GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: usr.sbin/npppd/npppd/../l2tp/l2tp_call.c Lines: 0 430 0.0 %
Date: 2017-11-13 Branches: 0 220 0.0 %

Line Branch Exec Source
1
/*	$OpenBSD: l2tp_call.c,v 1.19 2015/12/05 16:10:31 yasuoka Exp $	*/
2
3
/*-
4
 * Copyright (c) 2009 Internet Initiative Japan Inc.
5
 * All rights reserved.
6
 *
7
 * Redistribution and use in source and binary forms, with or without
8
 * modification, are permitted provided that the following conditions
9
 * are met:
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 * 2. Redistributions in binary form must reproduce the above copyright
13
 *    notice, this list of conditions and the following disclaimer in the
14
 *    documentation and/or other materials provided with the distribution.
15
 *
16
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26
 * SUCH DAMAGE.
27
 */
28
/* $Id: l2tp_call.c,v 1.19 2015/12/05 16:10:31 yasuoka Exp $ */
29
/**@file L2TP LNS call */
30
#include <sys/types.h>
31
#include <sys/socket.h>
32
#include <sys/time.h>
33
#include <stdlib.h>
34
#include <stddef.h>
35
#include <netinet/in.h>
36
#include <stdio.h>
37
#include <string.h>
38
#include <syslog.h>
39
#include <stdarg.h>
40
#include <unistd.h>
41
#include <event.h>
42
#include <net/if_dl.h>
43
44
#include "debugutil.h"
45
#include "bytebuf.h"
46
#include "hash.h"
47
#include "slist.h"
48
#include "l2tp.h"
49
#include "l2tp_subr.h"
50
51
#include "npppd.h"
52
#include "l2tp_local.h"
53
54
#ifdef	L2TP_CALL_DEBUG
55
#define	L2TP_CALL_DBG(m)	l2tp_call_log m
56
#define	L2TP_CALL_ASSERT(x)	ASSERT(x)
57
#else
58
#define	L2TP_CALL_DBG(m)
59
#define	L2TP_CALL_ASSERT(x)
60
#endif
61
62
static void  l2tp_call_log (l2tp_call *, int, const char *, ...) __printflike(3,4);
63
static void               l2tp_call_disconnect (l2tp_call *, int, int, const char *, struct l2tp_avp *[], int);
64
static int                l2tp_call_recv_ICRQ (l2tp_call *, u_char *, int);
65
static int                l2tp_call_send_ICRP (l2tp_call *);
66
static int                l2tp_call_recv_ICCN (l2tp_call *, u_char *, int, dialin_proxy_info *);
67
static int                l2tp_recv_CDN (l2tp_call *, u_char *, int);
68
static int                l2tp_call_send_CDN (l2tp_call *, int, int, const char *, struct l2tp_avp *[], int);
69
static int                l2tp_call_send_ZLB (l2tp_call *);
70
static inline const char  *l2tp_call_state_string (l2tp_call *);
71
static int                l2tp_call_bind_ppp (l2tp_call *, dialin_proxy_info *);
72
static void               l2tp_call_notify_down (l2tp_call *);
73
static int                l2tp_call_send_data_packet (l2tp_call *, bytebuffer *);
74
75
static int   l2tp_call_ppp_output (npppd_ppp *, unsigned char *, int, int);
76
static void  l2tp_call_closed_by_ppp (npppd_ppp *);
77
78
/* create {@link ::_l2tp_call L2TP call} instance */
79
l2tp_call *
80
l2tp_call_create(void)
81
{
82
	l2tp_call *_this;
83
84
	if ((_this = malloc(sizeof(l2tp_call))) == NULL)
85
		return NULL;
86
87
	return _this;
88
}
89
90
/* initialize {@link ::_l2tp_call L2TP call} instance */
91
int
92
l2tp_call_init(l2tp_call *_this, l2tp_ctrl *ctrl)
93
{
94
	memset(_this, 0, sizeof(l2tp_call));
95
96
	_this->ctrl = ctrl;
97
	if (l2tpd_assign_call(ctrl->l2tpd, _this) != 0)
98
		return -1;
99
100
	_this->use_seq = ctrl->data_use_seq;
101
102
	return 0;
103
}
104
105
/* free {@link ::_l2tp_call L2TP call} instance */
106
void
107
l2tp_call_destroy(l2tp_call *_this, int from_l2tp_ctrl)
108
{
109
	l2tpd_release_call(_this->ctrl->l2tpd, _this);
110
	free(_this);
111
}
112
113
/*
114
 * l2tp disconnect will occur when
115
 *      1) disconnect request issued from nppdctl command
116
 *      2) npppd is terminated
117
 * in case 1) ppp_stop() is used to terminal. (PPP LCP TermReq)
118
 * and in case 2) l2tp_call_disconnect() is used (L2TP CDN)
119
 */
120
/* administrative reason disconnection */
121
void
122
l2tp_call_admin_disconnect(l2tp_call *_this)
123
{
124
	l2tp_call_disconnect(_this, L2TP_CDN_RCODE_ADMINISTRATIVE_REASON, 0,
125
	    NULL, NULL, 0);
126
}
127
128
void
129
l2tp_call_drop(l2tp_call *_this)
130
{
131
	l2tp_call_disconnect(_this, 0, 0, NULL, NULL, 0);
132
}
133
134
/*
135
 * disconnect l2tp connection
136
 * @param result_code	disconect without CDN, specify zero
137
 */
138
static void
139
l2tp_call_disconnect(l2tp_call *_this, int result_code, int error_code,
140
    const char *errmes, struct l2tp_avp *addavp[], int naddavp)
141
{
142
	L2TP_CALL_ASSERT(_this != NULL);
143
144
	if (_this->state == L2TP_CALL_STATE_CLEANUP_WAIT) {
145
		/* CDN received, or have been sent */
146
		l2tp_call_notify_down(_this);	/* just in case */
147
		return;
148
	}
149
	if (result_code > 0) {
150
		if (l2tp_call_send_CDN(_this, result_code, error_code, errmes,
151
		    addavp, naddavp)
152
		    != 0)
153
			l2tp_call_log(_this, LOG_ERR, "Error sending CDN: %m");
154
	}
155
	_this->state = L2TP_CALL_STATE_CLEANUP_WAIT;
156
	l2tp_call_notify_down(_this);
157
}
158
159
/*
160
 * control packet
161
 */
162
163
/* call it when control packet is received */
164
int
165
l2tp_call_recv_packet(l2tp_ctrl *ctrl, l2tp_call *_this, int mestype,
166
    u_char *pkt, int pktlen)
167
{
168
	int i, len, session_id, send_cdn;
169
	l2tp_call *call;
170
	dialin_proxy_info dpi;
171
172
	/* when ICRQ, this will be NULL */
173
	L2TP_CALL_ASSERT(_this != NULL ||
174
	    mestype == L2TP_AVP_MESSAGE_TYPE_ICRQ);
175
176
	if (_this == NULL) {
177
		if (mestype != L2TP_AVP_MESSAGE_TYPE_ICRQ)
178
			return 1;
179
		if ((_this = l2tp_call_create()) == NULL) {
180
			l2tp_ctrl_log(ctrl, LOG_ERR,
181
			    "l2tp_call_create failed in %s(): %m", __func__);
182
			return 1;
183
		}
184
		l2tp_call_init(_this, ctrl);
185
186
		if (l2tp_call_recv_ICRQ(_this, pkt, pktlen) != 0)
187
			return 1;
188
189
		len = slist_length(&ctrl->call_list);
190
		session_id = _this->id;
191
	    again:
192
		/* assign a session ID */
193
		session_id &= 0xffff;
194
		if (session_id == 0)
195
			session_id = 1;
196
		for (i = 0; i < len; i++) {
197
			call = slist_get(&ctrl->call_list, i);
198
			if (call->session_id == session_id) {
199
				session_id++;
200
				goto again;
201
			}
202
		}
203
		_this->session_id = session_id;
204
205
		/* add the l2tp_call to call list */
206
		slist_add(&_this->ctrl->call_list, _this);
207
208
		if (l2tp_call_send_ICRP(_this) != 0)
209
			return 1;
210
		_this->state = L2TP_CALL_STATE_WAIT_CONN;
211
		return 0;
212
	}
213
214
	/* state machine */
215
	send_cdn = 0;
216
	switch (_this->state) {
217
	default:
218
		break;
219
	case L2TP_CALL_STATE_WAIT_CONN:
220
		switch (mestype) {
221
		case L2TP_AVP_MESSAGE_TYPE_ICCN:
222
			memset(&dpi, 0, sizeof(dpi));
223
			if (l2tp_call_recv_ICCN(_this, pkt, pktlen, &dpi) != 0)
224
				return 1;
225
			l2tp_call_bind_ppp(_this, &dpi);
226
			l2tp_call_send_ZLB(_this);
227
			_this->state = L2TP_CALL_STATE_ESTABLISHED;
228
			_this->ctrl->ncalls++;
229
			return 0;
230
		case L2TP_AVP_MESSAGE_TYPE_ICRQ:
231
		case L2TP_AVP_MESSAGE_TYPE_ICRP:
232
			send_cdn = 1;
233
			/* FALLTHROUGH */
234
		default:
235
			l2tp_call_log(_this, LOG_ERR,
236
			    "Waiting ICCN.  But received %s",
237
			    avp_mes_type_string(mestype));
238
			if (send_cdn) {
239
				l2tp_call_disconnect(_this,
240
				    L2TP_CDN_RCODE_ERROR_CODE,
241
				    L2TP_ECODE_GENERIC_ERROR, "Illegal state.",
242
				    NULL, 0);
243
				return 0;
244
			}
245
		}
246
		break;
247
	case L2TP_CALL_STATE_ESTABLISHED:
248
		switch (mestype) {
249
		case L2TP_AVP_MESSAGE_TYPE_CDN:
250
			/* disconnect from peer. log it */
251
			l2tp_recv_CDN(_this, pkt, pktlen);
252
			_this->state = L2TP_CALL_STATE_CLEANUP_WAIT;
253
			l2tp_call_notify_down(_this);
254
			l2tp_call_send_ZLB(_this);
255
			return 0;
256
		case L2TP_AVP_MESSAGE_TYPE_ICRQ:
257
		case L2TP_AVP_MESSAGE_TYPE_ICRP:
258
		case L2TP_AVP_MESSAGE_TYPE_ICCN:
259
			send_cdn = 1;
260
			break;
261
		default:
262
			break;
263
		}
264
		l2tp_call_log(_this, LOG_ERR,
265
		    "Call established.  But received %s",
266
		    avp_mes_type_string(mestype));
267
		if (send_cdn) {
268
			l2tp_call_disconnect(_this,
269
			    L2TP_CDN_RCODE_ERROR_CODE,
270
			    L2TP_ECODE_GENERIC_ERROR, "Illegal state.",
271
			    NULL, 0);
272
			return 0;
273
		}
274
		l2tp_call_disconnect(_this, 0, 0, NULL, NULL, 0);
275
		return 1;
276
	}
277
	l2tp_call_log(_this, LOG_INFO, "Received %s in unexpected state=%s",
278
	    avp_mes_type_string(mestype), l2tp_call_state_string(_this));
279
	l2tp_call_disconnect(_this, 0, 0, NULL, NULL, 0);
280
	return 1;
281
}
282
/*
283
 * receieve ICRQ
284
 * @return	return 0 if the ICRQ is acceptable.
285
 *		other values means fail to receive, and
286
 *		CDN was sent and status was updated.
287
 */
288
static int
289
l2tp_call_recv_ICRQ(l2tp_call *_this, u_char *pkt, int pktlen)
290
{
291
	int avpsz, slen;
292
	struct l2tp_avp *avp;
293
	char buf[L2TP_AVP_MAXSIZ], emes[256];
294
295
	avp = (struct l2tp_avp *)buf;
296
	while (pktlen >= 6 && (avpsz = avp_enum(avp, pkt, pktlen, 1)) > 0) {
297
		pkt += avpsz;
298
		pktlen -= avpsz;
299
		if (avp->vendor_id != 0) {
300
			L2TP_CALL_DBG((_this, LOG_DEBUG,
301
			    "Received a Vendor-specific AVP vendor-id=%d "
302
			    "type=%d", avp->vendor_id, avp->attr_type));
303
			continue;
304
		}
305
		if (avp->is_hidden != 0) {
306
			l2tp_call_log(_this, LOG_WARNING,
307
			    "Received AVP (%s/%d) is hidden.  But we don't "
308
			    "share secret.",
309
			    avp_attr_type_string(avp->attr_type),
310
			    avp->attr_type);
311
			if (avp->is_mandatory != 0) {
312
				l2tp_call_disconnect(_this,
313
				    L2TP_CDN_RCODE_ERROR_CODE,
314
				    L2TP_ECODE_UNKNOWN_MANDATORY_AVP, NULL,
315
				    NULL, 0);
316
				return 1;
317
			}
318
			continue;
319
		}
320
		switch (avp->attr_type) {
321
		case L2TP_AVP_TYPE_MESSAGE_TYPE:
322
			AVP_SIZE_CHECK(avp, ==, 8);
323
			continue;
324
		case L2TP_AVP_TYPE_ASSIGNED_SESSION_ID:
325
			AVP_SIZE_CHECK(avp, ==, 8);
326
			_this->peer_session_id = avp_get_val16(avp);
327
			continue;
328
		case L2TP_AVP_TYPE_CALL_SERIAL_NUMBER:
329
		case L2TP_AVP_TYPE_BEARER_TYPE:
330
		case L2TP_AVP_TYPE_PHYSICAL_CHANNEL_ID:
331
			/*
332
			 * Memo:
333
			 * Microsoft "L2TP/IPsec VPN Client" for
334
			 * Windows 98/Me/NT asserts mandatory bit in
335
			 * Physical Channel Id
336
			 */
337
			break;
338
		case L2TP_AVP_TYPE_CALLING_NUMBER:
339
			slen = MINIMUM(sizeof(_this->calling_number) - 1,
340
			    avp_attr_length(avp));
341
			memcpy(_this->calling_number, avp->attr_value, slen);
342
			_this->calling_number[slen] = '\0';
343
			break;
344
		case L2TP_AVP_TYPE_CALLED_NUMBER:
345
		case L2TP_AVP_TYPE_SUB_ADDRESS:
346
			continue;
347
		default:
348
			if (avp->is_mandatory) {
349
				l2tp_call_log(_this, LOG_WARNING,
350
				    "AVP (%s/%d) is not supported, but it's "
351
				    "mandatory",
352
				    avp_attr_type_string(avp->attr_type),
353
				    avp->attr_type);
354
				if (avp->is_mandatory != 0) {
355
					l2tp_call_disconnect(_this,
356
					    L2TP_CDN_RCODE_ERROR_CODE,
357
					    L2TP_ECODE_UNKNOWN_MANDATORY_AVP,
358
					    NULL, NULL, 0);
359
					return 1;
360
				}
361
#ifdef L2TP_CALL_DEBUG
362
			} else {
363
				L2TP_CALL_DBG((_this, LOG_DEBUG,
364
				    "AVP (%s/%d) is not handled",
365
				    avp_attr_type_string(avp->attr_type),
366
				    avp->attr_type));
367
#endif
368
			}
369
		}
370
	}
371
	if (_this->peer_session_id == 0) {
372
		l2tp_call_log(_this, LOG_ERR,
373
		    "Received a bad ICRP: SessionId = 0");
374
		l2tp_call_disconnect(_this, L2TP_CDN_RCODE_ERROR_CODE,
375
		    L2TP_ECODE_INVALID_MESSAGE, "Session Id must not be 0",
376
		    NULL, 0);
377
		return 1;
378
	}
379
	l2tp_call_log(_this, LOG_INFO, "RecvICRQ session_id=%u",
380
	    _this->peer_session_id);
381
382
	return 0;
383
size_check_failed:
384
	l2tp_call_log(_this, LOG_ERR, "Received bad ICRQ: %s", emes);
385
	l2tp_call_disconnect(_this, L2TP_CDN_RCODE_ERROR_CODE,
386
	    L2TP_ECODE_WRONG_LENGTH, NULL, NULL, 0);
387
388
	return 1;
389
}
390
391
/* send ICRP */
392
static int
393
l2tp_call_send_ICRP(l2tp_call *_this)
394
{
395
	int rval;
396
	struct l2tp_avp *avp;
397
	char buf[L2TP_AVP_MAXSIZ];
398
	bytebuffer *bytebuf;
399
400
	bytebuf = l2tp_ctrl_prepare_snd_buffer(_this->ctrl, 1);
401
	if (bytebuf == NULL) {
402
		l2tp_call_log(_this, LOG_ERR, "sending ICRP failed: no buffer");
403
		return 1;
404
	}
405
	avp = (struct l2tp_avp *)buf;
406
407
	/* Message Type = ICRP */
408
	memset(avp, 0, sizeof(*avp));
409
	avp->is_mandatory = 1;
410
	avp->attr_type = L2TP_AVP_TYPE_MESSAGE_TYPE;
411
	avp_set_val16(avp, L2TP_AVP_MESSAGE_TYPE_ICRP);
412
	bytebuf_add_avp(bytebuf, avp, 2);
413
414
	memset(avp, 0, sizeof(*avp));
415
	avp->is_mandatory = 1;
416
	avp->attr_type = L2TP_AVP_TYPE_ASSIGNED_SESSION_ID;
417
	avp_set_val16(avp, _this->session_id);
418
	bytebuf_add_avp(bytebuf, avp, 2);
419
420
	if ((rval = l2tp_ctrl_send_packet(_this->ctrl, _this->peer_session_id,
421
	    bytebuf)) != 0) {
422
		l2tp_call_log(_this, LOG_ERR, "failed to SendICRP: %m");
423
		return 1;
424
	}
425
	l2tp_call_log(_this, LOG_INFO, "SendICRP session_id=%u",
426
	    _this->session_id);
427
	return 0;
428
}
429
430
/* send L2TP data message */
431
static int
432
l2tp_call_send_data_packet(l2tp_call *_this, bytebuffer *buffer)
433
{
434
	int rval;
435
	struct l2tp_header *hdr;
436
437
	bytebuffer_flip(buffer);
438
	hdr = (struct l2tp_header *)bytebuffer_pointer(buffer);
439
	memset(hdr, 0, sizeof(*hdr) - 4);	/* Nr, NS are option */
440
441
	hdr->t = 0;
442
	hdr->ver = L2TP_HEADER_VERSION_RFC2661;
443
	hdr->l = 1;
444
	hdr->length = htons(bytebuffer_remaining(buffer));
445
	hdr->tunnel_id = htons(_this->ctrl->peer_tunnel_id);
446
	hdr->session_id = htons(_this->peer_session_id);
447
	if (_this->use_seq) {
448
		hdr->s = 1;
449
		hdr->ns = htons(_this->snd_nxt++);
450
		hdr->nr = htons(_this->rcv_nxt);
451
	}
452
453
	if (L2TP_CTRL_CONF(_this->ctrl)->data_out_pktdump != 0) {
454
		l2tpd_log(_this->ctrl->l2tpd, LOG_DEBUG,
455
		    "ctrl=%u call=%u L2TP Data output packet dump",
456
		    _this->ctrl->id, _this->id);
457
		show_hd(debug_get_debugfp(), bytebuffer_pointer(buffer),
458
		    bytebuffer_remaining(buffer));
459
	}
460
	if ((rval = l2tp_ctrl_send(_this->ctrl, bytebuffer_pointer(buffer),
461
	    bytebuffer_remaining(buffer))) < 0) {
462
		L2TP_CALL_DBG((_this, LOG_DEBUG, "sendto() failed: %m"));
463
	}
464
465
	return (rval == bytebuffer_remaining(buffer))? 0 : 1;
466
}
467
468
/*
469
 * receive ICCN
470
 * @return	return 0 if the ICCN is acceptable.
471
 *		other value means fail to receive, and
472
 *		CDN was sent and status was updated.
473
 */
474
static int
475
l2tp_call_recv_ICCN(l2tp_call *_this, u_char *pkt, int pktlen,
476
    dialin_proxy_info *dpi)
477
{
478
	int avpsz, tx_conn_speed;
479
	uint32_t framing_type = 0;
480
	struct l2tp_avp *avp;
481
	char buf[L2TP_AVP_MAXSIZ], emes[256];
482
483
	tx_conn_speed = 0;
484
	avp = (struct l2tp_avp *)buf;
485
	while (pktlen >= 6 && (avpsz = avp_enum(avp, pkt, pktlen, 1)) > 0) {
486
		pkt += avpsz;
487
		pktlen -= avpsz;
488
		if (avp->vendor_id != 0) {
489
			L2TP_CALL_DBG((_this, LOG_DEBUG,
490
			    "Received a Vendor-specific AVP vendor-id=%d "
491
			    "type=%d", avp->vendor_id, avp->attr_type));
492
			continue;
493
		}
494
		if (avp->is_hidden != 0) {
495
			l2tp_call_log(_this, LOG_WARNING,
496
			    "Received AVP (%s/%d) is hidden.  But we don't "
497
			    "share secret.",
498
			    avp_attr_type_string(avp->attr_type),
499
			    avp->attr_type);
500
			if (avp->is_mandatory != 0) {
501
				l2tp_call_disconnect(_this,
502
				    L2TP_CDN_RCODE_ERROR_CODE,
503
				    L2TP_ECODE_UNKNOWN_MANDATORY_AVP, NULL,
504
				    NULL, 0);
505
				return 1;
506
			}
507
			continue;
508
		}
509
		switch (avp->attr_type) {
510
		case L2TP_AVP_TYPE_MESSAGE_TYPE:
511
			AVP_SIZE_CHECK(avp, ==, 8);
512
			continue;
513
		case L2TP_AVP_TYPE_RX_CONNECT_SPEED:
514
			/*
515
			 * As RFC 2661 this AVP is not mandatory.  But `xl2tpd'
516
			 * sends this as a mandatory AVP.  Handle this to
517
			 * ignore the xl2tpd' bug.
518
			 */
519
			AVP_SIZE_CHECK(avp, ==, 10);
520
			continue;
521
		case L2TP_AVP_TYPE_TX_CONNECT_SPEED:
522
			AVP_SIZE_CHECK(avp, ==, 10);
523
			tx_conn_speed = avp_get_val32(avp);
524
			continue;
525
		case L2TP_AVP_TYPE_FRAMING_TYPE:
526
			AVP_SIZE_CHECK(avp, ==, 10);
527
			framing_type = avp_get_val32(avp);
528
			continue;
529
		case L2TP_AVP_TYPE_SEQUENCING_REQUIRED:
530
			_this->seq_required = 1;
531
			_this->use_seq = 1;
532
			continue;
533
	    /*
534
	     * AVP's for Proxy-LCP and Proxy-Authen
535
	     */
536
		case L2TP_AVP_TYPE_LAST_SENT_LCP_CONFREQ:
537
			AVP_MAXLEN_CHECK(avp, sizeof(dpi->last_sent_lcp.data));
538
			memcpy(dpi->last_sent_lcp.data, avp->attr_value,
539
			    avp_attr_length(avp));
540
			dpi->last_sent_lcp.ldata = avp_attr_length(avp);
541
			break;
542
		case L2TP_AVP_TYPE_LAST_RECV_LCP_CONFREQ:
543
			AVP_MAXLEN_CHECK(avp, sizeof(dpi->last_recv_lcp.data));
544
			memcpy(dpi->last_recv_lcp.data, avp->attr_value,
545
			    avp_attr_length(avp));
546
			dpi->last_recv_lcp.ldata = avp_attr_length(avp);
547
			break;
548
		case L2TP_AVP_TYPE_PROXY_AUTHEN_CHALLENGE:
549
			AVP_MAXLEN_CHECK(avp, sizeof(dpi->auth_chall));
550
			memcpy(dpi->auth_chall, avp->attr_value,
551
			    avp_attr_length(avp));
552
			dpi->lauth_chall = avp_attr_length(avp);
553
			break;
554
		case L2TP_AVP_TYPE_PROXY_AUTHEN_ID:
555
			AVP_SIZE_CHECK(avp, ==, 8);
556
			dpi->auth_id = avp_get_val16(avp);
557
			break;
558
		case L2TP_AVP_TYPE_PROXY_AUTHEN_NAME:
559
			AVP_MAXLEN_CHECK(avp, sizeof(dpi->username) - 1);
560
			memcpy(dpi->username, avp->attr_value,
561
			    avp_attr_length(avp));
562
			break;
563
		case L2TP_AVP_TYPE_PROXY_AUTHEN_RESPONSE:
564
			AVP_MAXLEN_CHECK(avp, sizeof(dpi->auth_resp));
565
			memcpy(dpi->auth_resp, avp->attr_value,
566
			    avp_attr_length(avp));
567
			dpi->lauth_resp = avp_attr_length(avp);
568
			break;
569
		case L2TP_AVP_TYPE_PROXY_AUTHEN_TYPE:
570
			AVP_SIZE_CHECK(avp, ==, 8);
571
			switch (avp_get_val16(avp)) {
572
			default:
573
				l2tp_call_log(_this, LOG_WARNING,
574
				    "RecvICCN Unknown proxy-authen-type=%d",
575
				    avp_get_val16(avp));
576
				/* FALLTHROUGH */
577
			case L2TP_AUTH_TYPE_NO_AUTH:
578
				dpi->auth_type = 0;
579
				break;
580
			case L2TP_AUTH_TYPE_PPP_CHAP:
581
				dpi->auth_type = PPP_AUTH_CHAP_MD5;
582
				break;
583
			case L2TP_AUTH_TYPE_PPP_PAP:
584
				dpi->auth_type = PPP_AUTH_PAP;
585
				break;
586
			case L2TP_AUTH_TYPE_MS_CHAP_V1:
587
				dpi->auth_type = PPP_AUTH_CHAP_MS;
588
				break;
589
			}
590
			break;
591
		default:
592
			if (avp->is_mandatory != 0) {
593
				l2tp_call_log(_this, LOG_WARNING,
594
				    "AVP (%s/%d) is not supported, but it's "
595
				    "mandatory",
596
				    avp_attr_type_string(avp->attr_type),
597
				    avp->attr_type);
598
				l2tp_call_disconnect(_this,
599
				    L2TP_CDN_RCODE_ERROR_CODE,
600
				    L2TP_ECODE_UNKNOWN_MANDATORY_AVP, NULL,
601
				    NULL, 0);
602
				return 1;
603
#ifdef L2TP_CALL_DEBUG
604
			} else {
605
				L2TP_CALL_DBG((_this, LOG_DEBUG,
606
				    "AVP (%s/%d) is not handled",
607
				    avp_attr_type_string(avp->attr_type),
608
				    avp->attr_type));
609
#endif
610
			}
611
		}
612
	}
613
	l2tp_call_log(_this, LOG_INFO, "RecvICCN "
614
	    "session_id=%u calling_number=%s tx_conn_speed=%u framing=%s",
615
	    _this->peer_session_id, _this->calling_number, tx_conn_speed,
616
	    ((framing_type & L2TP_FRAMING_CAP_FLAGS_ASYNC) != 0)? "async" :
617
	    ((framing_type & L2TP_FRAMING_CAP_FLAGS_SYNC) != 0)? "sync" :
618
	    "unknown");
619
620
	return 0;
621
size_check_failed:
622
	l2tp_call_log(_this, LOG_ERR, "Received bad ICCN: %s", emes);
623
	l2tp_call_disconnect(_this, L2TP_CDN_RCODE_ERROR_CODE,
624
	    L2TP_ECODE_WRONG_LENGTH, NULL, NULL, 0);
625
	return 1;
626
}
627
628
/* receive CDN */
629
static int
630
l2tp_recv_CDN(l2tp_call *_this, u_char *pkt, int pktlen)
631
{
632
	int result, error, avpsz, len, sessid;
633
	struct l2tp_avp *avp;
634
	char buf[L2TP_AVP_MAXSIZ], emes[256], pmes[256];
635
636
	/* initialize */
637
	result = 0;
638
	error = 0;
639
	sessid = 0;
640
	strlcpy(pmes, "(none)", sizeof(pmes));
641
642
	avp = (struct l2tp_avp *)buf;
643
	while (pktlen >= 6 && (avpsz = avp_enum(avp, pkt, pktlen, 1)) > 0) {
644
		pkt += avpsz;
645
		pktlen -= avpsz;
646
		if (avp->vendor_id != 0) {
647
			L2TP_CALL_DBG((_this, LOG_DEBUG,
648
			    "Received a Vendor-specific AVP vendor-id=%d "
649
			    "type=%d", avp->vendor_id, avp->attr_type));
650
			continue;
651
		}
652
		if (avp->is_hidden != 0) {
653
			l2tp_call_log(_this, LOG_WARNING,
654
			    "Received AVP (%s/%d) is hidden.  But we don't "
655
			    "share secret.",
656
			    avp_attr_type_string(avp->attr_type),
657
			    avp->attr_type);
658
			if (avp->is_mandatory != 0) {
659
				l2tp_call_disconnect(_this,
660
				    L2TP_CDN_RCODE_ERROR_CODE,
661
				    L2TP_ECODE_UNKNOWN_MANDATORY_AVP, NULL,
662
				    NULL, 0);
663
				return 1;
664
			}
665
			continue;
666
		}
667
		switch (avp->attr_type) {
668
		case L2TP_AVP_TYPE_MESSAGE_TYPE:
669
			AVP_SIZE_CHECK(avp, ==, 8);
670
			continue;
671
		case L2TP_AVP_TYPE_RESULT_CODE:
672
			AVP_SIZE_CHECK(avp, >=, 8);
673
			result = avp->attr_value[0] << 8 | avp->attr_value[1];
674
			if (avp->length >= 10) {
675
				error = avp->attr_value[2] << 8 |
676
				    avp->attr_value[3];
677
				len = avp->length - 12;
678
				if (len > 0) {
679
					len = MINIMUM(len, sizeof(pmes) - 1);
680
					memcpy(pmes, &avp->attr_value[4], len);
681
					pmes[len] = '\0';
682
				}
683
			}
684
			continue;
685
		case L2TP_AVP_TYPE_ASSIGNED_SESSION_ID:
686
			AVP_SIZE_CHECK(avp, >=, 8);
687
			sessid = avp_get_val16(avp);
688
			continue;
689
		default:
690
			if (avp->is_mandatory) {
691
				l2tp_call_log(_this, LOG_WARNING,
692
				    "AVP (%s/%d) is not supported, but it's "
693
				    "mandatory",
694
				    avp_attr_type_string(avp->attr_type),
695
				    avp->attr_type);
696
				if (avp->is_mandatory != 0) {
697
					l2tp_call_disconnect(_this,
698
					    L2TP_CDN_RCODE_ERROR_CODE,
699
					    L2TP_ECODE_UNKNOWN_MANDATORY_AVP,
700
					    NULL, NULL, 0);
701
					return 1;
702
				}
703
#ifdef L2TP_CALL_DEBUG
704
			} else {
705
				L2TP_CALL_DBG((_this, LOG_DEBUG,
706
				    "AVP (%s/%d) is not handled",
707
				    avp_attr_type_string(avp->attr_type),
708
				    avp->attr_type));
709
#endif
710
			}
711
		}
712
	}
713
	if (error == 0) {
714
		l2tp_call_log(_this, LOG_INFO,
715
		    "RecvCDN result=%s/%d", l2tp_cdn_rcode_string(result),
716
		    result);
717
	} else {
718
		l2tp_call_log(_this, LOG_INFO,
719
		    "RecvCDN result=%s/%d error=%s/%d message=%s",
720
		    l2tp_cdn_rcode_string(result), result,
721
		    l2tp_ecode_string(error), error, pmes);
722
	}
723
724
	return 0;
725
726
size_check_failed:
727
	/* continue to process even if the CDN message was broken */
728
	l2tp_call_log(_this, LOG_ERR, "Received bad CDN: %s", emes);
729
730
	return 0;
731
}
732
733
/* send CDN */
734
static int
735
l2tp_call_send_CDN(l2tp_call *_this, int result_code, int error_code, const
736
    char *errmes, struct l2tp_avp *addavp[], int naddavp)
737
{
738
	uint32_t val32;
739
	int i, avplen, len;
740
	struct l2tp_avp *avp;
741
	char buf[L2TP_AVP_MAXSIZ];
742
	bytebuffer *bytebuf;
743
744
	L2TP_CALL_ASSERT(_this != NULL);
745
	bytebuf = l2tp_ctrl_prepare_snd_buffer(_this->ctrl, 1);
746
	if (bytebuf == NULL) {
747
		l2tp_call_log(_this, LOG_ERR, "sending CDN failed: no buffer");
748
		return 1;
749
	}
750
	avp = (struct l2tp_avp *)buf;
751
752
	/* Message Type = CDN */
753
	memset(avp, 0, sizeof(*avp));
754
	avp->is_mandatory = 1;
755
	avp->attr_type = L2TP_AVP_TYPE_MESSAGE_TYPE;
756
	avp_set_val16(avp, L2TP_AVP_MESSAGE_TYPE_CDN);
757
	bytebuf_add_avp(bytebuf, avp, 2);
758
759
	/* Result Code */
760
	memset(avp, 0, sizeof(*avp));
761
	avp->is_mandatory = 1;
762
	avp->attr_type = L2TP_AVP_TYPE_RESULT_CODE;
763
#if 0
764
/*
765
 * Windows 2000 work around:
766
 * Windows 2000 will return "2 - Length is wrong" in StopCCN,
767
 * when it received "length = 8 and no error code AVP".
768
 * Avoid the error, use AVP length = 10.
769
 */
770
	if (error_code > 0) {
771
		val32 = (result_code << 16) | (error_code & 0xffff);
772
		avplen = 4;
773
		avp_set_val32(avp, val32);
774
	} else {
775
		avplen = 2;
776
		avp_set_val16(avp, result_code);
777
	}
778
#else
779
	val32 = (result_code << 16) | (error_code & 0xffff);
780
	avplen = 4;
781
	avp_set_val32(avp, val32);
782
#endif
783
784
	if (errmes != NULL) {
785
		len = MINIMUM(strlen(errmes), L2TP_AVP_MAXSIZ - 128);
786
		memcpy(&avp->attr_value[avplen], errmes, len);
787
		avplen += len;
788
	}
789
	bytebuf_add_avp(bytebuf, avp, avplen);
790
791
	/* Assigned Session Id */
792
	memset(avp, 0, sizeof(*avp));
793
	avp->is_mandatory = 1;
794
	avp->attr_type = L2TP_AVP_TYPE_ASSIGNED_SESSION_ID;
795
	if (_this != NULL && _this->session_id != 0)
796
		avp_set_val16(avp, _this->session_id);
797
	else
798
		avp_set_val16(avp, 0);
799
	bytebuf_add_avp(bytebuf, avp, 2);
800
801
	for (i = 0; i < naddavp; i++)
802
		bytebuf_add_avp(bytebuf, addavp[i], addavp[i]->length - 6);
803
804
	if (l2tp_ctrl_send_packet(_this->ctrl, _this->peer_session_id,
805
	    bytebuf) != 0) {
806
		l2tp_call_log(_this, LOG_ERR, "Error sending CDN: %m");
807
		return 1;
808
	}
809
810
	if (error_code > 0) {
811
		l2tp_call_log(_this, LOG_INFO,
812
		    "SendCDN result=%s/%d error=%s/%d messsage=%s",
813
		    l2tp_cdn_rcode_string(result_code), result_code,
814
		    l2tp_ecode_string(error_code), error_code,
815
		    (errmes == NULL)? "none" : errmes);
816
	} else {
817
		l2tp_call_log(_this, LOG_INFO, "SendCDN result=%s/%d",
818
		    l2tp_cdn_rcode_string(result_code), result_code);
819
	}
820
821
	return 0;
822
}
823
824
/* send ZLB */
825
static int
826
l2tp_call_send_ZLB(l2tp_call *_this)
827
{
828
	bytebuffer *bytebuf;
829
830
	l2tp_call_log(_this, LOG_INFO, "SendZLB");
831
	bytebuf = l2tp_ctrl_prepare_snd_buffer(_this->ctrl, 1);
832
	if (bytebuf == NULL) {
833
		l2tp_call_log(_this, LOG_ERR, "sending ZLB failed: no buffer");
834
		return 1;
835
	}
836
	return l2tp_ctrl_send_packet(_this->ctrl, _this->peer_session_id,
837
	    bytebuf);
838
}
839
840
/*
841
 * misc
842
 */
843
/* logging with the label of the instance */
844
static void
845
l2tp_call_log(l2tp_call *_this, int prio, const char *fmt, ...)
846
{
847
	char logbuf[BUFSIZ];
848
	va_list ap;
849
850
	va_start(ap, fmt);
851
#ifdef	L2TPD_MULTIPLE
852
	snprintf(logbuf, sizeof(logbuf), "l2tpd id=%u ctrl=%u call=%u %s",
853
	    _this->ctrl->l2tpd->id, _this->ctrl->id, _this->id, fmt);
854
#else
855
	snprintf(logbuf, sizeof(logbuf), "l2tpd ctrl=%u call=%u %s",
856
	    _this->ctrl->id, _this->id, fmt);
857
#endif
858
	vlog_printf(prio, logbuf, ap);
859
	va_end(ap);
860
}
861
862
/* convert current status to strings */
863
static inline const char *
864
l2tp_call_state_string(l2tp_call *_this)
865
{
866
	switch (_this->state) {
867
	case L2TP_CALL_STATE_IDLE:		return "idle";
868
	case L2TP_CALL_STATE_WAIT_CONN:		return "wait-conn";
869
	case L2TP_CALL_STATE_ESTABLISHED:	return "established";
870
	case L2TP_CALL_STATE_CLEANUP_WAIT:	return "cleanup-wait";
871
	}
872
	return "unknown";
873
}
874
875
/*
876
 * npppd physical layer
877
 */
878
879
/* input packet to ppp */
880
void
881
l2tp_call_ppp_input(l2tp_call *_this, u_char *pkt, int pktlen, int delayed)
882
{
883
	int rval;
884
	npppd_ppp *ppp;
885
886
	ppp = _this->ppp;
887
	rval = ppp->recv_packet(ppp, pkt, pktlen,
888
	    delayed ? PPP_IO_FLAGS_DELAYED : 0);
889
890
	if (_this->ppp == NULL)		/* ppp is freed */
891
		return;
892
893
	if (rval != 0)
894
		ppp->ierrors++;
895
	else {
896
		ppp->ipackets++;
897
		ppp->ibytes += pktlen;
898
	}
899
}
900
901
/* called ppp output a packet */
902
static int
903
l2tp_call_ppp_output(npppd_ppp *ppp, unsigned char *bytes, int nbytes,
904
    int flags)
905
{
906
	l2tp_call *_this;
907
	bytebuffer *bytebuf;
908
909
	_this = ppp->phy_context;
910
911
	bytebuf = l2tp_ctrl_prepare_snd_buffer(_this->ctrl, _this->use_seq);
912
913
	if (bytebuf != NULL) {
914
		bytebuffer_put(bytebuf, bytes, nbytes);
915
		if (l2tp_call_send_data_packet(_this, bytebuf) != 0)
916
			ppp->oerrors++;
917
		else {
918
			ppp->opackets++;
919
			ppp->obytes += nbytes;
920
		}
921
	} else
922
		ppp->oerrors++;
923
924
	return 0;
925
}
926
927
/* it will be called when the connection was closed at ppp */
928
static void
929
l2tp_call_closed_by_ppp(npppd_ppp *ppp)
930
{
931
	l2tp_call *_this;
932
933
	L2TP_CALL_ASSERT(ppp != NULL);
934
	L2TP_CALL_ASSERT(ppp->phy_context != NULL);
935
936
	_this = ppp->phy_context;
937
938
	/* do before l2tp_call_disconnect() */
939
	_this->ppp = NULL;
940
941
	if (_this->state == L2TP_CALL_STATE_CLEANUP_WAIT) {
942
		/*  no need to call l2tp_call_disconnect */
943
	} else if (ppp->disconnect_code == PPP_DISCON_NO_INFORMATION) {
944
		l2tp_call_disconnect(_this,
945
		    L2TP_CDN_RCODE_ADMINISTRATIVE_REASON, 0, NULL, NULL, 0);
946
	} else {
947
		/*
948
		 * RFC3145 L2TP Disconnect Cause Information
949
		 */
950
		struct l2tp_avp *avp[1];
951
		struct _ppp_cause {
952
			struct l2tp_avp avp;
953
			uint16_t	code;
954
			uint16_t	proto;
955
			uint8_t		direction;
956
			char		message[128];
957
		} __attribute__((__packed__)) ppp_cause;
958
959
		ppp_cause.avp.is_mandatory = 0;
960
		ppp_cause.avp.is_hidden = 0;
961
		ppp_cause.avp.vendor_id = 0;	/* ietf */
962
		ppp_cause.avp.attr_type =
963
		    L2TP_AVP_TYPE_PPP_DISCONNECT_CAUSE_CODE;
964
		ppp_cause.code = htons(ppp->disconnect_code);
965
		ppp_cause.proto = htons(ppp->disconnect_proto);
966
		ppp_cause.direction = ppp->disconnect_direction;
967
		ppp_cause.avp.length = offsetof(struct _ppp_cause, message[0]);
968
969
		if (ppp->disconnect_message != NULL) {
970
			strlcpy(ppp_cause.message, ppp->disconnect_message,
971
			    sizeof(ppp_cause.message));
972
			ppp_cause.avp.length += strlen(ppp_cause.message);
973
		}
974
		avp[0] = &ppp_cause.avp;
975
		l2tp_call_disconnect(_this,
976
		    L2TP_CDN_RCODE_ERROR_CODE, L2TP_ECODE_GENERIC_ERROR,
977
		    "Disconnected by local PPP", avp, 1);
978
	}
979
	l2tp_call_log(_this, LOG_NOTICE, "logtype=PPPUnbind");
980
}
981
982
/* notify disconnection to ppp to terminate or free of ppp */
983
static void
984
l2tp_call_notify_down(l2tp_call *_this)
985
{
986
	if (_this->ppp != NULL)
987
		ppp_phy_downed(_this->ppp);
988
}
989
990
/* bind ppp */
991
static int
992
l2tp_call_bind_ppp(l2tp_call *_this, dialin_proxy_info *dpi)
993
{
994
	int code, errcode;
995
	npppd_ppp *ppp;
996
997
	code = L2TP_CDN_RCODE_BUSY;
998
	errcode = 0;
999
	ppp = NULL;
1000
	if ((ppp = ppp_create()) == NULL)
1001
		goto fail;
1002
1003
	ASSERT(_this->ppp == NULL);
1004
1005
	if (_this->ppp != NULL)
1006
		return -1;
1007
1008
	_this->ppp = ppp;
1009
1010
	ppp->tunnel_type = NPPPD_TUNNEL_L2TP;
1011
	ppp->tunnel_session_id = _this->session_id;
1012
	ppp->phy_context = _this;
1013
	ppp->send_packet = l2tp_call_ppp_output;
1014
	ppp->phy_close = l2tp_call_closed_by_ppp;
1015
1016
	strlcpy(ppp->phy_label, L2TP_CTRL_LISTENER_TUN_NAME(_this->ctrl),
1017
	    sizeof(ppp->phy_label));
1018
	L2TP_CALL_ASSERT(sizeof(ppp->phy_info) >= _this->ctrl->peer.ss_len);
1019
	memcpy(&ppp->phy_info, &_this->ctrl->peer,
1020
	    MINIMUM(sizeof(ppp->phy_info), _this->ctrl->peer.ss_len));
1021
	strlcpy(ppp->calling_number, _this->calling_number,
1022
	    sizeof(ppp->calling_number));
1023
	if (ppp_init(npppd_get_npppd(), ppp) != 0) {
1024
		l2tp_call_log(_this, LOG_ERR, "failed binding ppp");
1025
		goto fail;
1026
	}
1027
1028
	l2tp_call_log(_this, LOG_NOTICE, "logtype=PPPBind ppp=%d", ppp->id);
1029
	if (DIALIN_PROXY_IS_REQUESTED(dpi)) {
1030
		if (!L2TP_CTRL_CONF(_this->ctrl)->accept_dialin) {
1031
			l2tp_call_log(_this, LOG_ERR,
1032
			    "'accept_dialin' is 'false' in the setting.");
1033
			code = L2TP_CDN_RCODE_ERROR_CODE;
1034
			errcode = L2TP_ECODE_INVALID_MESSAGE;
1035
			goto fail;
1036
		}
1037
1038
		if (ppp_dialin_proxy_prepare(ppp, dpi) != 0) {
1039
			code = L2TP_CDN_RCODE_TEMP_NOT_AVALIABLE;
1040
			goto fail;
1041
		}
1042
	}
1043
	ppp_start(ppp);
1044
1045
	return 0;
1046
fail:
1047
	if (ppp != NULL)
1048
		ppp_destroy(ppp);
1049
	_this->ppp = NULL;
1050
1051
	l2tp_call_disconnect(_this, code, errcode, NULL, NULL, 0);
1052
	return 1;
1053
}