3eb26486ef3f3d8c76364606671d7740607a687a
[l2tpns.git] / ppp.c
1 // L2TPNS PPP Stuff
2
3 char const *cvs_id_ppp = "$Id: ppp.c,v 1.28 2004/11/25 02:45:27 bodea Exp $";
4
5 #include <stdio.h>
6 #include <string.h>
7 #include <unistd.h>
8 #include <errno.h>
9 #include <stdlib.h>
10 #include "l2tpns.h"
11 #include "constants.h"
12 #include "plugin.h"
13 #include "util.h"
14 #include "tbf.h"
15 #include "cluster.h"
16
17 extern tunnelt *tunnel;
18 extern sessiont *session;
19 extern radiust *radius;
20 extern int tunfd;
21 extern char hostname[];
22 extern u32 eth_tx;
23 extern time_t time_now;
24 extern struct configt *config;
25
26 // Process PAP messages
27 void processpap(tunnelidt t, sessionidt s, u8 *p, u16 l)
28 {
29 char user[129];
30 char pass[129];
31 u16 hl;
32
33 CSTAT(call_processpap);
34
35 LOG_HEX(5, "PAP", p, l);
36 if (l < 4)
37 {
38 LOG(1, 0, s, t, "Short PAP %u bytes\n", l);
39 STAT(tunnel_rx_errors);
40 return ;
41 }
42
43 if ((hl = ntohs(*(u16 *) (p + 2))) > l)
44 {
45 LOG(1, 0, s, t, "Length mismatch PAP %u/%u\n", hl, l);
46 STAT(tunnel_rx_errors);
47 return ;
48 }
49 l = hl;
50
51 if (*p != 1)
52 {
53 LOG(1, 0, s, t, "Unexpected PAP code %d\n", *p);
54 STAT(tunnel_rx_errors);
55 return ;
56 }
57
58 {
59 u8 *b = p;
60 b += 4;
61 if (*b && *b < sizeof(user))
62 memcpy(user, b + 1, *b);
63 user[*b] = 0;
64 b += 1 + *b;
65 if (*b && *b < sizeof(pass))
66 memcpy(pass, b + 1, *b);
67 pass[*b] = 0;
68 LOG(3, 0, s, t, "PAP login %s/%s\n", user, pass);
69 }
70 if (session[s].ip || !session[s].radius)
71 {
72 // respond now, either no RADIUS available or already authenticated
73 u8 b[MAXCONTROL];
74 u8 id = p[1];
75 u8 *p = makeppp(b, sizeof(b), 0, 0, t, s, PPPPAP);
76 if (!p) return;
77
78 if (session[s].ip)
79 *p = 2; // ACK
80 else
81 *p = 3; // cant authorise
82 p[1] = id;
83 *(u16 *) (p + 2) = htons(5); // length
84 p[4] = 0; // no message
85 if (session[s].ip)
86 {
87 LOG(3, session[s].ip, s, t, "Already an IP allocated: %s (%d)\n", inet_toa(htonl(session[s].ip)), session[s].ip_pool_index);
88 session[s].flags &= ~SF_IPCP_ACKED;
89 }
90 else
91 {
92 LOG(1, 0, s, t, "No radius session available to authenticate session...\n");
93 }
94 LOG(3, 0, s, t, "Fallback response to PAP (%s)\n", (session[s].ip) ? "ACK" : "NAK");
95 tunnelsend(b, 5 + (p - b), t); // send it
96 }
97 else
98 {
99 // set up RADIUS request
100 u16 r = session[s].radius;
101
102 // Run PRE_AUTH plugins
103 struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
104 run_plugins(PLUGIN_PRE_AUTH, &packet);
105 if (!packet.continue_auth)
106 {
107 LOG(3, 0, s, t, "A plugin rejected PRE_AUTH\n");
108 if (packet.username) free(packet.username);
109 if (packet.password) free(packet.password);
110 return;
111 }
112
113 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
114 strncpy(radius[r].pass, packet.password, sizeof(radius[r].pass) - 1);
115
116 free(packet.username);
117 free(packet.password);
118
119 radius[r].id = p[1];
120 LOG(3, 0, s, t, "Sending login for %s/%s to radius\n", user, pass);
121 radiussend(r, RADIUSAUTH);
122 }
123 }
124
125 // Process CHAP messages
126 void processchap(tunnelidt t, sessionidt s, u8 *p, u16 l)
127 {
128 u16 r;
129 u16 hl;
130
131 CSTAT(call_processchap);
132
133 LOG_HEX(5, "CHAP", p, l);
134 r = session[s].radius;
135 if (!r)
136 {
137 LOG(1, 0, s, t, "Unexpected CHAP message\n");
138
139 // FIXME: Need to drop the session here.
140
141 STAT(tunnel_rx_errors);
142 return;
143 }
144
145 if (l < 4)
146 {
147 LOG(1, 0, s, t, "Short CHAP %u bytes\n", l);
148 STAT(tunnel_rx_errors);
149 return ;
150 }
151
152 if ((hl = ntohs(*(u16 *) (p + 2))) > l)
153 {
154 LOG(1, 0, s, t, "Length mismatch CHAP %u/%u\n", hl, l);
155 STAT(tunnel_rx_errors);
156 return ;
157 }
158 l = hl;
159
160 if (*p != 2)
161 {
162 LOG(1, 0, s, t, "Unexpected CHAP response code %d\n", *p);
163 STAT(tunnel_rx_errors);
164 return;
165 }
166 if (p[1] != radius[r].id)
167 {
168 LOG(1, 0, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
169 STAT(tunnel_rx_errors);
170 return ;
171 }
172
173 if (l < 5 || p[4] != 16)
174 {
175 LOG(1, 0, s, t, "Bad CHAP response length %d\n", l < 5 ? -1 : p[4]);
176 STAT(tunnel_rx_errors);
177 return ;
178 }
179
180 l -= 5;
181 p += 5;
182 if (l < 16 || l - 16 >= sizeof(session[s].user))
183 {
184 LOG(1, 0, s, t, "CHAP user too long %d\n", l - 16);
185 STAT(tunnel_rx_errors);
186 return ;
187 }
188
189 // Run PRE_AUTH plugins
190 {
191 struct param_pre_auth packet = { &tunnel[t], &session[s], NULL, NULL, PPPCHAP, 1 };
192
193 packet.password = calloc(17, 1);
194 memcpy(packet.password, p, 16);
195
196 p += 16;
197 l -= 16;
198
199 packet.username = calloc(l + 1, 1);
200 memcpy(packet.username, p, l);
201
202 run_plugins(PLUGIN_PRE_AUTH, &packet);
203 if (!packet.continue_auth)
204 {
205 LOG(3, 0, s, t, "A plugin rejected PRE_AUTH\n");
206 if (packet.username) free(packet.username);
207 if (packet.password) free(packet.password);
208 return;
209 }
210
211 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
212 memcpy(radius[r].pass, packet.password, 16);
213
214 free(packet.username);
215 free(packet.password);
216 }
217
218 radius[r].chap = 1;
219 LOG(3, 0, s, t, "CHAP login %s\n", session[s].user);
220 radiussend(r, RADIUSAUTH);
221 }
222
223 static char *ppp_lcp_types[] = {
224 NULL,
225 "ConfigReq",
226 "ConfigAck",
227 "ConfigNak",
228 "ConfigRej",
229 "TerminateReq",
230 "TerminateAck",
231 "CodeRej",
232 "ProtocolRej",
233 "EchoReq",
234 "EchoReply",
235 "DiscardRequest",
236 "IdentRequest",
237 };
238
239 static void dumplcp(u8 *p, int l)
240 {
241 int x = l - 4;
242 u8 *o = (p + 4);
243
244 LOG_HEX(5, "PPP LCP Packet", p, l);
245 LOG(4, 0, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_types[(int)*p], ntohs( ((u16 *) p)[1]) );
246 LOG(4, 0, 0, 0, "Length: %d\n", l);
247 if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
248 return;
249
250 while (x > 2)
251 {
252 int type = o[0];
253 int length = o[1];
254 if (length < 2)
255 {
256 LOG(4, 0, 0, 0, " Option length is %d...\n", length);
257 break;
258 }
259 if (type == 0)
260 {
261 LOG(4, 0, 0, 0, " Option type is 0...\n");
262 x -= length;
263 o += length;
264 continue;
265 }
266 switch (type)
267 {
268 case 1: // Maximum-Receive-Unit
269 if (length == 4)
270 LOG(4, 0, 0, 0, " %s %d\n", lcp_types[type], ntohs(*(u16 *)(o + 2)));
271 else
272 LOG(4, 0, 0, 0, " %s odd length %d\n", lcp_types[type], length);
273 break;
274 case 2: // Async-Control-Character-Map
275 if (length == 6)
276 {
277 u32 asyncmap = ntohl(*(u32 *)(o + 2));
278 LOG(4, 0, 0, 0, " %s %x\n", lcp_types[type], asyncmap);
279 }
280 else
281 LOG(4, 0, 0, 0, " %s odd length %d\n", lcp_types[type], length);
282 break;
283 case 3: // Authentication-Protocol
284 if (length == 4)
285 {
286 int proto = ntohs(*(u16 *)(o + 2));
287 LOG(4, 0, 0, 0, " %s 0x%x (%s)\n", lcp_types[type], proto,
288 proto == PPPCHAP ? "CHAP" :
289 proto == PPPPAP ? "PAP" : "UNKNOWN");
290 }
291 else
292 LOG(4, 0, 0, 0, " %s odd length %d\n", lcp_types[type], length);
293 break;
294 case 4: // Quality-Protocol
295 {
296 u32 qp = ntohl(*(u32 *)(o + 2));
297 LOG(4, 0, 0, 0, " %s %x\n", lcp_types[type], qp);
298 }
299 break;
300 case 5: // Magic-Number
301 if (length == 6)
302 {
303 u32 magicno = ntohl(*(u32 *)(o + 2));
304 LOG(4, 0, 0, 0, " %s %x\n", lcp_types[type], magicno);
305 }
306 else
307 LOG(4, 0, 0, 0, " %s odd length %d\n", lcp_types[type], length);
308 break;
309 case 7: // Protocol-Field-Compression
310 case 8: // Address-And-Control-Field-Compression
311 LOG(4, 0, 0, 0, " %s\n", lcp_types[type]);
312 break;
313 default:
314 LOG(2, 0, 0, 0, " Unknown PPP LCP Option type %d\n", type);
315 break;
316 }
317 x -= length;
318 o += length;
319 }
320 }
321
322 // Process LCP messages
323 void processlcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
324 {
325 u8 b[MAXCONTROL];
326 u8 *q = NULL;
327 u32 magicno = 0;
328 u16 hl;
329
330 CSTAT(call_processlcp);
331
332 LOG_HEX(5, "LCP", p, l);
333 if (l < 4)
334 {
335 LOG(1, session[s].ip, s, t, "Short LCP %d bytes\n", l);
336 STAT(tunnel_rx_errors);
337 return ;
338 }
339
340 if ((hl = ntohs(*(u16 *) (p + 2))) > l)
341 {
342 LOG(1, 0, s, t, "Length mismatch LCP %u/%u\n", hl, l);
343 STAT(tunnel_rx_errors);
344 return ;
345 }
346 l = hl;
347
348 if (*p == ConfigAck)
349 {
350 LOG(3, session[s].ip, s, t, "LCP: Discarding ConfigAck\n");
351 session[s].flags |= SF_LCP_ACKED;
352 }
353 else if (*p == ConfigReq)
354 {
355 int x = l - 4;
356 u8 *o = (p + 4);
357 u8 response = 0;
358
359 LOG(3, session[s].ip, s, t, "LCP: ConfigReq (%d bytes)...\n", l);
360 if (config->debug > 3) dumplcp(p, l);
361
362 while (x > 2)
363 {
364 int type = o[0];
365 int length = o[1];
366 if (length == 0 || type == 0 || x < length) break;
367 switch (type)
368 {
369 case 1: // Maximum-Receive-Unit
370 session[s].mru = ntohs(*(u16 *)(o + 2));
371 break;
372
373 case 2: // Async-Control-Character-Map
374 if (!ntohl(*(u32 *)(o + 2))) // all bits zero is OK
375 break;
376
377 if (response && response != ConfigNak) // rej already queued
378 break;
379
380 LOG(2, session[s].ip, s, t, " Remote requesting asyncmap. Rejecting.\n");
381 if (!response)
382 {
383 q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP);
384 if (!q) break;
385 response = *q++ = ConfigNak;
386 }
387
388 if ((q - b + 11) > sizeof(b))
389 {
390 LOG(2, session[s].ip, s, t, "LCP overflow for asyncmap ConfigNak.\n");
391 break;
392 }
393
394 *q++ = type;
395 *q++ = 6;
396 memset(q, 0, 4); // asyncmap 0
397 q += 4;
398 break;
399
400 case 3: // Authentication-Protocol
401 {
402 int proto = ntohs(*(u16 *)(o + 2));
403 char proto_name[] = "0x0000";
404 if (proto == PPPPAP)
405 break;
406
407 if (response && response != ConfigNak) // rej already queued
408 break;
409
410 if (proto == PPPCHAP)
411 strcpy(proto_name, "CHAP");
412 else
413 sprintf(proto_name, "%#4.4x", proto);
414
415 LOG(2, session[s].ip, s, t, " Remote requesting %s authentication. Rejecting.\n", proto_name);
416
417 if (!response)
418 {
419 q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP);
420 if (!q) break;
421 response = *q++ = ConfigNak;
422 }
423
424 if ((q - b + length) > sizeof(b))
425 {
426 LOG(2, session[s].ip, s, t, "LCP overflow for %s ConfigNak.\n", proto_name);
427 break;
428 }
429
430 memcpy(q, o, length);
431 *(u16 *)(q += 2) = htons(PPPPAP); // NAK -> Use PAP instead
432 q += length;
433 }
434 break;
435
436 case 5: // Magic-Number
437 magicno = ntohl(*(u32 *)(o + 2));
438 break;
439
440 case 4: // Quality-Protocol
441 case 7: // Protocol-Field-Compression
442 case 8: // Address-And-Control-Field-Compression
443 break;
444
445 default: // Reject any unknown options
446 LOG(2, session[s].ip, s, t, " Rejecting PPP LCP Option type %d\n", type);
447 if (!response || response != ConfigRej) // drop nak in favour of rej
448 {
449 q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP);
450 if (!q) return;
451 response = *q++ = ConfigRej;
452 }
453
454 if ((q - b + length) > sizeof(b))
455 {
456 LOG(2, session[s].ip, s, t, "LCP overflow for ConfigRej (type=%d).\n", type);
457 break;
458 }
459
460 memcpy(q, o, length);
461 q += length;
462 }
463 x -= length;
464 o += length;
465 }
466
467 if (!response)
468 {
469 // Send back a ConfigAck
470 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
471 if (!q) return;
472 response = *q = ConfigAck;
473 }
474
475 LOG(3, session[s].ip, s, t, "Sending %s\n", ppp_lcp_types[response]);
476 tunnelsend(b, l + (q - b), t);
477
478 if (!(session[s].flags & SF_LCP_ACKED))
479 initlcp(t, s);
480 }
481 else if (*p == ConfigNak)
482 {
483 LOG(1, session[s].ip, s, t, "Remote end sent a ConfigNak. Ignoring\n");
484 if (config->debug > 3) dumplcp(p, l);
485 return ;
486 }
487 else if (*p == TerminateReq)
488 {
489 LOG(3, session[s].ip, s, t, "LCP: Received TerminateReq. Sending TerminateAck\n");
490 *p = TerminateAck; // close
491 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
492 if (!q) return;
493 tunnelsend(b, l + (q - b), t); // send it
494 sessionshutdown(s, "Remote end closed connection.");
495 }
496 else if (*p == TerminateAck)
497 {
498 sessionshutdown(s, "Connection closed.");
499 }
500 else if (*p == EchoReq)
501 {
502 LOG(5, session[s].ip, s, t, "LCP: Received EchoReq. Sending EchoReply\n");
503 *p = EchoReply; // reply
504 *(u32 *) (p + 4) = htonl(session[s].magic); // our magic number
505 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
506 if (!q) return;
507 tunnelsend(b, l + (q - b), t); // send it
508 }
509 else if (*p == EchoReply)
510 {
511 // Ignore it, last_packet time is set earlier than this.
512 }
513 else if (*p == IdentRequest)
514 {
515 *p = CodeRej;
516 if (l > MAXCONTROL)
517 {
518 LOG(1, 0, s, t, "Truncated Ident Packet (length=%d) to 1400 bytes\n", l);
519 l = 1400;
520 }
521 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
522 if (!q) return;
523 LOG_HEX(5, "LCPIdentRej", q, l + 4);
524 tunnelsend(b, 12 + 4 + l, t);
525 }
526 else
527 {
528 LOG(1, session[s].ip, s, t, "Unexpected LCP code %d\n", *p);
529 STAT(tunnel_rx_errors);
530 return ;
531 }
532 }
533
534 // find a PPP option, returns point to option, or 0 if not found
535 static u8 *findppp(u8 *b, u8 mtype)
536 {
537 u16 l = ntohs(*(u16 *) (b + 2));
538 if (l < 4)
539 return 0;
540 b += 4;
541 l -= 4;
542 while (l)
543 {
544 if (l < b[1] || !b[1])
545 return 0; // faulty
546 if (*b == mtype)
547 return b;
548 l -= b[1];
549 b += b[1];
550 }
551 return 0;
552 }
553
554 // Process IPCP messages
555 void processipcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
556 {
557 u16 hl;
558
559 CSTAT(call_processipcp);
560
561 LOG_HEX(5, "IPCP", p, l);
562 if (l < 5)
563 {
564 LOG(1, 0, s, t, "Short IPCP %d bytes\n", l);
565 STAT(tunnel_rx_errors);
566 return ;
567 }
568
569 if ((hl = ntohs(*(u16 *) (p + 2))) > l)
570 {
571 LOG(1, 0, s, t, "Length mismatch IPCP %u/%u\n", hl, l);
572 STAT(tunnel_rx_errors);
573 return ;
574 }
575 l = hl;
576
577 if (*p == ConfigAck)
578 {
579 // happy with our IPCP
580 u16 r = session[s].radius;
581 if ((!r || radius[r].state == RADIUSIPCP) && !session[s].walled_garden)
582 {
583 if (!r)
584 r = radiusnew(s);
585 if (r)
586 radiussend(r, RADIUSSTART); // send radius start, having got IPCP at last
587 }
588 session[s].flags |= SF_IPCP_ACKED;
589
590 LOG(3, session[s].ip, s, t, "IPCP Acked, session is now active\n");
591
592 // clear LCP_ACKED flag for possible fast renegotiaion for routers
593 session[s].flags &= ~SF_LCP_ACKED;
594
595 return;
596 }
597 if (*p != ConfigReq)
598 {
599 LOG(1, 0, s, t, "Unexpected IPCP code %d\n", *p);
600 STAT(tunnel_rx_errors);
601 return ;
602 }
603 LOG(4, session[s].ip, s, t, "IPCP ConfigReq received\n");
604
605 if (!session[s].ip)
606 {
607 LOG(3, 0, s, t, "Waiting on radius reply\n");
608 return; // have to wait on RADIUS reply
609 }
610 // form a config reply quoting the IP in the session
611 {
612 u8 b[MAXCONTROL];
613 u8 *i,
614 *q;
615
616 q = p + 4;
617 i = p + l;
618 while (q < i && q[1])
619 {
620 if (*q != 0x81 && *q != 0x83 && *q != 3)
621 break;
622 q += q[1];
623 }
624 if (q < i)
625 {
626 // reject
627 u16 n = 4;
628 i = p + l;
629 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
630 return;
631
632 *q = ConfigRej;
633 p += 4;
634 while (p < i && p[1])
635 {
636 if (*p != 0x81 && *p != 0x83 && *p != 3)
637 {
638 LOG(2, 0, s, t, "IPCP reject %d\n", *p);
639 memcpy(q + n, p, p[1]);
640 n += p[1];
641 }
642 p += p[1];
643 }
644 *(u16 *) (q + 2) = htons(n);
645 LOG(4, session[s].ip, s, t, "Sending ConfigRej\n");
646 tunnelsend(b, n + (q - b), t); // send it
647 }
648 else
649 {
650 LOG(4, session[s].ip, s, t, "Sending ConfigAck\n");
651 *p = ConfigAck;
652 if ((i = findppp(p, 0x81))) // Primary DNS address
653 {
654 if (*(u32 *) (i + 2) != htonl(session[s].dns1))
655 {
656 *(u32 *) (i + 2) = htonl(session[s].dns1);
657 *p = ConfigNak;
658 LOG(5, session[s].ip, s, t, " DNS1 = %s\n", inet_toa(session[s].dns1));
659 }
660 }
661 if ((i = findppp(p, 0x83))) // Secondary DNS address (TBA, is it)
662 {
663 if (*(u32 *) (i + 2) != htonl(session[s].dns2))
664 {
665 *(u32 *) (i + 2) = htonl(session[s].dns2);
666 *p = ConfigNak;
667 LOG(5, session[s].ip, s, t, " DNS2 = %s\n", inet_toa(session[s].dns2));
668 }
669 }
670 i = findppp(p, 3); // IP address
671 if (!i || i[1] != 6)
672 {
673 LOG(1, 0, s, t, "No IP in IPCP request\n");
674 STAT(tunnel_rx_errors);
675 return ;
676 }
677 if (*(u32 *) (i + 2) != htonl(session[s].ip))
678 {
679 *(u32 *) (i + 2) = htonl(session[s].ip);
680 *p = ConfigNak;
681 LOG(4, session[s].ip, s, t, " No, a ConfigNak, client is requesting IP - sending %s\n",
682 inet_toa(htonl(session[s].ip)));
683 }
684 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
685 return;
686
687 tunnelsend(b, l + (q - b), t); // send it
688 }
689 }
690 }
691
692 // process IP packet received
693 //
694 // This MUST be called with at least 4 byte behind 'p'.
695 // (i.e. this routine writes to p[-4]).
696 void processipin(tunnelidt t, sessionidt s, u8 *p, u16 l)
697 {
698 ipt ip;
699
700 CSTAT(call_processipin);
701
702 LOG_HEX(5, "IP", p, l);
703
704 ip = ntohl(*(u32 *)(p + 12));
705
706 if (l > MAXETHER)
707 {
708 LOG(1, ip, s, t, "IP packet too long %d\n", l);
709 STAT(tunnel_rx_errors);
710 return ;
711 }
712
713 // no spoof (do sessionbyip to handled statically routed subnets)
714 if (ip != session[s].ip && sessionbyip(htonl(ip)) != s)
715 {
716 LOG(5, ip, s, t, "Dropping packet with spoofed IP %s\n", inet_toa(htonl(ip)));
717 return;
718 }
719
720 // Add on the tun header
721 p -= 4;
722 *(u32 *)p = htonl(0x00000800);
723 l += 4;
724
725 if (session[s].tbf_in && !config->cluster_iam_master) { // Are we throttled and a slave?
726 master_throttle_packet(session[s].tbf_in, p, l); // Pass it to the master for handling.
727 return;
728 }
729
730 if (session[s].tbf_in && config->cluster_iam_master) { // Are we throttled and a master?? actually handle the throttled packets.
731 tbf_queue_packet(session[s].tbf_in, p, l);
732 return;
733 }
734
735 // send to ethernet
736 if (tun_write(p, l) < 0)
737 {
738 STAT(tun_tx_errors);
739 LOG(0, 0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
740 l, strerror(errno), tunfd, p);
741
742 return;
743 }
744
745 if (session[s].snoop_ip && session[s].snoop_port)
746 {
747 // Snooping this session
748 snoop_send_packet(p + 4, l - 4, session[s].snoop_ip, session[s].snoop_port);
749 }
750
751 session[s].cin += l - 4;
752 session[s].total_cin += l - 4;
753 sess_count[s].cin += l - 4;
754
755 session[s].pin++;
756 eth_tx += l - 4;
757
758 STAT(tun_tx_packets);
759 INC_STAT(tun_tx_bytes, l - 4);
760 }
761
762 //
763 // Helper routine for the TBF filters.
764 // Used to send queued data in from the user.
765 //
766 void send_ipin(sessionidt s, u8 *buf, int len)
767 {
768 LOG_HEX(5, "IP in throttled", buf, len);
769
770 if (write(tunfd, buf, len) < 0)
771 {
772 STAT(tun_tx_errors);
773 LOG(0, 0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
774 len, strerror(errno), tunfd, buf);
775
776 return;
777 }
778
779 if (session[s].snoop_ip && session[s].snoop_port)
780 {
781 // Snooping this session
782 snoop_send_packet(buf + 4, len - 4, session[s].snoop_ip, session[s].snoop_port);
783 }
784
785 // Increment packet counters
786 session[s].cin += len - 4;
787 session[s].total_cin += len - 4;
788 sess_count[s].cin += len - 4;
789
790 session[s].pin++;
791 eth_tx += len - 4;
792
793 STAT(tun_tx_packets);
794 INC_STAT(tun_tx_bytes, len - 4);
795 }
796
797
798 // Process CCP messages
799 void processccp(tunnelidt t, sessionidt s, u8 *p, u16 l)
800 {
801 u8 b[MAXCONTROL];
802 u8 *q;
803
804 CSTAT(call_processccp);
805
806 LOG_HEX(5, "CCP", p, l);
807 switch (l > 1 ? *p : 0)
808 {
809 case ConfigReq:
810 if (l < 6)
811 *p = ConfigAck; // accept no compression
812 else
813 *p = ConfigRej; // reject
814
815 break;
816
817 case TerminateReq:
818 *p = TerminateAck;
819 break;
820
821 default:
822 if (l > 1)
823 LOG(1, 0, s, t, "Unexpected CCP request code %d\n", *p);
824 else
825 LOG(1, 0, s, t, "Short CCP packet\n");
826
827 STAT(tunnel_rx_errors);
828 return;
829 }
830
831 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPCCP)))
832 return;
833
834 tunnelsend(b, l + (q - b), t); // send it
835 }
836
837 // send a CHAP PP packet
838 void sendchap(tunnelidt t, sessionidt s)
839 {
840 u8 b[MAXCONTROL];
841 u16 r = session[s].radius;
842 u8 *q;
843
844 CSTAT(call_sendchap);
845
846 if (!r)
847 {
848 LOG(1, 0, s, t, "No RADIUS to send challenge\n");
849 STAT(tunnel_tx_errors);
850 return ;
851 }
852 LOG(1, 0, s, t, "Send CHAP challenge\n");
853 {
854 // new challenge
855 int n;
856 for (n = 0; n < 15; n++)
857 radius[r].auth[n] = rand();
858 }
859 radius[r].chap = 1; // CHAP not PAP
860 radius[r].id++;
861 if (radius[r].state != RADIUSCHAP)
862 radius[r].try = 0;
863 radius[r].state = RADIUSCHAP;
864 radius[r].retry = backoff(radius[r].try++);
865 if (radius[r].try > 5)
866 {
867 sessionshutdown(s, "Timeout CHAP");
868 STAT(tunnel_tx_errors);
869 return ;
870 }
871 q = makeppp(b, sizeof(b), 0, 0, t, s, PPPCHAP);
872 if (!q) return;
873
874 *q = 1; // challenge
875 q[1] = radius[r].id; // ID
876 q[4] = 16; // length
877 memcpy(q + 5, radius[r].auth, 16); // challenge
878 strcpy(q + 21, hostname); // our name
879 *(u16 *) (q + 2) = htons(strlen(hostname) + 21); // length
880 tunnelsend(b, strlen(hostname) + 21 + (q - b), t); // send it
881 }
882
883 // fill in a L2TP message with a PPP frame,
884 // copies existing PPP message and changes magic number if seen
885 // returns start of PPP frame
886 u8 *makeppp(u8 *b, int size, u8 *p, int l, tunnelidt t, sessionidt s, u16 mtype)
887 {
888 if (size < 12) // Need more space than this!!
889 {
890 static int backtrace_count = 0;
891 LOG(0, session[s].ip, s, t, "makeppp buffer too small for L2TP header (size=%d)\n", size);
892 log_backtrace(backtrace_count, 5)
893 return NULL;
894 }
895
896 *(u16 *) (b + 0) = htons(0x0002); // L2TP with no options
897 *(u16 *) (b + 2) = htons(tunnel[t].far); // tunnel
898 *(u16 *) (b + 4) = htons(session[s].far); // session
899 b += 6;
900 if (mtype == PPPLCP || !(session[s].l2tp_flags & SESSIONACFC))
901 {
902 *(u16 *) b = htons(0xFF03); // HDLC header
903 b += 2;
904 }
905 if (mtype < 0x100 && session[s].l2tp_flags & SESSIONPFC)
906 *b++ = mtype;
907 else
908 {
909 *(u16 *) b = htons(mtype);
910 b += 2;
911 }
912
913 if (l + 12 > size)
914 {
915 static int backtrace_count = 0;
916 LOG(2, session[s].ip, s, t, "makeppp would overflow buffer (size=%d, header+payload=%d)\n", size, l + 12);
917 log_backtrace(backtrace_count, 5)
918 return NULL;
919 }
920
921 if (p && l)
922 memcpy(b, p, l);
923
924 return b;
925 }
926
927 // Send initial LCP ConfigReq
928 void initlcp(tunnelidt t, sessionidt s)
929 {
930 char b[500] = {0}, *q;
931
932 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP)))
933 return;
934
935 LOG(4, 0, s, t, "Sending LCP ConfigReq for PAP\n");
936 *q = ConfigReq;
937 *(u8 *)(q + 1) = (time_now % 255) + 1; // ID
938 *(u16 *)(q + 2) = htons(14); // Length
939 *(u8 *)(q + 4) = 5;
940 *(u8 *)(q + 5) = 6;
941 *(u32 *)(q + 6) = htonl(session[s].magic);
942 *(u8 *)(q + 10) = 3;
943 *(u8 *)(q + 11) = 4;
944 *(u16 *)(q + 12) = htons(PPPPAP); // PAP
945 tunnelsend(b, 12 + 14, t);
946 }