Change traffic selectors during Quick Mode in case of a NAT in transport mode
[strongswan.git] / src / libcharon / plugins / socket_raw / socket_raw_socket.c
1 /*
2 * Copyright (C) 2006-2012 Tobias Brunner
3 * Copyright (C) 2005-2010 Martin Willi
4 * Copyright (C) 2006 Daniel Roethlisberger
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /* for struct in6_pktinfo */
20 #define _GNU_SOURCE
21
22 #include "socket_raw_socket.h"
23
24 #include <sys/types.h>
25 #include <sys/socket.h>
26 #include <string.h>
27 #include <errno.h>
28 #include <unistd.h>
29 #include <stdlib.h>
30 #include <fcntl.h>
31 #include <sys/ioctl.h>
32 #include <netinet/in.h>
33 #include <netinet/ip.h>
34 #include <netinet/udp.h>
35 #include <linux/types.h>
36 #include <linux/filter.h>
37 #include <net/if.h>
38
39 #include <hydra.h>
40 #include <daemon.h>
41 #include <threading/thread.h>
42
43 /* Maximum size of a packet */
44 #define MAX_PACKET 10000
45
46 /* constants for packet handling */
47 #define IP_LEN sizeof(struct iphdr)
48 #define IP6_LEN sizeof(struct ip6_hdr)
49 #define UDP_LEN sizeof(struct udphdr)
50 #define MARKER_LEN sizeof(u_int32_t)
51
52 /* offsets for packet handling */
53 #define IP_PROTO_OFFSET 9
54 #define IP6_PROTO_OFFSET 6
55 #define IKE_VERSION_OFFSET 17
56 #define IKE_LENGTH_OFFSET 24
57
58 /* needed for older kernel headers */
59 #ifndef IPV6_2292PKTINFO
60 #define IPV6_2292PKTINFO 2
61 #endif /*IPV6_2292PKTINFO*/
62
63 typedef struct private_socket_raw_socket_t private_socket_raw_socket_t;
64
65 /**
66 * Private data of an socket_t object
67 */
68 struct private_socket_raw_socket_t {
69
70 /**
71 * public functions
72 */
73 socket_raw_socket_t public;
74
75 /**
76 * regular port
77 */
78 int port;
79
80 /**
81 * port used for nat-t
82 */
83 int natt_port;
84
85 /**
86 * raw receiver socket for IPv4
87 */
88 int recv4;
89
90 /**
91 * raw receiver socket for IPv6
92 */
93 int recv6;
94
95 /**
96 * send socket on regular port for IPv4
97 */
98 int send4;
99
100 /**
101 * send socket on regular port for IPv6
102 */
103 int send6;
104
105 /**
106 * send socket on nat-t port for IPv4
107 */
108 int send4_natt;
109
110 /**
111 * send socket on nat-t port for IPv6
112 */
113 int send6_natt;
114
115 /**
116 * Maximum packet size to receive
117 */
118 int max_packet;
119 };
120
121 METHOD(socket_t, receiver, status_t,
122 private_socket_raw_socket_t *this, packet_t **packet)
123 {
124 char buffer[this->max_packet];
125 chunk_t data;
126 packet_t *pkt;
127 struct udphdr *udp;
128 host_t *source = NULL, *dest = NULL;
129 int bytes_read = 0, data_offset;
130 bool oldstate;
131 fd_set rfds;
132
133 FD_ZERO(&rfds);
134
135 if (this->recv4)
136 {
137 FD_SET(this->recv4, &rfds);
138 }
139 if (this->recv6)
140 {
141 FD_SET(this->recv6, &rfds);
142 }
143
144 DBG2(DBG_NET, "waiting for data on raw sockets");
145
146 oldstate = thread_cancelability(TRUE);
147 if (select(max(this->recv4, this->recv6) + 1, &rfds, NULL, NULL, NULL) <= 0)
148 {
149 thread_cancelability(oldstate);
150 return FAILED;
151 }
152 thread_cancelability(oldstate);
153
154 if (this->recv4 && FD_ISSET(this->recv4, &rfds))
155 {
156 /* IPv4 raw sockets return the IP header. We read src/dest
157 * information directly from the raw header */
158 struct iphdr *ip;
159 struct sockaddr_in src, dst;
160
161 bytes_read = recv(this->recv4, buffer, this->max_packet, 0);
162 if (bytes_read < 0)
163 {
164 DBG1(DBG_NET, "error reading from IPv4 socket: %s", strerror(errno));
165 return FAILED;
166 }
167 if (bytes_read == this->max_packet)
168 {
169 DBG1(DBG_NET, "receive buffer too small, packet discarded");
170 return FAILED;
171 }
172 DBG3(DBG_NET, "received IPv4 packet %b", buffer, bytes_read);
173
174 /* read source/dest from raw IP/UDP header */
175 if (bytes_read < IP_LEN + UDP_LEN)
176 {
177 DBG1(DBG_NET, "received IPv4 packet too short (%d bytes)",
178 bytes_read);
179 return FAILED;
180 }
181 ip = (struct iphdr*) buffer;
182 udp = (struct udphdr*) (buffer + IP_LEN);
183 src.sin_family = AF_INET;
184 src.sin_addr.s_addr = ip->saddr;
185 src.sin_port = udp->source;
186 dst.sin_family = AF_INET;
187 dst.sin_addr.s_addr = ip->daddr;
188 dst.sin_port = udp->dest;
189 source = host_create_from_sockaddr((sockaddr_t*)&src);
190 dest = host_create_from_sockaddr((sockaddr_t*)&dst);
191
192 pkt = packet_create();
193 pkt->set_source(pkt, source);
194 pkt->set_destination(pkt, dest);
195 DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
196 data_offset = IP_LEN + UDP_LEN;
197 data.len = bytes_read - data_offset;
198 data.ptr = buffer + data_offset;
199 pkt->set_data(pkt, chunk_clone(data));
200 }
201 else if (this->recv6 && FD_ISSET(this->recv6, &rfds))
202 {
203 /* IPv6 raw sockets return no IP header. We must query
204 * src/dest via socket options/ancillary data */
205 struct msghdr msg;
206 struct cmsghdr *cmsgptr;
207 struct sockaddr_in6 src, dst;
208 struct iovec iov;
209 char ancillary[64];
210
211 msg.msg_name = &src;
212 msg.msg_namelen = sizeof(src);
213 iov.iov_base = buffer;
214 iov.iov_len = this->max_packet;
215 msg.msg_iov = &iov;
216 msg.msg_iovlen = 1;
217 msg.msg_control = ancillary;
218 msg.msg_controllen = sizeof(ancillary);
219 msg.msg_flags = 0;
220
221 bytes_read = recvmsg(this->recv6, &msg, 0);
222 if (bytes_read < 0)
223 {
224 DBG1(DBG_NET, "error reading from IPv6 socket: %s", strerror(errno));
225 return FAILED;
226 }
227 DBG3(DBG_NET, "received IPv6 packet %b", buffer, bytes_read);
228
229 if (bytes_read < IP_LEN + UDP_LEN)
230 {
231 DBG3(DBG_NET, "received IPv6 packet too short (%d bytes)",
232 bytes_read);
233 return FAILED;
234 }
235
236 /* read ancillary data to get destination address */
237 for (cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL;
238 cmsgptr = CMSG_NXTHDR(&msg, cmsgptr))
239 {
240 if (cmsgptr->cmsg_len == 0)
241 {
242 DBG1(DBG_NET, "error reading IPv6 ancillary data");
243 return FAILED;
244 }
245
246 #ifdef HAVE_IN6_PKTINFO
247 if (cmsgptr->cmsg_level == SOL_IPV6 &&
248 cmsgptr->cmsg_type == IPV6_2292PKTINFO)
249 {
250 struct in6_pktinfo *pktinfo;
251 pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
252
253 memset(&dst, 0, sizeof(dst));
254 memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr));
255 dst.sin6_family = AF_INET6;
256 udp = (struct udphdr*) (buffer);
257 dst.sin6_port = udp->dest;
258 src.sin6_port = udp->source;
259 dest = host_create_from_sockaddr((sockaddr_t*)&dst);
260 }
261 #endif /* HAVE_IN6_PKTINFO */
262 }
263 /* ancillary data missing? */
264 if (dest == NULL)
265 {
266 DBG1(DBG_NET, "error reading IPv6 packet header");
267 return FAILED;
268 }
269
270 source = host_create_from_sockaddr((sockaddr_t*)&src);
271
272 pkt = packet_create();
273 pkt->set_source(pkt, source);
274 pkt->set_destination(pkt, dest);
275 DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
276 data_offset = UDP_LEN;
277 data.len = bytes_read - data_offset;
278 data.ptr = buffer + data_offset;
279 pkt->set_data(pkt, chunk_clone(data));
280 }
281 else
282 {
283 /* oops, shouldn't happen */
284 return FAILED;
285 }
286
287 /* return packet */
288 *packet = pkt;
289 return SUCCESS;
290 }
291
292 METHOD(socket_t, sender, status_t,
293 private_socket_raw_socket_t *this, packet_t *packet)
294 {
295 int sport, skt, family;
296 ssize_t bytes_sent;
297 chunk_t data;
298 host_t *src, *dst;
299 struct msghdr msg;
300 struct cmsghdr *cmsg;
301 struct iovec iov;
302
303 src = packet->get_source(packet);
304 dst = packet->get_destination(packet);
305 data = packet->get_data(packet);
306
307 DBG2(DBG_NET, "sending packet: from %#H to %#H", src, dst);
308
309 /* send data */
310 sport = src->get_port(src);
311 family = dst->get_family(dst);
312 if (sport == 0 || sport == CHARON_UDP_PORT)
313 {
314 if (family == AF_INET)
315 {
316 skt = this->send4;
317 }
318 else
319 {
320 skt = this->send6;
321 }
322 }
323 else if (sport == CHARON_NATT_PORT)
324 {
325 if (family == AF_INET)
326 {
327 skt = this->send4_natt;
328 }
329 else
330 {
331 skt = this->send6_natt;
332 }
333 }
334 else
335 {
336 DBG1(DBG_NET, "unable to locate a send socket for port %d", sport);
337 return FAILED;
338 }
339
340 memset(&msg, 0, sizeof(struct msghdr));
341 msg.msg_name = dst->get_sockaddr(dst);;
342 msg.msg_namelen = *dst->get_sockaddr_len(dst);
343 iov.iov_base = data.ptr;
344 iov.iov_len = data.len;
345 msg.msg_iov = &iov;
346 msg.msg_iovlen = 1;
347 msg.msg_flags = 0;
348
349 if (!src->is_anyaddr(src))
350 {
351 if (family == AF_INET)
352 {
353 char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
354 struct in_pktinfo *pktinfo;
355 struct sockaddr_in *sin;
356
357 msg.msg_control = buf;
358 msg.msg_controllen = sizeof(buf);
359 cmsg = CMSG_FIRSTHDR(&msg);
360 cmsg->cmsg_level = SOL_IP;
361 cmsg->cmsg_type = IP_PKTINFO;
362 cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
363 pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
364 memset(pktinfo, 0, sizeof(struct in_pktinfo));
365 sin = (struct sockaddr_in*)src->get_sockaddr(src);
366 memcpy(&pktinfo->ipi_spec_dst, &sin->sin_addr, sizeof(struct in_addr));
367 }
368 #ifdef HAVE_IN6_PKTINFO
369 else
370 {
371 char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
372 struct in6_pktinfo *pktinfo;
373 struct sockaddr_in6 *sin;
374
375 msg.msg_control = buf;
376 msg.msg_controllen = sizeof(buf);
377 cmsg = CMSG_FIRSTHDR(&msg);
378 cmsg->cmsg_level = SOL_IPV6;
379 cmsg->cmsg_type = IPV6_2292PKTINFO;
380 cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
381 pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
382 memset(pktinfo, 0, sizeof(struct in6_pktinfo));
383 sin = (struct sockaddr_in6*)src->get_sockaddr(src);
384 memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
385 }
386 #endif /* HAVE_IN6_PKTINFO */
387 }
388
389 bytes_sent = sendmsg(skt, &msg, 0);
390
391 if (bytes_sent != data.len)
392 {
393 DBG1(DBG_NET, "error writing to socket: %s", strerror(errno));
394 return FAILED;
395 }
396 return SUCCESS;
397 }
398
399 /**
400 * open a socket to send packets
401 */
402 static int open_send_socket(private_socket_raw_socket_t *this,
403 int family, u_int16_t port)
404 {
405 int on = TRUE;
406 struct sockaddr_storage addr;
407 int skt;
408
409 memset(&addr, 0, sizeof(addr));
410 addr.ss_family = family;
411 /* precalculate constants depending on address family */
412 switch (family)
413 {
414 case AF_INET:
415 {
416 struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
417 htoun32(&sin->sin_addr.s_addr, INADDR_ANY);
418 htoun16(&sin->sin_port, port);
419 break;
420 }
421 case AF_INET6:
422 {
423 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
424 memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
425 htoun16(&sin6->sin6_port, port);
426 break;
427 }
428 default:
429 return 0;
430 }
431
432 skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
433 if (skt < 0)
434 {
435 DBG1(DBG_NET, "could not open send socket: %s", strerror(errno));
436 return 0;
437 }
438
439 if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
440 {
441 DBG1(DBG_NET, "unable to set SO_REUSEADDR on send socket: %s",
442 strerror(errno));
443 close(skt);
444 return 0;
445 }
446
447 /* bind the send socket */
448 if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0)
449 {
450 DBG1(DBG_NET, "unable to bind send socket: %s",
451 strerror(errno));
452 close(skt);
453 return 0;
454 }
455
456 if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
457 skt, family))
458 {
459 DBG1(DBG_NET, "installing bypass policy on send socket failed");
460 }
461
462 /* enable UDP decapsulation for NAT-T sockets */
463 if (port == CHARON_NATT_PORT &&
464 !hydra->kernel_interface->enable_udp_decap(hydra->kernel_interface,
465 skt, family, port))
466 {
467 DBG1(DBG_NET, "enabling UDP decapsulation failed");
468 }
469
470 return skt;
471 }
472
473 METHOD(socket_t, get_port, u_int16_t,
474 private_socket_raw_socket_t *this, bool nat_t)
475 {
476 return nat_t ? CHARON_NATT_PORT : CHARON_UDP_PORT;
477 }
478
479 /**
480 * open a socket to receive packets
481 */
482 static int open_recv_socket(private_socket_raw_socket_t *this, int family)
483 {
484 int skt;
485 int on = TRUE;
486 u_int ip_len, sol, udp_header, ike_header;
487
488 /* precalculate constants depending on address family */
489 switch (family)
490 {
491 case AF_INET:
492 ip_len = IP_LEN;
493 sol = SOL_IP;
494 break;
495 case AF_INET6:
496 ip_len = 0; /* IPv6 raw sockets contain no IP header */
497 sol = SOL_IPV6;
498 break;
499 default:
500 return 0;
501 }
502 udp_header = ip_len;
503 ike_header = ip_len + UDP_LEN;
504
505 /* This filter code filters out all non-IKEv2 traffic on
506 * a SOCK_RAW IP_PROTP_UDP socket. Handling of other
507 * IKE versions is done in pluto.
508 */
509 struct sock_filter ikev2_filter_code[] =
510 {
511 /* Destination Port must be either port or natt_port */
512 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, udp_header + 2),
513 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, CHARON_UDP_PORT, 1, 0),
514 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, CHARON_NATT_PORT, 6, 14),
515 /* port */
516 /* IKE version must be 2.x */
517 BPF_STMT(BPF_LD+BPF_B+BPF_ABS, ike_header + IKE_VERSION_OFFSET),
518 BPF_STMT(BPF_ALU+BPF_RSH+BPF_K, 4),
519 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 2, 0, 11),
520 /* packet length is length in IKEv2 header + ip header + udp header */
521 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header + IKE_LENGTH_OFFSET),
522 BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, ip_len + UDP_LEN),
523 BPF_STMT(BPF_RET+BPF_A, 0),
524 /* natt_port */
525 /* nat-t: check for marker */
526 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header),
527 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 6),
528 /* nat-t: IKE version must be 2.x */
529 BPF_STMT(BPF_LD+BPF_B+BPF_ABS, ike_header + MARKER_LEN + IKE_VERSION_OFFSET),
530 BPF_STMT(BPF_ALU+BPF_RSH+BPF_K, 4),
531 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 2, 0, 3),
532 /* nat-t: packet length is length in IKEv2 header + ip header + udp header + non esp marker */
533 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header + MARKER_LEN + IKE_LENGTH_OFFSET),
534 BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, ip_len + UDP_LEN + MARKER_LEN),
535 BPF_STMT(BPF_RET+BPF_A, 0),
536 /* packet doesn't match, ignore */
537 BPF_STMT(BPF_RET+BPF_K, 0),
538 };
539
540 /* Filter struct to use with setsockopt */
541 struct sock_fprog ikev2_filter = {
542 sizeof(ikev2_filter_code) / sizeof(struct sock_filter),
543 ikev2_filter_code
544 };
545
546 /* set up a raw socket */
547 skt = socket(family, SOCK_RAW, IPPROTO_UDP);
548 if (skt < 0)
549 {
550 DBG1(DBG_NET, "unable to create raw socket: %s", strerror(errno));
551 return 0;
552 }
553
554 if (setsockopt(skt, SOL_SOCKET, SO_ATTACH_FILTER,
555 &ikev2_filter, sizeof(ikev2_filter)) < 0)
556 {
557 DBG1(DBG_NET, "unable to attach IKEv2 filter to raw socket: %s",
558 strerror(errno));
559 close(skt);
560 return 0;
561 }
562
563 if (family == AF_INET6 &&
564 /* we use IPV6_2292PKTINFO, as IPV6_PKTINFO is defined as
565 * 2 or 50 depending on kernel header version */
566 setsockopt(skt, sol, IPV6_2292PKTINFO, &on, sizeof(on)) < 0)
567 {
568 DBG1(DBG_NET, "unable to set IPV6_PKTINFO on raw socket: %s",
569 strerror(errno));
570 close(skt);
571 return 0;
572 }
573
574 if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
575 skt, family))
576 {
577 DBG1(DBG_NET, "installing bypass policy on receive socket failed");
578 }
579
580 return skt;
581 }
582
583 METHOD(socket_t, destroy, void,
584 private_socket_raw_socket_t *this)
585 {
586 if (this->recv4)
587 {
588 close(this->recv4);
589 }
590 if (this->recv6)
591 {
592 close(this->recv6);
593 }
594 if (this->send4)
595 {
596 close(this->send4);
597 }
598 if (this->send6)
599 {
600 close(this->send6);
601 }
602 if (this->send4_natt)
603 {
604 close(this->send4_natt);
605 }
606 if (this->send6_natt)
607 {
608 close(this->send6_natt);
609 }
610 free(this);
611 }
612
613 /*
614 * See header for description
615 */
616 socket_raw_socket_t *socket_raw_socket_create()
617 {
618 private_socket_raw_socket_t *this;
619
620 INIT(this,
621 .public = {
622 .socket = {
623 .send = _sender,
624 .receive = _receiver,
625 .get_port = _get_port,
626 .destroy = _destroy,
627 },
628 },
629 .max_packet = lib->settings->get_int(lib->settings,
630 "%s.max_packet", MAX_PACKET, charon->name),
631 );
632
633 this->recv4 = open_recv_socket(this, AF_INET);
634 if (this->recv4 == 0)
635 {
636 DBG1(DBG_NET, "could not open IPv4 receive socket, IPv4 disabled");
637 }
638 else
639 {
640 this->send4 = open_send_socket(this, AF_INET, CHARON_UDP_PORT);
641 if (this->send4 == 0)
642 {
643 DBG1(DBG_NET, "could not open IPv4 send socket, IPv4 disabled");
644 close(this->recv4);
645 }
646 else
647 {
648 this->send4_natt = open_send_socket(this, AF_INET, CHARON_NATT_PORT);
649 if (this->send4_natt == 0)
650 {
651 DBG1(DBG_NET, "could not open IPv4 NAT-T send socket");
652 }
653 }
654 }
655
656 this->recv6 = open_recv_socket(this, AF_INET6);
657 if (this->recv6 == 0)
658 {
659 DBG1(DBG_NET, "could not open IPv6 receive socket, IPv6 disabled");
660 }
661 else
662 {
663 this->send6 = open_send_socket(this, AF_INET6, CHARON_UDP_PORT);
664 if (this->send6 == 0)
665 {
666 DBG1(DBG_NET, "could not open IPv6 send socket, IPv6 disabled");
667 close(this->recv6);
668 }
669 else
670 {
671 this->send6_natt = open_send_socket(this, AF_INET6, CHARON_NATT_PORT);
672 if (this->send6_natt == 0)
673 {
674 DBG1(DBG_NET, "could not open IPv6 NAT-T send socket");
675 }
676 }
677 }
678
679 if (!(this->send4 || this->send6) || !(this->recv4 || this->recv6))
680 {
681 DBG1(DBG_NET, "could not create any sockets");
682 destroy(this);
683 return NULL;
684 }
685
686 return &this->public;
687 }