]> git.ipfire.org Git - thirdparty/strongswan.git/blob - src/libcharon/sa/tasks/ike_natd.c
projects / thirdparty / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Added a generic TASK_ prefix to all task types
[thirdparty/strongswan.git] / src / libcharon / sa / tasks / ike_natd.c
1 /*
2 * Copyright (C) 2006-2007 Martin Willi
3 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "ike_natd.h"
18
19 #include <string.h>
20
21 #include <hydra.h>
22 #include <daemon.h>
23 #include <config/peer_cfg.h>
24 #include <crypto/hashers/hasher.h>
25 #include <encoding/payloads/notify_payload.h>
26
27
28 typedef struct private_ike_natd_t private_ike_natd_t;
29
30 /**
31 * Private members of a ike_natd_t task.
32 */
33 struct private_ike_natd_t {
34
35 /**
36 * Public methods and task_t interface.
37 */
38 ike_natd_t public;
39
40 /**
41 * Assigned IKE_SA.
42 */
43 ike_sa_t *ike_sa;
44
45 /**
46 * Are we the initiator?
47 */
48 bool initiator;
49
50 /**
51 * Hasher used to build NAT detection hashes
52 */
53 hasher_t *hasher;
54
55 /**
56 * Did we process any NAT detection notifys for a source address?
57 */
58 bool src_seen;
59
60 /**
61 * Did we process any NAT detection notifys for a destination address?
62 */
63 bool dst_seen;
64
65 /**
66 * Have we found a matching source address NAT hash?
67 */
68 bool src_matched;
69
70 /**
71 * Have we found a matching destination address NAT hash?
72 */
73 bool dst_matched;
74
75 /**
76 * whether NAT mappings for our NATed address has changed
77 */
78 bool mapping_changed;
79 };
80
81
82 /**
83 * Build NAT detection hash for a host
84 */
85 static chunk_t generate_natd_hash(private_ike_natd_t *this,
86 ike_sa_id_t *ike_sa_id, host_t *host)
87 {
88 chunk_t natd_chunk, spi_i_chunk, spi_r_chunk, addr_chunk, port_chunk;
89 chunk_t natd_hash;
90 u_int64_t spi_i, spi_r;
91 u_int16_t port;
92
93 /* prepare all required chunks */
94 spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
95 spi_r = ike_sa_id->get_responder_spi(ike_sa_id);
96 spi_i_chunk.ptr = (void*)&spi_i;
97 spi_i_chunk.len = sizeof(spi_i);
98 spi_r_chunk.ptr = (void*)&spi_r;
99 spi_r_chunk.len = sizeof(spi_r);
100 port = htons(host->get_port(host));
101 port_chunk.ptr = (void*)&port;
102 port_chunk.len = sizeof(port);
103 addr_chunk = host->get_address(host);
104
105 /* natd_hash = SHA1( spi_i | spi_r | address | port ) */
106 natd_chunk = chunk_cat("cccc", spi_i_chunk, spi_r_chunk, addr_chunk, port_chunk);
107 this->hasher->allocate_hash(this->hasher, natd_chunk, &natd_hash);
108 DBG3(DBG_IKE, "natd_chunk %B", &natd_chunk);
109 DBG3(DBG_IKE, "natd_hash %B", &natd_hash);
110
111 chunk_free(&natd_chunk);
112 return natd_hash;
113 }
114
115 /**
116 * build a faked NATD payload to enforce UDP encap
117 */
118 static chunk_t generate_natd_hash_faked(private_ike_natd_t *this)
119 {
120 rng_t *rng;
121 chunk_t chunk;
122
123 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
124 if (!rng)
125 {
126 DBG1(DBG_IKE, "unable to get random bytes for NATD fake");
127 return chunk_empty;
128 }
129 rng->allocate_bytes(rng, HASH_SIZE_SHA1, &chunk);
130 rng->destroy(rng);
131 return chunk;
132 }
133
134 /**
135 * Build a NAT detection notify payload.
136 */
137 static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
138 notify_type_t type, host_t *host)
139 {
140 chunk_t hash;
141 notify_payload_t *notify;
142 ike_sa_id_t *ike_sa_id;
143 ike_cfg_t *config;
144
145 ike_sa_id = this->ike_sa->get_id(this->ike_sa);
146 config = this->ike_sa->get_ike_cfg(this->ike_sa);
147 if (config->force_encap(config) && type == NAT_DETECTION_SOURCE_IP)
148 {
149 hash = generate_natd_hash_faked(this);
150 }
151 else
152 {
153 hash = generate_natd_hash(this, ike_sa_id, host);
154 }
155 notify = notify_payload_create(NOTIFY);
156 notify->set_notify_type(notify, type);
157 notify->set_notification_data(notify, hash);
158 chunk_free(&hash);
159
160 return notify;
161 }
162
163 /**
164 * read notifys from message and evaluate them
165 */
166 static void process_payloads(private_ike_natd_t *this, message_t *message)
167 {
168 enumerator_t *enumerator;
169 payload_t *payload;
170 notify_payload_t *notify;
171 chunk_t hash, src_hash, dst_hash;
172 ike_sa_id_t *ike_sa_id;
173 host_t *me, *other;
174 ike_cfg_t *config;
175
176 /* Precompute NAT-D hashes for incoming NAT notify comparison */
177 ike_sa_id = message->get_ike_sa_id(message);
178 me = message->get_destination(message);
179 other = message->get_source(message);
180 dst_hash = generate_natd_hash(this, ike_sa_id, me);
181 src_hash = generate_natd_hash(this, ike_sa_id, other);
182
183 DBG3(DBG_IKE, "precalculated src_hash %B", &src_hash);
184 DBG3(DBG_IKE, "precalculated dst_hash %B", &dst_hash);
185
186 enumerator = message->create_payload_enumerator(message);
187 while (enumerator->enumerate(enumerator, &payload))
188 {
189 if (payload->get_type(payload) != NOTIFY)
190 {
191 continue;
192 }
193 notify = (notify_payload_t*)payload;
194 switch (notify->get_notify_type(notify))
195 {
196 case NAT_DETECTION_DESTINATION_IP:
197 {
198 this->dst_seen = TRUE;
199 hash = notify->get_notification_data(notify);
200 if (!this->dst_matched)
201 {
202 DBG3(DBG_IKE, "received dst_hash %B", &hash);
203 if (chunk_equals(hash, dst_hash))
204 {
205 this->dst_matched = TRUE;
206 }
207 }
208 /* RFC4555 says we should also compare against IKE_SA_INIT
209 * NATD payloads, but this does not work: We are running
210 * there at port 500, but use 4500 afterwards... */
211 if (message->get_exchange_type(message) == INFORMATIONAL &&
212 this->initiator && !this->dst_matched)
213 {
214 this->mapping_changed = this->ike_sa->has_mapping_changed(
215 this->ike_sa, hash);
216 }
217 break;
218 }
219 case NAT_DETECTION_SOURCE_IP:
220 {
221 this->src_seen = TRUE;
222 if (!this->src_matched)
223 {
224 hash = notify->get_notification_data(notify);
225 DBG3(DBG_IKE, "received src_hash %B", &hash);
226 if (chunk_equals(hash, src_hash))
227 {
228 this->src_matched = TRUE;
229 }
230 }
231 break;
232 }
233 default:
234 break;
235 }
236 }
237 enumerator->destroy(enumerator);
238
239 chunk_free(&src_hash);
240 chunk_free(&dst_hash);
241
242 if (this->src_seen && this->dst_seen)
243 {
244 this->ike_sa->enable_extension(this->ike_sa, EXT_NATT);
245
246 this->ike_sa->set_condition(this->ike_sa, COND_NAT_HERE,
247 !this->dst_matched);
248 this->ike_sa->set_condition(this->ike_sa, COND_NAT_THERE,
249 !this->src_matched);
250 config = this->ike_sa->get_ike_cfg(this->ike_sa);
251 if (this->dst_matched && this->src_matched &&
252 config->force_encap(config))
253 {
254 this->ike_sa->set_condition(this->ike_sa, COND_NAT_FAKE, TRUE);
255 }
256 }
257 }
258
259 METHOD(task_t, process_i, status_t,
260 private_ike_natd_t *this, message_t *message)
261 {
262 process_payloads(this, message);
263
264 if (message->get_exchange_type(message) == IKE_SA_INIT)
265 {
266 peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
267 if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) ||
268 /* if peer supports NAT-T, we switch to port 4500 even
269 * if no NAT is detected. can't be done later (when we would know
270 * whether the peer supports MOBIKE) because there would be no
271 * exchange to actually do the switch (other than a forced DPD). */
272 (peer_cfg->use_mobike(peer_cfg) &&
273 this->ike_sa->supports_extension(this->ike_sa, EXT_NATT)))
274 {
275 this->ike_sa->float_ports(this->ike_sa);
276 }
277 }
278
279 return SUCCESS;
280 }
281
282 METHOD(task_t, build_i, status_t,
283 private_ike_natd_t *this, message_t *message)
284 {
285 notify_payload_t *notify;
286 enumerator_t *enumerator;
287 ike_cfg_t *ike_cfg;
288 host_t *host;
289
290 if (this->hasher == NULL)
291 {
292 DBG1(DBG_IKE, "unable to build NATD payloads, SHA1 not supported");
293 return NEED_MORE;
294 }
295
296 ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
297
298 /* destination is always set */
299 host = message->get_destination(message);
300 notify = build_natd_payload(this, NAT_DETECTION_DESTINATION_IP, host);
301 message->add_payload(message, (payload_t*)notify);
302
303 /* source may be any, we have 3 possibilities to get our source address:
304 * 1. It is defined in the config => use the one of the IKE_SA
305 * 2. We do a routing lookup in the kernel interface
306 * 3. Include all possbile addresses
307 */
308 host = message->get_source(message);
309 if (!host->is_anyaddr(host))
310 { /* 1. */
311 notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
312 message->add_payload(message, (payload_t*)notify);
313 }
314 else
315 {
316 host = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
317 this->ike_sa->get_other_host(this->ike_sa), NULL);
318 if (host)
319 { /* 2. */
320 host->set_port(host, ike_cfg->get_my_port(ike_cfg));
321 notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
322 message->add_payload(message, (payload_t*)notify);
323 host->destroy(host);
324 }
325 else
326 { /* 3. */
327 enumerator = hydra->kernel_interface->create_address_enumerator(
328 hydra->kernel_interface, FALSE, FALSE);
329 while (enumerator->enumerate(enumerator, (void**)&host))
330 {
331 /* apply port 500 to host, but work on a copy */
332 host = host->clone(host);
333 host->set_port(host, ike_cfg->get_my_port(ike_cfg));
334 notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
335 host->destroy(host);
336 message->add_payload(message, (payload_t*)notify);
337 }
338 enumerator->destroy(enumerator);
339 }
340 }
341 return NEED_MORE;
342 }
343
344 METHOD(task_t, build_r, status_t,
345 private_ike_natd_t *this, message_t *message)
346 {
347 notify_payload_t *notify;
348 host_t *me, *other;
349
350 /* only add notifies on successful responses. */
351 if (message->get_exchange_type(message) == IKE_SA_INIT &&
352 message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
353 {
354 return SUCCESS;
355 }
356
357 if (this->src_seen && this->dst_seen)
358 {
359 if (this->hasher == NULL)
360 {
361 DBG1(DBG_IKE, "unable to build NATD payloads, SHA1 not supported");
362 return SUCCESS;
363 }
364
365 /* initiator seems to support NAT detection, add response */
366 me = message->get_source(message);
367 notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, me);
368 message->add_payload(message, (payload_t*)notify);
369
370 other = message->get_destination(message);
371 notify = build_natd_payload(this, NAT_DETECTION_DESTINATION_IP, other);
372 message->add_payload(message, (payload_t*)notify);
373 }
374 return SUCCESS;
375 }
376
377 METHOD(task_t, process_r, status_t,
378 private_ike_natd_t *this, message_t *message)
379 {
380 process_payloads(this, message);
381
382 return NEED_MORE;
383 }
384
385 METHOD(task_t, get_type, task_type_t,
386 private_ike_natd_t *this)
387 {
388 return TASK_IKE_NATD;
389 }
390
391 METHOD(task_t, migrate, void,
392 private_ike_natd_t *this, ike_sa_t *ike_sa)
393 {
394 this->ike_sa = ike_sa;
395 this->src_seen = FALSE;
396 this->dst_seen = FALSE;
397 this->src_matched = FALSE;
398 this->dst_matched = FALSE;
399 this->mapping_changed = FALSE;
400 }
401
402 METHOD(task_t, destroy, void,
403 private_ike_natd_t *this)
404 {
405 DESTROY_IF(this->hasher);
406 free(this);
407 }
408
409 METHOD(ike_natd_t, has_mapping_changed, bool,
410 private_ike_natd_t *this)
411 {
412 return this->mapping_changed;
413 }
414
415 /*
416 * Described in header.
417 */
418 ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator)
419 {
420 private_ike_natd_t *this;
421
422 INIT(this,
423 .public = {
424 .task = {
425 .get_type = _get_type,
426 .migrate = _migrate,
427 .destroy = _destroy,
428 },
429 .has_mapping_changed = _has_mapping_changed,
430 },
431 .ike_sa = ike_sa,
432 .initiator = initiator,
433 .hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1),
434 );
435
436 if (initiator)
437 {
438 this->public.task.build = _build_i;
439 this->public.task.process = _process_i;
440 }
441 else
442 {
443 this->public.task.build = _build_r;
444 this->public.task.process = _process_r;
445 }
446
447 return &this->public;
448 }
Unnamed repository; edit this file 'description' to name the repository.