/*
This file is part of GNUnet.
Copyright (C) 2010 GNUnet e.V.
GNUnet is free software: you can redistribute it and/or modify it
under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License,
or (at your option) any later version.
GNUnet is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see .
*/
/**
* @file src/nat/gnunet-helper-nat-client.c
* @brief Tool to help bypass NATs using ICMP method; must run as root (SUID will do)
* This code will work under GNU/Linux only.
* @author Christian Grothoff
*
* This program will send ONE ICMP message using RAW sockets
* to the IP address specified as the second argument. Since
* it uses RAW sockets, it must be installed SUID or run as 'root'.
* In order to keep the security risk of the resulting SUID binary
* minimal, the program ONLY opens the RAW socket with root
* privileges, then drops them and only then starts to process
* command line arguments. The code also does not link against
* any shared libraries (except libc) and is strictly minimal
* (except for checking for errors). The following list of people
* have reviewed this code and considered it safe since the last
* modification (if you reviewed it, please have your name added
* to the list):
*
* - Christian Grothoff
* - Nathan Evans
* - Benjamin Kuperman (22 Aug 2010)
*/
#if HAVE_CONFIG_H
/* Just needed for HAVE_SOCKADDR_IN_SIN_LEN test macro! */
#include "gnunet_config.h"
#else
#define _GNU_SOURCE
#endif
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
/* The following constant is missing from FreeBSD 9.2 */
#ifndef ICMP_TIME_EXCEEDED
#define ICMP_TIME_EXCEEDED 11
#endif
/**
* Call memcpy() but check for @a n being 0 first. In the latter
* case, it is now safe to pass NULL for @a src or @a dst.
* Unlike traditional memcpy(), returns nothing.
*
* @param dst destination of the copy, may be NULL if @a n is zero
* @param src source of the copy, may be NULL if @a n is zero
* @param n number of bytes to copy
*/
#define GNUNET_memcpy(dst,src,n) do { if (0 != n) { (void) memcpy (dst,src,n); } } while (0)
/**
* Must match IP given in the server.
*/
#define DUMMY_IP "192.0.2.86"
#define NAT_TRAV_PORT 22225
/**
* Must match packet ID used by gnunet-helper-nat-server.c
*/
#define PACKET_ID 256
/**
* IPv4 header.
*/
struct ip_header
{
/**
* Version (4 bits) + Internet header length (4 bits)
*/
uint8_t vers_ihl;
/**
* Type of service
*/
uint8_t tos;
/**
* Total length
*/
uint16_t pkt_len;
/**
* Identification
*/
uint16_t id;
/**
* Flags (3 bits) + Fragment offset (13 bits)
*/
uint16_t flags_frag_offset;
/**
* Time to live
*/
uint8_t ttl;
/**
* Protocol
*/
uint8_t proto;
/**
* Header checksum
*/
uint16_t checksum;
/**
* Source address
*/
uint32_t src_ip;
/**
* Destination address
*/
uint32_t dst_ip;
};
/**
* Format of ICMP packet.
*/
struct icmp_ttl_exceeded_header
{
uint8_t type;
uint8_t code;
uint16_t checksum;
uint32_t unused;
/* followed by original payload */
};
struct icmp_echo_header
{
uint8_t type;
uint8_t code;
uint16_t checksum;
uint32_t reserved;
};
/**
* Beginning of UDP packet.
*/
struct udp_header
{
uint16_t src_port;
uint16_t dst_port;
uint16_t length;
uint16_t crc;
};
/**
* Socket we use to send our fake ICMP replies.
*/
static int rawsock;
/**
* Target "dummy" address of the packet we pretend to respond to.
*/
static struct in_addr dummy;
/**
* Our "source" port.
*/
static uint16_t port;
/**
* CRC-16 for IP/ICMP headers.
*
* @param data what to calculate the CRC over
* @param bytes number of bytes in data (must be multiple of 2)
* @return the CRC 16.
*/
static uint16_t
calc_checksum (const uint16_t * data, unsigned int bytes)
{
uint32_t sum;
unsigned int i;
sum = 0;
for (i = 0; i < bytes / 2; i++)
sum += data[i];
sum = (sum & 0xffff) + (sum >> 16);
sum = htons (0xffff - sum);
return sum;
}
/**
* Send an ICMP message to the target.
*
* @param my_ip source address
* @param other target address
*/
static void
send_icmp_udp (const struct in_addr *my_ip, const struct in_addr *other)
{
char packet[sizeof (struct ip_header) * 2 +
sizeof (struct icmp_ttl_exceeded_header) +
sizeof (struct udp_header)];
struct ip_header ip_pkt;
struct icmp_ttl_exceeded_header icmp_pkt;
struct udp_header udp_pkt;
struct sockaddr_in dst;
size_t off;
int err;
/* ip header: send to (known) ip address */
off = 0;
ip_pkt.vers_ihl = 0x45;
ip_pkt.tos = 0;
#ifdef FREEBSD
ip_pkt.pkt_len = sizeof (packet); /* Workaround PR kern/21737 */
#else
ip_pkt.pkt_len = htons (sizeof (packet));
#endif
ip_pkt.id = htons (PACKET_ID);
ip_pkt.flags_frag_offset = 0;
ip_pkt.ttl = 128;
ip_pkt.proto = IPPROTO_ICMP;
ip_pkt.checksum = 0;
ip_pkt.src_ip = my_ip->s_addr;
ip_pkt.dst_ip = other->s_addr;
ip_pkt.checksum =
htons (calc_checksum ((uint16_t *) & ip_pkt, sizeof (struct ip_header)));
GNUNET_memcpy (&packet[off],
&ip_pkt,
sizeof (struct ip_header));
off += sizeof (struct ip_header);
icmp_pkt.type = ICMP_TIME_EXCEEDED;
icmp_pkt.code = 0;
icmp_pkt.checksum = 0;
icmp_pkt.unused = 0;
GNUNET_memcpy (&packet[off],
&icmp_pkt,
sizeof (struct icmp_ttl_exceeded_header));
off += sizeof (struct icmp_ttl_exceeded_header);
/* ip header of the presumably 'lost' udp packet */
ip_pkt.vers_ihl = 0x45;
ip_pkt.tos = 0;
ip_pkt.pkt_len =
htons (sizeof (struct ip_header) + sizeof (struct udp_header));
ip_pkt.id = htons (0);
ip_pkt.flags_frag_offset = 0;
ip_pkt.ttl = 128;
ip_pkt.proto = IPPROTO_UDP;
ip_pkt.checksum = 0;
ip_pkt.src_ip = other->s_addr;
ip_pkt.dst_ip = dummy.s_addr;
ip_pkt.checksum =
htons (calc_checksum ((uint16_t *) & ip_pkt, sizeof (struct ip_header)));
GNUNET_memcpy (&packet[off],
&ip_pkt,
sizeof (struct ip_header));
off += sizeof (struct ip_header);
/* build UDP header */
udp_pkt.src_port = htons (NAT_TRAV_PORT);
udp_pkt.dst_port = htons (NAT_TRAV_PORT);
udp_pkt.length = htons (port);
udp_pkt.crc = 0;
GNUNET_memcpy (&packet[off],
&udp_pkt,
sizeof (struct udp_header));
off += sizeof (struct udp_header);
/* set ICMP checksum */
icmp_pkt.checksum =
htons (calc_checksum
((uint16_t *) & packet[sizeof (struct ip_header)],
sizeof (struct icmp_ttl_exceeded_header) +
sizeof (struct ip_header) + sizeof (struct udp_header)));
GNUNET_memcpy (&packet[sizeof (struct ip_header)],
&icmp_pkt,
sizeof (struct icmp_ttl_exceeded_header));
memset (&dst, 0, sizeof (dst));
dst.sin_family = AF_INET;
#if HAVE_SOCKADDR_IN_SIN_LEN
dst.sin_len = sizeof (struct sockaddr_in);
#endif
dst.sin_addr = *other;
err =
sendto (rawsock, packet, sizeof (packet), 0, (struct sockaddr *) &dst,
sizeof (dst));
if (err < 0)
{
fprintf (stderr, "sendto failed: %s\n", strerror (errno));
}
else if (sizeof (packet) != (size_t) err)
{
fprintf (stderr, "Error: partial send of ICMP message with size %lu\n", (unsigned long) off);
}
}
/**
* Send an ICMP message to the target.
*
* @param my_ip source address
* @param other target address
*/
static void
send_icmp (const struct in_addr *my_ip, const struct in_addr *other)
{
struct ip_header ip_pkt;
struct icmp_ttl_exceeded_header icmp_ttl;
struct icmp_echo_header icmp_echo;
struct sockaddr_in dst;
char packet[sizeof (struct ip_header) * 2 +
sizeof (struct icmp_ttl_exceeded_header) +
sizeof (struct icmp_echo_header)];
size_t off;
int err;
/* ip header: send to (known) ip address */
off = 0;
ip_pkt.vers_ihl = 0x45;
ip_pkt.tos = 0;
#ifdef FREEBSD
ip_pkt.pkt_len = sizeof (packet); /* Workaround PR kern/21737 */
#else
ip_pkt.pkt_len = htons (sizeof (packet));
#endif
ip_pkt.id = htons (PACKET_ID);
ip_pkt.flags_frag_offset = 0;
ip_pkt.ttl = IPDEFTTL;
ip_pkt.proto = IPPROTO_ICMP;
ip_pkt.checksum = 0;
ip_pkt.src_ip = my_ip->s_addr;
ip_pkt.dst_ip = other->s_addr;
ip_pkt.checksum =
htons (calc_checksum ((uint16_t *) & ip_pkt, sizeof (struct ip_header)));
GNUNET_memcpy (&packet[off],
&ip_pkt,
sizeof (struct ip_header));
off = sizeof (ip_pkt);
/* icmp reply: time exceeded */
icmp_ttl.type = ICMP_TIME_EXCEEDED;
icmp_ttl.code = 0;
icmp_ttl.checksum = 0;
icmp_ttl.unused = 0;
GNUNET_memcpy (&packet[off],
&icmp_ttl,
sizeof (struct icmp_ttl_exceeded_header));
off += sizeof (struct icmp_ttl_exceeded_header);
/* ip header of the presumably 'lost' udp packet */
ip_pkt.vers_ihl = 0x45;
ip_pkt.tos = 0;
ip_pkt.pkt_len =
htons (sizeof (struct ip_header) + sizeof (struct icmp_echo_header));
ip_pkt.id = htons (PACKET_ID);
ip_pkt.flags_frag_offset = 0;
ip_pkt.ttl = 1; /* real TTL would be 1 on a time exceeded packet */
ip_pkt.proto = IPPROTO_ICMP;
ip_pkt.src_ip = other->s_addr;
ip_pkt.dst_ip = dummy.s_addr;
ip_pkt.checksum = 0;
ip_pkt.checksum =
htons (calc_checksum ((uint16_t *) & ip_pkt, sizeof (struct ip_header)));
GNUNET_memcpy (&packet[off],
&ip_pkt,
sizeof (struct ip_header));
off += sizeof (struct ip_header);
icmp_echo.type = ICMP_ECHO;
icmp_echo.code = 0;
icmp_echo.reserved = htonl (port);
icmp_echo.checksum = 0;
icmp_echo.checksum =
htons (calc_checksum
((uint16_t *) &icmp_echo, sizeof (struct icmp_echo_header)));
GNUNET_memcpy (&packet[off],
&icmp_echo,
sizeof (struct icmp_echo_header));
/* no go back to calculate ICMP packet checksum */
off = sizeof (struct ip_header);
icmp_ttl.checksum =
htons (calc_checksum
((uint16_t *) & packet[off],
sizeof (struct icmp_ttl_exceeded_header) +
sizeof (struct ip_header) + sizeof (struct icmp_echo_header)));
GNUNET_memcpy (&packet[off],
&icmp_ttl,
sizeof (struct icmp_ttl_exceeded_header));
/* prepare for transmission */
memset (&dst, 0, sizeof (dst));
dst.sin_family = AF_INET;
#if HAVE_SOCKADDR_IN_SIN_LEN
dst.sin_len = sizeof (struct sockaddr_in);
#endif
dst.sin_addr = *other;
err =
sendto (rawsock, packet, sizeof (packet), 0, (struct sockaddr *) &dst,
sizeof (dst));
if (err < 0)
{
fprintf (stderr, "sendto failed: %s\n", strerror (errno));
}
else if (sizeof (packet) != (size_t) err)
{
fprintf (stderr, "Error: partial send of ICMP message\n");
}
}
int
main (int argc, char *const *argv)
{
const int one = 1;
struct in_addr external;
struct in_addr target;
uid_t uid;
unsigned int p;
int raw_eno;
int global_ret;
/* Create an ICMP raw socket for writing (only operation that requires root) */
rawsock = socket (AF_INET, SOCK_RAW, IPPROTO_RAW);
raw_eno = errno; /* for later error checking */
/* now drop root privileges */
uid = getuid ();
#ifdef HAVE_SETRESUID
if (0 != setresuid (uid, uid, uid))
{
fprintf (stderr, "Failed to setresuid: %s\n", strerror (errno));
global_ret = 1;
goto cleanup;
}
#else
if (0 != (setuid (uid) | seteuid (uid)))
{
fprintf (stderr, "Failed to setuid: %s\n", strerror (errno));
global_ret = 2;
goto cleanup;
}
#endif
if (-1 == rawsock)
{
fprintf (stderr, "Error opening RAW socket: %s\n", strerror (raw_eno));
global_ret = 3;
goto cleanup;
}
if (0 !=
setsockopt (rawsock, SOL_SOCKET, SO_BROADCAST, (char *) &one, sizeof (one)))
{
fprintf (stderr, "setsockopt failed: %s\n", strerror (errno));
global_ret = 4;
goto cleanup;
}
if (0 !=
setsockopt (rawsock, IPPROTO_IP, IP_HDRINCL, (char *) &one, sizeof (one)))
{
fprintf (stderr, "setsockopt failed: %s\n", strerror (errno));
global_ret = 5;
goto cleanup;
}
if (4 != argc)
{
fprintf (stderr,
"This program must be started with our IP, the targets external IP, and our port as arguments.\n");
global_ret = 6;
goto cleanup;
}
if ((1 != inet_pton (AF_INET, argv[1], &external)) ||
(1 != inet_pton (AF_INET, argv[2], &target)))
{
fprintf (stderr, "Error parsing IPv4 address: %s\n", strerror (errno));
global_ret = 7;
goto cleanup;
}
if ((1 != sscanf (argv[3], "%u", &p)) || (0 == p) || (0xFFFF < p))
{
fprintf (stderr, "Error parsing port value `%s'\n", argv[3]);
global_ret = 8;
goto cleanup;
}
port = (uint16_t) p;
if (1 != inet_pton (AF_INET, DUMMY_IP, &dummy))
{
fprintf (stderr, "Internal error converting dummy IP to binary.\n");
global_ret = 9;
goto cleanup;
}
send_icmp (&external, &target);
send_icmp_udp (&external, &target);
global_ret = 0;
cleanup:
if (-1 != rawsock)
(void) close (rawsock);
return global_ret;
}
/* end of gnunet-helper-nat-client.c */