diff options
author | Hakan Olsson <ho@cvs.openbsd.org> | 2004-06-20 15:24:06 +0000 |
---|---|---|
committer | Hakan Olsson <ho@cvs.openbsd.org> | 2004-06-20 15:24:06 +0000 |
commit | 296e43726af7240ad61013d007264b8effec9333 (patch) | |
tree | b4f391ee607488f132ec2354d64361bf9b4e3735 /sbin/isakmpd/udp_encap.c | |
parent | dce4168d7b1745fda1db84e6b445d6e2141503cf (diff) |
NAT-Traversal for isakmpd. Work in progress...
hshoexer@ ok.
Diffstat (limited to 'sbin/isakmpd/udp_encap.c')
-rw-r--r-- | sbin/isakmpd/udp_encap.c | 461 |
1 files changed, 461 insertions, 0 deletions
diff --git a/sbin/isakmpd/udp_encap.c b/sbin/isakmpd/udp_encap.c new file mode 100644 index 00000000000..aa5ba003726 --- /dev/null +++ b/sbin/isakmpd/udp_encap.c @@ -0,0 +1,461 @@ +/* $OpenBSD: udp_encap.c,v 1.1 2004/06/20 15:24:05 ho Exp $ */ + +/* + * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved. + * Copyright (c) 2000 Angelos D. Keromytis. All rights reserved. + * Copyright (c) 2004 Håkan Olsson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include <sys/types.h> +#include <sys/ioctl.h> +#include <sys/socket.h> +#ifndef linux +#include <sys/sockio.h> +#endif +#include <net/if.h> +#include <netinet/in.h> +#include <arpa/inet.h> +#include <ctype.h> +#include <err.h> +#include <limits.h> +#include <netdb.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> + +#include "sysdep.h" + +#include "conf.h" +#include "if.h" +#include "ipsec_doi.h" +#include "isakmp.h" +#include "log.h" +#include "message.h" +#include "monitor.h" +#include "sysdep.h" +#include "transport.h" +#include "udp.h" +#include "udp_encap.h" +#include "util.h" +#include "virtual.h" + +#define UDP_SIZE 65536 + +/* If a system doesn't have SO_REUSEPORT, SO_REUSEADDR will have to do. */ +#ifndef SO_REUSEPORT +#define SO_REUSEPORT SO_REUSEADDR +#endif + +/* Reused, from udp.c */ +struct transport *udp_clone (struct transport *, struct sockaddr *); +void udp_get_dst (struct transport *, struct sockaddr **); +void udp_get_src (struct transport *, struct sockaddr **); +char *udp_decode_ids (struct transport *); + +static struct transport *udp_encap_create (char *); +static void udp_encap_remove (struct transport *); +static void udp_encap_report (struct transport *); +static void udp_encap_handle_message (struct transport *); +static struct transport *udp_encap_make (struct sockaddr *); +static int udp_encap_send_message (struct message *, + struct transport *); + +static struct transport_vtbl udp_encap_transport_vtbl = { + { 0 }, "udp_encap", + udp_encap_create, + 0, + udp_encap_remove, + udp_encap_report, + 0, + 0, + udp_encap_handle_message, + udp_encap_send_message, + udp_get_dst, + udp_get_src, + udp_decode_ids, + udp_clone, + 0 +}; + +char *udp_encap_default_port = 0; +char *udp_encap_bind_port = 0; + +void +udp_encap_init(void) +{ + transport_method_add(&udp_encap_transport_vtbl); +} + +/* Create a UDP transport structure bound to LADDR just for listening. */ +static struct transport * +udp_encap_make(struct sockaddr *laddr) +{ + struct udp_transport *t = 0; + int s, on, wildcardaddress = 0; + char *tstr; + + t = calloc(1, sizeof *t); + if (!t) { + log_print("udp_encap_make: malloc (%lu) failed", + (unsigned long)sizeof *t); + return 0; + } + + s = socket(laddr->sa_family, SOCK_DGRAM, IPPROTO_UDP); + if (s == -1) { + log_error("udp_encap_make: socket (%d, %d, %d)", + laddr->sa_family, SOCK_DGRAM, IPPROTO_UDP); + goto err; + } + + /* Make sure we don't get our traffic encrypted. */ + if (sysdep_cleartext(s, laddr->sa_family) == -1) + goto err; + + /* Wildcard address ? */ + switch (laddr->sa_family) { + case AF_INET: + if (((struct sockaddr_in *)laddr)->sin_addr.s_addr + == INADDR_ANY) + wildcardaddress = 1; + break; + case AF_INET6: + if (IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)laddr)->sin6_addr)) + wildcardaddress = 1; + break; + } + + /* + * In order to have several bound specific address-port combinations + * with the same port SO_REUSEADDR is needed. + * If this is a wildcard socket and we are not listening there, but + * only sending from it make sure it is entirely reuseable with + * SO_REUSEPORT. + */ + on = 1; + if (setsockopt(s, SOL_SOCKET, + wildcardaddress ? SO_REUSEPORT : SO_REUSEADDR, + (void *)&on, sizeof on) == -1) { + log_error("udp_encap_make: setsockopt (%d, %d, %d, %p, %lu)", + s, SOL_SOCKET, + wildcardaddress ? SO_REUSEPORT : SO_REUSEADDR, &on, + (unsigned long)sizeof on); + goto err; + } + + t->transport.vtbl = &udp_encap_transport_vtbl; + t->src = laddr; + if (monitor_bind(s, t->src, sysdep_sa_len (t->src))) { + if (sockaddr2text(t->src, &tstr, 0)) + log_error("udp_encap_make: bind (%d, %p, %lu)", s, + &t->src, (unsigned long)sizeof t->src); + else { + log_error("udp_encap_make: bind (%d, %s, %lu)", s, + tstr, (unsigned long)sizeof t->src); + free(tstr); + } + goto err; + } + + t->s = s; + if (sockaddr2text(t->src, &tstr, 0)) + LOG_DBG((LOG_MISC, 20, "udp_encap_make: " + "transport %p socket %d family %d", t, s, + t->src->sa_family == AF_INET ? 4 : 6)); + else { + LOG_DBG((LOG_MISC, 20, "udp_encap_make: " + "transport %p socket %d ip %s port %d", t, s, + tstr, ntohs(sockaddr_port(t->src)))); + free(tstr); + } + transport_setup(&t->transport, 0); + transport_reference(&t->transport); + t->transport.flags |= TRANSPORT_LISTEN; + return &t->transport; + + err: + if (s >= 0) + close (s); + if (t) { + /* Already closed. */ + t->s = -1; + udp_encap_remove(&t->transport); + } + return 0; +} + +/* + * Initialize an object of the UDP transport class. Fill in the local + * IP address and port information and create a server socket bound to + * that specific port. Add the polymorphic transport structure to the + * system-wide pools of known ISAKMP transports. + */ +struct transport * +udp_encap_bind(const struct sockaddr *addr) +{ + struct sockaddr *src = + malloc(sysdep_sa_len((struct sockaddr *)addr)); + + if (!src) + return 0; + + memcpy(src, addr, sysdep_sa_len((struct sockaddr *)addr)); + return udp_encap_make(src); +} + +/* + * NAME is a section name found in the config database. Setup and return + * a transport useable to talk to the peer specified by that name. + */ +static struct transport * +udp_encap_create(char *name) +{ + struct virtual_transport *v; + struct udp_transport *u; + struct transport *rv, *t; + struct sockaddr *dst, *addr; + struct conf_list *addr_list = 0; + struct conf_list_node *addr_node; + char *addr_str, *port_str; + + port_str = conf_get_str(name, "Port"); /* XXX "Encap-port" ? */ + if (!port_str) + port_str = udp_encap_default_port; + if (!port_str) + port_str = UDP_ENCAP_DEFAULT_PORT_STR; + + addr_str = conf_get_str(name, "Address"); + if (!addr_str) { + log_print("udp_encap_create: no address configured " + "for \"%s\"", name); + return 0; + } + if (text2sockaddr(addr_str, port_str, &dst)) { + log_print("udp_encap_create: address \"%s\" not understood", + addr_str); + return 0; + } + + addr_str = conf_get_str(name, "Local-address"); + if (!addr_str) + addr_list = conf_get_list("General", "Listen-on"); + if (!addr_str && !addr_list) { + v = virtual_get_default(dst->sa_family); + u = (struct udp_transport *)v->encap; + + if (!u) { + log_print("udp_encap_create: no default transport"); + rv = 0; + goto ret; + } else { + rv = udp_clone((struct transport *)u, dst); + if (rv) + rv->vtbl = &udp_encap_transport_vtbl; + goto ret; + } + } + + if (addr_list) { + for (addr_node = TAILQ_FIRST(&addr_list->fields); + addr_node; addr_node = TAILQ_NEXT(addr_node, link)) + if (text2sockaddr(addr_node->field, port_str, + &addr) == 0) { + v = virtual_listen_lookup(addr); + free(addr); + if (v) { + addr_str = addr_node->field; + break; + } + } + if (!addr_str) { + log_print("udp_encap_create: " + "no matching listener found"); + rv = 0; + goto ret; + } + } + if (text2sockaddr(addr_str, port_str, &addr)) { + log_print("udp_encap_create: " + "address \"%s\" not understood", addr_str); + rv = 0; + goto ret; + } + v = virtual_listen_lookup(addr); + free(addr); + if (!v) { + log_print("udp_encap_create: " + "%s:%s must exist as a listener too", addr_str, port_str); + rv = 0; + goto ret; + } + t = (struct transport *)v; + rv = udp_clone(v->encap, dst); + if (rv) { + rv->vtbl = &udp_encap_transport_vtbl; /* XXX Necessary? */ + transport_reference(rv->virtual); + } + + ret: + if (addr_list) + conf_free_list(addr_list); + free(dst); + return rv; +} + +void +udp_encap_remove(struct transport *t) +{ + struct udp_transport *u = (struct udp_transport *)t; + + if (u->src) + free (u->src); + if (u->dst) + free (u->dst); + if (t->flags & TRANSPORT_LISTEN) { + if (u->s >= 0) + close (u->s); + if (u->link.le_prev) + LIST_REMOVE (u, link); + } + free (t); +} + +/* Report transport-method specifics of the T transport. */ +void +udp_encap_report(struct transport *t) +{ + struct udp_transport *u = (struct udp_transport *)t; + char *src, *dst; + in_port_t sport, dport; + + if (sockaddr2text(u->src, &src, 0)) + goto ret; + sport = sockaddr_port(u->src); + + if (!u->dst || sockaddr2text(u->dst, &dst, 0)) + dst = 0; + dport = dst ? sockaddr_port(u->dst) : 0; + + LOG_DBG ((LOG_REPORT, 0, "udp_encap_report: fd %d src %s:%u dst %s:%u", + u->s, src, ntohs(sport), dst ? dst : "*", ntohs(dport))); + + ret: + if (dst) + free(dst); + if (src) + free(src); +} + +/* + * A message has arrived on transport T's socket. If T is single-ended, + * clone it into a double-ended transport which we will use from now on. + * Package the message as we want it and continue processing in the message + * module. + */ +static void +udp_encap_handle_message(struct transport *t) +{ + struct udp_transport *u = (struct udp_transport *)t; + struct sockaddr_storage from; + struct message *msg; + u_int32_t len = sizeof from; + ssize_t n; + u_int8_t buf[UDP_SIZE]; + + n = recvfrom(u->s, buf, UDP_SIZE, 0, (struct sockaddr *)&from, &len); + if (n == -1) { + log_error("recvfrom (%d, %p, %d, %d, %p, %p)", u->s, buf, + UDP_SIZE, 0, &from, &len); + return; + } + + /* + * Make a specialized UDP transport structure out of the incoming + * transport and the address information we got from recvfrom(2). + */ + t = t->virtual->vtbl->clone(t->virtual, (struct sockaddr *)&from); + if (!t) + return; + + /* Check NULL-ESP marker. */ + if (n < sizeof (u_int32_t) || *(u_int32_t *)buf != 0) { + /* Should never happen. */ + log_print ("udp_encap_handle_message: " + "Null-ESP marker not NULL or short message"); + return; + } + + msg = message_alloc(t, buf + sizeof (u_int32_t), + n - sizeof (u_int32_t)); + if (!msg) { + log_error ("failed to allocate message structure, dropping " + "packet received on transport %p", u); + return; + } + message_recv (msg); +} + +/* Physically send the message MSG over its associated transport. */ +static int +udp_encap_send_message(struct message *msg, struct transport *t) +{ + struct udp_transport *u = (struct udp_transport *)t; + struct msghdr m; + struct iovec *new_iov; + ssize_t n; + u_int32_t marker = 0; /* NULL-ESP Marker */ + + /* Construct new iov array, prefixing NULL-ESP Marker. */ + new_iov = (struct iovec *)calloc (msg->iovlen + 1, sizeof *new_iov); + if (!new_iov) { + log_error ("udp_encap_send_message: calloc (%lu, %lu) failed", + (unsigned long)msg->iovlen + 1, + (unsigned long)sizeof *new_iov); + return -1; + } + new_iov[0].iov_base = ▮ + new_iov[0].iov_len = IPSEC_SPI_SIZE; + memcpy (new_iov + sizeof *new_iov, msg->iov, + msg->iovlen * sizeof *new_iov); + + /* + * Sending on connected sockets requires that no destination address is + * given, or else EISCONN will occur. + */ + m.msg_name = (caddr_t)u->dst; + m.msg_namelen = sysdep_sa_len (u->dst); + m.msg_iov = new_iov; + m.msg_iovlen = msg->iovlen + 1; + m.msg_control = 0; + m.msg_controllen = 0; + m.msg_flags = 0; + n = sendmsg (u->s, &m, 0); + if (n == -1) { + /* XXX We should check whether the address has gone away */ + log_error ("sendmsg (%d, %p, %d)", u->s, &m, 0); + free (new_iov); + return -1; + } + free (new_iov); + return 0; +} |