1 /* 2 * Copyright (C) 2009 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 /* A simple implementation of PPTP Network Server (RFC 2637) which only 18 * creates a single session. The following code only handles control packets. 19 * Data packets are handled by PPPoPNS driver which can be found in Android 20 * kernel tree. */ 21 22 #include <stdio.h> 23 #include <stdlib.h> 24 #include <string.h> 25 #include <errno.h> 26 #include <sys/types.h> 27 #include <sys/socket.h> 28 #include <arpa/inet.h> 29 #include <linux/if_pppopns.h> 30 31 #include "mtpd.h" 32 33 enum pptp_message { 34 SCCRQ = 1, 35 SCCRP = 2, 36 STOPCCRQ = 3, 37 STOPCCRP = 4, 38 ECHORQ = 5, 39 ECHORP = 6, 40 OCRQ = 7, 41 OCRP = 8, 42 ICRQ = 9, 43 ICRP = 10, 44 ICCN = 11, 45 CCRQ = 12, 46 CDN = 13, 47 WEN = 14, 48 SLI = 15, 49 MESSAGE_MAX = 15, 50 }; 51 52 static char *messages[] = { 53 NULL, "SCCRQ", "SCCRP", "STOPCCRQ", "STOPCCRP", "ECHORQ", "ECHORP", 54 "OCRQ", "OCRP", "ICRQ", "ICRP", "ICCN", "CCRQ", "CDN", "WEN", "SLI", 55 }; 56 57 static uint8_t lengths[] = { 58 0, 156, 156, 16, 16, 16, 20, 168, 32, 220, 24, 28, 16, 148, 40, 24, 59 }; 60 61 #define CONTROL_MESSAGE htons(1) 62 #define MAGIC_COOKIE htonl(0x1A2B3C4D) 63 #define PROTOCOL_VERSION htons(0x0100) 64 65 #define RESULT_OK 1 66 #define RESULT_ERROR 2 67 68 /* Some implementation uses 0 instead of 1, so we allow both of them. */ 69 #define ESTABLISHED(result) (result <= 1) 70 71 #define HEADER_SIZE 8 72 #define MIN_MESSAGE_SIZE 10 73 74 static uint16_t local; 75 static uint16_t remote; 76 static uint16_t state; 77 78 #define MAX_PACKET_LENGTH 220 79 80 /* We define all the fields we used in this structure. Type conversion and byte 81 * alignment are solved in one place. Although it looks a little bit ugly, it 82 * really makes life easier. */ 83 static struct packet { 84 int length; 85 int expect; 86 union { 87 uint8_t buffer[MAX_PACKET_LENGTH]; 88 struct { 89 struct __attribute__((packed)) { 90 uint16_t length; 91 uint16_t type; 92 uint32_t cookie; 93 } header; 94 uint16_t message; 95 uint16_t reserved; 96 union { 97 struct __attribute__((packed)) { 98 uint16_t protocol_version; 99 uint8_t result; 100 uint8_t error; 101 uint32_t framing; 102 uint32_t bearer; 103 uint16_t channels; 104 uint16_t firmware_revision; 105 char host[64]; 106 } sccrp, sccrq; 107 struct __attribute__((packed)) { 108 uint16_t call; 109 uint16_t serial; 110 uint32_t minimum_speed; 111 uint32_t maximum_speed; 112 uint32_t bearer; 113 uint32_t framing; 114 uint16_t window_size; 115 } ocrq; 116 struct __attribute__((packed)) { 117 uint16_t call; 118 uint16_t peer; 119 uint8_t result; 120 } ocrp, icrp; 121 struct __attribute__((packed)) { 122 uint32_t identifier; 123 uint8_t result; 124 } echorq, echorp; 125 struct __attribute__((packed)) { 126 uint16_t call; 127 } icrq, ccrq, cdn; 128 }; 129 } __attribute__((packed)); 130 } __attribute__((aligned(4))); 131 } incoming, outgoing; 132 133 static void set_message(uint16_t message) 134 { 135 uint16_t length = lengths[message]; 136 memset(outgoing.buffer, 0, length); 137 outgoing.length = length; 138 outgoing.header.length = htons(length); 139 outgoing.header.type = CONTROL_MESSAGE; 140 outgoing.header.cookie = MAGIC_COOKIE; 141 outgoing.message = htons(message); 142 } 143 144 static void send_packet() 145 { 146 send(the_socket, outgoing.buffer, outgoing.length, 0); 147 } 148 149 static int recv_packet() 150 { 151 int length; 152 153 /* We are going to read a new message if incoming.expect is 0. */ 154 if (!incoming.expect) { 155 incoming.length = 0; 156 incoming.expect = HEADER_SIZE; 157 } 158 159 /* The longest message defined in RFC 2637 is 220 bytes, but the protocol 160 * itself allows up to 65536 bytes. Therefore we always read a complete 161 * message but only keep the first 220 bytes before passing up. */ 162 length = incoming.expect - incoming.length; 163 if (incoming.length >= MAX_PACKET_LENGTH) { 164 uint8_t buffer[length]; 165 length = recv(the_socket, buffer, length, 0); 166 } else { 167 if (incoming.expect > MAX_PACKET_LENGTH) { 168 length = MAX_PACKET_LENGTH - incoming.length; 169 } 170 length = recv(the_socket, &incoming.buffer[incoming.length], length, 0); 171 } 172 if (length == -1) { 173 if (errno == EINTR) { 174 return 0; 175 } 176 log_print(FATAL, "Recv() %s", strerror(errno)); 177 exit(NETWORK_ERROR); 178 } 179 if (length == 0) { 180 log_print(DEBUG, "Connection closed"); 181 log_print(INFO, "Remote server hung up"); 182 return -REMOTE_REQUESTED; 183 } 184 incoming.length += length; 185 186 /* If incoming.header is valid, check cookie and update incoming.expect. */ 187 if (incoming.length == HEADER_SIZE && incoming.expect == HEADER_SIZE) { 188 if (incoming.header.cookie != MAGIC_COOKIE) { 189 log_print(DEBUG, "Loss of synchronization"); 190 log_print(ERROR, "Protocol error"); 191 return -PROTOCOL_ERROR; 192 } 193 incoming.expect = ntohs(incoming.header.length); 194 if (incoming.expect < HEADER_SIZE) { 195 log_print(DEBUG, "Invalid message length"); 196 log_print(ERROR, "Protocol error"); 197 return -PROTOCOL_ERROR; 198 } 199 } 200 201 /* Now we have a complete message. Reset incoming.expect. */ 202 if (incoming.length == incoming.expect) { 203 incoming.expect = 0; 204 205 /* Return 1 if it is a control message. */ 206 if (incoming.header.type == CONTROL_MESSAGE) { 207 return 1; 208 } 209 log_print(DEBUG, "Ignored non-control message (type = %d)", 210 ntohs(incoming.header.type)); 211 } 212 return 0; 213 } 214 215 static int pptp_connect(int argc, char **argv) 216 { 217 if (argc < 2) { 218 return -USAGE_ERROR; 219 } 220 create_socket(AF_UNSPEC, SOCK_STREAM, argv[0], argv[1]); 221 222 log_print(DEBUG, "Sending SCCRQ"); 223 state = SCCRQ; 224 set_message(SCCRQ); 225 outgoing.sccrq.protocol_version = PROTOCOL_VERSION; 226 outgoing.sccrq.framing = htonl(3); 227 outgoing.sccrq.bearer = htonl(3); 228 outgoing.sccrq.channels = htons(1); 229 strcpy(outgoing.sccrq.host, "anonymous"); 230 send_packet(); 231 return 0; 232 } 233 234 static int create_pppox() 235 { 236 int pppox; 237 log_print(INFO, "Creating PPPoX socket"); 238 pppox = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OPNS); 239 240 if (pppox == -1) { 241 log_print(FATAL, "Socket() %s", strerror(errno)); 242 exit(SYSTEM_ERROR); 243 } else { 244 struct sockaddr_pppopns address = { 245 .sa_family = AF_PPPOX, 246 .sa_protocol = PX_PROTO_OPNS, 247 .tcp_socket = the_socket, 248 .local = local, 249 .remote = remote, 250 }; 251 if (connect(pppox, (struct sockaddr *)&address, sizeof(address)) != 0) { 252 log_print(FATAL, "Connect() %s", strerror(errno)); 253 exit(SYSTEM_ERROR); 254 } 255 } 256 return pppox; 257 } 258 259 static int pptp_process() 260 { 261 int result = recv_packet(); 262 if (result <= 0) { 263 return result; 264 } 265 266 if (incoming.length < MIN_MESSAGE_SIZE) { 267 log_print(DEBUG, "Control message too short"); 268 return 0; 269 } 270 incoming.message = ntohs(incoming.message); 271 if (incoming.message > MESSAGE_MAX || !messages[incoming.message]) { 272 log_print(DEBUG, "Received UNKNOWN %d", incoming.message); 273 return 0; 274 } 275 if (incoming.length < lengths[incoming.message]) { 276 log_print(DEBUG, "Received %s with invalid length (length = %d)", 277 messages[incoming.message], incoming.length); 278 return 0; 279 } 280 281 switch(incoming.message) { 282 case SCCRP: 283 if (state == SCCRQ) { 284 if (incoming.sccrp.protocol_version == PROTOCOL_VERSION 285 && ESTABLISHED(incoming.sccrp.result)) { 286 while (!local) { 287 local = random(); 288 } 289 log_print(DEBUG, "Received SCCRP -> Sending OCRQ " 290 "(local = %d)", local); 291 log_print(INFO, "Tunnel established"); 292 state = OCRQ; 293 set_message(OCRQ); 294 outgoing.ocrq.call = local; 295 outgoing.ocrq.serial = random(); 296 outgoing.ocrq.minimum_speed = htonl(1000); 297 outgoing.ocrq.maximum_speed = htonl(100000000); 298 outgoing.ocrq.bearer = htonl(3); 299 outgoing.ocrq.framing = htonl(3); 300 outgoing.ocrq.window_size = htons(8192); 301 send_packet(); 302 return 0; 303 } 304 log_print(DEBUG, "Received SCCRP (result = %d)", 305 incoming.sccrq.result); 306 log_print(INFO, "Remote server hung up"); 307 return -REMOTE_REQUESTED; 308 } 309 break; 310 311 case OCRP: 312 if (state == OCRQ && incoming.ocrp.peer == local) { 313 if (ESTABLISHED(incoming.ocrp.result)) { 314 remote = incoming.ocrp.call; 315 log_print(DEBUG, "Received OCRQ (remote = %d)", remote); 316 log_print(INFO, "Session established"); 317 state = OCRP; 318 start_pppd(create_pppox()); 319 return 0; 320 } 321 log_print(DEBUG, "Received OCRP (result = %d)", 322 incoming.ocrp.result); 323 log_print(INFO, "Remote server hung up"); 324 return -REMOTE_REQUESTED; 325 } 326 break; 327 328 case STOPCCRQ: 329 log_print(DEBUG, "Received STOPCCRQ"); 330 log_print(INFO, "Remote server hung up"); 331 state = STOPCCRQ; 332 return -REMOTE_REQUESTED; 333 334 case CCRQ: 335 /* According to RFC 2637 page 45, we should never receive CCRQ for 336 * outgoing calls. However, some implementation only acts as PNS and 337 * always uses CCRQ to clear a call, so here we still handle it. */ 338 if (state == OCRP && incoming.ccrq.call == remote) { 339 log_print(DEBUG, "Received CCRQ (remote = %d)", remote); 340 log_print(INFO, "Remote server hung up"); 341 return -REMOTE_REQUESTED; 342 } 343 break; 344 345 case CDN: 346 if (state == OCRP && incoming.cdn.call == remote) { 347 log_print(DEBUG, "Received CDN (remote = %d)", remote); 348 log_print(INFO, "Remote server hung up"); 349 return -REMOTE_REQUESTED; 350 } 351 break; 352 353 case ECHORQ: 354 log_print(DEBUG, "Received ECHORQ -> Sending ECHORP"); 355 set_message(ECHORP); 356 outgoing.echorp.identifier = incoming.echorq.identifier; 357 outgoing.echorp.result = RESULT_OK; 358 send_packet(); 359 return 0; 360 361 case WEN: 362 case SLI: 363 log_print(DEBUG, "Recevied %s", messages[incoming.message]); 364 return 0; 365 366 case ICRQ: 367 log_print(DEBUG, "Received ICRQ (remote = %d) -> Sending ICRP " 368 "with error", incoming.icrq.call); 369 set_message(ICRP); 370 outgoing.icrp.peer = incoming.icrq.call; 371 outgoing.icrp.result = RESULT_ERROR; 372 send_packet(); 373 return 0; 374 375 case OCRQ: 376 log_print(DEBUG, "Received OCRQ (remote = %d) -> Sending OCRP " 377 "with error", incoming.ocrq.call); 378 set_message(OCRP); 379 outgoing.ocrp.peer = incoming.ocrq.call; 380 outgoing.ocrp.result = RESULT_ERROR; 381 send_packet(); 382 return 0; 383 } 384 385 /* We reach here if we got an unexpected message. Just log it. */ 386 log_print(DEBUG, "Received UNEXPECTED %s", messages[incoming.message]); 387 return 0; 388 } 389 390 static int pptp_timeout() 391 { 392 return 0; 393 } 394 395 static void pptp_shutdown() 396 { 397 /* Normally we should send STOPCCRQ and wait for STOPCCRP, but this might 398 * block for a long time. Here we simply take the shortcut: do nothing. */ 399 } 400 401 struct protocol pptp = { 402 .name = "pptp", 403 .usage = "<server> <port>", 404 .connect = pptp_connect, 405 .process = pptp_process, 406 .timeout = pptp_timeout, 407 .shutdown = pptp_shutdown, 408 }; 409