2 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 /* for struct in6_pktinfo */
24 #include <sys/types.h>
25 #include <sys/socket.h>
31 #include <sys/ioctl.h>
32 #include <netinet/in.h>
33 #include <netinet/ip.h>
34 #include <netinet/ip6.h>
35 #include <netinet/udp.h>
36 #include <linux/ipsec.h>
37 #include <linux/filter.h>
44 /* length of non-esp marker */
45 #define MARKER_LEN sizeof(u_int32_t)
48 #ifndef IP_IPSEC_POLICY
49 #define IP_IPSEC_POLICY 16
50 #endif /*IP_IPSEC_POLICY*/
52 /* from linux/udp.h */
57 #ifndef UDP_ENCAP_ESPINUDP
58 #define UDP_ENCAP_ESPINUDP 2
59 #endif /*UDP_ENCAP_ESPINUDP*/
61 /* needed for older kernel headers */
62 #ifndef IPV6_2292PKTINFO
63 #define IPV6_2292PKTINFO 2
64 #endif /*IPV6_2292PKTINFO*/
66 /* missing on uclibc */
67 #ifndef IPV6_IPSEC_POLICY
68 #define IPV6_IPSEC_POLICY 34
69 #endif /*IPV6_IPSEC_POLICY*/
71 typedef struct private_socket_t private_socket_t
;
74 * Private data of an socket_t object
76 struct private_socket_t
{
88 * IPv4 socket for NATT (4500)
98 * IPv6 socket for NATT (4500)
104 * implementation of socket_t.receive
106 static status_t
receiver(private_socket_t
*this, packet_t
**packet
)
108 char buffer
[MAX_PACKET
];
111 host_t
*source
= NULL
, *dest
= NULL
;
113 int data_offset
, oldstate
;
115 int max_fd
= 0, selected
= 0;
122 FD_SET(this->ipv4
, &rfds
);
126 FD_SET(this->ipv4_natt
, &rfds
);
130 FD_SET(this->ipv6
, &rfds
);
134 FD_SET(this->ipv6_natt
, &rfds
);
136 max_fd
= max(max(this->ipv4
, this->ipv4_natt
), max(this->ipv6
, this->ipv6_natt
));
138 DBG2(DBG_NET
, "waiting for data on sockets");
139 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE
, &oldstate
);
140 if (select(max_fd
+ 1, &rfds
, NULL
, NULL
, NULL
) <= 0)
142 pthread_setcancelstate(oldstate
, NULL
);
145 pthread_setcancelstate(oldstate
, NULL
);
147 if (FD_ISSET(this->ipv4
, &rfds
))
149 port
= IKEV2_UDP_PORT
;
150 selected
= this->ipv4
;
152 if (FD_ISSET(this->ipv4_natt
, &rfds
))
154 port
= IKEV2_NATT_PORT
;
155 selected
= this->ipv4_natt
;
157 if (FD_ISSET(this->ipv6
, &rfds
))
159 port
= IKEV2_UDP_PORT
;
160 selected
= this->ipv6
;
162 if (FD_ISSET(this->ipv6_natt
, &rfds
))
164 port
= IKEV2_NATT_PORT
;
165 selected
= this->ipv6_natt
;
170 struct cmsghdr
*cmsgptr
;
174 struct sockaddr_in in4
;
175 struct sockaddr_in6 in6
;
179 msg
.msg_namelen
= sizeof(src
);
180 iov
.iov_base
= buffer
;
181 iov
.iov_len
= sizeof(buffer
);
184 msg
.msg_control
= ancillary
;
185 msg
.msg_controllen
= sizeof(ancillary
);
187 bytes_read
= recvmsg(selected
, &msg
, 0);
190 DBG1(DBG_NET
, "error reading socket: %s", strerror(errno
));
193 DBG3(DBG_NET
, "received packet %b", buffer
, bytes_read
);
195 if (bytes_read
< MARKER_LEN
)
197 DBG3(DBG_NET
, "received packet too short (%d bytes)",
202 /* read ancillary data to get destination address */
203 for (cmsgptr
= CMSG_FIRSTHDR(&msg
); cmsgptr
!= NULL
;
204 cmsgptr
= CMSG_NXTHDR(&msg
, cmsgptr
))
206 if (cmsgptr
->cmsg_len
== 0)
208 DBG1(DBG_NET
, "error reading ancillary data");
212 if (cmsgptr
->cmsg_level
== SOL_IPV6
&&
213 cmsgptr
->cmsg_type
== IPV6_2292PKTINFO
)
215 struct in6_pktinfo
*pktinfo
;
216 pktinfo
= (struct in6_pktinfo
*)CMSG_DATA(cmsgptr
);
217 struct sockaddr_in6 dst
;
219 memset(&dst
, 0, sizeof(dst
));
220 memcpy(&dst
.sin6_addr
, &pktinfo
->ipi6_addr
, sizeof(dst
.sin6_addr
));
221 dst
.sin6_family
= AF_INET6
;
222 dst
.sin6_port
= htons(port
);
223 dest
= host_create_from_sockaddr((sockaddr_t
*)&dst
);
225 if (cmsgptr
->cmsg_level
== SOL_IP
&&
226 cmsgptr
->cmsg_type
== IP_PKTINFO
)
228 struct in_pktinfo
*pktinfo
;
229 pktinfo
= (struct in_pktinfo
*)CMSG_DATA(cmsgptr
);
230 struct sockaddr_in dst
;
232 memset(&dst
, 0, sizeof(dst
));
233 memcpy(&dst
.sin_addr
, &pktinfo
->ipi_addr
, sizeof(dst
.sin_addr
));
234 dst
.sin_family
= AF_INET
;
235 dst
.sin_port
= htons(port
);
236 dest
= host_create_from_sockaddr((sockaddr_t
*)&dst
);
245 DBG1(DBG_NET
, "error reading IP header");
248 source
= host_create_from_sockaddr((sockaddr_t
*)&src
);
250 pkt
= packet_create();
251 pkt
->set_source(pkt
, source
);
252 pkt
->set_destination(pkt
, dest
);
253 DBG2(DBG_NET
, "received packet: from %#H to %#H", source
, dest
);
255 /* remove non esp marker */
256 if (dest
->get_port(dest
) == IKEV2_NATT_PORT
)
258 data_offset
+= MARKER_LEN
;
261 data
.len
= bytes_read
- data_offset
;
262 data
.ptr
= malloc(data
.len
);
263 memcpy(data
.ptr
, buffer
+ data_offset
, data
.len
);
264 pkt
->set_data(pkt
, data
);
268 /* oops, shouldn't happen */
277 * implementation of socket_t.send
279 status_t
sender(private_socket_t
*this, packet_t
*packet
)
281 int sport
, skt
, family
;
283 chunk_t data
, marked
;
286 struct cmsghdr
*cmsg
;
289 src
= packet
->get_source(packet
);
290 dst
= packet
->get_destination(packet
);
291 data
= packet
->get_data(packet
);
293 DBG2(DBG_NET
, "sending packet: from %#H to %#H", src
, dst
);
296 sport
= src
->get_port(src
);
297 family
= dst
->get_family(dst
);
298 if (sport
== IKEV2_UDP_PORT
)
300 if (family
== AF_INET
)
309 else if (sport
== IKEV2_NATT_PORT
)
311 if (family
== AF_INET
)
313 skt
= this->ipv4_natt
;
317 skt
= this->ipv6_natt
;
319 /* NAT keepalives without marker */
320 if (data
.len
!= 1 || data
.ptr
[0] != 0xFF)
322 /* add non esp marker to packet */
323 if (data
.len
> MAX_PACKET
- MARKER_LEN
)
325 DBG1(DBG_NET
, "unable to send packet: it's too big (%d bytes)",
329 marked
= chunk_alloc(data
.len
+ MARKER_LEN
);
330 memset(marked
.ptr
, 0, MARKER_LEN
);
331 memcpy(marked
.ptr
+ MARKER_LEN
, data
.ptr
, data
.len
);
332 /* let the packet do the clean up for us */
333 packet
->set_data(packet
, marked
);
339 DBG1(DBG_NET
, "unable to locate a send socket for port %d", sport
);
343 memset(&msg
, 0, sizeof(struct msghdr
));
344 msg
.msg_name
= dst
->get_sockaddr(dst
);;
345 msg
.msg_namelen
= *dst
->get_sockaddr_len(dst
);
346 iov
.iov_base
= data
.ptr
;
347 iov
.iov_len
= data
.len
;
352 if (!dst
->is_anyaddr(dst
))
354 if (family
== AF_INET
)
356 char buf
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
357 struct in_pktinfo
*pktinfo
;
358 struct sockaddr_in
*sin
;
360 msg
.msg_control
= buf
;
361 msg
.msg_controllen
= sizeof(buf
);
362 cmsg
= CMSG_FIRSTHDR(&msg
);
363 cmsg
->cmsg_level
= SOL_IP
;
364 cmsg
->cmsg_type
= IP_PKTINFO
;
365 cmsg
->cmsg_len
= CMSG_LEN(sizeof(struct in_pktinfo
));
366 pktinfo
= (struct in_pktinfo
*)CMSG_DATA(cmsg
);
367 memset(pktinfo
, 0, sizeof(struct in_pktinfo
));
368 sin
= (struct sockaddr_in
*)src
->get_sockaddr(src
);
369 memcpy(&pktinfo
->ipi_spec_dst
, &sin
->sin_addr
, sizeof(struct in_addr
));
373 char buf
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
374 struct in6_pktinfo
*pktinfo
;
375 struct sockaddr_in6
*sin
;
377 msg
.msg_control
= buf
;
378 msg
.msg_controllen
= sizeof(buf
);
379 cmsg
= CMSG_FIRSTHDR(&msg
);
380 cmsg
->cmsg_level
= SOL_IPV6
;
381 cmsg
->cmsg_type
= IPV6_2292PKTINFO
;
382 cmsg
->cmsg_len
= CMSG_LEN(sizeof(struct in6_pktinfo
));
383 pktinfo
= (struct in6_pktinfo
*)CMSG_DATA(cmsg
);
384 memset(pktinfo
, 0, sizeof(struct in6_pktinfo
));
385 sin
= (struct sockaddr_in6
*)src
->get_sockaddr(src
);
386 memcpy(&pktinfo
->ipi6_addr
, &sin
->sin6_addr
, sizeof(struct in6_addr
));
390 bytes_sent
= sendmsg(skt
, &msg
, 0);
392 if (bytes_sent
!= data
.len
)
394 DBG1(DBG_NET
, "error writing to socket: %s", strerror(errno
));
401 * open a socket to send packets
403 static int open_socket(private_socket_t
*this, int family
, u_int16_t port
)
406 int type
= UDP_ENCAP_ESPINUDP
;
407 struct sockaddr_storage addr
;
408 u_int sol
, ipsec_policy
, pktinfo
;
409 struct sadb_x_policy policy
;
412 memset(&addr
, 0, sizeof(addr
));
413 /* precalculate constants depending on address family */
418 struct sockaddr_in
*sin
= (struct sockaddr_in
*)&addr
;
419 sin
->sin_family
= AF_INET
;
420 sin
->sin_addr
.s_addr
= INADDR_ANY
;
421 sin
->sin_port
= htons(port
);
423 ipsec_policy
= IP_IPSEC_POLICY
;
424 pktinfo
= IP_PKTINFO
;
429 struct sockaddr_in6
*sin6
= (struct sockaddr_in6
*)&addr
;
430 sin6
->sin6_family
= AF_INET6
;
431 memcpy(&sin6
->sin6_addr
, &in6addr_any
, sizeof(in6addr_any
));
432 sin6
->sin6_port
= htons(port
);
434 ipsec_policy
= IPV6_IPSEC_POLICY
;
435 pktinfo
= IPV6_2292PKTINFO
;
442 skt
= socket(family
, SOCK_DGRAM
, IPPROTO_UDP
);
445 DBG1(DBG_NET
, "could not open socket: %s", strerror(errno
));
448 if (setsockopt(skt
, SOL_SOCKET
, SO_REUSEADDR
, (void*)&on
, sizeof(on
)) < 0)
450 DBG1(DBG_NET
, "unable to set SO_REUSEADDR on socket: %s", strerror(errno
));
455 /* bypass IKE traffic on socket */
456 memset(&policy
, 0, sizeof(policy
));
457 policy
.sadb_x_policy_len
= sizeof(policy
) / sizeof(u_int64_t
);
458 policy
.sadb_x_policy_exttype
= SADB_X_EXT_POLICY
;
459 policy
.sadb_x_policy_type
= IPSEC_POLICY_BYPASS
;
461 policy
.sadb_x_policy_dir
= IPSEC_DIR_OUTBOUND
;
462 if (setsockopt(skt
, sol
, ipsec_policy
, &policy
, sizeof(policy
)) < 0)
464 DBG1(DBG_NET
, "unable to set IPSEC_POLICY on socket: %s",
469 policy
.sadb_x_policy_dir
= IPSEC_DIR_INBOUND
;
470 if (setsockopt(skt
, sol
, ipsec_policy
, &policy
, sizeof(policy
)) < 0)
472 DBG1(DBG_NET
, "unable to set IPSEC_POLICY on socket: %s",
478 /* bind the send socket */
479 if (bind(skt
, (struct sockaddr
*)&addr
, sizeof(addr
)) < 0)
481 DBG1(DBG_NET
, "unable to bind socket: %s", strerror(errno
));
486 /* get additional packet info on receive */
487 if (setsockopt(skt
, sol
, pktinfo
, &on
, sizeof(on
)) < 0)
489 DBG1(DBG_NET
, "unable to set IP_PKTINFO on socket: %s", strerror(errno
));
494 /* enable UDP decapsulation globally, only for one socket needed */
495 if (family
== AF_INET
&& port
== IKEV2_NATT_PORT
&&
496 setsockopt(skt
, SOL_UDP
, UDP_ENCAP
, &type
, sizeof(type
)) < 0)
498 DBG1(DBG_NET
, "unable to set UDP_ENCAP: %s", strerror(errno
));
504 * implementation of socket_t.destroy
506 static void destroy(private_socket_t
*this)
514 close(this->ipv4_natt
);
522 close(this->ipv6_natt
);
528 * See header for description
530 socket_t
*socket_create()
533 private_socket_t
*this = malloc_thing(private_socket_t
);
535 /* public functions */
536 this->public.send
= (status_t(*)(socket_t
*, packet_t
*))sender
;
537 this->public.receive
= (status_t(*)(socket_t
*, packet_t
**))receiver
;
538 this->public.destroy
= (void(*)(socket_t
*)) destroy
;
545 /* we open a AF_KEY socket to autoload the af_key module. Otherwise
546 * setsockopt(IPSEC_POLICY) won't work. */
547 key
= socket(AF_KEY
, SOCK_RAW
, PF_KEY_V2
);
550 charon
->kill(charon
, "could not open AF_KEY socket");
554 this->ipv4
= open_socket(this, AF_INET
, IKEV2_UDP_PORT
);
557 DBG1(DBG_NET
, "could not open IPv4 socket, IPv4 disabled");
561 this->ipv4_natt
= open_socket(this, AF_INET
, IKEV2_NATT_PORT
);
562 if (this->ipv4_natt
== 0)
564 DBG1(DBG_NET
, "could not open IPv4 NAT-T socket");
568 this->ipv6
= open_socket(this, AF_INET6
, IKEV2_UDP_PORT
);
571 DBG1(DBG_NET
, "could not open IPv6 socket, IPv6 disabled");
575 this->ipv6_natt
= open_socket(this, AF_INET6
, IKEV2_NATT_PORT
);
576 if (this->ipv6_natt
== 0)
578 DBG1(DBG_NET
, "could not open IPv6 NAT-T socket");
582 if (!this->ipv4
&& !this->ipv6
)
584 DBG1(DBG_NET
, "could not create any sockets");
586 charon
->kill(charon
, "socket initialization failed");
588 return (socket_t
*)this;