alg;
! 1894: spidx.sec_ctx.ctx_strlen = m_sec_ctx->sadb_x_ctx_len;
! 1895: memcpy(spidx.sec_ctx.ctx_str,
! 1896: ((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)),
! 1897: spidx.sec_ctx.ctx_strlen);
! 1898: }
! 1899: #endif /* HAVE_SECCTX */
! 1900:
! 1901: sp_in = getsp(&spidx);
! 1902: if (sp_in) {
! 1903: plog(LLV_DEBUG, LOCATION, NULL,
! 1904: "suitable inbound SP found: %s.\n",
! 1905: spidx2str(&sp_in->spidx));
! 1906: } else {
! 1907: plog(LLV_NOTIFY, LOCATION, NULL,
! 1908: "no in-bound policy found: %s\n",
! 1909: spidx2str(&spidx));
! 1910: }
! 1911: }
! 1912:
! 1913: /* allocate a phase 2 */
! 1914: iph2 = newph2();
! 1915: if (iph2 == NULL) {
! 1916: plog(LLV_ERROR, LOCATION, NULL,
! 1917: "failed to allocate phase2 entry.\n");
! 1918: return -1;
! 1919: }
! 1920: iph2->side = INITIATOR;
! 1921: iph2->spid = xpl->sadb_x_policy_id;
! 1922: iph2->satype = msg->sadb_msg_satype;
! 1923: iph2->seq = msg->sadb_msg_seq;
! 1924: iph2->status = PHASE2ST_STATUS2;
! 1925:
! 1926: /* set address used by IKE for the negotiation (might differ from
! 1927: * SA address, i.e. might not be tunnel endpoints or addresses
! 1928: * of transport mode SA) */
! 1929: iph2->dst = dupsaddr(dst);
! 1930: if (iph2->dst == NULL) {
! 1931: delph2(iph2);
! 1932: return -1;
! 1933: }
! 1934: iph2->src = dupsaddr(src);
! 1935: if (iph2->src == NULL) {
! 1936: delph2(iph2);
! 1937: return -1;
! 1938: }
! 1939:
! 1940: /* If sa_src and sa_dst have been set, this mean we have to
! 1941: * set iph2->sa_src and iph2->sa_dst to provide the addresses
! 1942: * of the SA because iph2->src and iph2->dst are only the ones
! 1943: * used for the IKE exchanges. Those that need these addresses
! 1944: * are for instance pk_sendupdate() or pk_sendgetspi() */
! 1945: if (sa_src) {
! 1946: iph2->sa_src = dupsaddr(sa_src);
! 1947: iph2->sa_dst = dupsaddr(sa_dst);
! 1948: }
! 1949:
! 1950: if (isakmp_get_sainfo(iph2, sp_out, sp_in) < 0) {
! 1951: delph2(iph2);
! 1952: return -1;
! 1953: }
! 1954:
! 1955: #ifdef HAVE_SECCTX
! 1956: if (m_sec_ctx) {
! 1957: set_secctx_in_proposal(iph2, spidx);
! 1958: }
! 1959: #endif /* HAVE_SECCTX */
! 1960:
! 1961: insph2(iph2);
! 1962:
! 1963: /* start isakmp initiation by using ident exchange */
! 1964: /* XXX should be looped if there are multiple phase 2 handler. */
! 1965: if (isakmp_post_acquire(iph2, NULL, TRUE) < 0) {
! 1966: plog(LLV_ERROR, LOCATION, NULL,
! 1967: "failed to begin ipsec sa negotication.\n");
! 1968: remph2(iph2);
! 1969: delph2(iph2);
! 1970: return -1;
! 1971: }
! 1972:
! 1973: return 0;
! 1974: }
! 1975:
! 1976: static int
! 1977: pk_recvdelete(mhp)
! 1978: caddr_t *mhp;
! 1979: {
! 1980: struct sadb_msg *msg;
! 1981: struct sadb_sa *sa;
! 1982: struct sockaddr *src, *dst;
! 1983: struct ph2handle *iph2 = NULL;
! 1984: u_int proto_id;
! 1985:
! 1986: /* ignore this message because of local test mode. */
! 1987: if (f_local)
! 1988: return 0;
! 1989:
! 1990: /* sanity check */
! 1991: if (mhp[0] == NULL
! 1992: || mhp[SADB_EXT_SA] == NULL
! 1993: || mhp[SADB_EXT_ADDRESS_SRC] == NULL
! 1994: || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
! 1995: plog(LLV_ERROR, LOCATION, NULL,
! 1996: "inappropriate sadb delete message passed.\n");
! 1997: return -1;
! 1998: }
! 1999: msg = (struct sadb_msg *)mhp[0];
! 2000: sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
! 2001: pk_fixup_sa_addresses(mhp);
! 2002: src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
! 2003: dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
! 2004:
! 2005: /* the message has to be processed or not ? */
! 2006: if (msg->sadb_msg_pid == getpid()) {
! 2007: plog(LLV_DEBUG, LOCATION, NULL,
! 2008: "%s message is not interesting "
! 2009: "because the message was originated by me.\n",
! 2010: s_pfkey_type(msg->sadb_msg_type));
! 2011: return -1;
! 2012: }
! 2013:
! 2014: proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
! 2015: if (proto_id == ~0) {
! 2016: plog(LLV_ERROR, LOCATION, NULL,
! 2017: "invalid proto_id %d\n", msg->sadb_msg_satype);
! 2018: return -1;
! 2019: }
! 2020:
! 2021: iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
! 2022: if (iph2 == NULL) {
! 2023: /* ignore */
! 2024: plog(LLV_ERROR, LOCATION, NULL,
! 2025: "no iph2 found: %s\n",
! 2026: sadbsecas2str(src, dst, msg->sadb_msg_satype,
! 2027: sa->sadb_sa_spi, IPSEC_MODE_ANY));
! 2028: return 0;
! 2029: }
! 2030:
! 2031: plog(LLV_ERROR, LOCATION, NULL,
! 2032: "pfkey DELETE received: %s\n",
! 2033: sadbsecas2str(src, dst,
! 2034: msg->sadb_msg_satype, sa->sadb_sa_spi, IPSEC_MODE_ANY));
! 2035:
! 2036: /* send delete information */
! 2037: if (iph2->status == PHASE2ST_ESTABLISHED)
! 2038: isakmp_info_send_d2(iph2);
! 2039:
! 2040: remph2(iph2);
! 2041: delph2(iph2);
! 2042:
! 2043: return 0;
! 2044: }
! 2045:
! 2046: static int
! 2047: pk_recvflush(mhp)
! 2048: caddr_t *mhp;
! 2049: {
! 2050: /* ignore this message because of local test mode. */
! 2051: if (f_local)
! 2052: return 0;
! 2053:
! 2054: /* sanity check */
! 2055: if (mhp[0] == NULL) {
! 2056: plog(LLV_ERROR, LOCATION, NULL,
! 2057: "inappropriate sadb flush message passed.\n");
! 2058: return -1;
! 2059: }
! 2060:
! 2061: flushph2();
! 2062:
! 2063: return 0;
! 2064: }
! 2065:
! 2066: static int
! 2067: getsadbpolicy(policy0, policylen0, type, iph2)
! 2068: caddr_t *policy0;
! 2069: int *policylen0, type;
! 2070: struct ph2handle *iph2;
! 2071: {
! 2072: struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
! 2073: struct sockaddr *src = NULL, *dst = NULL;
! 2074: struct sadb_x_policy *xpl;
! 2075: struct sadb_x_ipsecrequest *xisr;
! 2076: struct saproto *pr;
! 2077: struct saproto **pr_rlist;
! 2078: int rlist_len = 0;
! 2079: caddr_t policy, p;
! 2080: int policylen;
! 2081: int xisrlen;
! 2082: u_int satype, mode;
! 2083: int len = 0;
! 2084: #ifdef HAVE_SECCTX
! 2085: int ctxlen = 0;
! 2086: #endif /* HAVE_SECCTX */
! 2087:
! 2088:
! 2089: /* get policy buffer size */
! 2090: policylen = sizeof(struct sadb_x_policy);
! 2091: if (type != SADB_X_SPDDELETE) {
! 2092: if (iph2->sa_src && iph2->sa_dst) {
! 2093: src = iph2->sa_src; /* MIPv6: Use SA addresses, */
! 2094: dst = iph2->sa_dst; /* not IKE ones */
! 2095: } else {
! 2096: src = iph2->src; /* Common case: SA addresses */
! 2097: dst = iph2->dst; /* and IKE ones are the same */
! 2098: }
! 2099:
! 2100: for (pr = iph2->approval->head; pr; pr = pr->next) {
! 2101: xisrlen = sizeof(*xisr);
! 2102: if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
! 2103: xisrlen += (sysdep_sa_len(src) +
! 2104: sysdep_sa_len(dst));
! 2105: }
! 2106:
! 2107: policylen += PFKEY_ALIGN8(xisrlen);
! 2108: }
! 2109: }
! 2110:
! 2111: #ifdef HAVE_SECCTX
! 2112: if (*spidx->sec_ctx.ctx_str) {
! 2113: ctxlen = sizeof(struct sadb_x_sec_ctx)
! 2114: + PFKEY_ALIGN8(spidx->sec_ctx.ctx_strlen);
! 2115: policylen += ctxlen;
! 2116: }
! 2117: #endif /* HAVE_SECCTX */
! 2118:
! 2119: /* make policy structure */
! 2120: policy = racoon_malloc(policylen);
! 2121: memset((void*)policy, 0xcd, policylen);
! 2122: if (!policy) {
! 2123: plog(LLV_ERROR, LOCATION, NULL,
! 2124: "buffer allocation failed.\n");
! 2125: return -1;
! 2126: }
! 2127:
! 2128: xpl = (struct sadb_x_policy *)policy;
! 2129: xpl->sadb_x_policy_len = PFKEY_UNIT64(policylen);
! 2130: xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
! 2131: xpl->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
! 2132: xpl->sadb_x_policy_dir = spidx->dir;
! 2133: xpl->sadb_x_policy_id = 0;
! 2134: #ifdef HAVE_PFKEY_POLICY_PRIORITY
! 2135: xpl->sadb_x_policy_priority = PRIORITY_DEFAULT;
! 2136: #endif
! 2137: len++;
! 2138:
! 2139: #ifdef HAVE_SECCTX
! 2140: if (*spidx->sec_ctx.ctx_str) {
! 2141: struct sadb_x_sec_ctx *p;
! 2142:
! 2143: p = (struct sadb_x_sec_ctx *)(xpl + len);
! 2144: memset(p, 0, ctxlen);
! 2145: p->sadb_x_sec_len = PFKEY_UNIT64(ctxlen);
! 2146: p->sadb_x_sec_exttype = SADB_X_EXT_SEC_CTX;
! 2147: p->sadb_x_ctx_len = spidx->sec_ctx.ctx_strlen;
! 2148: p->sadb_x_ctx_doi = spidx->sec_ctx.ctx_doi;
! 2149: p->sadb_x_ctx_alg = spidx->sec_ctx.ctx_alg;
! 2150:
! 2151: memcpy(p + 1,spidx->sec_ctx.ctx_str,spidx->sec_ctx.ctx_strlen);
! 2152: len += ctxlen;
! 2153: }
! 2154: #endif /* HAVE_SECCTX */
! 2155:
! 2156: /* no need to append policy information any more if type is SPDDELETE */
! 2157: if (type == SADB_X_SPDDELETE)
! 2158: goto end;
! 2159:
! 2160: xisr = (struct sadb_x_ipsecrequest *)(xpl + len);
! 2161:
! 2162: /* The order of things is reversed for use in add policy messages */
! 2163: for (pr = iph2->approval->head; pr; pr = pr->next) rlist_len++;
! 2164: pr_rlist = racoon_malloc((rlist_len+1)*sizeof(struct saproto*));
! 2165: if (!pr_rlist) {
! 2166: plog(LLV_ERROR, LOCATION, NULL,
! 2167: "buffer allocation failed.\n");
! 2168: return -1;
! 2169: }
! 2170: pr_rlist[rlist_len--] = NULL;
! 2171: for (pr = iph2->approval->head; pr; pr = pr->next) pr_rlist[rlist_len--] = pr;
! 2172: rlist_len = 0;
! 2173:
! 2174: for (pr = pr_rlist[rlist_len++]; pr; pr = pr_rlist[rlist_len++]) {
! 2175:
! 2176: satype = doi2ipproto(pr->proto_id);
! 2177: if (satype == ~0) {
! 2178: plog(LLV_ERROR, LOCATION, NULL,
! 2179: "invalid proto_id %d\n", pr->proto_id);
! 2180: goto err;
! 2181: }
! 2182: mode = ipsecdoi2pfkey_mode(pr->encmode);
! 2183: if (mode == ~0) {
! 2184: plog(LLV_ERROR, LOCATION, NULL,
! 2185: "invalid encmode %d\n", pr->encmode);
! 2186: goto err;
! 2187: }
! 2188:
! 2189: /*
! 2190: * the policy level cannot be unique because the policy
! 2191: * is defined later than SA, so req_id cannot be bound to SA.
! 2192: */
! 2193: xisr->sadb_x_ipsecrequest_proto = satype;
! 2194: xisr->sadb_x_ipsecrequest_mode = mode;
! 2195: if(iph2->proposal->head->reqid_in > 0){
! 2196: xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
! 2197: xisr->sadb_x_ipsecrequest_reqid = iph2->proposal->head->reqid_in;
! 2198: }else{
! 2199: xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE;
! 2200: xisr->sadb_x_ipsecrequest_reqid = 0;
! 2201: }
! 2202: p = (caddr_t)(xisr + 1);
! 2203:
! 2204: xisrlen = sizeof(*xisr);
! 2205:
! 2206: if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
! 2207: int src_len, dst_len;
! 2208:
! 2209: src_len = sysdep_sa_len(src);
! 2210: dst_len = sysdep_sa_len(dst);
! 2211: xisrlen += src_len + dst_len;
! 2212:
! 2213: memcpy(p, src, src_len);
! 2214: p += src_len;
! 2215:
! 2216: memcpy(p, dst, dst_len);
! 2217: p += dst_len;
! 2218: }
! 2219:
! 2220: xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen);
! 2221: xisr = (struct sadb_x_ipsecrequest *)p;
! 2222:
! 2223: }
! 2224: racoon_free(pr_rlist);
! 2225:
! 2226: end:
! 2227: *policy0 = policy;
! 2228: *policylen0 = policylen;
! 2229:
! 2230: return 0;
! 2231:
! 2232: err:
! 2233: if (policy)
! 2234: racoon_free(policy);
! 2235: if (pr_rlist) racoon_free(pr_rlist);
! 2236:
! 2237: return -1;
! 2238: }
! 2239:
! 2240: int
! 2241: pk_sendspdupdate2(iph2)
! 2242: struct ph2handle *iph2;
! 2243: {
! 2244: struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
! 2245: caddr_t policy = NULL;
! 2246: int policylen = 0;
! 2247: u_int64_t ltime, vtime;
! 2248:
! 2249: ltime = iph2->approval->lifetime;
! 2250: vtime = 0;
! 2251:
! 2252: if (getsadbpolicy(&policy, &policylen, SADB_X_SPDUPDATE, iph2)) {
! 2253: plog(LLV_ERROR, LOCATION, NULL,
! 2254: "getting sadb policy failed.\n");
! 2255: return -1;
! 2256: }
! 2257:
! 2258: if (pfkey_send_spdupdate2(
! 2259: lcconf->sock_pfkey,
! 2260: (struct sockaddr *)&spidx->src,
! 2261: spidx->prefs,
! 2262: (struct sockaddr *)&spidx->dst,
! 2263: spidx->prefd,
! 2264: spidx->ul_proto,
! 2265: ltime, vtime,
! 2266: policy, policylen, 0) < 0) {
! 2267: plog(LLV_ERROR, LOCATION, NULL,
! 2268: "libipsec failed send spdupdate2 (%s)\n",
! 2269: ipsec_strerror());
! 2270: goto end;
! 2271: }
! 2272: plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spdupdate2\n");
! 2273:
! 2274: end:
! 2275: if (policy)
! 2276: racoon_free(policy);
! 2277:
! 2278: return 0;
! 2279: }
! 2280:
! 2281: static int
! 2282: pk_recvspdupdate(mhp)
! 2283: caddr_t *mhp;
! 2284: {
! 2285: struct sadb_address *saddr, *daddr;
! 2286: struct sadb_x_policy *xpl;
! 2287: struct sadb_lifetime *lt;
! 2288: struct policyindex spidx;
! 2289: struct secpolicy *sp;
! 2290: struct sockaddr *local=NULL, *remote=NULL;
! 2291: u_int64_t created;
! 2292: int ret;
! 2293:
! 2294: /* sanity check */
! 2295: if (mhp[0] == NULL
! 2296: || mhp[SADB_EXT_ADDRESS_SRC] == NULL
! 2297: || mhp[SADB_EXT_ADDRESS_DST] == NULL
! 2298: || mhp[SADB_X_EXT_POLICY] == NULL) {
! 2299: plog(LLV_ERROR, LOCATION, NULL,
! 2300: "inappropriate sadb spdupdate message passed.\n");
! 2301: return -1;
! 2302: }
! 2303: saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
! 2304: daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
! 2305: xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
! 2306: lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
! 2307: if(lt != NULL)
! 2308: created = lt->sadb_lifetime_addtime;
! 2309: else
! 2310: created = 0;
! 2311:
! 2312: #ifdef HAVE_PFKEY_POLICY_PRIORITY
! 2313: KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
! 2314: saddr + 1,
! 2315: daddr + 1,
! 2316: saddr->sadb_address_prefixlen,
! 2317: daddr->sadb_address_prefixlen,
! 2318: saddr->sadb_address_proto,
! 2319: xpl->sadb_x_policy_priority,
! 2320: created,
! 2321: &spidx);
! 2322: #else
! 2323: KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
! 2324: saddr + 1,
! 2325: daddr + 1,
! 2326: saddr->sadb_address_prefixlen,
! 2327: daddr->sadb_address_prefixlen,
! 2328: saddr->sadb_address_proto,
! 2329: created,
! 2330: &spidx);
! 2331: #endif
! 2332:
! 2333: #ifdef HAVE_SECCTX
! 2334: if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
! 2335: struct sadb_x_sec_ctx *ctx;
! 2336:
! 2337: ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
! 2338: spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
! 2339: spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
! 2340: spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
! 2341: memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
! 2342: }
! 2343: #endif /* HAVE_SECCTX */
! 2344:
! 2345: sp = getsp(&spidx);
! 2346: if (sp == NULL) {
! 2347: plog(LLV_DEBUG, LOCATION, NULL,
! 2348: "this policy did not exist for removal: \"%s\"\n",
! 2349: spidx2str(&spidx));
! 2350: } else {
! 2351: /* preserve hints before deleting the SP */
! 2352: local = sp->local;
! 2353: remote = sp->remote;
! 2354: sp->local = NULL;
! 2355: sp->remote = NULL;
! 2356:
! 2357: remsp(sp);
! 2358: delsp(sp);
! 2359: }
! 2360:
! 2361: /* Add new SP (with old hints) */
! 2362: ret = addnewsp(mhp, local, remote);
! 2363:
! 2364: if (local != NULL)
! 2365: racoon_free(local);
! 2366: if (remote != NULL)
! 2367: racoon_free(remote);
! 2368:
! 2369: if (ret < 0)
! 2370: return -1;
! 2371:
! 2372: return 0;
! 2373: }
! 2374:
! 2375: /*
! 2376: * this function has to be used by responder side.
! 2377: */
! 2378: int
! 2379: pk_sendspdadd2(iph2)
! 2380: struct ph2handle *iph2;
! 2381: {
! 2382: struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
! 2383: caddr_t policy = NULL;
! 2384: int policylen = 0;
! 2385: u_int64_t ltime, vtime;
! 2386:
! 2387: ltime = iph2->approval->lifetime;
! 2388: vtime = 0;
! 2389:
! 2390: if (getsadbpolicy(&policy, &policylen, SADB_X_SPDADD, iph2)) {
! 2391: plog(LLV_ERROR, LOCATION, NULL,
! 2392: "getting sadb policy failed.\n");
! 2393: return -1;
! 2394: }
! 2395:
! 2396: if (pfkey_send_spdadd2(
! 2397: lcconf->sock_pfkey,
! 2398: (struct sockaddr *)&spidx->src,
! 2399: spidx->prefs,
! 2400: (struct sockaddr *)&spidx->dst,
! 2401: spidx->prefd,
! 2402: spidx->ul_proto,
! 2403: ltime, vtime,
! 2404: policy, policylen, 0) < 0) {
! 2405: plog(LLV_ERROR, LOCATION, NULL,
! 2406: "libipsec failed send spdadd2 (%s)\n",
! 2407: ipsec_strerror());
! 2408: goto end;
! 2409: }
! 2410: plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spdadd2\n");
! 2411:
! 2412: end:
! 2413: if (policy)
! 2414: racoon_free(policy);
! 2415:
! 2416: return 0;
! 2417: }
! 2418:
! 2419: static int
! 2420: pk_recvspdadd(mhp)
! 2421: caddr_t *mhp;
! 2422: {
! 2423: struct sadb_address *saddr, *daddr;
! 2424: struct sadb_x_policy *xpl;
! 2425: struct sadb_lifetime *lt;
! 2426: struct policyindex spidx;
! 2427: struct secpolicy *sp;
! 2428: struct sockaddr *local = NULL, *remote = NULL;
! 2429: u_int64_t created;
! 2430: int ret;
! 2431:
! 2432: /* sanity check */
! 2433: if (mhp[0] == NULL
! 2434: || mhp[SADB_EXT_ADDRESS_SRC] == NULL
! 2435: || mhp[SADB_EXT_ADDRESS_DST] == NULL
! 2436: || mhp[SADB_X_EXT_POLICY] == NULL) {
! 2437: plog(LLV_ERROR, LOCATION, NULL,
! 2438: "inappropriate sadb spdadd message passed.\n");
! 2439: return -1;
! 2440: }
! 2441: saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
! 2442: daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
! 2443: xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
! 2444: lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
! 2445: if(lt != NULL)
! 2446: created = lt->sadb_lifetime_addtime;
! 2447: else
! 2448: created = 0;
! 2449:
! 2450: #ifdef HAVE_PFKEY_POLICY_PRIORITY
! 2451: KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
! 2452: saddr + 1,
! 2453: daddr + 1,
! 2454: saddr->sadb_address_prefixlen,
! 2455: daddr->sadb_address_prefixlen,
! 2456: saddr->sadb_address_proto,
! 2457: xpl->sadb_x_policy_priority,
! 2458: created,
! 2459: &spidx);
! 2460: #else
! 2461: KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
! 2462: saddr + 1,
! 2463: daddr + 1,
! 2464: saddr->sadb_address_prefixlen,
! 2465: daddr->sadb_address_prefixlen,
! 2466: saddr->sadb_address_proto,
! 2467: created,
! 2468: &spidx);
! 2469: #endif
! 2470:
! 2471: #ifdef HAVE_SECCTX
! 2472: if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
! 2473: struct sadb_x_sec_ctx *ctx;
! 2474:
! 2475: ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
! 2476: spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
! 2477: spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
! 2478: spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
! 2479: memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
! 2480: }
! 2481: #endif /* HAVE_SECCTX */
! 2482:
! 2483: sp = getsp(&spidx);
! 2484: if (sp != NULL) {
! 2485: plog(LLV_ERROR, LOCATION, NULL,
! 2486: "such policy already exists. "
! 2487: "anyway replace it: %s\n",
! 2488: spidx2str(&spidx));
! 2489:
! 2490: /* preserve hints before deleting the SP */
! 2491: local = sp->local;
! 2492: remote = sp->remote;
! 2493: sp->local = NULL;
! 2494: sp->remote = NULL;
! 2495:
! 2496: remsp(sp);
! 2497: delsp(sp);
! 2498: }
! 2499:
! 2500: /* Add new SP (with old hints) */
! 2501: ret = addnewsp(mhp, local, remote);
! 2502:
! 2503: if (local != NULL)
! 2504: racoon_free(local);
! 2505: if (remote != NULL)
! 2506: racoon_free(remote);
! 2507:
! 2508: if (ret < 0)
! 2509: return -1;
! 2510:
! 2511: return 0;
! 2512: }
! 2513:
! 2514: /*
! 2515: * this function has to be used by responder side.
! 2516: */
! 2517: int
! 2518: pk_sendspddelete(iph2)
! 2519: struct ph2handle *iph2;
! 2520: {
! 2521: struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
! 2522: caddr_t policy = NULL;
! 2523: int policylen;
! 2524:
! 2525: if (getsadbpolicy(&policy, &policylen, SADB_X_SPDDELETE, iph2)) {
! 2526: plog(LLV_ERROR, LOCATION, NULL,
! 2527: "getting sadb policy failed.\n");
! 2528: return -1;
! 2529: }
! 2530:
! 2531: if (pfkey_send_spddelete(
! 2532: lcconf->sock_pfkey,
! 2533: (struct sockaddr *)&spidx->src,
! 2534: spidx->prefs,
! 2535: (struct sockaddr *)&spidx->dst,
! 2536: spidx->prefd,
! 2537: spidx->ul_proto,
! 2538: policy, policylen, 0) < 0) {
! 2539: plog(LLV_ERROR, LOCATION, NULL,
! 2540: "libipsec failed send spddelete (%s)\n",
! 2541: ipsec_strerror());
! 2542: goto end;
! 2543: }
! 2544: plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spddelete\n");
! 2545:
! 2546: end:
! 2547: if (policy)
! 2548: racoon_free(policy);
! 2549:
! 2550: return 0;
! 2551: }
! 2552:
! 2553: static int
! 2554: pk_recvspddelete(mhp)
! 2555: caddr_t *mhp;
! 2556: {
! 2557: struct sadb_address *saddr, *daddr;
! 2558: struct sadb_x_policy *xpl;
! 2559: struct sadb_lifetime *lt;
! 2560: struct policyindex spidx;
! 2561: struct secpolicy *sp;
! 2562: u_int64_t created;
! 2563:
! 2564: /* sanity check */
! 2565: if (mhp[0] == NULL
! 2566: || mhp[SADB_EXT_ADDRESS_SRC] == NULL
! 2567: || mhp[SADB_EXT_ADDRESS_DST] == NULL
! 2568: || mhp[SADB_X_EXT_POLICY] == NULL) {
! 2569: plog(LLV_ERROR, LOCATION, NULL,
! 2570: "inappropriate sadb spddelete message passed.\n");
! 2571: return -1;
! 2572: }
! 2573: saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
! 2574: daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
! 2575: xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
! 2576: lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
! 2577: if(lt != NULL)
! 2578: created = lt->sadb_lifetime_addtime;
! 2579: else
! 2580: created = 0;
! 2581:
! 2582: #ifdef HAVE_PFKEY_POLICY_PRIORITY
! 2583: KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
! 2584: saddr + 1,
! 2585: daddr + 1,
! 2586: saddr->sadb_address_prefixlen,
! 2587: daddr->sadb_address_prefixlen,
! 2588: saddr->sadb_address_proto,
! 2589: xpl->sadb_x_policy_priority,
! 2590: created,
! 2591: &spidx);
! 2592: #else
! 2593: KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
! 2594: saddr + 1,
! 2595: daddr + 1,
! 2596: saddr->sadb_address_prefixlen,
! 2597: daddr->sadb_address_prefixlen,
! 2598: saddr->sadb_address_proto,
! 2599: created,
! 2600: &spidx);
! 2601: #endif
! 2602:
! 2603: #ifdef HAVE_SECCTX
! 2604: if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
! 2605: struct sadb_x_sec_ctx *ctx;
! 2606:
! 2607: ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
! 2608: spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
! 2609: spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
! 2610: spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
! 2611: memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
! 2612: }
! 2613: #endif /* HAVE_SECCTX */
! 2614:
! 2615: sp = getsp(&spidx);
! 2616: if (sp == NULL) {
! 2617: plog(LLV_ERROR, LOCATION, NULL,
! 2618: "no policy found: %s\n",
! 2619: spidx2str(&spidx));
! 2620: return -1;
! 2621: }
! 2622:
! 2623: remsp(sp);
! 2624: delsp(sp);
! 2625:
! 2626: return 0;
! 2627: }
! 2628:
! 2629: static int
! 2630: pk_recvspdexpire(mhp)
! 2631: caddr_t *mhp;
! 2632: {
! 2633: struct sadb_address *saddr, *daddr;
! 2634: struct sadb_x_policy *xpl;
! 2635: struct sadb_lifetime *lt;
! 2636: struct policyindex spidx;
! 2637: struct secpolicy *sp;
! 2638: u_int64_t created;
! 2639:
! 2640: /* sanity check */
! 2641: if (mhp[0] == NULL
! 2642: || mhp[SADB_EXT_ADDRESS_SRC] == NULL
! 2643: || mhp[SADB_EXT_ADDRESS_DST] == NULL
! 2644: || mhp[SADB_X_EXT_POLICY] == NULL) {
! 2645: plog(LLV_ERROR, LOCATION, NULL,
! 2646: "inappropriate sadb spdexpire message passed.\n");
! 2647: return -1;
! 2648: }
! 2649: saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
! 2650: daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
! 2651: xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
! 2652: lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
! 2653: if(lt != NULL)
! 2654: created = lt->sadb_lifetime_addtime;
! 2655: else
! 2656: created = 0;
! 2657:
! 2658: #ifdef HAVE_PFKEY_POLICY_PRIORITY
! 2659: KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
! 2660: saddr + 1,
! 2661: daddr + 1,
! 2662: saddr->sadb_address_prefixlen,
! 2663: daddr->sadb_address_prefixlen,
! 2664: saddr->sadb_address_proto,
! 2665: xpl->sadb_x_policy_priority,
! 2666: created,
! 2667: &spidx);
! 2668: #else
! 2669: KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
! 2670: saddr + 1,
! 2671: daddr + 1,
! 2672: saddr->sadb_address_prefixlen,
! 2673: daddr->sadb_address_prefixlen,
! 2674: saddr->sadb_address_proto,
! 2675: created,
! 2676: &spidx);
! 2677: #endif
! 2678:
! 2679: #ifdef HAVE_SECCTX
! 2680: if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
! 2681: struct sadb_x_sec_ctx *ctx;
! 2682:
! 2683: ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
! 2684: spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
! 2685: spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
! 2686: spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
! 2687: memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
! 2688: }
! 2689: #endif /* HAVE_SECCTX */
! 2690:
! 2691: sp = getsp(&spidx);
! 2692: if (sp == NULL) {
! 2693: plog(LLV_ERROR, LOCATION, NULL,
! 2694: "no policy found: %s\n",
! 2695: spidx2str(&spidx));
! 2696: return -1;
! 2697: }
! 2698:
! 2699: remsp(sp);
! 2700: delsp(sp);
! 2701:
! 2702: return 0;
! 2703: }
! 2704:
! 2705: static int
! 2706: pk_recvspdget(mhp)
! 2707: caddr_t *mhp;
! 2708: {
! 2709: /* sanity check */
! 2710: if (mhp[0] == NULL) {
! 2711: plog(LLV_ERROR, LOCATION, NULL,
! 2712: "inappropriate sadb spdget message passed.\n");
! 2713: return -1;
! 2714: }
! 2715:
! 2716: return 0;
! 2717: }
! 2718:
! 2719: static int
! 2720: pk_recvspddump(mhp)
! 2721: caddr_t *mhp;
! 2722: {
! 2723: struct sadb_msg *msg;
! 2724: struct sadb_address *saddr, *daddr;
! 2725: struct sadb_x_policy *xpl;
! 2726: struct sadb_lifetime *lt;
! 2727: struct policyindex spidx;
! 2728: struct secpolicy *sp;
! 2729: struct sockaddr *local=NULL, *remote=NULL;
! 2730: u_int64_t created;
! 2731: int ret;
! 2732:
! 2733: /* sanity check */
! 2734: if (mhp[0] == NULL) {
! 2735: plog(LLV_ERROR, LOCATION, NULL,
! 2736: "inappropriate sadb spddump message passed.\n");
! 2737: return -1;
! 2738: }
! 2739: msg = (struct sadb_msg *)mhp[0];
! 2740: saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
! 2741: daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
! 2742: xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
! 2743: lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
! 2744: if(lt != NULL)
! 2745: created = lt->sadb_lifetime_addtime;
! 2746: else
! 2747: created = 0;
! 2748:
! 2749: if (saddr == NULL || daddr == NULL || xpl == NULL) {
! 2750: plog(LLV_ERROR, LOCATION, NULL,
! 2751: "inappropriate sadb spddump message passed.\n");
! 2752: return -1;
! 2753: }
! 2754:
! 2755: #ifdef HAVE_PFKEY_POLICY_PRIORITY
! 2756: KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
! 2757: saddr + 1,
! 2758: daddr + 1,
! 2759: saddr->sadb_address_prefixlen,
! 2760: daddr->sadb_address_prefixlen,
! 2761: saddr->sadb_address_proto,
! 2762: xpl->sadb_x_policy_priority,
! 2763: created,
! 2764: &spidx);
! 2765: #else
! 2766: KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
! 2767: saddr + 1,
! 2768: daddr + 1,
! 2769: saddr->sadb_address_prefixlen,
! 2770: daddr->sadb_address_prefixlen,
! 2771: saddr->sadb_address_proto,
! 2772: created,
! 2773: &spidx);
! 2774: #endif
! 2775:
! 2776: #ifdef HAVE_SECCTX
! 2777: if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
! 2778: struct sadb_x_sec_ctx *ctx;
! 2779:
! 2780: ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
! 2781: spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
! 2782: spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
! 2783: spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
! 2784: memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
! 2785: }
! 2786: #endif /* HAVE_SECCTX */
! 2787:
! 2788: sp = getsp(&spidx);
! 2789: if (sp != NULL) {
! 2790: plog(LLV_ERROR, LOCATION, NULL,
! 2791: "such policy already exists. "
! 2792: "anyway replace it: %s\n",
! 2793: spidx2str(&spidx));
! 2794:
! 2795: /* preserve hints before deleting the SP */
! 2796: local = sp->local;
! 2797: remote = sp->remote;
! 2798: sp->local = NULL;
! 2799: sp->remote = NULL;
! 2800:
! 2801: remsp(sp);
! 2802: delsp(sp);
! 2803: }
! 2804:
! 2805: /* Add new SP (with old hints) */
! 2806: ret = addnewsp(mhp, local, remote);
! 2807:
! 2808: if (local != NULL)
! 2809: racoon_free(local);
! 2810: if (remote != NULL)
! 2811: racoon_free(remote);
! 2812:
! 2813: if (ret < 0)
! 2814: return -1;
! 2815:
! 2816: return 0;
! 2817: }
! 2818:
! 2819: static int
! 2820: pk_recvspdflush(mhp)
! 2821: caddr_t *mhp;
! 2822: {
! 2823: /* sanity check */
! 2824: if (mhp[0] == NULL) {
! 2825: plog(LLV_ERROR, LOCATION, NULL,
! 2826: "inappropriate sadb spdflush message passed.\n");
! 2827: return -1;
! 2828: }
! 2829:
! 2830: flushsp();
! 2831:
! 2832: return 0;
! 2833: }
! 2834:
! 2835: #if defined(SADB_X_MIGRATE) && defined(SADB_X_EXT_KMADDRESS)
! 2836:
! 2837: /* MIGRATE support (pk_recvmigrate() is the handler of MIGRATE message).
! 2838: *
! 2839: * pk_recvmigrate()
! 2840: * 1) some preprocessing and checks
! 2841: * 2) parsing of sadb_x_kmaddress extension
! 2842: * 3) SP lookup using selectors and content of policy extension from MIGRATE
! 2843: * 4) resolution of current local and remote IKE addresses
! 2844: * 5) Use of addresses to get Phase 1 handler if any
! 2845: * 6) Update of IKE addresses in Phase 1 (iph1->local and iph1->remote)
! 2846: * 7) Update of IKE addresses in Phase 2 (iph2->src and iph2->dst)
! 2847: * 8) Update of IKE addresses in SP (sp->local and sp->remote)
! 2848: * 9) Loop on sadb_x_ipsecrequests pairs from MIGRATE
! 2849: * - update of associated ipsecrequests entries in sp->req (should be
! 2850: * only one as racoon does not support bundles), i.e. update of
! 2851: * tunnel endpoints when required.
! 2852: * - If tunnel mode endpoints have been updated, lookup of associated
! 2853: * Phase 2 handle to also update sa_src and sa_dst entries
! 2854: *
! 2855: * XXX Note that we do not support yet the update of SA addresses for transport
! 2856: * mode, but only the update of SA addresses for tunnel mode (endpoints).
! 2857: * Reasons are:
! 2858: * - there is no initial need for MIPv6
! 2859: * - racoon does not support bundles
! 2860: * - this would imply more work to deal with sainfo update (if feasible).
! 2861: */
! 2862:
! 2863: /* Generic argument structure for migration callbacks */
! 2864: struct migrate_args {
! 2865: struct sockaddr *local;
! 2866: struct sockaddr *remote;
! 2867: };
! 2868:
! 2869: /*
! 2870: * Update local and remote addresses of given Phase 1. Schedule removal
! 2871: * if negotiation was going on and restart a one from updated address.
! 2872: *
! 2873: * -1 is returned on error. 0 if everything went right.
! 2874: */
! 2875: static int
! 2876: migrate_ph1_ike_addresses(iph1, arg)
! 2877: struct ph1handle *iph1;
! 2878: void *arg;
! 2879: {
! 2880: struct migrate_args *ma = (struct migrate_args *) arg;
! 2881: struct remoteconf *rmconf;
! 2882: u_int16_t port;
! 2883:
! 2884: /* Already up-to-date? */
! 2885: if (cmpsaddr(iph1->local, ma->local) == CMPSADDR_MATCH &&
! 2886: cmpsaddr(iph1->remote, ma->remote) == CMPSADDR_MATCH)
! 2887: return 0;
! 2888:
! 2889: if (iph1->status < PHASE1ST_ESTABLISHED) {
! 2890: /* Bad luck! We received a MIGRATE *while* negotiating
! 2891: * Phase 1 (i.e. it was not established yet). If we act as
! 2892: * initiator we need to restart the negotiation. As
! 2893: * responder, our best bet is to update our addresses
! 2894: * and wait for the initiator to do something */
! 2895: plog(LLV_WARNING, LOCATION, NULL, "MIGRATE received *during* "
! 2896: "Phase 1 negotiation (%s).\n",
! 2897: saddr2str_fromto("%s => %s", ma->local, ma->remote));
! 2898:
! 2899: /* If we are not acting as initiator, let's just leave and
! 2900: * let the remote peer handle the restart */
! 2901: rmconf = getrmconf(ma->remote, 0);
! 2902: if (rmconf == NULL || !rmconf->passive) {
! 2903: iph1->status = PHASE1ST_EXPIRED;
! 2904: isakmp_ph1delete(iph1);
! 2905:
! 2906: /* This is unlikely, but let's just check if a Phase 1
! 2907: * for the new addresses already exist */
! 2908: if (getph1byaddr(ma->local, ma->remote, 0)) {
! 2909: plog(LLV_WARNING, LOCATION, NULL, "No need "
! 2910: "to start a new Phase 1 negotiation. One "
! 2911: "already exists.\n");
! 2912: return 0;
! 2913: }
! 2914:
! 2915: plog(LLV_WARNING, LOCATION, NULL, "As initiator, "
! 2916: "restarting it.\n");
! 2917: /* Note that the insertion of the new Phase 1 will not
! 2918: * interfere with the fact we are called from enumph1,
! 2919: * because it is inserted as first element. --arno */
! 2920: isakmp_ph1begin_i(rmconf, ma->local, ma->remote);
! 2921:
! 2922: return 0;
! 2923: }
! 2924: }
! 2925:
! 2926: if (iph1->local != NULL) {
! 2927: plog(LLV_DEBUG, LOCATION, NULL, "Migrating Phase 1 local "
! 2928: "address from %s\n",
! 2929: saddr2str_fromto("%s to %s", iph1->local, ma->local));
! 2930: port = extract_port(iph1->local);
! 2931: racoon_free(iph1->local);
! 2932: } else
! 2933: port = 0;
! 2934:
! 2935: iph1->local = dupsaddr(ma->local);
! 2936: if (iph1->local == NULL) {
! 2937: plog(LLV_ERROR, LOCATION, NULL, "unable to allocate "
! 2938: "Phase 1 local address.\n");
! 2939: return -1;
! 2940: }
! 2941: set_port(iph1->local, port);
! 2942:
! 2943: if (iph1->remote != NULL) {
! 2944: plog(LLV_DEBUG, LOCATION, NULL, "Migrating Phase 1 remote "
! 2945: "address from %s\n",
! 2946: saddr2str_fromto("%s to %s", iph1->remote, ma->remote));
! 2947: port = extract_port(iph1->remote);
! 2948: racoon_free(iph1->remote);
! 2949: } else
! 2950: port = 0;
! 2951:
! 2952: iph1->remote = dupsaddr(ma->remote);
! 2953: if (iph1->remote == NULL) {
! 2954: plog(LLV_ERROR, LOCATION, NULL, "unable to allocate "
! 2955: "Phase 1 remote address.\n");
! 2956: return -1;
! 2957: }
! 2958: set_port(iph1->remote, port);
! 2959:
! 2960: return 0;
! 2961: }
! 2962:
! 2963: /* Update src and dst of all current Phase 2 handles.
! 2964: * with provided local and remote addresses.
! 2965: * Our intent is NOT to modify IPsec SA endpoints but IKE
! 2966: * addresses so we need to take care to separate those if
! 2967: * they are different. -1 is returned on error. 0 if everything
! 2968: * went right.
! 2969: *
! 2970: * Note: we do not maintain port information as it is not
! 2971: * expected to be meaningful --arno
! 2972: */
! 2973: static int
! 2974: migrate_ph2_ike_addresses(iph2, arg)
! 2975: struct ph2handle *iph2;
! 2976: void *arg;
! 2977: {
! 2978: struct migrate_args *ma = (struct migrate_args *) arg;
! 2979: struct ph1handle *iph1;
! 2980:
! 2981: /* If Phase 2 has an associated Phase 1, migrate addresses */
! 2982: if (iph2->ph1)
! 2983: migrate_ph1_ike_addresses(iph2->ph1, arg);
! 2984:
! 2985: /* Already up-to-date? */
! 2986: if (cmpsaddr(iph2->src, ma->local) == CMPSADDR_MATCH &&
! 2987: cmpsaddr(iph2->dst, ma->remote) == CMPSADDR_MATCH)
! 2988: return 0;
! 2989:
! 2990: /* save src/dst as sa_src/sa_dst before rewriting */
! 2991: if (iph2->sa_src == NULL && iph2->sa_dst == NULL) {
! 2992: iph2->sa_src = iph2->src;
! 2993: iph2->sa_dst = iph2->dst;
! 2994: iph2->src = NULL;
! 2995: iph2->dst = NULL;
! 2996: }
! 2997:
! 2998: if (iph2->src != NULL)
! 2999: racoon_free(iph2->src);
! 3000: iph2->src = dupsaddr(ma->local);
! 3001: if (iph2->src == NULL) {
! 3002: plog(LLV_ERROR, LOCATION, NULL,
! 3003: "unable to allocate Phase 2 src address.\n");
! 3004: return -1;
! 3005: }
! 3006:
! 3007: if (iph2->dst != NULL)
! 3008: racoon_free(iph2->dst);
! 3009: iph2->dst = dupsaddr(ma->remote);
! 3010: if (iph2->dst == NULL) {
! 3011: plog(LLV_ERROR, LOCATION, NULL,
! 3012: "unable to allocate Phase 2 dst address.\n");
! 3013: return -1;
! 3014: }
! 3015:
! 3016: return 0;
! 3017: }
! 3018:
! 3019: /* Consider existing Phase 2 handles with given spid and update their source
! 3020: * and destination addresses for SA. As racoon does not support bundles, if
! 3021: * we modify multiple occurrences, this probably imply rekeying has happened.
! 3022: *
! 3023: * Both addresses passed to the function are expected not to be NULL and of
! 3024: * same family. -1 is returned on error. 0 if everything went right.
! 3025: *
! 3026: * Specific care is needed to support Phase 2 for which negotiation has
! 3027: * already started but are which not yet established.
! 3028: */
! 3029: static int
! 3030: migrate_ph2_sa_addresses(iph2, args)
! 3031: struct ph2handle *iph2;
! 3032: void *args;
! 3033: {
! 3034: struct migrate_args *ma = (struct migrate_args *) args;
! 3035:
! 3036: if (iph2->sa_src != NULL) {
! 3037: racoon_free(iph2->sa_src);
! 3038: iph2->sa_src = NULL;
! 3039: }
! 3040:
! 3041: if (iph2->sa_dst != NULL) {
! 3042: racoon_free(iph2->sa_dst);
! 3043: iph2->sa_dst = NULL;
! 3044: }
! 3045:
! 3046: iph2->sa_src = dupsaddr(ma->local);
! 3047: if (iph2->sa_src == NULL) {
! 3048: plog(LLV_ERROR, LOCATION, NULL,
! 3049: "unable to allocate Phase 2 sa_src address.\n");
! 3050: return -1;
! 3051: }
! 3052:
! 3053: iph2->sa_dst = dupsaddr(ma->remote);
! 3054: if (iph2->sa_dst == NULL) {
! 3055: plog(LLV_ERROR, LOCATION, NULL,
! 3056: "unable to allocate Phase 2 sa_dst address.\n");
! 3057: return -1;
! 3058: }
! 3059:
! 3060: if (iph2->status < PHASE2ST_ESTABLISHED) {
! 3061: struct remoteconf *rmconf;
! 3062: /* We were negotiating for that SA when we received the MIGRATE.
! 3063: * We cannot simply update the addresses and let the exchange
! 3064: * go on. We have to restart the whole negotiation if we are
! 3065: * the initiator. Otherwise (acting as responder), we just need
! 3066: * to delete our ph2handle and wait for the initiator to start
! 3067: * a new negotiation. */
! 3068:
! 3069: if (iph2->ph1 && iph2->ph1->rmconf)
! 3070: rmconf = iph2->ph1->rmconf;
! 3071: else
! 3072: rmconf = getrmconf(iph2->dst, 0);
! 3073:
! 3074: if (rmconf && !rmconf->passive) {
! 3075: struct ph1handle *iph1hint;
! 3076:
! 3077: plog(LLV_WARNING, LOCATION, iph2->dst, "MIGRATE received "
! 3078: "*during* IPsec SA negotiation. As initiator, "
! 3079: "restarting it.\n");
! 3080:
! 3081: /* Turn off expiration timer ...*/
! 3082: sched_cancel(&iph2->sce);
! 3083: iph2->status = PHASE2ST_EXPIRED;
! 3084:
! 3085: /* ... clean Phase 2 handle ... */
! 3086: iph1hint = iph2->ph1;
! 3087: initph2(iph2);
! 3088: iph2->status = PHASE2ST_STATUS2;
! 3089:
! 3090: /* and start a new negotiation */
! 3091: if (isakmp_post_acquire(iph2, iph1hint, FALSE) < 0) {
! 3092: plog(LLV_ERROR, LOCATION, iph2->dst, "failed "
! 3093: "to begin IPsec SA renegotiation after "
! 3094: "MIGRATE reception.\n");
! 3095: remph2(iph2);
! 3096: delph2(iph2);
! 3097: return -1;
! 3098: }
! 3099: } else {
! 3100: plog(LLV_WARNING, LOCATION, iph2->dst, "MIGRATE received "
! 3101: "*during* IPsec SA negotiation. As responder, let's"
! 3102: "wait for the initiator to act.\n");
! 3103:
! 3104: /* Simply schedule deletion */
! 3105: isakmp_ph2expire(iph2);
! 3106: }
! 3107: }
! 3108:
! 3109: return 0;
! 3110: }
! 3111:
! 3112: /* Update SP hints (local and remote addresses) for future IKE
! 3113: * negotiations of SA associated with that SP. -1 is returned
! 3114: * on error. 0 if everything went right.
! 3115: *
! 3116: * Note: we do not maintain port information as it is not
! 3117: * expected to be meaningful --arno
! 3118: */
! 3119: static int
! 3120: migrate_sp_ike_addresses(sp, local, remote)
! 3121: struct secpolicy *sp;
! 3122: struct sockaddr *local, *remote;
! 3123: {
! 3124: if (sp == NULL || local == NULL || remote == NULL)
! 3125: return -1;
! 3126:
! 3127: if (sp->local != NULL)
! 3128: racoon_free(sp->local);
! 3129:
! 3130: sp->local = dupsaddr(local);
! 3131: if (sp->local == NULL) {
! 3132: plog(LLV_ERROR, LOCATION, NULL, "unable to allocate "
! 3133: "local hint for SP.\n");
! 3134: return -1;
! 3135: }
! 3136:
! 3137: if (sp->remote != NULL)
! 3138: racoon_free(sp->remote);
! 3139:
! 3140: sp->remote = dupsaddr(remote);
! 3141: if (sp->remote == NULL) {
! 3142: plog(LLV_ERROR, LOCATION, NULL, "unable to allocate "
! 3143: "remote hint for SP.\n");
! 3144: return -1;
! 3145: }
! 3146:
! 3147: return 0;
! 3148: }
! 3149:
! 3150: /* Given current ipsecrequest (isr_cur) to be migrated in considered
! 3151: tree, the function first checks that it matches the expected one
! 3152: (xisr_old) provided in MIGRATE message and then updates the addresses
! 3153: if it is tunnel mode (with content of xisr_new). Various other checks
! 3154: are performed. For transport mode, structures are not modified, only
! 3155: the checks are done. -1 is returned on error. */
! 3156: static int
! 3157: migrate_ph2_one_isr(spid, isr_cur, xisr_old, xisr_new)
! 3158: u_int32_t spid;
! 3159: struct ipsecrequest *isr_cur;
! 3160: struct sadb_x_ipsecrequest *xisr_old, *xisr_new;
! 3161: {
! 3162: struct secasindex *saidx = &isr_cur->saidx;
! 3163: struct sockaddr *osaddr, *odaddr, *nsaddr, *ndaddr;
! 3164: struct ph2selector ph2sel;
! 3165: struct migrate_args ma;
! 3166:
! 3167: /* First, check that mode and proto do match */
! 3168: if (xisr_old->sadb_x_ipsecrequest_proto != saidx->proto ||
! 3169: xisr_old->sadb_x_ipsecrequest_mode != saidx->mode ||
! 3170: xisr_new->sadb_x_ipsecrequest_proto != saidx->proto ||
! 3171: xisr_new->sadb_x_ipsecrequest_mode != saidx->mode)
! 3172: return -1;
! 3173:
! 3174: /* Then, verify reqid if necessary */
! 3175: if (isr_cur->saidx.reqid &&
! 3176: (xisr_old->sadb_x_ipsecrequest_reqid != IPSEC_LEVEL_UNIQUE ||
! 3177: xisr_new->sadb_x_ipsecrequest_reqid != IPSEC_LEVEL_UNIQUE ||
! 3178: isr_cur->saidx.reqid != xisr_old->sadb_x_ipsecrequest_reqid ||
! 3179: isr_cur->saidx.reqid != xisr_new->sadb_x_ipsecrequest_reqid))
! 3180: return -1;
! 3181:
! 3182: /* If not tunnel mode, our work is over */
! 3183: if (saidx->mode != IPSEC_MODE_TUNNEL) {
! 3184: plog(LLV_DEBUG, LOCATION, NULL, "SADB_X_MIGRATE: "
! 3185: "non tunnel mode isr, skipping SA address migration.\n");
! 3186: return 0;
! 3187: }
! 3188:
! 3189: /* Tunnel mode: let's check addresses do match and then update them. */
! 3190: osaddr = (struct sockaddr *)(xisr_old + 1);
! 3191: odaddr = (struct sockaddr *)(((u_int8_t *)osaddr) + sysdep_sa_len(osaddr));
! 3192: nsaddr = (struct sockaddr *)(xisr_new + 1);
! 3193: ndaddr = (struct sockaddr *)(((u_int8_t *)nsaddr) + sysdep_sa_len(nsaddr));
! 3194:
! 3195: /* Check family does match */
! 3196: if (osaddr->sa_family != odaddr->sa_family ||
! 3197: nsaddr->sa_family != ndaddr->sa_family)
! 3198: return -1;
! 3199:
! 3200: /* Check family does match */
! 3201: if (saidx->src.ss_family != osaddr->sa_family)
! 3202: return -1;
! 3203:
! 3204: /* We log IPv4 to IPv6 and IPv6 to IPv4 switches */
! 3205: if (nsaddr->sa_family != osaddr->sa_family)
! 3206: plog(LLV_INFO, LOCATION, NULL, "SADB_X_MIGRATE: "
! 3207: "changing address families (%d to %d) for endpoints.\n",
! 3208: osaddr->sa_family, nsaddr->sa_family);
! 3209:
! 3210: if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) != CMPSADDR_MATCH ||
! 3211: cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst) != CMPSADDR_MATCH) {
! 3212: plog(LLV_DEBUG, LOCATION, NULL, "SADB_X_MIGRATE: "
! 3213: "mismatch of addresses in saidx and xisr.\n");
! 3214: return -1;
! 3215: }
! 3216:
! 3217: /* Excellent. Let's grab associated Phase 2 handle (if any)
! 3218: * and update its sa_src and sa_dst entries. Note that we
! 3219: * make the assumption that racoon does not support bundles
! 3220: * and make the lookup using spid: we blindly update
! 3221: * sa_src and sa_dst for _all_ found Phase 2 handles */
! 3222: memset(&ph2sel, 0, sizeof(ph2sel));
! 3223: ph2sel.spid = spid;
! 3224:
! 3225: memset(&ma, 0, sizeof(ma));
! 3226: ma.local = nsaddr;
! 3227: ma.remote = ndaddr;
! 3228:
! 3229: if (enumph2(&ph2sel, migrate_ph2_sa_addresses, &ma) < 0)
! 3230: return -1;
! 3231:
! 3232: /* Now we can do the update of endpoints in secasindex */
! 3233: memcpy(&saidx->src, nsaddr, sysdep_sa_len(nsaddr));
! 3234: memcpy(&saidx->dst, ndaddr, sysdep_sa_len(ndaddr));
! 3235:
! 3236: return 0;
! 3237: }
! 3238:
! 3239: /* Process the raw (unparsed yet) list of sadb_x_ipsecrequests of MIGRATE
! 3240: * message. For each sadb_x_ipsecrequest pair (old followed by new),
! 3241: * the corresponding ipsecrequest entry in the SP is updated. Associated
! 3242: * existing Phase 2 handle is also updated (if any) */
! 3243: static int
! 3244: migrate_sp_isr_list(sp, xisr_list, xisr_list_len)
! 3245: struct secpolicy *sp;
! 3246: struct sadb_x_ipsecrequest *xisr_list;
! 3247: int xisr_list_len;
! 3248: {
! 3249: struct sadb_x_ipsecrequest *xisr_new, *xisr_old = xisr_list;
! 3250: int xisr_old_len, xisr_new_len;
! 3251: struct ipsecrequest *isr_cur;
! 3252:
! 3253: isr_cur = sp->req; /* ipsecrequest list from from sp */
! 3254:
! 3255: while (xisr_list_len > 0 && isr_cur != NULL) {
! 3256: /* Get old xisr (length field is in bytes) */
! 3257: xisr_old_len = xisr_old->sadb_x_ipsecrequest_len;
! 3258: if (xisr_old_len < sizeof(*xisr_old) ||
! 3259: xisr_old_len + sizeof(*xisr_new) > xisr_list_len) {
! 3260: plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
! 3261: "invalid ipsecrequest length. Exiting.\n");
! 3262: return -1;
! 3263: }
! 3264:
! 3265: /* Get new xisr with updated info */
! 3266: xisr_new = (struct sadb_x_ipsecrequest *)(((u_int8_t *)xisr_old) + xisr_old_len);
! 3267: xisr_new_len = xisr_new->sadb_x_ipsecrequest_len;
! 3268: if (xisr_new_len < sizeof(*xisr_new) ||
! 3269: xisr_new_len + xisr_old_len > xisr_list_len) {
! 3270: plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
! 3271: "invalid ipsecrequest length. Exiting.\n");
! 3272: return -1;
! 3273: }
! 3274:
! 3275: /* Start by migrating current ipsecrequest from SP */
! 3276: if (migrate_ph2_one_isr(sp->id, isr_cur, xisr_old, xisr_new) == -1) {
! 3277: plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
! 3278: "Unable to match and migrate isr. Exiting.\n");
! 3279: return -1;
! 3280: }
! 3281:
! 3282: /* Update pointers for next round */
! 3283: xisr_list_len -= xisr_old_len + xisr_new_len;
! 3284: xisr_old = (struct sadb_x_ipsecrequest *)(((u_int8_t *)xisr_new) +
! 3285: xisr_new_len);
! 3286:
! 3287: isr_cur = isr_cur->next; /* Get next ipsecrequest from SP */
! 3288: }
! 3289:
! 3290: /* Check we had the same amount of pairs in the MIGRATE
! 3291: as the number of ipsecrequests in the SP */
! 3292: if ((xisr_list_len != 0) || isr_cur != NULL) {
! 3293: plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
! 3294: "number of ipsecrequest does not match the one in SP.\n");
! 3295: return -1;
! 3296: }
! 3297:
! 3298: return 0;
! 3299: }
! 3300:
! 3301: /* Parse sadb_x_kmaddress extension and make local and remote
! 3302: * parameters point to the new addresses (zero copy). -1 is
! 3303: * returned on error, meaning that addresses are not usable */
! 3304: static int
! 3305: parse_kmaddress(kmaddr, local, remote)
! 3306: struct sadb_x_kmaddress *kmaddr;
! 3307: struct sockaddr **local, **remote;
! 3308: {
! 3309: int addrslen, local_len=0;
! 3310: struct ph1handle *iph1;
! 3311:
! 3312: if (kmaddr == NULL)
! 3313: return -1;
! 3314:
! 3315: /* Grab addresses in sadb_x_kmaddress extension */
! 3316: addrslen = PFKEY_EXTLEN(kmaddr) - sizeof(*kmaddr);
! 3317: if (addrslen < sizeof(struct sockaddr))
! 3318: return -1;
! 3319:
! 3320: *local = (struct sockaddr *)(kmaddr + 1);
! 3321:
! 3322: switch ((*local)->sa_family) {
! 3323: case AF_INET:
! 3324: local_len = sizeof(struct sockaddr_in);
! 3325: break;
! 3326: #ifdef INET6
! 3327: case AF_INET6:
! 3328: local_len = sizeof(struct sockaddr_in6);
! 3329: break;
! 3330: #endif
! 3331: default:
! 3332: return -1;
! 3333: }
! 3334:
! 3335: if (addrslen != PFKEY_ALIGN8(2*local_len))
! 3336: return -1;
! 3337:
! 3338: *remote = (struct sockaddr *)(((u_int8_t *)(*local)) + local_len);
! 3339:
! 3340: if ((*local)->sa_family != (*remote)->sa_family)
! 3341: return -1;
! 3342:
! 3343: return 0;
! 3344: }
! 3345:
! 3346: /* Handler of PF_KEY MIGRATE message. Helpers are above */
! 3347: static int
! 3348: pk_recvmigrate(mhp)
! 3349: caddr_t *mhp;
! 3350: {
! 3351: struct sadb_address *saddr, *daddr;
! 3352: struct sockaddr *old_saddr, *new_saddr;
! 3353: struct sockaddr *old_daddr, *new_daddr;
! 3354: struct sockaddr *old_local, *old_remote;
! 3355: struct sockaddr *local, *remote;
! 3356: struct sadb_x_kmaddress *kmaddr;
! 3357: struct sadb_x_policy *xpl;
! 3358: struct sadb_x_ipsecrequest *xisr_list;
! 3359: struct sadb_lifetime *lt;
! 3360: struct policyindex spidx;
! 3361: struct secpolicy *sp;
! 3362: struct ipsecrequest *isr_cur;
! 3363: struct secasindex *oldsaidx;
! 3364: struct ph2handle *iph2;
! 3365: struct ph1handle *iph1;
! 3366: struct ph2selector ph2sel;
! 3367: struct ph1selector ph1sel;
! 3368: u_int32_t spid;
! 3369: u_int64_t created;
! 3370: int xisr_list_len;
! 3371: int ulproto;
! 3372: struct migrate_args ma;
! 3373:
! 3374: /* Some sanity checks */
! 3375:
! 3376: if (mhp[0] == NULL
! 3377: || mhp[SADB_EXT_ADDRESS_SRC] == NULL
! 3378: || mhp[SADB_EXT_ADDRESS_DST] == NULL
! 3379: || mhp[SADB_X_EXT_KMADDRESS] == NULL
! 3380: || mhp[SADB_X_EXT_POLICY] == NULL) {
! 3381: plog(LLV_ERROR, LOCATION, NULL,
! 3382: "SADB_X_MIGRATE: invalid MIGRATE message received.\n");
! 3383: return -1;
! 3384: }
! 3385: kmaddr = (struct sadb_x_kmaddress *)mhp[SADB_X_EXT_KMADDRESS];
! 3386: saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
! 3387: daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
! 3388: xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
! 3389: lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
! 3390: if (lt != NULL)
! 3391: created = lt->sadb_lifetime_addtime;
! 3392: else
! 3393: created = 0;
! 3394:
! 3395: if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
! 3396: plog(LLV_WARNING, LOCATION, NULL,"SADB_X_MIGRATE: "
! 3397: "found non IPsec policy in MIGRATE message. Exiting.\n");
! 3398: return -1;
! 3399: }
! 3400:
! 3401: if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) {
! 3402: plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
! 3403: "invalid size for sadb_x_policy. Exiting.\n");
! 3404: return -1;
! 3405: }
! 3406:
! 3407: /* Some logging to help debbugging */
! 3408: if (xpl->sadb_x_policy_dir == IPSEC_DIR_OUTBOUND)
! 3409: plog(LLV_DEBUG, LOCATION, NULL,
! 3410: "SADB_X_MIGRATE: Outbound SA being migrated.\n");
! 3411: else
! 3412: plog(LLV_DEBUG, LOCATION, NULL,
! 3413: "SADB_X_MIGRATE: Inbound SA being migrated.\n");
! 3414:
! 3415: /* validity check */
! 3416: xisr_list = (struct sadb_x_ipsecrequest *)(xpl + 1);
! 3417: xisr_list_len = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
! 3418: if (xisr_list_len < sizeof(*xisr_list)) {
! 3419: plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
! 3420: "invalid sadb_x_policy message length. Exiting.\n");
! 3421: return -1;
! 3422: }
! 3423:
! 3424: if (parse_kmaddress(kmaddr, &local, &remote) == -1) {
! 3425: plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
! 3426: "invalid sadb_x_kmaddress extension. Exiting.\n");
! 3427: return -1;
! 3428: }
! 3429:
! 3430: /* 0 means ANY */
! 3431: if (saddr->sadb_address_proto == 0)
! 3432: ulproto = IPSEC_ULPROTO_ANY;
! 3433: else
! 3434: ulproto = saddr->sadb_address_proto;
! 3435:
! 3436: #ifdef HAVE_PFKEY_POLICY_PRIORITY
! 3437: KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
! 3438: saddr + 1,
! 3439: daddr + 1,
! 3440: saddr->sadb_address_prefixlen,
! 3441: daddr->sadb_address_prefixlen,
! 3442: ulproto,
! 3443: xpl->sadb_x_policy_priority,
! 3444: created,
! 3445: &spidx);
! 3446: #else
! 3447: KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
! 3448: saddr + 1,
! 3449: daddr + 1,
! 3450: saddr->sadb_address_prefixlen,
! 3451: daddr->sadb_address_prefixlen,
! 3452: ulproto,
! 3453: created,
! 3454: &spidx);
! 3455: #endif
! 3456:
! 3457: /* Everything seems ok, let's get the SP.
! 3458: *
! 3459: * XXX We could also do the lookup using the spid from xpl.
! 3460: * I don't know which one is better. --arno */
! 3461: sp = getsp(&spidx);
! 3462: if (sp == NULL) {
! 3463: plog(LLV_ERROR, LOCATION, NULL,
! 3464: "SADB_X_MIGRATE: Passed policy does not exist: %s\n",
! 3465: spidx2str(&spidx));
! 3466: return -1;
! 3467: }
! 3468:
! 3469: /* Get the best source and destination addresses used for IKE
! 3470: * negotiation, to find and migrate existing Phase 1 */
! 3471: if (sp->local && sp->remote) {
! 3472: /* hints available, let's use them */
! 3473: old_local = (struct sockaddr *)sp->local;
! 3474: old_remote = (struct sockaddr *)sp->remote;
! 3475: } else if (sp->req && sp->req->saidx.mode == IPSEC_MODE_TUNNEL) {
! 3476: /* Tunnel mode and no hint, use endpoints */
! 3477: old_local = (struct sockaddr *)&sp->req->saidx.src;
! 3478: old_remote = (struct sockaddr *)&sp->req->saidx.dst;
! 3479: } else {
! 3480: /* default, use selectors as fallback */
! 3481: old_local = (struct sockaddr *)&sp->spidx.src;
! 3482: old_remote = (struct sockaddr *)&sp->spidx.dst;
! 3483: }
! 3484:
! 3485: /* We migrate all Phase 1 that match our old local and remote
! 3486: * addresses (no matter their state).
! 3487: *
! 3488: * XXX In fact, we should probably havea special treatment for
! 3489: * Phase 1 that are being established when we receive a MIGRATE.
! 3490: * This can happen if a movement occurs during the initial IKE
! 3491: * negotiation. In that case, I wonder if should restart the
! 3492: * negotiation from the new address or just update things like
! 3493: * we do it now.
! 3494: *
! 3495: * XXX while looking at getph1byaddr(), the comment at the
! 3496: * beginning of the function expects comparison to happen
! 3497: * without ports considerations but it uses CMPSADDR() which
! 3498: * relies either on cmpsaddrstrict() or cmpsaddrwop() based
! 3499: * on NAT-T support being activated. That make me wonder if I
! 3500: * should force ports to 0 (ANY) in local and remote values
! 3501: * used below.
! 3502: *
! 3503: * -- arno */
! 3504:
! 3505: /* Apply callback data ...*/
! 3506: memset(&ma, 0, sizeof(ma));
! 3507: ma.local = local;
! 3508: ma.remote = remote;
! 3509:
! 3510: /* Fill phase1 match criteria ... */
! 3511: memset(&ph1sel, 0, sizeof(ph1sel));
! 3512: ph1sel.local = old_local;
! 3513: ph1sel.remote = old_remote;
! 3514:
! 3515:
! 3516: /* Have matching Phase 1 found and addresses updated. As this is a
! 3517: * time consuming task on a busy responder, and MIGRATE messages
! 3518: * are always sent for *both* inbound and outbound (and possibly
! 3519: * forward), we only do that for outbound SP. */
! 3520: if (xpl->sadb_x_policy_dir == IPSEC_DIR_OUTBOUND &&
! 3521: enumph1(&ph1sel, migrate_ph1_ike_addresses, &ma) < 0) {
! 3522: plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: Unable "
! 3523: "to migrate Phase 1 addresses.\n");
! 3524: return -1;
! 3525: }
! 3526:
! 3527: /* We can now update IKE addresses in Phase 2 handle. */
! 3528: memset(&ph2sel, 0, sizeof(ph2sel));
! 3529: ph2sel.spid = sp->id;
! 3530: if (enumph2(&ph2sel, migrate_ph2_ike_addresses, &ma) < 0) {
! 3531: plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: Unable "
! 3532: "to migrate Phase 2 IKE addresses.\n");
! 3533: return -1;
! 3534: }
! 3535:
! 3536: /* and _then_ in SP. */
! 3537: if (migrate_sp_ike_addresses(sp, local, remote) < 0) {
! 3538: plog(LLV_ERROR, LOCATION, NULL,
! 3539: "SADB_X_MIGRATE: Unable to migrate SP IKE addresses.\n");
! 3540: return -1;
! 3541: }
! 3542:
! 3543: /* Loop on sadb_x_ipsecrequest list to possibly update sp->req
! 3544: * entries and associated live Phase 2 handles (their sa_src
! 3545: * and sa_dst) */
! 3546: if (migrate_sp_isr_list(sp, xisr_list, xisr_list_len) < 0) {
! 3547: plog(LLV_ERROR, LOCATION, NULL,
! 3548: "SADB_X_MIGRATE: Unable to migrate isr list.\n");
! 3549: return -1;
! 3550: }
! 3551:
! 3552: return 0;
! 3553: }
! 3554: #endif
! 3555:
! 3556: /*
! 3557: * send error against acquire message to kernel.
! 3558: */
! 3559: int
! 3560: pk_sendeacquire(iph2)
! 3561: struct ph2handle *iph2;
! 3562: {
! 3563: struct sadb_msg *newmsg;
! 3564: int len;
! 3565:
! 3566: len = sizeof(struct sadb_msg);
! 3567: newmsg = racoon_calloc(1, len);
! 3568: if (newmsg == NULL) {
! 3569: plog(LLV_ERROR, LOCATION, NULL,
! 3570: "failed to get buffer to send acquire.\n");
! 3571: return -1;
! 3572: }
! 3573:
! 3574: memset(newmsg, 0, len);
! 3575: newmsg->sadb_msg_version = PF_KEY_V2;
! 3576: newmsg->sadb_msg_type = SADB_ACQUIRE;
! 3577: newmsg->sadb_msg_errno = ENOENT; /* XXX */
! 3578: newmsg->sadb_msg_satype = iph2->satype;
! 3579: newmsg->sadb_msg_len = PFKEY_UNIT64(len);
! 3580: newmsg->sadb_msg_reserved = 0;
! 3581: newmsg->sadb_msg_seq = iph2->seq;
! 3582: newmsg->sadb_msg_pid = (u_int32_t)getpid();
! 3583:
! 3584: /* send message */
! 3585: len = pfkey_send(lcconf->sock_pfkey, newmsg, len);
! 3586:
! 3587: racoon_free(newmsg);
! 3588:
! 3589: return 0;
! 3590: }
! 3591:
! 3592: /*
! 3593: * check if the algorithm is supported or not.
! 3594: * OUT 0: ok
! 3595: * -1: ng
! 3596: */
! 3597: int
! 3598: pk_checkalg(class, calg, keylen)
! 3599: int class, calg, keylen;
! 3600: {
! 3601: int sup, error;
! 3602: u_int alg;
! 3603: struct sadb_alg alg0;
! 3604:
! 3605: switch (algclass2doi(class)) {
! 3606: case IPSECDOI_PROTO_IPSEC_ESP:
! 3607: sup = SADB_EXT_SUPPORTED_ENCRYPT;
! 3608: break;
! 3609: case IPSECDOI_ATTR_AUTH:
! 3610: sup = SADB_EXT_SUPPORTED_AUTH;
! 3611: break;
! 3612: case IPSECDOI_PROTO_IPCOMP:
! 3613: plog(LLV_DEBUG, LOCATION, NULL,
! 3614: "no check of compression algorithm; "
! 3615: "not supported in sadb message.\n");
! 3616: return 0;
! 3617: default:
! 3618: plog(LLV_ERROR, LOCATION, NULL,
! 3619: "invalid algorithm class.\n");
! 3620: return -1;
! 3621: }
! 3622: alg = ipsecdoi2pfkey_alg(algclass2doi(class), algtype2doi(class, calg));
! 3623: if (alg == ~0)
! 3624: return -1;
! 3625:
! 3626: if (keylen == 0) {
! 3627: if (ipsec_get_keylen(sup, alg, &alg0)) {
! 3628: plog(LLV_ERROR, LOCATION, NULL,
! 3629: "%s.\n", ipsec_strerror());
! 3630: return -1;
! 3631: }
! 3632: keylen = alg0.sadb_alg_minbits;
! 3633: }
! 3634:
! 3635: error = ipsec_check_keylen(sup, alg, keylen);
! 3636: if (error)
! 3637: plog(LLV_ERROR, LOCATION, NULL,
! 3638: "%s.\n", ipsec_strerror());
! 3639:
! 3640: return error;
! 3641: }
! 3642:
! 3643: /*
! 3644: * differences with pfkey_recv() in libipsec/pfkey.c:
! 3645: * - never performs busy wait loop.
! 3646: * - returns NULL and set *lenp to negative on fatal failures
! 3647: * - returns NULL and set *lenp to non-negative on non-fatal failures
! 3648: * - returns non-NULL on success
! 3649: */
! 3650: static struct sadb_msg *
! 3651: pk_recv(so, lenp)
! 3652: int so;
! 3653: int *lenp;
! 3654: {
! 3655: struct sadb_msg buf, *newmsg;
! 3656: int reallen;
! 3657: int retry = 0;
! 3658:
! 3659: *lenp = -1;
! 3660: do
! 3661: {
! 3662: plog(LLV_DEBUG, LOCATION, NULL, "pk_recv: retry[%d] recv() \n", retry );
! 3663: *lenp = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK | MSG_DONTWAIT);
! 3664: retry++;
! 3665: }
! 3666: while (*lenp < 0 && errno == EAGAIN && retry < 3);
! 3667:
! 3668: if (*lenp < 0)
! 3669: return NULL; /*fatal*/
! 3670:
! 3671: else if (*lenp < sizeof(buf))
! 3672: return NULL;
! 3673:
! 3674: reallen = PFKEY_UNUNIT64(buf.sadb_msg_len);
! 3675: if (reallen < sizeof(buf)) {
! 3676: *lenp = -1;
! 3677: errno = EIO;
! 3678: return NULL; /*fatal*/
! 3679: }
! 3680: if ((newmsg = racoon_calloc(1, reallen)) == NULL)
! 3681: return NULL;
! 3682:
! 3683: *lenp = recv(so, (caddr_t)newmsg, reallen, MSG_PEEK);
! 3684: if (*lenp < 0) {
! 3685: racoon_free(newmsg);
! 3686: return NULL; /*fatal*/
! 3687: } else if (*lenp != reallen) {
! 3688: racoon_free(newmsg);
! 3689: return NULL;
! 3690: }
! 3691:
! 3692: *lenp = recv(so, (caddr_t)newmsg, reallen, 0);
! 3693: if (*lenp < 0) {
! 3694: racoon_free(newmsg);
! 3695: return NULL; /*fatal*/
! 3696: } else if (*lenp != reallen) {
! 3697: racoon_free(newmsg);
! 3698: return NULL;
! 3699: }
! 3700:
! 3701: return newmsg;
! 3702: }
! 3703:
! 3704: /* see handler.h */
! 3705: u_int32_t
! 3706: pk_getseq()
! 3707: {
! 3708: return eay_random();
! 3709: }
! 3710:
! 3711: static int
! 3712: addnewsp(mhp, local, remote)
! 3713: caddr_t *mhp;
! 3714: struct sockaddr *local, *remote;
! 3715: {
! 3716: struct secpolicy *new = NULL;
! 3717: struct sadb_address *saddr, *daddr;
! 3718: struct sadb_x_policy *xpl;
! 3719: struct sadb_lifetime *lt;
! 3720: u_int64_t created;
! 3721:
! 3722: /* sanity check */
! 3723: if (mhp[SADB_EXT_ADDRESS_SRC] == NULL
! 3724: || mhp[SADB_EXT_ADDRESS_DST] == NULL
! 3725: || mhp[SADB_X_EXT_POLICY] == NULL) {
! 3726: plog(LLV_ERROR, LOCATION, NULL,
! 3727: "inappropriate sadb spd management message passed.\n");
! 3728: goto bad;
! 3729: }
! 3730:
! 3731: saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
! 3732: daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
! 3733: xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
! 3734: lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
! 3735: if(lt != NULL)
! 3736: created = lt->sadb_lifetime_addtime;
! 3737: else
! 3738: created = 0;
! 3739: lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
! 3740: if(lt != NULL)
! 3741: created = lt->sadb_lifetime_addtime;
! 3742: else
! 3743: created = 0;
! 3744:
! 3745: #ifdef __linux__
! 3746: /* bsd skips over per-socket policies because there will be no
! 3747: * src and dst extensions in spddump messages. On Linux the only
! 3748: * way to achieve the same is check for policy id.
! 3749: */
! 3750: if (xpl->sadb_x_policy_id % 8 >= 3) return 0;
! 3751: #endif
! 3752:
! 3753: new = newsp();
! 3754: if (new == NULL) {
! 3755: plog(LLV_ERROR, LOCATION, NULL,
! 3756: "failed to allocate buffer\n");
! 3757: goto bad;
! 3758: }
! 3759:
! 3760: new->spidx.dir = xpl->sadb_x_policy_dir;
! 3761: new->id = xpl->sadb_x_policy_id;
! 3762: new->policy = xpl->sadb_x_policy_type;
! 3763: new->req = NULL;
! 3764:
! 3765: /* check policy */
! 3766: switch (xpl->sadb_x_policy_type) {
! 3767: case IPSEC_POLICY_DISCARD:
! 3768: case IPSEC_POLICY_NONE:
! 3769: case IPSEC_POLICY_ENTRUST:
! 3770: case IPSEC_POLICY_BYPASS:
! 3771: break;
! 3772:
! 3773: case IPSEC_POLICY_IPSEC:
! 3774: {
! 3775: int tlen;
! 3776: struct sadb_x_ipsecrequest *xisr;
! 3777: struct ipsecrequest **p_isr = &new->req;
! 3778:
! 3779: /* validity check */
! 3780: if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) {
! 3781: plog(LLV_ERROR, LOCATION, NULL,
! 3782: "invalid msg length.\n");
! 3783: goto bad;
! 3784: }
! 3785:
! 3786: tlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
! 3787: xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
! 3788:
! 3789: while (tlen > 0) {
! 3790:
! 3791: /* length check */
! 3792: if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) {
! 3793: plog(LLV_ERROR, LOCATION, NULL,
! 3794: "invalid msg length.\n");
! 3795: goto bad;
! 3796: }
! 3797:
! 3798: /* allocate request buffer */
! 3799: *p_isr = newipsecreq();
! 3800: if (*p_isr == NULL) {
! 3801: plog(LLV_ERROR, LOCATION, NULL,
! 3802: "failed to get new ipsecreq.\n");
! 3803: goto bad;
! 3804: }
! 3805:
! 3806: /* set values */
! 3807: (*p_isr)->next = NULL;
! 3808:
! 3809: switch (xisr->sadb_x_ipsecrequest_proto) {
! 3810: case IPPROTO_ESP:
! 3811: case IPPROTO_AH:
! 3812: case IPPROTO_IPCOMP:
! 3813: break;
! 3814: default:
! 3815: plog(LLV_ERROR, LOCATION, NULL,
! 3816: "invalid proto type: %u\n",
! 3817: xisr->sadb_x_ipsecrequest_proto);
! 3818: goto bad;
! 3819: }
! 3820: (*p_isr)->saidx.proto = xisr->sadb_x_ipsecrequest_proto;
! 3821:
! 3822: switch (xisr->sadb_x_ipsecrequest_mode) {
! 3823: case IPSEC_MODE_TRANSPORT:
! 3824: case IPSEC_MODE_TUNNEL:
! 3825: break;
! 3826: case IPSEC_MODE_ANY:
! 3827: default:
! 3828: plog(LLV_ERROR, LOCATION, NULL,
! 3829: "invalid mode: %u\n",
! 3830: xisr->sadb_x_ipsecrequest_mode);
! 3831: goto bad;
! 3832: }
! 3833: (*p_isr)->saidx.mode = xisr->sadb_x_ipsecrequest_mode;
! 3834:
! 3835: switch (xisr->sadb_x_ipsecrequest_level) {
! 3836: case IPSEC_LEVEL_DEFAULT:
! 3837: case IPSEC_LEVEL_USE:
! 3838: case IPSEC_LEVEL_REQUIRE:
! 3839: break;
! 3840: case IPSEC_LEVEL_UNIQUE:
! 3841: (*p_isr)->saidx.reqid =
! 3842: xisr->sadb_x_ipsecrequest_reqid;
! 3843: break;
! 3844:
! 3845: default:
! 3846: plog(LLV_ERROR, LOCATION, NULL,
! 3847: "invalid level: %u\n",
! 3848: xisr->sadb_x_ipsecrequest_level);
! 3849: goto bad;
! 3850: }
! 3851: (*p_isr)->level = xisr->sadb_x_ipsecrequest_level;
! 3852:
! 3853: /* set IP addresses if there */
! 3854: if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
! 3855: struct sockaddr *paddr;
! 3856:
! 3857: paddr = (struct sockaddr *)(xisr + 1);
! 3858: bcopy(paddr, &(*p_isr)->saidx.src,
! 3859: sysdep_sa_len(paddr));
! 3860:
! 3861: paddr = (struct sockaddr *)((caddr_t)paddr
! 3862: + sysdep_sa_len(paddr));
! 3863: bcopy(paddr, &(*p_isr)->saidx.dst,
! 3864: sysdep_sa_len(paddr));
! 3865: }
! 3866:
! 3867: (*p_isr)->sp = new;
! 3868:
! 3869: /* initialization for the next. */
! 3870: p_isr = &(*p_isr)->next;
! 3871: tlen -= xisr->sadb_x_ipsecrequest_len;
! 3872:
! 3873: /* validity check */
! 3874: if (tlen < 0) {
! 3875: plog(LLV_ERROR, LOCATION, NULL,
! 3876: "becoming tlen < 0\n");
! 3877: }
! 3878:
! 3879: xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
! 3880: + xisr->sadb_x_ipsecrequest_len);
! 3881: }
! 3882: }
! 3883: break;
! 3884: default:
! 3885: plog(LLV_ERROR, LOCATION, NULL,
! 3886: "invalid policy type.\n");
! 3887: goto bad;
! 3888: }
! 3889:
! 3890: #ifdef HAVE_PFKEY_POLICY_PRIORITY
! 3891: KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
! 3892: saddr + 1,
! 3893: daddr + 1,
! 3894: saddr->sadb_address_prefixlen,
! 3895: daddr->sadb_address_prefixlen,
! 3896: saddr->sadb_address_proto,
! 3897: xpl->sadb_x_policy_priority,
! 3898: created,
! 3899: &new->spidx);
! 3900: #else
! 3901: KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
! 3902: saddr + 1,
! 3903: daddr + 1,
! 3904: saddr->sadb_address_prefixlen,
! 3905: daddr->sadb_address_prefixlen,
! 3906: saddr->sadb_address_proto,
! 3907: created,
! 3908: &new->spidx);
! 3909: #endif
! 3910:
! 3911: #ifdef HAVE_SECCTX
! 3912: if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
! 3913: struct sadb_x_sec_ctx *ctx;
! 3914:
! 3915: ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
! 3916: new->spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
! 3917: new->spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
! 3918: new->spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
! 3919: memcpy(new->spidx.sec_ctx.ctx_str,ctx + 1,ctx->sadb_x_ctx_len);
! 3920: }
! 3921: #endif /* HAVE_SECCTX */
! 3922:
! 3923: /* Set local and remote hints for that SP, if available */
! 3924: if (local && remote) {
! 3925: new->local = dupsaddr(local);
! 3926: new->remote = dupsaddr(remote);
! 3927: }
! 3928:
! 3929: inssp(new);
! 3930:
! 3931: return 0;
! 3932: bad:
! 3933: if (new != NULL) {
! 3934: if (new->req != NULL)
! 3935: racoon_free(new->req);
! 3936: racoon_free(new);
! 3937: }
! 3938: return -1;
! 3939: }
! 3940:
! 3941: /* proto/mode/src->dst spi */
! 3942: const char *
! 3943: sadbsecas2str(src, dst, proto, spi, mode)
! 3944: struct sockaddr *src, *dst;
! 3945: int proto;
! 3946: u_int32_t spi;
! 3947: int mode;
! 3948: {
! 3949: static char buf[256];
! 3950: u_int doi_proto, doi_mode = 0;
! 3951: char *p;
! 3952: int blen, i;
! 3953:
! 3954: doi_proto = pfkey2ipsecdoi_proto(proto);
! 3955: if (doi_proto == ~0)
! 3956: return NULL;
! 3957: if (mode) {
! 3958: doi_mode = pfkey2ipsecdoi_mode(mode);
! 3959: if (doi_mode == ~0)
! 3960: return NULL;
! 3961: }
! 3962:
! 3963: blen = sizeof(buf) - 1;
! 3964: p = buf;
! 3965:
! 3966: i = snprintf(p, blen, "%s%s%s ",
! 3967: s_ipsecdoi_proto(doi_proto),
! 3968: mode ? "/" : "",
! 3969: mode ? s_ipsecdoi_encmode(doi_mode) : "");
! 3970: if (i < 0 || i >= blen)
! 3971: return NULL;
! 3972: p += i;
! 3973: blen -= i;
! 3974:
! 3975: i = snprintf(p, blen, "%s->", saddr2str(src));
! 3976: if (i < 0 || i >= blen)
! 3977: return NULL;
! 3978: p += i;
! 3979: blen -= i;
! 3980:
! 3981: i = snprintf(p, blen, "%s ", saddr2str(dst));
! 3982: if (i < 0 || i >= blen)
! 3983: return NULL;
! 3984: p += i;
! 3985: blen -= i;
! 3986:
! 3987: if (spi) {
! 3988: snprintf(p, blen, "spi=%lu(0x%lx)", (unsigned long)ntohl(spi),
! 3989: (unsigned long)ntohl(spi));
! 3990: }
! 3991:
! 3992: return buf;
! 3993: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to pfkey.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / ipsec-tools / src / racoon