2b854c6e6a645135d6e1ca42d5840b5fde517fad
[strongswan.git] / src / charon / network / socket.c
1 /*
2 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 *
17 * $Id$
18 */
19
20 /* for struct in6_pktinfo */
21 #define _GNU_SOURCE
22
23 #include <pthread.h>
24 #include <sys/types.h>
25 #include <sys/socket.h>
26 #include <string.h>
27 #include <errno.h>
28 #include <unistd.h>
29 #include <stdlib.h>
30 #include <fcntl.h>
31 #include <sys/ioctl.h>
32 #include <netinet/in.h>
33 #include <netinet/ip.h>
34 #include <netinet/ip6.h>
35 #include <netinet/udp.h>
36 #include <linux/ipsec.h>
37 #include <linux/filter.h>
38 #include <net/if.h>
39
40 #include "socket.h"
41
42 #include <daemon.h>
43
44 /* length of non-esp marker */
45 #define MARKER_LEN sizeof(u_int32_t)
46
47 /* from linux/in.h */
48 #ifndef IP_IPSEC_POLICY
49 #define IP_IPSEC_POLICY 16
50 #endif /*IP_IPSEC_POLICY*/
51
52 /* from linux/udp.h */
53 #ifndef UDP_ENCAP
54 #define UDP_ENCAP 100
55 #endif /*UDP_ENCAP*/
56
57 #ifndef UDP_ENCAP_ESPINUDP
58 #define UDP_ENCAP_ESPINUDP 2
59 #endif /*UDP_ENCAP_ESPINUDP*/
60
61 /* needed for older kernel headers */
62 #ifndef IPV6_2292PKTINFO
63 #define IPV6_2292PKTINFO 2
64 #endif /*IPV6_2292PKTINFO*/
65
66 /* missing on uclibc */
67 #ifndef IPV6_IPSEC_POLICY
68 #define IPV6_IPSEC_POLICY 34
69 #endif /*IPV6_IPSEC_POLICY*/
70
71 typedef struct private_socket_t private_socket_t;
72
73 /**
74 * Private data of an socket_t object
75 */
76 struct private_socket_t {
77 /**
78 * public functions
79 */
80 socket_t public;
81
82 /**
83 * IPv4 socket (500)
84 */
85 int ipv4;
86
87 /**
88 * IPv4 socket for NATT (4500)
89 */
90 int ipv4_natt;
91
92 /**
93 * IPv6 socket (500)
94 */
95 int ipv6;
96
97 /**
98 * IPv6 socket for NATT (4500)
99 */
100 int ipv6_natt;
101 };
102
103 /**
104 * implementation of socket_t.receive
105 */
106 static status_t receiver(private_socket_t *this, packet_t **packet)
107 {
108 char buffer[MAX_PACKET];
109 chunk_t data;
110 packet_t *pkt;
111 host_t *source = NULL, *dest = NULL;
112 int bytes_read = 0;
113 int data_offset, oldstate;
114 fd_set rfds;
115 int max_fd = 0, selected = 0;
116 u_int16_t port;
117
118 FD_ZERO(&rfds);
119
120 if (this->ipv4)
121 {
122 FD_SET(this->ipv4, &rfds);
123 }
124 if (this->ipv4_natt)
125 {
126 FD_SET(this->ipv4_natt, &rfds);
127 }
128 if (this->ipv6)
129 {
130 FD_SET(this->ipv6, &rfds);
131 }
132 if (this->ipv6_natt)
133 {
134 FD_SET(this->ipv6_natt, &rfds);
135 }
136 max_fd = max(max(this->ipv4, this->ipv4_natt), max(this->ipv6, this->ipv6_natt));
137
138 DBG2(DBG_NET, "waiting for data on sockets");
139 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
140 if (select(max_fd + 1, &rfds, NULL, NULL, NULL) <= 0)
141 {
142 pthread_setcancelstate(oldstate, NULL);
143 return FAILED;
144 }
145 pthread_setcancelstate(oldstate, NULL);
146
147 if (FD_ISSET(this->ipv4, &rfds))
148 {
149 port = IKEV2_UDP_PORT;
150 selected = this->ipv4;
151 }
152 if (FD_ISSET(this->ipv4_natt, &rfds))
153 {
154 port = IKEV2_NATT_PORT;
155 selected = this->ipv4_natt;
156 }
157 if (FD_ISSET(this->ipv6, &rfds))
158 {
159 port = IKEV2_UDP_PORT;
160 selected = this->ipv6;
161 }
162 if (FD_ISSET(this->ipv6_natt, &rfds))
163 {
164 port = IKEV2_NATT_PORT;
165 selected = this->ipv6_natt;
166 }
167 if (selected)
168 {
169 struct msghdr msg;
170 struct cmsghdr *cmsgptr;
171 struct iovec iov;
172 char ancillary[64];
173 union {
174 struct sockaddr_in in4;
175 struct sockaddr_in6 in6;
176 } src;
177
178 msg.msg_name = &src;
179 msg.msg_namelen = sizeof(src);
180 iov.iov_base = buffer;
181 iov.iov_len = sizeof(buffer);
182 msg.msg_iov = &iov;
183 msg.msg_iovlen = 1;
184 msg.msg_control = ancillary;
185 msg.msg_controllen = sizeof(ancillary);
186 msg.msg_flags = 0;
187 bytes_read = recvmsg(selected, &msg, 0);
188 if (bytes_read < 0)
189 {
190 DBG1(DBG_NET, "error reading socket: %s", strerror(errno));
191 return FAILED;
192 }
193 DBG3(DBG_NET, "received packet %b", buffer, bytes_read);
194
195 if (bytes_read < MARKER_LEN)
196 {
197 DBG3(DBG_NET, "received packet too short (%d bytes)",
198 bytes_read);
199 return FAILED;
200 }
201
202 /* read ancillary data to get destination address */
203 for (cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL;
204 cmsgptr = CMSG_NXTHDR(&msg, cmsgptr))
205 {
206 if (cmsgptr->cmsg_len == 0)
207 {
208 DBG1(DBG_NET, "error reading ancillary data");
209 return FAILED;
210 }
211
212 if (cmsgptr->cmsg_level == SOL_IPV6 &&
213 cmsgptr->cmsg_type == IPV6_2292PKTINFO)
214 {
215 struct in6_pktinfo *pktinfo;
216 pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
217 struct sockaddr_in6 dst;
218
219 memset(&dst, 0, sizeof(dst));
220 memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr));
221 dst.sin6_family = AF_INET6;
222 dst.sin6_port = htons(port);
223 dest = host_create_from_sockaddr((sockaddr_t*)&dst);
224 }
225 if (cmsgptr->cmsg_level == SOL_IP &&
226 cmsgptr->cmsg_type == IP_PKTINFO)
227 {
228 struct in_pktinfo *pktinfo;
229 pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsgptr);
230 struct sockaddr_in dst;
231
232 memset(&dst, 0, sizeof(dst));
233 memcpy(&dst.sin_addr, &pktinfo->ipi_addr, sizeof(dst.sin_addr));
234 dst.sin_family = AF_INET;
235 dst.sin_port = htons(port);
236 dest = host_create_from_sockaddr((sockaddr_t*)&dst);
237 }
238 if (dest)
239 {
240 break;
241 }
242 }
243 if (dest == NULL)
244 {
245 DBG1(DBG_NET, "error reading IP header");
246 return FAILED;
247 }
248 source = host_create_from_sockaddr((sockaddr_t*)&src);
249
250 pkt = packet_create();
251 pkt->set_source(pkt, source);
252 pkt->set_destination(pkt, dest);
253 DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
254 data_offset = 0;
255 /* remove non esp marker */
256 if (dest->get_port(dest) == IKEV2_NATT_PORT)
257 {
258 data_offset += MARKER_LEN;
259 }
260 /* fill in packet */
261 data.len = bytes_read - data_offset;
262 data.ptr = malloc(data.len);
263 memcpy(data.ptr, buffer + data_offset, data.len);
264 pkt->set_data(pkt, data);
265 }
266 else
267 {
268 /* oops, shouldn't happen */
269 return FAILED;
270 }
271 /* return packet */
272 *packet = pkt;
273 return SUCCESS;
274 }
275
276 /**
277 * implementation of socket_t.send
278 */
279 status_t sender(private_socket_t *this, packet_t *packet)
280 {
281 int sport, skt, family;
282 ssize_t bytes_sent;
283 chunk_t data, marked;
284 host_t *src, *dst;
285 struct msghdr msg;
286 struct cmsghdr *cmsg;
287 struct iovec iov;
288
289 src = packet->get_source(packet);
290 dst = packet->get_destination(packet);
291 data = packet->get_data(packet);
292
293 DBG2(DBG_NET, "sending packet: from %#H to %#H", src, dst);
294
295 /* send data */
296 sport = src->get_port(src);
297 family = dst->get_family(dst);
298 if (sport == IKEV2_UDP_PORT)
299 {
300 if (family == AF_INET)
301 {
302 skt = this->ipv4;
303 }
304 else
305 {
306 skt = this->ipv6;
307 }
308 }
309 else if (sport == IKEV2_NATT_PORT)
310 {
311 if (family == AF_INET)
312 {
313 skt = this->ipv4_natt;
314 }
315 else
316 {
317 skt = this->ipv6_natt;
318 }
319 /* NAT keepalives without marker */
320 if (data.len != 1 || data.ptr[0] != 0xFF)
321 {
322 /* add non esp marker to packet */
323 if (data.len > MAX_PACKET - MARKER_LEN)
324 {
325 DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)",
326 data.len);
327 return FAILED;
328 }
329 marked = chunk_alloc(data.len + MARKER_LEN);
330 memset(marked.ptr, 0, MARKER_LEN);
331 memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
332 /* let the packet do the clean up for us */
333 packet->set_data(packet, marked);
334 data = marked;
335 }
336 }
337 else
338 {
339 DBG1(DBG_NET, "unable to locate a send socket for port %d", sport);
340 return FAILED;
341 }
342
343 memset(&msg, 0, sizeof(struct msghdr));
344 msg.msg_name = dst->get_sockaddr(dst);;
345 msg.msg_namelen = *dst->get_sockaddr_len(dst);
346 iov.iov_base = data.ptr;
347 iov.iov_len = data.len;
348 msg.msg_iov = &iov;
349 msg.msg_iovlen = 1;
350 msg.msg_flags = 0;
351
352 if (!dst->is_anyaddr(dst))
353 {
354 if (family == AF_INET)
355 {
356 char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
357 struct in_pktinfo *pktinfo;
358 struct sockaddr_in *sin;
359
360 msg.msg_control = buf;
361 msg.msg_controllen = sizeof(buf);
362 cmsg = CMSG_FIRSTHDR(&msg);
363 cmsg->cmsg_level = SOL_IP;
364 cmsg->cmsg_type = IP_PKTINFO;
365 cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
366 pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
367 memset(pktinfo, 0, sizeof(struct in_pktinfo));
368 sin = (struct sockaddr_in*)src->get_sockaddr(src);
369 memcpy(&pktinfo->ipi_spec_dst, &sin->sin_addr, sizeof(struct in_addr));
370 }
371 else
372 {
373 char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
374 struct in6_pktinfo *pktinfo;
375 struct sockaddr_in6 *sin;
376
377 msg.msg_control = buf;
378 msg.msg_controllen = sizeof(buf);
379 cmsg = CMSG_FIRSTHDR(&msg);
380 cmsg->cmsg_level = SOL_IPV6;
381 cmsg->cmsg_type = IPV6_2292PKTINFO;
382 cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
383 pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
384 memset(pktinfo, 0, sizeof(struct in6_pktinfo));
385 sin = (struct sockaddr_in6*)src->get_sockaddr(src);
386 memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
387 }
388 }
389
390 bytes_sent = sendmsg(skt, &msg, 0);
391
392 if (bytes_sent != data.len)
393 {
394 DBG1(DBG_NET, "error writing to socket: %s", strerror(errno));
395 return FAILED;
396 }
397 return SUCCESS;
398 }
399
400 /**
401 * open a socket to send packets
402 */
403 static int open_socket(private_socket_t *this, int family, u_int16_t port)
404 {
405 int on = TRUE;
406 int type = UDP_ENCAP_ESPINUDP;
407 struct sockaddr_storage addr;
408 u_int sol, ipsec_policy, pktinfo;
409 struct sadb_x_policy policy;
410 int skt;
411
412 memset(&addr, 0, sizeof(addr));
413 /* precalculate constants depending on address family */
414 switch (family)
415 {
416 case AF_INET:
417 {
418 struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
419 sin->sin_family = AF_INET;
420 sin->sin_addr.s_addr = INADDR_ANY;
421 sin->sin_port = htons(port);
422 sol = SOL_IP;
423 ipsec_policy = IP_IPSEC_POLICY;
424 pktinfo = IP_PKTINFO;
425 break;
426 }
427 case AF_INET6:
428 {
429 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
430 sin6->sin6_family = AF_INET6;
431 memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
432 sin6->sin6_port = htons(port);
433 sol = SOL_IPV6;
434 ipsec_policy = IPV6_IPSEC_POLICY;
435 pktinfo = IPV6_2292PKTINFO;
436 break;
437 }
438 default:
439 return 0;
440 }
441
442 skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
443 if (skt < 0)
444 {
445 DBG1(DBG_NET, "could not open socket: %s", strerror(errno));
446 return 0;
447 }
448 if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
449 {
450 DBG1(DBG_NET, "unable to set SO_REUSEADDR on socket: %s", strerror(errno));
451 close(skt);
452 return 0;
453 }
454
455 /* bypass IKE traffic on socket */
456 memset(&policy, 0, sizeof(policy));
457 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
458 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
459 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
460
461 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
462 if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
463 {
464 DBG1(DBG_NET, "unable to set IPSEC_POLICY on socket: %s",
465 strerror(errno));
466 close(skt);
467 return 0;
468 }
469 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
470 if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
471 {
472 DBG1(DBG_NET, "unable to set IPSEC_POLICY on socket: %s",
473 strerror(errno));
474 close(skt);
475 return 0;
476 }
477
478 /* bind the send socket */
479 if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0)
480 {
481 DBG1(DBG_NET, "unable to bind socket: %s", strerror(errno));
482 close(skt);
483 return 0;
484 }
485
486 /* get additional packet info on receive */
487 if (setsockopt(skt, sol, pktinfo, &on, sizeof(on)) < 0)
488 {
489 DBG1(DBG_NET, "unable to set IP_PKTINFO on socket: %s", strerror(errno));
490 close(skt);
491 return 0;
492 }
493
494 /* enable UDP decapsulation globally, only for one socket needed */
495 if (family == AF_INET && port == IKEV2_NATT_PORT &&
496 setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
497 {
498 DBG1(DBG_NET, "unable to set UDP_ENCAP: %s", strerror(errno));
499 }
500 return skt;
501 }
502
503 /**
504 * implementation of socket_t.destroy
505 */
506 static void destroy(private_socket_t *this)
507 {
508 if (this->ipv4)
509 {
510 close(this->ipv4);
511 }
512 if (this->ipv4_natt)
513 {
514 close(this->ipv4_natt);
515 }
516 if (this->ipv6)
517 {
518 close(this->ipv6);
519 }
520 if (this->ipv6_natt)
521 {
522 close(this->ipv6_natt);
523 }
524 free(this);
525 }
526
527 /*
528 * See header for description
529 */
530 socket_t *socket_create()
531 {
532 int key;
533 private_socket_t *this = malloc_thing(private_socket_t);
534
535 /* public functions */
536 this->public.send = (status_t(*)(socket_t*, packet_t*))sender;
537 this->public.receive = (status_t(*)(socket_t*, packet_t**))receiver;
538 this->public.destroy = (void(*)(socket_t*)) destroy;
539
540 this->ipv4 = 0;
541 this->ipv6 = 0;
542 this->ipv4_natt = 0;
543 this->ipv6_natt = 0;
544
545 /* we open a AF_KEY socket to autoload the af_key module. Otherwise
546 * setsockopt(IPSEC_POLICY) won't work. */
547 key = socket(AF_KEY, SOCK_RAW, PF_KEY_V2);
548 if (key == 0)
549 {
550 charon->kill(charon, "could not open AF_KEY socket");
551 }
552 close(key);
553
554 this->ipv4 = open_socket(this, AF_INET, IKEV2_UDP_PORT);
555 if (this->ipv4 == 0)
556 {
557 DBG1(DBG_NET, "could not open IPv4 socket, IPv4 disabled");
558 }
559 else
560 {
561 this->ipv4_natt = open_socket(this, AF_INET, IKEV2_NATT_PORT);
562 if (this->ipv4_natt == 0)
563 {
564 DBG1(DBG_NET, "could not open IPv4 NAT-T socket");
565 }
566 }
567
568 this->ipv6 = open_socket(this, AF_INET6, IKEV2_UDP_PORT);
569 if (this->ipv6 == 0)
570 {
571 DBG1(DBG_NET, "could not open IPv6 socket, IPv6 disabled");
572 }
573 else
574 {
575 this->ipv6_natt = open_socket(this, AF_INET6, IKEV2_NATT_PORT);
576 if (this->ipv6_natt == 0)
577 {
578 DBG1(DBG_NET, "could not open IPv6 NAT-T socket");
579 }
580 }
581
582 if (!this->ipv4 && !this->ipv6)
583 {
584 DBG1(DBG_NET, "could not create any sockets");
585 destroy(this);
586 charon->kill(charon, "socket initialization failed");
587 }
588 return (socket_t*)this;
589 }
590