add -Wformat-security -Wno-format-zero-length
[l2tpns.git] / ppp.c
1 // L2TPNS PPP Stuff
2
3 char const *cvs_id_ppp = "$Id: ppp.c,v 1.40 2005/01/05 13:50:30 bodea Exp $";
4
5 #include <stdio.h>
6 #include <string.h>
7 #include <unistd.h>
8 #include <errno.h>
9 #include <stdlib.h>
10 #include "l2tpns.h"
11 #include "constants.h"
12 #include "plugin.h"
13 #include "util.h"
14 #include "tbf.h"
15 #include "cluster.h"
16
17 extern tunnelt *tunnel;
18 extern sessiont *session;
19 extern radiust *radius;
20 extern int tunfd;
21 extern char hostname[];
22 extern uint32_t eth_tx;
23 extern time_t time_now;
24 extern configt *config;
25
26 static void initccp(tunnelidt t, sessionidt s);
27
28 // Process PAP messages
29 void processpap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
30 {
31 char user[129];
32 char pass[129];
33 uint16_t hl;
34
35 CSTAT(processpap);
36
37 LOG_HEX(5, "PAP", p, l);
38 if (l < 4)
39 {
40 LOG(1, s, t, "Short PAP %u bytes\n", l);
41 STAT(tunnel_rx_errors);
42 return ;
43 }
44
45 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
46 {
47 LOG(1, s, t, "Length mismatch PAP %u/%u\n", hl, l);
48 STAT(tunnel_rx_errors);
49 return ;
50 }
51 l = hl;
52
53 if (*p != 1)
54 {
55 LOG(1, s, t, "Unexpected PAP code %d\n", *p);
56 STAT(tunnel_rx_errors);
57 return ;
58 }
59
60 {
61 uint8_t *b = p;
62 b += 4;
63 if (*b && *b < sizeof(user))
64 memcpy(user, b + 1, *b);
65 user[*b] = 0;
66 b += 1 + *b;
67 if (*b && *b < sizeof(pass))
68 memcpy(pass, b + 1, *b);
69 pass[*b] = 0;
70 LOG(3, s, t, "PAP login %s/%s\n", user, pass);
71 }
72 if (session[s].ip || !session[s].radius)
73 {
74 // respond now, either no RADIUS available or already authenticated
75 uint8_t b[MAXCONTROL];
76 uint8_t id = p[1];
77 uint8_t *p = makeppp(b, sizeof(b), 0, 0, t, s, PPPPAP);
78 if (!p) return;
79
80 if (session[s].ip)
81 *p = 2; // ACK
82 else
83 *p = 3; // cant authorise
84 p[1] = id;
85 *(uint16_t *) (p + 2) = htons(5); // length
86 p[4] = 0; // no message
87 if (session[s].ip)
88 {
89 LOG(3, s, t, "Already an IP allocated: %s (%d)\n",
90 fmtaddr(htonl(session[s].ip), 0), session[s].ip_pool_index);
91
92 session[s].flags &= ~SF_IPCP_ACKED;
93 }
94 else
95 {
96 LOG(1, s, t, "No radius session available to authenticate session...\n");
97 }
98 LOG(3, s, t, "Fallback response to PAP (%s)\n", (session[s].ip) ? "ACK" : "NAK");
99 tunnelsend(b, 5 + (p - b), t); // send it
100 }
101 else
102 {
103 // set up RADIUS request
104 uint16_t r = session[s].radius;
105
106 // Run PRE_AUTH plugins
107 struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
108 run_plugins(PLUGIN_PRE_AUTH, &packet);
109 if (!packet.continue_auth)
110 {
111 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
112 if (packet.username) free(packet.username);
113 if (packet.password) free(packet.password);
114 return;
115 }
116
117 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
118 strncpy(radius[r].pass, packet.password, sizeof(radius[r].pass) - 1);
119
120 free(packet.username);
121 free(packet.password);
122
123 radius[r].id = p[1];
124 LOG(3, s, t, "Sending login for %s/%s to radius\n", user, pass);
125 radiussend(r, RADIUSAUTH);
126 }
127 }
128
129 // Process CHAP messages
130 void processchap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
131 {
132 uint16_t r;
133 uint16_t hl;
134
135 CSTAT(processchap);
136
137 LOG_HEX(5, "CHAP", p, l);
138 r = session[s].radius;
139 if (!r)
140 {
141 LOG(1, s, t, "Unexpected CHAP message\n");
142
143 // FIXME: Need to drop the session here.
144
145 STAT(tunnel_rx_errors);
146 return;
147 }
148
149 if (l < 4)
150 {
151 LOG(1, s, t, "Short CHAP %u bytes\n", l);
152 STAT(tunnel_rx_errors);
153 return ;
154 }
155
156 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
157 {
158 LOG(1, s, t, "Length mismatch CHAP %u/%u\n", hl, l);
159 STAT(tunnel_rx_errors);
160 return ;
161 }
162 l = hl;
163
164 if (*p != 2)
165 {
166 LOG(1, s, t, "Unexpected CHAP response code %d\n", *p);
167 STAT(tunnel_rx_errors);
168 return;
169 }
170 if (p[1] != radius[r].id)
171 {
172 LOG(1, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
173 STAT(tunnel_rx_errors);
174 return ;
175 }
176
177 if (l < 5 || p[4] != 16)
178 {
179 LOG(1, s, t, "Bad CHAP response length %d\n", l < 5 ? -1 : p[4]);
180 STAT(tunnel_rx_errors);
181 return ;
182 }
183
184 l -= 5;
185 p += 5;
186 if (l < 16 || l - 16 >= sizeof(session[s].user))
187 {
188 LOG(1, s, t, "CHAP user too long %d\n", l - 16);
189 STAT(tunnel_rx_errors);
190 return ;
191 }
192
193 // Run PRE_AUTH plugins
194 {
195 struct param_pre_auth packet = { &tunnel[t], &session[s], NULL, NULL, PPPCHAP, 1 };
196
197 packet.password = calloc(17, 1);
198 memcpy(packet.password, p, 16);
199
200 p += 16;
201 l -= 16;
202
203 packet.username = calloc(l + 1, 1);
204 memcpy(packet.username, p, l);
205
206 run_plugins(PLUGIN_PRE_AUTH, &packet);
207 if (!packet.continue_auth)
208 {
209 LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
210 if (packet.username) free(packet.username);
211 if (packet.password) free(packet.password);
212 return;
213 }
214
215 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
216 memcpy(radius[r].pass, packet.password, 16);
217
218 free(packet.username);
219 free(packet.password);
220 }
221
222 radius[r].chap = 1;
223 LOG(3, s, t, "CHAP login %s\n", session[s].user);
224 radiussend(r, RADIUSAUTH);
225 }
226
227 static void dumplcp(uint8_t *p, int l)
228 {
229 int x = l - 4;
230 uint8_t *o = (p + 4);
231
232 LOG_HEX(5, "PPP LCP Packet", p, l);
233 LOG(4, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_type((int)*p), ntohs( ((uint16_t *) p)[1]) );
234 LOG(4, 0, 0, "Length: %d\n", l);
235 if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
236 return;
237
238 while (x > 2)
239 {
240 int type = o[0];
241 int length = o[1];
242 if (length < 2)
243 {
244 LOG(4, 0, 0, " Option length is %d...\n", length);
245 break;
246 }
247 if (type == 0)
248 {
249 LOG(4, 0, 0, " Option type is 0...\n");
250 x -= length;
251 o += length;
252 continue;
253 }
254 switch (type)
255 {
256 case 1: // Maximum-Receive-Unit
257 if (length == 4)
258 LOG(4, 0, 0, " %s %d\n", lcp_type(type), ntohs(*(uint16_t *)(o + 2)));
259 else
260 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
261 break;
262 case 2: // Async-Control-Character-Map
263 if (length == 6)
264 {
265 uint32_t asyncmap = ntohl(*(uint32_t *)(o + 2));
266 LOG(4, 0, 0, " %s %x\n", lcp_type(type), asyncmap);
267 }
268 else
269 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
270 break;
271 case 3: // Authentication-Protocol
272 if (length == 4)
273 {
274 int proto = ntohs(*(uint16_t *)(o + 2));
275 LOG(4, 0, 0, " %s 0x%x (%s)\n", lcp_type(type), proto,
276 proto == PPPCHAP ? "CHAP" :
277 proto == PPPPAP ? "PAP" : "UNKNOWN");
278 }
279 else
280 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
281 break;
282 case 4: // Quality-Protocol
283 {
284 uint32_t qp = ntohl(*(uint32_t *)(o + 2));
285 LOG(4, 0, 0, " %s %x\n", lcp_type(type), qp);
286 }
287 break;
288 case 5: // Magic-Number
289 if (length == 6)
290 {
291 uint32_t magicno = ntohl(*(uint32_t *)(o + 2));
292 LOG(4, 0, 0, " %s %x\n", lcp_type(type), magicno);
293 }
294 else
295 LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
296 break;
297 case 7: // Protocol-Field-Compression
298 case 8: // Address-And-Control-Field-Compression
299 LOG(4, 0, 0, " %s\n", lcp_type(type));
300 break;
301 default:
302 LOG(2, 0, 0, " Unknown PPP LCP Option type %d\n", type);
303 break;
304 }
305 x -= length;
306 o += length;
307 }
308 }
309
310 // Process LCP messages
311 void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
312 {
313 uint8_t b[MAXCONTROL];
314 uint8_t *q = NULL;
315 uint32_t magicno = 0;
316 uint16_t hl;
317
318 CSTAT(processlcp);
319
320 LOG_HEX(5, "LCP", p, l);
321 if (l < 4)
322 {
323 LOG(1, s, t, "Short LCP %d bytes\n", l);
324 STAT(tunnel_rx_errors);
325 return ;
326 }
327
328 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
329 {
330 LOG(1, s, t, "Length mismatch LCP %u/%u\n", hl, l);
331 STAT(tunnel_rx_errors);
332 return ;
333 }
334 l = hl;
335
336 if (*p == ConfigAck)
337 {
338 LOG(3, s, t, "LCP: Discarding ConfigAck\n");
339 session[s].flags |= SF_LCP_ACKED;
340 }
341 else if (*p == ConfigReq)
342 {
343 int x = l - 4;
344 uint8_t *o = (p + 4);
345 uint8_t *response = 0;
346
347 LOG(3, s, t, "LCP: ConfigReq (%d bytes)...\n", l);
348 if (config->debug > 3) dumplcp(p, l);
349
350 while (x > 2)
351 {
352 int type = o[0];
353 int length = o[1];
354
355 if (length == 0 || type == 0 || x < length) break;
356 switch (type)
357 {
358 case 1: // Maximum-Receive-Unit
359 session[s].mru = ntohs(*(uint16_t *)(o + 2));
360 break;
361
362 case 2: // Async-Control-Character-Map
363 if (!ntohl(*(uint32_t *)(o + 2))) // all bits zero is OK
364 break;
365
366 if (response && *response != ConfigNak) // rej already queued
367 break;
368
369 LOG(2, s, t, " Remote requesting asyncmap. Rejecting.\n");
370 if (!response)
371 {
372 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
373 if (!q) break;
374 *q = ConfigNak;
375 q += 4;
376 }
377
378 if ((q - b + 11) > sizeof(b))
379 {
380 LOG(2, s, t, "LCP overflow for asyncmap ConfigNak.\n");
381 break;
382 }
383
384 *q++ = type;
385 *q++ = 6;
386 memset(q, 0, 4); // asyncmap 0
387 q += 4;
388 *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length
389 break;
390
391 case 3: // Authentication-Protocol
392 {
393 int proto = ntohs(*(uint16_t *)(o + 2));
394 char proto_name[] = "0x0000";
395 if (proto == PPPPAP)
396 break;
397
398 if (response && *response != ConfigNak) // rej already queued
399 break;
400
401 if (proto == PPPCHAP)
402 strcpy(proto_name, "CHAP");
403 else
404 sprintf(proto_name, "%#4.4x", proto);
405
406 LOG(2, s, t, " Remote requesting %s authentication. Rejecting.\n", proto_name);
407
408 if (!response)
409 {
410 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
411 if (!q) break;
412 *q = ConfigNak;
413 q += 4;
414 }
415
416 if ((q - b + length) > sizeof(b))
417 {
418 LOG(2, s, t, "LCP overflow for %s ConfigNak.\n", proto_name);
419 break;
420 }
421
422 memcpy(q, o, length);
423 *(uint16_t *)(q += 2) = htons(PPPPAP); // NAK -> Use PAP instead
424 q += length;
425 *((uint16_t *) (response + 2)) = htons(q - response);
426 }
427 break;
428
429 case 5: // Magic-Number
430 magicno = ntohl(*(uint32_t *)(o + 2));
431 break;
432
433 case 4: // Quality-Protocol
434 case 7: // Protocol-Field-Compression
435 case 8: // Address-And-Control-Field-Compression
436 break;
437
438 default: // Reject any unknown options
439 LOG(2, s, t, " Rejecting PPP LCP Option type %d\n", type);
440 if (!response || *response != ConfigRej) // drop nak in favour of rej
441 {
442 q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
443 if (!q) break;
444 *q = ConfigRej;
445 q += 4;
446 }
447
448 if ((q - b + length) > sizeof(b))
449 {
450 LOG(2, s, t, "LCP overflow for ConfigRej (type=%d).\n", type);
451 break;
452 }
453
454 memcpy(q, o, length);
455 q += length;
456 *((uint16_t *) (response + 2)) = htons(q - response); // LCP header length
457 }
458 x -= length;
459 o += length;
460 }
461
462 if (!response)
463 {
464 // Send back a ConfigAck
465 q = response = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
466 if (!q) return;
467 *q = ConfigAck;
468 }
469
470 LOG(3, s, t, "Sending %s\n", ppp_lcp_type(*response));
471 tunnelsend(b, l + (q - b), t);
472
473 if (!(session[s].flags & SF_LCP_ACKED))
474 initlcp(t, s);
475 }
476 else if (*p == ConfigNak)
477 {
478 LOG(1, s, t, "Remote end sent a ConfigNak. Ignoring\n");
479 if (config->debug > 3) dumplcp(p, l);
480 return ;
481 }
482 else if (*p == TerminateReq)
483 {
484 LOG(3, s, t, "LCP: Received TerminateReq. Sending TerminateAck\n");
485 *p = TerminateAck; // close
486 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
487 if (!q) return;
488 tunnelsend(b, l + (q - b), t); // send it
489 sessionshutdown(s, "Remote end closed connection.");
490 }
491 else if (*p == TerminateAck)
492 {
493 sessionshutdown(s, "Connection closed.");
494 }
495 else if (*p == EchoReq)
496 {
497 LOG(5, s, t, "LCP: Received EchoReq. Sending EchoReply\n");
498 *p = EchoReply; // reply
499 *(uint32_t *) (p + 4) = htonl(session[s].magic); // our magic number
500 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
501 if (!q) return;
502 tunnelsend(b, l + (q - b), t); // send it
503 }
504 else if (*p == EchoReply)
505 {
506 // Ignore it, last_packet time is set earlier than this.
507 }
508 else if (*p == IdentRequest)
509 {
510 *p = CodeRej;
511 if (l > MAXCONTROL)
512 {
513 LOG(1, s, t, "Truncated Ident Packet (length=%d) to 1400 bytes\n", l);
514 l = 1400;
515 }
516 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
517 if (!q) return;
518 LOG_HEX(5, "LCPIdentRej", q, l + 4);
519 tunnelsend(b, 12 + 4 + l, t);
520 }
521 else
522 {
523 LOG(1, s, t, "Unexpected LCP code %d\n", *p);
524 STAT(tunnel_rx_errors);
525 return ;
526 }
527 }
528
529 // find a PPP option, returns point to option, or 0 if not found
530 static uint8_t *findppp(uint8_t *b, uint8_t mtype)
531 {
532 uint16_t l = ntohs(*(uint16_t *) (b + 2));
533 if (l < 4)
534 return 0;
535 b += 4;
536 l -= 4;
537 while (l)
538 {
539 if (l < b[1] || !b[1])
540 return 0; // faulty
541 if (*b == mtype)
542 return b;
543 l -= b[1];
544 b += b[1];
545 }
546 return 0;
547 }
548
549 // Process IPCP messages
550 void processipcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
551 {
552 uint16_t hl;
553
554 CSTAT(processipcp);
555
556 LOG_HEX(5, "IPCP", p, l);
557 if (l < 5)
558 {
559 LOG(1, s, t, "Short IPCP %d bytes\n", l);
560 STAT(tunnel_rx_errors);
561 return ;
562 }
563
564 if ((hl = ntohs(*(uint16_t *) (p + 2))) > l)
565 {
566 LOG(1, s, t, "Length mismatch IPCP %u/%u\n", hl, l);
567 STAT(tunnel_rx_errors);
568 return ;
569 }
570 l = hl;
571
572 if (*p == ConfigAck)
573 {
574 // happy with our IPCP
575 uint16_t r = session[s].radius;
576 if ((!r || radius[r].state == RADIUSIPCP) && !session[s].walled_garden)
577 {
578 if (!r)
579 r = radiusnew(s);
580 if (r)
581 radiussend(r, RADIUSSTART); // send radius start, having got IPCP at last
582 }
583 session[s].flags |= SF_IPCP_ACKED;
584
585 LOG(3, s, t, "IPCP Acked, session is now active\n");
586
587 // clear LCP_ACKED/CCP_ACKED flag for possible fast renegotiaion for routers
588 session[s].flags &= ~(SF_LCP_ACKED|SF_CCP_ACKED);
589
590 return;
591 }
592 if (*p != ConfigReq)
593 {
594 LOG(1, s, t, "Unexpected IPCP code %d\n", *p);
595 STAT(tunnel_rx_errors);
596 return ;
597 }
598 LOG(4, s, t, "IPCP ConfigReq received\n");
599
600 if (!session[s].ip)
601 {
602 LOG(3, s, t, "Waiting on radius reply\n");
603 return; // have to wait on RADIUS reply
604 }
605 // form a config reply quoting the IP in the session
606 {
607 uint8_t b[MAXCONTROL];
608 uint8_t *i, *q;
609
610 q = p + 4;
611 i = p + l;
612 while (q < i && q[1])
613 {
614 if (*q != 0x81 && *q != 0x83 && *q != 3)
615 break;
616 q += q[1];
617 }
618 if (q < i)
619 {
620 // reject
621 uint16_t n = 4;
622 i = p + l;
623 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
624 return;
625
626 *q = ConfigRej;
627 p += 4;
628 while (p < i && p[1])
629 {
630 if (*p != 0x81 && *p != 0x83 && *p != 3)
631 {
632 LOG(2, s, t, "IPCP reject %d\n", *p);
633 memcpy(q + n, p, p[1]);
634 n += p[1];
635 }
636 p += p[1];
637 }
638 *(uint16_t *) (q + 2) = htons(n);
639 LOG(4, s, t, "Sending ConfigRej\n");
640 tunnelsend(b, n + (q - b), t); // send it
641 }
642 else
643 {
644 LOG(4, s, t, "Sending ConfigAck\n");
645 *p = ConfigAck;
646 if ((i = findppp(p, 0x81))) // Primary DNS address
647 {
648 if (*(uint32_t *) (i + 2) != htonl(session[s].dns1))
649 {
650 *(uint32_t *) (i + 2) = htonl(session[s].dns1);
651 *p = ConfigNak;
652 LOG(5, s, t, " DNS1 = %s\n",
653 fmtaddr(htonl(session[s].dns1), 0));
654 }
655 }
656 if ((i = findppp(p, 0x83))) // Secondary DNS address (TBA, is it)
657 {
658 if (*(uint32_t *) (i + 2) != htonl(session[s].dns2))
659 {
660 *(uint32_t *) (i + 2) = htonl(session[s].dns2);
661 *p = ConfigNak;
662 LOG(5, s, t, " DNS2 = %s\n",
663 fmtaddr(htonl(session[s].dns2), 0));
664 }
665 }
666 i = findppp(p, 3); // IP address
667 if (!i || i[1] != 6)
668 {
669 LOG(1, s, t, "No IP in IPCP request\n");
670 STAT(tunnel_rx_errors);
671 return ;
672 }
673 if (*(uint32_t *) (i + 2) != htonl(session[s].ip))
674 {
675 *(uint32_t *) (i + 2) = htonl(session[s].ip);
676 *p = ConfigNak;
677 LOG(4, s, t, " No, a ConfigNak, client is requesting IP - sending %s\n",
678 fmtaddr(htonl(session[s].ip), 0));
679 }
680 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
681 return;
682
683 tunnelsend(b, l + (q - b), t); // send it
684 }
685 }
686 }
687
688 // process IP packet received
689 //
690 // This MUST be called with at least 4 byte behind 'p'.
691 // (i.e. this routine writes to p[-4]).
692 void processipin(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
693 {
694 in_addr_t ip;
695
696 CSTAT(processipin);
697
698 LOG_HEX(5, "IP", p, l);
699
700 ip = ntohl(*(uint32_t *)(p + 12));
701
702 if (l > MAXETHER)
703 {
704 LOG(1, s, t, "IP packet too long %d\n", l);
705 STAT(tunnel_rx_errors);
706 return ;
707 }
708
709 // no spoof (do sessionbyip to handled statically routed subnets)
710 if (ip != session[s].ip && sessionbyip(htonl(ip)) != s)
711 {
712 LOG(5, s, t, "Dropping packet with spoofed IP %s\n", fmtaddr(htonl(ip), 0));
713 return;
714 }
715
716 // run access-list if any
717 if (session[s].filter_in && !ip_filter(p, l, session[s].filter_in - 1))
718 return;
719
720 // Add on the tun header
721 p -= 4;
722 *(uint32_t *) p = htonl(0x00000800);
723 l += 4;
724
725 if (session[s].tbf_in && !config->cluster_iam_master) { // Are we throttled and a slave?
726 master_throttle_packet(session[s].tbf_in, p, l); // Pass it to the master for handling.
727 return;
728 }
729
730 if (session[s].tbf_in && config->cluster_iam_master) { // Are we throttled and a master?? actually handle the throttled packets.
731 tbf_queue_packet(session[s].tbf_in, p, l);
732 return;
733 }
734
735 // send to ethernet
736 if (tun_write(p, l) < 0)
737 {
738 STAT(tun_tx_errors);
739 LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
740 l, strerror(errno), tunfd, p);
741
742 return;
743 }
744
745 if (session[s].snoop_ip && session[s].snoop_port)
746 {
747 // Snooping this session
748 snoop_send_packet(p + 4, l - 4, session[s].snoop_ip, session[s].snoop_port);
749 }
750
751 session[s].cin += l - 4;
752 session[s].total_cin += l - 4;
753 sess_count[s].cin += l - 4;
754
755 session[s].pin++;
756 eth_tx += l - 4;
757
758 STAT(tun_tx_packets);
759 INC_STAT(tun_tx_bytes, l - 4);
760 }
761
762 //
763 // Helper routine for the TBF filters.
764 // Used to send queued data in from the user.
765 //
766 void send_ipin(sessionidt s, uint8_t *buf, int len)
767 {
768 LOG_HEX(5, "IP in throttled", buf, len);
769
770 if (write(tunfd, buf, len) < 0)
771 {
772 STAT(tun_tx_errors);
773 LOG(0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
774 len, strerror(errno), tunfd, buf);
775
776 return;
777 }
778
779 if (session[s].snoop_ip && session[s].snoop_port)
780 {
781 // Snooping this session
782 snoop_send_packet(buf + 4, len - 4, session[s].snoop_ip, session[s].snoop_port);
783 }
784
785 // Increment packet counters
786 session[s].cin += len - 4;
787 session[s].total_cin += len - 4;
788 sess_count[s].cin += len - 4;
789
790 session[s].pin++;
791 eth_tx += len - 4;
792
793 STAT(tun_tx_packets);
794 INC_STAT(tun_tx_bytes, len - 4);
795 }
796
797
798 // Process CCP messages
799 void processccp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
800 {
801 uint8_t b[MAXCONTROL];
802 uint8_t *q;
803
804 CSTAT(processccp);
805
806 LOG_HEX(5, "CCP", p, l);
807 switch (l > 1 ? *p : 0)
808 {
809 case ConfigAck:
810 session[s].flags |= SF_CCP_ACKED;
811 return;
812
813 case ConfigReq:
814 if (l < 6) // accept no compression
815 {
816 *p = ConfigAck;
817 break;
818 }
819
820 // compression requested--reject
821 *p = ConfigRej;
822
823 // send CCP request for no compression for our end if not negotiated
824 if (!(session[s].flags & SF_CCP_ACKED))
825 initccp(t, s);
826
827 break;
828
829 case TerminateReq:
830 *p = TerminateAck;
831 break;
832
833 default:
834 if (l > 1)
835 LOG(1, s, t, "Unexpected CCP request code %d\n", *p);
836 else
837 LOG(1, s, t, "Short CCP packet\n");
838
839 STAT(tunnel_rx_errors);
840 return;
841 }
842
843 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPCCP)))
844 return;
845
846 tunnelsend(b, l + (q - b), t); // send it
847 }
848
849 // send a CHAP PP packet
850 void sendchap(tunnelidt t, sessionidt s)
851 {
852 uint8_t b[MAXCONTROL];
853 uint16_t r = session[s].radius;
854 uint8_t *q;
855
856 CSTAT(sendchap);
857
858 if (!r)
859 {
860 LOG(1, s, t, "No RADIUS to send challenge\n");
861 STAT(tunnel_tx_errors);
862 return;
863 }
864
865 LOG(1, s, t, "Send CHAP challenge\n");
866
867 // new challenge
868 random_data(radius[r].auth, sizeof(radius[r].auth));
869 radius[r].chap = 1; // CHAP not PAP
870 radius[r].id++;
871 if (radius[r].state != RADIUSCHAP)
872 radius[r].try = 0;
873
874 radius[r].state = RADIUSCHAP;
875 radius[r].retry = backoff(radius[r].try++);
876 if (radius[r].try > 5)
877 {
878 sessionshutdown(s, "Timeout CHAP");
879 STAT(tunnel_tx_errors);
880 return ;
881 }
882 q = makeppp(b, sizeof(b), 0, 0, t, s, PPPCHAP);
883 if (!q) return;
884
885 *q = 1; // challenge
886 q[1] = radius[r].id; // ID
887 q[4] = 16; // length
888 memcpy(q + 5, radius[r].auth, 16); // challenge
889 strcpy(q + 21, hostname); // our name
890 *(uint16_t *) (q + 2) = htons(strlen(hostname) + 21); // length
891 tunnelsend(b, strlen(hostname) + 21 + (q - b), t); // send it
892 }
893
894 // fill in a L2TP message with a PPP frame,
895 // copies existing PPP message and changes magic number if seen
896 // returns start of PPP frame
897 uint8_t *makeppp(uint8_t *b, int size, uint8_t *p, int l, tunnelidt t, sessionidt s, uint16_t mtype)
898 {
899 if (size < 12) // Need more space than this!!
900 {
901 static int backtrace_count = 0;
902 LOG(0, s, t, "makeppp buffer too small for L2TP header (size=%d)\n", size);
903 log_backtrace(backtrace_count, 5)
904 return NULL;
905 }
906
907 *(uint16_t *) (b + 0) = htons(0x0002); // L2TP with no options
908 *(uint16_t *) (b + 2) = htons(tunnel[t].far); // tunnel
909 *(uint16_t *) (b + 4) = htons(session[s].far); // session
910 b += 6;
911 if (mtype == PPPLCP || !(session[s].l2tp_flags & SESSIONACFC))
912 {
913 *(uint16_t *) b = htons(0xFF03); // HDLC header
914 b += 2;
915 }
916 if (mtype < 0x100 && session[s].l2tp_flags & SESSIONPFC)
917 *b++ = mtype;
918 else
919 {
920 *(uint16_t *) b = htons(mtype);
921 b += 2;
922 }
923
924 if (l + 12 > size)
925 {
926 static int backtrace_count = 0;
927 LOG(2, s, t, "makeppp would overflow buffer (size=%d, header+payload=%d)\n", size, l + 12);
928 log_backtrace(backtrace_count, 5)
929 return NULL;
930 }
931
932 if (p && l)
933 memcpy(b, p, l);
934
935 return b;
936 }
937
938 // Send initial LCP ConfigReq for PAP, set magic no.
939 void initlcp(tunnelidt t, sessionidt s)
940 {
941 char b[500], *q;
942
943 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP)))
944 return;
945
946 LOG(4, s, t, "Sending LCP ConfigReq for PAP\n");
947 *q = ConfigReq;
948 *(uint8_t *)(q + 1) = (time_now % 255) + 1; // ID
949 *(uint16_t *)(q + 2) = htons(14); // Length
950 *(uint8_t *)(q + 4) = 5;
951 *(uint8_t *)(q + 5) = 6;
952 *(uint32_t *)(q + 6) = htonl(session[s].magic);
953 *(uint8_t *)(q + 10) = 3;
954 *(uint8_t *)(q + 11) = 4;
955 *(uint16_t *)(q + 12) = htons(PPPPAP); // PAP
956
957 LOG_HEX(5, "PPPLCP", q, 14);
958 tunnelsend(b, (q - b) + 14, t);
959 }
960
961 // Send CCP request for no compression
962 static void initccp(tunnelidt t, sessionidt s)
963 {
964 char b[500], *q;
965
966 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPCCP)))
967 return;
968
969 LOG(4, s, t, "Sending CCP ConfigReq for no compression\n");
970 *q = ConfigReq;
971 *(uint8_t *)(q + 1) = (time_now % 255) + 1; // ID
972 *(uint16_t *)(q + 2) = htons(4); // Length
973
974 LOG_HEX(5, "PPPCCP", q, 4);
975 tunnelsend(b, (q - b) + 4 , t);
976 }