1 /* $OpenBSD: l2tp_ctrl.c,v 1.26 2021/05/22 08:29:57 yasuoka Exp $ */ 2 3 /*- 4 * Copyright (c) 2009 Internet Initiative Japan Inc. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 /**@file Control connection processing functions for L2TP LNS */ 29 /* $Id: l2tp_ctrl.c,v 1.26 2021/05/22 08:29:57 yasuoka Exp $ */ 30 #include <sys/types.h> 31 #include <sys/time.h> 32 #include <sys/socket.h> 33 #include <netinet/in.h> 34 #include <net/if.h> 35 #include <arpa/inet.h> 36 #include <endian.h> 37 #include <errno.h> 38 #include <event.h> 39 #include <netdb.h> 40 #include <stdarg.h> 41 #include <stddef.h> 42 #include <stdio.h> 43 #include <stdlib.h> 44 #include <string.h> 45 #include <syslog.h> 46 #include <time.h> 47 #include <unistd.h> 48 #include <limits.h> 49 50 #ifdef USE_LIBSOCKUTIL 51 #include <seil/sockfromto.h> 52 #endif 53 54 #include "time_utils.h" 55 #include "bytebuf.h" 56 #include "hash.h" 57 #include "debugutil.h" 58 #include "slist.h" 59 #include "l2tp.h" 60 #include "l2tp_local.h" 61 #include "l2tp_subr.h" 62 #include "net_utils.h" 63 #include "version.h" 64 #include "recvfromto.h" 65 66 #define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) 67 68 static int l2tp_ctrl_init(l2tp_ctrl *, l2tpd *, struct sockaddr *, struct sockaddr *, void *); 69 static void l2tp_ctrl_reload(l2tp_ctrl *); 70 static int l2tp_ctrl_send_disconnect_notify(l2tp_ctrl *); 71 static void l2tp_ctrl_timeout(int, short, void *); 72 static int l2tp_ctrl_resend_una_packets(l2tp_ctrl *, bool); 73 static void l2tp_ctrl_destroy_all_calls(l2tp_ctrl *); 74 static int l2tp_ctrl_disconnect_all_calls(l2tp_ctrl *, int); 75 static void l2tp_ctrl_reset_timeout(l2tp_ctrl *); 76 static int l2tp_ctrl_txwin_size(l2tp_ctrl *); 77 static bool l2tp_ctrl_txwin_is_full(l2tp_ctrl *); 78 static bool l2tp_ctrl_in_peer_window(l2tp_ctrl *, uint16_t); 79 static bool l2tp_ctrl_in_our_window(l2tp_ctrl *, uint16_t); 80 static int l2tp_ctrl_recv_SCCRQ(l2tp_ctrl *, u_char *, int, l2tpd *, struct sockaddr *); 81 static int l2tp_ctrl_send_StopCCN(l2tp_ctrl *, int); 82 static int l2tp_ctrl_recv_StopCCN(l2tp_ctrl *, u_char *, int); 83 static void l2tp_ctrl_send_SCCRP(l2tp_ctrl *); 84 static int l2tp_ctrl_send_HELLO(l2tp_ctrl *); 85 static int l2tp_ctrl_send_ZLB(l2tp_ctrl *); 86 static const char *l2tp_ctrl_state_string(l2tp_ctrl *); 87 88 #ifdef L2TP_CTRL_DEBUG 89 #define L2TP_CTRL_ASSERT(x) ASSERT(x) 90 #define L2TP_CTRL_DBG(x) l2tp_ctrl_log x 91 #else 92 #define L2TP_CTRL_ASSERT(x) 93 #define L2TP_CTRL_DBG(x) 94 #endif 95 96 /* Sequence # of l2tp_ctrl ID */ 97 static u_int l2tp_ctrl_id_seq = 0; 98 99 #define SEQ_LT(a,b) ((int16_t)((a) - (b)) < 0) 100 #define SEQ_GT(a,b) ((int16_t)((a) - (b)) > 0) 101 102 /** 103 * Build instance of {@link ::_l2tp_ctrl L2TP LNS control connection} 104 */ 105 l2tp_ctrl * 106 l2tp_ctrl_create(void) 107 { 108 109 return calloc(1, sizeof(l2tp_ctrl)); 110 } 111 112 /** 113 * initialize and startup of {@link ::_l2tp_ctrl L2TP LNS control connection} 114 * instance 115 */ 116 static int 117 l2tp_ctrl_init(l2tp_ctrl *_this, l2tpd *_l2tpd, struct sockaddr *peer, 118 struct sockaddr *sock, void *nat_t_ctx) 119 { 120 int tunid, i; 121 bytebuffer *bytebuf; 122 time_t curr_time; 123 124 memset(_this, 0, sizeof(l2tp_ctrl)); 125 126 curr_time = get_monosec(); 127 _this->l2tpd = _l2tpd; 128 _this->state = L2TP_CTRL_STATE_IDLE; 129 _this->last_snd_ctrl = curr_time; 130 131 slist_init(&_this->call_list); 132 133 /* seek a free tunnel ID */ 134 i = 0; 135 _this->id = ++l2tp_ctrl_id_seq; 136 for (i = 0, tunid = _this->id; ; i++, tunid++) { 137 tunid &= 0xffff; 138 _this->tunnel_id = l2tp_ctrl_id_seq & 0xffff; 139 if (tunid == 0) 140 continue; 141 if (l2tpd_get_ctrl(_l2tpd, tunid) == NULL) 142 break; 143 if (i > 80000) { 144 /* this must be happen, just log it. */ 145 l2tpd_log(_l2tpd, LOG_ERR, "Too many l2tp controls"); 146 return -1; 147 } 148 } 149 150 _this->tunnel_id = tunid; 151 152 L2TP_CTRL_ASSERT(peer != NULL); 153 L2TP_CTRL_ASSERT(sock != NULL); 154 memcpy(&_this->peer, peer, peer->sa_len); 155 memcpy(&_this->sock, sock, sock->sa_len); 156 157 /* prepare send buffer */ 158 _this->winsz = L2TPD_DEFAULT_SEND_WINSZ; 159 /* 160 * _this->winsz is informed as our receive window size. Also 161 * MIN(_this->winsz, _this->peer_winsiz) is used for the size of 162 * transmit side window. We need winsz * 2 sized buffer so that a 163 * stingy client can fill both of window separately. 164 */ 165 _this->snd_buffercnt = _this->winsz * 2; 166 if ((_this->snd_buffers = calloc(_this->snd_buffercnt, 167 sizeof(bytebuffer *))) == NULL) { 168 l2tpd_log(_l2tpd, LOG_ERR, 169 "calloc() failed in %s(): %m", __func__); 170 goto fail; 171 } 172 for (i = 0; i < _this->snd_buffercnt; i++) { 173 if ((bytebuf = bytebuffer_create(L2TPD_SND_BUFSIZ)) == NULL) { 174 l2tpd_log(_l2tpd, LOG_ERR, 175 "bytebuffer_create() failed in %s(): %m", __func__); 176 goto fail; 177 } 178 _this->snd_buffers[i] = bytebuf; 179 } 180 if ((_this->zlb_buffer = bytebuffer_create(sizeof(struct l2tp_header) 181 + 128)) == NULL) { 182 l2tpd_log(_l2tpd, LOG_ERR, 183 "bytebuffer_create() failed in %s(): %m", __func__); 184 goto fail; 185 } 186 #if defined(USE_LIBSOCKUTIL) || defined(USE_SA_COOKIE) 187 if (nat_t_ctx != NULL) { 188 if ((_this->sa_cookie = malloc( 189 sizeof(struct in_ipsec_sa_cookie))) != NULL) { 190 *(struct in_ipsec_sa_cookie *)_this->sa_cookie = 191 *(struct in_ipsec_sa_cookie *)nat_t_ctx; 192 } else { 193 l2tpd_log(_l2tpd, LOG_ERR, 194 "creating sa_cookie failed: %m"); 195 goto fail; 196 } 197 } 198 #endif 199 _this->hello_interval = L2TP_CTRL_DEFAULT_HELLO_INTERVAL; 200 _this->hello_timeout = L2TP_CTRL_DEFAULT_HELLO_TIMEOUT; 201 _this->hello_io_time = curr_time; 202 203 /* initialize timeout timer */ 204 l2tp_ctrl_reset_timeout(_this); 205 206 /* register l2tp context */ 207 l2tpd_add_ctrl(_l2tpd, _this); 208 return 0; 209 fail: 210 l2tp_ctrl_stop(_this, 0); 211 return -1; 212 } 213 214 /* 215 * setup {@link ::_l2tp_ctrl L2TP LNS control connection} instance 216 */ 217 static void 218 l2tp_ctrl_reload(l2tp_ctrl *_this) 219 { 220 _this->data_use_seq = L2TP_CTRL_CONF(_this)->data_use_seq; 221 if (L2TP_CTRL_CONF(_this)->hello_interval != 0) 222 _this->hello_interval = L2TP_CTRL_CONF(_this)->hello_interval; 223 if (L2TP_CTRL_CONF(_this)->hello_timeout != 0) 224 _this->hello_timeout = L2TP_CTRL_CONF(_this)->hello_timeout; 225 } 226 227 /* 228 * free {@link ::_l2tp_ctrl L2TP LNS control connection} instance 229 */ 230 void 231 l2tp_ctrl_destroy(l2tp_ctrl *_this) 232 { 233 L2TP_CTRL_ASSERT(_this != NULL); 234 #if defined(USE_LIBSOCKUTIL) || defined(USE_SA_COOKIE) 235 free(_this->sa_cookie); 236 #endif 237 free(_this); 238 } 239 240 /* 241 * nortify disconnection to peer 242 * 243 * @return 0: all CDN and StopCCN have been sent. 244 * N: if the remaining calls which still not sent CDN exist, 245 * return # of the calls. 246 * -1: when try to send of StopCCN failed. 247 */ 248 static int 249 l2tp_ctrl_send_disconnect_notify(l2tp_ctrl *_this) 250 { 251 int ncalls; 252 253 L2TP_CTRL_ASSERT(_this != NULL) 254 L2TP_CTRL_ASSERT(_this->state == L2TP_CTRL_STATE_ESTABLISHED || 255 _this->state == L2TP_CTRL_STATE_CLEANUP_WAIT); 256 257 /* this control is not actively closing or StopCCN have been sent */ 258 if (_this->active_closing == 0) 259 return 0; 260 261 /* Send CDN all Calls */ 262 ncalls = 0; 263 if (slist_length(&_this->call_list) != 0) { 264 ncalls = l2tp_ctrl_disconnect_all_calls(_this, 0); 265 if (ncalls > 0) { 266 /* 267 * Call the function again to check whether the 268 * sending window is fulled. In case ncalls == 0, 269 * it means we've sent CDN for all calls. 270 */ 271 ncalls = l2tp_ctrl_disconnect_all_calls(_this, 0); 272 } 273 } 274 if (ncalls > 0) 275 return ncalls; 276 277 if (l2tp_ctrl_send_StopCCN(_this, _this->active_closing) != 0) 278 return -1; 279 _this->active_closing = 0; 280 281 return 0; 282 } 283 284 /* 285 * Terminate the control connection 286 * 287 * <p> 288 * please specify an appropriate value to result( >0 ) for 289 * StopCCN ResultCode AVP, when to sent Active Close (which 290 * require StopCCN sent).</p> 291 * <p> 292 * When the return value of this function is zero, the _this 293 * is already released. The lt2p_ctrl process that was bound to it 294 * could not continue. 295 * When the return value of this function is one, the timer 296 * is reset.</p> 297 * 298 * @return return 0 if terminate process was completed. 299 */ 300 int 301 l2tp_ctrl_stop(l2tp_ctrl *_this, int result) 302 { 303 int i; 304 l2tpd *_l2tpd; 305 306 L2TP_CTRL_ASSERT(_this != NULL); 307 308 switch (_this->state) { 309 case L2TP_CTRL_STATE_ESTABLISHED: 310 _this->state = L2TP_CTRL_STATE_CLEANUP_WAIT; 311 if (result > 0) { 312 _this->active_closing = result; 313 l2tp_ctrl_send_disconnect_notify(_this); 314 break; 315 } 316 goto cleanup; 317 default: 318 l2tp_ctrl_log(_this, LOG_DEBUG, "%s() unexpected state=%s", 319 __func__, l2tp_ctrl_state_string(_this)); 320 /* FALLTHROUGH */ 321 case L2TP_CTRL_STATE_WAIT_CTL_CONN: 322 /* FALLTHROUGH */ 323 case L2TP_CTRL_STATE_CLEANUP_WAIT: 324 cleanup: 325 if (slist_length(&_this->call_list) != 0) { 326 if (l2tp_ctrl_disconnect_all_calls(_this, 1) > 0) 327 break; 328 } 329 330 l2tp_ctrl_log(_this, LOG_NOTICE, "logtype=Finished"); 331 332 evtimer_del(&_this->ev_timeout); 333 334 /* free send buffer */ 335 if (_this->snd_buffers != NULL) { 336 for (i = 0; i < _this->snd_buffercnt; i++) 337 bytebuffer_destroy(_this->snd_buffers[i]); 338 free(_this->snd_buffers); 339 _this->snd_buffers = NULL; 340 } 341 if (_this->zlb_buffer != NULL) { 342 bytebuffer_destroy(_this->zlb_buffer); 343 _this->zlb_buffer = NULL; 344 } 345 346 /* free l2tp_call */ 347 l2tp_ctrl_destroy_all_calls(_this); 348 slist_fini(&_this->call_list); 349 350 l2tpd_remove_ctrl(_this->l2tpd, _this->tunnel_id); 351 352 _l2tpd = _this->l2tpd; 353 l2tp_ctrl_destroy(_this); 354 355 l2tpd_ctrl_finished_notify(_l2tpd); 356 return 0; /* stopped */ 357 } 358 l2tp_ctrl_reset_timeout(_this); 359 360 return 1; 361 } 362 363 /* timeout processing */ 364 static void 365 l2tp_ctrl_timeout(int fd, short evtype, void *ctx) 366 { 367 int next_timeout, need_resend; 368 time_t curr_time; 369 l2tp_ctrl *_this; 370 l2tp_call *call; 371 372 /* 373 * the timer must be reset, when leave this function. 374 * MEMO: l2tp_ctrl_stop() will reset the timer in it. 375 * and please remember that the l2tp_ctrl_stop() may free _this. 376 */ 377 _this = ctx; 378 L2TP_CTRL_ASSERT(_this != NULL); 379 380 curr_time = get_monosec(); 381 382 next_timeout = 2; 383 need_resend = 0; 384 385 if (l2tp_ctrl_txwin_size(_this) > 0) { 386 if (_this->state == L2TP_CTRL_STATE_ESTABLISHED) { 387 if (_this->hello_wait_ack != 0) { 388 /* wait Hello reply */ 389 if (curr_time - _this->hello_io_time >= 390 _this->hello_timeout) { 391 l2tp_ctrl_log(_this, LOG_NOTICE, 392 "timeout waiting ack for hello " 393 "packets."); 394 l2tp_ctrl_stop(_this, 395 L2TP_STOP_CCN_RCODE_GENERAL); 396 return; 397 } 398 } 399 } else if (curr_time - _this->last_snd_ctrl >= 400 L2TP_CTRL_CTRL_PKT_TIMEOUT) { 401 l2tp_ctrl_log(_this, LOG_NOTICE, 402 "timeout waiting ack for ctrl packets."); 403 l2tp_ctrl_stop(_this, 404 L2TP_STOP_CCN_RCODE_GENERAL); 405 return; 406 } 407 need_resend = 1; 408 } else { 409 for (slist_itr_first(&_this->call_list); 410 slist_itr_has_next(&_this->call_list);) { 411 call = slist_itr_next(&_this->call_list); 412 if (call->state == L2TP_CALL_STATE_CLEANUP_WAIT) { 413 l2tp_call_destroy(call, 1); 414 slist_itr_remove(&_this->call_list); 415 } 416 } 417 } 418 419 switch (_this->state) { 420 case L2TP_CTRL_STATE_IDLE: 421 /* 422 * idle: 423 * XXX: never happen in current implementation 424 */ 425 l2tp_ctrl_log(_this, LOG_ERR, 426 "Internal error, timeout on illegal state=idle"); 427 l2tp_ctrl_stop(_this, L2TP_STOP_CCN_RCODE_GENERAL); 428 break; 429 case L2TP_CTRL_STATE_WAIT_CTL_CONN: 430 /* 431 * wait-ctrl-conn: 432 * if there is no ack for SCCRP, the peer will 433 * resend SCCRQ. however this implementation can 434 * not recognize that the SCCRQ was resent or not. 435 * Therefore, never resent from this side. 436 */ 437 need_resend = 0; 438 break; 439 case L2TP_CTRL_STATE_ESTABLISHED: 440 if (slist_length(&_this->call_list) == 0 && 441 curr_time - _this->last_snd_ctrl >= 442 L2TP_CTRL_WAIT_CALL_TIMEOUT) { 443 if (_this->ncalls == 0) 444 /* fail to receive first call */ 445 l2tp_ctrl_log(_this, LOG_WARNING, 446 "timeout waiting call"); 447 l2tp_ctrl_stop(_this, 448 L2TP_STOP_CCN_RCODE_GENERAL); 449 return; 450 } 451 if (_this->hello_wait_ack == 0 && _this->hello_interval > 0) { 452 /* send Hello */ 453 if (curr_time - _this->hello_interval >= 454 _this->hello_io_time) { 455 if (l2tp_ctrl_send_HELLO(_this) == 0) 456 /* success */ 457 _this->hello_wait_ack = 1; 458 _this->hello_io_time = curr_time; 459 need_resend = 0; 460 } 461 } 462 break; 463 case L2TP_CTRL_STATE_CLEANUP_WAIT: 464 if (curr_time - _this->last_snd_ctrl >= 465 L2TP_CTRL_CLEANUP_WAIT_TIME) { 466 l2tp_ctrl_log(_this, LOG_NOTICE, 467 "Cleanup timeout state=%d", _this->state); 468 l2tp_ctrl_stop(_this, 0); 469 return; 470 } 471 if (_this->active_closing != 0) 472 l2tp_ctrl_send_disconnect_notify(_this); 473 break; 474 default: 475 l2tp_ctrl_log(_this, LOG_ERR, 476 "Internal error, timeout on illegal state=%d", 477 _this->state); 478 l2tp_ctrl_stop(_this, L2TP_STOP_CCN_RCODE_GENERAL); 479 return; 480 } 481 /* resend if required */ 482 if (need_resend) 483 l2tp_ctrl_resend_una_packets(_this, true); 484 l2tp_ctrl_reset_timeout(_this); 485 } 486 487 int 488 l2tp_ctrl_send(l2tp_ctrl *_this, const void *msg, int len) 489 { 490 int rval; 491 492 #ifdef USE_LIBSOCKUTIL 493 if (_this->sa_cookie != NULL) 494 rval = sendfromto_nat_t(LISTENER_SOCK(_this), msg, len, 0, 495 (struct sockaddr *)&_this->sock, 496 (struct sockaddr *)&_this->peer, _this->sa_cookie); 497 else 498 rval = sendfromto(LISTENER_SOCK(_this), msg, len, 0, 499 (struct sockaddr *)&_this->sock, 500 (struct sockaddr *)&_this->peer); 501 #else 502 #ifdef USE_SA_COOKIE 503 if (_this->sa_cookie != NULL) 504 rval = sendto_nat_t(LISTENER_SOCK(_this), msg, len, 0, 505 (struct sockaddr *)&_this->peer, _this->peer.ss_len, 506 _this->sa_cookie); 507 else 508 #endif 509 rval = sendto(LISTENER_SOCK(_this), msg, len, 0, 510 (struct sockaddr *)&_this->peer, _this->peer.ss_len); 511 #endif 512 return rval; 513 } 514 515 /* resend una packets */ 516 static int 517 l2tp_ctrl_resend_una_packets(l2tp_ctrl *_this, bool resend) 518 { 519 uint16_t seq; 520 bytebuffer *bytebuf; 521 struct l2tp_header *header; 522 int nsend; 523 524 nsend = 0; 525 for (seq = _this->snd_una; SEQ_LT(seq, _this->snd_nxt); seq++) { 526 if (!l2tp_ctrl_in_peer_window(_this, seq)) 527 break; 528 if (SEQ_LT(seq, _this->snd_last) && !resend) 529 continue; 530 bytebuf = _this->snd_buffers[seq % _this->snd_buffercnt]; 531 header = bytebuffer_pointer(bytebuf); 532 header->nr = htons(_this->rcv_nxt); 533 _this->snd_lastnr = _this->rcv_nxt; 534 #ifdef L2TP_CTRL_DEBUG 535 if (debuglevel >= 3) { 536 l2tp_ctrl_log(_this, DEBUG_LEVEL_3, "RESEND seq=%u", 537 ntohs(header->ns)); 538 show_hd(debug_get_debugfp(), 539 bytebuffer_pointer(bytebuf), 540 bytebuffer_remaining(bytebuf)); 541 } 542 #endif 543 if (l2tp_ctrl_send(_this, bytebuffer_pointer(bytebuf), 544 bytebuffer_remaining(bytebuf)) < 0) { 545 l2tp_ctrl_log(_this, LOG_ERR, 546 "sendto() failed in %s: %m", __func__); 547 return -1; 548 } 549 nsend++; 550 } 551 return nsend; 552 } 553 554 /* free all calls */ 555 static void 556 l2tp_ctrl_destroy_all_calls(l2tp_ctrl *_this) 557 { 558 l2tp_call *call; 559 560 L2TP_CTRL_ASSERT(_this != NULL); 561 562 while ((call = slist_remove_first(&_this->call_list)) != NULL) 563 l2tp_call_destroy(call, 1); 564 } 565 566 567 /* disconnect all calls on the control context 568 * @return return # of calls that is not waiting cleanup. 569 */ 570 static int 571 l2tp_ctrl_disconnect_all_calls(l2tp_ctrl *_this, int drop) 572 { 573 int i, len, ncalls; 574 l2tp_call *call; 575 576 L2TP_CTRL_ASSERT(_this != NULL); 577 578 ncalls = 0; 579 len = slist_length(&_this->call_list); 580 for (i = 0; i < len; i++) { 581 call = slist_get(&_this->call_list, i); 582 if (call->state != L2TP_CALL_STATE_CLEANUP_WAIT) { 583 ncalls++; 584 if (l2tp_ctrl_txwin_is_full(_this)) { 585 L2TP_CTRL_DBG((_this, LOG_INFO, 586 "Too many calls. Sending window is not " 587 "enough to send CDN to all clients.")); 588 if (drop) 589 l2tp_call_drop(call); 590 } else 591 l2tp_call_admin_disconnect(call); 592 } 593 } 594 return ncalls; 595 } 596 597 /* reset timeout */ 598 static void 599 l2tp_ctrl_reset_timeout(l2tp_ctrl *_this) 600 { 601 int intvl; 602 struct timeval tv0; 603 604 L2TP_CTRL_ASSERT(_this != NULL); 605 606 if (evtimer_initialized(&_this->ev_timeout)) 607 evtimer_del(&_this->ev_timeout); 608 609 switch (_this->state) { 610 case L2TP_CTRL_STATE_CLEANUP_WAIT: 611 intvl = 1; 612 break; 613 default: 614 intvl = 2; 615 break; 616 } 617 tv0.tv_usec = 0; 618 tv0.tv_sec = intvl; 619 if (!evtimer_initialized(&_this->ev_timeout)) 620 evtimer_set(&_this->ev_timeout, l2tp_ctrl_timeout, _this); 621 evtimer_add(&_this->ev_timeout, &tv0); 622 } 623 624 /* 625 * protocols / send and receive 626 */ 627 /* Receive packet */ 628 void 629 l2tp_ctrl_input(l2tpd *_this, int listener_index, struct sockaddr *peer, 630 struct sockaddr *sock, void *nat_t_ctx, u_char *pkt, int pktlen) 631 { 632 int i, len, offsiz, reqlen, is_ctrl; 633 uint16_t mestype; 634 struct l2tp_avp *avp, *avp0; 635 l2tp_ctrl *ctrl; 636 l2tp_call *call; 637 char buf[L2TP_AVP_MAXSIZ], errmsg[256]; 638 time_t curr_time; 639 u_char *pkt0; 640 struct l2tp_header hdr; 641 char hbuf[NI_MAXHOST + NI_MAXSERV + 16]; 642 643 ctrl = NULL; 644 curr_time = get_monosec(); 645 pkt0 = pkt; 646 647 L2TP_CTRL_ASSERT(peer->sa_family == sock->sa_family); 648 L2TP_CTRL_ASSERT(peer->sa_family == AF_INET || 649 peer->sa_family == AF_INET6) 650 /* 651 * Parse L2TP Header 652 */ 653 memset(&hdr, 0, sizeof(hdr)); 654 if (pktlen < 2) { 655 snprintf(errmsg, sizeof(errmsg), "a short packet. " 656 "length=%d", pktlen); 657 goto bad_packet; 658 } 659 memcpy(&hdr, pkt, 2); 660 pkt += 2; 661 if (hdr.ver != L2TP_HEADER_VERSION_RFC2661) { 662 /* XXX: only RFC2661 is supported */ 663 snprintf(errmsg, sizeof(errmsg), 664 "Unsupported version at header = %d", hdr.ver); 665 goto bad_packet; 666 } 667 is_ctrl = (hdr.t != 0)? 1 : 0; 668 669 /* calc required length */ 670 reqlen = 6; /* for Flags, Tunnel-Id, Session-Id field */ 671 if (hdr.l) reqlen += 2; /* for Length field (opt) */ 672 if (hdr.s) reqlen += 4; /* for Ns, Nr field (opt) */ 673 if (hdr.o) reqlen += 2; /* for Offset Size field (opt) */ 674 if (reqlen > pktlen) { 675 snprintf(errmsg, sizeof(errmsg), 676 "a short packet. length=%d", pktlen); 677 goto bad_packet; 678 } 679 680 if (hdr.l != 0) { 681 GETSHORT(hdr.length, pkt); 682 if (hdr.length > pktlen) { 683 snprintf(errmsg, sizeof(errmsg), 684 "Actual packet size is smaller than the length " 685 "field %d < %d", pktlen, hdr.length); 686 goto bad_packet; 687 } 688 pktlen = hdr.length; /* remove trailing trash */ 689 } 690 GETSHORT(hdr.tunnel_id, pkt); 691 GETSHORT(hdr.session_id, pkt); 692 if (hdr.s != 0) { 693 GETSHORT(hdr.ns, pkt); 694 GETSHORT(hdr.nr, pkt); 695 } 696 if (hdr.o != 0) { 697 GETSHORT(offsiz, pkt); 698 if (pktlen < offsiz) { 699 snprintf(errmsg, sizeof(errmsg), 700 "offset field is bigger than remaining packet " 701 "length %d > %d", offsiz, pktlen); 702 goto bad_packet; 703 } 704 pkt += offsiz; 705 } 706 L2TP_CTRL_ASSERT(pkt - pkt0 == reqlen); 707 pktlen -= (pkt - pkt0); /* cut down the length of header */ 708 709 ctrl = NULL; 710 memset(buf, 0, sizeof(buf)); 711 mestype = 0; 712 avp = NULL; 713 714 if (is_ctrl) { 715 avp0 = (struct l2tp_avp *)buf; 716 avp = avp_find_message_type_avp(avp0, pkt, pktlen); 717 if (avp != NULL) 718 mestype = avp->attr_value[0] << 8 | avp->attr_value[1]; 719 } 720 ctrl = l2tpd_get_ctrl(_this, hdr.tunnel_id); 721 722 if (ctrl == NULL) { 723 /* new control */ 724 if (!is_ctrl) { 725 snprintf(errmsg, sizeof(errmsg), 726 "bad data message: tunnelId=%d is not " 727 "found.", hdr.tunnel_id); 728 goto bad_packet; 729 } 730 if (mestype != L2TP_AVP_MESSAGE_TYPE_SCCRQ) { 731 snprintf(errmsg, sizeof(errmsg), 732 "bad control message: tunnelId=%d is not " 733 "found. mestype=%s", hdr.tunnel_id, 734 avp_mes_type_string(mestype)); 735 goto bad_packet; 736 } 737 738 if ((ctrl = l2tp_ctrl_create()) == NULL) { 739 l2tp_ctrl_log(ctrl, LOG_ERR, 740 "l2tp_ctrl_create() failed: %m"); 741 goto fail; 742 } 743 744 if (l2tp_ctrl_init(ctrl, _this, peer, sock, nat_t_ctx) != 0) { 745 l2tp_ctrl_log(ctrl, LOG_ERR, 746 "l2tp_ctrl_start() failed: %m"); 747 goto fail; 748 } 749 750 ctrl->listener_index = listener_index; 751 l2tp_ctrl_reload(ctrl); 752 } else { 753 /* 754 * treat as an error if src address and port is not 755 * match. (because it is potentially DoS attach) 756 */ 757 int notmatch = 0; 758 759 if (ctrl->peer.ss_family != peer->sa_family) 760 notmatch = 1; 761 else if (peer->sa_family == AF_INET) { 762 if (SIN(peer)->sin_addr.s_addr != 763 SIN(&ctrl->peer)->sin_addr.s_addr || 764 SIN(peer)->sin_port != SIN(&ctrl->peer)->sin_port) 765 notmatch = 1; 766 } else if (peer->sa_family == AF_INET6) { 767 if (!IN6_ARE_ADDR_EQUAL(&(SIN6(peer)->sin6_addr), 768 &(SIN6(&ctrl->peer)->sin6_addr)) || 769 SIN6(peer)->sin6_port != 770 SIN6(&ctrl->peer)->sin6_port) 771 notmatch = 1; 772 } 773 if (notmatch) { 774 snprintf(errmsg, sizeof(errmsg), 775 "tunnelId=%u is already assigned for %s", 776 hdr.tunnel_id, addrport_tostring( 777 (struct sockaddr *)&ctrl->peer, 778 ctrl->peer.ss_len, hbuf, sizeof(hbuf))); 779 goto bad_packet; 780 } 781 } 782 ctrl->last_rcv = curr_time; 783 call = NULL; 784 if (hdr.session_id != 0) { 785 /* search l2tp_call by Session ID */ 786 /* linear search is enough for this purpose */ 787 len = slist_length(&ctrl->call_list); 788 for (i = 0; i < len; i++) { 789 call = slist_get(&ctrl->call_list, i); 790 if (call->session_id == hdr.session_id) 791 break; 792 call = NULL; 793 } 794 } 795 if (!is_ctrl) { 796 int delayed = 0; 797 798 /* L2TP data */ 799 if (ctrl->state != L2TP_CTRL_STATE_ESTABLISHED) { 800 l2tp_ctrl_log(ctrl, LOG_WARNING, 801 "Received Data packet in '%s'", 802 l2tp_ctrl_state_string(ctrl)); 803 goto fail; 804 } 805 if (call == NULL) { 806 l2tp_ctrl_log(ctrl, LOG_WARNING, 807 "Received a data packet but it has no call. " 808 "session_id=%u", hdr.session_id); 809 goto fail; 810 } 811 L2TP_CTRL_DBG((ctrl, DEBUG_LEVEL_2, 812 "call=%u RECV ns=%u nr=%u snd_nxt=%u rcv_nxt=%u len=%d", 813 call->id, hdr.ns, hdr.nr, call->snd_nxt, call->rcv_nxt, 814 pktlen)); 815 if (call->state != L2TP_CALL_STATE_ESTABLISHED){ 816 l2tp_ctrl_log(ctrl, LOG_WARNING, 817 "Received a data packet but call is not " 818 "established"); 819 goto fail; 820 } 821 822 if (hdr.s != 0) { 823 if (SEQ_LT(hdr.ns, call->rcv_nxt)) { 824 if (SEQ_LT(hdr.ns, 825 call->rcv_nxt - L2TP_CALL_DELAY_LIMIT)) { 826 /* sequence number seems to be delayed */ 827 /* XXX: need to log? */ 828 L2TP_CTRL_DBG((ctrl, LOG_DEBUG, 829 "receive a out of sequence " 830 "data packet: %u < %u.", 831 hdr.ns, call->rcv_nxt)); 832 return; 833 } 834 delayed = 1; 835 } else { 836 call->rcv_nxt = hdr.ns + 1; 837 } 838 } 839 840 l2tp_call_ppp_input(call, pkt, pktlen, delayed); 841 842 return; 843 } 844 if (hdr.s != 0) { 845 L2TP_CTRL_DBG((ctrl, DEBUG_LEVEL_2, 846 "RECV %s ns=%u nr=%u snd_nxt=%u snd_una=%u rcv_nxt=%u " 847 "len=%d", (is_ctrl)? "C" : "", hdr.ns, hdr.nr, 848 ctrl->snd_nxt, ctrl->snd_una, ctrl->rcv_nxt, pktlen)); 849 850 if (pktlen <= 0) 851 l2tp_ctrl_log(ctrl, LOG_INFO, "RecvZLB"); 852 853 if (SEQ_GT(hdr.nr, ctrl->snd_una)) { 854 /* a new ack arrived */ 855 if (SEQ_GT(hdr.nr, ctrl->snd_nxt)) { 856 /* ack is proceeded us */ 857 l2tp_ctrl_log(ctrl, LOG_INFO, 858 "Received message has bad Nr field: " 859 "%u < %u", ctrl->snd_nxt, hdr.nr); 860 goto fail; 861 } 862 ctrl->snd_una = hdr.nr; 863 /* peer window is moved. send out pending packets */ 864 l2tp_ctrl_resend_una_packets(ctrl, false); 865 } 866 if (l2tp_ctrl_txwin_size(ctrl) <= 0) { 867 /* no waiting ack */ 868 if (ctrl->hello_wait_ack != 0) { 869 /* 870 * Reset Hello state, as an ack for the Hello 871 * is received. 872 */ 873 ctrl->hello_wait_ack = 0; 874 ctrl->hello_io_time = curr_time; 875 } 876 switch (ctrl->state) { 877 case L2TP_CTRL_STATE_CLEANUP_WAIT: 878 l2tp_ctrl_stop(ctrl, 0); 879 return; 880 } 881 } 882 if (hdr.ns != ctrl->rcv_nxt) { 883 /* there are remaining packet */ 884 if (l2tp_ctrl_resend_una_packets(ctrl, true) <= 0) { 885 /* resend or sent ZLB */ 886 l2tp_ctrl_send_ZLB(ctrl); 887 } 888 #ifdef L2TP_CTRL_DEBUG 889 if (pktlen != 0) { /* not ZLB */ 890 L2TP_CTRL_DBG((ctrl, LOG_DEBUG, 891 "receive out of sequence %u must be %u. " 892 "mestype=%s", hdr.ns, ctrl->rcv_nxt, 893 avp_mes_type_string(mestype))); 894 } 895 #endif 896 return; 897 } 898 if (pktlen <= 0) 899 return; /* ZLB */ 900 901 if (!l2tp_ctrl_in_our_window(ctrl, hdr.ns)) { 902 l2tp_ctrl_log(ctrl, LOG_WARNING, 903 "received message is outside of window. " 904 "ns=%d window=%u:%u", 905 hdr.ns, ctrl->snd_lastnr, 906 (uint16_t)(ctrl->snd_lastnr + ctrl->winsz - 1)); 907 return; 908 } 909 910 ctrl->rcv_nxt++; 911 if (avp == NULL) { 912 l2tpd_log(_this, LOG_WARNING, 913 "bad control message: no message-type AVP."); 914 goto fail; 915 } 916 } 917 918 /* 919 * state machine (RFC2661 pp. 56-57) 920 */ 921 switch (ctrl->state) { 922 case L2TP_CTRL_STATE_IDLE: 923 switch (mestype) { 924 case L2TP_AVP_MESSAGE_TYPE_SCCRQ: 925 if (l2tp_ctrl_recv_SCCRQ(ctrl, pkt, pktlen, _this, 926 peer) == 0) { 927 /* acceptable */ 928 l2tp_ctrl_send_SCCRP(ctrl); 929 ctrl->state = L2TP_CTRL_STATE_WAIT_CTL_CONN; 930 return; 931 } 932 /* 933 * in case un-acceptable, it was already processed 934 * at l2tcp_ctrl_recv_SCCRQ 935 */ 936 return; 937 case L2TP_AVP_MESSAGE_TYPE_SCCRP: 938 /* 939 * RFC specifies that sent of StopCCN in the state, 940 * However as this implementation only support Passive 941 * open, this packet will not received. 942 */ 943 /* FALLTHROUGH */ 944 case L2TP_AVP_MESSAGE_TYPE_SCCCN: 945 default: 946 break; 947 } 948 goto fsm_fail; 949 950 case L2TP_CTRL_STATE_WAIT_CTL_CONN: 951 /* Wait-Ctl-Conn */ 952 switch (mestype) { 953 case L2TP_AVP_MESSAGE_TYPE_SCCCN: 954 l2tp_ctrl_log(ctrl, LOG_INFO, "RecvSCCN"); 955 if (l2tp_ctrl_send_ZLB(ctrl) == 0) { 956 ctrl->state = L2TP_CTRL_STATE_ESTABLISHED; 957 } 958 return; 959 case L2TP_AVP_MESSAGE_TYPE_StopCCN: 960 goto receive_stop_ccn; 961 case L2TP_AVP_MESSAGE_TYPE_SCCRQ: 962 case L2TP_AVP_MESSAGE_TYPE_SCCRP: 963 default: 964 break; 965 } 966 break; /* fsm_fail */ 967 case L2TP_CTRL_STATE_ESTABLISHED: 968 /* Established */ 969 switch (mestype) { 970 case L2TP_AVP_MESSAGE_TYPE_SCCCN: 971 case L2TP_AVP_MESSAGE_TYPE_SCCRQ: 972 case L2TP_AVP_MESSAGE_TYPE_SCCRP: 973 break; 974 receive_stop_ccn: 975 case L2TP_AVP_MESSAGE_TYPE_StopCCN: 976 l2tp_ctrl_recv_StopCCN(ctrl, pkt, pktlen); 977 l2tp_ctrl_send_ZLB(ctrl); 978 l2tp_ctrl_stop(ctrl, 0); 979 return; 980 981 case L2TP_AVP_MESSAGE_TYPE_HELLO: 982 l2tp_ctrl_send_ZLB(ctrl); 983 return; 984 case L2TP_AVP_MESSAGE_TYPE_CDN: 985 case L2TP_AVP_MESSAGE_TYPE_ICRP: 986 case L2TP_AVP_MESSAGE_TYPE_ICCN: 987 if (call == NULL) { 988 l2tp_ctrl_log(ctrl, LOG_INFO, 989 "Unknown call message: %s", 990 avp_mes_type_string(mestype)); 991 goto fail; 992 } 993 /* FALLTHROUGH */ 994 case L2TP_AVP_MESSAGE_TYPE_ICRQ: 995 l2tp_call_recv_packet(ctrl, call, mestype, pkt, 996 pktlen); 997 return; 998 default: 999 break; 1000 } 1001 break; /* fsm_fail */ 1002 case L2TP_CTRL_STATE_CLEANUP_WAIT: 1003 if (mestype == L2TP_AVP_MESSAGE_TYPE_StopCCN) { 1004 /* 1005 * We left ESTABLISHED state, but the peer sent StopCCN. 1006 */ 1007 goto receive_stop_ccn; 1008 } 1009 break; /* fsm_fail */ 1010 } 1011 1012 fsm_fail: 1013 /* state machine error */ 1014 l2tp_ctrl_log(ctrl, LOG_WARNING, "Received %s in '%s' state", 1015 avp_mes_type_string(mestype), l2tp_ctrl_state_string(ctrl)); 1016 l2tp_ctrl_stop(ctrl, L2TP_STOP_CCN_RCODE_FSM_ERROR); 1017 1018 return; 1019 fail: 1020 if (ctrl != NULL && mestype != 0) { 1021 l2tp_ctrl_log(ctrl, LOG_WARNING, "Received %s in '%s' state", 1022 avp_mes_type_string(mestype), l2tp_ctrl_state_string(ctrl)); 1023 l2tp_ctrl_stop(ctrl, L2TP_STOP_CCN_RCODE_GENERAL_ERROR); 1024 } 1025 return; 1026 1027 bad_packet: 1028 l2tpd_log(_this, LOG_INFO, "Received from=%s: %s", 1029 addrport_tostring(peer, peer->sa_len, hbuf, sizeof(hbuf)), errmsg); 1030 1031 return; 1032 } 1033 1034 static int 1035 l2tp_ctrl_txwin_size(l2tp_ctrl *_this) 1036 { 1037 uint16_t sz; 1038 1039 sz = _this->snd_nxt - _this->snd_una; 1040 1041 L2TP_CTRL_ASSERT(sz <= _this->buffercnt); 1042 1043 return sz; 1044 } 1045 1046 static bool 1047 l2tp_ctrl_txwin_is_full(l2tp_ctrl *_this) 1048 { 1049 return (l2tp_ctrl_txwin_size(_this) >= _this->snd_buffercnt)? 1 : 0; 1050 } 1051 1052 static bool 1053 l2tp_ctrl_in_peer_window(l2tp_ctrl *_this, uint16_t seq) 1054 { 1055 uint16_t off; 1056 int winsz; 1057 1058 winsz = MINIMUM(_this->winsz, _this->peer_winsz); 1059 off = seq - _this->snd_una; 1060 1061 return ((off < winsz)? true : false); 1062 } 1063 1064 static bool 1065 l2tp_ctrl_in_our_window(l2tp_ctrl *_this, uint16_t seq) 1066 { 1067 uint16_t off; 1068 1069 off = seq - _this->snd_lastnr; 1070 1071 return ((off < _this->winsz)? true : false); 1072 } 1073 /* send control packet */ 1074 int 1075 l2tp_ctrl_send_packet(l2tp_ctrl *_this, int call_id, bytebuffer *bytebuf) 1076 { 1077 struct l2tp_header *hdr; 1078 int rval; 1079 time_t curr_time; 1080 uint16_t seq; 1081 1082 curr_time = get_monosec(); 1083 1084 bytebuffer_flip(bytebuf); 1085 hdr = (struct l2tp_header *)bytebuffer_pointer(bytebuf); 1086 memset(hdr, 0, sizeof(*hdr)); 1087 1088 hdr->t = 1; 1089 hdr->ver = L2TP_HEADER_VERSION_RFC2661; 1090 hdr->l = 1; 1091 hdr->length = htons(bytebuffer_remaining(bytebuf)); 1092 hdr->tunnel_id = htons(_this->peer_tunnel_id); 1093 hdr->session_id = htons(call_id); 1094 1095 hdr->s = 1; 1096 seq = _this->snd_nxt; 1097 hdr->ns = htons(seq); 1098 hdr->nr = htons(_this->rcv_nxt); 1099 1100 if (bytebuffer_remaining(bytebuf) > sizeof(struct l2tp_header)) 1101 /* Not ZLB */ 1102 _this->snd_nxt++; 1103 1104 if (!l2tp_ctrl_in_peer_window(_this, seq)) 1105 return (0); 1106 1107 L2TP_CTRL_DBG((_this, DEBUG_LEVEL_2, 1108 "SEND C ns=%u nr=%u snd_nxt=%u snd_una=%u rcv_nxt=%u ", 1109 ntohs(hdr->ns), htons(hdr->nr), 1110 _this->snd_nxt, _this->snd_una, _this->rcv_nxt)); 1111 1112 if (L2TP_CTRL_CONF(_this)->ctrl_out_pktdump != 0) { 1113 l2tpd_log(_this->l2tpd, LOG_DEBUG, 1114 "L2TP Control output packet dump"); 1115 show_hd(debug_get_debugfp(), bytebuffer_pointer(bytebuf), 1116 bytebuffer_remaining(bytebuf)); 1117 } 1118 1119 if ((rval = l2tp_ctrl_send(_this, bytebuffer_pointer(bytebuf), 1120 bytebuffer_remaining(bytebuf))) < 0) { 1121 L2TP_CTRL_DBG((_this, LOG_DEBUG, "sendto() failed: %m")); 1122 } 1123 1124 _this->snd_lastnr = _this->rcv_nxt; 1125 _this->last_snd_ctrl = curr_time; 1126 _this->snd_last = seq; 1127 1128 return (rval == bytebuffer_remaining(bytebuf))? 0 : 1; 1129 } 1130 1131 /* 1132 * receiver SCCRQ 1133 */ 1134 static int 1135 l2tp_ctrl_recv_SCCRQ(l2tp_ctrl *_this, u_char *pkt, int pktlen, l2tpd *_l2tpd, 1136 struct sockaddr *peer) 1137 { 1138 int avpsz, len, protover, protorev, firmrev, result; 1139 struct l2tp_avp *avp; 1140 char host[NI_MAXHOST], serv[NI_MAXSERV]; 1141 char buf[L2TP_AVP_MAXSIZ], emes[256], hostname[256], vendorname[256]; 1142 1143 result = L2TP_STOP_CCN_RCODE_GENERAL_ERROR; 1144 strlcpy(hostname, "(no hostname)", sizeof(hostname)); 1145 strlcpy(vendorname, "(no vendorname)", sizeof(vendorname)); 1146 1147 _this->peer_winsz = 4; /* default is 4 in RFC 2661 */ 1148 firmrev = 0; 1149 protover = 0; 1150 protorev = 0; 1151 avp = (struct l2tp_avp *)buf; 1152 while (pktlen >= 6 && (avpsz = avp_enum(avp, pkt, pktlen, 1)) > 0) { 1153 pkt += avpsz; 1154 pktlen -= avpsz; 1155 if (avp->vendor_id != 0) { 1156 L2TP_CTRL_DBG((_this, LOG_DEBUG, 1157 "Received a Vendor-specific AVP vendor-id=%d " 1158 "type=%d", avp->vendor_id, avp->attr_type)); 1159 continue; 1160 } 1161 switch (avp->attr_type) { 1162 case L2TP_AVP_TYPE_MESSAGE_TYPE: 1163 AVP_SIZE_CHECK(avp, ==, 8); 1164 continue; 1165 case L2TP_AVP_TYPE_PROTOCOL_VERSION: 1166 AVP_SIZE_CHECK(avp, ==, 8); 1167 protover = avp->attr_value[0]; 1168 protorev = avp->attr_value[1]; 1169 1170 if (protover != L2TP_RFC2661_VERSION || 1171 protorev != L2TP_RFC2661_REVISION) { 1172 result = L2TP_STOP_CCN_RCODE_GENERAL_ERROR; 1173 snprintf(emes, sizeof(emes), 1174 "Peer's protocol version is not supported:" 1175 " %d.%d", protover, protorev); 1176 goto not_acceptable; 1177 } 1178 continue; 1179 case L2TP_AVP_TYPE_FRAMING_CAPABILITIES: 1180 AVP_SIZE_CHECK(avp, ==, 10); 1181 if ((avp_get_val32(avp) & L2TP_FRAMING_CAP_FLAGS_SYNC) 1182 == 0) { 1183 L2TP_CTRL_DBG((_this, LOG_DEBUG, "Peer doesn't " 1184 "support synchronous framing")); 1185 } 1186 continue; 1187 case L2TP_AVP_TYPE_BEARER_CAPABILITIES: 1188 AVP_SIZE_CHECK(avp, ==, 10); 1189 continue; 1190 case L2TP_AVP_TYPE_TIE_BREAKER: 1191 AVP_SIZE_CHECK(avp, ==, 14); 1192 /* 1193 * As the implementation never send SCCRQ, 1194 * the peer is always winner 1195 */ 1196 continue; 1197 case L2TP_AVP_TYPE_FIRMWARE_REVISION: 1198 AVP_SIZE_CHECK(avp, >=, 6); 1199 firmrev = avp_get_val16(avp); 1200 continue; 1201 case L2TP_AVP_TYPE_HOST_NAME: 1202 AVP_SIZE_CHECK(avp, >, 4); 1203 len = MINIMUM(sizeof(hostname) - 1, avp->length - 6); 1204 memcpy(hostname, avp->attr_value, len); 1205 hostname[len] = '\0'; 1206 continue; 1207 case L2TP_AVP_TYPE_VENDOR_NAME: 1208 AVP_SIZE_CHECK(avp, >, 4); 1209 len = MINIMUM(sizeof(vendorname) - 1, avp->length - 6); 1210 memcpy(vendorname, avp->attr_value, len); 1211 vendorname[len] = '\0'; 1212 continue; 1213 case L2TP_AVP_TYPE_ASSINGED_TUNNEL_ID: 1214 AVP_SIZE_CHECK(avp, ==, 8); 1215 _this->peer_tunnel_id = avp_get_val16(avp); 1216 continue; 1217 case L2TP_AVP_TYPE_RECV_WINDOW_SIZE: 1218 AVP_SIZE_CHECK(avp, ==, 8); 1219 _this->peer_winsz = avp_get_val16(avp); 1220 continue; 1221 } 1222 if (avp->is_mandatory) { 1223 l2tp_ctrl_log(_this, LOG_WARNING, 1224 "Received AVP (%s/%d) is not supported, but it's " 1225 "mandatory", avp_attr_type_string(avp->attr_type), 1226 avp->attr_type); 1227 #ifdef L2TP_CTRL_DEBUG 1228 } else { 1229 L2TP_CTRL_DBG((_this, LOG_DEBUG, 1230 "AVP (%s/%d) is not handled", 1231 avp_attr_type_string(avp->attr_type), 1232 avp->attr_type)); 1233 #endif 1234 } 1235 } 1236 if (getnameinfo((struct sockaddr *)&_this->peer, _this->peer.ss_len, 1237 host, sizeof(host), serv, sizeof(serv), 1238 NI_NUMERICHOST | NI_NUMERICSERV | NI_DGRAM) != 0) { 1239 l2tp_ctrl_log(_this, LOG_ERR, 1240 "getnameinfo() failed at %s(): %m", __func__); 1241 strlcpy(host, "error", sizeof(host)); 1242 strlcpy(serv, "error", sizeof(serv)); 1243 } 1244 l2tp_ctrl_log(_this, LOG_NOTICE, "logtype=Started RecvSCCRQ " 1245 "from=%s:%s/udp tunnel_id=%u/%u protocol=%d.%d winsize=%d " 1246 "hostname=%s vendor=%s firm=%04X", host, serv, _this->tunnel_id, 1247 _this->peer_tunnel_id, protover, protorev, _this->peer_winsz, 1248 hostname, vendorname, firmrev); 1249 1250 if (_this->peer_winsz == 0) 1251 _this->peer_winsz = 1; 1252 1253 return 0; 1254 not_acceptable: 1255 size_check_failed: 1256 l2tp_ctrl_log(_this, LOG_ERR, "Received bad SCCRQ: %s", emes); 1257 l2tp_ctrl_stop(_this, result); 1258 1259 return 1; 1260 } 1261 1262 /* 1263 * send StopCCN 1264 */ 1265 static int 1266 l2tp_ctrl_send_StopCCN(l2tp_ctrl *_this, int result) 1267 { 1268 struct l2tp_avp *avp; 1269 char buf[L2TP_AVP_MAXSIZ]; 1270 bytebuffer *bytebuf; 1271 1272 if ((bytebuf = l2tp_ctrl_prepare_snd_buffer(_this, 1)) == NULL) { 1273 l2tp_ctrl_log(_this, LOG_ERR, 1274 "sending StopCCN failed: no buffer."); 1275 return -1; 1276 } 1277 avp = (struct l2tp_avp *)buf; 1278 1279 /* Message Type = StopCCN */ 1280 memset(avp, 0, sizeof(*avp)); 1281 avp->is_mandatory = 1; 1282 avp->attr_type = L2TP_AVP_TYPE_MESSAGE_TYPE; 1283 avp_set_val16(avp, L2TP_AVP_MESSAGE_TYPE_StopCCN); 1284 bytebuf_add_avp(bytebuf, avp, 2); 1285 1286 /* Assigned Tunnel Id */ 1287 memset(avp, 0, sizeof(*avp)); 1288 avp->is_mandatory = 1; 1289 avp->attr_type = L2TP_AVP_TYPE_ASSINGED_TUNNEL_ID; 1290 avp_set_val16(avp, _this->tunnel_id); 1291 bytebuf_add_avp(bytebuf, avp, 2); 1292 1293 /* Result Code */ 1294 memset(avp, 0, sizeof(*avp)); 1295 avp->is_mandatory = 1; 1296 avp->attr_type = L2TP_AVP_TYPE_RESULT_CODE; 1297 avp_set_val16(avp, result); 1298 bytebuf_add_avp(bytebuf, avp, 2); 1299 1300 if (l2tp_ctrl_send_packet(_this, 0, bytebuf) != 0) { 1301 l2tp_ctrl_log(_this, LOG_ERR, "sending StopCCN failed"); 1302 return - 1; 1303 } 1304 l2tp_ctrl_log(_this, LOG_INFO, "SendStopCCN result=%d", result); 1305 1306 return 0; 1307 } 1308 1309 /* 1310 * Receiver StopCCN 1311 */ 1312 static int 1313 l2tp_ctrl_recv_StopCCN(l2tp_ctrl *_this, u_char *pkt, int pktlen) 1314 { 1315 int result, error, avpsz, len; 1316 uint16_t tunid; 1317 struct l2tp_avp *avp; 1318 char buf[L2TP_AVP_MAXSIZ + 16], emes[256], pmes[256]; 1319 1320 result = 0; 1321 error = 0; 1322 tunid = 0; 1323 pmes[0] = '\0'; 1324 avp = (struct l2tp_avp *)buf; 1325 while (pktlen >= 6 && (avpsz = avp_enum(avp, pkt, pktlen, 1)) > 0) { 1326 pkt += avpsz; 1327 pktlen -= avpsz; 1328 if (avp->vendor_id != 0) { 1329 L2TP_CTRL_DBG((_this, LOG_DEBUG, 1330 "Received a Vendor-specific AVP vendor-id=%d " 1331 "type=%d", avp->vendor_id, avp->attr_type)); 1332 continue; 1333 } 1334 if (avp->is_hidden != 0) { 1335 l2tp_ctrl_log(_this, LOG_WARNING, 1336 "Received AVP (%s/%d) is hidden. But we don't " 1337 "share secret.", 1338 avp_attr_type_string(avp->attr_type), 1339 avp->attr_type); 1340 if (avp->is_mandatory != 0) { 1341 l2tp_ctrl_stop(_this, 1342 L2TP_STOP_CCN_RCODE_GENERAL_ERROR | 1343 L2TP_ECODE_UNKNOWN_MANDATORY_AVP); 1344 return 1; 1345 } 1346 continue; 1347 } 1348 switch (avp->attr_type) { 1349 case L2TP_AVP_TYPE_MESSAGE_TYPE: 1350 AVP_SIZE_CHECK(avp, ==, 8); 1351 continue; 1352 case L2TP_AVP_TYPE_RESULT_CODE: 1353 AVP_SIZE_CHECK(avp, >=, 8); 1354 result = avp->attr_value[0] << 8 | avp->attr_value[1]; 1355 if (avp->length >= 10) { 1356 error = avp->attr_value[2] << 8 | 1357 avp->attr_value[3]; 1358 len = avp->length - 12; 1359 if (len > 0) { 1360 len = MINIMUM(len, sizeof(pmes) - 1); 1361 memcpy(pmes, &avp->attr_value[4], len); 1362 pmes[len] = '\0'; 1363 } 1364 } 1365 continue; 1366 case L2TP_AVP_TYPE_ASSINGED_TUNNEL_ID: 1367 AVP_SIZE_CHECK(avp, ==, 8); 1368 tunid = avp_get_val16(avp); 1369 continue; 1370 default: 1371 if (avp->is_mandatory != 0) { 1372 l2tp_ctrl_log(_this, LOG_WARNING, 1373 "Received AVP (%s/%d) is not supported, " 1374 "but it's mandatory", 1375 avp_attr_type_string(avp->attr_type), 1376 avp->attr_type); 1377 #ifdef L2TP_CTRL_DEBUG 1378 } else { 1379 L2TP_CTRL_DBG((_this, LOG_DEBUG, 1380 "AVP (%s/%d) is not handled", 1381 avp_attr_type_string(avp->attr_type), 1382 avp->attr_type)); 1383 #endif 1384 } 1385 } 1386 } 1387 1388 if (result == L2TP_CDN_RCODE_ERROR_CODE && 1389 error == L2TP_ECODE_NO_RESOURCE) { 1390 /* 1391 * Memo: 1392 * This state may be happen in following state. 1393 * - lots of connect/disconnect by long-running 1394 * windows2000, sometimes it fall to this state. 1395 * Once it fall to here, connection will fail till 1396 * the windows rebooted 1397 */ 1398 l2tp_ctrl_log(_this, LOG_WARNING, 1399 "Peer indicates \"No Resource\" error."); 1400 } 1401 1402 l2tp_ctrl_log(_this, LOG_INFO, "RecvStopCCN result=%s/%u " 1403 "error=%s/%u tunnel_id=%u message=\"%s\"", 1404 l2tp_stopccn_rcode_string(result), result, 1405 l2tp_ecode_string(error), error, tunid, pmes); 1406 1407 return 0; 1408 1409 size_check_failed: 1410 l2tp_ctrl_log(_this, LOG_ERR, "Received bad StopCCN: %s", emes); 1411 1412 return -1; 1413 } 1414 1415 /* 1416 * send SCCRP 1417 */ 1418 static void 1419 l2tp_ctrl_send_SCCRP(l2tp_ctrl *_this) 1420 { 1421 int len; 1422 struct l2tp_avp *avp; 1423 char buf[L2TP_AVP_MAXSIZ], hbuf[HOST_NAME_MAX+1]; 1424 const char *val; 1425 bytebuffer *bytebuf; 1426 1427 if ((bytebuf = l2tp_ctrl_prepare_snd_buffer(_this, 1)) == NULL) { 1428 l2tp_ctrl_log(_this, LOG_ERR, 1429 "sending SCCRP failed: no buffer."); 1430 return; 1431 } 1432 avp = (struct l2tp_avp *)buf; 1433 1434 /* Message Type = SCCRP */ 1435 memset(avp, 0, sizeof(*avp)); 1436 avp->is_mandatory = 1; 1437 avp->attr_type = L2TP_AVP_TYPE_MESSAGE_TYPE; 1438 avp_set_val16(avp, L2TP_AVP_MESSAGE_TYPE_SCCRP); 1439 bytebuf_add_avp(bytebuf, avp, 2); 1440 1441 /* Protocol Version = 1.0 */ 1442 memset(avp, 0, sizeof(*avp)); 1443 avp->is_mandatory = 1; 1444 avp->attr_type = L2TP_AVP_TYPE_PROTOCOL_VERSION; 1445 avp->attr_value[0] = L2TP_RFC2661_VERSION; 1446 avp->attr_value[1] = L2TP_RFC2661_REVISION; 1447 bytebuf_add_avp(bytebuf, avp, 2); 1448 1449 /* Framing Capability = Async */ 1450 memset(avp, 0, sizeof(*avp)); 1451 avp->is_mandatory = 1; 1452 avp->attr_type = L2TP_AVP_TYPE_FRAMING_CAPABILITIES; 1453 avp_set_val32(avp, L2TP_FRAMING_CAP_FLAGS_SYNC); 1454 bytebuf_add_avp(bytebuf, avp, 4); 1455 1456 /* Host Name */ 1457 memset(avp, 0, sizeof(*avp)); 1458 avp->is_mandatory = 1; 1459 avp->attr_type = L2TP_AVP_TYPE_HOST_NAME; 1460 if ((val = L2TP_CTRL_CONF(_this)->hostname) == NULL) { 1461 gethostname(hbuf, sizeof(hbuf)); 1462 val = hbuf; 1463 } 1464 len = strlen(val); 1465 memcpy(avp->attr_value, val, len); 1466 bytebuf_add_avp(bytebuf, avp, len); 1467 1468 /* Assigned Tunnel Id */ 1469 memset(avp, 0, sizeof(*avp)); 1470 avp->is_mandatory = 1; 1471 avp->attr_type = L2TP_AVP_TYPE_ASSINGED_TUNNEL_ID; 1472 avp_set_val16(avp, _this->tunnel_id); 1473 bytebuf_add_avp(bytebuf, avp, 2); 1474 1475 /* Bearer Capability 1476 * This implementation never act as LAC. 1477 * 1478 memset(avp, 0, sizeof(*avp)); 1479 avp->is_mandatory = 1; 1480 avp->attr_type = L2TP_AVP_TYPE_BEARER_CAPABILITIES; 1481 avp_set_val32(avp, 0); 1482 bytebuf_add_avp(bytebuf, avp, 4); 1483 */ 1484 1485 /* Firmware Revision */ 1486 memset(avp, 0, sizeof(*avp)); 1487 avp->is_mandatory = 0; 1488 avp->attr_type = L2TP_AVP_TYPE_FIRMWARE_REVISION; 1489 avp->attr_value[0] = MAJOR_VERSION; 1490 avp->attr_value[1] = MINOR_VERSION; 1491 bytebuf_add_avp(bytebuf, avp, 2); 1492 1493 /* Vendor Name */ 1494 if ((val = L2TP_CTRL_CONF(_this)->vendor_name) != NULL) { 1495 memset(avp, 0, sizeof(*avp)); 1496 avp->is_mandatory = 0; 1497 avp->attr_type = L2TP_AVP_TYPE_VENDOR_NAME; 1498 1499 len = strlen(val); 1500 memcpy(avp->attr_value, val, len); 1501 bytebuf_add_avp(bytebuf, avp, len); 1502 } 1503 1504 /* Window Size */ 1505 memset(avp, 0, sizeof(*avp)); 1506 avp->is_mandatory = 1; 1507 avp->attr_type = L2TP_AVP_TYPE_RECV_WINDOW_SIZE; 1508 avp_set_val16(avp, _this->winsz); 1509 bytebuf_add_avp(bytebuf, avp, 2); 1510 1511 if ((l2tp_ctrl_send_packet(_this, 0, bytebuf)) != 0) { 1512 l2tp_ctrl_log(_this, LOG_ERR, "sending SCCRP failed"); 1513 l2tp_ctrl_stop(_this, L2TP_STOP_CCN_RCODE_GENERAL); 1514 return; 1515 } 1516 l2tp_ctrl_log(_this, LOG_INFO, "SendSCCRP"); 1517 } 1518 1519 static int 1520 l2tp_ctrl_send_HELLO(l2tp_ctrl *_this) 1521 { 1522 struct l2tp_avp *avp; 1523 char buf[L2TP_AVP_MAXSIZ]; 1524 bytebuffer *bytebuf; 1525 1526 if ((bytebuf = l2tp_ctrl_prepare_snd_buffer(_this, 1)) == NULL) { 1527 l2tp_ctrl_log(_this, LOG_ERR, 1528 "sending HELLO failed: no buffer."); 1529 return 1; 1530 } 1531 avp = (struct l2tp_avp *)buf; 1532 1533 /* Message Type = HELLO */ 1534 memset(avp, 0, sizeof(*avp)); 1535 avp->is_mandatory = 1; 1536 avp->attr_type = L2TP_AVP_TYPE_MESSAGE_TYPE; 1537 avp_set_val16(avp, L2TP_AVP_MESSAGE_TYPE_HELLO); 1538 bytebuf_add_avp(bytebuf, avp, 2); 1539 1540 if ((l2tp_ctrl_send_packet(_this, 0, bytebuf)) != 0) { 1541 l2tp_ctrl_log(_this, LOG_ERR, "sending HELLO failed"); 1542 l2tp_ctrl_stop(_this, L2TP_STOP_CCN_RCODE_GENERAL); 1543 return 1; 1544 } 1545 l2tp_ctrl_log(_this, LOG_DEBUG, "SendHELLO"); 1546 1547 return 0; 1548 } 1549 1550 /* Send ZLB */ 1551 static int 1552 l2tp_ctrl_send_ZLB(l2tp_ctrl *_this) 1553 { 1554 int loglevel; 1555 1556 loglevel = (_this->state == L2TP_CTRL_STATE_ESTABLISHED) 1557 ? LOG_DEBUG : LOG_INFO; 1558 l2tp_ctrl_log(_this, loglevel, "SendZLB"); 1559 bytebuffer_clear(_this->zlb_buffer); 1560 bytebuffer_put(_this->zlb_buffer, BYTEBUFFER_PUT_DIRECT, 1561 sizeof(struct l2tp_header)); 1562 1563 return l2tp_ctrl_send_packet(_this, 0, _this->zlb_buffer); 1564 } 1565 1566 /* 1567 * Utitlity 1568 */ 1569 1570 /** 1571 * Prepare send buffer 1572 * @return return Null when the send buffer exceed Window. 1573 */ 1574 bytebuffer * 1575 l2tp_ctrl_prepare_snd_buffer(l2tp_ctrl *_this, int with_seq) 1576 { 1577 bytebuffer *bytebuf; 1578 1579 L2TP_CTRL_ASSERT(_this != NULL); 1580 1581 if (l2tp_ctrl_txwin_is_full(_this)) { 1582 l2tp_ctrl_log(_this, LOG_INFO, "sending buffer is full."); 1583 return NULL; 1584 } 1585 bytebuf = _this->snd_buffers[_this->snd_nxt % _this->snd_buffercnt]; 1586 bytebuffer_clear(bytebuf); 1587 if (with_seq) 1588 bytebuffer_put(bytebuf, BYTEBUFFER_PUT_DIRECT, 1589 sizeof(struct l2tp_header)); 1590 else 1591 bytebuffer_put(bytebuf, BYTEBUFFER_PUT_DIRECT, 1592 offsetof(struct l2tp_header, ns)); 1593 1594 return bytebuf; 1595 } 1596 1597 /** 1598 * return current state as strings 1599 */ 1600 static inline const char * 1601 l2tp_ctrl_state_string(l2tp_ctrl *_this) 1602 { 1603 switch (_this->state) { 1604 case L2TP_CTRL_STATE_IDLE: return "idle"; 1605 case L2TP_CTRL_STATE_WAIT_CTL_CONN: return "wait-ctl-conn"; 1606 case L2TP_CTRL_STATE_WAIT_CTL_REPLY: return "wait-ctl-reply"; 1607 case L2TP_CTRL_STATE_ESTABLISHED: return "established"; 1608 case L2TP_CTRL_STATE_CLEANUP_WAIT: return "cleanup-wait"; 1609 } 1610 return "unknown"; 1611 } 1612 1613 /* logging with the label of the l2tp instance. */ 1614 void 1615 l2tp_ctrl_log(l2tp_ctrl *_this, int prio, const char *fmt, ...) 1616 { 1617 char logbuf[BUFSIZ]; 1618 va_list ap; 1619 1620 va_start(ap, fmt); 1621 #ifdef L2TPD_MULTIPLE 1622 snprintf(logbuf, sizeof(logbuf), "l2tpd id=%u ctrl=%u %s", 1623 _this->l2tpd->id, _this->id, fmt); 1624 #else 1625 snprintf(logbuf, sizeof(logbuf), "l2tpd ctrl=%u %s", _this->id, fmt); 1626 #endif 1627 vlog_printf(prio, logbuf, ap); 1628 va_end(ap); 1629 } 1630