1 /* $OpenBSD: util.c,v 1.30 2015/11/23 19:28:34 reyk Exp $ */ 2 3 /* 4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/types.h> 20 #include <sys/queue.h> 21 #include <sys/socket.h> 22 #include <sys/uio.h> 23 24 #include <netdb.h> 25 #include <stdio.h> 26 #include <stdlib.h> 27 #include <unistd.h> 28 #include <string.h> 29 #include <errno.h> 30 #include <limits.h> 31 #include <fcntl.h> 32 #include <ctype.h> 33 #include <event.h> 34 35 #include "iked.h" 36 #include "ikev2.h" 37 38 /* log.c */ 39 extern int debug; 40 extern int verbose; 41 42 int 43 socket_af(struct sockaddr *sa, in_port_t port) 44 { 45 errno = 0; 46 switch (sa->sa_family) { 47 case AF_INET: 48 ((struct sockaddr_in *)sa)->sin_port = port; 49 ((struct sockaddr_in *)sa)->sin_len = 50 sizeof(struct sockaddr_in); 51 break; 52 case AF_INET6: 53 ((struct sockaddr_in6 *)sa)->sin6_port = port; 54 ((struct sockaddr_in6 *)sa)->sin6_len = 55 sizeof(struct sockaddr_in6); 56 break; 57 default: 58 errno = EPFNOSUPPORT; 59 return (-1); 60 } 61 62 return (0); 63 } 64 65 in_port_t 66 socket_getport(struct sockaddr *sa) 67 { 68 switch (sa->sa_family) { 69 case AF_INET: 70 return (ntohs(((struct sockaddr_in *)sa)->sin_port)); 71 case AF_INET6: 72 return (ntohs(((struct sockaddr_in6 *)sa)->sin6_port)); 73 default: 74 return (0); 75 } 76 77 /* NOTREACHED */ 78 return (0); 79 } 80 81 int 82 socket_setport(struct sockaddr *sa, in_port_t port) 83 { 84 switch (sa->sa_family) { 85 case AF_INET: 86 ((struct sockaddr_in *)sa)->sin_port = htons(port); 87 break; 88 case AF_INET6: 89 ((struct sockaddr_in6 *)sa)->sin6_port = htons(port); 90 break; 91 default: 92 return (-1); 93 } 94 return (0); 95 } 96 97 int 98 socket_getaddr(int s, struct sockaddr_storage *ss) 99 { 100 socklen_t sslen; 101 102 return (getsockname(s, (struct sockaddr *)ss, &sslen)); 103 } 104 105 int 106 socket_bypass(int s, struct sockaddr *sa) 107 { 108 int v, *a; 109 int a4[] = { 110 IPPROTO_IP, 111 IP_AUTH_LEVEL, 112 IP_ESP_TRANS_LEVEL, 113 IP_ESP_NETWORK_LEVEL, 114 #ifdef IPV6_IPCOMP_LEVEL 115 IP_IPCOMP_LEVEL 116 #endif 117 }; 118 int a6[] = { 119 IPPROTO_IPV6, 120 IPV6_AUTH_LEVEL, 121 IPV6_ESP_TRANS_LEVEL, 122 IPV6_ESP_NETWORK_LEVEL, 123 #ifdef IPV6_IPCOMP_LEVEL 124 IPV6_IPCOMP_LEVEL 125 #endif 126 }; 127 128 switch (sa->sa_family) { 129 case AF_INET: 130 a = a4; 131 break; 132 case AF_INET6: 133 a = a6; 134 break; 135 default: 136 log_warn("%s: invalid address family", __func__); 137 return (-1); 138 } 139 140 v = IPSEC_LEVEL_BYPASS; 141 if (setsockopt(s, a[0], a[1], &v, sizeof(v)) == -1) { 142 log_warn("%s: AUTH_LEVEL", __func__); 143 return (-1); 144 } 145 if (setsockopt(s, a[0], a[2], &v, sizeof(v)) == -1) { 146 log_warn("%s: ESP_TRANS_LEVEL", __func__); 147 return (-1); 148 } 149 if (setsockopt(s, a[0], a[3], &v, sizeof(v)) == -1) { 150 log_warn("%s: ESP_NETWORK_LEVEL", __func__); 151 return (-1); 152 } 153 #ifdef IP_IPCOMP_LEVEL 154 if (setsockopt(s, a[0], a[4], &v, sizeof(v)) == -1) { 155 log_warn("%s: IPCOMP_LEVEL", __func__); 156 return (-1); 157 } 158 #endif 159 160 return (0); 161 } 162 163 int 164 udp_bind(struct sockaddr *sa, in_port_t port) 165 { 166 int s, val; 167 168 if (socket_af(sa, port) == -1) { 169 log_warn("%s: failed to set UDP port", __func__); 170 return (-1); 171 } 172 173 if ((s = socket(sa->sa_family, 174 SOCK_DGRAM | SOCK_NONBLOCK, IPPROTO_UDP)) == -1) { 175 log_warn("%s: failed to get UDP socket", __func__); 176 return (-1); 177 } 178 179 /* Skip IPsec processing (don't encrypt) for IKE messages */ 180 if (socket_bypass(s, sa) == -1) { 181 log_warn("%s: failed to bypass IPsec on IKE socket", 182 __func__); 183 goto bad; 184 } 185 186 val = 1; 187 if (setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &val, sizeof(int)) == -1) { 188 log_warn("%s: failed to set reuseport", __func__); 189 goto bad; 190 } 191 val = 1; 192 if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(int)) == -1) { 193 log_warn("%s: failed to set reuseaddr", __func__); 194 goto bad; 195 } 196 197 if (sa->sa_family == AF_INET) { 198 val = 1; 199 if (setsockopt(s, IPPROTO_IP, IP_RECVDSTADDR, 200 &val, sizeof(int)) == -1) { 201 log_warn("%s: failed to set IPv4 packet info", 202 __func__); 203 goto bad; 204 } 205 } else { 206 val = 1; 207 if (setsockopt(s, IPPROTO_IPV6, IPV6_RECVPKTINFO, 208 &val, sizeof(int)) == -1) { 209 log_warn("%s: failed to set IPv6 packet info", 210 __func__); 211 goto bad; 212 } 213 } 214 215 if (bind(s, sa, sa->sa_len) == -1) { 216 log_warn("%s: failed to bind UDP socket", __func__); 217 goto bad; 218 } 219 220 return (s); 221 bad: 222 close(s); 223 return (-1); 224 } 225 226 int 227 sockaddr_cmp(struct sockaddr *a, struct sockaddr *b, int prefixlen) 228 { 229 struct sockaddr_in *a4, *b4; 230 struct sockaddr_in6 *a6, *b6; 231 uint32_t av[4], bv[4], mv[4]; 232 233 if (a->sa_family == AF_UNSPEC || b->sa_family == AF_UNSPEC) 234 return (0); 235 else if (a->sa_family > b->sa_family) 236 return (1); 237 else if (a->sa_family < b->sa_family) 238 return (-1); 239 240 if (prefixlen == -1) 241 memset(&mv, 0xff, sizeof(mv)); 242 243 switch (a->sa_family) { 244 case AF_INET: 245 a4 = (struct sockaddr_in *)a; 246 b4 = (struct sockaddr_in *)b; 247 248 av[0] = a4->sin_addr.s_addr; 249 bv[0] = b4->sin_addr.s_addr; 250 if (prefixlen != -1) 251 mv[0] = prefixlen2mask(prefixlen); 252 253 if ((av[0] & mv[0]) > (bv[0] & mv[0])) 254 return (1); 255 if ((av[0] & mv[0]) < (bv[0] & mv[0])) 256 return (-1); 257 break; 258 case AF_INET6: 259 a6 = (struct sockaddr_in6 *)a; 260 b6 = (struct sockaddr_in6 *)b; 261 262 memcpy(&av, &a6->sin6_addr.s6_addr, 16); 263 memcpy(&bv, &b6->sin6_addr.s6_addr, 16); 264 if (prefixlen != -1) 265 prefixlen2mask6(prefixlen, mv); 266 267 if ((av[3] & mv[3]) > (bv[3] & mv[3])) 268 return (1); 269 if ((av[3] & mv[3]) < (bv[3] & mv[3])) 270 return (-1); 271 if ((av[2] & mv[2]) > (bv[2] & mv[2])) 272 return (1); 273 if ((av[2] & mv[2]) < (bv[2] & mv[2])) 274 return (-1); 275 if ((av[1] & mv[1]) > (bv[1] & mv[1])) 276 return (1); 277 if ((av[1] & mv[1]) < (bv[1] & mv[1])) 278 return (-1); 279 if ((av[0] & mv[0]) > (bv[0] & mv[0])) 280 return (1); 281 if ((av[0] & mv[0]) < (bv[0] & mv[0])) 282 return (-1); 283 break; 284 } 285 286 return (0); 287 } 288 289 ssize_t 290 recvfromto(int s, void *buf, size_t len, int flags, struct sockaddr *from, 291 socklen_t *fromlen, struct sockaddr *to, socklen_t *tolen) 292 { 293 struct iovec iov; 294 struct msghdr msg; 295 struct cmsghdr *cmsg; 296 struct in6_pktinfo *pkt6; 297 struct sockaddr_in *in; 298 struct sockaddr_in6 *in6; 299 ssize_t ret; 300 union { 301 struct cmsghdr hdr; 302 char buf[CMSG_SPACE(sizeof(struct sockaddr_storage))]; 303 } cmsgbuf; 304 305 bzero(&msg, sizeof(msg)); 306 bzero(&cmsgbuf.buf, sizeof(cmsgbuf.buf)); 307 308 iov.iov_base = buf; 309 iov.iov_len = len; 310 msg.msg_iov = &iov; 311 msg.msg_iovlen = 1; 312 msg.msg_name = from; 313 msg.msg_namelen = *fromlen; 314 msg.msg_control = &cmsgbuf.buf; 315 msg.msg_controllen = sizeof(cmsgbuf.buf); 316 317 if ((ret = recvmsg(s, &msg, 0)) == -1) 318 return (-1); 319 320 *fromlen = from->sa_len; 321 *tolen = 0; 322 323 if (getsockname(s, to, tolen) != 0) 324 *tolen = 0; 325 326 for (cmsg = CMSG_FIRSTHDR(&msg); cmsg != NULL; 327 cmsg = CMSG_NXTHDR(&msg, cmsg)) { 328 switch (from->sa_family) { 329 case AF_INET: 330 if (cmsg->cmsg_level == IPPROTO_IP && 331 cmsg->cmsg_type == IP_RECVDSTADDR) { 332 in = (struct sockaddr_in *)to; 333 in->sin_family = AF_INET; 334 in->sin_len = *tolen = sizeof(*in); 335 memcpy(&in->sin_addr, CMSG_DATA(cmsg), 336 sizeof(struct in_addr)); 337 } 338 break; 339 case AF_INET6: 340 if (cmsg->cmsg_level == IPPROTO_IPV6 && 341 cmsg->cmsg_type == IPV6_PKTINFO) { 342 in6 = (struct sockaddr_in6 *)to; 343 in6->sin6_family = AF_INET6; 344 in6->sin6_len = *tolen = sizeof(*in6); 345 pkt6 = (struct in6_pktinfo *)CMSG_DATA(cmsg); 346 memcpy(&in6->sin6_addr, &pkt6->ipi6_addr, 347 sizeof(struct in6_addr)); 348 if (IN6_IS_ADDR_LINKLOCAL(&in6->sin6_addr)) 349 in6->sin6_scope_id = 350 pkt6->ipi6_ifindex; 351 } 352 break; 353 } 354 } 355 356 return (ret); 357 } 358 359 const char * 360 print_spi(uint64_t spi, int size) 361 { 362 static char buf[IKED_CYCLE_BUFFERS][32]; 363 static int i = 0; 364 char *ptr; 365 366 ptr = buf[i]; 367 368 switch (size) { 369 case 2: 370 snprintf(ptr, 32, "0x%04x", (uint16_t)spi); 371 break; 372 case 4: 373 snprintf(ptr, 32, "0x%08x", (uint32_t)spi); 374 break; 375 case 8: 376 snprintf(ptr, 32, "0x%016llx", spi); 377 break; 378 default: 379 snprintf(ptr, 32, "%llu", spi); 380 break; 381 } 382 383 if (++i >= IKED_CYCLE_BUFFERS) 384 i = 0; 385 386 return (ptr); 387 } 388 389 const char * 390 print_map(unsigned int type, struct iked_constmap *map) 391 { 392 unsigned int i; 393 static char buf[IKED_CYCLE_BUFFERS][32]; 394 static int idx = 0; 395 const char *name = NULL; 396 397 if (idx >= IKED_CYCLE_BUFFERS) 398 idx = 0; 399 bzero(buf[idx], sizeof(buf[idx])); 400 401 for (i = 0; map[i].cm_name != NULL; i++) { 402 if (map[i].cm_type == type) 403 name = map[i].cm_name; 404 } 405 406 if (name == NULL) 407 snprintf(buf[idx], sizeof(buf[idx]), "<UNKNOWN:%u>", type); 408 else 409 strlcpy(buf[idx], name, sizeof(buf[idx])); 410 411 return (buf[idx++]); 412 } 413 414 void 415 lc_string(char *str) 416 { 417 for (; *str != '\0'; str++) 418 *str = tolower((unsigned char)*str); 419 } 420 421 void 422 print_hex(uint8_t *buf, off_t offset, size_t length) 423 { 424 unsigned int i; 425 extern int verbose; 426 427 if (verbose < 3 || !length) 428 return; 429 430 for (i = 0; i < length; i++) { 431 if (i && (i % 4) == 0) { 432 if ((i % 32) == 0) 433 print_debug("\n"); 434 else 435 print_debug(" "); 436 } 437 print_debug("%02x", buf[offset + i]); 438 } 439 print_debug("\n"); 440 } 441 442 void 443 print_hexval(uint8_t *buf, off_t offset, size_t length) 444 { 445 unsigned int i; 446 extern int verbose; 447 448 if (verbose < 2 || !length) 449 return; 450 451 print_debug("0x"); 452 for (i = 0; i < length; i++) 453 print_debug("%02x", buf[offset + i]); 454 print_debug("\n"); 455 } 456 457 const char * 458 print_bits(unsigned short v, unsigned char *bits) 459 { 460 static char buf[IKED_CYCLE_BUFFERS][BUFSIZ]; 461 static int idx = 0; 462 unsigned int i, any = 0, j = 0; 463 unsigned char c; 464 465 if (!bits) 466 return (""); 467 468 if (++idx >= IKED_CYCLE_BUFFERS) 469 idx = 0; 470 471 bzero(buf[idx], sizeof(buf[idx])); 472 473 bits++; 474 while ((i = *bits++)) { 475 if (v & (1 << (i-1))) { 476 if (any) { 477 buf[idx][j++] = ','; 478 if (j >= sizeof(buf[idx])) 479 return (buf[idx]); 480 } 481 any = 1; 482 for (; (c = *bits) > 32; bits++) { 483 buf[idx][j++] = tolower((unsigned char)c); 484 if (j >= sizeof(buf[idx])) 485 return (buf[idx]); 486 } 487 } else 488 for (; *bits > 32; bits++) 489 ; 490 } 491 492 return (buf[idx]); 493 } 494 495 uint8_t 496 mask2prefixlen(struct sockaddr *sa) 497 { 498 struct sockaddr_in *sa_in = (struct sockaddr_in *)sa; 499 in_addr_t ina = sa_in->sin_addr.s_addr; 500 501 if (ina == 0) 502 return (0); 503 else 504 return (33 - ffs(ntohl(ina))); 505 } 506 507 uint8_t 508 mask2prefixlen6(struct sockaddr *sa) 509 { 510 struct sockaddr_in6 *sa_in6 = (struct sockaddr_in6 *)sa; 511 uint8_t l = 0, *ap, *ep; 512 513 /* 514 * sin6_len is the size of the sockaddr so substract the offset of 515 * the possibly truncated sin6_addr struct. 516 */ 517 ap = (uint8_t *)&sa_in6->sin6_addr; 518 ep = (uint8_t *)sa_in6 + sa_in6->sin6_len; 519 for (; ap < ep; ap++) { 520 /* this "beauty" is adopted from sbin/route/show.c ... */ 521 switch (*ap) { 522 case 0xff: 523 l += 8; 524 break; 525 case 0xfe: 526 l += 7; 527 return (l); 528 case 0xfc: 529 l += 6; 530 return (l); 531 case 0xf8: 532 l += 5; 533 return (l); 534 case 0xf0: 535 l += 4; 536 return (l); 537 case 0xe0: 538 l += 3; 539 return (l); 540 case 0xc0: 541 l += 2; 542 return (l); 543 case 0x80: 544 l += 1; 545 return (l); 546 case 0x00: 547 return (l); 548 default: 549 return (0); 550 } 551 } 552 553 return (l); 554 } 555 556 uint32_t 557 prefixlen2mask(uint8_t prefixlen) 558 { 559 if (prefixlen == 0) 560 return (0); 561 562 if (prefixlen > 32) 563 prefixlen = 32; 564 565 return (htonl(0xffffffff << (32 - prefixlen))); 566 } 567 568 struct in6_addr * 569 prefixlen2mask6(uint8_t prefixlen, uint32_t *mask) 570 { 571 static struct in6_addr s6; 572 int i; 573 574 if (prefixlen > 128) 575 prefixlen = 128; 576 577 bzero(&s6, sizeof(s6)); 578 for (i = 0; i < prefixlen / 8; i++) 579 s6.s6_addr[i] = 0xff; 580 i = prefixlen % 8; 581 if (i) 582 s6.s6_addr[prefixlen / 8] = 0xff00 >> i; 583 584 memcpy(mask, &s6, sizeof(s6)); 585 586 return (&s6); 587 } 588 589 const char * 590 print_host(struct sockaddr *sa, char *buf, size_t len) 591 { 592 static char sbuf[IKED_CYCLE_BUFFERS][NI_MAXHOST + 7]; 593 static int idx = 0; 594 char pbuf[7]; 595 in_port_t port; 596 597 if (buf == NULL) { 598 buf = sbuf[idx]; 599 len = sizeof(sbuf[idx]); 600 if (++idx >= IKED_CYCLE_BUFFERS) 601 idx = 0; 602 } 603 604 if (sa->sa_family == AF_UNSPEC) { 605 strlcpy(buf, "any", len); 606 return (buf); 607 } 608 609 if (getnameinfo(sa, sa->sa_len, 610 buf, len, NULL, 0, NI_NUMERICHOST) != 0) { 611 buf[0] = '\0'; 612 return (NULL); 613 } 614 615 if ((port = socket_getport(sa)) != 0) { 616 snprintf(pbuf, sizeof(pbuf), ":%d", port); 617 (void)strlcat(buf, pbuf, len); 618 } 619 620 return (buf); 621 } 622 623 char * 624 get_string(uint8_t *ptr, size_t len) 625 { 626 size_t i; 627 628 for (i = 0; i < len; i++) 629 if (!isprint(ptr[i])) 630 break; 631 632 return strndup(ptr, i); 633 } 634 635 const char * 636 print_proto(uint8_t proto) 637 { 638 struct protoent *p; 639 static char buf[IKED_CYCLE_BUFFERS][BUFSIZ]; 640 static int idx = 0; 641 642 if (idx >= IKED_CYCLE_BUFFERS) 643 idx = 0; 644 645 if ((p = getprotobynumber(proto)) != NULL) 646 strlcpy(buf[idx], p->p_name, sizeof(buf[idx])); 647 else 648 snprintf(buf[idx], sizeof(buf), "%u", proto); 649 650 651 return (buf[idx++]); 652 } 653 654 int 655 expand_string(char *label, size_t len, const char *srch, const char *repl) 656 { 657 char *tmp; 658 char *p, *q; 659 660 if ((tmp = calloc(1, len)) == NULL) { 661 log_debug("expand_string: calloc"); 662 return (-1); 663 } 664 p = q = label; 665 while ((q = strstr(p, srch)) != NULL) { 666 *q = '\0'; 667 if ((strlcat(tmp, p, len) >= len) || 668 (strlcat(tmp, repl, len) >= len)) { 669 log_debug("expand_string: string too long"); 670 free(tmp); 671 return (-1); 672 } 673 q += strlen(srch); 674 p = q; 675 } 676 if (strlcat(tmp, p, len) >= len) { 677 log_debug("expand_string: string too long"); 678 free(tmp); 679 return (-1); 680 } 681 strlcpy(label, tmp, len); /* always fits */ 682 free(tmp); 683 684 return (0); 685 } 686 687 uint8_t * 688 string2unicode(const char *ascii, size_t *outlen) 689 { 690 uint8_t *uc = NULL; 691 size_t i, len = strlen(ascii); 692 693 if ((uc = calloc(1, (len * 2) + 2)) == NULL) 694 return (NULL); 695 696 for (i = 0; i < len; i++) { 697 /* XXX what about the byte order? */ 698 uc[i * 2] = ascii[i]; 699 } 700 *outlen = len * 2; 701 702 return (uc); 703 } 704 705 void 706 print_debug(const char *emsg, ...) 707 { 708 va_list ap; 709 710 if (debug && verbose > 2) { 711 va_start(ap, emsg); 712 vfprintf(stderr, emsg, ap); 713 va_end(ap); 714 } 715 } 716 717 void 718 print_verbose(const char *emsg, ...) 719 { 720 va_list ap; 721 722 if (verbose) { 723 va_start(ap, emsg); 724 vfprintf(stderr, emsg, ap); 725 va_end(ap); 726 } 727 } 728