Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically.  Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP.  The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

1 files changed, 332 insertions, 0 deletions

diff --git a/sbin/iked/proc.c b/sbin/iked/proc.c
new file mode 100644
index 00000000000..05213b1e083
--- /dev/null
+++ b/sbin/iked/proc.c
@@ -0,0 +1,332 @@
+/*	$OpenBSD: proc.c,v 1.1 2010/06/03 16:41:12 reyk Exp $	*/
+/*	$vantronix: proc.c,v 1.11 2010/06/01 16:45:56 jsg Exp $	*/
+
+/*
+ * Copyright (c) 2010 Reyk Floeter <reyk@vantronix.net>
+ * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <sys/queue.h>
+#include <sys/tree.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <signal.h>
+#include <pwd.h>
+#include <event.h>
+
+#include <openssl/rand.h>
+
+#include "iked.h"
+
+void	 proc_shutdown(struct iked_proc *);
+void	 proc_sig_handler(int, short, void *);
+
+void
+init_procs(struct iked *env, struct iked_proc *p, u_int nproc)
+{
+	u_int	 i;
+
+	iked_process = PROC_PARENT;
+	init_pipes(env);
+
+	for (i = 0; i < nproc; i++, p++) {
+		env->sc_title[p->id] = p->title;
+		env->sc_pid[p->id] = (*p->init)(env, p);
+	}
+}
+
+void
+kill_procs(struct iked *env)
+{
+	u_int	 i;
+
+	if (iked_process != PROC_PARENT)
+		return;
+
+	for (i = 0; i < PROC_MAX; i++) {
+		if (env->sc_pid[i] == 0)
+			continue;
+		kill(env->sc_pid[i], SIGTERM);
+	}
+}
+
+void
+init_pipes(struct iked *env)
+{
+	int	 i, j, fds[2];
+
+	for (i = 0; i < PROC_MAX; i++)
+		for (j = 0; j < PROC_MAX; j++) {
+			if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC,
+			    fds) == -1)
+				fatal("socketpair");
+			env->sc_pipes[i][j] = fds[0];
+			env->sc_pipes[j][i] = fds[1];
+			socket_set_blockmode(env->sc_pipes[i][j],
+			    BM_NONBLOCK);
+			socket_set_blockmode(env->sc_pipes[j][i],
+			    BM_NONBLOCK);
+		}
+}
+
+void
+config_pipes(struct iked *env, struct iked_proc *p, u_int nproc)
+{
+	u_int	 i, j, k, found;
+
+	for (i = 0; i < PROC_MAX; i++) {
+		if (i != iked_process) {
+			for (j = 0; j < PROC_MAX; j++) {
+				close(env->sc_pipes[i][j]);
+				env->sc_pipes[i][j] = -1;
+			}
+		} else {
+			for (j = found = 0; j < PROC_MAX; j++, found = 0) {
+				for (k = 0; k < nproc; k++) {
+					if (p[k].id == j)
+						found++;
+				}
+				if (!found) {
+					close(env->sc_pipes[i][j]);
+					env->sc_pipes[i][j] = -1;
+				}
+			}
+		}
+	}
+}
+
+void
+config_procs(struct iked *env, struct iked_proc *p, u_int nproc)
+{
+	u_int	src, dst, i;
+
+	/*
+	 * listen on appropriate pipes
+	 */
+	for (i = 0; i < nproc; i++, p++) {
+		src = iked_process;
+		dst = p->id;
+		p->env = env;
+
+		imsg_init(&env->sc_ievs[dst].ibuf,
+		    env->sc_pipes[src][dst]);
+		env->sc_ievs[dst].handler = dispatch_proc;
+		env->sc_ievs[dst].events = EV_READ;
+		env->sc_ievs[dst].data = p;
+		env->sc_ievs[dst].name = p->title;
+		event_set(&env->sc_ievs[dst].ev,
+		    env->sc_ievs[dst].ibuf.fd,
+		    env->sc_ievs[dst].events,
+		    env->sc_ievs[dst].handler,
+		    env->sc_ievs[dst].data);
+		event_add(&env->sc_ievs[dst].ev, NULL);
+	}
+}
+
+void
+proc_shutdown(struct iked_proc *p)
+{
+	struct iked	*env = p->env;
+
+	if (p->id == PROC_CONTROL)
+		control_cleanup(&env->sc_csock);
+
+	log_info("%s exiting", p->title);
+	_exit(0);
+}
+
+void
+proc_sig_handler(int sig, short event, void *arg)
+{
+	switch (sig) {
+	case SIGINT:
+	case SIGTERM:
+		proc_shutdown((struct iked_proc *)arg);
+		break;
+	case SIGCHLD:
+	case SIGHUP:
+	case SIGPIPE:
+		/* ignore */
+		break;
+	default:
+		fatalx("proc_sig_handler: unexpected signal");
+		/* NOTREACHED */
+	}
+}
+
+pid_t
+run_proc(struct iked *env, struct iked_proc *p,
+    struct iked_proc *procs, u_int nproc,
+    void (*init)(struct iked *, void *), void *arg)
+{
+	pid_t		 pid;
+	struct passwd	*pw;
+	const char	*root;
+	u_int32_t	 seed[256];
+
+	switch (pid = fork()) {
+	case -1:
+		fatal("run_proc: cannot fork");
+	case 0:
+		break;
+	default:
+		return (pid);
+	}
+
+	pw = env->sc_pw;
+
+	if (p->id == PROC_CONTROL) {
+		if (control_init(env, &env->sc_csock) == -1)
+			fatalx(p->title);
+	}
+
+	/* Change root directory */
+	if (p->chroot != NULL)
+		root = p->chroot;
+	else
+		root = pw->pw_dir;
+
+#ifndef DEBUG
+	if (chroot(root) == -1)
+		fatal("run_proc: chroot");
+	if (chdir("/") == -1)
+		fatal("run_proc: chdir(\"/\")");
+#else
+#warning disabling privilege revocation and chroot in DEBUG MODE
+	if (p->chroot != NULL) {
+		if (chroot(root) == -1)
+			fatal("run_proc: chroot");
+		if (chdir("/") == -1)
+			fatal("run_proc: chdir(\"/\")");
+	}
+#endif
+
+	iked_process = p->id;
+	setproctitle("%s", p->title);
+
+#ifndef DEBUG
+	if (setgroups(1, &pw->pw_gid) ||
+	    setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
+	    setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
+		fatal("run_proc: cannot drop privileges");
+#endif
+
+	event_init();
+
+	signal_set(&env->sc_evsigint, SIGINT, proc_sig_handler, env);
+	signal_set(&env->sc_evsigterm, SIGTERM, proc_sig_handler, env);
+	signal_set(&env->sc_evsigchld, SIGCHLD, proc_sig_handler, env);
+	signal_set(&env->sc_evsighup, SIGHUP, proc_sig_handler, env);
+	signal_set(&env->sc_evsigpipe, SIGPIPE, proc_sig_handler, env);
+
+	signal_add(&env->sc_evsigint, NULL);
+	signal_add(&env->sc_evsigterm, NULL);
+	signal_add(&env->sc_evsigchld, NULL);
+	signal_add(&env->sc_evsighup, NULL);
+	signal_add(&env->sc_evsigpipe, NULL);
+
+	config_pipes(env, procs, nproc);
+	config_procs(env, procs, nproc);
+
+	arc4random_buf(seed, sizeof(seed));
+	RAND_seed(seed, sizeof(seed));
+
+	if (p->id == PROC_CONTROL) {
+		TAILQ_INIT(&ctl_conns);
+		if (control_listen(&env->sc_csock) == -1)
+			fatalx(p->title);
+	}
+
+	if (init != NULL)
+		init(env, arg);
+
+	event_dispatch();
+
+	proc_shutdown(p);
+
+	return (0);
+}
+
+void
+dispatch_proc(int fd, short event, void *arg)
+{
+	struct iked_proc	*p = (struct iked_proc *)arg;
+	struct iked		*env = p->env;
+	struct imsgev		*iev;
+	struct imsgbuf		*ibuf;
+	struct imsg		 imsg;
+	ssize_t			 n;
+	int			 verbose;
+
+	iev = &env->sc_ievs[p->id];
+	ibuf = &iev->ibuf;
+
+	if (event & EV_READ) {
+		if ((n = imsg_read(ibuf)) == -1)
+			fatal(p->title);
+		if (n == 0) {
+			/* this pipe is dead, so remove the event handler */
+			event_del(&iev->ev);
+			event_loopexit(NULL);
+			return;
+		}
+	}
+
+	if (event & EV_WRITE) {
+		if (msgbuf_write(&ibuf->w) == -1)
+			fatal(p->title);
+	}
+
+	for (;;) {
+		if ((n = imsg_get(ibuf, &imsg)) == -1)
+			fatal(p->title);
+		if (n == 0)
+			break;
+
+		/*
+		 * Check the message with the program callback
+		 */
+		if ((p->cb)(fd, p, &imsg) == 0) {
+			/* Message was handled by the callback, continue */
+			imsg_free(&imsg);
+			continue;
+		}
+
+		/*
+		 * Generic message handling
+		 */
+		switch (imsg.hdr.type) {
+		case IMSG_CTL_VERBOSE:
+			IMSG_SIZE_CHECK(&imsg, &verbose);
+
+			memcpy(&verbose, imsg.data, sizeof(verbose));
+			log_verbose(verbose);
+			break;
+		default:
+			log_warnx("%s: %s got imsg %d", __func__, p->title,
+			    imsg.hdr.type);
+			fatalx(p->title);
+		}
+		imsg_free(&imsg);
+	}
+	imsg_event_add(iev);
+}