- Use 2 seperate u16 values for throttle rate in/out
[l2tpns.git] / ppp.c
1 // L2TPNS PPP Stuff
2
3 char const *cvs_id_ppp = "$Id: ppp.c,v 1.17 2004/10/29 04:01:53 bodea Exp $";
4
5 #include <stdio.h>
6 #include <string.h>
7 #include <unistd.h>
8 #include <errno.h>
9 #include <stdlib.h>
10 #include "l2tpns.h"
11 #include "constants.h"
12 #include "plugin.h"
13 #include "util.h"
14 #include "tbf.h"
15 #include "cluster.h"
16
17 extern tunnelt *tunnel;
18 extern sessiont *session;
19 extern radiust *radius;
20 extern int tunfd;
21 extern char hostname[];
22 extern u32 eth_tx;
23 extern time_t time_now;
24 extern struct configt *config;
25
26 void sendccp(tunnelidt t, sessionidt s);
27
28 // Process PAP messages
29 void processpap(tunnelidt t, sessionidt s, u8 * p, u16 l)
30 {
31 char user[129];
32 char pass[129];
33
34
35 CSTAT(call_processpap);
36
37 log_hex(5, "PAP", p, l);
38 if (l < 4)
39 {
40 log(1, 0, s, t, "Short PAP %u bytes\n", l);
41 STAT(tunnel_rx_errors);
42 return ;
43 }
44 if (*p != 1)
45 {
46 log(1, 0, s, t, "Unexpected PAP code %d\n", *p);
47 STAT(tunnel_rx_errors);
48 return ;
49 }
50 if (ntohs(*(u16 *) (p + 2)) > l)
51 {
52 log(1, 0, s, t, "Length mismatch PAP %d/%d\n", ntohs(*(u16 *) (p + 2)), l);
53 STAT(tunnel_rx_errors);
54 return ;
55 }
56 {
57 u8 *b = p;
58 b += 4;
59 if (*b && *b < sizeof(user))
60 memcpy(user, b + 1, *b);
61 user[*b] = 0;
62 b += 1 + *b;
63 if (*b && *b < sizeof(pass))
64 memcpy(pass, b + 1, *b);
65 pass[*b] = 0;
66 log(3, 0, s, t, "PAP login %s/%s\n", user, pass);
67 }
68 if (session[s].ip || !session[s].radius)
69 {
70 // respond now, either no RADIUS available or already authenticated
71 u8 b[MAXCONTROL];
72 u8 id = p[1];
73 u8 *p = makeppp(b, sizeof(b), 0, 0, t, s, PPPPAP);
74 if (!p) { // Failed to make ppp header!
75 log(1,0,0,0, "Failed to make PPP header in process pap!\n");
76 return;
77 }
78 if (session[s].ip)
79 *p = 2; // ACK
80 else
81 *p = 3; // cant authorise
82 p[1] = id;
83 *(u16 *) (p + 2) = htons(5); // length
84 p[4] = 0; // no message
85 if (session[s].ip)
86 {
87 log(3, session[s].ip, s, t, "%d Already an IP allocated: %s (%d)\n", getpid(), inet_toa(htonl(session[s].ip)), session[s].ip_pool_index);
88 session[s].flags &= ~SF_IPCP_ACKED;
89 }
90 else
91 {
92 log(1, 0, s, t, "No radius session available to authenticate session...\n");
93 }
94 log(3, 0, s, t, "Fallback response to PAP (%s)\n", (session[s].ip) ? "ACK" : "NAK");
95 tunnelsend(b, 5 + (p - b), t); // send it
96 }
97 else
98 {
99 // set up RADIUS request
100 u16 r = session[s].radius;
101
102 // Run PRE_AUTH plugins
103 struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
104 run_plugins(PLUGIN_PRE_AUTH, &packet);
105 if (!packet.continue_auth)
106 {
107 log(3, 0, s, t, "A plugin rejected PRE_AUTH\n");
108 if (packet.username) free(packet.username);
109 if (packet.password) free(packet.password);
110 return;
111 }
112
113 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
114 strncpy(radius[r].pass, packet.password, sizeof(radius[r].pass) - 1);
115
116 free(packet.username);
117 free(packet.password);
118
119 radius[r].id = p[1];
120 log(3, 0, s, t, "Sending login for %s/%s to radius\n", user, pass);
121 radiussend(r, RADIUSAUTH);
122 }
123 }
124
125 // Process CHAP messages
126 void processchap(tunnelidt t, sessionidt s, u8 * p, u16 l)
127 {
128 u16 r;
129 u16 len;
130
131
132 CSTAT(call_processchap);
133
134 log_hex(5, "CHAP", p, l);
135 r = session[s].radius;
136 if (!r)
137 {
138 log(1, 0, s, t, "Unexpected CHAP message\n");
139
140 // FIXME: Need to drop the session here.
141
142 STAT(tunnel_rx_errors);
143 return;
144 }
145 if (*p != 2)
146 {
147 log(1, 0, s, t, "Unexpected CHAP response code %d\n", *p);
148 STAT(tunnel_rx_errors);
149 return;
150 }
151 if (p[1] != radius[r].id)
152 {
153 log(1, 0, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
154 STAT(tunnel_rx_errors);
155 return ;
156 }
157 len = ntohs(*(u16 *) (p + 2));
158 if (len > l)
159 {
160 log(1, 0, s, t, "Bad CHAP length %d\n", len);
161 STAT(tunnel_rx_errors);
162 return ;
163 }
164 if (p[4] != 16)
165 {
166 log(1, 0, s, t, "Bad CHAP response length %d\n", p[4]);
167 STAT(tunnel_rx_errors);
168 return ;
169 }
170 if (len - 21 >= sizeof(session[s].user))
171 {
172 log(1, 0, s, t, "CHAP user too long %d\n", len - 21);
173 STAT(tunnel_rx_errors);
174 return ;
175 }
176
177 // Run PRE_AUTH plugins
178 {
179 struct param_pre_auth packet = { &tunnel[t], &session[s], NULL, NULL, PPPCHAP, 1 };
180
181 packet.username = calloc(len-20, 1);
182 packet.password = calloc(16, 1);
183 memcpy(packet.username, p + 21, len - 21);
184 memcpy(packet.password, p + 5, 16);
185
186 run_plugins(PLUGIN_PRE_AUTH, &packet);
187 if (!packet.continue_auth)
188 {
189 log(3, 0, s, t, "A plugin rejected PRE_AUTH\n");
190 if (packet.username) free(packet.username);
191 if (packet.password) free(packet.password);
192 return;
193 }
194
195 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
196 memcpy(radius[r].pass, packet.password, 16);
197
198 free(packet.username);
199 free(packet.password);
200 }
201
202 radius[r].chap = 1;
203 log(3, 0, s, t, "CHAP login %s\n", session[s].user);
204 radiussend(r, RADIUSAUTH);
205 }
206
207 char *ppp_lcp_types[] = {
208 NULL,
209 "ConfigReq",
210 "ConfigAck",
211 "ConfigNak",
212 "ConfigRej",
213 "TerminateReq",
214 "TerminateAck",
215 "CodeRej",
216 "ProtocolRej",
217 "EchoReq",
218 "EchoReply",
219 "DiscardRequest",
220 "IdentRequest",
221 };
222
223 void dumplcp(u8 *p, int l)
224 {
225 signed int x = l - 4;
226 u8 *o = (p + 4);
227
228 log_hex(5, "PPP LCP Packet", p, l);
229 log(4, 0, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_types[(int)*p], ntohs( ((u16 *) p)[1]) );
230 log(4, 0, 0, 0, "Length: %d\n", l);
231 if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
232 return;
233
234 while (x > 2)
235 {
236 int type = o[0];
237 int length = o[1];
238 if (length < 2)
239 {
240 log(4, 0, 0, 0, " Option length is %d...\n", length);
241 break;
242 }
243 if (type == 0)
244 {
245 log(4, 0, 0, 0, " Option type is 0...\n");
246 x -= length;
247 o += length;
248 continue;
249 }
250 switch (type)
251 {
252 case 1: // Maximum-Receive-Unit
253 if (length == 4)
254 log(4, 0, 0, 0, " %s %d\n", lcp_types[type], ntohs(*(u16 *)(o + 2)));
255 else
256 log(4, 0, 0, 0, " %s odd length %d\n", lcp_types[type], length);
257 break;
258 case 3: // Authentication-Protocol
259 {
260 if (length == 4)
261 {
262 int proto = ntohs(*(u16 *)(o + 2));
263 log(4, 0, 0, 0, " %s 0x%x (%s)\n", lcp_types[type], proto,
264 proto == 0xC223 ? "CHAP" :
265 proto == 0xC023 ? "PAP" : "UNKNOWN");
266 }
267 else
268 log(4, 0, 0, 0, " %s odd length %d\n", lcp_types[type], length);
269 break;
270 }
271 case 4: // Quality-Protocol
272 {
273 u32 qp = ntohl(*(u32 *)(o + 2));
274 log(4, 0, 0, 0, " %s %x\n", lcp_types[type], qp);
275 break;
276 }
277 case 5: // Magic-Number
278 {
279 if (length == 6)
280 {
281 u32 magicno = ntohl(*(u32 *)(o + 2));
282 log(4, 0, 0, 0, " %s %x\n", lcp_types[type], magicno);
283 }
284 else
285 log(4, 0, 0, 0, " %s odd length %d\n", lcp_types[type], length);
286 break;
287 }
288 case 7: // Protocol-Field-Compression
289 {
290 log(4, 0, 0, 0, " %s\n", lcp_types[type]);
291 break;
292 }
293 case 8: // Address-And-Control-Field-Compression
294 {
295 log(4, 0, 0, 0, " %s\n", lcp_types[type]);
296 break;
297 }
298 default:
299 log(2, 0, 0, 0, " Unknown PPP LCP Option type %d\n", type);
300 break;
301 }
302 x -= length;
303 o += length;
304 }
305 }
306
307 // Process LCP messages
308 void processlcp(tunnelidt t, sessionidt s, u8 * p, u16 l)
309 {
310 u8 b[MAXCONTROL];
311 u8 *q = NULL;
312 u32 magicno = 0;
313
314
315 CSTAT(call_processlcp);
316
317 log_hex(5, "LCP", p, l);
318 if (l < 4)
319 {
320 log(1, session[s].ip, s, t, "Short LCP %d bytes\n", l);
321 STAT(tunnel_rx_errors);
322 return ;
323 }
324 if (*p == ConfigAck)
325 {
326 log(3, session[s].ip, s, t, "LCP: Discarding ConfigAck\n");
327 session[s].flags |= SESSIONLCPACK;
328 }
329 else if (*p == ConfigReq)
330 {
331 l = ntohs(*(u16 *)(p + 2));
332 signed int x = l - 4;
333 u8 *o = (p + 4);
334
335 log(3, session[s].ip, s, t, "LCP: ConfigReq (%d bytes)...\n", l);
336 dumplcp(p, l);
337
338 while (x > 2)
339 {
340 int type = o[0];
341 int length = o[1];
342 if (length == 0 || type == 0) break;
343 switch (type)
344 {
345 case 1: // Maximum-Receive-Unit
346 session[s].mru = ntohs(*(u16 *)(o + 2));
347 break;
348 case 2: // asyncmap
349 log_hex(2, "PPP LCP Packet", p, l);
350 log(2, 0, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_types[(int)*p], ntohs( ((u16 *) p)[1]) );
351 break;
352 case 3: // Authentication-Protocol
353 {
354 int proto = ntohs(*(u16 *)(o + 2));
355 if (proto == 0xC223)
356 {
357 log(2, session[s].ip, s, t, " Remote end is trying to do CHAP. Rejecting it.\n");
358
359 if (!q)
360 {
361 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
362 if (!q) {
363 log(2, session[s].ip, s, t, " Failed to send packet.\n");
364 break;
365 }
366 *q++ = ConfigNak;
367 }
368 memcpy(q, o, length);
369 *(u16 *)(q += 2) = htons(0xC023); // NAK -> Use PAP instead
370 q += length;
371 }
372 break;
373 }
374 case 5: // Magic-Number
375 {
376 magicno = ntohl(*(u32 *)(o + 2));
377 break;
378 }
379 case 4: // Quality-Protocol
380 case 7: // Protocol-Field-Compression
381 case 8: // Address-And-Control-Field-Compression
382 break;
383 case 13: // CallBack option for LCP extention of win2000/routers L2TP client
384 case 17:
385 case 18:
386 {
387 // Reject LCP CallBack
388 log(2, session[s].ip, s, t, " PPP LCP Option type %d, len=%d\n", type, length);
389 memcpy(p + 4, o, length);
390 *(u16 *)(p + 2) = htons(length + 4);
391 *p = ConfigRej;
392 q = makeppp(b,sizeof(b), p, length + 4, t, s, PPPLCP);
393 tunnelsend(b, 12 + length + 4, t);
394 return;
395 }
396
397 default:
398 // Reject Unknown LCP Option to stop to send it again
399 log(2, session[s].ip, s, t, " Unknown PPP LCP Option type %d\n", type);
400 memcpy(p + 4, o, length);
401 *(u16 *)(p + 2) = htons(length + 4);
402 *p = ConfigRej;
403 q = makeppp(b,sizeof(b), p, length + 4, t, s, PPPLCP);
404 tunnelsend(b, 12 + length + 4, t);
405 return;
406 }
407 x -= length;
408 o += length;
409 }
410
411 if (!q)
412 {
413 // Send back a ConfigAck
414 log(3, session[s].ip, s, t, "ConfigReq accepted, sending as Ack\n");
415 // for win2k L2TP clients and LCP renegotiation of alive session
416 if (magicno || l == 4 || (session[s].mru && l == 8)) initlcp(t, s);
417 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
418 if (!q)
419 {
420 log(3, session[s].ip, s, t, " failed to create packet.\n");
421 return;
422 }
423 *q = ConfigAck;
424 tunnelsend(b, l + (q - b), t);
425 }
426 else
427 {
428 // Already built a ConfigNak... send it
429 log(3, session[s].ip, s, t, "Sending ConfigNak\n");
430 tunnelsend(b, l + (q - b), t);
431 }
432
433 if (!(session[s].flags & SESSIONLCPACK))
434 initlcp(t, s);
435 }
436 else if (*p == ConfigNak)
437 {
438 log(1, session[s].ip, s, t, "Remote end sent a ConfigNak. Ignoring\n");
439 dumplcp(p, l);
440 return ;
441 }
442 else if (*p == TerminateReq)
443 {
444 *p = TerminateAck; // close
445 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
446 if (!q) {
447 log(3, session[s].ip, s, t, "Failed to create PPP packet in processlcp.\n");
448 return;
449 }
450 log(3, session[s].ip, s, t, "LCP: Received TerminateReq. Sending TerminateAck\n");
451 sessionshutdown(s, "Remote end closed connection.");
452 tunnelsend(b, l + (q - b), t); // send it
453 }
454 else if (*p == TerminateAck)
455 {
456 sessionshutdown(s, "Connection closed.");
457 }
458 else if (*p == EchoReq)
459 {
460 *p = EchoReply; // reply
461 *(u32 *) (p + 4) = htonl(session[s].magic); // our magic number
462 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
463 if (!q) {
464 log(3, session[s].ip, s, t, " failed to send EchoReply.\n");
465 return;
466 }
467 log(5, session[s].ip, s, t, "LCP: Received EchoReq. Sending EchoReply\n");
468 tunnelsend(b, l + (q - b), t); // send it
469 }
470 else if (*p == EchoReply)
471 {
472 // Ignore it, last_packet time is set earlier than this.
473 }
474 else if (*p == IdentRequest)
475 {
476 *p = CodeRej;
477 if (l > MAXCONTROL)
478 {
479 log(1, 0, s, t, "Truncated Ident Packet (length=%d) to 1400 bytes\n", l);
480 l = 1400;
481 }
482 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
483 if (!q)
484 {
485 log(3, session[s].ip, s, t, "Failed to create IdentRej.\n");
486 return;
487 }
488 log_hex(5, "LCPIdentRej", q, l + 4);
489 tunnelsend(b, 12 + 4 + l, t);
490 }
491 else
492 {
493 log(1, session[s].ip, s, t, "Unexpected LCP code %d\n", *p);
494 STAT(tunnel_rx_errors);
495 return ;
496 }
497 }
498
499 // Process IPCP messages
500 void processipcp(tunnelidt t, sessionidt s, u8 * p, u16 l)
501 {
502
503 CSTAT(call_processipcp);
504
505 log_hex(5, "IPCP", p, l);
506 if (l < 5)
507 {
508 log(1, 0, s, t, "Short IPCP %d bytes\n", l);
509 STAT(tunnel_rx_errors);
510 return ;
511 }
512 if (*p == ConfigAck)
513 {
514 // happy with our IPCP
515 u16 r = session[s].radius;
516 if ((!r || radius[r].state == RADIUSIPCP) && !session[s].walled_garden)
517 {
518 if (!r)
519 r = radiusnew(s);
520 if (r)
521 radiussend(r, RADIUSSTART); // send radius start, having got IPCP at last
522 }
523 session[s].flags |= SF_IPCP_ACKED;
524
525 log(3, session[s].ip, s, t, "IPCP Acked, session is now active\n");
526 return;
527 }
528 if (*p != ConfigReq)
529 {
530 log(1, 0, s, t, "Unexpected IPCP code %d\n", *p);
531 STAT(tunnel_rx_errors);
532 return ;
533 }
534 log(4, session[s].ip, s, t, "IPCP ConfigReq received\n");
535 if (ntohs(*(u16 *) (p + 2)) > l)
536 {
537 log(1, 0, s, t, "Length mismatch IPCP %d/%d\n", ntohs(*(u16 *) (p + 2)), l);
538 STAT(tunnel_rx_errors);
539 return ;
540 }
541 if (!session[s].ip)
542 {
543 log(3, 0, s, t, "Waiting on radius reply\n");
544 return; // have to wait on RADIUS reply
545 }
546 // form a config reply quoting the IP in the session
547 {
548 u8 b[MAXCONTROL];
549 u8 *i,
550 *q;
551
552 l = ntohs(*(u16 *) (p + 2)); // We must use length from IPCP len field
553 q = p + 4;
554 i = p + l;
555 while (q < i && q[1])
556 {
557 if (*q != 0x81 && *q != 0x83 && *q != 3)
558 break;
559 q += q[1];
560 }
561 if (q < i)
562 {
563 // reject
564 u16 n = 4;
565 i = p + l;
566 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
567 {
568 log(2, 0, s, t, "Failed to send IPCP ConfigRej\n");
569 return;
570 }
571 *q = ConfigRej;
572 p += 4;
573 while (p < i && p[1])
574 {
575 if (*p != 0x81 && *p != 0x83 && *p != 3)
576 {
577 log(2, 0, s, t, "IPCP reject %d\n", *p);
578 memcpy(q + n, p, p[1]);
579 n += p[1];
580 }
581 p += p[1];
582 }
583 *(u16 *) (q + 2) = htons(n);
584 log(4, session[s].ip, s, t, "Sending ConfigRej\n");
585 tunnelsend(b, n + (q - b), t); // send it
586 }
587 else
588 {
589 log(4, session[s].ip, s, t, "Sending ConfigAck\n");
590 *p = ConfigAck;
591 if ((i = findppp(p, 0x81))) // Primary DNS address
592 {
593 if (*(u32 *) (i + 2) != htonl(session[s].dns1))
594 {
595 *(u32 *) (i + 2) = htonl(session[s].dns1);
596 *p = ConfigNak;
597 log(5, session[s].ip, s, t, " DNS1 = %s\n", inet_toa(session[s].dns1));
598 }
599 }
600 if ((i = findppp(p, 0x83))) // Secondary DNS address (TBA, is it)
601 {
602 if (*(u32 *) (i + 2) != htonl(session[s].dns2))
603 {
604 *(u32 *) (i + 2) = htonl(session[s].dns2);
605 *p = ConfigNak;
606 log(5, session[s].ip, s, t, " DNS2 = %s\n", inet_toa(session[s].dns1));
607 }
608 }
609 i = findppp(p, 3); // IP address
610 if (!i || i[1] != 6)
611 {
612 log(1, 0, s, t, "No IP in IPCP request\n");
613 STAT(tunnel_rx_errors);
614 return ;
615 }
616 if (*(u32 *) (i + 2) != htonl(session[s].ip))
617 {
618 *(u32 *) (i + 2) = htonl(session[s].ip);
619 *p = ConfigNak;
620 log(4, session[s].ip, s, t, " No, a ConfigNak, client is requesting IP - sending %s\n",
621 inet_toa(htonl(session[s].ip)));
622 }
623 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
624 {
625 log(2, 0, s, t, " Failed to send IPCP packet.\n");
626 return;
627 }
628 tunnelsend(b, l + (q - b), t); // send it
629 }
630 }
631 }
632
633 // process IP packet received
634 //
635 // This MUST be called with at least 4 byte behind 'p'.
636 // (i.e. this routine writes to p[-4]).
637 void processipin(tunnelidt t, sessionidt s, u8 * p, u16 l)
638 {
639 ipt ip;
640
641 CSTAT(call_processipin);
642
643 log_hex(5, "IP", p, l);
644
645 ip = ntohl(*(u32 *)(p + 12));
646
647 if (l > MAXETHER)
648 {
649 log(1, ip, s, t, "IP packet too long %d\n", l);
650 STAT(tunnel_rx_errors);
651 return ;
652 }
653
654 // no spoof (do sessionbyip to handled statically routed subnets)
655 if (ip != session[s].ip && sessionbyip(htonl(ip)) != s)
656 {
657 log(5, ip, s, t, "Dropping packet with spoofed IP %s\n", inet_toa(htonl(ip)));
658 return;
659 }
660
661 // Add on the tun header
662 p -= 4;
663 *(u32 *)p = htonl(0x00000800);
664 l += 4;
665
666 if (session[s].tbf_in && !config->cluster_iam_master) { // Are we throttled and a slave?
667 master_throttle_packet(session[s].tbf_in, p, l); // Pass it to the master for handling.
668 return;
669 }
670
671 session[s].cin += l - 4;
672 session[s].total_cin += l - 4;
673 sess_count[s].cin += l - 4;
674
675 session[s].pin++;
676 eth_tx += l - 4;
677
678 if (session[s].snoop_ip && session[s].snoop_port)
679 {
680 // Snooping this session
681 snoop_send_packet(p, l, session[s].snoop_ip, session[s].snoop_port);
682 }
683 STAT(tun_tx_packets);
684 INC_STAT(tun_tx_bytes, l);
685
686 if (session[s].tbf_in && config->cluster_iam_master) { // Are we throttled and a master?? actually handle the throttled packets.
687 tbf_queue_packet(session[s].tbf_in, p, l);
688 return;
689 }
690
691 // send to ethernet
692 if (tun_write(p, l) < 0)
693 {
694 STAT(tun_tx_errors);
695 log(0, 0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
696 l, strerror(errno), tunfd, p);
697 }
698
699 }
700
701 //
702 // Helper routine for the TBF filters.
703 // Used to send queued data in from the user.
704 //
705 void send_ipin(sessionidt s, u8 *buf, int len)
706 {
707 log_hex(5, "IP in throttled", buf, len);
708 if (write(tunfd, buf, len) < 0)
709 {
710 STAT(tun_tx_errors);
711 log(0, 0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
712 len, strerror(errno), tunfd, buf);
713 }
714
715 // Increment packet counters
716 session[s].cin += len - 4;
717 session[s].total_cin += len - 4;
718 sess_count[s].cin += len - 4;
719
720 session[s].pin++;
721 eth_tx += len - 4;
722 }
723
724
725 // Process LCP messages
726 void processccp(tunnelidt t, sessionidt s, u8 * p, u16 l)
727 {
728
729 CSTAT(call_processccp);
730
731 log_hex(5, "CCP", p, l);
732 if (l < 2 || (*p != ConfigReq && *p != TerminateReq))
733 {
734 log(1, 0, s, t, "Unexpected CCP request code %d\n", *p);
735 STAT(tunnel_rx_errors);
736 return ;
737 }
738 // reject
739 {
740 u8 b[MAXCONTROL];
741 u8 *q;
742 if (*p == ConfigReq)
743 {
744 if (l < 6)
745 {
746 *p = ConfigAck; // accept no compression
747 }
748 else
749 {
750 *p = ConfigRej; // reject
751 sendccp(t, s);
752 }
753 }
754 else
755 *p = TerminateAck; // close
756 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPCCP)))
757 {
758 log(1,0,0,0, "Failed to send CCP packet.\n");
759 return;
760 }
761 tunnelsend(b, l + (q - b), t); // send it
762 }
763 }
764
765 // send a CHAP PP packet
766 void sendchap(tunnelidt t, sessionidt s)
767 {
768 u8 b[MAXCONTROL];
769 u16 r = session[s].radius;
770 u8 *q;
771
772 CSTAT(call_sendchap);
773
774 if (!r)
775 {
776 log(1, 0, s, t, "No RADIUS to send challenge\n");
777 STAT(tunnel_tx_errors);
778 return ;
779 }
780 log(1, 0, s, t, "Send CHAP challenge\n");
781 {
782 // new challenge
783 int n;
784 for (n = 0; n < 15; n++)
785 radius[r].auth[n] = rand();
786 }
787 radius[r].chap = 1; // CHAP not PAP
788 radius[r].id++;
789 if (radius[r].state != RADIUSCHAP)
790 radius[r].try = 0;
791 radius[r].state = RADIUSCHAP;
792 radius[r].retry = backoff(radius[r].try++);
793 if (radius[r].try > 5)
794 {
795 sessionshutdown(s, "Timeout CHAP");
796 STAT(tunnel_tx_errors);
797 return ;
798 }
799 q = makeppp(b, sizeof(b), 0, 0, t, s, PPPCHAP);
800 if (!q) {
801 log(1, 0, s, t, "failed to send CHAP challenge.\n");
802 return;
803 }
804 *q = 1; // challenge
805 q[1] = radius[r].id; // ID
806 q[4] = 16; // length
807 memcpy(q + 5, radius[r].auth, 16); // challenge
808 strcpy(q + 21, hostname); // our name
809 *(u16 *) (q + 2) = htons(strlen(hostname) + 21); // length
810 tunnelsend(b, strlen(hostname) + 21 + (q - b), t); // send it
811 }
812
813 // fill in a L2TP message with a PPP frame,
814 // copies existing PPP message and changes magic number if seen
815 // returns start of PPP frame
816 u8 *makeppp(u8 * b, int size, u8 * p, int l, tunnelidt t, sessionidt s, u16 mtype)
817 {
818 if (size < 12)
819 return NULL; // Need more space than this!!
820
821 *(u16 *) (b + 0) = htons(0x0002); // L2TP with no options
822 *(u16 *) (b + 2) = htons(tunnel[t].far); // tunnel
823 *(u16 *) (b + 4) = htons(session[s].far); // session
824 b += 6;
825 if (mtype == PPPLCP || !(session[s].l2tp_flags & SESSIONACFC))
826 {
827 *(u16 *) b = htons(0xFF03); // HDLC header
828 b += 2;
829 }
830 if (mtype < 0x100 && session[s].l2tp_flags & SESSIONPFC)
831 *b++ = mtype;
832 else
833 {
834 *(u16 *) b = htons(mtype);
835 b += 2;
836 }
837
838 if (l + 12 > size) {
839 log(3,0,0,0, "Would have overflowed the buffer in makeppp: size %d, len %d.\n", size, l);
840 return NULL; // Run out of room to hold the packet!
841 }
842 if (p && l)
843 memcpy(b, p, l);
844 return b;
845 }
846
847 // find a PPP option, returns point to option, or 0 if not found
848 u8 *findppp(u8 * b, u8 mtype)
849 {
850 u16 l = ntohs(*(u16 *) (b + 2));
851 if (l < 4)
852 return 0;
853 b += 4;
854 l -= 4;
855 while (l)
856 {
857 if (l < b[1] || !b[1])
858 return 0; // faulty
859 if (*b == mtype)
860 return b;
861 l -= b[1];
862 b += b[1];
863 }
864 return 0;
865 }
866
867 // Send initial LCP ConfigReq
868 void initlcp(tunnelidt t, sessionidt s)
869 {
870 char b[500] = {0}, *q;
871
872 q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP);
873 if (!q) {
874 log(1, 0, s, t, "Failed to send LCP ConfigReq.\n");
875 return;
876 }
877 log(4, 0, s, t, "Sending LCP ConfigReq for PAP\n");
878 *q = ConfigReq;
879 *(u8 *)(q + 1) = (time_now % 255) + 1; // ID
880 *(u16 *)(q + 2) = htons(14); // Length
881 *(u8 *)(q + 4) = 5;
882 *(u8 *)(q + 5) = 6;
883 *(u32 *)(q + 6) = htonl(session[s].magic);
884 *(u8 *)(q + 10) = 3;
885 *(u8 *)(q + 11) = 4;
886 *(u16 *)(q + 12) = htons(0xC023); // PAP
887 tunnelsend(b, 12 + 14, t);
888 }
889
890 // Send CCP reply
891 void sendccp(tunnelidt t, sessionidt s)
892 {
893 char *q, b[500] = {0};
894
895 q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPCCP);
896 *q = ConfigReq;
897 *(u8 *)(q + 1) = (time_now % 255) + 1; // ID
898 *(u16 *)(q + 2) = htons(4); // Length
899 log_hex(5, "PPPCCP", q, 4);
900 tunnelsend(b, (q - b) + 4 , t);
901 }
902