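/*	$OpenBSD: pipex_local.h,v 1.23 2015/11/14 14:53:13 miod Exp $	*/

/*
 * Copyright (c) 2009 Internet Initiative Japan Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * Private PIPEX definitions: compile-time limits, per-session state,
 * on-wire header layouts, byte-access helper macros and the prototypes of
 * the internal functions.
 */

#ifdef __OpenBSD__
#define Static
#else
#define Static static
#endif

/* tunnel protocols and features compiled in */
#define	PIPEX_PPTP	1
#define	PIPEX_L2TP	1
#define	PIPEX_PPPOE	1
#define	PIPEX_MPPE	1

#define PIPEX_REWIND_LIMIT		64

#define PIPEX_ENABLED			0x0001

/* compile time option constants */
#ifndef	PIPEX_MAX_SESSION
#define PIPEX_MAX_SESSION		512
#endif
#define PIPEX_HASH_DIV			8
#define PIPEX_HASH_SIZE			(PIPEX_MAX_SESSION/PIPEX_HASH_DIV)
/*
 * PIPEX_HASH_MASK is used as "key & mask" by the hashtable macros below.
 * That only selects every bucket when PIPEX_HASH_SIZE is a power of two, so
 * an overridden PIPEX_MAX_SESSION must keep
 * PIPEX_MAX_SESSION / PIPEX_HASH_DIV a power of two.
 */
#define PIPEX_HASH_MASK			(PIPEX_HASH_SIZE-1)
#define PIPEX_CLOSE_TIMEOUT		30
#define	PIPEX_PPPMINLEN			5
	/* minimum PPP header length is 1 and minimum ppp payload length is 4 */

#ifndef	NNBY		/* usually defined on the <sys/types.h> */
#define	NNBY	8	/* number of bits of a byte */
#endif

#define PIPEX_MPPE_NOLDKEY		64 /* should be power of two */
#define PIPEX_MPPE_OLDKEYMASK		(PIPEX_MPPE_NOLDKEY - 1)

#ifdef PIPEX_MPPE
/*
 * mppe rc4 key
 *
 * This structure holds live key material (master key, current session key,
 * RC4 state and a pointer to older session keys).
 * NOTE(review): confirm that the session teardown path wipes it (for
 * example with explicit_bzero()) before the memory is released; that code
 * is not visible from this header.
 */
struct pipex_mppe {
	/*
	 * NOTE(review): these are 1-bit fields of a signed type, so a set
	 * bit may read back as -1; test them for non-zero rather than
	 * comparing with 1.
	 */
	int16_t	stateless:1,			/* key change mode */
		resetreq:1,
		reserved:14;
	int16_t	keylenbits;			/* key length */
	int16_t	keylen;
	uint16_t coher_cnt;			/* coherency counter */
	struct  rc4_ctx rc4ctx;
	u_char master_key[PIPEX_MPPE_KEYLEN];	/* master key of MPPE */
	u_char session_key[PIPEX_MPPE_KEYLEN];	/* session key of MPPE */
	/*
	 * old session keys; presumably PIPEX_MPPE_NOLDKEY entries indexed
	 * with PIPEX_MPPE_OLDKEYMASK -- confirm against the allocation site
	 */
	u_char (*old_session_keys)[PIPEX_MPPE_KEYLEN];
};
#endif /* PIPEX_MPPE */

#ifdef PIPEX_PPPOE
struct pipex_pppoe_session {
	struct ifnet *over_ifp;			/* ether interface */
};
#endif /* PIPEX_PPPOE */

#ifdef PIPEX_PPTP
struct pipex_pptp_session {
	/* sequence number gap between pipex and userland */
	int32_t	snd_gap;			/* gap of our sequence */
	int32_t rcv_gap;			/* gap of peer's sequence */
	int32_t ul_snd_una;			/* userland send acked seq */

	uint32_t snd_nxt;			/* send next */
	uint32_t rcv_nxt;			/* receive next */
	uint32_t snd_una;			/* send acked sequence */
	uint32_t rcv_acked;			/* recv acked sequence */

	int winsz;				/* window size */
	int maxwinsz;				/* max window size */
	int peer_maxwinsz;			/* peer's max window size */
};
#endif /* PIPEX_PPTP */

#ifdef PIPEX_L2TP
/*
 * L2TP Packet headers
 *
 *   +----+---+----+---+----+--------+
 *   |IPv4|UDP|L2TP|PPP|IPv4|Data....|
 *   +----+---+----+---+----+--------+
 *
 * Session Data
 *
 *   IPv4    IP_SRC         <-- required for encap.
 *           IP_DST         <-- required for encap.
 *
 *   UDP     SPort          <-- required for encap.
 *           DPort          <-- required for encap.
 *
 *   L2TP    FLAGS          <-- only handle TYPE=0 (data)
 *           Tunnel ID      <-- ID per tunnel(NOT a key: differed from RFC)
 *           Session ID     <-- ID per PPP session(KEY to look up session)
 *           Ns(SEND SEQ)   <-- sequence number of packet to send(opt.)
 *           Nr(RECV SEQ)   <-- sequence number of packet to recv(opt.)
 *
 * - Recv Session lookup key is (Tunnel ID, Session ID) in RFC.
 *   - BUT (Session ID) in PIPEX. SESSION ID MUST BE UNIQ.
 *
 * - We must update (Ns, Nr) of data channel.  and we must adjust (Ns, Nr)
 *   in packets from/to userland.
 *
 * NOTE(review): because the Tunnel ID is not part of the lookup key,
 * confirm that the receive path validates the tunnel ID and peer address
 * of a packet separately after the session has been found.
 */
struct pipex_l2tp_session {
	/* KEYS for session lookup (host byte order) */
	uint16_t tunnel_id;		/* our tunnel-id */
	uint16_t peer_tunnel_id;	/* peer's tunnel-id */

	/* protocol options */
	uint32_t option_flags;

	int16_t ns_gap;		/* gap between userland and pipex */
	int16_t nr_gap;		/* gap between userland and pipex */
	uint16_t ul_ns_una;	/* unacked sequence number (userland) */

	uint16_t ns_nxt;	/* next sequence number to send */
	uint16_t ns_una;	/* unacked sequence number to send */

	uint16_t nr_nxt;	/* next sequence number to recv */
	uint16_t nr_acked;	/* acked sequence number to recv */
	uint32_t ipsecflowinfo;	/* IPsec SA flow id for NAT-T */
};
#endif /* PIPEX_L2TP */

/* pppac ip-extension session table */
struct pipex_session {
	struct radix_node	ps4_rn[2];  /* tree glue, and other values */
	struct radix_node	ps6_rn[2];  /* tree glue, and other values */
	LIST_ENTRY(pipex_session) session_list;	/* all session chain */
	LIST_ENTRY(pipex_session) state_list;	/* state list chain */
	LIST_ENTRY(pipex_session) id_chain;	/* id hash chain */
	LIST_ENTRY(pipex_session) peer_addr_chain;
						/* peer's address hash chain */
	uint16_t	state;			/* pipex session state */
#define PIPEX_STATE_INITIAL		0x0000
#define PIPEX_STATE_OPENED		0x0001
#define PIPEX_STATE_CLOSE_WAIT		0x0002
#define PIPEX_STATE_CLOSE_WAIT2		0x0003
#define PIPEX_STATE_CLOSED		0x0004

	uint16_t	ip_forward:1,		/* {en|dis}able IP forwarding */
			ip6_forward:1,		/* {en|dis}able IPv6 forwarding */
			is_multicast:1,		/* virtual entry for multicast */
			reserved:13;
	uint16_t	protocol;		/* tunnel protocol (PK) */
	uint16_t	session_id;		/* session-id (PK) */
	uint16_t	peer_session_id;	/* peer's session-id */
	uint16_t	peer_mru;		/* peer's MRU */
	uint32_t	timeout_sec;		/* idle timeout */
	int		ppp_id;			/* PPP id */

	struct sockaddr_in ip_address;		/* remote address (AK) */
	struct sockaddr_in ip_netmask;		/* remote address mask (AK) */
	struct sockaddr_in6 ip6_address;	/* remote IPv6 address */
	int		ip6_prefixlen;		/* remote IPv6 prefixlen */

	struct pipex_iface_context *pipex_iface; /* context for interface */

	uint32_t	ppp_flags;		/* configure flags */
#ifdef PIPEX_MPPE
	int	ccp_id;				/* CCP packet id */
	struct pipex_mppe
	    mppe_recv,				/* MPPE context for incoming */
	    mppe_send;				/* MPPE context for outgoing */
#endif /* PIPEX_MPPE */
	struct pipex_statistics	stat;		/* statistics */
	/* per-protocol state; which member is valid follows `protocol' */
	union {
#ifdef PIPEX_PPPOE
		struct pipex_pppoe_session pppoe;	/* context for PPPoE */
#endif /* PIPEX_PPPOE */
#ifdef PIPEX_PPTP
		struct pipex_pptp_session pptp;		/* context for PPTP */
#endif /* PIPEX_PPTP */
#ifdef PIPEX_L2TP
		struct pipex_l2tp_session l2tp;
#endif
		char _proto_unknown[0];
	} proto;
	union {
		struct sockaddr_in	sin4;
		struct sockaddr_in6	sin6;
		struct sockaddr_dl	sdl;
	} peer, local;
};

/* gre header */
struct pipex_gre_header {
	uint16_t flags;				/* flags and version*/
#define PIPEX_GRE_KFLAG			0x2000	/* keys present */
#define PIPEX_GRE_SFLAG			0x1000	/* seq present */
#define PIPEX_GRE_AFLAG			0x0080	/* ack present */
#define PIPEX_GRE_VER			0x0001	/* gre version code */
#define PIPEX_GRE_VERMASK		0x0007	/* gre version mask */
#define PIPEX_GRE_UNUSEDFLAGS		0xcf78	/* unused at pptp. set 0 in rfc2637 */

	uint16_t type;
#define PIPEX_GRE_PROTO_PPP		0x880b	/* gre/ppp */

	uint16_t len;			/* length not include gre header */
	uint16_t call_id;			/* call_id */
} __packed;

/* pppoe header */
struct pipex_pppoe_header {
	uint8_t vertype;			/* version and type */
#define PIPEX_PPPOE_VERTYPE		0x11	/* version and type code */

	uint8_t code;				/* code */
#define PIPEX_PPPOE_CODE_SESSION	0x00	/* code session */

	uint16_t session_id;			/* session id */
	uint16_t length;			/* length */
} __packed;

/* l2tp header */
struct pipex_l2tp_header {
	uint16_t flagsver;
#define PIPEX_L2TP_FLAG_MASK		0xfff0
#define PIPEX_L2TP_FLAG_TYPE		0x8000
#define PIPEX_L2TP_FLAG_LENGTH		0x4000
#define PIPEX_L2TP_FLAG_SEQUENCE	0x0800
#define PIPEX_L2TP_FLAG_OFFSET		0x0200
#define PIPEX_L2TP_FLAG_PRIORITY	0x0100
#define PIPEX_L2TP_VER_MASK		0x000f
#define PIPEX_L2TP_VER			2
	uint16_t length; /* optional */
	uint16_t tunnel_id;
	uint16_t session_id;
	/* can be followed by option header */
} __packed;

/* l2tp option header */
struct pipex_l2tp_seq_header {
	uint16_t ns;
	uint16_t nr;
} __packed;

struct pipex_l2tp_offset_header {
	uint16_t offset_size;
	/* uint8_t offset_pad[] */
} __packed;

/*
 * Debug logging.  The argument is a fully parenthesized argument list for
 * pipex_session_log().
 * NOTE(review): with PIPEX_DEBUG the expansion is a bare `if' statement, so
 * the macro must not be the unbraced body of an `if' that has an `else'.
 */
#ifdef PIPEX_DEBUG
#define PIPEX_DBG(a) if (pipex_debug & 1) pipex_session_log a
/* #define PIPEX_MPPE_DBG(a) if (pipex_debug & 1) pipex_session_log a */
#define PIPEX_MPPE_DBG(a)
#else
#define PIPEX_DBG(a)
#define PIPEX_MPPE_DBG(a)
#endif /* PIPEX_DEBUG */

LIST_HEAD(pipex_hash_head, pipex_session);

extern struct pipex_hash_head	pipex_session_list;
extern struct pipex_hash_head	pipex_close_wait_list;
extern struct pipex_hash_head	pipex_peer_addr_hashtable[];
extern struct pipex_hash_head	pipex_id_hashtable[];


/* bucket selection: the key is reduced with PIPEX_HASH_MASK */
#define PIPEX_ID_HASHTABLE(key)						\
	(&pipex_id_hashtable[(key) & PIPEX_HASH_MASK])
#define PIPEX_PEER_ADDR_HASHTABLE(key)					\
	(&pipex_peer_addr_hashtable[(key) & PIPEX_HASH_MASK])

/*
 * Byte-wise accessors: read or write a value most significant byte first
 * through cp and advance cp past it.
 *
 * None of these macros checks a length.  The caller must already have
 * verified that enough contiguous bytes are available at cp (for packet
 * data, see PIPEX_PULLUP).  cp should be a pointer to unsigned char: through
 * a signed char pointer, bytes >= 0x80 would be sign-extended before the
 * shift in GETSHORT/GETLONG.
 */
#define GETCHAR(c, cp) do {						\
	(c) = *(cp)++;							\
} while (0)

#define PUTCHAR(s, cp) do {						\
	*(cp)++ = (u_char)(s);						\
} while (0)

#define GETSHORT(s, cp) do {						\
	(s) = *(cp)++ << 8;						\
	(s) |= *(cp)++;							\
} while (0)

#define PUTSHORT(s, cp) do {						\
	*(cp)++ = (u_char) ((s) >> 8);					\
	*(cp)++ = (u_char) (s);						\
} while (0)

#define GETLONG(l, cp) do {						\
	(l) = *(cp)++ << 8;						\
	(l) |= *(cp)++; (l) <<= 8;					\
	(l) |= *(cp)++; (l) <<= 8;					\
	(l) |= *(cp)++;							\
} while (0)

#define PUTLONG(l, cp) do {						\
	*(cp)++ = (u_char) ((l) >> 24);					\
	*(cp)++ = (u_char) ((l) >> 16);					\
	*(cp)++ = (u_char) ((l) >> 8);					\
	*(cp)++ = (u_char) (l);						\
} while (0)

/*
 * Make the first l bytes of packet m0 contiguous in its first mbuf.
 *
 * If the whole packet is shorter than l it is freed and m0 is set to NULL,
 * so every caller must test m0 for NULL before touching the header.
 *
 * NOTE(review): the expansion is a bare `if' statement rather than a
 * do { } while (0) block; do not use it as the unbraced body of an `if'
 * that has an `else'.
 * NOTE(review): a NULL return from m_pullup() is only covered by KASSERT.
 * Confirm whether m_pullup() can fail here for lack of mbufs; if so, the
 * failure should be treated as an ordinary drop (m0 is already NULL) and
 * not as an assertion.
 */
#define PIPEX_PULLUP(m0, l)						\
	if ((m0)->m_len < (l)) {					\
		if ((m0)->m_pkthdr.len < (l)) {				\
			PIPEX_DBG((NULL, LOG_DEBUG,			\
			    "<%s> received packet is too short.",	\
			    __func__));					\
			m_freem(m0);					\
			(m0) = NULL;					\
		} else  {						\
			(m0) = m_pullup((m0), (l));			\
			KASSERT((m0) != NULL);				\
		}							\
	}
/*
 * Pointer len bytes past ptr, converted to type t.  The arguments are
 * parenthesized so that an expression such as `a + b' passed as len, or a
 * cast expression passed as ptr, is evaluated as a unit.  The macro does
 * no bounds check of its own.
 */
#define PIPEX_SEEK_NEXTHDR(ptr, len, t)					\
    ((t) (((char *)(ptr)) + (len)))

/*
 * Serial-number comparison of sequence numbers that wrap around.
 *
 * The difference is cast to a signed type of exactly the width of the
 * sequence space.  This matters for the 16 bit variants: uint16_t operands
 * are promoted to int before the subtraction, so a cast to plain int would
 * not wrap at 16 bits and a comparison across the 65535 -> 0 rollover would
 * come out reversed.
 */
#define SEQ32_LT(a,b)	((int32_t)((a) - (b)) <  0)
#define SEQ32_LE(a,b)	((int32_t)((a) - (b)) <= 0)
#define SEQ32_GT(a,b)	((int32_t)((a) - (b)) >  0)
#define SEQ32_GE(a,b)	((int32_t)((a) - (b)) >= 0)
#define SEQ32_SUB(a,b)	((int32_t)((a) - (b)))

#define SEQ16_LT(a,b)	((int16_t)((a) - (b)) <  0)
#define SEQ16_LE(a,b)	((int16_t)((a) - (b)) <= 0)
#define SEQ16_GT(a,b)	((int16_t)((a) - (b)) >  0)
#define SEQ16_GE(a,b)	((int16_t)((a) - (b)) >= 0)
#define SEQ16_SUB(a,b)	((int16_t)((a) - (b)))

/* each of these yields 1 when the named bit is set in ppp_flags, else 0 */
#define	pipex_session_is_acfc_accepted(s)				\
    (((s)->ppp_flags & PIPEX_PPP_ACFC_ACCEPTED)? 1 : 0)
#define	pipex_session_is_pfc_accepted(s)				\
    (((s)->ppp_flags & PIPEX_PPP_PFC_ACCEPTED)? 1 : 0)
#define	pipex_session_is_acfc_enabled(s)				\
    (((s)->ppp_flags & PIPEX_PPP_ACFC_ENABLED)? 1 : 0)
#define	pipex_session_is_pfc_enabled(s)					\
    (((s)->ppp_flags & PIPEX_PPP_PFC_ENABLED)? 1 : 0)
#define	pipex_session_has_acf(s)					\
    (((s)->ppp_flags & PIPEX_PPP_HAS_ACF)? 1 : 0)
#define	pipex_session_is_mppe_accepted(s)				\
    (((s)->ppp_flags & PIPEX_PPP_MPPE_ACCEPTED)? 1 : 0)
#define	pipex_session_is_mppe_enabled(s)				\
    (((s)->ppp_flags & PIPEX_PPP_MPPE_ENABLED)? 1 : 0)
#define	pipex_session_is_mppe_required(s)				\
    (((s)->ppp_flags & PIPEX_PPP_MPPE_REQUIRED)? 1 : 0)
/* keylen multiplied by 8 */
#define pipex_mppe_rc4_keybits(r) ((r)->keylen << 3)
/* reads proto.l2tp, so it is only meaningful for an L2TP session */
#define pipex_session_is_l2tp_data_sequencing_on(s)			\
    (((s)->proto.l2tp.option_flags & PIPEX_L2TP_USE_SEQUENCING) ? 1 : 0)

#define PIPEX_IPGRE_HDRLEN (sizeof(struct ip) + sizeof(struct pipex_gre_header))
#define PIPEX_TCP_OPTLEN 40
#define	PIPEX_L2TP_MINLEN	8

/*
 * static function prototypes
 */
Static void                  pipex_iface_start (struct pipex_iface_context *);
Static void                  pipex_iface_stop (struct pipex_iface_context *);
Static int                   pipex_add_session (struct pipex_session_req *, struct pipex_iface_context *);
Static int                   pipex_close_session (struct pipex_session_close_req *);
Static int                   pipex_config_session (struct pipex_session_config_req *);
Static int                   pipex_get_stat (struct pipex_session_stat_req *);
Static int                   pipex_get_closed (struct pipex_session_list_req *);
Static int                   pipex_destroy_session (struct pipex_session *);
Static struct pipex_session  *pipex_lookup_by_ip_address (struct in_addr);
Static struct pipex_session  *pipex_lookup_by_session_id (int, int);
Static void                  pipex_ip_output (struct mbuf *, struct pipex_session *);
Static void                  pipex_ppp_output (struct mbuf *, struct pipex_session *, int);
Static inline int            pipex_ppp_proto (struct mbuf *, struct pipex_session *, int, int *);
Static void                  pipex_ppp_input (struct mbuf *, struct pipex_session *, int);
Static void                  pipex_ip_input (struct mbuf *, struct pipex_session *);
#ifdef INET6
Static void                  pipex_ip6_input (struct mbuf *, struct pipex_session *);
#endif
Static struct mbuf           *pipex_common_input(struct pipex_session *, struct mbuf *, int, int);

#ifdef PIPEX_PPPOE
Static void                  pipex_pppoe_output (struct mbuf *, struct pipex_session *);
#endif

#ifdef PIPEX_PPTP
Static void                  pipex_pptp_output (struct mbuf *, struct pipex_session *, int, int);
Static struct pipex_session  *pipex_pptp_userland_lookup_session(struct mbuf *, struct sockaddr *);
#endif

#ifdef PIPEX_L2TP
Static void                  pipex_l2tp_output (struct mbuf *, struct pipex_session *);
#endif

#ifdef PIPEX_MPPE
Static void                  pipex_mppe_init (struct pipex_mppe *, int, int, u_char *, int);
Static void                  GetNewKeyFromSHA (u_char *, u_char *, int, u_char *);
Static void                  pipex_mppe_reduce_key (struct pipex_mppe *);
Static void                  mppe_key_change (struct pipex_mppe *);
Static void                  pipex_mppe_input (struct mbuf *, struct pipex_session *);
Static void                  pipex_mppe_output (struct mbuf *, struct pipex_session *, uint16_t);
Static void                  pipex_ccp_input (struct mbuf *, struct pipex_session *);
Static int                   pipex_ccp_output (struct pipex_session *, int, int);
Static inline int            pipex_mppe_setkey(struct pipex_mppe *);
Static inline int            pipex_mppe_setoldkey(struct pipex_mppe *, uint16_t);
Static inline void           pipex_mppe_crypt(struct pipex_mppe *, int, u_char *, u_char *);
#endif

Static struct mbuf           *adjust_tcp_mss (struct mbuf *, int);
Static struct mbuf           *ip_is_idle_packet (struct mbuf *, int *);
/* printf-style logger: format string is argument 3, checked by the compiler */
Static void                  pipex_session_log (struct pipex_session *, int, const char *, ...)  __attribute__((__format__(__printf__,3,4)));
Static uint32_t              pipex_sockaddr_hash_key(struct sockaddr *);
Static int                   pipex_sockaddr_compar_addr(struct sockaddr *, struct sockaddr *);
Static int                   pipex_ppp_enqueue (struct mbuf *, struct pipex_session *, struct mbuf_queue *);
Static void                  pipex_ppp_dequeue (void);
Static void                  pipex_timer_start (void);
Static void                  pipex_timer_stop (void);
Static void                  pipex_timer (void *);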