]> git.ipfire.org Git - people/ms/strongswan.git/blob - src/charon/sa/tasks/ike_natd.c
projects / people / ms / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
removed trailing spaces ([[:space:]]+$)
[people/ms/strongswan.git] / src / charon / sa / tasks / ike_natd.c
1 /*
2 * Copyright (C) 2006-2007 Martin Willi
3 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "ike_natd.h"
18
19 #include <string.h>
20
21 #include <daemon.h>
22 #include <config/peer_cfg.h>
23 #include <crypto/hashers/hasher.h>
24 #include <encoding/payloads/notify_payload.h>
25
26
27 typedef struct private_ike_natd_t private_ike_natd_t;
28
29 /**
30 * Private members of a ike_natd_t task.
31 */
32 struct private_ike_natd_t {
33
34 /**
35 * Public methods and task_t interface.
36 */
37 ike_natd_t public;
38
39 /**
40 * Assigned IKE_SA.
41 */
42 ike_sa_t *ike_sa;
43
44 /**
45 * Are we the initiator?
46 */
47 bool initiator;
48
49 /**
50 * Hasher used to build NAT detection hashes
51 */
52 hasher_t *hasher;
53
54 /**
55 * Did we process any NAT detection notifys for a source address?
56 */
57 bool src_seen;
58
59 /**
60 * Did we process any NAT detection notifys for a destination address?
61 */
62 bool dst_seen;
63
64 /**
65 * Have we found a matching source address NAT hash?
66 */
67 bool src_matched;
68
69 /**
70 * Have we found a matching destination address NAT hash?
71 */
72 bool dst_matched;
73
74 /**
75 * whether NAT mappings for our NATed address has changed
76 */
77 bool mapping_changed;
78 };
79
80
81 /**
82 * Build NAT detection hash for a host
83 */
84 static chunk_t generate_natd_hash(private_ike_natd_t *this,
85 ike_sa_id_t *ike_sa_id, host_t *host)
86 {
87 chunk_t natd_chunk, spi_i_chunk, spi_r_chunk, addr_chunk, port_chunk;
88 chunk_t natd_hash;
89 u_int64_t spi_i, spi_r;
90 u_int16_t port;
91
92 /* prepare all required chunks */
93 spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
94 spi_r = ike_sa_id->get_responder_spi(ike_sa_id);
95 spi_i_chunk.ptr = (void*)&spi_i;
96 spi_i_chunk.len = sizeof(spi_i);
97 spi_r_chunk.ptr = (void*)&spi_r;
98 spi_r_chunk.len = sizeof(spi_r);
99 port = htons(host->get_port(host));
100 port_chunk.ptr = (void*)&port;
101 port_chunk.len = sizeof(port);
102 addr_chunk = host->get_address(host);
103
104 /* natd_hash = SHA1( spi_i | spi_r | address | port ) */
105 natd_chunk = chunk_cat("cccc", spi_i_chunk, spi_r_chunk, addr_chunk, port_chunk);
106 this->hasher->allocate_hash(this->hasher, natd_chunk, &natd_hash);
107 DBG3(DBG_IKE, "natd_chunk %B", &natd_chunk);
108 DBG3(DBG_IKE, "natd_hash %B", &natd_hash);
109
110 chunk_free(&natd_chunk);
111 return natd_hash;
112 }
113
114 /**
115 * build a faked NATD payload to enforce UDP encap
116 */
117 static chunk_t generate_natd_hash_faked(private_ike_natd_t *this)
118 {
119 rng_t *rng;
120 chunk_t chunk;
121
122 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
123 if (!rng)
124 {
125 DBG1(DBG_IKE, "unable to get random bytes for NATD fake");
126 return chunk_empty;
127 }
128 rng->allocate_bytes(rng, HASH_SIZE_SHA1, &chunk);
129 rng->destroy(rng);
130 return chunk;
131 }
132
133 /**
134 * Build a NAT detection notify payload.
135 */
136 static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
137 notify_type_t type, host_t *host)
138 {
139 chunk_t hash;
140 notify_payload_t *notify;
141 ike_sa_id_t *ike_sa_id;
142 ike_cfg_t *config;
143
144 ike_sa_id = this->ike_sa->get_id(this->ike_sa);
145 config = this->ike_sa->get_ike_cfg(this->ike_sa);
146 if (config->force_encap(config) && type == NAT_DETECTION_SOURCE_IP)
147 {
148 hash = generate_natd_hash_faked(this);
149 }
150 else
151 {
152 hash = generate_natd_hash(this, ike_sa_id, host);
153 }
154 notify = notify_payload_create();
155 notify->set_notify_type(notify, type);
156 notify->set_notification_data(notify, hash);
157 chunk_free(&hash);
158
159 return notify;
160 }
161
162 /**
163 * read notifys from message and evaluate them
164 */
165 static void process_payloads(private_ike_natd_t *this, message_t *message)
166 {
167 enumerator_t *enumerator;
168 payload_t *payload;
169 notify_payload_t *notify;
170 chunk_t hash, src_hash, dst_hash;
171 ike_sa_id_t *ike_sa_id;
172 host_t *me, *other;
173 ike_cfg_t *config;
174
175 /* Precompute NAT-D hashes for incoming NAT notify comparison */
176 ike_sa_id = message->get_ike_sa_id(message);
177 me = message->get_destination(message);
178 other = message->get_source(message);
179 dst_hash = generate_natd_hash(this, ike_sa_id, me);
180 src_hash = generate_natd_hash(this, ike_sa_id, other);
181
182 DBG3(DBG_IKE, "precalculated src_hash %B", &src_hash);
183 DBG3(DBG_IKE, "precalculated dst_hash %B", &dst_hash);
184
185 enumerator = message->create_payload_enumerator(message);
186 while (enumerator->enumerate(enumerator, &payload))
187 {
188 if (payload->get_type(payload) != NOTIFY)
189 {
190 continue;
191 }
192 notify = (notify_payload_t*)payload;
193 switch (notify->get_notify_type(notify))
194 {
195 case NAT_DETECTION_DESTINATION_IP:
196 {
197 this->dst_seen = TRUE;
198 hash = notify->get_notification_data(notify);
199 if (!this->dst_matched)
200 {
201 DBG3(DBG_IKE, "received dst_hash %B", &hash);
202 if (chunk_equals(hash, dst_hash))
203 {
204 this->dst_matched = TRUE;
205 }
206 }
207 /* RFC4555 says we should also compare against IKE_SA_INIT
208 * NATD payloads, but this does not work: We are running
209 * there at port 500, but use 4500 afterwards... */
210 if (message->get_exchange_type(message) == INFORMATIONAL &&
211 this->initiator && !this->dst_matched)
212 {
213 this->mapping_changed = this->ike_sa->has_mapping_changed(
214 this->ike_sa, hash);
215 }
216 break;
217 }
218 case NAT_DETECTION_SOURCE_IP:
219 {
220 this->src_seen = TRUE;
221 if (!this->src_matched)
222 {
223 hash = notify->get_notification_data(notify);
224 DBG3(DBG_IKE, "received src_hash %B", &hash);
225 if (chunk_equals(hash, src_hash))
226 {
227 this->src_matched = TRUE;
228 }
229 }
230 break;
231 }
232 default:
233 break;
234 }
235 }
236 enumerator->destroy(enumerator);
237
238 chunk_free(&src_hash);
239 chunk_free(&dst_hash);
240
241 if (this->src_seen && this->dst_seen)
242 {
243 this->ike_sa->enable_extension(this->ike_sa, EXT_NATT);
244
245 this->ike_sa->set_condition(this->ike_sa, COND_NAT_HERE,
246 !this->dst_matched);
247 this->ike_sa->set_condition(this->ike_sa, COND_NAT_THERE,
248 !this->src_matched);
249 config = this->ike_sa->get_ike_cfg(this->ike_sa);
250 if (this->dst_matched && this->src_matched &&
251 config->force_encap(config))
252 {
253 this->ike_sa->set_condition(this->ike_sa, COND_NAT_FAKE, TRUE);
254 }
255 }
256 }
257
258 /**
259 * Implementation of task_t.process for initiator
260 */
261 static status_t process_i(private_ike_natd_t *this, message_t *message)
262 {
263 process_payloads(this, message);
264
265 if (message->get_exchange_type(message) == IKE_SA_INIT)
266 {
267 peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
268
269 #ifdef ME
270 /* if we are on a mediated connection we have already switched to
271 * port 4500 and the correct destination port is already configured,
272 * therefore we must not switch again */
273 if (peer_cfg->get_mediated_by(peer_cfg))
274 {
275 return SUCCESS;
276 }
277 #endif /* ME */
278
279 if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) ||
280 #ifdef ME
281 /* if we are on a mediation connection we switch to port 4500 even
282 * if no NAT is detected. */
283 peer_cfg->is_mediation(peer_cfg) ||
284 #endif /* ME */
285 /* if peer supports NAT-T, we switch to port 4500 even
286 * if no NAT is detected. MOBIKE requires this. */
287 (peer_cfg->use_mobike(peer_cfg) &&
288 this->ike_sa->supports_extension(this->ike_sa, EXT_NATT)))
289 {
290 host_t *me, *other;
291
292 /* do not switch if we have a custom port from mobike/NAT */
293 me = this->ike_sa->get_my_host(this->ike_sa);
294 if (me->get_port(me) == IKEV2_UDP_PORT)
295 {
296 me->set_port(me, IKEV2_NATT_PORT);
297 }
298 other = this->ike_sa->get_other_host(this->ike_sa);
299 if (other->get_port(other) == IKEV2_UDP_PORT)
300 {
301 other->set_port(other, IKEV2_NATT_PORT);
302 }
303 }
304 }
305
306 return SUCCESS;
307 }
308
309 /**
310 * Implementation of task_t.process for initiator
311 */
312 static status_t build_i(private_ike_natd_t *this, message_t *message)
313 {
314 notify_payload_t *notify;
315 enumerator_t *enumerator;
316 host_t *host;
317
318 if (this->hasher == NULL)
319 {
320 DBG1(DBG_IKE, "unable to build NATD payloads, SHA1 not supported");
321 return NEED_MORE;
322 }
323
324 /* destination is always set */
325 host = message->get_destination(message);
326 notify = build_natd_payload(this, NAT_DETECTION_DESTINATION_IP, host);
327 message->add_payload(message, (payload_t*)notify);
328
329 /* source may be any, we have 3 possibilities to get our source address:
330 * 1. It is defined in the config => use the one of the IKE_SA
331 * 2. We do a routing lookup in the kernel interface
332 * 3. Include all possbile addresses
333 */
334 host = message->get_source(message);
335 if (!host->is_anyaddr(host))
336 { /* 1. */
337 notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
338 message->add_payload(message, (payload_t*)notify);
339 }
340 else
341 {
342 host = charon->kernel_interface->get_source_addr(charon->kernel_interface,
343 this->ike_sa->get_other_host(this->ike_sa), NULL);
344 if (host)
345 { /* 2. */
346 host->set_port(host, IKEV2_UDP_PORT);
347 notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
348 message->add_payload(message, (payload_t*)notify);
349 host->destroy(host);
350 }
351 else
352 { /* 3. */
353 enumerator = charon->kernel_interface->create_address_enumerator(
354 charon->kernel_interface, FALSE, FALSE);
355 while (enumerator->enumerate(enumerator, (void**)&host))
356 {
357 /* apply port 500 to host, but work on a copy */
358 host = host->clone(host);
359 host->set_port(host, IKEV2_UDP_PORT);
360 notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
361 host->destroy(host);
362 message->add_payload(message, (payload_t*)notify);
363 }
364 enumerator->destroy(enumerator);
365 }
366 }
367 return NEED_MORE;
368 }
369
370 /**
371 * Implementation of task_t.build for responder
372 */
373 static status_t build_r(private_ike_natd_t *this, message_t *message)
374 {
375 notify_payload_t *notify;
376 host_t *me, *other;
377
378 /* only add notifies on successfull responses. */
379 if (message->get_exchange_type(message) == IKE_SA_INIT &&
380 message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
381 {
382 return SUCCESS;
383 }
384
385 if (this->src_seen && this->dst_seen)
386 {
387 if (this->hasher == NULL)
388 {
389 DBG1(DBG_IKE, "unable to build NATD payloads, SHA1 not supported");
390 return SUCCESS;
391 }
392
393 /* initiator seems to support NAT detection, add response */
394 me = message->get_source(message);
395 notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, me);
396 message->add_payload(message, (payload_t*)notify);
397
398 other = message->get_destination(message);
399 notify = build_natd_payload(this, NAT_DETECTION_DESTINATION_IP, other);
400 message->add_payload(message, (payload_t*)notify);
401 }
402 return SUCCESS;
403 }
404
405 /**
406 * Implementation of task_t.process for responder
407 */
408 static status_t process_r(private_ike_natd_t *this, message_t *message)
409 {
410 process_payloads(this, message);
411
412 return NEED_MORE;
413 }
414
415 /**
416 * Implementation of task_t.get_type
417 */
418 static task_type_t get_type(private_ike_natd_t *this)
419 {
420 return IKE_NATD;
421 }
422
423 /**
424 * Implementation of task_t.migrate
425 */
426 static void migrate(private_ike_natd_t *this, ike_sa_t *ike_sa)
427 {
428 this->ike_sa = ike_sa;
429 this->src_seen = FALSE;
430 this->dst_seen = FALSE;
431 this->src_matched = FALSE;
432 this->dst_matched = FALSE;
433 this->mapping_changed = FALSE;
434 }
435
436 /**
437 * Implementation of ike_natd_t.has_mapping_changed
438 */
439 static bool has_mapping_changed(private_ike_natd_t *this)
440 {
441 return this->mapping_changed;
442 }
443
444 /**
445 * Implementation of task_t.destroy
446 */
447 static void destroy(private_ike_natd_t *this)
448 {
449 DESTROY_IF(this->hasher);
450 free(this);
451 }
452
453 /*
454 * Described in header.
455 */
456 ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator)
457 {
458 private_ike_natd_t *this = malloc_thing(private_ike_natd_t);
459
460 this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
461 this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
462 this->public.task.destroy = (void(*)(task_t*))destroy;
463
464 if (initiator)
465 {
466 this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
467 this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
468 }
469 else
470 {
471 this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
472 this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
473 }
474
475 this->public.has_mapping_changed = (bool(*)(ike_natd_t*))has_mapping_changed;
476
477 this->ike_sa = ike_sa;
478 this->initiator = initiator;
479 this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
480 this->src_seen = FALSE;
481 this->dst_seen = FALSE;
482 this->src_matched = FALSE;
483 this->dst_matched = FALSE;
484 this->mapping_changed = FALSE;
485
486 return &this->public;
487 }
Michael's strongswan development tree