1 #include <darwintest.h>
2 #include <darwintest_utils.h>
3 #include <dispatch/dispatch.h>
4 #include <net/pfkeyv2.h>
5 #include <netinet6/ipsec.h>
6 #include <arpa/inet.h>
7
8 T_GLOBAL_META(
9 T_META_NAMESPACE("xnu.pfkey"),
10 T_META_ASROOT(true),
11 T_META_CHECK_LEAKS(false));
12
13 #define MAX_SPD_CHECK 100
14 #define TEST_SRC_ADDRESS_IPv4 "192.168.2.2"
15 #define TEST_DST_ADDRESS_IPv4 "192.168.2.3"
16 #define TEST_SRC_ADDRESS_IPv6 "fd04:5c6b:8df7:7092:0000:0000:0000:0002"
17 #define TEST_DST_ADDRESS_IPv6 "fd04:5c6b:8df7:7092:0000:0000:0000:0003"
18 #define TEST_MIGRATE_SRC_ADDRESS_IPv4 "192.168.2.10"
19 #define TEST_MIGRATE_DST_ADDRESS_IPv4 "192.168.2.11"
20 #define TEST_MIGRATE_SRC_ADDRESS_IPv6 "fd04:5c6b:8df7:7092:0000:0000:0002:0000"
21 #define TEST_MIGRATE_DST_ADDRESS_IPv6 "fd04:5c6b:8df7:7092:0000:0000:0003:0000"
22
23 typedef enum {
24 TEST_INVALID = 0,
25 TEST_SADB_X_GET_OVERFLOW_60822136 = 1,
26 TEST_SADB_X_SPDENABLE_OVERFLOW_60822924 = 2,
27 TEST_SADB_X_SPDDISABLE_OVERFLOW_60822956 = 3,
28 TEST_SADB_UPDATE_USE_AFTER_FREE_60679513 = 4,
29 TEST_SADB_DUMP_HEAP_OVERFLOW_60768729 = 5,
30 TEST_SADB_POLICY_DUMP_HEAP_OVERFLOW_60769680 = 6,
31 TEST_SADB_GETSASTAT_OOB_READ_60822823 = 7,
32 TEST_SADB_GETSASTAT_OOB_READ_SUCCESS = 8,
33 TEST_SADB_EXT_MIGRATE_ADDRESS_IPv4 = 9,
34 TEST_SADB_EXT_MIGRATE_ADDRESS_IPv6 = 10,
35 TEST_SADB_EXT_MIGRATE_BAD_ADDRESS = 11,
36 } test_identifier;
37
38 static test_identifier test_id = TEST_INVALID;
39 static dispatch_source_t pfkey_source = NULL;
40
41 static void pfkey_cleanup(void);
42
43 static void pfkey_process_message_test_60822136(uint8_t **mhp, int pfkey_socket);
44 static void pfkey_process_message_test_60822924(uint8_t **mhp, int pfkey_socket);
45 static void pfkey_process_message_test_60822956(uint8_t **mhp, int pfkey_socket);
46 static void pfkey_process_message_test_60679513(uint8_t **mhp, int pfkey_socket);
47 static void pfkey_process_message_test_60768729(uint8_t **mhp, int pfkey_socket);
48 static void pfkey_process_message_test_60769680(uint8_t **mhp, int pfkey_socket);
49 static void pfkey_process_message_test_60822823(uint8_t **mhp, int pfkey_socket);
50 static void pfkey_process_message_test_60822823_1(uint8_t **mhp, int pfkey_socket);
51 static void pfkey_process_message_test_60687183(uint8_t **mhp, int pfkey_socket);
52 static void pfkey_process_message_test_60687183_1(uint8_t **mhp, int pfkey_socket);
53 static void pfkey_process_message_test_60687183_2(uint8_t **mhp, int pfkey_socket);
54
55 static void(*const process_pfkey_message_tests[])(uint8_t * *mhp, int pfkey_socket) =
56 {
57 NULL,
58 pfkey_process_message_test_60822136, // TEST_SADB_X_GET_OVERFLOW_60822136
59 pfkey_process_message_test_60822924, // TEST_SADB_X_SPDENABLE_OVERFLOW_60822924
60 pfkey_process_message_test_60822956, // TEST_SADB_X_SPDDISABLE_OVERFLOW_60822956
61 pfkey_process_message_test_60679513, // TEST_SADB_UPDATE_USE_AFTER_FREE_60679513
62 pfkey_process_message_test_60768729, // TEST_SADB_DUMP_HEAP_OVERFLOW_60768729
63 pfkey_process_message_test_60769680, // TEST_SADB_POLICY_DUMP_HEAP_OVERFLOW_60769680
64 pfkey_process_message_test_60822823, // TEST_SADB_GETSASTAT_OOB_READ_60822823
65 pfkey_process_message_test_60822823_1, // TEST_SADB_GETSASTAT_OOB_READ_SUCCESS
66 pfkey_process_message_test_60687183, // TEST_SADB_EXT_MIGRATE_ADDRESS_IPv4
67 pfkey_process_message_test_60687183_1, // TEST_SADB_EXT_MIGRATE_ADDRESS_IPv6
68 pfkey_process_message_test_60687183_2, // TEST_SADB_EXT_MIGRATE_BAD_ADDRESS
69 };
70
71 static void
pfkey_align(struct sadb_msg * msg,uint8_t ** mhp)72 pfkey_align(struct sadb_msg *msg, uint8_t **mhp)
73 {
74 struct sadb_ext *ext;
75 int i;
76 uint8_t *p;
77 uint8_t *ep; /* XXX should be passed from upper layer */
78
79 /* validity check */
80 T_QUIET; T_ASSERT_NOTNULL(msg, "pfkey align msg");
81 T_QUIET; T_ASSERT_NOTNULL(mhp, "pfkey align mhp");
82
83 /* initialize */
84 for (i = 0; i < SADB_EXT_MAX + 1; i++) {
85 mhp[i] = NULL;
86 }
87
88 mhp[0] = (void *)msg;
89
90 /* initialize */
91 p = (void *) msg;
92 ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len);
93
94 /* skip base header */
95 p += sizeof(struct sadb_msg);
96
97 while (p < ep) {
98 ext = (void *)p;
99 T_QUIET; T_ASSERT_GE_PTR((void *)ep, (void *)(p + sizeof(*ext)), "pfkey extension header beyond end of buffer");
100 T_QUIET; T_ASSERT_GE_ULONG((unsigned long)PFKEY_EXTLEN(ext), sizeof(*ext), "pfkey extension shorter than extension header");
101 T_QUIET; T_ASSERT_GE_PTR((void *)ep, (void *)(p + PFKEY_EXTLEN(ext)), "pfkey extension length beyond end of buffer");
102
103 T_QUIET; T_EXPECT_NULL(mhp[ext->sadb_ext_type], "duplicate extension type %u payload", ext->sadb_ext_type);
104
105 /* set pointer */
106 switch (ext->sadb_ext_type) {
107 case SADB_EXT_SA:
108 case SADB_EXT_LIFETIME_CURRENT:
109 case SADB_EXT_LIFETIME_HARD:
110 case SADB_EXT_LIFETIME_SOFT:
111 case SADB_EXT_ADDRESS_SRC:
112 case SADB_EXT_ADDRESS_DST:
113 case SADB_EXT_ADDRESS_PROXY:
114 case SADB_EXT_KEY_AUTH:
115 /* XXX should to be check weak keys. */
116 case SADB_EXT_KEY_ENCRYPT:
117 /* XXX should to be check weak keys. */
118 case SADB_EXT_IDENTITY_SRC:
119 case SADB_EXT_IDENTITY_DST:
120 case SADB_EXT_SENSITIVITY:
121 case SADB_EXT_PROPOSAL:
122 case SADB_EXT_SUPPORTED_AUTH:
123 case SADB_EXT_SUPPORTED_ENCRYPT:
124 case SADB_EXT_SPIRANGE:
125 case SADB_X_EXT_POLICY:
126 case SADB_X_EXT_SA2:
127 case SADB_EXT_SESSION_ID:
128 case SADB_EXT_SASTAT:
129 #ifdef SADB_X_EXT_NAT_T_TYPE
130 case SADB_X_EXT_NAT_T_TYPE:
131 case SADB_X_EXT_NAT_T_SPORT:
132 case SADB_X_EXT_NAT_T_DPORT:
133 case SADB_X_EXT_NAT_T_OA:
134 #endif
135 #ifdef SADB_X_EXT_TAG
136 case SADB_X_EXT_TAG:
137 #endif
138 #ifdef SADB_X_EXT_PACKET
139 case SADB_X_EXT_PACKET:
140 #endif
141 case SADB_X_EXT_IPSECIF:
142 case SADB_X_EXT_ADDR_RANGE_SRC_START:
143 case SADB_X_EXT_ADDR_RANGE_SRC_END:
144 case SADB_X_EXT_ADDR_RANGE_DST_START:
145 case SADB_X_EXT_ADDR_RANGE_DST_END:
146 #ifdef SADB_MIGRATE
147 case SADB_EXT_MIGRATE_ADDRESS_SRC:
148 case SADB_EXT_MIGRATE_ADDRESS_DST:
149 case SADB_X_EXT_MIGRATE_IPSECIF:
150 #endif
151 mhp[ext->sadb_ext_type] = (void *)ext;
152 break;
153 default:
154 T_FAIL("bad extension type %u", ext->sadb_ext_type);
155 T_END;
156 }
157
158 p += PFKEY_EXTLEN(ext);
159 }
160
161 T_QUIET; T_EXPECT_EQ_PTR((void *)ep, (void *)p, "invalid pfkey message length");
162 return;
163 }
164
165
166 static void
recv_pfkey_message(int pfkey_socket)167 recv_pfkey_message(int pfkey_socket)
168 {
169 uint8_t buffer[8192] __attribute__((aligned(4)));
170 struct iovec iovecs[1] = {
171 { buffer, sizeof(buffer) },
172 };
173 struct msghdr msg = {
174 NULL,
175 0,
176 iovecs,
177 sizeof(iovecs) / sizeof(iovecs[0]),
178 NULL,
179 0,
180 0,
181 };
182
183 do {
184 ssize_t result = -1;
185 memset(buffer, 0, sizeof(buffer));
186 T_QUIET; T_ASSERT_POSIX_SUCCESS(result = recvmsg(pfkey_socket, &msg, 0), NULL);
187
188 if (result > 0) {
189 T_QUIET; T_ASSERT_GE_ULONG((size_t)result, sizeof(struct sadb_msg), "Invalid PFKey message size: %zu", result);
190 struct sadb_msg *hdr = (struct sadb_msg *)buffer;
191 uint8_t *mhp[SADB_EXT_MAX + 1];
192 pfkey_align(hdr, mhp);
193 (*process_pfkey_message_tests[test_id])(mhp, pfkey_socket);
194 } else if (result == 0) {
195 T_LOG("PFKey socket received EOF");
196 break;
197 }
198 } while (1);
199 }
200
201 static void
send_pfkey_spd_add_message(int pfkey_socket,uint8_t proto)202 send_pfkey_spd_add_message(int pfkey_socket, uint8_t proto)
203 {
204 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
205 bzero(payload, sizeof(payload));
206 uint16_t tlen = 0;
207
208 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
209 msg_payload->sadb_msg_version = PF_KEY_V2;
210 msg_payload->sadb_msg_type = SADB_X_SPDADD;
211 msg_payload->sadb_msg_errno = 0;
212 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
213 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
214 msg_payload->sadb_msg_reserved = 0;
215 msg_payload->sadb_msg_seq = 0;
216 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
217 tlen += sizeof(*msg_payload);
218
219 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
220 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
221 src_address_payload->sadb_address_proto = proto & 0xff;
222 src_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
223 src_address_payload->sadb_address_reserved = 0;
224 tlen += sizeof(*src_address_payload);
225
226 struct sockaddr_in *src = (struct sockaddr_in *)(void *)(payload + tlen);
227 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_SRC_ADDRESS_IPv4, &src->sin_addr), 1, "src address fail");
228 src->sin_family = AF_INET;
229 src->sin_len = sizeof(*src);
230 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src->sin_len);
231 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
232 tlen += PFKEY_ALIGN8(src->sin_len);
233
234 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
235 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
236 dst_address_payload->sadb_address_proto = proto & 0xff;
237 dst_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
238 dst_address_payload->sadb_address_reserved = 0;
239 tlen += sizeof(*dst_address_payload);
240
241 struct sockaddr_in *dst = (struct sockaddr_in *)(void *)(payload + tlen);
242 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_DST_ADDRESS_IPv4, &dst->sin_addr), 1, "dst address fail");
243 dst->sin_family = AF_INET;
244 dst->sin_len = sizeof(*dst);
245 len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst->sin_len);
246 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
247 tlen += PFKEY_ALIGN8(dst->sin_len);
248
249 struct sadb_lifetime *lifetime_payload = (struct sadb_lifetime *)(void *)(payload + tlen);
250 lifetime_payload->sadb_lifetime_len = PFKEY_UNIT64(sizeof(*lifetime_payload));
251 lifetime_payload->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
252 tlen += sizeof(*lifetime_payload);
253
254 struct sadb_x_policy *policy_payload = (struct sadb_x_policy *)(void *)(payload + tlen);
255 policy_payload->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*policy_payload));
256 policy_payload->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
257 policy_payload->sadb_x_policy_type = IPSEC_POLICY_DISCARD;
258 policy_payload->sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
259 tlen += sizeof(*policy_payload);
260
261 // Update the total length
262 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
263 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd add");
264 }
265
266 static void
send_pfkey_spd_get_message(int pfkey_socket,uint32_t policy_id)267 send_pfkey_spd_get_message(int pfkey_socket, uint32_t policy_id)
268 {
269 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
270 bzero(payload, sizeof(payload));
271 uint16_t tlen = 0;
272
273 struct sadb_msg *msg_payload = (struct sadb_msg *)(void *)payload;
274 msg_payload->sadb_msg_version = PF_KEY_V2;
275 msg_payload->sadb_msg_type = SADB_X_SPDGET;
276 msg_payload->sadb_msg_errno = 0;
277 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
278 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
279 msg_payload->sadb_msg_reserved = 0;
280 msg_payload->sadb_msg_seq = 0;
281 msg_payload->sadb_msg_pid = (uint32_t)getpid();
282 tlen += sizeof(*msg_payload);
283
284 struct sadb_x_policy *policy_payload = (struct sadb_x_policy *)(void *)(payload + tlen);
285 policy_payload->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*policy_payload));
286 policy_payload->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
287 policy_payload->sadb_x_policy_id = policy_id;
288 tlen += sizeof(*policy_payload);
289
290 // Update the total length
291 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
292 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd get failed");
293 }
294
295 static void
send_pfkey_spd_enable_message(int pfkey_socket,uint32_t policy_id)296 send_pfkey_spd_enable_message(int pfkey_socket, uint32_t policy_id)
297 {
298 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
299 bzero(payload, sizeof(payload));
300 uint16_t tlen = 0;
301
302 struct sadb_msg *msg_payload = (struct sadb_msg *)(void *)payload;
303 msg_payload->sadb_msg_version = PF_KEY_V2;
304 msg_payload->sadb_msg_type = SADB_X_SPDENABLE;
305 msg_payload->sadb_msg_errno = 0;
306 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
307 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
308 msg_payload->sadb_msg_reserved = 0;
309 msg_payload->sadb_msg_seq = 0;
310 msg_payload->sadb_msg_pid = (uint32_t)getpid();
311 tlen += sizeof(*msg_payload);
312
313 struct sadb_x_policy *policy_payload = (struct sadb_x_policy *)(void *)(payload + tlen);
314 policy_payload->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*policy_payload));
315 policy_payload->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
316 policy_payload->sadb_x_policy_id = policy_id;
317 tlen += sizeof(*policy_payload);
318
319 // Update the total length
320 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
321 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd enable failed");
322 }
323
324 static void
send_pfkey_spd_disable_message(int pfkey_socket,uint32_t policy_id)325 send_pfkey_spd_disable_message(int pfkey_socket, uint32_t policy_id)
326 {
327 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
328 bzero(payload, sizeof(payload));
329 uint16_t tlen = 0;
330
331 struct sadb_msg *msg_payload = (struct sadb_msg *)(void *)payload;
332 msg_payload->sadb_msg_version = PF_KEY_V2;
333 msg_payload->sadb_msg_type = SADB_X_SPDDISABLE;
334 msg_payload->sadb_msg_errno = 0;
335 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
336 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
337 msg_payload->sadb_msg_reserved = 0;
338 msg_payload->sadb_msg_seq = 0;
339 msg_payload->sadb_msg_pid = (uint32_t)getpid();
340 tlen += sizeof(*msg_payload);
341
342 struct sadb_x_policy *policy_payload = (struct sadb_x_policy *)(void *)(payload + tlen);
343 policy_payload->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*policy_payload));
344 policy_payload->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
345 policy_payload->sadb_x_policy_id = policy_id;
346 tlen += sizeof(*policy_payload);
347
348 // Update the total length
349 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
350 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd disable failed");
351 }
352
353 static void
send_pfkey_spd_delete_message(int pfkey_socket,uint32_t policy_id)354 send_pfkey_spd_delete_message(int pfkey_socket, uint32_t policy_id)
355 {
356 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
357 bzero(payload, sizeof(payload));
358 uint16_t tlen = 0;
359
360 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
361 msg_payload->sadb_msg_version = PF_KEY_V2;
362 msg_payload->sadb_msg_type = SADB_X_SPDDELETE2;
363 msg_payload->sadb_msg_errno = 0;
364 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
365 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
366 msg_payload->sadb_msg_reserved = 0;
367 msg_payload->sadb_msg_seq = 0;
368 msg_payload->sadb_msg_pid = (uint32_t)getpid();
369 tlen += sizeof(*msg_payload);
370
371 struct sadb_x_policy *policy_payload = (struct sadb_x_policy *)(void *)(payload + tlen);
372 policy_payload->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*policy_payload));
373 policy_payload->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
374 policy_payload->sadb_x_policy_id = policy_id;
375 tlen += sizeof(*policy_payload);
376
377 // Update the total length
378 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
379 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd delete failed");
380 }
381
382 static void
send_pfkey_spd_dump_message(int pfkey_socket)383 send_pfkey_spd_dump_message(int pfkey_socket)
384 {
385 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
386 bzero(payload, sizeof(payload));
387 uint16_t tlen = 0;
388
389 struct sadb_msg *msg_payload = (struct sadb_msg *)(void *)payload;
390 msg_payload->sadb_msg_version = PF_KEY_V2;
391 msg_payload->sadb_msg_type = SADB_X_SPDDUMP;
392 msg_payload->sadb_msg_errno = 0;
393 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
394 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
395 msg_payload->sadb_msg_reserved = 0;
396 msg_payload->sadb_msg_seq = 0;
397 msg_payload->sadb_msg_pid = (uint32_t)getpid();
398 tlen += sizeof(*msg_payload);
399
400 // Update the total length
401 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
402 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd dump failed");
403 }
404
405 static void
send_pfkey_flush_sp(int pfkey_socket)406 send_pfkey_flush_sp(int pfkey_socket)
407 {
408 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
409 bzero(payload, sizeof(payload));
410 uint16_t tlen = 0;
411
412 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
413 msg_payload->sadb_msg_version = PF_KEY_V2;
414 msg_payload->sadb_msg_type = SADB_X_SPDFLUSH;
415 msg_payload->sadb_msg_errno = 0;
416 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
417 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
418 msg_payload->sadb_msg_reserved = 0;
419 msg_payload->sadb_msg_seq = 0;
420 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
421 tlen += sizeof(*msg_payload);
422
423 // Update the total length
424 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
425 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey flush security policies");
426 }
427
428 static void
send_pkey_get_spi(int pfkey_socket)429 send_pkey_get_spi(int pfkey_socket)
430 {
431 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
432 bzero(payload, sizeof(payload));
433 uint16_t tlen = 0;
434
435 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
436 msg_payload->sadb_msg_version = PF_KEY_V2;
437 msg_payload->sadb_msg_type = SADB_GETSPI;
438 msg_payload->sadb_msg_errno = 0;
439 msg_payload->sadb_msg_satype = SADB_SATYPE_ESP;
440 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
441 msg_payload->sadb_msg_reserved = 0;
442 msg_payload->sadb_msg_seq = 0;
443 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
444 tlen += sizeof(*msg_payload);
445
446 struct sadb_x_sa2 *sa2_payload = (struct sadb_x_sa2 *)(void *)(payload + tlen);
447 sa2_payload->sadb_x_sa2_len = PFKEY_UNIT64(sizeof(*sa2_payload));
448 sa2_payload->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
449 sa2_payload->sadb_x_sa2_mode = IPSEC_MODE_TRANSPORT;
450 sa2_payload->sadb_x_sa2_reqid = 0;
451 tlen += sizeof(*sa2_payload);
452
453 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
454 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
455 src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
456 src_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
457 src_address_payload->sadb_address_reserved = 0;
458 tlen += sizeof(*src_address_payload);
459
460 struct sockaddr_in *src = (struct sockaddr_in *)(void *)(payload + tlen);
461 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_SRC_ADDRESS_IPv4, &src->sin_addr), 1, "src address fail");
462 src->sin_family = AF_INET;
463 src->sin_len = sizeof(*src);
464 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src->sin_len);
465 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
466 tlen += PFKEY_ALIGN8(src->sin_len);
467
468 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
469 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
470 dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
471 dst_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
472 dst_address_payload->sadb_address_reserved = 0;
473 tlen += sizeof(*dst_address_payload);
474
475 struct sockaddr_in *dst = (struct sockaddr_in *)(void *)(payload + tlen);
476 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_DST_ADDRESS_IPv4, &dst->sin_addr), 1, "dst address fail");
477 dst->sin_family = AF_INET;
478 dst->sin_len = sizeof(*dst);
479 len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst->sin_len);
480 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
481 tlen += PFKEY_ALIGN8(dst->sin_len);
482
483 // Update the total length
484 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
485 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send get spi");
486 }
487
488 static void
send_pkey_add_sa(int pfkey_socket,uint32_t spi,const char * src,const char * dst,int family)489 send_pkey_add_sa(int pfkey_socket, uint32_t spi, const char *src, const char *dst, int family)
490 {
491 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
492 bzero(payload, sizeof(payload));
493 uint16_t tlen = 0;
494
495 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
496 msg_payload->sadb_msg_version = PF_KEY_V2;
497 msg_payload->sadb_msg_type = SADB_ADD;
498 msg_payload->sadb_msg_errno = 0;
499 msg_payload->sadb_msg_satype = SADB_SATYPE_ESP;
500 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
501 msg_payload->sadb_msg_reserved = 0;
502 msg_payload->sadb_msg_seq = 0;
503 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
504 tlen += sizeof(*msg_payload);
505
506 struct sadb_sa_2 *sa2_payload = (struct sadb_sa_2 *)(void *)(payload + tlen);
507 sa2_payload->sa.sadb_sa_len = PFKEY_UNIT64(sizeof(*sa2_payload));
508 sa2_payload->sa.sadb_sa_exttype = SADB_EXT_SA;
509 sa2_payload->sa.sadb_sa_spi = htonl(spi);
510 sa2_payload->sa.sadb_sa_replay = 4;
511 sa2_payload->sa.sadb_sa_state = SADB_SASTATE_LARVAL;
512 sa2_payload->sa.sadb_sa_auth = SADB_X_AALG_SHA2_256;
513 sa2_payload->sa.sadb_sa_encrypt = SADB_X_EALG_AESCBC;
514 sa2_payload->sa.sadb_sa_flags |= (SADB_X_EXT_NATT | SADB_X_EXT_NATT_KEEPALIVE);
515 sa2_payload->sadb_sa_natt_src_port = htons(4500);
516 sa2_payload->sadb_sa_natt_port = 4500;
517 sa2_payload->sadb_sa_natt_interval = 20;
518 sa2_payload->sadb_sa_natt_offload_interval = 0;
519 tlen += sizeof(*sa2_payload);
520
521 struct sadb_x_sa2 *sa2_x_payload = (struct sadb_x_sa2 *)(void *)(payload + tlen);
522 sa2_x_payload->sadb_x_sa2_len = PFKEY_UNIT64(sizeof(*sa2_x_payload));
523 sa2_x_payload->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
524 sa2_x_payload->sadb_x_sa2_mode = IPSEC_MODE_TRANSPORT;
525 sa2_x_payload->sadb_x_sa2_reqid = 0;
526 tlen += sizeof(*sa2_x_payload);
527
528 uint8_t prefixlen = (family == AF_INET) ? (sizeof(struct in_addr) << 3) : (sizeof(struct in6_addr) << 3);
529
530 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
531 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
532 src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
533 src_address_payload->sadb_address_prefixlen = prefixlen;
534 src_address_payload->sadb_address_reserved = 0;
535 tlen += sizeof(*src_address_payload);
536
537 if (family == AF_INET) {
538 struct sockaddr_in *src4 = (struct sockaddr_in *)(void *)(payload + tlen);
539 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, src, &src4->sin_addr), 1, "src address fail");
540 src4->sin_family = AF_INET;
541 src4->sin_len = sizeof(*src4);
542 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src4->sin_len);
543 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
544 tlen += PFKEY_ALIGN8(src4->sin_len);
545 } else {
546 struct sockaddr_in6 *src6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
547 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, src, &src6->sin6_addr), 1, "src address fail");
548 src6->sin6_family = AF_INET6;
549 src6->sin6_len = sizeof(*src6);
550 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src6->sin6_len);
551 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
552 tlen += PFKEY_ALIGN8(src6->sin6_len);
553 }
554
555 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
556 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
557 dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
558 dst_address_payload->sadb_address_prefixlen = prefixlen;
559 dst_address_payload->sadb_address_reserved = 0;
560 tlen += sizeof(*dst_address_payload);
561
562 if (family == AF_INET) {
563 struct sockaddr_in *dst4 = (struct sockaddr_in *)(void *)(payload + tlen);
564 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, dst, &dst4->sin_addr), 1, "dst address fail");
565 dst4->sin_family = AF_INET;
566 dst4->sin_len = sizeof(*dst4);
567 uint16_t len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst4->sin_len);
568 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
569 tlen += PFKEY_ALIGN8(dst4->sin_len);
570 } else {
571 struct sockaddr_in6 *dst6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
572 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, dst, &dst6->sin6_addr), 1, "dst address fail");
573 dst6->sin6_family = AF_INET6;
574 dst6->sin6_len = sizeof(*dst6);
575 uint16_t len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst6->sin6_len);
576 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
577 tlen += PFKEY_ALIGN8(dst6->sin6_len);
578 }
579
580 struct sadb_key *encrypt_key_payload = (struct sadb_key *)(void *)(payload + tlen);
581 uint16_t len = sizeof(*encrypt_key_payload) + PFKEY_ALIGN8(32);
582 encrypt_key_payload->sadb_key_len = PFKEY_UNIT64(len);
583 encrypt_key_payload->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
584 encrypt_key_payload->sadb_key_bits = (uint16_t)(32 << 3);
585 encrypt_key_payload->sadb_key_reserved = 0;
586 tlen += sizeof(*encrypt_key_payload);
587 arc4random_buf(payload + tlen, 32);
588 tlen += PFKEY_ALIGN8(32);
589
590 struct sadb_key *auth_key_payload = (struct sadb_key *)(void *)(payload + tlen);
591 len = sizeof(*auth_key_payload) + PFKEY_ALIGN8(32);
592 auth_key_payload->sadb_key_len = PFKEY_UNIT64(len);
593 auth_key_payload->sadb_key_exttype = SADB_EXT_KEY_AUTH;
594 auth_key_payload->sadb_key_bits = (uint16_t)(32 << 3);
595 auth_key_payload->sadb_key_reserved = 0;
596 tlen += sizeof(*auth_key_payload);
597 arc4random_buf(payload + tlen, 32);
598 tlen += PFKEY_ALIGN8(32);
599
600 struct sadb_lifetime *hard_lifetime_payload = (struct sadb_lifetime *)(void *)(payload + tlen);
601 hard_lifetime_payload->sadb_lifetime_len = PFKEY_UNIT64(sizeof(*hard_lifetime_payload));
602 hard_lifetime_payload->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
603 tlen += sizeof(*hard_lifetime_payload);
604
605 struct sadb_lifetime *soft_lifetime_payload = (struct sadb_lifetime *)(void *)(payload + tlen);
606 soft_lifetime_payload->sadb_lifetime_len = PFKEY_UNIT64(sizeof(*soft_lifetime_payload));
607 soft_lifetime_payload->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
608 tlen += sizeof(*soft_lifetime_payload);
609
610 // Update the total length
611 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
612 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send update sa");
613 }
614
615 static void
send_pkey_update_sa(int pfkey_socket,uint32_t spi)616 send_pkey_update_sa(int pfkey_socket, uint32_t spi)
617 {
618 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
619 bzero(payload, sizeof(payload));
620 uint16_t tlen = 0;
621
622 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
623 msg_payload->sadb_msg_version = PF_KEY_V2;
624 msg_payload->sadb_msg_type = SADB_UPDATE;
625 msg_payload->sadb_msg_errno = 0;
626 msg_payload->sadb_msg_satype = SADB_SATYPE_ESP;
627 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
628 msg_payload->sadb_msg_reserved = 0;
629 msg_payload->sadb_msg_seq = 0;
630 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
631 tlen += sizeof(*msg_payload);
632
633 struct sadb_sa_2 *sa2_payload = (struct sadb_sa_2 *)(void *)(payload + tlen);
634 sa2_payload->sa.sadb_sa_len = PFKEY_UNIT64(sizeof(*sa2_payload));
635 sa2_payload->sa.sadb_sa_exttype = SADB_EXT_SA;
636 sa2_payload->sa.sadb_sa_spi = htonl(spi);
637 sa2_payload->sa.sadb_sa_replay = 4;
638 sa2_payload->sa.sadb_sa_state = SADB_SASTATE_LARVAL;
639 sa2_payload->sa.sadb_sa_auth = SADB_X_AALG_SHA2_256;
640 sa2_payload->sa.sadb_sa_encrypt = SADB_X_EALG_AESCBC;
641 sa2_payload->sa.sadb_sa_flags |= (SADB_X_EXT_NATT | SADB_X_EXT_NATT_KEEPALIVE);
642 sa2_payload->sadb_sa_natt_src_port = htons(4500);
643 sa2_payload->sadb_sa_natt_port = 0; // Bad value to trigger failure
644 sa2_payload->sadb_sa_natt_interval = 20;
645 sa2_payload->sadb_sa_natt_offload_interval = 0;
646 tlen += sizeof(*sa2_payload);
647
648 struct sadb_x_sa2 *sa2_x_payload = (struct sadb_x_sa2 *)(void *)(payload + tlen);
649 sa2_x_payload->sadb_x_sa2_len = PFKEY_UNIT64(sizeof(*sa2_x_payload));
650 sa2_x_payload->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
651 sa2_x_payload->sadb_x_sa2_mode = IPSEC_MODE_TRANSPORT;
652 sa2_x_payload->sadb_x_sa2_reqid = 0;
653 tlen += sizeof(*sa2_x_payload);
654
655 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
656 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
657 src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
658 src_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
659 src_address_payload->sadb_address_reserved = 0;
660 tlen += sizeof(*src_address_payload);
661
662 struct sockaddr_in *src = (struct sockaddr_in *)(void *)(payload + tlen);
663 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_SRC_ADDRESS_IPv4, &src->sin_addr), 1, "src address fail");
664 src->sin_family = AF_INET;
665 src->sin_len = sizeof(*src);
666 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src->sin_len);
667 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
668 tlen += PFKEY_ALIGN8(src->sin_len);
669
670 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
671 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
672 dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
673 dst_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
674 dst_address_payload->sadb_address_reserved = 0;
675 tlen += sizeof(*dst_address_payload);
676
677 struct sockaddr_in *dst = (struct sockaddr_in *)(void *)(payload + tlen);
678 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_DST_ADDRESS_IPv4, &dst->sin_addr), 1, "dst address fail");
679 dst->sin_family = AF_INET;
680 dst->sin_len = sizeof(*dst);
681 len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst->sin_len);
682 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
683 tlen += PFKEY_ALIGN8(dst->sin_len);
684
685 struct sadb_key *encrypt_key_payload = (struct sadb_key *)(void *)(payload + tlen);
686 len = sizeof(*encrypt_key_payload) + PFKEY_ALIGN8(32);
687 encrypt_key_payload->sadb_key_len = PFKEY_UNIT64(len);
688 encrypt_key_payload->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
689 encrypt_key_payload->sadb_key_bits = (uint16_t)(32 << 3);
690 encrypt_key_payload->sadb_key_reserved = 0;
691 tlen += sizeof(*encrypt_key_payload);
692 arc4random_buf(payload + tlen, 32);
693 tlen += PFKEY_ALIGN8(32);
694
695 struct sadb_key *auth_key_payload = (struct sadb_key *)(void *)(payload + tlen);
696 len = sizeof(*auth_key_payload) + PFKEY_ALIGN8(32);
697 auth_key_payload->sadb_key_len = PFKEY_UNIT64(len);
698 auth_key_payload->sadb_key_exttype = SADB_EXT_KEY_AUTH;
699 auth_key_payload->sadb_key_bits = (uint16_t)(32 << 3);
700 auth_key_payload->sadb_key_reserved = 0;
701 tlen += sizeof(*auth_key_payload);
702 arc4random_buf(payload + tlen, 32);
703 tlen += PFKEY_ALIGN8(32);
704
705 struct sadb_lifetime *hard_lifetime_payload = (struct sadb_lifetime *)(void *)(payload + tlen);
706 hard_lifetime_payload->sadb_lifetime_len = PFKEY_UNIT64(sizeof(*hard_lifetime_payload));
707 hard_lifetime_payload->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
708 tlen += sizeof(*hard_lifetime_payload);
709
710 struct sadb_lifetime *soft_lifetime_payload = (struct sadb_lifetime *)(void *)(payload + tlen);
711 soft_lifetime_payload->sadb_lifetime_len = PFKEY_UNIT64(sizeof(*soft_lifetime_payload));
712 soft_lifetime_payload->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
713 tlen += sizeof(*soft_lifetime_payload);
714
715 // Update the total length
716 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
717 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send update sa");
718 }
719
720 static void
send_pkey_migrate_sa(int pfkey_socket,uint32_t spi,const char * src,const char * dst,int family,const char * migrate_src,const char * migrate_dst,int migrate_family)721 send_pkey_migrate_sa(int pfkey_socket, uint32_t spi, const char *src, const char *dst, int family,
722 const char *migrate_src, const char *migrate_dst, int migrate_family)
723 {
724 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
725 bzero(payload, sizeof(payload));
726 uint16_t tlen = 0;
727
728 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
729 msg_payload->sadb_msg_version = PF_KEY_V2;
730 msg_payload->sadb_msg_type = SADB_MIGRATE;
731 msg_payload->sadb_msg_errno = 0;
732 msg_payload->sadb_msg_satype = SADB_SATYPE_ESP;
733 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
734 msg_payload->sadb_msg_reserved = 0;
735 msg_payload->sadb_msg_seq = 0;
736 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
737 tlen += sizeof(*msg_payload);
738
739 struct sadb_sa_2 *sa2_payload = (struct sadb_sa_2 *)(void *)(payload + tlen);
740 sa2_payload->sa.sadb_sa_len = PFKEY_UNIT64(sizeof(*sa2_payload));
741 sa2_payload->sa.sadb_sa_exttype = SADB_EXT_SA;
742 sa2_payload->sa.sadb_sa_spi = htonl(spi);
743 sa2_payload->sa.sadb_sa_replay = 4;
744 sa2_payload->sa.sadb_sa_state = SADB_SASTATE_LARVAL;
745 sa2_payload->sa.sadb_sa_auth = SADB_X_AALG_SHA2_256;
746 sa2_payload->sa.sadb_sa_encrypt = SADB_X_EALG_AESCBC;
747 sa2_payload->sa.sadb_sa_flags |= (SADB_X_EXT_NATT | SADB_X_EXT_NATT_KEEPALIVE);
748 sa2_payload->sadb_sa_natt_src_port = htons(4500);
749 sa2_payload->sadb_sa_natt_port = 0; // Bad value to trigger failure
750 sa2_payload->sadb_sa_natt_interval = 20;
751 sa2_payload->sadb_sa_natt_offload_interval = 0;
752 tlen += sizeof(*sa2_payload);
753
754 struct sadb_x_sa2 *sa2_x_payload = (struct sadb_x_sa2 *)(void *)(payload + tlen);
755 sa2_x_payload->sadb_x_sa2_len = PFKEY_UNIT64(sizeof(*sa2_x_payload));
756 sa2_x_payload->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
757 sa2_x_payload->sadb_x_sa2_mode = IPSEC_MODE_TRANSPORT;
758 sa2_x_payload->sadb_x_sa2_reqid = 0;
759 tlen += sizeof(*sa2_x_payload);
760
761 uint8_t prefixlen = (family == AF_INET) ? (sizeof(struct in_addr) << 3) : (sizeof(struct in6_addr) << 3);
762
763 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
764 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
765 src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
766 src_address_payload->sadb_address_prefixlen = prefixlen;
767 src_address_payload->sadb_address_reserved = 0;
768 tlen += sizeof(*src_address_payload);
769
770 if (family == AF_INET) {
771 struct sockaddr_in *src4 = (struct sockaddr_in *)(void *)(payload + tlen);
772 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, src, &src4->sin_addr), 1, "src address fail");
773 src4->sin_family = AF_INET;
774 src4->sin_len = sizeof(*src4);
775 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src4->sin_len);
776 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
777 tlen += PFKEY_ALIGN8(src4->sin_len);
778 } else {
779 struct sockaddr_in6 *src6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
780 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, src, &src6->sin6_addr), 1, "src address fail");
781 src6->sin6_family = AF_INET6;
782 src6->sin6_len = sizeof(*src6);
783 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src6->sin6_len);
784 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
785 tlen += PFKEY_ALIGN8(src6->sin6_len);
786 }
787
788 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
789 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
790 dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
791 dst_address_payload->sadb_address_prefixlen = prefixlen;
792 dst_address_payload->sadb_address_reserved = 0;
793 tlen += sizeof(*dst_address_payload);
794
795 if (family == AF_INET) {
796 struct sockaddr_in *dst4 = (struct sockaddr_in *)(void *)(payload + tlen);
797 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, dst, &dst4->sin_addr), 1, "dst address fail");
798 dst4->sin_family = AF_INET;
799 dst4->sin_len = sizeof(*dst4);
800 uint16_t len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst4->sin_len);
801 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
802 tlen += PFKEY_ALIGN8(dst4->sin_len);
803 } else {
804 struct sockaddr_in6 *dst6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
805 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, dst, &dst6->sin6_addr), 1, "dst address fail");
806 dst6->sin6_family = AF_INET6;
807 dst6->sin6_len = sizeof(*dst6);
808 uint16_t len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst6->sin6_len);
809 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
810 tlen += PFKEY_ALIGN8(dst6->sin6_len);
811 }
812
813 prefixlen = (migrate_family == AF_INET) ? (sizeof(struct in_addr) << 3) : (sizeof(struct in6_addr) << 3);
814
815 struct sadb_address *migrate_src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
816 migrate_src_address_payload->sadb_address_exttype = SADB_EXT_MIGRATE_ADDRESS_SRC & 0xffff;
817 migrate_src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
818 migrate_src_address_payload->sadb_address_prefixlen = prefixlen;
819 migrate_src_address_payload->sadb_address_reserved = 0;
820 tlen += sizeof(*migrate_src_address_payload);
821
822 if (migrate_family == AF_INET) {
823 struct sockaddr_in *migrate_src4 = (struct sockaddr_in *)(void *)(payload + tlen);
824 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, migrate_src, &migrate_src4->sin_addr), 1, "migrate src fail");
825 migrate_src4->sin_family = AF_INET;
826 migrate_src4->sin_len = sizeof(*migrate_src4);
827 uint16_t len = sizeof(*migrate_src_address_payload) + PFKEY_ALIGN8(migrate_src4->sin_len);
828 migrate_src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
829 tlen += PFKEY_ALIGN8(migrate_src4->sin_len);
830 } else if (migrate_family == AF_INET6) {
831 struct sockaddr_in6 *migrate_src6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
832 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, migrate_src, &migrate_src6->sin6_addr), 1, "migrate src fail");
833 migrate_src6->sin6_family = AF_INET6;
834 migrate_src6->sin6_len = sizeof(*migrate_src6);
835 uint16_t len = sizeof(*migrate_src_address_payload) + PFKEY_ALIGN8(migrate_src6->sin6_len);
836 migrate_src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
837 tlen += PFKEY_ALIGN8(migrate_src6->sin6_len);
838 } else if (migrate_family == AF_CHAOS) {
839 struct sockaddr_in6 *migrate_src6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
840 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, migrate_src, &migrate_src6->sin6_addr), 1, "migrate src fail");
841 migrate_src6->sin6_family = AF_INET6;
842 migrate_src6->sin6_len = sizeof(*migrate_src6) + 100; // Bad value to trigger exploit
843 uint16_t len = sizeof(*migrate_src_address_payload) + PFKEY_ALIGN8(migrate_src6->sin6_len);
844 migrate_src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
845 tlen += PFKEY_ALIGN8(migrate_src6->sin6_len);
846 }
847
848 struct sadb_address *migrate_dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
849 migrate_dst_address_payload->sadb_address_exttype = SADB_EXT_MIGRATE_ADDRESS_DST & 0xffff;
850 migrate_dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
851 migrate_dst_address_payload->sadb_address_prefixlen = prefixlen;
852 migrate_dst_address_payload->sadb_address_reserved = 0;
853
854 tlen += sizeof(*migrate_dst_address_payload);
855
856 if (migrate_family == AF_INET) {
857 struct sockaddr_in *migrate_dst4 = (struct sockaddr_in *)(void *)(payload + tlen);
858 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, migrate_dst, &migrate_dst4->sin_addr), 1, "migrate dst fail");
859 migrate_dst4->sin_family = AF_INET;
860 migrate_dst4->sin_len = sizeof(*migrate_dst4);
861 uint16_t len = sizeof(*migrate_dst_address_payload) + PFKEY_ALIGN8(migrate_dst4->sin_len);
862 migrate_dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
863 tlen += PFKEY_ALIGN8(migrate_dst4->sin_len);
864 } else if (migrate_family == AF_INET6) {
865 struct sockaddr_in6 *migrate_dst6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
866 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, migrate_dst, &migrate_dst6->sin6_addr), 1, "migrate dst fail");
867 migrate_dst6->sin6_family = AF_INET6;
868 migrate_dst6->sin6_len = sizeof(*migrate_dst6);
869 uint16_t len = sizeof(*migrate_dst_address_payload) + PFKEY_ALIGN8(migrate_dst6->sin6_len);
870 migrate_dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
871 tlen += PFKEY_ALIGN8(migrate_dst6->sin6_len);
872 } else if (migrate_family == AF_CHAOS) {
873 struct sockaddr_in6 *migrate_dst6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
874 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, migrate_dst, &migrate_dst6->sin6_addr), 1, "migrate dst fail");
875 migrate_dst6->sin6_family = AF_INET6;
876 migrate_dst6->sin6_len = sizeof(*migrate_dst6) + 100; // Bad value to trigger exploit
877 uint16_t len = sizeof(*migrate_dst_address_payload) + PFKEY_ALIGN8(migrate_dst6->sin6_len);
878 migrate_dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
879 tlen += PFKEY_ALIGN8(migrate_dst6->sin6_len);
880 }
881
882 // Update the total length
883 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
884 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send migrate sa");
885 }
886
887 static void
send_pfkey_get_sa_stat(int pfkey_socket,uint32_t spi,uint32_t stat_length)888 send_pfkey_get_sa_stat(int pfkey_socket, uint32_t spi, uint32_t stat_length)
889 {
890 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
891 bzero(payload, sizeof(payload));
892 uint16_t tlen = 0;
893
894 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
895 msg_payload->sadb_msg_version = PF_KEY_V2;
896 msg_payload->sadb_msg_type = SADB_GETSASTAT;
897 msg_payload->sadb_msg_errno = 0;
898 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
899 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
900 msg_payload->sadb_msg_reserved = 0;
901 msg_payload->sadb_msg_seq = 0;
902 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
903 tlen += sizeof(*msg_payload);
904
905 struct sadb_session_id *session_id_payload = (struct sadb_session_id *)(void *)(payload + tlen);
906 session_id_payload->sadb_session_id_len = PFKEY_UNIT64(sizeof(*session_id_payload));
907 session_id_payload->sadb_session_id_exttype = SADB_EXT_SESSION_ID;
908 session_id_payload->sadb_session_id_v[0] = 1;
909 tlen += sizeof(*session_id_payload);
910
911 struct sadb_sastat *sadb_stat_payload = (struct sadb_sastat *)(void *)(payload + tlen);
912 uint16_t length = sizeof(*sadb_stat_payload) + PFKEY_ALIGN8(sizeof(struct sastat));
913 sadb_stat_payload->sadb_sastat_len = PFKEY_UNIT64(length);
914 sadb_stat_payload->sadb_sastat_exttype = SADB_EXT_SASTAT;
915 sadb_stat_payload->sadb_sastat_dir = IPSEC_DIR_OUTBOUND;
916 sadb_stat_payload->sadb_sastat_list_len = stat_length;
917 tlen += sizeof(*sadb_stat_payload);
918
919 struct sastat *sastat_payload = (struct sastat *)(void *)(payload + tlen);
920 sastat_payload->spi = htonl(spi);
921 tlen += PFKEY_ALIGN8(sizeof(*sastat_payload));
922
923 // Update the total length
924 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
925 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send get sa stat");
926 }
927
928 static void
send_pkey_delete_sa(int pfkey_socket,uint32_t spi)929 send_pkey_delete_sa(int pfkey_socket, uint32_t spi)
930 {
931 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
932 bzero(payload, sizeof(payload));
933 uint16_t tlen = 0;
934
935 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
936 msg_payload->sadb_msg_version = PF_KEY_V2;
937 msg_payload->sadb_msg_type = SADB_DELETE;
938 msg_payload->sadb_msg_errno = 0;
939 msg_payload->sadb_msg_satype = SADB_SATYPE_ESP;
940 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
941 msg_payload->sadb_msg_reserved = 0;
942 msg_payload->sadb_msg_seq = 0;
943 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
944 tlen += sizeof(*msg_payload);
945
946 struct sadb_sa_2 *sa2_payload = (struct sadb_sa_2 *)(void *)(payload + tlen);
947 sa2_payload->sa.sadb_sa_len = PFKEY_UNIT64(sizeof(*sa2_payload));
948 sa2_payload->sa.sadb_sa_exttype = SADB_EXT_SA;
949 sa2_payload->sa.sadb_sa_spi = htonl(spi);
950 tlen += sizeof(*sa2_payload);
951
952 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
953 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
954 src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
955 src_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
956 src_address_payload->sadb_address_reserved = 0;
957 tlen += sizeof(*src_address_payload);
958
959 struct sockaddr_in *src = (struct sockaddr_in *)(void *)(payload + tlen);
960 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_SRC_ADDRESS_IPv4, &src->sin_addr), 1, "migrate src fail");
961 src->sin_family = AF_INET;
962 src->sin_len = sizeof(*src);
963 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src->sin_len);
964 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
965 tlen += PFKEY_ALIGN8(src->sin_len);
966
967 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
968 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
969 dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
970 dst_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
971 dst_address_payload->sadb_address_reserved = 0;
972 tlen += sizeof(*dst_address_payload);
973
974 struct sockaddr_in *dst = (struct sockaddr_in *)(void *)(payload + tlen);
975 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_DST_ADDRESS_IPv4, &dst->sin_addr), 1, "migrate dst fail");
976 dst->sin_family = AF_INET;
977 dst->sin_len = sizeof(*dst);
978 len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst->sin_len);
979 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
980 tlen += PFKEY_ALIGN8(dst->sin_len);
981
982 // Update the total length
983 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
984 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send delete sa");
985 }
986
987 static void
send_pfkey_sa_dump_message(int pfkey_socket)988 send_pfkey_sa_dump_message(int pfkey_socket)
989 {
990 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
991 bzero(payload, sizeof(payload));
992 uint16_t tlen = 0;
993
994 struct sadb_msg *msg_payload = (struct sadb_msg *)(void *)payload;
995 msg_payload->sadb_msg_version = PF_KEY_V2;
996 msg_payload->sadb_msg_type = SADB_DUMP;
997 msg_payload->sadb_msg_errno = 0;
998 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
999 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
1000 msg_payload->sadb_msg_reserved = 0;
1001 msg_payload->sadb_msg_seq = 0;
1002 msg_payload->sadb_msg_pid = (uint32_t)getpid();
1003 tlen += sizeof(*msg_payload);
1004
1005 // Update the total length
1006 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
1007 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send sa dump failed");
1008 }
1009
1010 static void
send_pfkey_flush_sa(int pfkey_socket)1011 send_pfkey_flush_sa(int pfkey_socket)
1012 {
1013 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
1014 bzero(payload, sizeof(payload));
1015 uint16_t tlen = 0;
1016
1017 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
1018 msg_payload->sadb_msg_version = PF_KEY_V2;
1019 msg_payload->sadb_msg_type = SADB_FLUSH;
1020 msg_payload->sadb_msg_errno = 0;
1021 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
1022 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
1023 msg_payload->sadb_msg_reserved = 0;
1024 msg_payload->sadb_msg_seq = 0;
1025 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
1026 tlen += sizeof(*msg_payload);
1027
1028 // Update the total length
1029 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
1030 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey flush sa");
1031 }
1032
1033 static void
pfkey_cleanup(void)1034 pfkey_cleanup(void)
1035 {
1036 if (pfkey_source != NULL) {
1037 int pfkey_socket = (int)dispatch_source_get_handle(pfkey_source);
1038 if (pfkey_socket > 0) {
1039 send_pfkey_flush_sa(pfkey_socket);
1040 send_pfkey_flush_sp(pfkey_socket);
1041 }
1042 dispatch_source_cancel(pfkey_source);
1043 pfkey_source = NULL;
1044 }
1045 }
1046
1047 static int
pfkey_setup_socket(void)1048 pfkey_setup_socket(void)
1049 {
1050 int pfkey_socket = -1;
1051 int bufsiz = 0;
1052 const unsigned long newbufk = 1536;
1053 unsigned long oldmax;
1054 size_t oldmaxsize = sizeof(oldmax);
1055 unsigned long newmax = newbufk * (1024 + 128);
1056
1057 T_QUIET; T_ASSERT_POSIX_SUCCESS(pfkey_socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2), NULL);
1058
1059 if (sysctlbyname("kern.ipc.maxsockbuf", &oldmax, &oldmaxsize, &newmax, sizeof(newmax)) != 0) {
1060 bufsiz = 233016; /* Max allowed by default */
1061 } else {
1062 bufsiz = newbufk * 1024;
1063 }
1064
1065 T_QUIET; T_ASSERT_POSIX_SUCCESS(setsockopt(pfkey_socket, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz)), "pfkey set snd socket buf failed %d", bufsiz);
1066 T_QUIET; T_ASSERT_POSIX_SUCCESS(setsockopt(pfkey_socket, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz)), "pfkey set recv socket buf failed %d", bufsiz);
1067
1068 pfkey_source = dispatch_source_create(DISPATCH_SOURCE_TYPE_READ, (uintptr_t)pfkey_socket, 0, dispatch_get_main_queue());
1069 T_QUIET; T_ASSERT_NOTNULL(pfkey_source, "dispatch_source_create(DISPATCH_SOURCE_TYPE_READ, ...)");
1070 dispatch_source_set_event_handler(pfkey_source, ^{
1071 recv_pfkey_message(pfkey_socket);
1072 });
1073 dispatch_source_set_cancel_handler(pfkey_source, ^{
1074 close(pfkey_socket);
1075 });
1076 dispatch_resume(pfkey_source);
1077 return pfkey_socket;
1078 }
1079
1080 static void
pfkey_process_message_test_60822136(uint8_t ** mhp,int pfkey_socket)1081 pfkey_process_message_test_60822136(uint8_t **mhp, int pfkey_socket)
1082 {
1083 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1084 static int counter = 0;
1085 static uint32_t policy_id = 0;
1086
1087 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1088 return;
1089 }
1090
1091 if (message->sadb_msg_errno) {
1092 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_X_SPDDUMP, "SADB error for type %u", message->sadb_msg_type);
1093 pfkey_cleanup();
1094 T_END;
1095 }
1096
1097 switch (message->sadb_msg_type) {
1098 case SADB_X_SPDADD:
1099 {
1100 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1101 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd add policy message is NULL");
1102 policy_id = policy_message->sadb_x_policy_id;
1103 T_LOG("Added policy id %u", policy_id);
1104 send_pfkey_spd_get_message(pfkey_socket, policy_id);
1105 break;
1106 }
1107 case SADB_X_SPDGET:
1108 {
1109 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1110 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd get policy message is NULL");
1111 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_get: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1112 if (counter < MAX_SPD_CHECK) {
1113 counter++;
1114 send_pfkey_spd_get_message(pfkey_socket, policy_id);
1115 } else {
1116 T_LOG("Deleting policy id %u", policy_id);
1117 send_pfkey_spd_delete_message(pfkey_socket, policy_id);
1118 }
1119 break;
1120 }
1121 case SADB_X_SPDDELETE2:
1122 {
1123 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1124 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd delete2 policy message is NULL");
1125 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_delete2: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1126 T_LOG("Deleted policy id %u", policy_id);
1127 sleep(2);
1128 send_pfkey_spd_dump_message(pfkey_socket);
1129 break;
1130 }
1131 case SADB_X_SPDDUMP:
1132 {
1133 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1134 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd dump policy message is NULL");
1135 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_dump: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1136 T_FAIL("Policy id %u still exists", policy_id);
1137 pfkey_cleanup();
1138 T_END;
1139 }
1140 case SADB_FLUSH:
1141 case SADB_X_SPDFLUSH:
1142 break;
1143 default:
1144 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1145 T_END;
1146 }
1147 return;
1148 }
1149
1150 static void
pfkey_process_message_test_60822924(uint8_t ** mhp,int pfkey_socket)1151 pfkey_process_message_test_60822924(uint8_t **mhp, int pfkey_socket)
1152 {
1153 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1154 static int counter = 0;
1155 static uint32_t policy_id = 0;
1156
1157 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1158 return;
1159 }
1160
1161 if (message->sadb_msg_errno) {
1162 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_X_SPDDUMP, "SADB error for type %u", message->sadb_msg_type);
1163 pfkey_cleanup();
1164 T_END;
1165 }
1166
1167 switch (message->sadb_msg_type) {
1168 case SADB_X_SPDADD:
1169 {
1170 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1171 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd add policy message is NULL");
1172 policy_id = policy_message->sadb_x_policy_id;
1173 T_LOG("Added policy id %u", policy_id);
1174 send_pfkey_spd_enable_message(pfkey_socket, policy_id);
1175 break;
1176 }
1177 case SADB_X_SPDENABLE:
1178 {
1179 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1180 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd enable policy message is NULL");
1181 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_enable: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1182 if (counter < MAX_SPD_CHECK) {
1183 counter++;
1184 send_pfkey_spd_enable_message(pfkey_socket, policy_id);
1185 } else {
1186 T_LOG("Deleting policy id %u", policy_id);
1187 send_pfkey_spd_delete_message(pfkey_socket, policy_id);
1188 }
1189 break;
1190 }
1191 case SADB_X_SPDDELETE2:
1192 {
1193 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1194 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd delete2 policy message is NULL");
1195 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_delete2: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1196 T_LOG("Deleted policy id %u", policy_id);
1197 sleep(2);
1198 send_pfkey_spd_dump_message(pfkey_socket);
1199 break;
1200 }
1201 case SADB_X_SPDDUMP:
1202 {
1203 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1204 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd dump policy message is NULL");
1205 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_dump: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1206 T_FAIL("Policy id %u still exists", policy_id);
1207 pfkey_cleanup();
1208 T_END;
1209 }
1210 case SADB_FLUSH:
1211 case SADB_X_SPDFLUSH:
1212 break;
1213 default:
1214 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1215 T_END;
1216 }
1217 return;
1218 }
1219
1220 static void
pfkey_process_message_test_60822956(uint8_t ** mhp,int pfkey_socket)1221 pfkey_process_message_test_60822956(uint8_t **mhp, int pfkey_socket)
1222 {
1223 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1224 static int counter = 0;
1225 static uint32_t policy_id = 0;
1226
1227 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1228 return;
1229 }
1230
1231 if (message->sadb_msg_errno) {
1232 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_X_SPDDUMP, "SADB error for type %u", message->sadb_msg_type);
1233 pfkey_cleanup();
1234 T_END;
1235 }
1236
1237 switch (message->sadb_msg_type) {
1238 case SADB_X_SPDADD:
1239 {
1240 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1241 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd add policy message is NULL");
1242 policy_id = policy_message->sadb_x_policy_id;
1243 T_LOG("Added policy id %u", policy_id);
1244 send_pfkey_spd_disable_message(pfkey_socket, policy_id);
1245 break;
1246 }
1247 case SADB_X_SPDDISABLE:
1248 {
1249 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1250 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd disable policy message is NULL");
1251 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_disable: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1252 if (counter < MAX_SPD_CHECK) {
1253 counter++;
1254 send_pfkey_spd_disable_message(pfkey_socket, policy_id);
1255 } else {
1256 T_LOG("Deleting policy id %u", policy_id);
1257 send_pfkey_spd_delete_message(pfkey_socket, policy_id);
1258 }
1259 break;
1260 }
1261 case SADB_X_SPDDELETE2:
1262 {
1263 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1264 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd delete2 policy message is NULL");
1265 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_delete2: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1266 T_LOG("Deleted policy id %u", policy_id);
1267 sleep(2);
1268 send_pfkey_spd_dump_message(pfkey_socket);
1269 break;
1270 }
1271 case SADB_X_SPDDUMP:
1272 {
1273 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1274 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd dump policy message is NULL");
1275 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_dump: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1276 T_FAIL("Policy id %u still exists", policy_id);
1277 pfkey_cleanup();
1278 T_END;
1279 }
1280 case SADB_FLUSH:
1281 case SADB_X_SPDFLUSH:
1282 break;
1283 default:
1284 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1285 T_END;
1286 }
1287 return;
1288 }
1289
1290 static void
pfkey_process_message_test_60679513(uint8_t ** mhp,int pfkey_socket)1291 pfkey_process_message_test_60679513(uint8_t **mhp, int pfkey_socket)
1292 {
1293 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1294 static uint32_t spi = 0;
1295
1296 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1297 return;
1298 }
1299
1300 if (message->sadb_msg_errno) {
1301 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_UPDATE, "SADB error for type %u", message->sadb_msg_type);
1302 }
1303
1304 switch (message->sadb_msg_type) {
1305 case SADB_GETSPI:
1306 {
1307 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1308 T_QUIET; T_ASSERT_NOTNULL(sa_message, "sa get spi message is NULL");
1309 spi = ntohl(sa_message->sadb_sa_spi);
1310 T_LOG("get spi 0x%x", spi);
1311 send_pkey_update_sa(pfkey_socket, spi);
1312 break;
1313 }
1314 case SADB_UPDATE:
1315 {
1316 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1317 T_QUIET; T_ASSERT_NOTNULL(sa_message, "update sa message is NULL");
1318 T_QUIET; T_ASSERT_EQ(spi, ntohl(sa_message->sadb_sa_spi), "sadb update: spi mismatch %u != %u", spi, ntohl(sa_message->sadb_sa_spi));
1319 T_LOG("update sa 0x%x", spi);
1320 send_pkey_delete_sa(pfkey_socket, spi);
1321 break;
1322 }
1323 case SADB_DELETE:
1324 {
1325 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1326 T_QUIET; T_ASSERT_NOTNULL(sa_message, "delete sa message is NULL");
1327 T_QUIET; T_ASSERT_EQ(spi, ntohl(sa_message->sadb_sa_spi), "sadb delete: spi mismatch %u != %u", spi, ntohl(sa_message->sadb_sa_spi));
1328 T_LOG("delete sa 0x%x", spi);
1329 pfkey_cleanup();
1330 T_END;
1331 }
1332 case SADB_FLUSH:
1333 case SADB_X_SPDFLUSH:
1334 break;
1335 default:
1336 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1337 T_END;
1338 }
1339 return;
1340 }
1341
1342 static void
pfkey_process_message_test_60768729(uint8_t ** mhp,int pfkey_socket)1343 pfkey_process_message_test_60768729(uint8_t **mhp, int pfkey_socket)
1344 {
1345 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1346 uint32_t spi = 0;
1347 static int counter = 0;
1348
1349 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1350 return;
1351 }
1352
1353 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u", message->sadb_msg_type);
1354
1355 switch (message->sadb_msg_type) {
1356 case SADB_GETSPI:
1357 {
1358 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1359 T_QUIET; T_ASSERT_NOTNULL(sa_message, "sa get spi message is NULL");
1360 spi = ntohl(sa_message->sadb_sa_spi);
1361 counter++;
1362 if (counter <= 1000) {
1363 send_pkey_get_spi(pfkey_socket);
1364 } else {
1365 T_LOG("SADB added 1000 Larval SPIs");
1366 send_pfkey_sa_dump_message(pfkey_socket);
1367 }
1368 break;
1369 }
1370 case SADB_DUMP:
1371 {
1372 counter--;
1373 if (counter == 0) {
1374 T_PASS("SADB dump successful");
1375 pfkey_cleanup();
1376 T_END;
1377 }
1378 break;
1379 }
1380
1381 case SADB_FLUSH:
1382 case SADB_X_SPDFLUSH:
1383 break;
1384 default:
1385 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1386 T_END;
1387 }
1388 return;
1389 }
1390
1391 static void
pfkey_process_message_test_60769680(uint8_t ** mhp,int pfkey_socket)1392 pfkey_process_message_test_60769680(uint8_t **mhp, int pfkey_socket)
1393 {
1394 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1395 static uint8_t counter = 0;
1396
1397 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1398 return;
1399 }
1400
1401 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1402
1403 switch (message->sadb_msg_type) {
1404 case SADB_X_SPDADD:
1405 {
1406 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1407 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd add policy message is NULL");
1408 counter++;
1409 if (counter <= 240) {
1410 send_pfkey_spd_add_message(pfkey_socket, counter + 1);
1411 } else {
1412 T_LOG("SADB added 240 security policies");
1413 send_pfkey_spd_dump_message(pfkey_socket);
1414 }
1415 break;
1416 }
1417 case SADB_X_SPDDUMP:
1418 {
1419 counter--;
1420 if (counter == 0) {
1421 T_PASS("SADB policy dump successful");
1422 pfkey_cleanup();
1423 T_END;
1424 }
1425 break;
1426 }
1427
1428 case SADB_FLUSH:
1429 case SADB_X_SPDFLUSH:
1430 break;
1431 default:
1432 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1433 T_END;
1434 }
1435 return;
1436 }
1437
1438 static void
pfkey_process_message_test_60822823(uint8_t ** mhp,int pfkey_socket)1439 pfkey_process_message_test_60822823(uint8_t **mhp, int pfkey_socket)
1440 {
1441 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1442 static uint32_t spi = 0;
1443
1444 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1445 return;
1446 }
1447
1448 if (message->sadb_msg_errno != 0) {
1449 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_GETSASTAT, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1450 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, EINVAL, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1451 T_PASS("SADB get SA Stat received EINVAL");
1452 T_END;
1453 }
1454
1455 switch (message->sadb_msg_type) {
1456 case SADB_ADD:
1457 {
1458 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1459 T_QUIET; T_ASSERT_NOTNULL(sa_message, "add sa message is NULL");
1460 spi = ntohl(sa_message->sadb_sa_spi);
1461 T_LOG("added sa 0x%x", spi);
1462 send_pfkey_get_sa_stat(pfkey_socket, spi, 5);
1463 break;
1464 }
1465 case SADB_GETSASTAT:
1466 {
1467 T_FAIL("get sa stat should fail %u", message->sadb_msg_type);
1468 T_END;
1469 }
1470 case SADB_FLUSH:
1471 case SADB_X_SPDFLUSH:
1472 break;
1473 default:
1474 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1475 T_END;
1476 }
1477 return;
1478 }
1479
1480 static void
pfkey_process_message_test_60822823_1(uint8_t ** mhp,int pfkey_socket)1481 pfkey_process_message_test_60822823_1(uint8_t **mhp, int pfkey_socket)
1482 {
1483 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1484 static uint32_t spi = 0;
1485
1486 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1487 return;
1488 }
1489
1490 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1491
1492 switch (message->sadb_msg_type) {
1493 case SADB_ADD:
1494 {
1495 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1496 T_QUIET; T_ASSERT_NOTNULL(sa_message, "add sa message is NULL");
1497 spi = ntohl(sa_message->sadb_sa_spi);
1498 T_LOG("added sa 0x%x", spi);
1499 send_pfkey_get_sa_stat(pfkey_socket, spi, 1);
1500 break;
1501 }
1502 case SADB_GETSASTAT:
1503 {
1504 struct sadb_session_id *session_id = (struct sadb_session_id *)(void *)mhp[SADB_EXT_SESSION_ID];
1505 T_QUIET; T_ASSERT_NOTNULL(session_id, "session id is NULL");
1506 T_QUIET; T_EXPECT_EQ_ULLONG(session_id->sadb_session_id_v[0], 1ULL, "Session id is not equal");
1507 T_PASS("get sa stat success %u", message->sadb_msg_type);
1508 T_END;
1509 }
1510 case SADB_FLUSH:
1511 case SADB_X_SPDFLUSH:
1512 break;
1513 default:
1514 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1515 T_END;
1516 }
1517 return;
1518 }
1519
1520 static void
pfkey_process_message_test_60687183(uint8_t ** mhp,int pfkey_socket)1521 pfkey_process_message_test_60687183(uint8_t **mhp, int pfkey_socket)
1522 {
1523 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1524 static uint32_t spi = 0;
1525
1526 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1527 return;
1528 }
1529
1530 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1531
1532 switch (message->sadb_msg_type) {
1533 case SADB_ADD:
1534 {
1535 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1536 T_QUIET; T_ASSERT_NOTNULL(sa_message, "add sa message is NULL");
1537 spi = ntohl(sa_message->sadb_sa_spi);
1538 T_LOG("added sa 0x%x", spi);
1539 send_pkey_migrate_sa(pfkey_socket, spi, TEST_SRC_ADDRESS_IPv4, TEST_DST_ADDRESS_IPv4, AF_INET,
1540 TEST_MIGRATE_SRC_ADDRESS_IPv4, TEST_MIGRATE_DST_ADDRESS_IPv4, AF_INET);
1541 break;
1542 }
1543 case SADB_MIGRATE:
1544 {
1545 T_PASS("migrate SA success");
1546 T_END;
1547 }
1548 case SADB_FLUSH:
1549 case SADB_X_SPDFLUSH:
1550 break;
1551 default:
1552 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1553 T_END;
1554 }
1555 return;
1556 }
1557
1558 static void
pfkey_process_message_test_60687183_1(uint8_t ** mhp,int pfkey_socket)1559 pfkey_process_message_test_60687183_1(uint8_t **mhp, int pfkey_socket)
1560 {
1561 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1562 static uint32_t spi = 0;
1563
1564 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1565 return;
1566 }
1567
1568 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1569
1570 switch (message->sadb_msg_type) {
1571 case SADB_ADD:
1572 {
1573 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1574 T_QUIET; T_ASSERT_NOTNULL(sa_message, "add sa message is NULL");
1575 spi = ntohl(sa_message->sadb_sa_spi);
1576 T_LOG("added sa 0x%x", spi);
1577 send_pkey_migrate_sa(pfkey_socket, spi, TEST_SRC_ADDRESS_IPv6, TEST_DST_ADDRESS_IPv6, AF_INET6,
1578 TEST_MIGRATE_SRC_ADDRESS_IPv6, TEST_MIGRATE_DST_ADDRESS_IPv6, AF_INET6);
1579 break;
1580 }
1581 case SADB_MIGRATE:
1582 {
1583 T_PASS("migrate SA success");
1584 T_END;
1585 }
1586 case SADB_FLUSH:
1587 case SADB_X_SPDFLUSH:
1588 break;
1589 default:
1590 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1591 T_END;
1592 }
1593 return;
1594 }
1595
1596 static void
pfkey_process_message_test_60687183_2(uint8_t ** mhp,int pfkey_socket)1597 pfkey_process_message_test_60687183_2(uint8_t **mhp, int pfkey_socket)
1598 {
1599 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1600 static uint32_t spi = 0;
1601
1602 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1603 return;
1604 }
1605
1606 if (message->sadb_msg_errno != 0) {
1607 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_MIGRATE, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1608 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, EINVAL, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1609 T_PASS("SADB migrate SA received EINVAL");
1610 T_END;
1611 }
1612
1613 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1614
1615 switch (message->sadb_msg_type) {
1616 case SADB_ADD:
1617 {
1618 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1619 T_QUIET; T_ASSERT_NOTNULL(sa_message, "add sa message is NULL");
1620 spi = ntohl(sa_message->sadb_sa_spi);
1621 T_LOG("added sa 0x%x", spi);
1622 send_pkey_migrate_sa(pfkey_socket, spi, TEST_SRC_ADDRESS_IPv6, TEST_DST_ADDRESS_IPv6, AF_INET6,
1623 TEST_MIGRATE_SRC_ADDRESS_IPv6, TEST_MIGRATE_DST_ADDRESS_IPv6, AF_CHAOS);
1624 break;
1625 }
1626 case SADB_MIGRATE:
1627 {
1628 T_FAIL("migrate SA test for bad address failed");
1629 T_END;
1630 }
1631 case SADB_FLUSH:
1632 case SADB_X_SPDFLUSH:
1633 break;
1634 default:
1635 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1636 T_END;
1637 }
1638 return;
1639 }
1640
1641 T_DECL(sadb_x_get_60822136, "security policy reference count overflow")
1642 {
1643 test_id = TEST_SADB_X_GET_OVERFLOW_60822136;
1644
1645 int pfkey_socket = pfkey_setup_socket();
1646 send_pfkey_flush_sa(pfkey_socket);
1647 send_pfkey_flush_sp(pfkey_socket);
1648 send_pfkey_spd_add_message(pfkey_socket, IPSEC_ULPROTO_ANY);
1649
1650 dispatch_main();
1651 }
1652
1653 T_DECL(sadb_x_spd_enable_60822924, "security policy reference count overflow")
1654 {
1655 test_id = TEST_SADB_X_SPDENABLE_OVERFLOW_60822924;
1656
1657 int pfkey_socket = pfkey_setup_socket();
1658 send_pfkey_flush_sa(pfkey_socket);
1659 send_pfkey_flush_sp(pfkey_socket);
1660 send_pfkey_spd_add_message(pfkey_socket, IPSEC_ULPROTO_ANY);
1661
1662 dispatch_main();
1663 }
1664
1665 T_DECL(sadb_x_spd_disable_60822956, "security policy reference count overflow")
1666 {
1667 test_id = TEST_SADB_X_SPDDISABLE_OVERFLOW_60822956;
1668
1669 int pfkey_socket = pfkey_setup_socket();
1670 send_pfkey_flush_sa(pfkey_socket);
1671 send_pfkey_flush_sp(pfkey_socket);
1672 send_pfkey_spd_add_message(pfkey_socket, IPSEC_ULPROTO_ANY);
1673
1674 dispatch_main();
1675 }
1676
1677 T_DECL(sadb_update_60679513, "security association use after free")
1678 {
1679 test_id = TEST_SADB_UPDATE_USE_AFTER_FREE_60679513;
1680
1681 int pfkey_socket = pfkey_setup_socket();
1682 send_pfkey_flush_sa(pfkey_socket);
1683 send_pfkey_flush_sp(pfkey_socket);
1684 send_pkey_get_spi(pfkey_socket);
1685
1686 dispatch_main();
1687 }
1688
1689 T_DECL(sadb_dump_60768729, "security association sa dump heap overflow")
1690 {
1691 test_id = TEST_SADB_DUMP_HEAP_OVERFLOW_60768729;
1692
1693 int pfkey_socket = pfkey_setup_socket();
1694 T_ATEND(pfkey_cleanup);
1695 send_pfkey_flush_sa(pfkey_socket);
1696 send_pfkey_flush_sp(pfkey_socket);
1697 send_pkey_get_spi(pfkey_socket);
1698
1699 dispatch_main();
1700 }
1701
1702 T_DECL(sadb_policy_dump_60769680, "security association sa policy dump heap overflow")
1703 {
1704 test_id = TEST_SADB_POLICY_DUMP_HEAP_OVERFLOW_60769680;
1705
1706 int pfkey_socket = pfkey_setup_socket();
1707 T_ATEND(pfkey_cleanup);
1708 send_pfkey_flush_sa(pfkey_socket);
1709 send_pfkey_flush_sp(pfkey_socket);
1710 send_pfkey_spd_add_message(pfkey_socket, 1);
1711
1712 dispatch_main();
1713 }
1714
1715 T_DECL(sadb_get_sastat_oob_60769680, "security association get sa stat oob read")
1716 {
1717 test_id = TEST_SADB_GETSASTAT_OOB_READ_60822823;
1718
1719 int pfkey_socket = pfkey_setup_socket();
1720 T_ATEND(pfkey_cleanup);
1721 send_pfkey_flush_sa(pfkey_socket);
1722 send_pfkey_flush_sp(pfkey_socket);
1723 send_pkey_add_sa(pfkey_socket, 0x12345678, TEST_SRC_ADDRESS_IPv4, TEST_DST_ADDRESS_IPv4, AF_INET);
1724
1725 dispatch_main();
1726 }
1727
1728 T_DECL(sadb_get_sastat_success, "security association get sa stat")
1729 {
1730 test_id = TEST_SADB_GETSASTAT_OOB_READ_SUCCESS;
1731
1732 int pfkey_socket = pfkey_setup_socket();
1733 T_ATEND(pfkey_cleanup);
1734 send_pfkey_flush_sa(pfkey_socket);
1735 send_pfkey_flush_sp(pfkey_socket);
1736 send_pkey_add_sa(pfkey_socket, 0x12345678, TEST_SRC_ADDRESS_IPv4, TEST_DST_ADDRESS_IPv4, AF_INET);
1737
1738 dispatch_main();
1739 }
1740
1741 T_DECL(sadb_key_migrate_address_ipv4, "security association migrate address ipv4")
1742 {
1743 test_id = TEST_SADB_EXT_MIGRATE_ADDRESS_IPv4;
1744
1745 int pfkey_socket = pfkey_setup_socket();
1746 T_ATEND(pfkey_cleanup);
1747 send_pfkey_flush_sa(pfkey_socket);
1748 send_pfkey_flush_sp(pfkey_socket);
1749 send_pkey_add_sa(pfkey_socket, 0x12345678, TEST_SRC_ADDRESS_IPv4, TEST_DST_ADDRESS_IPv4, AF_INET);
1750
1751 dispatch_main();
1752 }
1753
1754 T_DECL(sadb_key_migrate_address_ipv6, "security association migrate address ipv6")
1755 {
1756 test_id = TEST_SADB_EXT_MIGRATE_ADDRESS_IPv6;
1757
1758 int pfkey_socket = pfkey_setup_socket();
1759 T_ATEND(pfkey_cleanup);
1760 send_pfkey_flush_sa(pfkey_socket);
1761 send_pfkey_flush_sp(pfkey_socket);
1762 send_pkey_add_sa(pfkey_socket, 0x12345678, TEST_SRC_ADDRESS_IPv6, TEST_DST_ADDRESS_IPv6, AF_INET6);
1763
1764 dispatch_main();
1765 }
1766
1767 T_DECL(sadb_key_migrate_bad_address, "security association migrate bad address")
1768 {
1769 test_id = TEST_SADB_EXT_MIGRATE_BAD_ADDRESS;
1770
1771 int pfkey_socket = pfkey_setup_socket();
1772 T_ATEND(pfkey_cleanup);
1773 send_pfkey_flush_sa(pfkey_socket);
1774 send_pfkey_flush_sp(pfkey_socket);
1775 send_pkey_add_sa(pfkey_socket, 0x12345678, TEST_SRC_ADDRESS_IPv6, TEST_DST_ADDRESS_IPv6, AF_INET6);
1776
1777 dispatch_main();
1778 }
1779