Context Navigation

pfkey.c @ ff36f5e

55-freebsd-126-freebsd-12

Last change on this file since ff36f5e was ff36f5e, checked in by Christian Mauderer <christian.mauderer@…>, on 05/30/18 at 12:27:35

Import ipsec-tools 0.8.2.

Import unchanged ipsec-tools sources in the release version 0.8.2. The
homepage of ipsec-tools is http://ipsec-tools.sourceforge.net/. The
sources can be obtained from there.

Property mode set to 100644

File size: 99.5 KB

Line
1	/* $NetBSD: pfkey.c,v 1.57 2011/03/15 13:20:14 vanhu Exp $ */
2
3	/* $Id: pfkey.c,v 1.57 2011/03/15 13:20:14 vanhu Exp $ */
4
5	/*
6	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7	* All rights reserved.
8	*
9	* Redistribution and use in source and binary forms, with or without
10	* modification, are permitted provided that the following conditions
11	* are met:
12	* 1. Redistributions of source code must retain the above copyright
13	* notice, this list of conditions and the following disclaimer.
14	* 2. Redistributions in binary form must reproduce the above copyright
15	* notice, this list of conditions and the following disclaimer in the
16	* documentation and/or other materials provided with the distribution.
17	* 3. Neither the name of the project nor the names of its contributors
18	* may be used to endorse or promote products derived from this software
19	* without specific prior written permission.
20	*
21	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31	* SUCH DAMAGE.
32	*/
33
34	#include "config.h"
35
36	#include <stdlib.h>
37	#include <string.h>
38	#include <stdio.h>
39	#include <netdb.h>
40	#include <errno.h>
41	#ifdef HAVE_UNISTD_H
42	#include <unistd.h>
43	#endif
44	#include <netdb.h>
45	#include <netinet/in.h>
46	#include <arpa/inet.h>
47
48	#ifdef ENABLE_NATT
49	# ifdef __linux__
50	# include <linux/udp.h>
51	# endif
52	# if defined(__NetBSD__) \|\| defined(__FreeBSD__) \|\| \
53	(defined(__APPLE__) && defined(__MACH__))
54	# include <netinet/udp.h>
55	# endif
56	#endif
57
58	#include <sys/types.h>
59	#include <sys/param.h>
60	#include <sys/socket.h>
61	#include <sys/queue.h>
62	#include <sys/sysctl.h>
63
64	#include <net/route.h>
65	#include <net/pfkeyv2.h>
66
67	#include <netinet/in.h>
68	#include PATH_IPSEC_H
69	#include <fcntl.h>
70
71	#include "libpfkey.h"
72
73	#include "var.h"
74	#include "misc.h"
75	#include "vmbuf.h"
76	#include "plog.h"
77	#include "sockmisc.h"
78	#include "session.h"
79	#include "debug.h"
80
81	#include "schedule.h"
82	#include "localconf.h"
83	#include "remoteconf.h"
84	#include "handler.h"
85	#include "policy.h"
86	#include "proposal.h"
87	#include "isakmp_var.h"
88	#include "isakmp.h"
89	#include "isakmp_inf.h"
90	#include "ipsec_doi.h"
91	#include "oakley.h"
92	#include "pfkey.h"
93	#include "algorithm.h"
94	#include "sainfo.h"
95	#include "admin.h"
96	#include "evt.h"
97	#include "privsep.h"
98	#include "strnames.h"
99	#include "backupsa.h"
100	#include "gcmalloc.h"
101	#include "nattraversal.h"
102	#include "crypto_openssl.h"
103	#include "grabmyaddr.h"
104
105	#if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
106	#define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
107	#endif
108
109	/* prototype */
110	static u_int ipsecdoi2pfkey_aalg __P((u_int));
111	static u_int ipsecdoi2pfkey_ealg __P((u_int));
112	static u_int ipsecdoi2pfkey_calg __P((u_int));
113	static u_int ipsecdoi2pfkey_alg __P((u_int, u_int));
114	static u_int keylen_aalg __P((u_int));
115	static u_int keylen_ealg __P((u_int, int));
116
117	static int pk_recvgetspi __P((caddr_t *));
118	static int pk_recvupdate __P((caddr_t *));
119	static int pk_recvadd __P((caddr_t *));
120	static int pk_recvdelete __P((caddr_t *));
121	static int pk_recvacquire __P((caddr_t *));
122	static int pk_recvexpire __P((caddr_t *));
123	static int pk_recvflush __P((caddr_t *));
124	static int getsadbpolicy __P((caddr_t , int , int, struct ph2handle *));
125	static int pk_recvspdupdate __P((caddr_t *));
126	static int pk_recvspdadd __P((caddr_t *));
127	static int pk_recvspddelete __P((caddr_t *));
128	static int pk_recvspdexpire __P((caddr_t *));
129	static int pk_recvspdget __P((caddr_t *));
130	static int pk_recvspddump __P((caddr_t *));
131	static int pk_recvspdflush __P((caddr_t *));
132	#if defined(SADB_X_MIGRATE) && defined(SADB_X_EXT_KMADDRESS)
133	static int pk_recvmigrate __P((caddr_t *));
134	#endif
135	static struct sadb_msg pk_recv __P((int, int ));
136
137	static int (pkrecvf[]) __P((caddr_t )) = {
138	NULL,
139	pk_recvgetspi,
140	pk_recvupdate,
141	pk_recvadd,
142	pk_recvdelete,
143	NULL, /* SADB_GET */
144	pk_recvacquire,
145	NULL, /* SABD_REGISTER */
146	pk_recvexpire,
147	pk_recvflush,
148	NULL, /* SADB_DUMP */
149	NULL, /* SADB_X_PROMISC */
150	NULL, /* SADB_X_PCHANGE */
151	pk_recvspdupdate,
152	pk_recvspdadd,
153	pk_recvspddelete,
154	pk_recvspdget,
155	NULL, /* SADB_X_SPDACQUIRE */
156	pk_recvspddump,
157	pk_recvspdflush,
158	NULL, /* SADB_X_SPDSETIDX */
159	pk_recvspdexpire,
160	NULL, /* SADB_X_SPDDELETE2 */
161	NULL, /* SADB_X_NAT_T_NEW_MAPPING */
162	#if defined(SADB_X_MIGRATE) && defined(SADB_X_EXT_KMADDRESS)
163	pk_recvmigrate,
164	#else
165	NULL, /* SADB_X_MIGRATE */
166	#endif
167	#if (SADB_MAX > 24)
168	#error "SADB extra message?"
169	#endif
170	};
171
172	static int addnewsp __P((caddr_t , struct sockaddr , struct sockaddr *));
173
174	/* cope with old kame headers - ugly */
175	#ifndef SADB_X_AALG_MD5
176	#define SADB_X_AALG_MD5 SADB_AALG_MD5
177	#endif
178	#ifndef SADB_X_AALG_SHA
179	#define SADB_X_AALG_SHA SADB_AALG_SHA
180	#endif
181	#ifndef SADB_X_AALG_NULL
182	#define SADB_X_AALG_NULL SADB_AALG_NULL
183	#endif
184
185	#ifndef SADB_X_EALG_BLOWFISHCBC
186	#define SADB_X_EALG_BLOWFISHCBC SADB_EALG_BLOWFISHCBC
187	#endif
188	#ifndef SADB_X_EALG_CAST128CBC
189	#define SADB_X_EALG_CAST128CBC SADB_EALG_CAST128CBC
190	#endif
191	#ifndef SADB_X_EALG_RC5CBC
192	#ifdef SADB_EALG_RC5CBC
193	#define SADB_X_EALG_RC5CBC SADB_EALG_RC5CBC
194	#endif
195	#endif
196
197	/*
198	* PF_KEY packet handler
199	* 0: success
200	* -1: fail
201	*/
202	static int
203	pfkey_handler(ctx, fd)
204	void *ctx;
205	int fd;
206	{
207	struct sadb_msg *msg;
208	int len;
209	caddr_t mhp[SADB_EXT_MAX + 1];
210	int error = -1;
211
212	/* receive pfkey message. */
213	len = 0;
214	msg = (struct sadb_msg *) pk_recv(fd, &len);
215	if (msg == NULL) {
216	if (len < 0) {
217	/* do not report EAGAIN as error; well get
218	* called from main loop later. and it's normal
219	* when spd dump is received during reload and
220	* this function is called in loop. */
221	if (errno == EAGAIN)
222	goto end;
223
224	plog(LLV_ERROR, LOCATION, NULL,
225	"failed to recv from pfkey (%s)\n",
226	strerror(errno));
227	goto end;
228	} else {
229	/* short message - msg not ready */
230	return 0;
231	}
232	}
233
234	plog(LLV_DEBUG, LOCATION, NULL, "got pfkey %s message\n",
235	s_pfkey_type(msg->sadb_msg_type));
236	plogdump(LLV_DEBUG2, msg, msg->sadb_msg_len << 3);
237
238	/* validity check */
239	if (msg->sadb_msg_errno) {
240	int pri;
241
242	/* when SPD is empty, treat the state as no error. */
243	if (msg->sadb_msg_type == SADB_X_SPDDUMP &&
244	msg->sadb_msg_errno == ENOENT)
245	pri = LLV_DEBUG;
246	else
247	pri = LLV_ERROR;
248
249	plog(pri, LOCATION, NULL,
250	"pfkey %s failed: %s\n",
251	s_pfkey_type(msg->sadb_msg_type),
252	strerror(msg->sadb_msg_errno));
253
254	goto end;
255	}
256
257	/* check pfkey message. */
258	if (pfkey_align(msg, mhp)) {
259	plog(LLV_ERROR, LOCATION, NULL,
260	"libipsec failed pfkey align (%s)\n",
261	ipsec_strerror());
262	goto end;
263	}
264	if (pfkey_check(mhp)) {
265	plog(LLV_ERROR, LOCATION, NULL,
266	"libipsec failed pfkey check (%s)\n",
267	ipsec_strerror());
268	goto end;
269	}
270	msg = (struct sadb_msg *)mhp[0];
271
272	/* safety check */
273	if (msg->sadb_msg_type >= ARRAYLEN(pkrecvf)) {
274	plog(LLV_ERROR, LOCATION, NULL,
275	"unknown PF_KEY message type=%u\n",
276	msg->sadb_msg_type);
277	goto end;
278	}
279
280	if (pkrecvf[msg->sadb_msg_type] == NULL) {
281	plog(LLV_INFO, LOCATION, NULL,
282	"unsupported PF_KEY message %s\n",
283	s_pfkey_type(msg->sadb_msg_type));
284	goto end;
285	}
286
287	if ((pkrecvf[msg->sadb_msg_type])(mhp) < 0)
288	goto end;
289
290	error = 1;
291	end:
292	if (msg)
293	racoon_free(msg);
294	return(error);
295	}
296
297	/*
298	* dump SADB
299	*/
300	vchar_t *
301	pfkey_dump_sadb(satype)
302	int satype;
303	{
304	int s;
305	vchar_t *buf = NULL;
306	pid_t pid = getpid();
307	struct sadb_msg *msg = NULL;
308	size_t bl, ml;
309	int len;
310	int bufsiz;
311
312	if ((s = privsep_socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
313	plog(LLV_ERROR, LOCATION, NULL,
314	"libipsec failed pfkey open: %s\n",
315	ipsec_strerror());
316	return NULL;
317	}
318
319	if ((bufsiz = pfkey_set_buffer_size(s, lcconf->pfkey_buffer_size)) < 0) {
320	plog(LLV_ERROR, LOCATION, NULL,
321	"libipsec failed pfkey set buffer size to %d: %s\n",
322	lcconf->pfkey_buffer_size, ipsec_strerror());
323	return NULL;
324	} else if (bufsiz < lcconf->pfkey_buffer_size) {
325	plog(LLV_WARNING, LOCATION, NULL,
326	"pfkey socket receive buffer set to %dKB, instead of %d\n",
327	bufsiz, lcconf->pfkey_buffer_size);
328	}
329
330	plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_dump\n");
331	if (pfkey_send_dump(s, satype) < 0) {
332	plog(LLV_ERROR, LOCATION, NULL,
333	"libipsec failed dump: %s\n", ipsec_strerror());
334	goto fail;
335	}
336
337	while (1) {
338	if (msg)
339	racoon_free(msg);
340	msg = pk_recv(s, &len);
341	if (msg == NULL) {
342	if (len < 0)
343	goto done;
344	else
345	continue;
346	}
347
348	if (msg->sadb_msg_type != SADB_DUMP \|\| msg->sadb_msg_pid != pid)
349	{
350	plog(LLV_DEBUG, LOCATION, NULL,
351	"discarding non-sadb dump msg %p, our pid=%i\n", msg, pid);
352	plog(LLV_DEBUG, LOCATION, NULL,
353	"type %i, pid %i\n", msg->sadb_msg_type, msg->sadb_msg_pid);
354	continue;
355	}
356
357
358	ml = msg->sadb_msg_len << 3;
359	bl = buf ? buf->l : 0;
360	buf = vrealloc(buf, bl + ml);
361	if (buf == NULL) {
362	plog(LLV_ERROR, LOCATION, NULL,
363	"failed to reallocate buffer to dump.\n");
364	goto fail;
365	}
366	memcpy(buf->v + bl, msg, ml);
367
368	if (msg->sadb_msg_seq == 0)
369	break;
370	}
371	goto done;
372
373	fail:
374	if (buf)
375	vfree(buf);
376	buf = NULL;
377	done:
378	if (msg)
379	racoon_free(msg);
380	close(s);
381	return buf;
382	}
383
384	#ifdef ENABLE_ADMINPORT
385	/*
386	* flush SADB
387	*/
388	void
389	pfkey_flush_sadb(proto)
390	u_int proto;
391	{
392	int satype;
393
394	/* convert to SADB_SATYPE */
395	if ((satype = admin2pfkey_proto(proto)) < 0)
396	return;
397
398	plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_flush\n");
399	if (pfkey_send_flush(lcconf->sock_pfkey, satype) < 0) {
400	plog(LLV_ERROR, LOCATION, NULL,
401	"libipsec failed send flush (%s)\n", ipsec_strerror());
402	return;
403	}
404
405	return;
406	}
407	#endif
408
409	/*
410	* These are the SATYPEs that we manage. We register to get
411	* PF_KEY messages related to these SATYPEs, and we also use
412	* this list to determine which SATYPEs to delete SAs for when
413	* we receive an INITIAL-CONTACT.
414	*/
415	const struct pfkey_satype pfkey_satypes[] = {
416	{ SADB_SATYPE_AH, "AH" },
417	{ SADB_SATYPE_ESP, "ESP" },
418	{ SADB_X_SATYPE_IPCOMP, "IPCOMP" },
419	};
420	const int pfkey_nsatypes =
421	sizeof(pfkey_satypes) / sizeof(pfkey_satypes[0]);
422
423	/*
424	* PF_KEY initialization
425	*/
426	int
427	pfkey_init()
428	{
429	int i, reg_fail;
430	int bufsiz;
431
432	if ((lcconf->sock_pfkey = pfkey_open()) < 0) {
433	plog(LLV_ERROR, LOCATION, NULL,
434	"libipsec failed pfkey open (%s)\n", ipsec_strerror());
435	return -1;
436	}
437	if ((bufsiz = pfkey_set_buffer_size(lcconf->sock_pfkey,
438	lcconf->pfkey_buffer_size)) < 0) {
439	plog(LLV_ERROR, LOCATION, NULL,
440	"libipsec failed to set pfkey buffer size to %d (%s)\n",
441	lcconf->pfkey_buffer_size, ipsec_strerror());
442	return -1;
443	} else if (bufsiz < lcconf->pfkey_buffer_size) {
444	plog(LLV_WARNING, LOCATION, NULL,
445	"pfkey socket receive buffer set to %dKB, instead of %d\n",
446	bufsiz, lcconf->pfkey_buffer_size);
447	}
448
449	if (fcntl(lcconf->sock_pfkey, F_SETFL, O_NONBLOCK) == -1)
450	plog(LLV_WARNING, LOCATION, NULL,
451	"failed to set the pfkey socket to NONBLOCK\n");
452
453	for (i = 0, reg_fail = 0; i < pfkey_nsatypes; i++) {
454	plog(LLV_DEBUG, LOCATION, NULL,
455	"call pfkey_send_register for %s\n",
456	pfkey_satypes[i].ps_name);
457	if (pfkey_send_register(lcconf->sock_pfkey,
458	pfkey_satypes[i].ps_satype) < 0 \|\|
459	pfkey_recv_register(lcconf->sock_pfkey) < 0) {
460	plog(LLV_WARNING, LOCATION, NULL,
461	"failed to register %s (%s)\n",
462	pfkey_satypes[i].ps_name,
463	ipsec_strerror());
464	reg_fail++;
465	}
466	}
467
468	if (reg_fail == pfkey_nsatypes) {
469	plog(LLV_ERROR, LOCATION, NULL,
470	"failed to regist any protocol.\n");
471	pfkey_close(lcconf->sock_pfkey);
472	return -1;
473	}
474
475	initsp();
476
477	if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) {
478	plog(LLV_ERROR, LOCATION, NULL,
479	"libipsec sending spddump failed: %s\n",
480	ipsec_strerror());
481	pfkey_close(lcconf->sock_pfkey);
482	return -1;
483	}
484	#if 0
485	if (pfkey_promisc_toggle(1) < 0) {
486	pfkey_close(lcconf->sock_pfkey);
487	return -1;
488	}
489	#endif
490	monitor_fd(lcconf->sock_pfkey, pfkey_handler, NULL, 0);
491	return 0;
492	}
493
494	int
495	pfkey_reload()
496	{
497	flushsp();
498
499	if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) {
500	plog(LLV_ERROR, LOCATION, NULL,
501	"libipsec sending spddump failed: %s\n",
502	ipsec_strerror());
503	return -1;
504	}
505
506	while (pfkey_handler(NULL, lcconf->sock_pfkey) > 0)
507	continue;
508
509	return 0;
510	}
511
512	/* %%% for conversion */
513	/* IPSECDOI_ATTR_AUTH -> SADB_AALG */
514	static u_int
515	ipsecdoi2pfkey_aalg(hashtype)
516	u_int hashtype;
517	{
518	switch (hashtype) {
519	case IPSECDOI_ATTR_AUTH_HMAC_MD5:
520	return SADB_AALG_MD5HMAC;
521	case IPSECDOI_ATTR_AUTH_HMAC_SHA1:
522	return SADB_AALG_SHA1HMAC;
523	case IPSECDOI_ATTR_AUTH_HMAC_SHA2_256:
524	#if (defined SADB_X_AALG_SHA2_256) && !defined(SADB_X_AALG_SHA2_256HMAC)
525	return SADB_X_AALG_SHA2_256;
526	#else
527	return SADB_X_AALG_SHA2_256HMAC;
528	#endif
529	case IPSECDOI_ATTR_AUTH_HMAC_SHA2_384:
530	#if (defined SADB_X_AALG_SHA2_384) && !defined(SADB_X_AALG_SHA2_384HMAC)
531	return SADB_X_AALG_SHA2_384;
532	#else
533	return SADB_X_AALG_SHA2_384HMAC;
534	#endif
535	case IPSECDOI_ATTR_AUTH_HMAC_SHA2_512:
536	#if (defined SADB_X_AALG_SHA2_512) && !defined(SADB_X_AALG_SHA2_512HMAC)
537	return SADB_X_AALG_SHA2_512;
538	#else
539	return SADB_X_AALG_SHA2_512HMAC;
540	#endif
541	case IPSECDOI_ATTR_AUTH_KPDK: /* need special care */
542	return SADB_AALG_NONE;
543
544	/* not supported */
545	case IPSECDOI_ATTR_AUTH_DES_MAC:
546	plog(LLV_ERROR, LOCATION, NULL,
547	"Not supported hash type: %u\n", hashtype);
548	return ~0;
549
550	case 0: /* reserved */
551	default:
552	return SADB_AALG_NONE;
553
554	plog(LLV_ERROR, LOCATION, NULL,
555	"Invalid hash type: %u\n", hashtype);
556	return ~0;
557	}
558	/NOTREACHED/
559	}
560
561	/* IPSECDOI_ESP -> SADB_EALG */
562	static u_int
563	ipsecdoi2pfkey_ealg(t_id)
564	u_int t_id;
565	{
566	switch (t_id) {
567	case IPSECDOI_ESP_DES_IV64: /* sa_flags \|= SADB_X_EXT_OLD */
568	return SADB_EALG_DESCBC;
569	case IPSECDOI_ESP_DES:
570	return SADB_EALG_DESCBC;
571	case IPSECDOI_ESP_3DES:
572	return SADB_EALG_3DESCBC;
573	#ifdef SADB_X_EALG_RC5CBC
574	case IPSECDOI_ESP_RC5:
575	return SADB_X_EALG_RC5CBC;
576	#endif
577	case IPSECDOI_ESP_CAST:
578	return SADB_X_EALG_CAST128CBC;
579	case IPSECDOI_ESP_BLOWFISH:
580	return SADB_X_EALG_BLOWFISHCBC;
581	case IPSECDOI_ESP_DES_IV32: /* flags \|= (SADB_X_EXT_OLD\|
582	SADB_X_EXT_IV4B)*/
583	return SADB_EALG_DESCBC;
584	case IPSECDOI_ESP_NULL:
585	return SADB_EALG_NULL;
586	#ifdef SADB_X_EALG_AESCBC
587	case IPSECDOI_ESP_AES:
588	return SADB_X_EALG_AESCBC;
589	#endif
590	#ifdef SADB_X_EALG_TWOFISHCBC
591	case IPSECDOI_ESP_TWOFISH:
592	return SADB_X_EALG_TWOFISHCBC;
593	#endif
594	#ifdef SADB_X_EALG_CAMELLIACBC
595	case IPSECDOI_ESP_CAMELLIA:
596	return SADB_X_EALG_CAMELLIACBC;
597	#endif
598
599	/* not supported */
600	case IPSECDOI_ESP_3IDEA:
601	case IPSECDOI_ESP_IDEA:
602	case IPSECDOI_ESP_RC4:
603	plog(LLV_ERROR, LOCATION, NULL,
604	"Not supported transform: %u\n", t_id);
605	return ~0;
606
607	case 0: /* reserved */
608	default:
609	plog(LLV_ERROR, LOCATION, NULL,
610	"Invalid transform id: %u\n", t_id);
611	return ~0;
612	}
613	/NOTREACHED/
614	}
615
616	/* IPCOMP -> SADB_CALG */
617	static u_int
618	ipsecdoi2pfkey_calg(t_id)
619	u_int t_id;
620	{
621	switch (t_id) {
622	case IPSECDOI_IPCOMP_OUI:
623	return SADB_X_CALG_OUI;
624	case IPSECDOI_IPCOMP_DEFLATE:
625	return SADB_X_CALG_DEFLATE;
626	case IPSECDOI_IPCOMP_LZS:
627	return SADB_X_CALG_LZS;
628
629	case 0: /* reserved */
630	default:
631	plog(LLV_ERROR, LOCATION, NULL,
632	"Invalid transform id: %u\n", t_id);
633	return ~0;
634	}
635	/NOTREACHED/
636	}
637
638	/* IPSECDOI_PROTO -> SADB_SATYPE */
639	u_int
640	ipsecdoi2pfkey_proto(proto)
641	u_int proto;
642	{
643	switch (proto) {
644	case IPSECDOI_PROTO_IPSEC_AH:
645	return SADB_SATYPE_AH;
646	case IPSECDOI_PROTO_IPSEC_ESP:
647	return SADB_SATYPE_ESP;
648	case IPSECDOI_PROTO_IPCOMP:
649	return SADB_X_SATYPE_IPCOMP;
650
651	default:
652	plog(LLV_ERROR, LOCATION, NULL,
653	"Invalid ipsec_doi proto: %u\n", proto);
654	return ~0;
655	}
656	/NOTREACHED/
657	}
658
659	static u_int
660	ipsecdoi2pfkey_alg(algclass, type)
661	u_int algclass, type;
662	{
663	switch (algclass) {
664	case IPSECDOI_ATTR_AUTH:
665	return ipsecdoi2pfkey_aalg(type);
666	case IPSECDOI_PROTO_IPSEC_ESP:
667	return ipsecdoi2pfkey_ealg(type);
668	case IPSECDOI_PROTO_IPCOMP:
669	return ipsecdoi2pfkey_calg(type);
670	default:
671	plog(LLV_ERROR, LOCATION, NULL,
672	"Invalid ipsec_doi algclass: %u\n", algclass);
673	return ~0;
674	}
675	/NOTREACHED/
676	}
677
678	/* SADB_SATYPE -> IPSECDOI_PROTO */
679	u_int
680	pfkey2ipsecdoi_proto(satype)
681	u_int satype;
682	{
683	switch (satype) {
684	case SADB_SATYPE_AH:
685	return IPSECDOI_PROTO_IPSEC_AH;
686	case SADB_SATYPE_ESP:
687	return IPSECDOI_PROTO_IPSEC_ESP;
688	case SADB_X_SATYPE_IPCOMP:
689	return IPSECDOI_PROTO_IPCOMP;
690
691	default:
692	plog(LLV_ERROR, LOCATION, NULL,
693	"Invalid pfkey proto: %u\n", satype);
694	return ~0;
695	}
696	/NOTREACHED/
697	}
698
699	/* IPSECDOI_ATTR_ENC_MODE -> IPSEC_MODE */
700	u_int
701	ipsecdoi2pfkey_mode(mode)
702	u_int mode;
703	{
704	switch (mode) {
705	case IPSECDOI_ATTR_ENC_MODE_TUNNEL:
706	#ifdef ENABLE_NATT
707	case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC:
708	case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT:
709	#endif
710	return IPSEC_MODE_TUNNEL;
711	case IPSECDOI_ATTR_ENC_MODE_TRNS:
712	#ifdef ENABLE_NATT
713	case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC:
714	case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT:
715	#endif
716	return IPSEC_MODE_TRANSPORT;
717	default:
718	plog(LLV_ERROR, LOCATION, NULL, "Invalid mode type: %u\n", mode);
719	return ~0;
720	}
721	/NOTREACHED/
722	}
723
724	/* IPSECDOI_ATTR_ENC_MODE -> IPSEC_MODE */
725	u_int
726	pfkey2ipsecdoi_mode(mode)
727	u_int mode;
728	{
729	switch (mode) {
730	case IPSEC_MODE_TUNNEL:
731	return IPSECDOI_ATTR_ENC_MODE_TUNNEL;
732	case IPSEC_MODE_TRANSPORT:
733	return IPSECDOI_ATTR_ENC_MODE_TRNS;
734	case IPSEC_MODE_ANY:
735	return IPSECDOI_ATTR_ENC_MODE_ANY;
736	default:
737	plog(LLV_ERROR, LOCATION, NULL, "Invalid mode type: %u\n", mode);
738	return ~0;
739	}
740	/NOTREACHED/
741	}
742
743	/* default key length for encryption algorithm */
744	static u_int
745	keylen_aalg(hashtype)
746	u_int hashtype;
747	{
748	int res;
749
750	if (hashtype == 0)
751	return SADB_AALG_NONE;
752
753	res = alg_ipsec_hmacdef_hashlen(hashtype);
754	if (res == -1) {
755	plog(LLV_ERROR, LOCATION, NULL,
756	"invalid hmac algorithm %u.\n", hashtype);
757	return ~0;
758	}
759	return res;
760	}
761
762	/* default key length for encryption algorithm */
763	static u_int
764	keylen_ealg(enctype, encklen)
765	u_int enctype;
766	int encklen;
767	{
768	int res;
769
770	res = alg_ipsec_encdef_keylen(enctype, encklen);
771	if (res == -1) {
772	plog(LLV_ERROR, LOCATION, NULL,
773	"invalid encryption algorithm %u.\n", enctype);
774	return ~0;
775	}
776	return res;
777	}
778
779	void
780	pk_fixup_sa_addresses(mhp)
781	caddr_t *mhp;
782	{
783	struct sockaddr src, dst;
784
785	src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
786	dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
787	set_port(src, PORT_ISAKMP);
788	set_port(dst, PORT_ISAKMP);
789
790	#ifdef ENABLE_NATT
791	if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
792	/* NAT-T is enabled for this SADB entry; copy
793	* the ports from NAT-T extensions */
794	if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL)
795	set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
796	if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
797	set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
798	}
799	#endif
800	}
801
802	int
803	pfkey_convertfromipsecdoi(proto_id, t_id, hashtype,
804	e_type, e_keylen, a_type, a_keylen, flags)
805	u_int proto_id;
806	u_int t_id;
807	u_int hashtype;
808	u_int *e_type;
809	u_int *e_keylen;
810	u_int *a_type;
811	u_int *a_keylen;
812	u_int *flags;
813	{
814	*flags = 0;
815	switch (proto_id) {
816	case IPSECDOI_PROTO_IPSEC_ESP:
817	if ((*e_type = ipsecdoi2pfkey_ealg(t_id)) == ~0)
818	goto bad;
819	if ((e_keylen = keylen_ealg(t_id, e_keylen)) == ~0)
820	goto bad;
821	*e_keylen >>= 3;
822
823	if ((*a_type = ipsecdoi2pfkey_aalg(hashtype)) == ~0)
824	goto bad;
825	if ((*a_keylen = keylen_aalg(hashtype)) == ~0)
826	goto bad;
827	*a_keylen >>= 3;
828
829	if (*e_type == SADB_EALG_NONE) {
830	plog(LLV_ERROR, LOCATION, NULL, "no ESP algorithm.\n");
831	goto bad;
832	}
833	break;
834
835	case IPSECDOI_PROTO_IPSEC_AH:
836	if ((*a_type = ipsecdoi2pfkey_aalg(hashtype)) == ~0)
837	goto bad;
838	if ((*a_keylen = keylen_aalg(hashtype)) == ~0)
839	goto bad;
840	*a_keylen >>= 3;
841
842	if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
843	&& hashtype == IPSECDOI_ATTR_AUTH_KPDK) {
844	/* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */
845	*a_type = SADB_X_AALG_MD5;
846	*flags \|= SADB_X_EXT_OLD;
847	}
848	*e_type = SADB_EALG_NONE;
849	*e_keylen = 0;
850	if (*a_type == SADB_AALG_NONE) {
851	plog(LLV_ERROR, LOCATION, NULL, "no AH algorithm.\n");
852	goto bad;
853	}
854	break;
855
856	case IPSECDOI_PROTO_IPCOMP:
857	if ((*e_type = ipsecdoi2pfkey_calg(t_id)) == ~0)
858	goto bad;
859	*e_keylen = 0;
860
861	*flags = SADB_X_EXT_RAWCPI;
862
863	*a_type = SADB_AALG_NONE;
864	*a_keylen = 0;
865	if (*e_type == SADB_X_CALG_NONE) {
866	plog(LLV_ERROR, LOCATION, NULL, "no IPCOMP algorithm.\n");
867	goto bad;
868	}
869	break;
870
871	default:
872	plog(LLV_ERROR, LOCATION, NULL, "unknown IPsec protocol.\n");
873	goto bad;
874	}
875
876	return 0;
877
878	bad:
879	errno = EINVAL;
880	return -1;
881	}
882
883	/%%%/
884	/* send getspi message per ipsec protocol per remote address */
885	/*
886	* the local address and remote address in ph1handle are dealed
887	* with destination address and source address respectively.
888	* Because SPI is decided by responder.
889	*/
890	int
891	pk_sendgetspi(iph2)
892	struct ph2handle *iph2;
893	{
894	struct sockaddr src = NULL, dst = NULL;
895	u_int satype, mode;
896	struct saprop *pp;
897	struct saproto *pr;
898	u_int32_t minspi, maxspi;
899	u_int8_t natt_type = 0;
900	u_int16_t sport = 0, dport = 0;
901
902	if (iph2->side == INITIATOR)
903	pp = iph2->proposal;
904	else
905	pp = iph2->approval;
906
907	if (iph2->sa_src && iph2->sa_dst) {
908	/* MIPv6: Use SA addresses, not IKE ones */
909	src = dupsaddr(iph2->sa_src);
910	dst = dupsaddr(iph2->sa_dst);
911	} else {
912	/* Common case: SA addresses and IKE ones are the same */
913	src = dupsaddr(iph2->src);
914	dst = dupsaddr(iph2->dst);
915	}
916
917	if (src == NULL \|\| dst == NULL) {
918	racoon_free(src);
919	racoon_free(dst);
920	return -1;
921	}
922
923	for (pr = pp->head; pr != NULL; pr = pr->next) {
924
925	/* validity check */
926	satype = ipsecdoi2pfkey_proto(pr->proto_id);
927	if (satype == ~0) {
928	plog(LLV_ERROR, LOCATION, NULL,
929	"invalid proto_id %d\n", pr->proto_id);
930	racoon_free(src);
931	racoon_free(dst);
932	return -1;
933	}
934	/* this works around a bug in Linux kernel where it allocates 4 byte
935	spi's for IPCOMP */
936	else if (satype == SADB_X_SATYPE_IPCOMP) {
937	minspi = 0x100;
938	maxspi = 0xffff;
939	}
940	else {
941	minspi = 0;
942	maxspi = 0;
943	}
944	mode = ipsecdoi2pfkey_mode(pr->encmode);
945	if (mode == ~0) {
946	plog(LLV_ERROR, LOCATION, NULL,
947	"invalid encmode %d\n", pr->encmode);
948	racoon_free(src);
949	racoon_free(dst);
950	return -1;
951	}
952
953	#ifdef ENABLE_NATT
954	if (pr->udp_encap) {
955	natt_type = iph2->ph1->natt_options->encaps_type;
956	sport=extract_port(src);
957	dport=extract_port(dst);
958	}
959	#endif
960
961	plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
962	if (pfkey_send_getspi_nat(
963	lcconf->sock_pfkey,
964	satype,
965	mode,
966	dst, /* src of SA */
967	src, /* dst of SA */
968	natt_type,
969	dport,
970	sport,
971	minspi, maxspi,
972	pr->reqid_in, iph2->seq) < 0) {
973	plog(LLV_ERROR, LOCATION, NULL,
974	"ipseclib failed send getspi (%s)\n",
975	ipsec_strerror());
976	racoon_free(src);
977	racoon_free(dst);
978	return -1;
979	}
980	plog(LLV_DEBUG, LOCATION, NULL,
981	"pfkey GETSPI sent: %s\n",
982	sadbsecas2str(dst, src, satype, 0, mode));
983	}
984
985	racoon_free(src);
986	racoon_free(dst);
987	return 0;
988	}
989
990	/*
991	* receive GETSPI from kernel.
992	*/
993	static int
994	pk_recvgetspi(mhp)
995	caddr_t *mhp;
996	{
997	struct sadb_msg *msg;
998	struct sadb_sa *sa;
999	struct ph2handle *iph2;
1000	struct sockaddr src, dst;
1001	int proto_id;
1002	int allspiok, notfound;
1003	struct saprop *pp;
1004	struct saproto *pr;
1005
1006	/* validity check */
1007	if (mhp[SADB_EXT_SA] == NULL
1008	\|\| mhp[SADB_EXT_ADDRESS_DST] == NULL
1009	\|\| mhp[SADB_EXT_ADDRESS_SRC] == NULL) {
1010	plog(LLV_ERROR, LOCATION, NULL,
1011	"inappropriate sadb getspi message passed.\n");
1012	return -1;
1013	}
1014	msg = (struct sadb_msg *)mhp[0];
1015	sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
1016	pk_fixup_sa_addresses(mhp);
1017	dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); /* note SA dir */
1018	src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1019
1020	/* the message has to be processed or not ? */
1021	if (msg->sadb_msg_pid != getpid()) {
1022	plog(LLV_DEBUG, LOCATION, NULL,
1023	"%s message is not interesting "
1024	"because pid %d is not mine.\n",
1025	s_pfkey_type(msg->sadb_msg_type),
1026	msg->sadb_msg_pid);
1027	return -1;
1028	}
1029
1030	iph2 = getph2byseq(msg->sadb_msg_seq);
1031	if (iph2 == NULL) {
1032	plog(LLV_DEBUG, LOCATION, NULL,
1033	"seq %d of %s message not interesting.\n",
1034	msg->sadb_msg_seq,
1035	s_pfkey_type(msg->sadb_msg_type));
1036	return -1;
1037	}
1038
1039	if (iph2->status != PHASE2ST_GETSPISENT) {
1040	plog(LLV_ERROR, LOCATION, NULL,
1041	"status mismatch (db:%d msg:%d)\n",
1042	iph2->status, PHASE2ST_GETSPISENT);
1043	return -1;
1044	}
1045
1046	/* set SPI, and check to get all spi whether or not */
1047	allspiok = 1;
1048	notfound = 1;
1049	proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
1050	pp = iph2->side == INITIATOR ? iph2->proposal : iph2->approval;
1051
1052	for (pr = pp->head; pr != NULL; pr = pr->next) {
1053	if (pr->proto_id == proto_id && pr->spi == 0) {
1054	pr->spi = sa->sadb_sa_spi;
1055	notfound = 0;
1056	plog(LLV_DEBUG, LOCATION, NULL,
1057	"pfkey GETSPI succeeded: %s\n",
1058	sadbsecas2str(dst, src,
1059	msg->sadb_msg_satype,
1060	sa->sadb_sa_spi,
1061	ipsecdoi2pfkey_mode(pr->encmode)));
1062	}
1063	if (pr->spi == 0)
1064	allspiok = 0; /* not get all spi */
1065	}
1066
1067	if (notfound) {
1068	plog(LLV_ERROR, LOCATION, NULL,
1069	"get spi for unknown address %s\n",
1070	saddrwop2str(dst));
1071	return -1;
1072	}
1073
1074	if (allspiok) {
1075	/* update status */
1076	iph2->status = PHASE2ST_GETSPIDONE;
1077	if (isakmp_post_getspi(iph2) < 0) {
1078	plog(LLV_ERROR, LOCATION, NULL,
1079	"failed to start post getspi.\n");
1080	remph2(iph2);
1081	delph2(iph2);
1082	iph2 = NULL;
1083	return -1;
1084	}
1085	}
1086
1087	return 0;
1088	}
1089
1090	/*
1091	* set inbound SA
1092	*/
1093	int
1094	pk_sendupdate(iph2)
1095	struct ph2handle *iph2;
1096	{
1097	struct saproto *pr;
1098	struct pfkey_send_sa_args sa_args;
1099
1100	/* sanity check */
1101	if (iph2->approval == NULL) {
1102	plog(LLV_ERROR, LOCATION, NULL,
1103	"no approvaled SAs found.\n");
1104	return -1;
1105	}
1106
1107	/* fill in some needed for pfkey_send_update2 */
1108	memset (&sa_args, 0, sizeof (sa_args));
1109	sa_args.so = lcconf->sock_pfkey;
1110	if (iph2->lifetime_secs)
1111	sa_args.l_addtime = iph2->lifetime_secs;
1112	else
1113	sa_args.l_addtime = iph2->approval->lifetime;
1114	sa_args.seq = iph2->seq;
1115	sa_args.wsize = 4;
1116
1117	if (iph2->sa_src && iph2->sa_dst) {
1118	/* MIPv6: Use SA addresses, not IKE ones */
1119	sa_args.dst = dupsaddr(iph2->sa_src);
1120	sa_args.src = dupsaddr(iph2->sa_dst);
1121	} else {
1122	/* Common case: SA addresses and IKE ones are the same */
1123	sa_args.dst = dupsaddr(iph2->src);
1124	sa_args.src = dupsaddr(iph2->dst);
1125	}
1126
1127	if (sa_args.src == NULL \|\| sa_args.dst == NULL) {
1128	racoon_free(sa_args.src);
1129	racoon_free(sa_args.dst);
1130	return -1;
1131	}
1132
1133	for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
1134	/* validity check */
1135	sa_args.satype = ipsecdoi2pfkey_proto(pr->proto_id);
1136	if (sa_args.satype == ~0) {
1137	plog(LLV_ERROR, LOCATION, NULL,
1138	"invalid proto_id %d\n", pr->proto_id);
1139	racoon_free(sa_args.src);
1140	racoon_free(sa_args.dst);
1141	return -1;
1142	}
1143	else if (sa_args.satype == SADB_X_SATYPE_IPCOMP) {
1144	/* IPCOMP has no replay window */
1145	sa_args.wsize = 0;
1146	}
1147	#ifdef ENABLE_SAMODE_UNSPECIFIED
1148	sa_args.mode = IPSEC_MODE_ANY;
1149	#else
1150	sa_args.mode = ipsecdoi2pfkey_mode(pr->encmode);
1151	if (sa_args.mode == ~0) {
1152	plog(LLV_ERROR, LOCATION, NULL,
1153	"invalid encmode %d\n", pr->encmode);
1154	racoon_free(sa_args.src);
1155	racoon_free(sa_args.dst);
1156	return -1;
1157	}
1158	#endif
1159	/* set algorithm type and key length */
1160	sa_args.e_keylen = pr->head->encklen;
1161	if (pfkey_convertfromipsecdoi(
1162	pr->proto_id,
1163	pr->head->trns_id,
1164	pr->head->authtype,
1165	&sa_args.e_type, &sa_args.e_keylen,
1166	&sa_args.a_type, &sa_args.a_keylen,
1167	&sa_args.flags) < 0){
1168	racoon_free(sa_args.src);
1169	racoon_free(sa_args.dst);
1170	return -1;
1171	}
1172
1173	#if 0
1174	sa_args.l_bytes = iph2->approval->lifebyte * 1024,
1175	#else
1176	sa_args.l_bytes = 0;
1177	#endif
1178
1179	#ifdef HAVE_SECCTX
1180	if (*iph2->approval->sctx.ctx_str) {
1181	sa_args.ctxdoi = iph2->approval->sctx.ctx_doi;
1182	sa_args.ctxalg = iph2->approval->sctx.ctx_alg;
1183	sa_args.ctxstrlen = iph2->approval->sctx.ctx_strlen;
1184	sa_args.ctxstr = iph2->approval->sctx.ctx_str;
1185	}
1186	#endif /* HAVE_SECCTX */
1187
1188	#ifdef ENABLE_NATT
1189	if (pr->udp_encap) {
1190	sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type;
1191	sa_args.l_natt_sport = extract_port(iph2->ph1->remote);
1192	sa_args.l_natt_dport = extract_port(iph2->ph1->local);
1193	sa_args.l_natt_oa = iph2->natoa_src;
1194	#ifdef SADB_X_EXT_NAT_T_FRAG
1195	sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
1196	#endif
1197	}
1198	#endif
1199
1200	/* more info to fill in */
1201	sa_args.spi = pr->spi;
1202	sa_args.reqid = pr->reqid_in;
1203	sa_args.keymat = pr->keymat->v;
1204
1205	plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update2\n");
1206	if (pfkey_send_update2(&sa_args) < 0) {
1207	plog(LLV_ERROR, LOCATION, NULL,
1208	"libipsec failed send update (%s)\n",
1209	ipsec_strerror());
1210	racoon_free(sa_args.src);
1211	racoon_free(sa_args.dst);
1212	return -1;
1213	}
1214
1215	if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
1216	continue;
1217
1218	/*
1219	* It maybe good idea to call backupsa_to_file() after
1220	* racoon will receive the sadb_update messages.
1221	* But it is impossible because there is not key in the
1222	* information from the kernel.
1223	*/
1224
1225	/* change some things before backing up */
1226	sa_args.wsize = 4;
1227	sa_args.l_bytes = iph2->approval->lifebyte * 1024;
1228
1229	if (backupsa_to_file(&sa_args) < 0) {
1230	plog(LLV_ERROR, LOCATION, NULL,
1231	"backuped SA failed: %s\n",
1232	sadbsecas2str(sa_args.src, sa_args.dst,
1233	sa_args.satype, sa_args.spi, sa_args.mode));
1234	}
1235	plog(LLV_DEBUG, LOCATION, NULL,
1236	"backuped SA: %s\n",
1237	sadbsecas2str(sa_args.src, sa_args.dst,
1238	sa_args.satype, sa_args.spi, sa_args.mode));
1239	}
1240
1241	racoon_free(sa_args.src);
1242	racoon_free(sa_args.dst);
1243	return 0;
1244	}
1245
1246	static int
1247	pk_recvupdate(mhp)
1248	caddr_t *mhp;
1249	{
1250	struct sadb_msg *msg;
1251	struct sadb_sa *sa;
1252	struct sockaddr src, dst;
1253	struct ph2handle *iph2;
1254	u_int proto_id, encmode, sa_mode;
1255	int incomplete = 0;
1256	struct saproto *pr;
1257
1258	/* ignore this message because of local test mode. */
1259	if (f_local)
1260	return 0;
1261
1262	/* sanity check */
1263	if (mhp[0] == NULL
1264	\|\| mhp[SADB_EXT_SA] == NULL
1265	\|\| mhp[SADB_EXT_ADDRESS_SRC] == NULL
1266	\|\| mhp[SADB_EXT_ADDRESS_DST] == NULL) {
1267	plog(LLV_ERROR, LOCATION, NULL,
1268	"inappropriate sadb update message passed.\n");
1269	return -1;
1270	}
1271	msg = (struct sadb_msg *)mhp[0];
1272	pk_fixup_sa_addresses(mhp);
1273	src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1274	dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1275	sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
1276
1277	sa_mode = mhp[SADB_X_EXT_SA2] == NULL
1278	? IPSEC_MODE_ANY
1279	: ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
1280
1281	/* the message has to be processed or not ? */
1282	if (msg->sadb_msg_pid != getpid()) {
1283	plog(LLV_DEBUG, LOCATION, NULL,
1284	"%s message is not interesting "
1285	"because pid %d is not mine.\n",
1286	s_pfkey_type(msg->sadb_msg_type),
1287	msg->sadb_msg_pid);
1288	return -1;
1289	}
1290
1291	iph2 = getph2byseq(msg->sadb_msg_seq);
1292	if (iph2 == NULL) {
1293	plog(LLV_DEBUG, LOCATION, NULL,
1294	"seq %d of %s message not interesting.\n",
1295	msg->sadb_msg_seq,
1296	s_pfkey_type(msg->sadb_msg_type));
1297	return -1;
1298	}
1299
1300	if (iph2->status != PHASE2ST_ADDSA) {
1301	plog(LLV_ERROR, LOCATION, NULL,
1302	"status mismatch (db:%d msg:%d)\n",
1303	iph2->status, PHASE2ST_ADDSA);
1304	return -1;
1305	}
1306
1307	/* check to complete all keys ? */
1308	for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
1309	proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
1310	if (proto_id == ~0) {
1311	plog(LLV_ERROR, LOCATION, NULL,
1312	"invalid proto_id %d\n", msg->sadb_msg_satype);
1313	return -1;
1314	}
1315	encmode = pfkey2ipsecdoi_mode(sa_mode);
1316	if (encmode == ~0) {
1317	plog(LLV_ERROR, LOCATION, NULL,
1318	"invalid encmode %d\n", sa_mode);
1319	return -1;
1320	}
1321
1322	if (pr->proto_id == proto_id
1323	&& pr->spi == sa->sadb_sa_spi) {
1324	pr->ok = 1;
1325	plog(LLV_DEBUG, LOCATION, NULL,
1326	"pfkey UPDATE succeeded: %s\n",
1327	sadbsecas2str(dst, src,
1328	msg->sadb_msg_satype,
1329	sa->sadb_sa_spi,
1330	sa_mode));
1331
1332	plog(LLV_INFO, LOCATION, NULL,
1333	"IPsec-SA established: %s\n",
1334	sadbsecas2str(dst, src,
1335	msg->sadb_msg_satype, sa->sadb_sa_spi,
1336	sa_mode));
1337	}
1338
1339	if (pr->ok == 0)
1340	incomplete = 1;
1341	}
1342
1343	if (incomplete)
1344	return 0;
1345
1346	/* turn off the timer for calling pfkey_timeover() */
1347	sched_cancel(&iph2->sce);
1348
1349	/* update status */
1350	iph2->status = PHASE2ST_ESTABLISHED;
1351	evt_phase2(iph2, EVT_PHASE2_UP, NULL);
1352
1353	#ifdef ENABLE_STATS
1354	gettimeofday(&iph2->end, NULL);
1355	syslog(LOG_NOTICE, "%s(%s): %8.6f",
1356	"phase2", "quick", timedelta(&iph2->start, &iph2->end));
1357	#endif
1358
1359	/* turn off schedule */
1360	sched_cancel(&iph2->scr);
1361
1362	/*
1363	* since we are going to reuse the phase2 handler, we need to
1364	* remain it and refresh all the references between ph1 and ph2 to use.
1365	*/
1366	sched_schedule(&iph2->sce, iph2->approval->lifetime,
1367	isakmp_ph2expire_stub);
1368
1369	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1370	return 0;
1371	}
1372
1373	/*
1374	* set outbound SA
1375	*/
1376	int
1377	pk_sendadd(iph2)
1378	struct ph2handle *iph2;
1379	{
1380	struct saproto *pr;
1381	struct pfkey_send_sa_args sa_args;
1382
1383	/* sanity check */
1384	if (iph2->approval == NULL) {
1385	plog(LLV_ERROR, LOCATION, NULL,
1386	"no approvaled SAs found.\n");
1387	return -1;
1388	}
1389
1390	/* fill in some needed for pfkey_send_update2 */
1391	memset (&sa_args, 0, sizeof (sa_args));
1392	sa_args.so = lcconf->sock_pfkey;
1393	if (iph2->lifetime_secs)
1394	sa_args.l_addtime = iph2->lifetime_secs;
1395	else
1396	sa_args.l_addtime = iph2->approval->lifetime;
1397	sa_args.seq = iph2->seq;
1398	sa_args.wsize = 4;
1399
1400	if (iph2->sa_src && iph2->sa_dst) {
1401	/* MIPv6: Use SA addresses, not IKE ones */
1402	sa_args.src = dupsaddr(iph2->sa_src);
1403	sa_args.dst = dupsaddr(iph2->sa_dst);
1404	} else {
1405	/* Common case: SA addresses and IKE ones are the same */
1406	sa_args.src = dupsaddr(iph2->src);
1407	sa_args.dst = dupsaddr(iph2->dst);
1408	}
1409
1410	if (sa_args.src == NULL \|\| sa_args.dst == NULL) {
1411	racoon_free(sa_args.src);
1412	racoon_free(sa_args.dst);
1413	return -1;
1414	}
1415
1416	for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
1417	/* validity check */
1418	sa_args.satype = ipsecdoi2pfkey_proto(pr->proto_id);
1419	if (sa_args.satype == ~0) {
1420	plog(LLV_ERROR, LOCATION, NULL,
1421	"invalid proto_id %d\n", pr->proto_id);
1422	racoon_free(sa_args.src);
1423	racoon_free(sa_args.dst);
1424	return -1;
1425	}
1426	else if (sa_args.satype == SADB_X_SATYPE_IPCOMP) {
1427	/* no replay window for IPCOMP */
1428	sa_args.wsize = 0;
1429	}
1430	#ifdef ENABLE_SAMODE_UNSPECIFIED
1431	sa_args.mode = IPSEC_MODE_ANY;
1432	#else
1433	sa_args.mode = ipsecdoi2pfkey_mode(pr->encmode);
1434	if (sa_args.mode == ~0) {
1435	plog(LLV_ERROR, LOCATION, NULL,
1436	"invalid encmode %d\n", pr->encmode);
1437	racoon_free(sa_args.src);
1438	racoon_free(sa_args.dst);
1439	return -1;
1440	}
1441	#endif
1442
1443	/* set algorithm type and key length */
1444	sa_args.e_keylen = pr->head->encklen;
1445	if (pfkey_convertfromipsecdoi(
1446	pr->proto_id,
1447	pr->head->trns_id,
1448	pr->head->authtype,
1449	&sa_args.e_type, &sa_args.e_keylen,
1450	&sa_args.a_type, &sa_args.a_keylen,
1451	&sa_args.flags) < 0){
1452	racoon_free(sa_args.src);
1453	racoon_free(sa_args.dst);
1454	return -1;
1455	}
1456
1457	#if 0
1458	sa_args.l_bytes = iph2->approval->lifebyte * 1024,
1459	#else
1460	sa_args.l_bytes = 0;
1461	#endif
1462
1463	#ifdef HAVE_SECCTX
1464	if (*iph2->approval->sctx.ctx_str) {
1465	sa_args.ctxdoi = iph2->approval->sctx.ctx_doi;
1466	sa_args.ctxalg = iph2->approval->sctx.ctx_alg;
1467	sa_args.ctxstrlen = iph2->approval->sctx.ctx_strlen;
1468	sa_args.ctxstr = iph2->approval->sctx.ctx_str;
1469	}
1470	#endif /* HAVE_SECCTX */
1471
1472	#ifdef ENABLE_NATT
1473	plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add2 "
1474	"(NAT flavor)\n");
1475
1476	if (pr->udp_encap) {
1477	sa_args.l_natt_type = UDP_ENCAP_ESPINUDP;
1478	sa_args.l_natt_sport = extract_port(iph2->ph1->local);
1479	sa_args.l_natt_dport = extract_port(iph2->ph1->remote);
1480	sa_args.l_natt_oa = iph2->natoa_dst;
1481	#ifdef SADB_X_EXT_NAT_T_FRAG
1482	sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
1483	#endif
1484	}
1485	#endif
1486	/* more info to fill in */
1487	sa_args.spi = pr->spi_p;
1488	sa_args.reqid = pr->reqid_out;
1489	sa_args.keymat = pr->keymat_p->v;
1490
1491	plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add2\n");
1492	if (pfkey_send_add2(&sa_args) < 0) {
1493	plog(LLV_ERROR, LOCATION, NULL,
1494	"libipsec failed send add (%s)\n",
1495	ipsec_strerror());
1496	racoon_free(sa_args.src);
1497	racoon_free(sa_args.dst);
1498	return -1;
1499	}
1500
1501	if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
1502	continue;
1503
1504	/*
1505	* It maybe good idea to call backupsa_to_file() after
1506	* racoon will receive the sadb_update messages.
1507	* But it is impossible because there is not key in the
1508	* information from the kernel.
1509	*/
1510	if (backupsa_to_file(&sa_args) < 0) {
1511	plog(LLV_ERROR, LOCATION, NULL,
1512	"backuped SA failed: %s\n",
1513	sadbsecas2str(sa_args.src, sa_args.dst,
1514	sa_args.satype, sa_args.spi, sa_args.mode));
1515	}
1516	plog(LLV_DEBUG, LOCATION, NULL,
1517	"backuped SA: %s\n",
1518	sadbsecas2str(sa_args.src, sa_args.dst,
1519	sa_args.satype, sa_args.spi, sa_args.mode));
1520	}
1521	racoon_free(sa_args.src);
1522	racoon_free(sa_args.dst);
1523	return 0;
1524	}
1525
1526	static int
1527	pk_recvadd(mhp)
1528	caddr_t *mhp;
1529	{
1530	struct sadb_msg *msg;
1531	struct sadb_sa *sa;
1532	struct sockaddr src, dst;
1533	struct ph2handle *iph2;
1534	u_int sa_mode;
1535
1536	/* ignore this message because of local test mode. */
1537	if (f_local)
1538	return 0;
1539
1540	/* sanity check */
1541	if (mhp[0] == NULL
1542	\|\| mhp[SADB_EXT_SA] == NULL
1543	\|\| mhp[SADB_EXT_ADDRESS_SRC] == NULL
1544	\|\| mhp[SADB_EXT_ADDRESS_DST] == NULL) {
1545	plog(LLV_ERROR, LOCATION, NULL,
1546	"inappropriate sadb add message passed.\n");
1547	return -1;
1548	}
1549	msg = (struct sadb_msg *)mhp[0];
1550	pk_fixup_sa_addresses(mhp);
1551	src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1552	dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1553	sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
1554
1555	sa_mode = mhp[SADB_X_EXT_SA2] == NULL
1556	? IPSEC_MODE_ANY
1557	: ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
1558
1559	/* the message has to be processed or not ? */
1560	if (msg->sadb_msg_pid != getpid()) {
1561	plog(LLV_DEBUG, LOCATION, NULL,
1562	"%s message is not interesting "
1563	"because pid %d is not mine.\n",
1564	s_pfkey_type(msg->sadb_msg_type),
1565	msg->sadb_msg_pid);
1566	return -1;
1567	}
1568
1569	iph2 = getph2byseq(msg->sadb_msg_seq);
1570	if (iph2 == NULL) {
1571	plog(LLV_DEBUG, LOCATION, NULL,
1572	"seq %d of %s message not interesting.\n",
1573	msg->sadb_msg_seq,
1574	s_pfkey_type(msg->sadb_msg_type));
1575	return -1;
1576	}
1577
1578	/*
1579	* NOTE don't update any status of phase2 handle
1580	* because they must be updated by SADB_UPDATE message
1581	*/
1582
1583	plog(LLV_INFO, LOCATION, NULL,
1584	"IPsec-SA established: %s\n",
1585	sadbsecas2str(src, dst,
1586	msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode));
1587
1588	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1589	return 0;
1590	}
1591
1592	static int
1593	pk_recvexpire(mhp)
1594	caddr_t *mhp;
1595	{
1596	struct sadb_msg *msg;
1597	struct sadb_sa *sa;
1598	struct sockaddr src, dst;
1599	struct ph2handle *iph2;
1600	u_int proto_id, sa_mode;
1601
1602	/* sanity check */
1603	if (mhp[0] == NULL
1604	\|\| mhp[SADB_EXT_SA] == NULL
1605	\|\| mhp[SADB_EXT_ADDRESS_SRC] == NULL
1606	\|\| mhp[SADB_EXT_ADDRESS_DST] == NULL
1607	\|\| (mhp[SADB_EXT_LIFETIME_HARD] != NULL
1608	&& mhp[SADB_EXT_LIFETIME_SOFT] != NULL)) {
1609	plog(LLV_ERROR, LOCATION, NULL,
1610	"inappropriate sadb expire message passed.\n");
1611	return -1;
1612	}
1613	msg = (struct sadb_msg *)mhp[0];
1614	sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
1615	pk_fixup_sa_addresses(mhp);
1616	src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1617	dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1618
1619	sa_mode = mhp[SADB_X_EXT_SA2] == NULL
1620	? IPSEC_MODE_ANY
1621	: ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
1622
1623	proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
1624	if (proto_id == ~0) {
1625	plog(LLV_ERROR, LOCATION, NULL,
1626	"invalid proto_id %d\n", msg->sadb_msg_satype);
1627	return -1;
1628	}
1629
1630	plog(LLV_INFO, LOCATION, NULL,
1631	"IPsec-SA expired: %s\n",
1632	sadbsecas2str(src, dst,
1633	msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode));
1634
1635	iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
1636	if (iph2 == NULL) {
1637	/*
1638	* Ignore it because two expire messages are come up.
1639	* phase2 handler has been deleted already when 2nd message
1640	* is received.
1641	*/
1642	plog(LLV_DEBUG, LOCATION, NULL,
1643	"no such a SA found: %s\n",
1644	sadbsecas2str(src, dst,
1645	msg->sadb_msg_satype, sa->sadb_sa_spi,
1646	sa_mode));
1647	return 0;
1648	}
1649
1650	/* resent expiry message? */
1651	if (iph2->status > PHASE2ST_ESTABLISHED)
1652	return 0;
1653
1654	/* still negotiating? */
1655	if (iph2->status < PHASE2ST_ESTABLISHED) {
1656	/* not a hard timeout? */
1657	if (mhp[SADB_EXT_LIFETIME_HARD] == NULL)
1658	return 0;
1659
1660	/*
1661	* We were negotiating for that SA (w/o much success
1662	* from current status) and kernel has decided our time
1663	* is over trying (xfrm_larval_drop controls that and
1664	* is enabled by default on Linux >= 2.6.28 kernels).
1665	*/
1666	plog(LLV_WARNING, LOCATION, NULL,
1667	"PF_KEY EXPIRE message received from kernel for SA"
1668	" being negotiated. Stopping negotiation.\n");
1669	}
1670
1671	/* turn off the timer for calling isakmp_ph2expire() */
1672	sched_cancel(&iph2->sce);
1673
1674	if (iph2->status == PHASE2ST_ESTABLISHED &&
1675	iph2->side == INITIATOR) {
1676	struct ph1handle *iph1hint;
1677	/*
1678	* Active phase 2 expired and we were initiator.
1679	* Begin new phase 2 exchange, so we can keep on sending
1680	* traffic.
1681	*/
1682
1683	/* update status for re-use */
1684	iph1hint = iph2->ph1;
1685	initph2(iph2);
1686	iph2->status = PHASE2ST_STATUS2;
1687
1688	/* start quick exchange */
1689	if (isakmp_post_acquire(iph2, iph1hint, FALSE) < 0) {
1690	plog(LLV_ERROR, LOCATION, iph2->dst,
1691	"failed to begin ipsec sa "
1692	"re-negotication.\n");
1693	remph2(iph2);
1694	delph2(iph2);
1695	return -1;
1696	}
1697
1698	return 0;
1699	}
1700
1701	/*
1702	* We are responder or the phase 2 was not established.
1703	* Just remove the ph2handle to reflect SADB.
1704	*/
1705	iph2->status = PHASE2ST_EXPIRED;
1706	remph2(iph2);
1707	delph2(iph2);
1708
1709	return 0;
1710	}
1711
1712	static int
1713	pk_recvacquire(mhp)
1714	caddr_t *mhp;
1715	{
1716	struct sadb_msg *msg;
1717	struct sadb_x_policy *xpl;
1718	struct secpolicy sp_out = NULL, sp_in = NULL;
1719	struct ph2handle *iph2;
1720	struct sockaddr src, dst; /* IKE addresses (for exchanges) */
1721	struct sockaddr sp_src, sp_dst; /* SP addresses (selectors). */
1722	struct sockaddr sa_src = NULL, sa_dst = NULL ; /* SA addresses */
1723	#ifdef HAVE_SECCTX
1724	struct sadb_x_sec_ctx *m_sec_ctx;
1725	#endif /* HAVE_SECCTX */
1726	struct policyindex spidx;
1727
1728	/* ignore this message because of local test mode. */
1729	if (f_local)
1730	return 0;
1731
1732	/* sanity check */
1733	if (mhp[0] == NULL
1734	\|\| mhp[SADB_EXT_ADDRESS_SRC] == NULL
1735	\|\| mhp[SADB_EXT_ADDRESS_DST] == NULL
1736	\|\| mhp[SADB_X_EXT_POLICY] == NULL) {
1737	plog(LLV_ERROR, LOCATION, NULL,
1738	"inappropriate sadb acquire message passed.\n");
1739	return -1;
1740	}
1741	msg = (struct sadb_msg *)mhp[0];
1742	xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
1743	/* acquire does not have nat-t ports; so do not bother setting
1744	* the default port 500; just use the port zero for wildcard
1745	* matching the get a valid natted destination */
1746	sp_src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1747	sp_dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1748
1749	#ifdef HAVE_SECCTX
1750	m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
1751
1752	if (m_sec_ctx != NULL) {
1753	plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n",
1754	m_sec_ctx->sadb_x_ctx_doi);
1755	plog(LLV_INFO, LOCATION, NULL,
1756	"security context algorithm: %u\n",
1757	m_sec_ctx->sadb_x_ctx_alg);
1758	plog(LLV_INFO, LOCATION, NULL, "security context length: %u\n",
1759	m_sec_ctx->sadb_x_ctx_len);
1760	plog(LLV_INFO, LOCATION, NULL, "security context: %s\n",
1761	((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)));
1762	}
1763	#endif /* HAVE_SECCTX */
1764
1765	/* ignore if type is not IPSEC_POLICY_IPSEC */
1766	if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
1767	plog(LLV_DEBUG, LOCATION, NULL,
1768	"ignore ACQUIRE message. type is not IPsec.\n");
1769	return 0;
1770	}
1771
1772	/* ignore it if src or dst are multicast addresses. */
1773	if ((sp_dst->sa_family == AF_INET
1774	&& IN_MULTICAST(ntohl(((struct sockaddr_in *)sp_dst)->sin_addr.s_addr)))
1775	#ifdef INET6
1776	\|\| (sp_dst->sa_family == AF_INET6
1777	&& IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)sp_dst)->sin6_addr))
1778	#endif
1779	) {
1780	plog(LLV_DEBUG, LOCATION, NULL,
1781	"ignore due to multicast destination address: %s.\n",
1782	saddrwop2str(sp_dst));
1783	return 0;
1784	}
1785
1786	if ((sp_src->sa_family == AF_INET
1787	&& IN_MULTICAST(ntohl(((struct sockaddr_in *)sp_src)->sin_addr.s_addr)))
1788	#ifdef INET6
1789	\|\| (sp_src->sa_family == AF_INET6
1790	&& IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)sp_src)->sin6_addr))
1791	#endif
1792	) {
1793	plog(LLV_DEBUG, LOCATION, NULL,
1794	"ignore due to multicast source address: %s.\n",
1795	saddrwop2str(sp_src));
1796	return 0;
1797	}
1798
1799	/* search for proper policyindex */
1800	sp_out = getspbyspid(xpl->sadb_x_policy_id);
1801	if (sp_out == NULL) {
1802	plog(LLV_ERROR, LOCATION, NULL, "no policy found: id:%d.\n",
1803	xpl->sadb_x_policy_id);
1804	return -1;
1805	}
1806	plog(LLV_DEBUG, LOCATION, NULL,
1807	"suitable outbound SP found: %s.\n", spidx2str(&sp_out->spidx));
1808
1809	/* Before going further, let first get the source and destination
1810	* address that would be used for IKE negotiation. The logic is:
1811	* - if SP from SPD image contains local and remote hints, we
1812	* use them (provided by MIGRATE).
1813	* - otherwise, we use the ones from the ipsecrequest, which means:
1814	* - the addresses from the request for transport mode
1815	* - the endpoints addresses for tunnel mode
1816	*
1817	* Note that:
1818	* 1) racoon does not support negotiation of bundles which
1819	* simplifies the lookup for the addresses in the ipsecrequest
1820	* list, as we expect only one.
1821	* 2) We do source and destination parts all together and do not
1822	* accept semi-defined information. This is just a decision,
1823	* there might be needs.
1824	*
1825	* --arno
1826	*/
1827	if (sp_out->req && sp_out->req->saidx.mode == IPSEC_MODE_TUNNEL) {
1828	/* For Tunnel mode, SA addresses are the endpoints */
1829	src = (struct sockaddr *) &sp_out->req->saidx.src;
1830	dst = (struct sockaddr *) &sp_out->req->saidx.dst;
1831	} else {
1832	/* Otherwise use requested addresses.
1833	*
1834	* We need to explicitly setup sa_src and sa_dst too,
1835	* since the SA ports are different from IKE port. And
1836	* src/dst ports will be overwritten when the matching
1837	* phase1 is found. */
1838	src = sa_src = sp_src;
1839	dst = sa_dst = sp_dst;
1840	}
1841	if (sp_out->local && sp_out->remote) {
1842	/* hints available, let's use them */
1843	sa_src = src;
1844	sa_dst = dst;
1845	src = (struct sockaddr *) sp_out->local;
1846	dst = (struct sockaddr *) sp_out->remote;
1847	}
1848
1849	/*
1850	* If there is a phase 2 handler against the policy identifier in
1851	* the acquire message, and if
1852	* 1. its state is less than PHASE2ST_ESTABLISHED, then racoon
1853	* should ignore such a acquire message because the phase 2
1854	* is just negotiating.
1855	* 2. its state is equal to PHASE2ST_ESTABLISHED, then racoon
1856	* has to prcesss such a acquire message because racoon may
1857	* lost the expire message.
1858	*/
1859	iph2 = getph2byid(src, dst, xpl->sadb_x_policy_id);
1860	if (iph2 != NULL) {
1861	if (iph2->status < PHASE2ST_ESTABLISHED) {
1862	plog(LLV_DEBUG, LOCATION, NULL,
1863	"ignore the acquire because ph2 found\n");
1864	return -1;
1865	}
1866	if (iph2->status == PHASE2ST_EXPIRED)
1867	iph2 = NULL;
1868	/FALLTHROUGH/
1869	}
1870
1871	/* Check we are listening on source address. If not, ignore. */
1872	if (myaddr_getsport(src) == -1) {
1873	plog(LLV_DEBUG, LOCATION, NULL,
1874	"Not listening on source address %s. Ignoring ACQUIRE.\n",
1875	saddrwop2str(src));
1876	return 0;
1877	}
1878
1879	/* get inbound policy */
1880	{
1881
1882	memset(&spidx, 0, sizeof(spidx));
1883	spidx.dir = IPSEC_DIR_INBOUND;
1884	memcpy(&spidx.src, &sp_out->spidx.dst, sizeof(spidx.src));
1885	memcpy(&spidx.dst, &sp_out->spidx.src, sizeof(spidx.dst));
1886	spidx.prefs = sp_out->spidx.prefd;
1887	spidx.prefd = sp_out->spidx.prefs;
1888	spidx.ul_proto = sp_out->spidx.ul_proto;
1889
1890	#ifdef HAVE_SECCTX
1891	if (m_sec_ctx) {
1892	spidx.sec_ctx.ctx_doi = m_sec_ctx->sadb_x_ctx_doi;
1893	spidx.sec_ctx.ctx_alg = m_sec_ctx->sadb_x_ctx_alg;
1894	spidx.sec_ctx.ctx_strlen = m_sec_ctx->sadb_x_ctx_len;
1895	memcpy(spidx.sec_ctx.ctx_str,
1896	((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)),
1897	spidx.sec_ctx.ctx_strlen);
1898	}
1899	#endif /* HAVE_SECCTX */
1900
1901	sp_in = getsp(&spidx);
1902	if (sp_in) {
1903	plog(LLV_DEBUG, LOCATION, NULL,
1904	"suitable inbound SP found: %s.\n",
1905	spidx2str(&sp_in->spidx));
1906	} else {
1907	plog(LLV_NOTIFY, LOCATION, NULL,
1908	"no in-bound policy found: %s\n",
1909	spidx2str(&spidx));
1910	}
1911	}
1912
1913	/* allocate a phase 2 */
1914	iph2 = newph2();
1915	if (iph2 == NULL) {
1916	plog(LLV_ERROR, LOCATION, NULL,
1917	"failed to allocate phase2 entry.\n");
1918	return -1;
1919	}
1920	iph2->side = INITIATOR;
1921	iph2->spid = xpl->sadb_x_policy_id;
1922	iph2->satype = msg->sadb_msg_satype;
1923	iph2->seq = msg->sadb_msg_seq;
1924	iph2->status = PHASE2ST_STATUS2;
1925
1926	/* set address used by IKE for the negotiation (might differ from
1927	* SA address, i.e. might not be tunnel endpoints or addresses
1928	* of transport mode SA) */
1929	iph2->dst = dupsaddr(dst);
1930	if (iph2->dst == NULL) {
1931	delph2(iph2);
1932	return -1;
1933	}
1934	iph2->src = dupsaddr(src);
1935	if (iph2->src == NULL) {
1936	delph2(iph2);
1937	return -1;
1938	}
1939
1940	/* If sa_src and sa_dst have been set, this mean we have to
1941	* set iph2->sa_src and iph2->sa_dst to provide the addresses
1942	* of the SA because iph2->src and iph2->dst are only the ones
1943	* used for the IKE exchanges. Those that need these addresses
1944	* are for instance pk_sendupdate() or pk_sendgetspi() */
1945	if (sa_src) {
1946	iph2->sa_src = dupsaddr(sa_src);
1947	iph2->sa_dst = dupsaddr(sa_dst);
1948	}
1949
1950	if (isakmp_get_sainfo(iph2, sp_out, sp_in) < 0) {
1951	delph2(iph2);
1952	return -1;
1953	}
1954
1955	#ifdef HAVE_SECCTX
1956	if (m_sec_ctx) {
1957	set_secctx_in_proposal(iph2, spidx);
1958	}
1959	#endif /* HAVE_SECCTX */
1960
1961	insph2(iph2);
1962
1963	/* start isakmp initiation by using ident exchange */
1964	/* XXX should be looped if there are multiple phase 2 handler. */
1965	if (isakmp_post_acquire(iph2, NULL, TRUE) < 0) {
1966	plog(LLV_ERROR, LOCATION, NULL,
1967	"failed to begin ipsec sa negotication.\n");
1968	remph2(iph2);
1969	delph2(iph2);
1970	return -1;
1971	}
1972
1973	return 0;
1974	}
1975
1976	static int
1977	pk_recvdelete(mhp)
1978	caddr_t *mhp;
1979	{
1980	struct sadb_msg *msg;
1981	struct sadb_sa *sa;
1982	struct sockaddr src, dst;
1983	struct ph2handle *iph2 = NULL;
1984	u_int proto_id;
1985
1986	/* ignore this message because of local test mode. */
1987	if (f_local)
1988	return 0;
1989
1990	/* sanity check */
1991	if (mhp[0] == NULL
1992	\|\| mhp[SADB_EXT_SA] == NULL
1993	\|\| mhp[SADB_EXT_ADDRESS_SRC] == NULL
1994	\|\| mhp[SADB_EXT_ADDRESS_DST] == NULL) {
1995	plog(LLV_ERROR, LOCATION, NULL,
1996	"inappropriate sadb delete message passed.\n");
1997	return -1;
1998	}
1999	msg = (struct sadb_msg *)mhp[0];
2000	sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
2001	pk_fixup_sa_addresses(mhp);
2002	src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
2003	dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
2004
2005	/* the message has to be processed or not ? */
2006	if (msg->sadb_msg_pid == getpid()) {
2007	plog(LLV_DEBUG, LOCATION, NULL,
2008	"%s message is not interesting "
2009	"because the message was originated by me.\n",
2010	s_pfkey_type(msg->sadb_msg_type));
2011	return -1;
2012	}
2013
2014	proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
2015	if (proto_id == ~0) {
2016	plog(LLV_ERROR, LOCATION, NULL,
2017	"invalid proto_id %d\n", msg->sadb_msg_satype);
2018	return -1;
2019	}
2020
2021	iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
2022	if (iph2 == NULL) {
2023	/* ignore */
2024	plog(LLV_ERROR, LOCATION, NULL,
2025	"no iph2 found: %s\n",
2026	sadbsecas2str(src, dst, msg->sadb_msg_satype,
2027	sa->sadb_sa_spi, IPSEC_MODE_ANY));
2028	return 0;
2029	}
2030
2031	plog(LLV_ERROR, LOCATION, NULL,
2032	"pfkey DELETE received: %s\n",
2033	sadbsecas2str(src, dst,
2034	msg->sadb_msg_satype, sa->sadb_sa_spi, IPSEC_MODE_ANY));
2035
2036	/* send delete information */
2037	if (iph2->status == PHASE2ST_ESTABLISHED)
2038	isakmp_info_send_d2(iph2);
2039
2040	remph2(iph2);
2041	delph2(iph2);
2042
2043	return 0;
2044	}
2045
2046	static int
2047	pk_recvflush(mhp)
2048	caddr_t *mhp;
2049	{
2050	/* ignore this message because of local test mode. */
2051	if (f_local)
2052	return 0;
2053
2054	/* sanity check */
2055	if (mhp[0] == NULL) {
2056	plog(LLV_ERROR, LOCATION, NULL,
2057	"inappropriate sadb flush message passed.\n");
2058	return -1;
2059	}
2060
2061	flushph2();
2062
2063	return 0;
2064	}
2065
2066	static int
2067	getsadbpolicy(policy0, policylen0, type, iph2)
2068	caddr_t *policy0;
2069	int *policylen0, type;
2070	struct ph2handle *iph2;
2071	{
2072	struct policyindex spidx = (struct policyindex )iph2->spidx_gen;
2073	struct sockaddr src = NULL, dst = NULL;
2074	struct sadb_x_policy *xpl;
2075	struct sadb_x_ipsecrequest *xisr;
2076	struct saproto *pr;
2077	struct saproto **pr_rlist;
2078	int rlist_len = 0;
2079	caddr_t policy, p;
2080	int policylen;
2081	int xisrlen;
2082	u_int satype, mode;
2083	int len = 0;
2084	#ifdef HAVE_SECCTX
2085	int ctxlen = 0;
2086	#endif /* HAVE_SECCTX */
2087
2088
2089	/* get policy buffer size */
2090	policylen = sizeof(struct sadb_x_policy);
2091	if (type != SADB_X_SPDDELETE) {
2092	if (iph2->sa_src && iph2->sa_dst) {
2093	src = iph2->sa_src; /* MIPv6: Use SA addresses, */
2094	dst = iph2->sa_dst; /* not IKE ones */
2095	} else {
2096	src = iph2->src; /* Common case: SA addresses */
2097	dst = iph2->dst; /* and IKE ones are the same */
2098	}
2099
2100	for (pr = iph2->approval->head; pr; pr = pr->next) {
2101	xisrlen = sizeof(*xisr);
2102	if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
2103	xisrlen += (sysdep_sa_len(src) +
2104	sysdep_sa_len(dst));
2105	}
2106
2107	policylen += PFKEY_ALIGN8(xisrlen);
2108	}
2109	}
2110
2111	#ifdef HAVE_SECCTX
2112	if (*spidx->sec_ctx.ctx_str) {
2113	ctxlen = sizeof(struct sadb_x_sec_ctx)
2114	+ PFKEY_ALIGN8(spidx->sec_ctx.ctx_strlen);
2115	policylen += ctxlen;
2116	}
2117	#endif /* HAVE_SECCTX */
2118
2119	/* make policy structure */
2120	policy = racoon_malloc(policylen);
2121	memset((void*)policy, 0xcd, policylen);
2122	if (!policy) {
2123	plog(LLV_ERROR, LOCATION, NULL,
2124	"buffer allocation failed.\n");
2125	return -1;
2126	}
2127
2128	xpl = (struct sadb_x_policy *)policy;
2129	xpl->sadb_x_policy_len = PFKEY_UNIT64(policylen);
2130	xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2131	xpl->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
2132	xpl->sadb_x_policy_dir = spidx->dir;
2133	xpl->sadb_x_policy_id = 0;
2134	#ifdef HAVE_PFKEY_POLICY_PRIORITY
2135	xpl->sadb_x_policy_priority = PRIORITY_DEFAULT;
2136	#endif
2137	len++;
2138
2139	#ifdef HAVE_SECCTX
2140	if (*spidx->sec_ctx.ctx_str) {
2141	struct sadb_x_sec_ctx *p;
2142
2143	p = (struct sadb_x_sec_ctx *)(xpl + len);
2144	memset(p, 0, ctxlen);
2145	p->sadb_x_sec_len = PFKEY_UNIT64(ctxlen);
2146	p->sadb_x_sec_exttype = SADB_X_EXT_SEC_CTX;
2147	p->sadb_x_ctx_len = spidx->sec_ctx.ctx_strlen;
2148	p->sadb_x_ctx_doi = spidx->sec_ctx.ctx_doi;
2149	p->sadb_x_ctx_alg = spidx->sec_ctx.ctx_alg;
2150
2151	memcpy(p + 1,spidx->sec_ctx.ctx_str,spidx->sec_ctx.ctx_strlen);
2152	len += ctxlen;
2153	}
2154	#endif /* HAVE_SECCTX */
2155
2156	/* no need to append policy information any more if type is SPDDELETE */
2157	if (type == SADB_X_SPDDELETE)
2158	goto end;
2159
2160	xisr = (struct sadb_x_ipsecrequest *)(xpl + len);
2161
2162	/* The order of things is reversed for use in add policy messages */
2163	for (pr = iph2->approval->head; pr; pr = pr->next) rlist_len++;
2164	pr_rlist = racoon_malloc((rlist_len+1)sizeof(struct saproto));
2165	if (!pr_rlist) {
2166	plog(LLV_ERROR, LOCATION, NULL,
2167	"buffer allocation failed.\n");
2168	return -1;
2169	}
2170	pr_rlist[rlist_len--] = NULL;
2171	for (pr = iph2->approval->head; pr; pr = pr->next) pr_rlist[rlist_len--] = pr;
2172	rlist_len = 0;
2173
2174	for (pr = pr_rlist[rlist_len++]; pr; pr = pr_rlist[rlist_len++]) {
2175
2176	satype = doi2ipproto(pr->proto_id);
2177	if (satype == ~0) {
2178	plog(LLV_ERROR, LOCATION, NULL,
2179	"invalid proto_id %d\n", pr->proto_id);
2180	goto err;
2181	}
2182	mode = ipsecdoi2pfkey_mode(pr->encmode);
2183	if (mode == ~0) {
2184	plog(LLV_ERROR, LOCATION, NULL,
2185	"invalid encmode %d\n", pr->encmode);
2186	goto err;
2187	}
2188
2189	/*
2190	* the policy level cannot be unique because the policy
2191	* is defined later than SA, so req_id cannot be bound to SA.
2192	*/
2193	xisr->sadb_x_ipsecrequest_proto = satype;
2194	xisr->sadb_x_ipsecrequest_mode = mode;
2195	if(iph2->proposal->head->reqid_in > 0){
2196	xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
2197	xisr->sadb_x_ipsecrequest_reqid = iph2->proposal->head->reqid_in;
2198	}else{
2199	xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE;
2200	xisr->sadb_x_ipsecrequest_reqid = 0;
2201	}
2202	p = (caddr_t)(xisr + 1);
2203
2204	xisrlen = sizeof(*xisr);
2205
2206	if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
2207	int src_len, dst_len;
2208
2209	src_len = sysdep_sa_len(src);
2210	dst_len = sysdep_sa_len(dst);
2211	xisrlen += src_len + dst_len;
2212
2213	memcpy(p, src, src_len);
2214	p += src_len;
2215
2216	memcpy(p, dst, dst_len);
2217	p += dst_len;
2218	}
2219
2220	xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen);
2221	xisr = (struct sadb_x_ipsecrequest *)p;
2222
2223	}
2224	racoon_free(pr_rlist);
2225
2226	end:
2227	*policy0 = policy;
2228	*policylen0 = policylen;
2229
2230	return 0;
2231
2232	err:
2233	if (policy)
2234	racoon_free(policy);
2235	if (pr_rlist) racoon_free(pr_rlist);
2236
2237	return -1;
2238	}
2239
2240	int
2241	pk_sendspdupdate2(iph2)
2242	struct ph2handle *iph2;
2243	{
2244	struct policyindex spidx = (struct policyindex )iph2->spidx_gen;
2245	caddr_t policy = NULL;
2246	int policylen = 0;
2247	u_int64_t ltime, vtime;
2248
2249	ltime = iph2->approval->lifetime;
2250	vtime = 0;
2251
2252	if (getsadbpolicy(&policy, &policylen, SADB_X_SPDUPDATE, iph2)) {
2253	plog(LLV_ERROR, LOCATION, NULL,
2254	"getting sadb policy failed.\n");
2255	return -1;
2256	}
2257
2258	if (pfkey_send_spdupdate2(
2259	lcconf->sock_pfkey,
2260	(struct sockaddr *)&spidx->src,
2261	spidx->prefs,
2262	(struct sockaddr *)&spidx->dst,
2263	spidx->prefd,
2264	spidx->ul_proto,
2265	ltime, vtime,
2266	policy, policylen, 0) < 0) {
2267	plog(LLV_ERROR, LOCATION, NULL,
2268	"libipsec failed send spdupdate2 (%s)\n",
2269	ipsec_strerror());
2270	goto end;
2271	}
2272	plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spdupdate2\n");
2273
2274	end:
2275	if (policy)
2276	racoon_free(policy);
2277
2278	return 0;
2279	}
2280
2281	static int
2282	pk_recvspdupdate(mhp)
2283	caddr_t *mhp;
2284	{
2285	struct sadb_address saddr, daddr;
2286	struct sadb_x_policy *xpl;
2287	struct sadb_lifetime *lt;
2288	struct policyindex spidx;
2289	struct secpolicy *sp;
2290	struct sockaddr local=NULL, remote=NULL;
2291	u_int64_t created;
2292	int ret;
2293
2294	/* sanity check */
2295	if (mhp[0] == NULL
2296	\|\| mhp[SADB_EXT_ADDRESS_SRC] == NULL
2297	\|\| mhp[SADB_EXT_ADDRESS_DST] == NULL
2298	\|\| mhp[SADB_X_EXT_POLICY] == NULL) {
2299	plog(LLV_ERROR, LOCATION, NULL,
2300	"inappropriate sadb spdupdate message passed.\n");
2301	return -1;
2302	}
2303	saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
2304	daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2305	xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2306	lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
2307	if(lt != NULL)
2308	created = lt->sadb_lifetime_addtime;
2309	else
2310	created = 0;
2311
2312	#ifdef HAVE_PFKEY_POLICY_PRIORITY
2313	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2314	saddr + 1,
2315	daddr + 1,
2316	saddr->sadb_address_prefixlen,
2317	daddr->sadb_address_prefixlen,
2318	saddr->sadb_address_proto,
2319	xpl->sadb_x_policy_priority,
2320	created,
2321	&spidx);
2322	#else
2323	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2324	saddr + 1,
2325	daddr + 1,
2326	saddr->sadb_address_prefixlen,
2327	daddr->sadb_address_prefixlen,
2328	saddr->sadb_address_proto,
2329	created,
2330	&spidx);
2331	#endif
2332
2333	#ifdef HAVE_SECCTX
2334	if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
2335	struct sadb_x_sec_ctx *ctx;
2336
2337	ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
2338	spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
2339	spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
2340	spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
2341	memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
2342	}
2343	#endif /* HAVE_SECCTX */
2344
2345	sp = getsp(&spidx);
2346	if (sp == NULL) {
2347	plog(LLV_DEBUG, LOCATION, NULL,
2348	"this policy did not exist for removal: \"%s\"\n",
2349	spidx2str(&spidx));
2350	} else {
2351	/* preserve hints before deleting the SP */
2352	local = sp->local;
2353	remote = sp->remote;
2354	sp->local = NULL;
2355	sp->remote = NULL;
2356
2357	remsp(sp);
2358	delsp(sp);
2359	}
2360
2361	/* Add new SP (with old hints) */
2362	ret = addnewsp(mhp, local, remote);
2363
2364	if (local != NULL)
2365	racoon_free(local);
2366	if (remote != NULL)
2367	racoon_free(remote);
2368
2369	if (ret < 0)
2370	return -1;
2371
2372	return 0;
2373	}
2374
2375	/*
2376	* this function has to be used by responder side.
2377	*/
2378	int
2379	pk_sendspdadd2(iph2)
2380	struct ph2handle *iph2;
2381	{
2382	struct policyindex spidx = (struct policyindex )iph2->spidx_gen;
2383	caddr_t policy = NULL;
2384	int policylen = 0;
2385	u_int64_t ltime, vtime;
2386
2387	ltime = iph2->approval->lifetime;
2388	vtime = 0;
2389
2390	if (getsadbpolicy(&policy, &policylen, SADB_X_SPDADD, iph2)) {
2391	plog(LLV_ERROR, LOCATION, NULL,
2392	"getting sadb policy failed.\n");
2393	return -1;
2394	}
2395
2396	if (pfkey_send_spdadd2(
2397	lcconf->sock_pfkey,
2398	(struct sockaddr *)&spidx->src,
2399	spidx->prefs,
2400	(struct sockaddr *)&spidx->dst,
2401	spidx->prefd,
2402	spidx->ul_proto,
2403	ltime, vtime,
2404	policy, policylen, 0) < 0) {
2405	plog(LLV_ERROR, LOCATION, NULL,
2406	"libipsec failed send spdadd2 (%s)\n",
2407	ipsec_strerror());
2408	goto end;
2409	}
2410	plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spdadd2\n");
2411
2412	end:
2413	if (policy)
2414	racoon_free(policy);
2415
2416	return 0;
2417	}
2418
2419	static int
2420	pk_recvspdadd(mhp)
2421	caddr_t *mhp;
2422	{
2423	struct sadb_address saddr, daddr;
2424	struct sadb_x_policy *xpl;
2425	struct sadb_lifetime *lt;
2426	struct policyindex spidx;
2427	struct secpolicy *sp;
2428	struct sockaddr local = NULL, remote = NULL;
2429	u_int64_t created;
2430	int ret;
2431
2432	/* sanity check */
2433	if (mhp[0] == NULL
2434	\|\| mhp[SADB_EXT_ADDRESS_SRC] == NULL
2435	\|\| mhp[SADB_EXT_ADDRESS_DST] == NULL
2436	\|\| mhp[SADB_X_EXT_POLICY] == NULL) {
2437	plog(LLV_ERROR, LOCATION, NULL,
2438	"inappropriate sadb spdadd message passed.\n");
2439	return -1;
2440	}
2441	saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
2442	daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2443	xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2444	lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
2445	if(lt != NULL)
2446	created = lt->sadb_lifetime_addtime;
2447	else
2448	created = 0;
2449
2450	#ifdef HAVE_PFKEY_POLICY_PRIORITY
2451	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2452	saddr + 1,
2453	daddr + 1,
2454	saddr->sadb_address_prefixlen,
2455	daddr->sadb_address_prefixlen,
2456	saddr->sadb_address_proto,
2457	xpl->sadb_x_policy_priority,
2458	created,
2459	&spidx);
2460	#else
2461	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2462	saddr + 1,
2463	daddr + 1,
2464	saddr->sadb_address_prefixlen,
2465	daddr->sadb_address_prefixlen,
2466	saddr->sadb_address_proto,
2467	created,
2468	&spidx);
2469	#endif
2470
2471	#ifdef HAVE_SECCTX
2472	if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
2473	struct sadb_x_sec_ctx *ctx;
2474
2475	ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
2476	spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
2477	spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
2478	spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
2479	memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
2480	}
2481	#endif /* HAVE_SECCTX */
2482
2483	sp = getsp(&spidx);
2484	if (sp != NULL) {
2485	plog(LLV_ERROR, LOCATION, NULL,
2486	"such policy already exists. "
2487	"anyway replace it: %s\n",
2488	spidx2str(&spidx));
2489
2490	/* preserve hints before deleting the SP */
2491	local = sp->local;
2492	remote = sp->remote;
2493	sp->local = NULL;
2494	sp->remote = NULL;
2495
2496	remsp(sp);
2497	delsp(sp);
2498	}
2499
2500	/* Add new SP (with old hints) */
2501	ret = addnewsp(mhp, local, remote);
2502
2503	if (local != NULL)
2504	racoon_free(local);
2505	if (remote != NULL)
2506	racoon_free(remote);
2507
2508	if (ret < 0)
2509	return -1;
2510
2511	return 0;
2512	}
2513
2514	/*
2515	* this function has to be used by responder side.
2516	*/
2517	int
2518	pk_sendspddelete(iph2)
2519	struct ph2handle *iph2;
2520	{
2521	struct policyindex spidx = (struct policyindex )iph2->spidx_gen;
2522	caddr_t policy = NULL;
2523	int policylen;
2524
2525	if (getsadbpolicy(&policy, &policylen, SADB_X_SPDDELETE, iph2)) {
2526	plog(LLV_ERROR, LOCATION, NULL,
2527	"getting sadb policy failed.\n");
2528	return -1;
2529	}
2530
2531	if (pfkey_send_spddelete(
2532	lcconf->sock_pfkey,
2533	(struct sockaddr *)&spidx->src,
2534	spidx->prefs,
2535	(struct sockaddr *)&spidx->dst,
2536	spidx->prefd,
2537	spidx->ul_proto,
2538	policy, policylen, 0) < 0) {
2539	plog(LLV_ERROR, LOCATION, NULL,
2540	"libipsec failed send spddelete (%s)\n",
2541	ipsec_strerror());
2542	goto end;
2543	}
2544	plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spddelete\n");
2545
2546	end:
2547	if (policy)
2548	racoon_free(policy);
2549
2550	return 0;
2551	}
2552
2553	static int
2554	pk_recvspddelete(mhp)
2555	caddr_t *mhp;
2556	{
2557	struct sadb_address saddr, daddr;
2558	struct sadb_x_policy *xpl;
2559	struct sadb_lifetime *lt;
2560	struct policyindex spidx;
2561	struct secpolicy *sp;
2562	u_int64_t created;
2563
2564	/* sanity check */
2565	if (mhp[0] == NULL
2566	\|\| mhp[SADB_EXT_ADDRESS_SRC] == NULL
2567	\|\| mhp[SADB_EXT_ADDRESS_DST] == NULL
2568	\|\| mhp[SADB_X_EXT_POLICY] == NULL) {
2569	plog(LLV_ERROR, LOCATION, NULL,
2570	"inappropriate sadb spddelete message passed.\n");
2571	return -1;
2572	}
2573	saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
2574	daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2575	xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2576	lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
2577	if(lt != NULL)
2578	created = lt->sadb_lifetime_addtime;
2579	else
2580	created = 0;
2581
2582	#ifdef HAVE_PFKEY_POLICY_PRIORITY
2583	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2584	saddr + 1,
2585	daddr + 1,
2586	saddr->sadb_address_prefixlen,
2587	daddr->sadb_address_prefixlen,
2588	saddr->sadb_address_proto,
2589	xpl->sadb_x_policy_priority,
2590	created,
2591	&spidx);
2592	#else
2593	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2594	saddr + 1,
2595	daddr + 1,
2596	saddr->sadb_address_prefixlen,
2597	daddr->sadb_address_prefixlen,
2598	saddr->sadb_address_proto,
2599	created,
2600	&spidx);
2601	#endif
2602
2603	#ifdef HAVE_SECCTX
2604	if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
2605	struct sadb_x_sec_ctx *ctx;
2606
2607	ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
2608	spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
2609	spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
2610	spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
2611	memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
2612	}
2613	#endif /* HAVE_SECCTX */
2614
2615	sp = getsp(&spidx);
2616	if (sp == NULL) {
2617	plog(LLV_ERROR, LOCATION, NULL,
2618	"no policy found: %s\n",
2619	spidx2str(&spidx));
2620	return -1;
2621	}
2622
2623	remsp(sp);
2624	delsp(sp);
2625
2626	return 0;
2627	}
2628
2629	static int
2630	pk_recvspdexpire(mhp)
2631	caddr_t *mhp;
2632	{
2633	struct sadb_address saddr, daddr;
2634	struct sadb_x_policy *xpl;
2635	struct sadb_lifetime *lt;
2636	struct policyindex spidx;
2637	struct secpolicy *sp;
2638	u_int64_t created;
2639
2640	/* sanity check */
2641	if (mhp[0] == NULL
2642	\|\| mhp[SADB_EXT_ADDRESS_SRC] == NULL
2643	\|\| mhp[SADB_EXT_ADDRESS_DST] == NULL
2644	\|\| mhp[SADB_X_EXT_POLICY] == NULL) {
2645	plog(LLV_ERROR, LOCATION, NULL,
2646	"inappropriate sadb spdexpire message passed.\n");
2647	return -1;
2648	}
2649	saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
2650	daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2651	xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2652	lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
2653	if(lt != NULL)
2654	created = lt->sadb_lifetime_addtime;
2655	else
2656	created = 0;
2657
2658	#ifdef HAVE_PFKEY_POLICY_PRIORITY
2659	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2660	saddr + 1,
2661	daddr + 1,
2662	saddr->sadb_address_prefixlen,
2663	daddr->sadb_address_prefixlen,
2664	saddr->sadb_address_proto,
2665	xpl->sadb_x_policy_priority,
2666	created,
2667	&spidx);
2668	#else
2669	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2670	saddr + 1,
2671	daddr + 1,
2672	saddr->sadb_address_prefixlen,
2673	daddr->sadb_address_prefixlen,
2674	saddr->sadb_address_proto,
2675	created,
2676	&spidx);
2677	#endif
2678
2679	#ifdef HAVE_SECCTX
2680	if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
2681	struct sadb_x_sec_ctx *ctx;
2682
2683	ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
2684	spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
2685	spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
2686	spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
2687	memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
2688	}
2689	#endif /* HAVE_SECCTX */
2690
2691	sp = getsp(&spidx);
2692	if (sp == NULL) {
2693	plog(LLV_ERROR, LOCATION, NULL,
2694	"no policy found: %s\n",
2695	spidx2str(&spidx));
2696	return -1;
2697	}
2698
2699	remsp(sp);
2700	delsp(sp);
2701
2702	return 0;
2703	}
2704
2705	static int
2706	pk_recvspdget(mhp)
2707	caddr_t *mhp;
2708	{
2709	/* sanity check */
2710	if (mhp[0] == NULL) {
2711	plog(LLV_ERROR, LOCATION, NULL,
2712	"inappropriate sadb spdget message passed.\n");
2713	return -1;
2714	}
2715
2716	return 0;
2717	}
2718
2719	static int
2720	pk_recvspddump(mhp)
2721	caddr_t *mhp;
2722	{
2723	struct sadb_msg *msg;
2724	struct sadb_address saddr, daddr;
2725	struct sadb_x_policy *xpl;
2726	struct sadb_lifetime *lt;
2727	struct policyindex spidx;
2728	struct secpolicy *sp;
2729	struct sockaddr local=NULL, remote=NULL;
2730	u_int64_t created;
2731	int ret;
2732
2733	/* sanity check */
2734	if (mhp[0] == NULL) {
2735	plog(LLV_ERROR, LOCATION, NULL,
2736	"inappropriate sadb spddump message passed.\n");
2737	return -1;
2738	}
2739	msg = (struct sadb_msg *)mhp[0];
2740	saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
2741	daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2742	xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2743	lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
2744	if(lt != NULL)
2745	created = lt->sadb_lifetime_addtime;
2746	else
2747	created = 0;
2748
2749	if (saddr == NULL \|\| daddr == NULL \|\| xpl == NULL) {
2750	plog(LLV_ERROR, LOCATION, NULL,
2751	"inappropriate sadb spddump message passed.\n");
2752	return -1;
2753	}
2754
2755	#ifdef HAVE_PFKEY_POLICY_PRIORITY
2756	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2757	saddr + 1,
2758	daddr + 1,
2759	saddr->sadb_address_prefixlen,
2760	daddr->sadb_address_prefixlen,
2761	saddr->sadb_address_proto,
2762	xpl->sadb_x_policy_priority,
2763	created,
2764	&spidx);
2765	#else
2766	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2767	saddr + 1,
2768	daddr + 1,
2769	saddr->sadb_address_prefixlen,
2770	daddr->sadb_address_prefixlen,
2771	saddr->sadb_address_proto,
2772	created,
2773	&spidx);
2774	#endif
2775
2776	#ifdef HAVE_SECCTX
2777	if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
2778	struct sadb_x_sec_ctx *ctx;
2779
2780	ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
2781	spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
2782	spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
2783	spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
2784	memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
2785	}
2786	#endif /* HAVE_SECCTX */
2787
2788	sp = getsp(&spidx);
2789	if (sp != NULL) {
2790	plog(LLV_ERROR, LOCATION, NULL,
2791	"such policy already exists. "
2792	"anyway replace it: %s\n",
2793	spidx2str(&spidx));
2794
2795	/* preserve hints before deleting the SP */
2796	local = sp->local;
2797	remote = sp->remote;
2798	sp->local = NULL;
2799	sp->remote = NULL;
2800
2801	remsp(sp);
2802	delsp(sp);
2803	}
2804
2805	/* Add new SP (with old hints) */
2806	ret = addnewsp(mhp, local, remote);
2807
2808	if (local != NULL)
2809	racoon_free(local);
2810	if (remote != NULL)
2811	racoon_free(remote);
2812
2813	if (ret < 0)
2814	return -1;
2815
2816	return 0;
2817	}
2818
2819	static int
2820	pk_recvspdflush(mhp)
2821	caddr_t *mhp;
2822	{
2823	/* sanity check */
2824	if (mhp[0] == NULL) {
2825	plog(LLV_ERROR, LOCATION, NULL,
2826	"inappropriate sadb spdflush message passed.\n");
2827	return -1;
2828	}
2829
2830	flushsp();
2831
2832	return 0;
2833	}
2834
2835	#if defined(SADB_X_MIGRATE) && defined(SADB_X_EXT_KMADDRESS)
2836
2837	/* MIGRATE support (pk_recvmigrate() is the handler of MIGRATE message).
2838	*
2839	* pk_recvmigrate()
2840	* 1) some preprocessing and checks
2841	* 2) parsing of sadb_x_kmaddress extension
2842	* 3) SP lookup using selectors and content of policy extension from MIGRATE
2843	* 4) resolution of current local and remote IKE addresses
2844	* 5) Use of addresses to get Phase 1 handler if any
2845	* 6) Update of IKE addresses in Phase 1 (iph1->local and iph1->remote)
2846	* 7) Update of IKE addresses in Phase 2 (iph2->src and iph2->dst)
2847	* 8) Update of IKE addresses in SP (sp->local and sp->remote)
2848	* 9) Loop on sadb_x_ipsecrequests pairs from MIGRATE
2849	* - update of associated ipsecrequests entries in sp->req (should be
2850	* only one as racoon does not support bundles), i.e. update of
2851	* tunnel endpoints when required.
2852	* - If tunnel mode endpoints have been updated, lookup of associated
2853	* Phase 2 handle to also update sa_src and sa_dst entries
2854	*
2855	* XXX Note that we do not support yet the update of SA addresses for transport
2856	* mode, but only the update of SA addresses for tunnel mode (endpoints).
2857	* Reasons are:
2858	* - there is no initial need for MIPv6
2859	* - racoon does not support bundles
2860	* - this would imply more work to deal with sainfo update (if feasible).
2861	*/
2862
2863	/* Generic argument structure for migration callbacks */
2864	struct migrate_args {
2865	struct sockaddr *local;
2866	struct sockaddr *remote;
2867	};
2868
2869	/*
2870	* Update local and remote addresses of given Phase 1. Schedule removal
2871	* if negotiation was going on and restart a one from updated address.
2872	*
2873	* -1 is returned on error. 0 if everything went right.
2874	*/
2875	static int
2876	migrate_ph1_ike_addresses(iph1, arg)
2877	struct ph1handle *iph1;
2878	void *arg;
2879	{
2880	struct migrate_args ma = (struct migrate_args ) arg;
2881	struct remoteconf *rmconf;
2882	u_int16_t port;
2883
2884	/* Already up-to-date? */
2885	if (cmpsaddr(iph1->local, ma->local) == CMPSADDR_MATCH &&
2886	cmpsaddr(iph1->remote, ma->remote) == CMPSADDR_MATCH)
2887	return 0;
2888
2889	if (iph1->status < PHASE1ST_ESTABLISHED) {
2890	/* Bad luck! We received a MIGRATE while negotiating
2891	* Phase 1 (i.e. it was not established yet). If we act as
2892	* initiator we need to restart the negotiation. As
2893	* responder, our best bet is to update our addresses
2894	* and wait for the initiator to do something */
2895	plog(LLV_WARNING, LOCATION, NULL, "MIGRATE received during "
2896	"Phase 1 negotiation (%s).\n",
2897	saddr2str_fromto("%s => %s", ma->local, ma->remote));
2898
2899	/* If we are not acting as initiator, let's just leave and
2900	* let the remote peer handle the restart */
2901	rmconf = getrmconf(ma->remote, 0);
2902	if (rmconf == NULL \|\| !rmconf->passive) {
2903	iph1->status = PHASE1ST_EXPIRED;
2904	isakmp_ph1delete(iph1);
2905
2906	/* This is unlikely, but let's just check if a Phase 1
2907	* for the new addresses already exist */
2908	if (getph1byaddr(ma->local, ma->remote, 0)) {
2909	plog(LLV_WARNING, LOCATION, NULL, "No need "
2910	"to start a new Phase 1 negotiation. One "
2911	"already exists.\n");
2912	return 0;
2913	}
2914
2915	plog(LLV_WARNING, LOCATION, NULL, "As initiator, "
2916	"restarting it.\n");
2917	/* Note that the insertion of the new Phase 1 will not
2918	* interfere with the fact we are called from enumph1,
2919	* because it is inserted as first element. --arno */
2920	isakmp_ph1begin_i(rmconf, ma->local, ma->remote);
2921
2922	return 0;
2923	}
2924	}
2925
2926	if (iph1->local != NULL) {
2927	plog(LLV_DEBUG, LOCATION, NULL, "Migrating Phase 1 local "
2928	"address from %s\n",
2929	saddr2str_fromto("%s to %s", iph1->local, ma->local));
2930	port = extract_port(iph1->local);
2931	racoon_free(iph1->local);
2932	} else
2933	port = 0;
2934
2935	iph1->local = dupsaddr(ma->local);
2936	if (iph1->local == NULL) {
2937	plog(LLV_ERROR, LOCATION, NULL, "unable to allocate "
2938	"Phase 1 local address.\n");
2939	return -1;
2940	}
2941	set_port(iph1->local, port);
2942
2943	if (iph1->remote != NULL) {
2944	plog(LLV_DEBUG, LOCATION, NULL, "Migrating Phase 1 remote "
2945	"address from %s\n",
2946	saddr2str_fromto("%s to %s", iph1->remote, ma->remote));
2947	port = extract_port(iph1->remote);
2948	racoon_free(iph1->remote);
2949	} else
2950	port = 0;
2951
2952	iph1->remote = dupsaddr(ma->remote);
2953	if (iph1->remote == NULL) {
2954	plog(LLV_ERROR, LOCATION, NULL, "unable to allocate "
2955	"Phase 1 remote address.\n");
2956	return -1;
2957	}
2958	set_port(iph1->remote, port);
2959
2960	return 0;
2961	}
2962
2963	/* Update src and dst of all current Phase 2 handles.
2964	* with provided local and remote addresses.
2965	* Our intent is NOT to modify IPsec SA endpoints but IKE
2966	* addresses so we need to take care to separate those if
2967	* they are different. -1 is returned on error. 0 if everything
2968	* went right.
2969	*
2970	* Note: we do not maintain port information as it is not
2971	* expected to be meaningful --arno
2972	*/
2973	static int
2974	migrate_ph2_ike_addresses(iph2, arg)
2975	struct ph2handle *iph2;
2976	void *arg;
2977	{
2978	struct migrate_args ma = (struct migrate_args ) arg;
2979	struct ph1handle *iph1;
2980
2981	/* If Phase 2 has an associated Phase 1, migrate addresses */
2982	if (iph2->ph1)
2983	migrate_ph1_ike_addresses(iph2->ph1, arg);
2984
2985	/* Already up-to-date? */
2986	if (cmpsaddr(iph2->src, ma->local) == CMPSADDR_MATCH &&
2987	cmpsaddr(iph2->dst, ma->remote) == CMPSADDR_MATCH)
2988	return 0;
2989
2990	/* save src/dst as sa_src/sa_dst before rewriting */
2991	if (iph2->sa_src == NULL && iph2->sa_dst == NULL) {
2992	iph2->sa_src = iph2->src;
2993	iph2->sa_dst = iph2->dst;
2994	iph2->src = NULL;
2995	iph2->dst = NULL;
2996	}
2997
2998	if (iph2->src != NULL)
2999	racoon_free(iph2->src);
3000	iph2->src = dupsaddr(ma->local);
3001	if (iph2->src == NULL) {
3002	plog(LLV_ERROR, LOCATION, NULL,
3003	"unable to allocate Phase 2 src address.\n");
3004	return -1;
3005	}
3006
3007	if (iph2->dst != NULL)
3008	racoon_free(iph2->dst);
3009	iph2->dst = dupsaddr(ma->remote);
3010	if (iph2->dst == NULL) {
3011	plog(LLV_ERROR, LOCATION, NULL,
3012	"unable to allocate Phase 2 dst address.\n");
3013	return -1;
3014	}
3015
3016	return 0;
3017	}
3018
3019	/* Consider existing Phase 2 handles with given spid and update their source
3020	* and destination addresses for SA. As racoon does not support bundles, if
3021	* we modify multiple occurrences, this probably imply rekeying has happened.
3022	*
3023	* Both addresses passed to the function are expected not to be NULL and of
3024	* same family. -1 is returned on error. 0 if everything went right.
3025	*
3026	* Specific care is needed to support Phase 2 for which negotiation has
3027	* already started but are which not yet established.
3028	*/
3029	static int
3030	migrate_ph2_sa_addresses(iph2, args)
3031	struct ph2handle *iph2;
3032	void *args;
3033	{
3034	struct migrate_args ma = (struct migrate_args ) args;
3035
3036	if (iph2->sa_src != NULL) {
3037	racoon_free(iph2->sa_src);
3038	iph2->sa_src = NULL;
3039	}
3040
3041	if (iph2->sa_dst != NULL) {
3042	racoon_free(iph2->sa_dst);
3043	iph2->sa_dst = NULL;
3044	}
3045
3046	iph2->sa_src = dupsaddr(ma->local);
3047	if (iph2->sa_src == NULL) {
3048	plog(LLV_ERROR, LOCATION, NULL,
3049	"unable to allocate Phase 2 sa_src address.\n");
3050	return -1;
3051	}
3052
3053	iph2->sa_dst = dupsaddr(ma->remote);
3054	if (iph2->sa_dst == NULL) {
3055	plog(LLV_ERROR, LOCATION, NULL,
3056	"unable to allocate Phase 2 sa_dst address.\n");
3057	return -1;
3058	}
3059
3060	if (iph2->status < PHASE2ST_ESTABLISHED) {
3061	struct remoteconf *rmconf;
3062	/* We were negotiating for that SA when we received the MIGRATE.
3063	* We cannot simply update the addresses and let the exchange
3064	* go on. We have to restart the whole negotiation if we are
3065	* the initiator. Otherwise (acting as responder), we just need
3066	* to delete our ph2handle and wait for the initiator to start
3067	* a new negotiation. */
3068
3069	if (iph2->ph1 && iph2->ph1->rmconf)
3070	rmconf = iph2->ph1->rmconf;
3071	else
3072	rmconf = getrmconf(iph2->dst, 0);
3073
3074	if (rmconf && !rmconf->passive) {
3075	struct ph1handle *iph1hint;
3076
3077	plog(LLV_WARNING, LOCATION, iph2->dst, "MIGRATE received "
3078	"during IPsec SA negotiation. As initiator, "
3079	"restarting it.\n");
3080
3081	/* Turn off expiration timer ...*/
3082	sched_cancel(&iph2->sce);
3083	iph2->status = PHASE2ST_EXPIRED;
3084
3085	/* ... clean Phase 2 handle ... */
3086	iph1hint = iph2->ph1;
3087	initph2(iph2);
3088	iph2->status = PHASE2ST_STATUS2;
3089
3090	/* and start a new negotiation */
3091	if (isakmp_post_acquire(iph2, iph1hint, FALSE) < 0) {
3092	plog(LLV_ERROR, LOCATION, iph2->dst, "failed "
3093	"to begin IPsec SA renegotiation after "
3094	"MIGRATE reception.\n");
3095	remph2(iph2);
3096	delph2(iph2);
3097	return -1;
3098	}
3099	} else {
3100	plog(LLV_WARNING, LOCATION, iph2->dst, "MIGRATE received "
3101	"during IPsec SA negotiation. As responder, let's"
3102	"wait for the initiator to act.\n");
3103
3104	/* Simply schedule deletion */
3105	isakmp_ph2expire(iph2);
3106	}
3107	}
3108
3109	return 0;
3110	}
3111
3112	/* Update SP hints (local and remote addresses) for future IKE
3113	* negotiations of SA associated with that SP. -1 is returned
3114	* on error. 0 if everything went right.
3115	*
3116	* Note: we do not maintain port information as it is not
3117	* expected to be meaningful --arno
3118	*/
3119	static int
3120	migrate_sp_ike_addresses(sp, local, remote)
3121	struct secpolicy *sp;
3122	struct sockaddr local, remote;
3123	{
3124	if (sp == NULL \|\| local == NULL \|\| remote == NULL)
3125	return -1;
3126
3127	if (sp->local != NULL)
3128	racoon_free(sp->local);
3129
3130	sp->local = dupsaddr(local);
3131	if (sp->local == NULL) {
3132	plog(LLV_ERROR, LOCATION, NULL, "unable to allocate "
3133	"local hint for SP.\n");
3134	return -1;
3135	}
3136
3137	if (sp->remote != NULL)
3138	racoon_free(sp->remote);
3139
3140	sp->remote = dupsaddr(remote);
3141	if (sp->remote == NULL) {
3142	plog(LLV_ERROR, LOCATION, NULL, "unable to allocate "
3143	"remote hint for SP.\n");
3144	return -1;
3145	}
3146
3147	return 0;
3148	}
3149
3150	/* Given current ipsecrequest (isr_cur) to be migrated in considered
3151	tree, the function first checks that it matches the expected one
3152	(xisr_old) provided in MIGRATE message and then updates the addresses
3153	if it is tunnel mode (with content of xisr_new). Various other checks
3154	are performed. For transport mode, structures are not modified, only
3155	the checks are done. -1 is returned on error. */
3156	static int
3157	migrate_ph2_one_isr(spid, isr_cur, xisr_old, xisr_new)
3158	u_int32_t spid;
3159	struct ipsecrequest *isr_cur;
3160	struct sadb_x_ipsecrequest xisr_old, xisr_new;
3161	{
3162	struct secasindex *saidx = &isr_cur->saidx;
3163	struct sockaddr osaddr, odaddr, nsaddr, ndaddr;
3164	struct ph2selector ph2sel;
3165	struct migrate_args ma;
3166
3167	/* First, check that mode and proto do match */
3168	if (xisr_old->sadb_x_ipsecrequest_proto != saidx->proto \|\|
3169	xisr_old->sadb_x_ipsecrequest_mode != saidx->mode \|\|
3170	xisr_new->sadb_x_ipsecrequest_proto != saidx->proto \|\|
3171	xisr_new->sadb_x_ipsecrequest_mode != saidx->mode)
3172	return -1;
3173
3174	/* Then, verify reqid if necessary */
3175	if (isr_cur->saidx.reqid &&
3176	(xisr_old->sadb_x_ipsecrequest_reqid != IPSEC_LEVEL_UNIQUE \|\|
3177	xisr_new->sadb_x_ipsecrequest_reqid != IPSEC_LEVEL_UNIQUE \|\|
3178	isr_cur->saidx.reqid != xisr_old->sadb_x_ipsecrequest_reqid \|\|
3179	isr_cur->saidx.reqid != xisr_new->sadb_x_ipsecrequest_reqid))
3180	return -1;
3181
3182	/* If not tunnel mode, our work is over */
3183	if (saidx->mode != IPSEC_MODE_TUNNEL) {
3184	plog(LLV_DEBUG, LOCATION, NULL, "SADB_X_MIGRATE: "
3185	"non tunnel mode isr, skipping SA address migration.\n");
3186	return 0;
3187	}
3188
3189	/* Tunnel mode: let's check addresses do match and then update them. */
3190	osaddr = (struct sockaddr *)(xisr_old + 1);
3191	odaddr = (struct sockaddr )(((u_int8_t )osaddr) + sysdep_sa_len(osaddr));
3192	nsaddr = (struct sockaddr *)(xisr_new + 1);
3193	ndaddr = (struct sockaddr )(((u_int8_t )nsaddr) + sysdep_sa_len(nsaddr));
3194
3195	/* Check family does match */
3196	if (osaddr->sa_family != odaddr->sa_family \|\|
3197	nsaddr->sa_family != ndaddr->sa_family)
3198	return -1;
3199
3200	/* Check family does match */
3201	if (saidx->src.ss_family != osaddr->sa_family)
3202	return -1;
3203
3204	/* We log IPv4 to IPv6 and IPv6 to IPv4 switches */
3205	if (nsaddr->sa_family != osaddr->sa_family)
3206	plog(LLV_INFO, LOCATION, NULL, "SADB_X_MIGRATE: "
3207	"changing address families (%d to %d) for endpoints.\n",
3208	osaddr->sa_family, nsaddr->sa_family);
3209
3210	if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) != CMPSADDR_MATCH \|\|
3211	cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst) != CMPSADDR_MATCH) {
3212	plog(LLV_DEBUG, LOCATION, NULL, "SADB_X_MIGRATE: "
3213	"mismatch of addresses in saidx and xisr.\n");
3214	return -1;
3215	}
3216
3217	/* Excellent. Let's grab associated Phase 2 handle (if any)
3218	* and update its sa_src and sa_dst entries. Note that we
3219	* make the assumption that racoon does not support bundles
3220	* and make the lookup using spid: we blindly update
3221	* sa_src and sa_dst for _all_ found Phase 2 handles */
3222	memset(&ph2sel, 0, sizeof(ph2sel));
3223	ph2sel.spid = spid;
3224
3225	memset(&ma, 0, sizeof(ma));
3226	ma.local = nsaddr;
3227	ma.remote = ndaddr;
3228
3229	if (enumph2(&ph2sel, migrate_ph2_sa_addresses, &ma) < 0)
3230	return -1;
3231
3232	/* Now we can do the update of endpoints in secasindex */
3233	memcpy(&saidx->src, nsaddr, sysdep_sa_len(nsaddr));
3234	memcpy(&saidx->dst, ndaddr, sysdep_sa_len(ndaddr));
3235
3236	return 0;
3237	}
3238
3239	/* Process the raw (unparsed yet) list of sadb_x_ipsecrequests of MIGRATE
3240	* message. For each sadb_x_ipsecrequest pair (old followed by new),
3241	* the corresponding ipsecrequest entry in the SP is updated. Associated
3242	* existing Phase 2 handle is also updated (if any) */
3243	static int
3244	migrate_sp_isr_list(sp, xisr_list, xisr_list_len)
3245	struct secpolicy *sp;
3246	struct sadb_x_ipsecrequest *xisr_list;
3247	int xisr_list_len;
3248	{
3249	struct sadb_x_ipsecrequest xisr_new, xisr_old = xisr_list;
3250	int xisr_old_len, xisr_new_len;
3251	struct ipsecrequest *isr_cur;
3252
3253	isr_cur = sp->req; /* ipsecrequest list from from sp */
3254
3255	while (xisr_list_len > 0 && isr_cur != NULL) {
3256	/* Get old xisr (length field is in bytes) */
3257	xisr_old_len = xisr_old->sadb_x_ipsecrequest_len;
3258	if (xisr_old_len < sizeof(*xisr_old) \|\|
3259	xisr_old_len + sizeof(*xisr_new) > xisr_list_len) {
3260	plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
3261	"invalid ipsecrequest length. Exiting.\n");
3262	return -1;
3263	}
3264
3265	/* Get new xisr with updated info */
3266	xisr_new = (struct sadb_x_ipsecrequest )(((u_int8_t )xisr_old) + xisr_old_len);
3267	xisr_new_len = xisr_new->sadb_x_ipsecrequest_len;
3268	if (xisr_new_len < sizeof(*xisr_new) \|\|
3269	xisr_new_len + xisr_old_len > xisr_list_len) {
3270	plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
3271	"invalid ipsecrequest length. Exiting.\n");
3272	return -1;
3273	}
3274
3275	/* Start by migrating current ipsecrequest from SP */
3276	if (migrate_ph2_one_isr(sp->id, isr_cur, xisr_old, xisr_new) == -1) {
3277	plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
3278	"Unable to match and migrate isr. Exiting.\n");
3279	return -1;
3280	}
3281
3282	/* Update pointers for next round */
3283	xisr_list_len -= xisr_old_len + xisr_new_len;
3284	xisr_old = (struct sadb_x_ipsecrequest )(((u_int8_t )xisr_new) +
3285	xisr_new_len);
3286
3287	isr_cur = isr_cur->next; /* Get next ipsecrequest from SP */
3288	}
3289
3290	/* Check we had the same amount of pairs in the MIGRATE
3291	as the number of ipsecrequests in the SP */
3292	if ((xisr_list_len != 0) \|\| isr_cur != NULL) {
3293	plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
3294	"number of ipsecrequest does not match the one in SP.\n");
3295	return -1;
3296	}
3297
3298	return 0;
3299	}
3300
3301	/* Parse sadb_x_kmaddress extension and make local and remote
3302	* parameters point to the new addresses (zero copy). -1 is
3303	* returned on error, meaning that addresses are not usable */
3304	static int
3305	parse_kmaddress(kmaddr, local, remote)
3306	struct sadb_x_kmaddress *kmaddr;
3307	struct sockaddr local, remote;
3308	{
3309	int addrslen, local_len=0;
3310	struct ph1handle *iph1;
3311
3312	if (kmaddr == NULL)
3313	return -1;
3314
3315	/* Grab addresses in sadb_x_kmaddress extension */
3316	addrslen = PFKEY_EXTLEN(kmaddr) - sizeof(*kmaddr);
3317	if (addrslen < sizeof(struct sockaddr))
3318	return -1;
3319
3320	local = (struct sockaddr )(kmaddr + 1);
3321
3322	switch ((*local)->sa_family) {
3323	case AF_INET:
3324	local_len = sizeof(struct sockaddr_in);
3325	break;
3326	#ifdef INET6
3327	case AF_INET6:
3328	local_len = sizeof(struct sockaddr_in6);
3329	break;
3330	#endif
3331	default:
3332	return -1;
3333	}
3334
3335	if (addrslen != PFKEY_ALIGN8(2*local_len))
3336	return -1;
3337
3338	remote = (struct sockaddr )(((u_int8_t )(local)) + local_len);
3339
3340	if ((local)->sa_family != (remote)->sa_family)
3341	return -1;
3342
3343	return 0;
3344	}
3345
3346	/* Handler of PF_KEY MIGRATE message. Helpers are above */
3347	static int
3348	pk_recvmigrate(mhp)
3349	caddr_t *mhp;
3350	{
3351	struct sadb_address saddr, daddr;
3352	struct sockaddr old_saddr, new_saddr;
3353	struct sockaddr old_daddr, new_daddr;
3354	struct sockaddr old_local, old_remote;
3355	struct sockaddr local, remote;
3356	struct sadb_x_kmaddress *kmaddr;
3357	struct sadb_x_policy *xpl;
3358	struct sadb_x_ipsecrequest *xisr_list;
3359	struct sadb_lifetime *lt;
3360	struct policyindex spidx;
3361	struct secpolicy *sp;
3362	struct ipsecrequest *isr_cur;
3363	struct secasindex *oldsaidx;
3364	struct ph2handle *iph2;
3365	struct ph1handle *iph1;
3366	struct ph2selector ph2sel;
3367	struct ph1selector ph1sel;
3368	u_int32_t spid;
3369	u_int64_t created;
3370	int xisr_list_len;
3371	int ulproto;
3372	struct migrate_args ma;
3373
3374	/* Some sanity checks */
3375
3376	if (mhp[0] == NULL
3377	\|\| mhp[SADB_EXT_ADDRESS_SRC] == NULL
3378	\|\| mhp[SADB_EXT_ADDRESS_DST] == NULL
3379	\|\| mhp[SADB_X_EXT_KMADDRESS] == NULL
3380	\|\| mhp[SADB_X_EXT_POLICY] == NULL) {
3381	plog(LLV_ERROR, LOCATION, NULL,
3382	"SADB_X_MIGRATE: invalid MIGRATE message received.\n");
3383	return -1;
3384	}
3385	kmaddr = (struct sadb_x_kmaddress *)mhp[SADB_X_EXT_KMADDRESS];
3386	saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
3387	daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
3388	xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
3389	lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
3390	if (lt != NULL)
3391	created = lt->sadb_lifetime_addtime;
3392	else
3393	created = 0;
3394
3395	if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
3396	plog(LLV_WARNING, LOCATION, NULL,"SADB_X_MIGRATE: "
3397	"found non IPsec policy in MIGRATE message. Exiting.\n");
3398	return -1;
3399	}
3400
3401	if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) {
3402	plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
3403	"invalid size for sadb_x_policy. Exiting.\n");
3404	return -1;
3405	}
3406
3407	/* Some logging to help debbugging */
3408	if (xpl->sadb_x_policy_dir == IPSEC_DIR_OUTBOUND)
3409	plog(LLV_DEBUG, LOCATION, NULL,
3410	"SADB_X_MIGRATE: Outbound SA being migrated.\n");
3411	else
3412	plog(LLV_DEBUG, LOCATION, NULL,
3413	"SADB_X_MIGRATE: Inbound SA being migrated.\n");
3414
3415	/* validity check */
3416	xisr_list = (struct sadb_x_ipsecrequest *)(xpl + 1);
3417	xisr_list_len = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
3418	if (xisr_list_len < sizeof(*xisr_list)) {
3419	plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
3420	"invalid sadb_x_policy message length. Exiting.\n");
3421	return -1;
3422	}
3423
3424	if (parse_kmaddress(kmaddr, &local, &remote) == -1) {
3425	plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
3426	"invalid sadb_x_kmaddress extension. Exiting.\n");
3427	return -1;
3428	}
3429
3430	/* 0 means ANY */
3431	if (saddr->sadb_address_proto == 0)
3432	ulproto = IPSEC_ULPROTO_ANY;
3433	else
3434	ulproto = saddr->sadb_address_proto;
3435
3436	#ifdef HAVE_PFKEY_POLICY_PRIORITY
3437	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
3438	saddr + 1,
3439	daddr + 1,
3440	saddr->sadb_address_prefixlen,
3441	daddr->sadb_address_prefixlen,
3442	ulproto,
3443	xpl->sadb_x_policy_priority,
3444	created,
3445	&spidx);
3446	#else
3447	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
3448	saddr + 1,
3449	daddr + 1,
3450	saddr->sadb_address_prefixlen,
3451	daddr->sadb_address_prefixlen,
3452	ulproto,
3453	created,
3454	&spidx);
3455	#endif
3456
3457	/* Everything seems ok, let's get the SP.
3458	*
3459	* XXX We could also do the lookup using the spid from xpl.
3460	* I don't know which one is better. --arno */
3461	sp = getsp(&spidx);
3462	if (sp == NULL) {
3463	plog(LLV_ERROR, LOCATION, NULL,
3464	"SADB_X_MIGRATE: Passed policy does not exist: %s\n",
3465	spidx2str(&spidx));
3466	return -1;
3467	}
3468
3469	/* Get the best source and destination addresses used for IKE
3470	* negotiation, to find and migrate existing Phase 1 */
3471	if (sp->local && sp->remote) {
3472	/* hints available, let's use them */
3473	old_local = (struct sockaddr *)sp->local;
3474	old_remote = (struct sockaddr *)sp->remote;
3475	} else if (sp->req && sp->req->saidx.mode == IPSEC_MODE_TUNNEL) {
3476	/* Tunnel mode and no hint, use endpoints */
3477	old_local = (struct sockaddr *)&sp->req->saidx.src;
3478	old_remote = (struct sockaddr *)&sp->req->saidx.dst;
3479	} else {
3480	/* default, use selectors as fallback */
3481	old_local = (struct sockaddr *)&sp->spidx.src;
3482	old_remote = (struct sockaddr *)&sp->spidx.dst;
3483	}
3484
3485	/* We migrate all Phase 1 that match our old local and remote
3486	* addresses (no matter their state).
3487	*
3488	* XXX In fact, we should probably havea special treatment for
3489	* Phase 1 that are being established when we receive a MIGRATE.
3490	* This can happen if a movement occurs during the initial IKE
3491	* negotiation. In that case, I wonder if should restart the
3492	* negotiation from the new address or just update things like
3493	* we do it now.
3494	*
3495	* XXX while looking at getph1byaddr(), the comment at the
3496	* beginning of the function expects comparison to happen
3497	* without ports considerations but it uses CMPSADDR() which
3498	* relies either on cmpsaddrstrict() or cmpsaddrwop() based
3499	* on NAT-T support being activated. That make me wonder if I
3500	* should force ports to 0 (ANY) in local and remote values
3501	* used below.
3502	*
3503	* -- arno */
3504
3505	/* Apply callback data ...*/
3506	memset(&ma, 0, sizeof(ma));
3507	ma.local = local;
3508	ma.remote = remote;
3509
3510	/* Fill phase1 match criteria ... */
3511	memset(&ph1sel, 0, sizeof(ph1sel));
3512	ph1sel.local = old_local;
3513	ph1sel.remote = old_remote;
3514
3515
3516	/* Have matching Phase 1 found and addresses updated. As this is a
3517	* time consuming task on a busy responder, and MIGRATE messages
3518	* are always sent for both inbound and outbound (and possibly
3519	* forward), we only do that for outbound SP. */
3520	if (xpl->sadb_x_policy_dir == IPSEC_DIR_OUTBOUND &&
3521	enumph1(&ph1sel, migrate_ph1_ike_addresses, &ma) < 0) {
3522	plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: Unable "
3523	"to migrate Phase 1 addresses.\n");
3524	return -1;
3525	}
3526
3527	/* We can now update IKE addresses in Phase 2 handle. */
3528	memset(&ph2sel, 0, sizeof(ph2sel));
3529	ph2sel.spid = sp->id;
3530	if (enumph2(&ph2sel, migrate_ph2_ike_addresses, &ma) < 0) {
3531	plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: Unable "
3532	"to migrate Phase 2 IKE addresses.\n");
3533	return -1;
3534	}
3535
3536	/* and _then_ in SP. */
3537	if (migrate_sp_ike_addresses(sp, local, remote) < 0) {
3538	plog(LLV_ERROR, LOCATION, NULL,
3539	"SADB_X_MIGRATE: Unable to migrate SP IKE addresses.\n");
3540	return -1;
3541	}
3542
3543	/* Loop on sadb_x_ipsecrequest list to possibly update sp->req
3544	* entries and associated live Phase 2 handles (their sa_src
3545	* and sa_dst) */
3546	if (migrate_sp_isr_list(sp, xisr_list, xisr_list_len) < 0) {
3547	plog(LLV_ERROR, LOCATION, NULL,
3548	"SADB_X_MIGRATE: Unable to migrate isr list.\n");
3549	return -1;
3550	}
3551
3552	return 0;
3553	}
3554	#endif
3555
3556	/*
3557	* send error against acquire message to kernel.
3558	*/
3559	int
3560	pk_sendeacquire(iph2)
3561	struct ph2handle *iph2;
3562	{
3563	struct sadb_msg *newmsg;
3564	int len;
3565
3566	len = sizeof(struct sadb_msg);
3567	newmsg = racoon_calloc(1, len);
3568	if (newmsg == NULL) {
3569	plog(LLV_ERROR, LOCATION, NULL,
3570	"failed to get buffer to send acquire.\n");
3571	return -1;
3572	}
3573
3574	memset(newmsg, 0, len);
3575	newmsg->sadb_msg_version = PF_KEY_V2;
3576	newmsg->sadb_msg_type = SADB_ACQUIRE;
3577	newmsg->sadb_msg_errno = ENOENT; /* XXX */
3578	newmsg->sadb_msg_satype = iph2->satype;
3579	newmsg->sadb_msg_len = PFKEY_UNIT64(len);
3580	newmsg->sadb_msg_reserved = 0;
3581	newmsg->sadb_msg_seq = iph2->seq;
3582	newmsg->sadb_msg_pid = (u_int32_t)getpid();
3583
3584	/* send message */
3585	len = pfkey_send(lcconf->sock_pfkey, newmsg, len);
3586
3587	racoon_free(newmsg);
3588
3589	return 0;
3590	}
3591
3592	/*
3593	* check if the algorithm is supported or not.
3594	* OUT 0: ok
3595	* -1: ng
3596	*/
3597	int
3598	pk_checkalg(class, calg, keylen)
3599	int class, calg, keylen;
3600	{
3601	int sup, error;
3602	u_int alg;
3603	struct sadb_alg alg0;
3604
3605	switch (algclass2doi(class)) {
3606	case IPSECDOI_PROTO_IPSEC_ESP:
3607	sup = SADB_EXT_SUPPORTED_ENCRYPT;
3608	break;
3609	case IPSECDOI_ATTR_AUTH:
3610	sup = SADB_EXT_SUPPORTED_AUTH;
3611	break;
3612	case IPSECDOI_PROTO_IPCOMP:
3613	plog(LLV_DEBUG, LOCATION, NULL,
3614	"no check of compression algorithm; "
3615	"not supported in sadb message.\n");
3616	return 0;
3617	default:
3618	plog(LLV_ERROR, LOCATION, NULL,
3619	"invalid algorithm class.\n");
3620	return -1;
3621	}
3622	alg = ipsecdoi2pfkey_alg(algclass2doi(class), algtype2doi(class, calg));
3623	if (alg == ~0)
3624	return -1;
3625
3626	if (keylen == 0) {
3627	if (ipsec_get_keylen(sup, alg, &alg0)) {
3628	plog(LLV_ERROR, LOCATION, NULL,
3629	"%s.\n", ipsec_strerror());
3630	return -1;
3631	}
3632	keylen = alg0.sadb_alg_minbits;
3633	}
3634
3635	error = ipsec_check_keylen(sup, alg, keylen);
3636	if (error)
3637	plog(LLV_ERROR, LOCATION, NULL,
3638	"%s.\n", ipsec_strerror());
3639
3640	return error;
3641	}
3642
3643	/*
3644	* differences with pfkey_recv() in libipsec/pfkey.c:
3645	* - never performs busy wait loop.
3646	* - returns NULL and set *lenp to negative on fatal failures
3647	* - returns NULL and set *lenp to non-negative on non-fatal failures
3648	* - returns non-NULL on success
3649	*/
3650	static struct sadb_msg *
3651	pk_recv(so, lenp)
3652	int so;
3653	int *lenp;
3654	{
3655	struct sadb_msg buf, *newmsg;
3656	int reallen;
3657	int retry = 0;
3658
3659	*lenp = -1;
3660	do
3661	{
3662	plog(LLV_DEBUG, LOCATION, NULL, "pk_recv: retry[%d] recv() \n", retry );
3663	*lenp = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK \| MSG_DONTWAIT);
3664	retry++;
3665	}
3666	while (*lenp < 0 && errno == EAGAIN && retry < 3);
3667
3668	if (*lenp < 0)
3669	return NULL; /fatal/
3670
3671	else if (*lenp < sizeof(buf))
3672	return NULL;
3673
3674	reallen = PFKEY_UNUNIT64(buf.sadb_msg_len);
3675	if (reallen < sizeof(buf)) {
3676	*lenp = -1;
3677	errno = EIO;
3678	return NULL; /fatal/
3679	}
3680	if ((newmsg = racoon_calloc(1, reallen)) == NULL)
3681	return NULL;
3682
3683	*lenp = recv(so, (caddr_t)newmsg, reallen, MSG_PEEK);
3684	if (*lenp < 0) {
3685	racoon_free(newmsg);
3686	return NULL; /fatal/
3687	} else if (*lenp != reallen) {
3688	racoon_free(newmsg);
3689	return NULL;
3690	}
3691
3692	*lenp = recv(so, (caddr_t)newmsg, reallen, 0);
3693	if (*lenp < 0) {
3694	racoon_free(newmsg);
3695	return NULL; /fatal/
3696	} else if (*lenp != reallen) {
3697	racoon_free(newmsg);
3698	return NULL;
3699	}
3700
3701	return newmsg;
3702	}
3703
3704	/* see handler.h */
3705	u_int32_t
3706	pk_getseq()
3707	{
3708	return eay_random();
3709	}
3710
3711	static int
3712	addnewsp(mhp, local, remote)
3713	caddr_t *mhp;
3714	struct sockaddr local, remote;
3715	{
3716	struct secpolicy *new = NULL;
3717	struct sadb_address saddr, daddr;
3718	struct sadb_x_policy *xpl;
3719	struct sadb_lifetime *lt;
3720	u_int64_t created;
3721
3722	/* sanity check */
3723	if (mhp[SADB_EXT_ADDRESS_SRC] == NULL
3724	\|\| mhp[SADB_EXT_ADDRESS_DST] == NULL
3725	\|\| mhp[SADB_X_EXT_POLICY] == NULL) {
3726	plog(LLV_ERROR, LOCATION, NULL,
3727	"inappropriate sadb spd management message passed.\n");
3728	goto bad;
3729	}
3730
3731	saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
3732	daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
3733	xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
3734	lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
3735	if(lt != NULL)
3736	created = lt->sadb_lifetime_addtime;
3737	else
3738	created = 0;
3739	lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
3740	if(lt != NULL)
3741	created = lt->sadb_lifetime_addtime;
3742	else
3743	created = 0;
3744
3745	#ifdef __linux__
3746	/* bsd skips over per-socket policies because there will be no
3747	* src and dst extensions in spddump messages. On Linux the only
3748	* way to achieve the same is check for policy id.
3749	*/
3750	if (xpl->sadb_x_policy_id % 8 >= 3) return 0;
3751	#endif
3752
3753	new = newsp();
3754	if (new == NULL) {
3755	plog(LLV_ERROR, LOCATION, NULL,
3756	"failed to allocate buffer\n");
3757	goto bad;
3758	}
3759
3760	new->spidx.dir = xpl->sadb_x_policy_dir;
3761	new->id = xpl->sadb_x_policy_id;
3762	new->policy = xpl->sadb_x_policy_type;
3763	new->req = NULL;
3764
3765	/* check policy */
3766	switch (xpl->sadb_x_policy_type) {
3767	case IPSEC_POLICY_DISCARD:
3768	case IPSEC_POLICY_NONE:
3769	case IPSEC_POLICY_ENTRUST:
3770	case IPSEC_POLICY_BYPASS:
3771	break;
3772
3773	case IPSEC_POLICY_IPSEC:
3774	{
3775	int tlen;
3776	struct sadb_x_ipsecrequest *xisr;
3777	struct ipsecrequest **p_isr = &new->req;
3778
3779	/* validity check */
3780	if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) {
3781	plog(LLV_ERROR, LOCATION, NULL,
3782	"invalid msg length.\n");
3783	goto bad;
3784	}
3785
3786	tlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
3787	xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
3788
3789	while (tlen > 0) {
3790
3791	/* length check */
3792	if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) {
3793	plog(LLV_ERROR, LOCATION, NULL,
3794	"invalid msg length.\n");
3795	goto bad;
3796	}
3797
3798	/* allocate request buffer */
3799	*p_isr = newipsecreq();
3800	if (*p_isr == NULL) {
3801	plog(LLV_ERROR, LOCATION, NULL,
3802	"failed to get new ipsecreq.\n");
3803	goto bad;
3804	}
3805
3806	/* set values */
3807	(*p_isr)->next = NULL;
3808
3809	switch (xisr->sadb_x_ipsecrequest_proto) {
3810	case IPPROTO_ESP:
3811	case IPPROTO_AH:
3812	case IPPROTO_IPCOMP:
3813	break;
3814	default:
3815	plog(LLV_ERROR, LOCATION, NULL,
3816	"invalid proto type: %u\n",
3817	xisr->sadb_x_ipsecrequest_proto);
3818	goto bad;
3819	}
3820	(*p_isr)->saidx.proto = xisr->sadb_x_ipsecrequest_proto;
3821
3822	switch (xisr->sadb_x_ipsecrequest_mode) {
3823	case IPSEC_MODE_TRANSPORT:
3824	case IPSEC_MODE_TUNNEL:
3825	break;
3826	case IPSEC_MODE_ANY:
3827	default:
3828	plog(LLV_ERROR, LOCATION, NULL,
3829	"invalid mode: %u\n",
3830	xisr->sadb_x_ipsecrequest_mode);
3831	goto bad;
3832	}
3833	(*p_isr)->saidx.mode = xisr->sadb_x_ipsecrequest_mode;
3834
3835	switch (xisr->sadb_x_ipsecrequest_level) {
3836	case IPSEC_LEVEL_DEFAULT:
3837	case IPSEC_LEVEL_USE:
3838	case IPSEC_LEVEL_REQUIRE:
3839	break;
3840	case IPSEC_LEVEL_UNIQUE:
3841	(*p_isr)->saidx.reqid =
3842	xisr->sadb_x_ipsecrequest_reqid;
3843	break;
3844
3845	default:
3846	plog(LLV_ERROR, LOCATION, NULL,
3847	"invalid level: %u\n",
3848	xisr->sadb_x_ipsecrequest_level);
3849	goto bad;
3850	}
3851	(*p_isr)->level = xisr->sadb_x_ipsecrequest_level;
3852
3853	/* set IP addresses if there */
3854	if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
3855	struct sockaddr *paddr;
3856
3857	paddr = (struct sockaddr *)(xisr + 1);
3858	bcopy(paddr, &(*p_isr)->saidx.src,
3859	sysdep_sa_len(paddr));
3860
3861	paddr = (struct sockaddr *)((caddr_t)paddr
3862	+ sysdep_sa_len(paddr));
3863	bcopy(paddr, &(*p_isr)->saidx.dst,
3864	sysdep_sa_len(paddr));
3865	}
3866
3867	(*p_isr)->sp = new;
3868
3869	/* initialization for the next. */
3870	p_isr = &(*p_isr)->next;
3871	tlen -= xisr->sadb_x_ipsecrequest_len;
3872
3873	/* validity check */
3874	if (tlen < 0) {
3875	plog(LLV_ERROR, LOCATION, NULL,
3876	"becoming tlen < 0\n");
3877	}
3878
3879	xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
3880	+ xisr->sadb_x_ipsecrequest_len);
3881	}
3882	}
3883	break;
3884	default:
3885	plog(LLV_ERROR, LOCATION, NULL,
3886	"invalid policy type.\n");
3887	goto bad;
3888	}
3889
3890	#ifdef HAVE_PFKEY_POLICY_PRIORITY
3891	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
3892	saddr + 1,
3893	daddr + 1,
3894	saddr->sadb_address_prefixlen,
3895	daddr->sadb_address_prefixlen,
3896	saddr->sadb_address_proto,
3897	xpl->sadb_x_policy_priority,
3898	created,
3899	&new->spidx);
3900	#else
3901	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
3902	saddr + 1,
3903	daddr + 1,
3904	saddr->sadb_address_prefixlen,
3905	daddr->sadb_address_prefixlen,
3906	saddr->sadb_address_proto,
3907	created,
3908	&new->spidx);
3909	#endif
3910
3911	#ifdef HAVE_SECCTX
3912	if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
3913	struct sadb_x_sec_ctx *ctx;
3914
3915	ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
3916	new->spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
3917	new->spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
3918	new->spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
3919	memcpy(new->spidx.sec_ctx.ctx_str,ctx + 1,ctx->sadb_x_ctx_len);
3920	}
3921	#endif /* HAVE_SECCTX */
3922
3923	/* Set local and remote hints for that SP, if available */
3924	if (local && remote) {
3925	new->local = dupsaddr(local);
3926	new->remote = dupsaddr(remote);
3927	}
3928
3929	inssp(new);
3930
3931	return 0;
3932	bad:
3933	if (new != NULL) {
3934	if (new->req != NULL)
3935	racoon_free(new->req);
3936	racoon_free(new);
3937	}
3938	return -1;
3939	}
3940
3941	/* proto/mode/src->dst spi */
3942	const char *
3943	sadbsecas2str(src, dst, proto, spi, mode)
3944	struct sockaddr src, dst;
3945	int proto;
3946	u_int32_t spi;
3947	int mode;
3948	{
3949	static char buf[256];
3950	u_int doi_proto, doi_mode = 0;
3951	char *p;
3952	int blen, i;
3953
3954	doi_proto = pfkey2ipsecdoi_proto(proto);
3955	if (doi_proto == ~0)
3956	return NULL;
3957	if (mode) {
3958	doi_mode = pfkey2ipsecdoi_mode(mode);
3959	if (doi_mode == ~0)
3960	return NULL;
3961	}
3962
3963	blen = sizeof(buf) - 1;
3964	p = buf;
3965
3966	i = snprintf(p, blen, "%s%s%s ",
3967	s_ipsecdoi_proto(doi_proto),
3968	mode ? "/" : "",
3969	mode ? s_ipsecdoi_encmode(doi_mode) : "");
3970	if (i < 0 \|\| i >= blen)
3971	return NULL;
3972	p += i;
3973	blen -= i;
3974
3975	i = snprintf(p, blen, "%s->", saddr2str(src));
3976	if (i < 0 \|\| i >= blen)
3977	return NULL;
3978	p += i;
3979	blen -= i;
3980
3981	i = snprintf(p, blen, "%s ", saddr2str(dst));
3982	if (i < 0 \|\| i >= blen)
3983	return NULL;
3984	p += i;
3985	blen -= i;
3986
3987	if (spi) {
3988	snprintf(p, blen, "spi=%lu(0x%lx)", (unsigned long)ntohl(spi),
3989	(unsigned long)ntohl(spi));
3990	}
3991
3992	return buf;
3993	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: rtems-libbsd/ipsec-tools/src/racoon/pfkey.c @ ff36f5e

Download in other formats: