author | Andreas Steffen <andreas.steffen@strongswan.org> | 2006-07-07 05:50:02 +0000 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2006-07-07 05:50:02 +0000 |
commit | dc33fee770b7b44eadaf0e9a1eabc3ba94b87d7f (patch) | |
tree | 4424b5bb89bebbb48d02965944a1ec1a0eafb4d4 /src | |
parent | ad3dab05200bd088aa25c2be8b7db07de2228b0b (diff) | |
download | strongswan-dc33fee770b7b44eadaf0e9a1eabc3ba94b87d7f.tar.bz2 strongswan-dc33fee770b7b44eadaf0e9a1eabc3ba94b87d7f.tar.xz |
removed NAT_TRAVERSAL and VIRTUAL_IP compile options
Diffstat (limited to 'src')
-rw-r--r-- | src/pluto/Makefile.am | 2 | ||||
-rw-r--r-- | src/pluto/connections.c | 109 | ||||
-rw-r--r-- | src/pluto/connections.h | 19 | ||||
-rw-r--r-- | src/pluto/demux.c | 102 | ||||
-rw-r--r-- | src/pluto/demux.h | 7 | ||||
-rw-r--r-- | src/pluto/ipsec_doi.c | 107 | ||||
-rw-r--r-- | src/pluto/kernel.c | 140 | ||||
-rw-r--r-- | src/pluto/kernel.h | 6 | ||||
-rw-r--r-- | src/pluto/kernel_netlink.c | 2 | ||||
-rw-r--r-- | src/pluto/kernel_pfkey.c | 18 | ||||
-rw-r--r-- | src/pluto/keys.c | 18 | ||||
-rw-r--r-- | src/pluto/nat_traversal.c | 9 | ||||
-rw-r--r-- | src/pluto/plutomain.c | 31 | ||||
-rw-r--r-- | src/pluto/rcv_whack.c | 40 | ||||
-rw-r--r-- | src/pluto/server.c | 21 | ||||
-rw-r--r-- | src/pluto/server.h | 2 | ||||
-rw-r--r-- | src/pluto/spdb.c | 25 | ||||
-rw-r--r-- | src/pluto/state.h | 6 | ||||
-rw-r--r-- | src/pluto/timer.c | 5 | ||||
-rw-r--r-- | src/pluto/vendor.c | 7 | ||||
-rw-r--r-- | src/pluto/virtual.c | 4 |
21 files changed, 198 insertions, 482 deletions
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am index fb07bb89e..825b98220 100644 --- a/src/pluto/Makefile.am +++ b/src/pluto/Makefile.am @@ -24,7 +24,7 @@ _pluto_adns_SOURCES = adns.c adns.h INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/libcrypto -I$(top_srcdir)/src/whack AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \ --DDEBUG -DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES -DNAT_TRAVERSAL -DVIRTUAL_IP -DPLUTO \ +-DDEBUG -DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO \ -DVENDORID -DSHARED_SECRETS_FILE=\"${confdir}/ipsec.secrets\" -DTHREADS -DKLIPS pluto_LDADD = $(top_srcdir)/src/libfreeswan/libfreeswan.a $(top_srcdir)/src/libcrypto/libcrypto.a -lgmp -lresolv -lpthread _pluto_adns_LDADD = -lresolv $(top_srcdir)/src/libfreeswan/libfreeswan.a diff --git a/src/pluto/connections.c b/src/pluto/connections.c index d565fe629..77fd9bf29 100644 --- a/src/pluto/connections.c +++ b/src/pluto/connections.c @@ -58,13 +58,8 @@ #include "whack.h" #include "alg_info.h" #include "ike_alg.h" -#ifdef NAT_TRAVERSAL #include "nat_traversal.h" -#endif - -#ifdef VIRTUAL_IP #include "virtual.h" -#endif static void flush_pending_by_connection(struct connection *c); /* forward */ @@ -114,8 +109,8 @@ find_host_pair(const ip_address *myaddr, u_int16_t myport if (hisaddr == NULL) hisaddr = aftoinfo(addrtypeof(myaddr))->any; -#ifdef NAT_TRAVERSAL - if (nat_traversal_enabled) { + if (nat_traversal_enabled) + { /** * port is not relevant in host_pair. with nat_traversal we * always use pluto_port (500) @@ -123,7 +118,6 @@ find_host_pair(const ip_address *myaddr, u_int16_t myport myport = pluto_port; hisport = pluto_port; } -#endif for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next) { 
@@ -149,17 +143,17 @@ find_host_pair_connections(const ip_address *myaddr, u_int16_t myport { struct host_pair *hp = find_host_pair(myaddr, myport, hisaddr, hisport); -#ifdef NAT_TRAVERSAL - if (nat_traversal_enabled && hp && hisaddr) { + if (nat_traversal_enabled && hp && hisaddr) + { struct connection *c; - for (c = hp->connections; c != NULL; c = c->hp_next) { - if ((c->spd.this.host_port==myport) && (c->spd.that.host_port==hisport)) + + for (c = hp->connections; c != NULL; c = c->hp_next) + { + if (c->spd.this.host_port == myport && c->spd.that.host_port == hisport) return c; } return NULL; } -#endif - return hp == NULL? NULL : hp->connections; } @@ -177,13 +171,8 @@ connect_to_host_pair(struct connection *c) hp = alloc_thing(struct host_pair, "host_pair"); hp->me.addr = c->spd.this.host_addr; hp->him.addr = c->spd.that.host_addr; -#ifdef NAT_TRAVERSAL hp->me.port = nat_traversal_enabled ? pluto_port : c->spd.this.host_port; hp->him.port = nat_traversal_enabled ? pluto_port : c->spd.that.host_port; -#else - hp->me.port = c->spd.this.host_port; - hp->him.port = c->spd.that.host_port; -#endif hp->initial_connection_sent = FALSE; hp->connections = NULL; hp->pending = NULL; @@ -333,9 +322,8 @@ delete_connection(struct connection *c, bool relations) } } -#ifdef VIRTUAL_IP - if (c->kind != CK_GOING_AWAY) pfreeany(c->spd.that.virt); -#endif + if (c->kind != CK_GOING_AWAY) + pfreeany(c->spd.that.virt); #ifdef DEBUG cur_debugging = old_cur_debugging; @@ -573,12 +561,10 @@ format_end(char *buf client[0] = '\0'; -#ifdef VIRTUAL_IP if (is_virtual_end(this) && isanyaddr(&this->host_addr)) { host = "%virtual"; } -#endif /* [client===] */ if (this->has_client) 
@@ -915,14 +901,14 @@ check_connection_end(const whack_end_t *this, const whack_end_t *that return FALSE; } } -#ifdef VIRTUAL_IP + if (this->virt && (!isanyaddr(&this->host_addr) || this->has_client)) { loglog(RC_CLASH, "virtual IP must only be used with %%any and without client"); return FALSE; } -#endif + return TRUE; /* happy */ } @@ -1125,7 +1111,6 @@ add_connection(const whack_message_t *wm) c->gw_info = NULL; -#ifdef VIRTUAL_IP passert(!(wm->left.virt && wm->right.virt)); if (wm->left.virt || wm->right.virt) { @@ -1135,7 +1120,6 @@ add_connection(const whack_message_t *wm) if (c->spd.that.virt) c->spd.that.has_client = TRUE; } -#endif unshare_connection_strings(c); (void)orient(c); @@ -1220,13 +1204,11 @@ add_group_instance(struct connection *group, const ip_subnet *target) t->spd.reqid = gen_reqid(); -#ifdef VIRTUAL_IP if (t->spd.that.virt) { DBG_log("virtual_ip not supported in group instance"); t->spd.that.virt = NULL; } -#endif /* add to connections list */ t->ac_next = connections; @@ -1268,9 +1250,7 @@ remove_group_instance(const struct connection *group USED_BY_DEBUG */ static struct connection * instantiate(struct connection *c, const ip_address *him -#ifdef NAT_TRAVERSAL , u_int16_t his_port -#endif , const struct id *his_id) { struct connection *d; @@ -1295,9 +1275,9 @@ instantiate(struct connection *c, const ip_address *him passert(oriented(*d)); d->spd.that.host_addr = *him; setportof(htons(c->spd.that.port), &d->spd.that.host_addr); -#ifdef NAT_TRAVERSAL + if (his_port) d->spd.that.host_port = his_port; -#endif + default_end(&d->spd.that, &d->spd.this.host_addr); /* We cannot guess what our next_hop should be, but if it was 
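Review bot: `passert(!(wm->left.virt && wm->right.virt));` in add_connection is now compiled unconditionally, and because passert is fatal it turns a connection definition with virtual IP on both ends into a daemon abort instead of a refused whack message; the per-end validation in check_connection_end only ever sees one end, so nothing rejects that combination before the passert. Since check_connection_end already receives `that`, the cheapest fix is to reject it there alongside the existing `virtual IP must only be used with %%any and without client` case: `if (this->virt && that->virt) { loglog(RC_CLASH, "virtual IP must not be used on both ends"); return FALSE; }`. This assumes add_connection returns early when check_connection_end fails, which the visible lines do not show.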
@@ -1327,23 +1307,11 @@ instantiate(struct connection *c, const ip_address *him } struct connection * -rw_instantiate(struct connection *c -, const ip_address *him -#ifdef NAT_TRAVERSAL -, u_int16_t his_port -#endif -#ifdef VIRTUAL_IP -, const ip_subnet *his_net -#endif -, const struct id *his_id) +rw_instantiate(struct connection *c, const ip_address *him, u_int16_t his_port +, const ip_subnet *his_net, const struct id *his_id) { -#ifdef NAT_TRAVERSAL struct connection *d = instantiate(c, him, his_port, his_id); -#else - struct connection *d = instantiate(c, him, his_id); -#endif -#ifdef VIRTUAL_IP if (d && his_net && is_virtual_connection(c)) { d->spd.that.client = *his_net; @@ -1351,7 +1319,6 @@ rw_instantiate(struct connection *c if (subnetishost(his_net) && addrinsubnet(him, his_net)) d->spd.that.has_client = FALSE; } -#endif if (d->policy & POLICY_OPPO) { @@ -1374,11 +1341,7 @@ oppo_instantiate(struct connection *c , const ip_address *our_client USED_BY_DEBUG , const ip_address *peer_client) { -#ifdef NAT_TRAVERSAL struct connection *d = instantiate(c, him, 0, his_id); -#else - struct connection *d = instantiate(c, him, his_id); -#endif passert(d->spd.next == NULL); @@ -1510,13 +1473,12 @@ fmt_conn_instance(const struct connection *c, char buf[CONN_INST_BUF]) { *p++ = ' '; addrtot(&c->spd.that.host_addr, 0, p, ADDRTOT_BUF); -#ifdef NAT_TRAVERSAL +# if (c->spd.that.host_port != pluto_port) { p += strlen(p); sprintf(p, ":%d", c->spd.that.host_port); } -#endif } } } @@ -1775,9 +1737,9 @@ orient(struct connection *c) */ for (p = interfaces; p != NULL; p = p->next) { -#ifdef NAT_TRAVERSAL - if (p->ike_float) continue; -#endif + if (p->ike_float) + continue; + for (;;) { /* check if this interface matches this end */ 
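Review bot: In fmt_conn_instance the `#ifdef NAT_TRAVERSAL` line was replaced by a bare `+#` line, a null preprocessor directive that compiles but is plainly a leftover; delete it so the block reads `addrtot(&c->spd.that.host_addr, 0, p, ADDRTOT_BUF); if (c->spd.that.host_port != pluto_port) {`. While touching that block, the unbounded `sprintf(p, ":%d", c->spd.that.host_port);` writes up to six bytes into `buf[CONN_INST_BUF]`; it is safe only if CONN_INST_BUF already budgets for the port suffix, which cannot be checked from this hunk, so a bounded `snprintf` with the remaining room would make the invariant explicit. In rw_instantiate the new code tests `d && his_net && ...` but then dereferences `d->policy` unconditionally a few lines later, so the NULL test is either dead or the later access is a latent NULL dereference; instantiate's return contract is outside this view.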
@@ -3083,18 +3045,11 @@ ISAKMP_SA_established(struct connection *c, so_serial_t serial) { struct connection *next = d->ac_next; /* might move underneath us */ -#ifdef NAT_TRAVERSAL if (d->kind >= CK_PERMANENT && same_id(&c->spd.this.id, &d->spd.this.id) && same_id(&c->spd.that.id, &d->spd.that.id) && (!sameaddr(&c->spd.that.host_addr, &d->spd.that.host_addr) || - (c->spd.that.host_port != d->spd.that.host_port))) -#else - if (d->kind >= CK_PERMANENT - && same_id(&c->spd.this.id, &d->spd.this.id) - && same_id(&c->spd.that.id, &d->spd.that.id) - && !sameaddr(&c->spd.that.host_addr, &d->spd.that.host_addr)) -#endif + (c->spd.that.host_port != d->spd.that.host_port))) { release_connection(d, FALSE); } @@ -3418,16 +3373,16 @@ refine_host_connection(const struct state *st, const struct id *peer_id if (d->policy & POLICY_GROUP) continue; -#ifdef NAT_TRAVERSAL if (c->spd.that.host_port != d->spd.that.host_port && d->kind == CK_INSTANCE) + { continue; -#endif + } /* authentication used must fit policy of this connection */ if ((d->policy & auth_policy) == LEMPTY) continue; /* our auth isn't OK for this connection */ - + switch (auth) { case OAKLEY_PRESHARED_KEY: @@ -3490,7 +3445,6 @@ refine_host_connection(const struct state *st, const struct id *peer_id } } -#ifdef VIRTUAL_IP /** * With virtual addressing, we must not allow someone to use an already * used (by another id) addr/net. @@ -3528,7 +3482,6 @@ is_virtual_net_used(const ip_subnet *peer_net, const struct id *peer_id) } return FALSE; /* you can safely use it */ } -#endif /* find_client_connection: given a connection suitable for ISAKMP * (i.e. the hosts match), find a one suitable for IPSEC 
@@ -3646,18 +3599,12 @@ fc_try(const struct connection *c } else { -#ifdef VIRTUAL_IP - if ((!samesubnet(&sr->that.client, peer_net)) && (!is_virtual_connection(d))) -#else - if (!samesubnet(&sr->that.client, peer_net)) -#endif + if (!samesubnet(&sr->that.client, peer_net) && !is_virtual_connection(d)) continue; -#ifdef VIRTUAL_IP if (is_virtual_connection(d) - && ( (!is_virtual_net_allowed(d, peer_net, &c->spd.that.host_addr)) + && (!is_virtual_net_allowed(d, peer_net, &c->spd.that.host_addr) || is_virtual_net_used(peer_net, peer_id?peer_id:&c->spd.that.id))) continue; -#endif } } else @@ -4296,14 +4243,12 @@ update_pending(struct state *os, struct state *ns) { if (p->isakmp_sa == os) p->isakmp_sa = ns; -#ifdef NAT_TRAVERSAL if (p->connection->spd.this.host_port != ns->st_connection->spd.this.host_port) { p->connection->spd.this.host_port = ns->st_connection->spd.this.host_port; p->connection->spd.that.host_port = ns->st_connection->spd.that.host_port; } -#endif - } + } } /* a Main Mode negotiation has failed; discard any pending */ diff --git a/src/pluto/connections.h b/src/pluto/connections.h index fd7abaad0..aab5c84db 100644 --- a/src/pluto/connections.h +++ b/src/pluto/connections.h @@ -126,9 +126,7 @@ typedef unsigned long policy_prio_t; #define POLICY_PRIO_BUF (3+1+3+1) extern void fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF]); -#ifdef VIRTUAL_IP struct virtual_t; -#endif struct end { struct id id; @@ -151,9 +149,7 @@ struct end { chunk_t ca; /* CA distinguished name */ struct ietfAttrList *groups;/* access control groups */ smartcard_t *sc; /* smartcard reader and key info */ -#ifdef VIRTUAL_IP struct virtual_t *virt; -#endif bool modecfg; /* this end: request local address from server */ /* that end: give local addresses to clients */ bool hostaccess; /* allow access to host via iptables INPUT/OUTPUT */ 
@@ -305,12 +301,8 @@ struct gw_info; /* forward declaration of tag (defined in dnskey.h) */ struct alg_info; /* forward declaration of tag (defined in alg_info.h) */ extern struct connection *rw_instantiate(struct connection *c , const ip_address *him -#ifdef NAT_TRAVERSAL , u_int16_t his_port -#endif -#ifdef VIRTUAL_IP , const ip_subnet *his_net -#endif , const struct id *his_id); extern struct connection *oppo_instantiate(struct connection *c @@ -366,12 +358,9 @@ extern struct connection *eclipsed(struct connection *c, struct spd_route **); extern void show_connections_status(bool all, const char *name); extern int connection_compare(const struct connection *ca - , const struct connection *cb); -#ifdef NAT_TRAVERSAL -void -update_host_pair(const char *why, struct connection *c, - const ip_address *myaddr, u_int16_t myport , - const ip_address *hisaddr, u_int16_t hisport); -#endif /* NAT_TRAVERSAL */ + , const struct connection *cb); +extern void update_host_pair(const char *why, struct connection *c + , const ip_address *myaddr, u_int16_t myport + , const ip_address *hisaddr, u_int16_t hisport); #endif /* _CONNECTIONS_H */ diff --git a/src/pluto/demux.c b/src/pluto/demux.c index eaacd3ed8..10544b2cb 100644 --- a/src/pluto/demux.c +++ b/src/pluto/demux.c @@ -142,9 +142,7 @@ #include "timer.h" #include "whack.h" /* requires connections.h */ #include "server.h" -#ifdef NAT_TRAVERSAL #include "nat_traversal.h" -#endif #include "vendor.h" #include "modecfg.h" @@ -273,11 +271,7 @@ static const struct state_microcode state_microcode_table[] = { */ { STATE_MAIN_R1, STATE_MAIN_R2 , SMF_PSK_AUTH | SMF_DS_AUTH | SMF_REPLY -#ifdef NAT_TRAVERSAL , P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(KE) -#else - , P(KE) | P(NONCE), P(VID) | P(CR), PT(KE) -#endif , EVENT_RETRANSMIT, main_inI2_outR2 }, { STATE_MAIN_R1, STATE_UNDEFINED 
@@ -302,11 +296,7 @@ static const struct state_microcode state_microcode_table[] = { */ { STATE_MAIN_I2, STATE_MAIN_I3 , SMF_PSK_AUTH | SMF_DS_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY -#ifdef NAT_TRAVERSAL , P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(ID) -#else - , P(KE) | P(NONCE), P(VID) | P(CR), PT(ID) -#endif , EVENT_RETRANSMIT, main_inR2_outI3 }, { STATE_MAIN_I2, STATE_UNDEFINED @@ -397,11 +387,7 @@ static const struct state_microcode state_microcode_table[] = { */ { STATE_QUICK_R0, STATE_QUICK_R1 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY -#ifdef NAT_TRAVERSAL , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID) | P(NATOA_RFC), PT(NONE) -#else - , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID), PT(NONE) -#endif , EVENT_RETRANSMIT, quick_inI1_outR1 }, /* STATE_QUICK_I1: @@ -412,11 +398,7 @@ static const struct state_microcode state_microcode_table[] = { */ { STATE_QUICK_I1, STATE_QUICK_I2 , SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED | SMF_REPLY -#ifdef NAT_TRAVERSAL , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID) | P(NATOA_RFC), PT(HASH) -#else - , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID), PT(HASH) -#endif , EVENT_SA_REPLACE, quick_inR1_outI2 }, /* STATE_QUICK_R1: HDR*, HASH(3) --> done @@ -744,7 +726,6 @@ check_msg_errqueue(const struct iface *ifp, short interest) /* note dirty trick to suppress ~ at start of format * if we know what state to blame. */ -#ifdef NAT_TRAVERSAL if ((packet_len == 1) && (buffer[0] = 0xff) #ifdef DEBUG && ((cur_debugging & DBG_NATT) == 0) @@ -755,7 +736,6 @@ check_msg_errqueue(const struct iface *ifp, short interest) */ } else -#endif plog((sender != NULL) + "~" "ERROR: asynchronous network error report on %s" "%s" 
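Review bot: The condition `if ((packet_len == 1) && (buffer[0] = 0xff)` in check_msg_errqueue, which this hunk now compiles unconditionally rather than only under NAT_TRAVERSAL, uses assignment instead of comparison: it is always true whenever packet_len is 1, and it overwrites the first byte of the received error packet before the packet is examined. It should read `if ((packet_len == 1) && (buffer[0] == 0xff)` so that only a one-byte 0xff NAT-T keep-alive takes the suppressed branch. check_msg_errqueue's body continues outside the hunk; building with `-Wall` (which includes `-Wparentheses`) would have flagged this line.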
@@ -793,24 +773,19 @@ check_msg_errqueue(const struct iface *ifp, short interest) #endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */ bool -#ifdef NAT_TRAVERSAL -_send_packet(struct state *st, const char *where, bool verbose) -#else send_packet(struct state *st, const char *where) -#endif { struct connection *c = st->st_connection; int port_buf; bool err; - -#ifdef NAT_TRAVERSAL u_int8_t ike_pkt[MAX_OUTPUT_UDP_SIZE]; u_int8_t *ptr; unsigned long len; - if ((c->interface->ike_float == TRUE) && (st->st_tpacket.len != 1)) { - if ((unsigned long) st->st_tpacket.len > - (MAX_OUTPUT_UDP_SIZE-sizeof(u_int32_t))) { + if (c->interface->ike_float && st->st_tpacket.len != 1) + { + if ((unsigned long) st->st_tpacket.len > (MAX_OUTPUT_UDP_SIZE-sizeof(u_int32_t))) + { DBG_log("send_packet(): really too big"); return FALSE; } @@ -821,11 +796,11 @@ send_packet(struct state *st, const char *where) (unsigned long)st->st_tpacket.len); len = (unsigned long) st->st_tpacket.len + sizeof(u_int32_t); } - else { + else + { ptr = st->st_tpacket.ptr; len = (unsigned long) st->st_tpacket.len; } -#endif DBG(DBG_RAW, { 
@@ -850,28 +825,19 @@ send_packet(struct state *st, const char *where) (void) check_msg_errqueue(c->interface, POLLOUT); #endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */ -#ifdef NAT_TRAVERSAL err = sendto(c->interface->fd , ptr, len, 0 , sockaddrof(&c->spd.that.host_addr) , sockaddrlenof(&c->spd.that.host_addr)) != (ssize_t)len; -#else - err = sendto(c->interface->fd - , st->st_tpacket.ptr, st->st_tpacket.len, 0 - , sockaddrof(&c->spd.that.host_addr) - , sockaddrlenof(&c->spd.that.host_addr)) != (ssize_t)st->st_tpacket.len; -#endif /* restore port */ setportof(port_buf, &c->spd.that.host_addr); if (err) { -#ifdef NAT_TRAVERSAL - /* do not log NAT-T Keep Alive packets */ - if (!verbose) - return FALSE; -#endif + /* do not log NAT-T Keep Alive packets */ + if (streq(where, "NAT-T Keep Alive")) + return FALSE; log_errno((e, "sendto on %s to %s:%u failed in %s" , c->interface->rname , ip_str(&c->spd.that.host_addr) @@ -1141,16 +1107,19 @@ read_packet(struct msg_digest *md) cur_from = &md->sender; cur_from_port = md->sender_port; -#ifdef NAT_TRAVERSAL - if (ifp->ike_float == TRUE) { + if (ifp->ike_float == TRUE) + { u_int32_t non_esp; - if (packet_len < (int)sizeof(u_int32_t)) { + + if (packet_len < (int)sizeof(u_int32_t)) + { plog("recvfrom %s:%u too small packet (%d)" , ip_str(cur_from), (unsigned) cur_from_port, packet_len); return FALSE; } memcpy(&non_esp, buffer, sizeof(u_int32_t)); - if (non_esp != 0) { + if (non_esp != 0) + { plog("recvfrom %s:%u has no Non-ESP marker" , ip_str(cur_from), (unsigned) cur_from_port); return FALSE; @@ -1161,7 +1130,6 @@ read_packet(struct msg_digest *md) pfree(buffer); buffer = buffer_nat; } -#endif /* Clone actual message contents * and set up md->packet_pbs to describe it. 
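Review bot: The error-log suppression in send_packet now depends on `streq(where, "NAT-T Keep Alive")`, so the keep-alive sender (presumably in nat_traversal.c, which is in the diffstat but not in view) must pass exactly that string, and any other caller that happens to use the same text silently loses its `sendto ... failed` log. This replaces a typed `verbose` flag with an undocumented string contract; at minimum record it next to the prototype in demux.h, e.g. `/* where == "NAT-T Keep Alive" suppresses logging of send failures */`, or define the string once in demux.h and use it at both sites so a typo cannot change logging behaviour. The function returns FALSE in both the logged and the unlogged case, so callers cannot distinguish a suppressed failure, which is presumably intended. In the read_packet hunk on the same line, `if (ifp->ike_float == TRUE)` is inconsistent with the `c->interface->ike_float &&` form the commit itself introduces in send_packet; `if (ifp->ike_float)` would match.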
@@ -1180,21 +1148,20 @@ read_packet(struct msg_digest *md) DBG(DBG_RAW, DBG_dump("", md->packet_pbs.start, pbs_room(&md->packet_pbs))); -#ifdef NAT_TRAVERSAL - if ((pbs_room(&md->packet_pbs)==1) && (md->packet_pbs.start[0]==0xff)) { - /** - * NAT-T Keep-alive packets should be discared by kernel ESPinUDP - * layer. But boggus keep-alive packets (sent with a non-esp marker) - * can reach this point. Complain and discard them. - */ - DBG(DBG_NATT, - DBG_log("NAT-T keep-alive (boggus ?) should not reach this point. " - "Ignored. Sender: %s:%u", ip_str(cur_from), - (unsigned) cur_from_port); - ); - return FALSE; + if ((pbs_room(&md->packet_pbs)==1) && (md->packet_pbs.start[0]==0xff)) + { + /** + * NAT-T Keep-alive packets should be discared by kernel ESPinUDP + * layer. But boggus keep-alive packets (sent with a non-esp marker) + * can reach this point. Complain and discard them. + */ + DBG(DBG_NATT, + DBG_log("NAT-T keep-alive (boggus ?) should not reach this point. " + "Ignored. Sender: %s:%u", ip_str(cur_from), + (unsigned) cur_from_port); + ) + return FALSE; } -#endif #define IKEV2_VERSION_OFFSET 17 #define IKEV2_VERSION 0x20 @@ -1809,12 +1776,12 @@ process_packet(struct msg_digest **mdp) return; } -#ifdef NAT_TRAVERSAL switch (np) { case ISAKMP_NEXT_NATD_RFC: case ISAKMP_NEXT_NATOA_RFC: - if ((!st) || (!(st->nat_traversal & NAT_T_WITH_RFC_VALUES))) { + if (!st || !(st->nat_traversal & NAT_T_WITH_RFC_VALUES)) + { /* * don't accept NAT-D/NAT-OA reloc directly in message, unless * we're using NAT-T RFC @@ -1823,7 +1790,6 @@ process_packet(struct msg_digest **mdp) } break; } -#endif if (sd == NULL) { @@ -1834,7 +1800,6 @@ process_packet(struct msg_digest **mdp) sd = IS_PHASE1(from_state) ? &isakmp_identification_desc : &isakmp_ipsec_identification_desc; break; -#ifdef NAT_TRAVERSAL case ISAKMP_NEXT_NATD_DRAFTS: np = ISAKMP_NEXT_NATD_RFC; /* NAT-D relocated */ sd = payload_descs[np]; 
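Review bot: The keep-alive comment that this hunk re-indents in read_packet could have its spelling corrected while the lines are being rewritten: `discared` → `discarded` and `boggus` → `bogus` (the DBG_log format string carries the same typo, but changing it alters output and is a separate decision). The rewrite also drops the `;` after the `DBG(DBG_NATT, ...)` invocation; that is only correct if DBG expands to a complete block statement, which cannot be confirmed from this hunk, and the same pattern appears in the kernel.c hunk at the end of this page.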
@@ -1843,7 +1808,6 @@ process_packet(struct msg_digest **mdp) np = ISAKMP_NEXT_NATOA_RFC; /* NAT-OA relocated */ sd = payload_descs[np]; break; -#endif default: loglog(RC_LOG_SERIOUS, "%smessage ignored because it contains an unknown or" " unexpected payload type (%s) at the outermost level" @@ -2107,10 +2071,8 @@ complete_state_transition(struct msg_digest **mdp, stf_status result) clonetochunk(st->st_tpacket, md->reply.start , pbs_offset(&md->reply), "reply packet"); -#ifdef NAT_TRAVERSAL if (nat_traversal_enabled) nat_traversal_change_port_lookup(md, md->st); -#endif /* actually send the packet * Note: this is a great place to implement "impairments" @@ -2293,7 +2255,6 @@ complete_state_transition(struct msg_digest **mdp, stf_status result) /* advance b to end of string */ b = b + strlen(b); -#ifdef NAT_TRAVERSAL if (st->nat_traversal) { char oa[ADDRTOT_BUF]; @@ -2304,7 +2265,6 @@ complete_state_transition(struct msg_digest **mdp, stf_status result) ini = " "; fin = "}"; } -#endif /* advance b to end of string */ b = b + strlen(b); diff --git a/src/pluto/demux.h b/src/pluto/demux.h index 7adac44f3..63a838001 100644 --- a/src/pluto/demux.h +++ b/src/pluto/demux.h @@ -18,12 +18,7 @@ struct state; /* forward declaration of tag */ extern void init_demux(void); -#ifdef NAT_TRAVERSAL -#define send_packet(st,wh) _send_packet(st,wh,TRUE) -extern bool _send_packet(struct state *st, const char *where, bool verbose); -#else extern bool send_packet(struct state *st, const char *where); -#endif extern void comm_handle(const struct iface *ifp); extern u_int8_t reply_buffer[MAX_OUTPUT_UDP_SIZE]; @@ -74,9 +69,7 @@ struct msg_digest { digest[PAYLIMIT], *digest_roof, *chain[ISAKMP_NEXT_ROOF]; -#ifdef NAT_TRAVERSAL unsigned short nat_traversal_vid; -#endif }; extern void release_md(struct msg_digest *md); diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c index a4e86a901..9323427c1 100644 --- a/src/pluto/ipsec_doi.c +++ b/src/pluto/ipsec_doi.c 
@@ -67,12 +67,8 @@ #include "alg_info.h" #include "ike_alg.h" #include "kernel_alg.h" -#ifdef NAT_TRAVERSAL #include "nat_traversal.h" -#endif -#ifdef VIRTUAL_IP #include "virtual.h" -#endif /* * are we sending Pluto's Vendor ID? @@ -769,10 +765,10 @@ accept_delete(struct state *st, struct msg_digest *md, struct payload_digest *p) oldc = cur_connection; set_cur_connection(dst->st_connection); -#ifdef NAT_TRAVERSAL + if (nat_traversal_enabled) nat_traversal_change_port_lookup(md, dst); -#endif + loglog(RC_LOG_SERIOUS, "received Delete SA payload: " "deleting ISAKMP State #%lu", dst->st_serialno); delete_state(dst); @@ -806,10 +802,9 @@ accept_delete(struct state *st, struct msg_digest *md, struct payload_digest *p) oldc = cur_connection; set_cur_connection(rc); -#ifdef NAT_TRAVERSAL if (nat_traversal_enabled) nat_traversal_change_port_lookup(md, dst); -#endif + if (rc->newest_ipsec_sa == dst->st_serialno && (rc->policy & POLICY_UP)) { @@ -902,10 +897,8 @@ main_outI1(int whack_sock, struct connection *c, struct state *predecessor vids_to_send++; /* always send DPD Vendor ID */ vids_to_send++; -#ifdef NAT_TRAVERSAL if (nat_traversal_enabled) vids_to_send++; -#endif get_cookie(TRUE, st->st_icookie, COOKIE_SIZE, &c->spd.that.host_addr); @@ -1004,7 +997,6 @@ main_outI1(int whack_sock, struct connection *c, struct state *predecessor } } -#ifdef NAT_TRAVERSAL if (nat_traversal_enabled) { /* Add supported NAT-Traversal VID */ @@ -1015,7 +1007,6 @@ main_outI1(int whack_sock, struct connection *c, struct state *predecessor return STF_INTERNAL_ERROR; } } -#endif close_message(&rbody); close_output_pbs(&reply); @@ -2043,7 +2034,6 @@ quick_outI1(int whack_sock , replacing , isakmp_sa->st_serialno); -#ifdef NAT_TRAVERSAL if (isakmp_sa->nat_traversal & NAT_T_DETECTED) { /* Duplicate nat_traversal status in new state */ 
@@ -2066,7 +2056,6 @@ quick_outI1(int whack_sock np = (st->nat_traversal & NAT_T_WITH_RFC_VALUES) ? ISAKMP_NEXT_NATOA_RFC : ISAKMP_NEXT_NATOA_DRAFTS; } -#endif /* set up reply */ init_pbs(&reply, reply_buffer, sizeof(reply_buffer), "reply packet"); @@ -2162,7 +2151,6 @@ quick_outI1(int whack_sock } } -#ifdef NAT_TRAVERSAL /* Send NAT-OA if our address is NATed */ if (send_natoa) { @@ -2172,7 +2160,6 @@ quick_outI1(int whack_sock return STF_INTERNAL_ERROR; } } -#endif /* finish computing HASH(1), inserting it in output */ (void) quick_mode_hash12(r_hashval, r_hash_start, rbody.cur @@ -2341,7 +2328,6 @@ decode_peer_id(struct msg_digest *md, struct id *peer) * Besides, there is no good reason for allowing these to be * other than 0 in Phase 1. */ -#ifdef NAT_TRAVERSAL if ((st->nat_traversal & NAT_T_WITH_PORT_FLOATING) && id->isaid_doi_specific_a == IPPROTO_UDP && (id->isaid_doi_specific_b == 0 || id->isaid_doi_specific_b == NAT_T_IKE_FLOAT_PORT)) @@ -2350,10 +2336,8 @@ decode_peer_id(struct msg_digest *md, struct id *peer) "accepted with port_floating NAT-T", id->isaid_doi_specific_a, id->isaid_doi_specific_b); } - else -#endif - if (!(id->isaid_doi_specific_a == 0 && id->isaid_doi_specific_b == 0) - && !(id->isaid_doi_specific_a == IPPROTO_UDP && id->isaid_doi_specific_b == IKE_UDP_PORT)) + else if (!(id->isaid_doi_specific_a == 0 && id->isaid_doi_specific_b == 0) + && !(id->isaid_doi_specific_a == IPPROTO_UDP && id->isaid_doi_specific_b == IKE_UDP_PORT)) { loglog(RC_LOG_SERIOUS, "protocol/port in Phase 1 ID Payload must be 0/0 or %d/%d" " but are %d/%d" 
@@ -2527,14 +2511,8 @@ switch_connection(struct msg_digest *md, struct id *peer, bool initiator) if (r->kind == CK_TEMPLATE) { /* instantiate it, filling in peer's ID */ - r = rw_instantiate(r, &c->spd.that.host_addr, -#ifdef NAT_TRAVERSAL - c->spd.that.host_port, -#endif -#ifdef VIRTUAL_IP - NULL, -#endif - peer); + r = rw_instantiate(r, &c->spd.that.host_addr + , c->spd.that.host_port, NULL, peer); } /* copy certificate request info */ @@ -2984,13 +2962,11 @@ main_inI1_outR1(struct msg_digest *md) RETURN_STF_FAILURE(preparse_isakmp_sa_body(&sa_pd->payload.sa , &sa_pd->pbs, &ipsecdoisit, &proposal_pbs, &proposal)); -#ifdef NAT_TRAVERSAL if (c == NULL && md->iface->ike_float) { c = find_host_connection(&md->iface->addr, NAT_T_IKE_FLOAT_PORT , &md->sender, md->sender_port, LEMPTY); } -#endif if (c == NULL) { @@ -3061,14 +3037,7 @@ main_inI1_outR1(struct msg_digest *md) /* Create a temporary connection that is a copy of this one. * His ID isn't declared yet. */ - c = rw_instantiate(c, &md->sender, -#ifdef NAT_TRAVERSAL - md->sender_port, -#endif -#ifdef VIRTUAL_IP - NULL, -#endif - NULL); + c = rw_instantiate(c, &md->sender, md->sender_port, NULL, NULL); } } @@ -3115,10 +3084,8 @@ main_inI1_outR1(struct msg_digest *md) vids_to_send++; /* always send DPD Vendor ID */ vids_to_send++; -#ifdef NAT_TRAVERSAL if (md->nat_traversal_vid && nat_traversal_enabled) vids_to_send++; -#endif /* HDR out. * We can't leave this to comm_handle() because we must @@ -3189,11 +3156,6 @@ main_inI1_outR1(struct msg_digest *md) } } -#ifdef NAT_TRAVERSAL - DBG(DBG_CONTROLMORE, - DBG_log("sender checking NAT-t: %d and %d" - , nat_traversal_enabled, md->nat_traversal_vid) - ) if (md->nat_traversal_vid && nat_traversal_enabled) { /* reply if NAT-Traversal draft is supported */ @@ -3206,7 +3168,6 @@ main_inI1_outR1(struct msg_digest *md) return STF_INTERNAL_ERROR; } } -#endif close_message(&md->rbody); 
@@ -3252,11 +3213,6 @@ main_inR1_outI2(struct msg_digest *md) , &proposal_pbs, &proposal, NULL, st)); } -#ifdef NAT_TRAVERSAL - DBG(DBG_CONTROLMORE, - DBG_log("sender checking NAT-t: %d and %d" - , nat_traversal_enabled, md->nat_traversal_vid) - ) if (nat_traversal_enabled && md->nat_traversal_vid) { st->nat_traversal = nat_traversal_vid_to_method(md->nat_traversal_vid); @@ -3268,7 +3224,6 @@ main_inR1_outI2(struct msg_digest *md) np = (st->nat_traversal & NAT_T_WITH_RFC_VALUES) ? ISAKMP_NEXT_NATD_RFC : ISAKMP_NEXT_NATD_DRAFTS; } - #endif /**************** build output packet HDR;KE;Ni ****************/ @@ -3306,13 +3261,11 @@ main_inR1_outI2(struct msg_digest *md) return STF_INTERNAL_ERROR; #endif -#ifdef NAT_TRAVERSAL if (st->nat_traversal & NAT_T_WITH_NATD) { if (!nat_traversal_add_natd(ISAKMP_NEXT_NONE, &md->rbody, md)) return STF_INTERNAL_ERROR; } -#endif /* finish message */ close_message(&md->rbody); @@ -3353,11 +3306,6 @@ main_inI2_outR2(struct msg_digest *md) /* Ni in */ RETURN_STF_FAILURE(accept_nonce(md, &st->st_ni, "Ni")); -#ifdef NAT_TRAVERSAL - DBG(DBG_CONTROLMORE, - DBG_log("inI2: checking NAT-t: %d and %d" - , nat_traversal_enabled, st->nat_traversal) - ) if (st->nat_traversal & NAT_T_WITH_NATD) { nat_traversal_natd_lookup(md); @@ -3373,7 +3321,6 @@ main_inI2_outR2(struct msg_digest *md) { nat_traversal_new_ka_event(); } -#endif /* decode certificate requests */ st->st_connection->got_certrequest = FALSE; @@ -3449,14 +3396,12 @@ main_inI2_outR2(struct msg_digest *md) } } } - -#ifdef NAT_TRAVERSAL + if (st->nat_traversal & NAT_T_WITH_NATD) { if (!nat_traversal_add_natd(ISAKMP_NEXT_NONE, &md->rbody, md)) return STF_INTERNAL_ERROR; } -#endif /* finish message */ close_message(&md->rbody); 
@@ -3529,17 +3474,18 @@ main_inR2_outI3(struct msg_digest *md) if (!generate_skeyids_iv(st)) return STF_FAIL + AUTHENTICATION_FAILED; -#ifdef NAT_TRAVERSAL - if (st->nat_traversal & NAT_T_WITH_NATD) { + if (st->nat_traversal & NAT_T_WITH_NATD) + { nat_traversal_natd_lookup(md); } - if (st->nat_traversal) { + if (st->nat_traversal) + { nat_traversal_show_result(st->nat_traversal, md->sender_port); } - if (st->nat_traversal & NAT_T_WITH_KA) { + if (st->nat_traversal & NAT_T_WITH_KA) + { nat_traversal_new_ka_event(); } -#endif /*************** build output packet HDR*;IDii;HASH/SIG_I ***************/ /* ??? NOTE: this is almost the same as main_inI3_outR3's code */ @@ -4772,14 +4718,8 @@ quick_inI1_outR1_tail(struct verify_oppo_bundle *b /* Plain Road Warrior: * instantiate, carrying over authenticated peer ID */ - p = rw_instantiate(p, &c->spd.that.host_addr, -#ifdef NAT_TRAVERSAL - md->sender_port, -#endif -#ifdef VIRTUAL_IP - his_net, -#endif - &c->spd.that.id); + p = rw_instantiate(p, &c->spd.that.host_addr, md->sender_port + , his_net, &c->spd.that.id); } } #ifdef DEBUG @@ -4802,8 +4742,6 @@ quick_inI1_outR1_tail(struct verify_oppo_bundle *b p->spd.that.client = *his_net; p->spd.that.has_client_wildcard = FALSE; } - -#ifdef VIRTUAL_IP else if (is_virtual_connection(c)) { c->spd.that.client = *his_net; @@ -4811,7 +4749,6 @@ quick_inI1_outR1_tail(struct verify_oppo_bundle *b if (subnetishost(his_net) && addrinsubnet(&c->spd.that.host_addr, his_net)) c->spd.that.has_client = FALSE; } -#endif /* fill in the client's true port */ if (p->spd.that.has_port_wildcard) @@ -4870,7 +4807,6 @@ quick_inI1_outR1_tail(struct verify_oppo_bundle *b st->st_policy = (p1st->st_policy & POLICY_ISAKMP_MASK) | (c->policy & ~POLICY_ISAKMP_MASK); -#ifdef NAT_TRAVERSAL if (p1st->nat_traversal & NAT_T_DETECTED) { st->nat_traversal = p1st->nat_traversal; 
@@ -4880,12 +4816,11 @@ quick_inI1_outR1_tail(struct verify_oppo_bundle *b { st->nat_traversal = 0; } - if ((st->nat_traversal & NAT_T_DETECTED) && - (st->nat_traversal & NAT_T_WITH_NATOA)) + if ((st->nat_traversal & NAT_T_DETECTED) + && (st->nat_traversal & NAT_T_WITH_NATOA)) { nat_traversal_natoa_lookup(md); } -#endif /* Start the output packet. * @@ -4973,7 +4908,6 @@ quick_inI1_outR1_tail(struct verify_oppo_bundle *b p->isaiid_np = ISAKMP_NEXT_NONE; } -#ifdef NAT_TRAVERSAL if ((st->nat_traversal & NAT_T_WITH_NATOA) && (st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME)) && (st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TRANSPORT)) @@ -4992,7 +4926,6 @@ quick_inI1_outR1_tail(struct verify_oppo_bundle *b addrtosubnet(&c->spd.that.host_addr, &c->spd.that.client); c->spd.that.has_client = FALSE; } -#endif /* Compute reply HASH(2) and insert in output */ (void)quick_mode_hash12(r_hashval, r_hash_start, md->rbody.cur @@ -5132,13 +5065,11 @@ quick_inR1_outI2(struct msg_digest *md) } } -#ifdef NAT_TRAVERSAL if ((st->nat_traversal & NAT_T_DETECTED) && (st->nat_traversal & NAT_T_WITH_NATOA)) { nat_traversal_natoa_lookup(md); } -#endif /* ??? We used to copy the accepted proposal into the state, but it was * never used. From sa_pd->pbs.start, length pbs_room(&sa_pd->pbs). diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c index bee185cc3..663fa7230 100644 --- a/src/pluto/kernel.c +++ b/src/pluto/kernel.c @@ -58,12 +58,7 @@ #include "server.h" #include "whack.h" /* for RC_LOG_SERIOUS */ #include "keys.h" - -#ifdef NAT_TRAVERSAL -#include "packet.h" /* for pb_stream in nat_traversal.h */ #include "nat_traversal.h" -#endif - #include "alg_info.h" #include "kernel_alg.h" 
@@ -686,9 +681,7 @@ could_route(struct connection *c) /* if routing would affect IKE messages, reject */ if (!no_klips -#ifdef NAT_TRAVERSAL && c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT -#endif && c->spd.this.host_port != IKE_UDP_PORT && addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client)) { @@ -1860,19 +1853,19 @@ setup_half_ipsec_sa(struct state *st, bool inbound) SADB_EALG_3DES_CBC, SADB_AALG_SHA1_HMAC }, }; -#ifdef NAT_TRAVERSAL u_int8_t natt_type = 0; - u_int16_t natt_sport = 0, natt_dport = 0; + u_int16_t natt_sport = 0; + u_int16_t natt_dport = 0; ip_address natt_oa; - if (st->nat_traversal & NAT_T_DETECTED) { + if (st->nat_traversal & NAT_T_DETECTED) + { natt_type = (st->nat_traversal & NAT_T_WITH_PORT_FLOATING) ? ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE; natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port; natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port; natt_oa = st->nat_oa; } -#endif for (ei = esp_info; ; ei++) { 
@@ -1903,34 +1896,38 @@ setup_half_ipsec_sa(struct state *st, bool inbound) } key_len = st->st_esp.attrs.key_len/8; - if (key_len) { - /* XXX: must change to check valid _range_ key_len */ - if (key_len > ei->enckeylen) { - loglog(RC_LOG_SERIOUS, "ESP transform %s passed key_len=%d > %d", - enum_name(&esp_transformid_names, st->st_esp.attrs.transid), - (int)key_len, (int)ei->enckeylen); - goto fail; - } - } else { - key_len = ei->enckeylen; + if (key_len) + { + /* XXX: must change to check valid _range_ key_len */ + if (key_len > ei->enckeylen) + { + loglog(RC_LOG_SERIOUS, "ESP transform %s passed key_len=%d > %d", + enum_name(&esp_transformid_names, st->st_esp.attrs.transid), + (int)key_len, (int)ei->enckeylen); + goto fail; + } + } + else + { + key_len = ei->enckeylen; } /* Grrrrr.... f*cking 7 bits jurassic algos */ /* 168 bits in kernel, need 192 bits for keymat_len */ if (ei->transid == ESP_3DES && key_len == 21) - key_len = 24; + key_len = 24; /* 56 bits in kernel, need 64 bits for keymat_len */ if (ei->transid == ESP_DES && key_len == 7) - key_len = 8; + key_len = 8; /* divide up keying material */ /* passert(st->st_esp.keymat_len == ei->enckeylen + ei->authkeylen); */ DBG(DBG_KLIPS|DBG_CONTROL|DBG_PARSING, - if(st->st_esp.keymat_len != key_len + ei->authkeylen) - DBG_log("keymat_len=%d key_len=%d authkeylen=%d", - st->st_esp.keymat_len, (int)key_len, (int)ei->authkeylen); - ); + if(st->st_esp.keymat_len != key_len + ei->authkeylen) + DBG_log("keymat_len=%d key_len=%d authkeylen=%d", + st->st_esp.keymat_len, (int)key_len, (int)ei->authkeylen); + ) passert(st->st_esp.keymat_len == key_len + ei->authkeylen); set_text_said(text_said, &dst.addr, esp_spi, SA_ESP); 
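Review bot: The reindented key_len check in setup_half_ipsec_sa still only rejects `key_len > ei->enckeylen`; as the retained `XXX` comment admits, a non-zero key_len below the transform's length is accepted and the only remaining guard is `passert(st->st_esp.keymat_len == key_len + ei->authkeylen)`. st->st_esp.attrs.key_len appears to be the negotiated attribute, so if it can be influenced by the peer's proposal a malformed value ends in an assertion (or, if keymat_len was derived from the same key_len, in a short key handed to the kernel) rather than in the logged rejection the upper-bound check gives; consider adding the lower bound the transform actually allows to the same `loglog(...); goto fail;` path. Separately, the closing `)` of the `DBG(...)` invocation lost its trailing `;` in the rewrite; it presumably still compiles because DBG expands to a compound statement, but `);` keeps the statement shape the rest of the file uses. setup_half_ipsec_sa continues outside the hunk.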
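@@ -1952,13 +1949,11 @@ setup_half_ipsec_sa(struct state *st, bool inbound)
 said_next->enckey = esp_dst_keymat;
 said_next->encapsulation = encapsulation;
 said_next->reqid = c->spd.reqid + 1;
-#ifdef NAT_TRAVERSAL
 said_next->natt_sport = natt_sport;
 said_next->natt_dport = natt_dport;
 said_next->transid = st->st_esp.attrs.transid;
 said_next->natt_type = natt_type;
 said_next->natt_oa = &natt_oa;
-#endif
 said_next->text_said = text_said;
 if (!kernel_ops->add_sa(said_next, replace))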
@@ -2826,68 +2821,69 @@ delete_ipsec_sa(struct state *st USED_BY_KLIPS, bool inbound_only USED_BY_KLIPS) DBG(DBG_CONTROL, DBG_log("if I knew how, I'd eroute() and teardown_ipsec_sa()")); #endif /* !KLIPS */ } -#ifdef NAT_TRAVERSAL + #ifdef KLIPS static bool update_nat_t_ipsec_esp_sa (struct state *st, bool inbound) { - struct connection *c = st->st_connection; - char text_said[SATOT_BUF]; - struct kernel_sa sa; - ip_address - src = inbound? c->spd.that.host_addr : c->spd.this.host_addr, - dst = inbound? c->spd.this.host_addr : c->spd.that.host_addr; - + struct connection *c = st->st_connection; + char text_said[SATOT_BUF]; + struct kernel_sa sa; + ip_address + src = inbound? c->spd.that.host_addr : c->spd.this.host_addr, + dst = inbound? c->spd.this.host_addr : c->spd.that.host_addr; - ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi; + ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi; - u_int16_t - natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port, - natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port; - - set_text_said(text_said, &dst, esp_spi, SA_ESP); - - memset(&sa, 0, sizeof(sa)); - sa.spi = esp_spi; - sa.src = &src; - sa.dst = &dst; - sa.text_said = text_said; - sa.authalg = alg_info_esp_aa2sadb(st->st_esp.attrs.auth); - sa.natt_sport = natt_sport; - sa.natt_dport = natt_dport; - sa.transid = st->st_esp.attrs.transid; - - return kernel_ops->add_sa(&sa, TRUE); + u_int16_t + natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port, + natt_dport = inbound? 
c->spd.this.host_port : c->spd.that.host_port; + + set_text_said(text_said, &dst, esp_spi, SA_ESP); + memset(&sa, 0, sizeof(sa)); + sa.spi = esp_spi; + sa.src = &src; + sa.dst = &dst; + sa.text_said = text_said; + sa.authalg = alg_info_esp_aa2sadb(st->st_esp.attrs.auth); + sa.natt_sport = natt_sport; + sa.natt_dport = natt_dport; + sa.transid = st->st_esp.attrs.transid; + + return kernel_ops->add_sa(&sa, TRUE); } #endif bool update_ipsec_sa (struct state *st USED_BY_KLIPS) { #ifdef KLIPS - if (IS_IPSEC_SA_ESTABLISHED(st->st_state)) { - if ((st->st_esp.present) && ( - (!update_nat_t_ipsec_esp_sa (st, TRUE)) || - (!update_nat_t_ipsec_esp_sa (st, FALSE)))) { - return FALSE; - } - } - else if (IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state)) { - if ((st->st_esp.present) && (!update_nat_t_ipsec_esp_sa (st, FALSE))) { - return FALSE; - } + if (IS_IPSEC_SA_ESTABLISHED(st->st_state)) + { + if (st->st_esp.present && ( + (!update_nat_t_ipsec_esp_sa (st, TRUE)) || + (!update_nat_t_ipsec_esp_sa (st, FALSE)))) + { + return FALSE; } - else { - DBG_log("assert failed at %s:%d st_state=%d", __FILE__, __LINE__, - st->st_state); - return FALSE; + } + else if (IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state)) + { + if (st->st_esp.present && !update_nat_t_ipsec_esp_sa (st, FALSE)) + { + return FALSE; } - return TRUE; + } + else + { + DBG_log("assert failed at %s:%d st_state=%d", __FILE__, __LINE__, st->st_state); + return FALSE; + } + return TRUE; #else /* !KLIPS */ DBG(DBG_CONTROL, DBG_log("if I knew how, I'd update_ipsec_sa()")); return TRUE; #endif /* !KLIPS */ } -#endif /* Check if there was traffic on given SA during the last idle_max * seconds. If TRUE, the SA was idle and DPD exchange should be performed. diff --git a/src/pluto/kernel.h b/src/pluto/kernel.h index c01ff31f9..e7ff08c7b 100644 --- a/src/pluto/kernel.h +++ b/src/pluto/kernel.h 
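Review bot: update_nat_t_ipsec_esp_sa zeroes the struct kernel_sa and fills in natt_sport, natt_dport and transid, but never sets sa.natt_type, and in pfkey_add_sa every NAT-T extension visible in this diff is skipped when `sa->natt_type == 0` (netlink_add_sa likewise only emits its encapsulation template `if (sa->natt_type)`). If the port extensions in the elided part of pfkey_add_sa are gated the same way, the replace issued after a SADB_X_NAT_T_NEW_MAPPING never carries the new ports to the kernel; worth confirming, and if so deriving the type the way setup_half_ipsec_sa does, `sa.natt_type = (st->nat_traversal & NAT_T_WITH_PORT_FLOATING) ? ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE;`. The struct also carries no keys or encapsulation, so a comment on the function stating that add_sa(..., TRUE) is relied on as a partial update of an existing SA, rather than a full replacement, would document the contract this path depends on. Both functions were previously only built with NAT_TRAVERSAL and are now unconditional.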
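@@ -69,11 +69,11 @@ struct kernel_sa {
 unsigned compalg;
 int encapsulation;
-#ifdef NAT_TRAVERSAL
+
 u_int16_t natt_sport, natt_dport;
 u_int8_t transid, natt_type;
 ip_address *natt_oa;
-#endif
+
 const char *text_said;
 };
@@ -195,6 +195,4 @@ extern bool was_eroute_idle(struct state *st, time_t idle_max
 extern bool get_sa_info(struct state *st, bool inbound, u_int *bytes
 , time_t *use_time);
-#ifdef NAT_TRAVERSAL
 extern bool update_ipsec_sa(struct state *st);
-#endif
diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c
index fd43c4653..1947ddbac 100644
--- a/src/pluto/kernel_netlink.c
+++ b/src/pluto/kernel_netlink.c
@@ -677,7 +677,6 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
 attr = (struct rtattr *)((char *)attr + attr->rta_len);
 }
-#ifdef NAT_TRAVERSAL
 if (sa->natt_type)
 {
 struct xfrm_encap_tmpl natt;
@@ -695,7 +694,6 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
 req.n.nlmsg_len += attr->rta_len;
 attr = (struct rtattr *)((char *)attr + attr->rta_len);
 }
-#endif
 return send_netlink_msg(&req.n, NULL, 0, "Add SA", sa->text_said);
 }
diff --git a/src/pluto/kernel_pfkey.c b/src/pluto/kernel_pfkey.c
index 76bfbaf9a..ced7a1453 100644
--- a/src/pluto/kernel_pfkey.c
+++ b/src/pluto/kernel_pfkey.c
@@ -41,11 +41,8 @@
 #include "kernel_pfkey.h"
 #include "log.h"
 #include "whack.h" /* for RC_LOG_SERIOUS */
-#ifdef NAT_TRAVERSAL
 #include "demux.h"
 #include "nat_traversal.h"
-#endif
-
 #include "alg_info.h"
 #include "kernel_alg.h"
@@ -77,9 +74,7 @@ static sparse_names pfkey_type_names = {
 NE(SADB_X_ADDFLOW),
 NE(SADB_X_DELFLOW),
 NE(SADB_X_DEBUG),
-#ifdef NAT_TRAVERSAL
 NE(SADB_X_NAT_T_NEW_MAPPING),
-#endif
 NE(SADB_MAX),
 { 0, sparse_end }
 };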
@@ -250,10 +245,7 @@ pfkey_get(pfkey_buf *buf) else if (!(buf->msg.sadb_msg_pid == (unsigned)pid || (buf->msg.sadb_msg_pid == 0 && buf->msg.sadb_msg_type == SADB_ACQUIRE) || (buf->msg.sadb_msg_type == SADB_REGISTER) -#ifdef NAT_TRAVERSAL - || (buf->msg.sadb_msg_pid == 0 && buf->msg.sadb_msg_type == SADB_X_NAT_T_NEW_MAPPING) -#endif - )) + || (buf->msg.sadb_msg_pid == 0 && buf->msg.sadb_msg_type == SADB_X_NAT_T_NEW_MAPPING))) { /* not for us: ignore */ DBG(DBG_KLIPS, @@ -435,11 +427,9 @@ pfkey_async(pfkey_buf *buf) /* to simulate loss of ACQUIRE, delete this call */ process_pfkey_acquire(buf, extensions); break; -#ifdef NAT_TRAVERSAL case SADB_X_NAT_T_NEW_MAPPING: process_pfkey_nat_t_new_mapping(&(buf->msg), extensions); break; -#endif default: /* ignored */ break; @@ -821,8 +811,7 @@ pfkey_add_sa(const struct kernel_sa *sa, bool replace) , SADB_EXT_KEY_ENCRYPT, sa->enckeylen * BITS_PER_BYTE , sa->enckey) , "pfkey_key_e Add SA", sa->text_said, extensions)) - -#ifdef NAT_TRAVERSAL + && (sa->natt_type == 0 || pfkey_build(pfkey_x_nat_t_type_build( &extensions[SADB_X_EXT_NAT_T_TYPE], sa->natt_type), @@ -840,10 +829,9 @@ pfkey_add_sa(const struct kernel_sa *sa, bool replace) && (sa->natt_type == 0 || isanyaddr(sa->natt_oa) || pfkeyext_address(SADB_X_EXT_NAT_T_OA, sa->natt_oa , "pfkey_nat_t_oa Add ESP SA", sa->text_said, extensions)) -#endif && finish_pfkey_msg(extensions, "Add SA", sa->text_said, NULL); - + } static bool diff --git a/src/pluto/keys.c b/src/pluto/keys.c index faa3ae38d..106573f33 100644 --- a/src/pluto/keys.c +++ b/src/pluto/keys.c @@ -55,11 +55,6 @@ #include "timer.h" #include "fetch.h" -#ifdef NAT_TRAVERSAL -#define PB_STREAM_UNDEFINED -#include "nat_traversal.h" -#endif - const char *shared_secrets_file = SHARED_SECRETS_FILE; typedef struct id_list id_list_t; 
@@ -185,19 +180,16 @@ get_secret(const struct connection *c, enum PrivateKeyKind kind, bool asym) happy(anyaddr(addrtypeof(&c->spd.that.host_addr), &rw_id.ip_addr)); his_id = &rw_id; } -#ifdef NAT_TRAVERSAL - else if (nat_traversal_enabled + else if (kind == PPK_PSK && (c->policy & POLICY_PSK) - && kind == PPK_PSK && ((c->kind == CK_TEMPLATE && c->spd.that.id.kind == ID_NONE) || (c->kind == CK_INSTANCE && id_is_ipaddr(&c->spd.that.id)))) { - /* roadwarrior: replace him with 0.0.0.0 */ - rw_id.kind = ID_IPV4_ADDR; - happy(anyaddr(addrtypeof(&c->spd.that.host_addr), &rw_id.ip_addr)); - his_id = &rw_id; + /* roadwarrior: replace him with 0.0.0.0 */ + rw_id.kind = ID_IPV4_ADDR; + happy(anyaddr(addrtypeof(&c->spd.that.host_addr), &rw_id.ip_addr)); + his_id = &rw_id; } -#endif for (s = secrets; s != NULL; s = s->next) { diff --git a/src/pluto/nat_traversal.c b/src/pluto/nat_traversal.c index c95ec6353..ea75e260a 100644 --- a/src/pluto/nat_traversal.c +++ b/src/pluto/nat_traversal.c @@ -14,8 +14,6 @@ * RCSID $Id: nat_traversal.c,v 1.8 2005/01/06 22:36:58 as Exp $ */ -#ifdef NAT_TRAVERSAL - #include <stdio.h> #include <stdlib.h> #include <ctype.h> @@ -31,6 +29,7 @@ #include <ipsec_policy.h> #include <pfkeyv2.h> #include <pfkey.h> + #include "constants.h" #include "defs.h" #include "log.h" @@ -42,8 +41,6 @@ #include "kernel.h" #include "whack.h" #include "timer.h" - - #include "cookie.h" #include "sha1.h" #include "md5.h" @@ -580,7 +577,7 @@ static void nat_traversal_send_ka (struct state *st) /* send keep alive */ setchunk(st->st_tpacket, &ka_payload, 1); - _send_packet(st, "NAT-T Keep Alive", FALSE); + send_packet(st, "NAT-T Keep Alive"); /* restore state chunk */ setchunk(st->st_tpacket, sav.ptr, sav.len); @@ -865,5 +862,3 @@ void process_pfkey_nat_t_new_mapping( plog("SADB_X_NAT_T_NEW_MAPPING message from KLIPS malformed: %s", ugh); } -#endif - diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c index f9badbae3..5d6e7aadf 100644 --- a/src/pluto/plutomain.c 
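Review bot: The rewritten branch in get_secret drops the runtime `nat_traversal_enabled` condition together with the #ifdef, so the 0.0.0.0 road-warrior substitution now applies to every PSK lookup for a CK_TEMPLATE peer with an unset ID or a CK_INSTANCE peer identified by IP address, even when NAT traversal is switched off; the commit message only announces the removal of compile options. Because this widens which peers resolve to the wildcard PSK entry, the guard should stay unless the broadening is intended, `else if (nat_traversal_enabled && kind == PPK_PSK && (c->policy & POLICY_PSK)`, which in turn means keeping the `#include "nat_traversal.h"` (and its PB_STREAM_UNDEFINED define, if still required) that the first hunk of this file removes. If the broadening is intended, a one-line comment above the branch saying so would keep the next reader from restoring the check. get_secret continues outside the hunk.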
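Review bot: nat_traversal_send_ka now calls `send_packet(st, "NAT-T Keep Alive")` where it used to call `_send_packet(st, "NAT-T Keep Alive", FALSE)`; unless send_packet is exactly that call with the third argument fixed to FALSE, keep-alive transmission changes in whatever the dropped flag controlled, and nothing in the commit message covers this substitution. The name suggests a logging or verbosity switch, but that is not visible here, so it is worth confirming against the definition in demux.c and recording the result in a comment, e.g. `/* send_packet() is the public form of _send_packet(); keep-alives need no special treatment */`. As before, the return value is ignored, which is acceptable for a best-effort keep-alive but could be stated in the same comment.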
+++ b/src/pluto/plutomain.c @@ -57,18 +57,11 @@ #include "ocsp.h" #include "crl.h" #include "fetch.h" - #include "sha1.h" #include "md5.h" #include "crypto.h" /* requires sha1.h and md5.h */ - -#ifdef VIRTUAL_IP -#include "virtual.h" -#endif - -#ifdef NAT_TRAVERSAL #include "nat_traversal.h" -#endif +#include "virtual.h" static void usage(const char *mess) @@ -123,17 +116,13 @@ usage(const char *mess) " [--debug-controlmore]" " [--debug-private]" #endif -#ifdef NAT_TRAVERSAL " [ --debug-natt]" " \\\n\t" "[--nat_traversal] [--keep_alive <delay_sec>]" " \\\n\t" "[--force_keepalive] [--disable_port_floating]" -#endif -#ifdef VIRTUAL_IP " \\\n\t" "[--virtual_private <network_list>]" -#endif "\n" "strongSwan %s\n" , ipsec_version_code()); @@ -225,15 +214,11 @@ main(int argc, char **argv) { bool fork_desired = TRUE; bool log_to_stderr_desired = FALSE; -#ifdef NAT_TRAVERSAL bool nat_traversal = FALSE; bool nat_t_spf = TRUE; /* support port floating */ unsigned int keep_alive = 0; bool force_keepalive = FALSE; -#endif -#ifdef VIRTUAL_IP char *virtual_private = NULL; -#endif int lockfd; /* handle arguments */ @@ -269,20 +254,15 @@ main(int argc, char **argv) { "pkcs11module", required_argument, NULL, 'm' }, { "pkcs11keepstate", no_argument, NULL, 'k' }, { "pkcs11proxy", no_argument, NULL, 'y' }, -#ifdef NAT_TRAVERSAL { "nat_traversal", no_argument, NULL, '1' }, { "keep_alive", required_argument, NULL, '2' }, { "force_keepalive", no_argument, NULL, '3' }, { "disable_port_floating", no_argument, NULL, '4' }, { "debug-natt", no_argument, NULL, '5' }, -#endif -#ifdef VIRTUAL_IP { "virtual_private", required_argument, NULL, '6' }, -#endif #ifdef DEBUG { "debug-none", no_argument, NULL, 'N' }, { "debug-all", no_argument, NULL, 'A' }, - { "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET }, { "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET }, { "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET }, 
@@ -460,7 +440,6 @@ main(int argc, char **argv) log_to_perpeer = TRUE; continue; -#ifdef NAT_TRAVERSAL case '1': /* --nat_traversal */ nat_traversal = TRUE; continue; @@ -476,12 +455,9 @@ main(int argc, char **argv) case '5': /* --debug-nat_t */ base_debugging |= DBG_NATT; continue; -#endif -#ifdef VIRTUAL_IP case '6': /* --virtual_private */ virtual_private = optarg; continue; -#endif default: #ifdef DEBUG @@ -620,13 +596,8 @@ main(int argc, char **argv) , ipsec_version_code() , compile_time_interop_options); -#ifdef NAT_TRAVERSAL init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf); -#endif - -#ifdef VIRTUAL_IP init_virtual_ip(virtual_private); -#endif scx_init(pkcs11_module_path); /* load and initialize PKCS #11 module */ init_rnd_pool(); init_secret(); diff --git a/src/pluto/rcv_whack.c b/src/pluto/rcv_whack.c index 4bc8bca0a..6a39e7c1f 100644 --- a/src/pluto/rcv_whack.c +++ b/src/pluto/rcv_whack.c 
@@ -321,28 +321,24 @@ whack_handle(int whackctlfd) || !unpack_str(&msg.left.ca) /* string 4 */ || !unpack_str(&msg.left.groups) /* string 5 */ || !unpack_str(&msg.left.updown) /* string 6 */ -#ifdef VIRTUAL_IP - || !unpack_str(&msg.left.virt) -#endif - || !unpack_str(&msg.right.id) /* string 7 */ - || !unpack_str(&msg.right.cert) /* string 8 */ - || !unpack_str(&msg.right.ca) /* string 9 */ - || !unpack_str(&msg.right.groups) /* string 10 */ - || !unpack_str(&msg.right.updown) /* string 11 */ -#ifdef VIRTUAL_IP - || !unpack_str(&msg.right.virt) -#endif - || !unpack_str(&msg.keyid) /* string 12 */ - || !unpack_str(&msg.myid) /* string 13 */ - || !unpack_str(&msg.cacert) /* string 14 */ - || !unpack_str(&msg.ldaphost) /* string 15 */ - || !unpack_str(&msg.ldapbase) /* string 16 */ - || !unpack_str(&msg.crluri) /* string 17 */ - || !unpack_str(&msg.crluri2) /* string 18 */ - || !unpack_str(&msg.ocspuri) /* string 19 */ - || !unpack_str(&msg.ike) /* string 20 */ - || !unpack_str(&msg.esp) /* string 21 */ - || !unpack_str(&msg.sc_data) /* string 22 */ + || !unpack_str(&msg.left.virt) /* string 7 */ + || !unpack_str(&msg.right.id) /* string 8 */ + || !unpack_str(&msg.right.cert) /* string 9 */ + || !unpack_str(&msg.right.ca) /* string 10 */ + || !unpack_str(&msg.right.groups) /* string 11 */ + || !unpack_str(&msg.right.updown) /* string 12 */ + || !unpack_str(&msg.right.virt) /* string 13 */ + || !unpack_str(&msg.keyid) /* string 14 */ + || !unpack_str(&msg.myid) /* string 15 */ + || !unpack_str(&msg.cacert) /* string 16 */ + || !unpack_str(&msg.ldaphost) /* string 17 */ + || !unpack_str(&msg.ldapbase) /* string 18 */ + || !unpack_str(&msg.crluri) /* string 19 */ + || !unpack_str(&msg.crluri2) /* string 20 */ + || !unpack_str(&msg.ocspuri) /* string 21 */ + || !unpack_str(&msg.ike) /* string 22 */ + || !unpack_str(&msg.esp) /* string 23 */ + || !unpack_str(&msg.sc_data) /* string 24 */ || str_roof - next_str != (ptrdiff_t)msg.keyval.len) /* check chunk */ { ugh = 
"message from whack contains bad string"; diff --git a/src/pluto/server.c b/src/pluto/server.c index 2defbc042..9cd3e07c0 100644 --- a/src/pluto/server.c +++ b/src/pluto/server.c @@ -62,10 +62,7 @@ #include <pfkeyv2.h> #include <pfkey.h> #include "kameipsec.h" - -#ifdef NAT_TRAVERSAL #include "nat_traversal.h" -#endif /* * Server main loop and socket initialization routines. @@ -702,13 +699,11 @@ add_entry: if (fd < 0) break; -#ifdef NAT_TRAVERSAL if (nat_traversal_support_non_ike && addrtypeof(&ifp->addr) == AF_INET) { nat_traversal_espinudp_socket(fd, ESPINUDP_WITH_NON_IKE); } -#endif q = alloc_thing(struct iface, "struct iface"); q->rname = clone_str(ifp->name, "real device name"); @@ -720,7 +715,7 @@ add_entry: interfaces = q; plog("adding interface %s/%s %s:%d" , q->vname, q->rname, ip_str(&q->addr), pluto_port); -#ifdef NAT_TRAVERSAL + if (nat_traversal_support_port_floating && addrtypeof(&ifp->addr) == AF_INET) { @@ -742,7 +737,6 @@ add_entry: plog("adding interface %s/%s %s:%d", q->vname, q->rname, ip_str(&q->addr), NAT_T_IKE_FLOAT_PORT); } -#endif break; } @@ -753,16 +747,17 @@ add_entry: { /* matches -- rejuvinate old entry */ q->change = IFN_KEEP; -#ifdef NAT_TRAVERSAL + /* look for other interfaces to keep (due to NAT-T) */ - for (q = q->next ; q ; q = q->next) { + for (q = q->next ; q ; q = q->next) + { if (streq(q->rname, ifp->name) - && streq(q->vname, v->name) - && sameaddr(&q->addr, &ifp->addr)) { - q->change = IFN_KEEP; + && streq(q->vname, v->name) + && sameaddr(&q->addr, &ifp->addr)) + { + q->change = IFN_KEEP; } } -#endif break; } diff --git a/src/pluto/server.h b/src/pluto/server.h index aa14d5aaa..d90e47c8f 100644 --- a/src/pluto/server.h +++ b/src/pluto/server.h @@ -40,9 +40,7 @@ struct iface { ip_address addr; /* interface IP address */ int fd; /* file descriptor of socket for IKE UDP messages */ struct iface *next; -#ifdef NAT_TRAVERSAL bool ike_float; -#endif enum { IFN_ADD, IFN_KEEP, IFN_DELETE } change; }; 
diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c index 6515ec7ff..6bdc82dae 100644 --- a/src/pluto/spdb.c +++ b/src/pluto/spdb.c @@ -35,23 +35,19 @@ #include "kernel.h" #include "log.h" #include "spdb.h" -#include "whack.h" /* for RC_LOG_SERIOUS */ - +#include "whack.h" #include "sha1.h" #include "md5.h" #include "crypto.h" /* requires sha1.h and md5.h */ - #include "alg_info.h" #include "kernel_alg.h" #include "ike_alg.h" #include "db_ops.h" +#include "nat_traversal.h" + #define AD(x) x, elemsof(x) /* Array Description */ #define AD_NULL NULL, 0 -#ifdef NAT_TRAVERSAL -#include "nat_traversal.h" -#endif - /**************** Oakely (main mode) SA database ****************/ /* arrays of attributes for transforms, preshared key */ @@ -659,7 +655,6 @@ out_sa(pb_stream *outs if (p->protoid != PROTO_IPCOMP || st->st_policy & POLICY_TUNNEL) { -#ifdef NAT_TRAVERSAL #ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT if ((st->nat_traversal & NAT_T_DETECTED) && !(st->st_policy & POLICY_TUNNEL)) @@ -672,22 +667,16 @@ out_sa(pb_stream *outs "using Tunnel mode"); } #endif -#endif out_attr(ENCAPSULATION_MODE -#ifdef NAT_TRAVERSAL #ifdef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT - , NAT_T_ENCAPSULATION_MODE(st,st->st_policy) + , NAT_T_ENCAPSULATION_MODE(st, st->st_policy) #else /* If NAT-T is detected, use UDP_TUNNEL as long as Transport * Mode has security concerns. * * User has been informed of that */ - , NAT_T_ENCAPSULATION_MODE(st,POLICY_TUNNEL) -#endif -#else /* ! NAT_TRAVERSAL */ - , st->st_policy & POLICY_TUNNEL - ? ENCAPSULATION_MODE_TUNNEL : ENCAPSULATION_MODE_TRANSPORT + , NAT_T_ENCAPSULATION_MODE(st, POLICY_TUNNEL) #endif , attr_desc, attr_val_descs , &trans_pbs); @@ -1557,7 +1546,6 @@ parse_ipsec_transform(struct isakmp_transform *trans break; case ENCAPSULATION_MODE | ISAKMP_ATTR_AF_TV: ipcomp_inappropriate = FALSE; -#ifdef NAT_TRAVERSAL switch (val) { case ENCAPSULATION_MODE_TUNNEL: 
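@@ -1642,9 +1630,6 @@ parse_ipsec_transform(struct isakmp_transform *trans
 , "unknown ENCAPSULATION_MODE %d in IPSec SA", val);
 return FALSE;
 }
-#else
- attrs->encapsulation = val;
-#endif
 break;
 case AUTH_ALGORITHM | ISAKMP_ATTR_AF_TV:
 attrs->auth = val;
diff --git a/src/pluto/state.h b/src/pluto/state.h
index 2f30d77f1..f4a0bc8aa 100644
--- a/src/pluto/state.h
+++ b/src/pluto/state.h
@@ -201,7 +201,7 @@ struct state
 unsigned int st_iv_len;
 unsigned int st_new_iv_len;
 unsigned int st_ph1_iv_len;
-
+
 chunk_t st_enc_key; /* Oakley Encryption key */
 struct event *st_event; /* backpointer for certain events */
@@ -212,11 +212,9 @@ struct state
 bool vars_set;
 bool started;
 } st_modecfg;
-
-#ifdef NAT_TRAVERSAL
+
 u_int32_t nat_traversal;
 ip_address nat_oa;
-#endif
 /* RFC 3706 Dead Peer Detection */
 bool st_dpd; /* Peer supports DPD */
diff --git a/src/pluto/timer.c b/src/pluto/timer.c
index 4d9ef8fab..9d3f90ce3 100644
--- a/src/pluto/timer.c
+++ b/src/pluto/timer.c
@@ -38,10 +38,7 @@
 #include "rnd.h"
 #include "timer.h"
 #include "whack.h"
-
-#ifdef NAT_TRAVERSAL
 #include "nat_traversal.h"
-#endif
 /* monotonic version of time(3) */
 time_t
@@ -427,11 +424,9 @@ handle_timer_event(void)
 case EVENT_DPD_TIMEOUT:
 dpd_timeout(st);
 break;
-#ifdef NAT_TRAVERSAL
 case EVENT_NAT_T_KEEPALIVE:
 nat_traversal_ka_event();
 break;
-#endif
 default:
 loglog(RC_LOG_SERIOUS, "INTERNAL ERROR: ignoring unknown expiring event %s"
 , enum_show(&timer_event_names, type));
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index 92116d301..2a53f973d 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -30,10 +30,7 @@
 #include "whack.h"
 #include "vendor.h"
 #include "kernel.h"
-
-#ifdef NAT_TRAVERSAL
 #include "nat_traversal.h"
-#endif
 /**
 * Unknown/Special VID: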
@@ -348,7 +345,7 @@ handle_known_vendorid (struct msg_digest *md md->openpgp = TRUE; vid_useful = TRUE; break; -#ifdef NAT_TRAVERSAL + /* * Use most recent supported NAT-Traversal method and ignore the * other ones (implementations will send all supported methods but @@ -376,7 +373,7 @@ handle_known_vendorid (struct msg_digest *md vid_useful = TRUE; } break; -#endif + /* Remote side would like to do DPD with us on this connection */ case VID_MISC_DPD: md->dpd = TRUE; diff --git a/src/pluto/virtual.c b/src/pluto/virtual.c index 58487c1e8..d1553364e 100644 --- a/src/pluto/virtual.c +++ b/src/pluto/virtual.c @@ -14,8 +14,6 @@ * RCSID $Id: virtual.c,v 1.4 2004/04/02 10:38:52 as Exp $ */ -#ifdef VIRTUAL_IP - #include <freeswan.h> #include <stdlib.h> @@ -334,5 +332,3 @@ is_virtual_net_allowed(const struct connection *c, const ip_subnet *peer_net, return FALSE; } -#endif - |