Add spec file
[l2tpns.git] / ppp.c
1 // L2TPNS PPP Stuff
2
3 char const *cvs_id_ppp = "$Id: ppp.c,v 1.14 2004/09/02 04:18:07 fred_nerk Exp $";
4
5 #include <stdio.h>
6 #include <string.h>
7 #include <unistd.h>
8 #include <errno.h>
9 #include <stdlib.h>
10 #include "l2tpns.h"
11 #include "constants.h"
12 #include "plugin.h"
13 #include "util.h"
14 #include "tbf.h"
15 #include "cluster.h"
16
17 extern tunnelt *tunnel;
18 extern sessiont *session;
19 extern radiust *radius;
20 extern int tunfd;
21 extern char hostname[];
22 extern u32 eth_tx;
23 extern time_t time_now;
24 extern struct configt *config;
25
26 void sendccp(tunnelidt t, sessionidt s);
27
28 // Process PAP messages
29 void processpap(tunnelidt t, sessionidt s, u8 * p, u16 l)
30 {
31 char user[129];
32 char pass[129];
33
34
35 CSTAT(call_processpap);
36
37 log_hex(5, "PAP", p, l);
38 if (l < 4)
39 {
40 log(1, 0, s, t, "Short PAP %u bytes\n", l);
41 STAT(tunnel_rx_errors);
42 return ;
43 }
44 if (*p != 1)
45 {
46 log(1, 0, s, t, "Unexpected PAP code %d\n", *p);
47 STAT(tunnel_rx_errors);
48 return ;
49 }
50 if (ntohs(*(u16 *) (p + 2)) > l)
51 {
52 log(1, 0, s, t, "Length mismatch PAP %d/%d\n", ntohs(*(u16 *) (p + 2)), l);
53 STAT(tunnel_rx_errors);
54 return ;
55 }
56 {
57 u8 *b = p;
58 b += 4;
59 if (*b && *b < sizeof(user))
60 memcpy(user, b + 1, *b);
61 user[*b] = 0;
62 b += 1 + *b;
63 if (*b && *b < sizeof(pass))
64 memcpy(pass, b + 1, *b);
65 pass[*b] = 0;
66 log(3, 0, s, t, "PAP login %s/%s\n", user, pass);
67 }
68 if (session[s].ip || !session[s].radius)
69 {
70 // respond now, either no RADIUS available or already authenticated
71 u8 b[MAXCONTROL];
72 u8 id = p[1];
73 u8 *p = makeppp(b, sizeof(b), 0, 0, t, s, PPPPAP);
74 if (!p) { // Failed to make ppp header!
75 log(1,0,0,0, "Failed to make PPP header in process pap!\n");
76 return;
77 }
78 if (session[s].ip)
79 *p = 2; // ACK
80 else
81 *p = 3; // cant authorise
82 p[1] = id;
83 *(u16 *) (p + 2) = htons(5); // length
84 p[4] = 0; // no message
85 if (session[s].ip)
86 {
87 log(3, session[s].ip, s, t, "%d Already an IP allocated: %s (%d)\n", getpid(), inet_toa(htonl(session[s].ip)), session[s].ip_pool_index);
88 session[s].flags &= ~SF_IPCP_ACKED;
89 }
90 else
91 {
92 log(1, 0, s, t, "No radius session available to authenticate session...\n");
93 }
94 log(3, 0, s, t, "Fallback response to PAP (%s)\n", (session[s].ip) ? "ACK" : "NAK");
95 tunnelsend(b, 5 + (p - b), t); // send it
96 }
97 else
98 {
99 // set up RADIUS request
100 u16 r = session[s].radius;
101
102 // Run PRE_AUTH plugins
103 struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
104 run_plugins(PLUGIN_PRE_AUTH, &packet);
105 if (!packet.continue_auth)
106 {
107 log(3, 0, s, t, "A plugin rejected PRE_AUTH\n");
108 if (packet.username) free(packet.username);
109 if (packet.password) free(packet.password);
110 return;
111 }
112
113 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
114 strncpy(radius[r].pass, packet.password, sizeof(radius[r].pass) - 1);
115
116 free(packet.username);
117 free(packet.password);
118
119 radius[r].id = p[1];
120 log(3, 0, s, t, "Sending login for %s/%s to radius\n", user, pass);
121 radiussend(r, RADIUSAUTH);
122 }
123 }
124
125 // Process CHAP messages
126 void processchap(tunnelidt t, sessionidt s, u8 * p, u16 l)
127 {
128 u16 r;
129 u16 len;
130
131
132 CSTAT(call_processchap);
133
134 log_hex(5, "CHAP", p, l);
135 r = session[s].radius;
136 if (!r)
137 {
138 log(1, 0, s, t, "Unexpected CHAP message\n");
139
140 // FIXME: Need to drop the session here.
141
142 STAT(tunnel_rx_errors);
143 return;
144 }
145 if (*p != 2)
146 {
147 log(1, 0, s, t, "Unexpected CHAP response code %d\n", *p);
148 STAT(tunnel_rx_errors);
149 return;
150 }
151 if (p[1] != radius[r].id)
152 {
153 log(1, 0, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
154 STAT(tunnel_rx_errors);
155 return ;
156 }
157 len = ntohs(*(u16 *) (p + 2));
158 if (len > l)
159 {
160 log(1, 0, s, t, "Bad CHAP length %d\n", len);
161 STAT(tunnel_rx_errors);
162 return ;
163 }
164 if (p[4] != 16)
165 {
166 log(1, 0, s, t, "Bad CHAP response length %d\n", p[4]);
167 STAT(tunnel_rx_errors);
168 return ;
169 }
170 if (len - 21 >= sizeof(session[s].user))
171 {
172 log(1, 0, s, t, "CHAP user too long %d\n", len - 21);
173 STAT(tunnel_rx_errors);
174 return ;
175 }
176
177 // Run PRE_AUTH plugins
178 {
179 struct param_pre_auth packet = { &tunnel[t], &session[s], NULL, NULL, PPPCHAP, 1 };
180
181 packet.username = calloc(len-20, 1);
182 packet.password = calloc(16, 1);
183 memcpy(packet.username, p + 21, len - 21);
184 memcpy(packet.password, p + 5, 16);
185
186 run_plugins(PLUGIN_PRE_AUTH, &packet);
187 if (!packet.continue_auth)
188 {
189 log(3, 0, s, t, "A plugin rejected PRE_AUTH\n");
190 if (packet.username) free(packet.username);
191 if (packet.password) free(packet.password);
192 return;
193 }
194
195 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
196 memcpy(radius[r].pass, packet.password, 16);
197
198 free(packet.username);
199 free(packet.password);
200 }
201
202 radius[r].chap = 1;
203 log(3, 0, s, t, "CHAP login %s\n", session[s].user);
204 radiussend(r, RADIUSAUTH);
205 }
206
207 char *ppp_lcp_types[] = {
208 NULL,
209 "ConfigReq",
210 "ConfigAck",
211 "ConfigNak",
212 "ConfigRej",
213 "TerminateReq",
214 "TerminateAck",
215 "CodeRej",
216 "ProtocolRej",
217 "EchoReq",
218 "EchoReply",
219 "DiscardRequest",
220 "IdentRequest",
221 };
222
223 void dumplcp(u8 *p, int l)
224 {
225 signed int x = l - 4;
226 u8 *o = (p + 4);
227
228 log_hex(5, "PPP LCP Packet", p, l);
229 log(4, 0, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_types[(int)*p], ntohs( ((u16 *) p)[1]) );
230 log(4, 0, 0, 0, "Length: %d\n", l);
231 if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
232 return;
233
234 while (x > 2)
235 {
236 int type = o[0];
237 int length = o[1];
238 if (length < 2)
239 {
240 log(4, 0, 0, 0, " Option length is %d...\n", length);
241 break;
242 }
243 if (type == 0)
244 {
245 log(4, 0, 0, 0, " Option type is 0...\n");
246 x -= length;
247 o += length;
248 continue;
249 }
250 switch (type)
251 {
252 case 1: // Maximum-Receive-Unit
253 if (length == 4)
254 log(4, 0, 0, 0, " %s %d\n", lcp_types[type], ntohs(*(u16 *)(o + 2)));
255 else
256 log(4, 0, 0, 0, " %s odd length %d\n", lcp_types[type], length);
257 break;
258 case 3: // Authentication-Protocol
259 {
260 if (length == 4)
261 {
262 int proto = ntohs(*(u16 *)(o + 2));
263 log(4, 0, 0, 0, " %s 0x%x (%s)\n", lcp_types[type], proto,
264 proto == 0xC223 ? "CHAP" :
265 proto == 0xC023 ? "PAP" : "UNKNOWN");
266 }
267 else
268 log(4, 0, 0, 0, " %s odd length %d\n", lcp_types[type], length);
269 break;
270 }
271 case 4: // Quality-Protocol
272 {
273 u32 qp = ntohl(*(u32 *)(o + 2));
274 log(4, 0, 0, 0, " %s %x\n", lcp_types[type], qp);
275 break;
276 }
277 case 5: // Magic-Number
278 {
279 if (length == 6)
280 {
281 u32 magicno = ntohl(*(u32 *)(o + 2));
282 log(4, 0, 0, 0, " %s %x\n", lcp_types[type], magicno);
283 }
284 else
285 log(4, 0, 0, 0, " %s odd length %d\n", lcp_types[type], length);
286 break;
287 }
288 case 7: // Protocol-Field-Compression
289 {
290 log(4, 0, 0, 0, " %s\n", lcp_types[type]);
291 break;
292 }
293 case 8: // Address-And-Control-Field-Compression
294 {
295 log(4, 0, 0, 0, " %s\n", lcp_types[type]);
296 break;
297 }
298 default:
299 log(2, 0, 0, 0, " Unknown PPP LCP Option type %d\n", type);
300 break;
301 }
302 x -= length;
303 o += length;
304 }
305 }
306
307 // Process LCP messages
308 void processlcp(tunnelidt t, sessionidt s, u8 * p, u16 l)
309 {
310 u8 b[MAXCONTROL];
311 u8 *q = NULL;
312 u32 magicno = 0;
313
314
315 CSTAT(call_processlcp);
316
317 log_hex(5, "LCP", p, l);
318 if (l < 4)
319 {
320 log(1, session[s].ip, s, t, "Short LCP %d bytes\n", l);
321 STAT(tunnel_rx_errors);
322 return ;
323 }
324 if (*p == ConfigAck)
325 {
326 log(3, session[s].ip, s, t, "LCP: Discarding ConfigAck\n");
327 session[s].flags |= SESSIONLCPACK;
328 }
329 else if (*p == ConfigReq)
330 {
331 signed int x = l - 4;
332 u8 *o = (p + 4);
333
334 log(3, session[s].ip, s, t, "LCP: ConfigReq (%d bytes)...\n", l);
335 dumplcp(p, l);
336
337 while (x > 2)
338 {
339 int type = o[0];
340 int length = o[1];
341 if (length == 0 || type == 0) break;
342 switch (type)
343 {
344 case 1: // Maximum-Receive-Unit
345 session[s].mru = ntohs(*(u16 *)(o + 2));
346 break;
347 case 2: // asyncmap
348 log_hex(2, "PPP LCP Packet", p, l);
349 log(2, 0, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_types[(int)*p], ntohs( ((u16 *) p)[1]) );
350 break;
351 case 3: // Authentication-Protocol
352 {
353 int proto = ntohs(*(u16 *)(o + 2));
354 if (proto == 0xC223)
355 {
356 log(2, session[s].ip, s, t, " Remote end is trying to do CHAP. Rejecting it.\n");
357
358 if (!q)
359 {
360 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
361 if (!q) {
362 log(2, session[s].ip, s, t, " Failed to send packet.\n");
363 break;
364 }
365 *q++ = ConfigNak;
366 }
367 memcpy(q, o, length);
368 *(u16 *)(q += 2) = htons(0xC023); // NAK -> Use PAP instead
369 q += length;
370 }
371 break;
372 }
373 case 5: // Magic-Number
374 {
375 magicno = ntohl(*(u32 *)(o + 2));
376 break;
377 }
378 case 4: // Quality-Protocol
379 case 7: // Protocol-Field-Compression
380 case 8: // Address-And-Control-Field-Compression
381 break;
382 case 13: // CallBack option for LCP extention of win2000/routers L2TP client
383 case 17:
384 case 18:
385 {
386 // Reject LCP CallBack
387 log(2, session[s].ip, s, t, " PPP LCP Option type %d, len=%d\n", type, length);
388 memcpy(p + 4, o, length);
389 *(u16 *)(p + 2) = htons(length + 4);
390 *p = ConfigRej;
391 q = makeppp(b,sizeof(b), p, length + 4, t, s, PPPLCP);
392 tunnelsend(b, 12 + length + 4, t);
393 return;
394 }
395
396 default:
397 // Reject Unknown LCP Option to stop to send it again
398 log(2, session[s].ip, s, t, " Unknown PPP LCP Option type %d\n", type);
399 memcpy(p + 4, o, length);
400 *(u16 *)(p + 2) = htons(length + 4);
401 *p = ConfigRej;
402 q = makeppp(b,sizeof(b), p, length + 4, t, s, PPPLCP);
403 tunnelsend(b, 12 + length + 4, t);
404 return;
405 }
406 x -= length;
407 o += length;
408 }
409
410 if (!q)
411 {
412 // Send back a ConfigAck
413 log(3, session[s].ip, s, t, "ConfigReq accepted, sending as Ack\n");
414 // for win2k L2TP clientis and LCP renegotiation of alive session
415 if (magicno || l == 4) initlcp(t, s);
416 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
417 if (!q)
418 {
419 log(3, session[s].ip, s, t, " failed to create packet.\n");
420 return;
421 }
422 *q = ConfigAck;
423 tunnelsend(b, l + (q - b), t);
424 }
425 else
426 {
427 // Already built a ConfigNak... send it
428 log(3, session[s].ip, s, t, "Sending ConfigNak\n");
429 tunnelsend(b, l + (q - b), t);
430 }
431
432 if (!(session[s].flags & SESSIONLCPACK))
433 initlcp(t, s);
434 }
435 else if (*p == ConfigNak)
436 {
437 log(1, session[s].ip, s, t, "Remote end sent a ConfigNak. Ignoring\n");
438 dumplcp(p, l);
439 return ;
440 }
441 else if (*p == TerminateReq)
442 {
443 *p = TerminateAck; // close
444 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
445 if (!q) {
446 log(3, session[s].ip, s, t, "Failed to create PPP packet in processlcp.\n");
447 return;
448 }
449 log(3, session[s].ip, s, t, "LCP: Received TerminateReq. Sending TerminateAck\n");
450 sessionshutdown(s, "Remote end closed connection.");
451 tunnelsend(b, l + (q - b), t); // send it
452 }
453 else if (*p == TerminateAck)
454 {
455 sessionshutdown(s, "Connection closed.");
456 }
457 else if (*p == EchoReq)
458 {
459 *p = EchoReply; // reply
460 *(u32 *) (p + 4) = htonl(session[s].magic); // our magic number
461 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
462 if (!q) {
463 log(3, session[s].ip, s, t, " failed to send EchoReply.\n");
464 return;
465 }
466 log(5, session[s].ip, s, t, "LCP: Received EchoReq. Sending EchoReply\n");
467 tunnelsend(b, l + (q - b), t); // send it
468 }
469 else if (*p == EchoReply)
470 {
471 // Ignore it, last_packet time is set earlier than this.
472 }
473 else if (*p == IdentRequest)
474 {
475 *p = CodeRej;
476 if (l > MAXCONTROL)
477 {
478 log(1, 0, s, t, "Truncated Ident Packet (length=%d) to 1400 bytes\n", l);
479 l = 1400;
480 }
481 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
482 if (!q)
483 {
484 log(3, session[s].ip, s, t, "Failed to create IdentRej.\n");
485 return;
486 }
487 log_hex(5, "LCPIdentRej", q, l + 4);
488 tunnelsend(b, 12 + 4 + l, t);
489 }
490 else
491 {
492 log(1, session[s].ip, s, t, "Unexpected LCP code %d\n", *p);
493 STAT(tunnel_rx_errors);
494 return ;
495 }
496 }
497
498 // Process IPCP messages
499 void processipcp(tunnelidt t, sessionidt s, u8 * p, u16 l)
500 {
501
502 CSTAT(call_processipcp);
503
504 log_hex(5, "IPCP", p, l);
505 if (l < 5)
506 {
507 log(1, 0, s, t, "Short IPCP %d bytes\n", l);
508 STAT(tunnel_rx_errors);
509 return ;
510 }
511 if (*p == ConfigAck)
512 {
513 // happy with our IPCP
514 u16 r = session[s].radius;
515 if ((!r || radius[r].state == RADIUSIPCP) && !session[s].walled_garden) {
516 if (!r)
517 r = radiusnew(s);
518 if (r)
519 radiussend(r, RADIUSSTART); // send radius start, having got IPCP at last
520 }
521 session[s].flags |= SF_IPCP_ACKED;
522
523 log(3, session[s].ip, s, t, "IPCP Acked, session is now active\n");
524 return;
525 }
526 if (*p != ConfigReq)
527 {
528 log(1, 0, s, t, "Unexpected IPCP code %d\n", *p);
529 STAT(tunnel_rx_errors);
530 return ;
531 }
532 log(4, session[s].ip, s, t, "IPCP ConfigReq received\n");
533 if (ntohs(*(u16 *) (p + 2)) > l)
534 {
535 log(1, 0, s, t, "Length mismatch IPCP %d/%d\n", ntohs(*(u16 *) (p + 2)), l);
536 STAT(tunnel_rx_errors);
537 return ;
538 }
539 if (!session[s].ip)
540 {
541 log(3, 0, s, t, "Waiting on radius reply\n");
542 return; // have to wait on RADIUS reply
543 }
544 // form a config reply quoting the IP in the session
545 {
546 u8 b[MAXCONTROL];
547 u8 *i,
548 *q;
549
550 l = ntohs(*(u16 *) (p + 2)); // We must use length from IPCP len field
551 q = p + 4;
552 i = p + l;
553 while (q < i && q[1])
554 {
555 if (*q != 0x81 && *q != 0x83 && *q != 3)
556 break;
557 q += q[1];
558 }
559 if (q < i)
560 {
561 // reject
562 u16 n = 4;
563 i = p + l;
564 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
565 {
566 log(2, 0, s, t, "Failed to send IPCP ConfigRej\n");
567 return;
568 }
569 *q = ConfigRej;
570 p += 4;
571 while (p < i && p[1])
572 {
573 if (*p != 0x81 && *p != 0x83 && *p != 3)
574 {
575 log(2, 0, s, t, "IPCP reject %d\n", *p);
576 memcpy(q + n, p, p[1]);
577 n += p[1];
578 }
579 p += p[1];
580 }
581 *(u16 *) (q + 2) = htons(n);
582 log(4, session[s].ip, s, t, "Sending ConfigRej\n");
583 tunnelsend(b, n + (q - b), t); // send it
584 }
585 else
586 {
587 log(4, session[s].ip, s, t, "Sending ConfigAck\n");
588 *p = ConfigAck;
589 if ((i = findppp(p, 0x81))) // Primary DNS address
590 {
591 if (*(u32 *) (i + 2) != htonl(session[s].dns1))
592 {
593 *(u32 *) (i + 2) = htonl(session[s].dns1);
594 *p = ConfigNak;
595 log(5, session[s].ip, s, t, " DNS1 = %s\n", inet_toa(session[s].dns1));
596 }
597 }
598 if ((i = findppp(p, 0x83))) // Secondary DNS address (TBA, is it)
599 {
600 if (*(u32 *) (i + 2) != htonl(session[s].dns2))
601 {
602 *(u32 *) (i + 2) = htonl(session[s].dns2);
603 *p = ConfigNak;
604 log(5, session[s].ip, s, t, " DNS2 = %s\n", inet_toa(session[s].dns1));
605 }
606 }
607 i = findppp(p, 3); // IP address
608 if (!i || i[1] != 6)
609 {
610 log(1, 0, s, t, "No IP in IPCP request\n");
611 STAT(tunnel_rx_errors);
612 return ;
613 }
614 if (*(u32 *) (i + 2) != htonl(session[s].ip))
615 {
616 *(u32 *) (i + 2) = htonl(session[s].ip);
617 *p = ConfigNak;
618 log(4, session[s].ip, s, t, " No, a ConfigNak, client is requesting IP - sending %s\n",
619 inet_toa(htonl(session[s].ip)));
620 }
621 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
622 {
623 log(2, 0, s, t, " Failed to send IPCP packet.\n");
624 return;
625 }
626 tunnelsend(b, l + (q - b), t); // send it
627 }
628 }
629 }
630
631 // process IP packet received
632 //
633 // This MUST be called with at least 4 byte behind 'p'.
634 // (i.e. this routine writes to p[-4]).
635 void processipin(tunnelidt t, sessionidt s, u8 * p, u16 l)
636 {
637 ipt ip;
638
639
640 CSTAT(call_processipin);
641
642 log_hex(5, "IP", p, l);
643
644 ip = ntohl(*(u32 *)(p + 12));
645
646 if (l > MAXETHER)
647 {
648 log(1, ip, s, t, "IP packet too long %d\n", l);
649 STAT(tunnel_rx_errors);
650 return ;
651 }
652
653 // no spoof (do sessionbyip to handled statically routed subnets)
654 if (ip != session[s].ip && sessionbyip(htonl(ip)) != s)
655 {
656 log(5, ip, s, t, "Dropping packet with spoofed IP %s\n", inet_toa(htonl(ip)));
657 return;
658 }
659
660 // Add on the tun header
661 p -= 4;
662 *(u32 *)p = htonl(0x00000800);
663 l += 4;
664
665 if (session[s].tbf_in && !config->cluster_iam_master) { // Are we throttled and a slave?
666 master_throttle_packet(session[s].tbf_in, p, l); // Pass it to the master for handling.
667 return;
668 }
669
670 session[s].cin += l - 4;
671 session[s].total_cin += l - 4;
672 sess_count[s].cin += l - 4;
673
674 session[s].pin++;
675 eth_tx += l - 4;
676
677 if (session[s].snoop_ip && session[s].snoop_port)
678 {
679 // Snooping this session
680 snoop_send_packet(p, l, session[s].snoop_ip, session[s].snoop_port);
681 }
682 STAT(tun_tx_packets);
683 INC_STAT(tun_tx_bytes, l);
684
685 if (session[s].tbf_in && config->cluster_iam_master) { // Are we throttled and a master?? actually handle the throttled packets.
686 tbf_queue_packet(session[s].tbf_in, p, l);
687 return;
688 }
689
690 // send to ethernet
691 if (tun_write(p, l) < 0)
692 {
693 STAT(tun_tx_errors);
694 log(0, 0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
695 l, strerror(errno), tunfd, p);
696 }
697
698 }
699
700 //
701 // Helper routine for the TBF filters.
702 // Used to send queued data in from the user.
703 //
704 void send_ipin(sessionidt s, u8 *buf, int len)
705 {
706 log_hex(5, "IP in throttled", buf, len);
707 if (write(tunfd, buf, len) < 0)
708 {
709 STAT(tun_tx_errors);
710 log(0, 0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
711 len, strerror(errno), tunfd, buf);
712 }
713
714 // Increment packet counters
715 session[s].cin += len - 4;
716 session[s].total_cin += len - 4;
717 sess_count[s].cin += len - 4;
718
719 session[s].pin++;
720 eth_tx += len - 4;
721 }
722
723
724 // Process LCP messages
725 void processccp(tunnelidt t, sessionidt s, u8 * p, u16 l)
726 {
727
728 CSTAT(call_processccp);
729
730 log_hex(5, "CCP", p, l);
731 if (l < 2 || (*p != ConfigReq && *p != TerminateReq))
732 {
733 log(1, 0, s, t, "Unexpecetd CCP request code %d\n", *p);
734 STAT(tunnel_rx_errors);
735 return ;
736 }
737 // reject
738 {
739 u8 b[MAXCONTROL];
740 u8 *q;
741 if (*p == ConfigReq)
742 {
743 if (l < 6)
744 {
745 *p = ConfigAck; // accept no compression
746 }
747 else
748 {
749 *p = ConfigRej; // reject
750 sendccp(t, s);
751 }
752 }
753 else
754 *p = TerminateAck; // close
755 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPCCP)))
756 {
757 log(1,0,0,0, "Failed to send CCP packet.\n");
758 return;
759 }
760 tunnelsend(b, l + (q - b), t); // send it
761 }
762 }
763
764 // send a CHAP PP packet
765 void sendchap(tunnelidt t, sessionidt s)
766 {
767 u8 b[MAXCONTROL];
768 u16 r = session[s].radius;
769 u8 *q;
770
771 CSTAT(call_sendchap);
772
773 if (!r)
774 {
775 log(1, 0, s, t, "No RADIUS to send challenge\n");
776 STAT(tunnel_tx_errors);
777 return ;
778 }
779 log(1, 0, s, t, "Send CHAP challenge\n");
780 {
781 // new challenge
782 int n;
783 for (n = 0; n < 15; n++)
784 radius[r].auth[n] = rand();
785 }
786 radius[r].chap = 1; // CHAP not PAP
787 radius[r].id++;
788 if (radius[r].state != RADIUSCHAP)
789 radius[r].try = 0;
790 radius[r].state = RADIUSCHAP;
791 radius[r].retry = backoff(radius[r].try++);
792 if (radius[r].try > 5)
793 {
794 sessionshutdown(s, "Timeout CHAP");
795 STAT(tunnel_tx_errors);
796 return ;
797 }
798 q = makeppp(b, sizeof(b), 0, 0, t, s, PPPCHAP);
799 if (!q) {
800 log(1, 0, s, t, "failed to send CHAP challenge.\n");
801 return;
802 }
803 *q = 1; // challenge
804 q[1] = radius[r].id; // ID
805 q[4] = 16; // length
806 memcpy(q + 5, radius[r].auth, 16); // challenge
807 strcpy(q + 21, hostname); // our name
808 *(u16 *) (q + 2) = htons(strlen(hostname) + 21); // length
809 tunnelsend(b, strlen(hostname) + 21 + (q - b), t); // send it
810 }
811
812 // fill in a L2TP message with a PPP frame,
813 // copies existing PPP message and changes magic number if seen
814 // returns start of PPP frame
815 u8 *makeppp(u8 * b, int size, u8 * p, int l, tunnelidt t, sessionidt s, u16 mtype)
816 {
817 if (size < 12)
818 return NULL; // Need more space than this!!
819
820 *(u16 *) (b + 0) = htons(0x0002); // L2TP with no options
821 *(u16 *) (b + 2) = htons(tunnel[t].far); // tunnel
822 *(u16 *) (b + 4) = htons(session[s].far); // session
823 b += 6;
824 if (mtype && !(session[s].l2tp_flags & SESSIONACFC))
825 {
826 *(u16 *) b = htons(0xFF03); // HDLC header
827 b += 2;
828 }
829 if (mtype < 0x100 && session[s].l2tp_flags & SESSIONPFC)
830 *b++ = mtype;
831 else
832 {
833 *(u16 *) b = htons(mtype);
834 b += 2;
835 }
836
837 if (l + 12 > size) {
838 log(3,0,0,0, "Would have overflowed the buffer in makeppp: size %d, len %d.\n", size, l);
839 return NULL; // Run out of room to hold the packet!
840 }
841 if (p && l)
842 memcpy(b, p, l);
843 return b;
844 }
845
846 // find a PPP option, returns point to option, or 0 if not found
847 u8 *findppp(u8 * b, u8 mtype)
848 {
849 u16 l = ntohs(*(u16 *) (b + 2));
850 if (l < 4)
851 return 0;
852 b += 4;
853 l -= 4;
854 while (l)
855 {
856 if (l < b[1] || !b[1])
857 return 0; // faulty
858 if (*b == mtype)
859 return b;
860 l -= b[1];
861 b += b[1];
862 }
863 return 0;
864 }
865
866 // Send initial LCP ConfigReq
867 void initlcp(tunnelidt t, sessionidt s)
868 {
869 char b[500] = {0}, *q;
870
871 q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP);
872 if (!q) {
873 log(1, 0, s, t, "Failed to send LCP ConfigReq.\n");
874 return;
875 }
876 log(4, 0, s, t, "Sending LCP ConfigReq for PAP\n");
877 *q = ConfigReq;
878 *(u8 *)(q + 1) = (time_now % 255) + 1; // ID
879 *(u16 *)(q + 2) = htons(14); // Length
880 *(u8 *)(q + 4) = 5;
881 *(u8 *)(q + 5) = 6;
882 *(u32 *)(q + 6) = htonl(session[s].magic);
883 *(u8 *)(q + 10) = 3;
884 *(u8 *)(q + 11) = 4;
885 *(u16 *)(q + 12) = htons(0xC023); // PAP
886 tunnelsend(b, 12 + 14, t);
887 }
888
889 // Send CCP reply
890 void sendccp(tunnelidt t, sessionidt s)
891 {
892 char *q, b[500] = {0};
893
894 q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPCCP);
895 *q = ConfigReq;
896 *(u8 *)(q + 1) = (time_now % 255) + 1; // ID
897 *(u16 *)(q + 2) = htons(4); // Length
898 log_hex(5, "PPPCCP", q, 4);
899 tunnelsend(b, (q - b) + 4 , t);
900 }
901