1/* $NetBSD: nattraversal.c,v 1.6.6.2 2009/05/18 17:01:07 tteras Exp $ */ 2 3/* 4 * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany. 5 * Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33#include "config.h" 34 35#include <sys/types.h> 36#include <sys/param.h> 37 38#ifdef __linux__ 39#include <linux/udp.h> 40#endif 41#if defined(__NetBSD__) || defined (__FreeBSD__) 42#include <netinet/udp.h> 43#endif 44 45#include <stdlib.h> 46#include <stdio.h> 47#include <string.h> 48#include <errno.h> 49#include <ctype.h> 50 51#include "var.h" 52#include "misc.h" 53#include "vmbuf.h" 54#include "plog.h" 55#include "debug.h" 56 57#include "localconf.h" 58#include "remoteconf.h" 59#include "sockmisc.h" 60#include "isakmp_var.h" 61#include "isakmp.h" 62#include "oakley.h" 63#include "ipsec_doi.h" 64#include "vendorid.h" 65#include "handler.h" 66#include "crypto_openssl.h" 67#include "schedule.h" 68#include "nattraversal.h" 69#include "grabmyaddr.h" 70 71struct natt_ka_addrs { 72 struct sockaddr *src; 73 struct sockaddr *dst; 74 unsigned in_use; 75 76 TAILQ_ENTRY(natt_ka_addrs) chain; 77}; 78 79static TAILQ_HEAD(_natt_ka_addrs, natt_ka_addrs) ka_tree; 80 81/* 82 * check if the given vid is NAT-T. 83 */ 84int 85natt_vendorid (int vid) 86{ 87 return ( 88#ifdef ENABLE_NATT_00 89 vid == VENDORID_NATT_00 || 90#endif 91#ifdef ENABLE_NATT_01 92 vid == VENDORID_NATT_01 || 93#endif 94#ifdef ENABLE_NATT_02 95 vid == VENDORID_NATT_02 || 96 vid == VENDORID_NATT_02_N || 97#endif 98#ifdef ENABLE_NATT_03 99 vid == VENDORID_NATT_03 || 100#endif 101#ifdef ENABLE_NATT_04 102 vid == VENDORID_NATT_04 || 103#endif 104#ifdef ENABLE_NATT_05 105 vid == VENDORID_NATT_05 || 106#endif 107#ifdef ENABLE_NATT_06 108 vid == VENDORID_NATT_06 || 109#endif 110#ifdef ENABLE_NATT_07 111 vid == VENDORID_NATT_07 || 112#endif 113#ifdef ENABLE_NATT_08 114 vid == VENDORID_NATT_08 || 115#endif 116 /* Always enable NATT RFC if ENABLE_NATT 117 */ 118 vid == VENDORID_NATT_RFC); 119} 120 121vchar_t * 122natt_hash_addr (struct ph1handle *iph1, struct sockaddr *addr) 123{ 124 vchar_t *natd; 125 vchar_t *buf; 126 char *ptr; 127 void *addr_ptr, *addr_port; 128 size_t buf_size, addr_size; 129 130 plog (LLV_INFO, LOCATION, addr, "Hashing %s with algo #%d %s\n", 131 saddr2str(addr), iph1->approval->hashtype, 132 (iph1->rmconf->nat_traversal == NATT_FORCE)?"(NAT-T forced)":""); 133 134 if (addr->sa_family == AF_INET) { 135 addr_size = sizeof (struct in_addr); /* IPv4 address */ 136 addr_ptr = &((struct sockaddr_in *)addr)->sin_addr; 137 addr_port = &((struct sockaddr_in *)addr)->sin_port; 138 } 139 else if (addr->sa_family == AF_INET6) { 140 addr_size = sizeof (struct in6_addr); /* IPv6 address */ 141 addr_ptr = &((struct sockaddr_in6 *)addr)->sin6_addr; 142 addr_port = &((struct sockaddr_in6 *)addr)->sin6_port; 143 } 144 else { 145 plog (LLV_ERROR, LOCATION, addr, "Unsupported address family #0x%x\n", addr->sa_family); 146 return NULL; 147 } 148 149 buf_size = 2 * sizeof (cookie_t); /* CKY-I + CKY+R */ 150 buf_size += addr_size + 2; /* Address + Port */ 151 152 if ((buf = vmalloc (buf_size)) == NULL) 153 return NULL; 154 155 ptr = buf->v; 156 157 /* Copy-in CKY-I */ 158 memcpy (ptr, iph1->index.i_ck, sizeof (cookie_t)); 159 ptr += sizeof (cookie_t); 160 161 /* Copy-in CKY-I */ 162 memcpy (ptr, iph1->index.r_ck, sizeof (cookie_t)); 163 ptr += sizeof (cookie_t); 164 165 /* Copy-in Address (or zeroes if NATT_FORCE) */ 166 if (iph1->rmconf->nat_traversal == NATT_FORCE) 167 memset (ptr, 0, addr_size); 168 else 169 memcpy (ptr, addr_ptr, addr_size); 170 ptr += addr_size; 171 172 /* Copy-in Port number */ 173 memcpy (ptr, addr_port, 2); 174 175 natd = oakley_hash (buf, iph1); 176 vfree(buf); 177 178 return natd; 179} 180 181int 182natt_compare_addr_hash (struct ph1handle *iph1, vchar_t *natd_received, 183 int natd_seq) 184{ 185 vchar_t *natd_computed; 186 u_int32_t flag; 187 int verified = 0; 188 189 if (iph1->rmconf->nat_traversal == NATT_FORCE) 190 return verified; 191 192 if (natd_seq == 0) { 193 natd_computed = natt_hash_addr (iph1, iph1->local); 194 flag = NAT_DETECTED_ME; 195 } 196 else { 197 natd_computed = natt_hash_addr (iph1, iph1->remote); 198 flag = NAT_DETECTED_PEER; 199 } 200 201 if (natd_computed == NULL) { 202 plog(LLV_ERROR, LOCATION, NULL, "natd_computed allocation failed\n"); 203 return verified; /* XXX should abort */ 204 } 205 206 if (natd_received->l == natd_computed->l && 207 memcmp (natd_received->v, natd_computed->v, natd_received->l) == 0) { 208 iph1->natt_flags &= ~flag; 209 verified = 1; 210 } 211 212 vfree (natd_computed); 213 214 return verified; 215} 216 217int 218natt_udp_encap (int encmode) 219{ 220 return (encmode == IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC || 221 encmode == IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC || 222 encmode == IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT || 223 encmode == IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT); 224} 225 226int 227natt_fill_options (struct ph1natt_options *opts, int version) 228{ 229 if (! opts) 230 return -1; 231 232 opts->version = version; 233 234 switch (version) { 235 case VENDORID_NATT_00: 236 case VENDORID_NATT_01: 237 opts->float_port = 0; /* No port floating for those drafts */ 238 opts->payload_nat_d = ISAKMP_NPTYPE_NATD_DRAFT; 239 opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_DRAFT; 240 opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT; 241 opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT; 242 opts->encaps_type = UDP_ENCAP_ESPINUDP_NON_IKE; 243 break; 244 245 case VENDORID_NATT_02: 246 case VENDORID_NATT_02_N: 247 case VENDORID_NATT_03: 248 opts->float_port = lcconf->port_isakmp_natt; 249 opts->payload_nat_d = ISAKMP_NPTYPE_NATD_DRAFT; 250 opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_DRAFT; 251 opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT; 252 opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT; 253 opts->encaps_type = UDP_ENCAP_ESPINUDP; 254 break; 255 case VENDORID_NATT_04: 256 case VENDORID_NATT_05: 257 case VENDORID_NATT_06: 258 case VENDORID_NATT_07: 259 case VENDORID_NATT_08: 260 opts->float_port = lcconf->port_isakmp_natt; 261 opts->payload_nat_d = ISAKMP_NPTYPE_NATD_BADDRAFT; 262 opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_BADDRAFT; 263 opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC; 264 opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC; 265 opts->encaps_type = UDP_ENCAP_ESPINUDP; 266 break; 267 case VENDORID_NATT_RFC: 268 opts->float_port = lcconf->port_isakmp_natt; 269 opts->payload_nat_d = ISAKMP_NPTYPE_NATD_RFC; 270 opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_RFC; 271 opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC; 272 opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC; 273 opts->encaps_type = UDP_ENCAP_ESPINUDP; 274 break; 275 default: 276 plog(LLV_ERROR, LOCATION, NULL, 277 "unsupported NAT-T version: %s\n", 278 vid_string_by_id(version)); 279 return -1; 280 } 281 282 opts->mode_udp_diff = opts->mode_udp_tunnel - IPSECDOI_ATTR_ENC_MODE_TUNNEL; 283 284 return 0; 285} 286 287void 288natt_float_ports (struct ph1handle *iph1) 289{ 290 if (! (iph1->natt_flags & NAT_DETECTED) ) 291 return; 292 if (! iph1->natt_options->float_port){ 293 /* Drafts 00 / 01, just schedule keepalive */ 294 natt_keepalive_add_ph1 (iph1); 295 return; 296 } 297 298 set_port (iph1->local, iph1->natt_options->float_port); 299 set_port (iph1->remote, iph1->natt_options->float_port); 300 iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER; 301 302 natt_keepalive_add_ph1 (iph1); 303} 304 305void 306natt_handle_vendorid (struct ph1handle *iph1, int vid_numeric) 307{ 308 if (! iph1->natt_options) 309 iph1->natt_options = racoon_calloc (1, sizeof (*iph1->natt_options)); 310 311 if (! iph1->natt_options) { 312 plog (LLV_ERROR, LOCATION, NULL, 313 "Allocating memory for natt_options failed!\n"); 314 return; 315 } 316 317 if (iph1->natt_options->version < vid_numeric) 318 if (natt_fill_options (iph1->natt_options, vid_numeric) == 0) 319 iph1->natt_flags |= NAT_ANNOUNCED; 320} 321 322static void 323natt_keepalive_delete (struct natt_ka_addrs *ka) 324{ 325 TAILQ_REMOVE (&ka_tree, ka, chain); 326 racoon_free (ka->src); 327 racoon_free (ka->dst); 328 racoon_free (ka); 329} 330 331/* NAT keepalive functions */ 332static void 333natt_keepalive_send (void *param) 334{ 335 struct natt_ka_addrs *ka, *next = NULL; 336 char keepalive_packet[] = { 0xff }; 337 size_t len; 338 int s; 339 340 for (ka = TAILQ_FIRST(&ka_tree); ka; ka = next) { 341 next = TAILQ_NEXT(ka, chain); 342 343 s = getsockmyaddr(ka->src); 344 if (s == -1) { 345 natt_keepalive_delete(ka); 346 continue; 347 } 348 plog (LLV_DEBUG, LOCATION, NULL, "KA: %s\n", 349 saddr2str_fromto("%s->%s", ka->src, ka->dst)); 350 len = sendfromto(s, keepalive_packet, sizeof (keepalive_packet), 351 ka->src, ka->dst, 1); 352 if (len == -1) 353 plog(LLV_ERROR, LOCATION, NULL, "KA: sendfromto failed: %s\n", 354 strerror (errno)); 355 } 356 357 sched_new (lcconf->natt_ka_interval, natt_keepalive_send, NULL); 358} 359 360void 361natt_keepalive_init (void) 362{ 363 TAILQ_INIT(&ka_tree); 364 365 /* To disable sending KAs set natt_ka_interval=0 */ 366 if (lcconf->natt_ka_interval > 0) 367 sched_new (lcconf->natt_ka_interval, natt_keepalive_send, NULL); 368} 369 370int 371natt_keepalive_add (struct sockaddr *src, struct sockaddr *dst) 372{ 373 struct natt_ka_addrs *ka = NULL, *new_addr; 374 375 TAILQ_FOREACH (ka, &ka_tree, chain) { 376 if (cmpsaddrstrict(ka->src, src) == 0 && 377 cmpsaddrstrict(ka->dst, dst) == 0) { 378 ka->in_use++; 379 plog (LLV_INFO, LOCATION, NULL, "KA found: %s (in_use=%u)\n", 380 saddr2str_fromto("%s->%s", src, dst), ka->in_use); 381 return 0; 382 } 383 } 384 385 plog (LLV_INFO, LOCATION, NULL, "KA list add: %s\n", saddr2str_fromto("%s->%s", src, dst)); 386 387 new_addr = (struct natt_ka_addrs *)racoon_malloc(sizeof(*new_addr)); 388 if (! new_addr) { 389 plog (LLV_ERROR, LOCATION, NULL, "Can't allocate new KA list item\n"); 390 return -1; 391 } 392 393 if ((new_addr->src = dupsaddr(src)) == NULL) { 394 racoon_free(new_addr); 395 plog (LLV_ERROR, LOCATION, NULL, "Can't allocate new KA list item\n"); 396 return -1; 397 } 398 if ((new_addr->dst = dupsaddr(dst)) == NULL) { 399 racoon_free(new_addr); 400 plog (LLV_ERROR, LOCATION, NULL, "Can't allocate new KA list item\n"); 401 return -1; 402 } 403 new_addr->in_use = 1; 404 TAILQ_INSERT_TAIL(&ka_tree, new_addr, chain); 405 406 return 0; 407} 408 409int 410natt_keepalive_add_ph1 (struct ph1handle *iph1) 411{ 412 int ret = 0; 413 414 /* Should only the NATed host send keepalives? 415 If yes, add '(iph1->natt_flags & NAT_DETECTED_ME)' 416 to the following condition. */ 417 if (iph1->natt_flags & NAT_DETECTED && 418 ! (iph1->natt_flags & NAT_KA_QUEUED)) { 419 ret = natt_keepalive_add (iph1->local, iph1->remote); 420 if (ret == 0) 421 iph1->natt_flags |= NAT_KA_QUEUED; 422 } 423 424 return ret; 425} 426 427void 428natt_keepalive_remove (struct sockaddr *src, struct sockaddr *dst) 429{ 430 struct natt_ka_addrs *ka, *next = NULL; 431 432 plog (LLV_INFO, LOCATION, NULL, "KA remove: %s\n", saddr2str_fromto("%s->%s", src, dst)); 433 434 for (ka = TAILQ_FIRST(&ka_tree); ka; ka = next) { 435 next = TAILQ_NEXT(ka, chain); 436 437 plog (LLV_DEBUG, LOCATION, NULL, "KA tree dump: %s (in_use=%u)\n", 438 saddr2str_fromto("%s->%s", src, dst), ka->in_use); 439 440 if (cmpsaddrstrict(ka->src, src) == 0 && 441 cmpsaddrstrict(ka->dst, dst) == 0 && 442 -- ka->in_use <= 0) { 443 444 plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n"); 445 446 natt_keepalive_delete (ka); 447 /* Should we break here? Every pair of addresses should 448 be inserted only once, but who knows :-) Lets traverse 449 the whole list... */ 450 } 451 } 452} 453 454static struct remoteconf * 455natt_enabled_in_rmconf_stub (struct remoteconf *rmconf, void *data) 456{ 457 return (rmconf->nat_traversal ? rmconf : NULL); 458} 459 460int 461natt_enabled_in_rmconf () 462{ 463 return foreachrmconf (natt_enabled_in_rmconf_stub, NULL) != NULL; 464} 465 466 467struct payload_list * 468isakmp_plist_append_natt_vids (struct payload_list *plist, vchar_t *vid_natt[MAX_NATT_VID_COUNT]){ 469 int i, vid_natt_i = 0; 470 471 if(vid_natt == NULL) 472 return NULL; 473 474 for (i = 0; i < MAX_NATT_VID_COUNT; i++) 475 vid_natt[i]=NULL; 476 477 /* Puts the olders VIDs last, as some implementations may choose the first 478 * NATT VID given 479 */ 480 481 /* Always set RFC VID 482 */ 483 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_RFC)) != NULL) 484 vid_natt_i++; 485#ifdef ENABLE_NATT_08 486 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_08)) != NULL) 487 vid_natt_i++; 488#endif 489#ifdef ENABLE_NATT_07 490 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_07)) != NULL) 491 vid_natt_i++; 492#endif 493#ifdef ENABLE_NATT_06 494 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_06)) != NULL) 495 vid_natt_i++; 496#endif 497#ifdef ENABLE_NATT_05 498 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_05)) != NULL) 499 vid_natt_i++; 500#endif 501#ifdef ENABLE_NATT_04 502 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_04)) != NULL) 503 vid_natt_i++; 504#endif 505#ifdef ENABLE_NATT_03 506 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_03)) != NULL) 507 vid_natt_i++; 508#endif 509#ifdef ENABLE_NATT_02 510 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02)) != NULL) 511 vid_natt_i++; 512 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02_N)) != NULL) 513 vid_natt_i++; 514#endif 515#ifdef ENABLE_NATT_01 516 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_01)) != NULL) 517 vid_natt_i++; 518#endif 519#ifdef ENABLE_NATT_00 520 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_00)) != NULL) 521 vid_natt_i++; 522#endif 523 /* set VID payload for NAT-T */ 524 for (i = 0; i < vid_natt_i; i++) 525 plist = isakmp_plist_append(plist, vid_natt[i], ISAKMP_NPTYPE_VID); 526 527 return plist; 528} 529