[apple/ipsec.git] / ipsec-tools / racoon / vpn_control.c

/* $Id: vpn_control.c,v 1.17.2.4 2005/07/12 11:49:44 manubsd Exp $ */

/*
 * Copyright (c) 2006 Apple Computer, Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * The contents of this file constitute Original Code as defined in and
 * are subject to the Apple Public Source License Version 1.1 (the
 * "License").  You may not use this file except in compliance with the
 * License.  Please obtain a copy of the License at
 * http://www.apple.com/publicsource and read it before using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
 * License for the specific language governing rights and limitations
 * under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "config.h"

#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/signal.h>
#include <sys/stat.h>
#include <sys/un.h>

#include <System/net/pfkeyv2.h>

#include <netinet/in.h>
#ifndef HAVE_NETINET6_IPSEC
#include <netinet/ipsec.h>
#else 
#include <netinet6/ipsec.h>
#endif


#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <netdb.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif

#include "var.h"
#include "misc.h"
#include "vmbuf.h"
#include "plog.h"
#include "sockmisc.h"
#include "debug.h"

#include "schedule.h"
#include "localconf.h"
#include "remoteconf.h"
#include "grabmyaddr.h"
#include "isakmp_var.h"
#include "isakmp.h"
#include "oakley.h"
#include "handler.h"
#include "evt.h"
#include "pfkey.h"
#include "ipsec_doi.h"
#include "vpn_control.h"
#include "vpn_control_var.h"
#include "isakmp_inf.h"
#include "session.h"
#include "gcmalloc.h"

#ifdef ENABLE_VPNCONTROL_PORT
char *vpncontrolsock_path = VPNCONTROLSOCK_PATH;
uid_t vpncontrolsock_owner = 0;
gid_t vpncontrolsock_group = 0;
mode_t vpncontrolsock_mode = 0600;

static struct sockaddr_un sunaddr;
static int vpncontrol_process(struct vpnctl_socket_elem *, char *);
static int vpncontrol_reply(int, char *);
static void vpncontrol_close_comm(struct vpnctl_socket_elem *);

int
vpncontrol_handler()
{
	struct sockaddr_storage from;
	socklen_t fromlen = sizeof(from);

	struct vpnctl_socket_elem *sock_elem;
	
	sock_elem = racoon_malloc(sizeof(struct vpnctl_socket_elem));
	if (sock_elem == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"memory error: %s\n", strerror(errno));
		return -1;
	}
	LIST_INIT(&sock_elem->bound_addresses);

	sock_elem->sock = accept(lcconf->sock_vpncontrol, (struct sockaddr *)&from, &fromlen);
	if (sock_elem->sock < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to accept vpn_control command: %s\n", strerror(errno));
		racoon_free(sock_elem);
		return -1;
	}
	LIST_INSERT_HEAD(&lcconf->vpnctl_comm_socks, sock_elem, chain);
	plog(LLV_NOTIFY, LOCATION, NULL,
		"accepted connection on vpn control socket.\n");
		
	check_auto_exit();
		
	return 0;
}

int
vpncontrol_comm_handler(struct vpnctl_socket_elem *elem)
{
	struct vpnctl_hdr hdr;
	char *combuf = NULL;
	int len;

	/* get buffer length */
	while ((len = recv(elem->sock, (char *)&hdr, sizeof(hdr), MSG_PEEK)) < 0) {
		if (errno == EINTR)
			continue;
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to recv vpn_control command: %s\n", strerror(errno));
		goto end;
	}
	if (len == 0) {
		plog(LLV_NOTIFY, LOCATION, NULL,
			"vpn_control socket closed by peer.\n");
		vpncontrol_close_comm(elem);
		return -1;
	}
		
	/* sanity check */
	if (len < sizeof(hdr)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"invalid header length of vpn_control command - len=%d - expected %d\n", len, sizeof(hdr));
		goto end;
	}

	/* get buffer to receive */
	if ((combuf = racoon_malloc(ntohs(hdr.len) + sizeof(hdr))) == 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to alloc buffer for vpn_control command\n");
		goto end;
	}

	/* get real data */
	while ((len = recv(elem->sock, combuf, ntohs(hdr.len) + sizeof(hdr), 0)) < 0) {
		if (errno == EINTR)
			continue;
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to recv vpn_control command: %s\n",
			strerror(errno));
		goto end;
	}

	(void)vpncontrol_process(elem, combuf);

end:
	if (combuf)
		racoon_free(combuf);
	return 0;		// return -1 only if a socket is closed
}

static int
vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf)
{
	u_int16_t	error = 0;
	struct vpnctl_hdr *hdr = (struct vpnctl_hdr *)combuf;

	switch (ntohs(hdr->msg_type)) {
	
		case VPNCTL_CMD_BIND:
			{
				struct vpnctl_cmd_bind *pkt = (struct vpnctl_cmd_bind *)combuf;
				struct bound_addr *addr;
			
				plog(LLV_DEBUG, LOCATION, NULL,
					"received bind command on vpn control socket.\n");
				addr = racoon_malloc(sizeof(struct bound_addr));
				if (addr == NULL) {
					plog(LLV_ERROR, LOCATION, NULL,	
						"memory error: %s\n", strerror(errno));
					error = -1;
					break;
				}
				addr->address = pkt->address;
				LIST_INSERT_HEAD(&elem->bound_addresses, addr, chain);
				lcconf->auto_exit_state |= LC_AUTOEXITSTATE_CLIENT;	/* client side */
			}
			break;
			
		case VPNCTL_CMD_UNBIND:
			{
				struct vpnctl_cmd_unbind *pkt = (struct vpnctl_cmd_unbind *)combuf;
				struct bound_addr *addr;
				struct bound_addr *t_addr;

				plog(LLV_DEBUG, LOCATION, NULL,
					"received unbind command on vpn control socket.\n");
				LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
					if (pkt->address == 0xFFFFFFFF ||
						pkt->address == addr->address) {
						LIST_REMOVE(addr, chain);
						racoon_free(addr);
					}
				}
			}
			break;

		case VPNCTL_CMD_REDIRECT:
			{
				struct vpnctl_cmd_redirect *redirect_msg = (struct vpnctl_cmd_redirect *)combuf;
				struct redirect *raddr;
				struct redirect *t_raddr;
				int found = 0;
				
				plog(LLV_DEBUG, LOCATION, NULL,
					"received redirect command on vpn control socket - address = %x.\n", ntohl(redirect_msg->redirect_address));
				
				LIST_FOREACH_SAFE(raddr, &lcconf->redirect_addresses, chain, t_raddr) {
					if (raddr->cluster_address == redirect_msg->address) {
						if (redirect_msg->redirect_address == 0) {
							LIST_REMOVE(raddr, chain);
							racoon_free(raddr);
						} else {
							raddr->redirect_address = redirect_msg->redirect_address;
							raddr->force = ntohs(redirect_msg->force);
						}
						found = 1;
						break;
					}
				}
				if (!found) {
					raddr = racoon_malloc(sizeof(struct redirect));
					if (raddr == NULL) {
						plog(LLV_DEBUG, LOCATION, NULL,
							"cannot allcoate memory for redirect address.\n");					
						error = -1;
						break;
					}
					raddr->cluster_address = redirect_msg->address;
					raddr->redirect_address = redirect_msg->redirect_address;
					raddr->force = ntohs(redirect_msg->force);
					LIST_INSERT_HEAD(&lcconf->redirect_addresses, raddr, chain);
					
				}
			}
			break;
			
		case VPNCTL_CMD_PING:
			break;	// just reply for now

		default:
			plog(LLV_ERROR, LOCATION, NULL,
				"invalid command: %d\n", ntohs(hdr->msg_type));
			error = -1;		// for now
			break;
	}

	hdr->len = 0;
	hdr->result = htons(error);
	if (vpncontrol_reply(elem->sock, combuf) < 0)
		return -1;

	return 0;

}

static int
vpncontrol_reply(int so, char *combuf)
{
	size_t tlen;

	tlen = send(so, combuf, sizeof(struct vpnctl_hdr), 0);
	if (tlen < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to send vpn_control message: %s\n", strerror(errno));
		return -1;
	}

	return 0;
}

int
vpncontrol_notify_ike_failed(u_int16_t notify_code, u_int16_t from, u_int32_t address, u_int16_t data_len, u_int8_t *data)
{
	struct vpnctl_status_failed *msg; 
	struct vpnctl_socket_elem *sock_elem;
	struct bound_addr *bound_addr;
	size_t tlen, len;
	
	len = sizeof(struct vpnctl_status_failed) + data_len;
	
	msg = (struct vpnctl_status_failed *)racoon_malloc(len);
	if (msg == NULL) {
		plog(LLV_DEBUG, LOCATION, NULL,
				"unable to allcate memory for vpn control status message.\n");
		return -1;
	}
		
	msg->hdr.msg_type = htons(VPNCTL_STATUS_IKE_FAILED);
	msg->hdr.flags = msg->hdr.cookie = msg->hdr.reserved = msg->hdr.result = 0;
	msg->hdr.len = htons(len - sizeof(struct vpnctl_hdr));
	msg->address = address;
	msg->ike_code = htons(notify_code);
	msg->from = htons(from);
	if (data_len > 0)
		memcpy(msg->data, data, data_len);	
	plog(LLV_DEBUG, LOCATION, NULL,
			"sending vpn_control ike notify failed message - code=%d  from=%s.\n", notify_code,
					(from == FROM_LOCAL ? "local" : "remote"));

	LIST_FOREACH(sock_elem, &lcconf->vpnctl_comm_socks, chain) {
		LIST_FOREACH(bound_addr, &sock_elem->bound_addresses, chain) {
			if (bound_addr->address == 0xFFFFFFFF ||
				bound_addr->address == address) {
				tlen = send(sock_elem->sock, msg, len, 0);
				if (tlen < 0) {
					plog(LLV_ERROR, LOCATION, NULL,
						"unable to send vpn_control ike notify failed: %s\n", strerror(errno));
				}
				break;
			}
		}
	}
	return 0;
}


int
vpncontrol_notify_phase_change(int start, u_int16_t from, struct ph1handle *iph1, struct ph2handle *iph2)
{
	struct vpnctl_status_phase_change msg; 
	struct vpnctl_socket_elem *sock_elem;
	struct bound_addr *bound_addr;
	size_t tlen;	
	u_int32_t address;
		
	if (iph1) {
		if (iph1->remote->sa_family == AF_INET)
			address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr;
		else
			return 0;		// for now
		msg.hdr.msg_type = htons(start ? 
			(from == FROM_LOCAL ? VPNCTL_STATUS_PH1_START_US : VPNCTL_STATUS_PH1_START_PEER) 
			: VPNCTL_STATUS_PH1_ESTABLISHED);
	} else {
		if (iph2->dst->sa_family == AF_INET)
			address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr;
		else
			return 0;		// for now
		msg.hdr.msg_type = htons(start ? VPNCTL_STATUS_PH2_START : VPNCTL_STATUS_PH2_ESTABLISHED);
	}
	msg.hdr.flags = msg.hdr.cookie = msg.hdr.reserved = msg.hdr.result = 0;
	msg.hdr.len = htons(sizeof(struct vpnctl_status_phase_change) - sizeof(struct vpnctl_hdr));
	msg.address = address;

	LIST_FOREACH(sock_elem, &lcconf->vpnctl_comm_socks, chain) {
		LIST_FOREACH(bound_addr, &sock_elem->bound_addresses, chain) {
			if (bound_addr->address == 0xFFFFFFFF ||
				bound_addr->address == address) {
				tlen = send(sock_elem->sock, &msg, sizeof(struct vpnctl_status_phase_change), 0);
				if (tlen < 0) {
					plog(LLV_ERROR, LOCATION, NULL,
						"failed to send vpn_control phase change status: %s\n", strerror(errno));
				}
				break;
			}
		}
	}

	return 0;
}


int
vpncontrol_init()
{
	if (vpncontrolsock_path == NULL) {
		lcconf->sock_vpncontrol = -1;
		return 0;
	}

	memset(&sunaddr, 0, sizeof(sunaddr));
	sunaddr.sun_family = AF_UNIX;
	snprintf(sunaddr.sun_path, sizeof(sunaddr.sun_path),
		"%s", vpncontrolsock_path);

	lcconf->sock_vpncontrol = socket(AF_UNIX, SOCK_STREAM, 0);
	if (lcconf->sock_vpncontrol == -1) {
		plog(LLV_ERROR, LOCATION, NULL,
			"socket: %s\n", strerror(errno));
		return -1;
	}

	unlink(sunaddr.sun_path);
	if (bind(lcconf->sock_vpncontrol, (struct sockaddr *)&sunaddr,
			sizeof(sunaddr)) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"bind(sockname:%s): %s\n",
			sunaddr.sun_path, strerror(errno));
		(void)close(lcconf->sock_vpncontrol);
		return -1;
	}

	if (chown(sunaddr.sun_path, vpncontrolsock_owner, vpncontrolsock_group) != 0) {
		plog(LLV_ERROR, LOCATION, NULL, 
		    "chown(%s, %d, %d): %s\n", 
		    sunaddr.sun_path, vpncontrolsock_owner, 
		    vpncontrolsock_group, strerror(errno));
		(void)close(lcconf->sock_vpncontrol);
		return -1;
	}

	if (chmod(sunaddr.sun_path, vpncontrolsock_mode) != 0) {
		plog(LLV_ERROR, LOCATION, NULL, 
		    "chmod(%s, 0%03o): %s\n", 
		    sunaddr.sun_path, vpncontrolsock_mode, strerror(errno));
		(void)close(lcconf->sock_vpncontrol);
		return -1;
	}

	if (listen(lcconf->sock_vpncontrol, 5) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"listen(sockname:%s): %s\n",
			sunaddr.sun_path, strerror(errno));
		(void)close(lcconf->sock_vpncontrol);
		return -1;
	}
	plog(LLV_DEBUG, LOCATION, NULL,
		"opened %s as racoon management.\n", sunaddr.sun_path);

	return 0;
}


void
vpncontrol_close()
{
	struct vpnctl_socket_elem *elem;
	struct vpnctl_socket_elem *t_elem;
	
	if (lcconf->sock_vpncontrol != -1) {
		close(lcconf->sock_vpncontrol);
		lcconf->sock_vpncontrol = -1;
	}
	LIST_FOREACH_SAFE(elem, &lcconf->vpnctl_comm_socks, chain, t_elem)
		vpncontrol_close_comm(elem);
}

static void
vpncontrol_close_comm(struct vpnctl_socket_elem *elem)
{
	struct bound_addr *addr;
	struct bound_addr *t_addr;
	
	LIST_REMOVE(elem, chain);
	if (elem->sock != -1)	
		close(elem->sock);
	LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
		LIST_REMOVE(addr, chain);
		racoon_free(addr);
	}
	racoon_free(elem);
	check_auto_exit();
}

int
vpn_control_connected(void)
{
	if (LIST_EMPTY(&lcconf->vpnctl_comm_socks))
		return 0;
	else
		return 1;
}

#endif
Commit	Line	Data
52b7d2ce A	1	/* $Id: vpn_control.c,v 1.17.2.4 2005/07/12 11:49:44 manubsd Exp $ */
	2
	3	/*
	4	* Copyright (c) 2006 Apple Computer, Inc. All rights reserved.
	5	*
	6	* @APPLE_LICENSE_HEADER_START@
	7	*
	8	* The contents of this file constitute Original Code as defined in and
	9	* are subject to the Apple Public Source License Version 1.1 (the
	10	* "License"). You may not use this file except in compliance with the
	11	* License. Please obtain a copy of the License at
	12	* http://www.apple.com/publicsource and read it before using this file.
	13	*
	14	* This Original Code and all software distributed under the License are
	15	* distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	16	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	17	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	18	* FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
	19	* License for the specific language governing rights and limitations
	20	* under the License.
	21	*
	22	* @APPLE_LICENSE_HEADER_END@
	23	*/
	24
	25	/*
	26	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
	27	* All rights reserved.
	28	*
	29	* Redistribution and use in source and binary forms, with or without
	30	* modification, are permitted provided that the following conditions
	31	* are met:
	32	* 1. Redistributions of source code must retain the above copyright
	33	* notice, this list of conditions and the following disclaimer.
	34	* 2. Redistributions in binary form must reproduce the above copyright
	35	* notice, this list of conditions and the following disclaimer in the
	36	* documentation and/or other materials provided with the distribution.
	37	* 3. Neither the name of the project nor the names of its contributors
	38	* may be used to endorse or promote products derived from this software
	39	* without specific prior written permission.
	40	*
	41	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	51	* SUCH DAMAGE.
	52	*/
	53
	54	#include "config.h"
	55
	56	#include <sys/types.h>
	57	#include <sys/param.h>
	58	#include <sys/socket.h>
	59	#include <sys/signal.h>
	60	#include <sys/stat.h>
	61	#include <sys/un.h>
	62
	63	#include <System/net/pfkeyv2.h>
	64
65	#include <netinet/in.h>
66	#ifndef HAVE_NETINET6_IPSEC
67	#include <netinet/ipsec.h>
68	#else
69	#include <netinet6/ipsec.h>
70	#endif
71
72
73	#include <stdlib.h>
74	#include <stdio.h>
75	#include <string.h>
76	#include <errno.h>
77	#include <netdb.h>
78	#ifdef HAVE_UNISTD_H
79	#include <unistd.h>
80	#endif
81
82	#include "var.h"
83	#include "misc.h"
84	#include "vmbuf.h"
85	#include "plog.h"
86	#include "sockmisc.h"
87	#include "debug.h"
88
89	#include "schedule.h"
90	#include "localconf.h"
91	#include "remoteconf.h"
92	#include "grabmyaddr.h"
93	#include "isakmp_var.h"
94	#include "isakmp.h"
95	#include "oakley.h"
96	#include "handler.h"
97	#include "evt.h"
98	#include "pfkey.h"
99	#include "ipsec_doi.h"
100	#include "vpn_control.h"
101	#include "vpn_control_var.h"
102	#include "isakmp_inf.h"
103	#include "session.h"
104	#include "gcmalloc.h"
105
106	#ifdef ENABLE_VPNCONTROL_PORT
107	char *vpncontrolsock_path = VPNCONTROLSOCK_PATH;
108	uid_t vpncontrolsock_owner = 0;
109	gid_t vpncontrolsock_group = 0;
110	mode_t vpncontrolsock_mode = 0600;
111
112	static struct sockaddr_un sunaddr;
113	static int vpncontrol_process(struct vpnctl_socket_elem , char );
114	static int vpncontrol_reply(int, char *);
115	static void vpncontrol_close_comm(struct vpnctl_socket_elem *);
116
117	int
118	vpncontrol_handler()
119	{
120	struct sockaddr_storage from;
121	socklen_t fromlen = sizeof(from);
122
123	struct vpnctl_socket_elem *sock_elem;
124
125	sock_elem = racoon_malloc(sizeof(struct vpnctl_socket_elem));
126	if (sock_elem == NULL) {
127	plog(LLV_ERROR, LOCATION, NULL,
128	"memory error: %s\n", strerror(errno));
129	return -1;
130	}
131	LIST_INIT(&sock_elem->bound_addresses);
132
133	sock_elem->sock = accept(lcconf->sock_vpncontrol, (struct sockaddr *)&from, &fromlen);
134	if (sock_elem->sock < 0) {
135	plog(LLV_ERROR, LOCATION, NULL,
136	"failed to accept vpn_control command: %s\n", strerror(errno));
137	racoon_free(sock_elem);
138	return -1;
139	}
140	LIST_INSERT_HEAD(&lcconf->vpnctl_comm_socks, sock_elem, chain);
141	plog(LLV_NOTIFY, LOCATION, NULL,
142	"accepted connection on vpn control socket.\n");
143
144	check_auto_exit();
145
146	return 0;
147	}
148
149	int
150	vpncontrol_comm_handler(struct vpnctl_socket_elem *elem)
151	{
152	struct vpnctl_hdr hdr;
153	char *combuf = NULL;
154	int len;
155
156	/* get buffer length */
157	while ((len = recv(elem->sock, (char *)&hdr, sizeof(hdr), MSG_PEEK)) < 0) {
158	if (errno == EINTR)
159	continue;
160	plog(LLV_ERROR, LOCATION, NULL,
161	"failed to recv vpn_control command: %s\n", strerror(errno));
162	goto end;
163	}
164	if (len == 0) {
165	plog(LLV_NOTIFY, LOCATION, NULL,
166	"vpn_control socket closed by peer.\n");
167	vpncontrol_close_comm(elem);
168	return -1;
169	}
170
171	/* sanity check */
172	if (len < sizeof(hdr)) {
173	plog(LLV_ERROR, LOCATION, NULL,
174	"invalid header length of vpn_control command - len=%d - expected %d\n", len, sizeof(hdr));
175	goto end;
176	}
177
178	/* get buffer to receive */
179	if ((combuf = racoon_malloc(ntohs(hdr.len) + sizeof(hdr))) == 0) {
180	plog(LLV_ERROR, LOCATION, NULL,
181	"failed to alloc buffer for vpn_control command\n");
182	goto end;
183	}
184
185	/* get real data */
186	while ((len = recv(elem->sock, combuf, ntohs(hdr.len) + sizeof(hdr), 0)) < 0) {
187	if (errno == EINTR)
188	continue;
189	plog(LLV_ERROR, LOCATION, NULL,
190	"failed to recv vpn_control command: %s\n",
191	strerror(errno));
192	goto end;
193	}
194
195	(void)vpncontrol_process(elem, combuf);
196
197	end:
198	if (combuf)
199	racoon_free(combuf);
200	return 0; // return -1 only if a socket is closed
201	}
202
203	static int
204	vpncontrol_process(struct vpnctl_socket_elem elem, char combuf)
205	{
206	u_int16_t error = 0;
207	struct vpnctl_hdr hdr = (struct vpnctl_hdr )combuf;
208
209	switch (ntohs(hdr->msg_type)) {
210
211	case VPNCTL_CMD_BIND:
212	{
213	struct vpnctl_cmd_bind pkt = (struct vpnctl_cmd_bind )combuf;
214	struct bound_addr *addr;
215
216	plog(LLV_DEBUG, LOCATION, NULL,
217	"received bind command on vpn control socket.\n");
218	addr = racoon_malloc(sizeof(struct bound_addr));
219	if (addr == NULL) {
220	plog(LLV_ERROR, LOCATION, NULL,
221	"memory error: %s\n", strerror(errno));
222	error = -1;
223	break;
224	}
225	addr->address = pkt->address;
226	LIST_INSERT_HEAD(&elem->bound_addresses, addr, chain);
227	lcconf->auto_exit_state \|= LC_AUTOEXITSTATE_CLIENT; /* client side */
228	}
229	break;
230
231	case VPNCTL_CMD_UNBIND:
232	{
233	struct vpnctl_cmd_unbind pkt = (struct vpnctl_cmd_unbind )combuf;
234	struct bound_addr *addr;
235	struct bound_addr *t_addr;
236
237	plog(LLV_DEBUG, LOCATION, NULL,
238	"received unbind command on vpn control socket.\n");
239	LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
240	if (pkt->address == 0xFFFFFFFF \|\|
241	pkt->address == addr->address) {
242	LIST_REMOVE(addr, chain);
243	racoon_free(addr);
244	}
245	}
246	}
247	break;
248
249	case VPNCTL_CMD_REDIRECT:
250	{
251	struct vpnctl_cmd_redirect redirect_msg = (struct vpnctl_cmd_redirect )combuf;
252	struct redirect *raddr;
253	struct redirect *t_raddr;
254	int found = 0;
255
256	plog(LLV_DEBUG, LOCATION, NULL,
257	"received redirect command on vpn control socket - address = %x.\n", ntohl(redirect_msg->redirect_address));
258
259	LIST_FOREACH_SAFE(raddr, &lcconf->redirect_addresses, chain, t_raddr) {
260	if (raddr->cluster_address == redirect_msg->address) {
261	if (redirect_msg->redirect_address == 0) {
262	LIST_REMOVE(raddr, chain);
263	racoon_free(raddr);
264	} else {
265	raddr->redirect_address = redirect_msg->redirect_address;
266	raddr->force = ntohs(redirect_msg->force);
267	}
268	found = 1;
269	break;
270	}
271	}
272	if (!found) {
273	raddr = racoon_malloc(sizeof(struct redirect));
274	if (raddr == NULL) {
275	plog(LLV_DEBUG, LOCATION, NULL,
276	"cannot allcoate memory for redirect address.\n");
277	error = -1;
278	break;
279	}
280	raddr->cluster_address = redirect_msg->address;
281	raddr->redirect_address = redirect_msg->redirect_address;
282	raddr->force = ntohs(redirect_msg->force);
283	LIST_INSERT_HEAD(&lcconf->redirect_addresses, raddr, chain);
284
285	}
286	}
287	break;
288
289	case VPNCTL_CMD_PING:
290	break; // just reply for now
291
292	default:
293	plog(LLV_ERROR, LOCATION, NULL,
294	"invalid command: %d\n", ntohs(hdr->msg_type));
295	error = -1; // for now
296	break;
297	}
298
299	hdr->len = 0;
300	hdr->result = htons(error);
301	if (vpncontrol_reply(elem->sock, combuf) < 0)
302	return -1;
303
304	return 0;
305
306	}
307
308	static int
309	vpncontrol_reply(int so, char *combuf)
310	{
311	size_t tlen;
312
313	tlen = send(so, combuf, sizeof(struct vpnctl_hdr), 0);
314	if (tlen < 0) {
315	plog(LLV_ERROR, LOCATION, NULL,
316	"failed to send vpn_control message: %s\n", strerror(errno));
317	return -1;
318	}
319
320	return 0;
321	}
322
323	int
324	vpncontrol_notify_ike_failed(u_int16_t notify_code, u_int16_t from, u_int32_t address, u_int16_t data_len, u_int8_t *data)
325	{
326	struct vpnctl_status_failed *msg;
327	struct vpnctl_socket_elem *sock_elem;
328	struct bound_addr *bound_addr;
329	size_t tlen, len;
330
331	len = sizeof(struct vpnctl_status_failed) + data_len;
332
333	msg = (struct vpnctl_status_failed *)racoon_malloc(len);
334	if (msg == NULL) {
335	plog(LLV_DEBUG, LOCATION, NULL,
336	"unable to allcate memory for vpn control status message.\n");
337	return -1;
338	}
339
340	msg->hdr.msg_type = htons(VPNCTL_STATUS_IKE_FAILED);
341	msg->hdr.flags = msg->hdr.cookie = msg->hdr.reserved = msg->hdr.result = 0;
342	msg->hdr.len = htons(len - sizeof(struct vpnctl_hdr));
343	msg->address = address;
344	msg->ike_code = htons(notify_code);
345	msg->from = htons(from);
346	if (data_len > 0)
347	memcpy(msg->data, data, data_len);
348	plog(LLV_DEBUG, LOCATION, NULL,
349	"sending vpn_control ike notify failed message - code=%d from=%s.\n", notify_code,
350	(from == FROM_LOCAL ? "local" : "remote"));
351
352	LIST_FOREACH(sock_elem, &lcconf->vpnctl_comm_socks, chain) {
353	LIST_FOREACH(bound_addr, &sock_elem->bound_addresses, chain) {
354	if (bound_addr->address == 0xFFFFFFFF \|\|
355	bound_addr->address == address) {
356	tlen = send(sock_elem->sock, msg, len, 0);
357	if (tlen < 0) {
358	plog(LLV_ERROR, LOCATION, NULL,
359	"unable to send vpn_control ike notify failed: %s\n", strerror(errno));
360	}
361	break;
362	}
363	}
364	}
365	return 0;
366	}
367
368
369	int
370	vpncontrol_notify_phase_change(int start, u_int16_t from, struct ph1handle iph1, struct ph2handle iph2)
371	{
372	struct vpnctl_status_phase_change msg;
373	struct vpnctl_socket_elem *sock_elem;
374	struct bound_addr *bound_addr;
375	size_t tlen;
376	u_int32_t address;
377
378	if (iph1) {
379	if (iph1->remote->sa_family == AF_INET)
380	address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr;
381	else
382	return 0; // for now
383	msg.hdr.msg_type = htons(start ?
384	(from == FROM_LOCAL ? VPNCTL_STATUS_PH1_START_US : VPNCTL_STATUS_PH1_START_PEER)
385	: VPNCTL_STATUS_PH1_ESTABLISHED);
386	} else {
387	if (iph2->dst->sa_family == AF_INET)
388	address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr;
389	else
390	return 0; // for now
391	msg.hdr.msg_type = htons(start ? VPNCTL_STATUS_PH2_START : VPNCTL_STATUS_PH2_ESTABLISHED);
392	}
393	msg.hdr.flags = msg.hdr.cookie = msg.hdr.reserved = msg.hdr.result = 0;
394	msg.hdr.len = htons(sizeof(struct vpnctl_status_phase_change) - sizeof(struct vpnctl_hdr));
395	msg.address = address;
396
397	LIST_FOREACH(sock_elem, &lcconf->vpnctl_comm_socks, chain) {
398	LIST_FOREACH(bound_addr, &sock_elem->bound_addresses, chain) {
399	if (bound_addr->address == 0xFFFFFFFF \|\|
400	bound_addr->address == address) {
401	tlen = send(sock_elem->sock, &msg, sizeof(struct vpnctl_status_phase_change), 0);
402	if (tlen < 0) {
403	plog(LLV_ERROR, LOCATION, NULL,
404	"failed to send vpn_control phase change status: %s\n", strerror(errno));
405	}
406	break;
407	}
408	}
409	}
410
411	return 0;
412	}
413
414
415	int
416	vpncontrol_init()
417	{
418	if (vpncontrolsock_path == NULL) {
419	lcconf->sock_vpncontrol = -1;
420	return 0;
421	}
422
423	memset(&sunaddr, 0, sizeof(sunaddr));
424	sunaddr.sun_family = AF_UNIX;
425	snprintf(sunaddr.sun_path, sizeof(sunaddr.sun_path),
426	"%s", vpncontrolsock_path);
427
428	lcconf->sock_vpncontrol = socket(AF_UNIX, SOCK_STREAM, 0);
429	if (lcconf->sock_vpncontrol == -1) {
430	plog(LLV_ERROR, LOCATION, NULL,
431	"socket: %s\n", strerror(errno));
432	return -1;
433	}
434
435	unlink(sunaddr.sun_path);
436	if (bind(lcconf->sock_vpncontrol, (struct sockaddr *)&sunaddr,
437	sizeof(sunaddr)) != 0) {
438	plog(LLV_ERROR, LOCATION, NULL,
439	"bind(sockname:%s): %s\n",
440	sunaddr.sun_path, strerror(errno));
441	(void)close(lcconf->sock_vpncontrol);
442	return -1;
443	}
444
445	if (chown(sunaddr.sun_path, vpncontrolsock_owner, vpncontrolsock_group) != 0) {
446	plog(LLV_ERROR, LOCATION, NULL,
447	"chown(%s, %d, %d): %s\n",
448	sunaddr.sun_path, vpncontrolsock_owner,
449	vpncontrolsock_group, strerror(errno));
450	(void)close(lcconf->sock_vpncontrol);
451	return -1;
452	}
453
454	if (chmod(sunaddr.sun_path, vpncontrolsock_mode) != 0) {
455	plog(LLV_ERROR, LOCATION, NULL,
456	"chmod(%s, 0%03o): %s\n",
457	sunaddr.sun_path, vpncontrolsock_mode, strerror(errno));
458	(void)close(lcconf->sock_vpncontrol);
459	return -1;
460	}
461
462	if (listen(lcconf->sock_vpncontrol, 5) != 0) {
463	plog(LLV_ERROR, LOCATION, NULL,
464	"listen(sockname:%s): %s\n",
465	sunaddr.sun_path, strerror(errno));
466	(void)close(lcconf->sock_vpncontrol);
467	return -1;
468	}
469	plog(LLV_DEBUG, LOCATION, NULL,
470	"opened %s as racoon management.\n", sunaddr.sun_path);
471
472	return 0;
473	}
474
475
476	void
477	vpncontrol_close()
478	{
479	struct vpnctl_socket_elem *elem;
480	struct vpnctl_socket_elem *t_elem;
481
482	if (lcconf->sock_vpncontrol != -1) {
483	close(lcconf->sock_vpncontrol);
484	lcconf->sock_vpncontrol = -1;
485	}
486	LIST_FOREACH_SAFE(elem, &lcconf->vpnctl_comm_socks, chain, t_elem)
487	vpncontrol_close_comm(elem);
488	}
489
490	static void
491	vpncontrol_close_comm(struct vpnctl_socket_elem *elem)
492	{
493	struct bound_addr *addr;
494	struct bound_addr *t_addr;
495
496	LIST_REMOVE(elem, chain);
497	if (elem->sock != -1)
498	close(elem->sock);
499	LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
500	LIST_REMOVE(addr, chain);
501	racoon_free(addr);
502	}
503	racoon_free(elem);
504	check_auto_exit();
505	}
506
507	int
508	vpn_control_connected(void)
509	{
510	if (LIST_EMPTY(&lcconf->vpnctl_comm_socks))
511	return 0;
512	else
513	return 1;
514	}
515
516	#endif