1 /* 2 * Synchronous PPP/Cisco link level subroutines. 3 * Keepalive protocol implemented in both Cisco and PPP modes. 4 * 5 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 6 * Author: Serge Vakulenko, <vak@cronyx.ru> 7 * 8 * Heavily revamped to conform to RFC 1661. 9 * Copyright (C) 1997, 2001 Joerg Wunsch. 10 * 11 * This software is distributed with NO WARRANTIES, not even the implied 12 * warranties for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 13 * 14 * Authors grant any other persons or organisations permission to use 15 * or modify this software as long as this message is kept with the software, 16 * all derivative works or modified versions. 17 * 18 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 19 * 20 * $FreeBSD: src/sys/net/if_spppsubr.c,v 1.59.2.13 2002/07/03 15:44:41 joerg Exp $ 21 */ 22 23 #include <sys/param.h> 24 #include <sys/libkern.h> 25 26 #include "opt_inet.h" 27 #include "opt_inet6.h" 28 29 #include <sys/systm.h> 30 #include <sys/kernel.h> 31 #include <sys/module.h> 32 #include <sys/sockio.h> 33 #include <sys/socket.h> 34 #include <sys/syslog.h> 35 #include <sys/random.h> 36 #include <sys/thread2.h> 37 #include <sys/malloc.h> 38 #include <sys/mbuf.h> 39 #include <sys/md5.h> 40 41 #include <net/if.h> 42 #include <net/ifq_var.h> 43 #include <net/netisr.h> 44 #include <net/if_types.h> 45 #include <net/route.h> 46 #include <netinet/in.h> 47 #include <netinet/in_systm.h> 48 #include <netinet/ip.h> 49 #include <net/slcompress.h> 50 51 #include <machine/stdarg.h> 52 53 #include <netinet/in_var.h> 54 55 #ifdef INET 56 #include <netinet/tcp.h> 57 #endif 58 59 #include <netinet/if_ether.h> 60 61 #include "if_sppp.h" 62 63 #define IOCTL_CMD_T u_long 64 #define MAXALIVECNT 3 /* max. alive packets */ 65 66 /* 67 * Interface flags that can be set in an ifconfig command. 68 * 69 * Setting link0 will make the link passive, i.e. it will be marked 70 * as being administrative openable, but won't be opened to begin 71 * with. Incoming calls will be answered, or subsequent calls with 72 * -link1 will cause the administrative open of the LCP layer. 73 * 74 * Setting link1 will cause the link to auto-dial only as packets 75 * arrive to be sent. 76 * 77 * Setting IFF_DEBUG will syslog the option negotiation and state 78 * transitions at level kern.debug. Note: all logs consistently look 79 * like 80 * 81 * <if-name><unit>: <proto-name> <additional info...> 82 * 83 * with <if-name><unit> being something like "bppp0", and <proto-name> 84 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 85 */ 86 87 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 88 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 89 #define IFF_CISCO IFF_LINK2 /* auto-dial on output */ 90 91 #define PPP_ALLSTATIONS 0xff /* All-Stations broadcast address */ 92 #define PPP_UI 0x03 /* Unnumbered Information */ 93 #define PPP_IP 0x0021 /* Internet Protocol */ 94 #define PPP_ISO 0x0023 /* ISO OSI Protocol */ 95 #define PPP_XNS 0x0025 /* Xerox NS Protocol */ 96 #define PPP_VJ_COMP 0x002d /* VJ compressed TCP/IP */ 97 #define PPP_VJ_UCOMP 0x002f /* VJ uncompressed TCP/IP */ 98 #define PPP_IPV6 0x0057 /* Internet Protocol Version 6 */ 99 #define PPP_LCP 0xc021 /* Link Control Protocol */ 100 #define PPP_PAP 0xc023 /* Password Authentication Protocol */ 101 #define PPP_CHAP 0xc223 /* Challenge-Handshake Auth Protocol */ 102 #define PPP_IPCP 0x8021 /* Internet Protocol Control Protocol */ 103 #define PPP_IPV6CP 0x8057 /* IPv6 Control Protocol */ 104 105 #define CONF_REQ 1 /* PPP configure request */ 106 #define CONF_ACK 2 /* PPP configure acknowledge */ 107 #define CONF_NAK 3 /* PPP configure negative ack */ 108 #define CONF_REJ 4 /* PPP configure reject */ 109 #define TERM_REQ 5 /* PPP terminate request */ 110 #define TERM_ACK 6 /* PPP terminate acknowledge */ 111 #define CODE_REJ 7 /* PPP code reject */ 112 #define PROTO_REJ 8 /* PPP protocol reject */ 113 #define ECHO_REQ 9 /* PPP echo request */ 114 #define ECHO_REPLY 10 /* PPP echo reply */ 115 #define DISC_REQ 11 /* PPP discard request */ 116 117 #define LCP_OPT_MRU 1 /* maximum receive unit */ 118 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 119 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 120 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 121 #define LCP_OPT_MAGIC 5 /* magic number */ 122 #define LCP_OPT_RESERVED 6 /* reserved */ 123 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 124 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 125 126 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 127 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol (VJ) */ 128 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 129 130 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 131 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 132 133 #define IPCP_COMP_VJ 0x2d /* Code for VJ compression */ 134 135 #define PAP_REQ 1 /* PAP name/password request */ 136 #define PAP_ACK 2 /* PAP acknowledge */ 137 #define PAP_NAK 3 /* PAP fail */ 138 139 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 140 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 141 #define CHAP_SUCCESS 3 /* CHAP response ok */ 142 #define CHAP_FAILURE 4 /* CHAP response failed */ 143 144 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 145 146 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 147 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 148 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 149 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 150 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 151 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 152 153 /* states are named and numbered according to RFC 1661 */ 154 #define STATE_INITIAL 0 155 #define STATE_STARTING 1 156 #define STATE_CLOSED 2 157 #define STATE_STOPPED 3 158 #define STATE_CLOSING 4 159 #define STATE_STOPPING 5 160 #define STATE_REQ_SENT 6 161 #define STATE_ACK_RCVD 7 162 #define STATE_ACK_SENT 8 163 #define STATE_OPENED 9 164 165 struct ppp_header { 166 u_char address; 167 u_char control; 168 u_short protocol; 169 } __attribute__((__packed__)); 170 #define PPP_HEADER_LEN sizeof (struct ppp_header) 171 172 struct lcp_header { 173 u_char type; 174 u_char ident; 175 u_short len; 176 } __attribute__((__packed__)); 177 #define LCP_HEADER_LEN sizeof (struct lcp_header) 178 179 struct cisco_packet { 180 u_long type; 181 u_long par1; 182 u_long par2; 183 u_short rel; 184 u_short time0; 185 u_short time1; 186 } __attribute__((__packed__)); 187 #define CISCO_PACKET_LEN sizeof (struct cisco_packet) 188 189 /* 190 * We follow the spelling and capitalization of RFC 1661 here, to make 191 * it easier comparing with the standard. Please refer to this RFC in 192 * case you can't make sense out of these abbreviation; it will also 193 * explain the semantics related to the various events and actions. 194 */ 195 struct cp { 196 u_short proto; /* PPP control protocol number */ 197 u_char protoidx; /* index into state table in struct sppp */ 198 u_char flags; 199 #define CP_LCP 0x01 /* this is the LCP */ 200 #define CP_AUTH 0x02 /* this is an authentication protocol */ 201 #define CP_NCP 0x04 /* this is a NCP */ 202 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 203 const char *name; /* name of this control protocol */ 204 /* event handlers */ 205 void (*Up)(struct sppp *sp); 206 void (*Down)(struct sppp *sp); 207 void (*Open)(struct sppp *sp); 208 void (*Close)(struct sppp *sp); 209 void (*TO)(void *sp); 210 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 211 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 212 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 213 /* actions */ 214 void (*tlu)(struct sppp *sp); 215 void (*tld)(struct sppp *sp); 216 void (*tls)(struct sppp *sp); 217 void (*tlf)(struct sppp *sp); 218 void (*scr)(struct sppp *sp); 219 }; 220 221 static struct sppp *spppq; 222 static struct callout keepalive_timeout; 223 224 #define SPP_FMT "%s: " 225 #define SPP_ARGS(ifp) (ifp)->if_xname 226 227 #ifdef INET 228 /* 229 * The following disgusting hack gets around the problem that IP TOS 230 * can't be set yet. We want to put "interactive" traffic on a high 231 * priority queue. To decide if traffic is interactive, we check that 232 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 233 * 234 * XXX is this really still necessary? - joerg - 235 */ 236 static u_short interactive_ports[8] = { 237 0, 513, 0, 0, 238 0, 21, 0, 23, 239 }; 240 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 241 #endif 242 243 /* almost every function needs these */ 244 #define STDDCL \ 245 struct ifnet *ifp = &sp->pp_if; \ 246 int debug = ifp->if_flags & IFF_DEBUG 247 248 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 249 struct sockaddr *dst, struct rtentry *rt); 250 251 static void sppp_cisco_send(struct sppp *sp, int type, long par1, long par2); 252 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 253 254 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 255 struct mbuf *m); 256 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 257 u_char ident, u_short len, void *data); 258 /* static void sppp_cp_timeout(void *arg); */ 259 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 260 int newstate); 261 static void sppp_auth_send(const struct cp *cp, 262 struct sppp *sp, unsigned int type, unsigned int id, 263 ...); 264 265 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 266 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 267 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 268 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 269 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 270 271 static void sppp_null(struct sppp *sp); 272 273 static void sppp_lcp_init(struct sppp *sp); 274 static void sppp_lcp_up(struct sppp *sp); 275 static void sppp_lcp_down(struct sppp *sp); 276 static void sppp_lcp_open(struct sppp *sp); 277 static void sppp_lcp_close(struct sppp *sp); 278 static void sppp_lcp_TO(void *sp); 279 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 280 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 281 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 282 static void sppp_lcp_tlu(struct sppp *sp); 283 static void sppp_lcp_tld(struct sppp *sp); 284 static void sppp_lcp_tls(struct sppp *sp); 285 static void sppp_lcp_tlf(struct sppp *sp); 286 static void sppp_lcp_scr(struct sppp *sp); 287 static void sppp_lcp_check_and_close(struct sppp *sp); 288 static int sppp_ncp_check(struct sppp *sp); 289 290 static void sppp_ipcp_init(struct sppp *sp); 291 static void sppp_ipcp_up(struct sppp *sp); 292 static void sppp_ipcp_down(struct sppp *sp); 293 static void sppp_ipcp_open(struct sppp *sp); 294 static void sppp_ipcp_close(struct sppp *sp); 295 static void sppp_ipcp_TO(void *sp); 296 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 297 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 298 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 299 static void sppp_ipcp_tlu(struct sppp *sp); 300 static void sppp_ipcp_tld(struct sppp *sp); 301 static void sppp_ipcp_tls(struct sppp *sp); 302 static void sppp_ipcp_tlf(struct sppp *sp); 303 static void sppp_ipcp_scr(struct sppp *sp); 304 305 static void sppp_ipv6cp_init(struct sppp *sp); 306 static void sppp_ipv6cp_up(struct sppp *sp); 307 static void sppp_ipv6cp_down(struct sppp *sp); 308 static void sppp_ipv6cp_open(struct sppp *sp); 309 static void sppp_ipv6cp_close(struct sppp *sp); 310 static void sppp_ipv6cp_TO(void *sp); 311 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 312 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 313 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 314 static void sppp_ipv6cp_tlu(struct sppp *sp); 315 static void sppp_ipv6cp_tld(struct sppp *sp); 316 static void sppp_ipv6cp_tls(struct sppp *sp); 317 static void sppp_ipv6cp_tlf(struct sppp *sp); 318 static void sppp_ipv6cp_scr(struct sppp *sp); 319 320 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 321 static void sppp_pap_init(struct sppp *sp); 322 static void sppp_pap_open(struct sppp *sp); 323 static void sppp_pap_close(struct sppp *sp); 324 static void sppp_pap_TO(void *sp); 325 static void sppp_pap_my_TO(void *sp); 326 static void sppp_pap_tlu(struct sppp *sp); 327 static void sppp_pap_tld(struct sppp *sp); 328 static void sppp_pap_scr(struct sppp *sp); 329 330 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 331 static void sppp_chap_init(struct sppp *sp); 332 static void sppp_chap_open(struct sppp *sp); 333 static void sppp_chap_close(struct sppp *sp); 334 static void sppp_chap_TO(void *sp); 335 static void sppp_chap_tlu(struct sppp *sp); 336 static void sppp_chap_tld(struct sppp *sp); 337 static void sppp_chap_scr(struct sppp *sp); 338 339 static const char *sppp_auth_type_name(u_short proto, u_char type); 340 static const char *sppp_cp_type_name(u_char type); 341 static const char *sppp_dotted_quad(u_long addr); 342 static const char *sppp_ipcp_opt_name(u_char opt); 343 #ifdef INET6 344 static const char *sppp_ipv6cp_opt_name(u_char opt); 345 #endif 346 static const char *sppp_lcp_opt_name(u_char opt); 347 static const char *sppp_phase_name(enum ppp_phase phase); 348 static const char *sppp_proto_name(u_short proto); 349 static const char *sppp_state_name(int state); 350 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 351 static void sppp_get_ip_addrs(struct sppp *sp, u_long *src, u_long *dst, 352 u_long *srcmask); 353 static void sppp_keepalive(void *dummy); 354 static void sppp_phase_network(struct sppp *sp); 355 static void sppp_print_bytes(const u_char *p, u_short len); 356 static void sppp_print_string(const char *p, u_short len); 357 static void sppp_set_ip_addr(struct sppp *sp, u_long src); 358 #ifdef INET6 359 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 360 struct in6_addr *dst, struct in6_addr *srcmask); 361 #ifdef IPV6CP_MYIFID_DYN 362 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 363 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 364 #endif 365 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 366 #endif 367 368 /* our control protocol descriptors */ 369 static const struct cp lcp = { 370 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 371 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 372 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 373 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 374 sppp_lcp_scr 375 }; 376 377 static const struct cp ipcp = { 378 PPP_IPCP, IDX_IPCP, CP_NCP, "ipcp", 379 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 380 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 381 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 382 sppp_ipcp_scr 383 }; 384 385 static const struct cp ipv6cp = { 386 PPP_IPV6CP, IDX_IPV6CP, 387 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 388 CP_NCP, 389 #else 390 0, 391 #endif 392 "ipv6cp", 393 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 394 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 395 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 396 sppp_ipv6cp_scr 397 }; 398 399 static const struct cp pap = { 400 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 401 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 402 sppp_pap_TO, 0, 0, 0, 403 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 404 sppp_pap_scr 405 }; 406 407 static const struct cp chap = { 408 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 409 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 410 sppp_chap_TO, 0, 0, 0, 411 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 412 sppp_chap_scr 413 }; 414 415 static const struct cp *cps[IDX_COUNT] = { 416 &lcp, /* IDX_LCP */ 417 &ipcp, /* IDX_IPCP */ 418 &ipv6cp, /* IDX_IPV6CP */ 419 &pap, /* IDX_PAP */ 420 &chap, /* IDX_CHAP */ 421 }; 422 423 static int 424 sppp_modevent(module_t mod, int type, void *unused) 425 { 426 switch (type) { 427 case MOD_LOAD: 428 callout_init(&keepalive_timeout); 429 break; 430 case MOD_UNLOAD: 431 return EACCES; 432 break; 433 default: 434 break; 435 } 436 return 0; 437 } 438 static moduledata_t spppmod = { 439 "sppp", 440 sppp_modevent, 441 0 442 }; 443 MODULE_VERSION(sppp, 1); 444 DECLARE_MODULE(sppp, spppmod, SI_SUB_DRIVERS, SI_ORDER_ANY); 445 446 /* 447 * Exported functions, comprising our interface to the lower layer. 448 */ 449 450 /* 451 * Process the received packet. 452 */ 453 void 454 sppp_input(struct ifnet *ifp, struct mbuf *m) 455 { 456 struct ppp_header *h; 457 int isr = -1; 458 struct sppp *sp = (struct sppp *)ifp; 459 u_char *iphdr; 460 int hlen, vjlen, do_account = 0; 461 int debug = ifp->if_flags & IFF_DEBUG; 462 463 if (ifp->if_flags & IFF_UP) 464 /* Count received bytes, add FCS and one flag */ 465 IFNET_STAT_INC(ifp, ibytes, m->m_pkthdr.len + 3); 466 467 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 468 /* Too small packet, drop it. */ 469 if (debug) 470 log(LOG_DEBUG, 471 SPP_FMT "input packet is too small, %d bytes\n", 472 SPP_ARGS(ifp), m->m_pkthdr.len); 473 drop: 474 m_freem (m); 475 drop2: 476 IFNET_STAT_INC(ifp, ierrors, 1); 477 IFNET_STAT_INC(ifp, iqdrops, 1); 478 return; 479 } 480 481 /* Get PPP header. */ 482 h = mtod (m, struct ppp_header*); 483 m_adj (m, PPP_HEADER_LEN); 484 485 switch (h->address) { 486 case PPP_ALLSTATIONS: 487 if (h->control != PPP_UI) 488 goto invalid; 489 if (sp->pp_mode == IFF_CISCO) { 490 if (debug) 491 log(LOG_DEBUG, 492 SPP_FMT "PPP packet in Cisco mode " 493 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 494 SPP_ARGS(ifp), 495 h->address, h->control, ntohs(h->protocol)); 496 goto drop; 497 } 498 switch (ntohs (h->protocol)) { 499 default: 500 if (debug) 501 log(LOG_DEBUG, 502 SPP_FMT "rejecting protocol " 503 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 504 SPP_ARGS(ifp), 505 h->address, h->control, ntohs(h->protocol)); 506 if (sp->state[IDX_LCP] == STATE_OPENED) 507 sppp_cp_send (sp, PPP_LCP, PROTO_REJ, 508 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 509 &h->protocol); 510 IFNET_STAT_INC(ifp, noproto, 1); 511 goto drop; 512 case PPP_LCP: 513 sppp_cp_input(&lcp, sp, m); 514 m_freem (m); 515 return; 516 case PPP_PAP: 517 if (sp->pp_phase >= PHASE_AUTHENTICATE) 518 sppp_pap_input(sp, m); 519 m_freem (m); 520 return; 521 case PPP_CHAP: 522 if (sp->pp_phase >= PHASE_AUTHENTICATE) 523 sppp_chap_input(sp, m); 524 m_freem (m); 525 return; 526 #ifdef INET 527 case PPP_IPCP: 528 if (sp->pp_phase == PHASE_NETWORK) 529 sppp_cp_input(&ipcp, sp, m); 530 m_freem (m); 531 return; 532 case PPP_IP: 533 if (sp->state[IDX_IPCP] == STATE_OPENED) { 534 isr = NETISR_IP; 535 } 536 do_account++; 537 break; 538 case PPP_VJ_COMP: 539 if (sp->state[IDX_IPCP] == STATE_OPENED) { 540 if ((vjlen = 541 sl_uncompress_tcp_core(mtod(m, u_char *), 542 m->m_len, m->m_len, 543 TYPE_COMPRESSED_TCP, 544 sp->pp_comp, 545 &iphdr, &hlen)) <= 0) { 546 if (debug) 547 log(LOG_INFO, 548 SPP_FMT "VJ uncompress failed on compressed packet\n", 549 SPP_ARGS(ifp)); 550 goto drop; 551 } 552 553 /* 554 * Trim the VJ header off the packet, and prepend 555 * the uncompressed IP header (which will usually 556 * end up in two chained mbufs since there's not 557 * enough leading space in the existing mbuf). 558 */ 559 m_adj(m, vjlen); 560 M_PREPEND(m, hlen, M_NOWAIT); 561 if (m == NULL) 562 goto drop2; 563 bcopy(iphdr, mtod(m, u_char *), hlen); 564 565 isr = NETISR_IP; 566 } 567 do_account++; 568 break; 569 case PPP_VJ_UCOMP: 570 if (sp->state[IDX_IPCP] == STATE_OPENED) { 571 if (sl_uncompress_tcp_core(mtod(m, u_char *), 572 m->m_len, m->m_len, 573 TYPE_UNCOMPRESSED_TCP, 574 sp->pp_comp, 575 &iphdr, &hlen) != 0) { 576 if (debug) 577 log(LOG_INFO, 578 SPP_FMT "VJ uncompress failed on uncompressed packet\n", 579 SPP_ARGS(ifp)); 580 goto drop; 581 } 582 isr = NETISR_IP; 583 } 584 do_account++; 585 break; 586 #endif 587 #ifdef INET6 588 case PPP_IPV6CP: 589 if (sp->pp_phase == PHASE_NETWORK) 590 sppp_cp_input(&ipv6cp, sp, m); 591 m_freem (m); 592 return; 593 594 case PPP_IPV6: 595 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 596 isr = NETISR_IPV6; 597 } 598 do_account++; 599 break; 600 #endif 601 } 602 break; 603 case CISCO_MULTICAST: 604 case CISCO_UNICAST: 605 /* Don't check the control field here (RFC 1547). */ 606 if (sp->pp_mode != IFF_CISCO) { 607 if (debug) 608 log(LOG_DEBUG, 609 SPP_FMT "Cisco packet in PPP mode " 610 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 611 SPP_ARGS(ifp), 612 h->address, h->control, ntohs(h->protocol)); 613 goto drop; 614 } 615 switch (ntohs (h->protocol)) { 616 default: 617 IFNET_STAT_INC(ifp, noproto, 1); 618 goto invalid; 619 case CISCO_KEEPALIVE: 620 sppp_cisco_input ((struct sppp*) ifp, m); 621 m_freem (m); 622 return; 623 #ifdef INET 624 case ETHERTYPE_IP: 625 isr = NETISR_IP; 626 do_account++; 627 break; 628 #endif 629 #ifdef INET6 630 case ETHERTYPE_IPV6: 631 isr = NETISR_IPV6; 632 do_account++; 633 break; 634 #endif 635 } 636 break; 637 default: /* Invalid PPP packet. */ 638 invalid: 639 if (debug) 640 log(LOG_DEBUG, 641 SPP_FMT "invalid input packet " 642 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 643 SPP_ARGS(ifp), 644 h->address, h->control, ntohs(h->protocol)); 645 goto drop; 646 } 647 648 if (! (ifp->if_flags & IFF_UP) || isr < 0) 649 goto drop; 650 651 /* Check queue. */ 652 653 netisr_queue(isr, m); 654 655 /* 656 * Do only account for network packets, not for control 657 * packets. This is used by some subsystems to detect 658 * idle lines. 659 */ 660 if (do_account) 661 sp->pp_last_recv = time_uptime; 662 } 663 664 /* 665 * Enqueue transmit packet. 666 */ 667 static int 668 sppp_output_serialized(struct ifnet *ifp, struct ifaltq_subque *ifsq, 669 struct mbuf *m, struct sockaddr *dst, struct rtentry *rt) 670 { 671 struct sppp *sp = (struct sppp*) ifp; 672 struct ppp_header *h; 673 struct ifqueue *ifq = NULL; 674 int rv = 0; 675 int ipproto = PPP_IP; 676 int debug = ifp->if_flags & IFF_DEBUG; 677 struct altq_pktattr pktattr; 678 679 crit_enter(); 680 681 if ((ifp->if_flags & IFF_UP) == 0 || 682 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 683 #ifdef INET6 684 drop: 685 #endif 686 m_freem (m); 687 crit_exit(); 688 return (ENETDOWN); 689 } 690 691 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 692 #ifdef INET6 693 /* 694 * XXX 695 * 696 * Hack to prevent the initialization-time generated 697 * IPv6 multicast packet to erroneously cause a 698 * dialout event in case IPv6 has been 699 * administratively disabled on that interface. 700 */ 701 if (dst->sa_family == AF_INET6 && 702 !(sp->confflags & CONF_ENABLE_IPV6)) 703 goto drop; 704 #endif 705 /* 706 * Interface is not yet running, but auto-dial. Need 707 * to start LCP for it. 708 */ 709 ifp->if_flags |= IFF_RUNNING; 710 crit_exit(); 711 lcp.Open(sp); 712 crit_enter(); 713 } 714 715 /* 716 * if the queueing discipline needs packet classification, 717 * do it before prepending link headers. 718 */ 719 ifq_classify(&ifp->if_snd, m, dst->sa_family, &pktattr); 720 721 #ifdef INET 722 if (dst->sa_family == AF_INET) { 723 /* XXX Check mbuf length here? */ 724 struct ip *ip = mtod (m, struct ip*); 725 struct tcphdr *tcp = (struct tcphdr*) ((long*)ip + ip->ip_hl); 726 727 /* 728 * When using dynamic local IP address assignment by using 729 * 0.0.0.0 as a local address, the first TCP session will 730 * not connect because the local TCP checksum is computed 731 * using 0.0.0.0 which will later become our real IP address 732 * so the TCP checksum computed at the remote end will 733 * become invalid. So we 734 * - don't let packets with src ip addr 0 thru 735 * - we flag TCP packets with src ip 0 as an error 736 */ 737 738 if(ip->ip_src.s_addr == INADDR_ANY) /* -hm */ 739 { 740 m_freem(m); 741 crit_exit(); 742 if(ip->ip_p == IPPROTO_TCP) 743 return(EADDRNOTAVAIL); 744 else 745 return(0); 746 } 747 748 /* 749 * Put low delay, telnet, rlogin and ftp control packets 750 * in front of the queue. 751 */ 752 if (IF_QFULL (&sp->pp_fastq)) 753 ; 754 else if (ip->ip_tos & IPTOS_LOWDELAY) 755 ifq = &sp->pp_fastq; 756 else if (m->m_len < sizeof *ip + sizeof *tcp) 757 ; 758 else if (ip->ip_p != IPPROTO_TCP) 759 ; 760 else if (INTERACTIVE (ntohs (tcp->th_sport))) 761 ifq = &sp->pp_fastq; 762 else if (INTERACTIVE (ntohs (tcp->th_dport))) 763 ifq = &sp->pp_fastq; 764 765 /* 766 * Do IP Header compression 767 */ 768 if (sp->pp_mode != IFF_CISCO && (sp->ipcp.flags & IPCP_VJ) && 769 ip->ip_p == IPPROTO_TCP) 770 switch (sl_compress_tcp(m, ip, sp->pp_comp, 771 sp->ipcp.compress_cid)) { 772 case TYPE_COMPRESSED_TCP: 773 ipproto = PPP_VJ_COMP; 774 break; 775 case TYPE_UNCOMPRESSED_TCP: 776 ipproto = PPP_VJ_UCOMP; 777 break; 778 case TYPE_IP: 779 ipproto = PPP_IP; 780 break; 781 default: 782 m_freem(m); 783 crit_exit(); 784 return (EINVAL); 785 } 786 } 787 #endif 788 789 #ifdef INET6 790 if (dst->sa_family == AF_INET6) { 791 /* XXX do something tricky here? */ 792 } 793 #endif 794 795 /* 796 * Prepend general data packet PPP header. For now, IP only. 797 */ 798 M_PREPEND (m, PPP_HEADER_LEN, M_NOWAIT); 799 if (! m) { 800 if (debug) 801 log(LOG_DEBUG, SPP_FMT "no memory for transmit header\n", 802 SPP_ARGS(ifp)); 803 IFNET_STAT_INC(ifp, oerrors, 1); 804 crit_exit(); 805 return (ENOBUFS); 806 } 807 /* 808 * May want to check size of packet 809 * (albeit due to the implementation it's always enough) 810 */ 811 h = mtod (m, struct ppp_header*); 812 if (sp->pp_mode == IFF_CISCO) { 813 h->address = CISCO_UNICAST; /* unicast address */ 814 h->control = 0; 815 } else { 816 h->address = PPP_ALLSTATIONS; /* broadcast address */ 817 h->control = PPP_UI; /* Unnumbered Info */ 818 } 819 820 switch (dst->sa_family) { 821 #ifdef INET 822 case AF_INET: /* Internet Protocol */ 823 if (sp->pp_mode == IFF_CISCO) 824 h->protocol = htons (ETHERTYPE_IP); 825 else { 826 /* 827 * Don't choke with an ENETDOWN early. It's 828 * possible that we just started dialing out, 829 * so don't drop the packet immediately. If 830 * we notice that we run out of buffer space 831 * below, we will however remember that we are 832 * not ready to carry IP packets, and return 833 * ENETDOWN, as opposed to ENOBUFS. 834 */ 835 h->protocol = htons(ipproto); 836 if (sp->state[IDX_IPCP] != STATE_OPENED) 837 rv = ENETDOWN; 838 } 839 break; 840 #endif 841 #ifdef INET6 842 case AF_INET6: /* Internet Protocol */ 843 if (sp->pp_mode == IFF_CISCO) 844 h->protocol = htons (ETHERTYPE_IPV6); 845 else { 846 /* 847 * Don't choke with an ENETDOWN early. It's 848 * possible that we just started dialing out, 849 * so don't drop the packet immediately. If 850 * we notice that we run out of buffer space 851 * below, we will however remember that we are 852 * not ready to carry IP packets, and return 853 * ENETDOWN, as opposed to ENOBUFS. 854 */ 855 h->protocol = htons(PPP_IPV6); 856 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 857 rv = ENETDOWN; 858 } 859 break; 860 #endif 861 default: 862 m_freem (m); 863 IFNET_STAT_INC(ifp, oerrors, 1); 864 crit_exit(); 865 return (EAFNOSUPPORT); 866 } 867 868 /* 869 * Queue message on interface, and start output if interface 870 * not yet active. 871 */ 872 if (ifq != NULL) { 873 if (IF_QFULL(ifq)) { 874 IF_DROP(ifq); 875 m_freem(m); 876 rv = ENOBUFS; 877 } else { 878 IF_ENQUEUE(ifq, m); 879 rv = 0; 880 } 881 } else { 882 rv = ifsq_enqueue(ifsq, m, &pktattr); 883 } 884 if (rv) { 885 IFNET_STAT_INC(ifp, oerrors, 1); 886 crit_exit(); 887 return(rv); 888 } 889 if (!ifsq_is_oactive(ifsq)) 890 (*ifp->if_start) (ifp, ifsq); 891 892 /* 893 * Count output packets and bytes. 894 * The packet length includes header, FCS and 1 flag, 895 * according to RFC 1333. 896 */ 897 IFNET_STAT_INC(ifp, obytes, m->m_pkthdr.len + 3); 898 899 /* 900 * Unlike in sppp_input(), we can always bump the timestamp 901 * here since sppp_output() is only called on behalf of 902 * network-layer traffic; control-layer traffic is handled 903 * by sppp_cp_send(). 904 */ 905 sp->pp_last_sent = time_uptime; 906 907 crit_exit(); 908 return (0); 909 } 910 911 static int 912 sppp_output(struct ifnet *ifp, struct mbuf *m, 913 struct sockaddr *dst, struct rtentry *rt) 914 { 915 struct ifaltq_subque *ifsq = ifq_get_subq_default(&ifp->if_snd); 916 int error; 917 918 ifsq_serialize_hw(ifsq); 919 error = sppp_output_serialized(ifp, ifsq, m, dst, rt); 920 ifsq_deserialize_hw(ifsq); 921 922 return error; 923 } 924 925 void 926 sppp_attach(struct ifnet *ifp) 927 { 928 struct sppp *sp = (struct sppp*) ifp; 929 930 /* Initialize keepalive handler. */ 931 if (!spppq) { 932 callout_reset(&keepalive_timeout, hz * 10, 933 sppp_keepalive, NULL); 934 } 935 /* Insert new entry into the keepalive list. */ 936 sp->pp_next = spppq; 937 spppq = sp; 938 939 sp->pp_if.if_mtu = PP_MTU; 940 sp->pp_if.if_flags = IFF_POINTOPOINT | IFF_MULTICAST; 941 sp->pp_if.if_type = IFT_PPP; 942 sp->pp_if.if_output = sppp_output; 943 #if 0 944 sp->pp_flags = PP_KEEPALIVE; 945 #endif 946 ifq_set_maxlen(&sp->pp_if.if_snd, 32); 947 sp->pp_fastq.ifq_maxlen = 32; 948 sp->pp_cpq.ifq_maxlen = 20; 949 sp->pp_loopcnt = 0; 950 sp->pp_alivecnt = 0; 951 bzero(&sp->pp_seq[0], sizeof(sp->pp_seq)); 952 bzero(&sp->pp_rseq[0], sizeof(sp->pp_rseq)); 953 sp->pp_phase = PHASE_DEAD; 954 sp->pp_up = lcp.Up; 955 sp->pp_down = lcp.Down; 956 sp->pp_last_recv = sp->pp_last_sent = time_uptime; 957 sp->confflags = 0; 958 #ifdef INET 959 sp->confflags |= CONF_ENABLE_VJ; 960 #endif 961 #ifdef INET6 962 sp->confflags |= CONF_ENABLE_IPV6; 963 #endif 964 sp->pp_comp = kmalloc(sizeof(struct slcompress), M_TEMP, M_WAITOK); 965 sl_compress_init(sp->pp_comp, -1); 966 sppp_lcp_init(sp); 967 sppp_ipcp_init(sp); 968 sppp_ipv6cp_init(sp); 969 sppp_pap_init(sp); 970 sppp_chap_init(sp); 971 } 972 973 void 974 sppp_detach(struct ifnet *ifp) 975 { 976 struct sppp **q, *p, *sp = (struct sppp*) ifp; 977 int i; 978 979 /* Remove the entry from the keepalive list. */ 980 for (q = &spppq; (p = *q); q = &p->pp_next) 981 if (p == sp) { 982 *q = p->pp_next; 983 break; 984 } 985 986 /* Stop keepalive handler. */ 987 if (!spppq) 988 callout_stop(&keepalive_timeout); 989 990 for (i = 0; i < IDX_COUNT; i++) 991 callout_stop(&sp->timeout[i]); 992 callout_stop(&sp->pap_my_to); 993 } 994 995 /* 996 * Flush the interface output queue. 997 */ 998 void 999 sppp_flush(struct ifnet *ifp) 1000 { 1001 struct sppp *sp = (struct sppp*) ifp; 1002 1003 ifq_purge_all(&sp->pp_if.if_snd); 1004 IF_DRAIN(&sp->pp_fastq); 1005 IF_DRAIN(&sp->pp_cpq); 1006 } 1007 1008 /* 1009 * Check if the output queue is empty. 1010 */ 1011 int 1012 sppp_isempty(struct ifnet *ifp) 1013 { 1014 struct sppp *sp = (struct sppp*) ifp; 1015 int empty; 1016 1017 crit_enter(); 1018 empty = IF_QEMPTY(&sp->pp_fastq) && IF_QEMPTY(&sp->pp_cpq) && 1019 ifsq_is_empty(ifq_get_subq_default(&sp->pp_if.if_snd)); 1020 crit_exit(); 1021 return (empty); 1022 } 1023 1024 /* 1025 * Get next packet to send. 1026 */ 1027 struct mbuf * 1028 sppp_dequeue(struct ifnet *ifp) 1029 { 1030 struct sppp *sp = (struct sppp*) ifp; 1031 struct mbuf *m; 1032 1033 crit_enter(); 1034 1035 /* 1036 * Process only the control protocol queue until we have at 1037 * least one NCP open. 1038 * 1039 * Do always serve all three queues in Cisco mode. 1040 */ 1041 IF_DEQUEUE(&sp->pp_cpq, m); 1042 if (m == NULL && 1043 (sppp_ncp_check(sp) || sp->pp_mode == IFF_CISCO)) { 1044 IF_DEQUEUE(&sp->pp_fastq, m); 1045 if (m == NULL) { 1046 m = ifsq_dequeue( 1047 ifq_get_subq_default(&sp->pp_if.if_snd)); 1048 } 1049 } 1050 1051 crit_exit(); 1052 return m; 1053 } 1054 1055 /* 1056 * Pick the next packet, do not remove it from the queue. 1057 */ 1058 struct mbuf * 1059 sppp_pick(struct ifnet *ifp) 1060 { 1061 struct sppp *sp = (struct sppp*)ifp; 1062 struct mbuf *m; 1063 1064 crit_enter(); 1065 1066 m = sp->pp_cpq.ifq_head; 1067 if (m == NULL && 1068 (sp->pp_phase == PHASE_NETWORK || sp->pp_mode == IFF_CISCO)) { 1069 if ((m = sp->pp_fastq.ifq_head) == NULL) 1070 m = ifsq_poll(ifq_get_subq_default(&sp->pp_if.if_snd)); 1071 } 1072 1073 crit_exit(); 1074 return (m); 1075 } 1076 1077 /* 1078 * Process an ioctl request. Called on low priority level. 1079 */ 1080 int 1081 sppp_ioctl(struct ifnet *ifp, IOCTL_CMD_T cmd, void *data) 1082 { 1083 struct ifreq *ifr = (struct ifreq*) data; 1084 struct sppp *sp = (struct sppp*) ifp; 1085 int rv, going_up, going_down, newmode; 1086 1087 crit_enter(); 1088 1089 rv = 0; 1090 switch (cmd) { 1091 case SIOCAIFADDR: 1092 case SIOCSIFDSTADDR: 1093 break; 1094 1095 case SIOCSIFADDR: 1096 /* set the interface "up" when assigning an IP address */ 1097 ifp->if_flags |= IFF_UP; 1098 /* fall through... */ 1099 1100 case SIOCSIFFLAGS: 1101 going_up = ifp->if_flags & IFF_UP && 1102 (ifp->if_flags & IFF_RUNNING) == 0; 1103 going_down = (ifp->if_flags & IFF_UP) == 0 && 1104 ifp->if_flags & IFF_RUNNING; 1105 1106 newmode = ifp->if_flags & IFF_PASSIVE; 1107 if (!newmode) 1108 newmode = ifp->if_flags & IFF_AUTO; 1109 if (!newmode) 1110 newmode = ifp->if_flags & IFF_CISCO; 1111 ifp->if_flags &= ~(IFF_PASSIVE | IFF_AUTO | IFF_CISCO); 1112 ifp->if_flags |= newmode; 1113 1114 if (newmode != sp->pp_mode) { 1115 going_down = 1; 1116 if (!going_up) 1117 going_up = ifp->if_flags & IFF_RUNNING; 1118 } 1119 1120 if (going_down) { 1121 if (sp->pp_mode != IFF_CISCO) 1122 lcp.Close(sp); 1123 else if (sp->pp_tlf) 1124 (sp->pp_tlf)(sp); 1125 sppp_flush(ifp); 1126 ifp->if_flags &= ~IFF_RUNNING; 1127 sp->pp_mode = newmode; 1128 } 1129 1130 if (going_up) { 1131 if (sp->pp_mode != IFF_CISCO) 1132 lcp.Close(sp); 1133 sp->pp_mode = newmode; 1134 if (sp->pp_mode == 0) { 1135 ifp->if_flags |= IFF_RUNNING; 1136 lcp.Open(sp); 1137 } 1138 if (sp->pp_mode == IFF_CISCO) { 1139 if (sp->pp_tls) 1140 (sp->pp_tls)(sp); 1141 ifp->if_flags |= IFF_RUNNING; 1142 } 1143 } 1144 1145 break; 1146 1147 #ifdef SIOCSIFMTU 1148 #ifndef ifr_mtu 1149 #define ifr_mtu ifr_metric 1150 #endif 1151 case SIOCSIFMTU: 1152 if (ifr->ifr_mtu < 128 || ifr->ifr_mtu > sp->lcp.their_mru) { 1153 crit_exit(); 1154 return (EINVAL); 1155 } 1156 ifp->if_mtu = ifr->ifr_mtu; 1157 break; 1158 #endif 1159 #ifdef SLIOCSETMTU 1160 case SLIOCSETMTU: 1161 if (*(short*)data < 128 || *(short*)data > sp->lcp.their_mru) { 1162 crit_exit(); 1163 return (EINVAL); 1164 } 1165 ifp->if_mtu = *(short*)data; 1166 break; 1167 #endif 1168 #ifdef SIOCGIFMTU 1169 case SIOCGIFMTU: 1170 ifr->ifr_mtu = ifp->if_mtu; 1171 break; 1172 #endif 1173 #ifdef SLIOCGETMTU 1174 case SLIOCGETMTU: 1175 *(short*)data = ifp->if_mtu; 1176 break; 1177 #endif 1178 case SIOCADDMULTI: 1179 case SIOCDELMULTI: 1180 break; 1181 1182 case SIOCGIFGENERIC: 1183 case SIOCSIFGENERIC: 1184 rv = sppp_params(sp, cmd, data); 1185 break; 1186 1187 default: 1188 rv = ENOTTY; 1189 } 1190 1191 crit_exit(); 1192 return rv; 1193 } 1194 1195 /* 1196 * Cisco framing implementation. 1197 */ 1198 1199 /* 1200 * Handle incoming Cisco keepalive protocol packets. 1201 */ 1202 static void 1203 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1204 { 1205 STDDCL; 1206 struct cisco_packet *h; 1207 u_long me, mymask; 1208 1209 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1210 if (debug) 1211 log(LOG_DEBUG, 1212 SPP_FMT "cisco invalid packet length: %d bytes\n", 1213 SPP_ARGS(ifp), m->m_pkthdr.len); 1214 return; 1215 } 1216 h = mtod (m, struct cisco_packet*); 1217 if (debug) 1218 log(LOG_DEBUG, 1219 SPP_FMT "cisco input: %d bytes " 1220 "<0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n", 1221 SPP_ARGS(ifp), m->m_pkthdr.len, 1222 (u_long)ntohl (h->type), h->par1, h->par2, (u_int)h->rel, 1223 (u_int)h->time0, (u_int)h->time1); 1224 switch (ntohl (h->type)) { 1225 default: 1226 if (debug) 1227 log(-1, SPP_FMT "cisco unknown packet type: 0x%lx\n", 1228 SPP_ARGS(ifp), (u_long)ntohl (h->type)); 1229 break; 1230 case CISCO_ADDR_REPLY: 1231 /* Reply on address request, ignore */ 1232 break; 1233 case CISCO_KEEPALIVE_REQ: 1234 sp->pp_alivecnt = 0; 1235 sp->pp_rseq[IDX_LCP] = ntohl (h->par1); 1236 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1237 /* Local and remote sequence numbers are equal. 1238 * Probably, the line is in loopback mode. */ 1239 if (sp->pp_loopcnt >= MAXALIVECNT) { 1240 kprintf (SPP_FMT "loopback\n", 1241 SPP_ARGS(ifp)); 1242 sp->pp_loopcnt = 0; 1243 if (ifp->if_flags & IFF_UP) { 1244 if_down (ifp); 1245 IF_DRAIN(&sp->pp_cpq); 1246 } 1247 } 1248 ++sp->pp_loopcnt; 1249 1250 /* Generate new local sequence number */ 1251 sp->pp_seq[IDX_LCP] = krandom(); 1252 break; 1253 } 1254 sp->pp_loopcnt = 0; 1255 if (! (ifp->if_flags & IFF_UP) && 1256 (ifp->if_flags & IFF_RUNNING)) { 1257 if_up(ifp); 1258 kprintf (SPP_FMT "up\n", SPP_ARGS(ifp)); 1259 } 1260 break; 1261 case CISCO_ADDR_REQ: 1262 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1263 if (me != 0L) 1264 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1265 break; 1266 } 1267 } 1268 1269 /* 1270 * Send Cisco keepalive packet. 1271 */ 1272 static void 1273 sppp_cisco_send(struct sppp *sp, int type, long par1, long par2) 1274 { 1275 STDDCL; 1276 struct ppp_header *h; 1277 struct cisco_packet *ch; 1278 struct mbuf *m; 1279 struct timeval tv; 1280 struct ifaltq_subque *ifsq; 1281 1282 getmicrouptime(&tv); 1283 1284 MGETHDR (m, M_NOWAIT, MT_DATA); 1285 if (! m) 1286 return; 1287 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1288 m->m_pkthdr.rcvif = 0; 1289 1290 h = mtod (m, struct ppp_header*); 1291 h->address = CISCO_MULTICAST; 1292 h->control = 0; 1293 h->protocol = htons (CISCO_KEEPALIVE); 1294 1295 ch = (struct cisco_packet*) (h + 1); 1296 ch->type = htonl (type); 1297 ch->par1 = htonl (par1); 1298 ch->par2 = htonl (par2); 1299 ch->rel = -1; 1300 1301 ch->time0 = htons ((u_short) (tv.tv_sec >> 16)); 1302 ch->time1 = htons ((u_short) tv.tv_sec); 1303 1304 if (debug) 1305 log(LOG_DEBUG, 1306 SPP_FMT "cisco output: <0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n", 1307 SPP_ARGS(ifp), (u_long)ntohl (ch->type), ch->par1, 1308 ch->par2, (u_int)ch->rel, (u_int)ch->time0, (u_int)ch->time1); 1309 1310 if (IF_QFULL (&sp->pp_cpq)) { 1311 IF_DROP (&sp->pp_fastq); 1312 m_freem (m); 1313 } else 1314 IF_ENQUEUE (&sp->pp_cpq, m); 1315 ifsq = ifq_get_subq_default(&ifp->if_snd); 1316 if (!ifsq_is_oactive(ifsq)) 1317 (*ifp->if_start) (ifp, ifsq); 1318 IFNET_STAT_INC(ifp, obytes, m->m_pkthdr.len + 3); 1319 } 1320 1321 /* 1322 * PPP protocol implementation. 1323 */ 1324 1325 /* 1326 * Send PPP control protocol packet. 1327 */ 1328 static void 1329 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1330 u_char ident, u_short len, void *data) 1331 { 1332 STDDCL; 1333 struct ppp_header *h; 1334 struct lcp_header *lh; 1335 struct mbuf *m; 1336 struct ifaltq_subque *ifsq; 1337 1338 if (len > MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN) 1339 len = MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN; 1340 MGETHDR (m, M_NOWAIT, MT_DATA); 1341 if (! m) 1342 return; 1343 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + LCP_HEADER_LEN + len; 1344 m->m_pkthdr.rcvif = 0; 1345 1346 h = mtod (m, struct ppp_header*); 1347 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1348 h->control = PPP_UI; /* Unnumbered Info */ 1349 h->protocol = htons (proto); /* Link Control Protocol */ 1350 1351 lh = (struct lcp_header*) (h + 1); 1352 lh->type = type; 1353 lh->ident = ident; 1354 lh->len = htons (LCP_HEADER_LEN + len); 1355 if (len) 1356 bcopy (data, lh+1, len); 1357 1358 if (debug) { 1359 log(LOG_DEBUG, SPP_FMT "%s output <%s id=0x%x len=%d", 1360 SPP_ARGS(ifp), 1361 sppp_proto_name(proto), 1362 sppp_cp_type_name (lh->type), lh->ident, 1363 ntohs (lh->len)); 1364 sppp_print_bytes ((u_char*) (lh+1), len); 1365 log(-1, ">\n"); 1366 } 1367 if (IF_QFULL (&sp->pp_cpq)) { 1368 IF_DROP (&sp->pp_fastq); 1369 m_freem (m); 1370 IFNET_STAT_INC(ifp, oerrors, 1); 1371 } else 1372 IF_ENQUEUE (&sp->pp_cpq, m); 1373 ifsq = ifq_get_subq_default(&ifp->if_snd); 1374 if (!ifsq_is_oactive(ifsq)) 1375 (*ifp->if_start) (ifp, ifsq); 1376 IFNET_STAT_INC(ifp, obytes, m->m_pkthdr.len + 3); 1377 } 1378 1379 /* 1380 * Handle incoming PPP control protocol packets. 1381 */ 1382 static void 1383 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1384 { 1385 STDDCL; 1386 struct lcp_header *h; 1387 int printlen, len = m->m_pkthdr.len; 1388 int rv; 1389 u_char *p; 1390 1391 if (len < 4) { 1392 if (debug) 1393 log(LOG_DEBUG, 1394 SPP_FMT "%s invalid packet length: %d bytes\n", 1395 SPP_ARGS(ifp), cp->name, len); 1396 return; 1397 } 1398 h = mtod (m, struct lcp_header*); 1399 if (debug) { 1400 printlen = ntohs(h->len); 1401 log(LOG_DEBUG, 1402 SPP_FMT "%s input(%s): <%s id=0x%x len=%d", 1403 SPP_ARGS(ifp), cp->name, 1404 sppp_state_name(sp->state[cp->protoidx]), 1405 sppp_cp_type_name (h->type), h->ident, printlen); 1406 if (len < printlen) 1407 printlen = len; 1408 if (printlen > 4) 1409 sppp_print_bytes ((u_char*) (h+1), printlen - 4); 1410 log(-1, ">\n"); 1411 } 1412 if (len > ntohs (h->len)) 1413 len = ntohs (h->len); 1414 p = (u_char *)(h + 1); 1415 switch (h->type) { 1416 case CONF_REQ: 1417 if (len < 4) { 1418 if (debug) 1419 log(-1, SPP_FMT "%s invalid conf-req length %d\n", 1420 SPP_ARGS(ifp), cp->name, 1421 len); 1422 IFNET_STAT_INC(ifp, ierrors, 1); 1423 break; 1424 } 1425 /* handle states where RCR doesn't get a SCA/SCN */ 1426 switch (sp->state[cp->protoidx]) { 1427 case STATE_CLOSING: 1428 case STATE_STOPPING: 1429 return; 1430 case STATE_CLOSED: 1431 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1432 0, 0); 1433 return; 1434 } 1435 rv = (cp->RCR)(sp, h, len); 1436 if (rv < 0) { 1437 /* fatal error, shut down */ 1438 (cp->tld)(sp); 1439 sppp_lcp_tlf(sp); 1440 return; 1441 } 1442 switch (sp->state[cp->protoidx]) { 1443 case STATE_OPENED: 1444 (cp->tld)(sp); 1445 (cp->scr)(sp); 1446 /* fall through... */ 1447 case STATE_ACK_SENT: 1448 case STATE_REQ_SENT: 1449 /* 1450 * sppp_cp_change_state() have the side effect of 1451 * restarting the timeouts. We want to avoid that 1452 * if the state don't change, otherwise we won't 1453 * ever timeout and resend a configuration request 1454 * that got lost. 1455 */ 1456 if (sp->state[cp->protoidx] == (rv ? STATE_ACK_SENT: 1457 STATE_REQ_SENT)) 1458 break; 1459 sppp_cp_change_state(cp, sp, rv? 1460 STATE_ACK_SENT: STATE_REQ_SENT); 1461 break; 1462 case STATE_STOPPED: 1463 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1464 (cp->scr)(sp); 1465 sppp_cp_change_state(cp, sp, rv? 1466 STATE_ACK_SENT: STATE_REQ_SENT); 1467 break; 1468 case STATE_ACK_RCVD: 1469 if (rv) { 1470 sppp_cp_change_state(cp, sp, STATE_OPENED); 1471 if (debug) 1472 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 1473 SPP_ARGS(ifp), 1474 cp->name); 1475 (cp->tlu)(sp); 1476 } else 1477 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1478 break; 1479 default: 1480 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1481 SPP_ARGS(ifp), cp->name, 1482 sppp_cp_type_name(h->type), 1483 sppp_state_name(sp->state[cp->protoidx])); 1484 IFNET_STAT_INC(ifp, ierrors, 1); 1485 } 1486 break; 1487 case CONF_ACK: 1488 if (h->ident != sp->confid[cp->protoidx]) { 1489 if (debug) 1490 log(-1, SPP_FMT "%s id mismatch 0x%x != 0x%x\n", 1491 SPP_ARGS(ifp), cp->name, 1492 h->ident, sp->confid[cp->protoidx]); 1493 IFNET_STAT_INC(ifp, ierrors, 1); 1494 break; 1495 } 1496 switch (sp->state[cp->protoidx]) { 1497 case STATE_CLOSED: 1498 case STATE_STOPPED: 1499 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1500 break; 1501 case STATE_CLOSING: 1502 case STATE_STOPPING: 1503 break; 1504 case STATE_REQ_SENT: 1505 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1506 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1507 break; 1508 case STATE_OPENED: 1509 (cp->tld)(sp); 1510 /* fall through */ 1511 case STATE_ACK_RCVD: 1512 (cp->scr)(sp); 1513 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1514 break; 1515 case STATE_ACK_SENT: 1516 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1517 sppp_cp_change_state(cp, sp, STATE_OPENED); 1518 if (debug) 1519 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 1520 SPP_ARGS(ifp), cp->name); 1521 (cp->tlu)(sp); 1522 break; 1523 default: 1524 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1525 SPP_ARGS(ifp), cp->name, 1526 sppp_cp_type_name(h->type), 1527 sppp_state_name(sp->state[cp->protoidx])); 1528 IFNET_STAT_INC(ifp, ierrors, 1); 1529 } 1530 break; 1531 case CONF_NAK: 1532 case CONF_REJ: 1533 if (h->ident != sp->confid[cp->protoidx]) { 1534 if (debug) 1535 log(-1, SPP_FMT "%s id mismatch 0x%x != 0x%x\n", 1536 SPP_ARGS(ifp), cp->name, 1537 h->ident, sp->confid[cp->protoidx]); 1538 IFNET_STAT_INC(ifp, ierrors, 1); 1539 break; 1540 } 1541 if (h->type == CONF_NAK) 1542 (cp->RCN_nak)(sp, h, len); 1543 else /* CONF_REJ */ 1544 (cp->RCN_rej)(sp, h, len); 1545 1546 switch (sp->state[cp->protoidx]) { 1547 case STATE_CLOSED: 1548 case STATE_STOPPED: 1549 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1550 break; 1551 case STATE_REQ_SENT: 1552 case STATE_ACK_SENT: 1553 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1554 /* 1555 * Slow things down a bit if we think we might be 1556 * in loopback. Depend on the timeout to send the 1557 * next configuration request. 1558 */ 1559 if (sp->pp_loopcnt) 1560 break; 1561 (cp->scr)(sp); 1562 break; 1563 case STATE_OPENED: 1564 (cp->tld)(sp); 1565 /* fall through */ 1566 case STATE_ACK_RCVD: 1567 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1568 (cp->scr)(sp); 1569 break; 1570 case STATE_CLOSING: 1571 case STATE_STOPPING: 1572 break; 1573 default: 1574 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1575 SPP_ARGS(ifp), cp->name, 1576 sppp_cp_type_name(h->type), 1577 sppp_state_name(sp->state[cp->protoidx])); 1578 IFNET_STAT_INC(ifp, ierrors, 1); 1579 } 1580 break; 1581 1582 case TERM_REQ: 1583 switch (sp->state[cp->protoidx]) { 1584 case STATE_ACK_RCVD: 1585 case STATE_ACK_SENT: 1586 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1587 /* fall through */ 1588 case STATE_CLOSED: 1589 case STATE_STOPPED: 1590 case STATE_CLOSING: 1591 case STATE_STOPPING: 1592 case STATE_REQ_SENT: 1593 sta: 1594 /* Send Terminate-Ack packet. */ 1595 if (debug) 1596 log(LOG_DEBUG, SPP_FMT "%s send terminate-ack\n", 1597 SPP_ARGS(ifp), cp->name); 1598 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1599 break; 1600 case STATE_OPENED: 1601 (cp->tld)(sp); 1602 sp->rst_counter[cp->protoidx] = 0; 1603 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1604 goto sta; 1605 break; 1606 default: 1607 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1608 SPP_ARGS(ifp), cp->name, 1609 sppp_cp_type_name(h->type), 1610 sppp_state_name(sp->state[cp->protoidx])); 1611 IFNET_STAT_INC(ifp, ierrors, 1); 1612 } 1613 break; 1614 case TERM_ACK: 1615 switch (sp->state[cp->protoidx]) { 1616 case STATE_CLOSED: 1617 case STATE_STOPPED: 1618 case STATE_REQ_SENT: 1619 case STATE_ACK_SENT: 1620 break; 1621 case STATE_CLOSING: 1622 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1623 (cp->tlf)(sp); 1624 break; 1625 case STATE_STOPPING: 1626 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1627 (cp->tlf)(sp); 1628 break; 1629 case STATE_ACK_RCVD: 1630 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1631 break; 1632 case STATE_OPENED: 1633 (cp->tld)(sp); 1634 (cp->scr)(sp); 1635 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1636 break; 1637 default: 1638 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1639 SPP_ARGS(ifp), cp->name, 1640 sppp_cp_type_name(h->type), 1641 sppp_state_name(sp->state[cp->protoidx])); 1642 IFNET_STAT_INC(ifp, ierrors, 1); 1643 } 1644 break; 1645 case CODE_REJ: 1646 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1647 log(LOG_INFO, 1648 SPP_FMT "%s: ignoring RXJ (%s) for proto 0x%x, " 1649 "danger will robinson\n", 1650 SPP_ARGS(ifp), cp->name, 1651 sppp_cp_type_name(h->type), ntohs(*((u_short *)p))); 1652 switch (sp->state[cp->protoidx]) { 1653 case STATE_CLOSED: 1654 case STATE_STOPPED: 1655 case STATE_REQ_SENT: 1656 case STATE_ACK_SENT: 1657 case STATE_CLOSING: 1658 case STATE_STOPPING: 1659 case STATE_OPENED: 1660 break; 1661 case STATE_ACK_RCVD: 1662 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1663 break; 1664 default: 1665 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1666 SPP_ARGS(ifp), cp->name, 1667 sppp_cp_type_name(h->type), 1668 sppp_state_name(sp->state[cp->protoidx])); 1669 IFNET_STAT_INC(ifp, ierrors, 1); 1670 } 1671 break; 1672 case PROTO_REJ: 1673 { 1674 int catastrophic; 1675 const struct cp *upper; 1676 int i; 1677 u_int16_t proto; 1678 1679 catastrophic = 0; 1680 upper = NULL; 1681 proto = ntohs(*((u_int16_t *)p)); 1682 for (i = 0; i < IDX_COUNT; i++) { 1683 if (cps[i]->proto == proto) { 1684 upper = cps[i]; 1685 break; 1686 } 1687 } 1688 if (upper == NULL) 1689 catastrophic++; 1690 1691 if (catastrophic || debug) 1692 log(catastrophic? LOG_INFO: LOG_DEBUG, 1693 SPP_FMT "%s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1694 SPP_ARGS(ifp), cp->name, catastrophic ? '-' : '+', 1695 sppp_cp_type_name(h->type), proto, 1696 upper ? upper->name : "unknown", 1697 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1698 1699 /* 1700 * if we got RXJ+ against conf-req, the peer does not implement 1701 * this particular protocol type. terminate the protocol. 1702 */ 1703 if (upper && !catastrophic) { 1704 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1705 upper->Close(sp); 1706 break; 1707 } 1708 } 1709 1710 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1711 switch (sp->state[cp->protoidx]) { 1712 case STATE_CLOSED: 1713 case STATE_STOPPED: 1714 case STATE_REQ_SENT: 1715 case STATE_ACK_SENT: 1716 case STATE_CLOSING: 1717 case STATE_STOPPING: 1718 case STATE_OPENED: 1719 break; 1720 case STATE_ACK_RCVD: 1721 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1722 break; 1723 default: 1724 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1725 SPP_ARGS(ifp), cp->name, 1726 sppp_cp_type_name(h->type), 1727 sppp_state_name(sp->state[cp->protoidx])); 1728 IFNET_STAT_INC(ifp, ierrors, 1); 1729 } 1730 break; 1731 } 1732 case DISC_REQ: 1733 if (cp->proto != PPP_LCP) 1734 goto illegal; 1735 /* Discard the packet. */ 1736 break; 1737 case ECHO_REQ: 1738 if (cp->proto != PPP_LCP) 1739 goto illegal; 1740 if (sp->state[cp->protoidx] != STATE_OPENED) { 1741 if (debug) 1742 log(-1, SPP_FMT "lcp echo req but lcp closed\n", 1743 SPP_ARGS(ifp)); 1744 IFNET_STAT_INC(ifp, ierrors, 1); 1745 break; 1746 } 1747 if (len < 8) { 1748 if (debug) 1749 log(-1, SPP_FMT "invalid lcp echo request " 1750 "packet length: %d bytes\n", 1751 SPP_ARGS(ifp), len); 1752 break; 1753 } 1754 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 1755 ntohl (*(long*)(h+1)) == sp->lcp.magic) { 1756 /* Line loopback mode detected. */ 1757 kprintf(SPP_FMT "loopback\n", SPP_ARGS(ifp)); 1758 sp->pp_loopcnt = MAXALIVECNT * 5; 1759 if_down (ifp); 1760 IF_DRAIN(&sp->pp_cpq); 1761 1762 /* Shut down the PPP link. */ 1763 /* XXX */ 1764 lcp.Down(sp); 1765 lcp.Up(sp); 1766 break; 1767 } 1768 *(long*)(h+1) = htonl (sp->lcp.magic); 1769 if (debug) 1770 log(-1, SPP_FMT "got lcp echo req, sending echo rep\n", 1771 SPP_ARGS(ifp)); 1772 sppp_cp_send (sp, PPP_LCP, ECHO_REPLY, h->ident, len-4, h+1); 1773 break; 1774 case ECHO_REPLY: 1775 if (cp->proto != PPP_LCP) 1776 goto illegal; 1777 if (h->ident != sp->lcp.echoid) { 1778 IFNET_STAT_INC(ifp, ierrors, 1); 1779 break; 1780 } 1781 if (len < 8) { 1782 if (debug) 1783 log(-1, SPP_FMT "lcp invalid echo reply " 1784 "packet length: %d bytes\n", 1785 SPP_ARGS(ifp), len); 1786 break; 1787 } 1788 if (debug) 1789 log(-1, SPP_FMT "lcp got echo rep\n", 1790 SPP_ARGS(ifp)); 1791 if (!(sp->lcp.opts & (1 << LCP_OPT_MAGIC)) || 1792 ntohl (*(long*)(h+1)) != sp->lcp.magic) 1793 sp->pp_alivecnt = 0; 1794 break; 1795 default: 1796 /* Unknown packet type -- send Code-Reject packet. */ 1797 illegal: 1798 if (debug) 1799 log(-1, SPP_FMT "%s send code-rej for 0x%x\n", 1800 SPP_ARGS(ifp), cp->name, h->type); 1801 sppp_cp_send(sp, cp->proto, CODE_REJ, 1802 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1803 IFNET_STAT_INC(ifp, ierrors, 1); 1804 } 1805 } 1806 1807 1808 /* 1809 * The generic part of all Up/Down/Open/Close/TO event handlers. 1810 * Basically, the state transition handling in the automaton. 1811 */ 1812 static void 1813 sppp_up_event(const struct cp *cp, struct sppp *sp) 1814 { 1815 STDDCL; 1816 1817 if (debug) 1818 log(LOG_DEBUG, SPP_FMT "%s up(%s)\n", 1819 SPP_ARGS(ifp), cp->name, 1820 sppp_state_name(sp->state[cp->protoidx])); 1821 1822 switch (sp->state[cp->protoidx]) { 1823 case STATE_INITIAL: 1824 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1825 break; 1826 case STATE_STARTING: 1827 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1828 (cp->scr)(sp); 1829 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1830 break; 1831 default: 1832 kprintf(SPP_FMT "%s illegal up in state %s\n", 1833 SPP_ARGS(ifp), cp->name, 1834 sppp_state_name(sp->state[cp->protoidx])); 1835 } 1836 } 1837 1838 static void 1839 sppp_down_event(const struct cp *cp, struct sppp *sp) 1840 { 1841 STDDCL; 1842 1843 if (debug) 1844 log(LOG_DEBUG, SPP_FMT "%s down(%s)\n", 1845 SPP_ARGS(ifp), cp->name, 1846 sppp_state_name(sp->state[cp->protoidx])); 1847 1848 switch (sp->state[cp->protoidx]) { 1849 case STATE_CLOSED: 1850 case STATE_CLOSING: 1851 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1852 break; 1853 case STATE_STOPPED: 1854 sppp_cp_change_state(cp, sp, STATE_STARTING); 1855 (cp->tls)(sp); 1856 break; 1857 case STATE_STOPPING: 1858 case STATE_REQ_SENT: 1859 case STATE_ACK_RCVD: 1860 case STATE_ACK_SENT: 1861 sppp_cp_change_state(cp, sp, STATE_STARTING); 1862 break; 1863 case STATE_OPENED: 1864 (cp->tld)(sp); 1865 sppp_cp_change_state(cp, sp, STATE_STARTING); 1866 break; 1867 default: 1868 kprintf(SPP_FMT "%s illegal down in state %s\n", 1869 SPP_ARGS(ifp), cp->name, 1870 sppp_state_name(sp->state[cp->protoidx])); 1871 } 1872 } 1873 1874 1875 static void 1876 sppp_open_event(const struct cp *cp, struct sppp *sp) 1877 { 1878 STDDCL; 1879 1880 if (debug) 1881 log(LOG_DEBUG, SPP_FMT "%s open(%s)\n", 1882 SPP_ARGS(ifp), cp->name, 1883 sppp_state_name(sp->state[cp->protoidx])); 1884 1885 switch (sp->state[cp->protoidx]) { 1886 case STATE_INITIAL: 1887 sppp_cp_change_state(cp, sp, STATE_STARTING); 1888 (cp->tls)(sp); 1889 break; 1890 case STATE_STARTING: 1891 break; 1892 case STATE_CLOSED: 1893 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1894 (cp->scr)(sp); 1895 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1896 break; 1897 case STATE_STOPPED: 1898 /* 1899 * Try escaping stopped state. This seems to bite 1900 * people occasionally, in particular for IPCP, 1901 * presumably following previous IPCP negotiation 1902 * aborts. Somehow, we must have missed a Down event 1903 * which would have caused a transition into starting 1904 * state, so as a bandaid we force the Down event now. 1905 * This effectively implements (something like the) 1906 * `restart' option mentioned in the state transition 1907 * table of RFC 1661. 1908 */ 1909 sppp_cp_change_state(cp, sp, STATE_STARTING); 1910 (cp->tls)(sp); 1911 break; 1912 case STATE_STOPPING: 1913 case STATE_REQ_SENT: 1914 case STATE_ACK_RCVD: 1915 case STATE_ACK_SENT: 1916 case STATE_OPENED: 1917 break; 1918 case STATE_CLOSING: 1919 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1920 break; 1921 } 1922 } 1923 1924 1925 static void 1926 sppp_close_event(const struct cp *cp, struct sppp *sp) 1927 { 1928 STDDCL; 1929 1930 if (debug) 1931 log(LOG_DEBUG, SPP_FMT "%s close(%s)\n", 1932 SPP_ARGS(ifp), cp->name, 1933 sppp_state_name(sp->state[cp->protoidx])); 1934 1935 switch (sp->state[cp->protoidx]) { 1936 case STATE_INITIAL: 1937 case STATE_CLOSED: 1938 case STATE_CLOSING: 1939 break; 1940 case STATE_STARTING: 1941 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1942 (cp->tlf)(sp); 1943 break; 1944 case STATE_STOPPED: 1945 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1946 break; 1947 case STATE_STOPPING: 1948 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1949 break; 1950 case STATE_OPENED: 1951 (cp->tld)(sp); 1952 /* fall through */ 1953 case STATE_REQ_SENT: 1954 case STATE_ACK_RCVD: 1955 case STATE_ACK_SENT: 1956 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 1957 sppp_cp_send(sp, cp->proto, TERM_REQ, 1958 ++sp->pp_seq[cp->protoidx], 0, 0); 1959 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1960 break; 1961 } 1962 } 1963 1964 static void 1965 sppp_to_event(const struct cp *cp, struct sppp *sp) 1966 { 1967 STDDCL; 1968 1969 crit_enter(); 1970 1971 if (debug) 1972 log(LOG_DEBUG, SPP_FMT "%s TO(%s) rst_counter = %d\n", 1973 SPP_ARGS(ifp), cp->name, 1974 sppp_state_name(sp->state[cp->protoidx]), 1975 sp->rst_counter[cp->protoidx]); 1976 1977 if (--sp->rst_counter[cp->protoidx] < 0) 1978 /* TO- event */ 1979 switch (sp->state[cp->protoidx]) { 1980 case STATE_CLOSING: 1981 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1982 (cp->tlf)(sp); 1983 break; 1984 case STATE_STOPPING: 1985 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1986 (cp->tlf)(sp); 1987 break; 1988 case STATE_REQ_SENT: 1989 case STATE_ACK_RCVD: 1990 case STATE_ACK_SENT: 1991 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1992 (cp->tlf)(sp); 1993 break; 1994 } 1995 else 1996 /* TO+ event */ 1997 switch (sp->state[cp->protoidx]) { 1998 case STATE_CLOSING: 1999 case STATE_STOPPING: 2000 sppp_cp_send(sp, cp->proto, TERM_REQ, 2001 ++sp->pp_seq[cp->protoidx], 0, 0); 2002 callout_reset(&sp->timeout[cp->protoidx], 2003 sp->lcp.timeout, cp->TO, sp); 2004 break; 2005 case STATE_REQ_SENT: 2006 case STATE_ACK_RCVD: 2007 (cp->scr)(sp); 2008 /* sppp_cp_change_state() will restart the timer */ 2009 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2010 break; 2011 case STATE_ACK_SENT: 2012 (cp->scr)(sp); 2013 callout_reset(&sp->timeout[cp->protoidx], 2014 sp->lcp.timeout, cp->TO, sp); 2015 break; 2016 } 2017 2018 crit_exit(); 2019 } 2020 2021 /* 2022 * Change the state of a control protocol in the state automaton. 2023 * Takes care of starting/stopping the restart timer. 2024 */ 2025 static void 2026 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2027 { 2028 sp->state[cp->protoidx] = newstate; 2029 callout_stop(&sp->timeout[cp->protoidx]); 2030 2031 switch (newstate) { 2032 case STATE_INITIAL: 2033 case STATE_STARTING: 2034 case STATE_CLOSED: 2035 case STATE_STOPPED: 2036 case STATE_OPENED: 2037 break; 2038 case STATE_CLOSING: 2039 case STATE_STOPPING: 2040 case STATE_REQ_SENT: 2041 case STATE_ACK_RCVD: 2042 case STATE_ACK_SENT: 2043 callout_reset(&sp->timeout[cp->protoidx], 2044 sp->lcp.timeout, cp->TO, sp); 2045 break; 2046 } 2047 } 2048 2049 /* 2050 *--------------------------------------------------------------------------* 2051 * * 2052 * The LCP implementation. * 2053 * * 2054 *--------------------------------------------------------------------------* 2055 */ 2056 static void 2057 sppp_lcp_init(struct sppp *sp) 2058 { 2059 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2060 sp->lcp.magic = 0; 2061 sp->state[IDX_LCP] = STATE_INITIAL; 2062 sp->fail_counter[IDX_LCP] = 0; 2063 sp->pp_seq[IDX_LCP] = 0; 2064 sp->pp_rseq[IDX_LCP] = 0; 2065 sp->lcp.protos = 0; 2066 sp->lcp.mru = sp->lcp.their_mru = PP_MTU; 2067 2068 /* Note that these values are relevant for all control protocols */ 2069 sp->lcp.timeout = 3 * hz; 2070 sp->lcp.max_terminate = 2; 2071 sp->lcp.max_configure = 10; 2072 sp->lcp.max_failure = 10; 2073 callout_init(&sp->timeout[IDX_LCP]); 2074 } 2075 2076 static void 2077 sppp_lcp_up(struct sppp *sp) 2078 { 2079 STDDCL; 2080 2081 sp->pp_alivecnt = 0; 2082 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2083 sp->lcp.magic = 0; 2084 sp->lcp.protos = 0; 2085 sp->lcp.mru = sp->lcp.their_mru = PP_MTU; 2086 /* 2087 * If this interface is passive or dial-on-demand, and we are 2088 * still in Initial state, it means we've got an incoming 2089 * call. Activate the interface. 2090 */ 2091 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2092 if (debug) 2093 log(LOG_DEBUG, 2094 SPP_FMT "Up event", SPP_ARGS(ifp)); 2095 ifp->if_flags |= IFF_RUNNING; 2096 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2097 if (debug) 2098 log(-1, "(incoming call)\n"); 2099 sp->pp_flags |= PP_CALLIN; 2100 lcp.Open(sp); 2101 } else if (debug) 2102 log(-1, "\n"); 2103 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2104 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2105 ifp->if_flags |= IFF_RUNNING; 2106 lcp.Open(sp); 2107 } 2108 2109 sppp_up_event(&lcp, sp); 2110 } 2111 2112 static void 2113 sppp_lcp_down(struct sppp *sp) 2114 { 2115 STDDCL; 2116 2117 sppp_down_event(&lcp, sp); 2118 2119 /* 2120 * If this is neither a dial-on-demand nor a passive 2121 * interface, simulate an ``ifconfig down'' action, so the 2122 * administrator can force a redial by another ``ifconfig 2123 * up''. XXX For leased line operation, should we immediately 2124 * try to reopen the connection here? 2125 */ 2126 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2127 log(LOG_INFO, 2128 SPP_FMT "Down event, taking interface down.\n", 2129 SPP_ARGS(ifp)); 2130 if_down(ifp); 2131 } else { 2132 if (debug) 2133 log(LOG_DEBUG, 2134 SPP_FMT "Down event (carrier loss)\n", 2135 SPP_ARGS(ifp)); 2136 sp->pp_flags &= ~PP_CALLIN; 2137 if (sp->state[IDX_LCP] != STATE_INITIAL) 2138 lcp.Close(sp); 2139 ifp->if_flags &= ~IFF_RUNNING; 2140 } 2141 } 2142 2143 static void 2144 sppp_lcp_open(struct sppp *sp) 2145 { 2146 /* 2147 * If we are authenticator, negotiate LCP_AUTH 2148 */ 2149 if (sp->hisauth.proto != 0) 2150 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2151 else 2152 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2153 sp->pp_flags &= ~PP_NEEDAUTH; 2154 sppp_open_event(&lcp, sp); 2155 } 2156 2157 static void 2158 sppp_lcp_close(struct sppp *sp) 2159 { 2160 sppp_close_event(&lcp, sp); 2161 } 2162 2163 static void 2164 sppp_lcp_TO(void *cookie) 2165 { 2166 sppp_to_event(&lcp, (struct sppp *)cookie); 2167 } 2168 2169 /* 2170 * Analyze a configure request. Return true if it was agreeable, and 2171 * caused action sca, false if it has been rejected or nak'ed, and 2172 * caused action scn. (The return value is used to make the state 2173 * transition decision in the state automaton.) 2174 */ 2175 static int 2176 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2177 { 2178 STDDCL; 2179 u_char *buf, *r, *p; 2180 int origlen, rlen; 2181 u_long nmagic; 2182 u_short authproto; 2183 2184 len -= 4; 2185 origlen = len; 2186 buf = r = kmalloc (len, M_TEMP, M_INTWAIT); 2187 2188 if (debug) 2189 log(LOG_DEBUG, SPP_FMT "lcp parse opts: ", 2190 SPP_ARGS(ifp)); 2191 2192 /* pass 1: check for things that need to be rejected */ 2193 p = (void*) (h+1); 2194 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2195 /* Sanity check option length */ 2196 if (p[1] > len) { 2197 /* Malicious option - drop immediately. 2198 * XXX Maybe we should just RXJ it? 2199 */ 2200 log(-1, "%s: received malicious LCP option 0x%02x, " 2201 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2202 p[0], p[1], len); 2203 goto drop; 2204 } 2205 if (debug) 2206 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2207 switch (*p) { 2208 case LCP_OPT_MAGIC: 2209 /* Magic number. */ 2210 if (len >= 6 && p[1] == 6) 2211 continue; 2212 if (debug) 2213 log(-1, "[invalid] "); 2214 break; 2215 case LCP_OPT_ASYNC_MAP: 2216 /* Async control character map. */ 2217 if (len >= 6 && p[1] == 6) 2218 continue; 2219 if (debug) 2220 log(-1, "[invalid] "); 2221 break; 2222 case LCP_OPT_MRU: 2223 /* Maximum receive unit. */ 2224 if (len >= 4 && p[1] == 4) 2225 continue; 2226 if (debug) 2227 log(-1, "[invalid] "); 2228 break; 2229 case LCP_OPT_AUTH_PROTO: 2230 if (len < 4) { 2231 if (debug) 2232 log(-1, "[invalid] "); 2233 break; 2234 } 2235 authproto = (p[2] << 8) + p[3]; 2236 if (authproto == PPP_CHAP && p[1] != 5) { 2237 if (debug) 2238 log(-1, "[invalid chap len] "); 2239 break; 2240 } 2241 if (sp->myauth.proto == 0) { 2242 /* we are not configured to do auth */ 2243 if (debug) 2244 log(-1, "[not configured] "); 2245 break; 2246 } 2247 /* 2248 * Remote want us to authenticate, remember this, 2249 * so we stay in PHASE_AUTHENTICATE after LCP got 2250 * up. 2251 */ 2252 sp->pp_flags |= PP_NEEDAUTH; 2253 continue; 2254 default: 2255 /* Others not supported. */ 2256 if (debug) 2257 log(-1, "[rej] "); 2258 break; 2259 } 2260 /* Add the option to rejected list. */ 2261 bcopy (p, r, p[1]); 2262 r += p[1]; 2263 rlen += p[1]; 2264 } 2265 if (rlen) { 2266 if (debug) 2267 log(-1, " send conf-rej\n"); 2268 sppp_cp_send (sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2269 return 0; 2270 } else if (debug) 2271 log(-1, "\n"); 2272 2273 /* 2274 * pass 2: check for option values that are unacceptable and 2275 * thus require to be nak'ed. 2276 */ 2277 if (debug) 2278 log(LOG_DEBUG, SPP_FMT "lcp parse opt values: ", 2279 SPP_ARGS(ifp)); 2280 2281 p = (void*) (h+1); 2282 len = origlen; 2283 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2284 if (debug) 2285 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2286 switch (*p) { 2287 case LCP_OPT_MAGIC: 2288 /* Magic number -- extract. */ 2289 nmagic = (u_long)p[2] << 24 | 2290 (u_long)p[3] << 16 | p[4] << 8 | p[5]; 2291 if (nmagic != sp->lcp.magic) { 2292 sp->pp_loopcnt = 0; 2293 if (debug) 2294 log(-1, "0x%lx ", nmagic); 2295 continue; 2296 } 2297 if (debug && sp->pp_loopcnt < MAXALIVECNT*5) 2298 log(-1, "[glitch] "); 2299 ++sp->pp_loopcnt; 2300 /* 2301 * We negate our magic here, and NAK it. If 2302 * we see it later in an NAK packet, we 2303 * suggest a new one. 2304 */ 2305 nmagic = ~sp->lcp.magic; 2306 /* Gonna NAK it. */ 2307 p[2] = nmagic >> 24; 2308 p[3] = nmagic >> 16; 2309 p[4] = nmagic >> 8; 2310 p[5] = nmagic; 2311 break; 2312 2313 case LCP_OPT_ASYNC_MAP: 2314 /* 2315 * Async control character map -- just ignore it. 2316 * 2317 * Quote from RFC 1662, chapter 6: 2318 * To enable this functionality, synchronous PPP 2319 * implementations MUST always respond to the 2320 * Async-Control-Character-Map Configuration 2321 * Option with the LCP Configure-Ack. However, 2322 * acceptance of the Configuration Option does 2323 * not imply that the synchronous implementation 2324 * will do any ACCM mapping. Instead, all such 2325 * octet mapping will be performed by the 2326 * asynchronous-to-synchronous converter. 2327 */ 2328 continue; 2329 2330 case LCP_OPT_MRU: 2331 /* 2332 * Maximum receive unit. Always agreeable, 2333 * but ignored by now. 2334 */ 2335 sp->lcp.their_mru = p[2] * 256 + p[3]; 2336 if (debug) 2337 log(-1, "%lu ", sp->lcp.their_mru); 2338 continue; 2339 2340 case LCP_OPT_AUTH_PROTO: 2341 authproto = (p[2] << 8) + p[3]; 2342 if (sp->myauth.proto != authproto) { 2343 /* not agreed, nak */ 2344 if (debug) 2345 log(-1, "[mine %s != his %s] ", 2346 sppp_proto_name(sp->hisauth.proto), 2347 sppp_proto_name(authproto)); 2348 p[2] = sp->myauth.proto >> 8; 2349 p[3] = sp->myauth.proto; 2350 break; 2351 } 2352 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2353 if (debug) 2354 log(-1, "[chap not MD5] "); 2355 p[4] = CHAP_MD5; 2356 break; 2357 } 2358 continue; 2359 } 2360 /* Add the option to nak'ed list. */ 2361 bcopy (p, r, p[1]); 2362 r += p[1]; 2363 rlen += p[1]; 2364 } 2365 if (rlen) { 2366 /* 2367 * Local and remote magics equal -- loopback? 2368 */ 2369 if (sp->pp_loopcnt >= MAXALIVECNT*5) { 2370 if (sp->pp_loopcnt == MAXALIVECNT*5) 2371 kprintf (SPP_FMT "loopback\n", 2372 SPP_ARGS(ifp)); 2373 if (ifp->if_flags & IFF_UP) { 2374 if_down(ifp); 2375 IF_DRAIN(&sp->pp_cpq); 2376 /* XXX ? */ 2377 lcp.Down(sp); 2378 lcp.Up(sp); 2379 } 2380 } else if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2381 if (debug) 2382 log(-1, " max_failure (%d) exceeded, " 2383 "send conf-rej\n", 2384 sp->lcp.max_failure); 2385 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2386 } else { 2387 if (debug) 2388 log(-1, " send conf-nak\n"); 2389 sppp_cp_send (sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2390 } 2391 } else { 2392 if (debug) 2393 log(-1, " send conf-ack\n"); 2394 sp->fail_counter[IDX_LCP] = 0; 2395 sp->pp_loopcnt = 0; 2396 sppp_cp_send (sp, PPP_LCP, CONF_ACK, 2397 h->ident, origlen, h+1); 2398 } 2399 2400 kfree (buf, M_TEMP); 2401 return (rlen == 0); 2402 2403 drop: 2404 kfree(buf, M_TEMP); 2405 return (-1); 2406 } 2407 2408 /* 2409 * Analyze the LCP Configure-Reject option list, and adjust our 2410 * negotiation. 2411 */ 2412 static void 2413 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2414 { 2415 STDDCL; 2416 u_char *buf, *p; 2417 2418 len -= 4; 2419 buf = kmalloc (len, M_TEMP, M_INTWAIT); 2420 2421 if (debug) 2422 log(LOG_DEBUG, SPP_FMT "lcp rej opts: ", 2423 SPP_ARGS(ifp)); 2424 2425 p = (void*) (h+1); 2426 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2427 /* Sanity check option length */ 2428 if (p[1] > len) { 2429 /* 2430 * Malicious option - drop immediately. 2431 * XXX Maybe we should just RXJ it? 2432 */ 2433 log(-1, "%s: received malicious LCP option, " 2434 "dropping.\n", ifp->if_xname); 2435 goto drop; 2436 } 2437 if (debug) 2438 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2439 switch (*p) { 2440 case LCP_OPT_MAGIC: 2441 /* Magic number -- can't use it, use 0 */ 2442 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2443 sp->lcp.magic = 0; 2444 break; 2445 case LCP_OPT_MRU: 2446 /* 2447 * Should not be rejected anyway, since we only 2448 * negotiate a MRU if explicitly requested by 2449 * peer. 2450 */ 2451 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2452 break; 2453 case LCP_OPT_AUTH_PROTO: 2454 /* 2455 * Peer doesn't want to authenticate himself, 2456 * deny unless this is a dialout call, and 2457 * AUTHFLAG_NOCALLOUT is set. 2458 */ 2459 if ((sp->pp_flags & PP_CALLIN) == 0 && 2460 (sp->hisauth.flags & AUTHFLAG_NOCALLOUT) != 0) { 2461 if (debug) 2462 log(-1, "[don't insist on auth " 2463 "for callout]"); 2464 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2465 break; 2466 } 2467 if (debug) 2468 log(-1, "[access denied]\n"); 2469 lcp.Close(sp); 2470 break; 2471 } 2472 } 2473 if (debug) 2474 log(-1, "\n"); 2475 drop: 2476 kfree (buf, M_TEMP); 2477 return; 2478 } 2479 2480 /* 2481 * Analyze the LCP Configure-NAK option list, and adjust our 2482 * negotiation. 2483 */ 2484 static void 2485 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2486 { 2487 STDDCL; 2488 u_char *buf, *p; 2489 u_long magic; 2490 2491 len -= 4; 2492 buf = kmalloc (len, M_TEMP, M_INTWAIT); 2493 2494 if (debug) 2495 log(LOG_DEBUG, SPP_FMT "lcp nak opts: ", 2496 SPP_ARGS(ifp)); 2497 2498 p = (void*) (h+1); 2499 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2500 /* Sanity check option length */ 2501 if (p[1] > len) { 2502 /* 2503 * Malicious option - drop immediately. 2504 * XXX Maybe we should just RXJ it? 2505 */ 2506 log(-1, "%s: received malicious LCP option, " 2507 "dropping.\n", ifp->if_xname); 2508 goto drop; 2509 } 2510 if (debug) 2511 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2512 switch (*p) { 2513 case LCP_OPT_MAGIC: 2514 /* Magic number -- renegotiate */ 2515 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2516 len >= 6 && p[1] == 6) { 2517 magic = (u_long)p[2] << 24 | 2518 (u_long)p[3] << 16 | p[4] << 8 | p[5]; 2519 /* 2520 * If the remote magic is our negated one, 2521 * this looks like a loopback problem. 2522 * Suggest a new magic to make sure. 2523 */ 2524 if (magic == ~sp->lcp.magic) { 2525 if (debug) 2526 log(-1, "magic glitch "); 2527 sp->lcp.magic = krandom(); 2528 } else { 2529 sp->lcp.magic = magic; 2530 if (debug) 2531 log(-1, "%lu ", magic); 2532 } 2533 } 2534 break; 2535 case LCP_OPT_MRU: 2536 /* 2537 * Peer wants to advise us to negotiate an MRU. 2538 * Agree on it if it's reasonable, or use 2539 * default otherwise. 2540 */ 2541 if (len >= 4 && p[1] == 4) { 2542 u_int mru = p[2] * 256 + p[3]; 2543 if (debug) 2544 log(-1, "%d ", mru); 2545 if (mru < PP_MTU || mru > PP_MAX_MRU) 2546 mru = PP_MTU; 2547 sp->lcp.mru = mru; 2548 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2549 } 2550 break; 2551 case LCP_OPT_AUTH_PROTO: 2552 /* 2553 * Peer doesn't like our authentication method, 2554 * deny. 2555 */ 2556 if (debug) 2557 log(-1, "[access denied]\n"); 2558 lcp.Close(sp); 2559 break; 2560 } 2561 } 2562 if (debug) 2563 log(-1, "\n"); 2564 drop: 2565 kfree (buf, M_TEMP); 2566 return; 2567 } 2568 2569 static void 2570 sppp_lcp_tlu(struct sppp *sp) 2571 { 2572 STDDCL; 2573 int i; 2574 u_long mask; 2575 2576 /* XXX ? */ 2577 if (! (ifp->if_flags & IFF_UP) && 2578 (ifp->if_flags & IFF_RUNNING)) { 2579 /* Coming out of loopback mode. */ 2580 if_up(ifp); 2581 kprintf (SPP_FMT "up\n", SPP_ARGS(ifp)); 2582 } 2583 2584 for (i = 0; i < IDX_COUNT; i++) 2585 if ((cps[i])->flags & CP_QUAL) 2586 (cps[i])->Open(sp); 2587 2588 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2589 (sp->pp_flags & PP_NEEDAUTH) != 0) 2590 sp->pp_phase = PHASE_AUTHENTICATE; 2591 else 2592 sp->pp_phase = PHASE_NETWORK; 2593 2594 if (debug) 2595 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2596 sppp_phase_name(sp->pp_phase)); 2597 2598 /* 2599 * Open all authentication protocols. This is even required 2600 * if we already proceeded to network phase, since it might be 2601 * that remote wants us to authenticate, so we might have to 2602 * send a PAP request. Undesired authentication protocols 2603 * don't do anything when they get an Open event. 2604 */ 2605 for (i = 0; i < IDX_COUNT; i++) 2606 if ((cps[i])->flags & CP_AUTH) 2607 (cps[i])->Open(sp); 2608 2609 if (sp->pp_phase == PHASE_NETWORK) { 2610 /* Notify all NCPs. */ 2611 for (i = 0; i < IDX_COUNT; i++) 2612 if (((cps[i])->flags & CP_NCP) && 2613 /* 2614 * XXX 2615 * Hack to administratively disable IPv6 if 2616 * not desired. Perhaps we should have another 2617 * flag for this, but right now, we can make 2618 * all struct cp's read/only. 2619 */ 2620 (cps[i] != &ipv6cp || 2621 (sp->confflags & CONF_ENABLE_IPV6))) 2622 (cps[i])->Open(sp); 2623 } 2624 2625 /* Send Up events to all started protos. */ 2626 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2627 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) 2628 (cps[i])->Up(sp); 2629 2630 /* notify low-level driver of state change */ 2631 if (sp->pp_chg) 2632 sp->pp_chg(sp, (int)sp->pp_phase); 2633 2634 if (sp->pp_phase == PHASE_NETWORK) 2635 /* if no NCP is starting, close down */ 2636 sppp_lcp_check_and_close(sp); 2637 } 2638 2639 static void 2640 sppp_lcp_tld(struct sppp *sp) 2641 { 2642 STDDCL; 2643 int i; 2644 u_long mask; 2645 2646 sp->pp_phase = PHASE_TERMINATE; 2647 2648 if (debug) 2649 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2650 sppp_phase_name(sp->pp_phase)); 2651 2652 /* 2653 * Take upper layers down. We send the Down event first and 2654 * the Close second to prevent the upper layers from sending 2655 * ``a flurry of terminate-request packets'', as the RFC 2656 * describes it. 2657 */ 2658 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2659 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2660 (cps[i])->Down(sp); 2661 (cps[i])->Close(sp); 2662 } 2663 } 2664 2665 static void 2666 sppp_lcp_tls(struct sppp *sp) 2667 { 2668 STDDCL; 2669 2670 sp->pp_phase = PHASE_ESTABLISH; 2671 2672 if (debug) 2673 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2674 sppp_phase_name(sp->pp_phase)); 2675 2676 /* Notify lower layer if desired. */ 2677 if (sp->pp_tls) 2678 (sp->pp_tls)(sp); 2679 else 2680 (sp->pp_up)(sp); 2681 } 2682 2683 static void 2684 sppp_lcp_tlf(struct sppp *sp) 2685 { 2686 STDDCL; 2687 2688 sp->pp_phase = PHASE_DEAD; 2689 if (debug) 2690 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2691 sppp_phase_name(sp->pp_phase)); 2692 2693 /* Notify lower layer if desired. */ 2694 if (sp->pp_tlf) 2695 (sp->pp_tlf)(sp); 2696 else 2697 (sp->pp_down)(sp); 2698 } 2699 2700 static void 2701 sppp_lcp_scr(struct sppp *sp) 2702 { 2703 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2704 int i = 0; 2705 u_short authproto; 2706 2707 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2708 if (! sp->lcp.magic) 2709 sp->lcp.magic = krandom(); 2710 opt[i++] = LCP_OPT_MAGIC; 2711 opt[i++] = 6; 2712 opt[i++] = sp->lcp.magic >> 24; 2713 opt[i++] = sp->lcp.magic >> 16; 2714 opt[i++] = sp->lcp.magic >> 8; 2715 opt[i++] = sp->lcp.magic; 2716 } 2717 2718 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2719 opt[i++] = LCP_OPT_MRU; 2720 opt[i++] = 4; 2721 opt[i++] = sp->lcp.mru >> 8; 2722 opt[i++] = sp->lcp.mru; 2723 } 2724 2725 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2726 authproto = sp->hisauth.proto; 2727 opt[i++] = LCP_OPT_AUTH_PROTO; 2728 opt[i++] = authproto == PPP_CHAP? 5: 4; 2729 opt[i++] = authproto >> 8; 2730 opt[i++] = authproto; 2731 if (authproto == PPP_CHAP) 2732 opt[i++] = CHAP_MD5; 2733 } 2734 2735 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2736 sppp_cp_send (sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2737 } 2738 2739 /* 2740 * Check the open NCPs, return true if at least one NCP is open. 2741 */ 2742 static int 2743 sppp_ncp_check(struct sppp *sp) 2744 { 2745 int i, mask; 2746 2747 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2748 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2749 return 1; 2750 return 0; 2751 } 2752 2753 /* 2754 * Re-check the open NCPs and see if we should terminate the link. 2755 * Called by the NCPs during their tlf action handling. 2756 */ 2757 static void 2758 sppp_lcp_check_and_close(struct sppp *sp) 2759 { 2760 2761 if (sp->pp_phase < PHASE_NETWORK) 2762 /* don't bother, we are already going down */ 2763 return; 2764 2765 if (sppp_ncp_check(sp)) 2766 return; 2767 2768 lcp.Close(sp); 2769 } 2770 2771 /* 2772 *--------------------------------------------------------------------------* 2773 * * 2774 * The IPCP implementation. * 2775 * * 2776 *--------------------------------------------------------------------------* 2777 */ 2778 2779 static void 2780 sppp_ipcp_init(struct sppp *sp) 2781 { 2782 sp->ipcp.opts = 0; 2783 sp->ipcp.flags = 0; 2784 sp->state[IDX_IPCP] = STATE_INITIAL; 2785 sp->fail_counter[IDX_IPCP] = 0; 2786 sp->pp_seq[IDX_IPCP] = 0; 2787 sp->pp_rseq[IDX_IPCP] = 0; 2788 callout_init(&sp->timeout[IDX_IPCP]); 2789 } 2790 2791 static void 2792 sppp_ipcp_up(struct sppp *sp) 2793 { 2794 sppp_up_event(&ipcp, sp); 2795 } 2796 2797 static void 2798 sppp_ipcp_down(struct sppp *sp) 2799 { 2800 sppp_down_event(&ipcp, sp); 2801 } 2802 2803 static void 2804 sppp_ipcp_open(struct sppp *sp) 2805 { 2806 STDDCL; 2807 u_long myaddr, hisaddr; 2808 2809 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN | IPCP_MYADDR_SEEN | 2810 IPCP_MYADDR_DYN | IPCP_VJ); 2811 sp->ipcp.opts = 0; 2812 2813 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 2814 /* 2815 * If we don't have his address, this probably means our 2816 * interface doesn't want to talk IP at all. (This could 2817 * be the case if somebody wants to speak only IPX, for 2818 * example.) Don't open IPCP in this case. 2819 */ 2820 if (hisaddr == 0L) { 2821 /* XXX this message should go away */ 2822 if (debug) 2823 log(LOG_DEBUG, SPP_FMT "ipcp_open(): no IP interface\n", 2824 SPP_ARGS(ifp)); 2825 return; 2826 } 2827 if (myaddr == 0L) { 2828 /* 2829 * I don't have an assigned address, so i need to 2830 * negotiate my address. 2831 */ 2832 sp->ipcp.flags |= IPCP_MYADDR_DYN; 2833 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 2834 } else 2835 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 2836 if (sp->confflags & CONF_ENABLE_VJ) { 2837 sp->ipcp.opts |= (1 << IPCP_OPT_COMPRESSION); 2838 sp->ipcp.max_state = MAX_STATES - 1; 2839 sp->ipcp.compress_cid = 1; 2840 } 2841 sppp_open_event(&ipcp, sp); 2842 } 2843 2844 static void 2845 sppp_ipcp_close(struct sppp *sp) 2846 { 2847 sppp_close_event(&ipcp, sp); 2848 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 2849 /* 2850 * My address was dynamic, clear it again. 2851 */ 2852 sppp_set_ip_addr(sp, 0L); 2853 } 2854 2855 static void 2856 sppp_ipcp_TO(void *cookie) 2857 { 2858 sppp_to_event(&ipcp, (struct sppp *)cookie); 2859 } 2860 2861 /* 2862 * Analyze a configure request. Return true if it was agreeable, and 2863 * caused action sca, false if it has been rejected or nak'ed, and 2864 * caused action scn. (The return value is used to make the state 2865 * transition decision in the state automaton.) 2866 */ 2867 static int 2868 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2869 { 2870 u_char *buf, *r, *p; 2871 struct ifnet *ifp = &sp->pp_if; 2872 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 2873 u_long hisaddr, desiredaddr; 2874 int gotmyaddr = 0; 2875 int desiredcomp; 2876 2877 len -= 4; 2878 origlen = len; 2879 /* 2880 * Make sure to allocate a buf that can at least hold a 2881 * conf-nak with an `address' option. We might need it below. 2882 */ 2883 buf = r = kmalloc ((len < 6? 6: len), M_TEMP, M_INTWAIT); 2884 2885 /* pass 1: see if we can recognize them */ 2886 if (debug) 2887 log(LOG_DEBUG, SPP_FMT "ipcp parse opts: ", 2888 SPP_ARGS(ifp)); 2889 p = (void*) (h+1); 2890 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2891 /* Sanity check option length */ 2892 if (p[1] > len) { 2893 /* XXX should we just RXJ? */ 2894 log(-1, "%s: malicious IPCP option received, dropping\n", 2895 ifp->if_xname); 2896 goto drop; 2897 } 2898 if (debug) 2899 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 2900 switch (*p) { 2901 case IPCP_OPT_COMPRESSION: 2902 if (!(sp->confflags & CONF_ENABLE_VJ)) { 2903 /* VJ compression administratively disabled */ 2904 if (debug) 2905 log(-1, "[locally disabled] "); 2906 break; 2907 } 2908 /* 2909 * In theory, we should only conf-rej an 2910 * option that is shorter than RFC 1618 2911 * requires (i.e. < 4), and should conf-nak 2912 * anything else that is not VJ. However, 2913 * since our algorithm always uses the 2914 * original option to NAK it with new values, 2915 * things would become more complicated. In 2916 * pratice, the only commonly implemented IP 2917 * compression option is VJ anyway, so the 2918 * difference is negligible. 2919 */ 2920 if (len >= 6 && p[1] == 6) { 2921 /* 2922 * correctly formed compression option 2923 * that could be VJ compression 2924 */ 2925 continue; 2926 } 2927 if (debug) 2928 log(-1, "optlen %d [invalid/unsupported] ", 2929 p[1]); 2930 break; 2931 case IPCP_OPT_ADDRESS: 2932 if (len >= 6 && p[1] == 6) { 2933 /* correctly formed address option */ 2934 continue; 2935 } 2936 if (debug) 2937 log(-1, "[invalid] "); 2938 break; 2939 default: 2940 /* Others not supported. */ 2941 if (debug) 2942 log(-1, "[rej] "); 2943 break; 2944 } 2945 /* Add the option to rejected list. */ 2946 bcopy (p, r, p[1]); 2947 r += p[1]; 2948 rlen += p[1]; 2949 } 2950 if (rlen) { 2951 if (debug) 2952 log(-1, " send conf-rej\n"); 2953 sppp_cp_send (sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 2954 return 0; 2955 } else if (debug) 2956 log(-1, "\n"); 2957 2958 /* pass 2: parse option values */ 2959 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); 2960 if (debug) 2961 log(LOG_DEBUG, SPP_FMT "ipcp parse opt values: ", 2962 SPP_ARGS(ifp)); 2963 p = (void*) (h+1); 2964 len = origlen; 2965 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2966 if (debug) 2967 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 2968 switch (*p) { 2969 case IPCP_OPT_COMPRESSION: 2970 desiredcomp = p[2] << 8 | p[3]; 2971 /* We only support VJ */ 2972 if (desiredcomp == IPCP_COMP_VJ) { 2973 if (debug) 2974 log(-1, "VJ [ack] "); 2975 sp->ipcp.flags |= IPCP_VJ; 2976 sl_compress_init(sp->pp_comp, p[4]); 2977 sp->ipcp.max_state = p[4]; 2978 sp->ipcp.compress_cid = p[5]; 2979 continue; 2980 } 2981 if (debug) 2982 log(-1, "compproto %#04x [not supported] ", 2983 desiredcomp); 2984 p[2] = IPCP_COMP_VJ >> 8; 2985 p[3] = IPCP_COMP_VJ; 2986 p[4] = sp->ipcp.max_state; 2987 p[5] = sp->ipcp.compress_cid; 2988 break; 2989 case IPCP_OPT_ADDRESS: 2990 /* This is the address he wants in his end */ 2991 desiredaddr = p[2] << 24 | p[3] << 16 | 2992 p[4] << 8 | p[5]; 2993 if (desiredaddr == hisaddr || 2994 (hisaddr >= 1 && hisaddr <= 254 && desiredaddr != 0)) { 2995 /* 2996 * Peer's address is same as our value, 2997 * or we have set it to 0.0.0.* to 2998 * indicate that we do not really care, 2999 * this is agreeable. Gonna conf-ack 3000 * it. 3001 */ 3002 if (debug) 3003 log(-1, "%s [ack] ", 3004 sppp_dotted_quad(hisaddr)); 3005 /* record that we've seen it already */ 3006 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 3007 continue; 3008 } 3009 /* 3010 * The address wasn't agreeable. This is either 3011 * he sent us 0.0.0.0, asking to assign him an 3012 * address, or he send us another address not 3013 * matching our value. Either case, we gonna 3014 * conf-nak it with our value. 3015 * XXX: we should "rej" if hisaddr == 0 3016 */ 3017 if (debug) { 3018 if (desiredaddr == 0) 3019 log(-1, "[addr requested] "); 3020 else 3021 log(-1, "%s [not agreed] ", 3022 sppp_dotted_quad(desiredaddr)); 3023 3024 } 3025 p[2] = hisaddr >> 24; 3026 p[3] = hisaddr >> 16; 3027 p[4] = hisaddr >> 8; 3028 p[5] = hisaddr; 3029 break; 3030 } 3031 /* Add the option to nak'ed list. */ 3032 bcopy (p, r, p[1]); 3033 r += p[1]; 3034 rlen += p[1]; 3035 } 3036 3037 /* 3038 * If we are about to conf-ack the request, but haven't seen 3039 * his address so far, gonna conf-nak it instead, with the 3040 * `address' option present and our idea of his address being 3041 * filled in there, to request negotiation of both addresses. 3042 * 3043 * XXX This can result in an endless req - nak loop if peer 3044 * doesn't want to send us his address. Q: What should we do 3045 * about it? XXX A: implement the max-failure counter. 3046 */ 3047 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN) && !gotmyaddr) { 3048 buf[0] = IPCP_OPT_ADDRESS; 3049 buf[1] = 6; 3050 buf[2] = hisaddr >> 24; 3051 buf[3] = hisaddr >> 16; 3052 buf[4] = hisaddr >> 8; 3053 buf[5] = hisaddr; 3054 rlen = 6; 3055 if (debug) 3056 log(-1, "still need hisaddr "); 3057 } 3058 3059 if (rlen) { 3060 if (debug) 3061 log(-1, " send conf-nak\n"); 3062 sppp_cp_send (sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3063 } else { 3064 if (debug) 3065 log(-1, " send conf-ack\n"); 3066 sppp_cp_send (sp, PPP_IPCP, CONF_ACK, 3067 h->ident, origlen, h+1); 3068 } 3069 3070 kfree (buf, M_TEMP); 3071 return (rlen == 0); 3072 3073 drop: 3074 kfree(buf, M_TEMP); 3075 return (-1); 3076 } 3077 3078 /* 3079 * Analyze the IPCP Configure-Reject option list, and adjust our 3080 * negotiation. 3081 */ 3082 static void 3083 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3084 { 3085 u_char *buf, *p; 3086 struct ifnet *ifp = &sp->pp_if; 3087 int debug = ifp->if_flags & IFF_DEBUG; 3088 3089 len -= 4; 3090 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3091 3092 if (debug) 3093 log(LOG_DEBUG, SPP_FMT "ipcp rej opts: ", 3094 SPP_ARGS(ifp)); 3095 3096 p = (void*) (h+1); 3097 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3098 /* Sanity check option length */ 3099 if (p[1] > len) { 3100 /* XXX should we just RXJ? */ 3101 log(-1, "%s: malicious IPCP option received, dropping\n", 3102 ifp->if_xname); 3103 goto drop; 3104 } 3105 if (debug) 3106 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3107 switch (*p) { 3108 case IPCP_OPT_COMPRESSION: 3109 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESSION); 3110 break; 3111 case IPCP_OPT_ADDRESS: 3112 /* 3113 * Peer doesn't grok address option. This is 3114 * bad. XXX Should we better give up here? 3115 * XXX We could try old "addresses" option... 3116 */ 3117 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3118 break; 3119 } 3120 } 3121 if (debug) 3122 log(-1, "\n"); 3123 drop: 3124 kfree (buf, M_TEMP); 3125 return; 3126 } 3127 3128 /* 3129 * Analyze the IPCP Configure-NAK option list, and adjust our 3130 * negotiation. 3131 */ 3132 static void 3133 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3134 { 3135 u_char *buf, *p; 3136 struct ifnet *ifp = &sp->pp_if; 3137 int debug = ifp->if_flags & IFF_DEBUG; 3138 int desiredcomp; 3139 u_long wantaddr; 3140 3141 len -= 4; 3142 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3143 3144 if (debug) 3145 log(LOG_DEBUG, SPP_FMT "ipcp nak opts: ", 3146 SPP_ARGS(ifp)); 3147 3148 p = (void*) (h+1); 3149 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3150 /* Sanity check option length */ 3151 if (p[1] > len) { 3152 /* XXX should we just RXJ? */ 3153 log(-1, "%s: malicious IPCP option received, dropping\n", 3154 ifp->if_xname); 3155 return; 3156 } 3157 if (debug) 3158 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3159 switch (*p) { 3160 case IPCP_OPT_COMPRESSION: 3161 if (len >= 6 && p[1] == 6) { 3162 desiredcomp = p[2] << 8 | p[3]; 3163 if (debug) 3164 log(-1, "[wantcomp %#04x] ", 3165 desiredcomp); 3166 if (desiredcomp == IPCP_COMP_VJ) { 3167 sl_compress_init(sp->pp_comp, p[4]); 3168 sp->ipcp.max_state = p[4]; 3169 sp->ipcp.compress_cid = p[5]; 3170 if (debug) 3171 log(-1, "[agree] "); 3172 } else 3173 sp->ipcp.opts &= 3174 ~(1 << IPCP_OPT_COMPRESSION); 3175 } 3176 break; 3177 case IPCP_OPT_ADDRESS: 3178 /* 3179 * Peer doesn't like our local IP address. See 3180 * if we can do something for him. We'll drop 3181 * him our address then. 3182 */ 3183 if (len >= 6 && p[1] == 6) { 3184 wantaddr = p[2] << 24 | p[3] << 16 | 3185 p[4] << 8 | p[5]; 3186 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3187 if (debug) 3188 log(-1, "[wantaddr %s] ", 3189 sppp_dotted_quad(wantaddr)); 3190 /* 3191 * When doing dynamic address assignment, 3192 * we accept his offer. Otherwise, we 3193 * ignore it and thus continue to negotiate 3194 * our already existing value. 3195 * XXX: Bogus, if he said no once, he'll 3196 * just say no again, might as well die. 3197 */ 3198 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3199 sppp_set_ip_addr(sp, wantaddr); 3200 if (debug) 3201 log(-1, "[agree] "); 3202 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3203 } 3204 } 3205 break; 3206 } 3207 } 3208 if (debug) 3209 log(-1, "\n"); 3210 kfree (buf, M_TEMP); 3211 return; 3212 } 3213 3214 static void 3215 sppp_ipcp_tlu(struct sppp *sp) 3216 { 3217 /* we are up - notify isdn daemon */ 3218 if (sp->pp_con) 3219 sp->pp_con(sp); 3220 } 3221 3222 static void 3223 sppp_ipcp_tld(struct sppp *sp) 3224 { 3225 } 3226 3227 static void 3228 sppp_ipcp_tls(struct sppp *sp) 3229 { 3230 /* indicate to LCP that it must stay alive */ 3231 sp->lcp.protos |= (1 << IDX_IPCP); 3232 } 3233 3234 static void 3235 sppp_ipcp_tlf(struct sppp *sp) 3236 { 3237 /* we no longer need LCP */ 3238 sp->lcp.protos &= ~(1 << IDX_IPCP); 3239 sppp_lcp_check_and_close(sp); 3240 } 3241 3242 static void 3243 sppp_ipcp_scr(struct sppp *sp) 3244 { 3245 char opt[6 /* compression */ + 6 /* address */]; 3246 u_long ouraddr; 3247 int i = 0; 3248 3249 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3250 opt[i++] = IPCP_OPT_COMPRESSION; 3251 opt[i++] = 6; 3252 opt[i++] = IPCP_COMP_VJ >> 8; 3253 opt[i++] = IPCP_COMP_VJ; 3254 opt[i++] = sp->ipcp.max_state; 3255 opt[i++] = sp->ipcp.compress_cid; 3256 } 3257 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3258 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3259 opt[i++] = IPCP_OPT_ADDRESS; 3260 opt[i++] = 6; 3261 opt[i++] = ouraddr >> 24; 3262 opt[i++] = ouraddr >> 16; 3263 opt[i++] = ouraddr >> 8; 3264 opt[i++] = ouraddr; 3265 } 3266 3267 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3268 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3269 } 3270 3271 /* 3272 *--------------------------------------------------------------------------* 3273 * * 3274 * The IPv6CP implementation. * 3275 * * 3276 *--------------------------------------------------------------------------* 3277 */ 3278 3279 #ifdef INET6 3280 static void 3281 sppp_ipv6cp_init(struct sppp *sp) 3282 { 3283 sp->ipv6cp.opts = 0; 3284 sp->ipv6cp.flags = 0; 3285 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3286 sp->fail_counter[IDX_IPV6CP] = 0; 3287 sp->pp_seq[IDX_IPV6CP] = 0; 3288 sp->pp_rseq[IDX_IPV6CP] = 0; 3289 callout_init(&sp->timeout[IDX_IPV6CP]); 3290 } 3291 3292 static void 3293 sppp_ipv6cp_up(struct sppp *sp) 3294 { 3295 sppp_up_event(&ipv6cp, sp); 3296 } 3297 3298 static void 3299 sppp_ipv6cp_down(struct sppp *sp) 3300 { 3301 sppp_down_event(&ipv6cp, sp); 3302 } 3303 3304 static void 3305 sppp_ipv6cp_open(struct sppp *sp) 3306 { 3307 STDDCL; 3308 struct in6_addr myaddr, hisaddr; 3309 3310 #ifdef IPV6CP_MYIFID_DYN 3311 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3312 #else 3313 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3314 #endif 3315 3316 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3317 /* 3318 * If we don't have our address, this probably means our 3319 * interface doesn't want to talk IPv6 at all. (This could 3320 * be the case if somebody wants to speak only IPX, for 3321 * example.) Don't open IPv6CP in this case. 3322 */ 3323 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3324 /* XXX this message should go away */ 3325 if (debug) 3326 log(LOG_DEBUG, SPP_FMT "ipv6cp_open(): no IPv6 interface\n", 3327 SPP_ARGS(ifp)); 3328 return; 3329 } 3330 3331 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3332 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3333 sppp_open_event(&ipv6cp, sp); 3334 } 3335 3336 static void 3337 sppp_ipv6cp_close(struct sppp *sp) 3338 { 3339 sppp_close_event(&ipv6cp, sp); 3340 } 3341 3342 static void 3343 sppp_ipv6cp_TO(void *cookie) 3344 { 3345 sppp_to_event(&ipv6cp, (struct sppp *)cookie); 3346 } 3347 3348 /* 3349 * Analyze a configure request. Return true if it was agreeable, and 3350 * caused action sca, false if it has been rejected or nak'ed, and 3351 * caused action scn. (The return value is used to make the state 3352 * transition decision in the state automaton.) 3353 */ 3354 static int 3355 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3356 { 3357 u_char *buf, *r, *p; 3358 struct ifnet *ifp = &sp->pp_if; 3359 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3360 struct in6_addr myaddr, desiredaddr, suggestaddr; 3361 int ifidcount; 3362 int type; 3363 int collision, nohisaddr; 3364 3365 len -= 4; 3366 origlen = len; 3367 /* 3368 * Make sure to allocate a buf that can at least hold a 3369 * conf-nak with an `address' option. We might need it below. 3370 */ 3371 buf = r = kmalloc ((len < 6? 6: len), M_TEMP, M_INTWAIT); 3372 3373 /* pass 1: see if we can recognize them */ 3374 if (debug) 3375 log(LOG_DEBUG, SPP_FMT "ipv6cp parse opts:", 3376 SPP_ARGS(ifp)); 3377 p = (void*) (h+1); 3378 ifidcount = 0; 3379 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3380 /* Sanity check option length */ 3381 if (p[1] > len) { 3382 /* XXX just RXJ? */ 3383 log(-1, "%s: received malicious IPCPv6 option, " 3384 "dropping\n", ifp->if_xname); 3385 goto drop; 3386 } 3387 if (debug) 3388 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3389 switch (*p) { 3390 case IPV6CP_OPT_IFID: 3391 if (len >= 10 && p[1] == 10 && ifidcount == 0) { 3392 /* correctly formed address option */ 3393 ifidcount++; 3394 continue; 3395 } 3396 if (debug) 3397 log(-1, " [invalid]"); 3398 break; 3399 #ifdef notyet 3400 case IPV6CP_OPT_COMPRESSION: 3401 if (len >= 4 && p[1] >= 4) { 3402 /* correctly formed compress option */ 3403 continue; 3404 } 3405 if (debug) 3406 log(-1, " [invalid]"); 3407 break; 3408 #endif 3409 default: 3410 /* Others not supported. */ 3411 if (debug) 3412 log(-1, " [rej]"); 3413 break; 3414 } 3415 /* Add the option to rejected list. */ 3416 bcopy (p, r, p[1]); 3417 r += p[1]; 3418 rlen += p[1]; 3419 } 3420 if (rlen) { 3421 if (debug) 3422 log(-1, " send conf-rej\n"); 3423 sppp_cp_send (sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3424 goto end; 3425 } else if (debug) 3426 log(-1, "\n"); 3427 3428 /* pass 2: parse option values */ 3429 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3430 if (debug) 3431 log(LOG_DEBUG, SPP_FMT "ipv6cp parse opt values: ", 3432 SPP_ARGS(ifp)); 3433 p = (void*) (h+1); 3434 len = origlen; 3435 type = CONF_ACK; 3436 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3437 if (debug) 3438 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3439 switch (*p) { 3440 #ifdef notyet 3441 case IPV6CP_OPT_COMPRESSION: 3442 continue; 3443 #endif 3444 case IPV6CP_OPT_IFID: 3445 bzero(&desiredaddr, sizeof(desiredaddr)); 3446 bcopy(&p[2], &desiredaddr.s6_addr[8], 8); 3447 collision = (bcmp(&desiredaddr.s6_addr[8], 3448 &myaddr.s6_addr[8], 8) == 0); 3449 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3450 3451 desiredaddr.s6_addr16[0] = htons(0xfe80); 3452 desiredaddr.s6_addr16[1] = htons(sp->pp_if.if_index); 3453 3454 if (!collision && !nohisaddr) { 3455 /* no collision, hisaddr known - Conf-Ack */ 3456 type = CONF_ACK; 3457 3458 if (debug) { 3459 log(-1, " %s [%s]", 3460 ip6_sprintf(&desiredaddr), 3461 sppp_cp_type_name(type)); 3462 } 3463 continue; 3464 } 3465 3466 bzero(&suggestaddr, sizeof(suggestaddr)); 3467 if (collision && nohisaddr) { 3468 /* collision, hisaddr unknown - Conf-Rej */ 3469 type = CONF_REJ; 3470 bzero(&p[2], 8); 3471 } else { 3472 /* 3473 * - no collision, hisaddr unknown, or 3474 * - collision, hisaddr known 3475 * Conf-Nak, suggest hisaddr 3476 */ 3477 type = CONF_NAK; 3478 sppp_suggest_ip6_addr(sp, &suggestaddr); 3479 bcopy(&suggestaddr.s6_addr[8], &p[2], 8); 3480 } 3481 if (debug) 3482 log(-1, " %s [%s]", ip6_sprintf(&desiredaddr), 3483 sppp_cp_type_name(type)); 3484 break; 3485 } 3486 /* Add the option to nak'ed list. */ 3487 bcopy (p, r, p[1]); 3488 r += p[1]; 3489 rlen += p[1]; 3490 } 3491 3492 if (rlen == 0 && type == CONF_ACK) { 3493 if (debug) 3494 log(-1, " send %s\n", sppp_cp_type_name(type)); 3495 sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, origlen, h+1); 3496 } else { 3497 #ifdef DIAGNOSTIC 3498 if (type == CONF_ACK) 3499 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3500 #endif 3501 3502 if (debug) { 3503 log(-1, " send %s suggest %s\n", 3504 sppp_cp_type_name(type), ip6_sprintf(&suggestaddr)); 3505 } 3506 sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3507 } 3508 3509 end: 3510 kfree (buf, M_TEMP); 3511 return (rlen == 0); 3512 3513 drop: 3514 kfree(buf, M_TEMP); 3515 return (-1); 3516 } 3517 3518 /* 3519 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3520 * negotiation. 3521 */ 3522 static void 3523 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3524 { 3525 u_char *buf, *p; 3526 struct ifnet *ifp = &sp->pp_if; 3527 int debug = ifp->if_flags & IFF_DEBUG; 3528 3529 len -= 4; 3530 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3531 3532 if (debug) 3533 log(LOG_DEBUG, SPP_FMT "ipv6cp rej opts:", 3534 SPP_ARGS(ifp)); 3535 3536 p = (void*) (h+1); 3537 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3538 if (p[1] > len) { 3539 /* XXX just RXJ? */ 3540 log(-1, "%s: received malicious IPCPv6 option, " 3541 "dropping\n", ifp->if_xname); 3542 goto drop; 3543 } 3544 if (debug) 3545 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3546 switch (*p) { 3547 case IPV6CP_OPT_IFID: 3548 /* 3549 * Peer doesn't grok address option. This is 3550 * bad. XXX Should we better give up here? 3551 */ 3552 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3553 break; 3554 #ifdef notyet 3555 case IPV6CP_OPT_COMPRESS: 3556 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3557 break; 3558 #endif 3559 } 3560 } 3561 if (debug) 3562 log(-1, "\n"); 3563 drop: 3564 kfree (buf, M_TEMP); 3565 return; 3566 } 3567 3568 /* 3569 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3570 * negotiation. 3571 */ 3572 static void 3573 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3574 { 3575 u_char *buf, *p; 3576 struct ifnet *ifp = &sp->pp_if; 3577 int debug = ifp->if_flags & IFF_DEBUG; 3578 struct in6_addr suggestaddr; 3579 3580 len -= 4; 3581 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3582 3583 if (debug) 3584 log(LOG_DEBUG, SPP_FMT "ipv6cp nak opts:", 3585 SPP_ARGS(ifp)); 3586 3587 p = (void*) (h+1); 3588 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3589 if (p[1] > len) { 3590 /* XXX just RXJ? */ 3591 log(-1, "%s: received malicious IPCPv6 option, " 3592 "dropping\n", ifp->if_xname); 3593 goto drop; 3594 } 3595 if (debug) 3596 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3597 switch (*p) { 3598 case IPV6CP_OPT_IFID: 3599 /* 3600 * Peer doesn't like our local ifid. See 3601 * if we can do something for him. We'll drop 3602 * him our address then. 3603 */ 3604 if (len < 10 || p[1] != 10) 3605 break; 3606 bzero(&suggestaddr, sizeof(suggestaddr)); 3607 suggestaddr.s6_addr16[0] = htons(0xfe80); 3608 suggestaddr.s6_addr16[1] = htons(sp->pp_if.if_index); 3609 bcopy(&p[2], &suggestaddr.s6_addr[8], 8); 3610 3611 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3612 if (debug) 3613 log(-1, " [suggestaddr %s]", 3614 ip6_sprintf(&suggestaddr)); 3615 #ifdef IPV6CP_MYIFID_DYN 3616 /* 3617 * When doing dynamic address assignment, 3618 * we accept his offer. 3619 */ 3620 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3621 struct in6_addr lastsuggest; 3622 /* 3623 * If <suggested myaddr from peer> equals to 3624 * <hisaddr we have suggested last time>, 3625 * we have a collision. generate new random 3626 * ifid. 3627 */ 3628 sppp_suggest_ip6_addr(&lastsuggest); 3629 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3630 lastsuggest)) { 3631 if (debug) 3632 log(-1, " [random]"); 3633 sppp_gen_ip6_addr(sp, &suggestaddr); 3634 } 3635 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3636 if (debug) 3637 log(-1, " [agree]"); 3638 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3639 } 3640 #else 3641 /* 3642 * Since we do not do dynamic address assignment, 3643 * we ignore it and thus continue to negotiate 3644 * our already existing value. This can possibly 3645 * go into infinite request-reject loop. 3646 * 3647 * This is not likely because we normally use 3648 * ifid based on MAC-address. 3649 * If you have no ethernet card on the node, too bad. 3650 * XXX should we use fail_counter? 3651 */ 3652 #endif 3653 break; 3654 #ifdef notyet 3655 case IPV6CP_OPT_COMPRESS: 3656 /* 3657 * Peer wants different compression parameters. 3658 */ 3659 break; 3660 #endif 3661 } 3662 } 3663 if (debug) 3664 log(-1, "\n"); 3665 drop: 3666 kfree (buf, M_TEMP); 3667 return; 3668 } 3669 static void 3670 sppp_ipv6cp_tlu(struct sppp *sp) 3671 { 3672 /* we are up - notify isdn daemon */ 3673 if (sp->pp_con) 3674 sp->pp_con(sp); 3675 } 3676 3677 static void 3678 sppp_ipv6cp_tld(struct sppp *sp) 3679 { 3680 } 3681 3682 static void 3683 sppp_ipv6cp_tls(struct sppp *sp) 3684 { 3685 /* indicate to LCP that it must stay alive */ 3686 sp->lcp.protos |= (1 << IDX_IPV6CP); 3687 } 3688 3689 static void 3690 sppp_ipv6cp_tlf(struct sppp *sp) 3691 { 3692 3693 #if 0 /* need #if 0 to close IPv6CP properly */ 3694 /* we no longer need LCP */ 3695 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3696 sppp_lcp_check_and_close(sp); 3697 #endif 3698 } 3699 3700 static void 3701 sppp_ipv6cp_scr(struct sppp *sp) 3702 { 3703 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3704 struct in6_addr ouraddr; 3705 int i = 0; 3706 3707 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3708 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3709 opt[i++] = IPV6CP_OPT_IFID; 3710 opt[i++] = 10; 3711 bcopy(&ouraddr.s6_addr[8], &opt[i], 8); 3712 i += 8; 3713 } 3714 3715 #ifdef notyet 3716 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 3717 opt[i++] = IPV6CP_OPT_COMPRESSION; 3718 opt[i++] = 4; 3719 opt[i++] = 0; /* TBD */ 3720 opt[i++] = 0; /* TBD */ 3721 /* variable length data may follow */ 3722 } 3723 #endif 3724 3725 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 3726 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 3727 } 3728 #else /*INET6*/ 3729 static void 3730 sppp_ipv6cp_init(struct sppp *sp) 3731 { 3732 } 3733 3734 static void 3735 sppp_ipv6cp_up(struct sppp *sp) 3736 { 3737 } 3738 3739 static void 3740 sppp_ipv6cp_down(struct sppp *sp) 3741 { 3742 } 3743 3744 3745 static void 3746 sppp_ipv6cp_open(struct sppp *sp) 3747 { 3748 } 3749 3750 static void 3751 sppp_ipv6cp_close(struct sppp *sp) 3752 { 3753 } 3754 3755 static void 3756 sppp_ipv6cp_TO(void *sp) 3757 { 3758 } 3759 3760 static int 3761 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3762 { 3763 return 0; 3764 } 3765 3766 static void 3767 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3768 { 3769 } 3770 3771 static void 3772 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3773 { 3774 } 3775 3776 static void 3777 sppp_ipv6cp_tlu(struct sppp *sp) 3778 { 3779 } 3780 3781 static void 3782 sppp_ipv6cp_tld(struct sppp *sp) 3783 { 3784 } 3785 3786 static void 3787 sppp_ipv6cp_tls(struct sppp *sp) 3788 { 3789 } 3790 3791 static void 3792 sppp_ipv6cp_tlf(struct sppp *sp) 3793 { 3794 } 3795 3796 static void 3797 sppp_ipv6cp_scr(struct sppp *sp) 3798 { 3799 } 3800 #endif /*INET6*/ 3801 3802 /* 3803 *--------------------------------------------------------------------------* 3804 * * 3805 * The CHAP implementation. * 3806 * * 3807 *--------------------------------------------------------------------------* 3808 */ 3809 3810 /* 3811 * The authentication protocols don't employ a full-fledged state machine as 3812 * the control protocols do, since they do have Open and Close events, but 3813 * not Up and Down, nor are they explicitly terminated. Also, use of the 3814 * authentication protocols may be different in both directions (this makes 3815 * sense, think of a machine that never accepts incoming calls but only 3816 * calls out, it doesn't require the called party to authenticate itself). 3817 * 3818 * Our state machine for the local authentication protocol (we are requesting 3819 * the peer to authenticate) looks like: 3820 * 3821 * RCA- 3822 * +--------------------------------------------+ 3823 * V scn,tld| 3824 * +--------+ Close +---------+ RCA+ 3825 * | |<----------------------------------| |------+ 3826 * +--->| Closed | TO* | Opened | sca | 3827 * | | |-----+ +-------| |<-----+ 3828 * | +--------+ irc | | +---------+ 3829 * | ^ | | ^ 3830 * | | | | | 3831 * | | | | | 3832 * | TO-| | | | 3833 * | |tld TO+ V | | 3834 * | | +------->+ | | 3835 * | | | | | | 3836 * | +--------+ V | | 3837 * | | |<----+<--------------------+ | 3838 * | | Req- | scr | 3839 * | | Sent | | 3840 * | | | | 3841 * | +--------+ | 3842 * | RCA- | | RCA+ | 3843 * +------+ +------------------------------------------+ 3844 * scn,tld sca,irc,ict,tlu 3845 * 3846 * 3847 * with: 3848 * 3849 * Open: LCP reached authentication phase 3850 * Close: LCP reached terminate phase 3851 * 3852 * RCA+: received reply (pap-req, chap-response), acceptable 3853 * RCN: received reply (pap-req, chap-response), not acceptable 3854 * TO+: timeout with restart counter >= 0 3855 * TO-: timeout with restart counter < 0 3856 * TO*: reschedule timeout for CHAP 3857 * 3858 * scr: send request packet (none for PAP, chap-challenge) 3859 * sca: send ack packet (pap-ack, chap-success) 3860 * scn: send nak packet (pap-nak, chap-failure) 3861 * ict: initialize re-challenge timer (CHAP only) 3862 * 3863 * tlu: this-layer-up, LCP reaches network phase 3864 * tld: this-layer-down, LCP enters terminate phase 3865 * 3866 * Note that in CHAP mode, after sending a new challenge, while the state 3867 * automaton falls back into Req-Sent state, it doesn't signal a tld 3868 * event to LCP, so LCP remains in network phase. Only after not getting 3869 * any response (or after getting an unacceptable response), CHAP closes, 3870 * causing LCP to enter terminate phase. 3871 * 3872 * With PAP, there is no initial request that can be sent. The peer is 3873 * expected to send one based on the successful negotiation of PAP as 3874 * the authentication protocol during the LCP option negotiation. 3875 * 3876 * Incoming authentication protocol requests (remote requests 3877 * authentication, we are peer) don't employ a state machine at all, 3878 * they are simply answered. Some peers [Ascend P50 firmware rev 3879 * 4.50] react allergically when sending IPCP requests while they are 3880 * still in authentication phase (thereby violating the standard that 3881 * demands that these NCP packets are to be discarded), so we keep 3882 * track of the peer demanding us to authenticate, and only proceed to 3883 * phase network once we've seen a positive acknowledge for the 3884 * authentication. 3885 */ 3886 3887 /* 3888 * Handle incoming CHAP packets. 3889 */ 3890 static void 3891 sppp_chap_input(struct sppp *sp, struct mbuf *m) 3892 { 3893 STDDCL; 3894 struct lcp_header *h; 3895 int len; 3896 u_char *value, *name, digest[AUTHKEYLEN], dsize; 3897 int value_len, name_len; 3898 MD5_CTX ctx; 3899 3900 len = m->m_pkthdr.len; 3901 if (len < 4) { 3902 if (debug) 3903 log(LOG_DEBUG, 3904 SPP_FMT "chap invalid packet length: %d bytes\n", 3905 SPP_ARGS(ifp), len); 3906 return; 3907 } 3908 h = mtod (m, struct lcp_header*); 3909 if (len > ntohs (h->len)) 3910 len = ntohs (h->len); 3911 3912 switch (h->type) { 3913 /* challenge, failure and success are his authproto */ 3914 case CHAP_CHALLENGE: 3915 value = 1 + (u_char*)(h+1); 3916 value_len = value[-1]; 3917 name = value + value_len; 3918 name_len = len - value_len - 5; 3919 if (name_len < 0) { 3920 if (debug) { 3921 log(LOG_DEBUG, 3922 SPP_FMT "chap corrupted challenge " 3923 "<%s id=0x%x len=%d", 3924 SPP_ARGS(ifp), 3925 sppp_auth_type_name(PPP_CHAP, h->type), 3926 h->ident, ntohs(h->len)); 3927 sppp_print_bytes((u_char*) (h+1), len-4); 3928 log(-1, ">\n"); 3929 } 3930 break; 3931 } 3932 3933 if (debug) { 3934 log(LOG_DEBUG, 3935 SPP_FMT "chap input <%s id=0x%x len=%d name=", 3936 SPP_ARGS(ifp), 3937 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 3938 ntohs(h->len)); 3939 sppp_print_string((char*) name, name_len); 3940 log(-1, " value-size=%d value=", value_len); 3941 sppp_print_bytes(value, value_len); 3942 log(-1, ">\n"); 3943 } 3944 3945 /* Compute reply value. */ 3946 MD5Init(&ctx); 3947 MD5Update(&ctx, &h->ident, 1); 3948 MD5Update(&ctx, sp->myauth.secret, 3949 strnlen(sp->myauth.secret, AUTHKEYLEN)); 3950 MD5Update(&ctx, value, value_len); 3951 MD5Final(digest, &ctx); 3952 dsize = sizeof digest; 3953 3954 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 3955 sizeof dsize, (const char *)&dsize, 3956 sizeof digest, digest, 3957 (size_t)strnlen(sp->myauth.name, AUTHNAMELEN), 3958 sp->myauth.name, 3959 0); 3960 break; 3961 3962 case CHAP_SUCCESS: 3963 if (debug) { 3964 log(LOG_DEBUG, SPP_FMT "chap success", 3965 SPP_ARGS(ifp)); 3966 if (len > 4) { 3967 log(-1, ": "); 3968 sppp_print_string((char*)(h + 1), len - 4); 3969 } 3970 log(-1, "\n"); 3971 } 3972 3973 crit_enter(); 3974 3975 sp->pp_flags &= ~PP_NEEDAUTH; 3976 if (sp->myauth.proto == PPP_CHAP && 3977 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 3978 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 3979 /* 3980 * We are authenticator for CHAP but didn't 3981 * complete yet. Leave it to tlu to proceed 3982 * to network phase. 3983 */ 3984 crit_exit(); 3985 break; 3986 } 3987 crit_exit(); 3988 sppp_phase_network(sp); 3989 break; 3990 3991 case CHAP_FAILURE: 3992 if (debug) { 3993 log(LOG_INFO, SPP_FMT "chap failure", 3994 SPP_ARGS(ifp)); 3995 if (len > 4) { 3996 log(-1, ": "); 3997 sppp_print_string((char*)(h + 1), len - 4); 3998 } 3999 log(-1, "\n"); 4000 } else 4001 log(LOG_INFO, SPP_FMT "chap failure\n", 4002 SPP_ARGS(ifp)); 4003 /* await LCP shutdown by authenticator */ 4004 break; 4005 4006 /* response is my authproto */ 4007 case CHAP_RESPONSE: 4008 value = 1 + (u_char*)(h+1); 4009 value_len = value[-1]; 4010 name = value + value_len; 4011 name_len = len - value_len - 5; 4012 if (name_len < 0) { 4013 if (debug) { 4014 log(LOG_DEBUG, 4015 SPP_FMT "chap corrupted response " 4016 "<%s id=0x%x len=%d", 4017 SPP_ARGS(ifp), 4018 sppp_auth_type_name(PPP_CHAP, h->type), 4019 h->ident, ntohs(h->len)); 4020 sppp_print_bytes((u_char*)(h+1), len-4); 4021 log(-1, ">\n"); 4022 } 4023 break; 4024 } 4025 if (h->ident != sp->confid[IDX_CHAP]) { 4026 if (debug) 4027 log(LOG_DEBUG, 4028 SPP_FMT "chap dropping response for old ID " 4029 "(got %d, expected %d)\n", 4030 SPP_ARGS(ifp), 4031 h->ident, sp->confid[IDX_CHAP]); 4032 break; 4033 } 4034 if (name_len != strnlen(sp->hisauth.name, AUTHNAMELEN) 4035 || bcmp(name, sp->hisauth.name, name_len) != 0) { 4036 log(LOG_INFO, SPP_FMT "chap response, his name ", 4037 SPP_ARGS(ifp)); 4038 sppp_print_string(name, name_len); 4039 log(-1, " != expected "); 4040 sppp_print_string(sp->hisauth.name, 4041 strnlen(sp->hisauth.name, AUTHNAMELEN)); 4042 log(-1, "\n"); 4043 } 4044 if (debug) { 4045 log(LOG_DEBUG, SPP_FMT "chap input(%s) " 4046 "<%s id=0x%x len=%d name=", 4047 SPP_ARGS(ifp), 4048 sppp_state_name(sp->state[IDX_CHAP]), 4049 sppp_auth_type_name(PPP_CHAP, h->type), 4050 h->ident, ntohs (h->len)); 4051 sppp_print_string((char*)name, name_len); 4052 log(-1, " value-size=%d value=", value_len); 4053 sppp_print_bytes(value, value_len); 4054 log(-1, ">\n"); 4055 } 4056 if (value_len != AUTHKEYLEN) { 4057 if (debug) 4058 log(LOG_DEBUG, 4059 SPP_FMT "chap bad hash value length: " 4060 "%d bytes, should be %d\n", 4061 SPP_ARGS(ifp), value_len, 4062 AUTHKEYLEN); 4063 break; 4064 } 4065 4066 MD5Init(&ctx); 4067 MD5Update(&ctx, &h->ident, 1); 4068 MD5Update(&ctx, sp->hisauth.secret, 4069 strnlen(sp->hisauth.secret, AUTHKEYLEN)); 4070 MD5Update(&ctx, sp->myauth.challenge, AUTHKEYLEN); 4071 MD5Final(digest, &ctx); 4072 4073 #define FAILMSG "Failed..." 4074 #define SUCCMSG "Welcome!" 4075 4076 if (value_len != sizeof digest || 4077 bcmp(digest, value, value_len) != 0) { 4078 /* action scn, tld */ 4079 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4080 sizeof(FAILMSG) - 1, (u_char *)FAILMSG, 4081 0); 4082 chap.tld(sp); 4083 break; 4084 } 4085 /* action sca, perhaps tlu */ 4086 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4087 sp->state[IDX_CHAP] == STATE_OPENED) 4088 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4089 sizeof(SUCCMSG) - 1, (u_char *)SUCCMSG, 4090 0); 4091 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4092 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4093 chap.tlu(sp); 4094 } 4095 break; 4096 4097 default: 4098 /* Unknown CHAP packet type -- ignore. */ 4099 if (debug) { 4100 log(LOG_DEBUG, SPP_FMT "chap unknown input(%s) " 4101 "<0x%x id=0x%xh len=%d", 4102 SPP_ARGS(ifp), 4103 sppp_state_name(sp->state[IDX_CHAP]), 4104 h->type, h->ident, ntohs(h->len)); 4105 sppp_print_bytes((u_char*)(h+1), len-4); 4106 log(-1, ">\n"); 4107 } 4108 break; 4109 4110 } 4111 } 4112 4113 static void 4114 sppp_chap_init(struct sppp *sp) 4115 { 4116 /* Chap doesn't have STATE_INITIAL at all. */ 4117 sp->state[IDX_CHAP] = STATE_CLOSED; 4118 sp->fail_counter[IDX_CHAP] = 0; 4119 sp->pp_seq[IDX_CHAP] = 0; 4120 sp->pp_rseq[IDX_CHAP] = 0; 4121 callout_init(&sp->timeout[IDX_CHAP]); 4122 } 4123 4124 static void 4125 sppp_chap_open(struct sppp *sp) 4126 { 4127 if (sp->myauth.proto == PPP_CHAP && 4128 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4129 /* we are authenticator for CHAP, start it */ 4130 chap.scr(sp); 4131 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4132 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4133 } 4134 /* nothing to be done if we are peer, await a challenge */ 4135 } 4136 4137 static void 4138 sppp_chap_close(struct sppp *sp) 4139 { 4140 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4141 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4142 } 4143 4144 static void 4145 sppp_chap_TO(void *cookie) 4146 { 4147 struct sppp *sp = (struct sppp *)cookie; 4148 STDDCL; 4149 4150 crit_enter(); 4151 4152 if (debug) 4153 log(LOG_DEBUG, SPP_FMT "chap TO(%s) rst_counter = %d\n", 4154 SPP_ARGS(ifp), 4155 sppp_state_name(sp->state[IDX_CHAP]), 4156 sp->rst_counter[IDX_CHAP]); 4157 4158 if (--sp->rst_counter[IDX_CHAP] < 0) 4159 /* TO- event */ 4160 switch (sp->state[IDX_CHAP]) { 4161 case STATE_REQ_SENT: 4162 chap.tld(sp); 4163 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4164 break; 4165 } 4166 else 4167 /* TO+ (or TO*) event */ 4168 switch (sp->state[IDX_CHAP]) { 4169 case STATE_OPENED: 4170 /* TO* event */ 4171 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4172 /* fall through */ 4173 case STATE_REQ_SENT: 4174 chap.scr(sp); 4175 /* sppp_cp_change_state() will restart the timer */ 4176 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4177 break; 4178 } 4179 4180 crit_exit(); 4181 } 4182 4183 static void 4184 sppp_chap_tlu(struct sppp *sp) 4185 { 4186 STDDCL; 4187 int i; 4188 4189 i = 0; 4190 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4191 4192 /* 4193 * Some broken CHAP implementations (Conware CoNet, firmware 4194 * 4.0.?) don't want to re-authenticate their CHAP once the 4195 * initial challenge-response exchange has taken place. 4196 * Provide for an option to avoid rechallenges. 4197 */ 4198 if ((sp->hisauth.flags & AUTHFLAG_NORECHALLENGE) == 0) { 4199 /* 4200 * Compute the re-challenge timeout. This will yield 4201 * a number between 300 and 810 seconds. 4202 */ 4203 i = 300 + ((unsigned)(krandom() & 0xff00) >> 7); 4204 callout_reset(&sp->timeout[IDX_CHAP], i * hz, chap.TO, sp); 4205 } 4206 4207 if (debug) { 4208 log(LOG_DEBUG, 4209 SPP_FMT "chap %s, ", 4210 SPP_ARGS(ifp), 4211 sp->pp_phase == PHASE_NETWORK? "reconfirmed": "tlu"); 4212 if ((sp->hisauth.flags & AUTHFLAG_NORECHALLENGE) == 0) 4213 log(-1, "next re-challenge in %d seconds\n", i); 4214 else 4215 log(-1, "re-challenging suppressed\n"); 4216 } 4217 4218 crit_enter(); 4219 4220 /* indicate to LCP that we need to be closed down */ 4221 sp->lcp.protos |= (1 << IDX_CHAP); 4222 4223 if (sp->pp_flags & PP_NEEDAUTH) { 4224 /* 4225 * Remote is authenticator, but his auth proto didn't 4226 * complete yet. Defer the transition to network 4227 * phase. 4228 */ 4229 crit_exit(); 4230 return; 4231 } 4232 4233 crit_exit(); 4234 4235 /* 4236 * If we are already in phase network, we are done here. This 4237 * is the case if this is a dummy tlu event after a re-challenge. 4238 */ 4239 if (sp->pp_phase != PHASE_NETWORK) 4240 sppp_phase_network(sp); 4241 } 4242 4243 static void 4244 sppp_chap_tld(struct sppp *sp) 4245 { 4246 STDDCL; 4247 4248 if (debug) 4249 log(LOG_DEBUG, SPP_FMT "chap tld\n", SPP_ARGS(ifp)); 4250 callout_stop(&sp->timeout[IDX_CHAP]); 4251 sp->lcp.protos &= ~(1 << IDX_CHAP); 4252 4253 lcp.Close(sp); 4254 } 4255 4256 static void 4257 sppp_chap_scr(struct sppp *sp) 4258 { 4259 u_long *ch, seed; 4260 u_char clen; 4261 4262 /* Compute random challenge. */ 4263 ch = (u_long *)sp->myauth.challenge; 4264 read_random(&seed, sizeof seed); 4265 ch[0] = seed ^ krandom(); 4266 ch[1] = seed ^ krandom(); 4267 ch[2] = seed ^ krandom(); 4268 ch[3] = seed ^ krandom(); 4269 clen = AUTHKEYLEN; 4270 4271 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4272 4273 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4274 sizeof clen, (const char *)&clen, 4275 (size_t)AUTHKEYLEN, sp->myauth.challenge, 4276 (size_t)strnlen(sp->myauth.name, AUTHNAMELEN), 4277 sp->myauth.name, 4278 0); 4279 } 4280 4281 /* 4282 *--------------------------------------------------------------------------* 4283 * * 4284 * The PAP implementation. * 4285 * * 4286 *--------------------------------------------------------------------------* 4287 */ 4288 /* 4289 * For PAP, we need to keep a little state also if we are the peer, not the 4290 * authenticator. This is since we don't get a request to authenticate, but 4291 * have to repeatedly authenticate ourself until we got a response (or the 4292 * retry counter is expired). 4293 */ 4294 4295 /* 4296 * Handle incoming PAP packets. */ 4297 static void 4298 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4299 { 4300 STDDCL; 4301 struct lcp_header *h; 4302 int len; 4303 u_char *name, *passwd, mlen; 4304 int name_len, passwd_len; 4305 4306 /* 4307 * Malicious input might leave this uninitialized, so 4308 * init to an impossible value. 4309 */ 4310 passwd_len = -1; 4311 4312 len = m->m_pkthdr.len; 4313 if (len < 5) { 4314 if (debug) 4315 log(LOG_DEBUG, 4316 SPP_FMT "pap invalid packet length: %d bytes\n", 4317 SPP_ARGS(ifp), len); 4318 return; 4319 } 4320 h = mtod (m, struct lcp_header*); 4321 if (len > ntohs (h->len)) 4322 len = ntohs (h->len); 4323 switch (h->type) { 4324 /* PAP request is my authproto */ 4325 case PAP_REQ: 4326 name = 1 + (u_char*)(h+1); 4327 name_len = name[-1]; 4328 passwd = name + name_len + 1; 4329 if (name_len > len - 6 || 4330 (passwd_len = passwd[-1]) > len - 6 - name_len) { 4331 if (debug) { 4332 log(LOG_DEBUG, SPP_FMT "pap corrupted input " 4333 "<%s id=0x%x len=%d", 4334 SPP_ARGS(ifp), 4335 sppp_auth_type_name(PPP_PAP, h->type), 4336 h->ident, ntohs(h->len)); 4337 sppp_print_bytes((u_char*)(h+1), len-4); 4338 log(-1, ">\n"); 4339 } 4340 break; 4341 } 4342 if (debug) { 4343 log(LOG_DEBUG, SPP_FMT "pap input(%s) " 4344 "<%s id=0x%x len=%d name=", 4345 SPP_ARGS(ifp), 4346 sppp_state_name(sp->state[IDX_PAP]), 4347 sppp_auth_type_name(PPP_PAP, h->type), 4348 h->ident, ntohs(h->len)); 4349 sppp_print_string((char*)name, name_len); 4350 log(-1, " passwd="); 4351 sppp_print_string((char*)passwd, passwd_len); 4352 log(-1, ">\n"); 4353 } 4354 if (name_len != strnlen(sp->hisauth.name, AUTHNAMELEN) || 4355 passwd_len != strnlen(sp->hisauth.secret, AUTHKEYLEN) || 4356 bcmp(name, sp->hisauth.name, name_len) != 0 || 4357 bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) { 4358 /* action scn, tld */ 4359 mlen = sizeof(FAILMSG) - 1; 4360 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4361 sizeof mlen, (const char *)&mlen, 4362 sizeof(FAILMSG) - 1, (u_char *)FAILMSG, 4363 0); 4364 pap.tld(sp); 4365 break; 4366 } 4367 /* action sca, perhaps tlu */ 4368 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4369 sp->state[IDX_PAP] == STATE_OPENED) { 4370 mlen = sizeof(SUCCMSG) - 1; 4371 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4372 sizeof mlen, (const char *)&mlen, 4373 sizeof(SUCCMSG) - 1, (u_char *)SUCCMSG, 4374 0); 4375 } 4376 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4377 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4378 pap.tlu(sp); 4379 } 4380 break; 4381 4382 /* ack and nak are his authproto */ 4383 case PAP_ACK: 4384 callout_stop(&sp->pap_my_to); 4385 if (debug) { 4386 log(LOG_DEBUG, SPP_FMT "pap success", 4387 SPP_ARGS(ifp)); 4388 name = 1 + (u_char *)(h + 1); 4389 name_len = name[-1]; 4390 if (len > 5 && name_len < len+4) { 4391 log(-1, ": "); 4392 sppp_print_string(name, name_len); 4393 } 4394 log(-1, "\n"); 4395 } 4396 4397 crit_enter(); 4398 4399 sp->pp_flags &= ~PP_NEEDAUTH; 4400 if (sp->myauth.proto == PPP_PAP && 4401 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4402 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4403 /* 4404 * We are authenticator for PAP but didn't 4405 * complete yet. Leave it to tlu to proceed 4406 * to network phase. 4407 */ 4408 4409 crit_exit(); 4410 4411 break; 4412 } 4413 4414 crit_exit(); 4415 4416 sppp_phase_network(sp); 4417 break; 4418 4419 case PAP_NAK: 4420 callout_stop(&sp->pap_my_to); 4421 if (debug) { 4422 log(LOG_INFO, SPP_FMT "pap failure", 4423 SPP_ARGS(ifp)); 4424 name = 1 + (u_char *)(h + 1); 4425 name_len = name[-1]; 4426 if (len > 5 && name_len < len+4) { 4427 log(-1, ": "); 4428 sppp_print_string(name, name_len); 4429 } 4430 log(-1, "\n"); 4431 } else 4432 log(LOG_INFO, SPP_FMT "pap failure\n", 4433 SPP_ARGS(ifp)); 4434 /* await LCP shutdown by authenticator */ 4435 break; 4436 4437 default: 4438 /* Unknown PAP packet type -- ignore. */ 4439 if (debug) { 4440 log(LOG_DEBUG, SPP_FMT "pap corrupted input " 4441 "<0x%x id=0x%x len=%d", 4442 SPP_ARGS(ifp), 4443 h->type, h->ident, ntohs(h->len)); 4444 sppp_print_bytes((u_char*)(h+1), len-4); 4445 log(-1, ">\n"); 4446 } 4447 break; 4448 4449 } 4450 } 4451 4452 static void 4453 sppp_pap_init(struct sppp *sp) 4454 { 4455 /* PAP doesn't have STATE_INITIAL at all. */ 4456 sp->state[IDX_PAP] = STATE_CLOSED; 4457 sp->fail_counter[IDX_PAP] = 0; 4458 sp->pp_seq[IDX_PAP] = 0; 4459 sp->pp_rseq[IDX_PAP] = 0; 4460 callout_init(&sp->timeout[IDX_PAP]); 4461 callout_init(&sp->pap_my_to); 4462 } 4463 4464 static void 4465 sppp_pap_open(struct sppp *sp) 4466 { 4467 if (sp->hisauth.proto == PPP_PAP && 4468 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4469 /* we are authenticator for PAP, start our timer */ 4470 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4471 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4472 } 4473 if (sp->myauth.proto == PPP_PAP) { 4474 /* we are peer, send a request, and start a timer */ 4475 pap.scr(sp); 4476 callout_reset(&sp->pap_my_to, sp->lcp.timeout, 4477 sppp_pap_my_TO, sp); 4478 } 4479 } 4480 4481 static void 4482 sppp_pap_close(struct sppp *sp) 4483 { 4484 if (sp->state[IDX_PAP] != STATE_CLOSED) 4485 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4486 } 4487 4488 /* 4489 * That's the timeout routine if we are authenticator. Since the 4490 * authenticator is basically passive in PAP, we can't do much here. 4491 */ 4492 static void 4493 sppp_pap_TO(void *cookie) 4494 { 4495 struct sppp *sp = (struct sppp *)cookie; 4496 STDDCL; 4497 4498 crit_enter(); 4499 4500 if (debug) 4501 log(LOG_DEBUG, SPP_FMT "pap TO(%s) rst_counter = %d\n", 4502 SPP_ARGS(ifp), 4503 sppp_state_name(sp->state[IDX_PAP]), 4504 sp->rst_counter[IDX_PAP]); 4505 4506 if (--sp->rst_counter[IDX_PAP] < 0) 4507 /* TO- event */ 4508 switch (sp->state[IDX_PAP]) { 4509 case STATE_REQ_SENT: 4510 pap.tld(sp); 4511 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4512 break; 4513 } 4514 else 4515 /* TO+ event, not very much we could do */ 4516 switch (sp->state[IDX_PAP]) { 4517 case STATE_REQ_SENT: 4518 /* sppp_cp_change_state() will restart the timer */ 4519 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4520 break; 4521 } 4522 4523 crit_exit(); 4524 } 4525 4526 /* 4527 * That's the timeout handler if we are peer. Since the peer is active, 4528 * we need to retransmit our PAP request since it is apparently lost. 4529 * XXX We should impose a max counter. 4530 */ 4531 static void 4532 sppp_pap_my_TO(void *cookie) 4533 { 4534 struct sppp *sp = (struct sppp *)cookie; 4535 STDDCL; 4536 4537 if (debug) 4538 log(LOG_DEBUG, SPP_FMT "pap peer TO\n", 4539 SPP_ARGS(ifp)); 4540 4541 pap.scr(sp); 4542 } 4543 4544 static void 4545 sppp_pap_tlu(struct sppp *sp) 4546 { 4547 STDDCL; 4548 4549 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4550 4551 if (debug) 4552 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 4553 SPP_ARGS(ifp), pap.name); 4554 4555 crit_enter(); 4556 4557 /* indicate to LCP that we need to be closed down */ 4558 sp->lcp.protos |= (1 << IDX_PAP); 4559 4560 if (sp->pp_flags & PP_NEEDAUTH) { 4561 /* 4562 * Remote is authenticator, but his auth proto didn't 4563 * complete yet. Defer the transition to network 4564 * phase. 4565 */ 4566 crit_exit(); 4567 return; 4568 } 4569 crit_exit(); 4570 sppp_phase_network(sp); 4571 } 4572 4573 static void 4574 sppp_pap_tld(struct sppp *sp) 4575 { 4576 STDDCL; 4577 4578 if (debug) 4579 log(LOG_DEBUG, SPP_FMT "pap tld\n", SPP_ARGS(ifp)); 4580 callout_stop(&sp->timeout[IDX_PAP]); 4581 callout_stop(&sp->pap_my_to); 4582 sp->lcp.protos &= ~(1 << IDX_PAP); 4583 4584 lcp.Close(sp); 4585 } 4586 4587 static void 4588 sppp_pap_scr(struct sppp *sp) 4589 { 4590 u_char idlen, pwdlen; 4591 4592 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4593 pwdlen = strnlen(sp->myauth.secret, AUTHKEYLEN); 4594 idlen = strnlen(sp->myauth.name, AUTHNAMELEN); 4595 4596 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 4597 sizeof idlen, (const char *)&idlen, 4598 (size_t)idlen, sp->myauth.name, 4599 sizeof pwdlen, (const char *)&pwdlen, 4600 (size_t)pwdlen, sp->myauth.secret, 4601 0); 4602 } 4603 4604 /* 4605 * Random miscellaneous functions. 4606 */ 4607 4608 /* 4609 * Send a PAP or CHAP proto packet. 4610 * 4611 * Varadic function, each of the elements for the ellipsis is of type 4612 * ``size_t mlen, const u_char *msg''. Processing will stop iff 4613 * mlen == 0. 4614 * NOTE: never declare variadic functions with types subject to type 4615 * promotion (i.e. u_char). This is asking for big trouble depending 4616 * on the architecture you are on... 4617 */ 4618 4619 static void 4620 sppp_auth_send(const struct cp *cp, struct sppp *sp, 4621 unsigned int type, unsigned int id, 4622 ...) 4623 { 4624 STDDCL; 4625 struct ppp_header *h; 4626 struct lcp_header *lh; 4627 struct mbuf *m; 4628 u_char *p; 4629 int len; 4630 unsigned int mlen; 4631 const char *msg; 4632 struct ifaltq_subque *ifsq; 4633 __va_list ap; 4634 4635 MGETHDR (m, M_NOWAIT, MT_DATA); 4636 if (! m) 4637 return; 4638 m->m_pkthdr.rcvif = 0; 4639 4640 h = mtod (m, struct ppp_header*); 4641 h->address = PPP_ALLSTATIONS; /* broadcast address */ 4642 h->control = PPP_UI; /* Unnumbered Info */ 4643 h->protocol = htons(cp->proto); 4644 4645 lh = (struct lcp_header*)(h + 1); 4646 lh->type = type; 4647 lh->ident = id; 4648 p = (u_char*) (lh+1); 4649 4650 __va_start(ap, id); 4651 len = 0; 4652 4653 while ((mlen = (unsigned int)__va_arg(ap, size_t)) != 0) { 4654 msg = __va_arg(ap, const char *); 4655 len += mlen; 4656 if (len > MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN) { 4657 __va_end(ap); 4658 m_freem(m); 4659 return; 4660 } 4661 4662 bcopy(msg, p, mlen); 4663 p += mlen; 4664 } 4665 __va_end(ap); 4666 4667 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + LCP_HEADER_LEN + len; 4668 lh->len = htons (LCP_HEADER_LEN + len); 4669 4670 if (debug) { 4671 log(LOG_DEBUG, SPP_FMT "%s output <%s id=0x%x len=%d", 4672 SPP_ARGS(ifp), cp->name, 4673 sppp_auth_type_name(cp->proto, lh->type), 4674 lh->ident, ntohs(lh->len)); 4675 sppp_print_bytes((u_char*) (lh+1), len); 4676 log(-1, ">\n"); 4677 } 4678 if (IF_QFULL (&sp->pp_cpq)) { 4679 IF_DROP (&sp->pp_fastq); 4680 m_freem (m); 4681 IFNET_STAT_INC(ifp, oerrors, 1); 4682 } else 4683 IF_ENQUEUE (&sp->pp_cpq, m); 4684 ifsq = ifq_get_subq_default(&ifp->if_snd); 4685 if (!ifsq_is_oactive(ifsq)) 4686 (*ifp->if_start) (ifp, ifsq); 4687 IFNET_STAT_INC(ifp, obytes, m->m_pkthdr.len + 3); 4688 } 4689 4690 /* 4691 * Send keepalive packets, every 10 seconds. 4692 */ 4693 static void 4694 sppp_keepalive(void *dummy) 4695 { 4696 struct sppp *sp; 4697 4698 crit_enter(); 4699 4700 for (sp=spppq; sp; sp=sp->pp_next) { 4701 struct ifnet *ifp = &sp->pp_if; 4702 4703 /* Keepalive mode disabled or channel down? */ 4704 if (! (sp->pp_flags & PP_KEEPALIVE) || 4705 ! (ifp->if_flags & IFF_RUNNING)) 4706 continue; 4707 4708 /* No keepalive in PPP mode if LCP not opened yet. */ 4709 if (sp->pp_mode != IFF_CISCO && 4710 sp->pp_phase < PHASE_AUTHENTICATE) 4711 continue; 4712 4713 if (sp->pp_alivecnt == MAXALIVECNT) { 4714 /* No keepalive packets got. Stop the interface. */ 4715 kprintf (SPP_FMT "down\n", SPP_ARGS(ifp)); 4716 if_down (ifp); 4717 IF_DRAIN(&sp->pp_cpq); 4718 if (sp->pp_mode != IFF_CISCO) { 4719 /* XXX */ 4720 /* Shut down the PPP link. */ 4721 lcp.Down(sp); 4722 /* Initiate negotiation. XXX */ 4723 lcp.Up(sp); 4724 } 4725 } 4726 ifnet_serialize_all(ifp); 4727 if (sp->pp_alivecnt <= MAXALIVECNT) 4728 ++sp->pp_alivecnt; 4729 if (sp->pp_mode == IFF_CISCO) 4730 sppp_cisco_send (sp, CISCO_KEEPALIVE_REQ, 4731 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 4732 else if (sp->pp_phase >= PHASE_AUTHENTICATE) { 4733 long nmagic = htonl (sp->lcp.magic); 4734 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 4735 sppp_cp_send (sp, PPP_LCP, ECHO_REQ, 4736 sp->lcp.echoid, 4, &nmagic); 4737 } 4738 ifnet_deserialize_all(ifp); 4739 } 4740 callout_reset(&keepalive_timeout, hz * 10, sppp_keepalive, NULL); 4741 crit_exit(); 4742 } 4743 4744 /* 4745 * Get both IP addresses. 4746 */ 4747 static void 4748 sppp_get_ip_addrs(struct sppp *sp, u_long *src, u_long *dst, u_long *srcmask) 4749 { 4750 struct ifnet *ifp = &sp->pp_if; 4751 struct ifaddr_container *ifac; 4752 struct ifaddr *ifa; 4753 struct sockaddr_in *si, *sm; 4754 u_long ssrc, ddst; 4755 4756 sm = NULL; 4757 ssrc = ddst = 0L; 4758 /* 4759 * Pick the first AF_INET address from the list, 4760 * aliases don't make any sense on a p2p link anyway. 4761 */ 4762 si = NULL; 4763 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4764 ifa = ifac->ifa; 4765 if (ifa->ifa_addr->sa_family == AF_INET) { 4766 si = (struct sockaddr_in *)ifa->ifa_addr; 4767 sm = (struct sockaddr_in *)ifa->ifa_netmask; 4768 if (si) 4769 break; 4770 } 4771 } 4772 if (ifac != NULL) { 4773 if (si && si->sin_addr.s_addr) { 4774 ssrc = si->sin_addr.s_addr; 4775 if (srcmask) 4776 *srcmask = ntohl(sm->sin_addr.s_addr); 4777 } 4778 4779 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 4780 if (si && si->sin_addr.s_addr) 4781 ddst = si->sin_addr.s_addr; 4782 } 4783 4784 if (dst) *dst = ntohl(ddst); 4785 if (src) *src = ntohl(ssrc); 4786 } 4787 4788 /* 4789 * Set my IP address. Must be called at splimp. 4790 */ 4791 static void 4792 sppp_set_ip_addr(struct sppp *sp, u_long src) 4793 { 4794 STDDCL; 4795 struct ifaddr_container *ifac; 4796 struct ifaddr *ifa = NULL; 4797 struct sockaddr_in *si; 4798 struct in_ifaddr *ia; 4799 4800 /* 4801 * Pick the first AF_INET address from the list, 4802 * aliases don't make any sense on a p2p link anyway. 4803 */ 4804 si = NULL; 4805 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4806 ifa = ifac->ifa; 4807 if (ifa->ifa_addr->sa_family == AF_INET) { 4808 si = (struct sockaddr_in *)ifa->ifa_addr; 4809 if (si) 4810 break; 4811 } 4812 } 4813 4814 if (ifac != NULL && si != NULL) { 4815 int error; 4816 4817 /* delete old route */ 4818 error = rtinit(ifa, (int)RTM_DELETE, RTF_HOST); 4819 if(debug && error) 4820 { 4821 log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: rtinit DEL failed, error=%d\n", 4822 SPP_ARGS(ifp), error); 4823 } 4824 4825 ia = ifatoia(ifa); 4826 in_iahash_remove(ia); 4827 4828 /* set new address */ 4829 si->sin_addr.s_addr = htonl(src); 4830 in_iahash_insert(ia); 4831 4832 /* add new route */ 4833 error = rtinit(ifa, (int)RTM_ADD, RTF_HOST); 4834 if (debug && error) 4835 { 4836 log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: rtinit ADD failed, error=%d", 4837 SPP_ARGS(ifp), error); 4838 } 4839 } 4840 } 4841 4842 #ifdef INET6 4843 /* 4844 * Get both IPv6 addresses. 4845 */ 4846 static void 4847 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 4848 struct in6_addr *srcmask) 4849 { 4850 struct ifnet *ifp = &sp->pp_if; 4851 struct ifaddr_container *ifac; 4852 struct ifaddr *ifa; 4853 struct sockaddr_in6 *si, *sm; 4854 struct in6_addr ssrc, ddst; 4855 4856 sm = NULL; 4857 bzero(&ssrc, sizeof(ssrc)); 4858 bzero(&ddst, sizeof(ddst)); 4859 /* 4860 * Pick the first link-local AF_INET6 address from the list, 4861 * aliases don't make any sense on a p2p link anyway. 4862 */ 4863 si = NULL; 4864 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4865 ifa = ifac->ifa; 4866 if (ifa->ifa_addr->sa_family == AF_INET6) { 4867 si = (struct sockaddr_in6 *)ifa->ifa_addr; 4868 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 4869 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) 4870 break; 4871 } 4872 } 4873 if (ifac != NULL) { 4874 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 4875 bcopy(&si->sin6_addr, &ssrc, sizeof(ssrc)); 4876 if (srcmask) { 4877 bcopy(&sm->sin6_addr, srcmask, 4878 sizeof(*srcmask)); 4879 } 4880 } 4881 4882 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 4883 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 4884 bcopy(&si->sin6_addr, &ddst, sizeof(ddst)); 4885 } 4886 4887 if (dst) 4888 bcopy(&ddst, dst, sizeof(*dst)); 4889 if (src) 4890 bcopy(&ssrc, src, sizeof(*src)); 4891 } 4892 4893 #ifdef IPV6CP_MYIFID_DYN 4894 /* 4895 * Generate random ifid. 4896 */ 4897 static void 4898 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 4899 { 4900 /* TBD */ 4901 } 4902 4903 /* 4904 * Set my IPv6 address. Must be called at splimp. 4905 */ 4906 static void 4907 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 4908 { 4909 STDDCL; 4910 struct ifaddr_container *ifac; 4911 struct ifaddr *ifa; 4912 struct sockaddr_in6 *sin6; 4913 4914 /* 4915 * Pick the first link-local AF_INET6 address from the list, 4916 * aliases don't make any sense on a p2p link anyway. 4917 */ 4918 4919 sin6 = NULL; 4920 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4921 ifa = ifac->ifa; 4922 if (ifa->ifa_addr->sa_family == AF_INET6) { 4923 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 4924 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 4925 break; 4926 } 4927 } 4928 4929 if (ifac != NULL && sin6 != NULL) { 4930 int error; 4931 struct sockaddr_in6 new_sin6 = *sin6; 4932 4933 bcopy(src, &new_sin6.sin6_addr, sizeof(new_sin6.sin6_addr)); 4934 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 4935 if (debug && error) { 4936 log(LOG_DEBUG, SPP_FMT "sppp_set_ip6_addr: in6_ifinit " 4937 " failed, error=%d\n", SPP_ARGS(ifp), error); 4938 } 4939 } 4940 } 4941 #endif 4942 4943 /* 4944 * Suggest a candidate address to be used by peer. 4945 */ 4946 static void 4947 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 4948 { 4949 struct in6_addr myaddr; 4950 struct timeval tv; 4951 4952 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 4953 4954 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 4955 microtime(&tv); 4956 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 4957 myaddr.s6_addr[14] ^= 0xff; 4958 myaddr.s6_addr[15] ^= 0xff; 4959 } else { 4960 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 4961 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 4962 } 4963 if (suggest) 4964 bcopy(&myaddr, suggest, sizeof(myaddr)); 4965 } 4966 #endif /*INET6*/ 4967 4968 static int 4969 sppp_params(struct sppp *sp, u_long cmd, void *data) 4970 { 4971 u_long subcmd; 4972 struct ifreq *ifr = (struct ifreq *)data; 4973 struct spppreq *spr; 4974 int rv = 0; 4975 4976 spr = kmalloc(sizeof(struct spppreq), M_TEMP, M_INTWAIT); 4977 4978 /* 4979 * ifr->ifr_data is supposed to point to a struct spppreq. 4980 * Check the cmd word first before attempting to fetch all the 4981 * data. 4982 */ 4983 if ((subcmd = fuword(ifr->ifr_data)) == -1) { 4984 rv = EFAULT; 4985 goto quit; 4986 } 4987 4988 if (copyin((caddr_t)ifr->ifr_data, spr, sizeof(struct spppreq)) != 0) { 4989 rv = EFAULT; 4990 goto quit; 4991 } 4992 4993 switch (subcmd) { 4994 case (u_long)SPPPIOGDEFS: 4995 if (cmd != SIOCGIFGENERIC) { 4996 rv = EINVAL; 4997 break; 4998 } 4999 /* 5000 * We copy over the entire current state, but clean 5001 * out some of the stuff we don't wanna pass up. 5002 * Remember, SIOCGIFGENERIC is unprotected, and can be 5003 * called by any user. No need to ever get PAP or 5004 * CHAP secrets back to userland anyway. 5005 */ 5006 spr->defs.pp_phase = sp->pp_phase; 5007 spr->defs.enable_vj = (sp->confflags & CONF_ENABLE_VJ) != 0; 5008 spr->defs.enable_ipv6 = (sp->confflags & CONF_ENABLE_IPV6) != 0; 5009 spr->defs.lcp = sp->lcp; 5010 spr->defs.ipcp = sp->ipcp; 5011 spr->defs.ipv6cp = sp->ipv6cp; 5012 spr->defs.myauth = sp->myauth; 5013 spr->defs.hisauth = sp->hisauth; 5014 bzero(spr->defs.myauth.secret, AUTHKEYLEN); 5015 bzero(spr->defs.myauth.challenge, AUTHKEYLEN); 5016 bzero(spr->defs.hisauth.secret, AUTHKEYLEN); 5017 bzero(spr->defs.hisauth.challenge, AUTHKEYLEN); 5018 /* 5019 * Fixup the LCP timeout value to milliseconds so 5020 * spppcontrol doesn't need to bother about the value 5021 * of "hz". We do the reverse calculation below when 5022 * setting it. 5023 */ 5024 spr->defs.lcp.timeout = sp->lcp.timeout * 1000 / hz; 5025 rv = copyout(spr, (caddr_t)ifr->ifr_data, 5026 sizeof(struct spppreq)); 5027 break; 5028 5029 case (u_long)SPPPIOSDEFS: 5030 if (cmd != SIOCSIFGENERIC) { 5031 rv = EINVAL; 5032 break; 5033 } 5034 /* 5035 * We have a very specific idea of which fields we 5036 * allow being passed back from userland, so to not 5037 * clobber our current state. For one, we only allow 5038 * setting anything if LCP is in dead or establish 5039 * phase. Once the authentication negotiations 5040 * started, the authentication settings must not be 5041 * changed again. (The administrator can force an 5042 * ifconfig down in order to get LCP back into dead 5043 * phase.) 5044 * 5045 * Also, we only allow for authentication parameters to be 5046 * specified. 5047 * 5048 * XXX Should allow to set or clear pp_flags. 5049 * 5050 * Finally, if the respective authentication protocol to 5051 * be used is set differently than 0, but the secret is 5052 * passed as all zeros, we don't trash the existing secret. 5053 * This allows an administrator to change the system name 5054 * only without clobbering the secret (which he didn't get 5055 * back in a previous SPPPIOGDEFS call). However, the 5056 * secrets are cleared if the authentication protocol is 5057 * reset to 0. */ 5058 if (sp->pp_phase != PHASE_DEAD && 5059 sp->pp_phase != PHASE_ESTABLISH) { 5060 rv = EBUSY; 5061 break; 5062 } 5063 5064 if ((spr->defs.myauth.proto != 0 && spr->defs.myauth.proto != PPP_PAP && 5065 spr->defs.myauth.proto != PPP_CHAP) || 5066 (spr->defs.hisauth.proto != 0 && spr->defs.hisauth.proto != PPP_PAP && 5067 spr->defs.hisauth.proto != PPP_CHAP)) { 5068 rv = EINVAL; 5069 break; 5070 } 5071 5072 if (spr->defs.myauth.proto == 0) 5073 /* resetting myauth */ 5074 bzero(&sp->myauth, sizeof sp->myauth); 5075 else { 5076 /* setting/changing myauth */ 5077 sp->myauth.proto = spr->defs.myauth.proto; 5078 bcopy(spr->defs.myauth.name, sp->myauth.name, AUTHNAMELEN); 5079 if (spr->defs.myauth.secret[0] != '\0') 5080 bcopy(spr->defs.myauth.secret, sp->myauth.secret, 5081 AUTHKEYLEN); 5082 } 5083 if (spr->defs.hisauth.proto == 0) 5084 /* resetting hisauth */ 5085 bzero(&sp->hisauth, sizeof sp->hisauth); 5086 else { 5087 /* setting/changing hisauth */ 5088 sp->hisauth.proto = spr->defs.hisauth.proto; 5089 sp->hisauth.flags = spr->defs.hisauth.flags; 5090 bcopy(spr->defs.hisauth.name, sp->hisauth.name, AUTHNAMELEN); 5091 if (spr->defs.hisauth.secret[0] != '\0') 5092 bcopy(spr->defs.hisauth.secret, sp->hisauth.secret, 5093 AUTHKEYLEN); 5094 } 5095 /* set LCP restart timer timeout */ 5096 if (spr->defs.lcp.timeout != 0) 5097 sp->lcp.timeout = spr->defs.lcp.timeout * hz / 1000; 5098 /* set VJ enable and IPv6 disable flags */ 5099 #ifdef INET 5100 if (spr->defs.enable_vj) 5101 sp->confflags |= CONF_ENABLE_VJ; 5102 else 5103 sp->confflags &= ~CONF_ENABLE_VJ; 5104 #endif 5105 #ifdef INET6 5106 if (spr->defs.enable_ipv6) 5107 sp->confflags |= CONF_ENABLE_IPV6; 5108 else 5109 sp->confflags &= ~CONF_ENABLE_IPV6; 5110 #endif 5111 break; 5112 5113 default: 5114 rv = EINVAL; 5115 } 5116 5117 quit: 5118 kfree(spr, M_TEMP); 5119 5120 return (rv); 5121 } 5122 5123 static void 5124 sppp_phase_network(struct sppp *sp) 5125 { 5126 STDDCL; 5127 int i; 5128 u_long mask; 5129 5130 sp->pp_phase = PHASE_NETWORK; 5131 5132 if (debug) 5133 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 5134 sppp_phase_name(sp->pp_phase)); 5135 5136 /* Notify NCPs now. */ 5137 for (i = 0; i < IDX_COUNT; i++) 5138 if ((cps[i])->flags & CP_NCP) 5139 (cps[i])->Open(sp); 5140 5141 /* Send Up events to all NCPs. */ 5142 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5143 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) 5144 (cps[i])->Up(sp); 5145 5146 /* if no NCP is starting, all this was in vain, close down */ 5147 sppp_lcp_check_and_close(sp); 5148 } 5149 5150 5151 static const char * 5152 sppp_cp_type_name(u_char type) 5153 { 5154 static char buf[12]; 5155 switch (type) { 5156 case CONF_REQ: return "conf-req"; 5157 case CONF_ACK: return "conf-ack"; 5158 case CONF_NAK: return "conf-nak"; 5159 case CONF_REJ: return "conf-rej"; 5160 case TERM_REQ: return "term-req"; 5161 case TERM_ACK: return "term-ack"; 5162 case CODE_REJ: return "code-rej"; 5163 case PROTO_REJ: return "proto-rej"; 5164 case ECHO_REQ: return "echo-req"; 5165 case ECHO_REPLY: return "echo-reply"; 5166 case DISC_REQ: return "discard-req"; 5167 } 5168 ksnprintf (buf, sizeof(buf), "cp/0x%x", type); 5169 return buf; 5170 } 5171 5172 static const char * 5173 sppp_auth_type_name(u_short proto, u_char type) 5174 { 5175 static char buf[12]; 5176 switch (proto) { 5177 case PPP_CHAP: 5178 switch (type) { 5179 case CHAP_CHALLENGE: return "challenge"; 5180 case CHAP_RESPONSE: return "response"; 5181 case CHAP_SUCCESS: return "success"; 5182 case CHAP_FAILURE: return "failure"; 5183 } 5184 case PPP_PAP: 5185 switch (type) { 5186 case PAP_REQ: return "req"; 5187 case PAP_ACK: return "ack"; 5188 case PAP_NAK: return "nak"; 5189 } 5190 } 5191 ksnprintf (buf, sizeof(buf), "auth/0x%x", type); 5192 return buf; 5193 } 5194 5195 static const char * 5196 sppp_lcp_opt_name(u_char opt) 5197 { 5198 static char buf[12]; 5199 switch (opt) { 5200 case LCP_OPT_MRU: return "mru"; 5201 case LCP_OPT_ASYNC_MAP: return "async-map"; 5202 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 5203 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 5204 case LCP_OPT_MAGIC: return "magic"; 5205 case LCP_OPT_PROTO_COMP: return "proto-comp"; 5206 case LCP_OPT_ADDR_COMP: return "addr-comp"; 5207 } 5208 ksnprintf (buf, sizeof(buf), "lcp/0x%x", opt); 5209 return buf; 5210 } 5211 5212 static const char * 5213 sppp_ipcp_opt_name(u_char opt) 5214 { 5215 static char buf[12]; 5216 switch (opt) { 5217 case IPCP_OPT_ADDRESSES: return "addresses"; 5218 case IPCP_OPT_COMPRESSION: return "compression"; 5219 case IPCP_OPT_ADDRESS: return "address"; 5220 } 5221 ksnprintf (buf, sizeof(buf), "ipcp/0x%x", opt); 5222 return buf; 5223 } 5224 5225 #ifdef INET6 5226 static const char * 5227 sppp_ipv6cp_opt_name(u_char opt) 5228 { 5229 static char buf[12]; 5230 switch (opt) { 5231 case IPV6CP_OPT_IFID: return "ifid"; 5232 case IPV6CP_OPT_COMPRESSION: return "compression"; 5233 } 5234 ksprintf (buf, "0x%x", opt); 5235 return buf; 5236 } 5237 #endif 5238 5239 static const char * 5240 sppp_state_name(int state) 5241 { 5242 switch (state) { 5243 case STATE_INITIAL: return "initial"; 5244 case STATE_STARTING: return "starting"; 5245 case STATE_CLOSED: return "closed"; 5246 case STATE_STOPPED: return "stopped"; 5247 case STATE_CLOSING: return "closing"; 5248 case STATE_STOPPING: return "stopping"; 5249 case STATE_REQ_SENT: return "req-sent"; 5250 case STATE_ACK_RCVD: return "ack-rcvd"; 5251 case STATE_ACK_SENT: return "ack-sent"; 5252 case STATE_OPENED: return "opened"; 5253 } 5254 return "illegal"; 5255 } 5256 5257 static const char * 5258 sppp_phase_name(enum ppp_phase phase) 5259 { 5260 switch (phase) { 5261 case PHASE_DEAD: return "dead"; 5262 case PHASE_ESTABLISH: return "establish"; 5263 case PHASE_TERMINATE: return "terminate"; 5264 case PHASE_AUTHENTICATE: return "authenticate"; 5265 case PHASE_NETWORK: return "network"; 5266 } 5267 return "illegal"; 5268 } 5269 5270 static const char * 5271 sppp_proto_name(u_short proto) 5272 { 5273 static char buf[12]; 5274 switch (proto) { 5275 case PPP_LCP: return "lcp"; 5276 case PPP_IPCP: return "ipcp"; 5277 case PPP_PAP: return "pap"; 5278 case PPP_CHAP: return "chap"; 5279 case PPP_IPV6CP: return "ipv6cp"; 5280 } 5281 ksnprintf(buf, sizeof(buf), "proto/0x%x", (unsigned)proto); 5282 return buf; 5283 } 5284 5285 static void 5286 sppp_print_bytes(const u_char *p, u_short len) 5287 { 5288 char hexstr[len]; 5289 if (len) 5290 log(-1, " %s", hexncpy(p, len, hexstr, HEX_NCPYLEN(len), "-")); 5291 } 5292 5293 static void 5294 sppp_print_string(const char *p, u_short len) 5295 { 5296 u_char c; 5297 5298 while (len-- > 0) { 5299 c = *p++; 5300 /* 5301 * Print only ASCII chars directly. RFC 1994 recommends 5302 * using only them, but we don't rely on it. */ 5303 if (c < ' ' || c > '~') 5304 log(-1, "\\x%x", c); 5305 else 5306 log(-1, "%c", c); 5307 } 5308 } 5309 5310 static const char * 5311 sppp_dotted_quad(u_long addr) 5312 { 5313 static char s[16]; 5314 ksprintf(s, "%d.%d.%d.%d", 5315 (int)((addr >> 24) & 0xff), 5316 (int)((addr >> 16) & 0xff), 5317 (int)((addr >> 8) & 0xff), 5318 (int)(addr & 0xff)); 5319 return s; 5320 } 5321 5322 /* a dummy, used to drop uninteresting events */ 5323 static void 5324 sppp_null(struct sppp *unused) 5325 { 5326 /* do just nothing */ 5327 } 5328