]>
Commit | Line | Data |
---|---|---|
8429abe0 RW |
1 | /* $OpenBSD$ */ |
2 | ||
3 | /* | |
4 | * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> | |
5 | * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org> | |
6 | * | |
7 | * Permission to use, copy, modify, and distribute this software for any | |
8 | * purpose with or without fee is hereby granted, provided that the above | |
9 | * copyright notice and this permission notice appear in all copies. | |
10 | * | |
11 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | |
12 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | |
13 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | |
14 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | |
15 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | |
16 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | |
17 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | |
18 | */ | |
19 | ||
b45ac5f5 DL |
20 | #ifdef HAVE_CONFIG_H |
21 | #include "config.h" | |
22 | #endif | |
23 | ||
eac6e3f0 | 24 | #ifdef __OpenBSD__ |
8429abe0 | 25 | #include <sys/types.h> |
eac6e3f0 | 26 | #include <sys/socket.h> |
8429abe0 RW |
27 | #include <errno.h> |
28 | #include <stdlib.h> | |
29 | #include <string.h> | |
30 | #include <unistd.h> | |
31 | ||
32 | #include "ldpd.h" | |
33 | #include "ldpe.h" | |
34 | #include "log.h" | |
35 | ||
36 | static int pfkey_send(int, uint8_t, uint8_t, uint8_t, | |
37 | int, union ldpd_addr *, union ldpd_addr *, | |
38 | uint32_t, uint8_t, int, char *, uint8_t, int, char *, | |
39 | uint16_t, uint16_t); | |
40 | static int pfkey_reply(int, uint32_t *); | |
41 | static int pfkey_sa_add(int, union ldpd_addr *, union ldpd_addr *, | |
42 | uint8_t, char *, uint32_t *); | |
43 | static int pfkey_sa_remove(int, union ldpd_addr *, union ldpd_addr *, | |
44 | uint32_t *); | |
45 | static int pfkey_md5sig_establish(struct nbr *, struct nbr_params *nbrp); | |
46 | static int pfkey_md5sig_remove(struct nbr *); | |
47 | ||
48 | #define PFKEY2_CHUNK sizeof(uint64_t) | |
49 | #define ROUNDUP(x) (((x) + (PFKEY2_CHUNK - 1)) & ~(PFKEY2_CHUNK - 1)) | |
50 | #define IOV_CNT 20 | |
51 | ||
52 | static uint32_t sadb_msg_seq; | |
53 | static uint32_t pid; /* should pid_t but pfkey needs uint32_t */ | |
54 | static int fd; | |
55 | ||
56 | static int | |
57 | pfkey_send(int sd, uint8_t satype, uint8_t mtype, uint8_t dir, | |
58 | int af, union ldpd_addr *src, union ldpd_addr *dst, uint32_t spi, | |
59 | uint8_t aalg, int alen, char *akey, uint8_t ealg, int elen, char *ekey, | |
60 | uint16_t sport, uint16_t dport) | |
61 | { | |
62 | struct sadb_msg smsg; | |
63 | struct sadb_sa sa; | |
64 | struct sadb_address sa_src, sa_dst; | |
65 | struct sadb_key sa_akey, sa_ekey; | |
66 | struct sadb_spirange sa_spirange; | |
67 | struct iovec iov[IOV_CNT]; | |
68 | ssize_t n; | |
69 | int len = 0; | |
70 | int iov_cnt; | |
4149ef7c A |
71 | struct sockaddr_storage smask, dmask; |
72 | union sockunion su_src, su_dst; | |
8429abe0 RW |
73 | |
74 | if (!pid) | |
75 | pid = getpid(); | |
76 | ||
77 | /* we need clean sockaddr... no ports set */ | |
8429abe0 | 78 | memset(&smask, 0, sizeof(smask)); |
4149ef7c A |
79 | |
80 | addr2sa(af, src, 0, &su_src); | |
81 | ||
8429abe0 RW |
82 | switch (af) { |
83 | case AF_INET: | |
84 | memset(&((struct sockaddr_in *)&smask)->sin_addr, 0xff, 32/8); | |
85 | break; | |
86 | case AF_INET6: | |
87 | memset(&((struct sockaddr_in6 *)&smask)->sin6_addr, 0xff, | |
88 | 128/8); | |
89 | break; | |
90 | default: | |
91 | return (-1); | |
92 | } | |
4149ef7c A |
93 | smask.ss_family = su_src.sa.sa_family; |
94 | smask.ss_len = sockaddr_len(&su_src.sa); | |
8429abe0 | 95 | |
8429abe0 | 96 | memset(&dmask, 0, sizeof(dmask)); |
4149ef7c A |
97 | |
98 | addr2sa(af, dst, 0, &su_dst); | |
99 | ||
8429abe0 RW |
100 | switch (af) { |
101 | case AF_INET: | |
102 | memset(&((struct sockaddr_in *)&dmask)->sin_addr, 0xff, 32/8); | |
103 | break; | |
104 | case AF_INET6: | |
105 | memset(&((struct sockaddr_in6 *)&dmask)->sin6_addr, 0xff, | |
106 | 128/8); | |
107 | break; | |
108 | default: | |
109 | return (-1); | |
110 | } | |
4149ef7c A |
111 | dmask.ss_family = su_dst.sa.sa_family; |
112 | dmask.ss_len = sockaddr_len(&su_dst.sa); | |
8429abe0 RW |
113 | |
114 | memset(&smsg, 0, sizeof(smsg)); | |
115 | smsg.sadb_msg_version = PF_KEY_V2; | |
116 | smsg.sadb_msg_seq = ++sadb_msg_seq; | |
117 | smsg.sadb_msg_pid = pid; | |
118 | smsg.sadb_msg_len = sizeof(smsg) / 8; | |
119 | smsg.sadb_msg_type = mtype; | |
120 | smsg.sadb_msg_satype = satype; | |
121 | ||
122 | switch (mtype) { | |
123 | case SADB_GETSPI: | |
124 | memset(&sa_spirange, 0, sizeof(sa_spirange)); | |
125 | sa_spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE; | |
126 | sa_spirange.sadb_spirange_len = sizeof(sa_spirange) / 8; | |
127 | sa_spirange.sadb_spirange_min = 0x100; | |
128 | sa_spirange.sadb_spirange_max = 0xffffffff; | |
129 | sa_spirange.sadb_spirange_reserved = 0; | |
130 | break; | |
131 | case SADB_ADD: | |
132 | case SADB_UPDATE: | |
133 | case SADB_DELETE: | |
134 | memset(&sa, 0, sizeof(sa)); | |
135 | sa.sadb_sa_exttype = SADB_EXT_SA; | |
136 | sa.sadb_sa_len = sizeof(sa) / 8; | |
137 | sa.sadb_sa_replay = 0; | |
ffdc293b | 138 | sa.sadb_sa_spi = htonl(spi); |
8429abe0 RW |
139 | sa.sadb_sa_state = SADB_SASTATE_MATURE; |
140 | break; | |
141 | } | |
142 | ||
143 | memset(&sa_src, 0, sizeof(sa_src)); | |
144 | sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; | |
4149ef7c A |
145 | sa_src.sadb_address_len = |
146 | (sizeof(sa_src) + ROUNDUP(sockaddr_len(&su_src.sa))) / 8; | |
8429abe0 RW |
147 | |
148 | memset(&sa_dst, 0, sizeof(sa_dst)); | |
149 | sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; | |
4149ef7c A |
150 | sa_dst.sadb_address_len = |
151 | (sizeof(sa_dst) + ROUNDUP(sockaddr_len(&su_dst.sa))) / 8; | |
8429abe0 RW |
152 | |
153 | sa.sadb_sa_auth = aalg; | |
154 | sa.sadb_sa_encrypt = SADB_X_EALG_AES; /* XXX */ | |
155 | ||
156 | switch (mtype) { | |
157 | case SADB_ADD: | |
158 | case SADB_UPDATE: | |
159 | memset(&sa_akey, 0, sizeof(sa_akey)); | |
160 | sa_akey.sadb_key_exttype = SADB_EXT_KEY_AUTH; | |
161 | sa_akey.sadb_key_len = (sizeof(sa_akey) + | |
162 | ((alen + 7) / 8) * 8) / 8; | |
163 | sa_akey.sadb_key_bits = 8 * alen; | |
164 | ||
165 | memset(&sa_ekey, 0, sizeof(sa_ekey)); | |
166 | sa_ekey.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; | |
167 | sa_ekey.sadb_key_len = (sizeof(sa_ekey) + | |
168 | ((elen + 7) / 8) * 8) / 8; | |
169 | sa_ekey.sadb_key_bits = 8 * elen; | |
170 | ||
171 | break; | |
172 | } | |
173 | ||
174 | iov_cnt = 0; | |
175 | ||
176 | /* msghdr */ | |
177 | iov[iov_cnt].iov_base = &smsg; | |
178 | iov[iov_cnt].iov_len = sizeof(smsg); | |
179 | iov_cnt++; | |
180 | ||
181 | switch (mtype) { | |
182 | case SADB_ADD: | |
183 | case SADB_UPDATE: | |
184 | case SADB_DELETE: | |
185 | /* SA hdr */ | |
186 | iov[iov_cnt].iov_base = &sa; | |
187 | iov[iov_cnt].iov_len = sizeof(sa); | |
188 | smsg.sadb_msg_len += sa.sadb_sa_len; | |
189 | iov_cnt++; | |
190 | break; | |
191 | case SADB_GETSPI: | |
192 | /* SPI range */ | |
193 | iov[iov_cnt].iov_base = &sa_spirange; | |
194 | iov[iov_cnt].iov_len = sizeof(sa_spirange); | |
195 | smsg.sadb_msg_len += sa_spirange.sadb_spirange_len; | |
196 | iov_cnt++; | |
197 | break; | |
198 | } | |
199 | ||
200 | /* dest addr */ | |
201 | iov[iov_cnt].iov_base = &sa_dst; | |
202 | iov[iov_cnt].iov_len = sizeof(sa_dst); | |
203 | iov_cnt++; | |
4149ef7c A |
204 | iov[iov_cnt].iov_base = &su_dst; |
205 | iov[iov_cnt].iov_len = ROUNDUP(sockaddr_len(&su_dst.sa)); | |
8429abe0 RW |
206 | smsg.sadb_msg_len += sa_dst.sadb_address_len; |
207 | iov_cnt++; | |
208 | ||
209 | /* src addr */ | |
210 | iov[iov_cnt].iov_base = &sa_src; | |
211 | iov[iov_cnt].iov_len = sizeof(sa_src); | |
212 | iov_cnt++; | |
4149ef7c A |
213 | iov[iov_cnt].iov_base = &su_src; |
214 | iov[iov_cnt].iov_len = ROUNDUP(sockaddr_len(&su_src.sa)); | |
8429abe0 RW |
215 | smsg.sadb_msg_len += sa_src.sadb_address_len; |
216 | iov_cnt++; | |
217 | ||
218 | switch (mtype) { | |
219 | case SADB_ADD: | |
220 | case SADB_UPDATE: | |
221 | if (alen) { | |
222 | /* auth key */ | |
223 | iov[iov_cnt].iov_base = &sa_akey; | |
224 | iov[iov_cnt].iov_len = sizeof(sa_akey); | |
225 | iov_cnt++; | |
226 | iov[iov_cnt].iov_base = akey; | |
227 | iov[iov_cnt].iov_len = ((alen + 7) / 8) * 8; | |
228 | smsg.sadb_msg_len += sa_akey.sadb_key_len; | |
229 | iov_cnt++; | |
230 | } | |
231 | if (elen) { | |
232 | /* encryption key */ | |
233 | iov[iov_cnt].iov_base = &sa_ekey; | |
234 | iov[iov_cnt].iov_len = sizeof(sa_ekey); | |
235 | iov_cnt++; | |
236 | iov[iov_cnt].iov_base = ekey; | |
237 | iov[iov_cnt].iov_len = ((elen + 7) / 8) * 8; | |
238 | smsg.sadb_msg_len += sa_ekey.sadb_key_len; | |
239 | iov_cnt++; | |
240 | } | |
241 | break; | |
242 | } | |
243 | ||
244 | len = smsg.sadb_msg_len * 8; | |
245 | do { | |
246 | n = writev(sd, iov, iov_cnt); | |
247 | } while (n == -1 && (errno == EAGAIN || errno == EINTR)); | |
248 | ||
249 | if (n == -1) { | |
250 | log_warn("writev (%d/%d)", iov_cnt, len); | |
251 | return (-1); | |
252 | } | |
253 | ||
254 | return (0); | |
255 | } | |
256 | ||
257 | int | |
258 | pfkey_read(int sd, struct sadb_msg *h) | |
259 | { | |
260 | struct sadb_msg hdr; | |
261 | ||
262 | if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) { | |
263 | if (errno == EAGAIN || errno == EINTR) | |
264 | return (0); | |
265 | log_warn("pfkey peek"); | |
266 | return (-1); | |
267 | } | |
268 | ||
269 | /* XXX: Only one message can be outstanding. */ | |
270 | if (hdr.sadb_msg_seq == sadb_msg_seq && | |
271 | hdr.sadb_msg_pid == pid) { | |
272 | if (h) | |
273 | *h = hdr; | |
274 | return (0); | |
275 | } | |
276 | ||
277 | /* not ours, discard */ | |
278 | if (read(sd, &hdr, sizeof(hdr)) == -1) { | |
279 | if (errno == EAGAIN || errno == EINTR) | |
280 | return (0); | |
281 | log_warn("pfkey read"); | |
282 | return (-1); | |
283 | } | |
284 | ||
285 | return (1); | |
286 | } | |
287 | ||
288 | static int | |
ffdc293b | 289 | pfkey_reply(int sd, uint32_t *spi) |
8429abe0 RW |
290 | { |
291 | struct sadb_msg hdr, *msg; | |
292 | struct sadb_ext *ext; | |
293 | struct sadb_sa *sa; | |
294 | uint8_t *data; | |
295 | ssize_t len; | |
296 | int rv; | |
297 | ||
298 | do { | |
299 | rv = pfkey_read(sd, &hdr); | |
300 | if (rv == -1) | |
301 | return (-1); | |
302 | } while (rv); | |
303 | ||
304 | if (hdr.sadb_msg_errno != 0) { | |
305 | errno = hdr.sadb_msg_errno; | |
306 | if (errno == ESRCH) | |
307 | return (0); | |
308 | else { | |
309 | log_warn("pfkey"); | |
310 | return (-1); | |
311 | } | |
312 | } | |
313 | if ((data = reallocarray(NULL, hdr.sadb_msg_len, PFKEY2_CHUNK)) == NULL) { | |
314 | log_warn("pfkey malloc"); | |
315 | return (-1); | |
316 | } | |
317 | len = hdr.sadb_msg_len * PFKEY2_CHUNK; | |
318 | if (read(sd, data, len) != len) { | |
319 | log_warn("pfkey read"); | |
320 | explicit_bzero(data, len); | |
321 | free(data); | |
322 | return (-1); | |
323 | } | |
324 | ||
325 | if (hdr.sadb_msg_type == SADB_GETSPI) { | |
ffdc293b | 326 | if (spi == NULL) { |
8429abe0 RW |
327 | explicit_bzero(data, len); |
328 | free(data); | |
329 | return (0); | |
330 | } | |
331 | ||
332 | msg = (struct sadb_msg *)data; | |
333 | for (ext = (struct sadb_ext *)(msg + 1); | |
334 | (size_t)((uint8_t *)ext - (uint8_t *)msg) < | |
335 | msg->sadb_msg_len * PFKEY2_CHUNK; | |
336 | ext = (struct sadb_ext *)((uint8_t *)ext + | |
337 | ext->sadb_ext_len * PFKEY2_CHUNK)) { | |
338 | if (ext->sadb_ext_type == SADB_EXT_SA) { | |
339 | sa = (struct sadb_sa *) ext; | |
ffdc293b | 340 | *spi = ntohl(sa->sadb_sa_spi); |
8429abe0 RW |
341 | break; |
342 | } | |
343 | } | |
344 | } | |
345 | explicit_bzero(data, len); | |
346 | free(data); | |
347 | return (0); | |
348 | } | |
349 | ||
350 | static int | |
351 | pfkey_sa_add(int af, union ldpd_addr *src, union ldpd_addr *dst, uint8_t keylen, | |
352 | char *key, uint32_t *spi) | |
353 | { | |
354 | if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_GETSPI, 0, | |
355 | af, src, dst, 0, 0, 0, NULL, 0, 0, NULL, 0, 0) < 0) | |
356 | return (-1); | |
357 | if (pfkey_reply(fd, spi) < 0) | |
358 | return (-1); | |
359 | if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_UPDATE, 0, | |
360 | af, src, dst, *spi, 0, keylen, key, 0, 0, NULL, 0, 0) < 0) | |
361 | return (-1); | |
362 | if (pfkey_reply(fd, NULL) < 0) | |
363 | return (-1); | |
364 | return (0); | |
365 | } | |
366 | ||
367 | static int | |
368 | pfkey_sa_remove(int af, union ldpd_addr *src, union ldpd_addr *dst, | |
369 | uint32_t *spi) | |
370 | { | |
371 | if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_DELETE, 0, | |
372 | af, src, dst, *spi, 0, 0, NULL, 0, 0, NULL, 0, 0) < 0) | |
373 | return (-1); | |
374 | if (pfkey_reply(fd, NULL) < 0) | |
375 | return (-1); | |
376 | *spi = 0; | |
377 | return (0); | |
378 | } | |
379 | ||
380 | static int | |
381 | pfkey_md5sig_establish(struct nbr *nbr, struct nbr_params *nbrp) | |
382 | { | |
383 | sleep(1); | |
384 | ||
385 | if (!nbr->auth.spi_out) | |
386 | if (pfkey_sa_add(nbr->af, &nbr->laddr, &nbr->raddr, | |
387 | nbrp->auth.md5key_len, nbrp->auth.md5key, | |
388 | &nbr->auth.spi_out) == -1) | |
389 | return (-1); | |
390 | if (!nbr->auth.spi_in) | |
391 | if (pfkey_sa_add(nbr->af, &nbr->raddr, &nbr->laddr, | |
392 | nbrp->auth.md5key_len, nbrp->auth.md5key, | |
393 | &nbr->auth.spi_in) == -1) | |
394 | return (-1); | |
395 | ||
396 | nbr->auth.established = 1; | |
397 | return (0); | |
398 | } | |
399 | ||
400 | static int | |
401 | pfkey_md5sig_remove(struct nbr *nbr) | |
402 | { | |
403 | if (nbr->auth.spi_out) | |
404 | if (pfkey_sa_remove(nbr->af, &nbr->laddr, &nbr->raddr, | |
405 | &nbr->auth.spi_out) == -1) | |
406 | return (-1); | |
407 | if (nbr->auth.spi_in) | |
408 | if (pfkey_sa_remove(nbr->af, &nbr->raddr, &nbr->laddr, | |
409 | &nbr->auth.spi_in) == -1) | |
410 | return (-1); | |
411 | ||
412 | nbr->auth.established = 0; | |
413 | nbr->auth.spi_in = 0; | |
414 | nbr->auth.spi_out = 0; | |
415 | nbr->auth.method = AUTH_NONE; | |
416 | memset(nbr->auth.md5key, 0, sizeof(nbr->auth.md5key)); | |
417 | ||
418 | return (0); | |
419 | } | |
420 | ||
421 | int | |
422 | pfkey_establish(struct nbr *nbr, struct nbr_params *nbrp) | |
423 | { | |
424 | if (nbrp->auth.method == AUTH_NONE) | |
425 | return (0); | |
426 | ||
8429abe0 RW |
427 | switch (nbr->auth.method) { |
428 | case AUTH_MD5SIG: | |
429 | strlcpy(nbr->auth.md5key, nbrp->auth.md5key, | |
430 | sizeof(nbr->auth.md5key)); | |
431 | return (pfkey_md5sig_establish(nbr, nbrp)); | |
432 | default: | |
433 | break; | |
434 | } | |
435 | ||
436 | return (0); | |
437 | } | |
438 | ||
439 | int | |
440 | pfkey_remove(struct nbr *nbr) | |
441 | { | |
442 | if (nbr->auth.method == AUTH_NONE || !nbr->auth.established) | |
443 | return (0); | |
444 | ||
445 | switch (nbr->auth.method) { | |
446 | case AUTH_MD5SIG: | |
447 | return (pfkey_md5sig_remove(nbr)); | |
448 | default: | |
449 | break; | |
450 | } | |
451 | ||
452 | return (0); | |
453 | } | |
454 | ||
455 | int | |
456 | pfkey_init(void) | |
457 | { | |
458 | if ((fd = socket(PF_KEY, SOCK_RAW | SOCK_CLOEXEC | SOCK_NONBLOCK, | |
459 | PF_KEY_V2)) == -1) { | |
460 | if (errno == EPROTONOSUPPORT) { | |
461 | log_warnx("PF_KEY not available"); | |
462 | sysdep.no_pfkey = 1; | |
463 | return (-1); | |
464 | } else | |
465 | fatal("pfkey setup failed"); | |
466 | } | |
467 | return (fd); | |
468 | } | |
eac6e3f0 | 469 | #endif /* __OpenBSD__ */ |