e3a2c7478c9dfcb411eaee21221b997b5443928c
[l2tpns.git] / ppp.c
1 // L2TPNS PPP Stuff
2
3 char const *cvs_id_ppp = "$Id: ppp.c,v 1.48 2005-05-05 10:02:08 bodea Exp $";
4
5 #include <stdio.h>
6 #include <string.h>
7 #include <unistd.h>
8 #include <errno.h>
9 #include <stdlib.h>
10 #include "l2tpns.h"
11 #include "constants.h"
12 #include "plugin.h"
13 #include "util.h"
14 #include "tbf.h"
15 #include "cluster.h"
16
17 extern tunnelt *tunnel;
18 extern sessiont *session;
19 extern radiust *radius;
20 extern int tunfd;
21 extern char hostname[];
22 extern uint32_t eth_tx;
23 extern time_t time_now;
24 extern configt *config;
25
26 static void initccp(tunnelidt t, sessionidt s);
27
28 // Process PAP messages
29 void processpap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
30 {
31 char user[MAXUSER];
32 char pass[MAXPASS];
33 uint16_t hl;
34
35 CSTAT(processpap);
36
37 LOG_HEX(5, "PAP", p, l);
38 if (l < 4)
39 {
40 LOG(1, s, t, "Short PAP %u bytes\n", l);
41 STAT(tunnel_rx_errors);
42 sessionshutdown(s, "Short PAP packet.", 3, 0);
43 return ;
44 }
45
46 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
47 {
48 LOG(1, s, t, "Length mismatch PAP %u/%u\n", hl, l);
49 STAT(tunnel_rx_errors);
50 sessionshutdown(s, "PAP length mismatch.", 3, 0);
51 return ;
52 }
53 l = hl;
54
55 if (*p != 1)
56 {
57 LOG(1, s, t, "Unexpected PAP code %d\n", *p);
58 STAT(tunnel_rx_errors);
59 sessionshutdown(s, "Unexpected PAP code.", 3, 0);
60 return ;
61 }
62
63 {
64 uint8_t *b = p;
65 b += 4;
66 user[0] = pass[0] = 0;
67 if (*b && *b < sizeof(user))
68 {
69 memcpy(user, b + 1, *b);
70 user[*b] = 0;
71 b += 1 + *b;
72 if (*b && *b < sizeof(pass))
73 {
74 memcpy(pass, b + 1, *b);
75 pass[*b] = 0;
76 }
77 }
78 LOG(3, s, t, "PAP login %s/%s\n", user, pass);
79 }
80 if (session[s].ip || !sess_local[s].radius)
81 {
82 // respond now, either no RADIUS available or already authenticated
83 uint8_t b[MAXCONTROL];
84 uint8_t id = p[1];
85 uint8_t *p = makeppp(b, sizeof(b), 0, 0, t, s, PPPPAP);
86 if (!p) return;
87
88 if (session[s].ip)
89 *p = 2; // ACK
90 else
91 *p = 3; // cant authorise
92 p[1] = id;
93 *(uint16_t *) (p + 2) = htons(5); // length
94 p[4] = 0; // no message
95 if (session[s].ip)
96 {
97 LOG(3, s, t, "Already an IP allocated: %s (%d)\n",
98 fmtaddr(htonl(session[s].ip), 0), session[s].ip_pool_index);
99
100 session[s].flags &= ~SF_IPCP_ACKED;
101 }
102 else
103 {
104 LOG(1, s, t, "No radius session available to authenticate session...\n");
105 }
106 LOG(3, s, t, "Fallback response to PAP (%s)\n", (session[s].ip) ? "ACK" : "NAK");
107 tunnelsend(b, 5 + (p - b), t); // send it
108 sessionshutdown(s, "PAP authentication failed.", 3, 0);
109 }
110 else
111 {
112 // set up RADIUS request
113 uint16_t r = sess_local[s].radius;
114
115 // Run PRE_AUTH plugins
116 struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
117 run_plugins(PLUGIN_PRE_AUTH, &packet);
118 if (!packet.continue_auth)
119 {
120 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
121 if (packet.username) free(packet.username);
122 if (packet.password) free(packet.password);
123 return;
124 }
125
126 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
127 strncpy(radius[r].pass, packet.password, sizeof(radius[r].pass) - 1);
128
129 free(packet.username);
130 free(packet.password);
131
132 radius[r].id = p[1];
133 LOG(3, s, t, "Sending login for %s/%s to radius\n", user, pass);
134 radiussend(r, RADIUSAUTH);
135 }
136 }
137
138 // Process CHAP messages
139 void processchap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
140 {
141 uint16_t r;
142 uint16_t hl;
143
144 CSTAT(processchap);
145
146 LOG_HEX(5, "CHAP", p, l);
147 r = sess_local[s].radius;
148 if (!r)
149 {
150 LOG(1, s, t, "Unexpected CHAP message\n");
151 STAT(tunnel_rx_errors);
152 return;
153 }
154
155 if (l < 4)
156 {
157 LOG(1, s, t, "Short CHAP %u bytes\n", l);
158 STAT(tunnel_rx_errors);
159 return ;
160 }
161
162 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
163 {
164 LOG(1, s, t, "Length mismatch CHAP %u/%u\n", hl, l);
165 STAT(tunnel_rx_errors);
166 return ;
167 }
168 l = hl;
169
170 if (*p != 2)
171 {
172 LOG(1, s, t, "Unexpected CHAP response code %d\n", *p);
173 STAT(tunnel_rx_errors);
174 return;
175 }
176 if (p[1] != radius[r].id)
177 {
178 LOG(1, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
179 STAT(tunnel_rx_errors);
180 return ;
181 }
182
183 if (l < 5 || p[4] != 16)
184 {
185 LOG(1, s, t, "Bad CHAP response length %d\n", l < 5 ? -1 : p[4]);
186 STAT(tunnel_rx_errors);
187 return ;
188 }
189
190 l -= 5;
191 p += 5;
192 if (l < 16 || l - 16 >= sizeof(session[s].user))
193 {
194 LOG(1, s, t, "CHAP user too long %d\n", l - 16);
195 STAT(tunnel_rx_errors);
196 return ;
197 }
198
199 // Run PRE_AUTH plugins
200 {
201 struct param_pre_auth packet = { &tunnel[t], &session[s], NULL, NULL, PPPCHAP, 1 };
202
203 packet.password = calloc(17, 1);
204 memcpy(packet.password, p, 16);
205
206 p += 16;
207 l -= 16;
208
209 packet.username = calloc(l + 1, 1);
210 memcpy(packet.username, p, l);
211
212 run_plugins(PLUGIN_PRE_AUTH, &packet);
213 if (!packet.continue_auth)
214 {
215 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
216 if (packet.username) free(packet.username);
217 if (packet.password) free(packet.password);
218 return;
219 }
220
221 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
222 memcpy(radius[r].pass, packet.password, 16);
223
224 free(packet.username);
225 free(packet.password);
226 }
227
228 radius[r].chap = 1;
229 LOG(3, s, t, "CHAP login %s\n", session[s].user);
230 radiussend(r, RADIUSAUTH);
231 }
232
233 static void dumplcp(uint8_t *p, int l)
234 {
235 int x = l - 4;
236 uint8_t *o = (p + 4);
237
238 LOG_HEX(5, "PPP LCP Packet", p, l);
239 LOG(4, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_type((int)*p), ntohs( ((uint16_t *) p)[1]) );
240 LOG(4, 0, 0, "Length: %d\n", l);
241 if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
242 return;
243
244 while (x > 2)
245 {
246 int type = o[0];
247 int length = o[1];
248 if (length < 2)
249 {
250 LOG(4, 0, 0, " Option length is %d...\n", length);
251 break;
252 }
253 if (type == 0)
254 {
255 LOG(4, 0, 0, " Option type is 0...\n");
256 x -= length;
257 o += length;
258 continue;
259 }
260 switch (type)
261 {
262 case 1: // Maximum-Receive-Unit
263 if (length == 4)
264 LOG(4, 0, 0, " %s %d\n", lcp_type(type), ntohs(*(uint16_t *)(o + 2)));
265 else
266 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
267 break;
268 case 2: // Async-Control-Character-Map
269 if (length == 6)
270 {
271 uint32_t asyncmap = ntohl(*(uint32_t *)(o + 2));
272 LOG(4, 0, 0, " %s %x\n", lcp_type(type), asyncmap);
273 }
274 else
275 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
276 break;
277 case 3: // Authentication-Protocol
278 if (length == 4)
279 {
280 int proto = ntohs(*(uint16_t *)(o + 2));
281 LOG(4, 0, 0, " %s 0x%x (%s)\n", lcp_type(type), proto,
282 proto == PPPCHAP ? "CHAP" :
283 proto == PPPPAP ? "PAP" : "UNKNOWN");
284 }
285 else
286 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
287 break;
288 case 4: // Quality-Protocol
289 {
290 uint32_t qp = ntohl(*(uint32_t *)(o + 2));
291 LOG(4, 0, 0, " %s %x\n", lcp_type(type), qp);
292 }
293 break;
294 case 5: // Magic-Number
295 if (length == 6)
296 {
297 uint32_t magicno = ntohl(*(uint32_t *)(o + 2));
298 LOG(4, 0, 0, " %s %x\n", lcp_type(type), magicno);
299 }
300 else
301 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
302 break;
303 case 7: // Protocol-Field-Compression
304 case 8: // Address-And-Control-Field-Compression
305 LOG(4, 0, 0, " %s\n", lcp_type(type));
306 break;
307 default:
308 LOG(2, 0, 0, " Unknown PPP LCP Option type %d\n", type);
309 break;
310 }
311 x -= length;
312 o += length;
313 }
314 }
315
316 // Process LCP messages
317 void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
318 {
319 uint8_t b[MAXCONTROL];
320 uint8_t *q = NULL;
321 uint32_t magicno = 0;
322 uint16_t hl;
323
324 CSTAT(processlcp);
325
326 LOG_HEX(5, "LCP", p, l);
327 if (l < 4)
328 {
329 LOG(1, s, t, "Short LCP %d bytes\n", l);
330 STAT(tunnel_rx_errors);
331 return ;
332 }
333
334 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
335 {
336 LOG(1, s, t, "Length mismatch LCP %u/%u\n", hl, l);
337 STAT(tunnel_rx_errors);
338 return ;
339 }
340 l = hl;
341
342 if (*p == ConfigAck)
343 {
344 LOG(3, s, t, "LCP: Discarding ConfigAck\n");
345 session[s].flags |= SF_LCP_ACKED;
346 }
347 else if (*p == ConfigReq)
348 {
349 int x = l - 4;
350 uint8_t *o = (p + 4);
351 uint8_t *response = 0;
352
353 LOG(3, s, t, "LCP: ConfigReq (%d bytes)...\n", l);
354 if (config->debug > 3) dumplcp(p, l);
355
356 while (x > 2)
357 {
358 int type = o[0];
359 int length = o[1];
360
361 if (length == 0 || type == 0 || x < length) break;
362 switch (type)
363 {
364 case 1: // Maximum-Receive-Unit
365 session[s].mru = ntohs(*(uint16_t *)(o + 2));
366 break;
367
368 case 2: // Async-Control-Character-Map
369 if (!ntohl(*(uint32_t *)(o + 2))) // all bits zero is OK
370 break;
371
372 if (response && *response != ConfigNak) // rej already queued
373 break;
374
375 LOG(2, s, t, " Remote requesting asyncmap. Rejecting.\n");
376 if (!response)
377 {
378 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
379 if (!q) break;
380 *q = ConfigNak;
381 q += 4;
382 }
383
384 if ((q - b + 11) > sizeof(b))
385 {
386 LOG(2, s, t, "LCP overflow for asyncmap ConfigNak.\n");
387 break;
388 }
389
390 *q++ = type;
391 *q++ = 6;
392 memset(q, 0, 4); // asyncmap 0
393 q += 4;
394 *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length
395 break;
396
397 case 3: // Authentication-Protocol
398 {
399 int proto = ntohs(*(uint16_t *)(o + 2));
400 char proto_name[] = "0x0000";
401 if (proto == PPPPAP)
402 break;
403
404 if (response && *response != ConfigNak) // rej already queued
405 break;
406
407 if (proto == PPPCHAP)
408 strcpy(proto_name, "CHAP");
409 else
410 sprintf(proto_name, "%#4.4x", proto);
411
412 LOG(2, s, t, " Remote requesting %s authentication. Rejecting.\n", proto_name);
413
414 if (!response)
415 {
416 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
417 if (!q) break;
418 *q = ConfigNak;
419 q += 4;
420 }
421
422 if ((q - b + length) > sizeof(b))
423 {
424 LOG(2, s, t, "LCP overflow for %s ConfigNak.\n", proto_name);
425 break;
426 }
427
428 memcpy(q, o, length);
429 *(uint16_t *)(q += 2) = htons(PPPPAP); // NAK -> Use PAP instead
430 q += length;
431 *((uint16_t *) (response + 2)) = htons(q - response);
432 }
433 break;
434
435 case 5: // Magic-Number
436 magicno = ntohl(*(uint32_t *)(o + 2));
437 break;
438
439 case 4: // Quality-Protocol
440 case 7: // Protocol-Field-Compression
441 case 8: // Address-And-Control-Field-Compression
442 break;
443
444 default: // Reject any unknown options
445 LOG(2, s, t, " Rejecting PPP LCP Option type %d\n", type);
446 if (!response || *response != ConfigRej) // drop nak in favour of rej
447 {
448 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
449 if (!q) break;
450 *q = ConfigRej;
451 q += 4;
452 }
453
454 if ((q - b + length) > sizeof(b))
455 {
456 LOG(2, s, t, "LCP overflow for ConfigRej (type=%d).\n", type);
457 break;
458 }
459
460 memcpy(q, o, length);
461 q += length;
462 *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length
463 }
464 x -= length;
465 o += length;
466 }
467
468 if (!response)
469 {
470 // Send back a ConfigAck
471 q = response = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
472 if (!q) return;
473 *q = ConfigAck;
474 }
475
476 LOG(3, s, t, "Sending %s\n", ppp_lcp_type(*response));
477 tunnelsend(b, l + (q - b), t);
478
479 if (!(session[s].flags & SF_LCP_ACKED))
480 initlcp(t, s);
481 }
482 else if (*p == ConfigNak)
483 {
484 LOG(1, s, t, "Remote end sent a ConfigNak. Ignoring\n");
485 if (config->debug > 3) dumplcp(p, l);
486 return ;
487 }
488 else if (*p == TerminateReq)
489 {
490 LOG(3, s, t, "LCP: Received TerminateReq. Sending TerminateAck\n");
491 *p = TerminateAck; // close
492 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
493 if (!q) return;
494 tunnelsend(b, l + (q - b), t); // send it
495 sessionshutdown(s, "Remote end closed connection.", 3, 0);
496 }
497 else if (*p == TerminateAck)
498 {
499 sessionshutdown(s, "Connection closed.", 3, 0);
500 }
501 else if (*p == ProtocolRej)
502 {
503 if (*(uint16_t *) (p+4) == htons(PPPIPV6CP))
504 {
505 LOG(3, s, t, "IPv6 rejected\n");
506 session[s].flags |= SF_IPV6_NACKED;
507 }
508 else
509 {
510 LOG(1, s, t, "Unexpected LCP protocol reject 0x%X\n",
511 ntohs(*(uint16_t *) (p+4)));
512 STAT(tunnel_rx_errors);
513 }
514 }
515 else if (*p == EchoReq)
516 {
517 LOG(5, s, t, "LCP: Received EchoReq. Sending EchoReply\n");
518 *p = EchoReply; // reply
519 *(uint32_t *) (p + 4) = htonl(session[s].magic); // our magic number
520 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
521 if (!q) return;
522 tunnelsend(b, l + (q - b), t); // send it
523 }
524 else if (*p == EchoReply)
525 {
526 // Ignore it, last_packet time is set earlier than this.
527 }
528 else if (*p == IdentRequest)
529 {
530 *p = CodeRej;
531 if (l > MAXCONTROL)
532 {
533 LOG(1, s, t, "Truncated Ident Packet (length=%d) to 1400 bytes\n", l);
534 l = 1400;
535 }
536 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
537 if (!q) return;
538 LOG_HEX(5, "LCPIdentRej", q, l + 4);
539 tunnelsend(b, 12 + 4 + l, t);
540 }
541 else
542 {
543 LOG(1, s, t, "Unexpected LCP code %d\n", *p);
544 STAT(tunnel_rx_errors);
545 return ;
546 }
547 }
548
549 // find a PPP option, returns point to option, or 0 if not found
550 static uint8_t *findppp(uint8_t *b, uint8_t mtype)
551 {
552 uint16_t l = ntohs(*(uint16_t *) (b + 2));
553 if (l < 4)
554 return 0;
555 b += 4;
556 l -= 4;
557 while (l)
558 {
559 if (l < b[1] || !b[1])
560 return 0; // faulty
561 if (*b == mtype)
562 return b;
563 l -= b[1];
564 b += b[1];
565 }
566 return 0;
567 }
568
569 // Process IPCP messages
570 void processipcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
571 {
572 uint16_t hl;
573
574 CSTAT(processipcp);
575
576 LOG_HEX(5, "IPCP", p, l);
577 if (l < 5)
578 {
579 LOG(1, s, t, "Short IPCP %d bytes\n", l);
580 STAT(tunnel_rx_errors);
581 return ;
582 }
583
584 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
585 {
586 LOG(1, s, t, "Length mismatch IPCP %u/%u\n", hl, l);
587 STAT(tunnel_rx_errors);
588 return ;
589 }
590 l = hl;
591
592 if (*p == ConfigAck)
593 {
594 // happy with our IPCP
595 uint16_t r = sess_local[s].radius;
596 if ((!r || radius[r].state == RADIUSIPCP) && !session[s].walled_garden)
597 {
598 if (!r)
599 r = radiusnew(s);
600 if (r)
601 radiussend(r, RADIUSSTART); // send radius start, having got IPCP at last
602 }
603 session[s].flags |= SF_IPCP_ACKED;
604
605 LOG(3, s, t, "IPCP Acked, session is now active\n");
606
607 // clear LCP_ACKED/CCP_ACKED flag for possible fast renegotiaion for routers
608 session[s].flags &= ~(SF_LCP_ACKED|SF_CCP_ACKED);
609
610 return;
611 }
612 if (*p != ConfigReq)
613 {
614 LOG(1, s, t, "Unexpected IPCP code %d\n", *p);
615 STAT(tunnel_rx_errors);
616 return ;
617 }
618 LOG(4, s, t, "IPCP ConfigReq received\n");
619
620 if (!session[s].ip)
621 {
622 LOG(3, s, t, "Waiting on radius reply\n");
623 return; // have to wait on RADIUS reply
624 }
625 // form a config reply quoting the IP in the session
626 {
627 uint8_t b[MAXCONTROL];
628 uint8_t *i, *q;
629
630 q = p + 4;
631 i = p + l;
632 while (q < i && q[1])
633 {
634 if (*q != 0x81 && *q != 0x83 && *q != 3)
635 break;
636 q += q[1];
637 }
638 if (q < i)
639 {
640 // reject
641 uint16_t n = 4;
642 i = p + l;
643 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
644 return;
645
646 *q = ConfigRej;
647 p += 4;
648 while (p < i && p[1])
649 {
650 if (*p != 0x81 && *p != 0x83 && *p != 3)
651 {
652 LOG(2, s, t, "IPCP reject %d\n", *p);
653 memcpy(q + n, p, p[1]);
654 n += p[1];
655 }
656 p += p[1];
657 }
658 *(uint16_t *) (q + 2) = htons(n);
659 LOG(4, s, t, "Sending ConfigRej\n");
660 tunnelsend(b, n + (q - b), t); // send it
661 }
662 else
663 {
664 LOG(4, s, t, "Sending ConfigAck\n");
665 *p = ConfigAck;
666 if ((i = findppp(p, 0x81))) // Primary DNS address
667 {
668 if (*(uint32_t *) (i + 2) != htonl(session[s].dns1))
669 {
670 *(uint32_t *) (i + 2) = htonl(session[s].dns1);
671 *p = ConfigNak;
672 LOG(5, s, t, " DNS1 = %s\n",
673 fmtaddr(htonl(session[s].dns1), 0));
674 }
675 }
676 if ((i = findppp(p, 0x83))) // Secondary DNS address (TBA, is it)
677 {
678 if (*(uint32_t *) (i + 2) != htonl(session[s].dns2))
679 {
680 *(uint32_t *) (i + 2) = htonl(session[s].dns2);
681 *p = ConfigNak;
682 LOG(5, s, t, " DNS2 = %s\n",
683 fmtaddr(htonl(session[s].dns2), 0));
684 }
685 }
686 i = findppp(p, 3); // IP address
687 if (!i || i[1] != 6)
688 {
689 LOG(1, s, t, "No IP in IPCP request\n");
690 STAT(tunnel_rx_errors);
691 return ;
692 }
693 if (*(uint32_t *) (i + 2) != htonl(session[s].ip))
694 {
695 *(uint32_t *) (i + 2) = htonl(session[s].ip);
696 *p = ConfigNak;
697 LOG(4, s, t, " No, a ConfigNak, client is requesting IP - sending %s\n",
698 fmtaddr(htonl(session[s].ip), 0));
699 }
700 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
701 return;
702
703 tunnelsend(b, l + (q - b), t); // send it
704 }
705 }
706 }
707
708 // Process IPV6CP messages
709 void processipv6cp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
710 {
711
712 CSTAT(processipv6cp);
713
714 LOG_HEX(5, "IPV6CP", p, l);
715 if (l < 4)
716 {
717 LOG(1, s, t, "Short IPV6CP %d bytes\n", l);
718 STAT(tunnel_rx_errors);
719 return ;
720 }
721 if (*p == ConfigAck)
722 {
723 // happy with our IPV6CP
724 session[s].flags |= SF_IPV6CP_ACKED;
725
726 LOG(3, s, t, "IPV6CP Acked, IPv6 is now active\n");
727 // Add a routed block if configured.
728 if (session[s].ipv6prefixlen)
729 {
730 route6set(s, session[s].ipv6route, session[s].ipv6prefixlen, 1);
731 session[s].flags |= SF_IPV6_ROUTED;
732 }
733
734 // Send an initial RA (TODO: Should we send these regularly?)
735 send_ipv6_ra(t, s, NULL);
736 return;
737 }
738 if (*p != ConfigReq)
739 {
740 LOG(1, s, t, "Unexpected IPV6CP code %d\n", *p);
741 STAT(tunnel_rx_errors);
742 return;
743 }
744
745 LOG(4, s, t, "IPV6CP ConfigReq received\n");
746 if (ntohs(*(uint16_t *) (p + 2)) > l)
747 {
748 LOG(1, s, t, "Length mismatch IPV6CP %d/%d\n", ntohs(*(uint16_t *) (p + 2)), l);
749 STAT(tunnel_rx_errors);
750 return ;
751 }
752 if (!session[s].ip)
753 {
754 LOG(3, s, t, "Waiting on radius reply\n");
755 return; // have to wait on RADIUS reply
756 }
757 // form a config reply quoting the IP in the session
758 {
759 uint8_t b[MAXCONTROL];
760 uint8_t *i,
761 *q;
762
763 l = ntohs(*(uint16_t *) (p + 2)); // We must use length from IPV6CP len field
764 q = p + 4;
765 i = p + l;
766 while (q < i && q[1])
767 {
768 if (*q != 1)
769 break;
770 q += q[1];
771 }
772 if (q < i)
773 {
774 // reject
775 uint16_t n = 4;
776 i = p + l;
777 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPV6CP)))
778 {
779 LOG(2, s, t, "Failed to send IPV6CP ConfigRej\n");
780 return;
781 }
782 *q = ConfigRej;
783 p += 4;
784 while (p < i && p[1])
785 {
786 if (*p != 1)
787 {
788 LOG(2, s, t, "IPV6CP reject %d\n", *p);
789 memcpy(q + n, p, p[1]);
790 n += p[1];
791 }
792 p += p[1];
793 }
794 *(uint16_t *) (q + 2) = htons(n);
795 LOG(4, s, t, "Sending ConfigRej\n");
796 tunnelsend(b, n + (q - b), t); // send it
797 }
798 else
799 {
800 LOG(4, s, t, "Sending ConfigAck\n");
801 *p = ConfigAck;
802 i = findppp(p, 1); // IP address
803 if (!i || i[1] != 10)
804 {
805 LOG(1, s, t, "No IP in IPV6CP request\n");
806 STAT(tunnel_rx_errors);
807 return ;
808 }
809 if ((*(uint32_t *) (i + 2) != htonl(session[s].ip)) ||
810 (*(uint32_t *) (i + 6) != 0))
811 {
812 *(uint32_t *) (i + 2) = htonl(session[s].ip);
813 *(uint32_t *) (i + 6) = 0;
814 *p = ConfigNak;
815 LOG(4, s, t,
816 " No, a ConfigNak, client is "
817 "requesting IP - sending %s\n",
818 fmtaddr(htonl(session[s].ip), 0));
819 }
820 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPV6CP)))
821 {
822 LOG(2, s, t, " Failed to send IPV6CP packet.\n");
823 return;
824 }
825 tunnelsend(b, l + (q - b), t); // send it
826 }
827 }
828 }
829
830 // process IP packet received
831 //
832 // This MUST be called with at least 4 byte behind 'p'.
833 // (i.e. this routine writes to p[-4]).
834 void processipin(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
835 {
836 in_addr_t ip;
837
838 CSTAT(processipin);
839
840 LOG_HEX(5, "IP", p, l);
841
842 ip = ntohl(*(uint32_t *)(p + 12));
843
844 if (l > MAXETHER)
845 {
846 LOG(1, s, t, "IP packet too long %d\n", l);
847 STAT(tunnel_rx_errors);
848 return ;
849 }
850
851 // no spoof (do sessionbyip to handled statically routed subnets)
852 if (ip != session[s].ip && sessionbyip(htonl(ip)) != s)
853 {
854 LOG(5, s, t, "Dropping packet with spoofed IP %s\n", fmtaddr(htonl(ip), 0));
855 return;
856 }
857
858 // run access-list if any
859 if (session[s].filter_in && !ip_filter(p, l, session[s].filter_in - 1))
860 return;
861
862 // Add on the tun header
863 p -= 4;
864 *(uint32_t *) p = htonl(PKTIP);
865 l += 4;
866
867 // Are we throttled and a slave?
868 if (session[s].tbf_in && !config->cluster_iam_master) {
869 // Pass it to the master for handling.
870 master_throttle_packet(session[s].tbf_in, p, l);
871 return;
872 }
873
874 // Are we throttled and a master??
875 if (session[s].tbf_in && config->cluster_iam_master) {
876 // Actually handle the throttled packets.
877 tbf_queue_packet(session[s].tbf_in, p, l);
878 return;
879 }
880
881 // send to ethernet
882 if (tun_write(p, l) < 0)
883 {
884 STAT(tun_tx_errors);
885 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
886 l, strerror(errno), tunfd, p);
887
888 return;
889 }
890
891 if (session[s].snoop_ip && session[s].snoop_port)
892 {
893 // Snooping this session
894 snoop_send_packet(p + 4, l - 4, session[s].snoop_ip, session[s].snoop_port);
895 }
896
897 session[s].cin += l - 4;
898 session[s].total_cin += l - 4;
899 sess_local[s].cin += l - 4;
900
901 session[s].pin++;
902 eth_tx += l - 4;
903
904 STAT(tun_tx_packets);
905 INC_STAT(tun_tx_bytes, l - 4);
906 }
907
908 // process IPv6 packet received
909 //
910 // This MUST be called with at least 4 byte behind 'p'.
911 // (i.e. this routine writes to p[-4]).
912 void processipv6in(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
913 {
914 struct in6_addr ip;
915 in_addr_t ipv4;
916
917 CSTAT(processipv6in);
918
919 LOG_HEX(5, "IPv6", p, l);
920
921 ip = *(struct in6_addr *) (p + 8);
922 ipv4 = ntohl(*(uint32_t *)(p + 16));
923
924 if (l > MAXETHER)
925 {
926 LOG(1, s, t, "IP packet too long %d\n", l);
927 STAT(tunnel_rx_errors);
928 return ;
929 }
930
931 // no spoof
932 if (ipv4 != session[s].ip && memcmp(&config->ipv6_prefix, &ip, 8) && sessionbyipv6(ip) != s)
933 {
934 char str[INET6_ADDRSTRLEN];
935 LOG(5, s, t, "Dropping packet with spoofed IP %s\n",
936 inet_ntop(AF_INET6, &ip, str, INET6_ADDRSTRLEN));
937 return;
938 }
939
940 // Check if it's a Router Solicition message.
941 if (*(p + 6) == 58 && *(p + 7) == 255 && *(p + 24) == 0xFF && *(p + 25) == 2 &&
942 *(uint32_t *)(p + 26) == 0 && *(uint32_t *)(p + 30) == 0 &&
943 *(uint32_t *)(p + 34) == 0 &&
944 *(p + 38) == 0 && *(p + 39) == 2 && *(p + 40) == 133) {
945 LOG(3, s, t, "Got IPv6 RS\n");
946 send_ipv6_ra(t, s, &ip);
947 return;
948 }
949
950 // Add on the tun header
951 p -= 4;
952 *(uint32_t *) p = htonl(PKTIPV6);
953 l += 4;
954
955 // Are we throttled and a slave?
956 if (session[s].tbf_in && !config->cluster_iam_master) {
957 // Pass it to the master for handling.
958 master_throttle_packet(session[s].tbf_in, p, l);
959 return;
960 }
961
962 // Are we throttled and a master??
963 if (session[s].tbf_in && config->cluster_iam_master) {
964 // Actually handle the throttled packets.
965 tbf_queue_packet(session[s].tbf_in, p, l);
966 return;
967 }
968
969 // send to ethernet
970 if (tun_write(p, l) < 0)
971 {
972 STAT(tun_tx_errors);
973 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
974 l, strerror(errno), tunfd, p);
975
976 return;
977 }
978
979 if (session[s].snoop_ip && session[s].snoop_port)
980 {
981 // Snooping this session
982 snoop_send_packet(p + 4, l - 4, session[s].snoop_ip, session[s].snoop_port);
983 }
984
985 session[s].cin += l - 4;
986 session[s].total_cin += l - 4;
987 sess_local[s].cin += l - 4;
988
989 session[s].pin++;
990 eth_tx += l - 4;
991
992 STAT(tun_tx_packets);
993 INC_STAT(tun_tx_bytes, l - 4);
994 }
995
996 //
997 // Helper routine for the TBF filters.
998 // Used to send queued data in from the user.
999 //
1000 void send_ipin(sessionidt s, uint8_t *buf, int len)
1001 {
1002 LOG_HEX(5, "IP in throttled", buf, len);
1003
1004 if (write(tunfd, buf, len) < 0)
1005 {
1006 STAT(tun_tx_errors);
1007 LOG(0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
1008 len, strerror(errno), tunfd, buf);
1009
1010 return;
1011 }
1012
1013 if (session[s].snoop_ip && session[s].snoop_port)
1014 {
1015 // Snooping this session
1016 snoop_send_packet(buf + 4, len - 4, session[s].snoop_ip, session[s].snoop_port);
1017 }
1018
1019 // Increment packet counters
1020 session[s].cin += len - 4;
1021 session[s].total_cin += len - 4;
1022 sess_local[s].cin += len - 4;
1023
1024 session[s].pin++;
1025 eth_tx += len - 4;
1026
1027 STAT(tun_tx_packets);
1028 INC_STAT(tun_tx_bytes, len - 4);
1029 }
1030
1031
1032 // Process CCP messages
1033 void processccp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
1034 {
1035 uint8_t b[MAXCONTROL];
1036 uint8_t *q;
1037
1038 CSTAT(processccp);
1039
1040 LOG_HEX(5, "CCP", p, l);
1041 switch (l > 1 ? *p : 0)
1042 {
1043 case ConfigAck:
1044 session[s].flags |= SF_CCP_ACKED;
1045 return;
1046
1047 case ConfigReq:
1048 if (l < 6) // accept no compression
1049 {
1050 *p = ConfigAck;
1051 break;
1052 }
1053
1054 // compression requested--reject
1055 *p = ConfigRej;
1056
1057 // send CCP request for no compression for our end if not negotiated
1058 if (!(session[s].flags & SF_CCP_ACKED))
1059 initccp(t, s);
1060
1061 break;
1062
1063 case TerminateReq:
1064 *p = TerminateAck;
1065 break;
1066
1067 default:
1068 if (l > 1)
1069 LOG(1, s, t, "Unexpected CCP request code %d\n", *p);
1070 else
1071 LOG(1, s, t, "Short CCP packet\n");
1072
1073 STAT(tunnel_rx_errors);
1074 return;
1075 }
1076
1077 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPCCP)))
1078 return;
1079
1080 tunnelsend(b, l + (q - b), t); // send it
1081 }
1082
1083 // send a CHAP challenge
1084 void sendchap(tunnelidt t, sessionidt s)
1085 {
1086 uint8_t b[MAXCONTROL];
1087 uint16_t r = sess_local[s].radius;
1088 uint8_t *q;
1089
1090 CSTAT(sendchap);
1091
1092 if (!r)
1093 {
1094 LOG(1, s, t, "No RADIUS to send challenge\n");
1095 STAT(tunnel_tx_errors);
1096 return;
1097 }
1098
1099 LOG(1, s, t, "Send CHAP challenge\n");
1100
1101 // new challenge
1102 random_data(radius[r].auth, sizeof(radius[r].auth));
1103 radius[r].chap = 1; // CHAP not PAP
1104 radius[r].id++;
1105 if (radius[r].state != RADIUSCHAP)
1106 radius[r].try = 0;
1107
1108 radius[r].state = RADIUSCHAP;
1109 radius[r].retry = backoff(radius[r].try++);
1110 if (radius[r].try > 5)
1111 {
1112 sessionshutdown(s, "CHAP timeout.", 3, 0);
1113 STAT(tunnel_tx_errors);
1114 return ;
1115 }
1116 q = makeppp(b, sizeof(b), 0, 0, t, s, PPPCHAP);
1117 if (!q) return;
1118
1119 *q = 1; // challenge
1120 q[1] = radius[r].id; // ID
1121 q[4] = 16; // value size (size of challenge)
1122 memcpy(q + 5, radius[r].auth, 16); // challenge
1123 strcpy(q + 21, hostname); // our name
1124 *(uint16_t *) (q + 2) = htons(strlen(hostname) + 21); // length
1125 tunnelsend(b, strlen(hostname) + 21 + (q - b), t); // send it
1126 }
1127
1128 // fill in a L2TP message with a PPP frame,
1129 // copies existing PPP message and changes magic number if seen
1130 // returns start of PPP frame
1131 uint8_t *makeppp(uint8_t *b, int size, uint8_t *p, int l, tunnelidt t, sessionidt s, uint16_t mtype)
1132 {
1133 if (size < 12) // Need more space than this!!
1134 {
1135 static int backtrace_count = 0;
1136 LOG(0, s, t, "makeppp buffer too small for L2TP header (size=%d)\n", size);
1137 log_backtrace(backtrace_count, 5)
1138 return NULL;
1139 }
1140
1141 *(uint16_t *) (b + 0) = htons(0x0002); // L2TP with no options
1142 *(uint16_t *) (b + 2) = htons(tunnel[t].far); // tunnel
1143 *(uint16_t *) (b + 4) = htons(session[s].far); // session
1144 b += 6;
1145 if (mtype == PPPLCP || !(session[s].l2tp_flags & SESSIONACFC))
1146 {
1147 *(uint16_t *) b = htons(0xFF03); // HDLC header
1148 b += 2;
1149 }
1150 if (mtype < 0x100 && session[s].l2tp_flags & SESSIONPFC)
1151 *b++ = mtype;
1152 else
1153 {
1154 *(uint16_t *) b = htons(mtype);
1155 b += 2;
1156 }
1157
1158 if (l + 12 > size)
1159 {
1160 static int backtrace_count = 0;
1161 LOG(2, s, t, "makeppp would overflow buffer (size=%d, header+payload=%d)\n", size, l + 12);
1162 log_backtrace(backtrace_count, 5)
1163 return NULL;
1164 }
1165
1166 if (p && l)
1167 memcpy(b, p, l);
1168
1169 return b;
1170 }
1171
1172 // Send initial LCP ConfigReq for PAP, set magic no.
1173 void initlcp(tunnelidt t, sessionidt s)
1174 {
1175 char b[500], *q;
1176
1177 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP)))
1178 return;
1179
1180 LOG(4, s, t, "Sending LCP ConfigReq for PAP\n");
1181 *q = ConfigReq;
1182 *(uint8_t *)(q + 1) = (time_now % 255) + 1; // ID
1183 *(uint16_t *)(q + 2) = htons(14); // Length
1184 *(uint8_t *)(q + 4) = 5;
1185 *(uint8_t *)(q + 5) = 6;
1186 *(uint32_t *)(q + 6) = htonl(session[s].magic);
1187 *(uint8_t *)(q + 10) = 3;
1188 *(uint8_t *)(q + 11) = 4;
1189 *(uint16_t *)(q + 12) = htons(PPPPAP); // PAP
1190
1191 LOG_HEX(5, "PPPLCP", q, 14);
1192 tunnelsend(b, (q - b) + 14, t);
1193 }
1194
1195 // Send CCP request for no compression
1196 static void initccp(tunnelidt t, sessionidt s)
1197 {
1198 char b[500], *q;
1199
1200 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPCCP)))
1201 return;
1202
1203 LOG(4, s, t, "Sending CCP ConfigReq for no compression\n");
1204 *q = ConfigReq;
1205 *(uint8_t *)(q + 1) = (time_now % 255) + 1; // ID
1206 *(uint16_t *)(q + 2) = htons(4); // Length
1207
1208 LOG_HEX(5, "PPPCCP", q, 4);
1209 tunnelsend(b, (q - b) + 4 , t);
1210 }