]> git.saurik.com Git - apple/ipsec.git/blame - ipsec-tools/racoon/sockmisc.c
projects / apple / ipsec.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
ipsec-317.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / sockmisc.c
CommitLineData
52b7d2ce
A		 1/* $Id: sockmisc.c,v 1.17.4.4 2005/10/04 09:54:27 manubsd Exp $ */
2
3/*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32#include "config.h"
33
34#include <sys/types.h>
35#include <sys/param.h>
36#include <sys/socket.h>
37#include <sys/uio.h>
38
39#include <netinet/in.h>
40#ifndef HAVE_NETINET6_IPSEC
41#include <netinet/ipsec.h>
42#else
43#include <netinet6/ipsec.h>
44#endif
45
d1e348cf
A		 46#if defined(INET6) && !defined(INET6_ADVAPI) && \
47 defined(IP_RECVDSTADDR) && !defined(IPV6_RECVDSTADDR)
52b7d2ce
A		 48#define IPV6_RECVDSTADDR IP_RECVDSTADDR
49#endif
50
51#include <stdlib.h>
52#include <stdio.h>
53#include <string.h>
54#include <errno.h>
55#ifdef HAVE_UNISTD_H
56#include <unistd.h>
57#endif
85f41bec 58#include <fcntl.h>
52b7d2ce
A		 59
60#include "var.h"
61#include "misc.h"
62#include "plog.h"
63#include "sockmisc.h"
64#include "debug.h"
65#include "gcmalloc.h"
66#include "libpfkey.h"
67
68#ifndef IP_IPSEC_POLICY
69#define IP_IPSEC_POLICY 16 /* XXX: from linux/in.h */
70#endif
71
72#ifndef IPV6_IPSEC_POLICY
73#define IPV6_IPSEC_POLICY 34 /* XXX: from linux/???.h per
74 "Tom Lendacky" <toml@us.ibm.com> */
75#endif
76
77const int niflags = 0;
78
79/*
80 * compare two sockaddr without port number.
81 * OUT: 0: equal.
82 * 1: not equal.
83 */
84int
85cmpsaddrwop(addr1, addr2)
85f41bec
A		 86 const struct sockaddr_storage *addr1;
87 const struct sockaddr_storage *addr2;
52b7d2ce
A		 88{
89 caddr_t sa1, sa2;
90
91 if (addr1 == 0 && addr2 == 0)
92 return 0;
93 if (addr1 == 0 || addr2 == 0)
94 return 1;
95
85f41bec
A		 96 if (addr1->ss_len != addr2->ss_len
97 || addr1->ss_family != addr2->ss_family)
52b7d2ce 98 return 1;
85f41bec 99 switch (addr1->ss_family) {
52b7d2ce
A		 100 case AF_INET:
101 sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
102 sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
103 if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
104 return 1;
105 break;
106#ifdef INET6
107 case AF_INET6:
108 sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
109 sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
110 if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
111 return 1;
112 if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
113 ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
114 return 1;
115 break;
116#endif
117 default:
118 return 1;
119 }
120
121 return 0;
122}
123
85f41bec
A		 124/*
125 * compare two sockaddr without port number using prefix.
126 * OUT: 0: equal.
127 * 1: not equal.
128 */
129int
130cmpsaddrwop_withprefix(const struct sockaddr_storage *addr1, const struct sockaddr_storage *addr2, int prefix)
131{
132 u_int32_t mask;
133 int i;
134
135 if (addr1 == 0 && addr2 == 0)
136 return 0;
137 if (addr1 == 0 || addr2 == 0)
138 return 1;
139
140 if (addr1->ss_len != addr2->ss_len
141 || addr1->ss_family != addr2->ss_family)
142 return 1;
143 switch (addr1->ss_family) {
144 case AF_INET:
145 mask = ~0;
146 mask <<= 32-prefix;
147 if ((((struct sockaddr_in *)addr1)->sin_addr.s_addr & htonl(mask)) !=
148 (((struct sockaddr_in *)addr2)->sin_addr.s_addr & htonl(mask)))
149 return 1;
150 break;
151#ifdef INET6
152 case AF_INET6:
153 for (i = 0; i < 4; i++) {
154 if (prefix >= 32) {
155 mask = ~0;
156 prefix -= 32;
157 } else if (prefix == 0)
158 mask = 0;
159 else {
160 mask = ~0;
161 mask <<= 32-prefix;
162 prefix = 0;
163 }
164 if ((((struct sockaddr_in6 *)addr1)->sin6_addr.__u6_addr.__u6_addr32[i] & htonl(mask)) !=
165 (((struct sockaddr_in6 *)addr2)->sin6_addr.__u6_addr.__u6_addr32[i] & htonl(mask)))
166 return 1;
167 }
168 if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
169 ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
170 return 1;
171 break;
172#endif
173 default:
174 return 1;
175 }
176
177 return 0;
178}
179
180
52b7d2ce
A		 181/*
182 * compare two sockaddr with port, taking care wildcard.
183 * addr1 is a subject address, addr2 is in a database entry.
184 * OUT: 0: equal.
185 * 1: not equal.
186 */
187int
188cmpsaddrwild(addr1, addr2)
85f41bec
A		 189 const struct sockaddr_storage *addr1;
190 const struct sockaddr_storage *addr2;
52b7d2ce
A		 191{
192 caddr_t sa1, sa2;
193 u_short port1, port2;
194
195 if (addr1 == 0 && addr2 == 0)
196 return 0;
197 if (addr1 == 0 || addr2 == 0)
198 return 1;
199
85f41bec
A		 200 if (addr1->ss_len != addr2->ss_len
201 || addr1->ss_family != addr2->ss_family)
52b7d2ce
A		 202 return 1;
203
85f41bec 204 switch (addr1->ss_family) {
52b7d2ce
A		 205 case AF_INET:
206 sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
207 sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
208 port1 = ((struct sockaddr_in *)addr1)->sin_port;
209 port2 = ((struct sockaddr_in *)addr2)->sin_port;
210 if (!(port1 == IPSEC_PORT_ANY ||
211 port2 == IPSEC_PORT_ANY ||
212 port1 == port2))
213 return 1;
214 if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
215 return 1;
216 break;
217#ifdef INET6
218 case AF_INET6:
219 sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
220 sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
221 port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
222 port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
223 if (!(port1 == IPSEC_PORT_ANY ||
224 port2 == IPSEC_PORT_ANY ||
225 port1 == port2))
226 return 1;
227 if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
228 return 1;
229 if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
230 ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
231 return 1;
232 break;
233#endif
234 default:
235 return 1;
236 }
237
238 return 0;
239}
240
241/*
242 * compare two sockaddr with strict match on port.
243 * OUT: 0: equal.
244 * 1: not equal.
245 */
246int
65c25746 247cmpsaddrstrict(const struct sockaddr_storage *addr1, const struct sockaddr_storage *addr2)
52b7d2ce
A		 248{
249 caddr_t sa1, sa2;
250 u_short port1, port2;
251
252 if (addr1 == 0 && addr2 == 0)
253 return 0;
254 if (addr1 == 0 || addr2 == 0)
255 return 1;
256
85f41bec
A		 257 if (addr1->ss_len != addr2->ss_len
258 || addr1->ss_family != addr2->ss_family)
52b7d2ce
A		 259 return 1;
260
85f41bec 261 switch (addr1->ss_family) {
52b7d2ce
A		 262 case AF_INET:
263 sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
264 sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
265 port1 = ((struct sockaddr_in *)addr1)->sin_port;
266 port2 = ((struct sockaddr_in *)addr2)->sin_port;
267 if (port1 != port2)
268 return 1;
269 if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
270 return 1;
271 break;
272#ifdef INET6
273 case AF_INET6:
274 sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
275 sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
276 port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
277 port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
278 if (port1 != port2)
279 return 1;
280 if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
281 return 1;
282 if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
283 ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
284 return 1;
285 break;
286#endif
287 default:
288 return 1;
289 }
290
291 return 0;
292}
293
85f41bec
A		 294/*
295 * compare two sockaddr with strict match on port using prefix.
296 * OUT: 0: equal.
297 * 1: not equal.
298 */
299int
300cmpsaddrstrict_withprefix(const struct sockaddr_storage *addr1, const struct sockaddr_storage *addr2, int prefix)
301{
302 u_short port1, port2;
303 u_int32_t mask;
304 int i;
305
306 if (addr1 == 0 && addr2 == 0)
307 return 0;
308 if (addr1 == 0 || addr2 == 0)
309 return 1;
310
311 if (addr1->ss_len != addr2->ss_len
312 || addr1->ss_family != addr2->ss_family)
313 return 1;
314
315 switch (addr1->ss_family) {
316 case AF_INET:
317 port1 = ((struct sockaddr_in *)addr1)->sin_port;
318 port2 = ((struct sockaddr_in *)addr2)->sin_port;
319 if (port1 != port2)
320 return 1;
321 mask = ~0;
322 mask <<= 32-prefix;
323 if ((((struct sockaddr_in *)addr1)->sin_addr.s_addr & htonl(mask)) !=
324 (((struct sockaddr_in *)addr2)->sin_addr.s_addr & htonl(mask)))
325 return 1;
326 break;
327#ifdef INET6
328 case AF_INET6:
329 port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
330 port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
331 if (port1 != port2)
332 return 1;
333 for (i = 0; i < 4; i++) {
334 if (prefix >= 32) {
335 mask = ~0;
336 prefix -= 32;
337 } else if (prefix == 0)
338 mask = 0;
339 else {
340 mask = ~0;
341 mask <<= 32-prefix;
342 prefix = 0;
343 }
344 if ((((struct sockaddr_in6 *)addr1)->sin6_addr.__u6_addr.__u6_addr32[i] & htonl(mask)) !=
345 (((struct sockaddr_in6 *)addr2)->sin6_addr.__u6_addr.__u6_addr32[i] & htonl(mask)))
346 return 1;
347 }
348 if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
349 ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
350 return 1;
351 break;
352#endif
353 default:
354 return 1;
355 }
356
357 return 0;
358}
359
360
52b7d2ce 361/* get local address against the destination. */
85f41bec 362struct sockaddr_storage *
65c25746 363getlocaladdr(struct sockaddr *remote)
52b7d2ce 364{
85f41bec 365 struct sockaddr_storage *local;
d06a7ccb 366 u_int local_len = sizeof(struct sockaddr_storage);
52b7d2ce
A		 367 int s; /* for dummy connection */
368
369 /* allocate buffer */
370 if ((local = racoon_calloc(1, local_len)) == NULL) {
65c25746 371 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 372 "failed to get address buffer.\n");
373 goto err;
374 }
375
376 /* get real interface received packet */
377 if ((s = socket(remote->sa_family, SOCK_DGRAM, 0)) < 0) {
65c25746 378 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 379 "socket (%s)\n", strerror(errno));
380 goto err;
381 }
382
85f41bec 383 if (fcntl(s, F_SETFL, O_NONBLOCK) == -1) {
65c25746 384 plog(ASL_LEVEL_ERR, "failed to put localaddr socket in non-blocking mode\n");
85f41bec 385 }
65c25746 386
52b7d2ce
A		 387 setsockopt_bypass(s, remote->sa_family);
388
389 if (connect(s, remote, sysdep_sa_len(remote)) < 0) {
65c25746 390 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 391 "connect (%s)\n", strerror(errno));
392 close(s);
393 goto err;
394 }
395
85f41bec 396 if (getsockname(s, (struct sockaddr *)local, &local_len) < 0) {
65c25746 397 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 398 "getsockname (%s)\n", strerror(errno));
399 close(s);
400 return NULL;
401 }
402
403 close(s);
404 return local;
405
406 err:
407 if (local != NULL)
408 racoon_free(local);
409 return NULL;
410}
411
412/*
413 * Receive packet, with src/dst information. It is assumed that necessary
414 * setsockopt() have already performed on socket.
415 */
416int
65c25746
A		 417recvfromto(int s,
418 void *buf,
419 size_t buflen,
420 int flags,
421 struct sockaddr_storage *from,
422 socklen_t *fromlen,
423 struct sockaddr_storage *to,
424 u_int *tolen)
52b7d2ce
A		 425{
426 int otolen;
85f41bec 427 ssize_t len;
52b7d2ce
A		 428 struct sockaddr_storage ss;
429 struct msghdr m;
d1e348cf 430 struct cmsghdr *cm, *cm_prev;
52b7d2ce 431 struct iovec iov[2];
85f41bec 432 u_int32_t cmsgbuf[256/sizeof(u_int32_t)]; // Wcast-align fix - force 32 bit alignment
52b7d2ce
A		 433#if defined(INET6) && defined(INET6_ADVAPI)
434 struct in6_pktinfo *pi;
435#endif /*INET6_ADVAPI*/
436 struct sockaddr_in *sin;
437#ifdef INET6
438 struct sockaddr_in6 *sin6;
439#endif
440
441 len = sizeof(ss);
65c25746
A		 442 if (getsockname(s, (struct sockaddr *)&ss, (socklen_t*)&len) < 0) {
443 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 444 "getsockname (%s)\n", strerror(errno));
445 return -1;
446 }
447
448 m.msg_name = (caddr_t)from;
449 m.msg_namelen = *fromlen;
450 iov[0].iov_base = (caddr_t)buf;
451 iov[0].iov_len = buflen;
452 m.msg_iov = iov;
453 m.msg_iovlen = 1;
454 memset(cmsgbuf, 0, sizeof(cmsgbuf));
455 cm = (struct cmsghdr *)cmsgbuf;
456 m.msg_control = (caddr_t)cm;
457 m.msg_controllen = sizeof(cmsgbuf);
7ebaebe2 458 m.msg_flags = 0;
85f41bec
A		 459 while ((len = recvmsg(s, &m, flags)) < 0) {
460 if (errno == EINTR)
461 continue;
65c25746 462 plog(ASL_LEVEL_ERR, "recvmsg (%s)\n", strerror(errno));
52b7d2ce 463 return -1;
85f41bec
A		 464 }
465 if (len == 0) {
466 return 0;
52b7d2ce
A		 467 }
468 *fromlen = m.msg_namelen;
469
470 otolen = *tolen;
471 *tolen = 0;
d1e348cf
A		 472 for (cm = (struct cmsghdr *)CMSG_FIRSTHDR(&m), cm_prev = NULL;
473 m.msg_controllen != 0 && cm && cm != cm_prev;
474 cm_prev = cm, cm = (struct cmsghdr *)CMSG_NXTHDR(&m, cm)) {
52b7d2ce 475#if 0
65c25746 476 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 477 "cmsg %d %d\n", cm->cmsg_level, cm->cmsg_type);)
478#endif
479#if defined(INET6) && defined(INET6_ADVAPI)
480 if (ss.ss_family == AF_INET6
481 && cm->cmsg_level == IPPROTO_IPV6
482 && cm->cmsg_type == IPV6_PKTINFO
483 && otolen >= sizeof(*sin6)) {
85f41bec 484 pi = ALIGNED_CAST(struct in6_pktinfo *)(CMSG_DATA(cm));
52b7d2ce
A		 485 *tolen = sizeof(*sin6);
486 sin6 = (struct sockaddr_in6 *)to;
487 memset(sin6, 0, sizeof(*sin6));
488 sin6->sin6_family = AF_INET6;
52b7d2ce 489 sin6->sin6_len = sizeof(*sin6);
52b7d2ce
A		 490 memcpy(&sin6->sin6_addr, &pi->ipi6_addr,
491 sizeof(sin6->sin6_addr));
492 /* XXX other cases, such as site-local? */
493 if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
494 sin6->sin6_scope_id = pi->ipi6_ifindex;
495 else
496 sin6->sin6_scope_id = 0;
497 sin6->sin6_port =
498 ((struct sockaddr_in6 *)&ss)->sin6_port;
499 otolen = -1; /* "to" already set */
500 continue;
501 }
502#endif
52b7d2ce
A		 503#if defined(INET6) && defined(IPV6_RECVDSTADDR)
504 if (ss.ss_family == AF_INET6
505 && cm->cmsg_level == IPPROTO_IPV6
506 && cm->cmsg_type == IPV6_RECVDSTADDR
507 && otolen >= sizeof(*sin6)) {
508 *tolen = sizeof(*sin6);
509 sin6 = (struct sockaddr_in6 *)to;
510 memset(sin6, 0, sizeof(*sin6));
511 sin6->sin6_family = AF_INET6;
512 sin6->sin6_len = sizeof(*sin6);
513 memcpy(&sin6->sin6_addr, CMSG_DATA(cm),
514 sizeof(sin6->sin6_addr));
515 sin6->sin6_port =
516 ((struct sockaddr_in6 *)&ss)->sin6_port;
517 otolen = -1; /* "to" already set */
518 continue;
519 }
520#endif
52b7d2ce
A		 521 if (ss.ss_family == AF_INET
522 && cm->cmsg_level == IPPROTO_IP
523 && cm->cmsg_type == IP_RECVDSTADDR
524 && otolen >= sizeof(*sin)) {
525 *tolen = sizeof(*sin);
526 sin = (struct sockaddr_in *)to;
527 memset(sin, 0, sizeof(*sin));
528 sin->sin_family = AF_INET;
529 sin->sin_len = sizeof(*sin);
530 memcpy(&sin->sin_addr, CMSG_DATA(cm),
531 sizeof(sin->sin_addr));
532 sin->sin_port = ((struct sockaddr_in *)&ss)->sin_port;
533 otolen = -1; /* "to" already set */
534 continue;
535 }
52b7d2ce 536 }
65c25746 537 plogdump(ASL_LEVEL_DEBUG, buf, buflen, "@@@@@@ data from readmsg:\n");
52b7d2ce
A		 538 return len;
539}
540
541/* send packet, with fixing src/dst address pair. */
542int
543sendfromto(s, buf, buflen, src, dst, cnt)
544 int s, cnt;
545 const void *buf;
546 size_t buflen;
85f41bec
A		 547 struct sockaddr_storage *src;
548 struct sockaddr_storage *dst;
52b7d2ce
A		 549{
550 struct sockaddr_storage ss;
e8d9021d 551 int len;
52b7d2ce
A		 552 int i;
553
85f41bec 554 if (src->ss_family != dst->ss_family) {
65c25746 555 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 556 "address family mismatch\n");
557 return -1;
558 }
559
560 len = sizeof(ss);
65c25746
A		 561 if (getsockname(s, (struct sockaddr *)&ss, (socklen_t*)&len) < 0) {
562 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 563 "getsockname (%s)\n", strerror(errno));
564 return -1;
565 }
566
65c25746 567 plog(ASL_LEVEL_DEBUG,
52b7d2ce 568 "sockname %s\n", saddr2str((struct sockaddr *)&ss));
65c25746 569 plog(ASL_LEVEL_DEBUG,
85f41bec 570 "send packet from %s\n", saddr2str((struct sockaddr *)src));
65c25746 571 plog(ASL_LEVEL_DEBUG,
85f41bec 572 "send packet to %s\n", saddr2str((struct sockaddr *)dst));
52b7d2ce 573
85f41bec 574 if (src->ss_family != ss.ss_family) {
65c25746 575 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 576 "address family mismatch\n");
577 return -1;
578 }
579
85f41bec 580 switch (src->ss_family) {
52b7d2ce 581#if defined(INET6) && defined(INET6_ADVAPI)
52b7d2ce
A		 582 case AF_INET6:
583 {
584 struct msghdr m;
585 struct cmsghdr *cm;
586 struct iovec iov[2];
85f41bec 587 u_int32_t cmsgbuf[256/sizeof(u_int32_t)]; // Wcast-align fix - force 32 bit alignment
52b7d2ce
A		 588 struct in6_pktinfo *pi;
589 int ifindex;
590 struct sockaddr_in6 src6, dst6;
591
592 memcpy(&src6, src, sizeof(src6));
593 memcpy(&dst6, dst, sizeof(dst6));
594
595 /* XXX take care of other cases, such as site-local */
596 ifindex = 0;
597 if (IN6_IS_ADDR_LINKLOCAL(&src6.sin6_addr)
598 || IN6_IS_ADDR_MULTICAST(&src6.sin6_addr)) {
599 ifindex = src6.sin6_scope_id; /*???*/
600 }
601
602 /* XXX some sanity check on dst6.sin6_scope_id */
603
604 /* flowinfo for IKE? mmm, maybe useful but for now make it 0 */
605 src6.sin6_flowinfo = dst6.sin6_flowinfo = 0;
606
607 memset(&m, 0, sizeof(m));
608 m.msg_name = (caddr_t)&dst6;
609 m.msg_namelen = sizeof(dst6);
610 iov[0].iov_base = (char *)buf;
611 iov[0].iov_len = buflen;
612 m.msg_iov = iov;
613 m.msg_iovlen = 1;
614
615 memset(cmsgbuf, 0, sizeof(cmsgbuf));
616 cm = (struct cmsghdr *)cmsgbuf;
617 m.msg_control = (caddr_t)cm;
618 m.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo));
619
620 cm->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
621 cm->cmsg_level = IPPROTO_IPV6;
622 cm->cmsg_type = IPV6_PKTINFO;
85f41bec 623 pi = ALIGNED_CAST(struct in6_pktinfo *)CMSG_DATA(cm);
52b7d2ce
A		 624 memcpy(&pi->ipi6_addr, &src6.sin6_addr, sizeof(src6.sin6_addr));
625 pi->ipi6_ifindex = ifindex;
626
65c25746 627 plog(ASL_LEVEL_DEBUG,
52b7d2ce
A		 628 "src6 %s %d\n",
629 saddr2str((struct sockaddr *)&src6),
630 src6.sin6_scope_id);
65c25746 631 plog(ASL_LEVEL_DEBUG,
52b7d2ce
A		 632 "dst6 %s %d\n",
633 saddr2str((struct sockaddr *)&dst6),
634 dst6.sin6_scope_id);
65c25746 635
52b7d2ce
A		 636 for (i = 0; i < cnt; i++) {
637 len = sendmsg(s, &m, 0 /*MSG_DONTROUTE*/);
638 if (len < 0) {
65c25746 639 plog(ASL_LEVEL_ERR,
52b7d2ce 640 "sendmsg (%s)\n", strerror(errno));
e8d9021d
A		 641 if (errno != EHOSTUNREACH && errno != ENETDOWN && errno != ENETUNREACH) {
642 return -1;
643 }
644 // <rdar://problem/6609744> treat these failures like
645 // packet loss, in case the network interface is flaky
646 len = 0;
52b7d2ce 647 }
65c25746 648 plog(ASL_LEVEL_DEBUG,
52b7d2ce
A		 649 "%d times of %d bytes message will be sent "
650 "to %s\n",
85f41bec 651 i + 1, len, saddr2str((struct sockaddr *)dst));
52b7d2ce 652 }
52b7d2ce
A		 653
654 return len;
655 }
656#endif
52b7d2ce
A		 657 default:
658 {
659 int needclose = 0;
660 int sendsock;
661
85f41bec 662 if (ss.ss_family == src->ss_family && memcmp(&ss, src, sysdep_sa_len((struct sockaddr *)src)) == 0) {
52b7d2ce
A		 663 sendsock = s;
664 needclose = 0;
665 } else {
666 int yes = 1;
667 /*
668 * Use newly opened socket for sending packets.
669 * NOTE: this is unsafe, because if the peer is quick enough
670 * the packet from the peer may be queued into sendsock.
671 * Better approach is to prepare bind'ed udp sockets for
672 * each of the interface addresses.
673 */
85f41bec 674 sendsock = socket(src->ss_family, SOCK_DGRAM, 0);
52b7d2ce 675 if (sendsock < 0) {
65c25746 676 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 677 "socket (%s)\n", strerror(errno));
678 return -1;
679 }
85f41bec 680 if (fcntl(sendsock, F_SETFL, O_NONBLOCK) == -1) {
65c25746 681 plog(ASL_LEVEL_ERR, "failed to put sendsock socket in non-blocking mode\n");
85f41bec 682 }
52b7d2ce 683 if (setsockopt(sendsock, SOL_SOCKET,
52b7d2ce 684 SO_REUSEPORT,
52b7d2ce 685 (void *)&yes, sizeof(yes)) < 0) {
65c25746 686 plog(ASL_LEVEL_ERR,
d1e348cf
A		 687 "setsockopt SO_REUSEPORT (%s)\n",
688 strerror(errno));
52b7d2ce
A		 689 close(sendsock);
690 return -1;
691 }
692#ifdef IPV6_USE_MIN_MTU
85f41bec 693 if (src->ss_family == AF_INET6 &&
52b7d2ce
A		 694 setsockopt(sendsock, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
695 (void *)&yes, sizeof(yes)) < 0) {
65c25746 696 plog(ASL_LEVEL_ERR,
d1e348cf
A		 697 "setsockopt IPV6_USE_MIN_MTU (%s)\n",
698 strerror(errno));
52b7d2ce
A		 699 close(sendsock);
700 return -1;
701 }
702#endif
85f41bec 703 if (setsockopt_bypass(sendsock, src->ss_family) < 0) {
52b7d2ce
A		 704 close(sendsock);
705 return -1;
706 }
707
85f41bec 708 if (bind(sendsock, (struct sockaddr *)src, sysdep_sa_len((struct sockaddr *)src)) < 0) {
65c25746 709 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 710 "bind 1 (%s)\n", strerror(errno));
711 close(sendsock);
712 return -1;
713 }
714 needclose = 1;
715 }
65c25746
A		 716
717 plogdump(ASL_LEVEL_DEBUG, (void*)buf, buflen, "@@@@@@ data being sent:\n");
718
719 for (i = 0; i < cnt; i++) {
85f41bec 720 len = sendto(sendsock, buf, buflen, 0, (struct sockaddr *)dst, sysdep_sa_len((struct sockaddr *)dst));
52b7d2ce 721 if (len < 0) {
65c25746 722 plog(ASL_LEVEL_ERR,
52b7d2ce 723 "sendto (%s)\n", strerror(errno));
e8d9021d
A		 724 if (errno != EHOSTUNREACH && errno != ENETDOWN && errno != ENETUNREACH) {
725 if (needclose)
726 close(sendsock);
727 return -1;
728 }
65c25746 729 plog(ASL_LEVEL_ERR,
e8d9021d
A		 730 "treating socket error (%s) like packet loss\n", strerror(errno));
731 // else treat these failures like a packet loss
732 len = 0;
52b7d2ce 733 }
65c25746 734 plog(ASL_LEVEL_DEBUG,
52b7d2ce
A		 735 "%d times of %d bytes message will be sent "
736 "to %s\n",
85f41bec 737 i + 1, len, saddr2str((struct sockaddr *)dst));
52b7d2ce 738 }
65c25746 739 //plog(ASL_LEVEL_DEBUG, "sent %d bytes", buflen);
52b7d2ce
A		 740
741 if (needclose)
742 close(sendsock);
743
744 return len;
745 }
746 }
747}
748
749int
65c25746 750setsockopt_bypass(int so, int family)
52b7d2ce
A		 751{
752 int level;
753 char *buf;
754 char *policy;
755
756 switch (family) {
757 case AF_INET:
758 level = IPPROTO_IP;
759 break;
760#ifdef INET6
761 case AF_INET6:
762 level = IPPROTO_IPV6;
763 break;
764#endif
765 default:
65c25746 766 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 767 "unsupported address family %d\n", family);
768 return -1;
769 }
770
771 policy = "in bypass";
772 buf = ipsec_set_policy(policy, strlen(policy));
773 if (buf == NULL) {
65c25746 774 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 775 "ipsec_set_policy (%s)\n",
776 ipsec_strerror());
777 return -1;
778 }
779 if (setsockopt(so, level,
780 (level == IPPROTO_IP ?
781 IP_IPSEC_POLICY : IPV6_IPSEC_POLICY),
782 buf, ipsec_get_policylen(buf)) < 0) {
65c25746 783 plog(ASL_LEVEL_ERR,
d1e348cf 784 "setsockopt IP_IPSEC_POLICY (%s)\n",
52b7d2ce
A		 785 strerror(errno));
786 return -1;
787 }
788 racoon_free(buf);
789
790 policy = "out bypass";
791 buf = ipsec_set_policy(policy, strlen(policy));
792 if (buf == NULL) {
65c25746 793 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 794 "ipsec_set_policy (%s)\n",
795 ipsec_strerror());
796 return -1;
797 }
798 if (setsockopt(so, level,
799 (level == IPPROTO_IP ?
800 IP_IPSEC_POLICY : IPV6_IPSEC_POLICY),
801 buf, ipsec_get_policylen(buf)) < 0) {
65c25746 802 plog(ASL_LEVEL_ERR,
d1e348cf 803 "setsockopt IP_IPSEC_POLICY (%s)\n",
52b7d2ce
A		 804 strerror(errno));
805 return -1;
806 }
807 racoon_free(buf);
808
809 return 0;
810}
811
85f41bec 812struct sockaddr_storage *
65c25746 813newsaddr(int len)
52b7d2ce 814{
85f41bec 815 struct sockaddr_storage *new;
52b7d2ce 816
65c25746
A		 817 if ((new = racoon_calloc(1, sizeof(*new))) == NULL) {
818 plog(ASL_LEVEL_ERR,
52b7d2ce 819 "%s\n", strerror(errno));
d1e348cf
A		 820 goto out;
821 }
52b7d2ce 822 /* initial */
85f41bec 823 new->ss_len = len;
d1e348cf 824out:
52b7d2ce
A		 825 return new;
826}
827
85f41bec 828struct sockaddr_storage *
65c25746 829dupsaddr(struct sockaddr_storage *addr)
52b7d2ce 830{
65c25746 831 struct sockaddr_storage *new;
52b7d2ce 832
65c25746
A		 833 new = racoon_calloc(1, sizeof(*new));
834 if (new == NULL) {
835 plog(ASL_LEVEL_ERR, "%s\n", strerror(errno));
52b7d2ce
A		 836 return NULL;
837 }
838
65c25746
A		 839 memcpy(new, addr, addr->ss_len);
840
841 return new;
52b7d2ce
A		 842}
843
844char *
65c25746 845saddr2str(const struct sockaddr *saddr)
52b7d2ce
A		 846{
847 static char buf[NI_MAXHOST + NI_MAXSERV + 10];
848 char addr[NI_MAXHOST], port[NI_MAXSERV];
849
e8d9021d
A		 850 if (saddr == NULL) {
851 buf[0] = '\0';
852 return buf;
853 }
52b7d2ce
A		 854
855 if (saddr->sa_family == AF_UNSPEC)
856 snprintf (buf, sizeof(buf), "%s", "anonymous");
857 else {
858 GETNAMEINFO(saddr, addr, port);
859 snprintf(buf, sizeof(buf), "%s[%s]", addr, port);
860 }
861
862 return buf;
863}
864
85f41bec 865char *
65c25746 866saddr2str_with_prefix(const struct sockaddr *saddr, int prefix)
85f41bec
A		 867{
868 static char buf[NI_MAXHOST + NI_MAXSERV + 10];
869 char addr[NI_MAXHOST], port[NI_MAXSERV];
870
871 if (saddr == NULL) {
872 buf[0] = '\0';
873 return buf;
874 }
875
876 if (saddr->sa_family == AF_UNSPEC)
877 snprintf (buf, sizeof(buf), "%s", "anonymous");
878 else {
879 GETNAMEINFO(saddr, addr, port);
880 snprintf(buf, sizeof(buf), "%s/%d[%s]", addr, prefix, port);
881 }
882
883 return buf;
884}
885
886
52b7d2ce 887char *
65c25746 888saddrwop2str(const struct sockaddr *saddr)
52b7d2ce
A		 889{
890 static char buf[NI_MAXHOST + NI_MAXSERV + 10];
891 char addr[NI_MAXHOST];
892
e8d9021d
A		 893 if (saddr == NULL) {
894 buf[0] = '\0';
895 return buf;
896 }
897
52b7d2ce
A		 898 GETNAMEINFO_NULL(saddr, addr);
899 snprintf(buf, sizeof(buf), "%s", addr);
900
901 return buf;
902}
903
904char *
905naddrwop2str(const struct netaddr *naddr)
906{
907 static char buf[NI_MAXHOST + 10];
908 static const struct sockaddr sa_any; /* this is initialized to all zeros */
909
e8d9021d
A		 910 if (naddr == NULL) {
911 buf[0] = '\0';
912 return buf;
913 }
914
52b7d2ce
A		 915 if (memcmp(&naddr->sa, &sa_any, sizeof(sa_any)) == 0)
916 snprintf(buf, sizeof(buf), "%s", "any");
917 else {
85f41bec 918 snprintf(buf, sizeof(buf), "%s", saddrwop2str((struct sockaddr *)&naddr->sa.sa));
52b7d2ce
A		 919 snprintf(&buf[strlen(buf)], sizeof(buf) - strlen(buf), "/%ld", naddr->prefix);
920 }
921 return buf;
922}
923
924char *
925naddrwop2str_fromto(const char *format, const struct netaddr *saddr,
926 const struct netaddr *daddr)
927{
928 static char buf[2*(NI_MAXHOST + NI_MAXSERV + 10) + 100];
929 char *src, *dst;
930
d1e348cf
A		 931 src = racoon_strdup(naddrwop2str(saddr));
932 dst = racoon_strdup(naddrwop2str(daddr));
933 STRDUP_FATAL(src);
934 STRDUP_FATAL(dst);
52b7d2ce
A		 935 /* WARNING: Be careful about the format string! Don't
936 ever pass in something that a user can modify!!! */
937 snprintf (buf, sizeof(buf), format, src, dst);
938 racoon_free (src);
939 racoon_free (dst);
940
941 return buf;
942}
943
944char *
945saddr2str_fromto(format, saddr, daddr)
946 const char *format;
947 const struct sockaddr *saddr;
948 const struct sockaddr *daddr;
949{
950 static char buf[2*(NI_MAXHOST + NI_MAXSERV + 10) + 100];
951 char *src, *dst;
952
e8d9021d
A		 953 if (saddr) {
954 src = racoon_strdup(saddr2str(saddr));
955 STRDUP_FATAL(src);
956 } else {
957 src = NULL;
958 }
959 if (daddr) {
960 dst = racoon_strdup(saddr2str(daddr));
961 STRDUP_FATAL(dst);
962 } else {
963 dst = NULL;
964 }
52b7d2ce
A		 965 /* WARNING: Be careful about the format string! Don't
966 ever pass in something that a user can modify!!! */
e8d9021d
A		 967 snprintf (buf, sizeof(buf), format, src? src:"[null]", dst? dst:"[null]");
968 if (src) {
969 racoon_free (src);
970 }
971 if (dst) {
972 racoon_free (dst);
973 }
52b7d2ce
A		 974
975 return buf;
976}
977
85f41bec 978struct sockaddr_storage *
65c25746 979str2saddr(char *host, char *port)
52b7d2ce
A		 980{
981 struct addrinfo hints, *res;
85f41bec 982 struct sockaddr_storage *saddr;
52b7d2ce
A		 983 int error;
984
985 memset(&hints, 0, sizeof(hints));
986 hints.ai_family = PF_UNSPEC;
987 hints.ai_socktype = SOCK_DGRAM;
988 hints.ai_flags = AI_NUMERICHOST;
989 error = getaddrinfo(host, port, &hints, &res);
990 if (error != 0) {
65c25746 991 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 992 "getaddrinfo(%s%s%s): %s\n",
993 host, port ? "," : "", port ? port : "",
994 gai_strerror(error));
995 return NULL;
996 }
997 if (res->ai_next != NULL) {
65c25746 998 plog(ASL_LEVEL_WARNING,
52b7d2ce
A		 999 "getaddrinfo(%s%s%s): "
1000 "resolved to multiple address, "
1001 "taking the first one\n",
1002 host, port ? "," : "", port ? port : "");
1003 }
85f41bec 1004 saddr = newsaddr(sizeof(*saddr));
52b7d2ce 1005 if (saddr == NULL) {
65c25746 1006 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1007 "failed to allocate buffer.\n");
1008 freeaddrinfo(res);
1009 return NULL;
1010 }
1011 memcpy(saddr, res->ai_addr, res->ai_addrlen);
1012 freeaddrinfo(res);
1013
1014 return saddr;
1015}
1016
1017void
1018mask_sockaddr(a, b, l)
85f41bec
A		 1019 struct sockaddr_storage *a;
1020 const struct sockaddr_storage *b;
52b7d2ce
A		 1021 size_t l;
1022{
1023 size_t i;
1024 u_int8_t *p, alen;
1025
85f41bec 1026 switch (b->ss_family) {
52b7d2ce
A		 1027 case AF_INET:
1028 alen = sizeof(struct in_addr);
1029 p = (u_int8_t *)&((struct sockaddr_in *)a)->sin_addr;
1030 break;
1031#ifdef INET6
1032 case AF_INET6:
1033 alen = sizeof(struct in6_addr);
1034 p = (u_int8_t *)&((struct sockaddr_in6 *)a)->sin6_addr;
1035 break;
1036#endif
1037 default:
65c25746 1038 plog(ASL_LEVEL_ERR,
85f41bec 1039 "invalid address family: %d\n", b->ss_family);
52b7d2ce
A		 1040 exit(1);
1041 }
1042
1043 if ((alen << 3) < l) {
65c25746 1044 plog(ASL_LEVEL_ERR,
85f41bec 1045 "unexpected inconsistency: %d %zu\n", b->ss_family, l);
52b7d2ce
A		 1046 exit(1);
1047 }
1048
85f41bec 1049 memcpy(a, b, sysdep_sa_len((struct sockaddr *)b));
52b7d2ce
A		 1050 p[l / 8] &= (0xff00 >> (l % 8)) & 0xff;
1051 for (i = l / 8 + 1; i < alen; i++)
1052 p[i] = 0x00;
1053}
1054
1055/* Compute a score describing how "accurate" a netaddr is for a given sockaddr.
1056 * Examples:
1057 * Return values for address 10.20.30.40 [port 500] and given netaddresses...
1058 * 10.10.0.0/16 => -1 ... doesn't match
1059 * 0.0.0.0/0 => 0 ... matches, but only 0 bits.
1060 * 10.20.0.0/16 => 16 ... 16 bits match
1061 * 10.20.30.0/24 => 24 ... guess what ;-)
1062 * 10.20.30.40/32 => 32 ... whole address match
1063 * 10.20.30.40:500 => 33 ... both address and port match
1064 * 10.20.30.40:501 => -1 ... port doesn't match and isn't 0 (=any)
1065 */
1066int
85f41bec 1067naddr_score(const struct netaddr *naddr, const struct sockaddr_storage *saddr)
52b7d2ce
A		 1068{
1069 static const struct netaddr naddr_any; /* initialized to all-zeros */
85f41bec 1070 struct sockaddr_storage sa;
d1e348cf 1071 u_int16_t naddr_port, saddr_port;
52b7d2ce
A		 1072 int port_score;
1073
1074 if (!naddr || !saddr) {
65c25746 1075 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1076 "Call with null args: naddr=%p, saddr=%p\n",
1077 naddr, saddr);
1078 return -1;
1079 }
1080
1081 /* Wildcard address matches, but only 0 bits. */
1082 if (memcmp(naddr, &naddr_any, sizeof(naddr_any)) == 0)
1083 return 0;
1084
1085 /* If families don't match we really can't do much... */
85f41bec 1086 if (naddr->sa.sa.ss_family != saddr->ss_family)
52b7d2ce
A		 1087 return -1;
1088
1089 /* If port check fail don't bother to check addresses. */
1090 naddr_port = extract_port(&naddr->sa.sa);
1091 saddr_port = extract_port(saddr);
1092 if (naddr_port == 0 || saddr_port == 0) /* wildcard match */
1093 port_score = 0;
1094 else if (naddr_port == saddr_port) /* exact match */
1095 port_score = 1;
1096 else /* mismatch :-) */
1097 return -1;
1098
1099 /* Here it comes - compare network addresses. */
1100 mask_sockaddr(&sa, saddr, naddr->prefix);
65c25746 1101 if (loglevel >= ASL_LEVEL_DEBUG) { /* debug only */
52b7d2ce 1102 char *a1, *a2, *a3;
d1e348cf 1103 a1 = racoon_strdup(naddrwop2str(naddr));
85f41bec
A		 1104 a2 = racoon_strdup(saddrwop2str((struct sockaddr *)saddr));
1105 a3 = racoon_strdup(saddrwop2str((struct sockaddr *)&sa));
d1e348cf
A		 1106 STRDUP_FATAL(a1);
1107 STRDUP_FATAL(a2);
1108 STRDUP_FATAL(a3);
65c25746 1109 plog(ASL_LEVEL_DEBUG,
52b7d2ce
A		 1110 "naddr=%s, saddr=%s (masked=%s)\n",
1111 a1, a2, a3);
1112 free(a1);
1113 free(a2);
1114 free(a3);
1115 }
1116 if (cmpsaddrwop(&sa, &naddr->sa.sa) == 0)
1117 return naddr->prefix + port_score;
1118
1119 return -1;
1120}
1121
65c25746 1122/* Some useful functions for sockaddr_storage port manipulations. */
52b7d2ce 1123u_int16_t
85f41bec 1124extract_port (const struct sockaddr_storage *addr)
52b7d2ce
A		 1125{
1126 u_int16_t port = -1;
1127
1128 if (!addr)
1129 return port;
1130
85f41bec 1131 switch (addr->ss_family) {
52b7d2ce
A		 1132 case AF_INET:
1133 port = ((struct sockaddr_in *)addr)->sin_port;
1134 break;
1135 case AF_INET6:
1136 port = ((struct sockaddr_in6 *)addr)->sin6_port;
1137 break;
1138 default:
65c25746 1139 plog(ASL_LEVEL_ERR, "unknown AF: %u\n", addr->ss_family);
52b7d2ce
A		 1140 break;
1141 }
1142
1143 return ntohs(port);
1144}
1145
1146u_int16_t *
85f41bec 1147get_port_ptr (struct sockaddr_storage *addr)
52b7d2ce
A		 1148{
1149 u_int16_t *port_ptr;
1150
1151 if (!addr)
1152 return NULL;
1153
85f41bec 1154 switch (addr->ss_family) {
52b7d2ce
A		 1155 case AF_INET:
1156 port_ptr = &(((struct sockaddr_in *)addr)->sin_port);
1157 break;
1158 case AF_INET6:
1159 port_ptr = &(((struct sockaddr_in6 *)addr)->sin6_port);
1160 break;
1161 default:
65c25746 1162 plog(ASL_LEVEL_ERR, "unknown AF: %u\n", addr->ss_family);
52b7d2ce
A		 1163 return NULL;
1164 break;
1165 }
1166
1167 return port_ptr;
1168}
1169
1170u_int16_t *
85f41bec 1171set_port (struct sockaddr_storage *addr, u_int16_t new_port)
52b7d2ce
A		 1172{
1173 u_int16_t *port_ptr;
1174
1175 port_ptr = get_port_ptr (addr);
1176
1177 if (port_ptr)
1178 *port_ptr = htons(new_port);
1179
1180 return port_ptr;
1181}
mirror of ipsec