1 /*
2 * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
3 * Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. Neither the name of the project nor the names of its contributors
15 * may be used to endorse or promote products derived from this software
16 * without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * SUCH DAMAGE.
29 */
30
31 #include <config.h>
32
33 #include <sys/types.h>
34 #include <sys/param.h>
35
36 #include <netinet/in.h>
37 #ifdef __linux__
38 #include <linux/udp.h>
39 #endif
40 #if defined(__NetBSD__) || defined (__FreeBSD__)
41 #include <netinet/udp.h>
42 #endif
43
44 #include <stdlib.h>
45 #include <stdio.h>
46 #include <string.h>
47 #include <errno.h>
48
49 #include "racoon.h"
50
51 #include "var.h"
52 /* #include "misc.h" */
53 /* #include "vmbuf.h" */
54 #include "plog.h"
55 #include "debug.h"
56
57 /* #include "localconf.h" */
58 #include "remoteconf.h"
59 #include "sockmisc.h"
60 #include "isakmp.h"
61 #include "isakmp_var.h"
62 #include "isakmp_impl.h"
63 #include "ikev1_impl.h"
64 #include "oakley.h"
65 #include "ipsec_doi.h"
66 #include "vendorid.h"
67 #include "handler.h"
68 #include "crypto_impl.h"
69 #include "ikev1_natt.h"
70 /* #include "grabmyaddr.h" */
71
72 #include "ike_conf.h"
73
/*
 * Interval handed to sched_new() between NAT-T keepalive rounds;
 * natt_keepalive_init() does not schedule anything when it is <= 0.
 */
int ikev1_natt_ka_interval = IKEV1_DEFAULT_NATK_INTERVAL;

/* One (src, dst) address pair that receives periodic NAT-T keepalives. */
struct natt_ka_addrs {
	struct sockaddr *src;	/* local address, copy made with rcs_sadup() */
	struct sockaddr *dst;	/* peer address, copy made with rcs_sadup() */
	unsigned in_use;	/* number of registrations sharing this pair;
				 * the entry is freed when it drops to 0 */

	TAILQ_ENTRY(natt_ka_addrs) chain;
};

/* All keepalive targets; walked by natt_keepalive_send() on each timer tick. */
static TAILQ_HEAD(_natt_ka_addrs, natt_ka_addrs) ka_tree;
85
/*
 * Return non-zero when the numeric vendor ID `vid' is one of the NAT-T
 * vendor IDs this build understands.  The RFC 3947 ID is always recognised;
 * each draft ID only when its ENABLE_NATT_xx macro is defined.
 */
int
natt_vendorid(int vid)
{
	switch (vid) {
#ifdef ENABLE_NATT_00
	case VENDORID_NATT_00:
#endif
#ifdef ENABLE_NATT_01
	case VENDORID_NATT_01:
#endif
#ifdef ENABLE_NATT_02
	case VENDORID_NATT_02:
	case VENDORID_NATT_02_N:
#endif
#ifdef ENABLE_NATT_03
	case VENDORID_NATT_03:
#endif
#ifdef ENABLE_NATT_04
	case VENDORID_NATT_04:
#endif
#ifdef ENABLE_NATT_05
	case VENDORID_NATT_05:
#endif
#ifdef ENABLE_NATT_06
	case VENDORID_NATT_06:
#endif
#ifdef ENABLE_NATT_07
	case VENDORID_NATT_07:
#endif
#ifdef ENABLE_NATT_08
	case VENDORID_NATT_08:
#endif
	case VENDORID_NATT_RFC:	/* always enabled together with ENABLE_NATT */
		return 1;
	default:
		return 0;
	}
}
125
/*
 * Compute the NAT-D hash for `addr' with the phase 1 negotiated hash
 * algorithm.  The hash input is CKY-I | CKY-R | address | port (the port is
 * copied as the 2 raw bytes of sin_port/sin6_port).  With nat_traversal set
 * to NATT_FORCE the address bytes are replaced by zeroes.
 * Returns a newly allocated vchar the caller releases with rc_vfree(), or
 * NULL on an unsupported address family or allocation failure.
 */
rc_vchar_t *
ikev1_natt_hash_addr(struct ph1handle *iph1, struct sockaddr *addr)
{
	rc_vchar_t *input, *hash;
	const void *ip_bytes, *port_bytes;
	size_t ip_len, input_len;
	char *p;
	int forced = (ikev1_nat_traversal(iph1->rmconf) == NATT_FORCE);

	plog(PLOG_INFO, PLOGLOC, 0, "Hashing %s with algo #%d %s\n",
	    rcs_sa2str(addr), iph1->approval->hashtype,
	    forced ? "(NAT-T forced)" : "");

	switch (addr->sa_family) {
	case AF_INET: {
		struct sockaddr_in *sin = (struct sockaddr_in *)addr;

		ip_len = sizeof(sin->sin_addr);
		ip_bytes = &sin->sin_addr;
		port_bytes = &sin->sin_port;
		break;
	}
	case AF_INET6: {
		struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)addr;

		ip_len = sizeof(sin6->sin6_addr);
		ip_bytes = &sin6->sin6_addr;
		port_bytes = &sin6->sin6_port;
		break;
	}
	default:
		plog(PLOG_INTERR, PLOGLOC, 0,
		    "Unsupported address family #0x%x\n", addr->sa_family);
		return NULL;
	}

	/* CKY-I + CKY-R + address + 2-byte port */
	input_len = 2 * sizeof(isakmp_cookie_t) + ip_len + 2;
	input = rc_vmalloc(input_len);
	if (input == NULL)
		return NULL;

	p = input->v;

	memcpy(p, iph1->index.i_ck, sizeof(isakmp_cookie_t));	/* CKY-I */
	p += sizeof(isakmp_cookie_t);

	memcpy(p, iph1->index.r_ck, sizeof(isakmp_cookie_t));	/* CKY-R */
	p += sizeof(isakmp_cookie_t);

	/* Address, or zeroes when NAT-T is forced so the hash never matches. */
	if (forced)
		memset(p, 0, ip_len);
	else
		memcpy(p, ip_bytes, ip_len);
	p += ip_len;

	memcpy(p, port_bytes, 2);	/* port, as stored in the sockaddr */

	hash = oakley_hash(input, iph1);
	rc_vfree(input);

	return hash;
}
186
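/*
 * Compare a received NAT-D payload against the hash of our own address
 * (natd_seq == 0) or of the peer's address (natd_seq != 0).
 * On a match the matching NAT_DETECTED_ME / NAT_DETECTED_PEER bit is cleared
 * in iph1->natt_flags and 1 is returned; otherwise 0.  With nat_traversal set
 * to NATT_FORCE nothing is compared and 0 is returned.
 */
int
ikev1_natt_compare_addr_hash(struct ph1handle *iph1, rc_vchar_t *natd_received,
			     int natd_seq)
{
	rc_vchar_t *natd_computed;
	uint32_t flag;
	int verified = 0;

	if (ikev1_nat_traversal(iph1->rmconf) == NATT_FORCE)
		return verified;

	if (natd_seq == 0) {
		natd_computed = ikev1_natt_hash_addr(iph1, iph1->local);
		flag = NAT_DETECTED_ME;
	} else {
		natd_computed = ikev1_natt_hash_addr(iph1, iph1->remote);
		flag = NAT_DETECTED_PEER;
	}

	/*
	 * ikev1_natt_hash_addr() returns NULL on an unsupported address
	 * family or allocation failure.  Report "not verified" (the NAT flag
	 * stays set) instead of dereferencing NULL below.
	 */
	if (natd_computed == NULL) {
		plog(PLOG_INTERR, PLOGLOC, NULL,
		    "NAT-D: can't compute local hash for comparison\n");
		return verified;
	}

	if (natd_received != NULL &&
	    natd_received->l == natd_computed->l &&
	    memcmp(natd_received->v, natd_computed->v, natd_received->l) == 0) {
		iph1->natt_flags &= ~flag;
		verified = 1;
	}

	rc_vfree(natd_computed);

	return verified;
}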
216
/*
 * Return non-zero when `encmode' is one of the UDP-encapsulated ESP modes
 * (tunnel or transport, RFC or draft numbering).
 */
int
ikev1_natt_udp_encap(int encmode)
{
	switch (encmode) {
	case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC:
	case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC:
	case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT:
	case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT:
		return 1;
	default:
		return 0;
	}
}
225
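/*
 * Fill `opts' with the NAT-T dialect selected by the vendor ID `version':
 * the port to float to (0 = no port floating), the NAT-D / NAT-OA payload
 * type numbers, the UDP encapsulation mode attribute values and the
 * UDP_ENCAP value (encaps_type).  mode_udp_diff is the distance between the
 * dialect's UDP-tunnel mode and plain tunnel mode.
 * Returns 0 on success, -1 when `opts' is NULL or `version' is not a
 * supported NAT-T vendor ID; on -1 `opts' is left untouched.
 */
static int
natt_fill_options(struct ph1natt_options *opts, int version)
{
	uint16_t port_isakmp_natt = PORT_ISAKMP_NATT;

	if (!opts)
		return -1;

	switch (version) {
	case VENDORID_NATT_00:
	case VENDORID_NATT_01:
		opts->float_port = 0;	/* No port floating for those drafts */
		opts->payload_nat_d = ISAKMP_NPTYPE_NATD_DRAFT;
		opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_DRAFT;
		opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT;
		opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT;
		opts->encaps_type = UDP_ENCAP_ESPINUDP_NON_IKE;
		break;

	case VENDORID_NATT_02:
	case VENDORID_NATT_02_N:
	case VENDORID_NATT_03:
		opts->float_port = port_isakmp_natt;
		opts->payload_nat_d = ISAKMP_NPTYPE_NATD_DRAFT;
		opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_DRAFT;
		opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT;
		opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT;
		opts->encaps_type = UDP_ENCAP_ESPINUDP;
		break;

	case VENDORID_NATT_04:
	case VENDORID_NATT_05:
	case VENDORID_NATT_06:
	case VENDORID_NATT_07:
	case VENDORID_NATT_08:
		/* Draft payload numbers, RFC encapsulation mode values. */
		opts->float_port = port_isakmp_natt;
		opts->payload_nat_d = ISAKMP_NPTYPE_NATD_BADDRAFT;
		opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_BADDRAFT;
		opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC;
		opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC;
		opts->encaps_type = UDP_ENCAP_ESPINUDP;
		break;

	case VENDORID_NATT_RFC:
		opts->float_port = port_isakmp_natt;
		opts->payload_nat_d = ISAKMP_NPTYPE_NATD_RFC;
		opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_RFC;
		opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC;
		opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC;
		opts->encaps_type = UDP_ENCAP_ESPINUDP;
		break;

	default:
		plog(PLOG_INTERR, PLOGLOC, NULL,
		    "unsupported NAT-T version: %s\n",
		    vid_string_by_id(version));
		return -1;
	}

	/*
	 * Record the version only once it has been recognised, so an
	 * unsupported ID never leaves opts->version disagreeing with the
	 * other fields (which would still hold the previous dialect).
	 */
	opts->version = version;
	opts->mode_udp_diff =
	    opts->mode_udp_tunnel - IPSECDOI_ATTR_ENC_MODE_TUNNEL;

	return 0;
}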
292
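/*
 * Once NAT has been detected, move both ends of the phase 1 exchange to the
 * float port of the negotiated NAT-T dialect and queue keepalives.  Drafts
 * 00/01 have float_port == 0 (no port floating); only the keepalive is
 * queued for them.
 */
void
ikev1_natt_float_ports(struct ph1handle *iph1)
{
	/*
	 * NAT_DETECTED is a flag mask, so this must be a bitwise test (as in
	 * natt_keepalive_add_ph1()).  A logical `&&' here is true for any
	 * non-zero natt_flags and would float the ports without NAT having
	 * been detected.
	 */
	if (!(iph1->natt_flags & NAT_DETECTED))
		return;

	if (!iph1->natt_options->float_port) {
		/* Drafts 00 / 01, just schedule keepalive */
		natt_keepalive_add_ph1(iph1);
		return;
	}

	set_port(iph1->local, iph1->natt_options->float_port);
	set_port(iph1->remote, iph1->natt_options->float_port);
	iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;

	natt_keepalive_add_ph1(iph1);
}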
310
/*
 * Record a NAT-T vendor ID received from the peer.  natt_options is
 * allocated on first use; a VID only replaces the stored one when it is
 * numerically higher, and a successful natt_fill_options() sets
 * NAT_ANNOUNCED.  Allocation failure is logged and otherwise ignored.
 */
void
ikev1_natt_handle_vendorid(struct ph1handle *iph1, int vid_numeric)
{
	struct ph1natt_options *opts = iph1->natt_options;

	if (opts == NULL) {
		opts = racoon_calloc(1, sizeof(*opts));
		iph1->natt_options = opts;
		if (opts == NULL) {
			plog(PLOG_INTERR, PLOGLOC, NULL,
			    "Allocating memory for natt_options failed!\n");
			return;
		}
	}

	if (opts->version >= vid_numeric)
		return;

	if (natt_fill_options(opts, vid_numeric) == 0)
		iph1->natt_flags |= NAT_ANNOUNCED;
}
328
329 /* NAT keepalive functions */
/*
 * Timer callback: send the one-byte keepalive (0xff) for every entry of
 * ka_tree from its source to its destination, then re-arm the timer with
 * ikev1_natt_ka_interval.  Entries whose source address has no local socket
 * any more (getsockmyaddr() == -1) are dropped from the list.
 */
static void
natt_keepalive_send(void *param)
{
	struct natt_ka_addrs *entry = TAILQ_FIRST(&ka_tree);
	char ka_payload[] = { 0xff };

	while (entry != NULL) {
		/* fetch the successor first: the entry may be freed below */
		struct natt_ka_addrs *following = TAILQ_NEXT(entry, chain);
		int sock = getsockmyaddr(entry->src);

		if (sock == -1) {
			TAILQ_REMOVE(&ka_tree, entry, chain);
			/*
			 * NOTE(review): entry->src / entry->dst were made with
			 * rcs_sadup() and are not released here -- confirm
			 * whether this leaks them.
			 */
			racoon_free(entry);
		} else {
			plog(PLOG_DEBUG, PLOGLOC, NULL, "KA: %s->%s\n",
			    rcs_sa2str(entry->src), rcs_sa2str(entry->dst));
			if (sendfromto(sock, ka_payload, sizeof(ka_payload),
			    entry->src, entry->dst, 1) == -1)
				plog(PLOG_INTERR, PLOGLOC, NULL,
				    "KA: sendfromto failed: %s\n",
				    strerror(errno));
		}

		entry = following;
	}

	sched_new(ikev1_natt_ka_interval, natt_keepalive_send, NULL);
}
358
/*
 * Initialise the keepalive list and arm the first keepalive timer.
 * An ikev1_natt_ka_interval of 0 (or less) disables keepalives entirely.
 */
void
natt_keepalive_init(void)
{
	TAILQ_INIT(&ka_tree);

	if (ikev1_natt_ka_interval <= 0)
		return;

	sched_new(ikev1_natt_ka_interval, natt_keepalive_send, NULL);
}
368
/* Find the ka_tree entry for the (src, dst) pair, or NULL when absent. */
static struct natt_ka_addrs *
natt_ka_lookup(struct sockaddr *src, struct sockaddr *dst)
{
	struct natt_ka_addrs *entry;

	TAILQ_FOREACH(entry, &ka_tree, chain) {
		if (rcs_cmpsa(entry->src, src) == 0 &&
		    rcs_cmpsa(entry->dst, dst) == 0)
			return entry;
	}
	return NULL;
}

/*
 * Register the (src, dst) pair for keepalives.  An existing entry just gets
 * its reference count bumped; otherwise a new entry holding copies of both
 * addresses is appended to ka_tree.
 * Returns 0 on success, -1 when the entry cannot be allocated.
 */
int
natt_keepalive_add(struct sockaddr *src, struct sockaddr *dst)
{
	struct natt_ka_addrs *entry = natt_ka_lookup(src, dst);

	if (entry != NULL) {
		entry->in_use++;
		plog(PLOG_INFO, PLOGLOC, NULL,
		    "KA found: %s->%s (in_use=%u)\n", rcs_sa2str(src),
		    rcs_sa2str(dst), entry->in_use);
		return 0;
	}

	plog(PLOG_INFO, PLOGLOC, NULL, "KA list add: %s->%s\n",
	    rcs_sa2str(src), rcs_sa2str(dst));

	entry = racoon_malloc(sizeof(*entry));
	if (entry == NULL) {
		plog(PLOG_INTERR, PLOGLOC, NULL,
		    "Can't allocate new KA list item\n");
		return -1;
	}

	/*
	 * NOTE(review): the rcs_sadup() results are not checked for NULL;
	 * a failed copy would be dereferenced later by rcs_cmpsa() /
	 * sendfromto() -- confirm rcs_sadup()'s failure behaviour.
	 */
	entry->src = rcs_sadup(src);
	entry->dst = rcs_sadup(dst);
	entry->in_use = 1;
	TAILQ_INSERT_TAIL(&ka_tree, entry, chain);

	return 0;
}
402
/*
 * Queue keepalives for the phase 1 handle's local/remote pair once NAT has
 * been detected, at most once per handle (NAT_KA_QUEUED).
 * Returns 0 when nothing needed doing or the pair was registered, otherwise
 * the natt_keepalive_add() error.
 */
int
natt_keepalive_add_ph1(struct ph1handle *iph1)
{
	int rc;

	/* Should only the NATed host send keepalives?
	 * If yes, add '(iph1->natt_flags & NAT_DETECTED_ME)'
	 * to the following conditions. */
	if (!(iph1->natt_flags & NAT_DETECTED))
		return 0;
	if (iph1->natt_flags & NAT_KA_QUEUED)
		return 0;

	rc = natt_keepalive_add(iph1->local, iph1->remote);
	if (rc == 0)
		iph1->natt_flags |= NAT_KA_QUEUED;

	return rc;
}
420
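/*
 * Drop one reference to the (src, dst) keepalive pair; the entry is unlinked
 * from ka_tree and freed once its reference count reaches zero.  The whole
 * list is walked even after a match in case the pair was inserted twice.
 */
void
natt_keepalive_remove(struct sockaddr *src, struct sockaddr *dst)
{
	struct natt_ka_addrs *ka, *next = NULL;

	plog(PLOG_INFO, PLOGLOC, NULL, "KA remove: %s->%s\n",
	    rcs_sa2str(src), rcs_sa2str(dst));

	for (ka = TAILQ_FIRST(&ka_tree); ka; ka = next) {
		next = TAILQ_NEXT(ka, chain);

		/* Dump the entry being visited, not the pair being searched. */
		plog(PLOG_DEBUG, PLOGLOC, NULL,
		    "KA tree dump: %s->%s (in_use=%u)\n", rcs_sa2str(ka->src),
		    rcs_sa2str(ka->dst), ka->in_use);

		if (rcs_cmpsa(ka->src, src) != 0 ||
		    rcs_cmpsa(ka->dst, dst) != 0)
			continue;

		/* in_use is unsigned, so "<= 0" after the decrement is "== 0". */
		if (--ka->in_use == 0) {
			plog(PLOG_DEBUG, PLOGLOC, NULL,
			    "KA removing this one...\n");

			TAILQ_REMOVE(&ka_tree, ka, chain);
			/*
			 * NOTE(review): ka->src / ka->dst were made with
			 * rcs_sadup() and are not released here -- confirm
			 * whether this leaks them.
			 */
			racoon_free(ka);
		}
	}
}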
450
451 #ifdef notyet
/* foreachrmconf() callback: the section itself unless NAT-T is off for it. */
static struct remoteconf *
natt_enabled_in_rmconf_stub(struct remoteconf *rmconf, void *data)
{
	if (ikev1_nat_traversal(rmconf) == NATT_OFF)
		return NULL;
	return rmconf;
}
457
/* Non-zero when at least one remote section has NAT-T enabled. */
int
natt_enabled_in_rmconf()
{
	struct remoteconf *found;

	found = foreachrmconf(natt_enabled_in_rmconf_stub, NULL);
	return found != NULL ? 1 : 0;
}
463 #endif
464
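/*
 * NAT-T vendor IDs announced to the peer, in announcement order: the RFC
 * 3947 ID first and the oldest drafts last, as some implementations pick the
 * first NAT-T VID they are given.  Draft IDs are present only when compiled
 * in.
 */
static const int natt_announce_vids[] = {
	VENDORID_NATT_RFC,	/* always announced together with ENABLE_NATT */
#ifdef ENABLE_NATT_08
	VENDORID_NATT_08,
#endif
#ifdef ENABLE_NATT_07
	VENDORID_NATT_07,
#endif
#ifdef ENABLE_NATT_06
	VENDORID_NATT_06,
#endif
#ifdef ENABLE_NATT_05
	VENDORID_NATT_05,
#endif
#ifdef ENABLE_NATT_04
	VENDORID_NATT_04,
#endif
#ifdef ENABLE_NATT_03
	VENDORID_NATT_03,
#endif
#ifdef ENABLE_NATT_02
	VENDORID_NATT_02,
	VENDORID_NATT_02_N,
#endif
#ifdef ENABLE_NATT_01
	VENDORID_NATT_01,
#endif
#ifdef ENABLE_NATT_00
	VENDORID_NATT_00,
#endif
};

/*
 * Append a VID payload for every supported NAT-T vendor ID to `plist'.
 * `vid_natt' (MAX_NATT_VID_COUNT slots) is cleared and then filled with the
 * vchars returned by set_vendorid(); ownership of those stays with the
 * caller.  Returns the extended list, or NULL when `vid_natt' is NULL.
 */
struct payload_list *
isakmp_plist_append_natt_vids(struct payload_list *plist,
			      rc_vchar_t *vid_natt[MAX_NATT_VID_COUNT])
{
	const int nvids = (int)(sizeof(natt_announce_vids) /
	    sizeof(natt_announce_vids[0]));
	int i, count = 0;

	if (vid_natt == NULL)
		return NULL;

	for (i = 0; i < MAX_NATT_VID_COUNT; i++)
		vid_natt[i] = NULL;

	for (i = 0; i < nvids; i++) {
		/* never write past the caller's array, whatever is compiled in */
		if (count >= MAX_NATT_VID_COUNT) {
			plog(PLOG_INTERR, PLOGLOC, NULL,
			    "too many NAT-T VIDs for vid_natt (max %d)\n",
			    (int)MAX_NATT_VID_COUNT);
			break;
		}
		/* a failed set_vendorid() leaves the slot NULL for the next ID */
		vid_natt[count] = set_vendorid(natt_announce_vids[i]);
		if (vid_natt[count] != NULL)
			count++;
	}

	/* set VID payload for NAT-T */
	for (i = 0; i < count; i++)
		plist = isakmp_plist_append(plist, vid_natt[i],
		    ISAKMP_NPTYPE_VID);

	return plist;
}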