search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Correct PPTP server firewall rules chain.
[tomato/davidwu.git] / release / src / router / xl2tpd / control.c
blob2491d1547628e46d3e713d26ee1984d8e9eb001b
1 /*
2 * Layer Two Tunnelling Protocol Daemon
3 * Copyright (C) 1998 Adtran, Inc.
4 * Copyright (C) 2002 Jeff McAdams
5 *
6 * Mark Spencer
7 *
8 * This software is distributed under the terms
9 * of the GPL, which you should have received
10 * along with this source.
11 *
12 * Control Packet Handling
13 *
14 */
15
16 #include <errno.h>
17 #include <string.h>
18 #include <stdio.h>
19 #include <netinet/in.h>
20 #include <arpa/inet.h>
21 #include <unistd.h>
22 #include <stdlib.h>
23 #include "l2tp.h"
24
25 _u16 ppp_crc16_table[256] = {
26 0x0000, 0x1189, 0x2312, 0x329b, 0x4624, 0x57ad, 0x6536, 0x74bf,
27 0x8c48, 0x9dc1, 0xaf5a, 0xbed3, 0xca6c, 0xdbe5, 0xe97e, 0xf8f7,
28 0x1081, 0x0108, 0x3393, 0x221a, 0x56a5, 0x472c, 0x75b7, 0x643e,
29 0x9cc9, 0x8d40, 0xbfdb, 0xae52, 0xdaed, 0xcb64, 0xf9ff, 0xe876,
30 0x2102, 0x308b, 0x0210, 0x1399, 0x6726, 0x76af, 0x4434, 0x55bd,
31 0xad4a, 0xbcc3, 0x8e58, 0x9fd1, 0xeb6e, 0xfae7, 0xc87c, 0xd9f5,
32 0x3183, 0x200a, 0x1291, 0x0318, 0x77a7, 0x662e, 0x54b5, 0x453c,
33 0xbdcb, 0xac42, 0x9ed9, 0x8f50, 0xfbef, 0xea66, 0xd8fd, 0xc974,
34 0x4204, 0x538d, 0x6116, 0x709f, 0x0420, 0x15a9, 0x2732, 0x36bb,
35 0xce4c, 0xdfc5, 0xed5e, 0xfcd7, 0x8868, 0x99e1, 0xab7a, 0xbaf3,
36 0x5285, 0x430c, 0x7197, 0x601e, 0x14a1, 0x0528, 0x37b3, 0x263a,
37 0xdecd, 0xcf44, 0xfddf, 0xec56, 0x98e9, 0x8960, 0xbbfb, 0xaa72,
38 0x6306, 0x728f, 0x4014, 0x519d, 0x2522, 0x34ab, 0x0630, 0x17b9,
39 0xef4e, 0xfec7, 0xcc5c, 0xddd5, 0xa96a, 0xb8e3, 0x8a78, 0x9bf1,
40 0x7387, 0x620e, 0x5095, 0x411c, 0x35a3, 0x242a, 0x16b1, 0x0738,
41 0xffcf, 0xee46, 0xdcdd, 0xcd54, 0xb9eb, 0xa862, 0x9af9, 0x8b70,
42 0x8408, 0x9581, 0xa71a, 0xb693, 0xc22c, 0xd3a5, 0xe13e, 0xf0b7,
43 0x0840, 0x19c9, 0x2b52, 0x3adb, 0x4e64, 0x5fed, 0x6d76, 0x7cff,
44 0x9489, 0x8500, 0xb79b, 0xa612, 0xd2ad, 0xc324, 0xf1bf, 0xe036,
45 0x18c1, 0x0948, 0x3bd3, 0x2a5a, 0x5ee5, 0x4f6c, 0x7df7, 0x6c7e,
46 0xa50a, 0xb483, 0x8618, 0x9791, 0xe32e, 0xf2a7, 0xc03c, 0xd1b5,
47 0x2942, 0x38cb, 0x0a50, 0x1bd9, 0x6f66, 0x7eef, 0x4c74, 0x5dfd,
48 0xb58b, 0xa402, 0x9699, 0x8710, 0xf3af, 0xe226, 0xd0bd, 0xc134,
49 0x39c3, 0x284a, 0x1ad1, 0x0b58, 0x7fe7, 0x6e6e, 0x5cf5, 0x4d7c,
50 0xc60c, 0xd785, 0xe51e, 0xf497, 0x8028, 0x91a1, 0xa33a, 0xb2b3,
51 0x4a44, 0x5bcd, 0x6956, 0x78df, 0x0c60, 0x1de9, 0x2f72, 0x3efb,
52 0xd68d, 0xc704, 0xf59f, 0xe416, 0x90a9, 0x8120, 0xb3bb, 0xa232,
53 0x5ac5, 0x4b4c, 0x79d7, 0x685e, 0x1ce1, 0x0d68, 0x3ff3, 0x2e7a,
54 0xe70e, 0xf687, 0xc41c, 0xd595, 0xa12a, 0xb0a3, 0x8238, 0x93b1,
55 0x6b46, 0x7acf, 0x4854, 0x59dd, 0x2d62, 0x3ceb, 0x0e70, 0x1ff9,
56 0xf78f, 0xe606, 0xd49d, 0xc514, 0xb1ab, 0xa022, 0x92b9, 0x8330,
57 0x7bc7, 0x6a4e, 0x58d5, 0x495c, 0x3de3, 0x2c6a, 0x1ef1, 0x0f78
58 };
59
60 int global_serno = 1;
61
62 struct buffer *new_outgoing (struct tunnel *t)
63 {
64 /*
65 * Make a new outgoing control packet
66 */
67 struct buffer *tmp = new_buf (MAX_RECV_SIZE);
68 if (!tmp)
69 return NULL;
70 tmp->peer = t->peer;
71 tmp->start += sizeof (struct control_hdr);
72 tmp->len = 0;
73 tmp->retries = 0;
74 tmp->tunnel = t;
75 return tmp;
76 }
77
78 inline void recycle_outgoing (struct buffer *buf, struct sockaddr_in peer)
79 {
80 /*
81 * This should only be used for ZLB's!
82 */
83 buf->start = buf->rstart + sizeof (struct control_hdr);
84 buf->peer = peer;
85 buf->len = 0;
86 buf->retries = -1;
87 buf->tunnel = NULL;
88 }
89 void add_fcs (struct buffer *buf)
90 {
91 _u16 fcs = PPP_INITFCS;
92 unsigned char *c = buf->start;
93 int x;
94 for (x = 0; x < buf->len; x++)
95 {
96 fcs = PPP_FCS (fcs, *c);
97 c++;
98 }
99 fcs = fcs ^ 0xFFFF;
100 *c = fcs & 0xFF;
101 c++;
102 *c = (fcs >> 8) & 0xFF;
103 buf->len += 2;
104 }
105
106 void add_control_hdr (struct tunnel *t, struct call *c, struct buffer *buf)
107 {
108 struct control_hdr *h;
109 buf->start -= sizeof (struct control_hdr);
110 buf->len += sizeof (struct control_hdr);
111 h = (struct control_hdr *) buf->start;
112 h->ver = htons (TBIT | LBIT | FBIT | VER_L2TP);
113 h->length = htons ((_u16) buf->len);
114 h->tid = htons (t->tid);
115 h->cid = htons (c->cid);
116 h->Ns = htons (t->control_seq_num);
117 h->Nr = htons (t->control_rec_seq_num);
118 t->control_seq_num++;
119
120 }
121
122 void hello (void *tun)
123 {
124 struct buffer *buf;
125 struct tunnel *t;
126 struct timeval tv;
127 tv.tv_sec = HELLO_DELAY;
128 tv.tv_usec = 0;
129 t = (struct tunnel *) tun;
130 buf = new_outgoing (t);
131 add_message_type_avp (buf, Hello);
132 add_control_hdr (t, t->self, buf);
133 if (gconfig.packet_dump)
134 do_packet_dump (buf);
135 #ifdef DEBUG_HELLO
136 l2tp_log (LOG_DEBUG, "%s: sending Hello on %d\n", __FUNCTION__, t->ourtid);
137 #endif
138 control_xmit (buf);
139 /*
140 * Schedule another Hello in a little bit.
141 */
142 #ifdef DEBUG_HELLO
143 l2tp_log (LOG_DEBUG, "%s: scheduling another Hello on %d\n", __FUNCTION__,
144 t->ourtid);
145 #endif
146 t->hello = schedule (tv, hello, (void *) t);
147 }
148
149 void control_zlb (struct buffer *buf, struct tunnel *t, struct call *c)
150 {
151 recycle_outgoing (buf, t->peer);
152 add_control_hdr (t, c, buf);
153 t->control_seq_num--;
154 #ifdef DEBUG_ZLB
155 l2tp_log (LOG_DEBUG, "%s: sending control ZLB on tunnel %d\n", __FUNCTION__,
156 t->tid);
157 #endif
158 udp_xmit (buf, t);
159 }
160
161 int control_finish (struct tunnel *t, struct call *c)
162 {
163 /*
164 * After all AVP's have been handled, do anything else
165 * which needs to be done, like prepare response
166 * packets to go back. This is essentially the
167 * implementation of the state machine of section 7.2.1
168 *
169 * If we set c->needclose, the call (or tunnel) will
170 * be closed upon return.
171 */
172 struct buffer *buf;
173 struct call *p, *z;
174 struct tunnel *y;
175 struct timeval tv;
176 struct ppp_opts *po;
177 char ip1[STRLEN];
178 char ip2[STRLEN];
179 char dummy_buf[128] = "/var/l2tp/"; /* jz: needed to read /etc/ppp/var.options - just kick it if you don't like */
180 char passwdfd_buf[32] = ""; /* buffer for the fd, not the password */
181 int i;
182 int pppd_passwdfd[2];
183 int tmptid,tmpcid;
184
185 if (c->msgtype < 0)
186 {
187 l2tp_log (LOG_DEBUG, "%s: Whoa... non-ZLB with no message type!\n",
188 __FUNCTION__);
189 return -EINVAL;
190 }
191 if (gconfig.debug_state)
192 l2tp_log (LOG_DEBUG,
193 "%s: message type is %s(%d). Tunnel is %d, call is %d.\n",
194 __FUNCTION__, msgtypes[c->msgtype], c->msgtype, t->tid, c->cid);
195 switch (c->msgtype)
196 {
197 case 0:
198 /*
199 * We need to initiate a connection.
200 */
201 if (t->self == c)
202 {
203 if (t->lns)
204 {
205 t->ourrws = t->lns->tun_rws;
206 t->hbit = t->lns->hbit;
207 t->rxspeed = t->lns->rxspeed;
208 t->txspeed = t->lns->txspeed;
209 }
210 else if (t->lac)
211 {
212 t->ourrws = t->lac->tun_rws;
213 t->hbit = t->lac->hbit;
214 t->rxspeed = t->lac->rxspeed;
215 t->txspeed = t->lac->txspeed;
216 }
217 /* This is an attempt to bring up the tunnel */
218 t->state = SCCRQ;
219 buf = new_outgoing (t);
220 add_message_type_avp (buf, SCCRQ);
221 if (t->hbit)
222 {
223 mk_challenge (t->chal_them.vector, VECTOR_SIZE);
224 add_randvect_avp (buf, t->chal_them.vector, VECTOR_SIZE);
225 }
226 add_protocol_avp (buf);
227 add_frame_caps_avp (buf, t->ourfc);
228 add_bearer_caps_avp (buf, t->ourbc);
229 /* FIXME: Tie breaker */
230 add_firmware_avp (buf);
231 if (t->lac && t->lac->hostname && t->lac->hostname[0])
232 add_hostname_avp (buf, t->lac->hostname);
233 else if (t->lns && t->lns->hostname && t->lns->hostname[0])
234 add_hostname_avp (buf, t->lns->hostname);
235 else
236 add_hostname_avp (buf, hostname);
237 add_vendor_avp (buf);
238 add_tunnelid_avp (buf, t->ourtid);
239 if (t->ourrws >= 0)
240 add_avp_rws (buf, t->ourrws);
241 if ((t->lac && t->lac->challenge)
242 || (t->lns && t->lns->challenge))
243 {
244 if (t->chal_them.challenge)
245 free(t->chal_them.challenge);
246 t->chal_them.challenge = malloc(MD_SIG_SIZE);
247 if (!(t->chal_them.challenge))
248 {
249 l2tp_log (LOG_WARNING, "%s: malloc failed for challenge\n",
250 __FUNCTION__);
251 toss (buf);
252 return -EINVAL;
253 }
254 mk_challenge (t->chal_them.challenge, MD_SIG_SIZE);
255 t->chal_them.chal_len = MD_SIG_SIZE;
256 add_challenge_avp (buf, t->chal_them.challenge,
257 t->chal_them.chal_len);
258 t->chal_them.state = STATE_CHALLENGED;
259 /* We generate the challenge and make a note that we plan to
260 challenge the peer, but we can't predict the response yet
261 because we don't know their hostname AVP */
262 }
263 add_control_hdr (t, c, buf);
264 c->cnu = 0;
265 if (gconfig.packet_dump)
266 do_packet_dump (buf);
267 if (gconfig.debug_state)
268 l2tp_log (LOG_DEBUG, "%s: sending SCCRQ\n",
269 __FUNCTION__);
270 control_xmit (buf);
271 }
272 else
273 {
274 if (switch_io)
275 {
276 c->state = ICRQ;
277 if (c->lns)
278 {
279 c->lbit = c->lns->lbit ? LBIT : 0;
280 /* c->ourrws = c->lns->call_rws;
281 if (c->ourrws > -1) c->ourfbit = FBIT; else c->ourfbit = 0; */
282 }
283 else if (c->lac)
284 {
285 c->lbit = c->lac->lbit ? LBIT : 0;
286 /* c->ourrws = c->lac->call_rws;
287 if (c->ourrws > -1) c->ourfbit = FBIT; else c->ourfbit = 0; */
288 }
289 buf = new_outgoing (t);
290 add_message_type_avp (buf, ICRQ);
291 if (t->hbit)
292 {
293 mk_challenge (t->chal_them.vector, VECTOR_SIZE);
294 add_randvect_avp (buf, t->chal_them.vector, VECTOR_SIZE);
295 }
296 #ifdef TEST_HIDDEN
297 add_callid_avp (buf, c->ourcid, t);
298 #else
299 add_callid_avp (buf, c->ourcid);
300 #endif
301 add_serno_avp (buf, global_serno);
302 c->serno = global_serno;
303 global_serno++;
304 add_bearer_avp (buf, 0);
305 add_control_hdr (t, c, buf);
306 c->cnu = 0;
307 if (gconfig.packet_dump)
308 do_packet_dump (buf);
309 if (gconfig.debug_state)
310 l2tp_log (LOG_DEBUG, "%s: sending ICRQ\n", __FUNCTION__);
311 control_xmit (buf);
312 }
313 else
314 { /* jz: sending a OCRQ */
315 c->state = OCRQ;
316 if (c->lns)
317 {
318 c->lbit = c->lns->lbit ? LBIT : 0;
319 /* c->ourrws = c->lns->call_rws;
320 if (c->ourrws > -1) c->ourfbit = FBIT; else c->ourfbit = 0; */
321 }
322 else if (c->lac)
323 {
324 /* c->ourrws = c->lac->call_rws;
325 if (c->ourrws > -1) c->ourfbit = FBIT; else c->ourfbit = 0; */
326 }
327
328 if (t->fc & SYNC_FRAMING)
329 c->frame = SYNC_FRAMING;
330 else
331 c->frame = ASYNC_FRAMING;
332 buf = new_outgoing (t);
333 add_message_type_avp (buf, OCRQ);
334 #ifdef TEST_HIDDEN
335 add_callid_avp (buf, c->ourcid, t);
336 #else
337 add_callid_avp (buf, c->ourcid);
338 #endif
339 add_serno_avp (buf, global_serno);
340 c->serno = global_serno;
341 global_serno++;
342 add_minbps_avp (buf, DEFAULT_MIN_BPS);
343 add_maxbps_avp (buf, DEFAULT_MAX_BPS);
344 add_bearer_avp (buf, 0);
345 add_frame_avp (buf, c->frame);
346 add_number_avp (buf, c->dial_no);
347 add_control_hdr (t, c, buf);
348 c->cnu = 0;
349 if (gconfig.packet_dump)
350 do_packet_dump (buf);
351 control_xmit (buf);
352 }
353 }
354 break;
355 case SCCRQ:
356 /*
357 * We've received a request, now let's
358 * formulate a response.
359 */
360 if (t->tid <= 0)
361 {
362 if (DEBUG)
363 l2tp_log (LOG_DEBUG,
364 "%s: Peer did not specify assigned tunnel ID. Closing.\n",
365 __FUNCTION__);
366 set_error (c, VENDOR_ERROR, "Specify your assigned tunnel ID");
367 c->needclose = -1;
368 return -EINVAL;
369 }
370 if (!(t->lns = get_lns (t)))
371 {
372 if (DEBUG)
373 l2tp_log (LOG_DEBUG,
374 "%s: Denied connection to unauthorized peer %s\n",
375 __FUNCTION__, IPADDY (t->peer.sin_addr));
376 set_error (c, VENDOR_ERROR, "No Authorization");
377 c->needclose = -1;
378 return -EINVAL;
379 }
380 t->ourrws = t->lns->tun_rws;
381 t->hbit = t->lns->hbit;
382 if (t->fc < 0)
383 {
384 if (DEBUG)
385 l2tp_log (LOG_DEBUG,
386 "%s: Peer did not specify framing capability. Closing.\n",
387 __FUNCTION__);
388 set_error (c, VENDOR_ERROR, "Specify framing capability");
389 c->needclose = -1;
390 return -EINVAL;
391 }
392 /* FIXME: Do we need to be sure they specified a version number?
393 * Theoretically, yes, but we don't have anything in the code
394 * to actually *do* anything with it, so...why check at this point?
395 * We shouldn't be requiring a bearer capabilities avp to be present in
396 * SCCRQ and SCCRP as they aren't required
397 if (t->bc < 0 ) {
398 if (DEBUG) l2tp_log(LOG_DEBUG,
399 "%s: Peer did not specify bearer capability. Closing.\n",__FUNCTION__);
400 set_error(c, VENDOR_ERROR, "Specify bearer capability");
401 c->needclose = -1;
402 return -EINVAL;
403 } */
404 if ((!strlen (t->hostname)) && ((t->chal_us.state) || ((t->lns->challenge))))
405 {
406 if (DEBUG)
407 l2tp_log (LOG_DEBUG,
408 "%s: Peer did not specify hostname. Closing.\n",
409 __FUNCTION__);
410 set_error (c, VENDOR_ERROR, "Specify your hostname");
411 c->needclose = -1;
412 return -EINVAL;
413 }
414 y = tunnels.head;
415 while (y)
416 {
417 if ((y->tid == t->tid) &&
418 (y->peer.sin_addr.s_addr == t->peer.sin_addr.s_addr) &&
419 (!gconfig.ipsecsaref || y->refhim == t->refhim) &&
420 (y != t))
421 {
422 /* This can happen if we get a duplicate
423 StartCCN or if they don't get our ack packet */
424 /*
425 * But it is legitimate for two different remote systems
426 * to use the same tid
427 */
428 l2tp_log (LOG_DEBUG,
429 "%s: Peer requested tunnel %d twice, ignoring second one.\n",
430 __FUNCTION__, t->tid);
431 c->needclose = 0;
432 c->closing = -1;
433 return 0;
434 }
435 y = y->next;
436 }
437 t->state = SCCRP;
438 buf = new_outgoing (t);
439 add_message_type_avp (buf, SCCRP);
440 if (t->hbit)
441 {
442 mk_challenge (t->chal_them.vector, VECTOR_SIZE);
443 add_randvect_avp (buf, t->chal_them.vector, VECTOR_SIZE);
444 }
445 add_protocol_avp (buf);
446 add_frame_caps_avp (buf, t->ourfc);
447 add_bearer_caps_avp (buf, t->ourbc);
448 add_firmware_avp (buf);
449 if (t->lac && t->lac->hostname && t->lac->hostname[0])
450 add_hostname_avp (buf, t->lac->hostname);
451 else if (t->lns && t->lns->hostname && t->lns->hostname[0])
452 add_hostname_avp (buf, t->lns->hostname);
453 else
454 add_hostname_avp (buf, hostname);
455 add_vendor_avp (buf);
456 add_tunnelid_avp (buf, t->ourtid);
457 if (t->ourrws >= 0)
458 add_avp_rws (buf, t->ourrws);
459 if (t->chal_us.state)
460 {
461 t->chal_us.ss = SCCRP;
462 handle_challenge (t, &t->chal_us);
463 add_chalresp_avp (buf, t->chal_us.response, MD_SIG_SIZE);
464 }
465 if (t->lns->challenge)
466 {
467 if (t->chal_them.challenge)
468 free(t->chal_them.challenge);
469 t->chal_them.challenge = malloc(MD_SIG_SIZE);
470 if (!(t->chal_them.challenge))
471 {
472 l2tp_log (LOG_WARNING, "%s: malloc failed\n", __FUNCTION__);
473 set_error (c, VENDOR_ERROR, "malloc failed");
474 toss (buf);
475 return -EINVAL;
476 }
477 mk_challenge (t->chal_them.challenge, MD_SIG_SIZE);
478 t->chal_them.chal_len = MD_SIG_SIZE;
479 t->chal_them.ss = SCCCN;
480 if (handle_challenge (t, &t->chal_them))
481 {
482 /* We already know what to expect back */
483 l2tp_log (LOG_WARNING, "%s: No secret for '%s'\n", __FUNCTION__,
484 t->hostname);
485 set_error (c, VENDOR_ERROR, "No secret on our side");
486 toss (buf);
487 return -EINVAL;
488 };
489 add_challenge_avp (buf, t->chal_them.challenge,
490 t->chal_them.chal_len);
491 }
492 add_control_hdr (t, c, buf);
493 if (gconfig.packet_dump)
494 do_packet_dump (buf);
495 c->cnu = 0;
496 if (gconfig.debug_state)
497 l2tp_log (LOG_DEBUG, "%s: sending SCCRP\n", __FUNCTION__);
498 sleep(2);
499 control_xmit (buf);
500 break;
501 case SCCRP:
502 /*
503 * We have a reply. If everything is okay, send
504 * a connected message
505 */
506 if (t->fc < 0)
507 {
508 if (DEBUG)
509 l2tp_log (LOG_DEBUG,
510 "%s: Peer did not specify framing capability. Closing.\n",
511 __FUNCTION__);
512 set_error (c, VENDOR_ERROR, "Specify framing capability");
513 c->needclose = -1;
514 return -EINVAL;
515 }
516 /* FIXME: Do we need to be sure they specified a version number?
517 * Theoretically, yes, but we don't have anything in the code
518 * to actually *do* anything with it, so...why check at this point?
519 * We shouldn't be requiring a bearer capabilities avp to be present in
520 * SCCRQ and SCCRP as they aren't required
521 if (t->bc < 0 ) {
522 if (DEBUG) log(LOG_DEBUG,
523 "%s: Peer did not specify bearer capability. Closing.\n",__FUNCTION__);
524 set_error(c, VENDOR_ERROR, "Specify bearer capability");
525 c->needclose = -1;
526 return -EINVAL;
527 } */
528 if ((!strlen (t->hostname)) && ((t->chal_them.state) || ((t->chal_us.state))))
529 {
530 if (DEBUG)
531 l2tp_log (LOG_DEBUG,
532 "%s: Peer did not specify hostname. Closing.\n",
533 __FUNCTION__);
534 set_error (c, VENDOR_ERROR, "Specify your hostname");
535 c->needclose = -1;
536 return -EINVAL;
537 }
538 if (t->tid <= 0)
539 {
540 if (DEBUG)
541 l2tp_log (LOG_DEBUG,
542 "%s: Peer did not specify assigned tunnel ID. Closing.\n",
543 __FUNCTION__);
544 set_error (c, VENDOR_ERROR, "Specify your assigned tunnel ID");
545 c->needclose = -1;
546 return -EINVAL;
547 }
548 if (t->chal_them.state)
549 {
550 t->chal_them.ss = SCCRP;
551 if (handle_challenge (t, &t->chal_them))
552 {
553 set_error (c, VENDOR_ERROR, "No secret key on our side");
554 l2tp_log (LOG_WARNING, "%s: No secret key for authenticating '%s'\n",
555 __FUNCTION__, t->hostname);
556 c->needclose = -1;
557 return -EINVAL;
558 }
559 if (memcmp
560 (t->chal_them.reply, t->chal_them.response, MD_SIG_SIZE))
561 {
562 set_error (c, VENDOR_ERROR,
563 "Invalid challenge authentication");
564 l2tp_log (LOG_DEBUG, "%s: Invalid authentication for host '%s'\n",
565 __FUNCTION__, t->hostname);
566 c->needclose = -1;
567 return -EINVAL;
568 }
569 }
570 if (t->chal_us.state)
571 {
572 t->chal_us.ss = SCCCN;
573 if (handle_challenge (t, &t->chal_us))
574 {
575 l2tp_log (LOG_WARNING, "%s: No secret for authenticating to '%s'\n",
576 __FUNCTION__, t->hostname);
577 set_error (c, VENDOR_ERROR, "No secret key on our end");
578 c->needclose = -1;
579 return -EINVAL;
580 };
581 }
582 t->state = SCCCN;
583 buf = new_outgoing (t);
584 add_message_type_avp (buf, SCCCN);
585 if (t->hbit)
586 {
587 mk_challenge (t->chal_them.vector, VECTOR_SIZE);
588 add_randvect_avp (buf, t->chal_them.vector, VECTOR_SIZE);
589 }
590 if (t->chal_us.state)
591 add_chalresp_avp (buf, t->chal_us.response, MD_SIG_SIZE);
592 add_control_hdr (t, c, buf);
593 if (gconfig.packet_dump)
594 do_packet_dump (buf);
595 c->cnu = 0;
596 if (gconfig.debug_state)
597 l2tp_log (LOG_DEBUG, "%s: sending SCCCN\n", __FUNCTION__);
598 control_xmit (buf);
599
600 connect_pppol2tp(t);
601
602 /* Schedule a HELLO */
603 tv.tv_sec = HELLO_DELAY;
604 tv.tv_usec = 0;
605 #ifdef DEBUG_HELLO
606 l2tp_log (LOG_DEBUG, "%s: scheduling initial HELLO on %d\n", __FUNCTION__,
607 t->ourtid);
608 #endif
609 t->hello = schedule (tv, hello, (void *) t);
610 l2tp_log (LOG_NOTICE,
611 "Connection established to %s, %d. Local: %d, Remote: %d (ref=%u/%u).\n",
612 IPADDY (t->peer.sin_addr),
613 ntohs (t->peer.sin_port), t->ourtid, t->tid, t->refme, t->refhim);
614
615 if (t->lac)
616 {
617 /* This is part of a LAC, so we want to go ahead
618 and start an ICRQ now */
619 magic_lac_dial (t->lac);
620 }
621 break;
622 case SCCCN:
623 if (t->chal_them.state)
624 {
625 if (memcmp
626 (t->chal_them.reply, t->chal_them.response, MD_SIG_SIZE))
627 {
628 set_error (c, VENDOR_ERROR,
629 "Invalid challenge authentication");
630 l2tp_log (LOG_DEBUG, "%s: Invalid authentication for host '%s'\n",
631 __FUNCTION__, t->hostname);
632 c->needclose = -1;
633 return -EINVAL;
634 }
635 }
636 t->state = SCCCN;
637 l2tp_log (LOG_NOTICE,
638 "Connection established to %s, %d. Local: %d, Remote: %d (ref=%u/%u). LNS session is '%s'\n",
639 IPADDY (t->peer.sin_addr),
640 ntohs (t->peer.sin_port), t->ourtid, t->tid, t->refme, t->refhim,
641 t->lns->entname);
642
643 connect_pppol2tp(t);
644
645 /* Schedule a HELLO */
646 tv.tv_sec = HELLO_DELAY;
647 tv.tv_usec = 0;
648 #ifdef DEBUG_HELLO
649 l2tp_log (LOG_DEBUG, "%s: scheduling initial HELLO on %d\n", __FUNCTION__,
650 t->ourtid);
651 #endif
652 t->hello = schedule (tv, hello, (void *) t);
653 break;
654 case StopCCN:
655 if (t->qtid < 0)
656 {
657 if (DEBUG)
658 l2tp_log (LOG_DEBUG,
659 "%s: Peer tried to disconnect without specifying tunnel ID\n",
660 __FUNCTION__);
661 return -EINVAL;
662 }
663
664 /* Work around bug in MSL2TP client */
665 if ((t->firmware == 0xff00) && (!(strncmp(t->vendor, "Deterministic Networks Inc.", 27))))
666 tmptid = t->ourtid;
667 else
668 tmptid = t->tid;
669 if ((t->qtid != tmptid) && (tmptid > 0))
670 {
671 if (DEBUG)
672 l2tp_log (LOG_DEBUG,
673 "%s: Peer [Vendor:%s] [Firmware:%d (0x%.4x)] tried to disconnect with invalid TID (%d != %d)\n",
674 __FUNCTION__, t->vendor, t->firmware, t->firmware, t->qtid, tmptid);
675 return -EINVAL;
676 }
677 /* In case they're disconnecting immediately after SCCN */
678 if (!t->tid)
679 t->tid = t->qtid;
680 if (t->self->result < 0)
681 {
682 if (DEBUG)
683 l2tp_log (LOG_DEBUG,
684 "%s: Peer tried to disconnect without specifying result code.\n",
685 __FUNCTION__);
686 return -EINVAL;
687 }
688 l2tp_log (LOG_INFO,
689 "%s: Connection closed to %s, port %d (%s), Local: %d, Remote: %d\n",
690 __FUNCTION__, IPADDY (t->peer.sin_addr),
691 ntohs (t->peer.sin_port), t->self->errormsg, t->ourtid, t->tid);
692 c->needclose = 0;
693 c->closing = -1;
694 break;
695 case ICRQ:
696 p = t->call_head;
697 if (!p->lns)
698 {
699 set_error (p, ERROR_INVALID, "This tunnel cannot accept calls\n");
700 call_close (p);
701 return -EINVAL;
702 }
703 p->lbit = p->lns->lbit ? LBIT : 0;
704 /* p->ourrws = p->lns->call_rws;
705 if (p->ourrws > -1) p->ourfbit = FBIT; else p->ourfbit = 0; */
706 if (p->cid < 0)
707 {
708 if (DEBUG)
709 l2tp_log (LOG_DEBUG,
710 "%s: Peer tried to initiate call without call ID\n",
711 __FUNCTION__);
712 /* Here it doesn't make sense to use the needclose flag because
713 the call p did not receive any packets */
714 call_close (p);
715 return -EINVAL;
716 }
717 z = p->next;
718 while (z)
719 {
720 if (z->cid == p->cid)
721 {
722 /* This can happen if we get a duplicate
723 ICRQ or if they don't get our ack packet */
724 l2tp_log (LOG_DEBUG,
725 "%s: Peer requested call %d twice, ignoring second one.\n",
726 __FUNCTION__, p->cid);
727 p->needclose = 0;
728 p->closing = -1;
729 return 0;
730 }
731 z = z->next;
732 }
733 p = t->call_head;
734 /* FIXME: by commenting this out, we're not checking whether the serial
735 * number avp is included in the ICRQ at all which its required to be.
736 * Since the serial number is only used for human debugging aid, this
737 * isn't a big deal, but it would be nice to have *some* sort of check
738 * for it and perhaps just log it and go on. */
739 /* JLM if (p->serno<1) {
740 if (DEBUG) log(LOG_DEBUG,
741 "%s: Peer did not specify serial number when initiating call\n", __FUNCTION__);
742 call_close(p);
743 return -EINVAL;
744 } */
745
746 #ifdef IP_ALLOCATION
747 if (t->lns->assign_ip) {
748 p->addr = get_addr (t->lns->range);
749 if (!p->addr)
750 {
751 set_error (p, ERROR_NORES, "No available IP address");
752 call_close (p);
753 l2tp_log (LOG_DEBUG, "%s: Out of IP addresses on tunnel %d!\n",
754 __FUNCTION__, t->tid);
755 return -EINVAL;
756 }
757 reserve_addr (p->addr);
758 }
759 else
760 p->addr = 0;
761 #endif
762
763 p->state = ICRP;
764 buf = new_outgoing (t);
765 add_message_type_avp (buf, ICRP);
766 if (t->hbit)
767 {
768 mk_challenge (t->chal_them.vector, VECTOR_SIZE);
769 add_randvect_avp (buf, t->chal_them.vector, VECTOR_SIZE);
770 }
771 #ifdef TEST_HIDDEN
772 add_callid_avp (buf, p->ourcid, t);
773 #else
774 add_callid_avp (buf, p->ourcid);
775 #endif
776 /* if (p->ourrws >=0)
777 add_avp_rws(buf, p->ourrws); */
778 /*
779 * FIXME: I should really calculate
780 * Packet Processing Delay
781 */
782 /* add_ppd_avp(buf,ppd); */
783 add_control_hdr (t, p, buf);
784 if (gconfig.packet_dump)
785 do_packet_dump (buf);
786 p->cnu = 0;
787 if (gconfig.debug_state)
788 l2tp_log (LOG_DEBUG, "%s: Sending ICRP\n", __FUNCTION__);
789 control_xmit (buf);
790 break;
791 case ICRP:
792 if (c->cid < 0)
793 {
794 if (DEBUG)
795 l2tp_log (LOG_DEBUG,
796 "%s: Peer tried to negotiate ICRP without specifying call ID\n",
797 __FUNCTION__);
798 c->needclose = -1;
799 return -EINVAL;
800 }
801 c->state = ICCN;
802 if (t->fc & ASYNC_FRAMING)
803 c->frame = ASYNC_FRAMING;
804 else
805 c->frame = SYNC_FRAMING;
806
807 buf = new_outgoing (t);
808 add_message_type_avp (buf, ICCN);
809 if (t->hbit)
810 {
811 mk_challenge (t->chal_them.vector, VECTOR_SIZE);
812 add_randvect_avp (buf, t->chal_them.vector, VECTOR_SIZE);
813 }
814 add_txspeed_avp (buf, t->txspeed);
815 add_frame_avp (buf, c->frame);
816 /* if (c->ourrws >= 0)
817 add_avp_rws(buf, c->ourrws); */
818 /* FIXME: Packet Processing Delay */
819 /* We don't need any kind of proxy PPP stuff */
820 /* Can we proxy authenticate ourselves??? */
821 add_rxspeed_avp (buf, t->rxspeed);
822 /* add_seqreqd_avp (buf); *//* We don't have sequencing code, so
823 * don't ask for sequencing */
824 add_control_hdr (t, c, buf);
825 if (gconfig.packet_dump)
826 do_packet_dump (buf);
827 c->cnu = 0;
828 if (gconfig.debug_state)
829 l2tp_log (LOG_DEBUG, "%s: Sending ICCN\n", __FUNCTION__);
830 l2tp_log (LOG_NOTICE,
831 "Call established with %s, Local: %d, Remote: %d, Serial: %d (ref=%u/%u)\n",
832 IPADDY (t->peer.sin_addr), c->ourcid, c->cid,
833 c->serno, t->refme, t->refhim);
834 control_xmit (buf);
835 po = NULL;
836 po = add_opt (po, "passive");
837 po = add_opt (po, "nodetach");
838 if (c->lac)
839 {
840 if (c->lac->defaultroute)
841 po = add_opt (po, "defaultroute");
842 strncpy (ip1, IPADDY (c->lac->localaddr), sizeof (ip1));
843 strncpy (ip2, IPADDY (c->lac->remoteaddr), sizeof (ip2));
844 #ifdef IP_ALLOCATION
845 po = add_opt (po, "%s:%s", c->lac->localaddr ? ip1 : "",
846 c->lac->remoteaddr ? ip2 : "");
847 #endif
848 if (c->lac->authself)
849 {
850 if (c->lac->pap_refuse)
851 po = add_opt (po, "refuse-pap");
852 if (c->lac->chap_refuse)
853 po = add_opt (po, "refuse-chap");
854 }
855 else
856 {
857 po = add_opt (po, "refuse-pap");
858 po = add_opt (po, "refuse-chap");
859 }
860 if (c->lac->authpeer)
861 {
862 po = add_opt (po, "auth");
863 if (c->lac->pap_require)
864 po = add_opt (po, "require-pap");
865 if (c->lac->chap_require)
866 po = add_opt (po, "require-chap");
867 }
868 if (c->lac->authname[0])
869 {
870 po = add_opt (po, "name");
871 po = add_opt (po, c->lac->authname);
872 }
873 if (c->lac->debug)
874 po = add_opt (po, "debug");
875 if (c->lac->password[0])
876 {
877 if (pipe (pppd_passwdfd) == -1)
878 {
879 l2tp_log (LOG_DEBUG,
880 "%s: Unable to create password pipe for pppd\n", __FUNCTION__);
881 return -EINVAL;
882 }
883 if (-1 == write (pppd_passwdfd[1], c->lac->password, strlen (c->lac->password)))
884 {
885 l2tp_log (LOG_DEBUG,
886 "%s: Unable to write password to pipe for pppd\n", __FUNCTION__);
887 close (pppd_passwdfd[1]);
888 return -EINVAL;
889 }
890 close (pppd_passwdfd[1]);
891
892 /* clear memory used for password, paranoid? */
893 for (i = 0; i < STRLEN; i++)
894 c->lac->password[i] = '\0';
895
896 po = add_opt (po, "plugin");
897 po = add_opt (po, "passwordfd.so");
898 po = add_opt (po, "passwordfd");
899 snprintf (passwdfd_buf, 32, "%d", pppd_passwdfd[0]);
900 po = add_opt (po, passwdfd_buf);
901 }
902 if (c->lac->pppoptfile[0])
903 {
904 po = add_opt (po, "file");
905 po = add_opt (po, c->lac->pppoptfile);
906 }
907 };
908 po = add_opt (po, "ipparam");
909 po = add_opt (po, IPADDY (t->peer.sin_addr));
910 start_pppd (c, po);
911 opt_destroy (po);
912 if (c->lac)
913 c->lac->rtries = 0;
914 if (c->lac->password[0])
915 close(pppd_passwdfd[0]);
916 break;
917 case ICCN:
918 if (c == t->self)
919 {
920 l2tp_log (LOG_DEBUG,
921 "%s: Peer attempted ICCN on the actual tunnel, not the call",
922 __FUNCTION__);
923 return -EINVAL;
924 }
925 if (c->txspeed < 1)
926 {
927 l2tp_log (LOG_DEBUG,
928 "%s: Warning: Peer did not specify transmit speed\n", __FUNCTION__);
929 /* don't refuse the connection over this
930 c->needclose = -1;
931 return -EINVAL;
932 */
933 };
934 if (c->frame < 1)
935 {
936 l2tp_log (LOG_DEBUG,
937 "%s: Warning: Peer did not specify framing type\n", __FUNCTION__);
938 /* don't refuse the connection over this
939 c->needclose = -1;
940 return -EINVAL;
941 */
942 }
943 c->state = ICCN;
944 strncpy (ip1, IPADDY (c->lns->localaddr), sizeof (ip1));
945 strncpy (ip2, IPADDY (c->addr), sizeof (ip2));
946 po = NULL;
947 po = add_opt (po, "passive");
948 po = add_opt (po, "nodetach");
949 po = add_opt (po, "%s:%s", c->lns->localaddr ? ip1 : "", ip2);
950 if (c->lns->authself)
951 {
952 if (c->lns->pap_refuse)
953 po = add_opt (po, "refuse-pap");
954 if (c->lns->chap_refuse)
955 po = add_opt (po, "refuse-chap");
956 }
957 else
958 {
959 po = add_opt (po, "refuse-pap");
960 po = add_opt (po, "refuse-chap");
961 }
962 if (c->lns->authpeer)
963 {
964 po = add_opt (po, "auth");
965 if (c->lns->pap_require)
966 po = add_opt (po, "require-pap");
967 if (c->lns->chap_require)
968 po = add_opt (po, "require-chap");
969 if (c->lns->passwdauth)
970 po = add_opt (po, "login");
971 }
972 if (c->lns->authname[0])
973 {
974 po = add_opt (po, "name");
975 po = add_opt (po, c->lns->authname);
976 }
977 if (c->lns->debug)
978 po = add_opt (po, "debug");
979 if (c->lns->pppoptfile[0])
980 {
981 po = add_opt (po, "file");
982 po = add_opt (po, c->lns->pppoptfile);
983 }
984 po = add_opt (po, "ipparam");
985 po = add_opt (po, IPADDY (t->peer.sin_addr));
986 start_pppd (c, po);
987 opt_destroy (po);
988 l2tp_log (LOG_NOTICE,
989 "Call established with %s, Local: %d, Remote: %d, Serial: %d\n",
990 IPADDY (t->peer.sin_addr), c->ourcid, c->cid,
991 c->serno);
992 break;
993 case OCRP: /* jz: nothing to do for OCRP, waiting for OCCN */
994 break;
995 case OCCN: /* jz: get OCCN, so the only thing we must do is to start the pppd */
996 po = NULL;
997 po = add_opt (po, "passive");
998 po = add_opt (po, "nodetach");
999 po = add_opt (po, "file");
1000 strcat (dummy_buf, c->dial_no); /* jz: use /etc/ppp/dialnumber.options for pppd - kick it if you don't like */
1001 strcat (dummy_buf, ".options");
1002 po = add_opt (po, dummy_buf);
1003 if (c->lac)
1004 {
1005 if (c->lac->defaultroute)
1006 po = add_opt (po, "defaultroute");
1007 strncpy (ip1, IPADDY (c->lac->localaddr), sizeof (ip1));
1008 strncpy (ip2, IPADDY (c->lac->remoteaddr), sizeof (ip2));
1009 po = add_opt (po, "%s:%s", c->lac->localaddr ? ip1 : "",
1010 c->lac->remoteaddr ? ip2 : "");
1011 if (c->lac->authself)
1012 {
1013 if (c->lac->pap_refuse)
1014 po = add_opt (po, "refuse-pap");
1015 if (c->lac->chap_refuse)
1016 po = add_opt (po, "refuse-chap");
1017 }
1018 else
1019 {
1020 po = add_opt (po, "refuse-pap");
1021 po = add_opt (po, "refuse-chap");
1022 }
1023 if (c->lac->authpeer)
1024 {
1025 po = add_opt (po, "auth");
1026 if (c->lac->pap_require)
1027 po = add_opt (po, "require-pap");
1028 if (c->lac->chap_require)
1029 po = add_opt (po, "require-chap");
1030 }
1031 if (c->lac->authname[0])
1032 {
1033 po = add_opt (po, "name");
1034 po = add_opt (po, c->lac->authname);
1035 }
1036 if (c->lac->debug)
1037 po = add_opt (po, "debug");
1038 if (c->lac->pppoptfile[0])
1039 {
1040 po = add_opt (po, "file");
1041 po = add_opt (po, c->lac->pppoptfile);
1042 }
1043 };
1044 po = add_opt (po, "ipparam");
1045 po = add_opt (po, IPADDY (t->peer.sin_addr));
1046 start_pppd (c, po);
1047
1048 /* jz: just show some information */
1049 l2tp_log (LOG_INFO,
1050 "parameters: Local: %d , Remote: %d , Serial: %d , Pid: %d , Tunnelid: %d , Phoneid: %s\n",
1051 c->ourcid, c->cid, c->serno, c->pppd, t->ourtid, c->dial_no);
1052
1053 opt_destroy (po);
1054 if (c->lac)
1055 c->lac->rtries = 0;
1056 break;
1057
1058
1059 case CDN:
1060 if (c->qcid < 0)
1061 {
1062 if (DEBUG)
1063 l2tp_log (LOG_DEBUG,
1064 "%s: Peer tried to disconnect without specifying call ID\n",
1065 __FUNCTION__);
1066 return -EINVAL;
1067 }
1068 if (c == t->self)
1069 {
1070 p = t->call_head;
1071 while (p && (p->cid != c->qcid))
1072 p = p->next;
1073 if (!p)
1074 {
1075 if (DEBUG)
1076 l2tp_log (LOG_DEBUG,
1077 "%s: Unable to determine call to be disconnected.\n",
1078 __FUNCTION__);
1079 return -EINVAL;
1080 }
1081 }
1082 else {
1083 p = c;
1084 }
1085
1086 /* Work around bug in MSL2TP client */
1087 if ((t->firmware == 0xff00) && (!(strncmp(t->vendor, "Deterministic Networks Inc.", 27))))
1088 tmpcid = p->ourcid;
1089 else
1090 tmpcid = p->cid;
1091
1092 if ((c->qcid != tmpcid) && tmpcid > 0)
1093 {
1094 if (DEBUG)
1095 l2tp_log (LOG_DEBUG,
1096 "%s: Peer tried to disconnect with invalid CID (%d != %d)\n",
1097 __FUNCTION__, c->qcid, c->ourcid);
1098 return -EINVAL;
1099 }
1100 c->qcid = -1;
1101 if (c->result < 0)
1102 {
1103 if (DEBUG)
1104 l2tp_log (LOG_DEBUG,
1105 "%s: Peer tried to disconnect without specifying result code.\n",
1106 __FUNCTION__);
1107 return -EINVAL;
1108 }
1109 l2tp_log (LOG_INFO,
1110 "%s: Connection closed to %s, serial %d (%s)\n", __FUNCTION__,
1111 IPADDY (t->peer.sin_addr), c->serno, c->errormsg);
1112 c->needclose = 0;
1113 c->closing = -1;
1114 break;
1115 case Hello:
1116 break;
1117 case SLI:
1118 break;
1119 default:
1120 l2tp_log (LOG_DEBUG,
1121 "%s: Don't know how to finish a message of type %d\n",
1122 __FUNCTION__, c->msgtype);
1123 set_error (c, VENDOR_ERROR, "Unimplemented message %d\n", c->msgtype);
1124 }
1125 return 0;
1126 }
1127
1128 inline int check_control (const struct buffer *buf, struct tunnel *t,
1129 struct call *c)
1130 {
1131 /*
1132 * Check if this is a valid control
1133 * or not. Returns 0 on success
1134 */
1135 struct control_hdr *h = (struct control_hdr *) (buf->start);
1136 struct buffer *zlb;
1137 if (buf->len < sizeof (struct control_hdr))
1138 {
1139 if (DEBUG)
1140 {
1141 l2tp_log (LOG_DEBUG,
1142 "%s: Received too small of packet\n", __FUNCTION__);
1143 }
1144 return -EINVAL;
1145 }
1146 #ifdef SANITY
1147 if (buf->len != h->length)
1148 {
1149 if (DEBUG)
1150 {
1151 l2tp_log (LOG_DEBUG,
1152 "%s: Reported and actual sizes differ (%d != %d)\n",
1153 __FUNCTION__, h->length, buf->len);
1154 }
1155 return -EINVAL;
1156 }
1157 /*
1158 * FIXME: H-bit handling goes here
1159 */
1160 #ifdef DEBUG_CONTROL
1161 l2tp_log (LOG_DEBUG, "%s: control, cid = %d, Ns = %d, Nr = %d\n", __FUNCTION__,
1162 c->cid, h->Ns, h->Nr);
1163 #endif
1164 if (h->Ns != t->control_rec_seq_num)
1165 {
1166 if (DEBUG)
1167 l2tp_log (LOG_DEBUG,
1168 "%s: Received out of order control packet on tunnel %d (got %d, expected %d)\n",
1169 __FUNCTION__, t->tid, h->Ns, t->control_rec_seq_num);
1170 if (((h->Ns < t->control_rec_seq_num) &&
1171 ((t->control_rec_seq_num - h->Ns) < 32768)) ||
1172 ((h->Ns > t->control_rec_seq_num) &&
1173 ((t->control_rec_seq_num - h->Ns) > 32768)))
1174 {
1175 /*
1176 * Woopsies, they sent us a message we should have already received
1177 * so we should send them a ZLB so they know
1178 * for sure that we already have it.
1179 */
1180 #ifdef DEBUG_ZLB
1181 if (DEBUG)
1182 l2tp_log (LOG_DEBUG, "%s: Sending an updated ZLB in reponse\n",
1183 __FUNCTION__);
1184 #endif
1185 zlb = new_outgoing (t);
1186 control_zlb (zlb, t, c);
1187 udp_xmit (zlb, t);
1188 toss (zlb);
1189 }
1190 else if (!t->control_rec_seq_num && (t->tid == -1))
1191 {
1192 /* We made this tunnel just for this message, so let's
1193 destroy it. */
1194 c->needclose = 0;
1195 c->closing = -1;
1196 }
1197 return -EINVAL;
1198 }
1199 else
1200 {
1201 t->control_rec_seq_num++;
1202 c->cnu = -1;
1203 }
1204 /*
1205 * So we know what the other end has received
1206 * so far
1207 */
1208
1209 t->cLr = h->Nr;
1210 if (t->sanity)
1211 {
1212 if (!CTBIT (h->ver))
1213 {
1214 if (DEBUG)
1215 {
1216 l2tp_log (LOG_DEBUG, "%s: Control bit not set\n", __FUNCTION__);
1217 }
1218 return -EINVAL;
1219 }
1220 if (!CLBIT (h->ver))
1221 {
1222 if (DEBUG)
1223 {
1224 l2tp_log (LOG_DEBUG, "%s: Length bit not set\n", __FUNCTION__);
1225 }
1226 return -EINVAL;
1227 }
1228 if (!CFBIT (h->ver))
1229 {
1230 if (DEBUG)
1231 {
1232 l2tp_log (LOG_DEBUG, "%s: Flow bit not set\n", __FUNCTION__);
1233 }
1234 return -EINVAL;
1235 }
1236 if (CVER (h->ver) != VER_L2TP)
1237 {
1238 if (DEBUG)
1239 {
1240 if (CVER (h->ver) == VER_PPTP)
1241 {
1242 l2tp_log (LOG_DEBUG,
1243 "%s: PPTP packet received\n", __FUNCTION__);
1244 }
1245 else if (CVER (h->ver) < VER_L2TP)
1246 {
1247 l2tp_log (LOG_DEBUG,
1248 "%s: L2F packet received\n", __FUNCTION__);
1249 }
1250 else
1251 {
1252 l2tp_log (LOG_DEBUG,
1253 "%s: Unknown version received\n", __FUNCTION__);
1254 }
1255 }
1256 return -EINVAL;
1257 }
1258
1259 }
1260 #endif
1261 return 0;
1262 }
1263
1264 inline int check_payload (struct buffer *buf, struct tunnel *t,
1265 struct call *c)
1266 {
1267 /*
1268 * Check if this is a valid payload
1269 * or not. Returns 0 on success.
1270 */
1271
1272 int ehlen = MIN_PAYLOAD_HDR_LEN;
1273 struct payload_hdr *h = (struct payload_hdr *) (buf->start);
1274 if (!c)
1275 {
1276 if (DEBUG)
1277 {
1278 l2tp_log (LOG_DEBUG, "%s: Aempted to send payload on tunnel\n",
1279 __FUNCTION__);
1280 }
1281 return -EINVAL;
1282 }
1283 if (buf->len < MIN_PAYLOAD_HDR_LEN)
1284 {
1285 /* has to be at least MIN_PAYLOAD_HDR_LEN
1286 no matter what. we'll look more later */
1287 if (DEBUG)
1288 {
1289 l2tp_log (LOG_DEBUG, "%s:Recieved to small of packet\n", __FUNCTION__);
1290 }
1291 return -EINVAL;
1292 }
1293 #ifdef SANITY
1294 if (t->sanity)
1295 {
1296 if (PTBIT (h->ver))
1297 {
1298 if (DEBUG)
1299 {
1300 l2tp_log (LOG_DEBUG, "%s Control bit set\n", __FUNCTION__);
1301 }
1302 return -EINVAL;
1303 }
1304 if (PLBIT (h->ver))
1305 ehlen += 2; /* Should have length information */
1306 if (PFBIT (h->ver))
1307 {
1308 /* if (!c->fbit && !c->ourfbit) {
1309 if (DEBUG)
1310 l2tp_log(LOG_DEBUG,"%s: flow bit set, but no RWS negotiated.\n",__FUNCTION__);
1311 return -EINVAL;
1312 } */
1313 ehlen += 4; /* Should have Ns and Nr too */
1314 }
1315 /* if (!PFBIT(h->ver)) {
1316 if (c->fbit || c->ourfbit) {
1317 if (DEBUG)
1318 l2tp_log(LOG_DEBUG, "%s: no flow bit, but RWS was negotiated.\n",__FUNCTION__);
1319 return -EINVAL;;
1320 }
1321 } */
1322 if (PSBIT (h->ver))
1323 ehlen += 2; /* Offset information */
1324 if (PLBIT (h->ver))
1325 ehlen += h->length; /* include length if available */
1326 if (PVER (h->ver) != VER_L2TP)
1327 {
1328 if (DEBUG)
1329 {
1330 if (PVER (h->ver) == VER_PPTP)
1331 {
1332 l2tp_log (LOG_DEBUG, "%s: PPTP packet received\n",
1333 __FUNCTION__);
1334 }
1335 else if (CVER (h->ver) < VER_L2TP)
1336 {
1337 l2tp_log (LOG_DEBUG, "%s: L2F packet received\n",
1338 __FUNCTION__);
1339 }
1340 else
1341 {
1342 l2tp_log (LOG_DEBUG, "%s: Unknown version received\n",
1343 __FUNCTION__);
1344 }
1345 }
1346 return -EINVAL;
1347 }
1348 if ((buf->len < ehlen) && !PLBIT (h->ver))
1349 {
1350 if (DEBUG)
1351 {
1352 l2tp_log (LOG_DEBUG, "%s payload too small (%d < %d)\n",
1353 __FUNCTION__, buf->len, ehlen);
1354 }
1355 return -EINVAL;
1356 }
1357 if ((buf->len != h->length) && PLBIT (h->ver))
1358 {
1359 if (DEBUG)
1360 {
1361 l2tp_log (LOG_DEBUG, "%s: size mismatch (%d != %d)\n",
1362 __FUNCTION__, buf->len, h->length);
1363 }
1364 return -EINVAL;
1365 }
1366 }
1367 #endif
1368 return 0;
1369 }
1370 inline int expand_payload (struct buffer *buf, struct tunnel *t,
1371 struct call *c)
1372 {
1373 /*
1374 * Expands payload header. Does not check for valid header,
1375 * check_payload() should already be called as a prerequisite.
1376 */
1377 struct payload_hdr *h = (struct payload_hdr *) (buf->start);
1378 _u16 *r = (_u16 *) h; /* Nice to have raw word pointers */
1379 struct payload_hdr *new_hdr;
1380 int ehlen = 0;
1381 /*
1382 * We first calculate our offset
1383 */
1384 if (!PLBIT (h->ver))
1385 ehlen += 2; /* Should have length information */
1386 if (!PFBIT (h->ver))
1387 ehlen += 4; /* Should have Ns and Nr too */
1388 if (!PSBIT (h->ver))
1389 ehlen += 2; /* Offset information */
1390 if (ehlen)
1391 {
1392 /*
1393 * If this payload is missing any information, we'll
1394 * fill it in
1395 */
1396 new_hdr = (struct payload_hdr *) (buf->start - ehlen);
1397 if ((void *) new_hdr < (void *) buf->rstart)
1398 {
1399 l2tp_log (LOG_WARNING, "%s: not enough space to decompress frame\n",
1400 __FUNCTION__);
1401 return -EINVAL;
1402
1403 };
1404 new_hdr->ver = *r;
1405 if (PLBIT (new_hdr->ver))
1406 {
1407 r++;
1408 new_hdr->length = *r;
1409 }
1410 else
1411 {
1412 new_hdr->length = buf->len + ehlen;
1413 };
1414 r++;
1415 new_hdr->tid = *r;
1416 r++;
1417 new_hdr->cid = *r;
1418 if (PFBIT (new_hdr->ver))
1419 {
1420 r++;
1421 new_hdr->Ns = *r;
1422 r++;
1423 new_hdr->Nr = *r;
1424 }
1425 else
1426 {
1427 new_hdr->Nr = c->data_seq_num;
1428 new_hdr->Ns = c->data_rec_seq_num;
1429 };
1430 if (PSBIT (new_hdr->ver))
1431 {
1432 r++;
1433 new_hdr->o_size = *r;
1434 // r++;
1435 // new_hdr->o_pad = *r;
1436 }
1437 else
1438 {
1439 new_hdr->o_size = 0;
1440 // new_hdr->o_pad = 0;
1441 }
1442 }
1443 else
1444 new_hdr = h;
1445 /*
1446 * Handle sequence numbers
1447 *
1448 */
1449 /* JLM if (PRBIT(new_hdr->ver)) {
1450 if (c->pSr > new_hdr->Ns) {
1451 l2tp_log(LOG_DEBUG, "%s: R-bit set with Ns < pSr!\n",__FUNCTION__);
1452 return -EINVAL;
1453 }
1454 #ifdef DEBUG_FLOW
1455 l2tp_log(LOG_DEBUG, "%s: R-bit set on packet %d\n",__FUNCTION__,new_hdr->Ns);
1456 #endif
1457 c->pSr=new_hdr->Ns;
1458 } */
1459 #ifdef DEBUG_PAYLOAD
1460 l2tp_log (LOG_DEBUG, "%s: payload, cid = %d, Ns = %d, Nr = %d\n", __FUNCTION__,
1461 c->cid, new_hdr->Ns, new_hdr->Nr);
1462 #endif
1463 if (new_hdr->Ns != c->data_seq_num)
1464 {
1465 /* RFC1982-esque comparison of serial numbers */
1466 if (((new_hdr->Ns < c->data_rec_seq_num) &&
1467 ((c->data_rec_seq_num - new_hdr->Ns) < 32768)) ||
1468 ((new_hdr->Ns > c->data_rec_seq_num) &&
1469 ((c->data_rec_seq_num - new_hdr->Ns) > 32768)))
1470 {
1471 #ifdef DEBUG_FLOW
1472 if (DEBUG)
1473 l2tp_log (LOG_DEBUG,
1474 "%s: Already seen this packet before (%d)\n",
1475 __FUNCTION__, new_hdr->Ns);
1476 #endif
1477 return -EINVAL;
1478 }
1479 else if (new_hdr->Ns <= c->data_rec_seq_num + PAYLOAD_FUDGE)
1480 {
1481 /* FIXME: I should buffer for out of order packets */
1482 #ifdef DEBUG_FLOW
1483 if (DEBUG)
1484 l2tp_log (LOG_DEBUG,
1485 "%s: Oops, lost a packet or two (%d). continuing...\n",
1486 __FUNCTION__, new_hdr->Ns);
1487 #endif
1488 c->data_rec_seq_num = new_hdr->Ns;
1489 }
1490 else
1491 {
1492 #ifdef DEBUG_FLOW
1493 if (DEBUG)
1494 l2tp_log (LOG_DEBUG,
1495 "%s: Received out of order payload packet (%d)\n",
1496 __FUNCTION__, new_hdr->Ns);
1497 #endif
1498 return -EINVAL;
1499 }
1500 }
1501 else
1502 {
1503 c->data_rec_seq_num++;
1504 c->pnu = -1;
1505 }
1506 /*
1507 * Check to see what the last thing
1508 * we got back was
1509 */
1510 c->pLr = new_hdr->Nr;
1511 buf->start = new_hdr;
1512 buf->len += ehlen;
1513 return 0;
1514 }
1515
1516 void send_zlb (void *data)
1517 {
1518 /*
1519 * Send a ZLB. This procedure should be schedule()able
1520 */
1521 struct call *c;
1522 struct tunnel *t;
1523 struct buffer *buf;
1524 c = (struct call *) data;
1525 if (!c)
1526 {
1527 l2tp_log (LOG_WARNING, "%s: called on NULL call\n", __FUNCTION__);
1528 return;
1529 }
1530 t = c->container;
1531 if (!t)
1532 {
1533 l2tp_log (LOG_WARNING, "%s: called on call with NULL container\n",
1534 __FUNCTION__);
1535 return;
1536 }
1537 /* Update the counter so we know what Lr was when we last transmited a ZLB */
1538 c->prx = c->data_rec_seq_num;
1539 buf = new_payload (t->peer);
1540 add_payload_hdr (t, c, buf);
1541 c->data_seq_num--; /* We don't increment on ZLB's */
1542 c->zlb_xmit = NULL;
1543 #ifdef DEBUG_ZLB
1544 l2tp_log (LOG_DEBUG, "%s: sending payload ZLB\n", __FUNCTION__);
1545 #endif
1546 udp_xmit (buf, t);
1547 toss (buf);
1548 }
1549
1550 inline int write_packet (struct buffer *buf, struct tunnel *t, struct call *c,
1551 int convert)
1552 {
1553 /*
1554 * Write a packet, doing sync->async conversion if
1555 * necessary
1556 */
1557 int x;
1558 unsigned char e;
1559 int err;
1560 static unsigned char wbuf[MAX_RECV_SIZE];
1561 int pos = 0;
1562
1563 if (c->fd < 0)
1564 {
1565 if (DEBUG || 1)
1566 l2tp_log (LOG_DEBUG, "%s: tty is not open yet.\n", __FUNCTION__);
1567 return -EIO;
1568 }
1569 /*
1570 * Skip over header
1571 */
1572 _u16 offset = ((struct payload_hdr*)(buf->start))->o_size; // For FIXME:
1573 buf->start += sizeof(struct payload_hdr) + offset;
1574 buf->len -= sizeof(struct payload_hdr) + offset;
1575
1576 c->rx_pkts++;
1577 c->rx_bytes += buf->len;
1578
1579 /*
1580 * FIXME: What about offset?
1581 */
1582 while (!convert)
1583 {
1584 /* We are given async frames, so write them
1585 directly to the tty */
1586 err = write (c->fd, buf->start, buf->len);
1587 if (err == buf->len)
1588 {
1589 return 0;
1590 }
1591 else if (err == 0)
1592 {
1593 l2tp_log (LOG_WARNING, "%s: wrote no bytes of async packet\n",
1594 __FUNCTION__);
1595 return -EINVAL;
1596 }
1597 else if (err < 0)
1598 {
1599 if ((errno == EAGAIN) || (errno == EINTR))
1600 {
1601 continue;
1602 }
1603 else
1604 {
1605 l2tp_log (LOG_WARNING, "%s: async write failed: %s\n", __FUNCTION__,
1606 strerror (errno));
1607 }
1608 }
1609 else if (err < buf->len)
1610 {
1611 l2tp_log (LOG_WARNING, "%s: short write (%d of %d bytes)\n", __FUNCTION__,
1612 err, buf->len);
1613 return -EINVAL;
1614 }
1615 else if (err > buf->len)
1616 {
1617 l2tp_log (LOG_WARNING, "%s: write returned LONGER than buffer length?\n",
1618 __FUNCTION__);
1619 return -EINVAL;
1620 }
1621 }
1622
1623 /*
1624 * sync->async conversion if we're doing sync frames
1625 * since the pppd driver will expect async frames
1626 * Write leading flag character
1627 */
1628
1629 add_fcs (buf);
1630 e = PPP_FLAG;
1631 wbuf[pos++] = e;
1632 for (x = 0; x < buf->len; x++)
1633 {
1634 // we must at least still have 3 bytes left in the worst case scenario:
1635 // 1 for a possible escape, 1 for the value and 1 to end the PPP stream.
1636 if(pos >= (sizeof(wbuf) - 4)) {
1637 if(DEBUG)
1638 l2tp_log(LOG_CRIT, "%s: rx packet is too big after PPP encoding (size %u, max is %u)\n",
1639 __FUNCTION__, buf->len, MAX_RECV_SIZE);
1640 return -EINVAL;
1641 }
1642 e = *((char *) buf->start + x);
1643 if ((e < 0x20) || (e == PPP_ESCAPE) || (e == PPP_FLAG))
1644 {
1645 /* Escape this */
1646 e = e ^ 0x20;
1647 wbuf[pos++] = PPP_ESCAPE;
1648 }
1649 wbuf[pos++] = e;
1650
1651 }
1652 wbuf[pos++] = PPP_FLAG;
1653
1654 #if 0
1655 if(DEBUG) {
1656 l2tp_log(LOG_DEBUG, "after sync->async, expanded %d->%d\n",
1657 buf->len, pos);
1658 }
1659 #endif
1660
1661 x = 0;
1662 while ( pos != x )
1663 {
1664 err = write (c->fd, wbuf+x, pos-x);
1665 if ( err < 0 ) {
1666 if ( errno != EINTR && errno != EAGAIN ) {
1667 l2tp_log (LOG_WARNING, "%s: %s(%d)\n", __FUNCTION__, strerror (errno),
1668 errno);
1669 /*
1670 * I guess pppd died. we'll pretend
1671 * everything ended normally
1672 */
1673 c->needclose = -1;
1674 c->fd = -1;
1675 return -EIO;
1676 }
1677 else {
1678 continue; //goto while
1679 }
1680 }
1681 x += err;
1682 }
1683 return 0;
1684 }
1685
1686 void handle_special (struct buffer *buf, struct call *c, _u16 call)
1687 {
1688 /*
1689 * This procedure is called when we have received a packet
1690 * on a call which doesn't exist in our tunnel. We want to
1691 * send back a ZLB to keep the tunnel alive, on that particular
1692 * call if it was a CDN, otherwise, send a CDN to notify them
1693 * that this call has been terminated.
1694 */
1695 struct tunnel *t = c->container;
1696 /* Don't do anything unless it's a control packet */
1697 if (!CTBIT (*((_u16 *) buf->start)))
1698 return;
1699 /* Temporarily, we make the tunnel have cid of call instead of 0,
1700 but we need to stop any scheduled events (like Hello's in
1701 particular) which might use this value */
1702 c->cid = call;
1703 if (!check_control (buf, t, c))
1704 {
1705 if (buf->len == sizeof (struct control_hdr))
1706 {
1707 /* If it's a ZLB, we ignore it */
1708 if (gconfig.debug_tunnel)
1709 l2tp_log (LOG_DEBUG, "%s: ZLB for closed call\n", __FUNCTION__);
1710 c->cid = 0;
1711 return;
1712 }
1713 /* Make a packet with the specified call number */
1714 /* FIXME: If I'm not a CDN, I need to send a CDN */
1715 control_zlb (buf, t, c);
1716 c->cid = 0;
1717 udp_xmit (buf, t);
1718 toss (buf);
1719 }
1720 else
1721 {
1722 c->cid = 0;
1723 if (gconfig.debug_tunnel)
1724 l2tp_log (LOG_DEBUG, "%s: invalid control packet\n", __FUNCTION__);
1725 }
1726 }
1727
1728 inline int handle_packet (struct buffer *buf, struct tunnel *t,
1729 struct call *c)
1730 {
1731 int res;
1732 /* tv code is commented out below
1733 #ifdef DEBUG_ZLB
1734 struct timeval tv;
1735 #endif
1736 */
1737 if (CTBIT (*((_u16 *) buf->start)))
1738 {
1739 /* We have a control packet */
1740 if (!check_control (buf, t, c))
1741 {
1742 c->msgtype = -1;
1743 if (buf->len == sizeof (struct control_hdr))
1744 {
1745 #ifdef DEBUG_ZLB
1746 l2tp_log (LOG_DEBUG, "%s: control ZLB received\n", __FUNCTION__);
1747 #endif
1748 t->control_rec_seq_num--;
1749 c->cnu = 0;
1750 if (c->needclose && c->closing)
1751 {
1752 if (c->container->cLr >= c->closeSs)
1753 {
1754 #ifdef DEBUG_ZLB
1755 l2tp_log (LOG_DEBUG, "%s: ZLB for closing message found\n",
1756 __FUNCTION__);
1757 #endif
1758 c->needclose = 0;
1759 /* Trigger final closing of call */
1760 }
1761 }
1762 return 0;
1763 }
1764 else if (!handle_avps (buf, t, c))
1765 {
1766 return control_finish (t, c);
1767 }
1768 else
1769 {
1770 if (gconfig.debug_tunnel)
1771 l2tp_log (LOG_DEBUG, "%s: bad AVP handling!\n", __FUNCTION__);
1772 return -EINVAL;
1773 }
1774 }
1775 else
1776 {
1777 l2tp_log (LOG_DEBUG, "%s: bad control packet!\n", __FUNCTION__);
1778 return -EINVAL;
1779 }
1780 }
1781 else
1782 {
1783 if (!check_payload (buf, t, c))
1784 {
1785 if (!expand_payload (buf, t, c))
1786 {
1787 if (buf->len > sizeof (struct payload_hdr))
1788 {
1789 /* if (c->throttle) {
1790 if (c->pSs > c->pLr + c->rws) {
1791 #ifdef DEBUG_FLOW
1792 l2tp_log(LOG_DEBUG, "%s: not yet dethrottling call\n",__FUNCTION__);
1793 #endif
1794 } else {
1795 #ifdef DEBUG_FLOW
1796 l2tp_log(LOG_DEBUG, "%s: dethrottling call\n",__FUNCTION__);
1797 #endif
1798 if (c->dethrottle) deschedule(c->dethrottle);
1799 c->dethrottle=NULL;
1800 c->throttle = 0;
1801 }
1802 } */
1803 /* JLM res = write_packet(buf,t,c, c->frame & SYNC_FRAMING); */
1804 res = write_packet (buf, t, c, SYNC_FRAMING);
1805 if (res)
1806 return res;
1807 /*
1808 * Assuming we wrote to the ppp driver okay, we should
1809 * do something about ZLB's unless *we* requested no
1810 * window size or if they we have turned off our fbit.
1811 */
1812
1813 /* if (c->ourfbit && (c->ourrws > 0)) {
1814 if (c->pSr >= c->prx + c->ourrws - 2) {
1815 We've received enough to fill our receive window. At
1816 this point, we should immediately send a ZLB!
1817 #ifdef DEBUG_ZLB
1818 l2tp_log(LOG_DEBUG, "%s: Sending immediate ZLB!\n",__FUNCTION__);
1819 #endif
1820 if (c->zlb_xmit) {
1821 Deschedule any existing zlb_xmit's
1822 deschedule(c->zlb_xmit);
1823 c->zlb_xmit = NULL;
1824 }
1825 send_zlb((void *)c);
1826 } else {
1827 struct timeval tv;
1828 We need to schedule sending a ZLB. FIXME: Should
1829 be 1/4 RTT instead, when rate adaptive stuff is
1830 in place. Spec allows .5 seconds though
1831 tv.tv_sec = 0;
1832 tv.tv_usec = 500000;
1833 if (c->zlb_xmit)
1834 deschedule(c->zlb_xmit);
1835 #ifdef DEBUG_ZLB
1836 l2tp_log(LOG_DEBUG, "%s: scheduling ZLB\n",__FUNCTION__);
1837 #endif
1838 c->zlb_xmit = schedule(tv, &send_zlb, (void *)c);
1839 }
1840 } */
1841 return 0;
1842 }
1843 else if (buf->len == sizeof (struct payload_hdr))
1844 {
1845 #ifdef DEBUG_ZLB
1846 l2tp_log (LOG_DEBUG, "%s: payload ZLB received\n",
1847 __FUNCTION__);
1848 #endif
1849 /* if (c->throttle) {
1850 if (c->pSs > c->pLr + c->rws) {
1851 #ifdef DEBUG_FLOW
1852 l2tp_log(LOG_DEBUG, "%s: not yet dethrottling call\n",__FUNCTION__);
1853 #endif
1854 } else {
1855 #ifdef DEBUG_FLOW
1856 l2tp_log(LOG_DEBUG, "%s: dethrottling call\n",__FUNCTION__);
1857 #endif
1858 if (c->dethrottle)
1859 deschedule(c->dethrottle);
1860 c->dethrottle=NULL;
1861 c->throttle = 0;
1862 }
1863 } */
1864 c->data_rec_seq_num--;
1865 return 0;
1866 }
1867 else
1868 {
1869 l2tp_log (LOG_DEBUG, "%s: payload too small!\n", __FUNCTION__);
1870 return -EINVAL;
1871 }
1872 }
1873 else
1874 {
1875 if (gconfig.debug_tunnel)
1876 l2tp_log (LOG_DEBUG, "%s: unable to expand payload!\n",
1877 __FUNCTION__);
1878 return -EINVAL;
1879 }
1880 }
1881 else
1882 {
1883 l2tp_log (LOG_DEBUG, "%s: invalid payload packet!\n", __FUNCTION__);
1884 return -EINVAL;
1885 }
1886 }
1887 }