blob: 9301717ffec0c13dabef47016c3e47a37b52f147 [file] [log] [blame]
/* $NetBSD: sockmisc.c,v 1.19 2011/03/14 17:18:13 tteras Exp $ */
/* Id: sockmisc.c,v 1.24 2006/05/07 21:32:59 manubsd Exp */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "config.h"
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <netinet/in.h>
#include PATH_IPSEC_H
#if defined(INET6) && !defined(INET6_ADVAPI) && \
defined(IP_RECVDSTADDR) && !defined(IPV6_RECVDSTADDR)
#define IPV6_RECVDSTADDR IP_RECVDSTADDR
#endif
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#include "var.h"
#include "misc.h"
#include "vmbuf.h"
#include "plog.h"
#include "sockmisc.h"
#include "debug.h"
#include "gcmalloc.h"
#include "debugrm.h"
#include "libpfkey.h"
#include "isakmp_var.h"
#ifdef NOUSE_PRIVSEP
#define BIND bind
#define SOCKET socket
#define SETSOCKOPT setsockopt
#else
#include "admin.h"
#include "privsep.h"
#define BIND privsep_bind
#define SOCKET privsep_socket
#define SETSOCKOPT privsep_setsockopt
#endif
const int niflags = 0;
/*
* compare two sockaddr with port, taking care wildcard.
* addr1 is a subject address, addr2 is in a database entry.
* OUT: 0: equal.
* 1: not equal.
*/
int
cmpsaddr(addr1, addr2)
const struct sockaddr *addr1;
const struct sockaddr *addr2;
{
caddr_t sa1, sa2;
u_short port1 = IPSEC_PORT_ANY;
u_short port2 = IPSEC_PORT_ANY;
if (addr1 == NULL && addr2 == NULL)
return CMPSADDR_MATCH;
if (addr1 == NULL || addr2 == NULL)
return CMPSADDR_MISMATCH;
if (addr1->sa_family != addr2->sa_family ||
sysdep_sa_len(addr1) != sysdep_sa_len(addr2))
return CMPSADDR_MISMATCH;
switch (addr1->sa_family) {
case AF_UNSPEC:
break;
case AF_INET:
sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
port1 = ((struct sockaddr_in *)addr1)->sin_port;
port2 = ((struct sockaddr_in *)addr2)->sin_port;
if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
return CMPSADDR_MISMATCH;
break;
#ifdef INET6
case AF_INET6:
sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
return CMPSADDR_MISMATCH;
if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
((struct sockaddr_in6 *)addr2)->sin6_scope_id)
return CMPSADDR_MISMATCH;
break;
#endif
default:
return CMPSADDR_MISMATCH;
}
if (port1 == port2)
return CMPSADDR_MATCH;
if (port1 == IPSEC_PORT_ANY ||
port2 == IPSEC_PORT_ANY)
return CMPSADDR_WILDPORT_MATCH;
return CMPSADDR_WOP_MATCH;
}
#ifdef ANDROID_PATCHED
struct sockaddr *getlocaladdr(struct sockaddr *remote)
{
struct sockaddr_storage local;
socklen_t len = sysdep_sa_len(remote);
int s = privsep_socket(remote->sa_family, SOCK_DGRAM, 0);
if (s == -1 || connect(s, remote, len) == -1 ||
getsockname(s, (struct sockaddr *)&local, &len) == -1) {
close(s);
return NULL;
}
close(s);
return dupsaddr((struct sockaddr *)&local);
}
int recvfromto(int s, void *buf, size_t len, int flags, struct sockaddr *from,
socklen_t *fromlen, struct sockaddr *to, unsigned int *tolen)
{
if (getsockname(s, to, (socklen_t *)tolen) == -1) {
return -1;
}
return recvfrom(s, buf, len, flags, from, fromlen);
}
int sendfromto(int s, const void *buf, size_t len, struct sockaddr *from,
struct sockaddr *to, int count)
{
int i;
for (i = 0; i < count; ++i) {
if (sendto(s, buf, len, 0, to, sysdep_sa_len(to)) == -1) {
return -1;
}
}
return len;
}
int setsockopt_bypass(int s, int family)
{
struct sadb_x_policy p = {
.sadb_x_policy_len = PFKEY_UNIT64(sizeof(struct sadb_x_policy)),
.sadb_x_policy_exttype = SADB_X_EXT_POLICY,
.sadb_x_policy_type = IPSEC_POLICY_BYPASS,
.sadb_x_policy_dir = IPSEC_DIR_INBOUND,
#ifdef HAVE_PFKEY_POLICY_PRIORITY
.sadb_x_policy_priority = PRIORITY_DEFAULT,
#endif
};
int level = (family == AF_INET) ? IPPROTO_IP : IPPROTO_IPV6;
int option = (family == AF_INET) ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY;
int len = PFKEY_EXTLEN(&p);
if (setsockopt(s, level, option, &p, len) == -1) {
plog(LLV_WARNING, LOCATION, NULL, "setsockopt in bypass: %s\n",
strerror(errno));
}
p.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
if (setsockopt(s, level, option, &p, len) == -1) {
plog(LLV_WARNING, LOCATION, NULL, "setsockopt out bypass: %s\n",
strerror(errno));
}
return 0;
}
#else
/* get local address against the destination. */
struct sockaddr *
getlocaladdr(remote)
struct sockaddr *remote;
{
struct sockaddr *local;
u_int local_len = sizeof(struct sockaddr_storage);
int s; /* for dummy connection */
/* allocate buffer */
if ((local = racoon_calloc(1, local_len)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to get address buffer.\n");
goto err;
}
/* get real interface received packet */
if ((s = SOCKET(remote->sa_family, SOCK_DGRAM, 0)) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"socket (%s)\n", strerror(errno));
goto err;
}
setsockopt_bypass(s, remote->sa_family);
if (connect(s, remote, sysdep_sa_len(remote)) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"connect (%s)\n", strerror(errno));
close(s);
goto err;
}
if (getsockname(s, local, &local_len) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"getsockname (%s)\n", strerror(errno));
close(s);
return NULL;
}
close(s);
return local;
err:
if (local != NULL)
racoon_free(local);
return NULL;
}
/*
* Receive packet, with src/dst information. It is assumed that necessary
* setsockopt() have already performed on socket.
*/
int
recvfromto(s, buf, buflen, flags, from, fromlen, to, tolen)
int s;
void *buf;
size_t buflen;
int flags;
struct sockaddr *from;
socklen_t *fromlen;
struct sockaddr *to;
u_int *tolen;
{
int otolen;
socklen_t slen;
int len;
union sockaddr_any sa;
struct msghdr m;
struct cmsghdr *cm;
struct iovec iov[2];
u_char cmsgbuf[256];
#if defined(INET6) && defined(INET6_ADVAPI)
struct in6_pktinfo *pi;
#endif /*INET6_ADVAPI*/
struct sockaddr_in *sin;
#ifdef INET6
struct sockaddr_in6 *sin6;
#endif
slen = sizeof(sa);
if (getsockname(s, &sa.sa, &slen) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"getsockname (%s)\n", strerror(errno));
return -1;
}
m.msg_name = (caddr_t)from;
m.msg_namelen = *fromlen;
iov[0].iov_base = (caddr_t)buf;
iov[0].iov_len = buflen;
m.msg_iov = iov;
m.msg_iovlen = 1;
memset(cmsgbuf, 0, sizeof(cmsgbuf));
cm = (struct cmsghdr *)cmsgbuf;
m.msg_control = (caddr_t)cm;
m.msg_controllen = sizeof(cmsgbuf);
if ((len = recvmsg(s, &m, flags)) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"recvmsg (%s)\n", strerror(errno));
return -1;
}
*fromlen = m.msg_namelen;
otolen = *tolen;
*tolen = 0;
for (cm = (struct cmsghdr *)CMSG_FIRSTHDR(&m);
m.msg_controllen != 0 && cm;
cm = (struct cmsghdr *)CMSG_NXTHDR(&m, cm)) {
#if 0
plog(LLV_ERROR, LOCATION, NULL,
"cmsg %d %d\n", cm->cmsg_level, cm->cmsg_type);)
#endif
#if defined(INET6) && defined(INET6_ADVAPI)
if (sa.sa.sa_family == AF_INET6
&& cm->cmsg_level == IPPROTO_IPV6
&& cm->cmsg_type == IPV6_PKTINFO
&& otolen >= sizeof(*sin6)) {
pi = (struct in6_pktinfo *)(CMSG_DATA(cm));
*tolen = sizeof(*sin6);
sin6 = (struct sockaddr_in6 *)to;
memset(sin6, 0, sizeof(*sin6));
sin6->sin6_family = AF_INET6;
#ifndef __linux__
sin6->sin6_len = sizeof(*sin6);
#endif
memcpy(&sin6->sin6_addr, &pi->ipi6_addr,
sizeof(sin6->sin6_addr));
/* XXX other cases, such as site-local? */
if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
sin6->sin6_scope_id = pi->ipi6_ifindex;
else
sin6->sin6_scope_id = 0;
sin6->sin6_port = sa.sin6.sin6_port;
otolen = -1; /* "to" already set */
continue;
}
#endif
#ifdef __linux__
if (sa.sa.sa_family == AF_INET
&& cm->cmsg_level == IPPROTO_IP
&& cm->cmsg_type == IP_PKTINFO
&& otolen >= sizeof(sin)) {
struct in_pktinfo *pi = (struct in_pktinfo *)(CMSG_DATA(cm));
*tolen = sizeof(*sin);
sin = (struct sockaddr_in *)to;
memset(sin, 0, sizeof(*sin));
sin->sin_family = AF_INET;
memcpy(&sin->sin_addr, &pi->ipi_addr,
sizeof(sin->sin_addr));
sin->sin_port = sa.sin.sin_port;
otolen = -1; /* "to" already set */
continue;
}
#endif
#if defined(INET6) && defined(IPV6_RECVDSTADDR)
if (sa.sa.sa_family == AF_INET6
&& cm->cmsg_level == IPPROTO_IPV6
&& cm->cmsg_type == IPV6_RECVDSTADDR
&& otolen >= sizeof(*sin6)) {
*tolen = sizeof(*sin6);
sin6 = (struct sockaddr_in6 *)to;
memset(sin6, 0, sizeof(*sin6));
sin6->sin6_family = AF_INET6;
sin6->sin6_len = sizeof(*sin6);
memcpy(&sin6->sin6_addr, CMSG_DATA(cm),
sizeof(sin6->sin6_addr));
sin6->sin6_port = sa.sin6.sin6_port;
otolen = -1; /* "to" already set */
continue;
}
#endif
#ifndef __linux__
if (sa.sa.sa_family == AF_INET
&& cm->cmsg_level == IPPROTO_IP
&& cm->cmsg_type == IP_RECVDSTADDR
&& otolen >= sizeof(*sin)) {
*tolen = sizeof(*sin);
sin = (struct sockaddr_in *)to;
memset(sin, 0, sizeof(*sin));
sin->sin_family = AF_INET;
sin->sin_len = sizeof(*sin);
memcpy(&sin->sin_addr, CMSG_DATA(cm),
sizeof(sin->sin_addr));
sin->sin_port = sa.sin.sin_port;
otolen = -1; /* "to" already set */
continue;
}
#endif
}
return len;
}
/* send packet, with fixing src/dst address pair. */
int
sendfromto(s, buf, buflen, src, dst, cnt)
int s, cnt;
const void *buf;
size_t buflen;
struct sockaddr *src;
struct sockaddr *dst;
{
struct sockaddr_storage ss;
socklen_t slen;
int len = 0;
int i;
if (src->sa_family != dst->sa_family) {
plog(LLV_ERROR, LOCATION, NULL,
"address family mismatch\n");
return -1;
}
slen = sizeof(ss);
if (getsockname(s, (struct sockaddr *)&ss, &slen) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"getsockname (%s)\n", strerror(errno));
return -1;
}
plog(LLV_DEBUG, LOCATION, NULL,
"sockname %s\n", saddr2str((struct sockaddr *)&ss));
plog(LLV_DEBUG, LOCATION, NULL,
"send packet from %s\n", saddr2str(src));
plog(LLV_DEBUG, LOCATION, NULL,
"send packet to %s\n", saddr2str(dst));
if (src->sa_family != ss.ss_family) {
plog(LLV_ERROR, LOCATION, NULL,
"address family mismatch\n");
return -1;
}
switch (src->sa_family) {
#if defined(INET6) && defined(INET6_ADVAPI)
// XXX: This block wasn't compiled on Linux - does it work?
case AF_INET6:
{
struct msghdr m;
struct cmsghdr *cm;
struct iovec iov[2];
u_char cmsgbuf[256];
struct in6_pktinfo *pi;
int ifindex;
struct sockaddr_in6 src6, dst6;
memcpy(&src6, src, sizeof(src6));
memcpy(&dst6, dst, sizeof(dst6));
/* XXX take care of other cases, such as site-local */
ifindex = 0;
if (IN6_IS_ADDR_LINKLOCAL(&src6.sin6_addr)
|| IN6_IS_ADDR_MULTICAST(&src6.sin6_addr)) {
ifindex = src6.sin6_scope_id; /*???*/
}
/* XXX some sanity check on dst6.sin6_scope_id */
/* flowinfo for IKE? mmm, maybe useful but for now make it 0 */
src6.sin6_flowinfo = dst6.sin6_flowinfo = 0;
memset(&m, 0, sizeof(m));
m.msg_name = (caddr_t)&dst6;
m.msg_namelen = sizeof(dst6);
iov[0].iov_base = (char *)buf;
iov[0].iov_len = buflen;
m.msg_iov = iov;
m.msg_iovlen = 1;
memset(cmsgbuf, 0, sizeof(cmsgbuf));
cm = (struct cmsghdr *)cmsgbuf;
m.msg_control = (caddr_t)cm;
m.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo));
cm->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
cm->cmsg_level = IPPROTO_IPV6;
cm->cmsg_type = IPV6_PKTINFO;
pi = (struct in6_pktinfo *)CMSG_DATA(cm);
memcpy(&pi->ipi6_addr, &src6.sin6_addr, sizeof(src6.sin6_addr));
pi->ipi6_ifindex = ifindex;
plog(LLV_DEBUG, LOCATION, NULL,
"src6 %s %d\n",
saddr2str((struct sockaddr *)&src6),
src6.sin6_scope_id);
plog(LLV_DEBUG, LOCATION, NULL,
"dst6 %s %d\n",
saddr2str((struct sockaddr *)&dst6),
dst6.sin6_scope_id);
for (i = 0; i < cnt; i++) {
len = sendmsg(s, &m, 0 /*MSG_DONTROUTE*/);
if (len < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"sendmsg (%s)\n", strerror(errno));
return -1;
}
plog(LLV_DEBUG, LOCATION, NULL,
"%d times of %d bytes message will be sent "
"to %s\n",
i + 1, len, saddr2str(dst));
}
plogdump(LLV_DEBUG, (char *)buf, buflen);
return len;
}
#endif
#ifdef __linux__
case AF_INET:
{
struct msghdr m;
struct cmsghdr *cm;
struct iovec iov[2];
u_char cmsgbuf[256];
struct in_pktinfo *pi;
int ifindex = 0;
struct sockaddr_in src6, dst6;
memcpy(&src6, src, sizeof(src6));
memcpy(&dst6, dst, sizeof(dst6));
memset(&m, 0, sizeof(m));
m.msg_name = (caddr_t)&dst6;
m.msg_namelen = sizeof(dst6);
iov[0].iov_base = (char *)buf;
iov[0].iov_len = buflen;
m.msg_iov = iov;
m.msg_iovlen = 1;
memset(cmsgbuf, 0, sizeof(cmsgbuf));
cm = (struct cmsghdr *)cmsgbuf;
m.msg_control = (caddr_t)cm;
m.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo));
cm->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
cm->cmsg_level = IPPROTO_IP;
cm->cmsg_type = IP_PKTINFO;
pi = (struct in_pktinfo *)CMSG_DATA(cm);
memcpy(&pi->ipi_spec_dst, &src6.sin_addr, sizeof(src6.sin_addr));
pi->ipi_ifindex = ifindex;
plog(LLV_DEBUG, LOCATION, NULL,
"src4 %s\n",
saddr2str((struct sockaddr *)&src6));
plog(LLV_DEBUG, LOCATION, NULL,
"dst4 %s\n",
saddr2str((struct sockaddr *)&dst6));
for (i = 0; i < cnt; i++) {
len = sendmsg(s, &m, 0 /*MSG_DONTROUTE*/);
if (len < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"sendmsg (%s)\n", strerror(errno));
return -1;
}
plog(LLV_DEBUG, LOCATION, NULL,
"%d times of %d bytes message will be sent "
"to %s\n",
i + 1, len, saddr2str(dst));
}
plogdump(LLV_DEBUG, (char *)buf, buflen);
return len;
}
#endif /* __linux__ */
default:
{
int needclose = 0;
int sendsock;
if (ss.ss_family == src->sa_family && memcmp(&ss, src, sysdep_sa_len(src)) == 0) {
sendsock = s;
needclose = 0;
} else {
int yes = 1;
/*
* Use newly opened socket for sending packets.
* NOTE: this is unsafe, because if the peer is quick enough
* the packet from the peer may be queued into sendsock.
* Better approach is to prepare bind'ed udp sockets for
* each of the interface addresses.
*/
sendsock = SOCKET(src->sa_family, SOCK_DGRAM, 0);
if (sendsock < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"socket (%s)\n", strerror(errno));
return -1;
}
if (setsockopt(sendsock, SOL_SOCKET,
#ifdef __linux__
SO_REUSEADDR,
#else
SO_REUSEPORT,
#endif
(void *)&yes, sizeof(yes)) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"setsockopt SO_REUSEPORT (%s)\n",
strerror(errno));
close(sendsock);
return -1;
}
#ifdef IPV6_USE_MIN_MTU
if (src->sa_family == AF_INET6 &&
setsockopt(sendsock, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
(void *)&yes, sizeof(yes)) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"setsockopt IPV6_USE_MIN_MTU (%s)\n",
strerror(errno));
close(sendsock);
return -1;
}
#endif
if (setsockopt_bypass(sendsock, src->sa_family) < 0) {
close(sendsock);
return -1;
}
if (BIND(sendsock, (struct sockaddr *)src,
sysdep_sa_len(src)) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"bind 1 (%s)\n", strerror(errno));
close(sendsock);
return -1;
}
needclose = 1;
}
for (i = 0; i < cnt; i++) {
len = sendto(sendsock, buf, buflen, 0, dst, sysdep_sa_len(dst));
if (len < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"sendto (%s)\n", strerror(errno));
if (needclose)
close(sendsock);
return len;
}
plog(LLV_DEBUG, LOCATION, NULL,
"%d times of %d bytes message will be sent "
"to %s\n",
i + 1, len, saddr2str(dst));
}
plogdump(LLV_DEBUG, (char *)buf, buflen);
if (needclose)
close(sendsock);
return len;
}
}
}
int
setsockopt_bypass(so, family)
int so, family;
{
int level;
char *buf;
char *policy;
switch (family) {
case AF_INET:
level = IPPROTO_IP;
break;
#ifdef INET6
case AF_INET6:
level = IPPROTO_IPV6;
break;
#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
"unsupported address family %d\n", family);
return -1;
}
policy = "in bypass";
buf = ipsec_set_policy(policy, strlen(policy));
if (buf == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"ipsec_set_policy (%s)\n",
ipsec_strerror());
return -1;
}
if (SETSOCKOPT(so, level,
(level == IPPROTO_IP ?
IP_IPSEC_POLICY : IPV6_IPSEC_POLICY),
buf, ipsec_get_policylen(buf)) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"setsockopt IP_IPSEC_POLICY (%s)\n",
strerror(errno));
return -1;
}
racoon_free(buf);
policy = "out bypass";
buf = ipsec_set_policy(policy, strlen(policy));
if (buf == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"ipsec_set_policy (%s)\n",
ipsec_strerror());
return -1;
}
if (SETSOCKOPT(so, level,
(level == IPPROTO_IP ?
IP_IPSEC_POLICY : IPV6_IPSEC_POLICY),
buf, ipsec_get_policylen(buf)) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"setsockopt IP_IPSEC_POLICY (%s)\n",
strerror(errno));
return -1;
}
racoon_free(buf);
return 0;
}
#endif
struct sockaddr *
newsaddr(len)
int len;
{
struct sockaddr *new;
if ((new = racoon_calloc(1, len)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"%s\n", strerror(errno));
goto out;
}
#ifdef __linux__
if (len == sizeof (struct sockaddr_in6))
new->sa_family = AF_INET6;
else
new->sa_family = AF_INET;
#else
/* initial */
new->sa_len = len;
#endif
out:
return new;
}
struct sockaddr *
dupsaddr(src)
struct sockaddr *src;
{
struct sockaddr *dst;
dst = racoon_calloc(1, sysdep_sa_len(src));
if (dst == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"%s\n", strerror(errno));
return NULL;
}
memcpy(dst, src, sysdep_sa_len(src));
return dst;
}
char *
saddr2str(saddr)
const struct sockaddr *saddr;
{
static char buf[NI_MAXHOST + NI_MAXSERV + 10];
char addr[NI_MAXHOST], port[NI_MAXSERV];
if (saddr == NULL)
return NULL;
if (saddr->sa_family == AF_UNSPEC)
snprintf (buf, sizeof(buf), "%s", "anonymous");
else {
GETNAMEINFO(saddr, addr, port);
snprintf(buf, sizeof(buf), "%s[%s]", addr, port);
}
return buf;
}
char *
saddrwop2str(saddr)
const struct sockaddr *saddr;
{
static char buf[NI_MAXHOST + NI_MAXSERV + 10];
char addr[NI_MAXHOST];
if (saddr == NULL)
return NULL;
GETNAMEINFO_NULL(saddr, addr);
snprintf(buf, sizeof(buf), "%s", addr);
return buf;
}
char *
naddrwop2str(const struct netaddr *naddr)
{
static char buf[NI_MAXHOST + 10];
static const struct sockaddr sa_any; /* this is initialized to all zeros */
if (naddr == NULL)
return NULL;
if (memcmp(&naddr->sa, &sa_any, sizeof(sa_any)) == 0)
snprintf(buf, sizeof(buf), "%s", "any");
else {
snprintf(buf, sizeof(buf), "%s", saddrwop2str(&naddr->sa.sa));
snprintf(&buf[strlen(buf)], sizeof(buf) - strlen(buf), "/%ld", naddr->prefix);
}
return buf;
}
char *
naddrwop2str_fromto(const char *format, const struct netaddr *saddr,
const struct netaddr *daddr)
{
static char buf[2*(NI_MAXHOST + NI_MAXSERV + 10) + 100];
char *src, *dst;
src = racoon_strdup(naddrwop2str(saddr));
dst = racoon_strdup(naddrwop2str(daddr));
STRDUP_FATAL(src);
STRDUP_FATAL(dst);
/* WARNING: Be careful about the format string! Don't
ever pass in something that a user can modify!!! */
snprintf (buf, sizeof(buf), format, src, dst);
racoon_free (src);
racoon_free (dst);
return buf;
}
char *
saddr2str_fromto(format, saddr, daddr)
const char *format;
const struct sockaddr *saddr;
const struct sockaddr *daddr;
{
static char buf[2*(NI_MAXHOST + NI_MAXSERV + 10) + 100];
char *src, *dst;
src = racoon_strdup(saddr2str(saddr));
dst = racoon_strdup(saddr2str(daddr));
STRDUP_FATAL(src);
STRDUP_FATAL(dst);
/* WARNING: Be careful about the format string! Don't
ever pass in something that a user can modify!!! */
snprintf (buf, sizeof(buf), format, src, dst);
racoon_free (src);
racoon_free (dst);
return buf;
}
struct sockaddr *
str2saddr(host, port)
char *host;
char *port;
{
struct addrinfo hints, *res;
struct sockaddr *saddr;
int error;
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_DGRAM;
hints.ai_flags = AI_NUMERICHOST;
error = getaddrinfo(host, port, &hints, &res);
if (error != 0) {
plog(LLV_ERROR, LOCATION, NULL,
"getaddrinfo(%s%s%s): %s\n",
host, port ? "," : "", port ? port : "",
gai_strerror(error));
return NULL;
}
if (res->ai_next != NULL) {
plog(LLV_WARNING, LOCATION, NULL,
"getaddrinfo(%s%s%s): "
"resolved to multiple address, "
"taking the first one\n",
host, port ? "," : "", port ? port : "");
}
saddr = racoon_malloc(res->ai_addrlen);
if (saddr == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer.\n");
freeaddrinfo(res);
return NULL;
}
memcpy(saddr, res->ai_addr, res->ai_addrlen);
freeaddrinfo(res);
return saddr;
}
void
mask_sockaddr(a, b, l)
struct sockaddr *a;
const struct sockaddr *b;
size_t l;
{
size_t i;
u_int8_t *p, alen;
switch (b->sa_family) {
case AF_INET:
alen = sizeof(struct in_addr);
p = (u_int8_t *)&((struct sockaddr_in *)a)->sin_addr;
break;
#ifdef INET6
case AF_INET6:
alen = sizeof(struct in6_addr);
p = (u_int8_t *)&((struct sockaddr_in6 *)a)->sin6_addr;
break;
#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
"invalid family: %d\n", b->sa_family);
exit(1);
}
if ((alen << 3) < l) {
plog(LLV_ERROR, LOCATION, NULL,
"unexpected inconsistency: %d %zu\n", b->sa_family, l);
exit(1);
}
memcpy(a, b, sysdep_sa_len(b));
p[l / 8] &= (0xff00 >> (l % 8)) & 0xff;
for (i = l / 8 + 1; i < alen; i++)
p[i] = 0x00;
}
/* Compute a score describing how "accurate" a netaddr is for a given sockaddr.
* Examples:
* Return values for address 10.20.30.40 [port 500] and given netaddresses...
* 10.10.0.0/16 => -1 ... doesn't match
* 0.0.0.0/0 => 0 ... matches, but only 0 bits.
* 10.20.0.0/16 => 16 ... 16 bits match
* 10.20.30.0/24 => 24 ... guess what ;-)
* 10.20.30.40/32 => 32 ... whole address match
* 10.20.30.40:500 => 33 ... both address and port match
* 10.20.30.40:501 => -1 ... port doesn't match and isn't 0 (=any)
*/
int
naddr_score(const struct netaddr *naddr, const struct sockaddr *saddr)
{
static const struct netaddr naddr_any; /* initialized to all-zeros */
struct sockaddr sa;
u_int16_t naddr_port, saddr_port;
int port_score;
if (!naddr || !saddr) {
plog(LLV_ERROR, LOCATION, NULL,
"Call with null args: naddr=%p, saddr=%p\n",
naddr, saddr);
return -1;
}
/* Wildcard address matches, but only 0 bits. */
if (memcmp(naddr, &naddr_any, sizeof(naddr_any)) == 0)
return 0;
/* If families don't match we really can't do much... */
if (naddr->sa.sa.sa_family != saddr->sa_family)
return -1;
/* If port check fail don't bother to check addresses. */
naddr_port = extract_port(&naddr->sa.sa);
saddr_port = extract_port(saddr);
if (naddr_port == 0 || saddr_port == 0) /* wildcard match */
port_score = 0;
else if (naddr_port == saddr_port) /* exact match */
port_score = 1;
else /* mismatch :-) */
return -1;
/* Here it comes - compare network addresses. */
mask_sockaddr(&sa, saddr, naddr->prefix);
if (loglevel >= LLV_DEBUG) { /* debug only */
char *a1, *a2, *a3;
a1 = racoon_strdup(naddrwop2str(naddr));
a2 = racoon_strdup(saddrwop2str(saddr));
a3 = racoon_strdup(saddrwop2str(&sa));
STRDUP_FATAL(a1);
STRDUP_FATAL(a2);
STRDUP_FATAL(a3);
plog(LLV_DEBUG, LOCATION, NULL,
"naddr=%s, saddr=%s (masked=%s)\n",
a1, a2, a3);
free(a1);
free(a2);
free(a3);
}
if (cmpsaddr(&sa, &naddr->sa.sa) <= CMPSADDR_WOP_MATCH)
return naddr->prefix + port_score;
return -1;
}
/* Some useful functions for sockaddr port manipulations. */
u_int16_t
extract_port (const struct sockaddr *addr)
{
u_int16_t port = 0;
if (!addr)
return port;
switch (addr->sa_family) {
case AF_UNSPEC:
break;
case AF_INET:
port = ((struct sockaddr_in *)addr)->sin_port;
break;
case AF_INET6:
port = ((struct sockaddr_in6 *)addr)->sin6_port;
break;
default:
plog(LLV_ERROR, LOCATION, NULL, "unknown AF: %u\n", addr->sa_family);
break;
}
return ntohs(port);
}
u_int16_t *
get_port_ptr (struct sockaddr *addr)
{
u_int16_t *port_ptr;
if (!addr)
return NULL;
switch (addr->sa_family) {
case AF_INET:
port_ptr = &(((struct sockaddr_in *)addr)->sin_port);
break;
case AF_INET6:
port_ptr = &(((struct sockaddr_in6 *)addr)->sin6_port);
break;
default:
plog(LLV_ERROR, LOCATION, NULL, "unknown AF: %u\n", addr->sa_family);
return NULL;
break;
}
return port_ptr;
}
u_int16_t *
set_port (struct sockaddr *addr, u_int16_t new_port)
{
u_int16_t *port_ptr;
port_ptr = get_port_ptr (addr);
if (port_ptr)
*port_ptr = htons(new_port);
return port_ptr;
}