projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Make the UDP ports charon listens for packets on (and uses as source ports) configurable.
[strongswan.git] / src / libcharon / plugins / socket_default / socket_default_socket.c
1 /*
2 * Copyright (C) 2006-2010 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2010 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /* for struct in6_pktinfo */
20 #define _GNU_SOURCE
21 #ifdef __sun
22 #define _XPG4_2
23 #define __EXTENSIONS__
24 #endif
25 /* make sure to use the proper defs on Mac OS X */
26 #define __APPLE_USE_RFC_3542
27
28 #include "socket_default_socket.h"
29
30 #include <sys/types.h>
31 #include <sys/socket.h>
32 #include <string.h>
33 #include <errno.h>
34 #include <unistd.h>
35 #include <stdlib.h>
36 #include <fcntl.h>
37 #include <sys/ioctl.h>
38 #include <netinet/in_systm.h>
39 #include <netinet/in.h>
40 #include <netinet/ip.h>
41 #include <netinet/udp.h>
42 #include <net/if.h>
43 #ifdef __APPLE__
44 #include <sys/sysctl.h>
45 #endif
46
47 #include <hydra.h>
48 #include <daemon.h>
49 #include <threading/thread.h>
50
51 /* Maximum size of a packet */
52 #define MAX_PACKET 10000
53
54 /* length of non-esp marker */
55 #define MARKER_LEN sizeof(u_int32_t)
56
57 /* from linux/udp.h */
58 #ifndef UDP_ENCAP
59 #define UDP_ENCAP 100
60 #endif /*UDP_ENCAP*/
61
62 #ifndef UDP_ENCAP_ESPINUDP
63 #define UDP_ENCAP_ESPINUDP 2
64 #endif /*UDP_ENCAP_ESPINUDP*/
65
66 /* these are not defined on some platforms */
67 #ifndef SOL_IP
68 #define SOL_IP IPPROTO_IP
69 #endif
70 #ifndef SOL_IPV6
71 #define SOL_IPV6 IPPROTO_IPV6
72 #endif
73 #ifndef SOL_UDP
74 #define SOL_UDP IPPROTO_UDP
75 #endif
76
77 /* IPV6_RECVPKTINFO is defined in RFC 3542 which obsoletes RFC 2292 that
78 * previously defined IPV6_PKTINFO */
79 #ifndef IPV6_RECVPKTINFO
80 #define IPV6_RECVPKTINFO IPV6_PKTINFO
81 #endif
82
83 #ifndef IN6ADDR_ANY_INIT
84 #define IN6ADDR_ANY_INIT {{{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}}
85 #endif
86
87 #ifndef HAVE_IN6ADDR_ANY
88 static const struct in6_addr in6addr_any = IN6ADDR_ANY_INIT;
89 #endif
90
91 typedef struct private_socket_default_socket_t private_socket_default_socket_t;
92
93 /**
94 * Private data of an socket_t object
95 */
96 struct private_socket_default_socket_t {
97
98 /**
99 * public functions
100 */
101 socket_default_socket_t public;
102
103 /**
104 * IPv4 socket (500)
105 */
106 int ipv4;
107
108 /**
109 * IPv4 socket for NATT (4500)
110 */
111 int ipv4_natt;
112
113 /**
114 * IPv6 socket (500)
115 */
116 int ipv6;
117
118 /**
119 * IPv6 socket for NATT (4500)
120 */
121 int ipv6_natt;
122
123 /**
124 * Maximum packet size to receive
125 */
126 int max_packet;
127 };
128
129 METHOD(socket_t, receiver, status_t,
130 private_socket_default_socket_t *this, packet_t **packet)
131 {
132 char buffer[this->max_packet];
133 chunk_t data;
134 packet_t *pkt;
135 host_t *source = NULL, *dest = NULL;
136 int bytes_read = 0, data_offset;
137 bool oldstate;
138
139 fd_set rfds;
140 int max_fd = 0, selected = 0;
141 u_int16_t port = 0;
142
143 FD_ZERO(&rfds);
144
145 if (this->ipv4)
146 {
147 FD_SET(this->ipv4, &rfds);
148 }
149 if (this->ipv4_natt)
150 {
151 FD_SET(this->ipv4_natt, &rfds);
152 }
153 if (this->ipv6)
154 {
155 FD_SET(this->ipv6, &rfds);
156 }
157 if (this->ipv6_natt)
158 {
159 FD_SET(this->ipv6_natt, &rfds);
160 }
161 max_fd = max(max(this->ipv4, this->ipv4_natt), max(this->ipv6, this->ipv6_natt));
162
163 DBG2(DBG_NET, "waiting for data on sockets");
164 oldstate = thread_cancelability(TRUE);
165 if (select(max_fd + 1, &rfds, NULL, NULL, NULL) <= 0)
166 {
167 thread_cancelability(oldstate);
168 return FAILED;
169 }
170 thread_cancelability(oldstate);
171
172 if (FD_ISSET(this->ipv4, &rfds))
173 {
174 port = CHARON_UDP_PORT;
175 selected = this->ipv4;
176 }
177 if (FD_ISSET(this->ipv4_natt, &rfds))
178 {
179 port = CHARON_NATT_PORT;
180 selected = this->ipv4_natt;
181 }
182 if (FD_ISSET(this->ipv6, &rfds))
183 {
184 port = CHARON_UDP_PORT;
185 selected = this->ipv6;
186 }
187 if (FD_ISSET(this->ipv6_natt, &rfds))
188 {
189 port = CHARON_NATT_PORT;
190 selected = this->ipv6_natt;
191 }
192 if (selected)
193 {
194 struct msghdr msg;
195 struct cmsghdr *cmsgptr;
196 struct iovec iov;
197 char ancillary[64];
198 union {
199 struct sockaddr_in in4;
200 struct sockaddr_in6 in6;
201 } src;
202
203 msg.msg_name = &src;
204 msg.msg_namelen = sizeof(src);
205 iov.iov_base = buffer;
206 iov.iov_len = this->max_packet;
207 msg.msg_iov = &iov;
208 msg.msg_iovlen = 1;
209 msg.msg_control = ancillary;
210 msg.msg_controllen = sizeof(ancillary);
211 msg.msg_flags = 0;
212 bytes_read = recvmsg(selected, &msg, 0);
213 if (bytes_read < 0)
214 {
215 DBG1(DBG_NET, "error reading socket: %s", strerror(errno));
216 return FAILED;
217 }
218 if (msg.msg_flags & MSG_TRUNC)
219 {
220 DBG1(DBG_NET, "receive buffer too small, packet discarded");
221 return FAILED;
222 }
223 DBG3(DBG_NET, "received packet %b", buffer, bytes_read);
224
225 if (bytes_read < MARKER_LEN)
226 {
227 DBG3(DBG_NET, "received packet too short (%d bytes)",
228 bytes_read);
229 return FAILED;
230 }
231
232 /* read ancillary data to get destination address */
233 for (cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL;
234 cmsgptr = CMSG_NXTHDR(&msg, cmsgptr))
235 {
236 if (cmsgptr->cmsg_len == 0)
237 {
238 DBG1(DBG_NET, "error reading ancillary data");
239 return FAILED;
240 }
241
242 #ifdef HAVE_IN6_PKTINFO
243 if (cmsgptr->cmsg_level == SOL_IPV6 &&
244 cmsgptr->cmsg_type == IPV6_PKTINFO)
245 {
246 struct in6_pktinfo *pktinfo;
247 pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
248 struct sockaddr_in6 dst;
249
250 memset(&dst, 0, sizeof(dst));
251 memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr));
252 dst.sin6_family = AF_INET6;
253 dst.sin6_port = htons(port);
254 dest = host_create_from_sockaddr((sockaddr_t*)&dst);
255 }
256 #endif /* HAVE_IN6_PKTINFO */
257 if (cmsgptr->cmsg_level == SOL_IP &&
258 #ifdef IP_PKTINFO
259 cmsgptr->cmsg_type == IP_PKTINFO
260 #elif defined(IP_RECVDSTADDR)
261 cmsgptr->cmsg_type == IP_RECVDSTADDR
262 #else
263 FALSE
264 #endif
265 )
266 {
267 struct in_addr *addr;
268 struct sockaddr_in dst;
269
270 #ifdef IP_PKTINFO
271 struct in_pktinfo *pktinfo;
272 pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsgptr);
273 addr = &pktinfo->ipi_addr;
274 #elif defined(IP_RECVDSTADDR)
275 addr = (struct in_addr*)CMSG_DATA(cmsgptr);
276 #endif
277 memset(&dst, 0, sizeof(dst));
278 memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr));
279
280 dst.sin_family = AF_INET;
281 dst.sin_port = htons(port);
282 dest = host_create_from_sockaddr((sockaddr_t*)&dst);
283 }
284 if (dest)
285 {
286 break;
287 }
288 }
289 if (dest == NULL)
290 {
291 DBG1(DBG_NET, "error reading IP header");
292 return FAILED;
293 }
294 source = host_create_from_sockaddr((sockaddr_t*)&src);
295
296 pkt = packet_create();
297 pkt->set_source(pkt, source);
298 pkt->set_destination(pkt, dest);
299 DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
300 data_offset = 0;
301 /* remove non esp marker */
302 if (dest->get_port(dest) == CHARON_NATT_PORT)
303 {
304 data_offset += MARKER_LEN;
305 }
306 /* fill in packet */
307 data.len = bytes_read - data_offset;
308 data.ptr = malloc(data.len);
309 memcpy(data.ptr, buffer + data_offset, data.len);
310 pkt->set_data(pkt, data);
311 }
312 else
313 {
314 /* oops, shouldn't happen */
315 return FAILED;
316 }
317 /* return packet */
318 *packet = pkt;
319 return SUCCESS;
320 }
321
322 METHOD(socket_t, sender, status_t,
323 private_socket_default_socket_t *this, packet_t *packet)
324 {
325 int sport, skt, family;
326 ssize_t bytes_sent;
327 chunk_t data, marked;
328 host_t *src, *dst;
329 struct msghdr msg;
330 struct cmsghdr *cmsg;
331 struct iovec iov;
332
333 src = packet->get_source(packet);
334 dst = packet->get_destination(packet);
335 data = packet->get_data(packet);
336
337 DBG2(DBG_NET, "sending packet: from %#H to %#H", src, dst);
338
339 /* send data */
340 sport = src->get_port(src);
341 family = dst->get_family(dst);
342 if (sport == CHARON_UDP_PORT)
343 {
344 if (family == AF_INET)
345 {
346 skt = this->ipv4;
347 }
348 else
349 {
350 skt = this->ipv6;
351 }
352 }
353 else if (sport == CHARON_NATT_PORT)
354 {
355 if (family == AF_INET)
356 {
357 skt = this->ipv4_natt;
358 }
359 else
360 {
361 skt = this->ipv6_natt;
362 }
363 /* NAT keepalives without marker */
364 if (data.len != 1 || data.ptr[0] != 0xFF)
365 {
366 /* add non esp marker to packet */
367 marked = chunk_alloc(data.len + MARKER_LEN);
368 memset(marked.ptr, 0, MARKER_LEN);
369 memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
370 /* let the packet do the clean up for us */
371 packet->set_data(packet, marked);
372 data = marked;
373 }
374 }
375 else
376 {
377 DBG1(DBG_NET, "unable to locate a send socket for port %d", sport);
378 return FAILED;
379 }
380
381 memset(&msg, 0, sizeof(struct msghdr));
382 msg.msg_name = dst->get_sockaddr(dst);;
383 msg.msg_namelen = *dst->get_sockaddr_len(dst);
384 iov.iov_base = data.ptr;
385 iov.iov_len = data.len;
386 msg.msg_iov = &iov;
387 msg.msg_iovlen = 1;
388 msg.msg_flags = 0;
389
390 if (!src->is_anyaddr(src))
391 {
392 if (family == AF_INET)
393 {
394 #if defined(IP_PKTINFO) || defined(IP_SENDSRCADDR)
395 struct in_addr *addr;
396 struct sockaddr_in *sin;
397 #ifdef IP_PKTINFO
398 char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
399 struct in_pktinfo *pktinfo;
400 #elif defined(IP_SENDSRCADDR)
401 char buf[CMSG_SPACE(sizeof(struct in_addr))];
402 #endif
403 msg.msg_control = buf;
404 msg.msg_controllen = sizeof(buf);
405 cmsg = CMSG_FIRSTHDR(&msg);
406 cmsg->cmsg_level = SOL_IP;
407 #ifdef IP_PKTINFO
408 cmsg->cmsg_type = IP_PKTINFO;
409 cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
410 pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
411 memset(pktinfo, 0, sizeof(struct in_pktinfo));
412 addr = &pktinfo->ipi_spec_dst;
413 #elif defined(IP_SENDSRCADDR)
414 cmsg->cmsg_type = IP_SENDSRCADDR;
415 cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
416 addr = (struct in_addr*)CMSG_DATA(cmsg);
417 #endif
418 sin = (struct sockaddr_in*)src->get_sockaddr(src);
419 memcpy(addr, &sin->sin_addr, sizeof(struct in_addr));
420 #endif /* IP_PKTINFO || IP_SENDSRCADDR */
421 }
422 #ifdef HAVE_IN6_PKTINFO
423 else
424 {
425 char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
426 struct in6_pktinfo *pktinfo;
427 struct sockaddr_in6 *sin;
428
429 msg.msg_control = buf;
430 msg.msg_controllen = sizeof(buf);
431 cmsg = CMSG_FIRSTHDR(&msg);
432 cmsg->cmsg_level = SOL_IPV6;
433 cmsg->cmsg_type = IPV6_PKTINFO;
434 cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
435 pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
436 memset(pktinfo, 0, sizeof(struct in6_pktinfo));
437 sin = (struct sockaddr_in6*)src->get_sockaddr(src);
438 memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
439 }
440 #endif /* HAVE_IN6_PKTINFO */
441 }
442
443 bytes_sent = sendmsg(skt, &msg, 0);
444
445 if (bytes_sent != data.len)
446 {
447 DBG1(DBG_NET, "error writing to socket: %s", strerror(errno));
448 return FAILED;
449 }
450 return SUCCESS;
451 }
452
453 /**
454 * open a socket to send and receive packets
455 */
456 static int open_socket(private_socket_default_socket_t *this,
457 int family, u_int16_t port)
458 {
459 int on = TRUE;
460 struct sockaddr_storage addr;
461 socklen_t addrlen;
462 u_int sol, pktinfo = 0;
463 int skt;
464
465 memset(&addr, 0, sizeof(addr));
466 addr.ss_family = family;
467 /* precalculate constants depending on address family */
468 switch (family)
469 {
470 case AF_INET:
471 {
472 struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
473 htoun32(&sin->sin_addr.s_addr, INADDR_ANY);
474 htoun16(&sin->sin_port, port);
475 addrlen = sizeof(struct sockaddr_in);
476 sol = SOL_IP;
477 #ifdef IP_PKTINFO
478 pktinfo = IP_PKTINFO;
479 #elif defined(IP_RECVDSTADDR)
480 pktinfo = IP_RECVDSTADDR;
481 #endif
482 break;
483 }
484 case AF_INET6:
485 {
486 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
487 memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
488 htoun16(&sin6->sin6_port, port);
489 addrlen = sizeof(struct sockaddr_in6);
490 sol = SOL_IPV6;
491 pktinfo = IPV6_RECVPKTINFO;
492 break;
493 }
494 default:
495 return 0;
496 }
497
498 skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
499 if (skt < 0)
500 {
501 DBG1(DBG_NET, "could not open socket: %s", strerror(errno));
502 return 0;
503 }
504 if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
505 {
506 DBG1(DBG_NET, "unable to set SO_REUSEADDR on socket: %s", strerror(errno));
507 close(skt);
508 return 0;
509 }
510
511 /* bind the socket */
512 if (bind(skt, (struct sockaddr *)&addr, addrlen) < 0)
513 {
514 DBG1(DBG_NET, "unable to bind socket: %s", strerror(errno));
515 close(skt);
516 return 0;
517 }
518
519 /* get additional packet info on receive */
520 if (pktinfo > 0)
521 {
522 if (setsockopt(skt, sol, pktinfo, &on, sizeof(on)) < 0)
523 {
524 DBG1(DBG_NET, "unable to set IP_PKTINFO on socket: %s", strerror(errno));
525 close(skt);
526 return 0;
527 }
528 }
529
530 if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
531 skt, family))
532 {
533 DBG1(DBG_NET, "installing IKE bypass policy failed");
534 }
535
536 #ifndef __APPLE__
537 {
538 /* enable UDP decapsulation globally, only for one socket needed */
539 int type = UDP_ENCAP_ESPINUDP;
540 if (family == AF_INET && port == CHARON_NATT_PORT &&
541 setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
542 {
543 DBG1(DBG_NET, "unable to set UDP_ENCAP: %s", strerror(errno));
544 }
545 }
546 #endif
547 return skt;
548 }
549
550 METHOD(socket_t, destroy, void,
551 private_socket_default_socket_t *this)
552 {
553 if (this->ipv4)
554 {
555 close(this->ipv4);
556 }
557 if (this->ipv4_natt)
558 {
559 close(this->ipv4_natt);
560 }
561 if (this->ipv6)
562 {
563 close(this->ipv6);
564 }
565 if (this->ipv6_natt)
566 {
567 close(this->ipv6_natt);
568 }
569 free(this);
570 }
571
572 /*
573 * See header for description
574 */
575 socket_default_socket_t *socket_default_socket_create()
576 {
577 private_socket_default_socket_t *this;
578
579 INIT(this,
580 .public = {
581 .socket = {
582 .send = _sender,
583 .receive = _receiver,
584 .destroy = _destroy,
585 },
586 },
587 .max_packet = lib->settings->get_int(lib->settings,
588 "%s.max_packet", MAX_PACKET, charon->name),
589 );
590
591 #ifdef __APPLE__
592 {
593 int natt_port = CHARON_NATT_PORT;
594 if (sysctlbyname("net.inet.ipsec.esp_port", NULL, NULL, &natt_port,
595 sizeof(natt_port)) != 0)
596 {
597 DBG1(DBG_NET, "could not set net.inet.ipsec.esp_port to %d: %s",
598 natt_port, strerror(errno));
599 }
600 }
601 #endif
602
603 this->ipv4 = open_socket(this, AF_INET, CHARON_UDP_PORT);
604 if (this->ipv4 == 0)
605 {
606 DBG1(DBG_NET, "could not open IPv4 socket, IPv4 disabled");
607 }
608 else
609 {
610 this->ipv4_natt = open_socket(this, AF_INET, CHARON_NATT_PORT);
611 if (this->ipv4_natt == 0)
612 {
613 DBG1(DBG_NET, "could not open IPv4 NAT-T socket");
614 }
615 }
616
617 this->ipv6 = open_socket(this, AF_INET6, CHARON_UDP_PORT);
618 if (this->ipv6 == 0)
619 {
620 DBG1(DBG_NET, "could not open IPv6 socket, IPv6 disabled");
621 }
622 else
623 {
624 this->ipv6_natt = open_socket(this, AF_INET6, CHARON_NATT_PORT);
625 if (this->ipv6_natt == 0)
626 {
627 DBG1(DBG_NET, "could not open IPv6 NAT-T socket");
628 }
629 }
630
631 if (!this->ipv4 && !this->ipv6)
632 {
633 DBG1(DBG_NET, "could not create any sockets");
634 destroy(this);
635 return NULL;
636 }
637 return &this->public;
638 }
639
strongSwan - IPsec VPN