[mirror_frr.git] / nhrpd / vici.c

// SPDX-License-Identifier: GPL-2.0-or-later
/* strongSwan VICI protocol implementation for NHRP
 * Copyright (c) 2014-2015 Timo Teräs
 */

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

#include "event.h"
#include "zbuf.h"
#include "log.h"
#include "lib_errors.h"

#include "nhrpd.h"
#include "vici.h"
#include "nhrp_errors.h"

#define ERRNO_IO_RETRY(EN) (((EN) == EAGAIN) || ((EN) == EWOULDBLOCK) || ((EN) == EINTR))

struct blob {
	char *ptr;
	int len;
};

static int blob_equal(const struct blob *b, const char *str)
{
	if (!b || b->len != (int)strlen(str))
		return 0;
	return memcmp(b->ptr, str, b->len) == 0;
}

static int blob2buf(const struct blob *b, char *buf, size_t n)
{
	if (!b || b->len >= (int)n)
		return 0;
	memcpy(buf, b->ptr, b->len);
	buf[b->len] = 0;
	return 1;
}

struct vici_conn {
	struct event *t_reconnect, *t_read, *t_write;
	struct zbuf ibuf;
	struct zbuf_queue obuf;
	int fd;
	uint8_t ibuf_data[VICI_MAX_MSGLEN];
};

struct vici_message_ctx {
	const char *sections[8];
	int nsections;
};

static void vici_reconnect(struct event *t);
static void vici_submit_request(struct vici_conn *vici, const char *name, ...);

static void vici_zbuf_puts(struct zbuf *obuf, const char *str)
{
	size_t len = strlen(str);
	zbuf_put8(obuf, len);
	zbuf_put(obuf, str, len);
}

static void vici_connection_error(struct vici_conn *vici)
{
	nhrp_vc_reset();

	THREAD_OFF(vici->t_read);
	THREAD_OFF(vici->t_write);
	zbuf_reset(&vici->ibuf);
	zbufq_reset(&vici->obuf);

	close(vici->fd);
	vici->fd = -1;
	event_add_timer(master, vici_reconnect, vici, 2, &vici->t_reconnect);
}

static void vici_parse_message(struct vici_conn *vici, struct zbuf *msg,
			       void (*parser)(struct vici_message_ctx *ctx,
					      enum vici_type_t msgtype,
					      const struct blob *key,
					      const struct blob *val),
			       struct vici_message_ctx *ctx)
{
	uint8_t *type;
	struct blob key = {0};
	struct blob val = {0};

	while ((type = zbuf_may_pull(msg, uint8_t)) != NULL) {
		switch (*type) {
		case VICI_SECTION_START:
			key.len = zbuf_get8(msg);
			key.ptr = zbuf_pulln(msg, key.len);
			debugf(NHRP_DEBUG_VICI, "VICI: Section start '%.*s'",
			       key.len, key.ptr);
			parser(ctx, *type, &key, NULL);
			ctx->nsections++;
			break;
		case VICI_SECTION_END:
			debugf(NHRP_DEBUG_VICI, "VICI: Section end");
			parser(ctx, *type, NULL, NULL);
			ctx->nsections--;
			break;
		case VICI_KEY_VALUE:
			key.len = zbuf_get8(msg);
			key.ptr = zbuf_pulln(msg, key.len);
			val.len = zbuf_get_be16(msg);
			val.ptr = zbuf_pulln(msg, val.len);
			debugf(NHRP_DEBUG_VICI, "VICI: Key '%.*s'='%.*s'",
			       key.len, key.ptr, val.len, val.ptr);
			parser(ctx, *type, &key, &val);
			break;
		case VICI_LIST_START:
			key.len = zbuf_get8(msg);
			key.ptr = zbuf_pulln(msg, key.len);
			debugf(NHRP_DEBUG_VICI, "VICI: List start '%.*s'",
			       key.len, key.ptr);
			break;
		case VICI_LIST_ITEM:
			val.len = zbuf_get_be16(msg);
			val.ptr = zbuf_pulln(msg, val.len);
			debugf(NHRP_DEBUG_VICI, "VICI: List item: '%.*s'",
			       val.len, val.ptr);
			parser(ctx, *type, &key, &val);
			break;
		case VICI_LIST_END:
			debugf(NHRP_DEBUG_VICI, "VICI: List end");
			break;
		}
	}
}

struct handle_sa_ctx {
	struct vici_message_ctx msgctx;
	int event;
	int child_ok;
	int kill_ikesa;
	uint32_t child_uniqueid, ike_uniqueid;
	struct {
		union sockunion host;
		struct blob id, cert;
	} local, remote;
};

static void parse_sa_message(struct vici_message_ctx *ctx,
			     enum vici_type_t msgtype, const struct blob *key,
			     const struct blob *val)
{
	struct handle_sa_ctx *sactx =
		container_of(ctx, struct handle_sa_ctx, msgctx);
	struct nhrp_vc *vc;
	char buf[512];

	switch (msgtype) {
	case VICI_SECTION_START:
		if (ctx->nsections == 3) {
			/* Begin of child-sa section, reset child vars */
			sactx->child_uniqueid = 0;
			sactx->child_ok = 0;
		}
		break;
	case VICI_SECTION_END:
		if (ctx->nsections == 3) {
			/* End of child-sa section, update nhrp_vc */
			int up = sactx->child_ok || sactx->event == 1;
			if (up) {
				vc = nhrp_vc_get(&sactx->local.host,
						 &sactx->remote.host, up);
				if (vc) {
					blob2buf(&sactx->local.id, vc->local.id,
						 sizeof(vc->local.id));
					if (blob2buf(&sactx->local.cert,
						     (char *)vc->local.cert,
						     sizeof(vc->local.cert)))
						vc->local.certlen =
							sactx->local.cert.len;
					blob2buf(&sactx->remote.id,
						 vc->remote.id,
						 sizeof(vc->remote.id));
					if (blob2buf(&sactx->remote.cert,
						     (char *)vc->remote.cert,
						     sizeof(vc->remote.cert)))
						vc->remote.certlen =
							sactx->remote.cert.len;
					sactx->kill_ikesa |=
						nhrp_vc_ipsec_updown(
							sactx->child_uniqueid,
							vc);
					vc->ike_uniqueid = sactx->ike_uniqueid;
				}
			} else {
				nhrp_vc_ipsec_updown(sactx->child_uniqueid, 0);
			}
		}
		break;
	case VICI_START:
	case VICI_KEY_VALUE:
	case VICI_LIST_START:
	case VICI_LIST_ITEM:
	case VICI_LIST_END:
	case VICI_END:
		if (!key || !key->ptr)
			break;

		switch (key->ptr[0]) {
		case 'l':
			if (blob_equal(key, "local-host")
			    && ctx->nsections == 1) {
				if (blob2buf(val, buf, sizeof(buf)))
					if (str2sockunion(buf,
							  &sactx->local.host)
					    < 0)
						flog_err(
							EC_NHRP_SWAN,
							"VICI: bad strongSwan local-host: %s",
							buf);
			} else if (blob_equal(key, "local-id")
				   && ctx->nsections == 1) {
				sactx->local.id = *val;
			} else if (blob_equal(key, "local-cert-data")
				   && ctx->nsections == 1) {
				sactx->local.cert = *val;
			}
			break;
		case 'r':
			if (blob_equal(key, "remote-host")
			    && ctx->nsections == 1) {
				if (blob2buf(val, buf, sizeof(buf)))
					if (str2sockunion(buf,
							  &sactx->remote.host)
					    < 0)
						flog_err(
							EC_NHRP_SWAN,
							"VICI: bad strongSwan remote-host: %s",
							buf);
			} else if (blob_equal(key, "remote-id")
				   && ctx->nsections == 1) {
				sactx->remote.id = *val;
			} else if (blob_equal(key, "remote-cert-data")
				   && ctx->nsections == 1) {
				sactx->remote.cert = *val;
			}
			break;
		case 'u':
			if (blob_equal(key, "uniqueid")
			    && blob2buf(val, buf, sizeof(buf))) {
				if (ctx->nsections == 3)
					sactx->child_uniqueid =
						strtoul(buf, NULL, 0);
				else if (ctx->nsections == 1)
					sactx->ike_uniqueid =
						strtoul(buf, NULL, 0);
			}
			break;
		case 's':
			if (blob_equal(key, "state") && ctx->nsections == 3) {
				sactx->child_ok =
					(sactx->event == 0
					 && (blob_equal(val, "INSTALLED")
					     || blob_equal(val, "REKEYED")));
			}
			break;
		}
		break;
	}
}

static void parse_cmd_response(struct vici_message_ctx *ctx,
			       enum vici_type_t msgtype, const struct blob *key,
			       const struct blob *val)
{
	char buf[512];

	switch (msgtype) {
	case VICI_KEY_VALUE:
		if (blob_equal(key, "errmsg")
		    && blob2buf(val, buf, sizeof(buf)))
			flog_err(EC_NHRP_SWAN, "VICI: strongSwan: %s", buf);
		break;
	case VICI_START:
	case VICI_SECTION_START:
	case VICI_SECTION_END:
	case VICI_LIST_START:
	case VICI_LIST_ITEM:
	case VICI_LIST_END:
	case VICI_END:
		break;
	}
}

static void vici_recv_sa(struct vici_conn *vici, struct zbuf *msg, int event)
{
	char buf[32];
	struct handle_sa_ctx ctx = {
		.event = event,
		.msgctx.nsections = 0
	};

	vici_parse_message(vici, msg, parse_sa_message, &ctx.msgctx);

	if (ctx.kill_ikesa && ctx.ike_uniqueid) {
		debugf(NHRP_DEBUG_COMMON, "VICI: Deleting IKE_SA %u",
		       ctx.ike_uniqueid);
		snprintf(buf, sizeof(buf), "%u", ctx.ike_uniqueid);
		vici_submit_request(vici, "terminate", VICI_KEY_VALUE, "ike-id",
				    strlen(buf), buf, VICI_END);
	}
}

static void vici_recv_message(struct vici_conn *vici, struct zbuf *msg)
{
	uint32_t msglen;
	uint8_t msgtype;
	struct blob name;
	struct vici_message_ctx ctx = { .nsections = 0 };

	msglen = zbuf_get_be32(msg);
	msgtype = zbuf_get8(msg);
	debugf(NHRP_DEBUG_VICI, "VICI: Message %d, %d bytes", msgtype, msglen);

	switch (msgtype) {
	case VICI_EVENT:
		name.len = zbuf_get8(msg);
		name.ptr = zbuf_pulln(msg, name.len);

		debugf(NHRP_DEBUG_VICI, "VICI: Event '%.*s'", name.len,
		       name.ptr);
		if (blob_equal(&name, "list-sa")
		    || blob_equal(&name, "child-updown")
		    || blob_equal(&name, "child-rekey"))
			vici_recv_sa(vici, msg, 0);
		else if (blob_equal(&name, "child-state-installed")
			 || blob_equal(&name, "child-state-rekeyed"))
			vici_recv_sa(vici, msg, 1);
		else if (blob_equal(&name, "child-state-destroying"))
			vici_recv_sa(vici, msg, 2);
		break;
	case VICI_CMD_RESPONSE:
		vici_parse_message(vici, msg, parse_cmd_response, &ctx);
		break;
	case VICI_EVENT_UNKNOWN:
	case VICI_CMD_UNKNOWN:
		flog_err(
			EC_NHRP_SWAN,
			"VICI: StrongSwan does not support mandatory events (unpatched?)");
		break;
	case VICI_EVENT_CONFIRM:
		break;
	default:
		zlog_notice("VICI: Unrecognized message type %d", msgtype);
		break;
	}
}

static void vici_read(struct event *t)
{
	struct vici_conn *vici = THREAD_ARG(t);
	struct zbuf *ibuf = &vici->ibuf;
	struct zbuf pktbuf;

	if (zbuf_read(ibuf, vici->fd, (size_t)-1) < 0) {
		vici_connection_error(vici);
		return;
	}

	/* Process all messages in buffer */
	do {
		uint32_t *hdrlen = zbuf_may_pull(ibuf, uint32_t);
		if (!hdrlen)
			break;
		if (!zbuf_may_pulln(ibuf, ntohl(*hdrlen))) {
			zbuf_reset_head(ibuf, hdrlen);
			break;
		}

		/* Handle packet */
		zbuf_init(&pktbuf, hdrlen, htonl(*hdrlen) + 4,
			  htonl(*hdrlen) + 4);
		vici_recv_message(vici, &pktbuf);
	} while (1);

	event_add_read(master, vici_read, vici, vici->fd, &vici->t_read);
}

static void vici_write(struct event *t)
{
	struct vici_conn *vici = THREAD_ARG(t);
	int r;

	r = zbufq_write(&vici->obuf, vici->fd);
	if (r > 0) {
		event_add_write(master, vici_write, vici, vici->fd,
				&vici->t_write);
	} else if (r < 0) {
		vici_connection_error(vici);
	}
}

static void vici_submit(struct vici_conn *vici, struct zbuf *obuf)
{
	if (vici->fd < 0) {
		zbuf_free(obuf);
		return;
	}

	zbufq_queue(&vici->obuf, obuf);
	event_add_write(master, vici_write, vici, vici->fd, &vici->t_write);
}

static void vici_submit_request(struct vici_conn *vici, const char *name, ...)
{
	struct zbuf *obuf;
	uint32_t *hdrlen;
	va_list va;
	size_t len;
	int type;

	obuf = zbuf_alloc(256);
	if (!obuf)
		return;

	hdrlen = zbuf_push(obuf, uint32_t);
	zbuf_put8(obuf, VICI_CMD_REQUEST);
	vici_zbuf_puts(obuf, name);

	va_start(va, name);
	for (type = va_arg(va, int); type != VICI_END; type = va_arg(va, int)) {
		zbuf_put8(obuf, type);
		switch (type) {
		case VICI_KEY_VALUE:
			vici_zbuf_puts(obuf, va_arg(va, const char *));
			len = va_arg(va, size_t);
			zbuf_put_be16(obuf, len);
			zbuf_put(obuf, va_arg(va, void *), len);
			break;
		default:
			break;
		}
	}
	va_end(va);
	*hdrlen = htonl(zbuf_used(obuf) - 4);
	vici_submit(vici, obuf);
}

static void vici_register_event(struct vici_conn *vici, const char *name)
{
	struct zbuf *obuf;
	uint32_t *hdrlen;
	uint8_t namelen;

	namelen = strlen(name);
	obuf = zbuf_alloc(4 + 1 + 1 + namelen);
	if (!obuf)
		return;

	hdrlen = zbuf_push(obuf, uint32_t);
	zbuf_put8(obuf, VICI_EVENT_REGISTER);
	zbuf_put8(obuf, namelen);
	zbuf_put(obuf, name, namelen);
	*hdrlen = htonl(zbuf_used(obuf) - 4);

	vici_submit(vici, obuf);
}

static bool vici_charon_filepath_done;
static bool vici_charon_not_found;

static char *vici_get_charon_filepath(void)
{
	static char buff[1200];
	FILE *fp;
	char *ptr;
	char line[1024];

	if (vici_charon_filepath_done)
		return (char *)buff;
	fp = popen("ipsec --piddir", "r");
	if (!fp) {
		if (!vici_charon_not_found) {
			flog_err(EC_NHRP_SWAN,
				 "VICI: Failed to retrieve charon file path");
			vici_charon_not_found = true;
		}
		return NULL;
	}
	/* last line of output is used to get vici path */
	while (fgets(line, sizeof(line), fp) != NULL) {
		ptr = strchr(line, '\n');
		if (ptr)
			*ptr = '\0';
		snprintf(buff, sizeof(buff), "%s/charon.vici", line);
	}
	pclose(fp);
	vici_charon_filepath_done = true;
	return buff;
}

static void vici_reconnect(struct event *t)
{
	struct vici_conn *vici = THREAD_ARG(t);
	int fd;
	char *file_path;

	if (vici->fd >= 0)
		return;

	fd = sock_open_unix(VICI_SOCKET);
	if (fd < 0) {
		file_path = vici_get_charon_filepath();
		if (file_path)
			fd = sock_open_unix(file_path);
	}
	if (fd < 0) {
		debugf(NHRP_DEBUG_VICI,
		       "%s: failure connecting VICI socket: %s", __func__,
		       strerror(errno));
		event_add_timer(master, vici_reconnect, vici, 2,
				&vici->t_reconnect);
		return;
	}

	debugf(NHRP_DEBUG_COMMON, "VICI: Connected");
	vici->fd = fd;
	event_add_read(master, vici_read, vici, vici->fd, &vici->t_read);

	/* Send event subscribtions */
	// vici_register_event(vici, "child-updown");
	// vici_register_event(vici, "child-rekey");
	vici_register_event(vici, "child-state-installed");
	vici_register_event(vici, "child-state-rekeyed");
	vici_register_event(vici, "child-state-destroying");
	vici_register_event(vici, "list-sa");
	vici_submit_request(vici, "list-sas", VICI_END);
}

static struct vici_conn vici_connection;

void vici_init(void)
{
	struct vici_conn *vici = &vici_connection;

	vici->fd = -1;
	zbuf_init(&vici->ibuf, vici->ibuf_data, sizeof(vici->ibuf_data), 0);
	zbufq_init(&vici->obuf);
	event_add_timer_msec(master, vici_reconnect, vici, 10,
			     &vici->t_reconnect);
}

void vici_terminate(void)
{
}

void vici_terminate_vc_by_profile_name(char *profile_name)
{
	struct vici_conn *vici = &vici_connection;

	debugf(NHRP_DEBUG_VICI, "Terminate profile = %s", profile_name);
	vici_submit_request(vici, "terminate", VICI_KEY_VALUE, "ike",
		    strlen(profile_name), profile_name, VICI_END);
}

void vici_terminate_vc_by_ike_id(unsigned int ike_id)
{
	struct vici_conn *vici = &vici_connection;
	char ike_id_str[10];

	snprintf(ike_id_str, sizeof(ike_id_str), "%d", ike_id);
	debugf(NHRP_DEBUG_VICI, "Terminate ike_id_str = %s", ike_id_str);
	vici_submit_request(vici, "terminate", VICI_KEY_VALUE, "ike-id",
		    strlen(ike_id_str), ike_id_str, VICI_END);
}

void vici_request_vc(const char *profile, union sockunion *src,
		     union sockunion *dst, int prio)
{
	struct vici_conn *vici = &vici_connection;
	char buf[2][SU_ADDRSTRLEN];

	sockunion2str(src, buf[0], sizeof(buf[0]));
	sockunion2str(dst, buf[1], sizeof(buf[1]));

	vici_submit_request(vici, "initiate", VICI_KEY_VALUE, "child",
			    strlen(profile), profile, VICI_KEY_VALUE, "timeout",
			    (size_t)2, "-1", VICI_KEY_VALUE, "async", (size_t)1,
			    "1", VICI_KEY_VALUE, "init-limits", (size_t)1,
			    prio ? "0" : "1", VICI_KEY_VALUE, "my-host",
			    strlen(buf[0]), buf[0], VICI_KEY_VALUE,
			    "other-host", strlen(buf[1]), buf[1], VICI_END);
}

int sock_open_unix(const char *path)
{
	int ret, fd;
	struct sockaddr_un addr;

	fd = socket(AF_UNIX, SOCK_STREAM, 0);
	if (fd < 0)
		return -1;

	memset(&addr, 0, sizeof(addr));
	addr.sun_family = AF_UNIX;
	strlcpy(addr.sun_path, path, sizeof(addr.sun_path));

	ret = connect(fd, (struct sockaddr *)&addr,
		      sizeof(addr.sun_family) + strlen(addr.sun_path));
	if (ret < 0) {
		close(fd);
		return -1;
	}

	ret = fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
	if (ret < 0) {
		close(fd);
		return -1;
	}

	return fd;
}
Commit	Line	Data
acddc0ed	1	// SPDX-License-Identifier: GPL-2.0-or-later
2fb975da TT	2	/* strongSwan VICI protocol implementation for NHRP
2fb975da TT	3	* Copyright (c) 2014-2015 Timo Teräs
2fb975da TT	4	*/
2fb975da TT	5
b45ac5f5 DL	6	#ifdef HAVE_CONFIG_H
	7	#include "config.h"
	8	#endif
	9
2fb975da TT	10	#include <string.h>
	11	#include <sys/socket.h>
	12	#include <sys/un.h>
	13
cb37cb33	14	#include "event.h"
2fb975da TT	15	#include "zbuf.h"
2fb975da TT	16	#include "log.h"
aed07011	17	#include "lib_errors.h"
2fb975da	18
aed07011	19	#include "nhrpd.h"
2fb975da	20	#include "vici.h"
aed07011	21	#include "nhrp_errors.h"
2fb975da TT	22
	23	#define ERRNO_IO_RETRY(EN) (((EN) == EAGAIN) \|\| ((EN) == EWOULDBLOCK) \|\| ((EN) == EINTR))
	24
	25	struct blob {
	26	char *ptr;
	27	int len;
	28	};
	29
	30	static int blob_equal(const struct blob b, const char str)
	31	{
996c9314 LB	32	if (!b \|\| b->len != (int)strlen(str))
996c9314 LB	33	return 0;
2fb975da TT	34	return memcmp(b->ptr, str, b->len) == 0;
	35	}
	36
	37	static int blob2buf(const struct blob b, char buf, size_t n)
	38	{
996c9314 LB	39	if (!b \|\| b->len >= (int)n)
996c9314 LB	40	return 0;
2fb975da TT	41	memcpy(buf, b->ptr, b->len);
	42	buf[b->len] = 0;
	43	return 1;
	44	}
	45
	46	struct vici_conn {
e6685141	47	struct event t_reconnect, t_read, *t_write;
2fb975da TT	48	struct zbuf ibuf;
	49	struct zbuf_queue obuf;
	50	int fd;
	51	uint8_t ibuf_data[VICI_MAX_MSGLEN];
	52	};
	53
	54	struct vici_message_ctx {
	55	const char *sections[8];
	56	int nsections;
	57	};
	58
e6685141	59	static void vici_reconnect(struct event *t);
2fb975da TT	60	static void vici_submit_request(struct vici_conn vici, const char name, ...);
	61
	62	static void vici_zbuf_puts(struct zbuf obuf, const char str)
	63	{
	64	size_t len = strlen(str);
	65	zbuf_put8(obuf, len);
	66	zbuf_put(obuf, str, len);
	67	}
	68
	69	static void vici_connection_error(struct vici_conn *vici)
	70	{
	71	nhrp_vc_reset();
	72
	73	THREAD_OFF(vici->t_read);
	74	THREAD_OFF(vici->t_write);
	75	zbuf_reset(&vici->ibuf);
	76	zbufq_reset(&vici->obuf);
	77
	78	close(vici->fd);
	79	vici->fd = -1;
907a2395	80	event_add_timer(master, vici_reconnect, vici, 2, &vici->t_reconnect);
2fb975da TT	81	}
2fb975da TT	82
996c9314 LB	83	static void vici_parse_message(struct vici_conn vici, struct zbuf msg,
	84	void (parser)(struct vici_message_ctx ctx,
	85	enum vici_type_t msgtype,
	86	const struct blob *key,
	87	const struct blob *val),
	88	struct vici_message_ctx *ctx)
2fb975da TT	89	{
2fb975da TT	90	uint8_t *type;
996c9314 LB	91	struct blob key = {0};
996c9314 LB	92	struct blob val = {0};
2fb975da TT	93
	94	while ((type = zbuf_may_pull(msg, uint8_t)) != NULL) {
	95	switch (*type) {
	96	case VICI_SECTION_START:
	97	key.len = zbuf_get8(msg);
	98	key.ptr = zbuf_pulln(msg, key.len);
996c9314 LB	99	debugf(NHRP_DEBUG_VICI, "VICI: Section start '%.*s'",
996c9314 LB	100	key.len, key.ptr);
2fb975da TT	101	parser(ctx, *type, &key, NULL);
	102	ctx->nsections++;
	103	break;
	104	case VICI_SECTION_END:
	105	debugf(NHRP_DEBUG_VICI, "VICI: Section end");
	106	parser(ctx, *type, NULL, NULL);
	107	ctx->nsections--;
	108	break;
	109	case VICI_KEY_VALUE:
	110	key.len = zbuf_get8(msg);
	111	key.ptr = zbuf_pulln(msg, key.len);
	112	val.len = zbuf_get_be16(msg);
	113	val.ptr = zbuf_pulln(msg, val.len);
996c9314 LB	114	debugf(NHRP_DEBUG_VICI, "VICI: Key '%.s'='%.s'",
996c9314 LB	115	key.len, key.ptr, val.len, val.ptr);
2fb975da TT	116	parser(ctx, *type, &key, &val);
	117	break;
	118	case VICI_LIST_START:
	119	key.len = zbuf_get8(msg);
	120	key.ptr = zbuf_pulln(msg, key.len);
996c9314 LB	121	debugf(NHRP_DEBUG_VICI, "VICI: List start '%.*s'",
996c9314 LB	122	key.len, key.ptr);
2fb975da TT	123	break;
	124	case VICI_LIST_ITEM:
	125	val.len = zbuf_get_be16(msg);
	126	val.ptr = zbuf_pulln(msg, val.len);
996c9314 LB	127	debugf(NHRP_DEBUG_VICI, "VICI: List item: '%.*s'",
996c9314 LB	128	val.len, val.ptr);
2fb975da TT	129	parser(ctx, *type, &key, &val);
	130	break;
	131	case VICI_LIST_END:
	132	debugf(NHRP_DEBUG_VICI, "VICI: List end");
	133	break;
2fb975da TT	134	}
	135	}
	136	}
	137
	138	struct handle_sa_ctx {
	139	struct vici_message_ctx msgctx;
	140	int event;
	141	int child_ok;
	142	int kill_ikesa;
	143	uint32_t child_uniqueid, ike_uniqueid;
	144	struct {
	145	union sockunion host;
	146	struct blob id, cert;
	147	} local, remote;
	148	};
	149
996c9314 LB	150	static void parse_sa_message(struct vici_message_ctx *ctx,
	151	enum vici_type_t msgtype, const struct blob *key,
	152	const struct blob *val)
2fb975da	153	{
996c9314 LB	154	struct handle_sa_ctx *sactx =
996c9314 LB	155	container_of(ctx, struct handle_sa_ctx, msgctx);
2fb975da TT	156	struct nhrp_vc *vc;
	157	char buf[512];
	158
	159	switch (msgtype) {
	160	case VICI_SECTION_START:
	161	if (ctx->nsections == 3) {
	162	/* Begin of child-sa section, reset child vars */
	163	sactx->child_uniqueid = 0;
	164	sactx->child_ok = 0;
	165	}
	166	break;
	167	case VICI_SECTION_END:
	168	if (ctx->nsections == 3) {
	169	/* End of child-sa section, update nhrp_vc */
	170	int up = sactx->child_ok \|\| sactx->event == 1;
	171	if (up) {
996c9314 LB	172	vc = nhrp_vc_get(&sactx->local.host,
996c9314 LB	173	&sactx->remote.host, up);
2fb975da	174	if (vc) {
996c9314 LB	175	blob2buf(&sactx->local.id, vc->local.id,
	176	sizeof(vc->local.id));
	177	if (blob2buf(&sactx->local.cert,
	178	(char *)vc->local.cert,
	179	sizeof(vc->local.cert)))
	180	vc->local.certlen =
	181	sactx->local.cert.len;
	182	blob2buf(&sactx->remote.id,
	183	vc->remote.id,
	184	sizeof(vc->remote.id));
	185	if (blob2buf(&sactx->remote.cert,
	186	(char *)vc->remote.cert,
	187	sizeof(vc->remote.cert)))
	188	vc->remote.certlen =
	189	sactx->remote.cert.len;
	190	sactx->kill_ikesa \|=
	191	nhrp_vc_ipsec_updown(
	192	sactx->child_uniqueid,
	193	vc);
4cbaf956	194	vc->ike_uniqueid = sactx->ike_uniqueid;
2fb975da TT	195	}
	196	} else {
	197	nhrp_vc_ipsec_updown(sactx->child_uniqueid, 0);
	198	}
	199	}
	200	break;
d0038397 DS	201	case VICI_START:
	202	case VICI_KEY_VALUE:
	203	case VICI_LIST_START:
	204	case VICI_LIST_ITEM:
	205	case VICI_LIST_END:
	206	case VICI_END:
fa3bf3a2	207	if (!key \|\| !key->ptr)
6b07f6e1 JB	208	break;
6b07f6e1 JB	209
2fb975da TT	210	switch (key->ptr[0]) {
2fb975da TT	211	case 'l':
996c9314 LB	212	if (blob_equal(key, "local-host")
996c9314 LB	213	&& ctx->nsections == 1) {
2fb975da	214	if (blob2buf(val, buf, sizeof(buf)))
996c9314 LB	215	if (str2sockunion(buf,
	216	&sactx->local.host)
	217	< 0)
1c50c1c0 QY	218	flog_err(
	219	EC_NHRP_SWAN,
	220	"VICI: bad strongSwan local-host: %s",
	221	buf);
996c9314 LB	222	} else if (blob_equal(key, "local-id")
996c9314 LB	223	&& ctx->nsections == 1) {
2fb975da	224	sactx->local.id = *val;
996c9314 LB	225	} else if (blob_equal(key, "local-cert-data")
996c9314 LB	226	&& ctx->nsections == 1) {
2fb975da TT	227	sactx->local.cert = *val;
	228	}
	229	break;
	230	case 'r':
996c9314 LB	231	if (blob_equal(key, "remote-host")
996c9314 LB	232	&& ctx->nsections == 1) {
2fb975da	233	if (blob2buf(val, buf, sizeof(buf)))
996c9314 LB	234	if (str2sockunion(buf,
	235	&sactx->remote.host)
	236	< 0)
1c50c1c0 QY	237	flog_err(
	238	EC_NHRP_SWAN,
	239	"VICI: bad strongSwan remote-host: %s",
	240	buf);
996c9314 LB	241	} else if (blob_equal(key, "remote-id")
996c9314 LB	242	&& ctx->nsections == 1) {
2fb975da	243	sactx->remote.id = *val;
996c9314 LB	244	} else if (blob_equal(key, "remote-cert-data")
996c9314 LB	245	&& ctx->nsections == 1) {
2fb975da TT	246	sactx->remote.cert = *val;
	247	}
	248	break;
	249	case 'u':
996c9314 LB	250	if (blob_equal(key, "uniqueid")
996c9314 LB	251	&& blob2buf(val, buf, sizeof(buf))) {
2fb975da	252	if (ctx->nsections == 3)
996c9314 LB	253	sactx->child_uniqueid =
996c9314 LB	254	strtoul(buf, NULL, 0);
2fb975da	255	else if (ctx->nsections == 1)
996c9314 LB	256	sactx->ike_uniqueid =
996c9314 LB	257	strtoul(buf, NULL, 0);
2fb975da TT	258	}
	259	break;
	260	case 's':
	261	if (blob_equal(key, "state") && ctx->nsections == 3) {
	262	sactx->child_ok =
996c9314 LB	263	(sactx->event == 0
	264	&& (blob_equal(val, "INSTALLED")
	265	\|\| blob_equal(val, "REKEYED")));
2fb975da TT	266	}
	267	break;
	268	}
	269	break;
	270	}
	271	}
	272
996c9314 LB	273	static void parse_cmd_response(struct vici_message_ctx *ctx,
	274	enum vici_type_t msgtype, const struct blob *key,
	275	const struct blob *val)
d139786a TT	276	{
	277	char buf[512];
	278
	279	switch (msgtype) {
	280	case VICI_KEY_VALUE:
996c9314 LB	281	if (blob_equal(key, "errmsg")
996c9314 LB	282	&& blob2buf(val, buf, sizeof(buf)))
2b84a521	283	flog_err(EC_NHRP_SWAN, "VICI: strongSwan: %s", buf);
d139786a	284	break;
d0038397 DS	285	case VICI_START:
	286	case VICI_SECTION_START:
	287	case VICI_SECTION_END:
	288	case VICI_LIST_START:
	289	case VICI_LIST_ITEM:
	290	case VICI_LIST_END:
	291	case VICI_END:
d139786a TT	292	break;
	293	}
	294	}
	295
2fb975da TT	296	static void vici_recv_sa(struct vici_conn vici, struct zbuf msg, int event)
	297	{
	298	char buf[32];
	299	struct handle_sa_ctx ctx = {
	300	.event = event,
0a939f4f	301	.msgctx.nsections = 0
2fb975da TT	302	};
	303
	304	vici_parse_message(vici, msg, parse_sa_message, &ctx.msgctx);
	305
	306	if (ctx.kill_ikesa && ctx.ike_uniqueid) {
996c9314 LB	307	debugf(NHRP_DEBUG_COMMON, "VICI: Deleting IKE_SA %u",
996c9314 LB	308	ctx.ike_uniqueid);
0d6f7fd6	309	snprintf(buf, sizeof(buf), "%u", ctx.ike_uniqueid);
996c9314 LB	310	vici_submit_request(vici, "terminate", VICI_KEY_VALUE, "ike-id",
996c9314 LB	311	strlen(buf), buf, VICI_END);
2fb975da TT	312	}
	313	}
	314
	315	static void vici_recv_message(struct vici_conn vici, struct zbuf msg)
	316	{
	317	uint32_t msglen;
	318	uint8_t msgtype;
	319	struct blob name;
7ea5df54	320	struct vici_message_ctx ctx = { .nsections = 0 };
2fb975da TT	321
	322	msglen = zbuf_get_be32(msg);
	323	msgtype = zbuf_get8(msg);
	324	debugf(NHRP_DEBUG_VICI, "VICI: Message %d, %d bytes", msgtype, msglen);
	325
	326	switch (msgtype) {
	327	case VICI_EVENT:
	328	name.len = zbuf_get8(msg);
	329	name.ptr = zbuf_pulln(msg, name.len);
	330
996c9314 LB	331	debugf(NHRP_DEBUG_VICI, "VICI: Event '%.*s'", name.len,
	332	name.ptr);
	333	if (blob_equal(&name, "list-sa")
	334	\|\| blob_equal(&name, "child-updown")
	335	\|\| blob_equal(&name, "child-rekey"))
2fb975da	336	vici_recv_sa(vici, msg, 0);
996c9314 LB	337	else if (blob_equal(&name, "child-state-installed")
996c9314 LB	338	\|\| blob_equal(&name, "child-state-rekeyed"))
2fb975da TT	339	vici_recv_sa(vici, msg, 1);
	340	else if (blob_equal(&name, "child-state-destroying"))
	341	vici_recv_sa(vici, msg, 2);
	342	break;
d139786a	343	case VICI_CMD_RESPONSE:
6c8ca260	344	vici_parse_message(vici, msg, parse_cmd_response, &ctx);
d139786a	345	break;
2fb975da	346	case VICI_EVENT_UNKNOWN:
d139786a	347	case VICI_CMD_UNKNOWN:
1c50c1c0 QY	348	flog_err(
1c50c1c0 QY	349	EC_NHRP_SWAN,
996c9314	350	"VICI: StrongSwan does not support mandatory events (unpatched?)");
2fb975da TT	351	break;
2fb975da TT	352	case VICI_EVENT_CONFIRM:
2fb975da TT	353	break;
	354	default:
	355	zlog_notice("VICI: Unrecognized message type %d", msgtype);
	356	break;
	357	}
	358	}
	359
e6685141	360	static void vici_read(struct event *t)
2fb975da TT	361	{
	362	struct vici_conn *vici = THREAD_ARG(t);
	363	struct zbuf *ibuf = &vici->ibuf;
	364	struct zbuf pktbuf;
	365
996c9314	366	if (zbuf_read(ibuf, vici->fd, (size_t)-1) < 0) {
2fb975da	367	vici_connection_error(vici);
cc9f21da	368	return;
2fb975da TT	369	}
	370
	371	/* Process all messages in buffer */
	372	do {
	373	uint32_t *hdrlen = zbuf_may_pull(ibuf, uint32_t);
	374	if (!hdrlen)
	375	break;
	376	if (!zbuf_may_pulln(ibuf, ntohl(*hdrlen))) {
	377	zbuf_reset_head(ibuf, hdrlen);
	378	break;
	379	}
	380
	381	/* Handle packet */
996c9314 LB	382	zbuf_init(&pktbuf, hdrlen, htonl(*hdrlen) + 4,
996c9314 LB	383	htonl(*hdrlen) + 4);
2fb975da TT	384	vici_recv_message(vici, &pktbuf);
	385	} while (1);
	386
907a2395	387	event_add_read(master, vici_read, vici, vici->fd, &vici->t_read);
2fb975da TT	388	}
2fb975da TT	389
e6685141	390	static void vici_write(struct event *t)
2fb975da TT	391	{
	392	struct vici_conn *vici = THREAD_ARG(t);
	393	int r;
	394
2fb975da TT	395	r = zbufq_write(&vici->obuf, vici->fd);
2fb975da TT	396	if (r > 0) {
907a2395 DS	397	event_add_write(master, vici_write, vici, vici->fd,
907a2395 DS	398	&vici->t_write);
2fb975da TT	399	} else if (r < 0) {
	400	vici_connection_error(vici);
	401	}
2fb975da TT	402	}
	403
	404	static void vici_submit(struct vici_conn vici, struct zbuf obuf)
	405	{
	406	if (vici->fd < 0) {
	407	zbuf_free(obuf);
	408	return;
	409	}
	410
	411	zbufq_queue(&vici->obuf, obuf);
907a2395	412	event_add_write(master, vici_write, vici, vici->fd, &vici->t_write);
2fb975da TT	413	}
	414
	415	static void vici_submit_request(struct vici_conn vici, const char name, ...)
	416	{
	417	struct zbuf *obuf;
	418	uint32_t *hdrlen;
	419	va_list va;
	420	size_t len;
	421	int type;
	422
	423	obuf = zbuf_alloc(256);
996c9314 LB	424	if (!obuf)
996c9314 LB	425	return;
2fb975da TT	426
	427	hdrlen = zbuf_push(obuf, uint32_t);
	428	zbuf_put8(obuf, VICI_CMD_REQUEST);
	429	vici_zbuf_puts(obuf, name);
	430
	431	va_start(va, name);
	432	for (type = va_arg(va, int); type != VICI_END; type = va_arg(va, int)) {
	433	zbuf_put8(obuf, type);
	434	switch (type) {
	435	case VICI_KEY_VALUE:
	436	vici_zbuf_puts(obuf, va_arg(va, const char *));
	437	len = va_arg(va, size_t);
	438	zbuf_put_be16(obuf, len);
	439	zbuf_put(obuf, va_arg(va, void *), len);
	440	break;
2fb975da TT	441	default:
	442	break;
	443	}
	444	}
	445	va_end(va);
	446	*hdrlen = htonl(zbuf_used(obuf) - 4);
	447	vici_submit(vici, obuf);
	448	}
	449
	450	static void vici_register_event(struct vici_conn vici, const char name)
	451	{
	452	struct zbuf *obuf;
	453	uint32_t *hdrlen;
	454	uint8_t namelen;
	455
	456	namelen = strlen(name);
	457	obuf = zbuf_alloc(4 + 1 + 1 + namelen);
996c9314 LB	458	if (!obuf)
996c9314 LB	459	return;
2fb975da TT	460
	461	hdrlen = zbuf_push(obuf, uint32_t);
	462	zbuf_put8(obuf, VICI_EVENT_REGISTER);
	463	zbuf_put8(obuf, namelen);
	464	zbuf_put(obuf, name, namelen);
	465	*hdrlen = htonl(zbuf_used(obuf) - 4);
	466
	467	vici_submit(vici, obuf);
	468	}
	469
40307370 PG	470	static bool vici_charon_filepath_done;
	471	static bool vici_charon_not_found;
	472
	473	static char *vici_get_charon_filepath(void)
	474	{
	475	static char buff[1200];
	476	FILE *fp;
	477	char *ptr;
	478	char line[1024];
	479
	480	if (vici_charon_filepath_done)
	481	return (char *)buff;
	482	fp = popen("ipsec --piddir", "r");
	483	if (!fp) {
	484	if (!vici_charon_not_found) {
	485	flog_err(EC_NHRP_SWAN,
	486	"VICI: Failed to retrieve charon file path");
	487	vici_charon_not_found = true;
	488	}
	489	return NULL;
	490	}
	491	/* last line of output is used to get vici path */
	492	while (fgets(line, sizeof(line), fp) != NULL) {
	493	ptr = strchr(line, '\n');
	494	if (ptr)
	495	*ptr = '\0';
	496	snprintf(buff, sizeof(buff), "%s/charon.vici", line);
	497	}
	498	pclose(fp);
	499	vici_charon_filepath_done = true;
	500	return buff;
	501	}
	502
e6685141	503	static void vici_reconnect(struct event *t)
2fb975da TT	504	{
	505	struct vici_conn *vici = THREAD_ARG(t);
	506	int fd;
40307370	507	char *file_path;
2fb975da	508
996c9314	509	if (vici->fd >= 0)
cc9f21da	510	return;
2fb975da	511
354196c0	512	fd = sock_open_unix(VICI_SOCKET);
40307370 PG	513	if (fd < 0) {
	514	file_path = vici_get_charon_filepath();
	515	if (file_path)
	516	fd = sock_open_unix(file_path);
	517	}
2fb975da	518	if (fd < 0) {
996c9314	519	debugf(NHRP_DEBUG_VICI,
15569c58 DA	520	"%s: failure connecting VICI socket: %s", __func__,
15569c58 DA	521	strerror(errno));
907a2395 DS	522	event_add_timer(master, vici_reconnect, vici, 2,
907a2395 DS	523	&vici->t_reconnect);
cc9f21da	524	return;
2fb975da TT	525	}
	526
	527	debugf(NHRP_DEBUG_COMMON, "VICI: Connected");
	528	vici->fd = fd;
907a2395	529	event_add_read(master, vici_read, vici, vici->fd, &vici->t_read);
2fb975da TT	530
2fb975da TT	531	/* Send event subscribtions */
996c9314 LB	532	// vici_register_event(vici, "child-updown");
996c9314 LB	533	// vici_register_event(vici, "child-rekey");
2fb975da TT	534	vici_register_event(vici, "child-state-installed");
	535	vici_register_event(vici, "child-state-rekeyed");
	536	vici_register_event(vici, "child-state-destroying");
	537	vici_register_event(vici, "list-sa");
	538	vici_submit_request(vici, "list-sas", VICI_END);
2fb975da TT	539	}
	540
	541	static struct vici_conn vici_connection;
	542
	543	void vici_init(void)
	544	{
	545	struct vici_conn *vici = &vici_connection;
	546
	547	vici->fd = -1;
	548	zbuf_init(&vici->ibuf, vici->ibuf_data, sizeof(vici->ibuf_data), 0);
	549	zbufq_init(&vici->obuf);
907a2395 DS	550	event_add_timer_msec(master, vici_reconnect, vici, 10,
907a2395 DS	551	&vici->t_reconnect);
2fb975da TT	552	}
	553
	554	void vici_terminate(void)
	555	{
	556	}
	557
083bbfae GG	558	void vici_terminate_vc_by_profile_name(char *profile_name)
	559	{
	560	struct vici_conn *vici = &vici_connection;
74e5ba3a	561
58ef1668	562	debugf(NHRP_DEBUG_VICI, "Terminate profile = %s", profile_name);
083bbfae GG	563	vici_submit_request(vici, "terminate", VICI_KEY_VALUE, "ike",
	564	strlen(profile_name), profile_name, VICI_END);
	565	}
	566
	567	void vici_terminate_vc_by_ike_id(unsigned int ike_id)
4cbaf956 GG	568	{
4cbaf956 GG	569	struct vici_conn *vici = &vici_connection;
74e5ba3a RD	570	char ike_id_str[10];
74e5ba3a RD	571
4cbaf956	572	snprintf(ike_id_str, sizeof(ike_id_str), "%d", ike_id);
58ef1668	573	debugf(NHRP_DEBUG_VICI, "Terminate ike_id_str = %s", ike_id_str);
4cbaf956 GG	574	vici_submit_request(vici, "terminate", VICI_KEY_VALUE, "ike-id",
	575	strlen(ike_id_str), ike_id_str, VICI_END);
	576	}
	577
996c9314 LB	578	void vici_request_vc(const char profile, union sockunion src,
996c9314 LB	579	union sockunion *dst, int prio)
2fb975da TT	580	{
	581	struct vici_conn *vici = &vici_connection;
	582	char buf[2][SU_ADDRSTRLEN];
	583
0d6f7fd6 DA	584	sockunion2str(src, buf[0], sizeof(buf[0]));
0d6f7fd6 DA	585	sockunion2str(dst, buf[1], sizeof(buf[1]));
2fb975da	586
996c9314 LB	587	vici_submit_request(vici, "initiate", VICI_KEY_VALUE, "child",
	588	strlen(profile), profile, VICI_KEY_VALUE, "timeout",
	589	(size_t)2, "-1", VICI_KEY_VALUE, "async", (size_t)1,
	590	"1", VICI_KEY_VALUE, "init-limits", (size_t)1,
	591	prio ? "0" : "1", VICI_KEY_VALUE, "my-host",
	592	strlen(buf[0]), buf[0], VICI_KEY_VALUE,
	593	"other-host", strlen(buf[1]), buf[1], VICI_END);
2fb975da TT	594	}
	595
	596	int sock_open_unix(const char *path)
	597	{
	598	int ret, fd;
	599	struct sockaddr_un addr;
	600
	601	fd = socket(AF_UNIX, SOCK_STREAM, 0);
	602	if (fd < 0)
	603	return -1;
	604
6006b807	605	memset(&addr, 0, sizeof(addr));
2fb975da	606	addr.sun_family = AF_UNIX;
fa3bf3a2	607	strlcpy(addr.sun_path, path, sizeof(addr.sun_path));
2fb975da	608
996c9314 LB	609	ret = connect(fd, (struct sockaddr *)&addr,
996c9314 LB	610	sizeof(addr.sun_family) + strlen(addr.sun_path));
2fb975da TT	611	if (ret < 0) {
	612	close(fd);
	613	return -1;
	614	}
	615
6c8ca260 JB	616	ret = fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) \| O_NONBLOCK);
	617	if (ret < 0) {
	618	close(fd);
	619	return -1;
	620	}
2fb975da TT	621
	622	return fd;
	623	}