1 /*
2 * Copyright (C) 2009 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 /* A simple implementation of PPTP Network Server (RFC 2637) which only
18 * creates a single session. The following code only handles control packets.
19 * Data packets are handled by PPPoPNS driver which can be found in Android
20 * kernel tree. */
21
22 #include <stdbool.h>
23 #include <stdio.h>
24 #include <stdlib.h>
25 #include <string.h>
26 #include <errno.h>
27 #include <sys/types.h>
28 #include <sys/socket.h>
29 #include <netdb.h>
30 #include <unistd.h>
31 #include <arpa/inet.h>
32 #include <linux/netdevice.h>
33 #include <linux/if_pppox.h>
34 #include <linux/types.h>
35
36 #include "mtpd.h"
37
38 enum pptp_message {
39 SCCRQ = 1,
40 SCCRP = 2,
41 STOPCCRQ = 3,
42 STOPCCRP = 4,
43 ECHORQ = 5,
44 ECHORP = 6,
45 OCRQ = 7,
46 OCRP = 8,
47 ICRQ = 9,
48 ICRP = 10,
49 ICCN = 11,
50 CCRQ = 12,
51 CDN = 13,
52 WEN = 14,
53 SLI = 15,
54 MESSAGE_MAX = 15,
55 };
56
57 static char *messages[] = {
58 NULL, "SCCRQ", "SCCRP", "STOPCCRQ", "STOPCCRP", "ECHORQ", "ECHORP",
59 "OCRQ", "OCRP", "ICRQ", "ICRP", "ICCN", "CCRQ", "CDN", "WEN", "SLI",
60 };
61
62 static uint8_t lengths[] = {
63 0, 156, 156, 16, 16, 16, 20, 168, 32, 220, 24, 28, 16, 148, 40, 24,
64 };
65
66 #define CONTROL_MESSAGE htons(1)
67 #define MAGIC_COOKIE htonl(0x1A2B3C4D)
68 #define PROTOCOL_VERSION htons(0x0100)
69
70 #define RESULT_OK 1
71 #define RESULT_ERROR 2
72
73 /* Some implementation uses 0 instead of 1, so we allow both of them. */
74 #define ESTABLISHED(result) (result <= 1)
75
76 #define HEADER_SIZE 8
77 #define MIN_MESSAGE_SIZE 10
78
79 static __be16 local;
80 static __be16 remote;
81 static uint16_t state;
82 static const char *remote_name; /* server host name or IP address */
83
84 #define MAX_PACKET_LENGTH 220
85
86 /* We define all the fields we used in this structure. Type conversion and byte
87 * alignment are solved in one place. Although it looks a little bit ugly, it
88 * really makes life easier. */
89 static struct packet {
90 int length;
91 int expect;
92 union {
93 uint8_t buffer[MAX_PACKET_LENGTH];
94 struct {
95 struct __attribute__((packed)) {
96 uint16_t length;
97 uint16_t type;
98 uint32_t cookie;
99 } header;
100 uint16_t message;
101 uint16_t reserved;
102 union {
103 struct __attribute__((packed)) {
104 uint16_t protocol_version;
105 uint8_t result;
106 uint8_t error;
107 uint32_t framing;
108 uint32_t bearer;
109 uint16_t channels;
110 uint16_t firmware_revision;
111 char host[64];
112 } sccrp, sccrq;
113 struct __attribute__((packed)) {
114 uint16_t call;
115 uint16_t serial;
116 uint32_t minimum_speed;
117 uint32_t maximum_speed;
118 uint32_t bearer;
119 uint32_t framing;
120 uint16_t window_size;
121 } ocrq;
122 struct __attribute__((packed)) {
123 uint16_t call;
124 uint16_t peer;
125 uint8_t result;
126 } ocrp, icrp;
127 struct __attribute__((packed)) {
128 uint32_t identifier;
129 uint8_t result;
130 } echorq, echorp;
131 struct __attribute__((packed)) {
132 uint16_t call;
133 } icrq, ccrq, cdn;
134 };
135 } __attribute__((packed));
136 } __attribute__((aligned(4)));
137 } incoming, outgoing;
138
set_message(uint16_t message)139 static void set_message(uint16_t message)
140 {
141 uint16_t length = lengths[message];
142 memset(outgoing.buffer, 0, length);
143 outgoing.length = length;
144 outgoing.header.length = htons(length);
145 outgoing.header.type = CONTROL_MESSAGE;
146 outgoing.header.cookie = MAGIC_COOKIE;
147 outgoing.message = htons(message);
148 }
149
send_packet()150 static void send_packet()
151 {
152 send(the_socket, outgoing.buffer, outgoing.length, 0);
153 }
154
recv_packet()155 static int recv_packet()
156 {
157 int length;
158
159 /* We are going to read a new message if incoming.expect is 0. */
160 if (!incoming.expect) {
161 incoming.length = 0;
162 incoming.expect = HEADER_SIZE;
163 }
164
165 /* The longest message defined in RFC 2637 is 220 bytes, but the protocol
166 * itself allows up to 65536 bytes. Therefore we always read a complete
167 * message but only keep the first 220 bytes before passing up. */
168 length = incoming.expect - incoming.length;
169 if (incoming.length >= MAX_PACKET_LENGTH) {
170 uint8_t buffer[length];
171 length = recv(the_socket, buffer, length, 0);
172 } else {
173 if (incoming.expect > MAX_PACKET_LENGTH) {
174 length = MAX_PACKET_LENGTH - incoming.length;
175 }
176 length = recv(the_socket, &incoming.buffer[incoming.length], length, 0);
177 }
178 if (length == -1) {
179 if (errno == EINTR) {
180 return 0;
181 }
182 log_print(FATAL, "Recv() %s", strerror(errno));
183 exit(NETWORK_ERROR);
184 }
185 if (length == 0) {
186 log_print(DEBUG, "Connection closed");
187 log_print(INFO, "Remote server hung up");
188 return -REMOTE_REQUESTED;
189 }
190 incoming.length += length;
191
192 /* If incoming.header is valid, check cookie and update incoming.expect. */
193 if (incoming.length == HEADER_SIZE && incoming.expect == HEADER_SIZE) {
194 if (incoming.header.cookie != MAGIC_COOKIE) {
195 log_print(DEBUG, "Loss of synchronization");
196 log_print(ERROR, "Protocol error");
197 return -PROTOCOL_ERROR;
198 }
199 incoming.expect = ntohs(incoming.header.length);
200 if (incoming.expect < HEADER_SIZE) {
201 log_print(DEBUG, "Invalid message length");
202 log_print(ERROR, "Protocol error");
203 return -PROTOCOL_ERROR;
204 }
205 }
206
207 /* Now we have a complete message. Reset incoming.expect. */
208 if (incoming.length == incoming.expect) {
209 incoming.expect = 0;
210
211 /* Return 1 if it is a control message. */
212 if (incoming.header.type == CONTROL_MESSAGE) {
213 return 1;
214 }
215 log_print(DEBUG, "Ignored non-control message (type = %u)",
216 (unsigned)ntohs(incoming.header.type));
217 }
218 return 0;
219 }
220
pptp_connect(char ** arguments)221 static int pptp_connect(char **arguments)
222 {
223 remote_name = arguments[0];
224
225 create_socket(AF_UNSPEC, SOCK_STREAM, arguments[0], arguments[1]);
226
227 log_print(DEBUG, "Sending SCCRQ");
228 state = SCCRQ;
229 set_message(SCCRQ);
230 outgoing.sccrq.protocol_version = PROTOCOL_VERSION;
231 outgoing.sccrq.framing = htonl(3);
232 outgoing.sccrq.bearer = htonl(3);
233 outgoing.sccrq.channels = htons(1);
234 strcpy(outgoing.sccrq.host, "anonymous");
235 send_packet();
236 return 0;
237 }
238
239 /**
240 * Check if upstream kernel implementation of PPTP should be used.
241 *
242 * @return true If upstream PPTP should be used, which is the case if
243 * the obsolete OPNS feature is not available.
244 */
check_pptp(void)245 static bool check_pptp(void)
246 {
247 int fd = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OPNS);
248
249 if (fd < 0) {
250 return true;
251 } else {
252 close(fd);
253 return false;
254 }
255 }
256
257 /**
258 * Create OPNS session.
259 *
260 * @deprecated It will be removed soon in favor of upstream PPTP.
261 *
262 * @return PPPoX socket file descriptor
263 */
create_pppox_opns(void)264 static int create_pppox_opns(void)
265 {
266 int pppox;
267
268 log_print(WARNING, "Using deprecated OPNS protocol. "
269 "Its support will be removed soon. "
270 "Please enable PPTP support in your kernel");
271
272 log_print(INFO, "Creating PPPoX socket");
273 pppox = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OPNS);
274
275 if (pppox == -1) {
276 log_print(FATAL, "Socket() %s", strerror(errno));
277 exit(SYSTEM_ERROR);
278 } else {
279 struct sockaddr_pppopns address = {
280 .sa_family = AF_PPPOX,
281 .sa_protocol = PX_PROTO_OPNS,
282 .tcp_socket = the_socket,
283 .local = local,
284 .remote = remote,
285 };
286 if (connect(pppox, (struct sockaddr *)&address, sizeof(address))) {
287 log_print(FATAL, "Connect() %s", strerror(errno));
288 exit(SYSTEM_ERROR);
289 }
290 }
291 return pppox;
292 }
293
294 /**
295 * Get IP address by host name.
296 *
297 * @param name Host name to get IP address for
298 *
299 * @return IP address for given host name
300 */
get_addr_by_name(const char * name)301 static struct in_addr get_addr_by_name(const char *name)
302 {
303 struct addrinfo hints;
304 struct addrinfo *res, *rp;
305 struct in_addr addr;
306 int err;
307
308 memset(&hints, 0, sizeof(struct addrinfo));
309 hints.ai_family = AF_INET; /* allow only IPv4 */
310 hints.ai_socktype = SOCK_DGRAM; /* UDP */
311 hints.ai_protocol = 0; /* any protocol */
312
313 err = getaddrinfo(name, NULL, &hints, &res);
314 if (err) {
315 log_print(FATAL, "%s: getaddrinfo: %s", __func__, gai_strerror(err));
316 exit(SYSTEM_ERROR);
317 }
318
319 for (rp = res; rp != NULL; rp = rp->ai_next) {
320 /* For now we only support IPv4 */
321 if (rp->ai_family == AF_INET) {
322 addr = ((struct sockaddr_in *)rp->ai_addr)->sin_addr;
323 break;
324 }
325 }
326
327 if (rp == NULL) {
328 log_print(FATAL, "%s: No IPv4 addresses found", __func__);
329 freeaddrinfo(res);
330 exit(SYSTEM_ERROR);
331 }
332
333 freeaddrinfo(res);
334
335 return addr;
336 }
337
338 /**
339 * Get local IP address.
340 *
341 * Make a socket connection with remote server and then call getsockname() on
342 * the connected socket. This will return the local IP address.
343 *
344 * @param remote_addr Server IP address
345 *
346 * @return Local IP address
347 */
get_local_addr(struct in_addr remote_addr)348 static struct in_addr get_local_addr(struct in_addr remote_addr)
349 {
350 int sock;
351 struct sockaddr_in addr;
352 socklen_t addr_len;
353
354 addr_len = sizeof(struct sockaddr_in);
355 addr.sin_addr = remote_addr;
356 addr.sin_family = AF_INET;
357 addr.sin_port = htons(0);
358
359 sock = socket(AF_INET, SOCK_DGRAM, 0);
360 if (sock < 0) {
361 log_print(FATAL, "%s: Socket() %s", __func__, strerror(errno));
362 exit(SYSTEM_ERROR);
363 }
364
365 if (connect(sock, (struct sockaddr*)&addr, sizeof(addr))) {
366 close(sock);
367 log_print(FATAL, "%s: Connect() %s", __func__, strerror(errno));
368 exit(SYSTEM_ERROR);
369 }
370
371 getsockname(sock, (struct sockaddr*)&addr, &addr_len);
372 close(sock);
373
374 return addr.sin_addr;
375 }
376
377 /**
378 * Create PPTP session.
379 *
380 * @return PPTP socket file descriptor
381 */
create_pppox_pptp(void)382 static int create_pppox_pptp(void)
383 {
384 int pptp_fd;
385 struct sockaddr_pppox src, dst;
386 struct in_addr remote_addr; /* server IP address */
387 struct in_addr local_addr; /* client IP address */
388
389 remote_addr = get_addr_by_name(remote_name);
390 local_addr = get_local_addr(remote_addr);
391
392 src.sa_family = AF_PPPOX;
393 src.sa_protocol = PX_PROTO_PPTP;
394 src.sa_addr.pptp.call_id = ntohs(local);
395 src.sa_addr.pptp.sin_addr = local_addr;
396
397 dst.sa_family = AF_PPPOX;
398 dst.sa_protocol = PX_PROTO_PPTP;
399 dst.sa_addr.pptp.call_id = ntohs(remote);
400 dst.sa_addr.pptp.sin_addr = remote_addr;
401
402 pptp_fd = socket(AF_PPPOX, SOCK_STREAM, PX_PROTO_PPTP);
403 if (pptp_fd < 0) {
404 log_print(FATAL, "Failed to create PPTP socket (%s)", strerror(errno));
405 exit(SYSTEM_ERROR);
406 }
407
408 if (bind(pptp_fd, (struct sockaddr*)&src, sizeof(src))) {
409 log_print(FATAL, "Failed to bind PPTP socket (%s)", strerror(errno));
410 close(pptp_fd);
411 exit(SYSTEM_ERROR);
412 }
413
414 if (connect(pptp_fd, (struct sockaddr*)&dst, sizeof(dst))) {
415 log_print(FATAL, "Failed to connect PPTP socket (%s)", strerror(errno));
416 close(pptp_fd);
417 exit(SYSTEM_ERROR);
418 }
419
420 return pptp_fd;
421 }
422
pptp_process()423 static int pptp_process()
424 {
425 int result = recv_packet();
426 if (result <= 0) {
427 return result;
428 }
429
430 if (incoming.length < MIN_MESSAGE_SIZE) {
431 log_print(DEBUG, "Control message too short");
432 return 0;
433 }
434 incoming.message = ntohs(incoming.message);
435 if (incoming.message > MESSAGE_MAX || !messages[incoming.message]) {
436 log_print(DEBUG, "Received UNKNOWN %d", incoming.message);
437 return 0;
438 }
439 if (incoming.length < lengths[incoming.message]) {
440 log_print(DEBUG, "Received %s with invalid length (length = %d)",
441 messages[incoming.message], incoming.length);
442 return 0;
443 }
444
445 switch(incoming.message) {
446 case SCCRP:
447 if (state == SCCRQ) {
448 if (incoming.sccrp.protocol_version == PROTOCOL_VERSION &&
449 ESTABLISHED(incoming.sccrp.result)) {
450 while (!local) {
451 local = random();
452 }
453 log_print(DEBUG, "Received SCCRP -> Sending OCRQ "
454 "(local = %u)", (unsigned)ntohs(local));
455 log_print(INFO, "Tunnel established");
456 state = OCRQ;
457 set_message(OCRQ);
458 outgoing.ocrq.call = local;
459 outgoing.ocrq.serial = random();
460 outgoing.ocrq.minimum_speed = htonl(1000);
461 outgoing.ocrq.maximum_speed = htonl(100000000);
462 outgoing.ocrq.bearer = htonl(3);
463 outgoing.ocrq.framing = htonl(3);
464 outgoing.ocrq.window_size = htons(8192);
465 send_packet();
466 return 0;
467 }
468 log_print(DEBUG, "Received SCCRP (result = %d)",
469 incoming.sccrq.result);
470 log_print(INFO, "Remote server hung up");
471 return -REMOTE_REQUESTED;
472 }
473 break;
474
475 case OCRP:
476 if (state == OCRQ && incoming.ocrp.peer == local) {
477 if (ESTABLISHED(incoming.ocrp.result)) {
478 remote = incoming.ocrp.call;
479 log_print(DEBUG, "Received OCRQ (remote = %u)",
480 (unsigned)ntohs(remote));
481 log_print(INFO, "Session established");
482 state = OCRP;
483
484 if (check_pptp())
485 start_pppd_pptp(create_pppox_pptp());
486 else
487 start_pppd(create_pppox_opns());
488
489 return 0;
490 }
491 log_print(DEBUG, "Received OCRP (result = %d)",
492 incoming.ocrp.result);
493 log_print(INFO, "Remote server hung up");
494 return -REMOTE_REQUESTED;
495 }
496 break;
497
498 case STOPCCRQ:
499 log_print(DEBUG, "Received STOPCCRQ");
500 log_print(INFO, "Remote server hung up");
501 state = STOPCCRQ;
502 return -REMOTE_REQUESTED;
503
504 case CCRQ:
505 /* According to RFC 2637 page 45, we should never receive CCRQ for
506 * outgoing calls. However, some implementation only acts as PNS and
507 * always uses CCRQ to clear a call, so here we still handle it. */
508 if (state == OCRP && incoming.ccrq.call == remote) {
509 log_print(DEBUG, "Received CCRQ (remote = %u)",
510 (unsigned)ntohs(remote));
511 log_print(INFO, "Remote server hung up");
512 return -REMOTE_REQUESTED;
513 }
514 break;
515
516 case CDN:
517 if (state == OCRP && incoming.cdn.call == remote) {
518 log_print(DEBUG, "Received CDN (remote = %u)",
519 (unsigned)ntohs(remote));
520 log_print(INFO, "Remote server hung up");
521 return -REMOTE_REQUESTED;
522 }
523 break;
524
525 case ECHORQ:
526 log_print(DEBUG, "Received ECHORQ -> Sending ECHORP");
527 set_message(ECHORP);
528 outgoing.echorp.identifier = incoming.echorq.identifier;
529 outgoing.echorp.result = RESULT_OK;
530 send_packet();
531 return 0;
532
533 case WEN:
534 case SLI:
535 log_print(DEBUG, "Recevied %s", messages[incoming.message]);
536 return 0;
537
538 case ICRQ:
539 log_print(DEBUG, "Received ICRQ (remote = %u, call = %u) -> "
540 "Sending ICRP with error", (unsigned)ntohs(remote),
541 (unsigned)ntohs(incoming.icrq.call));
542 set_message(ICRP);
543 outgoing.icrp.peer = incoming.icrq.call;
544 outgoing.icrp.result = RESULT_ERROR;
545 send_packet();
546 return 0;
547
548 case OCRQ:
549 log_print(DEBUG, "Received OCRQ (remote = %u, call = %u) -> "
550 "Sending OCRP with error", (unsigned)ntohs(remote),
551 (unsigned)ntohs(incoming.ocrq.call));
552 set_message(OCRP);
553 outgoing.ocrp.peer = incoming.ocrq.call;
554 outgoing.ocrp.result = RESULT_ERROR;
555 send_packet();
556 return 0;
557 }
558
559 /* We reach here if we got an unexpected message. Just log it. */
560 log_print(DEBUG, "Received UNEXPECTED %s", messages[incoming.message]);
561 return 0;
562 }
563
pptp_timeout()564 static int pptp_timeout()
565 {
566 return 0;
567 }
568
pptp_shutdown()569 static void pptp_shutdown()
570 {
571 /* Normally we should send STOPCCRQ and wait for STOPCCRP, but this might
572 * block for a long time. Here we simply take the shortcut: do nothing. */
573 }
574
575 struct protocol pptp = {
576 .name = "pptp",
577 .arguments = 2,
578 .usage = "<server> <port>",
579 .connect = pptp_connect,
580 .process = pptp_process,
581 .timeout = pptp_timeout,
582 .shutdown = pptp_shutdown,
583 };
584