X-Git-Url: https://git.saurik.com/apple/ipsec.git/blobdiff_plain/d1e348cfd503b08e7d34b7683d23aae209af0a71..7685aad60c1b188a3f84904e9b609a7438e833c9:/ipsec-tools/racoon/nattraversal.c diff --git a/ipsec-tools/racoon/nattraversal.c b/ipsec-tools/racoon/nattraversal.c index 4bd1f1f..b04ccfb 100644 --- a/ipsec-tools/racoon/nattraversal.c +++ b/ipsec-tools/racoon/nattraversal.c @@ -33,12 +33,7 @@ #include #include -#ifdef __linux__ -#include -#endif -#if defined(__NetBSD__) || defined (__FreeBSD__) #include -#endif #include #include @@ -68,15 +63,13 @@ #include "ike_session.h" struct natt_ka_addrs { - struct sockaddr *src; - struct sockaddr *dst; + struct sockaddr_storage *src; + struct sockaddr_storage *dst; unsigned in_use; TAILQ_ENTRY(natt_ka_addrs) chain; }; -static TAILQ_HEAD(_natt_ka_addrs, natt_ka_addrs) ka_tree; - /* * check if the given vid is NAT-T. */ @@ -121,7 +114,7 @@ natt_vendorid (int vid) } vchar_t * -natt_hash_addr (struct ph1handle *iph1, struct sockaddr *addr) +natt_hash_addr (phase1_handle_t *iph1, struct sockaddr_storage *addr) { vchar_t *natd; vchar_t *buf; 
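Review bot: In the hunk at line 63, `struct natt_ka_addrs` is retyped to hold `struct sockaddr_storage *` members while `ka_tree`, its only visible user, is deleted, and the last hunk of this diff removes natt_keepalive_send/add/add_ph1/remove — every function that touched the struct — so nothing left in this translation unit references it. Since the struct is defined in the .c file it is not visible elsewhere, so it should go with the keepalive code; if it is kept on purpose, a one-line comment such as `/* unused since keepalive handling moved: <placeholder: where> */` above it would tell a reader why an orphaned list-node type survives. Retyping the members of a type that is being orphaned looks like leftover from a mechanical sockaddr → sockaddr_storage pass.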
@@ -129,22 +122,24 @@ natt_hash_addr (struct ph1handle *iph1, struct sockaddr *addr) void *addr_ptr, *addr_port; size_t buf_size, addr_size; - plog (LLV_INFO, LOCATION, addr, "Hashing %s with algo #%d %s\n", - saddr2str(addr), iph1->approval->hashtype, - (iph1->rmconf->nat_traversal == NATT_FORCE)?"(NAT-T forced)":""); + if (iph1->approval) { + plog(ASL_LEVEL_NOTICE, "Hashing %s with algo #%d %s\n", + saddr2str((struct sockaddr *)addr), iph1->approval->hashtype, + (iph1->rmconf->nat_traversal == NATT_FORCE)?"(NAT-T forced)":""); + } - if (addr->sa_family == AF_INET) { + if (addr->ss_family == AF_INET) { addr_size = sizeof (struct in_addr); /* IPv4 address */ addr_ptr = &((struct sockaddr_in *)addr)->sin_addr; addr_port = &((struct sockaddr_in *)addr)->sin_port; } - else if (addr->sa_family == AF_INET6) { + else if (addr->ss_family == AF_INET6) { addr_size = sizeof (struct in6_addr); /* IPv6 address */ addr_ptr = &((struct sockaddr_in6 *)addr)->sin6_addr; addr_port = &((struct sockaddr_in6 *)addr)->sin6_port; } else { - plog (LLV_ERROR, LOCATION, addr, "Unsupported address family #0x%x\n", addr->sa_family); + plog(ASL_LEVEL_ERR, "Unsupported address family #0x%x\n", addr->ss_family); return NULL; } @@ -181,7 +176,7 @@ natt_hash_addr (struct ph1handle *iph1, struct sockaddr *addr) } int -natt_compare_addr_hash (struct ph1handle *iph1, vchar_t *natd_received, +natt_compare_addr_hash (phase1_handle_t *iph1, vchar_t *natd_received, int natd_seq) { vchar_t *natd_computed; @@ -191,7 +186,6 @@ natt_compare_addr_hash (struct ph1handle *iph1, vchar_t *natd_received, if (iph1->rmconf->nat_traversal == NATT_FORCE) return verified; -#ifdef __APPLE__ /* old APPLE version sends natd payload in the wrong order */ if (iph1->natt_options->version == VENDORID_NATT_APPLE) { if (natd_seq == 0) { 
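Review bot: The new `if (iph1->approval)` guard in natt_hash_addr only skips the log line; the message itself takes the algorithm from `iph1->approval->hashtype`, and the digest computation that follows lies outside this hunk, so if it reads approval there (as the log text suggests) the NULL case the guard anticipates will crash a few lines later instead of being handled. If approval can genuinely be NULL here, fail early — `if (!iph1->approval) { plog(ASL_LEVEL_ERR, "no approved proposal for NAT-D hash\n"); return NULL; }` — and drop the guard around the log; if it cannot, the guard is misleading and a comment saying why approval is only checked for logging is the better fix. natt_hash_addr continues past the end of this hunk.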
@@ -203,7 +197,6 @@ natt_compare_addr_hash (struct ph1handle *iph1, vchar_t *natd_received, flag = NAT_DETECTED_ME; } } else -#endif { if (natd_seq == 0) { natd_computed = natt_hash_addr (iph1, iph1->local); @@ -247,18 +240,6 @@ natt_fill_options (struct ph1natt_options *opts, int version) opts->version = version; switch (version) { -#ifndef __APPLE__ - case VENDORID_NATT_00: - case VENDORID_NATT_01: - opts->float_port = 0; /* No port floating for those drafts */ - opts->payload_nat_d = ISAKMP_NPTYPE_NATD_DRAFT; - opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_DRAFT; - opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT; - opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT; - opts->encaps_type = UDP_ENCAP_ESPINUDP_NON_IKE; - break; -#endif - case VENDORID_NATT_02: case VENDORID_NATT_02_N: case VENDORID_NATT_03: @@ -274,7 +255,6 @@ natt_fill_options (struct ph1natt_options *opts, int version) case VENDORID_NATT_06: case VENDORID_NATT_07: case VENDORID_NATT_08: -#ifdef __APPLE__ case VENDORID_NATT_APPLE: opts->float_port = lcconf->port_isakmp_natt; opts->payload_nat_d = ISAKMP_NPTYPE_NATD_BADDRAFT; @@ -283,7 +263,6 @@ natt_fill_options (struct ph1natt_options *opts, int version) opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC; opts->encaps_type = UDP_ENCAP_ESPINUDP; break; -#endif case VENDORID_NATT_RFC: opts->float_port = lcconf->port_isakmp_natt; opts->payload_nat_d = ISAKMP_NPTYPE_NATD_RFC; @@ -293,7 +272,7 @@ natt_fill_options (struct ph1natt_options *opts, int version) opts->encaps_type = UDP_ENCAP_ESPINUDP; break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unsupported NAT-T version: %s\n", vid_string_by_id(version)); return -1; 
@@ -305,14 +284,14 @@ natt_fill_options (struct ph1natt_options *opts, int version) } int -create_natoa_payloads(struct ph2handle *iph2, vchar_t **natoa_i, vchar_t **natoa_r) +create_natoa_payloads(phase2_handle_t *iph2, vchar_t **natoa_i, vchar_t **natoa_r) { int natoa_type = 0; vchar_t *i; vchar_t *r; u_int8_t *p; - struct sockaddr *i_addr; - struct sockaddr *r_addr; + struct sockaddr_storage *i_addr; + struct sockaddr_storage *r_addr; size_t i_size; size_t r_size; @@ -336,7 +315,7 @@ create_natoa_payloads(struct ph2handle *iph2, vchar_t **natoa_i, vchar_t **natoa r_addr = iph2->src; } - switch (i_addr->sa_family) { + switch (i_addr->ss_family) { case AF_INET: i_size = sizeof(in_addr_t); break; @@ -346,12 +325,12 @@ create_natoa_payloads(struct ph2handle *iph2, vchar_t **natoa_i, vchar_t **natoa break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid address family: %d\n", i_addr->sa_family); + plog(ASL_LEVEL_ERR, + "invalid address family: %d\n", i_addr->ss_family); return -1; } - switch (r_addr->sa_family) { + switch (r_addr->ss_family) { case AF_INET: r_size = sizeof(in_addr_t); break; @@ -361,21 +340,21 @@ create_natoa_payloads(struct ph2handle *iph2, vchar_t **natoa_i, vchar_t **natoa break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid address family: %d\n", r_addr->sa_family); + plog(ASL_LEVEL_ERR, + "invalid address family: %d\n", r_addr->ss_family); return -1; } i = vmalloc(sizeof(struct isakmp_pl_natoa) + i_size - sizeof(struct isakmp_gen)); if (i == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer for natoa payload.\n"); return -1; } r = vmalloc(sizeof(struct isakmp_pl_natoa) + r_size - sizeof(struct isakmp_gen)); if (r == NULL) { vfree(i); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer for natoa payload.\n"); return -1; } 
@@ -383,7 +362,7 @@ create_natoa_payloads(struct ph2handle *iph2, vchar_t **natoa_i, vchar_t **natoa /* copy src address */ p = (__typeof__(p))i->v; - switch (i_addr->sa_family) { + switch (i_addr->ss_family) { case AF_INET: *p = IPSECDOI_ID_IPV4_ADDR; bcopy(&(((struct sockaddr_in *)i_addr)->sin_addr.s_addr), p + sizeof(u_int32_t), i_size); @@ -399,7 +378,7 @@ create_natoa_payloads(struct ph2handle *iph2, vchar_t **natoa_i, vchar_t **natoa /* copy dst address */ p = (__typeof__(p))r->v; - switch (r_addr->sa_family) { + switch (r_addr->ss_family) { case AF_INET: *p = IPSECDOI_ID_IPV4_ADDR; bcopy(&(((struct sockaddr_in *)r_addr)->sin_addr.s_addr), p + sizeof(u_int32_t), r_size); @@ -417,22 +396,22 @@ create_natoa_payloads(struct ph2handle *iph2, vchar_t **natoa_i, vchar_t **natoa return natoa_type; } -struct sockaddr * +struct sockaddr_storage * process_natoa_payload(vchar_t *buf) { - struct sockaddr *saddr = NULL; - struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *)buf->v; + struct sockaddr_storage *saddr = NULL; + struct ipsecdoi_id_b *id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)buf->v; switch (id_b->type) { case IPSECDOI_ID_IPV4_ADDR: saddr = racoon_malloc(sizeof(struct sockaddr_in)); if (!saddr) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "error allocating addr for NAT-OA payload\n"); return NULL; } - saddr->sa_len = sizeof(struct sockaddr_in); - saddr->sa_family = AF_INET; + saddr->ss_len = sizeof(struct sockaddr_in); + saddr->ss_family = AF_INET; ((struct sockaddr_in *)saddr)->sin_port = IPSEC_PORT_ANY; memcpy(&((struct sockaddr_in *)saddr)->sin_addr, buf->v + sizeof(*id_b), sizeof(struct in_addr)); 
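Review bot: process_natoa_payload now returns `struct sockaddr_storage *`, but the IPv4 branch still allocates only `sizeof(struct sockaddr_in)` (the IPv6 branch in the next hunk likewise allocates `sizeof(struct sockaddr_in6)`), so the returned pointer promises a full sockaddr_storage backed by a smaller object, and any caller that copies or zeroes `*saddr` as a sockaddr_storage over-reads the allocation. Allocate `sizeof(*saddr)` in both branches (or keep the return type as `struct sockaddr *`) so the type and the allocation agree; the `ss_len` assignments can stay as they are. Separately, `id_b->type` and the `sizeof(struct in_addr)` copy at `buf->v + sizeof(*id_b)` are read without comparing against `buf->l`; unless the caller already validates the payload length, check `if (buf->l < sizeof(*id_b)) { plog(ASL_LEVEL_ERR, "NAT-OA payload too short\n"); return NULL; }` before the switch and the per-family address size inside each case. The function continues past the end of this hunk.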
@@ -441,19 +420,19 @@ process_natoa_payload(vchar_t *buf) case IPSECDOI_ID_IPV6_ADDR: saddr = racoon_malloc(sizeof(struct sockaddr_in6)); if (!saddr) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "error allocating addr for NAT-OA payload\n"); return NULL; } - saddr->sa_len = sizeof(struct sockaddr_in6); - saddr->sa_family = AF_INET6; + saddr->ss_len = sizeof(struct sockaddr_in6); + saddr->ss_family = AF_INET6; ((struct sockaddr_in6 *)saddr)->sin6_port = IPSEC_PORT_ANY; memcpy(&((struct sockaddr_in6 *)saddr)->sin6_addr, buf->v + sizeof(*id_b), sizeof(struct in6_addr)); break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid NAT-OA payload %d\n", id_b->type); return NULL; } @@ -461,16 +440,13 @@ process_natoa_payload(vchar_t *buf) } void -natt_float_ports (struct ph1handle *iph1) +natt_float_ports (phase1_handle_t *iph1) { - if (! (iph1->natt_flags && NAT_DETECTED) ) + if (! (iph1->natt_flags & NAT_DETECTED) ) return; if (! iph1->natt_options->float_port){ /* Drafts 00 / 01, just schedule keepalive */ -#ifndef __APPLE__ - natt_keepalive_add_ph1 (iph1); -#endif return; } 
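Review bot: With the `natt_keepalive_add_ph1` call deleted, the `/* Drafts 00 / 01, just schedule keepalive */` comment above the early return in natt_float_ports describes something the branch no longer does; it now only returns. Replace it with `/* Drafts 00 / 01: no port floating, nothing to do here */`, and if keepalive scheduling is still expected from somewhere else, name that place in the comment. Since natt_fill_options earlier in this diff no longer has NATT_00/01 cases, it is also worth confirming whether `float_port == 0` is still reachable at all rather than keeping the draft reference. natt_float_ports continues past this hunk.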
@@ -486,156 +462,34 @@ natt_float_ports (struct ph1handle *iph1) set_port (iph1->remote, iph1->natt_options->float_port); iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER; - ike_session_ikev1_float_ports(iph1); - -#ifndef __APPLE__ - natt_keepalive_add_ph1 (iph1); -#endif + if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) + ike_session_ikev1_float_ports(iph1); } void -natt_handle_vendorid (struct ph1handle *iph1, int vid_numeric) +natt_handle_vendorid (phase1_handle_t *iph1, int vid_numeric) { + int version; + if (! iph1->natt_options) iph1->natt_options = racoon_calloc (1, sizeof (*iph1->natt_options)); if (! iph1->natt_options) { - plog (LLV_ERROR, LOCATION, NULL, + plog (ASL_LEVEL_ERR, "Allocating memory for natt_options failed!\n"); return; } - - if (iph1->natt_options->version < vid_numeric) - if (natt_fill_options (iph1->natt_options, vid_numeric) == 0) - iph1->natt_flags |= NAT_ANNOUNCED; -} -#ifndef __APPLE__ -/* NAT keepalive functions */ -static void -natt_keepalive_send (void *param) -{ - struct natt_ka_addrs *ka, *next = NULL; - char keepalive_packet[] = { 0xff }; - size_t len; - int s; - - for (ka = TAILQ_FIRST(&ka_tree); ka; ka = next) { - next = TAILQ_NEXT(ka, chain); - - s = getsockmyaddr(ka->src); - if (s == -1) { - TAILQ_REMOVE (&ka_tree, ka, chain); - racoon_free (ka); - continue; - } - plog (LLV_DEBUG, LOCATION, NULL, "KA: %s\n", - saddr2str_fromto("%s->%s", ka->src, ka->dst)); - len = sendfromto(s, keepalive_packet, sizeof (keepalive_packet), - ka->src, ka->dst, 1); - if (len == -1) - plog(LLV_ERROR, LOCATION, NULL, "KA: sendfromto failed: %s\n", - strerror (errno)); + // stick to the version we already selected on a previous phase1 + version = ike_session_get_natt_version(iph1); + if (version) { + vid_numeric = version; } - - sched_new (lcconf->natt_ka_interval, natt_keepalive_send, NULL); -} -void -natt_keepalive_init (void) -{ - TAILQ_INIT(&ka_tree); - - /* To disable sending KAs set natt_ka_interval=0 */ - if 
(lcconf->natt_ka_interval > 0) - sched_new (lcconf->natt_ka_interval, natt_keepalive_send, NULL); -} - -int -natt_keepalive_add (struct sockaddr *src, struct sockaddr *dst) -{ - struct natt_ka_addrs *ka = NULL, *new_addr; - - TAILQ_FOREACH (ka, &ka_tree, chain) { - if (cmpsaddrstrict(ka->src, src) == 0 && - cmpsaddrstrict(ka->dst, dst) == 0) { - ka->in_use++; - plog (LLV_INFO, LOCATION, NULL, "KA found: %s (in_use=%u)\n", - saddr2str_fromto("%s->%s", src, dst), ka->in_use); - return 0; - } - } - - plog (LLV_INFO, LOCATION, NULL, "KA list add: %s\n", saddr2str_fromto("%s->%s", src, dst)); - - new_addr = (struct natt_ka_addrs *)racoon_malloc(sizeof(*new_addr)); - if (! new_addr) { - plog (LLV_ERROR, LOCATION, NULL, "Can't allocate new KA list item\n"); - return -1; - } - - if ((new_addr->src = dupsaddr(src)) == NULL) { - racoon_free(new_addr); - plog (LLV_ERROR, LOCATION, NULL, "Can't allocate new KA list item\n"); - return -1; - } - if ((new_addr->dst = dupsaddr(dst)) == NULL) { - racoon_free(new_addr); - plog (LLV_ERROR, LOCATION, NULL, "Can't allocate new KA list item\n"); - return -1; - } - new_addr->in_use = 1; - TAILQ_INSERT_TAIL(&ka_tree, new_addr, chain); - - return 0; -} - -int -natt_keepalive_add_ph1 (struct ph1handle *iph1) -{ - int ret = 0; - - /* Should only the NATed host send keepalives? - If yes, add '(iph1->natt_flags & NAT_DETECTED_ME)' - to the following condition. */ - if (iph1->natt_flags & NAT_DETECTED && - ! 
(iph1->natt_flags & NAT_KA_QUEUED)) { - ret = natt_keepalive_add (iph1->local, iph1->remote); - if (ret == 0) - iph1->natt_flags |= NAT_KA_QUEUED; - } - - return ret; -} - -void -natt_keepalive_remove (struct sockaddr *src, struct sockaddr *dst) -{ - struct natt_ka_addrs *ka, *next = NULL; - - plog (LLV_INFO, LOCATION, NULL, "KA remove: %s\n", saddr2str_fromto("%s->%s", src, dst)); - - for (ka = TAILQ_FIRST(&ka_tree); ka; ka = next) { - next = TAILQ_NEXT(ka, chain); - - plog (LLV_DEBUG, LOCATION, NULL, "KA tree dump: %s (in_use=%u)\n", - saddr2str_fromto("%s->%s", src, dst), ka->in_use); - - if (cmpsaddrstrict(ka->src, src) == 0 && - cmpsaddrstrict(ka->dst, dst) == 0 && - -- ka->in_use <= 0) { - - plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n"); - - TAILQ_REMOVE (&ka_tree, ka, chain); - racoon_free (ka); - /* Should we break here? Every pair of addresses should - be inserted only once, but who knows :-) Lets traverse - the whole list... */ - } - } + if (iph1->natt_options->version < vid_numeric) + if (natt_fill_options (iph1->natt_options, vid_numeric) == 0) + iph1->natt_flags |= NAT_ANNOUNCED; } -#endif /* __APPLE__ */ static struct remoteconf * natt_enabled_in_rmconf_stub (struct remoteconf *rmconf, void *data)
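Review bot: The new IKEv1-only guard around `ike_session_ikev1_float_ports(iph1)` is unexplained: the `set_port` calls on both addresses and the `NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER` flags are applied for every `iph1->version`, so a reader cannot tell whether a non-IKEv1 handle is expected here and the session is deliberately left unnotified, or whether that case is unreachable. A comment stating which it is, e.g. `/* only IKEv1 sessions track floated ports at the session level */`, or an assertion on the version, would settle it; the start of natt_float_ports lies before this hunk. In natt_handle_vendorid the `// stick to the version we already selected on a previous phase1` comment uses `//` where the rest of this diff uses `/* */`; match the surrounding style. That comment should also say that once `ike_session_get_natt_version` returns non-zero the peer's announced VID is ignored for this phase 1, since that is the behavioural consequence of overriding `vid_numeric`.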