2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2002 D. Hugh Redelmeier.
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
25 #include <sys/types.h>
27 #include <sys/socket.h>
30 # include <sys/sockio.h> /* for Solaris 2.6: defines SIOCGIFCONF */
32 #include <netinet/in.h>
33 #include <arpa/inet.h>
39 #include <sys/ioctl.h>
41 #include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
45 #include "constants.h"
50 #include "connections.h" /* needs id.h */
51 #include "kernel.h" /* for no_klips */
56 #include "demux.h" /* needs packet.h */
57 #include "kernel_comm.h"
58 #include "preshared.h"
59 #include "adns.h" /* needs <resolv.h> */
60 #include "dnskey.h" /* needs preshared.h and adns.h */
61 #include "whack.h" /* for RC_LOG_SERIOUS */
67 #include "nat_traversal.h"
71 * Server main loop and socket initialization routines.
74 static const int on = TRUE; /* by-reference parameter; constant, we hope */
76 /* control (whack) socket */
77 int ctl_fd = NULL_FD; /* file descriptor of control (whack) socket */
78 struct sockaddr_un ctl_addr = { AF_UNIX, DEFAULT_CTLBASE CTL_SUFFIX };
80 /* Initialize the control socket.
81 * Note: this is called very early, so little infrastructure is available.
82 * It is important that the socket is created before the original
83 * Pluto process returns.
90 delete_ctl_socket(); /* preventative medicine */
91 ctl_fd = socket(AF_UNIX, SOCK_STREAM, 0);
94 else if (fcntl(ctl_fd, F_SETFD, FD_CLOEXEC) == -1)
95 failed = "fcntl FD+CLOEXEC";
96 else if (setsockopt(ctl_fd, SOL_SOCKET, SO_REUSEADDR, (const void *)&on, sizeof(on)) < 0)
97 failed = "setsockopt";
100 /* to keep control socket secure, use umask */
101 mode_t ou = umask(~S_IRWXU);
103 if (bind(ctl_fd, (struct sockaddr *)&ctl_addr
104 , offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
109 /* 5 is a haphazardly chosen limit for the backlog.
110 * Rumour has it that this is the max on BSD systems.
112 if (failed == NULL && listen(ctl_fd, 5) < 0)
113 failed = "listen() on";
115 return failed == NULL? NULL : builddiag("could not %s control socket: %d %s"
116 , failed, errno, strerror(errno));
120 delete_ctl_socket(void)
122 /* Is noting failure useful? Not when used as preventative medicine. */
123 unlink(ctl_addr.sun_path);
126 bool listening = FALSE; /* should we pay attention to IKE messages? */
128 struct iface *interfaces = NULL; /* public interfaces */
130 /* Initialize the interface sockets. */
133 mark_ifaces_dead(void)
137 for (p = interfaces; p != NULL; p = p->next)
138 p->change = IFN_DELETE;
142 free_dead_ifaces(void)
145 bool some_dead = FALSE
148 for (p = interfaces; p != NULL; p = p->next)
150 if (p->change == IFN_DELETE)
152 log("shutting down interface %s/%s %s"
153 , p->vname, p->rname, ip_str(&p->addr));
156 else if (p->change == IFN_ADD)
166 release_dead_interfaces();
167 for (pp = &interfaces; (p = *pp) != NULL; )
169 if (p->change == IFN_DELETE)
171 *pp = p->next; /* advance *pp */
179 pp = &p->next; /* advance pp */
184 /* this must be done after the release_dead_interfaces
185 * in case some to the newly unoriented connections can
186 * become oriented here.
188 if (some_dead || some_new)
189 check_orientations();
201 char name[IFNAMSIZ + 20]; /* what would be a safe size? */
202 struct raw_iface *next;
205 /* Called to handle --interface <ifname>
206 * Semantics: if specified, only these (real) interfaces are considered.
208 static const char *pluto_ifn[10];
209 static int pluto_ifn_roof = 0;
212 use_interface(const char *rifn)
214 if (pluto_ifn_roof >= (int)elemsof(pluto_ifn))
220 pluto_ifn[pluto_ifn_roof++] = rifn;
225 #ifndef IPSECDEVPREFIX
226 # define IPSECDEVPREFIX "ipsec"
229 static struct raw_iface *
230 find_raw_ifaces4(void)
232 int j; /* index into buf */
233 int num; /* number of interfaces */
234 struct ifconf ifconf;
235 struct ifreq *buf; /* for list of interfaces */
236 struct raw_iface *rifaces = NULL;
237 int master_sock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP); /* Get a UDP socket */
239 /* get list of interfaces with assigned IPv4 addresses from system */
241 if (master_sock == -1)
242 exit_log_errno((e, "socket() failed in find_raw_ifaces4()"));
244 if (setsockopt(master_sock, SOL_SOCKET, SO_REUSEADDR
245 , (const void *)&on, sizeof(on)) < 0)
246 exit_log_errno((e, "setsockopt() in find_raw_ifaces4()"));
248 /* bind the socket */
252 happy(anyaddr(AF_INET, &any));
253 setportof(htons(pluto_port), &any);
254 if (bind(master_sock, sockaddrof(&any), sockaddrlenof(&any)) < 0)
255 exit_log_errno((e, "bind() failed in find_raw_ifaces4()"));
261 /* Get local interfaces. See netdevice(7). */
262 ifconf.ifc_len = num * sizeof(struct ifreq);
263 buf = (void *) realloc(buf, ifconf.ifc_len);
264 memset(buf, 0, num*sizeof(struct ifreq));
265 ifconf.ifc_buf = (void *) buf;
267 if (ioctl(master_sock, SIOCGIFCONF, &ifconf) == -1)
268 exit_log_errno((e, "ioctl(SIOCGIFCONF) in find_raw_ifaces4()"));
270 /* if we got back less than we asked for, we have them all */
271 if (ifconf.ifc_len < num * sizeof(struct ifreq))
274 /* try again and ask for more this time */
278 /* Add an entry to rifaces for each interesting interface. */
279 for (j = 0; (j+1) * sizeof(struct ifreq) <= ifconf.ifc_len; j++)
282 const struct sockaddr_in *rs = (struct sockaddr_in *) &buf[j].ifr_addr;
283 struct ifreq auxinfo;
285 /* ignore all but AF_INET interfaces */
286 if (rs->sin_family != AF_INET)
287 continue; /* not interesting */
289 /* build a NUL-terminated copy of the rname field */
290 memcpy(ri.name, buf[j].ifr_name, IFNAMSIZ);
291 ri.name[IFNAMSIZ] = '\0';
293 /* ignore if our interface names were specified, and this isn't one */
294 if (pluto_ifn_roof != 0)
298 for (i = 0; i != pluto_ifn_roof; i++)
299 if (streq(ri.name, pluto_ifn[i]))
301 if (i == pluto_ifn_roof)
302 continue; /* not found -- skip */
305 /* Find out stuff about this interface. See netdevice(7). */
306 zero(&auxinfo); /* paranoia */
307 memcpy(auxinfo.ifr_name, buf[j].ifr_name, IFNAMSIZ);
308 if (ioctl(master_sock, SIOCGIFFLAGS, &auxinfo) == -1)
310 , "ioctl(SIOCGIFFLAGS) for %s in find_raw_ifaces4()"
312 if (!(auxinfo.ifr_flags & IFF_UP))
313 continue; /* ignore an interface that isn't UP */
315 /* ignore unconfigured interfaces */
316 if (rs->sin_addr.s_addr == 0)
323 for (i = 0; i < NUM_INTERFACES; i++) {
324 if (((phys_interfaces[i] && !strcmp(phys_interfaces[i], ri.name))) ||
325 !strncmp("ipsec", ri.name, 5))
333 happy(initaddr((const void *)&rs->sin_addr, sizeof(struct in_addr)
334 , AF_INET, &ri.addr));
336 DBG(DBG_CONTROL, DBG_log("found %s with address %s"
337 , ri.name, ip_str(&ri.addr)));
339 rifaces = clone_thing(ri, "struct raw_iface");
350 static struct raw_iface *
351 find_raw_ifaces6(void)
354 /* Get list of interfaces with IPv6 addresses from system from /proc/net/if_inet6).
356 * Documentation of format?
357 * RTFS: linux-2.2.16/net/ipv6/addrconf.c:iface_proc_info()
358 * linux-2.4.9-13/net/ipv6/addrconf.c:iface_proc_info()
360 * Sample from Gerhard's laptop:
361 * 00000000000000000000000000000001 01 80 10 80 lo
362 * 30490009000000000000000000010002 02 40 00 80 ipsec0
363 * 30490009000000000000000000010002 07 40 00 80 eth0
364 * fe80000000000000025004fffefd5484 02 0a 20 80 ipsec0
365 * fe80000000000000025004fffefd5484 07 0a 20 80 eth0
367 * Each line contains:
368 * - IPv6 address: 16 bytes, in hex, no punctuation
369 * - ifindex: 1 byte, in hex
370 * - prefix_len: 1 byte, in hex
371 * - scope (e.g. global, link local): 1 byte, in hex
372 * - flags: 1 byte, in hex
373 * - device name: string, followed by '\n'
375 struct raw_iface *rifaces = NULL;
376 static const char proc_name[] = "/proc/net/if_inet6";
377 FILE *proc_sock = fopen(proc_name, "r");
379 if (proc_sock == NULL)
381 DBG(DBG_CONTROL, DBG_log("could not open %s", proc_name));
388 unsigned short xb[8]; /* IPv6 address as 8 16-bit chunks */
389 char sb[8*5]; /* IPv6 address as string-with-colons */
390 unsigned int if_idx; /* proc field, not used */
391 unsigned int plen; /* proc field, not used */
392 unsigned int scope; /* proc field, used to exclude link-local */
393 unsigned int dad_status; /* proc field, not used */
394 /* ??? I hate and distrust scanf -- DHR */
395 int r = fscanf(proc_sock
396 , "%4hx%4hx%4hx%4hx%4hx%4hx%4hx%4hx"
397 " %02x %02x %02x %02x %20s\n"
398 , xb+0, xb+1, xb+2, xb+3, xb+4, xb+5, xb+6, xb+7
399 , &if_idx, &plen, &scope, &dad_status, ri.name);
401 /* ??? we should diagnose any problems */
405 /* ignore addresses with link local scope.
406 * From linux-2.4.9-13/include/net/ipv6.h:
407 * IPV6_ADDR_LINKLOCAL 0x0020U
408 * IPV6_ADDR_SCOPE_MASK 0x00f0U
410 if ((scope & 0x00f0U) == 0x0020U)
413 snprintf(sb, sizeof(sb)
414 , "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x"
415 , xb[0], xb[1], xb[2], xb[3], xb[4], xb[5], xb[6], xb[7]);
417 happy(ttoaddr(sb, 0, AF_INET6, &ri.addr));
419 if (!isunspecaddr(&ri.addr))
422 , DBG_log("found %s with address %s"
425 rifaces = clone_thing(ri, "struct raw_iface");
436 create_socket(struct raw_iface *ifp, const char *v_name, int port)
438 int fd = socket(addrtypeof(&ifp->addr), SOCK_DGRAM, IPPROTO_UDP);
443 log_errno((e, "socket() in process_raw_ifaces()"));
448 /* Set socket Nonblocking */
449 if ((fcntl_flags=fcntl(fd, F_GETFL)) >= 0) {
450 if (!(fcntl_flags & O_NONBLOCK)) {
451 fcntl_flags |= O_NONBLOCK;
452 fcntl(fd, F_SETFL, fcntl_flags);
457 if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
459 log_errno((e, "fcntl(,, FD_CLOEXEC) in process_raw_ifaces()"));
464 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR
465 , (const void *)&on, sizeof(on)) < 0)
467 log_errno((e, "setsockopt SO_REUSEADDR in process_raw_ifaces()"));
472 /* To improve error reporting. See ip(7). */
473 #if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
474 if (setsockopt(fd, SOL_IP, IP_RECVERR
475 , (const void *)&on, sizeof(on)) < 0)
477 log_errno((e, "setsockopt IP_RECVERR in process_raw_ifaces()"));
483 /* With IPv6, there is no fragmentation after
484 * it leaves our interface. PMTU discovery
485 * is mandatory but doesn't work well with IKE (why?).
486 * So we must set the IPV6_USE_MIN_MTU option.
487 * See draft-ietf-ipngwg-rfc2292bis-01.txt 11.1
489 #ifdef IPV6_USE_MIN_MTU /* YUCK: not always defined */
490 if (addrtypeof(&ifp->addr) == AF_INET6
491 && setsockopt(fd, SOL_SOCKET, IPV6_USE_MIN_MTU
492 , (const void *)&on, sizeof(on)) < 0)
494 log_errno((e, "setsockopt IPV6_USE_MIN_MTU in process_raw_ifaces()"));
500 setportof(htons(port), &ifp->addr);
501 if (bind(fd, sockaddrof(&ifp->addr), sockaddrlenof(&ifp->addr)) < 0)
503 log_errno((e, "bind() for %s/%s %s:%u in process_raw_ifaces()"
505 , ip_str(&ifp->addr), (unsigned) port));
509 setportof(htons(pluto_port), &ifp->addr);
515 process_raw_ifaces(struct raw_iface *rifaces)
517 struct raw_iface *ifp;
519 /* Find all virtual/real interface pairs.
520 * For each real interface...
522 for (ifp = rifaces; ifp != NULL; ifp = ifp->next)
524 struct raw_iface *v = NULL; /* matching ipsecX interface */
525 struct raw_iface fake_v;
526 bool after = FALSE; /* has vfp passed ifp on the list? */
528 struct raw_iface *vfp;
530 /* ignore if virtual (ipsec*) interface */
531 if (strncmp(ifp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1) == 0)
534 for (vfp = rifaces; vfp != NULL; vfp = vfp->next)
540 else if (sameaddr(&ifp->addr, &vfp->addr))
542 /* Different entries with matching IP addresses.
543 * Many interesting cases.
545 if (strncmp(vfp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1) == 0)
554 for (i = 0; i < NUM_INTERFACES; i++) {
555 if (phys_interfaces[i])
556 if (!strcmp(phys_interfaces[i], v->name))
560 for (i = 0; i < NUM_INTERFACES; i++) {
561 if (phys_interfaces[i])
562 if (!strcmp(phys_interfaces[i], vfp->name))
566 if (found && found2) {
567 loglog(RC_LOG_SERIOUS
568 , "ipsec interfaces %s and %s share same address %s"
569 , v->name, vfp->name, ip_str(&ifp->addr));
573 if (!found && found2) {
580 v = vfp; /* current winner */
585 /* ugh: a second real interface with the same IP address
586 * "after" allows us to avoid double reporting.
590 loglog(RC_LOG_SERIOUS
591 , "IP interfaces %s and %s share address %s!"
592 , ifp->name, vfp->name, ip_str(&ifp->addr));
602 /* what if we didn't find a virtual interface? */
607 /* kludge for testing: invent a virtual device */
608 static const char fvp[] = "virtual";
610 passert(sizeof(fake_v.name) > sizeof(fvp));
611 strcpy(fake_v.name, fvp);
612 addrtot(&ifp->addr, 0, fake_v.name + sizeof(fvp) - 1
613 , sizeof(fake_v.name) - (sizeof(fvp) - 1));
619 DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
620 , ifp->name, ip_str(&ifp->addr)));
625 /* We've got all we need; see if this is a new thing:
626 * search old interfaces list.
629 struct iface **p = &interfaces;
633 struct iface *q = *p;
635 /* search is over if at end of list */
638 /* matches nothing -- create a new entry */
639 int fd = create_socket(ifp, v->name, pluto_port);
644 if (nat_traversal_enabled) {
645 nat_traversal_espinudp_socket(fd,
646 ESPINUDP_WITH_NON_IKE);
650 q = alloc_thing(struct iface, "struct iface");
651 q->rname = clone_str(ifp->name, "real device name");
652 q->vname = clone_str(v->name, "virtual device name");
655 q->next = interfaces;
658 log("adding interface %s/%s %s"
659 , q->vname, q->rname, ip_str(&q->addr));
662 if (nat_traversal_support_port_floating) {
663 fd = create_socket(ifp, v->name, NAT_T_IKE_FLOAT_PORT);
666 nat_traversal_espinudp_socket(fd,
667 ESPINUDP_WITH_NON_ESP);
668 q = alloc_thing(struct iface, "struct iface");
669 q->rname = clone_str(ifp->name, "real device name");
670 q->vname = clone_str(v->name, "virtual device name");
672 setportof(htons(NAT_T_IKE_FLOAT_PORT), &q->addr);
674 q->next = interfaces;
678 log("adding interface %s/%s %s:%d",
679 q->vname, q->rname, ip_str(&q->addr), NAT_T_IKE_FLOAT_PORT);
685 /* search over if matching old entry found */
686 if (streq(q->rname, ifp->name)
687 && streq(q->vname, v->name)
688 && sameaddr(&q->addr, &ifp->addr))
690 /* matches -- rejuvinate old entry */
691 q->change = IFN_KEEP;
693 /* look for other interfaces to keep (due to NAT-T) */
694 for (q = q->next ; q ; q = q->next) {
695 if (streq(q->rname, ifp->name)
696 && streq(q->vname, v->name)
697 && sameaddr(&q->addr, &ifp->addr)) {
698 q->change = IFN_KEEP;
711 /* delete the raw interfaces list */
712 while (rifaces != NULL)
714 struct raw_iface *t = rifaces;
725 process_raw_ifaces(find_raw_ifaces4());
726 process_raw_ifaces(find_raw_ifaces6());
728 free_dead_ifaces(); /* ditch remaining old entries */
730 if (interfaces == NULL)
731 loglog(RC_LOG_SERIOUS, "no public interfaces found");
735 show_ifaces_status(void)
739 for (p = interfaces; p != NULL; p = p->next)
740 whack_log(RC_COMMENT, "interface %s/%s %s"
741 , p->vname, p->rname, ip_str(&p->addr));
744 static volatile sig_atomic_t sighupflag = FALSE;
747 huphandler(int sig UNUSED)
752 static volatile sig_atomic_t sigtermflag = FALSE;
755 termhandler(int sig UNUSED)
760 /* call_server listens for incoming ISAKMP packets and Whack messages,
761 * and handles timer events.
768 /* catch SIGHUP and SIGTERM */
771 struct sigaction act;
773 act.sa_handler = &huphandler;
774 sigemptyset(&act.sa_mask);
775 act.sa_flags = 0; /* no SA_ONESHOT, no SA_RESTART, no nothing */
776 r = sigaction(SIGHUP, &act, NULL);
779 act.sa_handler = &termhandler;
780 r = sigaction(SIGTERM, &act, NULL);
789 /* wait for next interesting thing */
793 long next_time = next_event(); /* time to any pending timer event */
801 /* Ignorant folks think poking any daemon with SIGHUP
802 * is polite. We catch it and tell them otherwise.
803 * There is one use: unsticking a hung recvfrom.
804 * This sticking happens sometimes -- kernel bug?
807 log("Pluto ignores SIGHUP -- perhaps you want \"whack --listen\"");
811 FD_SET(ctl_fd, &readfds);
813 if (adns_afd != NULL_FD)
815 if (maxfd < adns_afd)
817 FD_SET(adns_afd, &readfds);
826 passert(!FD_ISSET(pfkeyfd, &readfds));
827 FD_SET(pfkeyfd, &readfds);
833 for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
837 passert(!FD_ISSET(ifp->fd, &readfds));
838 FD_SET(ifp->fd, &readfds);
844 /* select without timer */
846 ndes = select(maxfd + 1, &readfds, NULL, NULL, NULL);
848 else if (next_time == 0)
850 /* timer without select: there is a timer event pending,
851 * and it should fire now so don't bother to do the select.
853 ndes = 0; /* signify timer expiration */
857 /* select with timer */
861 tm.tv_sec = next_time;
863 ndes = select(maxfd + 1, &readfds, NULL, NULL, &tm);
870 exit_log_errno((e, "select() failed in call_server()"));
872 /* retry if terminated by signal */
875 /* figure out what is interesting */
882 DBG_log(BLANK_FORMAT);
883 DBG_log("*time to handle event"));
885 handle_timer_event();
886 passert(GLOBALS_ARE_RESET());
890 /* at least one file descriptor is ready */
892 if (adns_afd != NULL_FD && FD_ISSET(adns_afd, &readfds))
896 DBG_log(BLANK_FORMAT);
897 DBG_log("*received adns message"));
898 handle_adns_answer();
899 passert(GLOBALS_ARE_RESET());
904 if (!no_klips && FD_ISSET(pfkeyfd, &readfds))
908 DBG_log(BLANK_FORMAT);
909 DBG_log("*received pfkey message"));
911 passert(GLOBALS_ARE_RESET());
916 for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
918 if (FD_ISSET(ifp->fd, &readfds))
920 /* comm_handle will print DBG_CONTROL intro,
921 * with more info than we have here.
926 passert(GLOBALS_ARE_RESET());
931 if (FD_ISSET(ctl_fd, &readfds))
935 DBG_log(BLANK_FORMAT);
936 DBG_log("*received whack message"));
937 whack_handle(ctl_fd);
938 passert(GLOBALS_ARE_RESET());
OSDN Git Service
