1 /* $OpenBSD: l2tp_ctrl.c,v 1.24 2020/06/09 02:39:27 yasuoka Exp $ */ 2 3 /*- 4 * Copyright (c) 2009 Internet Initiative Japan Inc. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 /**@file Control connection processing functions for L2TP LNS */ 29 /* $Id: l2tp_ctrl.c,v 1.24 2020/06/09 02:39:27 yasuoka Exp $ */ 30 #include <sys/types.h> 31 #include <sys/time.h> 32 #include <sys/socket.h> 33 #include <netinet/in.h> 34 #include <net/if.h> 35 #include <arpa/inet.h> 36 #include <endian.h> 37 #include <errno.h> 38 #include <event.h> 39 #include <netdb.h> 40 #include <stdarg.h> 41 #include <stddef.h> 42 #include <stdio.h> 43 #include <stdlib.h> 44 #include <string.h> 45 #include <syslog.h> 46 #include <time.h> 47 #include <unistd.h> 48 #include <limits.h> 49 50 #ifdef USE_LIBSOCKUTIL 51 #include <seil/sockfromto.h> 52 #endif 53 54 #include "time_utils.h" 55 #include "ipsec_util.h" 56 #include "bytebuf.h" 57 #include "hash.h" 58 #include "debugutil.h" 59 #include "slist.h" 60 #include "l2tp.h" 61 #include "l2tp_local.h" 62 #include "l2tp_subr.h" 63 #include "net_utils.h" 64 #include "version.h" 65 #include "recvfromto.h" 66 67 #define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) 68 69 static int l2tp_ctrl_init(l2tp_ctrl *, l2tpd *, struct sockaddr *, struct sockaddr *, void *); 70 static void l2tp_ctrl_reload(l2tp_ctrl *); 71 static int l2tp_ctrl_send_disconnect_notify(l2tp_ctrl *); 72 #if 0 73 static void l2tp_ctrl_purge_ipsec_sa(l2tp_ctrl *); 74 #endif 75 static void l2tp_ctrl_timeout(int, short, void *); 76 static int l2tp_ctrl_resend_una_packets(l2tp_ctrl *, bool); 77 static void l2tp_ctrl_destroy_all_calls(l2tp_ctrl *); 78 static int l2tp_ctrl_disconnect_all_calls(l2tp_ctrl *, int); 79 static void l2tp_ctrl_reset_timeout(l2tp_ctrl *); 80 static int l2tp_ctrl_txwin_size(l2tp_ctrl *); 81 static bool l2tp_ctrl_txwin_is_full(l2tp_ctrl *); 82 static bool l2tp_ctrl_in_peer_window(l2tp_ctrl *, uint16_t); 83 static bool l2tp_ctrl_in_our_window(l2tp_ctrl *, uint16_t); 84 static int l2tp_ctrl_recv_SCCRQ(l2tp_ctrl *, u_char *, int, l2tpd *, struct sockaddr *); 85 static int l2tp_ctrl_send_StopCCN(l2tp_ctrl *, int); 86 static int l2tp_ctrl_recv_StopCCN(l2tp_ctrl *, u_char *, int); 87 static void l2tp_ctrl_send_SCCRP(l2tp_ctrl *); 88 static int l2tp_ctrl_send_HELLO(l2tp_ctrl *); 89 static int l2tp_ctrl_send_ZLB(l2tp_ctrl *); 90 static const char *l2tp_ctrl_state_string(l2tp_ctrl *); 91 92 #ifdef L2TP_CTRL_DEBUG 93 #define L2TP_CTRL_ASSERT(x) ASSERT(x) 94 #define L2TP_CTRL_DBG(x) l2tp_ctrl_log x 95 #else 96 #define L2TP_CTRL_ASSERT(x) 97 #define L2TP_CTRL_DBG(x) 98 #endif 99 100 /* Sequence # of l2tp_ctrl ID */ 101 static u_int l2tp_ctrl_id_seq = 0; 102 103 #define SEQ_LT(a,b) ((int16_t)((a) - (b)) < 0) 104 #define SEQ_GT(a,b) ((int16_t)((a) - (b)) > 0) 105 106 /** 107 * Build instance of {@link ::_l2tp_ctrl L2TP LNS control connection} 108 */ 109 l2tp_ctrl * 110 l2tp_ctrl_create(void) 111 { 112 113 return calloc(1, sizeof(l2tp_ctrl)); 114 } 115 116 /** 117 * initialize and startup of {@link ::_l2tp_ctrl L2TP LNS control connection} 118 * instance 119 */ 120 static int 121 l2tp_ctrl_init(l2tp_ctrl *_this, l2tpd *_l2tpd, struct sockaddr *peer, 122 struct sockaddr *sock, void *nat_t_ctx) 123 { 124 int tunid, i; 125 bytebuffer *bytebuf; 126 time_t curr_time; 127 128 memset(_this, 0, sizeof(l2tp_ctrl)); 129 130 curr_time = get_monosec(); 131 _this->l2tpd = _l2tpd; 132 _this->state = L2TP_CTRL_STATE_IDLE; 133 _this->last_snd_ctrl = curr_time; 134 135 slist_init(&_this->call_list); 136 137 /* seek a free tunnel ID */ 138 i = 0; 139 _this->id = ++l2tp_ctrl_id_seq; 140 for (i = 0, tunid = _this->id; ; i++, tunid++) { 141 tunid &= 0xffff; 142 _this->tunnel_id = l2tp_ctrl_id_seq & 0xffff; 143 if (tunid == 0) 144 continue; 145 if (l2tpd_get_ctrl(_l2tpd, tunid) == NULL) 146 break; 147 if (i > 80000) { 148 /* this must be happen, just log it. */ 149 l2tpd_log(_l2tpd, LOG_ERR, "Too many l2tp controls"); 150 return -1; 151 } 152 } 153 154 _this->tunnel_id = tunid; 155 156 L2TP_CTRL_ASSERT(peer != NULL); 157 L2TP_CTRL_ASSERT(sock != NULL); 158 memcpy(&_this->peer, peer, peer->sa_len); 159 memcpy(&_this->sock, sock, sock->sa_len); 160 161 /* prepare send buffer */ 162 _this->winsz = L2TPD_DEFAULT_SEND_WINSZ; 163 /* 164 * _this->winsz is informed as our receive window size. Also 165 * MIN(_this->winsz, _this->peer_winsiz) is used for the size of 166 * transmit side window. We need winsz * 2 sized buffer so that a 167 * stingy client can fill both of window separately. 168 */ 169 _this->snd_buffercnt = _this->winsz * 2; 170 if ((_this->snd_buffers = calloc(_this->snd_buffercnt, 171 sizeof(bytebuffer *))) == NULL) { 172 l2tpd_log(_l2tpd, LOG_ERR, 173 "calloc() failed in %s(): %m", __func__); 174 goto fail; 175 } 176 for (i = 0; i < _this->snd_buffercnt; i++) { 177 if ((bytebuf = bytebuffer_create(L2TPD_SND_BUFSIZ)) == NULL) { 178 l2tpd_log(_l2tpd, LOG_ERR, 179 "bytebuffer_create() failed in %s(): %m", __func__); 180 goto fail; 181 } 182 _this->snd_buffers[i] = bytebuf; 183 } 184 if ((_this->zlb_buffer = bytebuffer_create(sizeof(struct l2tp_header) 185 + 128)) == NULL) { 186 l2tpd_log(_l2tpd, LOG_ERR, 187 "bytebuffer_create() failed in %s(): %m", __func__); 188 goto fail; 189 } 190 #if defined(USE_LIBSOCKUTIL) || defined(USE_SA_COOKIE) 191 if (nat_t_ctx != NULL) { 192 if ((_this->sa_cookie = malloc( 193 sizeof(struct in_ipsec_sa_cookie))) != NULL) { 194 *(struct in_ipsec_sa_cookie *)_this->sa_cookie = 195 *(struct in_ipsec_sa_cookie *)nat_t_ctx; 196 } else { 197 l2tpd_log(_l2tpd, LOG_ERR, 198 "creating sa_cookie failed: %m"); 199 goto fail; 200 } 201 } 202 #endif 203 _this->hello_interval = L2TP_CTRL_DEFAULT_HELLO_INTERVAL; 204 _this->hello_timeout = L2TP_CTRL_DEFAULT_HELLO_TIMEOUT; 205 _this->hello_io_time = curr_time; 206 207 /* initialize timeout timer */ 208 l2tp_ctrl_reset_timeout(_this); 209 210 /* register l2tp context */ 211 l2tpd_add_ctrl(_l2tpd, _this); 212 return 0; 213 fail: 214 l2tp_ctrl_stop(_this, 0); 215 return -1; 216 } 217 218 /* 219 * setup {@link ::_l2tp_ctrl L2TP LNS control connection} instance 220 */ 221 static void 222 l2tp_ctrl_reload(l2tp_ctrl *_this) 223 { 224 _this->data_use_seq = L2TP_CTRL_CONF(_this)->data_use_seq; 225 if (L2TP_CTRL_CONF(_this)->hello_interval != 0) 226 _this->hello_interval = L2TP_CTRL_CONF(_this)->hello_interval; 227 if (L2TP_CTRL_CONF(_this)->hello_timeout != 0) 228 _this->hello_timeout = L2TP_CTRL_CONF(_this)->hello_timeout; 229 } 230 231 /* 232 * free {@link ::_l2tp_ctrl L2TP LNS control connection} instance 233 */ 234 void 235 l2tp_ctrl_destroy(l2tp_ctrl *_this) 236 { 237 L2TP_CTRL_ASSERT(_this != NULL); 238 #if defined(USE_LIBSOCKUTIL) || defined(USE_SA_COOKIE) 239 free(_this->sa_cookie); 240 #endif 241 free(_this); 242 } 243 244 /* 245 * nortify disconnection to peer 246 * 247 * @return 0: all CDN and StopCCN have been sent. 248 * N: if the remaining calls which still not sent CDN exist, 249 * return # of the calls. 250 * -1: when try to send of StopCCN failed. 251 */ 252 static int 253 l2tp_ctrl_send_disconnect_notify(l2tp_ctrl *_this) 254 { 255 int ncalls; 256 257 L2TP_CTRL_ASSERT(_this != NULL) 258 L2TP_CTRL_ASSERT(_this->state == L2TP_CTRL_STATE_ESTABLISHED || 259 _this->state == L2TP_CTRL_STATE_CLEANUP_WAIT); 260 261 /* this control is not actively closing or StopCCN have been sent */ 262 if (_this->active_closing == 0) 263 return 0; 264 265 /* Send CDN all Calls */ 266 ncalls = 0; 267 if (slist_length(&_this->call_list) != 0) { 268 ncalls = l2tp_ctrl_disconnect_all_calls(_this, 0); 269 if (ncalls > 0) { 270 /* 271 * Call the function again to check whether the 272 * sending window is fulled. In case ncalls == 0, 273 * it means we've sent CDN for all calls. 274 */ 275 ncalls = l2tp_ctrl_disconnect_all_calls(_this, 0); 276 } 277 } 278 if (ncalls > 0) 279 return ncalls; 280 281 if (l2tp_ctrl_send_StopCCN(_this, _this->active_closing) != 0) 282 return -1; 283 _this->active_closing = 0; 284 285 return 0; 286 } 287 288 /* 289 * Terminate the control connection 290 * 291 * <p> 292 * please specify an appropriate value to result( >0 ) for 293 * StopCCN ResultCode AVP, when to sent Active Close (which 294 * require StopCCN sent).</p> 295 * <p> 296 * When the return value of this function is zero, the _this 297 * is already released. The lt2p_ctrl process that was bound to it 298 * could not contine. 299 * When the return value of this function is one, the timer 300 * is reset.</p> 301 * 302 * @return return 0 if terminate process was completed. 303 */ 304 int 305 l2tp_ctrl_stop(l2tp_ctrl *_this, int result) 306 { 307 int i; 308 l2tpd *_l2tpd; 309 310 L2TP_CTRL_ASSERT(_this != NULL); 311 312 switch (_this->state) { 313 case L2TP_CTRL_STATE_ESTABLISHED: 314 _this->state = L2TP_CTRL_STATE_CLEANUP_WAIT; 315 if (result > 0) { 316 _this->active_closing = result; 317 l2tp_ctrl_send_disconnect_notify(_this); 318 break; 319 } 320 goto cleanup; 321 default: 322 l2tp_ctrl_log(_this, LOG_DEBUG, "%s() unexpected state=%s", 323 __func__, l2tp_ctrl_state_string(_this)); 324 /* FALLTHROUGH */ 325 case L2TP_CTRL_STATE_WAIT_CTL_CONN: 326 /* FALLTHROUGH */ 327 case L2TP_CTRL_STATE_CLEANUP_WAIT: 328 cleanup: 329 if (slist_length(&_this->call_list) != 0) { 330 if (l2tp_ctrl_disconnect_all_calls(_this, 1) > 0) 331 break; 332 } 333 #if 0 334 if (L2TP_CTRL_CONF(_this)e_ipsec_sa != 0) 335 l2tp_ctrl_purge_ipsec_sa(_this); 336 #endif 337 338 l2tp_ctrl_log(_this, LOG_NOTICE, "logtype=Finished"); 339 340 evtimer_del(&_this->ev_timeout); 341 342 /* free send buffer */ 343 if (_this->snd_buffers != NULL) { 344 for (i = 0; i < _this->snd_buffercnt; i++) 345 bytebuffer_destroy(_this->snd_buffers[i]); 346 free(_this->snd_buffers); 347 _this->snd_buffers = NULL; 348 } 349 if (_this->zlb_buffer != NULL) { 350 bytebuffer_destroy(_this->zlb_buffer); 351 _this->zlb_buffer = NULL; 352 } 353 354 /* free l2tp_call */ 355 l2tp_ctrl_destroy_all_calls(_this); 356 slist_fini(&_this->call_list); 357 358 l2tpd_remove_ctrl(_this->l2tpd, _this->tunnel_id); 359 360 _l2tpd = _this->l2tpd; 361 l2tp_ctrl_destroy(_this); 362 363 l2tpd_ctrl_finished_notify(_l2tpd); 364 return 0; /* stopped */ 365 } 366 l2tp_ctrl_reset_timeout(_this); 367 368 return 1; 369 } 370 371 #if 0 372 /** Delete the IPsec SA for disconnection */ 373 static void 374 l2tp_ctrl_purge_ipsec_sa(l2tp_ctrl *_this) 375 { 376 int is_natt, proto; 377 struct sockaddr_storage peer, sock; 378 hash_link *hl; 379 #ifdef USE_LIBSOCKUTIL 380 struct in_ipsec_sa_cookie *ipsec_sa_cookie; 381 #endif 382 l2tp_ctrl *anot; 383 384 /* 385 * Search another tunnel that uses the same IPsec SA 386 * by lineer. 387 */ 388 for (hl = hash_first(_this->l2tpd->ctrl_map); 389 hl != NULL; hl = hash_next(_this->l2tpd->ctrl_map)) { 390 anot = hl->item; 391 if (anot == _this) 392 continue; 393 394 if (_this->peer.ss_family != anot->peer.ss_family) 395 continue; 396 if (_this->peer.ss_family == AF_INET) { 397 if (SIN(&_this->peer)->sin_addr.s_addr != 398 SIN(&anot->peer)->sin_addr.s_addr) 399 continue; 400 } else if (_this->peer.ss_family == AF_INET6) { 401 if (!IN6_ARE_ADDR_EQUAL( 402 &(SIN6(&_this->peer)->sin6_addr), 403 &(SIN6(&anot->peer)->sin6_addr))) 404 continue; 405 } 406 #ifdef USE_LIBSOCKUTIL 407 if (_this->sa_cookie != NULL && anot->sa_cookie != NULL) { 408 /* Both tunnels belong the same NAT box. */ 409 410 if (memcmp(_this->sa_cookie, anot->sa_cookie, 411 sizeof(struct in_ipsec_sa_cookie)) != 0) 412 /* Different hosts behind the NAT box. */ 413 continue; 414 415 /* The SA is shared by another tunnels by one host. */ 416 return; /* don't purge the sa */ 417 418 } else if (_this->sa_cookie != NULL || anot->sa_cookie != NULL) 419 /* Only one is behind the NAT */ 420 continue; 421 #endif 422 return; /* don't purge the sa */ 423 } 424 425 #if defined(USE_LIBSOCKUTIL) && defined(IP_IPSEC_SA_COOKIE) 426 is_natt = (_this->sa_cookie != NULL)? 1 : 0; 427 #else 428 is_natt = 0; 429 #endif 430 proto = 0; 431 memcpy(&peer, &_this->peer, _this->peer.ss_len); 432 memcpy(&sock, &_this->sock, _this->sock.ss_len); 433 if (!is_natt) 434 SIN(&peer)->sin_port = SIN(&sock)->sin_port = 0; 435 #if defined(USE_LIBSOCKUTIL) && defined(IP_IPSEC_SA_COOKIE) 436 else { 437 ipsec_sa_cookie = _this->sa_cookie; 438 SIN(&peer)->sin_port = ipsec_sa_cookie->remote_port; 439 SIN(&sock)->sin_port = ipsec_sa_cookie->local_port; 440 #if 1 441 /* 442 * XXX: As RFC 2367, protocol sould be specified if the port 443 * XXX: number is non-zero. 444 */ 445 proto = 0; 446 #else 447 proto = IPPROTO_UDP; 448 #endif 449 } 450 #endif 451 if (ipsec_util_purge_transport_sa((struct sockaddr *)&peer, 452 (struct sockaddr *)&sock, proto, IPSEC_UTIL_DIRECTION_BOTH) != 0) 453 l2tp_ctrl_log(_this, LOG_NOTICE, "failed to purge IPsec SA"); 454 } 455 #endif 456 457 /* timeout processing */ 458 static void 459 l2tp_ctrl_timeout(int fd, short evtype, void *ctx) 460 { 461 int next_timeout, need_resend; 462 time_t curr_time; 463 l2tp_ctrl *_this; 464 l2tp_call *call; 465 466 /* 467 * the timer must be reset, when leave this function. 468 * MEMO: l2tp_ctrl_stop() will reset the timer in it. 469 * and please remember that the l2tp_ctrl_stop() may free _this. 470 */ 471 _this = ctx; 472 L2TP_CTRL_ASSERT(_this != NULL); 473 474 curr_time = get_monosec(); 475 476 next_timeout = 2; 477 need_resend = 0; 478 479 if (l2tp_ctrl_txwin_size(_this) > 0) { 480 if (_this->state == L2TP_CTRL_STATE_ESTABLISHED) { 481 if (_this->hello_wait_ack != 0) { 482 /* wait Hello reply */ 483 if (curr_time - _this->hello_io_time >= 484 _this->hello_timeout) { 485 l2tp_ctrl_log(_this, LOG_NOTICE, 486 "timeout waiting ack for hello " 487 "packets."); 488 l2tp_ctrl_stop(_this, 489 L2TP_STOP_CCN_RCODE_GENERAL); 490 return; 491 } 492 } 493 } else if (curr_time - _this->last_snd_ctrl >= 494 L2TP_CTRL_CTRL_PKT_TIMEOUT) { 495 l2tp_ctrl_log(_this, LOG_NOTICE, 496 "timeout waiting ack for ctrl packets."); 497 l2tp_ctrl_stop(_this, 498 L2TP_STOP_CCN_RCODE_GENERAL); 499 return; 500 } 501 need_resend = 1; 502 } else { 503 for (slist_itr_first(&_this->call_list); 504 slist_itr_has_next(&_this->call_list);) { 505 call = slist_itr_next(&_this->call_list); 506 if (call->state == L2TP_CALL_STATE_CLEANUP_WAIT) { 507 l2tp_call_destroy(call, 1); 508 slist_itr_remove(&_this->call_list); 509 } 510 } 511 } 512 513 switch (_this->state) { 514 case L2TP_CTRL_STATE_IDLE: 515 /* 516 * idle: 517 * XXX: never happen in current implementation 518 */ 519 l2tp_ctrl_log(_this, LOG_ERR, 520 "Internal error, timeout on illegal state=idle"); 521 l2tp_ctrl_stop(_this, L2TP_STOP_CCN_RCODE_GENERAL); 522 break; 523 case L2TP_CTRL_STATE_WAIT_CTL_CONN: 524 /* 525 * wait-ctrl-conn: 526 * if there is no ack for SCCRP, the peer will 527 * resend SCCRQ. however this implementation can 528 * not recognize that the SCCRQ was resent or not. 529 * Therefore, never resent from this side. 530 */ 531 need_resend = 0; 532 break; 533 case L2TP_CTRL_STATE_ESTABLISHED: 534 if (slist_length(&_this->call_list) == 0 && 535 curr_time - _this->last_snd_ctrl >= 536 L2TP_CTRL_WAIT_CALL_TIMEOUT) { 537 if (_this->ncalls == 0) 538 /* fail to receive first call */ 539 l2tp_ctrl_log(_this, LOG_WARNING, 540 "timeout waiting call"); 541 l2tp_ctrl_stop(_this, 542 L2TP_STOP_CCN_RCODE_GENERAL); 543 return; 544 } 545 if (_this->hello_wait_ack == 0 && _this->hello_interval > 0) { 546 /* send Hello */ 547 if (curr_time - _this->hello_interval >= 548 _this->hello_io_time) { 549 if (l2tp_ctrl_send_HELLO(_this) == 0) 550 /* success */ 551 _this->hello_wait_ack = 1; 552 _this->hello_io_time = curr_time; 553 need_resend = 0; 554 } 555 } 556 break; 557 case L2TP_CTRL_STATE_CLEANUP_WAIT: 558 if (curr_time - _this->last_snd_ctrl >= 559 L2TP_CTRL_CLEANUP_WAIT_TIME) { 560 l2tp_ctrl_log(_this, LOG_NOTICE, 561 "Cleanup timeout state=%d", _this->state); 562 l2tp_ctrl_stop(_this, 0); 563 return; 564 } 565 if (_this->active_closing != 0) 566 l2tp_ctrl_send_disconnect_notify(_this); 567 break; 568 default: 569 l2tp_ctrl_log(_this, LOG_ERR, 570 "Internal error, timeout on illegal state=%d", 571 _this->state); 572 l2tp_ctrl_stop(_this, L2TP_STOP_CCN_RCODE_GENERAL); 573 return; 574 } 575 /* resend if required */ 576 if (need_resend) 577 l2tp_ctrl_resend_una_packets(_this, true); 578 l2tp_ctrl_reset_timeout(_this); 579 } 580 581 int 582 l2tp_ctrl_send(l2tp_ctrl *_this, const void *msg, int len) 583 { 584 int rval; 585 586 #ifdef USE_LIBSOCKUTIL 587 if (_this->sa_cookie != NULL) 588 rval = sendfromto_nat_t(LISTENER_SOCK(_this), msg, len, 0, 589 (struct sockaddr *)&_this->sock, 590 (struct sockaddr *)&_this->peer, _this->sa_cookie); 591 else 592 rval = sendfromto(LISTENER_SOCK(_this), msg, len, 0, 593 (struct sockaddr *)&_this->sock, 594 (struct sockaddr *)&_this->peer); 595 #else 596 #ifdef USE_SA_COOKIE 597 if (_this->sa_cookie != NULL) 598 rval = sendto_nat_t(LISTENER_SOCK(_this), msg, len, 0, 599 (struct sockaddr *)&_this->peer, _this->peer.ss_len, 600 _this->sa_cookie); 601 else 602 #endif 603 rval = sendto(LISTENER_SOCK(_this), msg, len, 0, 604 (struct sockaddr *)&_this->peer, _this->peer.ss_len); 605 #endif 606 return rval; 607 } 608 609 /* resend una packets */ 610 static int 611 l2tp_ctrl_resend_una_packets(l2tp_ctrl *_this, bool resend) 612 { 613 uint16_t seq; 614 bytebuffer *bytebuf; 615 struct l2tp_header *header; 616 int nsend; 617 618 nsend = 0; 619 for (seq = _this->snd_una; SEQ_LT(seq, _this->snd_nxt); seq++) { 620 if (!l2tp_ctrl_in_peer_window(_this, seq)) 621 break; 622 if (SEQ_LT(seq, _this->snd_last) && !resend) 623 continue; 624 bytebuf = _this->snd_buffers[seq % _this->snd_buffercnt]; 625 header = bytebuffer_pointer(bytebuf); 626 header->nr = htons(_this->rcv_nxt); 627 _this->snd_lastnr = _this->rcv_nxt; 628 #ifdef L2TP_CTRL_DEBUG 629 if (debuglevel >= 3) { 630 l2tp_ctrl_log(_this, DEBUG_LEVEL_3, "RESEND seq=%u", 631 ntohs(header->ns)); 632 show_hd(debug_get_debugfp(), 633 bytebuffer_pointer(bytebuf), 634 bytebuffer_remaining(bytebuf)); 635 } 636 #endif 637 if (l2tp_ctrl_send(_this, bytebuffer_pointer(bytebuf), 638 bytebuffer_remaining(bytebuf)) < 0) { 639 l2tp_ctrl_log(_this, LOG_ERR, 640 "sendto() failed in %s: %m", __func__); 641 return -1; 642 } 643 nsend++; 644 } 645 return nsend; 646 } 647 648 /* free all calls */ 649 static void 650 l2tp_ctrl_destroy_all_calls(l2tp_ctrl *_this) 651 { 652 l2tp_call *call; 653 654 L2TP_CTRL_ASSERT(_this != NULL); 655 656 while ((call = slist_remove_first(&_this->call_list)) != NULL) 657 l2tp_call_destroy(call, 1); 658 } 659 660 661 /* disconnect all calls on the control context 662 * @return return # of calls that is not waiting cleanup. 663 */ 664 static int 665 l2tp_ctrl_disconnect_all_calls(l2tp_ctrl *_this, int drop) 666 { 667 int i, len, ncalls; 668 l2tp_call *call; 669 670 L2TP_CTRL_ASSERT(_this != NULL); 671 672 ncalls = 0; 673 len = slist_length(&_this->call_list); 674 for (i = 0; i < len; i++) { 675 call = slist_get(&_this->call_list, i); 676 if (call->state != L2TP_CALL_STATE_CLEANUP_WAIT) { 677 ncalls++; 678 if (l2tp_ctrl_txwin_is_full(_this)) { 679 L2TP_CTRL_DBG((_this, LOG_INFO, 680 "Too many calls. Sending window is not " 681 "enough to send CDN to all clients.")); 682 if (drop) 683 l2tp_call_drop(call); 684 } else 685 l2tp_call_admin_disconnect(call); 686 } 687 } 688 return ncalls; 689 } 690 691 /* reset timeout */ 692 static void 693 l2tp_ctrl_reset_timeout(l2tp_ctrl *_this) 694 { 695 int intvl; 696 struct timeval tv0; 697 698 L2TP_CTRL_ASSERT(_this != NULL); 699 700 if (evtimer_initialized(&_this->ev_timeout)) 701 evtimer_del(&_this->ev_timeout); 702 703 switch (_this->state) { 704 case L2TP_CTRL_STATE_CLEANUP_WAIT: 705 intvl = 1; 706 break; 707 default: 708 intvl = 2; 709 break; 710 } 711 tv0.tv_usec = 0; 712 tv0.tv_sec = intvl; 713 if (!evtimer_initialized(&_this->ev_timeout)) 714 evtimer_set(&_this->ev_timeout, l2tp_ctrl_timeout, _this); 715 evtimer_add(&_this->ev_timeout, &tv0); 716 } 717 718 /* 719 * protocols / send and receive 720 */ 721 /* Receive packet */ 722 void 723 l2tp_ctrl_input(l2tpd *_this, int listener_index, struct sockaddr *peer, 724 struct sockaddr *sock, void *nat_t_ctx, u_char *pkt, int pktlen) 725 { 726 int i, len, offsiz, reqlen, is_ctrl; 727 uint16_t mestype; 728 struct l2tp_avp *avp, *avp0; 729 l2tp_ctrl *ctrl; 730 l2tp_call *call; 731 char buf[L2TP_AVP_MAXSIZ], errmsg[256]; 732 time_t curr_time; 733 u_char *pkt0; 734 struct l2tp_header hdr; 735 char hbuf[NI_MAXHOST + NI_MAXSERV + 16]; 736 737 ctrl = NULL; 738 curr_time = get_monosec(); 739 pkt0 = pkt; 740 741 L2TP_CTRL_ASSERT(peer->sa_family == sock->sa_family); 742 L2TP_CTRL_ASSERT(peer->sa_family == AF_INET || 743 peer->sa_family == AF_INET6) 744 /* 745 * Parse L2TP Header 746 */ 747 memset(&hdr, 0, sizeof(hdr)); 748 if (pktlen < 2) { 749 snprintf(errmsg, sizeof(errmsg), "a short packet. " 750 "length=%d", pktlen); 751 goto bad_packet; 752 } 753 memcpy(&hdr, pkt, 2); 754 pkt += 2; 755 if (hdr.ver != L2TP_HEADER_VERSION_RFC2661) { 756 /* XXX: only RFC2661 is supported */ 757 snprintf(errmsg, sizeof(errmsg), 758 "Unsupported version at header = %d", hdr.ver); 759 goto bad_packet; 760 } 761 is_ctrl = (hdr.t != 0)? 1 : 0; 762 763 /* calc required length */ 764 reqlen = 6; /* for Flags, Tunnel-Id, Session-Id field */ 765 if (hdr.l) reqlen += 2; /* for Length field (opt) */ 766 if (hdr.s) reqlen += 4; /* for Ns, Nr field (opt) */ 767 if (hdr.o) reqlen += 2; /* for Offset Size field (opt) */ 768 if (reqlen > pktlen) { 769 snprintf(errmsg, sizeof(errmsg), 770 "a short packet. length=%d", pktlen); 771 goto bad_packet; 772 } 773 774 if (hdr.l != 0) { 775 GETSHORT(hdr.length, pkt); 776 if (hdr.length > pktlen) { 777 snprintf(errmsg, sizeof(errmsg), 778 "Actual packet size is smaller than the length " 779 "field %d < %d", pktlen, hdr.length); 780 goto bad_packet; 781 } 782 pktlen = hdr.length; /* remove trailing trash */ 783 } 784 GETSHORT(hdr.tunnel_id, pkt); 785 GETSHORT(hdr.session_id, pkt); 786 if (hdr.s != 0) { 787 GETSHORT(hdr.ns, pkt); 788 GETSHORT(hdr.nr, pkt); 789 } 790 if (hdr.o != 0) { 791 GETSHORT(offsiz, pkt); 792 if (pktlen < offsiz) { 793 snprintf(errmsg, sizeof(errmsg), 794 "offset field is bigger than remaining packet " 795 "length %d > %d", offsiz, pktlen); 796 goto bad_packet; 797 } 798 pkt += offsiz; 799 } 800 L2TP_CTRL_ASSERT(pkt - pkt0 == reqlen); 801 pktlen -= (pkt - pkt0); /* cut down the length of header */ 802 803 ctrl = NULL; 804 memset(buf, 0, sizeof(buf)); 805 mestype = 0; 806 avp = NULL; 807 808 if (is_ctrl) { 809 avp0 = (struct l2tp_avp *)buf; 810 avp = avp_find_message_type_avp(avp0, pkt, pktlen); 811 if (avp != NULL) 812 mestype = avp->attr_value[0] << 8 | avp->attr_value[1]; 813 } 814 ctrl = l2tpd_get_ctrl(_this, hdr.tunnel_id); 815 816 if (ctrl == NULL) { 817 /* new control */ 818 if (!is_ctrl) { 819 snprintf(errmsg, sizeof(errmsg), 820 "bad data message: tunnelId=%d is not " 821 "found.", hdr.tunnel_id); 822 goto bad_packet; 823 } 824 if (mestype != L2TP_AVP_MESSAGE_TYPE_SCCRQ) { 825 snprintf(errmsg, sizeof(errmsg), 826 "bad control message: tunnelId=%d is not " 827 "found. mestype=%s", hdr.tunnel_id, 828 avp_mes_type_string(mestype)); 829 goto bad_packet; 830 } 831 832 if ((ctrl = l2tp_ctrl_create()) == NULL) { 833 l2tp_ctrl_log(ctrl, LOG_ERR, 834 "l2tp_ctrl_create() failed: %m"); 835 goto fail; 836 } 837 838 if (l2tp_ctrl_init(ctrl, _this, peer, sock, nat_t_ctx) != 0) { 839 l2tp_ctrl_log(ctrl, LOG_ERR, 840 "l2tp_ctrl_start() failed: %m"); 841 goto fail; 842 } 843 844 ctrl->listener_index = listener_index; 845 l2tp_ctrl_reload(ctrl); 846 } else { 847 /* 848 * treat as an error if src address and port is not 849 * match. (because it is potentially DoS attach) 850 */ 851 int notmatch = 0; 852 853 if (ctrl->peer.ss_family != peer->sa_family) 854 notmatch = 1; 855 else if (peer->sa_family == AF_INET) { 856 if (SIN(peer)->sin_addr.s_addr != 857 SIN(&ctrl->peer)->sin_addr.s_addr || 858 SIN(peer)->sin_port != SIN(&ctrl->peer)->sin_port) 859 notmatch = 1; 860 } else if (peer->sa_family == AF_INET6) { 861 if (!IN6_ARE_ADDR_EQUAL(&(SIN6(peer)->sin6_addr), 862 &(SIN6(&ctrl->peer)->sin6_addr)) || 863 SIN6(peer)->sin6_port != 864 SIN6(&ctrl->peer)->sin6_port) 865 notmatch = 1; 866 } 867 if (notmatch) { 868 snprintf(errmsg, sizeof(errmsg), 869 "tunnelId=%u is already assigned for %s", 870 hdr.tunnel_id, addrport_tostring( 871 (struct sockaddr *)&ctrl->peer, 872 ctrl->peer.ss_len, hbuf, sizeof(hbuf))); 873 goto bad_packet; 874 } 875 } 876 ctrl->last_rcv = curr_time; 877 call = NULL; 878 if (hdr.session_id != 0) { 879 /* search l2tp_call by Session ID */ 880 /* linear search is enough for this purpose */ 881 len = slist_length(&ctrl->call_list); 882 for (i = 0; i < len; i++) { 883 call = slist_get(&ctrl->call_list, i); 884 if (call->session_id == hdr.session_id) 885 break; 886 call = NULL; 887 } 888 } 889 if (!is_ctrl) { 890 int delayed = 0; 891 892 /* L2TP data */ 893 if (ctrl->state != L2TP_CTRL_STATE_ESTABLISHED) { 894 l2tp_ctrl_log(ctrl, LOG_WARNING, 895 "Received Data packet in '%s'", 896 l2tp_ctrl_state_string(ctrl)); 897 goto fail; 898 } 899 if (call == NULL) { 900 l2tp_ctrl_log(ctrl, LOG_WARNING, 901 "Received a data packet but it has no call. " 902 "session_id=%u", hdr.session_id); 903 goto fail; 904 } 905 L2TP_CTRL_DBG((ctrl, DEBUG_LEVEL_2, 906 "call=%u RECV ns=%u nr=%u snd_nxt=%u rcv_nxt=%u len=%d", 907 call->id, hdr.ns, hdr.nr, call->snd_nxt, call->rcv_nxt, 908 pktlen)); 909 if (call->state != L2TP_CALL_STATE_ESTABLISHED){ 910 l2tp_ctrl_log(ctrl, LOG_WARNING, 911 "Received a data packet but call is not " 912 "established"); 913 goto fail; 914 } 915 916 if (hdr.s != 0) { 917 if (SEQ_LT(hdr.ns, call->rcv_nxt)) { 918 if (SEQ_LT(hdr.ns, 919 call->rcv_nxt - L2TP_CALL_DELAY_LIMIT)) { 920 /* sequence number seems to be delayed */ 921 /* XXX: need to log? */ 922 L2TP_CTRL_DBG((ctrl, LOG_DEBUG, 923 "receive a out of sequence " 924 "data packet: %u < %u.", 925 hdr.ns, call->rcv_nxt)); 926 return; 927 } 928 delayed = 1; 929 } else { 930 call->rcv_nxt = hdr.ns + 1; 931 } 932 } 933 934 l2tp_call_ppp_input(call, pkt, pktlen, delayed); 935 936 return; 937 } 938 if (hdr.s != 0) { 939 L2TP_CTRL_DBG((ctrl, DEBUG_LEVEL_2, 940 "RECV %s ns=%u nr=%u snd_nxt=%u snd_una=%u rcv_nxt=%u " 941 "len=%d", (is_ctrl)? "C" : "", hdr.ns, hdr.nr, 942 ctrl->snd_nxt, ctrl->snd_una, ctrl->rcv_nxt, pktlen)); 943 944 if (pktlen <= 0) 945 l2tp_ctrl_log(ctrl, LOG_INFO, "RecvZLB"); 946 947 if (SEQ_GT(hdr.nr, ctrl->snd_una)) { 948 /* a new ack arrived */ 949 if (SEQ_GT(hdr.nr, ctrl->snd_nxt)) { 950 /* ack is proceeded us */ 951 l2tp_ctrl_log(ctrl, LOG_INFO, 952 "Received message has bad Nr field: " 953 "%u < %u", ctrl->snd_nxt, hdr.nr); 954 goto fail; 955 } 956 ctrl->snd_una = hdr.nr; 957 /* peer window is moved. send out pending packets */ 958 l2tp_ctrl_resend_una_packets(ctrl, false); 959 } 960 if (l2tp_ctrl_txwin_size(ctrl) <= 0) { 961 /* no waiting ack */ 962 if (ctrl->hello_wait_ack != 0) { 963 /* 964 * Reset Hello state, as an ack for the Hello 965 * is received. 966 */ 967 ctrl->hello_wait_ack = 0; 968 ctrl->hello_io_time = curr_time; 969 } 970 switch (ctrl->state) { 971 case L2TP_CTRL_STATE_CLEANUP_WAIT: 972 l2tp_ctrl_stop(ctrl, 0); 973 return; 974 } 975 } 976 if (hdr.ns != ctrl->rcv_nxt) { 977 /* there are remaining packet */ 978 if (l2tp_ctrl_resend_una_packets(ctrl, true) <= 0) { 979 /* resend or sent ZLB */ 980 l2tp_ctrl_send_ZLB(ctrl); 981 } 982 #ifdef L2TP_CTRL_DEBUG 983 if (pktlen != 0) { /* not ZLB */ 984 L2TP_CTRL_DBG((ctrl, LOG_DEBUG, 985 "receive out of sequence %u must be %u. " 986 "mestype=%s", hdr.ns, ctrl->rcv_nxt, 987 avp_mes_type_string(mestype))); 988 } 989 #endif 990 return; 991 } 992 if (pktlen <= 0) 993 return; /* ZLB */ 994 995 if (!l2tp_ctrl_in_our_window(ctrl, hdr.ns)) { 996 l2tp_ctrl_log(ctrl, LOG_WARNING, 997 "received message is outside of window. " 998 "ns=%d window=%u:%u", 999 hdr.ns, ctrl->snd_lastnr, 1000 (uint16_t)(ctrl->snd_lastnr + ctrl->winsz - 1)); 1001 return; 1002 } 1003 1004 ctrl->rcv_nxt++; 1005 if (avp == NULL) { 1006 l2tpd_log(_this, LOG_WARNING, 1007 "bad control message: no message-type AVP."); 1008 goto fail; 1009 } 1010 } 1011 1012 /* 1013 * state machine (RFC2661 pp. 56-57) 1014 */ 1015 switch (ctrl->state) { 1016 case L2TP_CTRL_STATE_IDLE: 1017 switch (mestype) { 1018 case L2TP_AVP_MESSAGE_TYPE_SCCRQ: 1019 if (l2tp_ctrl_recv_SCCRQ(ctrl, pkt, pktlen, _this, 1020 peer) == 0) { 1021 /* acceptable */ 1022 l2tp_ctrl_send_SCCRP(ctrl); 1023 ctrl->state = L2TP_CTRL_STATE_WAIT_CTL_CONN; 1024 return; 1025 } 1026 /* 1027 * in case un-acceptable, it was already processed 1028 * at l2tcp_ctrl_recv_SCCRQ 1029 */ 1030 return; 1031 case L2TP_AVP_MESSAGE_TYPE_SCCRP: 1032 /* 1033 * RFC specifies that sent of StopCCN in the state, 1034 * However as this implementation only support Passive 1035 * open, this packet will not received. 1036 */ 1037 /* FALLTHROUGH */ 1038 case L2TP_AVP_MESSAGE_TYPE_SCCCN: 1039 default: 1040 break; 1041 } 1042 goto fsm_fail; 1043 1044 case L2TP_CTRL_STATE_WAIT_CTL_CONN: 1045 /* Wait-Ctl-Conn */ 1046 switch (mestype) { 1047 case L2TP_AVP_MESSAGE_TYPE_SCCCN: 1048 l2tp_ctrl_log(ctrl, LOG_INFO, "RecvSCCN"); 1049 if (l2tp_ctrl_send_ZLB(ctrl) == 0) { 1050 ctrl->state = L2TP_CTRL_STATE_ESTABLISHED; 1051 } 1052 return; 1053 case L2TP_AVP_MESSAGE_TYPE_StopCCN: 1054 goto receive_stop_ccn; 1055 case L2TP_AVP_MESSAGE_TYPE_SCCRQ: 1056 case L2TP_AVP_MESSAGE_TYPE_SCCRP: 1057 default: 1058 break; 1059 } 1060 break; /* fsm_fail */ 1061 case L2TP_CTRL_STATE_ESTABLISHED: 1062 /* Established */ 1063 switch (mestype) { 1064 case L2TP_AVP_MESSAGE_TYPE_SCCCN: 1065 case L2TP_AVP_MESSAGE_TYPE_SCCRQ: 1066 case L2TP_AVP_MESSAGE_TYPE_SCCRP: 1067 break; 1068 receive_stop_ccn: 1069 case L2TP_AVP_MESSAGE_TYPE_StopCCN: 1070 l2tp_ctrl_recv_StopCCN(ctrl, pkt, pktlen); 1071 l2tp_ctrl_send_ZLB(ctrl); 1072 l2tp_ctrl_stop(ctrl, 0); 1073 return; 1074 1075 case L2TP_AVP_MESSAGE_TYPE_HELLO: 1076 l2tp_ctrl_send_ZLB(ctrl); 1077 return; 1078 case L2TP_AVP_MESSAGE_TYPE_CDN: 1079 case L2TP_AVP_MESSAGE_TYPE_ICRP: 1080 case L2TP_AVP_MESSAGE_TYPE_ICCN: 1081 if (call == NULL) { 1082 l2tp_ctrl_log(ctrl, LOG_INFO, 1083 "Unknown call message: %s", 1084 avp_mes_type_string(mestype)); 1085 goto fail; 1086 } 1087 /* FALLTHROUGH */ 1088 case L2TP_AVP_MESSAGE_TYPE_ICRQ: 1089 l2tp_call_recv_packet(ctrl, call, mestype, pkt, 1090 pktlen); 1091 return; 1092 default: 1093 break; 1094 } 1095 break; /* fsm_fail */ 1096 case L2TP_CTRL_STATE_CLEANUP_WAIT: 1097 if (mestype == L2TP_AVP_MESSAGE_TYPE_StopCCN) { 1098 /* 1099 * We left ESTABLISHED state, but the peer sent StopCCN. 1100 */ 1101 goto receive_stop_ccn; 1102 } 1103 break; /* fsm_fail */ 1104 } 1105 1106 fsm_fail: 1107 /* state machine error */ 1108 l2tp_ctrl_log(ctrl, LOG_WARNING, "Received %s in '%s' state", 1109 avp_mes_type_string(mestype), l2tp_ctrl_state_string(ctrl)); 1110 l2tp_ctrl_stop(ctrl, L2TP_STOP_CCN_RCODE_FSM_ERROR); 1111 1112 return; 1113 fail: 1114 if (ctrl != NULL && mestype != 0) { 1115 l2tp_ctrl_log(ctrl, LOG_WARNING, "Received %s in '%s' state", 1116 avp_mes_type_string(mestype), l2tp_ctrl_state_string(ctrl)); 1117 l2tp_ctrl_stop(ctrl, L2TP_STOP_CCN_RCODE_GENERAL_ERROR); 1118 } 1119 return; 1120 1121 bad_packet: 1122 l2tpd_log(_this, LOG_INFO, "Received from=%s: %s", 1123 addrport_tostring(peer, peer->sa_len, hbuf, sizeof(hbuf)), errmsg); 1124 1125 return; 1126 } 1127 1128 static int 1129 l2tp_ctrl_txwin_size(l2tp_ctrl *_this) 1130 { 1131 uint16_t sz; 1132 1133 sz = _this->snd_nxt - _this->snd_una; 1134 1135 L2TP_CTRL_ASSERT(sz <= _this->buffercnt); 1136 1137 return sz; 1138 } 1139 1140 static bool 1141 l2tp_ctrl_txwin_is_full(l2tp_ctrl *_this) 1142 { 1143 return (l2tp_ctrl_txwin_size(_this) >= _this->snd_buffercnt)? 1 : 0; 1144 } 1145 1146 static bool 1147 l2tp_ctrl_in_peer_window(l2tp_ctrl *_this, uint16_t seq) 1148 { 1149 uint16_t off; 1150 int winsz; 1151 1152 winsz = MINIMUM(_this->winsz, _this->peer_winsz); 1153 off = seq - _this->snd_una; 1154 1155 return ((off < winsz)? true : false); 1156 } 1157 1158 static bool 1159 l2tp_ctrl_in_our_window(l2tp_ctrl *_this, uint16_t seq) 1160 { 1161 uint16_t off; 1162 1163 off = seq - _this->snd_lastnr; 1164 1165 return ((off < _this->winsz)? true : false); 1166 } 1167 /* send control packet */ 1168 int 1169 l2tp_ctrl_send_packet(l2tp_ctrl *_this, int call_id, bytebuffer *bytebuf) 1170 { 1171 struct l2tp_header *hdr; 1172 int rval; 1173 time_t curr_time; 1174 uint16_t seq; 1175 1176 curr_time = get_monosec(); 1177 1178 bytebuffer_flip(bytebuf); 1179 hdr = (struct l2tp_header *)bytebuffer_pointer(bytebuf); 1180 memset(hdr, 0, sizeof(*hdr)); 1181 1182 hdr->t = 1; 1183 hdr->ver = L2TP_HEADER_VERSION_RFC2661; 1184 hdr->l = 1; 1185 hdr->length = htons(bytebuffer_remaining(bytebuf)); 1186 hdr->tunnel_id = htons(_this->peer_tunnel_id); 1187 hdr->session_id = htons(call_id); 1188 1189 hdr->s = 1; 1190 seq = _this->snd_nxt; 1191 hdr->ns = htons(seq); 1192 hdr->nr = htons(_this->rcv_nxt); 1193 1194 if (bytebuffer_remaining(bytebuf) > sizeof(struct l2tp_header)) 1195 /* Not ZLB */ 1196 _this->snd_nxt++; 1197 1198 if (!l2tp_ctrl_in_peer_window(_this, seq)) 1199 return (0); 1200 1201 L2TP_CTRL_DBG((_this, DEBUG_LEVEL_2, 1202 "SEND C ns=%u nr=%u snd_nxt=%u snd_una=%u rcv_nxt=%u ", 1203 ntohs(hdr->ns), htons(hdr->nr), 1204 _this->snd_nxt, _this->snd_una, _this->rcv_nxt)); 1205 1206 if (L2TP_CTRL_CONF(_this)->ctrl_out_pktdump != 0) { 1207 l2tpd_log(_this->l2tpd, LOG_DEBUG, 1208 "L2TP Control output packet dump"); 1209 show_hd(debug_get_debugfp(), bytebuffer_pointer(bytebuf), 1210 bytebuffer_remaining(bytebuf)); 1211 } 1212 1213 if ((rval = l2tp_ctrl_send(_this, bytebuffer_pointer(bytebuf), 1214 bytebuffer_remaining(bytebuf))) < 0) { 1215 L2TP_CTRL_DBG((_this, LOG_DEBUG, "sendto() failed: %m")); 1216 } 1217 1218 _this->snd_lastnr = _this->rcv_nxt; 1219 _this->last_snd_ctrl = curr_time; 1220 _this->snd_last = seq; 1221 1222 return (rval == bytebuffer_remaining(bytebuf))? 0 : 1; 1223 } 1224 1225 /* 1226 * receiver SCCRQ 1227 */ 1228 static int 1229 l2tp_ctrl_recv_SCCRQ(l2tp_ctrl *_this, u_char *pkt, int pktlen, l2tpd *_l2tpd, 1230 struct sockaddr *peer) 1231 { 1232 int avpsz, len, protover, protorev, firmrev, result; 1233 struct l2tp_avp *avp; 1234 char host[NI_MAXHOST], serv[NI_MAXSERV]; 1235 char buf[L2TP_AVP_MAXSIZ], emes[256], hostname[256], vendorname[256]; 1236 1237 result = L2TP_STOP_CCN_RCODE_GENERAL_ERROR; 1238 strlcpy(hostname, "(no hostname)", sizeof(hostname)); 1239 strlcpy(vendorname, "(no vendorname)", sizeof(vendorname)); 1240 1241 _this->peer_winsz = 4; /* default is 4 in RFC 2661 */ 1242 firmrev = 0; 1243 protover = 0; 1244 protorev = 0; 1245 avp = (struct l2tp_avp *)buf; 1246 while (pktlen >= 6 && (avpsz = avp_enum(avp, pkt, pktlen, 1)) > 0) { 1247 pkt += avpsz; 1248 pktlen -= avpsz; 1249 if (avp->vendor_id != 0) { 1250 L2TP_CTRL_DBG((_this, LOG_DEBUG, 1251 "Received a Vendor-specific AVP vendor-id=%d " 1252 "type=%d", avp->vendor_id, avp->attr_type)); 1253 continue; 1254 } 1255 switch (avp->attr_type) { 1256 case L2TP_AVP_TYPE_MESSAGE_TYPE: 1257 AVP_SIZE_CHECK(avp, ==, 8); 1258 continue; 1259 case L2TP_AVP_TYPE_PROTOCOL_VERSION: 1260 AVP_SIZE_CHECK(avp, ==, 8); 1261 protover = avp->attr_value[0]; 1262 protorev = avp->attr_value[1]; 1263 1264 if (protover != L2TP_RFC2661_VERSION || 1265 protorev != L2TP_RFC2661_REVISION) { 1266 result = L2TP_STOP_CCN_RCODE_GENERAL_ERROR; 1267 snprintf(emes, sizeof(emes), 1268 "Peer's protocol version is not supported:" 1269 " %d.%d", protover, protorev); 1270 goto not_acceptable; 1271 } 1272 continue; 1273 case L2TP_AVP_TYPE_FRAMING_CAPABILITIES: 1274 AVP_SIZE_CHECK(avp, ==, 10); 1275 if ((avp_get_val32(avp) & L2TP_FRAMING_CAP_FLAGS_SYNC) 1276 == 0) { 1277 L2TP_CTRL_DBG((_this, LOG_DEBUG, "Peer doesn't " 1278 "support synchronous framing")); 1279 } 1280 continue; 1281 case L2TP_AVP_TYPE_BEARER_CAPABILITIES: 1282 AVP_SIZE_CHECK(avp, ==, 10); 1283 continue; 1284 case L2TP_AVP_TYPE_TIE_BREAKER: 1285 AVP_SIZE_CHECK(avp, ==, 14); 1286 /* 1287 * As the implementation never send SCCRQ, 1288 * the peer is always winner 1289 */ 1290 continue; 1291 case L2TP_AVP_TYPE_FIRMWARE_REVISION: 1292 AVP_SIZE_CHECK(avp, >=, 6); 1293 firmrev = avp_get_val16(avp); 1294 continue; 1295 case L2TP_AVP_TYPE_HOST_NAME: 1296 AVP_SIZE_CHECK(avp, >, 4); 1297 len = MINIMUM(sizeof(hostname) - 1, avp->length - 6); 1298 memcpy(hostname, avp->attr_value, len); 1299 hostname[len] = '\0'; 1300 continue; 1301 case L2TP_AVP_TYPE_VENDOR_NAME: 1302 AVP_SIZE_CHECK(avp, >, 4); 1303 len = MINIMUM(sizeof(vendorname) - 1, avp->length - 6); 1304 memcpy(vendorname, avp->attr_value, len); 1305 vendorname[len] = '\0'; 1306 continue; 1307 case L2TP_AVP_TYPE_ASSINGED_TUNNEL_ID: 1308 AVP_SIZE_CHECK(avp, ==, 8); 1309 _this->peer_tunnel_id = avp_get_val16(avp); 1310 continue; 1311 case L2TP_AVP_TYPE_RECV_WINDOW_SIZE: 1312 AVP_SIZE_CHECK(avp, ==, 8); 1313 _this->peer_winsz = avp_get_val16(avp); 1314 continue; 1315 } 1316 if (avp->is_mandatory) { 1317 l2tp_ctrl_log(_this, LOG_WARNING, 1318 "Received AVP (%s/%d) is not supported, but it's " 1319 "mandatory", avp_attr_type_string(avp->attr_type), 1320 avp->attr_type); 1321 #ifdef L2TP_CTRL_DEBUG 1322 } else { 1323 L2TP_CTRL_DBG((_this, LOG_DEBUG, 1324 "AVP (%s/%d) is not handled", 1325 avp_attr_type_string(avp->attr_type), 1326 avp->attr_type)); 1327 #endif 1328 } 1329 } 1330 if (getnameinfo((struct sockaddr *)&_this->peer, _this->peer.ss_len, 1331 host, sizeof(host), serv, sizeof(serv), 1332 NI_NUMERICHOST | NI_NUMERICSERV | NI_DGRAM) != 0) { 1333 l2tp_ctrl_log(_this, LOG_ERR, 1334 "getnameinfo() failed at %s(): %m", __func__); 1335 strlcpy(host, "error", sizeof(host)); 1336 strlcpy(serv, "error", sizeof(serv)); 1337 } 1338 l2tp_ctrl_log(_this, LOG_NOTICE, "logtype=Started RecvSCCRQ " 1339 "from=%s:%s/udp tunnel_id=%u/%u protocol=%d.%d winsize=%d " 1340 "hostname=%s vendor=%s firm=%04X", host, serv, _this->tunnel_id, 1341 _this->peer_tunnel_id, protover, protorev, _this->peer_winsz, 1342 hostname, vendorname, firmrev); 1343 1344 if (_this->peer_winsz == 0) 1345 _this->peer_winsz = 1; 1346 1347 return 0; 1348 not_acceptable: 1349 size_check_failed: 1350 l2tp_ctrl_log(_this, LOG_ERR, "Received bad SCCRQ: %s", emes); 1351 l2tp_ctrl_stop(_this, result); 1352 1353 return 1; 1354 } 1355 1356 /* 1357 * send StopCCN 1358 */ 1359 static int 1360 l2tp_ctrl_send_StopCCN(l2tp_ctrl *_this, int result) 1361 { 1362 struct l2tp_avp *avp; 1363 char buf[L2TP_AVP_MAXSIZ]; 1364 bytebuffer *bytebuf; 1365 1366 if ((bytebuf = l2tp_ctrl_prepare_snd_buffer(_this, 1)) == NULL) { 1367 l2tp_ctrl_log(_this, LOG_ERR, 1368 "sending StopCCN failed: no buffer."); 1369 return -1; 1370 } 1371 avp = (struct l2tp_avp *)buf; 1372 1373 /* Message Type = StopCCN */ 1374 memset(avp, 0, sizeof(*avp)); 1375 avp->is_mandatory = 1; 1376 avp->attr_type = L2TP_AVP_TYPE_MESSAGE_TYPE; 1377 avp_set_val16(avp, L2TP_AVP_MESSAGE_TYPE_StopCCN); 1378 bytebuf_add_avp(bytebuf, avp, 2); 1379 1380 /* Assigned Tunnel Id */ 1381 memset(avp, 0, sizeof(*avp)); 1382 avp->is_mandatory = 1; 1383 avp->attr_type = L2TP_AVP_TYPE_ASSINGED_TUNNEL_ID; 1384 avp_set_val16(avp, _this->tunnel_id); 1385 bytebuf_add_avp(bytebuf, avp, 2); 1386 1387 /* Result Code */ 1388 memset(avp, 0, sizeof(*avp)); 1389 avp->is_mandatory = 1; 1390 avp->attr_type = L2TP_AVP_TYPE_RESULT_CODE; 1391 avp_set_val16(avp, result); 1392 bytebuf_add_avp(bytebuf, avp, 2); 1393 1394 if (l2tp_ctrl_send_packet(_this, 0, bytebuf) != 0) { 1395 l2tp_ctrl_log(_this, LOG_ERR, "sending StopCCN failed"); 1396 return - 1; 1397 } 1398 l2tp_ctrl_log(_this, LOG_INFO, "SendStopCCN result=%d", result); 1399 1400 return 0; 1401 } 1402 1403 /* 1404 * Receiver StopCCN 1405 */ 1406 static int 1407 l2tp_ctrl_recv_StopCCN(l2tp_ctrl *_this, u_char *pkt, int pktlen) 1408 { 1409 int result, error, avpsz, len; 1410 uint16_t tunid; 1411 struct l2tp_avp *avp; 1412 char buf[L2TP_AVP_MAXSIZ + 16], emes[256], pmes[256]; 1413 1414 result = 0; 1415 error = 0; 1416 tunid = 0; 1417 pmes[0] = '\0'; 1418 avp = (struct l2tp_avp *)buf; 1419 while (pktlen >= 6 && (avpsz = avp_enum(avp, pkt, pktlen, 1)) > 0) { 1420 pkt += avpsz; 1421 pktlen -= avpsz; 1422 if (avp->vendor_id != 0) { 1423 L2TP_CTRL_DBG((_this, LOG_DEBUG, 1424 "Received a Vendor-specific AVP vendor-id=%d " 1425 "type=%d", avp->vendor_id, avp->attr_type)); 1426 continue; 1427 } 1428 if (avp->is_hidden != 0) { 1429 l2tp_ctrl_log(_this, LOG_WARNING, 1430 "Received AVP (%s/%d) is hidden. But we don't " 1431 "share secret.", 1432 avp_attr_type_string(avp->attr_type), 1433 avp->attr_type); 1434 if (avp->is_mandatory != 0) { 1435 l2tp_ctrl_stop(_this, 1436 L2TP_STOP_CCN_RCODE_GENERAL_ERROR | 1437 L2TP_ECODE_UNKNOWN_MANDATORY_AVP); 1438 return 1; 1439 } 1440 continue; 1441 } 1442 switch (avp->attr_type) { 1443 case L2TP_AVP_TYPE_MESSAGE_TYPE: 1444 AVP_SIZE_CHECK(avp, ==, 8); 1445 continue; 1446 case L2TP_AVP_TYPE_RESULT_CODE: 1447 AVP_SIZE_CHECK(avp, >=, 8); 1448 result = avp->attr_value[0] << 8 | avp->attr_value[1]; 1449 if (avp->length >= 10) { 1450 error = avp->attr_value[2] << 8 | 1451 avp->attr_value[3]; 1452 len = avp->length - 12; 1453 if (len > 0) { 1454 len = MINIMUM(len, sizeof(pmes) - 1); 1455 memcpy(pmes, &avp->attr_value[4], len); 1456 pmes[len] = '\0'; 1457 } 1458 } 1459 continue; 1460 case L2TP_AVP_TYPE_ASSINGED_TUNNEL_ID: 1461 AVP_SIZE_CHECK(avp, ==, 8); 1462 tunid = avp_get_val16(avp); 1463 continue; 1464 default: 1465 if (avp->is_mandatory != 0) { 1466 l2tp_ctrl_log(_this, LOG_WARNING, 1467 "Received AVP (%s/%d) is not supported, " 1468 "but it's mandatory", 1469 avp_attr_type_string(avp->attr_type), 1470 avp->attr_type); 1471 #ifdef L2TP_CTRL_DEBUG 1472 } else { 1473 L2TP_CTRL_DBG((_this, LOG_DEBUG, 1474 "AVP (%s/%d) is not handled", 1475 avp_attr_type_string(avp->attr_type), 1476 avp->attr_type)); 1477 #endif 1478 } 1479 } 1480 } 1481 1482 if (result == L2TP_CDN_RCODE_ERROR_CODE && 1483 error == L2TP_ECODE_NO_RESOURCE) { 1484 /* 1485 * Memo: 1486 * This state may be happen in following state. 1487 * - lots of connect/disconect by long-running 1488 * windows2000, sometimes it fall to this state. 1489 * Once it fall to here, connection will fail till 1490 * the windows rebooted 1491 */ 1492 l2tp_ctrl_log(_this, LOG_WARNING, 1493 "Peer indicates \"No Resource\" error."); 1494 } 1495 1496 l2tp_ctrl_log(_this, LOG_INFO, "RecvStopCCN result=%s/%u " 1497 "error=%s/%u tunnel_id=%u message=\"%s\"", 1498 l2tp_stopccn_rcode_string(result), result, 1499 l2tp_ecode_string(error), error, tunid, pmes); 1500 1501 return 0; 1502 1503 size_check_failed: 1504 l2tp_ctrl_log(_this, LOG_ERR, "Received bad StopCCN: %s", emes); 1505 1506 return -1; 1507 } 1508 1509 /* 1510 * send SCCRP 1511 */ 1512 static void 1513 l2tp_ctrl_send_SCCRP(l2tp_ctrl *_this) 1514 { 1515 int len; 1516 struct l2tp_avp *avp; 1517 char buf[L2TP_AVP_MAXSIZ], hbuf[HOST_NAME_MAX+1]; 1518 const char *val; 1519 bytebuffer *bytebuf; 1520 1521 if ((bytebuf = l2tp_ctrl_prepare_snd_buffer(_this, 1)) == NULL) { 1522 l2tp_ctrl_log(_this, LOG_ERR, 1523 "sending SCCRP failed: no buffer."); 1524 return; 1525 } 1526 avp = (struct l2tp_avp *)buf; 1527 1528 /* Message Type = SCCRP */ 1529 memset(avp, 0, sizeof(*avp)); 1530 avp->is_mandatory = 1; 1531 avp->attr_type = L2TP_AVP_TYPE_MESSAGE_TYPE; 1532 avp_set_val16(avp, L2TP_AVP_MESSAGE_TYPE_SCCRP); 1533 bytebuf_add_avp(bytebuf, avp, 2); 1534 1535 /* Protocol Version = 1.0 */ 1536 memset(avp, 0, sizeof(*avp)); 1537 avp->is_mandatory = 1; 1538 avp->attr_type = L2TP_AVP_TYPE_PROTOCOL_VERSION; 1539 avp->attr_value[0] = L2TP_RFC2661_VERSION; 1540 avp->attr_value[1] = L2TP_RFC2661_REVISION; 1541 bytebuf_add_avp(bytebuf, avp, 2); 1542 1543 /* Framing Capability = Async */ 1544 memset(avp, 0, sizeof(*avp)); 1545 avp->is_mandatory = 1; 1546 avp->attr_type = L2TP_AVP_TYPE_FRAMING_CAPABILITIES; 1547 avp_set_val32(avp, L2TP_FRAMING_CAP_FLAGS_SYNC); 1548 bytebuf_add_avp(bytebuf, avp, 4); 1549 1550 /* Host Name */ 1551 memset(avp, 0, sizeof(*avp)); 1552 avp->is_mandatory = 1; 1553 avp->attr_type = L2TP_AVP_TYPE_HOST_NAME; 1554 if ((val = L2TP_CTRL_CONF(_this)->hostname) == NULL) { 1555 gethostname(hbuf, sizeof(hbuf)); 1556 val = hbuf; 1557 } 1558 len = strlen(val); 1559 memcpy(avp->attr_value, val, len); 1560 bytebuf_add_avp(bytebuf, avp, len); 1561 1562 /* Assigned Tunnel Id */ 1563 memset(avp, 0, sizeof(*avp)); 1564 avp->is_mandatory = 1; 1565 avp->attr_type = L2TP_AVP_TYPE_ASSINGED_TUNNEL_ID; 1566 avp_set_val16(avp, _this->tunnel_id); 1567 bytebuf_add_avp(bytebuf, avp, 2); 1568 1569 /* Bearer Capability 1570 * This implementation never act as LAC. 1571 * 1572 memset(avp, 0, sizeof(*avp)); 1573 avp->is_mandatory = 1; 1574 avp->attr_type = L2TP_AVP_TYPE_BEARER_CAPABILITIES; 1575 avp_set_val32(avp, 0); 1576 bytebuf_add_avp(bytebuf, avp, 4); 1577 */ 1578 1579 /* Firmware Revision */ 1580 memset(avp, 0, sizeof(*avp)); 1581 avp->is_mandatory = 0; 1582 avp->attr_type = L2TP_AVP_TYPE_FIRMWARE_REVISION; 1583 avp->attr_value[0] = MAJOR_VERSION; 1584 avp->attr_value[1] = MINOR_VERSION; 1585 bytebuf_add_avp(bytebuf, avp, 2); 1586 1587 /* Vendor Name */ 1588 if ((val = L2TP_CTRL_CONF(_this)->vendor_name) != NULL) { 1589 memset(avp, 0, sizeof(*avp)); 1590 avp->is_mandatory = 0; 1591 avp->attr_type = L2TP_AVP_TYPE_VENDOR_NAME; 1592 1593 len = strlen(val); 1594 memcpy(avp->attr_value, val, len); 1595 bytebuf_add_avp(bytebuf, avp, len); 1596 } 1597 1598 /* Window Size */ 1599 memset(avp, 0, sizeof(*avp)); 1600 avp->is_mandatory = 1; 1601 avp->attr_type = L2TP_AVP_TYPE_RECV_WINDOW_SIZE; 1602 avp_set_val16(avp, _this->winsz); 1603 bytebuf_add_avp(bytebuf, avp, 2); 1604 1605 if ((l2tp_ctrl_send_packet(_this, 0, bytebuf)) != 0) { 1606 l2tp_ctrl_log(_this, LOG_ERR, "sending SCCRP failed"); 1607 l2tp_ctrl_stop(_this, L2TP_STOP_CCN_RCODE_GENERAL); 1608 return; 1609 } 1610 l2tp_ctrl_log(_this, LOG_INFO, "SendSCCRP"); 1611 } 1612 1613 static int 1614 l2tp_ctrl_send_HELLO(l2tp_ctrl *_this) 1615 { 1616 struct l2tp_avp *avp; 1617 char buf[L2TP_AVP_MAXSIZ]; 1618 bytebuffer *bytebuf; 1619 1620 if ((bytebuf = l2tp_ctrl_prepare_snd_buffer(_this, 1)) == NULL) { 1621 l2tp_ctrl_log(_this, LOG_ERR, 1622 "sending HELLO failed: no buffer."); 1623 return 1; 1624 } 1625 avp = (struct l2tp_avp *)buf; 1626 1627 /* Message Type = HELLO */ 1628 memset(avp, 0, sizeof(*avp)); 1629 avp->is_mandatory = 1; 1630 avp->attr_type = L2TP_AVP_TYPE_MESSAGE_TYPE; 1631 avp_set_val16(avp, L2TP_AVP_MESSAGE_TYPE_HELLO); 1632 bytebuf_add_avp(bytebuf, avp, 2); 1633 1634 if ((l2tp_ctrl_send_packet(_this, 0, bytebuf)) != 0) { 1635 l2tp_ctrl_log(_this, LOG_ERR, "sending HELLO failed"); 1636 l2tp_ctrl_stop(_this, L2TP_STOP_CCN_RCODE_GENERAL); 1637 return 1; 1638 } 1639 l2tp_ctrl_log(_this, LOG_DEBUG, "SendHELLO"); 1640 1641 return 0; 1642 } 1643 1644 /* Send ZLB */ 1645 static int 1646 l2tp_ctrl_send_ZLB(l2tp_ctrl *_this) 1647 { 1648 int loglevel; 1649 1650 loglevel = (_this->state == L2TP_CTRL_STATE_ESTABLISHED) 1651 ? LOG_DEBUG : LOG_INFO; 1652 l2tp_ctrl_log(_this, loglevel, "SendZLB"); 1653 bytebuffer_clear(_this->zlb_buffer); 1654 bytebuffer_put(_this->zlb_buffer, BYTEBUFFER_PUT_DIRECT, 1655 sizeof(struct l2tp_header)); 1656 1657 return l2tp_ctrl_send_packet(_this, 0, _this->zlb_buffer); 1658 } 1659 1660 /* 1661 * Utitlity 1662 */ 1663 1664 /** 1665 * Prepare send buffer 1666 * @return return Null when the send buffer exceed Window. 1667 */ 1668 bytebuffer * 1669 l2tp_ctrl_prepare_snd_buffer(l2tp_ctrl *_this, int with_seq) 1670 { 1671 bytebuffer *bytebuf; 1672 1673 L2TP_CTRL_ASSERT(_this != NULL); 1674 1675 if (l2tp_ctrl_txwin_is_full(_this)) { 1676 l2tp_ctrl_log(_this, LOG_INFO, "sending buffer is full."); 1677 return NULL; 1678 } 1679 bytebuf = _this->snd_buffers[_this->snd_nxt % _this->snd_buffercnt]; 1680 bytebuffer_clear(bytebuf); 1681 if (with_seq) 1682 bytebuffer_put(bytebuf, BYTEBUFFER_PUT_DIRECT, 1683 sizeof(struct l2tp_header)); 1684 else 1685 bytebuffer_put(bytebuf, BYTEBUFFER_PUT_DIRECT, 1686 offsetof(struct l2tp_header, ns)); 1687 1688 return bytebuf; 1689 } 1690 1691 /** 1692 * return current state as strings 1693 */ 1694 static inline const char * 1695 l2tp_ctrl_state_string(l2tp_ctrl *_this) 1696 { 1697 switch (_this->state) { 1698 case L2TP_CTRL_STATE_IDLE: return "idle"; 1699 case L2TP_CTRL_STATE_WAIT_CTL_CONN: return "wait-ctl-conn"; 1700 case L2TP_CTRL_STATE_WAIT_CTL_REPLY: return "wait-ctl-reply"; 1701 case L2TP_CTRL_STATE_ESTABLISHED: return "established"; 1702 case L2TP_CTRL_STATE_CLEANUP_WAIT: return "cleanup-wait"; 1703 } 1704 return "unknown"; 1705 } 1706 1707 /* logging with the label of the l2tp instance. */ 1708 void 1709 l2tp_ctrl_log(l2tp_ctrl *_this, int prio, const char *fmt, ...) 1710 { 1711 char logbuf[BUFSIZ]; 1712 va_list ap; 1713 1714 va_start(ap, fmt); 1715 #ifdef L2TPD_MULTIPLE 1716 snprintf(logbuf, sizeof(logbuf), "l2tpd id=%u ctrl=%u %s", 1717 _this->l2tpd->id, _this->id, fmt); 1718 #else 1719 snprintf(logbuf, sizeof(logbuf), "l2tpd ctrl=%u %s", _this->id, fmt); 1720 #endif 1721 vlog_printf(prio, logbuf, ap); 1722 va_end(ap); 1723 } 1724