projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
dhcp: Only use DHCP server port if explicitly configured
[strongswan.git] / src / libcharon / plugins / dhcp / dhcp_socket.c
1 /*
2 * Copyright (C) 2012-2018 Tobias Brunner
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * Copyright (C) 2010 Martin Willi
6 * Copyright (C) 2010 revosec AG
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "dhcp_socket.h"
20
21 #include <unistd.h>
22 #include <errno.h>
23 #include <string.h>
24 #include <netinet/in.h>
25 #include <netinet/ip.h>
26 #include <netinet/udp.h>
27 #include <linux/if_arp.h>
28 #include <linux/if_ether.h>
29 #include <linux/filter.h>
30
31 #include <collections/linked_list.h>
32 #include <utils/identification.h>
33 #include <threading/mutex.h>
34 #include <threading/condvar.h>
35 #include <threading/thread.h>
36
37 #include <daemon.h>
38 #include <processing/jobs/callback_job.h>
39
40 #define DHCP_SERVER_PORT 67
41 #define DHCP_CLIENT_PORT 68
42 #define DHCP_TRIES 5
43
44 typedef struct private_dhcp_socket_t private_dhcp_socket_t;
45
46 /**
47 * Private data of an dhcp_socket_t object.
48 */
49 struct private_dhcp_socket_t {
50
51 /**
52 * Public dhcp_socket_t interface.
53 */
54 dhcp_socket_t public;
55
56 /**
57 * Random number generator
58 */
59 rng_t *rng;
60
61 /**
62 * List of transactions in DISCOVER
63 */
64 linked_list_t *discover;
65
66 /**
67 * List of transactions in REQUEST
68 */
69 linked_list_t *request;
70
71 /**
72 * List of successfully completed transactions
73 */
74 linked_list_t *completed;
75
76 /**
77 * Lock for transactions
78 */
79 mutex_t *mutex;
80
81 /**
82 * Condvar to wait for transaction completion
83 */
84 condvar_t *condvar;
85
86 /**
87 * Threads waiting in condvar
88 */
89 int waiting;
90
91 /**
92 * DHCP send socket
93 */
94 int send;
95
96 /**
97 * DHCP receive socket
98 */
99 int receive;
100
101 /**
102 * Do we use per-identity or random leases (and MAC addresses)
103 */
104 bool identity_lease;
105
106 /**
107 * DHCP server address, or broadcast
108 */
109 host_t *dst;
110
111 /**
112 * Force configured destination address
113 */
114 bool force_dst;
115 };
116
117 /**
118 * DHCP opcode (or BOOTP actually)
119 */
120 typedef enum {
121 BOOTREQUEST = 1,
122 BOOTREPLY = 2,
123 } dhcp_opcode_t;
124
125 /**
126 * Some DHCP options used
127 */
128 typedef enum {
129 DHCP_DNS_SERVER = 6,
130 DHCP_HOST_NAME = 12,
131 DHCP_NBNS_SERVER = 44,
132 DHCP_REQUESTED_IP = 50,
133 DHCP_MESSAGE_TYPE = 53,
134 DHCP_SERVER_ID = 54,
135 DHCP_PARAM_REQ_LIST = 55,
136 DHCP_CLIENT_ID = 61,
137 DHCP_OPTEND = 255,
138 } dhcp_option_type_t;
139
140 /**
141 * DHCP messages types in the DHCP_MESSAGE_TYPE option
142 */
143 typedef enum {
144 DHCP_DISCOVER = 1,
145 DHCP_OFFER = 2,
146 DHCP_REQUEST = 3,
147 DHCP_DECLINE = 4,
148 DHCP_ACK = 5,
149 DHCP_NAK = 6,
150 DHCP_RELEASE = 7,
151 DHCP_INFORM = 8,
152 } dhcp_message_type_t;
153 /**
154 * DHCP option encoding, a TLV
155 */
156 typedef struct __attribute__((packed)) {
157 uint8_t type;
158 uint8_t len;
159 char data[];
160 } dhcp_option_t;
161
162 /**
163 * DHCP message format, with a minimum size options buffer
164 */
165 typedef struct __attribute__((packed)) {
166 uint8_t opcode;
167 uint8_t hw_type;
168 uint8_t hw_addr_len;
169 uint8_t hop_count;
170 uint32_t transaction_id;
171 uint16_t number_of_seconds;
172 uint16_t flags;
173 uint32_t client_address;
174 uint32_t your_address;
175 uint32_t server_address;
176 uint32_t gateway_address;
177 char client_hw_addr[6];
178 char client_hw_padding[10];
179 char server_hostname[64];
180 char boot_filename[128];
181 uint32_t magic_cookie;
182 u_char options[308];
183 } dhcp_t;
184
185 /**
186 * Check if the given address equals the broadcast address
187 */
188 static inline bool is_broadcast(host_t *host)
189 {
190 chunk_t broadcast = chunk_from_chars(0xFF,0xFF,0xFF,0xFF);
191
192 return chunk_equals(broadcast, host->get_address(host));
193 }
194
195 /**
196 * Prepare a DHCP message for a given transaction
197 */
198 static int prepare_dhcp(private_dhcp_socket_t *this,
199 dhcp_transaction_t *transaction,
200 dhcp_message_type_t type, dhcp_t *dhcp)
201 {
202 chunk_t chunk;
203 identification_t *identity;
204 dhcp_option_t *option;
205 int optlen = 0, remaining;
206 host_t *src;
207 uint32_t id;
208
209 memset(dhcp, 0, sizeof(*dhcp));
210 dhcp->opcode = BOOTREQUEST;
211 dhcp->hw_type = ARPHRD_ETHER;
212 dhcp->hw_addr_len = 6;
213 dhcp->transaction_id = transaction->get_id(transaction);
214 if (is_broadcast(this->dst))
215 {
216 /* Set broadcast flag to get broadcasted replies, as we actually
217 * do not own the MAC we request an address for. */
218 dhcp->flags = htons(0x8000);
219 /* TODO: send with 0.0.0.0 source address */
220 }
221 else
222 {
223 /* act as relay agent */
224 src = charon->kernel->get_source_addr(charon->kernel, this->dst, NULL);
225 if (src)
226 {
227 memcpy(&dhcp->gateway_address, src->get_address(src).ptr,
228 sizeof(dhcp->gateway_address));
229 src->destroy(src);
230 }
231 }
232
233 identity = transaction->get_identity(transaction);
234 chunk = identity->get_encoding(identity);
235 /* magic bytes, a locally administered unicast MAC */
236 dhcp->client_hw_addr[0] = 0x7A;
237 dhcp->client_hw_addr[1] = 0xA7;
238 /* with ID specific postfix */
239 if (this->identity_lease)
240 {
241 id = htonl(chunk_hash_static(chunk));
242 }
243 else
244 {
245 id = transaction->get_id(transaction);
246 }
247 memcpy(&dhcp->client_hw_addr[2], &id, sizeof(id));
248
249 dhcp->magic_cookie = htonl(0x63825363);
250
251 option = (dhcp_option_t*)&dhcp->options[optlen];
252 option->type = DHCP_MESSAGE_TYPE;
253 option->len = 1;
254 option->data[0] = type;
255 optlen += sizeof(dhcp_option_t) + option->len;
256
257 /* the REQUEST message has the most static overhead in the 'options' field
258 * with 17 bytes */
259 remaining = sizeof(dhcp->options) - optlen - 17;
260
261 if (identity->get_type(identity) == ID_FQDN)
262 {
263 option = (dhcp_option_t*)&dhcp->options[optlen];
264 option->type = DHCP_HOST_NAME;
265 option->len = min(min(chunk.len, remaining-sizeof(dhcp_option_t)), 255);
266 memcpy(option->data, chunk.ptr, option->len);
267 optlen += sizeof(dhcp_option_t) + option->len;
268 remaining -= sizeof(dhcp_option_t) + option->len;
269 }
270
271 if (this->identity_lease &&
272 remaining >= sizeof(dhcp_option_t) + 2)
273 {
274 option = (dhcp_option_t*)&dhcp->options[optlen];
275 option->type = DHCP_CLIENT_ID;
276 option->len = min(min(chunk.len, remaining-sizeof(dhcp_option_t)), 255);
277 memcpy(option->data, chunk.ptr, option->len);
278 optlen += sizeof(dhcp_option_t) + option->len;
279 }
280 return optlen;
281 }
282
283 /**
284 * Send a DHCP message with given options length
285 */
286 static bool send_dhcp(private_dhcp_socket_t *this,
287 dhcp_transaction_t *transaction, dhcp_t *dhcp, int optlen)
288 {
289 host_t *dst;
290 ssize_t len;
291
292 dst = transaction->get_server(transaction);
293 if (!dst || this->force_dst)
294 {
295 dst = this->dst;
296 }
297 len = offsetof(dhcp_t, magic_cookie) + optlen + 4;
298 return sendto(this->send, dhcp, len, 0, dst->get_sockaddr(dst),
299 *dst->get_sockaddr_len(dst)) == len;
300 }
301
302 /**
303 * Send DHCP discover using a given transaction
304 */
305 static bool discover(private_dhcp_socket_t *this,
306 dhcp_transaction_t *transaction)
307 {
308 dhcp_option_t *option;
309 dhcp_t dhcp;
310 int optlen;
311
312 optlen = prepare_dhcp(this, transaction, DHCP_DISCOVER, &dhcp);
313
314 DBG1(DBG_CFG, "sending DHCP DISCOVER to %H", this->dst);
315
316 option = (dhcp_option_t*)&dhcp.options[optlen];
317 option->type = DHCP_PARAM_REQ_LIST;
318 option->len = 2;
319 option->data[0] = DHCP_DNS_SERVER;
320 option->data[1] = DHCP_NBNS_SERVER;
321 optlen += sizeof(dhcp_option_t) + option->len;
322
323 dhcp.options[optlen++] = DHCP_OPTEND;
324
325 if (!send_dhcp(this, transaction, &dhcp, optlen))
326 {
327 DBG1(DBG_CFG, "sending DHCP DISCOVER failed: %s", strerror(errno));
328 return FALSE;
329 }
330 return TRUE;
331 }
332
333 /**
334 * Send DHCP request using a given transaction
335 */
336 static bool request(private_dhcp_socket_t *this,
337 dhcp_transaction_t *transaction)
338 {
339 dhcp_option_t *option;
340 dhcp_t dhcp;
341 host_t *offer, *server;
342 chunk_t chunk;
343 int optlen;
344
345 optlen = prepare_dhcp(this, transaction, DHCP_REQUEST, &dhcp);
346
347 offer = transaction->get_address(transaction);
348 server = transaction->get_server(transaction);
349 if (!offer || !server)
350 {
351 return FALSE;
352 }
353 DBG1(DBG_CFG, "sending DHCP REQUEST for %H to %H", offer, server);
354
355 option = (dhcp_option_t*)&dhcp.options[optlen];
356 option->type = DHCP_REQUESTED_IP;
357 option->len = 4;
358 chunk = offer->get_address(offer);
359 memcpy(option->data, chunk.ptr, min(chunk.len, option->len));
360 optlen += sizeof(dhcp_option_t) + option->len;
361
362 option = (dhcp_option_t*)&dhcp.options[optlen];
363 option->type = DHCP_SERVER_ID;
364 option->len = 4;
365 chunk = server->get_address(server);
366 memcpy(option->data, chunk.ptr, min(chunk.len, option->len));
367 optlen += sizeof(dhcp_option_t) + option->len;
368
369 option = (dhcp_option_t*)&dhcp.options[optlen];
370 option->type = DHCP_PARAM_REQ_LIST;
371 option->len = 2;
372 option->data[0] = DHCP_DNS_SERVER;
373 option->data[1] = DHCP_NBNS_SERVER;
374 optlen += sizeof(dhcp_option_t) + option->len;
375
376 dhcp.options[optlen++] = DHCP_OPTEND;
377
378 if (!send_dhcp(this, transaction, &dhcp, optlen))
379 {
380 DBG1(DBG_CFG, "sending DHCP REQUEST failed: %s", strerror(errno));
381 return FALSE;
382 }
383 return TRUE;
384 }
385
386 METHOD(dhcp_socket_t, enroll, dhcp_transaction_t*,
387 private_dhcp_socket_t *this, identification_t *identity)
388 {
389 dhcp_transaction_t *transaction;
390 uint32_t id;
391 int try;
392
393 if (!this->rng->get_bytes(this->rng, sizeof(id), (uint8_t*)&id))
394 {
395 DBG1(DBG_CFG, "DHCP DISCOVER failed, no transaction ID");
396 return NULL;
397 }
398 transaction = dhcp_transaction_create(id, identity);
399
400 this->mutex->lock(this->mutex);
401 this->discover->insert_last(this->discover, transaction);
402 try = 1;
403 while (try <= DHCP_TRIES && discover(this, transaction))
404 {
405 if (!this->condvar->timed_wait(this->condvar, this->mutex, 1000 * try) &&
406 this->request->find_first(this->request, NULL, (void**)&transaction))
407 {
408 break;
409 }
410 try++;
411 }
412 if (this->discover->remove(this->discover, transaction, NULL))
413 { /* no OFFER received */
414 this->mutex->unlock(this->mutex);
415 transaction->destroy(transaction);
416 DBG1(DBG_CFG, "DHCP DISCOVER timed out");
417 return NULL;
418 }
419
420 try = 1;
421 while (try <= DHCP_TRIES && request(this, transaction))
422 {
423 if (!this->condvar->timed_wait(this->condvar, this->mutex, 1000 * try) &&
424 this->completed->remove(this->completed, transaction, NULL))
425 {
426 break;
427 }
428 try++;
429 }
430 if (this->request->remove(this->request, transaction, NULL))
431 { /* no ACK received */
432 this->mutex->unlock(this->mutex);
433 transaction->destroy(transaction);
434 DBG1(DBG_CFG, "DHCP REQUEST timed out");
435 return NULL;
436 }
437 this->mutex->unlock(this->mutex);
438
439 return transaction;
440 }
441
442 METHOD(dhcp_socket_t, release, void,
443 private_dhcp_socket_t *this, dhcp_transaction_t *transaction)
444 {
445 dhcp_option_t *option;
446 dhcp_t dhcp;
447 host_t *release, *server;
448 chunk_t chunk;
449 int optlen;
450
451 optlen = prepare_dhcp(this, transaction, DHCP_RELEASE, &dhcp);
452
453 release = transaction->get_address(transaction);
454 server = transaction->get_server(transaction);
455 if (!release || !server)
456 {
457 return;
458 }
459 DBG1(DBG_CFG, "sending DHCP RELEASE for %H to %H", release, server);
460
461 chunk = release->get_address(release);
462 memcpy((char*)&dhcp.client_address, chunk.ptr,
463 min(chunk.len, sizeof(dhcp.client_address)));
464
465 option = (dhcp_option_t*)&dhcp.options[optlen];
466 option->type = DHCP_SERVER_ID;
467 option->len = 4;
468 chunk = server->get_address(server);
469 memcpy(option->data, chunk.ptr, min(chunk.len, option->len));
470 optlen += sizeof(dhcp_option_t) + option->len;
471
472 dhcp.options[optlen++] = DHCP_OPTEND;
473
474 if (!send_dhcp(this, transaction, &dhcp, optlen))
475 {
476 DBG1(DBG_CFG, "sending DHCP RELEASE failed: %s", strerror(errno));
477 }
478 }
479
480 /**
481 * Handle a DHCP OFFER
482 */
483 static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen)
484 {
485 dhcp_transaction_t *transaction = NULL;
486 enumerator_t *enumerator;
487 host_t *offer, *server = NULL;
488
489 offer = host_create_from_chunk(AF_INET,
490 chunk_from_thing(dhcp->your_address), 0);
491
492 this->mutex->lock(this->mutex);
493 enumerator = this->discover->create_enumerator(this->discover);
494 while (enumerator->enumerate(enumerator, &transaction))
495 {
496 if (transaction->get_id(transaction) == dhcp->transaction_id)
497 {
498 this->discover->remove_at(this->discover, enumerator);
499 this->request->insert_last(this->request, transaction);
500 break;
501 }
502 }
503 enumerator->destroy(enumerator);
504
505 if (transaction)
506 {
507 int optsize, optpos = 0, pos;
508 dhcp_option_t *option;
509
510 while (optlen > sizeof(dhcp_option_t))
511 {
512 option = (dhcp_option_t*)&dhcp->options[optpos];
513 optsize = sizeof(dhcp_option_t) + option->len;
514 if (option->type == DHCP_OPTEND || optlen < optsize)
515 {
516 break;
517 }
518 if (option->type == DHCP_DNS_SERVER ||
519 option->type == DHCP_NBNS_SERVER)
520 {
521 for (pos = 0; pos + 4 <= option->len; pos += 4)
522 {
523 transaction->add_attribute(transaction, option->type ==
524 DHCP_DNS_SERVER ? INTERNAL_IP4_DNS : INTERNAL_IP4_NBNS,
525 chunk_create((char*)&option->data[pos], 4));
526 }
527 }
528 if (!server && option->type == DHCP_SERVER_ID && option->len == 4)
529 {
530 server = host_create_from_chunk(AF_INET,
531 chunk_create(option->data, 4), DHCP_SERVER_PORT);
532 }
533 optlen -= optsize;
534 optpos += optsize;
535 }
536 if (!server)
537 {
538 server = host_create_from_chunk(AF_INET,
539 chunk_from_thing(dhcp->server_address), DHCP_SERVER_PORT);
540 }
541 DBG1(DBG_CFG, "received DHCP OFFER %H from %H", offer, server);
542 transaction->set_address(transaction, offer->clone(offer));
543 transaction->set_server(transaction, server);
544 }
545 this->mutex->unlock(this->mutex);
546 this->condvar->broadcast(this->condvar);
547 offer->destroy(offer);
548 }
549
550 /**
551 * Handle a DHCP ACK
552 */
553 static void handle_ack(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen)
554 {
555 dhcp_transaction_t *transaction;
556 enumerator_t *enumerator;
557 host_t *offer;
558
559 offer = host_create_from_chunk(AF_INET,
560 chunk_from_thing(dhcp->your_address), 0);
561
562 this->mutex->lock(this->mutex);
563 enumerator = this->request->create_enumerator(this->request);
564 while (enumerator->enumerate(enumerator, &transaction))
565 {
566 if (transaction->get_id(transaction) == dhcp->transaction_id)
567 {
568 DBG1(DBG_CFG, "received DHCP ACK for %H", offer);
569 this->request->remove_at(this->request, enumerator);
570 this->completed->insert_last(this->completed, transaction);
571 break;
572 }
573 }
574 enumerator->destroy(enumerator);
575 this->mutex->unlock(this->mutex);
576 this->condvar->broadcast(this->condvar);
577 offer->destroy(offer);
578 }
579
580 /**
581 * Receive DHCP responses
582 */
583 static bool receive_dhcp(private_dhcp_socket_t *this, int fd,
584 watcher_event_t event)
585 {
586 struct sockaddr_ll addr;
587 socklen_t addr_len = sizeof(addr);
588 struct __attribute__((packed)) {
589 struct iphdr ip;
590 struct udphdr udp;
591 dhcp_t dhcp;
592 } packet;
593 int optlen, origoptlen, optsize, optpos = 0;
594 ssize_t len;
595 dhcp_option_t *option;
596
597 len = recvfrom(fd, &packet, sizeof(packet), MSG_DONTWAIT,
598 (struct sockaddr*)&addr, &addr_len);
599
600 if (len >= sizeof(struct iphdr) + sizeof(struct udphdr) +
601 offsetof(dhcp_t, options))
602 {
603 origoptlen = optlen = len - sizeof(struct iphdr) +
604 sizeof(struct udphdr) + offsetof(dhcp_t, options);
605 while (optlen > sizeof(dhcp_option_t))
606 {
607 option = (dhcp_option_t*)&packet.dhcp.options[optpos];
608 optsize = sizeof(dhcp_option_t) + option->len;
609 if (option->type == DHCP_OPTEND || optlen < optsize)
610 {
611 break;
612 }
613 if (option->type == DHCP_MESSAGE_TYPE && option->len == 1)
614 {
615 switch (option->data[0])
616 {
617 case DHCP_OFFER:
618 handle_offer(this, &packet.dhcp, origoptlen);
619 break;
620 case DHCP_ACK:
621 handle_ack(this, &packet.dhcp, origoptlen);
622 default:
623 break;
624 }
625 break;
626 }
627 optlen -= optsize;
628 optpos += optsize;
629 }
630 }
631 return TRUE;
632 }
633
634 METHOD(dhcp_socket_t, destroy, void,
635 private_dhcp_socket_t *this)
636 {
637 while (this->waiting)
638 {
639 this->condvar->signal(this->condvar);
640 }
641 if (this->send > 0)
642 {
643 close(this->send);
644 }
645 if (this->receive > 0)
646 {
647 lib->watcher->remove(lib->watcher, this->receive);
648 close(this->receive);
649 }
650 this->mutex->destroy(this->mutex);
651 this->condvar->destroy(this->condvar);
652 this->discover->destroy_offset(this->discover,
653 offsetof(dhcp_transaction_t, destroy));
654 this->request->destroy_offset(this->request,
655 offsetof(dhcp_transaction_t, destroy));
656 this->completed->destroy_offset(this->completed,
657 offsetof(dhcp_transaction_t, destroy));
658 DESTROY_IF(this->rng);
659 DESTROY_IF(this->dst);
660 free(this);
661 }
662
663 /**
664 * Bind a socket to a particular interface name
665 */
666 static bool bind_to_device(int fd, char *iface)
667 {
668 struct ifreq ifreq;
669
670 if (strlen(iface) > sizeof(ifreq.ifr_name))
671 {
672 DBG1(DBG_CFG, "name for DHCP interface too long: '%s'", iface);
673 return FALSE;
674 }
675 memcpy(ifreq.ifr_name, iface, sizeof(ifreq.ifr_name));
676 if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, &ifreq, sizeof(ifreq)))
677 {
678 DBG1(DBG_CFG, "binding DHCP socket to '%s' failed: %s",
679 iface, strerror(errno));
680 return FALSE;
681 }
682 return TRUE;
683 }
684
685 /**
686 * See header
687 */
688 dhcp_socket_t *dhcp_socket_create()
689 {
690 private_dhcp_socket_t *this;
691 struct sockaddr_in src = {
692 .sin_family = AF_INET,
693 .sin_port = htons(DHCP_CLIENT_PORT),
694 .sin_addr = {
695 .s_addr = INADDR_ANY,
696 },
697 };
698 char *iface;
699 int on = 1, rcvbuf = 0;
700 struct sock_filter dhcp_filter_code[] = {
701 BPF_STMT(BPF_LD+BPF_B+BPF_ABS,
702 offsetof(struct iphdr, protocol)),
703 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IPPROTO_UDP, 0, 16),
704 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, sizeof(struct iphdr) +
705 offsetof(struct udphdr, source)),
706 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, DHCP_SERVER_PORT, 0, 14),
707 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, sizeof(struct iphdr) +
708 offsetof(struct udphdr, dest)),
709 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, DHCP_CLIENT_PORT, 2, 0),
710 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, DHCP_SERVER_PORT, 1, 0),
711 BPF_JUMP(BPF_JMP+BPF_JA, 10, 0, 0),
712 BPF_STMT(BPF_LD+BPF_B+BPF_ABS, sizeof(struct iphdr) +
713 sizeof(struct udphdr) + offsetof(dhcp_t, opcode)),
714 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, BOOTREPLY, 0, 8),
715 BPF_STMT(BPF_LD+BPF_B+BPF_ABS, sizeof(struct iphdr) +
716 sizeof(struct udphdr) + offsetof(dhcp_t, hw_type)),
717 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARPHRD_ETHER, 0, 6),
718 BPF_STMT(BPF_LD+BPF_B+BPF_ABS, sizeof(struct iphdr) +
719 sizeof(struct udphdr) + offsetof(dhcp_t, hw_addr_len)),
720 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 6, 0, 4),
721 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, sizeof(struct iphdr) +
722 sizeof(struct udphdr) + offsetof(dhcp_t, magic_cookie)),
723 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x63825363, 0, 2),
724 BPF_STMT(BPF_LD+BPF_W+BPF_LEN, 0),
725 BPF_STMT(BPF_RET+BPF_A, 0),
726 BPF_STMT(BPF_RET+BPF_K, 0),
727 };
728 struct sock_fprog dhcp_filter = {
729 sizeof(dhcp_filter_code) / sizeof(struct sock_filter),
730 dhcp_filter_code,
731 };
732
733 INIT(this,
734 .public = {
735 .enroll = _enroll,
736 .release = _release,
737 .destroy = _destroy,
738 },
739 .rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
740 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
741 .condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
742 .discover = linked_list_create(),
743 .request = linked_list_create(),
744 .completed = linked_list_create(),
745 );
746
747 if (!this->rng)
748 {
749 DBG1(DBG_CFG, "unable to create RNG");
750 destroy(this);
751 return NULL;
752 }
753 this->identity_lease = lib->settings->get_bool(lib->settings,
754 "%s.plugins.dhcp.identity_lease", FALSE,
755 lib->ns);
756 this->force_dst = lib->settings->get_str(lib->settings,
757 "%s.plugins.dhcp.force_server_address", FALSE,
758 lib->ns);
759 this->dst = host_create_from_string(lib->settings->get_str(lib->settings,
760 "%s.plugins.dhcp.server", "255.255.255.255",
761 lib->ns), DHCP_SERVER_PORT);
762 iface = lib->settings->get_str(lib->settings, "%s.plugins.dhcp.interface",
763 NULL, lib->ns);
764 if (!this->dst)
765 {
766 DBG1(DBG_CFG, "configured DHCP server address invalid");
767 destroy(this);
768 return NULL;
769 }
770
771 this->send = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
772 if (this->send == -1)
773 {
774 DBG1(DBG_CFG, "unable to create DHCP send socket: %s", strerror(errno));
775 destroy(this);
776 return NULL;
777 }
778 if (setsockopt(this->send, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1)
779 {
780 DBG1(DBG_CFG, "unable to reuse DHCP socket address: %s", strerror(errno));
781 destroy(this);
782 return NULL;
783 }
784 if (setsockopt(this->send, SOL_SOCKET, SO_BROADCAST, &on, sizeof(on)) == -1)
785 {
786 DBG1(DBG_CFG, "unable to broadcast on DHCP socket: %s", strerror(errno));
787 destroy(this);
788 return NULL;
789 }
790 /* we won't read any data from this socket, so reduce the buffer to save
791 * some memory (there is some minimum, still try 0, though).
792 * note that we might steal some packets from other processes if e.g. a DHCP
793 * client (or server) is running on the same host, but by reducing the
794 * buffer size the impact should be minimized */
795 if (setsockopt(this->send, SOL_SOCKET, SO_RCVBUF, &rcvbuf,
796 sizeof(rcvbuf)) == -1)
797 {
798 DBG1(DBG_CFG, "unable to reduce receive buffer on DHCP send socket: %s",
799 strerror(errno));
800 destroy(this);
801 return NULL;
802 }
803 if (!is_broadcast(this->dst) &&
804 lib->settings->get_bool(lib->settings,
805 "%s.plugins.dhcp.use_server_port", FALSE,
806 lib->ns))
807 {
808 /* when setting giaddr (which we do when we don't broadcast), the server
809 * should respond to the server port on that IP, according to RFC 2131,
810 * section 4.1. while we do receive such messages via raw socket, the
811 * kernel will respond with an ICMP port unreachable if there is no
812 * socket bound to that port, which might be problematic with certain
813 * DHCP servers. instead of opening an additional socket, that we don't
814 * actually use, we can also just send our requests from port 67.
815 * we don't do this by default, as it might cause conflicts with DHCP
816 * servers running on the same host */
817 src.sin_port = htons(DHCP_SERVER_PORT);
818 }
819 if (bind(this->send, (struct sockaddr*)&src, sizeof(src)) == -1)
820 {
821 DBG1(DBG_CFG, "unable to bind DHCP send socket: %s", strerror(errno));
822 destroy(this);
823 return NULL;
824 }
825
826 this->receive = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_IP));
827 if (this->receive == -1)
828 {
829 DBG1(DBG_NET, "opening DHCP receive socket failed: %s", strerror(errno));
830 destroy(this);
831 return NULL;
832 }
833 if (setsockopt(this->receive, SOL_SOCKET, SO_ATTACH_FILTER,
834 &dhcp_filter, sizeof(dhcp_filter)) < 0)
835 {
836 DBG1(DBG_CFG, "installing DHCP socket filter failed: %s",
837 strerror(errno));
838 destroy(this);
839 return NULL;
840 }
841 if (iface)
842 {
843 if (!bind_to_device(this->send, iface) ||
844 !bind_to_device(this->receive, iface))
845 {
846 destroy(this);
847 return NULL;
848 }
849 }
850
851 lib->watcher->add(lib->watcher, this->receive, WATCHER_READ,
852 (watcher_cb_t)receive_dhcp, this);
853
854 return &this->public;
855 }
strongSwan - IPsec VPN