1 /* 2 * Synchronous PPP/Cisco link level subroutines. 3 * Keepalive protocol implemented in both Cisco and PPP modes. 4 * 5 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 6 * Author: Serge Vakulenko, <vak@cronyx.ru> 7 * 8 * Heavily revamped to conform to RFC 1661. 9 * Copyright (C) 1997, 2001 Joerg Wunsch. 10 * 11 * This software is distributed with NO WARRANTIES, not even the implied 12 * warranties for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 13 * 14 * Authors grant any other persons or organisations permission to use 15 * or modify this software as long as this message is kept with the software, 16 * all derivative works or modified versions. 17 * 18 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 19 * 20 * $FreeBSD: src/sys/net/if_spppsubr.c,v 1.59.2.13 2002/07/03 15:44:41 joerg Exp $ 21 * $DragonFly: src/sys/net/sppp/if_spppsubr.c,v 1.35 2008/06/09 11:24:24 sephe Exp $ 22 */ 23 24 #include <sys/param.h> 25 26 #if defined(__DragonFly__) 27 #include "opt_inet.h" 28 #include "opt_inet6.h" 29 #include "opt_ipx.h" 30 #endif 31 32 #ifdef NetBSD1_3 33 # if NetBSD1_3 > 6 34 # include "opt_inet.h" 35 # include "opt_inet6.h" 36 # include "opt_iso.h" 37 # endif 38 #endif 39 40 #include <sys/systm.h> 41 #include <sys/kernel.h> 42 #include <sys/module.h> 43 #include <sys/sockio.h> 44 #include <sys/socket.h> 45 #include <sys/syslog.h> 46 #if defined(__DragonFly__) 47 #include <sys/random.h> 48 #include <sys/thread2.h> 49 #endif 50 #include <sys/malloc.h> 51 #include <sys/mbuf.h> 52 53 #if defined (__OpenBSD__) 54 #include <sys/md5k.h> 55 #else 56 #include <sys/md5.h> 57 #endif 58 59 #include <net/if.h> 60 #include <net/ifq_var.h> 61 #include <net/netisr.h> 62 #include <net/if_types.h> 63 #include <net/route.h> 64 #include <netinet/in.h> 65 #include <netinet/in_systm.h> 66 #include <netinet/ip.h> 67 #include <net/slcompress.h> 68 69 #if defined (__NetBSD__) || defined (__OpenBSD__) 70 #include <machine/cpu.h> /* XXX for softnet */ 71 #endif 72 73 #include <machine/stdarg.h> 74 75 #include <netinet/in.h> 76 #include <netinet/in_systm.h> 77 #include <netinet/in_var.h> 78 79 #ifdef INET 80 #include <netinet/ip.h> 81 #include <netinet/tcp.h> 82 #endif 83 84 #if defined (__DragonFly__) || defined (__OpenBSD__) 85 # include <netinet/if_ether.h> 86 #else 87 # include <net/ethertypes.h> 88 #endif 89 90 #ifdef IPX 91 #include <netproto/ipx/ipx.h> 92 #include <netproto/ipx/ipx_if.h> 93 #endif 94 95 #ifdef NS 96 #include <netns/ns.h> 97 #include <netns/ns_if.h> 98 #endif 99 100 #include "if_sppp.h" 101 102 #define IOCTL_CMD_T u_long 103 #define MAXALIVECNT 3 /* max. alive packets */ 104 105 /* 106 * Interface flags that can be set in an ifconfig command. 107 * 108 * Setting link0 will make the link passive, i.e. it will be marked 109 * as being administrative openable, but won't be opened to begin 110 * with. Incoming calls will be answered, or subsequent calls with 111 * -link1 will cause the administrative open of the LCP layer. 112 * 113 * Setting link1 will cause the link to auto-dial only as packets 114 * arrive to be sent. 115 * 116 * Setting IFF_DEBUG will syslog the option negotiation and state 117 * transitions at level kern.debug. Note: all logs consistently look 118 * like 119 * 120 * <if-name><unit>: <proto-name> <additional info...> 121 * 122 * with <if-name><unit> being something like "bppp0", and <proto-name> 123 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 124 */ 125 126 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 127 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 128 #define IFF_CISCO IFF_LINK2 /* auto-dial on output */ 129 130 #define PPP_ALLSTATIONS 0xff /* All-Stations broadcast address */ 131 #define PPP_UI 0x03 /* Unnumbered Information */ 132 #define PPP_IP 0x0021 /* Internet Protocol */ 133 #define PPP_ISO 0x0023 /* ISO OSI Protocol */ 134 #define PPP_XNS 0x0025 /* Xerox NS Protocol */ 135 #define PPP_IPX 0x002b /* Novell IPX Protocol */ 136 #define PPP_VJ_COMP 0x002d /* VJ compressed TCP/IP */ 137 #define PPP_VJ_UCOMP 0x002f /* VJ uncompressed TCP/IP */ 138 #define PPP_IPV6 0x0057 /* Internet Protocol Version 6 */ 139 #define PPP_LCP 0xc021 /* Link Control Protocol */ 140 #define PPP_PAP 0xc023 /* Password Authentication Protocol */ 141 #define PPP_CHAP 0xc223 /* Challenge-Handshake Auth Protocol */ 142 #define PPP_IPCP 0x8021 /* Internet Protocol Control Protocol */ 143 #define PPP_IPV6CP 0x8057 /* IPv6 Control Protocol */ 144 145 #define CONF_REQ 1 /* PPP configure request */ 146 #define CONF_ACK 2 /* PPP configure acknowledge */ 147 #define CONF_NAK 3 /* PPP configure negative ack */ 148 #define CONF_REJ 4 /* PPP configure reject */ 149 #define TERM_REQ 5 /* PPP terminate request */ 150 #define TERM_ACK 6 /* PPP terminate acknowledge */ 151 #define CODE_REJ 7 /* PPP code reject */ 152 #define PROTO_REJ 8 /* PPP protocol reject */ 153 #define ECHO_REQ 9 /* PPP echo request */ 154 #define ECHO_REPLY 10 /* PPP echo reply */ 155 #define DISC_REQ 11 /* PPP discard request */ 156 157 #define LCP_OPT_MRU 1 /* maximum receive unit */ 158 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 159 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 160 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 161 #define LCP_OPT_MAGIC 5 /* magic number */ 162 #define LCP_OPT_RESERVED 6 /* reserved */ 163 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 164 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 165 166 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 167 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol (VJ) */ 168 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 169 170 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 171 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 172 173 #define IPCP_COMP_VJ 0x2d /* Code for VJ compression */ 174 175 #define PAP_REQ 1 /* PAP name/password request */ 176 #define PAP_ACK 2 /* PAP acknowledge */ 177 #define PAP_NAK 3 /* PAP fail */ 178 179 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 180 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 181 #define CHAP_SUCCESS 3 /* CHAP response ok */ 182 #define CHAP_FAILURE 4 /* CHAP response failed */ 183 184 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 185 186 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 187 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 188 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 189 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 190 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 191 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 192 193 /* states are named and numbered according to RFC 1661 */ 194 #define STATE_INITIAL 0 195 #define STATE_STARTING 1 196 #define STATE_CLOSED 2 197 #define STATE_STOPPED 3 198 #define STATE_CLOSING 4 199 #define STATE_STOPPING 5 200 #define STATE_REQ_SENT 6 201 #define STATE_ACK_RCVD 7 202 #define STATE_ACK_SENT 8 203 #define STATE_OPENED 9 204 205 struct ppp_header { 206 u_char address; 207 u_char control; 208 u_short protocol; 209 } __attribute__((__packed__)); 210 #define PPP_HEADER_LEN sizeof (struct ppp_header) 211 212 struct lcp_header { 213 u_char type; 214 u_char ident; 215 u_short len; 216 } __attribute__((__packed__)); 217 #define LCP_HEADER_LEN sizeof (struct lcp_header) 218 219 struct cisco_packet { 220 u_long type; 221 u_long par1; 222 u_long par2; 223 u_short rel; 224 u_short time0; 225 u_short time1; 226 } __attribute__((__packed__)); 227 #define CISCO_PACKET_LEN sizeof (struct cisco_packet) 228 229 /* 230 * We follow the spelling and capitalization of RFC 1661 here, to make 231 * it easier comparing with the standard. Please refer to this RFC in 232 * case you can't make sense out of these abbreviation; it will also 233 * explain the semantics related to the various events and actions. 234 */ 235 struct cp { 236 u_short proto; /* PPP control protocol number */ 237 u_char protoidx; /* index into state table in struct sppp */ 238 u_char flags; 239 #define CP_LCP 0x01 /* this is the LCP */ 240 #define CP_AUTH 0x02 /* this is an authentication protocol */ 241 #define CP_NCP 0x04 /* this is a NCP */ 242 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 243 const char *name; /* name of this control protocol */ 244 /* event handlers */ 245 void (*Up)(struct sppp *sp); 246 void (*Down)(struct sppp *sp); 247 void (*Open)(struct sppp *sp); 248 void (*Close)(struct sppp *sp); 249 void (*TO)(void *sp); 250 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 251 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 252 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 253 /* actions */ 254 void (*tlu)(struct sppp *sp); 255 void (*tld)(struct sppp *sp); 256 void (*tls)(struct sppp *sp); 257 void (*tlf)(struct sppp *sp); 258 void (*scr)(struct sppp *sp); 259 }; 260 261 static struct sppp *spppq; 262 #if defined(__DragonFly__) 263 static struct callout keepalive_timeout; 264 #endif 265 266 #if defined(__FreeBSD__) && __FreeBSD__ >= 3 && !defined(__DragonFly__) 267 #define SPP_FMT "%s%d: " 268 #define SPP_ARGS(ifp) (ifp)->if_name, (ifp)->if_unit 269 #else 270 #define SPP_FMT "%s: " 271 #define SPP_ARGS(ifp) (ifp)->if_xname 272 #endif 273 274 #ifdef INET 275 /* 276 * The following disgusting hack gets around the problem that IP TOS 277 * can't be set yet. We want to put "interactive" traffic on a high 278 * priority queue. To decide if traffic is interactive, we check that 279 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 280 * 281 * XXX is this really still necessary? - joerg - 282 */ 283 static u_short interactive_ports[8] = { 284 0, 513, 0, 0, 285 0, 21, 0, 23, 286 }; 287 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 288 #endif 289 290 /* almost every function needs these */ 291 #define STDDCL \ 292 struct ifnet *ifp = &sp->pp_if; \ 293 int debug = ifp->if_flags & IFF_DEBUG 294 295 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 296 struct sockaddr *dst, struct rtentry *rt); 297 298 static void sppp_cisco_send(struct sppp *sp, int type, long par1, long par2); 299 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 300 301 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 302 struct mbuf *m); 303 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 304 u_char ident, u_short len, void *data); 305 /* static void sppp_cp_timeout(void *arg); */ 306 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 307 int newstate); 308 static void sppp_auth_send(const struct cp *cp, 309 struct sppp *sp, unsigned int type, unsigned int id, 310 ...); 311 312 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 313 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 314 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 315 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 316 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 317 318 static void sppp_null(struct sppp *sp); 319 320 static void sppp_lcp_init(struct sppp *sp); 321 static void sppp_lcp_up(struct sppp *sp); 322 static void sppp_lcp_down(struct sppp *sp); 323 static void sppp_lcp_open(struct sppp *sp); 324 static void sppp_lcp_close(struct sppp *sp); 325 static void sppp_lcp_TO(void *sp); 326 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 327 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 328 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 329 static void sppp_lcp_tlu(struct sppp *sp); 330 static void sppp_lcp_tld(struct sppp *sp); 331 static void sppp_lcp_tls(struct sppp *sp); 332 static void sppp_lcp_tlf(struct sppp *sp); 333 static void sppp_lcp_scr(struct sppp *sp); 334 static void sppp_lcp_check_and_close(struct sppp *sp); 335 static int sppp_ncp_check(struct sppp *sp); 336 337 static void sppp_ipcp_init(struct sppp *sp); 338 static void sppp_ipcp_up(struct sppp *sp); 339 static void sppp_ipcp_down(struct sppp *sp); 340 static void sppp_ipcp_open(struct sppp *sp); 341 static void sppp_ipcp_close(struct sppp *sp); 342 static void sppp_ipcp_TO(void *sp); 343 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 344 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 345 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 346 static void sppp_ipcp_tlu(struct sppp *sp); 347 static void sppp_ipcp_tld(struct sppp *sp); 348 static void sppp_ipcp_tls(struct sppp *sp); 349 static void sppp_ipcp_tlf(struct sppp *sp); 350 static void sppp_ipcp_scr(struct sppp *sp); 351 352 static void sppp_ipv6cp_init(struct sppp *sp); 353 static void sppp_ipv6cp_up(struct sppp *sp); 354 static void sppp_ipv6cp_down(struct sppp *sp); 355 static void sppp_ipv6cp_open(struct sppp *sp); 356 static void sppp_ipv6cp_close(struct sppp *sp); 357 static void sppp_ipv6cp_TO(void *sp); 358 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 359 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 360 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 361 static void sppp_ipv6cp_tlu(struct sppp *sp); 362 static void sppp_ipv6cp_tld(struct sppp *sp); 363 static void sppp_ipv6cp_tls(struct sppp *sp); 364 static void sppp_ipv6cp_tlf(struct sppp *sp); 365 static void sppp_ipv6cp_scr(struct sppp *sp); 366 367 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 368 static void sppp_pap_init(struct sppp *sp); 369 static void sppp_pap_open(struct sppp *sp); 370 static void sppp_pap_close(struct sppp *sp); 371 static void sppp_pap_TO(void *sp); 372 static void sppp_pap_my_TO(void *sp); 373 static void sppp_pap_tlu(struct sppp *sp); 374 static void sppp_pap_tld(struct sppp *sp); 375 static void sppp_pap_scr(struct sppp *sp); 376 377 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 378 static void sppp_chap_init(struct sppp *sp); 379 static void sppp_chap_open(struct sppp *sp); 380 static void sppp_chap_close(struct sppp *sp); 381 static void sppp_chap_TO(void *sp); 382 static void sppp_chap_tlu(struct sppp *sp); 383 static void sppp_chap_tld(struct sppp *sp); 384 static void sppp_chap_scr(struct sppp *sp); 385 386 static const char *sppp_auth_type_name(u_short proto, u_char type); 387 static const char *sppp_cp_type_name(u_char type); 388 static const char *sppp_dotted_quad(u_long addr); 389 static const char *sppp_ipcp_opt_name(u_char opt); 390 #ifdef INET6 391 static const char *sppp_ipv6cp_opt_name(u_char opt); 392 #endif 393 static const char *sppp_lcp_opt_name(u_char opt); 394 static const char *sppp_phase_name(enum ppp_phase phase); 395 static const char *sppp_proto_name(u_short proto); 396 static const char *sppp_state_name(int state); 397 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 398 static int sppp_strnlen(u_char *p, int max); 399 static void sppp_get_ip_addrs(struct sppp *sp, u_long *src, u_long *dst, 400 u_long *srcmask); 401 static void sppp_keepalive(void *dummy); 402 static void sppp_phase_network(struct sppp *sp); 403 static void sppp_print_bytes(const u_char *p, u_short len); 404 static void sppp_print_string(const char *p, u_short len); 405 static void sppp_set_ip_addr(struct sppp *sp, u_long src); 406 #ifdef INET6 407 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 408 struct in6_addr *dst, struct in6_addr *srcmask); 409 #ifdef IPV6CP_MYIFID_DYN 410 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 411 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 412 #endif 413 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 414 #endif 415 416 /* our control protocol descriptors */ 417 static const struct cp lcp = { 418 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 419 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 420 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 421 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 422 sppp_lcp_scr 423 }; 424 425 static const struct cp ipcp = { 426 PPP_IPCP, IDX_IPCP, CP_NCP, "ipcp", 427 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 428 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 429 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 430 sppp_ipcp_scr 431 }; 432 433 static const struct cp ipv6cp = { 434 PPP_IPV6CP, IDX_IPV6CP, 435 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 436 CP_NCP, 437 #else 438 0, 439 #endif 440 "ipv6cp", 441 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 442 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 443 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 444 sppp_ipv6cp_scr 445 }; 446 447 static const struct cp pap = { 448 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 449 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 450 sppp_pap_TO, 0, 0, 0, 451 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 452 sppp_pap_scr 453 }; 454 455 static const struct cp chap = { 456 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 457 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 458 sppp_chap_TO, 0, 0, 0, 459 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 460 sppp_chap_scr 461 }; 462 463 static const struct cp *cps[IDX_COUNT] = { 464 &lcp, /* IDX_LCP */ 465 &ipcp, /* IDX_IPCP */ 466 &ipv6cp, /* IDX_IPV6CP */ 467 &pap, /* IDX_PAP */ 468 &chap, /* IDX_CHAP */ 469 }; 470 471 static int 472 sppp_modevent(module_t mod, int type, void *unused) 473 { 474 switch (type) { 475 case MOD_LOAD: 476 callout_init(&keepalive_timeout); 477 break; 478 case MOD_UNLOAD: 479 return EACCES; 480 break; 481 default: 482 break; 483 } 484 return 0; 485 } 486 static moduledata_t spppmod = { 487 "sppp", 488 sppp_modevent, 489 0 490 }; 491 MODULE_VERSION(sppp, 1); 492 DECLARE_MODULE(sppp, spppmod, SI_SUB_DRIVERS, SI_ORDER_ANY); 493 494 /* 495 * Exported functions, comprising our interface to the lower layer. 496 */ 497 498 /* 499 * Process the received packet. 500 */ 501 void 502 sppp_input(struct ifnet *ifp, struct mbuf *m) 503 { 504 struct ppp_header *h; 505 int isr = -1; 506 struct sppp *sp = (struct sppp *)ifp; 507 u_char *iphdr; 508 int hlen, vjlen, do_account = 0; 509 int debug = ifp->if_flags & IFF_DEBUG; 510 511 if (ifp->if_flags & IFF_UP) 512 /* Count received bytes, add FCS and one flag */ 513 ifp->if_ibytes += m->m_pkthdr.len + 3; 514 515 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 516 /* Too small packet, drop it. */ 517 if (debug) 518 log(LOG_DEBUG, 519 SPP_FMT "input packet is too small, %d bytes\n", 520 SPP_ARGS(ifp), m->m_pkthdr.len); 521 drop: 522 m_freem (m); 523 drop2: 524 ++ifp->if_ierrors; 525 ++ifp->if_iqdrops; 526 return; 527 } 528 529 /* Get PPP header. */ 530 h = mtod (m, struct ppp_header*); 531 m_adj (m, PPP_HEADER_LEN); 532 533 switch (h->address) { 534 case PPP_ALLSTATIONS: 535 if (h->control != PPP_UI) 536 goto invalid; 537 if (sp->pp_mode == IFF_CISCO) { 538 if (debug) 539 log(LOG_DEBUG, 540 SPP_FMT "PPP packet in Cisco mode " 541 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 542 SPP_ARGS(ifp), 543 h->address, h->control, ntohs(h->protocol)); 544 goto drop; 545 } 546 switch (ntohs (h->protocol)) { 547 default: 548 if (debug) 549 log(LOG_DEBUG, 550 SPP_FMT "rejecting protocol " 551 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 552 SPP_ARGS(ifp), 553 h->address, h->control, ntohs(h->protocol)); 554 if (sp->state[IDX_LCP] == STATE_OPENED) 555 sppp_cp_send (sp, PPP_LCP, PROTO_REJ, 556 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 557 &h->protocol); 558 ++ifp->if_noproto; 559 goto drop; 560 case PPP_LCP: 561 sppp_cp_input(&lcp, sp, m); 562 m_freem (m); 563 return; 564 case PPP_PAP: 565 if (sp->pp_phase >= PHASE_AUTHENTICATE) 566 sppp_pap_input(sp, m); 567 m_freem (m); 568 return; 569 case PPP_CHAP: 570 if (sp->pp_phase >= PHASE_AUTHENTICATE) 571 sppp_chap_input(sp, m); 572 m_freem (m); 573 return; 574 #ifdef INET 575 case PPP_IPCP: 576 if (sp->pp_phase == PHASE_NETWORK) 577 sppp_cp_input(&ipcp, sp, m); 578 m_freem (m); 579 return; 580 case PPP_IP: 581 if (sp->state[IDX_IPCP] == STATE_OPENED) { 582 isr = NETISR_IP; 583 } 584 do_account++; 585 break; 586 case PPP_VJ_COMP: 587 if (sp->state[IDX_IPCP] == STATE_OPENED) { 588 if ((vjlen = 589 sl_uncompress_tcp_core(mtod(m, u_char *), 590 m->m_len, m->m_len, 591 TYPE_COMPRESSED_TCP, 592 sp->pp_comp, 593 &iphdr, &hlen)) <= 0) { 594 if (debug) 595 log(LOG_INFO, 596 SPP_FMT "VJ uncompress failed on compressed packet\n", 597 SPP_ARGS(ifp)); 598 goto drop; 599 } 600 601 /* 602 * Trim the VJ header off the packet, and prepend 603 * the uncompressed IP header (which will usually 604 * end up in two chained mbufs since there's not 605 * enough leading space in the existing mbuf). 606 */ 607 m_adj(m, vjlen); 608 M_PREPEND(m, hlen, MB_DONTWAIT); 609 if (m == NULL) 610 goto drop2; 611 bcopy(iphdr, mtod(m, u_char *), hlen); 612 613 isr = NETISR_IP; 614 } 615 do_account++; 616 break; 617 case PPP_VJ_UCOMP: 618 if (sp->state[IDX_IPCP] == STATE_OPENED) { 619 if (sl_uncompress_tcp_core(mtod(m, u_char *), 620 m->m_len, m->m_len, 621 TYPE_UNCOMPRESSED_TCP, 622 sp->pp_comp, 623 &iphdr, &hlen) != 0) { 624 if (debug) 625 log(LOG_INFO, 626 SPP_FMT "VJ uncompress failed on uncompressed packet\n", 627 SPP_ARGS(ifp)); 628 goto drop; 629 } 630 isr = NETISR_IP; 631 } 632 do_account++; 633 break; 634 #endif 635 #ifdef INET6 636 case PPP_IPV6CP: 637 if (sp->pp_phase == PHASE_NETWORK) 638 sppp_cp_input(&ipv6cp, sp, m); 639 m_freem (m); 640 return; 641 642 case PPP_IPV6: 643 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 644 isr = NETISR_IPV6; 645 } 646 do_account++; 647 break; 648 #endif 649 #ifdef IPX 650 case PPP_IPX: 651 /* IPX IPXCP not implemented yet */ 652 if (sp->pp_phase == PHASE_NETWORK) { 653 isr = NETISR_IPX; 654 } 655 do_account++; 656 break; 657 #endif 658 #ifdef NS 659 case PPP_XNS: 660 /* XNS IDPCP not implemented yet */ 661 if (sp->pp_phase == PHASE_NETWORK) { 662 isr = NETISR_NS; 663 } 664 do_account++; 665 break; 666 #endif 667 } 668 break; 669 case CISCO_MULTICAST: 670 case CISCO_UNICAST: 671 /* Don't check the control field here (RFC 1547). */ 672 if (sp->pp_mode != IFF_CISCO) { 673 if (debug) 674 log(LOG_DEBUG, 675 SPP_FMT "Cisco packet in PPP mode " 676 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 677 SPP_ARGS(ifp), 678 h->address, h->control, ntohs(h->protocol)); 679 goto drop; 680 } 681 switch (ntohs (h->protocol)) { 682 default: 683 ++ifp->if_noproto; 684 goto invalid; 685 case CISCO_KEEPALIVE: 686 sppp_cisco_input ((struct sppp*) ifp, m); 687 m_freem (m); 688 return; 689 #ifdef INET 690 case ETHERTYPE_IP: 691 isr = NETISR_IP; 692 do_account++; 693 break; 694 #endif 695 #ifdef INET6 696 case ETHERTYPE_IPV6: 697 isr = NETISR_IPV6; 698 do_account++; 699 break; 700 #endif 701 #ifdef IPX 702 case ETHERTYPE_IPX: 703 isr = NETISR_IPX; 704 do_account++; 705 break; 706 #endif 707 #ifdef NS 708 case ETHERTYPE_NS: 709 isr = NETISR_NS 710 do_account++; 711 break; 712 #endif 713 } 714 break; 715 default: /* Invalid PPP packet. */ 716 invalid: 717 if (debug) 718 log(LOG_DEBUG, 719 SPP_FMT "invalid input packet " 720 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 721 SPP_ARGS(ifp), 722 h->address, h->control, ntohs(h->protocol)); 723 goto drop; 724 } 725 726 if (! (ifp->if_flags & IFF_UP) || isr < 0) 727 goto drop; 728 729 /* Check queue. */ 730 731 netisr_queue(isr, m); 732 733 /* 734 * Do only account for network packets, not for control 735 * packets. This is used by some subsystems to detect 736 * idle lines. 737 */ 738 if (do_account) 739 sp->pp_last_recv = time_second; 740 } 741 742 /* 743 * Enqueue transmit packet. 744 */ 745 static int 746 sppp_output_serialized(struct ifnet *ifp, struct mbuf *m, 747 struct sockaddr *dst, struct rtentry *rt) 748 { 749 struct sppp *sp = (struct sppp*) ifp; 750 struct ppp_header *h; 751 struct ifqueue *ifq = NULL; 752 int rv = 0; 753 int ipproto = PPP_IP; 754 int debug = ifp->if_flags & IFF_DEBUG; 755 struct altq_pktattr pktattr; 756 757 crit_enter(); 758 759 if ((ifp->if_flags & IFF_UP) == 0 || 760 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 761 #ifdef INET6 762 drop: 763 #endif 764 m_freem (m); 765 crit_exit(); 766 return (ENETDOWN); 767 } 768 769 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 770 #ifdef INET6 771 /* 772 * XXX 773 * 774 * Hack to prevent the initialization-time generated 775 * IPv6 multicast packet to erroneously cause a 776 * dialout event in case IPv6 has been 777 * administratively disabled on that interface. 778 */ 779 if (dst->sa_family == AF_INET6 && 780 !(sp->confflags & CONF_ENABLE_IPV6)) 781 goto drop; 782 #endif 783 /* 784 * Interface is not yet running, but auto-dial. Need 785 * to start LCP for it. 786 */ 787 ifp->if_flags |= IFF_RUNNING; 788 crit_exit(); 789 lcp.Open(sp); 790 crit_enter(); 791 } 792 793 /* 794 * if the queueing discipline needs packet classification, 795 * do it before prepending link headers. 796 */ 797 ifq_classify(&ifp->if_snd, m, dst->sa_family, &pktattr); 798 799 #ifdef INET 800 if (dst->sa_family == AF_INET) { 801 /* XXX Check mbuf length here? */ 802 struct ip *ip = mtod (m, struct ip*); 803 struct tcphdr *tcp = (struct tcphdr*) ((long*)ip + ip->ip_hl); 804 805 /* 806 * When using dynamic local IP address assignment by using 807 * 0.0.0.0 as a local address, the first TCP session will 808 * not connect because the local TCP checksum is computed 809 * using 0.0.0.0 which will later become our real IP address 810 * so the TCP checksum computed at the remote end will 811 * become invalid. So we 812 * - don't let packets with src ip addr 0 thru 813 * - we flag TCP packets with src ip 0 as an error 814 */ 815 816 if(ip->ip_src.s_addr == INADDR_ANY) /* -hm */ 817 { 818 m_freem(m); 819 crit_exit(); 820 if(ip->ip_p == IPPROTO_TCP) 821 return(EADDRNOTAVAIL); 822 else 823 return(0); 824 } 825 826 /* 827 * Put low delay, telnet, rlogin and ftp control packets 828 * in front of the queue. 829 */ 830 if (IF_QFULL (&sp->pp_fastq)) 831 ; 832 else if (ip->ip_tos & IPTOS_LOWDELAY) 833 ifq = &sp->pp_fastq; 834 else if (m->m_len < sizeof *ip + sizeof *tcp) 835 ; 836 else if (ip->ip_p != IPPROTO_TCP) 837 ; 838 else if (INTERACTIVE (ntohs (tcp->th_sport))) 839 ifq = &sp->pp_fastq; 840 else if (INTERACTIVE (ntohs (tcp->th_dport))) 841 ifq = &sp->pp_fastq; 842 843 /* 844 * Do IP Header compression 845 */ 846 if (sp->pp_mode != IFF_CISCO && (sp->ipcp.flags & IPCP_VJ) && 847 ip->ip_p == IPPROTO_TCP) 848 switch (sl_compress_tcp(m, ip, sp->pp_comp, 849 sp->ipcp.compress_cid)) { 850 case TYPE_COMPRESSED_TCP: 851 ipproto = PPP_VJ_COMP; 852 break; 853 case TYPE_UNCOMPRESSED_TCP: 854 ipproto = PPP_VJ_UCOMP; 855 break; 856 case TYPE_IP: 857 ipproto = PPP_IP; 858 break; 859 default: 860 m_freem(m); 861 crit_exit(); 862 return (EINVAL); 863 } 864 } 865 #endif 866 867 #ifdef INET6 868 if (dst->sa_family == AF_INET6) { 869 /* XXX do something tricky here? */ 870 } 871 #endif 872 873 /* 874 * Prepend general data packet PPP header. For now, IP only. 875 */ 876 M_PREPEND (m, PPP_HEADER_LEN, MB_DONTWAIT); 877 if (! m) { 878 if (debug) 879 log(LOG_DEBUG, SPP_FMT "no memory for transmit header\n", 880 SPP_ARGS(ifp)); 881 ++ifp->if_oerrors; 882 crit_exit(); 883 return (ENOBUFS); 884 } 885 /* 886 * May want to check size of packet 887 * (albeit due to the implementation it's always enough) 888 */ 889 h = mtod (m, struct ppp_header*); 890 if (sp->pp_mode == IFF_CISCO) { 891 h->address = CISCO_UNICAST; /* unicast address */ 892 h->control = 0; 893 } else { 894 h->address = PPP_ALLSTATIONS; /* broadcast address */ 895 h->control = PPP_UI; /* Unnumbered Info */ 896 } 897 898 switch (dst->sa_family) { 899 #ifdef INET 900 case AF_INET: /* Internet Protocol */ 901 if (sp->pp_mode == IFF_CISCO) 902 h->protocol = htons (ETHERTYPE_IP); 903 else { 904 /* 905 * Don't choke with an ENETDOWN early. It's 906 * possible that we just started dialing out, 907 * so don't drop the packet immediately. If 908 * we notice that we run out of buffer space 909 * below, we will however remember that we are 910 * not ready to carry IP packets, and return 911 * ENETDOWN, as opposed to ENOBUFS. 912 */ 913 h->protocol = htons(ipproto); 914 if (sp->state[IDX_IPCP] != STATE_OPENED) 915 rv = ENETDOWN; 916 } 917 break; 918 #endif 919 #ifdef INET6 920 case AF_INET6: /* Internet Protocol */ 921 if (sp->pp_mode == IFF_CISCO) 922 h->protocol = htons (ETHERTYPE_IPV6); 923 else { 924 /* 925 * Don't choke with an ENETDOWN early. It's 926 * possible that we just started dialing out, 927 * so don't drop the packet immediately. If 928 * we notice that we run out of buffer space 929 * below, we will however remember that we are 930 * not ready to carry IP packets, and return 931 * ENETDOWN, as opposed to ENOBUFS. 932 */ 933 h->protocol = htons(PPP_IPV6); 934 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 935 rv = ENETDOWN; 936 } 937 break; 938 #endif 939 #ifdef NS 940 case AF_NS: /* Xerox NS Protocol */ 941 h->protocol = htons (sp->pp_mode == IFF_CISCO ? 942 ETHERTYPE_NS : PPP_XNS); 943 break; 944 #endif 945 #ifdef IPX 946 case AF_IPX: /* Novell IPX Protocol */ 947 h->protocol = htons (sp->pp_mode == IFF_CISCO ? 948 ETHERTYPE_IPX : PPP_IPX); 949 break; 950 #endif 951 default: 952 m_freem (m); 953 ++ifp->if_oerrors; 954 crit_exit(); 955 return (EAFNOSUPPORT); 956 } 957 958 /* 959 * Queue message on interface, and start output if interface 960 * not yet active. 961 */ 962 if (ifq != NULL) { 963 if (IF_QFULL(ifq)) { 964 IF_DROP(ifq); 965 m_freem(m); 966 rv = ENOBUFS; 967 ifq->ifq_drops++; 968 } else { 969 IF_ENQUEUE(ifq, m); 970 rv = 0; 971 } 972 } else { 973 rv = ifq_enqueue(&ifp->if_snd, m, &pktattr); 974 } 975 if (rv) { 976 ++ifp->if_oerrors; 977 crit_exit(); 978 return(rv); 979 } 980 if (! (ifp->if_flags & IFF_OACTIVE)) 981 (*ifp->if_start) (ifp); 982 983 /* 984 * Count output packets and bytes. 985 * The packet length includes header, FCS and 1 flag, 986 * according to RFC 1333. 987 */ 988 ifp->if_obytes += m->m_pkthdr.len + 3; 989 990 /* 991 * Unlike in sppp_input(), we can always bump the timestamp 992 * here since sppp_output() is only called on behalf of 993 * network-layer traffic; control-layer traffic is handled 994 * by sppp_cp_send(). 995 */ 996 sp->pp_last_sent = time_second; 997 998 crit_exit(); 999 return (0); 1000 } 1001 1002 static int 1003 sppp_output(struct ifnet *ifp, struct mbuf *m, 1004 struct sockaddr *dst, struct rtentry *rt) 1005 { 1006 int error; 1007 1008 ifnet_serialize_tx(ifp); 1009 error = sppp_output_serialized(ifp, m, dst, rt); 1010 ifnet_deserialize_tx(ifp); 1011 1012 return error; 1013 } 1014 1015 void 1016 sppp_attach(struct ifnet *ifp) 1017 { 1018 struct sppp *sp = (struct sppp*) ifp; 1019 1020 /* Initialize keepalive handler. */ 1021 if (!spppq) { 1022 callout_reset(&keepalive_timeout, hz * 10, 1023 sppp_keepalive, NULL); 1024 } 1025 /* Insert new entry into the keepalive list. */ 1026 sp->pp_next = spppq; 1027 spppq = sp; 1028 1029 sp->pp_if.if_mtu = PP_MTU; 1030 sp->pp_if.if_flags = IFF_POINTOPOINT | IFF_MULTICAST; 1031 sp->pp_if.if_type = IFT_PPP; 1032 sp->pp_if.if_output = sppp_output; 1033 #if 0 1034 sp->pp_flags = PP_KEEPALIVE; 1035 #endif 1036 sp->pp_if.if_snd.ifq_maxlen = 32; 1037 sp->pp_fastq.ifq_maxlen = 32; 1038 sp->pp_cpq.ifq_maxlen = 20; 1039 sp->pp_loopcnt = 0; 1040 sp->pp_alivecnt = 0; 1041 bzero(&sp->pp_seq[0], sizeof(sp->pp_seq)); 1042 bzero(&sp->pp_rseq[0], sizeof(sp->pp_rseq)); 1043 sp->pp_phase = PHASE_DEAD; 1044 sp->pp_up = lcp.Up; 1045 sp->pp_down = lcp.Down; 1046 sp->pp_last_recv = sp->pp_last_sent = time_second; 1047 sp->confflags = 0; 1048 #ifdef INET 1049 sp->confflags |= CONF_ENABLE_VJ; 1050 #endif 1051 #ifdef INET6 1052 sp->confflags |= CONF_ENABLE_IPV6; 1053 #endif 1054 sp->pp_comp = kmalloc(sizeof(struct slcompress), M_TEMP, M_WAITOK); 1055 sl_compress_init(sp->pp_comp, -1); 1056 sppp_lcp_init(sp); 1057 sppp_ipcp_init(sp); 1058 sppp_ipv6cp_init(sp); 1059 sppp_pap_init(sp); 1060 sppp_chap_init(sp); 1061 } 1062 1063 void 1064 sppp_detach(struct ifnet *ifp) 1065 { 1066 struct sppp **q, *p, *sp = (struct sppp*) ifp; 1067 int i; 1068 1069 /* Remove the entry from the keepalive list. */ 1070 for (q = &spppq; (p = *q); q = &p->pp_next) 1071 if (p == sp) { 1072 *q = p->pp_next; 1073 break; 1074 } 1075 1076 /* Stop keepalive handler. */ 1077 if (!spppq) 1078 callout_stop(&keepalive_timeout); 1079 1080 for (i = 0; i < IDX_COUNT; i++) 1081 callout_stop(&sp->timeout[i]); 1082 callout_stop(&sp->pap_my_to); 1083 } 1084 1085 /* 1086 * Flush the interface output queue. 1087 */ 1088 void 1089 sppp_flush(struct ifnet *ifp) 1090 { 1091 struct sppp *sp = (struct sppp*) ifp; 1092 1093 ifq_purge(&sp->pp_if.if_snd); 1094 IF_DRAIN(&sp->pp_fastq); 1095 IF_DRAIN(&sp->pp_cpq); 1096 } 1097 1098 /* 1099 * Check if the output queue is empty. 1100 */ 1101 int 1102 sppp_isempty(struct ifnet *ifp) 1103 { 1104 struct sppp *sp = (struct sppp*) ifp; 1105 int empty; 1106 1107 crit_enter(); 1108 empty = IF_QEMPTY(&sp->pp_fastq) && IF_QEMPTY(&sp->pp_cpq) && 1109 ifq_is_empty(&sp->pp_if.if_snd); 1110 crit_exit(); 1111 return (empty); 1112 } 1113 1114 /* 1115 * Get next packet to send. 1116 */ 1117 struct mbuf * 1118 sppp_dequeue(struct ifnet *ifp) 1119 { 1120 struct sppp *sp = (struct sppp*) ifp; 1121 struct mbuf *m; 1122 1123 crit_enter(); 1124 1125 /* 1126 * Process only the control protocol queue until we have at 1127 * least one NCP open. 1128 * 1129 * Do always serve all three queues in Cisco mode. 1130 */ 1131 IF_DEQUEUE(&sp->pp_cpq, m); 1132 if (m == NULL && 1133 (sppp_ncp_check(sp) || sp->pp_mode == IFF_CISCO)) { 1134 IF_DEQUEUE(&sp->pp_fastq, m); 1135 if (m == NULL) 1136 m = ifq_dequeue(&sp->pp_if.if_snd, NULL); 1137 } 1138 1139 crit_exit(); 1140 return m; 1141 } 1142 1143 /* 1144 * Pick the next packet, do not remove it from the queue. 1145 */ 1146 struct mbuf * 1147 sppp_pick(struct ifnet *ifp) 1148 { 1149 struct sppp *sp = (struct sppp*)ifp; 1150 struct mbuf *m; 1151 1152 crit_enter(); 1153 1154 m = sp->pp_cpq.ifq_head; 1155 if (m == NULL && 1156 (sp->pp_phase == PHASE_NETWORK || sp->pp_mode == IFF_CISCO)) { 1157 if ((m = sp->pp_fastq.ifq_head) == NULL) 1158 m = ifq_poll(&sp->pp_if.if_snd); 1159 } 1160 1161 crit_exit(); 1162 return (m); 1163 } 1164 1165 /* 1166 * Process an ioctl request. Called on low priority level. 1167 */ 1168 int 1169 sppp_ioctl(struct ifnet *ifp, IOCTL_CMD_T cmd, void *data) 1170 { 1171 struct ifreq *ifr = (struct ifreq*) data; 1172 struct sppp *sp = (struct sppp*) ifp; 1173 int rv, going_up, going_down, newmode; 1174 1175 crit_enter(); 1176 1177 rv = 0; 1178 switch (cmd) { 1179 case SIOCAIFADDR: 1180 case SIOCSIFDSTADDR: 1181 break; 1182 1183 case SIOCSIFADDR: 1184 /* set the interface "up" when assigning an IP address */ 1185 ifp->if_flags |= IFF_UP; 1186 /* fall through... */ 1187 1188 case SIOCSIFFLAGS: 1189 going_up = ifp->if_flags & IFF_UP && 1190 (ifp->if_flags & IFF_RUNNING) == 0; 1191 going_down = (ifp->if_flags & IFF_UP) == 0 && 1192 ifp->if_flags & IFF_RUNNING; 1193 1194 newmode = ifp->if_flags & IFF_PASSIVE; 1195 if (!newmode) 1196 newmode = ifp->if_flags & IFF_AUTO; 1197 if (!newmode) 1198 newmode = ifp->if_flags & IFF_CISCO; 1199 ifp->if_flags &= ~(IFF_PASSIVE | IFF_AUTO | IFF_CISCO); 1200 ifp->if_flags |= newmode; 1201 1202 if (newmode != sp->pp_mode) { 1203 going_down = 1; 1204 if (!going_up) 1205 going_up = ifp->if_flags & IFF_RUNNING; 1206 } 1207 1208 if (going_down) { 1209 if (sp->pp_mode != IFF_CISCO) 1210 lcp.Close(sp); 1211 else if (sp->pp_tlf) 1212 (sp->pp_tlf)(sp); 1213 sppp_flush(ifp); 1214 ifp->if_flags &= ~IFF_RUNNING; 1215 sp->pp_mode = newmode; 1216 } 1217 1218 if (going_up) { 1219 if (sp->pp_mode != IFF_CISCO) 1220 lcp.Close(sp); 1221 sp->pp_mode = newmode; 1222 if (sp->pp_mode == 0) { 1223 ifp->if_flags |= IFF_RUNNING; 1224 lcp.Open(sp); 1225 } 1226 if (sp->pp_mode == IFF_CISCO) { 1227 if (sp->pp_tls) 1228 (sp->pp_tls)(sp); 1229 ifp->if_flags |= IFF_RUNNING; 1230 } 1231 } 1232 1233 break; 1234 1235 #ifdef SIOCSIFMTU 1236 #ifndef ifr_mtu 1237 #define ifr_mtu ifr_metric 1238 #endif 1239 case SIOCSIFMTU: 1240 if (ifr->ifr_mtu < 128 || ifr->ifr_mtu > sp->lcp.their_mru) 1241 return (EINVAL); 1242 ifp->if_mtu = ifr->ifr_mtu; 1243 break; 1244 #endif 1245 #ifdef SLIOCSETMTU 1246 case SLIOCSETMTU: 1247 if (*(short*)data < 128 || *(short*)data > sp->lcp.their_mru) 1248 return (EINVAL); 1249 ifp->if_mtu = *(short*)data; 1250 break; 1251 #endif 1252 #ifdef SIOCGIFMTU 1253 case SIOCGIFMTU: 1254 ifr->ifr_mtu = ifp->if_mtu; 1255 break; 1256 #endif 1257 #ifdef SLIOCGETMTU 1258 case SLIOCGETMTU: 1259 *(short*)data = ifp->if_mtu; 1260 break; 1261 #endif 1262 case SIOCADDMULTI: 1263 case SIOCDELMULTI: 1264 break; 1265 1266 case SIOCGIFGENERIC: 1267 case SIOCSIFGENERIC: 1268 rv = sppp_params(sp, cmd, data); 1269 break; 1270 1271 default: 1272 rv = ENOTTY; 1273 } 1274 1275 crit_exit(); 1276 return rv; 1277 } 1278 1279 /* 1280 * Cisco framing implementation. 1281 */ 1282 1283 /* 1284 * Handle incoming Cisco keepalive protocol packets. 1285 */ 1286 static void 1287 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1288 { 1289 STDDCL; 1290 struct cisco_packet *h; 1291 u_long me, mymask; 1292 1293 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1294 if (debug) 1295 log(LOG_DEBUG, 1296 SPP_FMT "cisco invalid packet length: %d bytes\n", 1297 SPP_ARGS(ifp), m->m_pkthdr.len); 1298 return; 1299 } 1300 h = mtod (m, struct cisco_packet*); 1301 if (debug) 1302 log(LOG_DEBUG, 1303 SPP_FMT "cisco input: %d bytes " 1304 "<0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n", 1305 SPP_ARGS(ifp), m->m_pkthdr.len, 1306 (u_long)ntohl (h->type), (u_long)h->par1, (u_long)h->par2, (u_int)h->rel, 1307 (u_int)h->time0, (u_int)h->time1); 1308 switch (ntohl (h->type)) { 1309 default: 1310 if (debug) 1311 log(-1, SPP_FMT "cisco unknown packet type: 0x%lx\n", 1312 SPP_ARGS(ifp), (u_long)ntohl (h->type)); 1313 break; 1314 case CISCO_ADDR_REPLY: 1315 /* Reply on address request, ignore */ 1316 break; 1317 case CISCO_KEEPALIVE_REQ: 1318 sp->pp_alivecnt = 0; 1319 sp->pp_rseq[IDX_LCP] = ntohl (h->par1); 1320 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1321 /* Local and remote sequence numbers are equal. 1322 * Probably, the line is in loopback mode. */ 1323 if (sp->pp_loopcnt >= MAXALIVECNT) { 1324 kprintf (SPP_FMT "loopback\n", 1325 SPP_ARGS(ifp)); 1326 sp->pp_loopcnt = 0; 1327 if (ifp->if_flags & IFF_UP) { 1328 if_down (ifp); 1329 IF_DRAIN(&sp->pp_cpq); 1330 } 1331 } 1332 ++sp->pp_loopcnt; 1333 1334 /* Generate new local sequence number */ 1335 #if defined(__DragonFly__) 1336 sp->pp_seq[IDX_LCP] = krandom(); 1337 #else 1338 sp->pp_seq[IDX_LCP] ^= time.tv_sec ^ time.tv_usec; 1339 #endif 1340 break; 1341 } 1342 sp->pp_loopcnt = 0; 1343 if (! (ifp->if_flags & IFF_UP) && 1344 (ifp->if_flags & IFF_RUNNING)) { 1345 if_up(ifp); 1346 kprintf (SPP_FMT "up\n", SPP_ARGS(ifp)); 1347 } 1348 break; 1349 case CISCO_ADDR_REQ: 1350 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1351 if (me != 0L) 1352 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1353 break; 1354 } 1355 } 1356 1357 /* 1358 * Send Cisco keepalive packet. 1359 */ 1360 static void 1361 sppp_cisco_send(struct sppp *sp, int type, long par1, long par2) 1362 { 1363 STDDCL; 1364 struct ppp_header *h; 1365 struct cisco_packet *ch; 1366 struct mbuf *m; 1367 #if defined(__DragonFly__) 1368 struct timeval tv; 1369 #else 1370 u_long t = (time.tv_sec - boottime.tv_sec) * 1000; 1371 #endif 1372 1373 #if defined(__DragonFly__) 1374 getmicrouptime(&tv); 1375 #endif 1376 1377 MGETHDR (m, MB_DONTWAIT, MT_DATA); 1378 if (! m) 1379 return; 1380 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1381 m->m_pkthdr.rcvif = 0; 1382 1383 h = mtod (m, struct ppp_header*); 1384 h->address = CISCO_MULTICAST; 1385 h->control = 0; 1386 h->protocol = htons (CISCO_KEEPALIVE); 1387 1388 ch = (struct cisco_packet*) (h + 1); 1389 ch->type = htonl (type); 1390 ch->par1 = htonl (par1); 1391 ch->par2 = htonl (par2); 1392 ch->rel = -1; 1393 1394 #if defined(__DragonFly__) 1395 ch->time0 = htons ((u_short) (tv.tv_sec >> 16)); 1396 ch->time1 = htons ((u_short) tv.tv_sec); 1397 #else 1398 ch->time0 = htons ((u_short) (t >> 16)); 1399 ch->time1 = htons ((u_short) t); 1400 #endif 1401 1402 if (debug) 1403 log(LOG_DEBUG, 1404 SPP_FMT "cisco output: <0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n", 1405 SPP_ARGS(ifp), (u_long)ntohl (ch->type), (u_long)ch->par1, 1406 (u_long)ch->par2, (u_int)ch->rel, (u_int)ch->time0, (u_int)ch->time1); 1407 1408 if (IF_QFULL (&sp->pp_cpq)) { 1409 IF_DROP (&sp->pp_fastq); 1410 IF_DROP (&ifp->if_snd); 1411 m_freem (m); 1412 } else 1413 IF_ENQUEUE (&sp->pp_cpq, m); 1414 if (! (ifp->if_flags & IFF_OACTIVE)) 1415 (*ifp->if_start) (ifp); 1416 ifp->if_obytes += m->m_pkthdr.len + 3; 1417 } 1418 1419 /* 1420 * PPP protocol implementation. 1421 */ 1422 1423 /* 1424 * Send PPP control protocol packet. 1425 */ 1426 static void 1427 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1428 u_char ident, u_short len, void *data) 1429 { 1430 STDDCL; 1431 struct ppp_header *h; 1432 struct lcp_header *lh; 1433 struct mbuf *m; 1434 1435 if (len > MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN) 1436 len = MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN; 1437 MGETHDR (m, MB_DONTWAIT, MT_DATA); 1438 if (! m) 1439 return; 1440 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + LCP_HEADER_LEN + len; 1441 m->m_pkthdr.rcvif = 0; 1442 1443 h = mtod (m, struct ppp_header*); 1444 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1445 h->control = PPP_UI; /* Unnumbered Info */ 1446 h->protocol = htons (proto); /* Link Control Protocol */ 1447 1448 lh = (struct lcp_header*) (h + 1); 1449 lh->type = type; 1450 lh->ident = ident; 1451 lh->len = htons (LCP_HEADER_LEN + len); 1452 if (len) 1453 bcopy (data, lh+1, len); 1454 1455 if (debug) { 1456 log(LOG_DEBUG, SPP_FMT "%s output <%s id=0x%x len=%d", 1457 SPP_ARGS(ifp), 1458 sppp_proto_name(proto), 1459 sppp_cp_type_name (lh->type), lh->ident, 1460 ntohs (lh->len)); 1461 sppp_print_bytes ((u_char*) (lh+1), len); 1462 log(-1, ">\n"); 1463 } 1464 if (IF_QFULL (&sp->pp_cpq)) { 1465 IF_DROP (&sp->pp_fastq); 1466 IF_DROP (&ifp->if_snd); 1467 m_freem (m); 1468 ++ifp->if_oerrors; 1469 } else 1470 IF_ENQUEUE (&sp->pp_cpq, m); 1471 if (! (ifp->if_flags & IFF_OACTIVE)) 1472 (*ifp->if_start) (ifp); 1473 ifp->if_obytes += m->m_pkthdr.len + 3; 1474 } 1475 1476 /* 1477 * Handle incoming PPP control protocol packets. 1478 */ 1479 static void 1480 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1481 { 1482 STDDCL; 1483 struct lcp_header *h; 1484 int printlen, len = m->m_pkthdr.len; 1485 int rv; 1486 u_char *p; 1487 1488 if (len < 4) { 1489 if (debug) 1490 log(LOG_DEBUG, 1491 SPP_FMT "%s invalid packet length: %d bytes\n", 1492 SPP_ARGS(ifp), cp->name, len); 1493 return; 1494 } 1495 h = mtod (m, struct lcp_header*); 1496 if (debug) { 1497 printlen = ntohs(h->len); 1498 log(LOG_DEBUG, 1499 SPP_FMT "%s input(%s): <%s id=0x%x len=%d", 1500 SPP_ARGS(ifp), cp->name, 1501 sppp_state_name(sp->state[cp->protoidx]), 1502 sppp_cp_type_name (h->type), h->ident, printlen); 1503 if (len < printlen) 1504 printlen = len; 1505 if (printlen > 4) 1506 sppp_print_bytes ((u_char*) (h+1), printlen - 4); 1507 log(-1, ">\n"); 1508 } 1509 if (len > ntohs (h->len)) 1510 len = ntohs (h->len); 1511 p = (u_char *)(h + 1); 1512 switch (h->type) { 1513 case CONF_REQ: 1514 if (len < 4) { 1515 if (debug) 1516 log(-1, SPP_FMT "%s invalid conf-req length %d\n", 1517 SPP_ARGS(ifp), cp->name, 1518 len); 1519 ++ifp->if_ierrors; 1520 break; 1521 } 1522 /* handle states where RCR doesn't get a SCA/SCN */ 1523 switch (sp->state[cp->protoidx]) { 1524 case STATE_CLOSING: 1525 case STATE_STOPPING: 1526 return; 1527 case STATE_CLOSED: 1528 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1529 0, 0); 1530 return; 1531 } 1532 rv = (cp->RCR)(sp, h, len); 1533 if (rv < 0) { 1534 /* fatal error, shut down */ 1535 (cp->tld)(sp); 1536 sppp_lcp_tlf(sp); 1537 return; 1538 } 1539 switch (sp->state[cp->protoidx]) { 1540 case STATE_OPENED: 1541 (cp->tld)(sp); 1542 (cp->scr)(sp); 1543 /* fall through... */ 1544 case STATE_ACK_SENT: 1545 case STATE_REQ_SENT: 1546 /* 1547 * sppp_cp_change_state() have the side effect of 1548 * restarting the timeouts. We want to avoid that 1549 * if the state don't change, otherwise we won't 1550 * ever timeout and resend a configuration request 1551 * that got lost. 1552 */ 1553 if (sp->state[cp->protoidx] == (rv ? STATE_ACK_SENT: 1554 STATE_REQ_SENT)) 1555 break; 1556 sppp_cp_change_state(cp, sp, rv? 1557 STATE_ACK_SENT: STATE_REQ_SENT); 1558 break; 1559 case STATE_STOPPED: 1560 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1561 (cp->scr)(sp); 1562 sppp_cp_change_state(cp, sp, rv? 1563 STATE_ACK_SENT: STATE_REQ_SENT); 1564 break; 1565 case STATE_ACK_RCVD: 1566 if (rv) { 1567 sppp_cp_change_state(cp, sp, STATE_OPENED); 1568 if (debug) 1569 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 1570 SPP_ARGS(ifp), 1571 cp->name); 1572 (cp->tlu)(sp); 1573 } else 1574 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1575 break; 1576 default: 1577 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1578 SPP_ARGS(ifp), cp->name, 1579 sppp_cp_type_name(h->type), 1580 sppp_state_name(sp->state[cp->protoidx])); 1581 ++ifp->if_ierrors; 1582 } 1583 break; 1584 case CONF_ACK: 1585 if (h->ident != sp->confid[cp->protoidx]) { 1586 if (debug) 1587 log(-1, SPP_FMT "%s id mismatch 0x%x != 0x%x\n", 1588 SPP_ARGS(ifp), cp->name, 1589 h->ident, sp->confid[cp->protoidx]); 1590 ++ifp->if_ierrors; 1591 break; 1592 } 1593 switch (sp->state[cp->protoidx]) { 1594 case STATE_CLOSED: 1595 case STATE_STOPPED: 1596 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1597 break; 1598 case STATE_CLOSING: 1599 case STATE_STOPPING: 1600 break; 1601 case STATE_REQ_SENT: 1602 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1603 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1604 break; 1605 case STATE_OPENED: 1606 (cp->tld)(sp); 1607 /* fall through */ 1608 case STATE_ACK_RCVD: 1609 (cp->scr)(sp); 1610 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1611 break; 1612 case STATE_ACK_SENT: 1613 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1614 sppp_cp_change_state(cp, sp, STATE_OPENED); 1615 if (debug) 1616 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 1617 SPP_ARGS(ifp), cp->name); 1618 (cp->tlu)(sp); 1619 break; 1620 default: 1621 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1622 SPP_ARGS(ifp), cp->name, 1623 sppp_cp_type_name(h->type), 1624 sppp_state_name(sp->state[cp->protoidx])); 1625 ++ifp->if_ierrors; 1626 } 1627 break; 1628 case CONF_NAK: 1629 case CONF_REJ: 1630 if (h->ident != sp->confid[cp->protoidx]) { 1631 if (debug) 1632 log(-1, SPP_FMT "%s id mismatch 0x%x != 0x%x\n", 1633 SPP_ARGS(ifp), cp->name, 1634 h->ident, sp->confid[cp->protoidx]); 1635 ++ifp->if_ierrors; 1636 break; 1637 } 1638 if (h->type == CONF_NAK) 1639 (cp->RCN_nak)(sp, h, len); 1640 else /* CONF_REJ */ 1641 (cp->RCN_rej)(sp, h, len); 1642 1643 switch (sp->state[cp->protoidx]) { 1644 case STATE_CLOSED: 1645 case STATE_STOPPED: 1646 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1647 break; 1648 case STATE_REQ_SENT: 1649 case STATE_ACK_SENT: 1650 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1651 /* 1652 * Slow things down a bit if we think we might be 1653 * in loopback. Depend on the timeout to send the 1654 * next configuration request. 1655 */ 1656 if (sp->pp_loopcnt) 1657 break; 1658 (cp->scr)(sp); 1659 break; 1660 case STATE_OPENED: 1661 (cp->tld)(sp); 1662 /* fall through */ 1663 case STATE_ACK_RCVD: 1664 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1665 (cp->scr)(sp); 1666 break; 1667 case STATE_CLOSING: 1668 case STATE_STOPPING: 1669 break; 1670 default: 1671 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1672 SPP_ARGS(ifp), cp->name, 1673 sppp_cp_type_name(h->type), 1674 sppp_state_name(sp->state[cp->protoidx])); 1675 ++ifp->if_ierrors; 1676 } 1677 break; 1678 1679 case TERM_REQ: 1680 switch (sp->state[cp->protoidx]) { 1681 case STATE_ACK_RCVD: 1682 case STATE_ACK_SENT: 1683 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1684 /* fall through */ 1685 case STATE_CLOSED: 1686 case STATE_STOPPED: 1687 case STATE_CLOSING: 1688 case STATE_STOPPING: 1689 case STATE_REQ_SENT: 1690 sta: 1691 /* Send Terminate-Ack packet. */ 1692 if (debug) 1693 log(LOG_DEBUG, SPP_FMT "%s send terminate-ack\n", 1694 SPP_ARGS(ifp), cp->name); 1695 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1696 break; 1697 case STATE_OPENED: 1698 (cp->tld)(sp); 1699 sp->rst_counter[cp->protoidx] = 0; 1700 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1701 goto sta; 1702 break; 1703 default: 1704 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1705 SPP_ARGS(ifp), cp->name, 1706 sppp_cp_type_name(h->type), 1707 sppp_state_name(sp->state[cp->protoidx])); 1708 ++ifp->if_ierrors; 1709 } 1710 break; 1711 case TERM_ACK: 1712 switch (sp->state[cp->protoidx]) { 1713 case STATE_CLOSED: 1714 case STATE_STOPPED: 1715 case STATE_REQ_SENT: 1716 case STATE_ACK_SENT: 1717 break; 1718 case STATE_CLOSING: 1719 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1720 (cp->tlf)(sp); 1721 break; 1722 case STATE_STOPPING: 1723 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1724 (cp->tlf)(sp); 1725 break; 1726 case STATE_ACK_RCVD: 1727 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1728 break; 1729 case STATE_OPENED: 1730 (cp->tld)(sp); 1731 (cp->scr)(sp); 1732 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1733 break; 1734 default: 1735 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1736 SPP_ARGS(ifp), cp->name, 1737 sppp_cp_type_name(h->type), 1738 sppp_state_name(sp->state[cp->protoidx])); 1739 ++ifp->if_ierrors; 1740 } 1741 break; 1742 case CODE_REJ: 1743 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1744 log(LOG_INFO, 1745 SPP_FMT "%s: ignoring RXJ (%s) for proto 0x%x, " 1746 "danger will robinson\n", 1747 SPP_ARGS(ifp), cp->name, 1748 sppp_cp_type_name(h->type), ntohs(*((u_short *)p))); 1749 switch (sp->state[cp->protoidx]) { 1750 case STATE_CLOSED: 1751 case STATE_STOPPED: 1752 case STATE_REQ_SENT: 1753 case STATE_ACK_SENT: 1754 case STATE_CLOSING: 1755 case STATE_STOPPING: 1756 case STATE_OPENED: 1757 break; 1758 case STATE_ACK_RCVD: 1759 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1760 break; 1761 default: 1762 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1763 SPP_ARGS(ifp), cp->name, 1764 sppp_cp_type_name(h->type), 1765 sppp_state_name(sp->state[cp->protoidx])); 1766 ++ifp->if_ierrors; 1767 } 1768 break; 1769 case PROTO_REJ: 1770 { 1771 int catastrophic; 1772 const struct cp *upper; 1773 int i; 1774 u_int16_t proto; 1775 1776 catastrophic = 0; 1777 upper = NULL; 1778 proto = ntohs(*((u_int16_t *)p)); 1779 for (i = 0; i < IDX_COUNT; i++) { 1780 if (cps[i]->proto == proto) { 1781 upper = cps[i]; 1782 break; 1783 } 1784 } 1785 if (upper == NULL) 1786 catastrophic++; 1787 1788 if (catastrophic || debug) 1789 log(catastrophic? LOG_INFO: LOG_DEBUG, 1790 SPP_FMT "%s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1791 SPP_ARGS(ifp), cp->name, catastrophic ? '-' : '+', 1792 sppp_cp_type_name(h->type), proto, 1793 upper ? upper->name : "unknown", 1794 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1795 1796 /* 1797 * if we got RXJ+ against conf-req, the peer does not implement 1798 * this particular protocol type. terminate the protocol. 1799 */ 1800 if (upper && !catastrophic) { 1801 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1802 upper->Close(sp); 1803 break; 1804 } 1805 } 1806 1807 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1808 switch (sp->state[cp->protoidx]) { 1809 case STATE_CLOSED: 1810 case STATE_STOPPED: 1811 case STATE_REQ_SENT: 1812 case STATE_ACK_SENT: 1813 case STATE_CLOSING: 1814 case STATE_STOPPING: 1815 case STATE_OPENED: 1816 break; 1817 case STATE_ACK_RCVD: 1818 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1819 break; 1820 default: 1821 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1822 SPP_ARGS(ifp), cp->name, 1823 sppp_cp_type_name(h->type), 1824 sppp_state_name(sp->state[cp->protoidx])); 1825 ++ifp->if_ierrors; 1826 } 1827 break; 1828 } 1829 case DISC_REQ: 1830 if (cp->proto != PPP_LCP) 1831 goto illegal; 1832 /* Discard the packet. */ 1833 break; 1834 case ECHO_REQ: 1835 if (cp->proto != PPP_LCP) 1836 goto illegal; 1837 if (sp->state[cp->protoidx] != STATE_OPENED) { 1838 if (debug) 1839 log(-1, SPP_FMT "lcp echo req but lcp closed\n", 1840 SPP_ARGS(ifp)); 1841 ++ifp->if_ierrors; 1842 break; 1843 } 1844 if (len < 8) { 1845 if (debug) 1846 log(-1, SPP_FMT "invalid lcp echo request " 1847 "packet length: %d bytes\n", 1848 SPP_ARGS(ifp), len); 1849 break; 1850 } 1851 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 1852 ntohl (*(long*)(h+1)) == sp->lcp.magic) { 1853 /* Line loopback mode detected. */ 1854 kprintf(SPP_FMT "loopback\n", SPP_ARGS(ifp)); 1855 sp->pp_loopcnt = MAXALIVECNT * 5; 1856 if_down (ifp); 1857 IF_DRAIN(&sp->pp_cpq); 1858 1859 /* Shut down the PPP link. */ 1860 /* XXX */ 1861 lcp.Down(sp); 1862 lcp.Up(sp); 1863 break; 1864 } 1865 *(long*)(h+1) = htonl (sp->lcp.magic); 1866 if (debug) 1867 log(-1, SPP_FMT "got lcp echo req, sending echo rep\n", 1868 SPP_ARGS(ifp)); 1869 sppp_cp_send (sp, PPP_LCP, ECHO_REPLY, h->ident, len-4, h+1); 1870 break; 1871 case ECHO_REPLY: 1872 if (cp->proto != PPP_LCP) 1873 goto illegal; 1874 if (h->ident != sp->lcp.echoid) { 1875 ++ifp->if_ierrors; 1876 break; 1877 } 1878 if (len < 8) { 1879 if (debug) 1880 log(-1, SPP_FMT "lcp invalid echo reply " 1881 "packet length: %d bytes\n", 1882 SPP_ARGS(ifp), len); 1883 break; 1884 } 1885 if (debug) 1886 log(-1, SPP_FMT "lcp got echo rep\n", 1887 SPP_ARGS(ifp)); 1888 if (!(sp->lcp.opts & (1 << LCP_OPT_MAGIC)) || 1889 ntohl (*(long*)(h+1)) != sp->lcp.magic) 1890 sp->pp_alivecnt = 0; 1891 break; 1892 default: 1893 /* Unknown packet type -- send Code-Reject packet. */ 1894 illegal: 1895 if (debug) 1896 log(-1, SPP_FMT "%s send code-rej for 0x%x\n", 1897 SPP_ARGS(ifp), cp->name, h->type); 1898 sppp_cp_send(sp, cp->proto, CODE_REJ, 1899 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1900 ++ifp->if_ierrors; 1901 } 1902 } 1903 1904 1905 /* 1906 * The generic part of all Up/Down/Open/Close/TO event handlers. 1907 * Basically, the state transition handling in the automaton. 1908 */ 1909 static void 1910 sppp_up_event(const struct cp *cp, struct sppp *sp) 1911 { 1912 STDDCL; 1913 1914 if (debug) 1915 log(LOG_DEBUG, SPP_FMT "%s up(%s)\n", 1916 SPP_ARGS(ifp), cp->name, 1917 sppp_state_name(sp->state[cp->protoidx])); 1918 1919 switch (sp->state[cp->protoidx]) { 1920 case STATE_INITIAL: 1921 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1922 break; 1923 case STATE_STARTING: 1924 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1925 (cp->scr)(sp); 1926 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1927 break; 1928 default: 1929 kprintf(SPP_FMT "%s illegal up in state %s\n", 1930 SPP_ARGS(ifp), cp->name, 1931 sppp_state_name(sp->state[cp->protoidx])); 1932 } 1933 } 1934 1935 static void 1936 sppp_down_event(const struct cp *cp, struct sppp *sp) 1937 { 1938 STDDCL; 1939 1940 if (debug) 1941 log(LOG_DEBUG, SPP_FMT "%s down(%s)\n", 1942 SPP_ARGS(ifp), cp->name, 1943 sppp_state_name(sp->state[cp->protoidx])); 1944 1945 switch (sp->state[cp->protoidx]) { 1946 case STATE_CLOSED: 1947 case STATE_CLOSING: 1948 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1949 break; 1950 case STATE_STOPPED: 1951 sppp_cp_change_state(cp, sp, STATE_STARTING); 1952 (cp->tls)(sp); 1953 break; 1954 case STATE_STOPPING: 1955 case STATE_REQ_SENT: 1956 case STATE_ACK_RCVD: 1957 case STATE_ACK_SENT: 1958 sppp_cp_change_state(cp, sp, STATE_STARTING); 1959 break; 1960 case STATE_OPENED: 1961 (cp->tld)(sp); 1962 sppp_cp_change_state(cp, sp, STATE_STARTING); 1963 break; 1964 default: 1965 kprintf(SPP_FMT "%s illegal down in state %s\n", 1966 SPP_ARGS(ifp), cp->name, 1967 sppp_state_name(sp->state[cp->protoidx])); 1968 } 1969 } 1970 1971 1972 static void 1973 sppp_open_event(const struct cp *cp, struct sppp *sp) 1974 { 1975 STDDCL; 1976 1977 if (debug) 1978 log(LOG_DEBUG, SPP_FMT "%s open(%s)\n", 1979 SPP_ARGS(ifp), cp->name, 1980 sppp_state_name(sp->state[cp->protoidx])); 1981 1982 switch (sp->state[cp->protoidx]) { 1983 case STATE_INITIAL: 1984 sppp_cp_change_state(cp, sp, STATE_STARTING); 1985 (cp->tls)(sp); 1986 break; 1987 case STATE_STARTING: 1988 break; 1989 case STATE_CLOSED: 1990 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1991 (cp->scr)(sp); 1992 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1993 break; 1994 case STATE_STOPPED: 1995 /* 1996 * Try escaping stopped state. This seems to bite 1997 * people occasionally, in particular for IPCP, 1998 * presumably following previous IPCP negotiation 1999 * aborts. Somehow, we must have missed a Down event 2000 * which would have caused a transition into starting 2001 * state, so as a bandaid we force the Down event now. 2002 * This effectively implements (something like the) 2003 * `restart' option mentioned in the state transition 2004 * table of RFC 1661. 2005 */ 2006 sppp_cp_change_state(cp, sp, STATE_STARTING); 2007 (cp->tls)(sp); 2008 break; 2009 case STATE_STOPPING: 2010 case STATE_REQ_SENT: 2011 case STATE_ACK_RCVD: 2012 case STATE_ACK_SENT: 2013 case STATE_OPENED: 2014 break; 2015 case STATE_CLOSING: 2016 sppp_cp_change_state(cp, sp, STATE_STOPPING); 2017 break; 2018 } 2019 } 2020 2021 2022 static void 2023 sppp_close_event(const struct cp *cp, struct sppp *sp) 2024 { 2025 STDDCL; 2026 2027 if (debug) 2028 log(LOG_DEBUG, SPP_FMT "%s close(%s)\n", 2029 SPP_ARGS(ifp), cp->name, 2030 sppp_state_name(sp->state[cp->protoidx])); 2031 2032 switch (sp->state[cp->protoidx]) { 2033 case STATE_INITIAL: 2034 case STATE_CLOSED: 2035 case STATE_CLOSING: 2036 break; 2037 case STATE_STARTING: 2038 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2039 (cp->tlf)(sp); 2040 break; 2041 case STATE_STOPPED: 2042 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2043 break; 2044 case STATE_STOPPING: 2045 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2046 break; 2047 case STATE_OPENED: 2048 (cp->tld)(sp); 2049 /* fall through */ 2050 case STATE_REQ_SENT: 2051 case STATE_ACK_RCVD: 2052 case STATE_ACK_SENT: 2053 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 2054 sppp_cp_send(sp, cp->proto, TERM_REQ, 2055 ++sp->pp_seq[cp->protoidx], 0, 0); 2056 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2057 break; 2058 } 2059 } 2060 2061 static void 2062 sppp_to_event(const struct cp *cp, struct sppp *sp) 2063 { 2064 STDDCL; 2065 2066 crit_enter(); 2067 2068 if (debug) 2069 log(LOG_DEBUG, SPP_FMT "%s TO(%s) rst_counter = %d\n", 2070 SPP_ARGS(ifp), cp->name, 2071 sppp_state_name(sp->state[cp->protoidx]), 2072 sp->rst_counter[cp->protoidx]); 2073 2074 if (--sp->rst_counter[cp->protoidx] < 0) 2075 /* TO- event */ 2076 switch (sp->state[cp->protoidx]) { 2077 case STATE_CLOSING: 2078 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2079 (cp->tlf)(sp); 2080 break; 2081 case STATE_STOPPING: 2082 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2083 (cp->tlf)(sp); 2084 break; 2085 case STATE_REQ_SENT: 2086 case STATE_ACK_RCVD: 2087 case STATE_ACK_SENT: 2088 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2089 (cp->tlf)(sp); 2090 break; 2091 } 2092 else 2093 /* TO+ event */ 2094 switch (sp->state[cp->protoidx]) { 2095 case STATE_CLOSING: 2096 case STATE_STOPPING: 2097 sppp_cp_send(sp, cp->proto, TERM_REQ, 2098 ++sp->pp_seq[cp->protoidx], 0, 0); 2099 callout_reset(&sp->timeout[cp->protoidx], 2100 sp->lcp.timeout, cp->TO, sp); 2101 break; 2102 case STATE_REQ_SENT: 2103 case STATE_ACK_RCVD: 2104 (cp->scr)(sp); 2105 /* sppp_cp_change_state() will restart the timer */ 2106 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2107 break; 2108 case STATE_ACK_SENT: 2109 (cp->scr)(sp); 2110 callout_reset(&sp->timeout[cp->protoidx], 2111 sp->lcp.timeout, cp->TO, sp); 2112 break; 2113 } 2114 2115 crit_exit(); 2116 } 2117 2118 /* 2119 * Change the state of a control protocol in the state automaton. 2120 * Takes care of starting/stopping the restart timer. 2121 */ 2122 void 2123 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2124 { 2125 sp->state[cp->protoidx] = newstate; 2126 callout_stop(&sp->timeout[cp->protoidx]); 2127 2128 switch (newstate) { 2129 case STATE_INITIAL: 2130 case STATE_STARTING: 2131 case STATE_CLOSED: 2132 case STATE_STOPPED: 2133 case STATE_OPENED: 2134 break; 2135 case STATE_CLOSING: 2136 case STATE_STOPPING: 2137 case STATE_REQ_SENT: 2138 case STATE_ACK_RCVD: 2139 case STATE_ACK_SENT: 2140 callout_reset(&sp->timeout[cp->protoidx], 2141 sp->lcp.timeout, cp->TO, sp); 2142 break; 2143 } 2144 } 2145 2146 /* 2147 *--------------------------------------------------------------------------* 2148 * * 2149 * The LCP implementation. * 2150 * * 2151 *--------------------------------------------------------------------------* 2152 */ 2153 static void 2154 sppp_lcp_init(struct sppp *sp) 2155 { 2156 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2157 sp->lcp.magic = 0; 2158 sp->state[IDX_LCP] = STATE_INITIAL; 2159 sp->fail_counter[IDX_LCP] = 0; 2160 sp->pp_seq[IDX_LCP] = 0; 2161 sp->pp_rseq[IDX_LCP] = 0; 2162 sp->lcp.protos = 0; 2163 sp->lcp.mru = sp->lcp.their_mru = PP_MTU; 2164 2165 /* Note that these values are relevant for all control protocols */ 2166 sp->lcp.timeout = 3 * hz; 2167 sp->lcp.max_terminate = 2; 2168 sp->lcp.max_configure = 10; 2169 sp->lcp.max_failure = 10; 2170 #if defined(__DragonFly__) 2171 callout_init(&sp->timeout[IDX_LCP]); 2172 #endif 2173 } 2174 2175 static void 2176 sppp_lcp_up(struct sppp *sp) 2177 { 2178 STDDCL; 2179 2180 sp->pp_alivecnt = 0; 2181 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2182 sp->lcp.magic = 0; 2183 sp->lcp.protos = 0; 2184 sp->lcp.mru = sp->lcp.their_mru = PP_MTU; 2185 /* 2186 * If this interface is passive or dial-on-demand, and we are 2187 * still in Initial state, it means we've got an incoming 2188 * call. Activate the interface. 2189 */ 2190 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2191 if (debug) 2192 log(LOG_DEBUG, 2193 SPP_FMT "Up event", SPP_ARGS(ifp)); 2194 ifp->if_flags |= IFF_RUNNING; 2195 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2196 if (debug) 2197 log(-1, "(incoming call)\n"); 2198 sp->pp_flags |= PP_CALLIN; 2199 lcp.Open(sp); 2200 } else if (debug) 2201 log(-1, "\n"); 2202 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2203 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2204 ifp->if_flags |= IFF_RUNNING; 2205 lcp.Open(sp); 2206 } 2207 2208 sppp_up_event(&lcp, sp); 2209 } 2210 2211 static void 2212 sppp_lcp_down(struct sppp *sp) 2213 { 2214 STDDCL; 2215 2216 sppp_down_event(&lcp, sp); 2217 2218 /* 2219 * If this is neither a dial-on-demand nor a passive 2220 * interface, simulate an ``ifconfig down'' action, so the 2221 * administrator can force a redial by another ``ifconfig 2222 * up''. XXX For leased line operation, should we immediately 2223 * try to reopen the connection here? 2224 */ 2225 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2226 log(LOG_INFO, 2227 SPP_FMT "Down event, taking interface down.\n", 2228 SPP_ARGS(ifp)); 2229 if_down(ifp); 2230 } else { 2231 if (debug) 2232 log(LOG_DEBUG, 2233 SPP_FMT "Down event (carrier loss)\n", 2234 SPP_ARGS(ifp)); 2235 sp->pp_flags &= ~PP_CALLIN; 2236 if (sp->state[IDX_LCP] != STATE_INITIAL) 2237 lcp.Close(sp); 2238 ifp->if_flags &= ~IFF_RUNNING; 2239 } 2240 } 2241 2242 static void 2243 sppp_lcp_open(struct sppp *sp) 2244 { 2245 /* 2246 * If we are authenticator, negotiate LCP_AUTH 2247 */ 2248 if (sp->hisauth.proto != 0) 2249 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2250 else 2251 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2252 sp->pp_flags &= ~PP_NEEDAUTH; 2253 sppp_open_event(&lcp, sp); 2254 } 2255 2256 static void 2257 sppp_lcp_close(struct sppp *sp) 2258 { 2259 sppp_close_event(&lcp, sp); 2260 } 2261 2262 static void 2263 sppp_lcp_TO(void *cookie) 2264 { 2265 sppp_to_event(&lcp, (struct sppp *)cookie); 2266 } 2267 2268 /* 2269 * Analyze a configure request. Return true if it was agreeable, and 2270 * caused action sca, false if it has been rejected or nak'ed, and 2271 * caused action scn. (The return value is used to make the state 2272 * transition decision in the state automaton.) 2273 */ 2274 static int 2275 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2276 { 2277 STDDCL; 2278 u_char *buf, *r, *p; 2279 int origlen, rlen; 2280 u_long nmagic; 2281 u_short authproto; 2282 2283 len -= 4; 2284 origlen = len; 2285 buf = r = kmalloc (len, M_TEMP, M_INTWAIT); 2286 2287 if (debug) 2288 log(LOG_DEBUG, SPP_FMT "lcp parse opts: ", 2289 SPP_ARGS(ifp)); 2290 2291 /* pass 1: check for things that need to be rejected */ 2292 p = (void*) (h+1); 2293 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2294 /* Sanity check option length */ 2295 if (p[1] > len) { 2296 /* Malicious option - drop immediately. 2297 * XXX Maybe we should just RXJ it? 2298 */ 2299 log(-1, "%s: received malicious LCP option 0x%02x, " 2300 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2301 p[0], p[1], len); 2302 goto drop; 2303 } 2304 if (debug) 2305 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2306 switch (*p) { 2307 case LCP_OPT_MAGIC: 2308 /* Magic number. */ 2309 if (len >= 6 && p[1] == 6) 2310 continue; 2311 if (debug) 2312 log(-1, "[invalid] "); 2313 break; 2314 case LCP_OPT_ASYNC_MAP: 2315 /* Async control character map. */ 2316 if (len >= 6 && p[1] == 6) 2317 continue; 2318 if (debug) 2319 log(-1, "[invalid] "); 2320 break; 2321 case LCP_OPT_MRU: 2322 /* Maximum receive unit. */ 2323 if (len >= 4 && p[1] == 4) 2324 continue; 2325 if (debug) 2326 log(-1, "[invalid] "); 2327 break; 2328 case LCP_OPT_AUTH_PROTO: 2329 if (len < 4) { 2330 if (debug) 2331 log(-1, "[invalid] "); 2332 break; 2333 } 2334 authproto = (p[2] << 8) + p[3]; 2335 if (authproto == PPP_CHAP && p[1] != 5) { 2336 if (debug) 2337 log(-1, "[invalid chap len] "); 2338 break; 2339 } 2340 if (sp->myauth.proto == 0) { 2341 /* we are not configured to do auth */ 2342 if (debug) 2343 log(-1, "[not configured] "); 2344 break; 2345 } 2346 /* 2347 * Remote want us to authenticate, remember this, 2348 * so we stay in PHASE_AUTHENTICATE after LCP got 2349 * up. 2350 */ 2351 sp->pp_flags |= PP_NEEDAUTH; 2352 continue; 2353 default: 2354 /* Others not supported. */ 2355 if (debug) 2356 log(-1, "[rej] "); 2357 break; 2358 } 2359 /* Add the option to rejected list. */ 2360 bcopy (p, r, p[1]); 2361 r += p[1]; 2362 rlen += p[1]; 2363 } 2364 if (rlen) { 2365 if (debug) 2366 log(-1, " send conf-rej\n"); 2367 sppp_cp_send (sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2368 return 0; 2369 } else if (debug) 2370 log(-1, "\n"); 2371 2372 /* 2373 * pass 2: check for option values that are unacceptable and 2374 * thus require to be nak'ed. 2375 */ 2376 if (debug) 2377 log(LOG_DEBUG, SPP_FMT "lcp parse opt values: ", 2378 SPP_ARGS(ifp)); 2379 2380 p = (void*) (h+1); 2381 len = origlen; 2382 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2383 if (debug) 2384 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2385 switch (*p) { 2386 case LCP_OPT_MAGIC: 2387 /* Magic number -- extract. */ 2388 nmagic = (u_long)p[2] << 24 | 2389 (u_long)p[3] << 16 | p[4] << 8 | p[5]; 2390 if (nmagic != sp->lcp.magic) { 2391 sp->pp_loopcnt = 0; 2392 if (debug) 2393 log(-1, "0x%lx ", nmagic); 2394 continue; 2395 } 2396 if (debug && sp->pp_loopcnt < MAXALIVECNT*5) 2397 log(-1, "[glitch] "); 2398 ++sp->pp_loopcnt; 2399 /* 2400 * We negate our magic here, and NAK it. If 2401 * we see it later in an NAK packet, we 2402 * suggest a new one. 2403 */ 2404 nmagic = ~sp->lcp.magic; 2405 /* Gonna NAK it. */ 2406 p[2] = nmagic >> 24; 2407 p[3] = nmagic >> 16; 2408 p[4] = nmagic >> 8; 2409 p[5] = nmagic; 2410 break; 2411 2412 case LCP_OPT_ASYNC_MAP: 2413 /* 2414 * Async control character map -- just ignore it. 2415 * 2416 * Quote from RFC 1662, chapter 6: 2417 * To enable this functionality, synchronous PPP 2418 * implementations MUST always respond to the 2419 * Async-Control-Character-Map Configuration 2420 * Option with the LCP Configure-Ack. However, 2421 * acceptance of the Configuration Option does 2422 * not imply that the synchronous implementation 2423 * will do any ACCM mapping. Instead, all such 2424 * octet mapping will be performed by the 2425 * asynchronous-to-synchronous converter. 2426 */ 2427 continue; 2428 2429 case LCP_OPT_MRU: 2430 /* 2431 * Maximum receive unit. Always agreeable, 2432 * but ignored by now. 2433 */ 2434 sp->lcp.their_mru = p[2] * 256 + p[3]; 2435 if (debug) 2436 log(-1, "%lu ", sp->lcp.their_mru); 2437 continue; 2438 2439 case LCP_OPT_AUTH_PROTO: 2440 authproto = (p[2] << 8) + p[3]; 2441 if (sp->myauth.proto != authproto) { 2442 /* not agreed, nak */ 2443 if (debug) 2444 log(-1, "[mine %s != his %s] ", 2445 sppp_proto_name(sp->hisauth.proto), 2446 sppp_proto_name(authproto)); 2447 p[2] = sp->myauth.proto >> 8; 2448 p[3] = sp->myauth.proto; 2449 break; 2450 } 2451 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2452 if (debug) 2453 log(-1, "[chap not MD5] "); 2454 p[4] = CHAP_MD5; 2455 break; 2456 } 2457 continue; 2458 } 2459 /* Add the option to nak'ed list. */ 2460 bcopy (p, r, p[1]); 2461 r += p[1]; 2462 rlen += p[1]; 2463 } 2464 if (rlen) { 2465 /* 2466 * Local and remote magics equal -- loopback? 2467 */ 2468 if (sp->pp_loopcnt >= MAXALIVECNT*5) { 2469 if (sp->pp_loopcnt == MAXALIVECNT*5) 2470 kprintf (SPP_FMT "loopback\n", 2471 SPP_ARGS(ifp)); 2472 if (ifp->if_flags & IFF_UP) { 2473 if_down(ifp); 2474 IF_DRAIN(&sp->pp_cpq); 2475 /* XXX ? */ 2476 lcp.Down(sp); 2477 lcp.Up(sp); 2478 } 2479 } else if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2480 if (debug) 2481 log(-1, " max_failure (%d) exceeded, " 2482 "send conf-rej\n", 2483 sp->lcp.max_failure); 2484 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2485 } else { 2486 if (debug) 2487 log(-1, " send conf-nak\n"); 2488 sppp_cp_send (sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2489 } 2490 } else { 2491 if (debug) 2492 log(-1, " send conf-ack\n"); 2493 sp->fail_counter[IDX_LCP] = 0; 2494 sp->pp_loopcnt = 0; 2495 sppp_cp_send (sp, PPP_LCP, CONF_ACK, 2496 h->ident, origlen, h+1); 2497 } 2498 2499 kfree (buf, M_TEMP); 2500 return (rlen == 0); 2501 2502 drop: 2503 kfree(buf, M_TEMP); 2504 return (-1); 2505 } 2506 2507 /* 2508 * Analyze the LCP Configure-Reject option list, and adjust our 2509 * negotiation. 2510 */ 2511 static void 2512 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2513 { 2514 STDDCL; 2515 u_char *buf, *p; 2516 2517 len -= 4; 2518 buf = kmalloc (len, M_TEMP, M_INTWAIT); 2519 2520 if (debug) 2521 log(LOG_DEBUG, SPP_FMT "lcp rej opts: ", 2522 SPP_ARGS(ifp)); 2523 2524 p = (void*) (h+1); 2525 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2526 /* Sanity check option length */ 2527 if (p[1] > len) { 2528 /* 2529 * Malicious option - drop immediately. 2530 * XXX Maybe we should just RXJ it? 2531 */ 2532 log(-1, "%s: received malicious LCP option, " 2533 "dropping.\n", ifp->if_xname); 2534 goto drop; 2535 } 2536 if (debug) 2537 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2538 switch (*p) { 2539 case LCP_OPT_MAGIC: 2540 /* Magic number -- can't use it, use 0 */ 2541 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2542 sp->lcp.magic = 0; 2543 break; 2544 case LCP_OPT_MRU: 2545 /* 2546 * Should not be rejected anyway, since we only 2547 * negotiate a MRU if explicitly requested by 2548 * peer. 2549 */ 2550 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2551 break; 2552 case LCP_OPT_AUTH_PROTO: 2553 /* 2554 * Peer doesn't want to authenticate himself, 2555 * deny unless this is a dialout call, and 2556 * AUTHFLAG_NOCALLOUT is set. 2557 */ 2558 if ((sp->pp_flags & PP_CALLIN) == 0 && 2559 (sp->hisauth.flags & AUTHFLAG_NOCALLOUT) != 0) { 2560 if (debug) 2561 log(-1, "[don't insist on auth " 2562 "for callout]"); 2563 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2564 break; 2565 } 2566 if (debug) 2567 log(-1, "[access denied]\n"); 2568 lcp.Close(sp); 2569 break; 2570 } 2571 } 2572 if (debug) 2573 log(-1, "\n"); 2574 drop: 2575 kfree (buf, M_TEMP); 2576 return; 2577 } 2578 2579 /* 2580 * Analyze the LCP Configure-NAK option list, and adjust our 2581 * negotiation. 2582 */ 2583 static void 2584 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2585 { 2586 STDDCL; 2587 u_char *buf, *p; 2588 u_long magic; 2589 2590 len -= 4; 2591 buf = kmalloc (len, M_TEMP, M_INTWAIT); 2592 2593 if (debug) 2594 log(LOG_DEBUG, SPP_FMT "lcp nak opts: ", 2595 SPP_ARGS(ifp)); 2596 2597 p = (void*) (h+1); 2598 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2599 /* Sanity check option length */ 2600 if (p[1] > len) { 2601 /* 2602 * Malicious option - drop immediately. 2603 * XXX Maybe we should just RXJ it? 2604 */ 2605 log(-1, "%s: received malicious LCP option, " 2606 "dropping.\n", ifp->if_xname); 2607 goto drop; 2608 } 2609 if (debug) 2610 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2611 switch (*p) { 2612 case LCP_OPT_MAGIC: 2613 /* Magic number -- renegotiate */ 2614 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2615 len >= 6 && p[1] == 6) { 2616 magic = (u_long)p[2] << 24 | 2617 (u_long)p[3] << 16 | p[4] << 8 | p[5]; 2618 /* 2619 * If the remote magic is our negated one, 2620 * this looks like a loopback problem. 2621 * Suggest a new magic to make sure. 2622 */ 2623 if (magic == ~sp->lcp.magic) { 2624 if (debug) 2625 log(-1, "magic glitch "); 2626 #if defined(__DragonFly__) 2627 sp->lcp.magic = krandom(); 2628 #else 2629 sp->lcp.magic = time.tv_sec + time.tv_usec; 2630 #endif 2631 } else { 2632 sp->lcp.magic = magic; 2633 if (debug) 2634 log(-1, "%lu ", magic); 2635 } 2636 } 2637 break; 2638 case LCP_OPT_MRU: 2639 /* 2640 * Peer wants to advise us to negotiate an MRU. 2641 * Agree on it if it's reasonable, or use 2642 * default otherwise. 2643 */ 2644 if (len >= 4 && p[1] == 4) { 2645 u_int mru = p[2] * 256 + p[3]; 2646 if (debug) 2647 log(-1, "%d ", mru); 2648 if (mru < PP_MTU || mru > PP_MAX_MRU) 2649 mru = PP_MTU; 2650 sp->lcp.mru = mru; 2651 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2652 } 2653 break; 2654 case LCP_OPT_AUTH_PROTO: 2655 /* 2656 * Peer doesn't like our authentication method, 2657 * deny. 2658 */ 2659 if (debug) 2660 log(-1, "[access denied]\n"); 2661 lcp.Close(sp); 2662 break; 2663 } 2664 } 2665 if (debug) 2666 log(-1, "\n"); 2667 drop: 2668 kfree (buf, M_TEMP); 2669 return; 2670 } 2671 2672 static void 2673 sppp_lcp_tlu(struct sppp *sp) 2674 { 2675 STDDCL; 2676 int i; 2677 u_long mask; 2678 2679 /* XXX ? */ 2680 if (! (ifp->if_flags & IFF_UP) && 2681 (ifp->if_flags & IFF_RUNNING)) { 2682 /* Coming out of loopback mode. */ 2683 if_up(ifp); 2684 kprintf (SPP_FMT "up\n", SPP_ARGS(ifp)); 2685 } 2686 2687 for (i = 0; i < IDX_COUNT; i++) 2688 if ((cps[i])->flags & CP_QUAL) 2689 (cps[i])->Open(sp); 2690 2691 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2692 (sp->pp_flags & PP_NEEDAUTH) != 0) 2693 sp->pp_phase = PHASE_AUTHENTICATE; 2694 else 2695 sp->pp_phase = PHASE_NETWORK; 2696 2697 if (debug) 2698 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2699 sppp_phase_name(sp->pp_phase)); 2700 2701 /* 2702 * Open all authentication protocols. This is even required 2703 * if we already proceeded to network phase, since it might be 2704 * that remote wants us to authenticate, so we might have to 2705 * send a PAP request. Undesired authentication protocols 2706 * don't do anything when they get an Open event. 2707 */ 2708 for (i = 0; i < IDX_COUNT; i++) 2709 if ((cps[i])->flags & CP_AUTH) 2710 (cps[i])->Open(sp); 2711 2712 if (sp->pp_phase == PHASE_NETWORK) { 2713 /* Notify all NCPs. */ 2714 for (i = 0; i < IDX_COUNT; i++) 2715 if (((cps[i])->flags & CP_NCP) && 2716 /* 2717 * XXX 2718 * Hack to administratively disable IPv6 if 2719 * not desired. Perhaps we should have another 2720 * flag for this, but right now, we can make 2721 * all struct cp's read/only. 2722 */ 2723 (cps[i] != &ipv6cp || 2724 (sp->confflags & CONF_ENABLE_IPV6))) 2725 (cps[i])->Open(sp); 2726 } 2727 2728 /* Send Up events to all started protos. */ 2729 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2730 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) 2731 (cps[i])->Up(sp); 2732 2733 /* notify low-level driver of state change */ 2734 if (sp->pp_chg) 2735 sp->pp_chg(sp, (int)sp->pp_phase); 2736 2737 if (sp->pp_phase == PHASE_NETWORK) 2738 /* if no NCP is starting, close down */ 2739 sppp_lcp_check_and_close(sp); 2740 } 2741 2742 static void 2743 sppp_lcp_tld(struct sppp *sp) 2744 { 2745 STDDCL; 2746 int i; 2747 u_long mask; 2748 2749 sp->pp_phase = PHASE_TERMINATE; 2750 2751 if (debug) 2752 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2753 sppp_phase_name(sp->pp_phase)); 2754 2755 /* 2756 * Take upper layers down. We send the Down event first and 2757 * the Close second to prevent the upper layers from sending 2758 * ``a flurry of terminate-request packets'', as the RFC 2759 * describes it. 2760 */ 2761 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2762 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2763 (cps[i])->Down(sp); 2764 (cps[i])->Close(sp); 2765 } 2766 } 2767 2768 static void 2769 sppp_lcp_tls(struct sppp *sp) 2770 { 2771 STDDCL; 2772 2773 sp->pp_phase = PHASE_ESTABLISH; 2774 2775 if (debug) 2776 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2777 sppp_phase_name(sp->pp_phase)); 2778 2779 /* Notify lower layer if desired. */ 2780 if (sp->pp_tls) 2781 (sp->pp_tls)(sp); 2782 else 2783 (sp->pp_up)(sp); 2784 } 2785 2786 static void 2787 sppp_lcp_tlf(struct sppp *sp) 2788 { 2789 STDDCL; 2790 2791 sp->pp_phase = PHASE_DEAD; 2792 if (debug) 2793 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2794 sppp_phase_name(sp->pp_phase)); 2795 2796 /* Notify lower layer if desired. */ 2797 if (sp->pp_tlf) 2798 (sp->pp_tlf)(sp); 2799 else 2800 (sp->pp_down)(sp); 2801 } 2802 2803 static void 2804 sppp_lcp_scr(struct sppp *sp) 2805 { 2806 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2807 int i = 0; 2808 u_short authproto; 2809 2810 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2811 if (! sp->lcp.magic) 2812 #if defined(__DragonFly__) 2813 sp->lcp.magic = krandom(); 2814 #else 2815 sp->lcp.magic = time.tv_sec + time.tv_usec; 2816 #endif 2817 opt[i++] = LCP_OPT_MAGIC; 2818 opt[i++] = 6; 2819 opt[i++] = sp->lcp.magic >> 24; 2820 opt[i++] = sp->lcp.magic >> 16; 2821 opt[i++] = sp->lcp.magic >> 8; 2822 opt[i++] = sp->lcp.magic; 2823 } 2824 2825 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2826 opt[i++] = LCP_OPT_MRU; 2827 opt[i++] = 4; 2828 opt[i++] = sp->lcp.mru >> 8; 2829 opt[i++] = sp->lcp.mru; 2830 } 2831 2832 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2833 authproto = sp->hisauth.proto; 2834 opt[i++] = LCP_OPT_AUTH_PROTO; 2835 opt[i++] = authproto == PPP_CHAP? 5: 4; 2836 opt[i++] = authproto >> 8; 2837 opt[i++] = authproto; 2838 if (authproto == PPP_CHAP) 2839 opt[i++] = CHAP_MD5; 2840 } 2841 2842 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2843 sppp_cp_send (sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2844 } 2845 2846 /* 2847 * Check the open NCPs, return true if at least one NCP is open. 2848 */ 2849 static int 2850 sppp_ncp_check(struct sppp *sp) 2851 { 2852 int i, mask; 2853 2854 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2855 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2856 return 1; 2857 return 0; 2858 } 2859 2860 /* 2861 * Re-check the open NCPs and see if we should terminate the link. 2862 * Called by the NCPs during their tlf action handling. 2863 */ 2864 static void 2865 sppp_lcp_check_and_close(struct sppp *sp) 2866 { 2867 2868 if (sp->pp_phase < PHASE_NETWORK) 2869 /* don't bother, we are already going down */ 2870 return; 2871 2872 if (sppp_ncp_check(sp)) 2873 return; 2874 2875 lcp.Close(sp); 2876 } 2877 2878 /* 2879 *--------------------------------------------------------------------------* 2880 * * 2881 * The IPCP implementation. * 2882 * * 2883 *--------------------------------------------------------------------------* 2884 */ 2885 2886 static void 2887 sppp_ipcp_init(struct sppp *sp) 2888 { 2889 sp->ipcp.opts = 0; 2890 sp->ipcp.flags = 0; 2891 sp->state[IDX_IPCP] = STATE_INITIAL; 2892 sp->fail_counter[IDX_IPCP] = 0; 2893 sp->pp_seq[IDX_IPCP] = 0; 2894 sp->pp_rseq[IDX_IPCP] = 0; 2895 #if defined(__DragonFly__) 2896 callout_init(&sp->timeout[IDX_IPCP]); 2897 #endif 2898 } 2899 2900 static void 2901 sppp_ipcp_up(struct sppp *sp) 2902 { 2903 sppp_up_event(&ipcp, sp); 2904 } 2905 2906 static void 2907 sppp_ipcp_down(struct sppp *sp) 2908 { 2909 sppp_down_event(&ipcp, sp); 2910 } 2911 2912 static void 2913 sppp_ipcp_open(struct sppp *sp) 2914 { 2915 STDDCL; 2916 u_long myaddr, hisaddr; 2917 2918 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN | IPCP_MYADDR_SEEN | 2919 IPCP_MYADDR_DYN | IPCP_VJ); 2920 sp->ipcp.opts = 0; 2921 2922 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 2923 /* 2924 * If we don't have his address, this probably means our 2925 * interface doesn't want to talk IP at all. (This could 2926 * be the case if somebody wants to speak only IPX, for 2927 * example.) Don't open IPCP in this case. 2928 */ 2929 if (hisaddr == 0L) { 2930 /* XXX this message should go away */ 2931 if (debug) 2932 log(LOG_DEBUG, SPP_FMT "ipcp_open(): no IP interface\n", 2933 SPP_ARGS(ifp)); 2934 return; 2935 } 2936 if (myaddr == 0L) { 2937 /* 2938 * I don't have an assigned address, so i need to 2939 * negotiate my address. 2940 */ 2941 sp->ipcp.flags |= IPCP_MYADDR_DYN; 2942 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 2943 } else 2944 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 2945 if (sp->confflags & CONF_ENABLE_VJ) { 2946 sp->ipcp.opts |= (1 << IPCP_OPT_COMPRESSION); 2947 sp->ipcp.max_state = MAX_STATES - 1; 2948 sp->ipcp.compress_cid = 1; 2949 } 2950 sppp_open_event(&ipcp, sp); 2951 } 2952 2953 static void 2954 sppp_ipcp_close(struct sppp *sp) 2955 { 2956 sppp_close_event(&ipcp, sp); 2957 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 2958 /* 2959 * My address was dynamic, clear it again. 2960 */ 2961 sppp_set_ip_addr(sp, 0L); 2962 } 2963 2964 static void 2965 sppp_ipcp_TO(void *cookie) 2966 { 2967 sppp_to_event(&ipcp, (struct sppp *)cookie); 2968 } 2969 2970 /* 2971 * Analyze a configure request. Return true if it was agreeable, and 2972 * caused action sca, false if it has been rejected or nak'ed, and 2973 * caused action scn. (The return value is used to make the state 2974 * transition decision in the state automaton.) 2975 */ 2976 static int 2977 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2978 { 2979 u_char *buf, *r, *p; 2980 struct ifnet *ifp = &sp->pp_if; 2981 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 2982 u_long hisaddr, desiredaddr; 2983 int gotmyaddr = 0; 2984 int desiredcomp; 2985 2986 len -= 4; 2987 origlen = len; 2988 /* 2989 * Make sure to allocate a buf that can at least hold a 2990 * conf-nak with an `address' option. We might need it below. 2991 */ 2992 buf = r = kmalloc ((len < 6? 6: len), M_TEMP, M_INTWAIT); 2993 2994 /* pass 1: see if we can recognize them */ 2995 if (debug) 2996 log(LOG_DEBUG, SPP_FMT "ipcp parse opts: ", 2997 SPP_ARGS(ifp)); 2998 p = (void*) (h+1); 2999 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3000 /* Sanity check option length */ 3001 if (p[1] > len) { 3002 /* XXX should we just RXJ? */ 3003 log(-1, "%s: malicious IPCP option received, dropping\n", 3004 ifp->if_xname); 3005 goto drop; 3006 } 3007 if (debug) 3008 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3009 switch (*p) { 3010 case IPCP_OPT_COMPRESSION: 3011 if (!(sp->confflags & CONF_ENABLE_VJ)) { 3012 /* VJ compression administratively disabled */ 3013 if (debug) 3014 log(-1, "[locally disabled] "); 3015 break; 3016 } 3017 /* 3018 * In theory, we should only conf-rej an 3019 * option that is shorter than RFC 1618 3020 * requires (i.e. < 4), and should conf-nak 3021 * anything else that is not VJ. However, 3022 * since our algorithm always uses the 3023 * original option to NAK it with new values, 3024 * things would become more complicated. In 3025 * pratice, the only commonly implemented IP 3026 * compression option is VJ anyway, so the 3027 * difference is negligible. 3028 */ 3029 if (len >= 6 && p[1] == 6) { 3030 /* 3031 * correctly formed compression option 3032 * that could be VJ compression 3033 */ 3034 continue; 3035 } 3036 if (debug) 3037 log(-1, "optlen %d [invalid/unsupported] ", 3038 p[1]); 3039 break; 3040 case IPCP_OPT_ADDRESS: 3041 if (len >= 6 && p[1] == 6) { 3042 /* correctly formed address option */ 3043 continue; 3044 } 3045 if (debug) 3046 log(-1, "[invalid] "); 3047 break; 3048 default: 3049 /* Others not supported. */ 3050 if (debug) 3051 log(-1, "[rej] "); 3052 break; 3053 } 3054 /* Add the option to rejected list. */ 3055 bcopy (p, r, p[1]); 3056 r += p[1]; 3057 rlen += p[1]; 3058 } 3059 if (rlen) { 3060 if (debug) 3061 log(-1, " send conf-rej\n"); 3062 sppp_cp_send (sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 3063 return 0; 3064 } else if (debug) 3065 log(-1, "\n"); 3066 3067 /* pass 2: parse option values */ 3068 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); 3069 if (debug) 3070 log(LOG_DEBUG, SPP_FMT "ipcp parse opt values: ", 3071 SPP_ARGS(ifp)); 3072 p = (void*) (h+1); 3073 len = origlen; 3074 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3075 if (debug) 3076 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3077 switch (*p) { 3078 case IPCP_OPT_COMPRESSION: 3079 desiredcomp = p[2] << 8 | p[3]; 3080 /* We only support VJ */ 3081 if (desiredcomp == IPCP_COMP_VJ) { 3082 if (debug) 3083 log(-1, "VJ [ack] "); 3084 sp->ipcp.flags |= IPCP_VJ; 3085 sl_compress_init(sp->pp_comp, p[4]); 3086 sp->ipcp.max_state = p[4]; 3087 sp->ipcp.compress_cid = p[5]; 3088 continue; 3089 } 3090 if (debug) 3091 log(-1, "compproto %#04x [not supported] ", 3092 desiredcomp); 3093 p[2] = IPCP_COMP_VJ >> 8; 3094 p[3] = IPCP_COMP_VJ; 3095 p[4] = sp->ipcp.max_state; 3096 p[5] = sp->ipcp.compress_cid; 3097 break; 3098 case IPCP_OPT_ADDRESS: 3099 /* This is the address he wants in his end */ 3100 desiredaddr = p[2] << 24 | p[3] << 16 | 3101 p[4] << 8 | p[5]; 3102 if (desiredaddr == hisaddr || 3103 (hisaddr >= 1 && hisaddr <= 254 && desiredaddr != 0)) { 3104 /* 3105 * Peer's address is same as our value, 3106 * or we have set it to 0.0.0.* to 3107 * indicate that we do not really care, 3108 * this is agreeable. Gonna conf-ack 3109 * it. 3110 */ 3111 if (debug) 3112 log(-1, "%s [ack] ", 3113 sppp_dotted_quad(hisaddr)); 3114 /* record that we've seen it already */ 3115 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 3116 continue; 3117 } 3118 /* 3119 * The address wasn't agreeable. This is either 3120 * he sent us 0.0.0.0, asking to assign him an 3121 * address, or he send us another address not 3122 * matching our value. Either case, we gonna 3123 * conf-nak it with our value. 3124 * XXX: we should "rej" if hisaddr == 0 3125 */ 3126 if (debug) { 3127 if (desiredaddr == 0) 3128 log(-1, "[addr requested] "); 3129 else 3130 log(-1, "%s [not agreed] ", 3131 sppp_dotted_quad(desiredaddr)); 3132 3133 } 3134 p[2] = hisaddr >> 24; 3135 p[3] = hisaddr >> 16; 3136 p[4] = hisaddr >> 8; 3137 p[5] = hisaddr; 3138 break; 3139 } 3140 /* Add the option to nak'ed list. */ 3141 bcopy (p, r, p[1]); 3142 r += p[1]; 3143 rlen += p[1]; 3144 } 3145 3146 /* 3147 * If we are about to conf-ack the request, but haven't seen 3148 * his address so far, gonna conf-nak it instead, with the 3149 * `address' option present and our idea of his address being 3150 * filled in there, to request negotiation of both addresses. 3151 * 3152 * XXX This can result in an endless req - nak loop if peer 3153 * doesn't want to send us his address. Q: What should we do 3154 * about it? XXX A: implement the max-failure counter. 3155 */ 3156 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN) && !gotmyaddr) { 3157 buf[0] = IPCP_OPT_ADDRESS; 3158 buf[1] = 6; 3159 buf[2] = hisaddr >> 24; 3160 buf[3] = hisaddr >> 16; 3161 buf[4] = hisaddr >> 8; 3162 buf[5] = hisaddr; 3163 rlen = 6; 3164 if (debug) 3165 log(-1, "still need hisaddr "); 3166 } 3167 3168 if (rlen) { 3169 if (debug) 3170 log(-1, " send conf-nak\n"); 3171 sppp_cp_send (sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3172 } else { 3173 if (debug) 3174 log(-1, " send conf-ack\n"); 3175 sppp_cp_send (sp, PPP_IPCP, CONF_ACK, 3176 h->ident, origlen, h+1); 3177 } 3178 3179 kfree (buf, M_TEMP); 3180 return (rlen == 0); 3181 3182 drop: 3183 kfree(buf, M_TEMP); 3184 return (-1); 3185 } 3186 3187 /* 3188 * Analyze the IPCP Configure-Reject option list, and adjust our 3189 * negotiation. 3190 */ 3191 static void 3192 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3193 { 3194 u_char *buf, *p; 3195 struct ifnet *ifp = &sp->pp_if; 3196 int debug = ifp->if_flags & IFF_DEBUG; 3197 3198 len -= 4; 3199 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3200 3201 if (debug) 3202 log(LOG_DEBUG, SPP_FMT "ipcp rej opts: ", 3203 SPP_ARGS(ifp)); 3204 3205 p = (void*) (h+1); 3206 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3207 /* Sanity check option length */ 3208 if (p[1] > len) { 3209 /* XXX should we just RXJ? */ 3210 log(-1, "%s: malicious IPCP option received, dropping\n", 3211 ifp->if_xname); 3212 goto drop; 3213 } 3214 if (debug) 3215 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3216 switch (*p) { 3217 case IPCP_OPT_COMPRESSION: 3218 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESSION); 3219 break; 3220 case IPCP_OPT_ADDRESS: 3221 /* 3222 * Peer doesn't grok address option. This is 3223 * bad. XXX Should we better give up here? 3224 * XXX We could try old "addresses" option... 3225 */ 3226 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3227 break; 3228 } 3229 } 3230 if (debug) 3231 log(-1, "\n"); 3232 drop: 3233 kfree (buf, M_TEMP); 3234 return; 3235 } 3236 3237 /* 3238 * Analyze the IPCP Configure-NAK option list, and adjust our 3239 * negotiation. 3240 */ 3241 static void 3242 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3243 { 3244 u_char *buf, *p; 3245 struct ifnet *ifp = &sp->pp_if; 3246 int debug = ifp->if_flags & IFF_DEBUG; 3247 int desiredcomp; 3248 u_long wantaddr; 3249 3250 len -= 4; 3251 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3252 3253 if (debug) 3254 log(LOG_DEBUG, SPP_FMT "ipcp nak opts: ", 3255 SPP_ARGS(ifp)); 3256 3257 p = (void*) (h+1); 3258 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3259 /* Sanity check option length */ 3260 if (p[1] > len) { 3261 /* XXX should we just RXJ? */ 3262 log(-1, "%s: malicious IPCP option received, dropping\n", 3263 ifp->if_xname); 3264 return; 3265 } 3266 if (debug) 3267 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3268 switch (*p) { 3269 case IPCP_OPT_COMPRESSION: 3270 if (len >= 6 && p[1] == 6) { 3271 desiredcomp = p[2] << 8 | p[3]; 3272 if (debug) 3273 log(-1, "[wantcomp %#04x] ", 3274 desiredcomp); 3275 if (desiredcomp == IPCP_COMP_VJ) { 3276 sl_compress_init(sp->pp_comp, p[4]); 3277 sp->ipcp.max_state = p[4]; 3278 sp->ipcp.compress_cid = p[5]; 3279 if (debug) 3280 log(-1, "[agree] "); 3281 } else 3282 sp->ipcp.opts &= 3283 ~(1 << IPCP_OPT_COMPRESSION); 3284 } 3285 break; 3286 case IPCP_OPT_ADDRESS: 3287 /* 3288 * Peer doesn't like our local IP address. See 3289 * if we can do something for him. We'll drop 3290 * him our address then. 3291 */ 3292 if (len >= 6 && p[1] == 6) { 3293 wantaddr = p[2] << 24 | p[3] << 16 | 3294 p[4] << 8 | p[5]; 3295 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3296 if (debug) 3297 log(-1, "[wantaddr %s] ", 3298 sppp_dotted_quad(wantaddr)); 3299 /* 3300 * When doing dynamic address assignment, 3301 * we accept his offer. Otherwise, we 3302 * ignore it and thus continue to negotiate 3303 * our already existing value. 3304 * XXX: Bogus, if he said no once, he'll 3305 * just say no again, might as well die. 3306 */ 3307 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3308 sppp_set_ip_addr(sp, wantaddr); 3309 if (debug) 3310 log(-1, "[agree] "); 3311 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3312 } 3313 } 3314 break; 3315 } 3316 } 3317 if (debug) 3318 log(-1, "\n"); 3319 kfree (buf, M_TEMP); 3320 return; 3321 } 3322 3323 static void 3324 sppp_ipcp_tlu(struct sppp *sp) 3325 { 3326 /* we are up - notify isdn daemon */ 3327 if (sp->pp_con) 3328 sp->pp_con(sp); 3329 } 3330 3331 static void 3332 sppp_ipcp_tld(struct sppp *sp) 3333 { 3334 } 3335 3336 static void 3337 sppp_ipcp_tls(struct sppp *sp) 3338 { 3339 /* indicate to LCP that it must stay alive */ 3340 sp->lcp.protos |= (1 << IDX_IPCP); 3341 } 3342 3343 static void 3344 sppp_ipcp_tlf(struct sppp *sp) 3345 { 3346 /* we no longer need LCP */ 3347 sp->lcp.protos &= ~(1 << IDX_IPCP); 3348 sppp_lcp_check_and_close(sp); 3349 } 3350 3351 static void 3352 sppp_ipcp_scr(struct sppp *sp) 3353 { 3354 char opt[6 /* compression */ + 6 /* address */]; 3355 u_long ouraddr; 3356 int i = 0; 3357 3358 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3359 opt[i++] = IPCP_OPT_COMPRESSION; 3360 opt[i++] = 6; 3361 opt[i++] = IPCP_COMP_VJ >> 8; 3362 opt[i++] = IPCP_COMP_VJ; 3363 opt[i++] = sp->ipcp.max_state; 3364 opt[i++] = sp->ipcp.compress_cid; 3365 } 3366 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3367 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3368 opt[i++] = IPCP_OPT_ADDRESS; 3369 opt[i++] = 6; 3370 opt[i++] = ouraddr >> 24; 3371 opt[i++] = ouraddr >> 16; 3372 opt[i++] = ouraddr >> 8; 3373 opt[i++] = ouraddr; 3374 } 3375 3376 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3377 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3378 } 3379 3380 /* 3381 *--------------------------------------------------------------------------* 3382 * * 3383 * The IPv6CP implementation. * 3384 * * 3385 *--------------------------------------------------------------------------* 3386 */ 3387 3388 #ifdef INET6 3389 static void 3390 sppp_ipv6cp_init(struct sppp *sp) 3391 { 3392 sp->ipv6cp.opts = 0; 3393 sp->ipv6cp.flags = 0; 3394 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3395 sp->fail_counter[IDX_IPV6CP] = 0; 3396 sp->pp_seq[IDX_IPV6CP] = 0; 3397 sp->pp_rseq[IDX_IPV6CP] = 0; 3398 #if defined(__NetBSD__) 3399 callout_init(&sp->ch[IDX_IPV6CP]); 3400 #endif 3401 #if defined(__DragonFly__) 3402 callout_init(&sp->timeout[IDX_IPV6CP]); 3403 #endif 3404 } 3405 3406 static void 3407 sppp_ipv6cp_up(struct sppp *sp) 3408 { 3409 sppp_up_event(&ipv6cp, sp); 3410 } 3411 3412 static void 3413 sppp_ipv6cp_down(struct sppp *sp) 3414 { 3415 sppp_down_event(&ipv6cp, sp); 3416 } 3417 3418 static void 3419 sppp_ipv6cp_open(struct sppp *sp) 3420 { 3421 STDDCL; 3422 struct in6_addr myaddr, hisaddr; 3423 3424 #ifdef IPV6CP_MYIFID_DYN 3425 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3426 #else 3427 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3428 #endif 3429 3430 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3431 /* 3432 * If we don't have our address, this probably means our 3433 * interface doesn't want to talk IPv6 at all. (This could 3434 * be the case if somebody wants to speak only IPX, for 3435 * example.) Don't open IPv6CP in this case. 3436 */ 3437 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3438 /* XXX this message should go away */ 3439 if (debug) 3440 log(LOG_DEBUG, SPP_FMT "ipv6cp_open(): no IPv6 interface\n", 3441 SPP_ARGS(ifp)); 3442 return; 3443 } 3444 3445 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3446 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3447 sppp_open_event(&ipv6cp, sp); 3448 } 3449 3450 static void 3451 sppp_ipv6cp_close(struct sppp *sp) 3452 { 3453 sppp_close_event(&ipv6cp, sp); 3454 } 3455 3456 static void 3457 sppp_ipv6cp_TO(void *cookie) 3458 { 3459 sppp_to_event(&ipv6cp, (struct sppp *)cookie); 3460 } 3461 3462 /* 3463 * Analyze a configure request. Return true if it was agreeable, and 3464 * caused action sca, false if it has been rejected or nak'ed, and 3465 * caused action scn. (The return value is used to make the state 3466 * transition decision in the state automaton.) 3467 */ 3468 static int 3469 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3470 { 3471 u_char *buf, *r, *p; 3472 struct ifnet *ifp = &sp->pp_if; 3473 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3474 struct in6_addr myaddr, desiredaddr, suggestaddr; 3475 int ifidcount; 3476 int type; 3477 int collision, nohisaddr; 3478 3479 len -= 4; 3480 origlen = len; 3481 /* 3482 * Make sure to allocate a buf that can at least hold a 3483 * conf-nak with an `address' option. We might need it below. 3484 */ 3485 buf = r = kmalloc ((len < 6? 6: len), M_TEMP, M_INTWAIT); 3486 3487 /* pass 1: see if we can recognize them */ 3488 if (debug) 3489 log(LOG_DEBUG, SPP_FMT "ipv6cp parse opts:", 3490 SPP_ARGS(ifp)); 3491 p = (void*) (h+1); 3492 ifidcount = 0; 3493 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3494 /* Sanity check option length */ 3495 if (p[1] > len) { 3496 /* XXX just RXJ? */ 3497 log(-1, "%s: received malicious IPCPv6 option, " 3498 "dropping\n", ifp->if_xname); 3499 goto drop; 3500 } 3501 if (debug) 3502 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3503 switch (*p) { 3504 case IPV6CP_OPT_IFID: 3505 if (len >= 10 && p[1] == 10 && ifidcount == 0) { 3506 /* correctly formed address option */ 3507 ifidcount++; 3508 continue; 3509 } 3510 if (debug) 3511 log(-1, " [invalid]"); 3512 break; 3513 #ifdef notyet 3514 case IPV6CP_OPT_COMPRESSION: 3515 if (len >= 4 && p[1] >= 4) { 3516 /* correctly formed compress option */ 3517 continue; 3518 } 3519 if (debug) 3520 log(-1, " [invalid]"); 3521 break; 3522 #endif 3523 default: 3524 /* Others not supported. */ 3525 if (debug) 3526 log(-1, " [rej]"); 3527 break; 3528 } 3529 /* Add the option to rejected list. */ 3530 bcopy (p, r, p[1]); 3531 r += p[1]; 3532 rlen += p[1]; 3533 } 3534 if (rlen) { 3535 if (debug) 3536 log(-1, " send conf-rej\n"); 3537 sppp_cp_send (sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3538 goto end; 3539 } else if (debug) 3540 log(-1, "\n"); 3541 3542 /* pass 2: parse option values */ 3543 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3544 if (debug) 3545 log(LOG_DEBUG, SPP_FMT "ipv6cp parse opt values: ", 3546 SPP_ARGS(ifp)); 3547 p = (void*) (h+1); 3548 len = origlen; 3549 type = CONF_ACK; 3550 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3551 if (debug) 3552 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3553 switch (*p) { 3554 #ifdef notyet 3555 case IPV6CP_OPT_COMPRESSION: 3556 continue; 3557 #endif 3558 case IPV6CP_OPT_IFID: 3559 bzero(&desiredaddr, sizeof(desiredaddr)); 3560 bcopy(&p[2], &desiredaddr.s6_addr[8], 8); 3561 collision = (bcmp(&desiredaddr.s6_addr[8], 3562 &myaddr.s6_addr[8], 8) == 0); 3563 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3564 3565 desiredaddr.s6_addr16[0] = htons(0xfe80); 3566 desiredaddr.s6_addr16[1] = htons(sp->pp_if.if_index); 3567 3568 if (!collision && !nohisaddr) { 3569 /* no collision, hisaddr known - Conf-Ack */ 3570 type = CONF_ACK; 3571 3572 if (debug) { 3573 log(-1, " %s [%s]", 3574 ip6_sprintf(&desiredaddr), 3575 sppp_cp_type_name(type)); 3576 } 3577 continue; 3578 } 3579 3580 bzero(&suggestaddr, sizeof(&suggestaddr)); 3581 if (collision && nohisaddr) { 3582 /* collision, hisaddr unknown - Conf-Rej */ 3583 type = CONF_REJ; 3584 bzero(&p[2], 8); 3585 } else { 3586 /* 3587 * - no collision, hisaddr unknown, or 3588 * - collision, hisaddr known 3589 * Conf-Nak, suggest hisaddr 3590 */ 3591 type = CONF_NAK; 3592 sppp_suggest_ip6_addr(sp, &suggestaddr); 3593 bcopy(&suggestaddr.s6_addr[8], &p[2], 8); 3594 } 3595 if (debug) 3596 log(-1, " %s [%s]", ip6_sprintf(&desiredaddr), 3597 sppp_cp_type_name(type)); 3598 break; 3599 } 3600 /* Add the option to nak'ed list. */ 3601 bcopy (p, r, p[1]); 3602 r += p[1]; 3603 rlen += p[1]; 3604 } 3605 3606 if (rlen == 0 && type == CONF_ACK) { 3607 if (debug) 3608 log(-1, " send %s\n", sppp_cp_type_name(type)); 3609 sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, origlen, h+1); 3610 } else { 3611 #ifdef DIAGNOSTIC 3612 if (type == CONF_ACK) 3613 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3614 #endif 3615 3616 if (debug) { 3617 log(-1, " send %s suggest %s\n", 3618 sppp_cp_type_name(type), ip6_sprintf(&suggestaddr)); 3619 } 3620 sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3621 } 3622 3623 end: 3624 kfree (buf, M_TEMP); 3625 return (rlen == 0); 3626 3627 drop: 3628 kfree(buf, M_TEMP); 3629 return (-1); 3630 } 3631 3632 /* 3633 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3634 * negotiation. 3635 */ 3636 static void 3637 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3638 { 3639 u_char *buf, *p; 3640 struct ifnet *ifp = &sp->pp_if; 3641 int debug = ifp->if_flags & IFF_DEBUG; 3642 3643 len -= 4; 3644 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3645 3646 if (debug) 3647 log(LOG_DEBUG, SPP_FMT "ipv6cp rej opts:", 3648 SPP_ARGS(ifp)); 3649 3650 p = (void*) (h+1); 3651 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3652 if (p[1] > len) { 3653 /* XXX just RXJ? */ 3654 log(-1, "%s: received malicious IPCPv6 option, " 3655 "dropping\n", ifp->if_xname); 3656 goto drop; 3657 } 3658 if (debug) 3659 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3660 switch (*p) { 3661 case IPV6CP_OPT_IFID: 3662 /* 3663 * Peer doesn't grok address option. This is 3664 * bad. XXX Should we better give up here? 3665 */ 3666 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3667 break; 3668 #ifdef notyet 3669 case IPV6CP_OPT_COMPRESS: 3670 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3671 break; 3672 #endif 3673 } 3674 } 3675 if (debug) 3676 log(-1, "\n"); 3677 drop: 3678 kfree (buf, M_TEMP); 3679 return; 3680 } 3681 3682 /* 3683 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3684 * negotiation. 3685 */ 3686 static void 3687 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3688 { 3689 u_char *buf, *p; 3690 struct ifnet *ifp = &sp->pp_if; 3691 int debug = ifp->if_flags & IFF_DEBUG; 3692 struct in6_addr suggestaddr; 3693 3694 len -= 4; 3695 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3696 3697 if (debug) 3698 log(LOG_DEBUG, SPP_FMT "ipv6cp nak opts:", 3699 SPP_ARGS(ifp)); 3700 3701 p = (void*) (h+1); 3702 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3703 if (p[1] > len) { 3704 /* XXX just RXJ? */ 3705 log(-1, "%s: received malicious IPCPv6 option, " 3706 "dropping\n", ifp->if_xname); 3707 goto drop; 3708 } 3709 if (debug) 3710 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3711 switch (*p) { 3712 case IPV6CP_OPT_IFID: 3713 /* 3714 * Peer doesn't like our local ifid. See 3715 * if we can do something for him. We'll drop 3716 * him our address then. 3717 */ 3718 if (len < 10 || p[1] != 10) 3719 break; 3720 bzero(&suggestaddr, sizeof(suggestaddr)); 3721 suggestaddr.s6_addr16[0] = htons(0xfe80); 3722 suggestaddr.s6_addr16[1] = htons(sp->pp_if.if_index); 3723 bcopy(&p[2], &suggestaddr.s6_addr[8], 8); 3724 3725 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3726 if (debug) 3727 log(-1, " [suggestaddr %s]", 3728 ip6_sprintf(&suggestaddr)); 3729 #ifdef IPV6CP_MYIFID_DYN 3730 /* 3731 * When doing dynamic address assignment, 3732 * we accept his offer. 3733 */ 3734 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3735 struct in6_addr lastsuggest; 3736 /* 3737 * If <suggested myaddr from peer> equals to 3738 * <hisaddr we have suggested last time>, 3739 * we have a collision. generate new random 3740 * ifid. 3741 */ 3742 sppp_suggest_ip6_addr(&lastsuggest); 3743 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3744 lastsuggest)) { 3745 if (debug) 3746 log(-1, " [random]"); 3747 sppp_gen_ip6_addr(sp, &suggestaddr); 3748 } 3749 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3750 if (debug) 3751 log(-1, " [agree]"); 3752 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3753 } 3754 #else 3755 /* 3756 * Since we do not do dynamic address assignment, 3757 * we ignore it and thus continue to negotiate 3758 * our already existing value. This can possibly 3759 * go into infinite request-reject loop. 3760 * 3761 * This is not likely because we normally use 3762 * ifid based on MAC-address. 3763 * If you have no ethernet card on the node, too bad. 3764 * XXX should we use fail_counter? 3765 */ 3766 #endif 3767 break; 3768 #ifdef notyet 3769 case IPV6CP_OPT_COMPRESS: 3770 /* 3771 * Peer wants different compression parameters. 3772 */ 3773 break; 3774 #endif 3775 } 3776 } 3777 if (debug) 3778 log(-1, "\n"); 3779 drop: 3780 kfree (buf, M_TEMP); 3781 return; 3782 } 3783 static void 3784 sppp_ipv6cp_tlu(struct sppp *sp) 3785 { 3786 /* we are up - notify isdn daemon */ 3787 if (sp->pp_con) 3788 sp->pp_con(sp); 3789 } 3790 3791 static void 3792 sppp_ipv6cp_tld(struct sppp *sp) 3793 { 3794 } 3795 3796 static void 3797 sppp_ipv6cp_tls(struct sppp *sp) 3798 { 3799 /* indicate to LCP that it must stay alive */ 3800 sp->lcp.protos |= (1 << IDX_IPV6CP); 3801 } 3802 3803 static void 3804 sppp_ipv6cp_tlf(struct sppp *sp) 3805 { 3806 3807 #if 0 /* need #if 0 to close IPv6CP properly */ 3808 /* we no longer need LCP */ 3809 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3810 sppp_lcp_check_and_close(sp); 3811 #endif 3812 } 3813 3814 static void 3815 sppp_ipv6cp_scr(struct sppp *sp) 3816 { 3817 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3818 struct in6_addr ouraddr; 3819 int i = 0; 3820 3821 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3822 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3823 opt[i++] = IPV6CP_OPT_IFID; 3824 opt[i++] = 10; 3825 bcopy(&ouraddr.s6_addr[8], &opt[i], 8); 3826 i += 8; 3827 } 3828 3829 #ifdef notyet 3830 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 3831 opt[i++] = IPV6CP_OPT_COMPRESSION; 3832 opt[i++] = 4; 3833 opt[i++] = 0; /* TBD */ 3834 opt[i++] = 0; /* TBD */ 3835 /* variable length data may follow */ 3836 } 3837 #endif 3838 3839 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 3840 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 3841 } 3842 #else /*INET6*/ 3843 static void 3844 sppp_ipv6cp_init(struct sppp *sp) 3845 { 3846 } 3847 3848 static void 3849 sppp_ipv6cp_up(struct sppp *sp) 3850 { 3851 } 3852 3853 static void 3854 sppp_ipv6cp_down(struct sppp *sp) 3855 { 3856 } 3857 3858 3859 static void 3860 sppp_ipv6cp_open(struct sppp *sp) 3861 { 3862 } 3863 3864 static void 3865 sppp_ipv6cp_close(struct sppp *sp) 3866 { 3867 } 3868 3869 static void 3870 sppp_ipv6cp_TO(void *sp) 3871 { 3872 } 3873 3874 static int 3875 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3876 { 3877 return 0; 3878 } 3879 3880 static void 3881 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3882 { 3883 } 3884 3885 static void 3886 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3887 { 3888 } 3889 3890 static void 3891 sppp_ipv6cp_tlu(struct sppp *sp) 3892 { 3893 } 3894 3895 static void 3896 sppp_ipv6cp_tld(struct sppp *sp) 3897 { 3898 } 3899 3900 static void 3901 sppp_ipv6cp_tls(struct sppp *sp) 3902 { 3903 } 3904 3905 static void 3906 sppp_ipv6cp_tlf(struct sppp *sp) 3907 { 3908 } 3909 3910 static void 3911 sppp_ipv6cp_scr(struct sppp *sp) 3912 { 3913 } 3914 #endif /*INET6*/ 3915 3916 /* 3917 *--------------------------------------------------------------------------* 3918 * * 3919 * The CHAP implementation. * 3920 * * 3921 *--------------------------------------------------------------------------* 3922 */ 3923 3924 /* 3925 * The authentication protocols don't employ a full-fledged state machine as 3926 * the control protocols do, since they do have Open and Close events, but 3927 * not Up and Down, nor are they explicitly terminated. Also, use of the 3928 * authentication protocols may be different in both directions (this makes 3929 * sense, think of a machine that never accepts incoming calls but only 3930 * calls out, it doesn't require the called party to authenticate itself). 3931 * 3932 * Our state machine for the local authentication protocol (we are requesting 3933 * the peer to authenticate) looks like: 3934 * 3935 * RCA- 3936 * +--------------------------------------------+ 3937 * V scn,tld| 3938 * +--------+ Close +---------+ RCA+ 3939 * | |<----------------------------------| |------+ 3940 * +--->| Closed | TO* | Opened | sca | 3941 * | | |-----+ +-------| |<-----+ 3942 * | +--------+ irc | | +---------+ 3943 * | ^ | | ^ 3944 * | | | | | 3945 * | | | | | 3946 * | TO-| | | | 3947 * | |tld TO+ V | | 3948 * | | +------->+ | | 3949 * | | | | | | 3950 * | +--------+ V | | 3951 * | | |<----+<--------------------+ | 3952 * | | Req- | scr | 3953 * | | Sent | | 3954 * | | | | 3955 * | +--------+ | 3956 * | RCA- | | RCA+ | 3957 * +------+ +------------------------------------------+ 3958 * scn,tld sca,irc,ict,tlu 3959 * 3960 * 3961 * with: 3962 * 3963 * Open: LCP reached authentication phase 3964 * Close: LCP reached terminate phase 3965 * 3966 * RCA+: received reply (pap-req, chap-response), acceptable 3967 * RCN: received reply (pap-req, chap-response), not acceptable 3968 * TO+: timeout with restart counter >= 0 3969 * TO-: timeout with restart counter < 0 3970 * TO*: reschedule timeout for CHAP 3971 * 3972 * scr: send request packet (none for PAP, chap-challenge) 3973 * sca: send ack packet (pap-ack, chap-success) 3974 * scn: send nak packet (pap-nak, chap-failure) 3975 * ict: initialize re-challenge timer (CHAP only) 3976 * 3977 * tlu: this-layer-up, LCP reaches network phase 3978 * tld: this-layer-down, LCP enters terminate phase 3979 * 3980 * Note that in CHAP mode, after sending a new challenge, while the state 3981 * automaton falls back into Req-Sent state, it doesn't signal a tld 3982 * event to LCP, so LCP remains in network phase. Only after not getting 3983 * any response (or after getting an unacceptable response), CHAP closes, 3984 * causing LCP to enter terminate phase. 3985 * 3986 * With PAP, there is no initial request that can be sent. The peer is 3987 * expected to send one based on the successful negotiation of PAP as 3988 * the authentication protocol during the LCP option negotiation. 3989 * 3990 * Incoming authentication protocol requests (remote requests 3991 * authentication, we are peer) don't employ a state machine at all, 3992 * they are simply answered. Some peers [Ascend P50 firmware rev 3993 * 4.50] react allergically when sending IPCP requests while they are 3994 * still in authentication phase (thereby violating the standard that 3995 * demands that these NCP packets are to be discarded), so we keep 3996 * track of the peer demanding us to authenticate, and only proceed to 3997 * phase network once we've seen a positive acknowledge for the 3998 * authentication. 3999 */ 4000 4001 /* 4002 * Handle incoming CHAP packets. 4003 */ 4004 void 4005 sppp_chap_input(struct sppp *sp, struct mbuf *m) 4006 { 4007 STDDCL; 4008 struct lcp_header *h; 4009 int len; 4010 u_char *value, *name, digest[AUTHKEYLEN], dsize; 4011 int value_len, name_len; 4012 MD5_CTX ctx; 4013 4014 len = m->m_pkthdr.len; 4015 if (len < 4) { 4016 if (debug) 4017 log(LOG_DEBUG, 4018 SPP_FMT "chap invalid packet length: %d bytes\n", 4019 SPP_ARGS(ifp), len); 4020 return; 4021 } 4022 h = mtod (m, struct lcp_header*); 4023 if (len > ntohs (h->len)) 4024 len = ntohs (h->len); 4025 4026 switch (h->type) { 4027 /* challenge, failure and success are his authproto */ 4028 case CHAP_CHALLENGE: 4029 value = 1 + (u_char*)(h+1); 4030 value_len = value[-1]; 4031 name = value + value_len; 4032 name_len = len - value_len - 5; 4033 if (name_len < 0) { 4034 if (debug) { 4035 log(LOG_DEBUG, 4036 SPP_FMT "chap corrupted challenge " 4037 "<%s id=0x%x len=%d", 4038 SPP_ARGS(ifp), 4039 sppp_auth_type_name(PPP_CHAP, h->type), 4040 h->ident, ntohs(h->len)); 4041 sppp_print_bytes((u_char*) (h+1), len-4); 4042 log(-1, ">\n"); 4043 } 4044 break; 4045 } 4046 4047 if (debug) { 4048 log(LOG_DEBUG, 4049 SPP_FMT "chap input <%s id=0x%x len=%d name=", 4050 SPP_ARGS(ifp), 4051 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 4052 ntohs(h->len)); 4053 sppp_print_string((char*) name, name_len); 4054 log(-1, " value-size=%d value=", value_len); 4055 sppp_print_bytes(value, value_len); 4056 log(-1, ">\n"); 4057 } 4058 4059 /* Compute reply value. */ 4060 MD5Init(&ctx); 4061 MD5Update(&ctx, &h->ident, 1); 4062 MD5Update(&ctx, sp->myauth.secret, 4063 sppp_strnlen(sp->myauth.secret, AUTHKEYLEN)); 4064 MD5Update(&ctx, value, value_len); 4065 MD5Final(digest, &ctx); 4066 dsize = sizeof digest; 4067 4068 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 4069 sizeof dsize, (const char *)&dsize, 4070 sizeof digest, digest, 4071 (size_t)sppp_strnlen(sp->myauth.name, AUTHNAMELEN), 4072 sp->myauth.name, 4073 0); 4074 break; 4075 4076 case CHAP_SUCCESS: 4077 if (debug) { 4078 log(LOG_DEBUG, SPP_FMT "chap success", 4079 SPP_ARGS(ifp)); 4080 if (len > 4) { 4081 log(-1, ": "); 4082 sppp_print_string((char*)(h + 1), len - 4); 4083 } 4084 log(-1, "\n"); 4085 } 4086 4087 crit_enter(); 4088 4089 sp->pp_flags &= ~PP_NEEDAUTH; 4090 if (sp->myauth.proto == PPP_CHAP && 4091 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4092 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 4093 /* 4094 * We are authenticator for CHAP but didn't 4095 * complete yet. Leave it to tlu to proceed 4096 * to network phase. 4097 */ 4098 crit_exit(); 4099 break; 4100 } 4101 crit_exit(); 4102 sppp_phase_network(sp); 4103 break; 4104 4105 case CHAP_FAILURE: 4106 if (debug) { 4107 log(LOG_INFO, SPP_FMT "chap failure", 4108 SPP_ARGS(ifp)); 4109 if (len > 4) { 4110 log(-1, ": "); 4111 sppp_print_string((char*)(h + 1), len - 4); 4112 } 4113 log(-1, "\n"); 4114 } else 4115 log(LOG_INFO, SPP_FMT "chap failure\n", 4116 SPP_ARGS(ifp)); 4117 /* await LCP shutdown by authenticator */ 4118 break; 4119 4120 /* response is my authproto */ 4121 case CHAP_RESPONSE: 4122 value = 1 + (u_char*)(h+1); 4123 value_len = value[-1]; 4124 name = value + value_len; 4125 name_len = len - value_len - 5; 4126 if (name_len < 0) { 4127 if (debug) { 4128 log(LOG_DEBUG, 4129 SPP_FMT "chap corrupted response " 4130 "<%s id=0x%x len=%d", 4131 SPP_ARGS(ifp), 4132 sppp_auth_type_name(PPP_CHAP, h->type), 4133 h->ident, ntohs(h->len)); 4134 sppp_print_bytes((u_char*)(h+1), len-4); 4135 log(-1, ">\n"); 4136 } 4137 break; 4138 } 4139 if (h->ident != sp->confid[IDX_CHAP]) { 4140 if (debug) 4141 log(LOG_DEBUG, 4142 SPP_FMT "chap dropping response for old ID " 4143 "(got %d, expected %d)\n", 4144 SPP_ARGS(ifp), 4145 h->ident, sp->confid[IDX_CHAP]); 4146 break; 4147 } 4148 if (name_len != sppp_strnlen(sp->hisauth.name, AUTHNAMELEN) 4149 || bcmp(name, sp->hisauth.name, name_len) != 0) { 4150 log(LOG_INFO, SPP_FMT "chap response, his name ", 4151 SPP_ARGS(ifp)); 4152 sppp_print_string(name, name_len); 4153 log(-1, " != expected "); 4154 sppp_print_string(sp->hisauth.name, 4155 sppp_strnlen(sp->hisauth.name, AUTHNAMELEN)); 4156 log(-1, "\n"); 4157 } 4158 if (debug) { 4159 log(LOG_DEBUG, SPP_FMT "chap input(%s) " 4160 "<%s id=0x%x len=%d name=", 4161 SPP_ARGS(ifp), 4162 sppp_state_name(sp->state[IDX_CHAP]), 4163 sppp_auth_type_name(PPP_CHAP, h->type), 4164 h->ident, ntohs (h->len)); 4165 sppp_print_string((char*)name, name_len); 4166 log(-1, " value-size=%d value=", value_len); 4167 sppp_print_bytes(value, value_len); 4168 log(-1, ">\n"); 4169 } 4170 if (value_len != AUTHKEYLEN) { 4171 if (debug) 4172 log(LOG_DEBUG, 4173 SPP_FMT "chap bad hash value length: " 4174 "%d bytes, should be %d\n", 4175 SPP_ARGS(ifp), value_len, 4176 AUTHKEYLEN); 4177 break; 4178 } 4179 4180 MD5Init(&ctx); 4181 MD5Update(&ctx, &h->ident, 1); 4182 MD5Update(&ctx, sp->hisauth.secret, 4183 sppp_strnlen(sp->hisauth.secret, AUTHKEYLEN)); 4184 MD5Update(&ctx, sp->myauth.challenge, AUTHKEYLEN); 4185 MD5Final(digest, &ctx); 4186 4187 #define FAILMSG "Failed..." 4188 #define SUCCMSG "Welcome!" 4189 4190 if (value_len != sizeof digest || 4191 bcmp(digest, value, value_len) != 0) { 4192 /* action scn, tld */ 4193 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4194 sizeof(FAILMSG) - 1, (u_char *)FAILMSG, 4195 0); 4196 chap.tld(sp); 4197 break; 4198 } 4199 /* action sca, perhaps tlu */ 4200 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4201 sp->state[IDX_CHAP] == STATE_OPENED) 4202 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4203 sizeof(SUCCMSG) - 1, (u_char *)SUCCMSG, 4204 0); 4205 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4206 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4207 chap.tlu(sp); 4208 } 4209 break; 4210 4211 default: 4212 /* Unknown CHAP packet type -- ignore. */ 4213 if (debug) { 4214 log(LOG_DEBUG, SPP_FMT "chap unknown input(%s) " 4215 "<0x%x id=0x%xh len=%d", 4216 SPP_ARGS(ifp), 4217 sppp_state_name(sp->state[IDX_CHAP]), 4218 h->type, h->ident, ntohs(h->len)); 4219 sppp_print_bytes((u_char*)(h+1), len-4); 4220 log(-1, ">\n"); 4221 } 4222 break; 4223 4224 } 4225 } 4226 4227 static void 4228 sppp_chap_init(struct sppp *sp) 4229 { 4230 /* Chap doesn't have STATE_INITIAL at all. */ 4231 sp->state[IDX_CHAP] = STATE_CLOSED; 4232 sp->fail_counter[IDX_CHAP] = 0; 4233 sp->pp_seq[IDX_CHAP] = 0; 4234 sp->pp_rseq[IDX_CHAP] = 0; 4235 #if defined(__DragonFly__) 4236 callout_init(&sp->timeout[IDX_CHAP]); 4237 #endif 4238 } 4239 4240 static void 4241 sppp_chap_open(struct sppp *sp) 4242 { 4243 if (sp->myauth.proto == PPP_CHAP && 4244 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4245 /* we are authenticator for CHAP, start it */ 4246 chap.scr(sp); 4247 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4248 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4249 } 4250 /* nothing to be done if we are peer, await a challenge */ 4251 } 4252 4253 static void 4254 sppp_chap_close(struct sppp *sp) 4255 { 4256 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4257 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4258 } 4259 4260 static void 4261 sppp_chap_TO(void *cookie) 4262 { 4263 struct sppp *sp = (struct sppp *)cookie; 4264 STDDCL; 4265 4266 crit_enter(); 4267 4268 if (debug) 4269 log(LOG_DEBUG, SPP_FMT "chap TO(%s) rst_counter = %d\n", 4270 SPP_ARGS(ifp), 4271 sppp_state_name(sp->state[IDX_CHAP]), 4272 sp->rst_counter[IDX_CHAP]); 4273 4274 if (--sp->rst_counter[IDX_CHAP] < 0) 4275 /* TO- event */ 4276 switch (sp->state[IDX_CHAP]) { 4277 case STATE_REQ_SENT: 4278 chap.tld(sp); 4279 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4280 break; 4281 } 4282 else 4283 /* TO+ (or TO*) event */ 4284 switch (sp->state[IDX_CHAP]) { 4285 case STATE_OPENED: 4286 /* TO* event */ 4287 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4288 /* fall through */ 4289 case STATE_REQ_SENT: 4290 chap.scr(sp); 4291 /* sppp_cp_change_state() will restart the timer */ 4292 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4293 break; 4294 } 4295 4296 crit_exit(); 4297 } 4298 4299 static void 4300 sppp_chap_tlu(struct sppp *sp) 4301 { 4302 STDDCL; 4303 int i; 4304 4305 i = 0; 4306 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4307 4308 /* 4309 * Some broken CHAP implementations (Conware CoNet, firmware 4310 * 4.0.?) don't want to re-authenticate their CHAP once the 4311 * initial challenge-response exchange has taken place. 4312 * Provide for an option to avoid rechallenges. 4313 */ 4314 if ((sp->hisauth.flags & AUTHFLAG_NORECHALLENGE) == 0) { 4315 /* 4316 * Compute the re-challenge timeout. This will yield 4317 * a number between 300 and 810 seconds. 4318 */ 4319 i = 300 + ((unsigned)(krandom() & 0xff00) >> 7); 4320 callout_reset(&sp->timeout[IDX_CHAP], i * hz, chap.TO, sp); 4321 } 4322 4323 if (debug) { 4324 log(LOG_DEBUG, 4325 SPP_FMT "chap %s, ", 4326 SPP_ARGS(ifp), 4327 sp->pp_phase == PHASE_NETWORK? "reconfirmed": "tlu"); 4328 if ((sp->hisauth.flags & AUTHFLAG_NORECHALLENGE) == 0) 4329 log(-1, "next re-challenge in %d seconds\n", i); 4330 else 4331 log(-1, "re-challenging suppressed\n"); 4332 } 4333 4334 crit_enter(); 4335 4336 /* indicate to LCP that we need to be closed down */ 4337 sp->lcp.protos |= (1 << IDX_CHAP); 4338 4339 if (sp->pp_flags & PP_NEEDAUTH) { 4340 /* 4341 * Remote is authenticator, but his auth proto didn't 4342 * complete yet. Defer the transition to network 4343 * phase. 4344 */ 4345 crit_exit(); 4346 return; 4347 } 4348 4349 crit_exit(); 4350 4351 /* 4352 * If we are already in phase network, we are done here. This 4353 * is the case if this is a dummy tlu event after a re-challenge. 4354 */ 4355 if (sp->pp_phase != PHASE_NETWORK) 4356 sppp_phase_network(sp); 4357 } 4358 4359 static void 4360 sppp_chap_tld(struct sppp *sp) 4361 { 4362 STDDCL; 4363 4364 if (debug) 4365 log(LOG_DEBUG, SPP_FMT "chap tld\n", SPP_ARGS(ifp)); 4366 callout_stop(&sp->timeout[IDX_CHAP]); 4367 sp->lcp.protos &= ~(1 << IDX_CHAP); 4368 4369 lcp.Close(sp); 4370 } 4371 4372 static void 4373 sppp_chap_scr(struct sppp *sp) 4374 { 4375 u_long *ch, seed; 4376 u_char clen; 4377 4378 /* Compute random challenge. */ 4379 ch = (u_long *)sp->myauth.challenge; 4380 #if defined(__DragonFly__) 4381 read_random(&seed, sizeof seed); 4382 #else 4383 { 4384 struct timeval tv; 4385 microtime(&tv); 4386 seed = tv.tv_sec ^ tv.tv_usec; 4387 } 4388 #endif 4389 ch[0] = seed ^ krandom(); 4390 ch[1] = seed ^ krandom(); 4391 ch[2] = seed ^ krandom(); 4392 ch[3] = seed ^ krandom(); 4393 clen = AUTHKEYLEN; 4394 4395 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4396 4397 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4398 sizeof clen, (const char *)&clen, 4399 (size_t)AUTHKEYLEN, sp->myauth.challenge, 4400 (size_t)sppp_strnlen(sp->myauth.name, AUTHNAMELEN), 4401 sp->myauth.name, 4402 0); 4403 } 4404 4405 /* 4406 *--------------------------------------------------------------------------* 4407 * * 4408 * The PAP implementation. * 4409 * * 4410 *--------------------------------------------------------------------------* 4411 */ 4412 /* 4413 * For PAP, we need to keep a little state also if we are the peer, not the 4414 * authenticator. This is since we don't get a request to authenticate, but 4415 * have to repeatedly authenticate ourself until we got a response (or the 4416 * retry counter is expired). 4417 */ 4418 4419 /* 4420 * Handle incoming PAP packets. */ 4421 static void 4422 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4423 { 4424 STDDCL; 4425 struct lcp_header *h; 4426 int len; 4427 u_char *name, *passwd, mlen; 4428 int name_len, passwd_len; 4429 4430 /* 4431 * Malicious input might leave this uninitialized, so 4432 * init to an impossible value. 4433 */ 4434 passwd_len = -1; 4435 4436 len = m->m_pkthdr.len; 4437 if (len < 5) { 4438 if (debug) 4439 log(LOG_DEBUG, 4440 SPP_FMT "pap invalid packet length: %d bytes\n", 4441 SPP_ARGS(ifp), len); 4442 return; 4443 } 4444 h = mtod (m, struct lcp_header*); 4445 if (len > ntohs (h->len)) 4446 len = ntohs (h->len); 4447 switch (h->type) { 4448 /* PAP request is my authproto */ 4449 case PAP_REQ: 4450 name = 1 + (u_char*)(h+1); 4451 name_len = name[-1]; 4452 passwd = name + name_len + 1; 4453 if (name_len > len - 6 || 4454 (passwd_len = passwd[-1]) > len - 6 - name_len) { 4455 if (debug) { 4456 log(LOG_DEBUG, SPP_FMT "pap corrupted input " 4457 "<%s id=0x%x len=%d", 4458 SPP_ARGS(ifp), 4459 sppp_auth_type_name(PPP_PAP, h->type), 4460 h->ident, ntohs(h->len)); 4461 sppp_print_bytes((u_char*)(h+1), len-4); 4462 log(-1, ">\n"); 4463 } 4464 break; 4465 } 4466 if (debug) { 4467 log(LOG_DEBUG, SPP_FMT "pap input(%s) " 4468 "<%s id=0x%x len=%d name=", 4469 SPP_ARGS(ifp), 4470 sppp_state_name(sp->state[IDX_PAP]), 4471 sppp_auth_type_name(PPP_PAP, h->type), 4472 h->ident, ntohs(h->len)); 4473 sppp_print_string((char*)name, name_len); 4474 log(-1, " passwd="); 4475 sppp_print_string((char*)passwd, passwd_len); 4476 log(-1, ">\n"); 4477 } 4478 if (name_len != sppp_strnlen(sp->hisauth.name, AUTHNAMELEN) || 4479 passwd_len != sppp_strnlen(sp->hisauth.secret, AUTHKEYLEN) || 4480 bcmp(name, sp->hisauth.name, name_len) != 0 || 4481 bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) { 4482 /* action scn, tld */ 4483 mlen = sizeof(FAILMSG) - 1; 4484 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4485 sizeof mlen, (const char *)&mlen, 4486 sizeof(FAILMSG) - 1, (u_char *)FAILMSG, 4487 0); 4488 pap.tld(sp); 4489 break; 4490 } 4491 /* action sca, perhaps tlu */ 4492 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4493 sp->state[IDX_PAP] == STATE_OPENED) { 4494 mlen = sizeof(SUCCMSG) - 1; 4495 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4496 sizeof mlen, (const char *)&mlen, 4497 sizeof(SUCCMSG) - 1, (u_char *)SUCCMSG, 4498 0); 4499 } 4500 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4501 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4502 pap.tlu(sp); 4503 } 4504 break; 4505 4506 /* ack and nak are his authproto */ 4507 case PAP_ACK: 4508 callout_stop(&sp->pap_my_to); 4509 if (debug) { 4510 log(LOG_DEBUG, SPP_FMT "pap success", 4511 SPP_ARGS(ifp)); 4512 name = 1 + (u_char *)(h + 1); 4513 name_len = name[-1]; 4514 if (len > 5 && name_len < len+4) { 4515 log(-1, ": "); 4516 sppp_print_string(name, name_len); 4517 } 4518 log(-1, "\n"); 4519 } 4520 4521 crit_enter(); 4522 4523 sp->pp_flags &= ~PP_NEEDAUTH; 4524 if (sp->myauth.proto == PPP_PAP && 4525 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4526 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4527 /* 4528 * We are authenticator for PAP but didn't 4529 * complete yet. Leave it to tlu to proceed 4530 * to network phase. 4531 */ 4532 4533 crit_exit(); 4534 4535 break; 4536 } 4537 4538 crit_exit(); 4539 4540 sppp_phase_network(sp); 4541 break; 4542 4543 case PAP_NAK: 4544 callout_stop(&sp->pap_my_to); 4545 if (debug) { 4546 log(LOG_INFO, SPP_FMT "pap failure", 4547 SPP_ARGS(ifp)); 4548 name = 1 + (u_char *)(h + 1); 4549 name_len = name[-1]; 4550 if (len > 5 && name_len < len+4) { 4551 log(-1, ": "); 4552 sppp_print_string(name, name_len); 4553 } 4554 log(-1, "\n"); 4555 } else 4556 log(LOG_INFO, SPP_FMT "pap failure\n", 4557 SPP_ARGS(ifp)); 4558 /* await LCP shutdown by authenticator */ 4559 break; 4560 4561 default: 4562 /* Unknown PAP packet type -- ignore. */ 4563 if (debug) { 4564 log(LOG_DEBUG, SPP_FMT "pap corrupted input " 4565 "<0x%x id=0x%x len=%d", 4566 SPP_ARGS(ifp), 4567 h->type, h->ident, ntohs(h->len)); 4568 sppp_print_bytes((u_char*)(h+1), len-4); 4569 log(-1, ">\n"); 4570 } 4571 break; 4572 4573 } 4574 } 4575 4576 static void 4577 sppp_pap_init(struct sppp *sp) 4578 { 4579 /* PAP doesn't have STATE_INITIAL at all. */ 4580 sp->state[IDX_PAP] = STATE_CLOSED; 4581 sp->fail_counter[IDX_PAP] = 0; 4582 sp->pp_seq[IDX_PAP] = 0; 4583 sp->pp_rseq[IDX_PAP] = 0; 4584 #if defined(__DragonFly__) 4585 callout_init(&sp->timeout[IDX_PAP]); 4586 callout_init(&sp->pap_my_to); 4587 #endif 4588 } 4589 4590 static void 4591 sppp_pap_open(struct sppp *sp) 4592 { 4593 if (sp->hisauth.proto == PPP_PAP && 4594 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4595 /* we are authenticator for PAP, start our timer */ 4596 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4597 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4598 } 4599 if (sp->myauth.proto == PPP_PAP) { 4600 /* we are peer, send a request, and start a timer */ 4601 pap.scr(sp); 4602 callout_reset(&sp->pap_my_to, sp->lcp.timeout, 4603 sppp_pap_my_TO, sp); 4604 } 4605 } 4606 4607 static void 4608 sppp_pap_close(struct sppp *sp) 4609 { 4610 if (sp->state[IDX_PAP] != STATE_CLOSED) 4611 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4612 } 4613 4614 /* 4615 * That's the timeout routine if we are authenticator. Since the 4616 * authenticator is basically passive in PAP, we can't do much here. 4617 */ 4618 static void 4619 sppp_pap_TO(void *cookie) 4620 { 4621 struct sppp *sp = (struct sppp *)cookie; 4622 STDDCL; 4623 4624 crit_enter(); 4625 4626 if (debug) 4627 log(LOG_DEBUG, SPP_FMT "pap TO(%s) rst_counter = %d\n", 4628 SPP_ARGS(ifp), 4629 sppp_state_name(sp->state[IDX_PAP]), 4630 sp->rst_counter[IDX_PAP]); 4631 4632 if (--sp->rst_counter[IDX_PAP] < 0) 4633 /* TO- event */ 4634 switch (sp->state[IDX_PAP]) { 4635 case STATE_REQ_SENT: 4636 pap.tld(sp); 4637 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4638 break; 4639 } 4640 else 4641 /* TO+ event, not very much we could do */ 4642 switch (sp->state[IDX_PAP]) { 4643 case STATE_REQ_SENT: 4644 /* sppp_cp_change_state() will restart the timer */ 4645 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4646 break; 4647 } 4648 4649 crit_exit(); 4650 } 4651 4652 /* 4653 * That's the timeout handler if we are peer. Since the peer is active, 4654 * we need to retransmit our PAP request since it is apparently lost. 4655 * XXX We should impose a max counter. 4656 */ 4657 static void 4658 sppp_pap_my_TO(void *cookie) 4659 { 4660 struct sppp *sp = (struct sppp *)cookie; 4661 STDDCL; 4662 4663 if (debug) 4664 log(LOG_DEBUG, SPP_FMT "pap peer TO\n", 4665 SPP_ARGS(ifp)); 4666 4667 pap.scr(sp); 4668 } 4669 4670 static void 4671 sppp_pap_tlu(struct sppp *sp) 4672 { 4673 STDDCL; 4674 4675 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4676 4677 if (debug) 4678 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 4679 SPP_ARGS(ifp), pap.name); 4680 4681 crit_enter(); 4682 4683 /* indicate to LCP that we need to be closed down */ 4684 sp->lcp.protos |= (1 << IDX_PAP); 4685 4686 if (sp->pp_flags & PP_NEEDAUTH) { 4687 /* 4688 * Remote is authenticator, but his auth proto didn't 4689 * complete yet. Defer the transition to network 4690 * phase. 4691 */ 4692 crit_exit(); 4693 return; 4694 } 4695 crit_exit(); 4696 sppp_phase_network(sp); 4697 } 4698 4699 static void 4700 sppp_pap_tld(struct sppp *sp) 4701 { 4702 STDDCL; 4703 4704 if (debug) 4705 log(LOG_DEBUG, SPP_FMT "pap tld\n", SPP_ARGS(ifp)); 4706 callout_stop(&sp->timeout[IDX_PAP]); 4707 callout_stop(&sp->pap_my_to); 4708 sp->lcp.protos &= ~(1 << IDX_PAP); 4709 4710 lcp.Close(sp); 4711 } 4712 4713 static void 4714 sppp_pap_scr(struct sppp *sp) 4715 { 4716 u_char idlen, pwdlen; 4717 4718 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4719 pwdlen = sppp_strnlen(sp->myauth.secret, AUTHKEYLEN); 4720 idlen = sppp_strnlen(sp->myauth.name, AUTHNAMELEN); 4721 4722 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 4723 sizeof idlen, (const char *)&idlen, 4724 (size_t)idlen, sp->myauth.name, 4725 sizeof pwdlen, (const char *)&pwdlen, 4726 (size_t)pwdlen, sp->myauth.secret, 4727 0); 4728 } 4729 4730 /* 4731 * Random miscellaneous functions. 4732 */ 4733 4734 /* 4735 * Send a PAP or CHAP proto packet. 4736 * 4737 * Varadic function, each of the elements for the ellipsis is of type 4738 * ``size_t mlen, const u_char *msg''. Processing will stop iff 4739 * mlen == 0. 4740 * NOTE: never declare variadic functions with types subject to type 4741 * promotion (i.e. u_char). This is asking for big trouble depending 4742 * on the architecture you are on... 4743 */ 4744 4745 static void 4746 sppp_auth_send(const struct cp *cp, struct sppp *sp, 4747 unsigned int type, unsigned int id, 4748 ...) 4749 { 4750 STDDCL; 4751 struct ppp_header *h; 4752 struct lcp_header *lh; 4753 struct mbuf *m; 4754 u_char *p; 4755 int len; 4756 unsigned int mlen; 4757 const char *msg; 4758 __va_list ap; 4759 4760 MGETHDR (m, MB_DONTWAIT, MT_DATA); 4761 if (! m) 4762 return; 4763 m->m_pkthdr.rcvif = 0; 4764 4765 h = mtod (m, struct ppp_header*); 4766 h->address = PPP_ALLSTATIONS; /* broadcast address */ 4767 h->control = PPP_UI; /* Unnumbered Info */ 4768 h->protocol = htons(cp->proto); 4769 4770 lh = (struct lcp_header*)(h + 1); 4771 lh->type = type; 4772 lh->ident = id; 4773 p = (u_char*) (lh+1); 4774 4775 __va_start(ap, id); 4776 len = 0; 4777 4778 while ((mlen = (unsigned int)__va_arg(ap, size_t)) != 0) { 4779 msg = __va_arg(ap, const char *); 4780 len += mlen; 4781 if (len > MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN) { 4782 __va_end(ap); 4783 m_freem(m); 4784 return; 4785 } 4786 4787 bcopy(msg, p, mlen); 4788 p += mlen; 4789 } 4790 __va_end(ap); 4791 4792 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + LCP_HEADER_LEN + len; 4793 lh->len = htons (LCP_HEADER_LEN + len); 4794 4795 if (debug) { 4796 log(LOG_DEBUG, SPP_FMT "%s output <%s id=0x%x len=%d", 4797 SPP_ARGS(ifp), cp->name, 4798 sppp_auth_type_name(cp->proto, lh->type), 4799 lh->ident, ntohs(lh->len)); 4800 sppp_print_bytes((u_char*) (lh+1), len); 4801 log(-1, ">\n"); 4802 } 4803 if (IF_QFULL (&sp->pp_cpq)) { 4804 IF_DROP (&sp->pp_fastq); 4805 IF_DROP (&ifp->if_snd); 4806 m_freem (m); 4807 ++ifp->if_oerrors; 4808 } else 4809 IF_ENQUEUE (&sp->pp_cpq, m); 4810 if (! (ifp->if_flags & IFF_OACTIVE)) 4811 (*ifp->if_start) (ifp); 4812 ifp->if_obytes += m->m_pkthdr.len + 3; 4813 } 4814 4815 /* 4816 * Send keepalive packets, every 10 seconds. 4817 */ 4818 static void 4819 sppp_keepalive(void *dummy) 4820 { 4821 struct sppp *sp; 4822 4823 crit_enter(); 4824 4825 for (sp=spppq; sp; sp=sp->pp_next) { 4826 struct ifnet *ifp = &sp->pp_if; 4827 4828 /* Keepalive mode disabled or channel down? */ 4829 if (! (sp->pp_flags & PP_KEEPALIVE) || 4830 ! (ifp->if_flags & IFF_RUNNING)) 4831 continue; 4832 4833 /* No keepalive in PPP mode if LCP not opened yet. */ 4834 if (sp->pp_mode != IFF_CISCO && 4835 sp->pp_phase < PHASE_AUTHENTICATE) 4836 continue; 4837 4838 if (sp->pp_alivecnt == MAXALIVECNT) { 4839 /* No keepalive packets got. Stop the interface. */ 4840 kprintf (SPP_FMT "down\n", SPP_ARGS(ifp)); 4841 if_down (ifp); 4842 IF_DRAIN(&sp->pp_cpq); 4843 if (sp->pp_mode != IFF_CISCO) { 4844 /* XXX */ 4845 /* Shut down the PPP link. */ 4846 lcp.Down(sp); 4847 /* Initiate negotiation. XXX */ 4848 lcp.Up(sp); 4849 } 4850 } 4851 ifnet_serialize_all(ifp); 4852 if (sp->pp_alivecnt <= MAXALIVECNT) 4853 ++sp->pp_alivecnt; 4854 if (sp->pp_mode == IFF_CISCO) 4855 sppp_cisco_send (sp, CISCO_KEEPALIVE_REQ, 4856 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 4857 else if (sp->pp_phase >= PHASE_AUTHENTICATE) { 4858 long nmagic = htonl (sp->lcp.magic); 4859 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 4860 sppp_cp_send (sp, PPP_LCP, ECHO_REQ, 4861 sp->lcp.echoid, 4, &nmagic); 4862 } 4863 ifnet_deserialize_all(ifp); 4864 } 4865 callout_reset(&keepalive_timeout, hz * 10, sppp_keepalive, NULL); 4866 crit_exit(); 4867 } 4868 4869 /* 4870 * Get both IP addresses. 4871 */ 4872 static void 4873 sppp_get_ip_addrs(struct sppp *sp, u_long *src, u_long *dst, u_long *srcmask) 4874 { 4875 struct ifnet *ifp = &sp->pp_if; 4876 struct ifaddr_container *ifac; 4877 struct ifaddr *ifa; 4878 struct sockaddr_in *si, *sm; 4879 u_long ssrc, ddst; 4880 4881 sm = NULL; 4882 ssrc = ddst = 0L; 4883 /* 4884 * Pick the first AF_INET address from the list, 4885 * aliases don't make any sense on a p2p link anyway. 4886 */ 4887 si = 0; 4888 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4889 ifa = ifac->ifa; 4890 if (ifa->ifa_addr->sa_family == AF_INET) { 4891 si = (struct sockaddr_in *)ifa->ifa_addr; 4892 sm = (struct sockaddr_in *)ifa->ifa_netmask; 4893 if (si) 4894 break; 4895 } 4896 } 4897 if (ifac != NULL) { 4898 if (si && si->sin_addr.s_addr) { 4899 ssrc = si->sin_addr.s_addr; 4900 if (srcmask) 4901 *srcmask = ntohl(sm->sin_addr.s_addr); 4902 } 4903 4904 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 4905 if (si && si->sin_addr.s_addr) 4906 ddst = si->sin_addr.s_addr; 4907 } 4908 4909 if (dst) *dst = ntohl(ddst); 4910 if (src) *src = ntohl(ssrc); 4911 } 4912 4913 /* 4914 * Set my IP address. Must be called at splimp. 4915 */ 4916 static void 4917 sppp_set_ip_addr(struct sppp *sp, u_long src) 4918 { 4919 STDDCL; 4920 struct ifaddr_container *ifac; 4921 struct ifaddr *ifa = NULL; 4922 struct sockaddr_in *si; 4923 struct in_ifaddr *ia; 4924 4925 /* 4926 * Pick the first AF_INET address from the list, 4927 * aliases don't make any sense on a p2p link anyway. 4928 */ 4929 si = 0; 4930 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4931 ifa = ifac->ifa; 4932 if (ifa->ifa_addr->sa_family == AF_INET) { 4933 si = (struct sockaddr_in *)ifa->ifa_addr; 4934 if (si) 4935 break; 4936 } 4937 } 4938 4939 if (ifac != NULL && si != NULL) { 4940 int error; 4941 #if __NetBSD_Version__ >= 103080000 4942 struct sockaddr_in new_sin = *si; 4943 4944 new_sin.sin_addr.s_addr = htonl(src); 4945 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, 1); 4946 if(debug && error) 4947 { 4948 log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: in_ifinit " 4949 " failed, error=%d\n", SPP_ARGS(ifp), error); 4950 } 4951 #else 4952 /* delete old route */ 4953 error = rtinit(ifa, (int)RTM_DELETE, RTF_HOST); 4954 if(debug && error) 4955 { 4956 log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: rtinit DEL failed, error=%d\n", 4957 SPP_ARGS(ifp), error); 4958 } 4959 4960 ia = ifatoia(ifa); 4961 in_iahash_remove(ia); 4962 4963 /* set new address */ 4964 si->sin_addr.s_addr = htonl(src); 4965 in_iahash_insert(ia); 4966 4967 /* add new route */ 4968 error = rtinit(ifa, (int)RTM_ADD, RTF_HOST); 4969 if (debug && error) 4970 { 4971 log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: rtinit ADD failed, error=%d", 4972 SPP_ARGS(ifp), error); 4973 } 4974 #endif 4975 } 4976 } 4977 4978 #ifdef INET6 4979 /* 4980 * Get both IPv6 addresses. 4981 */ 4982 static void 4983 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 4984 struct in6_addr *srcmask) 4985 { 4986 struct ifnet *ifp = &sp->pp_if; 4987 struct ifaddr_container *ifac; 4988 struct ifaddr *ifa; 4989 struct sockaddr_in6 *si, *sm; 4990 struct in6_addr ssrc, ddst; 4991 4992 sm = NULL; 4993 bzero(&ssrc, sizeof(ssrc)); 4994 bzero(&ddst, sizeof(ddst)); 4995 /* 4996 * Pick the first link-local AF_INET6 address from the list, 4997 * aliases don't make any sense on a p2p link anyway. 4998 */ 4999 si = 0; 5000 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 5001 ifa = ifac->ifa; 5002 if (ifa->ifa_addr->sa_family == AF_INET6) { 5003 si = (struct sockaddr_in6 *)ifa->ifa_addr; 5004 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 5005 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) 5006 break; 5007 } 5008 } 5009 if (ifac != NULL) { 5010 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 5011 bcopy(&si->sin6_addr, &ssrc, sizeof(ssrc)); 5012 if (srcmask) { 5013 bcopy(&sm->sin6_addr, srcmask, 5014 sizeof(*srcmask)); 5015 } 5016 } 5017 5018 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 5019 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 5020 bcopy(&si->sin6_addr, &ddst, sizeof(ddst)); 5021 } 5022 5023 if (dst) 5024 bcopy(&ddst, dst, sizeof(*dst)); 5025 if (src) 5026 bcopy(&ssrc, src, sizeof(*src)); 5027 } 5028 5029 #ifdef IPV6CP_MYIFID_DYN 5030 /* 5031 * Generate random ifid. 5032 */ 5033 static void 5034 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5035 { 5036 /* TBD */ 5037 } 5038 5039 /* 5040 * Set my IPv6 address. Must be called at splimp. 5041 */ 5042 static void 5043 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5044 { 5045 STDDCL; 5046 struct ifaddr_container *ifac; 5047 struct ifaddr *ifa; 5048 struct sockaddr_in6 *sin6; 5049 5050 /* 5051 * Pick the first link-local AF_INET6 address from the list, 5052 * aliases don't make any sense on a p2p link anyway. 5053 */ 5054 5055 sin6 = NULL; 5056 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 5057 ifa = ifac->ifa; 5058 if (ifa->ifa_addr->sa_family == AF_INET6) { 5059 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5060 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 5061 break; 5062 } 5063 } 5064 5065 if (ifac != NULL && sin6 != NULL) { 5066 int error; 5067 struct sockaddr_in6 new_sin6 = *sin6; 5068 5069 bcopy(src, &new_sin6.sin6_addr, sizeof(new_sin6.sin6_addr)); 5070 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5071 if (debug && error) { 5072 log(LOG_DEBUG, SPP_FMT "sppp_set_ip6_addr: in6_ifinit " 5073 " failed, error=%d\n", SPP_ARGS(ifp), error); 5074 } 5075 } 5076 } 5077 #endif 5078 5079 /* 5080 * Suggest a candidate address to be used by peer. 5081 */ 5082 static void 5083 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5084 { 5085 struct in6_addr myaddr; 5086 struct timeval tv; 5087 5088 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5089 5090 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5091 microtime(&tv); 5092 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5093 myaddr.s6_addr[14] ^= 0xff; 5094 myaddr.s6_addr[15] ^= 0xff; 5095 } else { 5096 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5097 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5098 } 5099 if (suggest) 5100 bcopy(&myaddr, suggest, sizeof(myaddr)); 5101 } 5102 #endif /*INET6*/ 5103 5104 static int 5105 sppp_params(struct sppp *sp, u_long cmd, void *data) 5106 { 5107 u_long subcmd; 5108 struct ifreq *ifr = (struct ifreq *)data; 5109 struct spppreq *spr; 5110 int rv = 0; 5111 5112 spr = kmalloc(sizeof(struct spppreq), M_TEMP, M_INTWAIT); 5113 5114 /* 5115 * ifr->ifr_data is supposed to point to a struct spppreq. 5116 * Check the cmd word first before attempting to fetch all the 5117 * data. 5118 */ 5119 if ((subcmd = fuword(ifr->ifr_data)) == -1) { 5120 rv = EFAULT; 5121 goto quit; 5122 } 5123 5124 if (copyin((caddr_t)ifr->ifr_data, spr, sizeof(struct spppreq)) != 0) { 5125 rv = EFAULT; 5126 goto quit; 5127 } 5128 5129 switch (subcmd) { 5130 case (int)SPPPIOGDEFS: 5131 if (cmd != SIOCGIFGENERIC) { 5132 rv = EINVAL; 5133 break; 5134 } 5135 /* 5136 * We copy over the entire current state, but clean 5137 * out some of the stuff we don't wanna pass up. 5138 * Remember, SIOCGIFGENERIC is unprotected, and can be 5139 * called by any user. No need to ever get PAP or 5140 * CHAP secrets back to userland anyway. 5141 */ 5142 spr->defs.pp_phase = sp->pp_phase; 5143 spr->defs.enable_vj = (sp->confflags & CONF_ENABLE_VJ) != 0; 5144 spr->defs.enable_ipv6 = (sp->confflags & CONF_ENABLE_IPV6) != 0; 5145 spr->defs.lcp = sp->lcp; 5146 spr->defs.ipcp = sp->ipcp; 5147 spr->defs.ipv6cp = sp->ipv6cp; 5148 spr->defs.myauth = sp->myauth; 5149 spr->defs.hisauth = sp->hisauth; 5150 bzero(spr->defs.myauth.secret, AUTHKEYLEN); 5151 bzero(spr->defs.myauth.challenge, AUTHKEYLEN); 5152 bzero(spr->defs.hisauth.secret, AUTHKEYLEN); 5153 bzero(spr->defs.hisauth.challenge, AUTHKEYLEN); 5154 /* 5155 * Fixup the LCP timeout value to milliseconds so 5156 * spppcontrol doesn't need to bother about the value 5157 * of "hz". We do the reverse calculation below when 5158 * setting it. 5159 */ 5160 spr->defs.lcp.timeout = sp->lcp.timeout * 1000 / hz; 5161 rv = copyout(spr, (caddr_t)ifr->ifr_data, 5162 sizeof(struct spppreq)); 5163 break; 5164 5165 case (int)SPPPIOSDEFS: 5166 if (cmd != SIOCSIFGENERIC) { 5167 rv = EINVAL; 5168 break; 5169 } 5170 /* 5171 * We have a very specific idea of which fields we 5172 * allow being passed back from userland, so to not 5173 * clobber our current state. For one, we only allow 5174 * setting anything if LCP is in dead or establish 5175 * phase. Once the authentication negotiations 5176 * started, the authentication settings must not be 5177 * changed again. (The administrator can force an 5178 * ifconfig down in order to get LCP back into dead 5179 * phase.) 5180 * 5181 * Also, we only allow for authentication parameters to be 5182 * specified. 5183 * 5184 * XXX Should allow to set or clear pp_flags. 5185 * 5186 * Finally, if the respective authentication protocol to 5187 * be used is set differently than 0, but the secret is 5188 * passed as all zeros, we don't trash the existing secret. 5189 * This allows an administrator to change the system name 5190 * only without clobbering the secret (which he didn't get 5191 * back in a previous SPPPIOGDEFS call). However, the 5192 * secrets are cleared if the authentication protocol is 5193 * reset to 0. */ 5194 if (sp->pp_phase != PHASE_DEAD && 5195 sp->pp_phase != PHASE_ESTABLISH) { 5196 rv = EBUSY; 5197 break; 5198 } 5199 5200 if ((spr->defs.myauth.proto != 0 && spr->defs.myauth.proto != PPP_PAP && 5201 spr->defs.myauth.proto != PPP_CHAP) || 5202 (spr->defs.hisauth.proto != 0 && spr->defs.hisauth.proto != PPP_PAP && 5203 spr->defs.hisauth.proto != PPP_CHAP)) { 5204 rv = EINVAL; 5205 break; 5206 } 5207 5208 if (spr->defs.myauth.proto == 0) 5209 /* resetting myauth */ 5210 bzero(&sp->myauth, sizeof sp->myauth); 5211 else { 5212 /* setting/changing myauth */ 5213 sp->myauth.proto = spr->defs.myauth.proto; 5214 bcopy(spr->defs.myauth.name, sp->myauth.name, AUTHNAMELEN); 5215 if (spr->defs.myauth.secret[0] != '\0') 5216 bcopy(spr->defs.myauth.secret, sp->myauth.secret, 5217 AUTHKEYLEN); 5218 } 5219 if (spr->defs.hisauth.proto == 0) 5220 /* resetting hisauth */ 5221 bzero(&sp->hisauth, sizeof sp->hisauth); 5222 else { 5223 /* setting/changing hisauth */ 5224 sp->hisauth.proto = spr->defs.hisauth.proto; 5225 sp->hisauth.flags = spr->defs.hisauth.flags; 5226 bcopy(spr->defs.hisauth.name, sp->hisauth.name, AUTHNAMELEN); 5227 if (spr->defs.hisauth.secret[0] != '\0') 5228 bcopy(spr->defs.hisauth.secret, sp->hisauth.secret, 5229 AUTHKEYLEN); 5230 } 5231 /* set LCP restart timer timeout */ 5232 if (spr->defs.lcp.timeout != 0) 5233 sp->lcp.timeout = spr->defs.lcp.timeout * hz / 1000; 5234 /* set VJ enable and IPv6 disable flags */ 5235 #ifdef INET 5236 if (spr->defs.enable_vj) 5237 sp->confflags |= CONF_ENABLE_VJ; 5238 else 5239 sp->confflags &= ~CONF_ENABLE_VJ; 5240 #endif 5241 #ifdef INET6 5242 if (spr->defs.enable_ipv6) 5243 sp->confflags |= CONF_ENABLE_IPV6; 5244 else 5245 sp->confflags &= ~CONF_ENABLE_IPV6; 5246 #endif 5247 break; 5248 5249 default: 5250 rv = EINVAL; 5251 } 5252 5253 quit: 5254 kfree(spr, M_TEMP); 5255 5256 return (rv); 5257 } 5258 5259 static void 5260 sppp_phase_network(struct sppp *sp) 5261 { 5262 STDDCL; 5263 int i; 5264 u_long mask; 5265 5266 sp->pp_phase = PHASE_NETWORK; 5267 5268 if (debug) 5269 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 5270 sppp_phase_name(sp->pp_phase)); 5271 5272 /* Notify NCPs now. */ 5273 for (i = 0; i < IDX_COUNT; i++) 5274 if ((cps[i])->flags & CP_NCP) 5275 (cps[i])->Open(sp); 5276 5277 /* Send Up events to all NCPs. */ 5278 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5279 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) 5280 (cps[i])->Up(sp); 5281 5282 /* if no NCP is starting, all this was in vain, close down */ 5283 sppp_lcp_check_and_close(sp); 5284 } 5285 5286 5287 static const char * 5288 sppp_cp_type_name(u_char type) 5289 { 5290 static char buf[12]; 5291 switch (type) { 5292 case CONF_REQ: return "conf-req"; 5293 case CONF_ACK: return "conf-ack"; 5294 case CONF_NAK: return "conf-nak"; 5295 case CONF_REJ: return "conf-rej"; 5296 case TERM_REQ: return "term-req"; 5297 case TERM_ACK: return "term-ack"; 5298 case CODE_REJ: return "code-rej"; 5299 case PROTO_REJ: return "proto-rej"; 5300 case ECHO_REQ: return "echo-req"; 5301 case ECHO_REPLY: return "echo-reply"; 5302 case DISC_REQ: return "discard-req"; 5303 } 5304 ksnprintf (buf, sizeof(buf), "cp/0x%x", type); 5305 return buf; 5306 } 5307 5308 static const char * 5309 sppp_auth_type_name(u_short proto, u_char type) 5310 { 5311 static char buf[12]; 5312 switch (proto) { 5313 case PPP_CHAP: 5314 switch (type) { 5315 case CHAP_CHALLENGE: return "challenge"; 5316 case CHAP_RESPONSE: return "response"; 5317 case CHAP_SUCCESS: return "success"; 5318 case CHAP_FAILURE: return "failure"; 5319 } 5320 case PPP_PAP: 5321 switch (type) { 5322 case PAP_REQ: return "req"; 5323 case PAP_ACK: return "ack"; 5324 case PAP_NAK: return "nak"; 5325 } 5326 } 5327 ksnprintf (buf, sizeof(buf), "auth/0x%x", type); 5328 return buf; 5329 } 5330 5331 static const char * 5332 sppp_lcp_opt_name(u_char opt) 5333 { 5334 static char buf[12]; 5335 switch (opt) { 5336 case LCP_OPT_MRU: return "mru"; 5337 case LCP_OPT_ASYNC_MAP: return "async-map"; 5338 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 5339 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 5340 case LCP_OPT_MAGIC: return "magic"; 5341 case LCP_OPT_PROTO_COMP: return "proto-comp"; 5342 case LCP_OPT_ADDR_COMP: return "addr-comp"; 5343 } 5344 ksnprintf (buf, sizeof(buf), "lcp/0x%x", opt); 5345 return buf; 5346 } 5347 5348 static const char * 5349 sppp_ipcp_opt_name(u_char opt) 5350 { 5351 static char buf[12]; 5352 switch (opt) { 5353 case IPCP_OPT_ADDRESSES: return "addresses"; 5354 case IPCP_OPT_COMPRESSION: return "compression"; 5355 case IPCP_OPT_ADDRESS: return "address"; 5356 } 5357 ksnprintf (buf, sizeof(buf), "ipcp/0x%x", opt); 5358 return buf; 5359 } 5360 5361 #ifdef INET6 5362 static const char * 5363 sppp_ipv6cp_opt_name(u_char opt) 5364 { 5365 static char buf[12]; 5366 switch (opt) { 5367 case IPV6CP_OPT_IFID: return "ifid"; 5368 case IPV6CP_OPT_COMPRESSION: return "compression"; 5369 } 5370 ksprintf (buf, "0x%x", opt); 5371 return buf; 5372 } 5373 #endif 5374 5375 static const char * 5376 sppp_state_name(int state) 5377 { 5378 switch (state) { 5379 case STATE_INITIAL: return "initial"; 5380 case STATE_STARTING: return "starting"; 5381 case STATE_CLOSED: return "closed"; 5382 case STATE_STOPPED: return "stopped"; 5383 case STATE_CLOSING: return "closing"; 5384 case STATE_STOPPING: return "stopping"; 5385 case STATE_REQ_SENT: return "req-sent"; 5386 case STATE_ACK_RCVD: return "ack-rcvd"; 5387 case STATE_ACK_SENT: return "ack-sent"; 5388 case STATE_OPENED: return "opened"; 5389 } 5390 return "illegal"; 5391 } 5392 5393 static const char * 5394 sppp_phase_name(enum ppp_phase phase) 5395 { 5396 switch (phase) { 5397 case PHASE_DEAD: return "dead"; 5398 case PHASE_ESTABLISH: return "establish"; 5399 case PHASE_TERMINATE: return "terminate"; 5400 case PHASE_AUTHENTICATE: return "authenticate"; 5401 case PHASE_NETWORK: return "network"; 5402 } 5403 return "illegal"; 5404 } 5405 5406 static const char * 5407 sppp_proto_name(u_short proto) 5408 { 5409 static char buf[12]; 5410 switch (proto) { 5411 case PPP_LCP: return "lcp"; 5412 case PPP_IPCP: return "ipcp"; 5413 case PPP_PAP: return "pap"; 5414 case PPP_CHAP: return "chap"; 5415 case PPP_IPV6CP: return "ipv6cp"; 5416 } 5417 ksnprintf(buf, sizeof(buf), "proto/0x%x", (unsigned)proto); 5418 return buf; 5419 } 5420 5421 static void 5422 sppp_print_bytes(const u_char *p, u_short len) 5423 { 5424 if (len) 5425 log(-1, " %*D", len, p, "-"); 5426 } 5427 5428 static void 5429 sppp_print_string(const char *p, u_short len) 5430 { 5431 u_char c; 5432 5433 while (len-- > 0) { 5434 c = *p++; 5435 /* 5436 * Print only ASCII chars directly. RFC 1994 recommends 5437 * using only them, but we don't rely on it. */ 5438 if (c < ' ' || c > '~') 5439 log(-1, "\\x%x", c); 5440 else 5441 log(-1, "%c", c); 5442 } 5443 } 5444 5445 static const char * 5446 sppp_dotted_quad(u_long addr) 5447 { 5448 static char s[16]; 5449 ksprintf(s, "%d.%d.%d.%d", 5450 (int)((addr >> 24) & 0xff), 5451 (int)((addr >> 16) & 0xff), 5452 (int)((addr >> 8) & 0xff), 5453 (int)(addr & 0xff)); 5454 return s; 5455 } 5456 5457 static int 5458 sppp_strnlen(u_char *p, int max) 5459 { 5460 int len; 5461 5462 for (len = 0; len < max && *p; ++p) 5463 ++len; 5464 return len; 5465 } 5466 5467 /* a dummy, used to drop uninteresting events */ 5468 static void 5469 sppp_null(struct sppp *unused) 5470 { 5471 /* do just nothing */ 5472 } 5473