loading of subjectPublicKeyInfo wrapped keys using KEY_ANY (openssl format)
[strongswan.git] / src / charon / network / socket.c
1 /*
2 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 *
17 * $Id$
18 */
19
20 #include <pthread.h>
21 #include <sys/types.h>
22 #include <sys/socket.h>
23 #include <string.h>
24 #include <errno.h>
25 #include <unistd.h>
26 #include <stdlib.h>
27 #include <fcntl.h>
28 #include <sys/ioctl.h>
29 #include <netinet/in.h>
30 #include <netinet/ip.h>
31 #include <netinet/ip6.h>
32 #include <netinet/udp.h>
33 #include <linux/ipsec.h>
34 #include <linux/filter.h>
35 #include <net/if.h>
36
37 #include "socket.h"
38
39 #include <daemon.h>
40
41 /* length of non-esp marker */
42 #define MARKER_LEN sizeof(u_int32_t)
43
44 /* from linux/in.h */
45 #ifndef IP_IPSEC_POLICY
46 #define IP_IPSEC_POLICY 16
47 #endif /*IP_IPSEC_POLICY*/
48
49 /* from linux/udp.h */
50 #ifndef UDP_ENCAP
51 #define UDP_ENCAP 100
52 #endif /*UDP_ENCAP*/
53
54 #ifndef UDP_ENCAP_ESPINUDP
55 #define UDP_ENCAP_ESPINUDP 2
56 #endif /*UDP_ENCAP_ESPINUDP*/
57
58 /* needed for older kernel headers */
59 #ifndef IPV6_2292PKTINFO
60 #define IPV6_2292PKTINFO 2
61 #endif /*IPV6_2292PKTINFO*/
62
63 /* missing on uclibc */
64 #ifndef IPV6_IPSEC_POLICY
65 #define IPV6_IPSEC_POLICY 34
66 #endif /*IPV6_IPSEC_POLICY*/
67
68 typedef struct private_socket_t private_socket_t;
69
70 /**
71 * Private data of an socket_t object
72 */
73 struct private_socket_t {
74 /**
75 * public functions
76 */
77 socket_t public;
78
79 /**
80 * IPv4 socket (500)
81 */
82 int ipv4;
83
84 /**
85 * IPv4 socket for NATT (4500)
86 */
87 int ipv4_natt;
88
89 /**
90 * IPv6 socket (500)
91 */
92 int ipv6;
93
94 /**
95 * IPv6 socket for NATT (4500)
96 */
97 int ipv6_natt;
98 };
99
100 /**
101 * implementation of socket_t.receive
102 */
103 static status_t receiver(private_socket_t *this, packet_t **packet)
104 {
105 char buffer[MAX_PACKET];
106 chunk_t data;
107 packet_t *pkt;
108 host_t *source = NULL, *dest = NULL;
109 int bytes_read = 0;
110 int data_offset, oldstate;
111 fd_set rfds;
112 int max_fd = 0, selected = 0;
113 u_int16_t port;
114
115 FD_ZERO(&rfds);
116
117 if (this->ipv4)
118 {
119 FD_SET(this->ipv4, &rfds);
120 }
121 if (this->ipv4_natt)
122 {
123 FD_SET(this->ipv4_natt, &rfds);
124 }
125 if (this->ipv6)
126 {
127 FD_SET(this->ipv6, &rfds);
128 }
129 if (this->ipv6_natt)
130 {
131 FD_SET(this->ipv6_natt, &rfds);
132 }
133 max_fd = max(max(this->ipv4, this->ipv4_natt), max(this->ipv6, this->ipv6_natt));
134
135 DBG2(DBG_NET, "waiting for data on sockets");
136 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
137 if (select(max_fd + 1, &rfds, NULL, NULL, NULL) <= 0)
138 {
139 pthread_setcancelstate(oldstate, NULL);
140 return FAILED;
141 }
142 pthread_setcancelstate(oldstate, NULL);
143
144 if (FD_ISSET(this->ipv4, &rfds))
145 {
146 port = IKEV2_UDP_PORT;
147 selected = this->ipv4;
148 }
149 if (FD_ISSET(this->ipv4_natt, &rfds))
150 {
151 port = IKEV2_NATT_PORT;
152 selected = this->ipv4_natt;
153 }
154 if (FD_ISSET(this->ipv6, &rfds))
155 {
156 port = IKEV2_UDP_PORT;
157 selected = this->ipv6;
158 }
159 if (FD_ISSET(this->ipv6_natt, &rfds))
160 {
161 port = IKEV2_NATT_PORT;
162 selected = this->ipv6_natt;
163 }
164 if (selected)
165 {
166 struct msghdr msg;
167 struct cmsghdr *cmsgptr;
168 struct iovec iov;
169 char ancillary[64];
170 union {
171 struct sockaddr_in in4;
172 struct sockaddr_in6 in6;
173 } src;
174
175 msg.msg_name = &src;
176 msg.msg_namelen = sizeof(src);
177 iov.iov_base = buffer;
178 iov.iov_len = sizeof(buffer);
179 msg.msg_iov = &iov;
180 msg.msg_iovlen = 1;
181 msg.msg_control = ancillary;
182 msg.msg_controllen = sizeof(ancillary);
183 msg.msg_flags = 0;
184 bytes_read = recvmsg(selected, &msg, 0);
185 if (bytes_read < 0)
186 {
187 DBG1(DBG_NET, "error reading socket: %s", strerror(errno));
188 return FAILED;
189 }
190 DBG3(DBG_NET, "received packet %b", buffer, bytes_read);
191
192 if (bytes_read < MARKER_LEN)
193 {
194 DBG3(DBG_NET, "received packet too short (%d bytes)",
195 bytes_read);
196 return FAILED;
197 }
198
199 /* read ancillary data to get destination address */
200 for (cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL;
201 cmsgptr = CMSG_NXTHDR(&msg, cmsgptr))
202 {
203 if (cmsgptr->cmsg_len == 0)
204 {
205 DBG1(DBG_NET, "error reading ancillary data");
206 return FAILED;
207 }
208
209 if (cmsgptr->cmsg_level == SOL_IPV6 &&
210 cmsgptr->cmsg_type == IPV6_2292PKTINFO)
211 {
212 struct in6_pktinfo *pktinfo;
213 pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
214 struct sockaddr_in6 dst;
215
216 memset(&dst, 0, sizeof(dst));
217 memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr));
218 dst.sin6_family = AF_INET6;
219 dst.sin6_port = htons(port);
220 dest = host_create_from_sockaddr((sockaddr_t*)&dst);
221 }
222 if (cmsgptr->cmsg_level == SOL_IP &&
223 cmsgptr->cmsg_type == IP_PKTINFO)
224 {
225 struct in_pktinfo *pktinfo;
226 pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsgptr);
227 struct sockaddr_in dst;
228
229 memset(&dst, 0, sizeof(dst));
230 memcpy(&dst.sin_addr, &pktinfo->ipi_addr, sizeof(dst.sin_addr));
231 dst.sin_family = AF_INET;
232 dst.sin_port = htons(port);
233 dest = host_create_from_sockaddr((sockaddr_t*)&dst);
234 }
235 if (dest)
236 {
237 break;
238 }
239 }
240 if (dest == NULL)
241 {
242 DBG1(DBG_NET, "error reading IP header");
243 return FAILED;
244 }
245 source = host_create_from_sockaddr((sockaddr_t*)&src);
246
247 pkt = packet_create();
248 pkt->set_source(pkt, source);
249 pkt->set_destination(pkt, dest);
250 DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
251 data_offset = 0;
252 /* remove non esp marker */
253 if (dest->get_port(dest) == IKEV2_NATT_PORT)
254 {
255 data_offset += MARKER_LEN;
256 }
257 /* fill in packet */
258 data.len = bytes_read - data_offset;
259 data.ptr = malloc(data.len);
260 memcpy(data.ptr, buffer + data_offset, data.len);
261 pkt->set_data(pkt, data);
262 }
263 else
264 {
265 /* oops, shouldn't happen */
266 return FAILED;
267 }
268 /* return packet */
269 *packet = pkt;
270 return SUCCESS;
271 }
272
273 /**
274 * implementation of socket_t.send
275 */
276 status_t sender(private_socket_t *this, packet_t *packet)
277 {
278 int sport, skt, family;
279 ssize_t bytes_sent;
280 chunk_t data, marked;
281 host_t *src, *dst;
282 struct msghdr msg;
283 struct cmsghdr *cmsg;
284 struct iovec iov;
285
286 src = packet->get_source(packet);
287 dst = packet->get_destination(packet);
288 data = packet->get_data(packet);
289
290 DBG2(DBG_NET, "sending packet: from %#H to %#H", src, dst);
291
292 /* send data */
293 sport = src->get_port(src);
294 family = dst->get_family(dst);
295 if (sport == IKEV2_UDP_PORT)
296 {
297 if (family == AF_INET)
298 {
299 skt = this->ipv4;
300 }
301 else
302 {
303 skt = this->ipv6;
304 }
305 }
306 else if (sport == IKEV2_NATT_PORT)
307 {
308 if (family == AF_INET)
309 {
310 skt = this->ipv4_natt;
311 }
312 else
313 {
314 skt = this->ipv6_natt;
315 }
316 /* NAT keepalives without marker */
317 if (data.len != 1 || data.ptr[0] != 0xFF)
318 {
319 /* add non esp marker to packet */
320 if (data.len > MAX_PACKET - MARKER_LEN)
321 {
322 DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)",
323 data.len);
324 return FAILED;
325 }
326 marked = chunk_alloc(data.len + MARKER_LEN);
327 memset(marked.ptr, 0, MARKER_LEN);
328 memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
329 /* let the packet do the clean up for us */
330 packet->set_data(packet, marked);
331 data = marked;
332 }
333 }
334 else
335 {
336 DBG1(DBG_NET, "unable to locate a send socket for port %d", sport);
337 return FAILED;
338 }
339
340 memset(&msg, 0, sizeof(struct msghdr));
341 msg.msg_name = dst->get_sockaddr(dst);;
342 msg.msg_namelen = *dst->get_sockaddr_len(dst);
343 iov.iov_base = data.ptr;
344 iov.iov_len = data.len;
345 msg.msg_iov = &iov;
346 msg.msg_iovlen = 1;
347 msg.msg_flags = 0;
348
349 if (!dst->is_anyaddr(dst))
350 {
351 if (family == AF_INET)
352 {
353 char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
354 struct in_pktinfo *pktinfo;
355 struct sockaddr_in *sin;
356
357 msg.msg_control = buf;
358 msg.msg_controllen = sizeof(buf);
359 cmsg = CMSG_FIRSTHDR(&msg);
360 cmsg->cmsg_level = SOL_IP;
361 cmsg->cmsg_type = IP_PKTINFO;
362 cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
363 pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
364 memset(pktinfo, 0, sizeof(struct in_pktinfo));
365 sin = (struct sockaddr_in*)src->get_sockaddr(src);
366 memcpy(&pktinfo->ipi_spec_dst, &sin->sin_addr, sizeof(struct in_addr));
367 }
368 else
369 {
370 char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
371 struct in6_pktinfo *pktinfo;
372 struct sockaddr_in6 *sin;
373
374 msg.msg_control = buf;
375 msg.msg_controllen = sizeof(buf);
376 cmsg = CMSG_FIRSTHDR(&msg);
377 cmsg->cmsg_level = SOL_IPV6;
378 cmsg->cmsg_type = IPV6_2292PKTINFO;
379 cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
380 pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
381 memset(pktinfo, 0, sizeof(struct in6_pktinfo));
382 sin = (struct sockaddr_in6*)src->get_sockaddr(src);
383 memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
384 }
385 }
386
387 bytes_sent = sendmsg(skt, &msg, 0);
388
389 if (bytes_sent != data.len)
390 {
391 DBG1(DBG_NET, "error writing to socket: %s", strerror(errno));
392 return FAILED;
393 }
394 return SUCCESS;
395 }
396
397 /**
398 * open a socket to send packets
399 */
400 static int open_socket(private_socket_t *this, int family, u_int16_t port)
401 {
402 int on = TRUE;
403 int type = UDP_ENCAP_ESPINUDP;
404 struct sockaddr_storage addr;
405 u_int sol, ipsec_policy, pktinfo;
406 struct sadb_x_policy policy;
407 int skt;
408
409 memset(&addr, 0, sizeof(addr));
410 /* precalculate constants depending on address family */
411 switch (family)
412 {
413 case AF_INET:
414 {
415 struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
416 sin->sin_family = AF_INET;
417 sin->sin_addr.s_addr = INADDR_ANY;
418 sin->sin_port = htons(port);
419 sol = SOL_IP;
420 ipsec_policy = IP_IPSEC_POLICY;
421 pktinfo = IP_PKTINFO;
422 break;
423 }
424 case AF_INET6:
425 {
426 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
427 sin6->sin6_family = AF_INET6;
428 memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
429 sin6->sin6_port = htons(port);
430 sol = SOL_IPV6;
431 ipsec_policy = IPV6_IPSEC_POLICY;
432 pktinfo = IPV6_2292PKTINFO;
433 break;
434 }
435 default:
436 return 0;
437 }
438
439 skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
440 if (skt < 0)
441 {
442 DBG1(DBG_NET, "could not open socket: %s", strerror(errno));
443 return 0;
444 }
445 if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
446 {
447 DBG1(DBG_NET, "unable to set SO_REUSEADDR on socket: %s", strerror(errno));
448 close(skt);
449 return 0;
450 }
451
452 /* bypass IKE traffic on socket */
453 memset(&policy, 0, sizeof(policy));
454 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
455 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
456 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
457
458 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
459 if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
460 {
461 DBG1(DBG_NET, "unable to set IPSEC_POLICY on socket: %s",
462 strerror(errno));
463 close(skt);
464 return 0;
465 }
466 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
467 if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
468 {
469 DBG1(DBG_NET, "unable to set IPSEC_POLICY on socket: %s",
470 strerror(errno));
471 close(skt);
472 return 0;
473 }
474
475 /* bind the send socket */
476 if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0)
477 {
478 DBG1(DBG_NET, "unable to bind socket: %s", strerror(errno));
479 close(skt);
480 return 0;
481 }
482
483 /* get additional packet info on receive */
484 if (setsockopt(skt, sol, pktinfo, &on, sizeof(on)) < 0)
485 {
486 DBG1(DBG_NET, "unable to set IP_PKTINFO on socket: %s", strerror(errno));
487 close(skt);
488 return 0;
489 }
490
491 /* enable UDP decapsulation globally, only for one socket needed */
492 if (family == AF_INET && port == IKEV2_NATT_PORT &&
493 setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
494 {
495 DBG1(DBG_NET, "unable to set UDP_ENCAP: %s", strerror(errno));
496 }
497 return skt;
498 }
499
500 /**
501 * implementation of socket_t.destroy
502 */
503 static void destroy(private_socket_t *this)
504 {
505 if (this->ipv4)
506 {
507 close(this->ipv4);
508 }
509 if (this->ipv4_natt)
510 {
511 close(this->ipv4_natt);
512 }
513 if (this->ipv6)
514 {
515 close(this->ipv6);
516 }
517 if (this->ipv6_natt)
518 {
519 close(this->ipv6_natt);
520 }
521 free(this);
522 }
523
524 /*
525 * See header for description
526 */
527 socket_t *socket_create()
528 {
529 int key;
530 private_socket_t *this = malloc_thing(private_socket_t);
531
532 /* public functions */
533 this->public.send = (status_t(*)(socket_t*, packet_t*))sender;
534 this->public.receive = (status_t(*)(socket_t*, packet_t**))receiver;
535 this->public.destroy = (void(*)(socket_t*)) destroy;
536
537 this->ipv4 = 0;
538 this->ipv6 = 0;
539 this->ipv4_natt = 0;
540 this->ipv6_natt = 0;
541
542 /* we open a AF_KEY socket to autoload the af_key module. Otherwise
543 * setsockopt(IPSEC_POLICY) won't work. */
544 key = socket(AF_KEY, SOCK_RAW, PF_KEY_V2);
545 if (key == 0)
546 {
547 charon->kill(charon, "could not open AF_KEY socket");
548 }
549 close(key);
550
551 this->ipv4 = open_socket(this, AF_INET, IKEV2_UDP_PORT);
552 if (this->ipv4 == 0)
553 {
554 DBG1(DBG_NET, "could not open IPv4 socket, IPv4 disabled");
555 }
556 else
557 {
558 this->ipv4_natt = open_socket(this, AF_INET, IKEV2_NATT_PORT);
559 if (this->ipv4_natt == 0)
560 {
561 DBG1(DBG_NET, "could not open IPv4 NAT-T socket");
562 }
563 }
564
565 this->ipv6 = open_socket(this, AF_INET6, IKEV2_UDP_PORT);
566 if (this->ipv6 == 0)
567 {
568 DBG1(DBG_NET, "could not open IPv6 socket, IPv6 disabled");
569 }
570 else
571 {
572 this->ipv6_natt = open_socket(this, AF_INET6, IKEV2_NATT_PORT);
573 if (this->ipv6_natt == 0)
574 {
575 DBG1(DBG_NET, "could not open IPv6 NAT-T socket");
576 }
577 }
578
579 if (!this->ipv4 && !this->ipv6)
580 {
581 DBG1(DBG_NET, "could not create any sockets");
582 destroy(this);
583 charon->kill(charon, "socket initialization failed");
584 }
585 return (socket_t*)this;
586 }
587