loading of subjectPublicKeyInfo wrapped keys using KEY_ANY (openssl format)
[strongswan.git] / src / charon / network / socket-raw.c
1 /*
2 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
3 * Copyright (C) 2005-2006 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 *
17 * $Id$
18 */
19
20 #include <pthread.h>
21 #include <sys/types.h>
22 #include <sys/socket.h>
23 #include <string.h>
24 #include <errno.h>
25 #include <unistd.h>
26 #include <stdlib.h>
27 #include <fcntl.h>
28 #include <sys/ioctl.h>
29 #include <netinet/in.h>
30 #include <netinet/ip.h>
31 #include <netinet/ip6.h>
32 #include <netinet/udp.h>
33 #include <linux/ipsec.h>
34 #include <linux/filter.h>
35 #include <net/if.h>
36
37 #include "socket.h"
38
39 #include <daemon.h>
40
41 /* constants for packet handling */
42 #define IP_LEN sizeof(struct iphdr)
43 #define IP6_LEN sizeof(struct ip6_hdr)
44 #define UDP_LEN sizeof(struct udphdr)
45 #define MARKER_LEN sizeof(u_int32_t)
46
47 /* offsets for packet handling */
48 #define IP_PROTO_OFFSET 9
49 #define IP6_PROTO_OFFSET 6
50 #define IKE_VERSION_OFFSET 17
51 #define IKE_LENGTH_OFFSET 24
52
53 /* from linux/in.h */
54 #ifndef IP_IPSEC_POLICY
55 #define IP_IPSEC_POLICY 16
56 #endif /*IP_IPSEC_POLICY*/
57
58 /* from linux/udp.h */
59 #ifndef UDP_ENCAP
60 #define UDP_ENCAP 100
61 #endif /*UDP_ENCAP*/
62
63 #ifndef UDP_ENCAP_ESPINUDP
64 #define UDP_ENCAP_ESPINUDP 2
65 #endif /*UDP_ENCAP_ESPINUDP*/
66
67 /* needed for older kernel headers */
68 #ifndef IPV6_2292PKTINFO
69 #define IPV6_2292PKTINFO 2
70 #endif /*IPV6_2292PKTINFO*/
71
72 /* missing on uclibc */
73 #ifndef IPV6_IPSEC_POLICY
74 #define IPV6_IPSEC_POLICY 34
75 #endif /*IPV6_IPSEC_POLICY*/
76
77 typedef struct private_socket_t private_socket_t;
78
79 /**
80 * Private data of an socket_t object
81 */
82 struct private_socket_t{
83 /**
84 * public functions
85 */
86 socket_t public;
87
88 /**
89 * regular port
90 */
91 int port;
92
93 /**
94 * port used for nat-t
95 */
96 int natt_port;
97
98 /**
99 * raw receiver socket for IPv4
100 */
101 int recv4;
102
103 /**
104 * raw receiver socket for IPv6
105 */
106 int recv6;
107
108 /**
109 * send socket on regular port for IPv4
110 */
111 int send4;
112
113 /**
114 * send socket on regular port for IPv6
115 */
116 int send6;
117
118 /**
119 * send socket on nat-t port for IPv4
120 */
121 int send4_natt;
122
123 /**
124 * send socket on nat-t port for IPv6
125 */
126 int send6_natt;
127 };
128
129 /**
130 * implementation of socket_t.receive
131 */
132 static status_t receiver(private_socket_t *this, packet_t **packet)
133 {
134 char buffer[MAX_PACKET];
135 chunk_t data;
136 packet_t *pkt;
137 struct udphdr *udp;
138 host_t *source = NULL, *dest = NULL;
139 int bytes_read = 0;
140 int data_offset, oldstate;
141 fd_set rfds;
142
143 FD_ZERO(&rfds);
144
145 if (this->recv4)
146 {
147 FD_SET(this->recv4, &rfds);
148 }
149 if (this->recv6)
150 {
151 FD_SET(this->recv6, &rfds);
152 }
153
154 DBG2(DBG_NET, "waiting for data on raw sockets");
155
156 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
157 if (select(max(this->recv4, this->recv6) + 1, &rfds, NULL, NULL, NULL) <= 0)
158 {
159 pthread_setcancelstate(oldstate, NULL);
160 return FAILED;
161 }
162 pthread_setcancelstate(oldstate, NULL);
163
164 if (this->recv4 && FD_ISSET(this->recv4, &rfds))
165 {
166 /* IPv4 raw sockets return the IP header. We read src/dest
167 * information directly from the raw header */
168 struct iphdr *ip;
169 struct sockaddr_in src, dst;
170
171 bytes_read = recv(this->recv4, buffer, MAX_PACKET, 0);
172 if (bytes_read < 0)
173 {
174 DBG1(DBG_NET, "error reading from IPv4 socket: %s", strerror(errno));
175 return FAILED;
176 }
177 DBG3(DBG_NET, "received IPv4 packet %b", buffer, bytes_read);
178
179 /* read source/dest from raw IP/UDP header */
180 if (bytes_read < IP_LEN + UDP_LEN + MARKER_LEN)
181 {
182 DBG1(DBG_NET, "received IPv4 packet too short (%d bytes)",
183 bytes_read);
184 return FAILED;
185 }
186 ip = (struct iphdr*) buffer;
187 udp = (struct udphdr*) (buffer + IP_LEN);
188 src.sin_family = AF_INET;
189 src.sin_addr.s_addr = ip->saddr;
190 src.sin_port = udp->source;
191 dst.sin_family = AF_INET;
192 dst.sin_addr.s_addr = ip->daddr;
193 dst.sin_port = udp->dest;
194 source = host_create_from_sockaddr((sockaddr_t*)&src);
195 dest = host_create_from_sockaddr((sockaddr_t*)&dst);
196
197 pkt = packet_create();
198 pkt->set_source(pkt, source);
199 pkt->set_destination(pkt, dest);
200 DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
201 data_offset = IP_LEN + UDP_LEN;
202 /* remove non esp marker */
203 if (dest->get_port(dest) == IKEV2_NATT_PORT)
204 {
205 data_offset += MARKER_LEN;
206 }
207 /* fill in packet */
208 data.len = bytes_read - data_offset;
209 data.ptr = malloc(data.len);
210 memcpy(data.ptr, buffer + data_offset, data.len);
211 pkt->set_data(pkt, data);
212 }
213 else if (this->recv6 && FD_ISSET(this->recv6, &rfds))
214 {
215 /* IPv6 raw sockets return no IP header. We must query
216 * src/dest via socket options/ancillary data */
217 struct msghdr msg;
218 struct cmsghdr *cmsgptr;
219 struct sockaddr_in6 src, dst;
220 struct iovec iov;
221 char ancillary[64];
222
223 msg.msg_name = &src;
224 msg.msg_namelen = sizeof(src);
225 iov.iov_base = buffer;
226 iov.iov_len = sizeof(buffer);
227 msg.msg_iov = &iov;
228 msg.msg_iovlen = 1;
229 msg.msg_control = ancillary;
230 msg.msg_controllen = sizeof(ancillary);
231 msg.msg_flags = 0;
232
233 bytes_read = recvmsg(this->recv6, &msg, 0);
234 if (bytes_read < 0)
235 {
236 DBG1(DBG_NET, "error reading from IPv6 socket: %s", strerror(errno));
237 return FAILED;
238 }
239 DBG3(DBG_NET, "received IPv6 packet %b", buffer, bytes_read);
240
241 if (bytes_read < IP_LEN + UDP_LEN + MARKER_LEN)
242 {
243 DBG3(DBG_NET, "received IPv6 packet too short (%d bytes)",
244 bytes_read);
245 return FAILED;
246 }
247
248 /* read ancillary data to get destination address */
249 for (cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL;
250 cmsgptr = CMSG_NXTHDR(&msg, cmsgptr))
251 {
252 if (cmsgptr->cmsg_len == 0)
253 {
254 DBG1(DBG_NET, "error reading IPv6 ancillary data");
255 return FAILED;
256 }
257 if (cmsgptr->cmsg_level == SOL_IPV6 &&
258 cmsgptr->cmsg_type == IPV6_2292PKTINFO)
259 {
260 struct in6_pktinfo *pktinfo;
261 pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
262
263 memset(&dst, 0, sizeof(dst));
264 memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr));
265 dst.sin6_family = AF_INET6;
266 udp = (struct udphdr*) (buffer);
267 dst.sin6_port = udp->dest;
268 src.sin6_port = udp->source;
269 dest = host_create_from_sockaddr((sockaddr_t*)&dst);
270 }
271 }
272 /* ancillary data missing? */
273 if (dest == NULL)
274 {
275 DBG1(DBG_NET, "error reading IPv6 packet header");
276 return FAILED;
277 }
278
279 source = host_create_from_sockaddr((sockaddr_t*)&src);
280
281 pkt = packet_create();
282 pkt->set_source(pkt, source);
283 pkt->set_destination(pkt, dest);
284 DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
285 data_offset = UDP_LEN;
286 /* remove non esp marker */
287 if (dest->get_port(dest) == IKEV2_NATT_PORT)
288 {
289 data_offset += MARKER_LEN;
290 }
291 /* fill in packet */
292 data.len = bytes_read - data_offset;
293 data.ptr = malloc(data.len);
294 memcpy(data.ptr, buffer + data_offset, data.len);
295 pkt->set_data(pkt, data);
296 }
297 else
298 {
299 /* oops, shouldn't happen */
300 return FAILED;
301 }
302
303 /* return packet */
304 *packet = pkt;
305 return SUCCESS;
306 }
307
308 /**
309 * implementation of socket_t.send
310 */
311 status_t sender(private_socket_t *this, packet_t *packet)
312 {
313 int sport, skt, family;
314 ssize_t bytes_sent;
315 chunk_t data, marked;
316 host_t *src, *dst;
317 struct msghdr msg;
318 struct cmsghdr *cmsg;
319 struct iovec iov;
320
321 src = packet->get_source(packet);
322 dst = packet->get_destination(packet);
323 data = packet->get_data(packet);
324
325 DBG2(DBG_NET, "sending packet: from %#H to %#H", src, dst);
326
327 /* send data */
328 sport = src->get_port(src);
329 family = dst->get_family(dst);
330 if (sport == IKEV2_UDP_PORT)
331 {
332 if (family == AF_INET)
333 {
334 skt = this->send4;
335 }
336 else
337 {
338 skt = this->send6;
339 }
340 }
341 else if (sport == IKEV2_NATT_PORT)
342 {
343 if (family == AF_INET)
344 {
345 skt = this->send4_natt;
346 }
347 else
348 {
349 skt = this->send6_natt;
350 }
351 /* NAT keepalives without marker */
352 if (data.len != 1 || data.ptr[0] != 0xFF)
353 {
354 /* add non esp marker to packet */
355 if (data.len > MAX_PACKET - MARKER_LEN)
356 {
357 DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)",
358 data.len);
359 return FAILED;
360 }
361 marked = chunk_alloc(data.len + MARKER_LEN);
362 memset(marked.ptr, 0, MARKER_LEN);
363 memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
364 /* let the packet do the clean up for us */
365 packet->set_data(packet, marked);
366 data = marked;
367 }
368 }
369 else
370 {
371 DBG1(DBG_NET, "unable to locate a send socket for port %d", sport);
372 return FAILED;
373 }
374
375 memset(&msg, 0, sizeof(struct msghdr));
376 msg.msg_name = dst->get_sockaddr(dst);;
377 msg.msg_namelen = *dst->get_sockaddr_len(dst);
378 iov.iov_base = data.ptr;
379 iov.iov_len = data.len;
380 msg.msg_iov = &iov;
381 msg.msg_iovlen = 1;
382 msg.msg_flags = 0;
383
384 if (!dst->is_anyaddr(dst))
385 {
386 if (family == AF_INET)
387 {
388 char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
389 struct in_pktinfo *pktinfo;
390 struct sockaddr_in *sin;
391
392 msg.msg_control = buf;
393 msg.msg_controllen = sizeof(buf);
394 cmsg = CMSG_FIRSTHDR(&msg);
395 cmsg->cmsg_level = SOL_IP;
396 cmsg->cmsg_type = IP_PKTINFO;
397 cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
398 pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
399 memset(pktinfo, 0, sizeof(struct in_pktinfo));
400 sin = (struct sockaddr_in*)src->get_sockaddr(src);
401 memcpy(&pktinfo->ipi_spec_dst, &sin->sin_addr, sizeof(struct in_addr));
402 }
403 else
404 {
405 char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
406 struct in6_pktinfo *pktinfo;
407 struct sockaddr_in6 *sin;
408
409 msg.msg_control = buf;
410 msg.msg_controllen = sizeof(buf);
411 cmsg = CMSG_FIRSTHDR(&msg);
412 cmsg->cmsg_level = SOL_IPV6;
413 cmsg->cmsg_type = IPV6_2292PKTINFO;
414 cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
415 pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
416 memset(pktinfo, 0, sizeof(struct in6_pktinfo));
417 sin = (struct sockaddr_in6*)src->get_sockaddr(src);
418 memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
419 }
420 }
421
422 bytes_sent = sendmsg(skt, &msg, 0);
423
424 if (bytes_sent != data.len)
425 {
426 DBG1(DBG_NET, "error writing to socket: %s", strerror(errno));
427 return FAILED;
428 }
429 return SUCCESS;
430 }
431
432 /**
433 * open a socket to send packets
434 */
435 static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
436 {
437 int on = TRUE;
438 int type = UDP_ENCAP_ESPINUDP;
439 struct sockaddr_storage addr;
440 u_int sol, ipsec_policy;
441 struct sadb_x_policy policy;
442 int skt;
443
444 memset(&addr, 0, sizeof(addr));
445 /* precalculate constants depending on address family */
446 switch (family)
447 {
448 case AF_INET:
449 {
450 struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
451 sin->sin_family = AF_INET;
452 sin->sin_addr.s_addr = INADDR_ANY;
453 sin->sin_port = htons(port);
454 sol = SOL_IP;
455 ipsec_policy = IP_IPSEC_POLICY;
456 break;
457 }
458 case AF_INET6:
459 {
460 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
461 sin6->sin6_family = AF_INET6;
462 memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
463 sin6->sin6_port = htons(port);
464 sol = SOL_IPV6;
465 ipsec_policy = IPV6_IPSEC_POLICY;
466 break;
467 }
468 default:
469 return 0;
470 }
471
472 skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
473 if (skt < 0)
474 {
475 DBG1(DBG_NET, "could not open send socket: %s", strerror(errno));
476 return 0;
477 }
478
479 if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
480 {
481 DBG1(DBG_NET, "unable to set SO_REUSEADDR on send socket: %s",
482 strerror(errno));
483 close(skt);
484 return 0;
485 }
486
487 /* bypass outgoung IKE traffic on send socket */
488 memset(&policy, 0, sizeof(policy));
489 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
490 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
491 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
492 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
493
494 if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
495 {
496 DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %s",
497 strerror(errno));
498 close(skt);
499 return 0;
500 }
501
502 /* We don't receive packets on the send socket, but we need a INBOUND policy.
503 * Otherwise, UDP decapsulation does not work!!! */
504 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
505 if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
506 {
507 DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %s",
508 strerror(errno));
509 close(skt);
510 return 0;
511 }
512
513 /* bind the send socket */
514 if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0)
515 {
516 DBG1(DBG_NET, "unable to bind send socket: %s",
517 strerror(errno));
518 close(skt);
519 return 0;
520 }
521
522 if (family == AF_INET)
523 {
524 /* enable UDP decapsulation globally, only for one socket needed */
525 if (setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
526 {
527 DBG1(DBG_NET, "unable to set UDP_ENCAP: %s; NAT-T may fail",
528 strerror(errno));
529 }
530 }
531
532 return skt;
533 }
534
535 /**
536 * open a socket to receive packets
537 */
538 static int open_recv_socket(private_socket_t *this, int family)
539 {
540 int skt;
541 int on = TRUE;
542 u_int proto_offset, ip_len, sol, ipsec_policy, udp_header, ike_header;
543 struct sadb_x_policy policy;
544
545 /* precalculate constants depending on address family */
546 switch (family)
547 {
548 case AF_INET:
549 proto_offset = IP_PROTO_OFFSET;
550 ip_len = IP_LEN;
551 sol = SOL_IP;
552 ipsec_policy = IP_IPSEC_POLICY;
553 break;
554 case AF_INET6:
555 proto_offset = IP6_PROTO_OFFSET;
556 ip_len = 0; /* IPv6 raw sockets contain no IP header */
557 sol = SOL_IPV6;
558 ipsec_policy = IPV6_IPSEC_POLICY;
559 break;
560 default:
561 return 0;
562 }
563 udp_header = ip_len;
564 ike_header = ip_len + UDP_LEN;
565
566 /* This filter code filters out all non-IKEv2 traffic on
567 * a SOCK_RAW IP_PROTP_UDP socket. Handling of other
568 * IKE versions is done in pluto.
569 */
570 struct sock_filter ikev2_filter_code[] =
571 {
572 /* Destination Port must be either port or natt_port */
573 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, udp_header + 2),
574 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IKEV2_UDP_PORT, 1, 0),
575 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IKEV2_NATT_PORT, 5, 12),
576 /* port */
577 /* IKE version must be 2.0 */
578 BPF_STMT(BPF_LD+BPF_B+BPF_ABS, ike_header + IKE_VERSION_OFFSET),
579 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x20, 0, 10),
580 /* packet length is length in IKEv2 header + ip header + udp header */
581 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header + IKE_LENGTH_OFFSET),
582 BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, ip_len + UDP_LEN),
583 BPF_STMT(BPF_RET+BPF_A, 0),
584 /* natt_port */
585 /* nat-t: check for marker */
586 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header),
587 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 5),
588 /* nat-t: IKE version must be 2.0 */
589 BPF_STMT(BPF_LD+BPF_B+BPF_ABS, ike_header + MARKER_LEN + IKE_VERSION_OFFSET),
590 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x20, 0, 3),
591 /* nat-t: packet length is length in IKEv2 header + ip header + udp header + non esp marker */
592 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header + MARKER_LEN + IKE_LENGTH_OFFSET),
593 BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, ip_len + UDP_LEN + MARKER_LEN),
594 BPF_STMT(BPF_RET+BPF_A, 0),
595 /* packet doesn't match, ignore */
596 BPF_STMT(BPF_RET+BPF_K, 0),
597 };
598
599 /* Filter struct to use with setsockopt */
600 struct sock_fprog ikev2_filter = {
601 sizeof(ikev2_filter_code) / sizeof(struct sock_filter),
602 ikev2_filter_code
603 };
604
605 /* set up a raw socket */
606 skt = socket(family, SOCK_RAW, IPPROTO_UDP);
607 if (skt < 0)
608 {
609 DBG1(DBG_NET, "unable to create raw socket: %s", strerror(errno));
610 return 0;
611 }
612
613 if (setsockopt(skt, SOL_SOCKET, SO_ATTACH_FILTER,
614 &ikev2_filter, sizeof(ikev2_filter)) < 0)
615 {
616 DBG1(DBG_NET, "unable to attach IKEv2 filter to raw socket: %s",
617 strerror(errno));
618 close(skt);
619 return 0;
620 }
621
622 if (family == AF_INET6 &&
623 /* we use IPV6_2292PKTINFO, as IPV6_PKTINFO is defined as
624 * 2 or 50 depending on kernel header version */
625 setsockopt(skt, sol, IPV6_2292PKTINFO, &on, sizeof(on)) < 0)
626 {
627 DBG1(DBG_NET, "unable to set IPV6_PKTINFO on raw socket: %s",
628 strerror(errno));
629 close(skt);
630 return 0;
631 }
632
633 /* bypass incomining IKE traffic on this socket */
634 memset(&policy, 0, sizeof(policy));
635 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
636 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
637 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
638 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
639
640 if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
641 {
642 DBG1(DBG_NET, "unable to set IPSEC_POLICY on raw socket: %s",
643 strerror(errno));
644 close(skt);
645 return 0;
646 }
647
648 return skt;
649 }
650
651 /**
652 * implementation of socket_t.destroy
653 */
654 static void destroy(private_socket_t *this)
655 {
656 if (this->recv4)
657 {
658 close(this->recv4);
659 }
660 if (this->recv6)
661 {
662 close(this->recv6);
663 }
664 if (this->send4)
665 {
666 close(this->send4);
667 }
668 if (this->send6)
669 {
670 close(this->send6);
671 }
672 if (this->send4_natt)
673 {
674 close(this->send4_natt);
675 }
676 if (this->send6_natt)
677 {
678 close(this->send6_natt);
679 }
680 free(this);
681 }
682
683 /*
684 * See header for description
685 */
686 socket_t *socket_create()
687 {
688 int key;
689 private_socket_t *this = malloc_thing(private_socket_t);
690
691 /* public functions */
692 this->public.send = (status_t(*)(socket_t*, packet_t*))sender;
693 this->public.receive = (status_t(*)(socket_t*, packet_t**))receiver;
694 this->public.destroy = (void(*)(socket_t*)) destroy;
695
696 this->recv4 = 0;
697 this->recv6 = 0;
698 this->send4 = 0;
699 this->send6 = 0;
700 this->send4_natt = 0;
701 this->send6_natt = 0;
702
703 /* we open a AF_KEY socket to autoload the af_key module. Otherwise
704 * setsockopt(IPSEC_POLICY) won't work. */
705 key = socket(AF_KEY, SOCK_RAW, PF_KEY_V2);
706 if (key == 0)
707 {
708 charon->kill(charon, "could not open AF_KEY socket");
709 }
710 close(key);
711
712 this->recv4 = open_recv_socket(this, AF_INET);
713 if (this->recv4 == 0)
714 {
715 DBG1(DBG_NET, "could not open IPv4 receive socket, IPv4 disabled");
716 }
717 else
718 {
719 this->send4 = open_send_socket(this, AF_INET, IKEV2_UDP_PORT);
720 if (this->send4 == 0)
721 {
722 DBG1(DBG_NET, "could not open IPv4 send socket, IPv4 disabled");
723 close(this->recv4);
724 }
725 else
726 {
727 this->send4_natt = open_send_socket(this, AF_INET, IKEV2_NATT_PORT);
728 if (this->send4_natt == 0)
729 {
730 DBG1(DBG_NET, "could not open IPv4 NAT-T send socket");
731 }
732 }
733 }
734
735 this->recv6 = open_recv_socket(this, AF_INET6);
736 if (this->recv6 == 0)
737 {
738 DBG1(DBG_NET, "could not open IPv6 receive socket, IPv6 disabled");
739 }
740 else
741 {
742 this->send6 = open_send_socket(this, AF_INET6, IKEV2_UDP_PORT);
743 if (this->send6 == 0)
744 {
745 DBG1(DBG_NET, "could not open IPv6 send socket, IPv6 disabled");
746 close(this->recv6);
747 }
748 else
749 {
750 this->send6_natt = open_send_socket(this, AF_INET6, IKEV2_NATT_PORT);
751 if (this->send6_natt == 0)
752 {
753 DBG1(DBG_NET, "could not open IPv6 NAT-T send socket");
754 }
755 }
756 }
757
758 if (!(this->send4 || this->send6) || !(this->recv4 || this->recv6))
759 {
760 DBG1(DBG_NET, "could not create any sockets");
761 destroy(this);
762 charon->kill(charon, "socket initialization failed");
763 }
764
765 return (socket_t*)this;
766 }