/* * Copyright (C) 2009 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ /* A simple implementation of PPTP Network Server (RFC 2637) which only * creates a single session. The following code only handles control packets. * Data packets are handled by PPPoPNS driver which can be found in Android * kernel tree. */ #include #include #include #include #include #include #include #include #include #include "mtpd.h" enum pptp_message { SCCRQ = 1, SCCRP = 2, STOPCCRQ = 3, STOPCCRP = 4, ECHORQ = 5, ECHORP = 6, OCRQ = 7, OCRP = 8, ICRQ = 9, ICRP = 10, ICCN = 11, CCRQ = 12, CDN = 13, WEN = 14, SLI = 15, MESSAGE_MAX = 15, }; static char *messages[] = { NULL, "SCCRQ", "SCCRP", "STOPCCRQ", "STOPCCRP", "ECHORQ", "ECHORP", "OCRQ", "OCRP", "ICRQ", "ICRP", "ICCN", "CCRQ", "CDN", "WEN", "SLI", }; static uint8_t lengths[] = { 0, 156, 156, 16, 16, 16, 20, 168, 32, 220, 24, 28, 16, 148, 40, 24, }; #define CONTROL_MESSAGE htons(1) #define MAGIC_COOKIE htonl(0x1A2B3C4D) #define PROTOCOL_VERSION htons(0x0100) #define RESULT_OK 1 #define RESULT_ERROR 2 /* Some implementation uses 0 instead of 1, so we allow both of them. */ #define ESTABLISHED(result) (result <= 1) #define HEADER_SIZE 8 #define MIN_MESSAGE_SIZE 10 static uint16_t local; static uint16_t remote; static uint16_t state; #define MAX_PACKET_LENGTH 220 /* We define all the fields we used in this structure. Type conversion and byte * alignment are solved in one place. Although it looks a little bit ugly, it * really makes life easier. */ static struct packet { int length; int expect; union { uint8_t buffer[MAX_PACKET_LENGTH]; struct { struct __attribute__((packed)) { uint16_t length; uint16_t type; uint32_t cookie; } header; uint16_t message; uint16_t reserved; union { struct __attribute__((packed)) { uint16_t protocol_version; uint8_t result; uint8_t error; uint32_t framing; uint32_t bearer; uint16_t channels; uint16_t firmware_revision; char host[64]; } sccrp, sccrq; struct __attribute__((packed)) { uint16_t call; uint16_t serial; uint32_t minimum_speed; uint32_t maximum_speed; uint32_t bearer; uint32_t framing; uint16_t window_size; } ocrq; struct __attribute__((packed)) { uint16_t call; uint16_t peer; uint8_t result; } ocrp, icrp; struct __attribute__((packed)) { uint32_t identifier; uint8_t result; } echorq, echorp; struct __attribute__((packed)) { uint16_t call; } icrq, ccrq, cdn; }; } __attribute__((packed)); } __attribute__((aligned(4))); } incoming, outgoing; static void set_message(uint16_t message) { uint16_t length = lengths[message]; memset(outgoing.buffer, 0, length); outgoing.length = length; outgoing.header.length = htons(length); outgoing.header.type = CONTROL_MESSAGE; outgoing.header.cookie = MAGIC_COOKIE; outgoing.message = htons(message); } static void send_packet() { send(the_socket, outgoing.buffer, outgoing.length, 0); } static int recv_packet() { int length; /* We are going to read a new message if incoming.expect is 0. */ if (!incoming.expect) { incoming.length = 0; incoming.expect = HEADER_SIZE; } /* The longest message defined in RFC 2637 is 220 bytes, but the protocol * itself allows up to 65536 bytes. Therefore we always read a complete * message but only keep the first 220 bytes before passing up. */ length = incoming.expect - incoming.length; if (incoming.length >= MAX_PACKET_LENGTH) { uint8_t buffer[length]; length = recv(the_socket, buffer, length, 0); } else { if (incoming.expect > MAX_PACKET_LENGTH) { length = MAX_PACKET_LENGTH - incoming.length; } length = recv(the_socket, &incoming.buffer[incoming.length], length, 0); } if (length == -1) { if (errno == EINTR) { return 0; } log_print(FATAL, "Recv() %s", strerror(errno)); exit(NETWORK_ERROR); } if (length == 0) { log_print(DEBUG, "Connection closed"); log_print(INFO, "Remote server hung up"); return -REMOTE_REQUESTED; } incoming.length += length; /* If incoming.header is valid, check cookie and update incoming.expect. */ if (incoming.length == HEADER_SIZE && incoming.expect == HEADER_SIZE) { if (incoming.header.cookie != MAGIC_COOKIE) { log_print(DEBUG, "Loss of synchronization"); log_print(ERROR, "Protocol error"); return -PROTOCOL_ERROR; } incoming.expect = ntohs(incoming.header.length); if (incoming.expect < HEADER_SIZE) { log_print(DEBUG, "Invalid message length"); log_print(ERROR, "Protocol error"); return -PROTOCOL_ERROR; } } /* Now we have a complete message. Reset incoming.expect. */ if (incoming.length == incoming.expect) { incoming.expect = 0; /* Return 1 if it is a control message. */ if (incoming.header.type == CONTROL_MESSAGE) { return 1; } log_print(DEBUG, "Ignored non-control message (type = %d)", ntohs(incoming.header.type)); } return 0; } static int pptp_connect(char **arguments) { create_socket(AF_UNSPEC, SOCK_STREAM, arguments[0], arguments[1]); log_print(DEBUG, "Sending SCCRQ"); state = SCCRQ; set_message(SCCRQ); outgoing.sccrq.protocol_version = PROTOCOL_VERSION; outgoing.sccrq.framing = htonl(3); outgoing.sccrq.bearer = htonl(3); outgoing.sccrq.channels = htons(1); strcpy(outgoing.sccrq.host, "anonymous"); send_packet(); return 0; } static int create_pppox() { int pppox = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OPNS); log_print(INFO, "Creating PPPoX socket"); if (pppox == -1) { log_print(FATAL, "Socket() %s", strerror(errno)); exit(SYSTEM_ERROR); } else { struct sockaddr_pppopns address = { .sa_family = AF_PPPOX, .sa_protocol = PX_PROTO_OPNS, .tcp_socket = the_socket, .local = local, .remote = remote, }; if (connect(pppox, (struct sockaddr *)&address, sizeof(address))) { log_print(FATAL, "Connect() %s", strerror(errno)); exit(SYSTEM_ERROR); } } return pppox; } static int pptp_process() { int result = recv_packet(); if (result <= 0) { return result; } if (incoming.length < MIN_MESSAGE_SIZE) { log_print(DEBUG, "Control message too short"); return 0; } incoming.message = ntohs(incoming.message); if (incoming.message > MESSAGE_MAX || !messages[incoming.message]) { log_print(DEBUG, "Received UNKNOWN %d", incoming.message); return 0; } if (incoming.length < lengths[incoming.message]) { log_print(DEBUG, "Received %s with invalid length (length = %d)", messages[incoming.message], incoming.length); return 0; } switch(incoming.message) { case SCCRP: if (state == SCCRQ) { if (incoming.sccrp.protocol_version == PROTOCOL_VERSION && ESTABLISHED(incoming.sccrp.result)) { while (!local) { local = random(); } log_print(DEBUG, "Received SCCRP -> Sending OCRQ " "(local = %d)", local); log_print(INFO, "Tunnel established"); state = OCRQ; set_message(OCRQ); outgoing.ocrq.call = local; outgoing.ocrq.serial = random(); outgoing.ocrq.minimum_speed = htonl(1000); outgoing.ocrq.maximum_speed = htonl(100000000); outgoing.ocrq.bearer = htonl(3); outgoing.ocrq.framing = htonl(3); outgoing.ocrq.window_size = htons(8192); send_packet(); return 0; } log_print(DEBUG, "Received SCCRP (result = %d)", incoming.sccrq.result); log_print(INFO, "Remote server hung up"); return -REMOTE_REQUESTED; } break; case OCRP: if (state == OCRQ && incoming.ocrp.peer == local) { if (ESTABLISHED(incoming.ocrp.result)) { remote = incoming.ocrp.call; log_print(DEBUG, "Received OCRQ (remote = %d)", remote); log_print(INFO, "Session established"); state = OCRP; start_pppd(create_pppox()); return 0; } log_print(DEBUG, "Received OCRP (result = %d)", incoming.ocrp.result); log_print(INFO, "Remote server hung up"); return -REMOTE_REQUESTED; } break; case STOPCCRQ: log_print(DEBUG, "Received STOPCCRQ"); log_print(INFO, "Remote server hung up"); state = STOPCCRQ; return -REMOTE_REQUESTED; case CCRQ: /* According to RFC 2637 page 45, we should never receive CCRQ for * outgoing calls. However, some implementation only acts as PNS and * always uses CCRQ to clear a call, so here we still handle it. */ if (state == OCRP && incoming.ccrq.call == remote) { log_print(DEBUG, "Received CCRQ (remote = %d)", remote); log_print(INFO, "Remote server hung up"); return -REMOTE_REQUESTED; } break; case CDN: if (state == OCRP && incoming.cdn.call == remote) { log_print(DEBUG, "Received CDN (remote = %d)", remote); log_print(INFO, "Remote server hung up"); return -REMOTE_REQUESTED; } break; case ECHORQ: log_print(DEBUG, "Received ECHORQ -> Sending ECHORP"); set_message(ECHORP); outgoing.echorp.identifier = incoming.echorq.identifier; outgoing.echorp.result = RESULT_OK; send_packet(); return 0; case WEN: case SLI: log_print(DEBUG, "Recevied %s", messages[incoming.message]); return 0; case ICRQ: log_print(DEBUG, "Received ICRQ (remote = %d) -> Sending ICRP " "with error", incoming.icrq.call); set_message(ICRP); outgoing.icrp.peer = incoming.icrq.call; outgoing.icrp.result = RESULT_ERROR; send_packet(); return 0; case OCRQ: log_print(DEBUG, "Received OCRQ (remote = %d) -> Sending OCRP " "with error", incoming.ocrq.call); set_message(OCRP); outgoing.ocrp.peer = incoming.ocrq.call; outgoing.ocrp.result = RESULT_ERROR; send_packet(); return 0; } /* We reach here if we got an unexpected message. Just log it. */ log_print(DEBUG, "Received UNEXPECTED %s", messages[incoming.message]); return 0; } static int pptp_timeout() { return 0; } static void pptp_shutdown() { /* Normally we should send STOPCCRQ and wait for STOPCCRP, but this might * block for a long time. Here we simply take the shortcut: do nothing. */ } struct protocol pptp = { .name = "pptp", .arguments = 2, .usage = " ", .connect = pptp_connect, .process = pptp_process, .timeout = pptp_timeout, .shutdown = pptp_shutdown, };