1/*	$NetBSD: nattraversal.c,v 1.6.6.2 2009/05/18 17:01:07 tteras Exp $	*/
2
3/*
4 * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
5 * Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 *    notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 *    notice, this list of conditions and the following disclaimer in the
15 *    documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 *    may be used to endorse or promote products derived from this software
18 *    without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33#include "config.h"
34
35#include <sys/types.h>
36#include <sys/param.h>
37
38#ifdef __linux__
39#include <linux/udp.h>
40#endif
41#if defined(__NetBSD__) || defined (__FreeBSD__)
42#include <netinet/udp.h>
43#endif
44
45#include <stdlib.h>
46#include <stdio.h>
47#include <string.h>
48#include <errno.h>
49#include <ctype.h>
50
51#include "var.h"
52#include "misc.h"
53#include "vmbuf.h"
54#include "plog.h"
55#include "debug.h"
56
57#include "localconf.h"
58#include "remoteconf.h"
59#include "sockmisc.h"
60#include "isakmp_var.h"
61#include "isakmp.h"
62#include "oakley.h"
63#include "ipsec_doi.h"
64#include "vendorid.h"
65#include "handler.h"
66#include "crypto_openssl.h"
67#include "schedule.h"
68#include "nattraversal.h"
69#include "grabmyaddr.h"
70
71struct natt_ka_addrs {
72  struct sockaddr	*src;
73  struct sockaddr	*dst;
74  unsigned		in_use;
75
76  TAILQ_ENTRY(natt_ka_addrs) chain;
77};
78
79static TAILQ_HEAD(_natt_ka_addrs, natt_ka_addrs) ka_tree;
80
81/*
82 * check if the given vid is NAT-T.
83 */
84int
85natt_vendorid (int vid)
86{
87  return (
88#ifdef ENABLE_NATT_00
89	  vid == VENDORID_NATT_00 ||
90#endif
91#ifdef ENABLE_NATT_01
92	  vid == VENDORID_NATT_01 ||
93#endif
94#ifdef ENABLE_NATT_02
95	  vid == VENDORID_NATT_02 ||
96	  vid == VENDORID_NATT_02_N ||
97#endif
98#ifdef ENABLE_NATT_03
99	  vid == VENDORID_NATT_03 ||
100#endif
101#ifdef ENABLE_NATT_04
102	  vid == VENDORID_NATT_04 ||
103#endif
104#ifdef ENABLE_NATT_05
105	  vid == VENDORID_NATT_05 ||
106#endif
107#ifdef ENABLE_NATT_06
108	  vid == VENDORID_NATT_06 ||
109#endif
110#ifdef ENABLE_NATT_07
111	  vid == VENDORID_NATT_07 ||
112#endif
113#ifdef ENABLE_NATT_08
114	  vid == VENDORID_NATT_08 ||
115#endif
116	  /* Always enable NATT RFC if ENABLE_NATT
117	   */
118	  vid == VENDORID_NATT_RFC);
119}
120
121vchar_t *
122natt_hash_addr (struct ph1handle *iph1, struct sockaddr *addr)
123{
124  vchar_t *natd;
125  vchar_t *buf;
126  char *ptr;
127  void *addr_ptr, *addr_port;
128  size_t buf_size, addr_size;
129
130  plog (LLV_INFO, LOCATION, addr, "Hashing %s with algo #%d %s\n",
131	saddr2str(addr), iph1->approval->hashtype,
132	(iph1->rmconf->nat_traversal == NATT_FORCE)?"(NAT-T forced)":"");
133
134  if (addr->sa_family == AF_INET) {
135    addr_size = sizeof (struct in_addr);	/* IPv4 address */
136    addr_ptr = &((struct sockaddr_in *)addr)->sin_addr;
137    addr_port = &((struct sockaddr_in *)addr)->sin_port;
138  }
139  else if (addr->sa_family == AF_INET6) {
140    addr_size = sizeof (struct in6_addr);	/* IPv6 address */
141    addr_ptr = &((struct sockaddr_in6 *)addr)->sin6_addr;
142    addr_port = &((struct sockaddr_in6 *)addr)->sin6_port;
143  }
144  else {
145    plog (LLV_ERROR, LOCATION, addr, "Unsupported address family #0x%x\n", addr->sa_family);
146    return NULL;
147  }
148
149  buf_size = 2 * sizeof (cookie_t);	/* CKY-I + CKY+R */
150  buf_size += addr_size + 2;	/* Address + Port */
151
152  if ((buf = vmalloc (buf_size)) == NULL)
153    return NULL;
154
155  ptr = buf->v;
156
157  /* Copy-in CKY-I */
158  memcpy (ptr, iph1->index.i_ck, sizeof (cookie_t));
159  ptr += sizeof (cookie_t);
160
161  /* Copy-in CKY-I */
162  memcpy (ptr, iph1->index.r_ck, sizeof (cookie_t));
163  ptr += sizeof (cookie_t);
164
165  /* Copy-in Address (or zeroes if NATT_FORCE) */
166  if (iph1->rmconf->nat_traversal == NATT_FORCE)
167    memset (ptr, 0, addr_size);
168  else
169    memcpy (ptr, addr_ptr, addr_size);
170  ptr += addr_size;
171
172  /* Copy-in Port number */
173  memcpy (ptr, addr_port, 2);
174
175  natd = oakley_hash (buf, iph1);
176  vfree(buf);
177
178  return natd;
179}
180
181int
182natt_compare_addr_hash (struct ph1handle *iph1, vchar_t *natd_received,
183			int natd_seq)
184{
185  vchar_t *natd_computed;
186  u_int32_t flag;
187  int verified = 0;
188
189  if (iph1->rmconf->nat_traversal == NATT_FORCE)
190    return verified;
191
192  if (natd_seq == 0) {
193    natd_computed = natt_hash_addr (iph1, iph1->local);
194    flag = NAT_DETECTED_ME;
195  }
196  else {
197    natd_computed = natt_hash_addr (iph1, iph1->remote);
198    flag = NAT_DETECTED_PEER;
199  }
200
201  if (natd_computed == NULL) {
202	plog(LLV_ERROR, LOCATION, NULL, "natd_computed allocation failed\n");
203	return verified; /* XXX should abort */
204  }
205
206  if (natd_received->l == natd_computed->l &&
207      memcmp (natd_received->v, natd_computed->v, natd_received->l) == 0) {
208    iph1->natt_flags &= ~flag;
209    verified = 1;
210  }
211
212  vfree (natd_computed);
213
214  return verified;
215}
216
217int
218natt_udp_encap (int encmode)
219{
220  return (encmode == IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC ||
221	  encmode == IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC ||
222	  encmode == IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT ||
223	  encmode == IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT);
224}
225
226int
227natt_fill_options (struct ph1natt_options *opts, int version)
228{
229  if (! opts)
230    return -1;
231
232  opts->version = version;
233
234  switch (version) {
235    case VENDORID_NATT_00:
236    case VENDORID_NATT_01:
237      opts->float_port = 0; /* No port floating for those drafts */
238      opts->payload_nat_d = ISAKMP_NPTYPE_NATD_DRAFT;
239      opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_DRAFT;
240      opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT;
241      opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT;
242      opts->encaps_type = UDP_ENCAP_ESPINUDP_NON_IKE;
243		break;
244
245    case VENDORID_NATT_02:
246    case VENDORID_NATT_02_N:
247    case VENDORID_NATT_03:
248      opts->float_port = lcconf->port_isakmp_natt;
249      opts->payload_nat_d = ISAKMP_NPTYPE_NATD_DRAFT;
250      opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_DRAFT;
251      opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT;
252      opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT;
253      opts->encaps_type = UDP_ENCAP_ESPINUDP;
254      break;
255    case VENDORID_NATT_04:
256    case VENDORID_NATT_05:
257    case VENDORID_NATT_06:
258    case VENDORID_NATT_07:
259    case VENDORID_NATT_08:
260      opts->float_port = lcconf->port_isakmp_natt;
261      opts->payload_nat_d = ISAKMP_NPTYPE_NATD_BADDRAFT;
262      opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_BADDRAFT;
263      opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC;
264      opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC;
265      opts->encaps_type = UDP_ENCAP_ESPINUDP;
266      break;
267    case VENDORID_NATT_RFC:
268      opts->float_port = lcconf->port_isakmp_natt;
269      opts->payload_nat_d = ISAKMP_NPTYPE_NATD_RFC;
270      opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_RFC;
271      opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC;
272      opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC;
273      opts->encaps_type = UDP_ENCAP_ESPINUDP;
274	  break;
275    default:
276      plog(LLV_ERROR, LOCATION, NULL,
277	   "unsupported NAT-T version: %s\n",
278	   vid_string_by_id(version));
279      return -1;
280  }
281
282  opts->mode_udp_diff = opts->mode_udp_tunnel - IPSECDOI_ATTR_ENC_MODE_TUNNEL;
283
284  return 0;
285}
286
287void
288natt_float_ports (struct ph1handle *iph1)
289{
290	if (! (iph1->natt_flags & NAT_DETECTED) )
291		return;
292	if (! iph1->natt_options->float_port){
293		/* Drafts 00 / 01, just schedule keepalive */
294		natt_keepalive_add_ph1 (iph1);
295		return;
296	}
297
298	set_port (iph1->local, iph1->natt_options->float_port);
299	set_port (iph1->remote, iph1->natt_options->float_port);
300	iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
301
302	natt_keepalive_add_ph1 (iph1);
303}
304
305void
306natt_handle_vendorid (struct ph1handle *iph1, int vid_numeric)
307{
308  if (! iph1->natt_options)
309    iph1->natt_options = racoon_calloc (1, sizeof (*iph1->natt_options));
310
311  if (! iph1->natt_options) {
312    plog (LLV_ERROR, LOCATION, NULL,
313	  "Allocating memory for natt_options failed!\n");
314    return;
315  }
316
317  if (iph1->natt_options->version < vid_numeric)
318    if (natt_fill_options (iph1->natt_options, vid_numeric) == 0)
319      iph1->natt_flags |= NAT_ANNOUNCED;
320}
321
322static void
323natt_keepalive_delete (struct natt_ka_addrs *ka)
324{
325  TAILQ_REMOVE (&ka_tree, ka, chain);
326  racoon_free (ka->src);
327  racoon_free (ka->dst);
328  racoon_free (ka);
329}
330
331/* NAT keepalive functions */
332static void
333natt_keepalive_send (void *param)
334{
335  struct natt_ka_addrs	*ka, *next = NULL;
336  char keepalive_packet[] = { 0xff };
337  size_t len;
338  int s;
339
340  for (ka = TAILQ_FIRST(&ka_tree); ka; ka = next) {
341    next = TAILQ_NEXT(ka, chain);
342
343    s = getsockmyaddr(ka->src);
344    if (s == -1) {
345      natt_keepalive_delete(ka);
346      continue;
347    }
348    plog (LLV_DEBUG, LOCATION, NULL, "KA: %s\n",
349	  saddr2str_fromto("%s->%s", ka->src, ka->dst));
350    len = sendfromto(s, keepalive_packet, sizeof (keepalive_packet),
351		     ka->src, ka->dst, 1);
352    if (len == -1)
353      plog(LLV_ERROR, LOCATION, NULL, "KA: sendfromto failed: %s\n",
354	   strerror (errno));
355  }
356
357  sched_new (lcconf->natt_ka_interval, natt_keepalive_send, NULL);
358}
359
360void
361natt_keepalive_init (void)
362{
363  TAILQ_INIT(&ka_tree);
364
365  /* To disable sending KAs set natt_ka_interval=0 */
366  if (lcconf->natt_ka_interval > 0)
367    sched_new (lcconf->natt_ka_interval, natt_keepalive_send, NULL);
368}
369
370int
371natt_keepalive_add (struct sockaddr *src, struct sockaddr *dst)
372{
373  struct natt_ka_addrs *ka = NULL, *new_addr;
374
375  TAILQ_FOREACH (ka, &ka_tree, chain) {
376    if (cmpsaddrstrict(ka->src, src) == 0 &&
377	cmpsaddrstrict(ka->dst, dst) == 0) {
378      ka->in_use++;
379      plog (LLV_INFO, LOCATION, NULL, "KA found: %s (in_use=%u)\n",
380	    saddr2str_fromto("%s->%s", src, dst), ka->in_use);
381      return 0;
382    }
383  }
384
385  plog (LLV_INFO, LOCATION, NULL, "KA list add: %s\n", saddr2str_fromto("%s->%s", src, dst));
386
387  new_addr = (struct natt_ka_addrs *)racoon_malloc(sizeof(*new_addr));
388  if (! new_addr) {
389    plog (LLV_ERROR, LOCATION, NULL, "Can't allocate new KA list item\n");
390    return -1;
391  }
392
393  if ((new_addr->src = dupsaddr(src)) == NULL) {
394	racoon_free(new_addr);
395    	plog (LLV_ERROR, LOCATION, NULL, "Can't allocate new KA list item\n");
396	return -1;
397  }
398  if ((new_addr->dst = dupsaddr(dst)) == NULL) {
399	racoon_free(new_addr);
400    	plog (LLV_ERROR, LOCATION, NULL, "Can't allocate new KA list item\n");
401	return -1;
402  }
403  new_addr->in_use = 1;
404  TAILQ_INSERT_TAIL(&ka_tree, new_addr, chain);
405
406  return 0;
407}
408
409int
410natt_keepalive_add_ph1 (struct ph1handle *iph1)
411{
412  int ret = 0;
413
414  /* Should only the NATed host send keepalives?
415     If yes, add '(iph1->natt_flags & NAT_DETECTED_ME)'
416     to the following condition. */
417  if (iph1->natt_flags & NAT_DETECTED &&
418      ! (iph1->natt_flags & NAT_KA_QUEUED)) {
419    ret = natt_keepalive_add (iph1->local, iph1->remote);
420    if (ret == 0)
421      iph1->natt_flags |= NAT_KA_QUEUED;
422  }
423
424  return ret;
425}
426
427void
428natt_keepalive_remove (struct sockaddr *src, struct sockaddr *dst)
429{
430  struct natt_ka_addrs *ka, *next = NULL;
431
432  plog (LLV_INFO, LOCATION, NULL, "KA remove: %s\n", saddr2str_fromto("%s->%s", src, dst));
433
434  for (ka = TAILQ_FIRST(&ka_tree); ka; ka = next) {
435    next = TAILQ_NEXT(ka, chain);
436
437    plog (LLV_DEBUG, LOCATION, NULL, "KA tree dump: %s (in_use=%u)\n",
438	  saddr2str_fromto("%s->%s", src, dst), ka->in_use);
439
440    if (cmpsaddrstrict(ka->src, src) == 0 &&
441	cmpsaddrstrict(ka->dst, dst) == 0 &&
442	-- ka->in_use <= 0) {
443
444      plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
445
446      natt_keepalive_delete (ka);
447      /* Should we break here? Every pair of addresses should
448         be inserted only once, but who knows :-) Lets traverse
449	 the whole list... */
450    }
451  }
452}
453
454static struct remoteconf *
455natt_enabled_in_rmconf_stub (struct remoteconf *rmconf, void *data)
456{
457  return (rmconf->nat_traversal ? rmconf : NULL);
458}
459
460int
461natt_enabled_in_rmconf ()
462{
463  return foreachrmconf (natt_enabled_in_rmconf_stub, NULL) != NULL;
464}
465
466
467struct payload_list *
468isakmp_plist_append_natt_vids (struct payload_list *plist, vchar_t *vid_natt[MAX_NATT_VID_COUNT]){
469	int i, vid_natt_i = 0;
470
471	if(vid_natt == NULL)
472		return NULL;
473
474	for (i = 0; i < MAX_NATT_VID_COUNT; i++)
475		vid_natt[i]=NULL;
476
477	/* Puts the olders VIDs last, as some implementations may choose the first
478	 * NATT VID given
479	 */
480
481	/* Always set RFC VID
482	 */
483	if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_RFC)) != NULL)
484		vid_natt_i++;
485#ifdef ENABLE_NATT_08
486	if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_08)) != NULL)
487		vid_natt_i++;
488#endif
489#ifdef ENABLE_NATT_07
490	if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_07)) != NULL)
491		vid_natt_i++;
492#endif
493#ifdef ENABLE_NATT_06
494	if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_06)) != NULL)
495		vid_natt_i++;
496#endif
497#ifdef ENABLE_NATT_05
498	if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_05)) != NULL)
499		vid_natt_i++;
500#endif
501#ifdef ENABLE_NATT_04
502	if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_04)) != NULL)
503		vid_natt_i++;
504#endif
505#ifdef ENABLE_NATT_03
506	if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_03)) != NULL)
507		vid_natt_i++;
508#endif
509#ifdef ENABLE_NATT_02
510	if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02)) != NULL)
511		vid_natt_i++;
512	if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02_N)) != NULL)
513		vid_natt_i++;
514#endif
515#ifdef ENABLE_NATT_01
516	if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_01)) != NULL)
517		vid_natt_i++;
518#endif
519#ifdef ENABLE_NATT_00
520	if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_00)) != NULL)
521		vid_natt_i++;
522#endif
523	/* set VID payload for NAT-T */
524	for (i = 0; i < vid_natt_i; i++)
525		plist = isakmp_plist_append(plist, vid_natt[i], ISAKMP_NPTYPE_VID);
526
527	return plist;
528}
529