b8973c750cd00c19a9fac791d509c426bf376e78
[l2tpns.git] / ppp.c
1 // L2TPNS PPP Stuff
2
3 char const *cvs_id_ppp = "$Id: ppp.c,v 1.57 2005/05/10 09:57:19 bodea Exp $";
4
5 #include <stdio.h>
6 #include <string.h>
7 #include <unistd.h>
8 #include <errno.h>
9 #include <stdlib.h>
10 #include "l2tpns.h"
11 #include "constants.h"
12 #include "plugin.h"
13 #include "util.h"
14 #include "tbf.h"
15 #include "cluster.h"
16
17 extern tunnelt *tunnel;
18 extern sessiont *session;
19 extern radiust *radius;
20 extern int tunfd;
21 extern char hostname[];
22 extern uint32_t eth_tx;
23 extern time_t time_now;
24 extern configt *config;
25
26 static void initccp(tunnelidt t, sessionidt s);
27 static uint8_t *add_lcp_auth(uint8_t *b, int size, int authtype);
28
29 // Process PAP messages
30 void processpap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
31 {
32 char user[MAXUSER];
33 char pass[MAXPASS];
34 uint16_t hl;
35
36 CSTAT(processpap);
37
38 LOG_HEX(5, "PAP", p, l);
39 if (l < 4)
40 {
41 LOG(1, s, t, "Short PAP %u bytes\n", l);
42 STAT(tunnel_rx_errors);
43 sessionshutdown(s, "Short PAP packet.", 3, 0);
44 return;
45 }
46
47 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
48 {
49 LOG(1, s, t, "Length mismatch PAP %u/%u\n", hl, l);
50 STAT(tunnel_rx_errors);
51 sessionshutdown(s, "PAP length mismatch.", 3, 0);
52 return;
53 }
54 l = hl;
55
56 if (*p != 1)
57 {
58 LOG(1, s, t, "Unexpected PAP code %d\n", *p);
59 STAT(tunnel_rx_errors);
60 sessionshutdown(s, "Unexpected PAP code.", 3, 0);
61 return;
62 }
63
64 {
65 uint8_t *b = p;
66 b += 4;
67 user[0] = pass[0] = 0;
68 if (*b && *b < sizeof(user))
69 {
70 memcpy(user, b + 1, *b);
71 user[*b] = 0;
72 b += 1 + *b;
73 if (*b && *b < sizeof(pass))
74 {
75 memcpy(pass, b + 1, *b);
76 pass[*b] = 0;
77 }
78 }
79 LOG(3, s, t, "PAP login %s/%s\n", user, pass);
80 }
81 if (session[s].ip || !sess_local[s].radius)
82 {
83 // respond now, either no RADIUS available or already authenticated
84 uint8_t b[MAXCONTROL];
85 uint8_t id = p[1];
86 uint8_t *p = makeppp(b, sizeof(b), 0, 0, t, s, PPPPAP);
87 if (!p) return;
88
89 if (session[s].ip)
90 *p = 2; // ACK
91 else
92 *p = 3; // cant authorise
93 p[1] = id;
94 *(uint16_t *) (p + 2) = htons(5); // length
95 p[4] = 0; // no message
96 if (session[s].ip)
97 {
98 LOG(3, s, t, "Already an IP allocated: %s (%d)\n",
99 fmtaddr(htonl(session[s].ip), 0), session[s].ip_pool_index);
100
101 session[s].flags &= ~SF_IPCP_ACKED;
102 }
103 else
104 {
105 LOG(1, s, t, "No radius session available to authenticate session...\n");
106 }
107 LOG(3, s, t, "Fallback response to PAP (%s)\n", (session[s].ip) ? "ACK" : "NAK");
108 tunnelsend(b, 5 + (p - b), t); // send it
109 sessionshutdown(s, "PAP authentication failed.", 3, 0);
110 }
111 else
112 {
113 // set up RADIUS request
114 uint16_t r = sess_local[s].radius;
115
116 // Run PRE_AUTH plugins
117 struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
118 run_plugins(PLUGIN_PRE_AUTH, &packet);
119 if (!packet.continue_auth)
120 {
121 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
122 if (packet.username) free(packet.username);
123 if (packet.password) free(packet.password);
124 return;
125 }
126
127 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
128 strncpy(radius[r].pass, packet.password, sizeof(radius[r].pass) - 1);
129
130 free(packet.username);
131 free(packet.password);
132
133 radius[r].id = p[1];
134 LOG(3, s, t, "Sending login for %s/%s to radius\n", user, pass);
135 radiussend(r, RADIUSAUTH);
136 }
137 }
138
139 // Process CHAP messages
140 void processchap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
141 {
142 uint16_t r;
143 uint16_t hl;
144
145 CSTAT(processchap);
146
147 LOG_HEX(5, "CHAP", p, l);
148 r = sess_local[s].radius;
149 if (!r)
150 {
151 LOG(1, s, t, "Unexpected CHAP message\n");
152 STAT(tunnel_rx_errors);
153 sessionshutdown(s, "Unexpected CHAP message.", 3, 0);
154 return;
155 }
156
157 if (l < 4)
158 {
159 LOG(1, s, t, "Short CHAP %u bytes\n", l);
160 STAT(tunnel_rx_errors);
161 sessionshutdown(s, "Short CHAP packet.", 3, 0);
162 return;
163 }
164
165 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
166 {
167 LOG(1, s, t, "Length mismatch CHAP %u/%u\n", hl, l);
168 STAT(tunnel_rx_errors);
169 sessionshutdown(s, "CHAP length mismatch.", 3, 0);
170 return;
171 }
172 l = hl;
173
174 if (*p != 2)
175 {
176 LOG(1, s, t, "Unexpected CHAP response code %d\n", *p);
177 STAT(tunnel_rx_errors);
178 sessionshutdown(s, "CHAP length mismatch.", 3, 0);
179 return;
180 }
181 if (p[1] != radius[r].id)
182 {
183 LOG(1, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
184 STAT(tunnel_rx_errors);
185 sessionshutdown(s, "Unexpected CHAP response ID.", 3, 0);
186 return;
187 }
188
189 if (l < 5 || p[4] != 16)
190 {
191 LOG(1, s, t, "Bad CHAP response length %d\n", l < 5 ? -1 : p[4]);
192 STAT(tunnel_rx_errors);
193 sessionshutdown(s, "Bad CHAP response length.", 3, 0);
194 return;
195 }
196
197 l -= 5;
198 p += 5;
199 if (l < 16 || l - 16 >= sizeof(session[s].user))
200 {
201 LOG(1, s, t, "CHAP user too long %d\n", l - 16);
202 STAT(tunnel_rx_errors);
203 sessionshutdown(s, "CHAP username too long.", 3, 0);
204 return;
205 }
206
207 // Run PRE_AUTH plugins
208 {
209 struct param_pre_auth packet = { &tunnel[t], &session[s], NULL, NULL, PPPCHAP, 1 };
210
211 packet.password = calloc(17, 1);
212 memcpy(packet.password, p, 16);
213
214 p += 16;
215 l -= 16;
216
217 packet.username = calloc(l + 1, 1);
218 memcpy(packet.username, p, l);
219
220 run_plugins(PLUGIN_PRE_AUTH, &packet);
221 if (!packet.continue_auth)
222 {
223 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
224 if (packet.username) free(packet.username);
225 if (packet.password) free(packet.password);
226 return;
227 }
228
229 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
230 memcpy(radius[r].pass, packet.password, 16);
231
232 free(packet.username);
233 free(packet.password);
234 }
235
236 radius[r].chap = 1;
237 LOG(3, s, t, "CHAP login %s\n", session[s].user);
238 radiussend(r, RADIUSAUTH);
239 }
240
241 static void dumplcp(uint8_t *p, int l)
242 {
243 int x = l - 4;
244 uint8_t *o = (p + 4);
245
246 LOG_HEX(5, "PPP LCP Packet", p, l);
247 LOG(4, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_type((int)*p), ntohs( ((uint16_t *) p)[1]) );
248 LOG(4, 0, 0, "Length: %d\n", l);
249 if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
250 return;
251
252 while (x > 2)
253 {
254 int type = o[0];
255 int length = o[1];
256 if (length < 2)
257 {
258 LOG(4, 0, 0, " Option length is %d...\n", length);
259 break;
260 }
261 if (type == 0)
262 {
263 LOG(4, 0, 0, " Option type is 0...\n");
264 x -= length;
265 o += length;
266 continue;
267 }
268 switch (type)
269 {
270 case 1: // Maximum-Receive-Unit
271 if (length == 4)
272 LOG(4, 0, 0, " %s %d\n", lcp_type(type), ntohs(*(uint16_t *)(o + 2)));
273 else
274 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
275 break;
276 case 2: // Async-Control-Character-Map
277 if (length == 6)
278 {
279 uint32_t asyncmap = ntohl(*(uint32_t *)(o + 2));
280 LOG(4, 0, 0, " %s %x\n", lcp_type(type), asyncmap);
281 }
282 else
283 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
284 break;
285 case 3: // Authentication-Protocol
286 if (length == 4)
287 {
288 int proto = ntohs(*(uint16_t *)(o + 2));
289 LOG(4, 0, 0, " %s 0x%x (%s)\n", lcp_type(type), proto,
290 proto == PPPPAP ? "PAP" : "UNSUPPORTED");
291 }
292 else if (length == 5)
293 {
294 int proto = ntohs(*(uint16_t *)(o + 2));
295 int algo = *(uint8_t *)(o + 4);
296 LOG(4, 0, 0, " %s 0x%x 0x%x (%s)\n", lcp_type(type), proto, algo,
297 (proto == PPPCHAP && algo == 5) ? "CHAP MD5" : "UNSUPPORTED");
298 }
299 else
300 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
301 break;
302 case 4: // Quality-Protocol
303 {
304 uint32_t qp = ntohl(*(uint32_t *)(o + 2));
305 LOG(4, 0, 0, " %s %x\n", lcp_type(type), qp);
306 }
307 break;
308 case 5: // Magic-Number
309 if (length == 6)
310 {
311 uint32_t magicno = ntohl(*(uint32_t *)(o + 2));
312 LOG(4, 0, 0, " %s %x\n", lcp_type(type), magicno);
313 }
314 else
315 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
316 break;
317 case 7: // Protocol-Field-Compression
318 case 8: // Address-And-Control-Field-Compression
319 LOG(4, 0, 0, " %s\n", lcp_type(type));
320 break;
321 default:
322 LOG(2, 0, 0, " Unknown PPP LCP Option type %d\n", type);
323 break;
324 }
325 x -= length;
326 o += length;
327 }
328 }
329
330 // Process LCP messages
331 void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
332 {
333 uint8_t b[MAXCONTROL];
334 uint8_t *q = NULL;
335 uint32_t magicno = 0;
336 uint16_t hl;
337
338 CSTAT(processlcp);
339
340 LOG_HEX(5, "LCP", p, l);
341 if (l < 4)
342 {
343 LOG(1, s, t, "Short LCP %d bytes\n", l);
344 STAT(tunnel_rx_errors);
345 return ;
346 }
347
348 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
349 {
350 LOG(1, s, t, "Length mismatch LCP %u/%u\n", hl, l);
351 STAT(tunnel_rx_errors);
352 return ;
353 }
354 l = hl;
355
356 if (*p == ConfigAck)
357 {
358 int x = l - 4;
359 uint8_t *o = (p + 4);
360 int authtype = 0;
361
362 LOG(3, s, t, "LCP: ConfigAck (%d bytes)...\n", l);
363 if (config->debug > 3) dumplcp(p, l);
364
365 while (x > 2)
366 {
367 int type = o[0];
368 int length = o[1];
369
370 if (length == 0 || type == 0 || x < length) break;
371 switch (type)
372 {
373 case 3: // Authentication-Protocol
374 {
375 int proto = ntohs(*(uint16_t *)(o + 2));
376 if (proto == PPPCHAP && *(o + 4) == 5)
377 sendchap(t, s);
378 }
379
380 break;
381 }
382 x -= length;
383 o += length;
384 }
385
386 session[s].flags |= SF_LCP_ACKED;
387 }
388 else if (*p == ConfigReq)
389 {
390 int x = l - 4;
391 uint8_t *o = (p + 4);
392 uint8_t *response = 0;
393
394 LOG(3, s, t, "LCP: ConfigReq (%d bytes)...\n", l);
395 if (config->debug > 3) dumplcp(p, l);
396
397 while (x > 2)
398 {
399 int type = o[0];
400 int length = o[1];
401
402 if (length == 0 || type == 0 || x < length) break;
403 switch (type)
404 {
405 case 1: // Maximum-Receive-Unit
406 session[s].mru = ntohs(*(uint16_t *)(o + 2));
407 break;
408
409 case 2: // Async-Control-Character-Map
410 if (!ntohl(*(uint32_t *)(o + 2))) // all bits zero is OK
411 break;
412
413 if (response && *response != ConfigNak) // rej already queued
414 break;
415
416 LOG(2, s, t, " Remote requesting asyncmap. Rejecting.\n");
417 if (!response)
418 {
419 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
420 if (!q) break;
421 *q = ConfigNak;
422 q += 4;
423 }
424
425 if ((q - b + 11) > sizeof(b))
426 {
427 LOG(2, s, t, "LCP overflow for asyncmap ConfigNak.\n");
428 break;
429 }
430
431 *q++ = type;
432 *q++ = 6;
433 memset(q, 0, 4); // asyncmap 0
434 q += 4;
435 break;
436
437 case 3: // Authentication-Protocol
438 {
439 int proto = ntohs(*(uint16_t *)(o + 2));
440 char proto_name[] = "0x0000";
441 uint8_t *a;
442
443 if (proto == PPPPAP)
444 {
445 if (config->radius_authtypes & AUTHPAP)
446 break;
447
448 strcpy(proto_name, "PAP");
449 }
450 else if (proto == PPPCHAP)
451 {
452 if (config->radius_authtypes & AUTHCHAP
453 && *(o + 4) == 5) // MD5
454 break;
455
456 strcpy(proto_name, "CHAP");
457 }
458 else
459 sprintf(proto_name, "%#4.4x", proto);
460
461 if (response && *response != ConfigNak) // rej already queued
462 break;
463
464 LOG(2, s, t, " Remote requesting %s authentication. Rejecting.\n", proto_name);
465
466 if (!response)
467 {
468 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
469 if (!q) break;
470 *q = ConfigNak;
471 q += 4;
472 }
473
474 a = add_lcp_auth(q, sizeof(b) - (q - b), config->radius_authprefer);
475 if (!a)
476 {
477 LOG(2, s, t, "LCP overflow for %s ConfigNak.\n", proto_name);
478 break;
479 }
480
481 q = a;
482
483 if (config->radius_authtypes != config->radius_authprefer)
484 {
485 a = add_lcp_auth(q, sizeof(b) - (q - b), config->radius_authtypes & ~config->radius_authprefer);
486 if (!a)
487 {
488 LOG(2, s, t, "LCP overflow for %s ConfigNak.\n", proto_name);
489 break;
490 }
491
492 q = a;
493 }
494
495 break;
496 }
497 break;
498
499 case 5: // Magic-Number
500 magicno = ntohl(*(uint32_t *)(o + 2));
501 break;
502
503 case 4: // Quality-Protocol
504 case 7: // Protocol-Field-Compression
505 case 8: // Address-And-Control-Field-Compression
506 break;
507
508 default: // Reject any unknown options
509 LOG(2, s, t, " Rejecting PPP LCP Option type %d\n", type);
510 if (!response || *response != ConfigRej) // drop nak in favour of rej
511 {
512 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
513 if (!q) break;
514 *q = ConfigRej;
515 q += 4;
516 }
517
518 if ((q - b + length) > sizeof(b))
519 {
520 LOG(2, s, t, "LCP overflow for ConfigRej (type=%d).\n", type);
521 break;
522 }
523
524 memcpy(q, o, length);
525 q += length;
526 }
527 x -= length;
528 o += length;
529 }
530
531 if (response)
532 {
533 l = q - response; // LCP packet length
534 *((uint16_t *) (response + 2)) = htons(l); // update header
535 }
536 else
537 {
538 // Send packet back as ConfigAck
539 response = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
540 if (!response) return;
541 *response = ConfigAck;
542 }
543
544 LOG(3, s, t, "Sending %s\n", ppp_lcp_type(*response));
545 tunnelsend(b, l + response - b, t);
546
547 if (!(session[s].flags & SF_LCP_ACKED))
548 sendlcp(t, s, config->radius_authprefer);
549 }
550 else if (*p == ConfigNak)
551 {
552 int x = l - 4;
553 uint8_t *o = (p + 4);
554 int authtype = 0;
555
556 LOG(3, s, t, "LCP: ConfigNak (%d bytes)...\n", l);
557 if (config->debug > 3) dumplcp(p, l);
558
559 while (x > 2)
560 {
561 int type = o[0];
562 int length = o[1];
563
564 if (length == 0 || type == 0 || x < length) break;
565 switch (type)
566 {
567 case 1: // Maximum-Receive-Unit
568 session[s].mru = ntohs(*(uint16_t *)(o + 2));
569 LOG(3, s, t, " Remote requested MRU of %u\n", session[s].mru);
570 break;
571
572 case 3: // Authentication-Protocol
573 if (authtype)
574 break;
575
576 {
577 int proto = ntohs(*(uint16_t *)(o + 2));
578 if (proto == PPPPAP)
579 {
580 authtype = config->radius_authtypes & AUTHPAP;
581 LOG(3, s, t, " Remote requested PAP authentication...%sing\n",
582 authtype ? "accept" : "reject");
583 }
584 else if (proto == PPPCHAP && *(o + 4) == 5)
585 {
586 authtype = config->radius_authtypes & AUTHCHAP;
587 LOG(3, s, t, " Remote requested CHAP authentication...%sing\n",
588 authtype ? "accept" : "reject");
589 }
590 else
591 {
592 LOG(3, s, t, " Rejecting unsupported authentication %#4x\n",
593 proto);
594 }
595 }
596
597 if (!authtype)
598 {
599 sessionshutdown(s, "Unsupported authentication.", 3, 0);
600 return;
601 }
602
603 break;
604
605 default:
606 LOG(2, s, t, " Remote NAKed LCP type %u?\n", type);
607 break;
608 }
609 }
610
611 if (!authtype)
612 authtype = config->radius_authprefer;
613
614 sendlcp(t, s, authtype);
615 }
616 else if (*p == TerminateReq)
617 {
618 LOG(3, s, t, "LCP: Received TerminateReq. Sending TerminateAck\n");
619 *p = TerminateAck; // close
620 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
621 if (!q) return;
622 tunnelsend(b, l + (q - b), t); // send it
623 sessionshutdown(s, "Remote end closed connection.", 3, 0);
624 }
625 else if (*p == TerminateAck)
626 {
627 sessionshutdown(s, "Connection closed.", 3, 0);
628 }
629 else if (*p == ProtocolRej)
630 {
631 if (*(uint16_t *) (p+4) == htons(PPPIPV6CP))
632 {
633 LOG(3, s, t, "IPv6 rejected\n");
634 session[s].flags |= SF_IPV6_NACKED;
635 }
636 else
637 {
638 LOG(1, s, t, "Unexpected LCP protocol reject 0x%X\n",
639 ntohs(*(uint16_t *) (p+4)));
640 STAT(tunnel_rx_errors);
641 }
642 }
643 else if (*p == EchoReq)
644 {
645 LOG(5, s, t, "LCP: Received EchoReq. Sending EchoReply\n");
646 *p = EchoReply; // reply
647 *(uint32_t *) (p + 4) = htonl(session[s].magic); // our magic number
648 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
649 if (!q) return;
650 tunnelsend(b, l + (q - b), t); // send it
651 }
652 else if (*p == EchoReply)
653 {
654 // Ignore it, last_packet time is set earlier than this.
655 }
656 else if (*p == IdentRequest)
657 {
658 *p = CodeRej;
659 if (l > MAXCONTROL)
660 {
661 LOG(1, s, t, "Truncated Ident Packet (length=%d) to 1400 bytes\n", l);
662 l = 1400;
663 }
664 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
665 if (!q) return;
666 LOG_HEX(5, "LCPIdentRej", q, l + 4);
667 tunnelsend(b, 12 + 4 + l, t);
668 }
669 else
670 {
671 LOG(1, s, t, "Unexpected LCP code %d\n", *p);
672 STAT(tunnel_rx_errors);
673 }
674 }
675
676 // find a PPP option, returns point to option, or 0 if not found
677 static uint8_t *findppp(uint8_t *b, uint8_t mtype)
678 {
679 uint16_t l = ntohs(*(uint16_t *) (b + 2));
680 if (l < 4)
681 return 0;
682 b += 4;
683 l -= 4;
684 while (l)
685 {
686 if (l < b[1] || !b[1])
687 return 0; // faulty
688 if (*b == mtype)
689 return b;
690 l -= b[1];
691 b += b[1];
692 }
693 return 0;
694 }
695
696 // Process IPCP messages
697 void processipcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
698 {
699 uint16_t hl;
700
701 CSTAT(processipcp);
702
703 LOG_HEX(5, "IPCP", p, l);
704 if (l < 5)
705 {
706 LOG(1, s, t, "Short IPCP %d bytes\n", l);
707 STAT(tunnel_rx_errors);
708 return ;
709 }
710
711 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
712 {
713 LOG(1, s, t, "Length mismatch IPCP %u/%u\n", hl, l);
714 STAT(tunnel_rx_errors);
715 return ;
716 }
717 l = hl;
718
719 if (*p == ConfigAck)
720 {
721 // happy with our IPCP
722 uint16_t r = sess_local[s].radius;
723 if ((!r || radius[r].state == RADIUSIPCP) && !session[s].walled_garden)
724 {
725 if (!r)
726 r = radiusnew(s);
727 if (r)
728 radiussend(r, RADIUSSTART); // send radius start, having got IPCP at last
729 }
730 session[s].flags |= SF_IPCP_ACKED;
731
732 LOG(3, s, t, "IPCP Acked, session is now active\n");
733
734 // clear LCP_ACKED/CCP_ACKED flag for possible fast renegotiaion for routers
735 session[s].flags &= ~(SF_LCP_ACKED|SF_CCP_ACKED);
736
737 return;
738 }
739 if (*p != ConfigReq)
740 {
741 LOG(1, s, t, "Unexpected IPCP code %d\n", *p);
742 STAT(tunnel_rx_errors);
743 return ;
744 }
745 LOG(4, s, t, "IPCP ConfigReq received\n");
746
747 if (!session[s].ip)
748 {
749 LOG(3, s, t, "Waiting on radius reply\n");
750 return; // have to wait on RADIUS reply
751 }
752 // form a config reply quoting the IP in the session
753 {
754 uint8_t b[MAXCONTROL];
755 uint8_t *i, *q;
756
757 q = p + 4;
758 i = p + l;
759 while (q < i && q[1])
760 {
761 if (*q != 0x81 && *q != 0x83 && *q != 3)
762 break;
763 q += q[1];
764 }
765 if (q < i)
766 {
767 // reject
768 uint16_t n = 4;
769 i = p + l;
770 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
771 return;
772
773 *q = ConfigRej;
774 p += 4;
775 while (p < i && p[1])
776 {
777 if (*p != 0x81 && *p != 0x83 && *p != 3)
778 {
779 LOG(2, s, t, "IPCP reject %d\n", *p);
780 memcpy(q + n, p, p[1]);
781 n += p[1];
782 }
783 p += p[1];
784 }
785 *(uint16_t *) (q + 2) = htons(n);
786 LOG(4, s, t, "Sending ConfigRej\n");
787 tunnelsend(b, n + (q - b), t); // send it
788 }
789 else
790 {
791 LOG(4, s, t, "Sending ConfigAck\n");
792 *p = ConfigAck;
793 if ((i = findppp(p, 0x81))) // Primary DNS address
794 {
795 if (*(uint32_t *) (i + 2) != htonl(session[s].dns1))
796 {
797 *(uint32_t *) (i + 2) = htonl(session[s].dns1);
798 *p = ConfigNak;
799 LOG(5, s, t, " DNS1 = %s\n",
800 fmtaddr(htonl(session[s].dns1), 0));
801 }
802 }
803 if ((i = findppp(p, 0x83))) // Secondary DNS address (TBA, is it)
804 {
805 if (*(uint32_t *) (i + 2) != htonl(session[s].dns2))
806 {
807 *(uint32_t *) (i + 2) = htonl(session[s].dns2);
808 *p = ConfigNak;
809 LOG(5, s, t, " DNS2 = %s\n",
810 fmtaddr(htonl(session[s].dns2), 0));
811 }
812 }
813 i = findppp(p, 3); // IP address
814 if (!i || i[1] != 6)
815 {
816 LOG(1, s, t, "No IP in IPCP request\n");
817 STAT(tunnel_rx_errors);
818 return ;
819 }
820 if (*(uint32_t *) (i + 2) != htonl(session[s].ip))
821 {
822 *(uint32_t *) (i + 2) = htonl(session[s].ip);
823 *p = ConfigNak;
824 LOG(4, s, t, " No, a ConfigNak, client is requesting IP - sending %s\n",
825 fmtaddr(htonl(session[s].ip), 0));
826 }
827 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
828 return;
829
830 tunnelsend(b, l + (q - b), t); // send it
831 }
832 }
833 }
834
835 // Process IPV6CP messages
836 void processipv6cp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
837 {
838
839 CSTAT(processipv6cp);
840
841 LOG_HEX(5, "IPV6CP", p, l);
842 if (l < 4)
843 {
844 LOG(1, s, t, "Short IPV6CP %d bytes\n", l);
845 STAT(tunnel_rx_errors);
846 return ;
847 }
848 if (*p == ConfigAck)
849 {
850 // happy with our IPV6CP
851 session[s].flags |= SF_IPV6CP_ACKED;
852
853 LOG(3, s, t, "IPV6CP Acked, IPv6 is now active\n");
854 // Add a routed block if configured.
855 if (session[s].ipv6prefixlen)
856 {
857 route6set(s, session[s].ipv6route, session[s].ipv6prefixlen, 1);
858 session[s].flags |= SF_IPV6_ROUTED;
859 }
860
861 // Send an initial RA (TODO: Should we send these regularly?)
862 send_ipv6_ra(t, s, NULL);
863 return;
864 }
865 if (*p != ConfigReq)
866 {
867 LOG(1, s, t, "Unexpected IPV6CP code %d\n", *p);
868 STAT(tunnel_rx_errors);
869 return;
870 }
871
872 LOG(4, s, t, "IPV6CP ConfigReq received\n");
873 if (ntohs(*(uint16_t *) (p + 2)) > l)
874 {
875 LOG(1, s, t, "Length mismatch IPV6CP %d/%d\n", ntohs(*(uint16_t *) (p + 2)), l);
876 STAT(tunnel_rx_errors);
877 return ;
878 }
879 if (!session[s].ip)
880 {
881 LOG(3, s, t, "Waiting on radius reply\n");
882 return; // have to wait on RADIUS reply
883 }
884 // form a config reply quoting the IP in the session
885 {
886 uint8_t b[MAXCONTROL];
887 uint8_t *i,
888 *q;
889
890 l = ntohs(*(uint16_t *) (p + 2)); // We must use length from IPV6CP len field
891 q = p + 4;
892 i = p + l;
893 while (q < i && q[1])
894 {
895 if (*q != 1)
896 break;
897 q += q[1];
898 }
899 if (q < i)
900 {
901 // reject
902 uint16_t n = 4;
903 i = p + l;
904 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPV6CP)))
905 {
906 LOG(2, s, t, "Failed to send IPV6CP ConfigRej\n");
907 return;
908 }
909 *q = ConfigRej;
910 p += 4;
911 while (p < i && p[1])
912 {
913 if (*p != 1)
914 {
915 LOG(2, s, t, "IPV6CP reject %d\n", *p);
916 memcpy(q + n, p, p[1]);
917 n += p[1];
918 }
919 p += p[1];
920 }
921 *(uint16_t *) (q + 2) = htons(n);
922 LOG(4, s, t, "Sending ConfigRej\n");
923 tunnelsend(b, n + (q - b), t); // send it
924 }
925 else
926 {
927 LOG(4, s, t, "Sending ConfigAck\n");
928 *p = ConfigAck;
929 i = findppp(p, 1); // IP address
930 if (!i || i[1] != 10)
931 {
932 LOG(1, s, t, "No IP in IPV6CP request\n");
933 STAT(tunnel_rx_errors);
934 return ;
935 }
936 if ((*(uint32_t *) (i + 2) != htonl(session[s].ip)) ||
937 (*(uint32_t *) (i + 6) != 0))
938 {
939 *(uint32_t *) (i + 2) = htonl(session[s].ip);
940 *(uint32_t *) (i + 6) = 0;
941 *p = ConfigNak;
942 LOG(4, s, t,
943 " No, a ConfigNak, client is "
944 "requesting IP - sending %s\n",
945 fmtaddr(htonl(session[s].ip), 0));
946 }
947 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPV6CP)))
948 {
949 LOG(2, s, t, " Failed to send IPV6CP packet.\n");
950 return;
951 }
952 tunnelsend(b, l + (q - b), t); // send it
953 }
954 }
955 }
956
957 // process IP packet received
958 //
959 // This MUST be called with at least 4 byte behind 'p'.
960 // (i.e. this routine writes to p[-4]).
961 void processipin(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
962 {
963 in_addr_t ip;
964
965 CSTAT(processipin);
966
967 LOG_HEX(5, "IP", p, l);
968
969 ip = ntohl(*(uint32_t *)(p + 12));
970
971 if (l > MAXETHER)
972 {
973 LOG(1, s, t, "IP packet too long %d\n", l);
974 STAT(tunnel_rx_errors);
975 return ;
976 }
977
978 // no spoof (do sessionbyip to handled statically routed subnets)
979 if (ip != session[s].ip && sessionbyip(htonl(ip)) != s)
980 {
981 LOG(5, s, t, "Dropping packet with spoofed IP %s\n", fmtaddr(htonl(ip), 0));
982 return;
983 }
984
985 // run access-list if any
986 if (session[s].filter_in && !ip_filter(p, l, session[s].filter_in - 1))
987 return;
988
989 // Add on the tun header
990 p -= 4;
991 *(uint32_t *) p = htonl(PKTIP);
992 l += 4;
993
994 // Are we throttled and a slave?
995 if (session[s].tbf_in && !config->cluster_iam_master) {
996 // Pass it to the master for handling.
997 master_throttle_packet(session[s].tbf_in, p, l);
998 return;
999 }
1000
1001 // Are we throttled and a master??
1002 if (session[s].tbf_in && config->cluster_iam_master) {
1003 // Actually handle the throttled packets.
1004 tbf_queue_packet(session[s].tbf_in, p, l);
1005 return;
1006 }
1007
1008 // send to ethernet
1009 if (tun_write(p, l) < 0)
1010 {
1011 STAT(tun_tx_errors);
1012 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
1013 l, strerror(errno), tunfd, p);
1014
1015 return;
1016 }
1017
1018 if (session[s].snoop_ip && session[s].snoop_port)
1019 {
1020 // Snooping this session
1021 snoop_send_packet(p + 4, l - 4, session[s].snoop_ip, session[s].snoop_port);
1022 }
1023
1024 session[s].cin += l - 4;
1025 session[s].total_cin += l - 4;
1026 sess_local[s].cin += l - 4;
1027
1028 session[s].pin++;
1029 eth_tx += l - 4;
1030
1031 STAT(tun_tx_packets);
1032 INC_STAT(tun_tx_bytes, l - 4);
1033 }
1034
1035 // process IPv6 packet received
1036 //
1037 // This MUST be called with at least 4 byte behind 'p'.
1038 // (i.e. this routine writes to p[-4]).
1039 void processipv6in(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
1040 {
1041 struct in6_addr ip;
1042 in_addr_t ipv4;
1043
1044 CSTAT(processipv6in);
1045
1046 LOG_HEX(5, "IPv6", p, l);
1047
1048 ip = *(struct in6_addr *) (p + 8);
1049 ipv4 = ntohl(*(uint32_t *)(p + 16));
1050
1051 if (l > MAXETHER)
1052 {
1053 LOG(1, s, t, "IP packet too long %d\n", l);
1054 STAT(tunnel_rx_errors);
1055 return ;
1056 }
1057
1058 // no spoof
1059 if (ipv4 != session[s].ip && memcmp(&config->ipv6_prefix, &ip, 8) && sessionbyipv6(ip) != s)
1060 {
1061 char str[INET6_ADDRSTRLEN];
1062 LOG(5, s, t, "Dropping packet with spoofed IP %s\n",
1063 inet_ntop(AF_INET6, &ip, str, INET6_ADDRSTRLEN));
1064 return;
1065 }
1066
1067 // Check if it's a Router Solicition message.
1068 if (*(p + 6) == 58 && *(p + 7) == 255 && *(p + 24) == 0xFF && *(p + 25) == 2 &&
1069 *(uint32_t *)(p + 26) == 0 && *(uint32_t *)(p + 30) == 0 &&
1070 *(uint32_t *)(p + 34) == 0 &&
1071 *(p + 38) == 0 && *(p + 39) == 2 && *(p + 40) == 133) {
1072 LOG(3, s, t, "Got IPv6 RS\n");
1073 send_ipv6_ra(t, s, &ip);
1074 return;
1075 }
1076
1077 // Add on the tun header
1078 p -= 4;
1079 *(uint32_t *) p = htonl(PKTIPV6);
1080 l += 4;
1081
1082 // Are we throttled and a slave?
1083 if (session[s].tbf_in && !config->cluster_iam_master) {
1084 // Pass it to the master for handling.
1085 master_throttle_packet(session[s].tbf_in, p, l);
1086 return;
1087 }
1088
1089 // Are we throttled and a master??
1090 if (session[s].tbf_in && config->cluster_iam_master) {
1091 // Actually handle the throttled packets.
1092 tbf_queue_packet(session[s].tbf_in, p, l);
1093 return;
1094 }
1095
1096 // send to ethernet
1097 if (tun_write(p, l) < 0)
1098 {
1099 STAT(tun_tx_errors);
1100 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
1101 l, strerror(errno), tunfd, p);
1102
1103 return;
1104 }
1105
1106 if (session[s].snoop_ip && session[s].snoop_port)
1107 {
1108 // Snooping this session
1109 snoop_send_packet(p + 4, l - 4, session[s].snoop_ip, session[s].snoop_port);
1110 }
1111
1112 session[s].cin += l - 4;
1113 session[s].total_cin += l - 4;
1114 sess_local[s].cin += l - 4;
1115
1116 session[s].pin++;
1117 eth_tx += l - 4;
1118
1119 STAT(tun_tx_packets);
1120 INC_STAT(tun_tx_bytes, l - 4);
1121 }
1122
1123 //
1124 // Helper routine for the TBF filters.
1125 // Used to send queued data in from the user.
1126 //
1127 void send_ipin(sessionidt s, uint8_t *buf, int len)
1128 {
1129 LOG_HEX(5, "IP in throttled", buf, len);
1130
1131 if (write(tunfd, buf, len) < 0)
1132 {
1133 STAT(tun_tx_errors);
1134 LOG(0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
1135 len, strerror(errno), tunfd, buf);
1136
1137 return;
1138 }
1139
1140 if (session[s].snoop_ip && session[s].snoop_port)
1141 {
1142 // Snooping this session
1143 snoop_send_packet(buf + 4, len - 4, session[s].snoop_ip, session[s].snoop_port);
1144 }
1145
1146 // Increment packet counters
1147 session[s].cin += len - 4;
1148 session[s].total_cin += len - 4;
1149 sess_local[s].cin += len - 4;
1150
1151 session[s].pin++;
1152 eth_tx += len - 4;
1153
1154 STAT(tun_tx_packets);
1155 INC_STAT(tun_tx_bytes, len - 4);
1156 }
1157
1158
1159 // Process CCP messages
1160 void processccp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
1161 {
1162 uint8_t b[MAXCONTROL];
1163 uint8_t *q;
1164
1165 CSTAT(processccp);
1166
1167 LOG_HEX(5, "CCP", p, l);
1168 switch (l > 1 ? *p : 0)
1169 {
1170 case ConfigAck:
1171 session[s].flags |= SF_CCP_ACKED;
1172 return;
1173
1174 case ConfigReq:
1175 if (l < 6) // accept no compression
1176 {
1177 *p = ConfigAck;
1178 break;
1179 }
1180
1181 // compression requested--reject
1182 *p = ConfigRej;
1183
1184 // send CCP request for no compression for our end if not negotiated
1185 if (!(session[s].flags & SF_CCP_ACKED))
1186 initccp(t, s);
1187
1188 break;
1189
1190 case TerminateReq:
1191 *p = TerminateAck;
1192 break;
1193
1194 default:
1195 if (l > 1)
1196 LOG(1, s, t, "Unexpected CCP request code %d\n", *p);
1197 else
1198 LOG(1, s, t, "Short CCP packet\n");
1199
1200 STAT(tunnel_rx_errors);
1201 return;
1202 }
1203
1204 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPCCP)))
1205 return;
1206
1207 tunnelsend(b, l + (q - b), t); // send it
1208 }
1209
1210 // send a CHAP challenge
1211 void sendchap(tunnelidt t, sessionidt s)
1212 {
1213 uint8_t b[MAXCONTROL];
1214 uint16_t r = sess_local[s].radius;
1215 uint8_t *q;
1216
1217 CSTAT(sendchap);
1218
1219 if (!r)
1220 {
1221 LOG(1, s, t, "No RADIUS to send challenge\n");
1222 STAT(tunnel_tx_errors);
1223 return;
1224 }
1225
1226 LOG(1, s, t, "Send CHAP challenge\n");
1227
1228 radius[r].chap = 1; // CHAP not PAP
1229 radius[r].id++;
1230 if (radius[r].state != RADIUSCHAP)
1231 radius[r].try = 0;
1232
1233 radius[r].state = RADIUSCHAP;
1234 radius[r].retry = backoff(radius[r].try++);
1235 if (radius[r].try > 5)
1236 {
1237 sessionshutdown(s, "CHAP timeout.", 3, 0);
1238 STAT(tunnel_tx_errors);
1239 return ;
1240 }
1241 q = makeppp(b, sizeof(b), 0, 0, t, s, PPPCHAP);
1242 if (!q) return;
1243
1244 *q = 1; // challenge
1245 q[1] = radius[r].id; // ID
1246 q[4] = 16; // value size (size of challenge)
1247 memcpy(q + 5, radius[r].auth, 16); // challenge
1248 strcpy(q + 21, hostname); // our name
1249 *(uint16_t *) (q + 2) = htons(strlen(hostname) + 21); // length
1250 tunnelsend(b, strlen(hostname) + 21 + (q - b), t); // send it
1251 }
1252
1253 // fill in a L2TP message with a PPP frame,
1254 // copies existing PPP message and changes magic number if seen
1255 // returns start of PPP frame
1256 uint8_t *makeppp(uint8_t *b, int size, uint8_t *p, int l, tunnelidt t, sessionidt s, uint16_t mtype)
1257 {
1258 if (size < 12) // Need more space than this!!
1259 {
1260 static int backtrace_count = 0;
1261 LOG(0, s, t, "makeppp buffer too small for L2TP header (size=%d)\n", size);
1262 log_backtrace(backtrace_count, 5)
1263 return NULL;
1264 }
1265
1266 *(uint16_t *) (b + 0) = htons(0x0002); // L2TP with no options
1267 *(uint16_t *) (b + 2) = htons(tunnel[t].far); // tunnel
1268 *(uint16_t *) (b + 4) = htons(session[s].far); // session
1269 b += 6;
1270 if (mtype == PPPLCP || !(session[s].l2tp_flags & SESSIONACFC))
1271 {
1272 *(uint16_t *) b = htons(0xFF03); // HDLC header
1273 b += 2;
1274 }
1275 if (mtype < 0x100 && session[s].l2tp_flags & SESSIONPFC)
1276 *b++ = mtype;
1277 else
1278 {
1279 *(uint16_t *) b = htons(mtype);
1280 b += 2;
1281 }
1282
1283 if (l + 12 > size)
1284 {
1285 static int backtrace_count = 0;
1286 LOG(2, s, t, "makeppp would overflow buffer (size=%d, header+payload=%d)\n", size, l + 12);
1287 log_backtrace(backtrace_count, 5)
1288 return NULL;
1289 }
1290
1291 if (p && l)
1292 memcpy(b, p, l);
1293
1294 return b;
1295 }
1296
1297 static uint8_t *add_lcp_auth(uint8_t *b, int size, int authtype)
1298 {
1299 if ((authtype == AUTHCHAP && size < 5) || size < 4)
1300 return 0;
1301
1302 *b++ = 3; // Authentication-Protocol
1303 if (authtype == AUTHCHAP)
1304 {
1305 *b++ = 5; // length
1306 *(uint16_t *) b = htons(PPPCHAP); b += 2;
1307 *b++ = 5; // MD5
1308 }
1309 else if (authtype == AUTHPAP)
1310 {
1311 *b++ = 4; // length
1312 *(uint16_t *) b = htons(PPPPAP); b += 2;
1313 }
1314 else
1315 {
1316 LOG(0, 0, 0, "add_lcp_auth called with unsupported auth type %d\n", authtype);
1317 }
1318
1319 return b;
1320 }
1321
1322 // Send initial LCP ConfigReq for MRU, authentication type and magic no
1323 void sendlcp(tunnelidt t, sessionidt s, int authtype)
1324 {
1325 char b[500], *q, *l;
1326
1327 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP)))
1328 return;
1329
1330 LOG(4, s, t, "Sending LCP ConfigReq for %s\n",
1331 config->radius_authprefer == AUTHCHAP ? "CHAP" : "PAP");
1332
1333 if (!session[s].mru)
1334 session[s].mru = DEFAULT_MRU;
1335
1336 l = q;
1337 *l++ = ConfigReq;
1338 *l++ = (time_now % 255) + 1; // ID
1339
1340 l += 2; //Save space for length
1341
1342 *l++ = 1; *l++ = 4; // Maximum-Receive-Unit (length 4)
1343 *(uint16_t *) l = htons(session[s].mru); l += 2;
1344
1345 l = add_lcp_auth(l, sizeof(b) - (l - b), authtype);
1346
1347 *l++ = 5; *l++ = 6; // Magic-Number (length 6)
1348 *(uint32_t *) l = htonl(session[s].magic);
1349 l += 4;
1350
1351 *(uint16_t *)(q + 2) = htons(l - q); // Length
1352
1353 LOG_HEX(5, "PPPLCP", q, l - q);
1354 tunnelsend(b, (l - b), t);
1355 }
1356
1357 // Send CCP request for no compression
1358 static void initccp(tunnelidt t, sessionidt s)
1359 {
1360 char b[500], *q;
1361
1362 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPCCP)))
1363 return;
1364
1365 LOG(4, s, t, "Sending CCP ConfigReq for no compression\n");
1366 *q = ConfigReq;
1367 *(uint8_t *)(q + 1) = (time_now % 255) + 1; // ID
1368 *(uint16_t *)(q + 2) = htons(4); // Length
1369
1370 LOG_HEX(5, "PPPCCP", q, 4);
1371 tunnelsend(b, (q - b) + 4 , t);
1372 }