3408d86696c070517f842b6d12c93fc62e650356
[l2tpns.git] / ppp.c
1 // L2TPNS PPP Stuff
2
3 char const *cvs_id_ppp = "$Id: ppp.c,v 1.61 2005-05-13 09:23:00 bodea Exp $";
4
5 #include <stdio.h>
6 #include <string.h>
7 #include <unistd.h>
8 #include <errno.h>
9 #include <stdlib.h>
10 #include "l2tpns.h"
11 #include "constants.h"
12 #include "plugin.h"
13 #include "util.h"
14 #include "tbf.h"
15 #include "cluster.h"
16
17 extern tunnelt *tunnel;
18 extern sessiont *session;
19 extern radiust *radius;
20 extern int tunfd;
21 extern char hostname[];
22 extern uint32_t eth_tx;
23 extern time_t time_now;
24 extern configt *config;
25
26 static void initccp(tunnelidt t, sessionidt s);
27 static uint8_t *add_lcp_auth(uint8_t *b, int size, int authtype);
28
29 // Process PAP messages
30 void processpap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
31 {
32 char user[MAXUSER];
33 char pass[MAXPASS];
34 uint16_t hl;
35
36 CSTAT(processpap);
37
38 LOG_HEX(5, "PAP", p, l);
39 if (l < 4)
40 {
41 LOG(1, s, t, "Short PAP %u bytes\n", l);
42 STAT(tunnel_rx_errors);
43 sessionshutdown(s, "Short PAP packet.", 3, 0);
44 return;
45 }
46
47 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
48 {
49 LOG(1, s, t, "Length mismatch PAP %u/%u\n", hl, l);
50 STAT(tunnel_rx_errors);
51 sessionshutdown(s, "PAP length mismatch.", 3, 0);
52 return;
53 }
54 l = hl;
55
56 if (*p != 1)
57 {
58 LOG(1, s, t, "Unexpected PAP code %d\n", *p);
59 STAT(tunnel_rx_errors);
60 sessionshutdown(s, "Unexpected PAP code.", 3, 0);
61 return;
62 }
63
64 {
65 uint8_t *b = p;
66 b += 4;
67 user[0] = pass[0] = 0;
68 if (*b && *b < sizeof(user))
69 {
70 memcpy(user, b + 1, *b);
71 user[*b] = 0;
72 b += 1 + *b;
73 if (*b && *b < sizeof(pass))
74 {
75 memcpy(pass, b + 1, *b);
76 pass[*b] = 0;
77 }
78 }
79 LOG(3, s, t, "PAP login %s/%s\n", user, pass);
80 }
81 if (session[s].ip || !sess_local[s].radius)
82 {
83 // respond now, either no RADIUS available or already authenticated
84 uint8_t b[MAXCONTROL];
85 uint8_t id = p[1];
86 uint8_t *p = makeppp(b, sizeof(b), 0, 0, t, s, PPPPAP);
87 if (!p) return;
88
89 if (session[s].ip)
90 *p = 2; // ACK
91 else
92 *p = 3; // cant authorise
93 p[1] = id;
94 *(uint16_t *) (p + 2) = htons(5); // length
95 p[4] = 0; // no message
96 if (session[s].ip)
97 {
98 LOG(3, s, t, "Already an IP allocated: %s (%d)\n",
99 fmtaddr(htonl(session[s].ip), 0), session[s].ip_pool_index);
100
101 session[s].flags &= ~SF_IPCP_ACKED;
102 }
103 else
104 {
105 LOG(1, s, t, "No radius session available to authenticate session...\n");
106 }
107 LOG(3, s, t, "Fallback response to PAP (%s)\n", (session[s].ip) ? "ACK" : "NAK");
108 tunnelsend(b, 5 + (p - b), t); // send it
109 sessionshutdown(s, "PAP authentication failed.", 3, 0);
110 }
111 else
112 {
113 // set up RADIUS request
114 uint16_t r = sess_local[s].radius;
115
116 // Run PRE_AUTH plugins
117 struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
118 run_plugins(PLUGIN_PRE_AUTH, &packet);
119 if (!packet.continue_auth)
120 {
121 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
122 if (packet.username) free(packet.username);
123 if (packet.password) free(packet.password);
124 return;
125 }
126
127 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
128 strncpy(radius[r].pass, packet.password, sizeof(radius[r].pass) - 1);
129
130 free(packet.username);
131 free(packet.password);
132
133 radius[r].id = p[1];
134 LOG(3, s, t, "Sending login for %s/%s to radius\n", user, pass);
135 radiussend(r, RADIUSAUTH);
136 }
137 }
138
139 // Process CHAP messages
140 void processchap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
141 {
142 uint16_t r;
143 uint16_t hl;
144
145 CSTAT(processchap);
146
147 LOG_HEX(5, "CHAP", p, l);
148 r = sess_local[s].radius;
149 if (!r)
150 {
151 LOG(1, s, t, "Unexpected CHAP message\n");
152 STAT(tunnel_rx_errors);
153 return;
154 }
155
156 if (l < 4)
157 {
158 LOG(1, s, t, "Short CHAP %u bytes\n", l);
159 STAT(tunnel_rx_errors);
160 sessionshutdown(s, "Short CHAP packet.", 3, 0);
161 return;
162 }
163
164 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
165 {
166 LOG(1, s, t, "Length mismatch CHAP %u/%u\n", hl, l);
167 STAT(tunnel_rx_errors);
168 sessionshutdown(s, "CHAP length mismatch.", 3, 0);
169 return;
170 }
171 l = hl;
172
173 if (*p != 2)
174 {
175 LOG(1, s, t, "Unexpected CHAP response code %d\n", *p);
176 STAT(tunnel_rx_errors);
177 sessionshutdown(s, "CHAP length mismatch.", 3, 0);
178 return;
179 }
180 if (p[1] != radius[r].id)
181 {
182 LOG(1, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
183 STAT(tunnel_rx_errors);
184 sessionshutdown(s, "Unexpected CHAP response ID.", 3, 0);
185 return;
186 }
187
188 if (l < 5 || p[4] != 16)
189 {
190 LOG(1, s, t, "Bad CHAP response length %d\n", l < 5 ? -1 : p[4]);
191 STAT(tunnel_rx_errors);
192 sessionshutdown(s, "Bad CHAP response length.", 3, 0);
193 return;
194 }
195
196 l -= 5;
197 p += 5;
198 if (l < 16 || l - 16 >= sizeof(session[s].user))
199 {
200 LOG(1, s, t, "CHAP user too long %d\n", l - 16);
201 STAT(tunnel_rx_errors);
202 sessionshutdown(s, "CHAP username too long.", 3, 0);
203 return;
204 }
205
206 // Run PRE_AUTH plugins
207 {
208 struct param_pre_auth packet = { &tunnel[t], &session[s], NULL, NULL, PPPCHAP, 1 };
209
210 packet.password = calloc(17, 1);
211 memcpy(packet.password, p, 16);
212
213 p += 16;
214 l -= 16;
215
216 packet.username = calloc(l + 1, 1);
217 memcpy(packet.username, p, l);
218
219 run_plugins(PLUGIN_PRE_AUTH, &packet);
220 if (!packet.continue_auth)
221 {
222 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
223 if (packet.username) free(packet.username);
224 if (packet.password) free(packet.password);
225 return;
226 }
227
228 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
229 memcpy(radius[r].pass, packet.password, 16);
230
231 free(packet.username);
232 free(packet.password);
233 }
234
235 radius[r].chap = 1;
236 LOG(3, s, t, "CHAP login %s\n", session[s].user);
237 radiussend(r, RADIUSAUTH);
238 }
239
240 static void dumplcp(uint8_t *p, int l)
241 {
242 int x = l - 4;
243 uint8_t *o = (p + 4);
244
245 LOG_HEX(5, "PPP LCP Packet", p, l);
246 LOG(4, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_type((int)*p), ntohs( ((uint16_t *) p)[1]) );
247 LOG(4, 0, 0, "Length: %d\n", l);
248 if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
249 return;
250
251 while (x > 2)
252 {
253 int type = o[0];
254 int length = o[1];
255 if (length < 2)
256 {
257 LOG(4, 0, 0, " Option length is %d...\n", length);
258 break;
259 }
260 if (type == 0)
261 {
262 LOG(4, 0, 0, " Option type is 0...\n");
263 x -= length;
264 o += length;
265 continue;
266 }
267 switch (type)
268 {
269 case 1: // Maximum-Receive-Unit
270 if (length == 4)
271 LOG(4, 0, 0, " %s %d\n", lcp_type(type), ntohs(*(uint16_t *)(o + 2)));
272 else
273 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
274 break;
275 case 2: // Async-Control-Character-Map
276 if (length == 6)
277 {
278 uint32_t asyncmap = ntohl(*(uint32_t *)(o + 2));
279 LOG(4, 0, 0, " %s %x\n", lcp_type(type), asyncmap);
280 }
281 else
282 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
283 break;
284 case 3: // Authentication-Protocol
285 if (length == 4)
286 {
287 int proto = ntohs(*(uint16_t *)(o + 2));
288 LOG(4, 0, 0, " %s 0x%x (%s)\n", lcp_type(type), proto,
289 proto == PPPPAP ? "PAP" : "UNSUPPORTED");
290 }
291 else if (length == 5)
292 {
293 int proto = ntohs(*(uint16_t *)(o + 2));
294 int algo = *(uint8_t *)(o + 4);
295 LOG(4, 0, 0, " %s 0x%x 0x%x (%s)\n", lcp_type(type), proto, algo,
296 (proto == PPPCHAP && algo == 5) ? "CHAP MD5" : "UNSUPPORTED");
297 }
298 else
299 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
300 break;
301 case 4: // Quality-Protocol
302 {
303 uint32_t qp = ntohl(*(uint32_t *)(o + 2));
304 LOG(4, 0, 0, " %s %x\n", lcp_type(type), qp);
305 }
306 break;
307 case 5: // Magic-Number
308 if (length == 6)
309 {
310 uint32_t magicno = ntohl(*(uint32_t *)(o + 2));
311 LOG(4, 0, 0, " %s %x\n", lcp_type(type), magicno);
312 }
313 else
314 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
315 break;
316 case 7: // Protocol-Field-Compression
317 case 8: // Address-And-Control-Field-Compression
318 LOG(4, 0, 0, " %s\n", lcp_type(type));
319 break;
320 default:
321 LOG(2, 0, 0, " Unknown PPP LCP Option type %d\n", type);
322 break;
323 }
324 x -= length;
325 o += length;
326 }
327 }
328
329 // Process LCP messages
330 void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
331 {
332 uint8_t b[MAXCONTROL];
333 uint8_t *q = NULL;
334 uint32_t magicno = 0;
335 uint16_t hl;
336
337 CSTAT(processlcp);
338
339 LOG_HEX(5, "LCP", p, l);
340 if (l < 4)
341 {
342 LOG(1, s, t, "Short LCP %d bytes\n", l);
343 STAT(tunnel_rx_errors);
344 return ;
345 }
346
347 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
348 {
349 LOG(1, s, t, "Length mismatch LCP %u/%u\n", hl, l);
350 STAT(tunnel_rx_errors);
351 return ;
352 }
353 l = hl;
354
355 if (*p == ConfigAck)
356 {
357 int x = l - 4;
358 uint8_t *o = (p + 4);
359
360 LOG(3, s, t, "LCP: ConfigAck (%d bytes)...\n", l);
361 if (config->debug > 3) dumplcp(p, l);
362
363 while (x > 2)
364 {
365 int type = o[0];
366 int length = o[1];
367
368 if (length == 0 || type == 0 || x < length) break;
369 switch (type)
370 {
371 case 3: // Authentication-Protocol
372 {
373 int proto = ntohs(*(uint16_t *)(o + 2));
374 if (proto == PPPCHAP && *(o + 4) == 5)
375 sendchap(t, s);
376 }
377
378 break;
379 }
380 x -= length;
381 o += length;
382 }
383
384 session[s].flags |= SF_LCP_ACKED;
385 }
386 else if (*p == ConfigReq)
387 {
388 int x = l - 4;
389 uint8_t *o = (p + 4);
390 uint8_t *response = 0;
391
392 LOG(3, s, t, "LCP: ConfigReq (%d bytes)...\n", l);
393 if (config->debug > 3) dumplcp(p, l);
394
395 while (x > 2)
396 {
397 int type = o[0];
398 int length = o[1];
399
400 if (length == 0 || type == 0 || x < length) break;
401 switch (type)
402 {
403 case 1: // Maximum-Receive-Unit
404 session[s].mru = ntohs(*(uint16_t *)(o + 2));
405 break;
406
407 case 2: // Async-Control-Character-Map
408 if (!ntohl(*(uint32_t *)(o + 2))) // all bits zero is OK
409 break;
410
411 if (response && *response != ConfigNak) // rej already queued
412 break;
413
414 LOG(2, s, t, " Remote requesting asyncmap. Rejecting.\n");
415 if (!response)
416 {
417 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
418 if (!q) break;
419 *q = ConfigNak;
420 q += 4;
421 }
422
423 if ((q - b + 11) > sizeof(b))
424 {
425 LOG(2, s, t, "LCP overflow for asyncmap ConfigNak.\n");
426 break;
427 }
428
429 *q++ = type;
430 *q++ = 6;
431 memset(q, 0, 4); // asyncmap 0
432 q += 4;
433 break;
434
435 case 3: // Authentication-Protocol
436 {
437 int proto = ntohs(*(uint16_t *)(o + 2));
438 char proto_name[] = "0x0000";
439 uint8_t *a;
440
441 if (proto == PPPPAP)
442 {
443 if (config->radius_authtypes & AUTHPAP)
444 break;
445
446 strcpy(proto_name, "PAP");
447 }
448 else if (proto == PPPCHAP)
449 {
450 if (config->radius_authtypes & AUTHCHAP
451 && *(o + 4) == 5) // MD5
452 break;
453
454 strcpy(proto_name, "CHAP");
455 }
456 else
457 sprintf(proto_name, "%#4.4x", proto);
458
459 if (response && *response != ConfigNak) // rej already queued
460 break;
461
462 LOG(2, s, t, " Remote requesting %s authentication. Rejecting.\n", proto_name);
463
464 if (!response)
465 {
466 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
467 if (!q) break;
468 *q = ConfigNak;
469 q += 4;
470 }
471
472 a = add_lcp_auth(q, sizeof(b) - (q - b), config->radius_authprefer);
473 if (!a)
474 {
475 LOG(2, s, t, "LCP overflow for %s ConfigNak.\n", proto_name);
476 break;
477 }
478
479 q = a;
480
481 if (config->radius_authtypes != config->radius_authprefer)
482 {
483 a = add_lcp_auth(q, sizeof(b) - (q - b), config->radius_authtypes & ~config->radius_authprefer);
484 if (!a)
485 {
486 LOG(2, s, t, "LCP overflow for %s ConfigNak.\n", proto_name);
487 break;
488 }
489
490 q = a;
491 }
492
493 break;
494 }
495 break;
496
497 case 5: // Magic-Number
498 magicno = ntohl(*(uint32_t *)(o + 2));
499 break;
500
501 case 4: // Quality-Protocol
502 case 7: // Protocol-Field-Compression
503 case 8: // Address-And-Control-Field-Compression
504 break;
505
506 default: // Reject any unknown options
507 LOG(2, s, t, " Rejecting PPP LCP Option type %d\n", type);
508 if (!response || *response != ConfigRej) // drop nak in favour of rej
509 {
510 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
511 if (!q) break;
512 *q = ConfigRej;
513 q += 4;
514 }
515
516 if ((q - b + length) > sizeof(b))
517 {
518 LOG(2, s, t, "LCP overflow for ConfigRej (type=%d).\n", type);
519 break;
520 }
521
522 memcpy(q, o, length);
523 q += length;
524 }
525 x -= length;
526 o += length;
527 }
528
529 if (response)
530 {
531 l = q - response; // LCP packet length
532 *((uint16_t *) (response + 2)) = htons(l); // update header
533 }
534 else
535 {
536 // Send packet back as ConfigAck
537 response = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
538 if (!response) return;
539 *response = ConfigAck;
540 }
541
542 LOG(3, s, t, "Sending %s\n", ppp_lcp_type(*response));
543 tunnelsend(b, l + response - b, t);
544
545 if (!(session[s].flags & SF_LCP_ACKED))
546 sendlcp(t, s, config->radius_authprefer);
547 }
548 else if (*p == ConfigNak)
549 {
550 int x = l - 4;
551 uint8_t *o = (p + 4);
552 int authtype = -1;
553
554 LOG(3, s, t, "LCP: ConfigNak (%d bytes)...\n", l);
555 if (config->debug > 3) dumplcp(p, l);
556
557 while (x > 2)
558 {
559 int type = o[0];
560 int length = o[1];
561
562 if (length == 0 || type == 0 || x < length) break;
563 switch (type)
564 {
565 case 1: // Maximum-Receive-Unit
566 session[s].mru = ntohs(*(uint16_t *)(o + 2));
567 LOG(3, s, t, " Remote requested MRU of %u\n", session[s].mru);
568 break;
569
570 case 3: // Authentication-Protocol
571 if (authtype > 0)
572 break;
573
574 {
575 int proto = ntohs(*(uint16_t *)(o + 2));
576 if (proto == PPPPAP)
577 {
578 authtype = config->radius_authtypes & AUTHPAP;
579 LOG(3, s, t, " Remote requested PAP authentication...%sing\n",
580 authtype ? "accept" : "reject");
581 }
582 else if (proto == PPPCHAP && *(o + 4) == 5)
583 {
584 authtype = config->radius_authtypes & AUTHCHAP;
585 LOG(3, s, t, " Remote requested CHAP authentication...%sing\n",
586 authtype ? "accept" : "reject");
587 }
588 else
589 {
590 LOG(3, s, t, " Rejecting unsupported authentication %#4x\n",
591 proto);
592 }
593 }
594
595 break;
596
597 default:
598 LOG(2, s, t, " Remote NAKed LCP type %u?\n", type);
599 break;
600 }
601 x -= length;
602 o += length;
603 }
604
605 if (!authtype)
606 {
607 sessionshutdown(s, "Unsupported authentication.", 3, 0);
608 return;
609 }
610
611 if (authtype == -1)
612 authtype = config->radius_authprefer;
613
614 sendlcp(t, s, authtype);
615 }
616 else if (*p == TerminateReq)
617 {
618 LOG(3, s, t, "LCP: Received TerminateReq. Sending TerminateAck\n");
619 *p = TerminateAck; // close
620 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
621 if (!q) return;
622 tunnelsend(b, l + (q - b), t); // send it
623 sessionshutdown(s, "Remote end closed connection.", 3, 0);
624 }
625 else if (*p == TerminateAck)
626 {
627 sessionshutdown(s, "Connection closed.", 3, 0);
628 }
629 else if (*p == ProtocolRej)
630 {
631 if (*(uint16_t *) (p+4) == htons(PPPIPV6CP))
632 {
633 LOG(3, s, t, "IPv6 rejected\n");
634 session[s].flags |= SF_IPV6_NACKED;
635 }
636 else
637 {
638 LOG(1, s, t, "Unexpected LCP protocol reject 0x%X\n",
639 ntohs(*(uint16_t *) (p+4)));
640 STAT(tunnel_rx_errors);
641 }
642 }
643 else if (*p == EchoReq)
644 {
645 LOG(5, s, t, "LCP: Received EchoReq. Sending EchoReply\n");
646 *p = EchoReply; // reply
647 *(uint32_t *) (p + 4) = htonl(session[s].magic); // our magic number
648 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
649 if (!q) return;
650 tunnelsend(b, l + (q - b), t); // send it
651 }
652 else if (*p == EchoReply)
653 {
654 // Ignore it, last_packet time is set earlier than this.
655 }
656 else if (*p == IdentRequest)
657 {
658 *p = CodeRej;
659 if (l > MAXCONTROL)
660 {
661 LOG(1, s, t, "Truncated Ident Packet (length=%d) to 1400 bytes\n", l);
662 l = 1400;
663 }
664 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
665 if (!q) return;
666 LOG_HEX(5, "LCPIdentRej", q, l + 4);
667 tunnelsend(b, 12 + 4 + l, t);
668 }
669 else
670 {
671 LOG(1, s, t, "Unexpected LCP code %d\n", *p);
672 STAT(tunnel_rx_errors);
673 }
674 }
675
676 // find a PPP option, returns point to option, or 0 if not found
677 static uint8_t *findppp(uint8_t *b, uint8_t mtype)
678 {
679 uint16_t l = ntohs(*(uint16_t *) (b + 2));
680 if (l < 4)
681 return 0;
682 b += 4;
683 l -= 4;
684 while (l)
685 {
686 if (l < b[1] || !b[1])
687 return 0; // faulty
688 if (*b == mtype)
689 return b;
690 l -= b[1];
691 b += b[1];
692 }
693 return 0;
694 }
695
696 // Process IPCP messages
697 void processipcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
698 {
699 uint16_t hl;
700
701 CSTAT(processipcp);
702
703 LOG_HEX(5, "IPCP", p, l);
704 if (l < 5)
705 {
706 LOG(1, s, t, "Short IPCP %d bytes\n", l);
707 STAT(tunnel_rx_errors);
708 return ;
709 }
710
711 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
712 {
713 LOG(1, s, t, "Length mismatch IPCP %u/%u\n", hl, l);
714 STAT(tunnel_rx_errors);
715 return ;
716 }
717 l = hl;
718
719 if (*p == ConfigAck)
720 {
721 // happy with our IPCP
722 uint16_t r = sess_local[s].radius;
723 if ((!r || radius[r].state == RADIUSIPCP) && !session[s].walled_garden)
724 {
725 if (!r)
726 r = radiusnew(s);
727 if (r)
728 radiussend(r, RADIUSSTART); // send radius start, having got IPCP at last
729 }
730 session[s].flags |= SF_IPCP_ACKED;
731
732 LOG(3, s, t, "IPCP Acked, session is now active\n");
733
734 // clear LCP_ACKED/CCP_ACKED flag for possible fast renegotiaion for routers
735 session[s].flags &= ~(SF_LCP_ACKED|SF_CCP_ACKED);
736
737 return;
738 }
739 if (*p != ConfigReq)
740 {
741 LOG(1, s, t, "Unexpected IPCP code %d\n", *p);
742 STAT(tunnel_rx_errors);
743 return ;
744 }
745 LOG(4, s, t, "IPCP ConfigReq received\n");
746
747 if (!session[s].ip)
748 {
749 LOG(3, s, t, "Waiting on radius reply\n");
750 return; // have to wait on RADIUS reply
751 }
752 // form a config reply quoting the IP in the session
753 {
754 uint8_t b[MAXCONTROL];
755 uint8_t *i, *q;
756
757 q = p + 4;
758 i = p + l;
759 while (q < i && q[1])
760 {
761 if (*q != 0x81 && *q != 0x83 && *q != 3)
762 break;
763 q += q[1];
764 }
765 if (q < i)
766 {
767 // reject
768 uint16_t n = 4;
769 i = p + l;
770 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
771 return;
772
773 *q = ConfigRej;
774 p += 4;
775 while (p < i && p[1])
776 {
777 if (*p != 0x81 && *p != 0x83 && *p != 3)
778 {
779 LOG(2, s, t, "IPCP reject %d\n", *p);
780 memcpy(q + n, p, p[1]);
781 n += p[1];
782 }
783 p += p[1];
784 }
785 *(uint16_t *) (q + 2) = htons(n);
786 LOG(4, s, t, "Sending ConfigRej\n");
787 tunnelsend(b, n + (q - b), t); // send it
788 }
789 else
790 {
791 LOG(4, s, t, "Sending ConfigAck\n");
792 *p = ConfigAck;
793 if ((i = findppp(p, 0x81))) // Primary DNS address
794 {
795 if (*(uint32_t *) (i + 2) != htonl(session[s].dns1))
796 {
797 *(uint32_t *) (i + 2) = htonl(session[s].dns1);
798 *p = ConfigNak;
799 LOG(5, s, t, " DNS1 = %s\n",
800 fmtaddr(htonl(session[s].dns1), 0));
801 }
802 }
803 if ((i = findppp(p, 0x83))) // Secondary DNS address (TBA, is it)
804 {
805 if (*(uint32_t *) (i + 2) != htonl(session[s].dns2))
806 {
807 *(uint32_t *) (i + 2) = htonl(session[s].dns2);
808 *p = ConfigNak;
809 LOG(5, s, t, " DNS2 = %s\n",
810 fmtaddr(htonl(session[s].dns2), 0));
811 }
812 }
813 i = findppp(p, 3); // IP address
814 if (!i || i[1] != 6)
815 {
816 LOG(1, s, t, "No IP in IPCP request\n");
817 STAT(tunnel_rx_errors);
818 return ;
819 }
820 if (*(uint32_t *) (i + 2) != htonl(session[s].ip))
821 {
822 *(uint32_t *) (i + 2) = htonl(session[s].ip);
823 *p = ConfigNak;
824 LOG(4, s, t, " No, a ConfigNak, client is requesting IP - sending %s\n",
825 fmtaddr(htonl(session[s].ip), 0));
826 }
827 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
828 return;
829
830 tunnelsend(b, l + (q - b), t); // send it
831 }
832 }
833 }
834
835 // Process IPV6CP messages
836 void processipv6cp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
837 {
838
839 CSTAT(processipv6cp);
840
841 LOG_HEX(5, "IPV6CP", p, l);
842 if (l < 4)
843 {
844 LOG(1, s, t, "Short IPV6CP %d bytes\n", l);
845 STAT(tunnel_rx_errors);
846 return ;
847 }
848 if (*p == ConfigAck)
849 {
850 // happy with our IPV6CP
851 session[s].flags |= SF_IPV6CP_ACKED;
852
853 LOG(3, s, t, "IPV6CP Acked, IPv6 is now active\n");
854 // Add a routed block if configured.
855 if (session[s].ipv6prefixlen)
856 {
857 route6set(s, session[s].ipv6route, session[s].ipv6prefixlen, 1);
858 session[s].flags |= SF_IPV6_ROUTED;
859 }
860
861 // Send an initial RA (TODO: Should we send these regularly?)
862 send_ipv6_ra(t, s, NULL);
863 return;
864 }
865 if (*p != ConfigReq)
866 {
867 LOG(1, s, t, "Unexpected IPV6CP code %d\n", *p);
868 STAT(tunnel_rx_errors);
869 return;
870 }
871
872 LOG(4, s, t, "IPV6CP ConfigReq received\n");
873 if (ntohs(*(uint16_t *) (p + 2)) > l)
874 {
875 LOG(1, s, t, "Length mismatch IPV6CP %d/%d\n", ntohs(*(uint16_t *) (p + 2)), l);
876 STAT(tunnel_rx_errors);
877 return ;
878 }
879 if (!session[s].ip)
880 {
881 LOG(3, s, t, "Waiting on radius reply\n");
882 return; // have to wait on RADIUS reply
883 }
884 // form a config reply quoting the IP in the session
885 {
886 uint8_t b[MAXCONTROL];
887 uint8_t *i,
888 *q;
889
890 l = ntohs(*(uint16_t *) (p + 2)); // We must use length from IPV6CP len field
891 q = p + 4;
892 i = p + l;
893 while (q < i && q[1])
894 {
895 if (*q != 1)
896 break;
897 q += q[1];
898 }
899 if (q < i)
900 {
901 // reject
902 uint16_t n = 4;
903 i = p + l;
904 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPV6CP)))
905 {
906 LOG(2, s, t, "Failed to send IPV6CP ConfigRej\n");
907 return;
908 }
909 *q = ConfigRej;
910 p += 4;
911 while (p < i && p[1])
912 {
913 if (*p != 1)
914 {
915 LOG(2, s, t, "IPV6CP reject %d\n", *p);
916 memcpy(q + n, p, p[1]);
917 n += p[1];
918 }
919 p += p[1];
920 }
921 *(uint16_t *) (q + 2) = htons(n);
922 LOG(4, s, t, "Sending ConfigRej\n");
923 tunnelsend(b, n + (q - b), t); // send it
924 }
925 else
926 {
927 LOG(4, s, t, "Sending ConfigAck\n");
928 *p = ConfigAck;
929 i = findppp(p, 1); // IP address
930 if (!i || i[1] != 10)
931 {
932 LOG(1, s, t, "No IP in IPV6CP request\n");
933 STAT(tunnel_rx_errors);
934 return ;
935 }
936 if ((*(uint32_t *) (i + 2) != htonl(session[s].ip)) ||
937 (*(uint32_t *) (i + 6) != 0))
938 {
939 *(uint32_t *) (i + 2) = htonl(session[s].ip);
940 *(uint32_t *) (i + 6) = 0;
941 *p = ConfigNak;
942 LOG(4, s, t,
943 " No, a ConfigNak, client is "
944 "requesting IP - sending %s\n",
945 fmtaddr(htonl(session[s].ip), 0));
946 }
947 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPV6CP)))
948 {
949 LOG(2, s, t, " Failed to send IPV6CP packet.\n");
950 return;
951 }
952 tunnelsend(b, l + (q - b), t); // send it
953 }
954 }
955 }
956
957 // process IP packet received
958 //
959 // This MUST be called with at least 4 byte behind 'p'.
960 // (i.e. this routine writes to p[-4]).
961 void processipin(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
962 {
963 in_addr_t ip;
964
965 CSTAT(processipin);
966
967 LOG_HEX(5, "IP", p, l);
968
969 ip = ntohl(*(uint32_t *)(p + 12));
970
971 if (l > MAXETHER)
972 {
973 LOG(1, s, t, "IP packet too long %d\n", l);
974 STAT(tunnel_rx_errors);
975 return ;
976 }
977
978 // no spoof (do sessionbyip to handled statically routed subnets)
979 if (ip != session[s].ip && sessionbyip(htonl(ip)) != s)
980 {
981 LOG(5, s, t, "Dropping packet with spoofed IP %s\n", fmtaddr(htonl(ip), 0));
982 return;
983 }
984
985 // run access-list if any
986 if (session[s].filter_in && !ip_filter(p, l, session[s].filter_in - 1))
987 return;
988
989 // Add on the tun header
990 p -= 4;
991 *(uint32_t *) p = htonl(PKTIP);
992 l += 4;
993
994 // Are we throttled and a slave?
995 if (session[s].tbf_in && !config->cluster_iam_master) {
996 // Pass it to the master for handling.
997 master_throttle_packet(session[s].tbf_in, p, l);
998 return;
999 }
1000
1001 // Are we throttled and a master??
1002 if (session[s].tbf_in && config->cluster_iam_master) {
1003 // Actually handle the throttled packets.
1004 tbf_queue_packet(session[s].tbf_in, p, l);
1005 return;
1006 }
1007
1008 // send to ethernet
1009 if (tun_write(p, l) < 0)
1010 {
1011 STAT(tun_tx_errors);
1012 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
1013 l, strerror(errno), tunfd, p);
1014
1015 return;
1016 }
1017
1018 if (session[s].snoop_ip && session[s].snoop_port)
1019 {
1020 // Snooping this session
1021 snoop_send_packet(p + 4, l - 4, session[s].snoop_ip, session[s].snoop_port);
1022 }
1023
1024 session[s].cin += l - 4;
1025 session[s].total_cin += l - 4;
1026 sess_local[s].cin += l - 4;
1027
1028 session[s].pin++;
1029 eth_tx += l - 4;
1030
1031 STAT(tun_tx_packets);
1032 INC_STAT(tun_tx_bytes, l - 4);
1033 }
1034
1035 // process IPv6 packet received
1036 //
1037 // This MUST be called with at least 4 byte behind 'p'.
1038 // (i.e. this routine writes to p[-4]).
1039 void processipv6in(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
1040 {
1041 struct in6_addr ip;
1042 in_addr_t ipv4;
1043
1044 CSTAT(processipv6in);
1045
1046 LOG_HEX(5, "IPv6", p, l);
1047
1048 ip = *(struct in6_addr *) (p + 8);
1049 ipv4 = ntohl(*(uint32_t *)(p + 16));
1050
1051 if (l > MAXETHER)
1052 {
1053 LOG(1, s, t, "IP packet too long %d\n", l);
1054 STAT(tunnel_rx_errors);
1055 return ;
1056 }
1057
1058 // no spoof
1059 if (ipv4 != session[s].ip && memcmp(&config->ipv6_prefix, &ip, 8) && sessionbyipv6(ip) != s)
1060 {
1061 char str[INET6_ADDRSTRLEN];
1062 LOG(5, s, t, "Dropping packet with spoofed IP %s\n",
1063 inet_ntop(AF_INET6, &ip, str, INET6_ADDRSTRLEN));
1064 return;
1065 }
1066
1067 // Check if it's a Router Solicition message.
1068 if (*(p + 6) == 58 && *(p + 7) == 255 && *(p + 24) == 0xFF && *(p + 25) == 2 &&
1069 *(uint32_t *)(p + 26) == 0 && *(uint32_t *)(p + 30) == 0 &&
1070 *(uint32_t *)(p + 34) == 0 &&
1071 *(p + 38) == 0 && *(p + 39) == 2 && *(p + 40) == 133) {
1072 LOG(3, s, t, "Got IPv6 RS\n");
1073 send_ipv6_ra(t, s, &ip);
1074 return;
1075 }
1076
1077 // Add on the tun header
1078 p -= 4;
1079 *(uint32_t *) p = htonl(PKTIPV6);
1080 l += 4;
1081
1082 // Are we throttled and a slave?
1083 if (session[s].tbf_in && !config->cluster_iam_master) {
1084 // Pass it to the master for handling.
1085 master_throttle_packet(session[s].tbf_in, p, l);
1086 return;
1087 }
1088
1089 // Are we throttled and a master??
1090 if (session[s].tbf_in && config->cluster_iam_master) {
1091 // Actually handle the throttled packets.
1092 tbf_queue_packet(session[s].tbf_in, p, l);
1093 return;
1094 }
1095
1096 // send to ethernet
1097 if (tun_write(p, l) < 0)
1098 {
1099 STAT(tun_tx_errors);
1100 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
1101 l, strerror(errno), tunfd, p);
1102
1103 return;
1104 }
1105
1106 if (session[s].snoop_ip && session[s].snoop_port)
1107 {
1108 // Snooping this session
1109 snoop_send_packet(p + 4, l - 4, session[s].snoop_ip, session[s].snoop_port);
1110 }
1111
1112 session[s].cin += l - 4;
1113 session[s].total_cin += l - 4;
1114 sess_local[s].cin += l - 4;
1115
1116 session[s].pin++;
1117 eth_tx += l - 4;
1118
1119 STAT(tun_tx_packets);
1120 INC_STAT(tun_tx_bytes, l - 4);
1121 }
1122
1123 //
1124 // Helper routine for the TBF filters.
1125 // Used to send queued data in from the user.
1126 //
1127 void send_ipin(sessionidt s, uint8_t *buf, int len)
1128 {
1129 LOG_HEX(5, "IP in throttled", buf, len);
1130
1131 if (write(tunfd, buf, len) < 0)
1132 {
1133 STAT(tun_tx_errors);
1134 LOG(0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
1135 len, strerror(errno), tunfd, buf);
1136
1137 return;
1138 }
1139
1140 if (session[s].snoop_ip && session[s].snoop_port)
1141 {
1142 // Snooping this session
1143 snoop_send_packet(buf + 4, len - 4, session[s].snoop_ip, session[s].snoop_port);
1144 }
1145
1146 // Increment packet counters
1147 session[s].cin += len - 4;
1148 session[s].total_cin += len - 4;
1149 sess_local[s].cin += len - 4;
1150
1151 session[s].pin++;
1152 eth_tx += len - 4;
1153
1154 STAT(tun_tx_packets);
1155 INC_STAT(tun_tx_bytes, len - 4);
1156 }
1157
1158
1159 // Process CCP messages
1160 void processccp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
1161 {
1162 uint8_t b[MAXCONTROL];
1163 uint8_t *q;
1164
1165 CSTAT(processccp);
1166
1167 LOG_HEX(5, "CCP", p, l);
1168 switch (l > 1 ? *p : 0)
1169 {
1170 case ConfigAck:
1171 session[s].flags |= SF_CCP_ACKED;
1172 return;
1173
1174 case ConfigReq:
1175 if (l < 6) // accept no compression
1176 {
1177 *p = ConfigAck;
1178 break;
1179 }
1180
1181 // compression requested--reject
1182 *p = ConfigRej;
1183
1184 // send CCP request for no compression for our end if not negotiated
1185 if (!(session[s].flags & SF_CCP_ACKED))
1186 initccp(t, s);
1187
1188 break;
1189
1190 case TerminateReq:
1191 *p = TerminateAck;
1192 break;
1193
1194 default:
1195 if (l > 1)
1196 LOG(1, s, t, "Unexpected CCP request code %d\n", *p);
1197 else
1198 LOG(1, s, t, "Short CCP packet\n");
1199
1200 STAT(tunnel_rx_errors);
1201 return;
1202 }
1203
1204 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPCCP)))
1205 return;
1206
1207 tunnelsend(b, l + (q - b), t); // send it
1208 }
1209
1210 // send a CHAP challenge
1211 void sendchap(tunnelidt t, sessionidt s)
1212 {
1213 uint8_t b[MAXCONTROL];
1214 uint16_t r = sess_local[s].radius;
1215 uint8_t *q;
1216
1217 CSTAT(sendchap);
1218
1219 if (!r)
1220 {
1221 LOG(1, s, t, "No RADIUS to send challenge\n");
1222 STAT(tunnel_tx_errors);
1223 return;
1224 }
1225
1226 LOG(1, s, t, "Send CHAP challenge\n");
1227
1228 radius[r].chap = 1; // CHAP not PAP
1229 radius[r].id++;
1230 if (radius[r].state != RADIUSCHAP)
1231 radius[r].try = 0;
1232
1233 radius[r].state = RADIUSCHAP;
1234 radius[r].retry = backoff(radius[r].try++);
1235 if (radius[r].try > 5)
1236 {
1237 sessionshutdown(s, "CHAP timeout.", 3, 0);
1238 STAT(tunnel_tx_errors);
1239 return ;
1240 }
1241 q = makeppp(b, sizeof(b), 0, 0, t, s, PPPCHAP);
1242 if (!q) return;
1243
1244 *q = 1; // challenge
1245 q[1] = radius[r].id; // ID
1246 q[4] = 16; // value size (size of challenge)
1247 memcpy(q + 5, radius[r].auth, 16); // challenge
1248 strcpy(q + 21, hostname); // our name
1249 *(uint16_t *) (q + 2) = htons(strlen(hostname) + 21); // length
1250 tunnelsend(b, strlen(hostname) + 21 + (q - b), t); // send it
1251 }
1252
1253 // fill in a L2TP message with a PPP frame,
1254 // copies existing PPP message and changes magic number if seen
1255 // returns start of PPP frame
1256 uint8_t *makeppp(uint8_t *b, int size, uint8_t *p, int l, tunnelidt t, sessionidt s, uint16_t mtype)
1257 {
1258 if (size < 12) // Need more space than this!!
1259 {
1260 static int backtrace_count = 0;
1261 LOG(0, s, t, "makeppp buffer too small for L2TP header (size=%d)\n", size);
1262 log_backtrace(backtrace_count, 5)
1263 return NULL;
1264 }
1265
1266 *(uint16_t *) (b + 0) = htons(0x0002); // L2TP with no options
1267 *(uint16_t *) (b + 2) = htons(tunnel[t].far); // tunnel
1268 *(uint16_t *) (b + 4) = htons(session[s].far); // session
1269 b += 6;
1270 if (mtype == PPPLCP || !(session[s].l2tp_flags & SESSIONACFC))
1271 {
1272 *(uint16_t *) b = htons(0xFF03); // HDLC header
1273 b += 2;
1274 }
1275 if (mtype < 0x100 && session[s].l2tp_flags & SESSIONPFC)
1276 *b++ = mtype;
1277 else
1278 {
1279 *(uint16_t *) b = htons(mtype);
1280 b += 2;
1281 }
1282
1283 if (l + 12 > size)
1284 {
1285 static int backtrace_count = 0;
1286 LOG(2, s, t, "makeppp would overflow buffer (size=%d, header+payload=%d)\n", size, l + 12);
1287 log_backtrace(backtrace_count, 5)
1288 return NULL;
1289 }
1290
1291 if (p && l)
1292 memcpy(b, p, l);
1293
1294 return b;
1295 }
1296
1297 static uint8_t *add_lcp_auth(uint8_t *b, int size, int authtype)
1298 {
1299 if ((authtype == AUTHCHAP && size < 5) || size < 4)
1300 return 0;
1301
1302 *b++ = 3; // Authentication-Protocol
1303 if (authtype == AUTHCHAP)
1304 {
1305 *b++ = 5; // length
1306 *(uint16_t *) b = htons(PPPCHAP); b += 2;
1307 *b++ = 5; // MD5
1308 }
1309 else if (authtype == AUTHPAP)
1310 {
1311 *b++ = 4; // length
1312 *(uint16_t *) b = htons(PPPPAP); b += 2;
1313 }
1314 else
1315 {
1316 LOG(0, 0, 0, "add_lcp_auth called with unsupported auth type %d\n", authtype);
1317 }
1318
1319 return b;
1320 }
1321
1322 // Send initial LCP ConfigReq for MRU, authentication type and magic no
1323 void sendlcp(tunnelidt t, sessionidt s, int authtype)
1324 {
1325 char b[500], *q, *l;
1326
1327 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP)))
1328 return;
1329
1330 LOG(4, s, t, "Sending LCP ConfigReq for %s\n",
1331 authtype == AUTHCHAP ? "CHAP" : "PAP");
1332
1333 if (!session[s].mru)
1334 session[s].mru = DEFAULT_MRU;
1335
1336 l = q;
1337 *l++ = ConfigReq;
1338 *l++ = (time_now % 255) + 1; // ID
1339
1340 l += 2; //Save space for length
1341
1342 *l++ = 1; *l++ = 4; // Maximum-Receive-Unit (length 4)
1343 *(uint16_t *) l = htons(session[s].mru); l += 2;
1344
1345 l = add_lcp_auth(l, sizeof(b) - (l - b), authtype);
1346
1347 *l++ = 5; *l++ = 6; // Magic-Number (length 6)
1348 *(uint32_t *) l = htonl(session[s].magic);
1349 l += 4;
1350
1351 *(uint16_t *)(q + 2) = htons(l - q); // Length
1352
1353 LOG_HEX(5, "PPPLCP", q, l - q);
1354 tunnelsend(b, (l - b), t);
1355 }
1356
1357 // Send CCP request for no compression
1358 static void initccp(tunnelidt t, sessionidt s)
1359 {
1360 char b[500], *q;
1361
1362 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPCCP)))
1363 return;
1364
1365 LOG(4, s, t, "Sending CCP ConfigReq for no compression\n");
1366 *q = ConfigReq;
1367 *(uint8_t *)(q + 1) = (time_now % 255) + 1; // ID
1368 *(uint16_t *)(q + 2) = htons(4); // Length
1369
1370 LOG_HEX(5, "PPPCCP", q, 4);
1371 tunnelsend(b, (q - b) + 4 , t);
1372 }