1 #include <darwintest.h>
2 #include <darwintest_utils.h>
3 #include <dispatch/dispatch.h>
4 #include <net/if_var_private.h>
5 #include <System/net/pfkeyv2.h>
6 #include <netinet6/ipsec.h>
7 #include <arpa/inet.h>
8
9 T_GLOBAL_META(
10 T_META_NAMESPACE("xnu.pfkey"),
11 T_META_ASROOT(true),
12 T_META_RADAR_COMPONENT_NAME("xnu"),
13 T_META_RADAR_COMPONENT_VERSION("NetworkExtension"),
14 T_META_CHECK_LEAKS(false));
15
16 #define MAX_SPD_CHECK 100
17 #define TEST_SRC_ADDRESS_IPv4 "192.168.2.2"
18 #define TEST_DST_ADDRESS_IPv4 "192.168.2.3"
19 #define TEST_SRC_ADDRESS_IPv6 "fd04:5c6b:8df7:7092:0000:0000:0000:0002"
20 #define TEST_DST_ADDRESS_IPv6 "fd04:5c6b:8df7:7092:0000:0000:0000:0003"
21 #define TEST_MIGRATE_SRC_ADDRESS_IPv4 "192.168.2.10"
22 #define TEST_MIGRATE_DST_ADDRESS_IPv4 "192.168.2.11"
23 #define TEST_MIGRATE_SRC_ADDRESS_IPv6 "fd04:5c6b:8df7:7092:0000:0000:0002:0000"
24 #define TEST_MIGRATE_DST_ADDRESS_IPv6 "fd04:5c6b:8df7:7092:0000:0000:0003:0000"
25
26 typedef enum {
27 TEST_INVALID = 0,
28 TEST_SADB_X_GET_OVERFLOW_60822136 = 1,
29 TEST_SADB_X_SPDENABLE_OVERFLOW_60822924 = 2,
30 TEST_SADB_X_SPDDISABLE_OVERFLOW_60822956 = 3,
31 TEST_SADB_UPDATE_USE_AFTER_FREE_60679513 = 4,
32 TEST_SADB_DUMP_HEAP_OVERFLOW_60768729 = 5,
33 TEST_SADB_POLICY_DUMP_HEAP_OVERFLOW_60769680 = 6,
34 TEST_SADB_GETSASTAT_OOB_READ_60822823 = 7,
35 TEST_SADB_GETSASTAT_OOB_READ_SUCCESS = 8,
36 TEST_SADB_EXT_MIGRATE_ADDRESS_IPv4 = 9,
37 TEST_SADB_EXT_MIGRATE_ADDRESS_IPv6 = 10,
38 TEST_SADB_EXT_MIGRATE_BAD_ADDRESS = 11,
39 TEST_TCP_INPUT_IPSEC_COPY_POLICY = 12,
40 TEST_SADB_X_SPDADD_MEMORY_LEAK_78944570 = 13,
41 } test_identifier;
42
43 static test_identifier test_id = TEST_INVALID;
44 static dispatch_source_t pfkey_source = NULL;
45 static unsigned long oldmax;
46
47 static void pfkey_cleanup(void);
48
49 static void pfkey_process_message_test_60822136(uint8_t **mhp, int pfkey_socket);
50 static void pfkey_process_message_test_60822924(uint8_t **mhp, int pfkey_socket);
51 static void pfkey_process_message_test_60822956(uint8_t **mhp, int pfkey_socket);
52 static void pfkey_process_message_test_60679513(uint8_t **mhp, int pfkey_socket);
53 static void pfkey_process_message_test_60768729(uint8_t **mhp, int pfkey_socket);
54 static void pfkey_process_message_test_60769680(uint8_t **mhp, int pfkey_socket);
55 static void pfkey_process_message_test_60822823(uint8_t **mhp, int pfkey_socket);
56 static void pfkey_process_message_test_60822823_1(uint8_t **mhp, int pfkey_socket);
57 static void pfkey_process_message_test_60687183(uint8_t **mhp, int pfkey_socket);
58 static void pfkey_process_message_test_60687183_1(uint8_t **mhp, int pfkey_socket);
59 static void pfkey_process_message_test_60687183_2(uint8_t **mhp, int pfkey_socket);
60 static void pfkey_process_message_test_78944570(uint8_t **mhp, int pfkey_socket);
61
62 static void(*const process_pfkey_message_tests[])(uint8_t * *mhp, int pfkey_socket) =
63 {
64 NULL,
65 pfkey_process_message_test_60822136, // TEST_SADB_X_GET_OVERFLOW_60822136
66 pfkey_process_message_test_60822924, // TEST_SADB_X_SPDENABLE_OVERFLOW_60822924
67 pfkey_process_message_test_60822956, // TEST_SADB_X_SPDDISABLE_OVERFLOW_60822956
68 pfkey_process_message_test_60679513, // TEST_SADB_UPDATE_USE_AFTER_FREE_60679513
69 pfkey_process_message_test_60768729, // TEST_SADB_DUMP_HEAP_OVERFLOW_60768729
70 pfkey_process_message_test_60769680, // TEST_SADB_POLICY_DUMP_HEAP_OVERFLOW_60769680
71 pfkey_process_message_test_60822823, // TEST_SADB_GETSASTAT_OOB_READ_60822823
72 pfkey_process_message_test_60822823_1, // TEST_SADB_GETSASTAT_OOB_READ_SUCCESS
73 pfkey_process_message_test_60687183, // TEST_SADB_EXT_MIGRATE_ADDRESS_IPv4
74 pfkey_process_message_test_60687183_1, // TEST_SADB_EXT_MIGRATE_ADDRESS_IPv6
75 pfkey_process_message_test_60687183_2, // TEST_SADB_EXT_MIGRATE_BAD_ADDRESS
76 NULL, // TEST_TCP_INPUT_IPSEC_COPY_POLICY
77 pfkey_process_message_test_78944570, // TEST_SADB_X_SPDADD_MEMORY_LEAK_78944570
78 };
79
80 static void
pfkey_align(struct sadb_msg * msg,uint8_t ** mhp)81 pfkey_align(struct sadb_msg *msg, uint8_t **mhp)
82 {
83 struct sadb_ext *ext;
84 int i;
85 uint8_t *p;
86 uint8_t *ep; /* XXX should be passed from upper layer */
87
88 /* validity check */
89 T_QUIET; T_ASSERT_NOTNULL(msg, "pfkey align msg");
90 T_QUIET; T_ASSERT_NOTNULL(mhp, "pfkey align mhp");
91
92 /* initialize */
93 for (i = 0; i < SADB_EXT_MAX + 1; i++) {
94 mhp[i] = NULL;
95 }
96
97 mhp[0] = (void *)msg;
98
99 /* initialize */
100 p = (void *) msg;
101 ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len);
102
103 /* skip base header */
104 p += sizeof(struct sadb_msg);
105
106 while (p < ep) {
107 ext = (void *)p;
108 T_QUIET; T_ASSERT_GE_PTR((void *)ep, (void *)(p + sizeof(*ext)), "pfkey extension header beyond end of buffer");
109 T_QUIET; T_ASSERT_GE_ULONG((unsigned long)PFKEY_EXTLEN(ext), sizeof(*ext), "pfkey extension shorter than extension header");
110 T_QUIET; T_ASSERT_GE_PTR((void *)ep, (void *)(p + PFKEY_EXTLEN(ext)), "pfkey extension length beyond end of buffer");
111
112 T_QUIET; T_EXPECT_NULL(mhp[ext->sadb_ext_type], "duplicate extension type %u payload", ext->sadb_ext_type);
113
114 /* set pointer */
115 switch (ext->sadb_ext_type) {
116 case SADB_EXT_SA:
117 case SADB_EXT_LIFETIME_CURRENT:
118 case SADB_EXT_LIFETIME_HARD:
119 case SADB_EXT_LIFETIME_SOFT:
120 case SADB_EXT_ADDRESS_SRC:
121 case SADB_EXT_ADDRESS_DST:
122 case SADB_EXT_ADDRESS_PROXY:
123 case SADB_EXT_KEY_AUTH:
124 /* XXX should to be check weak keys. */
125 case SADB_EXT_KEY_ENCRYPT:
126 /* XXX should to be check weak keys. */
127 case SADB_EXT_IDENTITY_SRC:
128 case SADB_EXT_IDENTITY_DST:
129 case SADB_EXT_SENSITIVITY:
130 case SADB_EXT_PROPOSAL:
131 case SADB_EXT_SUPPORTED_AUTH:
132 case SADB_EXT_SUPPORTED_ENCRYPT:
133 case SADB_EXT_SPIRANGE:
134 case SADB_X_EXT_POLICY:
135 case SADB_X_EXT_SA2:
136 case SADB_EXT_SESSION_ID:
137 case SADB_EXT_SASTAT:
138 #ifdef SADB_X_EXT_NAT_T_TYPE
139 case SADB_X_EXT_NAT_T_TYPE:
140 case SADB_X_EXT_NAT_T_SPORT:
141 case SADB_X_EXT_NAT_T_DPORT:
142 case SADB_X_EXT_NAT_T_OA:
143 #endif
144 #ifdef SADB_X_EXT_TAG
145 case SADB_X_EXT_TAG:
146 #endif
147 #ifdef SADB_X_EXT_PACKET
148 case SADB_X_EXT_PACKET:
149 #endif
150 case SADB_X_EXT_IPSECIF:
151 case SADB_X_EXT_ADDR_RANGE_SRC_START:
152 case SADB_X_EXT_ADDR_RANGE_SRC_END:
153 case SADB_X_EXT_ADDR_RANGE_DST_START:
154 case SADB_X_EXT_ADDR_RANGE_DST_END:
155 #ifdef SADB_MIGRATE
156 case SADB_EXT_MIGRATE_ADDRESS_SRC:
157 case SADB_EXT_MIGRATE_ADDRESS_DST:
158 case SADB_X_EXT_MIGRATE_IPSECIF:
159 #endif
160 mhp[ext->sadb_ext_type] = (void *)ext;
161 break;
162 default:
163 T_FAIL("bad extension type %u", ext->sadb_ext_type);
164 T_END;
165 }
166
167 p += PFKEY_EXTLEN(ext);
168 }
169
170 T_QUIET; T_EXPECT_EQ_PTR((void *)ep, (void *)p, "invalid pfkey message length");
171 return;
172 }
173
174
175 static void
recv_pfkey_message(int pfkey_socket)176 recv_pfkey_message(int pfkey_socket)
177 {
178 uint8_t buffer[8192] __attribute__((aligned(4)));
179 struct iovec iovecs[1] = {
180 { buffer, sizeof(buffer) },
181 };
182 struct msghdr msg = {
183 NULL,
184 0,
185 iovecs,
186 sizeof(iovecs) / sizeof(iovecs[0]),
187 NULL,
188 0,
189 0,
190 };
191
192 do {
193 ssize_t result = -1;
194 memset(buffer, 0, sizeof(buffer));
195 T_QUIET; T_ASSERT_POSIX_SUCCESS(result = recvmsg(pfkey_socket, &msg, 0), NULL);
196
197 if (result > 0) {
198 T_QUIET; T_ASSERT_GE_ULONG((size_t)result, sizeof(struct sadb_msg), "Invalid PFKey message size: %zu", result);
199 struct sadb_msg *hdr = (struct sadb_msg *)buffer;
200 uint8_t *mhp[SADB_EXT_MAX + 1];
201 pfkey_align(hdr, mhp);
202 (*process_pfkey_message_tests[test_id])(mhp, pfkey_socket);
203 } else if (result == 0) {
204 T_LOG("PFKey socket received EOF");
205 break;
206 }
207 } while (1);
208 }
209
210 static void
send_pfkey_spd_add_message(int pfkey_socket,uint8_t proto)211 send_pfkey_spd_add_message(int pfkey_socket, uint8_t proto)
212 {
213 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
214 bzero(payload, sizeof(payload));
215 uint16_t tlen = 0;
216
217 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
218 msg_payload->sadb_msg_version = PF_KEY_V2;
219 msg_payload->sadb_msg_type = SADB_X_SPDADD;
220 msg_payload->sadb_msg_errno = 0;
221 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
222 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
223 msg_payload->sadb_msg_reserved = 0;
224 msg_payload->sadb_msg_seq = 0;
225 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
226 tlen += sizeof(*msg_payload);
227
228 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
229 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
230 src_address_payload->sadb_address_proto = proto & 0xff;
231 src_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
232 src_address_payload->sadb_address_reserved = 0;
233 tlen += sizeof(*src_address_payload);
234
235 struct sockaddr_in *src = (struct sockaddr_in *)(void *)(payload + tlen);
236 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_SRC_ADDRESS_IPv4, &src->sin_addr), 1, "src address fail");
237 src->sin_family = AF_INET;
238 src->sin_len = sizeof(*src);
239 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src->sin_len);
240 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
241 tlen += PFKEY_ALIGN8(src->sin_len);
242
243 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
244 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
245 dst_address_payload->sadb_address_proto = proto & 0xff;
246 dst_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
247 dst_address_payload->sadb_address_reserved = 0;
248 tlen += sizeof(*dst_address_payload);
249
250 struct sockaddr_in *dst = (struct sockaddr_in *)(void *)(payload + tlen);
251 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_DST_ADDRESS_IPv4, &dst->sin_addr), 1, "dst address fail");
252 dst->sin_family = AF_INET;
253 dst->sin_len = sizeof(*dst);
254 len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst->sin_len);
255 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
256 tlen += PFKEY_ALIGN8(dst->sin_len);
257
258 struct sadb_lifetime *lifetime_payload = (struct sadb_lifetime *)(void *)(payload + tlen);
259 lifetime_payload->sadb_lifetime_len = PFKEY_UNIT64(sizeof(*lifetime_payload));
260 lifetime_payload->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
261 tlen += sizeof(*lifetime_payload);
262
263 struct sadb_x_policy *policy_payload = (struct sadb_x_policy *)(void *)(payload + tlen);
264 policy_payload->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*policy_payload));
265 policy_payload->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
266 policy_payload->sadb_x_policy_type = IPSEC_POLICY_DISCARD;
267 if (test_id == TEST_SADB_X_SPDADD_MEMORY_LEAK_78944570) {
268 policy_payload->sadb_x_policy_dir = IPSEC_DIR_INVALID;
269 } else {
270 policy_payload->sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
271 }
272 tlen += sizeof(*policy_payload);
273
274 // Update the total length
275 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
276 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd add");
277 }
278
279 static void
send_pfkey_spd_get_message(int pfkey_socket,uint32_t policy_id)280 send_pfkey_spd_get_message(int pfkey_socket, uint32_t policy_id)
281 {
282 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
283 bzero(payload, sizeof(payload));
284 uint16_t tlen = 0;
285
286 struct sadb_msg *msg_payload = (struct sadb_msg *)(void *)payload;
287 msg_payload->sadb_msg_version = PF_KEY_V2;
288 msg_payload->sadb_msg_type = SADB_X_SPDGET;
289 msg_payload->sadb_msg_errno = 0;
290 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
291 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
292 msg_payload->sadb_msg_reserved = 0;
293 msg_payload->sadb_msg_seq = 0;
294 msg_payload->sadb_msg_pid = (uint32_t)getpid();
295 tlen += sizeof(*msg_payload);
296
297 struct sadb_x_policy *policy_payload = (struct sadb_x_policy *)(void *)(payload + tlen);
298 policy_payload->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*policy_payload));
299 policy_payload->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
300 policy_payload->sadb_x_policy_id = policy_id;
301 tlen += sizeof(*policy_payload);
302
303 // Update the total length
304 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
305 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd get failed");
306 }
307
308 static void
send_pfkey_spd_enable_message(int pfkey_socket,uint32_t policy_id)309 send_pfkey_spd_enable_message(int pfkey_socket, uint32_t policy_id)
310 {
311 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
312 bzero(payload, sizeof(payload));
313 uint16_t tlen = 0;
314
315 struct sadb_msg *msg_payload = (struct sadb_msg *)(void *)payload;
316 msg_payload->sadb_msg_version = PF_KEY_V2;
317 msg_payload->sadb_msg_type = SADB_X_SPDENABLE;
318 msg_payload->sadb_msg_errno = 0;
319 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
320 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
321 msg_payload->sadb_msg_reserved = 0;
322 msg_payload->sadb_msg_seq = 0;
323 msg_payload->sadb_msg_pid = (uint32_t)getpid();
324 tlen += sizeof(*msg_payload);
325
326 struct sadb_x_policy *policy_payload = (struct sadb_x_policy *)(void *)(payload + tlen);
327 policy_payload->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*policy_payload));
328 policy_payload->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
329 policy_payload->sadb_x_policy_id = policy_id;
330 tlen += sizeof(*policy_payload);
331
332 // Update the total length
333 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
334 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd enable failed");
335 }
336
337 static void
send_pfkey_spd_disable_message(int pfkey_socket,uint32_t policy_id)338 send_pfkey_spd_disable_message(int pfkey_socket, uint32_t policy_id)
339 {
340 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
341 bzero(payload, sizeof(payload));
342 uint16_t tlen = 0;
343
344 struct sadb_msg *msg_payload = (struct sadb_msg *)(void *)payload;
345 msg_payload->sadb_msg_version = PF_KEY_V2;
346 msg_payload->sadb_msg_type = SADB_X_SPDDISABLE;
347 msg_payload->sadb_msg_errno = 0;
348 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
349 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
350 msg_payload->sadb_msg_reserved = 0;
351 msg_payload->sadb_msg_seq = 0;
352 msg_payload->sadb_msg_pid = (uint32_t)getpid();
353 tlen += sizeof(*msg_payload);
354
355 struct sadb_x_policy *policy_payload = (struct sadb_x_policy *)(void *)(payload + tlen);
356 policy_payload->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*policy_payload));
357 policy_payload->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
358 policy_payload->sadb_x_policy_id = policy_id;
359 tlen += sizeof(*policy_payload);
360
361 // Update the total length
362 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
363 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd disable failed");
364 }
365
366 static void
send_pfkey_spd_delete_message(int pfkey_socket,uint32_t policy_id)367 send_pfkey_spd_delete_message(int pfkey_socket, uint32_t policy_id)
368 {
369 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
370 bzero(payload, sizeof(payload));
371 uint16_t tlen = 0;
372
373 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
374 msg_payload->sadb_msg_version = PF_KEY_V2;
375 msg_payload->sadb_msg_type = SADB_X_SPDDELETE2;
376 msg_payload->sadb_msg_errno = 0;
377 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
378 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
379 msg_payload->sadb_msg_reserved = 0;
380 msg_payload->sadb_msg_seq = 0;
381 msg_payload->sadb_msg_pid = (uint32_t)getpid();
382 tlen += sizeof(*msg_payload);
383
384 struct sadb_x_policy *policy_payload = (struct sadb_x_policy *)(void *)(payload + tlen);
385 policy_payload->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*policy_payload));
386 policy_payload->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
387 policy_payload->sadb_x_policy_id = policy_id;
388 tlen += sizeof(*policy_payload);
389
390 // Update the total length
391 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
392 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd delete failed");
393 }
394
395 static void
send_pfkey_spd_dump_message(int pfkey_socket)396 send_pfkey_spd_dump_message(int pfkey_socket)
397 {
398 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
399 bzero(payload, sizeof(payload));
400 uint16_t tlen = 0;
401
402 struct sadb_msg *msg_payload = (struct sadb_msg *)(void *)payload;
403 msg_payload->sadb_msg_version = PF_KEY_V2;
404 msg_payload->sadb_msg_type = SADB_X_SPDDUMP;
405 msg_payload->sadb_msg_errno = 0;
406 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
407 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
408 msg_payload->sadb_msg_reserved = 0;
409 msg_payload->sadb_msg_seq = 0;
410 msg_payload->sadb_msg_pid = (uint32_t)getpid();
411 tlen += sizeof(*msg_payload);
412
413 // Update the total length
414 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
415 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd dump failed");
416 }
417
418 static void
send_pfkey_flush_sp(int pfkey_socket)419 send_pfkey_flush_sp(int pfkey_socket)
420 {
421 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
422 bzero(payload, sizeof(payload));
423 uint16_t tlen = 0;
424
425 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
426 msg_payload->sadb_msg_version = PF_KEY_V2;
427 msg_payload->sadb_msg_type = SADB_X_SPDFLUSH;
428 msg_payload->sadb_msg_errno = 0;
429 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
430 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
431 msg_payload->sadb_msg_reserved = 0;
432 msg_payload->sadb_msg_seq = 0;
433 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
434 tlen += sizeof(*msg_payload);
435
436 // Update the total length
437 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
438 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey flush security policies");
439 }
440
441 static void
send_pkey_get_spi(int pfkey_socket)442 send_pkey_get_spi(int pfkey_socket)
443 {
444 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
445 bzero(payload, sizeof(payload));
446 uint16_t tlen = 0;
447
448 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
449 msg_payload->sadb_msg_version = PF_KEY_V2;
450 msg_payload->sadb_msg_type = SADB_GETSPI;
451 msg_payload->sadb_msg_errno = 0;
452 msg_payload->sadb_msg_satype = SADB_SATYPE_ESP;
453 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
454 msg_payload->sadb_msg_reserved = 0;
455 msg_payload->sadb_msg_seq = 0;
456 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
457 tlen += sizeof(*msg_payload);
458
459 struct sadb_x_sa2 *sa2_payload = (struct sadb_x_sa2 *)(void *)(payload + tlen);
460 sa2_payload->sadb_x_sa2_len = PFKEY_UNIT64(sizeof(*sa2_payload));
461 sa2_payload->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
462 sa2_payload->sadb_x_sa2_mode = IPSEC_MODE_TRANSPORT;
463 sa2_payload->sadb_x_sa2_reqid = 0;
464 tlen += sizeof(*sa2_payload);
465
466 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
467 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
468 src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
469 src_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
470 src_address_payload->sadb_address_reserved = 0;
471 tlen += sizeof(*src_address_payload);
472
473 struct sockaddr_in *src = (struct sockaddr_in *)(void *)(payload + tlen);
474 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_SRC_ADDRESS_IPv4, &src->sin_addr), 1, "src address fail");
475 src->sin_family = AF_INET;
476 src->sin_len = sizeof(*src);
477 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src->sin_len);
478 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
479 tlen += PFKEY_ALIGN8(src->sin_len);
480
481 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
482 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
483 dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
484 dst_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
485 dst_address_payload->sadb_address_reserved = 0;
486 tlen += sizeof(*dst_address_payload);
487
488 struct sockaddr_in *dst = (struct sockaddr_in *)(void *)(payload + tlen);
489 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_DST_ADDRESS_IPv4, &dst->sin_addr), 1, "dst address fail");
490 dst->sin_family = AF_INET;
491 dst->sin_len = sizeof(*dst);
492 len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst->sin_len);
493 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
494 tlen += PFKEY_ALIGN8(dst->sin_len);
495
496 // Update the total length
497 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
498 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send get spi");
499 }
500
501 static void
send_pkey_add_sa(int pfkey_socket,uint32_t spi,const char * src,const char * dst,int family)502 send_pkey_add_sa(int pfkey_socket, uint32_t spi, const char *src, const char *dst, int family)
503 {
504 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
505 bzero(payload, sizeof(payload));
506 uint16_t tlen = 0;
507
508 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
509 msg_payload->sadb_msg_version = PF_KEY_V2;
510 msg_payload->sadb_msg_type = SADB_ADD;
511 msg_payload->sadb_msg_errno = 0;
512 msg_payload->sadb_msg_satype = SADB_SATYPE_ESP;
513 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
514 msg_payload->sadb_msg_reserved = 0;
515 msg_payload->sadb_msg_seq = 0;
516 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
517 tlen += sizeof(*msg_payload);
518
519 struct sadb_sa_2 *sa2_payload = (struct sadb_sa_2 *)(void *)(payload + tlen);
520 sa2_payload->sa.sadb_sa_len = PFKEY_UNIT64(sizeof(*sa2_payload));
521 sa2_payload->sa.sadb_sa_exttype = SADB_EXT_SA;
522 sa2_payload->sa.sadb_sa_spi = htonl(spi);
523 sa2_payload->sa.sadb_sa_replay = 4;
524 sa2_payload->sa.sadb_sa_state = SADB_SASTATE_LARVAL;
525 sa2_payload->sa.sadb_sa_auth = SADB_X_AALG_SHA2_256;
526 sa2_payload->sa.sadb_sa_encrypt = SADB_X_EALG_AESCBC;
527 sa2_payload->sa.sadb_sa_flags |= (SADB_X_EXT_NATT | SADB_X_EXT_NATT_KEEPALIVE);
528 sa2_payload->sadb_sa_natt_src_port = htons(4500);
529 sa2_payload->sadb_sa_natt_port = 4500;
530 sa2_payload->sadb_sa_natt_interval = 20;
531 sa2_payload->sadb_sa_natt_offload_interval = 0;
532 tlen += sizeof(*sa2_payload);
533
534 struct sadb_x_sa2 *sa2_x_payload = (struct sadb_x_sa2 *)(void *)(payload + tlen);
535 sa2_x_payload->sadb_x_sa2_len = PFKEY_UNIT64(sizeof(*sa2_x_payload));
536 sa2_x_payload->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
537 sa2_x_payload->sadb_x_sa2_mode = IPSEC_MODE_TRANSPORT;
538 sa2_x_payload->sadb_x_sa2_reqid = 0;
539 tlen += sizeof(*sa2_x_payload);
540
541 uint8_t prefixlen = (family == AF_INET) ? (sizeof(struct in_addr) << 3) : (sizeof(struct in6_addr) << 3);
542
543 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
544 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
545 src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
546 src_address_payload->sadb_address_prefixlen = prefixlen;
547 src_address_payload->sadb_address_reserved = 0;
548 tlen += sizeof(*src_address_payload);
549
550 if (family == AF_INET) {
551 struct sockaddr_in *src4 = (struct sockaddr_in *)(void *)(payload + tlen);
552 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, src, &src4->sin_addr), 1, "src address fail");
553 src4->sin_family = AF_INET;
554 src4->sin_len = sizeof(*src4);
555 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src4->sin_len);
556 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
557 tlen += PFKEY_ALIGN8(src4->sin_len);
558 } else {
559 struct sockaddr_in6 *src6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
560 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, src, &src6->sin6_addr), 1, "src address fail");
561 src6->sin6_family = AF_INET6;
562 src6->sin6_len = sizeof(*src6);
563 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src6->sin6_len);
564 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
565 tlen += PFKEY_ALIGN8(src6->sin6_len);
566 }
567
568 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
569 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
570 dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
571 dst_address_payload->sadb_address_prefixlen = prefixlen;
572 dst_address_payload->sadb_address_reserved = 0;
573 tlen += sizeof(*dst_address_payload);
574
575 if (family == AF_INET) {
576 struct sockaddr_in *dst4 = (struct sockaddr_in *)(void *)(payload + tlen);
577 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, dst, &dst4->sin_addr), 1, "dst address fail");
578 dst4->sin_family = AF_INET;
579 dst4->sin_len = sizeof(*dst4);
580 uint16_t len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst4->sin_len);
581 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
582 tlen += PFKEY_ALIGN8(dst4->sin_len);
583 } else {
584 struct sockaddr_in6 *dst6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
585 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, dst, &dst6->sin6_addr), 1, "dst address fail");
586 dst6->sin6_family = AF_INET6;
587 dst6->sin6_len = sizeof(*dst6);
588 uint16_t len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst6->sin6_len);
589 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
590 tlen += PFKEY_ALIGN8(dst6->sin6_len);
591 }
592
593 struct sadb_key *encrypt_key_payload = (struct sadb_key *)(void *)(payload + tlen);
594 uint16_t len = sizeof(*encrypt_key_payload) + PFKEY_ALIGN8(32);
595 encrypt_key_payload->sadb_key_len = PFKEY_UNIT64(len);
596 encrypt_key_payload->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
597 encrypt_key_payload->sadb_key_bits = (uint16_t)(32 << 3);
598 encrypt_key_payload->sadb_key_reserved = 0;
599 tlen += sizeof(*encrypt_key_payload);
600 arc4random_buf(payload + tlen, 32);
601 tlen += PFKEY_ALIGN8(32);
602
603 struct sadb_key *auth_key_payload = (struct sadb_key *)(void *)(payload + tlen);
604 len = sizeof(*auth_key_payload) + PFKEY_ALIGN8(32);
605 auth_key_payload->sadb_key_len = PFKEY_UNIT64(len);
606 auth_key_payload->sadb_key_exttype = SADB_EXT_KEY_AUTH;
607 auth_key_payload->sadb_key_bits = (uint16_t)(32 << 3);
608 auth_key_payload->sadb_key_reserved = 0;
609 tlen += sizeof(*auth_key_payload);
610 arc4random_buf(payload + tlen, 32);
611 tlen += PFKEY_ALIGN8(32);
612
613 struct sadb_lifetime *hard_lifetime_payload = (struct sadb_lifetime *)(void *)(payload + tlen);
614 hard_lifetime_payload->sadb_lifetime_len = PFKEY_UNIT64(sizeof(*hard_lifetime_payload));
615 hard_lifetime_payload->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
616 tlen += sizeof(*hard_lifetime_payload);
617
618 struct sadb_lifetime *soft_lifetime_payload = (struct sadb_lifetime *)(void *)(payload + tlen);
619 soft_lifetime_payload->sadb_lifetime_len = PFKEY_UNIT64(sizeof(*soft_lifetime_payload));
620 soft_lifetime_payload->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
621 tlen += sizeof(*soft_lifetime_payload);
622
623 // Update the total length
624 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
625 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send update sa");
626 }
627
628 static void
send_pkey_update_sa(int pfkey_socket,uint32_t spi)629 send_pkey_update_sa(int pfkey_socket, uint32_t spi)
630 {
631 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
632 bzero(payload, sizeof(payload));
633 uint16_t tlen = 0;
634
635 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
636 msg_payload->sadb_msg_version = PF_KEY_V2;
637 msg_payload->sadb_msg_type = SADB_UPDATE;
638 msg_payload->sadb_msg_errno = 0;
639 msg_payload->sadb_msg_satype = SADB_SATYPE_ESP;
640 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
641 msg_payload->sadb_msg_reserved = 0;
642 msg_payload->sadb_msg_seq = 0;
643 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
644 tlen += sizeof(*msg_payload);
645
646 struct sadb_sa_2 *sa2_payload = (struct sadb_sa_2 *)(void *)(payload + tlen);
647 sa2_payload->sa.sadb_sa_len = PFKEY_UNIT64(sizeof(*sa2_payload));
648 sa2_payload->sa.sadb_sa_exttype = SADB_EXT_SA;
649 sa2_payload->sa.sadb_sa_spi = htonl(spi);
650 sa2_payload->sa.sadb_sa_replay = 4;
651 sa2_payload->sa.sadb_sa_state = SADB_SASTATE_LARVAL;
652 sa2_payload->sa.sadb_sa_auth = SADB_X_AALG_SHA2_256;
653 sa2_payload->sa.sadb_sa_encrypt = SADB_X_EALG_AESCBC;
654 sa2_payload->sa.sadb_sa_flags |= (SADB_X_EXT_NATT | SADB_X_EXT_NATT_KEEPALIVE);
655 sa2_payload->sadb_sa_natt_src_port = htons(4500);
656 sa2_payload->sadb_sa_natt_port = 0; // Bad value to trigger failure
657 sa2_payload->sadb_sa_natt_interval = 20;
658 sa2_payload->sadb_sa_natt_offload_interval = 0;
659 tlen += sizeof(*sa2_payload);
660
661 struct sadb_x_sa2 *sa2_x_payload = (struct sadb_x_sa2 *)(void *)(payload + tlen);
662 sa2_x_payload->sadb_x_sa2_len = PFKEY_UNIT64(sizeof(*sa2_x_payload));
663 sa2_x_payload->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
664 sa2_x_payload->sadb_x_sa2_mode = IPSEC_MODE_TRANSPORT;
665 sa2_x_payload->sadb_x_sa2_reqid = 0;
666 tlen += sizeof(*sa2_x_payload);
667
668 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
669 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
670 src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
671 src_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
672 src_address_payload->sadb_address_reserved = 0;
673 tlen += sizeof(*src_address_payload);
674
675 struct sockaddr_in *src = (struct sockaddr_in *)(void *)(payload + tlen);
676 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_SRC_ADDRESS_IPv4, &src->sin_addr), 1, "src address fail");
677 src->sin_family = AF_INET;
678 src->sin_len = sizeof(*src);
679 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src->sin_len);
680 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
681 tlen += PFKEY_ALIGN8(src->sin_len);
682
683 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
684 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
685 dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
686 dst_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
687 dst_address_payload->sadb_address_reserved = 0;
688 tlen += sizeof(*dst_address_payload);
689
690 struct sockaddr_in *dst = (struct sockaddr_in *)(void *)(payload + tlen);
691 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_DST_ADDRESS_IPv4, &dst->sin_addr), 1, "dst address fail");
692 dst->sin_family = AF_INET;
693 dst->sin_len = sizeof(*dst);
694 len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst->sin_len);
695 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
696 tlen += PFKEY_ALIGN8(dst->sin_len);
697
698 struct sadb_key *encrypt_key_payload = (struct sadb_key *)(void *)(payload + tlen);
699 len = sizeof(*encrypt_key_payload) + PFKEY_ALIGN8(32);
700 encrypt_key_payload->sadb_key_len = PFKEY_UNIT64(len);
701 encrypt_key_payload->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
702 encrypt_key_payload->sadb_key_bits = (uint16_t)(32 << 3);
703 encrypt_key_payload->sadb_key_reserved = 0;
704 tlen += sizeof(*encrypt_key_payload);
705 arc4random_buf(payload + tlen, 32);
706 tlen += PFKEY_ALIGN8(32);
707
708 struct sadb_key *auth_key_payload = (struct sadb_key *)(void *)(payload + tlen);
709 len = sizeof(*auth_key_payload) + PFKEY_ALIGN8(32);
710 auth_key_payload->sadb_key_len = PFKEY_UNIT64(len);
711 auth_key_payload->sadb_key_exttype = SADB_EXT_KEY_AUTH;
712 auth_key_payload->sadb_key_bits = (uint16_t)(32 << 3);
713 auth_key_payload->sadb_key_reserved = 0;
714 tlen += sizeof(*auth_key_payload);
715 arc4random_buf(payload + tlen, 32);
716 tlen += PFKEY_ALIGN8(32);
717
718 struct sadb_lifetime *hard_lifetime_payload = (struct sadb_lifetime *)(void *)(payload + tlen);
719 hard_lifetime_payload->sadb_lifetime_len = PFKEY_UNIT64(sizeof(*hard_lifetime_payload));
720 hard_lifetime_payload->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
721 tlen += sizeof(*hard_lifetime_payload);
722
723 struct sadb_lifetime *soft_lifetime_payload = (struct sadb_lifetime *)(void *)(payload + tlen);
724 soft_lifetime_payload->sadb_lifetime_len = PFKEY_UNIT64(sizeof(*soft_lifetime_payload));
725 soft_lifetime_payload->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
726 tlen += sizeof(*soft_lifetime_payload);
727
728 // Update the total length
729 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
730 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send update sa");
731 }
732
733 static void
send_pkey_migrate_sa(int pfkey_socket,uint32_t spi,const char * src,const char * dst,int family,const char * migrate_src,const char * migrate_dst,int migrate_family)734 send_pkey_migrate_sa(int pfkey_socket, uint32_t spi, const char *src, const char *dst, int family,
735 const char *migrate_src, const char *migrate_dst, int migrate_family)
736 {
737 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
738 bzero(payload, sizeof(payload));
739 uint16_t tlen = 0;
740
741 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
742 msg_payload->sadb_msg_version = PF_KEY_V2;
743 msg_payload->sadb_msg_type = SADB_MIGRATE;
744 msg_payload->sadb_msg_errno = 0;
745 msg_payload->sadb_msg_satype = SADB_SATYPE_ESP;
746 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
747 msg_payload->sadb_msg_reserved = 0;
748 msg_payload->sadb_msg_seq = 0;
749 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
750 tlen += sizeof(*msg_payload);
751
752 struct sadb_sa_2 *sa2_payload = (struct sadb_sa_2 *)(void *)(payload + tlen);
753 sa2_payload->sa.sadb_sa_len = PFKEY_UNIT64(sizeof(*sa2_payload));
754 sa2_payload->sa.sadb_sa_exttype = SADB_EXT_SA;
755 sa2_payload->sa.sadb_sa_spi = htonl(spi);
756 sa2_payload->sa.sadb_sa_replay = 4;
757 sa2_payload->sa.sadb_sa_state = SADB_SASTATE_LARVAL;
758 sa2_payload->sa.sadb_sa_auth = SADB_X_AALG_SHA2_256;
759 sa2_payload->sa.sadb_sa_encrypt = SADB_X_EALG_AESCBC;
760 sa2_payload->sa.sadb_sa_flags |= (SADB_X_EXT_NATT | SADB_X_EXT_NATT_KEEPALIVE);
761 sa2_payload->sadb_sa_natt_src_port = htons(4500);
762 sa2_payload->sadb_sa_natt_port = 0; // Bad value to trigger failure
763 sa2_payload->sadb_sa_natt_interval = 20;
764 sa2_payload->sadb_sa_natt_offload_interval = 0;
765 tlen += sizeof(*sa2_payload);
766
767 struct sadb_x_sa2 *sa2_x_payload = (struct sadb_x_sa2 *)(void *)(payload + tlen);
768 sa2_x_payload->sadb_x_sa2_len = PFKEY_UNIT64(sizeof(*sa2_x_payload));
769 sa2_x_payload->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
770 sa2_x_payload->sadb_x_sa2_mode = IPSEC_MODE_TRANSPORT;
771 sa2_x_payload->sadb_x_sa2_reqid = 0;
772 tlen += sizeof(*sa2_x_payload);
773
774 uint8_t prefixlen = (family == AF_INET) ? (sizeof(struct in_addr) << 3) : (sizeof(struct in6_addr) << 3);
775
776 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
777 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
778 src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
779 src_address_payload->sadb_address_prefixlen = prefixlen;
780 src_address_payload->sadb_address_reserved = 0;
781 tlen += sizeof(*src_address_payload);
782
783 if (family == AF_INET) {
784 struct sockaddr_in *src4 = (struct sockaddr_in *)(void *)(payload + tlen);
785 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, src, &src4->sin_addr), 1, "src address fail");
786 src4->sin_family = AF_INET;
787 src4->sin_len = sizeof(*src4);
788 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src4->sin_len);
789 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
790 tlen += PFKEY_ALIGN8(src4->sin_len);
791 } else {
792 struct sockaddr_in6 *src6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
793 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, src, &src6->sin6_addr), 1, "src address fail");
794 src6->sin6_family = AF_INET6;
795 src6->sin6_len = sizeof(*src6);
796 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src6->sin6_len);
797 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
798 tlen += PFKEY_ALIGN8(src6->sin6_len);
799 }
800
801 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
802 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
803 dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
804 dst_address_payload->sadb_address_prefixlen = prefixlen;
805 dst_address_payload->sadb_address_reserved = 0;
806 tlen += sizeof(*dst_address_payload);
807
808 if (family == AF_INET) {
809 struct sockaddr_in *dst4 = (struct sockaddr_in *)(void *)(payload + tlen);
810 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, dst, &dst4->sin_addr), 1, "dst address fail");
811 dst4->sin_family = AF_INET;
812 dst4->sin_len = sizeof(*dst4);
813 uint16_t len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst4->sin_len);
814 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
815 tlen += PFKEY_ALIGN8(dst4->sin_len);
816 } else {
817 struct sockaddr_in6 *dst6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
818 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, dst, &dst6->sin6_addr), 1, "dst address fail");
819 dst6->sin6_family = AF_INET6;
820 dst6->sin6_len = sizeof(*dst6);
821 uint16_t len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst6->sin6_len);
822 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
823 tlen += PFKEY_ALIGN8(dst6->sin6_len);
824 }
825
826 prefixlen = (migrate_family == AF_INET) ? (sizeof(struct in_addr) << 3) : (sizeof(struct in6_addr) << 3);
827
828 struct sadb_address *migrate_src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
829 migrate_src_address_payload->sadb_address_exttype = SADB_EXT_MIGRATE_ADDRESS_SRC & 0xffff;
830 migrate_src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
831 migrate_src_address_payload->sadb_address_prefixlen = prefixlen;
832 migrate_src_address_payload->sadb_address_reserved = 0;
833 tlen += sizeof(*migrate_src_address_payload);
834
835 if (migrate_family == AF_INET) {
836 struct sockaddr_in *migrate_src4 = (struct sockaddr_in *)(void *)(payload + tlen);
837 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, migrate_src, &migrate_src4->sin_addr), 1, "migrate src fail");
838 migrate_src4->sin_family = AF_INET;
839 migrate_src4->sin_len = sizeof(*migrate_src4);
840 uint16_t len = sizeof(*migrate_src_address_payload) + PFKEY_ALIGN8(migrate_src4->sin_len);
841 migrate_src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
842 tlen += PFKEY_ALIGN8(migrate_src4->sin_len);
843 } else if (migrate_family == AF_INET6) {
844 struct sockaddr_in6 *migrate_src6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
845 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, migrate_src, &migrate_src6->sin6_addr), 1, "migrate src fail");
846 migrate_src6->sin6_family = AF_INET6;
847 migrate_src6->sin6_len = sizeof(*migrate_src6);
848 uint16_t len = sizeof(*migrate_src_address_payload) + PFKEY_ALIGN8(migrate_src6->sin6_len);
849 migrate_src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
850 tlen += PFKEY_ALIGN8(migrate_src6->sin6_len);
851 } else if (migrate_family == AF_CHAOS) {
852 struct sockaddr_in6 *migrate_src6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
853 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, migrate_src, &migrate_src6->sin6_addr), 1, "migrate src fail");
854 migrate_src6->sin6_family = AF_INET6;
855 migrate_src6->sin6_len = sizeof(*migrate_src6) + 100; // Bad value to trigger exploit
856 uint16_t len = sizeof(*migrate_src_address_payload) + PFKEY_ALIGN8(migrate_src6->sin6_len);
857 migrate_src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
858 tlen += PFKEY_ALIGN8(migrate_src6->sin6_len);
859 }
860
861 struct sadb_address *migrate_dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
862 migrate_dst_address_payload->sadb_address_exttype = SADB_EXT_MIGRATE_ADDRESS_DST & 0xffff;
863 migrate_dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
864 migrate_dst_address_payload->sadb_address_prefixlen = prefixlen;
865 migrate_dst_address_payload->sadb_address_reserved = 0;
866
867 tlen += sizeof(*migrate_dst_address_payload);
868
869 if (migrate_family == AF_INET) {
870 struct sockaddr_in *migrate_dst4 = (struct sockaddr_in *)(void *)(payload + tlen);
871 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, migrate_dst, &migrate_dst4->sin_addr), 1, "migrate dst fail");
872 migrate_dst4->sin_family = AF_INET;
873 migrate_dst4->sin_len = sizeof(*migrate_dst4);
874 uint16_t len = sizeof(*migrate_dst_address_payload) + PFKEY_ALIGN8(migrate_dst4->sin_len);
875 migrate_dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
876 tlen += PFKEY_ALIGN8(migrate_dst4->sin_len);
877 } else if (migrate_family == AF_INET6) {
878 struct sockaddr_in6 *migrate_dst6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
879 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, migrate_dst, &migrate_dst6->sin6_addr), 1, "migrate dst fail");
880 migrate_dst6->sin6_family = AF_INET6;
881 migrate_dst6->sin6_len = sizeof(*migrate_dst6);
882 uint16_t len = sizeof(*migrate_dst_address_payload) + PFKEY_ALIGN8(migrate_dst6->sin6_len);
883 migrate_dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
884 tlen += PFKEY_ALIGN8(migrate_dst6->sin6_len);
885 } else if (migrate_family == AF_CHAOS) {
886 struct sockaddr_in6 *migrate_dst6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
887 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, migrate_dst, &migrate_dst6->sin6_addr), 1, "migrate dst fail");
888 migrate_dst6->sin6_family = AF_INET6;
889 migrate_dst6->sin6_len = sizeof(*migrate_dst6) + 100; // Bad value to trigger exploit
890 uint16_t len = sizeof(*migrate_dst_address_payload) + PFKEY_ALIGN8(migrate_dst6->sin6_len);
891 migrate_dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
892 tlen += PFKEY_ALIGN8(migrate_dst6->sin6_len);
893 }
894
895 // Update the total length
896 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
897 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send migrate sa");
898 }
899
900 static void
send_pfkey_get_sa_stat(int pfkey_socket,uint32_t spi,uint32_t stat_length)901 send_pfkey_get_sa_stat(int pfkey_socket, uint32_t spi, uint32_t stat_length)
902 {
903 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
904 bzero(payload, sizeof(payload));
905 uint16_t tlen = 0;
906
907 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
908 msg_payload->sadb_msg_version = PF_KEY_V2;
909 msg_payload->sadb_msg_type = SADB_GETSASTAT;
910 msg_payload->sadb_msg_errno = 0;
911 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
912 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
913 msg_payload->sadb_msg_reserved = 0;
914 msg_payload->sadb_msg_seq = 0;
915 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
916 tlen += sizeof(*msg_payload);
917
918 struct sadb_session_id *session_id_payload = (struct sadb_session_id *)(void *)(payload + tlen);
919 session_id_payload->sadb_session_id_len = PFKEY_UNIT64(sizeof(*session_id_payload));
920 session_id_payload->sadb_session_id_exttype = SADB_EXT_SESSION_ID;
921 session_id_payload->sadb_session_id_v[0] = 1;
922 tlen += sizeof(*session_id_payload);
923
924 struct sadb_sastat *sadb_stat_payload = (struct sadb_sastat *)(void *)(payload + tlen);
925 uint16_t length = sizeof(*sadb_stat_payload) + PFKEY_ALIGN8(sizeof(struct sastat));
926 sadb_stat_payload->sadb_sastat_len = PFKEY_UNIT64(length);
927 sadb_stat_payload->sadb_sastat_exttype = SADB_EXT_SASTAT;
928 sadb_stat_payload->sadb_sastat_dir = IPSEC_DIR_OUTBOUND;
929 sadb_stat_payload->sadb_sastat_list_len = stat_length;
930 tlen += sizeof(*sadb_stat_payload);
931
932 struct sastat *sastat_payload = (struct sastat *)(void *)(payload + tlen);
933 sastat_payload->spi = htonl(spi);
934 tlen += PFKEY_ALIGN8(sizeof(*sastat_payload));
935
936 // Update the total length
937 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
938 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send get sa stat");
939 }
940
941 static void
send_pkey_delete_sa(int pfkey_socket,uint32_t spi)942 send_pkey_delete_sa(int pfkey_socket, uint32_t spi)
943 {
944 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
945 bzero(payload, sizeof(payload));
946 uint16_t tlen = 0;
947
948 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
949 msg_payload->sadb_msg_version = PF_KEY_V2;
950 msg_payload->sadb_msg_type = SADB_DELETE;
951 msg_payload->sadb_msg_errno = 0;
952 msg_payload->sadb_msg_satype = SADB_SATYPE_ESP;
953 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
954 msg_payload->sadb_msg_reserved = 0;
955 msg_payload->sadb_msg_seq = 0;
956 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
957 tlen += sizeof(*msg_payload);
958
959 struct sadb_sa_2 *sa2_payload = (struct sadb_sa_2 *)(void *)(payload + tlen);
960 sa2_payload->sa.sadb_sa_len = PFKEY_UNIT64(sizeof(*sa2_payload));
961 sa2_payload->sa.sadb_sa_exttype = SADB_EXT_SA;
962 sa2_payload->sa.sadb_sa_spi = htonl(spi);
963 tlen += sizeof(*sa2_payload);
964
965 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
966 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
967 src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
968 src_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
969 src_address_payload->sadb_address_reserved = 0;
970 tlen += sizeof(*src_address_payload);
971
972 struct sockaddr_in *src = (struct sockaddr_in *)(void *)(payload + tlen);
973 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_SRC_ADDRESS_IPv4, &src->sin_addr), 1, "migrate src fail");
974 src->sin_family = AF_INET;
975 src->sin_len = sizeof(*src);
976 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src->sin_len);
977 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
978 tlen += PFKEY_ALIGN8(src->sin_len);
979
980 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
981 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
982 dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
983 dst_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
984 dst_address_payload->sadb_address_reserved = 0;
985 tlen += sizeof(*dst_address_payload);
986
987 struct sockaddr_in *dst = (struct sockaddr_in *)(void *)(payload + tlen);
988 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_DST_ADDRESS_IPv4, &dst->sin_addr), 1, "migrate dst fail");
989 dst->sin_family = AF_INET;
990 dst->sin_len = sizeof(*dst);
991 len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst->sin_len);
992 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
993 tlen += PFKEY_ALIGN8(dst->sin_len);
994
995 // Update the total length
996 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
997 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send delete sa");
998 }
999
1000 static void
send_pfkey_sa_dump_message(int pfkey_socket)1001 send_pfkey_sa_dump_message(int pfkey_socket)
1002 {
1003 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
1004 bzero(payload, sizeof(payload));
1005 uint16_t tlen = 0;
1006
1007 struct sadb_msg *msg_payload = (struct sadb_msg *)(void *)payload;
1008 msg_payload->sadb_msg_version = PF_KEY_V2;
1009 msg_payload->sadb_msg_type = SADB_DUMP;
1010 msg_payload->sadb_msg_errno = 0;
1011 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
1012 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
1013 msg_payload->sadb_msg_reserved = 0;
1014 msg_payload->sadb_msg_seq = 0;
1015 msg_payload->sadb_msg_pid = (uint32_t)getpid();
1016 tlen += sizeof(*msg_payload);
1017
1018 // Update the total length
1019 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
1020 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send sa dump failed");
1021 }
1022
1023 static void
send_pfkey_flush_sa(int pfkey_socket)1024 send_pfkey_flush_sa(int pfkey_socket)
1025 {
1026 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
1027 bzero(payload, sizeof(payload));
1028 uint16_t tlen = 0;
1029
1030 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
1031 msg_payload->sadb_msg_version = PF_KEY_V2;
1032 msg_payload->sadb_msg_type = SADB_FLUSH;
1033 msg_payload->sadb_msg_errno = 0;
1034 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
1035 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
1036 msg_payload->sadb_msg_reserved = 0;
1037 msg_payload->sadb_msg_seq = 0;
1038 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
1039 tlen += sizeof(*msg_payload);
1040
1041 // Update the total length
1042 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
1043 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey flush sa");
1044 }
1045
1046 static void
pfkey_cleanup(void)1047 pfkey_cleanup(void)
1048 {
1049 if (pfkey_source != NULL) {
1050 int pfkey_socket = (int)dispatch_source_get_handle(pfkey_source);
1051 if (pfkey_socket > 0) {
1052 send_pfkey_flush_sa(pfkey_socket);
1053 send_pfkey_flush_sp(pfkey_socket);
1054 }
1055 dispatch_source_cancel(pfkey_source);
1056 pfkey_source = NULL;
1057 }
1058
1059 if (oldmax != 0) {
1060 (void)sysctlbyname("kern.ipc.maxsockbuf", NULL, NULL, &oldmax, sizeof(oldmax));
1061 }
1062 }
1063
1064 static int
pfkey_setup_socket(void)1065 pfkey_setup_socket(void)
1066 {
1067 int pfkey_socket = -1;
1068 int bufsiz = 0;
1069 const unsigned long newbufk = 1536;
1070 size_t oldmaxsize = sizeof(oldmax);
1071 unsigned long newmax = newbufk * (1024 + 128);
1072
1073 T_QUIET; T_ASSERT_POSIX_SUCCESS(pfkey_socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2), NULL);
1074
1075 if (sysctlbyname("kern.ipc.maxsockbuf", &oldmax, &oldmaxsize, &newmax, sizeof(newmax)) != 0) {
1076 bufsiz = 233016; /* Max allowed by default */
1077 } else {
1078 bufsiz = newbufk * 800;
1079 }
1080
1081 T_QUIET; T_ASSERT_POSIX_SUCCESS(setsockopt(pfkey_socket, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz)), "pfkey set snd socket buf failed %d", bufsiz);
1082 T_QUIET; T_ASSERT_POSIX_SUCCESS(setsockopt(pfkey_socket, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz)), "pfkey set recv socket buf failed %d", bufsiz);
1083
1084 pfkey_source = dispatch_source_create(DISPATCH_SOURCE_TYPE_READ, (uintptr_t)pfkey_socket, 0, dispatch_get_main_queue());
1085 T_QUIET; T_ASSERT_NOTNULL(pfkey_source, "dispatch_source_create(DISPATCH_SOURCE_TYPE_READ, ...)");
1086 dispatch_source_set_event_handler(pfkey_source, ^{
1087 recv_pfkey_message(pfkey_socket);
1088 });
1089 dispatch_source_set_cancel_handler(pfkey_source, ^{
1090 close(pfkey_socket);
1091 });
1092 dispatch_resume(pfkey_source);
1093 return pfkey_socket;
1094 }
1095
1096 static void
pfkey_process_message_test_60822136(uint8_t ** mhp,int pfkey_socket)1097 pfkey_process_message_test_60822136(uint8_t **mhp, int pfkey_socket)
1098 {
1099 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1100 static int counter = 0;
1101 static uint32_t policy_id = 0;
1102
1103 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1104 return;
1105 }
1106
1107 if (message->sadb_msg_errno) {
1108 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_X_SPDDUMP, "SADB error for type %u", message->sadb_msg_type);
1109 pfkey_cleanup();
1110 T_END;
1111 }
1112
1113 switch (message->sadb_msg_type) {
1114 case SADB_X_SPDADD:
1115 {
1116 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1117 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd add policy message is NULL");
1118 policy_id = policy_message->sadb_x_policy_id;
1119 T_LOG("Added policy id %u", policy_id);
1120 send_pfkey_spd_get_message(pfkey_socket, policy_id);
1121 break;
1122 }
1123 case SADB_X_SPDGET:
1124 {
1125 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1126 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd get policy message is NULL");
1127 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_get: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1128 if (counter < MAX_SPD_CHECK) {
1129 counter++;
1130 send_pfkey_spd_get_message(pfkey_socket, policy_id);
1131 } else {
1132 T_LOG("Deleting policy id %u", policy_id);
1133 send_pfkey_spd_delete_message(pfkey_socket, policy_id);
1134 }
1135 break;
1136 }
1137 case SADB_X_SPDDELETE2:
1138 {
1139 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1140 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd delete2 policy message is NULL");
1141 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_delete2: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1142 T_LOG("Deleted policy id %u", policy_id);
1143 sleep(2);
1144 send_pfkey_spd_dump_message(pfkey_socket);
1145 break;
1146 }
1147 case SADB_X_SPDDUMP:
1148 {
1149 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1150 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd dump policy message is NULL");
1151 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_dump: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1152 T_FAIL("Policy id %u still exists", policy_id);
1153 pfkey_cleanup();
1154 T_END;
1155 }
1156 case SADB_FLUSH:
1157 case SADB_X_SPDFLUSH:
1158 break;
1159 default:
1160 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1161 T_END;
1162 }
1163 return;
1164 }
1165
1166 static void
pfkey_process_message_test_60822924(uint8_t ** mhp,int pfkey_socket)1167 pfkey_process_message_test_60822924(uint8_t **mhp, int pfkey_socket)
1168 {
1169 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1170 static int counter = 0;
1171 static uint32_t policy_id = 0;
1172
1173 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1174 return;
1175 }
1176
1177 if (message->sadb_msg_errno) {
1178 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_X_SPDDUMP, "SADB error for type %u", message->sadb_msg_type);
1179 pfkey_cleanup();
1180 T_END;
1181 }
1182
1183 switch (message->sadb_msg_type) {
1184 case SADB_X_SPDADD:
1185 {
1186 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1187 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd add policy message is NULL");
1188 policy_id = policy_message->sadb_x_policy_id;
1189 T_LOG("Added policy id %u", policy_id);
1190 send_pfkey_spd_enable_message(pfkey_socket, policy_id);
1191 break;
1192 }
1193 case SADB_X_SPDENABLE:
1194 {
1195 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1196 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd enable policy message is NULL");
1197 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_enable: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1198 if (counter < MAX_SPD_CHECK) {
1199 counter++;
1200 send_pfkey_spd_enable_message(pfkey_socket, policy_id);
1201 } else {
1202 T_LOG("Deleting policy id %u", policy_id);
1203 send_pfkey_spd_delete_message(pfkey_socket, policy_id);
1204 }
1205 break;
1206 }
1207 case SADB_X_SPDDELETE2:
1208 {
1209 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1210 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd delete2 policy message is NULL");
1211 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_delete2: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1212 T_LOG("Deleted policy id %u", policy_id);
1213 sleep(2);
1214 send_pfkey_spd_dump_message(pfkey_socket);
1215 break;
1216 }
1217 case SADB_X_SPDDUMP:
1218 {
1219 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1220 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd dump policy message is NULL");
1221 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_dump: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1222 T_FAIL("Policy id %u still exists", policy_id);
1223 pfkey_cleanup();
1224 T_END;
1225 }
1226 case SADB_FLUSH:
1227 case SADB_X_SPDFLUSH:
1228 break;
1229 default:
1230 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1231 T_END;
1232 }
1233 return;
1234 }
1235
1236 static void
pfkey_process_message_test_60822956(uint8_t ** mhp,int pfkey_socket)1237 pfkey_process_message_test_60822956(uint8_t **mhp, int pfkey_socket)
1238 {
1239 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1240 static int counter = 0;
1241 static uint32_t policy_id = 0;
1242
1243 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1244 return;
1245 }
1246
1247 if (message->sadb_msg_errno) {
1248 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_X_SPDDUMP, "SADB error for type %u", message->sadb_msg_type);
1249 pfkey_cleanup();
1250 T_END;
1251 }
1252
1253 switch (message->sadb_msg_type) {
1254 case SADB_X_SPDADD:
1255 {
1256 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1257 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd add policy message is NULL");
1258 policy_id = policy_message->sadb_x_policy_id;
1259 T_LOG("Added policy id %u", policy_id);
1260 send_pfkey_spd_disable_message(pfkey_socket, policy_id);
1261 break;
1262 }
1263 case SADB_X_SPDDISABLE:
1264 {
1265 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1266 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd disable policy message is NULL");
1267 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_disable: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1268 if (counter < MAX_SPD_CHECK) {
1269 counter++;
1270 send_pfkey_spd_disable_message(pfkey_socket, policy_id);
1271 } else {
1272 T_LOG("Deleting policy id %u", policy_id);
1273 send_pfkey_spd_delete_message(pfkey_socket, policy_id);
1274 }
1275 break;
1276 }
1277 case SADB_X_SPDDELETE2:
1278 {
1279 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1280 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd delete2 policy message is NULL");
1281 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_delete2: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1282 T_LOG("Deleted policy id %u", policy_id);
1283 sleep(2);
1284 send_pfkey_spd_dump_message(pfkey_socket);
1285 break;
1286 }
1287 case SADB_X_SPDDUMP:
1288 {
1289 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1290 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd dump policy message is NULL");
1291 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_dump: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1292 T_FAIL("Policy id %u still exists", policy_id);
1293 pfkey_cleanup();
1294 T_END;
1295 }
1296 case SADB_FLUSH:
1297 case SADB_X_SPDFLUSH:
1298 break;
1299 default:
1300 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1301 T_END;
1302 }
1303 return;
1304 }
1305
1306 static void
pfkey_process_message_test_60679513(uint8_t ** mhp,int pfkey_socket)1307 pfkey_process_message_test_60679513(uint8_t **mhp, int pfkey_socket)
1308 {
1309 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1310 static uint32_t spi = 0;
1311
1312 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1313 return;
1314 }
1315
1316 if (message->sadb_msg_errno) {
1317 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_UPDATE, "SADB error for type %u", message->sadb_msg_type);
1318 }
1319
1320 switch (message->sadb_msg_type) {
1321 case SADB_GETSPI:
1322 {
1323 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1324 T_QUIET; T_ASSERT_NOTNULL(sa_message, "sa get spi message is NULL");
1325 spi = ntohl(sa_message->sadb_sa_spi);
1326 T_LOG("get spi 0x%x", spi);
1327 send_pkey_update_sa(pfkey_socket, spi);
1328 break;
1329 }
1330 case SADB_UPDATE:
1331 {
1332 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1333 T_QUIET; T_ASSERT_NOTNULL(sa_message, "update sa message is NULL");
1334 T_QUIET; T_ASSERT_EQ(spi, ntohl(sa_message->sadb_sa_spi), "sadb update: spi mismatch %u != %u", spi, ntohl(sa_message->sadb_sa_spi));
1335 T_LOG("update sa 0x%x", spi);
1336 send_pkey_delete_sa(pfkey_socket, spi);
1337 break;
1338 }
1339 case SADB_DELETE:
1340 {
1341 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1342 T_QUIET; T_ASSERT_NOTNULL(sa_message, "delete sa message is NULL");
1343 T_QUIET; T_ASSERT_EQ(spi, ntohl(sa_message->sadb_sa_spi), "sadb delete: spi mismatch %u != %u", spi, ntohl(sa_message->sadb_sa_spi));
1344 T_LOG("delete sa 0x%x", spi);
1345 pfkey_cleanup();
1346 T_END;
1347 }
1348 case SADB_FLUSH:
1349 case SADB_X_SPDFLUSH:
1350 break;
1351 default:
1352 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1353 T_END;
1354 }
1355 return;
1356 }
1357
1358 static void
pfkey_process_message_test_60768729(uint8_t ** mhp,int pfkey_socket)1359 pfkey_process_message_test_60768729(uint8_t **mhp, int pfkey_socket)
1360 {
1361 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1362 uint32_t spi = 0;
1363 static int counter = 0;
1364
1365 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1366 return;
1367 }
1368
1369 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u", message->sadb_msg_type);
1370
1371 switch (message->sadb_msg_type) {
1372 case SADB_GETSPI:
1373 {
1374 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1375 T_QUIET; T_ASSERT_NOTNULL(sa_message, "sa get spi message is NULL");
1376 spi = ntohl(sa_message->sadb_sa_spi);
1377 counter++;
1378 if (counter <= 1000) {
1379 send_pkey_get_spi(pfkey_socket);
1380 } else {
1381 T_LOG("SADB added 1000 Larval SPIs");
1382 send_pfkey_sa_dump_message(pfkey_socket);
1383 }
1384 break;
1385 }
1386 case SADB_DUMP:
1387 {
1388 counter--;
1389 if (counter == 0) {
1390 T_PASS("SADB dump successful");
1391 pfkey_cleanup();
1392 T_END;
1393 }
1394 break;
1395 }
1396
1397 case SADB_FLUSH:
1398 case SADB_X_SPDFLUSH:
1399 break;
1400 default:
1401 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1402 T_END;
1403 }
1404 return;
1405 }
1406
1407 static void
pfkey_process_message_test_60769680(uint8_t ** mhp,int pfkey_socket)1408 pfkey_process_message_test_60769680(uint8_t **mhp, int pfkey_socket)
1409 {
1410 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1411 static uint8_t counter = 0;
1412
1413 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1414 return;
1415 }
1416
1417 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1418
1419 switch (message->sadb_msg_type) {
1420 case SADB_X_SPDADD:
1421 {
1422 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1423 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd add policy message is NULL");
1424 counter++;
1425 if (counter <= 240) {
1426 send_pfkey_spd_add_message(pfkey_socket, counter + 1);
1427 } else {
1428 T_LOG("SADB added 240 security policies");
1429 send_pfkey_spd_dump_message(pfkey_socket);
1430 }
1431 break;
1432 }
1433 case SADB_X_SPDDUMP:
1434 {
1435 counter--;
1436 if (counter == 0) {
1437 T_PASS("SADB policy dump successful");
1438 pfkey_cleanup();
1439 T_END;
1440 }
1441 break;
1442 }
1443
1444 case SADB_FLUSH:
1445 case SADB_X_SPDFLUSH:
1446 break;
1447 default:
1448 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1449 T_END;
1450 }
1451 return;
1452 }
1453
1454 static void
pfkey_process_message_test_60822823(uint8_t ** mhp,int pfkey_socket)1455 pfkey_process_message_test_60822823(uint8_t **mhp, int pfkey_socket)
1456 {
1457 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1458 static uint32_t spi = 0;
1459
1460 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1461 return;
1462 }
1463
1464 if (message->sadb_msg_errno != 0) {
1465 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_GETSASTAT, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1466 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, EINVAL, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1467 T_PASS("SADB get SA Stat received EINVAL");
1468 T_END;
1469 }
1470
1471 switch (message->sadb_msg_type) {
1472 case SADB_ADD:
1473 {
1474 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1475 T_QUIET; T_ASSERT_NOTNULL(sa_message, "add sa message is NULL");
1476 spi = ntohl(sa_message->sadb_sa_spi);
1477 T_LOG("added sa 0x%x", spi);
1478 send_pfkey_get_sa_stat(pfkey_socket, spi, 5);
1479 break;
1480 }
1481 case SADB_GETSASTAT:
1482 {
1483 T_FAIL("get sa stat should fail %u", message->sadb_msg_type);
1484 T_END;
1485 }
1486 case SADB_FLUSH:
1487 case SADB_X_SPDFLUSH:
1488 break;
1489 default:
1490 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1491 T_END;
1492 }
1493 return;
1494 }
1495
1496 static void
pfkey_process_message_test_60822823_1(uint8_t ** mhp,int pfkey_socket)1497 pfkey_process_message_test_60822823_1(uint8_t **mhp, int pfkey_socket)
1498 {
1499 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1500 static uint32_t spi = 0;
1501
1502 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1503 return;
1504 }
1505
1506 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1507
1508 switch (message->sadb_msg_type) {
1509 case SADB_ADD:
1510 {
1511 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1512 T_QUIET; T_ASSERT_NOTNULL(sa_message, "add sa message is NULL");
1513 spi = ntohl(sa_message->sadb_sa_spi);
1514 T_LOG("added sa 0x%x", spi);
1515 send_pfkey_get_sa_stat(pfkey_socket, spi, 1);
1516 break;
1517 }
1518 case SADB_GETSASTAT:
1519 {
1520 struct sadb_session_id *session_id = (struct sadb_session_id *)(void *)mhp[SADB_EXT_SESSION_ID];
1521 T_QUIET; T_ASSERT_NOTNULL(session_id, "session id is NULL");
1522 T_QUIET; T_EXPECT_EQ_ULLONG(session_id->sadb_session_id_v[0], 1ULL, "Session id is not equal");
1523 T_PASS("get sa stat success %u", message->sadb_msg_type);
1524 T_END;
1525 }
1526 case SADB_FLUSH:
1527 case SADB_X_SPDFLUSH:
1528 break;
1529 default:
1530 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1531 T_END;
1532 }
1533 return;
1534 }
1535
1536 static void
pfkey_process_message_test_60687183(uint8_t ** mhp,int pfkey_socket)1537 pfkey_process_message_test_60687183(uint8_t **mhp, int pfkey_socket)
1538 {
1539 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1540 static uint32_t spi = 0;
1541
1542 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1543 return;
1544 }
1545
1546 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1547
1548 switch (message->sadb_msg_type) {
1549 case SADB_ADD:
1550 {
1551 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1552 T_QUIET; T_ASSERT_NOTNULL(sa_message, "add sa message is NULL");
1553 spi = ntohl(sa_message->sadb_sa_spi);
1554 T_LOG("added sa 0x%x", spi);
1555 send_pkey_migrate_sa(pfkey_socket, spi, TEST_SRC_ADDRESS_IPv4, TEST_DST_ADDRESS_IPv4, AF_INET,
1556 TEST_MIGRATE_SRC_ADDRESS_IPv4, TEST_MIGRATE_DST_ADDRESS_IPv4, AF_INET);
1557 break;
1558 }
1559 case SADB_MIGRATE:
1560 {
1561 T_PASS("migrate SA success");
1562 T_END;
1563 }
1564 case SADB_FLUSH:
1565 case SADB_X_SPDFLUSH:
1566 break;
1567 default:
1568 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1569 T_END;
1570 }
1571 return;
1572 }
1573
1574 static void
pfkey_process_message_test_60687183_1(uint8_t ** mhp,int pfkey_socket)1575 pfkey_process_message_test_60687183_1(uint8_t **mhp, int pfkey_socket)
1576 {
1577 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1578 static uint32_t spi = 0;
1579
1580 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1581 return;
1582 }
1583
1584 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1585
1586 switch (message->sadb_msg_type) {
1587 case SADB_ADD:
1588 {
1589 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1590 T_QUIET; T_ASSERT_NOTNULL(sa_message, "add sa message is NULL");
1591 spi = ntohl(sa_message->sadb_sa_spi);
1592 T_LOG("added sa 0x%x", spi);
1593 send_pkey_migrate_sa(pfkey_socket, spi, TEST_SRC_ADDRESS_IPv6, TEST_DST_ADDRESS_IPv6, AF_INET6,
1594 TEST_MIGRATE_SRC_ADDRESS_IPv6, TEST_MIGRATE_DST_ADDRESS_IPv6, AF_INET6);
1595 break;
1596 }
1597 case SADB_MIGRATE:
1598 {
1599 T_PASS("migrate SA success");
1600 T_END;
1601 }
1602 case SADB_FLUSH:
1603 case SADB_X_SPDFLUSH:
1604 break;
1605 default:
1606 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1607 T_END;
1608 }
1609 return;
1610 }
1611
1612 static void
pfkey_process_message_test_60687183_2(uint8_t ** mhp,int pfkey_socket)1613 pfkey_process_message_test_60687183_2(uint8_t **mhp, int pfkey_socket)
1614 {
1615 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1616 static uint32_t spi = 0;
1617
1618 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1619 return;
1620 }
1621
1622 if (message->sadb_msg_errno != 0) {
1623 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_MIGRATE, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1624 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, EINVAL, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1625 T_PASS("SADB migrate SA received EINVAL");
1626 T_END;
1627 }
1628
1629 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1630
1631 switch (message->sadb_msg_type) {
1632 case SADB_ADD:
1633 {
1634 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1635 T_QUIET; T_ASSERT_NOTNULL(sa_message, "add sa message is NULL");
1636 spi = ntohl(sa_message->sadb_sa_spi);
1637 T_LOG("added sa 0x%x", spi);
1638 send_pkey_migrate_sa(pfkey_socket, spi, TEST_SRC_ADDRESS_IPv6, TEST_DST_ADDRESS_IPv6, AF_INET6,
1639 TEST_MIGRATE_SRC_ADDRESS_IPv6, TEST_MIGRATE_DST_ADDRESS_IPv6, AF_CHAOS);
1640 break;
1641 }
1642 case SADB_MIGRATE:
1643 {
1644 T_FAIL("migrate SA test for bad address failed");
1645 T_END;
1646 }
1647 case SADB_FLUSH:
1648 case SADB_X_SPDFLUSH:
1649 break;
1650 default:
1651 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1652 T_END;
1653 }
1654 return;
1655 }
1656
1657 static void
pfkey_process_message_test_78944570(uint8_t ** mhp,__unused int pfkey_socket)1658 pfkey_process_message_test_78944570(uint8_t **mhp, __unused int pfkey_socket)
1659 {
1660 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1661
1662 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1663 return;
1664 }
1665
1666 switch (message->sadb_msg_type) {
1667 case SADB_X_SPDADD:
1668 {
1669 if (message->sadb_msg_errno != 0) {
1670 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, EINVAL, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1671 T_PASS("SADB spd add received EINVAL");
1672 } else {
1673 T_FAIL("SADB spd add received success");
1674 }
1675 T_END;
1676 break;
1677 }
1678 case SADB_FLUSH:
1679 case SADB_X_SPDFLUSH:
1680 break;
1681 default:
1682 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1683 T_END;
1684 }
1685 return;
1686 }
1687
1688 static int
setup_tcp_server(uint16_t port)1689 setup_tcp_server(uint16_t port)
1690 {
1691 struct sockaddr_in server_addr = {};
1692 int server_fd = -1;
1693
1694 T_QUIET; T_ASSERT_POSIX_SUCCESS(server_fd = socket(AF_INET, SOCK_STREAM, 0),
1695 "tcp server socket creation failed");
1696
1697 server_addr.sin_family = AF_INET;
1698 server_addr.sin_addr.s_addr = htonl(INADDR_ANY);
1699 server_addr.sin_port = htons(port);
1700
1701 T_QUIET; T_ASSERT_POSIX_SUCCESS(bind(server_fd, (struct sockaddr *)&server_addr,
1702 sizeof(server_addr)), "tcp server bind failed");
1703
1704 T_QUIET; T_ASSERT_POSIX_SUCCESS(listen(server_fd, 2), "tcp server listen failed");
1705 return server_fd;
1706 }
1707
1708 static int
setup_loopback_tcp_client(uint16_t server_port)1709 setup_loopback_tcp_client(uint16_t server_port)
1710 {
1711 struct sockaddr_in conn_addr = {};
1712 int client_fd = -1;
1713
1714 T_QUIET; T_ASSERT_POSIX_SUCCESS(client_fd = socket(AF_INET, SOCK_STREAM, 0),
1715 "tcp client socket creation failed");
1716 T_QUIET; T_ASSERT_POSIX_SUCCESS(inet_pton(AF_INET, "127.0.0.1", &conn_addr.sin_addr),
1717 "loopback address inet_pton failed");
1718
1719 conn_addr.sin_family = AF_INET;
1720 conn_addr.sin_port = htons(server_port);
1721
1722 T_QUIET; T_ASSERT_POSIX_SUCCESS(connect(client_fd, (struct sockaddr *)&conn_addr, sizeof(conn_addr)),
1723 "tcp loopback client connect failed");
1724 return client_fd;
1725 }
1726
1727 static void
setup_socket_policy(int socket_fd)1728 setup_socket_policy(int socket_fd)
1729 {
1730 uint8_t __attribute__((aligned(4))) buf[
1731 sizeof(struct sadb_x_policy) +
1732 sizeof(struct sadb_x_ipsecrequest) +
1733 sizeof(struct sockaddr_in) +
1734 sizeof(struct sockaddr_in)
1735 ];
1736
1737 struct sadb_x_policy *xpl = (struct sadb_x_policy *)buf;
1738 struct sadb_x_ipsecrequest *xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
1739 struct sockaddr *sa;
1740
1741
1742 bzero(buf, sizeof(buf));
1743 /* xpl: */
1744 xpl->sadb_x_policy_len = sizeof(buf) >> 3;
1745 xpl->sadb_x_policy_dir = IPSEC_DIR_INBOUND;
1746 xpl->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1747 /* xisr: */
1748 xisr->sadb_x_ipsecrequest_len = sizeof(buf) - sizeof(*xpl);
1749 xisr->sadb_x_ipsecrequest_proto = IPPROTO_ESP;
1750 xisr->sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT;
1751 xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_DEFAULT;
1752 /* src sockaddr: */
1753 sa = (struct sockaddr *)(xisr + 1);
1754 sa->sa_len = sizeof(struct sockaddr_in);
1755 /* dst sockaddr: */
1756 sa = (struct sockaddr *)((char *)(xisr + 1) + sa->sa_len);
1757 sa->sa_len = sizeof(struct sockaddr_in);
1758
1759 T_QUIET; T_ASSERT_POSIX_SUCCESS(setsockopt(socket_fd, IPPROTO_IP, IP_IPSEC_POLICY,
1760 buf, sizeof(buf)), "tcp server listen failed");
1761 }
1762
1763 T_DECL(sadb_x_get_60822136, "security policy reference count overflow", T_META_TAG_VM_PREFERRED)
1764 {
1765 test_id = TEST_SADB_X_GET_OVERFLOW_60822136;
1766
1767 int pfkey_socket = pfkey_setup_socket();
1768 send_pfkey_flush_sa(pfkey_socket);
1769 send_pfkey_flush_sp(pfkey_socket);
1770 send_pfkey_spd_add_message(pfkey_socket, IPSEC_ULPROTO_ANY);
1771
1772 dispatch_main();
1773 }
1774
1775 T_DECL(sadb_x_spd_enable_60822924, "security policy reference count overflow", T_META_TAG_VM_PREFERRED)
1776 {
1777 test_id = TEST_SADB_X_SPDENABLE_OVERFLOW_60822924;
1778
1779 int pfkey_socket = pfkey_setup_socket();
1780 send_pfkey_flush_sa(pfkey_socket);
1781 send_pfkey_flush_sp(pfkey_socket);
1782 send_pfkey_spd_add_message(pfkey_socket, IPSEC_ULPROTO_ANY);
1783
1784 dispatch_main();
1785 }
1786
1787 T_DECL(sadb_x_spd_disable_60822956, "security policy reference count overflow", T_META_TAG_VM_PREFERRED)
1788 {
1789 test_id = TEST_SADB_X_SPDDISABLE_OVERFLOW_60822956;
1790
1791 int pfkey_socket = pfkey_setup_socket();
1792 send_pfkey_flush_sa(pfkey_socket);
1793 send_pfkey_flush_sp(pfkey_socket);
1794 send_pfkey_spd_add_message(pfkey_socket, IPSEC_ULPROTO_ANY);
1795
1796 dispatch_main();
1797 }
1798
1799 T_DECL(sadb_update_60679513, "security association use after free", T_META_TAG_VM_PREFERRED)
1800 {
1801 test_id = TEST_SADB_UPDATE_USE_AFTER_FREE_60679513;
1802
1803 int pfkey_socket = pfkey_setup_socket();
1804 send_pfkey_flush_sa(pfkey_socket);
1805 send_pfkey_flush_sp(pfkey_socket);
1806 send_pkey_get_spi(pfkey_socket);
1807
1808 dispatch_main();
1809 }
1810
1811 T_DECL(sadb_dump_60768729, "security association sa dump heap overflow", T_META_ENABLED(false), T_META_TAG_VM_PREFERRED)
1812 {
1813 test_id = TEST_SADB_DUMP_HEAP_OVERFLOW_60768729;
1814
1815 int pfkey_socket = pfkey_setup_socket();
1816 T_ATEND(pfkey_cleanup);
1817 send_pfkey_flush_sa(pfkey_socket);
1818 send_pfkey_flush_sp(pfkey_socket);
1819 send_pkey_get_spi(pfkey_socket);
1820
1821 dispatch_main();
1822 }
1823
1824 // Disabled due to rdar://92910783
1825 T_DECL(sadb_policy_dump_60769680, "security association sa policy dump heap overflow", T_META_ENABLED(false), T_META_TAG_VM_PREFERRED)
1826 {
1827 test_id = TEST_SADB_POLICY_DUMP_HEAP_OVERFLOW_60769680;
1828
1829 int pfkey_socket = pfkey_setup_socket();
1830 T_ATEND(pfkey_cleanup);
1831 send_pfkey_flush_sa(pfkey_socket);
1832 send_pfkey_flush_sp(pfkey_socket);
1833 send_pfkey_spd_add_message(pfkey_socket, 1);
1834
1835 dispatch_main();
1836 }
1837
1838 T_DECL(sadb_get_sastat_oob_60769680, "security association get sa stat oob read", T_META_TAG_VM_PREFERRED)
1839 {
1840 test_id = TEST_SADB_GETSASTAT_OOB_READ_60822823;
1841
1842 int pfkey_socket = pfkey_setup_socket();
1843 T_ATEND(pfkey_cleanup);
1844 send_pfkey_flush_sa(pfkey_socket);
1845 send_pfkey_flush_sp(pfkey_socket);
1846 send_pkey_add_sa(pfkey_socket, 0x12345678, TEST_SRC_ADDRESS_IPv4, TEST_DST_ADDRESS_IPv4, AF_INET);
1847
1848 dispatch_main();
1849 }
1850
1851 T_DECL(sadb_get_sastat_success, "security association get sa stat", T_META_TAG_VM_PREFERRED)
1852 {
1853 test_id = TEST_SADB_GETSASTAT_OOB_READ_SUCCESS;
1854
1855 int pfkey_socket = pfkey_setup_socket();
1856 T_ATEND(pfkey_cleanup);
1857 send_pfkey_flush_sa(pfkey_socket);
1858 send_pfkey_flush_sp(pfkey_socket);
1859 send_pkey_add_sa(pfkey_socket, 0x12345678, TEST_SRC_ADDRESS_IPv4, TEST_DST_ADDRESS_IPv4, AF_INET);
1860
1861 dispatch_main();
1862 }
1863
1864 T_DECL(sadb_key_migrate_address_ipv4, "security association migrate address ipv4", T_META_TAG_VM_PREFERRED)
1865 {
1866 test_id = TEST_SADB_EXT_MIGRATE_ADDRESS_IPv4;
1867
1868 int pfkey_socket = pfkey_setup_socket();
1869 T_ATEND(pfkey_cleanup);
1870 send_pfkey_flush_sa(pfkey_socket);
1871 send_pfkey_flush_sp(pfkey_socket);
1872 send_pkey_add_sa(pfkey_socket, 0x12345678, TEST_SRC_ADDRESS_IPv4, TEST_DST_ADDRESS_IPv4, AF_INET);
1873
1874 dispatch_main();
1875 }
1876
1877 T_DECL(sadb_key_migrate_address_ipv6, "security association migrate address ipv6", T_META_TAG_VM_PREFERRED)
1878 {
1879 test_id = TEST_SADB_EXT_MIGRATE_ADDRESS_IPv6;
1880
1881 int pfkey_socket = pfkey_setup_socket();
1882 T_ATEND(pfkey_cleanup);
1883 send_pfkey_flush_sa(pfkey_socket);
1884 send_pfkey_flush_sp(pfkey_socket);
1885 send_pkey_add_sa(pfkey_socket, 0x12345678, TEST_SRC_ADDRESS_IPv6, TEST_DST_ADDRESS_IPv6, AF_INET6);
1886
1887 dispatch_main();
1888 }
1889
1890 T_DECL(sadb_key_migrate_bad_address, "security association migrate bad address", T_META_TAG_VM_PREFERRED)
1891 {
1892 test_id = TEST_SADB_EXT_MIGRATE_BAD_ADDRESS;
1893
1894 int pfkey_socket = pfkey_setup_socket();
1895 T_ATEND(pfkey_cleanup);
1896 send_pfkey_flush_sa(pfkey_socket);
1897 send_pfkey_flush_sp(pfkey_socket);
1898 send_pkey_add_sa(pfkey_socket, 0x12345678, TEST_SRC_ADDRESS_IPv6, TEST_DST_ADDRESS_IPv6, AF_INET6);
1899
1900 dispatch_main();
1901 }
1902
1903 T_DECL(tcp_input_ipsec_copy_policy, "listener policy copied to child", T_META_TAG_VM_PREFERRED)
1904 {
1905 test_id = TEST_TCP_INPUT_IPSEC_COPY_POLICY;
1906
1907 int server_fd = setup_tcp_server(4000);
1908 setup_socket_policy(server_fd);
1909 int client_fd = setup_loopback_tcp_client(4000);
1910
1911 sleep(3);
1912 close(client_fd);
1913 close(server_fd);
1914
1915 T_PASS("listener policy copied to child");
1916 }
1917
1918 T_DECL(sadb_x_spd_add_78944570, "security policy add failure", T_META_TAG_VM_PREFERRED)
1919 {
1920 test_id = TEST_SADB_X_SPDADD_MEMORY_LEAK_78944570;
1921
1922 int pfkey_socket = pfkey_setup_socket();
1923 send_pfkey_flush_sa(pfkey_socket);
1924 send_pfkey_flush_sp(pfkey_socket);
1925 send_pfkey_spd_add_message(pfkey_socket, IPSEC_ULPROTO_ANY);
1926
1927 dispatch_main();
1928 }
1929