ad84be4caa8e8fd98f4eb7a5ea9449bec98ff99e
[l2tpns.git] / ppp.c
1 // L2TPNS PPP Stuff
2
3 char const *cvs_id_ppp = "$Id: ppp.c,v 1.32 2004-11-28 20:10:04 bodea Exp $";
4
5 #include <stdio.h>
6 #include <string.h>
7 #include <unistd.h>
8 #include <errno.h>
9 #include <stdlib.h>
10 #include "l2tpns.h"
11 #include "constants.h"
12 #include "plugin.h"
13 #include "util.h"
14 #include "tbf.h"
15 #include "cluster.h"
16
17 extern tunnelt *tunnel;
18 extern sessiont *session;
19 extern radiust *radius;
20 extern int tunfd;
21 extern char hostname[];
22 extern u32 eth_tx;
23 extern time_t time_now;
24 extern configt *config;
25
26 static void initccp(tunnelidt t, sessionidt s);
27
28 // Process PAP messages
29 void processpap(tunnelidt t, sessionidt s, u8 *p, u16 l)
30 {
31 char user[129];
32 char pass[129];
33 u16 hl;
34
35 CSTAT(call_processpap);
36
37 LOG_HEX(5, "PAP", p, l);
38 if (l < 4)
39 {
40 LOG(1, 0, s, t, "Short PAP %u bytes\n", l);
41 STAT(tunnel_rx_errors);
42 return ;
43 }
44
45 if ((hl = ntohs(*(u16 *) (p + 2))) > l)
46 {
47 LOG(1, 0, s, t, "Length mismatch PAP %u/%u\n", hl, l);
48 STAT(tunnel_rx_errors);
49 return ;
50 }
51 l = hl;
52
53 if (*p != 1)
54 {
55 LOG(1, 0, s, t, "Unexpected PAP code %d\n", *p);
56 STAT(tunnel_rx_errors);
57 return ;
58 }
59
60 {
61 u8 *b = p;
62 b += 4;
63 if (*b && *b < sizeof(user))
64 memcpy(user, b + 1, *b);
65 user[*b] = 0;
66 b += 1 + *b;
67 if (*b && *b < sizeof(pass))
68 memcpy(pass, b + 1, *b);
69 pass[*b] = 0;
70 LOG(3, 0, s, t, "PAP login %s/%s\n", user, pass);
71 }
72 if (session[s].ip || !session[s].radius)
73 {
74 // respond now, either no RADIUS available or already authenticated
75 u8 b[MAXCONTROL];
76 u8 id = p[1];
77 u8 *p = makeppp(b, sizeof(b), 0, 0, t, s, PPPPAP);
78 if (!p) return;
79
80 if (session[s].ip)
81 *p = 2; // ACK
82 else
83 *p = 3; // cant authorise
84 p[1] = id;
85 *(u16 *) (p + 2) = htons(5); // length
86 p[4] = 0; // no message
87 if (session[s].ip)
88 {
89 LOG(3, session[s].ip, s, t, "Already an IP allocated: %s (%d)\n", inet_toa(htonl(session[s].ip)), session[s].ip_pool_index);
90 session[s].flags &= ~SF_IPCP_ACKED;
91 }
92 else
93 {
94 LOG(1, 0, s, t, "No radius session available to authenticate session...\n");
95 }
96 LOG(3, 0, s, t, "Fallback response to PAP (%s)\n", (session[s].ip) ? "ACK" : "NAK");
97 tunnelsend(b, 5 + (p - b), t); // send it
98 }
99 else
100 {
101 // set up RADIUS request
102 u16 r = session[s].radius;
103
104 // Run PRE_AUTH plugins
105 struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
106 run_plugins(PLUGIN_PRE_AUTH, &packet);
107 if (!packet.continue_auth)
108 {
109 LOG(3, 0, s, t, "A plugin rejected PRE_AUTH\n");
110 if (packet.username) free(packet.username);
111 if (packet.password) free(packet.password);
112 return;
113 }
114
115 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
116 strncpy(radius[r].pass, packet.password, sizeof(radius[r].pass) - 1);
117
118 free(packet.username);
119 free(packet.password);
120
121 radius[r].id = p[1];
122 LOG(3, 0, s, t, "Sending login for %s/%s to radius\n", user, pass);
123 radiussend(r, RADIUSAUTH);
124 }
125 }
126
127 // Process CHAP messages
128 void processchap(tunnelidt t, sessionidt s, u8 *p, u16 l)
129 {
130 u16 r;
131 u16 hl;
132
133 CSTAT(call_processchap);
134
135 LOG_HEX(5, "CHAP", p, l);
136 r = session[s].radius;
137 if (!r)
138 {
139 LOG(1, 0, s, t, "Unexpected CHAP message\n");
140
141 // FIXME: Need to drop the session here.
142
143 STAT(tunnel_rx_errors);
144 return;
145 }
146
147 if (l < 4)
148 {
149 LOG(1, 0, s, t, "Short CHAP %u bytes\n", l);
150 STAT(tunnel_rx_errors);
151 return ;
152 }
153
154 if ((hl = ntohs(*(u16 *) (p + 2))) > l)
155 {
156 LOG(1, 0, s, t, "Length mismatch CHAP %u/%u\n", hl, l);
157 STAT(tunnel_rx_errors);
158 return ;
159 }
160 l = hl;
161
162 if (*p != 2)
163 {
164 LOG(1, 0, s, t, "Unexpected CHAP response code %d\n", *p);
165 STAT(tunnel_rx_errors);
166 return;
167 }
168 if (p[1] != radius[r].id)
169 {
170 LOG(1, 0, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
171 STAT(tunnel_rx_errors);
172 return ;
173 }
174
175 if (l < 5 || p[4] != 16)
176 {
177 LOG(1, 0, s, t, "Bad CHAP response length %d\n", l < 5 ? -1 : p[4]);
178 STAT(tunnel_rx_errors);
179 return ;
180 }
181
182 l -= 5;
183 p += 5;
184 if (l < 16 || l - 16 >= sizeof(session[s].user))
185 {
186 LOG(1, 0, s, t, "CHAP user too long %d\n", l - 16);
187 STAT(tunnel_rx_errors);
188 return ;
189 }
190
191 // Run PRE_AUTH plugins
192 {
193 struct param_pre_auth packet = { &tunnel[t], &session[s], NULL, NULL, PPPCHAP, 1 };
194
195 packet.password = calloc(17, 1);
196 memcpy(packet.password, p, 16);
197
198 p += 16;
199 l -= 16;
200
201 packet.username = calloc(l + 1, 1);
202 memcpy(packet.username, p, l);
203
204 run_plugins(PLUGIN_PRE_AUTH, &packet);
205 if (!packet.continue_auth)
206 {
207 LOG(3, 0, s, t, "A plugin rejected PRE_AUTH\n");
208 if (packet.username) free(packet.username);
209 if (packet.password) free(packet.password);
210 return;
211 }
212
213 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
214 memcpy(radius[r].pass, packet.password, 16);
215
216 free(packet.username);
217 free(packet.password);
218 }
219
220 radius[r].chap = 1;
221 LOG(3, 0, s, t, "CHAP login %s\n", session[s].user);
222 radiussend(r, RADIUSAUTH);
223 }
224
225 static char *ppp_lcp_types[] = {
226 NULL,
227 "ConfigReq",
228 "ConfigAck",
229 "ConfigNak",
230 "ConfigRej",
231 "TerminateReq",
232 "TerminateAck",
233 "CodeRej",
234 "ProtocolRej",
235 "EchoReq",
236 "EchoReply",
237 "DiscardRequest",
238 "IdentRequest",
239 };
240
241 static void dumplcp(u8 *p, int l)
242 {
243 int x = l - 4;
244 u8 *o = (p + 4);
245
246 LOG_HEX(5, "PPP LCP Packet", p, l);
247 LOG(4, 0, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_types[(int)*p], ntohs( ((u16 *) p)[1]) );
248 LOG(4, 0, 0, 0, "Length: %d\n", l);
249 if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
250 return;
251
252 while (x > 2)
253 {
254 int type = o[0];
255 int length = o[1];
256 if (length < 2)
257 {
258 LOG(4, 0, 0, 0, " Option length is %d...\n", length);
259 break;
260 }
261 if (type == 0)
262 {
263 LOG(4, 0, 0, 0, " Option type is 0...\n");
264 x -= length;
265 o += length;
266 continue;
267 }
268 switch (type)
269 {
270 case 1: // Maximum-Receive-Unit
271 if (length == 4)
272 LOG(4, 0, 0, 0, " %s %d\n", lcp_types[type], ntohs(*(u16 *)(o + 2)));
273 else
274 LOG(4, 0, 0, 0, " %s odd length %d\n", lcp_types[type], length);
275 break;
276 case 2: // Async-Control-Character-Map
277 if (length == 6)
278 {
279 u32 asyncmap = ntohl(*(u32 *)(o + 2));
280 LOG(4, 0, 0, 0, " %s %x\n", lcp_types[type], asyncmap);
281 }
282 else
283 LOG(4, 0, 0, 0, " %s odd length %d\n", lcp_types[type], length);
284 break;
285 case 3: // Authentication-Protocol
286 if (length == 4)
287 {
288 int proto = ntohs(*(u16 *)(o + 2));
289 LOG(4, 0, 0, 0, " %s 0x%x (%s)\n", lcp_types[type], proto,
290 proto == PPPCHAP ? "CHAP" :
291 proto == PPPPAP ? "PAP" : "UNKNOWN");
292 }
293 else
294 LOG(4, 0, 0, 0, " %s odd length %d\n", lcp_types[type], length);
295 break;
296 case 4: // Quality-Protocol
297 {
298 u32 qp = ntohl(*(u32 *)(o + 2));
299 LOG(4, 0, 0, 0, " %s %x\n", lcp_types[type], qp);
300 }
301 break;
302 case 5: // Magic-Number
303 if (length == 6)
304 {
305 u32 magicno = ntohl(*(u32 *)(o + 2));
306 LOG(4, 0, 0, 0, " %s %x\n", lcp_types[type], magicno);
307 }
308 else
309 LOG(4, 0, 0, 0, " %s odd length %d\n", lcp_types[type], length);
310 break;
311 case 7: // Protocol-Field-Compression
312 case 8: // Address-And-Control-Field-Compression
313 LOG(4, 0, 0, 0, " %s\n", lcp_types[type]);
314 break;
315 default:
316 LOG(2, 0, 0, 0, " Unknown PPP LCP Option type %d\n", type);
317 break;
318 }
319 x -= length;
320 o += length;
321 }
322 }
323
324 // Process LCP messages
325 void processlcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
326 {
327 u8 b[MAXCONTROL];
328 u8 *q = NULL;
329 u32 magicno = 0;
330 u16 hl;
331
332 CSTAT(call_processlcp);
333
334 LOG_HEX(5, "LCP", p, l);
335 if (l < 4)
336 {
337 LOG(1, session[s].ip, s, t, "Short LCP %d bytes\n", l);
338 STAT(tunnel_rx_errors);
339 return ;
340 }
341
342 if ((hl = ntohs(*(u16 *) (p + 2))) > l)
343 {
344 LOG(1, 0, s, t, "Length mismatch LCP %u/%u\n", hl, l);
345 STAT(tunnel_rx_errors);
346 return ;
347 }
348 l = hl;
349
350 if (*p == ConfigAck)
351 {
352 LOG(3, session[s].ip, s, t, "LCP: Discarding ConfigAck\n");
353 session[s].flags |= SF_LCP_ACKED;
354 }
355 else if (*p == ConfigReq)
356 {
357 int x = l - 4;
358 u8 *o = (p + 4);
359 u8 response = 0;
360
361 LOG(3, session[s].ip, s, t, "LCP: ConfigReq (%d bytes)...\n", l);
362 if (config->debug > 3) dumplcp(p, l);
363
364 while (x > 2)
365 {
366 int type = o[0];
367 int length = o[1];
368 if (length == 0 || type == 0 || x < length) break;
369 switch (type)
370 {
371 case 1: // Maximum-Receive-Unit
372 session[s].mru = ntohs(*(u16 *)(o + 2));
373 break;
374
375 case 2: // Async-Control-Character-Map
376 if (!ntohl(*(u32 *)(o + 2))) // all bits zero is OK
377 break;
378
379 if (response && response != ConfigNak) // rej already queued
380 break;
381
382 LOG(2, session[s].ip, s, t, " Remote requesting asyncmap. Rejecting.\n");
383 if (!response)
384 {
385 q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP);
386 if (!q) break;
387 response = *q++ = ConfigNak;
388 }
389
390 if ((q - b + 11) > sizeof(b))
391 {
392 LOG(2, session[s].ip, s, t, "LCP overflow for asyncmap ConfigNak.\n");
393 break;
394 }
395
396 *q++ = type;
397 *q++ = 6;
398 memset(q, 0, 4); // asyncmap 0
399 q += 4;
400 break;
401
402 case 3: // Authentication-Protocol
403 {
404 int proto = ntohs(*(u16 *)(o + 2));
405 char proto_name[] = "0x0000";
406 if (proto == PPPPAP)
407 break;
408
409 if (response && response != ConfigNak) // rej already queued
410 break;
411
412 if (proto == PPPCHAP)
413 strcpy(proto_name, "CHAP");
414 else
415 sprintf(proto_name, "%#4.4x", proto);
416
417 LOG(2, session[s].ip, s, t, " Remote requesting %s authentication. Rejecting.\n", proto_name);
418
419 if (!response)
420 {
421 q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP);
422 if (!q) break;
423 response = *q++ = ConfigNak;
424 }
425
426 if ((q - b + length) > sizeof(b))
427 {
428 LOG(2, session[s].ip, s, t, "LCP overflow for %s ConfigNak.\n", proto_name);
429 break;
430 }
431
432 memcpy(q, o, length);
433 *(u16 *)(q += 2) = htons(PPPPAP); // NAK -> Use PAP instead
434 q += length;
435 }
436 break;
437
438 case 5: // Magic-Number
439 magicno = ntohl(*(u32 *)(o + 2));
440 break;
441
442 case 4: // Quality-Protocol
443 case 7: // Protocol-Field-Compression
444 case 8: // Address-And-Control-Field-Compression
445 break;
446
447 default: // Reject any unknown options
448 LOG(2, session[s].ip, s, t, " Rejecting PPP LCP Option type %d\n", type);
449 if (!response || response != ConfigRej) // drop nak in favour of rej
450 {
451 q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP);
452 if (!q) return;
453 response = *q++ = ConfigRej;
454 }
455
456 if ((q - b + length) > sizeof(b))
457 {
458 LOG(2, session[s].ip, s, t, "LCP overflow for ConfigRej (type=%d).\n", type);
459 break;
460 }
461
462 memcpy(q, o, length);
463 q += length;
464 }
465 x -= length;
466 o += length;
467 }
468
469 if (!response)
470 {
471 // Send back a ConfigAck
472 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
473 if (!q) return;
474 response = *q = ConfigAck;
475 }
476
477 LOG(3, session[s].ip, s, t, "Sending %s\n", ppp_lcp_types[response]);
478 tunnelsend(b, l + (q - b), t);
479
480 if (!(session[s].flags & SF_LCP_ACKED))
481 initlcp(t, s);
482 }
483 else if (*p == ConfigNak)
484 {
485 LOG(1, session[s].ip, s, t, "Remote end sent a ConfigNak. Ignoring\n");
486 if (config->debug > 3) dumplcp(p, l);
487 return ;
488 }
489 else if (*p == TerminateReq)
490 {
491 LOG(3, session[s].ip, s, t, "LCP: Received TerminateReq. Sending TerminateAck\n");
492 *p = TerminateAck; // close
493 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
494 if (!q) return;
495 tunnelsend(b, l + (q - b), t); // send it
496 sessionshutdown(s, "Remote end closed connection.");
497 }
498 else if (*p == TerminateAck)
499 {
500 sessionshutdown(s, "Connection closed.");
501 }
502 else if (*p == EchoReq)
503 {
504 LOG(5, session[s].ip, s, t, "LCP: Received EchoReq. Sending EchoReply\n");
505 *p = EchoReply; // reply
506 *(u32 *) (p + 4) = htonl(session[s].magic); // our magic number
507 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
508 if (!q) return;
509 tunnelsend(b, l + (q - b), t); // send it
510 }
511 else if (*p == EchoReply)
512 {
513 // Ignore it, last_packet time is set earlier than this.
514 }
515 else if (*p == IdentRequest)
516 {
517 *p = CodeRej;
518 if (l > MAXCONTROL)
519 {
520 LOG(1, 0, s, t, "Truncated Ident Packet (length=%d) to 1400 bytes\n", l);
521 l = 1400;
522 }
523 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
524 if (!q) return;
525 LOG_HEX(5, "LCPIdentRej", q, l + 4);
526 tunnelsend(b, 12 + 4 + l, t);
527 }
528 else
529 {
530 LOG(1, session[s].ip, s, t, "Unexpected LCP code %d\n", *p);
531 STAT(tunnel_rx_errors);
532 return ;
533 }
534 }
535
536 // find a PPP option, returns point to option, or 0 if not found
537 static u8 *findppp(u8 *b, u8 mtype)
538 {
539 u16 l = ntohs(*(u16 *) (b + 2));
540 if (l < 4)
541 return 0;
542 b += 4;
543 l -= 4;
544 while (l)
545 {
546 if (l < b[1] || !b[1])
547 return 0; // faulty
548 if (*b == mtype)
549 return b;
550 l -= b[1];
551 b += b[1];
552 }
553 return 0;
554 }
555
556 // Process IPCP messages
557 void processipcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
558 {
559 u16 hl;
560
561 CSTAT(call_processipcp);
562
563 LOG_HEX(5, "IPCP", p, l);
564 if (l < 5)
565 {
566 LOG(1, 0, s, t, "Short IPCP %d bytes\n", l);
567 STAT(tunnel_rx_errors);
568 return ;
569 }
570
571 if ((hl = ntohs(*(u16 *) (p + 2))) > l)
572 {
573 LOG(1, 0, s, t, "Length mismatch IPCP %u/%u\n", hl, l);
574 STAT(tunnel_rx_errors);
575 return ;
576 }
577 l = hl;
578
579 if (*p == ConfigAck)
580 {
581 // happy with our IPCP
582 u16 r = session[s].radius;
583 if ((!r || radius[r].state == RADIUSIPCP) && !session[s].walled_garden)
584 {
585 if (!r)
586 r = radiusnew(s);
587 if (r)
588 radiussend(r, RADIUSSTART); // send radius start, having got IPCP at last
589 }
590 session[s].flags |= SF_IPCP_ACKED;
591
592 LOG(3, session[s].ip, s, t, "IPCP Acked, session is now active\n");
593
594 // clear LCP_ACKED/CCP_ACKED flag for possible fast renegotiaion for routers
595 session[s].flags &= ~(SF_LCP_ACKED|SF_CCP_ACKED);
596
597 return;
598 }
599 if (*p != ConfigReq)
600 {
601 LOG(1, 0, s, t, "Unexpected IPCP code %d\n", *p);
602 STAT(tunnel_rx_errors);
603 return ;
604 }
605 LOG(4, session[s].ip, s, t, "IPCP ConfigReq received\n");
606
607 if (!session[s].ip)
608 {
609 LOG(3, 0, s, t, "Waiting on radius reply\n");
610 return; // have to wait on RADIUS reply
611 }
612 // form a config reply quoting the IP in the session
613 {
614 u8 b[MAXCONTROL];
615 u8 *i,
616 *q;
617
618 q = p + 4;
619 i = p + l;
620 while (q < i && q[1])
621 {
622 if (*q != 0x81 && *q != 0x83 && *q != 3)
623 break;
624 q += q[1];
625 }
626 if (q < i)
627 {
628 // reject
629 u16 n = 4;
630 i = p + l;
631 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
632 return;
633
634 *q = ConfigRej;
635 p += 4;
636 while (p < i && p[1])
637 {
638 if (*p != 0x81 && *p != 0x83 && *p != 3)
639 {
640 LOG(2, 0, s, t, "IPCP reject %d\n", *p);
641 memcpy(q + n, p, p[1]);
642 n += p[1];
643 }
644 p += p[1];
645 }
646 *(u16 *) (q + 2) = htons(n);
647 LOG(4, session[s].ip, s, t, "Sending ConfigRej\n");
648 tunnelsend(b, n + (q - b), t); // send it
649 }
650 else
651 {
652 LOG(4, session[s].ip, s, t, "Sending ConfigAck\n");
653 *p = ConfigAck;
654 if ((i = findppp(p, 0x81))) // Primary DNS address
655 {
656 if (*(u32 *) (i + 2) != htonl(session[s].dns1))
657 {
658 *(u32 *) (i + 2) = htonl(session[s].dns1);
659 *p = ConfigNak;
660 LOG(5, session[s].ip, s, t, " DNS1 = %s\n", inet_toa(session[s].dns1));
661 }
662 }
663 if ((i = findppp(p, 0x83))) // Secondary DNS address (TBA, is it)
664 {
665 if (*(u32 *) (i + 2) != htonl(session[s].dns2))
666 {
667 *(u32 *) (i + 2) = htonl(session[s].dns2);
668 *p = ConfigNak;
669 LOG(5, session[s].ip, s, t, " DNS2 = %s\n", inet_toa(session[s].dns2));
670 }
671 }
672 i = findppp(p, 3); // IP address
673 if (!i || i[1] != 6)
674 {
675 LOG(1, 0, s, t, "No IP in IPCP request\n");
676 STAT(tunnel_rx_errors);
677 return ;
678 }
679 if (*(u32 *) (i + 2) != htonl(session[s].ip))
680 {
681 *(u32 *) (i + 2) = htonl(session[s].ip);
682 *p = ConfigNak;
683 LOG(4, session[s].ip, s, t, " No, a ConfigNak, client is requesting IP - sending %s\n",
684 inet_toa(htonl(session[s].ip)));
685 }
686 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
687 return;
688
689 tunnelsend(b, l + (q - b), t); // send it
690 }
691 }
692 }
693
694 // process IP packet received
695 //
696 // This MUST be called with at least 4 byte behind 'p'.
697 // (i.e. this routine writes to p[-4]).
698 void processipin(tunnelidt t, sessionidt s, u8 *p, u16 l)
699 {
700 ipt ip;
701
702 CSTAT(call_processipin);
703
704 LOG_HEX(5, "IP", p, l);
705
706 ip = ntohl(*(u32 *)(p + 12));
707
708 if (l > MAXETHER)
709 {
710 LOG(1, ip, s, t, "IP packet too long %d\n", l);
711 STAT(tunnel_rx_errors);
712 return ;
713 }
714
715 // no spoof (do sessionbyip to handled statically routed subnets)
716 if (ip != session[s].ip && sessionbyip(htonl(ip)) != s)
717 {
718 LOG(5, ip, s, t, "Dropping packet with spoofed IP %s\n", inet_toa(htonl(ip)));
719 return;
720 }
721
722 // run access-list if any
723 if (session[s].filter_in && !ip_filter(p, l, session[s].filter_in - 1))
724 return;
725
726 // Add on the tun header
727 p -= 4;
728 *(u32 *)p = htonl(0x00000800);
729 l += 4;
730
731 if (session[s].tbf_in && !config->cluster_iam_master) { // Are we throttled and a slave?
732 master_throttle_packet(session[s].tbf_in, p, l); // Pass it to the master for handling.
733 return;
734 }
735
736 if (session[s].tbf_in && config->cluster_iam_master) { // Are we throttled and a master?? actually handle the throttled packets.
737 tbf_queue_packet(session[s].tbf_in, p, l);
738 return;
739 }
740
741 // send to ethernet
742 if (tun_write(p, l) < 0)
743 {
744 STAT(tun_tx_errors);
745 LOG(0, 0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
746 l, strerror(errno), tunfd, p);
747
748 return;
749 }
750
751 if (session[s].snoop_ip && session[s].snoop_port)
752 {
753 // Snooping this session
754 snoop_send_packet(p + 4, l - 4, session[s].snoop_ip, session[s].snoop_port);
755 }
756
757 session[s].cin += l - 4;
758 session[s].total_cin += l - 4;
759 sess_count[s].cin += l - 4;
760
761 session[s].pin++;
762 eth_tx += l - 4;
763
764 STAT(tun_tx_packets);
765 INC_STAT(tun_tx_bytes, l - 4);
766 }
767
768 //
769 // Helper routine for the TBF filters.
770 // Used to send queued data in from the user.
771 //
772 void send_ipin(sessionidt s, u8 *buf, int len)
773 {
774 LOG_HEX(5, "IP in throttled", buf, len);
775
776 if (write(tunfd, buf, len) < 0)
777 {
778 STAT(tun_tx_errors);
779 LOG(0, 0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
780 len, strerror(errno), tunfd, buf);
781
782 return;
783 }
784
785 if (session[s].snoop_ip && session[s].snoop_port)
786 {
787 // Snooping this session
788 snoop_send_packet(buf + 4, len - 4, session[s].snoop_ip, session[s].snoop_port);
789 }
790
791 // Increment packet counters
792 session[s].cin += len - 4;
793 session[s].total_cin += len - 4;
794 sess_count[s].cin += len - 4;
795
796 session[s].pin++;
797 eth_tx += len - 4;
798
799 STAT(tun_tx_packets);
800 INC_STAT(tun_tx_bytes, len - 4);
801 }
802
803
804 // Process CCP messages
805 void processccp(tunnelidt t, sessionidt s, u8 *p, u16 l)
806 {
807 u8 b[MAXCONTROL];
808 u8 *q;
809
810 CSTAT(call_processccp);
811
812 LOG_HEX(5, "CCP", p, l);
813 switch (l > 1 ? *p : 0)
814 {
815 case ConfigAck:
816 session[s].flags |= SF_CCP_ACKED;
817 return;
818
819 case ConfigReq:
820 if (l < 6) // accept no compression
821 {
822 *p = ConfigAck;
823 break;
824 }
825
826 // compression requested--reject
827 *p = ConfigRej;
828
829 // send CCP request for no compression for our end if not negotiated
830 if (!(session[s].flags & SF_CCP_ACKED))
831 initccp(t, s);
832
833 break;
834
835 case TerminateReq:
836 *p = TerminateAck;
837 break;
838
839 default:
840 if (l > 1)
841 LOG(1, 0, s, t, "Unexpected CCP request code %d\n", *p);
842 else
843 LOG(1, 0, s, t, "Short CCP packet\n");
844
845 STAT(tunnel_rx_errors);
846 return;
847 }
848
849 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPCCP)))
850 return;
851
852 tunnelsend(b, l + (q - b), t); // send it
853 }
854
855 // send a CHAP PP packet
856 void sendchap(tunnelidt t, sessionidt s)
857 {
858 u8 b[MAXCONTROL];
859 u16 r = session[s].radius;
860 u8 *q;
861
862 CSTAT(call_sendchap);
863
864 if (!r)
865 {
866 LOG(1, 0, s, t, "No RADIUS to send challenge\n");
867 STAT(tunnel_tx_errors);
868 return ;
869 }
870 LOG(1, 0, s, t, "Send CHAP challenge\n");
871 {
872 // new challenge
873 int n;
874 for (n = 0; n < 15; n++)
875 radius[r].auth[n] = rand();
876 }
877 radius[r].chap = 1; // CHAP not PAP
878 radius[r].id++;
879 if (radius[r].state != RADIUSCHAP)
880 radius[r].try = 0;
881 radius[r].state = RADIUSCHAP;
882 radius[r].retry = backoff(radius[r].try++);
883 if (radius[r].try > 5)
884 {
885 sessionshutdown(s, "Timeout CHAP");
886 STAT(tunnel_tx_errors);
887 return ;
888 }
889 q = makeppp(b, sizeof(b), 0, 0, t, s, PPPCHAP);
890 if (!q) return;
891
892 *q = 1; // challenge
893 q[1] = radius[r].id; // ID
894 q[4] = 16; // length
895 memcpy(q + 5, radius[r].auth, 16); // challenge
896 strcpy(q + 21, hostname); // our name
897 *(u16 *) (q + 2) = htons(strlen(hostname) + 21); // length
898 tunnelsend(b, strlen(hostname) + 21 + (q - b), t); // send it
899 }
900
901 // fill in a L2TP message with a PPP frame,
902 // copies existing PPP message and changes magic number if seen
903 // returns start of PPP frame
904 u8 *makeppp(u8 *b, int size, u8 *p, int l, tunnelidt t, sessionidt s, u16 mtype)
905 {
906 if (size < 12) // Need more space than this!!
907 {
908 static int backtrace_count = 0;
909 LOG(0, session[s].ip, s, t, "makeppp buffer too small for L2TP header (size=%d)\n", size);
910 log_backtrace(backtrace_count, 5)
911 return NULL;
912 }
913
914 *(u16 *) (b + 0) = htons(0x0002); // L2TP with no options
915 *(u16 *) (b + 2) = htons(tunnel[t].far); // tunnel
916 *(u16 *) (b + 4) = htons(session[s].far); // session
917 b += 6;
918 if (mtype == PPPLCP || !(session[s].l2tp_flags & SESSIONACFC))
919 {
920 *(u16 *) b = htons(0xFF03); // HDLC header
921 b += 2;
922 }
923 if (mtype < 0x100 && session[s].l2tp_flags & SESSIONPFC)
924 *b++ = mtype;
925 else
926 {
927 *(u16 *) b = htons(mtype);
928 b += 2;
929 }
930
931 if (l + 12 > size)
932 {
933 static int backtrace_count = 0;
934 LOG(2, session[s].ip, s, t, "makeppp would overflow buffer (size=%d, header+payload=%d)\n", size, l + 12);
935 log_backtrace(backtrace_count, 5)
936 return NULL;
937 }
938
939 if (p && l)
940 memcpy(b, p, l);
941
942 return b;
943 }
944
945 // Send initial LCP ConfigReq for PAP, set magic no.
946 void initlcp(tunnelidt t, sessionidt s)
947 {
948 char b[500], *q;
949
950 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP)))
951 return;
952
953 LOG(4, 0, s, t, "Sending LCP ConfigReq for PAP\n");
954 *q = ConfigReq;
955 *(u8 *)(q + 1) = (time_now % 255) + 1; // ID
956 *(u16 *)(q + 2) = htons(14); // Length
957 *(u8 *)(q + 4) = 5;
958 *(u8 *)(q + 5) = 6;
959 *(u32 *)(q + 6) = htonl(session[s].magic);
960 *(u8 *)(q + 10) = 3;
961 *(u8 *)(q + 11) = 4;
962 *(u16 *)(q + 12) = htons(PPPPAP); // PAP
963
964 LOG_HEX(5, "PPPLCP", q, 14);
965 tunnelsend(b, (q - b) + 14, t);
966 }
967
968 // Send CCP request for no compression
969 static void initccp(tunnelidt t, sessionidt s)
970 {
971 char b[500], *q;
972
973 if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPCCP)))
974 return;
975
976 LOG(4, 0, s, t, "Sending CCP ConfigReq for no compression\n");
977 *q = ConfigReq;
978 *(u8 *)(q + 1) = (time_now % 255) + 1; // ID
979 *(u16 *)(q + 2) = htons(4); // Length
980
981 LOG_HEX(5, "PPPCCP", q, 4);
982 tunnelsend(b, (q - b) + 4 , t);
983 }