projects / strongswan.git / blob
? search:


0cd57aad30de3518f3d70e31153b2689c048d56e
[strongswan.git] / src / charon / network / socket.c
1 /**
2 * @file socket.c
3 *
4 * @brief Implementation of socket_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005 Jan Hutter, Martin Willi
11 * Hochschule fuer Technik Rapperswil
12 * Copyright (C) 1998-2002 D. Hugh Redelmeier.
13 * Copyright (C) 1997 Angelos D. Keromytis.
14 *
15 * Some parts of interface lookup code from pluto.
16 *
17 * This program is free software; you can redistribute it and/or modify it
18 * under the terms of the GNU General Public License as published by the
19 * Free Software Foundation; either version 2 of the License, or (at your
20 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
21 *
22 * This program is distributed in the hope that it will be useful, but
23 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
24 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
25 * for more details.
26 */
27
28 #include <pthread.h>
29 #include <sys/types.h>
30 #include <sys/socket.h>
31 #include <string.h>
32 #include <errno.h>
33 #include <unistd.h>
34 #include <stdlib.h>
35 #include <fcntl.h>
36 #include <sys/ioctl.h>
37 #include <netinet/in.h>
38 #include <netinet/ip.h>
39 #include <netinet/udp.h>
40 #include <linux/ipsec.h>
41 #include <linux/filter.h>
42
43 #include "socket.h"
44
45 #include <daemon.h>
46 #include <utils/logger_manager.h>
47
48 /* constants for packet handling */
49 #define IP_LEN sizeof(struct iphdr)
50 #define UDP_LEN sizeof(struct udphdr)
51 #define MARKER_LEN sizeof(u_int32_t)
52
53 /* offsets for packet handling */
54 #define IP 0
55 #define UDP IP + IP_LEN
56 #define IKE UDP + UDP_LEN
57
58 /* from linux/in.h */
59 #ifndef IP_IPSEC_POLICY
60 #define IP_IPSEC_POLICY 16
61 #endif /*IP_IPSEC_POLICY*/
62
63 /* from linux/udp.h */
64 #ifndef UDP_ENCAP
65 #define UDP_ENCAP 100
66 #endif /*UDP_ENCAP*/
67
68 #ifndef UDP_ENCAP_ESPINUDP
69 #define UDP_ENCAP_ESPINUDP 2
70 #endif /*UDP_ENCAP_ESPINUDP*/
71
72 typedef struct private_socket_t private_socket_t;
73
74 /**
75 * Private data of an socket_t object
76 */
77 struct private_socket_t{
78 /**
79 * public functions
80 */
81 socket_t public;
82
83 /**
84 * regular port
85 */
86 int port;
87
88 /**
89 * port used for nat-t
90 */
91 int natt_port;
92
93 /**
94 * raw socket (receiver)
95 */
96 int raw_fd;
97
98 /**
99 * send socket on regular port
100 */
101 int send_fd;
102
103 /**
104 * send socket on nat-t port
105 */
106 int natt_fd;
107
108 /**
109 * logger for this socket
110 */
111 logger_t *logger;
112
113 /**
114 * Setup a send socket
115 *
116 * @param this calling object
117 * @param port the port
118 * @param send_fd returns the file descriptor of this new socket
119 */
120 status_t (*setup_send_socket) (private_socket_t *this, u_int16_t port, int *send_fd);
121
122 /**
123 * Initialize
124 *
125 * @param this calling object
126 */
127 status_t (*initialize) (private_socket_t *this);
128 };
129
130 /**
131 * implementation of socket_t.receive
132 */
133 static status_t receiver(private_socket_t *this, packet_t **packet)
134 {
135 char buffer[MAX_PACKET];
136 chunk_t data;
137 packet_t *pkt;
138 struct iphdr *ip;
139 struct udphdr *udp;
140 host_t *source, *dest;
141 int bytes_read = 0;
142 int data_offset, oldstate;
143
144 this->logger->log(this->logger, CONTROL|LEVEL1, "receive from raw socket");
145 /* allow cancellation while blocking on recv() */
146 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
147 bytes_read = recv(this->raw_fd, buffer, MAX_PACKET, 0);
148 pthread_setcancelstate(oldstate, NULL);
149
150 if (bytes_read < 0)
151 {
152 this->logger->log(this->logger, ERROR, "error reading from socket: %s", strerror(errno));
153 return FAILED;
154 }
155
156 /* read source/dest from raw IP/UDP header */
157 ip = (struct iphdr*) buffer;
158 udp = (struct udphdr*) (buffer + IP_LEN);
159
160 source = host_create_from_hdr(ip->saddr, udp->source);
161 dest = host_create_from_hdr(ip->daddr, udp->dest);
162
163 pkt = packet_create();
164 pkt->set_source(pkt, source);
165 pkt->set_destination(pkt, dest);
166
167 this->logger->log(this->logger, CONTROL, "received packet: from %s:%d to %s:%d",
168 source->get_address(source), source->get_port(source),
169 dest->get_address(dest), dest->get_port(dest));
170
171 data_offset = IP_LEN + UDP_LEN;
172
173 /* remove non esp marker */
174 if (dest->get_port(dest) == this->natt_port)
175 {
176 data_offset += MARKER_LEN;
177 }
178
179 /* fill in packet */
180 data.len = bytes_read - data_offset;
181 data.ptr = malloc(data.len);
182 memcpy(data.ptr, buffer + data_offset, data.len);
183 pkt->set_data(pkt, data);
184
185 /* return packet */
186 *packet = pkt;
187
188 return SUCCESS;
189 }
190
191 /**
192 * implementation of socket_t.send
193 */
194 status_t sender(private_socket_t *this, packet_t *packet)
195 {
196 int sport, fd;
197 ssize_t bytes_sent;
198 chunk_t data, marked;
199 host_t *src, *dst;
200
201 src = packet->get_source(packet);
202 dst = packet->get_destination(packet);
203 data = packet->get_data(packet);
204
205 this->logger->log(this->logger, CONTROL, "sending packet: from %s:%d to %s:%d",
206 src->get_address(src), src->get_port(src),
207 dst->get_address(dst), dst->get_port(dst));
208
209 /* send data */
210 sport = src->get_port(src);
211 if (sport == this->port)
212 {
213 fd = this->send_fd;
214 }
215 else if (sport == this->natt_port)
216 {
217 fd = this->natt_fd;
218 /* NAT keepalives without marker */
219 if (data.len != 1 || data.ptr[0] != 0xFF)
220 {
221 /* add non esp marker to packet */
222 if (data.len > MAX_PACKET - MARKER_LEN)
223 {
224 this->logger->log(this->logger, ERROR, "unable to send packet: it's too big");
225 return FAILED;
226 }
227 marked = chunk_alloc(data.len + MARKER_LEN);
228 memset(marked.ptr, 0, MARKER_LEN);
229 memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
230 packet->set_data(packet, marked); /* let the packet do the clean up for us */
231 data = marked;
232 }
233 }
234 else
235 {
236 this->logger->log(this->logger, ERROR, "unable to locate a send socket for port: %d", sport);
237 return FAILED;
238 }
239
240 bytes_sent = sendto(fd, data.ptr, data.len, 0,
241 dst->get_sockaddr(dst), *(dst->get_sockaddr_len(dst)));
242
243 if (bytes_sent != data.len)
244 {
245 this->logger->log(this->logger, ERROR, "error writing to socket: %s", strerror(errno));
246 return FAILED;
247 }
248
249 return SUCCESS;
250 }
251
252 /**
253 * setup a send socket on a specified port
254 */
255 static status_t setup_send_socket(private_socket_t *this, u_int16_t port, int *send_fd) {
256 int on = TRUE;
257 struct sockaddr_in addr;
258 int fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
259 if (fd < 0)
260 {
261 this->logger->log(this->logger, ERROR, "could not open IPv4 send socket!");
262 return FAILED;
263 }
264
265 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
266 {
267 this->logger->log(this->logger, ERROR, "unable to set SO_REUSEADDR on send socket!");
268 close(fd);
269 return FAILED;
270 }
271
272 struct sadb_x_policy policy;
273 int level, opt;
274
275 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
276 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
277 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
278 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
279 policy.sadb_x_policy_reserved = 0;
280 policy.sadb_x_policy_id = 0;
281
282 /* ipv6
283 * level = IPPROTO_IPV6;
284 * opt = IPV6_IPSEC_POLICY;
285 */
286 level = IPPROTO_IP;
287 opt = IP_IPSEC_POLICY;
288
289 if (setsockopt(fd, level, opt, &policy, sizeof(policy)) < 0)
290 {
291 this->logger->log(this->logger, ERROR, "unable to set IPSEC_POLICY on send socket!");
292 close(fd);
293 return FAILED;
294 }
295
296 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
297
298 if (setsockopt(fd, level, opt, &policy, sizeof(policy)) < 0)
299 {
300 this->logger->log(this->logger, ERROR, "unable to set IPSEC_POLICY on send socket!");
301 close(fd);
302 return FAILED;
303 }
304
305 /* bind the send socket */
306 addr.sin_family = AF_INET;
307 addr.sin_addr.s_addr = INADDR_ANY;
308 addr.sin_port = htons(port);
309 if (bind(fd, (struct sockaddr*)&addr, sizeof(addr)) < 0)
310 {
311 this->logger->log(this->logger, ERROR, "unable to bind send socket: %s!", strerror(errno));
312 return FAILED;
313 }
314
315 *send_fd = fd;
316 return SUCCESS;
317 }
318
319 /**
320 * Initialize all sub sockets
321 */
322 static status_t initialize(private_socket_t *this)
323 {
324 /* This filter code filters out all non-IKEv2 traffic on
325 * a SOCK_RAW IP_PROTP_UDP socket. Handling of other
326 * IKE versions is done in pluto.
327 */
328 struct sock_filter ikev2_filter_code[] =
329 {
330 /* Protocol must be UDP */
331 BPF_STMT(BPF_LD+BPF_B+BPF_ABS, IP + 9),
332 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IPPROTO_UDP, 0, 15),
333 /* Destination Port must be either port or natt_port */
334 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, UDP + 2),
335 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, this->port, 1, 0),
336 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, this->natt_port, 5, 12),
337 /* port */
338 /* IKE version must be 2.0 */
339 BPF_STMT(BPF_LD+BPF_B+BPF_ABS, IKE + 17),
340 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x20, 0, 10),
341 /* packet length is length in IKEv2 header + ip header + udp header */
342 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, IKE + 24),
343 BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, IP_LEN + UDP_LEN),
344 BPF_STMT(BPF_RET+BPF_A, 0),
345 /* natt_port */
346 /* nat-t: check for marker */
347 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, IKE),
348 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 5),
349 /* nat-t: IKE version must be 2.0 */
350 BPF_STMT(BPF_LD+BPF_B+BPF_ABS, IKE + MARKER_LEN + 17),
351 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x20, 0, 3),
352 /* nat-t: packet length is length in IKEv2 header + ip header + udp header + non esp marker */
353 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, IKE + MARKER_LEN + 24),
354 BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, IP_LEN + UDP_LEN + MARKER_LEN),
355 BPF_STMT(BPF_RET+BPF_A, 0),
356 /* packet doesn't match, ignore */
357 BPF_STMT(BPF_RET+BPF_K, 0),
358 };
359
360 /* Filter struct to use with setsockopt */
361 struct sock_fprog ikev2_filter = {
362 sizeof(ikev2_filter_code) / sizeof(struct sock_filter),
363 ikev2_filter_code
364 };
365
366 /* set up raw socket */
367 this->raw_fd = socket(PF_INET, SOCK_RAW, IPPROTO_UDP);
368 if (this->raw_fd < 0)
369 {
370 this->logger->log(this->logger, ERROR, "unable to create raw socket!");
371 return FAILED;
372 }
373
374 if (setsockopt(this->raw_fd, SOL_SOCKET, SO_ATTACH_FILTER, &ikev2_filter, sizeof(ikev2_filter)) < 0)
375 {
376 this->logger->log(this->logger, ERROR, "unable to attach IKEv2 filter to raw socket!");
377 close(this->raw_fd);
378 return FAILED;
379 }
380
381 /* setup the send sockets */
382 if (this->setup_send_socket(this, this->port, &this->send_fd) != SUCCESS)
383 {
384 this->logger->log(this->logger, ERROR, "unable to setup send socket on port %d!", this->port);
385 return FAILED;
386 }
387
388 if (this->setup_send_socket(this, this->natt_port, &this->natt_fd) != SUCCESS)
389 {
390 this->logger->log(this->logger, ERROR, "unable to setup send socket on port %d!", this->natt_port);
391 return FAILED;
392 } else {
393 int type = UDP_ENCAP_ESPINUDP;
394 if (setsockopt(this->natt_fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0
395 && errno == ENOPROTOOPT)
396 {
397 this->logger->log(this->logger, ERROR, "unable to set UDP_ENCAP on natt send socket!");
398 close(this->natt_fd);
399 close(this->send_fd);
400 close(this->raw_fd);
401 return FAILED;
402 }
403 }
404
405 return SUCCESS;
406 }
407
408 /**
409 * implementation of socket_t.destroy
410 */
411 static void destroy(private_socket_t *this)
412 {
413 close(this->natt_fd);
414 close(this->send_fd);
415 close(this->raw_fd);
416 free(this);
417 }
418
419 /*
420 * See header for description
421 */
422 socket_t *socket_create(u_int16_t port, u_int16_t natt_port)
423 {
424 private_socket_t *this = malloc_thing(private_socket_t);
425
426 /* private functions */
427 this->initialize = (status_t(*)(private_socket_t*))initialize;
428 this->setup_send_socket = (status_t(*)(private_socket_t*,u_int16_t, int*))setup_send_socket;
429
430 /* public functions */
431 this->public.send = (status_t(*)(socket_t*, packet_t*))sender;
432 this->public.receive = (status_t(*)(socket_t*, packet_t**))receiver;
433 this->public.destroy = (void(*)(socket_t*)) destroy;
434
435 this->logger = logger_manager->get_logger(logger_manager, SOCKET);
436
437 this->port = port;
438 this->natt_port = natt_port;
439
440 if (this->initialize(this) != SUCCESS)
441 {
442 free(this);
443 charon->kill(charon, "could not init socket!");
444 }
445
446 return (socket_t*)this;
447 }
strongSwan - IPsec VPN