cleanup packet length handling
[l2tpns.git] / ppp.c
1 // L2TPNS PPP Stuff
2
3 char const *cvs_id_ppp = "$Id: ppp.c,v 1.18 2004/11/03 13:22:39 bodea Exp $";
4
5 #include <stdio.h>
6 #include <string.h>
7 #include <unistd.h>
8 #include <errno.h>
9 #include <stdlib.h>
10 #include "l2tpns.h"
11 #include "constants.h"
12 #include "plugin.h"
13 #include "util.h"
14 #include "tbf.h"
15 #include "cluster.h"
16
17 extern tunnelt *tunnel;
18 extern sessiont *session;
19 extern radiust *radius;
20 extern int tunfd;
21 extern char hostname[];
22 extern u32 eth_tx;
23 extern time_t time_now;
24 extern struct configt *config;
25
26 void sendccp(tunnelidt t, sessionidt s);
27
28 // Process PAP messages
29 void processpap(tunnelidt t, sessionidt s, u8 *p, u16 l)
30 {
31 char user[129];
32 char pass[129];
33 u16 hl;
34
35 CSTAT(call_processpap);
36
37 log_hex(5, "PAP", p, l);
38 if (l < 4)
39 {
40 log(1, 0, s, t, "Short PAP %u bytes\n", l);
41 STAT(tunnel_rx_errors);
42 return ;
43 }
44
45 if ((hl = ntohs(*(u16 *) (p + 2))) > l)
46 {
47 log(1, 0, s, t, "Length mismatch PAP %u/%u\n", hl, l);
48 STAT(tunnel_rx_errors);
49 return ;
50 }
51 l = hl;
52
53 if (*p != 1)
54 {
55 log(1, 0, s, t, "Unexpected PAP code %d\n", *p);
56 STAT(tunnel_rx_errors);
57 return ;
58 }
59
60 {
61 u8 *b = p;
62 b += 4;
63 if (*b && *b < sizeof(user))
64 memcpy(user, b + 1, *b);
65 user[*b] = 0;
66 b += 1 + *b;
67 if (*b && *b < sizeof(pass))
68 memcpy(pass, b + 1, *b);
69 pass[*b] = 0;
70 log(3, 0, s, t, "PAP login %s/%s\n", user, pass);
71 }
72 if (session[s].ip || !session[s].radius)
73 {
74 // respond now, either no RADIUS available or already authenticated
75 u8 b[MAXCONTROL];
76 u8 id = p[1];
77 u8 *p = makeppp(b, sizeof(b), 0, 0, t, s, PPPPAP);
78 if (!p) { // Failed to make ppp header!
79 log(1,0,0,0, "Failed to make PPP header in process pap!\n");
80 return;
81 }
82 if (session[s].ip)
83 *p = 2; // ACK
84 else
85 *p = 3; // cant authorise
86 p[1] = id;
87 *(u16 *) (p + 2) = htons(5); // length
88 p[4] = 0; // no message
89 if (session[s].ip)
90 {
91 log(3, session[s].ip, s, t, "%d Already an IP allocated: %s (%d)\n", getpid(), inet_toa(htonl(session[s].ip)), session[s].ip_pool_index);
92 session[s].flags &= ~SF_IPCP_ACKED;
93 }
94 else
95 {
96 log(1, 0, s, t, "No radius session available to authenticate session...\n");
97 }
98 log(3, 0, s, t, "Fallback response to PAP (%s)\n", (session[s].ip) ? "ACK" : "NAK");
99 tunnelsend(b, 5 + (p - b), t); // send it
100 }
101 else
102 {
103 // set up RADIUS request
104 u16 r = session[s].radius;
105
106 // Run PRE_AUTH plugins
107 struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
108 run_plugins(PLUGIN_PRE_AUTH, &packet);
109 if (!packet.continue_auth)
110 {
111 log(3, 0, s, t, "A plugin rejected PRE_AUTH\n");
112 if (packet.username) free(packet.username);
113 if (packet.password) free(packet.password);
114 return;
115 }
116
117 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
118 strncpy(radius[r].pass, packet.password, sizeof(radius[r].pass) - 1);
119
120 free(packet.username);
121 free(packet.password);
122
123 radius[r].id = p[1];
124 log(3, 0, s, t, "Sending login for %s/%s to radius\n", user, pass);
125 radiussend(r, RADIUSAUTH);
126 }
127 }
128
129 // Process CHAP messages
130 void processchap(tunnelidt t, sessionidt s, u8 *p, u16 l)
131 {
132 u16 r;
133 u16 hl;
134
135 CSTAT(call_processchap);
136
137 log_hex(5, "CHAP", p, l);
138 r = session[s].radius;
139 if (!r)
140 {
141 log(1, 0, s, t, "Unexpected CHAP message\n");
142
143 // FIXME: Need to drop the session here.
144
145 STAT(tunnel_rx_errors);
146 return;
147 }
148
149 if (l < 4)
150 {
151 log(1, 0, s, t, "Short CHAP %u bytes\n", l);
152 STAT(tunnel_rx_errors);
153 return ;
154 }
155
156 if ((hl = ntohs(*(u16 *) (p + 2))) > l)
157 {
158 log(1, 0, s, t, "Length mismatch CHAP %u/%u\n", hl, l);
159 STAT(tunnel_rx_errors);
160 return ;
161 }
162 l = hl;
163
164 if (*p != 2)
165 {
166 log(1, 0, s, t, "Unexpected CHAP response code %d\n", *p);
167 STAT(tunnel_rx_errors);
168 return;
169 }
170 if (p[1] != radius[r].id)
171 {
172 log(1, 0, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
173 STAT(tunnel_rx_errors);
174 return ;
175 }
176
177 if (l < 5 || p[4] != 16)
178 {
179 log(1, 0, s, t, "Bad CHAP response length %d\n", l < 5 ? -1 : p[4]);
180 STAT(tunnel_rx_errors);
181 return ;
182 }
183
184 l -= 5;
185 p += 5;
186 if (l < 16 || l - 16 >= sizeof(session[s].user))
187 {
188 log(1, 0, s, t, "CHAP user too long %d\n", l - 16);
189 STAT(tunnel_rx_errors);
190 return ;
191 }
192
193 // Run PRE_AUTH plugins
194 {
195 struct param_pre_auth packet = { &tunnel[t], &session[s], NULL, NULL, PPPCHAP, 1 };
196
197 packet.username = calloc(l - 16 + 1, 1);
198 packet.password = calloc(16, 1);
199 memcpy(packet.username, p + 16, l - 16);
200 memcpy(packet.password, p, 16);
201
202 run_plugins(PLUGIN_PRE_AUTH, &packet);
203 if (!packet.continue_auth)
204 {
205 log(3, 0, s, t, "A plugin rejected PRE_AUTH\n");
206 if (packet.username) free(packet.username);
207 if (packet.password) free(packet.password);
208 return;
209 }
210
211 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
212 memcpy(radius[r].pass, packet.password, 16);
213
214 free(packet.username);
215 free(packet.password);
216 }
217
218 radius[r].chap = 1;
219 log(3, 0, s, t, "CHAP login %s\n", session[s].user);
220 radiussend(r, RADIUSAUTH);
221 }
222
223 char *ppp_lcp_types[] = {
224 NULL,
225 "ConfigReq",
226 "ConfigAck",
227 "ConfigNak",
228 "ConfigRej",
229 "TerminateReq",
230 "TerminateAck",
231 "CodeRej",
232 "ProtocolRej",
233 "EchoReq",
234 "EchoReply",
235 "DiscardRequest",
236 "IdentRequest",
237 };
238
239 void dumplcp(u8 *p, int l)
240 {
241 int x = l - 4;
242 u8 *o = (p + 4);
243
244 log_hex(5, "PPP LCP Packet", p, l);
245 log(4, 0, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_types[(int)*p], ntohs( ((u16 *) p)[1]) );
246 log(4, 0, 0, 0, "Length: %d\n", l);
247 if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
248 return;
249
250 while (x > 2)
251 {
252 int type = o[0];
253 int length = o[1];
254 if (length < 2)
255 {
256 log(4, 0, 0, 0, " Option length is %d...\n", length);
257 break;
258 }
259 if (type == 0)
260 {
261 log(4, 0, 0, 0, " Option type is 0...\n");
262 x -= length;
263 o += length;
264 continue;
265 }
266 switch (type)
267 {
268 case 1: // Maximum-Receive-Unit
269 if (length == 4)
270 log(4, 0, 0, 0, " %s %d\n", lcp_types[type], ntohs(*(u16 *)(o + 2)));
271 else
272 log(4, 0, 0, 0, " %s odd length %d\n", lcp_types[type], length);
273 break;
274 case 3: // Authentication-Protocol
275 {
276 if (length == 4)
277 {
278 int proto = ntohs(*(u16 *)(o + 2));
279 log(4, 0, 0, 0, " %s 0x%x (%s)\n", lcp_types[type], proto,
280 proto == 0xC223 ? "CHAP" :
281 proto == 0xC023 ? "PAP" : "UNKNOWN");
282 }
283 else
284 log(4, 0, 0, 0, " %s odd length %d\n", lcp_types[type], length);
285 break;
286 }
287 case 4: // Quality-Protocol
288 {
289 u32 qp = ntohl(*(u32 *)(o + 2));
290 log(4, 0, 0, 0, " %s %x\n", lcp_types[type], qp);
291 break;
292 }
293 case 5: // Magic-Number
294 {
295 if (length == 6)
296 {
297 u32 magicno = ntohl(*(u32 *)(o + 2));
298 log(4, 0, 0, 0, " %s %x\n", lcp_types[type], magicno);
299 }
300 else
301 log(4, 0, 0, 0, " %s odd length %d\n", lcp_types[type], length);
302 break;
303 }
304 case 7: // Protocol-Field-Compression
305 {
306 log(4, 0, 0, 0, " %s\n", lcp_types[type]);
307 break;
308 }
309 case 8: // Address-And-Control-Field-Compression
310 {
311 log(4, 0, 0, 0, " %s\n", lcp_types[type]);
312 break;
313 }
314 default:
315 log(2, 0, 0, 0, " Unknown PPP LCP Option type %d\n", type);
316 break;
317 }
318 x -= length;
319 o += length;
320 }
321 }
322
323 // Process LCP messages
324 void processlcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
325 {
326 u8 b[MAXCONTROL];
327 u8 *q = NULL;
328 u32 magicno = 0;
329 u16 hl;
330
331 CSTAT(call_processlcp);
332
333 log_hex(5, "LCP", p, l);
334 if (l < 4)
335 {
336 log(1, session[s].ip, s, t, "Short LCP %d bytes\n", l);
337 STAT(tunnel_rx_errors);
338 return ;
339 }
340
341 if ((hl = ntohs(*(u16 *) (p + 2))) > l)
342 {
343 log(1, 0, s, t, "Length mismatch LCP %u/%u\n", hl, l);
344 STAT(tunnel_rx_errors);
345 return ;
346 }
347 l = hl;
348
349 if (*p == ConfigAck)
350 {
351 log(3, session[s].ip, s, t, "LCP: Discarding ConfigAck\n");
352 session[s].flags |= SESSIONLCPACK;
353 }
354 else if (*p == ConfigReq)
355 {
356 int x = l - 4;
357 u8 *o = (p + 4);
358
359 log(3, session[s].ip, s, t, "LCP: ConfigReq (%d bytes)...\n", l);
360 if (config->debug > 3) dumplcp(p, l);
361
362 while (x > 2)
363 {
364 int type = o[0];
365 int length = o[1];
366 if (length == 0 || type == 0) break;
367 switch (type)
368 {
369 case 1: // Maximum-Receive-Unit
370 session[s].mru = ntohs(*(u16 *)(o + 2));
371 break;
372 case 2: // asyncmap
373 log_hex(2, "PPP LCP Packet", p, l);
374 log(2, 0, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_types[(int)*p], ntohs( ((u16 *) p)[1]) );
375 break;
376 case 3: // Authentication-Protocol
377 {
378 int proto = ntohs(*(u16 *)(o + 2));
379 if (proto == 0xC223)
380 {
381 log(2, session[s].ip, s, t, " Remote end is trying to do CHAP. Rejecting it.\n");
382
383 if (!q)
384 {
385 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
386 if (!q) {
387 log(2, session[s].ip, s, t, " Failed to send packet.\n");
388 break;
389 }
390 *q++ = ConfigNak;
391 }
392 memcpy(q, o, length);
393 *(u16 *)(q += 2) = htons(0xC023); // NAK -> Use PAP instead
394 q += length;
395 }
396 break;
397 }
398 case 5: // Magic-Number
399 {
400 magicno = ntohl(*(u32 *)(o + 2));
401 break;
402 }
403 case 4: // Quality-Protocol
404 case 7: // Protocol-Field-Compression
405 case 8: // Address-And-Control-Field-Compression
406 break;
407 case 13: // CallBack option for LCP extention of win2000/routers L2TP client
408 case 17:
409 case 18:
410 {
411 // Reject LCP CallBack
412 log(2, session[s].ip, s, t, " PPP LCP Option type %d, len=%d\n", type, length);
413 memcpy(p + 4, o, length);
414 *(u16 *)(p + 2) = htons(length + 4);
415 *p = ConfigRej;
416 q = makeppp(b,sizeof(b), p, length + 4, t, s, PPPLCP);
417 tunnelsend(b, 12 + length + 4, t);
418 return;
419 }
420
421 default:
422 // Reject Unknown LCP Option to stop to send it again
423 log(2, session[s].ip, s, t, " Unknown PPP LCP Option type %d\n", type);
424 memcpy(p + 4, o, length);
425 *(u16 *)(p + 2) = htons(length + 4);
426 *p = ConfigRej;
427 q = makeppp(b,sizeof(b), p, length + 4, t, s, PPPLCP);
428 tunnelsend(b, 12 + length + 4, t);
429 return;
430 }
431 x -= length;
432 o += length;
433 }
434
435 if (!q)
436 {
437 // Send back a ConfigAck
438 log(3, session[s].ip, s, t, "ConfigReq accepted, sending as Ack\n");
439 // for win2k L2TP clients and LCP renegotiation of alive session
440 if (magicno || l == 4 || (session[s].mru && l == 8)) initlcp(t, s);
441 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
442 if (!q)
443 {
444 log(3, session[s].ip, s, t, " failed to create packet.\n");
445 return;
446 }
447 *q = ConfigAck;
448 tunnelsend(b, l + (q - b), t);
449 }
450 else
451 {
452 // Already built a ConfigNak... send it
453 log(3, session[s].ip, s, t, "Sending ConfigNak\n");
454 tunnelsend(b, l + (q - b), t);
455 }
456
457 if (!(session[s].flags & SESSIONLCPACK))
458 initlcp(t, s);
459 }
460 else if (*p == ConfigNak)
461 {
462 log(1, session[s].ip, s, t, "Remote end sent a ConfigNak. Ignoring\n");
463 if (config->debug > 3) dumplcp(p, l);
464 return ;
465 }
466 else if (*p == TerminateReq)
467 {
468 *p = TerminateAck; // close
469 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
470 if (!q) {
471 log(3, session[s].ip, s, t, "Failed to create PPP packet in processlcp.\n");
472 return;
473 }
474 log(3, session[s].ip, s, t, "LCP: Received TerminateReq. Sending TerminateAck\n");
475 sessionshutdown(s, "Remote end closed connection.");
476 tunnelsend(b, l + (q - b), t); // send it
477 }
478 else if (*p == TerminateAck)
479 {
480 sessionshutdown(s, "Connection closed.");
481 }
482 else if (*p == EchoReq)
483 {
484 *p = EchoReply; // reply
485 *(u32 *) (p + 4) = htonl(session[s].magic); // our magic number
486 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
487 if (!q) {
488 log(3, session[s].ip, s, t, " failed to send EchoReply.\n");
489 return;
490 }
491 log(5, session[s].ip, s, t, "LCP: Received EchoReq. Sending EchoReply\n");
492 tunnelsend(b, l + (q - b), t); // send it
493 }
494 else if (*p == EchoReply)
495 {
496 // Ignore it, last_packet time is set earlier than this.
497 }
498 else if (*p == IdentRequest)
499 {
500 *p = CodeRej;
501 if (l > MAXCONTROL)
502 {
503 log(1, 0, s, t, "Truncated Ident Packet (length=%d) to 1400 bytes\n", l);
504 l = 1400;
505 }
506 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
507 if (!q)
508 {
509 log(3, session[s].ip, s, t, "Failed to create IdentRej.\n");
510 return;
511 }
512 log_hex(5, "LCPIdentRej", q, l + 4);
513 tunnelsend(b, 12 + 4 + l, t);
514 }
515 else
516 {
517 log(1, session[s].ip, s, t, "Unexpected LCP code %d\n", *p);
518 STAT(tunnel_rx_errors);
519 return ;
520 }
521 }
522
523 // Process IPCP messages
524 void processipcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
525 {
526 u16 hl;
527
528 CSTAT(call_processipcp);
529
530 log_hex(5, "IPCP", p, l);
531 if (l < 5)
532 {
533 log(1, 0, s, t, "Short IPCP %d bytes\n", l);
534 STAT(tunnel_rx_errors);
535 return ;
536 }
537
538 if ((hl = ntohs(*(u16 *) (p + 2))) > l)
539 {
540 log(1, 0, s, t, "Length mismatch IPCP %u/%u\n", hl, l);
541 STAT(tunnel_rx_errors);
542 return ;
543 }
544 l = hl;
545
546 if (*p == ConfigAck)
547 {
548 // happy with our IPCP
549 u16 r = session[s].radius;
550 if ((!r || radius[r].state == RADIUSIPCP) && !session[s].walled_garden)
551 {
552 if (!r)
553 r = radiusnew(s);
554 if (r)
555 radiussend(r, RADIUSSTART); // send radius start, having got IPCP at last
556 }
557 session[s].flags |= SF_IPCP_ACKED;
558
559 log(3, session[s].ip, s, t, "IPCP Acked, session is now active\n");
560 return;
561 }
562 if (*p != ConfigReq)
563 {
564 log(1, 0, s, t, "Unexpected IPCP code %d\n", *p);
565 STAT(tunnel_rx_errors);
566 return ;
567 }
568 log(4, session[s].ip, s, t, "IPCP ConfigReq received\n");
569
570 if (!session[s].ip)
571 {
572 log(3, 0, s, t, "Waiting on radius reply\n");
573 return; // have to wait on RADIUS reply
574 }
575 // form a config reply quoting the IP in the session
576 {
577 u8 b[MAXCONTROL];
578 u8 *i,
579 *q;
580
581 q = p + 4;
582 i = p + l;
583 while (q < i && q[1])
584 {
585 if (*q != 0x81 && *q != 0x83 && *q != 3)
586 break;
587 q += q[1];
588 }
589 if (q < i)
590 {
591 // reject
592 u16 n = 4;
593 i = p + l;
594 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
595 {
596 log(2, 0, s, t, "Failed to send IPCP ConfigRej\n");
597 return;
598 }
599 *q = ConfigRej;
600 p += 4;
601 while (p < i && p[1])
602 {
603 if (*p != 0x81 && *p != 0x83 && *p != 3)
604 {
605 log(2, 0, s, t, "IPCP reject %d\n", *p);
606 memcpy(q + n, p, p[1]);
607 n += p[1];
608 }
609 p += p[1];
610 }
611 *(u16 *) (q + 2) = htons(n);
612 log(4, session[s].ip, s, t, "Sending ConfigRej\n");
613 tunnelsend(b, n + (q - b), t); // send it
614 }
615 else
616 {
617 log(4, session[s].ip, s, t, "Sending ConfigAck\n");
618 *p = ConfigAck;
619 if ((i = findppp(p, 0x81))) // Primary DNS address
620 {
621 if (*(u32 *) (i + 2) != htonl(session[s].dns1))
622 {
623 *(u32 *) (i + 2) = htonl(session[s].dns1);
624 *p = ConfigNak;
625 log(5, session[s].ip, s, t, " DNS1 = %s\n", inet_toa(session[s].dns1));
626 }
627 }
628 if ((i = findppp(p, 0x83))) // Secondary DNS address (TBA, is it)
629 {
630 if (*(u32 *) (i + 2) != htonl(session[s].dns2))
631 {
632 *(u32 *) (i + 2) = htonl(session[s].dns2);
633 *p = ConfigNak;
634 log(5, session[s].ip, s, t, " DNS2 = %s\n", inet_toa(session[s].dns1));
635 }
636 }
637 i = findppp(p, 3); // IP address
638 if (!i || i[1] != 6)
639 {
640 log(1, 0, s, t, "No IP in IPCP request\n");
641 STAT(tunnel_rx_errors);
642 return ;
643 }
644 if (*(u32 *) (i + 2) != htonl(session[s].ip))
645 {
646 *(u32 *) (i + 2) = htonl(session[s].ip);
647 *p = ConfigNak;
648 log(4, session[s].ip, s, t, " No, a ConfigNak, client is requesting IP - sending %s\n",
649 inet_toa(htonl(session[s].ip)));
650 }
651 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
652 {
653 log(2, 0, s, t, " Failed to send IPCP packet.\n");
654 return;
655 }
656 tunnelsend(b, l + (q - b), t); // send it
657 }
658 }
659 }
660
661 // process IP packet received
662 //
663 // This MUST be called with at least 4 byte behind 'p'.
664 // (i.e. this routine writes to p[-4]).
665 void processipin(tunnelidt t, sessionidt s, u8 *p, u16 l)
666 {
667 ipt ip;
668
669 CSTAT(call_processipin);
670
671 log_hex(5, "IP", p, l);
672
673 ip = ntohl(*(u32 *)(p + 12));
674
675 if (l > MAXETHER)
676 {
677 log(1, ip, s, t, "IP packet too long %d\n", l);
678 STAT(tunnel_rx_errors);
679 return ;
680 }
681
682 // no spoof (do sessionbyip to handled statically routed subnets)
683 if (ip != session[s].ip && sessionbyip(htonl(ip)) != s)
684 {
685 log(5, ip, s, t, "Dropping packet with spoofed IP %s\n", inet_toa(htonl(ip)));
686 return;
687 }
688
689 // Add on the tun header
690 p -= 4;
691 *(u32 *)p = htonl(0x00000800);
692 l += 4;
693
694 if (session[s].tbf_in && !config->cluster_iam_master) { // Are we throttled and a slave?
695 master_throttle_packet(session[s].tbf_in, p, l); // Pass it to the master for handling.
696 return;
697 }
698
699 session[s].cin += l - 4;
700 session[s].total_cin += l - 4;
701 sess_count[s].cin += l - 4;
702
703 session[s].pin++;
704 eth_tx += l - 4;
705
706 if (session[s].snoop_ip && session[s].snoop_port)
707 {
708 // Snooping this session
709 snoop_send_packet(p, l, session[s].snoop_ip, session[s].snoop_port);
710 }
711 STAT(tun_tx_packets);
712 INC_STAT(tun_tx_bytes, l);
713
714 if (session[s].tbf_in && config->cluster_iam_master) { // Are we throttled and a master?? actually handle the throttled packets.
715 tbf_queue_packet(session[s].tbf_in, p, l);
716 return;
717 }
718
719 // send to ethernet
720 if (tun_write(p, l) < 0)
721 {
722 STAT(tun_tx_errors);
723 log(0, 0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
724 l, strerror(errno), tunfd, p);
725 }
726
727 }
728
729 //
730 // Helper routine for the TBF filters.
731 // Used to send queued data in from the user.
732 //
733 void send_ipin(sessionidt s, u8 *buf, int len)
734 {
735 log_hex(5, "IP in throttled", buf, len);
736 if (write(tunfd, buf, len) < 0)
737 {
738 STAT(tun_tx_errors);
739 log(0, 0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
740 len, strerror(errno), tunfd, buf);
741 }
742
743 // Increment packet counters
744 session[s].cin += len - 4;
745 session[s].total_cin += len - 4;
746 sess_count[s].cin += len - 4;
747
748 session[s].pin++;
749 eth_tx += len - 4;
750 }
751
752
753 // Process LCP messages
754 void processccp(tunnelidt t, sessionidt s, u8 *p, u16 l)
755 {
756
757 CSTAT(call_processccp);
758
759 log_hex(5, "CCP", p, l);
760 if (l < 2 || (*p != ConfigReq && *p != TerminateReq))
761 {
762 log(1, 0, s, t, "Unexpected CCP request code %d\n", *p);
763 STAT(tunnel_rx_errors);
764 return ;
765 }
766 // reject
767 {
768 u8 b[MAXCONTROL];
769 u8 *q;
770 if (*p == ConfigReq)
771 {
772 if (l < 6)
773 {
774 *p = ConfigAck; // accept no compression
775 }
776 else
777 {
778 *p = ConfigRej; // reject
779 sendccp(t, s);
780 }
781 }
782 else
783 *p = TerminateAck; // close
784 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPCCP)))
785 {
786 log(1,0,0,0, "Failed to send CCP packet.\n");
787 return;
788 }
789 tunnelsend(b, l + (q - b), t); // send it
790 }
791 }
792
793 // send a CHAP PP packet
794 void sendchap(tunnelidt t, sessionidt s)
795 {
796 u8 b[MAXCONTROL];
797 u16 r = session[s].radius;
798 u8 *q;
799
800 CSTAT(call_sendchap);
801
802 if (!r)
803 {
804 log(1, 0, s, t, "No RADIUS to send challenge\n");
805 STAT(tunnel_tx_errors);
806 return ;
807 }
808 log(1, 0, s, t, "Send CHAP challenge\n");
809 {
810 // new challenge
811 int n;
812 for (n = 0; n < 15; n++)
813 radius[r].auth[n] = rand();
814 }
815 radius[r].chap = 1; // CHAP not PAP
816 radius[r].id++;
817 if (radius[r].state != RADIUSCHAP)
818 radius[r].try = 0;
819 radius[r].state = RADIUSCHAP;
820 radius[r].retry = backoff(radius[r].try++);
821 if (radius[r].try > 5)
822 {
823 sessionshutdown(s, "Timeout CHAP");
824 STAT(tunnel_tx_errors);
825 return ;
826 }
827 q = makeppp(b, sizeof(b), 0, 0, t, s, PPPCHAP);
828 if (!q) {
829 log(1, 0, s, t, "failed to send CHAP challenge.\n");
830 return;
831 }
832 *q = 1; // challenge
833 q[1] = radius[r].id; // ID
834 q[4] = 16; // length
835 memcpy(q + 5, radius[r].auth, 16); // challenge
836 strcpy(q + 21, hostname); // our name
837 *(u16 *) (q + 2) = htons(strlen(hostname) + 21); // length
838 tunnelsend(b, strlen(hostname) + 21 + (q - b), t); // send it
839 }
840
841 // fill in a L2TP message with a PPP frame,
842 // copies existing PPP message and changes magic number if seen
843 // returns start of PPP frame
844 u8 *makeppp(u8 *b, int size, u8 *p, int l, tunnelidt t, sessionidt s, u16 mtype)
845 {
846 if (size < 12)
847 return NULL; // Need more space than this!!
848
849 *(u16 *) (b + 0) = htons(0x0002); // L2TP with no options
850 *(u16 *) (b + 2) = htons(tunnel[t].far); // tunnel
851 *(u16 *) (b + 4) = htons(session[s].far); // session
852 b += 6;
853 if (mtype == PPPLCP || !(session[s].l2tp_flags & SESSIONACFC))
854 {
855 *(u16 *) b = htons(0xFF03); // HDLC header
856 b += 2;
857 }
858 if (mtype < 0x100 && session[s].l2tp_flags & SESSIONPFC)
859 *b++ = mtype;
860 else
861 {
862 *(u16 *) b = htons(mtype);
863 b += 2;
864 }
865
866 if (l + 12 > size) {
867 log(3,0,0,0, "Would have overflowed the buffer in makeppp: size %d, len %d.\n", size, l);
868 return NULL; // Run out of room to hold the packet!
869 }
870 if (p && l)
871 memcpy(b, p, l);
872 return b;
873 }
874
875 // find a PPP option, returns point to option, or 0 if not found
876 u8 *findppp(u8 *b, u8 mtype)
877 {
878 u16 l = ntohs(*(u16 *) (b + 2));
879 if (l < 4)
880 return 0;
881 b += 4;
882 l -= 4;
883 while (l)
884 {
885 if (l < b[1] || !b[1])
886 return 0; // faulty
887 if (*b == mtype)
888 return b;
889 l -= b[1];
890 b += b[1];
891 }
892 return 0;
893 }
894
895 // Send initial LCP ConfigReq
896 void initlcp(tunnelidt t, sessionidt s)
897 {
898 char b[500] = {0}, *q;
899
900 q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP);
901 if (!q) {
902 log(1, 0, s, t, "Failed to send LCP ConfigReq.\n");
903 return;
904 }
905 log(4, 0, s, t, "Sending LCP ConfigReq for PAP\n");
906 *q = ConfigReq;
907 *(u8 *)(q + 1) = (time_now % 255) + 1; // ID
908 *(u16 *)(q + 2) = htons(14); // Length
909 *(u8 *)(q + 4) = 5;
910 *(u8 *)(q + 5) = 6;
911 *(u32 *)(q + 6) = htonl(session[s].magic);
912 *(u8 *)(q + 10) = 3;
913 *(u8 *)(q + 11) = 4;
914 *(u16 *)(q + 12) = htons(0xC023); // PAP
915 tunnelsend(b, 12 + 14, t);
916 }
917
918 // Send CCP reply
919 void sendccp(tunnelidt t, sessionidt s)
920 {
921 char *q, b[500] = {0};
922
923 q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPCCP);
924 *q = ConfigReq;
925 *(u8 *)(q + 1) = (time_now % 255) + 1; // ID
926 *(u16 *)(q + 2) = htons(4); // Length
927 log_hex(5, "PPPCCP", q, 4);
928 tunnelsend(b, (q - b) + 4 , t);
929 }
930