1/*
2 * Copyright (C) 2002-2003 by Darren Reed
3 *
4 * Simple PPTP transparent proxy for in-kernel use.  For use with the NAT
5 * code.
6 *
7 * $Id: ip_pptp_pxy.c,v 2.10.2.10 2005/07/15 21:56:52 darrenr Exp $
8 *
9 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
10 * Use is subject to license terms.
11 */
12
13#define	IPF_PPTP_PROXY
14
15typedef struct ifs_pptppxy {
16	frentry_t	pptpfr;
17	int		pptp_proxy_init;
18} ifs_pptppxy_t;
19
20typedef	struct pptp_hdr {
21	u_short	pptph_len;
22	u_short	pptph_type;
23	u_32_t	pptph_cookie;
24} pptp_hdr_t;
25
26#define	PPTP_MSGTYPE_CTL	1
27#define	PPTP_MTCTL_STARTREQ	1
28#define	PPTP_MTCTL_STARTREP	2
29#define	PPTP_MTCTL_STOPREQ	3
30#define	PPTP_MTCTL_STOPREP	4
31#define	PPTP_MTCTL_ECHOREQ	5
32#define	PPTP_MTCTL_ECHOREP	6
33#define	PPTP_MTCTL_OUTREQ	7
34#define	PPTP_MTCTL_OUTREP	8
35#define	PPTP_MTCTL_INREQ	9
36#define	PPTP_MTCTL_INREP	10
37#define	PPTP_MTCTL_INCONNECT	11
38#define	PPTP_MTCTL_CLEAR	12
39#define	PPTP_MTCTL_DISCONNECT	13
40#define	PPTP_MTCTL_WANERROR	14
41#define	PPTP_MTCTL_LINKINFO	15
42
43
44int ippr_pptp_init __P((void **, ipf_stack_t *));
45void ippr_pptp_fini __P((void **, ipf_stack_t *));
46int ippr_pptp_new __P((fr_info_t *, ap_session_t *, nat_t *, void *));
47void ippr_pptp_del __P((ap_session_t *, void *, ipf_stack_t *));
48int ippr_pptp_inout __P((fr_info_t *, ap_session_t *, nat_t *, void *));
49void ippr_pptp_donatstate __P((fr_info_t *, nat_t *, pptp_pxy_t *, ifs_pptppxy_t *));
50int ippr_pptp_message __P((fr_info_t *, nat_t *, pptp_pxy_t *, pptp_side_t *, ifs_pptppxy_t *));
51int ippr_pptp_nextmessage __P((fr_info_t *, nat_t *, pptp_pxy_t *, int, ifs_pptppxy_t *));
52int ippr_pptp_mctl __P((fr_info_t *, nat_t *, pptp_pxy_t *, pptp_side_t *, ifs_pptppxy_t *));
53
54int	ippr_pptp_debug = 0;			/* It never changes */
55int	ippr_pptp_gretimeout = IPF_TTLVAL(120);	/* 2 minutes, never changes */
56
57/*
58 * PPTP application proxy initialization.
59 */
60/*ARGSUSED*/
61int ippr_pptp_init(private, ifs)
62void **private;
63ipf_stack_t *ifs;
64{
65	ifs_pptppxy_t *ifspptp;
66
67	KMALLOC(ifspptp, ifs_pptppxy_t *);
68	if (ifspptp == NULL)
69		return -1;
70
71	bzero((char *)&ifspptp->pptpfr, sizeof(ifspptp->pptpfr));
72	ifspptp->pptpfr.fr_ref = 1;
73	ifspptp->pptpfr.fr_age[0] = ippr_pptp_gretimeout;
74	ifspptp->pptpfr.fr_age[1] = ippr_pptp_gretimeout;
75	ifspptp->pptpfr.fr_flags = FR_OUTQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
76	MUTEX_INIT(&ifspptp->pptpfr.fr_lock, "PPTP proxy rule lock");
77	ifspptp->pptp_proxy_init = 1;
78
79	*private = (void *)ifspptp;
80
81	return 0;
82}
83
84
85/*ARGSUSED*/
86void ippr_pptp_fini(private, ifs)
87void **private;
88ipf_stack_t *ifs;
89{
90	ifs_pptppxy_t *ifspptp = *((ifs_pptppxy_t **)private);
91
92	if (ifspptp->pptp_proxy_init == 1) {
93		MUTEX_DESTROY(&ifspptp->pptpfr.fr_lock);
94		ifspptp->pptp_proxy_init = 0;
95	}
96
97	KFREE(ifspptp);
98	*private = NULL;
99}
100
101
102/*
103 * Setup for a new PPTP proxy.
104 */
105/*ARGSUSED*/
106int ippr_pptp_new(fin, aps, nat, private)
107fr_info_t *fin;
108ap_session_t *aps;
109nat_t *nat;
110void *private;
111{
112	pptp_pxy_t *pptp;
113	ipnat_t *ipn;
114	ip_t *ip;
115
116	ip = fin->fin_ip;
117
118	if (nat_outlookup(fin, 0, IPPROTO_GRE, nat->nat_inip,
119			  ip->ip_dst) != NULL) {
120		if (ippr_pptp_debug > 0)
121			printf("ippr_pptp_new: GRE session already exists\n");
122		return -1;
123	}
124
125	aps->aps_psiz = sizeof(*pptp);
126	KMALLOCS(aps->aps_data, pptp_pxy_t *, sizeof(*pptp));
127	if (aps->aps_data == NULL) {
128		if (ippr_pptp_debug > 0)
129			printf("ippr_pptp_new: malloc for aps_data failed\n");
130		return -1;
131	}
132
133	/*
134	 * Create NAT rule against which the tunnel/transport mapping is
135	 * created.  This is required because the current NAT rule does not
136	 * describe GRE but TCP instead.
137	 */
138	pptp = aps->aps_data;
139	bzero((char *)pptp, sizeof(*pptp));
140	ipn = &pptp->pptp_rule;
141	ipn->in_ifps[0] = fin->fin_ifp;
142	ipn->in_apr = NULL;
143	ipn->in_use = 1;
144	ipn->in_hits = 1;
145	ipn->in_ippip = 1;
146	if (nat->nat_dir == NAT_OUTBOUND) {
147		ipn->in_nip = ntohl(nat->nat_outip.s_addr);
148		ipn->in_outip = fin->fin_saddr;
149		ipn->in_redir = NAT_MAP;
150	} else if (nat->nat_dir == NAT_INBOUND) {
151		ipn->in_nip = 0;
152		ipn->in_outip = nat->nat_outip.s_addr;
153		ipn->in_redir = NAT_REDIRECT;
154	}
155	ipn->in_inip = nat->nat_inip.s_addr;
156	ipn->in_inmsk = 0xffffffff;
157	ipn->in_outmsk = 0xffffffff;
158	ipn->in_srcip = fin->fin_saddr;
159	ipn->in_srcmsk = 0xffffffff;
160	bcopy(nat->nat_ptr->in_ifnames[0], ipn->in_ifnames[0],
161	      sizeof(ipn->in_ifnames[0]));
162	ipn->in_p = IPPROTO_GRE;
163
164	pptp->pptp_side[0].pptps_wptr = pptp->pptp_side[0].pptps_buffer;
165	pptp->pptp_side[1].pptps_wptr = pptp->pptp_side[1].pptps_buffer;
166	return 0;
167}
168
169
170void ippr_pptp_donatstate(fin, nat, pptp, ifspptp)
171fr_info_t *fin;
172nat_t *nat;
173pptp_pxy_t *pptp;
174ifs_pptppxy_t *ifspptp;
175{
176	fr_info_t fi;
177	grehdr_t gre;
178	nat_t *nat2;
179	u_char p;
180	ip_t *ip;
181	ipf_stack_t *ifs = fin->fin_ifs;
182
183	ip = fin->fin_ip;
184	p = ip->ip_p;
185
186	nat2 = pptp->pptp_nat;
187	if ((nat2 == NULL) || (pptp->pptp_state == NULL)) {
188		bcopy((char *)fin, (char *)&fi, sizeof(fi));
189		bzero((char *)&gre, sizeof(gre));
190		fi.fin_fi.fi_p = IPPROTO_GRE;
191		fi.fin_fr = &ifspptp->pptpfr;
192		if ((nat->nat_dir == NAT_OUTBOUND && fin->fin_out) ||
193		    (nat->nat_dir == NAT_INBOUND && !fin->fin_out)) {
194			fi.fin_data[0] = pptp->pptp_call[0];
195			fi.fin_data[1] = pptp->pptp_call[1];
196		} else {
197			fi.fin_data[0] = pptp->pptp_call[1];
198			fi.fin_data[1] = pptp->pptp_call[0];
199		}
200		ip = fin->fin_ip;
201		ip->ip_p = IPPROTO_GRE;
202		fi.fin_flx &= ~(FI_TCPUDP|FI_STATE|FI_FRAG);
203		fi.fin_flx |= FI_IGNORE;
204		fi.fin_dp = &gre;
205		gre.gr_flags = htons(1 << 13);
206		if (fin->fin_out && nat->nat_dir == NAT_INBOUND) {
207			fi.fin_fi.fi_saddr = fin->fin_fi.fi_daddr;
208			fi.fin_fi.fi_daddr = nat->nat_outip.s_addr;
209		} else if (!fin->fin_out && nat->nat_dir == NAT_OUTBOUND) {
210			fi.fin_fi.fi_saddr = nat->nat_inip.s_addr;
211			fi.fin_fi.fi_daddr = fin->fin_fi.fi_saddr;
212		}
213	}
214
215	/*
216	 * Update NAT timeout/create NAT if missing.
217	 */
218	if (nat2 != NULL)
219		fr_queueback(&nat2->nat_tqe, ifs);
220	else {
221		nat2 = nat_new(&fi, &pptp->pptp_rule, &pptp->pptp_nat,
222			       NAT_SLAVE, nat->nat_dir);
223		pptp->pptp_nat = nat2;
224		if (nat2 != NULL) {
225			(void) nat_proto(&fi, nat2, 0);
226			nat_update(&fi, nat2, nat2->nat_ptr);
227		}
228	}
229
230	READ_ENTER(&ifs->ifs_ipf_state);
231	if (pptp->pptp_state != NULL) {
232		fr_queueback(&pptp->pptp_state->is_sti, ifs);
233		RWLOCK_EXIT(&ifs->ifs_ipf_state);
234	} else {
235		RWLOCK_EXIT(&ifs->ifs_ipf_state);
236		if (nat->nat_dir == NAT_INBOUND)
237			fi.fin_fi.fi_daddr = nat2->nat_inip.s_addr;
238		else
239			fi.fin_fi.fi_saddr = nat2->nat_inip.s_addr;
240		fi.fin_ifp = NULL;
241		pptp->pptp_state = fr_addstate(&fi, &pptp->pptp_state,
242					       0);
243	}
244	ip->ip_p = p;
245	return;
246}
247
248
249/*
250 * Try and build up the next PPTP message in the TCP stream and if we can
251 * build it up completely (fits in our buffer) then pass it off to the message
252 * parsing function.
253 */
254int ippr_pptp_nextmessage(fin, nat, pptp, rev, ifspptp)
255fr_info_t *fin;
256nat_t *nat;
257pptp_pxy_t *pptp;
258int rev;
259ifs_pptppxy_t *ifspptp;
260{
261	static char *funcname = "ippr_pptp_nextmessage";
262	pptp_side_t *pptps;
263	u_32_t start, end;
264	pptp_hdr_t *hdr;
265	tcphdr_t *tcp;
266	int dlen, off;
267	u_short len;
268	char *msg;
269
270	tcp = fin->fin_dp;
271	dlen = fin->fin_dlen - (TCP_OFF(tcp) << 2);
272	start = ntohl(tcp->th_seq);
273	pptps = &pptp->pptp_side[rev];
274	off = (char *)tcp - (char *)fin->fin_ip + (TCP_OFF(tcp) << 2) +
275	      fin->fin_ipoff;
276
277	if (dlen <= 0)
278		return 0;
279	/*
280	 * If the complete data packet is before what we expect to see
281	 * "next", just ignore it as the chances are we've already seen it.
282	 * The next if statement following this one really just causes packets
283	 * ahead of what we've seen to be dropped, implying that something in
284	 * the middle went missing and we want to see that first.
285	 */
286	end = start + dlen;
287	if (pptps->pptps_next > end && pptps->pptps_next > start)
288		return 0;
289
290	if (pptps->pptps_next != start) {
291		if (ippr_pptp_debug > 5)
292			printf("%s: next (%x) != start (%x)\n", funcname,
293				pptps->pptps_next, start);
294		return -1;
295	}
296
297	msg = (char *)fin->fin_dp + (TCP_OFF(tcp) << 2);
298
299	while (dlen > 0) {
300		off += pptps->pptps_bytes;
301		if (pptps->pptps_gothdr == 0) {
302			/*
303			 * PPTP has an 8 byte header that inclues the cookie.
304			 * The start of every message should include one and
305			 * it should match 1a2b3c4d.  Byte order is ignored,
306			 * deliberately, when printing out the error.
307			 */
308			len = MIN(8 - pptps->pptps_bytes, dlen);
309			COPYDATA(fin->fin_m, off, len, pptps->pptps_wptr);
310			pptps->pptps_bytes += len;
311			pptps->pptps_wptr += len;
312			hdr = (pptp_hdr_t *)pptps->pptps_buffer;
313			if (pptps->pptps_bytes == 8) {
314				pptps->pptps_next += 8;
315				if (ntohl(hdr->pptph_cookie) != 0x1a2b3c4d) {
316					if (ippr_pptp_debug > 1)
317						printf("%s: bad cookie (%x)\n",
318						       funcname,
319						       hdr->pptph_cookie);
320					return -1;
321				}
322			}
323			dlen -= len;
324			msg += len;
325			off += len;
326
327			pptps->pptps_gothdr = 1;
328			len = ntohs(hdr->pptph_len);
329			pptps->pptps_len = len;
330			pptps->pptps_nexthdr += len;
331
332			/*
333			 * If a message is too big for the buffer, just set
334			 * the fields for the next message to come along.
335			 * The messages defined in RFC 2637 will not exceed
336			 * 512 bytes (in total length) so this is likely a
337			 * bad data packet, anyway.
338			 */
339			if (len > sizeof(pptps->pptps_buffer)) {
340				if (ippr_pptp_debug > 3)
341					printf("%s: message too big (%d)\n",
342					       funcname, len);
343				pptps->pptps_next = pptps->pptps_nexthdr;
344				pptps->pptps_wptr = pptps->pptps_buffer;
345				pptps->pptps_gothdr = 0;
346				pptps->pptps_bytes = 0;
347				pptps->pptps_len = 0;
348				break;
349			}
350		}
351
352		len = MIN(pptps->pptps_len - pptps->pptps_bytes, dlen);
353		COPYDATA(fin->fin_m, off, len, pptps->pptps_wptr);
354		pptps->pptps_bytes += len;
355		pptps->pptps_wptr += len;
356		pptps->pptps_next += len;
357
358		if (pptps->pptps_len > pptps->pptps_bytes)
359			break;
360
361		(void) ippr_pptp_message(fin, nat, pptp, pptps, ifspptp);
362		pptps->pptps_wptr = pptps->pptps_buffer;
363		pptps->pptps_gothdr = 0;
364		pptps->pptps_bytes = 0;
365		pptps->pptps_len = 0;
366
367		start += len;
368		msg += len;
369		dlen -= len;
370	}
371
372	return 0;
373}
374
375
376/*
377 * handle a complete PPTP message
378 */
379int ippr_pptp_message(fin, nat, pptp, pptps, ifspptp)
380fr_info_t *fin;
381nat_t *nat;
382pptp_pxy_t *pptp;
383pptp_side_t *pptps;
384ifs_pptppxy_t *ifspptp;
385{
386	pptp_hdr_t *hdr = (pptp_hdr_t *)pptps->pptps_buffer;
387
388	switch (ntohs(hdr->pptph_type))
389	{
390	case PPTP_MSGTYPE_CTL :
391		(void) ippr_pptp_mctl(fin, nat, pptp, pptps, ifspptp);
392		break;
393
394	default :
395		break;
396	}
397	return 0;
398}
399
400
401/*
402 * handle a complete PPTP control message
403 */
404int ippr_pptp_mctl(fin, nat, pptp, pptps, ifspptp)
405fr_info_t *fin;
406nat_t *nat;
407pptp_pxy_t *pptp;
408pptp_side_t *pptps;
409ifs_pptppxy_t *ifspptp;
410{
411	u_short *buffer = (u_short *)(pptps->pptps_buffer);
412	pptp_side_t *pptpo;
413
414	if (pptps == &pptp->pptp_side[0])
415		pptpo = &pptp->pptp_side[1];
416	else
417		pptpo = &pptp->pptp_side[0];
418
419	/*
420	 * Breakout to handle all the various messages.  Most are just state
421	 * transition.
422	 */
423	switch (ntohs(buffer[4]))
424	{
425	case PPTP_MTCTL_STARTREQ :
426		pptps->pptps_state = PPTP_MTCTL_STARTREQ;
427		break;
428	case PPTP_MTCTL_STARTREP :
429		if (pptpo->pptps_state == PPTP_MTCTL_STARTREQ)
430			pptps->pptps_state = PPTP_MTCTL_STARTREP;
431		break;
432	case PPTP_MTCTL_STOPREQ :
433		pptps->pptps_state = PPTP_MTCTL_STOPREQ;
434		break;
435	case PPTP_MTCTL_STOPREP :
436		if (pptpo->pptps_state == PPTP_MTCTL_STOPREQ)
437			pptps->pptps_state = PPTP_MTCTL_STOPREP;
438		break;
439	case PPTP_MTCTL_ECHOREQ :
440		pptps->pptps_state = PPTP_MTCTL_ECHOREQ;
441		break;
442	case PPTP_MTCTL_ECHOREP :
443		if (pptpo->pptps_state == PPTP_MTCTL_ECHOREQ)
444			pptps->pptps_state = PPTP_MTCTL_ECHOREP;
445		break;
446	case PPTP_MTCTL_OUTREQ :
447		pptps->pptps_state = PPTP_MTCTL_OUTREQ;
448		break;
449	case PPTP_MTCTL_OUTREP :
450		if (pptpo->pptps_state == PPTP_MTCTL_OUTREQ) {
451			pptps->pptps_state = PPTP_MTCTL_OUTREP;
452			pptp->pptp_call[0] = buffer[7];
453			pptp->pptp_call[1] = buffer[6];
454			ippr_pptp_donatstate(fin, nat, pptp, ifspptp);
455		}
456		break;
457	case PPTP_MTCTL_INREQ :
458		pptps->pptps_state = PPTP_MTCTL_INREQ;
459		break;
460	case PPTP_MTCTL_INREP :
461		if (pptpo->pptps_state == PPTP_MTCTL_INREQ) {
462			pptps->pptps_state = PPTP_MTCTL_INREP;
463			pptp->pptp_call[0] = buffer[7];
464			pptp->pptp_call[1] = buffer[6];
465			ippr_pptp_donatstate(fin, nat, pptp, ifspptp);
466		}
467		break;
468	case PPTP_MTCTL_INCONNECT :
469		pptps->pptps_state = PPTP_MTCTL_INCONNECT;
470		break;
471	case PPTP_MTCTL_CLEAR :
472		pptps->pptps_state = PPTP_MTCTL_CLEAR;
473		break;
474	case PPTP_MTCTL_DISCONNECT :
475		pptps->pptps_state = PPTP_MTCTL_DISCONNECT;
476		break;
477	case PPTP_MTCTL_WANERROR :
478		pptps->pptps_state = PPTP_MTCTL_WANERROR;
479		break;
480	case PPTP_MTCTL_LINKINFO :
481		pptps->pptps_state = PPTP_MTCTL_LINKINFO;
482		break;
483	}
484
485	return 0;
486}
487
488
489/*
490 * For outgoing PPTP packets.  refresh timeouts for NAT & state entries, if
491 * we can.  If they have disappeared, recreate them.
492 */
493int ippr_pptp_inout(fin, aps, nat, private)
494fr_info_t *fin;
495ap_session_t *aps;
496nat_t *nat;
497void *private;
498{
499	pptp_pxy_t *pptp;
500	tcphdr_t *tcp;
501	int rev;
502
503	if ((fin->fin_out == 1) && (nat->nat_dir == NAT_INBOUND))
504		rev = 1;
505	else if ((fin->fin_out == 0) && (nat->nat_dir == NAT_OUTBOUND))
506		rev = 1;
507	else
508		rev = 0;
509
510	tcp = (tcphdr_t *)fin->fin_dp;
511	if ((tcp->th_flags & TH_OPENING) == TH_OPENING) {
512		pptp = (pptp_pxy_t *)aps->aps_data;
513		pptp->pptp_side[1 - rev].pptps_next = ntohl(tcp->th_ack);
514		pptp->pptp_side[1 - rev].pptps_nexthdr = ntohl(tcp->th_ack);
515		pptp->pptp_side[rev].pptps_next = ntohl(tcp->th_seq) + 1;
516		pptp->pptp_side[rev].pptps_nexthdr = ntohl(tcp->th_seq) + 1;
517	}
518	return ippr_pptp_nextmessage(fin, nat, (pptp_pxy_t *)aps->aps_data,
519				     rev, (ifs_pptppxy_t *)private);
520}
521
522
523/*
524 * clean up after ourselves.
525 */
526/*ARGSUSED*/
527void ippr_pptp_del(aps, private, ifs)
528ap_session_t *aps;
529void *private;
530ipf_stack_t *ifs;
531{
532	pptp_pxy_t *pptp;
533
534	pptp = aps->aps_data;
535
536	if (pptp != NULL) {
537		/*
538		 * Don't bother changing any of the NAT structure details,
539		 * *_del() is on a callback from aps_free(), from nat_delete()
540		 */
541
542		READ_ENTER(&ifs->ifs_ipf_state);
543		if (pptp->pptp_state != NULL) {
544			pptp->pptp_state->is_die = ifs->ifs_fr_ticks + 1;
545			pptp->pptp_state->is_me = NULL;
546			fr_queuefront(&pptp->pptp_state->is_sti);
547		}
548		RWLOCK_EXIT(&ifs->ifs_ipf_state);
549
550		pptp->pptp_state = NULL;
551		pptp->pptp_nat = NULL;
552
553	}
554}
555