1 #include <darwintest.h>
2 #include <darwintest_utils.h>
3 #include <dispatch/dispatch.h>
4 #include <net/pfkeyv2.h>
5 #include <netinet6/ipsec.h>
6 #include <arpa/inet.h>
7
8 T_GLOBAL_META(
9 T_META_NAMESPACE("xnu.pfkey"),
10 T_META_ASROOT(true),
11 T_META_CHECK_LEAKS(false));
12
13 #define MAX_SPD_CHECK 100
14 #define TEST_SRC_ADDRESS_IPv4 "192.168.2.2"
15 #define TEST_DST_ADDRESS_IPv4 "192.168.2.3"
16 #define TEST_SRC_ADDRESS_IPv6 "fd04:5c6b:8df7:7092:0000:0000:0000:0002"
17 #define TEST_DST_ADDRESS_IPv6 "fd04:5c6b:8df7:7092:0000:0000:0000:0003"
18 #define TEST_MIGRATE_SRC_ADDRESS_IPv4 "192.168.2.10"
19 #define TEST_MIGRATE_DST_ADDRESS_IPv4 "192.168.2.11"
20 #define TEST_MIGRATE_SRC_ADDRESS_IPv6 "fd04:5c6b:8df7:7092:0000:0000:0002:0000"
21 #define TEST_MIGRATE_DST_ADDRESS_IPv6 "fd04:5c6b:8df7:7092:0000:0000:0003:0000"
22
23 typedef enum {
24 TEST_INVALID = 0,
25 TEST_SADB_X_GET_OVERFLOW_60822136 = 1,
26 TEST_SADB_X_SPDENABLE_OVERFLOW_60822924 = 2,
27 TEST_SADB_X_SPDDISABLE_OVERFLOW_60822956 = 3,
28 TEST_SADB_UPDATE_USE_AFTER_FREE_60679513 = 4,
29 TEST_SADB_DUMP_HEAP_OVERFLOW_60768729 = 5,
30 TEST_SADB_POLICY_DUMP_HEAP_OVERFLOW_60769680 = 6,
31 TEST_SADB_GETSASTAT_OOB_READ_60822823 = 7,
32 TEST_SADB_GETSASTAT_OOB_READ_SUCCESS = 8,
33 TEST_SADB_EXT_MIGRATE_ADDRESS_IPv4 = 9,
34 TEST_SADB_EXT_MIGRATE_ADDRESS_IPv6 = 10,
35 TEST_SADB_EXT_MIGRATE_BAD_ADDRESS = 11,
36 TEST_TCP_INPUT_IPSEC_COPY_POLICY = 12,
37 } test_identifier;
38
39 static test_identifier test_id = TEST_INVALID;
40 static dispatch_source_t pfkey_source = NULL;
41
42 static void pfkey_cleanup(void);
43
44 static void pfkey_process_message_test_60822136(uint8_t **mhp, int pfkey_socket);
45 static void pfkey_process_message_test_60822924(uint8_t **mhp, int pfkey_socket);
46 static void pfkey_process_message_test_60822956(uint8_t **mhp, int pfkey_socket);
47 static void pfkey_process_message_test_60679513(uint8_t **mhp, int pfkey_socket);
48 static void pfkey_process_message_test_60768729(uint8_t **mhp, int pfkey_socket);
49 static void pfkey_process_message_test_60769680(uint8_t **mhp, int pfkey_socket);
50 static void pfkey_process_message_test_60822823(uint8_t **mhp, int pfkey_socket);
51 static void pfkey_process_message_test_60822823_1(uint8_t **mhp, int pfkey_socket);
52 static void pfkey_process_message_test_60687183(uint8_t **mhp, int pfkey_socket);
53 static void pfkey_process_message_test_60687183_1(uint8_t **mhp, int pfkey_socket);
54 static void pfkey_process_message_test_60687183_2(uint8_t **mhp, int pfkey_socket);
55
56 static void(*const process_pfkey_message_tests[])(uint8_t * *mhp, int pfkey_socket) =
57 {
58 NULL,
59 pfkey_process_message_test_60822136, // TEST_SADB_X_GET_OVERFLOW_60822136
60 pfkey_process_message_test_60822924, // TEST_SADB_X_SPDENABLE_OVERFLOW_60822924
61 pfkey_process_message_test_60822956, // TEST_SADB_X_SPDDISABLE_OVERFLOW_60822956
62 pfkey_process_message_test_60679513, // TEST_SADB_UPDATE_USE_AFTER_FREE_60679513
63 pfkey_process_message_test_60768729, // TEST_SADB_DUMP_HEAP_OVERFLOW_60768729
64 pfkey_process_message_test_60769680, // TEST_SADB_POLICY_DUMP_HEAP_OVERFLOW_60769680
65 pfkey_process_message_test_60822823, // TEST_SADB_GETSASTAT_OOB_READ_60822823
66 pfkey_process_message_test_60822823_1, // TEST_SADB_GETSASTAT_OOB_READ_SUCCESS
67 pfkey_process_message_test_60687183, // TEST_SADB_EXT_MIGRATE_ADDRESS_IPv4
68 pfkey_process_message_test_60687183_1, // TEST_SADB_EXT_MIGRATE_ADDRESS_IPv6
69 pfkey_process_message_test_60687183_2, // TEST_SADB_EXT_MIGRATE_BAD_ADDRESS
70 };
71
72 static void
pfkey_align(struct sadb_msg * msg,uint8_t ** mhp)73 pfkey_align(struct sadb_msg *msg, uint8_t **mhp)
74 {
75 struct sadb_ext *ext;
76 int i;
77 uint8_t *p;
78 uint8_t *ep; /* XXX should be passed from upper layer */
79
80 /* validity check */
81 T_QUIET; T_ASSERT_NOTNULL(msg, "pfkey align msg");
82 T_QUIET; T_ASSERT_NOTNULL(mhp, "pfkey align mhp");
83
84 /* initialize */
85 for (i = 0; i < SADB_EXT_MAX + 1; i++) {
86 mhp[i] = NULL;
87 }
88
89 mhp[0] = (void *)msg;
90
91 /* initialize */
92 p = (void *) msg;
93 ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len);
94
95 /* skip base header */
96 p += sizeof(struct sadb_msg);
97
98 while (p < ep) {
99 ext = (void *)p;
100 T_QUIET; T_ASSERT_GE_PTR((void *)ep, (void *)(p + sizeof(*ext)), "pfkey extension header beyond end of buffer");
101 T_QUIET; T_ASSERT_GE_ULONG((unsigned long)PFKEY_EXTLEN(ext), sizeof(*ext), "pfkey extension shorter than extension header");
102 T_QUIET; T_ASSERT_GE_PTR((void *)ep, (void *)(p + PFKEY_EXTLEN(ext)), "pfkey extension length beyond end of buffer");
103
104 T_QUIET; T_EXPECT_NULL(mhp[ext->sadb_ext_type], "duplicate extension type %u payload", ext->sadb_ext_type);
105
106 /* set pointer */
107 switch (ext->sadb_ext_type) {
108 case SADB_EXT_SA:
109 case SADB_EXT_LIFETIME_CURRENT:
110 case SADB_EXT_LIFETIME_HARD:
111 case SADB_EXT_LIFETIME_SOFT:
112 case SADB_EXT_ADDRESS_SRC:
113 case SADB_EXT_ADDRESS_DST:
114 case SADB_EXT_ADDRESS_PROXY:
115 case SADB_EXT_KEY_AUTH:
116 /* XXX should to be check weak keys. */
117 case SADB_EXT_KEY_ENCRYPT:
118 /* XXX should to be check weak keys. */
119 case SADB_EXT_IDENTITY_SRC:
120 case SADB_EXT_IDENTITY_DST:
121 case SADB_EXT_SENSITIVITY:
122 case SADB_EXT_PROPOSAL:
123 case SADB_EXT_SUPPORTED_AUTH:
124 case SADB_EXT_SUPPORTED_ENCRYPT:
125 case SADB_EXT_SPIRANGE:
126 case SADB_X_EXT_POLICY:
127 case SADB_X_EXT_SA2:
128 case SADB_EXT_SESSION_ID:
129 case SADB_EXT_SASTAT:
130 #ifdef SADB_X_EXT_NAT_T_TYPE
131 case SADB_X_EXT_NAT_T_TYPE:
132 case SADB_X_EXT_NAT_T_SPORT:
133 case SADB_X_EXT_NAT_T_DPORT:
134 case SADB_X_EXT_NAT_T_OA:
135 #endif
136 #ifdef SADB_X_EXT_TAG
137 case SADB_X_EXT_TAG:
138 #endif
139 #ifdef SADB_X_EXT_PACKET
140 case SADB_X_EXT_PACKET:
141 #endif
142 case SADB_X_EXT_IPSECIF:
143 case SADB_X_EXT_ADDR_RANGE_SRC_START:
144 case SADB_X_EXT_ADDR_RANGE_SRC_END:
145 case SADB_X_EXT_ADDR_RANGE_DST_START:
146 case SADB_X_EXT_ADDR_RANGE_DST_END:
147 #ifdef SADB_MIGRATE
148 case SADB_EXT_MIGRATE_ADDRESS_SRC:
149 case SADB_EXT_MIGRATE_ADDRESS_DST:
150 case SADB_X_EXT_MIGRATE_IPSECIF:
151 #endif
152 mhp[ext->sadb_ext_type] = (void *)ext;
153 break;
154 default:
155 T_FAIL("bad extension type %u", ext->sadb_ext_type);
156 T_END;
157 }
158
159 p += PFKEY_EXTLEN(ext);
160 }
161
162 T_QUIET; T_EXPECT_EQ_PTR((void *)ep, (void *)p, "invalid pfkey message length");
163 return;
164 }
165
166
167 static void
recv_pfkey_message(int pfkey_socket)168 recv_pfkey_message(int pfkey_socket)
169 {
170 uint8_t buffer[8192] __attribute__((aligned(4)));
171 struct iovec iovecs[1] = {
172 { buffer, sizeof(buffer) },
173 };
174 struct msghdr msg = {
175 NULL,
176 0,
177 iovecs,
178 sizeof(iovecs) / sizeof(iovecs[0]),
179 NULL,
180 0,
181 0,
182 };
183
184 do {
185 ssize_t result = -1;
186 memset(buffer, 0, sizeof(buffer));
187 T_QUIET; T_ASSERT_POSIX_SUCCESS(result = recvmsg(pfkey_socket, &msg, 0), NULL);
188
189 if (result > 0) {
190 T_QUIET; T_ASSERT_GE_ULONG((size_t)result, sizeof(struct sadb_msg), "Invalid PFKey message size: %zu", result);
191 struct sadb_msg *hdr = (struct sadb_msg *)buffer;
192 uint8_t *mhp[SADB_EXT_MAX + 1];
193 pfkey_align(hdr, mhp);
194 (*process_pfkey_message_tests[test_id])(mhp, pfkey_socket);
195 } else if (result == 0) {
196 T_LOG("PFKey socket received EOF");
197 break;
198 }
199 } while (1);
200 }
201
202 static void
send_pfkey_spd_add_message(int pfkey_socket,uint8_t proto)203 send_pfkey_spd_add_message(int pfkey_socket, uint8_t proto)
204 {
205 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
206 bzero(payload, sizeof(payload));
207 uint16_t tlen = 0;
208
209 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
210 msg_payload->sadb_msg_version = PF_KEY_V2;
211 msg_payload->sadb_msg_type = SADB_X_SPDADD;
212 msg_payload->sadb_msg_errno = 0;
213 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
214 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
215 msg_payload->sadb_msg_reserved = 0;
216 msg_payload->sadb_msg_seq = 0;
217 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
218 tlen += sizeof(*msg_payload);
219
220 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
221 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
222 src_address_payload->sadb_address_proto = proto & 0xff;
223 src_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
224 src_address_payload->sadb_address_reserved = 0;
225 tlen += sizeof(*src_address_payload);
226
227 struct sockaddr_in *src = (struct sockaddr_in *)(void *)(payload + tlen);
228 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_SRC_ADDRESS_IPv4, &src->sin_addr), 1, "src address fail");
229 src->sin_family = AF_INET;
230 src->sin_len = sizeof(*src);
231 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src->sin_len);
232 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
233 tlen += PFKEY_ALIGN8(src->sin_len);
234
235 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
236 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
237 dst_address_payload->sadb_address_proto = proto & 0xff;
238 dst_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
239 dst_address_payload->sadb_address_reserved = 0;
240 tlen += sizeof(*dst_address_payload);
241
242 struct sockaddr_in *dst = (struct sockaddr_in *)(void *)(payload + tlen);
243 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_DST_ADDRESS_IPv4, &dst->sin_addr), 1, "dst address fail");
244 dst->sin_family = AF_INET;
245 dst->sin_len = sizeof(*dst);
246 len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst->sin_len);
247 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
248 tlen += PFKEY_ALIGN8(dst->sin_len);
249
250 struct sadb_lifetime *lifetime_payload = (struct sadb_lifetime *)(void *)(payload + tlen);
251 lifetime_payload->sadb_lifetime_len = PFKEY_UNIT64(sizeof(*lifetime_payload));
252 lifetime_payload->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
253 tlen += sizeof(*lifetime_payload);
254
255 struct sadb_x_policy *policy_payload = (struct sadb_x_policy *)(void *)(payload + tlen);
256 policy_payload->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*policy_payload));
257 policy_payload->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
258 policy_payload->sadb_x_policy_type = IPSEC_POLICY_DISCARD;
259 policy_payload->sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
260 tlen += sizeof(*policy_payload);
261
262 // Update the total length
263 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
264 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd add");
265 }
266
267 static void
send_pfkey_spd_get_message(int pfkey_socket,uint32_t policy_id)268 send_pfkey_spd_get_message(int pfkey_socket, uint32_t policy_id)
269 {
270 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
271 bzero(payload, sizeof(payload));
272 uint16_t tlen = 0;
273
274 struct sadb_msg *msg_payload = (struct sadb_msg *)(void *)payload;
275 msg_payload->sadb_msg_version = PF_KEY_V2;
276 msg_payload->sadb_msg_type = SADB_X_SPDGET;
277 msg_payload->sadb_msg_errno = 0;
278 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
279 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
280 msg_payload->sadb_msg_reserved = 0;
281 msg_payload->sadb_msg_seq = 0;
282 msg_payload->sadb_msg_pid = (uint32_t)getpid();
283 tlen += sizeof(*msg_payload);
284
285 struct sadb_x_policy *policy_payload = (struct sadb_x_policy *)(void *)(payload + tlen);
286 policy_payload->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*policy_payload));
287 policy_payload->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
288 policy_payload->sadb_x_policy_id = policy_id;
289 tlen += sizeof(*policy_payload);
290
291 // Update the total length
292 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
293 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd get failed");
294 }
295
296 static void
send_pfkey_spd_enable_message(int pfkey_socket,uint32_t policy_id)297 send_pfkey_spd_enable_message(int pfkey_socket, uint32_t policy_id)
298 {
299 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
300 bzero(payload, sizeof(payload));
301 uint16_t tlen = 0;
302
303 struct sadb_msg *msg_payload = (struct sadb_msg *)(void *)payload;
304 msg_payload->sadb_msg_version = PF_KEY_V2;
305 msg_payload->sadb_msg_type = SADB_X_SPDENABLE;
306 msg_payload->sadb_msg_errno = 0;
307 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
308 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
309 msg_payload->sadb_msg_reserved = 0;
310 msg_payload->sadb_msg_seq = 0;
311 msg_payload->sadb_msg_pid = (uint32_t)getpid();
312 tlen += sizeof(*msg_payload);
313
314 struct sadb_x_policy *policy_payload = (struct sadb_x_policy *)(void *)(payload + tlen);
315 policy_payload->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*policy_payload));
316 policy_payload->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
317 policy_payload->sadb_x_policy_id = policy_id;
318 tlen += sizeof(*policy_payload);
319
320 // Update the total length
321 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
322 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd enable failed");
323 }
324
325 static void
send_pfkey_spd_disable_message(int pfkey_socket,uint32_t policy_id)326 send_pfkey_spd_disable_message(int pfkey_socket, uint32_t policy_id)
327 {
328 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
329 bzero(payload, sizeof(payload));
330 uint16_t tlen = 0;
331
332 struct sadb_msg *msg_payload = (struct sadb_msg *)(void *)payload;
333 msg_payload->sadb_msg_version = PF_KEY_V2;
334 msg_payload->sadb_msg_type = SADB_X_SPDDISABLE;
335 msg_payload->sadb_msg_errno = 0;
336 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
337 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
338 msg_payload->sadb_msg_reserved = 0;
339 msg_payload->sadb_msg_seq = 0;
340 msg_payload->sadb_msg_pid = (uint32_t)getpid();
341 tlen += sizeof(*msg_payload);
342
343 struct sadb_x_policy *policy_payload = (struct sadb_x_policy *)(void *)(payload + tlen);
344 policy_payload->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*policy_payload));
345 policy_payload->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
346 policy_payload->sadb_x_policy_id = policy_id;
347 tlen += sizeof(*policy_payload);
348
349 // Update the total length
350 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
351 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd disable failed");
352 }
353
354 static void
send_pfkey_spd_delete_message(int pfkey_socket,uint32_t policy_id)355 send_pfkey_spd_delete_message(int pfkey_socket, uint32_t policy_id)
356 {
357 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
358 bzero(payload, sizeof(payload));
359 uint16_t tlen = 0;
360
361 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
362 msg_payload->sadb_msg_version = PF_KEY_V2;
363 msg_payload->sadb_msg_type = SADB_X_SPDDELETE2;
364 msg_payload->sadb_msg_errno = 0;
365 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
366 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
367 msg_payload->sadb_msg_reserved = 0;
368 msg_payload->sadb_msg_seq = 0;
369 msg_payload->sadb_msg_pid = (uint32_t)getpid();
370 tlen += sizeof(*msg_payload);
371
372 struct sadb_x_policy *policy_payload = (struct sadb_x_policy *)(void *)(payload + tlen);
373 policy_payload->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*policy_payload));
374 policy_payload->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
375 policy_payload->sadb_x_policy_id = policy_id;
376 tlen += sizeof(*policy_payload);
377
378 // Update the total length
379 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
380 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd delete failed");
381 }
382
383 static void
send_pfkey_spd_dump_message(int pfkey_socket)384 send_pfkey_spd_dump_message(int pfkey_socket)
385 {
386 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
387 bzero(payload, sizeof(payload));
388 uint16_t tlen = 0;
389
390 struct sadb_msg *msg_payload = (struct sadb_msg *)(void *)payload;
391 msg_payload->sadb_msg_version = PF_KEY_V2;
392 msg_payload->sadb_msg_type = SADB_X_SPDDUMP;
393 msg_payload->sadb_msg_errno = 0;
394 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
395 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
396 msg_payload->sadb_msg_reserved = 0;
397 msg_payload->sadb_msg_seq = 0;
398 msg_payload->sadb_msg_pid = (uint32_t)getpid();
399 tlen += sizeof(*msg_payload);
400
401 // Update the total length
402 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
403 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd dump failed");
404 }
405
406 static void
send_pfkey_flush_sp(int pfkey_socket)407 send_pfkey_flush_sp(int pfkey_socket)
408 {
409 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
410 bzero(payload, sizeof(payload));
411 uint16_t tlen = 0;
412
413 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
414 msg_payload->sadb_msg_version = PF_KEY_V2;
415 msg_payload->sadb_msg_type = SADB_X_SPDFLUSH;
416 msg_payload->sadb_msg_errno = 0;
417 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
418 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
419 msg_payload->sadb_msg_reserved = 0;
420 msg_payload->sadb_msg_seq = 0;
421 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
422 tlen += sizeof(*msg_payload);
423
424 // Update the total length
425 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
426 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey flush security policies");
427 }
428
429 static void
send_pkey_get_spi(int pfkey_socket)430 send_pkey_get_spi(int pfkey_socket)
431 {
432 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
433 bzero(payload, sizeof(payload));
434 uint16_t tlen = 0;
435
436 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
437 msg_payload->sadb_msg_version = PF_KEY_V2;
438 msg_payload->sadb_msg_type = SADB_GETSPI;
439 msg_payload->sadb_msg_errno = 0;
440 msg_payload->sadb_msg_satype = SADB_SATYPE_ESP;
441 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
442 msg_payload->sadb_msg_reserved = 0;
443 msg_payload->sadb_msg_seq = 0;
444 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
445 tlen += sizeof(*msg_payload);
446
447 struct sadb_x_sa2 *sa2_payload = (struct sadb_x_sa2 *)(void *)(payload + tlen);
448 sa2_payload->sadb_x_sa2_len = PFKEY_UNIT64(sizeof(*sa2_payload));
449 sa2_payload->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
450 sa2_payload->sadb_x_sa2_mode = IPSEC_MODE_TRANSPORT;
451 sa2_payload->sadb_x_sa2_reqid = 0;
452 tlen += sizeof(*sa2_payload);
453
454 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
455 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
456 src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
457 src_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
458 src_address_payload->sadb_address_reserved = 0;
459 tlen += sizeof(*src_address_payload);
460
461 struct sockaddr_in *src = (struct sockaddr_in *)(void *)(payload + tlen);
462 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_SRC_ADDRESS_IPv4, &src->sin_addr), 1, "src address fail");
463 src->sin_family = AF_INET;
464 src->sin_len = sizeof(*src);
465 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src->sin_len);
466 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
467 tlen += PFKEY_ALIGN8(src->sin_len);
468
469 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
470 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
471 dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
472 dst_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
473 dst_address_payload->sadb_address_reserved = 0;
474 tlen += sizeof(*dst_address_payload);
475
476 struct sockaddr_in *dst = (struct sockaddr_in *)(void *)(payload + tlen);
477 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_DST_ADDRESS_IPv4, &dst->sin_addr), 1, "dst address fail");
478 dst->sin_family = AF_INET;
479 dst->sin_len = sizeof(*dst);
480 len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst->sin_len);
481 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
482 tlen += PFKEY_ALIGN8(dst->sin_len);
483
484 // Update the total length
485 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
486 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send get spi");
487 }
488
489 static void
send_pkey_add_sa(int pfkey_socket,uint32_t spi,const char * src,const char * dst,int family)490 send_pkey_add_sa(int pfkey_socket, uint32_t spi, const char *src, const char *dst, int family)
491 {
492 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
493 bzero(payload, sizeof(payload));
494 uint16_t tlen = 0;
495
496 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
497 msg_payload->sadb_msg_version = PF_KEY_V2;
498 msg_payload->sadb_msg_type = SADB_ADD;
499 msg_payload->sadb_msg_errno = 0;
500 msg_payload->sadb_msg_satype = SADB_SATYPE_ESP;
501 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
502 msg_payload->sadb_msg_reserved = 0;
503 msg_payload->sadb_msg_seq = 0;
504 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
505 tlen += sizeof(*msg_payload);
506
507 struct sadb_sa_2 *sa2_payload = (struct sadb_sa_2 *)(void *)(payload + tlen);
508 sa2_payload->sa.sadb_sa_len = PFKEY_UNIT64(sizeof(*sa2_payload));
509 sa2_payload->sa.sadb_sa_exttype = SADB_EXT_SA;
510 sa2_payload->sa.sadb_sa_spi = htonl(spi);
511 sa2_payload->sa.sadb_sa_replay = 4;
512 sa2_payload->sa.sadb_sa_state = SADB_SASTATE_LARVAL;
513 sa2_payload->sa.sadb_sa_auth = SADB_X_AALG_SHA2_256;
514 sa2_payload->sa.sadb_sa_encrypt = SADB_X_EALG_AESCBC;
515 sa2_payload->sa.sadb_sa_flags |= (SADB_X_EXT_NATT | SADB_X_EXT_NATT_KEEPALIVE);
516 sa2_payload->sadb_sa_natt_src_port = htons(4500);
517 sa2_payload->sadb_sa_natt_port = 4500;
518 sa2_payload->sadb_sa_natt_interval = 20;
519 sa2_payload->sadb_sa_natt_offload_interval = 0;
520 tlen += sizeof(*sa2_payload);
521
522 struct sadb_x_sa2 *sa2_x_payload = (struct sadb_x_sa2 *)(void *)(payload + tlen);
523 sa2_x_payload->sadb_x_sa2_len = PFKEY_UNIT64(sizeof(*sa2_x_payload));
524 sa2_x_payload->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
525 sa2_x_payload->sadb_x_sa2_mode = IPSEC_MODE_TRANSPORT;
526 sa2_x_payload->sadb_x_sa2_reqid = 0;
527 tlen += sizeof(*sa2_x_payload);
528
529 uint8_t prefixlen = (family == AF_INET) ? (sizeof(struct in_addr) << 3) : (sizeof(struct in6_addr) << 3);
530
531 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
532 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
533 src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
534 src_address_payload->sadb_address_prefixlen = prefixlen;
535 src_address_payload->sadb_address_reserved = 0;
536 tlen += sizeof(*src_address_payload);
537
538 if (family == AF_INET) {
539 struct sockaddr_in *src4 = (struct sockaddr_in *)(void *)(payload + tlen);
540 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, src, &src4->sin_addr), 1, "src address fail");
541 src4->sin_family = AF_INET;
542 src4->sin_len = sizeof(*src4);
543 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src4->sin_len);
544 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
545 tlen += PFKEY_ALIGN8(src4->sin_len);
546 } else {
547 struct sockaddr_in6 *src6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
548 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, src, &src6->sin6_addr), 1, "src address fail");
549 src6->sin6_family = AF_INET6;
550 src6->sin6_len = sizeof(*src6);
551 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src6->sin6_len);
552 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
553 tlen += PFKEY_ALIGN8(src6->sin6_len);
554 }
555
556 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
557 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
558 dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
559 dst_address_payload->sadb_address_prefixlen = prefixlen;
560 dst_address_payload->sadb_address_reserved = 0;
561 tlen += sizeof(*dst_address_payload);
562
563 if (family == AF_INET) {
564 struct sockaddr_in *dst4 = (struct sockaddr_in *)(void *)(payload + tlen);
565 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, dst, &dst4->sin_addr), 1, "dst address fail");
566 dst4->sin_family = AF_INET;
567 dst4->sin_len = sizeof(*dst4);
568 uint16_t len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst4->sin_len);
569 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
570 tlen += PFKEY_ALIGN8(dst4->sin_len);
571 } else {
572 struct sockaddr_in6 *dst6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
573 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, dst, &dst6->sin6_addr), 1, "dst address fail");
574 dst6->sin6_family = AF_INET6;
575 dst6->sin6_len = sizeof(*dst6);
576 uint16_t len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst6->sin6_len);
577 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
578 tlen += PFKEY_ALIGN8(dst6->sin6_len);
579 }
580
581 struct sadb_key *encrypt_key_payload = (struct sadb_key *)(void *)(payload + tlen);
582 uint16_t len = sizeof(*encrypt_key_payload) + PFKEY_ALIGN8(32);
583 encrypt_key_payload->sadb_key_len = PFKEY_UNIT64(len);
584 encrypt_key_payload->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
585 encrypt_key_payload->sadb_key_bits = (uint16_t)(32 << 3);
586 encrypt_key_payload->sadb_key_reserved = 0;
587 tlen += sizeof(*encrypt_key_payload);
588 arc4random_buf(payload + tlen, 32);
589 tlen += PFKEY_ALIGN8(32);
590
591 struct sadb_key *auth_key_payload = (struct sadb_key *)(void *)(payload + tlen);
592 len = sizeof(*auth_key_payload) + PFKEY_ALIGN8(32);
593 auth_key_payload->sadb_key_len = PFKEY_UNIT64(len);
594 auth_key_payload->sadb_key_exttype = SADB_EXT_KEY_AUTH;
595 auth_key_payload->sadb_key_bits = (uint16_t)(32 << 3);
596 auth_key_payload->sadb_key_reserved = 0;
597 tlen += sizeof(*auth_key_payload);
598 arc4random_buf(payload + tlen, 32);
599 tlen += PFKEY_ALIGN8(32);
600
601 struct sadb_lifetime *hard_lifetime_payload = (struct sadb_lifetime *)(void *)(payload + tlen);
602 hard_lifetime_payload->sadb_lifetime_len = PFKEY_UNIT64(sizeof(*hard_lifetime_payload));
603 hard_lifetime_payload->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
604 tlen += sizeof(*hard_lifetime_payload);
605
606 struct sadb_lifetime *soft_lifetime_payload = (struct sadb_lifetime *)(void *)(payload + tlen);
607 soft_lifetime_payload->sadb_lifetime_len = PFKEY_UNIT64(sizeof(*soft_lifetime_payload));
608 soft_lifetime_payload->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
609 tlen += sizeof(*soft_lifetime_payload);
610
611 // Update the total length
612 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
613 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send update sa");
614 }
615
616 static void
send_pkey_update_sa(int pfkey_socket,uint32_t spi)617 send_pkey_update_sa(int pfkey_socket, uint32_t spi)
618 {
619 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
620 bzero(payload, sizeof(payload));
621 uint16_t tlen = 0;
622
623 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
624 msg_payload->sadb_msg_version = PF_KEY_V2;
625 msg_payload->sadb_msg_type = SADB_UPDATE;
626 msg_payload->sadb_msg_errno = 0;
627 msg_payload->sadb_msg_satype = SADB_SATYPE_ESP;
628 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
629 msg_payload->sadb_msg_reserved = 0;
630 msg_payload->sadb_msg_seq = 0;
631 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
632 tlen += sizeof(*msg_payload);
633
634 struct sadb_sa_2 *sa2_payload = (struct sadb_sa_2 *)(void *)(payload + tlen);
635 sa2_payload->sa.sadb_sa_len = PFKEY_UNIT64(sizeof(*sa2_payload));
636 sa2_payload->sa.sadb_sa_exttype = SADB_EXT_SA;
637 sa2_payload->sa.sadb_sa_spi = htonl(spi);
638 sa2_payload->sa.sadb_sa_replay = 4;
639 sa2_payload->sa.sadb_sa_state = SADB_SASTATE_LARVAL;
640 sa2_payload->sa.sadb_sa_auth = SADB_X_AALG_SHA2_256;
641 sa2_payload->sa.sadb_sa_encrypt = SADB_X_EALG_AESCBC;
642 sa2_payload->sa.sadb_sa_flags |= (SADB_X_EXT_NATT | SADB_X_EXT_NATT_KEEPALIVE);
643 sa2_payload->sadb_sa_natt_src_port = htons(4500);
644 sa2_payload->sadb_sa_natt_port = 0; // Bad value to trigger failure
645 sa2_payload->sadb_sa_natt_interval = 20;
646 sa2_payload->sadb_sa_natt_offload_interval = 0;
647 tlen += sizeof(*sa2_payload);
648
649 struct sadb_x_sa2 *sa2_x_payload = (struct sadb_x_sa2 *)(void *)(payload + tlen);
650 sa2_x_payload->sadb_x_sa2_len = PFKEY_UNIT64(sizeof(*sa2_x_payload));
651 sa2_x_payload->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
652 sa2_x_payload->sadb_x_sa2_mode = IPSEC_MODE_TRANSPORT;
653 sa2_x_payload->sadb_x_sa2_reqid = 0;
654 tlen += sizeof(*sa2_x_payload);
655
656 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
657 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
658 src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
659 src_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
660 src_address_payload->sadb_address_reserved = 0;
661 tlen += sizeof(*src_address_payload);
662
663 struct sockaddr_in *src = (struct sockaddr_in *)(void *)(payload + tlen);
664 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_SRC_ADDRESS_IPv4, &src->sin_addr), 1, "src address fail");
665 src->sin_family = AF_INET;
666 src->sin_len = sizeof(*src);
667 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src->sin_len);
668 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
669 tlen += PFKEY_ALIGN8(src->sin_len);
670
671 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
672 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
673 dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
674 dst_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
675 dst_address_payload->sadb_address_reserved = 0;
676 tlen += sizeof(*dst_address_payload);
677
678 struct sockaddr_in *dst = (struct sockaddr_in *)(void *)(payload + tlen);
679 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_DST_ADDRESS_IPv4, &dst->sin_addr), 1, "dst address fail");
680 dst->sin_family = AF_INET;
681 dst->sin_len = sizeof(*dst);
682 len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst->sin_len);
683 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
684 tlen += PFKEY_ALIGN8(dst->sin_len);
685
686 struct sadb_key *encrypt_key_payload = (struct sadb_key *)(void *)(payload + tlen);
687 len = sizeof(*encrypt_key_payload) + PFKEY_ALIGN8(32);
688 encrypt_key_payload->sadb_key_len = PFKEY_UNIT64(len);
689 encrypt_key_payload->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
690 encrypt_key_payload->sadb_key_bits = (uint16_t)(32 << 3);
691 encrypt_key_payload->sadb_key_reserved = 0;
692 tlen += sizeof(*encrypt_key_payload);
693 arc4random_buf(payload + tlen, 32);
694 tlen += PFKEY_ALIGN8(32);
695
696 struct sadb_key *auth_key_payload = (struct sadb_key *)(void *)(payload + tlen);
697 len = sizeof(*auth_key_payload) + PFKEY_ALIGN8(32);
698 auth_key_payload->sadb_key_len = PFKEY_UNIT64(len);
699 auth_key_payload->sadb_key_exttype = SADB_EXT_KEY_AUTH;
700 auth_key_payload->sadb_key_bits = (uint16_t)(32 << 3);
701 auth_key_payload->sadb_key_reserved = 0;
702 tlen += sizeof(*auth_key_payload);
703 arc4random_buf(payload + tlen, 32);
704 tlen += PFKEY_ALIGN8(32);
705
706 struct sadb_lifetime *hard_lifetime_payload = (struct sadb_lifetime *)(void *)(payload + tlen);
707 hard_lifetime_payload->sadb_lifetime_len = PFKEY_UNIT64(sizeof(*hard_lifetime_payload));
708 hard_lifetime_payload->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
709 tlen += sizeof(*hard_lifetime_payload);
710
711 struct sadb_lifetime *soft_lifetime_payload = (struct sadb_lifetime *)(void *)(payload + tlen);
712 soft_lifetime_payload->sadb_lifetime_len = PFKEY_UNIT64(sizeof(*soft_lifetime_payload));
713 soft_lifetime_payload->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
714 tlen += sizeof(*soft_lifetime_payload);
715
716 // Update the total length
717 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
718 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send update sa");
719 }
720
721 static void
send_pkey_migrate_sa(int pfkey_socket,uint32_t spi,const char * src,const char * dst,int family,const char * migrate_src,const char * migrate_dst,int migrate_family)722 send_pkey_migrate_sa(int pfkey_socket, uint32_t spi, const char *src, const char *dst, int family,
723 const char *migrate_src, const char *migrate_dst, int migrate_family)
724 {
725 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
726 bzero(payload, sizeof(payload));
727 uint16_t tlen = 0;
728
729 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
730 msg_payload->sadb_msg_version = PF_KEY_V2;
731 msg_payload->sadb_msg_type = SADB_MIGRATE;
732 msg_payload->sadb_msg_errno = 0;
733 msg_payload->sadb_msg_satype = SADB_SATYPE_ESP;
734 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
735 msg_payload->sadb_msg_reserved = 0;
736 msg_payload->sadb_msg_seq = 0;
737 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
738 tlen += sizeof(*msg_payload);
739
740 struct sadb_sa_2 *sa2_payload = (struct sadb_sa_2 *)(void *)(payload + tlen);
741 sa2_payload->sa.sadb_sa_len = PFKEY_UNIT64(sizeof(*sa2_payload));
742 sa2_payload->sa.sadb_sa_exttype = SADB_EXT_SA;
743 sa2_payload->sa.sadb_sa_spi = htonl(spi);
744 sa2_payload->sa.sadb_sa_replay = 4;
745 sa2_payload->sa.sadb_sa_state = SADB_SASTATE_LARVAL;
746 sa2_payload->sa.sadb_sa_auth = SADB_X_AALG_SHA2_256;
747 sa2_payload->sa.sadb_sa_encrypt = SADB_X_EALG_AESCBC;
748 sa2_payload->sa.sadb_sa_flags |= (SADB_X_EXT_NATT | SADB_X_EXT_NATT_KEEPALIVE);
749 sa2_payload->sadb_sa_natt_src_port = htons(4500);
750 sa2_payload->sadb_sa_natt_port = 0; // Bad value to trigger failure
751 sa2_payload->sadb_sa_natt_interval = 20;
752 sa2_payload->sadb_sa_natt_offload_interval = 0;
753 tlen += sizeof(*sa2_payload);
754
755 struct sadb_x_sa2 *sa2_x_payload = (struct sadb_x_sa2 *)(void *)(payload + tlen);
756 sa2_x_payload->sadb_x_sa2_len = PFKEY_UNIT64(sizeof(*sa2_x_payload));
757 sa2_x_payload->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
758 sa2_x_payload->sadb_x_sa2_mode = IPSEC_MODE_TRANSPORT;
759 sa2_x_payload->sadb_x_sa2_reqid = 0;
760 tlen += sizeof(*sa2_x_payload);
761
762 uint8_t prefixlen = (family == AF_INET) ? (sizeof(struct in_addr) << 3) : (sizeof(struct in6_addr) << 3);
763
764 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
765 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
766 src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
767 src_address_payload->sadb_address_prefixlen = prefixlen;
768 src_address_payload->sadb_address_reserved = 0;
769 tlen += sizeof(*src_address_payload);
770
771 if (family == AF_INET) {
772 struct sockaddr_in *src4 = (struct sockaddr_in *)(void *)(payload + tlen);
773 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, src, &src4->sin_addr), 1, "src address fail");
774 src4->sin_family = AF_INET;
775 src4->sin_len = sizeof(*src4);
776 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src4->sin_len);
777 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
778 tlen += PFKEY_ALIGN8(src4->sin_len);
779 } else {
780 struct sockaddr_in6 *src6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
781 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, src, &src6->sin6_addr), 1, "src address fail");
782 src6->sin6_family = AF_INET6;
783 src6->sin6_len = sizeof(*src6);
784 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src6->sin6_len);
785 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
786 tlen += PFKEY_ALIGN8(src6->sin6_len);
787 }
788
789 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
790 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
791 dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
792 dst_address_payload->sadb_address_prefixlen = prefixlen;
793 dst_address_payload->sadb_address_reserved = 0;
794 tlen += sizeof(*dst_address_payload);
795
796 if (family == AF_INET) {
797 struct sockaddr_in *dst4 = (struct sockaddr_in *)(void *)(payload + tlen);
798 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, dst, &dst4->sin_addr), 1, "dst address fail");
799 dst4->sin_family = AF_INET;
800 dst4->sin_len = sizeof(*dst4);
801 uint16_t len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst4->sin_len);
802 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
803 tlen += PFKEY_ALIGN8(dst4->sin_len);
804 } else {
805 struct sockaddr_in6 *dst6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
806 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, dst, &dst6->sin6_addr), 1, "dst address fail");
807 dst6->sin6_family = AF_INET6;
808 dst6->sin6_len = sizeof(*dst6);
809 uint16_t len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst6->sin6_len);
810 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
811 tlen += PFKEY_ALIGN8(dst6->sin6_len);
812 }
813
814 prefixlen = (migrate_family == AF_INET) ? (sizeof(struct in_addr) << 3) : (sizeof(struct in6_addr) << 3);
815
816 struct sadb_address *migrate_src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
817 migrate_src_address_payload->sadb_address_exttype = SADB_EXT_MIGRATE_ADDRESS_SRC & 0xffff;
818 migrate_src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
819 migrate_src_address_payload->sadb_address_prefixlen = prefixlen;
820 migrate_src_address_payload->sadb_address_reserved = 0;
821 tlen += sizeof(*migrate_src_address_payload);
822
823 if (migrate_family == AF_INET) {
824 struct sockaddr_in *migrate_src4 = (struct sockaddr_in *)(void *)(payload + tlen);
825 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, migrate_src, &migrate_src4->sin_addr), 1, "migrate src fail");
826 migrate_src4->sin_family = AF_INET;
827 migrate_src4->sin_len = sizeof(*migrate_src4);
828 uint16_t len = sizeof(*migrate_src_address_payload) + PFKEY_ALIGN8(migrate_src4->sin_len);
829 migrate_src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
830 tlen += PFKEY_ALIGN8(migrate_src4->sin_len);
831 } else if (migrate_family == AF_INET6) {
832 struct sockaddr_in6 *migrate_src6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
833 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, migrate_src, &migrate_src6->sin6_addr), 1, "migrate src fail");
834 migrate_src6->sin6_family = AF_INET6;
835 migrate_src6->sin6_len = sizeof(*migrate_src6);
836 uint16_t len = sizeof(*migrate_src_address_payload) + PFKEY_ALIGN8(migrate_src6->sin6_len);
837 migrate_src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
838 tlen += PFKEY_ALIGN8(migrate_src6->sin6_len);
839 } else if (migrate_family == AF_CHAOS) {
840 struct sockaddr_in6 *migrate_src6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
841 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, migrate_src, &migrate_src6->sin6_addr), 1, "migrate src fail");
842 migrate_src6->sin6_family = AF_INET6;
843 migrate_src6->sin6_len = sizeof(*migrate_src6) + 100; // Bad value to trigger exploit
844 uint16_t len = sizeof(*migrate_src_address_payload) + PFKEY_ALIGN8(migrate_src6->sin6_len);
845 migrate_src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
846 tlen += PFKEY_ALIGN8(migrate_src6->sin6_len);
847 }
848
849 struct sadb_address *migrate_dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
850 migrate_dst_address_payload->sadb_address_exttype = SADB_EXT_MIGRATE_ADDRESS_DST & 0xffff;
851 migrate_dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
852 migrate_dst_address_payload->sadb_address_prefixlen = prefixlen;
853 migrate_dst_address_payload->sadb_address_reserved = 0;
854
855 tlen += sizeof(*migrate_dst_address_payload);
856
857 if (migrate_family == AF_INET) {
858 struct sockaddr_in *migrate_dst4 = (struct sockaddr_in *)(void *)(payload + tlen);
859 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, migrate_dst, &migrate_dst4->sin_addr), 1, "migrate dst fail");
860 migrate_dst4->sin_family = AF_INET;
861 migrate_dst4->sin_len = sizeof(*migrate_dst4);
862 uint16_t len = sizeof(*migrate_dst_address_payload) + PFKEY_ALIGN8(migrate_dst4->sin_len);
863 migrate_dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
864 tlen += PFKEY_ALIGN8(migrate_dst4->sin_len);
865 } else if (migrate_family == AF_INET6) {
866 struct sockaddr_in6 *migrate_dst6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
867 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, migrate_dst, &migrate_dst6->sin6_addr), 1, "migrate dst fail");
868 migrate_dst6->sin6_family = AF_INET6;
869 migrate_dst6->sin6_len = sizeof(*migrate_dst6);
870 uint16_t len = sizeof(*migrate_dst_address_payload) + PFKEY_ALIGN8(migrate_dst6->sin6_len);
871 migrate_dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
872 tlen += PFKEY_ALIGN8(migrate_dst6->sin6_len);
873 } else if (migrate_family == AF_CHAOS) {
874 struct sockaddr_in6 *migrate_dst6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
875 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, migrate_dst, &migrate_dst6->sin6_addr), 1, "migrate dst fail");
876 migrate_dst6->sin6_family = AF_INET6;
877 migrate_dst6->sin6_len = sizeof(*migrate_dst6) + 100; // Bad value to trigger exploit
878 uint16_t len = sizeof(*migrate_dst_address_payload) + PFKEY_ALIGN8(migrate_dst6->sin6_len);
879 migrate_dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
880 tlen += PFKEY_ALIGN8(migrate_dst6->sin6_len);
881 }
882
883 // Update the total length
884 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
885 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send migrate sa");
886 }
887
888 static void
send_pfkey_get_sa_stat(int pfkey_socket,uint32_t spi,uint32_t stat_length)889 send_pfkey_get_sa_stat(int pfkey_socket, uint32_t spi, uint32_t stat_length)
890 {
891 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
892 bzero(payload, sizeof(payload));
893 uint16_t tlen = 0;
894
895 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
896 msg_payload->sadb_msg_version = PF_KEY_V2;
897 msg_payload->sadb_msg_type = SADB_GETSASTAT;
898 msg_payload->sadb_msg_errno = 0;
899 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
900 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
901 msg_payload->sadb_msg_reserved = 0;
902 msg_payload->sadb_msg_seq = 0;
903 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
904 tlen += sizeof(*msg_payload);
905
906 struct sadb_session_id *session_id_payload = (struct sadb_session_id *)(void *)(payload + tlen);
907 session_id_payload->sadb_session_id_len = PFKEY_UNIT64(sizeof(*session_id_payload));
908 session_id_payload->sadb_session_id_exttype = SADB_EXT_SESSION_ID;
909 session_id_payload->sadb_session_id_v[0] = 1;
910 tlen += sizeof(*session_id_payload);
911
912 struct sadb_sastat *sadb_stat_payload = (struct sadb_sastat *)(void *)(payload + tlen);
913 uint16_t length = sizeof(*sadb_stat_payload) + PFKEY_ALIGN8(sizeof(struct sastat));
914 sadb_stat_payload->sadb_sastat_len = PFKEY_UNIT64(length);
915 sadb_stat_payload->sadb_sastat_exttype = SADB_EXT_SASTAT;
916 sadb_stat_payload->sadb_sastat_dir = IPSEC_DIR_OUTBOUND;
917 sadb_stat_payload->sadb_sastat_list_len = stat_length;
918 tlen += sizeof(*sadb_stat_payload);
919
920 struct sastat *sastat_payload = (struct sastat *)(void *)(payload + tlen);
921 sastat_payload->spi = htonl(spi);
922 tlen += PFKEY_ALIGN8(sizeof(*sastat_payload));
923
924 // Update the total length
925 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
926 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send get sa stat");
927 }
928
929 static void
send_pkey_delete_sa(int pfkey_socket,uint32_t spi)930 send_pkey_delete_sa(int pfkey_socket, uint32_t spi)
931 {
932 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
933 bzero(payload, sizeof(payload));
934 uint16_t tlen = 0;
935
936 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
937 msg_payload->sadb_msg_version = PF_KEY_V2;
938 msg_payload->sadb_msg_type = SADB_DELETE;
939 msg_payload->sadb_msg_errno = 0;
940 msg_payload->sadb_msg_satype = SADB_SATYPE_ESP;
941 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
942 msg_payload->sadb_msg_reserved = 0;
943 msg_payload->sadb_msg_seq = 0;
944 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
945 tlen += sizeof(*msg_payload);
946
947 struct sadb_sa_2 *sa2_payload = (struct sadb_sa_2 *)(void *)(payload + tlen);
948 sa2_payload->sa.sadb_sa_len = PFKEY_UNIT64(sizeof(*sa2_payload));
949 sa2_payload->sa.sadb_sa_exttype = SADB_EXT_SA;
950 sa2_payload->sa.sadb_sa_spi = htonl(spi);
951 tlen += sizeof(*sa2_payload);
952
953 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
954 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
955 src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
956 src_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
957 src_address_payload->sadb_address_reserved = 0;
958 tlen += sizeof(*src_address_payload);
959
960 struct sockaddr_in *src = (struct sockaddr_in *)(void *)(payload + tlen);
961 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_SRC_ADDRESS_IPv4, &src->sin_addr), 1, "migrate src fail");
962 src->sin_family = AF_INET;
963 src->sin_len = sizeof(*src);
964 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src->sin_len);
965 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
966 tlen += PFKEY_ALIGN8(src->sin_len);
967
968 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
969 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
970 dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
971 dst_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
972 dst_address_payload->sadb_address_reserved = 0;
973 tlen += sizeof(*dst_address_payload);
974
975 struct sockaddr_in *dst = (struct sockaddr_in *)(void *)(payload + tlen);
976 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_DST_ADDRESS_IPv4, &dst->sin_addr), 1, "migrate dst fail");
977 dst->sin_family = AF_INET;
978 dst->sin_len = sizeof(*dst);
979 len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst->sin_len);
980 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
981 tlen += PFKEY_ALIGN8(dst->sin_len);
982
983 // Update the total length
984 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
985 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send delete sa");
986 }
987
988 static void
send_pfkey_sa_dump_message(int pfkey_socket)989 send_pfkey_sa_dump_message(int pfkey_socket)
990 {
991 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
992 bzero(payload, sizeof(payload));
993 uint16_t tlen = 0;
994
995 struct sadb_msg *msg_payload = (struct sadb_msg *)(void *)payload;
996 msg_payload->sadb_msg_version = PF_KEY_V2;
997 msg_payload->sadb_msg_type = SADB_DUMP;
998 msg_payload->sadb_msg_errno = 0;
999 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
1000 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
1001 msg_payload->sadb_msg_reserved = 0;
1002 msg_payload->sadb_msg_seq = 0;
1003 msg_payload->sadb_msg_pid = (uint32_t)getpid();
1004 tlen += sizeof(*msg_payload);
1005
1006 // Update the total length
1007 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
1008 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send sa dump failed");
1009 }
1010
1011 static void
send_pfkey_flush_sa(int pfkey_socket)1012 send_pfkey_flush_sa(int pfkey_socket)
1013 {
1014 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
1015 bzero(payload, sizeof(payload));
1016 uint16_t tlen = 0;
1017
1018 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
1019 msg_payload->sadb_msg_version = PF_KEY_V2;
1020 msg_payload->sadb_msg_type = SADB_FLUSH;
1021 msg_payload->sadb_msg_errno = 0;
1022 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
1023 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
1024 msg_payload->sadb_msg_reserved = 0;
1025 msg_payload->sadb_msg_seq = 0;
1026 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
1027 tlen += sizeof(*msg_payload);
1028
1029 // Update the total length
1030 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
1031 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey flush sa");
1032 }
1033
1034 static void
pfkey_cleanup(void)1035 pfkey_cleanup(void)
1036 {
1037 if (pfkey_source != NULL) {
1038 int pfkey_socket = (int)dispatch_source_get_handle(pfkey_source);
1039 if (pfkey_socket > 0) {
1040 send_pfkey_flush_sa(pfkey_socket);
1041 send_pfkey_flush_sp(pfkey_socket);
1042 }
1043 dispatch_source_cancel(pfkey_source);
1044 pfkey_source = NULL;
1045 }
1046 }
1047
1048 static int
pfkey_setup_socket(void)1049 pfkey_setup_socket(void)
1050 {
1051 int pfkey_socket = -1;
1052 int bufsiz = 0;
1053 const unsigned long newbufk = 1536;
1054 unsigned long oldmax;
1055 size_t oldmaxsize = sizeof(oldmax);
1056 unsigned long newmax = newbufk * (1024 + 128);
1057
1058 T_QUIET; T_ASSERT_POSIX_SUCCESS(pfkey_socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2), NULL);
1059
1060 if (sysctlbyname("kern.ipc.maxsockbuf", &oldmax, &oldmaxsize, &newmax, sizeof(newmax)) != 0) {
1061 bufsiz = 233016; /* Max allowed by default */
1062 } else {
1063 bufsiz = newbufk * 1024;
1064 }
1065
1066 T_QUIET; T_ASSERT_POSIX_SUCCESS(setsockopt(pfkey_socket, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz)), "pfkey set snd socket buf failed %d", bufsiz);
1067 T_QUIET; T_ASSERT_POSIX_SUCCESS(setsockopt(pfkey_socket, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz)), "pfkey set recv socket buf failed %d", bufsiz);
1068
1069 pfkey_source = dispatch_source_create(DISPATCH_SOURCE_TYPE_READ, (uintptr_t)pfkey_socket, 0, dispatch_get_main_queue());
1070 T_QUIET; T_ASSERT_NOTNULL(pfkey_source, "dispatch_source_create(DISPATCH_SOURCE_TYPE_READ, ...)");
1071 dispatch_source_set_event_handler(pfkey_source, ^{
1072 recv_pfkey_message(pfkey_socket);
1073 });
1074 dispatch_source_set_cancel_handler(pfkey_source, ^{
1075 close(pfkey_socket);
1076 });
1077 dispatch_resume(pfkey_source);
1078 return pfkey_socket;
1079 }
1080
1081 static void
pfkey_process_message_test_60822136(uint8_t ** mhp,int pfkey_socket)1082 pfkey_process_message_test_60822136(uint8_t **mhp, int pfkey_socket)
1083 {
1084 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1085 static int counter = 0;
1086 static uint32_t policy_id = 0;
1087
1088 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1089 return;
1090 }
1091
1092 if (message->sadb_msg_errno) {
1093 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_X_SPDDUMP, "SADB error for type %u", message->sadb_msg_type);
1094 pfkey_cleanup();
1095 T_END;
1096 }
1097
1098 switch (message->sadb_msg_type) {
1099 case SADB_X_SPDADD:
1100 {
1101 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1102 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd add policy message is NULL");
1103 policy_id = policy_message->sadb_x_policy_id;
1104 T_LOG("Added policy id %u", policy_id);
1105 send_pfkey_spd_get_message(pfkey_socket, policy_id);
1106 break;
1107 }
1108 case SADB_X_SPDGET:
1109 {
1110 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1111 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd get policy message is NULL");
1112 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_get: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1113 if (counter < MAX_SPD_CHECK) {
1114 counter++;
1115 send_pfkey_spd_get_message(pfkey_socket, policy_id);
1116 } else {
1117 T_LOG("Deleting policy id %u", policy_id);
1118 send_pfkey_spd_delete_message(pfkey_socket, policy_id);
1119 }
1120 break;
1121 }
1122 case SADB_X_SPDDELETE2:
1123 {
1124 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1125 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd delete2 policy message is NULL");
1126 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_delete2: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1127 T_LOG("Deleted policy id %u", policy_id);
1128 sleep(2);
1129 send_pfkey_spd_dump_message(pfkey_socket);
1130 break;
1131 }
1132 case SADB_X_SPDDUMP:
1133 {
1134 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1135 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd dump policy message is NULL");
1136 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_dump: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1137 T_FAIL("Policy id %u still exists", policy_id);
1138 pfkey_cleanup();
1139 T_END;
1140 }
1141 case SADB_FLUSH:
1142 case SADB_X_SPDFLUSH:
1143 break;
1144 default:
1145 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1146 T_END;
1147 }
1148 return;
1149 }
1150
1151 static void
pfkey_process_message_test_60822924(uint8_t ** mhp,int pfkey_socket)1152 pfkey_process_message_test_60822924(uint8_t **mhp, int pfkey_socket)
1153 {
1154 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1155 static int counter = 0;
1156 static uint32_t policy_id = 0;
1157
1158 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1159 return;
1160 }
1161
1162 if (message->sadb_msg_errno) {
1163 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_X_SPDDUMP, "SADB error for type %u", message->sadb_msg_type);
1164 pfkey_cleanup();
1165 T_END;
1166 }
1167
1168 switch (message->sadb_msg_type) {
1169 case SADB_X_SPDADD:
1170 {
1171 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1172 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd add policy message is NULL");
1173 policy_id = policy_message->sadb_x_policy_id;
1174 T_LOG("Added policy id %u", policy_id);
1175 send_pfkey_spd_enable_message(pfkey_socket, policy_id);
1176 break;
1177 }
1178 case SADB_X_SPDENABLE:
1179 {
1180 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1181 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd enable policy message is NULL");
1182 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_enable: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1183 if (counter < MAX_SPD_CHECK) {
1184 counter++;
1185 send_pfkey_spd_enable_message(pfkey_socket, policy_id);
1186 } else {
1187 T_LOG("Deleting policy id %u", policy_id);
1188 send_pfkey_spd_delete_message(pfkey_socket, policy_id);
1189 }
1190 break;
1191 }
1192 case SADB_X_SPDDELETE2:
1193 {
1194 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1195 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd delete2 policy message is NULL");
1196 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_delete2: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1197 T_LOG("Deleted policy id %u", policy_id);
1198 sleep(2);
1199 send_pfkey_spd_dump_message(pfkey_socket);
1200 break;
1201 }
1202 case SADB_X_SPDDUMP:
1203 {
1204 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1205 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd dump policy message is NULL");
1206 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_dump: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1207 T_FAIL("Policy id %u still exists", policy_id);
1208 pfkey_cleanup();
1209 T_END;
1210 }
1211 case SADB_FLUSH:
1212 case SADB_X_SPDFLUSH:
1213 break;
1214 default:
1215 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1216 T_END;
1217 }
1218 return;
1219 }
1220
1221 static void
pfkey_process_message_test_60822956(uint8_t ** mhp,int pfkey_socket)1222 pfkey_process_message_test_60822956(uint8_t **mhp, int pfkey_socket)
1223 {
1224 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1225 static int counter = 0;
1226 static uint32_t policy_id = 0;
1227
1228 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1229 return;
1230 }
1231
1232 if (message->sadb_msg_errno) {
1233 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_X_SPDDUMP, "SADB error for type %u", message->sadb_msg_type);
1234 pfkey_cleanup();
1235 T_END;
1236 }
1237
1238 switch (message->sadb_msg_type) {
1239 case SADB_X_SPDADD:
1240 {
1241 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1242 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd add policy message is NULL");
1243 policy_id = policy_message->sadb_x_policy_id;
1244 T_LOG("Added policy id %u", policy_id);
1245 send_pfkey_spd_disable_message(pfkey_socket, policy_id);
1246 break;
1247 }
1248 case SADB_X_SPDDISABLE:
1249 {
1250 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1251 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd disable policy message is NULL");
1252 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_disable: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1253 if (counter < MAX_SPD_CHECK) {
1254 counter++;
1255 send_pfkey_spd_disable_message(pfkey_socket, policy_id);
1256 } else {
1257 T_LOG("Deleting policy id %u", policy_id);
1258 send_pfkey_spd_delete_message(pfkey_socket, policy_id);
1259 }
1260 break;
1261 }
1262 case SADB_X_SPDDELETE2:
1263 {
1264 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1265 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd delete2 policy message is NULL");
1266 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_delete2: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1267 T_LOG("Deleted policy id %u", policy_id);
1268 sleep(2);
1269 send_pfkey_spd_dump_message(pfkey_socket);
1270 break;
1271 }
1272 case SADB_X_SPDDUMP:
1273 {
1274 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1275 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd dump policy message is NULL");
1276 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_dump: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1277 T_FAIL("Policy id %u still exists", policy_id);
1278 pfkey_cleanup();
1279 T_END;
1280 }
1281 case SADB_FLUSH:
1282 case SADB_X_SPDFLUSH:
1283 break;
1284 default:
1285 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1286 T_END;
1287 }
1288 return;
1289 }
1290
1291 static void
pfkey_process_message_test_60679513(uint8_t ** mhp,int pfkey_socket)1292 pfkey_process_message_test_60679513(uint8_t **mhp, int pfkey_socket)
1293 {
1294 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1295 static uint32_t spi = 0;
1296
1297 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1298 return;
1299 }
1300
1301 if (message->sadb_msg_errno) {
1302 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_UPDATE, "SADB error for type %u", message->sadb_msg_type);
1303 }
1304
1305 switch (message->sadb_msg_type) {
1306 case SADB_GETSPI:
1307 {
1308 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1309 T_QUIET; T_ASSERT_NOTNULL(sa_message, "sa get spi message is NULL");
1310 spi = ntohl(sa_message->sadb_sa_spi);
1311 T_LOG("get spi 0x%x", spi);
1312 send_pkey_update_sa(pfkey_socket, spi);
1313 break;
1314 }
1315 case SADB_UPDATE:
1316 {
1317 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1318 T_QUIET; T_ASSERT_NOTNULL(sa_message, "update sa message is NULL");
1319 T_QUIET; T_ASSERT_EQ(spi, ntohl(sa_message->sadb_sa_spi), "sadb update: spi mismatch %u != %u", spi, ntohl(sa_message->sadb_sa_spi));
1320 T_LOG("update sa 0x%x", spi);
1321 send_pkey_delete_sa(pfkey_socket, spi);
1322 break;
1323 }
1324 case SADB_DELETE:
1325 {
1326 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1327 T_QUIET; T_ASSERT_NOTNULL(sa_message, "delete sa message is NULL");
1328 T_QUIET; T_ASSERT_EQ(spi, ntohl(sa_message->sadb_sa_spi), "sadb delete: spi mismatch %u != %u", spi, ntohl(sa_message->sadb_sa_spi));
1329 T_LOG("delete sa 0x%x", spi);
1330 pfkey_cleanup();
1331 T_END;
1332 }
1333 case SADB_FLUSH:
1334 case SADB_X_SPDFLUSH:
1335 break;
1336 default:
1337 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1338 T_END;
1339 }
1340 return;
1341 }
1342
1343 static void
pfkey_process_message_test_60768729(uint8_t ** mhp,int pfkey_socket)1344 pfkey_process_message_test_60768729(uint8_t **mhp, int pfkey_socket)
1345 {
1346 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1347 uint32_t spi = 0;
1348 static int counter = 0;
1349
1350 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1351 return;
1352 }
1353
1354 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u", message->sadb_msg_type);
1355
1356 switch (message->sadb_msg_type) {
1357 case SADB_GETSPI:
1358 {
1359 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1360 T_QUIET; T_ASSERT_NOTNULL(sa_message, "sa get spi message is NULL");
1361 spi = ntohl(sa_message->sadb_sa_spi);
1362 counter++;
1363 if (counter <= 1000) {
1364 send_pkey_get_spi(pfkey_socket);
1365 } else {
1366 T_LOG("SADB added 1000 Larval SPIs");
1367 send_pfkey_sa_dump_message(pfkey_socket);
1368 }
1369 break;
1370 }
1371 case SADB_DUMP:
1372 {
1373 counter--;
1374 if (counter == 0) {
1375 T_PASS("SADB dump successful");
1376 pfkey_cleanup();
1377 T_END;
1378 }
1379 break;
1380 }
1381
1382 case SADB_FLUSH:
1383 case SADB_X_SPDFLUSH:
1384 break;
1385 default:
1386 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1387 T_END;
1388 }
1389 return;
1390 }
1391
1392 static void
pfkey_process_message_test_60769680(uint8_t ** mhp,int pfkey_socket)1393 pfkey_process_message_test_60769680(uint8_t **mhp, int pfkey_socket)
1394 {
1395 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1396 static uint8_t counter = 0;
1397
1398 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1399 return;
1400 }
1401
1402 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1403
1404 switch (message->sadb_msg_type) {
1405 case SADB_X_SPDADD:
1406 {
1407 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1408 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd add policy message is NULL");
1409 counter++;
1410 if (counter <= 240) {
1411 send_pfkey_spd_add_message(pfkey_socket, counter + 1);
1412 } else {
1413 T_LOG("SADB added 240 security policies");
1414 send_pfkey_spd_dump_message(pfkey_socket);
1415 }
1416 break;
1417 }
1418 case SADB_X_SPDDUMP:
1419 {
1420 counter--;
1421 if (counter == 0) {
1422 T_PASS("SADB policy dump successful");
1423 pfkey_cleanup();
1424 T_END;
1425 }
1426 break;
1427 }
1428
1429 case SADB_FLUSH:
1430 case SADB_X_SPDFLUSH:
1431 break;
1432 default:
1433 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1434 T_END;
1435 }
1436 return;
1437 }
1438
1439 static void
pfkey_process_message_test_60822823(uint8_t ** mhp,int pfkey_socket)1440 pfkey_process_message_test_60822823(uint8_t **mhp, int pfkey_socket)
1441 {
1442 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1443 static uint32_t spi = 0;
1444
1445 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1446 return;
1447 }
1448
1449 if (message->sadb_msg_errno != 0) {
1450 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_GETSASTAT, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1451 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, EINVAL, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1452 T_PASS("SADB get SA Stat received EINVAL");
1453 T_END;
1454 }
1455
1456 switch (message->sadb_msg_type) {
1457 case SADB_ADD:
1458 {
1459 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1460 T_QUIET; T_ASSERT_NOTNULL(sa_message, "add sa message is NULL");
1461 spi = ntohl(sa_message->sadb_sa_spi);
1462 T_LOG("added sa 0x%x", spi);
1463 send_pfkey_get_sa_stat(pfkey_socket, spi, 5);
1464 break;
1465 }
1466 case SADB_GETSASTAT:
1467 {
1468 T_FAIL("get sa stat should fail %u", message->sadb_msg_type);
1469 T_END;
1470 }
1471 case SADB_FLUSH:
1472 case SADB_X_SPDFLUSH:
1473 break;
1474 default:
1475 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1476 T_END;
1477 }
1478 return;
1479 }
1480
1481 static void
pfkey_process_message_test_60822823_1(uint8_t ** mhp,int pfkey_socket)1482 pfkey_process_message_test_60822823_1(uint8_t **mhp, int pfkey_socket)
1483 {
1484 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1485 static uint32_t spi = 0;
1486
1487 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1488 return;
1489 }
1490
1491 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1492
1493 switch (message->sadb_msg_type) {
1494 case SADB_ADD:
1495 {
1496 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1497 T_QUIET; T_ASSERT_NOTNULL(sa_message, "add sa message is NULL");
1498 spi = ntohl(sa_message->sadb_sa_spi);
1499 T_LOG("added sa 0x%x", spi);
1500 send_pfkey_get_sa_stat(pfkey_socket, spi, 1);
1501 break;
1502 }
1503 case SADB_GETSASTAT:
1504 {
1505 struct sadb_session_id *session_id = (struct sadb_session_id *)(void *)mhp[SADB_EXT_SESSION_ID];
1506 T_QUIET; T_ASSERT_NOTNULL(session_id, "session id is NULL");
1507 T_QUIET; T_EXPECT_EQ_ULLONG(session_id->sadb_session_id_v[0], 1ULL, "Session id is not equal");
1508 T_PASS("get sa stat success %u", message->sadb_msg_type);
1509 T_END;
1510 }
1511 case SADB_FLUSH:
1512 case SADB_X_SPDFLUSH:
1513 break;
1514 default:
1515 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1516 T_END;
1517 }
1518 return;
1519 }
1520
1521 static void
pfkey_process_message_test_60687183(uint8_t ** mhp,int pfkey_socket)1522 pfkey_process_message_test_60687183(uint8_t **mhp, int pfkey_socket)
1523 {
1524 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1525 static uint32_t spi = 0;
1526
1527 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1528 return;
1529 }
1530
1531 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1532
1533 switch (message->sadb_msg_type) {
1534 case SADB_ADD:
1535 {
1536 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1537 T_QUIET; T_ASSERT_NOTNULL(sa_message, "add sa message is NULL");
1538 spi = ntohl(sa_message->sadb_sa_spi);
1539 T_LOG("added sa 0x%x", spi);
1540 send_pkey_migrate_sa(pfkey_socket, spi, TEST_SRC_ADDRESS_IPv4, TEST_DST_ADDRESS_IPv4, AF_INET,
1541 TEST_MIGRATE_SRC_ADDRESS_IPv4, TEST_MIGRATE_DST_ADDRESS_IPv4, AF_INET);
1542 break;
1543 }
1544 case SADB_MIGRATE:
1545 {
1546 T_PASS("migrate SA success");
1547 T_END;
1548 }
1549 case SADB_FLUSH:
1550 case SADB_X_SPDFLUSH:
1551 break;
1552 default:
1553 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1554 T_END;
1555 }
1556 return;
1557 }
1558
1559 static void
pfkey_process_message_test_60687183_1(uint8_t ** mhp,int pfkey_socket)1560 pfkey_process_message_test_60687183_1(uint8_t **mhp, int pfkey_socket)
1561 {
1562 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1563 static uint32_t spi = 0;
1564
1565 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1566 return;
1567 }
1568
1569 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1570
1571 switch (message->sadb_msg_type) {
1572 case SADB_ADD:
1573 {
1574 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1575 T_QUIET; T_ASSERT_NOTNULL(sa_message, "add sa message is NULL");
1576 spi = ntohl(sa_message->sadb_sa_spi);
1577 T_LOG("added sa 0x%x", spi);
1578 send_pkey_migrate_sa(pfkey_socket, spi, TEST_SRC_ADDRESS_IPv6, TEST_DST_ADDRESS_IPv6, AF_INET6,
1579 TEST_MIGRATE_SRC_ADDRESS_IPv6, TEST_MIGRATE_DST_ADDRESS_IPv6, AF_INET6);
1580 break;
1581 }
1582 case SADB_MIGRATE:
1583 {
1584 T_PASS("migrate SA success");
1585 T_END;
1586 }
1587 case SADB_FLUSH:
1588 case SADB_X_SPDFLUSH:
1589 break;
1590 default:
1591 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1592 T_END;
1593 }
1594 return;
1595 }
1596
1597 static void
pfkey_process_message_test_60687183_2(uint8_t ** mhp,int pfkey_socket)1598 pfkey_process_message_test_60687183_2(uint8_t **mhp, int pfkey_socket)
1599 {
1600 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1601 static uint32_t spi = 0;
1602
1603 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1604 return;
1605 }
1606
1607 if (message->sadb_msg_errno != 0) {
1608 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_MIGRATE, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1609 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, EINVAL, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1610 T_PASS("SADB migrate SA received EINVAL");
1611 T_END;
1612 }
1613
1614 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1615
1616 switch (message->sadb_msg_type) {
1617 case SADB_ADD:
1618 {
1619 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1620 T_QUIET; T_ASSERT_NOTNULL(sa_message, "add sa message is NULL");
1621 spi = ntohl(sa_message->sadb_sa_spi);
1622 T_LOG("added sa 0x%x", spi);
1623 send_pkey_migrate_sa(pfkey_socket, spi, TEST_SRC_ADDRESS_IPv6, TEST_DST_ADDRESS_IPv6, AF_INET6,
1624 TEST_MIGRATE_SRC_ADDRESS_IPv6, TEST_MIGRATE_DST_ADDRESS_IPv6, AF_CHAOS);
1625 break;
1626 }
1627 case SADB_MIGRATE:
1628 {
1629 T_FAIL("migrate SA test for bad address failed");
1630 T_END;
1631 }
1632 case SADB_FLUSH:
1633 case SADB_X_SPDFLUSH:
1634 break;
1635 default:
1636 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1637 T_END;
1638 }
1639 return;
1640 }
1641
1642 static int
setup_tcp_server(uint16_t port)1643 setup_tcp_server(uint16_t port)
1644 {
1645 struct sockaddr_in server_addr = {};
1646 int server_fd = -1;
1647
1648 T_QUIET; T_ASSERT_POSIX_SUCCESS(server_fd = socket(AF_INET, SOCK_STREAM, 0),
1649 "tcp server socket creation failed");
1650
1651 server_addr.sin_family = AF_INET;
1652 server_addr.sin_addr.s_addr = htonl(INADDR_ANY);
1653 server_addr.sin_port = htons(port);
1654
1655 T_QUIET; T_ASSERT_POSIX_SUCCESS(bind(server_fd, (struct sockaddr *)&server_addr,
1656 sizeof(server_addr)), "tcp server bind failed");
1657
1658 T_QUIET; T_ASSERT_POSIX_SUCCESS(listen(server_fd, 2), "tcp server listen failed");
1659 return server_fd;
1660 }
1661
1662 static int
setup_loopback_tcp_client(uint16_t server_port)1663 setup_loopback_tcp_client(uint16_t server_port)
1664 {
1665 struct sockaddr_in conn_addr = {};
1666 int client_fd = -1;
1667
1668 T_QUIET; T_ASSERT_POSIX_SUCCESS(client_fd = socket(AF_INET, SOCK_STREAM, 0),
1669 "tcp client socket creation failed");
1670 T_QUIET; T_ASSERT_POSIX_SUCCESS(inet_pton(AF_INET, "127.0.0.1", &conn_addr.sin_addr),
1671 "loopback address inet_pton failed");
1672
1673 conn_addr.sin_family = AF_INET;
1674 conn_addr.sin_port = htons(server_port);
1675
1676 T_QUIET; T_ASSERT_POSIX_SUCCESS(connect(client_fd, (struct sockaddr *)&conn_addr, sizeof(conn_addr)),
1677 "tcp loopback client connect failed");
1678 return client_fd;
1679 }
1680
1681 static void
setup_socket_policy(int socket_fd)1682 setup_socket_policy(int socket_fd)
1683 {
1684 uint8_t buf[
1685 sizeof(struct sadb_x_policy) +
1686 sizeof(struct sadb_x_ipsecrequest) +
1687 sizeof(struct sockaddr_in) +
1688 sizeof(struct sockaddr_in)
1689 ];
1690
1691 struct sadb_x_policy *xpl = (struct sadb_x_policy *)buf;
1692 struct sadb_x_ipsecrequest *xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
1693 struct sockaddr *sa;
1694
1695
1696 bzero(buf, sizeof(buf));
1697 /* xpl: */
1698 xpl->sadb_x_policy_len = sizeof(buf) >> 3;
1699 xpl->sadb_x_policy_dir = IPSEC_DIR_INBOUND;
1700 xpl->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1701 /* xisr: */
1702 xisr->sadb_x_ipsecrequest_len = sizeof(buf) - sizeof(*xpl);
1703 xisr->sadb_x_ipsecrequest_proto = IPPROTO_ESP;
1704 xisr->sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT;
1705 xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_DEFAULT;
1706 /* src sockaddr: */
1707 sa = (struct sockaddr *)(xisr + 1);
1708 sa->sa_len = sizeof(struct sockaddr_in);
1709 /* dst sockaddr: */
1710 sa = (struct sockaddr *)((void *)(xisr + 1) + sa->sa_len);
1711 sa->sa_len = sizeof(struct sockaddr_in);
1712
1713 T_QUIET; T_ASSERT_POSIX_SUCCESS(setsockopt(socket_fd, IPPROTO_IP, IP_IPSEC_POLICY,
1714 buf, sizeof(buf)), "tcp server listen failed");
1715 }
1716
1717 T_DECL(sadb_x_get_60822136, "security policy reference count overflow")
1718 {
1719 test_id = TEST_SADB_X_GET_OVERFLOW_60822136;
1720
1721 int pfkey_socket = pfkey_setup_socket();
1722 send_pfkey_flush_sa(pfkey_socket);
1723 send_pfkey_flush_sp(pfkey_socket);
1724 send_pfkey_spd_add_message(pfkey_socket, IPSEC_ULPROTO_ANY);
1725
1726 dispatch_main();
1727 }
1728
1729 T_DECL(sadb_x_spd_enable_60822924, "security policy reference count overflow")
1730 {
1731 test_id = TEST_SADB_X_SPDENABLE_OVERFLOW_60822924;
1732
1733 int pfkey_socket = pfkey_setup_socket();
1734 send_pfkey_flush_sa(pfkey_socket);
1735 send_pfkey_flush_sp(pfkey_socket);
1736 send_pfkey_spd_add_message(pfkey_socket, IPSEC_ULPROTO_ANY);
1737
1738 dispatch_main();
1739 }
1740
1741 T_DECL(sadb_x_spd_disable_60822956, "security policy reference count overflow")
1742 {
1743 test_id = TEST_SADB_X_SPDDISABLE_OVERFLOW_60822956;
1744
1745 int pfkey_socket = pfkey_setup_socket();
1746 send_pfkey_flush_sa(pfkey_socket);
1747 send_pfkey_flush_sp(pfkey_socket);
1748 send_pfkey_spd_add_message(pfkey_socket, IPSEC_ULPROTO_ANY);
1749
1750 dispatch_main();
1751 }
1752
1753 T_DECL(sadb_update_60679513, "security association use after free")
1754 {
1755 test_id = TEST_SADB_UPDATE_USE_AFTER_FREE_60679513;
1756
1757 int pfkey_socket = pfkey_setup_socket();
1758 send_pfkey_flush_sa(pfkey_socket);
1759 send_pfkey_flush_sp(pfkey_socket);
1760 send_pkey_get_spi(pfkey_socket);
1761
1762 dispatch_main();
1763 }
1764
1765 T_DECL(sadb_dump_60768729, "security association sa dump heap overflow")
1766 {
1767 test_id = TEST_SADB_DUMP_HEAP_OVERFLOW_60768729;
1768
1769 int pfkey_socket = pfkey_setup_socket();
1770 T_ATEND(pfkey_cleanup);
1771 send_pfkey_flush_sa(pfkey_socket);
1772 send_pfkey_flush_sp(pfkey_socket);
1773 send_pkey_get_spi(pfkey_socket);
1774
1775 dispatch_main();
1776 }
1777
1778 T_DECL(sadb_policy_dump_60769680, "security association sa policy dump heap overflow")
1779 {
1780 test_id = TEST_SADB_POLICY_DUMP_HEAP_OVERFLOW_60769680;
1781
1782 int pfkey_socket = pfkey_setup_socket();
1783 T_ATEND(pfkey_cleanup);
1784 send_pfkey_flush_sa(pfkey_socket);
1785 send_pfkey_flush_sp(pfkey_socket);
1786 send_pfkey_spd_add_message(pfkey_socket, 1);
1787
1788 dispatch_main();
1789 }
1790
1791 T_DECL(sadb_get_sastat_oob_60769680, "security association get sa stat oob read")
1792 {
1793 test_id = TEST_SADB_GETSASTAT_OOB_READ_60822823;
1794
1795 int pfkey_socket = pfkey_setup_socket();
1796 T_ATEND(pfkey_cleanup);
1797 send_pfkey_flush_sa(pfkey_socket);
1798 send_pfkey_flush_sp(pfkey_socket);
1799 send_pkey_add_sa(pfkey_socket, 0x12345678, TEST_SRC_ADDRESS_IPv4, TEST_DST_ADDRESS_IPv4, AF_INET);
1800
1801 dispatch_main();
1802 }
1803
1804 T_DECL(sadb_get_sastat_success, "security association get sa stat")
1805 {
1806 test_id = TEST_SADB_GETSASTAT_OOB_READ_SUCCESS;
1807
1808 int pfkey_socket = pfkey_setup_socket();
1809 T_ATEND(pfkey_cleanup);
1810 send_pfkey_flush_sa(pfkey_socket);
1811 send_pfkey_flush_sp(pfkey_socket);
1812 send_pkey_add_sa(pfkey_socket, 0x12345678, TEST_SRC_ADDRESS_IPv4, TEST_DST_ADDRESS_IPv4, AF_INET);
1813
1814 dispatch_main();
1815 }
1816
1817 T_DECL(sadb_key_migrate_address_ipv4, "security association migrate address ipv4")
1818 {
1819 test_id = TEST_SADB_EXT_MIGRATE_ADDRESS_IPv4;
1820
1821 int pfkey_socket = pfkey_setup_socket();
1822 T_ATEND(pfkey_cleanup);
1823 send_pfkey_flush_sa(pfkey_socket);
1824 send_pfkey_flush_sp(pfkey_socket);
1825 send_pkey_add_sa(pfkey_socket, 0x12345678, TEST_SRC_ADDRESS_IPv4, TEST_DST_ADDRESS_IPv4, AF_INET);
1826
1827 dispatch_main();
1828 }
1829
1830 T_DECL(sadb_key_migrate_address_ipv6, "security association migrate address ipv6")
1831 {
1832 test_id = TEST_SADB_EXT_MIGRATE_ADDRESS_IPv6;
1833
1834 int pfkey_socket = pfkey_setup_socket();
1835 T_ATEND(pfkey_cleanup);
1836 send_pfkey_flush_sa(pfkey_socket);
1837 send_pfkey_flush_sp(pfkey_socket);
1838 send_pkey_add_sa(pfkey_socket, 0x12345678, TEST_SRC_ADDRESS_IPv6, TEST_DST_ADDRESS_IPv6, AF_INET6);
1839
1840 dispatch_main();
1841 }
1842
1843 T_DECL(sadb_key_migrate_bad_address, "security association migrate bad address")
1844 {
1845 test_id = TEST_SADB_EXT_MIGRATE_BAD_ADDRESS;
1846
1847 int pfkey_socket = pfkey_setup_socket();
1848 T_ATEND(pfkey_cleanup);
1849 send_pfkey_flush_sa(pfkey_socket);
1850 send_pfkey_flush_sp(pfkey_socket);
1851 send_pkey_add_sa(pfkey_socket, 0x12345678, TEST_SRC_ADDRESS_IPv6, TEST_DST_ADDRESS_IPv6, AF_INET6);
1852
1853 dispatch_main();
1854 }
1855
1856 T_DECL(tcp_input_ipsec_copy_policy, "listener policy copied to child")
1857 {
1858 test_id = TEST_TCP_INPUT_IPSEC_COPY_POLICY;
1859
1860 int server_fd = setup_tcp_server(4000);
1861 setup_socket_policy(server_fd);
1862 int client_fd = setup_loopback_tcp_client(4000);
1863
1864 sleep(3);
1865 close(client_fd);
1866 close(server_fd);
1867
1868 T_PASS("listener policy copied to child");
1869 }
1870