off by one
[l2tpns.git] / ppp.c
1 // L2TPNS PPP Stuff
2
3 char const *cvs_id_ppp = "$Id: ppp.c,v 1.43 2005-01-25 04:38:49 bodea Exp $";
4
5 #include <stdio.h>
6 #include <string.h>
7 #include <unistd.h>
8 #include <errno.h>
9 #include <stdlib.h>
10 #include "l2tpns.h"
11 #include "constants.h"
12 #include "plugin.h"
13 #include "util.h"
14 #include "tbf.h"
15 #include "cluster.h"
16
17 extern tunnelt *tunnel;
18 extern sessiont *session;
19 extern radiust *radius;
20 extern int tunfd;
21 extern char hostname[];
22 extern uint32_t eth_tx;
23 extern time_t time_now;
24 extern configt *config;
25
26 static void initccp(tunnelidt t, sessionidt s);
27
28 // Process PAP messages
29 void processpap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
30 {
31 char user[129];
32 char pass[129];
33 uint16_t hl;
34
35 CSTAT(processpap);
36
37 LOG_HEX(5, "PAP", p, l);
38 if (l < 4)
39 {
40 LOG(1, s, t, "Short PAP %u bytes\n", l);
41 STAT(tunnel_rx_errors);
42 return ;
43 }
44
45 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
46 {
47 LOG(1, s, t, "Length mismatch PAP %u/%u\n", hl, l);
48 STAT(tunnel_rx_errors);
49 return ;
50 }
51 l = hl;
52
53 if (*p != 1)
54 {
55 LOG(1, s, t, "Unexpected PAP code %d\n", *p);
56 STAT(tunnel_rx_errors);
57 return ;
58 }
59
60 {
61 uint8_t *b = p;
62 b += 4;
63 if (*b && *b < sizeof(user))
64 memcpy(user, b + 1, *b);
65 user[*b] = 0;
66 b += 1 + *b;
67 if (*b && *b < sizeof(pass))
68 memcpy(pass, b + 1, *b);
69 pass[*b] = 0;
70 LOG(3, s, t, "PAP login %s/%s\n", user, pass);
71 }
72 if (session[s].ip || !session[s].radius)
73 {
74 // respond now, either no RADIUS available or already authenticated
75 uint8_t b[MAXCONTROL];
76 uint8_t id = p[1];
77 uint8_t *p = makeppp(b, sizeof(b), 0, 0, t, s, PPPPAP);
78 if (!p) return;
79
80 if (session[s].ip)
81 *p = 2; // ACK
82 else
83 *p = 3; // cant authorise
84 p[1] = id;
85 *(uint16_t *) (p + 2) = htons(5); // length
86 p[4] = 0; // no message
87 if (session[s].ip)
88 {
89 LOG(3, s, t, "Already an IP allocated: %s (%d)\n",
90 fmtaddr(htonl(session[s].ip), 0), session[s].ip_pool_index);
91
92 session[s].flags &= ~SF_IPCP_ACKED;
93 }
94 else
95 {
96 LOG(1, s, t, "No radius session available to authenticate session...\n");
97 }
98 LOG(3, s, t, "Fallback response to PAP (%s)\n", (session[s].ip) ? "ACK" : "NAK");
99 tunnelsend(b, 5 + (p - b), t); // send it
100 }
101 else
102 {
103 // set up RADIUS request
104 uint16_t r = session[s].radius;
105
106 // Run PRE_AUTH plugins
107 struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
108 run_plugins(PLUGIN_PRE_AUTH, &packet);
109 if (!packet.continue_auth)
110 {
111 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
112 if (packet.username) free(packet.username);
113 if (packet.password) free(packet.password);
114 return;
115 }
116
117 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
118 strncpy(radius[r].pass, packet.password, sizeof(radius[r].pass) - 1);
119
120 free(packet.username);
121 free(packet.password);
122
123 radius[r].id = p[1];
124 LOG(3, s, t, "Sending login for %s/%s to radius\n", user, pass);
125 radiussend(r, RADIUSAUTH);
126 }
127 }
128
129 // Process CHAP messages
130 void processchap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
131 {
132 uint16_t r;
133 uint16_t hl;
134
135 CSTAT(processchap);
136
137 LOG_HEX(5, "CHAP", p, l);
138 r = session[s].radius;
139 if (!r)
140 {
141 LOG(1, s, t, "Unexpected CHAP message\n");
142 STAT(tunnel_rx_errors);
143 return;
144 }
145
146 if (l < 4)
147 {
148 LOG(1, s, t, "Short CHAP %u bytes\n", l);
149 STAT(tunnel_rx_errors);
150 return ;
151 }
152
153 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
154 {
155 LOG(1, s, t, "Length mismatch CHAP %u/%u\n", hl, l);
156 STAT(tunnel_rx_errors);
157 return ;
158 }
159 l = hl;
160
161 if (*p != 2)
162 {
163 LOG(1, s, t, "Unexpected CHAP response code %d\n", *p);
164 STAT(tunnel_rx_errors);
165 return;
166 }
167 if (p[1] != radius[r].id)
168 {
169 LOG(1, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
170 STAT(tunnel_rx_errors);
171 return ;
172 }
173
174 if (l < 5 || p[4] != 16)
175 {
176 LOG(1, s, t, "Bad CHAP response length %d\n", l < 5 ? -1 : p[4]);
177 STAT(tunnel_rx_errors);
178 return ;
179 }
180
181 l -= 5;
182 p += 5;
183 if (l < 16 || l - 16 >= sizeof(session[s].user))
184 {
185 LOG(1, s, t, "CHAP user too long %d\n", l - 16);
186 STAT(tunnel_rx_errors);
187 return ;
188 }
189
190 // Run PRE_AUTH plugins
191 {
192 struct param_pre_auth packet = { &tunnel[t], &session[s], NULL, NULL, PPPCHAP, 1 };
193
194 packet.password = calloc(17, 1);
195 memcpy(packet.password, p, 16);
196
197 p += 16;
198 l -= 16;
199
200 packet.username = calloc(l + 1, 1);
201 memcpy(packet.username, p, l);
202
203 run_plugins(PLUGIN_PRE_AUTH, &packet);
204 if (!packet.continue_auth)
205 {
206 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
207 if (packet.username) free(packet.username);
208 if (packet.password) free(packet.password);
209 return;
210 }
211
212 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
213 memcpy(radius[r].pass, packet.password, 16);
214
215 free(packet.username);
216 free(packet.password);
217 }
218
219 radius[r].chap = 1;
220 LOG(3, s, t, "CHAP login %s\n", session[s].user);
221 radiussend(r, RADIUSAUTH);
222 }
223
224 static void dumplcp(uint8_t *p, int l)
225 {
226 int x = l - 4;
227 uint8_t *o = (p + 4);
228
229 LOG_HEX(5, "PPP LCP Packet", p, l);
230 LOG(4, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_type((int)*p), ntohs( ((uint16_t *) p)[1]) );
231 LOG(4, 0, 0, "Length: %d\n", l);
232 if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
233 return;
234
235 while (x > 2)
236 {
237 int type = o[0];
238 int length = o[1];
239 if (length < 2)
240 {
241 LOG(4, 0, 0, " Option length is %d...\n", length);
242 break;
243 }
244 if (type == 0)
245 {
246 LOG(4, 0, 0, " Option type is 0...\n");
247 x -= length;
248 o += length;
249 continue;
250 }
251 switch (type)
252 {
253 case 1: // Maximum-Receive-Unit
254 if (length == 4)
255 LOG(4, 0, 0, " %s %d\n", lcp_type(type), ntohs(*(uint16_t *)(o + 2)));
256 else
257 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
258 break;
259 case 2: // Async-Control-Character-Map
260 if (length == 6)
261 {
262 uint32_t asyncmap = ntohl(*(uint32_t *)(o + 2));
263 LOG(4, 0, 0, " %s %x\n", lcp_type(type), asyncmap);
264 }
265 else
266 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
267 break;
268 case 3: // Authentication-Protocol
269 if (length == 4)
270 {
271 int proto = ntohs(*(uint16_t *)(o + 2));
272 LOG(4, 0, 0, " %s 0x%x (%s)\n", lcp_type(type), proto,
273 proto == PPPCHAP ? "CHAP" :
274 proto == PPPPAP ? "PAP" : "UNKNOWN");
275 }
276 else
277 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
278 break;
279 case 4: // Quality-Protocol
280 {
281 uint32_t qp = ntohl(*(uint32_t *)(o + 2));
282 LOG(4, 0, 0, " %s %x\n", lcp_type(type), qp);
283 }
284 break;
285 case 5: // Magic-Number
286 if (length == 6)
287 {
288 uint32_t magicno = ntohl(*(uint32_t *)(o + 2));
289 LOG(4, 0, 0, " %s %x\n", lcp_type(type), magicno);
290 }
291 else
292 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
293 break;
294 case 7: // Protocol-Field-Compression
295 case 8: // Address-And-Control-Field-Compression
296 LOG(4, 0, 0, " %s\n", lcp_type(type));
297 break;
298 default:
299 LOG(2, 0, 0, " Unknown PPP LCP Option type %d\n", type);
300 break;
301 }
302 x -= length;
303 o += length;
304 }
305 }
306
307 // Process LCP messages
308 void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
309 {
310 uint8_t b[MAXCONTROL];
311 uint8_t *q = NULL;
312 uint32_t magicno = 0;
313 uint16_t hl;
314
315 CSTAT(processlcp);
316
317 LOG_HEX(5, "LCP", p, l);
318 if (l < 4)
319 {
320 LOG(1, s, t, "Short LCP %d bytes\n", l);
321 STAT(tunnel_rx_errors);
322 return ;
323 }
324
325 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
326 {
327 LOG(1, s, t, "Length mismatch LCP %u/%u\n", hl, l);
328 STAT(tunnel_rx_errors);
329 return ;
330 }
331 l = hl;
332
333 if (*p == ConfigAck)
334 {
335 LOG(3, s, t, "LCP: Discarding ConfigAck\n");
336 session[s].flags |= SF_LCP_ACKED;
337 }
338 else if (*p == ConfigReq)
339 {
340 int x = l - 4;
341 uint8_t *o = (p + 4);
342 uint8_t *response = 0;
343
344 LOG(3, s, t, "LCP: ConfigReq (%d bytes)...\n", l);
345 if (config->debug > 3) dumplcp(p, l);
346
347 while (x > 2)
348 {
349 int type = o[0];
350 int length = o[1];
351
352 if (length == 0 || type == 0 || x < length) break;
353 switch (type)
354 {
355 case 1: // Maximum-Receive-Unit
356 session[s].mru = ntohs(*(uint16_t *)(o + 2));
357 break;
358
359 case 2: // Async-Control-Character-Map
360 if (!ntohl(*(uint32_t *)(o + 2))) // all bits zero is OK
361 break;
362
363 if (response && *response != ConfigNak) // rej already queued
364 break;
365
366 LOG(2, s, t, " Remote requesting asyncmap. Rejecting.\n");
367 if (!response)
368 {
369 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
370 if (!q) break;
371 *q = ConfigNak;
372 q += 4;
373 }
374
375 if ((q - b + 11) > sizeof(b))
376 {
377 LOG(2, s, t, "LCP overflow for asyncmap ConfigNak.\n");
378 break;
379 }
380
381 *q++ = type;
382 *q++ = 6;
383 memset(q, 0, 4); // asyncmap 0
384 q += 4;
385 *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length
386 break;
387
388 case 3: // Authentication-Protocol
389 {
390 int proto = ntohs(*(uint16_t *)(o + 2));
391 char proto_name[] = "0x0000";
392 if (proto == PPPPAP)
393 break;
394
395 if (response && *response != ConfigNak) // rej already queued
396 break;
397
398 if (proto == PPPCHAP)
399 strcpy(proto_name, "CHAP");
400 else
401 sprintf(proto_name, "%#4.4x", proto);
402
403 LOG(2, s, t, " Remote requesting %s authentication. Rejecting.\n", proto_name);
404
405 if (!response)
406 {
407 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
408 if (!q) break;
409 *q = ConfigNak;
410 q += 4;
411 }
412
413 if ((q - b + length) > sizeof(b))
414 {
415 LOG(2, s, t, "LCP overflow for %s ConfigNak.\n", proto_name);
416 break;
417 }
418
419 memcpy(q, o, length);
420 *(uint16_t *)(q += 2) = htons(PPPPAP); // NAK -> Use PAP instead
421 q += length;
422 *((uint16_t *) (response + 2)) = htons(q - response);
423 }
424 break;
425
426 case 5: // Magic-Number
427 magicno = ntohl(*(uint32_t *)(o + 2));
428 break;
429
430 case 4: // Quality-Protocol
431 case 7: // Protocol-Field-Compression
432 case 8: // Address-And-Control-Field-Compression
433 break;
434
435 default: // Reject any unknown options
436 LOG(2, s, t, " Rejecting PPP LCP Option type %d\n", type);
437 if (!response || *response != ConfigRej) // drop nak in favour of rej
438 {
439 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
440 if (!q) break;
441 *q = ConfigRej;
442 q += 4;
443 }
444
445 if ((q - b + length) > sizeof(b))
446 {
447 LOG(2, s, t, "LCP overflow for ConfigRej (type=%d).\n", type);
448 break;
449 }
450
451 memcpy(q, o, length);
452 q += length;
453 *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length
454 }
455 x -= length;
456 o += length;
457 }
458
459 if (!response)
460 {
461 // Send back a ConfigAck
462 q = response = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
463 if (!q) return;
464 *q = ConfigAck;
465 }
466
467 LOG(3, s, t, "Sending %s\n", ppp_lcp_type(*response));
468 tunnelsend(b, l + (q - b), t);
469
470 if (!(session[s].flags & SF_LCP_ACKED))
471 initlcp(t, s);
472 }
473 else if (*p == ConfigNak)
474 {
475 LOG(1, s, t, "Remote end sent a ConfigNak. Ignoring\n");
476 if (config->debug > 3) dumplcp(p, l);
477 return ;
478 }
479 else if (*p == TerminateReq)
480 {
481 LOG(3, s, t, "LCP: Received TerminateReq. Sending TerminateAck\n");
482 *p = TerminateAck; // close
483 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
484 if (!q) return;
485 tunnelsend(b, l + (q - b), t); // send it
486 sessionshutdown(s, "Remote end closed connection.");
487 }
488 else if (*p == TerminateAck)
489 {
490 sessionshutdown(s, "Connection closed.");
491 }
492 else if (*p == ProtocolRej)
493 {
494 if (*(uint16_t *) (p+4) == htons(PPPIPV6CP))
495 {
496 LOG(3, s, t, "IPv6 rejected\n");
497 session[s].flags |= SF_IPV6_NACKED;
498 }
499 else
500 {
501 LOG(1, s, t, "Unexpected LCP protocol reject 0x%X\n",
502 ntohs(*(uint16_t *) (p+4)));
503 STAT(tunnel_rx_errors);
504 }
505 }
506 else if (*p == EchoReq)
507 {
508 LOG(5, s, t, "LCP: Received EchoReq. Sending EchoReply\n");
509 *p = EchoReply; // reply
510 *(uint32_t *) (p + 4) = htonl(session[s].magic); // our magic number
511 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
512 if (!q) return;
513 tunnelsend(b, l + (q - b), t); // send it
514 }
515 else if (*p == EchoReply)
516 {
517 // Ignore it, last_packet time is set earlier than this.
518 }
519 else if (*p == IdentRequest)
520 {
521 *p = CodeRej;
522 if (l > MAXCONTROL)
523 {
524 LOG(1, s, t, "Truncated Ident Packet (length=%d) to 1400 bytes\n", l);
525 l = 1400;
526 }
527 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
528 if (!q) return;
529 LOG_HEX(5, "LCPIdentRej", q, l + 4);
530 tunnelsend(b, 12 + 4 + l, t);
531 }
532 else
533 {
534 LOG(1, s, t, "Unexpected LCP code %d\n", *p);
535 STAT(tunnel_rx_errors);
536 return ;
537 }
538 }
539
540 // find a PPP option, returns point to option, or 0 if not found
541 static uint8_t *findppp(uint8_t *b, uint8_t mtype)
542 {
543 uint16_t l = ntohs(*(uint16_t *) (b + 2));
544 if (l < 4)
545 return 0;
546 b += 4;
547 l -= 4;
548 while (l)
549 {
550 if (l < b[1] || !b[1])
551 return 0; // faulty
552 if (*b == mtype)
553 return b;
554 l -= b[1];
555 b += b[1];
556 }
557 return 0;
558 }
559
560 // Process IPCP messages
561 void processipcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
562 {
563 uint16_t hl;
564
565 CSTAT(processipcp);
566
567 LOG_HEX(5, "IPCP", p, l);
568 if (l < 5)
569 {
570 LOG(1, s, t, "Short IPCP %d bytes\n", l);
571 STAT(tunnel_rx_errors);
572 return ;
573 }
574
575 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
576 {
577 LOG(1, s, t, "Length mismatch IPCP %u/%u\n", hl, l);
578 STAT(tunnel_rx_errors);
579 return ;
580 }
581 l = hl;
582
583 if (*p == ConfigAck)
584 {
585 // happy with our IPCP
586 uint16_t r = session[s].radius;
587 if ((!r || radius[r].state == RADIUSIPCP) && !session[s].walled_garden)
588 {
589 if (!r)
590 r = radiusnew(s);
591 if (r)
592 radiussend(r, RADIUSSTART); // send radius start, having got IPCP at last
593 }
594 session[s].flags |= SF_IPCP_ACKED;
595
596 LOG(3, s, t, "IPCP Acked, session is now active\n");
597
598 // clear LCP_ACKED/CCP_ACKED flag for possible fast renegotiaion for routers
599 session[s].flags &= ~(SF_LCP_ACKED|SF_CCP_ACKED);
600
601 return;
602 }
603 if (*p != ConfigReq)
604 {
605 LOG(1, s, t, "Unexpected IPCP code %d\n", *p);
606 STAT(tunnel_rx_errors);
607 return ;
608 }
609 LOG(4, s, t, "IPCP ConfigReq received\n");
610
611 if (!session[s].ip)
612 {
613 LOG(3, s, t, "Waiting on radius reply\n");
614 return; // have to wait on RADIUS reply
615 }
616 // form a config reply quoting the IP in the session
617 {
618 uint8_t b[MAXCONTROL];
619 uint8_t *i, *q;
620
621 q = p + 4;
622 i = p + l;
623 while (q < i && q[1])
624 {
625 if (*q != 0x81 && *q != 0x83 && *q != 3)
626 break;
627 q += q[1];
628 }
629 if (q < i)
630 {
631 // reject
632 uint16_t n = 4;
633 i = p + l;
634 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
635 return;
636
637 *q = ConfigRej;
638 p += 4;
639 while (p < i && p[1])
640 {
641 if (*p != 0x81 && *p != 0x83 && *p != 3)
642 {
643 LOG(2, s, t, "IPCP reject %d\n", *p);
644 memcpy(q + n, p, p[1]);
645 n += p[1];
646 }
647 p += p[1];
648 }
649 *(uint16_t *) (q + 2) = htons(n);
650 LOG(4, s, t, "Sending ConfigRej\n");
651 tunnelsend(b, n + (q - b), t); // send it
652 }
653 else
654 {
655 LOG(4, s, t, "Sending ConfigAck\n");
656 *p = ConfigAck;
657 if ((i = findppp(p, 0x81))) // Primary DNS address
658 {
659 if (*(uint32_t *) (i + 2) != htonl(session[s].dns1))
660 {
661 *(uint32_t *) (i + 2) = htonl(session[s].dns1);
662 *p = ConfigNak;
663 LOG(5, s, t, " DNS1 = %s\n",
664 fmtaddr(htonl(session[s].dns1), 0));
665 }
666 }
667 if ((i = findppp(p, 0x83))) // Secondary DNS address (TBA, is it)
668 {
669 if (*(uint32_t *) (i + 2) != htonl(session[s].dns2))
670 {
671 *(uint32_t *) (i + 2) = htonl(session[s].dns2);
672 *p = ConfigNak;
673 LOG(5, s, t, " DNS2 = %s\n",
674 fmtaddr(htonl(session[s].dns2), 0));
675 }
676 }
677 i = findppp(p, 3); // IP address
678 if (!i || i[1] != 6)
679 {
680 LOG(1, s, t, "No IP in IPCP request\n");
681 STAT(tunnel_rx_errors);
682 return ;
683 }
684 if (*(uint32_t *) (i + 2) != htonl(session[s].ip))
685 {
686 *(uint32_t *) (i + 2) = htonl(session[s].ip);
687 *p = ConfigNak;
688 LOG(4, s, t, " No, a ConfigNak, client is requesting IP - sending %s\n",
689 fmtaddr(htonl(session[s].ip), 0));
690 }
691 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
692 return;
693
694 tunnelsend(b, l + (q - b), t); // send it
695 }
696 }
697 }
698
699 // Process IPV6CP messages
700 void processipv6cp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
701 {
702
703 CSTAT(processipv6cp);
704
705 LOG_HEX(5, "IPV6CP", p, l);
706 if (l < 4)
707 {
708 LOG(1, s, t, "Short IPV6CP %d bytes\n", l);
709 STAT(tunnel_rx_errors);
710 return ;
711 }
712 if (*p == ConfigAck)
713 {
714 // happy with our IPV6CP
715 session[s].flags |= SF_IPV6CP_ACKED;
716
717 LOG(3, s, t, "IPV6CP Acked, IPv6 is now active\n");
718 // Add a routed block if configured.
719 if (session[s].ipv6prefixlen)
720 {
721 route6set(s, session[s].ipv6route, session[s].ipv6prefixlen, 1);
722 session[s].flags |= SF_IPV6_ROUTED;
723 }
724
725 // Send an initial RA (TODO: Should we send these regularly?)
726 send_ipv6_ra(t, s, NULL);
727 return;
728 }
729 if (*p != ConfigReq)
730 {
731 LOG(1, s, t, "Unexpected IPV6CP code %d\n", *p);
732 STAT(tunnel_rx_errors);
733 return;
734 }
735
736 LOG(4, s, t, "IPV6CP ConfigReq received\n");
737 if (ntohs(*(uint16_t *) (p + 2)) > l)
738 {
739 LOG(1, s, t, "Length mismatch IPV6CP %d/%d\n", ntohs(*(uint16_t *) (p + 2)), l);
740 STAT(tunnel_rx_errors);
741 return ;
742 }
743 if (!session[s].ip)
744 {
745 LOG(3, s, t, "Waiting on radius reply\n");
746 return; // have to wait on RADIUS reply
747 }
748 // form a config reply quoting the IP in the session
749 {
750 uint8_t b[MAXCONTROL];
751 uint8_t *i,
752 *q;
753
754 l = ntohs(*(uint16_t *) (p + 2)); // We must use length from IPV6CP len field
755 q = p + 4;
756 i = p + l;
757 while (q < i && q[1])
758 {
759 if (*q != 1)
760 break;
761 q += q[1];
762 }
763 if (q < i)
764 {
765 // reject
766 uint16_t n = 4;
767 i = p + l;
768 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPV6CP)))
769 {
770 LOG(2, s, t, "Failed to send IPV6CP ConfigRej\n");
771 return;
772 }
773 *q = ConfigRej;
774 p += 4;
775 while (p < i && p[1])
776 {
777 if (*p != 1)
778 {
779 LOG(2, s, t, "IPV6CP reject %d\n", *p);
780 memcpy(q + n, p, p[1]);
781 n += p[1];
782 }
783 p += p[1];
784 }
785 *(uint16_t *) (q + 2) = htons(n);
786 LOG(4, s, t, "Sending ConfigRej\n");
787 tunnelsend(b, n + (q - b), t); // send it
788 }
789 else
790 {
791 LOG(4, s, t, "Sending ConfigAck\n");
792 *p = ConfigAck;
793 i = findppp(p, 1); // IP address
794 if (!i || i[1] != 10)
795 {
796 LOG(1, s, t, "No IP in IPV6CP request\n");
797 STAT(tunnel_rx_errors);
798 return ;
799 }
800 if ((*(uint32_t *) (i + 2) != htonl(session[s].ip)) ||
801 (*(uint32_t *) (i + 6) != 0))
802 {
803 *(uint32_t *) (i + 2) = htonl(session[s].ip);
804 *(uint32_t *) (i + 6) = 0;
805 *p = ConfigNak;
806 LOG(4, s, t,
807 " No, a ConfigNak, client is "
808 "requesting IP - sending %s\n",
809 fmtaddr(htonl(session[s].ip), 0));
810 }
811 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPV6CP)))
812 {
813 LOG(2, s, t, " Failed to send IPV6CP packet.\n");
814 return;
815 }
816 tunnelsend(b, l + (q - b), t); // send it
817 }
818 }
819 }
820
821 // process IP packet received
822 //
823 // This MUST be called with at least 4 byte behind 'p'.
824 // (i.e. this routine writes to p[-4]).
825 void processipin(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
826 {
827 in_addr_t ip;
828
829 CSTAT(processipin);
830
831 LOG_HEX(5, "IP", p, l);
832
833 ip = ntohl(*(uint32_t *)(p + 12));
834
835 if (l > MAXETHER)
836 {
837 LOG(1, s, t, "IP packet too long %d\n", l);
838 STAT(tunnel_rx_errors);
839 return ;
840 }
841
842 // no spoof (do sessionbyip to handled statically routed subnets)
843 if (ip != session[s].ip && sessionbyip(htonl(ip)) != s)
844 {
845 LOG(5, s, t, "Dropping packet with spoofed IP %s\n", fmtaddr(htonl(ip), 0));
846 return;
847 }
848
849 // run access-list if any
850 if (session[s].filter_in && !ip_filter(p, l, session[s].filter_in - 1))
851 return;
852
853 // Add on the tun header
854 p -= 4;
855 *(uint32_t *) p = htonl(PKTIP);
856 l += 4;
857
858 // Are we throttled and a slave?
859 if (session[s].tbf_in && !config->cluster_iam_master) {
860 // Pass it to the master for handling.
861 master_throttle_packet(session[s].tbf_in, p, l);
862 return;
863 }
864
865 // Are we throttled and a master??
866 if (session[s].tbf_in && config->cluster_iam_master) {
867 // Actually handle the throttled packets.
868 tbf_queue_packet(session[s].tbf_in, p, l);
869 return;
870 }
871
872 // send to ethernet
873 if (tun_write(p, l) < 0)
874 {
875 STAT(tun_tx_errors);
876 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
877 l, strerror(errno), tunfd, p);
878
879 return;
880 }
881
882 if (session[s].snoop_ip && session[s].snoop_port)
883 {
884 // Snooping this session
885 snoop_send_packet(p + 4, l - 4, session[s].snoop_ip, session[s].snoop_port);
886 }
887
888 session[s].cin += l - 4;
889 session[s].total_cin += l - 4;
890 sess_local[s].cin += l - 4;
891
892 session[s].pin++;
893 eth_tx += l - 4;
894
895 STAT(tun_tx_packets);
896 INC_STAT(tun_tx_bytes, l - 4);
897 }
898
899 // process IPv6 packet received
900 //
901 // This MUST be called with at least 4 byte behind 'p'.
902 // (i.e. this routine writes to p[-4]).
903 void processipv6in(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
904 {
905 struct in6_addr ip;
906 in_addr_t ipv4;
907
908 CSTAT(processipv6in);
909
910 LOG_HEX(5, "IPv6", p, l);
911
912 ip = *(struct in6_addr *) (p + 8);
913 ipv4 = ntohl(*(uint32_t *)(p + 16));
914
915 if (l > MAXETHER)
916 {
917 LOG(1, s, t, "IP packet too long %d\n", l);
918 STAT(tunnel_rx_errors);
919 return ;
920 }
921
922 // no spoof
923 if (ipv4 != session[s].ip && memcmp(&config->ipv6_prefix, &ip, 8) && sessionbyipv6(ip) != s)
924 {
925 char str[INET6_ADDRSTRLEN];
926 LOG(5, s, t, "Dropping packet with spoofed IP %s\n",
927 inet_ntop(AF_INET6, &ip, str, INET6_ADDRSTRLEN));
928 return;
929 }
930
931 // Check if it's a Router Solicition message.
932 if (*(p + 6) == 58 && *(p + 7) == 255 && *(p + 24) == 0xFF && *(p + 25) == 2 &&
933 *(uint32_t *)(p + 26) == 0 && *(uint32_t *)(p + 30) == 0 &&
934 *(uint32_t *)(p + 34) == 0 &&
935 *(p + 38) == 0 && *(p + 39) == 2 && *(p + 40) == 133) {
936 LOG(3, s, t, "Got IPv6 RS\n");
937 send_ipv6_ra(t, s, &ip);
938 return;
939 }
940
941 // Add on the tun header
942 p -= 4;
943 *(uint32_t *) p = htonl(PKTIPV6);
944 l += 4;
945
946 // Are we throttled and a slave?
947 if (session[s].tbf_in && !config->cluster_iam_master) {
948 // Pass it to the master for handling.
949 master_throttle_packet(session[s].tbf_in, p, l);
950 return;
951 }
952
953 // Are we throttled and a master??
954 if (session[s].tbf_in && config->cluster_iam_master) {
955 // Actually handle the throttled packets.
956 tbf_queue_packet(session[s].tbf_in, p, l);
957 return;
958 }
959
960 // send to ethernet
961 if (tun_write(p, l) < 0)
962 {
963 STAT(tun_tx_errors);
964 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
965 l, strerror(errno), tunfd, p);
966
967 return;
968 }
969
970 if (session[s].snoop_ip && session[s].snoop_port)
971 {
972 // Snooping this session
973 snoop_send_packet(p + 4, l - 4, session[s].snoop_ip, session[s].snoop_port);
974 }
975
976 session[s].cin += l - 4;
977 session[s].total_cin += l - 4;
978 sess_local[s].cin += l - 4;
979
980 session[s].pin++;
981 eth_tx += l - 4;
982
983 STAT(tun_tx_packets);
984 INC_STAT(tun_tx_bytes, l - 4);
985 }
986
987 //
988 // Helper routine for the TBF filters.
989 // Used to send queued data in from the user.
990 //
991 void send_ipin(sessionidt s, uint8_t *buf, int len)
992 {
993 LOG_HEX(5, "IP in throttled", buf, len);
994
995 if (write(tunfd, buf, len) < 0)
996 {
997 STAT(tun_tx_errors);
998 LOG(0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
999 len, strerror(errno), tunfd, buf);
1000
1001 return;
1002 }
1003
1004 if (session[s].snoop_ip && session[s].snoop_port)
1005 {
1006 // Snooping this session
1007 snoop_send_packet(buf + 4, len - 4, session[s].snoop_ip, session[s].snoop_port);
1008 }
1009
1010 // Increment packet counters
1011 session[s].cin += len - 4;
1012 session[s].total_cin += len - 4;
1013 sess_local[s].cin += len - 4;
1014
1015 session[s].pin++;
1016 eth_tx += len - 4;
1017
1018 STAT(tun_tx_packets);
1019 INC_STAT(tun_tx_bytes, len - 4);
1020 }
1021
1022
1023 // Process CCP messages
1024 void processccp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
1025 {
1026 uint8_t b[MAXCONTROL];
1027 uint8_t *q;
1028
1029 CSTAT(processccp);
1030
1031 LOG_HEX(5, "CCP", p, l);
1032 switch (l > 1 ? *p : 0)
1033 {
1034 case ConfigAck:
1035 session[s].flags |= SF_CCP_ACKED;
1036 return;
1037
1038 case ConfigReq:
1039 if (l < 6) // accept no compression
1040 {
1041 *p = ConfigAck;
1042 break;
1043 }
1044
1045 // compression requested--reject
1046 *p = ConfigRej;
1047
1048 // send CCP request for no compression for our end if not negotiated
1049 if (!(session[s].flags & SF_CCP_ACKED))
1050 initccp(t, s);
1051
1052 break;
1053
1054 case TerminateReq:
1055 *p = TerminateAck;
1056 break;
1057
1058 default:
1059 if (l > 1)
1060 LOG(1, s, t, "Unexpected CCP request code %d\n", *p);
1061 else
1062 LOG(1, s, t, "Short CCP packet\n");
1063
1064 STAT(tunnel_rx_errors);
1065 return;
1066 }
1067
1068 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPCCP)))
1069 return;
1070
1071 tunnelsend(b, l + (q - b), t); // send it
1072 }
1073
1074 // send a CHAP PP packet
1075 void sendchap(tunnelidt t, sessionidt s)
1076 {
1077 uint8_t b[MAXCONTROL];
1078 uint16_t r = session[s].radius;
1079 uint8_t *q;
1080
1081 CSTAT(sendchap);
1082
1083 if (!r)
1084 {
1085 LOG(1, s, t, "No RADIUS to send challenge\n");
1086 STAT(tunnel_tx_errors);
1087 return;
1088 }
1089
1090 LOG(1, s, t, "Send CHAP challenge\n");
1091
1092 // new challenge
1093 random_data(radius[r].auth, sizeof(radius[r].auth));
1094 radius[r].chap = 1; // CHAP not PAP
1095 radius[r].id++;
1096 if (radius[r].state != RADIUSCHAP)
1097 radius[r].try = 0;
1098
1099 radius[r].state = RADIUSCHAP;
1100 radius[r].retry = backoff(radius[r].try++);
1101 if (radius[r].try > 5)
1102 {
1103 sessionshutdown(s, "Timeout CHAP");
1104 STAT(tunnel_tx_errors);
1105 return ;
1106 }
1107 q = makeppp(b, sizeof(b), 0, 0, t, s, PPPCHAP);
1108 if (!q) return;
1109
1110 *q = 1; // challenge
1111 q[1] = radius[r].id; // ID
1112 q[4] = 16; // length
1113 memcpy(q + 5, radius[r].auth, 16); // challenge
1114 strcpy(q + 21, hostname); // our name
1115 *(uint16_t *) (q + 2) = htons(strlen(hostname) + 21); // length
1116 tunnelsend(b, strlen(hostname) + 21 + (q - b), t); // send it
1117 }
1118
1119 // fill in a L2TP message with a PPP frame,
1120 // copies existing PPP message and changes magic number if seen
1121 // returns start of PPP frame
1122 uint8_t *makeppp(uint8_t *b, int size, uint8_t *p, int l, tunnelidt t, sessionidt s, uint16_t mtype)
1123 {
1124 if (size < 12) // Need more space than this!!
1125 {
1126 static int backtrace_count = 0;
1127 LOG(0, s, t, "makeppp buffer too small for L2TP header (size=%d)\n", size);
1128 log_backtrace(backtrace_count, 5)
1129 return NULL;
1130 }
1131
1132 *(uint16_t *) (b + 0) = htons(0x0002); // L2TP with no options
1133 *(uint16_t *) (b + 2) = htons(tunnel[t].far); // tunnel
1134 *(uint16_t *) (b + 4) = htons(session[s].far); // session
1135 b += 6;
1136 if (mtype == PPPLCP || !(session[s].l2tp_flags & SESSIONACFC))
1137 {
1138 *(uint16_t *) b = htons(0xFF03); // HDLC header
1139 b += 2;
1140 }
1141 if (mtype < 0x100 && session[s].l2tp_flags & SESSIONPFC)
1142 *b++ = mtype;
1143 else
1144 {
1145 *(uint16_t *) b = htons(mtype);
1146 b += 2;
1147 }
1148
1149 if (l + 12 > size)
1150 {
1151 static int backtrace_count = 0;
1152 LOG(2, s, t, "makeppp would overflow buffer (size=%d, header+payload=%d)\n", size, l + 12);
1153 log_backtrace(backtrace_count, 5)
1154 return NULL;
1155 }
1156
1157 if (p && l)
1158 memcpy(b, p, l);
1159
1160 return b;
1161 }
1162
1163 // Send initial LCP ConfigReq for PAP, set magic no.
1164 void initlcp(tunnelidt t, sessionidt s)
1165 {
1166 char b[500], *q;
1167
1168 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP)))
1169 return;
1170
1171 LOG(4, s, t, "Sending LCP ConfigReq for PAP\n");
1172 *q = ConfigReq;
1173 *(uint8_t *)(q + 1) = (time_now % 255) + 1; // ID
1174 *(uint16_t *)(q + 2) = htons(14); // Length
1175 *(uint8_t *)(q + 4) = 5;
1176 *(uint8_t *)(q + 5) = 6;
1177 *(uint32_t *)(q + 6) = htonl(session[s].magic);
1178 *(uint8_t *)(q + 10) = 3;
1179 *(uint8_t *)(q + 11) = 4;
1180 *(uint16_t *)(q + 12) = htons(PPPPAP); // PAP
1181
1182 LOG_HEX(5, "PPPLCP", q, 14);
1183 tunnelsend(b, (q - b) + 14, t);
1184 }
1185
1186 // Send CCP request for no compression
1187 static void initccp(tunnelidt t, sessionidt s)
1188 {
1189 char b[500], *q;
1190
1191 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPCCP)))
1192 return;
1193
1194 LOG(4, s, t, "Sending CCP ConfigReq for no compression\n");
1195 *q = ConfigReq;
1196 *(uint8_t *)(q + 1) = (time_now % 255) + 1; // ID
1197 *(uint16_t *)(q + 2) = htons(4); // Length
1198
1199 LOG_HEX(5, "PPPCCP", q, 4);
1200 tunnelsend(b, (q - b) + 4 , t);
1201 }