1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
|
/* $OpenBSD: pipex_local.h,v 1.25 2017/05/04 15:00:24 bluhm Exp $ */
/*
* Copyright (c) 2009 Internet Initiative Japan Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef __OpenBSD__
#define Static
#else
#define Static static
#endif
#define PIPEX_PPTP 1
#define PIPEX_L2TP 1
#define PIPEX_PPPOE 1
#define PIPEX_MPPE 1
#define PIPEX_REWIND_LIMIT 64
#define PIPEX_ENABLED 0x0001
/* compile time option constants */
#ifndef PIPEX_MAX_SESSION
#define PIPEX_MAX_SESSION 512
#endif
#define PIPEX_HASH_DIV 8
#define PIPEX_HASH_SIZE (PIPEX_MAX_SESSION/PIPEX_HASH_DIV)
#define PIPEX_HASH_MASK (PIPEX_HASH_SIZE-1)
#define PIPEX_CLOSE_TIMEOUT 30
#define PIPEX_PPPMINLEN 5
/* minimum PPP header length is 1 and minimum ppp payload length is 4 */
#ifndef NNBY /* usually defined on the <sys/types.h> */
#define NNBY 8 /* number of bits of a byte */
#endif
#define PIPEX_MPPE_NOLDKEY 64 /* should be power of two */
#define PIPEX_MPPE_OLDKEYMASK (PIPEX_MPPE_NOLDKEY - 1)
#ifdef PIPEX_MPPE
/* mppe rc4 key */
struct pipex_mppe {
int16_t stateless:1, /* key change mode */
resetreq:1,
reserved:14;
int16_t keylenbits; /* key length */
int16_t keylen;
uint16_t coher_cnt; /* cohency counter */
struct rc4_ctx rc4ctx;
u_char master_key[PIPEX_MPPE_KEYLEN]; /* master key of MPPE */
u_char session_key[PIPEX_MPPE_KEYLEN]; /* session key of MPPE */
u_char (*old_session_keys)[PIPEX_MPPE_KEYLEN]; /* old session keys */
};
#endif /* PIPEX_MPPE */
#ifdef PIPEX_PPPOE
struct pipex_pppoe_session {
struct ifnet *over_ifp; /* ether interface */
};
#endif /* PIPEX_PPPOE */
#ifdef PIPEX_PPTP
struct pipex_pptp_session {
/* sequence number gap between pipex and userland */
int32_t snd_gap; /* gap of our sequence */
int32_t rcv_gap; /* gap of peer's sequence */
int32_t ul_snd_una; /* userland send acked seq */
uint32_t snd_nxt; /* send next */
uint32_t rcv_nxt; /* receive next */
uint32_t snd_una; /* send acked sequence */
uint32_t rcv_acked; /* recv acked sequence */
int winsz; /* windows size */
int maxwinsz; /* max windows size */
int peer_maxwinsz; /* peer's max windows size */
};
#endif /* PIPEX_PPTP */
#ifdef PIPEX_L2TP
/*
* L2TP Packet headers
*
* +----+---+----+---+----+--------+
* |IPv4|UDP|L2TP|PPP|IPv4|Data....|
* +----+---+----+---+----+--------+
*
* Session Data
*
* IPv4 IP_SRC <-- required for encap.
* IP_DST <-- required for encap.
*
* UDP SPort <-- required for encap.
* DPort <-- required for encap.
*
* L2TP FLAGS <-- only handle TYPE=0 (data)
* Tunnel ID <-- ID per tunnel(NOT a key: differed from RFC)
* Session ID <-- ID per PPP session(KEY to look up session)
* Ns(SEND SEQ) <-- sequence number of packet to send(opt.)
* Nr(RECV SEQ) <-- sequence number of packet to recv(opt.)
*
* - Recv Session lookup key is (Tunnnel ID, Session ID) in RFC.
* - BUT (Session ID) in PIPEX. SESSION ID MUST BE UNIQ.
*
* - We must update (Ns, Nr) of data channel. and we must adjust (Ns, Nr)
* in packets from/to userland.
*/
struct pipex_l2tp_session {
/* KEYS for session lookup (host byte order) */
uint16_t tunnel_id; /* our tunnel-id */
uint16_t peer_tunnel_id; /* peer's tunnel-id */
/* protocol options */
uint32_t option_flags;
int16_t ns_gap; /* gap between userland and pipex */
int16_t nr_gap; /* gap between userland and pipex */
uint16_t ul_ns_una; /* unacked sequence number (userland) */
uint16_t ns_nxt; /* next sequence number to send */
uint16_t ns_una; /* unacked sequence number to send*/
uint16_t nr_nxt; /* next sequence number to recv */
uint16_t nr_acked; /* acked sequence number to recv */
uint32_t ipsecflowinfo; /* IPsec SA flow id for NAT-T */
};
#endif /* PIPEX_L2TP */
/* pppac ip-extension sessoin table */
struct pipex_session {
struct radix_node ps4_rn[2]; /* tree glue, and other values */
struct radix_node ps6_rn[2]; /* tree glue, and other values */
LIST_ENTRY(pipex_session) session_list; /* all session chain */
LIST_ENTRY(pipex_session) state_list; /* state list chain */
LIST_ENTRY(pipex_session) id_chain; /* id hash chain */
LIST_ENTRY(pipex_session) peer_addr_chain;
/* peer's address hash chain */
uint16_t state; /* pipex session state */
#define PIPEX_STATE_INITIAL 0x0000
#define PIPEX_STATE_OPENED 0x0001
#define PIPEX_STATE_CLOSE_WAIT 0x0002
#define PIPEX_STATE_CLOSE_WAIT2 0x0003
#define PIPEX_STATE_CLOSED 0x0004
uint16_t ip_forward:1, /* {en|dis}ableIP forwarding */
ip6_forward:1, /* {en|dis}able IPv6 forwarding */
is_multicast:1, /* virtual entry for multicast */
reserved:13;
uint16_t protocol; /* tunnel protocol (PK) */
uint16_t session_id; /* session-id (PK) */
uint16_t peer_session_id; /* peer's session-id */
uint16_t peer_mru; /* peer's MRU */
uint32_t timeout_sec; /* idle timeout */
int ppp_id; /* PPP id */
struct sockaddr_in ip_address; /* remote address (AK) */
struct sockaddr_in ip_netmask; /* remote address mask (AK) */
struct sockaddr_in6 ip6_address; /* remote IPv6 address */
int ip6_prefixlen; /* remote IPv6 prefixlen */
struct pipex_iface_context* pipex_iface;/* context for interface */
uint32_t ppp_flags; /* configure flags */
#ifdef PIPEX_MPPE
int ccp_id; /* CCP packet id */
struct pipex_mppe
mppe_recv, /* MPPE context for incoming */
mppe_send; /* MPPE context for outgoing */
#endif /*PIPEXMPPE */
struct pipex_statistics stat; /* statistics */
union {
#ifdef PIPEX_PPPOE
struct pipex_pppoe_session pppoe; /* context for PPPoE */
#endif /* PIPEX_PPPOE */
#ifdef PIPEX_PPTP
struct pipex_pptp_session pptp; /* context for PPTP */
#endif /* PIPEX_PPTP */
#ifdef PIPEX_L2TP
struct pipex_l2tp_session l2tp;
#endif
char _proto_unknown[0];
} proto;
union {
struct sockaddr sa;
struct sockaddr_in sin4;
struct sockaddr_in6 sin6;
struct sockaddr_dl sdl;
} peer, local;
};
/* gre header */
struct pipex_gre_header {
uint16_t flags; /* flags and version*/
#define PIPEX_GRE_KFLAG 0x2000 /* keys present */
#define PIPEX_GRE_SFLAG 0x1000 /* seq present */
#define PIPEX_GRE_AFLAG 0x0080 /* ack present */
#define PIPEX_GRE_VER 0x0001 /* gre version code */
#define PIPEX_GRE_VERMASK 0x0007 /* gre version mask */
#define PIPEX_GRE_UNUSEDFLAGS 0xcf78 /* unused at pptp. set 0 in rfc2637 */
uint16_t type;
#define PIPEX_GRE_PROTO_PPP 0x880b /* gre/ppp */
uint16_t len; /* length not include gre header */
uint16_t call_id; /* call_id */
} __packed;
/* pppoe header */
struct pipex_pppoe_header {
uint8_t vertype; /* version and type */
#define PIPEX_PPPOE_VERTYPE 0x11 /* version and type code */
uint8_t code; /* code */
#define PIPEX_PPPOE_CODE_SESSION 0x00 /* code session */
uint16_t session_id; /* session id */
uint16_t length; /* length */
} __packed;
/* l2tp header */
struct pipex_l2tp_header {
uint16_t flagsver;
#define PIPEX_L2TP_FLAG_MASK 0xfff0
#define PIPEX_L2TP_FLAG_TYPE 0x8000
#define PIPEX_L2TP_FLAG_LENGTH 0x4000
#define PIPEX_L2TP_FLAG_SEQUENCE 0x0800
#define PIPEX_L2TP_FLAG_OFFSET 0x0200
#define PIPEX_L2TP_FLAG_PRIORITY 0x0100
#define PIPEX_L2TP_VER_MASK 0x000f
#define PIPEX_L2TP_VER 2
uint16_t length; /* optional */
uint16_t tunnel_id;
uint16_t session_id;
/* can be followed by option header */
} __packed;
/* l2tp option header */
struct pipex_l2tp_seq_header {
uint16_t ns;
uint16_t nr;
} __packed;
struct pipex_l2tp_offset_header {
uint16_t offset_size;
/* uint8_t offset_pad[] */
} __packed;
#ifdef PIPEX_DEBUG
#define PIPEX_DBG(a) if (pipex_debug & 1) pipex_session_log a
/* #define PIPEX_MPPE_DBG(a) if (pipex_debug & 1) pipex_session_log a */
#define PIPEX_MPPE_DBG(a)
#else
#define PIPEX_DBG(a)
#define PIPEX_MPPE_DBG(a)
#endif /* PIPEX_DEBUG */
LIST_HEAD(pipex_hash_head, pipex_session);
extern struct pipex_hash_head pipex_session_list;
extern struct pipex_hash_head pipex_close_wait_list;
extern struct pipex_hash_head pipex_peer_addr_hashtable[];
extern struct pipex_hash_head pipex_id_hashtable[];
#define PIPEX_ID_HASHTABLE(key) \
(&pipex_id_hashtable[(key) & PIPEX_HASH_MASK])
#define PIPEX_PEER_ADDR_HASHTABLE(key) \
(&pipex_peer_addr_hashtable[(key) & PIPEX_HASH_MASK])
#define GETCHAR(c, cp) do { \
(c) = *(cp)++; \
} while (0)
#define PUTCHAR(s, cp) do { \
*(cp)++ = (u_char)(s); \
} while (0)
#define GETSHORT(s, cp) do { \
(s) = *(cp)++ << 8; \
(s) |= *(cp)++; \
} while (0)
#define PUTSHORT(s, cp) do { \
*(cp)++ = (u_char) ((s) >> 8); \
*(cp)++ = (u_char) (s); \
} while (0)
#define GETLONG(l, cp) do { \
(l) = *(cp)++ << 8; \
(l) |= *(cp)++; (l) <<= 8; \
(l) |= *(cp)++; (l) <<= 8; \
(l) |= *(cp)++; \
} while (0)
#define PUTLONG(l, cp) do { \
*(cp)++ = (u_char) ((l) >> 24); \
*(cp)++ = (u_char) ((l) >> 16); \
*(cp)++ = (u_char) ((l) >> 8); \
*(cp)++ = (u_char) (l); \
} while (0)
#define PIPEX_PULLUP(m0, l) \
if ((m0)->m_len < (l)) { \
if ((m0)->m_pkthdr.len < (l)) { \
PIPEX_DBG((NULL, LOG_DEBUG, \
"<%s> received packet is too short.", \
__func__)); \
m_freem(m0); \
(m0) = NULL; \
} else { \
(m0) = m_pullup((m0), (l)); \
KASSERT((m0) != NULL); \
} \
}
#define PIPEX_SEEK_NEXTHDR(ptr, len, t) \
((t) (((char *)ptr) + len))
#define SEQ32_LT(a,b) ((int)((a) - (b)) < 0)
#define SEQ32_LE(a,b) ((int)((a) - (b)) <= 0)
#define SEQ32_GT(a,b) ((int)((a) - (b)) > 0)
#define SEQ32_GE(a,b) ((int)((a) - (b)) >= 0)
#define SEQ32_SUB(a,b) ((int32_t)((a) - (b)))
#define SEQ16_LT(a,b) ((int)((a) - (b)) < 0)
#define SEQ16_LE(a,b) ((int)((a) - (b)) <= 0)
#define SEQ16_GT(a,b) ((int)((a) - (b)) > 0)
#define SEQ16_GE(a,b) ((int)((a) - (b)) >= 0)
#define SEQ16_SUB(a,b) ((int16_t)((a) - (b)))
#define pipex_session_is_acfc_accepted(s) \
(((s)->ppp_flags & PIPEX_PPP_ACFC_ACCEPTED)? 1 : 0)
#define pipex_session_is_pfc_accepted(s) \
(((s)->ppp_flags & PIPEX_PPP_PFC_ACCEPTED)? 1 : 0)
#define pipex_session_is_acfc_enabled(s) \
(((s)->ppp_flags & PIPEX_PPP_ACFC_ENABLED)? 1 : 0)
#define pipex_session_is_pfc_enabled(s) \
(((s)->ppp_flags & PIPEX_PPP_PFC_ENABLED)? 1 : 0)
#define pipex_session_has_acf(s) \
(((s)->ppp_flags & PIPEX_PPP_HAS_ACF)? 1 : 0)
#define pipex_session_is_mppe_accepted(s) \
(((s)->ppp_flags & PIPEX_PPP_MPPE_ACCEPTED)? 1 : 0)
#define pipex_session_is_mppe_enabled(s) \
(((s)->ppp_flags & PIPEX_PPP_MPPE_ENABLED)? 1 : 0)
#define pipex_session_is_mppe_required(s) \
(((s)->ppp_flags & PIPEX_PPP_MPPE_REQUIRED)? 1 : 0)
#define pipex_mppe_rc4_keybits(r) ((r)->keylen << 3)
#define pipex_session_is_l2tp_data_sequencing_on(s) \
(((s)->proto.l2tp.option_flags & PIPEX_L2TP_USE_SEQUENCING) ? 1 : 0)
#define PIPEX_IPGRE_HDRLEN (sizeof(struct ip) + sizeof(struct pipex_gre_header))
#define PIPEX_TCP_OPTLEN 40
#define PIPEX_L2TP_MINLEN 8
/*
* static function prototypes
*/
Static void pipex_iface_start (struct pipex_iface_context *);
Static void pipex_iface_stop (struct pipex_iface_context *);
Static int pipex_add_session (struct pipex_session_req *, struct pipex_iface_context *);
Static int pipex_close_session (struct pipex_session_close_req *);
Static int pipex_config_session (struct pipex_session_config_req *);
Static int pipex_get_stat (struct pipex_session_stat_req *);
Static int pipex_get_closed (struct pipex_session_list_req *);
Static int pipex_destroy_session (struct pipex_session *);
Static struct pipex_session *pipex_lookup_by_ip_address (struct in_addr);
Static struct pipex_session *pipex_lookup_by_session_id (int, int);
Static void pipex_ip_output (struct mbuf *, struct pipex_session *);
Static void pipex_ppp_output (struct mbuf *, struct pipex_session *, int);
Static inline int pipex_ppp_proto (struct mbuf *, struct pipex_session *, int, int *);
Static void pipex_ppp_input (struct mbuf *, struct pipex_session *, int);
Static void pipex_ip_input (struct mbuf *, struct pipex_session *);
#ifdef INET6
Static void pipex_ip6_input (struct mbuf *, struct pipex_session *);
#endif
Static struct mbuf *pipex_common_input(struct pipex_session *, struct mbuf *, int, int);
#ifdef PIPEX_PPPOE
Static void pipex_pppoe_output (struct mbuf *, struct pipex_session *);
#endif
#ifdef PIPEX_PPTP
Static void pipex_pptp_output (struct mbuf *, struct pipex_session *, int, int);
Static struct pipex_session *pipex_pptp_userland_lookup_session(struct mbuf *, struct sockaddr *);
#endif
#ifdef PIPEX_L2TP
Static void pipex_l2tp_output (struct mbuf *, struct pipex_session *);
#endif
#ifdef PIPEX_MPPE
Static void pipex_mppe_init (struct pipex_mppe *, int, int, u_char *, int);
Static void GetNewKeyFromSHA (u_char *, u_char *, int, u_char *);
Static void pipex_mppe_reduce_key (struct pipex_mppe *);
Static void mppe_key_change (struct pipex_mppe *);
Static void pipex_mppe_input (struct mbuf *, struct pipex_session *);
Static void pipex_mppe_output (struct mbuf *, struct pipex_session *, uint16_t);
Static void pipex_ccp_input (struct mbuf *, struct pipex_session *);
Static int pipex_ccp_output (struct pipex_session *, int, int);
Static inline int pipex_mppe_setkey(struct pipex_mppe *);
Static inline int pipex_mppe_setoldkey(struct pipex_mppe *, uint16_t);
Static inline void pipex_mppe_crypt(struct pipex_mppe *, int, u_char *, u_char *);
#endif
Static struct mbuf *adjust_tcp_mss (struct mbuf *, int);
Static struct mbuf *ip_is_idle_packet (struct mbuf *, int *);
Static void pipex_session_log (struct pipex_session *, int, const char *, ...) __attribute__((__format__(__printf__,3,4)));
Static uint32_t pipex_sockaddr_hash_key(struct sockaddr *);
Static int pipex_sockaddr_compar_addr(struct sockaddr *, struct sockaddr *);
Static int pipex_ppp_enqueue (struct mbuf *, struct pipex_session *, struct mbuf_queue *);
Static void pipex_ppp_dequeue (void);
Static void pipex_timer_start (void);
Static void pipex_timer_stop (void);
Static void pipex_timer (void *);
|