1 | /* -*- Mode: C; tab-width: 4 -*- |
---|
2 | * |
---|
3 | * Copyright (c) 2007-2015 Apple Inc. All rights reserved. |
---|
4 | * |
---|
5 | * Licensed under the Apache License, Version 2.0 (the "License"); |
---|
6 | * you may not use this file except in compliance with the License. |
---|
7 | * You may obtain a copy of the License at |
---|
8 | * |
---|
9 | * http://www.apache.org/licenses/LICENSE-2.0 |
---|
10 | * |
---|
11 | * Unless required by applicable law or agreed to in writing, software |
---|
12 | * distributed under the License is distributed on an "AS IS" BASIS, |
---|
13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
---|
14 | * See the License for the specific language governing permissions and |
---|
15 | * limitations under the License. |
---|
16 | */ |
---|
17 | |
---|
18 | #include <sys/cdefs.h> |
---|
19 | #include <arpa/inet.h> |
---|
20 | #include <bsm/libbsm.h> |
---|
21 | #include <net/if.h> |
---|
22 | #include <net/route.h> |
---|
23 | #include <net/if_dl.h> |
---|
24 | #include <net/if_types.h> |
---|
25 | #include <netinet/in.h> |
---|
26 | #include <netinet/if_ether.h> |
---|
27 | #include <netinet6/in6_var.h> |
---|
28 | #include <netinet6/nd6.h> |
---|
29 | #include <netinet6/ipsec.h> |
---|
30 | #include <sys/ioctl.h> |
---|
31 | #include <sys/param.h> |
---|
32 | #include <sys/socket.h> |
---|
33 | #include <ctype.h> |
---|
34 | #include <dirent.h> |
---|
35 | #include <errno.h> |
---|
36 | #include <fcntl.h> |
---|
37 | #include <signal.h> |
---|
38 | #include <stdarg.h> |
---|
39 | #include <stdbool.h> |
---|
40 | #include <string.h> |
---|
41 | #include <unistd.h> |
---|
42 | #include <Security/Security.h> |
---|
43 | #include <SystemConfiguration/SystemConfiguration.h> |
---|
44 | #include <SystemConfiguration/SCPreferencesSetSpecific.h> |
---|
45 | #include <TargetConditionals.h> |
---|
46 | #include <IOKit/pwr_mgt/IOPMLib.h> |
---|
47 | #include <net/bpf.h> |
---|
48 | #include <sys/sysctl.h> |
---|
49 | |
---|
50 | #include "mDNSEmbeddedAPI.h" |
---|
51 | #include "dns_sd.h" |
---|
52 | #include "dnssd_ipc.h" |
---|
53 | #include "libpfkey.h" |
---|
54 | #include "helper.h" |
---|
55 | #include "helper-server.h" |
---|
56 | #include "P2PPacketFilter.h" |
---|
57 | |
---|
58 | #include <netinet/ip.h> |
---|
59 | #include <netinet/tcp.h> |
---|
60 | |
---|
61 | #include <IOKit/pwr_mgt/IOPMLibPrivate.h> |
---|
62 | |
---|
63 | #ifndef RTF_IFSCOPE |
---|
64 | #define RTF_IFSCOPE 0x1000000 |
---|
65 | #endif |
---|
66 | |
---|
67 | #if TARGET_OS_EMBEDDED |
---|
68 | #ifndef MDNS_NO_IPSEC |
---|
69 | #define MDNS_NO_IPSEC 1 |
---|
70 | #endif |
---|
71 | |
---|
72 | #define NO_CFUSERNOTIFICATION 1 |
---|
73 | #define NO_SECURITYFRAMEWORK 1 |
---|
74 | #endif |
---|
75 | |
---|
76 | // Embed the client stub code here, so we can access private functions like ConnectToServer, create_hdr, deliver_request |
---|
77 | #include "../mDNSShared/dnssd_ipc.c" |
---|
78 | #include "../mDNSShared/dnssd_clientstub.c" |
---|
79 | |
---|
80 | typedef struct sadb_x_policy *ipsec_policy_t; |
---|
81 | |
---|
82 | uid_t mDNSResponderUID; |
---|
83 | gid_t mDNSResponderGID; |
---|
84 | |
---|
85 | void helper_exit() |
---|
86 | { |
---|
87 | os_log_info(log_handle,"mDNSResponderHelper exiting"); |
---|
88 | exit(0); |
---|
89 | } |
---|
90 | |
---|
91 | mDNSexport void RequestBPF() |
---|
92 | { |
---|
93 | DNSServiceRef ref; |
---|
94 | |
---|
95 | DNSServiceErrorType err = ConnectToServer(&ref, 0, send_bpf, NULL, NULL, NULL); |
---|
96 | if (err) |
---|
97 | { |
---|
98 | os_log(log_handle, "RequestBPF: ConnectToServer %d", err); |
---|
99 | return; |
---|
100 | } |
---|
101 | |
---|
102 | char *ptr; |
---|
103 | size_t len = sizeof(DNSServiceFlags); |
---|
104 | ipc_msg_hdr *hdr = create_hdr(send_bpf, &len, &ptr, 0, ref); |
---|
105 | if (!hdr) |
---|
106 | { |
---|
107 | os_log(log_handle, "RequestBPF: No mem to allocate"); |
---|
108 | DNSServiceRefDeallocate(ref); |
---|
109 | return; |
---|
110 | } |
---|
111 | |
---|
112 | put_flags(0, &ptr); |
---|
113 | deliver_request(hdr, ref); // Will free hdr for us |
---|
114 | DNSServiceRefDeallocate(ref); |
---|
115 | update_idle_timer(); |
---|
116 | |
---|
117 | os_log_info(log_handle,"RequestBPF: Successful"); |
---|
118 | } |
---|
119 | |
---|
120 | |
---|
121 | void PowerRequest(int key, int interval, int *err) |
---|
122 | { |
---|
123 | *err = kHelperErr_DefaultErr; |
---|
124 | |
---|
125 | os_log_info(log_handle,"PowerRequest: key %d interval %d, err %d", key, interval, *err); |
---|
126 | |
---|
127 | CFArrayRef events = IOPMCopyScheduledPowerEvents(); |
---|
128 | if (events) |
---|
129 | { |
---|
130 | int i; |
---|
131 | CFIndex count = CFArrayGetCount(events); |
---|
132 | for (i=0; i<count; i++) |
---|
133 | { |
---|
134 | CFDictionaryRef dict = CFArrayGetValueAtIndex(events, i); |
---|
135 | CFStringRef id = CFDictionaryGetValue(dict, CFSTR(kIOPMPowerEventAppNameKey)); |
---|
136 | if (CFEqual(id, CFSTR("mDNSResponderHelper"))) |
---|
137 | { |
---|
138 | CFDateRef EventTime = CFDictionaryGetValue(dict, CFSTR(kIOPMPowerEventTimeKey)); |
---|
139 | CFStringRef EventType = CFDictionaryGetValue(dict, CFSTR(kIOPMPowerEventTypeKey)); |
---|
140 | IOReturn result = IOPMCancelScheduledPowerEvent(EventTime, id, EventType); |
---|
141 | //os_log(log_handle, "Deleting old event %s"); |
---|
142 | if (result) |
---|
143 | os_log(log_handle, "IOPMCancelScheduledPowerEvent %d failed %d", i, result); |
---|
144 | } |
---|
145 | } |
---|
146 | CFRelease(events); |
---|
147 | } |
---|
148 | |
---|
149 | if (key < 0) // mDNSPowerRequest(-1,-1) means "clear any stale schedules" (see above) |
---|
150 | { |
---|
151 | *err = kHelperErr_NoErr; |
---|
152 | } |
---|
153 | else if (key == 0) // mDNSPowerRequest(0, 0) means "sleep now" |
---|
154 | { |
---|
155 | IOReturn r = IOPMSleepSystem(IOPMFindPowerManagement(MACH_PORT_NULL)); |
---|
156 | if (r) |
---|
157 | { |
---|
158 | usleep(100000); |
---|
159 | os_log_info(log_handle, "IOPMSleepSystem %d", r); |
---|
160 | } |
---|
161 | *err = r; |
---|
162 | } |
---|
163 | else if (key > 0) |
---|
164 | { |
---|
165 | CFDateRef wakeTime = CFDateCreate(NULL, CFAbsoluteTimeGetCurrent() + interval); |
---|
166 | if (wakeTime) |
---|
167 | { |
---|
168 | CFMutableDictionaryRef scheduleDict = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); |
---|
169 | |
---|
170 | CFDictionaryAddValue(scheduleDict, CFSTR(kIOPMPowerEventTimeKey), wakeTime); |
---|
171 | CFDictionaryAddValue(scheduleDict, CFSTR(kIOPMPowerEventAppNameKey), CFSTR("mDNSResponderHelper")); |
---|
172 | CFDictionaryAddValue(scheduleDict, CFSTR(kIOPMPowerEventTypeKey), key ? CFSTR(kIOPMAutoWake) : CFSTR(kIOPMAutoSleep)); |
---|
173 | |
---|
174 | IOReturn r = IOPMRequestSysWake(scheduleDict); |
---|
175 | if (r) |
---|
176 | { |
---|
177 | usleep(100000); |
---|
178 | os_log_info(log_handle, "IOPMRequestSysWake(%d) %d %x", interval, r, r); |
---|
179 | } |
---|
180 | *err = r; |
---|
181 | CFRelease(wakeTime); |
---|
182 | CFRelease(scheduleDict); |
---|
183 | } |
---|
184 | } |
---|
185 | |
---|
186 | update_idle_timer(); |
---|
187 | } |
---|
188 | |
---|
189 | void SetLocalAddressCacheEntry(int ifindex, int family, const v6addr_t ip, const ethaddr_t eth, int *err) |
---|
190 | { |
---|
191 | |
---|
192 | #define IPv6FMTSTRING "%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X" |
---|
193 | #define IPv6FMTARGS ip[0], ip[1], ip[2], ip[3], ip[4], ip[5], ip[6], ip[7], ip[8], ip[9], ip[10], ip[11], ip[12], ip[13], ip[14], ip[15] |
---|
194 | |
---|
195 | if (family == 4) |
---|
196 | { |
---|
197 | os_log_info(log_handle,"SetLocalAddressCacheEntry %d IPv%d %d.%d.%d.%d %02X:%02X:%02X:%02X:%02X:%02X", |
---|
198 | ifindex, family, ip[0], ip[1], ip[2], ip[3], eth[0], eth[1], eth[2], eth[3], eth[4], eth[5]); |
---|
199 | } |
---|
200 | else |
---|
201 | { |
---|
202 | os_log_info(log_handle,"SetLocalAddressCacheEntry %d IPv%d " IPv6FMTSTRING " %02X:%02X:%02X:%02X:%02X:%02X", |
---|
203 | ifindex, family, IPv6FMTARGS, eth[0], eth[1], eth[2], eth[3], eth[4], eth[5]); |
---|
204 | } |
---|
205 | |
---|
206 | *err = kHelperErr_DefaultErr; |
---|
207 | |
---|
208 | static int s = -1, seq = 0; |
---|
209 | if (s < 0) |
---|
210 | { |
---|
211 | s = socket(PF_ROUTE, SOCK_RAW, 0); |
---|
212 | if (s < 0) |
---|
213 | os_log(log_handle, "SetLocalAddressCacheEntry: socket(PF_ROUTE, SOCK_RAW, 0) failed %d (%s)", errno, strerror(errno)); |
---|
214 | } |
---|
215 | |
---|
216 | if (s >= 0) |
---|
217 | { |
---|
218 | struct timeval tv; |
---|
219 | gettimeofday(&tv, 0); |
---|
220 | if (family == 4) |
---|
221 | { |
---|
222 | struct { struct rt_msghdr hdr; struct sockaddr_inarp dst; struct sockaddr_dl sdl; } rtmsg; |
---|
223 | memset(&rtmsg, 0, sizeof(rtmsg)); |
---|
224 | |
---|
225 | rtmsg.hdr.rtm_msglen = sizeof(rtmsg); |
---|
226 | rtmsg.hdr.rtm_version = RTM_VERSION; |
---|
227 | rtmsg.hdr.rtm_type = RTM_ADD; |
---|
228 | rtmsg.hdr.rtm_index = ifindex; |
---|
229 | rtmsg.hdr.rtm_flags = RTF_HOST | RTF_STATIC | RTF_IFSCOPE; |
---|
230 | rtmsg.hdr.rtm_addrs = RTA_DST | RTA_GATEWAY; |
---|
231 | rtmsg.hdr.rtm_pid = 0; |
---|
232 | rtmsg.hdr.rtm_seq = seq++; |
---|
233 | rtmsg.hdr.rtm_errno = 0; |
---|
234 | rtmsg.hdr.rtm_use = 0; |
---|
235 | rtmsg.hdr.rtm_inits = RTV_EXPIRE; |
---|
236 | rtmsg.hdr.rtm_rmx.rmx_expire = tv.tv_sec + 30; |
---|
237 | |
---|
238 | rtmsg.dst.sin_len = sizeof(rtmsg.dst); |
---|
239 | rtmsg.dst.sin_family = AF_INET; |
---|
240 | rtmsg.dst.sin_port = 0; |
---|
241 | rtmsg.dst.sin_addr.s_addr = *(in_addr_t*)ip; |
---|
242 | rtmsg.dst.sin_srcaddr.s_addr = 0; |
---|
243 | rtmsg.dst.sin_tos = 0; |
---|
244 | rtmsg.dst.sin_other = 0; |
---|
245 | |
---|
246 | rtmsg.sdl.sdl_len = sizeof(rtmsg.sdl); |
---|
247 | rtmsg.sdl.sdl_family = AF_LINK; |
---|
248 | rtmsg.sdl.sdl_index = ifindex; |
---|
249 | rtmsg.sdl.sdl_type = IFT_ETHER; |
---|
250 | rtmsg.sdl.sdl_nlen = 0; |
---|
251 | rtmsg.sdl.sdl_alen = ETHER_ADDR_LEN; |
---|
252 | rtmsg.sdl.sdl_slen = 0; |
---|
253 | |
---|
254 | // Target MAC address goes in rtmsg.sdl.sdl_data[0..5]; (See LLADDR() in /usr/include/net/if_dl.h) |
---|
255 | memcpy(rtmsg.sdl.sdl_data, eth, sizeof(ethaddr_t)); |
---|
256 | |
---|
257 | int len = write(s, (char *)&rtmsg, sizeof(rtmsg)); |
---|
258 | if (len < 0) |
---|
259 | os_log(log_handle, "SetLocalAddressCacheEntry: write(%zu) interface %d address %d.%d.%d.%d seq %d result %d errno %d (%s)", |
---|
260 | sizeof(rtmsg), ifindex, ip[0], ip[1], ip[2], ip[3], rtmsg.hdr.rtm_seq, len, errno, strerror(errno)); |
---|
261 | len = read(s, (char *)&rtmsg, sizeof(rtmsg)); |
---|
262 | if (len < 0 || rtmsg.hdr.rtm_errno) |
---|
263 | os_log(log_handle, "SetLocalAddressCacheEntry: read (%zu) interface %d address %d.%d.%d.%d seq %d result %d errno %d (%s) %d", |
---|
264 | sizeof(rtmsg), ifindex, ip[0], ip[1], ip[2], ip[3], rtmsg.hdr.rtm_seq, len, errno, strerror(errno), rtmsg.hdr.rtm_errno); |
---|
265 | |
---|
266 | *err = kHelperErr_NoErr; |
---|
267 | } |
---|
268 | else |
---|
269 | { |
---|
270 | struct { struct rt_msghdr hdr; struct sockaddr_in6 dst; struct sockaddr_dl sdl; } rtmsg; |
---|
271 | memset(&rtmsg, 0, sizeof(rtmsg)); |
---|
272 | |
---|
273 | rtmsg.hdr.rtm_msglen = sizeof(rtmsg); |
---|
274 | rtmsg.hdr.rtm_version = RTM_VERSION; |
---|
275 | rtmsg.hdr.rtm_type = RTM_ADD; |
---|
276 | rtmsg.hdr.rtm_index = ifindex; |
---|
277 | rtmsg.hdr.rtm_flags = RTF_HOST | RTF_STATIC | RTF_IFSCOPE; |
---|
278 | rtmsg.hdr.rtm_addrs = RTA_DST | RTA_GATEWAY; |
---|
279 | rtmsg.hdr.rtm_pid = 0; |
---|
280 | rtmsg.hdr.rtm_seq = seq++; |
---|
281 | rtmsg.hdr.rtm_errno = 0; |
---|
282 | rtmsg.hdr.rtm_use = 0; |
---|
283 | rtmsg.hdr.rtm_inits = RTV_EXPIRE; |
---|
284 | rtmsg.hdr.rtm_rmx.rmx_expire = tv.tv_sec + 30; |
---|
285 | |
---|
286 | rtmsg.dst.sin6_len = sizeof(rtmsg.dst); |
---|
287 | rtmsg.dst.sin6_family = AF_INET6; |
---|
288 | rtmsg.dst.sin6_port = 0; |
---|
289 | rtmsg.dst.sin6_flowinfo = 0; |
---|
290 | rtmsg.dst.sin6_addr = *(struct in6_addr*)ip; |
---|
291 | rtmsg.dst.sin6_scope_id = ifindex; |
---|
292 | |
---|
293 | rtmsg.sdl.sdl_len = sizeof(rtmsg.sdl); |
---|
294 | rtmsg.sdl.sdl_family = AF_LINK; |
---|
295 | rtmsg.sdl.sdl_index = ifindex; |
---|
296 | rtmsg.sdl.sdl_type = IFT_ETHER; |
---|
297 | rtmsg.sdl.sdl_nlen = 0; |
---|
298 | rtmsg.sdl.sdl_alen = ETHER_ADDR_LEN; |
---|
299 | rtmsg.sdl.sdl_slen = 0; |
---|
300 | |
---|
301 | // Target MAC address goes in rtmsg.sdl.sdl_data[0..5]; (See LLADDR() in /usr/include/net/if_dl.h) |
---|
302 | memcpy(rtmsg.sdl.sdl_data, eth, sizeof(ethaddr_t)); |
---|
303 | |
---|
304 | int len = write(s, (char *)&rtmsg, sizeof(rtmsg)); |
---|
305 | if (len < 0) |
---|
306 | os_log(log_handle, "SetLocalAddressCacheEntry: write(%zu) interface %d address " IPv6FMTSTRING " seq %d result %d errno %d (%s)", |
---|
307 | sizeof(rtmsg), ifindex, IPv6FMTARGS, rtmsg.hdr.rtm_seq, len, errno, strerror(errno)); |
---|
308 | len = read(s, (char *)&rtmsg, sizeof(rtmsg)); |
---|
309 | if (len < 0 || rtmsg.hdr.rtm_errno) |
---|
310 | os_log(log_handle, "SetLocalAddressCacheEntry: read (%zu) interface %d address " IPv6FMTSTRING " seq %d result %d errno %d (%s) %d", |
---|
311 | sizeof(rtmsg), ifindex, IPv6FMTARGS, rtmsg.hdr.rtm_seq, len, errno, strerror(errno), rtmsg.hdr.rtm_errno); |
---|
312 | |
---|
313 | *err = kHelperErr_NoErr; |
---|
314 | } |
---|
315 | } |
---|
316 | |
---|
317 | update_idle_timer(); |
---|
318 | } |
---|
319 | |
---|
320 | |
---|
321 | void UserNotify(const char *title, const char *msg) |
---|
322 | { |
---|
323 | |
---|
324 | #ifndef NO_CFUSERNOTIFICATION |
---|
325 | static const char footer[] = "(Note: This message only appears on machines with 17.x.x.x IP addresses" |
---|
326 | " or on debugging builds with ForceAlerts set â i.e. only at Apple â not on customer machines.)"; |
---|
327 | CFStringRef alertHeader = CFStringCreateWithCString(NULL, title, kCFStringEncodingUTF8); |
---|
328 | CFStringRef alertBody = CFStringCreateWithCString(NULL, msg, kCFStringEncodingUTF8); |
---|
329 | CFStringRef alertFooter = CFStringCreateWithCString(NULL, footer, kCFStringEncodingUTF8); |
---|
330 | CFStringRef alertMessage = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@\r\r%@"), alertBody, alertFooter); |
---|
331 | CFRelease(alertBody); |
---|
332 | CFRelease(alertFooter); |
---|
333 | int err = CFUserNotificationDisplayNotice(0.0, kCFUserNotificationStopAlertLevel, NULL, NULL, NULL, alertHeader, alertMessage, NULL); |
---|
334 | if (err) |
---|
335 | os_log(log_handle, "CFUserNotificationDisplayNotice returned %d", err); |
---|
336 | CFRelease(alertHeader); |
---|
337 | CFRelease(alertMessage); |
---|
338 | #else |
---|
339 | (void)title; |
---|
340 | (void)msg; |
---|
341 | #endif /* NO_CFUSERNOTIFICATION */ |
---|
342 | |
---|
343 | update_idle_timer(); |
---|
344 | } |
---|
345 | |
---|
346 | |
---|
347 | char usercompname[MAX_DOMAIN_LABEL+1] = {0}; // the last computer name the user saw |
---|
348 | char userhostname[MAX_DOMAIN_LABEL+1] = {0}; // the last local host name the user saw |
---|
349 | char lastcompname[MAX_DOMAIN_LABEL+1] = {0}; // the last computer name saved to preferences |
---|
350 | char lasthostname[MAX_DOMAIN_LABEL+1] = {0}; // the last local host name saved to preferences |
---|
351 | |
---|
352 | #ifndef NO_CFUSERNOTIFICATION |
---|
353 | static CFStringRef CFS_OQ = NULL; |
---|
354 | static CFStringRef CFS_CQ = NULL; |
---|
355 | static CFStringRef CFS_Format = NULL; |
---|
356 | static CFStringRef CFS_ComputerName = NULL; |
---|
357 | static CFStringRef CFS_ComputerNameMsg = NULL; |
---|
358 | static CFStringRef CFS_LocalHostName = NULL; |
---|
359 | static CFStringRef CFS_LocalHostNameMsg = NULL; |
---|
360 | static CFStringRef CFS_Problem = NULL; |
---|
361 | |
---|
362 | static CFUserNotificationRef gNotification = NULL; |
---|
363 | static CFRunLoopSourceRef gNotificationRLS = NULL; |
---|
364 | |
---|
365 | static void NotificationCallBackDismissed(CFUserNotificationRef userNotification, CFOptionFlags responseFlags) |
---|
366 | { |
---|
367 | os_log_debug(log_handle,"entry"); |
---|
368 | (void)responseFlags; // Unused |
---|
369 | if (userNotification != gNotification) os_log(log_handle, "NotificationCallBackDismissed: Wrong CFUserNotificationRef"); |
---|
370 | if (gNotificationRLS) |
---|
371 | { |
---|
372 | // Caution: don't use CFRunLoopGetCurrent() here, because the currently executing thread may not be our "CFRunLoopRun" thread. |
---|
373 | // We need to explicitly specify the desired CFRunLoop from which we want to remove this event source. |
---|
374 | CFRunLoopRemoveSource(gRunLoop, gNotificationRLS, kCFRunLoopDefaultMode); |
---|
375 | CFRelease(gNotificationRLS); |
---|
376 | gNotificationRLS = NULL; |
---|
377 | CFRelease(gNotification); |
---|
378 | gNotification = NULL; |
---|
379 | } |
---|
380 | // By dismissing the alert, the user has conceptually acknowleged the rename. |
---|
381 | // (e.g. the machine's name is now officially "computer-2.local", not "computer.local".) |
---|
382 | // If we get *another* conflict, the new alert should refer to the 'old' name |
---|
383 | // as now being "computer-2.local", not "computer.local" |
---|
384 | usercompname[0] = 0; |
---|
385 | userhostname[0] = 0; |
---|
386 | lastcompname[0] = 0; |
---|
387 | lasthostname[0] = 0; |
---|
388 | update_idle_timer(); |
---|
389 | unpause_idle_timer(); |
---|
390 | } |
---|
391 | |
---|
392 | static void ShowNameConflictNotification(CFMutableArrayRef header, CFStringRef subtext) |
---|
393 | { |
---|
394 | CFMutableDictionaryRef dictionary = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); |
---|
395 | if (!dictionary) return; |
---|
396 | |
---|
397 | os_log_debug(log_handle,"entry"); |
---|
398 | |
---|
399 | CFDictionarySetValue(dictionary, kCFUserNotificationAlertHeaderKey, header); |
---|
400 | CFDictionarySetValue(dictionary, kCFUserNotificationAlertMessageKey, subtext); |
---|
401 | |
---|
402 | CFURLRef urlRef = CFURLCreateWithFileSystemPath(NULL, CFSTR("/System/Library/CoreServices/mDNSResponder.bundle"), kCFURLPOSIXPathStyle, true); |
---|
403 | if (urlRef) { CFDictionarySetValue(dictionary, kCFUserNotificationLocalizationURLKey, urlRef); CFRelease(urlRef); } |
---|
404 | |
---|
405 | if (gNotification) // If notification already on-screen, update it in place |
---|
406 | CFUserNotificationUpdate(gNotification, 0, kCFUserNotificationCautionAlertLevel, dictionary); |
---|
407 | else // else, we need to create it |
---|
408 | { |
---|
409 | SInt32 error; |
---|
410 | gNotification = CFUserNotificationCreate(NULL, 0, kCFUserNotificationCautionAlertLevel, &error, dictionary); |
---|
411 | if (!gNotification || error) { os_log(log_handle, "ShowNameConflictNotification: CFUserNotificationRef: Error %d", error); return; } |
---|
412 | gNotificationRLS = CFUserNotificationCreateRunLoopSource(NULL, gNotification, NotificationCallBackDismissed, 0); |
---|
413 | if (!gNotificationRLS) { os_log(log_handle, "ShowNameConflictNotification: RLS"); CFRelease(gNotification); gNotification = NULL; return; } |
---|
414 | // Caution: don't use CFRunLoopGetCurrent() here, because the currently executing thread may not be our "CFRunLoopRun" thread. |
---|
415 | // We need to explicitly specify the desired CFRunLoop to which we want to add this event source. |
---|
416 | CFRunLoopAddSource(gRunLoop, gNotificationRLS, kCFRunLoopDefaultMode); |
---|
417 | os_log_debug(log_handle,"gRunLoop=%p gNotification=%p gNotificationRLS=%p", gRunLoop, gNotification, gNotificationRLS); |
---|
418 | pause_idle_timer(); |
---|
419 | } |
---|
420 | |
---|
421 | CFRelease(dictionary); |
---|
422 | } |
---|
423 | |
---|
424 | static CFMutableArrayRef CreateAlertHeader(const char* oldname, const char* newname, const CFStringRef msg, const char* suffix) |
---|
425 | { |
---|
426 | CFMutableArrayRef alertHeader = NULL; |
---|
427 | |
---|
428 | const CFStringRef cfoldname = CFStringCreateWithCString(NULL, oldname, kCFStringEncodingUTF8); |
---|
429 | // NULL newname means we've given up trying to construct a name that doesn't conflict |
---|
430 | const CFStringRef cfnewname = newname ? CFStringCreateWithCString(NULL, newname, kCFStringEncodingUTF8) : NULL; |
---|
431 | // We tag a zero-width non-breaking space at the end of the literal text to guarantee that, no matter what |
---|
432 | // arbitrary computer name the user may choose, this exact text (with zero-width non-breaking space added) |
---|
433 | // can never be one that occurs in the Localizable.strings translation file. |
---|
434 | if (!cfoldname) |
---|
435 | { |
---|
436 | os_log(log_handle, "Could not construct CFStrings for old=%s", newname); |
---|
437 | } |
---|
438 | else if (newname && !cfnewname) |
---|
439 | { |
---|
440 | os_log(log_handle, "Could not construct CFStrings for new=%s", newname); |
---|
441 | } |
---|
442 | else |
---|
443 | { |
---|
444 | const CFStringRef s1 = CFStringCreateWithFormat(NULL, NULL, CFS_Format, cfoldname, suffix); |
---|
445 | const CFStringRef s2 = cfnewname ? CFStringCreateWithFormat(NULL, NULL, CFS_Format, cfnewname, suffix) : NULL; |
---|
446 | |
---|
447 | alertHeader = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); |
---|
448 | |
---|
449 | if (!s1) |
---|
450 | { |
---|
451 | os_log(log_handle, "Could not construct secondary CFString for old=%s", oldname); |
---|
452 | } |
---|
453 | else if (cfnewname && !s2) |
---|
454 | { |
---|
455 | os_log(log_handle, "Could not construct secondary CFString for new=%s", newname); |
---|
456 | } |
---|
457 | else if (!alertHeader) |
---|
458 | { |
---|
459 | os_log(log_handle, "Could not construct CFArray for notification"); |
---|
460 | } |
---|
461 | else |
---|
462 | { |
---|
463 | // Make sure someone is logged in. We don't want this popping up over the login window |
---|
464 | uid_t uid; |
---|
465 | gid_t gid; |
---|
466 | CFStringRef userName = SCDynamicStoreCopyConsoleUser(NULL, &uid, &gid); |
---|
467 | if (userName) |
---|
468 | { |
---|
469 | if (!CFEqual(userName, CFSTR("_mbsetupuser"))) |
---|
470 | { |
---|
471 | CFArrayAppendValue(alertHeader, msg); // Opening phrase of message, provided by caller |
---|
472 | CFArrayAppendValue(alertHeader, CFS_OQ); CFArrayAppendValue(alertHeader, s1); CFArrayAppendValue(alertHeader, CFS_CQ); |
---|
473 | CFArrayAppendValue(alertHeader, CFSTR(" is already in use on this network. ")); |
---|
474 | if (s2) |
---|
475 | { |
---|
476 | CFArrayAppendValue(alertHeader, CFSTR("The name has been changed to ")); |
---|
477 | CFArrayAppendValue(alertHeader, CFS_OQ); CFArrayAppendValue(alertHeader, s2); CFArrayAppendValue(alertHeader, CFS_CQ); |
---|
478 | CFArrayAppendValue(alertHeader, CFSTR(".")); |
---|
479 | } |
---|
480 | else |
---|
481 | { |
---|
482 | CFArrayAppendValue(alertHeader, CFSTR("All attempts to find an available name by adding a number to the name were also unsuccessful.")); |
---|
483 | } |
---|
484 | } |
---|
485 | CFRelease(userName); |
---|
486 | } |
---|
487 | } |
---|
488 | if (s1) CFRelease(s1); |
---|
489 | if (s2) CFRelease(s2); |
---|
490 | } |
---|
491 | if (cfoldname) CFRelease(cfoldname); |
---|
492 | if (cfnewname) CFRelease(cfnewname); |
---|
493 | |
---|
494 | return alertHeader; |
---|
495 | } |
---|
496 | #endif /* ndef NO_CFUSERNOTIFICATION */ |
---|
497 | |
---|
498 | static void update_notification(void) |
---|
499 | { |
---|
500 | #ifndef NO_CFUSERNOTIFICATION |
---|
501 | os_log_debug(log_handle,"entry ucn=%s, uhn=%s, lcn=%s, lhn=%s", usercompname, userhostname, lastcompname, lasthostname); |
---|
502 | if (!CFS_OQ) |
---|
503 | { |
---|
504 | // Note: The "\xEF\xBB\xBF" byte sequence (U+FEFF) in the CFS_Format string is the UTF-8 encoding of the zero-width non-breaking space character. |
---|
505 | // By appending this invisible character on the end of literal names, we ensure the these strings cannot inadvertently match any string |
---|
506 | // in the localization file -- since we know for sure that none of our strings in the localization file contain the ZWNBS character. |
---|
507 | CFS_Format = CFStringCreateWithCString(NULL, "%@%s\xEF\xBB\xBF", kCFStringEncodingUTF8); |
---|
508 | |
---|
509 | // The strings CFS_OQ, CFS_CQ and the others below are the localization keys for the âLocalizable.stringsâ files, |
---|
510 | // and MUST NOT BE CHANGED, or localization substitution will be broken. |
---|
511 | // To change the text displayed to the user, edit the values in the appropriate âLocalizable.stringsâ file, not the keys here. |
---|
512 | // This includes making changes for adding appropriate directionality overrides like LRM, LRE, RLE, PDF, etc. These need to go in the values |
---|
513 | // in the appropriate âLocalizable.stringsâ entries, not in the keys here (which then wonât match *any* entry in the localization files). |
---|
514 | // These localization keys here were broken in <rdar://problem/8629082> and then subsequently repaired in |
---|
515 | // <rdar://problem/21071535> [mDNSResponder]: TA: Gala15A185: Incorrect punctuation marks when Change the host name to an exist one |
---|
516 | CFS_OQ = CFStringCreateWithCString(NULL, "â", kCFStringEncodingUTF8); // DO NOT CHANGE THIS STRING |
---|
517 | CFS_CQ = CFStringCreateWithCString(NULL, "â", kCFStringEncodingUTF8); // DO NOT CHANGE THIS STRING |
---|
518 | CFS_ComputerName = CFStringCreateWithCString(NULL, "The name of your computer ", kCFStringEncodingUTF8); |
---|
519 | CFS_ComputerNameMsg = CFStringCreateWithCString(NULL, "To change the name of your computer, " |
---|
520 | "open System Preferences and click Sharing, then type the name in the Computer Name field.", kCFStringEncodingUTF8); |
---|
521 | CFS_LocalHostName = CFStringCreateWithCString(NULL, "This computerâs local hostname ", kCFStringEncodingUTF8); |
---|
522 | CFS_LocalHostNameMsg = CFStringCreateWithCString(NULL, "To change the local hostname, " |
---|
523 | "open System Preferences and click Sharing, then click âEditâ and type the name in the Local Hostname field.", kCFStringEncodingUTF8); |
---|
524 | CFS_Problem = CFStringCreateWithCString(NULL, "This may indicate a problem with the local network. " |
---|
525 | "Please inform your network administrator.", kCFStringEncodingUTF8); |
---|
526 | } |
---|
527 | |
---|
528 | if (!usercompname[0] && !userhostname[0]) |
---|
529 | { |
---|
530 | if (gNotificationRLS) |
---|
531 | { |
---|
532 | os_log_debug(log_handle,"canceling notification %p", gNotification); |
---|
533 | CFUserNotificationCancel(gNotification); |
---|
534 | unpause_idle_timer(); |
---|
535 | } |
---|
536 | } |
---|
537 | else |
---|
538 | { |
---|
539 | CFMutableArrayRef header = NULL; |
---|
540 | CFStringRef* subtext = NULL; |
---|
541 | if (userhostname[0] && !lasthostname[0]) // we've given up trying to construct a name that doesn't conflict |
---|
542 | { |
---|
543 | header = CreateAlertHeader(userhostname, NULL, CFS_LocalHostName, ".local"); |
---|
544 | subtext = &CFS_Problem; |
---|
545 | } |
---|
546 | else if (usercompname[0]) |
---|
547 | { |
---|
548 | header = CreateAlertHeader(usercompname, lastcompname, CFS_ComputerName, ""); |
---|
549 | subtext = &CFS_ComputerNameMsg; |
---|
550 | } |
---|
551 | else |
---|
552 | { |
---|
553 | header = CreateAlertHeader(userhostname, lasthostname, CFS_LocalHostName, ".local"); |
---|
554 | subtext = &CFS_LocalHostNameMsg; |
---|
555 | } |
---|
556 | ShowNameConflictNotification(header, *subtext); |
---|
557 | CFRelease(header); |
---|
558 | } |
---|
559 | #endif |
---|
560 | } |
---|
561 | |
---|
562 | void PreferencesSetName(int key, const char* old, const char* new) |
---|
563 | { |
---|
564 | SCPreferencesRef session = NULL; |
---|
565 | Boolean ok = FALSE; |
---|
566 | Boolean locked = FALSE; |
---|
567 | CFStringRef cfstr = NULL; |
---|
568 | char* user = NULL; |
---|
569 | char* last = NULL; |
---|
570 | Boolean needUpdate = FALSE; |
---|
571 | |
---|
572 | os_log_info(log_handle,"PreferencesSetName: entry %s old=%s new=%s", |
---|
573 | key==kmDNSComputerName ? "ComputerName" : (key==kmDNSLocalHostName ? "LocalHostName" : "UNKNOWN"), old, new); |
---|
574 | |
---|
575 | switch ((enum mDNSPreferencesSetNameKey)key) |
---|
576 | { |
---|
577 | case kmDNSComputerName: |
---|
578 | user = usercompname; |
---|
579 | last = lastcompname; |
---|
580 | break; |
---|
581 | case kmDNSLocalHostName: |
---|
582 | user = userhostname; |
---|
583 | last = lasthostname; |
---|
584 | break; |
---|
585 | default: |
---|
586 | os_log(log_handle, "PreferencesSetName: unrecognized key: %d", key); |
---|
587 | goto fin; |
---|
588 | } |
---|
589 | |
---|
590 | if (!last) |
---|
591 | { |
---|
592 | os_log(log_handle, "PreferencesSetName: no last ptr"); |
---|
593 | goto fin; |
---|
594 | } |
---|
595 | |
---|
596 | if (!user) |
---|
597 | { |
---|
598 | os_log(log_handle, "PreferencesSetName:: no user ptr"); |
---|
599 | goto fin; |
---|
600 | } |
---|
601 | |
---|
602 | if (0 == strncmp(old, new, MAX_DOMAIN_LABEL+1)) |
---|
603 | { |
---|
604 | // old and new are same means the config changed i.e, the user has set something in the preferences pane. |
---|
605 | // This means the conflict has been resolved. We need to dismiss the dialogue. |
---|
606 | if (last[0] && 0 != strncmp(last, new, MAX_DOMAIN_LABEL+1)) |
---|
607 | { |
---|
608 | last[0] = 0; |
---|
609 | user[0] = 0; |
---|
610 | needUpdate = TRUE; |
---|
611 | } |
---|
612 | goto fin; |
---|
613 | } |
---|
614 | else |
---|
615 | { |
---|
616 | // old and new are not same, this means there is a conflict. For the first conflict, we show |
---|
617 | // the old value and the new value. For all subsequent conflicts, while the dialogue is still |
---|
618 | // up, we do a real time update of the "new" value in the dialogue. That's why we update just |
---|
619 | // "last" here and not "user". |
---|
620 | if (strncmp(last, new, MAX_DOMAIN_LABEL+1)) |
---|
621 | { |
---|
622 | strncpy(last, new, MAX_DOMAIN_LABEL); |
---|
623 | needUpdate = TRUE; |
---|
624 | } |
---|
625 | } |
---|
626 | |
---|
627 | // If we are not showing the dialogue, we need to remember the first "old" value so that |
---|
628 | // we maintain the same through the lifetime of the dialogue. Subsequent conflicts don't |
---|
629 | // update the "old" value. |
---|
630 | if (!user[0]) |
---|
631 | { |
---|
632 | strncpy(user, old, MAX_DOMAIN_LABEL); |
---|
633 | needUpdate = TRUE; |
---|
634 | } |
---|
635 | |
---|
636 | if (!new[0]) // we've given up trying to construct a name that doesn't conflict |
---|
637 | goto fin; |
---|
638 | |
---|
639 | cfstr = CFStringCreateWithCString(NULL, new, kCFStringEncodingUTF8); |
---|
640 | |
---|
641 | session = SCPreferencesCreate(NULL, CFSTR(kHelperService), NULL); |
---|
642 | |
---|
643 | if (cfstr == NULL || session == NULL) |
---|
644 | { |
---|
645 | os_log(log_handle, "PreferencesSetName: SCPreferencesCreate failed"); |
---|
646 | goto fin; |
---|
647 | } |
---|
648 | if (!SCPreferencesLock(session, 0)) |
---|
649 | { |
---|
650 | os_log(log_handle,"PreferencesSetName: lock failed"); |
---|
651 | goto fin; |
---|
652 | } |
---|
653 | locked = TRUE; |
---|
654 | |
---|
655 | switch ((enum mDNSPreferencesSetNameKey)key) |
---|
656 | { |
---|
657 | case kmDNSComputerName: |
---|
658 | { |
---|
659 | // We want to write the new Computer Name to System Preferences, without disturbing the user-selected |
---|
660 | // system-wide default character set used for things like AppleTalk NBP and NETBIOS service advertising. |
---|
661 | // Note that this encoding is not used for the computer name, but since both are set by the same call, |
---|
662 | // we need to take care to set the name without changing the character set. |
---|
663 | CFStringEncoding encoding = kCFStringEncodingUTF8; |
---|
664 | CFStringRef unused = SCDynamicStoreCopyComputerName(NULL, &encoding); |
---|
665 | if (unused) |
---|
666 | { |
---|
667 | CFRelease(unused); |
---|
668 | unused = NULL; |
---|
669 | } |
---|
670 | else |
---|
671 | { |
---|
672 | encoding = kCFStringEncodingUTF8; |
---|
673 | } |
---|
674 | |
---|
675 | ok = SCPreferencesSetComputerName(session, cfstr, encoding); |
---|
676 | } |
---|
677 | break; |
---|
678 | |
---|
679 | case kmDNSLocalHostName: |
---|
680 | ok = SCPreferencesSetLocalHostName(session, cfstr); |
---|
681 | break; |
---|
682 | |
---|
683 | default: |
---|
684 | break; |
---|
685 | } |
---|
686 | |
---|
687 | if (!ok || !SCPreferencesCommitChanges(session) || |
---|
688 | !SCPreferencesApplyChanges(session)) |
---|
689 | { |
---|
690 | os_log(log_handle, "PreferencesSetName: SCPreferences update failed"); |
---|
691 | goto fin; |
---|
692 | } |
---|
693 | os_log_info(log_handle,"PreferencesSetName: succeeded"); |
---|
694 | |
---|
695 | fin: |
---|
696 | if (NULL != cfstr) |
---|
697 | CFRelease(cfstr); |
---|
698 | if (NULL != session) |
---|
699 | { |
---|
700 | if (locked) |
---|
701 | SCPreferencesUnlock(session); |
---|
702 | CFRelease(session); |
---|
703 | } |
---|
704 | update_idle_timer(); |
---|
705 | if (needUpdate) |
---|
706 | update_notification(); |
---|
707 | |
---|
708 | } |
---|
709 | |
---|
710 | |
---|
711 | enum DNSKeyFormat |
---|
712 | { |
---|
713 | formatNotDNSKey, formatDdnsTypeItem, formatDnsPrefixedServiceItem, formatBtmmPrefixedServiceItem |
---|
714 | }; |
---|
715 | |
---|
716 | // On Mac OS X on Intel, the four-character string seems to be stored backwards, at least sometimes. |
---|
717 | // I suspect some overenthusiastic inexperienced engineer said, "On Intel everything's backwards, |
---|
718 | // therefore I need to add some byte swapping in this API to make this four-character string backwards too." |
---|
719 | // To cope with this we allow *both* "ddns" and "sndd" as valid item types. |
---|
720 | |
---|
721 | |
---|
722 | #ifndef NO_SECURITYFRAMEWORK |
---|
723 | static const char btmmprefix[] = "btmmdns:"; |
---|
724 | static const char dnsprefix[] = "dns:"; |
---|
725 | static const char ddns[] = "ddns"; |
---|
726 | static const char ddnsrev[] = "sndd"; |
---|
727 | |
---|
728 | static enum DNSKeyFormat getDNSKeyFormat(SecKeychainItemRef item, SecKeychainAttributeList **attributesp) |
---|
729 | { |
---|
730 | static UInt32 tags[4] = |
---|
731 | { |
---|
732 | kSecTypeItemAttr, kSecServiceItemAttr, kSecAccountItemAttr, kSecLabelItemAttr |
---|
733 | }; |
---|
734 | static SecKeychainAttributeInfo attributeInfo = |
---|
735 | { |
---|
736 | sizeof(tags)/sizeof(tags[0]), tags, NULL |
---|
737 | }; |
---|
738 | SecKeychainAttributeList *attributes = NULL; |
---|
739 | enum DNSKeyFormat format; |
---|
740 | Boolean malformed = FALSE; |
---|
741 | OSStatus status = noErr; |
---|
742 | int i = 0; |
---|
743 | |
---|
744 | *attributesp = NULL; |
---|
745 | if (noErr != (status = SecKeychainItemCopyAttributesAndData(item, &attributeInfo, NULL, &attributes, NULL, NULL))) |
---|
746 | { |
---|
747 | os_log_info(log_handle,"getDNSKeyFormat: SecKeychainItemCopyAttributesAndData %d - skipping", status); |
---|
748 | goto skip; |
---|
749 | } |
---|
750 | if (attributeInfo.count != attributes->count) |
---|
751 | malformed = TRUE; |
---|
752 | for (i = 0; !malformed && i < (int)attributeInfo.count; ++i) |
---|
753 | if (attributeInfo.tag[i] != attributes->attr[i].tag) |
---|
754 | malformed = TRUE; |
---|
755 | if (malformed) |
---|
756 | { |
---|
757 | os_log(log_handle, "getDNSKeyFormat: malformed result from SecKeychainItemCopyAttributesAndData - skipping"); |
---|
758 | goto skip; |
---|
759 | } |
---|
760 | |
---|
761 | os_log_info(log_handle,"getDNSKeyFormat: entry (\"%.*s\", \"%.*s\", \"%.*s\")", |
---|
762 | (int)attributes->attr[0].length, attributes->attr[0].data, |
---|
763 | (int)attributes->attr[1].length, attributes->attr[1].data, |
---|
764 | (int)attributes->attr[2].length, attributes->attr[2].data); |
---|
765 | |
---|
766 | if (attributes->attr[1].length >= MAX_ESCAPED_DOMAIN_NAME + |
---|
767 | sizeof(dnsprefix)-1) |
---|
768 | { |
---|
769 | os_log(log_handle, "getDNSKeyFormat: kSecServiceItemAttr too long (%u) - skipping", |
---|
770 | (unsigned int)attributes->attr[1].length); |
---|
771 | goto skip; |
---|
772 | } |
---|
773 | if (attributes->attr[2].length >= MAX_ESCAPED_DOMAIN_NAME) |
---|
774 | { |
---|
775 | os_log(log_handle, "getDNSKeyFormat: kSecAccountItemAttr too long (%u) - skipping", |
---|
776 | (unsigned int)attributes->attr[2].length); |
---|
777 | goto skip; |
---|
778 | } |
---|
779 | if (attributes->attr[1].length >= sizeof(dnsprefix)-1 && 0 == strncasecmp(attributes->attr[1].data, dnsprefix, sizeof(dnsprefix)-1)) |
---|
780 | format = formatDnsPrefixedServiceItem; |
---|
781 | else if (attributes->attr[1].length >= sizeof(btmmprefix)-1 && 0 == strncasecmp(attributes->attr[1].data, btmmprefix, sizeof(btmmprefix)-1)) |
---|
782 | format = formatBtmmPrefixedServiceItem; |
---|
783 | else if (attributes->attr[0].length == sizeof(ddns)-1 && 0 == strncasecmp(attributes->attr[0].data, ddns, sizeof(ddns)-1)) |
---|
784 | format = formatDdnsTypeItem; |
---|
785 | else if (attributes->attr[0].length == sizeof(ddnsrev)-1 && 0 == strncasecmp(attributes->attr[0].data, ddnsrev, sizeof(ddnsrev)-1)) |
---|
786 | format = formatDdnsTypeItem; |
---|
787 | else |
---|
788 | { |
---|
789 | os_log_info(log_handle,"getDNSKeyFormat: uninterested in this entry"); |
---|
790 | goto skip; |
---|
791 | } |
---|
792 | |
---|
793 | *attributesp = attributes; |
---|
794 | os_log_info(log_handle,"getDNSKeyFormat: accepting this entry"); |
---|
795 | return format; |
---|
796 | |
---|
797 | skip: |
---|
798 | SecKeychainItemFreeAttributesAndData(attributes, NULL); |
---|
799 | return formatNotDNSKey; |
---|
800 | } |
---|
801 | |
---|
802 | // Insert the attributes as defined by mDNSKeyChainAttributes |
---|
803 | static CFPropertyListRef copyKeychainItemInfo(SecKeychainItemRef item, SecKeychainAttributeList *attributes, enum DNSKeyFormat format) |
---|
804 | { |
---|
805 | CFMutableArrayRef entry = NULL; |
---|
806 | CFDataRef data = NULL; |
---|
807 | OSStatus status = noErr; |
---|
808 | UInt32 keylen = 0; |
---|
809 | void *keyp = 0; |
---|
810 | |
---|
811 | if (NULL == (entry = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks))) |
---|
812 | { |
---|
813 | os_log(log_handle, "copyKeychainItemInfo: CFArrayCreateMutable failed"); |
---|
814 | goto error; |
---|
815 | } |
---|
816 | |
---|
817 | // Insert the Account attribute (kmDNSKcWhere) |
---|
818 | switch ((enum DNSKeyFormat)format) |
---|
819 | { |
---|
820 | case formatDdnsTypeItem: |
---|
821 | data = CFDataCreate(kCFAllocatorDefault, attributes->attr[1].data, attributes->attr[1].length); |
---|
822 | break; |
---|
823 | case formatDnsPrefixedServiceItem: |
---|
824 | case formatBtmmPrefixedServiceItem: |
---|
825 | data = CFDataCreate(kCFAllocatorDefault, attributes->attr[1].data, attributes->attr[1].length); |
---|
826 | break; |
---|
827 | default: |
---|
828 | os_log(log_handle, "copyKeychainItemInfo: unknown DNSKeyFormat value"); |
---|
829 | break; |
---|
830 | } |
---|
831 | if (NULL == data) |
---|
832 | { |
---|
833 | os_log(log_handle, "copyKeychainItemInfo: CFDataCreate for attr[1] failed"); |
---|
834 | goto error; |
---|
835 | } |
---|
836 | CFArrayAppendValue(entry, data); |
---|
837 | CFRelease(data); |
---|
838 | |
---|
839 | // Insert the Where attribute (kmDNSKcAccount) |
---|
840 | if (NULL == (data = CFDataCreate(kCFAllocatorDefault, attributes->attr[2].data, attributes->attr[2].length))) |
---|
841 | { |
---|
842 | os_log(log_handle, "copyKeychainItemInfo: CFDataCreate for attr[2] failed"); |
---|
843 | goto error; |
---|
844 | } |
---|
845 | |
---|
846 | CFArrayAppendValue(entry, data); |
---|
847 | CFRelease(data); |
---|
848 | |
---|
849 | // Insert the Key attribute (kmDNSKcKey) |
---|
850 | if (noErr != (status = SecKeychainItemCopyAttributesAndData(item, NULL, NULL, NULL, &keylen, &keyp))) |
---|
851 | { |
---|
852 | os_log(log_handle, "copyKeychainItemInfo: could not retrieve key for \"%.*s\": %d", |
---|
853 | (int)attributes->attr[1].length, attributes->attr[1].data, status); |
---|
854 | goto error; |
---|
855 | } |
---|
856 | |
---|
857 | data = CFDataCreate(kCFAllocatorDefault, keyp, keylen); |
---|
858 | SecKeychainItemFreeAttributesAndData(NULL, keyp); |
---|
859 | if (NULL == data) |
---|
860 | { |
---|
861 | os_log(log_handle, "copyKeychainItemInfo: CFDataCreate for keyp failed"); |
---|
862 | goto error; |
---|
863 | } |
---|
864 | CFArrayAppendValue(entry, data); |
---|
865 | CFRelease(data); |
---|
866 | |
---|
867 | // Insert the Name attribute (kmDNSKcName) |
---|
868 | if (NULL == (data = CFDataCreate(kCFAllocatorDefault, attributes->attr[3].data, attributes->attr[3].length))) |
---|
869 | { |
---|
870 | os_log(log_handle, "copyKeychainItemInfo: CFDataCreate for attr[3] failed"); |
---|
871 | goto error; |
---|
872 | } |
---|
873 | |
---|
874 | CFArrayAppendValue(entry, data); |
---|
875 | CFRelease(data); |
---|
876 | return entry; |
---|
877 | |
---|
878 | error: |
---|
879 | if (NULL != entry) |
---|
880 | CFRelease(entry); |
---|
881 | return NULL; |
---|
882 | } |
---|
883 | #endif |
---|
884 | |
---|
885 | void KeychainGetSecrets(__unused unsigned int *numsecrets,__unused unsigned long *secrets, __unused unsigned int *secretsCnt, __unused int *err) |
---|
886 | { |
---|
887 | #ifndef NO_SECURITYFRAMEWORK |
---|
888 | CFWriteStreamRef stream = NULL; |
---|
889 | CFDataRef result = NULL; |
---|
890 | CFPropertyListRef entry = NULL; |
---|
891 | CFMutableArrayRef keys = NULL; |
---|
892 | SecKeychainRef skc = NULL; |
---|
893 | SecKeychainItemRef item = NULL; |
---|
894 | SecKeychainSearchRef search = NULL; |
---|
895 | SecKeychainAttributeList *attributes = NULL; |
---|
896 | enum DNSKeyFormat format; |
---|
897 | OSStatus status = 0; |
---|
898 | |
---|
899 | os_log_info(log_handle,"KeychainGetSecrets: entry"); |
---|
900 | *err = kHelperErr_NoErr; |
---|
901 | *numsecrets = 0; |
---|
902 | *secrets = (vm_offset_t)NULL; |
---|
903 | |
---|
904 | if (NULL == (keys = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks))) |
---|
905 | { |
---|
906 | os_log(log_handle, "KeychainGetSecrets: CFArrayCreateMutable failed"); |
---|
907 | *err = kHelperErr_ApiErr; |
---|
908 | goto fin; |
---|
909 | } |
---|
910 | if (noErr != (status = SecKeychainCopyDefault(&skc))) |
---|
911 | { |
---|
912 | *err = kHelperErr_ApiErr; |
---|
913 | goto fin; |
---|
914 | } |
---|
915 | #pragma clang diagnostic push |
---|
916 | #pragma clang diagnostic ignored "-Wdeprecated-declarations" |
---|
917 | if (noErr != (status = SecKeychainSearchCreateFromAttributes(skc, kSecGenericPasswordItemClass, NULL, &search))) |
---|
918 | { |
---|
919 | *err = kHelperErr_ApiErr; |
---|
920 | goto fin; |
---|
921 | } |
---|
922 | for (status = SecKeychainSearchCopyNext(search, &item); noErr == status; status = SecKeychainSearchCopyNext(search, &item)) |
---|
923 | { |
---|
924 | if (formatNotDNSKey != (format = getDNSKeyFormat(item, &attributes)) && |
---|
925 | NULL != (entry = copyKeychainItemInfo(item, attributes, format))) |
---|
926 | { |
---|
927 | CFArrayAppendValue(keys, entry); |
---|
928 | CFRelease(entry); |
---|
929 | } |
---|
930 | SecKeychainItemFreeAttributesAndData(attributes, NULL); |
---|
931 | CFRelease(item); |
---|
932 | } |
---|
933 | #pragma clang diagnostic pop |
---|
934 | if (errSecItemNotFound != status) |
---|
935 | os_log(log_handle, "KeychainGetSecrets: SecKeychainSearchCopyNext failed: %d", status); |
---|
936 | |
---|
937 | if (NULL == (stream = CFWriteStreamCreateWithAllocatedBuffers(kCFAllocatorDefault, kCFAllocatorDefault))) |
---|
938 | { |
---|
939 | *err = kHelperErr_ApiErr; |
---|
940 | os_log(log_handle, "KeychainGetSecrets:CFWriteStreamCreateWithAllocatedBuffers failed"); |
---|
941 | goto fin; |
---|
942 | } |
---|
943 | |
---|
944 | CFWriteStreamOpen(stream); |
---|
945 | if (0 == CFPropertyListWrite(keys, stream, kCFPropertyListBinaryFormat_v1_0, 0, NULL)) |
---|
946 | { |
---|
947 | *err = kHelperErr_ApiErr; |
---|
948 | os_log(log_handle, "KeychainGetSecrets:CFPropertyListWriteToStream failed"); |
---|
949 | goto fin; |
---|
950 | } |
---|
951 | result = CFWriteStreamCopyProperty(stream, kCFStreamPropertyDataWritten); |
---|
952 | |
---|
953 | if (KERN_SUCCESS != vm_allocate(mach_task_self(), secrets, CFDataGetLength(result), VM_FLAGS_ANYWHERE)) |
---|
954 | { |
---|
955 | *err = kHelperErr_ApiErr; |
---|
956 | os_log(log_handle, "KeychainGetSecrets: vm_allocate failed"); |
---|
957 | goto fin; |
---|
958 | } |
---|
959 | |
---|
960 | CFDataGetBytes(result, CFRangeMake(0, CFDataGetLength(result)), (void *)*secrets); |
---|
961 | *secretsCnt = CFDataGetLength(result); |
---|
962 | *numsecrets = CFArrayGetCount(keys); |
---|
963 | |
---|
964 | os_log_info(log_handle,"KeychainGetSecrets: succeeded"); |
---|
965 | |
---|
966 | fin: |
---|
967 | os_log_info(log_handle,"KeychainGetSecrets: returning numsecrets[%u] secrets[%lu] secrets addr[%p] secretscount[%u]", |
---|
968 | *numsecrets, *secrets, secrets, *secretsCnt); |
---|
969 | |
---|
970 | if (NULL != stream) |
---|
971 | { |
---|
972 | CFWriteStreamClose(stream); |
---|
973 | CFRelease(stream); |
---|
974 | } |
---|
975 | if (NULL != result) |
---|
976 | CFRelease(result); |
---|
977 | if (NULL != keys) |
---|
978 | CFRelease(keys); |
---|
979 | if (NULL != search) |
---|
980 | CFRelease(search); |
---|
981 | if (NULL != skc) |
---|
982 | CFRelease(skc); |
---|
983 | update_idle_timer(); |
---|
984 | |
---|
985 | *err = KERN_SUCCESS; |
---|
986 | |
---|
987 | #else |
---|
988 | |
---|
989 | *err = KERN_FAILURE; |
---|
990 | |
---|
991 | #endif |
---|
992 | |
---|
993 | } |
---|
994 | |
---|
995 | |
---|
996 | CF_EXPORT CFDictionaryRef _CFCopySystemVersionDictionary(void); |
---|
997 | CF_EXPORT const CFStringRef _kCFSystemVersionBuildVersionKey; |
---|
998 | |
---|
999 | |
---|
1000 | void SendWakeupPacket(unsigned int ifid, const char *eth_addr, const char *ip_addr, int iteration) |
---|
1001 | { |
---|
1002 | int bpf_fd, i, j; |
---|
1003 | struct ifreq ifr; |
---|
1004 | char ifname[IFNAMSIZ]; |
---|
1005 | char packet[512]; |
---|
1006 | char *ptr = packet; |
---|
1007 | char bpf_device[12]; |
---|
1008 | struct ether_addr *ea; |
---|
1009 | // (void) ip_addr; // unused |
---|
1010 | // (void) iteration; // unused |
---|
1011 | |
---|
1012 | os_log_info(log_handle,"SendWakeupPacket() ether_addr[%s] ip_addr[%s] if_id[%d] iteration[%d]", |
---|
1013 | eth_addr, ip_addr, ifid, iteration); |
---|
1014 | |
---|
1015 | if (if_indextoname(ifid, ifname) == NULL) |
---|
1016 | { |
---|
1017 | os_log(log_handle, "SendWakeupPacket: invalid interface index %u", ifid); |
---|
1018 | return; |
---|
1019 | } |
---|
1020 | |
---|
1021 | ea = ether_aton(eth_addr); |
---|
1022 | if (ea == NULL) |
---|
1023 | { |
---|
1024 | os_log(log_handle, "SendWakeupPacket: invalid ethernet address %s", eth_addr); |
---|
1025 | return; |
---|
1026 | } |
---|
1027 | |
---|
1028 | for (i = 0; i < 100; i++) |
---|
1029 | { |
---|
1030 | snprintf(bpf_device, sizeof(bpf_device), "/dev/bpf%d", i); |
---|
1031 | bpf_fd = open(bpf_device, O_RDWR, 0); |
---|
1032 | |
---|
1033 | if (bpf_fd == -1) |
---|
1034 | continue; |
---|
1035 | else |
---|
1036 | break; |
---|
1037 | } |
---|
1038 | |
---|
1039 | if (bpf_fd == -1) |
---|
1040 | { |
---|
1041 | os_log(log_handle, "SendWakeupPacket: cannot find a bpf device"); |
---|
1042 | return; |
---|
1043 | } |
---|
1044 | |
---|
1045 | memset(&ifr, 0, sizeof(ifr)); |
---|
1046 | strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); |
---|
1047 | |
---|
1048 | if (ioctl(bpf_fd, BIOCSETIF, (char *)&ifr) < 0) |
---|
1049 | { |
---|
1050 | os_log(log_handle, "SendWakeupPacket: BIOCSETIF failed %s", strerror(errno)); |
---|
1051 | return; |
---|
1052 | } |
---|
1053 | |
---|
1054 | // 0x00 Destination address |
---|
1055 | for (i=0; i<6; i++) |
---|
1056 | *ptr++ = ea->octet[i]; |
---|
1057 | |
---|
1058 | // 0x06 Source address (Note: Since we don't currently set the BIOCSHDRCMPLT option, |
---|
1059 | // BPF will fill in the real interface address for us) |
---|
1060 | for (i=0; i<6; i++) |
---|
1061 | *ptr++ = 0; |
---|
1062 | |
---|
1063 | // 0x0C Ethertype (0x0842) |
---|
1064 | *ptr++ = 0x08; |
---|
1065 | *ptr++ = 0x42; |
---|
1066 | |
---|
1067 | // 0x0E Wakeup sync sequence |
---|
1068 | for (i=0; i<6; i++) |
---|
1069 | *ptr++ = 0xFF; |
---|
1070 | |
---|
1071 | // 0x14 Wakeup data |
---|
1072 | for (j=0; j<16; j++) |
---|
1073 | for (i=0; i<6; i++) |
---|
1074 | *ptr++ = ea->octet[i]; |
---|
1075 | |
---|
1076 | // 0x74 Password |
---|
1077 | for (i=0; i<6; i++) |
---|
1078 | *ptr++ = 0; |
---|
1079 | |
---|
1080 | if (write(bpf_fd, packet, ptr - packet) < 0) |
---|
1081 | { |
---|
1082 | os_log(log_handle, "SendWakeupPacket: write failed %s", strerror(errno)); |
---|
1083 | return; |
---|
1084 | } |
---|
1085 | os_log(log_handle, "SendWakeupPacket: sent unicast eth_addr %s, ip_addr %s", eth_addr, ip_addr); |
---|
1086 | |
---|
1087 | // Send a broadcast one to handle ethernet switches that don't flood forward packets with |
---|
1088 | // unknown mac addresses. |
---|
1089 | for (i=0; i<6; i++) |
---|
1090 | packet[i] = 0xFF; |
---|
1091 | |
---|
1092 | if (write(bpf_fd, packet, ptr - packet) < 0) |
---|
1093 | { |
---|
1094 | os_log(log_handle, "SendWakeupPacket: write failed %s", strerror(errno)); |
---|
1095 | return; |
---|
1096 | } |
---|
1097 | os_log(log_handle, "SendWakeupPacket: sent broadcast eth_addr %s, ip_addr %s", eth_addr, ip_addr); |
---|
1098 | |
---|
1099 | close(bpf_fd); |
---|
1100 | |
---|
1101 | } |
---|
1102 | |
---|
1103 | |
---|
1104 | // Open the specified port for protocol in the P2P firewall. |
---|
1105 | void PacketFilterControl(uint32_t command, const char * ifname, uint32_t count, pfArray_t portArray, pfArray_t protocolArray) |
---|
1106 | { |
---|
1107 | int error; |
---|
1108 | |
---|
1109 | os_log_info(log_handle,"PacketFilterControl: command %d ifname %s, count %d", |
---|
1110 | command, ifname, count); |
---|
1111 | os_log_info(log_handle,"PacketFilterControl: portArray0[%d] portArray1[%d] portArray2[%d] portArray3[%d] protocolArray0[%d] protocolArray1[%d] protocolArray2[%d] protocolArray3[%d]", portArray[0], portArray[1], portArray[2], portArray[3], protocolArray[0], protocolArray[1], protocolArray[2], protocolArray[3]); |
---|
1112 | |
---|
1113 | switch (command) |
---|
1114 | { |
---|
1115 | case PF_SET_RULES: |
---|
1116 | error = P2PPacketFilterAddBonjourRuleSet(ifname, count, portArray, protocolArray); |
---|
1117 | if (error) |
---|
1118 | os_log(log_handle, "P2PPacketFilterAddBonjourRuleSet failed %s", strerror(error)); |
---|
1119 | break; |
---|
1120 | |
---|
1121 | case PF_CLEAR_RULES: |
---|
1122 | error = P2PPacketFilterClearBonjourRules(); |
---|
1123 | if (error) |
---|
1124 | os_log(log_handle, "P2PPacketFilterClearBonjourRules failed %s", strerror(error)); |
---|
1125 | break; |
---|
1126 | |
---|
1127 | default: |
---|
1128 | os_log(log_handle, "PacketFilterControl: invalid command %d", command); |
---|
1129 | break; |
---|
1130 | } |
---|
1131 | |
---|
1132 | } |
---|
1133 | |
---|
1134 | static unsigned long in_cksum(unsigned short *ptr, int nbytes) |
---|
1135 | { |
---|
1136 | unsigned long sum; |
---|
1137 | u_short oddbyte; |
---|
1138 | |
---|
1139 | /* |
---|
1140 | * Our algorithm is simple, using a 32-bit accumulator (sum), |
---|
1141 | * we add sequential 16-bit words to it, and at the end, fold back |
---|
1142 | * all the carry bits from the top 16 bits into the lower 16 bits. |
---|
1143 | */ |
---|
1144 | sum = 0; |
---|
1145 | while (nbytes > 1) |
---|
1146 | { |
---|
1147 | sum += *ptr++; |
---|
1148 | nbytes -= 2; |
---|
1149 | } |
---|
1150 | |
---|
1151 | /* mop up an odd byte, if necessary */ |
---|
1152 | if (nbytes == 1) |
---|
1153 | { |
---|
1154 | /* make sure top half is zero */ |
---|
1155 | oddbyte = 0; |
---|
1156 | |
---|
1157 | /* one byte only */ |
---|
1158 | *((u_char *)&oddbyte) = *(u_char *)ptr; |
---|
1159 | sum += oddbyte; |
---|
1160 | } |
---|
1161 | /* Add back carry outs from top 16 bits to low 16 bits. */ |
---|
1162 | sum = (sum >> 16) + (sum & 0xffff); |
---|
1163 | |
---|
1164 | /* add carry */ |
---|
1165 | sum += (sum >> 16); |
---|
1166 | |
---|
1167 | return sum; |
---|
1168 | } |
---|
1169 | |
---|
1170 | static unsigned short InetChecksum(unsigned short *ptr, int nbytes) |
---|
1171 | { |
---|
1172 | unsigned long sum; |
---|
1173 | |
---|
1174 | sum = in_cksum(ptr, nbytes); |
---|
1175 | return (unsigned short)~sum; |
---|
1176 | } |
---|
1177 | |
---|
1178 | static void TCPCheckSum(int af, struct tcphdr *t, int tcplen, const v6addr_t sadd6, const v6addr_t dadd6) |
---|
1179 | { |
---|
1180 | unsigned long sum = 0; |
---|
1181 | unsigned short *ptr; |
---|
1182 | |
---|
1183 | /* TCP header checksum */ |
---|
1184 | sum = in_cksum((unsigned short *)t, tcplen); |
---|
1185 | |
---|
1186 | if (af == AF_INET) |
---|
1187 | { |
---|
1188 | /* Pseudo header */ |
---|
1189 | ptr = (unsigned short *)sadd6; |
---|
1190 | sum += *ptr++; |
---|
1191 | sum += *ptr++; |
---|
1192 | ptr = (unsigned short *)dadd6; |
---|
1193 | sum += *ptr++; |
---|
1194 | sum += *ptr++; |
---|
1195 | } |
---|
1196 | else if (af == AF_INET6) |
---|
1197 | { |
---|
1198 | /* Pseudo header */ |
---|
1199 | ptr = (unsigned short *)sadd6; |
---|
1200 | sum += *ptr++; |
---|
1201 | sum += *ptr++; |
---|
1202 | sum += *ptr++; |
---|
1203 | sum += *ptr++; |
---|
1204 | sum += *ptr++; |
---|
1205 | sum += *ptr++; |
---|
1206 | sum += *ptr++; |
---|
1207 | sum += *ptr++; |
---|
1208 | ptr = (unsigned short *)dadd6; |
---|
1209 | sum += *ptr++; |
---|
1210 | sum += *ptr++; |
---|
1211 | sum += *ptr++; |
---|
1212 | sum += *ptr++; |
---|
1213 | sum += *ptr++; |
---|
1214 | sum += *ptr++; |
---|
1215 | sum += *ptr++; |
---|
1216 | sum += *ptr++; |
---|
1217 | } |
---|
1218 | |
---|
1219 | sum += htons(tcplen); |
---|
1220 | sum += htons(IPPROTO_TCP); |
---|
1221 | |
---|
1222 | while (sum >> 16) |
---|
1223 | sum = (sum >> 16) + (sum & 0xFFFF); |
---|
1224 | |
---|
1225 | t->th_sum = ~sum; |
---|
1226 | |
---|
1227 | } |
---|
1228 | |
---|
1229 | void SendKeepalive(const v6addr_t sadd6, const v6addr_t dadd6, uint16_t lport, uint16_t rport, uint32_t seq, uint32_t ack, uint16_t win) |
---|
1230 | { |
---|
1231 | |
---|
1232 | #define IPv6FMTSTRING "%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X" |
---|
1233 | #define IPv6FMTSARGS sadd6[0], sadd6[1], sadd6[2], sadd6[3], sadd6[4], sadd6[5], sadd6[6], sadd6[7], sadd6[8], sadd6[9], sadd6[10], sadd6[11], sadd6[12], sadd6[13], sadd6[14], sadd6[15] |
---|
1234 | #define IPv6FMTDARGS dadd6[0], dadd6[1], dadd6[2], dadd6[3], dadd6[4], dadd6[5], dadd6[6], dadd6[7], dadd6[8], dadd6[9], dadd6[10], dadd6[11], dadd6[12], dadd6[13], dadd6[14], dadd6[15] |
---|
1235 | |
---|
1236 | os_log_info(log_handle, "SendKeepalive: "IPv6FMTSTRING" :space: "IPv6FMTSTRING"", |
---|
1237 | IPv6FMTSARGS, IPv6FMTDARGS); |
---|
1238 | |
---|
1239 | struct packet4 |
---|
1240 | { |
---|
1241 | struct ip ip; |
---|
1242 | struct tcphdr tcp; |
---|
1243 | } packet4; |
---|
1244 | struct packet6 |
---|
1245 | { |
---|
1246 | struct tcphdr tcp; |
---|
1247 | } packet6; |
---|
1248 | int sock, on; |
---|
1249 | struct tcphdr *t; |
---|
1250 | int af; |
---|
1251 | struct sockaddr_storage ss_to; |
---|
1252 | struct sockaddr_in *sin_to = (struct sockaddr_in *)&ss_to; |
---|
1253 | struct sockaddr_in6 *sin6_to = (struct sockaddr_in6 *)&ss_to; |
---|
1254 | void *packet; |
---|
1255 | ssize_t packetlen; |
---|
1256 | char ctlbuf[CMSG_SPACE(sizeof(struct in6_pktinfo))]; |
---|
1257 | struct msghdr msghdr; |
---|
1258 | struct iovec iov; |
---|
1259 | ssize_t len; |
---|
1260 | |
---|
1261 | os_log_info(log_handle,"SendKeepalive invoked: lport is[%d] rport is[%d] seq is[%d] ack is[%d] win is[%d]", |
---|
1262 | lport, rport, seq, ack, win); |
---|
1263 | |
---|
1264 | char buf1[INET6_ADDRSTRLEN]; |
---|
1265 | char buf2[INET6_ADDRSTRLEN]; |
---|
1266 | |
---|
1267 | buf1[0] = 0; |
---|
1268 | buf2[0] = 0; |
---|
1269 | |
---|
1270 | inet_ntop(AF_INET6, sadd6, buf1, sizeof(buf1)); |
---|
1271 | inet_ntop(AF_INET6, dadd6, buf2, sizeof(buf2)); |
---|
1272 | |
---|
1273 | os_log_info(log_handle,"SendKeepalive invoked: sadd6 is %s, dadd6 is %s", buf1, buf2); |
---|
1274 | |
---|
1275 | // all the incoming arguments are in network order |
---|
1276 | if ((*(unsigned *)(sadd6 +4) == 0) && (*(unsigned *)(sadd6 + 8) == 0) && (*(unsigned *)(sadd6 + 12) == 0)) |
---|
1277 | { |
---|
1278 | af = AF_INET; |
---|
1279 | memset(&packet4, 0, sizeof (packet4)); |
---|
1280 | |
---|
1281 | /* Fill in all the IP header information - should be in host order*/ |
---|
1282 | packet4.ip.ip_v = 4; /* 4-bit Version */ |
---|
1283 | packet4.ip.ip_hl = 5; /* 4-bit Header Length */ |
---|
1284 | packet4.ip.ip_tos = 0; /* 8-bit Type of service */ |
---|
1285 | packet4.ip.ip_len = 40; /* 16-bit Total length */ |
---|
1286 | packet4.ip.ip_id = 9864; /* 16-bit ID field */ |
---|
1287 | packet4.ip.ip_off = 0; /* 13-bit Fragment offset */ |
---|
1288 | packet4.ip.ip_ttl = 63; /* 8-bit Time To Live */ |
---|
1289 | packet4.ip.ip_p = IPPROTO_TCP; /* 8-bit Protocol */ |
---|
1290 | packet4.ip.ip_sum = 0; /* 16-bit Header checksum (below) */ |
---|
1291 | memcpy(&packet4.ip.ip_src.s_addr, sadd6, 4); |
---|
1292 | memcpy(&packet4.ip.ip_dst.s_addr, dadd6, 4); |
---|
1293 | |
---|
1294 | /* IP header checksum */ |
---|
1295 | packet4.ip.ip_sum = InetChecksum((unsigned short *)&packet4.ip, 20); |
---|
1296 | t = &packet4.tcp; |
---|
1297 | packet = &packet4; |
---|
1298 | packetlen = 40; // sum of IPv4 header len(20) and TCP header len(20) |
---|
1299 | } |
---|
1300 | else |
---|
1301 | { |
---|
1302 | af = AF_INET6; |
---|
1303 | memset(&packet6, 0, sizeof (packet6)); |
---|
1304 | t = &packet6.tcp; |
---|
1305 | packet = &packet6; |
---|
1306 | // We don't send IPv6 header, hence just the TCP header len (20) |
---|
1307 | packetlen = 20; |
---|
1308 | } |
---|
1309 | |
---|
1310 | /* Fill in all the TCP header information */ |
---|
1311 | t->th_sport = lport; /* 16-bit Source port number */ |
---|
1312 | t->th_dport = rport; /* 16-bit Destination port */ |
---|
1313 | t->th_seq = seq; /* 32-bit Sequence Number */ |
---|
1314 | t->th_ack = ack; /* 32-bit Acknowledgement Number */ |
---|
1315 | t->th_off = 5; /* Data offset */ |
---|
1316 | t->th_flags = TH_ACK; |
---|
1317 | t->th_win = win; |
---|
1318 | t->th_sum = 0; /* 16-bit checksum (below) */ |
---|
1319 | t->th_urp = 0; /* 16-bit urgent offset */ |
---|
1320 | |
---|
1321 | TCPCheckSum(af, t, 20, sadd6, dadd6); |
---|
1322 | |
---|
1323 | /* Open up a RAW socket */ |
---|
1324 | if ((sock = socket(af, SOCK_RAW, IPPROTO_TCP)) < 0) |
---|
1325 | { |
---|
1326 | os_log(log_handle, "SendKeepalive: socket %s", strerror(errno)); |
---|
1327 | return; |
---|
1328 | } |
---|
1329 | |
---|
1330 | if (af == AF_INET) |
---|
1331 | { |
---|
1332 | on = 1; |
---|
1333 | if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &on, sizeof (on))) |
---|
1334 | { |
---|
1335 | close(sock); |
---|
1336 | os_log(log_handle, "SendKeepalive: setsockopt %s", strerror(errno)); |
---|
1337 | return; |
---|
1338 | } |
---|
1339 | |
---|
1340 | memset(sin_to, 0, sizeof(struct sockaddr_in)); |
---|
1341 | sin_to->sin_len = sizeof(struct sockaddr_in); |
---|
1342 | sin_to->sin_family = AF_INET; |
---|
1343 | memcpy(&sin_to->sin_addr, sadd6, sizeof(struct in_addr)); |
---|
1344 | sin_to->sin_port = rport; |
---|
1345 | |
---|
1346 | msghdr.msg_control = NULL; |
---|
1347 | msghdr.msg_controllen = 0; |
---|
1348 | |
---|
1349 | } |
---|
1350 | else |
---|
1351 | { |
---|
1352 | struct cmsghdr *ctl; |
---|
1353 | |
---|
1354 | memset(sin6_to, 0, sizeof(struct sockaddr_in6)); |
---|
1355 | sin6_to->sin6_len = sizeof(struct sockaddr_in6); |
---|
1356 | sin6_to->sin6_family = AF_INET6; |
---|
1357 | memcpy(&sin6_to->sin6_addr, dadd6, sizeof(struct in6_addr)); |
---|
1358 | |
---|
1359 | sin6_to->sin6_port = rport; |
---|
1360 | sin6_to->sin6_flowinfo = 0; |
---|
1361 | |
---|
1362 | |
---|
1363 | msghdr.msg_control = ctlbuf; |
---|
1364 | msghdr.msg_controllen = sizeof(ctlbuf); |
---|
1365 | ctl = CMSG_FIRSTHDR(&msghdr); |
---|
1366 | ctl->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); |
---|
1367 | ctl->cmsg_level = IPPROTO_IPV6; |
---|
1368 | ctl->cmsg_type = IPV6_PKTINFO; |
---|
1369 | struct in6_pktinfo *pktinfo = (struct in6_pktinfo *) CMSG_DATA(ctl); |
---|
1370 | memcpy(&pktinfo->ipi6_addr, sadd6, sizeof(struct in6_addr)); |
---|
1371 | pktinfo->ipi6_ifindex = 0; |
---|
1372 | } |
---|
1373 | |
---|
1374 | msghdr.msg_name = (struct sockaddr *)&ss_to; |
---|
1375 | msghdr.msg_namelen = ss_to.ss_len; |
---|
1376 | iov.iov_base = packet; |
---|
1377 | iov.iov_len = packetlen; |
---|
1378 | msghdr.msg_iov = &iov; |
---|
1379 | msghdr.msg_iovlen = 1; |
---|
1380 | msghdr.msg_flags = 0; |
---|
1381 | |
---|
1382 | again: |
---|
1383 | len = sendmsg(sock, &msghdr, 0); |
---|
1384 | if (len == -1) |
---|
1385 | { |
---|
1386 | if (errno == EINTR) |
---|
1387 | goto again; |
---|
1388 | } |
---|
1389 | |
---|
1390 | if (len != packetlen) |
---|
1391 | { |
---|
1392 | os_log(log_handle, "SendKeepalive: sendmsg failed %s", strerror(errno)); |
---|
1393 | } |
---|
1394 | else |
---|
1395 | { |
---|
1396 | char source[INET6_ADDRSTRLEN], dest[INET6_ADDRSTRLEN]; |
---|
1397 | |
---|
1398 | inet_ntop(af, (void *)sadd6, source, sizeof(source)); |
---|
1399 | inet_ntop(af, (void *)dadd6, dest, sizeof(dest)); |
---|
1400 | |
---|
1401 | os_log(log_handle, "SendKeepalive: Success Source %s:%d, Dest %s:%d, %u, %u, %u", |
---|
1402 | source, ntohs(lport), dest, ntohs(rport), ntohl(seq), ntohl(ack), ntohs(win)); |
---|
1403 | |
---|
1404 | } |
---|
1405 | close(sock); |
---|
1406 | |
---|
1407 | } |
---|
1408 | |
---|
1409 | |
---|
1410 | void RetrieveTCPInfo(int family, const v6addr_t laddr, uint16_t lport, const v6addr_t raddr, uint16_t rport, uint32_t *seq, uint32_t *ack, uint16_t *win, int32_t *intfid, int *err) |
---|
1411 | { |
---|
1412 | |
---|
1413 | struct tcp_info ti; |
---|
1414 | struct info_tuple itpl; |
---|
1415 | int mib[4]; |
---|
1416 | unsigned int miblen; |
---|
1417 | size_t len; |
---|
1418 | size_t sz; |
---|
1419 | |
---|
1420 | memset(&itpl, 0, sizeof(struct info_tuple)); |
---|
1421 | memset(&ti, 0, sizeof(struct tcp_info)); |
---|
1422 | |
---|
1423 | char buf1[INET6_ADDRSTRLEN]; |
---|
1424 | char buf2[INET6_ADDRSTRLEN]; |
---|
1425 | |
---|
1426 | buf1[0] = 0; |
---|
1427 | buf2[0] = 0; |
---|
1428 | |
---|
1429 | inet_ntop(AF_INET6, laddr, buf1, sizeof(buf1)); |
---|
1430 | inet_ntop(AF_INET6, raddr, buf2, sizeof(buf2)); |
---|
1431 | |
---|
1432 | os_log_info(log_handle, "RetrieveTCPInfo invoked: laddr is %s, raddr is %s", buf1, buf2); |
---|
1433 | |
---|
1434 | os_log_info(log_handle,"RetrieveTCPInfo invoked: lport is[%d] rport is[%d] family is [%d]", |
---|
1435 | lport, rport, family); |
---|
1436 | |
---|
1437 | if (family == AF_INET) |
---|
1438 | { |
---|
1439 | memcpy(&itpl.itpl_local_sin.sin_addr, laddr, sizeof(struct in_addr)); |
---|
1440 | memcpy(&itpl.itpl_remote_sin.sin_addr, raddr, sizeof(struct in_addr)); |
---|
1441 | itpl.itpl_local_sin.sin_port = lport; |
---|
1442 | itpl.itpl_remote_sin.sin_port = rport; |
---|
1443 | itpl.itpl_local_sin.sin_family = AF_INET; |
---|
1444 | itpl.itpl_remote_sin.sin_family = AF_INET; |
---|
1445 | } |
---|
1446 | else |
---|
1447 | { |
---|
1448 | memcpy(&itpl.itpl_local_sin6.sin6_addr, laddr, sizeof(struct in6_addr)); |
---|
1449 | memcpy(&itpl.itpl_remote_sin6.sin6_addr, raddr, sizeof(struct in6_addr)); |
---|
1450 | itpl.itpl_local_sin6.sin6_port = lport; |
---|
1451 | itpl.itpl_remote_sin6.sin6_port = rport; |
---|
1452 | itpl.itpl_local_sin6.sin6_family = AF_INET6; |
---|
1453 | itpl.itpl_remote_sin6.sin6_family = AF_INET6; |
---|
1454 | } |
---|
1455 | itpl.itpl_proto = IPPROTO_TCP; |
---|
1456 | sz = sizeof(mib)/sizeof(mib[0]); |
---|
1457 | if (sysctlnametomib("net.inet.tcp.info", mib, &sz) == -1) |
---|
1458 | { |
---|
1459 | const int sysctl_errno = errno; |
---|
1460 | os_log(log_handle, "RetrieveTCPInfo: sysctlnametomib failed %d, %s", sysctl_errno, strerror(sysctl_errno)); |
---|
1461 | *err = sysctl_errno; |
---|
1462 | } |
---|
1463 | miblen = (unsigned int)sz; |
---|
1464 | len = sizeof(struct tcp_info); |
---|
1465 | if (sysctl(mib, miblen, &ti, &len, &itpl, sizeof(struct info_tuple)) == -1) |
---|
1466 | { |
---|
1467 | const int sysctl_errno = errno; |
---|
1468 | os_log(log_handle, "RetrieveTCPInfo: sysctl failed %d, %s", sysctl_errno, strerror(sysctl_errno)); |
---|
1469 | *err = sysctl_errno; |
---|
1470 | } |
---|
1471 | |
---|
1472 | *seq = ti.tcpi_snd_nxt - 1; |
---|
1473 | *ack = ti.tcpi_rcv_nxt; |
---|
1474 | *win = ti.tcpi_rcv_space >> ti.tcpi_rcv_wscale; |
---|
1475 | *intfid = ti.tcpi_last_outif; |
---|
1476 | *err = KERN_SUCCESS; |
---|
1477 | |
---|
1478 | } |
---|
1479 | |
---|
1480 | #ifndef MDNS_NO_IPSEC |
---|
1481 | |
---|
1482 | static const char configHeader[] = "# BackToMyMac\n"; |
---|
1483 | static const char g_racoon_config_dir[] = "/var/run/racoon/"; |
---|
1484 | static const char g_racoon_config_dir_old[] = "/etc/racoon/remote/"; |
---|
1485 | |
---|
1486 | static int MacOSXSystemBuildNumber(char* letter_out, int* minor_out) |
---|
1487 | { |
---|
1488 | int major = 0, minor = 0; |
---|
1489 | char letter = 0, buildver[256]="<Unknown>"; |
---|
1490 | CFDictionaryRef vers = _CFCopySystemVersionDictionary(); |
---|
1491 | if (vers) |
---|
1492 | { |
---|
1493 | CFStringRef cfbuildver = CFDictionaryGetValue(vers, _kCFSystemVersionBuildVersionKey); |
---|
1494 | if (cfbuildver) CFStringGetCString(cfbuildver, buildver, sizeof(buildver), kCFStringEncodingUTF8); |
---|
1495 | sscanf(buildver, "%d%c%d", &major, &letter, &minor); |
---|
1496 | CFRelease(vers); |
---|
1497 | } |
---|
1498 | else |
---|
1499 | os_log_info(log_handle, "_CFCopySystemVersionDictionary failed"); |
---|
1500 | |
---|
1501 | if (!major) { major=16; letter = 'A'; minor = 300; os_log_info(log_handle, "Note: No Major Build Version number found; assuming 16A300"); } |
---|
1502 | if (letter_out) *letter_out = letter; |
---|
1503 | if (minor_out) *minor_out = minor; |
---|
1504 | return(major); |
---|
1505 | } |
---|
1506 | |
---|
1507 | static int UseOldRacoon() |
---|
1508 | { |
---|
1509 | static int g_oldRacoon = -1; |
---|
1510 | |
---|
1511 | if (g_oldRacoon == -1) |
---|
1512 | { |
---|
1513 | char letter = 0; |
---|
1514 | int minor = 0; |
---|
1515 | g_oldRacoon = (MacOSXSystemBuildNumber(&letter, &minor) < 10); |
---|
1516 | os_log_debug(log_handle, "%s", g_oldRacoon ? "old" : "new"); |
---|
1517 | } |
---|
1518 | |
---|
1519 | return g_oldRacoon; |
---|
1520 | } |
---|
1521 | |
---|
1522 | static int RacoonSignal() |
---|
1523 | { |
---|
1524 | return UseOldRacoon() ? SIGHUP : SIGUSR1; |
---|
1525 | } |
---|
1526 | |
---|
1527 | static int notifyRacoon(void) |
---|
1528 | { |
---|
1529 | os_log_debug(log_handle,"entry"); |
---|
1530 | static const char racoon_pid_path[] = "/var/run/racoon.pid"; |
---|
1531 | char buf[] = "18446744073709551615"; /* largest 64-bit integer */ |
---|
1532 | char *p = NULL; |
---|
1533 | ssize_t n = 0; |
---|
1534 | unsigned long m = 0; |
---|
1535 | int fd = open(racoon_pid_path, O_RDONLY); |
---|
1536 | |
---|
1537 | if (0 > fd) |
---|
1538 | { |
---|
1539 | os_log_debug(log_handle,"open \"%s\" failed, and that's OK: %s", racoon_pid_path, |
---|
1540 | strerror(errno)); |
---|
1541 | return kHelperErr_RacoonNotificationFailed; |
---|
1542 | } |
---|
1543 | n = read(fd, buf, sizeof(buf)-1); |
---|
1544 | close(fd); |
---|
1545 | if (1 > n) |
---|
1546 | { |
---|
1547 | os_log_debug(log_handle,"read of \"%s\" failed: %s", racoon_pid_path, |
---|
1548 | n == 0 ? "empty file" : strerror(errno)); |
---|
1549 | return kHelperErr_RacoonNotificationFailed; |
---|
1550 | } |
---|
1551 | buf[n] = '\0'; |
---|
1552 | m = strtoul(buf, &p, 10); |
---|
1553 | if (*p != '\0' && !isspace(*p)) |
---|
1554 | { |
---|
1555 | os_log_debug(log_handle,"invalid PID \"%s\" (around '%c')", buf, *p); |
---|
1556 | return kHelperErr_RacoonNotificationFailed; |
---|
1557 | } |
---|
1558 | if (2 > m) |
---|
1559 | { |
---|
1560 | os_log_debug(log_handle,"refusing to kill PID %lu", m); |
---|
1561 | return kHelperErr_RacoonNotificationFailed; |
---|
1562 | } |
---|
1563 | if (0 != kill(m, RacoonSignal())) |
---|
1564 | { |
---|
1565 | os_log_debug(log_handle,"Could not signal racoon (%lu): %s", m, strerror(errno)); |
---|
1566 | return kHelperErr_RacoonNotificationFailed; |
---|
1567 | } |
---|
1568 | |
---|
1569 | os_log_debug(log_handle, "Sent racoon (%lu) signal %d", m, RacoonSignal()); |
---|
1570 | return 0; |
---|
1571 | } |
---|
1572 | |
---|
1573 | static const char* GetRacoonConfigDir() |
---|
1574 | { |
---|
1575 | return UseOldRacoon() ? g_racoon_config_dir_old : g_racoon_config_dir; |
---|
1576 | } |
---|
1577 | /* |
---|
1578 | static const char* GetOldRacoonConfigDir() |
---|
1579 | { |
---|
1580 | return UseOldRacoon() ? NULL : g_racoon_config_dir_old; |
---|
1581 | } |
---|
1582 | */ |
---|
1583 | |
---|
1584 | static void closefds(int from) |
---|
1585 | { |
---|
1586 | int fd = 0; |
---|
1587 | struct dirent entry, *entryp = NULL; |
---|
1588 | DIR *dirp = opendir("/dev/fd"); |
---|
1589 | |
---|
1590 | if (dirp == NULL) |
---|
1591 | { |
---|
1592 | /* fall back to the erroneous getdtablesize method */ |
---|
1593 | for (fd = from; fd < getdtablesize(); ++fd) |
---|
1594 | close(fd); |
---|
1595 | return; |
---|
1596 | } |
---|
1597 | while (0 == readdir_r(dirp, &entry, &entryp) && NULL != entryp) |
---|
1598 | { |
---|
1599 | fd = atoi(entryp->d_name); |
---|
1600 | if (fd >= from && fd != dirfd(dirp)) |
---|
1601 | close(fd); |
---|
1602 | } |
---|
1603 | closedir(dirp); |
---|
1604 | } |
---|
1605 | |
---|
1606 | |
---|
1607 | static int startRacoonOld(void) |
---|
1608 | { |
---|
1609 | os_log_debug(log_handle,"entry"); |
---|
1610 | char * const racoon_args[] = { "/usr/sbin/racoon", "-e", NULL }; |
---|
1611 | ssize_t n = 0; |
---|
1612 | pid_t pid = 0; |
---|
1613 | int status = 0; |
---|
1614 | |
---|
1615 | if (0 == (pid = fork())) |
---|
1616 | { |
---|
1617 | closefds(0); |
---|
1618 | execve(racoon_args[0], racoon_args, NULL); |
---|
1619 | os_log_info(log_handle, "execve of \"%s\" failed: %s", |
---|
1620 | racoon_args[0], strerror(errno)); |
---|
1621 | exit(2); |
---|
1622 | } |
---|
1623 | os_log_info(log_handle,"racoon (pid=%lu) started", |
---|
1624 | (unsigned long)pid); |
---|
1625 | n = waitpid(pid, &status, 0); |
---|
1626 | if (-1 == n) |
---|
1627 | { |
---|
1628 | os_log(log_handle, "Unexpected waitpid failure: %s", |
---|
1629 | strerror(errno)); |
---|
1630 | return kHelperErr_RacoonStartFailed; |
---|
1631 | } |
---|
1632 | else if (pid != n) |
---|
1633 | { |
---|
1634 | os_log(log_handle, "Unexpected waitpid return value %d", (int)n); |
---|
1635 | return kHelperErr_RacoonStartFailed; |
---|
1636 | } |
---|
1637 | else if (WIFSIGNALED(status)) |
---|
1638 | { |
---|
1639 | os_log(log_handle, |
---|
1640 | "racoon (pid=%lu) terminated due to signal %d", |
---|
1641 | (unsigned long)pid, WTERMSIG(status)); |
---|
1642 | return kHelperErr_RacoonStartFailed; |
---|
1643 | } |
---|
1644 | else if (WIFSTOPPED(status)) |
---|
1645 | { |
---|
1646 | os_log(log_handle, |
---|
1647 | "racoon (pid=%lu) has stopped due to signal %d", |
---|
1648 | (unsigned long)pid, WSTOPSIG(status)); |
---|
1649 | return kHelperErr_RacoonStartFailed; |
---|
1650 | } |
---|
1651 | else if (0 != WEXITSTATUS(status)) |
---|
1652 | { |
---|
1653 | os_log(log_handle, |
---|
1654 | "racoon (pid=%lu) exited with status %d", |
---|
1655 | (unsigned long)pid, WEXITSTATUS(status)); |
---|
1656 | return kHelperErr_RacoonStartFailed; |
---|
1657 | } |
---|
1658 | os_log_debug(log_handle, "racoon (pid=%lu) daemonized normally", (unsigned long)pid); |
---|
1659 | return 0; |
---|
1660 | } |
---|
1661 | |
---|
1662 | // constant and structure for the racoon control socket |
---|
1663 | #define VPNCTL_CMD_PING 0x0004 |
---|
1664 | typedef struct vpnctl_hdr_struct |
---|
1665 | { |
---|
1666 | u_int16_t msg_type; |
---|
1667 | u_int16_t flags; |
---|
1668 | u_int32_t cookie; |
---|
1669 | u_int32_t reserved; |
---|
1670 | u_int16_t result; |
---|
1671 | u_int16_t len; |
---|
1672 | } vpnctl_hdr; |
---|
1673 | |
---|
1674 | static int startRacoon(void) |
---|
1675 | { |
---|
1676 | os_log_debug(log_handle,"entry"); |
---|
1677 | int fd = socket(PF_UNIX, SOCK_STREAM, 0); |
---|
1678 | if (0 > fd) |
---|
1679 | { |
---|
1680 | os_log(log_handle,"Could not create endpoint for racoon control socket: %d %s", |
---|
1681 | errno, strerror(errno)); |
---|
1682 | return kHelperErr_RacoonStartFailed; |
---|
1683 | } |
---|
1684 | |
---|
1685 | struct sockaddr_un saddr; |
---|
1686 | memset(&saddr, 0, sizeof(saddr)); |
---|
1687 | saddr.sun_family = AF_UNIX; |
---|
1688 | saddr.sun_len = sizeof(saddr); |
---|
1689 | static const char racoon_control_sock_path[] = "/var/run/vpncontrol.sock"; |
---|
1690 | strcpy(saddr.sun_path, racoon_control_sock_path); |
---|
1691 | int result = connect(fd, (struct sockaddr*) &saddr, saddr.sun_len); |
---|
1692 | if (0 > result) |
---|
1693 | { |
---|
1694 | os_log(log_handle, "Could not connect racoon control socket %s: %d %s", |
---|
1695 | racoon_control_sock_path, errno, strerror(errno)); |
---|
1696 | return kHelperErr_RacoonStartFailed; |
---|
1697 | } |
---|
1698 | |
---|
1699 | u_int32_t btmm_cookie = 0x4d4d5442; |
---|
1700 | vpnctl_hdr h = { htons(VPNCTL_CMD_PING), 0, btmm_cookie, 0, 0, 0 }; |
---|
1701 | size_t bytes = 0; |
---|
1702 | ssize_t ret = 0; |
---|
1703 | |
---|
1704 | while (bytes < sizeof(vpnctl_hdr)) |
---|
1705 | { |
---|
1706 | ret = write(fd, ((unsigned char*)&h)+bytes, sizeof(vpnctl_hdr) - bytes); |
---|
1707 | if (ret == -1) |
---|
1708 | { |
---|
1709 | os_log(log_handle, "Could not write to racoon control socket: %d %s", errno, strerror(errno)); |
---|
1710 | return kHelperErr_RacoonStartFailed; |
---|
1711 | } |
---|
1712 | bytes += ret; |
---|
1713 | } |
---|
1714 | |
---|
1715 | int nfds = fd + 1; |
---|
1716 | fd_set fds; |
---|
1717 | int counter = 0; |
---|
1718 | struct timeval tv; |
---|
1719 | bytes = 0; |
---|
1720 | h.cookie = 0; |
---|
1721 | |
---|
1722 | for (counter = 0; counter < 100; counter++) |
---|
1723 | { |
---|
1724 | FD_ZERO(&fds); |
---|
1725 | FD_SET(fd, &fds); |
---|
1726 | tv = (struct timeval){ 0, 10000 }; // 10 milliseconds * 100 iterations = 1 second max wait time |
---|
1727 | |
---|
1728 | result = select(nfds, &fds, (fd_set*)NULL, (fd_set*)NULL, &tv); |
---|
1729 | if (result > 0) |
---|
1730 | { |
---|
1731 | if (FD_ISSET(fd, &fds)) |
---|
1732 | { |
---|
1733 | ret = read(fd, ((unsigned char*)&h)+bytes, sizeof(vpnctl_hdr) - bytes); |
---|
1734 | |
---|
1735 | if (ret == -1) |
---|
1736 | { |
---|
1737 | os_log(log_handle,"Could not read from racoon control socket: %d %s", errno, strerror(errno)); |
---|
1738 | break; |
---|
1739 | } |
---|
1740 | bytes += ret; |
---|
1741 | if (bytes >= sizeof(vpnctl_hdr)) break; |
---|
1742 | } |
---|
1743 | else |
---|
1744 | { |
---|
1745 | os_log_debug(log_handle, "select returned but fd_isset not on expected fd"); |
---|
1746 | } |
---|
1747 | } |
---|
1748 | else if (result < 0) |
---|
1749 | { |
---|
1750 | const int select_errno = errno; |
---|
1751 | os_log_debug(log_handle, "select returned %d errno %d %s", result, select_errno, strerror(select_errno)); |
---|
1752 | if (select_errno != EINTR) break; |
---|
1753 | } |
---|
1754 | } |
---|
1755 | |
---|
1756 | close(fd); |
---|
1757 | |
---|
1758 | if (bytes < sizeof(vpnctl_hdr) || h.cookie != btmm_cookie) |
---|
1759 | return kHelperErr_RacoonStartFailed; |
---|
1760 | |
---|
1761 | os_log_debug(log_handle, "racoon started"); |
---|
1762 | return 0; |
---|
1763 | } |
---|
1764 | |
---|
1765 | static int kickRacoon(void) |
---|
1766 | { |
---|
1767 | if ( 0 == notifyRacoon() ) |
---|
1768 | return 0; |
---|
1769 | return UseOldRacoon() ? startRacoonOld() : startRacoon(); |
---|
1770 | } |
---|
1771 | |
---|
1772 | typedef enum _mDNSTunnelPolicyWhich |
---|
1773 | { |
---|
1774 | kmDNSTunnelPolicySetup, |
---|
1775 | kmDNSTunnelPolicyTeardown, |
---|
1776 | kmDNSTunnelPolicyGenerate |
---|
1777 | } mDNSTunnelPolicyWhich; |
---|
1778 | |
---|
1779 | // For kmDNSTunnelPolicySetup, you can setup IPv6-in-IPv6 tunnel or IPv6-in-IPv4 tunnel |
---|
1780 | // kmDNSNoTunnel is used for other Policy types |
---|
1781 | typedef enum _mDNSTunnelType |
---|
1782 | { |
---|
1783 | kmDNSNoTunnel, |
---|
1784 | kmDNSIPv6IPv4Tunnel, |
---|
1785 | kmDNSIPv6IPv6Tunnel |
---|
1786 | } mDNSTunnelType; |
---|
1787 | |
---|
1788 | static const uint8_t kWholeV6Mask = 128; |
---|
1789 | |
---|
1790 | static unsigned int routeSeq = 1; |
---|
1791 | |
---|
1792 | static int setupTunnelRoute(const v6addr_t local, const v6addr_t remote) |
---|
1793 | { |
---|
1794 | struct |
---|
1795 | { |
---|
1796 | struct rt_msghdr hdr; |
---|
1797 | struct sockaddr_in6 dst; |
---|
1798 | struct sockaddr_in6 gtwy; |
---|
1799 | } msg; |
---|
1800 | int err = 0; |
---|
1801 | int s = -1; |
---|
1802 | |
---|
1803 | if (0 > (s = socket(PF_ROUTE, SOCK_RAW, AF_INET))) |
---|
1804 | { |
---|
1805 | os_log(log_handle,"socket(PF_ROUTE, ...) failed: %s", strerror(errno)); |
---|
1806 | |
---|
1807 | err = kHelperErr_RoutingSocketCreationFailed; |
---|
1808 | goto fin; |
---|
1809 | } |
---|
1810 | |
---|
1811 | memset(&msg, 0, sizeof(msg)); |
---|
1812 | msg.hdr.rtm_msglen = sizeof(msg); |
---|
1813 | msg.hdr.rtm_type = RTM_ADD; |
---|
1814 | /* The following flags are set by `route add -inet6 -host ...` */ |
---|
1815 | msg.hdr.rtm_flags = RTF_UP | RTF_GATEWAY | RTF_HOST | RTF_STATIC; |
---|
1816 | msg.hdr.rtm_version = RTM_VERSION; |
---|
1817 | msg.hdr.rtm_seq = routeSeq++; |
---|
1818 | msg.hdr.rtm_addrs = RTA_DST | RTA_GATEWAY; |
---|
1819 | msg.hdr.rtm_inits = RTV_MTU; |
---|
1820 | msg.hdr.rtm_rmx.rmx_mtu = 1280; |
---|
1821 | |
---|
1822 | msg.dst.sin6_len = sizeof(msg.dst); |
---|
1823 | msg.dst.sin6_family = AF_INET6; |
---|
1824 | memcpy(&msg.dst.sin6_addr, remote, sizeof(msg.dst.sin6_addr)); |
---|
1825 | |
---|
1826 | msg.gtwy.sin6_len = sizeof(msg.gtwy); |
---|
1827 | msg.gtwy.sin6_family = AF_INET6; |
---|
1828 | memcpy(&msg.gtwy.sin6_addr, local, sizeof(msg.gtwy.sin6_addr)); |
---|
1829 | |
---|
1830 | /* send message, ignore error when route already exists */ |
---|
1831 | if (0 > write(s, &msg, msg.hdr.rtm_msglen)) |
---|
1832 | { |
---|
1833 | const int errno_ = errno; |
---|
1834 | |
---|
1835 | os_log_info(log_handle,"write to routing socket failed: %s", strerror(errno_)); |
---|
1836 | if (EEXIST != errno_) |
---|
1837 | { |
---|
1838 | err = kHelperErr_RouteAdditionFailed; |
---|
1839 | goto fin; |
---|
1840 | } |
---|
1841 | } |
---|
1842 | |
---|
1843 | fin: |
---|
1844 | if (0 <= s) |
---|
1845 | close(s); |
---|
1846 | return err; |
---|
1847 | } |
---|
1848 | |
---|
1849 | static int teardownTunnelRoute(const v6addr_t remote) |
---|
1850 | { |
---|
1851 | struct |
---|
1852 | { |
---|
1853 | struct rt_msghdr hdr; |
---|
1854 | struct sockaddr_in6 dst; |
---|
1855 | } msg; |
---|
1856 | int err = 0; |
---|
1857 | int s = -1; |
---|
1858 | |
---|
1859 | if (0 > (s = socket(PF_ROUTE, SOCK_RAW, AF_INET))) |
---|
1860 | { |
---|
1861 | os_log(log_handle, "socket(PF_ROUTE, ...) failed: %s", strerror(errno)); |
---|
1862 | err = kHelperErr_RoutingSocketCreationFailed; |
---|
1863 | goto fin; |
---|
1864 | } |
---|
1865 | memset(&msg, 0, sizeof(msg)); |
---|
1866 | |
---|
1867 | msg.hdr.rtm_msglen = sizeof(msg); |
---|
1868 | msg.hdr.rtm_type = RTM_DELETE; |
---|
1869 | msg.hdr.rtm_version = RTM_VERSION; |
---|
1870 | msg.hdr.rtm_seq = routeSeq++; |
---|
1871 | msg.hdr.rtm_addrs = RTA_DST; |
---|
1872 | |
---|
1873 | msg.dst.sin6_len = sizeof(msg.dst); |
---|
1874 | msg.dst.sin6_family = AF_INET6; |
---|
1875 | memcpy(&msg.dst.sin6_addr, remote, sizeof(msg.dst.sin6_addr)); |
---|
1876 | if (0 > write(s, &msg, msg.hdr.rtm_msglen)) |
---|
1877 | { |
---|
1878 | const int errno_ = errno; |
---|
1879 | |
---|
1880 | os_log_debug(log_handle,"write to routing socket failed: %s", strerror(errno_)); |
---|
1881 | |
---|
1882 | if (ESRCH != errno_) |
---|
1883 | { |
---|
1884 | err = kHelperErr_RouteDeletionFailed; |
---|
1885 | goto fin; |
---|
1886 | } |
---|
1887 | } |
---|
1888 | |
---|
1889 | fin: |
---|
1890 | if (0 <= s) |
---|
1891 | close(s); |
---|
1892 | return err; |
---|
1893 | } |
---|
1894 | |
---|
1895 | static int v4addr_to_string(v4addr_t addr, char *buf, size_t buflen) |
---|
1896 | { |
---|
1897 | if (NULL == inet_ntop(AF_INET, addr, buf, buflen)) |
---|
1898 | { |
---|
1899 | os_log(log_handle, "v4addr_to_string() inet_ntop failed: %s", strerror(errno)); |
---|
1900 | return kHelperErr_InvalidNetworkAddress; |
---|
1901 | } |
---|
1902 | else |
---|
1903 | { |
---|
1904 | return 0; |
---|
1905 | } |
---|
1906 | } |
---|
1907 | |
---|
1908 | static int v6addr_to_string(const v6addr_t addr, char *buf, size_t buflen) |
---|
1909 | { |
---|
1910 | if (NULL == inet_ntop(AF_INET6, addr, buf, buflen)) |
---|
1911 | { |
---|
1912 | os_log(log_handle, "v6addr_to_string inet_ntop failed: %s", strerror(errno)); |
---|
1913 | return kHelperErr_InvalidNetworkAddress; |
---|
1914 | } |
---|
1915 | else |
---|
1916 | { |
---|
1917 | return 0; |
---|
1918 | } |
---|
1919 | } |
---|
1920 | |
---|
1921 | static int ensureExistenceOfRacoonConfigDir(const char* const racoon_config_dir) |
---|
1922 | { |
---|
1923 | struct stat s; |
---|
1924 | int ret = stat(racoon_config_dir, &s); |
---|
1925 | if (ret != 0) |
---|
1926 | { |
---|
1927 | if (errno != ENOENT) |
---|
1928 | { |
---|
1929 | os_log(log_handle, "stat of \"%s\" failed (%d): %s", |
---|
1930 | racoon_config_dir, ret, strerror(errno)); |
---|
1931 | return -1; |
---|
1932 | } |
---|
1933 | else |
---|
1934 | { |
---|
1935 | ret = mkdir(racoon_config_dir, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); |
---|
1936 | if (ret != 0) |
---|
1937 | { |
---|
1938 | os_log(log_handle, "mkdir \"%s\" failed: %s", |
---|
1939 | racoon_config_dir, strerror(errno)); |
---|
1940 | return -1; |
---|
1941 | } |
---|
1942 | else |
---|
1943 | { |
---|
1944 | os_log_info(log_handle, "created directory \"%s\"", racoon_config_dir); |
---|
1945 | } |
---|
1946 | } |
---|
1947 | } |
---|
1948 | else if (!(s.st_mode & S_IFDIR)) |
---|
1949 | { |
---|
1950 | os_log(log_handle, "\"%s\" is not a directory!", |
---|
1951 | racoon_config_dir); |
---|
1952 | return -1; |
---|
1953 | } |
---|
1954 | |
---|
1955 | return 0; |
---|
1956 | } |
---|
1957 | |
---|
1958 | |
---|
1959 | |
---|
1960 | /* Caller owns object returned in `policy' */ |
---|
1961 | static int generateTunnelPolicy(mDNSTunnelPolicyWhich which, mDNSTunnelType type, int in, |
---|
1962 | v4addr_t src, uint16_t src_port, |
---|
1963 | v4addr_t dst, uint16_t dst_port, |
---|
1964 | const v6addr_t src6, const v6addr_t dst6, |
---|
1965 | ipsec_policy_t *policy, size_t *len) |
---|
1966 | { |
---|
1967 | char srcs[INET_ADDRSTRLEN], dsts[INET_ADDRSTRLEN]; |
---|
1968 | char srcs6[INET6_ADDRSTRLEN], dsts6[INET6_ADDRSTRLEN]; |
---|
1969 | char buf[512]; |
---|
1970 | char *inOut = in ? "in" : "out"; |
---|
1971 | ssize_t n = 0; |
---|
1972 | int err = 0; |
---|
1973 | |
---|
1974 | *policy = NULL; |
---|
1975 | *len = 0; |
---|
1976 | |
---|
1977 | switch (which) |
---|
1978 | { |
---|
1979 | case kmDNSTunnelPolicySetup: |
---|
1980 | if (type == kmDNSIPv6IPv4Tunnel) |
---|
1981 | { |
---|
1982 | if (0 != (err = v4addr_to_string(src, srcs, sizeof(srcs)))) |
---|
1983 | goto fin; |
---|
1984 | if (0 != (err = v4addr_to_string(dst, dsts, sizeof(dsts)))) |
---|
1985 | goto fin; |
---|
1986 | n = snprintf(buf, sizeof(buf), |
---|
1987 | "%s ipsec esp/tunnel/%s[%u]-%s[%u]/require", |
---|
1988 | inOut, srcs, src_port, dsts, dst_port); |
---|
1989 | } |
---|
1990 | else if (type == kmDNSIPv6IPv6Tunnel) |
---|
1991 | { |
---|
1992 | if (0 != (err = v6addr_to_string(src6, srcs6, sizeof(srcs6)))) |
---|
1993 | goto fin; |
---|
1994 | if (0 != (err = v6addr_to_string(dst6, dsts6, sizeof(dsts6)))) |
---|
1995 | goto fin; |
---|
1996 | n = snprintf(buf, sizeof(buf), |
---|
1997 | "%s ipsec esp/tunnel/%s-%s/require", |
---|
1998 | inOut, srcs6, dsts6); |
---|
1999 | } |
---|
2000 | break; |
---|
2001 | case kmDNSTunnelPolicyTeardown: |
---|
2002 | n = strlcpy(buf, inOut, sizeof(buf)); |
---|
2003 | break; |
---|
2004 | case kmDNSTunnelPolicyGenerate: |
---|
2005 | n = snprintf(buf, sizeof(buf), "%s generate", inOut); |
---|
2006 | break; |
---|
2007 | default: |
---|
2008 | err = kHelperErr_IPsecPolicyCreationFailed; |
---|
2009 | goto fin; |
---|
2010 | } |
---|
2011 | |
---|
2012 | if (n >= (int)sizeof(buf)) |
---|
2013 | { |
---|
2014 | err = kHelperErr_ResultTooLarge; |
---|
2015 | goto fin; |
---|
2016 | } |
---|
2017 | |
---|
2018 | os_log_info(log_handle, "policy=\"%s\"", buf); |
---|
2019 | |
---|
2020 | if (NULL == (*policy = (ipsec_policy_t)ipsec_set_policy(buf, n))) |
---|
2021 | { |
---|
2022 | os_log_info(log_handle, "Could not create IPsec policy from \"%s\"", buf); |
---|
2023 | err = kHelperErr_IPsecPolicyCreationFailed; |
---|
2024 | goto fin; |
---|
2025 | } |
---|
2026 | *len = ((ipsec_policy_t)(*policy))->sadb_x_policy_len * 8; |
---|
2027 | |
---|
2028 | fin: |
---|
2029 | return err; |
---|
2030 | } |
---|
2031 | |
---|
2032 | static int sendPolicy(int s, int setup, |
---|
2033 | struct sockaddr *src, uint8_t src_bits, |
---|
2034 | struct sockaddr *dst, uint8_t dst_bits, |
---|
2035 | ipsec_policy_t policy, size_t len) |
---|
2036 | { |
---|
2037 | static unsigned int policySeq = 0; |
---|
2038 | int err = 0; |
---|
2039 | |
---|
2040 | os_log_debug(log_handle, "entry, setup=%d", setup); |
---|
2041 | |
---|
2042 | if (setup) |
---|
2043 | err = pfkey_send_spdadd(s, src, src_bits, dst, dst_bits, -1, |
---|
2044 | (char *)policy, len, policySeq++); |
---|
2045 | else |
---|
2046 | err = pfkey_send_spddelete(s, src, src_bits, dst, dst_bits, -1, |
---|
2047 | (char *)policy, len, policySeq++); |
---|
2048 | |
---|
2049 | if (0 > err) |
---|
2050 | { |
---|
2051 | os_log(log_handle, "Could not set IPsec policy: %s", ipsec_strerror()); |
---|
2052 | err = kHelperErr_IPsecPolicySetFailed; |
---|
2053 | goto fin; |
---|
2054 | } |
---|
2055 | else |
---|
2056 | { |
---|
2057 | err = 0; |
---|
2058 | } |
---|
2059 | |
---|
2060 | os_log_debug(log_handle, "succeeded"); |
---|
2061 | |
---|
2062 | fin: |
---|
2063 | return err; |
---|
2064 | } |
---|
2065 | |
---|
2066 | static int removeSA(int s, struct sockaddr *src, struct sockaddr *dst) |
---|
2067 | { |
---|
2068 | int err = 0; |
---|
2069 | |
---|
2070 | os_log_debug(log_handle, "entry"); |
---|
2071 | |
---|
2072 | err = pfkey_send_delete_all(s, SADB_SATYPE_ESP, IPSEC_MODE_ANY, src, dst); |
---|
2073 | if (0 > err) |
---|
2074 | { |
---|
2075 | os_log(log_handle, "Could not remove IPsec SA: %s", ipsec_strerror()); |
---|
2076 | err = kHelperErr_IPsecRemoveSAFailed; |
---|
2077 | goto fin; |
---|
2078 | } |
---|
2079 | err = pfkey_send_delete_all(s, SADB_SATYPE_ESP, IPSEC_MODE_ANY, dst, src); |
---|
2080 | if (0 > err) |
---|
2081 | { |
---|
2082 | os_log(log_handle, "Could not remove IPsec SA: %s", ipsec_strerror()); |
---|
2083 | err = kHelperErr_IPsecRemoveSAFailed; |
---|
2084 | goto fin; |
---|
2085 | } |
---|
2086 | else |
---|
2087 | err = 0; |
---|
2088 | |
---|
2089 | os_log_debug(log_handle, "succeeded"); |
---|
2090 | |
---|
2091 | fin: |
---|
2092 | return err; |
---|
2093 | } |
---|
2094 | |
---|
2095 | static int doTunnelPolicy(mDNSTunnelPolicyWhich which, mDNSTunnelType type, |
---|
2096 | const v6addr_t loc_inner, uint8_t loc_bits, |
---|
2097 | v4addr_t loc_outer, uint16_t loc_port, |
---|
2098 | const v6addr_t rmt_inner, uint8_t rmt_bits, |
---|
2099 | v4addr_t rmt_outer, uint16_t rmt_port, |
---|
2100 | const v6addr_t loc_outer6, const v6addr_t rmt_outer6) |
---|
2101 | { |
---|
2102 | struct sockaddr_in6 sin6_loc; |
---|
2103 | struct sockaddr_in6 sin6_rmt; |
---|
2104 | ipsec_policy_t policy = NULL; |
---|
2105 | size_t len = 0; |
---|
2106 | int s = -1; |
---|
2107 | int err = 0; |
---|
2108 | |
---|
2109 | os_log_debug(log_handle,"entry"); |
---|
2110 | if (0 > (s = pfkey_open())) |
---|
2111 | { |
---|
2112 | os_log(log_handle, "Could not create IPsec policy socket: %s", ipsec_strerror()); |
---|
2113 | err = kHelperErr_IPsecPolicySocketCreationFailed; |
---|
2114 | goto fin; |
---|
2115 | } |
---|
2116 | |
---|
2117 | memset(&sin6_loc, 0, sizeof(sin6_loc)); |
---|
2118 | sin6_loc.sin6_len = sizeof(sin6_loc); |
---|
2119 | sin6_loc.sin6_family = AF_INET6; |
---|
2120 | sin6_loc.sin6_port = htons(0); |
---|
2121 | memcpy(&sin6_loc.sin6_addr, loc_inner, sizeof(sin6_loc.sin6_addr)); |
---|
2122 | |
---|
2123 | memset(&sin6_rmt, 0, sizeof(sin6_rmt)); |
---|
2124 | sin6_rmt.sin6_len = sizeof(sin6_rmt); |
---|
2125 | sin6_rmt.sin6_family = AF_INET6; |
---|
2126 | sin6_rmt.sin6_port = htons(0); |
---|
2127 | memcpy(&sin6_rmt.sin6_addr, rmt_inner, sizeof(sin6_rmt.sin6_addr)); |
---|
2128 | |
---|
2129 | int setup = which != kmDNSTunnelPolicyTeardown; |
---|
2130 | |
---|
2131 | if (0 != (err = generateTunnelPolicy(which, type, 1, |
---|
2132 | rmt_outer, rmt_port, |
---|
2133 | loc_outer, loc_port, |
---|
2134 | rmt_outer6, loc_outer6, |
---|
2135 | &policy, &len))) |
---|
2136 | goto fin; |
---|
2137 | |
---|
2138 | if (0 != (err = sendPolicy(s, setup, |
---|
2139 | (struct sockaddr *)&sin6_rmt, rmt_bits, |
---|
2140 | (struct sockaddr *)&sin6_loc, loc_bits, |
---|
2141 | policy, len))) |
---|
2142 | goto fin; |
---|
2143 | |
---|
2144 | if (NULL != policy) |
---|
2145 | { |
---|
2146 | free(policy); |
---|
2147 | policy = NULL; |
---|
2148 | } |
---|
2149 | |
---|
2150 | if (0 != (err = generateTunnelPolicy(which, type, 0, |
---|
2151 | loc_outer, loc_port, |
---|
2152 | rmt_outer, rmt_port, |
---|
2153 | loc_outer6, rmt_outer6, |
---|
2154 | &policy, &len))) |
---|
2155 | goto fin; |
---|
2156 | if (0 != (err = sendPolicy(s, setup, |
---|
2157 | (struct sockaddr *)&sin6_loc, loc_bits, |
---|
2158 | (struct sockaddr *)&sin6_rmt, rmt_bits, |
---|
2159 | policy, len))) |
---|
2160 | goto fin; |
---|
2161 | |
---|
2162 | if (which == kmDNSTunnelPolicyTeardown) |
---|
2163 | { |
---|
2164 | if (rmt_port) // Outer tunnel is IPv4 |
---|
2165 | { |
---|
2166 | if (loc_outer && rmt_outer) |
---|
2167 | { |
---|
2168 | struct sockaddr_in sin_loc; |
---|
2169 | struct sockaddr_in sin_rmt; |
---|
2170 | memset(&sin_loc, 0, sizeof(sin_loc)); |
---|
2171 | sin_loc.sin_len = sizeof(sin_loc); |
---|
2172 | sin_loc.sin_family = AF_INET; |
---|
2173 | memcpy(&sin_loc.sin_addr, loc_outer, sizeof(sin_loc.sin_addr)); |
---|
2174 | |
---|
2175 | memset(&sin_rmt, 0, sizeof(sin_rmt)); |
---|
2176 | sin_rmt.sin_len = sizeof(sin_rmt); |
---|
2177 | sin_rmt.sin_family = AF_INET; |
---|
2178 | memcpy(&sin_rmt.sin_addr, rmt_outer, sizeof(sin_rmt.sin_addr)); |
---|
2179 | if (0 != (err = removeSA(s, (struct sockaddr *)&sin_loc, (struct sockaddr *)&sin_rmt))) |
---|
2180 | goto fin; |
---|
2181 | } |
---|
2182 | } |
---|
2183 | else |
---|
2184 | { |
---|
2185 | if (loc_outer6 && rmt_outer6) |
---|
2186 | { |
---|
2187 | struct sockaddr_in6 sin6_lo; |
---|
2188 | struct sockaddr_in6 sin6_rm; |
---|
2189 | |
---|
2190 | memset(&sin6_lo, 0, sizeof(sin6_lo)); |
---|
2191 | sin6_lo.sin6_len = sizeof(sin6_lo); |
---|
2192 | sin6_lo.sin6_family = AF_INET6; |
---|
2193 | memcpy(&sin6_lo.sin6_addr, loc_outer6, sizeof(sin6_lo.sin6_addr)); |
---|
2194 | |
---|
2195 | memset(&sin6_rm, 0, sizeof(sin6_rm)); |
---|
2196 | sin6_rm.sin6_len = sizeof(sin6_rm); |
---|
2197 | sin6_rm.sin6_family = AF_INET6; |
---|
2198 | memcpy(&sin6_rm.sin6_addr, rmt_outer6, sizeof(sin6_rm.sin6_addr)); |
---|
2199 | if (0 != (err = removeSA(s, (struct sockaddr *)&sin6_lo, (struct sockaddr *)&sin6_rm))) |
---|
2200 | goto fin; |
---|
2201 | } |
---|
2202 | } |
---|
2203 | } |
---|
2204 | |
---|
2205 | os_log_debug(log_handle,"succeeded"); |
---|
2206 | |
---|
2207 | fin: |
---|
2208 | if (s >= 0) |
---|
2209 | pfkey_close(s); |
---|
2210 | if (NULL != policy) |
---|
2211 | free(policy); |
---|
2212 | return err; |
---|
2213 | } |
---|
2214 | |
---|
2215 | #endif /* ndef MDNS_NO_IPSEC */ |
---|
2216 | |
---|
2217 | int HelperAutoTunnelSetKeys(int replacedelete, const v6addr_t loc_inner, const v6addr_t loc_outer6, uint16_t loc_port, const v6addr_t rmt_inner, |
---|
2218 | const v6addr_t rmt_outer6, uint16_t rmt_port, const char *id, int *err) |
---|
2219 | { |
---|
2220 | #ifndef MDNS_NO_IPSEC |
---|
2221 | static const char config[] = |
---|
2222 | "%s" |
---|
2223 | "remote %s [%u] {\n" |
---|
2224 | " disconnect_on_idle idle_timeout 600 idle_direction idle_outbound;\n" |
---|
2225 | " exchange_mode aggressive;\n" |
---|
2226 | " doi ipsec_doi;\n" |
---|
2227 | " situation identity_only;\n" |
---|
2228 | " verify_identifier off;\n" |
---|
2229 | " generate_policy on;\n" |
---|
2230 | " my_identifier user_fqdn \"%s\";\n" |
---|
2231 | " shared_secret keychain \"%s\";\n" |
---|
2232 | " nonce_size 16;\n" |
---|
2233 | " lifetime time 15 min;\n" |
---|
2234 | " initial_contact on;\n" |
---|
2235 | " support_proxy on;\n" |
---|
2236 | " nat_traversal force;\n" |
---|
2237 | " proposal_check claim;\n" |
---|
2238 | " proposal {\n" |
---|
2239 | " encryption_algorithm aes;\n" |
---|
2240 | " hash_algorithm sha256;\n" |
---|
2241 | " authentication_method pre_shared_key;\n" |
---|
2242 | " dh_group 2;\n" |
---|
2243 | " lifetime time 15 min;\n" |
---|
2244 | " }\n" |
---|
2245 | " proposal {\n" |
---|
2246 | " encryption_algorithm aes;\n" |
---|
2247 | " hash_algorithm sha1;\n" |
---|
2248 | " authentication_method pre_shared_key;\n" |
---|
2249 | " dh_group 2;\n" |
---|
2250 | " lifetime time 15 min;\n" |
---|
2251 | " }\n" |
---|
2252 | "}\n\n" |
---|
2253 | "sainfo address %s any address %s any {\n" |
---|
2254 | " pfs_group 2;\n" |
---|
2255 | " lifetime time 10 min;\n" |
---|
2256 | " encryption_algorithm aes;\n" |
---|
2257 | " authentication_algorithm hmac_sha256,hmac_sha1;\n" |
---|
2258 | " compression_algorithm deflate;\n" |
---|
2259 | "}\n\n" |
---|
2260 | "sainfo address %s any address %s any {\n" |
---|
2261 | " pfs_group 2;\n" |
---|
2262 | " lifetime time 10 min;\n" |
---|
2263 | " encryption_algorithm aes;\n" |
---|
2264 | " authentication_algorithm hmac_sha256,hmac_sha1;\n" |
---|
2265 | " compression_algorithm deflate;\n" |
---|
2266 | "}\n"; |
---|
2267 | char path[PATH_MAX] = ""; |
---|
2268 | char li[INET6_ADDRSTRLEN], lo[INET_ADDRSTRLEN], lo6[INET6_ADDRSTRLEN], |
---|
2269 | ri[INET6_ADDRSTRLEN], ro[INET_ADDRSTRLEN], ro6[INET6_ADDRSTRLEN]; |
---|
2270 | FILE *fp = NULL; |
---|
2271 | int fd = -1; |
---|
2272 | char tmp_path[PATH_MAX] = ""; |
---|
2273 | v4addr_t loc_outer, rmt_outer; |
---|
2274 | |
---|
2275 | os_log_debug(log_handle,"HelperAutoTunnelSetKeys: entry"); |
---|
2276 | *err = kHelperErr_NoErr; |
---|
2277 | |
---|
2278 | char buf1[INET6_ADDRSTRLEN]; |
---|
2279 | char buf2[INET6_ADDRSTRLEN]; |
---|
2280 | char buf3[INET6_ADDRSTRLEN]; |
---|
2281 | char buf4[INET6_ADDRSTRLEN]; |
---|
2282 | |
---|
2283 | buf1[0] = 0; |
---|
2284 | buf2[0] = 0; |
---|
2285 | buf3[0] = 0; |
---|
2286 | buf4[0] = 0; |
---|
2287 | |
---|
2288 | inet_ntop(AF_INET6, loc_inner, buf1, sizeof(buf1)); |
---|
2289 | inet_ntop(AF_INET6, loc_outer6, buf2, sizeof(buf2)); |
---|
2290 | inet_ntop(AF_INET6, rmt_inner, buf3, sizeof(buf3)); |
---|
2291 | inet_ntop(AF_INET6, rmt_outer6, buf4, sizeof(buf4)); |
---|
2292 | |
---|
2293 | os_log_info(log_handle, "HelperAutoTunnelSetKeys: Parameters are local_inner is %s, local_outer is %s, remote_inner is %s, remote_outer is %s id is %s", |
---|
2294 | buf1, buf2, buf3, buf4, id); |
---|
2295 | |
---|
2296 | switch ((enum mDNSAutoTunnelSetKeysReplaceDelete)replacedelete) |
---|
2297 | { |
---|
2298 | case kmDNSAutoTunnelSetKeysReplace: |
---|
2299 | case kmDNSAutoTunnelSetKeysDelete: |
---|
2300 | break; |
---|
2301 | default: |
---|
2302 | *err = kHelperErr_InvalidTunnelSetKeysOperation; |
---|
2303 | goto fin; |
---|
2304 | } |
---|
2305 | |
---|
2306 | if (0 != (*err = v6addr_to_string(loc_inner, li, sizeof(li)))) |
---|
2307 | goto fin; |
---|
2308 | if (0 != (*err = v6addr_to_string(rmt_inner, ri, sizeof(ri)))) |
---|
2309 | goto fin; |
---|
2310 | |
---|
2311 | os_log_debug(log_handle, "loc_inner=%s rmt_inner=%s", li, ri); |
---|
2312 | |
---|
2313 | if (!rmt_port) |
---|
2314 | { |
---|
2315 | loc_outer[0] = loc_outer[1] = loc_outer[2] = loc_outer[3] = 0; |
---|
2316 | rmt_outer[0] = rmt_outer[1] = rmt_outer[2] = rmt_outer[3] = 0; |
---|
2317 | |
---|
2318 | if (0 != (*err = v6addr_to_string(loc_outer6, lo6, sizeof(lo6)))) |
---|
2319 | goto fin; |
---|
2320 | if (0 != (*err = v6addr_to_string(rmt_outer6, ro6, sizeof(ro6)))) |
---|
2321 | goto fin; |
---|
2322 | |
---|
2323 | os_log_debug(log_handle, "IPv6 outer tunnel: loc_outer6=%s rmt_outer6=%s", lo6, ro6); |
---|
2324 | |
---|
2325 | if ((int)sizeof(path) <= snprintf(path, sizeof(path), "%s%s.conf", GetRacoonConfigDir(), ro6)) |
---|
2326 | { |
---|
2327 | *err = kHelperErr_ResultTooLarge; |
---|
2328 | goto fin; |
---|
2329 | } |
---|
2330 | } |
---|
2331 | else |
---|
2332 | { |
---|
2333 | loc_outer[0] = loc_outer6[0]; |
---|
2334 | loc_outer[1] = loc_outer6[1]; |
---|
2335 | loc_outer[2] = loc_outer6[2]; |
---|
2336 | loc_outer[3] = loc_outer6[3]; |
---|
2337 | |
---|
2338 | rmt_outer[0] = rmt_outer6[0]; |
---|
2339 | rmt_outer[1] = rmt_outer6[1]; |
---|
2340 | rmt_outer[2] = rmt_outer6[2]; |
---|
2341 | rmt_outer[3] = rmt_outer6[3]; |
---|
2342 | |
---|
2343 | if (0 != (*err = v4addr_to_string(loc_outer, lo, sizeof(lo)))) |
---|
2344 | goto fin; |
---|
2345 | if (0 != (*err = v4addr_to_string(rmt_outer, ro, sizeof(ro)))) |
---|
2346 | goto fin; |
---|
2347 | |
---|
2348 | os_log_debug(log_handle, "IPv4 outer tunnel: loc_outer=%s loc_port=%u rmt_outer=%s rmt_port=%u", |
---|
2349 | lo, loc_port, ro, rmt_port); |
---|
2350 | |
---|
2351 | if ((int)sizeof(path) <= snprintf(path, sizeof(path), "%s%s.%u.conf", GetRacoonConfigDir(), ro, rmt_port)) |
---|
2352 | { |
---|
2353 | *err = kHelperErr_ResultTooLarge; |
---|
2354 | goto fin; |
---|
2355 | } |
---|
2356 | } |
---|
2357 | |
---|
2358 | if (kmDNSAutoTunnelSetKeysReplace == replacedelete) |
---|
2359 | { |
---|
2360 | if (0 > ensureExistenceOfRacoonConfigDir(GetRacoonConfigDir())) |
---|
2361 | { |
---|
2362 | *err = kHelperErr_RacoonConfigCreationFailed; |
---|
2363 | goto fin; |
---|
2364 | } |
---|
2365 | if ((int)sizeof(tmp_path) <= |
---|
2366 | snprintf(tmp_path, sizeof(tmp_path), "%s.XXXXXX", path)) |
---|
2367 | { |
---|
2368 | *err = kHelperErr_ResultTooLarge; |
---|
2369 | goto fin; |
---|
2370 | } |
---|
2371 | if (0 > (fd = mkstemp(tmp_path))) |
---|
2372 | { |
---|
2373 | os_log(log_handle, "mkstemp \"%s\" failed: %s", tmp_path, strerror(errno)); |
---|
2374 | *err = kHelperErr_RacoonConfigCreationFailed; |
---|
2375 | goto fin; |
---|
2376 | } |
---|
2377 | if (NULL == (fp = fdopen(fd, "w"))) |
---|
2378 | { |
---|
2379 | os_log(log_handle, "fdopen: %s", strerror(errno)); |
---|
2380 | *err = kHelperErr_RacoonConfigCreationFailed; |
---|
2381 | goto fin; |
---|
2382 | } |
---|
2383 | |
---|
2384 | fd = -1; |
---|
2385 | fprintf(fp, config, configHeader, (!rmt_port ? ro6 : ro), rmt_port, id, id, ri, li, li, ri); |
---|
2386 | fclose(fp); |
---|
2387 | fp = NULL; |
---|
2388 | |
---|
2389 | if (0 > rename(tmp_path, path)) |
---|
2390 | { |
---|
2391 | os_log(log_handle, "rename \"%s\" \"%s\" failed: %s", tmp_path, path, strerror(errno)); |
---|
2392 | *err = kHelperErr_RacoonConfigCreationFailed; |
---|
2393 | goto fin; |
---|
2394 | } |
---|
2395 | } |
---|
2396 | else |
---|
2397 | { |
---|
2398 | if (0 != unlink(path)) |
---|
2399 | os_log_debug(log_handle, "unlink \"%s\" failed: %s", path, strerror(errno)); |
---|
2400 | } |
---|
2401 | |
---|
2402 | if (0 != (*err = doTunnelPolicy(kmDNSTunnelPolicyTeardown, kmDNSNoTunnel, |
---|
2403 | loc_inner, kWholeV6Mask, loc_outer, loc_port, |
---|
2404 | rmt_inner, kWholeV6Mask, rmt_outer, rmt_port, loc_outer6, rmt_outer6))) |
---|
2405 | goto fin; |
---|
2406 | if (kmDNSAutoTunnelSetKeysReplace == replacedelete && |
---|
2407 | 0 != (*err = doTunnelPolicy(kmDNSTunnelPolicySetup, (!rmt_port ? kmDNSIPv6IPv6Tunnel : kmDNSIPv6IPv4Tunnel), |
---|
2408 | loc_inner, kWholeV6Mask, loc_outer, loc_port, |
---|
2409 | rmt_inner, kWholeV6Mask, rmt_outer, rmt_port, loc_outer6, rmt_outer6))) |
---|
2410 | goto fin; |
---|
2411 | |
---|
2412 | if (0 != (*err = teardownTunnelRoute(rmt_inner))) |
---|
2413 | goto fin; |
---|
2414 | |
---|
2415 | if (kmDNSAutoTunnelSetKeysReplace == replacedelete && |
---|
2416 | 0 != (*err = setupTunnelRoute(loc_inner, rmt_inner))) |
---|
2417 | goto fin; |
---|
2418 | |
---|
2419 | if (kmDNSAutoTunnelSetKeysReplace == replacedelete && |
---|
2420 | 0 != (*err = kickRacoon())) |
---|
2421 | goto fin; |
---|
2422 | |
---|
2423 | os_log_debug(log_handle, "succeeded"); |
---|
2424 | |
---|
2425 | fin: |
---|
2426 | if (NULL != fp) |
---|
2427 | fclose(fp); |
---|
2428 | if (0 <= fd) |
---|
2429 | close(fd); |
---|
2430 | unlink(tmp_path); |
---|
2431 | #else |
---|
2432 | (void)replacedelete; (void)loc_inner; (void)loc_outer6; (void)loc_port; (void)rmt_inner; |
---|
2433 | (void)rmt_outer6; (void)rmt_port; (void)id; |
---|
2434 | |
---|
2435 | *err = kHelperErr_IPsecDisabled; |
---|
2436 | #endif /* MDNS_NO_IPSEC */ |
---|
2437 | update_idle_timer(); |
---|
2438 | return KERN_SUCCESS; |
---|
2439 | } |
---|
2440 | |
---|
2441 | |
---|
2442 | |
---|
2443 | |
---|