Enabling UDP encapsulation via setsockopt fails on Mac OS X (it is also not required...
[strongswan.git] / src / charon / network / socket.c
1 /*
2 * Copyright (C) 2006-2009 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2007 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /* for struct in6_pktinfo */
20 #define _GNU_SOURCE
21
22 #include <pthread.h>
23 #include <sys/types.h>
24 #include <sys/socket.h>
25 #include <string.h>
26 #include <errno.h>
27 #include <unistd.h>
28 #include <stdlib.h>
29 #include <fcntl.h>
30 #include <sys/ioctl.h>
31 #include <netinet/in_systm.h>
32 #include <netinet/in.h>
33 #include <netinet/ip.h>
34 #include <netinet/ip6.h>
35 #include <netinet/udp.h>
36 #include <net/if.h>
37 #ifdef __APPLE__
38 #include <sys/sysctl.h>
39 #endif
40
41 #include "socket.h"
42
43 #include <daemon.h>
44
45 /* length of non-esp marker */
46 #define MARKER_LEN sizeof(u_int32_t)
47
48 /* from linux/udp.h */
49 #ifndef UDP_ENCAP
50 #define UDP_ENCAP 100
51 #endif /*UDP_ENCAP*/
52
53 #ifndef UDP_ENCAP_ESPINUDP
54 #define UDP_ENCAP_ESPINUDP 2
55 #endif /*UDP_ENCAP_ESPINUDP*/
56
57 /* these are not defined on some platforms */
58 #ifndef SOL_IP
59 #define SOL_IP IPPROTO_IP
60 #endif
61 #ifndef SOL_IPV6
62 #define SOL_IPV6 IPPROTO_IPV6
63 #endif
64 #ifndef SOL_UDP
65 #define SOL_UDP IPPROTO_UDP
66 #endif
67
68 /* IPV6_RECVPKTINFO is defined in RFC 3542 which obsoletes RFC 2292 that
69 * previously defined IPV6_PKTINFO */
70 #ifndef IPV6_RECVPKTINFO
71 #define IPV6_RECVPKTINFO IPV6_PKTINFO;
72 #endif
73
74
75 typedef struct private_socket_t private_socket_t;
76
77 /**
78 * Private data of an socket_t object
79 */
80 struct private_socket_t {
81 /**
82 * public functions
83 */
84 socket_t public;
85
86 /**
87 * IPv4 socket (500)
88 */
89 int ipv4;
90
91 /**
92 * IPv4 socket for NATT (4500)
93 */
94 int ipv4_natt;
95
96 /**
97 * IPv6 socket (500)
98 */
99 int ipv6;
100
101 /**
102 * IPv6 socket for NATT (4500)
103 */
104 int ipv6_natt;
105 };
106
107 /**
108 * implementation of socket_t.receive
109 */
110 static status_t receiver(private_socket_t *this, packet_t **packet)
111 {
112 char buffer[MAX_PACKET];
113 chunk_t data;
114 packet_t *pkt;
115 host_t *source = NULL, *dest = NULL;
116 int bytes_read = 0;
117 int data_offset, oldstate;
118 fd_set rfds;
119 int max_fd = 0, selected = 0;
120 u_int16_t port = 0;
121
122 FD_ZERO(&rfds);
123
124 if (this->ipv4)
125 {
126 FD_SET(this->ipv4, &rfds);
127 }
128 if (this->ipv4_natt)
129 {
130 FD_SET(this->ipv4_natt, &rfds);
131 }
132 if (this->ipv6)
133 {
134 FD_SET(this->ipv6, &rfds);
135 }
136 if (this->ipv6_natt)
137 {
138 FD_SET(this->ipv6_natt, &rfds);
139 }
140 max_fd = max(max(this->ipv4, this->ipv4_natt), max(this->ipv6, this->ipv6_natt));
141
142 DBG2(DBG_NET, "waiting for data on sockets");
143 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
144 if (select(max_fd + 1, &rfds, NULL, NULL, NULL) <= 0)
145 {
146 pthread_setcancelstate(oldstate, NULL);
147 return FAILED;
148 }
149 pthread_setcancelstate(oldstate, NULL);
150
151 if (FD_ISSET(this->ipv4, &rfds))
152 {
153 port = IKEV2_UDP_PORT;
154 selected = this->ipv4;
155 }
156 if (FD_ISSET(this->ipv4_natt, &rfds))
157 {
158 port = IKEV2_NATT_PORT;
159 selected = this->ipv4_natt;
160 }
161 if (FD_ISSET(this->ipv6, &rfds))
162 {
163 port = IKEV2_UDP_PORT;
164 selected = this->ipv6;
165 }
166 if (FD_ISSET(this->ipv6_natt, &rfds))
167 {
168 port = IKEV2_NATT_PORT;
169 selected = this->ipv6_natt;
170 }
171 if (selected)
172 {
173 struct msghdr msg;
174 struct cmsghdr *cmsgptr;
175 struct iovec iov;
176 char ancillary[64];
177 union {
178 struct sockaddr_in in4;
179 struct sockaddr_in6 in6;
180 } src;
181
182 msg.msg_name = &src;
183 msg.msg_namelen = sizeof(src);
184 iov.iov_base = buffer;
185 iov.iov_len = sizeof(buffer);
186 msg.msg_iov = &iov;
187 msg.msg_iovlen = 1;
188 msg.msg_control = ancillary;
189 msg.msg_controllen = sizeof(ancillary);
190 msg.msg_flags = 0;
191 bytes_read = recvmsg(selected, &msg, 0);
192 if (bytes_read < 0)
193 {
194 DBG1(DBG_NET, "error reading socket: %s", strerror(errno));
195 return FAILED;
196 }
197 DBG3(DBG_NET, "received packet %b", buffer, bytes_read);
198
199 if (bytes_read < MARKER_LEN)
200 {
201 DBG3(DBG_NET, "received packet too short (%d bytes)",
202 bytes_read);
203 return FAILED;
204 }
205
206 /* read ancillary data to get destination address */
207 for (cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL;
208 cmsgptr = CMSG_NXTHDR(&msg, cmsgptr))
209 {
210 if (cmsgptr->cmsg_len == 0)
211 {
212 DBG1(DBG_NET, "error reading ancillary data");
213 return FAILED;
214 }
215
216 if (cmsgptr->cmsg_level == SOL_IPV6 &&
217 cmsgptr->cmsg_type == IPV6_PKTINFO)
218 {
219 struct in6_pktinfo *pktinfo;
220 pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
221 struct sockaddr_in6 dst;
222
223 memset(&dst, 0, sizeof(dst));
224 memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr));
225 dst.sin6_family = AF_INET6;
226 dst.sin6_port = htons(port);
227 dest = host_create_from_sockaddr((sockaddr_t*)&dst);
228 }
229 if (cmsgptr->cmsg_level == SOL_IP &&
230 #ifdef IP_PKTINFO
231 cmsgptr->cmsg_type == IP_PKTINFO
232 #elif defined(IP_RECVDSTADDR)
233 cmsgptr->cmsg_type == IP_RECVDSTADDR
234 #else
235 FALSE
236 #endif
237 )
238 {
239 struct in_addr *addr;
240 struct sockaddr_in dst;
241
242 #ifdef IP_PKTINFO
243 struct in_pktinfo *pktinfo;
244 pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsgptr);
245 addr = &pktinfo->ipi_addr;
246 #elif defined(IP_RECVDSTADDR)
247 addr = (struct in_addr*)CMSG_DATA(cmsgptr);
248 #endif
249 memset(&dst, 0, sizeof(dst));
250 memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr));
251
252 dst.sin_family = AF_INET;
253 dst.sin_port = htons(port);
254 dest = host_create_from_sockaddr((sockaddr_t*)&dst);
255 }
256 if (dest)
257 {
258 break;
259 }
260 }
261 if (dest == NULL)
262 {
263 DBG1(DBG_NET, "error reading IP header");
264 return FAILED;
265 }
266 source = host_create_from_sockaddr((sockaddr_t*)&src);
267
268 pkt = packet_create();
269 pkt->set_source(pkt, source);
270 pkt->set_destination(pkt, dest);
271 DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
272 data_offset = 0;
273 /* remove non esp marker */
274 if (dest->get_port(dest) == IKEV2_NATT_PORT)
275 {
276 data_offset += MARKER_LEN;
277 }
278 /* fill in packet */
279 data.len = bytes_read - data_offset;
280 data.ptr = malloc(data.len);
281 memcpy(data.ptr, buffer + data_offset, data.len);
282 pkt->set_data(pkt, data);
283 }
284 else
285 {
286 /* oops, shouldn't happen */
287 return FAILED;
288 }
289 /* return packet */
290 *packet = pkt;
291 return SUCCESS;
292 }
293
294 /**
295 * implementation of socket_t.send
296 */
297 status_t sender(private_socket_t *this, packet_t *packet)
298 {
299 int sport, skt, family;
300 ssize_t bytes_sent;
301 chunk_t data, marked;
302 host_t *src, *dst;
303 struct msghdr msg;
304 struct cmsghdr *cmsg;
305 struct iovec iov;
306
307 src = packet->get_source(packet);
308 dst = packet->get_destination(packet);
309 data = packet->get_data(packet);
310
311 DBG2(DBG_NET, "sending packet: from %#H to %#H", src, dst);
312
313 /* send data */
314 sport = src->get_port(src);
315 family = dst->get_family(dst);
316 if (sport == IKEV2_UDP_PORT)
317 {
318 if (family == AF_INET)
319 {
320 skt = this->ipv4;
321 }
322 else
323 {
324 skt = this->ipv6;
325 }
326 }
327 else if (sport == IKEV2_NATT_PORT)
328 {
329 if (family == AF_INET)
330 {
331 skt = this->ipv4_natt;
332 }
333 else
334 {
335 skt = this->ipv6_natt;
336 }
337 /* NAT keepalives without marker */
338 if (data.len != 1 || data.ptr[0] != 0xFF)
339 {
340 /* add non esp marker to packet */
341 if (data.len > MAX_PACKET - MARKER_LEN)
342 {
343 DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)",
344 data.len);
345 return FAILED;
346 }
347 marked = chunk_alloc(data.len + MARKER_LEN);
348 memset(marked.ptr, 0, MARKER_LEN);
349 memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
350 /* let the packet do the clean up for us */
351 packet->set_data(packet, marked);
352 data = marked;
353 }
354 }
355 else
356 {
357 DBG1(DBG_NET, "unable to locate a send socket for port %d", sport);
358 return FAILED;
359 }
360
361 memset(&msg, 0, sizeof(struct msghdr));
362 msg.msg_name = dst->get_sockaddr(dst);;
363 msg.msg_namelen = *dst->get_sockaddr_len(dst);
364 iov.iov_base = data.ptr;
365 iov.iov_len = data.len;
366 msg.msg_iov = &iov;
367 msg.msg_iovlen = 1;
368 msg.msg_flags = 0;
369
370 if (!src->is_anyaddr(src))
371 {
372 if (family == AF_INET)
373 {
374 #if defined(IP_PKTINFO) || defined(IP_SENDSRCADDR)
375 struct in_addr *addr;
376 struct sockaddr_in *sin;
377 #ifdef IP_PKTINFO
378 char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
379 struct in_pktinfo *pktinfo;
380 #elif defined(IP_SENDSRCADDR)
381 char buf[CMSG_SPACE(sizeof(struct in_addr))];
382 #endif
383 msg.msg_control = buf;
384 msg.msg_controllen = sizeof(buf);
385 cmsg = CMSG_FIRSTHDR(&msg);
386 cmsg->cmsg_level = SOL_IP;
387 #ifdef IP_PKTINFO
388 cmsg->cmsg_type = IP_PKTINFO;
389 cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
390 pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
391 memset(pktinfo, 0, sizeof(struct in_pktinfo));
392 addr = &pktinfo->ipi_spec_dst;
393 #elif defined(IP_SENDSRCADDR)
394 cmsg->cmsg_type = IP_SENDSRCADDR;
395 cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
396 addr = (struct in_addr*)CMSG_DATA(cmsg);
397 #endif
398 sin = (struct sockaddr_in*)src->get_sockaddr(src);
399 memcpy(addr, &sin->sin_addr, sizeof(struct in_addr));
400 #endif /* IP_PKTINFO || IP_SENDSRCADDR */
401 }
402 else
403 {
404 char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
405 struct in6_pktinfo *pktinfo;
406 struct sockaddr_in6 *sin;
407
408 msg.msg_control = buf;
409 msg.msg_controllen = sizeof(buf);
410 cmsg = CMSG_FIRSTHDR(&msg);
411 cmsg->cmsg_level = SOL_IPV6;
412 cmsg->cmsg_type = IPV6_PKTINFO;
413 cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
414 pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
415 memset(pktinfo, 0, sizeof(struct in6_pktinfo));
416 sin = (struct sockaddr_in6*)src->get_sockaddr(src);
417 memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
418 }
419 }
420
421 bytes_sent = sendmsg(skt, &msg, 0);
422
423 if (bytes_sent != data.len)
424 {
425 DBG1(DBG_NET, "error writing to socket: %s", strerror(errno));
426 return FAILED;
427 }
428 return SUCCESS;
429 }
430
431 /**
432 * open a socket to send and receive packets
433 */
434 static int open_socket(private_socket_t *this, int family, u_int16_t port)
435 {
436 int on = TRUE;
437 struct sockaddr_storage addr;
438 socklen_t addrlen;
439 u_int sol, pktinfo = 0;
440 int skt;
441
442 memset(&addr, 0, sizeof(addr));
443 /* precalculate constants depending on address family */
444 switch (family)
445 {
446 case AF_INET:
447 {
448 struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
449 sin->sin_family = AF_INET;
450 sin->sin_addr.s_addr = INADDR_ANY;
451 sin->sin_port = htons(port);
452 addrlen = sizeof(struct sockaddr_in);
453 sol = SOL_IP;
454 #ifdef IP_PKTINFO
455 pktinfo = IP_PKTINFO;
456 #elif defined(IP_RECVDSTADDR)
457 pktinfo = IP_RECVDSTADDR;
458 #endif
459 break;
460 }
461 case AF_INET6:
462 {
463 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
464 sin6->sin6_family = AF_INET6;
465 memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
466 sin6->sin6_port = htons(port);
467 addrlen = sizeof(struct sockaddr_in6);
468 sol = SOL_IPV6;
469 pktinfo = IPV6_RECVPKTINFO;
470 break;
471 }
472 default:
473 return 0;
474 }
475
476 skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
477 if (skt < 0)
478 {
479 DBG1(DBG_NET, "could not open socket: %s", strerror(errno));
480 return 0;
481 }
482 if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
483 {
484 DBG1(DBG_NET, "unable to set SO_REUSEADDR on socket: %s", strerror(errno));
485 close(skt);
486 return 0;
487 }
488
489 /* bind the socket */
490 if (bind(skt, (struct sockaddr *)&addr, addrlen) < 0)
491 {
492 DBG1(DBG_NET, "unable to bind socket: %s", strerror(errno));
493 close(skt);
494 return 0;
495 }
496
497 /* get additional packet info on receive */
498 if (pktinfo > 0)
499 {
500 if (setsockopt(skt, sol, pktinfo, &on, sizeof(on)) < 0)
501 {
502 DBG1(DBG_NET, "unable to set IP_PKTINFO on socket: %s", strerror(errno));
503 close(skt);
504 return 0;
505 }
506 }
507
508 #ifndef __APPLE__
509 {
510 /* enable UDP decapsulation globally, only for one socket needed */
511 int type = UDP_ENCAP_ESPINUDP;
512 if (family == AF_INET && port == IKEV2_NATT_PORT &&
513 setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
514 {
515 DBG1(DBG_NET, "unable to set UDP_ENCAP: %s", strerror(errno));
516 }
517 }
518 #endif
519 return skt;
520 }
521
522 /**
523 * enumerator for underlying sockets
524 */
525 typedef struct {
526 /** implements enumerator_t */
527 enumerator_t public;
528 /** sockets we enumerate */
529 private_socket_t *socket;
530 /** counter */
531 int index;
532 } socket_enumerator_t;
533
534 /**
535 * enumerate function for socket_enumerator_t
536 */
537 static bool enumerate(socket_enumerator_t *this, int *fd, int *family, int *port)
538 {
539 static const struct {
540 int fd_offset;
541 int family;
542 int port;
543 } sockets[] = {
544 { offsetof(private_socket_t, ipv4), AF_INET, IKEV2_UDP_PORT },
545 { offsetof(private_socket_t, ipv6), AF_INET6, IKEV2_UDP_PORT },
546 { offsetof(private_socket_t, ipv4_natt), AF_INET, IKEV2_NATT_PORT },
547 { offsetof(private_socket_t, ipv6_natt), AF_INET6, IKEV2_NATT_PORT }
548 };
549
550 while(++this->index < countof(sockets))
551 {
552 int sock = *(int*)((char*)this->socket + sockets[this->index].fd_offset);
553 if (!sock)
554 {
555 continue;
556 }
557 *fd = sock;
558 *family = sockets[this->index].family;
559 *port = sockets[this->index].port;
560 return TRUE;
561 }
562 return FALSE;
563 }
564
565 /**
566 * implementation of socket_t.create_enumerator
567 */
568 static enumerator_t *create_enumerator(private_socket_t *this)
569 {
570 socket_enumerator_t *enumerator;
571
572 enumerator = malloc_thing(socket_enumerator_t);
573 enumerator->index = -1;
574 enumerator->socket = this;
575 enumerator->public.enumerate = (void*)enumerate;
576 enumerator->public.destroy = (void*)free;
577 return &enumerator->public;
578 }
579
580 /**
581 * implementation of socket_t.destroy
582 */
583 static void destroy(private_socket_t *this)
584 {
585 if (this->ipv4)
586 {
587 close(this->ipv4);
588 }
589 if (this->ipv4_natt)
590 {
591 close(this->ipv4_natt);
592 }
593 if (this->ipv6)
594 {
595 close(this->ipv6);
596 }
597 if (this->ipv6_natt)
598 {
599 close(this->ipv6_natt);
600 }
601 free(this);
602 }
603
604 /*
605 * See header for description
606 */
607 socket_t *socket_create()
608 {
609 private_socket_t *this = malloc_thing(private_socket_t);
610
611 /* public functions */
612 this->public.send = (status_t(*)(socket_t*, packet_t*))sender;
613 this->public.receive = (status_t(*)(socket_t*, packet_t**))receiver;
614 this->public.create_enumerator = (enumerator_t*(*)(socket_t*))create_enumerator;
615 this->public.destroy = (void(*)(socket_t*)) destroy;
616
617 this->ipv4 = 0;
618 this->ipv6 = 0;
619 this->ipv4_natt = 0;
620 this->ipv6_natt = 0;
621
622 #ifdef __APPLE__
623 {
624 int natt_port = IKEV2_NATT_PORT;
625 if (sysctlbyname("net.inet.ipsec.esp_port", NULL, NULL, &natt_port,
626 sizeof(natt_port)) != 0)
627 {
628 DBG1(DBG_NET, "could not set net.inet.ipsec.esp_port to %d: %s",
629 natt_port, strerror(errno));
630 }
631 }
632 #endif
633
634 this->ipv4 = open_socket(this, AF_INET, IKEV2_UDP_PORT);
635 if (this->ipv4 == 0)
636 {
637 DBG1(DBG_NET, "could not open IPv4 socket, IPv4 disabled");
638 }
639 else
640 {
641 this->ipv4_natt = open_socket(this, AF_INET, IKEV2_NATT_PORT);
642 if (this->ipv4_natt == 0)
643 {
644 DBG1(DBG_NET, "could not open IPv4 NAT-T socket");
645 }
646 }
647
648 this->ipv6 = open_socket(this, AF_INET6, IKEV2_UDP_PORT);
649 if (this->ipv6 == 0)
650 {
651 DBG1(DBG_NET, "could not open IPv6 socket, IPv6 disabled");
652 }
653 else
654 {
655 this->ipv6_natt = open_socket(this, AF_INET6, IKEV2_NATT_PORT);
656 if (this->ipv6_natt == 0)
657 {
658 DBG1(DBG_NET, "could not open IPv6 NAT-T socket");
659 }
660 }
661
662 if (!this->ipv4 && !this->ipv6)
663 {
664 DBG1(DBG_NET, "could not create any sockets");
665 destroy(this);
666 charon->kill(charon, "socket initialization failed");
667 }
668 return (socket_t*)this;
669 }
670