projects / l2tpns.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Update debian changelog
[l2tpns.git] / ppp.c
1 // L2TPNS PPP Stuff
2
3 #include <stdio.h>
4 #include <string.h>
5 #include <unistd.h>
6 #include <errno.h>
7 #include <stdlib.h>
8 #include "l2tpns.h"
9 #include "constants.h"
10 #include "plugin.h"
11 #include "util.h"
12 #include "tbf.h"
13 #include "cluster.h"
14
15 #ifdef LAC
16 #include "l2tplac.h"
17 #endif
18 #include "pppoe.h"
19
20 extern tunnelt *tunnel;
21 extern bundlet *bundle;
22 extern fragmentationt *frag;
23 extern sessiont *session;
24 extern radiust *radius;
25 extern int tunfd;
26 extern char hostname[];
27 extern uint32_t eth_tx;
28 extern time_t time_now;
29 extern uint64_t time_now_ms;
30 extern configt *config;
31
32 static int add_lcp_auth(uint8_t *b, int size, int authtype);
33 static bundleidt new_bundle(void);
34 static int epdiscmp(epdist, epdist);
35 static void setepdis(epdist *, epdist);
36 static void ipcp_open(sessionidt s, tunnelidt t);
37
38 static int first_session_in_bundle(sessionidt s)
39 {
40 bundleidt i;
41 for (i = 1; i < MAXBUNDLE; i++)
42 if (bundle[i].state != BUNDLEFREE)
43 if (epdiscmp(session[s].epdis,bundle[i].epdis) && !strcmp(session[s].user, bundle[i].user))
44 return 0;
45 return 1;
46 }
47
48 // Process PAP messages
49 void processpap(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
50 {
51 char user[MAXUSER];
52 char pass[MAXPASS];
53 uint16_t hl;
54 uint16_t r;
55
56 CSTAT(processpap);
57
58 LOG_HEX(5, "PAP", p, l);
59 if (l < 4)
60 {
61 LOG(1, s, t, "Short PAP %u bytes\n", l);
62 STAT(tunnel_rx_errors);
63 sessionshutdown(s, "Short PAP packet.", CDN_ADMIN_DISC, TERM_USER_ERROR);
64 return;
65 }
66
67 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
68 {
69 LOG(1, s, t, "Length mismatch PAP %u/%u\n", hl, l);
70 STAT(tunnel_rx_errors);
71 sessionshutdown(s, "PAP length mismatch.", CDN_ADMIN_DISC, TERM_USER_ERROR);
72 return;
73 }
74 l = hl;
75
76 if (*p != 1)
77 {
78 LOG(1, s, t, "Unexpected PAP code %d\n", *p);
79 STAT(tunnel_rx_errors);
80 sessionshutdown(s, "Unexpected PAP code.", CDN_ADMIN_DISC, TERM_USER_ERROR);
81 return;
82 }
83
84 if (session[s].ppp.phase != Authenticate)
85 {
86 LOG(2, s, t, "PAP ignored in %s phase\n", ppp_phase(session[s].ppp.phase));
87 return;
88 }
89
90 {
91 uint8_t *b = p;
92 b += 4;
93 user[0] = pass[0] = 0;
94 if (*b && *b < sizeof(user))
95 {
96 memcpy(user, b + 1, *b);
97 user[*b] = 0;
98 b += 1 + *b;
99 if (*b && *b < sizeof(pass))
100 {
101 memcpy(pass, b + 1, *b);
102 pass[*b] = 0;
103 }
104 }
105 LOG(3, s, t, "PAP login %s/%s\n", user, pass);
106 }
107
108 #ifdef LAC
109 if ((!config->disable_lac_func) && lac_conf_forwardtoremotelns(s, user))
110 {
111 // Creating a tunnel/session has been started
112 return;
113 }
114 #endif
115
116 if (session[s].ip || !(r = radiusnew(s)))
117 {
118 // respond now, either no RADIUS available or already authenticated
119 uint8_t b[MAXETHER];
120 uint8_t id = p[1];
121 uint8_t *p = makeppp(b, sizeof(b), 0, 0, s, t, PPPPAP, 0, 0, 0);
122 if (!p) return;
123
124 if (session[s].ip)
125 *p = 2; // ACK
126 else
127 *p = 3; // cant authorise
128 p[1] = id;
129 *(uint16_t *) (p + 2) = htons(5); // length
130 p[4] = 0; // no message
131 tunnelsend(b, 5 + (p - b), t); // send it
132
133 if (session[s].ip)
134 {
135 LOG(3, s, t, "Already an IP allocated: %s (%d)\n",
136 fmtaddr(htonl(session[s].ip), 0), session[s].ip_pool_index);
137 }
138 else
139 {
140 LOG(1, s, t, "No RADIUS session available to authenticate session...\n");
141 sessionshutdown(s, "No free RADIUS sessions.", CDN_UNAVAILABLE, TERM_SERVICE_UNAVAILABLE);
142 }
143 }
144 else
145 {
146 // Run PRE_AUTH plugins
147 struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
148 run_plugins(PLUGIN_PRE_AUTH, &packet);
149 if (!packet.continue_auth)
150 {
151 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
152 if (packet.username) free(packet.username);
153 if (packet.password) free(packet.password);
154 return;
155 }
156
157 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
158 strncpy(radius[r].pass, packet.password, sizeof(radius[r].pass) - 1);
159
160 free(packet.username);
161 free(packet.password);
162
163 radius[r].id = p[1];
164 LOG(3, s, t, "Sending login for %s/%s to RADIUS\n", user, pass);
165 if ((session[s].mrru) && (!first_session_in_bundle(s)))
166 radiussend(r, RADIUSJUSTAUTH);
167 else
168 radiussend(r, RADIUSAUTH);
169 }
170 }
171
172 // Process CHAP messages
173 void processchap(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
174 {
175 uint16_t r;
176 uint16_t hl;
177
178 CSTAT(processchap);
179
180 LOG_HEX(5, "CHAP", p, l);
181
182 if (l < 4)
183 {
184 LOG(1, s, t, "Short CHAP %u bytes\n", l);
185 STAT(tunnel_rx_errors);
186 sessionshutdown(s, "Short CHAP packet.", CDN_ADMIN_DISC, TERM_USER_ERROR);
187 return;
188 }
189
190 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
191 {
192 LOG(1, s, t, "Length mismatch CHAP %u/%u\n", hl, l);
193 STAT(tunnel_rx_errors);
194 sessionshutdown(s, "CHAP length mismatch.", CDN_ADMIN_DISC, TERM_USER_ERROR);
195 return;
196 }
197 l = hl;
198
199 if (*p != 2)
200 {
201 LOG(1, s, t, "Unexpected CHAP response code %d\n", *p);
202 STAT(tunnel_rx_errors);
203 sessionshutdown(s, "CHAP length mismatch.", CDN_ADMIN_DISC, TERM_USER_ERROR);
204 return;
205 }
206
207 if (session[s].ppp.phase != Authenticate)
208 {
209 LOG(2, s, t, "CHAP ignored in %s phase\n", ppp_phase(session[s].ppp.phase));
210 return;
211 }
212
213 r = sess_local[s].radius;
214 if (!r)
215 {
216 LOG(3, s, t, "Unexpected CHAP message\n");
217
218 // Some modems (Netgear DM602, possibly others) persist in using CHAP even
219 // after ACKing our ConfigReq for PAP.
220 if (sess_local[s].lcp_authtype == AUTHPAP && config->radius_authtypes & AUTHCHAP)
221 {
222 sess_local[s].lcp_authtype = AUTHCHAP;
223 sendchap(s, t);
224 }
225 return;
226 }
227
228 if (p[1] != radius[r].id)
229 {
230 LOG(1, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
231 STAT(tunnel_rx_errors);
232 sessionshutdown(s, "Unexpected CHAP response ID.", CDN_ADMIN_DISC, TERM_USER_ERROR);
233 return;
234 }
235
236 if (l < 5 || p[4] != 16)
237 {
238 LOG(1, s, t, "Bad CHAP response length %d\n", l < 5 ? -1 : p[4]);
239 STAT(tunnel_rx_errors);
240 sessionshutdown(s, "Bad CHAP response length.", CDN_ADMIN_DISC, TERM_USER_ERROR);
241 return;
242 }
243
244 l -= 5;
245 p += 5;
246 if (l < 16 || l - 16 >= sizeof(session[s].user))
247 {
248 LOG(1, s, t, "CHAP user too long %d\n", l - 16);
249 STAT(tunnel_rx_errors);
250 sessionshutdown(s, "CHAP username too long.", CDN_ADMIN_DISC, TERM_USER_ERROR);
251 return;
252 }
253
254 // Run PRE_AUTH plugins
255 {
256 struct param_pre_auth packet = { &tunnel[t], &session[s], NULL, NULL, PPPCHAP, 1 };
257
258 packet.password = calloc(17, 1);
259 memcpy(packet.password, p, 16);
260
261 p += 16;
262 l -= 16;
263
264 packet.username = calloc(l + 1, 1);
265 memcpy(packet.username, p, l);
266
267 #ifdef LAC
268 if ((!config->disable_lac_func) && lac_conf_forwardtoremotelns(s, packet.username))
269 {
270 free(packet.username);
271 free(packet.password);
272 // Creating a tunnel/session has been started
273 return;
274 }
275 #endif
276
277 run_plugins(PLUGIN_PRE_AUTH, &packet);
278 if (!packet.continue_auth)
279 {
280 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
281 if (packet.username) free(packet.username);
282 if (packet.password) free(packet.password);
283 return;
284 }
285
286 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
287 memcpy(radius[r].pass, packet.password, 16);
288
289 free(packet.username);
290 free(packet.password);
291 }
292
293 radius[r].chap = 1;
294 LOG(3, s, t, "CHAP login %s\n", session[s].user);
295 if ((session[s].mrru) && (!first_session_in_bundle(s)))
296 radiussend(r, RADIUSJUSTAUTH);
297 else
298 radiussend(r, RADIUSAUTH);
299 }
300
301 static void dumplcp(uint8_t *p, int l)
302 {
303 int x = l - 4;
304 uint8_t *o = (p + 4);
305
306 LOG_HEX(5, "PPP LCP Packet", p, l);
307 LOG(4, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_code((int)*p), ntohs( ((uint16_t *) p)[1]) );
308 LOG(4, 0, 0, "Length: %d\n", l);
309 if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
310 return;
311
312 while (x > 2)
313 {
314 int type = o[0];
315 int length = o[1];
316 if (length < 2)
317 {
318 LOG(4, 0, 0, " Option length is %d...\n", length);
319 break;
320 }
321 if (type == 0)
322 {
323 LOG(4, 0, 0, " Option type is 0...\n");
324 x -= length;
325 o += length;
326 continue;
327 }
328 switch (type)
329 {
330 case 1: // Maximum-Receive-Unit
331 if (length == 4)
332 LOG(4, 0, 0, " %s %d\n", ppp_lcp_option(type), ntohs(*(uint16_t *)(o + 2)));
333 else
334 LOG(4, 0, 0, " %s odd length %d\n", ppp_lcp_option(type), length);
335 break;
336 case 2: // Async-Control-Character-Map
337 if (length == 6)
338 {
339 uint32_t asyncmap = ntohl(*(uint32_t *)(o + 2));
340 LOG(4, 0, 0, " %s %x\n", ppp_lcp_option(type), asyncmap);
341 }
342 else
343 LOG(4, 0, 0, " %s odd length %d\n", ppp_lcp_option(type), length);
344 break;
345 case 3: // Authentication-Protocol
346 if (length == 4)
347 {
348 int proto = ntohs(*(uint16_t *)(o + 2));
349 LOG(4, 0, 0, " %s 0x%x (%s)\n", ppp_lcp_option(type), proto,
350 proto == PPPPAP ? "PAP" : "UNSUPPORTED");
351 }
352 else if (length == 5)
353 {
354 int proto = ntohs(*(uint16_t *)(o + 2));
355 int algo = *(o + 4);
356 LOG(4, 0, 0, " %s 0x%x 0x%x (%s)\n", ppp_lcp_option(type), proto, algo,
357 (proto == PPPCHAP && algo == 5) ? "CHAP MD5" : "UNSUPPORTED");
358 }
359 else
360 LOG(4, 0, 0, " %s odd length %d\n", ppp_lcp_option(type), length);
361 break;
362 case 4: // Quality-Protocol
363 {
364 uint32_t qp = ntohl(*(uint32_t *)(o + 2));
365 LOG(4, 0, 0, " %s %x\n", ppp_lcp_option(type), qp);
366 }
367 break;
368 case 5: // Magic-Number
369 if (length == 6)
370 {
371 uint32_t magicno = ntohl(*(uint32_t *)(o + 2));
372 LOG(4, 0, 0, " %s %x\n", ppp_lcp_option(type), magicno);
373 }
374 else
375 LOG(4, 0, 0, " %s odd length %d\n", ppp_lcp_option(type), length);
376 break;
377 case 7: // Protocol-Field-Compression
378 case 8: // Address-And-Control-Field-Compression
379 LOG(4, 0, 0, " %s\n", ppp_lcp_option(type));
380 break;
381 default:
382 LOG(2, 0, 0, " Unknown PPP LCP Option type %d\n", type);
383 break;
384 }
385 x -= length;
386 o += length;
387 }
388 }
389
390 void lcp_open(sessionidt s, tunnelidt t)
391 {
392 // transition to Authentication or Network phase:
393 session[s].ppp.phase = sess_local[s].lcp_authtype ? Authenticate : Network;
394
395 LOG(3, s, t, "LCP: Opened, phase %s\n", ppp_phase(session[s].ppp.phase));
396
397 // LCP now Opened
398 change_state(s, lcp, Opened);
399
400 if (session[s].ppp.phase == Authenticate)
401 {
402 if (sess_local[s].lcp_authtype == AUTHCHAP)
403 sendchap(s, t);
404 }
405 else
406 {
407 if(session[s].bundle == 0 || bundle[session[s].bundle].num_of_links == 1)
408 {
409 // This-Layer-Up
410 sendipcp(s, t);
411 change_state(s, ipcp, RequestSent);
412 // move to passive state for IPv6 (if configured), CCP
413 if (config->ipv6_prefix.s6_addr[0])
414 change_state(s, ipv6cp, Stopped);
415 else
416 change_state(s, ipv6cp, Closed);
417
418 change_state(s, ccp, Stopped);
419 }
420 else
421 {
422 sessionidt first_ses = bundle[session[s].bundle].members[0];
423 LOG(3, s, t, "MPPP: Skipping IPCP negotiation for session:%d, first session of bundle is:%d\n",s,first_ses);
424 ipcp_open(s, t);
425 }
426 }
427 }
428
429 void lcp_restart(sessionidt s)
430 {
431 session[s].ppp.phase = Establish;
432 // This-Layer-Down
433 change_state(s, ipcp, Dead);
434 change_state(s, ipv6cp, Dead);
435 change_state(s, ccp, Dead);
436 }
437
438 static uint8_t *ppp_conf_rej(sessionidt s, uint8_t *buf, size_t blen, uint16_t mtype,
439 uint8_t **response, uint8_t *queued, uint8_t *packet, uint8_t *option)
440 {
441 if (!*response || **response != ConfigRej)
442 {
443 queued = *response = makeppp(buf, blen, packet, 2, s, session[s].tunnel, mtype, 0, 0, 0);
444 if (!queued)
445 return 0;
446
447 *queued = ConfigRej;
448 queued += 4;
449 }
450
451 if ((queued - buf + option[1]) > blen)
452 {
453 LOG(2, s, session[s].tunnel, "PPP overflow for ConfigRej (proto %u, option %u).\n", mtype, *option);
454 return 0;
455 }
456
457 memcpy(queued, option, option[1]);
458 return queued + option[1];
459 }
460
461 static uint8_t *ppp_conf_nak(sessionidt s, uint8_t *buf, size_t blen, uint16_t mtype,
462 uint8_t **response, uint8_t *queued, uint8_t *packet, uint8_t *option,
463 uint8_t *value, size_t vlen)
464 {
465 int *nak_sent;
466 switch (mtype)
467 {
468 case PPPLCP: nak_sent = &sess_local[s].lcp.nak_sent; break;
469 case PPPIPCP: nak_sent = &sess_local[s].ipcp.nak_sent; break;
470 case PPPIPV6CP: nak_sent = &sess_local[s].ipv6cp.nak_sent; break;
471 default: return 0; // ?
472 }
473
474 if (*response && **response != ConfigNak)
475 {
476 if (*nak_sent < config->ppp_max_failure) // reject queued
477 return queued;
478
479 return ppp_conf_rej(s, buf, blen, mtype, response, 0, packet, option);
480 }
481
482 if (!*response)
483 {
484 if (*nak_sent >= config->ppp_max_failure)
485 return ppp_conf_rej(s, buf, blen, mtype, response, 0, packet, option);
486
487 queued = *response = makeppp(buf, blen, packet, 2, s, session[s].tunnel, mtype, 0, 0, 0);
488 if (!queued)
489 return 0;
490
491 (*nak_sent)++;
492 *queued = ConfigNak;
493 queued += 4;
494 }
495
496 if ((queued - buf + vlen + 2) > blen)
497 {
498 LOG(2, s, session[s].tunnel, "PPP overflow for ConfigNak (proto %u, option %u).\n", mtype, *option);
499 return 0;
500 }
501
502 *queued++ = *option;
503 *queued++ = vlen + 2;
504 memcpy(queued, value, vlen);
505 return queued + vlen;
506 }
507
508 static void ppp_code_rej(sessionidt s, tunnelidt t, uint16_t proto,
509 char *pname, uint8_t *p, uint16_t l, uint8_t *buf, size_t size)
510 {
511 uint8_t *q;
512 int mru = session[s].mru;
513 if (mru < MINMTU) mru = MINMTU;
514 if (mru > size) mru = size;
515
516 l += 4;
517 if (l > mru) l = mru;
518
519 q = makeppp(buf, size, 0, 0, s, t, proto, 0, 0, 0);
520 if (!q) return;
521
522 *q = CodeRej;
523 *(q + 1) = ++sess_local[s].lcp_ident;
524 *(uint16_t *)(q + 2) = htons(l);
525 memcpy(q + 4, p, l - 4);
526
527 LOG(2, s, t, "Unexpected %s code %s\n", pname, ppp_code(*p));
528 LOG(3, s, t, "%s: send %s\n", pname, ppp_code(*q));
529 if (config->debug > 3) dumplcp(q, l);
530
531 tunnelsend(buf, l + (q - buf), t);
532 }
533
534 // Process LCP messages
535 void processlcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
536 {
537 uint8_t b[MAXETHER];
538 uint8_t *q = NULL;
539 uint16_t hl;
540
541 CSTAT(processlcp);
542
543 LOG_HEX(5, "LCP", p, l);
544 if (l < 4)
545 {
546 LOG(1, s, t, "Short LCP %d bytes\n", l);
547 STAT(tunnel_rx_errors);
548 return ;
549 }
550
551 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
552 {
553 LOG(1, s, t, "Length mismatch LCP %u/%u\n", hl, l);
554 STAT(tunnel_rx_errors);
555 return ;
556 }
557 l = hl;
558
559 if (session[s].die) // going down...
560 return;
561
562 LOG(((*p == EchoReq || *p == EchoReply) ? 4 : 3), s, t,
563 "LCP: recv %s\n", ppp_code(*p));
564
565 if (config->debug > 3) dumplcp(p, l);
566
567 if (*p == ConfigAck)
568 {
569 int x = l - 4;
570 uint8_t *o = (p + 4);
571 int authtype = 0;
572
573 while (x > 2)
574 {
575 int type = o[0];
576 int length = o[1];
577
578 if (length == 0 || type == 0 || x < length) break;
579 switch (type)
580 {
581 case 3: // Authentication-Protocol
582 {
583 int proto = ntohs(*(uint16_t *)(o + 2));
584 if (proto == PPPPAP)
585 authtype = AUTHPAP;
586 else if (proto == PPPCHAP && *(o + 4) == 5)
587 authtype = AUTHCHAP;
588 }
589
590 break;
591 }
592 x -= length;
593 o += length;
594 }
595
596 if (!session[s].ip && authtype)
597 sess_local[s].lcp_authtype = authtype;
598
599 switch (session[s].ppp.lcp)
600 {
601 case RequestSent:
602 initialise_restart_count(s, lcp);
603 change_state(s, lcp, AckReceived);
604 break;
605
606 case AckReceived:
607 case Opened:
608 LOG(2, s, t, "LCP: ConfigAck in state %s? Sending ConfigReq\n", ppp_state(session[s].ppp.lcp));
609 if (session[s].ppp.lcp == Opened)
610 lcp_restart(s);
611
612 sendlcp(s, t);
613 change_state(s, lcp, RequestSent);
614 break;
615
616 case AckSent:
617 lcp_open(s, t);
618 break;
619
620 default:
621 LOG(2, s, t, "LCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.lcp));
622 }
623 }
624 else if (*p == ConfigReq)
625 {
626 int x = l - 4;
627 uint8_t *o = (p + 4);
628 uint8_t *response = 0;
629 static uint8_t asyncmap[4] = { 0, 0, 0, 0 }; // all zero
630 static uint8_t authproto[5];
631 int changed = 0;
632
633 while (x > 2)
634 {
635 int type = o[0];
636 int length = o[1];
637
638 if (length == 0 || type == 0 || x < length) break;
639 switch (type)
640 {
641 case 1: // Maximum-Receive-Unit
642 {
643 uint16_t mru = ntohs(*(uint16_t *)(o + 2));
644 if (mru >= MINMTU)
645 {
646 session[s].mru = mru;
647 changed++;
648 break;
649 }
650
651 LOG(3, s, t, " Remote requesting MRU of %u. Rejecting.\n", mru);
652 mru = htons(MRU);
653 q = ppp_conf_nak(s, b, sizeof(b), PPPLCP, &response, q, p, o, (uint8_t *) &mru, sizeof(mru));
654 }
655 break;
656
657 case 2: // Async-Control-Character-Map
658 if (!ntohl(*(uint32_t *)(o + 2))) // all bits zero is OK
659 break;
660
661 LOG(3, s, t, " Remote requesting asyncmap. Rejecting.\n");
662 q = ppp_conf_nak(s, b, sizeof(b), PPPLCP, &response, q, p, o, asyncmap, sizeof(asyncmap));
663 break;
664
665 case 3: // Authentication-Protocol
666 {
667 int proto = ntohs(*(uint16_t *)(o + 2));
668 char proto_name[] = "0x0000";
669 int alen;
670
671 if (proto == PPPPAP)
672 {
673 if (config->radius_authtypes & AUTHPAP)
674 {
675 sess_local[s].lcp_authtype = AUTHPAP;
676 break;
677 }
678
679 strcpy(proto_name, "PAP");
680 }
681 else if (proto == PPPCHAP)
682 {
683 if (config->radius_authtypes & AUTHCHAP
684 && *(o + 4) == 5) // MD5
685 {
686 sess_local[s].lcp_authtype = AUTHCHAP;
687 break;
688 }
689
690 strcpy(proto_name, "CHAP");
691 }
692 else
693 sprintf(proto_name, "%#4.4x", proto);
694
695 LOG(3, s, t, " Remote requesting %s authentication. Rejecting.\n", proto_name);
696
697 alen = add_lcp_auth(authproto, sizeof(authproto), config->radius_authprefer);
698 if (alen < 2) break; // paranoia
699
700 q = ppp_conf_nak(s, b, sizeof(b), PPPLCP, &response, q, p, o, authproto + 2, alen - 2);
701 if (q && *response == ConfigNak &&
702 config->radius_authtypes != config->radius_authprefer)
703 {
704 // alternate type
705 alen = add_lcp_auth(authproto, sizeof(authproto), config->radius_authtypes & ~config->radius_authprefer);
706 if (alen < 2) break;
707 q = ppp_conf_nak(s, b, sizeof(b), PPPLCP, &response, q, p, o, authproto + 2, alen - 2);
708 }
709
710 break;
711 }
712 break;
713
714 case 4: // Quality-Protocol
715 case 5: // Magic-Number
716 case 7: // Protocol-Field-Compression
717 case 8: // Address-And-Control-Field-Compression
718 break;
719
720 case 17: // Multilink Max-Receive-Reconstructed-Unit
721 {
722 uint16_t mrru = ntohs(*(uint16_t *)(o + 2));
723 session[s].mrru = mrru;
724 changed++;
725 LOG(3, s, t, " Received PPP LCP option MRRU: %d\n",mrru);
726 }
727 break;
728
729 case 18: // Multilink Short Sequence Number Header Format
730 {
731 session[s].mssf = 1;
732 changed++;
733 LOG(3, s, t, " Received PPP LCP option MSSN format\n");
734 }
735 break;
736
737 case 19: // Multilink Endpoint Discriminator
738 {
739 uint8_t epdis_class = o[2];
740 int addr;
741
742 session[s].epdis.addr_class = epdis_class;
743 session[s].epdis.length = length - 3;
744 if (session[s].epdis.length > 20)
745 {
746 LOG(1, s, t, "Error: received EndDis Address Length more than 20: %d\n", session[s].epdis.length);
747 session[s].epdis.length = 20;
748 }
749
750 for (addr = 0; addr < session[s].epdis.length; addr++)
751 session[s].epdis.address[addr] = o[3+addr];
752
753 changed++;
754
755 switch (epdis_class)
756 {
757 case LOCALADDR:
758 LOG(3, s, t, " Received PPP LCP option Multilink EndDis Local Address Class: %d\n",epdis_class);
759 break;
760 case IPADDR:
761 LOG(3, s, t, " Received PPP LCP option Multilink EndDis IP Address Class: %d\n",epdis_class);
762 break;
763 case IEEEMACADDR:
764 LOG(3, s, t, " Received PPP LCP option Multilink EndDis IEEE MAC Address Class: %d\n",epdis_class);
765 break;
766 case PPPMAGIC:
767 LOG(3, s, t, " Received PPP LCP option Multilink EndDis PPP Magic No Class: %d\n",epdis_class);
768 break;
769 case PSNDN:
770 LOG(3, s, t, " Received PPP LCP option Multilink EndDis PSND No Class: %d\n",epdis_class);
771 break;
772 default:
773 LOG(3, s, t, " Received PPP LCP option Multilink EndDis NULL Class %d\n",epdis_class);
774 }
775 }
776 break;
777
778 default: // Reject any unknown options
779 LOG(3, s, t, " Rejecting unknown PPP LCP option %d\n", type);
780 q = ppp_conf_rej(s, b, sizeof(b), PPPLCP, &response, q, p, o);
781 }
782 x -= length;
783 o += length;
784 }
785
786 if (changed)
787 cluster_send_session(s);
788
789 if (response)
790 {
791 l = q - response; // LCP packet length
792 *((uint16_t *) (response + 2)) = htons(l); // update header
793 }
794 else
795 {
796 // Send packet back as ConfigAck
797 response = makeppp(b, sizeof(b), p, l, s, t, PPPLCP, 0, 0, 0);
798 if (!response) return;
799 *response = ConfigAck;
800 }
801
802 switch (session[s].ppp.lcp)
803 {
804 case Closed:
805 response = makeppp(b, sizeof(b), p, 2, s, t, PPPLCP, 0, 0, 0);
806 if (!response) return;
807 *response = TerminateAck;
808 *((uint16_t *) (response + 2)) = htons(l = 4);
809 break;
810
811 case Stopped:
812 initialise_restart_count(s, lcp);
813 sendlcp(s, t);
814 if (*response == ConfigAck)
815 change_state(s, lcp, AckSent);
816 else
817 change_state(s, lcp, RequestSent);
818
819 break;
820
821 case RequestSent:
822 if (*response == ConfigAck)
823 change_state(s, lcp, AckSent);
824
825 break;
826
827 case AckReceived:
828 if (*response == ConfigAck)
829 lcp_open(s, t);
830
831 break;
832
833 case Opened:
834 lcp_restart(s);
835 sendlcp(s, t);
836 /* fallthrough */
837
838 case AckSent:
839 if (*response == ConfigAck)
840 change_state(s, lcp, AckSent);
841 else
842 change_state(s, lcp, RequestSent);
843
844 break;
845
846 case Closing:
847 sessionshutdown(s, "LCP: ConfigReq in state Closing. This should not happen. Killing session.", CDN_ADMIN_DISC, TERM_LOST_SERVICE);
848 break;
849
850 default:
851 LOG(2, s, t, "LCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.lcp));
852 return;
853 }
854
855 LOG(3, s, t, "LCP: send %s\n", ppp_code(*response));
856 if (config->debug > 3) dumplcp(response, l);
857
858 tunnelsend(b, l + (response - b), t);
859 }
860 else if (*p == ConfigNak || *p == ConfigRej)
861 {
862 int x = l - 4;
863 uint8_t *o = (p + 4);
864 int authtype = -1;
865
866 while (x > 2)
867 {
868 int type = o[0];
869 int length = o[1];
870
871 if (length == 0 || type == 0 || x < length) break;
872 switch (type)
873 {
874 case 1: // Maximum-Receive-Unit
875 if (*p == ConfigNak)
876 {
877 if (length < 4) break;
878 sess_local[s].ppp_mru = ntohs(*(uint16_t *)(o + 2));
879 LOG(3, s, t, " Remote requested MRU of %u\n", sess_local[s].ppp_mru);
880 }
881 else
882 {
883 sess_local[s].ppp_mru = 0;
884 LOG(3, s, t, " Remote rejected MRU negotiation\n");
885 }
886
887 break;
888
889 case 3: // Authentication-Protocol
890 if (authtype > 0)
891 break;
892
893 if (*p == ConfigNak)
894 {
895 int proto;
896
897 if (length < 4) break;
898 proto = ntohs(*(uint16_t *)(o + 2));
899
900 if (proto == PPPPAP)
901 {
902 authtype = config->radius_authtypes & AUTHPAP;
903 LOG(3, s, t, " Remote requested PAP authentication...%sing\n",
904 authtype ? "accept" : "reject");
905 }
906 else if (proto == PPPCHAP && length > 4 && *(o + 4) == 5)
907 {
908 authtype = config->radius_authtypes & AUTHCHAP;
909 LOG(3, s, t, " Remote requested CHAP authentication...%sing\n",
910 authtype ? "accept" : "reject");
911 }
912 else
913 {
914 LOG(3, s, t, " Rejecting unsupported authentication %#4x\n",
915 proto);
916 }
917 }
918 else
919 {
920 LOG(2, s, t, "LCP: remote rejected auth negotiation\n");
921 authtype = 0; // shutdown
922 }
923
924 break;
925
926 case 5: // Magic-Number
927 session[s].magic = 0;
928 if (*p == ConfigNak)
929 {
930 if (length < 6) break;
931 session[s].magic = ntohl(*(uint32_t *)(o + 2));
932 }
933
934 if (session[s].magic)
935 LOG(3, s, t, " Remote requested magic-no %x\n", session[s].magic);
936 else
937 LOG(3, s, t, " Remote rejected magic-no\n");
938
939 cluster_send_session(s);
940 break;
941
942 case 17: // Multilink Max-Receive-Reconstructed-Unit
943 {
944 if (*p == ConfigNak)
945 {
946 sess_local[s].mp_mrru = ntohs(*(uint16_t *)(o + 2));
947 LOG(3, s, t, " Remote requested MRRU of %u\n", sess_local[s].mp_mrru);
948 }
949 else
950 {
951 sess_local[s].mp_mrru = 0;
952 LOG(3, s, t, " Remote rejected MRRU negotiation\n");
953 }
954 }
955 break;
956
957 case 18: // Multilink Short Sequence Number Header Format
958 {
959 if (*p == ConfigNak)
960 {
961 sess_local[s].mp_mssf = 0;
962 LOG(3, s, t, " Remote requested Naked mssf\n");
963 }
964 else
965 {
966 sess_local[s].mp_mssf = 0;
967 LOG(3, s, t, " Remote rejected mssf\n");
968 }
969 }
970 break;
971
972 case 19: // Multilink Endpoint Discriminator
973 {
974 if (*p == ConfigNak)
975 {
976 LOG(2, s, t, " Remote should not configNak Endpoint Dis!\n");
977 }
978 else
979 {
980 sess_local[s].mp_epdis = 0;
981 LOG(3, s, t, " Remote rejected Endpoint Discriminator\n");
982 }
983 }
984 break;
985
986 default:
987 LOG(2, s, t, "LCP: remote sent %s for type %u?\n", ppp_code(*p), type);
988 sessionshutdown(s, "Unable to negotiate LCP.", CDN_ADMIN_DISC, TERM_USER_ERROR);
989 return;
990 }
991 x -= length;
992 o += length;
993 }
994
995 if (!authtype)
996 {
997 sessionshutdown(s, "Unsupported authentication.", CDN_ADMIN_DISC, TERM_USER_ERROR);
998 return;
999 }
1000
1001 if (authtype > 0)
1002 sess_local[s].lcp_authtype = authtype;
1003
1004 switch (session[s].ppp.lcp)
1005 {
1006 case Closed:
1007 case Stopped:
1008 {
1009 uint8_t *response = makeppp(b, sizeof(b), p, 2, s, t, PPPLCP, 0, 0, 0);
1010 if (!response) return;
1011 *response = TerminateAck;
1012 *((uint16_t *) (response + 2)) = htons(l = 4);
1013
1014 LOG(3, s, t, "LCP: send %s\n", ppp_code(*response));
1015 if (config->debug > 3) dumplcp(response, l);
1016
1017 tunnelsend(b, l + (response - b), t);
1018 }
1019 break;
1020
1021 case RequestSent:
1022 case AckSent:
1023 initialise_restart_count(s, lcp);
1024 sendlcp(s, t);
1025 break;
1026
1027 case AckReceived:
1028 LOG(2, s, t, "LCP: ConfigNak in state %s? Sending ConfigReq\n", ppp_state(session[s].ppp.lcp));
1029 sendlcp(s, t);
1030 break;
1031
1032 case Opened:
1033 lcp_restart(s);
1034 sendlcp(s, t);
1035 break;
1036
1037 default:
1038 LOG(2, s, t, "LCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.lcp));
1039 return;
1040 }
1041 }
1042 else if (*p == TerminateReq)
1043 {
1044 switch (session[s].ppp.lcp)
1045 {
1046 case Closed:
1047 case Stopped:
1048 case Closing:
1049 case Stopping:
1050 case RequestSent:
1051 case AckReceived:
1052 case AckSent:
1053 break;
1054
1055 case Opened:
1056 lcp_restart(s);
1057 zero_restart_count(s, lcp);
1058 change_state(s, lcp, Closing);
1059 break;
1060
1061 default:
1062 LOG(2, s, t, "LCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.lcp));
1063 return;
1064 }
1065
1066 *p = TerminateAck; // send ack
1067 q = makeppp(b, sizeof(b), p, l, s, t, PPPLCP, 0, 0, 0);
1068 if (!q) return;
1069
1070 LOG(3, s, t, "LCP: send %s\n", ppp_code(*q));
1071 if (config->debug > 3) dumplcp(q, l);
1072
1073 tunnelsend(b, l + (q - b), t); // send it
1074 }
1075 else if (*p == ProtocolRej)
1076 {
1077 uint16_t proto = 0;
1078
1079 if (l > 4)
1080 {
1081 proto = *(p+4);
1082 if (l > 5 && !(proto & 1))
1083 {
1084 proto <<= 8;
1085 proto |= *(p+5);
1086 }
1087 }
1088
1089 if (proto == PPPIPV6CP)
1090 {
1091 LOG(3, s, t, "IPv6 rejected\n");
1092 change_state(s, ipv6cp, Closed);
1093 }
1094 else
1095 {
1096 LOG(3, s, t, "LCP protocol reject: 0x%04X\n", proto);
1097 }
1098 }
1099 else if (*p == EchoReq)
1100 {
1101 *p = EchoReply; // reply
1102 *(uint32_t *) (p + 4) = htonl(session[s].magic); // our magic number
1103 q = makeppp(b, sizeof(b), p, l, s, t, PPPLCP, 0, 0, 0);
1104 if (!q) return;
1105
1106 LOG(4, s, t, "LCP: send %s\n", ppp_code(*q));
1107 if (config->debug > 3) dumplcp(q, l);
1108
1109 tunnelsend(b, l + (q - b), t); // send it
1110 }
1111 else if (*p == EchoReply)
1112 {
1113 // Ignore it, last_packet time is set earlier than this.
1114 }
1115 else if (*p != CodeRej)
1116 {
1117 ppp_code_rej(s, t, PPPLCP, "LCP", p, l, b, sizeof(b));
1118 }
1119 }
1120
1121 int join_bundle(sessionidt s)
1122 {
1123 // Search for a bundle to join
1124 bundleidt i;
1125 bundleidt b;
1126 for (i = 1; i < MAXBUNDLE; i++)
1127 {
1128 if (bundle[i].state != BUNDLEFREE)
1129 {
1130 if (epdiscmp(session[s].epdis,bundle[i].epdis) && !strcmp(session[s].user, bundle[i].user))
1131 {
1132 sessionidt first_ses = bundle[i].members[0];
1133 if (bundle[i].mssf != session[s].mssf)
1134 {
1135 // uniformity of sequence number format must be insured
1136 LOG(3, s, session[s].tunnel, "MPPP: unable to bundle session %d in bundle %d cause of different mssf\n", s, i);
1137 return -1;
1138 }
1139 session[s].bundle = i;
1140 session[s].ip = session[first_ses].ip;
1141 session[s].dns1 = session[first_ses].dns1;
1142 session[s].dns2 = session[first_ses].dns2;
1143 session[s].timeout = session[first_ses].timeout;
1144
1145 if(session[s].epdis.length > 0)
1146 setepdis(&bundle[i].epdis, session[s].epdis);
1147
1148 strcpy(bundle[i].user, session[s].user);
1149 bundle[i].members[bundle[i].num_of_links] = s;
1150 bundle[i].num_of_links++;
1151 LOG(3, s, session[s].tunnel, "MPPP: Bundling additional line in bundle (%d), lines:%d\n",i,bundle[i].num_of_links);
1152 return i;
1153 }
1154 }
1155 }
1156
1157 // No previously created bundle was found for this session, so create a new one
1158 if (!(b = new_bundle())) return 0;
1159
1160 session[s].bundle = b;
1161 bundle[b].mrru = session[s].mrru;
1162 bundle[b].mssf = session[s].mssf;
1163 // FIXME !!! to enable l2tpns reading mssf frames receiver_max_seq, sender_max_seq must be introduce
1164 // now session[s].mssf flag indecates that the receiver wish to receive frames in mssf, so max_seq (i.e. recv_max_seq) = 1<<24
1165 /*
1166 if (bundle[b].mssf)
1167 bundle[b].max_seq = 1 << 12;
1168 else */
1169 bundle[b].max_seq = 1 << 24;
1170 if(session[s].epdis.length > 0)
1171 setepdis(&bundle[b].epdis, session[s].epdis);
1172
1173 strcpy(bundle[b].user, session[s].user);
1174 bundle[b].members[0] = s;
1175 bundle[b].timeout = session[s].timeout;
1176 LOG(3, s, session[s].tunnel, "MPPP: Created a new bundle (%d)\n", b);
1177 return b;
1178 }
1179
1180 static int epdiscmp(epdist ep1, epdist ep2)
1181 {
1182 int ad;
1183 if (ep1.length != ep2.length)
1184 return 0;
1185
1186 if (ep1.addr_class != ep2.addr_class)
1187 return 0;
1188
1189 for (ad = 0; ad < ep1.length; ad++)
1190 if (ep1.address[ad] != ep2.address[ad])
1191 return 0;
1192
1193 return 1;
1194 }
1195
1196 static void setepdis(epdist *ep1, epdist ep2)
1197 {
1198 int ad;
1199 ep1->length = ep2.length;
1200 ep1->addr_class = ep2.addr_class;
1201 for (ad = 0; ad < ep2.length; ad++)
1202 ep1->address[ad] = ep2.address[ad];
1203 }
1204
1205 static bundleidt new_bundle()
1206 {
1207 bundleidt i;
1208 for (i = 1; i < MAXBUNDLE; i++)
1209 {
1210 if (bundle[i].state == BUNDLEFREE)
1211 {
1212 LOG(4, 0, 0, "MPPP: Assigning bundle ID %d\n", i);
1213 bundle[i].num_of_links = 1;
1214 bundle[i].last_check = time_now; // Initialize last_check value
1215 bundle[i].state = BUNDLEOPEN;
1216 bundle[i].current_ses = -1; // This is to enforce the first session 0 to be used at first
1217 memset(&frag[i], 0, sizeof(fragmentationt));
1218 if (i > config->cluster_highest_bundleid)
1219 config->cluster_highest_bundleid = i;
1220 return i;
1221 }
1222 }
1223 LOG(0, 0, 0, "MPPP: Can't find a free bundle! There shouldn't be this many in use!\n");
1224 return 0;
1225 }
1226
1227 static void ipcp_open(sessionidt s, tunnelidt t)
1228 {
1229 LOG(3, s, t, "IPCP: Opened, session is now active\n");
1230
1231 change_state(s, ipcp, Opened);
1232
1233 if (!(session[s].walled_garden || session[s].flags & SESSION_STARTED))
1234 {
1235 uint16_t r = radiusnew(s);
1236 if (r)
1237 {
1238 radiussend(r, RADIUSSTART); // send radius start
1239
1240 // don't send further Start records if IPCP is restarted
1241 session[s].flags |= SESSION_STARTED;
1242 cluster_send_session(s);
1243 }
1244 }
1245
1246 // start IPv6 if configured and still in passive state
1247 if (session[s].ppp.ipv6cp == Stopped)
1248 {
1249 sendipv6cp(s, t);
1250 change_state(s, ipv6cp, RequestSent);
1251 }
1252 }
1253
1254 // Process IPCP messages
1255 void processipcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
1256 {
1257 uint8_t b[MAXETHER];
1258 uint8_t *q = 0;
1259 uint16_t hl;
1260
1261 CSTAT(processipcp);
1262
1263 LOG_HEX(5, "IPCP", p, l);
1264 if (l < 4)
1265 {
1266 LOG(1, s, t, "Short IPCP %d bytes\n", l);
1267 STAT(tunnel_rx_errors);
1268 return ;
1269 }
1270
1271 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
1272 {
1273 LOG(1, s, t, "Length mismatch IPCP %u/%u\n", hl, l);
1274 STAT(tunnel_rx_errors);
1275 return ;
1276 }
1277 l = hl;
1278
1279 if (session[s].ppp.phase < Network)
1280 {
1281 LOG(2, s, t, "IPCP %s ignored in %s phase\n", ppp_code(*p), ppp_phase(session[s].ppp.phase));
1282 return;
1283 }
1284
1285 LOG(3, s, t, "IPCP: recv %s\n", ppp_code(*p));
1286
1287 if (*p == ConfigAck)
1288 {
1289 switch (session[s].ppp.ipcp)
1290 {
1291 case RequestSent:
1292 initialise_restart_count(s, ipcp);
1293 change_state(s, ipcp, AckReceived);
1294 break;
1295
1296 case AckReceived:
1297 case Opened:
1298 LOG(2, s, t, "IPCP: ConfigAck in state %s? Sending ConfigReq\n", ppp_state(session[s].ppp.ipcp));
1299 sendipcp(s, t);
1300 change_state(s, ipcp, RequestSent);
1301 break;
1302
1303 case AckSent:
1304 ipcp_open(s, t);
1305 break;
1306
1307 default:
1308 LOG(2, s, t, "IPCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ipcp));
1309 }
1310 }
1311 else if (*p == ConfigReq)
1312 {
1313 uint8_t *response = 0;
1314 uint8_t *o = p + 4;
1315 int length = l - 4;
1316 int gotip = 0;
1317 in_addr_t addr;
1318
1319 while (length > 2)
1320 {
1321 if (!o[1] || o[1] > length) return;
1322
1323 switch (*o)
1324 {
1325 case 3: // ip address
1326 gotip++; // seen address
1327 if (o[1] != 6) return;
1328
1329 addr = htonl(session[s].ip);
1330 if (memcmp(o + 2, &addr, (sizeof addr)))
1331 {
1332 uint8_t *oq = q;
1333 q = ppp_conf_nak(s, b, sizeof(b), PPPIPCP, &response, q, p, o, (uint8_t *) &addr, sizeof(addr));
1334 if (!q || (q != oq && *response == ConfigRej))
1335 {
1336 sessionshutdown(s, "Can't negotiate IPCP.", CDN_ADMIN_DISC, TERM_USER_ERROR);
1337 return;
1338 }
1339 }
1340
1341 break;
1342
1343 case 129: // primary DNS
1344 if (o[1] != 6) return;
1345
1346 addr = htonl(session[s].dns1);
1347 if (memcmp(o + 2, &addr, (sizeof addr)))
1348 {
1349 q = ppp_conf_nak(s, b, sizeof(b), PPPIPCP, &response, q, p, o, (uint8_t *) &addr, sizeof(addr));
1350 if (!q) return;
1351 }
1352
1353 break;
1354
1355 case 131: // secondary DNS
1356 if (o[1] != 6) return;
1357
1358 addr = htonl(session[s].dns2);
1359 if (memcmp(o + 2, &addr, sizeof(addr)))
1360 {
1361 q = ppp_conf_nak(s, b, sizeof(b), PPPIPCP, &response, q, p, o, (uint8_t *) &addr, sizeof(addr));
1362 if (!q) return;
1363 }
1364
1365 break;
1366
1367 default:
1368 LOG(2, s, t, " Rejecting PPP IPCP Option type %d\n", *o);
1369 q = ppp_conf_rej(s, b, sizeof(b), PPPIPCP, &response, q, p, o);
1370 if (!q) return;
1371 }
1372
1373 length -= o[1];
1374 o += o[1];
1375 }
1376
1377 if (response)
1378 {
1379 l = q - response; // IPCP packet length
1380 *((uint16_t *) (response + 2)) = htons(l); // update header
1381 }
1382 else if (gotip)
1383 {
1384 // Send packet back as ConfigAck
1385 response = makeppp(b, sizeof(b), p, l, s, t, PPPIPCP, 0, 0, 0);
1386 if (!response) return;
1387 *response = ConfigAck;
1388 }
1389 else
1390 {
1391 LOG(1, s, t, "No IP in IPCP request\n");
1392 STAT(tunnel_rx_errors);
1393 return;
1394 }
1395
1396 switch (session[s].ppp.ipcp)
1397 {
1398 case Closed:
1399 response = makeppp(b, sizeof(b), p, 2, s, t, PPPIPCP, 0, 0, 0);
1400 if (!response) return;
1401 *response = TerminateAck;
1402 *((uint16_t *) (response + 2)) = htons(l = 4);
1403 break;
1404
1405 case Stopped:
1406 initialise_restart_count(s, ipcp);
1407 sendipcp(s, t);
1408 if (*response == ConfigAck)
1409 change_state(s, ipcp, AckSent);
1410 else
1411 change_state(s, ipcp, RequestSent);
1412
1413 break;
1414
1415 case RequestSent:
1416 if (*response == ConfigAck)
1417 change_state(s, ipcp, AckSent);
1418
1419 break;
1420
1421 case AckReceived:
1422 if (*response == ConfigAck)
1423 ipcp_open(s, t);
1424
1425 break;
1426
1427 case Opened:
1428 initialise_restart_count(s, ipcp);
1429 sendipcp(s, t);
1430 /* fallthrough */
1431
1432 case AckSent:
1433 if (*response == ConfigAck)
1434 change_state(s, ipcp, AckSent);
1435 else
1436 change_state(s, ipcp, RequestSent);
1437
1438 break;
1439
1440 default:
1441 LOG(2, s, t, "IPCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ipcp));
1442 return;
1443 }
1444
1445 LOG(3, s, t, "IPCP: send %s\n", ppp_code(*response));
1446 tunnelsend(b, l + (response - b), t);
1447 }
1448 else if (*p == TerminateReq)
1449 {
1450 switch (session[s].ppp.ipcp)
1451 {
1452 case Closed:
1453 case Stopped:
1454 case Closing:
1455 case Stopping:
1456 case RequestSent:
1457 case AckReceived:
1458 case AckSent:
1459 break;
1460
1461 case Opened:
1462 zero_restart_count(s, ipcp);
1463 change_state(s, ipcp, Closing);
1464 break;
1465
1466 default:
1467 LOG(2, s, t, "IPCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ipcp));
1468 return;
1469 }
1470
1471 *p = TerminateAck; // send ack
1472 q = makeppp(b, sizeof(b), p, l, s, t, PPPIPCP, 0, 0, 0);
1473 if (!q) return;
1474
1475 LOG(3, s, t, "IPCP: send %s\n", ppp_code(*q));
1476 tunnelsend(b, l + (q - b), t); // send it
1477 }
1478 else if (*p != CodeRej)
1479 {
1480 ppp_code_rej(s, t, PPPIPCP, "IPCP", p, l, b, sizeof(b));
1481 }
1482 }
1483
1484 static void ipv6cp_open(sessionidt s, tunnelidt t)
1485 {
1486 LOG(3, s, t, "IPV6CP: Opened\n");
1487
1488 change_state(s, ipv6cp, Opened);
1489 if (session[s].ipv6prefixlen)
1490 route6set(s, session[s].ipv6route, session[s].ipv6prefixlen, 1);
1491
1492 // Send an initial RA (TODO: Should we send these regularly?)
1493 send_ipv6_ra(s, t, NULL);
1494 }
1495
1496 // Process IPV6CP messages
1497 void processipv6cp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
1498 {
1499 uint8_t b[MAXETHER];
1500 uint8_t *q = 0;
1501 uint16_t hl;
1502
1503 CSTAT(processipv6cp);
1504
1505 LOG_HEX(5, "IPV6CP", p, l);
1506 if (l < 4)
1507 {
1508 LOG(1, s, t, "Short IPV6CP %d bytes\n", l);
1509 STAT(tunnel_rx_errors);
1510 return ;
1511 }
1512
1513 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
1514 {
1515 LOG(1, s, t, "Length mismatch IPV6CP %u/%u\n", hl, l);
1516 STAT(tunnel_rx_errors);
1517 return ;
1518 }
1519 l = hl;
1520
1521 if (session[s].ppp.phase < Network)
1522 {
1523 LOG(2, s, t, "IPV6CP %s ignored in %s phase\n", ppp_code(*p), ppp_phase(session[s].ppp.phase));
1524 return;
1525 }
1526
1527 LOG(3, s, t, "IPV6CP: recv %s\n", ppp_code(*p));
1528
1529 if (!session[s].ip)
1530 {
1531 LOG(3, s, t, "IPV6CP: no IPv4 address (IPCP in state %s)\n", ppp_state(session[s].ppp.ipcp));
1532 return; // need IPCP to complete...
1533 }
1534
1535 if (*p == ConfigAck)
1536 {
1537 switch (session[s].ppp.ipv6cp)
1538 {
1539 case RequestSent:
1540 initialise_restart_count(s, ipv6cp);
1541 change_state(s, ipv6cp, AckReceived);
1542 break;
1543
1544 case AckReceived:
1545 case Opened:
1546 LOG(2, s, t, "IPV6CP: ConfigAck in state %s? Sending ConfigReq\n", ppp_state(session[s].ppp.ipv6cp));
1547 sendipv6cp(s, t);
1548 change_state(s, ipv6cp, RequestSent);
1549 break;
1550
1551 case AckSent:
1552 ipv6cp_open(s, t);
1553 break;
1554
1555 default:
1556 LOG(2, s, t, "IPV6CP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ipv6cp));
1557 }
1558 }
1559 else if (*p == ConfigReq)
1560 {
1561 uint8_t *response = 0;
1562 uint8_t *o = p + 4;
1563 int length = l - 4;
1564 int gotip = 0;
1565 uint32_t ident[2];
1566
1567 while (length > 2)
1568 {
1569 if (!o[1] || o[1] > length) return;
1570
1571 switch (*o)
1572 {
1573 case 1: // interface identifier
1574 gotip++; // seen address
1575 if (o[1] != 10) return;
1576
1577 ident[0] = htonl(session[s].ip);
1578 ident[1] = 0;
1579
1580 if (memcmp(o + 2, ident, sizeof(ident)))
1581 {
1582 q = ppp_conf_nak(s, b, sizeof(b), PPPIPV6CP, &response, q, p, o, (uint8_t *)ident, sizeof(ident));
1583 if (!q) return;
1584 }
1585
1586 break;
1587
1588 default:
1589 LOG(2, s, t, " Rejecting PPP IPV6CP Option type %d\n", *o);
1590 q = ppp_conf_rej(s, b, sizeof(b), PPPIPV6CP, &response, q, p, o);
1591 if (!q) return;
1592 }
1593
1594 length -= o[1];
1595 o += o[1];
1596 }
1597
1598 if (response)
1599 {
1600 l = q - response; // IPV6CP packet length
1601 *((uint16_t *) (response + 2)) = htons(l); // update header
1602 }
1603 else if (gotip)
1604 {
1605 // Send packet back as ConfigAck
1606 response = makeppp(b, sizeof(b), p, l, s, t, PPPIPV6CP, 0, 0, 0);
1607 if (!response) return;
1608 *response = ConfigAck;
1609 }
1610 else
1611 {
1612 LOG(1, s, t, "No interface identifier in IPV6CP request\n");
1613 STAT(tunnel_rx_errors);
1614 return;
1615 }
1616
1617 switch (session[s].ppp.ipv6cp)
1618 {
1619 case Closed:
1620 response = makeppp(b, sizeof(b), p, 2, s, t, PPPIPV6CP, 0, 0, 0);
1621 if (!response) return;
1622 *response = TerminateAck;
1623 *((uint16_t *) (response + 2)) = htons(l = 4);
1624 break;
1625
1626 case Stopped:
1627 initialise_restart_count(s, ipv6cp);
1628 sendipv6cp(s, t);
1629 if (*response == ConfigAck)
1630 change_state(s, ipv6cp, AckSent);
1631 else
1632 change_state(s, ipv6cp, RequestSent);
1633
1634 break;
1635
1636 case RequestSent:
1637 if (*response == ConfigAck)
1638 change_state(s, ipv6cp, AckSent);
1639
1640 break;
1641
1642 case AckReceived:
1643 if (*response == ConfigAck)
1644 ipv6cp_open(s, t);
1645
1646 break;
1647
1648 case Opened:
1649 initialise_restart_count(s, ipv6cp);
1650 sendipv6cp(s, t);
1651 /* fallthrough */
1652
1653 case AckSent:
1654 if (*response == ConfigAck)
1655 change_state(s, ipv6cp, AckSent);
1656 else
1657 change_state(s, ipv6cp, RequestSent);
1658
1659 break;
1660
1661 default:
1662 LOG(2, s, t, "IPV6CP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ipv6cp));
1663 return;
1664 }
1665
1666 LOG(3, s, t, "IPV6CP: send %s\n", ppp_code(*response));
1667 tunnelsend(b, l + (response - b), t);
1668 }
1669 else if (*p == TerminateReq)
1670 {
1671 switch (session[s].ppp.ipv6cp)
1672 {
1673 case Closed:
1674 case Stopped:
1675 case Closing:
1676 case Stopping:
1677 case RequestSent:
1678 case AckReceived:
1679 case AckSent:
1680 break;
1681
1682 case Opened:
1683 zero_restart_count(s, ipv6cp);
1684 change_state(s, ipv6cp, Closing);
1685 break;
1686
1687 default:
1688 LOG(2, s, t, "IPV6CP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ipv6cp));
1689 return;
1690 }
1691
1692 *p = TerminateAck; // send ack
1693 q = makeppp(b, sizeof(b), p, l, s, t, PPPIPV6CP, 0, 0, 0);
1694 if (!q) return;
1695
1696 LOG(3, s, t, "IPV6CP: send %s\n", ppp_code(*q));
1697 tunnelsend(b, l + (q - b), t); // send it
1698 }
1699 else if (*p != CodeRej)
1700 {
1701 ppp_code_rej(s, t, PPPIPV6CP, "IPV6CP", p, l, b, sizeof(b));
1702 }
1703 }
1704
1705 static void update_sessions_in_stat(sessionidt s, uint16_t l)
1706 {
1707 bundleidt b = session[s].bundle;
1708 if (!b)
1709 {
1710 increment_counter(&session[s].cin, &session[s].cin_wrap, l);
1711 session[s].cin_delta += l;
1712 session[s].pin++;
1713
1714 sess_local[s].cin += l;
1715 sess_local[s].pin++;
1716 }
1717 else
1718 {
1719 int i = frag[b].re_frame_begin_index;
1720 int end = frag[b].re_frame_end_index;
1721 for (;;)
1722 {
1723 l = frag[b].fragment[i].length;
1724 s = frag[b].fragment[i].sid;
1725 increment_counter(&session[s].cin, &session[s].cin_wrap, l);
1726 session[s].cin_delta += l;
1727 session[s].pin++;
1728
1729 sess_local[s].cin += l;
1730 sess_local[s].pin++;
1731 if (i == end)
1732 return;
1733 i = (i + 1) & MAXFRAGNUM_MASK;
1734 }
1735 }
1736 }
1737
1738 // process IP packet received
1739 //
1740 // This MUST be called with at least 4 byte behind 'p'.
1741 // (i.e. this routine writes to p[-4]).
1742 void processipin(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
1743 {
1744 in_addr_t ip;
1745
1746 CSTAT(processipin);
1747
1748 LOG_HEX(5, "IP", p, l);
1749
1750 if (l < 20)
1751 {
1752 LOG(1, s, t, "IP packet too short %d\n", l);
1753 STAT(tunnel_rx_errors);
1754 return ;
1755 }
1756
1757 ip = ntohl(*(uint32_t *)(p + 12));
1758
1759 if (l > MAXETHER)
1760 {
1761 LOG(1, s, t, "IP packet too long %d\n", l);
1762 STAT(tunnel_rx_errors);
1763 return ;
1764 }
1765
1766 if (session[s].ppp.phase != Network || session[s].ppp.ipcp != Opened)
1767 return;
1768
1769 if (!session[s].bundle || bundle[session[s].bundle].num_of_links < 2) // FIXME:
1770 {
1771 // no spoof (do sessionbyip to handled statically routed subnets)
1772 if (ip != session[s].ip && sessionbyip(htonl(ip)) != s)
1773 {
1774 LOG(4, s, t, "Dropping packet with spoofed IP %s\n", fmtaddr(htonl(ip), 0));
1775 return;
1776 }
1777 }
1778
1779 // run access-list if any
1780 if (session[s].filter_in && !ip_filter(p, l, session[s].filter_in - 1))
1781 return;
1782
1783 // adjust MSS on SYN and SYN,ACK packets with options
1784 if ((ntohs(*(uint16_t *) (p + 6)) & 0x1fff) == 0 && p[9] == IPPROTO_TCP) // first tcp fragment
1785 {
1786 int ihl = (p[0] & 0xf) * 4; // length of IP header
1787 if (l >= ihl + 20 && (p[ihl + 13] & TCP_FLAG_SYN) && ((p[ihl + 12] >> 4) > 5))
1788 adjust_tcp_mss(s, t, p, l, p + ihl);
1789 }
1790
1791 // Add on the tun header
1792 p -= 4;
1793 *(uint32_t *) p = htonl(PKTIP);
1794 l += 4;
1795
1796 if (session[s].tbf_in)
1797 {
1798 // Are we throttling this session?
1799 if (config->cluster_iam_master)
1800 tbf_queue_packet(session[s].tbf_in, p, l);
1801 else
1802 master_throttle_packet(session[s].tbf_in, p, l);
1803 return;
1804 }
1805
1806 // send to ethernet
1807 if (tun_write(p, l) < 0)
1808 {
1809 STAT(tun_tx_errors);
1810 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
1811 l, strerror(errno), tunfd, p);
1812
1813 return;
1814 }
1815
1816 p += 4;
1817 l -= 4;
1818
1819 if (session[s].snoop_ip && session[s].snoop_port)
1820 {
1821 // Snooping this session
1822 snoop_send_packet(p, l, session[s].snoop_ip, session[s].snoop_port);
1823 }
1824
1825 update_sessions_in_stat(s, l);
1826
1827 eth_tx += l;
1828
1829 STAT(tun_tx_packets);
1830 INC_STAT(tun_tx_bytes, l);
1831 }
1832
1833 // process Multilink PPP packet received
1834 void processmpin(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
1835 {
1836 bundleidt b = session[s].bundle;
1837 bundlet * this_bundle = &bundle[b];
1838 uint32_t maskSeq, max_seq;
1839 int frag_offset;
1840 uint16_t frag_index, frag_index_next, frag_index_prev;
1841 fragmentationt *this_fragmentation = &frag[b];
1842 uint8_t begin_frame = (*p & MP_BEGIN);
1843 uint8_t end_frame = (*p & MP_END);
1844 uint32_t seq_num, seq_num_next, seq_num_prev;
1845 uint32_t i;
1846 uint8_t flags = *p;
1847 uint16_t begin_index, end_index;
1848
1849 // Perform length checking
1850 if(l > MAXFRAGLEN)
1851 {
1852 LOG(2, s, t, "MPPP: discarding fragment larger than MAXFRAGLEN\n");
1853 return;
1854 }
1855
1856 if(!b)
1857 {
1858 LOG(2, s, t, "MPPP: Invalid bundle id: 0\n");
1859 return;
1860 }
1861 // FIXME !! session[s].mssf means that the receiver wants to receive frames in mssf not means the receiver will send frames in mssf
1862 /* if(session[s].mssf)
1863 {
1864 // Get 12 bit for seq number
1865 seq_num = ntohs((*(uint16_t *) p) & 0xFF0F);
1866 p += 2;
1867 l -= 2;
1868 // After this point the pointer should be advanced 2 bytes
1869 LOG(3, s, t, "MPPP: 12 bits, sequence number: %d\n",seq_num);
1870 }
1871 else */
1872 {
1873 // Get 24 bit for seq number
1874 seq_num = ntohl((*(uint32_t *) p) & 0xFFFFFF00);
1875 p += 4;
1876 l -= 4;
1877 // After this point the pointer should be advanced 4 bytes
1878 LOG(4, s, t, "MPPP: 24 bits sequence number:%d\n",seq_num);
1879 }
1880
1881 max_seq = this_bundle->max_seq;
1882 maskSeq = max_seq - 1;
1883
1884 /*
1885 * Expand sequence number to 32 bits, making it as close
1886 * as possible to this_fragmentation->M.
1887 */
1888 seq_num |= this_fragmentation->M & ~maskSeq;
1889 if ((int)(this_fragmentation->M - seq_num) > (int)(maskSeq >> 1))
1890 {
1891 seq_num += maskSeq + 1;
1892 }
1893 else if ((int)(seq_num - this_fragmentation->M) > (int)(maskSeq >> 1))
1894 {
1895 seq_num -= maskSeq + 1; /* should never happen */
1896 }
1897
1898 // calculate this fragment's offset from the begin seq in the bundle
1899 frag_offset = (int) (seq_num - this_fragmentation->start_seq);
1900
1901 sess_local[s].last_seq = seq_num;
1902
1903 // calculate the jitter average
1904 uint32_t ljitter = time_now_ms - sess_local[s].prev_time;
1905 if (ljitter > 0)
1906 {
1907 sess_local[s].jitteravg = (sess_local[s].jitteravg + ljitter)>>1;
1908 sess_local[s].prev_time = time_now_ms;
1909 }
1910
1911 uint32_t Mmin;
1912
1913 if (seq_num < this_fragmentation->M)
1914 {
1915 Mmin = seq_num;
1916 this_fragmentation->M = seq_num;
1917 }
1918 else
1919 {
1920 Mmin = sess_local[(this_bundle->members[0])].last_seq;
1921 for (i = 1; i < this_bundle->num_of_links; i++)
1922 {
1923 uint32_t s_seq = sess_local[(this_bundle->members[i])].last_seq;
1924 if (s_seq < Mmin)
1925 Mmin = s_seq;
1926 }
1927 this_fragmentation->M = Mmin;
1928 }
1929
1930 // calculate M offset of the M seq in the bundle
1931 int M_offset = (int) (Mmin - this_fragmentation->start_seq);
1932
1933 if (M_offset >= MAXFRAGNUM)
1934 {
1935 // There have a long break of the link !!!!!!!!
1936 // M_offset is bigger that the fragmentation buffer size
1937 LOG(3, s, t, "MPPP: M_offset out of range, min:%d, begin_seq:%d, jitteravg:%d\n", Mmin, this_fragmentation->start_seq, sess_local[s].jitteravg);
1938
1939 // Calculate the new start index, the previous frag are lost
1940 begin_index = (M_offset + this_fragmentation->start_index) & MAXFRAGNUM_MASK;
1941
1942 // Set new Start sequence
1943 this_fragmentation->start_index = begin_index;
1944 this_fragmentation->start_seq = Mmin;
1945 M_offset = 0;
1946 // recalculate the fragment offset from the new begin seq in the bundle
1947 frag_offset = (int) (seq_num - Mmin);
1948 }
1949
1950 // discard this fragment if the packet comes before the start sequence
1951 if (frag_offset < 0)
1952 {
1953 // this packet comes before the next
1954 LOG(3, s, t, "MPPP: packet comes before the next, seq:%d, begin_seq:%d, size frag:%d\n", seq_num, this_fragmentation->start_seq, l);
1955 return;
1956 }
1957
1958 // discard if frag_offset is bigger that the fragmentation buffer size
1959 if (frag_offset >= MAXFRAGNUM)
1960 {
1961 // frag_offset is bigger that the fragmentation buffer size
1962 LOG(3, s, t, "MPPP: Index out of range, seq:%d, begin_seq:%d, jitteravg:%d\n", seq_num, this_fragmentation->start_seq, sess_local[s].jitteravg);
1963 return;
1964 }
1965
1966 //caculate received fragment's index in the fragment array
1967 frag_index = (frag_offset + this_fragmentation->start_index) & MAXFRAGNUM_MASK;
1968
1969 // insert the frame in it's place
1970 fragmentt *this_frag = &this_fragmentation->fragment[frag_index];
1971
1972 if (this_frag->length > 0)
1973 // This fragment is lost, It was around the buffer and it was never completed the packet.
1974 LOG(3, this_frag->sid, this_frag->tid, "MPPP: (INSERT) seq_num:%d frag_index:%d flags:%d jitteravg:%d is LOST\n",
1975 this_frag->seq, frag_index, this_frag->flags, this_frag->jitteravg);
1976
1977 this_frag->length = l;
1978 this_frag->sid = s;
1979 this_frag->tid = t;
1980 this_frag->flags = flags;
1981 this_frag->seq = seq_num;
1982 this_frag->jitteravg = sess_local[s].jitteravg;
1983 memcpy(this_frag->data, p, l);
1984
1985 LOG(4, s, t, "MPPP: seq_num:%d frag_index:%d INSERTED flags: %02X\n", seq_num, frag_index, flags);
1986
1987 //next frag index
1988 frag_index_next = (frag_index + 1) & MAXFRAGNUM_MASK;
1989 //previous frag index
1990 frag_index_prev = (frag_index - 1) & MAXFRAGNUM_MASK;
1991 // next seq
1992 seq_num_next = seq_num + 1;
1993 // previous seq
1994 seq_num_prev = seq_num - 1;
1995
1996 // Clean the buffer and log the lost fragments
1997 if ((frag_index_next != this_fragmentation->start_index) && this_fragmentation->fragment[frag_index_next].length)
1998 {
1999 // check if the next frag is a lost fragment
2000 if (this_fragmentation->fragment[frag_index_next].seq != seq_num_next)
2001 {
2002 // This fragment is lost, It was around the buffer and it was never completed the packet.
2003 LOG(3, this_fragmentation->fragment[frag_index_next].sid, this_fragmentation->fragment[frag_index_next].tid,
2004 "MPPP: (NEXT) seq_num:%d frag_index:%d flags:%d jitteravg:%d is LOST\n",
2005 this_fragmentation->fragment[frag_index_next].seq, frag_index_next,
2006 this_fragmentation->fragment[frag_index_next].flags, this_fragmentation->fragment[frag_index_next].jitteravg);
2007 // this frag is lost
2008 this_fragmentation->fragment[frag_index_next].length = 0;
2009 this_fragmentation->fragment[frag_index_next].flags = 0;
2010
2011 if (begin_frame && (!end_frame)) return; // assembling frame failed
2012 }
2013 }
2014
2015 // Clean the buffer and log the lost fragments
2016 if ((frag_index != this_fragmentation->start_index) && this_fragmentation->fragment[frag_index_prev].length)
2017 {
2018 // check if the next frag is a lost fragment
2019 if (this_fragmentation->fragment[frag_index_prev].seq != seq_num_prev)
2020 {
2021 // This fragment is lost, It was around the buffer and it was never completed the packet.
2022 LOG(3, this_fragmentation->fragment[frag_index_prev].sid, this_fragmentation->fragment[frag_index_prev].tid,
2023 "MPPP: (PREV) seq_num:%d frag_index:%d flags:%d jitteravg:%d is LOST\n",
2024 this_fragmentation->fragment[frag_index_prev].seq, frag_index_prev,
2025 this_fragmentation->fragment[frag_index_prev].flags, this_fragmentation->fragment[frag_index_prev].jitteravg);
2026
2027 this_fragmentation->fragment[frag_index_prev].length = 0;
2028 this_fragmentation->fragment[frag_index_prev].flags = 0;
2029
2030 if (end_frame && (!begin_frame)) return; // assembling frame failed
2031 }
2032 }
2033
2034 find_frame:
2035 begin_index = this_fragmentation->start_index;
2036 uint32_t b_seq = this_fragmentation->start_seq;
2037 // Try to find a Begin sequence from the start_seq sequence to M sequence
2038 while (b_seq < Mmin)
2039 {
2040 if (this_fragmentation->fragment[begin_index].length)
2041 {
2042 if (b_seq == this_fragmentation->fragment[begin_index].seq)
2043 {
2044 if (this_fragmentation->fragment[begin_index].flags & MP_BEGIN)
2045 {
2046 int isfoundE = 0;
2047 // Adjust the new start sequence and start index
2048 this_fragmentation->start_index = begin_index;
2049 this_fragmentation->start_seq = b_seq;
2050 // Begin Sequence found, now try to found the End Sequence to complete the frame
2051 end_index = begin_index;
2052 while (b_seq < Mmin)
2053 {
2054 if (this_fragmentation->fragment[end_index].length)
2055 {
2056 if (b_seq == this_fragmentation->fragment[end_index].seq)
2057 {
2058 if (this_fragmentation->fragment[end_index].flags & MP_END)
2059 {
2060 // The End sequence was found and the frame is complete
2061 isfoundE = 1;
2062 break;
2063 }
2064 }
2065 else
2066 {
2067 // This fragment is lost, it was never completed the packet.
2068 LOG(3, this_fragmentation->fragment[end_index].sid, this_fragmentation->fragment[end_index].tid,
2069 "MPPP: (FIND END) seq_num:%d frag_index:%d flags:%d jitteravg:%d is LOST\n",
2070 this_fragmentation->fragment[end_index].seq, begin_index,
2071 this_fragmentation->fragment[end_index].flags, this_fragmentation->fragment[end_index].jitteravg);
2072 // this frag is lost
2073 this_fragmentation->fragment[end_index].length = 0;
2074 this_fragmentation->fragment[end_index].flags = 0;
2075 // This frame is not complete find the next Begin
2076 break;
2077 }
2078 }
2079 else
2080 {
2081 // This frame is not complete find the next Begin if exist
2082 break;
2083 }
2084 end_index = (end_index +1) & MAXFRAGNUM_MASK;
2085 b_seq++;
2086 }
2087
2088 if (isfoundE)
2089 // The End sequence was found and the frame is complete
2090 break;
2091 else
2092 // find the next Begin
2093 begin_index = end_index;
2094 }
2095 }
2096 else
2097 {
2098 // This fragment is lost, it was never completed the packet.
2099 LOG(3, this_fragmentation->fragment[begin_index].sid, this_fragmentation->fragment[begin_index].tid,
2100 "MPPP: (FIND BEGIN) seq_num:%d frag_index:%d flags:%d jitteravg:%d is LOST\n",
2101 this_fragmentation->fragment[begin_index].seq, begin_index,
2102 this_fragmentation->fragment[begin_index].flags, this_fragmentation->fragment[begin_index].jitteravg);
2103 // this frag is lost
2104 this_fragmentation->fragment[begin_index].length = 0;
2105 this_fragmentation->fragment[begin_index].flags = 0;
2106 }
2107 }
2108 begin_index = (begin_index +1) & MAXFRAGNUM_MASK;
2109 b_seq++;
2110 }
2111
2112 assembling_frame:
2113 // try to assemble the frame that has the received fragment as a member
2114 // get the beginning of this frame
2115 begin_index = end_index = this_fragmentation->start_index;
2116 if (this_fragmentation->fragment[begin_index].length)
2117 {
2118 if (!(this_fragmentation->fragment[begin_index].flags & MP_BEGIN))
2119 {
2120 // should occur only after an "M_Offset out of range"
2121 // The start sequence must be a begin sequence
2122 this_fragmentation->start_index = (begin_index +1) & MAXFRAGNUM_MASK;
2123 this_fragmentation->start_seq++;
2124 return; // assembling frame failed
2125 }
2126 }
2127 else
2128 return; // assembling frame failed
2129
2130 // get the end of his frame
2131 while (this_fragmentation->fragment[end_index].length)
2132 {
2133 if (this_fragmentation->fragment[end_index].flags & MP_END)
2134 break;
2135
2136 end_index = (end_index +1) & MAXFRAGNUM_MASK;
2137
2138 if (end_index == this_fragmentation->start_index)
2139 return; // assembling frame failed
2140 }
2141
2142 // return if a lost fragment is found
2143 if (!(this_fragmentation->fragment[end_index].length))
2144 return; // assembling frame failed
2145
2146 // assemble the packet
2147 //assemble frame, process it, reset fragmentation
2148 uint16_t cur_len = 4; // This is set to 4 to leave 4 bytes for function processipin
2149
2150 LOG(4, s, t, "MPPP: processing fragments from %d to %d\n", begin_index, end_index);
2151 // Push to the receive buffer
2152
2153 for (i = begin_index;; i = (i + 1) & MAXFRAGNUM_MASK)
2154 {
2155 this_frag = &this_fragmentation->fragment[i];
2156 if(cur_len + this_frag->length > MAXETHER)
2157 {
2158 LOG(2, s, t, "MPPP: discarding reassembled frames larger than MAXETHER\n");
2159 break;
2160 }
2161
2162 memcpy(this_fragmentation->reassembled_frame+cur_len, this_frag->data, this_frag->length);
2163 LOG(5, s, t, "MPPP: processing frame at %d, with len %d\n", i, this_frag->length);
2164
2165 cur_len += this_frag->length;
2166 if (i == end_index)
2167 {
2168 this_fragmentation->re_frame_len = cur_len;
2169 this_fragmentation->re_frame_begin_index = begin_index;
2170 this_fragmentation->re_frame_end_index = end_index;
2171 // Process the resassembled frame
2172 LOG(5, s, t, "MPPP: Process the reassembled frame, len=%d\n",cur_len);
2173 processmpframe(s, t, this_fragmentation->reassembled_frame, this_fragmentation->re_frame_len, 1);
2174 break;
2175 }
2176 }
2177
2178 // Set reassembled frame length to zero after processing it
2179 this_fragmentation->re_frame_len = 0;
2180 for (i = begin_index;; i = (i + 1) & MAXFRAGNUM_MASK)
2181 {
2182 this_fragmentation->fragment[i].length = 0; // Indicates that this fragment has been consumed
2183 this_fragmentation->fragment[i].flags = 0;
2184 if (i == end_index)
2185 break;
2186 }
2187
2188 // Set the new start_index and start_seq
2189 this_fragmentation->start_index = (end_index + 1) & MAXFRAGNUM_MASK;
2190 this_fragmentation->start_seq = this_fragmentation->fragment[end_index].seq + 1;
2191 LOG(4, s, t, "MPPP after assembling: start index is = %d, start seq=%d\n", this_fragmentation->start_index, this_fragmentation->start_seq);
2192
2193 begin_index = this_fragmentation->start_index;
2194 if ((this_fragmentation->fragment[begin_index].length) &&
2195 (this_fragmentation->fragment[begin_index].seq != this_fragmentation->start_seq))
2196 {
2197 LOG(3, this_fragmentation->fragment[begin_index].sid, this_fragmentation->fragment[begin_index].tid,
2198 "MPPP: (START) seq_num:%d frag_index:%d flags:%d jitteravg:%d is LOST\n",
2199 this_fragmentation->fragment[begin_index].seq, begin_index,
2200 this_fragmentation->fragment[begin_index].flags, this_fragmentation->fragment[begin_index].jitteravg);
2201 this_fragmentation->fragment[begin_index].length = 0;
2202 this_fragmentation->fragment[begin_index].flags = 0;
2203 }
2204
2205 if (this_fragmentation->start_seq <= Mmin)
2206 // It's possible to find other complete frame or lost frame.
2207 goto find_frame;
2208 else if ((this_fragmentation->fragment[begin_index].length) &&
2209 (this_fragmentation->fragment[begin_index].flags & MP_BEGIN))
2210 // may be that the next frame is completed
2211 goto assembling_frame;
2212
2213 return;
2214 }
2215
2216 // process IPv6 packet received
2217 //
2218 // This MUST be called with at least 4 byte behind 'p'.
2219 // (i.e. this routine writes to p[-4]).
2220 void processipv6in(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
2221 {
2222 struct in6_addr ip;
2223 in_addr_t ipv4;
2224
2225 CSTAT(processipv6in);
2226
2227 LOG_HEX(5, "IPv6", p, l);
2228
2229 ip = *(struct in6_addr *) (p + 8);
2230 ipv4 = ntohl(*(uint32_t *)(p + 16));
2231
2232 if (l > MAXETHER)
2233 {
2234 LOG(1, s, t, "IP packet too long %d\n", l);
2235 STAT(tunnel_rx_errors);
2236 return ;
2237 }
2238
2239 if (session[s].ppp.phase != Network || session[s].ppp.ipv6cp != Opened)
2240 return;
2241
2242 // no spoof
2243 if (ipv4 != session[s].ip && memcmp(&config->ipv6_prefix, &ip, 8) && sessionbyipv6(ip) != s)
2244 {
2245 char str[INET6_ADDRSTRLEN];
2246 LOG(5, s, t, "Dropping packet with spoofed IP %s\n",
2247 inet_ntop(AF_INET6, &ip, str, INET6_ADDRSTRLEN));
2248 return;
2249 }
2250
2251 // Check if it's a Router Solicition message.
2252 if (*(p + 6) == 58 && *(p + 7) == 255 && *(p + 24) == 0xFF && *(p + 25) == 2 &&
2253 *(uint32_t *)(p + 26) == 0 && *(uint32_t *)(p + 30) == 0 &&
2254 *(uint32_t *)(p + 34) == 0 &&
2255 *(p + 38) == 0 && *(p + 39) == 2 && *(p + 40) == 133) {
2256 LOG(3, s, t, "Got IPv6 RS\n");
2257 send_ipv6_ra(s, t, &ip);
2258 return;
2259 }
2260
2261 // Add on the tun header
2262 p -= 4;
2263 *(uint32_t *) p = htonl(PKTIPV6);
2264 l += 4;
2265
2266 // Are we throttled and a slave?
2267 if (session[s].tbf_in && !config->cluster_iam_master) {
2268 // Pass it to the master for handling.
2269 master_throttle_packet(session[s].tbf_in, p, l);
2270 return;
2271 }
2272
2273 // Are we throttled and a master??
2274 if (session[s].tbf_in && config->cluster_iam_master) {
2275 // Actually handle the throttled packets.
2276 tbf_queue_packet(session[s].tbf_in, p, l);
2277 return;
2278 }
2279
2280 // send to ethernet
2281 if (tun_write(p, l) < 0)
2282 {
2283 STAT(tun_tx_errors);
2284 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
2285 l, strerror(errno), tunfd, p);
2286
2287 return;
2288 }
2289
2290 p += 4;
2291 l -= 4;
2292
2293 if (session[s].snoop_ip && session[s].snoop_port)
2294 {
2295 // Snooping this session
2296 snoop_send_packet(p, l, session[s].snoop_ip, session[s].snoop_port);
2297 }
2298
2299 update_sessions_in_stat(s, l);
2300
2301 eth_tx += l;
2302
2303 STAT(tun_tx_packets);
2304 INC_STAT(tun_tx_bytes, l);
2305 }
2306
2307 //
2308 // Helper routine for the TBF filters.
2309 // Used to send queued data in from the user.
2310 //
2311 void send_ipin(sessionidt s, uint8_t *buf, int len)
2312 {
2313 LOG_HEX(5, "IP in throttled", buf, len);
2314
2315 if (write(tunfd, buf, len) < 0)
2316 {
2317 STAT(tun_tx_errors);
2318 LOG(0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
2319 len, strerror(errno), tunfd, buf);
2320
2321 return;
2322 }
2323
2324 buf += 4;
2325 len -= 4;
2326
2327 if (session[s].snoop_ip && session[s].snoop_port)
2328 {
2329 // Snooping this session
2330 snoop_send_packet(buf, len, session[s].snoop_ip, session[s].snoop_port);
2331 }
2332
2333 // Increment packet counters
2334 increment_counter(&session[s].cin, &session[s].cin_wrap, len);
2335 session[s].cin_delta += len;
2336 session[s].pin++;
2337
2338 sess_local[s].cin += len;
2339 sess_local[s].pin++;
2340
2341 eth_tx += len;
2342
2343 STAT(tun_tx_packets);
2344 INC_STAT(tun_tx_bytes, len - 4);
2345 }
2346
2347
2348 // Process CCP messages
2349 void processccp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
2350 {
2351 uint8_t b[MAXETHER];
2352 uint8_t *q;
2353
2354 CSTAT(processccp);
2355
2356 LOG_HEX(5, "CCP", p, l);
2357
2358 if (session[s].ppp.phase < Network)
2359 {
2360 LOG(2, s, t, "CCP %s ignored in %s phase\n", ppp_code(*p), ppp_phase(session[s].ppp.phase));
2361 return;
2362 }
2363
2364 if (l < 1)
2365 {
2366 LOG(1, s, t, "Short CCP packet\n");
2367 STAT(tunnel_rx_errors);
2368 }
2369
2370 LOG(4, s, t, "CCP: recv %s\n", ppp_code(*p));
2371 if (*p == ConfigAck)
2372 {
2373 switch (session[s].ppp.ccp)
2374 {
2375 case RequestSent:
2376 initialise_restart_count(s, ccp);
2377 change_state(s, ccp, AckReceived);
2378 break;
2379
2380 case AckReceived:
2381 case Opened:
2382 LOG(2, s, t, "CCP: ConfigAck in state %s? Sending ConfigReq\n", ppp_state(session[s].ppp.ccp));
2383 sendccp(s, t);
2384 change_state(s, ccp, RequestSent);
2385 break;
2386
2387 case AckSent:
2388 LOG(3, s, t, "CCP: Opened\n");
2389 change_state(s, ccp, Opened);
2390 break;
2391
2392 default:
2393 LOG(2, s, t, "CCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ccp));
2394 }
2395 }
2396 else if (*p == ConfigReq)
2397 {
2398 if (l < 6) // accept no compression
2399 *p = ConfigAck;
2400 else // compression requested--reject
2401 *p = ConfigRej;
2402
2403 q = makeppp(b, sizeof(b), p, l, s, t, PPPCCP, 0, 0, 0);
2404 if (!q) return;
2405
2406 switch (session[s].ppp.ccp)
2407 {
2408 case Closed:
2409 q = makeppp(b, sizeof(b), p, 2, s, t, PPPCCP, 0, 0, 0);
2410 if (!q) return;
2411 *q = TerminateAck;
2412 *((uint16_t *) (q + 2)) = htons(l = 4);
2413 break;
2414
2415 case Stopped:
2416 initialise_restart_count(s, ccp);
2417 sendccp(s, t);
2418 if (*q == ConfigAck)
2419 change_state(s, ccp, AckSent);
2420 else
2421 change_state(s, ccp, RequestSent);
2422
2423 break;
2424
2425 case RequestSent:
2426 if (*q == ConfigAck)
2427 change_state(s, ccp, AckSent);
2428
2429 break;
2430
2431 case AckReceived:
2432 if (*q == ConfigAck)
2433 change_state(s, ccp, Opened);
2434
2435 break;
2436
2437 case Opened:
2438 initialise_restart_count(s, ccp);
2439 sendccp(s, t);
2440 /* fallthrough */
2441
2442 case AckSent:
2443 if (*q == ConfigAck)
2444 change_state(s, ccp, AckSent);
2445 else
2446 change_state(s, ccp, RequestSent);
2447
2448 break;
2449
2450 default:
2451 LOG(2, s, t, "CCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ccp));
2452 return;
2453 }
2454
2455 LOG(4, s, t, "CCP: send %s\n", ppp_code(*q));
2456 tunnelsend(b, l + (q - b), t);
2457 }
2458 else if (*p == TerminateReq)
2459 {
2460 *p = TerminateAck;
2461 q = makeppp(b, sizeof(b), p, l, s, t, PPPCCP, 0, 0, 0);
2462 if (!q) return;
2463 LOG(3, s, t, "CCP: send %s\n", ppp_code(*q));
2464 tunnelsend(b, l + (q - b), t);
2465 change_state(s, ccp, Stopped);
2466 }
2467 else if (*p != CodeRej)
2468 {
2469 ppp_code_rej(s, t, PPPCCP, "CCP", p, l, b, sizeof(b));
2470 }
2471 }
2472
2473 // send a CHAP challenge
2474 void sendchap(sessionidt s, tunnelidt t)
2475 {
2476 uint8_t b[MAXETHER];
2477 uint16_t r;
2478 uint8_t *q;
2479
2480 CSTAT(sendchap);
2481
2482 r = radiusnew(s);
2483 if (!r)
2484 {
2485 LOG(1, s, t, "No RADIUS to send challenge\n");
2486 STAT(tunnel_tx_errors);
2487 return;
2488 }
2489
2490 LOG(1, s, t, "Send CHAP challenge\n");
2491
2492 radius[r].chap = 1; // CHAP not PAP
2493 radius[r].id++;
2494 if (radius[r].state != RADIUSCHAP)
2495 radius[r].try = 0;
2496
2497 radius[r].state = RADIUSCHAP;
2498 radius[r].retry = backoff(radius[r].try++);
2499 if (radius[r].try > 5)
2500 {
2501 sessionshutdown(s, "CHAP timeout.", CDN_ADMIN_DISC, TERM_REAUTHENTICATION_FAILURE);
2502 STAT(tunnel_tx_errors);
2503 return ;
2504 }
2505 q = makeppp(b, sizeof(b), 0, 0, s, t, PPPCHAP, 0, 0, 0);
2506 if (!q) return;
2507
2508 *q = 1; // challenge
2509 q[1] = radius[r].id; // ID
2510 q[4] = 16; // value size (size of challenge)
2511 memcpy(q + 5, radius[r].auth, 16); // challenge
2512 strcpy((char *) q + 21, hostname); // our name
2513 *(uint16_t *) (q + 2) = htons(strlen(hostname) + 21); // length
2514 tunnelsend(b, strlen(hostname) + 21 + (q - b), t); // send it
2515 }
2516
2517 // fill in a L2TP message with a PPP frame,
2518 // returns start of PPP frame
2519 uint8_t *makeppp(uint8_t *b, int size, uint8_t *p, int l, sessionidt s, tunnelidt t, uint16_t mtype, uint8_t prio, bundleidt bid, uint8_t mp_bits)
2520 {
2521 uint16_t hdr = 0x0002; // L2TP with no options
2522 uint16_t type = mtype;
2523 uint8_t *start = b;
2524
2525 if (t == TUNNEL_ID_PPPOE)
2526 {
2527 return pppoe_makeppp(b, size, p, l, s, t, mtype, prio, bid, mp_bits);
2528 }
2529
2530 if (size < 16) // Need more space than this!!
2531 {
2532 LOG(0, s, t, "makeppp buffer too small for L2TP header (size=%d)\n", size);
2533 return NULL;
2534 }
2535
2536 if (prio) hdr |= 0x0100; // set priority bit
2537
2538 *(uint16_t *) (b + 0) = htons(hdr);
2539 *(uint16_t *) (b + 2) = htons(tunnel[t].far); // tunnel
2540 *(uint16_t *) (b + 4) = htons(session[s].far); // session
2541 b += 6;
2542
2543 // Check whether this session is part of multilink
2544 if (bid)
2545 {
2546 if (bundle[bid].num_of_links > 1)
2547 type = PPPMP; // Change PPP message type to the PPPMP
2548 else
2549 bid = 0;
2550 }
2551
2552 if (type == PPPLCP || !(session[s].flags & SESSION_ACFC))
2553 {
2554 *(uint16_t *) b = htons(0xFF03); // HDLC header
2555 b += 2;
2556 }
2557
2558 if (type < 0x100 && session[s].flags & SESSION_PFC)
2559 {
2560 *b++ = type;
2561 }
2562 else
2563 {
2564 *(uint16_t *) b = htons(type);
2565 b += 2;
2566 }
2567
2568 if (bid)
2569 {
2570 // Set the sequence number and (B)egin (E)nd flags
2571 if (session[s].mssf)
2572 {
2573 // Set the multilink bits
2574 uint16_t bits_send = mp_bits;
2575 *(uint16_t *) b = htons((bundle[bid].seq_num_t & 0x0FFF)|bits_send);
2576 b += 2;
2577 }
2578 else
2579 {
2580 *(uint32_t *) b = htonl(bundle[bid].seq_num_t);
2581 // Set the multilink bits
2582 *b = mp_bits;
2583 b += 4;
2584 }
2585
2586 bundle[bid].seq_num_t++;
2587
2588 // Add the message type if this fragment has the begin bit set
2589 if (mp_bits & MP_BEGIN)
2590 {
2591 //*b++ = mtype; // The next two lines are instead of this
2592 *(uint16_t *) b = htons(mtype); // Message type
2593 b += 2;
2594 }
2595 }
2596
2597 if ((b - start) + l > size)
2598 {
2599 LOG(2, s, t, "makeppp would overflow buffer (size=%d, header+payload=%td)\n", size, (b - start) + l);
2600 return NULL;
2601 }
2602
2603 // Copy the payload
2604 if (p && l)
2605 memcpy(b, p, l);
2606
2607 return b;
2608 }
2609
2610 static int add_lcp_auth(uint8_t *b, int size, int authtype)
2611 {
2612 int len = 0;
2613 if ((authtype == AUTHCHAP && size < 5) || size < 4)
2614 return 0;
2615
2616 *b++ = 3; // Authentication-Protocol
2617 if (authtype == AUTHCHAP)
2618 {
2619 len = *b++ = 5; // length
2620 *(uint16_t *) b = htons(PPPCHAP); b += 2;
2621 *b++ = 5; // MD5
2622 }
2623 else if (authtype == AUTHPAP)
2624 {
2625 len = *b++ = 4; // length
2626 *(uint16_t *) b = htons(PPPPAP); b += 2;
2627 }
2628 else
2629 {
2630 LOG(0, 0, 0, "add_lcp_auth called with unsupported auth type %d\n", authtype);
2631 }
2632
2633 return len;
2634 }
2635
2636 // Send LCP ConfigReq for MRU, authentication type and magic no
2637 void sendlcp(sessionidt s, tunnelidt t)
2638 {
2639 uint8_t b[500], *q, *l;
2640 int authtype = sess_local[s].lcp_authtype;
2641
2642 if (!(q = makeppp(b, sizeof(b), NULL, 0, s, t, PPPLCP, 0, 0, 0)))
2643 return;
2644
2645 LOG(3, s, t, "LCP: send ConfigReq%s%s%s including MP options\n",
2646 authtype ? " (" : "",
2647 authtype ? (authtype == AUTHCHAP ? "CHAP" : "PAP") : "",
2648 authtype ? ")" : "");
2649
2650 l = q;
2651 *l++ = ConfigReq;
2652 *l++ = ++sess_local[s].lcp_ident; // ID
2653
2654 l += 2; //Save space for length
2655
2656 if (sess_local[s].ppp_mru)
2657 {
2658 *l++ = 1; *l++ = 4; // Maximum-Receive-Unit (length 4)
2659 *(uint16_t *) l = htons(sess_local[s].ppp_mru); l += 2;
2660 }
2661
2662 if (authtype)
2663 l += add_lcp_auth(l, sizeof(b) - (l - b), authtype);
2664
2665 if (session[s].magic)
2666 {
2667 *l++ = 5; *l++ = 6; // Magic-Number (length 6)
2668 *(uint32_t *) l = htonl(session[s].magic);
2669 l += 4;
2670 }
2671
2672 if (sess_local[s].mp_mrru)
2673 {
2674 *l++ = 17; *l++ = 4; // Multilink Max-Receive-Reconstructed-Unit (length 4)
2675 *(uint16_t *) l = htons(sess_local[s].mp_mrru); l += 2;
2676 }
2677
2678 if (sess_local[s].mp_epdis)
2679 {
2680 *l++ = 19; *l++ = 7; // Multilink Endpoint Discriminator (length 7)
2681 *l++ = IPADDR; // Endpoint Discriminator class
2682 *(uint32_t *) l = htonl(sess_local[s].mp_epdis);
2683 l += 4;
2684 }
2685
2686 *(uint16_t *)(q + 2) = htons(l - q); // Length
2687
2688 LOG_HEX(5, "PPPLCP", q, l - q);
2689 if (config->debug > 3) dumplcp(q, l - q);
2690
2691 tunnelsend(b, (l - b), t);
2692 restart_timer(s, lcp);
2693 }
2694
2695 // Send CCP request for no compression
2696 void sendccp(sessionidt s, tunnelidt t)
2697 {
2698 uint8_t b[500], *q;
2699
2700 if (!(q = makeppp(b, sizeof(b), NULL, 0, s, t, PPPCCP, 0, 0, 0)))
2701 return;
2702
2703 LOG(3, s, t, "CCP: send ConfigReq (no compression)\n");
2704
2705 *q = ConfigReq;
2706 *(q + 1) = ++sess_local[s].lcp_ident; // ID
2707 *(uint16_t *)(q + 2) = htons(4); // Length
2708
2709 LOG_HEX(5, "PPPCCP", q, 4);
2710 tunnelsend(b, (q - b) + 4 , t);
2711 restart_timer(s, ccp);
2712 }
2713
2714 // Reject unknown/unconfigured protocols
2715 void protoreject(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l, uint16_t proto)
2716 {
2717
2718 uint8_t buf[MAXETHER];
2719 uint8_t *q;
2720 int mru = session[s].mru;
2721 if (mru < MINMTU) mru = MINMTU;
2722 if (mru > sizeof(buf)) mru = sizeof(buf);
2723
2724 l += 6;
2725 if (l > mru) l = mru;
2726
2727 q = makeppp(buf, sizeof(buf), 0, 0, s, t, PPPLCP, 0, 0, 0);
2728 if (!q) return;
2729
2730 *q = ProtocolRej;
2731 *(q + 1) = ++sess_local[s].lcp_ident;
2732 *(uint16_t *)(q + 2) = htons(l);
2733 *(uint16_t *)(q + 4) = htons(proto);
2734 memcpy(q + 6, p, l - 6);
2735
2736 if (proto == PPPIPV6CP)
2737 LOG(3, s, t, "LCP: send ProtocolRej (IPV6CP: not configured)\n");
2738 else
2739 LOG(2, s, t, "LCP: sent ProtocolRej (0x%04X: unsupported)\n", proto);
2740
2741 tunnelsend(buf, l + (q - buf), t);
2742 }
for cloning use: "git clone git://git.sameswireless.fr/l2tpns.git" ; For add to your sources.list: "deb http://package.sameswifi.fr/ jessie main"