]> git.ipfire.org Git - thirdparty/strongswan.git/blob - src/libcharon/sa/ikev1/tasks/isakmp_natd.c
projects / thirdparty / strongswan.git / blob
? search:


b8af6f67bf5377d02c1bec0046666eff09e1c675
[thirdparty/strongswan.git] / src / libcharon / sa / ikev1 / tasks / isakmp_natd.c
1 /*
2 * Copyright (C) 2006-2011 Tobias Brunner,
3 * Copyright (C) 2006-2007 Martin Willi
4 * Copyright (C) 2006 Daniel Roethlisberger
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 /*
19 * Copyright (C) 2012 Volker RĂ¼melin
20 *
21 * Permission is hereby granted, free of charge, to any person obtaining a copy
22 * of this software and associated documentation files (the "Software"), to deal
23 * in the Software without restriction, including without limitation the rights
24 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
25 * copies of the Software, and to permit persons to whom the Software is
26 * furnished to do so, subject to the following conditions:
27 *
28 * The above copyright notice and this permission notice shall be included in
29 * all copies or substantial portions of the Software.
30 *
31 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
32 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
33 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
34 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
35 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
36 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
37 * THE SOFTWARE.
38 */
39
40 #include "isakmp_natd.h"
41
42 #include <string.h>
43
44 #include <hydra.h>
45 #include <daemon.h>
46 #include <sa/ikev1/keymat_v1.h>
47 #include <config/peer_cfg.h>
48 #include <crypto/hashers/hasher.h>
49 #include <encoding/payloads/hash_payload.h>
50
51 typedef struct private_isakmp_natd_t private_isakmp_natd_t;
52
53 /**
54 * Private members of a ike_natt_t task.
55 */
56 struct private_isakmp_natd_t {
57
58 /**
59 * Public interface.
60 */
61 isakmp_natd_t public;
62
63 /**
64 * Assigned IKE_SA.
65 */
66 ike_sa_t *ike_sa;
67
68 /**
69 * Are we the initiator?
70 */
71 bool initiator;
72
73 /**
74 * Keymat derivation (from SA)
75 */
76 keymat_v1_t *keymat;
77
78 /**
79 * Did we process any NAT detection payloads for a source address?
80 */
81 bool src_seen;
82
83 /**
84 * Did we process any NAT detection payloads for a destination address?
85 */
86 bool dst_seen;
87
88 /**
89 * Have we found a matching source address NAT hash?
90 */
91 bool src_matched;
92
93 /**
94 * Have we found a matching destination address NAT hash?
95 */
96 bool dst_matched;
97 };
98
99 /**
100 * Check if UDP encapsulation has to be forced either by config or required
101 * by the kernel interface
102 */
103 static bool force_encap(ike_cfg_t *ike_cfg)
104 {
105 if (!ike_cfg->force_encap(ike_cfg))
106 {
107 return hydra->kernel_interface->get_features(hydra->kernel_interface) &
108 KERNEL_REQUIRE_UDP_ENCAPSULATION;
109 }
110 return TRUE;
111 }
112
113 /**
114 * Get NAT-D payload type (RFC 3947 or RFC 3947 drafts).
115 */
116 static payload_type_t get_nat_d_payload_type(ike_sa_t *ike_sa)
117 {
118 if (ike_sa->supports_extension(ike_sa, EXT_NATT_DRAFT_02_03))
119 {
120 return PLV1_NAT_D_DRAFT_00_03;
121 }
122 return PLV1_NAT_D;
123 }
124
125 /**
126 * Build NAT detection hash for a host.
127 */
128 static chunk_t generate_natd_hash(private_isakmp_natd_t *this,
129 ike_sa_id_t *ike_sa_id, host_t *host)
130 {
131 hasher_t *hasher;
132 chunk_t natd_chunk, natd_hash;
133 u_int64_t spi_i, spi_r;
134 u_int16_t port;
135
136 hasher = this->keymat->get_hasher(this->keymat);
137 if (!hasher)
138 {
139 DBG1(DBG_IKE, "no hasher available to build NAT-D payload");
140 return chunk_empty;
141 }
142
143 spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
144 spi_r = ike_sa_id->get_responder_spi(ike_sa_id);
145 port = htons(host->get_port(host));
146
147 /* natd_hash = HASH(CKY-I | CKY-R | IP | Port) */
148 natd_chunk = chunk_cata("cccc", chunk_from_thing(spi_i),
149 chunk_from_thing(spi_r), host->get_address(host),
150 chunk_from_thing(port));
151 if (!hasher->allocate_hash(hasher, natd_chunk, &natd_hash))
152 {
153 DBG1(DBG_IKE, "creating NAT-D payload hash failed");
154 return chunk_empty;
155 }
156 DBG3(DBG_IKE, "natd_chunk %B", &natd_chunk);
157 DBG3(DBG_IKE, "natd_hash %B", &natd_hash);
158
159 return natd_hash;
160 }
161
162 /**
163 * Build a faked NAT-D payload to enforce UDP encapsulation.
164 */
165 static chunk_t generate_natd_hash_faked(private_isakmp_natd_t *this)
166 {
167 hasher_t *hasher;
168 chunk_t chunk;
169 rng_t *rng;
170
171 hasher = this->keymat->get_hasher(this->keymat);
172 if (!hasher)
173 {
174 DBG1(DBG_IKE, "no hasher available to build NAT-D payload");
175 return chunk_empty;
176 }
177 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
178 if (!rng ||
179 !rng->allocate_bytes(rng, hasher->get_hash_size(hasher), &chunk))
180 {
181 DBG1(DBG_IKE, "unable to get random bytes for NAT-D fake");
182 DESTROY_IF(rng);
183 return chunk_empty;
184 }
185 rng->destroy(rng);
186 return chunk;
187 }
188
189 /**
190 * Build a NAT-D payload.
191 */
192 static hash_payload_t *build_natd_payload(private_isakmp_natd_t *this, bool src,
193 host_t *host)
194 {
195 hash_payload_t *payload;
196 ike_cfg_t *config;
197 chunk_t hash;
198
199 config = this->ike_sa->get_ike_cfg(this->ike_sa);
200 if (src && force_encap(config))
201 {
202 hash = generate_natd_hash_faked(this);
203 }
204 else
205 {
206 ike_sa_id_t *ike_sa_id = this->ike_sa->get_id(this->ike_sa);
207 hash = generate_natd_hash(this, ike_sa_id, host);
208 }
209 if (!hash.len)
210 {
211 return NULL;
212 }
213 payload = hash_payload_create(get_nat_d_payload_type(this->ike_sa));
214 payload->set_hash(payload, hash);
215 chunk_free(&hash);
216 return payload;
217 }
218
219 /**
220 * Add NAT-D payloads to the message.
221 */
222 static void add_natd_payloads(private_isakmp_natd_t *this, message_t *message)
223 {
224 hash_payload_t *payload;
225 host_t *host;
226
227 /* destination has to be added first */
228 host = message->get_destination(message);
229 payload = build_natd_payload(this, FALSE, host);
230 if (payload)
231 {
232 message->add_payload(message, (payload_t*)payload);
233 }
234
235 /* source is added second, compared with IKEv2 we always know the source,
236 * as these payloads are added in the second Phase 1 exchange or the
237 * response to the first */
238 host = message->get_source(message);
239 payload = build_natd_payload(this, TRUE, host);
240 if (payload)
241 {
242 message->add_payload(message, (payload_t*)payload);
243 }
244 }
245
246 /**
247 * Read NAT-D payloads from message and evaluate them.
248 */
249 static void process_payloads(private_isakmp_natd_t *this, message_t *message)
250 {
251 enumerator_t *enumerator;
252 payload_t *payload;
253 hash_payload_t *hash_payload;
254 chunk_t hash, src_hash, dst_hash;
255 ike_sa_id_t *ike_sa_id;
256 host_t *me, *other;
257 ike_cfg_t *config;
258
259 /* precompute hashes for incoming NAT-D comparison */
260 ike_sa_id = message->get_ike_sa_id(message);
261 me = message->get_destination(message);
262 other = message->get_source(message);
263 dst_hash = generate_natd_hash(this, ike_sa_id, me);
264 src_hash = generate_natd_hash(this, ike_sa_id, other);
265
266 DBG3(DBG_IKE, "precalculated src_hash %B", &src_hash);
267 DBG3(DBG_IKE, "precalculated dst_hash %B", &dst_hash);
268
269 enumerator = message->create_payload_enumerator(message);
270 while (enumerator->enumerate(enumerator, &payload))
271 {
272 if (payload->get_type(payload) != PLV1_NAT_D &&
273 payload->get_type(payload) != PLV1_NAT_D_DRAFT_00_03)
274 {
275 continue;
276 }
277 hash_payload = (hash_payload_t*)payload;
278 if (!this->dst_seen)
279 { /* the first NAT-D payload contains the destination hash */
280 this->dst_seen = TRUE;
281 hash = hash_payload->get_hash(hash_payload);
282 DBG3(DBG_IKE, "received dst_hash %B", &hash);
283 if (chunk_equals(hash, dst_hash))
284 {
285 this->dst_matched = TRUE;
286 }
287 continue;
288 }
289 /* the other NAT-D payloads contain source hashes */
290 this->src_seen = TRUE;
291 if (!this->src_matched)
292 {
293 hash = hash_payload->get_hash(hash_payload);
294 DBG3(DBG_IKE, "received src_hash %B", &hash);
295 if (chunk_equals(hash, src_hash))
296 {
297 this->src_matched = TRUE;
298 }
299 }
300 }
301 enumerator->destroy(enumerator);
302
303 chunk_free(&src_hash);
304 chunk_free(&dst_hash);
305
306 if (this->src_seen && this->dst_seen)
307 {
308 this->ike_sa->set_condition(this->ike_sa, COND_NAT_HERE,
309 !this->dst_matched);
310 this->ike_sa->set_condition(this->ike_sa, COND_NAT_THERE,
311 !this->src_matched);
312 config = this->ike_sa->get_ike_cfg(this->ike_sa);
313 if (this->dst_matched && this->src_matched &&
314 force_encap(config))
315 {
316 this->ike_sa->set_condition(this->ike_sa, COND_NAT_FAKE, TRUE);
317 }
318 }
319 }
320
321 METHOD(task_t, build_i, status_t,
322 private_isakmp_natd_t *this, message_t *message)
323 {
324 status_t result = NEED_MORE;
325
326 switch (message->get_exchange_type(message))
327 {
328 case AGGRESSIVE:
329 { /* add NAT-D payloads to the second request, already processed
330 * those by the responder contained in the first response */
331 result = SUCCESS;
332 /* fall */
333 }
334 case ID_PROT:
335 { /* add NAT-D payloads to the second request, need to process
336 * those by the responder contained in the second response */
337 if (message->get_payload(message, PLV1_SECURITY_ASSOCIATION))
338 { /* wait for the second exchange */
339 return NEED_MORE;
340 }
341 add_natd_payloads(this, message);
342 return result;
343 }
344 default:
345 break;
346 }
347 return SUCCESS;
348 }
349
350 METHOD(task_t, process_i, status_t,
351 private_isakmp_natd_t *this, message_t *message)
352 {
353 status_t result = NEED_MORE;
354
355 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_NATT))
356 { /* we didn't receive VIDs inidcating support for NAT-T */
357 return SUCCESS;
358 }
359
360 switch (message->get_exchange_type(message))
361 {
362 case ID_PROT:
363 { /* process NAT-D payloads in the second response, added them in the
364 * second request already, so we're done afterwards */
365 if (message->get_payload(message, PLV1_SECURITY_ASSOCIATION))
366 { /* wait for the second exchange */
367 return NEED_MORE;
368 }
369 result = SUCCESS;
370 /* fall */
371 }
372 case AGGRESSIVE:
373 { /* process NAT-D payloads in the first response, add them in the
374 * following second request */
375 process_payloads(this, message);
376
377 if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
378 {
379 this->ike_sa->float_ports(this->ike_sa);
380 }
381 return result;
382 }
383 default:
384 break;
385 }
386 return SUCCESS;
387 }
388
389 METHOD(task_t, process_r, status_t,
390 private_isakmp_natd_t *this, message_t *message)
391 {
392 status_t result = NEED_MORE;
393
394 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_NATT))
395 { /* we didn't receive VIDs indicating NAT-T support */
396 return SUCCESS;
397 }
398
399 switch (message->get_exchange_type(message))
400 {
401 case AGGRESSIVE:
402 { /* process NAT-D payloads in the second request, already added ours
403 * in the first response */
404 result = SUCCESS;
405 /* fall */
406 }
407 case ID_PROT:
408 { /* process NAT-D payloads in the second request, need to add ours
409 * to the second response */
410 if (message->get_payload(message, PLV1_SECURITY_ASSOCIATION))
411 { /* wait for the second exchange */
412 return NEED_MORE;
413 }
414 process_payloads(this, message);
415 return result;
416 }
417 default:
418 break;
419 }
420 return SUCCESS;
421 }
422
423 METHOD(task_t, build_r, status_t,
424 private_isakmp_natd_t *this, message_t *message)
425 {
426 switch (message->get_exchange_type(message))
427 {
428 case ID_PROT:
429 { /* add NAT-D payloads to second response, already processed those
430 * contained in the second request */
431 if (message->get_payload(message, PLV1_SECURITY_ASSOCIATION))
432 { /* wait for the second exchange */
433 return NEED_MORE;
434 }
435 add_natd_payloads(this, message);
436 return SUCCESS;
437 }
438 case AGGRESSIVE:
439 { /* add NAT-D payloads to the first response, process those contained
440 * in the following second request */
441 add_natd_payloads(this, message);
442 return NEED_MORE;
443 }
444 default:
445 break;
446 }
447 return SUCCESS;
448 }
449
450 METHOD(task_t, get_type, task_type_t,
451 private_isakmp_natd_t *this)
452 {
453 return TASK_ISAKMP_NATD;
454 }
455
456 METHOD(task_t, migrate, void,
457 private_isakmp_natd_t *this, ike_sa_t *ike_sa)
458 {
459 this->ike_sa = ike_sa;
460 this->keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
461 this->src_seen = FALSE;
462 this->dst_seen = FALSE;
463 this->src_matched = FALSE;
464 this->dst_matched = FALSE;
465 }
466
467 METHOD(task_t, destroy, void,
468 private_isakmp_natd_t *this)
469 {
470 free(this);
471 }
472
473 /*
474 * Described in header.
475 */
476 isakmp_natd_t *isakmp_natd_create(ike_sa_t *ike_sa, bool initiator)
477 {
478 private_isakmp_natd_t *this;
479
480 INIT(this,
481 .public = {
482 .task = {
483 .get_type = _get_type,
484 .migrate = _migrate,
485 .destroy = _destroy,
486 },
487 },
488 .ike_sa = ike_sa,
489 .keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa),
490 .initiator = initiator,
491 );
492
493 if (initiator)
494 {
495 this->public.task.build = _build_i;
496 this->public.task.process = _process_i;
497 }
498 else
499 {
500 this->public.task.build = _build_r;
501 this->public.task.process = _process_r;
502 }
503
504 return &this->public;
505 }
Unnamed repository; edit this file 'description' to name the repository.