Annotation of embedaddon/ipsec-tools/src/racoon/sockmisc.c, revision 1.1
1.1 ! misho 1: /* $NetBSD: sockmisc.c,v 1.19 2011/03/14 17:18:13 tteras Exp $ */
! 2:
! 3: /* Id: sockmisc.c,v 1.24 2006/05/07 21:32:59 manubsd Exp */
! 4:
! 5: /*
! 6: * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
! 7: * All rights reserved.
! 8: *
! 9: * Redistribution and use in source and binary forms, with or without
! 10: * modification, are permitted provided that the following conditions
! 11: * are met:
! 12: * 1. Redistributions of source code must retain the above copyright
! 13: * notice, this list of conditions and the following disclaimer.
! 14: * 2. Redistributions in binary form must reproduce the above copyright
! 15: * notice, this list of conditions and the following disclaimer in the
! 16: * documentation and/or other materials provided with the distribution.
! 17: * 3. Neither the name of the project nor the names of its contributors
! 18: * may be used to endorse or promote products derived from this software
! 19: * without specific prior written permission.
! 20: *
! 21: * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
! 22: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
! 23: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
! 24: * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
! 25: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
! 26: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
! 27: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
! 28: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
! 29: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
! 30: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
! 31: * SUCH DAMAGE.
! 32: */
! 33:
! 34: #include "config.h"
! 35:
! 36: #include <sys/types.h>
! 37: #include <sys/param.h>
! 38: #include <sys/socket.h>
! 39: #include <sys/uio.h>
! 40:
! 41: #include <netinet/in.h>
! 42: #include PATH_IPSEC_H
! 43:
! 44: #if defined(INET6) && !defined(INET6_ADVAPI) && \
! 45: defined(IP_RECVDSTADDR) && !defined(IPV6_RECVDSTADDR)
! 46: #define IPV6_RECVDSTADDR IP_RECVDSTADDR
! 47: #endif
! 48:
! 49: #include <stdlib.h>
! 50: #include <stdio.h>
! 51: #include <string.h>
! 52: #include <errno.h>
! 53: #ifdef HAVE_UNISTD_H
! 54: #include <unistd.h>
! 55: #endif
! 56:
! 57: #include "var.h"
! 58: #include "misc.h"
! 59: #include "vmbuf.h"
! 60: #include "plog.h"
! 61: #include "sockmisc.h"
! 62: #include "debug.h"
! 63: #include "gcmalloc.h"
! 64: #include "debugrm.h"
! 65: #include "libpfkey.h"
! 66: #include "isakmp_var.h"
! 67:
! 68: #ifdef NOUSE_PRIVSEP
! 69: #define BIND bind
! 70: #define SOCKET socket
! 71: #define SETSOCKOPT setsockopt
! 72: #else
! 73: #include "admin.h"
! 74: #include "privsep.h"
! 75: #define BIND privsep_bind
! 76: #define SOCKET privsep_socket
! 77: #define SETSOCKOPT privsep_setsockopt
! 78: #endif
! 79:
! 80: const int niflags = 0;
! 81:
! 82: /*
! 83: * compare two sockaddr with port, taking care wildcard.
! 84: * addr1 is a subject address, addr2 is in a database entry.
! 85: * OUT: 0: equal.
! 86: * 1: not equal.
! 87: */
! 88: int
! 89: cmpsaddr(addr1, addr2)
! 90: const struct sockaddr *addr1;
! 91: const struct sockaddr *addr2;
! 92: {
! 93: caddr_t sa1, sa2;
! 94: u_short port1 = IPSEC_PORT_ANY;
! 95: u_short port2 = IPSEC_PORT_ANY;
! 96:
! 97: if (addr1 == NULL && addr2 == NULL)
! 98: return CMPSADDR_MATCH;
! 99:
! 100: if (addr1 == NULL || addr2 == NULL)
! 101: return CMPSADDR_MISMATCH;
! 102:
! 103: if (addr1->sa_family != addr2->sa_family ||
! 104: sysdep_sa_len(addr1) != sysdep_sa_len(addr2))
! 105: return CMPSADDR_MISMATCH;
! 106:
! 107: switch (addr1->sa_family) {
! 108: case AF_UNSPEC:
! 109: break;
! 110: case AF_INET:
! 111: sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
! 112: sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
! 113: port1 = ((struct sockaddr_in *)addr1)->sin_port;
! 114: port2 = ((struct sockaddr_in *)addr2)->sin_port;
! 115: if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
! 116: return CMPSADDR_MISMATCH;
! 117: break;
! 118: #ifdef INET6
! 119: case AF_INET6:
! 120: sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
! 121: sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
! 122: port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
! 123: port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
! 124: if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
! 125: return CMPSADDR_MISMATCH;
! 126: if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
! 127: ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
! 128: return CMPSADDR_MISMATCH;
! 129: break;
! 130: #endif
! 131: default:
! 132: return CMPSADDR_MISMATCH;
! 133: }
! 134:
! 135: if (port1 == port2)
! 136: return CMPSADDR_MATCH;
! 137:
! 138: if (port1 == IPSEC_PORT_ANY ||
! 139: port2 == IPSEC_PORT_ANY)
! 140: return CMPSADDR_WILDPORT_MATCH;
! 141:
! 142: return CMPSADDR_WOP_MATCH;
! 143: }
! 144:
! 145: /* get local address against the destination. */
! 146: struct sockaddr *
! 147: getlocaladdr(remote)
! 148: struct sockaddr *remote;
! 149: {
! 150: struct sockaddr *local;
! 151: u_int local_len = sizeof(struct sockaddr_storage);
! 152: int s; /* for dummy connection */
! 153:
! 154: /* allocate buffer */
! 155: if ((local = racoon_calloc(1, local_len)) == NULL) {
! 156: plog(LLV_ERROR, LOCATION, NULL,
! 157: "failed to get address buffer.\n");
! 158: goto err;
! 159: }
! 160:
! 161: /* get real interface received packet */
! 162: if ((s = SOCKET(remote->sa_family, SOCK_DGRAM, 0)) < 0) {
! 163: plog(LLV_ERROR, LOCATION, NULL,
! 164: "socket (%s)\n", strerror(errno));
! 165: goto err;
! 166: }
! 167:
! 168: setsockopt_bypass(s, remote->sa_family);
! 169:
! 170: if (connect(s, remote, sysdep_sa_len(remote)) < 0) {
! 171: plog(LLV_ERROR, LOCATION, NULL,
! 172: "connect (%s)\n", strerror(errno));
! 173: close(s);
! 174: goto err;
! 175: }
! 176:
! 177: if (getsockname(s, local, &local_len) < 0) {
! 178: plog(LLV_ERROR, LOCATION, NULL,
! 179: "getsockname (%s)\n", strerror(errno));
! 180: close(s);
! 181: return NULL;
! 182: }
! 183:
! 184: close(s);
! 185: return local;
! 186:
! 187: err:
! 188: if (local != NULL)
! 189: racoon_free(local);
! 190: return NULL;
! 191: }
! 192:
! 193: /*
! 194: * Receive packet, with src/dst information. It is assumed that necessary
! 195: * setsockopt() have already performed on socket.
! 196: */
! 197: int
! 198: recvfromto(s, buf, buflen, flags, from, fromlen, to, tolen)
! 199: int s;
! 200: void *buf;
! 201: size_t buflen;
! 202: int flags;
! 203: struct sockaddr *from;
! 204: socklen_t *fromlen;
! 205: struct sockaddr *to;
! 206: u_int *tolen;
! 207: {
! 208: int otolen;
! 209: socklen_t slen;
! 210: int len;
! 211: union sockaddr_any sa;
! 212: struct msghdr m;
! 213: struct cmsghdr *cm;
! 214: struct iovec iov[2];
! 215: u_char cmsgbuf[256];
! 216: #if defined(INET6) && defined(INET6_ADVAPI)
! 217: struct in6_pktinfo *pi;
! 218: #endif /*INET6_ADVAPI*/
! 219: struct sockaddr_in *sin;
! 220: #ifdef INET6
! 221: struct sockaddr_in6 *sin6;
! 222: #endif
! 223:
! 224: slen = sizeof(sa);
! 225: if (getsockname(s, &sa.sa, &slen) < 0) {
! 226: plog(LLV_ERROR, LOCATION, NULL,
! 227: "getsockname (%s)\n", strerror(errno));
! 228: return -1;
! 229: }
! 230:
! 231: m.msg_name = (caddr_t)from;
! 232: m.msg_namelen = *fromlen;
! 233: iov[0].iov_base = (caddr_t)buf;
! 234: iov[0].iov_len = buflen;
! 235: m.msg_iov = iov;
! 236: m.msg_iovlen = 1;
! 237: memset(cmsgbuf, 0, sizeof(cmsgbuf));
! 238: cm = (struct cmsghdr *)cmsgbuf;
! 239: m.msg_control = (caddr_t)cm;
! 240: m.msg_controllen = sizeof(cmsgbuf);
! 241: if ((len = recvmsg(s, &m, flags)) < 0) {
! 242: plog(LLV_ERROR, LOCATION, NULL,
! 243: "recvmsg (%s)\n", strerror(errno));
! 244: return -1;
! 245: }
! 246: *fromlen = m.msg_namelen;
! 247:
! 248: otolen = *tolen;
! 249: *tolen = 0;
! 250: for (cm = (struct cmsghdr *)CMSG_FIRSTHDR(&m);
! 251: m.msg_controllen != 0 && cm;
! 252: cm = (struct cmsghdr *)CMSG_NXTHDR(&m, cm)) {
! 253: #if 0
! 254: plog(LLV_ERROR, LOCATION, NULL,
! 255: "cmsg %d %d\n", cm->cmsg_level, cm->cmsg_type);)
! 256: #endif
! 257: #if defined(INET6) && defined(INET6_ADVAPI)
! 258: if (sa.sa.sa_family == AF_INET6
! 259: && cm->cmsg_level == IPPROTO_IPV6
! 260: && cm->cmsg_type == IPV6_PKTINFO
! 261: && otolen >= sizeof(*sin6)) {
! 262: pi = (struct in6_pktinfo *)(CMSG_DATA(cm));
! 263: *tolen = sizeof(*sin6);
! 264: sin6 = (struct sockaddr_in6 *)to;
! 265: memset(sin6, 0, sizeof(*sin6));
! 266: sin6->sin6_family = AF_INET6;
! 267: #ifndef __linux__
! 268: sin6->sin6_len = sizeof(*sin6);
! 269: #endif
! 270: memcpy(&sin6->sin6_addr, &pi->ipi6_addr,
! 271: sizeof(sin6->sin6_addr));
! 272: /* XXX other cases, such as site-local? */
! 273: if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
! 274: sin6->sin6_scope_id = pi->ipi6_ifindex;
! 275: else
! 276: sin6->sin6_scope_id = 0;
! 277: sin6->sin6_port = sa.sin6.sin6_port;
! 278: otolen = -1; /* "to" already set */
! 279: continue;
! 280: }
! 281: #endif
! 282: #ifdef __linux__
! 283: if (sa.sa.sa_family == AF_INET
! 284: && cm->cmsg_level == IPPROTO_IP
! 285: && cm->cmsg_type == IP_PKTINFO
! 286: && otolen >= sizeof(sin)) {
! 287: struct in_pktinfo *pi = (struct in_pktinfo *)(CMSG_DATA(cm));
! 288: *tolen = sizeof(*sin);
! 289: sin = (struct sockaddr_in *)to;
! 290: memset(sin, 0, sizeof(*sin));
! 291: sin->sin_family = AF_INET;
! 292: memcpy(&sin->sin_addr, &pi->ipi_addr,
! 293: sizeof(sin->sin_addr));
! 294: sin->sin_port = sa.sin.sin_port;
! 295: otolen = -1; /* "to" already set */
! 296: continue;
! 297: }
! 298: #endif
! 299: #if defined(INET6) && defined(IPV6_RECVDSTADDR)
! 300: if (sa.sa.sa_family == AF_INET6
! 301: && cm->cmsg_level == IPPROTO_IPV6
! 302: && cm->cmsg_type == IPV6_RECVDSTADDR
! 303: && otolen >= sizeof(*sin6)) {
! 304: *tolen = sizeof(*sin6);
! 305: sin6 = (struct sockaddr_in6 *)to;
! 306: memset(sin6, 0, sizeof(*sin6));
! 307: sin6->sin6_family = AF_INET6;
! 308: sin6->sin6_len = sizeof(*sin6);
! 309: memcpy(&sin6->sin6_addr, CMSG_DATA(cm),
! 310: sizeof(sin6->sin6_addr));
! 311: sin6->sin6_port = sa.sin6.sin6_port;
! 312: otolen = -1; /* "to" already set */
! 313: continue;
! 314: }
! 315: #endif
! 316: #ifndef __linux__
! 317: if (sa.sa.sa_family == AF_INET
! 318: && cm->cmsg_level == IPPROTO_IP
! 319: && cm->cmsg_type == IP_RECVDSTADDR
! 320: && otolen >= sizeof(*sin)) {
! 321: *tolen = sizeof(*sin);
! 322: sin = (struct sockaddr_in *)to;
! 323: memset(sin, 0, sizeof(*sin));
! 324: sin->sin_family = AF_INET;
! 325: sin->sin_len = sizeof(*sin);
! 326: memcpy(&sin->sin_addr, CMSG_DATA(cm),
! 327: sizeof(sin->sin_addr));
! 328: sin->sin_port = sa.sin.sin_port;
! 329: otolen = -1; /* "to" already set */
! 330: continue;
! 331: }
! 332: #endif
! 333: }
! 334:
! 335: return len;
! 336: }
! 337:
! 338: /* send packet, with fixing src/dst address pair. */
! 339: int
! 340: sendfromto(s, buf, buflen, src, dst, cnt)
! 341: int s, cnt;
! 342: const void *buf;
! 343: size_t buflen;
! 344: struct sockaddr *src;
! 345: struct sockaddr *dst;
! 346: {
! 347: struct sockaddr_storage ss;
! 348: socklen_t slen;
! 349: int len = 0;
! 350: int i;
! 351:
! 352: if (src->sa_family != dst->sa_family) {
! 353: plog(LLV_ERROR, LOCATION, NULL,
! 354: "address family mismatch\n");
! 355: return -1;
! 356: }
! 357:
! 358: slen = sizeof(ss);
! 359: if (getsockname(s, (struct sockaddr *)&ss, &slen) < 0) {
! 360: plog(LLV_ERROR, LOCATION, NULL,
! 361: "getsockname (%s)\n", strerror(errno));
! 362: return -1;
! 363: }
! 364:
! 365: plog(LLV_DEBUG, LOCATION, NULL,
! 366: "sockname %s\n", saddr2str((struct sockaddr *)&ss));
! 367: plog(LLV_DEBUG, LOCATION, NULL,
! 368: "send packet from %s\n", saddr2str(src));
! 369: plog(LLV_DEBUG, LOCATION, NULL,
! 370: "send packet to %s\n", saddr2str(dst));
! 371:
! 372: if (src->sa_family != ss.ss_family) {
! 373: plog(LLV_ERROR, LOCATION, NULL,
! 374: "address family mismatch\n");
! 375: return -1;
! 376: }
! 377:
! 378: switch (src->sa_family) {
! 379: #if defined(INET6) && defined(INET6_ADVAPI)
! 380: // XXX: This block wasn't compiled on Linux - does it work?
! 381: case AF_INET6:
! 382: {
! 383: struct msghdr m;
! 384: struct cmsghdr *cm;
! 385: struct iovec iov[2];
! 386: u_char cmsgbuf[256];
! 387: struct in6_pktinfo *pi;
! 388: int ifindex;
! 389: struct sockaddr_in6 src6, dst6;
! 390:
! 391: memcpy(&src6, src, sizeof(src6));
! 392: memcpy(&dst6, dst, sizeof(dst6));
! 393:
! 394: /* XXX take care of other cases, such as site-local */
! 395: ifindex = 0;
! 396: if (IN6_IS_ADDR_LINKLOCAL(&src6.sin6_addr)
! 397: || IN6_IS_ADDR_MULTICAST(&src6.sin6_addr)) {
! 398: ifindex = src6.sin6_scope_id; /*???*/
! 399: }
! 400:
! 401: /* XXX some sanity check on dst6.sin6_scope_id */
! 402:
! 403: /* flowinfo for IKE? mmm, maybe useful but for now make it 0 */
! 404: src6.sin6_flowinfo = dst6.sin6_flowinfo = 0;
! 405:
! 406: memset(&m, 0, sizeof(m));
! 407: m.msg_name = (caddr_t)&dst6;
! 408: m.msg_namelen = sizeof(dst6);
! 409: iov[0].iov_base = (char *)buf;
! 410: iov[0].iov_len = buflen;
! 411: m.msg_iov = iov;
! 412: m.msg_iovlen = 1;
! 413:
! 414: memset(cmsgbuf, 0, sizeof(cmsgbuf));
! 415: cm = (struct cmsghdr *)cmsgbuf;
! 416: m.msg_control = (caddr_t)cm;
! 417: m.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo));
! 418:
! 419: cm->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
! 420: cm->cmsg_level = IPPROTO_IPV6;
! 421: cm->cmsg_type = IPV6_PKTINFO;
! 422: pi = (struct in6_pktinfo *)CMSG_DATA(cm);
! 423: memcpy(&pi->ipi6_addr, &src6.sin6_addr, sizeof(src6.sin6_addr));
! 424: pi->ipi6_ifindex = ifindex;
! 425:
! 426: plog(LLV_DEBUG, LOCATION, NULL,
! 427: "src6 %s %d\n",
! 428: saddr2str((struct sockaddr *)&src6),
! 429: src6.sin6_scope_id);
! 430: plog(LLV_DEBUG, LOCATION, NULL,
! 431: "dst6 %s %d\n",
! 432: saddr2str((struct sockaddr *)&dst6),
! 433: dst6.sin6_scope_id);
! 434:
! 435: for (i = 0; i < cnt; i++) {
! 436: len = sendmsg(s, &m, 0 /*MSG_DONTROUTE*/);
! 437: if (len < 0) {
! 438: plog(LLV_ERROR, LOCATION, NULL,
! 439: "sendmsg (%s)\n", strerror(errno));
! 440: return -1;
! 441: }
! 442: plog(LLV_DEBUG, LOCATION, NULL,
! 443: "%d times of %d bytes message will be sent "
! 444: "to %s\n",
! 445: i + 1, len, saddr2str(dst));
! 446: }
! 447: plogdump(LLV_DEBUG, (char *)buf, buflen);
! 448:
! 449: return len;
! 450: }
! 451: #endif
! 452: #ifdef __linux__
! 453: case AF_INET:
! 454: {
! 455: struct msghdr m;
! 456: struct cmsghdr *cm;
! 457: struct iovec iov[2];
! 458: u_char cmsgbuf[256];
! 459: struct in_pktinfo *pi;
! 460: int ifindex = 0;
! 461: struct sockaddr_in src6, dst6;
! 462:
! 463: memcpy(&src6, src, sizeof(src6));
! 464: memcpy(&dst6, dst, sizeof(dst6));
! 465:
! 466: memset(&m, 0, sizeof(m));
! 467: m.msg_name = (caddr_t)&dst6;
! 468: m.msg_namelen = sizeof(dst6);
! 469: iov[0].iov_base = (char *)buf;
! 470: iov[0].iov_len = buflen;
! 471: m.msg_iov = iov;
! 472: m.msg_iovlen = 1;
! 473:
! 474: memset(cmsgbuf, 0, sizeof(cmsgbuf));
! 475: cm = (struct cmsghdr *)cmsgbuf;
! 476: m.msg_control = (caddr_t)cm;
! 477: m.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo));
! 478:
! 479: cm->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
! 480: cm->cmsg_level = IPPROTO_IP;
! 481: cm->cmsg_type = IP_PKTINFO;
! 482: pi = (struct in_pktinfo *)CMSG_DATA(cm);
! 483: memcpy(&pi->ipi_spec_dst, &src6.sin_addr, sizeof(src6.sin_addr));
! 484: pi->ipi_ifindex = ifindex;
! 485:
! 486: plog(LLV_DEBUG, LOCATION, NULL,
! 487: "src4 %s\n",
! 488: saddr2str((struct sockaddr *)&src6));
! 489: plog(LLV_DEBUG, LOCATION, NULL,
! 490: "dst4 %s\n",
! 491: saddr2str((struct sockaddr *)&dst6));
! 492:
! 493: for (i = 0; i < cnt; i++) {
! 494: len = sendmsg(s, &m, 0 /*MSG_DONTROUTE*/);
! 495: if (len < 0) {
! 496: plog(LLV_ERROR, LOCATION, NULL,
! 497: "sendmsg (%s)\n", strerror(errno));
! 498: return -1;
! 499: }
! 500: plog(LLV_DEBUG, LOCATION, NULL,
! 501: "%d times of %d bytes message will be sent "
! 502: "to %s\n",
! 503: i + 1, len, saddr2str(dst));
! 504: }
! 505: plogdump(LLV_DEBUG, (char *)buf, buflen);
! 506:
! 507: return len;
! 508: }
! 509: #endif /* __linux__ */
! 510: default:
! 511: {
! 512: int needclose = 0;
! 513: int sendsock;
! 514:
! 515: if (ss.ss_family == src->sa_family && memcmp(&ss, src, sysdep_sa_len(src)) == 0) {
! 516: sendsock = s;
! 517: needclose = 0;
! 518: } else {
! 519: int yes = 1;
! 520: /*
! 521: * Use newly opened socket for sending packets.
! 522: * NOTE: this is unsafe, because if the peer is quick enough
! 523: * the packet from the peer may be queued into sendsock.
! 524: * Better approach is to prepare bind'ed udp sockets for
! 525: * each of the interface addresses.
! 526: */
! 527: sendsock = SOCKET(src->sa_family, SOCK_DGRAM, 0);
! 528: if (sendsock < 0) {
! 529: plog(LLV_ERROR, LOCATION, NULL,
! 530: "socket (%s)\n", strerror(errno));
! 531: return -1;
! 532: }
! 533: if (setsockopt(sendsock, SOL_SOCKET,
! 534: #ifdef __linux__
! 535: SO_REUSEADDR,
! 536: #else
! 537: SO_REUSEPORT,
! 538: #endif
! 539: (void *)&yes, sizeof(yes)) < 0) {
! 540: plog(LLV_ERROR, LOCATION, NULL,
! 541: "setsockopt SO_REUSEPORT (%s)\n",
! 542: strerror(errno));
! 543: close(sendsock);
! 544: return -1;
! 545: }
! 546: #ifdef IPV6_USE_MIN_MTU
! 547: if (src->sa_family == AF_INET6 &&
! 548: setsockopt(sendsock, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
! 549: (void *)&yes, sizeof(yes)) < 0) {
! 550: plog(LLV_ERROR, LOCATION, NULL,
! 551: "setsockopt IPV6_USE_MIN_MTU (%s)\n",
! 552: strerror(errno));
! 553: close(sendsock);
! 554: return -1;
! 555: }
! 556: #endif
! 557: if (setsockopt_bypass(sendsock, src->sa_family) < 0) {
! 558: close(sendsock);
! 559: return -1;
! 560: }
! 561:
! 562: if (BIND(sendsock, (struct sockaddr *)src,
! 563: sysdep_sa_len(src)) < 0) {
! 564: plog(LLV_ERROR, LOCATION, NULL,
! 565: "bind 1 (%s)\n", strerror(errno));
! 566: close(sendsock);
! 567: return -1;
! 568: }
! 569: needclose = 1;
! 570: }
! 571:
! 572: for (i = 0; i < cnt; i++) {
! 573: len = sendto(sendsock, buf, buflen, 0, dst, sysdep_sa_len(dst));
! 574: if (len < 0) {
! 575: plog(LLV_ERROR, LOCATION, NULL,
! 576: "sendto (%s)\n", strerror(errno));
! 577: if (needclose)
! 578: close(sendsock);
! 579: return len;
! 580: }
! 581: plog(LLV_DEBUG, LOCATION, NULL,
! 582: "%d times of %d bytes message will be sent "
! 583: "to %s\n",
! 584: i + 1, len, saddr2str(dst));
! 585: }
! 586: plogdump(LLV_DEBUG, (char *)buf, buflen);
! 587:
! 588: if (needclose)
! 589: close(sendsock);
! 590:
! 591: return len;
! 592: }
! 593: }
! 594: }
! 595:
! 596: int
! 597: setsockopt_bypass(so, family)
! 598: int so, family;
! 599: {
! 600: int level;
! 601: char *buf;
! 602: char *policy;
! 603:
! 604: switch (family) {
! 605: case AF_INET:
! 606: level = IPPROTO_IP;
! 607: break;
! 608: #ifdef INET6
! 609: case AF_INET6:
! 610: level = IPPROTO_IPV6;
! 611: break;
! 612: #endif
! 613: default:
! 614: plog(LLV_ERROR, LOCATION, NULL,
! 615: "unsupported address family %d\n", family);
! 616: return -1;
! 617: }
! 618:
! 619: policy = "in bypass";
! 620: buf = ipsec_set_policy(policy, strlen(policy));
! 621: if (buf == NULL) {
! 622: plog(LLV_ERROR, LOCATION, NULL,
! 623: "ipsec_set_policy (%s)\n",
! 624: ipsec_strerror());
! 625: return -1;
! 626: }
! 627: if (SETSOCKOPT(so, level,
! 628: (level == IPPROTO_IP ?
! 629: IP_IPSEC_POLICY : IPV6_IPSEC_POLICY),
! 630: buf, ipsec_get_policylen(buf)) < 0) {
! 631: plog(LLV_ERROR, LOCATION, NULL,
! 632: "setsockopt IP_IPSEC_POLICY (%s)\n",
! 633: strerror(errno));
! 634: return -1;
! 635: }
! 636: racoon_free(buf);
! 637:
! 638: policy = "out bypass";
! 639: buf = ipsec_set_policy(policy, strlen(policy));
! 640: if (buf == NULL) {
! 641: plog(LLV_ERROR, LOCATION, NULL,
! 642: "ipsec_set_policy (%s)\n",
! 643: ipsec_strerror());
! 644: return -1;
! 645: }
! 646: if (SETSOCKOPT(so, level,
! 647: (level == IPPROTO_IP ?
! 648: IP_IPSEC_POLICY : IPV6_IPSEC_POLICY),
! 649: buf, ipsec_get_policylen(buf)) < 0) {
! 650: plog(LLV_ERROR, LOCATION, NULL,
! 651: "setsockopt IP_IPSEC_POLICY (%s)\n",
! 652: strerror(errno));
! 653: return -1;
! 654: }
! 655: racoon_free(buf);
! 656:
! 657: return 0;
! 658: }
! 659:
! 660: struct sockaddr *
! 661: newsaddr(len)
! 662: int len;
! 663: {
! 664: struct sockaddr *new;
! 665:
! 666: if ((new = racoon_calloc(1, len)) == NULL) {
! 667: plog(LLV_ERROR, LOCATION, NULL,
! 668: "%s\n", strerror(errno));
! 669: goto out;
! 670: }
! 671:
! 672: #ifdef __linux__
! 673: if (len == sizeof (struct sockaddr_in6))
! 674: new->sa_family = AF_INET6;
! 675: else
! 676: new->sa_family = AF_INET;
! 677: #else
! 678: /* initial */
! 679: new->sa_len = len;
! 680: #endif
! 681: out:
! 682: return new;
! 683: }
! 684:
! 685: struct sockaddr *
! 686: dupsaddr(src)
! 687: struct sockaddr *src;
! 688: {
! 689: struct sockaddr *dst;
! 690:
! 691: dst = racoon_calloc(1, sysdep_sa_len(src));
! 692: if (dst == NULL) {
! 693: plog(LLV_ERROR, LOCATION, NULL,
! 694: "%s\n", strerror(errno));
! 695: return NULL;
! 696: }
! 697:
! 698: memcpy(dst, src, sysdep_sa_len(src));
! 699:
! 700: return dst;
! 701: }
! 702:
! 703: char *
! 704: saddr2str(saddr)
! 705: const struct sockaddr *saddr;
! 706: {
! 707: static char buf[NI_MAXHOST + NI_MAXSERV + 10];
! 708: char addr[NI_MAXHOST], port[NI_MAXSERV];
! 709:
! 710: if (saddr == NULL)
! 711: return NULL;
! 712:
! 713: if (saddr->sa_family == AF_UNSPEC)
! 714: snprintf (buf, sizeof(buf), "%s", "anonymous");
! 715: else {
! 716: GETNAMEINFO(saddr, addr, port);
! 717: snprintf(buf, sizeof(buf), "%s[%s]", addr, port);
! 718: }
! 719:
! 720: return buf;
! 721: }
! 722:
! 723: char *
! 724: saddrwop2str(saddr)
! 725: const struct sockaddr *saddr;
! 726: {
! 727: static char buf[NI_MAXHOST + NI_MAXSERV + 10];
! 728: char addr[NI_MAXHOST];
! 729:
! 730: if (saddr == NULL)
! 731: return NULL;
! 732:
! 733: GETNAMEINFO_NULL(saddr, addr);
! 734: snprintf(buf, sizeof(buf), "%s", addr);
! 735:
! 736: return buf;
! 737: }
! 738:
! 739: char *
! 740: naddrwop2str(const struct netaddr *naddr)
! 741: {
! 742: static char buf[NI_MAXHOST + 10];
! 743: static const struct sockaddr sa_any; /* this is initialized to all zeros */
! 744:
! 745: if (naddr == NULL)
! 746: return NULL;
! 747:
! 748: if (memcmp(&naddr->sa, &sa_any, sizeof(sa_any)) == 0)
! 749: snprintf(buf, sizeof(buf), "%s", "any");
! 750: else {
! 751: snprintf(buf, sizeof(buf), "%s", saddrwop2str(&naddr->sa.sa));
! 752: snprintf(&buf[strlen(buf)], sizeof(buf) - strlen(buf), "/%ld", naddr->prefix);
! 753: }
! 754: return buf;
! 755: }
! 756:
! 757: char *
! 758: naddrwop2str_fromto(const char *format, const struct netaddr *saddr,
! 759: const struct netaddr *daddr)
! 760: {
! 761: static char buf[2*(NI_MAXHOST + NI_MAXSERV + 10) + 100];
! 762: char *src, *dst;
! 763:
! 764: src = racoon_strdup(naddrwop2str(saddr));
! 765: dst = racoon_strdup(naddrwop2str(daddr));
! 766: STRDUP_FATAL(src);
! 767: STRDUP_FATAL(dst);
! 768: /* WARNING: Be careful about the format string! Don't
! 769: ever pass in something that a user can modify!!! */
! 770: snprintf (buf, sizeof(buf), format, src, dst);
! 771: racoon_free (src);
! 772: racoon_free (dst);
! 773:
! 774: return buf;
! 775: }
! 776:
! 777: char *
! 778: saddr2str_fromto(format, saddr, daddr)
! 779: const char *format;
! 780: const struct sockaddr *saddr;
! 781: const struct sockaddr *daddr;
! 782: {
! 783: static char buf[2*(NI_MAXHOST + NI_MAXSERV + 10) + 100];
! 784: char *src, *dst;
! 785:
! 786: src = racoon_strdup(saddr2str(saddr));
! 787: dst = racoon_strdup(saddr2str(daddr));
! 788: STRDUP_FATAL(src);
! 789: STRDUP_FATAL(dst);
! 790: /* WARNING: Be careful about the format string! Don't
! 791: ever pass in something that a user can modify!!! */
! 792: snprintf (buf, sizeof(buf), format, src, dst);
! 793: racoon_free (src);
! 794: racoon_free (dst);
! 795:
! 796: return buf;
! 797: }
! 798:
! 799: struct sockaddr *
! 800: str2saddr(host, port)
! 801: char *host;
! 802: char *port;
! 803: {
! 804: struct addrinfo hints, *res;
! 805: struct sockaddr *saddr;
! 806: int error;
! 807:
! 808: memset(&hints, 0, sizeof(hints));
! 809: hints.ai_family = PF_UNSPEC;
! 810: hints.ai_socktype = SOCK_DGRAM;
! 811: hints.ai_flags = AI_NUMERICHOST;
! 812: error = getaddrinfo(host, port, &hints, &res);
! 813: if (error != 0) {
! 814: plog(LLV_ERROR, LOCATION, NULL,
! 815: "getaddrinfo(%s%s%s): %s\n",
! 816: host, port ? "," : "", port ? port : "",
! 817: gai_strerror(error));
! 818: return NULL;
! 819: }
! 820: if (res->ai_next != NULL) {
! 821: plog(LLV_WARNING, LOCATION, NULL,
! 822: "getaddrinfo(%s%s%s): "
! 823: "resolved to multiple address, "
! 824: "taking the first one\n",
! 825: host, port ? "," : "", port ? port : "");
! 826: }
! 827: saddr = racoon_malloc(res->ai_addrlen);
! 828: if (saddr == NULL) {
! 829: plog(LLV_ERROR, LOCATION, NULL,
! 830: "failed to allocate buffer.\n");
! 831: freeaddrinfo(res);
! 832: return NULL;
! 833: }
! 834: memcpy(saddr, res->ai_addr, res->ai_addrlen);
! 835: freeaddrinfo(res);
! 836:
! 837: return saddr;
! 838: }
! 839:
! 840: void
! 841: mask_sockaddr(a, b, l)
! 842: struct sockaddr *a;
! 843: const struct sockaddr *b;
! 844: size_t l;
! 845: {
! 846: size_t i;
! 847: u_int8_t *p, alen;
! 848:
! 849: switch (b->sa_family) {
! 850: case AF_INET:
! 851: alen = sizeof(struct in_addr);
! 852: p = (u_int8_t *)&((struct sockaddr_in *)a)->sin_addr;
! 853: break;
! 854: #ifdef INET6
! 855: case AF_INET6:
! 856: alen = sizeof(struct in6_addr);
! 857: p = (u_int8_t *)&((struct sockaddr_in6 *)a)->sin6_addr;
! 858: break;
! 859: #endif
! 860: default:
! 861: plog(LLV_ERROR, LOCATION, NULL,
! 862: "invalid family: %d\n", b->sa_family);
! 863: exit(1);
! 864: }
! 865:
! 866: if ((alen << 3) < l) {
! 867: plog(LLV_ERROR, LOCATION, NULL,
! 868: "unexpected inconsistency: %d %zu\n", b->sa_family, l);
! 869: exit(1);
! 870: }
! 871:
! 872: memcpy(a, b, sysdep_sa_len(b));
! 873: p[l / 8] &= (0xff00 >> (l % 8)) & 0xff;
! 874: for (i = l / 8 + 1; i < alen; i++)
! 875: p[i] = 0x00;
! 876: }
! 877:
! 878: /* Compute a score describing how "accurate" a netaddr is for a given sockaddr.
! 879: * Examples:
! 880: * Return values for address 10.20.30.40 [port 500] and given netaddresses...
! 881: * 10.10.0.0/16 => -1 ... doesn't match
! 882: * 0.0.0.0/0 => 0 ... matches, but only 0 bits.
! 883: * 10.20.0.0/16 => 16 ... 16 bits match
! 884: * 10.20.30.0/24 => 24 ... guess what ;-)
! 885: * 10.20.30.40/32 => 32 ... whole address match
! 886: * 10.20.30.40:500 => 33 ... both address and port match
! 887: * 10.20.30.40:501 => -1 ... port doesn't match and isn't 0 (=any)
! 888: */
! 889: int
! 890: naddr_score(const struct netaddr *naddr, const struct sockaddr *saddr)
! 891: {
! 892: static const struct netaddr naddr_any; /* initialized to all-zeros */
! 893: struct sockaddr sa;
! 894: u_int16_t naddr_port, saddr_port;
! 895: int port_score;
! 896:
! 897: if (!naddr || !saddr) {
! 898: plog(LLV_ERROR, LOCATION, NULL,
! 899: "Call with null args: naddr=%p, saddr=%p\n",
! 900: naddr, saddr);
! 901: return -1;
! 902: }
! 903:
! 904: /* Wildcard address matches, but only 0 bits. */
! 905: if (memcmp(naddr, &naddr_any, sizeof(naddr_any)) == 0)
! 906: return 0;
! 907:
! 908: /* If families don't match we really can't do much... */
! 909: if (naddr->sa.sa.sa_family != saddr->sa_family)
! 910: return -1;
! 911:
! 912: /* If port check fail don't bother to check addresses. */
! 913: naddr_port = extract_port(&naddr->sa.sa);
! 914: saddr_port = extract_port(saddr);
! 915: if (naddr_port == 0 || saddr_port == 0) /* wildcard match */
! 916: port_score = 0;
! 917: else if (naddr_port == saddr_port) /* exact match */
! 918: port_score = 1;
! 919: else /* mismatch :-) */
! 920: return -1;
! 921:
! 922: /* Here it comes - compare network addresses. */
! 923: mask_sockaddr(&sa, saddr, naddr->prefix);
! 924: if (loglevel >= LLV_DEBUG) { /* debug only */
! 925: char *a1, *a2, *a3;
! 926: a1 = racoon_strdup(naddrwop2str(naddr));
! 927: a2 = racoon_strdup(saddrwop2str(saddr));
! 928: a3 = racoon_strdup(saddrwop2str(&sa));
! 929: STRDUP_FATAL(a1);
! 930: STRDUP_FATAL(a2);
! 931: STRDUP_FATAL(a3);
! 932: plog(LLV_DEBUG, LOCATION, NULL,
! 933: "naddr=%s, saddr=%s (masked=%s)\n",
! 934: a1, a2, a3);
! 935: free(a1);
! 936: free(a2);
! 937: free(a3);
! 938: }
! 939: if (cmpsaddr(&sa, &naddr->sa.sa) <= CMPSADDR_WOP_MATCH)
! 940: return naddr->prefix + port_score;
! 941:
! 942: return -1;
! 943: }
! 944:
! 945: /* Some useful functions for sockaddr port manipulations. */
! 946: u_int16_t
! 947: extract_port (const struct sockaddr *addr)
! 948: {
! 949: u_int16_t port = 0;
! 950:
! 951: if (!addr)
! 952: return port;
! 953:
! 954: switch (addr->sa_family) {
! 955: case AF_UNSPEC:
! 956: break;
! 957: case AF_INET:
! 958: port = ((struct sockaddr_in *)addr)->sin_port;
! 959: break;
! 960: case AF_INET6:
! 961: port = ((struct sockaddr_in6 *)addr)->sin6_port;
! 962: break;
! 963: default:
! 964: plog(LLV_ERROR, LOCATION, NULL, "unknown AF: %u\n", addr->sa_family);
! 965: break;
! 966: }
! 967:
! 968: return ntohs(port);
! 969: }
! 970:
! 971: u_int16_t *
! 972: get_port_ptr (struct sockaddr *addr)
! 973: {
! 974: u_int16_t *port_ptr;
! 975:
! 976: if (!addr)
! 977: return NULL;
! 978:
! 979: switch (addr->sa_family) {
! 980: case AF_INET:
! 981: port_ptr = &(((struct sockaddr_in *)addr)->sin_port);
! 982: break;
! 983: case AF_INET6:
! 984: port_ptr = &(((struct sockaddr_in6 *)addr)->sin6_port);
! 985: break;
! 986: default:
! 987: plog(LLV_ERROR, LOCATION, NULL, "unknown AF: %u\n", addr->sa_family);
! 988: return NULL;
! 989: break;
! 990: }
! 991:
! 992: return port_ptr;
! 993: }
! 994:
! 995: u_int16_t *
! 996: set_port (struct sockaddr *addr, u_int16_t new_port)
! 997: {
! 998: u_int16_t *port_ptr;
! 999:
! 1000: port_ptr = get_port_ptr (addr);
! 1001:
! 1002: if (port_ptr)
! 1003: *port_ptr = htons(new_port);
! 1004:
! 1005: return port_ptr;
! 1006: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sockmisc.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / ipsec-tools / src / racoon