c369f3755b2adc6c71604ec4f397a4e59ace4046
[l2tpns.git] / ppp.c
1 // L2TPNS PPP Stuff
2
3 char const *cvs_id_ppp = "$Id: ppp.c,v 1.100 2006-04-27 09:53:50 bodea Exp $";
4
5 #include <stdio.h>
6 #include <string.h>
7 #include <unistd.h>
8 #include <errno.h>
9 #include <stdlib.h>
10 #include "l2tpns.h"
11 #include "constants.h"
12 #include "plugin.h"
13 #include "util.h"
14 #include "tbf.h"
15 #include "cluster.h"
16
17 extern tunnelt *tunnel;
18 extern bundlet *bundle;
19 extern fragmentationt *frag;
20 extern sessiont *session;
21 extern radiust *radius;
22 extern int tunfd;
23 extern char hostname[];
24 extern uint32_t eth_tx;
25 extern time_t time_now;
26 extern configt *config;
27
28 static int add_lcp_auth(uint8_t *b, int size, int authtype);
29 static bundleidt new_bundle(void);
30 static int epdiscmp(epdist, epdist);
31 static void setepdis(epdist *, epdist);
32 static void ipcp_open(sessionidt s, tunnelidt t);
33
34 // Process PAP messages
35 void processpap(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
36 {
37 char user[MAXUSER];
38 char pass[MAXPASS];
39 uint16_t hl;
40 uint16_t r;
41
42 CSTAT(processpap);
43
44 LOG_HEX(5, "PAP", p, l);
45 if (l < 4)
46 {
47 LOG(1, s, t, "Short PAP %u bytes\n", l);
48 STAT(tunnel_rx_errors);
49 sessionshutdown(s, "Short PAP packet.", CDN_ADMIN_DISC, TERM_USER_ERROR);
50 return;
51 }
52
53 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
54 {
55 LOG(1, s, t, "Length mismatch PAP %u/%u\n", hl, l);
56 STAT(tunnel_rx_errors);
57 sessionshutdown(s, "PAP length mismatch.", CDN_ADMIN_DISC, TERM_USER_ERROR);
58 return;
59 }
60 l = hl;
61
62 if (*p != 1)
63 {
64 LOG(1, s, t, "Unexpected PAP code %d\n", *p);
65 STAT(tunnel_rx_errors);
66 sessionshutdown(s, "Unexpected PAP code.", CDN_ADMIN_DISC, TERM_USER_ERROR);
67 return;
68 }
69
70 if (session[s].ppp.phase != Authenticate)
71 {
72 LOG(2, s, t, "PAP ignored in %s phase\n", ppp_phase(session[s].ppp.phase));
73 return;
74 }
75
76 {
77 uint8_t *b = p;
78 b += 4;
79 user[0] = pass[0] = 0;
80 if (*b && *b < sizeof(user))
81 {
82 memcpy(user, b + 1, *b);
83 user[*b] = 0;
84 b += 1 + *b;
85 if (*b && *b < sizeof(pass))
86 {
87 memcpy(pass, b + 1, *b);
88 pass[*b] = 0;
89 }
90 }
91 LOG(3, s, t, "PAP login %s/%s\n", user, pass);
92 }
93
94 if (session[s].ip || !(r = radiusnew(s)))
95 {
96 // respond now, either no RADIUS available or already authenticated
97 uint8_t b[MAXETHER];
98 uint8_t id = p[1];
99 uint8_t *p = makeppp(b, sizeof(b), 0, 0, s, t, PPPPAP, 0, 0, 0);
100 if (!p) return;
101
102 if (session[s].ip)
103 *p = 2; // ACK
104 else
105 *p = 3; // cant authorise
106 p[1] = id;
107 *(uint16_t *) (p + 2) = htons(5); // length
108 p[4] = 0; // no message
109 tunnelsend(b, 5 + (p - b), t); // send it
110
111 if (session[s].ip)
112 {
113 LOG(3, s, t, "Already an IP allocated: %s (%d)\n",
114 fmtaddr(htonl(session[s].ip), 0), session[s].ip_pool_index);
115 }
116 else
117 {
118 LOG(1, s, t, "No RADIUS session available to authenticate session...\n");
119 sessionshutdown(s, "No free RADIUS sessions.", CDN_UNAVAILABLE, TERM_SERVICE_UNAVAILABLE);
120 }
121 }
122 else
123 {
124 // Run PRE_AUTH plugins
125 struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
126 run_plugins(PLUGIN_PRE_AUTH, &packet);
127 if (!packet.continue_auth)
128 {
129 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
130 if (packet.username) free(packet.username);
131 if (packet.password) free(packet.password);
132 return;
133 }
134
135 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
136 strncpy(radius[r].pass, packet.password, sizeof(radius[r].pass) - 1);
137
138 free(packet.username);
139 free(packet.password);
140
141 radius[r].id = p[1];
142 LOG(3, s, t, "Sending login for %s/%s to RADIUS\n", user, pass);
143 radiussend(r, RADIUSAUTH);
144 }
145 }
146
147 // Process CHAP messages
148 void processchap(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
149 {
150 uint16_t r;
151 uint16_t hl;
152
153 CSTAT(processchap);
154
155 LOG_HEX(5, "CHAP", p, l);
156
157 if (l < 4)
158 {
159 LOG(1, s, t, "Short CHAP %u bytes\n", l);
160 STAT(tunnel_rx_errors);
161 sessionshutdown(s, "Short CHAP packet.", CDN_ADMIN_DISC, TERM_USER_ERROR);
162 return;
163 }
164
165 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
166 {
167 LOG(1, s, t, "Length mismatch CHAP %u/%u\n", hl, l);
168 STAT(tunnel_rx_errors);
169 sessionshutdown(s, "CHAP length mismatch.", CDN_ADMIN_DISC, TERM_USER_ERROR);
170 return;
171 }
172 l = hl;
173
174 if (*p != 2)
175 {
176 LOG(1, s, t, "Unexpected CHAP response code %d\n", *p);
177 STAT(tunnel_rx_errors);
178 sessionshutdown(s, "CHAP length mismatch.", CDN_ADMIN_DISC, TERM_USER_ERROR);
179 return;
180 }
181
182 r = sess_local[s].radius;
183 if (!r)
184 {
185 LOG(3, s, t, "Unexpected CHAP message\n");
186 return;
187 }
188
189 if (session[s].ppp.phase != Authenticate)
190 {
191 LOG(2, s, t, "CHAP ignored in %s phase\n", ppp_phase(session[s].ppp.phase));
192 return;
193 }
194
195 if (p[1] != radius[r].id)
196 {
197 LOG(1, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
198 STAT(tunnel_rx_errors);
199 sessionshutdown(s, "Unexpected CHAP response ID.", CDN_ADMIN_DISC, TERM_USER_ERROR);
200 return;
201 }
202
203 if (l < 5 || p[4] != 16)
204 {
205 LOG(1, s, t, "Bad CHAP response length %d\n", l < 5 ? -1 : p[4]);
206 STAT(tunnel_rx_errors);
207 sessionshutdown(s, "Bad CHAP response length.", CDN_ADMIN_DISC, TERM_USER_ERROR);
208 return;
209 }
210
211 l -= 5;
212 p += 5;
213 if (l < 16 || l - 16 >= sizeof(session[s].user))
214 {
215 LOG(1, s, t, "CHAP user too long %d\n", l - 16);
216 STAT(tunnel_rx_errors);
217 sessionshutdown(s, "CHAP username too long.", CDN_ADMIN_DISC, TERM_USER_ERROR);
218 return;
219 }
220
221 // Run PRE_AUTH plugins
222 {
223 struct param_pre_auth packet = { &tunnel[t], &session[s], NULL, NULL, PPPCHAP, 1 };
224
225 packet.password = calloc(17, 1);
226 memcpy(packet.password, p, 16);
227
228 p += 16;
229 l -= 16;
230
231 packet.username = calloc(l + 1, 1);
232 memcpy(packet.username, p, l);
233
234 run_plugins(PLUGIN_PRE_AUTH, &packet);
235 if (!packet.continue_auth)
236 {
237 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
238 if (packet.username) free(packet.username);
239 if (packet.password) free(packet.password);
240 return;
241 }
242
243 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
244 memcpy(radius[r].pass, packet.password, 16);
245
246 free(packet.username);
247 free(packet.password);
248 }
249
250 radius[r].chap = 1;
251 LOG(3, s, t, "CHAP login %s\n", session[s].user);
252 radiussend(r, RADIUSAUTH);
253 }
254
255 static void dumplcp(uint8_t *p, int l)
256 {
257 int x = l - 4;
258 uint8_t *o = (p + 4);
259
260 LOG_HEX(5, "PPP LCP Packet", p, l);
261 LOG(4, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_code((int)*p), ntohs( ((uint16_t *) p)[1]) );
262 LOG(4, 0, 0, "Length: %d\n", l);
263 if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
264 return;
265
266 while (x > 2)
267 {
268 int type = o[0];
269 int length = o[1];
270 if (length < 2)
271 {
272 LOG(4, 0, 0, " Option length is %d...\n", length);
273 break;
274 }
275 if (type == 0)
276 {
277 LOG(4, 0, 0, " Option type is 0...\n");
278 x -= length;
279 o += length;
280 continue;
281 }
282 switch (type)
283 {
284 case 1: // Maximum-Receive-Unit
285 if (length == 4)
286 LOG(4, 0, 0, " %s %d\n", ppp_lcp_option(type), ntohs(*(uint16_t *)(o + 2)));
287 else
288 LOG(4, 0, 0, " %s odd length %d\n", ppp_lcp_option(type), length);
289 break;
290 case 2: // Async-Control-Character-Map
291 if (length == 6)
292 {
293 uint32_t asyncmap = ntohl(*(uint32_t *)(o + 2));
294 LOG(4, 0, 0, " %s %x\n", ppp_lcp_option(type), asyncmap);
295 }
296 else
297 LOG(4, 0, 0, " %s odd length %d\n", ppp_lcp_option(type), length);
298 break;
299 case 3: // Authentication-Protocol
300 if (length == 4)
301 {
302 int proto = ntohs(*(uint16_t *)(o + 2));
303 LOG(4, 0, 0, " %s 0x%x (%s)\n", ppp_lcp_option(type), proto,
304 proto == PPPPAP ? "PAP" : "UNSUPPORTED");
305 }
306 else if (length == 5)
307 {
308 int proto = ntohs(*(uint16_t *)(o + 2));
309 int algo = *(o + 4);
310 LOG(4, 0, 0, " %s 0x%x 0x%x (%s)\n", ppp_lcp_option(type), proto, algo,
311 (proto == PPPCHAP && algo == 5) ? "CHAP MD5" : "UNSUPPORTED");
312 }
313 else
314 LOG(4, 0, 0, " %s odd length %d\n", ppp_lcp_option(type), length);
315 break;
316 case 4: // Quality-Protocol
317 {
318 uint32_t qp = ntohl(*(uint32_t *)(o + 2));
319 LOG(4, 0, 0, " %s %x\n", ppp_lcp_option(type), qp);
320 }
321 break;
322 case 5: // Magic-Number
323 if (length == 6)
324 {
325 uint32_t magicno = ntohl(*(uint32_t *)(o + 2));
326 LOG(4, 0, 0, " %s %x\n", ppp_lcp_option(type), magicno);
327 }
328 else
329 LOG(4, 0, 0, " %s odd length %d\n", ppp_lcp_option(type), length);
330 break;
331 case 7: // Protocol-Field-Compression
332 case 8: // Address-And-Control-Field-Compression
333 LOG(4, 0, 0, " %s\n", ppp_lcp_option(type));
334 break;
335 default:
336 LOG(2, 0, 0, " Unknown PPP LCP Option type %d\n", type);
337 break;
338 }
339 x -= length;
340 o += length;
341 }
342 }
343
344 void lcp_open(sessionidt s, tunnelidt t)
345 {
346 // transition to Authentication or Network phase:
347 session[s].ppp.phase = sess_local[s].lcp_authtype ? Authenticate : Network;
348
349 LOG(3, s, t, "LCP: Opened, phase %s\n", ppp_phase(session[s].ppp.phase));
350
351 // LCP now Opened
352 change_state(s, lcp, Opened);
353
354 if (session[s].ppp.phase == Authenticate)
355 {
356 if (sess_local[s].lcp_authtype == AUTHCHAP)
357 sendchap(s, t);
358 }
359 else
360 {
361 if (session[s].bundle && bundle[session[s].bundle].num_of_links > 1)
362 {
363 sessionidt first_ses = bundle[session[s].bundle].members[0];
364 LOG(3, s, t, "MPPP: Skipping IPCP negotiation for session:%d, first session of bundle is:%d\n", s, first_ses);
365 session[s].ip = session[first_ses].ip;
366 session[s].dns1 = session[first_ses].dns1;
367 session[s].dns2 = session[first_ses].dns2;
368 session[s].timeout = session[first_ses].timeout;
369 ipcp_open(s, t);
370 }
371 else
372 {
373 // This-Layer-Up
374 sendipcp(s, t);
375 change_state(s, ipcp, RequestSent);
376 // move to passive state for IPv6 (if configured), CCP
377 if (config->ipv6_prefix.s6_addr[0])
378 change_state(s, ipv6cp, Stopped);
379 else
380 change_state(s, ipv6cp, Closed);
381
382 change_state(s, ccp, Stopped);
383 }
384 }
385 }
386
387 static void lcp_restart(sessionidt s)
388 {
389 session[s].ppp.phase = Establish;
390 // This-Layer-Down
391 change_state(s, ipcp, Dead);
392 change_state(s, ipv6cp, Dead);
393 change_state(s, ccp, Dead);
394 }
395
396 static uint8_t *ppp_conf_rej(sessionidt s, uint8_t *buf, size_t blen, uint16_t mtype,
397 uint8_t **response, uint8_t *queued, uint8_t *packet, uint8_t *option)
398 {
399 if (!*response || **response != ConfigRej)
400 {
401 queued = *response = makeppp(buf, blen, packet, 2, s, session[s].tunnel, mtype, 0, 0, 0);
402 if (!queued)
403 return 0;
404
405 *queued = ConfigRej;
406 queued += 4;
407 }
408
409 if ((queued - buf + option[1]) > blen)
410 {
411 LOG(2, s, session[s].tunnel, "PPP overflow for ConfigRej (proto %u, option %u).\n", mtype, *option);
412 return 0;
413 }
414
415 memcpy(queued, option, option[1]);
416 return queued + option[1];
417 }
418
419 static uint8_t *ppp_conf_nak(sessionidt s, uint8_t *buf, size_t blen, uint16_t mtype,
420 uint8_t **response, uint8_t *queued, uint8_t *packet, uint8_t *option,
421 uint8_t *value, size_t vlen)
422 {
423 int *nak_sent;
424 switch (mtype)
425 {
426 case PPPLCP: nak_sent = &sess_local[s].lcp.nak_sent; break;
427 case PPPIPCP: nak_sent = &sess_local[s].ipcp.nak_sent; break;
428 case PPPIPV6CP: nak_sent = &sess_local[s].ipv6cp.nak_sent; break;
429 default: return 0; // ?
430 }
431
432 if (*response && **response != ConfigNak)
433 {
434 if (*nak_sent < config->ppp_max_failure) // reject queued
435 return queued;
436
437 return ppp_conf_rej(s, buf, blen, mtype, response, 0, packet, option);
438 }
439
440 if (!*response)
441 {
442 if (*nak_sent >= config->ppp_max_failure)
443 return ppp_conf_rej(s, buf, blen, mtype, response, 0, packet, option);
444
445 queued = *response = makeppp(buf, blen, packet, 2, s, session[s].tunnel, mtype, 0, 0, 0);
446 if (!queued)
447 return 0;
448
449 (*nak_sent)++;
450 *queued = ConfigNak;
451 queued += 4;
452 }
453
454 if ((queued - buf + vlen + 2) > blen)
455 {
456 LOG(2, s, session[s].tunnel, "PPP overflow for ConfigNak (proto %u, option %u).\n", mtype, *option);
457 return 0;
458 }
459
460 *queued++ = *option;
461 *queued++ = vlen + 2;
462 memcpy(queued, value, vlen);
463 return queued + vlen;
464 }
465
466 static void ppp_code_rej(sessionidt s, tunnelidt t, uint16_t proto,
467 char *pname, uint8_t *p, uint16_t l, uint8_t *buf, size_t size)
468 {
469 uint8_t *q;
470 int mru = session[s].mru;
471 if (mru < MINMTU) mru = MINMTU;
472 if (mru > size) mru = size;
473
474 l += 4;
475 if (l > mru) l = mru;
476
477 q = makeppp(buf, size, 0, 0, s, t, proto, 0, 0, 0);
478 if (!q) return;
479
480 *q = CodeRej;
481 *(q + 1) = ++sess_local[s].lcp_ident;
482 *(uint16_t *)(q + 2) = htons(l);
483 memcpy(q + 4, p, l - 4);
484
485 LOG(2, s, t, "Unexpected %s code %s\n", pname, ppp_code(*p));
486 LOG(3, s, t, "%s: send %s\n", pname, ppp_code(*q));
487 if (config->debug > 3) dumplcp(q, l);
488
489 tunnelsend(buf, l + (q - buf), t);
490 }
491
492 // Process LCP messages
493 void processlcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
494 {
495 uint8_t b[MAXETHER];
496 uint8_t *q = NULL;
497 uint16_t hl;
498
499 CSTAT(processlcp);
500
501 LOG_HEX(5, "LCP", p, l);
502 if (l < 4)
503 {
504 LOG(1, s, t, "Short LCP %d bytes\n", l);
505 STAT(tunnel_rx_errors);
506 return ;
507 }
508
509 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
510 {
511 LOG(1, s, t, "Length mismatch LCP %u/%u\n", hl, l);
512 STAT(tunnel_rx_errors);
513 return ;
514 }
515 l = hl;
516
517 if (session[s].die) // going down...
518 return;
519
520 LOG((*p == EchoReq || *p == EchoReply) ? 4 : 3, s, t,
521 "LCP: recv %s\n", ppp_code(*p));
522
523 if (config->debug > 3) dumplcp(p, l);
524
525 if (*p == ConfigAck)
526 {
527 int x = l - 4;
528 uint8_t *o = (p + 4);
529 int authtype = 0;
530
531 while (x > 2)
532 {
533 int type = o[0];
534 int length = o[1];
535
536 if (length == 0 || type == 0 || x < length) break;
537 switch (type)
538 {
539 case 3: // Authentication-Protocol
540 {
541 int proto = ntohs(*(uint16_t *)(o + 2));
542 if (proto == PPPPAP)
543 authtype = AUTHPAP;
544 else if (proto == PPPCHAP && *(o + 4) == 5)
545 authtype = AUTHCHAP;
546 }
547
548 break;
549 }
550 x -= length;
551 o += length;
552 }
553
554 if (!session[s].ip && authtype)
555 sess_local[s].lcp_authtype = authtype;
556
557 switch (session[s].ppp.lcp)
558 {
559 case RequestSent:
560 initialise_restart_count(s, lcp);
561 change_state(s, lcp, AckReceived);
562 break;
563
564 case AckReceived:
565 case Opened:
566 LOG(2, s, t, "LCP: ConfigAck in state %s? Sending ConfigReq\n", ppp_state(session[s].ppp.lcp));
567 if (session[s].ppp.lcp == Opened)
568 lcp_restart(s);
569
570 sendlcp(s, t);
571 change_state(s, lcp, RequestSent);
572 break;
573
574 case AckSent:
575 lcp_open(s, t);
576 break;
577
578 default:
579 LOG(2, s, t, "LCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.lcp));
580 }
581 }
582 else if (*p == ConfigReq)
583 {
584 int x = l - 4;
585 uint8_t *o = (p + 4);
586 uint8_t *response = 0;
587 static uint8_t asyncmap[4] = { 0, 0, 0, 0 }; // all zero
588 static uint8_t authproto[5];
589 int changed = 0;
590
591 while (x > 2)
592 {
593 int type = o[0];
594 int length = o[1];
595
596 if (length == 0 || type == 0 || x < length) break;
597 switch (type)
598 {
599 case 1: // Maximum-Receive-Unit
600 {
601 uint16_t mru = ntohs(*(uint16_t *)(o + 2));
602 if (mru >= MINMTU)
603 {
604 session[s].mru = mru;
605 changed++;
606 break;
607 }
608
609 LOG(3, s, t, " Remote requesting MRU of %u. Rejecting.\n", mru);
610 mru = htons(MRU);
611 q = ppp_conf_nak(s, b, sizeof(b), PPPLCP, &response, q, p, o, (uint8_t *) &mru, sizeof(mru));
612 }
613 break;
614
615 case 2: // Async-Control-Character-Map
616 if (!ntohl(*(uint32_t *)(o + 2))) // all bits zero is OK
617 break;
618
619 LOG(3, s, t, " Remote requesting asyncmap. Rejecting.\n");
620 q = ppp_conf_nak(s, b, sizeof(b), PPPLCP, &response, q, p, o, asyncmap, sizeof(asyncmap));
621 break;
622
623 case 3: // Authentication-Protocol
624 {
625 int proto = ntohs(*(uint16_t *)(o + 2));
626 char proto_name[] = "0x0000";
627 int alen;
628
629 if (proto == PPPPAP)
630 {
631 if (config->radius_authtypes & AUTHPAP)
632 {
633 sess_local[s].lcp_authtype = AUTHPAP;
634 break;
635 }
636
637 strcpy(proto_name, "PAP");
638 }
639 else if (proto == PPPCHAP)
640 {
641 if (config->radius_authtypes & AUTHCHAP
642 && *(o + 4) == 5) // MD5
643 {
644 sess_local[s].lcp_authtype = AUTHCHAP;
645 break;
646 }
647
648 strcpy(proto_name, "CHAP");
649 }
650 else
651 sprintf(proto_name, "%#4.4x", proto);
652
653 LOG(3, s, t, " Remote requesting %s authentication. Rejecting.\n", proto_name);
654
655 alen = add_lcp_auth(authproto, sizeof(authproto), config->radius_authprefer);
656 if (alen < 2) break; // paranoia
657
658 q = ppp_conf_nak(s, b, sizeof(b), PPPLCP, &response, q, p, o, authproto + 2, alen - 2);
659 if (q && *response == ConfigNak &&
660 config->radius_authtypes != config->radius_authprefer)
661 {
662 // alternate type
663 alen = add_lcp_auth(authproto, sizeof(authproto), config->radius_authtypes & ~config->radius_authprefer);
664 if (alen < 2) break;
665 q = ppp_conf_nak(s, b, sizeof(b), PPPLCP, &response, q, p, o, authproto + 2, alen - 2);
666 }
667
668 break;
669 }
670 break;
671
672 case 4: // Quality-Protocol
673 case 5: // Magic-Number
674 case 7: // Protocol-Field-Compression
675 case 8: // Address-And-Control-Field-Compression
676 break;
677
678 case 17: // Multilink Max-Receive-Reconstructed-Unit
679 {
680 uint16_t mrru = ntohs(*(uint16_t *)(o + 2));
681 session[s].mrru = mrru;
682 changed++;
683 LOG(3, s, t, " Received PPP LCP option MRRU: %d\n",mrru);
684 }
685 break;
686
687 case 18: // Multilink Short Sequence Number Header Format
688 {
689 session[s].mssf = 1;
690 changed++;
691 LOG(3, s, t, " Received PPP LCP option MSSN format\n");
692 }
693 break;
694
695 case 19: // Multilink Endpoint Discriminator
696 {
697 uint8_t epdis_class = o[2];
698 int addr;
699
700 session[s].epdis.addr_class = epdis_class;
701 session[s].epdis.length = length - 3;
702 if (session[s].epdis.length > 20)
703 {
704 LOG(1, s, t, "Error: received EndDis Address Length more than 20: %d\n", session[s].epdis.length);
705 session[s].epdis.length = 20;
706 }
707
708 for (addr = 0; addr < session[s].epdis.length; addr++)
709 session[s].epdis.address[addr] = o[3+addr];
710
711 changed++;
712
713 switch (epdis_class)
714 {
715 case LOCALADDR:
716 LOG(3, s, t, " Received PPP LCP option Multilink EndDis Local Address Class: %d\n",epdis_class);
717 break;
718 case IPADDR:
719 LOG(3, s, t, " Received PPP LCP option Multilink EndDis IP Address Class: %d\n",epdis_class);
720 break;
721 case IEEEMACADDR:
722 LOG(3, s, t, " Received PPP LCP option Multilink EndDis IEEE MAC Address Class: %d\n",epdis_class);
723 break;
724 case PPPMAGIC:
725 LOG(3, s, t, " Received PPP LCP option Multilink EndDis PPP Magic No Class: %d\n",epdis_class);
726 break;
727 case PSNDN:
728 LOG(3, s, t, " Received PPP LCP option Multilink EndDis PSND No Class: %d\n",epdis_class);
729 break;
730 default:
731 LOG(3, s, t, " Received PPP LCP option Multilink EndDis NULL Class %d\n",epdis_class);
732 }
733 }
734 break;
735
736 default: // Reject any unknown options
737 LOG(3, s, t, " Rejecting unknown PPP LCP option %d\n", type);
738 q = ppp_conf_rej(s, b, sizeof(b), PPPLCP, &response, q, p, o);
739 }
740 x -= length;
741 o += length;
742 }
743
744 if (changed)
745 cluster_send_session(s);
746
747 if (response)
748 {
749 l = q - response; // LCP packet length
750 *((uint16_t *) (response + 2)) = htons(l); // update header
751 }
752 else
753 {
754 // Send packet back as ConfigAck
755 response = makeppp(b, sizeof(b), p, l, s, t, PPPLCP, 0, 0, 0);
756 if (!response) return;
757 *response = ConfigAck;
758 }
759
760 switch (session[s].ppp.lcp)
761 {
762 case Closed:
763 response = makeppp(b, sizeof(b), p, 2, s, t, PPPLCP, 0, 0, 0);
764 if (!response) return;
765 *response = TerminateAck;
766 *((uint16_t *) (response + 2)) = htons(l = 4);
767 break;
768
769 case Stopped:
770 initialise_restart_count(s, lcp);
771 sendlcp(s, t);
772 if (*response == ConfigAck)
773 change_state(s, lcp, AckSent);
774 else
775 change_state(s, lcp, RequestSent);
776
777 break;
778
779 case RequestSent:
780 if (*response == ConfigAck)
781 change_state(s, lcp, AckSent);
782
783 break;
784
785 case AckReceived:
786 if (*response == ConfigAck)
787 lcp_open(s, t);
788
789 break;
790
791 case Opened:
792 lcp_restart(s);
793 sendlcp(s, t);
794 /* fallthrough */
795
796 case AckSent:
797 if (*response == ConfigAck)
798 change_state(s, lcp, AckSent);
799 else
800 change_state(s, lcp, RequestSent);
801
802 break;
803
804 default:
805 LOG(2, s, t, "LCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.lcp));
806 return;
807 }
808
809 LOG(3, s, t, "LCP: send %s\n", ppp_code(*response));
810 if (config->debug > 3) dumplcp(response, l);
811
812 tunnelsend(b, l + (response - b), t);
813 }
814 else if (*p == ConfigNak || *p == ConfigRej)
815 {
816 int x = l - 4;
817 uint8_t *o = (p + 4);
818 int authtype = -1;
819
820 while (x > 2)
821 {
822 int type = o[0];
823 int length = o[1];
824
825 if (length == 0 || type == 0 || x < length) break;
826 switch (type)
827 {
828 case 1: // Maximum-Receive-Unit
829 if (*p == ConfigNak)
830 {
831 if (length < 4) break;
832 sess_local[s].ppp_mru = ntohs(*(uint16_t *)(o + 2));
833 LOG(3, s, t, " Remote requested MRU of %u\n", sess_local[s].ppp_mru);
834 }
835 else
836 {
837 sess_local[s].ppp_mru = 0;
838 LOG(3, s, t, " Remote rejected MRU negotiation\n");
839 }
840
841 break;
842
843 case 3: // Authentication-Protocol
844 if (authtype > 0)
845 break;
846
847 if (*p == ConfigNak)
848 {
849 int proto;
850
851 if (length < 4) break;
852 proto = ntohs(*(uint16_t *)(o + 2));
853
854 if (proto == PPPPAP)
855 {
856 authtype = config->radius_authtypes & AUTHPAP;
857 LOG(3, s, t, " Remote requested PAP authentication...%sing\n",
858 authtype ? "accept" : "reject");
859 }
860 else if (proto == PPPCHAP && length > 4 && *(o + 4) == 5)
861 {
862 authtype = config->radius_authtypes & AUTHCHAP;
863 LOG(3, s, t, " Remote requested CHAP authentication...%sing\n",
864 authtype ? "accept" : "reject");
865 }
866 else
867 {
868 LOG(3, s, t, " Rejecting unsupported authentication %#4x\n",
869 proto);
870 }
871 }
872 else
873 {
874 LOG(2, s, t, "LCP: remote rejected auth negotiation\n");
875 authtype = 0; // shutdown
876 }
877
878 break;
879
880 case 5: // Magic-Number
881 session[s].magic = 0;
882 if (*p == ConfigNak)
883 {
884 if (length < 6) break;
885 session[s].magic = ntohl(*(uint32_t *)(o + 2));
886 }
887
888 if (session[s].magic)
889 LOG(3, s, t, " Remote requested magic-no %x\n", session[s].magic);
890 else
891 LOG(3, s, t, " Remote rejected magic-no\n");
892
893 cluster_send_session(s);
894 break;
895
896 case 17: // Multilink Max-Receive-Reconstructed-Unit
897 {
898 if (*p == ConfigNak)
899 {
900 sess_local[s].mp_mrru = ntohs(*(uint16_t *)(o + 2));
901 LOG(3, s, t, " Remote requested MRRU of %u\n", sess_local[s].mp_mrru);
902 }
903 else
904 {
905 sess_local[s].mp_mrru = 0;
906 LOG(3, s, t, " Remote rejected MRRU negotiation\n");
907 }
908 }
909 break;
910
911 case 18: // Multilink Short Sequence Number Header Format
912 {
913 if (*p == ConfigNak)
914 {
915 sess_local[s].mp_mssf = 0;
916 LOG(3, s, t, " Remote requested Naked mssf\n");
917 }
918 else
919 {
920 sess_local[s].mp_mssf = 0;
921 LOG(3, s, t, " Remote rejected mssf\n");
922 }
923 }
924 break;
925
926 case 19: // Multilink Endpoint Discriminator
927 {
928 if (*p == ConfigNak)
929 {
930 LOG(2, s, t, " Remote should not configNak Endpoint Dis!\n");
931 }
932 else
933 {
934 sess_local[s].mp_epdis = 0;
935 LOG(3, s, t, " Remote rejected Endpoint Discriminator\n");
936 }
937 }
938 break;
939
940 default:
941 LOG(2, s, t, "LCP: remote sent %s for type %u?\n", ppp_code(*p), type);
942 sessionshutdown(s, "Unable to negotiate LCP.", CDN_ADMIN_DISC, TERM_USER_ERROR);
943 return;
944 }
945 x -= length;
946 o += length;
947 }
948
949 if (!authtype)
950 {
951 sessionshutdown(s, "Unsupported authentication.", CDN_ADMIN_DISC, TERM_USER_ERROR);
952 return;
953 }
954
955 if (authtype > 0)
956 sess_local[s].lcp_authtype = authtype;
957
958 switch (session[s].ppp.lcp)
959 {
960 case Closed:
961 case Stopped:
962 {
963 uint8_t *response = makeppp(b, sizeof(b), p, 2, s, t, PPPLCP, 0, 0, 0);
964 if (!response) return;
965 *response = TerminateAck;
966 *((uint16_t *) (response + 2)) = htons(l = 4);
967
968 LOG(3, s, t, "LCP: send %s\n", ppp_code(*response));
969 if (config->debug > 3) dumplcp(response, l);
970
971 tunnelsend(b, l + (response - b), t);
972 }
973 break;
974
975 case RequestSent:
976 case AckSent:
977 initialise_restart_count(s, lcp);
978 sendlcp(s, t);
979 break;
980
981 case AckReceived:
982 LOG(2, s, t, "LCP: ConfigNak in state %s? Sending ConfigReq\n", ppp_state(session[s].ppp.lcp));
983 sendlcp(s, t);
984 break;
985
986 case Opened:
987 lcp_restart(s);
988 sendlcp(s, t);
989 break;
990
991 default:
992 LOG(2, s, t, "LCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.lcp));
993 return;
994 }
995 }
996 else if (*p == TerminateReq)
997 {
998 switch (session[s].ppp.lcp)
999 {
1000 case Closed:
1001 case Stopped:
1002 case Closing:
1003 case Stopping:
1004 case RequestSent:
1005 case AckReceived:
1006 case AckSent:
1007 break;
1008
1009 case Opened:
1010 lcp_restart(s);
1011 zero_restart_count(s, lcp);
1012 change_state(s, lcp, Closing);
1013 break;
1014
1015 default:
1016 LOG(2, s, t, "LCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.lcp));
1017 return;
1018 }
1019
1020 *p = TerminateAck; // send ack
1021 q = makeppp(b, sizeof(b), p, l, s, t, PPPLCP, 0, 0, 0);
1022 if (!q) return;
1023
1024 LOG(3, s, t, "LCP: send %s\n", ppp_code(*q));
1025 if (config->debug > 3) dumplcp(q, l);
1026
1027 tunnelsend(b, l + (q - b), t); // send it
1028 }
1029 else if (*p == ProtocolRej)
1030 {
1031 uint16_t proto = 0;
1032
1033 if (l > 4)
1034 {
1035 proto = *(p+4);
1036 if (l > 5 && !(proto & 1))
1037 {
1038 proto <<= 8;
1039 proto |= *(p+5);
1040 }
1041 }
1042
1043 if (proto == PPPIPV6CP)
1044 {
1045 LOG(3, s, t, "IPv6 rejected\n");
1046 change_state(s, ipv6cp, Closed);
1047 }
1048 else
1049 {
1050 LOG(3, s, t, "LCP protocol reject: 0x%04X\n", proto);
1051 }
1052 }
1053 else if (*p == EchoReq)
1054 {
1055 *p = EchoReply; // reply
1056 *(uint32_t *) (p + 4) = htonl(session[s].magic); // our magic number
1057 q = makeppp(b, sizeof(b), p, l, s, t, PPPLCP, 0, 0, 0);
1058 if (!q) return;
1059
1060 LOG(4, s, t, "LCP: send %s\n", ppp_code(*q));
1061 if (config->debug > 3) dumplcp(q, l);
1062
1063 tunnelsend(b, l + (q - b), t); // send it
1064 }
1065 else if (*p == EchoReply)
1066 {
1067 // Ignore it, last_packet time is set earlier than this.
1068 }
1069 else if (*p != CodeRej)
1070 {
1071 ppp_code_rej(s, t, PPPLCP, "LCP", p, l, b, sizeof(b));
1072 }
1073 }
1074
1075 int join_bundle(sessionidt s)
1076 {
1077 // Search for a bundle to join
1078 bundleidt i;
1079 bundleidt b;
1080 for (i = 1; i < MAXBUNDLE; i++)
1081 {
1082 if (bundle[i].state != BUNDLEFREE)
1083 {
1084 if (epdiscmp(session[s].epdis,bundle[i].epdis) && !strcmp(session[s].user, bundle[i].user))
1085 {
1086 session[s].bundle = i;
1087 bundle[i].mrru = session[s].mrru;
1088 bundle[i].mssf = session[s].mssf;
1089 if (session[s].epdis.length > 0)
1090 setepdis(&bundle[i].epdis, session[s].epdis);
1091
1092 strcpy(bundle[i].user, session[s].user);
1093 bundle[i].members[bundle[i].num_of_links] = s;
1094 bundle[i].num_of_links++;
1095 LOG(3, s, session[s].tunnel, "MPPP: Bundling additional line in bundle (%d), lines:%d\n",i,bundle[i].num_of_links);
1096 return i;
1097 }
1098 }
1099 }
1100
1101 // No previously created bundle was found for this session, so create a new one
1102 if (!(b = new_bundle())) return 0;
1103
1104 session[s].bundle = b;
1105 bundle[b].mrru = session[s].mrru;
1106 bundle[b].mssf = session[s].mssf;
1107 if (session[s].epdis.length > 0)
1108 setepdis(&bundle[b].epdis, session[s].epdis);
1109
1110 strcpy(bundle[b].user, session[s].user);
1111 bundle[b].members[0] = s;
1112 LOG(3, s, session[s].tunnel, "MPPP: Created a new bundle (%d)\n", b);
1113 return b;
1114 }
1115
1116 static int epdiscmp(epdist ep1, epdist ep2)
1117 {
1118 int ad;
1119 if (ep1.length != ep2.length)
1120 return 0;
1121
1122 if (ep1.addr_class != ep2.addr_class)
1123 return 0;
1124
1125 for (ad = 0; ad < ep1.length; ad++)
1126 if (ep1.address[ad] != ep2.address[ad])
1127 return 0;
1128
1129 return 1;
1130 }
1131
1132 static void setepdis(epdist *ep1, epdist ep2)
1133 {
1134 int ad;
1135 ep1->length = ep2.length;
1136 ep1->addr_class = ep2.addr_class;
1137 for (ad = 0; ad < ep2.length; ad++)
1138 ep1->address[ad] = ep2.address[ad];
1139 }
1140
1141 static bundleidt new_bundle()
1142 {
1143 bundleidt i;
1144 for (i = 1; i < MAXBUNDLE; i++)
1145 {
1146 if (bundle[i].state == BUNDLEFREE)
1147 {
1148 LOG(4, 0, 0, "MPPP: Assigning bundle ID %d\n", i);
1149 bundle[i].num_of_links = 1;
1150 bundle[i].last_check = time_now; // Initialize last_check value
1151 bundle[i].state = BUNDLEOPEN;
1152 bundle[i].current_ses = -1; // This is to enforce the first session 0 to be used at first
1153 if (i > config->cluster_highest_bundleid)
1154 config->cluster_highest_bundleid = i;
1155 return i;
1156 }
1157 }
1158 LOG(0, 0, 0, "MPPP: Can't find a free bundle! There shouldn't be this many in use!\n");
1159 return 0;
1160 }
1161
1162 static void ipcp_open(sessionidt s, tunnelidt t)
1163 {
1164 LOG(3, s, t, "IPCP: Opened, session is now active\n");
1165
1166 change_state(s, ipcp, Opened);
1167
1168 if (!(session[s].walled_garden || session[s].flags & SESSION_STARTED))
1169 {
1170 uint16_t r = radiusnew(s);
1171 if (r)
1172 {
1173 radiussend(r, RADIUSSTART); // send radius start
1174
1175 // don't send further Start records if IPCP is restarted
1176 session[s].flags |= SESSION_STARTED;
1177 cluster_send_session(s);
1178 }
1179 }
1180
1181 // start IPv6 if configured and still in passive state
1182 if (session[s].ppp.ipv6cp == Stopped)
1183 {
1184 sendipv6cp(s, t);
1185 change_state(s, ipv6cp, RequestSent);
1186 }
1187 }
1188
1189 // Process IPCP messages
1190 void processipcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
1191 {
1192 uint8_t b[MAXETHER];
1193 uint8_t *q = 0;
1194 uint16_t hl;
1195
1196 CSTAT(processipcp);
1197
1198 LOG_HEX(5, "IPCP", p, l);
1199 if (l < 4)
1200 {
1201 LOG(1, s, t, "Short IPCP %d bytes\n", l);
1202 STAT(tunnel_rx_errors);
1203 return ;
1204 }
1205
1206 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
1207 {
1208 LOG(1, s, t, "Length mismatch IPCP %u/%u\n", hl, l);
1209 STAT(tunnel_rx_errors);
1210 return ;
1211 }
1212 l = hl;
1213
1214 if (session[s].ppp.phase < Network)
1215 {
1216 LOG(2, s, t, "IPCP %s ignored in %s phase\n", ppp_code(*p), ppp_phase(session[s].ppp.phase));
1217 return;
1218 }
1219
1220 LOG(3, s, t, "IPCP: recv %s\n", ppp_code(*p));
1221
1222 if (*p == ConfigAck)
1223 {
1224 switch (session[s].ppp.ipcp)
1225 {
1226 case RequestSent:
1227 initialise_restart_count(s, ipcp);
1228 change_state(s, ipcp, AckReceived);
1229 break;
1230
1231 case AckReceived:
1232 case Opened:
1233 LOG(2, s, t, "IPCP: ConfigAck in state %s? Sending ConfigReq\n", ppp_state(session[s].ppp.ipcp));
1234 sendipcp(s, t);
1235 change_state(s, ipcp, RequestSent);
1236 break;
1237
1238 case AckSent:
1239 ipcp_open(s, t);
1240 break;
1241
1242 default:
1243 LOG(2, s, t, "IPCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ipcp));
1244 }
1245 }
1246 else if (*p == ConfigReq)
1247 {
1248 uint8_t *response = 0;
1249 uint8_t *o = p + 4;
1250 int length = l - 4;
1251 int gotip = 0;
1252 in_addr_t addr;
1253
1254 while (length > 2)
1255 {
1256 if (!o[1] || o[1] > length) return;
1257
1258 switch (*o)
1259 {
1260 case 3: // ip address
1261 gotip++; // seen address
1262 if (o[1] != 6) return;
1263
1264 addr = htonl(session[s].ip);
1265 if (memcmp(o + 2, &addr, (sizeof addr)))
1266 {
1267 uint8_t *oq = q;
1268 q = ppp_conf_nak(s, b, sizeof(b), PPPIPCP, &response, q, p, o, (uint8_t *) &addr, sizeof(addr));
1269 if (!q || (q != oq && *response == ConfigRej))
1270 {
1271 sessionshutdown(s, "Can't negotiate IPCP.", CDN_ADMIN_DISC, TERM_USER_ERROR);
1272 return;
1273 }
1274 }
1275
1276 break;
1277
1278 case 129: // primary DNS
1279 if (o[1] != 6) return;
1280
1281 addr = htonl(session[s].dns1);
1282 if (memcmp(o + 2, &addr, (sizeof addr)))
1283 {
1284 q = ppp_conf_nak(s, b, sizeof(b), PPPIPCP, &response, q, p, o, (uint8_t *) &addr, sizeof(addr));
1285 if (!q) return;
1286 }
1287
1288 break;
1289
1290 case 131: // secondary DNS
1291 if (o[1] != 6) return;
1292
1293 addr = htonl(session[s].dns2);
1294 if (memcmp(o + 2, &addr, sizeof(addr)))
1295 {
1296 q = ppp_conf_nak(s, b, sizeof(b), PPPIPCP, &response, q, p, o, (uint8_t *) &addr, sizeof(addr));
1297 if (!q) return;
1298 }
1299
1300 break;
1301
1302 default:
1303 LOG(2, s, t, " Rejecting PPP IPCP Option type %d\n", *o);
1304 q = ppp_conf_rej(s, b, sizeof(b), PPPIPCP, &response, q, p, o);
1305 if (!q) return;
1306 }
1307
1308 length -= o[1];
1309 o += o[1];
1310 }
1311
1312 if (response)
1313 {
1314 l = q - response; // IPCP packet length
1315 *((uint16_t *) (response + 2)) = htons(l); // update header
1316 }
1317 else if (gotip)
1318 {
1319 // Send packet back as ConfigAck
1320 response = makeppp(b, sizeof(b), p, l, s, t, PPPIPCP, 0, 0, 0);
1321 if (!response) return;
1322 *response = ConfigAck;
1323 }
1324 else
1325 {
1326 LOG(1, s, t, "No IP in IPCP request\n");
1327 STAT(tunnel_rx_errors);
1328 return;
1329 }
1330
1331 switch (session[s].ppp.ipcp)
1332 {
1333 case Closed:
1334 response = makeppp(b, sizeof(b), p, 2, s, t, PPPIPCP, 0, 0, 0);
1335 if (!response) return;
1336 *response = TerminateAck;
1337 *((uint16_t *) (response + 2)) = htons(l = 4);
1338 break;
1339
1340 case Stopped:
1341 initialise_restart_count(s, ipcp);
1342 sendipcp(s, t);
1343 if (*response == ConfigAck)
1344 change_state(s, ipcp, AckSent);
1345 else
1346 change_state(s, ipcp, RequestSent);
1347
1348 break;
1349
1350 case RequestSent:
1351 if (*response == ConfigAck)
1352 change_state(s, ipcp, AckSent);
1353
1354 break;
1355
1356 case AckReceived:
1357 if (*response == ConfigAck)
1358 ipcp_open(s, t);
1359
1360 break;
1361
1362 case Opened:
1363 initialise_restart_count(s, ipcp);
1364 sendipcp(s, t);
1365 /* fallthrough */
1366
1367 case AckSent:
1368 if (*response == ConfigAck)
1369 change_state(s, ipcp, AckSent);
1370 else
1371 change_state(s, ipcp, RequestSent);
1372
1373 break;
1374
1375 default:
1376 LOG(2, s, t, "IPCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ipcp));
1377 return;
1378 }
1379
1380 LOG(3, s, t, "IPCP: send %s\n", ppp_code(*response));
1381 tunnelsend(b, l + (response - b), t);
1382 }
1383 else if (*p == TerminateReq)
1384 {
1385 switch (session[s].ppp.ipcp)
1386 {
1387 case Closed:
1388 case Stopped:
1389 case Closing:
1390 case Stopping:
1391 case RequestSent:
1392 case AckReceived:
1393 case AckSent:
1394 break;
1395
1396 case Opened:
1397 zero_restart_count(s, ipcp);
1398 change_state(s, ipcp, Closing);
1399 break;
1400
1401 default:
1402 LOG(2, s, t, "IPCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ipcp));
1403 return;
1404 }
1405
1406 *p = TerminateAck; // send ack
1407 q = makeppp(b, sizeof(b), p, l, s, t, PPPIPCP, 0, 0, 0);
1408 if (!q) return;
1409
1410 LOG(3, s, t, "IPCP: send %s\n", ppp_code(*q));
1411 tunnelsend(b, l + (q - b), t); // send it
1412 }
1413 else if (*p != CodeRej)
1414 {
1415 ppp_code_rej(s, t, PPPIPCP, "IPCP", p, l, b, sizeof(b));
1416 }
1417 }
1418
1419 static void ipv6cp_open(sessionidt s, tunnelidt t)
1420 {
1421 LOG(3, s, t, "IPV6CP: Opened\n");
1422
1423 change_state(s, ipv6cp, Opened);
1424 if (session[s].ipv6prefixlen)
1425 route6set(s, session[s].ipv6route, session[s].ipv6prefixlen, 1);
1426
1427 // Send an initial RA (TODO: Should we send these regularly?)
1428 send_ipv6_ra(s, t, NULL);
1429 }
1430
1431 // Process IPV6CP messages
1432 void processipv6cp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
1433 {
1434 uint8_t b[MAXETHER];
1435 uint8_t *q = 0;
1436 uint16_t hl;
1437
1438 CSTAT(processipv6cp);
1439
1440 LOG_HEX(5, "IPV6CP", p, l);
1441 if (l < 4)
1442 {
1443 LOG(1, s, t, "Short IPV6CP %d bytes\n", l);
1444 STAT(tunnel_rx_errors);
1445 return ;
1446 }
1447
1448 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
1449 {
1450 LOG(1, s, t, "Length mismatch IPV6CP %u/%u\n", hl, l);
1451 STAT(tunnel_rx_errors);
1452 return ;
1453 }
1454 l = hl;
1455
1456 if (session[s].ppp.phase < Network)
1457 {
1458 LOG(2, s, t, "IPV6CP %s ignored in %s phase\n", ppp_code(*p), ppp_phase(session[s].ppp.phase));
1459 return;
1460 }
1461
1462 LOG(3, s, t, "IPV6CP: recv %s\n", ppp_code(*p));
1463
1464 if (!session[s].ip)
1465 {
1466 LOG(3, s, t, "IPV6CP: no IPv4 address (IPCP in state %s)\n", ppp_state(session[s].ppp.ipcp));
1467 return; // need IPCP to complete...
1468 }
1469
1470 if (*p == ConfigAck)
1471 {
1472 switch (session[s].ppp.ipv6cp)
1473 {
1474 case RequestSent:
1475 initialise_restart_count(s, ipv6cp);
1476 change_state(s, ipv6cp, AckReceived);
1477 break;
1478
1479 case AckReceived:
1480 case Opened:
1481 LOG(2, s, t, "IPV6CP: ConfigAck in state %s? Sending ConfigReq\n", ppp_state(session[s].ppp.ipv6cp));
1482 sendipv6cp(s, t);
1483 change_state(s, ipv6cp, RequestSent);
1484 break;
1485
1486 case AckSent:
1487 ipv6cp_open(s, t);
1488 break;
1489
1490 default:
1491 LOG(2, s, t, "IPV6CP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ipv6cp));
1492 }
1493 }
1494 else if (*p == ConfigReq)
1495 {
1496 uint8_t *response = 0;
1497 uint8_t *o = p + 4;
1498 int length = l - 4;
1499 int gotip = 0;
1500 uint8_t ident[8];
1501
1502 while (length > 2)
1503 {
1504 if (!o[1] || o[1] > length) return;
1505
1506 switch (*o)
1507 {
1508 case 1: // interface identifier
1509 gotip++; // seen address
1510 if (o[1] != 10) return;
1511
1512 *(uint32_t *) ident = htonl(session[s].ip);
1513 *(uint32_t *) (ident + 4) = 0;
1514
1515 if (memcmp(o + 2, ident, sizeof(ident)))
1516 {
1517 q = ppp_conf_nak(s, b, sizeof(b), PPPIPV6CP, &response, q, p, o, ident, sizeof(ident));
1518 if (!q) return;
1519 }
1520
1521 break;
1522
1523 default:
1524 LOG(2, s, t, " Rejecting PPP IPV6CP Option type %d\n", *o);
1525 q = ppp_conf_rej(s, b, sizeof(b), PPPIPV6CP, &response, q, p, o);
1526 if (!q) return;
1527 }
1528
1529 length -= o[1];
1530 o += o[1];
1531 }
1532
1533 if (response)
1534 {
1535 l = q - response; // IPV6CP packet length
1536 *((uint16_t *) (response + 2)) = htons(l); // update header
1537 }
1538 else if (gotip)
1539 {
1540 // Send packet back as ConfigAck
1541 response = makeppp(b, sizeof(b), p, l, s, t, PPPIPV6CP, 0, 0, 0);
1542 if (!response) return;
1543 *response = ConfigAck;
1544 }
1545 else
1546 {
1547 LOG(1, s, t, "No interface identifier in IPV6CP request\n");
1548 STAT(tunnel_rx_errors);
1549 return;
1550 }
1551
1552 switch (session[s].ppp.ipv6cp)
1553 {
1554 case Closed:
1555 response = makeppp(b, sizeof(b), p, 2, s, t, PPPIPV6CP, 0, 0, 0);
1556 if (!response) return;
1557 *response = TerminateAck;
1558 *((uint16_t *) (response + 2)) = htons(l = 4);
1559 break;
1560
1561 case Stopped:
1562 initialise_restart_count(s, ipv6cp);
1563 sendipv6cp(s, t);
1564 if (*response == ConfigAck)
1565 change_state(s, ipv6cp, AckSent);
1566 else
1567 change_state(s, ipv6cp, RequestSent);
1568
1569 break;
1570
1571 case RequestSent:
1572 if (*response == ConfigAck)
1573 change_state(s, ipv6cp, AckSent);
1574
1575 break;
1576
1577 case AckReceived:
1578 if (*response == ConfigAck)
1579 ipv6cp_open(s, t);
1580
1581 break;
1582
1583 case Opened:
1584 initialise_restart_count(s, ipv6cp);
1585 sendipv6cp(s, t);
1586 /* fallthrough */
1587
1588 case AckSent:
1589 if (*response == ConfigAck)
1590 change_state(s, ipv6cp, AckSent);
1591 else
1592 change_state(s, ipv6cp, RequestSent);
1593
1594 break;
1595
1596 default:
1597 LOG(2, s, t, "IPV6CP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ipv6cp));
1598 return;
1599 }
1600
1601 LOG(3, s, t, "IPV6CP: send %s\n", ppp_code(*response));
1602 tunnelsend(b, l + (response - b), t);
1603 }
1604 else if (*p == TerminateReq)
1605 {
1606 switch (session[s].ppp.ipv6cp)
1607 {
1608 case Closed:
1609 case Stopped:
1610 case Closing:
1611 case Stopping:
1612 case RequestSent:
1613 case AckReceived:
1614 case AckSent:
1615 break;
1616
1617 case Opened:
1618 zero_restart_count(s, ipv6cp);
1619 change_state(s, ipv6cp, Closing);
1620 break;
1621
1622 default:
1623 LOG(2, s, t, "IPV6CP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ipv6cp));
1624 return;
1625 }
1626
1627 *p = TerminateAck; // send ack
1628 q = makeppp(b, sizeof(b), p, l, s, t, PPPIPV6CP, 0, 0, 0);
1629 if (!q) return;
1630
1631 LOG(3, s, t, "IPV6CP: send %s\n", ppp_code(*q));
1632 tunnelsend(b, l + (q - b), t); // send it
1633 }
1634 else if (*p != CodeRej)
1635 {
1636 ppp_code_rej(s, t, PPPIPV6CP, "IPV6CP", p, l, b, sizeof(b));
1637 }
1638 }
1639
1640 // process IP packet received
1641 //
1642 // This MUST be called with at least 4 byte behind 'p'.
1643 // (i.e. this routine writes to p[-4]).
1644 void processipin(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
1645 {
1646 in_addr_t ip;
1647
1648 CSTAT(processipin);
1649
1650 LOG_HEX(5, "IP", p, l);
1651
1652 if (l < 20)
1653 {
1654 LOG(1, s, t, "IP packet too short %d\n", l);
1655 STAT(tunnel_rx_errors);
1656 return ;
1657 }
1658
1659 ip = ntohl(*(uint32_t *)(p + 12));
1660
1661 if (l > MAXETHER)
1662 {
1663 LOG(1, s, t, "IP packet too long %d\n", l);
1664 STAT(tunnel_rx_errors);
1665 return ;
1666 }
1667
1668 if (session[s].ppp.phase != Network || session[s].ppp.ipcp != Opened)
1669 return;
1670
1671 if (!session[s].bundle || bundle[session[s].bundle].num_of_links < 2) // FIXME:
1672 {
1673 // no spoof (do sessionbyip to handled statically routed subnets)
1674 if (ip != session[s].ip && sessionbyip(htonl(ip)) != s)
1675 {
1676 LOG(4, s, t, "Dropping packet with spoofed IP %s\n", fmtaddr(htonl(ip), 0));
1677 return;
1678 }
1679 }
1680
1681 // run access-list if any
1682 if (session[s].filter_in && !ip_filter(p, l, session[s].filter_in - 1))
1683 return;
1684
1685 // adjust MSS on SYN and SYN,ACK packets with options
1686 if ((ntohs(*(uint16_t *) (p + 6)) & 0x1fff) == 0 && p[9] == IPPROTO_TCP) // first tcp fragment
1687 {
1688 int ihl = (p[0] & 0xf) * 4; // length of IP header
1689 if (l >= ihl + 20 && (p[ihl + 13] & TCP_FLAG_SYN) && ((p[ihl + 12] >> 4) > 5))
1690 adjust_tcp_mss(s, t, p, l, p + ihl);
1691 }
1692
1693 // Add on the tun header
1694 p -= 4;
1695 *(uint32_t *) p = htonl(PKTIP);
1696 l += 4;
1697
1698 // Are we throttled and a slave?
1699 if (session[s].tbf_in && !config->cluster_iam_master) {
1700 // Pass it to the master for handling.
1701 master_throttle_packet(session[s].tbf_in, p, l);
1702 return;
1703 }
1704
1705 // Are we throttled and a master??
1706 if (session[s].tbf_in && config->cluster_iam_master) {
1707 // Actually handle the throttled packets.
1708 tbf_queue_packet(session[s].tbf_in, p, l);
1709 return;
1710 }
1711
1712 // send to ethernet
1713 if (tun_write(p, l) < 0)
1714 {
1715 STAT(tun_tx_errors);
1716 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
1717 l, strerror(errno), tunfd, p);
1718
1719 return;
1720 }
1721
1722 p += 4;
1723 l -= 4;
1724
1725 if (session[s].snoop_ip && session[s].snoop_port)
1726 {
1727 // Snooping this session
1728 snoop_send_packet(p, l, session[s].snoop_ip, session[s].snoop_port);
1729 }
1730
1731 increment_counter(&session[s].cin, &session[s].cin_wrap, l);
1732 session[s].cin_delta += l;
1733 session[s].pin++;
1734
1735 sess_local[s].cin += l;
1736 sess_local[s].pin++;
1737
1738 eth_tx += l;
1739
1740 STAT(tun_tx_packets);
1741 INC_STAT(tun_tx_bytes, l);
1742 }
1743
1744 // process Multilink PPP packet received
1745 void processmpin(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
1746 {
1747 bundleidt b = session[s].bundle;
1748 uint8_t begin_frame;
1749 uint8_t end_frame;
1750 uint32_t seq_num;
1751 uint32_t offset;
1752
1753 if (!b)
1754 {
1755 LOG(3, s, t, "MPPP: Invalid bundle id: 0\n");
1756 return;
1757 }
1758
1759 begin_frame = (*p & 0x80);
1760 end_frame = (*p & 0x40);
1761 if (session[s].mssf)
1762 {
1763 // Get 12 bit for seq number
1764 uint16_t short_seq_num = ntohs((*(uint16_t *) p) & 0xFF0F);
1765 uint16_t short_seq_num2 = short_seq_num >> 4;
1766 p += 2;
1767 l -= 2;
1768 seq_num = short_seq_num2;
1769 // After this point the pointer should be advanced 2 bytes
1770 LOG(3, s, t, "MPPP: 12 bits, sequence number: %d, short1: %d, short2: %d\n",seq_num, short_seq_num, short_seq_num2);
1771 }
1772 else
1773 {
1774 // Get 24 bit for seq number
1775 p++;
1776 seq_num = ntohl((*(uint32_t *) p) & 0xFFFFFF00);
1777 seq_num = seq_num >> 8;
1778 p += 3;
1779 l -= 4;
1780 // After this point the pointer should be advanced 4 bytes
1781 LOG(4, s, t, "MPPP: 24 bits sequence number:%d\n",seq_num);
1782 }
1783
1784 if (seq_num - bundle[b].offset < 0)
1785 {
1786 bundle[b].offset = 0;
1787 bundle[b].pending_frag = 0;
1788 }
1789
1790 offset = bundle[b].offset;
1791 if (begin_frame)
1792 {
1793 // Check for previous non-assembled frames
1794 int error = 0;
1795 if (bundle[b].pending_frag)
1796 {
1797 uint32_t fn = bundle[b].seq_num_m - offset;
1798 uint16_t cur_len;
1799 bundle[b].pending_frag = 0;
1800 // Check for array indexes
1801 if (fn < 0 || fn > MAXFRAGNUM)
1802 {
1803 LOG(2, s, t, "ERROR: Index out of range fn:%d, bundle:%d\n",fn,b);
1804 return;
1805 }
1806
1807 if (seq_num-offset < 0 || seq_num-offset > MAXFRAGNUM)
1808 {
1809 LOG(2, s, t, "ERROR: Index out of range fn(last):%d, bundle:%d\n",fn,b);
1810 return;
1811 }
1812 /////////////////////////////////////////////////////
1813 cur_len = 4; // This is set to 4 to leave 4 bytes for function processipin
1814 for (fn = bundle[b].seq_num_m - offset; fn < seq_num - offset; fn++)
1815 {
1816 if (!frag[b].fragment[fn].length)
1817 {
1818 LOG(4, s, t, "MPPP: Found lost fragment while reassembling frame %d in (%d,%d)\n",fn, bundle[b].seq_num_m-offset, seq_num-offset);
1819 error = 1;
1820 break;
1821 }
1822
1823 if (cur_len + frag[b].fragment[fn].length > MAXETHER)
1824 {
1825 LOG(2, s, t, "MPPP: ERROR: very long frame after assembling %d\n", frag[b].fragment[fn].length+cur_len);
1826 error = 1;
1827 break;
1828 }
1829
1830 memcpy(frag[b].reassembled_frame+cur_len, frag[b].fragment[fn].data, frag[b].fragment[fn].length);
1831 cur_len += frag[b].fragment[fn].length;
1832 frag[b].fragment[fn].length = 0; // Indicates that this fragment has been consumed
1833 // This is usefull for compression
1834 memset(frag[b].fragment[fn].data, 0, sizeof(frag[b].fragment[fn].data));
1835 }
1836
1837 if (!error)
1838 {
1839 frag[b].re_frame_len = cur_len;
1840 // Process the resassembled frame
1841 LOG(4, s, t, "MPPP: Process the reassembled frame, len=%d\n",cur_len);
1842 processmpframe(s, t, frag[b].reassembled_frame, frag[b].re_frame_len, 1);
1843 // Set reassembled frame length to zero after processing it
1844 frag[b].re_frame_len = 0;
1845 memset(frag[b].reassembled_frame, 0, sizeof(frag[b].reassembled_frame));
1846 }
1847 }
1848 //////////////////////////////////////////
1849 bundle[b].seq_num_m = seq_num;
1850 if (end_frame)
1851 {
1852 // Both bits are set
1853 LOG(4, s, t, "MPPP: Both bits are set (Begin and End).\n");
1854 processmpframe(s, t, p, l, 0);
1855 // The maximum number of fragments is 1500
1856 if (seq_num - bundle[b].offset >= 1400)
1857 {
1858 bundle[b].offset = seq_num;
1859 LOG(4, s, t, "MPPP: Setting offset to: %d\n",bundle[b].offset);
1860 }
1861 }
1862 else
1863 {
1864 bundle[b].pending_frag = 1;
1865 // End bit is clear
1866 LOG(4, s, t, "MPPP: Push to receive buffer\n");
1867 // Push to the receive buffer
1868 // Array indexes checking
1869 if (seq_num-offset < 0 || seq_num-offset >= MAXFRAGNUM)
1870 {
1871 LOG(2, s, t, "ERROR: Index out of range, push to receive buffer(1) seq:%d, offset:%d, bundle:%d\n",seq_num,offset,b);
1872 return;
1873 }
1874 // Perform length checking
1875 if (l > MAXFRAGLEN)
1876 {
1877 LOG(2, s, t, "MPPP: ERROR: very long fragment length (1)\n");
1878 return;
1879 }
1880 frag[b].fragment[seq_num - offset].length = l;
1881 memcpy(frag[b].fragment[seq_num - offset].data, p, l);
1882 }
1883 }
1884 else
1885 {
1886 LOG(4, s, t, "MPPP: Push to receive buffer\n");
1887 // Push to the receive buffer
1888 // Array indexes checking
1889 if (seq_num-offset < 0 || seq_num-offset >= MAXFRAGNUM)
1890 {
1891 LOG(2, s, t, "ERROR: Index out of range, push to receive buffer(2) seq:%d, offset:%d, bundle:%d\n",seq_num,offset,b);
1892 return;
1893 }
1894 // Perform length checking
1895 if (l > MAXFRAGLEN)
1896 {
1897 LOG(2, s, t, "MPPP: ERROR: very long fragment length (2).\n");
1898 return;
1899 }
1900 frag[b].fragment[seq_num - offset].length = l;
1901 memcpy(frag[b].fragment[seq_num - offset].data, p, l);
1902 }
1903 }
1904
1905 // process IPv6 packet received
1906 //
1907 // This MUST be called with at least 4 byte behind 'p'.
1908 // (i.e. this routine writes to p[-4]).
1909 void processipv6in(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
1910 {
1911 struct in6_addr ip;
1912 in_addr_t ipv4;
1913
1914 CSTAT(processipv6in);
1915
1916 LOG_HEX(5, "IPv6", p, l);
1917
1918 ip = *(struct in6_addr *) (p + 8);
1919 ipv4 = ntohl(*(uint32_t *)(p + 16));
1920
1921 if (l > MAXETHER)
1922 {
1923 LOG(1, s, t, "IP packet too long %d\n", l);
1924 STAT(tunnel_rx_errors);
1925 return ;
1926 }
1927
1928 if (session[s].ppp.phase != Network || session[s].ppp.ipv6cp != Opened)
1929 return;
1930
1931 // no spoof
1932 if (ipv4 != session[s].ip && memcmp(&config->ipv6_prefix, &ip, 8) && sessionbyipv6(ip) != s)
1933 {
1934 char str[INET6_ADDRSTRLEN];
1935 LOG(5, s, t, "Dropping packet with spoofed IP %s\n",
1936 inet_ntop(AF_INET6, &ip, str, INET6_ADDRSTRLEN));
1937 return;
1938 }
1939
1940 // Check if it's a Router Solicition message.
1941 if (*(p + 6) == 58 && *(p + 7) == 255 && *(p + 24) == 0xFF && *(p + 25) == 2 &&
1942 *(uint32_t *)(p + 26) == 0 && *(uint32_t *)(p + 30) == 0 &&
1943 *(uint32_t *)(p + 34) == 0 &&
1944 *(p + 38) == 0 && *(p + 39) == 2 && *(p + 40) == 133) {
1945 LOG(3, s, t, "Got IPv6 RS\n");
1946 send_ipv6_ra(s, t, &ip);
1947 return;
1948 }
1949
1950 // Add on the tun header
1951 p -= 4;
1952 *(uint32_t *) p = htonl(PKTIPV6);
1953 l += 4;
1954
1955 // Are we throttled and a slave?
1956 if (session[s].tbf_in && !config->cluster_iam_master) {
1957 // Pass it to the master for handling.
1958 master_throttle_packet(session[s].tbf_in, p, l);
1959 return;
1960 }
1961
1962 // Are we throttled and a master??
1963 if (session[s].tbf_in && config->cluster_iam_master) {
1964 // Actually handle the throttled packets.
1965 tbf_queue_packet(session[s].tbf_in, p, l);
1966 return;
1967 }
1968
1969 // send to ethernet
1970 if (tun_write(p, l) < 0)
1971 {
1972 STAT(tun_tx_errors);
1973 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
1974 l, strerror(errno), tunfd, p);
1975
1976 return;
1977 }
1978
1979 p += 4;
1980 l -= 4;
1981
1982 if (session[s].snoop_ip && session[s].snoop_port)
1983 {
1984 // Snooping this session
1985 snoop_send_packet(p, l, session[s].snoop_ip, session[s].snoop_port);
1986 }
1987
1988 increment_counter(&session[s].cin, &session[s].cin_wrap, l);
1989 session[s].cin_delta += l;
1990 session[s].pin++;
1991
1992 sess_local[s].cin += l;
1993 sess_local[s].pin++;
1994
1995 eth_tx += l;
1996
1997 STAT(tun_tx_packets);
1998 INC_STAT(tun_tx_bytes, l);
1999 }
2000
2001 //
2002 // Helper routine for the TBF filters.
2003 // Used to send queued data in from the user.
2004 //
2005 void send_ipin(sessionidt s, uint8_t *buf, int len)
2006 {
2007 LOG_HEX(5, "IP in throttled", buf, len);
2008
2009 if (write(tunfd, buf, len) < 0)
2010 {
2011 STAT(tun_tx_errors);
2012 LOG(0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
2013 len, strerror(errno), tunfd, buf);
2014
2015 return;
2016 }
2017
2018 buf += 4;
2019 len -= 4;
2020
2021 if (session[s].snoop_ip && session[s].snoop_port)
2022 {
2023 // Snooping this session
2024 snoop_send_packet(buf, len, session[s].snoop_ip, session[s].snoop_port);
2025 }
2026
2027 // Increment packet counters
2028 increment_counter(&session[s].cin, &session[s].cin_wrap, len);
2029 session[s].cin_delta += len;
2030 session[s].pin++;
2031
2032 sess_local[s].cin += len;
2033 sess_local[s].pin++;
2034
2035 eth_tx += len;
2036
2037 STAT(tun_tx_packets);
2038 INC_STAT(tun_tx_bytes, len - 4);
2039 }
2040
2041
2042 // Process CCP messages
2043 void processccp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
2044 {
2045 uint8_t b[MAXETHER];
2046 uint8_t *q;
2047
2048 CSTAT(processccp);
2049
2050 LOG_HEX(5, "CCP", p, l);
2051
2052 if (session[s].ppp.phase < Network)
2053 {
2054 LOG(2, s, t, "CCP %s ignored in %s phase\n", ppp_code(*p), ppp_phase(session[s].ppp.phase));
2055 return;
2056 }
2057
2058 if (l < 1)
2059 {
2060 LOG(1, s, t, "Short CCP packet\n");
2061 STAT(tunnel_rx_errors);
2062 }
2063
2064 LOG(4, s, t, "CCP: recv %s\n", ppp_code(*p));
2065 if (*p == ConfigAck)
2066 {
2067 switch (session[s].ppp.ccp)
2068 {
2069 case RequestSent:
2070 initialise_restart_count(s, ccp);
2071 change_state(s, ccp, AckReceived);
2072 break;
2073
2074 case AckReceived:
2075 case Opened:
2076 LOG(2, s, t, "CCP: ConfigAck in state %s? Sending ConfigReq\n", ppp_state(session[s].ppp.ccp));
2077 sendccp(s, t);
2078 change_state(s, ccp, RequestSent);
2079 break;
2080
2081 case AckSent:
2082 LOG(3, s, t, "CCP: Opened\n");
2083 change_state(s, ccp, Opened);
2084 break;
2085
2086 default:
2087 LOG(2, s, t, "CCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ccp));
2088 }
2089 }
2090 else if (*p == ConfigReq)
2091 {
2092 if (l < 6) // accept no compression
2093 *p = ConfigAck;
2094 else // compression requested--reject
2095 *p = ConfigRej;
2096
2097 q = makeppp(b, sizeof(b), p, l, s, t, PPPCCP, 0, 0, 0);
2098 if (!q) return;
2099
2100 switch (session[s].ppp.ccp)
2101 {
2102 case Closed:
2103 q = makeppp(b, sizeof(b), p, 2, s, t, PPPCCP, 0, 0, 0);
2104 if (!q) return;
2105 *q = TerminateAck;
2106 *((uint16_t *) (q + 2)) = htons(l = 4);
2107 break;
2108
2109 case Stopped:
2110 initialise_restart_count(s, ccp);
2111 sendccp(s, t);
2112 if (*q == ConfigAck)
2113 change_state(s, ccp, AckSent);
2114 else
2115 change_state(s, ccp, RequestSent);
2116
2117 break;
2118
2119 case RequestSent:
2120 if (*q == ConfigAck)
2121 change_state(s, ccp, AckSent);
2122
2123 break;
2124
2125 case AckReceived:
2126 if (*q == ConfigAck)
2127 change_state(s, ccp, Opened);
2128
2129 break;
2130
2131 case Opened:
2132 initialise_restart_count(s, ccp);
2133 sendccp(s, t);
2134 /* fallthrough */
2135
2136 case AckSent:
2137 if (*q == ConfigAck)
2138 change_state(s, ccp, AckSent);
2139 else
2140 change_state(s, ccp, RequestSent);
2141
2142 break;
2143
2144 default:
2145 LOG(2, s, t, "CCP: ignoring %s in state %s\n", ppp_code(*p), ppp_state(session[s].ppp.ccp));
2146 return;
2147 }
2148
2149 LOG(4, s, t, "CCP: send %s\n", ppp_code(*q));
2150 tunnelsend(b, l + (q - b), t);
2151 }
2152 else if (*p == TerminateReq)
2153 {
2154 *p = TerminateAck;
2155 q = makeppp(b, sizeof(b), p, l, s, t, PPPCCP, 0, 0, 0);
2156 if (!q) return;
2157 LOG(3, s, t, "CCP: send %s\n", ppp_code(*q));
2158 tunnelsend(b, l + (q - b), t);
2159 change_state(s, ccp, Stopped);
2160 }
2161 else if (*p != CodeRej)
2162 {
2163 ppp_code_rej(s, t, PPPCCP, "CCP", p, l, b, sizeof(b));
2164 }
2165 }
2166
2167 // send a CHAP challenge
2168 void sendchap(sessionidt s, tunnelidt t)
2169 {
2170 uint8_t b[MAXETHER];
2171 uint16_t r;
2172 uint8_t *q;
2173
2174 CSTAT(sendchap);
2175
2176 r = radiusnew(s);
2177 if (!r)
2178 {
2179 LOG(1, s, t, "No RADIUS to send challenge\n");
2180 STAT(tunnel_tx_errors);
2181 return;
2182 }
2183
2184 LOG(1, s, t, "Send CHAP challenge\n");
2185
2186 radius[r].chap = 1; // CHAP not PAP
2187 radius[r].id++;
2188 if (radius[r].state != RADIUSCHAP)
2189 radius[r].try = 0;
2190
2191 radius[r].state = RADIUSCHAP;
2192 radius[r].retry = backoff(radius[r].try++);
2193 if (radius[r].try > 5)
2194 {
2195 sessionshutdown(s, "CHAP timeout.", CDN_ADMIN_DISC, TERM_REAUTHENTICATION_FAILURE);
2196 STAT(tunnel_tx_errors);
2197 return ;
2198 }
2199 q = makeppp(b, sizeof(b), 0, 0, s, t, PPPCHAP, 0, 0, 0);
2200 if (!q) return;
2201
2202 *q = 1; // challenge
2203 q[1] = radius[r].id; // ID
2204 q[4] = 16; // value size (size of challenge)
2205 memcpy(q + 5, radius[r].auth, 16); // challenge
2206 strcpy((char *) q + 21, hostname); // our name
2207 *(uint16_t *) (q + 2) = htons(strlen(hostname) + 21); // length
2208 tunnelsend(b, strlen(hostname) + 21 + (q - b), t); // send it
2209 }
2210
2211 // fill in a L2TP message with a PPP frame,
2212 // returns start of PPP frame
2213 uint8_t *makeppp(uint8_t *b, int size, uint8_t *p, int l, sessionidt s, tunnelidt t, uint16_t mtype, uint8_t prio, bundleidt bid, uint8_t mp_bits)
2214 {
2215 uint16_t hdr = 0x0002; // L2TP with no options
2216 uint16_t type = mtype;
2217 uint8_t *start = b;
2218
2219 if (size < 16) // Need more space than this!!
2220 {
2221 LOG(0, s, t, "makeppp buffer too small for L2TP header (size=%d)\n", size);
2222 return NULL;
2223 }
2224
2225 if (prio) hdr |= 0x0100; // set priority bit
2226
2227 *(uint16_t *) (b + 0) = htons(hdr);
2228 *(uint16_t *) (b + 2) = htons(tunnel[t].far); // tunnel
2229 *(uint16_t *) (b + 4) = htons(session[s].far); // session
2230 b += 6;
2231
2232 // Check whether this session is part of multilink
2233 if (bid)
2234 {
2235 if (bundle[bid].num_of_links > 1)
2236 type = PPPMP; // Change PPP message type to the PPPMP
2237 else
2238 bid = 0;
2239 }
2240
2241 if (type == PPPLCP || !(session[s].flags & SESSION_ACFC))
2242 {
2243 *(uint16_t *) b = htons(0xFF03); // HDLC header
2244 b += 2;
2245 }
2246
2247 if (type < 0x100 && session[s].flags & SESSION_PFC)
2248 {
2249 *b++ = type;
2250 }
2251 else
2252 {
2253 *(uint16_t *) b = htons(type);
2254 b += 2;
2255 }
2256
2257 if (bid)
2258 {
2259 // Set the sequence number and (B)egin (E)nd flags
2260 if (session[s].mssf)
2261 {
2262 // Set the multilink bits
2263 uint16_t bits_send = mp_bits;
2264 *(uint16_t *) b = htons((bundle[bid].seq_num_t & 0xFF0F)|bits_send);
2265 b += 2;
2266 }
2267 else
2268 {
2269 *(uint32_t *) b = htonl(bundle[bid].seq_num_t);
2270 // Set the multilink bits
2271 *b = mp_bits;
2272 b += 4;
2273 }
2274
2275 bundle[bid].seq_num_t++;
2276
2277 // Add the message type if this fragment has the begin bit set
2278 if (mp_bits & MP_BEGIN)
2279 {
2280 //*b++ = mtype; // The next two lines are instead of this
2281 *(uint16_t *) b = htons(mtype); // Message type
2282 b += 2;
2283 }
2284 }
2285
2286 if ((b - start) + l > size)
2287 {
2288 LOG(2, s, t, "makeppp would overflow buffer (size=%d, header+payload=%d)\n", size, (b - start) + l);
2289 return NULL;
2290 }
2291
2292 // Copy the payload
2293 if (p && l)
2294 memcpy(b, p, l);
2295
2296 return b;
2297 }
2298
2299 static int add_lcp_auth(uint8_t *b, int size, int authtype)
2300 {
2301 int len = 0;
2302 if ((authtype == AUTHCHAP && size < 5) || size < 4)
2303 return 0;
2304
2305 *b++ = 3; // Authentication-Protocol
2306 if (authtype == AUTHCHAP)
2307 {
2308 len = *b++ = 5; // length
2309 *(uint16_t *) b = htons(PPPCHAP); b += 2;
2310 *b++ = 5; // MD5
2311 }
2312 else if (authtype == AUTHPAP)
2313 {
2314 len = *b++ = 4; // length
2315 *(uint16_t *) b = htons(PPPPAP); b += 2;
2316 }
2317 else
2318 {
2319 LOG(0, 0, 0, "add_lcp_auth called with unsupported auth type %d\n", authtype);
2320 }
2321
2322 return len;
2323 }
2324
2325 // Send LCP ConfigReq for MRU, authentication type and magic no
2326 void sendlcp(sessionidt s, tunnelidt t)
2327 {
2328 uint8_t b[500], *q, *l;
2329 int authtype = sess_local[s].lcp_authtype;
2330
2331 if (!(q = makeppp(b, sizeof(b), NULL, 0, s, t, PPPLCP, 0, 0, 0)))
2332 return;
2333
2334 LOG(3, s, t, "LCP: send ConfigReq%s%s%s including MP options\n",
2335 authtype ? " (" : "",
2336 authtype ? (authtype == AUTHCHAP ? "CHAP" : "PAP") : "",
2337 authtype ? ")" : "");
2338
2339 l = q;
2340 *l++ = ConfigReq;
2341 *l++ = ++sess_local[s].lcp_ident; // ID
2342
2343 l += 2; //Save space for length
2344
2345 if (sess_local[s].ppp_mru)
2346 {
2347 *l++ = 1; *l++ = 4; // Maximum-Receive-Unit (length 4)
2348 *(uint16_t *) l = htons(sess_local[s].ppp_mru); l += 2;
2349 }
2350
2351 if (authtype)
2352 l += add_lcp_auth(l, sizeof(b) - (l - b), authtype);
2353
2354 if (session[s].magic)
2355 {
2356 *l++ = 5; *l++ = 6; // Magic-Number (length 6)
2357 *(uint32_t *) l = htonl(session[s].magic);
2358 l += 4;
2359 }
2360
2361 if (sess_local[s].mp_mrru)
2362 {
2363 *l++ = 17; *l++ = 4; // Multilink Max-Receive-Reconstructed-Unit (length 4)
2364 *(uint16_t *) l = htons(sess_local[s].mp_mrru); l += 2;
2365 }
2366
2367 if (sess_local[s].mp_epdis)
2368 {
2369 *l++ = 19; *l++ = 7; // Multilink Endpoint Discriminator (length 7)
2370 *l++ = IPADDR; // Endpoint Discriminator class
2371 *(uint32_t *) l = htonl(sess_local[s].mp_epdis);
2372 l += 4;
2373 }
2374
2375 *(uint16_t *)(q + 2) = htons(l - q); // Length
2376
2377 LOG_HEX(5, "PPPLCP", q, l - q);
2378 if (config->debug > 3) dumplcp(q, l - q);
2379
2380 tunnelsend(b, (l - b), t);
2381 restart_timer(s, lcp);
2382 }
2383
2384 // Send CCP request for no compression
2385 void sendccp(sessionidt s, tunnelidt t)
2386 {
2387 uint8_t b[500], *q;
2388
2389 if (!(q = makeppp(b, sizeof(b), NULL, 0, s, t, PPPCCP, 0, 0, 0)))
2390 return;
2391
2392 LOG(3, s, t, "CCP: send ConfigReq (no compression)\n");
2393
2394 *q = ConfigReq;
2395 *(q + 1) = ++sess_local[s].lcp_ident; // ID
2396 *(uint16_t *)(q + 2) = htons(4); // Length
2397
2398 LOG_HEX(5, "PPPCCP", q, 4);
2399 tunnelsend(b, (q - b) + 4 , t);
2400 restart_timer(s, ccp);
2401 }
2402
2403 // Reject unknown/unconfigured protocols
2404 void protoreject(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l, uint16_t proto)
2405 {
2406
2407 uint8_t buf[MAXETHER];
2408 uint8_t *q;
2409 int mru = session[s].mru;
2410 if (mru < MINMTU) mru = MINMTU;
2411 if (mru > sizeof(buf)) mru = sizeof(buf);
2412
2413 l += 6;
2414 if (l > mru) l = mru;
2415
2416 q = makeppp(buf, sizeof(buf), 0, 0, s, t, PPPLCP, 0, 0, 0);
2417 if (!q) return;
2418
2419 *q = ProtocolRej;
2420 *(q + 1) = ++sess_local[s].lcp_ident;
2421 *(uint16_t *)(q + 2) = htons(l);
2422 *(uint16_t *)(q + 4) = htons(proto);
2423 memcpy(q + 6, p, l - 6);
2424
2425 if (proto == PPPIPV6CP)
2426 LOG(3, s, t, "LCP: send ProtocolRej (IPV6CP: not configured)\n");
2427 else
2428 LOG(2, s, t, "LCP: sent ProtocolRej (0x%04X: unsupported)\n", proto);
2429
2430 tunnelsend(buf, l + (q - buf), t);
2431 }