1 #include <darwintest.h>
2 #include <darwintest_utils.h>
3 #include <dispatch/dispatch.h>
4 #include <net/if_var_private.h>
5 #include <System/net/pfkeyv2.h>
6 #include <netinet6/ipsec.h>
7 #include <arpa/inet.h>
8
9 T_GLOBAL_META(
10 T_META_NAMESPACE("xnu.pfkey"),
11 T_META_ASROOT(true),
12 T_META_RADAR_COMPONENT_NAME("xnu"),
13 T_META_RADAR_COMPONENT_VERSION("NetworkExtension"),
14 T_META_CHECK_LEAKS(false));
15
16 #define MAX_SPD_CHECK 100
17 #define TEST_SRC_ADDRESS_IPv4 "192.168.2.2"
18 #define TEST_DST_ADDRESS_IPv4 "192.168.2.3"
19 #define TEST_SRC_ADDRESS_IPv6 "fd04:5c6b:8df7:7092:0000:0000:0000:0002"
20 #define TEST_DST_ADDRESS_IPv6 "fd04:5c6b:8df7:7092:0000:0000:0000:0003"
21 #define TEST_MIGRATE_SRC_ADDRESS_IPv4 "192.168.2.10"
22 #define TEST_MIGRATE_DST_ADDRESS_IPv4 "192.168.2.11"
23 #define TEST_MIGRATE_SRC_ADDRESS_IPv6 "fd04:5c6b:8df7:7092:0000:0000:0002:0000"
24 #define TEST_MIGRATE_DST_ADDRESS_IPv6 "fd04:5c6b:8df7:7092:0000:0000:0003:0000"
25
26 typedef enum {
27 TEST_INVALID = 0,
28 TEST_SADB_X_GET_OVERFLOW_60822136 = 1,
29 TEST_SADB_X_SPDENABLE_OVERFLOW_60822924 = 2,
30 TEST_SADB_X_SPDDISABLE_OVERFLOW_60822956 = 3,
31 TEST_SADB_UPDATE_USE_AFTER_FREE_60679513 = 4,
32 TEST_SADB_DUMP_HEAP_OVERFLOW_60768729 = 5,
33 TEST_SADB_POLICY_DUMP_HEAP_OVERFLOW_60769680 = 6,
34 TEST_SADB_GETSASTAT_OOB_READ_60822823 = 7,
35 TEST_SADB_GETSASTAT_OOB_READ_SUCCESS = 8,
36 TEST_SADB_EXT_MIGRATE_ADDRESS_IPv4 = 9,
37 TEST_SADB_EXT_MIGRATE_ADDRESS_IPv6 = 10,
38 TEST_SADB_EXT_MIGRATE_BAD_ADDRESS = 11,
39 TEST_TCP_INPUT_IPSEC_COPY_POLICY = 12,
40 TEST_SADB_X_SPDADD_MEMORY_LEAK_78944570 = 13,
41 } test_identifier;
42
43 static test_identifier test_id = TEST_INVALID;
44 static dispatch_source_t pfkey_source = NULL;
45
46 static void pfkey_cleanup(void);
47
48 static void pfkey_process_message_test_60822136(uint8_t **mhp, int pfkey_socket);
49 static void pfkey_process_message_test_60822924(uint8_t **mhp, int pfkey_socket);
50 static void pfkey_process_message_test_60822956(uint8_t **mhp, int pfkey_socket);
51 static void pfkey_process_message_test_60679513(uint8_t **mhp, int pfkey_socket);
52 static void pfkey_process_message_test_60768729(uint8_t **mhp, int pfkey_socket);
53 static void pfkey_process_message_test_60769680(uint8_t **mhp, int pfkey_socket);
54 static void pfkey_process_message_test_60822823(uint8_t **mhp, int pfkey_socket);
55 static void pfkey_process_message_test_60822823_1(uint8_t **mhp, int pfkey_socket);
56 static void pfkey_process_message_test_60687183(uint8_t **mhp, int pfkey_socket);
57 static void pfkey_process_message_test_60687183_1(uint8_t **mhp, int pfkey_socket);
58 static void pfkey_process_message_test_60687183_2(uint8_t **mhp, int pfkey_socket);
59 static void pfkey_process_message_test_78944570(uint8_t **mhp, int pfkey_socket);
60
61 static void(*const process_pfkey_message_tests[])(uint8_t * *mhp, int pfkey_socket) =
62 {
63 NULL,
64 pfkey_process_message_test_60822136, // TEST_SADB_X_GET_OVERFLOW_60822136
65 pfkey_process_message_test_60822924, // TEST_SADB_X_SPDENABLE_OVERFLOW_60822924
66 pfkey_process_message_test_60822956, // TEST_SADB_X_SPDDISABLE_OVERFLOW_60822956
67 pfkey_process_message_test_60679513, // TEST_SADB_UPDATE_USE_AFTER_FREE_60679513
68 pfkey_process_message_test_60768729, // TEST_SADB_DUMP_HEAP_OVERFLOW_60768729
69 pfkey_process_message_test_60769680, // TEST_SADB_POLICY_DUMP_HEAP_OVERFLOW_60769680
70 pfkey_process_message_test_60822823, // TEST_SADB_GETSASTAT_OOB_READ_60822823
71 pfkey_process_message_test_60822823_1, // TEST_SADB_GETSASTAT_OOB_READ_SUCCESS
72 pfkey_process_message_test_60687183, // TEST_SADB_EXT_MIGRATE_ADDRESS_IPv4
73 pfkey_process_message_test_60687183_1, // TEST_SADB_EXT_MIGRATE_ADDRESS_IPv6
74 pfkey_process_message_test_60687183_2, // TEST_SADB_EXT_MIGRATE_BAD_ADDRESS
75 NULL, // TEST_TCP_INPUT_IPSEC_COPY_POLICY
76 pfkey_process_message_test_78944570, // TEST_SADB_X_SPDADD_MEMORY_LEAK_78944570
77 };
78
79 static void
pfkey_align(struct sadb_msg * msg,uint8_t ** mhp)80 pfkey_align(struct sadb_msg *msg, uint8_t **mhp)
81 {
82 struct sadb_ext *ext;
83 int i;
84 uint8_t *p;
85 uint8_t *ep; /* XXX should be passed from upper layer */
86
87 /* validity check */
88 T_QUIET; T_ASSERT_NOTNULL(msg, "pfkey align msg");
89 T_QUIET; T_ASSERT_NOTNULL(mhp, "pfkey align mhp");
90
91 /* initialize */
92 for (i = 0; i < SADB_EXT_MAX + 1; i++) {
93 mhp[i] = NULL;
94 }
95
96 mhp[0] = (void *)msg;
97
98 /* initialize */
99 p = (void *) msg;
100 ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len);
101
102 /* skip base header */
103 p += sizeof(struct sadb_msg);
104
105 while (p < ep) {
106 ext = (void *)p;
107 T_QUIET; T_ASSERT_GE_PTR((void *)ep, (void *)(p + sizeof(*ext)), "pfkey extension header beyond end of buffer");
108 T_QUIET; T_ASSERT_GE_ULONG((unsigned long)PFKEY_EXTLEN(ext), sizeof(*ext), "pfkey extension shorter than extension header");
109 T_QUIET; T_ASSERT_GE_PTR((void *)ep, (void *)(p + PFKEY_EXTLEN(ext)), "pfkey extension length beyond end of buffer");
110
111 T_QUIET; T_EXPECT_NULL(mhp[ext->sadb_ext_type], "duplicate extension type %u payload", ext->sadb_ext_type);
112
113 /* set pointer */
114 switch (ext->sadb_ext_type) {
115 case SADB_EXT_SA:
116 case SADB_EXT_LIFETIME_CURRENT:
117 case SADB_EXT_LIFETIME_HARD:
118 case SADB_EXT_LIFETIME_SOFT:
119 case SADB_EXT_ADDRESS_SRC:
120 case SADB_EXT_ADDRESS_DST:
121 case SADB_EXT_ADDRESS_PROXY:
122 case SADB_EXT_KEY_AUTH:
123 /* XXX should to be check weak keys. */
124 case SADB_EXT_KEY_ENCRYPT:
125 /* XXX should to be check weak keys. */
126 case SADB_EXT_IDENTITY_SRC:
127 case SADB_EXT_IDENTITY_DST:
128 case SADB_EXT_SENSITIVITY:
129 case SADB_EXT_PROPOSAL:
130 case SADB_EXT_SUPPORTED_AUTH:
131 case SADB_EXT_SUPPORTED_ENCRYPT:
132 case SADB_EXT_SPIRANGE:
133 case SADB_X_EXT_POLICY:
134 case SADB_X_EXT_SA2:
135 case SADB_EXT_SESSION_ID:
136 case SADB_EXT_SASTAT:
137 #ifdef SADB_X_EXT_NAT_T_TYPE
138 case SADB_X_EXT_NAT_T_TYPE:
139 case SADB_X_EXT_NAT_T_SPORT:
140 case SADB_X_EXT_NAT_T_DPORT:
141 case SADB_X_EXT_NAT_T_OA:
142 #endif
143 #ifdef SADB_X_EXT_TAG
144 case SADB_X_EXT_TAG:
145 #endif
146 #ifdef SADB_X_EXT_PACKET
147 case SADB_X_EXT_PACKET:
148 #endif
149 case SADB_X_EXT_IPSECIF:
150 case SADB_X_EXT_ADDR_RANGE_SRC_START:
151 case SADB_X_EXT_ADDR_RANGE_SRC_END:
152 case SADB_X_EXT_ADDR_RANGE_DST_START:
153 case SADB_X_EXT_ADDR_RANGE_DST_END:
154 #ifdef SADB_MIGRATE
155 case SADB_EXT_MIGRATE_ADDRESS_SRC:
156 case SADB_EXT_MIGRATE_ADDRESS_DST:
157 case SADB_X_EXT_MIGRATE_IPSECIF:
158 #endif
159 mhp[ext->sadb_ext_type] = (void *)ext;
160 break;
161 default:
162 T_FAIL("bad extension type %u", ext->sadb_ext_type);
163 T_END;
164 }
165
166 p += PFKEY_EXTLEN(ext);
167 }
168
169 T_QUIET; T_EXPECT_EQ_PTR((void *)ep, (void *)p, "invalid pfkey message length");
170 return;
171 }
172
173
174 static void
recv_pfkey_message(int pfkey_socket)175 recv_pfkey_message(int pfkey_socket)
176 {
177 uint8_t buffer[8192] __attribute__((aligned(4)));
178 struct iovec iovecs[1] = {
179 { buffer, sizeof(buffer) },
180 };
181 struct msghdr msg = {
182 NULL,
183 0,
184 iovecs,
185 sizeof(iovecs) / sizeof(iovecs[0]),
186 NULL,
187 0,
188 0,
189 };
190
191 do {
192 ssize_t result = -1;
193 memset(buffer, 0, sizeof(buffer));
194 T_QUIET; T_ASSERT_POSIX_SUCCESS(result = recvmsg(pfkey_socket, &msg, 0), NULL);
195
196 if (result > 0) {
197 T_QUIET; T_ASSERT_GE_ULONG((size_t)result, sizeof(struct sadb_msg), "Invalid PFKey message size: %zu", result);
198 struct sadb_msg *hdr = (struct sadb_msg *)buffer;
199 uint8_t *mhp[SADB_EXT_MAX + 1];
200 pfkey_align(hdr, mhp);
201 (*process_pfkey_message_tests[test_id])(mhp, pfkey_socket);
202 } else if (result == 0) {
203 T_LOG("PFKey socket received EOF");
204 break;
205 }
206 } while (1);
207 }
208
209 static void
send_pfkey_spd_add_message(int pfkey_socket,uint8_t proto)210 send_pfkey_spd_add_message(int pfkey_socket, uint8_t proto)
211 {
212 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
213 bzero(payload, sizeof(payload));
214 uint16_t tlen = 0;
215
216 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
217 msg_payload->sadb_msg_version = PF_KEY_V2;
218 msg_payload->sadb_msg_type = SADB_X_SPDADD;
219 msg_payload->sadb_msg_errno = 0;
220 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
221 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
222 msg_payload->sadb_msg_reserved = 0;
223 msg_payload->sadb_msg_seq = 0;
224 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
225 tlen += sizeof(*msg_payload);
226
227 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
228 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
229 src_address_payload->sadb_address_proto = proto & 0xff;
230 src_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
231 src_address_payload->sadb_address_reserved = 0;
232 tlen += sizeof(*src_address_payload);
233
234 struct sockaddr_in *src = (struct sockaddr_in *)(void *)(payload + tlen);
235 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_SRC_ADDRESS_IPv4, &src->sin_addr), 1, "src address fail");
236 src->sin_family = AF_INET;
237 src->sin_len = sizeof(*src);
238 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src->sin_len);
239 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
240 tlen += PFKEY_ALIGN8(src->sin_len);
241
242 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
243 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
244 dst_address_payload->sadb_address_proto = proto & 0xff;
245 dst_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
246 dst_address_payload->sadb_address_reserved = 0;
247 tlen += sizeof(*dst_address_payload);
248
249 struct sockaddr_in *dst = (struct sockaddr_in *)(void *)(payload + tlen);
250 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_DST_ADDRESS_IPv4, &dst->sin_addr), 1, "dst address fail");
251 dst->sin_family = AF_INET;
252 dst->sin_len = sizeof(*dst);
253 len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst->sin_len);
254 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
255 tlen += PFKEY_ALIGN8(dst->sin_len);
256
257 struct sadb_lifetime *lifetime_payload = (struct sadb_lifetime *)(void *)(payload + tlen);
258 lifetime_payload->sadb_lifetime_len = PFKEY_UNIT64(sizeof(*lifetime_payload));
259 lifetime_payload->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
260 tlen += sizeof(*lifetime_payload);
261
262 struct sadb_x_policy *policy_payload = (struct sadb_x_policy *)(void *)(payload + tlen);
263 policy_payload->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*policy_payload));
264 policy_payload->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
265 policy_payload->sadb_x_policy_type = IPSEC_POLICY_DISCARD;
266 if (test_id == TEST_SADB_X_SPDADD_MEMORY_LEAK_78944570) {
267 policy_payload->sadb_x_policy_dir = IPSEC_DIR_INVALID;
268 } else {
269 policy_payload->sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
270 }
271 tlen += sizeof(*policy_payload);
272
273 // Update the total length
274 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
275 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd add");
276 }
277
278 static void
send_pfkey_spd_get_message(int pfkey_socket,uint32_t policy_id)279 send_pfkey_spd_get_message(int pfkey_socket, uint32_t policy_id)
280 {
281 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
282 bzero(payload, sizeof(payload));
283 uint16_t tlen = 0;
284
285 struct sadb_msg *msg_payload = (struct sadb_msg *)(void *)payload;
286 msg_payload->sadb_msg_version = PF_KEY_V2;
287 msg_payload->sadb_msg_type = SADB_X_SPDGET;
288 msg_payload->sadb_msg_errno = 0;
289 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
290 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
291 msg_payload->sadb_msg_reserved = 0;
292 msg_payload->sadb_msg_seq = 0;
293 msg_payload->sadb_msg_pid = (uint32_t)getpid();
294 tlen += sizeof(*msg_payload);
295
296 struct sadb_x_policy *policy_payload = (struct sadb_x_policy *)(void *)(payload + tlen);
297 policy_payload->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*policy_payload));
298 policy_payload->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
299 policy_payload->sadb_x_policy_id = policy_id;
300 tlen += sizeof(*policy_payload);
301
302 // Update the total length
303 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
304 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd get failed");
305 }
306
307 static void
send_pfkey_spd_enable_message(int pfkey_socket,uint32_t policy_id)308 send_pfkey_spd_enable_message(int pfkey_socket, uint32_t policy_id)
309 {
310 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
311 bzero(payload, sizeof(payload));
312 uint16_t tlen = 0;
313
314 struct sadb_msg *msg_payload = (struct sadb_msg *)(void *)payload;
315 msg_payload->sadb_msg_version = PF_KEY_V2;
316 msg_payload->sadb_msg_type = SADB_X_SPDENABLE;
317 msg_payload->sadb_msg_errno = 0;
318 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
319 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
320 msg_payload->sadb_msg_reserved = 0;
321 msg_payload->sadb_msg_seq = 0;
322 msg_payload->sadb_msg_pid = (uint32_t)getpid();
323 tlen += sizeof(*msg_payload);
324
325 struct sadb_x_policy *policy_payload = (struct sadb_x_policy *)(void *)(payload + tlen);
326 policy_payload->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*policy_payload));
327 policy_payload->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
328 policy_payload->sadb_x_policy_id = policy_id;
329 tlen += sizeof(*policy_payload);
330
331 // Update the total length
332 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
333 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd enable failed");
334 }
335
336 static void
send_pfkey_spd_disable_message(int pfkey_socket,uint32_t policy_id)337 send_pfkey_spd_disable_message(int pfkey_socket, uint32_t policy_id)
338 {
339 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
340 bzero(payload, sizeof(payload));
341 uint16_t tlen = 0;
342
343 struct sadb_msg *msg_payload = (struct sadb_msg *)(void *)payload;
344 msg_payload->sadb_msg_version = PF_KEY_V2;
345 msg_payload->sadb_msg_type = SADB_X_SPDDISABLE;
346 msg_payload->sadb_msg_errno = 0;
347 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
348 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
349 msg_payload->sadb_msg_reserved = 0;
350 msg_payload->sadb_msg_seq = 0;
351 msg_payload->sadb_msg_pid = (uint32_t)getpid();
352 tlen += sizeof(*msg_payload);
353
354 struct sadb_x_policy *policy_payload = (struct sadb_x_policy *)(void *)(payload + tlen);
355 policy_payload->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*policy_payload));
356 policy_payload->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
357 policy_payload->sadb_x_policy_id = policy_id;
358 tlen += sizeof(*policy_payload);
359
360 // Update the total length
361 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
362 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd disable failed");
363 }
364
365 static void
send_pfkey_spd_delete_message(int pfkey_socket,uint32_t policy_id)366 send_pfkey_spd_delete_message(int pfkey_socket, uint32_t policy_id)
367 {
368 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
369 bzero(payload, sizeof(payload));
370 uint16_t tlen = 0;
371
372 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
373 msg_payload->sadb_msg_version = PF_KEY_V2;
374 msg_payload->sadb_msg_type = SADB_X_SPDDELETE2;
375 msg_payload->sadb_msg_errno = 0;
376 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
377 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
378 msg_payload->sadb_msg_reserved = 0;
379 msg_payload->sadb_msg_seq = 0;
380 msg_payload->sadb_msg_pid = (uint32_t)getpid();
381 tlen += sizeof(*msg_payload);
382
383 struct sadb_x_policy *policy_payload = (struct sadb_x_policy *)(void *)(payload + tlen);
384 policy_payload->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*policy_payload));
385 policy_payload->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
386 policy_payload->sadb_x_policy_id = policy_id;
387 tlen += sizeof(*policy_payload);
388
389 // Update the total length
390 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
391 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd delete failed");
392 }
393
394 static void
send_pfkey_spd_dump_message(int pfkey_socket)395 send_pfkey_spd_dump_message(int pfkey_socket)
396 {
397 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
398 bzero(payload, sizeof(payload));
399 uint16_t tlen = 0;
400
401 struct sadb_msg *msg_payload = (struct sadb_msg *)(void *)payload;
402 msg_payload->sadb_msg_version = PF_KEY_V2;
403 msg_payload->sadb_msg_type = SADB_X_SPDDUMP;
404 msg_payload->sadb_msg_errno = 0;
405 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
406 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
407 msg_payload->sadb_msg_reserved = 0;
408 msg_payload->sadb_msg_seq = 0;
409 msg_payload->sadb_msg_pid = (uint32_t)getpid();
410 tlen += sizeof(*msg_payload);
411
412 // Update the total length
413 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
414 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send spd dump failed");
415 }
416
417 static void
send_pfkey_flush_sp(int pfkey_socket)418 send_pfkey_flush_sp(int pfkey_socket)
419 {
420 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
421 bzero(payload, sizeof(payload));
422 uint16_t tlen = 0;
423
424 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
425 msg_payload->sadb_msg_version = PF_KEY_V2;
426 msg_payload->sadb_msg_type = SADB_X_SPDFLUSH;
427 msg_payload->sadb_msg_errno = 0;
428 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
429 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
430 msg_payload->sadb_msg_reserved = 0;
431 msg_payload->sadb_msg_seq = 0;
432 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
433 tlen += sizeof(*msg_payload);
434
435 // Update the total length
436 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
437 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey flush security policies");
438 }
439
440 static void
send_pkey_get_spi(int pfkey_socket)441 send_pkey_get_spi(int pfkey_socket)
442 {
443 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
444 bzero(payload, sizeof(payload));
445 uint16_t tlen = 0;
446
447 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
448 msg_payload->sadb_msg_version = PF_KEY_V2;
449 msg_payload->sadb_msg_type = SADB_GETSPI;
450 msg_payload->sadb_msg_errno = 0;
451 msg_payload->sadb_msg_satype = SADB_SATYPE_ESP;
452 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
453 msg_payload->sadb_msg_reserved = 0;
454 msg_payload->sadb_msg_seq = 0;
455 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
456 tlen += sizeof(*msg_payload);
457
458 struct sadb_x_sa2 *sa2_payload = (struct sadb_x_sa2 *)(void *)(payload + tlen);
459 sa2_payload->sadb_x_sa2_len = PFKEY_UNIT64(sizeof(*sa2_payload));
460 sa2_payload->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
461 sa2_payload->sadb_x_sa2_mode = IPSEC_MODE_TRANSPORT;
462 sa2_payload->sadb_x_sa2_reqid = 0;
463 tlen += sizeof(*sa2_payload);
464
465 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
466 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
467 src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
468 src_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
469 src_address_payload->sadb_address_reserved = 0;
470 tlen += sizeof(*src_address_payload);
471
472 struct sockaddr_in *src = (struct sockaddr_in *)(void *)(payload + tlen);
473 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_SRC_ADDRESS_IPv4, &src->sin_addr), 1, "src address fail");
474 src->sin_family = AF_INET;
475 src->sin_len = sizeof(*src);
476 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src->sin_len);
477 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
478 tlen += PFKEY_ALIGN8(src->sin_len);
479
480 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
481 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
482 dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
483 dst_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
484 dst_address_payload->sadb_address_reserved = 0;
485 tlen += sizeof(*dst_address_payload);
486
487 struct sockaddr_in *dst = (struct sockaddr_in *)(void *)(payload + tlen);
488 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_DST_ADDRESS_IPv4, &dst->sin_addr), 1, "dst address fail");
489 dst->sin_family = AF_INET;
490 dst->sin_len = sizeof(*dst);
491 len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst->sin_len);
492 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
493 tlen += PFKEY_ALIGN8(dst->sin_len);
494
495 // Update the total length
496 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
497 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send get spi");
498 }
499
500 static void
send_pkey_add_sa(int pfkey_socket,uint32_t spi,const char * src,const char * dst,int family)501 send_pkey_add_sa(int pfkey_socket, uint32_t spi, const char *src, const char *dst, int family)
502 {
503 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
504 bzero(payload, sizeof(payload));
505 uint16_t tlen = 0;
506
507 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
508 msg_payload->sadb_msg_version = PF_KEY_V2;
509 msg_payload->sadb_msg_type = SADB_ADD;
510 msg_payload->sadb_msg_errno = 0;
511 msg_payload->sadb_msg_satype = SADB_SATYPE_ESP;
512 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
513 msg_payload->sadb_msg_reserved = 0;
514 msg_payload->sadb_msg_seq = 0;
515 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
516 tlen += sizeof(*msg_payload);
517
518 struct sadb_sa_2 *sa2_payload = (struct sadb_sa_2 *)(void *)(payload + tlen);
519 sa2_payload->sa.sadb_sa_len = PFKEY_UNIT64(sizeof(*sa2_payload));
520 sa2_payload->sa.sadb_sa_exttype = SADB_EXT_SA;
521 sa2_payload->sa.sadb_sa_spi = htonl(spi);
522 sa2_payload->sa.sadb_sa_replay = 4;
523 sa2_payload->sa.sadb_sa_state = SADB_SASTATE_LARVAL;
524 sa2_payload->sa.sadb_sa_auth = SADB_X_AALG_SHA2_256;
525 sa2_payload->sa.sadb_sa_encrypt = SADB_X_EALG_AESCBC;
526 sa2_payload->sa.sadb_sa_flags |= (SADB_X_EXT_NATT | SADB_X_EXT_NATT_KEEPALIVE);
527 sa2_payload->sadb_sa_natt_src_port = htons(4500);
528 sa2_payload->sadb_sa_natt_port = 4500;
529 sa2_payload->sadb_sa_natt_interval = 20;
530 sa2_payload->sadb_sa_natt_offload_interval = 0;
531 tlen += sizeof(*sa2_payload);
532
533 struct sadb_x_sa2 *sa2_x_payload = (struct sadb_x_sa2 *)(void *)(payload + tlen);
534 sa2_x_payload->sadb_x_sa2_len = PFKEY_UNIT64(sizeof(*sa2_x_payload));
535 sa2_x_payload->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
536 sa2_x_payload->sadb_x_sa2_mode = IPSEC_MODE_TRANSPORT;
537 sa2_x_payload->sadb_x_sa2_reqid = 0;
538 tlen += sizeof(*sa2_x_payload);
539
540 uint8_t prefixlen = (family == AF_INET) ? (sizeof(struct in_addr) << 3) : (sizeof(struct in6_addr) << 3);
541
542 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
543 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
544 src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
545 src_address_payload->sadb_address_prefixlen = prefixlen;
546 src_address_payload->sadb_address_reserved = 0;
547 tlen += sizeof(*src_address_payload);
548
549 if (family == AF_INET) {
550 struct sockaddr_in *src4 = (struct sockaddr_in *)(void *)(payload + tlen);
551 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, src, &src4->sin_addr), 1, "src address fail");
552 src4->sin_family = AF_INET;
553 src4->sin_len = sizeof(*src4);
554 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src4->sin_len);
555 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
556 tlen += PFKEY_ALIGN8(src4->sin_len);
557 } else {
558 struct sockaddr_in6 *src6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
559 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, src, &src6->sin6_addr), 1, "src address fail");
560 src6->sin6_family = AF_INET6;
561 src6->sin6_len = sizeof(*src6);
562 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src6->sin6_len);
563 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
564 tlen += PFKEY_ALIGN8(src6->sin6_len);
565 }
566
567 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
568 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
569 dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
570 dst_address_payload->sadb_address_prefixlen = prefixlen;
571 dst_address_payload->sadb_address_reserved = 0;
572 tlen += sizeof(*dst_address_payload);
573
574 if (family == AF_INET) {
575 struct sockaddr_in *dst4 = (struct sockaddr_in *)(void *)(payload + tlen);
576 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, dst, &dst4->sin_addr), 1, "dst address fail");
577 dst4->sin_family = AF_INET;
578 dst4->sin_len = sizeof(*dst4);
579 uint16_t len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst4->sin_len);
580 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
581 tlen += PFKEY_ALIGN8(dst4->sin_len);
582 } else {
583 struct sockaddr_in6 *dst6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
584 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, dst, &dst6->sin6_addr), 1, "dst address fail");
585 dst6->sin6_family = AF_INET6;
586 dst6->sin6_len = sizeof(*dst6);
587 uint16_t len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst6->sin6_len);
588 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
589 tlen += PFKEY_ALIGN8(dst6->sin6_len);
590 }
591
592 struct sadb_key *encrypt_key_payload = (struct sadb_key *)(void *)(payload + tlen);
593 uint16_t len = sizeof(*encrypt_key_payload) + PFKEY_ALIGN8(32);
594 encrypt_key_payload->sadb_key_len = PFKEY_UNIT64(len);
595 encrypt_key_payload->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
596 encrypt_key_payload->sadb_key_bits = (uint16_t)(32 << 3);
597 encrypt_key_payload->sadb_key_reserved = 0;
598 tlen += sizeof(*encrypt_key_payload);
599 arc4random_buf(payload + tlen, 32);
600 tlen += PFKEY_ALIGN8(32);
601
602 struct sadb_key *auth_key_payload = (struct sadb_key *)(void *)(payload + tlen);
603 len = sizeof(*auth_key_payload) + PFKEY_ALIGN8(32);
604 auth_key_payload->sadb_key_len = PFKEY_UNIT64(len);
605 auth_key_payload->sadb_key_exttype = SADB_EXT_KEY_AUTH;
606 auth_key_payload->sadb_key_bits = (uint16_t)(32 << 3);
607 auth_key_payload->sadb_key_reserved = 0;
608 tlen += sizeof(*auth_key_payload);
609 arc4random_buf(payload + tlen, 32);
610 tlen += PFKEY_ALIGN8(32);
611
612 struct sadb_lifetime *hard_lifetime_payload = (struct sadb_lifetime *)(void *)(payload + tlen);
613 hard_lifetime_payload->sadb_lifetime_len = PFKEY_UNIT64(sizeof(*hard_lifetime_payload));
614 hard_lifetime_payload->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
615 tlen += sizeof(*hard_lifetime_payload);
616
617 struct sadb_lifetime *soft_lifetime_payload = (struct sadb_lifetime *)(void *)(payload + tlen);
618 soft_lifetime_payload->sadb_lifetime_len = PFKEY_UNIT64(sizeof(*soft_lifetime_payload));
619 soft_lifetime_payload->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
620 tlen += sizeof(*soft_lifetime_payload);
621
622 // Update the total length
623 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
624 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send update sa");
625 }
626
627 static void
send_pkey_update_sa(int pfkey_socket,uint32_t spi)628 send_pkey_update_sa(int pfkey_socket, uint32_t spi)
629 {
630 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
631 bzero(payload, sizeof(payload));
632 uint16_t tlen = 0;
633
634 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
635 msg_payload->sadb_msg_version = PF_KEY_V2;
636 msg_payload->sadb_msg_type = SADB_UPDATE;
637 msg_payload->sadb_msg_errno = 0;
638 msg_payload->sadb_msg_satype = SADB_SATYPE_ESP;
639 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
640 msg_payload->sadb_msg_reserved = 0;
641 msg_payload->sadb_msg_seq = 0;
642 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
643 tlen += sizeof(*msg_payload);
644
645 struct sadb_sa_2 *sa2_payload = (struct sadb_sa_2 *)(void *)(payload + tlen);
646 sa2_payload->sa.sadb_sa_len = PFKEY_UNIT64(sizeof(*sa2_payload));
647 sa2_payload->sa.sadb_sa_exttype = SADB_EXT_SA;
648 sa2_payload->sa.sadb_sa_spi = htonl(spi);
649 sa2_payload->sa.sadb_sa_replay = 4;
650 sa2_payload->sa.sadb_sa_state = SADB_SASTATE_LARVAL;
651 sa2_payload->sa.sadb_sa_auth = SADB_X_AALG_SHA2_256;
652 sa2_payload->sa.sadb_sa_encrypt = SADB_X_EALG_AESCBC;
653 sa2_payload->sa.sadb_sa_flags |= (SADB_X_EXT_NATT | SADB_X_EXT_NATT_KEEPALIVE);
654 sa2_payload->sadb_sa_natt_src_port = htons(4500);
655 sa2_payload->sadb_sa_natt_port = 0; // Bad value to trigger failure
656 sa2_payload->sadb_sa_natt_interval = 20;
657 sa2_payload->sadb_sa_natt_offload_interval = 0;
658 tlen += sizeof(*sa2_payload);
659
660 struct sadb_x_sa2 *sa2_x_payload = (struct sadb_x_sa2 *)(void *)(payload + tlen);
661 sa2_x_payload->sadb_x_sa2_len = PFKEY_UNIT64(sizeof(*sa2_x_payload));
662 sa2_x_payload->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
663 sa2_x_payload->sadb_x_sa2_mode = IPSEC_MODE_TRANSPORT;
664 sa2_x_payload->sadb_x_sa2_reqid = 0;
665 tlen += sizeof(*sa2_x_payload);
666
667 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
668 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
669 src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
670 src_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
671 src_address_payload->sadb_address_reserved = 0;
672 tlen += sizeof(*src_address_payload);
673
674 struct sockaddr_in *src = (struct sockaddr_in *)(void *)(payload + tlen);
675 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_SRC_ADDRESS_IPv4, &src->sin_addr), 1, "src address fail");
676 src->sin_family = AF_INET;
677 src->sin_len = sizeof(*src);
678 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src->sin_len);
679 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
680 tlen += PFKEY_ALIGN8(src->sin_len);
681
682 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
683 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
684 dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
685 dst_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
686 dst_address_payload->sadb_address_reserved = 0;
687 tlen += sizeof(*dst_address_payload);
688
689 struct sockaddr_in *dst = (struct sockaddr_in *)(void *)(payload + tlen);
690 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_DST_ADDRESS_IPv4, &dst->sin_addr), 1, "dst address fail");
691 dst->sin_family = AF_INET;
692 dst->sin_len = sizeof(*dst);
693 len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst->sin_len);
694 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
695 tlen += PFKEY_ALIGN8(dst->sin_len);
696
697 struct sadb_key *encrypt_key_payload = (struct sadb_key *)(void *)(payload + tlen);
698 len = sizeof(*encrypt_key_payload) + PFKEY_ALIGN8(32);
699 encrypt_key_payload->sadb_key_len = PFKEY_UNIT64(len);
700 encrypt_key_payload->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
701 encrypt_key_payload->sadb_key_bits = (uint16_t)(32 << 3);
702 encrypt_key_payload->sadb_key_reserved = 0;
703 tlen += sizeof(*encrypt_key_payload);
704 arc4random_buf(payload + tlen, 32);
705 tlen += PFKEY_ALIGN8(32);
706
707 struct sadb_key *auth_key_payload = (struct sadb_key *)(void *)(payload + tlen);
708 len = sizeof(*auth_key_payload) + PFKEY_ALIGN8(32);
709 auth_key_payload->sadb_key_len = PFKEY_UNIT64(len);
710 auth_key_payload->sadb_key_exttype = SADB_EXT_KEY_AUTH;
711 auth_key_payload->sadb_key_bits = (uint16_t)(32 << 3);
712 auth_key_payload->sadb_key_reserved = 0;
713 tlen += sizeof(*auth_key_payload);
714 arc4random_buf(payload + tlen, 32);
715 tlen += PFKEY_ALIGN8(32);
716
717 struct sadb_lifetime *hard_lifetime_payload = (struct sadb_lifetime *)(void *)(payload + tlen);
718 hard_lifetime_payload->sadb_lifetime_len = PFKEY_UNIT64(sizeof(*hard_lifetime_payload));
719 hard_lifetime_payload->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
720 tlen += sizeof(*hard_lifetime_payload);
721
722 struct sadb_lifetime *soft_lifetime_payload = (struct sadb_lifetime *)(void *)(payload + tlen);
723 soft_lifetime_payload->sadb_lifetime_len = PFKEY_UNIT64(sizeof(*soft_lifetime_payload));
724 soft_lifetime_payload->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
725 tlen += sizeof(*soft_lifetime_payload);
726
727 // Update the total length
728 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
729 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send update sa");
730 }
731
732 static void
send_pkey_migrate_sa(int pfkey_socket,uint32_t spi,const char * src,const char * dst,int family,const char * migrate_src,const char * migrate_dst,int migrate_family)733 send_pkey_migrate_sa(int pfkey_socket, uint32_t spi, const char *src, const char *dst, int family,
734 const char *migrate_src, const char *migrate_dst, int migrate_family)
735 {
736 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
737 bzero(payload, sizeof(payload));
738 uint16_t tlen = 0;
739
740 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
741 msg_payload->sadb_msg_version = PF_KEY_V2;
742 msg_payload->sadb_msg_type = SADB_MIGRATE;
743 msg_payload->sadb_msg_errno = 0;
744 msg_payload->sadb_msg_satype = SADB_SATYPE_ESP;
745 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
746 msg_payload->sadb_msg_reserved = 0;
747 msg_payload->sadb_msg_seq = 0;
748 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
749 tlen += sizeof(*msg_payload);
750
751 struct sadb_sa_2 *sa2_payload = (struct sadb_sa_2 *)(void *)(payload + tlen);
752 sa2_payload->sa.sadb_sa_len = PFKEY_UNIT64(sizeof(*sa2_payload));
753 sa2_payload->sa.sadb_sa_exttype = SADB_EXT_SA;
754 sa2_payload->sa.sadb_sa_spi = htonl(spi);
755 sa2_payload->sa.sadb_sa_replay = 4;
756 sa2_payload->sa.sadb_sa_state = SADB_SASTATE_LARVAL;
757 sa2_payload->sa.sadb_sa_auth = SADB_X_AALG_SHA2_256;
758 sa2_payload->sa.sadb_sa_encrypt = SADB_X_EALG_AESCBC;
759 sa2_payload->sa.sadb_sa_flags |= (SADB_X_EXT_NATT | SADB_X_EXT_NATT_KEEPALIVE);
760 sa2_payload->sadb_sa_natt_src_port = htons(4500);
761 sa2_payload->sadb_sa_natt_port = 0; // Bad value to trigger failure
762 sa2_payload->sadb_sa_natt_interval = 20;
763 sa2_payload->sadb_sa_natt_offload_interval = 0;
764 tlen += sizeof(*sa2_payload);
765
766 struct sadb_x_sa2 *sa2_x_payload = (struct sadb_x_sa2 *)(void *)(payload + tlen);
767 sa2_x_payload->sadb_x_sa2_len = PFKEY_UNIT64(sizeof(*sa2_x_payload));
768 sa2_x_payload->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
769 sa2_x_payload->sadb_x_sa2_mode = IPSEC_MODE_TRANSPORT;
770 sa2_x_payload->sadb_x_sa2_reqid = 0;
771 tlen += sizeof(*sa2_x_payload);
772
773 uint8_t prefixlen = (family == AF_INET) ? (sizeof(struct in_addr) << 3) : (sizeof(struct in6_addr) << 3);
774
775 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
776 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
777 src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
778 src_address_payload->sadb_address_prefixlen = prefixlen;
779 src_address_payload->sadb_address_reserved = 0;
780 tlen += sizeof(*src_address_payload);
781
782 if (family == AF_INET) {
783 struct sockaddr_in *src4 = (struct sockaddr_in *)(void *)(payload + tlen);
784 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, src, &src4->sin_addr), 1, "src address fail");
785 src4->sin_family = AF_INET;
786 src4->sin_len = sizeof(*src4);
787 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src4->sin_len);
788 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
789 tlen += PFKEY_ALIGN8(src4->sin_len);
790 } else {
791 struct sockaddr_in6 *src6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
792 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, src, &src6->sin6_addr), 1, "src address fail");
793 src6->sin6_family = AF_INET6;
794 src6->sin6_len = sizeof(*src6);
795 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src6->sin6_len);
796 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
797 tlen += PFKEY_ALIGN8(src6->sin6_len);
798 }
799
800 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
801 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
802 dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
803 dst_address_payload->sadb_address_prefixlen = prefixlen;
804 dst_address_payload->sadb_address_reserved = 0;
805 tlen += sizeof(*dst_address_payload);
806
807 if (family == AF_INET) {
808 struct sockaddr_in *dst4 = (struct sockaddr_in *)(void *)(payload + tlen);
809 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, dst, &dst4->sin_addr), 1, "dst address fail");
810 dst4->sin_family = AF_INET;
811 dst4->sin_len = sizeof(*dst4);
812 uint16_t len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst4->sin_len);
813 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
814 tlen += PFKEY_ALIGN8(dst4->sin_len);
815 } else {
816 struct sockaddr_in6 *dst6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
817 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, dst, &dst6->sin6_addr), 1, "dst address fail");
818 dst6->sin6_family = AF_INET6;
819 dst6->sin6_len = sizeof(*dst6);
820 uint16_t len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst6->sin6_len);
821 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
822 tlen += PFKEY_ALIGN8(dst6->sin6_len);
823 }
824
825 prefixlen = (migrate_family == AF_INET) ? (sizeof(struct in_addr) << 3) : (sizeof(struct in6_addr) << 3);
826
827 struct sadb_address *migrate_src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
828 migrate_src_address_payload->sadb_address_exttype = SADB_EXT_MIGRATE_ADDRESS_SRC & 0xffff;
829 migrate_src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
830 migrate_src_address_payload->sadb_address_prefixlen = prefixlen;
831 migrate_src_address_payload->sadb_address_reserved = 0;
832 tlen += sizeof(*migrate_src_address_payload);
833
834 if (migrate_family == AF_INET) {
835 struct sockaddr_in *migrate_src4 = (struct sockaddr_in *)(void *)(payload + tlen);
836 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, migrate_src, &migrate_src4->sin_addr), 1, "migrate src fail");
837 migrate_src4->sin_family = AF_INET;
838 migrate_src4->sin_len = sizeof(*migrate_src4);
839 uint16_t len = sizeof(*migrate_src_address_payload) + PFKEY_ALIGN8(migrate_src4->sin_len);
840 migrate_src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
841 tlen += PFKEY_ALIGN8(migrate_src4->sin_len);
842 } else if (migrate_family == AF_INET6) {
843 struct sockaddr_in6 *migrate_src6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
844 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, migrate_src, &migrate_src6->sin6_addr), 1, "migrate src fail");
845 migrate_src6->sin6_family = AF_INET6;
846 migrate_src6->sin6_len = sizeof(*migrate_src6);
847 uint16_t len = sizeof(*migrate_src_address_payload) + PFKEY_ALIGN8(migrate_src6->sin6_len);
848 migrate_src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
849 tlen += PFKEY_ALIGN8(migrate_src6->sin6_len);
850 } else if (migrate_family == AF_CHAOS) {
851 struct sockaddr_in6 *migrate_src6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
852 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, migrate_src, &migrate_src6->sin6_addr), 1, "migrate src fail");
853 migrate_src6->sin6_family = AF_INET6;
854 migrate_src6->sin6_len = sizeof(*migrate_src6) + 100; // Bad value to trigger exploit
855 uint16_t len = sizeof(*migrate_src_address_payload) + PFKEY_ALIGN8(migrate_src6->sin6_len);
856 migrate_src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
857 tlen += PFKEY_ALIGN8(migrate_src6->sin6_len);
858 }
859
860 struct sadb_address *migrate_dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
861 migrate_dst_address_payload->sadb_address_exttype = SADB_EXT_MIGRATE_ADDRESS_DST & 0xffff;
862 migrate_dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
863 migrate_dst_address_payload->sadb_address_prefixlen = prefixlen;
864 migrate_dst_address_payload->sadb_address_reserved = 0;
865
866 tlen += sizeof(*migrate_dst_address_payload);
867
868 if (migrate_family == AF_INET) {
869 struct sockaddr_in *migrate_dst4 = (struct sockaddr_in *)(void *)(payload + tlen);
870 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, migrate_dst, &migrate_dst4->sin_addr), 1, "migrate dst fail");
871 migrate_dst4->sin_family = AF_INET;
872 migrate_dst4->sin_len = sizeof(*migrate_dst4);
873 uint16_t len = sizeof(*migrate_dst_address_payload) + PFKEY_ALIGN8(migrate_dst4->sin_len);
874 migrate_dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
875 tlen += PFKEY_ALIGN8(migrate_dst4->sin_len);
876 } else if (migrate_family == AF_INET6) {
877 struct sockaddr_in6 *migrate_dst6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
878 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, migrate_dst, &migrate_dst6->sin6_addr), 1, "migrate dst fail");
879 migrate_dst6->sin6_family = AF_INET6;
880 migrate_dst6->sin6_len = sizeof(*migrate_dst6);
881 uint16_t len = sizeof(*migrate_dst_address_payload) + PFKEY_ALIGN8(migrate_dst6->sin6_len);
882 migrate_dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
883 tlen += PFKEY_ALIGN8(migrate_dst6->sin6_len);
884 } else if (migrate_family == AF_CHAOS) {
885 struct sockaddr_in6 *migrate_dst6 = (struct sockaddr_in6 *)(void *)(payload + tlen);
886 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET6, migrate_dst, &migrate_dst6->sin6_addr), 1, "migrate dst fail");
887 migrate_dst6->sin6_family = AF_INET6;
888 migrate_dst6->sin6_len = sizeof(*migrate_dst6) + 100; // Bad value to trigger exploit
889 uint16_t len = sizeof(*migrate_dst_address_payload) + PFKEY_ALIGN8(migrate_dst6->sin6_len);
890 migrate_dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
891 tlen += PFKEY_ALIGN8(migrate_dst6->sin6_len);
892 }
893
894 // Update the total length
895 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
896 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send migrate sa");
897 }
898
899 static void
send_pfkey_get_sa_stat(int pfkey_socket,uint32_t spi,uint32_t stat_length)900 send_pfkey_get_sa_stat(int pfkey_socket, uint32_t spi, uint32_t stat_length)
901 {
902 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
903 bzero(payload, sizeof(payload));
904 uint16_t tlen = 0;
905
906 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
907 msg_payload->sadb_msg_version = PF_KEY_V2;
908 msg_payload->sadb_msg_type = SADB_GETSASTAT;
909 msg_payload->sadb_msg_errno = 0;
910 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
911 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
912 msg_payload->sadb_msg_reserved = 0;
913 msg_payload->sadb_msg_seq = 0;
914 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
915 tlen += sizeof(*msg_payload);
916
917 struct sadb_session_id *session_id_payload = (struct sadb_session_id *)(void *)(payload + tlen);
918 session_id_payload->sadb_session_id_len = PFKEY_UNIT64(sizeof(*session_id_payload));
919 session_id_payload->sadb_session_id_exttype = SADB_EXT_SESSION_ID;
920 session_id_payload->sadb_session_id_v[0] = 1;
921 tlen += sizeof(*session_id_payload);
922
923 struct sadb_sastat *sadb_stat_payload = (struct sadb_sastat *)(void *)(payload + tlen);
924 uint16_t length = sizeof(*sadb_stat_payload) + PFKEY_ALIGN8(sizeof(struct sastat));
925 sadb_stat_payload->sadb_sastat_len = PFKEY_UNIT64(length);
926 sadb_stat_payload->sadb_sastat_exttype = SADB_EXT_SASTAT;
927 sadb_stat_payload->sadb_sastat_dir = IPSEC_DIR_OUTBOUND;
928 sadb_stat_payload->sadb_sastat_list_len = stat_length;
929 tlen += sizeof(*sadb_stat_payload);
930
931 struct sastat *sastat_payload = (struct sastat *)(void *)(payload + tlen);
932 sastat_payload->spi = htonl(spi);
933 tlen += PFKEY_ALIGN8(sizeof(*sastat_payload));
934
935 // Update the total length
936 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
937 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send get sa stat");
938 }
939
940 static void
send_pkey_delete_sa(int pfkey_socket,uint32_t spi)941 send_pkey_delete_sa(int pfkey_socket, uint32_t spi)
942 {
943 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
944 bzero(payload, sizeof(payload));
945 uint16_t tlen = 0;
946
947 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
948 msg_payload->sadb_msg_version = PF_KEY_V2;
949 msg_payload->sadb_msg_type = SADB_DELETE;
950 msg_payload->sadb_msg_errno = 0;
951 msg_payload->sadb_msg_satype = SADB_SATYPE_ESP;
952 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
953 msg_payload->sadb_msg_reserved = 0;
954 msg_payload->sadb_msg_seq = 0;
955 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
956 tlen += sizeof(*msg_payload);
957
958 struct sadb_sa_2 *sa2_payload = (struct sadb_sa_2 *)(void *)(payload + tlen);
959 sa2_payload->sa.sadb_sa_len = PFKEY_UNIT64(sizeof(*sa2_payload));
960 sa2_payload->sa.sadb_sa_exttype = SADB_EXT_SA;
961 sa2_payload->sa.sadb_sa_spi = htonl(spi);
962 tlen += sizeof(*sa2_payload);
963
964 struct sadb_address *src_address_payload = (struct sadb_address *)(void *)(payload + tlen);
965 src_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_SRC & 0xffff;
966 src_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
967 src_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
968 src_address_payload->sadb_address_reserved = 0;
969 tlen += sizeof(*src_address_payload);
970
971 struct sockaddr_in *src = (struct sockaddr_in *)(void *)(payload + tlen);
972 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_SRC_ADDRESS_IPv4, &src->sin_addr), 1, "migrate src fail");
973 src->sin_family = AF_INET;
974 src->sin_len = sizeof(*src);
975 uint16_t len = sizeof(*src_address_payload) + PFKEY_ALIGN8(src->sin_len);
976 src_address_payload->sadb_address_len = PFKEY_UNIT64(len);
977 tlen += PFKEY_ALIGN8(src->sin_len);
978
979 struct sadb_address *dst_address_payload = (struct sadb_address *)(void *)(payload + tlen);
980 dst_address_payload->sadb_address_exttype = SADB_EXT_ADDRESS_DST & 0xffff;
981 dst_address_payload->sadb_address_proto = IPSEC_ULPROTO_ANY & 0xff;
982 dst_address_payload->sadb_address_prefixlen = (sizeof(struct in_addr) << 3);
983 dst_address_payload->sadb_address_reserved = 0;
984 tlen += sizeof(*dst_address_payload);
985
986 struct sockaddr_in *dst = (struct sockaddr_in *)(void *)(payload + tlen);
987 T_QUIET; T_ASSERT_EQ_INT(inet_pton(AF_INET, TEST_DST_ADDRESS_IPv4, &dst->sin_addr), 1, "migrate dst fail");
988 dst->sin_family = AF_INET;
989 dst->sin_len = sizeof(*dst);
990 len = sizeof(*dst_address_payload) + PFKEY_ALIGN8(dst->sin_len);
991 dst_address_payload->sadb_address_len = PFKEY_UNIT64(len);
992 tlen += PFKEY_ALIGN8(dst->sin_len);
993
994 // Update the total length
995 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
996 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send delete sa");
997 }
998
999 static void
send_pfkey_sa_dump_message(int pfkey_socket)1000 send_pfkey_sa_dump_message(int pfkey_socket)
1001 {
1002 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
1003 bzero(payload, sizeof(payload));
1004 uint16_t tlen = 0;
1005
1006 struct sadb_msg *msg_payload = (struct sadb_msg *)(void *)payload;
1007 msg_payload->sadb_msg_version = PF_KEY_V2;
1008 msg_payload->sadb_msg_type = SADB_DUMP;
1009 msg_payload->sadb_msg_errno = 0;
1010 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
1011 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
1012 msg_payload->sadb_msg_reserved = 0;
1013 msg_payload->sadb_msg_seq = 0;
1014 msg_payload->sadb_msg_pid = (uint32_t)getpid();
1015 tlen += sizeof(*msg_payload);
1016
1017 // Update the total length
1018 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
1019 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey send sa dump failed");
1020 }
1021
1022 static void
send_pfkey_flush_sa(int pfkey_socket)1023 send_pfkey_flush_sa(int pfkey_socket)
1024 {
1025 uint8_t payload[MCLBYTES] __attribute__ ((aligned(32)));
1026 bzero(payload, sizeof(payload));
1027 uint16_t tlen = 0;
1028
1029 struct sadb_msg *msg_payload = (struct sadb_msg *)payload;
1030 msg_payload->sadb_msg_version = PF_KEY_V2;
1031 msg_payload->sadb_msg_type = SADB_FLUSH;
1032 msg_payload->sadb_msg_errno = 0;
1033 msg_payload->sadb_msg_satype = SADB_SATYPE_UNSPEC;
1034 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
1035 msg_payload->sadb_msg_reserved = 0;
1036 msg_payload->sadb_msg_seq = 0;
1037 msg_payload->sadb_msg_pid = (u_int32_t)getpid();
1038 tlen += sizeof(*msg_payload);
1039
1040 // Update the total length
1041 msg_payload->sadb_msg_len = PFKEY_UNIT64(tlen);
1042 T_QUIET; T_ASSERT_POSIX_SUCCESS(send(pfkey_socket, payload, (size_t)PFKEY_UNUNIT64(msg_payload->sadb_msg_len), 0), "pfkey flush sa");
1043 }
1044
1045 static void
pfkey_cleanup(void)1046 pfkey_cleanup(void)
1047 {
1048 if (pfkey_source != NULL) {
1049 int pfkey_socket = (int)dispatch_source_get_handle(pfkey_source);
1050 if (pfkey_socket > 0) {
1051 send_pfkey_flush_sa(pfkey_socket);
1052 send_pfkey_flush_sp(pfkey_socket);
1053 }
1054 dispatch_source_cancel(pfkey_source);
1055 pfkey_source = NULL;
1056 }
1057 }
1058
1059 static int
pfkey_setup_socket(void)1060 pfkey_setup_socket(void)
1061 {
1062 int pfkey_socket = -1;
1063 int bufsiz = 0;
1064 const unsigned long newbufk = 1536;
1065 unsigned long oldmax;
1066 size_t oldmaxsize = sizeof(oldmax);
1067 unsigned long newmax = newbufk * (1024 + 128);
1068
1069 T_QUIET; T_ASSERT_POSIX_SUCCESS(pfkey_socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2), NULL);
1070
1071 if (sysctlbyname("kern.ipc.maxsockbuf", &oldmax, &oldmaxsize, &newmax, sizeof(newmax)) != 0) {
1072 bufsiz = 233016; /* Max allowed by default */
1073 } else {
1074 bufsiz = newbufk * 1024;
1075 }
1076
1077 T_QUIET; T_ASSERT_POSIX_SUCCESS(setsockopt(pfkey_socket, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz)), "pfkey set snd socket buf failed %d", bufsiz);
1078 T_QUIET; T_ASSERT_POSIX_SUCCESS(setsockopt(pfkey_socket, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz)), "pfkey set recv socket buf failed %d", bufsiz);
1079
1080 pfkey_source = dispatch_source_create(DISPATCH_SOURCE_TYPE_READ, (uintptr_t)pfkey_socket, 0, dispatch_get_main_queue());
1081 T_QUIET; T_ASSERT_NOTNULL(pfkey_source, "dispatch_source_create(DISPATCH_SOURCE_TYPE_READ, ...)");
1082 dispatch_source_set_event_handler(pfkey_source, ^{
1083 recv_pfkey_message(pfkey_socket);
1084 });
1085 dispatch_source_set_cancel_handler(pfkey_source, ^{
1086 close(pfkey_socket);
1087 });
1088 dispatch_resume(pfkey_source);
1089 return pfkey_socket;
1090 }
1091
1092 static void
pfkey_process_message_test_60822136(uint8_t ** mhp,int pfkey_socket)1093 pfkey_process_message_test_60822136(uint8_t **mhp, int pfkey_socket)
1094 {
1095 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1096 static int counter = 0;
1097 static uint32_t policy_id = 0;
1098
1099 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1100 return;
1101 }
1102
1103 if (message->sadb_msg_errno) {
1104 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_X_SPDDUMP, "SADB error for type %u", message->sadb_msg_type);
1105 pfkey_cleanup();
1106 T_END;
1107 }
1108
1109 switch (message->sadb_msg_type) {
1110 case SADB_X_SPDADD:
1111 {
1112 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1113 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd add policy message is NULL");
1114 policy_id = policy_message->sadb_x_policy_id;
1115 T_LOG("Added policy id %u", policy_id);
1116 send_pfkey_spd_get_message(pfkey_socket, policy_id);
1117 break;
1118 }
1119 case SADB_X_SPDGET:
1120 {
1121 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1122 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd get policy message is NULL");
1123 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_get: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1124 if (counter < MAX_SPD_CHECK) {
1125 counter++;
1126 send_pfkey_spd_get_message(pfkey_socket, policy_id);
1127 } else {
1128 T_LOG("Deleting policy id %u", policy_id);
1129 send_pfkey_spd_delete_message(pfkey_socket, policy_id);
1130 }
1131 break;
1132 }
1133 case SADB_X_SPDDELETE2:
1134 {
1135 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1136 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd delete2 policy message is NULL");
1137 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_delete2: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1138 T_LOG("Deleted policy id %u", policy_id);
1139 sleep(2);
1140 send_pfkey_spd_dump_message(pfkey_socket);
1141 break;
1142 }
1143 case SADB_X_SPDDUMP:
1144 {
1145 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1146 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd dump policy message is NULL");
1147 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_dump: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1148 T_FAIL("Policy id %u still exists", policy_id);
1149 pfkey_cleanup();
1150 T_END;
1151 }
1152 case SADB_FLUSH:
1153 case SADB_X_SPDFLUSH:
1154 break;
1155 default:
1156 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1157 T_END;
1158 }
1159 return;
1160 }
1161
1162 static void
pfkey_process_message_test_60822924(uint8_t ** mhp,int pfkey_socket)1163 pfkey_process_message_test_60822924(uint8_t **mhp, int pfkey_socket)
1164 {
1165 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1166 static int counter = 0;
1167 static uint32_t policy_id = 0;
1168
1169 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1170 return;
1171 }
1172
1173 if (message->sadb_msg_errno) {
1174 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_X_SPDDUMP, "SADB error for type %u", message->sadb_msg_type);
1175 pfkey_cleanup();
1176 T_END;
1177 }
1178
1179 switch (message->sadb_msg_type) {
1180 case SADB_X_SPDADD:
1181 {
1182 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1183 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd add policy message is NULL");
1184 policy_id = policy_message->sadb_x_policy_id;
1185 T_LOG("Added policy id %u", policy_id);
1186 send_pfkey_spd_enable_message(pfkey_socket, policy_id);
1187 break;
1188 }
1189 case SADB_X_SPDENABLE:
1190 {
1191 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1192 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd enable policy message is NULL");
1193 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_enable: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1194 if (counter < MAX_SPD_CHECK) {
1195 counter++;
1196 send_pfkey_spd_enable_message(pfkey_socket, policy_id);
1197 } else {
1198 T_LOG("Deleting policy id %u", policy_id);
1199 send_pfkey_spd_delete_message(pfkey_socket, policy_id);
1200 }
1201 break;
1202 }
1203 case SADB_X_SPDDELETE2:
1204 {
1205 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1206 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd delete2 policy message is NULL");
1207 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_delete2: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1208 T_LOG("Deleted policy id %u", policy_id);
1209 sleep(2);
1210 send_pfkey_spd_dump_message(pfkey_socket);
1211 break;
1212 }
1213 case SADB_X_SPDDUMP:
1214 {
1215 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1216 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd dump policy message is NULL");
1217 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_dump: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1218 T_FAIL("Policy id %u still exists", policy_id);
1219 pfkey_cleanup();
1220 T_END;
1221 }
1222 case SADB_FLUSH:
1223 case SADB_X_SPDFLUSH:
1224 break;
1225 default:
1226 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1227 T_END;
1228 }
1229 return;
1230 }
1231
1232 static void
pfkey_process_message_test_60822956(uint8_t ** mhp,int pfkey_socket)1233 pfkey_process_message_test_60822956(uint8_t **mhp, int pfkey_socket)
1234 {
1235 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1236 static int counter = 0;
1237 static uint32_t policy_id = 0;
1238
1239 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1240 return;
1241 }
1242
1243 if (message->sadb_msg_errno) {
1244 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_X_SPDDUMP, "SADB error for type %u", message->sadb_msg_type);
1245 pfkey_cleanup();
1246 T_END;
1247 }
1248
1249 switch (message->sadb_msg_type) {
1250 case SADB_X_SPDADD:
1251 {
1252 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1253 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd add policy message is NULL");
1254 policy_id = policy_message->sadb_x_policy_id;
1255 T_LOG("Added policy id %u", policy_id);
1256 send_pfkey_spd_disable_message(pfkey_socket, policy_id);
1257 break;
1258 }
1259 case SADB_X_SPDDISABLE:
1260 {
1261 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1262 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd disable policy message is NULL");
1263 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_disable: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1264 if (counter < MAX_SPD_CHECK) {
1265 counter++;
1266 send_pfkey_spd_disable_message(pfkey_socket, policy_id);
1267 } else {
1268 T_LOG("Deleting policy id %u", policy_id);
1269 send_pfkey_spd_delete_message(pfkey_socket, policy_id);
1270 }
1271 break;
1272 }
1273 case SADB_X_SPDDELETE2:
1274 {
1275 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1276 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd delete2 policy message is NULL");
1277 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_delete2: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1278 T_LOG("Deleted policy id %u", policy_id);
1279 sleep(2);
1280 send_pfkey_spd_dump_message(pfkey_socket);
1281 break;
1282 }
1283 case SADB_X_SPDDUMP:
1284 {
1285 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1286 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd dump policy message is NULL");
1287 T_QUIET; T_ASSERT_EQ(policy_id, policy_message->sadb_x_policy_id, "spd_dump: spid mismatch %u != %u", policy_id, policy_message->sadb_x_policy_id);
1288 T_FAIL("Policy id %u still exists", policy_id);
1289 pfkey_cleanup();
1290 T_END;
1291 }
1292 case SADB_FLUSH:
1293 case SADB_X_SPDFLUSH:
1294 break;
1295 default:
1296 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1297 T_END;
1298 }
1299 return;
1300 }
1301
1302 static void
pfkey_process_message_test_60679513(uint8_t ** mhp,int pfkey_socket)1303 pfkey_process_message_test_60679513(uint8_t **mhp, int pfkey_socket)
1304 {
1305 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1306 static uint32_t spi = 0;
1307
1308 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1309 return;
1310 }
1311
1312 if (message->sadb_msg_errno) {
1313 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_UPDATE, "SADB error for type %u", message->sadb_msg_type);
1314 }
1315
1316 switch (message->sadb_msg_type) {
1317 case SADB_GETSPI:
1318 {
1319 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1320 T_QUIET; T_ASSERT_NOTNULL(sa_message, "sa get spi message is NULL");
1321 spi = ntohl(sa_message->sadb_sa_spi);
1322 T_LOG("get spi 0x%x", spi);
1323 send_pkey_update_sa(pfkey_socket, spi);
1324 break;
1325 }
1326 case SADB_UPDATE:
1327 {
1328 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1329 T_QUIET; T_ASSERT_NOTNULL(sa_message, "update sa message is NULL");
1330 T_QUIET; T_ASSERT_EQ(spi, ntohl(sa_message->sadb_sa_spi), "sadb update: spi mismatch %u != %u", spi, ntohl(sa_message->sadb_sa_spi));
1331 T_LOG("update sa 0x%x", spi);
1332 send_pkey_delete_sa(pfkey_socket, spi);
1333 break;
1334 }
1335 case SADB_DELETE:
1336 {
1337 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1338 T_QUIET; T_ASSERT_NOTNULL(sa_message, "delete sa message is NULL");
1339 T_QUIET; T_ASSERT_EQ(spi, ntohl(sa_message->sadb_sa_spi), "sadb delete: spi mismatch %u != %u", spi, ntohl(sa_message->sadb_sa_spi));
1340 T_LOG("delete sa 0x%x", spi);
1341 pfkey_cleanup();
1342 T_END;
1343 }
1344 case SADB_FLUSH:
1345 case SADB_X_SPDFLUSH:
1346 break;
1347 default:
1348 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1349 T_END;
1350 }
1351 return;
1352 }
1353
1354 static void
pfkey_process_message_test_60768729(uint8_t ** mhp,int pfkey_socket)1355 pfkey_process_message_test_60768729(uint8_t **mhp, int pfkey_socket)
1356 {
1357 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1358 uint32_t spi = 0;
1359 static int counter = 0;
1360
1361 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1362 return;
1363 }
1364
1365 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u", message->sadb_msg_type);
1366
1367 switch (message->sadb_msg_type) {
1368 case SADB_GETSPI:
1369 {
1370 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1371 T_QUIET; T_ASSERT_NOTNULL(sa_message, "sa get spi message is NULL");
1372 spi = ntohl(sa_message->sadb_sa_spi);
1373 counter++;
1374 if (counter <= 1000) {
1375 send_pkey_get_spi(pfkey_socket);
1376 } else {
1377 T_LOG("SADB added 1000 Larval SPIs");
1378 send_pfkey_sa_dump_message(pfkey_socket);
1379 }
1380 break;
1381 }
1382 case SADB_DUMP:
1383 {
1384 counter--;
1385 if (counter == 0) {
1386 T_PASS("SADB dump successful");
1387 pfkey_cleanup();
1388 T_END;
1389 }
1390 break;
1391 }
1392
1393 case SADB_FLUSH:
1394 case SADB_X_SPDFLUSH:
1395 break;
1396 default:
1397 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1398 T_END;
1399 }
1400 return;
1401 }
1402
1403 static void
pfkey_process_message_test_60769680(uint8_t ** mhp,int pfkey_socket)1404 pfkey_process_message_test_60769680(uint8_t **mhp, int pfkey_socket)
1405 {
1406 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1407 static uint8_t counter = 0;
1408
1409 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1410 return;
1411 }
1412
1413 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1414
1415 switch (message->sadb_msg_type) {
1416 case SADB_X_SPDADD:
1417 {
1418 struct sadb_x_policy *policy_message = (struct sadb_x_policy *)(void *)mhp[SADB_X_EXT_POLICY];
1419 T_QUIET; T_ASSERT_NOTNULL(policy_message, "spd add policy message is NULL");
1420 counter++;
1421 if (counter <= 240) {
1422 send_pfkey_spd_add_message(pfkey_socket, counter + 1);
1423 } else {
1424 T_LOG("SADB added 240 security policies");
1425 send_pfkey_spd_dump_message(pfkey_socket);
1426 }
1427 break;
1428 }
1429 case SADB_X_SPDDUMP:
1430 {
1431 counter--;
1432 if (counter == 0) {
1433 T_PASS("SADB policy dump successful");
1434 pfkey_cleanup();
1435 T_END;
1436 }
1437 break;
1438 }
1439
1440 case SADB_FLUSH:
1441 case SADB_X_SPDFLUSH:
1442 break;
1443 default:
1444 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1445 T_END;
1446 }
1447 return;
1448 }
1449
1450 static void
pfkey_process_message_test_60822823(uint8_t ** mhp,int pfkey_socket)1451 pfkey_process_message_test_60822823(uint8_t **mhp, int pfkey_socket)
1452 {
1453 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1454 static uint32_t spi = 0;
1455
1456 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1457 return;
1458 }
1459
1460 if (message->sadb_msg_errno != 0) {
1461 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_GETSASTAT, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1462 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, EINVAL, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1463 T_PASS("SADB get SA Stat received EINVAL");
1464 T_END;
1465 }
1466
1467 switch (message->sadb_msg_type) {
1468 case SADB_ADD:
1469 {
1470 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1471 T_QUIET; T_ASSERT_NOTNULL(sa_message, "add sa message is NULL");
1472 spi = ntohl(sa_message->sadb_sa_spi);
1473 T_LOG("added sa 0x%x", spi);
1474 send_pfkey_get_sa_stat(pfkey_socket, spi, 5);
1475 break;
1476 }
1477 case SADB_GETSASTAT:
1478 {
1479 T_FAIL("get sa stat should fail %u", message->sadb_msg_type);
1480 T_END;
1481 }
1482 case SADB_FLUSH:
1483 case SADB_X_SPDFLUSH:
1484 break;
1485 default:
1486 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1487 T_END;
1488 }
1489 return;
1490 }
1491
1492 static void
pfkey_process_message_test_60822823_1(uint8_t ** mhp,int pfkey_socket)1493 pfkey_process_message_test_60822823_1(uint8_t **mhp, int pfkey_socket)
1494 {
1495 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1496 static uint32_t spi = 0;
1497
1498 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1499 return;
1500 }
1501
1502 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1503
1504 switch (message->sadb_msg_type) {
1505 case SADB_ADD:
1506 {
1507 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1508 T_QUIET; T_ASSERT_NOTNULL(sa_message, "add sa message is NULL");
1509 spi = ntohl(sa_message->sadb_sa_spi);
1510 T_LOG("added sa 0x%x", spi);
1511 send_pfkey_get_sa_stat(pfkey_socket, spi, 1);
1512 break;
1513 }
1514 case SADB_GETSASTAT:
1515 {
1516 struct sadb_session_id *session_id = (struct sadb_session_id *)(void *)mhp[SADB_EXT_SESSION_ID];
1517 T_QUIET; T_ASSERT_NOTNULL(session_id, "session id is NULL");
1518 T_QUIET; T_EXPECT_EQ_ULLONG(session_id->sadb_session_id_v[0], 1ULL, "Session id is not equal");
1519 T_PASS("get sa stat success %u", message->sadb_msg_type);
1520 T_END;
1521 }
1522 case SADB_FLUSH:
1523 case SADB_X_SPDFLUSH:
1524 break;
1525 default:
1526 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1527 T_END;
1528 }
1529 return;
1530 }
1531
1532 static void
pfkey_process_message_test_60687183(uint8_t ** mhp,int pfkey_socket)1533 pfkey_process_message_test_60687183(uint8_t **mhp, int pfkey_socket)
1534 {
1535 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1536 static uint32_t spi = 0;
1537
1538 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1539 return;
1540 }
1541
1542 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1543
1544 switch (message->sadb_msg_type) {
1545 case SADB_ADD:
1546 {
1547 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1548 T_QUIET; T_ASSERT_NOTNULL(sa_message, "add sa message is NULL");
1549 spi = ntohl(sa_message->sadb_sa_spi);
1550 T_LOG("added sa 0x%x", spi);
1551 send_pkey_migrate_sa(pfkey_socket, spi, TEST_SRC_ADDRESS_IPv4, TEST_DST_ADDRESS_IPv4, AF_INET,
1552 TEST_MIGRATE_SRC_ADDRESS_IPv4, TEST_MIGRATE_DST_ADDRESS_IPv4, AF_INET);
1553 break;
1554 }
1555 case SADB_MIGRATE:
1556 {
1557 T_PASS("migrate SA success");
1558 T_END;
1559 }
1560 case SADB_FLUSH:
1561 case SADB_X_SPDFLUSH:
1562 break;
1563 default:
1564 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1565 T_END;
1566 }
1567 return;
1568 }
1569
1570 static void
pfkey_process_message_test_60687183_1(uint8_t ** mhp,int pfkey_socket)1571 pfkey_process_message_test_60687183_1(uint8_t **mhp, int pfkey_socket)
1572 {
1573 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1574 static uint32_t spi = 0;
1575
1576 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1577 return;
1578 }
1579
1580 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1581
1582 switch (message->sadb_msg_type) {
1583 case SADB_ADD:
1584 {
1585 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1586 T_QUIET; T_ASSERT_NOTNULL(sa_message, "add sa message is NULL");
1587 spi = ntohl(sa_message->sadb_sa_spi);
1588 T_LOG("added sa 0x%x", spi);
1589 send_pkey_migrate_sa(pfkey_socket, spi, TEST_SRC_ADDRESS_IPv6, TEST_DST_ADDRESS_IPv6, AF_INET6,
1590 TEST_MIGRATE_SRC_ADDRESS_IPv6, TEST_MIGRATE_DST_ADDRESS_IPv6, AF_INET6);
1591 break;
1592 }
1593 case SADB_MIGRATE:
1594 {
1595 T_PASS("migrate SA success");
1596 T_END;
1597 }
1598 case SADB_FLUSH:
1599 case SADB_X_SPDFLUSH:
1600 break;
1601 default:
1602 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1603 T_END;
1604 }
1605 return;
1606 }
1607
1608 static void
pfkey_process_message_test_60687183_2(uint8_t ** mhp,int pfkey_socket)1609 pfkey_process_message_test_60687183_2(uint8_t **mhp, int pfkey_socket)
1610 {
1611 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1612 static uint32_t spi = 0;
1613
1614 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1615 return;
1616 }
1617
1618 if (message->sadb_msg_errno != 0) {
1619 T_QUIET; T_ASSERT_EQ(message->sadb_msg_type, SADB_MIGRATE, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1620 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, EINVAL, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1621 T_PASS("SADB migrate SA received EINVAL");
1622 T_END;
1623 }
1624
1625 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, 0, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1626
1627 switch (message->sadb_msg_type) {
1628 case SADB_ADD:
1629 {
1630 struct sadb_sa *sa_message = (struct sadb_sa *)(void *)mhp[SADB_EXT_SA];
1631 T_QUIET; T_ASSERT_NOTNULL(sa_message, "add sa message is NULL");
1632 spi = ntohl(sa_message->sadb_sa_spi);
1633 T_LOG("added sa 0x%x", spi);
1634 send_pkey_migrate_sa(pfkey_socket, spi, TEST_SRC_ADDRESS_IPv6, TEST_DST_ADDRESS_IPv6, AF_INET6,
1635 TEST_MIGRATE_SRC_ADDRESS_IPv6, TEST_MIGRATE_DST_ADDRESS_IPv6, AF_CHAOS);
1636 break;
1637 }
1638 case SADB_MIGRATE:
1639 {
1640 T_FAIL("migrate SA test for bad address failed");
1641 T_END;
1642 }
1643 case SADB_FLUSH:
1644 case SADB_X_SPDFLUSH:
1645 break;
1646 default:
1647 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1648 T_END;
1649 }
1650 return;
1651 }
1652
1653 static void
pfkey_process_message_test_78944570(uint8_t ** mhp,int pfkey_socket)1654 pfkey_process_message_test_78944570(uint8_t **mhp, int pfkey_socket)
1655 {
1656 struct sadb_msg *message = (struct sadb_msg *)(void *)mhp[0];
1657
1658 if (message->sadb_msg_pid != (uint32_t)getpid()) {
1659 return;
1660 }
1661
1662 switch (message->sadb_msg_type) {
1663 case SADB_X_SPDADD:
1664 {
1665 if (message->sadb_msg_errno != 0) {
1666 T_QUIET; T_ASSERT_EQ(message->sadb_msg_errno, EINVAL, "SADB error for type %u error %d", message->sadb_msg_type, message->sadb_msg_errno);
1667 T_PASS("SADB spd add received EINVAL");
1668 T_END;
1669 } else {
1670 T_FAIL("SADB spd add received success");
1671 T_END;
1672 }
1673 break;
1674 }
1675 case SADB_FLUSH:
1676 case SADB_X_SPDFLUSH:
1677 break;
1678 default:
1679 T_FAIL("bad SADB message type %u", message->sadb_msg_type);
1680 T_END;
1681 }
1682 return;
1683 }
1684
1685 static int
setup_tcp_server(uint16_t port)1686 setup_tcp_server(uint16_t port)
1687 {
1688 struct sockaddr_in server_addr = {};
1689 int server_fd = -1;
1690
1691 T_QUIET; T_ASSERT_POSIX_SUCCESS(server_fd = socket(AF_INET, SOCK_STREAM, 0),
1692 "tcp server socket creation failed");
1693
1694 server_addr.sin_family = AF_INET;
1695 server_addr.sin_addr.s_addr = htonl(INADDR_ANY);
1696 server_addr.sin_port = htons(port);
1697
1698 T_QUIET; T_ASSERT_POSIX_SUCCESS(bind(server_fd, (struct sockaddr *)&server_addr,
1699 sizeof(server_addr)), "tcp server bind failed");
1700
1701 T_QUIET; T_ASSERT_POSIX_SUCCESS(listen(server_fd, 2), "tcp server listen failed");
1702 return server_fd;
1703 }
1704
1705 static int
setup_loopback_tcp_client(uint16_t server_port)1706 setup_loopback_tcp_client(uint16_t server_port)
1707 {
1708 struct sockaddr_in conn_addr = {};
1709 int client_fd = -1;
1710
1711 T_QUIET; T_ASSERT_POSIX_SUCCESS(client_fd = socket(AF_INET, SOCK_STREAM, 0),
1712 "tcp client socket creation failed");
1713 T_QUIET; T_ASSERT_POSIX_SUCCESS(inet_pton(AF_INET, "127.0.0.1", &conn_addr.sin_addr),
1714 "loopback address inet_pton failed");
1715
1716 conn_addr.sin_family = AF_INET;
1717 conn_addr.sin_port = htons(server_port);
1718
1719 T_QUIET; T_ASSERT_POSIX_SUCCESS(connect(client_fd, (struct sockaddr *)&conn_addr, sizeof(conn_addr)),
1720 "tcp loopback client connect failed");
1721 return client_fd;
1722 }
1723
1724 static void
setup_socket_policy(int socket_fd)1725 setup_socket_policy(int socket_fd)
1726 {
1727 uint8_t buf[
1728 sizeof(struct sadb_x_policy) +
1729 sizeof(struct sadb_x_ipsecrequest) +
1730 sizeof(struct sockaddr_in) +
1731 sizeof(struct sockaddr_in)
1732 ];
1733
1734 struct sadb_x_policy *xpl = (struct sadb_x_policy *)buf;
1735 struct sadb_x_ipsecrequest *xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
1736 struct sockaddr *sa;
1737
1738
1739 bzero(buf, sizeof(buf));
1740 /* xpl: */
1741 xpl->sadb_x_policy_len = sizeof(buf) >> 3;
1742 xpl->sadb_x_policy_dir = IPSEC_DIR_INBOUND;
1743 xpl->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1744 /* xisr: */
1745 xisr->sadb_x_ipsecrequest_len = sizeof(buf) - sizeof(*xpl);
1746 xisr->sadb_x_ipsecrequest_proto = IPPROTO_ESP;
1747 xisr->sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT;
1748 xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_DEFAULT;
1749 /* src sockaddr: */
1750 sa = (struct sockaddr *)(xisr + 1);
1751 sa->sa_len = sizeof(struct sockaddr_in);
1752 /* dst sockaddr: */
1753 sa = (struct sockaddr *)((void *)(xisr + 1) + sa->sa_len);
1754 sa->sa_len = sizeof(struct sockaddr_in);
1755
1756 T_QUIET; T_ASSERT_POSIX_SUCCESS(setsockopt(socket_fd, IPPROTO_IP, IP_IPSEC_POLICY,
1757 buf, sizeof(buf)), "tcp server listen failed");
1758 }
1759
1760 T_DECL(sadb_x_get_60822136, "security policy reference count overflow")
1761 {
1762 test_id = TEST_SADB_X_GET_OVERFLOW_60822136;
1763
1764 int pfkey_socket = pfkey_setup_socket();
1765 send_pfkey_flush_sa(pfkey_socket);
1766 send_pfkey_flush_sp(pfkey_socket);
1767 send_pfkey_spd_add_message(pfkey_socket, IPSEC_ULPROTO_ANY);
1768
1769 dispatch_main();
1770 }
1771
1772 T_DECL(sadb_x_spd_enable_60822924, "security policy reference count overflow")
1773 {
1774 test_id = TEST_SADB_X_SPDENABLE_OVERFLOW_60822924;
1775
1776 int pfkey_socket = pfkey_setup_socket();
1777 send_pfkey_flush_sa(pfkey_socket);
1778 send_pfkey_flush_sp(pfkey_socket);
1779 send_pfkey_spd_add_message(pfkey_socket, IPSEC_ULPROTO_ANY);
1780
1781 dispatch_main();
1782 }
1783
1784 T_DECL(sadb_x_spd_disable_60822956, "security policy reference count overflow")
1785 {
1786 test_id = TEST_SADB_X_SPDDISABLE_OVERFLOW_60822956;
1787
1788 int pfkey_socket = pfkey_setup_socket();
1789 send_pfkey_flush_sa(pfkey_socket);
1790 send_pfkey_flush_sp(pfkey_socket);
1791 send_pfkey_spd_add_message(pfkey_socket, IPSEC_ULPROTO_ANY);
1792
1793 dispatch_main();
1794 }
1795
1796 T_DECL(sadb_update_60679513, "security association use after free")
1797 {
1798 test_id = TEST_SADB_UPDATE_USE_AFTER_FREE_60679513;
1799
1800 int pfkey_socket = pfkey_setup_socket();
1801 send_pfkey_flush_sa(pfkey_socket);
1802 send_pfkey_flush_sp(pfkey_socket);
1803 send_pkey_get_spi(pfkey_socket);
1804
1805 dispatch_main();
1806 }
1807
1808 T_DECL(sadb_dump_60768729, "security association sa dump heap overflow", T_META_ENABLED(false))
1809 {
1810 test_id = TEST_SADB_DUMP_HEAP_OVERFLOW_60768729;
1811
1812 int pfkey_socket = pfkey_setup_socket();
1813 T_ATEND(pfkey_cleanup);
1814 send_pfkey_flush_sa(pfkey_socket);
1815 send_pfkey_flush_sp(pfkey_socket);
1816 send_pkey_get_spi(pfkey_socket);
1817
1818 dispatch_main();
1819 }
1820
1821 // Disabled due to rdar://92910783
1822 T_DECL(sadb_policy_dump_60769680, "security association sa policy dump heap overflow", T_META_ENABLED(false))
1823 {
1824 test_id = TEST_SADB_POLICY_DUMP_HEAP_OVERFLOW_60769680;
1825
1826 int pfkey_socket = pfkey_setup_socket();
1827 T_ATEND(pfkey_cleanup);
1828 send_pfkey_flush_sa(pfkey_socket);
1829 send_pfkey_flush_sp(pfkey_socket);
1830 send_pfkey_spd_add_message(pfkey_socket, 1);
1831
1832 dispatch_main();
1833 }
1834
1835 T_DECL(sadb_get_sastat_oob_60769680, "security association get sa stat oob read")
1836 {
1837 test_id = TEST_SADB_GETSASTAT_OOB_READ_60822823;
1838
1839 int pfkey_socket = pfkey_setup_socket();
1840 T_ATEND(pfkey_cleanup);
1841 send_pfkey_flush_sa(pfkey_socket);
1842 send_pfkey_flush_sp(pfkey_socket);
1843 send_pkey_add_sa(pfkey_socket, 0x12345678, TEST_SRC_ADDRESS_IPv4, TEST_DST_ADDRESS_IPv4, AF_INET);
1844
1845 dispatch_main();
1846 }
1847
1848 T_DECL(sadb_get_sastat_success, "security association get sa stat")
1849 {
1850 test_id = TEST_SADB_GETSASTAT_OOB_READ_SUCCESS;
1851
1852 int pfkey_socket = pfkey_setup_socket();
1853 T_ATEND(pfkey_cleanup);
1854 send_pfkey_flush_sa(pfkey_socket);
1855 send_pfkey_flush_sp(pfkey_socket);
1856 send_pkey_add_sa(pfkey_socket, 0x12345678, TEST_SRC_ADDRESS_IPv4, TEST_DST_ADDRESS_IPv4, AF_INET);
1857
1858 dispatch_main();
1859 }
1860
1861 T_DECL(sadb_key_migrate_address_ipv4, "security association migrate address ipv4")
1862 {
1863 test_id = TEST_SADB_EXT_MIGRATE_ADDRESS_IPv4;
1864
1865 int pfkey_socket = pfkey_setup_socket();
1866 T_ATEND(pfkey_cleanup);
1867 send_pfkey_flush_sa(pfkey_socket);
1868 send_pfkey_flush_sp(pfkey_socket);
1869 send_pkey_add_sa(pfkey_socket, 0x12345678, TEST_SRC_ADDRESS_IPv4, TEST_DST_ADDRESS_IPv4, AF_INET);
1870
1871 dispatch_main();
1872 }
1873
1874 T_DECL(sadb_key_migrate_address_ipv6, "security association migrate address ipv6")
1875 {
1876 test_id = TEST_SADB_EXT_MIGRATE_ADDRESS_IPv6;
1877
1878 int pfkey_socket = pfkey_setup_socket();
1879 T_ATEND(pfkey_cleanup);
1880 send_pfkey_flush_sa(pfkey_socket);
1881 send_pfkey_flush_sp(pfkey_socket);
1882 send_pkey_add_sa(pfkey_socket, 0x12345678, TEST_SRC_ADDRESS_IPv6, TEST_DST_ADDRESS_IPv6, AF_INET6);
1883
1884 dispatch_main();
1885 }
1886
1887 T_DECL(sadb_key_migrate_bad_address, "security association migrate bad address")
1888 {
1889 test_id = TEST_SADB_EXT_MIGRATE_BAD_ADDRESS;
1890
1891 int pfkey_socket = pfkey_setup_socket();
1892 T_ATEND(pfkey_cleanup);
1893 send_pfkey_flush_sa(pfkey_socket);
1894 send_pfkey_flush_sp(pfkey_socket);
1895 send_pkey_add_sa(pfkey_socket, 0x12345678, TEST_SRC_ADDRESS_IPv6, TEST_DST_ADDRESS_IPv6, AF_INET6);
1896
1897 dispatch_main();
1898 }
1899
1900 T_DECL(tcp_input_ipsec_copy_policy, "listener policy copied to child")
1901 {
1902 test_id = TEST_TCP_INPUT_IPSEC_COPY_POLICY;
1903
1904 int server_fd = setup_tcp_server(4000);
1905 setup_socket_policy(server_fd);
1906 int client_fd = setup_loopback_tcp_client(4000);
1907
1908 sleep(3);
1909 close(client_fd);
1910 close(server_fd);
1911
1912 T_PASS("listener policy copied to child");
1913 }
1914
1915 T_DECL(sadb_x_spd_add_78944570, "security policy add failure")
1916 {
1917 test_id = TEST_SADB_X_SPDADD_MEMORY_LEAK_78944570;
1918
1919 int pfkey_socket = pfkey_setup_socket();
1920 send_pfkey_flush_sa(pfkey_socket);
1921 send_pfkey_flush_sp(pfkey_socket);
1922 send_pfkey_spd_add_message(pfkey_socket, IPSEC_ULPROTO_ANY);
1923
1924 dispatch_main();
1925 }
1926