doh
[l2tpns.git] / ppp.c
1 // L2TPNS PPP Stuff
2
3 char const *cvs_id_ppp = "$Id: ppp.c,v 1.39.2.1 2005/01/13 07:58:54 bodea Exp $";
4
5 #include <stdio.h>
6 #include <string.h>
7 #include <unistd.h>
8 #include <errno.h>
9 #include <stdlib.h>
10 #include "l2tpns.h"
11 #include "constants.h"
12 #include "plugin.h"
13 #include "util.h"
14 #include "tbf.h"
15 #include "cluster.h"
16
17 extern tunnelt *tunnel;
18 extern sessiont *session;
19 extern radiust *radius;
20 extern int tunfd;
21 extern char hostname[];
22 extern uint32_t eth_tx;
23 extern time_t time_now;
24 extern configt *config;
25
26 static void initccp(tunnelidt t, sessionidt s);
27
28 // Process PAP messages
29 void processpap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
30 {
31 char user[129];
32 char pass[129];
33 uint16_t hl;
34
35 CSTAT(call_processpap);
36
37 LOG_HEX(5, "PAP", p, l);
38 if (l < 4)
39 {
40 LOG(1, s, t, "Short PAP %u bytes\n", l);
41 STAT(tunnel_rx_errors);
42 return ;
43 }
44
45 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
46 {
47 LOG(1, s, t, "Length mismatch PAP %u/%u\n", hl, l);
48 STAT(tunnel_rx_errors);
49 return ;
50 }
51 l = hl;
52
53 if (*p != 1)
54 {
55 LOG(1, s, t, "Unexpected PAP code %d\n", *p);
56 STAT(tunnel_rx_errors);
57 return ;
58 }
59
60 {
61 uint8_t *b = p;
62 b += 4;
63 if (*b && *b < sizeof(user))
64 memcpy(user, b + 1, *b);
65 user[*b] = 0;
66 b += 1 + *b;
67 if (*b && *b < sizeof(pass))
68 memcpy(pass, b + 1, *b);
69 pass[*b] = 0;
70 LOG(3, s, t, "PAP login %s/%s\n", user, pass);
71 }
72 if (session[s].ip || !session[s].radius)
73 {
74 // respond now, either no RADIUS available or already authenticated
75 uint8_t b[MAXCONTROL];
76 uint8_t id = p[1];
77 uint8_t *p = makeppp(b, sizeof(b), 0, 0, t, s, PPPPAP);
78 if (!p) return;
79
80 if (session[s].ip)
81 *p = 2; // ACK
82 else
83 *p = 3; // cant authorise
84 p[1] = id;
85 *(uint16_t *) (p + 2) = htons(5); // length
86 p[4] = 0; // no message
87 if (session[s].ip)
88 {
89 LOG(3, s, t, "Already an IP allocated: %s (%d)\n",
90 fmtaddr(htonl(session[s].ip), 0), session[s].ip_pool_index);
91
92 session[s].flags &= ~SF_IPCP_ACKED;
93 }
94 else
95 {
96 LOG(1, s, t, "No radius session available to authenticate session...\n");
97 }
98 LOG(3, s, t, "Fallback response to PAP (%s)\n", (session[s].ip) ? "ACK" : "NAK");
99 tunnelsend(b, 5 + (p - b), t); // send it
100 }
101 else
102 {
103 // set up RADIUS request
104 uint16_t r = session[s].radius;
105
106 // Run PRE_AUTH plugins
107 struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
108 run_plugins(PLUGIN_PRE_AUTH, &packet);
109 if (!packet.continue_auth)
110 {
111 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
112 if (packet.username) free(packet.username);
113 if (packet.password) free(packet.password);
114 return;
115 }
116
117 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
118 strncpy(radius[r].pass, packet.password, sizeof(radius[r].pass) - 1);
119
120 free(packet.username);
121 free(packet.password);
122
123 radius[r].id = p[1];
124 LOG(3, s, t, "Sending login for %s/%s to radius\n", user, pass);
125 radiussend(r, RADIUSAUTH);
126 }
127 }
128
129 // Process CHAP messages
130 void processchap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
131 {
132 uint16_t r;
133 uint16_t hl;
134
135 CSTAT(call_processchap);
136
137 LOG_HEX(5, "CHAP", p, l);
138 r = session[s].radius;
139 if (!r)
140 {
141 LOG(1, s, t, "Unexpected CHAP message\n");
142
143 // FIXME: Need to drop the session here.
144
145 STAT(tunnel_rx_errors);
146 return;
147 }
148
149 if (l < 4)
150 {
151 LOG(1, s, t, "Short CHAP %u bytes\n", l);
152 STAT(tunnel_rx_errors);
153 return ;
154 }
155
156 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
157 {
158 LOG(1, s, t, "Length mismatch CHAP %u/%u\n", hl, l);
159 STAT(tunnel_rx_errors);
160 return ;
161 }
162 l = hl;
163
164 if (*p != 2)
165 {
166 LOG(1, s, t, "Unexpected CHAP response code %d\n", *p);
167 STAT(tunnel_rx_errors);
168 return;
169 }
170 if (p[1] != radius[r].id)
171 {
172 LOG(1, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
173 STAT(tunnel_rx_errors);
174 return ;
175 }
176
177 if (l < 5 || p[4] != 16)
178 {
179 LOG(1, s, t, "Bad CHAP response length %d\n", l < 5 ? -1 : p[4]);
180 STAT(tunnel_rx_errors);
181 return ;
182 }
183
184 l -= 5;
185 p += 5;
186 if (l < 16 || l - 16 >= sizeof(session[s].user))
187 {
188 LOG(1, s, t, "CHAP user too long %d\n", l - 16);
189 STAT(tunnel_rx_errors);
190 return ;
191 }
192
193 // Run PRE_AUTH plugins
194 {
195 struct param_pre_auth packet = { &tunnel[t], &session[s], NULL, NULL, PPPCHAP, 1 };
196
197 packet.password = calloc(17, 1);
198 memcpy(packet.password, p, 16);
199
200 p += 16;
201 l -= 16;
202
203 packet.username = calloc(l + 1, 1);
204 memcpy(packet.username, p, l);
205
206 run_plugins(PLUGIN_PRE_AUTH, &packet);
207 if (!packet.continue_auth)
208 {
209 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
210 if (packet.username) free(packet.username);
211 if (packet.password) free(packet.password);
212 return;
213 }
214
215 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
216 memcpy(radius[r].pass, packet.password, 16);
217
218 free(packet.username);
219 free(packet.password);
220 }
221
222 radius[r].chap = 1;
223 LOG(3, s, t, "CHAP login %s\n", session[s].user);
224 radiussend(r, RADIUSAUTH);
225 }
226
227 static char *ppp_lcp_types[] = {
228 NULL,
229 "ConfigReq",
230 "ConfigAck",
231 "ConfigNak",
232 "ConfigRej",
233 "TerminateReq",
234 "TerminateAck",
235 "CodeRej",
236 "ProtocolRej",
237 "EchoReq",
238 "EchoReply",
239 "DiscardRequest",
240 "IdentRequest",
241 };
242
243 static void dumplcp(uint8_t *p, int l)
244 {
245 int x = l - 4;
246 uint8_t *o = (p + 4);
247
248 LOG_HEX(5, "PPP LCP Packet", p, l);
249 LOG(4, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_types[(int)*p], ntohs( ((uint16_t *) p)[1]) );
250 LOG(4, 0, 0, "Length: %d\n", l);
251 if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
252 return;
253
254 while (x > 2)
255 {
256 int type = o[0];
257 int length = o[1];
258 if (length < 2)
259 {
260 LOG(4, 0, 0, " Option length is %d...\n", length);
261 break;
262 }
263 if (type == 0)
264 {
265 LOG(4, 0, 0, " Option type is 0...\n");
266 x -= length;
267 o += length;
268 continue;
269 }
270 switch (type)
271 {
272 case 1: // Maximum-Receive-Unit
273 if (length == 4)
274 LOG(4, 0, 0, " %s %d\n", lcp_types[type], ntohs(*(uint16_t *)(o + 2)));
275 else
276 LOG(4, 0, 0, " %s odd length %d\n", lcp_types[type], length);
277 break;
278 case 2: // Async-Control-Character-Map
279 if (length == 6)
280 {
281 uint32_t asyncmap = ntohl(*(uint32_t *)(o + 2));
282 LOG(4, 0, 0, " %s %x\n", lcp_types[type], asyncmap);
283 }
284 else
285 LOG(4, 0, 0, " %s odd length %d\n", lcp_types[type], length);
286 break;
287 case 3: // Authentication-Protocol
288 if (length == 4)
289 {
290 int proto = ntohs(*(uint16_t *)(o + 2));
291 LOG(4, 0, 0, " %s 0x%x (%s)\n", lcp_types[type], proto,
292 proto == PPPCHAP ? "CHAP" :
293 proto == PPPPAP ? "PAP" : "UNKNOWN");
294 }
295 else
296 LOG(4, 0, 0, " %s odd length %d\n", lcp_types[type], length);
297 break;
298 case 4: // Quality-Protocol
299 {
300 uint32_t qp = ntohl(*(uint32_t *)(o + 2));
301 LOG(4, 0, 0, " %s %x\n", lcp_types[type], qp);
302 }
303 break;
304 case 5: // Magic-Number
305 if (length == 6)
306 {
307 uint32_t magicno = ntohl(*(uint32_t *)(o + 2));
308 LOG(4, 0, 0, " %s %x\n", lcp_types[type], magicno);
309 }
310 else
311 LOG(4, 0, 0, " %s odd length %d\n", lcp_types[type], length);
312 break;
313 case 7: // Protocol-Field-Compression
314 case 8: // Address-And-Control-Field-Compression
315 LOG(4, 0, 0, " %s\n", lcp_types[type]);
316 break;
317 default:
318 LOG(2, 0, 0, " Unknown PPP LCP Option type %d\n", type);
319 break;
320 }
321 x -= length;
322 o += length;
323 }
324 }
325
326 // Process LCP messages
327 void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
328 {
329 uint8_t b[MAXCONTROL];
330 uint8_t *q = NULL;
331 uint32_t magicno = 0;
332 uint16_t hl;
333
334 CSTAT(call_processlcp);
335
336 LOG_HEX(5, "LCP", p, l);
337 if (l < 4)
338 {
339 LOG(1, s, t, "Short LCP %d bytes\n", l);
340 STAT(tunnel_rx_errors);
341 return ;
342 }
343
344 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
345 {
346 LOG(1, s, t, "Length mismatch LCP %u/%u\n", hl, l);
347 STAT(tunnel_rx_errors);
348 return ;
349 }
350 l = hl;
351
352 if (*p == ConfigAck)
353 {
354 LOG(3, s, t, "LCP: Discarding ConfigAck\n");
355 session[s].flags |= SF_LCP_ACKED;
356 }
357 else if (*p == ConfigReq)
358 {
359 int x = l - 4;
360 uint8_t *o = (p + 4);
361 uint8_t *response = 0;
362
363 LOG(3, s, t, "LCP: ConfigReq (%d bytes)...\n", l);
364 if (config->debug > 3) dumplcp(p, l);
365
366 while (x > 2)
367 {
368 int type = o[0];
369 int length = o[1];
370
371 if (length == 0 || type == 0 || x < length) break;
372 switch (type)
373 {
374 case 1: // Maximum-Receive-Unit
375 session[s].mru = ntohs(*(uint16_t *)(o + 2));
376 break;
377
378 case 2: // Async-Control-Character-Map
379 if (!ntohl(*(uint32_t *)(o + 2))) // all bits zero is OK
380 break;
381
382 if (response && *response != ConfigNak) // rej already queued
383 break;
384
385 LOG(2, s, t, " Remote requesting asyncmap. Rejecting.\n");
386 if (!response)
387 {
388 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
389 if (!q) break;
390 *q = ConfigNak;
391 q += 4;
392 }
393
394 if ((q - b + 11) > sizeof(b))
395 {
396 LOG(2, s, t, "LCP overflow for asyncmap ConfigNak.\n");
397 break;
398 }
399
400 *q++ = type;
401 *q++ = 6;
402 memset(q, 0, 4); // asyncmap 0
403 q += 4;
404 *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length
405 break;
406
407 case 3: // Authentication-Protocol
408 {
409 int proto = ntohs(*(uint16_t *)(o + 2));
410 char proto_name[] = "0x0000";
411 if (proto == PPPPAP)
412 break;
413
414 if (response && *response != ConfigNak) // rej already queued
415 break;
416
417 if (proto == PPPCHAP)
418 strcpy(proto_name, "CHAP");
419 else
420 sprintf(proto_name, "%#4.4x", proto);
421
422 LOG(2, s, t, " Remote requesting %s authentication. Rejecting.\n", proto_name);
423
424 if (!response)
425 {
426 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
427 if (!q) break;
428 *q = ConfigNak;
429 q += 4;
430 }
431
432 if ((q - b + length) > sizeof(b))
433 {
434 LOG(2, s, t, "LCP overflow for %s ConfigNak.\n", proto_name);
435 break;
436 }
437
438 memcpy(q, o, length);
439 *(uint16_t *)(q += 2) = htons(PPPPAP); // NAK -> Use PAP instead
440 q += length;
441 *((uint16_t *) (response + 2)) = htons(q - response);
442 }
443 break;
444
445 case 5: // Magic-Number
446 magicno = ntohl(*(uint32_t *)(o + 2));
447 break;
448
449 case 4: // Quality-Protocol
450 case 7: // Protocol-Field-Compression
451 case 8: // Address-And-Control-Field-Compression
452 break;
453
454 default: // Reject any unknown options
455 LOG(2, s, t, " Rejecting PPP LCP Option type %d\n", type);
456 if (!response || *response != ConfigRej) // drop nak in favour of rej
457 {
458 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
459 if (!q) break;
460 *q = ConfigRej;
461 q += 4;
462 }
463
464 if ((q - b + length) > sizeof(b))
465 {
466 LOG(2, s, t, "LCP overflow for ConfigRej (type=%d).\n", type);
467 break;
468 }
469
470 memcpy(q, o, length);
471 q += length;
472 *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length
473 }
474 x -= length;
475 o += length;
476 }
477
478 if (!response)
479 {
480 // Send back a ConfigAck
481 q = response = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
482 if (!q) return;
483 *q = ConfigAck;
484 }
485
486 LOG(3, s, t, "Sending %s\n", ppp_lcp_types[*response]);
487 tunnelsend(b, l + (q - b), t);
488
489 if (!(session[s].flags & SF_LCP_ACKED))
490 initlcp(t, s);
491 }
492 else if (*p == ConfigNak)
493 {
494 LOG(1, s, t, "Remote end sent a ConfigNak. Ignoring\n");
495 if (config->debug > 3) dumplcp(p, l);
496 return ;
497 }
498 else if (*p == TerminateReq)
499 {
500 LOG(3, s, t, "LCP: Received TerminateReq. Sending TerminateAck\n");
501 *p = TerminateAck; // close
502 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
503 if (!q) return;
504 tunnelsend(b, l + (q - b), t); // send it
505 sessionshutdown(s, "Remote end closed connection.");
506 }
507 else if (*p == TerminateAck)
508 {
509 sessionshutdown(s, "Connection closed.");
510 }
511 else if (*p == EchoReq)
512 {
513 LOG(5, s, t, "LCP: Received EchoReq. Sending EchoReply\n");
514 *p = EchoReply; // reply
515 *(uint32_t *) (p + 4) = htonl(session[s].magic); // our magic number
516 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
517 if (!q) return;
518 tunnelsend(b, l + (q - b), t); // send it
519 }
520 else if (*p == EchoReply)
521 {
522 // Ignore it, last_packet time is set earlier than this.
523 }
524 else if (*p == IdentRequest)
525 {
526 *p = CodeRej;
527 if (l > MAXCONTROL)
528 {
529 LOG(1, s, t, "Truncated Ident Packet (length=%d) to 1400 bytes\n", l);
530 l = 1400;
531 }
532 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
533 if (!q) return;
534 LOG_HEX(5, "LCPIdentRej", q, l + 4);
535 tunnelsend(b, 12 + 4 + l, t);
536 }
537 else
538 {
539 LOG(1, s, t, "Unexpected LCP code %d\n", *p);
540 STAT(tunnel_rx_errors);
541 return ;
542 }
543 }
544
545 // find a PPP option, returns point to option, or 0 if not found
546 static uint8_t *findppp(uint8_t *b, uint8_t mtype)
547 {
548 uint16_t l = ntohs(*(uint16_t *) (b + 2));
549 if (l < 4)
550 return 0;
551 b += 4;
552 l -= 4;
553 while (l)
554 {
555 if (l < b[1] || !b[1])
556 return 0; // faulty
557 if (*b == mtype)
558 return b;
559 l -= b[1];
560 b += b[1];
561 }
562 return 0;
563 }
564
565 // Process IPCP messages
566 void processipcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
567 {
568 uint16_t hl;
569
570 CSTAT(call_processipcp);
571
572 LOG_HEX(5, "IPCP", p, l);
573 if (l < 5)
574 {
575 LOG(1, s, t, "Short IPCP %d bytes\n", l);
576 STAT(tunnel_rx_errors);
577 return ;
578 }
579
580 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
581 {
582 LOG(1, s, t, "Length mismatch IPCP %u/%u\n", hl, l);
583 STAT(tunnel_rx_errors);
584 return ;
585 }
586 l = hl;
587
588 if (*p == ConfigAck)
589 {
590 // happy with our IPCP
591 uint16_t r = session[s].radius;
592 if ((!r || radius[r].state == RADIUSIPCP) && !session[s].walled_garden)
593 {
594 if (!r)
595 r = radiusnew(s);
596 if (r)
597 radiussend(r, RADIUSSTART); // send radius start, having got IPCP at last
598 }
599 session[s].flags |= SF_IPCP_ACKED;
600
601 LOG(3, s, t, "IPCP Acked, session is now active\n");
602
603 // clear LCP_ACKED/CCP_ACKED flag for possible fast renegotiaion for routers
604 session[s].flags &= ~(SF_LCP_ACKED|SF_CCP_ACKED);
605
606 return;
607 }
608 if (*p != ConfigReq)
609 {
610 LOG(1, s, t, "Unexpected IPCP code %d\n", *p);
611 STAT(tunnel_rx_errors);
612 return ;
613 }
614 LOG(4, s, t, "IPCP ConfigReq received\n");
615
616 if (!session[s].ip)
617 {
618 LOG(3, s, t, "Waiting on radius reply\n");
619 return; // have to wait on RADIUS reply
620 }
621 // form a config reply quoting the IP in the session
622 {
623 uint8_t b[MAXCONTROL];
624 uint8_t *i, *q;
625
626 q = p + 4;
627 i = p + l;
628 while (q < i && q[1])
629 {
630 if (*q != 0x81 && *q != 0x83 && *q != 3)
631 break;
632 q += q[1];
633 }
634 if (q < i)
635 {
636 // reject
637 uint16_t n = 4;
638 i = p + l;
639 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
640 return;
641
642 *q = ConfigRej;
643 p += 4;
644 while (p < i && p[1])
645 {
646 if (*p != 0x81 && *p != 0x83 && *p != 3)
647 {
648 LOG(2, s, t, "IPCP reject %d\n", *p);
649 memcpy(q + n, p, p[1]);
650 n += p[1];
651 }
652 p += p[1];
653 }
654 *(uint16_t *) (q + 2) = htons(n);
655 LOG(4, s, t, "Sending ConfigRej\n");
656 tunnelsend(b, n + (q - b), t); // send it
657 }
658 else
659 {
660 LOG(4, s, t, "Sending ConfigAck\n");
661 *p = ConfigAck;
662 if ((i = findppp(p, 0x81))) // Primary DNS address
663 {
664 if (*(uint32_t *) (i + 2) != htonl(session[s].dns1))
665 {
666 *(uint32_t *) (i + 2) = htonl(session[s].dns1);
667 *p = ConfigNak;
668 LOG(5, s, t, " DNS1 = %s\n",
669 fmtaddr(htonl(session[s].dns1), 0));
670 }
671 }
672 if ((i = findppp(p, 0x83))) // Secondary DNS address (TBA, is it)
673 {
674 if (*(uint32_t *) (i + 2) != htonl(session[s].dns2))
675 {
676 *(uint32_t *) (i + 2) = htonl(session[s].dns2);
677 *p = ConfigNak;
678 LOG(5, s, t, " DNS2 = %s\n",
679 fmtaddr(htonl(session[s].dns2), 0));
680 }
681 }
682 i = findppp(p, 3); // IP address
683 if (!i || i[1] != 6)
684 {
685 LOG(1, s, t, "No IP in IPCP request\n");
686 STAT(tunnel_rx_errors);
687 return ;
688 }
689 if (*(uint32_t *) (i + 2) != htonl(session[s].ip))
690 {
691 *(uint32_t *) (i + 2) = htonl(session[s].ip);
692 *p = ConfigNak;
693 LOG(4, s, t, " No, a ConfigNak, client is requesting IP - sending %s\n",
694 fmtaddr(htonl(session[s].ip), 0));
695 }
696 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
697 return;
698
699 tunnelsend(b, l + (q - b), t); // send it
700 }
701 }
702 }
703
704 // process IP packet received
705 //
706 // This MUST be called with at least 4 byte behind 'p'.
707 // (i.e. this routine writes to p[-4]).
708 void processipin(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
709 {
710 in_addr_t ip;
711
712 CSTAT(call_processipin);
713
714 LOG_HEX(5, "IP", p, l);
715
716 ip = ntohl(*(uint32_t *)(p + 12));
717
718 if (l > MAXETHER)
719 {
720 LOG(1, s, t, "IP packet too long %d\n", l);
721 STAT(tunnel_rx_errors);
722 return ;
723 }
724
725 // no spoof (do sessionbyip to handled statically routed subnets)
726 if (ip != session[s].ip && sessionbyip(htonl(ip)) != s)
727 {
728 LOG(5, s, t, "Dropping packet with spoofed IP %s\n", fmtaddr(htonl(ip), 0));
729 return;
730 }
731
732 // run access-list if any
733 if (session[s].filter_in && !ip_filter(p, l, session[s].filter_in - 1))
734 return;
735
736 // Add on the tun header
737 p -= 4;
738 *(uint32_t *) p = htonl(0x00000800);
739 l += 4;
740
741 if (session[s].tbf_in && !config->cluster_iam_master) { // Are we throttled and a slave?
742 master_throttle_packet(session[s].tbf_in, p, l); // Pass it to the master for handling.
743 return;
744 }
745
746 if (session[s].tbf_in && config->cluster_iam_master) { // Are we throttled and a master?? actually handle the throttled packets.
747 tbf_queue_packet(session[s].tbf_in, p, l);
748 return;
749 }
750
751 // send to ethernet
752 if (tun_write(p, l) < 0)
753 {
754 STAT(tun_tx_errors);
755 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
756 l, strerror(errno), tunfd, p);
757
758 return;
759 }
760
761 if (session[s].snoop_ip && session[s].snoop_port)
762 {
763 // Snooping this session
764 snoop_send_packet(p + 4, l - 4, session[s].snoop_ip, session[s].snoop_port);
765 }
766
767 session[s].cin += l - 4;
768 session[s].total_cin += l - 4;
769 sess_local[s].cin += l - 4;
770
771 session[s].pin++;
772 eth_tx += l - 4;
773
774 STAT(tun_tx_packets);
775 INC_STAT(tun_tx_bytes, l - 4);
776 }
777
778 //
779 // Helper routine for the TBF filters.
780 // Used to send queued data in from the user.
781 //
782 void send_ipin(sessionidt s, uint8_t *buf, int len)
783 {
784 LOG_HEX(5, "IP in throttled", buf, len);
785
786 if (write(tunfd, buf, len) < 0)
787 {
788 STAT(tun_tx_errors);
789 LOG(0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
790 len, strerror(errno), tunfd, buf);
791
792 return;
793 }
794
795 if (session[s].snoop_ip && session[s].snoop_port)
796 {
797 // Snooping this session
798 snoop_send_packet(buf + 4, len - 4, session[s].snoop_ip, session[s].snoop_port);
799 }
800
801 // Increment packet counters
802 session[s].cin += len - 4;
803 session[s].total_cin += len - 4;
804 sess_local[s].cin += len - 4;
805
806 session[s].pin++;
807 eth_tx += len - 4;
808
809 STAT(tun_tx_packets);
810 INC_STAT(tun_tx_bytes, len - 4);
811 }
812
813
814 // Process CCP messages
815 void processccp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
816 {
817 uint8_t b[MAXCONTROL];
818 uint8_t *q;
819
820 CSTAT(call_processccp);
821
822 LOG_HEX(5, "CCP", p, l);
823 switch (l > 1 ? *p : 0)
824 {
825 case ConfigAck:
826 session[s].flags |= SF_CCP_ACKED;
827 return;
828
829 case ConfigReq:
830 if (l < 6) // accept no compression
831 {
832 *p = ConfigAck;
833 break;
834 }
835
836 // compression requested--reject
837 *p = ConfigRej;
838
839 // send CCP request for no compression for our end if not negotiated
840 if (!(session[s].flags & SF_CCP_ACKED))
841 initccp(t, s);
842
843 break;
844
845 case TerminateReq:
846 *p = TerminateAck;
847 break;
848
849 default:
850 if (l > 1)
851 LOG(1, s, t, "Unexpected CCP request code %d\n", *p);
852 else
853 LOG(1, s, t, "Short CCP packet\n");
854
855 STAT(tunnel_rx_errors);
856 return;
857 }
858
859 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPCCP)))
860 return;
861
862 tunnelsend(b, l + (q - b), t); // send it
863 }
864
865 // send a CHAP PP packet
866 void sendchap(tunnelidt t, sessionidt s)
867 {
868 uint8_t b[MAXCONTROL];
869 uint16_t r = session[s].radius;
870 uint8_t *q;
871
872 CSTAT(call_sendchap);
873
874 if (!r)
875 {
876 LOG(1, s, t, "No RADIUS to send challenge\n");
877 STAT(tunnel_tx_errors);
878 return ;
879 }
880 LOG(1, s, t, "Send CHAP challenge\n");
881 {
882 // new challenge
883 int n;
884 for (n = 0; n < 15; n++)
885 radius[r].auth[n] = rand();
886 }
887 radius[r].chap = 1; // CHAP not PAP
888 radius[r].id++;
889 if (radius[r].state != RADIUSCHAP)
890 radius[r].try = 0;
891 radius[r].state = RADIUSCHAP;
892 radius[r].retry = backoff(radius[r].try++);
893 if (radius[r].try > 5)
894 {
895 sessionshutdown(s, "Timeout CHAP");
896 STAT(tunnel_tx_errors);
897 return ;
898 }
899 q = makeppp(b, sizeof(b), 0, 0, t, s, PPPCHAP);
900 if (!q) return;
901
902 *q = 1; // challenge
903 q[1] = radius[r].id; // ID
904 q[4] = 16; // length
905 memcpy(q + 5, radius[r].auth, 16); // challenge
906 strcpy(q + 21, hostname); // our name
907 *(uint16_t *) (q + 2) = htons(strlen(hostname) + 21); // length
908 tunnelsend(b, strlen(hostname) + 21 + (q - b), t); // send it
909 }
910
911 // fill in a L2TP message with a PPP frame,
912 // copies existing PPP message and changes magic number if seen
913 // returns start of PPP frame
914 uint8_t *makeppp(uint8_t *b, int size, uint8_t *p, int l, tunnelidt t, sessionidt s, uint16_t mtype)
915 {
916 if (size < 12) // Need more space than this!!
917 {
918 static int backtrace_count = 0;
919 LOG(0, s, t, "makeppp buffer too small for L2TP header (size=%d)\n", size);
920 log_backtrace(backtrace_count, 5)
921 return NULL;
922 }
923
924 *(uint16_t *) (b + 0) = htons(0x0002); // L2TP with no options
925 *(uint16_t *) (b + 2) = htons(tunnel[t].far); // tunnel
926 *(uint16_t *) (b + 4) = htons(session[s].far); // session
927 b += 6;
928 if (mtype == PPPLCP || !(session[s].l2tp_flags & SESSIONACFC))
929 {
930 *(uint16_t *) b = htons(0xFF03); // HDLC header
931 b += 2;
932 }
933 if (mtype < 0x100 && session[s].l2tp_flags & SESSIONPFC)
934 *b++ = mtype;
935 else
936 {
937 *(uint16_t *) b = htons(mtype);
938 b += 2;
939 }
940
941 if (l + 12 > size)
942 {
943 static int backtrace_count = 0;
944 LOG(2, s, t, "makeppp would overflow buffer (size=%d, header+payload=%d)\n", size, l + 12);
945 log_backtrace(backtrace_count, 5)
946 return NULL;
947 }
948
949 if (p && l)
950 memcpy(b, p, l);
951
952 return b;
953 }
954
955 // Send initial LCP ConfigReq for PAP, set magic no.
956 void initlcp(tunnelidt t, sessionidt s)
957 {
958 char b[500], *q;
959
960 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP)))
961 return;
962
963 LOG(4, s, t, "Sending LCP ConfigReq for PAP\n");
964 *q = ConfigReq;
965 *(uint8_t *)(q + 1) = (time_now % 255) + 1; // ID
966 *(uint16_t *)(q + 2) = htons(14); // Length
967 *(uint8_t *)(q + 4) = 5;
968 *(uint8_t *)(q + 5) = 6;
969 *(uint32_t *)(q + 6) = htonl(session[s].magic);
970 *(uint8_t *)(q + 10) = 3;
971 *(uint8_t *)(q + 11) = 4;
972 *(uint16_t *)(q + 12) = htons(PPPPAP); // PAP
973
974 LOG_HEX(5, "PPPLCP", q, 14);
975 tunnelsend(b, (q - b) + 14, t);
976 }
977
978 // Send CCP request for no compression
979 static void initccp(tunnelidt t, sessionidt s)
980 {
981 char b[500], *q;
982
983 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPCCP)))
984 return;
985
986 LOG(4, s, t, "Sending CCP ConfigReq for no compression\n");
987 *q = ConfigReq;
988 *(uint8_t *)(q + 1) = (time_now % 255) + 1; // ID
989 *(uint16_t *)(q + 2) = htons(4); // Length
990
991 LOG_HEX(5, "PPPCCP", q, 4);
992 tunnelsend(b, (q - b) + 4 , t);
993 }