1/* $OpenBSD: l2tp_call.c,v 1.20 2021/03/29 03:54:39 yasuoka Exp $ */ 2 3/*- 4 * Copyright (c) 2009 Internet Initiative Japan Inc. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28/* $Id: l2tp_call.c,v 1.20 2021/03/29 03:54:39 yasuoka Exp $ */ 29/**@file L2TP LNS call */ 30#include <sys/types.h> 31#include <sys/socket.h> 32#include <sys/time.h> 33#include <stdlib.h> 34#include <stddef.h> 35#include <netinet/in.h> 36#include <stdio.h> 37#include <string.h> 38#include <syslog.h> 39#include <stdarg.h> 40#include <unistd.h> 41#include <event.h> 42#include <net/if_dl.h> 43 44#include "debugutil.h" 45#include "bytebuf.h" 46#include "hash.h" 47#include "slist.h" 48#include "l2tp.h" 49#include "l2tp_subr.h" 50 51#include "npppd.h" 52#include "l2tp_local.h" 53 54#ifdef L2TP_CALL_DEBUG 55#define L2TP_CALL_DBG(m) l2tp_call_log m 56#define L2TP_CALL_ASSERT(x) ASSERT(x) 57#else 58#define L2TP_CALL_DBG(m) 59#define L2TP_CALL_ASSERT(x) 60#endif 61 62static void l2tp_call_log (l2tp_call *, int, const char *, ...) __printflike(3,4); 63static void l2tp_call_disconnect (l2tp_call *, int, int, const char *, struct l2tp_avp *[], int); 64static int l2tp_call_recv_ICRQ (l2tp_call *, u_char *, int); 65static int l2tp_call_send_ICRP (l2tp_call *); 66static int l2tp_call_recv_ICCN (l2tp_call *, u_char *, int, dialin_proxy_info *); 67static int l2tp_recv_CDN (l2tp_call *, u_char *, int); 68static int l2tp_call_send_CDN (l2tp_call *, int, int, const char *, struct l2tp_avp *[], int); 69static int l2tp_call_send_ZLB (l2tp_call *); 70static inline const char *l2tp_call_state_string (l2tp_call *); 71static int l2tp_call_bind_ppp (l2tp_call *, dialin_proxy_info *); 72static void l2tp_call_notify_down (l2tp_call *); 73static int l2tp_call_send_data_packet (l2tp_call *, bytebuffer *); 74 75static int l2tp_call_ppp_output (npppd_ppp *, unsigned char *, int, int); 76static void l2tp_call_closed_by_ppp (npppd_ppp *); 77 78/* create {@link ::_l2tp_call L2TP call} instance */ 79l2tp_call * 80l2tp_call_create(void) 81{ 82 l2tp_call *_this; 83 84 if ((_this = malloc(sizeof(l2tp_call))) == NULL) 85 return NULL; 86 87 return _this; 88} 89 90/* initialize {@link ::_l2tp_call L2TP call} instance */ 91int 92l2tp_call_init(l2tp_call *_this, l2tp_ctrl *ctrl) 93{ 94 memset(_this, 0, sizeof(l2tp_call)); 95 96 _this->ctrl = ctrl; 97 if (l2tpd_assign_call(ctrl->l2tpd, _this) != 0) 98 return -1; 99 100 _this->use_seq = ctrl->data_use_seq; 101 102 return 0; 103} 104 105/* free {@link ::_l2tp_call L2TP call} instance */ 106void 107l2tp_call_destroy(l2tp_call *_this, int from_l2tp_ctrl) 108{ 109 l2tpd_release_call(_this->ctrl->l2tpd, _this); 110 free(_this); 111} 112 113/* 114 * l2tp disconnect will occur when 115 * 1) disconnect request issued from nppdctl command 116 * 2) npppd is terminated 117 * in case 1) ppp_stop() is used to terminal. (PPP LCP TermReq) 118 * and in case 2) l2tp_call_disconnect() is used (L2TP CDN) 119 */ 120/* administrative reason disconnection */ 121void 122l2tp_call_admin_disconnect(l2tp_call *_this) 123{ 124 l2tp_call_disconnect(_this, L2TP_CDN_RCODE_ADMINISTRATIVE_REASON, 0, 125 NULL, NULL, 0); 126} 127 128void 129l2tp_call_drop(l2tp_call *_this) 130{ 131 l2tp_call_disconnect(_this, 0, 0, NULL, NULL, 0); 132} 133 134/* 135 * disconnect l2tp connection 136 * @param result_code disconnect without CDN, specify zero 137 */ 138static void 139l2tp_call_disconnect(l2tp_call *_this, int result_code, int error_code, 140 const char *errmes, struct l2tp_avp *addavp[], int naddavp) 141{ 142 L2TP_CALL_ASSERT(_this != NULL); 143 144 if (_this->state == L2TP_CALL_STATE_CLEANUP_WAIT) { 145 /* CDN received, or have been sent */ 146 l2tp_call_notify_down(_this); /* just in case */ 147 return; 148 } 149 if (result_code > 0) { 150 if (l2tp_call_send_CDN(_this, result_code, error_code, errmes, 151 addavp, naddavp) 152 != 0) 153 l2tp_call_log(_this, LOG_ERR, "Error sending CDN: %m"); 154 } 155 _this->state = L2TP_CALL_STATE_CLEANUP_WAIT; 156 l2tp_call_notify_down(_this); 157} 158 159/* 160 * control packet 161 */ 162 163/* call it when control packet is received */ 164int 165l2tp_call_recv_packet(l2tp_ctrl *ctrl, l2tp_call *_this, int mestype, 166 u_char *pkt, int pktlen) 167{ 168 int i, len, session_id, send_cdn; 169 l2tp_call *call; 170 dialin_proxy_info dpi; 171 172 /* when ICRQ, this will be NULL */ 173 L2TP_CALL_ASSERT(_this != NULL || 174 mestype == L2TP_AVP_MESSAGE_TYPE_ICRQ); 175 176 if (_this == NULL) { 177 if (mestype != L2TP_AVP_MESSAGE_TYPE_ICRQ) 178 return 1; 179 if ((_this = l2tp_call_create()) == NULL) { 180 l2tp_ctrl_log(ctrl, LOG_ERR, 181 "l2tp_call_create failed in %s(): %m", __func__); 182 return 1; 183 } 184 l2tp_call_init(_this, ctrl); 185 186 if (l2tp_call_recv_ICRQ(_this, pkt, pktlen) != 0) 187 return 1; 188 189 len = slist_length(&ctrl->call_list); 190 session_id = _this->id; 191 again: 192 /* assign a session ID */ 193 session_id &= 0xffff; 194 if (session_id == 0) 195 session_id = 1; 196 for (i = 0; i < len; i++) { 197 call = slist_get(&ctrl->call_list, i); 198 if (call->session_id == session_id) { 199 session_id++; 200 goto again; 201 } 202 } 203 _this->session_id = session_id; 204 205 /* add the l2tp_call to call list */ 206 slist_add(&_this->ctrl->call_list, _this); 207 208 if (l2tp_call_send_ICRP(_this) != 0) 209 return 1; 210 _this->state = L2TP_CALL_STATE_WAIT_CONN; 211 return 0; 212 } 213 214 /* state machine */ 215 send_cdn = 0; 216 switch (_this->state) { 217 default: 218 break; 219 case L2TP_CALL_STATE_WAIT_CONN: 220 switch (mestype) { 221 case L2TP_AVP_MESSAGE_TYPE_ICCN: 222 memset(&dpi, 0, sizeof(dpi)); 223 if (l2tp_call_recv_ICCN(_this, pkt, pktlen, &dpi) != 0) 224 return 1; 225 l2tp_call_bind_ppp(_this, &dpi); 226 l2tp_call_send_ZLB(_this); 227 _this->state = L2TP_CALL_STATE_ESTABLISHED; 228 _this->ctrl->ncalls++; 229 return 0; 230 case L2TP_AVP_MESSAGE_TYPE_ICRQ: 231 case L2TP_AVP_MESSAGE_TYPE_ICRP: 232 send_cdn = 1; 233 /* FALLTHROUGH */ 234 default: 235 l2tp_call_log(_this, LOG_ERR, 236 "Waiting ICCN. But received %s", 237 avp_mes_type_string(mestype)); 238 if (send_cdn) { 239 l2tp_call_disconnect(_this, 240 L2TP_CDN_RCODE_ERROR_CODE, 241 L2TP_ECODE_GENERIC_ERROR, "Illegal state.", 242 NULL, 0); 243 return 0; 244 } 245 } 246 break; 247 case L2TP_CALL_STATE_ESTABLISHED: 248 switch (mestype) { 249 case L2TP_AVP_MESSAGE_TYPE_CDN: 250 /* disconnect from peer. log it */ 251 l2tp_recv_CDN(_this, pkt, pktlen); 252 _this->state = L2TP_CALL_STATE_CLEANUP_WAIT; 253 l2tp_call_notify_down(_this); 254 l2tp_call_send_ZLB(_this); 255 return 0; 256 case L2TP_AVP_MESSAGE_TYPE_ICRQ: 257 case L2TP_AVP_MESSAGE_TYPE_ICRP: 258 case L2TP_AVP_MESSAGE_TYPE_ICCN: 259 send_cdn = 1; 260 break; 261 default: 262 break; 263 } 264 l2tp_call_log(_this, LOG_ERR, 265 "Call established. But received %s", 266 avp_mes_type_string(mestype)); 267 if (send_cdn) { 268 l2tp_call_disconnect(_this, 269 L2TP_CDN_RCODE_ERROR_CODE, 270 L2TP_ECODE_GENERIC_ERROR, "Illegal state.", 271 NULL, 0); 272 return 0; 273 } 274 l2tp_call_disconnect(_this, 0, 0, NULL, NULL, 0); 275 return 1; 276 } 277 l2tp_call_log(_this, LOG_INFO, "Received %s in unexpected state=%s", 278 avp_mes_type_string(mestype), l2tp_call_state_string(_this)); 279 l2tp_call_disconnect(_this, 0, 0, NULL, NULL, 0); 280 return 1; 281} 282/* 283 * receive ICRQ 284 * @return return 0 if the ICRQ is acceptable. 285 * other values means fail to receive, and 286 * CDN was sent and status was updated. 287 */ 288static int 289l2tp_call_recv_ICRQ(l2tp_call *_this, u_char *pkt, int pktlen) 290{ 291 int avpsz, slen; 292 struct l2tp_avp *avp; 293 char buf[L2TP_AVP_MAXSIZ], emes[256]; 294 295 avp = (struct l2tp_avp *)buf; 296 while (pktlen >= 6 && (avpsz = avp_enum(avp, pkt, pktlen, 1)) > 0) { 297 pkt += avpsz; 298 pktlen -= avpsz; 299 if (avp->vendor_id != 0) { 300 L2TP_CALL_DBG((_this, LOG_DEBUG, 301 "Received a Vendor-specific AVP vendor-id=%d " 302 "type=%d", avp->vendor_id, avp->attr_type)); 303 continue; 304 } 305 if (avp->is_hidden != 0) { 306 l2tp_call_log(_this, LOG_WARNING, 307 "Received AVP (%s/%d) is hidden. But we don't " 308 "share secret.", 309 avp_attr_type_string(avp->attr_type), 310 avp->attr_type); 311 if (avp->is_mandatory != 0) { 312 l2tp_call_disconnect(_this, 313 L2TP_CDN_RCODE_ERROR_CODE, 314 L2TP_ECODE_UNKNOWN_MANDATORY_AVP, NULL, 315 NULL, 0); 316 return 1; 317 } 318 continue; 319 } 320 switch (avp->attr_type) { 321 case L2TP_AVP_TYPE_MESSAGE_TYPE: 322 AVP_SIZE_CHECK(avp, ==, 8); 323 continue; 324 case L2TP_AVP_TYPE_ASSIGNED_SESSION_ID: 325 AVP_SIZE_CHECK(avp, ==, 8); 326 _this->peer_session_id = avp_get_val16(avp); 327 continue; 328 case L2TP_AVP_TYPE_CALL_SERIAL_NUMBER: 329 case L2TP_AVP_TYPE_BEARER_TYPE: 330 case L2TP_AVP_TYPE_PHYSICAL_CHANNEL_ID: 331 /* 332 * Memo: 333 * Microsoft "L2TP/IPsec VPN Client" for 334 * Windows 98/Me/NT asserts mandatory bit in 335 * Physical Channel Id 336 */ 337 break; 338 case L2TP_AVP_TYPE_CALLING_NUMBER: 339 slen = MINIMUM(sizeof(_this->calling_number) - 1, 340 avp_attr_length(avp)); 341 memcpy(_this->calling_number, avp->attr_value, slen); 342 _this->calling_number[slen] = '\0'; 343 break; 344 case L2TP_AVP_TYPE_CALLED_NUMBER: 345 case L2TP_AVP_TYPE_SUB_ADDRESS: 346 continue; 347 default: 348 if (avp->is_mandatory) { 349 l2tp_call_log(_this, LOG_WARNING, 350 "AVP (%s/%d) is not supported, but it's " 351 "mandatory", 352 avp_attr_type_string(avp->attr_type), 353 avp->attr_type); 354 if (avp->is_mandatory != 0) { 355 l2tp_call_disconnect(_this, 356 L2TP_CDN_RCODE_ERROR_CODE, 357 L2TP_ECODE_UNKNOWN_MANDATORY_AVP, 358 NULL, NULL, 0); 359 return 1; 360 } 361#ifdef L2TP_CALL_DEBUG 362 } else { 363 L2TP_CALL_DBG((_this, LOG_DEBUG, 364 "AVP (%s/%d) is not handled", 365 avp_attr_type_string(avp->attr_type), 366 avp->attr_type)); 367#endif 368 } 369 } 370 } 371 if (_this->peer_session_id == 0) { 372 l2tp_call_log(_this, LOG_ERR, 373 "Received a bad ICRP: SessionId = 0"); 374 l2tp_call_disconnect(_this, L2TP_CDN_RCODE_ERROR_CODE, 375 L2TP_ECODE_INVALID_MESSAGE, "Session Id must not be 0", 376 NULL, 0); 377 return 1; 378 } 379 l2tp_call_log(_this, LOG_INFO, "RecvICRQ session_id=%u", 380 _this->peer_session_id); 381 382 return 0; 383size_check_failed: 384 l2tp_call_log(_this, LOG_ERR, "Received bad ICRQ: %s", emes); 385 l2tp_call_disconnect(_this, L2TP_CDN_RCODE_ERROR_CODE, 386 L2TP_ECODE_WRONG_LENGTH, NULL, NULL, 0); 387 388 return 1; 389} 390 391/* send ICRP */ 392static int 393l2tp_call_send_ICRP(l2tp_call *_this) 394{ 395 int rval; 396 struct l2tp_avp *avp; 397 char buf[L2TP_AVP_MAXSIZ]; 398 bytebuffer *bytebuf; 399 400 bytebuf = l2tp_ctrl_prepare_snd_buffer(_this->ctrl, 1); 401 if (bytebuf == NULL) { 402 l2tp_call_log(_this, LOG_ERR, "sending ICRP failed: no buffer"); 403 return 1; 404 } 405 avp = (struct l2tp_avp *)buf; 406 407 /* Message Type = ICRP */ 408 memset(avp, 0, sizeof(*avp)); 409 avp->is_mandatory = 1; 410 avp->attr_type = L2TP_AVP_TYPE_MESSAGE_TYPE; 411 avp_set_val16(avp, L2TP_AVP_MESSAGE_TYPE_ICRP); 412 bytebuf_add_avp(bytebuf, avp, 2); 413 414 memset(avp, 0, sizeof(*avp)); 415 avp->is_mandatory = 1; 416 avp->attr_type = L2TP_AVP_TYPE_ASSIGNED_SESSION_ID; 417 avp_set_val16(avp, _this->session_id); 418 bytebuf_add_avp(bytebuf, avp, 2); 419 420 if ((rval = l2tp_ctrl_send_packet(_this->ctrl, _this->peer_session_id, 421 bytebuf)) != 0) { 422 l2tp_call_log(_this, LOG_ERR, "failed to SendICRP: %m"); 423 return 1; 424 } 425 l2tp_call_log(_this, LOG_INFO, "SendICRP session_id=%u", 426 _this->session_id); 427 return 0; 428} 429 430/* send L2TP data message */ 431static int 432l2tp_call_send_data_packet(l2tp_call *_this, bytebuffer *buffer) 433{ 434 int rval; 435 struct l2tp_header *hdr; 436 437 bytebuffer_flip(buffer); 438 hdr = (struct l2tp_header *)bytebuffer_pointer(buffer); 439 memset(hdr, 0, sizeof(*hdr) - 4); /* Nr, NS are option */ 440 441 hdr->t = 0; 442 hdr->ver = L2TP_HEADER_VERSION_RFC2661; 443 hdr->l = 1; 444 hdr->length = htons(bytebuffer_remaining(buffer)); 445 hdr->tunnel_id = htons(_this->ctrl->peer_tunnel_id); 446 hdr->session_id = htons(_this->peer_session_id); 447 if (_this->use_seq) { 448 hdr->s = 1; 449 hdr->ns = htons(_this->snd_nxt++); 450 hdr->nr = htons(_this->rcv_nxt); 451 } 452 453 if (L2TP_CTRL_CONF(_this->ctrl)->data_out_pktdump != 0) { 454 l2tpd_log(_this->ctrl->l2tpd, LOG_DEBUG, 455 "ctrl=%u call=%u L2TP Data output packet dump", 456 _this->ctrl->id, _this->id); 457 show_hd(debug_get_debugfp(), bytebuffer_pointer(buffer), 458 bytebuffer_remaining(buffer)); 459 } 460 if ((rval = l2tp_ctrl_send(_this->ctrl, bytebuffer_pointer(buffer), 461 bytebuffer_remaining(buffer))) < 0) { 462 L2TP_CALL_DBG((_this, LOG_DEBUG, "sendto() failed: %m")); 463 } 464 465 return (rval == bytebuffer_remaining(buffer))? 0 : 1; 466} 467 468/* 469 * receive ICCN 470 * @return return 0 if the ICCN is acceptable. 471 * other value means fail to receive, and 472 * CDN was sent and status was updated. 473 */ 474static int 475l2tp_call_recv_ICCN(l2tp_call *_this, u_char *pkt, int pktlen, 476 dialin_proxy_info *dpi) 477{ 478 int avpsz, tx_conn_speed; 479 uint32_t framing_type = 0; 480 struct l2tp_avp *avp; 481 char buf[L2TP_AVP_MAXSIZ], emes[256]; 482 483 tx_conn_speed = 0; 484 avp = (struct l2tp_avp *)buf; 485 while (pktlen >= 6 && (avpsz = avp_enum(avp, pkt, pktlen, 1)) > 0) { 486 pkt += avpsz; 487 pktlen -= avpsz; 488 if (avp->vendor_id != 0) { 489 L2TP_CALL_DBG((_this, LOG_DEBUG, 490 "Received a Vendor-specific AVP vendor-id=%d " 491 "type=%d", avp->vendor_id, avp->attr_type)); 492 continue; 493 } 494 if (avp->is_hidden != 0) { 495 l2tp_call_log(_this, LOG_WARNING, 496 "Received AVP (%s/%d) is hidden. But we don't " 497 "share secret.", 498 avp_attr_type_string(avp->attr_type), 499 avp->attr_type); 500 if (avp->is_mandatory != 0) { 501 l2tp_call_disconnect(_this, 502 L2TP_CDN_RCODE_ERROR_CODE, 503 L2TP_ECODE_UNKNOWN_MANDATORY_AVP, NULL, 504 NULL, 0); 505 return 1; 506 } 507 continue; 508 } 509 switch (avp->attr_type) { 510 case L2TP_AVP_TYPE_MESSAGE_TYPE: 511 AVP_SIZE_CHECK(avp, ==, 8); 512 continue; 513 case L2TP_AVP_TYPE_RX_CONNECT_SPEED: 514 /* 515 * As RFC 2661 this AVP is not mandatory. But `xl2tpd' 516 * sends this as a mandatory AVP. Handle this to 517 * ignore the xl2tpd' bug. 518 */ 519 AVP_SIZE_CHECK(avp, ==, 10); 520 continue; 521 case L2TP_AVP_TYPE_TX_CONNECT_SPEED: 522 AVP_SIZE_CHECK(avp, ==, 10); 523 tx_conn_speed = avp_get_val32(avp); 524 continue; 525 case L2TP_AVP_TYPE_FRAMING_TYPE: 526 AVP_SIZE_CHECK(avp, ==, 10); 527 framing_type = avp_get_val32(avp); 528 continue; 529 case L2TP_AVP_TYPE_SEQUENCING_REQUIRED: 530 _this->seq_required = 1; 531 _this->use_seq = 1; 532 continue; 533 /* 534 * AVP's for Proxy-LCP and Proxy-Authen 535 */ 536 case L2TP_AVP_TYPE_LAST_SENT_LCP_CONFREQ: 537 AVP_MAXLEN_CHECK(avp, sizeof(dpi->last_sent_lcp.data)); 538 memcpy(dpi->last_sent_lcp.data, avp->attr_value, 539 avp_attr_length(avp)); 540 dpi->last_sent_lcp.ldata = avp_attr_length(avp); 541 break; 542 case L2TP_AVP_TYPE_LAST_RECV_LCP_CONFREQ: 543 AVP_MAXLEN_CHECK(avp, sizeof(dpi->last_recv_lcp.data)); 544 memcpy(dpi->last_recv_lcp.data, avp->attr_value, 545 avp_attr_length(avp)); 546 dpi->last_recv_lcp.ldata = avp_attr_length(avp); 547 break; 548 case L2TP_AVP_TYPE_PROXY_AUTHEN_CHALLENGE: 549 AVP_MAXLEN_CHECK(avp, sizeof(dpi->auth_chall)); 550 memcpy(dpi->auth_chall, avp->attr_value, 551 avp_attr_length(avp)); 552 dpi->lauth_chall = avp_attr_length(avp); 553 break; 554 case L2TP_AVP_TYPE_PROXY_AUTHEN_ID: 555 AVP_SIZE_CHECK(avp, ==, 8); 556 dpi->auth_id = avp_get_val16(avp); 557 break; 558 case L2TP_AVP_TYPE_PROXY_AUTHEN_NAME: 559 AVP_MAXLEN_CHECK(avp, sizeof(dpi->username) - 1); 560 memcpy(dpi->username, avp->attr_value, 561 avp_attr_length(avp)); 562 break; 563 case L2TP_AVP_TYPE_PROXY_AUTHEN_RESPONSE: 564 AVP_MAXLEN_CHECK(avp, sizeof(dpi->auth_resp)); 565 memcpy(dpi->auth_resp, avp->attr_value, 566 avp_attr_length(avp)); 567 dpi->lauth_resp = avp_attr_length(avp); 568 break; 569 case L2TP_AVP_TYPE_PROXY_AUTHEN_TYPE: 570 AVP_SIZE_CHECK(avp, ==, 8); 571 switch (avp_get_val16(avp)) { 572 default: 573 l2tp_call_log(_this, LOG_WARNING, 574 "RecvICCN Unknown proxy-authen-type=%d", 575 avp_get_val16(avp)); 576 /* FALLTHROUGH */ 577 case L2TP_AUTH_TYPE_NO_AUTH: 578 dpi->auth_type = 0; 579 break; 580 case L2TP_AUTH_TYPE_PPP_CHAP: 581 dpi->auth_type = PPP_AUTH_CHAP_MD5; 582 break; 583 case L2TP_AUTH_TYPE_PPP_PAP: 584 dpi->auth_type = PPP_AUTH_PAP; 585 break; 586 case L2TP_AUTH_TYPE_MS_CHAP_V1: 587 dpi->auth_type = PPP_AUTH_CHAP_MS; 588 break; 589 } 590 break; 591 default: 592 if (avp->is_mandatory != 0) { 593 l2tp_call_log(_this, LOG_WARNING, 594 "AVP (%s/%d) is not supported, but it's " 595 "mandatory", 596 avp_attr_type_string(avp->attr_type), 597 avp->attr_type); 598 l2tp_call_disconnect(_this, 599 L2TP_CDN_RCODE_ERROR_CODE, 600 L2TP_ECODE_UNKNOWN_MANDATORY_AVP, NULL, 601 NULL, 0); 602 return 1; 603#ifdef L2TP_CALL_DEBUG 604 } else { 605 L2TP_CALL_DBG((_this, LOG_DEBUG, 606 "AVP (%s/%d) is not handled", 607 avp_attr_type_string(avp->attr_type), 608 avp->attr_type)); 609#endif 610 } 611 } 612 } 613 l2tp_call_log(_this, LOG_INFO, "RecvICCN " 614 "session_id=%u calling_number=%s tx_conn_speed=%u framing=%s", 615 _this->peer_session_id, _this->calling_number, tx_conn_speed, 616 ((framing_type & L2TP_FRAMING_CAP_FLAGS_ASYNC) != 0)? "async" : 617 ((framing_type & L2TP_FRAMING_CAP_FLAGS_SYNC) != 0)? "sync" : 618 "unknown"); 619 620 return 0; 621size_check_failed: 622 l2tp_call_log(_this, LOG_ERR, "Received bad ICCN: %s", emes); 623 l2tp_call_disconnect(_this, L2TP_CDN_RCODE_ERROR_CODE, 624 L2TP_ECODE_WRONG_LENGTH, NULL, NULL, 0); 625 return 1; 626} 627 628/* receive CDN */ 629static int 630l2tp_recv_CDN(l2tp_call *_this, u_char *pkt, int pktlen) 631{ 632 int result, error, avpsz, len, sessid; 633 struct l2tp_avp *avp; 634 char buf[L2TP_AVP_MAXSIZ], emes[256], pmes[256]; 635 636 /* initialize */ 637 result = 0; 638 error = 0; 639 sessid = 0; 640 strlcpy(pmes, "(none)", sizeof(pmes)); 641 642 avp = (struct l2tp_avp *)buf; 643 while (pktlen >= 6 && (avpsz = avp_enum(avp, pkt, pktlen, 1)) > 0) { 644 pkt += avpsz; 645 pktlen -= avpsz; 646 if (avp->vendor_id != 0) { 647 L2TP_CALL_DBG((_this, LOG_DEBUG, 648 "Received a Vendor-specific AVP vendor-id=%d " 649 "type=%d", avp->vendor_id, avp->attr_type)); 650 continue; 651 } 652 if (avp->is_hidden != 0) { 653 l2tp_call_log(_this, LOG_WARNING, 654 "Received AVP (%s/%d) is hidden. But we don't " 655 "share secret.", 656 avp_attr_type_string(avp->attr_type), 657 avp->attr_type); 658 if (avp->is_mandatory != 0) { 659 l2tp_call_disconnect(_this, 660 L2TP_CDN_RCODE_ERROR_CODE, 661 L2TP_ECODE_UNKNOWN_MANDATORY_AVP, NULL, 662 NULL, 0); 663 return 1; 664 } 665 continue; 666 } 667 switch (avp->attr_type) { 668 case L2TP_AVP_TYPE_MESSAGE_TYPE: 669 AVP_SIZE_CHECK(avp, ==, 8); 670 continue; 671 case L2TP_AVP_TYPE_RESULT_CODE: 672 AVP_SIZE_CHECK(avp, >=, 8); 673 result = avp->attr_value[0] << 8 | avp->attr_value[1]; 674 if (avp->length >= 10) { 675 error = avp->attr_value[2] << 8 | 676 avp->attr_value[3]; 677 len = avp->length - 12; 678 if (len > 0) { 679 len = MINIMUM(len, sizeof(pmes) - 1); 680 memcpy(pmes, &avp->attr_value[4], len); 681 pmes[len] = '\0'; 682 } 683 } 684 continue; 685 case L2TP_AVP_TYPE_ASSIGNED_SESSION_ID: 686 AVP_SIZE_CHECK(avp, >=, 8); 687 sessid = avp_get_val16(avp); 688 continue; 689 default: 690 if (avp->is_mandatory) { 691 l2tp_call_log(_this, LOG_WARNING, 692 "AVP (%s/%d) is not supported, but it's " 693 "mandatory", 694 avp_attr_type_string(avp->attr_type), 695 avp->attr_type); 696 if (avp->is_mandatory != 0) { 697 l2tp_call_disconnect(_this, 698 L2TP_CDN_RCODE_ERROR_CODE, 699 L2TP_ECODE_UNKNOWN_MANDATORY_AVP, 700 NULL, NULL, 0); 701 return 1; 702 } 703#ifdef L2TP_CALL_DEBUG 704 } else { 705 L2TP_CALL_DBG((_this, LOG_DEBUG, 706 "AVP (%s/%d) is not handled", 707 avp_attr_type_string(avp->attr_type), 708 avp->attr_type)); 709#endif 710 } 711 } 712 } 713 if (error == 0) { 714 l2tp_call_log(_this, LOG_INFO, 715 "RecvCDN result=%s/%d", l2tp_cdn_rcode_string(result), 716 result); 717 } else { 718 l2tp_call_log(_this, LOG_INFO, 719 "RecvCDN result=%s/%d error=%s/%d message=%s", 720 l2tp_cdn_rcode_string(result), result, 721 l2tp_ecode_string(error), error, pmes); 722 } 723 724 return 0; 725 726size_check_failed: 727 /* continue to process even if the CDN message was broken */ 728 l2tp_call_log(_this, LOG_ERR, "Received bad CDN: %s", emes); 729 730 return 0; 731} 732 733/* send CDN */ 734static int 735l2tp_call_send_CDN(l2tp_call *_this, int result_code, int error_code, const 736 char *errmes, struct l2tp_avp *addavp[], int naddavp) 737{ 738 uint32_t val32; 739 int i, avplen, len; 740 struct l2tp_avp *avp; 741 char buf[L2TP_AVP_MAXSIZ]; 742 bytebuffer *bytebuf; 743 744 L2TP_CALL_ASSERT(_this != NULL); 745 bytebuf = l2tp_ctrl_prepare_snd_buffer(_this->ctrl, 1); 746 if (bytebuf == NULL) { 747 l2tp_call_log(_this, LOG_ERR, "sending CDN failed: no buffer"); 748 return 1; 749 } 750 avp = (struct l2tp_avp *)buf; 751 752 /* Message Type = CDN */ 753 memset(avp, 0, sizeof(*avp)); 754 avp->is_mandatory = 1; 755 avp->attr_type = L2TP_AVP_TYPE_MESSAGE_TYPE; 756 avp_set_val16(avp, L2TP_AVP_MESSAGE_TYPE_CDN); 757 bytebuf_add_avp(bytebuf, avp, 2); 758 759 /* Result Code */ 760 memset(avp, 0, sizeof(*avp)); 761 avp->is_mandatory = 1; 762 avp->attr_type = L2TP_AVP_TYPE_RESULT_CODE; 763#if 0 764/* 765 * Windows 2000 work around: 766 * Windows 2000 will return "2 - Length is wrong" in StopCCN, 767 * when it received "length = 8 and no error code AVP". 768 * Avoid the error, use AVP length = 10. 769 */ 770 if (error_code > 0) { 771 val32 = (result_code << 16) | (error_code & 0xffff); 772 avplen = 4; 773 avp_set_val32(avp, val32); 774 } else { 775 avplen = 2; 776 avp_set_val16(avp, result_code); 777 } 778#else 779 val32 = (result_code << 16) | (error_code & 0xffff); 780 avplen = 4; 781 avp_set_val32(avp, val32); 782#endif 783 784 if (errmes != NULL) { 785 len = MINIMUM(strlen(errmes), L2TP_AVP_MAXSIZ - 128); 786 memcpy(&avp->attr_value[avplen], errmes, len); 787 avplen += len; 788 } 789 bytebuf_add_avp(bytebuf, avp, avplen); 790 791 /* Assigned Session Id */ 792 memset(avp, 0, sizeof(*avp)); 793 avp->is_mandatory = 1; 794 avp->attr_type = L2TP_AVP_TYPE_ASSIGNED_SESSION_ID; 795 if (_this != NULL && _this->session_id != 0) 796 avp_set_val16(avp, _this->session_id); 797 else 798 avp_set_val16(avp, 0); 799 bytebuf_add_avp(bytebuf, avp, 2); 800 801 for (i = 0; i < naddavp; i++) 802 bytebuf_add_avp(bytebuf, addavp[i], addavp[i]->length - 6); 803 804 if (l2tp_ctrl_send_packet(_this->ctrl, _this->peer_session_id, 805 bytebuf) != 0) { 806 l2tp_call_log(_this, LOG_ERR, "Error sending CDN: %m"); 807 return 1; 808 } 809 810 if (error_code > 0) { 811 l2tp_call_log(_this, LOG_INFO, 812 "SendCDN result=%s/%d error=%s/%d message=%s", 813 l2tp_cdn_rcode_string(result_code), result_code, 814 l2tp_ecode_string(error_code), error_code, 815 (errmes == NULL)? "none" : errmes); 816 } else { 817 l2tp_call_log(_this, LOG_INFO, "SendCDN result=%s/%d", 818 l2tp_cdn_rcode_string(result_code), result_code); 819 } 820 821 return 0; 822} 823 824/* send ZLB */ 825static int 826l2tp_call_send_ZLB(l2tp_call *_this) 827{ 828 bytebuffer *bytebuf; 829 830 l2tp_call_log(_this, LOG_INFO, "SendZLB"); 831 bytebuf = l2tp_ctrl_prepare_snd_buffer(_this->ctrl, 1); 832 if (bytebuf == NULL) { 833 l2tp_call_log(_this, LOG_ERR, "sending ZLB failed: no buffer"); 834 return 1; 835 } 836 return l2tp_ctrl_send_packet(_this->ctrl, _this->peer_session_id, 837 bytebuf); 838} 839 840/* 841 * misc 842 */ 843/* logging with the label of the instance */ 844static void 845l2tp_call_log(l2tp_call *_this, int prio, const char *fmt, ...) 846{ 847 char logbuf[BUFSIZ]; 848 va_list ap; 849 850 va_start(ap, fmt); 851#ifdef L2TPD_MULTIPLE 852 snprintf(logbuf, sizeof(logbuf), "l2tpd id=%u ctrl=%u call=%u %s", 853 _this->ctrl->l2tpd->id, _this->ctrl->id, _this->id, fmt); 854#else 855 snprintf(logbuf, sizeof(logbuf), "l2tpd ctrl=%u call=%u %s", 856 _this->ctrl->id, _this->id, fmt); 857#endif 858 vlog_printf(prio, logbuf, ap); 859 va_end(ap); 860} 861 862/* convert current status to strings */ 863static inline const char * 864l2tp_call_state_string(l2tp_call *_this) 865{ 866 switch (_this->state) { 867 case L2TP_CALL_STATE_IDLE: return "idle"; 868 case L2TP_CALL_STATE_WAIT_CONN: return "wait-conn"; 869 case L2TP_CALL_STATE_ESTABLISHED: return "established"; 870 case L2TP_CALL_STATE_CLEANUP_WAIT: return "cleanup-wait"; 871 } 872 return "unknown"; 873} 874 875/* 876 * npppd physical layer 877 */ 878 879/* input packet to ppp */ 880void 881l2tp_call_ppp_input(l2tp_call *_this, u_char *pkt, int pktlen, int delayed) 882{ 883 int rval; 884 npppd_ppp *ppp; 885 886 ppp = _this->ppp; 887 rval = ppp->recv_packet(ppp, pkt, pktlen, 888 delayed ? PPP_IO_FLAGS_DELAYED : 0); 889 890 if (_this->ppp == NULL) /* ppp is freed */ 891 return; 892 893 if (rval != 0) 894 ppp->ierrors++; 895 else { 896 ppp->ipackets++; 897 ppp->ibytes += pktlen; 898 } 899} 900 901/* called ppp output a packet */ 902static int 903l2tp_call_ppp_output(npppd_ppp *ppp, unsigned char *bytes, int nbytes, 904 int flags) 905{ 906 l2tp_call *_this; 907 bytebuffer *bytebuf; 908 909 _this = ppp->phy_context; 910 911 bytebuf = l2tp_ctrl_prepare_snd_buffer(_this->ctrl, _this->use_seq); 912 913 if (bytebuf != NULL) { 914 bytebuffer_put(bytebuf, bytes, nbytes); 915 if (l2tp_call_send_data_packet(_this, bytebuf) != 0) 916 ppp->oerrors++; 917 else { 918 ppp->opackets++; 919 ppp->obytes += nbytes; 920 } 921 } else 922 ppp->oerrors++; 923 924 return 0; 925} 926 927/* it will be called when the connection was closed at ppp */ 928static void 929l2tp_call_closed_by_ppp(npppd_ppp *ppp) 930{ 931 l2tp_call *_this; 932 933 L2TP_CALL_ASSERT(ppp != NULL); 934 L2TP_CALL_ASSERT(ppp->phy_context != NULL); 935 936 _this = ppp->phy_context; 937 938 /* do before l2tp_call_disconnect() */ 939 _this->ppp = NULL; 940 941 if (_this->state == L2TP_CALL_STATE_CLEANUP_WAIT) { 942 /* no need to call l2tp_call_disconnect */ 943 } else if (ppp->disconnect_code == PPP_DISCON_NO_INFORMATION) { 944 l2tp_call_disconnect(_this, 945 L2TP_CDN_RCODE_ADMINISTRATIVE_REASON, 0, NULL, NULL, 0); 946 } else { 947 /* 948 * RFC3145 L2TP Disconnect Cause Information 949 */ 950 struct l2tp_avp *avp[1]; 951 struct _ppp_cause { 952 struct l2tp_avp avp; 953 uint16_t code; 954 uint16_t proto; 955 uint8_t direction; 956 char message[128]; 957 } __attribute__((__packed__)) ppp_cause; 958 959 ppp_cause.avp.is_mandatory = 0; 960 ppp_cause.avp.is_hidden = 0; 961 ppp_cause.avp.vendor_id = 0; /* ietf */ 962 ppp_cause.avp.attr_type = 963 L2TP_AVP_TYPE_PPP_DISCONNECT_CAUSE_CODE; 964 ppp_cause.code = htons(ppp->disconnect_code); 965 ppp_cause.proto = htons(ppp->disconnect_proto); 966 ppp_cause.direction = ppp->disconnect_direction; 967 ppp_cause.avp.length = offsetof(struct _ppp_cause, message[0]); 968 969 if (ppp->disconnect_message != NULL) { 970 strlcpy(ppp_cause.message, ppp->disconnect_message, 971 sizeof(ppp_cause.message)); 972 ppp_cause.avp.length += strlen(ppp_cause.message); 973 } 974 avp[0] = &ppp_cause.avp; 975 l2tp_call_disconnect(_this, 976 L2TP_CDN_RCODE_ERROR_CODE, L2TP_ECODE_GENERIC_ERROR, 977 "Disconnected by local PPP", avp, 1); 978 } 979 l2tp_call_log(_this, LOG_NOTICE, "logtype=PPPUnbind"); 980} 981 982/* notify disconnection to ppp to terminate or free of ppp */ 983static void 984l2tp_call_notify_down(l2tp_call *_this) 985{ 986 if (_this->ppp != NULL) 987 ppp_phy_downed(_this->ppp); 988} 989 990/* bind ppp */ 991static int 992l2tp_call_bind_ppp(l2tp_call *_this, dialin_proxy_info *dpi) 993{ 994 int code, errcode; 995 npppd_ppp *ppp; 996 997 code = L2TP_CDN_RCODE_BUSY; 998 errcode = 0; 999 ppp = NULL; 1000 if ((ppp = ppp_create()) == NULL) 1001 goto fail; 1002 1003 ASSERT(_this->ppp == NULL); 1004 1005 if (_this->ppp != NULL) 1006 return -1; 1007 1008 _this->ppp = ppp; 1009 1010 ppp->tunnel_type = NPPPD_TUNNEL_L2TP; 1011 ppp->tunnel_session_id = _this->session_id; 1012 ppp->phy_context = _this; 1013 ppp->send_packet = l2tp_call_ppp_output; 1014 ppp->phy_close = l2tp_call_closed_by_ppp; 1015 1016 strlcpy(ppp->phy_label, L2TP_CTRL_LISTENER_TUN_NAME(_this->ctrl), 1017 sizeof(ppp->phy_label)); 1018 L2TP_CALL_ASSERT(sizeof(ppp->phy_info) >= _this->ctrl->peer.ss_len); 1019 memcpy(&ppp->phy_info, &_this->ctrl->peer, 1020 MINIMUM(sizeof(ppp->phy_info), _this->ctrl->peer.ss_len)); 1021 strlcpy(ppp->calling_number, _this->calling_number, 1022 sizeof(ppp->calling_number)); 1023 if (ppp_init(npppd_get_npppd(), ppp) != 0) { 1024 l2tp_call_log(_this, LOG_ERR, "failed binding ppp"); 1025 goto fail; 1026 } 1027 1028 l2tp_call_log(_this, LOG_NOTICE, "logtype=PPPBind ppp=%d", ppp->id); 1029 if (DIALIN_PROXY_IS_REQUESTED(dpi)) { 1030 if (!L2TP_CTRL_CONF(_this->ctrl)->accept_dialin) { 1031 l2tp_call_log(_this, LOG_ERR, 1032 "'accept_dialin' is 'false' in the setting."); 1033 code = L2TP_CDN_RCODE_ERROR_CODE; 1034 errcode = L2TP_ECODE_INVALID_MESSAGE; 1035 goto fail; 1036 } 1037 1038 if (ppp_dialin_proxy_prepare(ppp, dpi) != 0) { 1039 code = L2TP_CDN_RCODE_TEMP_NOT_AVALIABLE; 1040 goto fail; 1041 } 1042 } 1043 ppp_start(ppp); 1044 1045 return 0; 1046fail: 1047 if (ppp != NULL) 1048 ppp_destroy(ppp); 1049 _this->ppp = NULL; 1050 1051 l2tp_call_disconnect(_this, code, errcode, NULL, NULL, 0); 1052 return 1; 1053} 1054