X-Git-Url: http://git.sameswireless.fr/l2tpns.git/blobdiff_plain/6799ee682653854adb91dbdbc567768840155c14..17b2ce31a692b0a82ab22e7d2aad1691eba0188c:/ppp.c?ds=inline diff --git a/ppp.c b/ppp.c index 5ccb72a..25e6f8a 100644 --- a/ppp.c +++ b/ppp.c @@ -1,6 +1,6 @@ // L2TPNS PPP Stuff -char const *cvs_id_ppp = "$Id: ppp.c,v 1.52 2005/05/07 13:12:26 bodea Exp $"; +char const *cvs_id_ppp = "$Id: ppp.c,v 1.64 2005/06/24 08:34:53 bodea Exp $"; #include #include @@ -41,7 +41,7 @@ void processpap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) LOG(1, s, t, "Short PAP %u bytes\n", l); STAT(tunnel_rx_errors); sessionshutdown(s, "Short PAP packet.", 3, 0); - return ; + return; } if ((hl = ntohs(*(uint16_t *) (p + 2))) > l) @@ -49,7 +49,7 @@ void processpap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) LOG(1, s, t, "Length mismatch PAP %u/%u\n", hl, l); STAT(tunnel_rx_errors); sessionshutdown(s, "PAP length mismatch.", 3, 0); - return ; + return; } l = hl; @@ -58,7 +58,7 @@ void processpap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) LOG(1, s, t, "Unexpected PAP code %d\n", *p); STAT(tunnel_rx_errors); sessionshutdown(s, "Unexpected PAP code.", 3, 0); - return ; + return; } { @@ -157,14 +157,16 @@ void processchap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) { LOG(1, s, t, "Short CHAP %u bytes\n", l); STAT(tunnel_rx_errors); - return ; + sessionshutdown(s, "Short CHAP packet.", 3, 0); + return; } if ((hl = ntohs(*(uint16_t *) (p + 2))) > l) { LOG(1, s, t, "Length mismatch CHAP %u/%u\n", hl, l); STAT(tunnel_rx_errors); - return ; + sessionshutdown(s, "CHAP length mismatch.", 3, 0); + return; } l = hl; @@ -172,20 +174,23 @@ void processchap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) { LOG(1, s, t, "Unexpected CHAP response code %d\n", *p); STAT(tunnel_rx_errors); + sessionshutdown(s, "CHAP length mismatch.", 3, 0); return; } if (p[1] != radius[r].id) { LOG(1, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r); STAT(tunnel_rx_errors); - return ; + sessionshutdown(s, "Unexpected CHAP response ID.", 3, 0); + return; } if (l < 5 || p[4] != 16) { LOG(1, s, t, "Bad CHAP response length %d\n", l < 5 ? -1 : p[4]); STAT(tunnel_rx_errors); - return ; + sessionshutdown(s, "Bad CHAP response length.", 3, 0); + return; } l -= 5; @@ -194,7 +199,8 @@ void processchap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) { LOG(1, s, t, "CHAP user too long %d\n", l - 16); STAT(tunnel_rx_errors); - return ; + sessionshutdown(s, "CHAP username too long.", 3, 0); + return; } // Run PRE_AUTH plugins @@ -348,7 +354,33 @@ void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) if (*p == ConfigAck) { - LOG(3, s, t, "LCP: Discarding ConfigAck\n"); + int x = l - 4; + uint8_t *o = (p + 4); + + LOG(3, s, t, "LCP: ConfigAck (%d bytes)...\n", l); + if (config->debug > 3) dumplcp(p, l); + + while (x > 2) + { + int type = o[0]; + int length = o[1]; + + if (length == 0 || type == 0 || x < length) break; + switch (type) + { + case 3: // Authentication-Protocol + { + int proto = ntohs(*(uint16_t *)(o + 2)); + if (proto == PPPCHAP && *(o + 4) == 5) + sendchap(t, s); + } + + break; + } + x -= length; + o += length; + } + session[s].flags |= SF_LCP_ACKED; } else if (*p == ConfigReq) @@ -398,7 +430,6 @@ void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) *q++ = 6; memset(q, 0, 4); // asyncmap 0 q += 4; - *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length break; case 3: // Authentication-Protocol @@ -459,7 +490,6 @@ void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) q = a; } - *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length break; } break; @@ -491,32 +521,97 @@ void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) memcpy(q, o, length); q += length; - *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length } x -= length; o += length; } - if (!response) + if (response) { - // Send back a ConfigAck - q = response = makeppp(b, sizeof(b), p, l, t, s, PPPLCP); - if (!q) return; - *q = ConfigAck; + l = q - response; // LCP packet length + *((uint16_t *) (response + 2)) = htons(l); // update header + } + else + { + // Send packet back as ConfigAck + response = makeppp(b, sizeof(b), p, l, t, s, PPPLCP); + if (!response) return; + *response = ConfigAck; } LOG(3, s, t, "Sending %s\n", ppp_lcp_type(*response)); - tunnelsend(b, l + (q - b), t); + tunnelsend(b, l + response - b, t); if (!(session[s].flags & SF_LCP_ACKED)) sendlcp(t, s, config->radius_authprefer); } else if (*p == ConfigNak) { - LOG(1, s, t, "Remote end sent a ConfigNak. Ignoring\n"); + int x = l - 4; + uint8_t *o = (p + 4); + int authtype = -1; + + LOG(3, s, t, "LCP: ConfigNak (%d bytes)...\n", l); if (config->debug > 3) dumplcp(p, l); - // FIXME: handle MRU, authentication type - return; + + while (x > 2) + { + int type = o[0]; + int length = o[1]; + + if (length == 0 || type == 0 || x < length) break; + switch (type) + { + case 1: // Maximum-Receive-Unit + session[s].mru = ntohs(*(uint16_t *)(o + 2)); + LOG(3, s, t, " Remote requested MRU of %u\n", session[s].mru); + break; + + case 3: // Authentication-Protocol + if (authtype > 0) + break; + + { + int proto = ntohs(*(uint16_t *)(o + 2)); + if (proto == PPPPAP) + { + authtype = config->radius_authtypes & AUTHPAP; + LOG(3, s, t, " Remote requested PAP authentication...%sing\n", + authtype ? "accept" : "reject"); + } + else if (proto == PPPCHAP && *(o + 4) == 5) + { + authtype = config->radius_authtypes & AUTHCHAP; + LOG(3, s, t, " Remote requested CHAP authentication...%sing\n", + authtype ? "accept" : "reject"); + } + else + { + LOG(3, s, t, " Rejecting unsupported authentication %#4x\n", + proto); + } + } + + break; + + default: + LOG(2, s, t, " Remote NAKed LCP type %u?\n", type); + break; + } + x -= length; + o += length; + } + + if (!authtype) + { + sessionshutdown(s, "Unsupported authentication.", 3, 0); + return; + } + + if (authtype == -1) + authtype = config->radius_authprefer; + + sendlcp(t, s, authtype); } else if (*p == TerminateReq) { @@ -575,7 +670,6 @@ void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) { LOG(1, s, t, "Unexpected LCP code %d\n", *p); STAT(tunnel_rx_errors); - return ; } } @@ -624,22 +718,32 @@ void processipcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) if (*p == ConfigAck) { - // happy with our IPCP uint16_t r = sess_local[s].radius; - if ((!r || radius[r].state == RADIUSIPCP) && !session[s].walled_garden) - { - if (!r) - r = radiusnew(s); - if (r) - radiussend(r, RADIUSSTART); // send radius start, having got IPCP at last - } + + // ignore duplicate ACKs + if (session[s].flags & SF_IPCP_ACKED) + return; + + // happy with our IPCP session[s].flags |= SF_IPCP_ACKED; LOG(3, s, t, "IPCP Acked, session is now active\n"); - // clear LCP_ACKED/CCP_ACKED flag for possible fast renegotiaion for routers + // clear LCP_ACKED/CCP_ACKED flag for possible fast renegotiation for routers session[s].flags &= ~(SF_LCP_ACKED|SF_CCP_ACKED); + if (r && session[s].walled_garden) + { + radiusclear(r, s); + return; + } + + if (!r) + r = radiusnew(s); + + if (r) + radiussend(r, RADIUSSTART); // send radius start, having got IPCP at last + return; } if (*p != ConfigReq) @@ -921,21 +1025,26 @@ void processipin(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) return; } + p += 4; + l -= 4; + if (session[s].snoop_ip && session[s].snoop_port) { // Snooping this session - snoop_send_packet(p + 4, l - 4, session[s].snoop_ip, session[s].snoop_port); + snoop_send_packet(p, l, session[s].snoop_ip, session[s].snoop_port); } - session[s].cin += l - 4; - session[s].total_cin += l - 4; - sess_local[s].cin += l - 4; - + increment_counter(&session[s].cin, &session[s].cin_wrap, l); + session[s].cin_delta += l; session[s].pin++; - eth_tx += l - 4; + + sess_local[s].cin += l; + sess_local[s].pin++; + + eth_tx += l; STAT(tun_tx_packets); - INC_STAT(tun_tx_bytes, l - 4); + INC_STAT(tun_tx_bytes, l); } // process IPv6 packet received @@ -1009,21 +1118,26 @@ void processipv6in(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) return; } + p += 4; + l -= 4; + if (session[s].snoop_ip && session[s].snoop_port) { // Snooping this session - snoop_send_packet(p + 4, l - 4, session[s].snoop_ip, session[s].snoop_port); + snoop_send_packet(p, l, session[s].snoop_ip, session[s].snoop_port); } - session[s].cin += l - 4; - session[s].total_cin += l - 4; - sess_local[s].cin += l - 4; - + increment_counter(&session[s].cin, &session[s].cin_wrap, l); + session[s].cin_delta += l; session[s].pin++; - eth_tx += l - 4; + + sess_local[s].cin += l; + sess_local[s].pin++; + + eth_tx += l; STAT(tun_tx_packets); - INC_STAT(tun_tx_bytes, l - 4); + INC_STAT(tun_tx_bytes, l); } // @@ -1043,19 +1157,24 @@ void send_ipin(sessionidt s, uint8_t *buf, int len) return; } + buf += 4; + len -= 4; + if (session[s].snoop_ip && session[s].snoop_port) { // Snooping this session - snoop_send_packet(buf + 4, len - 4, session[s].snoop_ip, session[s].snoop_port); + snoop_send_packet(buf, len, session[s].snoop_ip, session[s].snoop_port); } // Increment packet counters - session[s].cin += len - 4; - session[s].total_cin += len - 4; - sess_local[s].cin += len - 4; - + increment_counter(&session[s].cin, &session[s].cin_wrap, len); + session[s].cin_delta += len; session[s].pin++; - eth_tx += len - 4; + + sess_local[s].cin += len; + sess_local[s].pin++; + + eth_tx += len; STAT(tun_tx_packets); INC_STAT(tun_tx_bytes, len - 4); @@ -1234,7 +1353,7 @@ void sendlcp(tunnelidt t, sessionidt s, int authtype) return; LOG(4, s, t, "Sending LCP ConfigReq for %s\n", - config->radius_authprefer == AUTHCHAP ? "CHAP" : "PAP"); + authtype == AUTHCHAP ? "CHAP" : "PAP"); if (!session[s].mru) session[s].mru = DEFAULT_MRU; @@ -1243,6 +1362,8 @@ void sendlcp(tunnelidt t, sessionidt s, int authtype) *l++ = ConfigReq; *l++ = (time_now % 255) + 1; // ID + l += 2; //Save space for length + *l++ = 1; *l++ = 4; // Maximum-Receive-Unit (length 4) *(uint16_t *) l = htons(session[s].mru); l += 2;