a9501ecb9c1a5a89fcceeb67487f78d69f85f64a
[strongswan.git] / src / pluto / nat_traversal.c
1 /* FreeS/WAN NAT-Traversal
2 * Copyright (C) 2002-2005 Mathieu Lafon - Arkoon Network Security
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * for more details.
13 */
14
15 #include <stdio.h>
16 #include <stdlib.h>
17 #include <ctype.h>
18 #include <stdarg.h>
19 #include <syslog.h>
20 #include <errno.h>
21 #include <string.h>
22 #include <unistd.h>
23 #include <signal.h> /* used only if MSG_NOSIGNAL not defined */
24 #include <sys/queue.h>
25
26 #include <freeswan.h>
27 #include <ipsec_policy.h>
28 #include <pfkeyv2.h>
29 #include <pfkey.h>
30
31 #include <library.h>
32 #include <crypto/hashers/hasher.h>
33
34 #include "constants.h"
35 #include "defs.h"
36 #include "log.h"
37 #include "server.h"
38 #include "state.h"
39 #include "connections.h"
40 #include "packet.h"
41 #include "demux.h"
42 #include "kernel.h"
43 #include "whack.h"
44 #include "timer.h"
45 #include "cookie.h"
46 #include "crypto.h"
47 #include "vendor.h"
48 #include "ike_alg.h"
49 #include "nat_traversal.h"
50
51 /* #define FORCE_NAT_TRAVERSAL */
52 #define NAT_D_DEBUG
53 #define NAT_T_SUPPORT_LAST_DRAFTS
54
55 #ifndef SOL_UDP
56 #define SOL_UDP 17
57 #endif
58
59 #ifndef UDP_ESPINUDP
60 #define UDP_ESPINUDP 100
61 #endif
62
63 #define DEFAULT_KEEP_ALIVE_PERIOD 20
64
65 #ifdef _IKE_ALG_H
66 /* Alg patch: hash_digest_len -> hash_digest_size */
67 #define hash_digest_len hash_digest_size
68 #endif
69
70 bool nat_traversal_enabled = FALSE;
71 bool nat_traversal_support_non_ike = FALSE;
72 bool nat_traversal_support_port_floating = FALSE;
73
74 static unsigned int _kap = 0;
75 static unsigned int _ka_evt = 0;
76 static bool _force_ka = 0;
77
78 static const char *natt_version = "0.6c";
79
80 void init_nat_traversal (bool activate, unsigned int keep_alive_period,
81 bool fka, bool spf)
82 {
83 nat_traversal_enabled = activate;
84 nat_traversal_support_non_ike = activate;
85 #ifdef NAT_T_SUPPORT_LAST_DRAFTS
86 nat_traversal_support_port_floating = activate ? spf : FALSE;
87 #endif
88 _force_ka = fka;
89 _kap = keep_alive_period ? keep_alive_period : DEFAULT_KEEP_ALIVE_PERIOD;
90 plog(" including NAT-Traversal patch (Version %s)%s%s%s"
91 , natt_version, activate ? "" : " [disabled]"
92 , activate & fka ? " [Force KeepAlive]" : ""
93 , activate & !spf ? " [Port Floating disabled]" : "");
94 }
95
96 static void disable_nat_traversal (int type)
97 {
98 if (type == ESPINUDP_WITH_NON_IKE)
99 nat_traversal_support_non_ike = FALSE;
100 else
101 nat_traversal_support_port_floating = FALSE;
102
103 if (!nat_traversal_support_non_ike &&
104 !nat_traversal_support_port_floating)
105 nat_traversal_enabled = FALSE;
106 }
107
108 static void _natd_hash(const struct hash_desc *oakley_hasher, char *hash,
109 u_int8_t *icookie, u_int8_t *rcookie,
110 const ip_address *ip, u_int16_t port)
111 {
112 if (is_zero_cookie(icookie))
113 {
114 DBG_log("_natd_hash: Warning, icookie is zero !!");
115 }
116 if (is_zero_cookie(rcookie))
117 {
118 DBG_log("_natd_hash: Warning, rcookie is zero !!");
119 }
120
121 /**
122 * draft-ietf-ipsec-nat-t-ike-01.txt
123 *
124 * HASH = HASH(CKY-I | CKY-R | IP | Port)
125 *
126 * All values in network order
127 */
128 {
129 chunk_t icookie_chunk = { icookie, COOKIE_SIZE };
130 chunk_t rcookie_chunk = { rcookie, COOKIE_SIZE };
131 chunk_t port_chunk = chunk_from_thing(port);
132 chunk_t addr_chunk;
133 hash_algorithm_t hash_alg;
134 hasher_t *hasher;
135 size_t hash_size;
136
137 hash_alg = oakley_to_hash_algorithm(oakley_hasher->algo_id);
138 hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
139 hasher->get_hash(hasher, icookie_chunk, NULL);
140 hasher->get_hash(hasher, rcookie_chunk, NULL);
141 switch (addrtypeof(ip))
142 {
143 case AF_INET:
144 addr_chunk = chunk_from_thing(ip->u.v4.sin_addr.s_addr);
145 break;
146 case AF_INET6:
147 addr_chunk = chunk_from_thing(ip->u.v6.sin6_addr.s6_addr);
148 }
149 hasher->get_hash(hasher, addr_chunk, NULL);
150 hasher->get_hash(hasher, port_chunk, hash);
151 hash_size = hasher->get_hash_size(hasher);
152 hasher->destroy(hasher);
153 #ifdef NAT_D_DEBUG
154 DBG(DBG_NATT,
155 DBG_dump_chunk("_natd_hash: icookie=", icookie_chunk);
156 DBG_dump_chunk("_natd_hash: rcookie=", rcookie_chunk);
157 DBG_dump_chunk("_natd_hash: ip=", addr_chunk);
158 DBG_log("_natd_hash: port=%d", port);
159 DBG_dump("_natd_hash: hash=", hash, hash_size);
160 )
161 #endif
162 }
163 }
164
165 /* Add NAT-Traversal VIDs (supported ones)
166 * used when we are Initiator
167 */
168 bool nat_traversal_add_vid(u_int8_t np, pb_stream *outs)
169 {
170 bool r = TRUE;
171
172 if (nat_traversal_support_port_floating)
173 {
174 u_int8_t last_np = nat_traversal_support_non_ike ?
175 ISAKMP_NEXT_VID : np;
176
177 if (r)
178 r = out_vendorid(ISAKMP_NEXT_VID, outs, VID_NATT_RFC);
179 if (r)
180 r = out_vendorid(ISAKMP_NEXT_VID, outs, VID_NATT_IETF_03);
181 if (r)
182 r = out_vendorid(ISAKMP_NEXT_VID, outs, VID_NATT_IETF_02);
183 if (r)
184 r = out_vendorid(last_np, outs, VID_NATT_IETF_02_N);
185 }
186 if (nat_traversal_support_non_ike)
187 {
188 if (r)
189 r = out_vendorid(np, outs, VID_NATT_IETF_00);
190 }
191 return r;
192 }
193
194 u_int32_t nat_traversal_vid_to_method(unsigned short nat_t_vid)
195 {
196 switch (nat_t_vid)
197 {
198 case VID_NATT_IETF_00:
199 return LELEM(NAT_TRAVERSAL_IETF_00_01);
200 case VID_NATT_IETF_02:
201 case VID_NATT_IETF_02_N:
202 case VID_NATT_IETF_03:
203 return LELEM(NAT_TRAVERSAL_IETF_02_03);
204 case VID_NATT_RFC:
205 return LELEM(NAT_TRAVERSAL_RFC);
206 }
207 return 0;
208 }
209
210 void nat_traversal_natd_lookup(struct msg_digest *md)
211 {
212 char hash[MAX_DIGEST_LEN];
213 struct payload_digest *p;
214 struct state *st = md->st;
215 int i;
216
217 if (!st || !md->iface || !st->st_oakley.hasher)
218 {
219 loglog(RC_LOG_SERIOUS, "NAT-Traversal: assert failed %s:%d"
220 , __FILE__, __LINE__);
221 return;
222 }
223
224 /** Count NAT-D **/
225 for (p = md->chain[ISAKMP_NEXT_NATD_RFC], i=0; p != NULL; p = p->next, i++);
226
227 /*
228 * We need at least 2 NAT-D (1 for us, many for peer)
229 */
230 if (i < 2)
231 {
232 loglog(RC_LOG_SERIOUS,
233 "NAT-Traversal: Only %d NAT-D - Aborting NAT-Traversal negociation", i);
234 st->nat_traversal = 0;
235 return;
236 }
237
238 /*
239 * First one with my IP & port
240 */
241 p = md->chain[ISAKMP_NEXT_NATD_RFC];
242 _natd_hash(st->st_oakley.hasher, hash, st->st_icookie, st->st_rcookie,
243 &(md->iface->addr), ntohs(st->st_connection->spd.this.host_port));
244
245 if (!(pbs_left(&p->pbs) == st->st_oakley.hasher->hash_digest_len &&
246 memeq(p->pbs.cur, hash, st->st_oakley.hasher->hash_digest_len)))
247 {
248 #ifdef NAT_D_DEBUG
249 DBG(DBG_NATT,
250 DBG_log("NAT_TRAVERSAL_NAT_BHND_ME");
251 DBG_dump("expected NAT-D:", hash
252 , st->st_oakley.hasher->hash_digest_len);
253 DBG_dump("received NAT-D:", p->pbs.cur, pbs_left(&p->pbs));
254 )
255 #endif
256 st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_ME);
257 }
258
259 /*
260 * The others with sender IP & port
261 */
262 _natd_hash(st->st_oakley.hasher, hash, st->st_icookie, st->st_rcookie,
263 &(md->sender), ntohs(md->sender_port));
264 for (p = p->next, i=0 ; p != NULL; p = p->next)
265 {
266 if (pbs_left(&p->pbs) == st->st_oakley.hasher->hash_digest_len &&
267 memeq(p->pbs.cur, hash, st->st_oakley.hasher->hash_digest_len))
268 {
269 i++;
270 }
271 }
272 if (!i)
273 {
274 #ifdef NAT_D_DEBUG
275 DBG(DBG_NATT,
276 DBG_log("NAT_TRAVERSAL_NAT_BHND_PEER");
277 DBG_dump("expected NAT-D:", hash
278 , st->st_oakley.hasher->hash_digest_len);
279 p = md->chain[ISAKMP_NEXT_NATD_RFC];
280 for (p = p->next, i=0 ; p != NULL; p = p->next)
281 {
282 DBG_dump("received NAT-D:", p->pbs.cur, pbs_left(&p->pbs));
283 }
284 )
285 #endif
286 st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_PEER);
287 }
288 #ifdef FORCE_NAT_TRAVERSAL
289 st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_PEER);
290 st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_ME);
291 #endif
292 }
293
294 bool nat_traversal_add_natd(u_int8_t np, pb_stream *outs,
295 struct msg_digest *md)
296 {
297 char hash[MAX_DIGEST_LEN];
298 struct state *st = md->st;
299
300 if (!st || !st->st_oakley.hasher)
301 {
302 loglog(RC_LOG_SERIOUS, "NAT-Traversal: assert failed %s:%d"
303 , __FILE__, __LINE__);
304 return FALSE;
305 }
306
307 DBG(DBG_EMITTING,
308 DBG_log("sending NATD payloads")
309 )
310
311 /*
312 * First one with sender IP & port
313 */
314 _natd_hash(st->st_oakley.hasher, hash, st->st_icookie,
315 is_zero_cookie(st->st_rcookie) ? md->hdr.isa_rcookie : st->st_rcookie,
316 &(md->sender),
317 #ifdef FORCE_NAT_TRAVERSAL
318 0
319 #else
320 ntohs(md->sender_port)
321 #endif
322 );
323 if (!out_generic_raw((st->nat_traversal & NAT_T_WITH_RFC_VALUES
324 ? ISAKMP_NEXT_NATD_RFC : ISAKMP_NEXT_NATD_DRAFTS), &isakmp_nat_d, outs,
325 hash, st->st_oakley.hasher->hash_digest_len, "NAT-D"))
326 {
327 return FALSE;
328 }
329
330 /*
331 * Second one with my IP & port
332 */
333 _natd_hash(st->st_oakley.hasher, hash, st->st_icookie,
334 is_zero_cookie(st->st_rcookie) ? md->hdr.isa_rcookie : st->st_rcookie,
335 &(md->iface->addr),
336 #ifdef FORCE_NAT_TRAVERSAL
337 0
338 #else
339 ntohs(st->st_connection->spd.this.host_port)
340 #endif
341 );
342 return (out_generic_raw(np, &isakmp_nat_d, outs,
343 hash, st->st_oakley.hasher->hash_digest_len, "NAT-D"));
344 }
345
346 /*
347 * nat_traversal_natoa_lookup()
348 *
349 * Look for NAT-OA in message
350 */
351 void nat_traversal_natoa_lookup(struct msg_digest *md)
352 {
353 struct payload_digest *p;
354 struct state *st = md->st;
355 int i;
356 ip_address ip;
357
358 if (!st || !md->iface)
359 {
360 loglog(RC_LOG_SERIOUS, "NAT-Traversal: assert failed %s:%d"
361 , __FILE__, __LINE__);
362 return;
363 }
364
365 /* Initialize NAT-OA */
366 anyaddr(AF_INET, &st->nat_oa);
367
368 /* Count NAT-OA **/
369 for (p = md->chain[ISAKMP_NEXT_NATOA_RFC], i=0; p != NULL; p = p->next, i++);
370
371 DBG(DBG_NATT,
372 DBG_log("NAT-Traversal: received %d NAT-OA.", i)
373 )
374
375 if (i == 0)
376 return;
377
378 if (!(st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_PEER)))
379 {
380 loglog(RC_LOG_SERIOUS, "NAT-Traversal: received %d NAT-OA. "
381 "ignored because peer is not NATed", i);
382 return;
383 }
384
385 if (i > 1)
386 {
387 loglog(RC_LOG_SERIOUS, "NAT-Traversal: received %d NAT-OA. "
388 "using first, ignoring others", i);
389 }
390
391 /* Take first */
392 p = md->chain[ISAKMP_NEXT_NATOA_RFC];
393
394 DBG(DBG_PARSING,
395 DBG_dump("NAT-OA:", p->pbs.start, pbs_room(&p->pbs));
396 );
397
398 switch (p->payload.nat_oa.isanoa_idtype)
399 {
400 case ID_IPV4_ADDR:
401 if (pbs_left(&p->pbs) == sizeof(struct in_addr))
402 {
403 initaddr(p->pbs.cur, pbs_left(&p->pbs), AF_INET, &ip);
404 }
405 else
406 {
407 loglog(RC_LOG_SERIOUS, "NAT-Traversal: received IPv4 NAT-OA "
408 "with invalid IP size (%d)", (int)pbs_left(&p->pbs));
409 return;
410 }
411 break;
412 case ID_IPV6_ADDR:
413 if (pbs_left(&p->pbs) == sizeof(struct in6_addr))
414 {
415 initaddr(p->pbs.cur, pbs_left(&p->pbs), AF_INET6, &ip);
416 }
417 else
418 {
419 loglog(RC_LOG_SERIOUS, "NAT-Traversal: received IPv6 NAT-OA "
420 "with invalid IP size (%d)", (int)pbs_left(&p->pbs));
421 return;
422 }
423 break;
424 default:
425 loglog(RC_LOG_SERIOUS, "NAT-Traversal: "
426 "invalid ID Type (%d) in NAT-OA - ignored",
427 p->payload.nat_oa.isanoa_idtype);
428 return;
429 }
430
431 DBG(DBG_NATT,
432 {
433 char ip_t[ADDRTOT_BUF];
434 addrtot(&ip, 0, ip_t, sizeof(ip_t));
435
436 DBG_log("received NAT-OA: %s", ip_t);
437 }
438 )
439
440 if (isanyaddr(&ip))
441 loglog(RC_LOG_SERIOUS, "NAT-Traversal: received %%any NAT-OA...");
442 else
443 st->nat_oa = ip;
444 }
445
446 bool nat_traversal_add_natoa(u_int8_t np, pb_stream *outs,
447 struct state *st)
448 {
449 struct isakmp_nat_oa natoa;
450 pb_stream pbs;
451 unsigned char ip_val[sizeof(struct in6_addr)];
452 size_t ip_len = 0;
453 ip_address *ip;
454
455 if ((!st) || (!st->st_connection))
456 {
457 loglog(RC_LOG_SERIOUS, "NAT-Traversal: assert failed %s:%d"
458 , __FILE__, __LINE__);
459 return FALSE;
460 }
461 ip = &(st->st_connection->spd.this.host_addr);
462
463 memset(&natoa, 0, sizeof(natoa));
464 natoa.isanoa_np = np;
465
466 switch (addrtypeof(ip))
467 {
468 case AF_INET:
469 ip_len = sizeof(ip->u.v4.sin_addr.s_addr);
470 memcpy(ip_val, &ip->u.v4.sin_addr.s_addr, ip_len);
471 natoa.isanoa_idtype = ID_IPV4_ADDR;
472 break;
473 case AF_INET6:
474 ip_len = sizeof(ip->u.v6.sin6_addr.s6_addr);
475 memcpy(ip_val, &ip->u.v6.sin6_addr.s6_addr, ip_len);
476 natoa.isanoa_idtype = ID_IPV6_ADDR;
477 break;
478 default:
479 loglog(RC_LOG_SERIOUS, "NAT-Traversal: "
480 "invalid addrtypeof()=%d", addrtypeof(ip));
481 return FALSE;
482 }
483
484 if (!out_struct(&natoa, &isakmp_nat_oa, outs, &pbs))
485 return FALSE;
486
487 if (!out_raw(ip_val, ip_len, &pbs, "NAT-OA"))
488 return FALSE;
489
490 DBG(DBG_NATT,
491 DBG_dump("NAT-OA (S):", ip_val, ip_len)
492 )
493
494 close_output_pbs(&pbs);
495 return TRUE;
496 }
497
498 void nat_traversal_show_result (u_int32_t nt, u_int16_t sport)
499 {
500 const char *mth = NULL, *rslt = NULL;
501
502 switch (nt & NAT_TRAVERSAL_METHOD)
503 {
504 case LELEM(NAT_TRAVERSAL_IETF_00_01):
505 mth = natt_type_bitnames[0];
506 break;
507 case LELEM(NAT_TRAVERSAL_IETF_02_03):
508 mth = natt_type_bitnames[1];
509 break;
510 case LELEM(NAT_TRAVERSAL_RFC):
511 mth = natt_type_bitnames[2];
512 break;
513 }
514
515 switch (nt & NAT_T_DETECTED)
516 {
517 case 0:
518 rslt = "no NAT detected";
519 break;
520 case LELEM(NAT_TRAVERSAL_NAT_BHND_ME):
521 rslt = "i am NATed";
522 break;
523 case LELEM(NAT_TRAVERSAL_NAT_BHND_PEER):
524 rslt = "peer is NATed";
525 break;
526 case LELEM(NAT_TRAVERSAL_NAT_BHND_ME) | LELEM(NAT_TRAVERSAL_NAT_BHND_PEER):
527 rslt = "both are NATed";
528 break;
529 }
530
531 loglog(RC_LOG_SERIOUS,
532 "NAT-Traversal: Result using %s: %s",
533 mth ? mth : "unknown method",
534 rslt ? rslt : "unknown result"
535 );
536
537 if ((nt & LELEM(NAT_TRAVERSAL_NAT_BHND_PEER))
538 && (sport == IKE_UDP_PORT)
539 && ((nt & NAT_T_WITH_PORT_FLOATING)==0))
540 {
541 loglog(RC_LOG_SERIOUS,
542 "Warning: peer is NATed but source port is still udp/%d. "
543 "Ipsec-passthrough NAT device suspected -- NAT-T may not work.",
544 IKE_UDP_PORT
545 );
546 }
547 }
548
549 int nat_traversal_espinudp_socket (int sk, u_int32_t type)
550 {
551 int r = setsockopt(sk, SOL_UDP, UDP_ESPINUDP, &type, sizeof(type));
552
553 if (r < 0 && errno == ENOPROTOOPT)
554 {
555 loglog(RC_LOG_SERIOUS,
556 "NAT-Traversal: ESPINUDP(%d) not supported by kernel -- "
557 "NAT-T disabled", type);
558 disable_nat_traversal(type);
559 }
560 return r;
561 }
562
563 void nat_traversal_new_ka_event (void)
564 {
565 if (_ka_evt)
566 return; /* event already scheduled */
567
568 event_schedule(EVENT_NAT_T_KEEPALIVE, _kap, NULL);
569 _ka_evt = 1;
570 }
571
572 static void nat_traversal_send_ka (struct state *st)
573 {
574 static unsigned char ka_payload = 0xff;
575 chunk_t sav;
576
577 DBG(DBG_NATT,
578 DBG_log("ka_event: send NAT-KA to %s:%d",
579 ip_str(&st->st_connection->spd.that.host_addr),
580 st->st_connection->spd.that.host_port);
581 )
582
583 /* save state chunk */
584 sav = st->st_tpacket;
585
586 /* send keep alive */
587 st->st_tpacket = chunk_create(&ka_payload, 1);
588 send_packet(st, "NAT-T Keep Alive");
589
590 /* restore state chunk */
591 st->st_tpacket = sav;
592 }
593
594 /**
595 * Find ISAKMP States with NAT-T and send keep-alive
596 */
597 static void nat_traversal_ka_event_state (struct state *st, void *data)
598 {
599 unsigned int *_kap_st = (unsigned int *)data;
600 const struct connection *c = st->st_connection;
601
602 if (!c)
603 return;
604
605 if ((st->st_state == STATE_MAIN_R3 || st->st_state == STATE_MAIN_I4)
606 && (st->nat_traversal & NAT_T_DETECTED)
607 && ((st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME)) || _force_ka))
608 {
609 /*
610 * - ISAKMP established
611 * - NAT-Traversal detected
612 * - NAT-KeepAlive needed (we are NATed)
613 */
614 if (c->newest_isakmp_sa != st->st_serialno)
615 {
616 /*
617 * if newest is also valid, ignore this one, we will only use
618 * newest.
619 */
620 struct state *st_newest;
621
622 st_newest = state_with_serialno(c->newest_isakmp_sa);
623 if (st_newest
624 && (st_newest->st_state == STATE_MAIN_R3 || st_newest->st_state == STATE_MAIN_I4)
625 && (st_newest->nat_traversal & NAT_T_DETECTED)
626 && ((st_newest->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME)) || _force_ka))
627 {
628 return;
629 }
630 }
631 set_cur_state(st);
632 nat_traversal_send_ka(st);
633 reset_cur_state();
634 (*_kap_st)++;
635 }
636 }
637
638 void nat_traversal_ka_event (void)
639 {
640 unsigned int _kap_st = 0;
641
642 _ka_evt = 0; /* ready to be reschedule */
643
644 for_each_state((void *)nat_traversal_ka_event_state, &_kap_st);
645
646 /* if there are still states who needs Keep-Alive, schedule new event */
647 if (_kap_st)
648 nat_traversal_new_ka_event();
649 }
650
651 struct _new_mapp_nfo {
652 ip_address addr;
653 u_int16_t sport, dport;
654 };
655
656 static void nat_traversal_find_new_mapp_state (struct state *st, void *data)
657 {
658 struct connection *c = st->st_connection;
659 struct _new_mapp_nfo *nfo = (struct _new_mapp_nfo *)data;
660
661 if (c != NULL
662 && sameaddr(&c->spd.that.host_addr, &(nfo->addr))
663 && c->spd.that.host_port == nfo->sport)
664 {
665
666 /* change host port */
667 c->spd.that.host_port = nfo->dport;
668
669 if (IS_IPSEC_SA_ESTABLISHED(st->st_state)
670 || IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state))
671 {
672 if (!update_ipsec_sa(st))
673 {
674 /*
675 * If ipsec update failed, restore old port or we'll
676 * not be able to update anymore.
677 */
678 c->spd.that.host_port = nfo->sport;
679 }
680 }
681 }
682 }
683
684 static int nat_traversal_new_mapping(const ip_address *src, u_int16_t sport,
685 const ip_address *dst, u_int16_t dport)
686 {
687 char srca[ADDRTOT_BUF], dsta[ADDRTOT_BUF];
688 struct _new_mapp_nfo nfo;
689
690 addrtot(src, 0, srca, ADDRTOT_BUF);
691 addrtot(dst, 0, dsta, ADDRTOT_BUF);
692
693 if (!sameaddr(src, dst))
694 {
695 loglog(RC_LOG_SERIOUS, "nat_traversal_new_mapping: "
696 "address change currently not supported [%s:%d,%s:%d]",
697 srca, sport, dsta, dport);
698 return -1;
699 }
700
701 if (sport == dport)
702 {
703 /* no change */
704 return 0;
705 }
706
707 DBG_log("NAT-T: new mapping %s:%d/%d)", srca, sport, dport);
708
709 nfo.addr = *src;
710 nfo.sport = sport;
711 nfo.dport = dport;
712
713 for_each_state((void *)nat_traversal_find_new_mapp_state, &nfo);
714
715 return 0;
716 }
717
718 void nat_traversal_change_port_lookup(struct msg_digest *md, struct state *st)
719 {
720 struct connection *c = st ? st->st_connection : NULL;
721 struct iface *i = NULL;
722
723 if ((st == NULL) || (c == NULL))
724 return;
725
726 if (md)
727 {
728 /*
729 * If source port has changed, update (including other states and
730 * established kernel SA)
731 */
732 if (c->spd.that.host_port != md->sender_port)
733 {
734 nat_traversal_new_mapping(&c->spd.that.host_addr, c->spd.that.host_port,
735 &c->spd.that.host_addr, md->sender_port);
736 }
737
738 /*
739 * If interface type has changed, update local port (500/4500)
740 */
741 if ((c->spd.this.host_port == NAT_T_IKE_FLOAT_PORT && !md->iface->ike_float)
742 || (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT && md->iface->ike_float))
743 {
744 c->spd.this.host_port = (md->iface->ike_float)
745 ? NAT_T_IKE_FLOAT_PORT : pluto_port;
746
747 DBG(DBG_NATT,
748 DBG_log("NAT-T: updating local port to %d", c->spd.this.host_port);
749 );
750 }
751 }
752
753 /*
754 * If we're initiator and NAT-T (with port floating) is detected, we
755 * need to change port (MAIN_I3 or QUICK_I1)
756 */
757 if ((st->st_state == STATE_MAIN_I3 || st->st_state == STATE_QUICK_I1)
758 && (st->nat_traversal & NAT_T_WITH_PORT_FLOATING)
759 && (st->nat_traversal & NAT_T_DETECTED)
760 && (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT))
761 {
762 DBG(DBG_NATT,
763 DBG_log("NAT-T: floating to port %d", NAT_T_IKE_FLOAT_PORT);
764 )
765 c->spd.this.host_port = NAT_T_IKE_FLOAT_PORT;
766 c->spd.that.host_port = NAT_T_IKE_FLOAT_PORT;
767 /*
768 * Also update pending connections or they will be deleted if uniqueids
769 * option is set.
770 */
771 update_pending(st, st);
772 }
773
774 /*
775 * Find valid interface according to local port (500/4500)
776 */
777 if ((c->spd.this.host_port == NAT_T_IKE_FLOAT_PORT && !c->interface->ike_float)
778 || (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT && c->interface->ike_float))
779 {
780 for (i = interfaces; i != NULL; i = i->next)
781 {
782 if (sameaddr(&c->interface->addr, &i->addr)
783 && i->ike_float != c->interface->ike_float)
784 {
785 DBG(DBG_NATT,
786 DBG_log("NAT-T: using interface %s:%d", i->rname,
787 i->ike_float ? NAT_T_IKE_FLOAT_PORT : pluto_port);
788 )
789 c->interface = i;
790 break;
791 }
792 }
793 }
794 }
795
796 struct _new_klips_mapp_nfo {
797 struct sadb_sa *sa;
798 ip_address src, dst;
799 u_int16_t sport, dport;
800 };
801
802 static void nat_t_new_klips_mapp (struct state *st, void *data)
803 {
804 struct connection *c = st->st_connection;
805 struct _new_klips_mapp_nfo *nfo = (struct _new_klips_mapp_nfo *)data;
806
807 if (c != NULL && st->st_esp.present
808 && sameaddr(&c->spd.that.host_addr, &(nfo->src))
809 && st->st_esp.our_spi == nfo->sa->sadb_sa_spi)
810 {
811 nat_traversal_new_mapping(&c->spd.that.host_addr, c->spd.that.host_port,
812 &(nfo->dst), nfo->dport);
813 }
814 }
815
816 void process_pfkey_nat_t_new_mapping(
817 struct sadb_msg *msg __attribute__ ((unused)),
818 struct sadb_ext *extensions[SADB_EXT_MAX + 1])
819 {
820 struct _new_klips_mapp_nfo nfo;
821 struct sadb_address *srcx = (void *) extensions[SADB_EXT_ADDRESS_SRC];
822 struct sadb_address *dstx = (void *) extensions[SADB_EXT_ADDRESS_DST];
823 struct sockaddr *srca, *dsta;
824 err_t ugh = NULL;
825
826 nfo.sa = (void *) extensions[SADB_EXT_SA];
827
828 if (!nfo.sa || !srcx || !dstx)
829 {
830 plog("SADB_X_NAT_T_NEW_MAPPING message from KLIPS malformed: "
831 "got NULL params");
832 return;
833 }
834
835 srca = ((struct sockaddr *)(void *)&srcx[1]);
836 dsta = ((struct sockaddr *)(void *)&dstx[1]);
837
838 if (srca->sa_family != AF_INET || dsta->sa_family != AF_INET)
839 {
840 ugh = "only AF_INET supported";
841 }
842 else
843 {
844 char text_said[SATOT_BUF];
845 char _srca[ADDRTOT_BUF], _dsta[ADDRTOT_BUF];
846 ip_said said;
847
848 initaddr((const void *) &((const struct sockaddr_in *)srca)->sin_addr,
849 sizeof(((const struct sockaddr_in *)srca)->sin_addr),
850 srca->sa_family, &(nfo.src));
851 nfo.sport = ntohs(((const struct sockaddr_in *)srca)->sin_port);
852 initaddr((const void *) &((const struct sockaddr_in *)dsta)->sin_addr,
853 sizeof(((const struct sockaddr_in *)dsta)->sin_addr),
854 dsta->sa_family, &(nfo.dst));
855 nfo.dport = ntohs(((const struct sockaddr_in *)dsta)->sin_port);
856
857 DBG(DBG_NATT,
858 initsaid(&nfo.src, nfo.sa->sadb_sa_spi, SA_ESP, &said);
859 satot(&said, 0, text_said, SATOT_BUF);
860 addrtot(&nfo.src, 0, _srca, ADDRTOT_BUF);
861 addrtot(&nfo.dst, 0, _dsta, ADDRTOT_BUF);
862 DBG_log("new klips mapping %s %s:%d %s:%d",
863 text_said, _srca, nfo.sport, _dsta, nfo.dport);
864 )
865
866 for_each_state((void *)nat_t_new_klips_mapp, &nfo);
867 }
868
869 if (ugh != NULL)
870 plog("SADB_X_NAT_T_NEW_MAPPING message from KLIPS malformed: %s", ugh);
871 }
872