bbd22446020e9434b08f835fd19321995ee34132
[l2tpns.git] / ppp.c
1 // L2TPNS PPP Stuff
2
3 #include <stdio.h>
4 #include <string.h>
5 #include <unistd.h>
6 #include <errno.h>
7 #include <stdlib.h>
8 #include "l2tpns.h"
9 #include "constants.h"
10 #include "plugin.h"
11 #include "util.h"
12 #include "tbf.h"
13 #include "cluster.h"
14
15 extern tunnelt *tunnel;
16 extern bundlet *bundle;
17 extern fragmentationt *frag;
18 extern sessiont *session;
19 extern radiust *radius;
20 extern int tunfd;
21 extern char hostname[];
22 extern uint32_t eth_tx;
23 extern time_t time_now;
24 extern configt *config;
25
26 static int add_lcp_auth(uint8_t *b, int size, int authtype);
27 static bundleidt new_bundle(void);
28 static int epdiscmp(epdist, epdist);
29 static void setepdis(epdist *, epdist);
30 static void ipcp_open(sessionidt s, tunnelidt t);
31
32 static int first_session_in_bundle(sessionidt s)
33 {
34 bundleidt i;
35 for (i = 1; i < MAXBUNDLE; i++)
36 if (bundle[i].state != BUNDLEFREE)
37 if (epdiscmp(session[s].epdis,bundle[i].epdis) && !strcmp(session[s].user, bundle[i].user))
38 return 0;
39 return 1;
40 }
41
42 // Process PAP messages
43 void processpap(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
44 {
45 char user[MAXUSER];
46 char pass[MAXPASS];
47 uint16_t hl;
48 uint16_t r;
49
50 CSTAT(processpap);
51
52 LOG_HEX(5, "PAP", p, l);
53 if (l < 4)
54 {
55 LOG(1, s, t, "Short PAP %u bytes\n", l);
56 STAT(tunnel_rx_errors);
57 sessionshutdown(s, "Short PAP packet.", CDN_ADMIN_DISC, TERM_USER_ERROR);
58 return;
59 }
60
61 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
62 {
63 LOG(1, s, t, "Length mismatch PAP %u/%u\n", hl, l);
64 STAT(tunnel_rx_errors);
65 sessionshutdown(s, "PAP length mismatch.", CDN_ADMIN_DISC, TERM_USER_ERROR);
66 return;
67 }
68 l = hl;
69
70 if (*p != 1)
71 {
72 LOG(1, s, t, "Unexpected PAP code %d\n", *p);
73 STAT(tunnel_rx_errors);
74 sessionshutdown(s, "Unexpected PAP code.", CDN_ADMIN_DISC, TERM_USER_ERROR);
75 return;
76 }
77
78 if (session[s].ppp.phase != Authenticate)
79 {
80 LOG(2, s, t, "PAP ignored in %s phase\n", ppp_phase(session[s].ppp.phase));
81 return;
82 }
83
84 {
85 uint8_t *b = p;
86 b += 4;
87 user[0] = pass[0] = 0;
88 if (*b && *b < sizeof(user))
89 {
90 memcpy(user, b + 1, *b);
91 user[*b] = 0;
92 b += 1 + *b;
93 if (*b && *b < sizeof(pass))
94 {
95 memcpy(pass, b + 1, *b);
96 pass[*b] = 0;
97 }
98 }
99 LOG(3, s, t, "PAP login %s/%s\n", user, pass);
100 }
101
102 if (session[s].ip || !(r = radiusnew(s)))
103 {
104 // respond now, either no RADIUS available or already authenticated
105 uint8_t b[MAXETHER];
106 uint8_t id = p[1];
107 uint8_t *p = makeppp(b, sizeof(b), 0, 0, s, t, PPPPAP, 0, 0, 0);
108 if (!p) return;
109
110 if (session[s].ip)
111 *p = 2; // ACK
112 else
113 *p = 3; // cant authorise
114 p[1] = id;
115 *(uint16_t *) (p + 2) = htons(5); // length
116 p[4] = 0; // no message
117 tunnelsend(b, 5 + (p - b), t); // send it
118
119 if (session[s].ip)
120 {
121 LOG(3, s, t, "Already an IP allocated: %s (%d)\n",
122 fmtaddr(htonl(session[s].ip), 0), session[s].ip_pool_index);
123 }
124 else
125 {
126 LOG(1, s, t, "No RADIUS session available to authenticate session...\n");
127 sessionshutdown(s, "No free RADIUS sessions.", CDN_UNAVAILABLE, TERM_SERVICE_UNAVAILABLE);
128 }
129 }
130 else
131 {
132 // Run PRE_AUTH plugins
133 struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
134 run_plugins(PLUGIN_PRE_AUTH, &packet);
135 if (!packet.continue_auth)
136 {
137 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
138 if (packet.username) free(packet.username);
139 if (packet.password) free(packet.password);
140 return;
141 }
142
143 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
144 strncpy(radius[r].pass, packet.password, sizeof(radius[r].pass) - 1);
145
146 free(packet.username);
147 free(packet.password);
148
149 radius[r].id = p[1];
150 LOG(3, s, t, "Sending login for %s/%s to RADIUS\n", user, pass);
151 if ((session[s].mrru) && (!first_session_in_bundle(s)))
152 radiussend(r, RADIUSJUSTAUTH);
153 else
154 radiussend(r, RADIUSAUTH);
155 }
156 }
157
158 // Process CHAP messages
159 void processchap(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
160 {
161 uint16_t r;
162 uint16_t hl;
163
164 CSTAT(processchap);
165
166 LOG_HEX(5, "CHAP", p, l);
167
168 if (l < 4)
169 {
170 LOG(1, s, t, "Short CHAP %u bytes\n", l);
171 STAT(tunnel_rx_errors);
172 sessionshutdown(s, "Short CHAP packet.", CDN_ADMIN_DISC, TERM_USER_ERROR);
173 return;
174 }
175
176 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
177 {
178 LOG(1, s, t, "Length mismatch CHAP %u/%u\n", hl, l);
179 STAT(tunnel_rx_errors);
180 sessionshutdown(s, "CHAP length mismatch.", CDN_ADMIN_DISC, TERM_USER_ERROR);
181 return;
182 }
183 l = hl;
184
185 if (*p != 2)
186 {
187 LOG(1, s, t, "Unexpected CHAP response code %d\n", *p);
188 STAT(tunnel_rx_errors);
189 sessionshutdown(s, "CHAP length mismatch.", CDN_ADMIN_DISC, TERM_USER_ERROR);
190 return;
191 }
192
193 if (session[s].ppp.phase != Authenticate)
194 {
195 LOG(2, s, t, "CHAP ignored in %s phase\n", ppp_phase(session[s].ppp.phase));
196 return;
197 }
198
199 r = sess_local[s].radius;
200 if (!r)
201 {
202 LOG(3, s, t, "Unexpected CHAP message\n");
203
204 // Some modems (Netgear DM602, possibly others) persist in using CHAP even
205 // after ACKing our ConfigReq for PAP.
206 if (sess_local[s].lcp_authtype == AUTHPAP && config->radius_authtypes & AUTHCHAP)
207 {
208 sess_local[s].lcp_authtype = AUTHCHAP;
209 sendchap(s, t);
210 }
211 return;
212 }
213
214 if (p[1] != radius[r].id)
215 {
216 LOG(1, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
217 STAT(tunnel_rx_errors);
218 sessionshutdown(s, "Unexpected CHAP response ID.", CDN_ADMIN_DISC, TERM_USER_ERROR);
219 return;
220 }
221
222 if (l < 5 || p[4] != 16)
223 {
224 LOG(1, s, t, "Bad CHAP response length %d\n", l < 5 ? -1 : p[4]);
225 STAT(tunnel_rx_errors);
226 sessionshutdown(s, "Bad CHAP response length.", CDN_ADMIN_DISC, TERM_USER_ERROR);
227 return;
228 }
229
230 l -= 5;
231 p += 5;
232 if (l < 16 || l - 16 >= sizeof(session[s].user))
233 {
234 LOG(1, s, t, "CHAP user too long %d\n", l - 16);
235 STAT(tunnel_rx_errors);
236 sessionshutdown(s, "CHAP username too long.", CDN_ADMIN_DISC, TERM_USER_ERROR);
237 return;
238 }
239
240 // Run PRE_AUTH plugins
241 {
242 struct param_pre_auth packet = { &tunnel[t], &session[s], NULL, NULL, PPPCHAP, 1 };
243
244 packet.password = calloc(17, 1);
245 memcpy(packet.password, p, 16);
246
247 p += 16;
248 l -= 16;
249
250 packet.username = calloc(l + 1, 1);
251 memcpy(packet.username, p, l);
252
253 run_plugins(PLUGIN_PRE_AUTH, &packet);
254 if (!packet.continue_auth)
255 {
256 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
257 if (packet.username) free(packet.username);
258 if (packet.password) free(packet.password);
259 return;
260 }
261
262 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
263 memcpy(radius[r].pass, packet.password, 16);
264
265 free(packet.username);
266 free(packet.password);
267 }
268
269 radius[r].chap = 1;
270 LOG(3, s, t, "CHAP login %s\n", session[s].user);
271 if ((session[s].mrru) && (!first_session_in_bundle(s)))
272 radiussend(r, RADIUSJUSTAUTH);
273 else
274 radiussend(r, RADIUSAUTH);
275 }
276
277 static void dumplcp(uint8_t *p, int l)
278 {
279 int x = l - 4;
280 uint8_t *o = (p + 4);
281
282 LOG_HEX(5, "PPP LCP Packet", p, l);
283 LOG(4, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_code((int)*p), ntohs( ((uint16_t *) p)[1]) );
284 LOG(4, 0, 0, "Length: %d\n", l);
285 if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
286 return;
287
288 while (x > 2)
289 {
290 int type = o[0];
291 int length = o[1];
292 if (length < 2)
293 {
294 LOG(4, 0, 0, " Option length is %d...\n", length);
295 break;
296 }
297 if (type == 0)
298 {
299 LOG(4, 0, 0, " Option type is 0...\n");
300 x -= length;
301 o += length;
302 continue;
303 }
304 switch (type)
305 {
306 case 1: // Maximum-Receive-Unit
307 if (length == 4)
308 LOG(4, 0, 0, " %s %d\n", ppp_lcp_option(type), ntohs(*(uint16_t *)(o + 2)));
309 else
310 LOG(4, 0, 0, " %s odd length %d\n", ppp_lcp_option(type), length);
311 break;
312 case 2: // Async-Control-Character-Map
313 if (length == 6)
314 {
315 uint32_t asyncmap = ntohl(*(uint32_t *)(o + 2));
316 LOG(4, 0, 0, " %s %x\n", ppp_lcp_option(type), asyncmap);
317 }
318 else
319 LOG(4, 0, 0, " %s odd length %d\n", ppp_lcp_option(type), length);
320 break;
321 case 3: // Authentication-Protocol
322 if (length == 4)
323 {
324 int proto = ntohs(*(uint16_t *)(o + 2));
325 LOG(4, 0, 0, " %s 0x%x (%s)\n", ppp_lcp_option(type), proto,
326 proto == PPPPAP ? "PAP" : "UNSUPPORTED");
327 }
328 else if (length == 5)
329 {
330 int proto = ntohs(*(uint16_t *)(o + 2));
331 int algo = *(o + 4);
332 LOG(4, 0, 0, " %s 0x%x 0x%x (%s)\n", ppp_lcp_option(type), proto, algo,
333 (proto == PPPCHAP && algo == 5) ? "CHAP MD5" : "UNSUPPORTED");
334 }
335 else
336 LOG(4, 0, 0, " %s odd length %d\n", ppp_lcp_option(type), length);
337 break;
338 case 4: // Quality-Protocol
339 {
340 uint32_t qp = ntohl(*(uint32_t *)(o + 2));
341 LOG(4, 0, 0, " %s %x\n", ppp_lcp_option(type), qp);
342 }
343 break;
344 case 5: // Magic-Number
345 if (length == 6)
346 {
347 uint32_t magicno = ntohl(*(uint32_t *)(o + 2));
348 LOG(4, 0, 0, " %s %x\n", ppp_lcp_option(type), magicno);
349 }
350 else
351 LOG(4, 0, 0, " %s odd length %d\n", ppp_lcp_option(type), length);
352 break;
353 case 7: // Protocol-Field-Compression
354 case 8: // Address-And-Control-Field-Compression
355 LOG(4, 0, 0, " %s\n", ppp_lcp_option(type));
356 break;
357 default:
358 LOG(2, 0, 0, " Unknown PPP LCP Option type %d\n", type);
359 break;
360 }
361 x -= length;
362 o += length;
363 }
364 }
365
366 void lcp_open(sessionidt s, tunnelidt t)
367 {
368 // transition to Authentication or Network phase:
369 session[s].ppp.phase = sess_local[s].lcp_authtype ? Authenticate : Network;
370
371 LOG(3, s, t, "LCP: Opened, phase %s\n", ppp_phase(session[s].ppp.phase));
372
373 // LCP now Opened
374 change_state(s, lcp, Opened);
375
376 if (session[s].ppp.phase == Authenticate)
377 {
378 if (sess_local[s].lcp_authtype == AUTHCHAP)
379 sendchap(s, t);
380 }
381 else
382 {
383 if(session[s].bundle == 0 || bundle[session[s].bundle].num_of_links == 1)
384 {
385 // This-Layer-Up
386 sendipcp(s, t);
387 change_state(s, ipcp, RequestSent);
388 // move to passive state for IPv6 (if configured), CCP
389 if (config->ipv6_prefix.s6_addr[0])
390 change_state(s, ipv6cp, Stopped);
391 else
392 change_state(s, ipv6cp, Closed);
393
394 change_state(s, ccp, Stopped);
395 }
396 else
397 {
398 sessionidt first_ses = bundle[session[s].bundle].members[0];
399 LOG(3, s, t, "MPPP: Skipping IPCP negotiation for session:%d, first session of bundle is:%d\n",s,first_ses);
400 ipcp_open(s, t);
401 }
402 }
403 }
404
405 static void lcp_restart(sessionidt s)
406 {
407 session[s].ppp.phase = Establish;
408 // This-Layer-Down
409 change_state(s, ipcp, Dead);
410 change_state(s, ipv6cp, Dead);
411 change_state(s, ccp, Dead);
412 }
413
414 static uint8_t *ppp_conf_rej(sessionidt s, uint8_t *buf, size_t blen, uint16_t mtype,
415 uint8_t **response, uint8_t *queued, uint8_t *packet, uint8_t *option)
416 {
417 if (!*response || **response != ConfigRej)
418 {
419 queued = *response = makeppp(buf, blen, packet, 2, s, session[s].tunnel, mtype, 0, 0, 0);
420 if (!queued)
421 return 0;
422
423 *queued = ConfigRej;
424 queued += 4;
425 }
426
427 if ((queued - buf + option[1]) > blen)
428 {
429 LOG(2, s, session[s].tunnel, "PPP overflow for ConfigRej (proto %u, option %u).\n", mtype, *option);
430 return 0;
431 }
432
433 memcpy(queued, option, option[1]);
434 return queued + option[1];
435 }
436
437 static uint8_t *ppp_conf_nak(sessionidt s, uint8_t *buf, size_t blen, uint16_t mtype,
438 uint8_t **response, uint8_t *queued, uint8_t *packet, uint8_t *option,
439 uint8_t *value, size_t vlen)
440 {
441 int *nak_sent;
442 switch (mtype)
443 {
444 case PPPLCP: nak_sent = &sess_local[s].lcp.nak_sent; break;
445 case PPPIPCP: nak_sent = &sess_local[s].ipcp.nak_sent; break;
446 case PPPIPV6CP: nak_sent = &sess_local[s].ipv6cp.nak_sent; break;
447 default: return 0; // ?
448 }
449
450 if (*response && **response != ConfigNak)
451 {
452 if (*nak_sent < config->ppp_max_failure) // reject queued
453 return queued;
454
455 return ppp_conf_rej(s, buf, blen, mtype, response, 0, packet, option);
456 }
457
458 if (!*response)
459 {
460 if (*nak_sent >= config->ppp_max_failure)
461 return ppp_conf_rej(s, buf, blen, mtype, response, 0, packet, option);
462
463 queued = *response = makeppp(buf, blen, packet, 2, s, session[s].tunnel, mtype, 0, 0, 0);
464 if (!queued)
465 return 0;
466
467 (*nak_sent)++;
468 *queued = ConfigNak;
469 queued += 4;
470 }
471
472 if ((queued - buf + vlen + 2) > blen)
473 {
474 LOG(2, s, session[s].tunnel, "PPP overflow for ConfigNak (proto %u, option %u).\n", mtype, *option);
475 return 0;
476 }
477
478 *queued++ = *option;
479 *queued++ = vlen + 2;
480 memcpy(queued, value, vlen);
481 return queued + vlen;
482 }
483
484 static void ppp_code_rej(sessionidt s, tunnelidt t, uint16_t proto,
485 char *pname, uint8_t *p, uint16_t l, uint8_t *buf, size_t size)
486 {
487 uint8_t *q;
488 int mru = session[s].mru;
489 if (mru < MINMTU) mru = MINMTU;
490 if (mru > size) mru = size;
491
492 l += 4;
493 if (l > mru) l = mru;
494
495 q = makeppp(buf, size, 0, 0, s, t, proto, 0, 0, 0);
496 if (!q) return;
497
498 *q = CodeRej;
499 *(q + 1) = ++sess_local[s].lcp_ident;
500 *(uint16_t *)(q + 2) = htons(l);
501 memcpy(q + 4, p, l - 4);
502
503 LOG(2, s, t, "Unexpected %s code %s\n", pname, ppp_code(*p));
504 LOG(3, s, t, "%s: send %s\n", pname, ppp_code(*q));
505 if (config->debug > 3) dumplcp(q, l);
506
507 tunnelsend(buf, l + (q - buf), t);
508 }
509
510 // Process LCP messages
511 void processlcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
512 {
513 uint8_t b[MAXETHER];
514 uint8_t *q = NULL;
515 uint16_t hl;
516
517 CSTAT(processlcp);
518
519 LOG_HEX(5, "LCP", p, l);
520 if (l < 4)
521 {
522 LOG(1, s, t, "Short LCP %d bytes\n", l);
523 STAT(tunnel_rx_errors);
524 return ;
525 }
526
527 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
528 {
529 LOG(1, s, t, "Length mismatch LCP %u/%u\n", hl, l);
530 STAT(tunnel_rx_errors);
531 return ;
532 }
533 l = hl;
534
535 if (session[s].die) // going down...
536 return;
537
538 LOG((*p == EchoReq || *p == EchoReply) ? 4 : 3, s, t,
539 "LCP: recv %s\n", ppp_code(*p));
540
541 if (config->debug > 3) dumplcp(p, l);
542
543 if (*p == ConfigAck)
544 {
545 int x = l - 4;
546 uint8_t *o = (p + 4);
547 int authtype = 0;
548
549 while (x > 2)
550 {
551 int type = o[0];
552 int length = o[1];
553
554 if (length == 0 || type == 0 || x < length) break;
555 switch (type)
556 {
557 case 3: // Authentication-Protocol
558 {
559 int proto = ntohs(*(uint16_t *)(o + 2));
560 if (proto == PPPPAP)
561 authtype = AUTHPAP;
562 else if (proto == PPPCHAP && *(o + 4) == 5)
563 authtype = AUTHCHAP;
564 }
565
566 break;
567 }
568 x -= length;
569 o += length;
570 }
571
572 if (!session[s].ip && authtype)
573 sess_local[s].lcp_authtype = authtype;
574
575 switch (session[s].ppp.lcp)
576 {
577 case RequestSent:
578 initialise_restart_count(s, lcp);
579 change_state(s, lcp, AckReceived);
580 break;
581
582 case AckReceived:
583 case Opened:
584 LOG(2, s, t, "LCP: ConfigAck in state %s? Sending ConfigReq\n", ppp_state(session[s].ppp.lcp));
585 if (session[s].ppp.lcp == Opened)
586 lcp_restart(s);
587
588 sendlcp(s, t);
589 change_state(s, lcp, RequestSent);
590 break;
591
592 case AckSent:
593 lcp_open(s, t);
594 break;
595
596 default:
597 LOG(2, s, t, "LCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.lcp));
598 }
599 }
600 else if (*p == ConfigReq)
601 {
602 int x = l - 4;
603 uint8_t *o = (p + 4);
604 uint8_t *response = 0;
605 static uint8_t asyncmap[4] = { 0, 0, 0, 0 }; // all zero
606 static uint8_t authproto[5];
607 int changed = 0;
608
609 while (x > 2)
610 {
611 int type = o[0];
612 int length = o[1];
613
614 if (length == 0 || type == 0 || x < length) break;
615 switch (type)
616 {
617 case 1: // Maximum-Receive-Unit
618 {
619 uint16_t mru = ntohs(*(uint16_t *)(o + 2));
620 if (mru >= MINMTU)
621 {
622 session[s].mru = mru;
623 changed++;
624 break;
625 }
626
627 LOG(3, s, t, " Remote requesting MRU of %u. Rejecting.\n", mru);
628 mru = htons(MRU);
629 q = ppp_conf_nak(s, b, sizeof(b), PPPLCP, &response, q, p, o, (uint8_t *) &mru, sizeof(mru));
630 }
631 break;
632
633 case 2: // Async-Control-Character-Map
634 if (!ntohl(*(uint32_t *)(o + 2))) // all bits zero is OK
635 break;
636
637 LOG(3, s, t, " Remote requesting asyncmap. Rejecting.\n");
638 q = ppp_conf_nak(s, b, sizeof(b), PPPLCP, &response, q, p, o, asyncmap, sizeof(asyncmap));
639 break;
640
641 case 3: // Authentication-Protocol
642 {
643 int proto = ntohs(*(uint16_t *)(o + 2));
644 char proto_name[] = "0x0000";
645 int alen;
646
647 if (proto == PPPPAP)
648 {
649 if (config->radius_authtypes & AUTHPAP)
650 {
651 sess_local[s].lcp_authtype = AUTHPAP;
652 break;
653 }
654
655 strcpy(proto_name, "PAP");
656 }
657 else if (proto == PPPCHAP)
658 {
659 if (config->radius_authtypes & AUTHCHAP
660 && *(o + 4) == 5) // MD5
661 {
662 sess_local[s].lcp_authtype = AUTHCHAP;
663 break;
664 }
665
666 strcpy(proto_name, "CHAP");
667 }
668 else
669 sprintf(proto_name, "%#4.4x", proto);
670
671 LOG(3, s, t, " Remote requesting %s authentication. Rejecting.\n", proto_name);
672
673 alen = add_lcp_auth(authproto, sizeof(authproto), config->radius_authprefer);
674 if (alen < 2) break; // paranoia
675
676 q = ppp_conf_nak(s, b, sizeof(b), PPPLCP, &response, q, p, o, authproto + 2, alen - 2);
677 if (q && *response == ConfigNak &&
678 config->radius_authtypes != config->radius_authprefer)
679 {
680 // alternate type
681 alen = add_lcp_auth(authproto, sizeof(authproto), config->radius_authtypes & ~config->radius_authprefer);
682 if (alen < 2) break;
683 q = ppp_conf_nak(s, b, sizeof(b), PPPLCP, &response, q, p, o, authproto + 2, alen - 2);
684 }
685
686 break;
687 }
688 break;
689
690 case 4: // Quality-Protocol
691 case 5: // Magic-Number
692 case 7: // Protocol-Field-Compression
693 case 8: // Address-And-Control-Field-Compression
694 break;
695
696 case 17: // Multilink Max-Receive-Reconstructed-Unit
697 {
698 uint16_t mrru = ntohs(*(uint16_t *)(o + 2));
699 session[s].mrru = mrru;
700 changed++;
701 LOG(3, s, t, " Received PPP LCP option MRRU: %d\n",mrru);
702 }
703 break;
704
705 case 18: // Multilink Short Sequence Number Header Format
706 {
707 session[s].mssf = 1;
708 changed++;
709 LOG(3, s, t, " Received PPP LCP option MSSN format\n");
710 }
711 break;
712
713 case 19: // Multilink Endpoint Discriminator
714 {
715 uint8_t epdis_class = o[2];
716 int addr;
717
718 session[s].epdis.addr_class = epdis_class;
719 session[s].epdis.length = length - 3;
720 if (session[s].epdis.length > 20)
721 {
722 LOG(1, s, t, "Error: received EndDis Address Length more than 20: %d\n", session[s].epdis.length);
723 session[s].epdis.length = 20;
724 }
725
726 for (addr = 0; addr < session[s].epdis.length; addr++)
727 session[s].epdis.address[addr] = o[3+addr];
728
729 changed++;
730
731 switch (epdis_class)
732 {
733 case LOCALADDR:
734 LOG(3, s, t, " Received PPP LCP option Multilink EndDis Local Address Class: %d\n",epdis_class);
735 break;
736 case IPADDR:
737 LOG(3, s, t, " Received PPP LCP option Multilink EndDis IP Address Class: %d\n",epdis_class);
738 break;
739 case IEEEMACADDR:
740 LOG(3, s, t, " Received PPP LCP option Multilink EndDis IEEE MAC Address Class: %d\n",epdis_class);
741 break;
742 case PPPMAGIC:
743 LOG(3, s, t, " Received PPP LCP option Multilink EndDis PPP Magic No Class: %d\n",epdis_class);
744 break;
745 case PSNDN:
746 LOG(3, s, t, " Received PPP LCP option Multilink EndDis PSND No Class: %d\n",epdis_class);
747 break;
748 default:
749 LOG(3, s, t, " Received PPP LCP option Multilink EndDis NULL Class %d\n",epdis_class);
750 }
751 }
752 break;
753
754 default: // Reject any unknown options
755 LOG(3, s, t, " Rejecting unknown PPP LCP option %d\n", type);
756 q = ppp_conf_rej(s, b, sizeof(b), PPPLCP, &response, q, p, o);
757 }
758 x -= length;
759 o += length;
760 }
761
762 if (changed)
763 cluster_send_session(s);
764
765 if (response)
766 {
767 l = q - response; // LCP packet length
768 *((uint16_t *) (response + 2)) = htons(l); // update header
769 }
770 else
771 {
772 // Send packet back as ConfigAck
773 response = makeppp(b, sizeof(b), p, l, s, t, PPPLCP, 0, 0, 0);
774 if (!response) return;
775 *response = ConfigAck;
776 }
777
778 switch (session[s].ppp.lcp)
779 {
780 case Closed:
781 response = makeppp(b, sizeof(b), p, 2, s, t, PPPLCP, 0, 0, 0);
782 if (!response) return;
783 *response = TerminateAck;
784 *((uint16_t *) (response + 2)) = htons(l = 4);
785 break;
786
787 case Stopped:
788 initialise_restart_count(s, lcp);
789 sendlcp(s, t);
790 if (*response == ConfigAck)
791 change_state(s, lcp, AckSent);
792 else
793 change_state(s, lcp, RequestSent);
794
795 break;
796
797 case RequestSent:
798 if (*response == ConfigAck)
799 change_state(s, lcp, AckSent);
800
801 break;
802
803 case AckReceived:
804 if (*response == ConfigAck)
805 lcp_open(s, t);
806
807 break;
808
809 case Opened:
810 lcp_restart(s);
811 sendlcp(s, t);
812 /* fallthrough */
813
814 case AckSent:
815 if (*response == ConfigAck)
816 change_state(s, lcp, AckSent);
817 else
818 change_state(s, lcp, RequestSent);
819
820 break;
821
822 default:
823 LOG(2, s, t, "LCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.lcp));
824 return;
825 }
826
827 LOG(3, s, t, "LCP: send %s\n", ppp_code(*response));
828 if (config->debug > 3) dumplcp(response, l);
829
830 tunnelsend(b, l + (response - b), t);
831 }
832 else if (*p == ConfigNak || *p == ConfigRej)
833 {
834 int x = l - 4;
835 uint8_t *o = (p + 4);
836 int authtype = -1;
837
838 while (x > 2)
839 {
840 int type = o[0];
841 int length = o[1];
842
843 if (length == 0 || type == 0 || x < length) break;
844 switch (type)
845 {
846 case 1: // Maximum-Receive-Unit
847 if (*p == ConfigNak)
848 {
849 if (length < 4) break;
850 sess_local[s].ppp_mru = ntohs(*(uint16_t *)(o + 2));
851 LOG(3, s, t, " Remote requested MRU of %u\n", sess_local[s].ppp_mru);
852 }
853 else
854 {
855 sess_local[s].ppp_mru = 0;
856 LOG(3, s, t, " Remote rejected MRU negotiation\n");
857 }
858
859 break;
860
861 case 3: // Authentication-Protocol
862 if (authtype > 0)
863 break;
864
865 if (*p == ConfigNak)
866 {
867 int proto;
868
869 if (length < 4) break;
870 proto = ntohs(*(uint16_t *)(o + 2));
871
872 if (proto == PPPPAP)
873 {
874 authtype = config->radius_authtypes & AUTHPAP;
875 LOG(3, s, t, " Remote requested PAP authentication...%sing\n",
876 authtype ? "accept" : "reject");
877 }
878 else if (proto == PPPCHAP && length > 4 && *(o + 4) == 5)
879 {
880 authtype = config->radius_authtypes & AUTHCHAP;
881 LOG(3, s, t, " Remote requested CHAP authentication...%sing\n",
882 authtype ? "accept" : "reject");
883 }
884 else
885 {
886 LOG(3, s, t, " Rejecting unsupported authentication %#4x\n",
887 proto);
888 }
889 }
890 else
891 {
892 LOG(2, s, t, "LCP: remote rejected auth negotiation\n");
893 authtype = 0; // shutdown
894 }
895
896 break;
897
898 case 5: // Magic-Number
899 session[s].magic = 0;
900 if (*p == ConfigNak)
901 {
902 if (length < 6) break;
903 session[s].magic = ntohl(*(uint32_t *)(o + 2));
904 }
905
906 if (session[s].magic)
907 LOG(3, s, t, " Remote requested magic-no %x\n", session[s].magic);
908 else
909 LOG(3, s, t, " Remote rejected magic-no\n");
910
911 cluster_send_session(s);
912 break;
913
914 case 17: // Multilink Max-Receive-Reconstructed-Unit
915 {
916 if (*p == ConfigNak)
917 {
918 sess_local[s].mp_mrru = ntohs(*(uint16_t *)(o + 2));
919 LOG(3, s, t, " Remote requested MRRU of %u\n", sess_local[s].mp_mrru);
920 }
921 else
922 {
923 sess_local[s].mp_mrru = 0;
924 LOG(3, s, t, " Remote rejected MRRU negotiation\n");
925 }
926 }
927 break;
928
929 case 18: // Multilink Short Sequence Number Header Format
930 {
931 if (*p == ConfigNak)
932 {
933 sess_local[s].mp_mssf = 0;
934 LOG(3, s, t, " Remote requested Naked mssf\n");
935 }
936 else
937 {
938 sess_local[s].mp_mssf = 0;
939 LOG(3, s, t, " Remote rejected mssf\n");
940 }
941 }
942 break;
943
944 case 19: // Multilink Endpoint Discriminator
945 {
946 if (*p == ConfigNak)
947 {
948 LOG(2, s, t, " Remote should not configNak Endpoint Dis!\n");
949 }
950 else
951 {
952 sess_local[s].mp_epdis = 0;
953 LOG(3, s, t, " Remote rejected Endpoint Discriminator\n");
954 }
955 }
956 break;
957
958 default:
959 LOG(2, s, t, "LCP: remote sent %s for type %u?\n", ppp_code(*p), type);
960 sessionshutdown(s, "Unable to negotiate LCP.", CDN_ADMIN_DISC, TERM_USER_ERROR);
961 return;
962 }
963 x -= length;
964 o += length;
965 }
966
967 if (!authtype)
968 {
969 sessionshutdown(s, "Unsupported authentication.", CDN_ADMIN_DISC, TERM_USER_ERROR);
970 return;
971 }
972
973 if (authtype > 0)
974 sess_local[s].lcp_authtype = authtype;
975
976 switch (session[s].ppp.lcp)
977 {
978 case Closed:
979 case Stopped:
980 {
981 uint8_t *response = makeppp(b, sizeof(b), p, 2, s, t, PPPLCP, 0, 0, 0);
982 if (!response) return;
983 *response = TerminateAck;
984 *((uint16_t *) (response + 2)) = htons(l = 4);
985
986 LOG(3, s, t, "LCP: send %s\n", ppp_code(*response));
987 if (config->debug > 3) dumplcp(response, l);
988
989 tunnelsend(b, l + (response - b), t);
990 }
991 break;
992
993 case RequestSent:
994 case AckSent:
995 initialise_restart_count(s, lcp);
996 sendlcp(s, t);
997 break;
998
999 case AckReceived:
1000 LOG(2, s, t, "LCP: ConfigNak in state %s? Sending ConfigReq\n", ppp_state(session[s].ppp.lcp));
1001 sendlcp(s, t);
1002 break;
1003
1004 case Opened:
1005 lcp_restart(s);
1006 sendlcp(s, t);
1007 break;
1008
1009 default:
1010 LOG(2, s, t, "LCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.lcp));
1011 return;
1012 }
1013 }
1014 else if (*p == TerminateReq)
1015 {
1016 switch (session[s].ppp.lcp)
1017 {
1018 case Closed:
1019 case Stopped:
1020 case Closing:
1021 case Stopping:
1022 case RequestSent:
1023 case AckReceived:
1024 case AckSent:
1025 break;
1026
1027 case Opened:
1028 lcp_restart(s);
1029 zero_restart_count(s, lcp);
1030 change_state(s, lcp, Closing);
1031 break;
1032
1033 default:
1034 LOG(2, s, t, "LCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.lcp));
1035 return;
1036 }
1037
1038 *p = TerminateAck; // send ack
1039 q = makeppp(b, sizeof(b), p, l, s, t, PPPLCP, 0, 0, 0);
1040 if (!q) return;
1041
1042 LOG(3, s, t, "LCP: send %s\n", ppp_code(*q));
1043 if (config->debug > 3) dumplcp(q, l);
1044
1045 tunnelsend(b, l + (q - b), t); // send it
1046 }
1047 else if (*p == ProtocolRej)
1048 {
1049 uint16_t proto = 0;
1050
1051 if (l > 4)
1052 {
1053 proto = *(p+4);
1054 if (l > 5 && !(proto & 1))
1055 {
1056 proto <<= 8;
1057 proto |= *(p+5);
1058 }
1059 }
1060
1061 if (proto == PPPIPV6CP)
1062 {
1063 LOG(3, s, t, "IPv6 rejected\n");
1064 change_state(s, ipv6cp, Closed);
1065 }
1066 else
1067 {
1068 LOG(3, s, t, "LCP protocol reject: 0x%04X\n", proto);
1069 }
1070 }
1071 else if (*p == EchoReq)
1072 {
1073 *p = EchoReply; // reply
1074 *(uint32_t *) (p + 4) = htonl(session[s].magic); // our magic number
1075 q = makeppp(b, sizeof(b), p, l, s, t, PPPLCP, 0, 0, 0);
1076 if (!q) return;
1077
1078 LOG(4, s, t, "LCP: send %s\n", ppp_code(*q));
1079 if (config->debug > 3) dumplcp(q, l);
1080
1081 tunnelsend(b, l + (q - b), t); // send it
1082 }
1083 else if (*p == EchoReply)
1084 {
1085 // Ignore it, last_packet time is set earlier than this.
1086 }
1087 else if (*p != CodeRej)
1088 {
1089 ppp_code_rej(s, t, PPPLCP, "LCP", p, l, b, sizeof(b));
1090 }
1091 }
1092
1093 int join_bundle(sessionidt s)
1094 {
1095 // Search for a bundle to join
1096 bundleidt i;
1097 bundleidt b;
1098 for (i = 1; i < MAXBUNDLE; i++)
1099 {
1100 if (bundle[i].state != BUNDLEFREE)
1101 {
1102 if (epdiscmp(session[s].epdis,bundle[i].epdis) && !strcmp(session[s].user, bundle[i].user))
1103 {
1104 sessionidt first_ses = bundle[i].members[0];
1105 if (bundle[i].mssf != session[s].mssf)
1106 {
1107 // uniformity of sequence number format must be insured
1108 LOG(3, s, session[s].tunnel, "MPPP: unable to bundle session %d in bundle %d cause of different mssf\n", s, i);
1109 return -1;
1110 }
1111 session[s].bundle = i;
1112 session[s].ip = session[first_ses].ip;
1113 session[s].dns1 = session[first_ses].dns1;
1114 session[s].dns2 = session[first_ses].dns2;
1115 session[s].timeout = session[first_ses].timeout;
1116
1117 if(session[s].epdis.length > 0)
1118 setepdis(&bundle[i].epdis, session[s].epdis);
1119
1120 strcpy(bundle[i].user, session[s].user);
1121 bundle[i].members[bundle[i].num_of_links] = s;
1122 bundle[i].num_of_links++;
1123 LOG(3, s, session[s].tunnel, "MPPP: Bundling additional line in bundle (%d), lines:%d\n",i,bundle[i].num_of_links);
1124 return i;
1125 }
1126 }
1127 }
1128
1129 // No previously created bundle was found for this session, so create a new one
1130 if (!(b = new_bundle())) return 0;
1131
1132 session[s].bundle = b;
1133 bundle[b].mrru = session[s].mrru;
1134 bundle[b].mssf = session[s].mssf;
1135 // FIXME !!! to enable l2tpns reading mssf frames receiver_max_seq, sender_max_seq must be introduce
1136 // now session[s].mssf flag indecates that the receiver wish to receive frames in mssf, so max_seq (i.e. recv_max_seq) = 1<<24
1137 /*
1138 if (bundle[b].mssf)
1139 bundle[b].max_seq = 1 << 12;
1140 else */
1141 bundle[b].max_seq = 1 << 24;
1142 if(session[s].epdis.length > 0)
1143 setepdis(&bundle[b].epdis, session[s].epdis);
1144
1145 strcpy(bundle[b].user, session[s].user);
1146 bundle[b].members[0] = s;
1147 bundle[b].timeout = session[s].timeout;
1148 LOG(3, s, session[s].tunnel, "MPPP: Created a new bundle (%d)\n", b);
1149 return b;
1150 }
1151
1152 static int epdiscmp(epdist ep1, epdist ep2)
1153 {
1154 int ad;
1155 if (ep1.length != ep2.length)
1156 return 0;
1157
1158 if (ep1.addr_class != ep2.addr_class)
1159 return 0;
1160
1161 for (ad = 0; ad < ep1.length; ad++)
1162 if (ep1.address[ad] != ep2.address[ad])
1163 return 0;
1164
1165 return 1;
1166 }
1167
1168 static void setepdis(epdist *ep1, epdist ep2)
1169 {
1170 int ad;
1171 ep1->length = ep2.length;
1172 ep1->addr_class = ep2.addr_class;
1173 for (ad = 0; ad < ep2.length; ad++)
1174 ep1->address[ad] = ep2.address[ad];
1175 }
1176
1177 static bundleidt new_bundle()
1178 {
1179 bundleidt i;
1180 for (i = 1; i < MAXBUNDLE; i++)
1181 {
1182 if (bundle[i].state == BUNDLEFREE)
1183 {
1184 LOG(4, 0, 0, "MPPP: Assigning bundle ID %d\n", i);
1185 bundle[i].num_of_links = 1;
1186 bundle[i].last_check = time_now; // Initialize last_check value
1187 bundle[i].state = BUNDLEOPEN;
1188 bundle[i].current_ses = -1; // This is to enforce the first session 0 to be used at first
1189 memset(&frag[i], 0, sizeof(fragmentationt));
1190 if (i > config->cluster_highest_bundleid)
1191 config->cluster_highest_bundleid = i;
1192 return i;
1193 }
1194 }
1195 LOG(0, 0, 0, "MPPP: Can't find a free bundle! There shouldn't be this many in use!\n");
1196 return 0;
1197 }
1198
1199 static void ipcp_open(sessionidt s, tunnelidt t)
1200 {
1201 LOG(3, s, t, "IPCP: Opened, session is now active\n");
1202
1203 change_state(s, ipcp, Opened);
1204
1205 if (!(session[s].walled_garden || session[s].flags & SESSION_STARTED))
1206 {
1207 uint16_t r = radiusnew(s);
1208 if (r)
1209 {
1210 radiussend(r, RADIUSSTART); // send radius start
1211
1212 // don't send further Start records if IPCP is restarted
1213 session[s].flags |= SESSION_STARTED;
1214 cluster_send_session(s);
1215 }
1216 }
1217
1218 // start IPv6 if configured and still in passive state
1219 if (session[s].ppp.ipv6cp == Stopped)
1220 {
1221 sendipv6cp(s, t);
1222 change_state(s, ipv6cp, RequestSent);
1223 }
1224 }
1225
1226 // Process IPCP messages
1227 void processipcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
1228 {
1229 uint8_t b[MAXETHER];
1230 uint8_t *q = 0;
1231 uint16_t hl;
1232
1233 CSTAT(processipcp);
1234
1235 LOG_HEX(5, "IPCP", p, l);
1236 if (l < 4)
1237 {
1238 LOG(1, s, t, "Short IPCP %d bytes\n", l);
1239 STAT(tunnel_rx_errors);
1240 return ;
1241 }
1242
1243 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
1244 {
1245 LOG(1, s, t, "Length mismatch IPCP %u/%u\n", hl, l);
1246 STAT(tunnel_rx_errors);
1247 return ;
1248 }
1249 l = hl;
1250
1251 if (session[s].ppp.phase < Network)
1252 {
1253 LOG(2, s, t, "IPCP %s ignored in %s phase\n", ppp_code(*p), ppp_phase(session[s].ppp.phase));
1254 return;
1255 }
1256
1257 LOG(3, s, t, "IPCP: recv %s\n", ppp_code(*p));
1258
1259 if (*p == ConfigAck)
1260 {
1261 switch (session[s].ppp.ipcp)
1262 {
1263 case RequestSent:
1264 initialise_restart_count(s, ipcp);
1265 change_state(s, ipcp, AckReceived);
1266 break;
1267
1268 case AckReceived:
1269 case Opened:
1270 LOG(2, s, t, "IPCP: ConfigAck in state %s? Sending ConfigReq\n", ppp_state(session[s].ppp.ipcp));
1271 sendipcp(s, t);
1272 change_state(s, ipcp, RequestSent);
1273 break;
1274
1275 case AckSent:
1276 ipcp_open(s, t);
1277 break;
1278
1279 default:
1280 LOG(2, s, t, "IPCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ipcp));
1281 }
1282 }
1283 else if (*p == ConfigReq)
1284 {
1285 uint8_t *response = 0;
1286 uint8_t *o = p + 4;
1287 int length = l - 4;
1288 int gotip = 0;
1289 in_addr_t addr;
1290
1291 while (length > 2)
1292 {
1293 if (!o[1] || o[1] > length) return;
1294
1295 switch (*o)
1296 {
1297 case 3: // ip address
1298 gotip++; // seen address
1299 if (o[1] != 6) return;
1300
1301 addr = htonl(session[s].ip);
1302 if (memcmp(o + 2, &addr, (sizeof addr)))
1303 {
1304 uint8_t *oq = q;
1305 q = ppp_conf_nak(s, b, sizeof(b), PPPIPCP, &response, q, p, o, (uint8_t *) &addr, sizeof(addr));
1306 if (!q || (q != oq && *response == ConfigRej))
1307 {
1308 sessionshutdown(s, "Can't negotiate IPCP.", CDN_ADMIN_DISC, TERM_USER_ERROR);
1309 return;
1310 }
1311 }
1312
1313 break;
1314
1315 case 129: // primary DNS
1316 if (o[1] != 6) return;
1317
1318 addr = htonl(session[s].dns1);
1319 if (memcmp(o + 2, &addr, (sizeof addr)))
1320 {
1321 q = ppp_conf_nak(s, b, sizeof(b), PPPIPCP, &response, q, p, o, (uint8_t *) &addr, sizeof(addr));
1322 if (!q) return;
1323 }
1324
1325 break;
1326
1327 case 131: // secondary DNS
1328 if (o[1] != 6) return;
1329
1330 addr = htonl(session[s].dns2);
1331 if (memcmp(o + 2, &addr, sizeof(addr)))
1332 {
1333 q = ppp_conf_nak(s, b, sizeof(b), PPPIPCP, &response, q, p, o, (uint8_t *) &addr, sizeof(addr));
1334 if (!q) return;
1335 }
1336
1337 break;
1338
1339 default:
1340 LOG(2, s, t, " Rejecting PPP IPCP Option type %d\n", *o);
1341 q = ppp_conf_rej(s, b, sizeof(b), PPPIPCP, &response, q, p, o);
1342 if (!q) return;
1343 }
1344
1345 length -= o[1];
1346 o += o[1];
1347 }
1348
1349 if (response)
1350 {
1351 l = q - response; // IPCP packet length
1352 *((uint16_t *) (response + 2)) = htons(l); // update header
1353 }
1354 else if (gotip)
1355 {
1356 // Send packet back as ConfigAck
1357 response = makeppp(b, sizeof(b), p, l, s, t, PPPIPCP, 0, 0, 0);
1358 if (!response) return;
1359 *response = ConfigAck;
1360 }
1361 else
1362 {
1363 LOG(1, s, t, "No IP in IPCP request\n");
1364 STAT(tunnel_rx_errors);
1365 return;
1366 }
1367
1368 switch (session[s].ppp.ipcp)
1369 {
1370 case Closed:
1371 response = makeppp(b, sizeof(b), p, 2, s, t, PPPIPCP, 0, 0, 0);
1372 if (!response) return;
1373 *response = TerminateAck;
1374 *((uint16_t *) (response + 2)) = htons(l = 4);
1375 break;
1376
1377 case Stopped:
1378 initialise_restart_count(s, ipcp);
1379 sendipcp(s, t);
1380 if (*response == ConfigAck)
1381 change_state(s, ipcp, AckSent);
1382 else
1383 change_state(s, ipcp, RequestSent);
1384
1385 break;
1386
1387 case RequestSent:
1388 if (*response == ConfigAck)
1389 change_state(s, ipcp, AckSent);
1390
1391 break;
1392
1393 case AckReceived:
1394 if (*response == ConfigAck)
1395 ipcp_open(s, t);
1396
1397 break;
1398
1399 case Opened:
1400 initialise_restart_count(s, ipcp);
1401 sendipcp(s, t);
1402 /* fallthrough */
1403
1404 case AckSent:
1405 if (*response == ConfigAck)
1406 change_state(s, ipcp, AckSent);
1407 else
1408 change_state(s, ipcp, RequestSent);
1409
1410 break;
1411
1412 default:
1413 LOG(2, s, t, "IPCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ipcp));
1414 return;
1415 }
1416
1417 LOG(3, s, t, "IPCP: send %s\n", ppp_code(*response));
1418 tunnelsend(b, l + (response - b), t);
1419 }
1420 else if (*p == TerminateReq)
1421 {
1422 switch (session[s].ppp.ipcp)
1423 {
1424 case Closed:
1425 case Stopped:
1426 case Closing:
1427 case Stopping:
1428 case RequestSent:
1429 case AckReceived:
1430 case AckSent:
1431 break;
1432
1433 case Opened:
1434 zero_restart_count(s, ipcp);
1435 change_state(s, ipcp, Closing);
1436 break;
1437
1438 default:
1439 LOG(2, s, t, "IPCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ipcp));
1440 return;
1441 }
1442
1443 *p = TerminateAck; // send ack
1444 q = makeppp(b, sizeof(b), p, l, s, t, PPPIPCP, 0, 0, 0);
1445 if (!q) return;
1446
1447 LOG(3, s, t, "IPCP: send %s\n", ppp_code(*q));
1448 tunnelsend(b, l + (q - b), t); // send it
1449 }
1450 else if (*p != CodeRej)
1451 {
1452 ppp_code_rej(s, t, PPPIPCP, "IPCP", p, l, b, sizeof(b));
1453 }
1454 }
1455
1456 static void ipv6cp_open(sessionidt s, tunnelidt t)
1457 {
1458 LOG(3, s, t, "IPV6CP: Opened\n");
1459
1460 change_state(s, ipv6cp, Opened);
1461 if (session[s].ipv6prefixlen)
1462 route6set(s, session[s].ipv6route, session[s].ipv6prefixlen, 1);
1463
1464 // Send an initial RA (TODO: Should we send these regularly?)
1465 send_ipv6_ra(s, t, NULL);
1466 }
1467
1468 // Process IPV6CP messages
1469 void processipv6cp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
1470 {
1471 uint8_t b[MAXETHER];
1472 uint8_t *q = 0;
1473 uint16_t hl;
1474
1475 CSTAT(processipv6cp);
1476
1477 LOG_HEX(5, "IPV6CP", p, l);
1478 if (l < 4)
1479 {
1480 LOG(1, s, t, "Short IPV6CP %d bytes\n", l);
1481 STAT(tunnel_rx_errors);
1482 return ;
1483 }
1484
1485 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
1486 {
1487 LOG(1, s, t, "Length mismatch IPV6CP %u/%u\n", hl, l);
1488 STAT(tunnel_rx_errors);
1489 return ;
1490 }
1491 l = hl;
1492
1493 if (session[s].ppp.phase < Network)
1494 {
1495 LOG(2, s, t, "IPV6CP %s ignored in %s phase\n", ppp_code(*p), ppp_phase(session[s].ppp.phase));
1496 return;
1497 }
1498
1499 LOG(3, s, t, "IPV6CP: recv %s\n", ppp_code(*p));
1500
1501 if (!session[s].ip)
1502 {
1503 LOG(3, s, t, "IPV6CP: no IPv4 address (IPCP in state %s)\n", ppp_state(session[s].ppp.ipcp));
1504 return; // need IPCP to complete...
1505 }
1506
1507 if (*p == ConfigAck)
1508 {
1509 switch (session[s].ppp.ipv6cp)
1510 {
1511 case RequestSent:
1512 initialise_restart_count(s, ipv6cp);
1513 change_state(s, ipv6cp, AckReceived);
1514 break;
1515
1516 case AckReceived:
1517 case Opened:
1518 LOG(2, s, t, "IPV6CP: ConfigAck in state %s? Sending ConfigReq\n", ppp_state(session[s].ppp.ipv6cp));
1519 sendipv6cp(s, t);
1520 change_state(s, ipv6cp, RequestSent);
1521 break;
1522
1523 case AckSent:
1524 ipv6cp_open(s, t);
1525 break;
1526
1527 default:
1528 LOG(2, s, t, "IPV6CP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ipv6cp));
1529 }
1530 }
1531 else if (*p == ConfigReq)
1532 {
1533 uint8_t *response = 0;
1534 uint8_t *o = p + 4;
1535 int length = l - 4;
1536 int gotip = 0;
1537 uint8_t ident[8];
1538
1539 while (length > 2)
1540 {
1541 if (!o[1] || o[1] > length) return;
1542
1543 switch (*o)
1544 {
1545 case 1: // interface identifier
1546 gotip++; // seen address
1547 if (o[1] != 10) return;
1548
1549 *(uint32_t *) ident = htonl(session[s].ip);
1550 *(uint32_t *) (ident + 4) = 0;
1551
1552 if (memcmp(o + 2, ident, sizeof(ident)))
1553 {
1554 q = ppp_conf_nak(s, b, sizeof(b), PPPIPV6CP, &response, q, p, o, ident, sizeof(ident));
1555 if (!q) return;
1556 }
1557
1558 break;
1559
1560 default:
1561 LOG(2, s, t, " Rejecting PPP IPV6CP Option type %d\n", *o);
1562 q = ppp_conf_rej(s, b, sizeof(b), PPPIPV6CP, &response, q, p, o);
1563 if (!q) return;
1564 }
1565
1566 length -= o[1];
1567 o += o[1];
1568 }
1569
1570 if (response)
1571 {
1572 l = q - response; // IPV6CP packet length
1573 *((uint16_t *) (response + 2)) = htons(l); // update header
1574 }
1575 else if (gotip)
1576 {
1577 // Send packet back as ConfigAck
1578 response = makeppp(b, sizeof(b), p, l, s, t, PPPIPV6CP, 0, 0, 0);
1579 if (!response) return;
1580 *response = ConfigAck;
1581 }
1582 else
1583 {
1584 LOG(1, s, t, "No interface identifier in IPV6CP request\n");
1585 STAT(tunnel_rx_errors);
1586 return;
1587 }
1588
1589 switch (session[s].ppp.ipv6cp)
1590 {
1591 case Closed:
1592 response = makeppp(b, sizeof(b), p, 2, s, t, PPPIPV6CP, 0, 0, 0);
1593 if (!response) return;
1594 *response = TerminateAck;
1595 *((uint16_t *) (response + 2)) = htons(l = 4);
1596 break;
1597
1598 case Stopped:
1599 initialise_restart_count(s, ipv6cp);
1600 sendipv6cp(s, t);
1601 if (*response == ConfigAck)
1602 change_state(s, ipv6cp, AckSent);
1603 else
1604 change_state(s, ipv6cp, RequestSent);
1605
1606 break;
1607
1608 case RequestSent:
1609 if (*response == ConfigAck)
1610 change_state(s, ipv6cp, AckSent);
1611
1612 break;
1613
1614 case AckReceived:
1615 if (*response == ConfigAck)
1616 ipv6cp_open(s, t);
1617
1618 break;
1619
1620 case Opened:
1621 initialise_restart_count(s, ipv6cp);
1622 sendipv6cp(s, t);
1623 /* fallthrough */
1624
1625 case AckSent:
1626 if (*response == ConfigAck)
1627 change_state(s, ipv6cp, AckSent);
1628 else
1629 change_state(s, ipv6cp, RequestSent);
1630
1631 break;
1632
1633 default:
1634 LOG(2, s, t, "IPV6CP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ipv6cp));
1635 return;
1636 }
1637
1638 LOG(3, s, t, "IPV6CP: send %s\n", ppp_code(*response));
1639 tunnelsend(b, l + (response - b), t);
1640 }
1641 else if (*p == TerminateReq)
1642 {
1643 switch (session[s].ppp.ipv6cp)
1644 {
1645 case Closed:
1646 case Stopped:
1647 case Closing:
1648 case Stopping:
1649 case RequestSent:
1650 case AckReceived:
1651 case AckSent:
1652 break;
1653
1654 case Opened:
1655 zero_restart_count(s, ipv6cp);
1656 change_state(s, ipv6cp, Closing);
1657 break;
1658
1659 default:
1660 LOG(2, s, t, "IPV6CP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ipv6cp));
1661 return;
1662 }
1663
1664 *p = TerminateAck; // send ack
1665 q = makeppp(b, sizeof(b), p, l, s, t, PPPIPV6CP, 0, 0, 0);
1666 if (!q) return;
1667
1668 LOG(3, s, t, "IPV6CP: send %s\n", ppp_code(*q));
1669 tunnelsend(b, l + (q - b), t); // send it
1670 }
1671 else if (*p != CodeRej)
1672 {
1673 ppp_code_rej(s, t, PPPIPV6CP, "IPV6CP", p, l, b, sizeof(b));
1674 }
1675 }
1676
1677 static void update_sessions_in_stat(sessionidt s, uint16_t l)
1678 {
1679 bundleidt b = session[s].bundle;
1680 if (!b)
1681 {
1682 increment_counter(&session[s].cin, &session[s].cin_wrap, l);
1683 session[s].cin_delta += l;
1684 session[s].pin++;
1685
1686 sess_local[s].cin += l;
1687 sess_local[s].pin++;
1688 }
1689 else
1690 {
1691 int i = frag[b].re_frame_begin_index;
1692 int end = frag[b].re_frame_end_index;
1693 for (;;)
1694 {
1695 l = frag[b].fragment[i].length;
1696 s = frag[b].fragment[i].sid;
1697 increment_counter(&session[s].cin, &session[s].cin_wrap, l);
1698 session[s].cin_delta += l;
1699 session[s].pin++;
1700
1701 sess_local[s].cin += l;
1702 sess_local[s].pin++;
1703 if (i == end)
1704 return;
1705 i = (i + 1) & MAXFRAGNUM_MASK;
1706 }
1707 }
1708 }
1709
1710 // process IP packet received
1711 //
1712 // This MUST be called with at least 4 byte behind 'p'.
1713 // (i.e. this routine writes to p[-4]).
1714 void processipin(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
1715 {
1716 in_addr_t ip;
1717
1718 CSTAT(processipin);
1719
1720 LOG_HEX(5, "IP", p, l);
1721
1722 if (l < 20)
1723 {
1724 LOG(1, s, t, "IP packet too short %d\n", l);
1725 STAT(tunnel_rx_errors);
1726 return ;
1727 }
1728
1729 ip = ntohl(*(uint32_t *)(p + 12));
1730
1731 if (l > MAXETHER)
1732 {
1733 LOG(1, s, t, "IP packet too long %d\n", l);
1734 STAT(tunnel_rx_errors);
1735 return ;
1736 }
1737
1738 if (session[s].ppp.phase != Network || session[s].ppp.ipcp != Opened)
1739 return;
1740
1741 if (!session[s].bundle || bundle[session[s].bundle].num_of_links < 2) // FIXME:
1742 {
1743 // no spoof (do sessionbyip to handled statically routed subnets)
1744 if (ip != session[s].ip && sessionbyip(htonl(ip)) != s)
1745 {
1746 LOG(4, s, t, "Dropping packet with spoofed IP %s\n", fmtaddr(htonl(ip), 0));
1747 return;
1748 }
1749 }
1750
1751 // run access-list if any
1752 if (session[s].filter_in && !ip_filter(p, l, session[s].filter_in - 1))
1753 return;
1754
1755 // adjust MSS on SYN and SYN,ACK packets with options
1756 if ((ntohs(*(uint16_t *) (p + 6)) & 0x1fff) == 0 && p[9] == IPPROTO_TCP) // first tcp fragment
1757 {
1758 int ihl = (p[0] & 0xf) * 4; // length of IP header
1759 if (l >= ihl + 20 && (p[ihl + 13] & TCP_FLAG_SYN) && ((p[ihl + 12] >> 4) > 5))
1760 adjust_tcp_mss(s, t, p, l, p + ihl);
1761 }
1762
1763 // Add on the tun header
1764 p -= 4;
1765 *(uint32_t *) p = htonl(PKTIP);
1766 l += 4;
1767
1768 if (session[s].tbf_in)
1769 {
1770 // Are we throttling this session?
1771 if (config->cluster_iam_master)
1772 tbf_queue_packet(session[s].tbf_in, p, l);
1773 else
1774 master_throttle_packet(session[s].tbf_in, p, l);
1775 return;
1776 }
1777
1778 // send to ethernet
1779 if (tun_write(p, l) < 0)
1780 {
1781 STAT(tun_tx_errors);
1782 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
1783 l, strerror(errno), tunfd, p);
1784
1785 return;
1786 }
1787
1788 p += 4;
1789 l -= 4;
1790
1791 if (session[s].snoop_ip && session[s].snoop_port)
1792 {
1793 // Snooping this session
1794 snoop_send_packet(p, l, session[s].snoop_ip, session[s].snoop_port);
1795 }
1796
1797 update_sessions_in_stat(s, l);
1798
1799 eth_tx += l;
1800
1801 STAT(tun_tx_packets);
1802 INC_STAT(tun_tx_bytes, l);
1803 }
1804
1805 // process Multilink PPP packet received
1806 void processmpin(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
1807 {
1808 bundleidt b = session[s].bundle;
1809 bundlet * this_bundle = &bundle[b];
1810 uint32_t frag_offset, M_offset;
1811 uint16_t frag_index, M_index;
1812 fragmentationt *this_fragmentation = &frag[b];
1813 uint8_t begin_frame = (*p & MP_BEGIN);
1814 uint8_t end_frame = (*p & MP_END);
1815 uint32_t seq_num;
1816 uint8_t flags = *p;
1817 uint16_t begin_index, end_index;
1818
1819 // Perform length checking
1820 if(l > MAXFRAGLEN)
1821 {
1822 LOG(2, s, t, "MPPP: discarding fragment larger than MAXFRAGLEN\n");
1823 return;
1824 }
1825
1826 if(!b)
1827 {
1828 LOG(2, s, t, "MPPP: Invalid bundle id: 0\n");
1829 return;
1830 }
1831 // FIXME !! session[s].mssf means that the receiver wants to receive frames in mssf not means the receiver will send frames in mssf
1832 /* if(session[s].mssf)
1833 {
1834 // Get 12 bit for seq number
1835 seq_num = ntohs((*(uint16_t *) p) & 0xFF0F);
1836 p += 2;
1837 l -= 2;
1838 // After this point the pointer should be advanced 2 bytes
1839 LOG(3, s, t, "MPPP: 12 bits, sequence number: %d\n",seq_num);
1840 }
1841 else */
1842 {
1843 // Get 24 bit for seq number
1844 seq_num = ntohl((*(uint32_t *) p) & 0xFFFFFF00);
1845 p += 4;
1846 l -= 4;
1847 // After this point the pointer should be advanced 4 bytes
1848 LOG(4, s, t, "MPPP: 24 bits sequence number:%d\n",seq_num);
1849 }
1850
1851 // calculate this fragment's offset from the begin seq in the bundle
1852 frag_offset = (seq_num + this_bundle->max_seq - this_fragmentation->start_seq) & (this_bundle->max_seq-1);
1853
1854 // discard this fragment if frag_offset is bigger that the fragmentation buffer size
1855 if (frag_offset >= MAXFRAGNUM)
1856 {
1857 LOG(3, s, t, "MPPP: Index out of range, received more than MAXFRAGNUM fragment (lost frag) seq:%d, begin_seq:%d, bundle:%d, max:%d\n",seq_num, this_fragmentation->start_seq, b, this_bundle->max_seq);
1858 return;
1859 }
1860
1861 // update M
1862 sess_local[s].last_seq = seq_num;
1863 if (seq_num < this_fragmentation->M)
1864 this_fragmentation->M = seq_num;
1865 else
1866 {
1867 uint32_t i, min = sess_local[(this_bundle->members[0])].last_seq;;
1868 for (i = 1; i < this_bundle->num_of_links; i++)
1869 {
1870 uint32_t s_seq = sess_local[(this_bundle->members[i])].last_seq;
1871 if (s_seq < min)
1872 min = s_seq;
1873 }
1874 this_fragmentation->M = min;
1875 }
1876
1877 LOG(4, s, t, "MPPP: Setting M to %d\n", this_fragmentation->M);
1878 //calculate M's offset from the begin seq in the bundle
1879 M_offset = (this_fragmentation->M + this_bundle->max_seq - this_fragmentation->start_seq) & (this_bundle->max_seq-1);
1880
1881 //caculate M's index in the fragment array
1882 M_index = (M_offset + this_fragmentation->start_index) & MAXFRAGNUM_MASK;
1883
1884 //caculate received fragment's index in the fragment array
1885 frag_index = (frag_offset + this_fragmentation->start_index) & MAXFRAGNUM_MASK;
1886
1887 //frame with a single fragment
1888 if (begin_frame && end_frame)
1889 {
1890 // process and reset fragmentation
1891 LOG(4, s, t, "MPPP: Both bits are set (Begin and End).\n");
1892 this_fragmentation->fragment[frag_index].length = l;
1893 this_fragmentation->fragment[frag_index].sid = s;
1894 this_fragmentation->fragment[frag_index].flags = flags;
1895 this_fragmentation->fragment[frag_index].seq = seq_num;
1896 this_fragmentation->re_frame_begin_index = frag_index;
1897 this_fragmentation->re_frame_end_index = frag_index;
1898 processmpframe(s, t, p, l, 0);
1899 this_fragmentation->fragment[frag_index].length = 0;
1900 this_fragmentation->fragment[frag_index].flags = 0;
1901 end_index = frag_index;
1902 }
1903 else
1904 {
1905 // insert the frame in it's place
1906 fragmentt *this_frag = &this_fragmentation->fragment[frag_index];
1907 this_frag->length = l;
1908 this_frag->sid = s;
1909 this_frag->flags = flags;
1910 this_frag->seq = seq_num;
1911 memcpy(this_frag->data, p, l);
1912
1913 // try to assemble the frame that has the received fragment as a member
1914 // get the beginning of this frame
1915 begin_index = end_index = frag_index;
1916 while (this_fragmentation->fragment[begin_index].length)
1917 {
1918 if (this_fragmentation->fragment[begin_index].flags & MP_BEGIN)
1919 break;
1920 begin_index = (begin_index ? (begin_index -1) : (MAXFRAGNUM -1));
1921 }
1922
1923 // return if a lost fragment is found
1924 if (!(this_fragmentation->fragment[begin_index].length))
1925 return; // assembling frame failed
1926 // get the end of his frame
1927 while (this_fragmentation->fragment[end_index].length)
1928 {
1929 if (this_fragmentation->fragment[end_index].flags & MP_END)
1930 break;
1931 end_index = (end_index +1) & MAXFRAGNUM_MASK;
1932 }
1933
1934 // return if a lost fragment is found
1935 if (!(this_fragmentation->fragment[end_index].length))
1936 return; // assembling frame failed
1937
1938 // assemble the packet
1939 //assemble frame, process it, reset fragmentation
1940 uint16_t cur_len = 4; // This is set to 4 to leave 4 bytes for function processipin
1941 uint32_t i;
1942
1943 LOG(4, s, t, "MPPP: processing fragments from %d to %d\n", begin_index, end_index);
1944 // Push to the receive buffer
1945
1946 for (i = begin_index;; i = (i + 1) & MAXFRAGNUM_MASK)
1947 {
1948 this_frag = &this_fragmentation->fragment[i];
1949 if(cur_len + this_frag->length > MAXETHER)
1950 {
1951 LOG(2, s, t, "MPPP: discarding reassembled frames larger than MAXETHER\n");
1952 break;
1953 }
1954 memcpy(this_fragmentation->reassembled_frame+cur_len, this_frag->data, this_frag->length);
1955 LOG(5, s, t, "MPPP: processing frame at %d, with len %d\n", i, this_frag->length);
1956 cur_len += this_frag->length;
1957 if (i == end_index)
1958 {
1959 this_fragmentation->re_frame_len = cur_len;
1960 this_fragmentation->re_frame_begin_index = begin_index;
1961 this_fragmentation->re_frame_end_index = end_index;
1962 // Process the resassembled frame
1963 LOG(5, s, t, "MPPP: Process the reassembled frame, len=%d\n",cur_len);
1964 processmpframe(s, t, this_fragmentation->reassembled_frame, this_fragmentation->re_frame_len, 1);
1965 break;
1966 }
1967 }
1968 // Set reassembled frame length to zero after processing it
1969 this_fragmentation->re_frame_len = 0;
1970 for (i = begin_index;; i = (i + 1) & MAXFRAGNUM_MASK)
1971 {
1972 this_fragmentation->fragment[i].length = 0; // Indicates that this fragment has been consumed
1973 this_fragmentation->fragment[i].flags = 0;
1974 if (i == end_index)
1975 break;
1976 }
1977 }
1978 //discard fragments received before the recently assembled frame
1979 begin_index = this_fragmentation->start_index;
1980 this_fragmentation->start_index = (end_index + 1) & MAXFRAGNUM_MASK;
1981 this_fragmentation->start_seq = (this_fragmentation->fragment[end_index].seq + 1) & (this_bundle->max_seq-1);
1982 //clear length and flags of the discarded fragments
1983 while (begin_index != this_fragmentation->start_index)
1984 {
1985 this_fragmentation->fragment[begin_index].flags = 0;
1986 this_fragmentation->fragment[begin_index].length = 0;
1987 begin_index = (begin_index + 1) & MAXFRAGNUM_MASK;
1988 }
1989
1990 LOG(4, s, t, "MPPP after assembling: M index is =%d, start index is = %d, start seq=%d\n",M_index, this_fragmentation->start_index, this_fragmentation->start_seq);
1991 return;
1992 }
1993
1994 // process IPv6 packet received
1995 //
1996 // This MUST be called with at least 4 byte behind 'p'.
1997 // (i.e. this routine writes to p[-4]).
1998 void processipv6in(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
1999 {
2000 struct in6_addr ip;
2001 in_addr_t ipv4;
2002
2003 CSTAT(processipv6in);
2004
2005 LOG_HEX(5, "IPv6", p, l);
2006
2007 ip = *(struct in6_addr *) (p + 8);
2008 ipv4 = ntohl(*(uint32_t *)(p + 16));
2009
2010 if (l > MAXETHER)
2011 {
2012 LOG(1, s, t, "IP packet too long %d\n", l);
2013 STAT(tunnel_rx_errors);
2014 return ;
2015 }
2016
2017 if (session[s].ppp.phase != Network || session[s].ppp.ipv6cp != Opened)
2018 return;
2019
2020 // no spoof
2021 if (ipv4 != session[s].ip && memcmp(&config->ipv6_prefix, &ip, 8) && sessionbyipv6(ip) != s)
2022 {
2023 char str[INET6_ADDRSTRLEN];
2024 LOG(5, s, t, "Dropping packet with spoofed IP %s\n",
2025 inet_ntop(AF_INET6, &ip, str, INET6_ADDRSTRLEN));
2026 return;
2027 }
2028
2029 // Check if it's a Router Solicition message.
2030 if (*(p + 6) == 58 && *(p + 7) == 255 && *(p + 24) == 0xFF && *(p + 25) == 2 &&
2031 *(uint32_t *)(p + 26) == 0 && *(uint32_t *)(p + 30) == 0 &&
2032 *(uint32_t *)(p + 34) == 0 &&
2033 *(p + 38) == 0 && *(p + 39) == 2 && *(p + 40) == 133) {
2034 LOG(3, s, t, "Got IPv6 RS\n");
2035 send_ipv6_ra(s, t, &ip);
2036 return;
2037 }
2038
2039 // Add on the tun header
2040 p -= 4;
2041 *(uint32_t *) p = htonl(PKTIPV6);
2042 l += 4;
2043
2044 // Are we throttled and a slave?
2045 if (session[s].tbf_in && !config->cluster_iam_master) {
2046 // Pass it to the master for handling.
2047 master_throttle_packet(session[s].tbf_in, p, l);
2048 return;
2049 }
2050
2051 // Are we throttled and a master??
2052 if (session[s].tbf_in && config->cluster_iam_master) {
2053 // Actually handle the throttled packets.
2054 tbf_queue_packet(session[s].tbf_in, p, l);
2055 return;
2056 }
2057
2058 // send to ethernet
2059 if (tun_write(p, l) < 0)
2060 {
2061 STAT(tun_tx_errors);
2062 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
2063 l, strerror(errno), tunfd, p);
2064
2065 return;
2066 }
2067
2068 p += 4;
2069 l -= 4;
2070
2071 if (session[s].snoop_ip && session[s].snoop_port)
2072 {
2073 // Snooping this session
2074 snoop_send_packet(p, l, session[s].snoop_ip, session[s].snoop_port);
2075 }
2076
2077 update_sessions_in_stat(s, l);
2078
2079 eth_tx += l;
2080
2081 STAT(tun_tx_packets);
2082 INC_STAT(tun_tx_bytes, l);
2083 }
2084
2085 //
2086 // Helper routine for the TBF filters.
2087 // Used to send queued data in from the user.
2088 //
2089 void send_ipin(sessionidt s, uint8_t *buf, int len)
2090 {
2091 LOG_HEX(5, "IP in throttled", buf, len);
2092
2093 if (write(tunfd, buf, len) < 0)
2094 {
2095 STAT(tun_tx_errors);
2096 LOG(0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
2097 len, strerror(errno), tunfd, buf);
2098
2099 return;
2100 }
2101
2102 buf += 4;
2103 len -= 4;
2104
2105 if (session[s].snoop_ip && session[s].snoop_port)
2106 {
2107 // Snooping this session
2108 snoop_send_packet(buf, len, session[s].snoop_ip, session[s].snoop_port);
2109 }
2110
2111 // Increment packet counters
2112 increment_counter(&session[s].cin, &session[s].cin_wrap, len);
2113 session[s].cin_delta += len;
2114 session[s].pin++;
2115
2116 sess_local[s].cin += len;
2117 sess_local[s].pin++;
2118
2119 eth_tx += len;
2120
2121 STAT(tun_tx_packets);
2122 INC_STAT(tun_tx_bytes, len - 4);
2123 }
2124
2125
2126 // Process CCP messages
2127 void processccp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
2128 {
2129 uint8_t b[MAXETHER];
2130 uint8_t *q;
2131
2132 CSTAT(processccp);
2133
2134 LOG_HEX(5, "CCP", p, l);
2135
2136 if (session[s].ppp.phase < Network)
2137 {
2138 LOG(2, s, t, "CCP %s ignored in %s phase\n", ppp_code(*p), ppp_phase(session[s].ppp.phase));
2139 return;
2140 }
2141
2142 if (l < 1)
2143 {
2144 LOG(1, s, t, "Short CCP packet\n");
2145 STAT(tunnel_rx_errors);
2146 }
2147
2148 LOG(4, s, t, "CCP: recv %s\n", ppp_code(*p));
2149 if (*p == ConfigAck)
2150 {
2151 switch (session[s].ppp.ccp)
2152 {
2153 case RequestSent:
2154 initialise_restart_count(s, ccp);
2155 change_state(s, ccp, AckReceived);
2156 break;
2157
2158 case AckReceived:
2159 case Opened:
2160 LOG(2, s, t, "CCP: ConfigAck in state %s? Sending ConfigReq\n", ppp_state(session[s].ppp.ccp));
2161 sendccp(s, t);
2162 change_state(s, ccp, RequestSent);
2163 break;
2164
2165 case AckSent:
2166 LOG(3, s, t, "CCP: Opened\n");
2167 change_state(s, ccp, Opened);
2168 break;
2169
2170 default:
2171 LOG(2, s, t, "CCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ccp));
2172 }
2173 }
2174 else if (*p == ConfigReq)
2175 {
2176 if (l < 6) // accept no compression
2177 *p = ConfigAck;
2178 else // compression requested--reject
2179 *p = ConfigRej;
2180
2181 q = makeppp(b, sizeof(b), p, l, s, t, PPPCCP, 0, 0, 0);
2182 if (!q) return;
2183
2184 switch (session[s].ppp.ccp)
2185 {
2186 case Closed:
2187 q = makeppp(b, sizeof(b), p, 2, s, t, PPPCCP, 0, 0, 0);
2188 if (!q) return;
2189 *q = TerminateAck;
2190 *((uint16_t *) (q + 2)) = htons(l = 4);
2191 break;
2192
2193 case Stopped:
2194 initialise_restart_count(s, ccp);
2195 sendccp(s, t);
2196 if (*q == ConfigAck)
2197 change_state(s, ccp, AckSent);
2198 else
2199 change_state(s, ccp, RequestSent);
2200
2201 break;
2202
2203 case RequestSent:
2204 if (*q == ConfigAck)
2205 change_state(s, ccp, AckSent);
2206
2207 break;
2208
2209 case AckReceived:
2210 if (*q == ConfigAck)
2211 change_state(s, ccp, Opened);
2212
2213 break;
2214
2215 case Opened:
2216 initialise_restart_count(s, ccp);
2217 sendccp(s, t);
2218 /* fallthrough */
2219
2220 case AckSent:
2221 if (*q == ConfigAck)
2222 change_state(s, ccp, AckSent);
2223 else
2224 change_state(s, ccp, RequestSent);
2225
2226 break;
2227
2228 default:
2229 LOG(2, s, t, "CCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ccp));
2230 return;
2231 }
2232
2233 LOG(4, s, t, "CCP: send %s\n", ppp_code(*q));
2234 tunnelsend(b, l + (q - b), t);
2235 }
2236 else if (*p == TerminateReq)
2237 {
2238 *p = TerminateAck;
2239 q = makeppp(b, sizeof(b), p, l, s, t, PPPCCP, 0, 0, 0);
2240 if (!q) return;
2241 LOG(3, s, t, "CCP: send %s\n", ppp_code(*q));
2242 tunnelsend(b, l + (q - b), t);
2243 change_state(s, ccp, Stopped);
2244 }
2245 else if (*p != CodeRej)
2246 {
2247 ppp_code_rej(s, t, PPPCCP, "CCP", p, l, b, sizeof(b));
2248 }
2249 }
2250
2251 // send a CHAP challenge
2252 void sendchap(sessionidt s, tunnelidt t)
2253 {
2254 uint8_t b[MAXETHER];
2255 uint16_t r;
2256 uint8_t *q;
2257
2258 CSTAT(sendchap);
2259
2260 r = radiusnew(s);
2261 if (!r)
2262 {
2263 LOG(1, s, t, "No RADIUS to send challenge\n");
2264 STAT(tunnel_tx_errors);
2265 return;
2266 }
2267
2268 LOG(1, s, t, "Send CHAP challenge\n");
2269
2270 radius[r].chap = 1; // CHAP not PAP
2271 radius[r].id++;
2272 if (radius[r].state != RADIUSCHAP)
2273 radius[r].try = 0;
2274
2275 radius[r].state = RADIUSCHAP;
2276 radius[r].retry = backoff(radius[r].try++);
2277 if (radius[r].try > 5)
2278 {
2279 sessionshutdown(s, "CHAP timeout.", CDN_ADMIN_DISC, TERM_REAUTHENTICATION_FAILURE);
2280 STAT(tunnel_tx_errors);
2281 return ;
2282 }
2283 q = makeppp(b, sizeof(b), 0, 0, s, t, PPPCHAP, 0, 0, 0);
2284 if (!q) return;
2285
2286 *q = 1; // challenge
2287 q[1] = radius[r].id; // ID
2288 q[4] = 16; // value size (size of challenge)
2289 memcpy(q + 5, radius[r].auth, 16); // challenge
2290 strcpy((char *) q + 21, hostname); // our name
2291 *(uint16_t *) (q + 2) = htons(strlen(hostname) + 21); // length
2292 tunnelsend(b, strlen(hostname) + 21 + (q - b), t); // send it
2293 }
2294
2295 // fill in a L2TP message with a PPP frame,
2296 // returns start of PPP frame
2297 uint8_t *makeppp(uint8_t *b, int size, uint8_t *p, int l, sessionidt s, tunnelidt t, uint16_t mtype, uint8_t prio, bundleidt bid, uint8_t mp_bits)
2298 {
2299 uint16_t hdr = 0x0002; // L2TP with no options
2300 uint16_t type = mtype;
2301 uint8_t *start = b;
2302
2303 if (size < 16) // Need more space than this!!
2304 {
2305 LOG(0, s, t, "makeppp buffer too small for L2TP header (size=%d)\n", size);
2306 return NULL;
2307 }
2308
2309 if (prio) hdr |= 0x0100; // set priority bit
2310
2311 *(uint16_t *) (b + 0) = htons(hdr);
2312 *(uint16_t *) (b + 2) = htons(tunnel[t].far); // tunnel
2313 *(uint16_t *) (b + 4) = htons(session[s].far); // session
2314 b += 6;
2315
2316 // Check whether this session is part of multilink
2317 if (bid)
2318 {
2319 if (bundle[bid].num_of_links > 1)
2320 type = PPPMP; // Change PPP message type to the PPPMP
2321 else
2322 bid = 0;
2323 }
2324
2325 if (type == PPPLCP || !(session[s].flags & SESSION_ACFC))
2326 {
2327 *(uint16_t *) b = htons(0xFF03); // HDLC header
2328 b += 2;
2329 }
2330
2331 if (type < 0x100 && session[s].flags & SESSION_PFC)
2332 {
2333 *b++ = type;
2334 }
2335 else
2336 {
2337 *(uint16_t *) b = htons(type);
2338 b += 2;
2339 }
2340
2341 if (bid)
2342 {
2343 // Set the sequence number and (B)egin (E)nd flags
2344 if (session[s].mssf)
2345 {
2346 // Set the multilink bits
2347 uint16_t bits_send = mp_bits;
2348 *(uint16_t *) b = htons((bundle[bid].seq_num_t & 0x0FFF)|bits_send);
2349 b += 2;
2350 }
2351 else
2352 {
2353 *(uint32_t *) b = htonl(bundle[bid].seq_num_t);
2354 // Set the multilink bits
2355 *b = mp_bits;
2356 b += 4;
2357 }
2358
2359 bundle[bid].seq_num_t++;
2360
2361 // Add the message type if this fragment has the begin bit set
2362 if (mp_bits & MP_BEGIN)
2363 {
2364 //*b++ = mtype; // The next two lines are instead of this
2365 *(uint16_t *) b = htons(mtype); // Message type
2366 b += 2;
2367 }
2368 }
2369
2370 if ((b - start) + l > size)
2371 {
2372 LOG(2, s, t, "makeppp would overflow buffer (size=%d, header+payload=%d)\n", size, (b - start) + l);
2373 return NULL;
2374 }
2375
2376 // Copy the payload
2377 if (p && l)
2378 memcpy(b, p, l);
2379
2380 return b;
2381 }
2382
2383 static int add_lcp_auth(uint8_t *b, int size, int authtype)
2384 {
2385 int len = 0;
2386 if ((authtype == AUTHCHAP && size < 5) || size < 4)
2387 return 0;
2388
2389 *b++ = 3; // Authentication-Protocol
2390 if (authtype == AUTHCHAP)
2391 {
2392 len = *b++ = 5; // length
2393 *(uint16_t *) b = htons(PPPCHAP); b += 2;
2394 *b++ = 5; // MD5
2395 }
2396 else if (authtype == AUTHPAP)
2397 {
2398 len = *b++ = 4; // length
2399 *(uint16_t *) b = htons(PPPPAP); b += 2;
2400 }
2401 else
2402 {
2403 LOG(0, 0, 0, "add_lcp_auth called with unsupported auth type %d\n", authtype);
2404 }
2405
2406 return len;
2407 }
2408
2409 // Send LCP ConfigReq for MRU, authentication type and magic no
2410 void sendlcp(sessionidt s, tunnelidt t)
2411 {
2412 uint8_t b[500], *q, *l;
2413 int authtype = sess_local[s].lcp_authtype;
2414
2415 if (!(q = makeppp(b, sizeof(b), NULL, 0, s, t, PPPLCP, 0, 0, 0)))
2416 return;
2417
2418 LOG(3, s, t, "LCP: send ConfigReq%s%s%s including MP options\n",
2419 authtype ? " (" : "",
2420 authtype ? (authtype == AUTHCHAP ? "CHAP" : "PAP") : "",
2421 authtype ? ")" : "");
2422
2423 l = q;
2424 *l++ = ConfigReq;
2425 *l++ = ++sess_local[s].lcp_ident; // ID
2426
2427 l += 2; //Save space for length
2428
2429 if (sess_local[s].ppp_mru)
2430 {
2431 *l++ = 1; *l++ = 4; // Maximum-Receive-Unit (length 4)
2432 *(uint16_t *) l = htons(sess_local[s].ppp_mru); l += 2;
2433 }
2434
2435 if (authtype)
2436 l += add_lcp_auth(l, sizeof(b) - (l - b), authtype);
2437
2438 if (session[s].magic)
2439 {
2440 *l++ = 5; *l++ = 6; // Magic-Number (length 6)
2441 *(uint32_t *) l = htonl(session[s].magic);
2442 l += 4;
2443 }
2444
2445 if (sess_local[s].mp_mrru)
2446 {
2447 *l++ = 17; *l++ = 4; // Multilink Max-Receive-Reconstructed-Unit (length 4)
2448 *(uint16_t *) l = htons(sess_local[s].mp_mrru); l += 2;
2449 }
2450
2451 if (sess_local[s].mp_epdis)
2452 {
2453 *l++ = 19; *l++ = 7; // Multilink Endpoint Discriminator (length 7)
2454 *l++ = IPADDR; // Endpoint Discriminator class
2455 *(uint32_t *) l = htonl(sess_local[s].mp_epdis);
2456 l += 4;
2457 }
2458
2459 *(uint16_t *)(q + 2) = htons(l - q); // Length
2460
2461 LOG_HEX(5, "PPPLCP", q, l - q);
2462 if (config->debug > 3) dumplcp(q, l - q);
2463
2464 tunnelsend(b, (l - b), t);
2465 restart_timer(s, lcp);
2466 }
2467
2468 // Send CCP request for no compression
2469 void sendccp(sessionidt s, tunnelidt t)
2470 {
2471 uint8_t b[500], *q;
2472
2473 if (!(q = makeppp(b, sizeof(b), NULL, 0, s, t, PPPCCP, 0, 0, 0)))
2474 return;
2475
2476 LOG(3, s, t, "CCP: send ConfigReq (no compression)\n");
2477
2478 *q = ConfigReq;
2479 *(q + 1) = ++sess_local[s].lcp_ident; // ID
2480 *(uint16_t *)(q + 2) = htons(4); // Length
2481
2482 LOG_HEX(5, "PPPCCP", q, 4);
2483 tunnelsend(b, (q - b) + 4 , t);
2484 restart_timer(s, ccp);
2485 }
2486
2487 // Reject unknown/unconfigured protocols
2488 void protoreject(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l, uint16_t proto)
2489 {
2490
2491 uint8_t buf[MAXETHER];
2492 uint8_t *q;
2493 int mru = session[s].mru;
2494 if (mru < MINMTU) mru = MINMTU;
2495 if (mru > sizeof(buf)) mru = sizeof(buf);
2496
2497 l += 6;
2498 if (l > mru) l = mru;
2499
2500 q = makeppp(buf, sizeof(buf), 0, 0, s, t, PPPLCP, 0, 0, 0);
2501 if (!q) return;
2502
2503 *q = ProtocolRej;
2504 *(q + 1) = ++sess_local[s].lcp_ident;
2505 *(uint16_t *)(q + 2) = htons(l);
2506 *(uint16_t *)(q + 4) = htons(proto);
2507 memcpy(q + 6, p, l - 6);
2508
2509 if (proto == PPPIPV6CP)
2510 LOG(3, s, t, "LCP: send ProtocolRej (IPV6CP: not configured)\n");
2511 else
2512 LOG(2, s, t, "LCP: sent ProtocolRej (0x%04X: unsupported)\n", proto);
2513
2514 tunnelsend(buf, l + (q - buf), t);
2515 }