0832f97801c199e244c17d21757dee19cda206bc
[l2tpns.git] / ppp.c
1 // L2TPNS PPP Stuff
2
3 char const *cvs_id_ppp = "$Id: ppp.c,v 1.49 2005-05-07 08:17:25 bodea Exp $";
4
5 #include <stdio.h>
6 #include <string.h>
7 #include <unistd.h>
8 #include <errno.h>
9 #include <stdlib.h>
10 #include "l2tpns.h"
11 #include "constants.h"
12 #include "plugin.h"
13 #include "util.h"
14 #include "tbf.h"
15 #include "cluster.h"
16
17 extern tunnelt *tunnel;
18 extern sessiont *session;
19 extern radiust *radius;
20 extern int tunfd;
21 extern char hostname[];
22 extern uint32_t eth_tx;
23 extern time_t time_now;
24 extern configt *config;
25
26 static void initccp(tunnelidt t, sessionidt s);
27
28 // Process PAP messages
29 void processpap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
30 {
31 char user[MAXUSER];
32 char pass[MAXPASS];
33 uint16_t hl;
34
35 CSTAT(processpap);
36
37 LOG_HEX(5, "PAP", p, l);
38 if (l < 4)
39 {
40 LOG(1, s, t, "Short PAP %u bytes\n", l);
41 STAT(tunnel_rx_errors);
42 sessionshutdown(s, "Short PAP packet.", 3, 0);
43 return ;
44 }
45
46 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
47 {
48 LOG(1, s, t, "Length mismatch PAP %u/%u\n", hl, l);
49 STAT(tunnel_rx_errors);
50 sessionshutdown(s, "PAP length mismatch.", 3, 0);
51 return ;
52 }
53 l = hl;
54
55 if (*p != 1)
56 {
57 LOG(1, s, t, "Unexpected PAP code %d\n", *p);
58 STAT(tunnel_rx_errors);
59 sessionshutdown(s, "Unexpected PAP code.", 3, 0);
60 return ;
61 }
62
63 {
64 uint8_t *b = p;
65 b += 4;
66 user[0] = pass[0] = 0;
67 if (*b && *b < sizeof(user))
68 {
69 memcpy(user, b + 1, *b);
70 user[*b] = 0;
71 b += 1 + *b;
72 if (*b && *b < sizeof(pass))
73 {
74 memcpy(pass, b + 1, *b);
75 pass[*b] = 0;
76 }
77 }
78 LOG(3, s, t, "PAP login %s/%s\n", user, pass);
79 }
80 if (session[s].ip || !sess_local[s].radius)
81 {
82 // respond now, either no RADIUS available or already authenticated
83 uint8_t b[MAXCONTROL];
84 uint8_t id = p[1];
85 uint8_t *p = makeppp(b, sizeof(b), 0, 0, t, s, PPPPAP);
86 if (!p) return;
87
88 if (session[s].ip)
89 *p = 2; // ACK
90 else
91 *p = 3; // cant authorise
92 p[1] = id;
93 *(uint16_t *) (p + 2) = htons(5); // length
94 p[4] = 0; // no message
95 if (session[s].ip)
96 {
97 LOG(3, s, t, "Already an IP allocated: %s (%d)\n",
98 fmtaddr(htonl(session[s].ip), 0), session[s].ip_pool_index);
99
100 session[s].flags &= ~SF_IPCP_ACKED;
101 }
102 else
103 {
104 LOG(1, s, t, "No radius session available to authenticate session...\n");
105 }
106 LOG(3, s, t, "Fallback response to PAP (%s)\n", (session[s].ip) ? "ACK" : "NAK");
107 tunnelsend(b, 5 + (p - b), t); // send it
108 sessionshutdown(s, "PAP authentication failed.", 3, 0);
109 }
110 else
111 {
112 // set up RADIUS request
113 uint16_t r = sess_local[s].radius;
114
115 // Run PRE_AUTH plugins
116 struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
117 run_plugins(PLUGIN_PRE_AUTH, &packet);
118 if (!packet.continue_auth)
119 {
120 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
121 if (packet.username) free(packet.username);
122 if (packet.password) free(packet.password);
123 return;
124 }
125
126 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
127 strncpy(radius[r].pass, packet.password, sizeof(radius[r].pass) - 1);
128
129 free(packet.username);
130 free(packet.password);
131
132 radius[r].id = p[1];
133 LOG(3, s, t, "Sending login for %s/%s to radius\n", user, pass);
134 radiussend(r, RADIUSAUTH);
135 }
136 }
137
138 // Process CHAP messages
139 void processchap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
140 {
141 uint16_t r;
142 uint16_t hl;
143
144 CSTAT(processchap);
145
146 LOG_HEX(5, "CHAP", p, l);
147 r = sess_local[s].radius;
148 if (!r)
149 {
150 LOG(1, s, t, "Unexpected CHAP message\n");
151 STAT(tunnel_rx_errors);
152 return;
153 }
154
155 if (l < 4)
156 {
157 LOG(1, s, t, "Short CHAP %u bytes\n", l);
158 STAT(tunnel_rx_errors);
159 return ;
160 }
161
162 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
163 {
164 LOG(1, s, t, "Length mismatch CHAP %u/%u\n", hl, l);
165 STAT(tunnel_rx_errors);
166 return ;
167 }
168 l = hl;
169
170 if (*p != 2)
171 {
172 LOG(1, s, t, "Unexpected CHAP response code %d\n", *p);
173 STAT(tunnel_rx_errors);
174 return;
175 }
176 if (p[1] != radius[r].id)
177 {
178 LOG(1, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
179 STAT(tunnel_rx_errors);
180 return ;
181 }
182
183 if (l < 5 || p[4] != 16)
184 {
185 LOG(1, s, t, "Bad CHAP response length %d\n", l < 5 ? -1 : p[4]);
186 STAT(tunnel_rx_errors);
187 return ;
188 }
189
190 l -= 5;
191 p += 5;
192 if (l < 16 || l - 16 >= sizeof(session[s].user))
193 {
194 LOG(1, s, t, "CHAP user too long %d\n", l - 16);
195 STAT(tunnel_rx_errors);
196 return ;
197 }
198
199 // Run PRE_AUTH plugins
200 {
201 struct param_pre_auth packet = { &tunnel[t], &session[s], NULL, NULL, PPPCHAP, 1 };
202
203 packet.password = calloc(17, 1);
204 memcpy(packet.password, p, 16);
205
206 p += 16;
207 l -= 16;
208
209 packet.username = calloc(l + 1, 1);
210 memcpy(packet.username, p, l);
211
212 run_plugins(PLUGIN_PRE_AUTH, &packet);
213 if (!packet.continue_auth)
214 {
215 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
216 if (packet.username) free(packet.username);
217 if (packet.password) free(packet.password);
218 return;
219 }
220
221 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
222 memcpy(radius[r].pass, packet.password, 16);
223
224 free(packet.username);
225 free(packet.password);
226 }
227
228 radius[r].chap = 1;
229 LOG(3, s, t, "CHAP login %s\n", session[s].user);
230 radiussend(r, RADIUSAUTH);
231 }
232
233 static void dumplcp(uint8_t *p, int l)
234 {
235 int x = l - 4;
236 uint8_t *o = (p + 4);
237
238 LOG_HEX(5, "PPP LCP Packet", p, l);
239 LOG(4, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_type((int)*p), ntohs( ((uint16_t *) p)[1]) );
240 LOG(4, 0, 0, "Length: %d\n", l);
241 if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
242 return;
243
244 while (x > 2)
245 {
246 int type = o[0];
247 int length = o[1];
248 if (length < 2)
249 {
250 LOG(4, 0, 0, " Option length is %d...\n", length);
251 break;
252 }
253 if (type == 0)
254 {
255 LOG(4, 0, 0, " Option type is 0...\n");
256 x -= length;
257 o += length;
258 continue;
259 }
260 switch (type)
261 {
262 case 1: // Maximum-Receive-Unit
263 if (length == 4)
264 LOG(4, 0, 0, " %s %d\n", lcp_type(type), ntohs(*(uint16_t *)(o + 2)));
265 else
266 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
267 break;
268 case 2: // Async-Control-Character-Map
269 if (length == 6)
270 {
271 uint32_t asyncmap = ntohl(*(uint32_t *)(o + 2));
272 LOG(4, 0, 0, " %s %x\n", lcp_type(type), asyncmap);
273 }
274 else
275 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
276 break;
277 case 3: // Authentication-Protocol
278 if (length == 4)
279 {
280 int proto = ntohs(*(uint16_t *)(o + 2));
281 LOG(4, 0, 0, " %s 0x%x (%s)\n", lcp_type(type), proto,
282 proto == PPPPAP ? "PAP" : "UNSUPPORTED");
283 }
284 else if (length == 5)
285 {
286 int proto = ntohs(*(uint16_t *)(o + 2));
287 int algo = *(uint8_t *)(o + 4);
288 LOG(4, 0, 0, " %s 0x%x 0x%x (%s)\n", lcp_types[type], proto, algo,
289 (proto == PPPCHAP && algo == 5) ? "CHAP MD5" : "UNSUPPORTED");
290 }
291 else
292 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
293 break;
294 case 4: // Quality-Protocol
295 {
296 uint32_t qp = ntohl(*(uint32_t *)(o + 2));
297 LOG(4, 0, 0, " %s %x\n", lcp_type(type), qp);
298 }
299 break;
300 case 5: // Magic-Number
301 if (length == 6)
302 {
303 uint32_t magicno = ntohl(*(uint32_t *)(o + 2));
304 LOG(4, 0, 0, " %s %x\n", lcp_type(type), magicno);
305 }
306 else
307 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
308 break;
309 case 7: // Protocol-Field-Compression
310 case 8: // Address-And-Control-Field-Compression
311 LOG(4, 0, 0, " %s\n", lcp_type(type));
312 break;
313 default:
314 LOG(2, 0, 0, " Unknown PPP LCP Option type %d\n", type);
315 break;
316 }
317 x -= length;
318 o += length;
319 }
320 }
321
322 // Process LCP messages
323 void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
324 {
325 uint8_t b[MAXCONTROL];
326 uint8_t *q = NULL;
327 uint32_t magicno = 0;
328 uint16_t hl;
329
330 CSTAT(processlcp);
331
332 LOG_HEX(5, "LCP", p, l);
333 if (l < 4)
334 {
335 LOG(1, s, t, "Short LCP %d bytes\n", l);
336 STAT(tunnel_rx_errors);
337 return ;
338 }
339
340 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
341 {
342 LOG(1, s, t, "Length mismatch LCP %u/%u\n", hl, l);
343 STAT(tunnel_rx_errors);
344 return ;
345 }
346 l = hl;
347
348 if (*p == ConfigAck)
349 {
350 LOG(3, s, t, "LCP: Discarding ConfigAck\n");
351 session[s].flags |= SF_LCP_ACKED;
352 }
353 else if (*p == ConfigReq)
354 {
355 int x = l - 4;
356 uint8_t *o = (p + 4);
357 uint8_t *response = 0;
358
359 LOG(3, s, t, "LCP: ConfigReq (%d bytes)...\n", l);
360 if (config->debug > 3) dumplcp(p, l);
361
362 while (x > 2)
363 {
364 int type = o[0];
365 int length = o[1];
366
367 if (length == 0 || type == 0 || x < length) break;
368 switch (type)
369 {
370 case 1: // Maximum-Receive-Unit
371 session[s].mru = ntohs(*(uint16_t *)(o + 2));
372 break;
373
374 case 2: // Async-Control-Character-Map
375 if (!ntohl(*(uint32_t *)(o + 2))) // all bits zero is OK
376 break;
377
378 if (response && *response != ConfigNak) // rej already queued
379 break;
380
381 LOG(2, s, t, " Remote requesting asyncmap. Rejecting.\n");
382 if (!response)
383 {
384 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
385 if (!q) break;
386 *q = ConfigNak;
387 q += 4;
388 }
389
390 if ((q - b + 11) > sizeof(b))
391 {
392 LOG(2, s, t, "LCP overflow for asyncmap ConfigNak.\n");
393 break;
394 }
395
396 *q++ = type;
397 *q++ = 6;
398 memset(q, 0, 4); // asyncmap 0
399 q += 4;
400 *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length
401 break;
402
403 case 3: // Authentication-Protocol
404 {
405 int proto = ntohs(*(uint16_t *)(o + 2));
406 uint16_t wanted_proto;
407 char proto_name[] = "0x0000";
408
409 if (proto == PPPPAP)
410 {
411 if (config->radius_authtypes & AUTHPAP)
412 break;
413
414 strcpy(proto_name, "PAP");
415 }
416 else if (proto == PPPCHAP)
417 {
418 if (config->radius_authtypes & AUTHCHAP
419 && *(o + 4) == 5) // MD5
420 break;
421
422 strcpy(proto_name, "CHAP");
423 }
424 else
425 sprintf(proto_name, "%#4.4x", proto);
426
427 if (response && *response != ConfigNak) // rej already queued
428 break;
429
430 LOG(2, s, t, " Remote requesting %s authentication. Rejecting.\n", proto_name);
431
432 if (!response)
433 {
434 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
435 if (!q) break;
436 *q = ConfigNak;
437 q += 4;
438 }
439
440 if ((q - b + 5) > sizeof(b)) // 5 is the larger (CHAP+MD5) of the two NAKs
441 {
442 LOG(2, s, t, "LCP overflow for %s ConfigNak.\n", proto_name);
443 break;
444 }
445
446 *q++ = type;
447 if (config->radius_authprefer == AUTHCHAP)
448 {
449 *q++ = 5;
450 *(uint16_t *) q = htons(PPPCHAP); q += 2;
451 *q++ = 5; // MD5
452 }
453 else
454 {
455 *q++ = 4;
456 *(uint16_t *) q = htons(PPPPAP); q += 2;
457 }
458
459 *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length
460 break;
461 }
462 break;
463
464 case 5: // Magic-Number
465 magicno = ntohl(*(uint32_t *)(o + 2));
466 break;
467
468 case 4: // Quality-Protocol
469 case 7: // Protocol-Field-Compression
470 case 8: // Address-And-Control-Field-Compression
471 break;
472
473 default: // Reject any unknown options
474 LOG(2, s, t, " Rejecting PPP LCP Option type %d\n", type);
475 if (!response || *response != ConfigRej) // drop nak in favour of rej
476 {
477 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
478 if (!q) break;
479 *q = ConfigRej;
480 q += 4;
481 }
482
483 if ((q - b + length) > sizeof(b))
484 {
485 LOG(2, s, t, "LCP overflow for ConfigRej (type=%d).\n", type);
486 break;
487 }
488
489 memcpy(q, o, length);
490 q += length;
491 *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length
492 }
493 x -= length;
494 o += length;
495 }
496
497 if (!response)
498 {
499 // Send back a ConfigAck
500 q = response = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
501 if (!q) return;
502 *q = ConfigAck;
503 }
504
505 LOG(3, s, t, "Sending %s\n", ppp_lcp_type(*response));
506 tunnelsend(b, l + (q - b), t);
507
508 if (!(session[s].flags & SF_LCP_ACKED))
509 initlcp(t, s);
510 }
511 else if (*p == ConfigNak)
512 {
513 LOG(1, s, t, "Remote end sent a ConfigNak. Ignoring\n");
514 if (config->debug > 3) dumplcp(p, l);
515 return;
516 }
517 else if (*p == TerminateReq)
518 {
519 LOG(3, s, t, "LCP: Received TerminateReq. Sending TerminateAck\n");
520 *p = TerminateAck; // close
521 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
522 if (!q) return;
523 tunnelsend(b, l + (q - b), t); // send it
524 sessionshutdown(s, "Remote end closed connection.", 3, 0);
525 }
526 else if (*p == TerminateAck)
527 {
528 sessionshutdown(s, "Connection closed.", 3, 0);
529 }
530 else if (*p == ProtocolRej)
531 {
532 if (*(uint16_t *) (p+4) == htons(PPPIPV6CP))
533 {
534 LOG(3, s, t, "IPv6 rejected\n");
535 session[s].flags |= SF_IPV6_NACKED;
536 }
537 else
538 {
539 LOG(1, s, t, "Unexpected LCP protocol reject 0x%X\n",
540 ntohs(*(uint16_t *) (p+4)));
541 STAT(tunnel_rx_errors);
542 }
543 }
544 else if (*p == EchoReq)
545 {
546 LOG(5, s, t, "LCP: Received EchoReq. Sending EchoReply\n");
547 *p = EchoReply; // reply
548 *(uint32_t *) (p + 4) = htonl(session[s].magic); // our magic number
549 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
550 if (!q) return;
551 tunnelsend(b, l + (q - b), t); // send it
552 }
553 else if (*p == EchoReply)
554 {
555 // Ignore it, last_packet time is set earlier than this.
556 }
557 else if (*p == IdentRequest)
558 {
559 *p = CodeRej;
560 if (l > MAXCONTROL)
561 {
562 LOG(1, s, t, "Truncated Ident Packet (length=%d) to 1400 bytes\n", l);
563 l = 1400;
564 }
565 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
566 if (!q) return;
567 LOG_HEX(5, "LCPIdentRej", q, l + 4);
568 tunnelsend(b, 12 + 4 + l, t);
569 }
570 else
571 {
572 LOG(1, s, t, "Unexpected LCP code %d\n", *p);
573 STAT(tunnel_rx_errors);
574 return ;
575 }
576 }
577
578 // find a PPP option, returns point to option, or 0 if not found
579 static uint8_t *findppp(uint8_t *b, uint8_t mtype)
580 {
581 uint16_t l = ntohs(*(uint16_t *) (b + 2));
582 if (l < 4)
583 return 0;
584 b += 4;
585 l -= 4;
586 while (l)
587 {
588 if (l < b[1] || !b[1])
589 return 0; // faulty
590 if (*b == mtype)
591 return b;
592 l -= b[1];
593 b += b[1];
594 }
595 return 0;
596 }
597
598 // Process IPCP messages
599 void processipcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
600 {
601 uint16_t hl;
602
603 CSTAT(processipcp);
604
605 LOG_HEX(5, "IPCP", p, l);
606 if (l < 5)
607 {
608 LOG(1, s, t, "Short IPCP %d bytes\n", l);
609 STAT(tunnel_rx_errors);
610 return ;
611 }
612
613 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
614 {
615 LOG(1, s, t, "Length mismatch IPCP %u/%u\n", hl, l);
616 STAT(tunnel_rx_errors);
617 return ;
618 }
619 l = hl;
620
621 if (*p == ConfigAck)
622 {
623 // happy with our IPCP
624 uint16_t r = sess_local[s].radius;
625 if ((!r || radius[r].state == RADIUSIPCP) && !session[s].walled_garden)
626 {
627 if (!r)
628 r = radiusnew(s);
629 if (r)
630 radiussend(r, RADIUSSTART); // send radius start, having got IPCP at last
631 }
632 session[s].flags |= SF_IPCP_ACKED;
633
634 LOG(3, s, t, "IPCP Acked, session is now active\n");
635
636 // clear LCP_ACKED/CCP_ACKED flag for possible fast renegotiaion for routers
637 session[s].flags &= ~(SF_LCP_ACKED|SF_CCP_ACKED);
638
639 return;
640 }
641 if (*p != ConfigReq)
642 {
643 LOG(1, s, t, "Unexpected IPCP code %d\n", *p);
644 STAT(tunnel_rx_errors);
645 return ;
646 }
647 LOG(4, s, t, "IPCP ConfigReq received\n");
648
649 if (!session[s].ip)
650 {
651 LOG(3, s, t, "Waiting on radius reply\n");
652 return; // have to wait on RADIUS reply
653 }
654 // form a config reply quoting the IP in the session
655 {
656 uint8_t b[MAXCONTROL];
657 uint8_t *i, *q;
658
659 q = p + 4;
660 i = p + l;
661 while (q < i && q[1])
662 {
663 if (*q != 0x81 && *q != 0x83 && *q != 3)
664 break;
665 q += q[1];
666 }
667 if (q < i)
668 {
669 // reject
670 uint16_t n = 4;
671 i = p + l;
672 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
673 return;
674
675 *q = ConfigRej;
676 p += 4;
677 while (p < i && p[1])
678 {
679 if (*p != 0x81 && *p != 0x83 && *p != 3)
680 {
681 LOG(2, s, t, "IPCP reject %d\n", *p);
682 memcpy(q + n, p, p[1]);
683 n += p[1];
684 }
685 p += p[1];
686 }
687 *(uint16_t *) (q + 2) = htons(n);
688 LOG(4, s, t, "Sending ConfigRej\n");
689 tunnelsend(b, n + (q - b), t); // send it
690 }
691 else
692 {
693 LOG(4, s, t, "Sending ConfigAck\n");
694 *p = ConfigAck;
695 if ((i = findppp(p, 0x81))) // Primary DNS address
696 {
697 if (*(uint32_t *) (i + 2) != htonl(session[s].dns1))
698 {
699 *(uint32_t *) (i + 2) = htonl(session[s].dns1);
700 *p = ConfigNak;
701 LOG(5, s, t, " DNS1 = %s\n",
702 fmtaddr(htonl(session[s].dns1), 0));
703 }
704 }
705 if ((i = findppp(p, 0x83))) // Secondary DNS address (TBA, is it)
706 {
707 if (*(uint32_t *) (i + 2) != htonl(session[s].dns2))
708 {
709 *(uint32_t *) (i + 2) = htonl(session[s].dns2);
710 *p = ConfigNak;
711 LOG(5, s, t, " DNS2 = %s\n",
712 fmtaddr(htonl(session[s].dns2), 0));
713 }
714 }
715 i = findppp(p, 3); // IP address
716 if (!i || i[1] != 6)
717 {
718 LOG(1, s, t, "No IP in IPCP request\n");
719 STAT(tunnel_rx_errors);
720 return ;
721 }
722 if (*(uint32_t *) (i + 2) != htonl(session[s].ip))
723 {
724 *(uint32_t *) (i + 2) = htonl(session[s].ip);
725 *p = ConfigNak;
726 LOG(4, s, t, " No, a ConfigNak, client is requesting IP - sending %s\n",
727 fmtaddr(htonl(session[s].ip), 0));
728 }
729 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
730 return;
731
732 tunnelsend(b, l + (q - b), t); // send it
733 }
734 }
735 }
736
737 // Process IPV6CP messages
738 void processipv6cp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
739 {
740
741 CSTAT(processipv6cp);
742
743 LOG_HEX(5, "IPV6CP", p, l);
744 if (l < 4)
745 {
746 LOG(1, s, t, "Short IPV6CP %d bytes\n", l);
747 STAT(tunnel_rx_errors);
748 return ;
749 }
750 if (*p == ConfigAck)
751 {
752 // happy with our IPV6CP
753 session[s].flags |= SF_IPV6CP_ACKED;
754
755 LOG(3, s, t, "IPV6CP Acked, IPv6 is now active\n");
756 // Add a routed block if configured.
757 if (session[s].ipv6prefixlen)
758 {
759 route6set(s, session[s].ipv6route, session[s].ipv6prefixlen, 1);
760 session[s].flags |= SF_IPV6_ROUTED;
761 }
762
763 // Send an initial RA (TODO: Should we send these regularly?)
764 send_ipv6_ra(t, s, NULL);
765 return;
766 }
767 if (*p != ConfigReq)
768 {
769 LOG(1, s, t, "Unexpected IPV6CP code %d\n", *p);
770 STAT(tunnel_rx_errors);
771 return;
772 }
773
774 LOG(4, s, t, "IPV6CP ConfigReq received\n");
775 if (ntohs(*(uint16_t *) (p + 2)) > l)
776 {
777 LOG(1, s, t, "Length mismatch IPV6CP %d/%d\n", ntohs(*(uint16_t *) (p + 2)), l);
778 STAT(tunnel_rx_errors);
779 return ;
780 }
781 if (!session[s].ip)
782 {
783 LOG(3, s, t, "Waiting on radius reply\n");
784 return; // have to wait on RADIUS reply
785 }
786 // form a config reply quoting the IP in the session
787 {
788 uint8_t b[MAXCONTROL];
789 uint8_t *i,
790 *q;
791
792 l = ntohs(*(uint16_t *) (p + 2)); // We must use length from IPV6CP len field
793 q = p + 4;
794 i = p + l;
795 while (q < i && q[1])
796 {
797 if (*q != 1)
798 break;
799 q += q[1];
800 }
801 if (q < i)
802 {
803 // reject
804 uint16_t n = 4;
805 i = p + l;
806 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPV6CP)))
807 {
808 LOG(2, s, t, "Failed to send IPV6CP ConfigRej\n");
809 return;
810 }
811 *q = ConfigRej;
812 p += 4;
813 while (p < i && p[1])
814 {
815 if (*p != 1)
816 {
817 LOG(2, s, t, "IPV6CP reject %d\n", *p);
818 memcpy(q + n, p, p[1]);
819 n += p[1];
820 }
821 p += p[1];
822 }
823 *(uint16_t *) (q + 2) = htons(n);
824 LOG(4, s, t, "Sending ConfigRej\n");
825 tunnelsend(b, n + (q - b), t); // send it
826 }
827 else
828 {
829 LOG(4, s, t, "Sending ConfigAck\n");
830 *p = ConfigAck;
831 i = findppp(p, 1); // IP address
832 if (!i || i[1] != 10)
833 {
834 LOG(1, s, t, "No IP in IPV6CP request\n");
835 STAT(tunnel_rx_errors);
836 return ;
837 }
838 if ((*(uint32_t *) (i + 2) != htonl(session[s].ip)) ||
839 (*(uint32_t *) (i + 6) != 0))
840 {
841 *(uint32_t *) (i + 2) = htonl(session[s].ip);
842 *(uint32_t *) (i + 6) = 0;
843 *p = ConfigNak;
844 LOG(4, s, t,
845 " No, a ConfigNak, client is "
846 "requesting IP - sending %s\n",
847 fmtaddr(htonl(session[s].ip), 0));
848 }
849 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPV6CP)))
850 {
851 LOG(2, s, t, " Failed to send IPV6CP packet.\n");
852 return;
853 }
854 tunnelsend(b, l + (q - b), t); // send it
855 }
856 }
857 }
858
859 // process IP packet received
860 //
861 // This MUST be called with at least 4 byte behind 'p'.
862 // (i.e. this routine writes to p[-4]).
863 void processipin(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
864 {
865 in_addr_t ip;
866
867 CSTAT(processipin);
868
869 LOG_HEX(5, "IP", p, l);
870
871 ip = ntohl(*(uint32_t *)(p + 12));
872
873 if (l > MAXETHER)
874 {
875 LOG(1, s, t, "IP packet too long %d\n", l);
876 STAT(tunnel_rx_errors);
877 return ;
878 }
879
880 // no spoof (do sessionbyip to handled statically routed subnets)
881 if (ip != session[s].ip && sessionbyip(htonl(ip)) != s)
882 {
883 LOG(5, s, t, "Dropping packet with spoofed IP %s\n", fmtaddr(htonl(ip), 0));
884 return;
885 }
886
887 // run access-list if any
888 if (session[s].filter_in && !ip_filter(p, l, session[s].filter_in - 1))
889 return;
890
891 // Add on the tun header
892 p -= 4;
893 *(uint32_t *) p = htonl(PKTIP);
894 l += 4;
895
896 // Are we throttled and a slave?
897 if (session[s].tbf_in && !config->cluster_iam_master) {
898 // Pass it to the master for handling.
899 master_throttle_packet(session[s].tbf_in, p, l);
900 return;
901 }
902
903 // Are we throttled and a master??
904 if (session[s].tbf_in && config->cluster_iam_master) {
905 // Actually handle the throttled packets.
906 tbf_queue_packet(session[s].tbf_in, p, l);
907 return;
908 }
909
910 // send to ethernet
911 if (tun_write(p, l) < 0)
912 {
913 STAT(tun_tx_errors);
914 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
915 l, strerror(errno), tunfd, p);
916
917 return;
918 }
919
920 if (session[s].snoop_ip && session[s].snoop_port)
921 {
922 // Snooping this session
923 snoop_send_packet(p + 4, l - 4, session[s].snoop_ip, session[s].snoop_port);
924 }
925
926 session[s].cin += l - 4;
927 session[s].total_cin += l - 4;
928 sess_local[s].cin += l - 4;
929
930 session[s].pin++;
931 eth_tx += l - 4;
932
933 STAT(tun_tx_packets);
934 INC_STAT(tun_tx_bytes, l - 4);
935 }
936
937 // process IPv6 packet received
938 //
939 // This MUST be called with at least 4 byte behind 'p'.
940 // (i.e. this routine writes to p[-4]).
941 void processipv6in(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
942 {
943 struct in6_addr ip;
944 in_addr_t ipv4;
945
946 CSTAT(processipv6in);
947
948 LOG_HEX(5, "IPv6", p, l);
949
950 ip = *(struct in6_addr *) (p + 8);
951 ipv4 = ntohl(*(uint32_t *)(p + 16));
952
953 if (l > MAXETHER)
954 {
955 LOG(1, s, t, "IP packet too long %d\n", l);
956 STAT(tunnel_rx_errors);
957 return ;
958 }
959
960 // no spoof
961 if (ipv4 != session[s].ip && memcmp(&config->ipv6_prefix, &ip, 8) && sessionbyipv6(ip) != s)
962 {
963 char str[INET6_ADDRSTRLEN];
964 LOG(5, s, t, "Dropping packet with spoofed IP %s\n",
965 inet_ntop(AF_INET6, &ip, str, INET6_ADDRSTRLEN));
966 return;
967 }
968
969 // Check if it's a Router Solicition message.
970 if (*(p + 6) == 58 && *(p + 7) == 255 && *(p + 24) == 0xFF && *(p + 25) == 2 &&
971 *(uint32_t *)(p + 26) == 0 && *(uint32_t *)(p + 30) == 0 &&
972 *(uint32_t *)(p + 34) == 0 &&
973 *(p + 38) == 0 && *(p + 39) == 2 && *(p + 40) == 133) {
974 LOG(3, s, t, "Got IPv6 RS\n");
975 send_ipv6_ra(t, s, &ip);
976 return;
977 }
978
979 // Add on the tun header
980 p -= 4;
981 *(uint32_t *) p = htonl(PKTIPV6);
982 l += 4;
983
984 // Are we throttled and a slave?
985 if (session[s].tbf_in && !config->cluster_iam_master) {
986 // Pass it to the master for handling.
987 master_throttle_packet(session[s].tbf_in, p, l);
988 return;
989 }
990
991 // Are we throttled and a master??
992 if (session[s].tbf_in && config->cluster_iam_master) {
993 // Actually handle the throttled packets.
994 tbf_queue_packet(session[s].tbf_in, p, l);
995 return;
996 }
997
998 // send to ethernet
999 if (tun_write(p, l) < 0)
1000 {
1001 STAT(tun_tx_errors);
1002 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
1003 l, strerror(errno), tunfd, p);
1004
1005 return;
1006 }
1007
1008 if (session[s].snoop_ip && session[s].snoop_port)
1009 {
1010 // Snooping this session
1011 snoop_send_packet(p + 4, l - 4, session[s].snoop_ip, session[s].snoop_port);
1012 }
1013
1014 session[s].cin += l - 4;
1015 session[s].total_cin += l - 4;
1016 sess_local[s].cin += l - 4;
1017
1018 session[s].pin++;
1019 eth_tx += l - 4;
1020
1021 STAT(tun_tx_packets);
1022 INC_STAT(tun_tx_bytes, l - 4);
1023 }
1024
1025 //
1026 // Helper routine for the TBF filters.
1027 // Used to send queued data in from the user.
1028 //
1029 void send_ipin(sessionidt s, uint8_t *buf, int len)
1030 {
1031 LOG_HEX(5, "IP in throttled", buf, len);
1032
1033 if (write(tunfd, buf, len) < 0)
1034 {
1035 STAT(tun_tx_errors);
1036 LOG(0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
1037 len, strerror(errno), tunfd, buf);
1038
1039 return;
1040 }
1041
1042 if (session[s].snoop_ip && session[s].snoop_port)
1043 {
1044 // Snooping this session
1045 snoop_send_packet(buf + 4, len - 4, session[s].snoop_ip, session[s].snoop_port);
1046 }
1047
1048 // Increment packet counters
1049 session[s].cin += len - 4;
1050 session[s].total_cin += len - 4;
1051 sess_local[s].cin += len - 4;
1052
1053 session[s].pin++;
1054 eth_tx += len - 4;
1055
1056 STAT(tun_tx_packets);
1057 INC_STAT(tun_tx_bytes, len - 4);
1058 }
1059
1060
1061 // Process CCP messages
1062 void processccp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
1063 {
1064 uint8_t b[MAXCONTROL];
1065 uint8_t *q;
1066
1067 CSTAT(processccp);
1068
1069 LOG_HEX(5, "CCP", p, l);
1070 switch (l > 1 ? *p : 0)
1071 {
1072 case ConfigAck:
1073 session[s].flags |= SF_CCP_ACKED;
1074 return;
1075
1076 case ConfigReq:
1077 if (l < 6) // accept no compression
1078 {
1079 *p = ConfigAck;
1080 break;
1081 }
1082
1083 // compression requested--reject
1084 *p = ConfigRej;
1085
1086 // send CCP request for no compression for our end if not negotiated
1087 if (!(session[s].flags & SF_CCP_ACKED))
1088 initccp(t, s);
1089
1090 break;
1091
1092 case TerminateReq:
1093 *p = TerminateAck;
1094 break;
1095
1096 default:
1097 if (l > 1)
1098 LOG(1, s, t, "Unexpected CCP request code %d\n", *p);
1099 else
1100 LOG(1, s, t, "Short CCP packet\n");
1101
1102 STAT(tunnel_rx_errors);
1103 return;
1104 }
1105
1106 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPCCP)))
1107 return;
1108
1109 tunnelsend(b, l + (q - b), t); // send it
1110 }
1111
1112 // send a CHAP challenge
1113 void sendchap(tunnelidt t, sessionidt s)
1114 {
1115 uint8_t b[MAXCONTROL];
1116 uint16_t r = sess_local[s].radius;
1117 uint8_t *q;
1118
1119 CSTAT(sendchap);
1120
1121 if (!r)
1122 {
1123 LOG(1, s, t, "No RADIUS to send challenge\n");
1124 STAT(tunnel_tx_errors);
1125 return;
1126 }
1127
1128 LOG(1, s, t, "Send CHAP challenge\n");
1129
1130 radius[r].chap = 1; // CHAP not PAP
1131 radius[r].id++;
1132 if (radius[r].state != RADIUSCHAP)
1133 radius[r].try = 0;
1134
1135 radius[r].state = RADIUSCHAP;
1136 radius[r].retry = backoff(radius[r].try++);
1137 if (radius[r].try > 5)
1138 {
1139 sessionshutdown(s, "CHAP timeout.", 3, 0);
1140 STAT(tunnel_tx_errors);
1141 return ;
1142 }
1143 q = makeppp(b, sizeof(b), 0, 0, t, s, PPPCHAP);
1144 if (!q) return;
1145
1146 *q = 1; // challenge
1147 q[1] = radius[r].id; // ID
1148 q[4] = 16; // value size (size of challenge)
1149 memcpy(q + 5, radius[r].auth, 16); // challenge
1150 strcpy(q + 21, hostname); // our name
1151 *(uint16_t *) (q + 2) = htons(strlen(hostname) + 21); // length
1152 tunnelsend(b, strlen(hostname) + 21 + (q - b), t); // send it
1153 }
1154
1155 // fill in a L2TP message with a PPP frame,
1156 // copies existing PPP message and changes magic number if seen
1157 // returns start of PPP frame
1158 uint8_t *makeppp(uint8_t *b, int size, uint8_t *p, int l, tunnelidt t, sessionidt s, uint16_t mtype)
1159 {
1160 if (size < 12) // Need more space than this!!
1161 {
1162 static int backtrace_count = 0;
1163 LOG(0, s, t, "makeppp buffer too small for L2TP header (size=%d)\n", size);
1164 log_backtrace(backtrace_count, 5)
1165 return NULL;
1166 }
1167
1168 *(uint16_t *) (b + 0) = htons(0x0002); // L2TP with no options
1169 *(uint16_t *) (b + 2) = htons(tunnel[t].far); // tunnel
1170 *(uint16_t *) (b + 4) = htons(session[s].far); // session
1171 b += 6;
1172 if (mtype == PPPLCP || !(session[s].l2tp_flags & SESSIONACFC))
1173 {
1174 *(uint16_t *) b = htons(0xFF03); // HDLC header
1175 b += 2;
1176 }
1177 if (mtype < 0x100 && session[s].l2tp_flags & SESSIONPFC)
1178 *b++ = mtype;
1179 else
1180 {
1181 *(uint16_t *) b = htons(mtype);
1182 b += 2;
1183 }
1184
1185 if (l + 12 > size)
1186 {
1187 static int backtrace_count = 0;
1188 LOG(2, s, t, "makeppp would overflow buffer (size=%d, header+payload=%d)\n", size, l + 12);
1189 log_backtrace(backtrace_count, 5)
1190 return NULL;
1191 }
1192
1193 if (p && l)
1194 memcpy(b, p, l);
1195
1196 return b;
1197 }
1198
1199 // Send initial LCP ConfigReq for PAP, set magic no.
1200 void initlcp(tunnelidt t, sessionidt s)
1201 {
1202 char b[500], *q;
1203 int size;
1204
1205 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP)))
1206 return;
1207
1208 LOG(4, s, t, "Sending LCP ConfigReq for PAP\n");
1209 *q = ConfigReq;
1210 *(uint8_t *)(q + 1) = (time_now % 255) + 1; // ID
1211 *(uint16_t *)(q + 2) = htons(14); // Length
1212 *(uint8_t *)(q + 4) = 5;
1213 *(uint8_t *)(q + 5) = 6;
1214 *(uint32_t *)(q + 6) = htonl(session[s].magic);
1215 *(uint8_t *)(q + 10) = 3;
1216 if (config->radius_authprefer == AUTHCHAP)
1217 {
1218 *(uint8_t *)(q + 11) = 5;
1219 *(uint16_t *)(q + 12) = htons(PPPCHAP);
1220 *(uint8_t *)(q + 14) = 5; // MD5
1221 size = 15;
1222 }
1223 else
1224 {
1225 *(uint8_t *)(q + 11) = 4;
1226 *(uint16_t *)(q + 12) = htons(PPPPAP);
1227 size = 14;
1228 }
1229
1230 LOG_HEX(5, "PPPLCP", q, size);
1231 tunnelsend(b, (q - b) + size, t);
1232 }
1233
1234 // Send CCP request for no compression
1235 static void initccp(tunnelidt t, sessionidt s)
1236 {
1237 char b[500], *q;
1238
1239 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPCCP)))
1240 return;
1241
1242 LOG(4, s, t, "Sending CCP ConfigReq for no compression\n");
1243 *q = ConfigReq;
1244 *(uint8_t *)(q + 1) = (time_now % 255) + 1; // ID
1245 *(uint16_t *)(q + 2) = htons(4); // Length
1246
1247 LOG_HEX(5, "PPPCCP", q, 4);
1248 tunnelsend(b, (q - b) + 4 , t);
1249 }