5ccb72ada9d0aa8c6a5e3e46b60535c90dbd2ce7
[l2tpns.git] / ppp.c
1 // L2TPNS PPP Stuff
2
3 char const *cvs_id_ppp = "$Id: ppp.c,v 1.52 2005/05/07 13:12:26 bodea Exp $";
4
5 #include <stdio.h>
6 #include <string.h>
7 #include <unistd.h>
8 #include <errno.h>
9 #include <stdlib.h>
10 #include "l2tpns.h"
11 #include "constants.h"
12 #include "plugin.h"
13 #include "util.h"
14 #include "tbf.h"
15 #include "cluster.h"
16
17 extern tunnelt *tunnel;
18 extern sessiont *session;
19 extern radiust *radius;
20 extern int tunfd;
21 extern char hostname[];
22 extern uint32_t eth_tx;
23 extern time_t time_now;
24 extern configt *config;
25
26 static void initccp(tunnelidt t, sessionidt s);
27 static uint8_t *add_lcp_auth(uint8_t *b, int size, int authtype);
28
29 // Process PAP messages
30 void processpap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
31 {
32 char user[MAXUSER];
33 char pass[MAXPASS];
34 uint16_t hl;
35
36 CSTAT(processpap);
37
38 LOG_HEX(5, "PAP", p, l);
39 if (l < 4)
40 {
41 LOG(1, s, t, "Short PAP %u bytes\n", l);
42 STAT(tunnel_rx_errors);
43 sessionshutdown(s, "Short PAP packet.", 3, 0);
44 return ;
45 }
46
47 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
48 {
49 LOG(1, s, t, "Length mismatch PAP %u/%u\n", hl, l);
50 STAT(tunnel_rx_errors);
51 sessionshutdown(s, "PAP length mismatch.", 3, 0);
52 return ;
53 }
54 l = hl;
55
56 if (*p != 1)
57 {
58 LOG(1, s, t, "Unexpected PAP code %d\n", *p);
59 STAT(tunnel_rx_errors);
60 sessionshutdown(s, "Unexpected PAP code.", 3, 0);
61 return ;
62 }
63
64 {
65 uint8_t *b = p;
66 b += 4;
67 user[0] = pass[0] = 0;
68 if (*b && *b < sizeof(user))
69 {
70 memcpy(user, b + 1, *b);
71 user[*b] = 0;
72 b += 1 + *b;
73 if (*b && *b < sizeof(pass))
74 {
75 memcpy(pass, b + 1, *b);
76 pass[*b] = 0;
77 }
78 }
79 LOG(3, s, t, "PAP login %s/%s\n", user, pass);
80 }
81 if (session[s].ip || !sess_local[s].radius)
82 {
83 // respond now, either no RADIUS available or already authenticated
84 uint8_t b[MAXCONTROL];
85 uint8_t id = p[1];
86 uint8_t *p = makeppp(b, sizeof(b), 0, 0, t, s, PPPPAP);
87 if (!p) return;
88
89 if (session[s].ip)
90 *p = 2; // ACK
91 else
92 *p = 3; // cant authorise
93 p[1] = id;
94 *(uint16_t *) (p + 2) = htons(5); // length
95 p[4] = 0; // no message
96 if (session[s].ip)
97 {
98 LOG(3, s, t, "Already an IP allocated: %s (%d)\n",
99 fmtaddr(htonl(session[s].ip), 0), session[s].ip_pool_index);
100
101 session[s].flags &= ~SF_IPCP_ACKED;
102 }
103 else
104 {
105 LOG(1, s, t, "No radius session available to authenticate session...\n");
106 }
107 LOG(3, s, t, "Fallback response to PAP (%s)\n", (session[s].ip) ? "ACK" : "NAK");
108 tunnelsend(b, 5 + (p - b), t); // send it
109 sessionshutdown(s, "PAP authentication failed.", 3, 0);
110 }
111 else
112 {
113 // set up RADIUS request
114 uint16_t r = sess_local[s].radius;
115
116 // Run PRE_AUTH plugins
117 struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
118 run_plugins(PLUGIN_PRE_AUTH, &packet);
119 if (!packet.continue_auth)
120 {
121 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
122 if (packet.username) free(packet.username);
123 if (packet.password) free(packet.password);
124 return;
125 }
126
127 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
128 strncpy(radius[r].pass, packet.password, sizeof(radius[r].pass) - 1);
129
130 free(packet.username);
131 free(packet.password);
132
133 radius[r].id = p[1];
134 LOG(3, s, t, "Sending login for %s/%s to radius\n", user, pass);
135 radiussend(r, RADIUSAUTH);
136 }
137 }
138
139 // Process CHAP messages
140 void processchap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
141 {
142 uint16_t r;
143 uint16_t hl;
144
145 CSTAT(processchap);
146
147 LOG_HEX(5, "CHAP", p, l);
148 r = sess_local[s].radius;
149 if (!r)
150 {
151 LOG(1, s, t, "Unexpected CHAP message\n");
152 STAT(tunnel_rx_errors);
153 return;
154 }
155
156 if (l < 4)
157 {
158 LOG(1, s, t, "Short CHAP %u bytes\n", l);
159 STAT(tunnel_rx_errors);
160 return ;
161 }
162
163 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
164 {
165 LOG(1, s, t, "Length mismatch CHAP %u/%u\n", hl, l);
166 STAT(tunnel_rx_errors);
167 return ;
168 }
169 l = hl;
170
171 if (*p != 2)
172 {
173 LOG(1, s, t, "Unexpected CHAP response code %d\n", *p);
174 STAT(tunnel_rx_errors);
175 return;
176 }
177 if (p[1] != radius[r].id)
178 {
179 LOG(1, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
180 STAT(tunnel_rx_errors);
181 return ;
182 }
183
184 if (l < 5 || p[4] != 16)
185 {
186 LOG(1, s, t, "Bad CHAP response length %d\n", l < 5 ? -1 : p[4]);
187 STAT(tunnel_rx_errors);
188 return ;
189 }
190
191 l -= 5;
192 p += 5;
193 if (l < 16 || l - 16 >= sizeof(session[s].user))
194 {
195 LOG(1, s, t, "CHAP user too long %d\n", l - 16);
196 STAT(tunnel_rx_errors);
197 return ;
198 }
199
200 // Run PRE_AUTH plugins
201 {
202 struct param_pre_auth packet = { &tunnel[t], &session[s], NULL, NULL, PPPCHAP, 1 };
203
204 packet.password = calloc(17, 1);
205 memcpy(packet.password, p, 16);
206
207 p += 16;
208 l -= 16;
209
210 packet.username = calloc(l + 1, 1);
211 memcpy(packet.username, p, l);
212
213 run_plugins(PLUGIN_PRE_AUTH, &packet);
214 if (!packet.continue_auth)
215 {
216 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
217 if (packet.username) free(packet.username);
218 if (packet.password) free(packet.password);
219 return;
220 }
221
222 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
223 memcpy(radius[r].pass, packet.password, 16);
224
225 free(packet.username);
226 free(packet.password);
227 }
228
229 radius[r].chap = 1;
230 LOG(3, s, t, "CHAP login %s\n", session[s].user);
231 radiussend(r, RADIUSAUTH);
232 }
233
234 static void dumplcp(uint8_t *p, int l)
235 {
236 int x = l - 4;
237 uint8_t *o = (p + 4);
238
239 LOG_HEX(5, "PPP LCP Packet", p, l);
240 LOG(4, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_type((int)*p), ntohs( ((uint16_t *) p)[1]) );
241 LOG(4, 0, 0, "Length: %d\n", l);
242 if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
243 return;
244
245 while (x > 2)
246 {
247 int type = o[0];
248 int length = o[1];
249 if (length < 2)
250 {
251 LOG(4, 0, 0, " Option length is %d...\n", length);
252 break;
253 }
254 if (type == 0)
255 {
256 LOG(4, 0, 0, " Option type is 0...\n");
257 x -= length;
258 o += length;
259 continue;
260 }
261 switch (type)
262 {
263 case 1: // Maximum-Receive-Unit
264 if (length == 4)
265 LOG(4, 0, 0, " %s %d\n", lcp_type(type), ntohs(*(uint16_t *)(o + 2)));
266 else
267 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
268 break;
269 case 2: // Async-Control-Character-Map
270 if (length == 6)
271 {
272 uint32_t asyncmap = ntohl(*(uint32_t *)(o + 2));
273 LOG(4, 0, 0, " %s %x\n", lcp_type(type), asyncmap);
274 }
275 else
276 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
277 break;
278 case 3: // Authentication-Protocol
279 if (length == 4)
280 {
281 int proto = ntohs(*(uint16_t *)(o + 2));
282 LOG(4, 0, 0, " %s 0x%x (%s)\n", lcp_type(type), proto,
283 proto == PPPPAP ? "PAP" : "UNSUPPORTED");
284 }
285 else if (length == 5)
286 {
287 int proto = ntohs(*(uint16_t *)(o + 2));
288 int algo = *(uint8_t *)(o + 4);
289 LOG(4, 0, 0, " %s 0x%x 0x%x (%s)\n", lcp_type(type), proto, algo,
290 (proto == PPPCHAP && algo == 5) ? "CHAP MD5" : "UNSUPPORTED");
291 }
292 else
293 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
294 break;
295 case 4: // Quality-Protocol
296 {
297 uint32_t qp = ntohl(*(uint32_t *)(o + 2));
298 LOG(4, 0, 0, " %s %x\n", lcp_type(type), qp);
299 }
300 break;
301 case 5: // Magic-Number
302 if (length == 6)
303 {
304 uint32_t magicno = ntohl(*(uint32_t *)(o + 2));
305 LOG(4, 0, 0, " %s %x\n", lcp_type(type), magicno);
306 }
307 else
308 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
309 break;
310 case 7: // Protocol-Field-Compression
311 case 8: // Address-And-Control-Field-Compression
312 LOG(4, 0, 0, " %s\n", lcp_type(type));
313 break;
314 default:
315 LOG(2, 0, 0, " Unknown PPP LCP Option type %d\n", type);
316 break;
317 }
318 x -= length;
319 o += length;
320 }
321 }
322
323 // Process LCP messages
324 void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
325 {
326 uint8_t b[MAXCONTROL];
327 uint8_t *q = NULL;
328 uint32_t magicno = 0;
329 uint16_t hl;
330
331 CSTAT(processlcp);
332
333 LOG_HEX(5, "LCP", p, l);
334 if (l < 4)
335 {
336 LOG(1, s, t, "Short LCP %d bytes\n", l);
337 STAT(tunnel_rx_errors);
338 return ;
339 }
340
341 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
342 {
343 LOG(1, s, t, "Length mismatch LCP %u/%u\n", hl, l);
344 STAT(tunnel_rx_errors);
345 return ;
346 }
347 l = hl;
348
349 if (*p == ConfigAck)
350 {
351 LOG(3, s, t, "LCP: Discarding ConfigAck\n");
352 session[s].flags |= SF_LCP_ACKED;
353 }
354 else if (*p == ConfigReq)
355 {
356 int x = l - 4;
357 uint8_t *o = (p + 4);
358 uint8_t *response = 0;
359
360 LOG(3, s, t, "LCP: ConfigReq (%d bytes)...\n", l);
361 if (config->debug > 3) dumplcp(p, l);
362
363 while (x > 2)
364 {
365 int type = o[0];
366 int length = o[1];
367
368 if (length == 0 || type == 0 || x < length) break;
369 switch (type)
370 {
371 case 1: // Maximum-Receive-Unit
372 session[s].mru = ntohs(*(uint16_t *)(o + 2));
373 break;
374
375 case 2: // Async-Control-Character-Map
376 if (!ntohl(*(uint32_t *)(o + 2))) // all bits zero is OK
377 break;
378
379 if (response && *response != ConfigNak) // rej already queued
380 break;
381
382 LOG(2, s, t, " Remote requesting asyncmap. Rejecting.\n");
383 if (!response)
384 {
385 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
386 if (!q) break;
387 *q = ConfigNak;
388 q += 4;
389 }
390
391 if ((q - b + 11) > sizeof(b))
392 {
393 LOG(2, s, t, "LCP overflow for asyncmap ConfigNak.\n");
394 break;
395 }
396
397 *q++ = type;
398 *q++ = 6;
399 memset(q, 0, 4); // asyncmap 0
400 q += 4;
401 *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length
402 break;
403
404 case 3: // Authentication-Protocol
405 {
406 int proto = ntohs(*(uint16_t *)(o + 2));
407 char proto_name[] = "0x0000";
408 uint8_t *a;
409
410 if (proto == PPPPAP)
411 {
412 if (config->radius_authtypes & AUTHPAP)
413 break;
414
415 strcpy(proto_name, "PAP");
416 }
417 else if (proto == PPPCHAP)
418 {
419 if (config->radius_authtypes & AUTHCHAP
420 && *(o + 4) == 5) // MD5
421 break;
422
423 strcpy(proto_name, "CHAP");
424 }
425 else
426 sprintf(proto_name, "%#4.4x", proto);
427
428 if (response && *response != ConfigNak) // rej already queued
429 break;
430
431 LOG(2, s, t, " Remote requesting %s authentication. Rejecting.\n", proto_name);
432
433 if (!response)
434 {
435 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
436 if (!q) break;
437 *q = ConfigNak;
438 q += 4;
439 }
440
441 a = add_lcp_auth(q, sizeof(b) - (q - b), config->radius_authprefer);
442 if (!a)
443 {
444 LOG(2, s, t, "LCP overflow for %s ConfigNak.\n", proto_name);
445 break;
446 }
447
448 q = a;
449
450 if (config->radius_authtypes != config->radius_authprefer)
451 {
452 a = add_lcp_auth(q, sizeof(b) - (q - b), config->radius_authtypes & ~config->radius_authprefer);
453 if (!a)
454 {
455 LOG(2, s, t, "LCP overflow for %s ConfigNak.\n", proto_name);
456 break;
457 }
458
459 q = a;
460 }
461
462 *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length
463 break;
464 }
465 break;
466
467 case 5: // Magic-Number
468 magicno = ntohl(*(uint32_t *)(o + 2));
469 break;
470
471 case 4: // Quality-Protocol
472 case 7: // Protocol-Field-Compression
473 case 8: // Address-And-Control-Field-Compression
474 break;
475
476 default: // Reject any unknown options
477 LOG(2, s, t, " Rejecting PPP LCP Option type %d\n", type);
478 if (!response || *response != ConfigRej) // drop nak in favour of rej
479 {
480 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
481 if (!q) break;
482 *q = ConfigRej;
483 q += 4;
484 }
485
486 if ((q - b + length) > sizeof(b))
487 {
488 LOG(2, s, t, "LCP overflow for ConfigRej (type=%d).\n", type);
489 break;
490 }
491
492 memcpy(q, o, length);
493 q += length;
494 *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length
495 }
496 x -= length;
497 o += length;
498 }
499
500 if (!response)
501 {
502 // Send back a ConfigAck
503 q = response = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
504 if (!q) return;
505 *q = ConfigAck;
506 }
507
508 LOG(3, s, t, "Sending %s\n", ppp_lcp_type(*response));
509 tunnelsend(b, l + (q - b), t);
510
511 if (!(session[s].flags & SF_LCP_ACKED))
512 sendlcp(t, s, config->radius_authprefer);
513 }
514 else if (*p == ConfigNak)
515 {
516 LOG(1, s, t, "Remote end sent a ConfigNak. Ignoring\n");
517 if (config->debug > 3) dumplcp(p, l);
518 // FIXME: handle MRU, authentication type
519 return;
520 }
521 else if (*p == TerminateReq)
522 {
523 LOG(3, s, t, "LCP: Received TerminateReq. Sending TerminateAck\n");
524 *p = TerminateAck; // close
525 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
526 if (!q) return;
527 tunnelsend(b, l + (q - b), t); // send it
528 sessionshutdown(s, "Remote end closed connection.", 3, 0);
529 }
530 else if (*p == TerminateAck)
531 {
532 sessionshutdown(s, "Connection closed.", 3, 0);
533 }
534 else if (*p == ProtocolRej)
535 {
536 if (*(uint16_t *) (p+4) == htons(PPPIPV6CP))
537 {
538 LOG(3, s, t, "IPv6 rejected\n");
539 session[s].flags |= SF_IPV6_NACKED;
540 }
541 else
542 {
543 LOG(1, s, t, "Unexpected LCP protocol reject 0x%X\n",
544 ntohs(*(uint16_t *) (p+4)));
545 STAT(tunnel_rx_errors);
546 }
547 }
548 else if (*p == EchoReq)
549 {
550 LOG(5, s, t, "LCP: Received EchoReq. Sending EchoReply\n");
551 *p = EchoReply; // reply
552 *(uint32_t *) (p + 4) = htonl(session[s].magic); // our magic number
553 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
554 if (!q) return;
555 tunnelsend(b, l + (q - b), t); // send it
556 }
557 else if (*p == EchoReply)
558 {
559 // Ignore it, last_packet time is set earlier than this.
560 }
561 else if (*p == IdentRequest)
562 {
563 *p = CodeRej;
564 if (l > MAXCONTROL)
565 {
566 LOG(1, s, t, "Truncated Ident Packet (length=%d) to 1400 bytes\n", l);
567 l = 1400;
568 }
569 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
570 if (!q) return;
571 LOG_HEX(5, "LCPIdentRej", q, l + 4);
572 tunnelsend(b, 12 + 4 + l, t);
573 }
574 else
575 {
576 LOG(1, s, t, "Unexpected LCP code %d\n", *p);
577 STAT(tunnel_rx_errors);
578 return ;
579 }
580 }
581
582 // find a PPP option, returns point to option, or 0 if not found
583 static uint8_t *findppp(uint8_t *b, uint8_t mtype)
584 {
585 uint16_t l = ntohs(*(uint16_t *) (b + 2));
586 if (l < 4)
587 return 0;
588 b += 4;
589 l -= 4;
590 while (l)
591 {
592 if (l < b[1] || !b[1])
593 return 0; // faulty
594 if (*b == mtype)
595 return b;
596 l -= b[1];
597 b += b[1];
598 }
599 return 0;
600 }
601
602 // Process IPCP messages
603 void processipcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
604 {
605 uint16_t hl;
606
607 CSTAT(processipcp);
608
609 LOG_HEX(5, "IPCP", p, l);
610 if (l < 5)
611 {
612 LOG(1, s, t, "Short IPCP %d bytes\n", l);
613 STAT(tunnel_rx_errors);
614 return ;
615 }
616
617 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
618 {
619 LOG(1, s, t, "Length mismatch IPCP %u/%u\n", hl, l);
620 STAT(tunnel_rx_errors);
621 return ;
622 }
623 l = hl;
624
625 if (*p == ConfigAck)
626 {
627 // happy with our IPCP
628 uint16_t r = sess_local[s].radius;
629 if ((!r || radius[r].state == RADIUSIPCP) && !session[s].walled_garden)
630 {
631 if (!r)
632 r = radiusnew(s);
633 if (r)
634 radiussend(r, RADIUSSTART); // send radius start, having got IPCP at last
635 }
636 session[s].flags |= SF_IPCP_ACKED;
637
638 LOG(3, s, t, "IPCP Acked, session is now active\n");
639
640 // clear LCP_ACKED/CCP_ACKED flag for possible fast renegotiaion for routers
641 session[s].flags &= ~(SF_LCP_ACKED|SF_CCP_ACKED);
642
643 return;
644 }
645 if (*p != ConfigReq)
646 {
647 LOG(1, s, t, "Unexpected IPCP code %d\n", *p);
648 STAT(tunnel_rx_errors);
649 return ;
650 }
651 LOG(4, s, t, "IPCP ConfigReq received\n");
652
653 if (!session[s].ip)
654 {
655 LOG(3, s, t, "Waiting on radius reply\n");
656 return; // have to wait on RADIUS reply
657 }
658 // form a config reply quoting the IP in the session
659 {
660 uint8_t b[MAXCONTROL];
661 uint8_t *i, *q;
662
663 q = p + 4;
664 i = p + l;
665 while (q < i && q[1])
666 {
667 if (*q != 0x81 && *q != 0x83 && *q != 3)
668 break;
669 q += q[1];
670 }
671 if (q < i)
672 {
673 // reject
674 uint16_t n = 4;
675 i = p + l;
676 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
677 return;
678
679 *q = ConfigRej;
680 p += 4;
681 while (p < i && p[1])
682 {
683 if (*p != 0x81 && *p != 0x83 && *p != 3)
684 {
685 LOG(2, s, t, "IPCP reject %d\n", *p);
686 memcpy(q + n, p, p[1]);
687 n += p[1];
688 }
689 p += p[1];
690 }
691 *(uint16_t *) (q + 2) = htons(n);
692 LOG(4, s, t, "Sending ConfigRej\n");
693 tunnelsend(b, n + (q - b), t); // send it
694 }
695 else
696 {
697 LOG(4, s, t, "Sending ConfigAck\n");
698 *p = ConfigAck;
699 if ((i = findppp(p, 0x81))) // Primary DNS address
700 {
701 if (*(uint32_t *) (i + 2) != htonl(session[s].dns1))
702 {
703 *(uint32_t *) (i + 2) = htonl(session[s].dns1);
704 *p = ConfigNak;
705 LOG(5, s, t, " DNS1 = %s\n",
706 fmtaddr(htonl(session[s].dns1), 0));
707 }
708 }
709 if ((i = findppp(p, 0x83))) // Secondary DNS address (TBA, is it)
710 {
711 if (*(uint32_t *) (i + 2) != htonl(session[s].dns2))
712 {
713 *(uint32_t *) (i + 2) = htonl(session[s].dns2);
714 *p = ConfigNak;
715 LOG(5, s, t, " DNS2 = %s\n",
716 fmtaddr(htonl(session[s].dns2), 0));
717 }
718 }
719 i = findppp(p, 3); // IP address
720 if (!i || i[1] != 6)
721 {
722 LOG(1, s, t, "No IP in IPCP request\n");
723 STAT(tunnel_rx_errors);
724 return ;
725 }
726 if (*(uint32_t *) (i + 2) != htonl(session[s].ip))
727 {
728 *(uint32_t *) (i + 2) = htonl(session[s].ip);
729 *p = ConfigNak;
730 LOG(4, s, t, " No, a ConfigNak, client is requesting IP - sending %s\n",
731 fmtaddr(htonl(session[s].ip), 0));
732 }
733 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
734 return;
735
736 tunnelsend(b, l + (q - b), t); // send it
737 }
738 }
739 }
740
741 // Process IPV6CP messages
742 void processipv6cp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
743 {
744
745 CSTAT(processipv6cp);
746
747 LOG_HEX(5, "IPV6CP", p, l);
748 if (l < 4)
749 {
750 LOG(1, s, t, "Short IPV6CP %d bytes\n", l);
751 STAT(tunnel_rx_errors);
752 return ;
753 }
754 if (*p == ConfigAck)
755 {
756 // happy with our IPV6CP
757 session[s].flags |= SF_IPV6CP_ACKED;
758
759 LOG(3, s, t, "IPV6CP Acked, IPv6 is now active\n");
760 // Add a routed block if configured.
761 if (session[s].ipv6prefixlen)
762 {
763 route6set(s, session[s].ipv6route, session[s].ipv6prefixlen, 1);
764 session[s].flags |= SF_IPV6_ROUTED;
765 }
766
767 // Send an initial RA (TODO: Should we send these regularly?)
768 send_ipv6_ra(t, s, NULL);
769 return;
770 }
771 if (*p != ConfigReq)
772 {
773 LOG(1, s, t, "Unexpected IPV6CP code %d\n", *p);
774 STAT(tunnel_rx_errors);
775 return;
776 }
777
778 LOG(4, s, t, "IPV6CP ConfigReq received\n");
779 if (ntohs(*(uint16_t *) (p + 2)) > l)
780 {
781 LOG(1, s, t, "Length mismatch IPV6CP %d/%d\n", ntohs(*(uint16_t *) (p + 2)), l);
782 STAT(tunnel_rx_errors);
783 return ;
784 }
785 if (!session[s].ip)
786 {
787 LOG(3, s, t, "Waiting on radius reply\n");
788 return; // have to wait on RADIUS reply
789 }
790 // form a config reply quoting the IP in the session
791 {
792 uint8_t b[MAXCONTROL];
793 uint8_t *i,
794 *q;
795
796 l = ntohs(*(uint16_t *) (p + 2)); // We must use length from IPV6CP len field
797 q = p + 4;
798 i = p + l;
799 while (q < i && q[1])
800 {
801 if (*q != 1)
802 break;
803 q += q[1];
804 }
805 if (q < i)
806 {
807 // reject
808 uint16_t n = 4;
809 i = p + l;
810 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPV6CP)))
811 {
812 LOG(2, s, t, "Failed to send IPV6CP ConfigRej\n");
813 return;
814 }
815 *q = ConfigRej;
816 p += 4;
817 while (p < i && p[1])
818 {
819 if (*p != 1)
820 {
821 LOG(2, s, t, "IPV6CP reject %d\n", *p);
822 memcpy(q + n, p, p[1]);
823 n += p[1];
824 }
825 p += p[1];
826 }
827 *(uint16_t *) (q + 2) = htons(n);
828 LOG(4, s, t, "Sending ConfigRej\n");
829 tunnelsend(b, n + (q - b), t); // send it
830 }
831 else
832 {
833 LOG(4, s, t, "Sending ConfigAck\n");
834 *p = ConfigAck;
835 i = findppp(p, 1); // IP address
836 if (!i || i[1] != 10)
837 {
838 LOG(1, s, t, "No IP in IPV6CP request\n");
839 STAT(tunnel_rx_errors);
840 return ;
841 }
842 if ((*(uint32_t *) (i + 2) != htonl(session[s].ip)) ||
843 (*(uint32_t *) (i + 6) != 0))
844 {
845 *(uint32_t *) (i + 2) = htonl(session[s].ip);
846 *(uint32_t *) (i + 6) = 0;
847 *p = ConfigNak;
848 LOG(4, s, t,
849 " No, a ConfigNak, client is "
850 "requesting IP - sending %s\n",
851 fmtaddr(htonl(session[s].ip), 0));
852 }
853 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPV6CP)))
854 {
855 LOG(2, s, t, " Failed to send IPV6CP packet.\n");
856 return;
857 }
858 tunnelsend(b, l + (q - b), t); // send it
859 }
860 }
861 }
862
863 // process IP packet received
864 //
865 // This MUST be called with at least 4 byte behind 'p'.
866 // (i.e. this routine writes to p[-4]).
867 void processipin(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
868 {
869 in_addr_t ip;
870
871 CSTAT(processipin);
872
873 LOG_HEX(5, "IP", p, l);
874
875 ip = ntohl(*(uint32_t *)(p + 12));
876
877 if (l > MAXETHER)
878 {
879 LOG(1, s, t, "IP packet too long %d\n", l);
880 STAT(tunnel_rx_errors);
881 return ;
882 }
883
884 // no spoof (do sessionbyip to handled statically routed subnets)
885 if (ip != session[s].ip && sessionbyip(htonl(ip)) != s)
886 {
887 LOG(5, s, t, "Dropping packet with spoofed IP %s\n", fmtaddr(htonl(ip), 0));
888 return;
889 }
890
891 // run access-list if any
892 if (session[s].filter_in && !ip_filter(p, l, session[s].filter_in - 1))
893 return;
894
895 // Add on the tun header
896 p -= 4;
897 *(uint32_t *) p = htonl(PKTIP);
898 l += 4;
899
900 // Are we throttled and a slave?
901 if (session[s].tbf_in && !config->cluster_iam_master) {
902 // Pass it to the master for handling.
903 master_throttle_packet(session[s].tbf_in, p, l);
904 return;
905 }
906
907 // Are we throttled and a master??
908 if (session[s].tbf_in && config->cluster_iam_master) {
909 // Actually handle the throttled packets.
910 tbf_queue_packet(session[s].tbf_in, p, l);
911 return;
912 }
913
914 // send to ethernet
915 if (tun_write(p, l) < 0)
916 {
917 STAT(tun_tx_errors);
918 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
919 l, strerror(errno), tunfd, p);
920
921 return;
922 }
923
924 if (session[s].snoop_ip && session[s].snoop_port)
925 {
926 // Snooping this session
927 snoop_send_packet(p + 4, l - 4, session[s].snoop_ip, session[s].snoop_port);
928 }
929
930 session[s].cin += l - 4;
931 session[s].total_cin += l - 4;
932 sess_local[s].cin += l - 4;
933
934 session[s].pin++;
935 eth_tx += l - 4;
936
937 STAT(tun_tx_packets);
938 INC_STAT(tun_tx_bytes, l - 4);
939 }
940
941 // process IPv6 packet received
942 //
943 // This MUST be called with at least 4 byte behind 'p'.
944 // (i.e. this routine writes to p[-4]).
945 void processipv6in(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
946 {
947 struct in6_addr ip;
948 in_addr_t ipv4;
949
950 CSTAT(processipv6in);
951
952 LOG_HEX(5, "IPv6", p, l);
953
954 ip = *(struct in6_addr *) (p + 8);
955 ipv4 = ntohl(*(uint32_t *)(p + 16));
956
957 if (l > MAXETHER)
958 {
959 LOG(1, s, t, "IP packet too long %d\n", l);
960 STAT(tunnel_rx_errors);
961 return ;
962 }
963
964 // no spoof
965 if (ipv4 != session[s].ip && memcmp(&config->ipv6_prefix, &ip, 8) && sessionbyipv6(ip) != s)
966 {
967 char str[INET6_ADDRSTRLEN];
968 LOG(5, s, t, "Dropping packet with spoofed IP %s\n",
969 inet_ntop(AF_INET6, &ip, str, INET6_ADDRSTRLEN));
970 return;
971 }
972
973 // Check if it's a Router Solicition message.
974 if (*(p + 6) == 58 && *(p + 7) == 255 && *(p + 24) == 0xFF && *(p + 25) == 2 &&
975 *(uint32_t *)(p + 26) == 0 && *(uint32_t *)(p + 30) == 0 &&
976 *(uint32_t *)(p + 34) == 0 &&
977 *(p + 38) == 0 && *(p + 39) == 2 && *(p + 40) == 133) {
978 LOG(3, s, t, "Got IPv6 RS\n");
979 send_ipv6_ra(t, s, &ip);
980 return;
981 }
982
983 // Add on the tun header
984 p -= 4;
985 *(uint32_t *) p = htonl(PKTIPV6);
986 l += 4;
987
988 // Are we throttled and a slave?
989 if (session[s].tbf_in && !config->cluster_iam_master) {
990 // Pass it to the master for handling.
991 master_throttle_packet(session[s].tbf_in, p, l);
992 return;
993 }
994
995 // Are we throttled and a master??
996 if (session[s].tbf_in && config->cluster_iam_master) {
997 // Actually handle the throttled packets.
998 tbf_queue_packet(session[s].tbf_in, p, l);
999 return;
1000 }
1001
1002 // send to ethernet
1003 if (tun_write(p, l) < 0)
1004 {
1005 STAT(tun_tx_errors);
1006 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
1007 l, strerror(errno), tunfd, p);
1008
1009 return;
1010 }
1011
1012 if (session[s].snoop_ip && session[s].snoop_port)
1013 {
1014 // Snooping this session
1015 snoop_send_packet(p + 4, l - 4, session[s].snoop_ip, session[s].snoop_port);
1016 }
1017
1018 session[s].cin += l - 4;
1019 session[s].total_cin += l - 4;
1020 sess_local[s].cin += l - 4;
1021
1022 session[s].pin++;
1023 eth_tx += l - 4;
1024
1025 STAT(tun_tx_packets);
1026 INC_STAT(tun_tx_bytes, l - 4);
1027 }
1028
1029 //
1030 // Helper routine for the TBF filters.
1031 // Used to send queued data in from the user.
1032 //
1033 void send_ipin(sessionidt s, uint8_t *buf, int len)
1034 {
1035 LOG_HEX(5, "IP in throttled", buf, len);
1036
1037 if (write(tunfd, buf, len) < 0)
1038 {
1039 STAT(tun_tx_errors);
1040 LOG(0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
1041 len, strerror(errno), tunfd, buf);
1042
1043 return;
1044 }
1045
1046 if (session[s].snoop_ip && session[s].snoop_port)
1047 {
1048 // Snooping this session
1049 snoop_send_packet(buf + 4, len - 4, session[s].snoop_ip, session[s].snoop_port);
1050 }
1051
1052 // Increment packet counters
1053 session[s].cin += len - 4;
1054 session[s].total_cin += len - 4;
1055 sess_local[s].cin += len - 4;
1056
1057 session[s].pin++;
1058 eth_tx += len - 4;
1059
1060 STAT(tun_tx_packets);
1061 INC_STAT(tun_tx_bytes, len - 4);
1062 }
1063
1064
1065 // Process CCP messages
1066 void processccp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
1067 {
1068 uint8_t b[MAXCONTROL];
1069 uint8_t *q;
1070
1071 CSTAT(processccp);
1072
1073 LOG_HEX(5, "CCP", p, l);
1074 switch (l > 1 ? *p : 0)
1075 {
1076 case ConfigAck:
1077 session[s].flags |= SF_CCP_ACKED;
1078 return;
1079
1080 case ConfigReq:
1081 if (l < 6) // accept no compression
1082 {
1083 *p = ConfigAck;
1084 break;
1085 }
1086
1087 // compression requested--reject
1088 *p = ConfigRej;
1089
1090 // send CCP request for no compression for our end if not negotiated
1091 if (!(session[s].flags & SF_CCP_ACKED))
1092 initccp(t, s);
1093
1094 break;
1095
1096 case TerminateReq:
1097 *p = TerminateAck;
1098 break;
1099
1100 default:
1101 if (l > 1)
1102 LOG(1, s, t, "Unexpected CCP request code %d\n", *p);
1103 else
1104 LOG(1, s, t, "Short CCP packet\n");
1105
1106 STAT(tunnel_rx_errors);
1107 return;
1108 }
1109
1110 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPCCP)))
1111 return;
1112
1113 tunnelsend(b, l + (q - b), t); // send it
1114 }
1115
1116 // send a CHAP challenge
1117 void sendchap(tunnelidt t, sessionidt s)
1118 {
1119 uint8_t b[MAXCONTROL];
1120 uint16_t r = sess_local[s].radius;
1121 uint8_t *q;
1122
1123 CSTAT(sendchap);
1124
1125 if (!r)
1126 {
1127 LOG(1, s, t, "No RADIUS to send challenge\n");
1128 STAT(tunnel_tx_errors);
1129 return;
1130 }
1131
1132 LOG(1, s, t, "Send CHAP challenge\n");
1133
1134 radius[r].chap = 1; // CHAP not PAP
1135 radius[r].id++;
1136 if (radius[r].state != RADIUSCHAP)
1137 radius[r].try = 0;
1138
1139 radius[r].state = RADIUSCHAP;
1140 radius[r].retry = backoff(radius[r].try++);
1141 if (radius[r].try > 5)
1142 {
1143 sessionshutdown(s, "CHAP timeout.", 3, 0);
1144 STAT(tunnel_tx_errors);
1145 return ;
1146 }
1147 q = makeppp(b, sizeof(b), 0, 0, t, s, PPPCHAP);
1148 if (!q) return;
1149
1150 *q = 1; // challenge
1151 q[1] = radius[r].id; // ID
1152 q[4] = 16; // value size (size of challenge)
1153 memcpy(q + 5, radius[r].auth, 16); // challenge
1154 strcpy(q + 21, hostname); // our name
1155 *(uint16_t *) (q + 2) = htons(strlen(hostname) + 21); // length
1156 tunnelsend(b, strlen(hostname) + 21 + (q - b), t); // send it
1157 }
1158
1159 // fill in a L2TP message with a PPP frame,
1160 // copies existing PPP message and changes magic number if seen
1161 // returns start of PPP frame
1162 uint8_t *makeppp(uint8_t *b, int size, uint8_t *p, int l, tunnelidt t, sessionidt s, uint16_t mtype)
1163 {
1164 if (size < 12) // Need more space than this!!
1165 {
1166 static int backtrace_count = 0;
1167 LOG(0, s, t, "makeppp buffer too small for L2TP header (size=%d)\n", size);
1168 log_backtrace(backtrace_count, 5)
1169 return NULL;
1170 }
1171
1172 *(uint16_t *) (b + 0) = htons(0x0002); // L2TP with no options
1173 *(uint16_t *) (b + 2) = htons(tunnel[t].far); // tunnel
1174 *(uint16_t *) (b + 4) = htons(session[s].far); // session
1175 b += 6;
1176 if (mtype == PPPLCP || !(session[s].l2tp_flags & SESSIONACFC))
1177 {
1178 *(uint16_t *) b = htons(0xFF03); // HDLC header
1179 b += 2;
1180 }
1181 if (mtype < 0x100 && session[s].l2tp_flags & SESSIONPFC)
1182 *b++ = mtype;
1183 else
1184 {
1185 *(uint16_t *) b = htons(mtype);
1186 b += 2;
1187 }
1188
1189 if (l + 12 > size)
1190 {
1191 static int backtrace_count = 0;
1192 LOG(2, s, t, "makeppp would overflow buffer (size=%d, header+payload=%d)\n", size, l + 12);
1193 log_backtrace(backtrace_count, 5)
1194 return NULL;
1195 }
1196
1197 if (p && l)
1198 memcpy(b, p, l);
1199
1200 return b;
1201 }
1202
1203 static uint8_t *add_lcp_auth(uint8_t *b, int size, int authtype)
1204 {
1205 if ((authtype == AUTHCHAP && size < 5) || size < 4)
1206 return 0;
1207
1208 *b++ = 3; // Authentication-Protocol
1209 if (authtype == AUTHCHAP)
1210 {
1211 *b++ = 5; // length
1212 *(uint16_t *) b = htons(PPPCHAP); b += 2;
1213 *b++ = 5; // MD5
1214 }
1215 else if (authtype == AUTHPAP)
1216 {
1217 *b++ = 4; // length
1218 *(uint16_t *) b = htons(PPPPAP); b += 2;
1219 }
1220 else
1221 {
1222 LOG(0, 0, 0, "add_lcp_auth called with unsupported auth type %d\n", authtype);
1223 }
1224
1225 return b;
1226 }
1227
1228 // Send initial LCP ConfigReq for MRU, authentication type and magic no
1229 void sendlcp(tunnelidt t, sessionidt s, int authtype)
1230 {
1231 char b[500], *q, *l;
1232
1233 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP)))
1234 return;
1235
1236 LOG(4, s, t, "Sending LCP ConfigReq for %s\n",
1237 config->radius_authprefer == AUTHCHAP ? "CHAP" : "PAP");
1238
1239 if (!session[s].mru)
1240 session[s].mru = DEFAULT_MRU;
1241
1242 l = q;
1243 *l++ = ConfigReq;
1244 *l++ = (time_now % 255) + 1; // ID
1245
1246 *l++ = 1; *l++ = 4; // Maximum-Receive-Unit (length 4)
1247 *(uint16_t *) l = htons(session[s].mru); l += 2;
1248
1249 l = add_lcp_auth(l, sizeof(b) - (l - b), authtype);
1250
1251 *l++ = 5; *l++ = 6; // Magic-Number (length 6)
1252 *(uint32_t *) l = htonl(session[s].magic);
1253 l += 4;
1254
1255 *(uint16_t *)(q + 2) = htons(l - q); // Length
1256
1257 LOG_HEX(5, "PPPLCP", q, l - q);
1258 tunnelsend(b, (l - b), t);
1259 }
1260
1261 // Send CCP request for no compression
1262 static void initccp(tunnelidt t, sessionidt s)
1263 {
1264 char b[500], *q;
1265
1266 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPCCP)))
1267 return;
1268
1269 LOG(4, s, t, "Sending CCP ConfigReq for no compression\n");
1270 *q = ConfigReq;
1271 *(uint8_t *)(q + 1) = (time_now % 255) + 1; // ID
1272 *(uint16_t *)(q + 2) = htons(4); // Length
1273
1274 LOG_HEX(5, "PPPCCP", q, 4);
1275 tunnelsend(b, (q - b) + 4 , t);
1276 }