[oweals/gnunet.git] / src / nat / gnunet-helper-nat-client.c

/*
     This file is part of GNUnet.
     Copyright (C) 2010 GNUnet e.V.

     GNUnet is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published
     by the Free Software Foundation; either version 3, or (at your
     option) any later version.

     GNUnet is distributed in the hope that it will be useful, but
     WITHOUT ANY WARRANTY; without even the implied warranty of
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
     General Public License for more details.

     You should have received a copy of the GNU General Public License
     along with GNUnet; see the file COPYING.  If not, write to the
     Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
     Boston, MA 02110-1301, USA.
*/

/**
 * @file src/nat/gnunet-helper-nat-client.c
 * @brief Tool to help bypass NATs using ICMP method; must run as root (SUID will do)
 *        This code will work under GNU/Linux only.
 * @author Christian Grothoff
 *
 * This program will send ONE ICMP message using RAW sockets
 * to the IP address specified as the second argument.  Since
 * it uses RAW sockets, it must be installed SUID or run as 'root'.
 * In order to keep the security risk of the resulting SUID binary
 * minimal, the program ONLY opens the RAW socket with root
 * privileges, then drops them and only then starts to process
 * command line arguments.  The code also does not link against
 * any shared libraries (except libc) and is strictly minimal
 * (except for checking for errors).  The following list of people
 * have reviewed this code and considered it safe since the last
 * modification (if you reviewed it, please have your name added
 * to the list):
 *
 * - Christian Grothoff
 * - Nathan Evans
 * - Benjamin Kuperman (22 Aug 2010)
 */
#if HAVE_CONFIG_H
/* Just needed for HAVE_SOCKADDR_IN_SIN_LEN test macro! */
#include "gnunet_config.h"
#else
#define _GNU_SOURCE
#endif
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <stdlib.h>
#include <stdint.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/in.h>

/* The following constant is missing from FreeBSD 9.2 */
#ifndef ICMP_TIME_EXCEEDED
#define ICMP_TIME_EXCEEDED 11
#endif

/**
 * Call memcpy() but check for @a n being 0 first. In the latter
 * case, it is now safe to pass NULL for @a src or @a dst.
 * Unlike traditional memcpy(), returns nothing.
 *
 * @param dst destination of the copy, may be NULL if @a n is zero
 * @param src source of the copy, may be NULL if @a n is zero
 * @param n number of bytes to copy
 */
#define GNUNET_memcpy(dst,src,n) do { if (0 != n) { (void) memcpy (dst,src,n); } } while (0)

/**
 * Must match IP given in the server.
 */
#define DUMMY_IP "192.0.2.86"

#define NAT_TRAV_PORT 22225

/**
 * Must match packet ID used by gnunet-helper-nat-server.c
 */
#define PACKET_ID 256

/**
 * IPv4 header.
 */
struct ip_header
{

  /**
   * Version (4 bits) + Internet header length (4 bits)
   */
  uint8_t vers_ihl;

  /**
   * Type of service
   */
  uint8_t tos;

  /**
   * Total length
   */
  uint16_t pkt_len;

  /**
   * Identification
   */
  uint16_t id;

  /**
   * Flags (3 bits) + Fragment offset (13 bits)
   */
  uint16_t flags_frag_offset;

  /**
   * Time to live
   */
  uint8_t ttl;

  /**
   * Protocol
   */
  uint8_t proto;

  /**
   * Header checksum
   */
  uint16_t checksum;

  /**
   * Source address
   */
  uint32_t src_ip;

  /**
   * Destination address
   */
  uint32_t dst_ip;
};

/**
 * Format of ICMP packet.
 */
struct icmp_ttl_exceeded_header
{
  uint8_t type;

  uint8_t code;

  uint16_t checksum;

  uint32_t unused;

  /* followed by original payload */
};

struct icmp_echo_header
{
  uint8_t type;

  uint8_t code;

  uint16_t checksum;

  uint32_t reserved;
};

/**
 * Beginning of UDP packet.
 */
struct udp_header
{
  uint16_t src_port;

  uint16_t dst_port;

  uint16_t length;

  uint16_t crc;
};

/**
 * Socket we use to send our fake ICMP replies.
 */
static int rawsock;

/**
 * Target "dummy" address of the packet we pretend to respond to.
 */
static struct in_addr dummy;

/**
 * Our "source" port.
 */
static uint16_t port;


/**
 * CRC-16 for IP/ICMP headers.
 *
 * @param data what to calculate the CRC over
 * @param bytes number of bytes in data (must be multiple of 2)
 * @return the CRC 16.
 */
static uint16_t
calc_checksum (const uint16_t * data, unsigned int bytes)
{
  uint32_t sum;
  unsigned int i;

  sum = 0;
  for (i = 0; i < bytes / 2; i++)
    sum += data[i];
  sum = (sum & 0xffff) + (sum >> 16);
  sum = htons (0xffff - sum);
  return sum;
}


/**
 * Send an ICMP message to the target.
 *
 * @param my_ip source address
 * @param other target address
 */
static void
send_icmp_udp (const struct in_addr *my_ip, const struct in_addr *other)
{
  char packet[sizeof (struct ip_header) * 2 +
              sizeof (struct icmp_ttl_exceeded_header) +
              sizeof (struct udp_header)];
  struct ip_header ip_pkt;
  struct icmp_ttl_exceeded_header icmp_pkt;
  struct udp_header udp_pkt;
  struct sockaddr_in dst;
  size_t off;
  int err;

  /* ip header: send to (known) ip address */
  off = 0;
  ip_pkt.vers_ihl = 0x45;
  ip_pkt.tos = 0;
#ifdef FREEBSD
  ip_pkt.pkt_len = sizeof (packet); /* Workaround PR kern/21737 */
#else
  ip_pkt.pkt_len = htons (sizeof (packet));
#endif
  ip_pkt.id = htons (PACKET_ID);
  ip_pkt.flags_frag_offset = 0;
  ip_pkt.ttl = 128;
  ip_pkt.proto = IPPROTO_ICMP;
  ip_pkt.checksum = 0;
  ip_pkt.src_ip = my_ip->s_addr;
  ip_pkt.dst_ip = other->s_addr;
  ip_pkt.checksum =
      htons (calc_checksum ((uint16_t *) & ip_pkt, sizeof (struct ip_header)));
  GNUNET_memcpy (&packet[off],
                 &ip_pkt,
                 sizeof (struct ip_header));
  off += sizeof (struct ip_header);

  icmp_pkt.type = ICMP_TIME_EXCEEDED;
  icmp_pkt.code = 0;
  icmp_pkt.checksum = 0;
  icmp_pkt.unused = 0;
  GNUNET_memcpy (&packet[off],
                 &icmp_pkt,
                 sizeof (struct icmp_ttl_exceeded_header));
  off += sizeof (struct icmp_ttl_exceeded_header);

  /* ip header of the presumably 'lost' udp packet */
  ip_pkt.vers_ihl = 0x45;
  ip_pkt.tos = 0;
  ip_pkt.pkt_len =
      htons (sizeof (struct ip_header) + sizeof (struct udp_header));
  ip_pkt.id = htons (0);
  ip_pkt.flags_frag_offset = 0;
  ip_pkt.ttl = 128;
  ip_pkt.proto = IPPROTO_UDP;
  ip_pkt.checksum = 0;
  ip_pkt.src_ip = other->s_addr;
  ip_pkt.dst_ip = dummy.s_addr;
  ip_pkt.checksum =
      htons (calc_checksum ((uint16_t *) & ip_pkt, sizeof (struct ip_header)));
  GNUNET_memcpy (&packet[off],
                 &ip_pkt,
                 sizeof (struct ip_header));
  off += sizeof (struct ip_header);

  /* build UDP header */
  udp_pkt.src_port = htons (NAT_TRAV_PORT);
  udp_pkt.dst_port = htons (NAT_TRAV_PORT);
  udp_pkt.length = htons (port);
  udp_pkt.crc = 0;
  GNUNET_memcpy (&packet[off],
                 &udp_pkt,
                 sizeof (struct udp_header));
  off += sizeof (struct udp_header);

  /* set ICMP checksum */
  icmp_pkt.checksum =
      htons (calc_checksum
             ((uint16_t *) & packet[sizeof (struct ip_header)],
              sizeof (struct icmp_ttl_exceeded_header) +
              sizeof (struct ip_header) + sizeof (struct udp_header)));
  GNUNET_memcpy (&packet[sizeof (struct ip_header)],
                 &icmp_pkt,
                 sizeof (struct icmp_ttl_exceeded_header));

  memset (&dst, 0, sizeof (dst));
  dst.sin_family = AF_INET;
#if HAVE_SOCKADDR_IN_SIN_LEN
  dst.sin_len = sizeof (struct sockaddr_in);
#endif
  dst.sin_addr = *other;
  err =
      sendto (rawsock, packet, sizeof (packet), 0, (struct sockaddr *) &dst,
              sizeof (dst));
  if (err < 0)
  {
    fprintf (stderr, "sendto failed: %s\n", strerror (errno));
  }
  else if (sizeof (packet) != (size_t) err)
  {
    fprintf (stderr, "Error: partial send of ICMP message with size %lu\n", (unsigned long) off);
  }
}


/**
 * Send an ICMP message to the target.
 *
 * @param my_ip source address
 * @param other target address
 */
static void
send_icmp (const struct in_addr *my_ip, const struct in_addr *other)
{
  struct ip_header ip_pkt;
  struct icmp_ttl_exceeded_header icmp_ttl;
  struct icmp_echo_header icmp_echo;
  struct sockaddr_in dst;
  char packet[sizeof (struct ip_header) * 2 +
              sizeof (struct icmp_ttl_exceeded_header) +
              sizeof (struct icmp_echo_header)];
  size_t off;
  int err;

  /* ip header: send to (known) ip address */
  off = 0;
  ip_pkt.vers_ihl = 0x45;
  ip_pkt.tos = 0;
#ifdef FREEBSD
  ip_pkt.pkt_len = sizeof (packet); /* Workaround PR kern/21737 */
#else
  ip_pkt.pkt_len = htons (sizeof (packet));
#endif
  ip_pkt.id = htons (PACKET_ID);
  ip_pkt.flags_frag_offset = 0;
  ip_pkt.ttl = IPDEFTTL;
  ip_pkt.proto = IPPROTO_ICMP;
  ip_pkt.checksum = 0;
  ip_pkt.src_ip = my_ip->s_addr;
  ip_pkt.dst_ip = other->s_addr;
  ip_pkt.checksum =
      htons (calc_checksum ((uint16_t *) & ip_pkt, sizeof (struct ip_header)));
  GNUNET_memcpy (&packet[off],
                 &ip_pkt,
                 sizeof (struct ip_header));
  off = sizeof (ip_pkt);

  /* icmp reply: time exceeded */
  icmp_ttl.type = ICMP_TIME_EXCEEDED;
  icmp_ttl.code = 0;
  icmp_ttl.checksum = 0;
  icmp_ttl.unused = 0;
  GNUNET_memcpy (&packet[off],
                 &icmp_ttl,
                 sizeof (struct icmp_ttl_exceeded_header));
  off += sizeof (struct icmp_ttl_exceeded_header);

  /* ip header of the presumably 'lost' udp packet */
  ip_pkt.vers_ihl = 0x45;
  ip_pkt.tos = 0;
  ip_pkt.pkt_len =
      htons (sizeof (struct ip_header) + sizeof (struct icmp_echo_header));
  ip_pkt.id = htons (PACKET_ID);
  ip_pkt.flags_frag_offset = 0;
  ip_pkt.ttl = 1;               /* real TTL would be 1 on a time exceeded packet */
  ip_pkt.proto = IPPROTO_ICMP;
  ip_pkt.src_ip = other->s_addr;
  ip_pkt.dst_ip = dummy.s_addr;
  ip_pkt.checksum = 0;
  ip_pkt.checksum =
      htons (calc_checksum ((uint16_t *) & ip_pkt, sizeof (struct ip_header)));
  GNUNET_memcpy (&packet[off],
                 &ip_pkt,
                 sizeof (struct ip_header));
  off += sizeof (struct ip_header);

  icmp_echo.type = ICMP_ECHO;
  icmp_echo.code = 0;
  icmp_echo.reserved = htonl (port);
  icmp_echo.checksum = 0;
  icmp_echo.checksum =
      htons (calc_checksum
             ((uint16_t *) &icmp_echo, sizeof (struct icmp_echo_header)));
  GNUNET_memcpy (&packet[off],
                 &icmp_echo,
                 sizeof (struct icmp_echo_header));

  /* no go back to calculate ICMP packet checksum */
  off = sizeof (struct ip_header);
  icmp_ttl.checksum =
      htons (calc_checksum
             ((uint16_t *) & packet[off],
              sizeof (struct icmp_ttl_exceeded_header) +
              sizeof (struct ip_header) + sizeof (struct icmp_echo_header)));
  GNUNET_memcpy (&packet[off],
                 &icmp_ttl,
                 sizeof (struct icmp_ttl_exceeded_header));

  /* prepare for transmission */
  memset (&dst, 0, sizeof (dst));
  dst.sin_family = AF_INET;
#if HAVE_SOCKADDR_IN_SIN_LEN
  dst.sin_len = sizeof (struct sockaddr_in);
#endif
  dst.sin_addr = *other;
  err =
      sendto (rawsock, packet, sizeof (packet), 0, (struct sockaddr *) &dst,
              sizeof (dst));
  if (err < 0)
  {
    fprintf (stderr, "sendto failed: %s\n", strerror (errno));
  }
  else if (sizeof (packet) != (size_t) err)
  {
    fprintf (stderr, "Error: partial send of ICMP message\n");
  }
}


int
main (int argc, char *const *argv)
{
  const int one = 1;
  struct in_addr external;
  struct in_addr target;
  uid_t uid;
  unsigned int p;
  int raw_eno;
  int global_ret;

  /* Create an ICMP raw socket for writing (only operation that requires root) */
  rawsock = socket (AF_INET, SOCK_RAW, IPPROTO_RAW);
  raw_eno = errno; /* for later error checking */

  /* now drop root privileges */
  uid = getuid ();
#ifdef HAVE_SETRESUID
  if (0 != setresuid (uid, uid, uid))
  {
    fprintf (stderr, "Failed to setresuid: %s\n", strerror (errno));
    global_ret = 1;
    goto cleanup;
  }
#else
  if (0 != (setuid (uid) | seteuid (uid)))
  {
    fprintf (stderr, "Failed to setuid: %s\n", strerror (errno));
    global_ret = 2;
    goto cleanup;
  }
#endif
  if (-1 == rawsock)
  {
    fprintf (stderr, "Error opening RAW socket: %s\n", strerror (raw_eno));
    global_ret = 3;
    goto cleanup;
  }
  if (0 !=
      setsockopt (rawsock, SOL_SOCKET, SO_BROADCAST, (char *) &one, sizeof (one)))
  {
    fprintf (stderr, "setsockopt failed: %s\n", strerror (errno));
    global_ret = 4;
    goto cleanup;
  }
  if (0 !=
      setsockopt (rawsock, IPPROTO_IP, IP_HDRINCL, (char *) &one, sizeof (one)))
  {
    fprintf (stderr, "setsockopt failed: %s\n", strerror (errno));
    global_ret = 5;
    goto cleanup;
  }

  if (4 != argc)
  {
    fprintf (stderr,
             "This program must be started with our IP, the targets external IP, and our port as arguments.\n");
    global_ret = 6;
    goto cleanup;
  }
  if ((1 != inet_pton (AF_INET, argv[1], &external)) ||
      (1 != inet_pton (AF_INET, argv[2], &target)))
  {
    fprintf (stderr, "Error parsing IPv4 address: %s\n", strerror (errno));
    global_ret = 7;
    goto cleanup;
  }
  if ((1 != sscanf (argv[3], "%u", &p)) || (0 == p) || (0xFFFF < p))
  {
    fprintf (stderr, "Error parsing port value `%s'\n", argv[3]);
    global_ret = 8;
    goto cleanup;
  }
  port = (uint16_t) p;
  if (1 != inet_pton (AF_INET, DUMMY_IP, &dummy))
  {
    fprintf (stderr, "Internal error converting dummy IP to binary.\n");
    global_ret = 9;
    goto cleanup;
  }
  send_icmp (&external, &target);
  send_icmp_udp (&external, &target);
  global_ret = 0;
 cleanup:
  if (-1 != rawsock)
    (void) close (rawsock);
  return global_ret;
}

/* end of gnunet-helper-nat-client.c */