1 /* $NetBSD: sockmisc.c,v 1.8.6.1 2007/08/01 11:52:22 vanhu Exp $ */ 2 3 /* Id: sockmisc.c,v 1.24 2006/05/07 21:32:59 manubsd Exp */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "config.h" 35 36 #include <sys/types.h> 37 #include <sys/param.h> 38 #include <sys/socket.h> 39 #include <sys/uio.h> 40 41 #include <netinet/in.h> 42 #include PATH_IPSEC_H 43 44 #if defined(INET6) && !defined(INET6_ADVAPI) && \ 45 defined(IP_RECVDSTADDR) && !defined(IPV6_RECVDSTADDR) 46 #define IPV6_RECVDSTADDR IP_RECVDSTADDR 47 #endif 48 49 #include <stdlib.h> 50 #include <stdio.h> 51 #include <string.h> 52 #include <errno.h> 53 #ifdef HAVE_UNISTD_H 54 #include <unistd.h> 55 #endif 56 57 #include "var.h" 58 #include "misc.h" 59 #include "plog.h" 60 #include "sockmisc.h" 61 #include "debug.h" 62 #include "gcmalloc.h" 63 #include "debugrm.h" 64 #include "libpfkey.h" 65 66 #ifdef ANDROID_CHANGES 67 #include "NetdClient.h" 68 #endif 69 70 #ifndef IP_IPSEC_POLICY 71 #define IP_IPSEC_POLICY 16 /* XXX: from linux/in.h */ 72 #endif 73 74 #ifndef IPV6_IPSEC_POLICY 75 #define IPV6_IPSEC_POLICY 34 /* XXX: from linux/???.h per 76 "Tom Lendacky" <toml (at) us.ibm.com> */ 77 #endif 78 79 const int niflags = 0; 80 81 /* 82 * compare two sockaddr without port number. 83 * OUT: 0: equal. 84 * 1: not equal. 85 */ 86 int 87 cmpsaddrwop(addr1, addr2) 88 const struct sockaddr *addr1; 89 const struct sockaddr *addr2; 90 { 91 caddr_t sa1, sa2; 92 93 if (addr1 == 0 && addr2 == 0) 94 return 0; 95 if (addr1 == 0 || addr2 == 0) 96 return 1; 97 98 #ifdef __linux__ 99 if (addr1->sa_family != addr2->sa_family) 100 return 1; 101 #else 102 if (addr1->sa_len != addr2->sa_len 103 || addr1->sa_family != addr2->sa_family) 104 return 1; 105 106 #endif /* __linux__ */ 107 108 switch (addr1->sa_family) { 109 case AF_INET: 110 sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr; 111 sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr; 112 if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0) 113 return 1; 114 break; 115 #ifdef INET6 116 case AF_INET6: 117 sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr; 118 sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr; 119 if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0) 120 return 1; 121 if (((struct sockaddr_in6 *)addr1)->sin6_scope_id != 122 ((struct sockaddr_in6 *)addr2)->sin6_scope_id) 123 return 1; 124 break; 125 #endif 126 default: 127 return 1; 128 } 129 130 return 0; 131 } 132 133 /* 134 * compare two sockaddr with port, taking care wildcard. 135 * addr1 is a subject address, addr2 is in a database entry. 136 * OUT: 0: equal. 137 * 1: not equal. 138 */ 139 int 140 cmpsaddrwild(addr1, addr2) 141 const struct sockaddr *addr1; 142 const struct sockaddr *addr2; 143 { 144 caddr_t sa1, sa2; 145 u_short port1, port2; 146 147 if (addr1 == 0 && addr2 == 0) 148 return 0; 149 if (addr1 == 0 || addr2 == 0) 150 return 1; 151 152 #ifdef __linux__ 153 if (addr1->sa_family != addr2->sa_family) 154 return 1; 155 #else 156 if (addr1->sa_len != addr2->sa_len 157 || addr1->sa_family != addr2->sa_family) 158 return 1; 159 160 #endif /* __linux__ */ 161 162 switch (addr1->sa_family) { 163 case AF_INET: 164 sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr; 165 sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr; 166 port1 = ((struct sockaddr_in *)addr1)->sin_port; 167 port2 = ((struct sockaddr_in *)addr2)->sin_port; 168 if (!(port1 == IPSEC_PORT_ANY || 169 port2 == IPSEC_PORT_ANY || 170 port1 == port2)) 171 return 1; 172 if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0) 173 return 1; 174 break; 175 #ifdef INET6 176 case AF_INET6: 177 sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr; 178 sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr; 179 port1 = ((struct sockaddr_in6 *)addr1)->sin6_port; 180 port2 = ((struct sockaddr_in6 *)addr2)->sin6_port; 181 if (!(port1 == IPSEC_PORT_ANY || 182 port2 == IPSEC_PORT_ANY || 183 port1 == port2)) 184 return 1; 185 if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0) 186 return 1; 187 if (((struct sockaddr_in6 *)addr1)->sin6_scope_id != 188 ((struct sockaddr_in6 *)addr2)->sin6_scope_id) 189 return 1; 190 break; 191 #endif 192 default: 193 return 1; 194 } 195 196 return 0; 197 } 198 199 /* 200 * compare two sockaddr with strict match on port. 201 * OUT: 0: equal. 202 * 1: not equal. 203 */ 204 int 205 cmpsaddrstrict(addr1, addr2) 206 const struct sockaddr *addr1; 207 const struct sockaddr *addr2; 208 { 209 caddr_t sa1, sa2; 210 u_short port1, port2; 211 212 if (addr1 == 0 && addr2 == 0) 213 return 0; 214 if (addr1 == 0 || addr2 == 0) 215 return 1; 216 217 #ifdef __linux__ 218 if (addr1->sa_family != addr2->sa_family) 219 return 1; 220 #else 221 if (addr1->sa_len != addr2->sa_len 222 || addr1->sa_family != addr2->sa_family) 223 return 1; 224 225 #endif /* __linux__ */ 226 227 switch (addr1->sa_family) { 228 case AF_INET: 229 sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr; 230 sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr; 231 port1 = ((struct sockaddr_in *)addr1)->sin_port; 232 port2 = ((struct sockaddr_in *)addr2)->sin_port; 233 if (port1 != port2) 234 return 1; 235 if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0) 236 return 1; 237 break; 238 #ifdef INET6 239 case AF_INET6: 240 sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr; 241 sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr; 242 port1 = ((struct sockaddr_in6 *)addr1)->sin6_port; 243 port2 = ((struct sockaddr_in6 *)addr2)->sin6_port; 244 if (port1 != port2) 245 return 1; 246 if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0) 247 return 1; 248 if (((struct sockaddr_in6 *)addr1)->sin6_scope_id != 249 ((struct sockaddr_in6 *)addr2)->sin6_scope_id) 250 return 1; 251 break; 252 #endif 253 default: 254 return 1; 255 } 256 257 return 0; 258 } 259 260 #ifdef ANDROID_PATCHED 261 262 struct sockaddr *getlocaladdr(struct sockaddr *remote) 263 { 264 struct sockaddr_storage local; 265 socklen_t len = sysdep_sa_len(remote); 266 int s = socket(remote->sa_family, SOCK_DGRAM, 0); 267 #ifdef ANDROID_CHANGES 268 protectFromVpn(s); 269 #endif 270 271 if (s == -1 || connect(s, remote, len) == -1 || 272 getsockname(s, (struct sockaddr *)&local, &len) == -1) { 273 close(s); 274 return NULL; 275 } 276 close(s); 277 return dupsaddr((struct sockaddr *)&local); 278 } 279 280 int recvfromto(int s, void *buf, size_t len, int flags, struct sockaddr *from, 281 socklen_t *fromlen, struct sockaddr *to, unsigned int *tolen) 282 { 283 if (getsockname(s, to, (socklen_t *)tolen) == -1) { 284 return -1; 285 } 286 return recvfrom(s, buf, len, flags, from, fromlen); 287 } 288 289 int sendfromto(int s, const void *buf, size_t len, struct sockaddr *from, 290 struct sockaddr *to, int count) 291 { 292 int i; 293 for (i = 0; i < count; ++i) { 294 if (sendto(s, buf, len, 0, to, sysdep_sa_len(to)) == -1) { 295 return -1; 296 } 297 } 298 return len; 299 } 300 301 int setsockopt_bypass(int s, int family) 302 { 303 struct sadb_x_policy p = { 304 .sadb_x_policy_len = PFKEY_UNIT64(sizeof(struct sadb_x_policy)), 305 .sadb_x_policy_exttype = SADB_X_EXT_POLICY, 306 .sadb_x_policy_type = IPSEC_POLICY_BYPASS, 307 .sadb_x_policy_dir = IPSEC_DIR_INBOUND, 308 #ifdef HAVE_PFKEY_POLICY_PRIORITY 309 .sadb_x_policy_priority = PRIORITY_DEFAULT, 310 #endif 311 }; 312 int level = (family == AF_INET) ? IPPROTO_IP : IPPROTO_IPV6; 313 int option = (family == AF_INET) ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY; 314 int len = PFKEY_EXTLEN(&p); 315 if (setsockopt(s, level, option, &p, len) == -1) { 316 plog(LLV_WARNING, LOCATION, NULL, "setsockopt in bypass: %s\n", 317 strerror(errno)); 318 } 319 p.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND; 320 if (setsockopt(s, level, option, &p, len) == -1) { 321 plog(LLV_WARNING, LOCATION, NULL, "setsockopt out bypass: %s\n", 322 strerror(errno)); 323 } 324 return 0; 325 } 326 327 #else 328 329 /* get local address against the destination. */ 330 struct sockaddr * 331 getlocaladdr(remote) 332 struct sockaddr *remote; 333 { 334 struct sockaddr *local; 335 u_int local_len = sizeof(struct sockaddr_storage); 336 int s; /* for dummy connection */ 337 338 /* allocate buffer */ 339 if ((local = racoon_calloc(1, local_len)) == NULL) { 340 plog(LLV_ERROR, LOCATION, NULL, 341 "failed to get address buffer.\n"); 342 goto err; 343 } 344 345 /* get real interface received packet */ 346 if ((s = socket(remote->sa_family, SOCK_DGRAM, 0)) < 0) { 347 plog(LLV_ERROR, LOCATION, NULL, 348 "socket (%s)\n", strerror(errno)); 349 goto err; 350 } 351 #ifdef ANDROID_CHANGES 352 protectFromVpn(s); 353 #endif 354 355 setsockopt_bypass(s, remote->sa_family); 356 357 if (connect(s, remote, sysdep_sa_len(remote)) < 0) { 358 plog(LLV_ERROR, LOCATION, NULL, 359 "connect (%s)\n", strerror(errno)); 360 close(s); 361 goto err; 362 } 363 364 if (getsockname(s, local, &local_len) < 0) { 365 plog(LLV_ERROR, LOCATION, NULL, 366 "getsockname (%s)\n", strerror(errno)); 367 close(s); 368 return NULL; 369 } 370 371 close(s); 372 return local; 373 374 err: 375 if (local != NULL) 376 racoon_free(local); 377 return NULL; 378 } 379 380 /* 381 * Receive packet, with src/dst information. It is assumed that necessary 382 * setsockopt() have already performed on socket. 383 */ 384 int 385 recvfromto(s, buf, buflen, flags, from, fromlen, to, tolen) 386 int s; 387 void *buf; 388 size_t buflen; 389 int flags; 390 struct sockaddr *from; 391 socklen_t *fromlen; 392 struct sockaddr *to; 393 u_int *tolen; 394 { 395 int otolen; 396 u_int len; 397 struct sockaddr_storage ss; 398 struct msghdr m; 399 struct cmsghdr *cm; 400 struct iovec iov[2]; 401 u_char cmsgbuf[256]; 402 #if defined(INET6) && defined(INET6_ADVAPI) 403 struct in6_pktinfo *pi; 404 #endif /*INET6_ADVAPI*/ 405 struct sockaddr_in *sin; 406 #ifdef INET6 407 struct sockaddr_in6 *sin6; 408 #endif 409 410 len = sizeof(ss); 411 if (getsockname(s, (struct sockaddr *)&ss, &len) < 0) { 412 plog(LLV_ERROR, LOCATION, NULL, 413 "getsockname (%s)\n", strerror(errno)); 414 return -1; 415 } 416 417 m.msg_name = (caddr_t)from; 418 m.msg_namelen = *fromlen; 419 iov[0].iov_base = (caddr_t)buf; 420 iov[0].iov_len = buflen; 421 m.msg_iov = iov; 422 m.msg_iovlen = 1; 423 memset(cmsgbuf, 0, sizeof(cmsgbuf)); 424 cm = (struct cmsghdr *)cmsgbuf; 425 m.msg_control = (caddr_t)cm; 426 m.msg_controllen = sizeof(cmsgbuf); 427 if ((len = recvmsg(s, &m, flags)) < 0) { 428 plog(LLV_ERROR, LOCATION, NULL, 429 "recvmsg (%s)\n", strerror(errno)); 430 return -1; 431 } 432 *fromlen = m.msg_namelen; 433 434 otolen = *tolen; 435 *tolen = 0; 436 for (cm = (struct cmsghdr *)CMSG_FIRSTHDR(&m); 437 m.msg_controllen != 0 && cm; 438 cm = (struct cmsghdr *)CMSG_NXTHDR(&m, cm)) { 439 #if 0 440 plog(LLV_ERROR, LOCATION, NULL, 441 "cmsg %d %d\n", cm->cmsg_level, cm->cmsg_type);) 442 #endif 443 #if defined(INET6) && defined(INET6_ADVAPI) 444 if (ss.ss_family == AF_INET6 445 && cm->cmsg_level == IPPROTO_IPV6 446 && cm->cmsg_type == IPV6_PKTINFO 447 && otolen >= sizeof(*sin6)) { 448 pi = (struct in6_pktinfo *)(CMSG_DATA(cm)); 449 *tolen = sizeof(*sin6); 450 sin6 = (struct sockaddr_in6 *)to; 451 memset(sin6, 0, sizeof(*sin6)); 452 sin6->sin6_family = AF_INET6; 453 #ifndef __linux__ 454 sin6->sin6_len = sizeof(*sin6); 455 #endif 456 memcpy(&sin6->sin6_addr, &pi->ipi6_addr, 457 sizeof(sin6->sin6_addr)); 458 /* XXX other cases, such as site-local? */ 459 if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 460 sin6->sin6_scope_id = pi->ipi6_ifindex; 461 else 462 sin6->sin6_scope_id = 0; 463 sin6->sin6_port = 464 ((struct sockaddr_in6 *)&ss)->sin6_port; 465 otolen = -1; /* "to" already set */ 466 continue; 467 } 468 #endif 469 #ifdef __linux__ 470 if (ss.ss_family == AF_INET 471 && cm->cmsg_level == IPPROTO_IP 472 && cm->cmsg_type == IP_PKTINFO 473 && otolen >= sizeof(sin)) { 474 struct in_pktinfo *pi = (struct in_pktinfo *)(CMSG_DATA(cm)); 475 *tolen = sizeof(*sin); 476 sin = (struct sockaddr_in *)to; 477 memset(sin, 0, sizeof(*sin)); 478 sin->sin_family = AF_INET; 479 memcpy(&sin->sin_addr, &pi->ipi_addr, 480 sizeof(sin->sin_addr)); 481 sin->sin_port = 482 ((struct sockaddr_in *)&ss)->sin_port; 483 otolen = -1; /* "to" already set */ 484 continue; 485 } 486 #endif 487 #if defined(INET6) && defined(IPV6_RECVDSTADDR) 488 if (ss.ss_family == AF_INET6 489 && cm->cmsg_level == IPPROTO_IPV6 490 && cm->cmsg_type == IPV6_RECVDSTADDR 491 && otolen >= sizeof(*sin6)) { 492 *tolen = sizeof(*sin6); 493 sin6 = (struct sockaddr_in6 *)to; 494 memset(sin6, 0, sizeof(*sin6)); 495 sin6->sin6_family = AF_INET6; 496 sin6->sin6_len = sizeof(*sin6); 497 memcpy(&sin6->sin6_addr, CMSG_DATA(cm), 498 sizeof(sin6->sin6_addr)); 499 sin6->sin6_port = 500 ((struct sockaddr_in6 *)&ss)->sin6_port; 501 otolen = -1; /* "to" already set */ 502 continue; 503 } 504 #endif 505 #ifndef __linux__ 506 if (ss.ss_family == AF_INET 507 && cm->cmsg_level == IPPROTO_IP 508 && cm->cmsg_type == IP_RECVDSTADDR 509 && otolen >= sizeof(*sin)) { 510 *tolen = sizeof(*sin); 511 sin = (struct sockaddr_in *)to; 512 memset(sin, 0, sizeof(*sin)); 513 sin->sin_family = AF_INET; 514 sin->sin_len = sizeof(*sin); 515 memcpy(&sin->sin_addr, CMSG_DATA(cm), 516 sizeof(sin->sin_addr)); 517 sin->sin_port = ((struct sockaddr_in *)&ss)->sin_port; 518 otolen = -1; /* "to" already set */ 519 continue; 520 } 521 #endif 522 } 523 524 return len; 525 } 526 527 /* send packet, with fixing src/dst address pair. */ 528 int 529 sendfromto(s, buf, buflen, src, dst, cnt) 530 int s, cnt; 531 const void *buf; 532 size_t buflen; 533 struct sockaddr *src; 534 struct sockaddr *dst; 535 { 536 struct sockaddr_storage ss; 537 u_int len; 538 int i; 539 540 if (src->sa_family != dst->sa_family) { 541 plog(LLV_ERROR, LOCATION, NULL, 542 "address family mismatch\n"); 543 return -1; 544 } 545 546 len = sizeof(ss); 547 if (getsockname(s, (struct sockaddr *)&ss, &len) < 0) { 548 plog(LLV_ERROR, LOCATION, NULL, 549 "getsockname (%s)\n", strerror(errno)); 550 return -1; 551 } 552 553 plog(LLV_DEBUG, LOCATION, NULL, 554 "sockname %s\n", saddr2str((struct sockaddr *)&ss)); 555 plog(LLV_DEBUG, LOCATION, NULL, 556 "send packet from %s\n", saddr2str(src)); 557 plog(LLV_DEBUG, LOCATION, NULL, 558 "send packet to %s\n", saddr2str(dst)); 559 560 if (src->sa_family != ss.ss_family) { 561 plog(LLV_ERROR, LOCATION, NULL, 562 "address family mismatch\n"); 563 return -1; 564 } 565 566 switch (src->sa_family) { 567 #if defined(INET6) && defined(INET6_ADVAPI) 568 // XXX: This block wasn't compiled on Linux - does it work? 569 case AF_INET6: 570 { 571 struct msghdr m; 572 struct cmsghdr *cm; 573 struct iovec iov[2]; 574 u_char cmsgbuf[256]; 575 struct in6_pktinfo *pi; 576 int ifindex; 577 struct sockaddr_in6 src6, dst6; 578 579 memcpy(&src6, src, sizeof(src6)); 580 memcpy(&dst6, dst, sizeof(dst6)); 581 582 /* XXX take care of other cases, such as site-local */ 583 ifindex = 0; 584 if (IN6_IS_ADDR_LINKLOCAL(&src6.sin6_addr) 585 || IN6_IS_ADDR_MULTICAST(&src6.sin6_addr)) { 586 ifindex = src6.sin6_scope_id; /*???*/ 587 } 588 589 /* XXX some sanity check on dst6.sin6_scope_id */ 590 591 /* flowinfo for IKE? mmm, maybe useful but for now make it 0 */ 592 src6.sin6_flowinfo = dst6.sin6_flowinfo = 0; 593 594 memset(&m, 0, sizeof(m)); 595 m.msg_name = (caddr_t)&dst6; 596 m.msg_namelen = sizeof(dst6); 597 iov[0].iov_base = (char *)buf; 598 iov[0].iov_len = buflen; 599 m.msg_iov = iov; 600 m.msg_iovlen = 1; 601 602 memset(cmsgbuf, 0, sizeof(cmsgbuf)); 603 cm = (struct cmsghdr *)cmsgbuf; 604 m.msg_control = (caddr_t)cm; 605 m.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo)); 606 607 cm->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); 608 cm->cmsg_level = IPPROTO_IPV6; 609 cm->cmsg_type = IPV6_PKTINFO; 610 pi = (struct in6_pktinfo *)CMSG_DATA(cm); 611 memcpy(&pi->ipi6_addr, &src6.sin6_addr, sizeof(src6.sin6_addr)); 612 pi->ipi6_ifindex = ifindex; 613 614 plog(LLV_DEBUG, LOCATION, NULL, 615 "src6 %s %d\n", 616 saddr2str((struct sockaddr *)&src6), 617 src6.sin6_scope_id); 618 plog(LLV_DEBUG, LOCATION, NULL, 619 "dst6 %s %d\n", 620 saddr2str((struct sockaddr *)&dst6), 621 dst6.sin6_scope_id); 622 623 for (i = 0; i < cnt; i++) { 624 len = sendmsg(s, &m, 0 /*MSG_DONTROUTE*/); 625 if (len < 0) { 626 plog(LLV_ERROR, LOCATION, NULL, 627 "sendmsg (%s)\n", strerror(errno)); 628 return -1; 629 } 630 plog(LLV_DEBUG, LOCATION, NULL, 631 "%d times of %d bytes message will be sent " 632 "to %s\n", 633 i + 1, len, saddr2str(dst)); 634 } 635 plogdump(LLV_DEBUG, (char *)buf, buflen); 636 637 return len; 638 } 639 #endif 640 #ifdef __linux__ 641 case AF_INET: 642 { 643 struct msghdr m; 644 struct cmsghdr *cm; 645 struct iovec iov[2]; 646 u_char cmsgbuf[256]; 647 struct in_pktinfo *pi; 648 int ifindex = 0; 649 struct sockaddr_in src6, dst6; 650 651 memcpy(&src6, src, sizeof(src6)); 652 memcpy(&dst6, dst, sizeof(dst6)); 653 654 memset(&m, 0, sizeof(m)); 655 m.msg_name = (caddr_t)&dst6; 656 m.msg_namelen = sizeof(dst6); 657 iov[0].iov_base = (char *)buf; 658 iov[0].iov_len = buflen; 659 m.msg_iov = iov; 660 m.msg_iovlen = 1; 661 662 memset(cmsgbuf, 0, sizeof(cmsgbuf)); 663 cm = (struct cmsghdr *)cmsgbuf; 664 m.msg_control = (caddr_t)cm; 665 m.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo)); 666 667 cm->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); 668 cm->cmsg_level = IPPROTO_IP; 669 cm->cmsg_type = IP_PKTINFO; 670 pi = (struct in_pktinfo *)CMSG_DATA(cm); 671 memcpy(&pi->ipi_spec_dst, &src6.sin_addr, sizeof(src6.sin_addr)); 672 pi->ipi_ifindex = ifindex; 673 674 plog(LLV_DEBUG, LOCATION, NULL, 675 "src4 %s\n", 676 saddr2str((struct sockaddr *)&src6)); 677 plog(LLV_DEBUG, LOCATION, NULL, 678 "dst4 %s\n", 679 saddr2str((struct sockaddr *)&dst6)); 680 681 for (i = 0; i < cnt; i++) { 682 len = sendmsg(s, &m, 0 /*MSG_DONTROUTE*/); 683 if (len < 0) { 684 plog(LLV_ERROR, LOCATION, NULL, 685 "sendmsg (%s)\n", strerror(errno)); 686 return -1; 687 } 688 plog(LLV_DEBUG, LOCATION, NULL, 689 "%d times of %d bytes message will be sent " 690 "to %s\n", 691 i + 1, len, saddr2str(dst)); 692 } 693 plogdump(LLV_DEBUG, (char *)buf, buflen); 694 695 return len; 696 } 697 #endif /* __linux__ */ 698 default: 699 { 700 int needclose = 0; 701 int sendsock; 702 703 if (ss.ss_family == src->sa_family && memcmp(&ss, src, sysdep_sa_len(src)) == 0) { 704 sendsock = s; 705 needclose = 0; 706 } else { 707 int yes = 1; 708 /* 709 * Use newly opened socket for sending packets. 710 * NOTE: this is unsafe, because if the peer is quick enough 711 * the packet from the peer may be queued into sendsock. 712 * Better approach is to prepare bind'ed udp sockets for 713 * each of the interface addresses. 714 */ 715 sendsock = socket(src->sa_family, SOCK_DGRAM, 0); 716 if (sendsock < 0) { 717 plog(LLV_ERROR, LOCATION, NULL, 718 "socket (%s)\n", strerror(errno)); 719 return -1; 720 } 721 #ifdef ANDROID_CHANGES 722 protectFromVpn(sendsock); 723 #endif 724 725 if (setsockopt(sendsock, SOL_SOCKET, 726 #ifdef __linux__ 727 SO_REUSEADDR, 728 #else 729 SO_REUSEPORT, 730 #endif 731 (void *)&yes, sizeof(yes)) < 0) { 732 plog(LLV_ERROR, LOCATION, NULL, 733 "setsockopt SO_REUSEPORT (%s)\n", 734 strerror(errno)); 735 close(sendsock); 736 return -1; 737 } 738 #ifdef IPV6_USE_MIN_MTU 739 if (src->sa_family == AF_INET6 && 740 setsockopt(sendsock, IPPROTO_IPV6, IPV6_USE_MIN_MTU, 741 (void *)&yes, sizeof(yes)) < 0) { 742 plog(LLV_ERROR, LOCATION, NULL, 743 "setsockopt IPV6_USE_MIN_MTU (%s)\n", 744 strerror(errno)); 745 close(sendsock); 746 return -1; 747 } 748 #endif 749 if (setsockopt_bypass(sendsock, src->sa_family) < 0) { 750 close(sendsock); 751 return -1; 752 } 753 754 if (bind(sendsock, (struct sockaddr *)src, sysdep_sa_len(src)) < 0) { 755 plog(LLV_ERROR, LOCATION, NULL, 756 "bind 1 (%s)\n", strerror(errno)); 757 close(sendsock); 758 return -1; 759 } 760 needclose = 1; 761 } 762 763 for (i = 0; i < cnt; i++) { 764 len = sendto(sendsock, buf, buflen, 0, dst, sysdep_sa_len(dst)); 765 if (len < 0) { 766 plog(LLV_ERROR, LOCATION, NULL, 767 "sendto (%s)\n", strerror(errno)); 768 if (needclose) 769 close(sendsock); 770 return len; 771 } 772 plog(LLV_DEBUG, LOCATION, NULL, 773 "%d times of %d bytes message will be sent " 774 "to %s\n", 775 i + 1, len, saddr2str(dst)); 776 } 777 plogdump(LLV_DEBUG, (char *)buf, buflen); 778 779 if (needclose) 780 close(sendsock); 781 782 return len; 783 } 784 } 785 } 786 787 int 788 setsockopt_bypass(so, family) 789 int so, family; 790 { 791 int level; 792 char *buf; 793 char *policy; 794 795 switch (family) { 796 case AF_INET: 797 level = IPPROTO_IP; 798 break; 799 #ifdef INET6 800 case AF_INET6: 801 level = IPPROTO_IPV6; 802 break; 803 #endif 804 default: 805 plog(LLV_ERROR, LOCATION, NULL, 806 "unsupported address family %d\n", family); 807 return -1; 808 } 809 810 policy = "in bypass"; 811 buf = ipsec_set_policy(policy, strlen(policy)); 812 if (buf == NULL) { 813 plog(LLV_ERROR, LOCATION, NULL, 814 "ipsec_set_policy (%s)\n", 815 ipsec_strerror()); 816 return -1; 817 } 818 if (setsockopt(so, level, 819 (level == IPPROTO_IP ? 820 IP_IPSEC_POLICY : IPV6_IPSEC_POLICY), 821 buf, ipsec_get_policylen(buf)) < 0) { 822 plog(LLV_ERROR, LOCATION, NULL, 823 "setsockopt IP_IPSEC_POLICY (%s)\n", 824 strerror(errno)); 825 return -1; 826 } 827 racoon_free(buf); 828 829 policy = "out bypass"; 830 buf = ipsec_set_policy(policy, strlen(policy)); 831 if (buf == NULL) { 832 plog(LLV_ERROR, LOCATION, NULL, 833 "ipsec_set_policy (%s)\n", 834 ipsec_strerror()); 835 return -1; 836 } 837 if (setsockopt(so, level, 838 (level == IPPROTO_IP ? 839 IP_IPSEC_POLICY : IPV6_IPSEC_POLICY), 840 buf, ipsec_get_policylen(buf)) < 0) { 841 plog(LLV_ERROR, LOCATION, NULL, 842 "setsockopt IP_IPSEC_POLICY (%s)\n", 843 strerror(errno)); 844 return -1; 845 } 846 racoon_free(buf); 847 848 return 0; 849 } 850 851 struct sockaddr * 852 newsaddr(len) 853 int len; 854 { 855 struct sockaddr *new; 856 857 if ((new = racoon_calloc(1, len)) == NULL) { 858 plog(LLV_ERROR, LOCATION, NULL, 859 "%s\n", strerror(errno)); 860 goto out; 861 } 862 863 #ifdef __linux__ 864 if (len == sizeof (struct sockaddr_in6)) 865 new->sa_family = AF_INET6; 866 else 867 new->sa_family = AF_INET; 868 #else 869 /* initial */ 870 new->sa_len = len; 871 #endif 872 out: 873 return new; 874 } 875 876 #endif 877 878 struct sockaddr * 879 dupsaddr(src) 880 struct sockaddr *src; 881 { 882 struct sockaddr *dst; 883 884 dst = racoon_calloc(1, sysdep_sa_len(src)); 885 if (dst == NULL) { 886 plog(LLV_ERROR, LOCATION, NULL, 887 "%s\n", strerror(errno)); 888 return NULL; 889 } 890 891 memcpy(dst, src, sysdep_sa_len(src)); 892 893 return dst; 894 } 895 896 char * 897 saddr2str(saddr) 898 const struct sockaddr *saddr; 899 { 900 static char buf[NI_MAXHOST + NI_MAXSERV + 10]; 901 char addr[NI_MAXHOST], port[NI_MAXSERV]; 902 903 if (saddr == NULL) 904 return NULL; 905 906 if (saddr->sa_family == AF_UNSPEC) 907 snprintf (buf, sizeof(buf), "%s", "anonymous"); 908 else { 909 GETNAMEINFO(saddr, addr, port); 910 snprintf(buf, sizeof(buf), "%s[%s]", addr, port); 911 } 912 913 return buf; 914 } 915 916 char * 917 saddrwop2str(saddr) 918 const struct sockaddr *saddr; 919 { 920 static char buf[NI_MAXHOST + NI_MAXSERV + 10]; 921 char addr[NI_MAXHOST]; 922 923 if (saddr == NULL) 924 return NULL; 925 926 GETNAMEINFO_NULL(saddr, addr); 927 snprintf(buf, sizeof(buf), "%s", addr); 928 929 return buf; 930 } 931 932 char * 933 naddrwop2str(const struct netaddr *naddr) 934 { 935 static char buf[NI_MAXHOST + 10]; 936 static const struct sockaddr sa_any; /* this is initialized to all zeros */ 937 938 if (naddr == NULL) 939 return NULL; 940 941 if (memcmp(&naddr->sa, &sa_any, sizeof(sa_any)) == 0) 942 snprintf(buf, sizeof(buf), "%s", "any"); 943 else { 944 snprintf(buf, sizeof(buf), "%s", saddrwop2str(&naddr->sa.sa)); 945 snprintf(&buf[strlen(buf)], sizeof(buf) - strlen(buf), "/%ld", naddr->prefix); 946 } 947 return buf; 948 } 949 950 char * 951 naddrwop2str_fromto(const char *format, const struct netaddr *saddr, 952 const struct netaddr *daddr) 953 { 954 static char buf[2*(NI_MAXHOST + NI_MAXSERV + 10) + 100]; 955 char *src, *dst; 956 957 src = racoon_strdup(naddrwop2str(saddr)); 958 dst = racoon_strdup(naddrwop2str(daddr)); 959 STRDUP_FATAL(src); 960 STRDUP_FATAL(dst); 961 /* WARNING: Be careful about the format string! Don't 962 ever pass in something that a user can modify!!! */ 963 snprintf (buf, sizeof(buf), format, src, dst); 964 racoon_free (src); 965 racoon_free (dst); 966 967 return buf; 968 } 969 970 char * 971 saddr2str_fromto(format, saddr, daddr) 972 const char *format; 973 const struct sockaddr *saddr; 974 const struct sockaddr *daddr; 975 { 976 static char buf[2*(NI_MAXHOST + NI_MAXSERV + 10) + 100]; 977 char *src, *dst; 978 979 src = racoon_strdup(saddr2str(saddr)); 980 dst = racoon_strdup(saddr2str(daddr)); 981 STRDUP_FATAL(src); 982 STRDUP_FATAL(dst); 983 /* WARNING: Be careful about the format string! Don't 984 ever pass in something that a user can modify!!! */ 985 snprintf (buf, sizeof(buf), format, src, dst); 986 racoon_free (src); 987 racoon_free (dst); 988 989 return buf; 990 } 991 992 struct sockaddr * 993 str2saddr(host, port) 994 char *host; 995 char *port; 996 { 997 struct addrinfo hints, *res; 998 struct sockaddr *saddr; 999 int error; 1000 1001 memset(&hints, 0, sizeof(hints)); 1002 hints.ai_family = PF_UNSPEC; 1003 hints.ai_socktype = SOCK_DGRAM; 1004 hints.ai_flags = AI_NUMERICHOST; 1005 error = getaddrinfo(host, port, &hints, &res); 1006 if (error != 0) { 1007 plog(LLV_ERROR, LOCATION, NULL, 1008 "getaddrinfo(%s%s%s): %s\n", 1009 host, port ? "," : "", port ? port : "", 1010 gai_strerror(error)); 1011 return NULL; 1012 } 1013 if (res->ai_next != NULL) { 1014 plog(LLV_WARNING, LOCATION, NULL, 1015 "getaddrinfo(%s%s%s): " 1016 "resolved to multiple address, " 1017 "taking the first one\n", 1018 host, port ? "," : "", port ? port : ""); 1019 } 1020 saddr = racoon_malloc(res->ai_addrlen); 1021 if (saddr == NULL) { 1022 plog(LLV_ERROR, LOCATION, NULL, 1023 "failed to allocate buffer.\n"); 1024 freeaddrinfo(res); 1025 return NULL; 1026 } 1027 memcpy(saddr, res->ai_addr, res->ai_addrlen); 1028 freeaddrinfo(res); 1029 1030 return saddr; 1031 } 1032 1033 void 1034 mask_sockaddr(a, b, l) 1035 struct sockaddr *a; 1036 const struct sockaddr *b; 1037 size_t l; 1038 { 1039 size_t i; 1040 u_int8_t *p, alen; 1041 1042 switch (b->sa_family) { 1043 case AF_INET: 1044 alen = sizeof(struct in_addr); 1045 p = (u_int8_t *)&((struct sockaddr_in *)a)->sin_addr; 1046 break; 1047 #ifdef INET6 1048 case AF_INET6: 1049 alen = sizeof(struct in6_addr); 1050 p = (u_int8_t *)&((struct sockaddr_in6 *)a)->sin6_addr; 1051 break; 1052 #endif 1053 default: 1054 plog(LLV_ERROR, LOCATION, NULL, 1055 "invalid family: %d\n", b->sa_family); 1056 exit(1); 1057 } 1058 1059 if ((alen << 3) < l) { 1060 plog(LLV_ERROR, LOCATION, NULL, 1061 "unexpected inconsistency: %d %zu\n", b->sa_family, l); 1062 exit(1); 1063 } 1064 1065 memcpy(a, b, sysdep_sa_len(b)); 1066 p[l / 8] &= (0xff00 >> (l % 8)) & 0xff; 1067 for (i = l / 8 + 1; i < alen; i++) 1068 p[i] = 0x00; 1069 } 1070 1071 /* Compute a score describing how "accurate" a netaddr is for a given sockaddr. 1072 * Examples: 1073 * Return values for address 10.20.30.40 [port 500] and given netaddresses... 1074 * 10.10.0.0/16 => -1 ... doesn't match 1075 * 0.0.0.0/0 => 0 ... matches, but only 0 bits. 1076 * 10.20.0.0/16 => 16 ... 16 bits match 1077 * 10.20.30.0/24 => 24 ... guess what ;-) 1078 * 10.20.30.40/32 => 32 ... whole address match 1079 * 10.20.30.40:500 => 33 ... both address and port match 1080 * 10.20.30.40:501 => -1 ... port doesn't match and isn't 0 (=any) 1081 */ 1082 int 1083 naddr_score(const struct netaddr *naddr, const struct sockaddr *saddr) 1084 { 1085 static const struct netaddr naddr_any; /* initialized to all-zeros */ 1086 struct sockaddr sa; 1087 u_int16_t naddr_port, saddr_port; 1088 int port_score; 1089 1090 if (!naddr || !saddr) { 1091 plog(LLV_ERROR, LOCATION, NULL, 1092 "Call with null args: naddr=%p, saddr=%p\n", 1093 naddr, saddr); 1094 return -1; 1095 } 1096 1097 /* Wildcard address matches, but only 0 bits. */ 1098 if (memcmp(naddr, &naddr_any, sizeof(naddr_any)) == 0) 1099 return 0; 1100 1101 /* If families don't match we really can't do much... */ 1102 if (naddr->sa.sa.sa_family != saddr->sa_family) 1103 return -1; 1104 1105 /* If port check fail don't bother to check addresses. */ 1106 naddr_port = extract_port(&naddr->sa.sa); 1107 saddr_port = extract_port(saddr); 1108 if (naddr_port == 0 || saddr_port == 0) /* wildcard match */ 1109 port_score = 0; 1110 else if (naddr_port == saddr_port) /* exact match */ 1111 port_score = 1; 1112 else /* mismatch :-) */ 1113 return -1; 1114 1115 /* Here it comes - compare network addresses. */ 1116 mask_sockaddr(&sa, saddr, naddr->prefix); 1117 if (loglevel >= LLV_DEBUG) { /* debug only */ 1118 char *a1, *a2, *a3; 1119 a1 = racoon_strdup(naddrwop2str(naddr)); 1120 a2 = racoon_strdup(saddrwop2str(saddr)); 1121 a3 = racoon_strdup(saddrwop2str(&sa)); 1122 STRDUP_FATAL(a1); 1123 STRDUP_FATAL(a2); 1124 STRDUP_FATAL(a3); 1125 plog(LLV_DEBUG, LOCATION, NULL, 1126 "naddr=%s, saddr=%s (masked=%s)\n", 1127 a1, a2, a3); 1128 free(a1); 1129 free(a2); 1130 free(a3); 1131 } 1132 if (cmpsaddrwop(&sa, &naddr->sa.sa) == 0) 1133 return naddr->prefix + port_score; 1134 1135 return -1; 1136 } 1137 1138 /* Some usefull functions for sockaddr port manipulations. */ 1139 u_int16_t 1140 extract_port (const struct sockaddr *addr) 1141 { 1142 u_int16_t port = 0; 1143 1144 if (!addr) 1145 return port; 1146 1147 switch (addr->sa_family) { 1148 case AF_INET: 1149 port = ((struct sockaddr_in *)addr)->sin_port; 1150 break; 1151 case AF_INET6: 1152 port = ((struct sockaddr_in6 *)addr)->sin6_port; 1153 break; 1154 default: 1155 plog(LLV_ERROR, LOCATION, NULL, "unknown AF: %u\n", addr->sa_family); 1156 break; 1157 } 1158 1159 return ntohs(port); 1160 } 1161 1162 u_int16_t * 1163 get_port_ptr (struct sockaddr *addr) 1164 { 1165 u_int16_t *port_ptr; 1166 1167 if (!addr) 1168 return NULL; 1169 1170 switch (addr->sa_family) { 1171 case AF_INET: 1172 port_ptr = &(((struct sockaddr_in *)addr)->sin_port); 1173 break; 1174 case AF_INET6: 1175 port_ptr = &(((struct sockaddr_in6 *)addr)->sin6_port); 1176 break; 1177 default: 1178 plog(LLV_ERROR, LOCATION, NULL, "unknown AF: %u\n", addr->sa_family); 1179 return NULL; 1180 break; 1181 } 1182 1183 return port_ptr; 1184 } 1185 1186 u_int16_t * 1187 set_port (struct sockaddr *addr, u_int16_t new_port) 1188 { 1189 u_int16_t *port_ptr; 1190 1191 port_ptr = get_port_ptr (addr); 1192 1193 if (port_ptr) 1194 *port_ptr = htons(new_port); 1195 1196 return port_ptr; 1197 } 1198
