1 /* $OpenBSD: l2tp_ctrl.c,v 1.27 2022/12/28 21:30:17 jmc Exp $ */
2
3 /*-
4 * Copyright (c) 2009 Internet Initiative Japan Inc.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28 /**@file Control connection processing functions for L2TP LNS */
29 /* $Id: l2tp_ctrl.c,v 1.27 2022/12/28 21:30:17 jmc Exp $ */
30 #include <sys/types.h>
31 #include <sys/time.h>
32 #include <sys/socket.h>
33 #include <netinet/in.h>
34 #include <net/if.h>
35 #include <arpa/inet.h>
36 #include <endian.h>
37 #include <errno.h>
38 #include <event.h>
39 #include <netdb.h>
40 #include <stdarg.h>
41 #include <stddef.h>
42 #include <stdio.h>
43 #include <stdlib.h>
44 #include <string.h>
45 #include <syslog.h>
46 #include <time.h>
47 #include <unistd.h>
48 #include <limits.h>
49
50 #ifdef USE_LIBSOCKUTIL
51 #include <seil/sockfromto.h>
52 #endif
53
54 #include "time_utils.h"
55 #include "bytebuf.h"
56 #include "hash.h"
57 #include "debugutil.h"
58 #include "slist.h"
59 #include "l2tp.h"
60 #include "l2tp_local.h"
61 #include "l2tp_subr.h"
62 #include "net_utils.h"
63 #include "version.h"
64 #include "recvfromto.h"
65
66 #define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))
67
68 static int l2tp_ctrl_init(l2tp_ctrl *, l2tpd *, struct sockaddr *, struct sockaddr *, void *);
69 static void l2tp_ctrl_reload(l2tp_ctrl *);
70 static int l2tp_ctrl_send_disconnect_notify(l2tp_ctrl *);
71 static void l2tp_ctrl_timeout(int, short, void *);
72 static int l2tp_ctrl_resend_una_packets(l2tp_ctrl *, bool);
73 static void l2tp_ctrl_destroy_all_calls(l2tp_ctrl *);
74 static int l2tp_ctrl_disconnect_all_calls(l2tp_ctrl *, int);
75 static void l2tp_ctrl_reset_timeout(l2tp_ctrl *);
76 static int l2tp_ctrl_txwin_size(l2tp_ctrl *);
77 static bool l2tp_ctrl_txwin_is_full(l2tp_ctrl *);
78 static bool l2tp_ctrl_in_peer_window(l2tp_ctrl *, uint16_t);
79 static bool l2tp_ctrl_in_our_window(l2tp_ctrl *, uint16_t);
80 static int l2tp_ctrl_recv_SCCRQ(l2tp_ctrl *, u_char *, int, l2tpd *, struct sockaddr *);
81 static int l2tp_ctrl_send_StopCCN(l2tp_ctrl *, int);
82 static int l2tp_ctrl_recv_StopCCN(l2tp_ctrl *, u_char *, int);
83 static void l2tp_ctrl_send_SCCRP(l2tp_ctrl *);
84 static int l2tp_ctrl_send_HELLO(l2tp_ctrl *);
85 static int l2tp_ctrl_send_ZLB(l2tp_ctrl *);
86 static const char *l2tp_ctrl_state_string(l2tp_ctrl *);
87
88 #ifdef L2TP_CTRL_DEBUG
89 #define L2TP_CTRL_ASSERT(x) ASSERT(x)
90 #define L2TP_CTRL_DBG(x) l2tp_ctrl_log x
91 #else
92 #define L2TP_CTRL_ASSERT(x)
93 #define L2TP_CTRL_DBG(x)
94 #endif
95
96 /* Sequence # of l2tp_ctrl ID */
97 static u_int l2tp_ctrl_id_seq = 0;
98
99 #define SEQ_LT(a,b) ((int16_t)((a) - (b)) < 0)
100 #define SEQ_GT(a,b) ((int16_t)((a) - (b)) > 0)
101
102 /**
103 * Build instance of {@link ::_l2tp_ctrl L2TP LNS control connection}
104 */
105 l2tp_ctrl *
l2tp_ctrl_create(void)106 l2tp_ctrl_create(void)
107 {
108
109 return calloc(1, sizeof(l2tp_ctrl));
110 }
111
112 /**
113 * initialize and startup of {@link ::_l2tp_ctrl L2TP LNS control connection}
114 * instance
115 */
116 static int
l2tp_ctrl_init(l2tp_ctrl * _this,l2tpd * _l2tpd,struct sockaddr * peer,struct sockaddr * sock,void * nat_t_ctx)117 l2tp_ctrl_init(l2tp_ctrl *_this, l2tpd *_l2tpd, struct sockaddr *peer,
118 struct sockaddr *sock, void *nat_t_ctx)
119 {
120 int tunid, i;
121 bytebuffer *bytebuf;
122 time_t curr_time;
123
124 memset(_this, 0, sizeof(l2tp_ctrl));
125
126 curr_time = get_monosec();
127 _this->l2tpd = _l2tpd;
128 _this->state = L2TP_CTRL_STATE_IDLE;
129 _this->last_snd_ctrl = curr_time;
130
131 slist_init(&_this->call_list);
132
133 /* seek a free tunnel ID */
134 i = 0;
135 _this->id = ++l2tp_ctrl_id_seq;
136 for (i = 0, tunid = _this->id; ; i++, tunid++) {
137 tunid &= 0xffff;
138 _this->tunnel_id = l2tp_ctrl_id_seq & 0xffff;
139 if (tunid == 0)
140 continue;
141 if (l2tpd_get_ctrl(_l2tpd, tunid) == NULL)
142 break;
143 if (i > 80000) {
144 /* this must be happen, just log it. */
145 l2tpd_log(_l2tpd, LOG_ERR, "Too many l2tp controls");
146 return -1;
147 }
148 }
149
150 _this->tunnel_id = tunid;
151
152 L2TP_CTRL_ASSERT(peer != NULL);
153 L2TP_CTRL_ASSERT(sock != NULL);
154 memcpy(&_this->peer, peer, peer->sa_len);
155 memcpy(&_this->sock, sock, sock->sa_len);
156
157 /* prepare send buffer */
158 _this->winsz = L2TPD_DEFAULT_SEND_WINSZ;
159 /*
160 * _this->winsz is informed as our receive window size. Also
161 * MIN(_this->winsz, _this->peer_winsiz) is used for the size of
162 * transmit side window. We need winsz * 2 sized buffer so that a
163 * stingy client can fill both of window separately.
164 */
165 _this->snd_buffercnt = _this->winsz * 2;
166 if ((_this->snd_buffers = calloc(_this->snd_buffercnt,
167 sizeof(bytebuffer *))) == NULL) {
168 l2tpd_log(_l2tpd, LOG_ERR,
169 "calloc() failed in %s(): %m", __func__);
170 goto fail;
171 }
172 for (i = 0; i < _this->snd_buffercnt; i++) {
173 if ((bytebuf = bytebuffer_create(L2TPD_SND_BUFSIZ)) == NULL) {
174 l2tpd_log(_l2tpd, LOG_ERR,
175 "bytebuffer_create() failed in %s(): %m", __func__);
176 goto fail;
177 }
178 _this->snd_buffers[i] = bytebuf;
179 }
180 if ((_this->zlb_buffer = bytebuffer_create(sizeof(struct l2tp_header)
181 + 128)) == NULL) {
182 l2tpd_log(_l2tpd, LOG_ERR,
183 "bytebuffer_create() failed in %s(): %m", __func__);
184 goto fail;
185 }
186 #if defined(USE_LIBSOCKUTIL) || defined(USE_SA_COOKIE)
187 if (nat_t_ctx != NULL) {
188 if ((_this->sa_cookie = malloc(
189 sizeof(struct in_ipsec_sa_cookie))) != NULL) {
190 *(struct in_ipsec_sa_cookie *)_this->sa_cookie =
191 *(struct in_ipsec_sa_cookie *)nat_t_ctx;
192 } else {
193 l2tpd_log(_l2tpd, LOG_ERR,
194 "creating sa_cookie failed: %m");
195 goto fail;
196 }
197 }
198 #endif
199 _this->hello_interval = L2TP_CTRL_DEFAULT_HELLO_INTERVAL;
200 _this->hello_timeout = L2TP_CTRL_DEFAULT_HELLO_TIMEOUT;
201 _this->hello_io_time = curr_time;
202
203 /* initialize timeout timer */
204 l2tp_ctrl_reset_timeout(_this);
205
206 /* register l2tp context */
207 l2tpd_add_ctrl(_l2tpd, _this);
208 return 0;
209 fail:
210 l2tp_ctrl_stop(_this, 0);
211 return -1;
212 }
213
214 /*
215 * setup {@link ::_l2tp_ctrl L2TP LNS control connection} instance
216 */
217 static void
l2tp_ctrl_reload(l2tp_ctrl * _this)218 l2tp_ctrl_reload(l2tp_ctrl *_this)
219 {
220 _this->data_use_seq = L2TP_CTRL_CONF(_this)->data_use_seq;
221 if (L2TP_CTRL_CONF(_this)->hello_interval != 0)
222 _this->hello_interval = L2TP_CTRL_CONF(_this)->hello_interval;
223 if (L2TP_CTRL_CONF(_this)->hello_timeout != 0)
224 _this->hello_timeout = L2TP_CTRL_CONF(_this)->hello_timeout;
225 }
226
227 /*
228 * free {@link ::_l2tp_ctrl L2TP LNS control connection} instance
229 */
230 void
l2tp_ctrl_destroy(l2tp_ctrl * _this)231 l2tp_ctrl_destroy(l2tp_ctrl *_this)
232 {
233 L2TP_CTRL_ASSERT(_this != NULL);
234 #if defined(USE_LIBSOCKUTIL) || defined(USE_SA_COOKIE)
235 free(_this->sa_cookie);
236 #endif
237 free(_this);
238 }
239
240 /*
241 * nortify disconnection to peer
242 *
243 * @return 0: all CDN and StopCCN have been sent.
244 * N: if the remaining calls which still not sent CDN exist,
245 * return # of the calls.
246 * -1: when try to send of StopCCN failed.
247 */
248 static int
l2tp_ctrl_send_disconnect_notify(l2tp_ctrl * _this)249 l2tp_ctrl_send_disconnect_notify(l2tp_ctrl *_this)
250 {
251 int ncalls;
252
253 L2TP_CTRL_ASSERT(_this != NULL)
254 L2TP_CTRL_ASSERT(_this->state == L2TP_CTRL_STATE_ESTABLISHED ||
255 _this->state == L2TP_CTRL_STATE_CLEANUP_WAIT);
256
257 /* this control is not actively closing or StopCCN have been sent */
258 if (_this->active_closing == 0)
259 return 0;
260
261 /* Send CDN all Calls */
262 ncalls = 0;
263 if (slist_length(&_this->call_list) != 0) {
264 ncalls = l2tp_ctrl_disconnect_all_calls(_this, 0);
265 if (ncalls > 0) {
266 /*
267 * Call the function again to check whether the
268 * sending window is fulled. In case ncalls == 0,
269 * it means we've sent CDN for all calls.
270 */
271 ncalls = l2tp_ctrl_disconnect_all_calls(_this, 0);
272 }
273 }
274 if (ncalls > 0)
275 return ncalls;
276
277 if (l2tp_ctrl_send_StopCCN(_this, _this->active_closing) != 0)
278 return -1;
279 _this->active_closing = 0;
280
281 return 0;
282 }
283
284 /*
285 * Terminate the control connection
286 *
287 * <p>
288 * please specify an appropriate value to result( >0 ) for
289 * StopCCN ResultCode AVP, when to sent Active Close (which
290 * require StopCCN sent).</p>
291 * <p>
292 * When the return value of this function is zero, the _this
293 * is already released. The lt2p_ctrl process that was bound to it
294 * could not continue.
295 * When the return value of this function is one, the timer
296 * is reset.</p>
297 *
298 * @return return 0 if terminate process was completed.
299 */
300 int
l2tp_ctrl_stop(l2tp_ctrl * _this,int result)301 l2tp_ctrl_stop(l2tp_ctrl *_this, int result)
302 {
303 int i;
304 l2tpd *_l2tpd;
305
306 L2TP_CTRL_ASSERT(_this != NULL);
307
308 switch (_this->state) {
309 case L2TP_CTRL_STATE_ESTABLISHED:
310 _this->state = L2TP_CTRL_STATE_CLEANUP_WAIT;
311 if (result > 0) {
312 _this->active_closing = result;
313 l2tp_ctrl_send_disconnect_notify(_this);
314 break;
315 }
316 goto cleanup;
317 default:
318 l2tp_ctrl_log(_this, LOG_DEBUG, "%s() unexpected state=%s",
319 __func__, l2tp_ctrl_state_string(_this));
320 /* FALLTHROUGH */
321 case L2TP_CTRL_STATE_WAIT_CTL_CONN:
322 /* FALLTHROUGH */
323 case L2TP_CTRL_STATE_CLEANUP_WAIT:
324 cleanup:
325 if (slist_length(&_this->call_list) != 0) {
326 if (l2tp_ctrl_disconnect_all_calls(_this, 1) > 0)
327 break;
328 }
329
330 l2tp_ctrl_log(_this, LOG_NOTICE, "logtype=Finished");
331
332 evtimer_del(&_this->ev_timeout);
333
334 /* free send buffer */
335 if (_this->snd_buffers != NULL) {
336 for (i = 0; i < _this->snd_buffercnt; i++)
337 bytebuffer_destroy(_this->snd_buffers[i]);
338 free(_this->snd_buffers);
339 _this->snd_buffers = NULL;
340 }
341 if (_this->zlb_buffer != NULL) {
342 bytebuffer_destroy(_this->zlb_buffer);
343 _this->zlb_buffer = NULL;
344 }
345
346 /* free l2tp_call */
347 l2tp_ctrl_destroy_all_calls(_this);
348 slist_fini(&_this->call_list);
349
350 l2tpd_remove_ctrl(_this->l2tpd, _this->tunnel_id);
351
352 _l2tpd = _this->l2tpd;
353 l2tp_ctrl_destroy(_this);
354
355 l2tpd_ctrl_finished_notify(_l2tpd);
356 return 0; /* stopped */
357 }
358 l2tp_ctrl_reset_timeout(_this);
359
360 return 1;
361 }
362
363 /* timeout processing */
364 static void
l2tp_ctrl_timeout(int fd,short evtype,void * ctx)365 l2tp_ctrl_timeout(int fd, short evtype, void *ctx)
366 {
367 int next_timeout, need_resend;
368 time_t curr_time;
369 l2tp_ctrl *_this;
370 l2tp_call *call;
371
372 /*
373 * the timer must be reset, when leave this function.
374 * MEMO: l2tp_ctrl_stop() will reset the timer in it.
375 * and please remember that the l2tp_ctrl_stop() may free _this.
376 */
377 _this = ctx;
378 L2TP_CTRL_ASSERT(_this != NULL);
379
380 curr_time = get_monosec();
381
382 next_timeout = 2;
383 need_resend = 0;
384
385 if (l2tp_ctrl_txwin_size(_this) > 0) {
386 if (_this->state == L2TP_CTRL_STATE_ESTABLISHED) {
387 if (_this->hello_wait_ack != 0) {
388 /* wait Hello reply */
389 if (curr_time - _this->hello_io_time >=
390 _this->hello_timeout) {
391 l2tp_ctrl_log(_this, LOG_NOTICE,
392 "timeout waiting ack for hello "
393 "packets.");
394 l2tp_ctrl_stop(_this,
395 L2TP_STOP_CCN_RCODE_GENERAL);
396 return;
397 }
398 }
399 } else if (curr_time - _this->last_snd_ctrl >=
400 L2TP_CTRL_CTRL_PKT_TIMEOUT) {
401 l2tp_ctrl_log(_this, LOG_NOTICE,
402 "timeout waiting ack for ctrl packets.");
403 l2tp_ctrl_stop(_this,
404 L2TP_STOP_CCN_RCODE_GENERAL);
405 return;
406 }
407 need_resend = 1;
408 } else {
409 for (slist_itr_first(&_this->call_list);
410 slist_itr_has_next(&_this->call_list);) {
411 call = slist_itr_next(&_this->call_list);
412 if (call->state == L2TP_CALL_STATE_CLEANUP_WAIT) {
413 l2tp_call_destroy(call, 1);
414 slist_itr_remove(&_this->call_list);
415 }
416 }
417 }
418
419 switch (_this->state) {
420 case L2TP_CTRL_STATE_IDLE:
421 /*
422 * idle:
423 * XXX: never happen in current implementation
424 */
425 l2tp_ctrl_log(_this, LOG_ERR,
426 "Internal error, timeout on illegal state=idle");
427 l2tp_ctrl_stop(_this, L2TP_STOP_CCN_RCODE_GENERAL);
428 break;
429 case L2TP_CTRL_STATE_WAIT_CTL_CONN:
430 /*
431 * wait-ctrl-conn:
432 * if there is no ack for SCCRP, the peer will
433 * resend SCCRQ. however this implementation can
434 * not recognize that the SCCRQ was resent or not.
435 * Therefore, never resent from this side.
436 */
437 need_resend = 0;
438 break;
439 case L2TP_CTRL_STATE_ESTABLISHED:
440 if (slist_length(&_this->call_list) == 0 &&
441 curr_time - _this->last_snd_ctrl >=
442 L2TP_CTRL_WAIT_CALL_TIMEOUT) {
443 if (_this->ncalls == 0)
444 /* fail to receive first call */
445 l2tp_ctrl_log(_this, LOG_WARNING,
446 "timeout waiting call");
447 l2tp_ctrl_stop(_this,
448 L2TP_STOP_CCN_RCODE_GENERAL);
449 return;
450 }
451 if (_this->hello_wait_ack == 0 && _this->hello_interval > 0) {
452 /* send Hello */
453 if (curr_time - _this->hello_interval >=
454 _this->hello_io_time) {
455 if (l2tp_ctrl_send_HELLO(_this) == 0)
456 /* success */
457 _this->hello_wait_ack = 1;
458 _this->hello_io_time = curr_time;
459 need_resend = 0;
460 }
461 }
462 break;
463 case L2TP_CTRL_STATE_CLEANUP_WAIT:
464 if (curr_time - _this->last_snd_ctrl >=
465 L2TP_CTRL_CLEANUP_WAIT_TIME) {
466 l2tp_ctrl_log(_this, LOG_NOTICE,
467 "Cleanup timeout state=%d", _this->state);
468 l2tp_ctrl_stop(_this, 0);
469 return;
470 }
471 if (_this->active_closing != 0)
472 l2tp_ctrl_send_disconnect_notify(_this);
473 break;
474 default:
475 l2tp_ctrl_log(_this, LOG_ERR,
476 "Internal error, timeout on illegal state=%d",
477 _this->state);
478 l2tp_ctrl_stop(_this, L2TP_STOP_CCN_RCODE_GENERAL);
479 return;
480 }
481 /* resend if required */
482 if (need_resend)
483 l2tp_ctrl_resend_una_packets(_this, true);
484 l2tp_ctrl_reset_timeout(_this);
485 }
486
487 int
l2tp_ctrl_send(l2tp_ctrl * _this,const void * msg,int len)488 l2tp_ctrl_send(l2tp_ctrl *_this, const void *msg, int len)
489 {
490 int rval;
491
492 #ifdef USE_LIBSOCKUTIL
493 if (_this->sa_cookie != NULL)
494 rval = sendfromto_nat_t(LISTENER_SOCK(_this), msg, len, 0,
495 (struct sockaddr *)&_this->sock,
496 (struct sockaddr *)&_this->peer, _this->sa_cookie);
497 else
498 rval = sendfromto(LISTENER_SOCK(_this), msg, len, 0,
499 (struct sockaddr *)&_this->sock,
500 (struct sockaddr *)&_this->peer);
501 #else
502 #ifdef USE_SA_COOKIE
503 if (_this->sa_cookie != NULL)
504 rval = sendto_nat_t(LISTENER_SOCK(_this), msg, len, 0,
505 (struct sockaddr *)&_this->peer, _this->peer.ss_len,
506 _this->sa_cookie);
507 else
508 #endif
509 rval = sendto(LISTENER_SOCK(_this), msg, len, 0,
510 (struct sockaddr *)&_this->peer, _this->peer.ss_len);
511 #endif
512 return rval;
513 }
514
515 /* resend una packets */
516 static int
l2tp_ctrl_resend_una_packets(l2tp_ctrl * _this,bool resend)517 l2tp_ctrl_resend_una_packets(l2tp_ctrl *_this, bool resend)
518 {
519 uint16_t seq;
520 bytebuffer *bytebuf;
521 struct l2tp_header *header;
522 int nsend;
523
524 nsend = 0;
525 for (seq = _this->snd_una; SEQ_LT(seq, _this->snd_nxt); seq++) {
526 if (!l2tp_ctrl_in_peer_window(_this, seq))
527 break;
528 if (SEQ_LT(seq, _this->snd_last) && !resend)
529 continue;
530 bytebuf = _this->snd_buffers[seq % _this->snd_buffercnt];
531 header = bytebuffer_pointer(bytebuf);
532 header->nr = htons(_this->rcv_nxt);
533 _this->snd_lastnr = _this->rcv_nxt;
534 #ifdef L2TP_CTRL_DEBUG
535 if (debuglevel >= 3) {
536 l2tp_ctrl_log(_this, DEBUG_LEVEL_3, "RESEND seq=%u",
537 ntohs(header->ns));
538 show_hd(debug_get_debugfp(),
539 bytebuffer_pointer(bytebuf),
540 bytebuffer_remaining(bytebuf));
541 }
542 #endif
543 if (l2tp_ctrl_send(_this, bytebuffer_pointer(bytebuf),
544 bytebuffer_remaining(bytebuf)) < 0) {
545 l2tp_ctrl_log(_this, LOG_ERR,
546 "sendto() failed in %s: %m", __func__);
547 return -1;
548 }
549 nsend++;
550 }
551 return nsend;
552 }
553
554 /* free all calls */
555 static void
l2tp_ctrl_destroy_all_calls(l2tp_ctrl * _this)556 l2tp_ctrl_destroy_all_calls(l2tp_ctrl *_this)
557 {
558 l2tp_call *call;
559
560 L2TP_CTRL_ASSERT(_this != NULL);
561
562 while ((call = slist_remove_first(&_this->call_list)) != NULL)
563 l2tp_call_destroy(call, 1);
564 }
565
566
567 /* disconnect all calls on the control context
568 * @return return # of calls that is not waiting cleanup.
569 */
570 static int
l2tp_ctrl_disconnect_all_calls(l2tp_ctrl * _this,int drop)571 l2tp_ctrl_disconnect_all_calls(l2tp_ctrl *_this, int drop)
572 {
573 int i, len, ncalls;
574 l2tp_call *call;
575
576 L2TP_CTRL_ASSERT(_this != NULL);
577
578 ncalls = 0;
579 len = slist_length(&_this->call_list);
580 for (i = 0; i < len; i++) {
581 call = slist_get(&_this->call_list, i);
582 if (call->state != L2TP_CALL_STATE_CLEANUP_WAIT) {
583 ncalls++;
584 if (l2tp_ctrl_txwin_is_full(_this)) {
585 L2TP_CTRL_DBG((_this, LOG_INFO,
586 "Too many calls. Sending window is not "
587 "enough to send CDN to all clients."));
588 if (drop)
589 l2tp_call_drop(call);
590 } else
591 l2tp_call_admin_disconnect(call);
592 }
593 }
594 return ncalls;
595 }
596
597 /* reset timeout */
598 static void
l2tp_ctrl_reset_timeout(l2tp_ctrl * _this)599 l2tp_ctrl_reset_timeout(l2tp_ctrl *_this)
600 {
601 int intvl;
602 struct timeval tv0;
603
604 L2TP_CTRL_ASSERT(_this != NULL);
605
606 if (evtimer_initialized(&_this->ev_timeout))
607 evtimer_del(&_this->ev_timeout);
608
609 switch (_this->state) {
610 case L2TP_CTRL_STATE_CLEANUP_WAIT:
611 intvl = 1;
612 break;
613 default:
614 intvl = 2;
615 break;
616 }
617 tv0.tv_usec = 0;
618 tv0.tv_sec = intvl;
619 if (!evtimer_initialized(&_this->ev_timeout))
620 evtimer_set(&_this->ev_timeout, l2tp_ctrl_timeout, _this);
621 evtimer_add(&_this->ev_timeout, &tv0);
622 }
623
624 /*
625 * protocols / send and receive
626 */
627 /* Receive packet */
628 void
l2tp_ctrl_input(l2tpd * _this,int listener_index,struct sockaddr * peer,struct sockaddr * sock,void * nat_t_ctx,u_char * pkt,int pktlen)629 l2tp_ctrl_input(l2tpd *_this, int listener_index, struct sockaddr *peer,
630 struct sockaddr *sock, void *nat_t_ctx, u_char *pkt, int pktlen)
631 {
632 int i, len, offsiz, reqlen, is_ctrl;
633 uint16_t mestype;
634 struct l2tp_avp *avp, *avp0;
635 l2tp_ctrl *ctrl;
636 l2tp_call *call;
637 char buf[L2TP_AVP_MAXSIZ], errmsg[256];
638 time_t curr_time;
639 u_char *pkt0;
640 struct l2tp_header hdr;
641 char hbuf[NI_MAXHOST + NI_MAXSERV + 16];
642
643 ctrl = NULL;
644 curr_time = get_monosec();
645 pkt0 = pkt;
646
647 L2TP_CTRL_ASSERT(peer->sa_family == sock->sa_family);
648 L2TP_CTRL_ASSERT(peer->sa_family == AF_INET ||
649 peer->sa_family == AF_INET6)
650 /*
651 * Parse L2TP Header
652 */
653 memset(&hdr, 0, sizeof(hdr));
654 if (pktlen < 2) {
655 snprintf(errmsg, sizeof(errmsg), "a short packet. "
656 "length=%d", pktlen);
657 goto bad_packet;
658 }
659 memcpy(&hdr, pkt, 2);
660 pkt += 2;
661 if (hdr.ver != L2TP_HEADER_VERSION_RFC2661) {
662 /* XXX: only RFC2661 is supported */
663 snprintf(errmsg, sizeof(errmsg),
664 "Unsupported version at header = %d", hdr.ver);
665 goto bad_packet;
666 }
667 is_ctrl = (hdr.t != 0)? 1 : 0;
668
669 /* calc required length */
670 reqlen = 6; /* for Flags, Tunnel-Id, Session-Id field */
671 if (hdr.l) reqlen += 2; /* for Length field (opt) */
672 if (hdr.s) reqlen += 4; /* for Ns, Nr field (opt) */
673 if (hdr.o) reqlen += 2; /* for Offset Size field (opt) */
674 if (reqlen > pktlen) {
675 snprintf(errmsg, sizeof(errmsg),
676 "a short packet. length=%d", pktlen);
677 goto bad_packet;
678 }
679
680 if (hdr.l != 0) {
681 GETSHORT(hdr.length, pkt);
682 if (hdr.length > pktlen) {
683 snprintf(errmsg, sizeof(errmsg),
684 "Actual packet size is smaller than the length "
685 "field %d < %d", pktlen, hdr.length);
686 goto bad_packet;
687 }
688 pktlen = hdr.length; /* remove trailing trash */
689 }
690 GETSHORT(hdr.tunnel_id, pkt);
691 GETSHORT(hdr.session_id, pkt);
692 if (hdr.s != 0) {
693 GETSHORT(hdr.ns, pkt);
694 GETSHORT(hdr.nr, pkt);
695 }
696 if (hdr.o != 0) {
697 GETSHORT(offsiz, pkt);
698 if (pktlen < offsiz) {
699 snprintf(errmsg, sizeof(errmsg),
700 "offset field is bigger than remaining packet "
701 "length %d > %d", offsiz, pktlen);
702 goto bad_packet;
703 }
704 pkt += offsiz;
705 }
706 L2TP_CTRL_ASSERT(pkt - pkt0 == reqlen);
707 pktlen -= (pkt - pkt0); /* cut down the length of header */
708
709 ctrl = NULL;
710 memset(buf, 0, sizeof(buf));
711 mestype = 0;
712 avp = NULL;
713
714 if (is_ctrl) {
715 avp0 = (struct l2tp_avp *)buf;
716 avp = avp_find_message_type_avp(avp0, pkt, pktlen);
717 if (avp != NULL)
718 mestype = avp->attr_value[0] << 8 | avp->attr_value[1];
719 }
720 ctrl = l2tpd_get_ctrl(_this, hdr.tunnel_id);
721
722 if (ctrl == NULL) {
723 /* new control */
724 if (!is_ctrl) {
725 snprintf(errmsg, sizeof(errmsg),
726 "bad data message: tunnelId=%d is not "
727 "found.", hdr.tunnel_id);
728 goto bad_packet;
729 }
730 if (mestype != L2TP_AVP_MESSAGE_TYPE_SCCRQ) {
731 snprintf(errmsg, sizeof(errmsg),
732 "bad control message: tunnelId=%d is not "
733 "found. mestype=%s", hdr.tunnel_id,
734 avp_mes_type_string(mestype));
735 goto bad_packet;
736 }
737
738 if ((ctrl = l2tp_ctrl_create()) == NULL) {
739 l2tp_ctrl_log(ctrl, LOG_ERR,
740 "l2tp_ctrl_create() failed: %m");
741 goto fail;
742 }
743
744 if (l2tp_ctrl_init(ctrl, _this, peer, sock, nat_t_ctx) != 0) {
745 l2tp_ctrl_log(ctrl, LOG_ERR,
746 "l2tp_ctrl_start() failed: %m");
747 goto fail;
748 }
749
750 ctrl->listener_index = listener_index;
751 l2tp_ctrl_reload(ctrl);
752 } else {
753 /*
754 * treat as an error if src address and port is not
755 * match. (because it is potentially DoS attach)
756 */
757 int notmatch = 0;
758
759 if (ctrl->peer.ss_family != peer->sa_family)
760 notmatch = 1;
761 else if (peer->sa_family == AF_INET) {
762 if (SIN(peer)->sin_addr.s_addr !=
763 SIN(&ctrl->peer)->sin_addr.s_addr ||
764 SIN(peer)->sin_port != SIN(&ctrl->peer)->sin_port)
765 notmatch = 1;
766 } else if (peer->sa_family == AF_INET6) {
767 if (!IN6_ARE_ADDR_EQUAL(&(SIN6(peer)->sin6_addr),
768 &(SIN6(&ctrl->peer)->sin6_addr)) ||
769 SIN6(peer)->sin6_port !=
770 SIN6(&ctrl->peer)->sin6_port)
771 notmatch = 1;
772 }
773 if (notmatch) {
774 snprintf(errmsg, sizeof(errmsg),
775 "tunnelId=%u is already assigned for %s",
776 hdr.tunnel_id, addrport_tostring(
777 (struct sockaddr *)&ctrl->peer,
778 ctrl->peer.ss_len, hbuf, sizeof(hbuf)));
779 goto bad_packet;
780 }
781 }
782 ctrl->last_rcv = curr_time;
783 call = NULL;
784 if (hdr.session_id != 0) {
785 /* search l2tp_call by Session ID */
786 /* linear search is enough for this purpose */
787 len = slist_length(&ctrl->call_list);
788 for (i = 0; i < len; i++) {
789 call = slist_get(&ctrl->call_list, i);
790 if (call->session_id == hdr.session_id)
791 break;
792 call = NULL;
793 }
794 }
795 if (!is_ctrl) {
796 int delayed = 0;
797
798 /* L2TP data */
799 if (ctrl->state != L2TP_CTRL_STATE_ESTABLISHED) {
800 l2tp_ctrl_log(ctrl, LOG_WARNING,
801 "Received Data packet in '%s'",
802 l2tp_ctrl_state_string(ctrl));
803 goto fail;
804 }
805 if (call == NULL) {
806 l2tp_ctrl_log(ctrl, LOG_WARNING,
807 "Received a data packet but it has no call. "
808 "session_id=%u", hdr.session_id);
809 goto fail;
810 }
811 L2TP_CTRL_DBG((ctrl, DEBUG_LEVEL_2,
812 "call=%u RECV ns=%u nr=%u snd_nxt=%u rcv_nxt=%u len=%d",
813 call->id, hdr.ns, hdr.nr, call->snd_nxt, call->rcv_nxt,
814 pktlen));
815 if (call->state != L2TP_CALL_STATE_ESTABLISHED){
816 l2tp_ctrl_log(ctrl, LOG_WARNING,
817 "Received a data packet but call is not "
818 "established");
819 goto fail;
820 }
821
822 if (hdr.s != 0) {
823 if (SEQ_LT(hdr.ns, call->rcv_nxt)) {
824 if (SEQ_LT(hdr.ns,
825 call->rcv_nxt - L2TP_CALL_DELAY_LIMIT)) {
826 /* sequence number seems to be delayed */
827 /* XXX: need to log? */
828 L2TP_CTRL_DBG((ctrl, LOG_DEBUG,
829 "receive a out of sequence "
830 "data packet: %u < %u.",
831 hdr.ns, call->rcv_nxt));
832 return;
833 }
834 delayed = 1;
835 } else {
836 call->rcv_nxt = hdr.ns + 1;
837 }
838 }
839
840 l2tp_call_ppp_input(call, pkt, pktlen, delayed);
841
842 return;
843 }
844 if (hdr.s != 0) {
845 L2TP_CTRL_DBG((ctrl, DEBUG_LEVEL_2,
846 "RECV %s ns=%u nr=%u snd_nxt=%u snd_una=%u rcv_nxt=%u "
847 "len=%d", (is_ctrl)? "C" : "", hdr.ns, hdr.nr,
848 ctrl->snd_nxt, ctrl->snd_una, ctrl->rcv_nxt, pktlen));
849
850 if (pktlen <= 0)
851 l2tp_ctrl_log(ctrl, LOG_INFO, "RecvZLB");
852
853 if (SEQ_GT(hdr.nr, ctrl->snd_una)) {
854 /* a new ack arrived */
855 if (SEQ_GT(hdr.nr, ctrl->snd_nxt)) {
856 /* ack is proceeded us */
857 l2tp_ctrl_log(ctrl, LOG_INFO,
858 "Received message has bad Nr field: "
859 "%u < %u", ctrl->snd_nxt, hdr.nr);
860 goto fail;
861 }
862 ctrl->snd_una = hdr.nr;
863 /* peer window is moved. send out pending packets */
864 l2tp_ctrl_resend_una_packets(ctrl, false);
865 }
866 if (l2tp_ctrl_txwin_size(ctrl) <= 0) {
867 /* no waiting ack */
868 if (ctrl->hello_wait_ack != 0) {
869 /*
870 * Reset Hello state, as an ack for the Hello
871 * is received.
872 */
873 ctrl->hello_wait_ack = 0;
874 ctrl->hello_io_time = curr_time;
875 }
876 switch (ctrl->state) {
877 case L2TP_CTRL_STATE_CLEANUP_WAIT:
878 l2tp_ctrl_stop(ctrl, 0);
879 return;
880 }
881 }
882 if (hdr.ns != ctrl->rcv_nxt) {
883 /* there are remaining packet */
884 if (l2tp_ctrl_resend_una_packets(ctrl, true) <= 0) {
885 /* resend or sent ZLB */
886 l2tp_ctrl_send_ZLB(ctrl);
887 }
888 #ifdef L2TP_CTRL_DEBUG
889 if (pktlen != 0) { /* not ZLB */
890 L2TP_CTRL_DBG((ctrl, LOG_DEBUG,
891 "receive out of sequence %u must be %u. "
892 "mestype=%s", hdr.ns, ctrl->rcv_nxt,
893 avp_mes_type_string(mestype)));
894 }
895 #endif
896 return;
897 }
898 if (pktlen <= 0)
899 return; /* ZLB */
900
901 if (!l2tp_ctrl_in_our_window(ctrl, hdr.ns)) {
902 l2tp_ctrl_log(ctrl, LOG_WARNING,
903 "received message is outside of window. "
904 "ns=%d window=%u:%u",
905 hdr.ns, ctrl->snd_lastnr,
906 (uint16_t)(ctrl->snd_lastnr + ctrl->winsz - 1));
907 return;
908 }
909
910 ctrl->rcv_nxt++;
911 if (avp == NULL) {
912 l2tpd_log(_this, LOG_WARNING,
913 "bad control message: no message-type AVP.");
914 goto fail;
915 }
916 }
917
918 /*
919 * state machine (RFC2661 pp. 56-57)
920 */
921 switch (ctrl->state) {
922 case L2TP_CTRL_STATE_IDLE:
923 switch (mestype) {
924 case L2TP_AVP_MESSAGE_TYPE_SCCRQ:
925 if (l2tp_ctrl_recv_SCCRQ(ctrl, pkt, pktlen, _this,
926 peer) == 0) {
927 /* acceptable */
928 l2tp_ctrl_send_SCCRP(ctrl);
929 ctrl->state = L2TP_CTRL_STATE_WAIT_CTL_CONN;
930 return;
931 }
932 /*
933 * in case un-acceptable, it was already processed
934 * at l2tcp_ctrl_recv_SCCRQ
935 */
936 return;
937 case L2TP_AVP_MESSAGE_TYPE_SCCRP:
938 /*
939 * RFC specifies that sent of StopCCN in the state,
940 * However as this implementation only support Passive
941 * open, this packet will not received.
942 */
943 /* FALLTHROUGH */
944 case L2TP_AVP_MESSAGE_TYPE_SCCCN:
945 default:
946 break;
947 }
948 goto fsm_fail;
949
950 case L2TP_CTRL_STATE_WAIT_CTL_CONN:
951 /* Wait-Ctl-Conn */
952 switch (mestype) {
953 case L2TP_AVP_MESSAGE_TYPE_SCCCN:
954 l2tp_ctrl_log(ctrl, LOG_INFO, "RecvSCCN");
955 if (l2tp_ctrl_send_ZLB(ctrl) == 0) {
956 ctrl->state = L2TP_CTRL_STATE_ESTABLISHED;
957 }
958 return;
959 case L2TP_AVP_MESSAGE_TYPE_StopCCN:
960 goto receive_stop_ccn;
961 case L2TP_AVP_MESSAGE_TYPE_SCCRQ:
962 case L2TP_AVP_MESSAGE_TYPE_SCCRP:
963 default:
964 break;
965 }
966 break; /* fsm_fail */
967 case L2TP_CTRL_STATE_ESTABLISHED:
968 /* Established */
969 switch (mestype) {
970 case L2TP_AVP_MESSAGE_TYPE_SCCCN:
971 case L2TP_AVP_MESSAGE_TYPE_SCCRQ:
972 case L2TP_AVP_MESSAGE_TYPE_SCCRP:
973 break;
974 receive_stop_ccn:
975 case L2TP_AVP_MESSAGE_TYPE_StopCCN:
976 l2tp_ctrl_recv_StopCCN(ctrl, pkt, pktlen);
977 l2tp_ctrl_send_ZLB(ctrl);
978 l2tp_ctrl_stop(ctrl, 0);
979 return;
980
981 case L2TP_AVP_MESSAGE_TYPE_HELLO:
982 l2tp_ctrl_send_ZLB(ctrl);
983 return;
984 case L2TP_AVP_MESSAGE_TYPE_CDN:
985 case L2TP_AVP_MESSAGE_TYPE_ICRP:
986 case L2TP_AVP_MESSAGE_TYPE_ICCN:
987 if (call == NULL) {
988 l2tp_ctrl_log(ctrl, LOG_INFO,
989 "Unknown call message: %s",
990 avp_mes_type_string(mestype));
991 goto fail;
992 }
993 /* FALLTHROUGH */
994 case L2TP_AVP_MESSAGE_TYPE_ICRQ:
995 l2tp_call_recv_packet(ctrl, call, mestype, pkt,
996 pktlen);
997 return;
998 default:
999 break;
1000 }
1001 break; /* fsm_fail */
1002 case L2TP_CTRL_STATE_CLEANUP_WAIT:
1003 if (mestype == L2TP_AVP_MESSAGE_TYPE_StopCCN) {
1004 /*
1005 * We left ESTABLISHED state, but the peer sent StopCCN.
1006 */
1007 goto receive_stop_ccn;
1008 }
1009 break; /* fsm_fail */
1010 }
1011
1012 fsm_fail:
1013 /* state machine error */
1014 l2tp_ctrl_log(ctrl, LOG_WARNING, "Received %s in '%s' state",
1015 avp_mes_type_string(mestype), l2tp_ctrl_state_string(ctrl));
1016 l2tp_ctrl_stop(ctrl, L2TP_STOP_CCN_RCODE_FSM_ERROR);
1017
1018 return;
1019 fail:
1020 if (ctrl != NULL && mestype != 0) {
1021 l2tp_ctrl_log(ctrl, LOG_WARNING, "Received %s in '%s' state",
1022 avp_mes_type_string(mestype), l2tp_ctrl_state_string(ctrl));
1023 l2tp_ctrl_stop(ctrl, L2TP_STOP_CCN_RCODE_GENERAL_ERROR);
1024 }
1025 return;
1026
1027 bad_packet:
1028 l2tpd_log(_this, LOG_INFO, "Received from=%s: %s",
1029 addrport_tostring(peer, peer->sa_len, hbuf, sizeof(hbuf)), errmsg);
1030
1031 return;
1032 }
1033
1034 static int
l2tp_ctrl_txwin_size(l2tp_ctrl * _this)1035 l2tp_ctrl_txwin_size(l2tp_ctrl *_this)
1036 {
1037 uint16_t sz;
1038
1039 sz = _this->snd_nxt - _this->snd_una;
1040
1041 L2TP_CTRL_ASSERT(sz <= _this->buffercnt);
1042
1043 return sz;
1044 }
1045
1046 static bool
l2tp_ctrl_txwin_is_full(l2tp_ctrl * _this)1047 l2tp_ctrl_txwin_is_full(l2tp_ctrl *_this)
1048 {
1049 return (l2tp_ctrl_txwin_size(_this) >= _this->snd_buffercnt)? 1 : 0;
1050 }
1051
1052 static bool
l2tp_ctrl_in_peer_window(l2tp_ctrl * _this,uint16_t seq)1053 l2tp_ctrl_in_peer_window(l2tp_ctrl *_this, uint16_t seq)
1054 {
1055 uint16_t off;
1056 int winsz;
1057
1058 winsz = MINIMUM(_this->winsz, _this->peer_winsz);
1059 off = seq - _this->snd_una;
1060
1061 return ((off < winsz)? true : false);
1062 }
1063
1064 static bool
l2tp_ctrl_in_our_window(l2tp_ctrl * _this,uint16_t seq)1065 l2tp_ctrl_in_our_window(l2tp_ctrl *_this, uint16_t seq)
1066 {
1067 uint16_t off;
1068
1069 off = seq - _this->snd_lastnr;
1070
1071 return ((off < _this->winsz)? true : false);
1072 }
1073 /* send control packet */
1074 int
l2tp_ctrl_send_packet(l2tp_ctrl * _this,int call_id,bytebuffer * bytebuf)1075 l2tp_ctrl_send_packet(l2tp_ctrl *_this, int call_id, bytebuffer *bytebuf)
1076 {
1077 struct l2tp_header *hdr;
1078 int rval;
1079 time_t curr_time;
1080 uint16_t seq;
1081
1082 curr_time = get_monosec();
1083
1084 bytebuffer_flip(bytebuf);
1085 hdr = (struct l2tp_header *)bytebuffer_pointer(bytebuf);
1086 memset(hdr, 0, sizeof(*hdr));
1087
1088 hdr->t = 1;
1089 hdr->ver = L2TP_HEADER_VERSION_RFC2661;
1090 hdr->l = 1;
1091 hdr->length = htons(bytebuffer_remaining(bytebuf));
1092 hdr->tunnel_id = htons(_this->peer_tunnel_id);
1093 hdr->session_id = htons(call_id);
1094
1095 hdr->s = 1;
1096 seq = _this->snd_nxt;
1097 hdr->ns = htons(seq);
1098 hdr->nr = htons(_this->rcv_nxt);
1099
1100 if (bytebuffer_remaining(bytebuf) > sizeof(struct l2tp_header))
1101 /* Not ZLB */
1102 _this->snd_nxt++;
1103
1104 if (!l2tp_ctrl_in_peer_window(_this, seq))
1105 return (0);
1106
1107 L2TP_CTRL_DBG((_this, DEBUG_LEVEL_2,
1108 "SEND C ns=%u nr=%u snd_nxt=%u snd_una=%u rcv_nxt=%u ",
1109 ntohs(hdr->ns), htons(hdr->nr),
1110 _this->snd_nxt, _this->snd_una, _this->rcv_nxt));
1111
1112 if (L2TP_CTRL_CONF(_this)->ctrl_out_pktdump != 0) {
1113 l2tpd_log(_this->l2tpd, LOG_DEBUG,
1114 "L2TP Control output packet dump");
1115 show_hd(debug_get_debugfp(), bytebuffer_pointer(bytebuf),
1116 bytebuffer_remaining(bytebuf));
1117 }
1118
1119 if ((rval = l2tp_ctrl_send(_this, bytebuffer_pointer(bytebuf),
1120 bytebuffer_remaining(bytebuf))) < 0) {
1121 L2TP_CTRL_DBG((_this, LOG_DEBUG, "sendto() failed: %m"));
1122 }
1123
1124 _this->snd_lastnr = _this->rcv_nxt;
1125 _this->last_snd_ctrl = curr_time;
1126 _this->snd_last = seq;
1127
1128 return (rval == bytebuffer_remaining(bytebuf))? 0 : 1;
1129 }
1130
1131 /*
1132 * receiver SCCRQ
1133 */
1134 static int
l2tp_ctrl_recv_SCCRQ(l2tp_ctrl * _this,u_char * pkt,int pktlen,l2tpd * _l2tpd,struct sockaddr * peer)1135 l2tp_ctrl_recv_SCCRQ(l2tp_ctrl *_this, u_char *pkt, int pktlen, l2tpd *_l2tpd,
1136 struct sockaddr *peer)
1137 {
1138 int avpsz, len, protover, protorev, firmrev, result;
1139 struct l2tp_avp *avp;
1140 char host[NI_MAXHOST], serv[NI_MAXSERV];
1141 char buf[L2TP_AVP_MAXSIZ], emes[256], hostname[256], vendorname[256];
1142
1143 result = L2TP_STOP_CCN_RCODE_GENERAL_ERROR;
1144 strlcpy(hostname, "(no hostname)", sizeof(hostname));
1145 strlcpy(vendorname, "(no vendorname)", sizeof(vendorname));
1146
1147 _this->peer_winsz = 4; /* default is 4 in RFC 2661 */
1148 firmrev = 0;
1149 protover = 0;
1150 protorev = 0;
1151 avp = (struct l2tp_avp *)buf;
1152 while (pktlen >= 6 && (avpsz = avp_enum(avp, pkt, pktlen, 1)) > 0) {
1153 pkt += avpsz;
1154 pktlen -= avpsz;
1155 if (avp->vendor_id != 0) {
1156 L2TP_CTRL_DBG((_this, LOG_DEBUG,
1157 "Received a Vendor-specific AVP vendor-id=%d "
1158 "type=%d", avp->vendor_id, avp->attr_type));
1159 continue;
1160 }
1161 switch (avp->attr_type) {
1162 case L2TP_AVP_TYPE_MESSAGE_TYPE:
1163 AVP_SIZE_CHECK(avp, ==, 8);
1164 continue;
1165 case L2TP_AVP_TYPE_PROTOCOL_VERSION:
1166 AVP_SIZE_CHECK(avp, ==, 8);
1167 protover = avp->attr_value[0];
1168 protorev = avp->attr_value[1];
1169
1170 if (protover != L2TP_RFC2661_VERSION ||
1171 protorev != L2TP_RFC2661_REVISION) {
1172 result = L2TP_STOP_CCN_RCODE_GENERAL_ERROR;
1173 snprintf(emes, sizeof(emes),
1174 "Peer's protocol version is not supported:"
1175 " %d.%d", protover, protorev);
1176 goto not_acceptable;
1177 }
1178 continue;
1179 case L2TP_AVP_TYPE_FRAMING_CAPABILITIES:
1180 AVP_SIZE_CHECK(avp, ==, 10);
1181 if ((avp_get_val32(avp) & L2TP_FRAMING_CAP_FLAGS_SYNC)
1182 == 0) {
1183 L2TP_CTRL_DBG((_this, LOG_DEBUG, "Peer doesn't "
1184 "support synchronous framing"));
1185 }
1186 continue;
1187 case L2TP_AVP_TYPE_BEARER_CAPABILITIES:
1188 AVP_SIZE_CHECK(avp, ==, 10);
1189 continue;
1190 case L2TP_AVP_TYPE_TIE_BREAKER:
1191 AVP_SIZE_CHECK(avp, ==, 14);
1192 /*
1193 * As the implementation never send SCCRQ,
1194 * the peer is always winner
1195 */
1196 continue;
1197 case L2TP_AVP_TYPE_FIRMWARE_REVISION:
1198 AVP_SIZE_CHECK(avp, >=, 6);
1199 firmrev = avp_get_val16(avp);
1200 continue;
1201 case L2TP_AVP_TYPE_HOST_NAME:
1202 AVP_SIZE_CHECK(avp, >, 4);
1203 len = MINIMUM(sizeof(hostname) - 1, avp->length - 6);
1204 memcpy(hostname, avp->attr_value, len);
1205 hostname[len] = '\0';
1206 continue;
1207 case L2TP_AVP_TYPE_VENDOR_NAME:
1208 AVP_SIZE_CHECK(avp, >, 4);
1209 len = MINIMUM(sizeof(vendorname) - 1, avp->length - 6);
1210 memcpy(vendorname, avp->attr_value, len);
1211 vendorname[len] = '\0';
1212 continue;
1213 case L2TP_AVP_TYPE_ASSINGED_TUNNEL_ID:
1214 AVP_SIZE_CHECK(avp, ==, 8);
1215 _this->peer_tunnel_id = avp_get_val16(avp);
1216 continue;
1217 case L2TP_AVP_TYPE_RECV_WINDOW_SIZE:
1218 AVP_SIZE_CHECK(avp, ==, 8);
1219 _this->peer_winsz = avp_get_val16(avp);
1220 continue;
1221 }
1222 if (avp->is_mandatory) {
1223 l2tp_ctrl_log(_this, LOG_WARNING,
1224 "Received AVP (%s/%d) is not supported, but it's "
1225 "mandatory", avp_attr_type_string(avp->attr_type),
1226 avp->attr_type);
1227 #ifdef L2TP_CTRL_DEBUG
1228 } else {
1229 L2TP_CTRL_DBG((_this, LOG_DEBUG,
1230 "AVP (%s/%d) is not handled",
1231 avp_attr_type_string(avp->attr_type),
1232 avp->attr_type));
1233 #endif
1234 }
1235 }
1236 if (getnameinfo((struct sockaddr *)&_this->peer, _this->peer.ss_len,
1237 host, sizeof(host), serv, sizeof(serv),
1238 NI_NUMERICHOST | NI_NUMERICSERV | NI_DGRAM) != 0) {
1239 l2tp_ctrl_log(_this, LOG_ERR,
1240 "getnameinfo() failed at %s(): %m", __func__);
1241 strlcpy(host, "error", sizeof(host));
1242 strlcpy(serv, "error", sizeof(serv));
1243 }
1244 l2tp_ctrl_log(_this, LOG_NOTICE, "logtype=Started RecvSCCRQ "
1245 "from=%s:%s/udp tunnel_id=%u/%u protocol=%d.%d winsize=%d "
1246 "hostname=%s vendor=%s firm=%04X", host, serv, _this->tunnel_id,
1247 _this->peer_tunnel_id, protover, protorev, _this->peer_winsz,
1248 hostname, vendorname, firmrev);
1249
1250 if (_this->peer_winsz == 0)
1251 _this->peer_winsz = 1;
1252
1253 return 0;
1254 not_acceptable:
1255 size_check_failed:
1256 l2tp_ctrl_log(_this, LOG_ERR, "Received bad SCCRQ: %s", emes);
1257 l2tp_ctrl_stop(_this, result);
1258
1259 return 1;
1260 }
1261
1262 /*
1263 * send StopCCN
1264 */
1265 static int
l2tp_ctrl_send_StopCCN(l2tp_ctrl * _this,int result)1266 l2tp_ctrl_send_StopCCN(l2tp_ctrl *_this, int result)
1267 {
1268 struct l2tp_avp *avp;
1269 char buf[L2TP_AVP_MAXSIZ];
1270 bytebuffer *bytebuf;
1271
1272 if ((bytebuf = l2tp_ctrl_prepare_snd_buffer(_this, 1)) == NULL) {
1273 l2tp_ctrl_log(_this, LOG_ERR,
1274 "sending StopCCN failed: no buffer.");
1275 return -1;
1276 }
1277 avp = (struct l2tp_avp *)buf;
1278
1279 /* Message Type = StopCCN */
1280 memset(avp, 0, sizeof(*avp));
1281 avp->is_mandatory = 1;
1282 avp->attr_type = L2TP_AVP_TYPE_MESSAGE_TYPE;
1283 avp_set_val16(avp, L2TP_AVP_MESSAGE_TYPE_StopCCN);
1284 bytebuf_add_avp(bytebuf, avp, 2);
1285
1286 /* Assigned Tunnel Id */
1287 memset(avp, 0, sizeof(*avp));
1288 avp->is_mandatory = 1;
1289 avp->attr_type = L2TP_AVP_TYPE_ASSINGED_TUNNEL_ID;
1290 avp_set_val16(avp, _this->tunnel_id);
1291 bytebuf_add_avp(bytebuf, avp, 2);
1292
1293 /* Result Code */
1294 memset(avp, 0, sizeof(*avp));
1295 avp->is_mandatory = 1;
1296 avp->attr_type = L2TP_AVP_TYPE_RESULT_CODE;
1297 avp_set_val16(avp, result);
1298 bytebuf_add_avp(bytebuf, avp, 2);
1299
1300 if (l2tp_ctrl_send_packet(_this, 0, bytebuf) != 0) {
1301 l2tp_ctrl_log(_this, LOG_ERR, "sending StopCCN failed");
1302 return - 1;
1303 }
1304 l2tp_ctrl_log(_this, LOG_INFO, "SendStopCCN result=%d", result);
1305
1306 return 0;
1307 }
1308
1309 /*
1310 * Receiver StopCCN
1311 */
1312 static int
l2tp_ctrl_recv_StopCCN(l2tp_ctrl * _this,u_char * pkt,int pktlen)1313 l2tp_ctrl_recv_StopCCN(l2tp_ctrl *_this, u_char *pkt, int pktlen)
1314 {
1315 int result, error, avpsz, len;
1316 uint16_t tunid;
1317 struct l2tp_avp *avp;
1318 char buf[L2TP_AVP_MAXSIZ + 16], emes[256], pmes[256];
1319
1320 result = 0;
1321 error = 0;
1322 tunid = 0;
1323 pmes[0] = '\0';
1324 avp = (struct l2tp_avp *)buf;
1325 while (pktlen >= 6 && (avpsz = avp_enum(avp, pkt, pktlen, 1)) > 0) {
1326 pkt += avpsz;
1327 pktlen -= avpsz;
1328 if (avp->vendor_id != 0) {
1329 L2TP_CTRL_DBG((_this, LOG_DEBUG,
1330 "Received a Vendor-specific AVP vendor-id=%d "
1331 "type=%d", avp->vendor_id, avp->attr_type));
1332 continue;
1333 }
1334 if (avp->is_hidden != 0) {
1335 l2tp_ctrl_log(_this, LOG_WARNING,
1336 "Received AVP (%s/%d) is hidden. But we don't "
1337 "share secret.",
1338 avp_attr_type_string(avp->attr_type),
1339 avp->attr_type);
1340 if (avp->is_mandatory != 0) {
1341 l2tp_ctrl_stop(_this,
1342 L2TP_STOP_CCN_RCODE_GENERAL_ERROR |
1343 L2TP_ECODE_UNKNOWN_MANDATORY_AVP);
1344 return 1;
1345 }
1346 continue;
1347 }
1348 switch (avp->attr_type) {
1349 case L2TP_AVP_TYPE_MESSAGE_TYPE:
1350 AVP_SIZE_CHECK(avp, ==, 8);
1351 continue;
1352 case L2TP_AVP_TYPE_RESULT_CODE:
1353 AVP_SIZE_CHECK(avp, >=, 8);
1354 result = avp->attr_value[0] << 8 | avp->attr_value[1];
1355 if (avp->length >= 10) {
1356 error = avp->attr_value[2] << 8 |
1357 avp->attr_value[3];
1358 len = avp->length - 12;
1359 if (len > 0) {
1360 len = MINIMUM(len, sizeof(pmes) - 1);
1361 memcpy(pmes, &avp->attr_value[4], len);
1362 pmes[len] = '\0';
1363 }
1364 }
1365 continue;
1366 case L2TP_AVP_TYPE_ASSINGED_TUNNEL_ID:
1367 AVP_SIZE_CHECK(avp, ==, 8);
1368 tunid = avp_get_val16(avp);
1369 continue;
1370 default:
1371 if (avp->is_mandatory != 0) {
1372 l2tp_ctrl_log(_this, LOG_WARNING,
1373 "Received AVP (%s/%d) is not supported, "
1374 "but it's mandatory",
1375 avp_attr_type_string(avp->attr_type),
1376 avp->attr_type);
1377 #ifdef L2TP_CTRL_DEBUG
1378 } else {
1379 L2TP_CTRL_DBG((_this, LOG_DEBUG,
1380 "AVP (%s/%d) is not handled",
1381 avp_attr_type_string(avp->attr_type),
1382 avp->attr_type));
1383 #endif
1384 }
1385 }
1386 }
1387
1388 if (result == L2TP_CDN_RCODE_ERROR_CODE &&
1389 error == L2TP_ECODE_NO_RESOURCE) {
1390 /*
1391 * Memo:
1392 * This state may be happen in following state.
1393 * - lots of connect/disconnect by long-running
1394 * windows2000, sometimes it fall to this state.
1395 * Once it fall to here, connection will fail till
1396 * the windows rebooted
1397 */
1398 l2tp_ctrl_log(_this, LOG_WARNING,
1399 "Peer indicates \"No Resource\" error.");
1400 }
1401
1402 l2tp_ctrl_log(_this, LOG_INFO, "RecvStopCCN result=%s/%u "
1403 "error=%s/%u tunnel_id=%u message=\"%s\"",
1404 l2tp_stopccn_rcode_string(result), result,
1405 l2tp_ecode_string(error), error, tunid, pmes);
1406
1407 return 0;
1408
1409 size_check_failed:
1410 l2tp_ctrl_log(_this, LOG_ERR, "Received bad StopCCN: %s", emes);
1411
1412 return -1;
1413 }
1414
1415 /*
1416 * send SCCRP
1417 */
1418 static void
l2tp_ctrl_send_SCCRP(l2tp_ctrl * _this)1419 l2tp_ctrl_send_SCCRP(l2tp_ctrl *_this)
1420 {
1421 int len;
1422 struct l2tp_avp *avp;
1423 char buf[L2TP_AVP_MAXSIZ], hbuf[HOST_NAME_MAX+1];
1424 const char *val;
1425 bytebuffer *bytebuf;
1426
1427 if ((bytebuf = l2tp_ctrl_prepare_snd_buffer(_this, 1)) == NULL) {
1428 l2tp_ctrl_log(_this, LOG_ERR,
1429 "sending SCCRP failed: no buffer.");
1430 return;
1431 }
1432 avp = (struct l2tp_avp *)buf;
1433
1434 /* Message Type = SCCRP */
1435 memset(avp, 0, sizeof(*avp));
1436 avp->is_mandatory = 1;
1437 avp->attr_type = L2TP_AVP_TYPE_MESSAGE_TYPE;
1438 avp_set_val16(avp, L2TP_AVP_MESSAGE_TYPE_SCCRP);
1439 bytebuf_add_avp(bytebuf, avp, 2);
1440
1441 /* Protocol Version = 1.0 */
1442 memset(avp, 0, sizeof(*avp));
1443 avp->is_mandatory = 1;
1444 avp->attr_type = L2TP_AVP_TYPE_PROTOCOL_VERSION;
1445 avp->attr_value[0] = L2TP_RFC2661_VERSION;
1446 avp->attr_value[1] = L2TP_RFC2661_REVISION;
1447 bytebuf_add_avp(bytebuf, avp, 2);
1448
1449 /* Framing Capability = Async */
1450 memset(avp, 0, sizeof(*avp));
1451 avp->is_mandatory = 1;
1452 avp->attr_type = L2TP_AVP_TYPE_FRAMING_CAPABILITIES;
1453 avp_set_val32(avp, L2TP_FRAMING_CAP_FLAGS_SYNC);
1454 bytebuf_add_avp(bytebuf, avp, 4);
1455
1456 /* Host Name */
1457 memset(avp, 0, sizeof(*avp));
1458 avp->is_mandatory = 1;
1459 avp->attr_type = L2TP_AVP_TYPE_HOST_NAME;
1460 if ((val = L2TP_CTRL_CONF(_this)->hostname) == NULL) {
1461 gethostname(hbuf, sizeof(hbuf));
1462 val = hbuf;
1463 }
1464 len = strlen(val);
1465 memcpy(avp->attr_value, val, len);
1466 bytebuf_add_avp(bytebuf, avp, len);
1467
1468 /* Assigned Tunnel Id */
1469 memset(avp, 0, sizeof(*avp));
1470 avp->is_mandatory = 1;
1471 avp->attr_type = L2TP_AVP_TYPE_ASSINGED_TUNNEL_ID;
1472 avp_set_val16(avp, _this->tunnel_id);
1473 bytebuf_add_avp(bytebuf, avp, 2);
1474
1475 /* Bearer Capability
1476 * This implementation never act as LAC.
1477 *
1478 memset(avp, 0, sizeof(*avp));
1479 avp->is_mandatory = 1;
1480 avp->attr_type = L2TP_AVP_TYPE_BEARER_CAPABILITIES;
1481 avp_set_val32(avp, 0);
1482 bytebuf_add_avp(bytebuf, avp, 4);
1483 */
1484
1485 /* Firmware Revision */
1486 memset(avp, 0, sizeof(*avp));
1487 avp->is_mandatory = 0;
1488 avp->attr_type = L2TP_AVP_TYPE_FIRMWARE_REVISION;
1489 avp->attr_value[0] = MAJOR_VERSION;
1490 avp->attr_value[1] = MINOR_VERSION;
1491 bytebuf_add_avp(bytebuf, avp, 2);
1492
1493 /* Vendor Name */
1494 if ((val = L2TP_CTRL_CONF(_this)->vendor_name) != NULL) {
1495 memset(avp, 0, sizeof(*avp));
1496 avp->is_mandatory = 0;
1497 avp->attr_type = L2TP_AVP_TYPE_VENDOR_NAME;
1498
1499 len = strlen(val);
1500 memcpy(avp->attr_value, val, len);
1501 bytebuf_add_avp(bytebuf, avp, len);
1502 }
1503
1504 /* Window Size */
1505 memset(avp, 0, sizeof(*avp));
1506 avp->is_mandatory = 1;
1507 avp->attr_type = L2TP_AVP_TYPE_RECV_WINDOW_SIZE;
1508 avp_set_val16(avp, _this->winsz);
1509 bytebuf_add_avp(bytebuf, avp, 2);
1510
1511 if ((l2tp_ctrl_send_packet(_this, 0, bytebuf)) != 0) {
1512 l2tp_ctrl_log(_this, LOG_ERR, "sending SCCRP failed");
1513 l2tp_ctrl_stop(_this, L2TP_STOP_CCN_RCODE_GENERAL);
1514 return;
1515 }
1516 l2tp_ctrl_log(_this, LOG_INFO, "SendSCCRP");
1517 }
1518
1519 static int
l2tp_ctrl_send_HELLO(l2tp_ctrl * _this)1520 l2tp_ctrl_send_HELLO(l2tp_ctrl *_this)
1521 {
1522 struct l2tp_avp *avp;
1523 char buf[L2TP_AVP_MAXSIZ];
1524 bytebuffer *bytebuf;
1525
1526 if ((bytebuf = l2tp_ctrl_prepare_snd_buffer(_this, 1)) == NULL) {
1527 l2tp_ctrl_log(_this, LOG_ERR,
1528 "sending HELLO failed: no buffer.");
1529 return 1;
1530 }
1531 avp = (struct l2tp_avp *)buf;
1532
1533 /* Message Type = HELLO */
1534 memset(avp, 0, sizeof(*avp));
1535 avp->is_mandatory = 1;
1536 avp->attr_type = L2TP_AVP_TYPE_MESSAGE_TYPE;
1537 avp_set_val16(avp, L2TP_AVP_MESSAGE_TYPE_HELLO);
1538 bytebuf_add_avp(bytebuf, avp, 2);
1539
1540 if ((l2tp_ctrl_send_packet(_this, 0, bytebuf)) != 0) {
1541 l2tp_ctrl_log(_this, LOG_ERR, "sending HELLO failed");
1542 l2tp_ctrl_stop(_this, L2TP_STOP_CCN_RCODE_GENERAL);
1543 return 1;
1544 }
1545 l2tp_ctrl_log(_this, LOG_DEBUG, "SendHELLO");
1546
1547 return 0;
1548 }
1549
1550 /* Send ZLB */
1551 static int
l2tp_ctrl_send_ZLB(l2tp_ctrl * _this)1552 l2tp_ctrl_send_ZLB(l2tp_ctrl *_this)
1553 {
1554 int loglevel;
1555
1556 loglevel = (_this->state == L2TP_CTRL_STATE_ESTABLISHED)
1557 ? LOG_DEBUG : LOG_INFO;
1558 l2tp_ctrl_log(_this, loglevel, "SendZLB");
1559 bytebuffer_clear(_this->zlb_buffer);
1560 bytebuffer_put(_this->zlb_buffer, BYTEBUFFER_PUT_DIRECT,
1561 sizeof(struct l2tp_header));
1562
1563 return l2tp_ctrl_send_packet(_this, 0, _this->zlb_buffer);
1564 }
1565
1566 /*
1567 * Utility
1568 */
1569
1570 /**
1571 * Prepare send buffer
1572 * @return return Null when the send buffer exceed Window.
1573 */
1574 bytebuffer *
l2tp_ctrl_prepare_snd_buffer(l2tp_ctrl * _this,int with_seq)1575 l2tp_ctrl_prepare_snd_buffer(l2tp_ctrl *_this, int with_seq)
1576 {
1577 bytebuffer *bytebuf;
1578
1579 L2TP_CTRL_ASSERT(_this != NULL);
1580
1581 if (l2tp_ctrl_txwin_is_full(_this)) {
1582 l2tp_ctrl_log(_this, LOG_INFO, "sending buffer is full.");
1583 return NULL;
1584 }
1585 bytebuf = _this->snd_buffers[_this->snd_nxt % _this->snd_buffercnt];
1586 bytebuffer_clear(bytebuf);
1587 if (with_seq)
1588 bytebuffer_put(bytebuf, BYTEBUFFER_PUT_DIRECT,
1589 sizeof(struct l2tp_header));
1590 else
1591 bytebuffer_put(bytebuf, BYTEBUFFER_PUT_DIRECT,
1592 offsetof(struct l2tp_header, ns));
1593
1594 return bytebuf;
1595 }
1596
1597 /**
1598 * return current state as strings
1599 */
1600 static inline const char *
l2tp_ctrl_state_string(l2tp_ctrl * _this)1601 l2tp_ctrl_state_string(l2tp_ctrl *_this)
1602 {
1603 switch (_this->state) {
1604 case L2TP_CTRL_STATE_IDLE: return "idle";
1605 case L2TP_CTRL_STATE_WAIT_CTL_CONN: return "wait-ctl-conn";
1606 case L2TP_CTRL_STATE_WAIT_CTL_REPLY: return "wait-ctl-reply";
1607 case L2TP_CTRL_STATE_ESTABLISHED: return "established";
1608 case L2TP_CTRL_STATE_CLEANUP_WAIT: return "cleanup-wait";
1609 }
1610 return "unknown";
1611 }
1612
1613 /* logging with the label of the l2tp instance. */
1614 void
l2tp_ctrl_log(l2tp_ctrl * _this,int prio,const char * fmt,...)1615 l2tp_ctrl_log(l2tp_ctrl *_this, int prio, const char *fmt, ...)
1616 {
1617 char logbuf[BUFSIZ];
1618 va_list ap;
1619
1620 va_start(ap, fmt);
1621 #ifdef L2TPD_MULTIPLE
1622 snprintf(logbuf, sizeof(logbuf), "l2tpd id=%u ctrl=%u %s",
1623 _this->l2tpd->id, _this->id, fmt);
1624 #else
1625 snprintf(logbuf, sizeof(logbuf), "l2tpd ctrl=%u %s", _this->id, fmt);
1626 #endif
1627 vlog_printf(prio, logbuf, ap);
1628 va_end(ap);
1629 }
1630