src/stun.c

   1 /*
   2  * netsniff-ng - the packet sniffing beast
   3  * By Daniel Borkmann <daniel@netsniff-ng.org>
   4  * Copyright 2011 Daniel Borkmann.
   5  * Subject to the GPL, version 2.
   6  */
   7
   8 #include <stdio.h>
   9 #include <stdlib.h>
  10 #include <stdint.h>
  11 #include <string.h>
  12 #include <errno.h>
  13 #include <time.h>
  14 #include <unistd.h>
  15 #include <netdb.h>
  16 #include <netinet/in.h>
  17 #include <sys/socket.h>
  18 #include <netinet/in.h>
  19 #include <arpa/inet.h>
  20 #include <sys/select.h>
  21
  22 #include "xmalloc.h"
  23 #include "xutils.h"
  24 #include "die.h"
  25
  26 extern int print_stun_probe(char *server, int sport, int tport);
  27
  28 #define BINDING_REQUEST               0x0001
  29 #define BINDING_RESPONSE              0x0101
  30
  31 #define MAPPED_ADDRESS                0x0001
  32
  33 #define TIMEOUT                       5000
  34 #define REQUEST_LEN                   20
  35
  36 #define ID_COOKIE_FIELD               htonl(((int) 'a' << 24) + \
  37                                             ((int) 'c' << 16) + \
  38                                             ((int) 'd' <<  8) + \
  39                                              (int) 'c')
  40
  41 struct stun_header {
  42         uint16_t type;
  43         uint16_t len;
  44         uint32_t magic_cookie;
  45         uint32_t transid[3];
  46 };
  47
  48 struct stun_attrib {
  49         uint16_t type;
  50         uint16_t len;
  51         uint8_t *value;
  52 };
  53
  54 struct stun_mapped_addr {
  55         uint8_t none;
  56         uint8_t family;
  57         uint16_t port;
  58         uint32_t ip;
  59 };
  60
  61 static int stun_test(const char *server_ip, int server_port,
  62                      int tun_port)
  63 {
  64         int ret, sock, set = 1;
  65         uint8_t pkt[256];
  66         uint8_t rpkt[256];
  67         size_t len, off, max;
  68         struct in_addr in;
  69         struct timeval timeout;
  70         struct stun_header *hdr, *rhdr;
  71         struct stun_attrib *attr;
  72         struct stun_mapped_addr *addr;
  73         struct sockaddr_in saddr, daddr;
  74         fd_set fdset;
  75
  76         if (!server_ip)
  77                 return -EINVAL;
  78
  79         sock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
  80         if (sock < 0)
  81                 panic("Cannot obtain socket!\n");
  82
  83         ret = setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &set, sizeof(set));
  84         if (ret)
  85                 panic("Cannot set socket option!\n");
  86
  87         saddr.sin_family = PF_INET;
  88         saddr.sin_port = htons(tun_port);
  89         saddr.sin_addr.s_addr = INADDR_ANY;
  90
  91         ret = bind(sock, (struct sockaddr *) &saddr, sizeof(saddr));
  92         if (ret)
  93                 panic("Cannot bind udp socket!\n");
  94
  95         len = REQUEST_LEN;
  96         hdr = (struct stun_header *) pkt;
  97         hdr->type = htons(BINDING_REQUEST);
  98         hdr->len = 0;
  99         hdr->magic_cookie = ID_COOKIE_FIELD;
 100         hdr->transid[0] = htonl(rand());
 101         hdr->transid[1] = htonl(rand());
 102         hdr->transid[2] = htonl(rand());
 103
 104         daddr.sin_family = PF_INET;
 105         daddr.sin_port = htons(server_port);
 106         daddr.sin_addr.s_addr = inet_addr(server_ip);
 107
 108         ret = sendto(sock, pkt, len, 0, (struct sockaddr *) &daddr,
 109                      sizeof(daddr));
 110         if (ret != len) {
 111                 whine("Error sending request (%s)!\n", strerror(errno));
 112                 return -EIO;
 113         }
 114
 115         set_timeout(&timeout, TIMEOUT);
 116
 117         FD_ZERO(&fdset);
 118         FD_SET(sock, &fdset);
 119
 120         ret = select(sock + 1, &fdset, NULL, NULL, &timeout);
 121         if (ret <= 0) {
 122                 whine("STUN server timeout!\n");
 123                 return -EIO;
 124         }
 125
 126         memset(rpkt, 0, sizeof(rpkt));
 127         len = read(sock, rpkt, sizeof(rpkt));
 128
 129         close(sock);
 130
 131         if (len < REQUEST_LEN) {
 132                 whine("Bad STUN response (%s)!\n", strerror(errno));
 133                 return -EIO;
 134         }
 135
 136         rhdr = (struct stun_header *) rpkt;
 137         if (ntohs(rhdr->type) != BINDING_RESPONSE) {
 138                 whine("Wrong STUN response type!\n");
 139                 return -EIO;
 140         }
 141
 142         if (rhdr->len == 0) {
 143                 whine("No attributes in STUN response!\n");
 144                 return -EIO;
 145         }
 146
 147         if (rhdr->magic_cookie != hdr->magic_cookie ||
 148             rhdr->transid[0] != hdr->transid[0] ||
 149             rhdr->transid[1] != hdr->transid[1] ||
 150             rhdr->transid[2] != hdr->transid[2]) {
 151                 whine("Got wrong STUN transaction id!\n");
 152                 return -EIO;
 153         }
 154
 155         off = REQUEST_LEN;
 156         max = ntohs(rhdr->len) + REQUEST_LEN;
 157
 158         while (off + 8 < max) {
 159                 attr = (struct stun_attrib *) (rpkt + off);
 160                 if (ntohs(attr->type) != MAPPED_ADDRESS)
 161                         goto next;
 162
 163                 addr = (struct stun_mapped_addr *) (rpkt + off + 4);
 164                 if (addr->family != 0x1)
 165                         break;
 166
 167                 in.s_addr = addr->ip;
 168                 printf("Public mapping %s:%u!\n",
 169                        inet_ntoa(in), ntohs(addr->port));
 170                 break;
 171 next:
 172                 off += 4;
 173                 off += ntohs(attr->len);
 174         }
 175
 176         return 0;
 177 }
 178
 179 int print_stun_probe(char *server, int sport, int tport)
 180 {
 181         char *address;
 182         struct hostent *hp;
 183
 184         printf("STUN on %s:%u\n", server, sport);
 185
 186         srand(time(NULL));
 187         hp = gethostbyname(server);
 188         if (!hp)
 189                 return -EIO;
 190         address = inet_ntoa(*(struct in_addr *) hp->h_addr_list[0]);
 191         return stun_test(address, sport, tport);
 192 }