]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/sockmisc.c
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-332.100.1.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / sockmisc.c
1 /* $Id: sockmisc.c,v 1.17.4.4 2005/10/04 09:54:27 manubsd Exp $ */
2
3 /*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #include "config.h"
33
34 #include <sys/types.h>
35 #include <sys/param.h>
36 #include <sys/socket.h>
37 #include <sys/uio.h>
38
39 #include <netinet/in.h>
40 #ifndef HAVE_NETINET6_IPSEC
41 #include <netinet/ipsec.h>
42 #else
43 #include <netinet6/ipsec.h>
44 #endif
45
46 #if defined(INET6) && !defined(INET6_ADVAPI) && \
47 defined(IP_RECVDSTADDR) && !defined(IPV6_RECVDSTADDR)
48 #define IPV6_RECVDSTADDR IP_RECVDSTADDR
49 #endif
50
51 #include <stdlib.h>
52 #include <stdio.h>
53 #include <string.h>
54 #include <errno.h>
55 #ifdef HAVE_UNISTD_H
56 #include <unistd.h>
57 #endif
58 #include <fcntl.h>
59
60 #include "var.h"
61 #include "misc.h"
62 #include "plog.h"
63 #include "sockmisc.h"
64 #include "debug.h"
65 #include "gcmalloc.h"
66 #include "libpfkey.h"
67
68 #ifndef IP_IPSEC_POLICY
69 #define IP_IPSEC_POLICY 16 /* XXX: from linux/in.h */
70 #endif
71
72 #ifndef IPV6_IPSEC_POLICY
73 #define IPV6_IPSEC_POLICY 34 /* XXX: from linux/???.h per
74 "Tom Lendacky" <toml@us.ibm.com> */
75 #endif
76
77 const int niflags = 0;
78
79 /*
80 * compare two sockaddr without port number.
81 * OUT: 0: equal.
82 * 1: not equal.
83 */
84 int
85 cmpsaddrwop(addr1, addr2)
86 const struct sockaddr_storage *addr1;
87 const struct sockaddr_storage *addr2;
88 {
89 caddr_t sa1, sa2;
90
91 if (addr1 == 0 && addr2 == 0)
92 return 0;
93 if (addr1 == 0 || addr2 == 0)
94 return 1;
95
96 if (addr1->ss_len != addr2->ss_len
97 || addr1->ss_family != addr2->ss_family)
98 return 1;
99 switch (addr1->ss_family) {
100 case AF_INET:
101 sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
102 sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
103 if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
104 return 1;
105 break;
106 #ifdef INET6
107 case AF_INET6:
108 sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
109 sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
110 if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
111 return 1;
112 if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
113 ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
114 return 1;
115 break;
116 #endif
117 default:
118 return 1;
119 }
120
121 return 0;
122 }
123
124 /*
125 * compare two sockaddr without port number using prefix.
126 * OUT: 0: equal.
127 * 1: not equal.
128 */
129 int
130 cmpsaddrwop_withprefix(const struct sockaddr_storage *addr1, const struct sockaddr_storage *addr2, int prefix)
131 {
132 u_int32_t mask;
133 int i;
134
135 if (addr1 == 0 && addr2 == 0)
136 return 0;
137 if (addr1 == 0 || addr2 == 0)
138 return 1;
139
140 if (addr1->ss_len != addr2->ss_len
141 || addr1->ss_family != addr2->ss_family)
142 return 1;
143 switch (addr1->ss_family) {
144 case AF_INET:
145 mask = ~0;
146 mask <<= 32-prefix;
147 if ((((struct sockaddr_in *)addr1)->sin_addr.s_addr & htonl(mask)) !=
148 (((struct sockaddr_in *)addr2)->sin_addr.s_addr & htonl(mask)))
149 return 1;
150 break;
151 #ifdef INET6
152 case AF_INET6:
153 for (i = 0; i < 4; i++) {
154 if (prefix >= 32) {
155 mask = ~0;
156 prefix -= 32;
157 } else if (prefix == 0)
158 mask = 0;
159 else {
160 mask = ~0;
161 mask <<= 32-prefix;
162 prefix = 0;
163 }
164 if ((((struct sockaddr_in6 *)addr1)->sin6_addr.__u6_addr.__u6_addr32[i] & htonl(mask)) !=
165 (((struct sockaddr_in6 *)addr2)->sin6_addr.__u6_addr.__u6_addr32[i] & htonl(mask)))
166 return 1;
167 }
168 if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
169 ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
170 return 1;
171 break;
172 #endif
173 default:
174 return 1;
175 }
176
177 return 0;
178 }
179
180
181 /*
182 * compare two sockaddr with port, taking care wildcard.
183 * addr1 is a subject address, addr2 is in a database entry.
184 * OUT: 0: equal.
185 * 1: not equal.
186 */
187 int
188 cmpsaddrwild(addr1, addr2)
189 const struct sockaddr_storage *addr1;
190 const struct sockaddr_storage *addr2;
191 {
192 caddr_t sa1, sa2;
193 u_short port1, port2;
194
195 if (addr1 == 0 && addr2 == 0)
196 return 0;
197 if (addr1 == 0 || addr2 == 0)
198 return 1;
199
200 if (addr1->ss_len != addr2->ss_len
201 || addr1->ss_family != addr2->ss_family)
202 return 1;
203
204 switch (addr1->ss_family) {
205 case AF_INET:
206 sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
207 sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
208 port1 = ((struct sockaddr_in *)addr1)->sin_port;
209 port2 = ((struct sockaddr_in *)addr2)->sin_port;
210 if (!(port1 == IPSEC_PORT_ANY ||
211 port2 == IPSEC_PORT_ANY ||
212 port1 == port2))
213 return 1;
214 if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
215 return 1;
216 break;
217 #ifdef INET6
218 case AF_INET6:
219 sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
220 sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
221 port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
222 port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
223 if (!(port1 == IPSEC_PORT_ANY ||
224 port2 == IPSEC_PORT_ANY ||
225 port1 == port2))
226 return 1;
227 if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
228 return 1;
229 if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
230 ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
231 return 1;
232 break;
233 #endif
234 default:
235 return 1;
236 }
237
238 return 0;
239 }
240
241 /*
242 * compare two sockaddr with strict match on port.
243 * OUT: 0: equal.
244 * 1: not equal.
245 */
246 int
247 cmpsaddrstrict(const struct sockaddr_storage *addr1, const struct sockaddr_storage *addr2)
248 {
249 caddr_t sa1, sa2;
250 u_short port1, port2;
251
252 if (addr1 == 0 && addr2 == 0)
253 return 0;
254 if (addr1 == 0 || addr2 == 0)
255 return 1;
256
257 if (addr1->ss_len != addr2->ss_len
258 || addr1->ss_family != addr2->ss_family)
259 return 1;
260
261 switch (addr1->ss_family) {
262 case AF_INET:
263 sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
264 sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
265 port1 = ((struct sockaddr_in *)addr1)->sin_port;
266 port2 = ((struct sockaddr_in *)addr2)->sin_port;
267 if (port1 != port2)
268 return 1;
269 if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
270 return 1;
271 break;
272 #ifdef INET6
273 case AF_INET6:
274 sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
275 sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
276 port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
277 port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
278 if (port1 != port2)
279 return 1;
280 if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
281 return 1;
282 if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
283 ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
284 return 1;
285 break;
286 #endif
287 default:
288 return 1;
289 }
290
291 return 0;
292 }
293
294 /*
295 * compare two sockaddr with strict match on port using prefix.
296 * OUT: 0: equal.
297 * 1: not equal.
298 */
299 int
300 cmpsaddrstrict_withprefix(const struct sockaddr_storage *addr1, const struct sockaddr_storage *addr2, int prefix)
301 {
302 u_short port1, port2;
303 u_int32_t mask;
304 int i;
305
306 if (addr1 == 0 && addr2 == 0)
307 return 0;
308 if (addr1 == 0 || addr2 == 0)
309 return 1;
310
311 if (addr1->ss_len != addr2->ss_len
312 || addr1->ss_family != addr2->ss_family)
313 return 1;
314
315 switch (addr1->ss_family) {
316 case AF_INET:
317 port1 = ((struct sockaddr_in *)addr1)->sin_port;
318 port2 = ((struct sockaddr_in *)addr2)->sin_port;
319 if (port1 != port2)
320 return 1;
321 mask = ~0;
322 mask <<= 32-prefix;
323 if ((((struct sockaddr_in *)addr1)->sin_addr.s_addr & htonl(mask)) !=
324 (((struct sockaddr_in *)addr2)->sin_addr.s_addr & htonl(mask)))
325 return 1;
326 break;
327 #ifdef INET6
328 case AF_INET6:
329 port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
330 port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
331 if (port1 != port2)
332 return 1;
333 for (i = 0; i < 4; i++) {
334 if (prefix >= 32) {
335 mask = ~0;
336 prefix -= 32;
337 } else if (prefix == 0)
338 mask = 0;
339 else {
340 mask = ~0;
341 mask <<= 32-prefix;
342 prefix = 0;
343 }
344 if ((((struct sockaddr_in6 *)addr1)->sin6_addr.__u6_addr.__u6_addr32[i] & htonl(mask)) !=
345 (((struct sockaddr_in6 *)addr2)->sin6_addr.__u6_addr.__u6_addr32[i] & htonl(mask)))
346 return 1;
347 }
348 if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
349 ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
350 return 1;
351 break;
352 #endif
353 default:
354 return 1;
355 }
356
357 return 0;
358 }
359
360
361 /* get local address against the destination. */
362 struct sockaddr_storage *
363 getlocaladdr(struct sockaddr *remote)
364 {
365 struct sockaddr_storage *local;
366 u_int local_len = sizeof(struct sockaddr_storage);
367 int s; /* for dummy connection */
368
369 /* allocate buffer */
370 if ((local = racoon_calloc(1, local_len)) == NULL) {
371 plog(ASL_LEVEL_ERR,
372 "failed to get address buffer.\n");
373 goto err;
374 }
375
376 /* get real interface received packet */
377 if ((s = socket(remote->sa_family, SOCK_DGRAM, 0)) < 0) {
378 plog(ASL_LEVEL_ERR,
379 "socket (%s)\n", strerror(errno));
380 goto err;
381 }
382
383 if (fcntl(s, F_SETFL, O_NONBLOCK) == -1) {
384 plog(ASL_LEVEL_ERR, "failed to put localaddr socket in non-blocking mode\n");
385 }
386
387 setsockopt_bypass(s, remote->sa_family);
388
389 if (connect(s, remote, sysdep_sa_len(remote)) < 0) {
390 plog(ASL_LEVEL_ERR,
391 "connect (%s)\n", strerror(errno));
392 close(s);
393 goto err;
394 }
395
396 if (getsockname(s, (struct sockaddr *)local, &local_len) < 0) {
397 plog(ASL_LEVEL_ERR,
398 "getsockname (%s)\n", strerror(errno));
399 close(s);
400 return NULL;
401 }
402
403 close(s);
404 return local;
405
406 err:
407 if (local != NULL)
408 racoon_free(local);
409 return NULL;
410 }
411
412 /*
413 * Receive packet, with src/dst information. It is assumed that necessary
414 * setsockopt() have already performed on socket.
415 */
416 int
417 recvfromto(int s,
418 void *buf,
419 size_t buflen,
420 int flags,
421 struct sockaddr_storage *from,
422 socklen_t *fromlen,
423 struct sockaddr_storage *to,
424 u_int *tolen)
425 {
426 int otolen;
427 ssize_t len;
428 struct sockaddr_storage ss;
429 struct msghdr m;
430 struct cmsghdr *cm, *cm_prev;
431 struct iovec iov[2];
432 u_int32_t cmsgbuf[256/sizeof(u_int32_t)]; // Wcast-align fix - force 32 bit alignment
433 #if defined(INET6) && defined(INET6_ADVAPI)
434 struct in6_pktinfo *pi;
435 #endif /*INET6_ADVAPI*/
436 struct sockaddr_in *sin;
437 #ifdef INET6
438 struct sockaddr_in6 *sin6;
439 #endif
440
441 len = sizeof(ss);
442 if (getsockname(s, (struct sockaddr *)&ss, (socklen_t*)&len) < 0) {
443 plog(ASL_LEVEL_ERR,
444 "getsockname (%s)\n", strerror(errno));
445 return -1;
446 }
447
448 m.msg_name = (caddr_t)from;
449 m.msg_namelen = *fromlen;
450 iov[0].iov_base = (caddr_t)buf;
451 iov[0].iov_len = buflen;
452 m.msg_iov = iov;
453 m.msg_iovlen = 1;
454 memset(cmsgbuf, 0, sizeof(cmsgbuf));
455 cm = (struct cmsghdr *)cmsgbuf;
456 m.msg_control = (caddr_t)cm;
457 m.msg_controllen = sizeof(cmsgbuf);
458 m.msg_flags = 0;
459 while ((len = recvmsg(s, &m, flags)) < 0) {
460 if (errno == EINTR)
461 continue;
462 plog(ASL_LEVEL_ERR, "recvmsg (%s)\n", strerror(errno));
463 return -1;
464 }
465 if (len == 0) {
466 return 0;
467 }
468 *fromlen = m.msg_namelen;
469
470 otolen = *tolen;
471 *tolen = 0;
472 for (cm = (struct cmsghdr *)CMSG_FIRSTHDR(&m), cm_prev = NULL;
473 m.msg_controllen != 0 && cm && cm != cm_prev;
474 cm_prev = cm, cm = (struct cmsghdr *)CMSG_NXTHDR(&m, cm)) {
475 #if 0
476 plog(ASL_LEVEL_ERR,
477 "cmsg %d %d\n", cm->cmsg_level, cm->cmsg_type);)
478 #endif
479 #if defined(INET6) && defined(INET6_ADVAPI)
480 if (ss.ss_family == AF_INET6
481 && cm->cmsg_level == IPPROTO_IPV6
482 && cm->cmsg_type == IPV6_PKTINFO
483 && otolen >= sizeof(*sin6)) {
484 pi = ALIGNED_CAST(struct in6_pktinfo *)(CMSG_DATA(cm));
485 *tolen = sizeof(*sin6);
486 sin6 = (struct sockaddr_in6 *)to;
487 memset(sin6, 0, sizeof(*sin6));
488 sin6->sin6_family = AF_INET6;
489 sin6->sin6_len = sizeof(*sin6);
490 memcpy(&sin6->sin6_addr, &pi->ipi6_addr,
491 sizeof(sin6->sin6_addr));
492 /* XXX other cases, such as site-local? */
493 if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
494 sin6->sin6_scope_id = pi->ipi6_ifindex;
495 else
496 sin6->sin6_scope_id = 0;
497 sin6->sin6_port =
498 ((struct sockaddr_in6 *)&ss)->sin6_port;
499 otolen = -1; /* "to" already set */
500 continue;
501 }
502 #endif
503 #if defined(INET6) && defined(IPV6_RECVDSTADDR)
504 if (ss.ss_family == AF_INET6
505 && cm->cmsg_level == IPPROTO_IPV6
506 && cm->cmsg_type == IPV6_RECVDSTADDR
507 && otolen >= sizeof(*sin6)) {
508 *tolen = sizeof(*sin6);
509 sin6 = (struct sockaddr_in6 *)to;
510 memset(sin6, 0, sizeof(*sin6));
511 sin6->sin6_family = AF_INET6;
512 sin6->sin6_len = sizeof(*sin6);
513 memcpy(&sin6->sin6_addr, CMSG_DATA(cm),
514 sizeof(sin6->sin6_addr));
515 sin6->sin6_port =
516 ((struct sockaddr_in6 *)&ss)->sin6_port;
517 otolen = -1; /* "to" already set */
518 continue;
519 }
520 #endif
521 if (ss.ss_family == AF_INET
522 && cm->cmsg_level == IPPROTO_IP
523 && cm->cmsg_type == IP_RECVDSTADDR
524 && otolen >= sizeof(*sin)) {
525 *tolen = sizeof(*sin);
526 sin = (struct sockaddr_in *)to;
527 memset(sin, 0, sizeof(*sin));
528 sin->sin_family = AF_INET;
529 sin->sin_len = sizeof(*sin);
530 memcpy(&sin->sin_addr, CMSG_DATA(cm),
531 sizeof(sin->sin_addr));
532 sin->sin_port = ((struct sockaddr_in *)&ss)->sin_port;
533 otolen = -1; /* "to" already set */
534 continue;
535 }
536 }
537 plogdump(ASL_LEVEL_DEBUG, buf, buflen, "@@@@@@ data from readmsg:\n");
538 return len;
539 }
540
541 /* send packet, with fixing src/dst address pair. */
542 int
543 sendfromto(s, buf, buflen, src, dst, cnt)
544 int s, cnt;
545 const void *buf;
546 size_t buflen;
547 struct sockaddr_storage *src;
548 struct sockaddr_storage *dst;
549 {
550 struct sockaddr_storage ss;
551 int len;
552 int i;
553
554 if (src->ss_family != dst->ss_family) {
555 plog(ASL_LEVEL_ERR,
556 "address family mismatch\n");
557 return -1;
558 }
559
560 len = sizeof(ss);
561 if (getsockname(s, (struct sockaddr *)&ss, (socklen_t*)&len) < 0) {
562 plog(ASL_LEVEL_ERR,
563 "getsockname (%s)\n", strerror(errno));
564 return -1;
565 }
566
567 plog(ASL_LEVEL_DEBUG,
568 "sockname %s\n", saddr2str((struct sockaddr *)&ss));
569 plog(ASL_LEVEL_DEBUG,
570 "send packet from %s\n", saddr2str((struct sockaddr *)src));
571 plog(ASL_LEVEL_DEBUG,
572 "send packet to %s\n", saddr2str((struct sockaddr *)dst));
573
574 if (src->ss_family != ss.ss_family) {
575 plog(ASL_LEVEL_ERR,
576 "address family mismatch\n");
577 return -1;
578 }
579
580 switch (src->ss_family) {
581 #if defined(INET6) && defined(INET6_ADVAPI)
582 case AF_INET6:
583 {
584 struct msghdr m;
585 struct cmsghdr *cm;
586 struct iovec iov[2];
587 u_int32_t cmsgbuf[256/sizeof(u_int32_t)]; // Wcast-align fix - force 32 bit alignment
588 struct in6_pktinfo *pi;
589 int ifindex;
590 struct sockaddr_in6 src6, dst6;
591
592 memcpy(&src6, src, sizeof(src6));
593 memcpy(&dst6, dst, sizeof(dst6));
594
595 /* XXX take care of other cases, such as site-local */
596 ifindex = 0;
597 if (IN6_IS_ADDR_LINKLOCAL(&src6.sin6_addr)
598 || IN6_IS_ADDR_MULTICAST(&src6.sin6_addr)) {
599 ifindex = src6.sin6_scope_id; /*???*/
600 }
601
602 /* XXX some sanity check on dst6.sin6_scope_id */
603
604 /* flowinfo for IKE? mmm, maybe useful but for now make it 0 */
605 src6.sin6_flowinfo = dst6.sin6_flowinfo = 0;
606
607 memset(&m, 0, sizeof(m));
608 m.msg_name = (caddr_t)&dst6;
609 m.msg_namelen = sizeof(dst6);
610 iov[0].iov_base = (char *)buf;
611 iov[0].iov_len = buflen;
612 m.msg_iov = iov;
613 m.msg_iovlen = 1;
614
615 memset(cmsgbuf, 0, sizeof(cmsgbuf));
616 cm = (struct cmsghdr *)cmsgbuf;
617 m.msg_control = (caddr_t)cm;
618 m.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo));
619
620 cm->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
621 cm->cmsg_level = IPPROTO_IPV6;
622 cm->cmsg_type = IPV6_PKTINFO;
623 pi = ALIGNED_CAST(struct in6_pktinfo *)CMSG_DATA(cm);
624 memcpy(&pi->ipi6_addr, &src6.sin6_addr, sizeof(src6.sin6_addr));
625 pi->ipi6_ifindex = ifindex;
626
627 plog(ASL_LEVEL_DEBUG,
628 "src6 %s %d\n",
629 saddr2str((struct sockaddr *)&src6),
630 src6.sin6_scope_id);
631 plog(ASL_LEVEL_DEBUG,
632 "dst6 %s %d\n",
633 saddr2str((struct sockaddr *)&dst6),
634 dst6.sin6_scope_id);
635
636 for (i = 0; i < cnt; i++) {
637 len = sendmsg(s, &m, 0 /*MSG_DONTROUTE*/);
638 if (len < 0) {
639 plog(ASL_LEVEL_ERR,
640 "sendmsg (%s)\n", strerror(errno));
641 if (errno != EHOSTUNREACH && errno != ENETDOWN && errno != ENETUNREACH) {
642 return -1;
643 }
644 // <rdar://problem/6609744> treat these failures like
645 // packet loss, in case the network interface is flaky
646 len = 0;
647 }
648 plog(ASL_LEVEL_DEBUG,
649 "%d times of %d bytes message will be sent "
650 "to %s\n",
651 i + 1, len, saddr2str((struct sockaddr *)dst));
652 }
653
654 return len;
655 }
656 #endif
657 default:
658 {
659 int needclose = 0;
660 int sendsock;
661
662 if (ss.ss_family == src->ss_family && memcmp(&ss, src, sysdep_sa_len((struct sockaddr *)src)) == 0) {
663 sendsock = s;
664 needclose = 0;
665 } else {
666 int yes = 1;
667 /*
668 * Use newly opened socket for sending packets.
669 * NOTE: this is unsafe, because if the peer is quick enough
670 * the packet from the peer may be queued into sendsock.
671 * Better approach is to prepare bind'ed udp sockets for
672 * each of the interface addresses.
673 */
674 sendsock = socket(src->ss_family, SOCK_DGRAM, 0);
675 if (sendsock < 0) {
676 plog(ASL_LEVEL_ERR,
677 "socket (%s)\n", strerror(errno));
678 return -1;
679 }
680 if (fcntl(sendsock, F_SETFL, O_NONBLOCK) == -1) {
681 plog(ASL_LEVEL_ERR, "failed to put sendsock socket in non-blocking mode\n");
682 }
683 if (setsockopt(sendsock, SOL_SOCKET,
684 SO_REUSEPORT,
685 (void *)&yes, sizeof(yes)) < 0) {
686 plog(ASL_LEVEL_ERR,
687 "setsockopt SO_REUSEPORT (%s)\n",
688 strerror(errno));
689 close(sendsock);
690 return -1;
691 }
692 #ifdef IPV6_USE_MIN_MTU
693 if (src->ss_family == AF_INET6 &&
694 setsockopt(sendsock, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
695 (void *)&yes, sizeof(yes)) < 0) {
696 plog(ASL_LEVEL_ERR,
697 "setsockopt IPV6_USE_MIN_MTU (%s)\n",
698 strerror(errno));
699 close(sendsock);
700 return -1;
701 }
702 #endif
703 if (setsockopt_bypass(sendsock, src->ss_family) < 0) {
704 close(sendsock);
705 return -1;
706 }
707
708 if (bind(sendsock, (struct sockaddr *)src, sysdep_sa_len((struct sockaddr *)src)) < 0) {
709 plog(ASL_LEVEL_ERR,
710 "bind 1 (%s)\n", strerror(errno));
711 close(sendsock);
712 return -1;
713 }
714 needclose = 1;
715 }
716
717 plogdump(ASL_LEVEL_DEBUG, (void*)buf, buflen, "@@@@@@ data being sent:\n");
718
719 for (i = 0; i < cnt; i++) {
720 len = sendto(sendsock, buf, buflen, 0, (struct sockaddr *)dst, sysdep_sa_len((struct sockaddr *)dst));
721 if (len < 0) {
722 plog(ASL_LEVEL_ERR,
723 "sendto (%s)\n", strerror(errno));
724 if (errno != EHOSTUNREACH && errno != ENETDOWN && errno != ENETUNREACH) {
725 if (needclose)
726 close(sendsock);
727 return -1;
728 }
729 plog(ASL_LEVEL_ERR,
730 "treating socket error (%s) like packet loss\n", strerror(errno));
731 // else treat these failures like a packet loss
732 len = 0;
733 }
734 plog(ASL_LEVEL_DEBUG,
735 "%d times of %d bytes message will be sent "
736 "to %s\n",
737 i + 1, len, saddr2str((struct sockaddr *)dst));
738 }
739 //plog(ASL_LEVEL_DEBUG, "sent %d bytes", buflen);
740
741 if (needclose)
742 close(sendsock);
743
744 return len;
745 }
746 }
747 }
748
749 int
750 setsockopt_bypass(int so, int family)
751 {
752 int level;
753 char *buf;
754 char *policy;
755
756 switch (family) {
757 case AF_INET:
758 level = IPPROTO_IP;
759 break;
760 #ifdef INET6
761 case AF_INET6:
762 level = IPPROTO_IPV6;
763 break;
764 #endif
765 default:
766 plog(ASL_LEVEL_ERR,
767 "unsupported address family %d\n", family);
768 return -1;
769 }
770
771 policy = "in bypass";
772 buf = ipsec_set_policy(policy, strlen(policy));
773 if (buf == NULL) {
774 plog(ASL_LEVEL_ERR,
775 "ipsec_set_policy (%s)\n",
776 ipsec_strerror());
777 return -1;
778 }
779 if (setsockopt(so, level,
780 (level == IPPROTO_IP ?
781 IP_IPSEC_POLICY : IPV6_IPSEC_POLICY),
782 buf, ipsec_get_policylen(buf)) < 0) {
783 plog(ASL_LEVEL_ERR,
784 "setsockopt IP_IPSEC_POLICY (%s)\n",
785 strerror(errno));
786 return -1;
787 }
788 racoon_free(buf);
789
790 policy = "out bypass";
791 buf = ipsec_set_policy(policy, strlen(policy));
792 if (buf == NULL) {
793 plog(ASL_LEVEL_ERR,
794 "ipsec_set_policy (%s)\n",
795 ipsec_strerror());
796 return -1;
797 }
798 if (setsockopt(so, level,
799 (level == IPPROTO_IP ?
800 IP_IPSEC_POLICY : IPV6_IPSEC_POLICY),
801 buf, ipsec_get_policylen(buf)) < 0) {
802 plog(ASL_LEVEL_ERR,
803 "setsockopt IP_IPSEC_POLICY (%s)\n",
804 strerror(errno));
805 return -1;
806 }
807 racoon_free(buf);
808
809 return 0;
810 }
811
812 struct sockaddr_storage *
813 newsaddr(int len)
814 {
815 struct sockaddr_storage *new;
816
817 if ((new = racoon_calloc(1, sizeof(*new))) == NULL) {
818 plog(ASL_LEVEL_ERR,
819 "%s\n", strerror(errno));
820 goto out;
821 }
822 /* initial */
823 new->ss_len = len;
824 out:
825 return new;
826 }
827
828 struct sockaddr_storage *
829 dupsaddr(struct sockaddr_storage *addr)
830 {
831 struct sockaddr_storage *new;
832
833 new = racoon_calloc(1, sizeof(*new));
834 if (new == NULL) {
835 plog(ASL_LEVEL_ERR, "%s\n", strerror(errno));
836 return NULL;
837 }
838
839 memcpy(new, addr, addr->ss_len);
840
841 return new;
842 }
843
844 char *
845 saddr2str(const struct sockaddr *saddr)
846 {
847 static char buf[NI_MAXHOST + NI_MAXSERV + 10];
848 char addr[NI_MAXHOST], port[NI_MAXSERV];
849
850 if (saddr == NULL) {
851 buf[0] = '\0';
852 return buf;
853 }
854
855 if (saddr->sa_family == AF_UNSPEC)
856 snprintf (buf, sizeof(buf), "%s", "anonymous");
857 else {
858 GETNAMEINFO(saddr, addr, port);
859 snprintf(buf, sizeof(buf), "%s[%s]", addr, port);
860 }
861
862 return buf;
863 }
864
865 char *
866 saddr2str_with_prefix(const struct sockaddr *saddr, int prefix)
867 {
868 static char buf[NI_MAXHOST + NI_MAXSERV + 10];
869 char addr[NI_MAXHOST], port[NI_MAXSERV];
870
871 if (saddr == NULL) {
872 buf[0] = '\0';
873 return buf;
874 }
875
876 if (saddr->sa_family == AF_UNSPEC)
877 snprintf (buf, sizeof(buf), "%s", "anonymous");
878 else {
879 GETNAMEINFO(saddr, addr, port);
880 snprintf(buf, sizeof(buf), "%s/%d[%s]", addr, prefix, port);
881 }
882
883 return buf;
884 }
885
886
887 char *
888 saddrwop2str(const struct sockaddr *saddr)
889 {
890 static char buf[NI_MAXHOST + NI_MAXSERV + 10];
891 char addr[NI_MAXHOST];
892
893 if (saddr == NULL) {
894 buf[0] = '\0';
895 return buf;
896 }
897
898 GETNAMEINFO_NULL(saddr, addr);
899 snprintf(buf, sizeof(buf), "%s", addr);
900
901 return buf;
902 }
903
904 char *
905 naddrwop2str(const struct netaddr *naddr)
906 {
907 static char buf[NI_MAXHOST + 10];
908 static const struct sockaddr sa_any; /* this is initialized to all zeros */
909
910 if (naddr == NULL) {
911 buf[0] = '\0';
912 return buf;
913 }
914
915 if (memcmp(&naddr->sa, &sa_any, sizeof(sa_any)) == 0)
916 snprintf(buf, sizeof(buf), "%s", "any");
917 else {
918 snprintf(buf, sizeof(buf), "%s", saddrwop2str((struct sockaddr *)&naddr->sa.sa));
919 snprintf(&buf[strlen(buf)], sizeof(buf) - strlen(buf), "/%ld", naddr->prefix);
920 }
921 return buf;
922 }
923
924 char *
925 naddrwop2str_fromto(const char *format, const struct netaddr *saddr,
926 const struct netaddr *daddr)
927 {
928 static char buf[2*(NI_MAXHOST + NI_MAXSERV + 10) + 100];
929 char *src, *dst;
930
931 src = racoon_strdup(naddrwop2str(saddr));
932 dst = racoon_strdup(naddrwop2str(daddr));
933 STRDUP_FATAL(src);
934 STRDUP_FATAL(dst);
935 /* WARNING: Be careful about the format string! Don't
936 ever pass in something that a user can modify!!! */
937 snprintf (buf, sizeof(buf), format, src, dst);
938 racoon_free (src);
939 racoon_free (dst);
940
941 return buf;
942 }
943
944 char *
945 saddr2str_fromto(format, saddr, daddr)
946 const char *format;
947 const struct sockaddr *saddr;
948 const struct sockaddr *daddr;
949 {
950 static char buf[2*(NI_MAXHOST + NI_MAXSERV + 10) + 100];
951 char *src, *dst;
952
953 if (saddr) {
954 src = racoon_strdup(saddr2str(saddr));
955 STRDUP_FATAL(src);
956 } else {
957 src = NULL;
958 }
959 if (daddr) {
960 dst = racoon_strdup(saddr2str(daddr));
961 STRDUP_FATAL(dst);
962 } else {
963 dst = NULL;
964 }
965 /* WARNING: Be careful about the format string! Don't
966 ever pass in something that a user can modify!!! */
967 snprintf (buf, sizeof(buf), format, src? src:"[null]", dst? dst:"[null]");
968 if (src) {
969 racoon_free (src);
970 }
971 if (dst) {
972 racoon_free (dst);
973 }
974
975 return buf;
976 }
977
978 struct sockaddr_storage *
979 str2saddr(char *host, char *port)
980 {
981 struct addrinfo hints, *res;
982 struct sockaddr_storage *saddr;
983 int error;
984
985 memset(&hints, 0, sizeof(hints));
986 hints.ai_family = PF_UNSPEC;
987 hints.ai_socktype = SOCK_DGRAM;
988 hints.ai_flags = AI_NUMERICHOST;
989 error = getaddrinfo(host, port, &hints, &res);
990 if (error != 0) {
991 plog(ASL_LEVEL_ERR,
992 "getaddrinfo(%s%s%s): %s\n",
993 host, port ? "," : "", port ? port : "",
994 gai_strerror(error));
995 return NULL;
996 }
997 if (res->ai_next != NULL) {
998 plog(ASL_LEVEL_WARNING,
999 "getaddrinfo(%s%s%s): "
1000 "resolved to multiple address, "
1001 "taking the first one\n",
1002 host, port ? "," : "", port ? port : "");
1003 }
1004 saddr = newsaddr(sizeof(*saddr));
1005 if (saddr == NULL) {
1006 plog(ASL_LEVEL_ERR,
1007 "failed to allocate buffer.\n");
1008 freeaddrinfo(res);
1009 return NULL;
1010 }
1011 memcpy(saddr, res->ai_addr, res->ai_addrlen);
1012 freeaddrinfo(res);
1013
1014 return saddr;
1015 }
1016
1017 void
1018 mask_sockaddr(a, b, l)
1019 struct sockaddr_storage *a;
1020 const struct sockaddr_storage *b;
1021 size_t l;
1022 {
1023 size_t i;
1024 u_int8_t *p, alen;
1025
1026 switch (b->ss_family) {
1027 case AF_INET:
1028 alen = sizeof(struct in_addr);
1029 p = (u_int8_t *)&((struct sockaddr_in *)a)->sin_addr;
1030 break;
1031 #ifdef INET6
1032 case AF_INET6:
1033 alen = sizeof(struct in6_addr);
1034 p = (u_int8_t *)&((struct sockaddr_in6 *)a)->sin6_addr;
1035 break;
1036 #endif
1037 default:
1038 plog(ASL_LEVEL_ERR,
1039 "invalid address family: %d\n", b->ss_family);
1040 exit(1);
1041 }
1042
1043 if ((alen << 3) < l) {
1044 plog(ASL_LEVEL_ERR,
1045 "unexpected inconsistency: %d %zu\n", b->ss_family, l);
1046 exit(1);
1047 }
1048
1049 memcpy(a, b, sysdep_sa_len((struct sockaddr *)b));
1050 p[l / 8] &= (0xff00 >> (l % 8)) & 0xff;
1051 for (i = l / 8 + 1; i < alen; i++)
1052 p[i] = 0x00;
1053 }
1054
1055 /* Compute a score describing how "accurate" a netaddr is for a given sockaddr.
1056 * Examples:
1057 * Return values for address 10.20.30.40 [port 500] and given netaddresses...
1058 * 10.10.0.0/16 => -1 ... doesn't match
1059 * 0.0.0.0/0 => 0 ... matches, but only 0 bits.
1060 * 10.20.0.0/16 => 16 ... 16 bits match
1061 * 10.20.30.0/24 => 24 ... guess what ;-)
1062 * 10.20.30.40/32 => 32 ... whole address match
1063 * 10.20.30.40:500 => 33 ... both address and port match
1064 * 10.20.30.40:501 => -1 ... port doesn't match and isn't 0 (=any)
1065 */
1066 int
1067 naddr_score(const struct netaddr *naddr, const struct sockaddr_storage *saddr)
1068 {
1069 static const struct netaddr naddr_any; /* initialized to all-zeros */
1070 struct sockaddr_storage sa;
1071 u_int16_t naddr_port, saddr_port;
1072 int port_score;
1073
1074 if (!naddr || !saddr) {
1075 plog(ASL_LEVEL_ERR,
1076 "Call with null args: naddr=%p, saddr=%p\n",
1077 naddr, saddr);
1078 return -1;
1079 }
1080
1081 /* Wildcard address matches, but only 0 bits. */
1082 if (memcmp(naddr, &naddr_any, sizeof(naddr_any)) == 0)
1083 return 0;
1084
1085 /* If families don't match we really can't do much... */
1086 if (naddr->sa.sa.ss_family != saddr->ss_family)
1087 return -1;
1088
1089 /* If port check fail don't bother to check addresses. */
1090 naddr_port = extract_port(&naddr->sa.sa);
1091 saddr_port = extract_port(saddr);
1092 if (naddr_port == 0 || saddr_port == 0) /* wildcard match */
1093 port_score = 0;
1094 else if (naddr_port == saddr_port) /* exact match */
1095 port_score = 1;
1096 else /* mismatch :-) */
1097 return -1;
1098
1099 /* Here it comes - compare network addresses. */
1100 mask_sockaddr(&sa, saddr, naddr->prefix);
1101 if (loglevel >= ASL_LEVEL_DEBUG) { /* debug only */
1102 char *a1, *a2, *a3;
1103 a1 = racoon_strdup(naddrwop2str(naddr));
1104 a2 = racoon_strdup(saddrwop2str((struct sockaddr *)saddr));
1105 a3 = racoon_strdup(saddrwop2str((struct sockaddr *)&sa));
1106 STRDUP_FATAL(a1);
1107 STRDUP_FATAL(a2);
1108 STRDUP_FATAL(a3);
1109 plog(ASL_LEVEL_DEBUG,
1110 "naddr=%s, saddr=%s (masked=%s)\n",
1111 a1, a2, a3);
1112 free(a1);
1113 free(a2);
1114 free(a3);
1115 }
1116 if (cmpsaddrwop(&sa, &naddr->sa.sa) == 0)
1117 return naddr->prefix + port_score;
1118
1119 return -1;
1120 }
1121
1122 /* Some useful functions for sockaddr_storage port manipulations. */
1123 u_int16_t
1124 extract_port (const struct sockaddr_storage *addr)
1125 {
1126 u_int16_t port = -1;
1127
1128 if (!addr)
1129 return port;
1130
1131 switch (addr->ss_family) {
1132 case AF_INET:
1133 port = ((struct sockaddr_in *)addr)->sin_port;
1134 break;
1135 case AF_INET6:
1136 port = ((struct sockaddr_in6 *)addr)->sin6_port;
1137 break;
1138 default:
1139 plog(ASL_LEVEL_ERR, "unknown AF: %u\n", addr->ss_family);
1140 break;
1141 }
1142
1143 return ntohs(port);
1144 }
1145
1146 u_int16_t *
1147 get_port_ptr (struct sockaddr_storage *addr)
1148 {
1149 u_int16_t *port_ptr;
1150
1151 if (!addr)
1152 return NULL;
1153
1154 switch (addr->ss_family) {
1155 case AF_INET:
1156 port_ptr = &(((struct sockaddr_in *)addr)->sin_port);
1157 break;
1158 case AF_INET6:
1159 port_ptr = &(((struct sockaddr_in6 *)addr)->sin6_port);
1160 break;
1161 default:
1162 plog(ASL_LEVEL_ERR, "unknown AF: %u\n", addr->ss_family);
1163 return NULL;
1164 break;
1165 }
1166
1167 return port_ptr;
1168 }
1169
1170 u_int16_t *
1171 set_port (struct sockaddr_storage *addr, u_int16_t new_port)
1172 {
1173 u_int16_t *port_ptr;
1174
1175 port_ptr = get_port_ptr (addr);
1176
1177 if (port_ptr)
1178 *port_ptr = htons(new_port);
1179
1180 return port_ptr;
1181 }
mirror of ipsec