90a5b81fabe510e59e9dc2389caba350d73820b2
[l2tpns.git] / ppp.c
1 // L2TPNS PPP Stuff
2
3 char const *cvs_id_ppp = "$Id: ppp.c,v 1.50 2005/05/07 08:53:23 bodea Exp $";
4
5 #include <stdio.h>
6 #include <string.h>
7 #include <unistd.h>
8 #include <errno.h>
9 #include <stdlib.h>
10 #include "l2tpns.h"
11 #include "constants.h"
12 #include "plugin.h"
13 #include "util.h"
14 #include "tbf.h"
15 #include "cluster.h"
16
17 extern tunnelt *tunnel;
18 extern sessiont *session;
19 extern radiust *radius;
20 extern int tunfd;
21 extern char hostname[];
22 extern uint32_t eth_tx;
23 extern time_t time_now;
24 extern configt *config;
25
26 static void initccp(tunnelidt t, sessionidt s);
27
28 // Process PAP messages
29 void processpap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
30 {
31 char user[MAXUSER];
32 char pass[MAXPASS];
33 uint16_t hl;
34
35 CSTAT(processpap);
36
37 LOG_HEX(5, "PAP", p, l);
38 if (l < 4)
39 {
40 LOG(1, s, t, "Short PAP %u bytes\n", l);
41 STAT(tunnel_rx_errors);
42 sessionshutdown(s, "Short PAP packet.", 3, 0);
43 return ;
44 }
45
46 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
47 {
48 LOG(1, s, t, "Length mismatch PAP %u/%u\n", hl, l);
49 STAT(tunnel_rx_errors);
50 sessionshutdown(s, "PAP length mismatch.", 3, 0);
51 return ;
52 }
53 l = hl;
54
55 if (*p != 1)
56 {
57 LOG(1, s, t, "Unexpected PAP code %d\n", *p);
58 STAT(tunnel_rx_errors);
59 sessionshutdown(s, "Unexpected PAP code.", 3, 0);
60 return ;
61 }
62
63 {
64 uint8_t *b = p;
65 b += 4;
66 user[0] = pass[0] = 0;
67 if (*b && *b < sizeof(user))
68 {
69 memcpy(user, b + 1, *b);
70 user[*b] = 0;
71 b += 1 + *b;
72 if (*b && *b < sizeof(pass))
73 {
74 memcpy(pass, b + 1, *b);
75 pass[*b] = 0;
76 }
77 }
78 LOG(3, s, t, "PAP login %s/%s\n", user, pass);
79 }
80 if (session[s].ip || !sess_local[s].radius)
81 {
82 // respond now, either no RADIUS available or already authenticated
83 uint8_t b[MAXCONTROL];
84 uint8_t id = p[1];
85 uint8_t *p = makeppp(b, sizeof(b), 0, 0, t, s, PPPPAP);
86 if (!p) return;
87
88 if (session[s].ip)
89 *p = 2; // ACK
90 else
91 *p = 3; // cant authorise
92 p[1] = id;
93 *(uint16_t *) (p + 2) = htons(5); // length
94 p[4] = 0; // no message
95 if (session[s].ip)
96 {
97 LOG(3, s, t, "Already an IP allocated: %s (%d)\n",
98 fmtaddr(htonl(session[s].ip), 0), session[s].ip_pool_index);
99
100 session[s].flags &= ~SF_IPCP_ACKED;
101 }
102 else
103 {
104 LOG(1, s, t, "No radius session available to authenticate session...\n");
105 }
106 LOG(3, s, t, "Fallback response to PAP (%s)\n", (session[s].ip) ? "ACK" : "NAK");
107 tunnelsend(b, 5 + (p - b), t); // send it
108 sessionshutdown(s, "PAP authentication failed.", 3, 0);
109 }
110 else
111 {
112 // set up RADIUS request
113 uint16_t r = sess_local[s].radius;
114
115 // Run PRE_AUTH plugins
116 struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
117 run_plugins(PLUGIN_PRE_AUTH, &packet);
118 if (!packet.continue_auth)
119 {
120 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
121 if (packet.username) free(packet.username);
122 if (packet.password) free(packet.password);
123 return;
124 }
125
126 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
127 strncpy(radius[r].pass, packet.password, sizeof(radius[r].pass) - 1);
128
129 free(packet.username);
130 free(packet.password);
131
132 radius[r].id = p[1];
133 LOG(3, s, t, "Sending login for %s/%s to radius\n", user, pass);
134 radiussend(r, RADIUSAUTH);
135 }
136 }
137
138 // Process CHAP messages
139 void processchap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
140 {
141 uint16_t r;
142 uint16_t hl;
143
144 CSTAT(processchap);
145
146 LOG_HEX(5, "CHAP", p, l);
147 r = sess_local[s].radius;
148 if (!r)
149 {
150 LOG(1, s, t, "Unexpected CHAP message\n");
151 STAT(tunnel_rx_errors);
152 return;
153 }
154
155 if (l < 4)
156 {
157 LOG(1, s, t, "Short CHAP %u bytes\n", l);
158 STAT(tunnel_rx_errors);
159 return ;
160 }
161
162 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
163 {
164 LOG(1, s, t, "Length mismatch CHAP %u/%u\n", hl, l);
165 STAT(tunnel_rx_errors);
166 return ;
167 }
168 l = hl;
169
170 if (*p != 2)
171 {
172 LOG(1, s, t, "Unexpected CHAP response code %d\n", *p);
173 STAT(tunnel_rx_errors);
174 return;
175 }
176 if (p[1] != radius[r].id)
177 {
178 LOG(1, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
179 STAT(tunnel_rx_errors);
180 return ;
181 }
182
183 if (l < 5 || p[4] != 16)
184 {
185 LOG(1, s, t, "Bad CHAP response length %d\n", l < 5 ? -1 : p[4]);
186 STAT(tunnel_rx_errors);
187 return ;
188 }
189
190 l -= 5;
191 p += 5;
192 if (l < 16 || l - 16 >= sizeof(session[s].user))
193 {
194 LOG(1, s, t, "CHAP user too long %d\n", l - 16);
195 STAT(tunnel_rx_errors);
196 return ;
197 }
198
199 // Run PRE_AUTH plugins
200 {
201 struct param_pre_auth packet = { &tunnel[t], &session[s], NULL, NULL, PPPCHAP, 1 };
202
203 packet.password = calloc(17, 1);
204 memcpy(packet.password, p, 16);
205
206 p += 16;
207 l -= 16;
208
209 packet.username = calloc(l + 1, 1);
210 memcpy(packet.username, p, l);
211
212 run_plugins(PLUGIN_PRE_AUTH, &packet);
213 if (!packet.continue_auth)
214 {
215 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
216 if (packet.username) free(packet.username);
217 if (packet.password) free(packet.password);
218 return;
219 }
220
221 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
222 memcpy(radius[r].pass, packet.password, 16);
223
224 free(packet.username);
225 free(packet.password);
226 }
227
228 radius[r].chap = 1;
229 LOG(3, s, t, "CHAP login %s\n", session[s].user);
230 radiussend(r, RADIUSAUTH);
231 }
232
233 static void dumplcp(uint8_t *p, int l)
234 {
235 int x = l - 4;
236 uint8_t *o = (p + 4);
237
238 LOG_HEX(5, "PPP LCP Packet", p, l);
239 LOG(4, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_type((int)*p), ntohs( ((uint16_t *) p)[1]) );
240 LOG(4, 0, 0, "Length: %d\n", l);
241 if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
242 return;
243
244 while (x > 2)
245 {
246 int type = o[0];
247 int length = o[1];
248 if (length < 2)
249 {
250 LOG(4, 0, 0, " Option length is %d...\n", length);
251 break;
252 }
253 if (type == 0)
254 {
255 LOG(4, 0, 0, " Option type is 0...\n");
256 x -= length;
257 o += length;
258 continue;
259 }
260 switch (type)
261 {
262 case 1: // Maximum-Receive-Unit
263 if (length == 4)
264 LOG(4, 0, 0, " %s %d\n", lcp_type(type), ntohs(*(uint16_t *)(o + 2)));
265 else
266 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
267 break;
268 case 2: // Async-Control-Character-Map
269 if (length == 6)
270 {
271 uint32_t asyncmap = ntohl(*(uint32_t *)(o + 2));
272 LOG(4, 0, 0, " %s %x\n", lcp_type(type), asyncmap);
273 }
274 else
275 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
276 break;
277 case 3: // Authentication-Protocol
278 if (length == 4)
279 {
280 int proto = ntohs(*(uint16_t *)(o + 2));
281 LOG(4, 0, 0, " %s 0x%x (%s)\n", lcp_type(type), proto,
282 proto == PPPPAP ? "PAP" : "UNSUPPORTED");
283 }
284 else if (length == 5)
285 {
286 int proto = ntohs(*(uint16_t *)(o + 2));
287 int algo = *(uint8_t *)(o + 4);
288 LOG(4, 0, 0, " %s 0x%x 0x%x (%s)\n", lcp_type(type), proto, algo,
289 (proto == PPPCHAP && algo == 5) ? "CHAP MD5" : "UNSUPPORTED");
290 }
291 else
292 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
293 break;
294 case 4: // Quality-Protocol
295 {
296 uint32_t qp = ntohl(*(uint32_t *)(o + 2));
297 LOG(4, 0, 0, " %s %x\n", lcp_type(type), qp);
298 }
299 break;
300 case 5: // Magic-Number
301 if (length == 6)
302 {
303 uint32_t magicno = ntohl(*(uint32_t *)(o + 2));
304 LOG(4, 0, 0, " %s %x\n", lcp_type(type), magicno);
305 }
306 else
307 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
308 break;
309 case 7: // Protocol-Field-Compression
310 case 8: // Address-And-Control-Field-Compression
311 LOG(4, 0, 0, " %s\n", lcp_type(type));
312 break;
313 default:
314 LOG(2, 0, 0, " Unknown PPP LCP Option type %d\n", type);
315 break;
316 }
317 x -= length;
318 o += length;
319 }
320 }
321
322 // Process LCP messages
323 void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
324 {
325 uint8_t b[MAXCONTROL];
326 uint8_t *q = NULL;
327 uint32_t magicno = 0;
328 uint16_t hl;
329
330 CSTAT(processlcp);
331
332 LOG_HEX(5, "LCP", p, l);
333 if (l < 4)
334 {
335 LOG(1, s, t, "Short LCP %d bytes\n", l);
336 STAT(tunnel_rx_errors);
337 return ;
338 }
339
340 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
341 {
342 LOG(1, s, t, "Length mismatch LCP %u/%u\n", hl, l);
343 STAT(tunnel_rx_errors);
344 return ;
345 }
346 l = hl;
347
348 if (*p == ConfigAck)
349 {
350 LOG(3, s, t, "LCP: Discarding ConfigAck\n");
351 session[s].flags |= SF_LCP_ACKED;
352 }
353 else if (*p == ConfigReq)
354 {
355 int x = l - 4;
356 uint8_t *o = (p + 4);
357 uint8_t *response = 0;
358
359 LOG(3, s, t, "LCP: ConfigReq (%d bytes)...\n", l);
360 if (config->debug > 3) dumplcp(p, l);
361
362 while (x > 2)
363 {
364 int type = o[0];
365 int length = o[1];
366
367 if (length == 0 || type == 0 || x < length) break;
368 switch (type)
369 {
370 case 1: // Maximum-Receive-Unit
371 session[s].mru = ntohs(*(uint16_t *)(o + 2));
372 break;
373
374 case 2: // Async-Control-Character-Map
375 if (!ntohl(*(uint32_t *)(o + 2))) // all bits zero is OK
376 break;
377
378 if (response && *response != ConfigNak) // rej already queued
379 break;
380
381 LOG(2, s, t, " Remote requesting asyncmap. Rejecting.\n");
382 if (!response)
383 {
384 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
385 if (!q) break;
386 *q = ConfigNak;
387 q += 4;
388 }
389
390 if ((q - b + 11) > sizeof(b))
391 {
392 LOG(2, s, t, "LCP overflow for asyncmap ConfigNak.\n");
393 break;
394 }
395
396 *q++ = type;
397 *q++ = 6;
398 memset(q, 0, 4); // asyncmap 0
399 q += 4;
400 *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length
401 break;
402
403 case 3: // Authentication-Protocol
404 {
405 int proto = ntohs(*(uint16_t *)(o + 2));
406 char proto_name[] = "0x0000";
407
408 if (proto == PPPPAP)
409 {
410 if (config->radius_authtypes & AUTHPAP)
411 break;
412
413 strcpy(proto_name, "PAP");
414 }
415 else if (proto == PPPCHAP)
416 {
417 if (config->radius_authtypes & AUTHCHAP
418 && *(o + 4) == 5) // MD5
419 break;
420
421 strcpy(proto_name, "CHAP");
422 }
423 else
424 sprintf(proto_name, "%#4.4x", proto);
425
426 if (response && *response != ConfigNak) // rej already queued
427 break;
428
429 LOG(2, s, t, " Remote requesting %s authentication. Rejecting.\n", proto_name);
430
431 if (!response)
432 {
433 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
434 if (!q) break;
435 *q = ConfigNak;
436 q += 4;
437 }
438
439 if ((q - b + 5) > sizeof(b)) // 5 is the larger (CHAP+MD5) of the two NAKs
440 {
441 LOG(2, s, t, "LCP overflow for %s ConfigNak.\n", proto_name);
442 break;
443 }
444
445 *q++ = type;
446 if (config->radius_authprefer == AUTHCHAP)
447 {
448 *q++ = 5;
449 *(uint16_t *) q = htons(PPPCHAP); q += 2;
450 *q++ = 5; // MD5
451 }
452 else
453 {
454 *q++ = 4;
455 *(uint16_t *) q = htons(PPPPAP); q += 2;
456 }
457
458 *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length
459 break;
460 }
461 break;
462
463 case 5: // Magic-Number
464 magicno = ntohl(*(uint32_t *)(o + 2));
465 break;
466
467 case 4: // Quality-Protocol
468 case 7: // Protocol-Field-Compression
469 case 8: // Address-And-Control-Field-Compression
470 break;
471
472 default: // Reject any unknown options
473 LOG(2, s, t, " Rejecting PPP LCP Option type %d\n", type);
474 if (!response || *response != ConfigRej) // drop nak in favour of rej
475 {
476 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
477 if (!q) break;
478 *q = ConfigRej;
479 q += 4;
480 }
481
482 if ((q - b + length) > sizeof(b))
483 {
484 LOG(2, s, t, "LCP overflow for ConfigRej (type=%d).\n", type);
485 break;
486 }
487
488 memcpy(q, o, length);
489 q += length;
490 *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length
491 }
492 x -= length;
493 o += length;
494 }
495
496 if (!response)
497 {
498 // Send back a ConfigAck
499 q = response = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
500 if (!q) return;
501 *q = ConfigAck;
502 }
503
504 LOG(3, s, t, "Sending %s\n", ppp_lcp_type(*response));
505 tunnelsend(b, l + (q - b), t);
506
507 if (!(session[s].flags & SF_LCP_ACKED))
508 initlcp(t, s);
509 }
510 else if (*p == ConfigNak)
511 {
512 LOG(1, s, t, "Remote end sent a ConfigNak. Ignoring\n");
513 if (config->debug > 3) dumplcp(p, l);
514 return;
515 }
516 else if (*p == TerminateReq)
517 {
518 LOG(3, s, t, "LCP: Received TerminateReq. Sending TerminateAck\n");
519 *p = TerminateAck; // close
520 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
521 if (!q) return;
522 tunnelsend(b, l + (q - b), t); // send it
523 sessionshutdown(s, "Remote end closed connection.", 3, 0);
524 }
525 else if (*p == TerminateAck)
526 {
527 sessionshutdown(s, "Connection closed.", 3, 0);
528 }
529 else if (*p == ProtocolRej)
530 {
531 if (*(uint16_t *) (p+4) == htons(PPPIPV6CP))
532 {
533 LOG(3, s, t, "IPv6 rejected\n");
534 session[s].flags |= SF_IPV6_NACKED;
535 }
536 else
537 {
538 LOG(1, s, t, "Unexpected LCP protocol reject 0x%X\n",
539 ntohs(*(uint16_t *) (p+4)));
540 STAT(tunnel_rx_errors);
541 }
542 }
543 else if (*p == EchoReq)
544 {
545 LOG(5, s, t, "LCP: Received EchoReq. Sending EchoReply\n");
546 *p = EchoReply; // reply
547 *(uint32_t *) (p + 4) = htonl(session[s].magic); // our magic number
548 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
549 if (!q) return;
550 tunnelsend(b, l + (q - b), t); // send it
551 }
552 else if (*p == EchoReply)
553 {
554 // Ignore it, last_packet time is set earlier than this.
555 }
556 else if (*p == IdentRequest)
557 {
558 *p = CodeRej;
559 if (l > MAXCONTROL)
560 {
561 LOG(1, s, t, "Truncated Ident Packet (length=%d) to 1400 bytes\n", l);
562 l = 1400;
563 }
564 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
565 if (!q) return;
566 LOG_HEX(5, "LCPIdentRej", q, l + 4);
567 tunnelsend(b, 12 + 4 + l, t);
568 }
569 else
570 {
571 LOG(1, s, t, "Unexpected LCP code %d\n", *p);
572 STAT(tunnel_rx_errors);
573 return ;
574 }
575 }
576
577 // find a PPP option, returns point to option, or 0 if not found
578 static uint8_t *findppp(uint8_t *b, uint8_t mtype)
579 {
580 uint16_t l = ntohs(*(uint16_t *) (b + 2));
581 if (l < 4)
582 return 0;
583 b += 4;
584 l -= 4;
585 while (l)
586 {
587 if (l < b[1] || !b[1])
588 return 0; // faulty
589 if (*b == mtype)
590 return b;
591 l -= b[1];
592 b += b[1];
593 }
594 return 0;
595 }
596
597 // Process IPCP messages
598 void processipcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
599 {
600 uint16_t hl;
601
602 CSTAT(processipcp);
603
604 LOG_HEX(5, "IPCP", p, l);
605 if (l < 5)
606 {
607 LOG(1, s, t, "Short IPCP %d bytes\n", l);
608 STAT(tunnel_rx_errors);
609 return ;
610 }
611
612 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
613 {
614 LOG(1, s, t, "Length mismatch IPCP %u/%u\n", hl, l);
615 STAT(tunnel_rx_errors);
616 return ;
617 }
618 l = hl;
619
620 if (*p == ConfigAck)
621 {
622 // happy with our IPCP
623 uint16_t r = sess_local[s].radius;
624 if ((!r || radius[r].state == RADIUSIPCP) && !session[s].walled_garden)
625 {
626 if (!r)
627 r = radiusnew(s);
628 if (r)
629 radiussend(r, RADIUSSTART); // send radius start, having got IPCP at last
630 }
631 session[s].flags |= SF_IPCP_ACKED;
632
633 LOG(3, s, t, "IPCP Acked, session is now active\n");
634
635 // clear LCP_ACKED/CCP_ACKED flag for possible fast renegotiaion for routers
636 session[s].flags &= ~(SF_LCP_ACKED|SF_CCP_ACKED);
637
638 return;
639 }
640 if (*p != ConfigReq)
641 {
642 LOG(1, s, t, "Unexpected IPCP code %d\n", *p);
643 STAT(tunnel_rx_errors);
644 return ;
645 }
646 LOG(4, s, t, "IPCP ConfigReq received\n");
647
648 if (!session[s].ip)
649 {
650 LOG(3, s, t, "Waiting on radius reply\n");
651 return; // have to wait on RADIUS reply
652 }
653 // form a config reply quoting the IP in the session
654 {
655 uint8_t b[MAXCONTROL];
656 uint8_t *i, *q;
657
658 q = p + 4;
659 i = p + l;
660 while (q < i && q[1])
661 {
662 if (*q != 0x81 && *q != 0x83 && *q != 3)
663 break;
664 q += q[1];
665 }
666 if (q < i)
667 {
668 // reject
669 uint16_t n = 4;
670 i = p + l;
671 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
672 return;
673
674 *q = ConfigRej;
675 p += 4;
676 while (p < i && p[1])
677 {
678 if (*p != 0x81 && *p != 0x83 && *p != 3)
679 {
680 LOG(2, s, t, "IPCP reject %d\n", *p);
681 memcpy(q + n, p, p[1]);
682 n += p[1];
683 }
684 p += p[1];
685 }
686 *(uint16_t *) (q + 2) = htons(n);
687 LOG(4, s, t, "Sending ConfigRej\n");
688 tunnelsend(b, n + (q - b), t); // send it
689 }
690 else
691 {
692 LOG(4, s, t, "Sending ConfigAck\n");
693 *p = ConfigAck;
694 if ((i = findppp(p, 0x81))) // Primary DNS address
695 {
696 if (*(uint32_t *) (i + 2) != htonl(session[s].dns1))
697 {
698 *(uint32_t *) (i + 2) = htonl(session[s].dns1);
699 *p = ConfigNak;
700 LOG(5, s, t, " DNS1 = %s\n",
701 fmtaddr(htonl(session[s].dns1), 0));
702 }
703 }
704 if ((i = findppp(p, 0x83))) // Secondary DNS address (TBA, is it)
705 {
706 if (*(uint32_t *) (i + 2) != htonl(session[s].dns2))
707 {
708 *(uint32_t *) (i + 2) = htonl(session[s].dns2);
709 *p = ConfigNak;
710 LOG(5, s, t, " DNS2 = %s\n",
711 fmtaddr(htonl(session[s].dns2), 0));
712 }
713 }
714 i = findppp(p, 3); // IP address
715 if (!i || i[1] != 6)
716 {
717 LOG(1, s, t, "No IP in IPCP request\n");
718 STAT(tunnel_rx_errors);
719 return ;
720 }
721 if (*(uint32_t *) (i + 2) != htonl(session[s].ip))
722 {
723 *(uint32_t *) (i + 2) = htonl(session[s].ip);
724 *p = ConfigNak;
725 LOG(4, s, t, " No, a ConfigNak, client is requesting IP - sending %s\n",
726 fmtaddr(htonl(session[s].ip), 0));
727 }
728 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
729 return;
730
731 tunnelsend(b, l + (q - b), t); // send it
732 }
733 }
734 }
735
736 // Process IPV6CP messages
737 void processipv6cp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
738 {
739
740 CSTAT(processipv6cp);
741
742 LOG_HEX(5, "IPV6CP", p, l);
743 if (l < 4)
744 {
745 LOG(1, s, t, "Short IPV6CP %d bytes\n", l);
746 STAT(tunnel_rx_errors);
747 return ;
748 }
749 if (*p == ConfigAck)
750 {
751 // happy with our IPV6CP
752 session[s].flags |= SF_IPV6CP_ACKED;
753
754 LOG(3, s, t, "IPV6CP Acked, IPv6 is now active\n");
755 // Add a routed block if configured.
756 if (session[s].ipv6prefixlen)
757 {
758 route6set(s, session[s].ipv6route, session[s].ipv6prefixlen, 1);
759 session[s].flags |= SF_IPV6_ROUTED;
760 }
761
762 // Send an initial RA (TODO: Should we send these regularly?)
763 send_ipv6_ra(t, s, NULL);
764 return;
765 }
766 if (*p != ConfigReq)
767 {
768 LOG(1, s, t, "Unexpected IPV6CP code %d\n", *p);
769 STAT(tunnel_rx_errors);
770 return;
771 }
772
773 LOG(4, s, t, "IPV6CP ConfigReq received\n");
774 if (ntohs(*(uint16_t *) (p + 2)) > l)
775 {
776 LOG(1, s, t, "Length mismatch IPV6CP %d/%d\n", ntohs(*(uint16_t *) (p + 2)), l);
777 STAT(tunnel_rx_errors);
778 return ;
779 }
780 if (!session[s].ip)
781 {
782 LOG(3, s, t, "Waiting on radius reply\n");
783 return; // have to wait on RADIUS reply
784 }
785 // form a config reply quoting the IP in the session
786 {
787 uint8_t b[MAXCONTROL];
788 uint8_t *i,
789 *q;
790
791 l = ntohs(*(uint16_t *) (p + 2)); // We must use length from IPV6CP len field
792 q = p + 4;
793 i = p + l;
794 while (q < i && q[1])
795 {
796 if (*q != 1)
797 break;
798 q += q[1];
799 }
800 if (q < i)
801 {
802 // reject
803 uint16_t n = 4;
804 i = p + l;
805 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPV6CP)))
806 {
807 LOG(2, s, t, "Failed to send IPV6CP ConfigRej\n");
808 return;
809 }
810 *q = ConfigRej;
811 p += 4;
812 while (p < i && p[1])
813 {
814 if (*p != 1)
815 {
816 LOG(2, s, t, "IPV6CP reject %d\n", *p);
817 memcpy(q + n, p, p[1]);
818 n += p[1];
819 }
820 p += p[1];
821 }
822 *(uint16_t *) (q + 2) = htons(n);
823 LOG(4, s, t, "Sending ConfigRej\n");
824 tunnelsend(b, n + (q - b), t); // send it
825 }
826 else
827 {
828 LOG(4, s, t, "Sending ConfigAck\n");
829 *p = ConfigAck;
830 i = findppp(p, 1); // IP address
831 if (!i || i[1] != 10)
832 {
833 LOG(1, s, t, "No IP in IPV6CP request\n");
834 STAT(tunnel_rx_errors);
835 return ;
836 }
837 if ((*(uint32_t *) (i + 2) != htonl(session[s].ip)) ||
838 (*(uint32_t *) (i + 6) != 0))
839 {
840 *(uint32_t *) (i + 2) = htonl(session[s].ip);
841 *(uint32_t *) (i + 6) = 0;
842 *p = ConfigNak;
843 LOG(4, s, t,
844 " No, a ConfigNak, client is "
845 "requesting IP - sending %s\n",
846 fmtaddr(htonl(session[s].ip), 0));
847 }
848 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPV6CP)))
849 {
850 LOG(2, s, t, " Failed to send IPV6CP packet.\n");
851 return;
852 }
853 tunnelsend(b, l + (q - b), t); // send it
854 }
855 }
856 }
857
858 // process IP packet received
859 //
860 // This MUST be called with at least 4 byte behind 'p'.
861 // (i.e. this routine writes to p[-4]).
862 void processipin(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
863 {
864 in_addr_t ip;
865
866 CSTAT(processipin);
867
868 LOG_HEX(5, "IP", p, l);
869
870 ip = ntohl(*(uint32_t *)(p + 12));
871
872 if (l > MAXETHER)
873 {
874 LOG(1, s, t, "IP packet too long %d\n", l);
875 STAT(tunnel_rx_errors);
876 return ;
877 }
878
879 // no spoof (do sessionbyip to handled statically routed subnets)
880 if (ip != session[s].ip && sessionbyip(htonl(ip)) != s)
881 {
882 LOG(5, s, t, "Dropping packet with spoofed IP %s\n", fmtaddr(htonl(ip), 0));
883 return;
884 }
885
886 // run access-list if any
887 if (session[s].filter_in && !ip_filter(p, l, session[s].filter_in - 1))
888 return;
889
890 // Add on the tun header
891 p -= 4;
892 *(uint32_t *) p = htonl(PKTIP);
893 l += 4;
894
895 // Are we throttled and a slave?
896 if (session[s].tbf_in && !config->cluster_iam_master) {
897 // Pass it to the master for handling.
898 master_throttle_packet(session[s].tbf_in, p, l);
899 return;
900 }
901
902 // Are we throttled and a master??
903 if (session[s].tbf_in && config->cluster_iam_master) {
904 // Actually handle the throttled packets.
905 tbf_queue_packet(session[s].tbf_in, p, l);
906 return;
907 }
908
909 // send to ethernet
910 if (tun_write(p, l) < 0)
911 {
912 STAT(tun_tx_errors);
913 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
914 l, strerror(errno), tunfd, p);
915
916 return;
917 }
918
919 if (session[s].snoop_ip && session[s].snoop_port)
920 {
921 // Snooping this session
922 snoop_send_packet(p + 4, l - 4, session[s].snoop_ip, session[s].snoop_port);
923 }
924
925 session[s].cin += l - 4;
926 session[s].total_cin += l - 4;
927 sess_local[s].cin += l - 4;
928
929 session[s].pin++;
930 eth_tx += l - 4;
931
932 STAT(tun_tx_packets);
933 INC_STAT(tun_tx_bytes, l - 4);
934 }
935
936 // process IPv6 packet received
937 //
938 // This MUST be called with at least 4 byte behind 'p'.
939 // (i.e. this routine writes to p[-4]).
940 void processipv6in(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
941 {
942 struct in6_addr ip;
943 in_addr_t ipv4;
944
945 CSTAT(processipv6in);
946
947 LOG_HEX(5, "IPv6", p, l);
948
949 ip = *(struct in6_addr *) (p + 8);
950 ipv4 = ntohl(*(uint32_t *)(p + 16));
951
952 if (l > MAXETHER)
953 {
954 LOG(1, s, t, "IP packet too long %d\n", l);
955 STAT(tunnel_rx_errors);
956 return ;
957 }
958
959 // no spoof
960 if (ipv4 != session[s].ip && memcmp(&config->ipv6_prefix, &ip, 8) && sessionbyipv6(ip) != s)
961 {
962 char str[INET6_ADDRSTRLEN];
963 LOG(5, s, t, "Dropping packet with spoofed IP %s\n",
964 inet_ntop(AF_INET6, &ip, str, INET6_ADDRSTRLEN));
965 return;
966 }
967
968 // Check if it's a Router Solicition message.
969 if (*(p + 6) == 58 && *(p + 7) == 255 && *(p + 24) == 0xFF && *(p + 25) == 2 &&
970 *(uint32_t *)(p + 26) == 0 && *(uint32_t *)(p + 30) == 0 &&
971 *(uint32_t *)(p + 34) == 0 &&
972 *(p + 38) == 0 && *(p + 39) == 2 && *(p + 40) == 133) {
973 LOG(3, s, t, "Got IPv6 RS\n");
974 send_ipv6_ra(t, s, &ip);
975 return;
976 }
977
978 // Add on the tun header
979 p -= 4;
980 *(uint32_t *) p = htonl(PKTIPV6);
981 l += 4;
982
983 // Are we throttled and a slave?
984 if (session[s].tbf_in && !config->cluster_iam_master) {
985 // Pass it to the master for handling.
986 master_throttle_packet(session[s].tbf_in, p, l);
987 return;
988 }
989
990 // Are we throttled and a master??
991 if (session[s].tbf_in && config->cluster_iam_master) {
992 // Actually handle the throttled packets.
993 tbf_queue_packet(session[s].tbf_in, p, l);
994 return;
995 }
996
997 // send to ethernet
998 if (tun_write(p, l) < 0)
999 {
1000 STAT(tun_tx_errors);
1001 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
1002 l, strerror(errno), tunfd, p);
1003
1004 return;
1005 }
1006
1007 if (session[s].snoop_ip && session[s].snoop_port)
1008 {
1009 // Snooping this session
1010 snoop_send_packet(p + 4, l - 4, session[s].snoop_ip, session[s].snoop_port);
1011 }
1012
1013 session[s].cin += l - 4;
1014 session[s].total_cin += l - 4;
1015 sess_local[s].cin += l - 4;
1016
1017 session[s].pin++;
1018 eth_tx += l - 4;
1019
1020 STAT(tun_tx_packets);
1021 INC_STAT(tun_tx_bytes, l - 4);
1022 }
1023
1024 //
1025 // Helper routine for the TBF filters.
1026 // Used to send queued data in from the user.
1027 //
1028 void send_ipin(sessionidt s, uint8_t *buf, int len)
1029 {
1030 LOG_HEX(5, "IP in throttled", buf, len);
1031
1032 if (write(tunfd, buf, len) < 0)
1033 {
1034 STAT(tun_tx_errors);
1035 LOG(0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
1036 len, strerror(errno), tunfd, buf);
1037
1038 return;
1039 }
1040
1041 if (session[s].snoop_ip && session[s].snoop_port)
1042 {
1043 // Snooping this session
1044 snoop_send_packet(buf + 4, len - 4, session[s].snoop_ip, session[s].snoop_port);
1045 }
1046
1047 // Increment packet counters
1048 session[s].cin += len - 4;
1049 session[s].total_cin += len - 4;
1050 sess_local[s].cin += len - 4;
1051
1052 session[s].pin++;
1053 eth_tx += len - 4;
1054
1055 STAT(tun_tx_packets);
1056 INC_STAT(tun_tx_bytes, len - 4);
1057 }
1058
1059
1060 // Process CCP messages
1061 void processccp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
1062 {
1063 uint8_t b[MAXCONTROL];
1064 uint8_t *q;
1065
1066 CSTAT(processccp);
1067
1068 LOG_HEX(5, "CCP", p, l);
1069 switch (l > 1 ? *p : 0)
1070 {
1071 case ConfigAck:
1072 session[s].flags |= SF_CCP_ACKED;
1073 return;
1074
1075 case ConfigReq:
1076 if (l < 6) // accept no compression
1077 {
1078 *p = ConfigAck;
1079 break;
1080 }
1081
1082 // compression requested--reject
1083 *p = ConfigRej;
1084
1085 // send CCP request for no compression for our end if not negotiated
1086 if (!(session[s].flags & SF_CCP_ACKED))
1087 initccp(t, s);
1088
1089 break;
1090
1091 case TerminateReq:
1092 *p = TerminateAck;
1093 break;
1094
1095 default:
1096 if (l > 1)
1097 LOG(1, s, t, "Unexpected CCP request code %d\n", *p);
1098 else
1099 LOG(1, s, t, "Short CCP packet\n");
1100
1101 STAT(tunnel_rx_errors);
1102 return;
1103 }
1104
1105 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPCCP)))
1106 return;
1107
1108 tunnelsend(b, l + (q - b), t); // send it
1109 }
1110
1111 // send a CHAP challenge
1112 void sendchap(tunnelidt t, sessionidt s)
1113 {
1114 uint8_t b[MAXCONTROL];
1115 uint16_t r = sess_local[s].radius;
1116 uint8_t *q;
1117
1118 CSTAT(sendchap);
1119
1120 if (!r)
1121 {
1122 LOG(1, s, t, "No RADIUS to send challenge\n");
1123 STAT(tunnel_tx_errors);
1124 return;
1125 }
1126
1127 LOG(1, s, t, "Send CHAP challenge\n");
1128
1129 radius[r].chap = 1; // CHAP not PAP
1130 radius[r].id++;
1131 if (radius[r].state != RADIUSCHAP)
1132 radius[r].try = 0;
1133
1134 radius[r].state = RADIUSCHAP;
1135 radius[r].retry = backoff(radius[r].try++);
1136 if (radius[r].try > 5)
1137 {
1138 sessionshutdown(s, "CHAP timeout.", 3, 0);
1139 STAT(tunnel_tx_errors);
1140 return ;
1141 }
1142 q = makeppp(b, sizeof(b), 0, 0, t, s, PPPCHAP);
1143 if (!q) return;
1144
1145 *q = 1; // challenge
1146 q[1] = radius[r].id; // ID
1147 q[4] = 16; // value size (size of challenge)
1148 memcpy(q + 5, radius[r].auth, 16); // challenge
1149 strcpy(q + 21, hostname); // our name
1150 *(uint16_t *) (q + 2) = htons(strlen(hostname) + 21); // length
1151 tunnelsend(b, strlen(hostname) + 21 + (q - b), t); // send it
1152 }
1153
1154 // fill in a L2TP message with a PPP frame,
1155 // copies existing PPP message and changes magic number if seen
1156 // returns start of PPP frame
1157 uint8_t *makeppp(uint8_t *b, int size, uint8_t *p, int l, tunnelidt t, sessionidt s, uint16_t mtype)
1158 {
1159 if (size < 12) // Need more space than this!!
1160 {
1161 static int backtrace_count = 0;
1162 LOG(0, s, t, "makeppp buffer too small for L2TP header (size=%d)\n", size);
1163 log_backtrace(backtrace_count, 5)
1164 return NULL;
1165 }
1166
1167 *(uint16_t *) (b + 0) = htons(0x0002); // L2TP with no options
1168 *(uint16_t *) (b + 2) = htons(tunnel[t].far); // tunnel
1169 *(uint16_t *) (b + 4) = htons(session[s].far); // session
1170 b += 6;
1171 if (mtype == PPPLCP || !(session[s].l2tp_flags & SESSIONACFC))
1172 {
1173 *(uint16_t *) b = htons(0xFF03); // HDLC header
1174 b += 2;
1175 }
1176 if (mtype < 0x100 && session[s].l2tp_flags & SESSIONPFC)
1177 *b++ = mtype;
1178 else
1179 {
1180 *(uint16_t *) b = htons(mtype);
1181 b += 2;
1182 }
1183
1184 if (l + 12 > size)
1185 {
1186 static int backtrace_count = 0;
1187 LOG(2, s, t, "makeppp would overflow buffer (size=%d, header+payload=%d)\n", size, l + 12);
1188 log_backtrace(backtrace_count, 5)
1189 return NULL;
1190 }
1191
1192 if (p && l)
1193 memcpy(b, p, l);
1194
1195 return b;
1196 }
1197
1198 // Send initial LCP ConfigReq for PAP, set magic no.
1199 void initlcp(tunnelidt t, sessionidt s)
1200 {
1201 char b[500], *q;
1202 int size;
1203
1204 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP)))
1205 return;
1206
1207 LOG(4, s, t, "Sending LCP ConfigReq for PAP\n");
1208 *q = ConfigReq;
1209 *(uint8_t *)(q + 1) = (time_now % 255) + 1; // ID
1210 *(uint16_t *)(q + 2) = htons(14); // Length
1211 *(uint8_t *)(q + 4) = 5;
1212 *(uint8_t *)(q + 5) = 6;
1213 *(uint32_t *)(q + 6) = htonl(session[s].magic);
1214 *(uint8_t *)(q + 10) = 3;
1215 if (config->radius_authprefer == AUTHCHAP)
1216 {
1217 *(uint8_t *)(q + 11) = 5;
1218 *(uint16_t *)(q + 12) = htons(PPPCHAP);
1219 *(uint8_t *)(q + 14) = 5; // MD5
1220 size = 15;
1221 }
1222 else
1223 {
1224 *(uint8_t *)(q + 11) = 4;
1225 *(uint16_t *)(q + 12) = htons(PPPPAP);
1226 size = 14;
1227 }
1228
1229 LOG_HEX(5, "PPPLCP", q, size);
1230 tunnelsend(b, (q - b) + size, t);
1231 }
1232
1233 // Send CCP request for no compression
1234 static void initccp(tunnelidt t, sessionidt s)
1235 {
1236 char b[500], *q;
1237
1238 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPCCP)))
1239 return;
1240
1241 LOG(4, s, t, "Sending CCP ConfigReq for no compression\n");
1242 *q = ConfigReq;
1243 *(uint8_t *)(q + 1) = (time_now % 255) + 1; // ID
1244 *(uint16_t *)(q + 2) = htons(4); // Length
1245
1246 LOG_HEX(5, "PPPCCP", q, 4);
1247 tunnelsend(b, (q - b) + 4 , t);
1248 }