1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
|
/* $OpenBSD: pipex_local.h,v 1.51 2024/01/23 17:57:21 mvs Exp $ */
/*
* Copyright (c) 2009 Internet Initiative Japan Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/mutex.h>
#include <sys/refcnt.h>
extern struct mutex pipex_list_mtx;
#define PIPEX_PPTP 1
#define PIPEX_L2TP 1
#define PIPEX_PPPOE 1
#define PIPEX_MPPE 1
#define PIPEX_REWIND_LIMIT 64
#define PIPEX_ENABLED 0x0001
/* compile time option constants */
#ifndef PIPEX_MAX_SESSION
#define PIPEX_MAX_SESSION 512
#endif
#define PIPEX_HASH_DIV 8
#define PIPEX_HASH_SIZE (PIPEX_MAX_SESSION/PIPEX_HASH_DIV)
#define PIPEX_HASH_MASK (PIPEX_HASH_SIZE-1)
#define PIPEX_CLOSE_TIMEOUT 30
#define PIPEX_PPPMINLEN 5
/* minimum PPP header length is 1 and minimum ppp payload length is 4 */
#define PIPEX_MPPE_NOLDKEY 64 /* should be power of two */
#define PIPEX_MPPE_OLDKEYMASK (PIPEX_MPPE_NOLDKEY - 1)
/*
* Locks used to protect struct members:
* A atomic operation
* I immutable after creation
* L pipex_list_mtx
* s this pipex_session' `pxs_mtx'
* m this pipex_mppe' `pxm_mtx'
*/
#ifdef PIPEX_MPPE
/* mppe rc4 key */
struct pipex_mppe {
struct mutex pxm_mtx;
u_int flags; /* [m] flags, see below */
#define PIPEX_MPPE_STATELESS 0x01 /* [I] key change mode */
#define PIPEX_MPPE_RESETREQ 0x02 /* [m] */
int16_t keylenbits; /* [I] key length */
int16_t keylen; /* [I] */
uint16_t coher_cnt; /* [m] coherency counter */
struct rc4_ctx rc4ctx; /* [m] */
u_char master_key[PIPEX_MPPE_KEYLEN]; /* [m] master key of MPPE */
u_char session_key[PIPEX_MPPE_KEYLEN]; /* [m] session key of MPPE */
u_char (*old_session_keys)[PIPEX_MPPE_KEYLEN];
/* [m] old session keys */
};
#endif /* PIPEX_MPPE */
#ifdef PIPEX_PPPOE
struct pipex_pppoe_session {
u_int over_ifidx; /* [I] ether interface */
};
#endif /* PIPEX_PPPOE */
#ifdef PIPEX_PPTP
struct pipex_pptp_session {
/* sequence number gap between pipex and userland */
int32_t snd_gap; /* [s] gap of our sequence */
int32_t rcv_gap; /* [s] gap of peer's sequence */
int32_t ul_snd_una; /* [s] userland send acked seq */
uint32_t snd_nxt; /* [s] send next */
uint32_t rcv_nxt; /* [s] receive next */
uint32_t snd_una; /* [s] send acked sequence */
uint32_t rcv_acked; /* [s] recv acked sequence */
int winsz; /* [I] windows size */
int maxwinsz; /* [I] max windows size */
int peer_maxwinsz; /* [I] peer's max windows size */
};
#endif /* PIPEX_PPTP */
#ifdef PIPEX_L2TP
/*
* L2TP Packet headers
*
* +----+---+----+---+----+--------+
* |IPv4|UDP|L2TP|PPP|IPv4|Data....|
* +----+---+----+---+----+--------+
*
* Session Data
*
* IPv4 IP_SRC <-- required for encap.
* IP_DST <-- required for encap.
*
* UDP SPort <-- required for encap.
* DPort <-- required for encap.
*
* L2TP FLAGS <-- only handle TYPE=0 (data)
* Tunnel ID <-- ID per tunnel(NOT a key: differed from RFC)
* Session ID <-- ID per PPP session(KEY to look up session)
* Ns(SEND SEQ) <-- sequence number of packet to send(opt.)
* Nr(RECV SEQ) <-- sequence number of packet to recv(opt.)
*
* - Recv Session lookup key is (Tunnnel ID, Session ID) in RFC.
* - BUT (Session ID) in PIPEX. SESSION ID MUST BE UNIQ.
*
* - We must update (Ns, Nr) of data channel. and we must adjust (Ns, Nr)
* in packets from/to userland.
*/
struct pipex_l2tp_session {
/* KEYS for session lookup (host byte order) */
uint16_t tunnel_id; /* [I] our tunnel-id */
uint16_t peer_tunnel_id; /* [I] peer's tunnel-id */
uint32_t option_flags; /* [I] protocol options */
int16_t ns_gap; /* [s] gap between userland and pipex */
int16_t nr_gap; /* [s] gap between userland and pipex */
uint16_t ul_ns_una; /* [s] unacked sequence number (userland) */
uint16_t ns_nxt; /* [s] next sequence number to send */
uint16_t ns_una; /* [s] unacked sequence number to send */
uint16_t nr_nxt; /* [s] next sequence number to recv */
uint16_t nr_acked; /* [s] acked sequence number to recv */
uint32_t ipsecflowinfo; /* [s] IPsec SA flow id for NAT-T */
};
#endif /* PIPEX_L2TP */
struct cpumem;
/* special iterator session */
struct pipex_session_iterator {
/* Fields below should be in sync with pipex_session structure */
struct radix_node ps4_rn[2];
u_int flags; /* [I] flags, see below */
LIST_ENTRY(pipex_session) session_list; /* [L] all session chain */
};
/* pppac ip-extension session table */
struct pipex_session {
struct radix_node ps4_rn[2];
/* [L] tree glue, and other values */
u_int flags; /* [I] flags, see below */
#define PIPEX_SFLAGS_MULTICAST 0x01 /* virtual entry for multicast */
#define PIPEX_SFLAGS_PPPX 0x02 /* interface is
point2point(pppx) */
#define PIPEX_SFLAGS_ITERATOR 0x04 /* iterator session */
LIST_ENTRY(pipex_session) session_list; /* [L] all session chain */
LIST_ENTRY(pipex_session) state_list; /* [L] state list chain */
LIST_ENTRY(pipex_session) id_chain; /* [L] id hash chain */
LIST_ENTRY(pipex_session) peer_addr_chain;
/* [L] peer's address hash chain */
struct refcnt pxs_refcnt;
struct mutex pxs_mtx;
u_int state; /* [L] pipex session state */
#define PIPEX_STATE_INITIAL 0x0000
#define PIPEX_STATE_OPENED 0x0001
#define PIPEX_STATE_CLOSE_WAIT 0x0002
#define PIPEX_STATE_CLOSE_WAIT2 0x0003
#define PIPEX_STATE_CLOSED 0x0004
uint32_t idle_time; /* [L] idle time in seconds */
uint16_t protocol; /* [I] tunnel protocol (PK) */
uint16_t session_id; /* [I] session-id (PK) */
uint16_t peer_session_id; /* [I] peer's session-id */
uint16_t peer_mru; /* [I] peer's MRU */
uint32_t timeout_sec; /* [I] idle timeout */
int ppp_id; /* [I] PPP id */
struct sockaddr_in ip_address; /* [I] remote address (AK) */
struct sockaddr_in ip_netmask; /* [I] remote address mask (AK) */
struct sockaddr_in6 ip6_address; /* [I] remote IPv6 address */
int ip6_prefixlen; /* [I] remote IPv6 prefixlen */
u_int ifindex; /* [A] interface index */
void *ownersc; /* [I] owner context */
uint32_t ppp_flags; /* [I] configure flags */
#ifdef PIPEX_MPPE
int ccp_id; /* [s] CCP packet id */
struct pipex_mppe
mppe_recv, /* MPPE context for incoming */
mppe_send; /* MPPE context for outgoing */
#endif /*PIPEXMPPE */
struct cpumem *stat_counters;
union {
#ifdef PIPEX_PPPOE
struct pipex_pppoe_session pppoe; /* context for PPPoE */
#endif /* PIPEX_PPPOE */
#ifdef PIPEX_PPTP
struct pipex_pptp_session pptp; /* context for PPTP */
#endif /* PIPEX_PPTP */
#ifdef PIPEX_L2TP
struct pipex_l2tp_session l2tp;
#endif
char _proto_unknown[0];
} proto;
union {
struct sockaddr sa;
struct sockaddr_in sin4;
struct sockaddr_in6 sin6;
struct sockaddr_dl sdl;
} peer, local; /* [I] */
};
enum pipex_counters {
pxc_ipackets, /* packets received from tunnel */
pxc_ierrors, /* error packets received from tunnel */
pxc_ibytes, /* number of received bytes from tunnel */
pxc_opackets, /* packets sent to tunnel */
pxc_oerrors, /* error packets on sending to tunnel */
pxc_obytes, /* number of sent bytes to tunnel */
pxc_ncounters
};
/* gre header */
struct pipex_gre_header {
uint16_t flags; /* flags and version*/
#define PIPEX_GRE_KFLAG 0x2000 /* keys present */
#define PIPEX_GRE_SFLAG 0x1000 /* seq present */
#define PIPEX_GRE_AFLAG 0x0080 /* ack present */
#define PIPEX_GRE_VER 0x0001 /* gre version code */
#define PIPEX_GRE_VERMASK 0x0007 /* gre version mask */
#define PIPEX_GRE_UNUSEDFLAGS 0xcf78 /* unused at pptp. set 0 in rfc2637 */
uint16_t type;
#define PIPEX_GRE_PROTO_PPP 0x880b /* gre/ppp */
uint16_t len; /* length not include gre header */
uint16_t call_id; /* call_id */
} __packed;
/* pppoe header */
struct pipex_pppoe_header {
uint8_t vertype; /* version and type */
#define PIPEX_PPPOE_VERTYPE 0x11 /* version and type code */
uint8_t code; /* code */
#define PIPEX_PPPOE_CODE_SESSION 0x00 /* code session */
uint16_t session_id; /* session id */
uint16_t length; /* length */
} __packed;
/* l2tp header */
struct pipex_l2tp_header {
uint16_t flagsver;
#define PIPEX_L2TP_FLAG_MASK 0xfff0
#define PIPEX_L2TP_FLAG_TYPE 0x8000
#define PIPEX_L2TP_FLAG_LENGTH 0x4000
#define PIPEX_L2TP_FLAG_SEQUENCE 0x0800
#define PIPEX_L2TP_FLAG_OFFSET 0x0200
#define PIPEX_L2TP_FLAG_PRIORITY 0x0100
#define PIPEX_L2TP_VER_MASK 0x000f
#define PIPEX_L2TP_VER 2
uint16_t length; /* optional */
uint16_t tunnel_id;
uint16_t session_id;
/* can be followed by option header */
} __packed;
/* l2tp option header */
struct pipex_l2tp_seq_header {
uint16_t ns;
uint16_t nr;
} __packed;
struct pipex_l2tp_offset_header {
uint16_t offset_size;
/* uint8_t offset_pad[] */
} __packed;
#ifdef PIPEX_DEBUG
#define PIPEX_DBG(a) if (pipex_debug & 1) pipex_session_log a
/* #define PIPEX_MPPE_DBG(a) if (pipex_debug & 1) pipex_session_log a */
#define PIPEX_MPPE_DBG(a)
#else
#define PIPEX_DBG(a)
#define PIPEX_MPPE_DBG(a)
#endif /* PIPEX_DEBUG */
LIST_HEAD(pipex_hash_head, pipex_session);
extern struct pipex_hash_head pipex_session_list;
extern struct pipex_hash_head pipex_close_wait_list;
extern struct pipex_hash_head pipex_peer_addr_hashtable[];
extern struct pipex_hash_head pipex_id_hashtable[];
extern struct pool pipex_session_pool;
#define PIPEX_ID_HASHTABLE(key) \
(&pipex_id_hashtable[(key) & PIPEX_HASH_MASK])
#define PIPEX_PEER_ADDR_HASHTABLE(key) \
(&pipex_peer_addr_hashtable[(key) & PIPEX_HASH_MASK])
#define GETCHAR(c, cp) do { \
(c) = *(cp)++; \
} while (0)
#define PUTCHAR(s, cp) do { \
*(cp)++ = (u_char)(s); \
} while (0)
#define GETSHORT(s, cp) do { \
(s) = *(cp)++ << 8; \
(s) |= *(cp)++; \
} while (0)
#define PUTSHORT(s, cp) do { \
*(cp)++ = (u_char) ((s) >> 8); \
*(cp)++ = (u_char) (s); \
} while (0)
#define GETLONG(l, cp) do { \
(l) = *(cp)++ << 8; \
(l) |= *(cp)++; (l) <<= 8; \
(l) |= *(cp)++; (l) <<= 8; \
(l) |= *(cp)++; \
} while (0)
#define PUTLONG(l, cp) do { \
*(cp)++ = (u_char) ((l) >> 24); \
*(cp)++ = (u_char) ((l) >> 16); \
*(cp)++ = (u_char) ((l) >> 8); \
*(cp)++ = (u_char) (l); \
} while (0)
#define PIPEX_PULLUP(m0, l) \
if ((m0)->m_len < (l)) { \
if ((m0)->m_pkthdr.len < (l)) { \
PIPEX_DBG((NULL, LOG_DEBUG, \
"<%s> received packet is too short.", \
__func__)); \
m_freem(m0); \
(m0) = NULL; \
} else { \
(m0) = m_pullup((m0), (l)); \
KASSERT((m0) != NULL); \
} \
}
#define PIPEX_SEEK_NEXTHDR(ptr, len, t) \
((t) (((char *)ptr) + len))
#define SEQ32_LT(a,b) ((int32_t)((a) - (b)) < 0)
#define SEQ32_LE(a,b) ((int32_t)((a) - (b)) <= 0)
#define SEQ32_GT(a,b) ((int32_t)((a) - (b)) > 0)
#define SEQ32_GE(a,b) ((int32_t)((a) - (b)) >= 0)
#define SEQ32_SUB(a,b) ((int32_t)((a) - (b)))
#define SEQ16_LT(a,b) ((int16_t)((a) - (b)) < 0)
#define SEQ16_LE(a,b) ((int16_t)((a) - (b)) <= 0)
#define SEQ16_GT(a,b) ((int16_t)((a) - (b)) > 0)
#define SEQ16_GE(a,b) ((int16_t)((a) - (b)) >= 0)
#define SEQ16_SUB(a,b) ((int16_t)((a) - (b)))
#define pipex_session_is_acfc_accepted(s) \
(((s)->ppp_flags & PIPEX_PPP_ACFC_ACCEPTED)? 1 : 0)
#define pipex_session_is_pfc_accepted(s) \
(((s)->ppp_flags & PIPEX_PPP_PFC_ACCEPTED)? 1 : 0)
#define pipex_session_is_acfc_enabled(s) \
(((s)->ppp_flags & PIPEX_PPP_ACFC_ENABLED)? 1 : 0)
#define pipex_session_is_pfc_enabled(s) \
(((s)->ppp_flags & PIPEX_PPP_PFC_ENABLED)? 1 : 0)
#define pipex_session_has_acf(s) \
(((s)->ppp_flags & PIPEX_PPP_HAS_ACF)? 1 : 0)
#define pipex_session_is_mppe_accepted(s) \
(((s)->ppp_flags & PIPEX_PPP_MPPE_ACCEPTED)? 1 : 0)
#define pipex_session_is_mppe_enabled(s) \
(((s)->ppp_flags & PIPEX_PPP_MPPE_ENABLED)? 1 : 0)
#define pipex_session_is_mppe_required(s) \
(((s)->ppp_flags & PIPEX_PPP_MPPE_REQUIRED)? 1 : 0)
#define pipex_mppe_rc4_keybits(r) ((r)->keylen << 3)
#define pipex_session_is_l2tp_data_sequencing_on(s) \
(((s)->proto.l2tp.option_flags & PIPEX_L2TP_USE_SEQUENCING) ? 1 : 0)
#define PIPEX_IPGRE_HDRLEN (sizeof(struct ip) + sizeof(struct pipex_gre_header))
#define PIPEX_TCP_OPTLEN 40
#define PIPEX_L2TP_MINLEN 8
void pipex_destroy_all_sessions (void *);
int pipex_init_session(struct pipex_session **,
struct pipex_session_req *);
int pipex_link_session(struct pipex_session *,
struct ifnet *, void *);
void pipex_unlink_session(struct pipex_session *);
void pipex_unlink_session_locked(struct pipex_session *);
void pipex_export_session_stats(struct pipex_session *,
struct pipex_statistics *);
int pipex_get_stat (struct pipex_session_stat_req *,
void *);
int pipex_get_closed (struct pipex_session_list_req *,
void *);
struct pipex_session *pipex_lookup_by_ip_address_locked (struct in_addr);
struct pipex_session *pipex_lookup_by_ip_address (struct in_addr);
struct pipex_session *pipex_lookup_by_session_id_locked (int, int);
struct pipex_session *pipex_lookup_by_session_id (int, int);
void pipex_ip_output (struct mbuf *, struct pipex_session *);
void pipex_ppp_output (struct mbuf *, struct pipex_session *, int);
int pipex_ppp_proto (struct mbuf *, struct pipex_session *, int, int *);
void pipex_ppp_input (struct mbuf *, struct pipex_session *, int);
void pipex_ip_input (struct mbuf *, struct pipex_session *);
#ifdef INET6
void pipex_ip6_input (struct mbuf *, struct pipex_session *);
#endif
struct mbuf *pipex_common_input(struct pipex_session *,
struct mbuf *, int, int, int);
#ifdef PIPEX_PPPOE
void pipex_pppoe_output (struct mbuf *, struct pipex_session *);
#endif
#ifdef PIPEX_PPTP
void pipex_pptp_output (struct mbuf *, struct pipex_session *, int, int);
struct pipex_session *pipex_pptp_userland_lookup_session(struct mbuf *, struct sockaddr *);
#endif
#ifdef PIPEX_L2TP
void pipex_l2tp_output (struct mbuf *, struct pipex_session *);
#endif
#ifdef PIPEX_MPPE
void pipex_mppe_init (struct pipex_mppe *, int, int, u_char *, int);
void GetNewKeyFromSHA (u_char *, u_char *, int, u_char *);
void pipex_mppe_reduce_key (struct pipex_mppe *);
void mppe_key_change (struct pipex_mppe *);
struct mbuf *pipex_mppe_input (struct mbuf *,
struct pipex_session *);
struct mbuf *pipex_mppe_output (struct mbuf *,
struct pipex_session *, uint16_t);
void pipex_ccp_input (struct mbuf *, struct pipex_session *);
int pipex_ccp_output (struct pipex_session *, int, int);
#endif
struct mbuf *adjust_tcp_mss (struct mbuf *, int);
struct mbuf *ip_is_idle_packet (struct mbuf *, int *);
void pipex_session_log (struct pipex_session *, int, const char *, ...) __attribute__((__format__(__printf__,3,4)));
uint32_t pipex_sockaddr_hash_key(struct sockaddr *);
int pipex_sockaddr_compar_addr(struct sockaddr *, struct sockaddr *);
int pipex_ppp_enqueue (struct mbuf *, struct pipex_session *, struct mbuf_queue *);
void pipex_timer_start (void);
void pipex_timer_stop (void);
void pipex_timer (void *);
struct pipex_session *pipex_iterator(struct pipex_session *,
struct pipex_session_iterator *, void *);
|