summaryrefslogtreecommitdiff
path: root/src/charon/network
diff options
context:
space:
mode:
Diffstat (limited to 'src/charon/network')
-rw-r--r--src/charon/network/receiver.c377
-rw-r--r--src/charon/network/receiver.h81
-rw-r--r--src/charon/network/sender.c155
-rw-r--r--src/charon/network/sender.h74
-rw-r--r--src/charon/network/socket.c44
5 files changed, 718 insertions, 13 deletions
diff --git a/src/charon/network/receiver.c b/src/charon/network/receiver.c
new file mode 100644
index 000000000..9b4bf71ac
--- /dev/null
+++ b/src/charon/network/receiver.c
@@ -0,0 +1,377 @@
+/**
+ * @file receiver.c
+ *
+ * @brief Implementation of receiver_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <unistd.h>
+#include <pthread.h>
+
+#include "receiver.h"
+
+#include <daemon.h>
+#include <network/socket.h>
+#include <network/packet.h>
+#include <processing/job_queue.h>
+#include <processing/jobs/job.h>
+#include <processing/jobs/process_message_job.h>
+
+/** length of the full cookie, including time (u_int32_t + SHA1()) */
+#define COOKIE_LENGTH 24
+/** lifetime of a cookie, in seconds */
+#define COOKIE_LIFETIME 10
+/** how many times to reuse the secret */
+#define COOKIE_REUSE 10000
+/** require cookies after half open IKE_SAs */
+#define COOKIE_TRESHOLD 10
+/** how many half open IKE_SAs per peer before blocking */
+#define BLOCK_TRESHOLD 5
+/** length of the secret to use for cookie calculation */
+#define SECRET_LENGTH 16
+
+typedef struct private_receiver_t private_receiver_t;
+
+/**
+ * Private data of a receiver_t object.
+ */
+struct private_receiver_t {
+ /**
+ * Public part of a receiver_t object.
+ */
+ receiver_t public;
+
+ /**
+ * Assigned thread.
+ */
+ pthread_t assigned_thread;
+
+ /**
+ * current secret to use for cookie calculation
+ */
+ char secret[SECRET_LENGTH];
+
+ /**
+ * previous secret used to verify older cookies
+ */
+ char secret_old[SECRET_LENGTH];
+
+ /**
+ * how many times we have used "secret" so far
+ */
+ u_int32_t secret_used;
+
+ /**
+ * time we did the cookie switch
+ */
+ u_int32_t secret_switch;
+
+ /**
+ * time offset to use, hides our system time
+ */
+ u_int32_t secret_offset;
+
+ /**
+ * the randomizer to use for secret generation
+ */
+ randomizer_t *randomizer;
+
+ /**
+ * hasher to use for cookie calculation
+ */
+ hasher_t *hasher;
+};
+
+/**
+ * send a notify back to the sender
+ */
+static void send_notify(message_t *request, notify_type_t type, chunk_t data)
+{
+ if (request->get_request(request) &&
+ request->get_exchange_type(request) == IKE_SA_INIT)
+ {
+ message_t *response;
+ host_t *src, *dst;
+ packet_t *packet;
+ ike_sa_id_t *ike_sa_id;
+
+ response = message_create();
+ dst = request->get_source(request);
+ src = request->get_destination(request);
+ response->set_source(response, src->clone(src));
+ response->set_destination(response, dst->clone(dst));
+ response->set_exchange_type(response, request->get_exchange_type(request));
+ response->set_request(response, FALSE);
+ response->set_message_id(response, 0);
+ ike_sa_id = request->get_ike_sa_id(request);
+ ike_sa_id->switch_initiator(ike_sa_id);
+ response->set_ike_sa_id(response, ike_sa_id);
+ response->add_notify(response, FALSE, type, data);
+ if (response->generate(response, NULL, NULL, &packet) == SUCCESS)
+ {
+ charon->sender->send(charon->sender, packet);
+ response->destroy(response);
+ }
+ }
+}
+
+/**
+ * build a cookie
+ */
+static chunk_t cookie_build(private_receiver_t *this, message_t *message,
+ u_int32_t t, chunk_t secret)
+{
+ u_int64_t spi = message->get_initiator_spi(message);
+ host_t *ip = message->get_source(message);
+ chunk_t input, hash = chunk_alloca(this->hasher->get_hash_size(this->hasher));
+
+ /* COOKIE = t | sha1( IPi | SPIi | t | secret ) */
+ input = chunk_cata("cccc", ip->get_address(ip), chunk_from_thing(spi),
+ chunk_from_thing(t), secret);
+ this->hasher->get_hash(this->hasher, input, hash.ptr);
+ return chunk_cat("cc", chunk_from_thing(t), hash);
+}
+
+/**
+ * verify a received cookie
+ */
+static bool cookie_verify(private_receiver_t *this, message_t *message,
+ chunk_t cookie)
+{
+ u_int32_t t, now;
+ chunk_t reference;
+ chunk_t secret;
+
+ now = time(NULL);
+ t = *(u_int32_t*)cookie.ptr;
+
+ if (cookie.len != COOKIE_LENGTH ||
+ t < now - this->secret_offset - COOKIE_LIFETIME)
+ {
+ DBG2(DBG_NET, "received cookie lifetime expired, rejecting");
+ return FALSE;
+ }
+
+ /* check if cookie is derived from old_secret */
+ if (t + this->secret_offset > this->secret_switch)
+ {
+ secret = chunk_from_thing(this->secret);
+ }
+ else
+ {
+ secret = chunk_from_thing(this->secret_old);
+ }
+
+ /* compare own calculation against received */
+ reference = cookie_build(this, message, t, secret);
+ if (chunk_equals(reference, cookie))
+ {
+ chunk_free(&reference);
+ return TRUE;
+ }
+ chunk_free(&reference);
+ return FALSE;
+}
+
+/**
+ * check if cookies are required, and if so, a valid cookie is included
+ */
+static bool cookie_required(private_receiver_t *this, message_t *message)
+{
+ bool failed = FALSE;
+
+ if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager,
+ NULL) >= COOKIE_TRESHOLD)
+ {
+ /* check for a cookie. We don't use our parser here and do it
+ * quick and dirty for performance reasons.
+ * we assume to cookie is the first payload (which is a MUST), and
+ * the cookies SPI length is zero. */
+ packet_t *packet = message->get_packet(message);
+ chunk_t data = packet->get_data(packet);
+ if (data.len <
+ IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH + COOKIE_LENGTH ||
+ *(data.ptr + 16) != NOTIFY ||
+ *(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE))
+ {
+ /* no cookie found */
+ failed = TRUE;
+ }
+ else
+ {
+ data.ptr += IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH;
+ data.len = COOKIE_LENGTH;
+ if (!cookie_verify(this, message, data))
+ {
+ DBG2(DBG_NET, "found cookie, but content invalid");
+ failed = TRUE;
+ }
+ }
+ packet->destroy(packet);
+ }
+ return failed;
+}
+
+/**
+ * check if peer has to many half open IKE_SAs
+ */
+static bool peer_to_aggressive(private_receiver_t *this, message_t *message)
+{
+ if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager,
+ message->get_source(message)) >= BLOCK_TRESHOLD)
+ {
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * Implementation of receiver_t.receive_packets.
+ */
+static void receive_packets(private_receiver_t *this)
+{
+ packet_t *packet;
+ message_t *message;
+ job_t *job;
+
+ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
+ DBG1(DBG_NET, "receiver thread running, thread_ID: %06u",
+ (int)pthread_self());
+
+ charon->drop_capabilities(charon, TRUE);
+
+ while (TRUE)
+ {
+ /* read in a packet */
+ if (charon->socket->receive(charon->socket, &packet) != SUCCESS)
+ {
+ DBG2(DBG_NET, "receiving from socket failed!");
+ /* try again after a delay */
+ sleep(1);
+ continue;
+ }
+
+ /* parse message header */
+ message = message_create_from_packet(packet);
+ if (message->parse_header(message) != SUCCESS)
+ {
+ DBG1(DBG_NET, "received invalid IKE header from %H - ignored",
+ packet->get_source(packet));
+ message->destroy(message);
+ continue;
+ }
+
+ /* check IKE major version */
+ if (message->get_major_version(message) != IKE_MAJOR_VERSION)
+ {
+ DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, "
+ "sending INVALID_MAJOR_VERSION", message->get_major_version(message),
+ message->get_minor_version(message), packet->get_source(packet));
+ send_notify(message, INVALID_MAJOR_VERSION, chunk_empty);
+ message->destroy(message);
+ continue;
+ }
+
+ if (message->get_request(message) &&
+ message->get_exchange_type(message) == IKE_SA_INIT)
+ {
+ /* check for cookies */
+ if (cookie_required(this, message))
+ {
+ u_int32_t now = time(NULL);
+ chunk_t cookie = cookie_build(this, message, now - this->secret_offset,
+ chunk_from_thing(this->secret));
+
+ DBG2(DBG_NET, "received packet from: %#H to %#H",
+ message->get_source(message),
+ message->get_destination(message));
+ DBG2(DBG_NET, "sending COOKIE notify to %H",
+ message->get_source(message));
+ send_notify(message, COOKIE, cookie);
+ chunk_free(&cookie);
+ if (++this->secret_used > COOKIE_REUSE)
+ {
+ /* create new cookie */
+ DBG1(DBG_NET, "generating new cookie secret after %d uses",
+ this->secret_used);
+ memcpy(this->secret_old, this->secret, SECRET_LENGTH);
+ this->randomizer->get_pseudo_random_bytes(this->randomizer,
+ SECRET_LENGTH, this->secret);
+ this->secret_switch = now;
+ this->secret_used = 0;
+ }
+ message->destroy(message);
+ continue;
+ }
+
+ /* check if peer has not too many IKE_SAs half open */
+ if (peer_to_aggressive(this, message))
+ {
+ DBG1(DBG_NET, "ignoring IKE_SA setup from %H, "
+ "peer to aggressive", message->get_source(message));
+ message->destroy(message);
+ continue;
+ }
+ }
+ job = (job_t *)process_message_job_create(message);
+ charon->job_queue->add(charon->job_queue, job);
+ }
+}
+
+/**
+ * Implementation of receiver_t.destroy.
+ */
+static void destroy(private_receiver_t *this)
+{
+ pthread_cancel(this->assigned_thread);
+ pthread_join(this->assigned_thread, NULL);
+ this->randomizer->destroy(this->randomizer);
+ this->hasher->destroy(this->hasher);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+receiver_t *receiver_create()
+{
+ private_receiver_t *this = malloc_thing(private_receiver_t);
+ u_int32_t now = time(NULL);
+
+ this->public.destroy = (void(*)(receiver_t*)) destroy;
+
+ this->randomizer = randomizer_create();
+ this->hasher = hasher_create(HASH_SHA1);
+ this->secret_switch = now;
+ this->secret_offset = random() % now;
+ this->secret_used = 0;
+ this->randomizer->get_pseudo_random_bytes(this->randomizer, SECRET_LENGTH,
+ this->secret);
+ memcpy(this->secret_old, this->secret, SECRET_LENGTH);
+
+ if (pthread_create(&this->assigned_thread, NULL,
+ (void*)receive_packets, this) != 0)
+ {
+ free(this);
+ charon->kill(charon, "unable to create receiver thread");
+ }
+
+ return &this->public;
+}
diff --git a/src/charon/network/receiver.h b/src/charon/network/receiver.h
new file mode 100644
index 000000000..1bfa7b764
--- /dev/null
+++ b/src/charon/network/receiver.h
@@ -0,0 +1,81 @@
+/**
+ * @file receiver.h
+ *
+ * @brief Interface of receiver_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef RECEIVER_H_
+#define RECEIVER_H_
+
+typedef struct receiver_t receiver_t;
+
+#include <library.h>
+#include <utils/host.h>
+
+/**
+ * @brief Receives packets from the socket and adds them to the job queue.
+ *
+ * The receiver starts a thread, wich reads on the blocking socket. A received
+ * packet is preparsed and a process_message_job is queued in the job queue.
+ *
+ * To endure DoS attacks, cookies are enabled when to many IKE_SAs are half
+ * open. The calculation of cookies is slightly different from the proposed
+ * method in RFC4306. We do not include a nonce, because we think the advantage
+ * we gain does not justify the overhead to parse the whole message.
+ * Instead of VersionIdOfSecret, we include a timestamp. This allows us to
+ * find out wich key was used for cookie creation. Further, we can set a
+ * lifetime for the cookie, which allows us to reuse the secret for a longer
+ * time.
+ * COOKIE = time | sha1( IPi | SPIi | time | secret )
+ *
+ * The secret is changed after a certain amount of cookies sent. The old
+ * secret is stored to allow a clean migration between secret changes.
+ *
+ * Further, the number of half-initiated IKE_SAs is limited per peer. This
+ * mades it impossible for a peer to flood the server with its real IP address.
+ *
+ * @b Constructors:
+ * - receiver_create()
+ *
+ * @ingroup network
+ */
+struct receiver_t {
+
+ /**
+ * @brief Destroys a receiver_t object.
+ *
+ * @param receiver receiver object
+ */
+ void (*destroy) (receiver_t *receiver);
+};
+
+/**
+ * @brief Create a receiver_t object.
+ *
+ * The receiver thread will start working, get data
+ * from the socket and add those packets to the job queue.
+ *
+ * @return receiver_t object
+ *
+ * @ingroup network
+ */
+receiver_t * receiver_create(void);
+
+#endif /*RECEIVER_H_*/
diff --git a/src/charon/network/sender.c b/src/charon/network/sender.c
new file mode 100644
index 000000000..933b8c192
--- /dev/null
+++ b/src/charon/network/sender.c
@@ -0,0 +1,155 @@
+/**
+ * @file sender.c
+ *
+ * @brief Implementation of sender_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <pthread.h>
+
+#include "sender.h"
+
+#include <daemon.h>
+#include <network/socket.h>
+
+
+typedef struct private_sender_t private_sender_t;
+
+/**
+ * Private data of a sender_t object.
+ */
+struct private_sender_t {
+ /**
+ * Public part of a sender_t object.
+ */
+ sender_t public;
+
+ /**
+ * Assigned thread.
+ */
+ pthread_t assigned_thread;
+
+ /**
+ * The packets are stored in a linked list
+ */
+ linked_list_t *list;
+
+ /**
+ * mutex to synchronize access to list
+ */
+ pthread_mutex_t mutex;
+
+ /**
+ * condvar to signal for packets in list
+ */
+ pthread_cond_t condvar;
+};
+
+/**
+ * implements sender_t.send
+ */
+static void send_(private_sender_t *this, packet_t *packet)
+{
+ host_t *src, *dst;
+
+ src = packet->get_source(packet);
+ dst = packet->get_destination(packet);
+ DBG1(DBG_NET, "sending packet: from %#H to %#H", src, dst);
+
+ pthread_mutex_lock(&this->mutex);
+ this->list->insert_last(this->list, packet);
+ pthread_mutex_unlock(&this->mutex);
+ pthread_cond_signal(&this->condvar);
+}
+
+/**
+ * Implementation of private_sender_t.send_packets.
+ */
+static void send_packets(private_sender_t * this)
+{
+ /* cancellation disabled by default */
+ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
+ DBG1(DBG_NET, "sender thread running, thread_ID: %06u", (int)pthread_self());
+
+ charon->drop_capabilities(charon, TRUE);
+
+ while (TRUE)
+ {
+ packet_t *packet;
+ int oldstate;
+
+ pthread_mutex_lock(&this->mutex);
+ /* go to wait while no packets available */
+ while (this->list->get_count(this->list) == 0)
+ {
+ /* add cleanup handler, wait for packet, remove cleanup handler */
+ pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, (void*)&this->mutex);
+ pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+ pthread_cond_wait(&this->condvar, &this->mutex);
+
+ pthread_setcancelstate(oldstate, NULL);
+ pthread_cleanup_pop(0);
+ }
+ this->list->remove_first(this->list, (void**)&packet);
+ pthread_mutex_unlock(&this->mutex);
+
+ charon->socket->send(charon->socket, packet);
+ packet->destroy(packet);
+ }
+}
+
+/**
+ * Implementation of sender_t.destroy.
+ */
+static void destroy(private_sender_t *this)
+{
+ /* send all packets in the queue */
+ while (this->list->get_count(this->list))
+ {
+ sched_yield();
+ }
+ pthread_cancel(this->assigned_thread);
+ pthread_join(this->assigned_thread, NULL);
+ this->list->destroy(this->list);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+sender_t * sender_create()
+{
+ private_sender_t *this = malloc_thing(private_sender_t);
+
+ this->public.send = (void(*)(sender_t*,packet_t*))send_;
+ this->public.destroy = (void(*)(sender_t*)) destroy;
+
+ this->list = linked_list_create();
+ pthread_mutex_init(&this->mutex, NULL);
+ pthread_cond_init(&this->condvar, NULL);
+
+ if (pthread_create(&this->assigned_thread, NULL,
+ (void*)send_packets, this) != 0)
+ {
+ charon->kill(charon, "unable to create sender thread");
+ }
+
+ return &(this->public);
+}
diff --git a/src/charon/network/sender.h b/src/charon/network/sender.h
new file mode 100644
index 000000000..6f2a06891
--- /dev/null
+++ b/src/charon/network/sender.h
@@ -0,0 +1,74 @@
+/**
+ * @file sender.h
+ *
+ * @brief Interface of sender_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef SENDER_H_
+#define SENDER_H_
+
+typedef struct sender_t sender_t;
+
+#include <library.h>
+#include <network/packet.h>
+
+/**
+ * @brief Thread responsible for sending packets over the socket.
+ *
+ * @b Constructors:
+ * - sender_create()
+ *
+ * @ingroup network
+ */
+struct sender_t {
+
+ /**
+ * @brief Send a packet over the network.
+ *
+ * This function is non blocking and adds the packet to a queue.
+ * Whenever the sender thread things it's good to send the packet,
+ * it'll do so.
+ *
+ * @param this calling object
+ * @param packet packet to send
+ */
+ void (*send) (sender_t *this, packet_t *packet);
+
+ /**
+ * @brief Destroys a sender object.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (sender_t *this);
+};
+
+/**
+ * @brief Create the sender thread.
+ *
+ * The thread will start to work, getting packets
+ * from its queue and sends them out.
+ *
+ * @return created sender object
+ *
+ * @ingroup network
+ */
+sender_t * sender_create(void);
+
+#endif /*SENDER_H_*/
diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c
index 00ba22d5a..dd231ebed 100644
--- a/src/charon/network/socket.c
+++ b/src/charon/network/socket.c
@@ -176,7 +176,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
bytes_read = recv(this->recv4, buffer, MAX_PACKET, 0);
if (bytes_read < 0)
{
- DBG1(DBG_NET, "error reading from IPv4 socket: %m");
+ DBG1(DBG_NET, "error reading from IPv4 socket: %s", strerror(errno));
return FAILED;
}
DBG3(DBG_NET, "received IPv4 packet %b", buffer, bytes_read);
@@ -238,7 +238,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
bytes_read = recvmsg(this->recv6, &msg, 0);
if (bytes_read < 0)
{
- DBG1(DBG_NET, "error reading from IPv6 socket: %m");
+ DBG1(DBG_NET, "error reading from IPv6 socket: %s", strerror(errno));
return FAILED;
}
DBG3(DBG_NET, "received IPv6 packet %b", buffer, bytes_read);
@@ -428,7 +428,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
if (bytes_sent != data.len)
{
- DBG1(DBG_NET, "error writing to socket: %m");
+ DBG1(DBG_NET, "error writing to socket: %s", strerror(errno));
return FAILED;
}
return SUCCESS;
@@ -477,13 +477,14 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
if (skt < 0)
{
- DBG1(DBG_NET, "could not open send socket: %m");
+ DBG1(DBG_NET, "could not open send socket: %s", strerror(errno));
return 0;
}
if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
{
- DBG1(DBG_NET, "unable to set SO_REUSEADDR on send socket: %m");
+ DBG1(DBG_NET, "unable to set SO_REUSEADDR on send socket: %s",
+ strerror(errno));
close(skt);
return 0;
}
@@ -497,7 +498,8 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
{
- DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %m");
+ DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %s",
+ strerror(errno));
close(skt);
return 0;
}
@@ -507,7 +509,8 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
{
- DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %m");
+ DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %s",
+ strerror(errno));
close(skt);
return 0;
}
@@ -515,7 +518,8 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
/* bind the send socket */
if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0)
{
- DBG1(DBG_NET, "unable to bind send socket: %m");
+ DBG1(DBG_NET, "unable to bind send socket: %s",
+ strerror(errno));
close(skt);
return 0;
}
@@ -525,7 +529,8 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
/* enable UDP decapsulation globally, only for one socket needed */
if (setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
{
- DBG1(DBG_NET, "unable to set UDP_ENCAP: %m; NAT-T may fail");
+ DBG1(DBG_NET, "unable to set UDP_ENCAP: %s; NAT-T may fail",
+ strerror(errno));
}
}
@@ -606,14 +611,15 @@ static int open_recv_socket(private_socket_t *this, int family)
skt = socket(family, SOCK_RAW, IPPROTO_UDP);
if (skt < 0)
{
- DBG1(DBG_NET, "unable to create raw socket: %m");
+ DBG1(DBG_NET, "unable to create raw socket: %s", strerror(errno));
return 0;
}
if (setsockopt(skt, SOL_SOCKET, SO_ATTACH_FILTER,
&ikev2_filter, sizeof(ikev2_filter)) < 0)
{
- DBG1(DBG_NET, "unable to attach IKEv2 filter to raw socket: %m");
+ DBG1(DBG_NET, "unable to attach IKEv2 filter to raw socket: %s",
+ strerror(errno));
close(skt);
return 0;
}
@@ -623,7 +629,8 @@ static int open_recv_socket(private_socket_t *this, int family)
* 2 or 50 depending on kernel header version */
setsockopt(skt, sol, IPV6_2292PKTINFO, &on, sizeof(on)) < 0)
{
- DBG1(DBG_NET, "unable to set IPV6_PKTINFO on raw socket: %m");
+ DBG1(DBG_NET, "unable to set IPV6_PKTINFO on raw socket: %s",
+ strerror(errno));
close(skt);
return 0;
}
@@ -637,7 +644,8 @@ static int open_recv_socket(private_socket_t *this, int family)
if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
{
- DBG1(DBG_NET, "unable to set IPSEC_POLICY on raw socket: %m");
+ DBG1(DBG_NET, "unable to set IPSEC_POLICY on raw socket: %s",
+ strerror(errno));
close(skt);
return 0;
}
@@ -682,6 +690,7 @@ static void destroy(private_socket_t *this)
*/
socket_t *socket_create(u_int16_t port, u_int16_t natt_port)
{
+ int key;
private_socket_t *this = malloc_thing(private_socket_t);
/* public functions */
@@ -698,6 +707,15 @@ socket_t *socket_create(u_int16_t port, u_int16_t natt_port)
this->send4_natt = 0;
this->send6_natt = 0;
+ /* we open a AF_KEY socket to autoload the af_key module. Otherwise
+ * setsockopt(IPSEC_POLICY) won't work. */
+ key = socket(AF_KEY, SOCK_RAW, PF_KEY_V2);
+ if (key == 0)
+ {
+ charon->kill(charon, "could not open AF_KEY socket");
+ }
+ close(key);
+
this->recv4 = open_recv_socket(this, AF_INET);
if (this->recv4 == 0)
{