1 /***********************************************************************
5 * Routines for manipulating L2TP datagrams.
7 * Copyright (C) 2002 by Roaring Penguin Software Inc.
9 * This software may be distributed under the terms of the GNU General
10 * Public License, Version 2, or (at your option) any later version.
14 ***********************************************************************/
16 static char const RCSID
[] =
17 "$Id: dgram.c,v 1.1.48.1 2005/08/08 12:05:25 honor Exp $";
21 #include <sys/types.h>
22 #include <sys/socket.h>
27 #define PULL_UINT16(buf, cursor, val) \
29 val = ((uint16_t) buf[cursor]) * 256 + (uint16_t) buf[cursor+1]; \
33 #define PUSH_UINT16(buf, cursor, val) \
35 buf[cursor] = val / 256; \
36 buf[cursor+1] = val & 0xFF; \
40 #define GET_AVP_LEN(x) ((((x)[0] & 3) * 256) + (x)[1])
42 static int dgram_add_random_vector_avp(l2tp_dgram
*dgram
);
44 static void dgram_do_hide(uint16_t type
,
47 unsigned char const *secret
,
49 unsigned char const *random
,
51 unsigned char *output
);
53 static unsigned char *dgram_do_unhide(uint16_t type
,
56 unsigned char const *secret
,
58 unsigned char const *random
,
60 unsigned char *output
);
62 /* Description of AVP's indexed by AVP type */
64 char const *name
; /* AVP name */
65 int can_hide
; /* Can AVP be hidden? */
66 uint16_t min_len
; /* Minimum PAYLOAD length */
67 uint16_t max_len
; /* Maximum PAYLOAD length (9999 = no limit) */
70 static struct avp_descrip avp_table
[] = {
71 /* Name can_hide min_len max_len */
72 {"Message Type", 0, 2, 2}, /* 0 */
73 {"Result Code", 0, 2, 9999}, /* 1 */
74 {"Protocol Version", 0, 2, 2}, /* 2 */
75 {"Framing Capabilities", 1, 4, 4}, /* 3 */
76 {"Bearer Capabilities", 1, 4, 4}, /* 4 */
77 {"Tie Breaker", 0, 8, 8}, /* 5 */
78 {"Firmware Revision", 1, 2, 2}, /* 6 */
79 {"Host Name", 0, 0, 9999}, /* 7 */
80 {"Vendor Name", 1, 0, 9999}, /* 8 */
81 {"Assigned Tunnel ID", 1, 2, 2}, /* 9 */
82 {"Receive Window Size", 0, 2, 2}, /* 10 */
83 {"Challenge", 1, 0, 9999}, /* 11 */
84 {"Q.931 Cause Code", 0, 3, 9999}, /* 12 */
85 {"Challenge Response", 1, 16, 16}, /* 13 */
86 {"Assigned Session ID", 1, 2, 2}, /* 14 */
87 {"Call Serial Number", 1, 4, 4}, /* 15 */
88 {"Minimum BPS", 1, 4, 4}, /* 16 */
89 {"Maximum BPS", 1, 4, 4}, /* 17 */
90 {"Bearer Type", 1, 4, 4}, /* 18 */
91 {"Framing Type", 1, 4, 4}, /* 19 */
92 {"Unknown", 0, 0, 9999}, /* 20 */
93 {"Called Number", 1, 0, 9999}, /* 21 */
94 {"Calling Number", 1, 0, 9999}, /* 22 */
95 {"Sub-Address", 1, 0, 9999}, /* 23 */
96 {"TX Connect Speed", 1, 4, 4}, /* 24 */
97 {"Physical Channel ID", 1, 4, 4}, /* 25 */
98 {"Intial Received Confreq", 1, 0, 9999}, /* 26 */
99 {"Last Sent Confreq", 1, 0, 9999}, /* 27 */
100 {"Last Received Confreq", 1, 0, 9999}, /* 28 */
101 {"Proxy Authen Type", 1, 2, 2}, /* 29 */
102 {"Proxy Authen Name", 1, 0, 9999}, /* 30 */
103 {"Proxy Authen Challenge", 1, 0, 9999}, /* 31 */
104 {"Proxy Authen ID", 1, 2, 2}, /* 32 */
105 {"Proxy Authen Response", 1, 0, 9999}, /* 33 */
106 {"Call Errors", 1, 26, 26}, /* 34 */
107 {"ACCM", 1, 10, 10}, /* 35 */
108 {"Random Vector", 0, 0, 9999}, /* 36 */
109 {"Private Group ID", 1, 0, 9999}, /* 37 */
110 {"RX Connect Speed", 1, 4, 4}, /* 38 */
111 {"Sequencing Required", 0, 0, 0} /* 39 */
114 /* A free list of L2TP dgram strucures. Allocation of L2TP dgrams
116 static l2tp_dgram
*dgram_free_list
= NULL
;
119 describe_pulled_avp(uint16_t vendor
,
126 unsigned char *buf
= val
;
130 fprintf(stderr
, "Pulled avp: len=%d ", (int) len
);
131 if (vendor
== VENDOR_IETF
) {
132 fprintf(stderr
, "type='%s' ",avp_table
[type
].name
);
134 fprintf(stderr
, "type=%d/%d ", (int) vendor
, (int) type
);
136 fprintf(stderr
, "M=%d H=%d ", mandatory
? 1 : 0, hidden
? 1 : 0);
138 fprintf(stderr
, "val='");
139 for (i
=0; i
<len
; i
++) {
140 if (buf
[i
] < 32 || buf
[i
] > 126) {
145 for (i
=0; i
<len
; i
++) {
147 fprintf(stderr
, "%c", buf
[i
]);
149 fprintf(stderr
, "%02X ", (unsigned int) buf
[i
]);
152 fprintf(stderr
, "'\n");
155 /**********************************************************************
156 * %FUNCTION: dgram_validate_avp
158 * vendor -- vendor code
160 * len -- PAYLOAD length
161 * mandatory -- non-zero if mandatory bit is set
163 * 1 if len is valid for type, 0 otherwise.
164 ***********************************************************************/
166 l2tp_dgram_validate_avp(uint16_t vendor
,
171 if (vendor
!= VENDOR_IETF
) {
173 l2tp_set_errmsg("Unknown mandatory AVP (vendor %d, type %d)",
174 (int) vendor
, (int) type
);
181 if (type
> HIGHEST_AVP
) {
183 l2tp_set_errmsg("Unknown mandatory AVP of type %d",
190 return (len
>= avp_table
[type
].min_len
&&
191 len
<= avp_table
[type
].max_len
);
194 /**********************************************************************
195 * %FUNCTION: dgram_new
197 * len -- payload length to allocate (not currently used...)
199 * A newly-allocated l2tp_dgram structure or NULL
201 * Allocates and initializes an datagram structure.
202 ***********************************************************************/
204 l2tp_dgram_new(size_t len
)
208 if (len
> MAX_PACKET_LEN
) {
209 l2tp_set_errmsg("dgram_new: cannot allocate datagram with payload length %d",
214 if (dgram_free_list
) {
215 dgram
= dgram_free_list
;
216 dgram_free_list
= dgram
->next
;
218 dgram
= malloc(sizeof(l2tp_dgram
));
221 l2tp_set_errmsg("dgram_new: Out of memory");
232 dgram
->last_random
= 0;
233 dgram
->payload_len
= 0;
236 /* We maintain this in case it becomes dynamic later on */
237 dgram
->alloc_len
= MAX_PACKET_LEN
;
243 /**********************************************************************
244 * %FUNCTION: dgram_new_control
246 * msg_type -- message type
250 * A newly-allocated control datagram
252 * Allocates datagram; sets tid and sid fields; adds message_type AVP
253 ***********************************************************************/
255 l2tp_dgram_new_control(uint16_t msg_type
,
259 l2tp_dgram
*dgram
= l2tp_dgram_new(MAX_PACKET_LEN
);
262 if (!dgram
) return NULL
;
264 dgram
->bits
= TYPE_BIT
| LENGTH_BIT
| SEQUENCE_BIT
;
267 dgram
->msg_type
= msg_type
;
268 if (msg_type
!= MESSAGE_ZLB
) {
269 u16
= htons(msg_type
);
271 l2tp_dgram_add_avp(dgram
, NULL
, MANDATORY
,
272 sizeof(u16
), VENDOR_IETF
, AVP_MESSAGE_TYPE
, &u16
);
277 /**********************************************************************
278 * %FUNCTION: dgram_free
280 * dgram -- datagram to free
284 * Frees a datagram structure.
285 ***********************************************************************/
287 l2tp_dgram_free(l2tp_dgram
*dgram
)
290 dgram
->next
= dgram_free_list
;
291 dgram_free_list
= dgram
;
294 /**********************************************************************
295 * %FUNCTION: dgram_take_from_wire
297 * from -- set to address of peer.
299 * NULL on error, allocated datagram otherwise.
301 * Reads an L2TP datagram off the wire and puts it in dgram. Adjusts
302 * header fields to host byte order. Keeps reading in a loop unless
303 * we hit a control frame or EAGAIN. This is more efficient than
304 * returning to select loop each time if there's lots of traffic.
305 ***********************************************************************/
307 l2tp_dgram_take_from_wire(struct sockaddr_in
*from
)
309 /* EXTRA_HEADER_ROOM bytes for other headers like PPPoE, etc. */
311 unsigned char inbuf
[MAX_PACKET_LEN
+EXTRA_HEADER_ROOM
];
313 socklen_t len
= sizeof(struct sockaddr_in
);
316 unsigned char *payload
;
317 unsigned char *tidptr
;
319 uint16_t cache_tid
, cache_sid
;
321 l2tp_session
*ses
= NULL
;
322 int mandatory
, hidden
, err
;
323 uint16_t vendor
, type
;
327 /* Limit iterations before bailing back to select look. Otherwise,
328 we have a nice DoS possibility */
334 /* Active part of buffer */
335 buf
= inbuf
+ EXTRA_HEADER_ROOM
;
338 if (--iters
<= 0) return NULL
;
340 r
= recvfrom(Sock
, buf
, MAX_PACKET_LEN
, 0,
341 (struct sockaddr
*) from
, &len
);
346 /* Check version; drop frame if not L2TP (ver = 2) */
347 if ((buf
[1] & VERSION_MASK
) != 2) continue;
349 /* Not a data frame -- break out of loop and handle control frame */
350 if (buf
[0] & TYPE_BIT
) break;
352 /* If it's a data frame, we need to be FAST, so do not allocate
353 a dgram structure, etc; just call into handler */
356 if (buf
[0] & LENGTH_BIT
) {
357 framelen
= (((uint16_t) buf
[2]) << 8) + buf
[3];
361 if (buf
[0] & SEQUENCE_BIT
) {
364 if (buf
[0] & OFFSET_BIT
) {
366 off
= (((uint16_t) *(payload
-2)) << 8) + *(payload
-1);
369 off
= (payload
- buf
);
370 if (framelen
== -1) {
373 if (framelen
< off
|| framelen
> r
) {
376 /* Only count payload length */
380 /* Forget the 0xFF, 0x03 HDLC markers */
387 /* Get tunnel, session ID */
388 tid
= (((uint16_t) tidptr
[0]) << 8) + (uint16_t) tidptr
[1];
389 sid
= (((uint16_t) tidptr
[2]) << 8) + (uint16_t) tidptr
[3];
391 /* Only do hash lookup if it's not cached */
392 /* TODO: Is this optimization really worthwhile? */
393 if (!ses
|| tid
!= cache_tid
|| sid
!= cache_sid
) {
395 tunnel
= l2tp_tunnel_find_by_my_id(tid
);
397 l2tp_set_errmsg("Unknown tunnel %d", (int) tid
);
400 if (tunnel
->state
!= TUNNEL_ESTABLISHED
) {
401 /* Drop frame if tunnel in wrong state */
404 /* TODO: Verify source address */
405 ses
= l2tp_tunnel_find_session(tunnel
, sid
);
407 l2tp_set_errmsg("Unknown session %d in tunnel %d",
408 (int) sid
, (int) tid
);
413 if (ses
->state
!= SESSION_ESTABLISHED
) {
414 /* Drop frame if session in wrong state */
418 ses
->call_ops
->handle_ppp_frame(ses
, payload
, framelen
);
419 /* Snoop, if necessary */
421 l2tp_session_lcp_snoop(ses
, payload
, framelen
, 1);
426 /* A bit of slop on dgram size */
427 dgram
= l2tp_dgram_new(r
);
428 if (!dgram
) return NULL
;
430 dgram
->bits
= buf
[0];
431 dgram
->version
= buf
[1];
434 if (dgram
->bits
& LENGTH_BIT
) {
435 PULL_UINT16(buf
, cursor
, dgram
->length
);
436 if (dgram
->length
> r
) {
437 l2tp_set_errmsg("Invalid length field %d greater than received datagram size %d", (int) dgram
->length
, r
);
438 l2tp_dgram_free(dgram
);
445 PULL_UINT16(buf
, cursor
, dgram
->tid
);
446 PULL_UINT16(buf
, cursor
, dgram
->sid
);
447 if (dgram
->bits
& SEQUENCE_BIT
) {
448 PULL_UINT16(buf
, cursor
, dgram
->Ns
);
449 PULL_UINT16(buf
, cursor
, dgram
->Nr
);
455 if (dgram
->bits
& OFFSET_BIT
) {
456 PULL_UINT16(buf
, cursor
, dgram
->off_size
);
460 if (cursor
> dgram
->length
) {
461 l2tp_set_errmsg("Invalid length of datagram %d", (int) dgram
->length
);
462 l2tp_dgram_free(dgram
);
466 dgram
->payload_len
= dgram
->length
- cursor
;
467 memcpy(dgram
->data
, buf
+cursor
, dgram
->payload_len
);
469 /* Pull off the message type */
470 if (dgram
->bits
& OFFSET_BIT
) {
471 l2tp_set_errmsg("Invalid control frame: O bit is set");
472 l2tp_dgram_free(dgram
);
477 if (dgram
->payload_len
== 0) {
478 dgram
->msg_type
= MESSAGE_ZLB
;
481 msg
= l2tp_dgram_pull_avp(dgram
, NULL
, &mandatory
, &hidden
,
482 &avp_len
, &vendor
, &type
, &err
);
484 l2tp_dgram_free(dgram
);
487 if (type
!= AVP_MESSAGE_TYPE
|| vendor
!= VENDOR_IETF
) {
488 l2tp_set_errmsg("Invalid control message: First AVP must be message type");
489 l2tp_dgram_free(dgram
);
493 l2tp_set_errmsg("Invalid length %d for message-type AVP", (int) avp_len
+6);
494 l2tp_dgram_free(dgram
);
498 l2tp_set_errmsg("Invalid control message: M bit not set on message-type AVP");
499 l2tp_dgram_free(dgram
);
503 l2tp_set_errmsg("Invalid control message: H bit set on message-type AVP");
504 l2tp_dgram_free(dgram
);
508 dgram
->msg_type
= ((unsigned int) msg
[0]) * 256 +
509 (unsigned int) msg
[1];
511 DBG(l2tp_db(DBG_XMIT_RCV
,
512 "dgram_take_from_wire() -> %s\n",
513 l2tp_debug_describe_dgram(dgram
)));
517 /**********************************************************************
518 * %FUNCTION: dgram_send_to_wire
520 * dgram -- datagram to send
521 * to -- address to send datagram to
523 * Whatever sendto returns. 0 on success, -1 on failure.
525 * Adjusts header fields from host byte order, then sends datagram
526 ***********************************************************************/
528 l2tp_dgram_send_to_wire(l2tp_dgram
const *dgram
,
529 struct sockaddr_in
const *to
)
531 unsigned char buf
[MAX_PACKET_LEN
+128];
532 socklen_t len
= sizeof(struct sockaddr_in
);
535 unsigned char *len_ptr
= NULL
;
537 DBG(l2tp_db(DBG_XMIT_RCV
,
538 "dgram_send_to_wire() -> %s\n",
539 l2tp_debug_describe_dgram(dgram
)));
540 buf
[0] = dgram
->bits
;
541 buf
[1] = dgram
->version
;
543 if (dgram
->bits
& LENGTH_BIT
) {
544 len_ptr
= buf
+ cursor
;
545 PUSH_UINT16(buf
, cursor
, dgram
->length
);
547 PUSH_UINT16(buf
, cursor
, dgram
->tid
);
548 PUSH_UINT16(buf
, cursor
, dgram
->sid
);
549 if (dgram
->bits
& SEQUENCE_BIT
) {
550 PUSH_UINT16(buf
, cursor
, dgram
->Ns
);
551 PUSH_UINT16(buf
, cursor
, dgram
->Nr
);
553 if (dgram
->bits
& OFFSET_BIT
) {
554 PUSH_UINT16(buf
, cursor
, dgram
->off_size
);
556 total_len
= cursor
+ dgram
->payload_len
;
557 if (dgram
->bits
& LENGTH_BIT
) {
558 *len_ptr
++ = total_len
/ 256;
559 *len_ptr
= total_len
& 255;
561 memcpy(buf
+cursor
, dgram
->data
, dgram
->payload_len
);
562 return sendto(Sock
, buf
, total_len
, 0,
563 (struct sockaddr
const *) to
, len
);
566 /**********************************************************************
567 * %FUNCTION: dgram_add_avp
569 * dgram -- the L2TP datagram
570 * tunnel -- the tunnel it will be sent on (for secret for hiding)
571 * mandatory -- if true, set the M bit
572 * len -- length of VALUE. NOT length of entire attribute!
573 * vendor -- vendor ID
574 * type -- attribute type
575 * val -- attribute value
577 * 0 on success, -1 on failure
579 * Adds an AVP to the datagram. If AVP may be hidden, and we have
580 * a secret for it, then hide the AVP.
581 ***********************************************************************/
583 l2tp_dgram_add_avp(l2tp_dgram
*dgram
,
591 static unsigned char hidden_buffer
[1024];
592 unsigned char const *random_data
;
596 /* max len is 1023 - 6 */
597 if (len
> 1023 - 6) {
598 l2tp_set_errmsg("AVP length of %d too long", (int) len
);
602 /* Do hiding where possible */
605 tunnel
->peer
->hide_avps
&&
606 vendor
== VENDOR_IETF
&&
607 tunnel
->peer
->secret_len
&&
609 avp_table
[type
].can_hide
) {
610 if (!dgram
->last_random
) {
611 /* Add a random vector */
612 if (dgram_add_random_vector_avp(dgram
) < 0) return -1;
614 /* Get pointer to random data */
615 random_data
= dgram
->data
+ dgram
->last_random
+ 6;
616 random_len
= GET_AVP_LEN(dgram
->data
+ dgram
->last_random
) - 6;
618 /* Hide the value into the buffer */
619 dgram_do_hide(type
, len
, val
, (unsigned char *) tunnel
->peer
->secret
,
620 tunnel
->peer
->secret_len
,
621 random_data
, random_len
, hidden_buffer
);
623 /* Length is increased by 2 */
629 /* Adjust from payload len to actual len */
632 /* Does datagram have room? */
633 if (dgram
->cursor
+ len
> dgram
->alloc_len
) {
634 l2tp_set_errmsg("No room for AVP of length %d", (int) len
);
638 dgram
->data
[dgram
->cursor
] = 0;
640 dgram
->data
[dgram
->cursor
] |= AVP_MANDATORY_BIT
;
643 dgram
->data
[dgram
->cursor
] |= AVP_HIDDEN_BIT
;
646 dgram
->data
[dgram
->cursor
] |= (len
>> 8);
647 dgram
->data
[dgram
->cursor
+1] = (len
& 0xFF);
648 dgram
->data
[dgram
->cursor
+2] = (vendor
>> 8);
649 dgram
->data
[dgram
->cursor
+3] = (vendor
& 0xFF);
650 dgram
->data
[dgram
->cursor
+4] = (type
>> 8);
651 dgram
->data
[dgram
->cursor
+5] = (type
& 0xFF);
654 memcpy(dgram
->data
+ dgram
->cursor
+ 6, val
, len
-6);
656 if (type
== AVP_RANDOM_VECTOR
) {
657 /* Remember location of random vector */
658 dgram
->last_random
= dgram
->cursor
;
660 dgram
->cursor
+= len
;
661 dgram
->payload_len
= dgram
->cursor
;
665 /**********************************************************************
666 * %FUNCTION: dgram_pull_avp
668 * dgram -- the L2TP datagram
669 * tunnel -- the tunnel it was received on (for secret for hiding)
670 * mandatory -- if set to true, the M bit was set.
671 * hidden -- if set to true, the value was hidden
672 * len -- set to length of value (after unhiding)
673 * vendor -- set to vendor ID
674 * type -- set to attribute type
675 * err -- set to true if an error occurs, false if not.
677 * A pointer to a buffer containing the value, or NULL if an
678 * error occurs or there are no more AVPs.
680 * Pulls an AVP out of a received datagram.
681 ***********************************************************************/
683 l2tp_dgram_pull_avp(l2tp_dgram
*dgram
,
692 static unsigned char val
[1024];
694 unsigned char *random_data
;
700 if (dgram
->cursor
>= dgram
->payload_len
) {
708 mandatory
= &local_mandatory
;
710 *mandatory
= dgram
->data
[dgram
->cursor
] & AVP_MANDATORY_BIT
;
713 hidden
= &local_hidden
;
715 *hidden
= dgram
->data
[dgram
->cursor
] & AVP_HIDDEN_BIT
;
716 if (dgram
->data
[dgram
->cursor
] & AVP_RESERVED_BITS
) {
717 l2tp_set_errmsg("AVP with reserved bits set to non-zero");
722 *len
= ((unsigned int) (dgram
->data
[dgram
->cursor
] & 3)) * 256 +
723 dgram
->data
[dgram
->cursor
+1];
725 l2tp_set_errmsg("Received AVP of length %d (too short)", (int) *len
);
729 if (dgram
->cursor
+ *len
> dgram
->payload_len
) {
730 l2tp_set_errmsg("Received AVP of length %d too long for rest of datagram",
736 PULL_UINT16(dgram
->data
, dgram
->cursor
, *vendor
);
737 PULL_UINT16(dgram
->data
, dgram
->cursor
, *type
);
739 /* If we see a random vector, remember it */
740 if (*vendor
== VENDOR_IETF
&& *type
== AVP_RANDOM_VECTOR
) {
742 l2tp_set_errmsg("Invalid random vector AVP has H bit set");
745 dgram
->last_random
= dgram
->cursor
- 6;
748 ans
= dgram
->data
+ dgram
->cursor
;
749 dgram
->cursor
+= *len
- 6;
752 l2tp_set_errmsg("AVP cannot be hidden");
756 l2tp_set_errmsg("Received hidden AVP of length %d (too short)",
762 l2tp_set_errmsg("No peer??");
765 if (!tunnel
->peer
->secret_len
) {
766 l2tp_set_errmsg("No shared secret to unhide AVP");
769 if (!dgram
->last_random
) {
770 l2tp_set_errmsg("Cannot unhide AVP unless Random Vector received first");
774 if (*type
<= HIGHEST_AVP
) {
775 if (!avp_table
[*type
].can_hide
) {
776 l2tp_set_errmsg("AVP of type %s cannot be hidden, but H bit set",
777 avp_table
[*type
].name
);
782 /* Get pointer to random data */
783 random_data
= dgram
->data
+ dgram
->last_random
+ 6;
784 random_len
= GET_AVP_LEN(dgram
->data
+ dgram
->last_random
) - 6;
787 ans
= dgram_do_unhide(*type
, len
, ans
,
788 (unsigned char *) tunnel
->peer
->secret
,
789 tunnel
->peer
->secret_len
,
790 random_data
, random_len
, val
);
791 if (!ans
) return NULL
;
794 /* Set len to length of value only */
798 /* DBG(describe_pulled_avp(*vendor, *type, *len, *hidden, *mandatory, ans)); */
803 /**********************************************************************
804 * %FUNCTION: dgram_do_hide
806 * type -- attribute type
807 * len -- attribute length
808 * value -- attribute value
809 * secret -- shared tunnel secret
810 * secret_len -- length of secret
811 * random -- random data
812 * random_len -- length of random data
813 * output -- where to put result
817 * Hides AVP into output as described in RFC2661. Does not do
818 * padding (should we?)
819 ***********************************************************************/
821 dgram_do_hide(uint16_t type
,
823 unsigned char *value
,
824 unsigned char const *secret
,
826 unsigned char const *random_data
,
828 unsigned char *output
)
830 struct MD5Context ctx
;
832 unsigned char digest
[16];
836 /* Put type in network byte order */
840 /* Compute initial pad */
842 MD5Update(&ctx
, t
, 2);
843 MD5Update(&ctx
, secret
, secret_len
);
844 MD5Update(&ctx
, random_data
, random_len
);
845 MD5Final(digest
, &ctx
);
848 output
[0] = digest
[0] ^ (len
/ 256);
849 output
[1] = digest
[1] ^ (len
& 255);
855 *output
= digest
[done
] ^ *value
;
860 if (done
== 16 && todo
) {
861 /* Compute new digest */
864 MD5Update(&ctx
, secret
, secret_len
);
865 MD5Update(&ctx
, output
-16, 16);
866 MD5Final(digest
, &ctx
);
871 /**********************************************************************
872 * %FUNCTION: dgram_do_unhide
874 * type -- attribute type
875 * len -- attribute length (input = orig len; output = unhidden len)
876 * value -- attribute value (the hidden characters)
877 * secret -- shared tunnel secret
878 * secret_len -- length of secret
879 * random_data -- random data
880 * random_len -- length of random data
881 * output -- where to put result
883 * pointer to "output" on success; NULL on failure.
885 * Un-hides AVP as in RFC2661
886 ***********************************************************************/
887 static unsigned char *
888 dgram_do_unhide(uint16_t type
,
890 unsigned char *value
,
891 unsigned char const *secret
,
893 unsigned char const *random_data
,
895 unsigned char *output
)
897 struct MD5Context ctx
;
899 unsigned char digest
[16];
901 unsigned char *orig_output
= output
;
904 /* Put type in network byte order */
908 /* Compute initial pad */
910 MD5Update(&ctx
, t
, 2);
911 MD5Update(&ctx
, secret
, secret_len
);
912 MD5Update(&ctx
, random_data
, random_len
);
913 MD5Final(digest
, &ctx
);
915 /* Get hidden length */
917 ((uint16_t) (digest
[0] ^ value
[0])) * 256 +
918 (uint16_t) (digest
[1] ^ value
[1]);
922 if (tmplen
> *len
-8) {
923 l2tp_set_errmsg("Hidden length %d too long in AVP of length %d",
924 (int) tmplen
, (int) *len
);
928 /* Adjust len. Add 6 to compensate for pseudo-header */
931 /* Decrypt remainder */
935 *output
= digest
[done
] ^ *value
;
940 if (done
== 16 && todo
) {
941 /* Compute new digest */
944 MD5Update(&ctx
, secret
, secret_len
);
945 MD5Update(&ctx
, value
-16, 16);
946 MD5Final(digest
, &ctx
);
952 /**********************************************************************
953 * %FUNCTION: dgram_search_avp
955 * dgram -- the datagram
956 * tunnel -- associated tunnel
957 * mandatory -- set to 1 if M bit was set
958 * hidden -- set to 1 if H bit was set
959 * len -- set to length of payload
960 * vendor -- vendor ID we want
961 * type -- AVP type we want
963 * A pointer to the AVP value if found, NULL if not
965 * Searches dgram for specific AVP type.
966 ***********************************************************************/
968 l2tp_dgram_search_avp(l2tp_dgram
*dgram
,
976 uint16_t svend
, stype
;
979 size_t cursor
= dgram
->cursor
;
980 size_t last_random
= dgram
->last_random
;
982 val
= l2tp_dgram_pull_avp(dgram
, tunnel
, mandatory
, hidden
, len
,
983 &svend
, &stype
, &err
);
986 l2tp_set_errmsg("AVP of vendor/type (%d, %d) not found",
987 (int) vendor
, (int) type
);
989 dgram
->cursor
= cursor
;
990 dgram
->last_random
= last_random
;
993 if (vendor
== svend
&& type
== stype
) break;
995 dgram
->cursor
= cursor
;
996 dgram
->last_random
= last_random
;
1000 /**********************************************************************
1001 * %FUNCTION: dgram_send_ppp_frame
1003 * ses -- the session
1004 * buf -- PPP frame. BUF MUST HAVE AT LEAST 16 BYTES OF SPACE AHEAD OF IT!
1005 * len -- length of PPP frame
1007 * Whatever sendto returns
1009 * Sends a PPP frame. TODO: Implement sequence numbers if required.
1010 ***********************************************************************/
1012 l2tp_dgram_send_ppp_frame(l2tp_session
*ses
,
1013 unsigned char const *buf
,
1017 unsigned char *real_buf
= (unsigned char *) buf
- 8;
1018 l2tp_tunnel
*tunnel
= ses
->tunnel
;
1020 /* Drop frame if tunnel and/or session in wrong state */
1022 tunnel
->state
!= TUNNEL_ESTABLISHED
||
1023 ses
->state
!= SESSION_ESTABLISHED
) {
1027 /* If there is a pending ack on the tunnel, cancel and ack now */
1028 if (tunnel
->ack_handler
) {
1029 Event_DelHandler(tunnel
->es
, tunnel
->ack_handler
);
1030 tunnel
->ack_handler
= NULL
;
1031 tunnel_send_ZLB(tunnel
);
1036 real_buf
[2] = (tunnel
->assigned_id
>> 8);
1037 real_buf
[3] = tunnel
->assigned_id
& 0xFF;
1038 real_buf
[4] = ses
->assigned_id
>> 8;
1039 real_buf
[5] = ses
->assigned_id
& 0xFF;
1040 real_buf
[6] = 0xFF; /* HDLC address */
1041 real_buf
[7] = 0x03; /* HDLC control */
1042 r
= sendto(Sock
, real_buf
, len
+8, 0,
1043 (struct sockaddr
const *) &tunnel
->peer_addr
,
1044 sizeof(struct sockaddr_in
));
1045 /* Snoop, if necessary */
1046 if (ses
->snooping
) {
1047 l2tp_session_lcp_snoop(ses
, buf
, len
, 0);
1052 /**********************************************************************
1053 * %FUNCTION: dgram_add_random_vector_avp
1057 * 0 on success; -1 on failure
1059 * Adds a random-vector AVP to the datagram
1060 ***********************************************************************/
1062 dgram_add_random_vector_avp(l2tp_dgram
*dgram
)
1064 unsigned char buf
[16];
1066 l2tp_random_fill(buf
, sizeof(buf
));
1068 return l2tp_dgram_add_avp(dgram
, NULL
, MANDATORY
, sizeof(buf
),
1069 VENDOR_IETF
, AVP_RANDOM_VECTOR
, buf
);