off by one
[l2tpns.git] / ppp.c
1 // L2TPNS PPP Stuff
2
3 char const *cvs_id_ppp = "$Id: ppp.c,v 1.39.2.2 2005/02/14 05:55:49 bodea Exp $";
4
5 #include <stdio.h>
6 #include <string.h>
7 #include <unistd.h>
8 #include <errno.h>
9 #include <stdlib.h>
10 #include "l2tpns.h"
11 #include "constants.h"
12 #include "plugin.h"
13 #include "util.h"
14 #include "tbf.h"
15 #include "cluster.h"
16
17 extern tunnelt *tunnel;
18 extern sessiont *session;
19 extern radiust *radius;
20 extern int tunfd;
21 extern char hostname[];
22 extern uint32_t eth_tx;
23 extern time_t time_now;
24 extern configt *config;
25
26 static void initccp(tunnelidt t, sessionidt s);
27
28 // Process PAP messages
29 void processpap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
30 {
31 char user[129];
32 char pass[129];
33 uint16_t hl;
34
35 CSTAT(call_processpap);
36
37 LOG_HEX(5, "PAP", p, l);
38 if (l < 4)
39 {
40 LOG(1, s, t, "Short PAP %u bytes\n", l);
41 STAT(tunnel_rx_errors);
42 return ;
43 }
44
45 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
46 {
47 LOG(1, s, t, "Length mismatch PAP %u/%u\n", hl, l);
48 STAT(tunnel_rx_errors);
49 return ;
50 }
51 l = hl;
52
53 if (*p != 1)
54 {
55 LOG(1, s, t, "Unexpected PAP code %d\n", *p);
56 STAT(tunnel_rx_errors);
57 return ;
58 }
59
60 {
61 uint8_t *b = p;
62 b += 4;
63 user[0] = pass[0] = 0;
64 if (*b && *b < sizeof(user))
65 {
66 memcpy(user, b + 1, *b);
67 user[*b] = 0;
68 b += 1 + *b;
69 if (*b && *b < sizeof(pass))
70 {
71 memcpy(pass, b + 1, *b);
72 pass[*b] = 0;
73 }
74 }
75 LOG(3, s, t, "PAP login %s/%s\n", user, pass);
76 }
77 if (session[s].ip || !session[s].radius)
78 {
79 // respond now, either no RADIUS available or already authenticated
80 uint8_t b[MAXCONTROL];
81 uint8_t id = p[1];
82 uint8_t *p = makeppp(b, sizeof(b), 0, 0, t, s, PPPPAP);
83 if (!p) return;
84
85 if (session[s].ip)
86 *p = 2; // ACK
87 else
88 *p = 3; // cant authorise
89 p[1] = id;
90 *(uint16_t *) (p + 2) = htons(5); // length
91 p[4] = 0; // no message
92 if (session[s].ip)
93 {
94 LOG(3, s, t, "Already an IP allocated: %s (%d)\n",
95 fmtaddr(htonl(session[s].ip), 0), session[s].ip_pool_index);
96
97 session[s].flags &= ~SF_IPCP_ACKED;
98 }
99 else
100 {
101 LOG(1, s, t, "No radius session available to authenticate session...\n");
102 }
103 LOG(3, s, t, "Fallback response to PAP (%s)\n", (session[s].ip) ? "ACK" : "NAK");
104 tunnelsend(b, 5 + (p - b), t); // send it
105 }
106 else
107 {
108 // set up RADIUS request
109 uint16_t r = session[s].radius;
110
111 // Run PRE_AUTH plugins
112 struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
113 run_plugins(PLUGIN_PRE_AUTH, &packet);
114 if (!packet.continue_auth)
115 {
116 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
117 if (packet.username) free(packet.username);
118 if (packet.password) free(packet.password);
119 return;
120 }
121
122 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
123 strncpy(radius[r].pass, packet.password, sizeof(radius[r].pass) - 1);
124
125 free(packet.username);
126 free(packet.password);
127
128 radius[r].id = p[1];
129 LOG(3, s, t, "Sending login for %s/%s to radius\n", user, pass);
130 radiussend(r, RADIUSAUTH);
131 }
132 }
133
134 // Process CHAP messages
135 void processchap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
136 {
137 uint16_t r;
138 uint16_t hl;
139
140 CSTAT(call_processchap);
141
142 LOG_HEX(5, "CHAP", p, l);
143 r = session[s].radius;
144 if (!r)
145 {
146 LOG(1, s, t, "Unexpected CHAP message\n");
147
148 // FIXME: Need to drop the session here.
149
150 STAT(tunnel_rx_errors);
151 return;
152 }
153
154 if (l < 4)
155 {
156 LOG(1, s, t, "Short CHAP %u bytes\n", l);
157 STAT(tunnel_rx_errors);
158 return ;
159 }
160
161 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
162 {
163 LOG(1, s, t, "Length mismatch CHAP %u/%u\n", hl, l);
164 STAT(tunnel_rx_errors);
165 return ;
166 }
167 l = hl;
168
169 if (*p != 2)
170 {
171 LOG(1, s, t, "Unexpected CHAP response code %d\n", *p);
172 STAT(tunnel_rx_errors);
173 return;
174 }
175 if (p[1] != radius[r].id)
176 {
177 LOG(1, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
178 STAT(tunnel_rx_errors);
179 return ;
180 }
181
182 if (l < 5 || p[4] != 16)
183 {
184 LOG(1, s, t, "Bad CHAP response length %d\n", l < 5 ? -1 : p[4]);
185 STAT(tunnel_rx_errors);
186 return ;
187 }
188
189 l -= 5;
190 p += 5;
191 if (l < 16 || l - 16 >= sizeof(session[s].user))
192 {
193 LOG(1, s, t, "CHAP user too long %d\n", l - 16);
194 STAT(tunnel_rx_errors);
195 return ;
196 }
197
198 // Run PRE_AUTH plugins
199 {
200 struct param_pre_auth packet = { &tunnel[t], &session[s], NULL, NULL, PPPCHAP, 1 };
201
202 packet.password = calloc(17, 1);
203 memcpy(packet.password, p, 16);
204
205 p += 16;
206 l -= 16;
207
208 packet.username = calloc(l + 1, 1);
209 memcpy(packet.username, p, l);
210
211 run_plugins(PLUGIN_PRE_AUTH, &packet);
212 if (!packet.continue_auth)
213 {
214 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
215 if (packet.username) free(packet.username);
216 if (packet.password) free(packet.password);
217 return;
218 }
219
220 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
221 memcpy(radius[r].pass, packet.password, 16);
222
223 free(packet.username);
224 free(packet.password);
225 }
226
227 radius[r].chap = 1;
228 LOG(3, s, t, "CHAP login %s\n", session[s].user);
229 radiussend(r, RADIUSAUTH);
230 }
231
232 static char *ppp_lcp_types[] = {
233 NULL,
234 "ConfigReq",
235 "ConfigAck",
236 "ConfigNak",
237 "ConfigRej",
238 "TerminateReq",
239 "TerminateAck",
240 "CodeRej",
241 "ProtocolRej",
242 "EchoReq",
243 "EchoReply",
244 "DiscardRequest",
245 "IdentRequest",
246 };
247
248 static void dumplcp(uint8_t *p, int l)
249 {
250 int x = l - 4;
251 uint8_t *o = (p + 4);
252
253 LOG_HEX(5, "PPP LCP Packet", p, l);
254 LOG(4, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_types[(int)*p], ntohs( ((uint16_t *) p)[1]) );
255 LOG(4, 0, 0, "Length: %d\n", l);
256 if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
257 return;
258
259 while (x > 2)
260 {
261 int type = o[0];
262 int length = o[1];
263 if (length < 2)
264 {
265 LOG(4, 0, 0, " Option length is %d...\n", length);
266 break;
267 }
268 if (type == 0)
269 {
270 LOG(4, 0, 0, " Option type is 0...\n");
271 x -= length;
272 o += length;
273 continue;
274 }
275 switch (type)
276 {
277 case 1: // Maximum-Receive-Unit
278 if (length == 4)
279 LOG(4, 0, 0, " %s %d\n", lcp_types[type], ntohs(*(uint16_t *)(o + 2)));
280 else
281 LOG(4, 0, 0, " %s odd length %d\n", lcp_types[type], length);
282 break;
283 case 2: // Async-Control-Character-Map
284 if (length == 6)
285 {
286 uint32_t asyncmap = ntohl(*(uint32_t *)(o + 2));
287 LOG(4, 0, 0, " %s %x\n", lcp_types[type], asyncmap);
288 }
289 else
290 LOG(4, 0, 0, " %s odd length %d\n", lcp_types[type], length);
291 break;
292 case 3: // Authentication-Protocol
293 if (length == 4)
294 {
295 int proto = ntohs(*(uint16_t *)(o + 2));
296 LOG(4, 0, 0, " %s 0x%x (%s)\n", lcp_types[type], proto,
297 proto == PPPCHAP ? "CHAP" :
298 proto == PPPPAP ? "PAP" : "UNKNOWN");
299 }
300 else
301 LOG(4, 0, 0, " %s odd length %d\n", lcp_types[type], length);
302 break;
303 case 4: // Quality-Protocol
304 {
305 uint32_t qp = ntohl(*(uint32_t *)(o + 2));
306 LOG(4, 0, 0, " %s %x\n", lcp_types[type], qp);
307 }
308 break;
309 case 5: // Magic-Number
310 if (length == 6)
311 {
312 uint32_t magicno = ntohl(*(uint32_t *)(o + 2));
313 LOG(4, 0, 0, " %s %x\n", lcp_types[type], magicno);
314 }
315 else
316 LOG(4, 0, 0, " %s odd length %d\n", lcp_types[type], length);
317 break;
318 case 7: // Protocol-Field-Compression
319 case 8: // Address-And-Control-Field-Compression
320 LOG(4, 0, 0, " %s\n", lcp_types[type]);
321 break;
322 default:
323 LOG(2, 0, 0, " Unknown PPP LCP Option type %d\n", type);
324 break;
325 }
326 x -= length;
327 o += length;
328 }
329 }
330
331 // Process LCP messages
332 void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
333 {
334 uint8_t b[MAXCONTROL];
335 uint8_t *q = NULL;
336 uint32_t magicno = 0;
337 uint16_t hl;
338
339 CSTAT(call_processlcp);
340
341 LOG_HEX(5, "LCP", p, l);
342 if (l < 4)
343 {
344 LOG(1, s, t, "Short LCP %d bytes\n", l);
345 STAT(tunnel_rx_errors);
346 return ;
347 }
348
349 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
350 {
351 LOG(1, s, t, "Length mismatch LCP %u/%u\n", hl, l);
352 STAT(tunnel_rx_errors);
353 return ;
354 }
355 l = hl;
356
357 if (*p == ConfigAck)
358 {
359 LOG(3, s, t, "LCP: Discarding ConfigAck\n");
360 session[s].flags |= SF_LCP_ACKED;
361 }
362 else if (*p == ConfigReq)
363 {
364 int x = l - 4;
365 uint8_t *o = (p + 4);
366 uint8_t *response = 0;
367
368 LOG(3, s, t, "LCP: ConfigReq (%d bytes)...\n", l);
369 if (config->debug > 3) dumplcp(p, l);
370
371 while (x > 2)
372 {
373 int type = o[0];
374 int length = o[1];
375
376 if (length == 0 || type == 0 || x < length) break;
377 switch (type)
378 {
379 case 1: // Maximum-Receive-Unit
380 session[s].mru = ntohs(*(uint16_t *)(o + 2));
381 break;
382
383 case 2: // Async-Control-Character-Map
384 if (!ntohl(*(uint32_t *)(o + 2))) // all bits zero is OK
385 break;
386
387 if (response && *response != ConfigNak) // rej already queued
388 break;
389
390 LOG(2, s, t, " Remote requesting asyncmap. Rejecting.\n");
391 if (!response)
392 {
393 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
394 if (!q) break;
395 *q = ConfigNak;
396 q += 4;
397 }
398
399 if ((q - b + 11) > sizeof(b))
400 {
401 LOG(2, s, t, "LCP overflow for asyncmap ConfigNak.\n");
402 break;
403 }
404
405 *q++ = type;
406 *q++ = 6;
407 memset(q, 0, 4); // asyncmap 0
408 q += 4;
409 *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length
410 break;
411
412 case 3: // Authentication-Protocol
413 {
414 int proto = ntohs(*(uint16_t *)(o + 2));
415 char proto_name[] = "0x0000";
416 if (proto == PPPPAP)
417 break;
418
419 if (response && *response != ConfigNak) // rej already queued
420 break;
421
422 if (proto == PPPCHAP)
423 strcpy(proto_name, "CHAP");
424 else
425 sprintf(proto_name, "%#4.4x", proto);
426
427 LOG(2, s, t, " Remote requesting %s authentication. Rejecting.\n", proto_name);
428
429 if (!response)
430 {
431 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
432 if (!q) break;
433 *q = ConfigNak;
434 q += 4;
435 }
436
437 if ((q - b + length) > sizeof(b))
438 {
439 LOG(2, s, t, "LCP overflow for %s ConfigNak.\n", proto_name);
440 break;
441 }
442
443 memcpy(q, o, length);
444 *(uint16_t *)(q += 2) = htons(PPPPAP); // NAK -> Use PAP instead
445 q += length;
446 *((uint16_t *) (response + 2)) = htons(q - response);
447 }
448 break;
449
450 case 5: // Magic-Number
451 magicno = ntohl(*(uint32_t *)(o + 2));
452 break;
453
454 case 4: // Quality-Protocol
455 case 7: // Protocol-Field-Compression
456 case 8: // Address-And-Control-Field-Compression
457 break;
458
459 default: // Reject any unknown options
460 LOG(2, s, t, " Rejecting PPP LCP Option type %d\n", type);
461 if (!response || *response != ConfigRej) // drop nak in favour of rej
462 {
463 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
464 if (!q) break;
465 *q = ConfigRej;
466 q += 4;
467 }
468
469 if ((q - b + length) > sizeof(b))
470 {
471 LOG(2, s, t, "LCP overflow for ConfigRej (type=%d).\n", type);
472 break;
473 }
474
475 memcpy(q, o, length);
476 q += length;
477 *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length
478 }
479 x -= length;
480 o += length;
481 }
482
483 if (!response)
484 {
485 // Send back a ConfigAck
486 q = response = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
487 if (!q) return;
488 *q = ConfigAck;
489 }
490
491 LOG(3, s, t, "Sending %s\n", ppp_lcp_types[*response]);
492 tunnelsend(b, l + (q - b), t);
493
494 if (!(session[s].flags & SF_LCP_ACKED))
495 initlcp(t, s);
496 }
497 else if (*p == ConfigNak)
498 {
499 LOG(1, s, t, "Remote end sent a ConfigNak. Ignoring\n");
500 if (config->debug > 3) dumplcp(p, l);
501 return ;
502 }
503 else if (*p == TerminateReq)
504 {
505 LOG(3, s, t, "LCP: Received TerminateReq. Sending TerminateAck\n");
506 *p = TerminateAck; // close
507 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
508 if (!q) return;
509 tunnelsend(b, l + (q - b), t); // send it
510 sessionshutdown(s, "Remote end closed connection.");
511 }
512 else if (*p == TerminateAck)
513 {
514 sessionshutdown(s, "Connection closed.");
515 }
516 else if (*p == EchoReq)
517 {
518 LOG(5, s, t, "LCP: Received EchoReq. Sending EchoReply\n");
519 *p = EchoReply; // reply
520 *(uint32_t *) (p + 4) = htonl(session[s].magic); // our magic number
521 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
522 if (!q) return;
523 tunnelsend(b, l + (q - b), t); // send it
524 }
525 else if (*p == EchoReply)
526 {
527 // Ignore it, last_packet time is set earlier than this.
528 }
529 else if (*p == IdentRequest)
530 {
531 *p = CodeRej;
532 if (l > MAXCONTROL)
533 {
534 LOG(1, s, t, "Truncated Ident Packet (length=%d) to 1400 bytes\n", l);
535 l = 1400;
536 }
537 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
538 if (!q) return;
539 LOG_HEX(5, "LCPIdentRej", q, l + 4);
540 tunnelsend(b, 12 + 4 + l, t);
541 }
542 else
543 {
544 LOG(1, s, t, "Unexpected LCP code %d\n", *p);
545 STAT(tunnel_rx_errors);
546 return ;
547 }
548 }
549
550 // find a PPP option, returns point to option, or 0 if not found
551 static uint8_t *findppp(uint8_t *b, uint8_t mtype)
552 {
553 uint16_t l = ntohs(*(uint16_t *) (b + 2));
554 if (l < 4)
555 return 0;
556 b += 4;
557 l -= 4;
558 while (l)
559 {
560 if (l < b[1] || !b[1])
561 return 0; // faulty
562 if (*b == mtype)
563 return b;
564 l -= b[1];
565 b += b[1];
566 }
567 return 0;
568 }
569
570 // Process IPCP messages
571 void processipcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
572 {
573 uint16_t hl;
574
575 CSTAT(call_processipcp);
576
577 LOG_HEX(5, "IPCP", p, l);
578 if (l < 5)
579 {
580 LOG(1, s, t, "Short IPCP %d bytes\n", l);
581 STAT(tunnel_rx_errors);
582 return ;
583 }
584
585 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
586 {
587 LOG(1, s, t, "Length mismatch IPCP %u/%u\n", hl, l);
588 STAT(tunnel_rx_errors);
589 return ;
590 }
591 l = hl;
592
593 if (*p == ConfigAck)
594 {
595 // happy with our IPCP
596 uint16_t r = session[s].radius;
597 if ((!r || radius[r].state == RADIUSIPCP) && !session[s].walled_garden)
598 {
599 if (!r)
600 r = radiusnew(s);
601 if (r)
602 radiussend(r, RADIUSSTART); // send radius start, having got IPCP at last
603 }
604 session[s].flags |= SF_IPCP_ACKED;
605
606 LOG(3, s, t, "IPCP Acked, session is now active\n");
607
608 // clear LCP_ACKED/CCP_ACKED flag for possible fast renegotiaion for routers
609 session[s].flags &= ~(SF_LCP_ACKED|SF_CCP_ACKED);
610
611 return;
612 }
613 if (*p != ConfigReq)
614 {
615 LOG(1, s, t, "Unexpected IPCP code %d\n", *p);
616 STAT(tunnel_rx_errors);
617 return ;
618 }
619 LOG(4, s, t, "IPCP ConfigReq received\n");
620
621 if (!session[s].ip)
622 {
623 LOG(3, s, t, "Waiting on radius reply\n");
624 return; // have to wait on RADIUS reply
625 }
626 // form a config reply quoting the IP in the session
627 {
628 uint8_t b[MAXCONTROL];
629 uint8_t *i, *q;
630
631 q = p + 4;
632 i = p + l;
633 while (q < i && q[1])
634 {
635 if (*q != 0x81 && *q != 0x83 && *q != 3)
636 break;
637 q += q[1];
638 }
639 if (q < i)
640 {
641 // reject
642 uint16_t n = 4;
643 i = p + l;
644 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
645 return;
646
647 *q = ConfigRej;
648 p += 4;
649 while (p < i && p[1])
650 {
651 if (*p != 0x81 && *p != 0x83 && *p != 3)
652 {
653 LOG(2, s, t, "IPCP reject %d\n", *p);
654 memcpy(q + n, p, p[1]);
655 n += p[1];
656 }
657 p += p[1];
658 }
659 *(uint16_t *) (q + 2) = htons(n);
660 LOG(4, s, t, "Sending ConfigRej\n");
661 tunnelsend(b, n + (q - b), t); // send it
662 }
663 else
664 {
665 LOG(4, s, t, "Sending ConfigAck\n");
666 *p = ConfigAck;
667 if ((i = findppp(p, 0x81))) // Primary DNS address
668 {
669 if (*(uint32_t *) (i + 2) != htonl(session[s].dns1))
670 {
671 *(uint32_t *) (i + 2) = htonl(session[s].dns1);
672 *p = ConfigNak;
673 LOG(5, s, t, " DNS1 = %s\n",
674 fmtaddr(htonl(session[s].dns1), 0));
675 }
676 }
677 if ((i = findppp(p, 0x83))) // Secondary DNS address (TBA, is it)
678 {
679 if (*(uint32_t *) (i + 2) != htonl(session[s].dns2))
680 {
681 *(uint32_t *) (i + 2) = htonl(session[s].dns2);
682 *p = ConfigNak;
683 LOG(5, s, t, " DNS2 = %s\n",
684 fmtaddr(htonl(session[s].dns2), 0));
685 }
686 }
687 i = findppp(p, 3); // IP address
688 if (!i || i[1] != 6)
689 {
690 LOG(1, s, t, "No IP in IPCP request\n");
691 STAT(tunnel_rx_errors);
692 return ;
693 }
694 if (*(uint32_t *) (i + 2) != htonl(session[s].ip))
695 {
696 *(uint32_t *) (i + 2) = htonl(session[s].ip);
697 *p = ConfigNak;
698 LOG(4, s, t, " No, a ConfigNak, client is requesting IP - sending %s\n",
699 fmtaddr(htonl(session[s].ip), 0));
700 }
701 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
702 return;
703
704 tunnelsend(b, l + (q - b), t); // send it
705 }
706 }
707 }
708
709 // process IP packet received
710 //
711 // This MUST be called with at least 4 byte behind 'p'.
712 // (i.e. this routine writes to p[-4]).
713 void processipin(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
714 {
715 in_addr_t ip;
716
717 CSTAT(call_processipin);
718
719 LOG_HEX(5, "IP", p, l);
720
721 ip = ntohl(*(uint32_t *)(p + 12));
722
723 if (l > MAXETHER)
724 {
725 LOG(1, s, t, "IP packet too long %d\n", l);
726 STAT(tunnel_rx_errors);
727 return ;
728 }
729
730 // no spoof (do sessionbyip to handled statically routed subnets)
731 if (ip != session[s].ip && sessionbyip(htonl(ip)) != s)
732 {
733 LOG(5, s, t, "Dropping packet with spoofed IP %s\n", fmtaddr(htonl(ip), 0));
734 return;
735 }
736
737 // run access-list if any
738 if (session[s].filter_in && !ip_filter(p, l, session[s].filter_in - 1))
739 return;
740
741 // Add on the tun header
742 p -= 4;
743 *(uint32_t *) p = htonl(0x00000800);
744 l += 4;
745
746 if (session[s].tbf_in && !config->cluster_iam_master) { // Are we throttled and a slave?
747 master_throttle_packet(session[s].tbf_in, p, l); // Pass it to the master for handling.
748 return;
749 }
750
751 if (session[s].tbf_in && config->cluster_iam_master) { // Are we throttled and a master?? actually handle the throttled packets.
752 tbf_queue_packet(session[s].tbf_in, p, l);
753 return;
754 }
755
756 // send to ethernet
757 if (tun_write(p, l) < 0)
758 {
759 STAT(tun_tx_errors);
760 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
761 l, strerror(errno), tunfd, p);
762
763 return;
764 }
765
766 if (session[s].snoop_ip && session[s].snoop_port)
767 {
768 // Snooping this session
769 snoop_send_packet(p + 4, l - 4, session[s].snoop_ip, session[s].snoop_port);
770 }
771
772 session[s].cin += l - 4;
773 session[s].total_cin += l - 4;
774 sess_local[s].cin += l - 4;
775
776 session[s].pin++;
777 eth_tx += l - 4;
778
779 STAT(tun_tx_packets);
780 INC_STAT(tun_tx_bytes, l - 4);
781 }
782
783 //
784 // Helper routine for the TBF filters.
785 // Used to send queued data in from the user.
786 //
787 void send_ipin(sessionidt s, uint8_t *buf, int len)
788 {
789 LOG_HEX(5, "IP in throttled", buf, len);
790
791 if (write(tunfd, buf, len) < 0)
792 {
793 STAT(tun_tx_errors);
794 LOG(0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
795 len, strerror(errno), tunfd, buf);
796
797 return;
798 }
799
800 if (session[s].snoop_ip && session[s].snoop_port)
801 {
802 // Snooping this session
803 snoop_send_packet(buf + 4, len - 4, session[s].snoop_ip, session[s].snoop_port);
804 }
805
806 // Increment packet counters
807 session[s].cin += len - 4;
808 session[s].total_cin += len - 4;
809 sess_local[s].cin += len - 4;
810
811 session[s].pin++;
812 eth_tx += len - 4;
813
814 STAT(tun_tx_packets);
815 INC_STAT(tun_tx_bytes, len - 4);
816 }
817
818
819 // Process CCP messages
820 void processccp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
821 {
822 uint8_t b[MAXCONTROL];
823 uint8_t *q;
824
825 CSTAT(call_processccp);
826
827 LOG_HEX(5, "CCP", p, l);
828 switch (l > 1 ? *p : 0)
829 {
830 case ConfigAck:
831 session[s].flags |= SF_CCP_ACKED;
832 return;
833
834 case ConfigReq:
835 if (l < 6) // accept no compression
836 {
837 *p = ConfigAck;
838 break;
839 }
840
841 // compression requested--reject
842 *p = ConfigRej;
843
844 // send CCP request for no compression for our end if not negotiated
845 if (!(session[s].flags & SF_CCP_ACKED))
846 initccp(t, s);
847
848 break;
849
850 case TerminateReq:
851 *p = TerminateAck;
852 break;
853
854 default:
855 if (l > 1)
856 LOG(1, s, t, "Unexpected CCP request code %d\n", *p);
857 else
858 LOG(1, s, t, "Short CCP packet\n");
859
860 STAT(tunnel_rx_errors);
861 return;
862 }
863
864 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPCCP)))
865 return;
866
867 tunnelsend(b, l + (q - b), t); // send it
868 }
869
870 // send a CHAP PP packet
871 void sendchap(tunnelidt t, sessionidt s)
872 {
873 uint8_t b[MAXCONTROL];
874 uint16_t r = session[s].radius;
875 uint8_t *q;
876
877 CSTAT(call_sendchap);
878
879 if (!r)
880 {
881 LOG(1, s, t, "No RADIUS to send challenge\n");
882 STAT(tunnel_tx_errors);
883 return ;
884 }
885 LOG(1, s, t, "Send CHAP challenge\n");
886 {
887 // new challenge
888 int n;
889 for (n = 0; n < 15; n++)
890 radius[r].auth[n] = rand();
891 }
892 radius[r].chap = 1; // CHAP not PAP
893 radius[r].id++;
894 if (radius[r].state != RADIUSCHAP)
895 radius[r].try = 0;
896 radius[r].state = RADIUSCHAP;
897 radius[r].retry = backoff(radius[r].try++);
898 if (radius[r].try > 5)
899 {
900 sessionshutdown(s, "Timeout CHAP");
901 STAT(tunnel_tx_errors);
902 return ;
903 }
904 q = makeppp(b, sizeof(b), 0, 0, t, s, PPPCHAP);
905 if (!q) return;
906
907 *q = 1; // challenge
908 q[1] = radius[r].id; // ID
909 q[4] = 16; // length
910 memcpy(q + 5, radius[r].auth, 16); // challenge
911 strcpy(q + 21, hostname); // our name
912 *(uint16_t *) (q + 2) = htons(strlen(hostname) + 21); // length
913 tunnelsend(b, strlen(hostname) + 21 + (q - b), t); // send it
914 }
915
916 // fill in a L2TP message with a PPP frame,
917 // copies existing PPP message and changes magic number if seen
918 // returns start of PPP frame
919 uint8_t *makeppp(uint8_t *b, int size, uint8_t *p, int l, tunnelidt t, sessionidt s, uint16_t mtype)
920 {
921 if (size < 12) // Need more space than this!!
922 {
923 static int backtrace_count = 0;
924 LOG(0, s, t, "makeppp buffer too small for L2TP header (size=%d)\n", size);
925 log_backtrace(backtrace_count, 5)
926 return NULL;
927 }
928
929 *(uint16_t *) (b + 0) = htons(0x0002); // L2TP with no options
930 *(uint16_t *) (b + 2) = htons(tunnel[t].far); // tunnel
931 *(uint16_t *) (b + 4) = htons(session[s].far); // session
932 b += 6;
933 if (mtype == PPPLCP || !(session[s].l2tp_flags & SESSIONACFC))
934 {
935 *(uint16_t *) b = htons(0xFF03); // HDLC header
936 b += 2;
937 }
938 if (mtype < 0x100 && session[s].l2tp_flags & SESSIONPFC)
939 *b++ = mtype;
940 else
941 {
942 *(uint16_t *) b = htons(mtype);
943 b += 2;
944 }
945
946 if (l + 12 > size)
947 {
948 static int backtrace_count = 0;
949 LOG(2, s, t, "makeppp would overflow buffer (size=%d, header+payload=%d)\n", size, l + 12);
950 log_backtrace(backtrace_count, 5)
951 return NULL;
952 }
953
954 if (p && l)
955 memcpy(b, p, l);
956
957 return b;
958 }
959
960 // Send initial LCP ConfigReq for PAP, set magic no.
961 void initlcp(tunnelidt t, sessionidt s)
962 {
963 char b[500], *q;
964
965 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP)))
966 return;
967
968 LOG(4, s, t, "Sending LCP ConfigReq for PAP\n");
969 *q = ConfigReq;
970 *(uint8_t *)(q + 1) = (time_now % 255) + 1; // ID
971 *(uint16_t *)(q + 2) = htons(14); // Length
972 *(uint8_t *)(q + 4) = 5;
973 *(uint8_t *)(q + 5) = 6;
974 *(uint32_t *)(q + 6) = htonl(session[s].magic);
975 *(uint8_t *)(q + 10) = 3;
976 *(uint8_t *)(q + 11) = 4;
977 *(uint16_t *)(q + 12) = htons(PPPPAP); // PAP
978
979 LOG_HEX(5, "PPPLCP", q, 14);
980 tunnelsend(b, (q - b) + 14, t);
981 }
982
983 // Send CCP request for no compression
984 static void initccp(tunnelidt t, sessionidt s)
985 {
986 char b[500], *q;
987
988 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPCCP)))
989 return;
990
991 LOG(4, s, t, "Sending CCP ConfigReq for no compression\n");
992 *q = ConfigReq;
993 *(uint8_t *)(q + 1) = (time_now % 255) + 1; // ID
994 *(uint16_t *)(q + 2) = htons(4); // Length
995
996 LOG_HEX(5, "PPPCCP", q, 4);
997 tunnelsend(b, (q - b) + 4 , t);
998 }