1 /* $NetBSD: if_spppsubr.c,v 1.146 2016/07/07 09:32:02 ozaki-r Exp $ */
2
3 /*
4 * Synchronous PPP/Cisco link level subroutines.
5 * Keepalive protocol implemented in both Cisco and PPP modes.
6 *
7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd.
8 * Author: Serge Vakulenko, <vak@cronyx.ru>
9 *
10 * Heavily revamped to conform to RFC 1661.
11 * Copyright (C) 1997, Joerg Wunsch.
12 *
13 * RFC2472 IPv6CP support.
14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun@iijlab.net>.
15 *
16 * Redistribution and use in source and binary forms, with or without
17 * modification, are permitted provided that the following conditions are met:
18 * 1. Redistributions of source code must retain the above copyright notice,
19 * this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright notice,
21 * this list of conditions and the following disclaimer in the documentation
22 * and/or other materials provided with the distribution.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY
25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE
28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
34 * POSSIBILITY OF SUCH DAMAGE.
35 *
36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997
37 *
38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp
39 *
40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp
41 */
42
43 #include <sys/cdefs.h>
44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.146 2016/07/07 09:32:02 ozaki-r Exp $");
45
46 #if defined(_KERNEL_OPT)
47 #include "opt_inet.h"
48 #include "opt_modular.h"
49 #include "opt_compat_netbsd.h"
50 #endif
51
52
53 #include <sys/param.h>
54 #include <sys/proc.h>
55 #include <sys/systm.h>
56 #include <sys/kernel.h>
57 #include <sys/sockio.h>
58 #include <sys/socket.h>
59 #include <sys/syslog.h>
60 #include <sys/malloc.h>
61 #include <sys/mbuf.h>
62 #include <sys/callout.h>
63 #include <sys/md5.h>
64 #include <sys/inttypes.h>
65 #include <sys/kauth.h>
66 #include <sys/cprng.h>
67
68 #include <net/if.h>
69 #include <net/netisr.h>
70 #include <net/if_types.h>
71 #include <net/route.h>
72 #include <net/ppp_defs.h>
73
74 #include <netinet/in.h>
75 #include <netinet/in_systm.h>
76 #include <netinet/in_var.h>
77 #ifdef INET
78 #include <netinet/ip.h>
79 #include <netinet/tcp.h>
80 #endif
81 #include <net/ethertypes.h>
82
83 #ifdef INET6
84 #include <netinet6/scope6_var.h>
85 #endif
86
87 #include <net/if_sppp.h>
88 #include <net/if_spppvar.h>
89
90 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */
91 #define LOOPALIVECNT 3 /* loopback detection tries */
92 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */
93 #define DEFAULT_NORECV_TIME 15 /* before we get worried */
94 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */
95
96 /*
97 * Interface flags that can be set in an ifconfig command.
98 *
99 * Setting link0 will make the link passive, i.e. it will be marked
100 * as being administrative openable, but won't be opened to begin
101 * with. Incoming calls will be answered, or subsequent calls with
102 * -link1 will cause the administrative open of the LCP layer.
103 *
104 * Setting link1 will cause the link to auto-dial only as packets
105 * arrive to be sent.
106 *
107 * Setting IFF_DEBUG will syslog the option negotiation and state
108 * transitions at level kern.debug. Note: all logs consistently look
109 * like
110 *
111 * <if-name><unit>: <proto-name> <additional info...>
112 *
113 * with <if-name><unit> being something like "bppp0", and <proto-name>
114 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc.
115 */
116
117 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */
118 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */
119
120 #define CONF_REQ 1 /* PPP configure request */
121 #define CONF_ACK 2 /* PPP configure acknowledge */
122 #define CONF_NAK 3 /* PPP configure negative ack */
123 #define CONF_REJ 4 /* PPP configure reject */
124 #define TERM_REQ 5 /* PPP terminate request */
125 #define TERM_ACK 6 /* PPP terminate acknowledge */
126 #define CODE_REJ 7 /* PPP code reject */
127 #define PROTO_REJ 8 /* PPP protocol reject */
128 #define ECHO_REQ 9 /* PPP echo request */
129 #define ECHO_REPLY 10 /* PPP echo reply */
130 #define DISC_REQ 11 /* PPP discard request */
131
132 #define LCP_OPT_MRU 1 /* maximum receive unit */
133 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */
134 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */
135 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */
136 #define LCP_OPT_MAGIC 5 /* magic number */
137 #define LCP_OPT_RESERVED 6 /* reserved */
138 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */
139 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */
140
141 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */
142 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */
143 #define IPCP_OPT_ADDRESS 3 /* local IP address */
144 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */
145 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */
146
147 #define IPV6CP_OPT_IFID 1 /* interface identifier */
148 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */
149
150 #define PAP_REQ 1 /* PAP name/password request */
151 #define PAP_ACK 2 /* PAP acknowledge */
152 #define PAP_NAK 3 /* PAP fail */
153
154 #define CHAP_CHALLENGE 1 /* CHAP challenge request */
155 #define CHAP_RESPONSE 2 /* CHAP challenge response */
156 #define CHAP_SUCCESS 3 /* CHAP response ok */
157 #define CHAP_FAILURE 4 /* CHAP response failed */
158
159 #define CHAP_MD5 5 /* hash algorithm - MD5 */
160
161 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */
162 #define CISCO_UNICAST 0x0f /* Cisco unicast address */
163 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */
164 #define CISCO_ADDR_REQ 0 /* Cisco address request */
165 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */
166 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */
167
168 /* states are named and numbered according to RFC 1661 */
169 #define STATE_INITIAL 0
170 #define STATE_STARTING 1
171 #define STATE_CLOSED 2
172 #define STATE_STOPPED 3
173 #define STATE_CLOSING 4
174 #define STATE_STOPPING 5
175 #define STATE_REQ_SENT 6
176 #define STATE_ACK_RCVD 7
177 #define STATE_ACK_SENT 8
178 #define STATE_OPENED 9
179
180 struct ppp_header {
181 uint8_t address;
182 uint8_t control;
183 uint16_t protocol;
184 } __packed;
185 #define PPP_HEADER_LEN sizeof (struct ppp_header)
186
187 struct lcp_header {
188 uint8_t type;
189 uint8_t ident;
190 uint16_t len;
191 } __packed;
192 #define LCP_HEADER_LEN sizeof (struct lcp_header)
193
194 struct cisco_packet {
195 uint32_t type;
196 uint32_t par1;
197 uint32_t par2;
198 uint16_t rel;
199 uint16_t time0;
200 uint16_t time1;
201 } __packed;
202 #define CISCO_PACKET_LEN 18
203
204 /*
205 * We follow the spelling and capitalization of RFC 1661 here, to make
206 * it easier comparing with the standard. Please refer to this RFC in
207 * case you can't make sense out of these abbreviation; it will also
208 * explain the semantics related to the various events and actions.
209 */
210 struct cp {
211 u_short proto; /* PPP control protocol number */
212 u_char protoidx; /* index into state table in struct sppp */
213 u_char flags;
214 #define CP_LCP 0x01 /* this is the LCP */
215 #define CP_AUTH 0x02 /* this is an authentication protocol */
216 #define CP_NCP 0x04 /* this is a NCP */
217 #define CP_QUAL 0x08 /* this is a quality reporting protocol */
218 const char *name; /* name of this control protocol */
219 /* event handlers */
220 void (*Up)(struct sppp *sp);
221 void (*Down)(struct sppp *sp);
222 void (*Open)(struct sppp *sp);
223 void (*Close)(struct sppp *sp);
224 void (*TO)(void *sp);
225 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len);
226 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len);
227 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len);
228 /* actions */
229 void (*tlu)(struct sppp *sp);
230 void (*tld)(struct sppp *sp);
231 void (*tls)(struct sppp *sp);
232 void (*tlf)(struct sppp *sp);
233 void (*scr)(struct sppp *sp);
234 };
235
236 static struct sppp *spppq;
237 static callout_t keepalive_ch;
238
239 #ifdef INET
240 /*
241 * The following disgusting hack gets around the problem that IP TOS
242 * can't be set yet. We want to put "interactive" traffic on a high
243 * priority queue. To decide if traffic is interactive, we check that
244 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control.
245 *
246 * XXX is this really still necessary? - joerg -
247 */
248 static u_short interactive_ports[8] = {
249 0, 513, 0, 0,
250 0, 21, 0, 23,
251 };
252 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p))
253 #endif
254
255 /* almost every function needs these */
256 #define STDDCL \
257 struct ifnet *ifp = &sp->pp_if; \
258 int debug = ifp->if_flags & IFF_DEBUG
259
260 static int sppp_output(struct ifnet *ifp, struct mbuf *m,
261 const struct sockaddr *dst, const struct rtentry *rt);
262
263 static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2);
264 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m);
265
266 static void sppp_cp_input(const struct cp *cp, struct sppp *sp,
267 struct mbuf *m);
268 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type,
269 u_char ident, u_short len, void *data);
270 /* static void sppp_cp_timeout(void *arg); */
271 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp,
272 int newstate);
273 static void sppp_auth_send(const struct cp *cp,
274 struct sppp *sp, unsigned int type, unsigned int id,
275 ...);
276
277 static void sppp_up_event(const struct cp *cp, struct sppp *sp);
278 static void sppp_down_event(const struct cp *cp, struct sppp *sp);
279 static void sppp_open_event(const struct cp *cp, struct sppp *sp);
280 static void sppp_close_event(const struct cp *cp, struct sppp *sp);
281 static void sppp_to_event(const struct cp *cp, struct sppp *sp);
282
283 static void sppp_null(struct sppp *sp);
284
285 static void sppp_lcp_init(struct sppp *sp);
286 static void sppp_lcp_up(struct sppp *sp);
287 static void sppp_lcp_down(struct sppp *sp);
288 static void sppp_lcp_open(struct sppp *sp);
289 static void sppp_lcp_close(struct sppp *sp);
290 static void sppp_lcp_TO(void *sp);
291 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len);
292 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len);
293 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len);
294 static void sppp_lcp_tlu(struct sppp *sp);
295 static void sppp_lcp_tld(struct sppp *sp);
296 static void sppp_lcp_tls(struct sppp *sp);
297 static void sppp_lcp_tlf(struct sppp *sp);
298 static void sppp_lcp_scr(struct sppp *sp);
299 static void sppp_lcp_check_and_close(struct sppp *sp);
300 static int sppp_ncp_check(struct sppp *sp);
301
302 static void sppp_ipcp_init(struct sppp *sp);
303 static void sppp_ipcp_up(struct sppp *sp);
304 static void sppp_ipcp_down(struct sppp *sp);
305 static void sppp_ipcp_open(struct sppp *sp);
306 static void sppp_ipcp_close(struct sppp *sp);
307 static void sppp_ipcp_TO(void *sp);
308 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len);
309 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len);
310 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len);
311 static void sppp_ipcp_tlu(struct sppp *sp);
312 static void sppp_ipcp_tld(struct sppp *sp);
313 static void sppp_ipcp_tls(struct sppp *sp);
314 static void sppp_ipcp_tlf(struct sppp *sp);
315 static void sppp_ipcp_scr(struct sppp *sp);
316
317 static void sppp_ipv6cp_init(struct sppp *sp);
318 static void sppp_ipv6cp_up(struct sppp *sp);
319 static void sppp_ipv6cp_down(struct sppp *sp);
320 static void sppp_ipv6cp_open(struct sppp *sp);
321 static void sppp_ipv6cp_close(struct sppp *sp);
322 static void sppp_ipv6cp_TO(void *sp);
323 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len);
324 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len);
325 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len);
326 static void sppp_ipv6cp_tlu(struct sppp *sp);
327 static void sppp_ipv6cp_tld(struct sppp *sp);
328 static void sppp_ipv6cp_tls(struct sppp *sp);
329 static void sppp_ipv6cp_tlf(struct sppp *sp);
330 static void sppp_ipv6cp_scr(struct sppp *sp);
331
332 static void sppp_pap_input(struct sppp *sp, struct mbuf *m);
333 static void sppp_pap_init(struct sppp *sp);
334 static void sppp_pap_open(struct sppp *sp);
335 static void sppp_pap_close(struct sppp *sp);
336 static void sppp_pap_TO(void *sp);
337 static void sppp_pap_my_TO(void *sp);
338 static void sppp_pap_tlu(struct sppp *sp);
339 static void sppp_pap_tld(struct sppp *sp);
340 static void sppp_pap_scr(struct sppp *sp);
341
342 static void sppp_chap_input(struct sppp *sp, struct mbuf *m);
343 static void sppp_chap_init(struct sppp *sp);
344 static void sppp_chap_open(struct sppp *sp);
345 static void sppp_chap_close(struct sppp *sp);
346 static void sppp_chap_TO(void *sp);
347 static void sppp_chap_tlu(struct sppp *sp);
348 static void sppp_chap_tld(struct sppp *sp);
349 static void sppp_chap_scr(struct sppp *sp);
350
351 static const char *sppp_auth_type_name(u_short proto, u_char type);
352 static const char *sppp_cp_type_name(u_char type);
353 static const char *sppp_dotted_quad(uint32_t addr);
354 static const char *sppp_ipcp_opt_name(u_char opt);
355 #ifdef INET6
356 static const char *sppp_ipv6cp_opt_name(u_char opt);
357 #endif
358 static const char *sppp_lcp_opt_name(u_char opt);
359 static const char *sppp_phase_name(int phase);
360 static const char *sppp_proto_name(u_short proto);
361 static const char *sppp_state_name(int state);
362 static int sppp_params(struct sppp *sp, u_long cmd, void *data);
363 #ifdef INET
364 static void sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst,
365 uint32_t *srcmask);
366 static void sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr);
367 static void sppp_clear_ip_addrs(struct sppp *sp);
368 #endif
369 static void sppp_keepalive(void *dummy);
370 static void sppp_phase_network(struct sppp *sp);
371 static void sppp_print_bytes(const u_char *p, u_short len);
372 static void sppp_print_string(const char *p, u_short len);
373 #ifdef INET6
374 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src,
375 struct in6_addr *dst, struct in6_addr *srcmask);
376 #ifdef IPV6CP_MYIFID_DYN
377 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src);
378 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src);
379 #endif
380 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src);
381 #endif
382
383 /* our control protocol descriptors */
384 static const struct cp lcp = {
385 PPP_LCP, IDX_LCP, CP_LCP, "lcp",
386 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close,
387 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak,
388 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf,
389 sppp_lcp_scr
390 };
391
392 static const struct cp ipcp = {
393 PPP_IPCP, IDX_IPCP,
394 #ifdef INET
395 CP_NCP, /*don't run IPCP if there's no IPv4 support*/
396 #else
397 0,
398 #endif
399 "ipcp",
400 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close,
401 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak,
402 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf,
403 sppp_ipcp_scr
404 };
405
406 static const struct cp ipv6cp = {
407 PPP_IPV6CP, IDX_IPV6CP,
408 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/
409 CP_NCP,
410 #else
411 0,
412 #endif
413 "ipv6cp",
414 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close,
415 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak,
416 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf,
417 sppp_ipv6cp_scr
418 };
419
420 static const struct cp pap = {
421 PPP_PAP, IDX_PAP, CP_AUTH, "pap",
422 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close,
423 sppp_pap_TO, 0, 0, 0,
424 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null,
425 sppp_pap_scr
426 };
427
428 static const struct cp chap = {
429 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap",
430 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close,
431 sppp_chap_TO, 0, 0, 0,
432 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null,
433 sppp_chap_scr
434 };
435
436 static const struct cp *cps[IDX_COUNT] = {
437 &lcp, /* IDX_LCP */
438 &ipcp, /* IDX_IPCP */
439 &ipv6cp, /* IDX_IPV6CP */
440 &pap, /* IDX_PAP */
441 &chap, /* IDX_CHAP */
442 };
443
444
445 /*
446 * Exported functions, comprising our interface to the lower layer.
447 */
448
449 /*
450 * Process the received packet.
451 */
452 void
sppp_input(struct ifnet * ifp,struct mbuf * m)453 sppp_input(struct ifnet *ifp, struct mbuf *m)
454 {
455 struct ppp_header *h = NULL;
456 pktqueue_t *pktq = NULL;
457 struct ifqueue *inq = NULL;
458 uint16_t protocol;
459 int s;
460 struct sppp *sp = (struct sppp *)ifp;
461 int debug = ifp->if_flags & IFF_DEBUG;
462 int isr = 0;
463
464 if (ifp->if_flags & IFF_UP) {
465 /* Count received bytes, add hardware framing */
466 ifp->if_ibytes += m->m_pkthdr.len + sp->pp_framebytes;
467 /* Note time of last receive */
468 sp->pp_last_receive = time_uptime;
469 }
470
471 if (m->m_pkthdr.len <= PPP_HEADER_LEN) {
472 /* Too small packet, drop it. */
473 if (debug)
474 log(LOG_DEBUG,
475 "%s: input packet is too small, %d bytes\n",
476 ifp->if_xname, m->m_pkthdr.len);
477 drop:
478 ++ifp->if_ierrors;
479 ++ifp->if_iqdrops;
480 m_freem(m);
481 return;
482 }
483
484 if (sp->pp_flags & PP_NOFRAMING) {
485 memcpy(&protocol, mtod(m, void *), 2);
486 protocol = ntohs(protocol);
487 m_adj(m, 2);
488 } else {
489
490 /* Get PPP header. */
491 h = mtod(m, struct ppp_header *);
492 m_adj(m, PPP_HEADER_LEN);
493
494 switch (h->address) {
495 case PPP_ALLSTATIONS:
496 if (h->control != PPP_UI)
497 goto invalid;
498 if (sp->pp_flags & PP_CISCO) {
499 if (debug)
500 log(LOG_DEBUG,
501 "%s: PPP packet in Cisco mode "
502 "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
503 ifp->if_xname,
504 h->address, h->control, ntohs(h->protocol));
505 goto drop;
506 }
507 break;
508 case CISCO_MULTICAST:
509 case CISCO_UNICAST:
510 /* Don't check the control field here (RFC 1547). */
511 if (! (sp->pp_flags & PP_CISCO)) {
512 if (debug)
513 log(LOG_DEBUG,
514 "%s: Cisco packet in PPP mode "
515 "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
516 ifp->if_xname,
517 h->address, h->control, ntohs(h->protocol));
518 goto drop;
519 }
520 switch (ntohs(h->protocol)) {
521 default:
522 ++ifp->if_noproto;
523 goto invalid;
524 case CISCO_KEEPALIVE:
525 sppp_cisco_input((struct sppp *) ifp, m);
526 m_freem(m);
527 return;
528 #ifdef INET
529 case ETHERTYPE_IP:
530 pktq = ip_pktq;
531 break;
532 #endif
533 #ifdef INET6
534 case ETHERTYPE_IPV6:
535 pktq = ip6_pktq;
536 break;
537 #endif
538 }
539 goto queue_pkt;
540 default: /* Invalid PPP packet. */
541 invalid:
542 if (debug)
543 log(LOG_DEBUG,
544 "%s: invalid input packet "
545 "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
546 ifp->if_xname,
547 h->address, h->control, ntohs(h->protocol));
548 goto drop;
549 }
550 protocol = ntohs(h->protocol);
551 }
552
553 switch (protocol) {
554 default:
555 if (sp->state[IDX_LCP] == STATE_OPENED) {
556 uint16_t prot = htons(protocol);
557 sppp_cp_send(sp, PPP_LCP, PROTO_REJ,
558 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2,
559 &prot);
560 }
561 if (debug)
562 log(LOG_DEBUG,
563 "%s: invalid input protocol "
564 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol));
565 ++ifp->if_noproto;
566 goto drop;
567 case PPP_LCP:
568 sppp_cp_input(&lcp, sp, m);
569 m_freem(m);
570 return;
571 case PPP_PAP:
572 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE)
573 sppp_pap_input(sp, m);
574 m_freem(m);
575 return;
576 case PPP_CHAP:
577 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE)
578 sppp_chap_input(sp, m);
579 m_freem(m);
580 return;
581 #ifdef INET
582 case PPP_IPCP:
583 if (sp->pp_phase == SPPP_PHASE_NETWORK)
584 sppp_cp_input(&ipcp, sp, m);
585 m_freem(m);
586 return;
587 case PPP_IP:
588 if (sp->state[IDX_IPCP] == STATE_OPENED) {
589 sp->pp_last_activity = time_uptime;
590 pktq = ip_pktq;
591 }
592 break;
593 #endif
594 #ifdef INET6
595 case PPP_IPV6CP:
596 if (sp->pp_phase == SPPP_PHASE_NETWORK)
597 sppp_cp_input(&ipv6cp, sp, m);
598 m_freem(m);
599 return;
600
601 case PPP_IPV6:
602 if (sp->state[IDX_IPV6CP] == STATE_OPENED) {
603 sp->pp_last_activity = time_uptime;
604 pktq = ip6_pktq;
605 }
606 break;
607 #endif
608 }
609
610 queue_pkt:
611 if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) {
612 goto drop;
613 }
614
615 /* Check queue. */
616 if (__predict_true(pktq)) {
617 if (__predict_false(!pktq_enqueue(pktq, m, 0))) {
618 goto drop;
619 }
620 return;
621 }
622
623 s = splnet();
624 if (IF_QFULL(inq)) {
625 /* Queue overflow. */
626 IF_DROP(inq);
627 splx(s);
628 if (debug)
629 log(LOG_DEBUG, "%s: protocol queue overflow\n",
630 ifp->if_xname);
631 goto drop;
632 }
633 IF_ENQUEUE(inq, m);
634 schednetisr(isr);
635 splx(s);
636 }
637
638 /*
639 * Enqueue transmit packet.
640 */
641 static int
sppp_output(struct ifnet * ifp,struct mbuf * m,const struct sockaddr * dst,const struct rtentry * rt)642 sppp_output(struct ifnet *ifp, struct mbuf *m,
643 const struct sockaddr *dst, const struct rtentry *rt)
644 {
645 struct sppp *sp = (struct sppp *) ifp;
646 struct ppp_header *h = NULL;
647 struct ifqueue *ifq = NULL; /* XXX */
648 int s, error = 0;
649 uint16_t protocol;
650
651 s = splnet();
652
653 sp->pp_last_activity = time_uptime;
654
655 if ((ifp->if_flags & IFF_UP) == 0 ||
656 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) {
657 m_freem(m);
658 splx(s);
659 return (ENETDOWN);
660 }
661
662 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) {
663 /*
664 * Interface is not yet running, but auto-dial. Need
665 * to start LCP for it.
666 */
667 ifp->if_flags |= IFF_RUNNING;
668 splx(s);
669 lcp.Open(sp);
670 s = splnet();
671 }
672
673 /*
674 * If the queueing discipline needs packet classification,
675 * do it before prepending link headers.
676 */
677 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family);
678
679 #ifdef INET
680 if (dst->sa_family == AF_INET) {
681 struct ip *ip = NULL;
682 struct tcphdr *th = NULL;
683
684 if (m->m_len >= sizeof(struct ip)) {
685 ip = mtod(m, struct ip *);
686 if (ip->ip_p == IPPROTO_TCP &&
687 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) +
688 sizeof(struct tcphdr)) {
689 th = (struct tcphdr *)
690 ((char *)ip + (ip->ip_hl << 2));
691 }
692 } else
693 ip = NULL;
694
695 /*
696 * When using dynamic local IP address assignment by using
697 * 0.0.0.0 as a local address, the first TCP session will
698 * not connect because the local TCP checksum is computed
699 * using 0.0.0.0 which will later become our real IP address
700 * so the TCP checksum computed at the remote end will
701 * become invalid. So we
702 * - don't let packets with src ip addr 0 thru
703 * - we flag TCP packets with src ip 0 as an error
704 */
705 if (ip && ip->ip_src.s_addr == INADDR_ANY) {
706 uint8_t proto = ip->ip_p;
707
708 m_freem(m);
709 splx(s);
710 if (proto == IPPROTO_TCP)
711 return (EADDRNOTAVAIL);
712 else
713 return (0);
714 }
715
716 /*
717 * Put low delay, telnet, rlogin and ftp control packets
718 * in front of the queue.
719 */
720
721 if (!IF_QFULL(&sp->pp_fastq) &&
722 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) ||
723 (th && (INTERACTIVE(ntohs(th->th_sport)) ||
724 INTERACTIVE(ntohs(th->th_dport))))))
725 ifq = &sp->pp_fastq;
726 }
727 #endif
728
729 #ifdef INET6
730 if (dst->sa_family == AF_INET6) {
731 /* XXX do something tricky here? */
732 }
733 #endif
734
735 if ((sp->pp_flags & PP_NOFRAMING) == 0) {
736 /*
737 * Prepend general data packet PPP header. For now, IP only.
738 */
739 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT);
740 if (! m) {
741 if (ifp->if_flags & IFF_DEBUG)
742 log(LOG_DEBUG, "%s: no memory for transmit header\n",
743 ifp->if_xname);
744 ++ifp->if_oerrors;
745 splx(s);
746 return (ENOBUFS);
747 }
748 /*
749 * May want to check size of packet
750 * (albeit due to the implementation it's always enough)
751 */
752 h = mtod(m, struct ppp_header *);
753 if (sp->pp_flags & PP_CISCO) {
754 h->address = CISCO_UNICAST; /* unicast address */
755 h->control = 0;
756 } else {
757 h->address = PPP_ALLSTATIONS; /* broadcast address */
758 h->control = PPP_UI; /* Unnumbered Info */
759 }
760 }
761
762 switch (dst->sa_family) {
763 #ifdef INET
764 case AF_INET: /* Internet Protocol */
765 if (sp->pp_flags & PP_CISCO)
766 protocol = htons(ETHERTYPE_IP);
767 else {
768 /*
769 * Don't choke with an ENETDOWN early. It's
770 * possible that we just started dialing out,
771 * so don't drop the packet immediately. If
772 * we notice that we run out of buffer space
773 * below, we will however remember that we are
774 * not ready to carry IP packets, and return
775 * ENETDOWN, as opposed to ENOBUFS.
776 */
777 protocol = htons(PPP_IP);
778 if (sp->state[IDX_IPCP] != STATE_OPENED)
779 error = ENETDOWN;
780 }
781 break;
782 #endif
783 #ifdef INET6
784 case AF_INET6: /* Internet Protocol version 6 */
785 if (sp->pp_flags & PP_CISCO)
786 protocol = htons(ETHERTYPE_IPV6);
787 else {
788 /*
789 * Don't choke with an ENETDOWN early. It's
790 * possible that we just started dialing out,
791 * so don't drop the packet immediately. If
792 * we notice that we run out of buffer space
793 * below, we will however remember that we are
794 * not ready to carry IP packets, and return
795 * ENETDOWN, as opposed to ENOBUFS.
796 */
797 protocol = htons(PPP_IPV6);
798 if (sp->state[IDX_IPV6CP] != STATE_OPENED)
799 error = ENETDOWN;
800 }
801 break;
802 #endif
803 default:
804 m_freem(m);
805 ++ifp->if_oerrors;
806 splx(s);
807 return (EAFNOSUPPORT);
808 }
809
810 if (sp->pp_flags & PP_NOFRAMING) {
811 M_PREPEND(m, 2, M_DONTWAIT);
812 if (m == NULL) {
813 if (ifp->if_flags & IFF_DEBUG)
814 log(LOG_DEBUG, "%s: no memory for transmit header\n",
815 ifp->if_xname);
816 ++ifp->if_oerrors;
817 splx(s);
818 return (ENOBUFS);
819 }
820 *mtod(m, uint16_t *) = protocol;
821 } else {
822 h->protocol = protocol;
823 }
824
825
826 error = ifq_enqueue2(ifp, ifq, m);
827
828 if (error == 0) {
829 /*
830 * Count output packets and bytes.
831 * The packet length includes header + additional hardware
832 * framing according to RFC 1333.
833 */
834 if (!(ifp->if_flags & IFF_OACTIVE))
835 if_start_lock(ifp);
836 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes;
837 }
838 splx(s);
839 return error;
840 }
841
842 void
sppp_attach(struct ifnet * ifp)843 sppp_attach(struct ifnet *ifp)
844 {
845 struct sppp *sp = (struct sppp *) ifp;
846
847 /* Initialize keepalive handler. */
848 if (! spppq) {
849 callout_init(&keepalive_ch, 0);
850 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL);
851 }
852
853 /* Insert new entry into the keepalive list. */
854 sp->pp_next = spppq;
855 spppq = sp;
856
857 sp->pp_if.if_type = IFT_PPP;
858 sp->pp_if.if_output = sppp_output;
859 sp->pp_fastq.ifq_maxlen = 32;
860 sp->pp_cpq.ifq_maxlen = 20;
861 sp->pp_loopcnt = 0;
862 sp->pp_alivecnt = 0;
863 sp->pp_last_activity = 0;
864 sp->pp_last_receive = 0;
865 sp->pp_maxalive = DEFAULT_MAXALIVECNT;
866 sp->pp_max_noreceive = DEFAULT_NORECV_TIME;
867 sp->pp_idle_timeout = 0;
868 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq));
869 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq));
870 sp->pp_auth_failures = 0;
871 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES;
872 sp->pp_phase = SPPP_PHASE_DEAD;
873 sp->pp_up = lcp.Up;
874 sp->pp_down = lcp.Down;
875
876 if_alloc_sadl(ifp);
877
878 memset(&sp->myauth, 0, sizeof sp->myauth);
879 memset(&sp->hisauth, 0, sizeof sp->hisauth);
880 sppp_lcp_init(sp);
881 sppp_ipcp_init(sp);
882 sppp_ipv6cp_init(sp);
883 sppp_pap_init(sp);
884 sppp_chap_init(sp);
885 }
886
887 void
sppp_detach(struct ifnet * ifp)888 sppp_detach(struct ifnet *ifp)
889 {
890 struct sppp **q, *p, *sp = (struct sppp *) ifp;
891
892 /* Remove the entry from the keepalive list. */
893 for (q = &spppq; (p = *q); q = &p->pp_next)
894 if (p == sp) {
895 *q = p->pp_next;
896 break;
897 }
898
899 /* Stop keepalive handler. */
900 if (! spppq) {
901 callout_stop(&keepalive_ch);
902 }
903
904 callout_stop(&sp->ch[IDX_LCP]);
905 callout_stop(&sp->ch[IDX_IPCP]);
906 callout_stop(&sp->ch[IDX_PAP]);
907 callout_stop(&sp->ch[IDX_CHAP]);
908 #ifdef INET6
909 callout_stop(&sp->ch[IDX_IPV6CP]);
910 #endif
911 callout_stop(&sp->pap_my_to_ch);
912
913 /* free authentication info */
914 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF);
915 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF);
916 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF);
917 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF);
918 }
919
920 /*
921 * Flush the interface output queue.
922 */
923 void
sppp_flush(struct ifnet * ifp)924 sppp_flush(struct ifnet *ifp)
925 {
926 struct sppp *sp = (struct sppp *) ifp;
927
928 IFQ_PURGE(&sp->pp_if.if_snd);
929 IF_PURGE(&sp->pp_fastq);
930 IF_PURGE(&sp->pp_cpq);
931 }
932
933 /*
934 * Check if the output queue is empty.
935 */
936 int
sppp_isempty(struct ifnet * ifp)937 sppp_isempty(struct ifnet *ifp)
938 {
939 struct sppp *sp = (struct sppp *) ifp;
940 int empty, s;
941
942 s = splnet();
943 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) &&
944 IFQ_IS_EMPTY(&sp->pp_if.if_snd);
945 splx(s);
946 return (empty);
947 }
948
949 /*
950 * Get next packet to send.
951 */
952 struct mbuf *
sppp_dequeue(struct ifnet * ifp)953 sppp_dequeue(struct ifnet *ifp)
954 {
955 struct sppp *sp = (struct sppp *) ifp;
956 struct mbuf *m;
957 int s;
958
959 s = splnet();
960 /*
961 * Process only the control protocol queue until we have at
962 * least one NCP open.
963 *
964 * Do always serve all three queues in Cisco mode.
965 */
966 IF_DEQUEUE(&sp->pp_cpq, m);
967 if (m == NULL &&
968 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) {
969 IF_DEQUEUE(&sp->pp_fastq, m);
970 if (m == NULL)
971 IFQ_DEQUEUE(&sp->pp_if.if_snd, m);
972 }
973 splx(s);
974 return m;
975 }
976
977 /*
978 * Process an ioctl request. Called on low priority level.
979 */
980 int
sppp_ioctl(struct ifnet * ifp,u_long cmd,void * data)981 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data)
982 {
983 struct lwp *l = curlwp; /* XXX */
984 struct ifreq *ifr = (struct ifreq *) data;
985 struct ifaddr *ifa = (struct ifaddr *) data;
986 struct sppp *sp = (struct sppp *) ifp;
987 int s, error=0, going_up, going_down, newmode;
988
989 s = splnet();
990 switch (cmd) {
991 case SIOCINITIFADDR:
992 ifa->ifa_rtrequest = p2p_rtrequest;
993 break;
994
995 case SIOCSIFFLAGS:
996 if ((error = ifioctl_common(ifp, cmd, data)) != 0)
997 break;
998 going_up = ifp->if_flags & IFF_UP &&
999 (ifp->if_flags & IFF_RUNNING) == 0;
1000 going_down = (ifp->if_flags & IFF_UP) == 0 &&
1001 ifp->if_flags & IFF_RUNNING;
1002 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE);
1003 if (newmode == (IFF_AUTO | IFF_PASSIVE)) {
1004 /* sanity */
1005 newmode = IFF_PASSIVE;
1006 ifp->if_flags &= ~IFF_AUTO;
1007 }
1008
1009 if (going_up || going_down)
1010 lcp.Close(sp);
1011 if (going_up && newmode == 0) {
1012 /* neither auto-dial nor passive */
1013 ifp->if_flags |= IFF_RUNNING;
1014 if (!(sp->pp_flags & PP_CISCO))
1015 lcp.Open(sp);
1016 } else if (going_down) {
1017 sppp_flush(ifp);
1018 ifp->if_flags &= ~IFF_RUNNING;
1019 }
1020
1021 break;
1022
1023 case SIOCSIFMTU:
1024 if (ifr->ifr_mtu < PPP_MINMRU ||
1025 ifr->ifr_mtu > sp->lcp.their_mru) {
1026 error = EINVAL;
1027 break;
1028 }
1029 /*FALLTHROUGH*/
1030 case SIOCGIFMTU:
1031 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET)
1032 error = 0;
1033 break;
1034 case SIOCADDMULTI:
1035 case SIOCDELMULTI:
1036 break;
1037
1038 case SPPPSETAUTHCFG:
1039 case SPPPSETLCPCFG:
1040 case SPPPSETIDLETO:
1041 case SPPPSETAUTHFAILURE:
1042 case SPPPSETDNSOPTS:
1043 case SPPPSETKEEPALIVE:
1044 #if defined(COMPAT_50) || defined(MODULAR)
1045 case __SPPPSETIDLETO50:
1046 case __SPPPSETKEEPALIVE50:
1047 #endif /* COMPAT_50 || MODULAR */
1048 error = kauth_authorize_network(l->l_cred,
1049 KAUTH_NETWORK_INTERFACE,
1050 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd,
1051 NULL);
1052 if (error)
1053 break;
1054 error = sppp_params(sp, cmd, data);
1055 break;
1056
1057 case SPPPGETAUTHCFG:
1058 case SPPPGETLCPCFG:
1059 case SPPPGETAUTHFAILURES:
1060 error = kauth_authorize_network(l->l_cred,
1061 KAUTH_NETWORK_INTERFACE,
1062 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd,
1063 NULL);
1064 if (error)
1065 break;
1066 error = sppp_params(sp, cmd, data);
1067 break;
1068
1069 case SPPPGETSTATUS:
1070 case SPPPGETSTATUSNCP:
1071 case SPPPGETIDLETO:
1072 case SPPPGETDNSOPTS:
1073 case SPPPGETDNSADDRS:
1074 case SPPPGETKEEPALIVE:
1075 #if defined(COMPAT_50) || defined(MODULAR)
1076 case __SPPPGETIDLETO50:
1077 case __SPPPGETKEEPALIVE50:
1078 #endif /* COMPAT_50 || MODULAR */
1079 error = sppp_params(sp, cmd, data);
1080 break;
1081
1082 default:
1083 error = ifioctl_common(ifp, cmd, data);
1084 break;
1085 }
1086 splx(s);
1087 return (error);
1088 }
1089
1090
1091 /*
1092 * Cisco framing implementation.
1093 */
1094
1095 /*
1096 * Handle incoming Cisco keepalive protocol packets.
1097 */
1098 static void
sppp_cisco_input(struct sppp * sp,struct mbuf * m)1099 sppp_cisco_input(struct sppp *sp, struct mbuf *m)
1100 {
1101 STDDCL;
1102 struct cisco_packet *h;
1103 #ifdef INET
1104 uint32_t me, mymask = 0; /* XXX: GCC */
1105 #endif
1106
1107 if (m->m_pkthdr.len < CISCO_PACKET_LEN) {
1108 if (debug)
1109 log(LOG_DEBUG,
1110 "%s: cisco invalid packet length: %d bytes\n",
1111 ifp->if_xname, m->m_pkthdr.len);
1112 return;
1113 }
1114 h = mtod(m, struct cisco_packet *);
1115 if (debug)
1116 log(LOG_DEBUG,
1117 "%s: cisco input: %d bytes "
1118 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n",
1119 ifp->if_xname, m->m_pkthdr.len,
1120 ntohl(h->type), h->par1, h->par2, (u_int)h->rel,
1121 (u_int)h->time0, (u_int)h->time1);
1122 switch (ntohl(h->type)) {
1123 default:
1124 if (debug)
1125 addlog("%s: cisco unknown packet type: 0x%x\n",
1126 ifp->if_xname, ntohl(h->type));
1127 break;
1128 case CISCO_ADDR_REPLY:
1129 /* Reply on address request, ignore */
1130 break;
1131 case CISCO_KEEPALIVE_REQ:
1132 sp->pp_alivecnt = 0;
1133 sp->pp_rseq[IDX_LCP] = ntohl(h->par1);
1134 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) {
1135 /* Local and remote sequence numbers are equal.
1136 * Probably, the line is in loopback mode. */
1137 if (sp->pp_loopcnt >= LOOPALIVECNT) {
1138 printf ("%s: loopback\n",
1139 ifp->if_xname);
1140 sp->pp_loopcnt = 0;
1141 if (ifp->if_flags & IFF_UP) {
1142 if_down(ifp);
1143 IF_PURGE(&sp->pp_cpq);
1144 }
1145 }
1146 ++sp->pp_loopcnt;
1147
1148 /* Generate new local sequence number */
1149 sp->pp_seq[IDX_LCP] = cprng_fast32();
1150 break;
1151 }
1152 sp->pp_loopcnt = 0;
1153 if (! (ifp->if_flags & IFF_UP) &&
1154 (ifp->if_flags & IFF_RUNNING)) {
1155 if_up(ifp);
1156 }
1157 break;
1158 case CISCO_ADDR_REQ:
1159 #ifdef INET
1160 sppp_get_ip_addrs(sp, &me, 0, &mymask);
1161 if (me != 0L)
1162 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask);
1163 #endif
1164 break;
1165 }
1166 }
1167
1168 /*
1169 * Send Cisco keepalive packet.
1170 */
1171 static void
sppp_cisco_send(struct sppp * sp,int type,int32_t par1,int32_t par2)1172 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2)
1173 {
1174 STDDCL;
1175 struct ppp_header *h;
1176 struct cisco_packet *ch;
1177 struct mbuf *m;
1178 uint32_t t;
1179
1180 t = time_uptime * 1000;
1181 MGETHDR(m, M_DONTWAIT, MT_DATA);
1182 if (! m)
1183 return;
1184 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN;
1185 m_reset_rcvif(m);
1186
1187 h = mtod(m, struct ppp_header *);
1188 h->address = CISCO_MULTICAST;
1189 h->control = 0;
1190 h->protocol = htons(CISCO_KEEPALIVE);
1191
1192 ch = (struct cisco_packet *)(h + 1);
1193 ch->type = htonl(type);
1194 ch->par1 = htonl(par1);
1195 ch->par2 = htonl(par2);
1196 ch->rel = -1;
1197
1198 ch->time0 = htons((u_short)(t >> 16));
1199 ch->time1 = htons((u_short) t);
1200
1201 if (debug)
1202 log(LOG_DEBUG,
1203 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n",
1204 ifp->if_xname, ntohl(ch->type), ch->par1,
1205 ch->par2, (u_int)ch->rel, (u_int)ch->time0,
1206 (u_int)ch->time1);
1207
1208 if (IF_QFULL(&sp->pp_cpq)) {
1209 IF_DROP(&sp->pp_fastq);
1210 IF_DROP(&ifp->if_snd);
1211 m_freem(m);
1212 ++ifp->if_oerrors;
1213 return;
1214 } else
1215 IF_ENQUEUE(&sp->pp_cpq, m);
1216 if (! (ifp->if_flags & IFF_OACTIVE))
1217 if_start_lock(ifp);
1218 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes;
1219 }
1220
1221 /*
1222 * PPP protocol implementation.
1223 */
1224
1225 /*
1226 * Send PPP control protocol packet.
1227 */
1228 static void
sppp_cp_send(struct sppp * sp,u_short proto,u_char type,u_char ident,u_short len,void * data)1229 sppp_cp_send(struct sppp *sp, u_short proto, u_char type,
1230 u_char ident, u_short len, void *data)
1231 {
1232 STDDCL;
1233 struct lcp_header *lh;
1234 struct mbuf *m;
1235 size_t pkthdrlen;
1236
1237 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN;
1238
1239 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN)
1240 len = MHLEN - pkthdrlen - LCP_HEADER_LEN;
1241 MGETHDR(m, M_DONTWAIT, MT_DATA);
1242 if (! m)
1243 return;
1244 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len;
1245 m_reset_rcvif(m);
1246
1247 if (sp->pp_flags & PP_NOFRAMING) {
1248 *mtod(m, uint16_t *) = htons(proto);
1249 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2);
1250 } else {
1251 struct ppp_header *h;
1252 h = mtod(m, struct ppp_header *);
1253 h->address = PPP_ALLSTATIONS; /* broadcast address */
1254 h->control = PPP_UI; /* Unnumbered Info */
1255 h->protocol = htons(proto); /* Link Control Protocol */
1256 lh = (struct lcp_header *)(h + 1);
1257 }
1258 lh->type = type;
1259 lh->ident = ident;
1260 lh->len = htons(LCP_HEADER_LEN + len);
1261 if (len)
1262 memcpy(lh + 1, data, len);
1263
1264 if (debug) {
1265 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d",
1266 ifp->if_xname,
1267 sppp_proto_name(proto),
1268 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len));
1269 if (len)
1270 sppp_print_bytes((u_char *)(lh + 1), len);
1271 addlog(">\n");
1272 }
1273 if (IF_QFULL(&sp->pp_cpq)) {
1274 IF_DROP(&sp->pp_fastq);
1275 IF_DROP(&ifp->if_snd);
1276 m_freem(m);
1277 ++ifp->if_oerrors;
1278 return;
1279 } else
1280 IF_ENQUEUE(&sp->pp_cpq, m);
1281 if (! (ifp->if_flags & IFF_OACTIVE))
1282 if_start_lock(ifp);
1283 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes;
1284 }
1285
1286 /*
1287 * Handle incoming PPP control protocol packets.
1288 */
1289 static void
sppp_cp_input(const struct cp * cp,struct sppp * sp,struct mbuf * m)1290 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m)
1291 {
1292 STDDCL;
1293 struct lcp_header *h;
1294 int printlen, len = m->m_pkthdr.len;
1295 int rv;
1296 u_char *p;
1297 uint32_t u32;
1298
1299 if (len < 4) {
1300 if (debug)
1301 log(LOG_DEBUG,
1302 "%s: %s invalid packet length: %d bytes\n",
1303 ifp->if_xname, cp->name, len);
1304 return;
1305 }
1306 h = mtod(m, struct lcp_header *);
1307 if (debug) {
1308 printlen = ntohs(h->len);
1309 log(LOG_DEBUG,
1310 "%s: %s input(%s): <%s id=0x%x len=%d",
1311 ifp->if_xname, cp->name,
1312 sppp_state_name(sp->state[cp->protoidx]),
1313 sppp_cp_type_name(h->type), h->ident, printlen);
1314 if (len < printlen)
1315 printlen = len;
1316 if (printlen > 4)
1317 sppp_print_bytes((u_char *)(h + 1), printlen - 4);
1318 addlog(">\n");
1319 }
1320 if (len > ntohs(h->len))
1321 len = ntohs(h->len);
1322 p = (u_char *)(h + 1);
1323 switch (h->type) {
1324 case CONF_REQ:
1325 if (len < 4) {
1326 if (debug)
1327 addlog("%s: %s invalid conf-req length %d\n",
1328 ifp->if_xname, cp->name,
1329 len);
1330 ++ifp->if_ierrors;
1331 break;
1332 }
1333 /* handle states where RCR doesn't get a SCA/SCN */
1334 switch (sp->state[cp->protoidx]) {
1335 case STATE_CLOSING:
1336 case STATE_STOPPING:
1337 return;
1338 case STATE_CLOSED:
1339 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident,
1340 0, 0);
1341 return;
1342 }
1343 rv = (cp->RCR)(sp, h, len);
1344 if (rv < 0) {
1345 /* fatal error, shut down */
1346 (cp->tld)(sp);
1347 sppp_lcp_tlf(sp);
1348 return;
1349 }
1350 switch (sp->state[cp->protoidx]) {
1351 case STATE_OPENED:
1352 (cp->tld)(sp);
1353 (cp->scr)(sp);
1354 /* fall through... */
1355 case STATE_ACK_SENT:
1356 case STATE_REQ_SENT:
1357 sppp_cp_change_state(cp, sp, rv?
1358 STATE_ACK_SENT: STATE_REQ_SENT);
1359 break;
1360 case STATE_STOPPED:
1361 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
1362 (cp->scr)(sp);
1363 sppp_cp_change_state(cp, sp, rv?
1364 STATE_ACK_SENT: STATE_REQ_SENT);
1365 break;
1366 case STATE_ACK_RCVD:
1367 if (rv) {
1368 sppp_cp_change_state(cp, sp, STATE_OPENED);
1369 if (debug)
1370 log(LOG_DEBUG, "%s: %s tlu\n",
1371 ifp->if_xname,
1372 cp->name);
1373 (cp->tlu)(sp);
1374 } else
1375 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD);
1376 break;
1377 default:
1378 printf("%s: %s illegal %s in state %s\n",
1379 ifp->if_xname, cp->name,
1380 sppp_cp_type_name(h->type),
1381 sppp_state_name(sp->state[cp->protoidx]));
1382 ++ifp->if_ierrors;
1383 }
1384 break;
1385 case CONF_ACK:
1386 if (h->ident != sp->confid[cp->protoidx]) {
1387 if (debug)
1388 addlog("%s: %s id mismatch 0x%x != 0x%x\n",
1389 ifp->if_xname, cp->name,
1390 h->ident, sp->confid[cp->protoidx]);
1391 ++ifp->if_ierrors;
1392 break;
1393 }
1394 switch (sp->state[cp->protoidx]) {
1395 case STATE_CLOSED:
1396 case STATE_STOPPED:
1397 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0);
1398 break;
1399 case STATE_CLOSING:
1400 case STATE_STOPPING:
1401 break;
1402 case STATE_REQ_SENT:
1403 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
1404 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD);
1405 break;
1406 case STATE_OPENED:
1407 (cp->tld)(sp);
1408 /* fall through */
1409 case STATE_ACK_RCVD:
1410 (cp->scr)(sp);
1411 sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1412 break;
1413 case STATE_ACK_SENT:
1414 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
1415 sppp_cp_change_state(cp, sp, STATE_OPENED);
1416 if (debug)
1417 log(LOG_DEBUG, "%s: %s tlu\n",
1418 ifp->if_xname, cp->name);
1419 (cp->tlu)(sp);
1420 break;
1421 default:
1422 printf("%s: %s illegal %s in state %s\n",
1423 ifp->if_xname, cp->name,
1424 sppp_cp_type_name(h->type),
1425 sppp_state_name(sp->state[cp->protoidx]));
1426 ++ifp->if_ierrors;
1427 }
1428 break;
1429 case CONF_NAK:
1430 case CONF_REJ:
1431 if (h->ident != sp->confid[cp->protoidx]) {
1432 if (debug)
1433 addlog("%s: %s id mismatch 0x%x != 0x%x\n",
1434 ifp->if_xname, cp->name,
1435 h->ident, sp->confid[cp->protoidx]);
1436 ++ifp->if_ierrors;
1437 break;
1438 }
1439 if (h->type == CONF_NAK)
1440 (cp->RCN_nak)(sp, h, len);
1441 else /* CONF_REJ */
1442 (cp->RCN_rej)(sp, h, len);
1443
1444 switch (sp->state[cp->protoidx]) {
1445 case STATE_CLOSED:
1446 case STATE_STOPPED:
1447 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0);
1448 break;
1449 case STATE_REQ_SENT:
1450 case STATE_ACK_SENT:
1451 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
1452 (cp->scr)(sp);
1453 break;
1454 case STATE_OPENED:
1455 (cp->tld)(sp);
1456 /* fall through */
1457 case STATE_ACK_RCVD:
1458 sppp_cp_change_state(cp, sp, STATE_ACK_SENT);
1459 (cp->scr)(sp);
1460 break;
1461 case STATE_CLOSING:
1462 case STATE_STOPPING:
1463 break;
1464 default:
1465 printf("%s: %s illegal %s in state %s\n",
1466 ifp->if_xname, cp->name,
1467 sppp_cp_type_name(h->type),
1468 sppp_state_name(sp->state[cp->protoidx]));
1469 ++ifp->if_ierrors;
1470 }
1471 break;
1472
1473 case TERM_REQ:
1474 switch (sp->state[cp->protoidx]) {
1475 case STATE_ACK_RCVD:
1476 case STATE_ACK_SENT:
1477 sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1478 /* fall through */
1479 case STATE_CLOSED:
1480 case STATE_STOPPED:
1481 case STATE_CLOSING:
1482 case STATE_STOPPING:
1483 case STATE_REQ_SENT:
1484 sta:
1485 /* Send Terminate-Ack packet. */
1486 if (debug)
1487 log(LOG_DEBUG, "%s: %s send terminate-ack\n",
1488 ifp->if_xname, cp->name);
1489 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0);
1490 break;
1491 case STATE_OPENED:
1492 (cp->tld)(sp);
1493 sp->rst_counter[cp->protoidx] = 0;
1494 sppp_cp_change_state(cp, sp, STATE_STOPPING);
1495 goto sta;
1496 default:
1497 printf("%s: %s illegal %s in state %s\n",
1498 ifp->if_xname, cp->name,
1499 sppp_cp_type_name(h->type),
1500 sppp_state_name(sp->state[cp->protoidx]));
1501 ++ifp->if_ierrors;
1502 }
1503 break;
1504 case TERM_ACK:
1505 switch (sp->state[cp->protoidx]) {
1506 case STATE_CLOSED:
1507 case STATE_STOPPED:
1508 case STATE_REQ_SENT:
1509 case STATE_ACK_SENT:
1510 break;
1511 case STATE_CLOSING:
1512 (cp->tlf)(sp);
1513 sppp_cp_change_state(cp, sp, STATE_CLOSED);
1514 sppp_lcp_check_and_close(sp);
1515 break;
1516 case STATE_STOPPING:
1517 (cp->tlf)(sp);
1518 sppp_cp_change_state(cp, sp, STATE_STOPPED);
1519 sppp_lcp_check_and_close(sp);
1520 break;
1521 case STATE_ACK_RCVD:
1522 sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1523 break;
1524 case STATE_OPENED:
1525 (cp->tld)(sp);
1526 (cp->scr)(sp);
1527 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD);
1528 break;
1529 default:
1530 printf("%s: %s illegal %s in state %s\n",
1531 ifp->if_xname, cp->name,
1532 sppp_cp_type_name(h->type),
1533 sppp_state_name(sp->state[cp->protoidx]));
1534 ++ifp->if_ierrors;
1535 }
1536 break;
1537 case CODE_REJ:
1538 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */
1539 log(LOG_INFO,
1540 "%s: %s: ignoring RXJ (%s) for code ?, "
1541 "danger will robinson\n",
1542 ifp->if_xname, cp->name,
1543 sppp_cp_type_name(h->type));
1544 switch (sp->state[cp->protoidx]) {
1545 case STATE_CLOSED:
1546 case STATE_STOPPED:
1547 case STATE_REQ_SENT:
1548 case STATE_ACK_SENT:
1549 case STATE_CLOSING:
1550 case STATE_STOPPING:
1551 case STATE_OPENED:
1552 break;
1553 case STATE_ACK_RCVD:
1554 sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1555 break;
1556 default:
1557 printf("%s: %s illegal %s in state %s\n",
1558 ifp->if_xname, cp->name,
1559 sppp_cp_type_name(h->type),
1560 sppp_state_name(sp->state[cp->protoidx]));
1561 ++ifp->if_ierrors;
1562 }
1563 break;
1564 case PROTO_REJ:
1565 {
1566 int catastrophic;
1567 const struct cp *upper;
1568 int i;
1569 uint16_t proto;
1570
1571 catastrophic = 0;
1572 upper = NULL;
1573 proto = p[0] << 8 | p[1];
1574 for (i = 0; i < IDX_COUNT; i++) {
1575 if (cps[i]->proto == proto) {
1576 upper = cps[i];
1577 break;
1578 }
1579 }
1580 if (upper == NULL)
1581 catastrophic++;
1582
1583 if (debug)
1584 log(LOG_INFO,
1585 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n",
1586 ifp->if_xname, cp->name, catastrophic ? '-' : '+',
1587 sppp_cp_type_name(h->type), proto,
1588 upper ? upper->name : "unknown",
1589 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?");
1590
1591 /*
1592 * if we got RXJ+ against conf-req, the peer does not implement
1593 * this particular protocol type. terminate the protocol.
1594 */
1595 if (upper && !catastrophic) {
1596 if (sp->state[upper->protoidx] == STATE_REQ_SENT) {
1597 upper->Close(sp);
1598 break;
1599 }
1600 }
1601
1602 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */
1603 switch (sp->state[cp->protoidx]) {
1604 case STATE_CLOSED:
1605 case STATE_STOPPED:
1606 case STATE_REQ_SENT:
1607 case STATE_ACK_SENT:
1608 case STATE_CLOSING:
1609 case STATE_STOPPING:
1610 case STATE_OPENED:
1611 break;
1612 case STATE_ACK_RCVD:
1613 sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1614 break;
1615 default:
1616 printf("%s: %s illegal %s in state %s\n",
1617 ifp->if_xname, cp->name,
1618 sppp_cp_type_name(h->type),
1619 sppp_state_name(sp->state[cp->protoidx]));
1620 ++ifp->if_ierrors;
1621 }
1622 break;
1623 }
1624 case DISC_REQ:
1625 if (cp->proto != PPP_LCP)
1626 goto illegal;
1627 /* Discard the packet. */
1628 break;
1629 case ECHO_REQ:
1630 if (cp->proto != PPP_LCP)
1631 goto illegal;
1632 if (sp->state[cp->protoidx] != STATE_OPENED) {
1633 if (debug)
1634 addlog("%s: lcp echo req but lcp closed\n",
1635 ifp->if_xname);
1636 ++ifp->if_ierrors;
1637 break;
1638 }
1639 if (len < 8) {
1640 if (debug)
1641 addlog("%s: invalid lcp echo request "
1642 "packet length: %d bytes\n",
1643 ifp->if_xname, len);
1644 break;
1645 }
1646 memcpy(&u32, h + 1, sizeof u32);
1647 if (ntohl(u32) == sp->lcp.magic) {
1648 /* Line loopback mode detected. */
1649 printf("%s: loopback\n", ifp->if_xname);
1650 if_down(ifp);
1651 IF_PURGE(&sp->pp_cpq);
1652
1653 /* Shut down the PPP link. */
1654 /* XXX */
1655 lcp.Down(sp);
1656 lcp.Up(sp);
1657 break;
1658 }
1659 u32 = htonl(sp->lcp.magic);
1660 memcpy(h + 1, &u32, sizeof u32);
1661 if (debug)
1662 addlog("%s: got lcp echo req, sending echo rep\n",
1663 ifp->if_xname);
1664 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4,
1665 h + 1);
1666 break;
1667 case ECHO_REPLY:
1668 if (cp->proto != PPP_LCP)
1669 goto illegal;
1670 if (h->ident != sp->lcp.echoid) {
1671 ++ifp->if_ierrors;
1672 break;
1673 }
1674 if (len < 8) {
1675 if (debug)
1676 addlog("%s: lcp invalid echo reply "
1677 "packet length: %d bytes\n",
1678 ifp->if_xname, len);
1679 break;
1680 }
1681 if (debug)
1682 addlog("%s: lcp got echo rep\n",
1683 ifp->if_xname);
1684 memcpy(&u32, h + 1, sizeof u32);
1685 if (ntohl(u32) != sp->lcp.magic)
1686 sp->pp_alivecnt = 0;
1687 break;
1688 default:
1689 /* Unknown packet type -- send Code-Reject packet. */
1690 illegal:
1691 if (debug)
1692 addlog("%s: %s send code-rej for 0x%x\n",
1693 ifp->if_xname, cp->name, h->type);
1694 sppp_cp_send(sp, cp->proto, CODE_REJ,
1695 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h);
1696 ++ifp->if_ierrors;
1697 }
1698 }
1699
1700
1701 /*
1702 * The generic part of all Up/Down/Open/Close/TO event handlers.
1703 * Basically, the state transition handling in the automaton.
1704 */
1705 static void
sppp_up_event(const struct cp * cp,struct sppp * sp)1706 sppp_up_event(const struct cp *cp, struct sppp *sp)
1707 {
1708 STDDCL;
1709
1710 if (debug)
1711 log(LOG_DEBUG, "%s: %s up(%s)\n",
1712 ifp->if_xname, cp->name,
1713 sppp_state_name(sp->state[cp->protoidx]));
1714
1715 switch (sp->state[cp->protoidx]) {
1716 case STATE_INITIAL:
1717 sppp_cp_change_state(cp, sp, STATE_CLOSED);
1718 break;
1719 case STATE_STARTING:
1720 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
1721 (cp->scr)(sp);
1722 sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1723 break;
1724 default:
1725 printf("%s: %s illegal up in state %s\n",
1726 ifp->if_xname, cp->name,
1727 sppp_state_name(sp->state[cp->protoidx]));
1728 }
1729 }
1730
1731 static void
sppp_down_event(const struct cp * cp,struct sppp * sp)1732 sppp_down_event(const struct cp *cp, struct sppp *sp)
1733 {
1734 STDDCL;
1735
1736 if (debug)
1737 log(LOG_DEBUG, "%s: %s down(%s)\n",
1738 ifp->if_xname, cp->name,
1739 sppp_state_name(sp->state[cp->protoidx]));
1740
1741 switch (sp->state[cp->protoidx]) {
1742 case STATE_CLOSED:
1743 case STATE_CLOSING:
1744 sppp_cp_change_state(cp, sp, STATE_INITIAL);
1745 break;
1746 case STATE_STOPPED:
1747 (cp->tls)(sp);
1748 /* fall through */
1749 case STATE_STOPPING:
1750 case STATE_REQ_SENT:
1751 case STATE_ACK_RCVD:
1752 case STATE_ACK_SENT:
1753 sppp_cp_change_state(cp, sp, STATE_STARTING);
1754 break;
1755 case STATE_OPENED:
1756 (cp->tld)(sp);
1757 sppp_cp_change_state(cp, sp, STATE_STARTING);
1758 break;
1759 default:
1760 printf("%s: %s illegal down in state %s\n",
1761 ifp->if_xname, cp->name,
1762 sppp_state_name(sp->state[cp->protoidx]));
1763 }
1764 }
1765
1766
1767 static void
sppp_open_event(const struct cp * cp,struct sppp * sp)1768 sppp_open_event(const struct cp *cp, struct sppp *sp)
1769 {
1770 STDDCL;
1771
1772 if (debug)
1773 log(LOG_DEBUG, "%s: %s open(%s)\n",
1774 ifp->if_xname, cp->name,
1775 sppp_state_name(sp->state[cp->protoidx]));
1776
1777 switch (sp->state[cp->protoidx]) {
1778 case STATE_INITIAL:
1779 sppp_cp_change_state(cp, sp, STATE_STARTING);
1780 (cp->tls)(sp);
1781 break;
1782 case STATE_STARTING:
1783 break;
1784 case STATE_CLOSED:
1785 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
1786 (cp->scr)(sp);
1787 sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1788 break;
1789 case STATE_STOPPED:
1790 case STATE_STOPPING:
1791 case STATE_REQ_SENT:
1792 case STATE_ACK_RCVD:
1793 case STATE_ACK_SENT:
1794 case STATE_OPENED:
1795 break;
1796 case STATE_CLOSING:
1797 sppp_cp_change_state(cp, sp, STATE_STOPPING);
1798 break;
1799 }
1800 }
1801
1802
1803 static void
sppp_close_event(const struct cp * cp,struct sppp * sp)1804 sppp_close_event(const struct cp *cp, struct sppp *sp)
1805 {
1806 STDDCL;
1807
1808 if (debug)
1809 log(LOG_DEBUG, "%s: %s close(%s)\n",
1810 ifp->if_xname, cp->name,
1811 sppp_state_name(sp->state[cp->protoidx]));
1812
1813 switch (sp->state[cp->protoidx]) {
1814 case STATE_INITIAL:
1815 case STATE_CLOSED:
1816 case STATE_CLOSING:
1817 break;
1818 case STATE_STARTING:
1819 sppp_cp_change_state(cp, sp, STATE_INITIAL);
1820 (cp->tlf)(sp);
1821 break;
1822 case STATE_STOPPED:
1823 sppp_cp_change_state(cp, sp, STATE_CLOSED);
1824 break;
1825 case STATE_STOPPING:
1826 sppp_cp_change_state(cp, sp, STATE_CLOSING);
1827 break;
1828 case STATE_OPENED:
1829 (cp->tld)(sp);
1830 /* fall through */
1831 case STATE_REQ_SENT:
1832 case STATE_ACK_RCVD:
1833 case STATE_ACK_SENT:
1834 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate;
1835 sppp_cp_send(sp, cp->proto, TERM_REQ,
1836 ++sp->pp_seq[cp->protoidx], 0, 0);
1837 sppp_cp_change_state(cp, sp, STATE_CLOSING);
1838 break;
1839 }
1840 }
1841
1842 static void
sppp_to_event(const struct cp * cp,struct sppp * sp)1843 sppp_to_event(const struct cp *cp, struct sppp *sp)
1844 {
1845 STDDCL;
1846 int s;
1847
1848 s = splnet();
1849 if (debug)
1850 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n",
1851 ifp->if_xname, cp->name,
1852 sppp_state_name(sp->state[cp->protoidx]),
1853 sp->rst_counter[cp->protoidx]);
1854
1855 if (--sp->rst_counter[cp->protoidx] < 0)
1856 /* TO- event */
1857 switch (sp->state[cp->protoidx]) {
1858 case STATE_CLOSING:
1859 (cp->tlf)(sp);
1860 sppp_cp_change_state(cp, sp, STATE_CLOSED);
1861 sppp_lcp_check_and_close(sp);
1862 break;
1863 case STATE_STOPPING:
1864 (cp->tlf)(sp);
1865 sppp_cp_change_state(cp, sp, STATE_STOPPED);
1866 sppp_lcp_check_and_close(sp);
1867 break;
1868 case STATE_REQ_SENT:
1869 case STATE_ACK_RCVD:
1870 case STATE_ACK_SENT:
1871 (cp->tlf)(sp);
1872 sppp_cp_change_state(cp, sp, STATE_STOPPED);
1873 sppp_lcp_check_and_close(sp);
1874 break;
1875 }
1876 else
1877 /* TO+ event */
1878 switch (sp->state[cp->protoidx]) {
1879 case STATE_CLOSING:
1880 case STATE_STOPPING:
1881 sppp_cp_send(sp, cp->proto, TERM_REQ,
1882 ++sp->pp_seq[cp->protoidx], 0, 0);
1883 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout,
1884 cp->TO, sp);
1885 break;
1886 case STATE_REQ_SENT:
1887 case STATE_ACK_RCVD:
1888 (cp->scr)(sp);
1889 /* sppp_cp_change_state() will restart the timer */
1890 sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1891 break;
1892 case STATE_ACK_SENT:
1893 (cp->scr)(sp);
1894 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout,
1895 cp->TO, sp);
1896 break;
1897 }
1898
1899 splx(s);
1900 }
1901
1902 /*
1903 * Change the state of a control protocol in the state automaton.
1904 * Takes care of starting/stopping the restart timer.
1905 */
1906 void
sppp_cp_change_state(const struct cp * cp,struct sppp * sp,int newstate)1907 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate)
1908 {
1909 sp->state[cp->protoidx] = newstate;
1910 callout_stop(&sp->ch[cp->protoidx]);
1911 switch (newstate) {
1912 case STATE_INITIAL:
1913 case STATE_STARTING:
1914 case STATE_CLOSED:
1915 case STATE_STOPPED:
1916 case STATE_OPENED:
1917 break;
1918 case STATE_CLOSING:
1919 case STATE_STOPPING:
1920 case STATE_REQ_SENT:
1921 case STATE_ACK_RCVD:
1922 case STATE_ACK_SENT:
1923 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout,
1924 cp->TO, sp);
1925 break;
1926 }
1927 }
1928
1929 /*
1930 *--------------------------------------------------------------------------*
1931 * *
1932 * The LCP implementation. *
1933 * *
1934 *--------------------------------------------------------------------------*
1935 */
1936 static void
sppp_lcp_init(struct sppp * sp)1937 sppp_lcp_init(struct sppp *sp)
1938 {
1939 sp->lcp.opts = (1 << LCP_OPT_MAGIC);
1940 sp->lcp.magic = 0;
1941 sp->state[IDX_LCP] = STATE_INITIAL;
1942 sp->fail_counter[IDX_LCP] = 0;
1943 sp->pp_seq[IDX_LCP] = 0;
1944 sp->pp_rseq[IDX_LCP] = 0;
1945 sp->lcp.protos = 0;
1946
1947 /*
1948 * Initialize counters and timeout values. Note that we don't
1949 * use the 3 seconds suggested in RFC 1661 since we are likely
1950 * running on a fast link. XXX We should probably implement
1951 * the exponential backoff option. Note that these values are
1952 * relevant for all control protocols, not just LCP only.
1953 */
1954 sp->lcp.timeout = 1 * hz;
1955 sp->lcp.max_terminate = 2;
1956 sp->lcp.max_configure = 10;
1957 sp->lcp.max_failure = 10;
1958 callout_init(&sp->ch[IDX_LCP], 0);
1959 }
1960
1961 static void
sppp_lcp_up(struct sppp * sp)1962 sppp_lcp_up(struct sppp *sp)
1963 {
1964 STDDCL;
1965
1966 /* Initialize activity timestamp: opening a connection is an activity */
1967 sp->pp_last_receive = sp->pp_last_activity = time_uptime;
1968
1969 /*
1970 * If this interface is passive or dial-on-demand, and we are
1971 * still in Initial state, it means we've got an incoming
1972 * call. Activate the interface.
1973 */
1974 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) {
1975 if (debug)
1976 log(LOG_DEBUG,
1977 "%s: Up event", ifp->if_xname);
1978 ifp->if_flags |= IFF_RUNNING;
1979 if (sp->state[IDX_LCP] == STATE_INITIAL) {
1980 if (debug)
1981 addlog("(incoming call)\n");
1982 sp->pp_flags |= PP_CALLIN;
1983 lcp.Open(sp);
1984 } else if (debug)
1985 addlog("\n");
1986 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 &&
1987 (sp->state[IDX_LCP] == STATE_INITIAL)) {
1988 ifp->if_flags |= IFF_RUNNING;
1989 lcp.Open(sp);
1990 }
1991
1992 sppp_up_event(&lcp, sp);
1993 }
1994
1995 static void
sppp_lcp_down(struct sppp * sp)1996 sppp_lcp_down(struct sppp *sp)
1997 {
1998 STDDCL;
1999
2000 sppp_down_event(&lcp, sp);
2001
2002 /*
2003 * If this is neither a dial-on-demand nor a passive
2004 * interface, simulate an ``ifconfig down'' action, so the
2005 * administrator can force a redial by another ``ifconfig
2006 * up''. XXX For leased line operation, should we immediately
2007 * try to reopen the connection here?
2008 */
2009 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) {
2010 if (debug)
2011 log(LOG_INFO,
2012 "%s: Down event (carrier loss), taking interface down.\n",
2013 ifp->if_xname);
2014 if_down(ifp);
2015 } else {
2016 if (debug)
2017 log(LOG_DEBUG,
2018 "%s: Down event (carrier loss)\n",
2019 ifp->if_xname);
2020 }
2021 sp->pp_flags &= ~PP_CALLIN;
2022 if (sp->state[IDX_LCP] != STATE_INITIAL)
2023 lcp.Close(sp);
2024 ifp->if_flags &= ~IFF_RUNNING;
2025 }
2026
2027 static void
sppp_lcp_open(struct sppp * sp)2028 sppp_lcp_open(struct sppp *sp)
2029 {
2030 if (sp->pp_if.if_mtu < PP_MTU) {
2031 sp->lcp.mru = sp->pp_if.if_mtu;
2032 sp->lcp.opts |= (1 << LCP_OPT_MRU);
2033 } else
2034 sp->lcp.mru = PP_MTU;
2035 sp->lcp.their_mru = PP_MTU;
2036
2037 /*
2038 * If we are authenticator, negotiate LCP_AUTH
2039 */
2040 if (sp->hisauth.proto != 0)
2041 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO);
2042 else
2043 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO);
2044 sp->pp_flags &= ~PP_NEEDAUTH;
2045 sppp_open_event(&lcp, sp);
2046 }
2047
2048 static void
sppp_lcp_close(struct sppp * sp)2049 sppp_lcp_close(struct sppp *sp)
2050 {
2051 sppp_close_event(&lcp, sp);
2052 }
2053
2054 static void
sppp_lcp_TO(void * cookie)2055 sppp_lcp_TO(void *cookie)
2056 {
2057 sppp_to_event(&lcp, (struct sppp *)cookie);
2058 }
2059
2060 /*
2061 * Analyze a configure request. Return true if it was agreeable, and
2062 * caused action sca, false if it has been rejected or nak'ed, and
2063 * caused action scn. (The return value is used to make the state
2064 * transition decision in the state automaton.)
2065 */
2066 static int
sppp_lcp_RCR(struct sppp * sp,struct lcp_header * h,int len)2067 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len)
2068 {
2069 STDDCL;
2070 u_char *buf, *r, *p, l, blen;
2071 int origlen, rlen;
2072 uint32_t nmagic;
2073 u_short authproto;
2074
2075 len -= 4;
2076 origlen = len;
2077 buf = r = malloc (blen = len, M_TEMP, M_NOWAIT);
2078 if (! buf)
2079 return (0);
2080
2081 if (debug)
2082 log(LOG_DEBUG, "%s: lcp parse opts:",
2083 ifp->if_xname);
2084
2085 /* pass 1: check for things that need to be rejected */
2086 p = (void *)(h + 1);
2087 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) {
2088 /* Sanity check option length */
2089 if (l > len) {
2090 /*
2091 * Malicious option - drop immediately.
2092 * XXX Maybe we should just RXJ it?
2093 */
2094 addlog("%s: received malicious LCP option 0x%02x, "
2095 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname,
2096 p[0], l, len);
2097 goto drop;
2098 }
2099 if (debug)
2100 addlog(" %s", sppp_lcp_opt_name(*p));
2101 switch (*p) {
2102 case LCP_OPT_MAGIC:
2103 /* Magic number. */
2104 /* fall through, both are same length */
2105 case LCP_OPT_ASYNC_MAP:
2106 /* Async control character map. */
2107 if (len >= 6 || l == 6)
2108 continue;
2109 if (debug)
2110 addlog(" [invalid]");
2111 break;
2112 case LCP_OPT_MRU:
2113 /* Maximum receive unit. */
2114 if (len >= 4 && l == 4)
2115 continue;
2116 if (debug)
2117 addlog(" [invalid]");
2118 break;
2119 case LCP_OPT_AUTH_PROTO:
2120 if (len < 4) {
2121 if (debug)
2122 addlog(" [invalid]");
2123 break;
2124 }
2125 authproto = (p[2] << 8) + p[3];
2126 if (authproto == PPP_CHAP && l != 5) {
2127 if (debug)
2128 addlog(" [invalid chap len]");
2129 break;
2130 }
2131 if (sp->myauth.proto == 0) {
2132 /* we are not configured to do auth */
2133 if (debug)
2134 addlog(" [not configured]");
2135 break;
2136 }
2137 /*
2138 * Remote want us to authenticate, remember this,
2139 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got
2140 * up.
2141 */
2142 sp->pp_flags |= PP_NEEDAUTH;
2143 continue;
2144 default:
2145 /* Others not supported. */
2146 if (debug)
2147 addlog(" [rej]");
2148 break;
2149 }
2150 if (rlen + l > blen) {
2151 if (debug)
2152 addlog(" [overflow]");
2153 continue;
2154 }
2155 /* Add the option to rejected list. */
2156 memcpy(r, p, l);
2157 r += l;
2158 rlen += l;
2159 }
2160 if (rlen) {
2161 if (debug)
2162 addlog(" send conf-rej\n");
2163 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf);
2164 goto end;
2165 } else if (debug)
2166 addlog("\n");
2167
2168 /*
2169 * pass 2: check for option values that are unacceptable and
2170 * thus require to be nak'ed.
2171 */
2172 if (debug)
2173 log(LOG_DEBUG, "%s: lcp parse opt values: ",
2174 ifp->if_xname);
2175
2176 p = (void *)(h + 1);
2177 len = origlen;
2178 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) {
2179 if (debug)
2180 addlog(" %s", sppp_lcp_opt_name(*p));
2181 switch (*p) {
2182 case LCP_OPT_MAGIC:
2183 /* Magic number -- extract. */
2184 nmagic = (uint32_t)p[2] << 24 |
2185 (uint32_t)p[3] << 16 | p[4] << 8 | p[5];
2186 if (nmagic != sp->lcp.magic) {
2187 if (debug)
2188 addlog(" 0x%x", nmagic);
2189 continue;
2190 }
2191 /*
2192 * Local and remote magics equal -- loopback?
2193 */
2194 if (sp->pp_loopcnt >= LOOPALIVECNT*5) {
2195 printf ("%s: loopback\n",
2196 ifp->if_xname);
2197 sp->pp_loopcnt = 0;
2198 if (ifp->if_flags & IFF_UP) {
2199 if_down(ifp);
2200 IF_PURGE(&sp->pp_cpq);
2201 /* XXX ? */
2202 lcp.Down(sp);
2203 lcp.Up(sp);
2204 }
2205 } else if (debug)
2206 addlog(" [glitch]");
2207 ++sp->pp_loopcnt;
2208 /*
2209 * We negate our magic here, and NAK it. If
2210 * we see it later in an NAK packet, we
2211 * suggest a new one.
2212 */
2213 nmagic = ~sp->lcp.magic;
2214 /* Gonna NAK it. */
2215 p[2] = nmagic >> 24;
2216 p[3] = nmagic >> 16;
2217 p[4] = nmagic >> 8;
2218 p[5] = nmagic;
2219 break;
2220
2221 case LCP_OPT_ASYNC_MAP:
2222 /*
2223 * Async control character map -- just ignore it.
2224 *
2225 * Quote from RFC 1662, chapter 6:
2226 * To enable this functionality, synchronous PPP
2227 * implementations MUST always respond to the
2228 * Async-Control-Character-Map Configuration
2229 * Option with the LCP Configure-Ack. However,
2230 * acceptance of the Configuration Option does
2231 * not imply that the synchronous implementation
2232 * will do any ACCM mapping. Instead, all such
2233 * octet mapping will be performed by the
2234 * asynchronous-to-synchronous converter.
2235 */
2236 continue;
2237
2238 case LCP_OPT_MRU:
2239 /*
2240 * Maximum receive unit. Always agreeable,
2241 * but ignored by now.
2242 */
2243 sp->lcp.their_mru = p[2] * 256 + p[3];
2244 if (debug)
2245 addlog(" %ld", sp->lcp.their_mru);
2246 continue;
2247
2248 case LCP_OPT_AUTH_PROTO:
2249 authproto = (p[2] << 8) + p[3];
2250 if (sp->myauth.proto != authproto) {
2251 /* not agreed, nak */
2252 if (debug)
2253 addlog(" [mine %s != his %s]",
2254 sppp_proto_name(sp->myauth.proto),
2255 sppp_proto_name(authproto));
2256 p[2] = sp->myauth.proto >> 8;
2257 p[3] = sp->myauth.proto;
2258 break;
2259 }
2260 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) {
2261 if (debug)
2262 addlog(" [chap not MD5]");
2263 p[4] = CHAP_MD5;
2264 break;
2265 }
2266 continue;
2267 }
2268 if (rlen + l > blen) {
2269 if (debug)
2270 addlog(" [overflow]");
2271 continue;
2272 }
2273 /* Add the option to nak'ed list. */
2274 memcpy(r, p, l);
2275 r += l;
2276 rlen += l;
2277 }
2278 if (rlen) {
2279 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
2280 if (debug)
2281 addlog(" max_failure (%d) exceeded, "
2282 "send conf-rej\n",
2283 sp->lcp.max_failure);
2284 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf);
2285 } else {
2286 if (debug)
2287 addlog(" send conf-nak\n");
2288 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf);
2289 }
2290 goto end;
2291 } else {
2292 if (debug)
2293 addlog(" send conf-ack\n");
2294 sp->fail_counter[IDX_LCP] = 0;
2295 sp->pp_loopcnt = 0;
2296 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1);
2297 }
2298
2299 end:
2300 free(buf, M_TEMP);
2301 return (rlen == 0);
2302
2303 drop:
2304 free(buf, M_TEMP);
2305 return -1;
2306 }
2307
2308 /*
2309 * Analyze the LCP Configure-Reject option list, and adjust our
2310 * negotiation.
2311 */
2312 static void
sppp_lcp_RCN_rej(struct sppp * sp,struct lcp_header * h,int len)2313 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
2314 {
2315 STDDCL;
2316 u_char *buf, *p, l;
2317
2318 len -= 4;
2319 buf = malloc (len, M_TEMP, M_NOWAIT);
2320 if (!buf)
2321 return;
2322
2323 if (debug)
2324 log(LOG_DEBUG, "%s: lcp rej opts:",
2325 ifp->if_xname);
2326
2327 p = (void *)(h + 1);
2328 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) {
2329 /* Sanity check option length */
2330 if (l > len) {
2331 /*
2332 * Malicious option - drop immediately.
2333 * XXX Maybe we should just RXJ it?
2334 */
2335 addlog("%s: received malicious LCP option, "
2336 "dropping.\n", ifp->if_xname);
2337 goto drop;
2338 }
2339 if (debug)
2340 addlog(" %s", sppp_lcp_opt_name(*p));
2341 switch (*p) {
2342 case LCP_OPT_MAGIC:
2343 /* Magic number -- can't use it, use 0 */
2344 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC);
2345 sp->lcp.magic = 0;
2346 break;
2347 case LCP_OPT_MRU:
2348 /*
2349 * We try to negotiate a lower MRU if the underlying
2350 * link's MTU is less than PP_MTU (e.g. PPPoE). If the
2351 * peer rejects this lower rate, fallback to the
2352 * default.
2353 */
2354 if (debug) {
2355 addlog("%s: warning: peer rejected our MRU of "
2356 "%ld bytes. Defaulting to %d bytes\n",
2357 ifp->if_xname, sp->lcp.mru, PP_MTU);
2358 }
2359 sp->lcp.opts &= ~(1 << LCP_OPT_MRU);
2360 sp->lcp.mru = PP_MTU;
2361 break;
2362 case LCP_OPT_AUTH_PROTO:
2363 /*
2364 * Peer doesn't want to authenticate himself,
2365 * deny unless this is a dialout call, and
2366 * SPPP_AUTHFLAG_NOCALLOUT is set.
2367 */
2368 if ((sp->pp_flags & PP_CALLIN) == 0 &&
2369 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) {
2370 if (debug)
2371 addlog(" [don't insist on auth "
2372 "for callout]");
2373 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO);
2374 break;
2375 }
2376 if (debug)
2377 addlog("[access denied]\n");
2378 lcp.Close(sp);
2379 break;
2380 }
2381 }
2382 if (debug)
2383 addlog("\n");
2384 drop:
2385 free(buf, M_TEMP);
2386 return;
2387 }
2388
2389 /*
2390 * Analyze the LCP Configure-NAK option list, and adjust our
2391 * negotiation.
2392 */
2393 static void
sppp_lcp_RCN_nak(struct sppp * sp,struct lcp_header * h,int len)2394 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
2395 {
2396 STDDCL;
2397 u_char *buf, *p, l, blen;
2398 uint32_t magic;
2399
2400 len -= 4;
2401 buf = malloc (blen = len, M_TEMP, M_NOWAIT);
2402 if (!buf)
2403 return;
2404
2405 if (debug)
2406 log(LOG_DEBUG, "%s: lcp nak opts:",
2407 ifp->if_xname);
2408
2409 p = (void *)(h + 1);
2410 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) {
2411 /* Sanity check option length */
2412 if (l > len) {
2413 /*
2414 * Malicious option - drop immediately.
2415 * XXX Maybe we should just RXJ it?
2416 */
2417 addlog("%s: received malicious LCP option, "
2418 "dropping.\n", ifp->if_xname);
2419 goto drop;
2420 }
2421 if (debug)
2422 addlog(" %s", sppp_lcp_opt_name(*p));
2423 switch (*p) {
2424 case LCP_OPT_MAGIC:
2425 /* Magic number -- renegotiate */
2426 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) &&
2427 len >= 6 && l == 6) {
2428 magic = (uint32_t)p[2] << 24 |
2429 (uint32_t)p[3] << 16 | p[4] << 8 | p[5];
2430 /*
2431 * If the remote magic is our negated one,
2432 * this looks like a loopback problem.
2433 * Suggest a new magic to make sure.
2434 */
2435 if (magic == ~sp->lcp.magic) {
2436 if (debug)
2437 addlog(" magic glitch");
2438 sp->lcp.magic = cprng_fast32();
2439 } else {
2440 sp->lcp.magic = magic;
2441 if (debug)
2442 addlog(" %d", magic);
2443 }
2444 }
2445 break;
2446 case LCP_OPT_MRU:
2447 /*
2448 * Peer wants to advise us to negotiate an MRU.
2449 * Agree on it if it's reasonable, or use
2450 * default otherwise.
2451 */
2452 if (len >= 4 && l == 4) {
2453 u_int mru = p[2] * 256 + p[3];
2454 if (debug)
2455 addlog(" %d", mru);
2456 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu)
2457 mru = sp->pp_if.if_mtu;
2458 sp->lcp.mru = mru;
2459 sp->lcp.opts |= (1 << LCP_OPT_MRU);
2460 }
2461 break;
2462 case LCP_OPT_AUTH_PROTO:
2463 /*
2464 * Peer doesn't like our authentication method,
2465 * deny.
2466 */
2467 if (debug)
2468 addlog("[access denied]\n");
2469 lcp.Close(sp);
2470 break;
2471 }
2472 }
2473 if (debug)
2474 addlog("\n");
2475 drop:
2476 free(buf, M_TEMP);
2477 return;
2478 }
2479
2480 static void
sppp_lcp_tlu(struct sppp * sp)2481 sppp_lcp_tlu(struct sppp *sp)
2482 {
2483 STDDCL;
2484 int i;
2485 uint32_t mask;
2486
2487 /* XXX ? */
2488 if (! (ifp->if_flags & IFF_UP) &&
2489 (ifp->if_flags & IFF_RUNNING)) {
2490 /* Coming out of loopback mode. */
2491 if_up(ifp);
2492 }
2493
2494 for (i = 0; i < IDX_COUNT; i++)
2495 if ((cps[i])->flags & CP_QUAL)
2496 (cps[i])->Open(sp);
2497
2498 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 ||
2499 (sp->pp_flags & PP_NEEDAUTH) != 0)
2500 sp->pp_phase = SPPP_PHASE_AUTHENTICATE;
2501 else
2502 sp->pp_phase = SPPP_PHASE_NETWORK;
2503
2504 if (debug)
2505 {
2506 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname,
2507 sppp_phase_name(sp->pp_phase));
2508 }
2509
2510 /*
2511 * Open all authentication protocols. This is even required
2512 * if we already proceeded to network phase, since it might be
2513 * that remote wants us to authenticate, so we might have to
2514 * send a PAP request. Undesired authentication protocols
2515 * don't do anything when they get an Open event.
2516 */
2517 for (i = 0; i < IDX_COUNT; i++)
2518 if ((cps[i])->flags & CP_AUTH)
2519 (cps[i])->Open(sp);
2520
2521 if (sp->pp_phase == SPPP_PHASE_NETWORK) {
2522 /* Notify all NCPs. */
2523 for (i = 0; i < IDX_COUNT; i++)
2524 if ((cps[i])->flags & CP_NCP)
2525 (cps[i])->Open(sp);
2526 }
2527
2528 /* Send Up events to all started protos. */
2529 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1)
2530 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0)
2531 (cps[i])->Up(sp);
2532
2533 /* notify low-level driver of state change */
2534 if (sp->pp_chg)
2535 sp->pp_chg(sp, (int)sp->pp_phase);
2536
2537 if (sp->pp_phase == SPPP_PHASE_NETWORK)
2538 /* if no NCP is starting, close down */
2539 sppp_lcp_check_and_close(sp);
2540 }
2541
2542 static void
sppp_lcp_tld(struct sppp * sp)2543 sppp_lcp_tld(struct sppp *sp)
2544 {
2545 STDDCL;
2546 int i;
2547 uint32_t mask;
2548
2549 sp->pp_phase = SPPP_PHASE_TERMINATE;
2550
2551 if (debug)
2552 {
2553 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname,
2554 sppp_phase_name(sp->pp_phase));
2555 }
2556
2557 /*
2558 * Take upper layers down. We send the Down event first and
2559 * the Close second to prevent the upper layers from sending
2560 * ``a flurry of terminate-request packets'', as the RFC
2561 * describes it.
2562 */
2563 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1)
2564 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) {
2565 (cps[i])->Down(sp);
2566 (cps[i])->Close(sp);
2567 }
2568 }
2569
2570 static void
sppp_lcp_tls(struct sppp * sp)2571 sppp_lcp_tls(struct sppp *sp)
2572 {
2573 STDDCL;
2574
2575 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) {
2576 printf("%s: authentication failed %d times, not retrying again\n",
2577 sp->pp_if.if_xname, sp->pp_auth_failures);
2578 if_down(&sp->pp_if);
2579 return;
2580 }
2581
2582 sp->pp_phase = SPPP_PHASE_ESTABLISH;
2583
2584 if (debug)
2585 {
2586 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname,
2587 sppp_phase_name(sp->pp_phase));
2588 }
2589
2590 /* Notify lower layer if desired. */
2591 if (sp->pp_tls)
2592 (sp->pp_tls)(sp);
2593 }
2594
2595 static void
sppp_lcp_tlf(struct sppp * sp)2596 sppp_lcp_tlf(struct sppp *sp)
2597 {
2598 STDDCL;
2599
2600 sp->pp_phase = SPPP_PHASE_DEAD;
2601
2602 if (debug)
2603 {
2604 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname,
2605 sppp_phase_name(sp->pp_phase));
2606 }
2607
2608 /* Notify lower layer if desired. */
2609 if (sp->pp_tlf)
2610 (sp->pp_tlf)(sp);
2611 }
2612
2613 static void
sppp_lcp_scr(struct sppp * sp)2614 sppp_lcp_scr(struct sppp *sp)
2615 {
2616 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */];
2617 int i = 0;
2618 u_short authproto;
2619
2620 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) {
2621 if (! sp->lcp.magic)
2622 sp->lcp.magic = cprng_fast32();
2623 opt[i++] = LCP_OPT_MAGIC;
2624 opt[i++] = 6;
2625 opt[i++] = sp->lcp.magic >> 24;
2626 opt[i++] = sp->lcp.magic >> 16;
2627 opt[i++] = sp->lcp.magic >> 8;
2628 opt[i++] = sp->lcp.magic;
2629 }
2630
2631 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) {
2632 opt[i++] = LCP_OPT_MRU;
2633 opt[i++] = 4;
2634 opt[i++] = sp->lcp.mru >> 8;
2635 opt[i++] = sp->lcp.mru;
2636 }
2637
2638 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) {
2639 authproto = sp->hisauth.proto;
2640 opt[i++] = LCP_OPT_AUTH_PROTO;
2641 opt[i++] = authproto == PPP_CHAP? 5: 4;
2642 opt[i++] = authproto >> 8;
2643 opt[i++] = authproto;
2644 if (authproto == PPP_CHAP)
2645 opt[i++] = CHAP_MD5;
2646 }
2647
2648 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP];
2649 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt);
2650 }
2651
2652 /*
2653 * Check the open NCPs, return true if at least one NCP is open.
2654 */
2655 static int
sppp_ncp_check(struct sppp * sp)2656 sppp_ncp_check(struct sppp *sp)
2657 {
2658 int i, mask;
2659
2660 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1)
2661 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP)
2662 return 1;
2663 return 0;
2664 }
2665
2666 /*
2667 * Re-check the open NCPs and see if we should terminate the link.
2668 * Called by the NCPs during their tlf action handling.
2669 */
2670 static void
sppp_lcp_check_and_close(struct sppp * sp)2671 sppp_lcp_check_and_close(struct sppp *sp)
2672 {
2673
2674 if (sp->pp_phase < SPPP_PHASE_NETWORK)
2675 /* don't bother, we are already going down */
2676 return;
2677
2678 if (sppp_ncp_check(sp))
2679 return;
2680
2681 lcp.Close(sp);
2682 }
2683
2684
2685 /*
2686 *--------------------------------------------------------------------------*
2687 * *
2688 * The IPCP implementation. *
2689 * *
2690 *--------------------------------------------------------------------------*
2691 */
2692
2693 static void
sppp_ipcp_init(struct sppp * sp)2694 sppp_ipcp_init(struct sppp *sp)
2695 {
2696 sp->ipcp.opts = 0;
2697 sp->ipcp.flags = 0;
2698 sp->state[IDX_IPCP] = STATE_INITIAL;
2699 sp->fail_counter[IDX_IPCP] = 0;
2700 sp->pp_seq[IDX_IPCP] = 0;
2701 sp->pp_rseq[IDX_IPCP] = 0;
2702 callout_init(&sp->ch[IDX_IPCP], 0);
2703 }
2704
2705 static void
sppp_ipcp_up(struct sppp * sp)2706 sppp_ipcp_up(struct sppp *sp)
2707 {
2708 sppp_up_event(&ipcp, sp);
2709 }
2710
2711 static void
sppp_ipcp_down(struct sppp * sp)2712 sppp_ipcp_down(struct sppp *sp)
2713 {
2714 sppp_down_event(&ipcp, sp);
2715 }
2716
2717 static void
sppp_ipcp_open(struct sppp * sp)2718 sppp_ipcp_open(struct sppp *sp)
2719 {
2720 STDDCL;
2721 uint32_t myaddr, hisaddr;
2722
2723 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN);
2724 sp->ipcp.req_myaddr = 0;
2725 sp->ipcp.req_hisaddr = 0;
2726 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs);
2727
2728 #ifdef INET
2729 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0);
2730 #else
2731 myaddr = hisaddr = 0;
2732 #endif
2733 /*
2734 * If we don't have his address, this probably means our
2735 * interface doesn't want to talk IP at all. (This could
2736 * be the case if somebody wants to speak only IPX, for
2737 * example.) Don't open IPCP in this case.
2738 */
2739 if (hisaddr == 0) {
2740 /* XXX this message should go away */
2741 if (debug)
2742 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n",
2743 ifp->if_xname);
2744 return;
2745 }
2746
2747 if (myaddr == 0) {
2748 /*
2749 * I don't have an assigned address, so i need to
2750 * negotiate my address.
2751 */
2752 sp->ipcp.flags |= IPCP_MYADDR_DYN;
2753 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS);
2754 }
2755 if (hisaddr == 1) {
2756 /*
2757 * XXX - remove this hack!
2758 * remote has no valid address, we need to get one assigned.
2759 */
2760 sp->ipcp.flags |= IPCP_HISADDR_DYN;
2761 }
2762 sppp_open_event(&ipcp, sp);
2763 }
2764
2765 static void
sppp_ipcp_close(struct sppp * sp)2766 sppp_ipcp_close(struct sppp *sp)
2767 {
2768 STDDCL;
2769
2770 sppp_close_event(&ipcp, sp);
2771 #ifdef INET
2772 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN))
2773 /*
2774 * Some address was dynamic, clear it again.
2775 */
2776 sppp_clear_ip_addrs(sp);
2777 #endif
2778
2779 if (sp->pp_saved_mtu > 0) {
2780 ifp->if_mtu = sp->pp_saved_mtu;
2781 sp->pp_saved_mtu = 0;
2782 if (debug)
2783 log(LOG_DEBUG,
2784 "%s: resetting MTU to %" PRIu64 " bytes\n",
2785 ifp->if_xname, ifp->if_mtu);
2786 }
2787 }
2788
2789 static void
sppp_ipcp_TO(void * cookie)2790 sppp_ipcp_TO(void *cookie)
2791 {
2792 sppp_to_event(&ipcp, (struct sppp *)cookie);
2793 }
2794
2795 /*
2796 * Analyze a configure request. Return true if it was agreeable, and
2797 * caused action sca, false if it has been rejected or nak'ed, and
2798 * caused action scn. (The return value is used to make the state
2799 * transition decision in the state automaton.)
2800 */
2801 static int
sppp_ipcp_RCR(struct sppp * sp,struct lcp_header * h,int len)2802 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len)
2803 {
2804 u_char *buf, *r, *p, l, blen;
2805 struct ifnet *ifp = &sp->pp_if;
2806 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG;
2807 uint32_t hisaddr, desiredaddr;
2808
2809 len -= 4;
2810 origlen = len;
2811 /*
2812 * Make sure to allocate a buf that can at least hold a
2813 * conf-nak with an `address' option. We might need it below.
2814 */
2815 blen = len < 6 ? 6 : len;
2816 buf = r = malloc (blen, M_TEMP, M_NOWAIT);
2817 if (! buf)
2818 return (0);
2819
2820 /* pass 1: see if we can recognize them */
2821 if (debug)
2822 log(LOG_DEBUG, "%s: ipcp parse opts:",
2823 ifp->if_xname);
2824 p = (void *)(h + 1);
2825 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) {
2826 /* Sanity check option length */
2827 if (l > len) {
2828 /* XXX should we just RXJ? */
2829 addlog("%s: malicious IPCP option received, dropping\n",
2830 ifp->if_xname);
2831 goto drop;
2832 }
2833 if (debug)
2834 addlog(" %s", sppp_ipcp_opt_name(*p));
2835 switch (*p) {
2836 #ifdef notyet
2837 case IPCP_OPT_COMPRESSION:
2838 if (len >= 6 && l >= 6) {
2839 /* correctly formed compress option */
2840 continue;
2841 }
2842 if (debug)
2843 addlog(" [invalid]");
2844 break;
2845 #endif
2846 case IPCP_OPT_ADDRESS:
2847 if (len >= 6 && l == 6) {
2848 /* correctly formed address option */
2849 continue;
2850 }
2851 if (debug)
2852 addlog(" [invalid]");
2853 break;
2854 default:
2855 /* Others not supported. */
2856 if (debug)
2857 addlog(" [rej]");
2858 break;
2859 }
2860 /* Add the option to rejected list. */
2861 if (rlen + l > blen) {
2862 if (debug)
2863 addlog(" [overflow]");
2864 continue;
2865 }
2866 memcpy(r, p, l);
2867 r += l;
2868 rlen += l;
2869 }
2870 if (rlen) {
2871 if (debug)
2872 addlog(" send conf-rej\n");
2873 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf);
2874 goto end;
2875 } else if (debug)
2876 addlog("\n");
2877
2878 /* pass 2: parse option values */
2879 if (sp->ipcp.flags & IPCP_HISADDR_SEEN)
2880 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */
2881 else
2882 #ifdef INET
2883 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */
2884 #else
2885 hisaddr = 0;
2886 #endif
2887 if (debug)
2888 log(LOG_DEBUG, "%s: ipcp parse opt values: ",
2889 ifp->if_xname);
2890 p = (void *)(h + 1);
2891 len = origlen;
2892 for (rlen=0; len > 1 && (l = p[1]) != 0; len -= l, p += l) {
2893 if (debug)
2894 addlog(" %s", sppp_ipcp_opt_name(*p));
2895 switch (*p) {
2896 #ifdef notyet
2897 case IPCP_OPT_COMPRESSION:
2898 continue;
2899 #endif
2900 case IPCP_OPT_ADDRESS:
2901 desiredaddr = p[2] << 24 | p[3] << 16 |
2902 p[4] << 8 | p[5];
2903 if (desiredaddr == hisaddr ||
2904 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) {
2905 /*
2906 * Peer's address is same as our value,
2907 * this is agreeable. Gonna conf-ack
2908 * it.
2909 */
2910 if (debug)
2911 addlog(" %s [ack]",
2912 sppp_dotted_quad(hisaddr));
2913 /* record that we've seen it already */
2914 sp->ipcp.flags |= IPCP_HISADDR_SEEN;
2915 sp->ipcp.req_hisaddr = desiredaddr;
2916 hisaddr = desiredaddr;
2917 continue;
2918 }
2919 /*
2920 * The address wasn't agreeable. This is either
2921 * he sent us 0.0.0.0, asking to assign him an
2922 * address, or he send us another address not
2923 * matching our value. Either case, we gonna
2924 * conf-nak it with our value.
2925 */
2926 if (debug) {
2927 if (desiredaddr == 0)
2928 addlog(" [addr requested]");
2929 else
2930 addlog(" %s [not agreed]",
2931 sppp_dotted_quad(desiredaddr));
2932 }
2933
2934 p[2] = hisaddr >> 24;
2935 p[3] = hisaddr >> 16;
2936 p[4] = hisaddr >> 8;
2937 p[5] = hisaddr;
2938 break;
2939 }
2940 if (rlen + l > blen) {
2941 if (debug)
2942 addlog(" [overflow]");
2943 continue;
2944 }
2945 /* Add the option to nak'ed list. */
2946 memcpy(r, p, l);
2947 r += l;
2948 rlen += l;
2949 }
2950
2951 /*
2952 * If we are about to conf-ack the request, but haven't seen
2953 * his address so far, gonna conf-nak it instead, with the
2954 * `address' option present and our idea of his address being
2955 * filled in there, to request negotiation of both addresses.
2956 *
2957 * XXX This can result in an endless req - nak loop if peer
2958 * doesn't want to send us his address. Q: What should we do
2959 * about it? XXX A: implement the max-failure counter.
2960 */
2961 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) {
2962 buf[0] = IPCP_OPT_ADDRESS;
2963 buf[1] = 6;
2964 buf[2] = hisaddr >> 24;
2965 buf[3] = hisaddr >> 16;
2966 buf[4] = hisaddr >> 8;
2967 buf[5] = hisaddr;
2968 rlen = 6;
2969 if (debug)
2970 addlog(" still need hisaddr");
2971 }
2972
2973 if (rlen) {
2974 if (debug)
2975 addlog(" send conf-nak\n");
2976 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf);
2977 } else {
2978 if (debug)
2979 addlog(" send conf-ack\n");
2980 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1);
2981 }
2982
2983 end:
2984 free(buf, M_TEMP);
2985 return (rlen == 0);
2986
2987 drop:
2988 free(buf, M_TEMP);
2989 return -1;
2990 }
2991
2992 /*
2993 * Analyze the IPCP Configure-Reject option list, and adjust our
2994 * negotiation.
2995 */
2996 static void
sppp_ipcp_RCN_rej(struct sppp * sp,struct lcp_header * h,int len)2997 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
2998 {
2999 u_char *buf, *p, l, blen;
3000 struct ifnet *ifp = &sp->pp_if;
3001 int debug = ifp->if_flags & IFF_DEBUG;
3002
3003 len -= 4;
3004 buf = malloc (blen = len, M_TEMP, M_NOWAIT);
3005 if (!buf)
3006 return;
3007
3008 if (debug)
3009 log(LOG_DEBUG, "%s: ipcp rej opts:",
3010 ifp->if_xname);
3011
3012 p = (void *)(h + 1);
3013 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) {
3014 /* Sanity check option length */
3015 if (l > len) {
3016 /* XXX should we just RXJ? */
3017 addlog("%s: malicious IPCP option received, dropping\n",
3018 ifp->if_xname);
3019 goto drop;
3020 }
3021 if (debug)
3022 addlog(" %s", sppp_ipcp_opt_name(*p));
3023 switch (*p) {
3024 case IPCP_OPT_ADDRESS:
3025 /*
3026 * Peer doesn't grok address option. This is
3027 * bad. XXX Should we better give up here?
3028 */
3029 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS);
3030 break;
3031 #ifdef notyet
3032 case IPCP_OPT_COMPRESS:
3033 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS);
3034 break;
3035 #endif
3036 }
3037 }
3038 if (debug)
3039 addlog("\n");
3040 drop:
3041 free(buf, M_TEMP);
3042 return;
3043 }
3044
3045 /*
3046 * Analyze the IPCP Configure-NAK option list, and adjust our
3047 * negotiation.
3048 */
3049 static void
sppp_ipcp_RCN_nak(struct sppp * sp,struct lcp_header * h,int len)3050 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
3051 {
3052 u_char *p, l;
3053 struct ifnet *ifp = &sp->pp_if;
3054 int debug = ifp->if_flags & IFF_DEBUG;
3055 uint32_t wantaddr;
3056
3057 len -= 4;
3058
3059 if (debug)
3060 log(LOG_DEBUG, "%s: ipcp nak opts:",
3061 ifp->if_xname);
3062
3063 p = (void *)(h + 1);
3064 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) {
3065 /* Sanity check option length */
3066 if (l > len) {
3067 /* XXX should we just RXJ? */
3068 addlog("%s: malicious IPCP option received, dropping\n",
3069 ifp->if_xname);
3070 return;
3071 }
3072 if (debug)
3073 addlog(" %s", sppp_ipcp_opt_name(*p));
3074 switch (*p) {
3075 case IPCP_OPT_ADDRESS:
3076 /*
3077 * Peer doesn't like our local IP address. See
3078 * if we can do something for him. We'll drop
3079 * him our address then.
3080 */
3081 if (len >= 6 && l == 6) {
3082 wantaddr = p[2] << 24 | p[3] << 16 |
3083 p[4] << 8 | p[5];
3084 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS);
3085 if (debug)
3086 addlog(" [wantaddr %s]",
3087 sppp_dotted_quad(wantaddr));
3088 /*
3089 * When doing dynamic address assignment,
3090 * we accept his offer. Otherwise, we
3091 * ignore it and thus continue to negotiate
3092 * our already existing value.
3093 */
3094 if (sp->ipcp.flags & IPCP_MYADDR_DYN) {
3095 if (debug)
3096 addlog(" [agree]");
3097 sp->ipcp.flags |= IPCP_MYADDR_SEEN;
3098 sp->ipcp.req_myaddr = wantaddr;
3099 }
3100 }
3101 break;
3102
3103 case IPCP_OPT_PRIMDNS:
3104 if (len >= 6 && l == 6) {
3105 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 |
3106 p[4] << 8 | p[5];
3107 }
3108 break;
3109
3110 case IPCP_OPT_SECDNS:
3111 if (len >= 6 && l == 6) {
3112 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 |
3113 p[4] << 8 | p[5];
3114 }
3115 break;
3116 #ifdef notyet
3117 case IPCP_OPT_COMPRESS:
3118 /*
3119 * Peer wants different compression parameters.
3120 */
3121 break;
3122 #endif
3123 }
3124 }
3125 if (debug)
3126 addlog("\n");
3127 }
3128
3129 static void
sppp_ipcp_tlu(struct sppp * sp)3130 sppp_ipcp_tlu(struct sppp *sp)
3131 {
3132 #ifdef INET
3133 /* we are up. Set addresses and notify anyone interested */
3134 STDDCL;
3135 uint32_t myaddr, hisaddr;
3136
3137 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0);
3138 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN))
3139 myaddr = sp->ipcp.req_myaddr;
3140 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN))
3141 hisaddr = sp->ipcp.req_hisaddr;
3142 sppp_set_ip_addrs(sp, myaddr, hisaddr);
3143
3144 if (ifp->if_mtu > sp->lcp.their_mru) {
3145 sp->pp_saved_mtu = ifp->if_mtu;
3146 ifp->if_mtu = sp->lcp.their_mru;
3147 if (debug)
3148 log(LOG_DEBUG,
3149 "%s: setting MTU to %" PRIu64 " bytes\n",
3150 ifp->if_xname, ifp->if_mtu);
3151 }
3152
3153 if (sp->pp_con)
3154 sp->pp_con(sp);
3155 #endif
3156 }
3157
3158 static void
sppp_ipcp_tld(struct sppp * sp)3159 sppp_ipcp_tld(struct sppp *sp)
3160 {
3161 }
3162
3163 static void
sppp_ipcp_tls(struct sppp * sp)3164 sppp_ipcp_tls(struct sppp *sp)
3165 {
3166 /* indicate to LCP that it must stay alive */
3167 sp->lcp.protos |= (1 << IDX_IPCP);
3168 }
3169
3170 static void
sppp_ipcp_tlf(struct sppp * sp)3171 sppp_ipcp_tlf(struct sppp *sp)
3172 {
3173 /* we no longer need LCP */
3174 sp->lcp.protos &= ~(1 << IDX_IPCP);
3175 }
3176
3177 static void
sppp_ipcp_scr(struct sppp * sp)3178 sppp_ipcp_scr(struct sppp *sp)
3179 {
3180 char opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */];
3181 #ifdef INET
3182 uint32_t ouraddr;
3183 #endif
3184 int i = 0;
3185
3186 #ifdef notyet
3187 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) {
3188 opt[i++] = (char)IPCP_OPT_COMPRESSION;
3189 opt[i++] = 6;
3190 opt[i++] = 0; /* VJ header compression */
3191 opt[i++] = 0x2d; /* VJ header compression */
3192 opt[i++] = max_slot_id;
3193 opt[i++] = comp_slot_id;
3194 }
3195 #endif
3196
3197 #ifdef INET
3198 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) {
3199 if (sp->ipcp.flags & IPCP_MYADDR_SEEN)
3200 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */
3201 else
3202 sppp_get_ip_addrs(sp, &ouraddr, 0, 0);
3203 opt[i++] = IPCP_OPT_ADDRESS;
3204 opt[i++] = 6;
3205 opt[i++] = ouraddr >> 24;
3206 opt[i++] = ouraddr >> 16;
3207 opt[i++] = ouraddr >> 8;
3208 opt[i++] = ouraddr;
3209 }
3210 #endif
3211
3212 if (sp->query_dns & 1) {
3213 opt[i++] = (char)IPCP_OPT_PRIMDNS;
3214 opt[i++] = 6;
3215 opt[i++] = sp->dns_addrs[0] >> 24;
3216 opt[i++] = sp->dns_addrs[0] >> 16;
3217 opt[i++] = sp->dns_addrs[0] >> 8;
3218 opt[i++] = sp->dns_addrs[0];
3219 }
3220 if (sp->query_dns & 2) {
3221 opt[i++] = (char)IPCP_OPT_SECDNS;
3222 opt[i++] = 6;
3223 opt[i++] = sp->dns_addrs[1] >> 24;
3224 opt[i++] = sp->dns_addrs[1] >> 16;
3225 opt[i++] = sp->dns_addrs[1] >> 8;
3226 opt[i++] = sp->dns_addrs[1];
3227 }
3228
3229 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP];
3230 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt);
3231 }
3232
3233
3234 /*
3235 *--------------------------------------------------------------------------*
3236 * *
3237 * The IPv6CP implementation. *
3238 * *
3239 *--------------------------------------------------------------------------*
3240 */
3241
3242 #ifdef INET6
3243 static void
sppp_ipv6cp_init(struct sppp * sp)3244 sppp_ipv6cp_init(struct sppp *sp)
3245 {
3246 sp->ipv6cp.opts = 0;
3247 sp->ipv6cp.flags = 0;
3248 sp->state[IDX_IPV6CP] = STATE_INITIAL;
3249 sp->fail_counter[IDX_IPV6CP] = 0;
3250 sp->pp_seq[IDX_IPV6CP] = 0;
3251 sp->pp_rseq[IDX_IPV6CP] = 0;
3252 callout_init(&sp->ch[IDX_IPV6CP], 0);
3253 }
3254
3255 static void
sppp_ipv6cp_up(struct sppp * sp)3256 sppp_ipv6cp_up(struct sppp *sp)
3257 {
3258 sppp_up_event(&ipv6cp, sp);
3259 }
3260
3261 static void
sppp_ipv6cp_down(struct sppp * sp)3262 sppp_ipv6cp_down(struct sppp *sp)
3263 {
3264 sppp_down_event(&ipv6cp, sp);
3265 }
3266
3267 static void
sppp_ipv6cp_open(struct sppp * sp)3268 sppp_ipv6cp_open(struct sppp *sp)
3269 {
3270 STDDCL;
3271 struct in6_addr myaddr, hisaddr;
3272
3273 #ifdef IPV6CP_MYIFID_DYN
3274 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN);
3275 #else
3276 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN;
3277 #endif
3278
3279 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0);
3280 /*
3281 * If we don't have our address, this probably means our
3282 * interface doesn't want to talk IPv6 at all. (This could
3283 * be the case if somebody wants to speak only IPX, for
3284 * example.) Don't open IPv6CP in this case.
3285 */
3286 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) {
3287 /* XXX this message should go away */
3288 if (debug)
3289 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n",
3290 ifp->if_xname);
3291 return;
3292 }
3293
3294 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN;
3295 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID);
3296 sppp_open_event(&ipv6cp, sp);
3297 }
3298
3299 static void
sppp_ipv6cp_close(struct sppp * sp)3300 sppp_ipv6cp_close(struct sppp *sp)
3301 {
3302 sppp_close_event(&ipv6cp, sp);
3303 }
3304
3305 static void
sppp_ipv6cp_TO(void * cookie)3306 sppp_ipv6cp_TO(void *cookie)
3307 {
3308 sppp_to_event(&ipv6cp, (struct sppp *)cookie);
3309 }
3310
3311 /*
3312 * Analyze a configure request. Return true if it was agreeable, and
3313 * caused action sca, false if it has been rejected or nak'ed, and
3314 * caused action scn. (The return value is used to make the state
3315 * transition decision in the state automaton.)
3316 */
3317 static int
sppp_ipv6cp_RCR(struct sppp * sp,struct lcp_header * h,int len)3318 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len)
3319 {
3320 u_char *buf, *r, *p, l, blen;
3321 struct ifnet *ifp = &sp->pp_if;
3322 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG;
3323 struct in6_addr myaddr, desiredaddr, suggestaddr;
3324 int ifidcount;
3325 int type;
3326 int collision, nohisaddr;
3327
3328 len -= 4;
3329 origlen = len;
3330 /*
3331 * Make sure to allocate a buf that can at least hold a
3332 * conf-nak with an `address' option. We might need it below.
3333 */
3334 blen = len < 6 ? 6 : len;
3335 buf = r = malloc (blen, M_TEMP, M_NOWAIT);
3336 if (! buf)
3337 return (0);
3338
3339 /* pass 1: see if we can recognize them */
3340 if (debug)
3341 log(LOG_DEBUG, "%s: ipv6cp parse opts:",
3342 ifp->if_xname);
3343 p = (void *)(h + 1);
3344 ifidcount = 0;
3345 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) {
3346 /* Sanity check option length */
3347 if (l > len) {
3348 /* XXX just RXJ? */
3349 addlog("%s: received malicious IPCPv6 option, "
3350 "dropping\n", ifp->if_xname);
3351 goto drop;
3352 }
3353 if (debug)
3354 addlog(" %s", sppp_ipv6cp_opt_name(*p));
3355 switch (*p) {
3356 case IPV6CP_OPT_IFID:
3357 if (len >= 10 && l == 10 && ifidcount == 0) {
3358 /* correctly formed address option */
3359 ifidcount++;
3360 continue;
3361 }
3362 if (debug)
3363 addlog(" [invalid]");
3364 break;
3365 #ifdef notyet
3366 case IPV6CP_OPT_COMPRESSION:
3367 if (len >= 4 && l >= 4) {
3368 /* correctly formed compress option */
3369 continue;
3370 }
3371 if (debug)
3372 addlog(" [invalid]");
3373 break;
3374 #endif
3375 default:
3376 /* Others not supported. */
3377 if (debug)
3378 addlog(" [rej]");
3379 break;
3380 }
3381 if (rlen + l > blen) {
3382 if (debug)
3383 addlog(" [overflow]");
3384 continue;
3385 }
3386 /* Add the option to rejected list. */
3387 memcpy(r, p, l);
3388 r += l;
3389 rlen += l;
3390 }
3391 if (rlen) {
3392 if (debug)
3393 addlog(" send conf-rej\n");
3394 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf);
3395 goto end;
3396 } else if (debug)
3397 addlog("\n");
3398
3399 /* pass 2: parse option values */
3400 sppp_get_ip6_addrs(sp, &myaddr, 0, 0);
3401 if (debug)
3402 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ",
3403 ifp->if_xname);
3404 p = (void *)(h + 1);
3405 len = origlen;
3406 type = CONF_ACK;
3407 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) {
3408 if (debug)
3409 addlog(" %s", sppp_ipv6cp_opt_name(*p));
3410 switch (*p) {
3411 #ifdef notyet
3412 case IPV6CP_OPT_COMPRESSION:
3413 continue;
3414 #endif
3415 case IPV6CP_OPT_IFID:
3416 memset(&desiredaddr, 0, sizeof(desiredaddr));
3417 memcpy(&desiredaddr.s6_addr[8], &p[2], 8);
3418 collision = (memcmp(&desiredaddr.s6_addr[8],
3419 &myaddr.s6_addr[8], 8) == 0);
3420 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr);
3421
3422 desiredaddr.s6_addr16[0] = htons(0xfe80);
3423 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL);
3424
3425 if (!collision && !nohisaddr) {
3426 /* no collision, hisaddr known - Conf-Ack */
3427 type = CONF_ACK;
3428
3429 if (debug) {
3430 addlog(" %s [%s]",
3431 ip6_sprintf(&desiredaddr),
3432 sppp_cp_type_name(type));
3433 }
3434 continue;
3435 }
3436
3437 memset(&suggestaddr, 0, sizeof(suggestaddr));
3438 if (collision && nohisaddr) {
3439 /* collision, hisaddr unknown - Conf-Rej */
3440 type = CONF_REJ;
3441 memset(&p[2], 0, 8);
3442 } else {
3443 /*
3444 * - no collision, hisaddr unknown, or
3445 * - collision, hisaddr known
3446 * Conf-Nak, suggest hisaddr
3447 */
3448 type = CONF_NAK;
3449 sppp_suggest_ip6_addr(sp, &suggestaddr);
3450 memcpy(&p[2], &suggestaddr.s6_addr[8], 8);
3451 }
3452 if (debug)
3453 addlog(" %s [%s]", ip6_sprintf(&desiredaddr),
3454 sppp_cp_type_name(type));
3455 break;
3456 }
3457 if (rlen + l > blen) {
3458 if (debug)
3459 addlog(" [overflow]");
3460 continue;
3461 }
3462 /* Add the option to nak'ed list. */
3463 memcpy(r, p, l);
3464 r += l;
3465 rlen += l;
3466 }
3467
3468 if (rlen == 0 && type == CONF_ACK) {
3469 if (debug)
3470 addlog(" send %s\n", sppp_cp_type_name(type));
3471 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1);
3472 } else {
3473 #ifdef notdef
3474 if (type == CONF_ACK)
3475 panic("IPv6CP RCR: CONF_ACK with non-zero rlen");
3476 #endif
3477
3478 if (debug) {
3479 addlog(" send %s suggest %s\n",
3480 sppp_cp_type_name(type), ip6_sprintf(&suggestaddr));
3481 }
3482 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf);
3483 }
3484
3485 end:
3486 free(buf, M_TEMP);
3487 return (rlen == 0);
3488
3489 drop:
3490 free(buf, M_TEMP);
3491 return -1;
3492 }
3493
3494 /*
3495 * Analyze the IPv6CP Configure-Reject option list, and adjust our
3496 * negotiation.
3497 */
3498 static void
sppp_ipv6cp_RCN_rej(struct sppp * sp,struct lcp_header * h,int len)3499 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
3500 {
3501 u_char *buf, *p, l, blen;
3502 struct ifnet *ifp = &sp->pp_if;
3503 int debug = ifp->if_flags & IFF_DEBUG;
3504
3505 len -= 4;
3506 buf = malloc (blen = len, M_TEMP, M_NOWAIT);
3507 if (!buf)
3508 return;
3509
3510 if (debug)
3511 log(LOG_DEBUG, "%s: ipv6cp rej opts:",
3512 ifp->if_xname);
3513
3514 p = (void *)(h + 1);
3515 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) {
3516 if (l > len) {
3517 /* XXX just RXJ? */
3518 addlog("%s: received malicious IPCPv6 option, "
3519 "dropping\n", ifp->if_xname);
3520 goto drop;
3521 }
3522 if (debug)
3523 addlog(" %s", sppp_ipv6cp_opt_name(*p));
3524 switch (*p) {
3525 case IPV6CP_OPT_IFID:
3526 /*
3527 * Peer doesn't grok address option. This is
3528 * bad. XXX Should we better give up here?
3529 */
3530 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID);
3531 break;
3532 #ifdef notyet
3533 case IPV6CP_OPT_COMPRESS:
3534 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS);
3535 break;
3536 #endif
3537 }
3538 }
3539 if (debug)
3540 addlog("\n");
3541 drop:
3542 free(buf, M_TEMP);
3543 return;
3544 }
3545
3546 /*
3547 * Analyze the IPv6CP Configure-NAK option list, and adjust our
3548 * negotiation.
3549 */
3550 static void
sppp_ipv6cp_RCN_nak(struct sppp * sp,struct lcp_header * h,int len)3551 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
3552 {
3553 u_char *buf, *p, l, blen;
3554 struct ifnet *ifp = &sp->pp_if;
3555 int debug = ifp->if_flags & IFF_DEBUG;
3556 struct in6_addr suggestaddr;
3557
3558 len -= 4;
3559 buf = malloc (blen = len, M_TEMP, M_NOWAIT);
3560 if (!buf)
3561 return;
3562
3563 if (debug)
3564 log(LOG_DEBUG, "%s: ipv6cp nak opts:",
3565 ifp->if_xname);
3566
3567 p = (void *)(h + 1);
3568 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) {
3569 if (l > len) {
3570 /* XXX just RXJ? */
3571 addlog("%s: received malicious IPCPv6 option, "
3572 "dropping\n", ifp->if_xname);
3573 goto drop;
3574 }
3575 if (debug)
3576 addlog(" %s", sppp_ipv6cp_opt_name(*p));
3577 switch (*p) {
3578 case IPV6CP_OPT_IFID:
3579 /*
3580 * Peer doesn't like our local ifid. See
3581 * if we can do something for him. We'll drop
3582 * him our address then.
3583 */
3584 if (len < 10 || l != 10)
3585 break;
3586 memset(&suggestaddr, 0, sizeof(suggestaddr));
3587 suggestaddr.s6_addr16[0] = htons(0xfe80);
3588 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL);
3589 memcpy(&suggestaddr.s6_addr[8], &p[2], 8);
3590
3591 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID);
3592 if (debug)
3593 addlog(" [suggestaddr %s]",
3594 ip6_sprintf(&suggestaddr));
3595 #ifdef IPV6CP_MYIFID_DYN
3596 /*
3597 * When doing dynamic address assignment,
3598 * we accept his offer.
3599 */
3600 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) {
3601 struct in6_addr lastsuggest;
3602 /*
3603 * If <suggested myaddr from peer> equals to
3604 * <hisaddr we have suggested last time>,
3605 * we have a collision. generate new random
3606 * ifid.
3607 */
3608 sppp_suggest_ip6_addr(&lastsuggest);
3609 if (IN6_ARE_ADDR_EQUAL(&suggestaddr,
3610 lastsuggest)) {
3611 if (debug)
3612 addlog(" [random]");
3613 sppp_gen_ip6_addr(sp, &suggestaddr);
3614 }
3615 sppp_set_ip6_addr(sp, &suggestaddr, 0);
3616 if (debug)
3617 addlog(" [agree]");
3618 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN;
3619 }
3620 #else
3621 /*
3622 * Since we do not do dynamic address assignment,
3623 * we ignore it and thus continue to negotiate
3624 * our already existing value. This can possibly
3625 * go into infinite request-reject loop.
3626 *
3627 * This is not likely because we normally use
3628 * ifid based on MAC-address.
3629 * If you have no ethernet card on the node, too bad.
3630 * XXX should we use fail_counter?
3631 */
3632 #endif
3633 break;
3634 #ifdef notyet
3635 case IPV6CP_OPT_COMPRESS:
3636 /*
3637 * Peer wants different compression parameters.
3638 */
3639 break;
3640 #endif
3641 }
3642 }
3643 if (debug)
3644 addlog("\n");
3645 drop:
3646 free(buf, M_TEMP);
3647 return;
3648 }
3649
3650 static void
sppp_ipv6cp_tlu(struct sppp * sp)3651 sppp_ipv6cp_tlu(struct sppp *sp)
3652 {
3653 /* we are up - notify isdn daemon */
3654 if (sp->pp_con)
3655 sp->pp_con(sp);
3656 }
3657
3658 static void
sppp_ipv6cp_tld(struct sppp * sp)3659 sppp_ipv6cp_tld(struct sppp *sp)
3660 {
3661 }
3662
3663 static void
sppp_ipv6cp_tls(struct sppp * sp)3664 sppp_ipv6cp_tls(struct sppp *sp)
3665 {
3666 /* indicate to LCP that it must stay alive */
3667 sp->lcp.protos |= (1 << IDX_IPV6CP);
3668 }
3669
3670 static void
sppp_ipv6cp_tlf(struct sppp * sp)3671 sppp_ipv6cp_tlf(struct sppp *sp)
3672 {
3673 /* we no longer need LCP */
3674 sp->lcp.protos &= ~(1 << IDX_IPV6CP);
3675 }
3676
3677 static void
sppp_ipv6cp_scr(struct sppp * sp)3678 sppp_ipv6cp_scr(struct sppp *sp)
3679 {
3680 char opt[10 /* ifid */ + 4 /* compression, minimum */];
3681 struct in6_addr ouraddr;
3682 int i = 0;
3683
3684 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) {
3685 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0);
3686 opt[i++] = IPV6CP_OPT_IFID;
3687 opt[i++] = 10;
3688 memcpy(&opt[i], &ouraddr.s6_addr[8], 8);
3689 i += 8;
3690 }
3691
3692 #ifdef notyet
3693 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) {
3694 opt[i++] = IPV6CP_OPT_COMPRESSION;
3695 opt[i++] = 4;
3696 opt[i++] = 0; /* TBD */
3697 opt[i++] = 0; /* TBD */
3698 /* variable length data may follow */
3699 }
3700 #endif
3701
3702 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP];
3703 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt);
3704 }
3705 #else /*INET6*/
3706 static void
sppp_ipv6cp_init(struct sppp * sp)3707 sppp_ipv6cp_init(struct sppp *sp)
3708 {
3709 }
3710
3711 static void
sppp_ipv6cp_up(struct sppp * sp)3712 sppp_ipv6cp_up(struct sppp *sp)
3713 {
3714 }
3715
3716 static void
sppp_ipv6cp_down(struct sppp * sp)3717 sppp_ipv6cp_down(struct sppp *sp)
3718 {
3719 }
3720
3721 static void
sppp_ipv6cp_open(struct sppp * sp)3722 sppp_ipv6cp_open(struct sppp *sp)
3723 {
3724 }
3725
3726 static void
sppp_ipv6cp_close(struct sppp * sp)3727 sppp_ipv6cp_close(struct sppp *sp)
3728 {
3729 }
3730
3731 static void
sppp_ipv6cp_TO(void * sp)3732 sppp_ipv6cp_TO(void *sp)
3733 {
3734 }
3735
3736 static int
sppp_ipv6cp_RCR(struct sppp * sp,struct lcp_header * h,int len)3737 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h,
3738 int len)
3739 {
3740 return 0;
3741 }
3742
3743 static void
sppp_ipv6cp_RCN_rej(struct sppp * sp,struct lcp_header * h,int len)3744 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h,
3745 int len)
3746 {
3747 }
3748
3749 static void
sppp_ipv6cp_RCN_nak(struct sppp * sp,struct lcp_header * h,int len)3750 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h,
3751 int len)
3752 {
3753 }
3754
3755 static void
sppp_ipv6cp_tlu(struct sppp * sp)3756 sppp_ipv6cp_tlu(struct sppp *sp)
3757 {
3758 }
3759
3760 static void
sppp_ipv6cp_tld(struct sppp * sp)3761 sppp_ipv6cp_tld(struct sppp *sp)
3762 {
3763 }
3764
3765 static void
sppp_ipv6cp_tls(struct sppp * sp)3766 sppp_ipv6cp_tls(struct sppp *sp)
3767 {
3768 }
3769
3770 static void
sppp_ipv6cp_tlf(struct sppp * sp)3771 sppp_ipv6cp_tlf(struct sppp *sp)
3772 {
3773 }
3774
3775 static void
sppp_ipv6cp_scr(struct sppp * sp)3776 sppp_ipv6cp_scr(struct sppp *sp)
3777 {
3778 }
3779 #endif /*INET6*/
3780
3781
3782 /*
3783 *--------------------------------------------------------------------------*
3784 * *
3785 * The CHAP implementation. *
3786 * *
3787 *--------------------------------------------------------------------------*
3788 */
3789
3790 /*
3791 * The authentication protocols don't employ a full-fledged state machine as
3792 * the control protocols do, since they do have Open and Close events, but
3793 * not Up and Down, nor are they explicitly terminated. Also, use of the
3794 * authentication protocols may be different in both directions (this makes
3795 * sense, think of a machine that never accepts incoming calls but only
3796 * calls out, it doesn't require the called party to authenticate itself).
3797 *
3798 * Our state machine for the local authentication protocol (we are requesting
3799 * the peer to authenticate) looks like:
3800 *
3801 * RCA-
3802 * +--------------------------------------------+
3803 * V scn,tld|
3804 * +--------+ Close +---------+ RCA+
3805 * | |<----------------------------------| |------+
3806 * +--->| Closed | TO* | Opened | sca |
3807 * | | |-----+ +-------| |<-----+
3808 * | +--------+ irc | | +---------+
3809 * | ^ | | ^
3810 * | | | | |
3811 * | | | | |
3812 * | TO-| | | |
3813 * | |tld TO+ V | |
3814 * | | +------->+ | |
3815 * | | | | | |
3816 * | +--------+ V | |
3817 * | | |<----+<--------------------+ |
3818 * | | Req- | scr |
3819 * | | Sent | |
3820 * | | | |
3821 * | +--------+ |
3822 * | RCA- | | RCA+ |
3823 * +------+ +------------------------------------------+
3824 * scn,tld sca,irc,ict,tlu
3825 *
3826 *
3827 * with:
3828 *
3829 * Open: LCP reached authentication phase
3830 * Close: LCP reached terminate phase
3831 *
3832 * RCA+: received reply (pap-req, chap-response), acceptable
3833 * RCN: received reply (pap-req, chap-response), not acceptable
3834 * TO+: timeout with restart counter >= 0
3835 * TO-: timeout with restart counter < 0
3836 * TO*: reschedule timeout for CHAP
3837 *
3838 * scr: send request packet (none for PAP, chap-challenge)
3839 * sca: send ack packet (pap-ack, chap-success)
3840 * scn: send nak packet (pap-nak, chap-failure)
3841 * ict: initialize re-challenge timer (CHAP only)
3842 *
3843 * tlu: this-layer-up, LCP reaches network phase
3844 * tld: this-layer-down, LCP enters terminate phase
3845 *
3846 * Note that in CHAP mode, after sending a new challenge, while the state
3847 * automaton falls back into Req-Sent state, it doesn't signal a tld
3848 * event to LCP, so LCP remains in network phase. Only after not getting
3849 * any response (or after getting an unacceptable response), CHAP closes,
3850 * causing LCP to enter terminate phase.
3851 *
3852 * With PAP, there is no initial request that can be sent. The peer is
3853 * expected to send one based on the successful negotiation of PAP as
3854 * the authentication protocol during the LCP option negotiation.
3855 *
3856 * Incoming authentication protocol requests (remote requests
3857 * authentication, we are peer) don't employ a state machine at all,
3858 * they are simply answered. Some peers [Ascend P50 firmware rev
3859 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are
3860 * still in authentication phase (thereby violating the standard that
3861 * demands that these NCP packets are to be discarded), so we keep
3862 * track of the peer demanding us to authenticate, and only proceed to
3863 * phase network once we've seen a positive acknowledge for the
3864 * authentication.
3865 */
3866
3867 /*
3868 * Handle incoming CHAP packets.
3869 */
3870 void
sppp_chap_input(struct sppp * sp,struct mbuf * m)3871 sppp_chap_input(struct sppp *sp, struct mbuf *m)
3872 {
3873 STDDCL;
3874 struct lcp_header *h;
3875 int len, x;
3876 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize;
3877 int value_len, name_len;
3878 MD5_CTX ctx;
3879
3880 len = m->m_pkthdr.len;
3881 if (len < 4) {
3882 if (debug)
3883 log(LOG_DEBUG,
3884 "%s: chap invalid packet length: %d bytes\n",
3885 ifp->if_xname, len);
3886 return;
3887 }
3888 h = mtod(m, struct lcp_header *);
3889 if (len > ntohs(h->len))
3890 len = ntohs(h->len);
3891
3892 switch (h->type) {
3893 /* challenge, failure and success are his authproto */
3894 case CHAP_CHALLENGE:
3895 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) {
3896 /* can't do anything useful */
3897 sp->pp_auth_failures++;
3898 printf("%s: chap input without my name and my secret being set\n",
3899 ifp->if_xname);
3900 break;
3901 }
3902 value = 1 + (u_char *)(h + 1);
3903 value_len = value[-1];
3904 name = value + value_len;
3905 name_len = len - value_len - 5;
3906 if (name_len < 0) {
3907 if (debug) {
3908 log(LOG_DEBUG,
3909 "%s: chap corrupted challenge "
3910 "<%s id=0x%x len=%d",
3911 ifp->if_xname,
3912 sppp_auth_type_name(PPP_CHAP, h->type),
3913 h->ident, ntohs(h->len));
3914 if (len > 4)
3915 sppp_print_bytes((u_char *)(h + 1),
3916 len - 4);
3917 addlog(">\n");
3918 }
3919 break;
3920 }
3921
3922 if (debug) {
3923 log(LOG_DEBUG,
3924 "%s: chap input <%s id=0x%x len=%d name=",
3925 ifp->if_xname,
3926 sppp_auth_type_name(PPP_CHAP, h->type), h->ident,
3927 ntohs(h->len));
3928 sppp_print_string((char *) name, name_len);
3929 addlog(" value-size=%d value=", value_len);
3930 sppp_print_bytes(value, value_len);
3931 addlog(">\n");
3932 }
3933
3934 /* Compute reply value. */
3935 MD5Init(&ctx);
3936 MD5Update(&ctx, &h->ident, 1);
3937 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len);
3938 MD5Update(&ctx, value, value_len);
3939 MD5Final(digest, &ctx);
3940 dsize = sizeof digest;
3941
3942 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident,
3943 sizeof dsize, (const char *)&dsize,
3944 sizeof digest, digest,
3945 sp->myauth.name_len,
3946 sp->myauth.name,
3947 0);
3948 break;
3949
3950 case CHAP_SUCCESS:
3951 if (debug) {
3952 log(LOG_DEBUG, "%s: chap success",
3953 ifp->if_xname);
3954 if (len > 4) {
3955 addlog(": ");
3956 sppp_print_string((char *)(h + 1), len - 4);
3957 }
3958 addlog("\n");
3959 }
3960 x = splnet();
3961 sp->pp_auth_failures = 0;
3962 sp->pp_flags &= ~PP_NEEDAUTH;
3963 if (sp->myauth.proto == PPP_CHAP &&
3964 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) &&
3965 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) {
3966 /*
3967 * We are authenticator for CHAP but didn't
3968 * complete yet. Leave it to tlu to proceed
3969 * to network phase.
3970 */
3971 splx(x);
3972 break;
3973 }
3974 splx(x);
3975 sppp_phase_network(sp);
3976 break;
3977
3978 case CHAP_FAILURE:
3979 x = splnet();
3980 sp->pp_auth_failures++;
3981 splx(x);
3982 if (debug) {
3983 log(LOG_INFO, "%s: chap failure",
3984 ifp->if_xname);
3985 if (len > 4) {
3986 addlog(": ");
3987 sppp_print_string((char *)(h + 1), len - 4);
3988 }
3989 addlog("\n");
3990 } else
3991 log(LOG_INFO, "%s: chap failure\n",
3992 ifp->if_xname);
3993 /* await LCP shutdown by authenticator */
3994 break;
3995
3996 /* response is my authproto */
3997 case CHAP_RESPONSE:
3998 if (sp->hisauth.secret == NULL) {
3999 /* can't do anything useful */
4000 printf("%s: chap input without his secret being set\n",
4001 ifp->if_xname);
4002 break;
4003 }
4004 value = 1 + (u_char *)(h + 1);
4005 value_len = value[-1];
4006 name = value + value_len;
4007 name_len = len - value_len - 5;
4008 if (name_len < 0) {
4009 if (debug) {
4010 log(LOG_DEBUG,
4011 "%s: chap corrupted response "
4012 "<%s id=0x%x len=%d",
4013 ifp->if_xname,
4014 sppp_auth_type_name(PPP_CHAP, h->type),
4015 h->ident, ntohs(h->len));
4016 if (len > 4)
4017 sppp_print_bytes((u_char *)(h + 1),
4018 len - 4);
4019 addlog(">\n");
4020 }
4021 break;
4022 }
4023 if (h->ident != sp->confid[IDX_CHAP]) {
4024 if (debug)
4025 log(LOG_DEBUG,
4026 "%s: chap dropping response for old ID "
4027 "(got %d, expected %d)\n",
4028 ifp->if_xname,
4029 h->ident, sp->confid[IDX_CHAP]);
4030 break;
4031 }
4032 if (sp->hisauth.name != NULL &&
4033 (name_len != sp->hisauth.name_len
4034 || memcmp(name, sp->hisauth.name, name_len) != 0)) {
4035 log(LOG_INFO, "%s: chap response, his name ",
4036 ifp->if_xname);
4037 sppp_print_string(name, name_len);
4038 addlog(" != expected ");
4039 sppp_print_string(sp->hisauth.name,
4040 sp->hisauth.name_len);
4041 addlog("\n");
4042 goto chap_failure;
4043 }
4044 if (debug) {
4045 log(LOG_DEBUG, "%s: chap input(%s) "
4046 "<%s id=0x%x len=%d name=",
4047 ifp->if_xname,
4048 sppp_state_name(sp->state[IDX_CHAP]),
4049 sppp_auth_type_name(PPP_CHAP, h->type),
4050 h->ident, ntohs(h->len));
4051 sppp_print_string((char *)name, name_len);
4052 addlog(" value-size=%d value=", value_len);
4053 sppp_print_bytes(value, value_len);
4054 addlog(">\n");
4055 }
4056 if (value_len != sizeof(sp->myauth.challenge)) {
4057 if (debug)
4058 log(LOG_DEBUG,
4059 "%s: chap bad hash value length: "
4060 "%d bytes, should be %ld\n",
4061 ifp->if_xname, value_len,
4062 (long) sizeof(sp->myauth.challenge));
4063 goto chap_failure;
4064 }
4065
4066 MD5Init(&ctx);
4067 MD5Update(&ctx, &h->ident, 1);
4068 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len);
4069 MD5Update(&ctx, sp->myauth.challenge, sizeof(sp->myauth.challenge));
4070 MD5Final(digest, &ctx);
4071
4072 #define FAILMSG "Failed..."
4073 #define SUCCMSG "Welcome!"
4074
4075 if (value_len != sizeof digest ||
4076 memcmp(digest, value, value_len) != 0) {
4077 chap_failure:
4078 /* action scn, tld */
4079 x = splnet();
4080 sp->pp_auth_failures++;
4081 splx(x);
4082 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident,
4083 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG,
4084 0);
4085 chap.tld(sp);
4086 break;
4087 }
4088 sp->pp_auth_failures = 0;
4089 /* action sca, perhaps tlu */
4090 if (sp->state[IDX_CHAP] == STATE_REQ_SENT ||
4091 sp->state[IDX_CHAP] == STATE_OPENED)
4092 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident,
4093 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG,
4094 0);
4095 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) {
4096 sppp_cp_change_state(&chap, sp, STATE_OPENED);
4097 chap.tlu(sp);
4098 }
4099 break;
4100
4101 default:
4102 /* Unknown CHAP packet type -- ignore. */
4103 if (debug) {
4104 log(LOG_DEBUG, "%s: chap unknown input(%s) "
4105 "<0x%x id=0x%xh len=%d",
4106 ifp->if_xname,
4107 sppp_state_name(sp->state[IDX_CHAP]),
4108 h->type, h->ident, ntohs(h->len));
4109 if (len > 4)
4110 sppp_print_bytes((u_char *)(h + 1), len - 4);
4111 addlog(">\n");
4112 }
4113 break;
4114
4115 }
4116 }
4117
4118 static void
sppp_chap_init(struct sppp * sp)4119 sppp_chap_init(struct sppp *sp)
4120 {
4121 /* Chap doesn't have STATE_INITIAL at all. */
4122 sp->state[IDX_CHAP] = STATE_CLOSED;
4123 sp->fail_counter[IDX_CHAP] = 0;
4124 sp->pp_seq[IDX_CHAP] = 0;
4125 sp->pp_rseq[IDX_CHAP] = 0;
4126 callout_init(&sp->ch[IDX_CHAP], 0);
4127 }
4128
4129 static void
sppp_chap_open(struct sppp * sp)4130 sppp_chap_open(struct sppp *sp)
4131 {
4132 if (sp->myauth.proto == PPP_CHAP &&
4133 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) {
4134 /* we are authenticator for CHAP, start it */
4135 chap.scr(sp);
4136 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure;
4137 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT);
4138 }
4139 /* nothing to be done if we are peer, await a challenge */
4140 }
4141
4142 static void
sppp_chap_close(struct sppp * sp)4143 sppp_chap_close(struct sppp *sp)
4144 {
4145 if (sp->state[IDX_CHAP] != STATE_CLOSED)
4146 sppp_cp_change_state(&chap, sp, STATE_CLOSED);
4147 }
4148
4149 static void
sppp_chap_TO(void * cookie)4150 sppp_chap_TO(void *cookie)
4151 {
4152 struct sppp *sp = (struct sppp *)cookie;
4153 STDDCL;
4154 int s;
4155
4156 s = splnet();
4157 if (debug)
4158 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n",
4159 ifp->if_xname,
4160 sppp_state_name(sp->state[IDX_CHAP]),
4161 sp->rst_counter[IDX_CHAP]);
4162
4163 if (--sp->rst_counter[IDX_CHAP] < 0)
4164 /* TO- event */
4165 switch (sp->state[IDX_CHAP]) {
4166 case STATE_REQ_SENT:
4167 chap.tld(sp);
4168 sppp_cp_change_state(&chap, sp, STATE_CLOSED);
4169 break;
4170 }
4171 else
4172 /* TO+ (or TO*) event */
4173 switch (sp->state[IDX_CHAP]) {
4174 case STATE_OPENED:
4175 /* TO* event */
4176 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure;
4177 /* fall through */
4178 case STATE_REQ_SENT:
4179 chap.scr(sp);
4180 /* sppp_cp_change_state() will restart the timer */
4181 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT);
4182 break;
4183 }
4184
4185 splx(s);
4186 }
4187
4188 static void
sppp_chap_tlu(struct sppp * sp)4189 sppp_chap_tlu(struct sppp *sp)
4190 {
4191 STDDCL;
4192 int i, x;
4193
4194 i = 0;
4195 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure;
4196
4197 /*
4198 * Some broken CHAP implementations (Conware CoNet, firmware
4199 * 4.0.?) don't want to re-authenticate their CHAP once the
4200 * initial challenge-response exchange has taken place.
4201 * Provide for an option to avoid rechallenges.
4202 */
4203 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) {
4204 /*
4205 * Compute the re-challenge timeout. This will yield
4206 * a number between 300 and 810 seconds.
4207 */
4208 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7);
4209
4210 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp);
4211 }
4212
4213 if (debug) {
4214 log(LOG_DEBUG,
4215 "%s: chap %s, ",
4216 ifp->if_xname,
4217 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu");
4218 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0)
4219 addlog("next re-challenge in %d seconds\n", i);
4220 else
4221 addlog("re-challenging supressed\n");
4222 }
4223
4224 x = splnet();
4225 sp->pp_auth_failures = 0;
4226 /* indicate to LCP that we need to be closed down */
4227 sp->lcp.protos |= (1 << IDX_CHAP);
4228
4229 if (sp->pp_flags & PP_NEEDAUTH) {
4230 /*
4231 * Remote is authenticator, but his auth proto didn't
4232 * complete yet. Defer the transition to network
4233 * phase.
4234 */
4235 splx(x);
4236 return;
4237 }
4238 splx(x);
4239
4240 /*
4241 * If we are already in phase network, we are done here. This
4242 * is the case if this is a dummy tlu event after a re-challenge.
4243 */
4244 if (sp->pp_phase != SPPP_PHASE_NETWORK)
4245 sppp_phase_network(sp);
4246 }
4247
4248 static void
sppp_chap_tld(struct sppp * sp)4249 sppp_chap_tld(struct sppp *sp)
4250 {
4251 STDDCL;
4252
4253 if (debug)
4254 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname);
4255 callout_stop(&sp->ch[IDX_CHAP]);
4256 sp->lcp.protos &= ~(1 << IDX_CHAP);
4257
4258 lcp.Close(sp);
4259 }
4260
4261 static void
sppp_chap_scr(struct sppp * sp)4262 sppp_chap_scr(struct sppp *sp)
4263 {
4264 uint32_t *ch;
4265 u_char clen = 4 * sizeof(uint32_t);
4266
4267 if (sp->myauth.name == NULL) {
4268 /* can't do anything useful */
4269 printf("%s: chap starting without my name being set\n",
4270 sp->pp_if.if_xname);
4271 return;
4272 }
4273
4274 /* Compute random challenge. */
4275 ch = (uint32_t *)sp->myauth.challenge;
4276 cprng_strong(kern_cprng, ch, clen, 0);
4277
4278 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP];
4279
4280 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP],
4281 sizeof clen, (const char *)&clen,
4282 sizeof(sp->myauth.challenge), sp->myauth.challenge,
4283 sp->myauth.name_len,
4284 sp->myauth.name,
4285 0);
4286 }
4287
4288 /*
4289 *--------------------------------------------------------------------------*
4290 * *
4291 * The PAP implementation. *
4292 * *
4293 *--------------------------------------------------------------------------*
4294 */
4295 /*
4296 * For PAP, we need to keep a little state also if we are the peer, not the
4297 * authenticator. This is since we don't get a request to authenticate, but
4298 * have to repeatedly authenticate ourself until we got a response (or the
4299 * retry counter is expired).
4300 */
4301
4302 /*
4303 * Handle incoming PAP packets. */
4304 static void
sppp_pap_input(struct sppp * sp,struct mbuf * m)4305 sppp_pap_input(struct sppp *sp, struct mbuf *m)
4306 {
4307 STDDCL;
4308 struct lcp_header *h;
4309 int len, x;
4310 u_char mlen;
4311 char *name, *secret;
4312 int name_len, secret_len;
4313
4314 /*
4315 * Malicious input might leave this uninitialized, so
4316 * init to an impossible value.
4317 */
4318 secret_len = -1;
4319
4320 len = m->m_pkthdr.len;
4321 if (len < 5) {
4322 if (debug)
4323 log(LOG_DEBUG,
4324 "%s: pap invalid packet length: %d bytes\n",
4325 ifp->if_xname, len);
4326 return;
4327 }
4328 h = mtod(m, struct lcp_header *);
4329 if (len > ntohs(h->len))
4330 len = ntohs(h->len);
4331 switch (h->type) {
4332 /* PAP request is my authproto */
4333 case PAP_REQ:
4334 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) {
4335 /* can't do anything useful */
4336 printf("%s: pap request without his name and his secret being set\n",
4337 ifp->if_xname);
4338 break;
4339 }
4340 name = 1 + (u_char *)(h + 1);
4341 name_len = name[-1];
4342 secret = name + name_len + 1;
4343 if (name_len > len - 6 ||
4344 (secret_len = secret[-1]) > len - 6 - name_len) {
4345 if (debug) {
4346 log(LOG_DEBUG, "%s: pap corrupted input "
4347 "<%s id=0x%x len=%d",
4348 ifp->if_xname,
4349 sppp_auth_type_name(PPP_PAP, h->type),
4350 h->ident, ntohs(h->len));
4351 if (len > 4)
4352 sppp_print_bytes((u_char *)(h + 1),
4353 len - 4);
4354 addlog(">\n");
4355 }
4356 break;
4357 }
4358 if (debug) {
4359 log(LOG_DEBUG, "%s: pap input(%s) "
4360 "<%s id=0x%x len=%d name=",
4361 ifp->if_xname,
4362 sppp_state_name(sp->state[IDX_PAP]),
4363 sppp_auth_type_name(PPP_PAP, h->type),
4364 h->ident, ntohs(h->len));
4365 sppp_print_string((char *)name, name_len);
4366 addlog(" secret=");
4367 sppp_print_string((char *)secret, secret_len);
4368 addlog(">\n");
4369 }
4370 if (name_len != sp->hisauth.name_len ||
4371 secret_len != sp->hisauth.secret_len ||
4372 memcmp(name, sp->hisauth.name, name_len) != 0 ||
4373 memcmp(secret, sp->hisauth.secret, secret_len) != 0) {
4374 /* action scn, tld */
4375 sp->pp_auth_failures++;
4376 mlen = sizeof(FAILMSG) - 1;
4377 sppp_auth_send(&pap, sp, PAP_NAK, h->ident,
4378 sizeof mlen, (const char *)&mlen,
4379 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG,
4380 0);
4381 pap.tld(sp);
4382 break;
4383 }
4384 /* action sca, perhaps tlu */
4385 if (sp->state[IDX_PAP] == STATE_REQ_SENT ||
4386 sp->state[IDX_PAP] == STATE_OPENED) {
4387 mlen = sizeof(SUCCMSG) - 1;
4388 sppp_auth_send(&pap, sp, PAP_ACK, h->ident,
4389 sizeof mlen, (const char *)&mlen,
4390 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG,
4391 0);
4392 }
4393 if (sp->state[IDX_PAP] == STATE_REQ_SENT) {
4394 sppp_cp_change_state(&pap, sp, STATE_OPENED);
4395 pap.tlu(sp);
4396 }
4397 break;
4398
4399 /* ack and nak are his authproto */
4400 case PAP_ACK:
4401 callout_stop(&sp->pap_my_to_ch);
4402 if (debug) {
4403 log(LOG_DEBUG, "%s: pap success",
4404 ifp->if_xname);
4405 name = 1 + (u_char *)(h + 1);
4406 name_len = name[-1];
4407 if (len > 5 && name_len < len+4) {
4408 addlog(": ");
4409 sppp_print_string(name, name_len);
4410 }
4411 addlog("\n");
4412 }
4413 x = splnet();
4414 sp->pp_auth_failures = 0;
4415 sp->pp_flags &= ~PP_NEEDAUTH;
4416 if (sp->myauth.proto == PPP_PAP &&
4417 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) &&
4418 (sp->lcp.protos & (1 << IDX_PAP)) == 0) {
4419 /*
4420 * We are authenticator for PAP but didn't
4421 * complete yet. Leave it to tlu to proceed
4422 * to network phase.
4423 */
4424 splx(x);
4425 break;
4426 }
4427 splx(x);
4428 sppp_phase_network(sp);
4429 break;
4430
4431 case PAP_NAK:
4432 callout_stop(&sp->pap_my_to_ch);
4433 sp->pp_auth_failures++;
4434 if (debug) {
4435 log(LOG_INFO, "%s: pap failure",
4436 ifp->if_xname);
4437 name = 1 + (u_char *)(h + 1);
4438 name_len = name[-1];
4439 if (len > 5 && name_len < len+4) {
4440 addlog(": ");
4441 sppp_print_string(name, name_len);
4442 }
4443 addlog("\n");
4444 } else
4445 log(LOG_INFO, "%s: pap failure\n",
4446 ifp->if_xname);
4447 /* await LCP shutdown by authenticator */
4448 break;
4449
4450 default:
4451 /* Unknown PAP packet type -- ignore. */
4452 if (debug) {
4453 log(LOG_DEBUG, "%s: pap corrupted input "
4454 "<0x%x id=0x%x len=%d",
4455 ifp->if_xname,
4456 h->type, h->ident, ntohs(h->len));
4457 if (len > 4)
4458 sppp_print_bytes((u_char *)(h + 1), len - 4);
4459 addlog(">\n");
4460 }
4461 break;
4462
4463 }
4464 }
4465
4466 static void
sppp_pap_init(struct sppp * sp)4467 sppp_pap_init(struct sppp *sp)
4468 {
4469 /* PAP doesn't have STATE_INITIAL at all. */
4470 sp->state[IDX_PAP] = STATE_CLOSED;
4471 sp->fail_counter[IDX_PAP] = 0;
4472 sp->pp_seq[IDX_PAP] = 0;
4473 sp->pp_rseq[IDX_PAP] = 0;
4474 callout_init(&sp->ch[IDX_PAP], 0);
4475 callout_init(&sp->pap_my_to_ch, 0);
4476 }
4477
4478 static void
sppp_pap_open(struct sppp * sp)4479 sppp_pap_open(struct sppp *sp)
4480 {
4481 if (sp->hisauth.proto == PPP_PAP &&
4482 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) {
4483 /* we are authenticator for PAP, start our timer */
4484 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure;
4485 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT);
4486 }
4487 if (sp->myauth.proto == PPP_PAP) {
4488 /* we are peer, send a request, and start a timer */
4489 pap.scr(sp);
4490 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout,
4491 sppp_pap_my_TO, sp);
4492 }
4493 }
4494
4495 static void
sppp_pap_close(struct sppp * sp)4496 sppp_pap_close(struct sppp *sp)
4497 {
4498 if (sp->state[IDX_PAP] != STATE_CLOSED)
4499 sppp_cp_change_state(&pap, sp, STATE_CLOSED);
4500 }
4501
4502 /*
4503 * That's the timeout routine if we are authenticator. Since the
4504 * authenticator is basically passive in PAP, we can't do much here.
4505 */
4506 static void
sppp_pap_TO(void * cookie)4507 sppp_pap_TO(void *cookie)
4508 {
4509 struct sppp *sp = (struct sppp *)cookie;
4510 STDDCL;
4511 int s;
4512
4513 s = splnet();
4514 if (debug)
4515 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n",
4516 ifp->if_xname,
4517 sppp_state_name(sp->state[IDX_PAP]),
4518 sp->rst_counter[IDX_PAP]);
4519
4520 if (--sp->rst_counter[IDX_PAP] < 0)
4521 /* TO- event */
4522 switch (sp->state[IDX_PAP]) {
4523 case STATE_REQ_SENT:
4524 pap.tld(sp);
4525 sppp_cp_change_state(&pap, sp, STATE_CLOSED);
4526 break;
4527 }
4528 else
4529 /* TO+ event, not very much we could do */
4530 switch (sp->state[IDX_PAP]) {
4531 case STATE_REQ_SENT:
4532 /* sppp_cp_change_state() will restart the timer */
4533 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT);
4534 break;
4535 }
4536
4537 splx(s);
4538 }
4539
4540 /*
4541 * That's the timeout handler if we are peer. Since the peer is active,
4542 * we need to retransmit our PAP request since it is apparently lost.
4543 * XXX We should impose a max counter.
4544 */
4545 static void
sppp_pap_my_TO(void * cookie)4546 sppp_pap_my_TO(void *cookie)
4547 {
4548 struct sppp *sp = (struct sppp *)cookie;
4549 STDDCL;
4550
4551 if (debug)
4552 log(LOG_DEBUG, "%s: pap peer TO\n",
4553 ifp->if_xname);
4554
4555 pap.scr(sp);
4556 }
4557
4558 static void
sppp_pap_tlu(struct sppp * sp)4559 sppp_pap_tlu(struct sppp *sp)
4560 {
4561 STDDCL;
4562 int x;
4563
4564 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure;
4565
4566 if (debug)
4567 log(LOG_DEBUG, "%s: %s tlu\n",
4568 ifp->if_xname, pap.name);
4569
4570 x = splnet();
4571 sp->pp_auth_failures = 0;
4572 /* indicate to LCP that we need to be closed down */
4573 sp->lcp.protos |= (1 << IDX_PAP);
4574
4575 if (sp->pp_flags & PP_NEEDAUTH) {
4576 /*
4577 * Remote is authenticator, but his auth proto didn't
4578 * complete yet. Defer the transition to network
4579 * phase.
4580 */
4581 splx(x);
4582 return;
4583 }
4584 splx(x);
4585 sppp_phase_network(sp);
4586 }
4587
4588 static void
sppp_pap_tld(struct sppp * sp)4589 sppp_pap_tld(struct sppp *sp)
4590 {
4591 STDDCL;
4592
4593 if (debug)
4594 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname);
4595 callout_stop(&sp->ch[IDX_PAP]);
4596 callout_stop(&sp->pap_my_to_ch);
4597 sp->lcp.protos &= ~(1 << IDX_PAP);
4598
4599 lcp.Close(sp);
4600 }
4601
4602 static void
sppp_pap_scr(struct sppp * sp)4603 sppp_pap_scr(struct sppp *sp)
4604 {
4605 u_char idlen, pwdlen;
4606
4607 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) {
4608 /* can't do anything useful */
4609 printf("%s: pap starting without my name and secret being set\n",
4610 sp->pp_if.if_xname);
4611 return;
4612 }
4613
4614 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP];
4615 pwdlen = sp->myauth.secret_len;
4616 idlen = sp->myauth.name_len;
4617
4618 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP],
4619 sizeof idlen, (const char *)&idlen,
4620 idlen, sp->myauth.name,
4621 sizeof pwdlen, (const char *)&pwdlen,
4622 pwdlen, sp->myauth.secret,
4623 0);
4624 }
4625
4626 /*
4627 * Random miscellaneous functions.
4628 */
4629
4630 /*
4631 * Send a PAP or CHAP proto packet.
4632 *
4633 * Varadic function, each of the elements for the ellipsis is of type
4634 * ``size_t mlen, const u_char *msg''. Processing will stop iff
4635 * mlen == 0.
4636 * NOTE: never declare variadic functions with types subject to type
4637 * promotion (i.e. u_char). This is asking for big trouble depending
4638 * on the architecture you are on...
4639 */
4640
4641 static void
sppp_auth_send(const struct cp * cp,struct sppp * sp,unsigned int type,unsigned int id,...)4642 sppp_auth_send(const struct cp *cp, struct sppp *sp,
4643 unsigned int type, unsigned int id,
4644 ...)
4645 {
4646 STDDCL;
4647 struct lcp_header *lh;
4648 struct mbuf *m;
4649 u_char *p;
4650 int len;
4651 size_t pkthdrlen;
4652 unsigned int mlen;
4653 const char *msg;
4654 va_list ap;
4655
4656 MGETHDR(m, M_DONTWAIT, MT_DATA);
4657 if (! m)
4658 return;
4659 m_reset_rcvif(m);
4660
4661 if (sp->pp_flags & PP_NOFRAMING) {
4662 *mtod(m, uint16_t *) = htons(cp->proto);
4663 pkthdrlen = 2;
4664 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2);
4665 } else {
4666 struct ppp_header *h;
4667 h = mtod(m, struct ppp_header *);
4668 h->address = PPP_ALLSTATIONS; /* broadcast address */
4669 h->control = PPP_UI; /* Unnumbered Info */
4670 h->protocol = htons(cp->proto);
4671 pkthdrlen = PPP_HEADER_LEN;
4672
4673 lh = (struct lcp_header *)(h + 1);
4674 }
4675
4676 lh->type = type;
4677 lh->ident = id;
4678 p = (u_char *)(lh + 1);
4679
4680 va_start(ap, id);
4681 len = 0;
4682
4683 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) {
4684 msg = va_arg(ap, const char *);
4685 len += mlen;
4686 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) {
4687 va_end(ap);
4688 m_freem(m);
4689 return;
4690 }
4691
4692 memcpy(p, msg, mlen);
4693 p += mlen;
4694 }
4695 va_end(ap);
4696
4697 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len;
4698 lh->len = htons(LCP_HEADER_LEN + len);
4699
4700 if (debug) {
4701 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d",
4702 ifp->if_xname, cp->name,
4703 sppp_auth_type_name(cp->proto, lh->type),
4704 lh->ident, ntohs(lh->len));
4705 if (len)
4706 sppp_print_bytes((u_char *)(lh + 1), len);
4707 addlog(">\n");
4708 }
4709 if (IF_QFULL(&sp->pp_cpq)) {
4710 IF_DROP(&sp->pp_fastq);
4711 IF_DROP(&ifp->if_snd);
4712 m_freem(m);
4713 ++ifp->if_oerrors;
4714 return;
4715 } else
4716 IF_ENQUEUE(&sp->pp_cpq, m);
4717 if (! (ifp->if_flags & IFF_OACTIVE))
4718 if_start_lock(ifp);
4719 ifp->if_obytes += m->m_pkthdr.len + 3;
4720 }
4721
4722 /*
4723 * Send keepalive packets, every 10 seconds.
4724 */
4725 static void
sppp_keepalive(void * dummy)4726 sppp_keepalive(void *dummy)
4727 {
4728 struct sppp *sp;
4729 int s;
4730 time_t now;
4731
4732 s = splnet();
4733 now = time_uptime;
4734 for (sp=spppq; sp; sp=sp->pp_next) {
4735 struct ifnet *ifp = &sp->pp_if;
4736
4737 /* check idle timeout */
4738 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING)
4739 && (sp->pp_phase == SPPP_PHASE_NETWORK)) {
4740 /* idle timeout is enabled for this interface */
4741 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) {
4742 if (ifp->if_flags & IFF_DEBUG)
4743 printf("%s: no activity for %lu seconds\n",
4744 sp->pp_if.if_xname,
4745 (unsigned long)(now-sp->pp_last_activity));
4746 lcp.Close(sp);
4747 continue;
4748 }
4749 }
4750
4751 /* Keepalive mode disabled or channel down? */
4752 if (! (sp->pp_flags & PP_KEEPALIVE) ||
4753 ! (ifp->if_flags & IFF_RUNNING))
4754 continue;
4755
4756 /* No keepalive in PPP mode if LCP not opened yet. */
4757 if (! (sp->pp_flags & PP_CISCO) &&
4758 sp->pp_phase < SPPP_PHASE_AUTHENTICATE)
4759 continue;
4760
4761 /* No echo reply, but maybe user data passed through? */
4762 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) {
4763 sp->pp_alivecnt = 0;
4764 continue;
4765 }
4766
4767 if (sp->pp_alivecnt >= sp->pp_maxalive) {
4768 /* No keepalive packets got. Stop the interface. */
4769 if_down (ifp);
4770 IF_PURGE(&sp->pp_cpq);
4771 if (! (sp->pp_flags & PP_CISCO)) {
4772 printf("%s: LCP keepalive timed out, going to restart the connection\n",
4773 ifp->if_xname);
4774 sp->pp_alivecnt = 0;
4775
4776 /* we are down, close all open protocols */
4777 lcp.Close(sp);
4778
4779 /* And now prepare LCP to reestablish the link, if configured to do so. */
4780 sppp_cp_change_state(&lcp, sp, STATE_STOPPED);
4781
4782 /* Close connection immediately, completition of this
4783 * will summon the magic needed to reestablish it. */
4784 if (sp->pp_tlf)
4785 sp->pp_tlf(sp);
4786 continue;
4787 }
4788 }
4789 if (sp->pp_alivecnt < sp->pp_maxalive)
4790 ++sp->pp_alivecnt;
4791 if (sp->pp_flags & PP_CISCO)
4792 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ,
4793 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]);
4794 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) {
4795 int32_t nmagic = htonl(sp->lcp.magic);
4796 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP];
4797 sppp_cp_send(sp, PPP_LCP, ECHO_REQ,
4798 sp->lcp.echoid, 4, &nmagic);
4799 }
4800 }
4801 splx(s);
4802 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL);
4803 }
4804
4805 #ifdef INET
4806 /*
4807 * Get both IP addresses.
4808 */
4809 static void
sppp_get_ip_addrs(struct sppp * sp,uint32_t * src,uint32_t * dst,uint32_t * srcmask)4810 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask)
4811 {
4812 struct ifnet *ifp = &sp->pp_if;
4813 struct ifaddr *ifa;
4814 struct sockaddr_in *si, *sm;
4815 uint32_t ssrc, ddst;
4816
4817 sm = NULL;
4818 ssrc = ddst = 0;
4819 /*
4820 * Pick the first AF_INET address from the list,
4821 * aliases don't make any sense on a p2p link anyway.
4822 */
4823 si = 0;
4824 IFADDR_READER_FOREACH(ifa, ifp) {
4825 if (ifa->ifa_addr->sa_family == AF_INET) {
4826 si = (struct sockaddr_in *)ifa->ifa_addr;
4827 sm = (struct sockaddr_in *)ifa->ifa_netmask;
4828 if (si)
4829 break;
4830 }
4831 }
4832 if (ifa) {
4833 if (si && si->sin_addr.s_addr) {
4834 ssrc = si->sin_addr.s_addr;
4835 if (srcmask)
4836 *srcmask = ntohl(sm->sin_addr.s_addr);
4837 }
4838
4839 si = (struct sockaddr_in *)ifa->ifa_dstaddr;
4840 if (si && si->sin_addr.s_addr)
4841 ddst = si->sin_addr.s_addr;
4842 }
4843
4844 if (dst) *dst = ntohl(ddst);
4845 if (src) *src = ntohl(ssrc);
4846 }
4847
4848 /*
4849 * Set IP addresses. Must be called at splnet.
4850 * If an address is 0, leave it the way it is.
4851 */
4852 static void
sppp_set_ip_addrs(struct sppp * sp,uint32_t myaddr,uint32_t hisaddr)4853 sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr)
4854 {
4855 STDDCL;
4856 struct ifaddr *ifa;
4857 struct sockaddr_in *si, *dest;
4858
4859 /*
4860 * Pick the first AF_INET address from the list,
4861 * aliases don't make any sense on a p2p link anyway.
4862 */
4863
4864 IFADDR_READER_FOREACH(ifa, ifp) {
4865 if (ifa->ifa_addr->sa_family == AF_INET) {
4866 si = (struct sockaddr_in *)ifa->ifa_addr;
4867 dest = (struct sockaddr_in *)ifa->ifa_dstaddr;
4868 goto found;
4869 }
4870 }
4871 return;
4872
4873 found:
4874 {
4875 int error, hostIsNew;
4876 struct sockaddr_in new_sin = *si;
4877 struct sockaddr_in new_dst = *dest;
4878
4879 /*
4880 * Scrub old routes now instead of calling in_ifinit with
4881 * scrub=1, because we may change the dstaddr
4882 * before the call to in_ifinit.
4883 */
4884 in_ifscrub(ifp, ifatoia(ifa));
4885
4886 hostIsNew = 0;
4887 if (myaddr != 0) {
4888 if (new_sin.sin_addr.s_addr != htonl(myaddr)) {
4889 new_sin.sin_addr.s_addr = htonl(myaddr);
4890 hostIsNew = 1;
4891 }
4892 }
4893 if (hisaddr != 0) {
4894 new_dst.sin_addr.s_addr = htonl(hisaddr);
4895 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) {
4896 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr;
4897 *dest = new_dst; /* fix dstaddr in place */
4898 }
4899 }
4900
4901 LIST_REMOVE(ifatoia(ifa), ia_hash);
4902 IN_ADDRHASH_WRITER_REMOVE(ifatoia(ifa));
4903
4904 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, 0, hostIsNew);
4905
4906 LIST_INSERT_HEAD(&IN_IFADDR_HASH(ifatoia(ifa)->ia_addr.sin_addr.s_addr),
4907 ifatoia(ifa), ia_hash);
4908 IN_ADDRHASH_WRITER_INSERT_HEAD(ifatoia(ifa));
4909
4910 if (debug && error)
4911 {
4912 log(LOG_DEBUG, "%s: sppp_set_ip_addrs: in_ifinit "
4913 " failed, error=%d\n", ifp->if_xname, error);
4914 }
4915 if (!error) {
4916 (void)pfil_run_hooks(if_pfil,
4917 (struct mbuf **)SIOCAIFADDR, ifp, PFIL_IFADDR);
4918 }
4919 }
4920 }
4921
4922 /*
4923 * Clear IP addresses. Must be called at splnet.
4924 */
4925 static void
sppp_clear_ip_addrs(struct sppp * sp)4926 sppp_clear_ip_addrs(struct sppp *sp)
4927 {
4928 struct ifnet *ifp = &sp->pp_if;
4929 struct ifaddr *ifa;
4930 struct sockaddr_in *si, *dest;
4931
4932 uint32_t remote;
4933 if (sp->ipcp.flags & IPCP_HISADDR_DYN)
4934 remote = sp->ipcp.saved_hisaddr;
4935 else
4936 sppp_get_ip_addrs(sp, 0, &remote, 0);
4937
4938 /*
4939 * Pick the first AF_INET address from the list,
4940 * aliases don't make any sense on a p2p link anyway.
4941 */
4942
4943 IFADDR_READER_FOREACH(ifa, ifp) {
4944 if (ifa->ifa_addr->sa_family == AF_INET) {
4945 si = (struct sockaddr_in *)ifa->ifa_addr;
4946 dest = (struct sockaddr_in *)ifa->ifa_dstaddr;
4947 goto found;
4948 }
4949 }
4950 return;
4951
4952 found:
4953 {
4954 struct sockaddr_in new_sin = *si;
4955
4956 in_ifscrub(ifp, ifatoia(ifa));
4957 if (sp->ipcp.flags & IPCP_MYADDR_DYN)
4958 new_sin.sin_addr.s_addr = 0;
4959 if (sp->ipcp.flags & IPCP_HISADDR_DYN)
4960 /* replace peer addr in place */
4961 dest->sin_addr.s_addr = sp->ipcp.saved_hisaddr;
4962
4963 LIST_REMOVE(ifatoia(ifa), ia_hash);
4964 IN_ADDRHASH_WRITER_REMOVE(ifatoia(ifa));
4965
4966 in_ifinit(ifp, ifatoia(ifa), &new_sin, 0, 0);
4967
4968 LIST_INSERT_HEAD(&IN_IFADDR_HASH(ifatoia(ifa)->ia_addr.sin_addr.s_addr),
4969 ifatoia(ifa), ia_hash);
4970 IN_ADDRHASH_WRITER_INSERT_HEAD(ifatoia(ifa));
4971
4972 (void)pfil_run_hooks(if_pfil,
4973 (struct mbuf **)SIOCDIFADDR, ifp, PFIL_IFADDR);
4974 }
4975 }
4976 #endif
4977
4978 #ifdef INET6
4979 /*
4980 * Get both IPv6 addresses.
4981 */
4982 static void
sppp_get_ip6_addrs(struct sppp * sp,struct in6_addr * src,struct in6_addr * dst,struct in6_addr * srcmask)4983 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst,
4984 struct in6_addr *srcmask)
4985 {
4986 struct ifnet *ifp = &sp->pp_if;
4987 struct ifaddr *ifa;
4988 struct sockaddr_in6 *si, *sm;
4989 struct in6_addr ssrc, ddst;
4990
4991 sm = NULL;
4992 memset(&ssrc, 0, sizeof(ssrc));
4993 memset(&ddst, 0, sizeof(ddst));
4994 /*
4995 * Pick the first link-local AF_INET6 address from the list,
4996 * aliases don't make any sense on a p2p link anyway.
4997 */
4998 si = 0;
4999 IFADDR_READER_FOREACH(ifa, ifp)
5000 if (ifa->ifa_addr->sa_family == AF_INET6) {
5001 si = (struct sockaddr_in6 *)ifa->ifa_addr;
5002 sm = (struct sockaddr_in6 *)ifa->ifa_netmask;
5003 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr))
5004 break;
5005 }
5006 if (ifa) {
5007 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) {
5008 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc));
5009 if (srcmask) {
5010 memcpy(srcmask, &sm->sin6_addr,
5011 sizeof(*srcmask));
5012 }
5013 }
5014
5015 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr;
5016 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr))
5017 memcpy(&ddst, &si->sin6_addr, sizeof(ddst));
5018 }
5019
5020 if (dst)
5021 memcpy(dst, &ddst, sizeof(*dst));
5022 if (src)
5023 memcpy(src, &ssrc, sizeof(*src));
5024 }
5025
5026 #ifdef IPV6CP_MYIFID_DYN
5027 /*
5028 * Generate random ifid.
5029 */
5030 static void
sppp_gen_ip6_addr(struct sppp * sp,struct in6_addr * addr)5031 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr)
5032 {
5033 /* TBD */
5034 }
5035
5036 /*
5037 * Set my IPv6 address. Must be called at splnet.
5038 */
5039 static void
sppp_set_ip6_addr(struct sppp * sp,const struct in6_addr * src)5040 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src)
5041 {
5042 STDDCL;
5043 struct ifaddr *ifa;
5044 struct sockaddr_in6 *sin6;
5045
5046 /*
5047 * Pick the first link-local AF_INET6 address from the list,
5048 * aliases don't make any sense on a p2p link anyway.
5049 */
5050
5051 sin6 = NULL;
5052 IFADDR_READER_FOREACH(ifa, ifp)
5053 {
5054 if (ifa->ifa_addr->sa_family == AF_INET6)
5055 {
5056 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr;
5057 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
5058 break;
5059 }
5060 }
5061
5062 if (ifa && sin6)
5063 {
5064 int error;
5065 struct sockaddr_in6 new_sin6 = *sin6;
5066
5067 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr));
5068 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1);
5069 if (debug && error)
5070 {
5071 log(LOG_DEBUG, "%s: sppp_set_ip6_addr: in6_ifinit "
5072 " failed, error=%d\n", ifp->if_xname, error);
5073 }
5074 if (!error) {
5075 (void)pfil_run_hooks(if_pfil,
5076 (struct mbuf **)SIOCAIFADDR_IN6, ifp, PFIL_IFADDR);
5077 }
5078 }
5079 }
5080 #endif
5081
5082 /*
5083 * Suggest a candidate address to be used by peer.
5084 */
5085 static void
sppp_suggest_ip6_addr(struct sppp * sp,struct in6_addr * suggest)5086 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest)
5087 {
5088 struct in6_addr myaddr;
5089 struct timeval tv;
5090
5091 sppp_get_ip6_addrs(sp, &myaddr, 0, 0);
5092
5093 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */
5094 microtime(&tv);
5095 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) {
5096 myaddr.s6_addr[14] ^= 0xff;
5097 myaddr.s6_addr[15] ^= 0xff;
5098 } else {
5099 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff);
5100 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff);
5101 }
5102 if (suggest)
5103 memcpy(suggest, &myaddr, sizeof(myaddr));
5104 }
5105 #endif /*INET6*/
5106
5107 /*
5108 * Process ioctl requests specific to the PPP interface.
5109 * Permissions have already been checked.
5110 */
5111 static int
sppp_params(struct sppp * sp,u_long cmd,void * data)5112 sppp_params(struct sppp *sp, u_long cmd, void *data)
5113 {
5114 switch (cmd) {
5115 case SPPPGETAUTHCFG:
5116 {
5117 struct spppauthcfg *cfg = (struct spppauthcfg *)data;
5118 int error;
5119 size_t len;
5120
5121 cfg->myauthflags = sp->myauth.flags;
5122 cfg->hisauthflags = sp->hisauth.flags;
5123 strlcpy(cfg->ifname, sp->pp_if.if_xname, sizeof(cfg->ifname));
5124 cfg->hisauth = 0;
5125 if (sp->hisauth.proto)
5126 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP;
5127 cfg->myauth = 0;
5128 if (sp->myauth.proto)
5129 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP;
5130 if (cfg->myname_length == 0) {
5131 if (sp->myauth.name != NULL)
5132 cfg->myname_length = sp->myauth.name_len + 1;
5133 } else {
5134 if (sp->myauth.name == NULL) {
5135 cfg->myname_length = 0;
5136 } else {
5137 len = sp->myauth.name_len + 1;
5138 if (cfg->myname_length < len)
5139 return (ENAMETOOLONG);
5140 error = copyout(sp->myauth.name, cfg->myname, len);
5141 if (error) return error;
5142 }
5143 }
5144 if (cfg->hisname_length == 0) {
5145 if (sp->hisauth.name != NULL)
5146 cfg->hisname_length = sp->hisauth.name_len + 1;
5147 } else {
5148 if (sp->hisauth.name == NULL) {
5149 cfg->hisname_length = 0;
5150 } else {
5151 len = sp->hisauth.name_len + 1;
5152 if (cfg->hisname_length < len)
5153 return (ENAMETOOLONG);
5154 error = copyout(sp->hisauth.name, cfg->hisname, len);
5155 if (error) return error;
5156 }
5157 }
5158 }
5159 break;
5160 case SPPPSETAUTHCFG:
5161 {
5162 struct spppauthcfg *cfg = (struct spppauthcfg *)data;
5163 int error;
5164
5165 if (sp->myauth.name) {
5166 free(sp->myauth.name, M_DEVBUF);
5167 sp->myauth.name = NULL;
5168 }
5169 if (sp->myauth.secret) {
5170 free(sp->myauth.secret, M_DEVBUF);
5171 sp->myauth.secret = NULL;
5172 }
5173 if (sp->hisauth.name) {
5174 free(sp->hisauth.name, M_DEVBUF);
5175 sp->hisauth.name = NULL;
5176 }
5177 if (sp->hisauth.secret) {
5178 free(sp->hisauth.secret, M_DEVBUF);
5179 sp->hisauth.secret = NULL;
5180 }
5181
5182 if (cfg->hisname != NULL && cfg->hisname_length > 0) {
5183 if (cfg->hisname_length >= MCLBYTES)
5184 return (ENAMETOOLONG);
5185 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK);
5186 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length);
5187 if (error) {
5188 free(sp->hisauth.name, M_DEVBUF);
5189 sp->hisauth.name = NULL;
5190 return error;
5191 }
5192 sp->hisauth.name_len = cfg->hisname_length - 1;
5193 sp->hisauth.name[sp->hisauth.name_len] = 0;
5194 }
5195 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) {
5196 if (cfg->hissecret_length >= MCLBYTES)
5197 return (ENAMETOOLONG);
5198 sp->hisauth.secret = malloc(cfg->hissecret_length, M_DEVBUF, M_WAITOK);
5199 error = copyin(cfg->hissecret, sp->hisauth.secret, cfg->hissecret_length);
5200 if (error) {
5201 free(sp->hisauth.secret, M_DEVBUF);
5202 sp->hisauth.secret = NULL;
5203 return error;
5204 }
5205 sp->hisauth.secret_len = cfg->hissecret_length - 1;
5206 sp->hisauth.secret[sp->hisauth.secret_len] = 0;
5207 }
5208 if (cfg->myname != NULL && cfg->myname_length > 0) {
5209 if (cfg->myname_length >= MCLBYTES)
5210 return (ENAMETOOLONG);
5211 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK);
5212 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length);
5213 if (error) {
5214 free(sp->myauth.name, M_DEVBUF);
5215 sp->myauth.name = NULL;
5216 return error;
5217 }
5218 sp->myauth.name_len = cfg->myname_length - 1;
5219 sp->myauth.name[sp->myauth.name_len] = 0;
5220 }
5221 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) {
5222 if (cfg->mysecret_length >= MCLBYTES)
5223 return (ENAMETOOLONG);
5224 sp->myauth.secret = malloc(cfg->mysecret_length, M_DEVBUF, M_WAITOK);
5225 error = copyin(cfg->mysecret, sp->myauth.secret, cfg->mysecret_length);
5226 if (error) {
5227 free(sp->myauth.secret, M_DEVBUF);
5228 sp->myauth.secret = NULL;
5229 return error;
5230 }
5231 sp->myauth.secret_len = cfg->mysecret_length - 1;
5232 sp->myauth.secret[sp->myauth.secret_len] = 0;
5233 }
5234 sp->myauth.flags = cfg->myauthflags;
5235 if (cfg->myauth)
5236 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP;
5237 sp->hisauth.flags = cfg->hisauthflags;
5238 if (cfg->hisauth)
5239 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP;
5240 sp->pp_auth_failures = 0;
5241 if (sp->hisauth.proto != 0)
5242 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO);
5243 else
5244 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO);
5245 }
5246 break;
5247 case SPPPGETLCPCFG:
5248 {
5249 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data;
5250 lcpp->lcp_timeout = sp->lcp.timeout;
5251 }
5252 break;
5253 case SPPPSETLCPCFG:
5254 {
5255 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data;
5256 sp->lcp.timeout = lcpp->lcp_timeout;
5257 }
5258 break;
5259 case SPPPGETSTATUS:
5260 {
5261 struct spppstatus *status = (struct spppstatus *)data;
5262 status->phase = sp->pp_phase;
5263 }
5264 break;
5265 case SPPPGETSTATUSNCP:
5266 {
5267 struct spppstatusncp *status = (struct spppstatusncp *)data;
5268 status->phase = sp->pp_phase;
5269 status->ncpup = sppp_ncp_check(sp);
5270 }
5271 break;
5272 case SPPPGETIDLETO:
5273 {
5274 struct spppidletimeout *to = (struct spppidletimeout *)data;
5275 to->idle_seconds = sp->pp_idle_timeout;
5276 }
5277 break;
5278 case SPPPSETIDLETO:
5279 {
5280 struct spppidletimeout *to = (struct spppidletimeout *)data;
5281 sp->pp_idle_timeout = to->idle_seconds;
5282 }
5283 break;
5284 case SPPPSETAUTHFAILURE:
5285 {
5286 struct spppauthfailuresettings *afsettings = (struct spppauthfailuresettings *)data;
5287 sp->pp_max_auth_fail = afsettings->max_failures;
5288 sp->pp_auth_failures = 0;
5289 }
5290 break;
5291 case SPPPGETAUTHFAILURES:
5292 {
5293 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data;
5294 stats->auth_failures = sp->pp_auth_failures;
5295 stats->max_failures = sp->pp_max_auth_fail;
5296 }
5297 break;
5298 case SPPPSETDNSOPTS:
5299 {
5300 struct spppdnssettings *req = (struct spppdnssettings *)data;
5301 sp->query_dns = req->query_dns & 3;
5302 }
5303 break;
5304 case SPPPGETDNSOPTS:
5305 {
5306 struct spppdnssettings *req = (struct spppdnssettings *)data;
5307 req->query_dns = sp->query_dns;
5308 }
5309 break;
5310 case SPPPGETDNSADDRS:
5311 {
5312 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data;
5313 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns);
5314 }
5315 break;
5316 case SPPPGETKEEPALIVE:
5317 {
5318 struct spppkeepalivesettings *settings =
5319 (struct spppkeepalivesettings*)data;
5320 settings->maxalive = sp->pp_maxalive;
5321 settings->max_noreceive = sp->pp_max_noreceive;
5322 }
5323 break;
5324 case SPPPSETKEEPALIVE:
5325 {
5326 struct spppkeepalivesettings *settings =
5327 (struct spppkeepalivesettings*)data;
5328 sp->pp_maxalive = settings->maxalive;
5329 sp->pp_max_noreceive = settings->max_noreceive;
5330 }
5331 break;
5332 #if defined(COMPAT_50) || defined(MODULAR)
5333 case __SPPPGETIDLETO50:
5334 {
5335 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data;
5336 to->idle_seconds = (uint32_t)sp->pp_idle_timeout;
5337 }
5338 break;
5339 case __SPPPSETIDLETO50:
5340 {
5341 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data;
5342 sp->pp_idle_timeout = (time_t)to->idle_seconds;
5343 }
5344 break;
5345 case __SPPPGETKEEPALIVE50:
5346 {
5347 struct spppkeepalivesettings50 *settings =
5348 (struct spppkeepalivesettings50*)data;
5349 settings->maxalive = sp->pp_maxalive;
5350 settings->max_noreceive = (uint32_t)sp->pp_max_noreceive;
5351 }
5352 break;
5353 case __SPPPSETKEEPALIVE50:
5354 {
5355 struct spppkeepalivesettings50 *settings =
5356 (struct spppkeepalivesettings50*)data;
5357 sp->pp_maxalive = settings->maxalive;
5358 sp->pp_max_noreceive = (time_t)settings->max_noreceive;
5359 }
5360 break;
5361 #endif /* COMPAT_50 || MODULAR */
5362 default:
5363 return (EINVAL);
5364 }
5365
5366 return (0);
5367 }
5368
5369 static void
sppp_phase_network(struct sppp * sp)5370 sppp_phase_network(struct sppp *sp)
5371 {
5372 STDDCL;
5373 int i;
5374 uint32_t mask;
5375
5376 sp->pp_phase = SPPP_PHASE_NETWORK;
5377
5378 if (debug)
5379 {
5380 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname,
5381 sppp_phase_name(sp->pp_phase));
5382 }
5383
5384 /* Notify NCPs now. */
5385 for (i = 0; i < IDX_COUNT; i++)
5386 if ((cps[i])->flags & CP_NCP)
5387 (cps[i])->Open(sp);
5388
5389 /* Send Up events to all NCPs. */
5390 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1)
5391 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP))
5392 (cps[i])->Up(sp);
5393
5394 /* if no NCP is starting, all this was in vain, close down */
5395 sppp_lcp_check_and_close(sp);
5396 }
5397
5398
5399 static const char *
sppp_cp_type_name(u_char type)5400 sppp_cp_type_name(u_char type)
5401 {
5402 static char buf[12];
5403 switch (type) {
5404 case CONF_REQ: return "conf-req";
5405 case CONF_ACK: return "conf-ack";
5406 case CONF_NAK: return "conf-nak";
5407 case CONF_REJ: return "conf-rej";
5408 case TERM_REQ: return "term-req";
5409 case TERM_ACK: return "term-ack";
5410 case CODE_REJ: return "code-rej";
5411 case PROTO_REJ: return "proto-rej";
5412 case ECHO_REQ: return "echo-req";
5413 case ECHO_REPLY: return "echo-reply";
5414 case DISC_REQ: return "discard-req";
5415 }
5416 snprintf(buf, sizeof(buf), "0x%x", type);
5417 return buf;
5418 }
5419
5420 static const char *
sppp_auth_type_name(u_short proto,u_char type)5421 sppp_auth_type_name(u_short proto, u_char type)
5422 {
5423 static char buf[32];
5424 const char *name;
5425
5426 switch (proto) {
5427 case PPP_CHAP:
5428 switch (type) {
5429 case CHAP_CHALLENGE: return "challenge";
5430 case CHAP_RESPONSE: return "response";
5431 case CHAP_SUCCESS: return "success";
5432 case CHAP_FAILURE: return "failure";
5433 default: name = "chap"; break;
5434 }
5435 break;
5436
5437 case PPP_PAP:
5438 switch (type) {
5439 case PAP_REQ: return "req";
5440 case PAP_ACK: return "ack";
5441 case PAP_NAK: return "nak";
5442 default: name = "pap"; break;
5443 }
5444 break;
5445
5446 default:
5447 name = "bad";
5448 break;
5449 }
5450
5451 snprintf(buf, sizeof(buf), "%s(%#x) %#x", name, proto, type);
5452 return buf;
5453 }
5454
5455 static const char *
sppp_lcp_opt_name(u_char opt)5456 sppp_lcp_opt_name(u_char opt)
5457 {
5458 static char buf[12];
5459 switch (opt) {
5460 case LCP_OPT_MRU: return "mru";
5461 case LCP_OPT_ASYNC_MAP: return "async-map";
5462 case LCP_OPT_AUTH_PROTO: return "auth-proto";
5463 case LCP_OPT_QUAL_PROTO: return "qual-proto";
5464 case LCP_OPT_MAGIC: return "magic";
5465 case LCP_OPT_PROTO_COMP: return "proto-comp";
5466 case LCP_OPT_ADDR_COMP: return "addr-comp";
5467 }
5468 snprintf(buf, sizeof(buf), "0x%x", opt);
5469 return buf;
5470 }
5471
5472 static const char *
sppp_ipcp_opt_name(u_char opt)5473 sppp_ipcp_opt_name(u_char opt)
5474 {
5475 static char buf[12];
5476 switch (opt) {
5477 case IPCP_OPT_ADDRESSES: return "addresses";
5478 case IPCP_OPT_COMPRESSION: return "compression";
5479 case IPCP_OPT_ADDRESS: return "address";
5480 }
5481 snprintf(buf, sizeof(buf), "0x%x", opt);
5482 return buf;
5483 }
5484
5485 #ifdef INET6
5486 static const char *
sppp_ipv6cp_opt_name(u_char opt)5487 sppp_ipv6cp_opt_name(u_char opt)
5488 {
5489 static char buf[12];
5490 switch (opt) {
5491 case IPV6CP_OPT_IFID: return "ifid";
5492 case IPV6CP_OPT_COMPRESSION: return "compression";
5493 }
5494 snprintf(buf, sizeof(buf), "0x%x", opt);
5495 return buf;
5496 }
5497 #endif
5498
5499 static const char *
sppp_state_name(int state)5500 sppp_state_name(int state)
5501 {
5502 switch (state) {
5503 case STATE_INITIAL: return "initial";
5504 case STATE_STARTING: return "starting";
5505 case STATE_CLOSED: return "closed";
5506 case STATE_STOPPED: return "stopped";
5507 case STATE_CLOSING: return "closing";
5508 case STATE_STOPPING: return "stopping";
5509 case STATE_REQ_SENT: return "req-sent";
5510 case STATE_ACK_RCVD: return "ack-rcvd";
5511 case STATE_ACK_SENT: return "ack-sent";
5512 case STATE_OPENED: return "opened";
5513 }
5514 return "illegal";
5515 }
5516
5517 static const char *
sppp_phase_name(int phase)5518 sppp_phase_name(int phase)
5519 {
5520 switch (phase) {
5521 case SPPP_PHASE_DEAD: return "dead";
5522 case SPPP_PHASE_ESTABLISH: return "establish";
5523 case SPPP_PHASE_TERMINATE: return "terminate";
5524 case SPPP_PHASE_AUTHENTICATE: return "authenticate";
5525 case SPPP_PHASE_NETWORK: return "network";
5526 }
5527 return "illegal";
5528 }
5529
5530 static const char *
sppp_proto_name(u_short proto)5531 sppp_proto_name(u_short proto)
5532 {
5533 static char buf[12];
5534 switch (proto) {
5535 case PPP_LCP: return "lcp";
5536 case PPP_IPCP: return "ipcp";
5537 case PPP_PAP: return "pap";
5538 case PPP_CHAP: return "chap";
5539 case PPP_IPV6CP: return "ipv6cp";
5540 }
5541 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto);
5542 return buf;
5543 }
5544
5545 static void
sppp_print_bytes(const u_char * p,u_short len)5546 sppp_print_bytes(const u_char *p, u_short len)
5547 {
5548 addlog(" %02x", *p++);
5549 while (--len > 0)
5550 addlog("-%02x", *p++);
5551 }
5552
5553 static void
sppp_print_string(const char * p,u_short len)5554 sppp_print_string(const char *p, u_short len)
5555 {
5556 u_char c;
5557
5558 while (len-- > 0) {
5559 c = *p++;
5560 /*
5561 * Print only ASCII chars directly. RFC 1994 recommends
5562 * using only them, but we don't rely on it. */
5563 if (c < ' ' || c > '~')
5564 addlog("\\x%x", c);
5565 else
5566 addlog("%c", c);
5567 }
5568 }
5569
5570 static const char *
sppp_dotted_quad(uint32_t addr)5571 sppp_dotted_quad(uint32_t addr)
5572 {
5573 static char s[16];
5574 snprintf(s, sizeof(s), "%d.%d.%d.%d",
5575 (int)((addr >> 24) & 0xff),
5576 (int)((addr >> 16) & 0xff),
5577 (int)((addr >> 8) & 0xff),
5578 (int)(addr & 0xff));
5579 return s;
5580 }
5581
5582 /* a dummy, used to drop uninteresting events */
5583 static void
sppp_null(struct sppp * unused)5584 sppp_null(struct sppp *unused)
5585 {
5586 /* do just nothing */
5587 }
5588 /*
5589 * This file is large. Tell emacs to highlight it nevertheless.
5590 *
5591 * Local Variables:
5592 * hilit-auto-highlight-maxout: 120000
5593 * End:
5594 */
5595