stun.c

   1 /*
   2  * netsniff-ng - the packet sniffing beast
   3  * Copyright 2011 Daniel Borkmann.
   4  * Subject to the GPL, version 2.
   5  */
   6
   7 #include <stdio.h>
   8 #include <stdlib.h>
   9 #include <stdint.h>
  10 #include <string.h>
  11 #include <errno.h>
  12 #include <time.h>
  13 #include <unistd.h>
  14 #include <netdb.h>
  15 #include <netinet/in.h>
  16 #include <sys/socket.h>
  17 #include <netinet/in.h>
  18 #include <arpa/inet.h>
  19 #include <sys/select.h>
  20
  21 #include "xmalloc.h"
  22 #include "xutils.h"
  23 #include "die.h"
  24
  25 extern int print_stun_probe(char *server, int sport, int tport);
  26
  27 #define BINDING_REQUEST               0x0001
  28 #define BINDING_RESPONSE              0x0101
  29
  30 #define MAPPED_ADDRESS                0x0001
  31
  32 #define TIMEOUT                       5000
  33 #define REQUEST_LEN                   20
  34
  35 #define ID_COOKIE_FIELD               htonl(((int) 'a' << 24) + \
  36                                             ((int) 'c' << 16) + \
  37                                             ((int) 'd' <<  8) + \
  38                                              (int) 'c')
  39
  40 struct stun_header {
  41         uint16_t type;
  42         uint16_t len;
  43         uint32_t magic_cookie;
  44         uint32_t transid[3];
  45 };
  46
  47 struct stun_attrib {
  48         uint16_t type;
  49         uint16_t len;
  50         uint8_t *value;
  51 };
  52
  53 struct stun_mapped_addr {
  54         uint8_t none;
  55         uint8_t family;
  56         uint16_t port;
  57         uint32_t ip;
  58 };
  59
  60 static int stun_test(const char *server_ip, int server_port,
  61                      int tun_port)
  62 {
  63         int ret, sock;
  64         uint8_t pkt[256];
  65         uint8_t rpkt[256];
  66         size_t len, off, max;
  67         struct in_addr in;
  68         struct timeval timeout;
  69         struct stun_header *hdr, *rhdr;
  70         struct stun_attrib *attr;
  71         struct stun_mapped_addr *addr;
  72         struct sockaddr_in saddr, daddr;
  73         fd_set fdset;
  74
  75         if (!server_ip)
  76                 return -EINVAL;
  77
  78         sock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
  79         if (sock < 0)
  80                 panic("Cannot obtain socket!\n");
  81
  82         set_reuseaddr(sock);
  83
  84         saddr.sin_family = PF_INET;
  85         saddr.sin_port = htons(tun_port);
  86         saddr.sin_addr.s_addr = INADDR_ANY;
  87
  88         ret = bind(sock, (struct sockaddr *) &saddr, sizeof(saddr));
  89         if (ret)
  90                 panic("Cannot bind udp socket!\n");
  91
  92         len = REQUEST_LEN;
  93         hdr = (struct stun_header *) pkt;
  94         hdr->type = htons(BINDING_REQUEST);
  95         hdr->len = 0;
  96         hdr->magic_cookie = ID_COOKIE_FIELD;
  97         hdr->transid[0] = htonl(rand());
  98         hdr->transid[1] = htonl(rand());
  99         hdr->transid[2] = htonl(rand());
 100
 101         daddr.sin_family = PF_INET;
 102         daddr.sin_port = htons(server_port);
 103         daddr.sin_addr.s_addr = inet_addr(server_ip);
 104
 105         ret = sendto(sock, pkt, len, 0, (struct sockaddr *) &daddr,
 106                      sizeof(daddr));
 107         if (ret != len) {
 108                 printf("Error sending request (%s)!\n", strerror(errno));
 109                 return -EIO;
 110         }
 111
 112         timeout.tv_sec = TIMEOUT / 1000;
 113         timeout.tv_usec = (TIMEOUT % 1000) * 1000;
 114
 115         FD_ZERO(&fdset);
 116         FD_SET(sock, &fdset);
 117
 118         ret = select(sock + 1, &fdset, NULL, NULL, &timeout);
 119         if (ret <= 0) {
 120                 printf("STUN server timeout!\n");
 121                 return -EIO;
 122         }
 123
 124         memset(rpkt, 0, sizeof(rpkt));
 125         len = read(sock, rpkt, sizeof(rpkt));
 126
 127         close(sock);
 128
 129         if (len < REQUEST_LEN) {
 130                 printf("Bad STUN response (%s)!\n", strerror(errno));
 131                 return -EIO;
 132         }
 133
 134         rhdr = (struct stun_header *) rpkt;
 135         if (ntohs(rhdr->type) != BINDING_RESPONSE) {
 136                 printf("Wrong STUN response type!\n");
 137                 return -EIO;
 138         }
 139
 140         if (rhdr->len == 0) {
 141                 printf("No attributes in STUN response!\n");
 142                 return -EIO;
 143         }
 144
 145         if (rhdr->magic_cookie != hdr->magic_cookie ||
 146             rhdr->transid[0] != hdr->transid[0] ||
 147             rhdr->transid[1] != hdr->transid[1] ||
 148             rhdr->transid[2] != hdr->transid[2]) {
 149                 printf("Got wrong STUN transaction id!\n");
 150                 return -EIO;
 151         }
 152
 153         off = REQUEST_LEN;
 154         max = ntohs(rhdr->len) + REQUEST_LEN;
 155
 156         while (off + 8 < max) {
 157                 attr = (struct stun_attrib *) (rpkt + off);
 158                 if (ntohs(attr->type) != MAPPED_ADDRESS)
 159                         goto next;
 160
 161                 addr = (struct stun_mapped_addr *) (rpkt + off + 4);
 162                 if (addr->family != 0x1)
 163                         break;
 164
 165                 in.s_addr = addr->ip;
 166                 printf("Public mapping %s:%u!\n",
 167                        inet_ntoa(in), ntohs(addr->port));
 168                 break;
 169 next:
 170                 off += 4;
 171                 off += ntohs(attr->len);
 172         }
 173
 174         return 0;
 175 }
 176
 177 int print_stun_probe(char *server, int sport, int tport)
 178 {
 179         char *address;
 180         struct hostent *hp;
 181
 182         printf("STUN on %s:%u\n", server, sport);
 183
 184         srand(time(NULL));
 185         hp = gethostbyname(server);
 186         if (!hp)
 187                 return -EIO;
 188         address = inet_ntoa(*(struct in_addr *) hp->h_addr_list[0]);
 189         return stun_test(address, sport, tport);
 190 }