0d3b168785ad1317180115703cb051fede40c7d7
[l2tpns.git] / ppp.c
1 // L2TPNS PPP Stuff
2
3 char const *cvs_id_ppp = "$Id: ppp.c,v 1.64 2005-06-24 08:34:53 bodea Exp $";
4
5 #include <stdio.h>
6 #include <string.h>
7 #include <unistd.h>
8 #include <errno.h>
9 #include <stdlib.h>
10 #include "l2tpns.h"
11 #include "constants.h"
12 #include "plugin.h"
13 #include "util.h"
14 #include "tbf.h"
15 #include "cluster.h"
16
17 extern tunnelt *tunnel;
18 extern sessiont *session;
19 extern radiust *radius;
20 extern int tunfd;
21 extern char hostname[];
22 extern uint32_t eth_tx;
23 extern time_t time_now;
24 extern configt *config;
25
26 static void initccp(tunnelidt t, sessionidt s);
27 static uint8_t *add_lcp_auth(uint8_t *b, int size, int authtype);
28
29 // Process PAP messages
30 void processpap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
31 {
32 char user[MAXUSER];
33 char pass[MAXPASS];
34 uint16_t hl;
35
36 CSTAT(processpap);
37
38 LOG_HEX(5, "PAP", p, l);
39 if (l < 4)
40 {
41 LOG(1, s, t, "Short PAP %u bytes\n", l);
42 STAT(tunnel_rx_errors);
43 sessionshutdown(s, "Short PAP packet.", 3, 0);
44 return;
45 }
46
47 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
48 {
49 LOG(1, s, t, "Length mismatch PAP %u/%u\n", hl, l);
50 STAT(tunnel_rx_errors);
51 sessionshutdown(s, "PAP length mismatch.", 3, 0);
52 return;
53 }
54 l = hl;
55
56 if (*p != 1)
57 {
58 LOG(1, s, t, "Unexpected PAP code %d\n", *p);
59 STAT(tunnel_rx_errors);
60 sessionshutdown(s, "Unexpected PAP code.", 3, 0);
61 return;
62 }
63
64 {
65 uint8_t *b = p;
66 b += 4;
67 user[0] = pass[0] = 0;
68 if (*b && *b < sizeof(user))
69 {
70 memcpy(user, b + 1, *b);
71 user[*b] = 0;
72 b += 1 + *b;
73 if (*b && *b < sizeof(pass))
74 {
75 memcpy(pass, b + 1, *b);
76 pass[*b] = 0;
77 }
78 }
79 LOG(3, s, t, "PAP login %s/%s\n", user, pass);
80 }
81 if (session[s].ip || !sess_local[s].radius)
82 {
83 // respond now, either no RADIUS available or already authenticated
84 uint8_t b[MAXCONTROL];
85 uint8_t id = p[1];
86 uint8_t *p = makeppp(b, sizeof(b), 0, 0, t, s, PPPPAP);
87 if (!p) return;
88
89 if (session[s].ip)
90 *p = 2; // ACK
91 else
92 *p = 3; // cant authorise
93 p[1] = id;
94 *(uint16_t *) (p + 2) = htons(5); // length
95 p[4] = 0; // no message
96 if (session[s].ip)
97 {
98 LOG(3, s, t, "Already an IP allocated: %s (%d)\n",
99 fmtaddr(htonl(session[s].ip), 0), session[s].ip_pool_index);
100
101 session[s].flags &= ~SF_IPCP_ACKED;
102 }
103 else
104 {
105 LOG(1, s, t, "No radius session available to authenticate session...\n");
106 }
107 LOG(3, s, t, "Fallback response to PAP (%s)\n", (session[s].ip) ? "ACK" : "NAK");
108 tunnelsend(b, 5 + (p - b), t); // send it
109 sessionshutdown(s, "PAP authentication failed.", 3, 0);
110 }
111 else
112 {
113 // set up RADIUS request
114 uint16_t r = sess_local[s].radius;
115
116 // Run PRE_AUTH plugins
117 struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
118 run_plugins(PLUGIN_PRE_AUTH, &packet);
119 if (!packet.continue_auth)
120 {
121 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
122 if (packet.username) free(packet.username);
123 if (packet.password) free(packet.password);
124 return;
125 }
126
127 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
128 strncpy(radius[r].pass, packet.password, sizeof(radius[r].pass) - 1);
129
130 free(packet.username);
131 free(packet.password);
132
133 radius[r].id = p[1];
134 LOG(3, s, t, "Sending login for %s/%s to radius\n", user, pass);
135 radiussend(r, RADIUSAUTH);
136 }
137 }
138
139 // Process CHAP messages
140 void processchap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
141 {
142 uint16_t r;
143 uint16_t hl;
144
145 CSTAT(processchap);
146
147 LOG_HEX(5, "CHAP", p, l);
148 r = sess_local[s].radius;
149 if (!r)
150 {
151 LOG(1, s, t, "Unexpected CHAP message\n");
152 STAT(tunnel_rx_errors);
153 return;
154 }
155
156 if (l < 4)
157 {
158 LOG(1, s, t, "Short CHAP %u bytes\n", l);
159 STAT(tunnel_rx_errors);
160 sessionshutdown(s, "Short CHAP packet.", 3, 0);
161 return;
162 }
163
164 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
165 {
166 LOG(1, s, t, "Length mismatch CHAP %u/%u\n", hl, l);
167 STAT(tunnel_rx_errors);
168 sessionshutdown(s, "CHAP length mismatch.", 3, 0);
169 return;
170 }
171 l = hl;
172
173 if (*p != 2)
174 {
175 LOG(1, s, t, "Unexpected CHAP response code %d\n", *p);
176 STAT(tunnel_rx_errors);
177 sessionshutdown(s, "CHAP length mismatch.", 3, 0);
178 return;
179 }
180 if (p[1] != radius[r].id)
181 {
182 LOG(1, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
183 STAT(tunnel_rx_errors);
184 sessionshutdown(s, "Unexpected CHAP response ID.", 3, 0);
185 return;
186 }
187
188 if (l < 5 || p[4] != 16)
189 {
190 LOG(1, s, t, "Bad CHAP response length %d\n", l < 5 ? -1 : p[4]);
191 STAT(tunnel_rx_errors);
192 sessionshutdown(s, "Bad CHAP response length.", 3, 0);
193 return;
194 }
195
196 l -= 5;
197 p += 5;
198 if (l < 16 || l - 16 >= sizeof(session[s].user))
199 {
200 LOG(1, s, t, "CHAP user too long %d\n", l - 16);
201 STAT(tunnel_rx_errors);
202 sessionshutdown(s, "CHAP username too long.", 3, 0);
203 return;
204 }
205
206 // Run PRE_AUTH plugins
207 {
208 struct param_pre_auth packet = { &tunnel[t], &session[s], NULL, NULL, PPPCHAP, 1 };
209
210 packet.password = calloc(17, 1);
211 memcpy(packet.password, p, 16);
212
213 p += 16;
214 l -= 16;
215
216 packet.username = calloc(l + 1, 1);
217 memcpy(packet.username, p, l);
218
219 run_plugins(PLUGIN_PRE_AUTH, &packet);
220 if (!packet.continue_auth)
221 {
222 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
223 if (packet.username) free(packet.username);
224 if (packet.password) free(packet.password);
225 return;
226 }
227
228 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
229 memcpy(radius[r].pass, packet.password, 16);
230
231 free(packet.username);
232 free(packet.password);
233 }
234
235 radius[r].chap = 1;
236 LOG(3, s, t, "CHAP login %s\n", session[s].user);
237 radiussend(r, RADIUSAUTH);
238 }
239
240 static void dumplcp(uint8_t *p, int l)
241 {
242 int x = l - 4;
243 uint8_t *o = (p + 4);
244
245 LOG_HEX(5, "PPP LCP Packet", p, l);
246 LOG(4, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_type((int)*p), ntohs( ((uint16_t *) p)[1]) );
247 LOG(4, 0, 0, "Length: %d\n", l);
248 if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
249 return;
250
251 while (x > 2)
252 {
253 int type = o[0];
254 int length = o[1];
255 if (length < 2)
256 {
257 LOG(4, 0, 0, " Option length is %d...\n", length);
258 break;
259 }
260 if (type == 0)
261 {
262 LOG(4, 0, 0, " Option type is 0...\n");
263 x -= length;
264 o += length;
265 continue;
266 }
267 switch (type)
268 {
269 case 1: // Maximum-Receive-Unit
270 if (length == 4)
271 LOG(4, 0, 0, " %s %d\n", lcp_type(type), ntohs(*(uint16_t *)(o + 2)));
272 else
273 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
274 break;
275 case 2: // Async-Control-Character-Map
276 if (length == 6)
277 {
278 uint32_t asyncmap = ntohl(*(uint32_t *)(o + 2));
279 LOG(4, 0, 0, " %s %x\n", lcp_type(type), asyncmap);
280 }
281 else
282 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
283 break;
284 case 3: // Authentication-Protocol
285 if (length == 4)
286 {
287 int proto = ntohs(*(uint16_t *)(o + 2));
288 LOG(4, 0, 0, " %s 0x%x (%s)\n", lcp_type(type), proto,
289 proto == PPPPAP ? "PAP" : "UNSUPPORTED");
290 }
291 else if (length == 5)
292 {
293 int proto = ntohs(*(uint16_t *)(o + 2));
294 int algo = *(uint8_t *)(o + 4);
295 LOG(4, 0, 0, " %s 0x%x 0x%x (%s)\n", lcp_type(type), proto, algo,
296 (proto == PPPCHAP && algo == 5) ? "CHAP MD5" : "UNSUPPORTED");
297 }
298 else
299 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
300 break;
301 case 4: // Quality-Protocol
302 {
303 uint32_t qp = ntohl(*(uint32_t *)(o + 2));
304 LOG(4, 0, 0, " %s %x\n", lcp_type(type), qp);
305 }
306 break;
307 case 5: // Magic-Number
308 if (length == 6)
309 {
310 uint32_t magicno = ntohl(*(uint32_t *)(o + 2));
311 LOG(4, 0, 0, " %s %x\n", lcp_type(type), magicno);
312 }
313 else
314 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
315 break;
316 case 7: // Protocol-Field-Compression
317 case 8: // Address-And-Control-Field-Compression
318 LOG(4, 0, 0, " %s\n", lcp_type(type));
319 break;
320 default:
321 LOG(2, 0, 0, " Unknown PPP LCP Option type %d\n", type);
322 break;
323 }
324 x -= length;
325 o += length;
326 }
327 }
328
329 // Process LCP messages
330 void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
331 {
332 uint8_t b[MAXCONTROL];
333 uint8_t *q = NULL;
334 uint32_t magicno = 0;
335 uint16_t hl;
336
337 CSTAT(processlcp);
338
339 LOG_HEX(5, "LCP", p, l);
340 if (l < 4)
341 {
342 LOG(1, s, t, "Short LCP %d bytes\n", l);
343 STAT(tunnel_rx_errors);
344 return ;
345 }
346
347 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
348 {
349 LOG(1, s, t, "Length mismatch LCP %u/%u\n", hl, l);
350 STAT(tunnel_rx_errors);
351 return ;
352 }
353 l = hl;
354
355 if (*p == ConfigAck)
356 {
357 int x = l - 4;
358 uint8_t *o = (p + 4);
359
360 LOG(3, s, t, "LCP: ConfigAck (%d bytes)...\n", l);
361 if (config->debug > 3) dumplcp(p, l);
362
363 while (x > 2)
364 {
365 int type = o[0];
366 int length = o[1];
367
368 if (length == 0 || type == 0 || x < length) break;
369 switch (type)
370 {
371 case 3: // Authentication-Protocol
372 {
373 int proto = ntohs(*(uint16_t *)(o + 2));
374 if (proto == PPPCHAP && *(o + 4) == 5)
375 sendchap(t, s);
376 }
377
378 break;
379 }
380 x -= length;
381 o += length;
382 }
383
384 session[s].flags |= SF_LCP_ACKED;
385 }
386 else if (*p == ConfigReq)
387 {
388 int x = l - 4;
389 uint8_t *o = (p + 4);
390 uint8_t *response = 0;
391
392 LOG(3, s, t, "LCP: ConfigReq (%d bytes)...\n", l);
393 if (config->debug > 3) dumplcp(p, l);
394
395 while (x > 2)
396 {
397 int type = o[0];
398 int length = o[1];
399
400 if (length == 0 || type == 0 || x < length) break;
401 switch (type)
402 {
403 case 1: // Maximum-Receive-Unit
404 session[s].mru = ntohs(*(uint16_t *)(o + 2));
405 break;
406
407 case 2: // Async-Control-Character-Map
408 if (!ntohl(*(uint32_t *)(o + 2))) // all bits zero is OK
409 break;
410
411 if (response && *response != ConfigNak) // rej already queued
412 break;
413
414 LOG(2, s, t, " Remote requesting asyncmap. Rejecting.\n");
415 if (!response)
416 {
417 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
418 if (!q) break;
419 *q = ConfigNak;
420 q += 4;
421 }
422
423 if ((q - b + 11) > sizeof(b))
424 {
425 LOG(2, s, t, "LCP overflow for asyncmap ConfigNak.\n");
426 break;
427 }
428
429 *q++ = type;
430 *q++ = 6;
431 memset(q, 0, 4); // asyncmap 0
432 q += 4;
433 break;
434
435 case 3: // Authentication-Protocol
436 {
437 int proto = ntohs(*(uint16_t *)(o + 2));
438 char proto_name[] = "0x0000";
439 uint8_t *a;
440
441 if (proto == PPPPAP)
442 {
443 if (config->radius_authtypes & AUTHPAP)
444 break;
445
446 strcpy(proto_name, "PAP");
447 }
448 else if (proto == PPPCHAP)
449 {
450 if (config->radius_authtypes & AUTHCHAP
451 && *(o + 4) == 5) // MD5
452 break;
453
454 strcpy(proto_name, "CHAP");
455 }
456 else
457 sprintf(proto_name, "%#4.4x", proto);
458
459 if (response && *response != ConfigNak) // rej already queued
460 break;
461
462 LOG(2, s, t, " Remote requesting %s authentication. Rejecting.\n", proto_name);
463
464 if (!response)
465 {
466 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
467 if (!q) break;
468 *q = ConfigNak;
469 q += 4;
470 }
471
472 a = add_lcp_auth(q, sizeof(b) - (q - b), config->radius_authprefer);
473 if (!a)
474 {
475 LOG(2, s, t, "LCP overflow for %s ConfigNak.\n", proto_name);
476 break;
477 }
478
479 q = a;
480
481 if (config->radius_authtypes != config->radius_authprefer)
482 {
483 a = add_lcp_auth(q, sizeof(b) - (q - b), config->radius_authtypes & ~config->radius_authprefer);
484 if (!a)
485 {
486 LOG(2, s, t, "LCP overflow for %s ConfigNak.\n", proto_name);
487 break;
488 }
489
490 q = a;
491 }
492
493 break;
494 }
495 break;
496
497 case 5: // Magic-Number
498 magicno = ntohl(*(uint32_t *)(o + 2));
499 break;
500
501 case 4: // Quality-Protocol
502 case 7: // Protocol-Field-Compression
503 case 8: // Address-And-Control-Field-Compression
504 break;
505
506 default: // Reject any unknown options
507 LOG(2, s, t, " Rejecting PPP LCP Option type %d\n", type);
508 if (!response || *response != ConfigRej) // drop nak in favour of rej
509 {
510 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
511 if (!q) break;
512 *q = ConfigRej;
513 q += 4;
514 }
515
516 if ((q - b + length) > sizeof(b))
517 {
518 LOG(2, s, t, "LCP overflow for ConfigRej (type=%d).\n", type);
519 break;
520 }
521
522 memcpy(q, o, length);
523 q += length;
524 }
525 x -= length;
526 o += length;
527 }
528
529 if (response)
530 {
531 l = q - response; // LCP packet length
532 *((uint16_t *) (response + 2)) = htons(l); // update header
533 }
534 else
535 {
536 // Send packet back as ConfigAck
537 response = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
538 if (!response) return;
539 *response = ConfigAck;
540 }
541
542 LOG(3, s, t, "Sending %s\n", ppp_lcp_type(*response));
543 tunnelsend(b, l + response - b, t);
544
545 if (!(session[s].flags & SF_LCP_ACKED))
546 sendlcp(t, s, config->radius_authprefer);
547 }
548 else if (*p == ConfigNak)
549 {
550 int x = l - 4;
551 uint8_t *o = (p + 4);
552 int authtype = -1;
553
554 LOG(3, s, t, "LCP: ConfigNak (%d bytes)...\n", l);
555 if (config->debug > 3) dumplcp(p, l);
556
557 while (x > 2)
558 {
559 int type = o[0];
560 int length = o[1];
561
562 if (length == 0 || type == 0 || x < length) break;
563 switch (type)
564 {
565 case 1: // Maximum-Receive-Unit
566 session[s].mru = ntohs(*(uint16_t *)(o + 2));
567 LOG(3, s, t, " Remote requested MRU of %u\n", session[s].mru);
568 break;
569
570 case 3: // Authentication-Protocol
571 if (authtype > 0)
572 break;
573
574 {
575 int proto = ntohs(*(uint16_t *)(o + 2));
576 if (proto == PPPPAP)
577 {
578 authtype = config->radius_authtypes & AUTHPAP;
579 LOG(3, s, t, " Remote requested PAP authentication...%sing\n",
580 authtype ? "accept" : "reject");
581 }
582 else if (proto == PPPCHAP && *(o + 4) == 5)
583 {
584 authtype = config->radius_authtypes & AUTHCHAP;
585 LOG(3, s, t, " Remote requested CHAP authentication...%sing\n",
586 authtype ? "accept" : "reject");
587 }
588 else
589 {
590 LOG(3, s, t, " Rejecting unsupported authentication %#4x\n",
591 proto);
592 }
593 }
594
595 break;
596
597 default:
598 LOG(2, s, t, " Remote NAKed LCP type %u?\n", type);
599 break;
600 }
601 x -= length;
602 o += length;
603 }
604
605 if (!authtype)
606 {
607 sessionshutdown(s, "Unsupported authentication.", 3, 0);
608 return;
609 }
610
611 if (authtype == -1)
612 authtype = config->radius_authprefer;
613
614 sendlcp(t, s, authtype);
615 }
616 else if (*p == TerminateReq)
617 {
618 LOG(3, s, t, "LCP: Received TerminateReq. Sending TerminateAck\n");
619 *p = TerminateAck; // close
620 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
621 if (!q) return;
622 tunnelsend(b, l + (q - b), t); // send it
623 sessionshutdown(s, "Remote end closed connection.", 3, 0);
624 }
625 else if (*p == TerminateAck)
626 {
627 sessionshutdown(s, "Connection closed.", 3, 0);
628 }
629 else if (*p == ProtocolRej)
630 {
631 if (*(uint16_t *) (p+4) == htons(PPPIPV6CP))
632 {
633 LOG(3, s, t, "IPv6 rejected\n");
634 session[s].flags |= SF_IPV6_NACKED;
635 }
636 else
637 {
638 LOG(1, s, t, "Unexpected LCP protocol reject 0x%X\n",
639 ntohs(*(uint16_t *) (p+4)));
640 STAT(tunnel_rx_errors);
641 }
642 }
643 else if (*p == EchoReq)
644 {
645 LOG(5, s, t, "LCP: Received EchoReq. Sending EchoReply\n");
646 *p = EchoReply; // reply
647 *(uint32_t *) (p + 4) = htonl(session[s].magic); // our magic number
648 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
649 if (!q) return;
650 tunnelsend(b, l + (q - b), t); // send it
651 }
652 else if (*p == EchoReply)
653 {
654 // Ignore it, last_packet time is set earlier than this.
655 }
656 else if (*p == IdentRequest)
657 {
658 *p = CodeRej;
659 if (l > MAXCONTROL)
660 {
661 LOG(1, s, t, "Truncated Ident Packet (length=%d) to 1400 bytes\n", l);
662 l = 1400;
663 }
664 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
665 if (!q) return;
666 LOG_HEX(5, "LCPIdentRej", q, l + 4);
667 tunnelsend(b, 12 + 4 + l, t);
668 }
669 else
670 {
671 LOG(1, s, t, "Unexpected LCP code %d\n", *p);
672 STAT(tunnel_rx_errors);
673 }
674 }
675
676 // find a PPP option, returns point to option, or 0 if not found
677 static uint8_t *findppp(uint8_t *b, uint8_t mtype)
678 {
679 uint16_t l = ntohs(*(uint16_t *) (b + 2));
680 if (l < 4)
681 return 0;
682 b += 4;
683 l -= 4;
684 while (l)
685 {
686 if (l < b[1] || !b[1])
687 return 0; // faulty
688 if (*b == mtype)
689 return b;
690 l -= b[1];
691 b += b[1];
692 }
693 return 0;
694 }
695
696 // Process IPCP messages
697 void processipcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
698 {
699 uint16_t hl;
700
701 CSTAT(processipcp);
702
703 LOG_HEX(5, "IPCP", p, l);
704 if (l < 5)
705 {
706 LOG(1, s, t, "Short IPCP %d bytes\n", l);
707 STAT(tunnel_rx_errors);
708 return ;
709 }
710
711 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
712 {
713 LOG(1, s, t, "Length mismatch IPCP %u/%u\n", hl, l);
714 STAT(tunnel_rx_errors);
715 return ;
716 }
717 l = hl;
718
719 if (*p == ConfigAck)
720 {
721 uint16_t r = sess_local[s].radius;
722
723 // ignore duplicate ACKs
724 if (session[s].flags & SF_IPCP_ACKED)
725 return;
726
727 // happy with our IPCP
728 session[s].flags |= SF_IPCP_ACKED;
729
730 LOG(3, s, t, "IPCP Acked, session is now active\n");
731
732 // clear LCP_ACKED/CCP_ACKED flag for possible fast renegotiation for routers
733 session[s].flags &= ~(SF_LCP_ACKED|SF_CCP_ACKED);
734
735 if (r && session[s].walled_garden)
736 {
737 radiusclear(r, s);
738 return;
739 }
740
741 if (!r)
742 r = radiusnew(s);
743
744 if (r)
745 radiussend(r, RADIUSSTART); // send radius start, having got IPCP at last
746
747 return;
748 }
749 if (*p != ConfigReq)
750 {
751 LOG(1, s, t, "Unexpected IPCP code %d\n", *p);
752 STAT(tunnel_rx_errors);
753 return ;
754 }
755 LOG(4, s, t, "IPCP ConfigReq received\n");
756
757 if (!session[s].ip)
758 {
759 LOG(3, s, t, "Waiting on radius reply\n");
760 return; // have to wait on RADIUS reply
761 }
762 // form a config reply quoting the IP in the session
763 {
764 uint8_t b[MAXCONTROL];
765 uint8_t *i, *q;
766
767 q = p + 4;
768 i = p + l;
769 while (q < i && q[1])
770 {
771 if (*q != 0x81 && *q != 0x83 && *q != 3)
772 break;
773 q += q[1];
774 }
775 if (q < i)
776 {
777 // reject
778 uint16_t n = 4;
779 i = p + l;
780 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
781 return;
782
783 *q = ConfigRej;
784 p += 4;
785 while (p < i && p[1])
786 {
787 if (*p != 0x81 && *p != 0x83 && *p != 3)
788 {
789 LOG(2, s, t, "IPCP reject %d\n", *p);
790 memcpy(q + n, p, p[1]);
791 n += p[1];
792 }
793 p += p[1];
794 }
795 *(uint16_t *) (q + 2) = htons(n);
796 LOG(4, s, t, "Sending ConfigRej\n");
797 tunnelsend(b, n + (q - b), t); // send it
798 }
799 else
800 {
801 LOG(4, s, t, "Sending ConfigAck\n");
802 *p = ConfigAck;
803 if ((i = findppp(p, 0x81))) // Primary DNS address
804 {
805 if (*(uint32_t *) (i + 2) != htonl(session[s].dns1))
806 {
807 *(uint32_t *) (i + 2) = htonl(session[s].dns1);
808 *p = ConfigNak;
809 LOG(5, s, t, " DNS1 = %s\n",
810 fmtaddr(htonl(session[s].dns1), 0));
811 }
812 }
813 if ((i = findppp(p, 0x83))) // Secondary DNS address (TBA, is it)
814 {
815 if (*(uint32_t *) (i + 2) != htonl(session[s].dns2))
816 {
817 *(uint32_t *) (i + 2) = htonl(session[s].dns2);
818 *p = ConfigNak;
819 LOG(5, s, t, " DNS2 = %s\n",
820 fmtaddr(htonl(session[s].dns2), 0));
821 }
822 }
823 i = findppp(p, 3); // IP address
824 if (!i || i[1] != 6)
825 {
826 LOG(1, s, t, "No IP in IPCP request\n");
827 STAT(tunnel_rx_errors);
828 return ;
829 }
830 if (*(uint32_t *) (i + 2) != htonl(session[s].ip))
831 {
832 *(uint32_t *) (i + 2) = htonl(session[s].ip);
833 *p = ConfigNak;
834 LOG(4, s, t, " No, a ConfigNak, client is requesting IP - sending %s\n",
835 fmtaddr(htonl(session[s].ip), 0));
836 }
837 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
838 return;
839
840 tunnelsend(b, l + (q - b), t); // send it
841 }
842 }
843 }
844
845 // Process IPV6CP messages
846 void processipv6cp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
847 {
848
849 CSTAT(processipv6cp);
850
851 LOG_HEX(5, "IPV6CP", p, l);
852 if (l < 4)
853 {
854 LOG(1, s, t, "Short IPV6CP %d bytes\n", l);
855 STAT(tunnel_rx_errors);
856 return ;
857 }
858 if (*p == ConfigAck)
859 {
860 // happy with our IPV6CP
861 session[s].flags |= SF_IPV6CP_ACKED;
862
863 LOG(3, s, t, "IPV6CP Acked, IPv6 is now active\n");
864 // Add a routed block if configured.
865 if (session[s].ipv6prefixlen)
866 {
867 route6set(s, session[s].ipv6route, session[s].ipv6prefixlen, 1);
868 session[s].flags |= SF_IPV6_ROUTED;
869 }
870
871 // Send an initial RA (TODO: Should we send these regularly?)
872 send_ipv6_ra(t, s, NULL);
873 return;
874 }
875 if (*p != ConfigReq)
876 {
877 LOG(1, s, t, "Unexpected IPV6CP code %d\n", *p);
878 STAT(tunnel_rx_errors);
879 return;
880 }
881
882 LOG(4, s, t, "IPV6CP ConfigReq received\n");
883 if (ntohs(*(uint16_t *) (p + 2)) > l)
884 {
885 LOG(1, s, t, "Length mismatch IPV6CP %d/%d\n", ntohs(*(uint16_t *) (p + 2)), l);
886 STAT(tunnel_rx_errors);
887 return ;
888 }
889 if (!session[s].ip)
890 {
891 LOG(3, s, t, "Waiting on radius reply\n");
892 return; // have to wait on RADIUS reply
893 }
894 // form a config reply quoting the IP in the session
895 {
896 uint8_t b[MAXCONTROL];
897 uint8_t *i,
898 *q;
899
900 l = ntohs(*(uint16_t *) (p + 2)); // We must use length from IPV6CP len field
901 q = p + 4;
902 i = p + l;
903 while (q < i && q[1])
904 {
905 if (*q != 1)
906 break;
907 q += q[1];
908 }
909 if (q < i)
910 {
911 // reject
912 uint16_t n = 4;
913 i = p + l;
914 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPV6CP)))
915 {
916 LOG(2, s, t, "Failed to send IPV6CP ConfigRej\n");
917 return;
918 }
919 *q = ConfigRej;
920 p += 4;
921 while (p < i && p[1])
922 {
923 if (*p != 1)
924 {
925 LOG(2, s, t, "IPV6CP reject %d\n", *p);
926 memcpy(q + n, p, p[1]);
927 n += p[1];
928 }
929 p += p[1];
930 }
931 *(uint16_t *) (q + 2) = htons(n);
932 LOG(4, s, t, "Sending ConfigRej\n");
933 tunnelsend(b, n + (q - b), t); // send it
934 }
935 else
936 {
937 LOG(4, s, t, "Sending ConfigAck\n");
938 *p = ConfigAck;
939 i = findppp(p, 1); // IP address
940 if (!i || i[1] != 10)
941 {
942 LOG(1, s, t, "No IP in IPV6CP request\n");
943 STAT(tunnel_rx_errors);
944 return ;
945 }
946 if ((*(uint32_t *) (i + 2) != htonl(session[s].ip)) ||
947 (*(uint32_t *) (i + 6) != 0))
948 {
949 *(uint32_t *) (i + 2) = htonl(session[s].ip);
950 *(uint32_t *) (i + 6) = 0;
951 *p = ConfigNak;
952 LOG(4, s, t,
953 " No, a ConfigNak, client is "
954 "requesting IP - sending %s\n",
955 fmtaddr(htonl(session[s].ip), 0));
956 }
957 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPV6CP)))
958 {
959 LOG(2, s, t, " Failed to send IPV6CP packet.\n");
960 return;
961 }
962 tunnelsend(b, l + (q - b), t); // send it
963 }
964 }
965 }
966
967 // process IP packet received
968 //
969 // This MUST be called with at least 4 byte behind 'p'.
970 // (i.e. this routine writes to p[-4]).
971 void processipin(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
972 {
973 in_addr_t ip;
974
975 CSTAT(processipin);
976
977 LOG_HEX(5, "IP", p, l);
978
979 ip = ntohl(*(uint32_t *)(p + 12));
980
981 if (l > MAXETHER)
982 {
983 LOG(1, s, t, "IP packet too long %d\n", l);
984 STAT(tunnel_rx_errors);
985 return ;
986 }
987
988 // no spoof (do sessionbyip to handled statically routed subnets)
989 if (ip != session[s].ip && sessionbyip(htonl(ip)) != s)
990 {
991 LOG(5, s, t, "Dropping packet with spoofed IP %s\n", fmtaddr(htonl(ip), 0));
992 return;
993 }
994
995 // run access-list if any
996 if (session[s].filter_in && !ip_filter(p, l, session[s].filter_in - 1))
997 return;
998
999 // Add on the tun header
1000 p -= 4;
1001 *(uint32_t *) p = htonl(PKTIP);
1002 l += 4;
1003
1004 // Are we throttled and a slave?
1005 if (session[s].tbf_in && !config->cluster_iam_master) {
1006 // Pass it to the master for handling.
1007 master_throttle_packet(session[s].tbf_in, p, l);
1008 return;
1009 }
1010
1011 // Are we throttled and a master??
1012 if (session[s].tbf_in && config->cluster_iam_master) {
1013 // Actually handle the throttled packets.
1014 tbf_queue_packet(session[s].tbf_in, p, l);
1015 return;
1016 }
1017
1018 // send to ethernet
1019 if (tun_write(p, l) < 0)
1020 {
1021 STAT(tun_tx_errors);
1022 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
1023 l, strerror(errno), tunfd, p);
1024
1025 return;
1026 }
1027
1028 p += 4;
1029 l -= 4;
1030
1031 if (session[s].snoop_ip && session[s].snoop_port)
1032 {
1033 // Snooping this session
1034 snoop_send_packet(p, l, session[s].snoop_ip, session[s].snoop_port);
1035 }
1036
1037 increment_counter(&session[s].cin, &session[s].cin_wrap, l);
1038 session[s].cin_delta += l;
1039 session[s].pin++;
1040
1041 sess_local[s].cin += l;
1042 sess_local[s].pin++;
1043
1044 eth_tx += l;
1045
1046 STAT(tun_tx_packets);
1047 INC_STAT(tun_tx_bytes, l);
1048 }
1049
1050 // process IPv6 packet received
1051 //
1052 // This MUST be called with at least 4 byte behind 'p'.
1053 // (i.e. this routine writes to p[-4]).
1054 void processipv6in(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
1055 {
1056 struct in6_addr ip;
1057 in_addr_t ipv4;
1058
1059 CSTAT(processipv6in);
1060
1061 LOG_HEX(5, "IPv6", p, l);
1062
1063 ip = *(struct in6_addr *) (p + 8);
1064 ipv4 = ntohl(*(uint32_t *)(p + 16));
1065
1066 if (l > MAXETHER)
1067 {
1068 LOG(1, s, t, "IP packet too long %d\n", l);
1069 STAT(tunnel_rx_errors);
1070 return ;
1071 }
1072
1073 // no spoof
1074 if (ipv4 != session[s].ip && memcmp(&config->ipv6_prefix, &ip, 8) && sessionbyipv6(ip) != s)
1075 {
1076 char str[INET6_ADDRSTRLEN];
1077 LOG(5, s, t, "Dropping packet with spoofed IP %s\n",
1078 inet_ntop(AF_INET6, &ip, str, INET6_ADDRSTRLEN));
1079 return;
1080 }
1081
1082 // Check if it's a Router Solicition message.
1083 if (*(p + 6) == 58 && *(p + 7) == 255 && *(p + 24) == 0xFF && *(p + 25) == 2 &&
1084 *(uint32_t *)(p + 26) == 0 && *(uint32_t *)(p + 30) == 0 &&
1085 *(uint32_t *)(p + 34) == 0 &&
1086 *(p + 38) == 0 && *(p + 39) == 2 && *(p + 40) == 133) {
1087 LOG(3, s, t, "Got IPv6 RS\n");
1088 send_ipv6_ra(t, s, &ip);
1089 return;
1090 }
1091
1092 // Add on the tun header
1093 p -= 4;
1094 *(uint32_t *) p = htonl(PKTIPV6);
1095 l += 4;
1096
1097 // Are we throttled and a slave?
1098 if (session[s].tbf_in && !config->cluster_iam_master) {
1099 // Pass it to the master for handling.
1100 master_throttle_packet(session[s].tbf_in, p, l);
1101 return;
1102 }
1103
1104 // Are we throttled and a master??
1105 if (session[s].tbf_in && config->cluster_iam_master) {
1106 // Actually handle the throttled packets.
1107 tbf_queue_packet(session[s].tbf_in, p, l);
1108 return;
1109 }
1110
1111 // send to ethernet
1112 if (tun_write(p, l) < 0)
1113 {
1114 STAT(tun_tx_errors);
1115 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
1116 l, strerror(errno), tunfd, p);
1117
1118 return;
1119 }
1120
1121 p += 4;
1122 l -= 4;
1123
1124 if (session[s].snoop_ip && session[s].snoop_port)
1125 {
1126 // Snooping this session
1127 snoop_send_packet(p, l, session[s].snoop_ip, session[s].snoop_port);
1128 }
1129
1130 increment_counter(&session[s].cin, &session[s].cin_wrap, l);
1131 session[s].cin_delta += l;
1132 session[s].pin++;
1133
1134 sess_local[s].cin += l;
1135 sess_local[s].pin++;
1136
1137 eth_tx += l;
1138
1139 STAT(tun_tx_packets);
1140 INC_STAT(tun_tx_bytes, l);
1141 }
1142
1143 //
1144 // Helper routine for the TBF filters.
1145 // Used to send queued data in from the user.
1146 //
1147 void send_ipin(sessionidt s, uint8_t *buf, int len)
1148 {
1149 LOG_HEX(5, "IP in throttled", buf, len);
1150
1151 if (write(tunfd, buf, len) < 0)
1152 {
1153 STAT(tun_tx_errors);
1154 LOG(0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
1155 len, strerror(errno), tunfd, buf);
1156
1157 return;
1158 }
1159
1160 buf += 4;
1161 len -= 4;
1162
1163 if (session[s].snoop_ip && session[s].snoop_port)
1164 {
1165 // Snooping this session
1166 snoop_send_packet(buf, len, session[s].snoop_ip, session[s].snoop_port);
1167 }
1168
1169 // Increment packet counters
1170 increment_counter(&session[s].cin, &session[s].cin_wrap, len);
1171 session[s].cin_delta += len;
1172 session[s].pin++;
1173
1174 sess_local[s].cin += len;
1175 sess_local[s].pin++;
1176
1177 eth_tx += len;
1178
1179 STAT(tun_tx_packets);
1180 INC_STAT(tun_tx_bytes, len - 4);
1181 }
1182
1183
1184 // Process CCP messages
1185 void processccp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
1186 {
1187 uint8_t b[MAXCONTROL];
1188 uint8_t *q;
1189
1190 CSTAT(processccp);
1191
1192 LOG_HEX(5, "CCP", p, l);
1193 switch (l > 1 ? *p : 0)
1194 {
1195 case ConfigAck:
1196 session[s].flags |= SF_CCP_ACKED;
1197 return;
1198
1199 case ConfigReq:
1200 if (l < 6) // accept no compression
1201 {
1202 *p = ConfigAck;
1203 break;
1204 }
1205
1206 // compression requested--reject
1207 *p = ConfigRej;
1208
1209 // send CCP request for no compression for our end if not negotiated
1210 if (!(session[s].flags & SF_CCP_ACKED))
1211 initccp(t, s);
1212
1213 break;
1214
1215 case TerminateReq:
1216 *p = TerminateAck;
1217 break;
1218
1219 default:
1220 if (l > 1)
1221 LOG(1, s, t, "Unexpected CCP request code %d\n", *p);
1222 else
1223 LOG(1, s, t, "Short CCP packet\n");
1224
1225 STAT(tunnel_rx_errors);
1226 return;
1227 }
1228
1229 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPCCP)))
1230 return;
1231
1232 tunnelsend(b, l + (q - b), t); // send it
1233 }
1234
1235 // send a CHAP challenge
1236 void sendchap(tunnelidt t, sessionidt s)
1237 {
1238 uint8_t b[MAXCONTROL];
1239 uint16_t r = sess_local[s].radius;
1240 uint8_t *q;
1241
1242 CSTAT(sendchap);
1243
1244 if (!r)
1245 {
1246 LOG(1, s, t, "No RADIUS to send challenge\n");
1247 STAT(tunnel_tx_errors);
1248 return;
1249 }
1250
1251 LOG(1, s, t, "Send CHAP challenge\n");
1252
1253 radius[r].chap = 1; // CHAP not PAP
1254 radius[r].id++;
1255 if (radius[r].state != RADIUSCHAP)
1256 radius[r].try = 0;
1257
1258 radius[r].state = RADIUSCHAP;
1259 radius[r].retry = backoff(radius[r].try++);
1260 if (radius[r].try > 5)
1261 {
1262 sessionshutdown(s, "CHAP timeout.", 3, 0);
1263 STAT(tunnel_tx_errors);
1264 return ;
1265 }
1266 q = makeppp(b, sizeof(b), 0, 0, t, s, PPPCHAP);
1267 if (!q) return;
1268
1269 *q = 1; // challenge
1270 q[1] = radius[r].id; // ID
1271 q[4] = 16; // value size (size of challenge)
1272 memcpy(q + 5, radius[r].auth, 16); // challenge
1273 strcpy(q + 21, hostname); // our name
1274 *(uint16_t *) (q + 2) = htons(strlen(hostname) + 21); // length
1275 tunnelsend(b, strlen(hostname) + 21 + (q - b), t); // send it
1276 }
1277
1278 // fill in a L2TP message with a PPP frame,
1279 // copies existing PPP message and changes magic number if seen
1280 // returns start of PPP frame
1281 uint8_t *makeppp(uint8_t *b, int size, uint8_t *p, int l, tunnelidt t, sessionidt s, uint16_t mtype)
1282 {
1283 if (size < 12) // Need more space than this!!
1284 {
1285 static int backtrace_count = 0;
1286 LOG(0, s, t, "makeppp buffer too small for L2TP header (size=%d)\n", size);
1287 log_backtrace(backtrace_count, 5)
1288 return NULL;
1289 }
1290
1291 *(uint16_t *) (b + 0) = htons(0x0002); // L2TP with no options
1292 *(uint16_t *) (b + 2) = htons(tunnel[t].far); // tunnel
1293 *(uint16_t *) (b + 4) = htons(session[s].far); // session
1294 b += 6;
1295 if (mtype == PPPLCP || !(session[s].l2tp_flags & SESSIONACFC))
1296 {
1297 *(uint16_t *) b = htons(0xFF03); // HDLC header
1298 b += 2;
1299 }
1300 if (mtype < 0x100 && session[s].l2tp_flags & SESSIONPFC)
1301 *b++ = mtype;
1302 else
1303 {
1304 *(uint16_t *) b = htons(mtype);
1305 b += 2;
1306 }
1307
1308 if (l + 12 > size)
1309 {
1310 static int backtrace_count = 0;
1311 LOG(2, s, t, "makeppp would overflow buffer (size=%d, header+payload=%d)\n", size, l + 12);
1312 log_backtrace(backtrace_count, 5)
1313 return NULL;
1314 }
1315
1316 if (p && l)
1317 memcpy(b, p, l);
1318
1319 return b;
1320 }
1321
1322 static uint8_t *add_lcp_auth(uint8_t *b, int size, int authtype)
1323 {
1324 if ((authtype == AUTHCHAP && size < 5) || size < 4)
1325 return 0;
1326
1327 *b++ = 3; // Authentication-Protocol
1328 if (authtype == AUTHCHAP)
1329 {
1330 *b++ = 5; // length
1331 *(uint16_t *) b = htons(PPPCHAP); b += 2;
1332 *b++ = 5; // MD5
1333 }
1334 else if (authtype == AUTHPAP)
1335 {
1336 *b++ = 4; // length
1337 *(uint16_t *) b = htons(PPPPAP); b += 2;
1338 }
1339 else
1340 {
1341 LOG(0, 0, 0, "add_lcp_auth called with unsupported auth type %d\n", authtype);
1342 }
1343
1344 return b;
1345 }
1346
1347 // Send initial LCP ConfigReq for MRU, authentication type and magic no
1348 void sendlcp(tunnelidt t, sessionidt s, int authtype)
1349 {
1350 char b[500], *q, *l;
1351
1352 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP)))
1353 return;
1354
1355 LOG(4, s, t, "Sending LCP ConfigReq for %s\n",
1356 authtype == AUTHCHAP ? "CHAP" : "PAP");
1357
1358 if (!session[s].mru)
1359 session[s].mru = DEFAULT_MRU;
1360
1361 l = q;
1362 *l++ = ConfigReq;
1363 *l++ = (time_now % 255) + 1; // ID
1364
1365 l += 2; //Save space for length
1366
1367 *l++ = 1; *l++ = 4; // Maximum-Receive-Unit (length 4)
1368 *(uint16_t *) l = htons(session[s].mru); l += 2;
1369
1370 l = add_lcp_auth(l, sizeof(b) - (l - b), authtype);
1371
1372 *l++ = 5; *l++ = 6; // Magic-Number (length 6)
1373 *(uint32_t *) l = htonl(session[s].magic);
1374 l += 4;
1375
1376 *(uint16_t *)(q + 2) = htons(l - q); // Length
1377
1378 LOG_HEX(5, "PPPLCP", q, l - q);
1379 tunnelsend(b, (l - b), t);
1380 }
1381
1382 // Send CCP request for no compression
1383 static void initccp(tunnelidt t, sessionidt s)
1384 {
1385 char b[500], *q;
1386
1387 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPCCP)))
1388 return;
1389
1390 LOG(4, s, t, "Sending CCP ConfigReq for no compression\n");
1391 *q = ConfigReq;
1392 *(uint8_t *)(q + 1) = (time_now % 255) + 1; // ID
1393 *(uint16_t *)(q + 2) = htons(4); // Length
1394
1395 LOG_HEX(5, "PPPCCP", q, 4);
1396 tunnelsend(b, (q - b) + 4 , t);
1397 }