e162f06a100b4c6a042850c5f25c1681edc726d1
[l2tpns.git] / ppp.c
1 // L2TPNS PPP Stuff
2
3 char const *cvs_id_ppp = "$Id: ppp.c,v 1.10 2004-08-02 05:40:21 fred_nerk Exp $";
4
5 #include <stdio.h>
6 #include <string.h>
7 #include <unistd.h>
8 #include <errno.h>
9 #include <stdlib.h>
10 #include "l2tpns.h"
11 #include "constants.h"
12 #include "plugin.h"
13 #include "util.h"
14 #include "tbf.h"
15 #include "cluster.h"
16
17 extern tunnelt *tunnel;
18 extern sessiont *session;
19 extern radiust *radius;
20 extern int tunfd;
21 extern char hostname[];
22 extern u32 eth_tx;
23 extern time_t time_now;
24 extern struct configt *config;
25
26 void sendccp(tunnelidt t, sessionidt s);
27
28 // Process PAP messages
29 void processpap(tunnelidt t, sessionidt s, u8 * p, u16 l)
30 {
31 char user[129];
32 char pass[129];
33
34
35 CSTAT(call_processpap);
36
37 log_hex(5, "PAP", p, l);
38 if (l < 4)
39 {
40 log(1, 0, s, t, "Short PAP %u bytes\n", l);
41 STAT(tunnel_rx_errors);
42 return ;
43 }
44 if (*p != 1)
45 {
46 log(1, 0, s, t, "Unexpected PAP code %d\n", *p);
47 STAT(tunnel_rx_errors);
48 return ;
49 }
50 if (ntohs(*(u16 *) (p + 2)) > l)
51 {
52 log(1, 0, s, t, "Length mismatch PAP %d/%d\n", ntohs(*(u16 *) (p + 2)), l);
53 STAT(tunnel_rx_errors);
54 return ;
55 }
56 {
57 u8 *b = p;
58 b += 4;
59 if (*b && *b < sizeof(user))
60 memcpy(user, b + 1, *b);
61 user[*b] = 0;
62 b += 1 + *b;
63 if (*b && *b < sizeof(pass))
64 memcpy(pass, b + 1, *b);
65 pass[*b] = 0;
66 log(3, 0, s, t, "PAP login %s/%s\n", user, pass);
67 }
68 if (session[s].ip || !session[s].radius)
69 {
70 // respond now, either no RADIUS available or already authenticated
71 u8 b[MAXCONTROL];
72 u8 id = p[1];
73 u8 *p = makeppp(b, sizeof(b), 0, 0, t, s, PPPPAP);
74 if (!p) { // Failed to make ppp header!
75 log(1,0,0,0, "Failed to make PPP header in process pap!\n");
76 return;
77 }
78 if (session[s].ip)
79 *p = 2; // ACK
80 else
81 *p = 3; // cant authorise
82 p[1] = id;
83 *(u16 *) (p + 2) = htons(5); // length
84 p[4] = 0; // no message
85 if (session[s].ip)
86 {
87 log(3, session[s].ip, s, t, "%d Already an IP allocated: %s (%d)\n", getpid(), inet_toa(htonl(session[s].ip)), session[s].ip_pool_index);
88 session[s].flags &= ~SF_IPCP_ACKED;
89 }
90 else
91 {
92 log(1, 0, s, t, "No radius session available to authenticate session...\n");
93 }
94 log(3, 0, s, t, "Fallback response to PAP (%s)\n", (session[s].ip) ? "ACK" : "NAK");
95 tunnelsend(b, 5 + (p - b), t); // send it
96 }
97 else
98 { // set up RADIUS request
99 u16 r = session[s].radius;
100
101 // Run PRE_AUTH plugins
102 struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
103 run_plugins(PLUGIN_PRE_AUTH, &packet);
104 if (!packet.continue_auth)
105 {
106 log(3, 0, s, t, "A plugin rejected PRE_AUTH\n");
107 if (packet.username) free(packet.username);
108 if (packet.password) free(packet.password);
109 return;
110 }
111
112 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
113 strncpy(radius[r].pass, packet.password, sizeof(radius[r].pass) - 1);
114
115 free(packet.username);
116 free(packet.password);
117
118 radius[r].id = p[1];
119 log(3, 0, s, t, "Sending login for %s/%s to radius\n", user, pass);
120 radiussend(r, RADIUSAUTH);
121 }
122 }
123
124 // Process CHAP messages
125 void processchap(tunnelidt t, sessionidt s, u8 * p, u16 l)
126 {
127 u16 r;
128 u16 len;
129
130
131 CSTAT(call_processchap);
132
133 log_hex(5, "CHAP", p, l);
134 r = session[s].radius;
135 if (!r)
136 {
137 log(1, 0, s, t, "Unexpected CHAP message\n");
138
139 // FIXME: Need to drop the session here.
140
141 STAT(tunnel_rx_errors);
142 return;
143 }
144 if (*p != 2)
145 {
146 log(1, 0, s, t, "Unexpected CHAP response code %d\n", *p);
147 STAT(tunnel_rx_errors);
148 return;
149 }
150 if (p[1] != radius[r].id)
151 {
152 log(1, 0, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
153 STAT(tunnel_rx_errors);
154 return ;
155 }
156 len = ntohs(*(u16 *) (p + 2));
157 if (len > l)
158 {
159 log(1, 0, s, t, "Bad CHAP length %d\n", len);
160 STAT(tunnel_rx_errors);
161 return ;
162 }
163 if (p[4] != 16)
164 {
165 log(1, 0, s, t, "Bad CHAP response length %d\n", p[4]);
166 STAT(tunnel_rx_errors);
167 return ;
168 }
169 if (len - 21 >= sizeof(session[s].user))
170 {
171 log(1, 0, s, t, "CHAP user too long %d\n", len - 21);
172 STAT(tunnel_rx_errors);
173 return ;
174 }
175
176 // Run PRE_AUTH plugins
177 {
178 struct param_pre_auth packet = { &tunnel[t], &session[s], NULL, NULL, PPPCHAP, 1 };
179
180 packet.username = calloc(len-20, 1);
181 packet.password = calloc(16, 1);
182 memcpy(packet.username, p + 21, len - 21);
183 memcpy(packet.password, p + 5, 16);
184
185 run_plugins(PLUGIN_PRE_AUTH, &packet);
186 if (!packet.continue_auth)
187 {
188 log(3, 0, s, t, "A plugin rejected PRE_AUTH\n");
189 if (packet.username) free(packet.username);
190 if (packet.password) free(packet.password);
191 return;
192 }
193
194 strncpy(session[s].user, packet.username, sizeof(session[s].user) - 1);
195 memcpy(radius[r].pass, packet.password, 16);
196
197 free(packet.username);
198 free(packet.password);
199 }
200
201 radius[r].chap = 1;
202 log(3, 0, s, t, "CHAP login %s\n", session[s].user);
203 radiussend(r, RADIUSAUTH);
204 }
205
206 char *ppp_lcp_types[] = {
207 NULL,
208 "ConfigReq",
209 "ConfigAck",
210 "ConfigNak",
211 "ConfigRej",
212 "TerminateReq",
213 "TerminateAck",
214 "CodeRej",
215 "ProtocolRej",
216 "EchoReq",
217 "EchoReply",
218 "DiscardRequest",
219 "IdentRequest",
220 };
221
222 void dumplcp(u8 *p, int l)
223 {
224 signed int x = l - 4;
225 u8 *o = (p + 4);
226
227 log_hex(5, "PPP LCP Packet", p, l);
228 log(4, 0, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_types[(int)*p], ntohs( ((u16 *) p)[1]) );
229 log(4, 0, 0, 0, "Length: %d\n", l);
230 if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
231 return;
232
233 while (x > 2)
234 {
235 int type = o[0];
236 int length = o[1];
237 if (length < 2)
238 {
239 log(4, 0, 0, 0, " Option length is %d...\n", length);
240 break;
241 }
242 if (type == 0)
243 {
244 log(4, 0, 0, 0, " Option type is 0...\n");
245 x -= length;
246 o += length;
247 continue;
248 }
249 switch (type)
250 {
251 case 1: // Maximum-Receive-Unit
252 if (length == 4)
253 log(4, 0, 0, 0, " %s %d\n", lcp_types[type], ntohs(*(u16 *)(o + 2)));
254 else
255 log(4, 0, 0, 0, " %s odd length %d\n", lcp_types[type], length);
256 break;
257 case 3: // Authentication-Protocol
258 {
259 if (length == 4)
260 {
261 int proto = ntohs(*(u16 *)(o + 2));
262 log(4, 0, 0, 0, " %s 0x%x (%s)\n", lcp_types[type], proto,
263 proto == 0xC223 ? "CHAP" :
264 proto == 0xC023 ? "PAP" : "UNKNOWN");
265 }
266 else
267 log(4, 0, 0, 0, " %s odd length %d\n", lcp_types[type], length);
268 break;
269 }
270 case 4: // Quality-Protocol
271 {
272 u32 qp = ntohl(*(u32 *)(o + 2));
273 log(4, 0, 0, 0, " %s %x\n", lcp_types[type], qp);
274 break;
275 }
276 case 5: // Magic-Number
277 {
278 if (length == 6)
279 {
280 u32 magicno = ntohl(*(u32 *)(o + 2));
281 log(4, 0, 0, 0, " %s %x\n", lcp_types[type], magicno);
282 }
283 else
284 log(4, 0, 0, 0, " %s odd length %d\n", lcp_types[type], length);
285 break;
286 }
287 case 7: // Protocol-Field-Compression
288 {
289 log(4, 0, 0, 0, " %s\n", lcp_types[type]);
290 break;
291 }
292 case 8: // Address-And-Control-Field-Compression
293 {
294 log(4, 0, 0, 0, " %s\n", lcp_types[type]);
295 break;
296 }
297 default:
298 log(2, 0, 0, 0, " Unknown PPP LCP Option type %d\n", type);
299 break;
300 }
301 x -= length;
302 o += length;
303 }
304 }
305
306 // Process LCP messages
307 void processlcp(tunnelidt t, sessionidt s, u8 * p, u16 l)
308 {
309 u8 b[MAXCONTROL];
310 u8 *q = NULL;
311 u32 magicno = 0;
312
313
314 CSTAT(call_processlcp);
315
316 log_hex(5, "LCP", p, l);
317 if (l < 4)
318 {
319 log(1, session[s].ip, s, t, "Short LCP %d bytes\n", l);
320 STAT(tunnel_rx_errors);
321 return ;
322 }
323 if (*p == ConfigAck)
324 {
325 log(3, session[s].ip, s, t, "LCP: Discarding ConfigAck\n");
326 session[s].flags |= SESSIONLCPACK;
327 }
328 else if (*p == ConfigReq)
329 {
330 signed int x = l - 4;
331 u8 *o = (p + 4);
332
333 log(3, session[s].ip, s, t, "LCP: ConfigReq (%d bytes)...\n", l);
334 dumplcp(p, l);
335
336 while (x > 2)
337 {
338 int type = o[0];
339 int length = o[1];
340 if (length == 0 || type == 0) break;
341 switch (type)
342 {
343 case 1: // Maximum-Receive-Unit
344 session[s].mru = ntohs(*(u16 *)(o + 2));
345 break;
346 case 2: // asyncmap
347 log_hex(2, "PPP LCP Packet", p, l);
348 log(2, 0, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_types[(int)*p], ntohs( ((u16 *) p)[1]) );
349 break;
350 case 3: // Authentication-Protocol
351 {
352 int proto = ntohs(*(u16 *)(o + 2));
353 if (proto == 0xC223)
354 {
355 log(2, session[s].ip, s, t, " Remote end is trying to do CHAP. Rejecting it.\n");
356
357 if (!q)
358 {
359 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
360 if (!q) {
361 log(2, session[s].ip, s, t, " Failed to send packet.\n");
362 break;
363 }
364 *q++ = ConfigNak;
365 }
366 memcpy(q, o, length);
367 *(u16 *)(q += 2) = htons(0xC023); // NAK -> Use PAP instead
368 q += length;
369 }
370 break;
371 }
372 case 5: // Magic-Number
373 {
374 magicno = ntohl(*(u32 *)(o + 2));
375 break;
376 }
377 case 4: // Quality-Protocol
378 case 7: // Protocol-Field-Compression
379 case 8: // Address-And-Control-Field-Compression
380 break;
381 case 13: // CallBack option for LCP extention of win2000/routers L2TP client
382 case 17:
383 case 18:
384 {
385 // Reject LCP CallBack
386 log(2, session[s].ip, s, t, " PPP LCP Option type %d, len=%d\n", type, length);
387 memcpy(p + 4, o, length);
388 *(u16 *)(p + 2) = htons(length + 4);
389 *p = ConfigRej;
390 q = makeppp(b,sizeof(b), p, length + 4, t, s, PPPLCP);
391 tunnelsend(b, 12 + length + 4, t);
392 return;
393 }
394
395 default:
396 // Reject Unknown LCP Option to stop to send it again
397 log(2, session[s].ip, s, t, " Unknown PPP LCP Option type %d\n", type);
398 memcpy(p + 4, o, length);
399 *(u16 *)(p + 2) = htons(length + 4);
400 *p = ConfigRej;
401 q = makeppp(b,sizeof(b), p, length + 4, t, s, PPPLCP);
402 tunnelsend(b, 12 + length + 4, t);
403 return;
404 }
405 x -= length;
406 o += length;
407 }
408
409 if (!q)
410 {
411 // Send back a ConfigAck
412 log(3, session[s].ip, s, t, "ConfigReq accepted, sending as Ack\n");
413 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
414 if (!q) {
415 log(3, session[s].ip, s, t, " failed to create packet.\n");
416 return;
417 }
418 *q = ConfigAck;
419 tunnelsend(b, l + (q - b), t);
420 // For win2k L2TP clients, LCP should be initiated by the LNS
421 if (magicno) initlcp(t, s);
422 }
423 else
424 {
425 // Already built a ConfigNak... send it
426 log(3, session[s].ip, s, t, "Sending ConfigNak\n");
427 tunnelsend(b, l + (q - b), t);
428 }
429
430 if (!(session[s].flags & SESSIONLCPACK))
431 initlcp(t, s);
432 }
433 else if (*p == ConfigNak)
434 {
435 log(1, session[s].ip, s, t, "Remote end sent a ConfigNak. Ignoring\n");
436 dumplcp(p, l);
437 return ;
438 }
439 else if (*p == TerminateReq)
440 {
441 *p = TerminateAck; // close
442 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
443 if (!q) {
444 log(3, session[s].ip, s, t, "Failed to create PPP packet in processlcp.\n");
445 return;
446 }
447 log(3, session[s].ip, s, t, "LCP: Received TerminateReq. Sending TerminateAck\n");
448 sessionshutdown(s, "Remote end closed connection.");
449 tunnelsend(b, l + (q - b), t); // send it
450 }
451 else if (*p == TerminateAck)
452 {
453 sessionshutdown(s, "Connection closed.");
454 }
455 else if (*p == EchoReq)
456 {
457 *p = EchoReply; // reply
458 *(u32 *) (p + 4) = htonl(session[s].magic); // our magic number
459 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
460 if (!q) {
461 log(3, session[s].ip, s, t, " failed to send EchoReply.\n");
462 return;
463 }
464 log(5, session[s].ip, s, t, "LCP: Received EchoReq. Sending EchoReply\n");
465 tunnelsend(b, l + (q - b), t); // send it
466 }
467 else if (*p == EchoReply)
468 {
469 // Ignore it, last_packet time is set earlier than this.
470 }
471 else if (*p == IdentRequest)
472 {
473 *p = CodeRej;
474 if (l > MAXCONTROL)
475 {
476 log(1, 0, s, t, "Truncated Ident Packet (length=%d) to 1400 bytes\n", l);
477 l = 1400;
478 }
479 q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
480 if (!q)
481 {
482 log(3, session[s].ip, s, t, "Failed to create IdentRej.\n");
483 return;
484 }
485 log_hex(5, "LCPIdentRej", q, l + 4);
486 tunnelsend(b, 12 + 4 + l, t);
487 }
488 else
489 {
490 log(1, session[s].ip, s, t, "Unexpected LCP code %d\n", *p);
491 STAT(tunnel_rx_errors);
492 return ;
493 }
494 }
495
496 // Process IPCP messages
497 void processipcp(tunnelidt t, sessionidt s, u8 * p, u16 l)
498 {
499
500 CSTAT(call_processipcp);
501
502 log_hex(5, "IPCP", p, l);
503 if (l < 5)
504 {
505 log(1, 0, s, t, "Short IPCP %d bytes\n", l);
506 STAT(tunnel_rx_errors);
507 return ;
508 }
509 if (*p == ConfigAck)
510 {
511 // happy with our IPCP
512 u16 r = session[s].radius;
513 if ((!r || radius[r].state == RADIUSIPCP) && !session[s].walled_garden) {
514 if (!r)
515 r = radiusnew(s);
516 if (r)
517 radiussend(r, RADIUSSTART); // send radius start, having got IPCP at last
518 }
519 session[s].flags |= SF_IPCP_ACKED;
520
521 log(3, session[s].ip, s, t, "IPCP Acked, session is now active\n");
522 return;
523 }
524 if (*p != ConfigReq)
525 {
526 log(1, 0, s, t, "Unexpected IPCP code %d\n", *p);
527 STAT(tunnel_rx_errors);
528 return ;
529 }
530 log(4, session[s].ip, s, t, "IPCP ConfigReq received\n");
531 if (ntohs(*(u16 *) (p + 2)) > l)
532 {
533 log(1, 0, s, t, "Length mismatch IPCP %d/%d\n", ntohs(*(u16 *) (p + 2)), l);
534 STAT(tunnel_rx_errors);
535 return ;
536 }
537 if (!session[s].ip)
538 {
539 log(3, 0, s, t, "Waiting on radius reply\n");
540 return ; // have to wait on RADIUS reply
541 }
542 // form a config reply quoting the IP in the session
543 {
544 u8 b[MAXCONTROL];
545 u8 *i,
546 *q;
547
548 l = ntohs(*(u16 *) (p + 2)); // We must use length from IPCP len field
549 q = p + 4;
550 i = p + l;
551 while (q < i && q[1])
552 {
553 if (*q != 0x81 && *q != 0x83 && *q != 3)
554 break;
555 q += q[1];
556 }
557 if (q < i)
558 {
559 // reject
560 u16 n = 4;
561 i = p + l;
562 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
563 {
564 log(2, 0, s, t, "Failed to send IPCP ConfigRej\n");
565 return;
566 }
567 *q = ConfigRej;
568 p += 4;
569 while (p < i && p[1])
570 {
571 if (*p != 0x81 && *p != 0x83 && *p != 3)
572 {
573 log(2, 0, s, t, "IPCP reject %d\n", *p);
574 memcpy(q + n, p, p[1]);
575 n += p[1];
576 }
577 p += p[1];
578 }
579 *(u16 *) (q + 2) = htons(n);
580 log(4, session[s].ip, s, t, "Sending ConfigRej\n");
581 tunnelsend(b, n + (q - b), t); // send it
582 }
583 else
584 {
585 log(4, session[s].ip, s, t, "Sending ConfigAck\n");
586 *p = ConfigAck;
587 if ((i = findppp(p, 0x81))) // Primary DNS address
588 {
589 if (*(u32 *) (i + 2) != htonl(session[s].dns1))
590 {
591 *(u32 *) (i + 2) = htonl(session[s].dns1);
592 *p = ConfigNak;
593 log(5, session[s].ip, s, t, " DNS1 = %s\n", inet_toa(session[s].dns1));
594 }
595 }
596 if ((i = findppp(p, 0x83))) // Secondary DNS address (TBA, is it)
597 {
598 if (*(u32 *) (i + 2) != htonl(session[s].dns2))
599 {
600 *(u32 *) (i + 2) = htonl(session[s].dns2);
601 *p = ConfigNak;
602 log(5, session[s].ip, s, t, " DNS2 = %s\n", inet_toa(session[s].dns1));
603 }
604 }
605 i = findppp(p, 3); // IP address
606 if (!i || i[1] != 6)
607 {
608 log(1, 0, s, t, "No IP in IPCP request\n");
609 STAT(tunnel_rx_errors);
610 return ;
611 }
612 if (*(u32 *) (i + 2) != htonl(session[s].ip))
613 {
614 *(u32 *) (i + 2) = htonl(session[s].ip);
615 *p = ConfigNak;
616 log(4, session[s].ip, s, t, " No, a ConfigNak, client is requesting IP - sending %s\n",
617 inet_toa(session[s].ip));
618 }
619 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
620 {
621 log(2, 0, s, t, " Failed to send IPCP packet.\n");
622 return;
623 }
624 tunnelsend(b, l + (q - b), t); // send it
625 }
626 }
627 }
628
629 // process IP packet received
630 //
631 // This MUST be called with at least 4 byte behind 'p'.
632 // (i.e. this routine writes to p[-4]).
633 void processipin(tunnelidt t, sessionidt s, u8 * p, u16 l)
634 {
635 ipt ip;
636
637
638 CSTAT(call_processipin);
639
640 log_hex(5, "IP", p, l);
641
642 ip = ntohl(*(u32 *)(p + 12));
643
644 if (l > MAXETHER)
645 {
646 log(1, ip, s, t, "IP packet too long %d\n", l);
647 STAT(tunnel_rx_errors);
648 return ;
649 }
650
651 // no spoof (do sessionbyip to handled statically routed subnets)
652 if (ip != session[s].ip && sessionbyip(htonl(ip)) != s)
653 {
654 log(5, ip, s, t, "Dropping packet with spoofed IP %s\n", inet_toa(htonl(ip)));
655 return;
656 }
657
658 // Add on the tun header
659 p -= 4;
660 *(u32 *)p = htonl(0x00000800);
661 l += 4;
662
663 if (session[s].tbf_in && !config->cluster_iam_master) { // Are we throttled and a slave?
664 master_throttle_packet(session[s].tbf_in, p, l); // Pass it to the master for handling.
665 return;
666 }
667
668 session[s].cin += l - 4;
669 session[s].total_cin += l - 4;
670 sess_count[s].cin += l - 4;
671
672 session[s].pin++;
673 eth_tx += l - 4;
674
675 if (session[s].snoop_ip && session[s].snoop_port)
676 {
677 // Snooping this session, send it to ASIO
678 snoop_send_packet(p, l, session[s].snoop_ip, session[s].snoop_port);
679 }
680 STAT(tun_tx_packets);
681 INC_STAT(tun_tx_bytes, l);
682
683 if (session[s].tbf_in && config->cluster_iam_master) { // Are we throttled and a master?? actually handle the throttled packets.
684 tbf_queue_packet(session[s].tbf_in, p, l);
685 return;
686 }
687
688 // send to ethernet
689 if (tun_write(p, l) < 0)
690 {
691 STAT(tun_tx_errors);
692 log(0, 0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
693 l, strerror(errno), tunfd, p);
694 }
695
696 }
697
698 //
699 // Helper routine for the TBF filters.
700 // Used to send queued data in from the user.
701 //
702 void send_ipin(sessionidt s, u8 *buf, int len)
703 {
704 log_hex(5, "IP in throttled", buf, len);
705 if (write(tunfd, buf, len) < 0)
706 {
707 STAT(tun_tx_errors);
708 log(0, 0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
709 len, strerror(errno), tunfd, buf);
710 }
711
712 // Increment packet counters
713 session[s].cin += len - 4;
714 session[s].total_cin += len - 4;
715 sess_count[s].cin += len - 4;
716
717 session[s].pin++;
718 eth_tx += len - 4;
719 }
720
721
722 // Process LCP messages
723 void processccp(tunnelidt t, sessionidt s, u8 * p, u16 l)
724 {
725
726 CSTAT(call_processccp);
727
728 log_hex(5, "CCP", p, l);
729 if (l < 2 || (*p != ConfigReq && *p != TerminateReq))
730 {
731 log(1, 0, s, t, "Unexpecetd CCP request code %d\n", *p);
732 STAT(tunnel_rx_errors);
733 return ;
734 }
735 // reject
736 {
737 u8 b[MAXCONTROL];
738 u8 *q;
739 if (*p == ConfigReq)
740 {
741 if (l < 6)
742 {
743 *p = ConfigAck; // accept no compression
744 }
745 else
746 {
747 *p = ConfigRej; // reject
748 sendccp(t, s);
749 }
750 }
751 else
752 *p = TerminateAck; // close
753 if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPCCP)))
754 {
755 log(1,0,0,0, "Failed to send CCP packet.\n");
756 return;
757 }
758 tunnelsend(b, l + (q - b), t); // send it
759 }
760 }
761
762 // send a CHAP PP packet
763 void sendchap(tunnelidt t, sessionidt s)
764 {
765 u8 b[MAXCONTROL];
766 u16 r = session[s].radius;
767 u8 *q;
768
769 CSTAT(call_sendchap);
770
771 if (!r)
772 {
773 log(1, 0, s, t, "No RADIUS to send challenge\n");
774 STAT(tunnel_tx_errors);
775 return ;
776 }
777 log(1, 0, s, t, "Send CHAP challenge\n");
778 { // new challenge
779 int n;
780 for (n = 0; n < 15; n++)
781 radius[r].auth[n] = rand();
782 }
783 radius[r].chap = 1; // CHAP not PAP
784 radius[r].id++;
785 if (radius[r].state != RADIUSCHAP)
786 radius[r].try = 0;
787 radius[r].state = RADIUSCHAP;
788 radius[r].retry = backoff(radius[r].try++);
789 if (radius[r].try > 5)
790 {
791 sessionshutdown(s, "Timeout CHAP");
792 STAT(tunnel_tx_errors);
793 return ;
794 }
795 q = makeppp(b, sizeof(b), 0, 0, t, s, PPPCHAP);
796 if (!q) {
797 log(1, 0, s, t, "failed to send CHAP challenge.\n");
798 return;
799 }
800 *q = 1; // challenhe
801 q[1] = radius[r].id; // ID
802 q[4] = 16; // length
803 memcpy(q + 5, radius[r].auth, 16); // challenge
804 strcpy(q + 21, hostname); // our name
805 *(u16 *) (q + 2) = htons(strlen(hostname) + 21); // length
806 tunnelsend(b, strlen(hostname) + 21 + (q - b), t); // send it
807 }
808
809 // fill in a L2TP message with a PPP frame,
810 // copies existing PPP message and changes magic number if seen
811 // returns start of PPP frame
812 u8 *makeppp(u8 * b, int size, u8 * p, int l, tunnelidt t, sessionidt s, u16 mtype)
813 {
814
815 if (size < 12)
816 return NULL; // Need more space than this!!
817
818 *(u16 *) (b + 0) = htons(0x0002); // L2TP with no options
819 *(u16 *) (b + 2) = htons(tunnel[t].far); // tunnel
820 *(u16 *) (b + 4) = htons(session[s].far); // session
821 b += 6;
822 if (mtype && !(session[s].l2tp_flags & SESSIONACFC))
823 {
824 *(u16 *) b = htons(0xFF03); // HDLC header
825 b += 2;
826 }
827 if (mtype < 0x100 && session[s].l2tp_flags & SESSIONPFC)
828 *b++ = mtype;
829 else
830 {
831 *(u16 *) b = htons(mtype);
832 b += 2;
833 }
834
835 if (l + 12 > size) {
836 log(3,0,0,0, "Would have overflowed the buffer in makeppp: size %d, len %d.\n", size, l);
837 return NULL; // Run out of room to hold the packet!
838 }
839 if (p && l)
840 memcpy(b, p, l);
841 return b;
842 }
843
844 // find a PPP option, returns point to option, or 0 if not found
845 u8 *findppp(u8 * b, u8 mtype)
846 {
847 u16 l = ntohs(*(u16 *) (b + 2));
848 if (l < 4)
849 return 0;
850 b += 4;
851 l -= 4;
852 while (l)
853 {
854 if (l < b[1] || !b[1])
855 return 0; // faulty
856 if (*b == mtype)
857 return b;
858 l -= b[1];
859 b += b[1];
860 }
861 return 0;
862 }
863
864 // Send initial LCP ConfigReq
865 void initlcp(tunnelidt t, sessionidt s)
866 {
867 char b[500] = {0}, *q;
868
869 q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP);
870 if (!q) {
871 log(1, 0, s, t, "Failed to send LCP ConfigReq.\n");
872 return;
873 }
874 log(4, 0, s, t, "Sending LCP ConfigReq for PAP\n");
875 *q = ConfigReq;
876 *(u8 *)(q + 1) = (time_now % 255) + 1; // ID
877 *(u16 *)(q + 2) = htons(8); // Length
878 *(u8 *)(q + 4) = 3;
879 *(u8 *)(q + 5) = 4;
880 *(u16 *)(q + 6) = htons(0xC023); // PAP
881 tunnelsend(b, 12 + 8, t);
882 }
883
884 // Send CCP reply
885 void sendccp(tunnelidt t, sessionidt s)
886 {
887 char *q, b[500] = {0};
888
889 q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPCCP);
890 *q = ConfigReq;
891 *(u8 *)(q + 1) = (time_now % 255) + 1; // ID
892 *(u16 *)(q + 2) = htons(4); // Length
893 log_hex(5, "PPPCCP", q, 4);
894 tunnelsend(b, (q - b) + 4 , t);
895 }
896