1 /* 2 * Synchronous PPP/Cisco link level subroutines. 3 * Keepalive protocol implemented in both Cisco and PPP modes. 4 * 5 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 6 * Author: Serge Vakulenko, <vak@cronyx.ru> 7 * 8 * Heavily revamped to conform to RFC 1661. 9 * Copyright (C) 1997, 2001 Joerg Wunsch. 10 * 11 * This software is distributed with NO WARRANTIES, not even the implied 12 * warranties for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 13 * 14 * Authors grant any other persons or organisations permission to use 15 * or modify this software as long as this message is kept with the software, 16 * all derivative works or modified versions. 17 * 18 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 19 * 20 * $FreeBSD: src/sys/net/if_spppsubr.c,v 1.59.2.13 2002/07/03 15:44:41 joerg Exp $ 21 * $DragonFly: src/sys/net/sppp/if_spppsubr.c,v 1.35 2008/06/09 11:24:24 sephe Exp $ 22 */ 23 24 #include <sys/param.h> 25 26 #if defined(__DragonFly__) 27 #include "opt_inet.h" 28 #include "opt_inet6.h" 29 #include "opt_ipx.h" 30 #endif 31 32 #ifdef NetBSD1_3 33 # if NetBSD1_3 > 6 34 # include "opt_inet.h" 35 # include "opt_inet6.h" 36 # include "opt_iso.h" 37 # endif 38 #endif 39 40 #include <sys/systm.h> 41 #include <sys/kernel.h> 42 #include <sys/module.h> 43 #include <sys/sockio.h> 44 #include <sys/socket.h> 45 #include <sys/syslog.h> 46 #if defined(__DragonFly__) 47 #include <sys/random.h> 48 #include <sys/thread2.h> 49 #endif 50 #include <sys/malloc.h> 51 #include <sys/mbuf.h> 52 53 #if defined (__OpenBSD__) 54 #include <sys/md5k.h> 55 #else 56 #include <sys/md5.h> 57 #endif 58 59 #include <net/if.h> 60 #include <net/ifq_var.h> 61 #include <net/netisr.h> 62 #include <net/if_types.h> 63 #include <net/route.h> 64 #include <netinet/in.h> 65 #include <netinet/in_systm.h> 66 #include <netinet/ip.h> 67 #include <net/slcompress.h> 68 69 #if defined (__NetBSD__) || defined (__OpenBSD__) 70 #include <machine/cpu.h> /* XXX for softnet */ 71 #endif 72 73 #include <machine/stdarg.h> 74 75 #include <netinet/in.h> 76 #include <netinet/in_systm.h> 77 #include <netinet/in_var.h> 78 79 #ifdef INET 80 #include <netinet/ip.h> 81 #include <netinet/tcp.h> 82 #endif 83 84 #if defined (__DragonFly__) || defined (__OpenBSD__) 85 # include <netinet/if_ether.h> 86 #else 87 # include <net/ethertypes.h> 88 #endif 89 90 #ifdef IPX 91 #include <netproto/ipx/ipx.h> 92 #include <netproto/ipx/ipx_if.h> 93 #endif 94 95 #ifdef NS 96 #include <netns/ns.h> 97 #include <netns/ns_if.h> 98 #endif 99 100 #include "if_sppp.h" 101 102 #define IOCTL_CMD_T u_long 103 #define MAXALIVECNT 3 /* max. alive packets */ 104 105 /* 106 * Interface flags that can be set in an ifconfig command. 107 * 108 * Setting link0 will make the link passive, i.e. it will be marked 109 * as being administrative openable, but won't be opened to begin 110 * with. Incoming calls will be answered, or subsequent calls with 111 * -link1 will cause the administrative open of the LCP layer. 112 * 113 * Setting link1 will cause the link to auto-dial only as packets 114 * arrive to be sent. 115 * 116 * Setting IFF_DEBUG will syslog the option negotiation and state 117 * transitions at level kern.debug. Note: all logs consistently look 118 * like 119 * 120 * <if-name><unit>: <proto-name> <additional info...> 121 * 122 * with <if-name><unit> being something like "bppp0", and <proto-name> 123 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 124 */ 125 126 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 127 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 128 #define IFF_CISCO IFF_LINK2 /* auto-dial on output */ 129 130 #define PPP_ALLSTATIONS 0xff /* All-Stations broadcast address */ 131 #define PPP_UI 0x03 /* Unnumbered Information */ 132 #define PPP_IP 0x0021 /* Internet Protocol */ 133 #define PPP_ISO 0x0023 /* ISO OSI Protocol */ 134 #define PPP_XNS 0x0025 /* Xerox NS Protocol */ 135 #define PPP_IPX 0x002b /* Novell IPX Protocol */ 136 #define PPP_VJ_COMP 0x002d /* VJ compressed TCP/IP */ 137 #define PPP_VJ_UCOMP 0x002f /* VJ uncompressed TCP/IP */ 138 #define PPP_IPV6 0x0057 /* Internet Protocol Version 6 */ 139 #define PPP_LCP 0xc021 /* Link Control Protocol */ 140 #define PPP_PAP 0xc023 /* Password Authentication Protocol */ 141 #define PPP_CHAP 0xc223 /* Challenge-Handshake Auth Protocol */ 142 #define PPP_IPCP 0x8021 /* Internet Protocol Control Protocol */ 143 #define PPP_IPV6CP 0x8057 /* IPv6 Control Protocol */ 144 145 #define CONF_REQ 1 /* PPP configure request */ 146 #define CONF_ACK 2 /* PPP configure acknowledge */ 147 #define CONF_NAK 3 /* PPP configure negative ack */ 148 #define CONF_REJ 4 /* PPP configure reject */ 149 #define TERM_REQ 5 /* PPP terminate request */ 150 #define TERM_ACK 6 /* PPP terminate acknowledge */ 151 #define CODE_REJ 7 /* PPP code reject */ 152 #define PROTO_REJ 8 /* PPP protocol reject */ 153 #define ECHO_REQ 9 /* PPP echo request */ 154 #define ECHO_REPLY 10 /* PPP echo reply */ 155 #define DISC_REQ 11 /* PPP discard request */ 156 157 #define LCP_OPT_MRU 1 /* maximum receive unit */ 158 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 159 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 160 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 161 #define LCP_OPT_MAGIC 5 /* magic number */ 162 #define LCP_OPT_RESERVED 6 /* reserved */ 163 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 164 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 165 166 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 167 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol (VJ) */ 168 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 169 170 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 171 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 172 173 #define IPCP_COMP_VJ 0x2d /* Code for VJ compression */ 174 175 #define PAP_REQ 1 /* PAP name/password request */ 176 #define PAP_ACK 2 /* PAP acknowledge */ 177 #define PAP_NAK 3 /* PAP fail */ 178 179 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 180 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 181 #define CHAP_SUCCESS 3 /* CHAP response ok */ 182 #define CHAP_FAILURE 4 /* CHAP response failed */ 183 184 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 185 186 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 187 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 188 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 189 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 190 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 191 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 192 193 /* states are named and numbered according to RFC 1661 */ 194 #define STATE_INITIAL 0 195 #define STATE_STARTING 1 196 #define STATE_CLOSED 2 197 #define STATE_STOPPED 3 198 #define STATE_CLOSING 4 199 #define STATE_STOPPING 5 200 #define STATE_REQ_SENT 6 201 #define STATE_ACK_RCVD 7 202 #define STATE_ACK_SENT 8 203 #define STATE_OPENED 9 204 205 struct ppp_header { 206 u_char address; 207 u_char control; 208 u_short protocol; 209 } __attribute__((__packed__)); 210 #define PPP_HEADER_LEN sizeof (struct ppp_header) 211 212 struct lcp_header { 213 u_char type; 214 u_char ident; 215 u_short len; 216 } __attribute__((__packed__)); 217 #define LCP_HEADER_LEN sizeof (struct lcp_header) 218 219 struct cisco_packet { 220 u_long type; 221 u_long par1; 222 u_long par2; 223 u_short rel; 224 u_short time0; 225 u_short time1; 226 } __attribute__((__packed__)); 227 #define CISCO_PACKET_LEN sizeof (struct cisco_packet) 228 229 /* 230 * We follow the spelling and capitalization of RFC 1661 here, to make 231 * it easier comparing with the standard. Please refer to this RFC in 232 * case you can't make sense out of these abbreviation; it will also 233 * explain the semantics related to the various events and actions. 234 */ 235 struct cp { 236 u_short proto; /* PPP control protocol number */ 237 u_char protoidx; /* index into state table in struct sppp */ 238 u_char flags; 239 #define CP_LCP 0x01 /* this is the LCP */ 240 #define CP_AUTH 0x02 /* this is an authentication protocol */ 241 #define CP_NCP 0x04 /* this is a NCP */ 242 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 243 const char *name; /* name of this control protocol */ 244 /* event handlers */ 245 void (*Up)(struct sppp *sp); 246 void (*Down)(struct sppp *sp); 247 void (*Open)(struct sppp *sp); 248 void (*Close)(struct sppp *sp); 249 void (*TO)(void *sp); 250 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 251 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 252 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 253 /* actions */ 254 void (*tlu)(struct sppp *sp); 255 void (*tld)(struct sppp *sp); 256 void (*tls)(struct sppp *sp); 257 void (*tlf)(struct sppp *sp); 258 void (*scr)(struct sppp *sp); 259 }; 260 261 static struct sppp *spppq; 262 #if defined(__DragonFly__) 263 static struct callout keepalive_timeout; 264 #endif 265 266 #if defined(__FreeBSD__) && __FreeBSD__ >= 3 && !defined(__DragonFly__) 267 #define SPP_FMT "%s%d: " 268 #define SPP_ARGS(ifp) (ifp)->if_name, (ifp)->if_unit 269 #else 270 #define SPP_FMT "%s: " 271 #define SPP_ARGS(ifp) (ifp)->if_xname 272 #endif 273 274 #ifdef INET 275 /* 276 * The following disgusting hack gets around the problem that IP TOS 277 * can't be set yet. We want to put "interactive" traffic on a high 278 * priority queue. To decide if traffic is interactive, we check that 279 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 280 * 281 * XXX is this really still necessary? - joerg - 282 */ 283 static u_short interactive_ports[8] = { 284 0, 513, 0, 0, 285 0, 21, 0, 23, 286 }; 287 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 288 #endif 289 290 /* almost every function needs these */ 291 #define STDDCL \ 292 struct ifnet *ifp = &sp->pp_if; \ 293 int debug = ifp->if_flags & IFF_DEBUG 294 295 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 296 struct sockaddr *dst, struct rtentry *rt); 297 298 static void sppp_cisco_send(struct sppp *sp, int type, long par1, long par2); 299 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 300 301 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 302 struct mbuf *m); 303 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 304 u_char ident, u_short len, void *data); 305 /* static void sppp_cp_timeout(void *arg); */ 306 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 307 int newstate); 308 static void sppp_auth_send(const struct cp *cp, 309 struct sppp *sp, unsigned int type, unsigned int id, 310 ...); 311 312 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 313 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 314 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 315 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 316 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 317 318 static void sppp_null(struct sppp *sp); 319 320 static void sppp_lcp_init(struct sppp *sp); 321 static void sppp_lcp_up(struct sppp *sp); 322 static void sppp_lcp_down(struct sppp *sp); 323 static void sppp_lcp_open(struct sppp *sp); 324 static void sppp_lcp_close(struct sppp *sp); 325 static void sppp_lcp_TO(void *sp); 326 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 327 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 328 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 329 static void sppp_lcp_tlu(struct sppp *sp); 330 static void sppp_lcp_tld(struct sppp *sp); 331 static void sppp_lcp_tls(struct sppp *sp); 332 static void sppp_lcp_tlf(struct sppp *sp); 333 static void sppp_lcp_scr(struct sppp *sp); 334 static void sppp_lcp_check_and_close(struct sppp *sp); 335 static int sppp_ncp_check(struct sppp *sp); 336 337 static void sppp_ipcp_init(struct sppp *sp); 338 static void sppp_ipcp_up(struct sppp *sp); 339 static void sppp_ipcp_down(struct sppp *sp); 340 static void sppp_ipcp_open(struct sppp *sp); 341 static void sppp_ipcp_close(struct sppp *sp); 342 static void sppp_ipcp_TO(void *sp); 343 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 344 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 345 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 346 static void sppp_ipcp_tlu(struct sppp *sp); 347 static void sppp_ipcp_tld(struct sppp *sp); 348 static void sppp_ipcp_tls(struct sppp *sp); 349 static void sppp_ipcp_tlf(struct sppp *sp); 350 static void sppp_ipcp_scr(struct sppp *sp); 351 352 static void sppp_ipv6cp_init(struct sppp *sp); 353 static void sppp_ipv6cp_up(struct sppp *sp); 354 static void sppp_ipv6cp_down(struct sppp *sp); 355 static void sppp_ipv6cp_open(struct sppp *sp); 356 static void sppp_ipv6cp_close(struct sppp *sp); 357 static void sppp_ipv6cp_TO(void *sp); 358 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 359 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 360 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 361 static void sppp_ipv6cp_tlu(struct sppp *sp); 362 static void sppp_ipv6cp_tld(struct sppp *sp); 363 static void sppp_ipv6cp_tls(struct sppp *sp); 364 static void sppp_ipv6cp_tlf(struct sppp *sp); 365 static void sppp_ipv6cp_scr(struct sppp *sp); 366 367 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 368 static void sppp_pap_init(struct sppp *sp); 369 static void sppp_pap_open(struct sppp *sp); 370 static void sppp_pap_close(struct sppp *sp); 371 static void sppp_pap_TO(void *sp); 372 static void sppp_pap_my_TO(void *sp); 373 static void sppp_pap_tlu(struct sppp *sp); 374 static void sppp_pap_tld(struct sppp *sp); 375 static void sppp_pap_scr(struct sppp *sp); 376 377 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 378 static void sppp_chap_init(struct sppp *sp); 379 static void sppp_chap_open(struct sppp *sp); 380 static void sppp_chap_close(struct sppp *sp); 381 static void sppp_chap_TO(void *sp); 382 static void sppp_chap_tlu(struct sppp *sp); 383 static void sppp_chap_tld(struct sppp *sp); 384 static void sppp_chap_scr(struct sppp *sp); 385 386 static const char *sppp_auth_type_name(u_short proto, u_char type); 387 static const char *sppp_cp_type_name(u_char type); 388 static const char *sppp_dotted_quad(u_long addr); 389 static const char *sppp_ipcp_opt_name(u_char opt); 390 #ifdef INET6 391 static const char *sppp_ipv6cp_opt_name(u_char opt); 392 #endif 393 static const char *sppp_lcp_opt_name(u_char opt); 394 static const char *sppp_phase_name(enum ppp_phase phase); 395 static const char *sppp_proto_name(u_short proto); 396 static const char *sppp_state_name(int state); 397 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 398 static int sppp_strnlen(u_char *p, int max); 399 static void sppp_get_ip_addrs(struct sppp *sp, u_long *src, u_long *dst, 400 u_long *srcmask); 401 static void sppp_keepalive(void *dummy); 402 static void sppp_phase_network(struct sppp *sp); 403 static void sppp_print_bytes(const u_char *p, u_short len); 404 static void sppp_print_string(const char *p, u_short len); 405 static void sppp_set_ip_addr(struct sppp *sp, u_long src); 406 #ifdef INET6 407 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 408 struct in6_addr *dst, struct in6_addr *srcmask); 409 #ifdef IPV6CP_MYIFID_DYN 410 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 411 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 412 #endif 413 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 414 #endif 415 416 /* our control protocol descriptors */ 417 static const struct cp lcp = { 418 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 419 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 420 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 421 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 422 sppp_lcp_scr 423 }; 424 425 static const struct cp ipcp = { 426 PPP_IPCP, IDX_IPCP, CP_NCP, "ipcp", 427 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 428 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 429 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 430 sppp_ipcp_scr 431 }; 432 433 static const struct cp ipv6cp = { 434 PPP_IPV6CP, IDX_IPV6CP, 435 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 436 CP_NCP, 437 #else 438 0, 439 #endif 440 "ipv6cp", 441 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 442 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 443 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 444 sppp_ipv6cp_scr 445 }; 446 447 static const struct cp pap = { 448 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 449 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 450 sppp_pap_TO, 0, 0, 0, 451 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 452 sppp_pap_scr 453 }; 454 455 static const struct cp chap = { 456 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 457 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 458 sppp_chap_TO, 0, 0, 0, 459 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 460 sppp_chap_scr 461 }; 462 463 static const struct cp *cps[IDX_COUNT] = { 464 &lcp, /* IDX_LCP */ 465 &ipcp, /* IDX_IPCP */ 466 &ipv6cp, /* IDX_IPV6CP */ 467 &pap, /* IDX_PAP */ 468 &chap, /* IDX_CHAP */ 469 }; 470 471 static int 472 sppp_modevent(module_t mod, int type, void *unused) 473 { 474 switch (type) { 475 case MOD_LOAD: 476 break; 477 case MOD_UNLOAD: 478 return EACCES; 479 break; 480 default: 481 break; 482 } 483 return 0; 484 } 485 static moduledata_t spppmod = { 486 "sppp", 487 sppp_modevent, 488 0 489 }; 490 MODULE_VERSION(sppp, 1); 491 DECLARE_MODULE(sppp, spppmod, SI_SUB_DRIVERS, SI_ORDER_ANY); 492 493 /* 494 * Exported functions, comprising our interface to the lower layer. 495 */ 496 497 /* 498 * Process the received packet. 499 */ 500 void 501 sppp_input(struct ifnet *ifp, struct mbuf *m) 502 { 503 struct ppp_header *h; 504 int isr = -1; 505 struct sppp *sp = (struct sppp *)ifp; 506 u_char *iphdr; 507 int hlen, vjlen, do_account = 0; 508 int debug = ifp->if_flags & IFF_DEBUG; 509 510 if (ifp->if_flags & IFF_UP) 511 /* Count received bytes, add FCS and one flag */ 512 ifp->if_ibytes += m->m_pkthdr.len + 3; 513 514 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 515 /* Too small packet, drop it. */ 516 if (debug) 517 log(LOG_DEBUG, 518 SPP_FMT "input packet is too small, %d bytes\n", 519 SPP_ARGS(ifp), m->m_pkthdr.len); 520 drop: 521 m_freem (m); 522 drop2: 523 ++ifp->if_ierrors; 524 ++ifp->if_iqdrops; 525 return; 526 } 527 528 /* Get PPP header. */ 529 h = mtod (m, struct ppp_header*); 530 m_adj (m, PPP_HEADER_LEN); 531 532 switch (h->address) { 533 case PPP_ALLSTATIONS: 534 if (h->control != PPP_UI) 535 goto invalid; 536 if (sp->pp_mode == IFF_CISCO) { 537 if (debug) 538 log(LOG_DEBUG, 539 SPP_FMT "PPP packet in Cisco mode " 540 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 541 SPP_ARGS(ifp), 542 h->address, h->control, ntohs(h->protocol)); 543 goto drop; 544 } 545 switch (ntohs (h->protocol)) { 546 default: 547 if (debug) 548 log(LOG_DEBUG, 549 SPP_FMT "rejecting protocol " 550 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 551 SPP_ARGS(ifp), 552 h->address, h->control, ntohs(h->protocol)); 553 if (sp->state[IDX_LCP] == STATE_OPENED) 554 sppp_cp_send (sp, PPP_LCP, PROTO_REJ, 555 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 556 &h->protocol); 557 ++ifp->if_noproto; 558 goto drop; 559 case PPP_LCP: 560 sppp_cp_input(&lcp, sp, m); 561 m_freem (m); 562 return; 563 case PPP_PAP: 564 if (sp->pp_phase >= PHASE_AUTHENTICATE) 565 sppp_pap_input(sp, m); 566 m_freem (m); 567 return; 568 case PPP_CHAP: 569 if (sp->pp_phase >= PHASE_AUTHENTICATE) 570 sppp_chap_input(sp, m); 571 m_freem (m); 572 return; 573 #ifdef INET 574 case PPP_IPCP: 575 if (sp->pp_phase == PHASE_NETWORK) 576 sppp_cp_input(&ipcp, sp, m); 577 m_freem (m); 578 return; 579 case PPP_IP: 580 if (sp->state[IDX_IPCP] == STATE_OPENED) { 581 isr = NETISR_IP; 582 } 583 do_account++; 584 break; 585 case PPP_VJ_COMP: 586 if (sp->state[IDX_IPCP] == STATE_OPENED) { 587 if ((vjlen = 588 sl_uncompress_tcp_core(mtod(m, u_char *), 589 m->m_len, m->m_len, 590 TYPE_COMPRESSED_TCP, 591 sp->pp_comp, 592 &iphdr, &hlen)) <= 0) { 593 if (debug) 594 log(LOG_INFO, 595 SPP_FMT "VJ uncompress failed on compressed packet\n", 596 SPP_ARGS(ifp)); 597 goto drop; 598 } 599 600 /* 601 * Trim the VJ header off the packet, and prepend 602 * the uncompressed IP header (which will usually 603 * end up in two chained mbufs since there's not 604 * enough leading space in the existing mbuf). 605 */ 606 m_adj(m, vjlen); 607 M_PREPEND(m, hlen, MB_DONTWAIT); 608 if (m == NULL) 609 goto drop2; 610 bcopy(iphdr, mtod(m, u_char *), hlen); 611 612 isr = NETISR_IP; 613 } 614 do_account++; 615 break; 616 case PPP_VJ_UCOMP: 617 if (sp->state[IDX_IPCP] == STATE_OPENED) { 618 if (sl_uncompress_tcp_core(mtod(m, u_char *), 619 m->m_len, m->m_len, 620 TYPE_UNCOMPRESSED_TCP, 621 sp->pp_comp, 622 &iphdr, &hlen) != 0) { 623 if (debug) 624 log(LOG_INFO, 625 SPP_FMT "VJ uncompress failed on uncompressed packet\n", 626 SPP_ARGS(ifp)); 627 goto drop; 628 } 629 isr = NETISR_IP; 630 } 631 do_account++; 632 break; 633 #endif 634 #ifdef INET6 635 case PPP_IPV6CP: 636 if (sp->pp_phase == PHASE_NETWORK) 637 sppp_cp_input(&ipv6cp, sp, m); 638 m_freem (m); 639 return; 640 641 case PPP_IPV6: 642 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 643 isr = NETISR_IPV6; 644 } 645 do_account++; 646 break; 647 #endif 648 #ifdef IPX 649 case PPP_IPX: 650 /* IPX IPXCP not implemented yet */ 651 if (sp->pp_phase == PHASE_NETWORK) { 652 isr = NETISR_IPX; 653 } 654 do_account++; 655 break; 656 #endif 657 #ifdef NS 658 case PPP_XNS: 659 /* XNS IDPCP not implemented yet */ 660 if (sp->pp_phase == PHASE_NETWORK) { 661 isr = NETISR_NS; 662 } 663 do_account++; 664 break; 665 #endif 666 } 667 break; 668 case CISCO_MULTICAST: 669 case CISCO_UNICAST: 670 /* Don't check the control field here (RFC 1547). */ 671 if (sp->pp_mode != IFF_CISCO) { 672 if (debug) 673 log(LOG_DEBUG, 674 SPP_FMT "Cisco packet in PPP mode " 675 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 676 SPP_ARGS(ifp), 677 h->address, h->control, ntohs(h->protocol)); 678 goto drop; 679 } 680 switch (ntohs (h->protocol)) { 681 default: 682 ++ifp->if_noproto; 683 goto invalid; 684 case CISCO_KEEPALIVE: 685 sppp_cisco_input ((struct sppp*) ifp, m); 686 m_freem (m); 687 return; 688 #ifdef INET 689 case ETHERTYPE_IP: 690 isr = NETISR_IP; 691 do_account++; 692 break; 693 #endif 694 #ifdef INET6 695 case ETHERTYPE_IPV6: 696 isr = NETISR_IPV6; 697 do_account++; 698 break; 699 #endif 700 #ifdef IPX 701 case ETHERTYPE_IPX: 702 isr = NETISR_IPX; 703 do_account++; 704 break; 705 #endif 706 #ifdef NS 707 case ETHERTYPE_NS: 708 isr = NETISR_NS 709 do_account++; 710 break; 711 #endif 712 } 713 break; 714 default: /* Invalid PPP packet. */ 715 invalid: 716 if (debug) 717 log(LOG_DEBUG, 718 SPP_FMT "invalid input packet " 719 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 720 SPP_ARGS(ifp), 721 h->address, h->control, ntohs(h->protocol)); 722 goto drop; 723 } 724 725 if (! (ifp->if_flags & IFF_UP) || isr < 0) 726 goto drop; 727 728 /* Check queue. */ 729 730 netisr_dispatch(isr, m); 731 if (do_account) 732 /* 733 * Do only account for network packets, not for control 734 * packets. This is used by some subsystems to detect 735 * idle lines. 736 */ 737 sp->pp_last_recv = time_second; 738 } 739 740 /* 741 * Enqueue transmit packet. 742 */ 743 static int 744 sppp_output_serialized(struct ifnet *ifp, struct mbuf *m, 745 struct sockaddr *dst, struct rtentry *rt) 746 { 747 struct sppp *sp = (struct sppp*) ifp; 748 struct ppp_header *h; 749 struct ifqueue *ifq = NULL; 750 int rv = 0; 751 int ipproto = PPP_IP; 752 int debug = ifp->if_flags & IFF_DEBUG; 753 struct altq_pktattr pktattr; 754 755 crit_enter(); 756 757 if ((ifp->if_flags & IFF_UP) == 0 || 758 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 759 #ifdef INET6 760 drop: 761 #endif 762 m_freem (m); 763 crit_exit(); 764 return (ENETDOWN); 765 } 766 767 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 768 #ifdef INET6 769 /* 770 * XXX 771 * 772 * Hack to prevent the initialization-time generated 773 * IPv6 multicast packet to erroneously cause a 774 * dialout event in case IPv6 has been 775 * administratively disabled on that interface. 776 */ 777 if (dst->sa_family == AF_INET6 && 778 !(sp->confflags & CONF_ENABLE_IPV6)) 779 goto drop; 780 #endif 781 /* 782 * Interface is not yet running, but auto-dial. Need 783 * to start LCP for it. 784 */ 785 ifp->if_flags |= IFF_RUNNING; 786 crit_exit(); 787 lcp.Open(sp); 788 crit_enter(); 789 } 790 791 /* 792 * if the queueing discipline needs packet classification, 793 * do it before prepending link headers. 794 */ 795 ifq_classify(&ifp->if_snd, m, dst->sa_family, &pktattr); 796 797 #ifdef INET 798 if (dst->sa_family == AF_INET) { 799 /* XXX Check mbuf length here? */ 800 struct ip *ip = mtod (m, struct ip*); 801 struct tcphdr *tcp = (struct tcphdr*) ((long*)ip + ip->ip_hl); 802 803 /* 804 * When using dynamic local IP address assignment by using 805 * 0.0.0.0 as a local address, the first TCP session will 806 * not connect because the local TCP checksum is computed 807 * using 0.0.0.0 which will later become our real IP address 808 * so the TCP checksum computed at the remote end will 809 * become invalid. So we 810 * - don't let packets with src ip addr 0 thru 811 * - we flag TCP packets with src ip 0 as an error 812 */ 813 814 if(ip->ip_src.s_addr == INADDR_ANY) /* -hm */ 815 { 816 m_freem(m); 817 crit_exit(); 818 if(ip->ip_p == IPPROTO_TCP) 819 return(EADDRNOTAVAIL); 820 else 821 return(0); 822 } 823 824 /* 825 * Put low delay, telnet, rlogin and ftp control packets 826 * in front of the queue. 827 */ 828 if (IF_QFULL (&sp->pp_fastq)) 829 ; 830 else if (ip->ip_tos & IPTOS_LOWDELAY) 831 ifq = &sp->pp_fastq; 832 else if (m->m_len < sizeof *ip + sizeof *tcp) 833 ; 834 else if (ip->ip_p != IPPROTO_TCP) 835 ; 836 else if (INTERACTIVE (ntohs (tcp->th_sport))) 837 ifq = &sp->pp_fastq; 838 else if (INTERACTIVE (ntohs (tcp->th_dport))) 839 ifq = &sp->pp_fastq; 840 841 /* 842 * Do IP Header compression 843 */ 844 if (sp->pp_mode != IFF_CISCO && (sp->ipcp.flags & IPCP_VJ) && 845 ip->ip_p == IPPROTO_TCP) 846 switch (sl_compress_tcp(m, ip, sp->pp_comp, 847 sp->ipcp.compress_cid)) { 848 case TYPE_COMPRESSED_TCP: 849 ipproto = PPP_VJ_COMP; 850 break; 851 case TYPE_UNCOMPRESSED_TCP: 852 ipproto = PPP_VJ_UCOMP; 853 break; 854 case TYPE_IP: 855 ipproto = PPP_IP; 856 break; 857 default: 858 m_freem(m); 859 crit_exit(); 860 return (EINVAL); 861 } 862 } 863 #endif 864 865 #ifdef INET6 866 if (dst->sa_family == AF_INET6) { 867 /* XXX do something tricky here? */ 868 } 869 #endif 870 871 /* 872 * Prepend general data packet PPP header. For now, IP only. 873 */ 874 M_PREPEND (m, PPP_HEADER_LEN, MB_DONTWAIT); 875 if (! m) { 876 if (debug) 877 log(LOG_DEBUG, SPP_FMT "no memory for transmit header\n", 878 SPP_ARGS(ifp)); 879 ++ifp->if_oerrors; 880 crit_exit(); 881 return (ENOBUFS); 882 } 883 /* 884 * May want to check size of packet 885 * (albeit due to the implementation it's always enough) 886 */ 887 h = mtod (m, struct ppp_header*); 888 if (sp->pp_mode == IFF_CISCO) { 889 h->address = CISCO_UNICAST; /* unicast address */ 890 h->control = 0; 891 } else { 892 h->address = PPP_ALLSTATIONS; /* broadcast address */ 893 h->control = PPP_UI; /* Unnumbered Info */ 894 } 895 896 switch (dst->sa_family) { 897 #ifdef INET 898 case AF_INET: /* Internet Protocol */ 899 if (sp->pp_mode == IFF_CISCO) 900 h->protocol = htons (ETHERTYPE_IP); 901 else { 902 /* 903 * Don't choke with an ENETDOWN early. It's 904 * possible that we just started dialing out, 905 * so don't drop the packet immediately. If 906 * we notice that we run out of buffer space 907 * below, we will however remember that we are 908 * not ready to carry IP packets, and return 909 * ENETDOWN, as opposed to ENOBUFS. 910 */ 911 h->protocol = htons(ipproto); 912 if (sp->state[IDX_IPCP] != STATE_OPENED) 913 rv = ENETDOWN; 914 } 915 break; 916 #endif 917 #ifdef INET6 918 case AF_INET6: /* Internet Protocol */ 919 if (sp->pp_mode == IFF_CISCO) 920 h->protocol = htons (ETHERTYPE_IPV6); 921 else { 922 /* 923 * Don't choke with an ENETDOWN early. It's 924 * possible that we just started dialing out, 925 * so don't drop the packet immediately. If 926 * we notice that we run out of buffer space 927 * below, we will however remember that we are 928 * not ready to carry IP packets, and return 929 * ENETDOWN, as opposed to ENOBUFS. 930 */ 931 h->protocol = htons(PPP_IPV6); 932 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 933 rv = ENETDOWN; 934 } 935 break; 936 #endif 937 #ifdef NS 938 case AF_NS: /* Xerox NS Protocol */ 939 h->protocol = htons (sp->pp_mode == IFF_CISCO ? 940 ETHERTYPE_NS : PPP_XNS); 941 break; 942 #endif 943 #ifdef IPX 944 case AF_IPX: /* Novell IPX Protocol */ 945 h->protocol = htons (sp->pp_mode == IFF_CISCO ? 946 ETHERTYPE_IPX : PPP_IPX); 947 break; 948 #endif 949 default: 950 m_freem (m); 951 ++ifp->if_oerrors; 952 crit_exit(); 953 return (EAFNOSUPPORT); 954 } 955 956 /* 957 * Queue message on interface, and start output if interface 958 * not yet active. 959 */ 960 if (ifq != NULL) { 961 if (IF_QFULL(ifq)) { 962 IF_DROP(ifq); 963 m_freem(m); 964 rv = ENOBUFS; 965 ifq->ifq_drops++; 966 } else { 967 IF_ENQUEUE(ifq, m); 968 rv = 0; 969 } 970 } else { 971 rv = ifq_enqueue(&ifp->if_snd, m, &pktattr); 972 } 973 if (rv) { 974 ++ifp->if_oerrors; 975 crit_exit(); 976 return(rv); 977 } 978 if (! (ifp->if_flags & IFF_OACTIVE)) 979 (*ifp->if_start) (ifp); 980 981 /* 982 * Count output packets and bytes. 983 * The packet length includes header, FCS and 1 flag, 984 * according to RFC 1333. 985 */ 986 ifp->if_obytes += m->m_pkthdr.len + 3; 987 988 /* 989 * Unlike in sppp_input(), we can always bump the timestamp 990 * here since sppp_output() is only called on behalf of 991 * network-layer traffic; control-layer traffic is handled 992 * by sppp_cp_send(). 993 */ 994 sp->pp_last_sent = time_second; 995 996 crit_exit(); 997 return (0); 998 } 999 1000 static int 1001 sppp_output(struct ifnet *ifp, struct mbuf *m, 1002 struct sockaddr *dst, struct rtentry *rt) 1003 { 1004 int error; 1005 1006 lwkt_serialize_enter(ifp->if_serializer); 1007 error = sppp_output_serialized(ifp, m, dst, rt); 1008 lwkt_serialize_exit(ifp->if_serializer); 1009 1010 return error; 1011 } 1012 1013 void 1014 sppp_attach(struct ifnet *ifp) 1015 { 1016 struct sppp *sp = (struct sppp*) ifp; 1017 1018 /* Initialize keepalive handler. */ 1019 if (!spppq) { 1020 callout_reset(&keepalive_timeout, hz * 10, 1021 sppp_keepalive, NULL); 1022 } 1023 /* Insert new entry into the keepalive list. */ 1024 sp->pp_next = spppq; 1025 spppq = sp; 1026 1027 sp->pp_if.if_mtu = PP_MTU; 1028 sp->pp_if.if_flags = IFF_POINTOPOINT | IFF_MULTICAST; 1029 sp->pp_if.if_type = IFT_PPP; 1030 sp->pp_if.if_output = sppp_output; 1031 #if 0 1032 sp->pp_flags = PP_KEEPALIVE; 1033 #endif 1034 sp->pp_if.if_snd.ifq_maxlen = 32; 1035 sp->pp_fastq.ifq_maxlen = 32; 1036 sp->pp_cpq.ifq_maxlen = 20; 1037 sp->pp_loopcnt = 0; 1038 sp->pp_alivecnt = 0; 1039 bzero(&sp->pp_seq[0], sizeof(sp->pp_seq)); 1040 bzero(&sp->pp_rseq[0], sizeof(sp->pp_rseq)); 1041 sp->pp_phase = PHASE_DEAD; 1042 sp->pp_up = lcp.Up; 1043 sp->pp_down = lcp.Down; 1044 sp->pp_last_recv = sp->pp_last_sent = time_second; 1045 sp->confflags = 0; 1046 #ifdef INET 1047 sp->confflags |= CONF_ENABLE_VJ; 1048 #endif 1049 #ifdef INET6 1050 sp->confflags |= CONF_ENABLE_IPV6; 1051 #endif 1052 sp->pp_comp = kmalloc(sizeof(struct slcompress), M_TEMP, M_WAITOK); 1053 sl_compress_init(sp->pp_comp, -1); 1054 sppp_lcp_init(sp); 1055 sppp_ipcp_init(sp); 1056 sppp_ipv6cp_init(sp); 1057 sppp_pap_init(sp); 1058 sppp_chap_init(sp); 1059 } 1060 1061 void 1062 sppp_detach(struct ifnet *ifp) 1063 { 1064 struct sppp **q, *p, *sp = (struct sppp*) ifp; 1065 int i; 1066 1067 /* Remove the entry from the keepalive list. */ 1068 for (q = &spppq; (p = *q); q = &p->pp_next) 1069 if (p == sp) { 1070 *q = p->pp_next; 1071 break; 1072 } 1073 1074 /* Stop keepalive handler. */ 1075 if (!spppq) 1076 callout_stop(&keepalive_timeout); 1077 1078 for (i = 0; i < IDX_COUNT; i++) 1079 callout_stop(&sp->timeout[i]); 1080 callout_stop(&sp->pap_my_to); 1081 } 1082 1083 /* 1084 * Flush the interface output queue. 1085 */ 1086 void 1087 sppp_flush(struct ifnet *ifp) 1088 { 1089 struct sppp *sp = (struct sppp*) ifp; 1090 1091 ifq_purge(&sp->pp_if.if_snd); 1092 IF_DRAIN(&sp->pp_fastq); 1093 IF_DRAIN(&sp->pp_cpq); 1094 } 1095 1096 /* 1097 * Check if the output queue is empty. 1098 */ 1099 int 1100 sppp_isempty(struct ifnet *ifp) 1101 { 1102 struct sppp *sp = (struct sppp*) ifp; 1103 int empty; 1104 1105 crit_enter(); 1106 empty = IF_QEMPTY(&sp->pp_fastq) && IF_QEMPTY(&sp->pp_cpq) && 1107 ifq_is_empty(&sp->pp_if.if_snd); 1108 crit_exit(); 1109 return (empty); 1110 } 1111 1112 /* 1113 * Get next packet to send. 1114 */ 1115 struct mbuf * 1116 sppp_dequeue(struct ifnet *ifp) 1117 { 1118 struct sppp *sp = (struct sppp*) ifp; 1119 struct mbuf *m; 1120 1121 crit_enter(); 1122 1123 /* 1124 * Process only the control protocol queue until we have at 1125 * least one NCP open. 1126 * 1127 * Do always serve all three queues in Cisco mode. 1128 */ 1129 IF_DEQUEUE(&sp->pp_cpq, m); 1130 if (m == NULL && 1131 (sppp_ncp_check(sp) || sp->pp_mode == IFF_CISCO)) { 1132 IF_DEQUEUE(&sp->pp_fastq, m); 1133 if (m == NULL) 1134 m = ifq_dequeue(&sp->pp_if.if_snd, NULL); 1135 } 1136 1137 crit_exit(); 1138 return m; 1139 } 1140 1141 /* 1142 * Pick the next packet, do not remove it from the queue. 1143 */ 1144 struct mbuf * 1145 sppp_pick(struct ifnet *ifp) 1146 { 1147 struct sppp *sp = (struct sppp*)ifp; 1148 struct mbuf *m; 1149 1150 crit_enter(); 1151 1152 m = sp->pp_cpq.ifq_head; 1153 if (m == NULL && 1154 (sp->pp_phase == PHASE_NETWORK || sp->pp_mode == IFF_CISCO)) { 1155 if ((m = sp->pp_fastq.ifq_head) == NULL) 1156 m = ifq_poll(&sp->pp_if.if_snd); 1157 } 1158 1159 crit_exit(); 1160 return (m); 1161 } 1162 1163 /* 1164 * Process an ioctl request. Called on low priority level. 1165 */ 1166 int 1167 sppp_ioctl(struct ifnet *ifp, IOCTL_CMD_T cmd, void *data) 1168 { 1169 struct ifreq *ifr = (struct ifreq*) data; 1170 struct sppp *sp = (struct sppp*) ifp; 1171 int rv, going_up, going_down, newmode; 1172 1173 crit_enter(); 1174 1175 rv = 0; 1176 switch (cmd) { 1177 case SIOCAIFADDR: 1178 case SIOCSIFDSTADDR: 1179 break; 1180 1181 case SIOCSIFADDR: 1182 /* set the interface "up" when assigning an IP address */ 1183 ifp->if_flags |= IFF_UP; 1184 /* fall through... */ 1185 1186 case SIOCSIFFLAGS: 1187 going_up = ifp->if_flags & IFF_UP && 1188 (ifp->if_flags & IFF_RUNNING) == 0; 1189 going_down = (ifp->if_flags & IFF_UP) == 0 && 1190 ifp->if_flags & IFF_RUNNING; 1191 1192 newmode = ifp->if_flags & IFF_PASSIVE; 1193 if (!newmode) 1194 newmode = ifp->if_flags & IFF_AUTO; 1195 if (!newmode) 1196 newmode = ifp->if_flags & IFF_CISCO; 1197 ifp->if_flags &= ~(IFF_PASSIVE | IFF_AUTO | IFF_CISCO); 1198 ifp->if_flags |= newmode; 1199 1200 if (newmode != sp->pp_mode) { 1201 going_down = 1; 1202 if (!going_up) 1203 going_up = ifp->if_flags & IFF_RUNNING; 1204 } 1205 1206 if (going_down) { 1207 if (sp->pp_mode != IFF_CISCO) 1208 lcp.Close(sp); 1209 else if (sp->pp_tlf) 1210 (sp->pp_tlf)(sp); 1211 sppp_flush(ifp); 1212 ifp->if_flags &= ~IFF_RUNNING; 1213 sp->pp_mode = newmode; 1214 } 1215 1216 if (going_up) { 1217 if (sp->pp_mode != IFF_CISCO) 1218 lcp.Close(sp); 1219 sp->pp_mode = newmode; 1220 if (sp->pp_mode == 0) { 1221 ifp->if_flags |= IFF_RUNNING; 1222 lcp.Open(sp); 1223 } 1224 if (sp->pp_mode == IFF_CISCO) { 1225 if (sp->pp_tls) 1226 (sp->pp_tls)(sp); 1227 ifp->if_flags |= IFF_RUNNING; 1228 } 1229 } 1230 1231 break; 1232 1233 #ifdef SIOCSIFMTU 1234 #ifndef ifr_mtu 1235 #define ifr_mtu ifr_metric 1236 #endif 1237 case SIOCSIFMTU: 1238 if (ifr->ifr_mtu < 128 || ifr->ifr_mtu > sp->lcp.their_mru) 1239 return (EINVAL); 1240 ifp->if_mtu = ifr->ifr_mtu; 1241 break; 1242 #endif 1243 #ifdef SLIOCSETMTU 1244 case SLIOCSETMTU: 1245 if (*(short*)data < 128 || *(short*)data > sp->lcp.their_mru) 1246 return (EINVAL); 1247 ifp->if_mtu = *(short*)data; 1248 break; 1249 #endif 1250 #ifdef SIOCGIFMTU 1251 case SIOCGIFMTU: 1252 ifr->ifr_mtu = ifp->if_mtu; 1253 break; 1254 #endif 1255 #ifdef SLIOCGETMTU 1256 case SLIOCGETMTU: 1257 *(short*)data = ifp->if_mtu; 1258 break; 1259 #endif 1260 case SIOCADDMULTI: 1261 case SIOCDELMULTI: 1262 break; 1263 1264 case SIOCGIFGENERIC: 1265 case SIOCSIFGENERIC: 1266 rv = sppp_params(sp, cmd, data); 1267 break; 1268 1269 default: 1270 rv = ENOTTY; 1271 } 1272 1273 crit_exit(); 1274 return rv; 1275 } 1276 1277 /* 1278 * Cisco framing implementation. 1279 */ 1280 1281 /* 1282 * Handle incoming Cisco keepalive protocol packets. 1283 */ 1284 static void 1285 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1286 { 1287 STDDCL; 1288 struct cisco_packet *h; 1289 u_long me, mymask; 1290 1291 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1292 if (debug) 1293 log(LOG_DEBUG, 1294 SPP_FMT "cisco invalid packet length: %d bytes\n", 1295 SPP_ARGS(ifp), m->m_pkthdr.len); 1296 return; 1297 } 1298 h = mtod (m, struct cisco_packet*); 1299 if (debug) 1300 log(LOG_DEBUG, 1301 SPP_FMT "cisco input: %d bytes " 1302 "<0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n", 1303 SPP_ARGS(ifp), m->m_pkthdr.len, 1304 (u_long)ntohl (h->type), (u_long)h->par1, (u_long)h->par2, (u_int)h->rel, 1305 (u_int)h->time0, (u_int)h->time1); 1306 switch (ntohl (h->type)) { 1307 default: 1308 if (debug) 1309 log(-1, SPP_FMT "cisco unknown packet type: 0x%lx\n", 1310 SPP_ARGS(ifp), (u_long)ntohl (h->type)); 1311 break; 1312 case CISCO_ADDR_REPLY: 1313 /* Reply on address request, ignore */ 1314 break; 1315 case CISCO_KEEPALIVE_REQ: 1316 sp->pp_alivecnt = 0; 1317 sp->pp_rseq[IDX_LCP] = ntohl (h->par1); 1318 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1319 /* Local and remote sequence numbers are equal. 1320 * Probably, the line is in loopback mode. */ 1321 if (sp->pp_loopcnt >= MAXALIVECNT) { 1322 kprintf (SPP_FMT "loopback\n", 1323 SPP_ARGS(ifp)); 1324 sp->pp_loopcnt = 0; 1325 if (ifp->if_flags & IFF_UP) { 1326 if_down (ifp); 1327 IF_DRAIN(&sp->pp_cpq); 1328 } 1329 } 1330 ++sp->pp_loopcnt; 1331 1332 /* Generate new local sequence number */ 1333 #if defined(__DragonFly__) 1334 sp->pp_seq[IDX_LCP] = krandom(); 1335 #else 1336 sp->pp_seq[IDX_LCP] ^= time.tv_sec ^ time.tv_usec; 1337 #endif 1338 break; 1339 } 1340 sp->pp_loopcnt = 0; 1341 if (! (ifp->if_flags & IFF_UP) && 1342 (ifp->if_flags & IFF_RUNNING)) { 1343 if_up(ifp); 1344 kprintf (SPP_FMT "up\n", SPP_ARGS(ifp)); 1345 } 1346 break; 1347 case CISCO_ADDR_REQ: 1348 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1349 if (me != 0L) 1350 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1351 break; 1352 } 1353 } 1354 1355 /* 1356 * Send Cisco keepalive packet. 1357 */ 1358 static void 1359 sppp_cisco_send(struct sppp *sp, int type, long par1, long par2) 1360 { 1361 STDDCL; 1362 struct ppp_header *h; 1363 struct cisco_packet *ch; 1364 struct mbuf *m; 1365 #if defined(__DragonFly__) 1366 struct timeval tv; 1367 #else 1368 u_long t = (time.tv_sec - boottime.tv_sec) * 1000; 1369 #endif 1370 1371 #if defined(__DragonFly__) 1372 getmicrouptime(&tv); 1373 #endif 1374 1375 MGETHDR (m, MB_DONTWAIT, MT_DATA); 1376 if (! m) 1377 return; 1378 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1379 m->m_pkthdr.rcvif = 0; 1380 1381 h = mtod (m, struct ppp_header*); 1382 h->address = CISCO_MULTICAST; 1383 h->control = 0; 1384 h->protocol = htons (CISCO_KEEPALIVE); 1385 1386 ch = (struct cisco_packet*) (h + 1); 1387 ch->type = htonl (type); 1388 ch->par1 = htonl (par1); 1389 ch->par2 = htonl (par2); 1390 ch->rel = -1; 1391 1392 #if defined(__DragonFly__) 1393 ch->time0 = htons ((u_short) (tv.tv_sec >> 16)); 1394 ch->time1 = htons ((u_short) tv.tv_sec); 1395 #else 1396 ch->time0 = htons ((u_short) (t >> 16)); 1397 ch->time1 = htons ((u_short) t); 1398 #endif 1399 1400 if (debug) 1401 log(LOG_DEBUG, 1402 SPP_FMT "cisco output: <0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n", 1403 SPP_ARGS(ifp), (u_long)ntohl (ch->type), (u_long)ch->par1, 1404 (u_long)ch->par2, (u_int)ch->rel, (u_int)ch->time0, (u_int)ch->time1); 1405 1406 if (IF_QFULL (&sp->pp_cpq)) { 1407 IF_DROP (&sp->pp_fastq); 1408 IF_DROP (&ifp->if_snd); 1409 m_freem (m); 1410 } else 1411 IF_ENQUEUE (&sp->pp_cpq, m); 1412 if (! (ifp->if_flags & IFF_OACTIVE)) 1413 (*ifp->if_start) (ifp); 1414 ifp->if_obytes += m->m_pkthdr.len + 3; 1415 } 1416 1417 /* 1418 * PPP protocol implementation. 1419 */ 1420 1421 /* 1422 * Send PPP control protocol packet. 1423 */ 1424 static void 1425 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1426 u_char ident, u_short len, void *data) 1427 { 1428 STDDCL; 1429 struct ppp_header *h; 1430 struct lcp_header *lh; 1431 struct mbuf *m; 1432 1433 if (len > MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN) 1434 len = MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN; 1435 MGETHDR (m, MB_DONTWAIT, MT_DATA); 1436 if (! m) 1437 return; 1438 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + LCP_HEADER_LEN + len; 1439 m->m_pkthdr.rcvif = 0; 1440 1441 h = mtod (m, struct ppp_header*); 1442 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1443 h->control = PPP_UI; /* Unnumbered Info */ 1444 h->protocol = htons (proto); /* Link Control Protocol */ 1445 1446 lh = (struct lcp_header*) (h + 1); 1447 lh->type = type; 1448 lh->ident = ident; 1449 lh->len = htons (LCP_HEADER_LEN + len); 1450 if (len) 1451 bcopy (data, lh+1, len); 1452 1453 if (debug) { 1454 log(LOG_DEBUG, SPP_FMT "%s output <%s id=0x%x len=%d", 1455 SPP_ARGS(ifp), 1456 sppp_proto_name(proto), 1457 sppp_cp_type_name (lh->type), lh->ident, 1458 ntohs (lh->len)); 1459 sppp_print_bytes ((u_char*) (lh+1), len); 1460 log(-1, ">\n"); 1461 } 1462 if (IF_QFULL (&sp->pp_cpq)) { 1463 IF_DROP (&sp->pp_fastq); 1464 IF_DROP (&ifp->if_snd); 1465 m_freem (m); 1466 ++ifp->if_oerrors; 1467 } else 1468 IF_ENQUEUE (&sp->pp_cpq, m); 1469 if (! (ifp->if_flags & IFF_OACTIVE)) 1470 (*ifp->if_start) (ifp); 1471 ifp->if_obytes += m->m_pkthdr.len + 3; 1472 } 1473 1474 /* 1475 * Handle incoming PPP control protocol packets. 1476 */ 1477 static void 1478 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1479 { 1480 STDDCL; 1481 struct lcp_header *h; 1482 int printlen, len = m->m_pkthdr.len; 1483 int rv; 1484 u_char *p; 1485 1486 if (len < 4) { 1487 if (debug) 1488 log(LOG_DEBUG, 1489 SPP_FMT "%s invalid packet length: %d bytes\n", 1490 SPP_ARGS(ifp), cp->name, len); 1491 return; 1492 } 1493 h = mtod (m, struct lcp_header*); 1494 if (debug) { 1495 printlen = ntohs(h->len); 1496 log(LOG_DEBUG, 1497 SPP_FMT "%s input(%s): <%s id=0x%x len=%d", 1498 SPP_ARGS(ifp), cp->name, 1499 sppp_state_name(sp->state[cp->protoidx]), 1500 sppp_cp_type_name (h->type), h->ident, printlen); 1501 if (len < printlen) 1502 printlen = len; 1503 if (printlen > 4) 1504 sppp_print_bytes ((u_char*) (h+1), printlen - 4); 1505 log(-1, ">\n"); 1506 } 1507 if (len > ntohs (h->len)) 1508 len = ntohs (h->len); 1509 p = (u_char *)(h + 1); 1510 switch (h->type) { 1511 case CONF_REQ: 1512 if (len < 4) { 1513 if (debug) 1514 log(-1, SPP_FMT "%s invalid conf-req length %d\n", 1515 SPP_ARGS(ifp), cp->name, 1516 len); 1517 ++ifp->if_ierrors; 1518 break; 1519 } 1520 /* handle states where RCR doesn't get a SCA/SCN */ 1521 switch (sp->state[cp->protoidx]) { 1522 case STATE_CLOSING: 1523 case STATE_STOPPING: 1524 return; 1525 case STATE_CLOSED: 1526 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1527 0, 0); 1528 return; 1529 } 1530 rv = (cp->RCR)(sp, h, len); 1531 if (rv < 0) { 1532 /* fatal error, shut down */ 1533 (cp->tld)(sp); 1534 sppp_lcp_tlf(sp); 1535 return; 1536 } 1537 switch (sp->state[cp->protoidx]) { 1538 case STATE_OPENED: 1539 (cp->tld)(sp); 1540 (cp->scr)(sp); 1541 /* fall through... */ 1542 case STATE_ACK_SENT: 1543 case STATE_REQ_SENT: 1544 /* 1545 * sppp_cp_change_state() have the side effect of 1546 * restarting the timeouts. We want to avoid that 1547 * if the state don't change, otherwise we won't 1548 * ever timeout and resend a configuration request 1549 * that got lost. 1550 */ 1551 if (sp->state[cp->protoidx] == (rv ? STATE_ACK_SENT: 1552 STATE_REQ_SENT)) 1553 break; 1554 sppp_cp_change_state(cp, sp, rv? 1555 STATE_ACK_SENT: STATE_REQ_SENT); 1556 break; 1557 case STATE_STOPPED: 1558 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1559 (cp->scr)(sp); 1560 sppp_cp_change_state(cp, sp, rv? 1561 STATE_ACK_SENT: STATE_REQ_SENT); 1562 break; 1563 case STATE_ACK_RCVD: 1564 if (rv) { 1565 sppp_cp_change_state(cp, sp, STATE_OPENED); 1566 if (debug) 1567 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 1568 SPP_ARGS(ifp), 1569 cp->name); 1570 (cp->tlu)(sp); 1571 } else 1572 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1573 break; 1574 default: 1575 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1576 SPP_ARGS(ifp), cp->name, 1577 sppp_cp_type_name(h->type), 1578 sppp_state_name(sp->state[cp->protoidx])); 1579 ++ifp->if_ierrors; 1580 } 1581 break; 1582 case CONF_ACK: 1583 if (h->ident != sp->confid[cp->protoidx]) { 1584 if (debug) 1585 log(-1, SPP_FMT "%s id mismatch 0x%x != 0x%x\n", 1586 SPP_ARGS(ifp), cp->name, 1587 h->ident, sp->confid[cp->protoidx]); 1588 ++ifp->if_ierrors; 1589 break; 1590 } 1591 switch (sp->state[cp->protoidx]) { 1592 case STATE_CLOSED: 1593 case STATE_STOPPED: 1594 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1595 break; 1596 case STATE_CLOSING: 1597 case STATE_STOPPING: 1598 break; 1599 case STATE_REQ_SENT: 1600 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1601 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1602 break; 1603 case STATE_OPENED: 1604 (cp->tld)(sp); 1605 /* fall through */ 1606 case STATE_ACK_RCVD: 1607 (cp->scr)(sp); 1608 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1609 break; 1610 case STATE_ACK_SENT: 1611 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1612 sppp_cp_change_state(cp, sp, STATE_OPENED); 1613 if (debug) 1614 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 1615 SPP_ARGS(ifp), cp->name); 1616 (cp->tlu)(sp); 1617 break; 1618 default: 1619 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1620 SPP_ARGS(ifp), cp->name, 1621 sppp_cp_type_name(h->type), 1622 sppp_state_name(sp->state[cp->protoidx])); 1623 ++ifp->if_ierrors; 1624 } 1625 break; 1626 case CONF_NAK: 1627 case CONF_REJ: 1628 if (h->ident != sp->confid[cp->protoidx]) { 1629 if (debug) 1630 log(-1, SPP_FMT "%s id mismatch 0x%x != 0x%x\n", 1631 SPP_ARGS(ifp), cp->name, 1632 h->ident, sp->confid[cp->protoidx]); 1633 ++ifp->if_ierrors; 1634 break; 1635 } 1636 if (h->type == CONF_NAK) 1637 (cp->RCN_nak)(sp, h, len); 1638 else /* CONF_REJ */ 1639 (cp->RCN_rej)(sp, h, len); 1640 1641 switch (sp->state[cp->protoidx]) { 1642 case STATE_CLOSED: 1643 case STATE_STOPPED: 1644 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1645 break; 1646 case STATE_REQ_SENT: 1647 case STATE_ACK_SENT: 1648 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1649 /* 1650 * Slow things down a bit if we think we might be 1651 * in loopback. Depend on the timeout to send the 1652 * next configuration request. 1653 */ 1654 if (sp->pp_loopcnt) 1655 break; 1656 (cp->scr)(sp); 1657 break; 1658 case STATE_OPENED: 1659 (cp->tld)(sp); 1660 /* fall through */ 1661 case STATE_ACK_RCVD: 1662 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1663 (cp->scr)(sp); 1664 break; 1665 case STATE_CLOSING: 1666 case STATE_STOPPING: 1667 break; 1668 default: 1669 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1670 SPP_ARGS(ifp), cp->name, 1671 sppp_cp_type_name(h->type), 1672 sppp_state_name(sp->state[cp->protoidx])); 1673 ++ifp->if_ierrors; 1674 } 1675 break; 1676 1677 case TERM_REQ: 1678 switch (sp->state[cp->protoidx]) { 1679 case STATE_ACK_RCVD: 1680 case STATE_ACK_SENT: 1681 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1682 /* fall through */ 1683 case STATE_CLOSED: 1684 case STATE_STOPPED: 1685 case STATE_CLOSING: 1686 case STATE_STOPPING: 1687 case STATE_REQ_SENT: 1688 sta: 1689 /* Send Terminate-Ack packet. */ 1690 if (debug) 1691 log(LOG_DEBUG, SPP_FMT "%s send terminate-ack\n", 1692 SPP_ARGS(ifp), cp->name); 1693 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1694 break; 1695 case STATE_OPENED: 1696 (cp->tld)(sp); 1697 sp->rst_counter[cp->protoidx] = 0; 1698 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1699 goto sta; 1700 break; 1701 default: 1702 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1703 SPP_ARGS(ifp), cp->name, 1704 sppp_cp_type_name(h->type), 1705 sppp_state_name(sp->state[cp->protoidx])); 1706 ++ifp->if_ierrors; 1707 } 1708 break; 1709 case TERM_ACK: 1710 switch (sp->state[cp->protoidx]) { 1711 case STATE_CLOSED: 1712 case STATE_STOPPED: 1713 case STATE_REQ_SENT: 1714 case STATE_ACK_SENT: 1715 break; 1716 case STATE_CLOSING: 1717 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1718 (cp->tlf)(sp); 1719 break; 1720 case STATE_STOPPING: 1721 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1722 (cp->tlf)(sp); 1723 break; 1724 case STATE_ACK_RCVD: 1725 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1726 break; 1727 case STATE_OPENED: 1728 (cp->tld)(sp); 1729 (cp->scr)(sp); 1730 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1731 break; 1732 default: 1733 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1734 SPP_ARGS(ifp), cp->name, 1735 sppp_cp_type_name(h->type), 1736 sppp_state_name(sp->state[cp->protoidx])); 1737 ++ifp->if_ierrors; 1738 } 1739 break; 1740 case CODE_REJ: 1741 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1742 log(LOG_INFO, 1743 SPP_FMT "%s: ignoring RXJ (%s) for proto 0x%x, " 1744 "danger will robinson\n", 1745 SPP_ARGS(ifp), cp->name, 1746 sppp_cp_type_name(h->type), ntohs(*((u_short *)p))); 1747 switch (sp->state[cp->protoidx]) { 1748 case STATE_CLOSED: 1749 case STATE_STOPPED: 1750 case STATE_REQ_SENT: 1751 case STATE_ACK_SENT: 1752 case STATE_CLOSING: 1753 case STATE_STOPPING: 1754 case STATE_OPENED: 1755 break; 1756 case STATE_ACK_RCVD: 1757 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1758 break; 1759 default: 1760 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1761 SPP_ARGS(ifp), cp->name, 1762 sppp_cp_type_name(h->type), 1763 sppp_state_name(sp->state[cp->protoidx])); 1764 ++ifp->if_ierrors; 1765 } 1766 break; 1767 case PROTO_REJ: 1768 { 1769 int catastrophic; 1770 const struct cp *upper; 1771 int i; 1772 u_int16_t proto; 1773 1774 catastrophic = 0; 1775 upper = NULL; 1776 proto = ntohs(*((u_int16_t *)p)); 1777 for (i = 0; i < IDX_COUNT; i++) { 1778 if (cps[i]->proto == proto) { 1779 upper = cps[i]; 1780 break; 1781 } 1782 } 1783 if (upper == NULL) 1784 catastrophic++; 1785 1786 if (catastrophic || debug) 1787 log(catastrophic? LOG_INFO: LOG_DEBUG, 1788 SPP_FMT "%s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1789 SPP_ARGS(ifp), cp->name, catastrophic ? '-' : '+', 1790 sppp_cp_type_name(h->type), proto, 1791 upper ? upper->name : "unknown", 1792 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1793 1794 /* 1795 * if we got RXJ+ against conf-req, the peer does not implement 1796 * this particular protocol type. terminate the protocol. 1797 */ 1798 if (upper && !catastrophic) { 1799 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1800 upper->Close(sp); 1801 break; 1802 } 1803 } 1804 1805 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1806 switch (sp->state[cp->protoidx]) { 1807 case STATE_CLOSED: 1808 case STATE_STOPPED: 1809 case STATE_REQ_SENT: 1810 case STATE_ACK_SENT: 1811 case STATE_CLOSING: 1812 case STATE_STOPPING: 1813 case STATE_OPENED: 1814 break; 1815 case STATE_ACK_RCVD: 1816 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1817 break; 1818 default: 1819 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1820 SPP_ARGS(ifp), cp->name, 1821 sppp_cp_type_name(h->type), 1822 sppp_state_name(sp->state[cp->protoidx])); 1823 ++ifp->if_ierrors; 1824 } 1825 break; 1826 } 1827 case DISC_REQ: 1828 if (cp->proto != PPP_LCP) 1829 goto illegal; 1830 /* Discard the packet. */ 1831 break; 1832 case ECHO_REQ: 1833 if (cp->proto != PPP_LCP) 1834 goto illegal; 1835 if (sp->state[cp->protoidx] != STATE_OPENED) { 1836 if (debug) 1837 log(-1, SPP_FMT "lcp echo req but lcp closed\n", 1838 SPP_ARGS(ifp)); 1839 ++ifp->if_ierrors; 1840 break; 1841 } 1842 if (len < 8) { 1843 if (debug) 1844 log(-1, SPP_FMT "invalid lcp echo request " 1845 "packet length: %d bytes\n", 1846 SPP_ARGS(ifp), len); 1847 break; 1848 } 1849 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 1850 ntohl (*(long*)(h+1)) == sp->lcp.magic) { 1851 /* Line loopback mode detected. */ 1852 kprintf(SPP_FMT "loopback\n", SPP_ARGS(ifp)); 1853 sp->pp_loopcnt = MAXALIVECNT * 5; 1854 if_down (ifp); 1855 IF_DRAIN(&sp->pp_cpq); 1856 1857 /* Shut down the PPP link. */ 1858 /* XXX */ 1859 lcp.Down(sp); 1860 lcp.Up(sp); 1861 break; 1862 } 1863 *(long*)(h+1) = htonl (sp->lcp.magic); 1864 if (debug) 1865 log(-1, SPP_FMT "got lcp echo req, sending echo rep\n", 1866 SPP_ARGS(ifp)); 1867 sppp_cp_send (sp, PPP_LCP, ECHO_REPLY, h->ident, len-4, h+1); 1868 break; 1869 case ECHO_REPLY: 1870 if (cp->proto != PPP_LCP) 1871 goto illegal; 1872 if (h->ident != sp->lcp.echoid) { 1873 ++ifp->if_ierrors; 1874 break; 1875 } 1876 if (len < 8) { 1877 if (debug) 1878 log(-1, SPP_FMT "lcp invalid echo reply " 1879 "packet length: %d bytes\n", 1880 SPP_ARGS(ifp), len); 1881 break; 1882 } 1883 if (debug) 1884 log(-1, SPP_FMT "lcp got echo rep\n", 1885 SPP_ARGS(ifp)); 1886 if (!(sp->lcp.opts & (1 << LCP_OPT_MAGIC)) || 1887 ntohl (*(long*)(h+1)) != sp->lcp.magic) 1888 sp->pp_alivecnt = 0; 1889 break; 1890 default: 1891 /* Unknown packet type -- send Code-Reject packet. */ 1892 illegal: 1893 if (debug) 1894 log(-1, SPP_FMT "%s send code-rej for 0x%x\n", 1895 SPP_ARGS(ifp), cp->name, h->type); 1896 sppp_cp_send(sp, cp->proto, CODE_REJ, 1897 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1898 ++ifp->if_ierrors; 1899 } 1900 } 1901 1902 1903 /* 1904 * The generic part of all Up/Down/Open/Close/TO event handlers. 1905 * Basically, the state transition handling in the automaton. 1906 */ 1907 static void 1908 sppp_up_event(const struct cp *cp, struct sppp *sp) 1909 { 1910 STDDCL; 1911 1912 if (debug) 1913 log(LOG_DEBUG, SPP_FMT "%s up(%s)\n", 1914 SPP_ARGS(ifp), cp->name, 1915 sppp_state_name(sp->state[cp->protoidx])); 1916 1917 switch (sp->state[cp->protoidx]) { 1918 case STATE_INITIAL: 1919 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1920 break; 1921 case STATE_STARTING: 1922 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1923 (cp->scr)(sp); 1924 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1925 break; 1926 default: 1927 kprintf(SPP_FMT "%s illegal up in state %s\n", 1928 SPP_ARGS(ifp), cp->name, 1929 sppp_state_name(sp->state[cp->protoidx])); 1930 } 1931 } 1932 1933 static void 1934 sppp_down_event(const struct cp *cp, struct sppp *sp) 1935 { 1936 STDDCL; 1937 1938 if (debug) 1939 log(LOG_DEBUG, SPP_FMT "%s down(%s)\n", 1940 SPP_ARGS(ifp), cp->name, 1941 sppp_state_name(sp->state[cp->protoidx])); 1942 1943 switch (sp->state[cp->protoidx]) { 1944 case STATE_CLOSED: 1945 case STATE_CLOSING: 1946 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1947 break; 1948 case STATE_STOPPED: 1949 sppp_cp_change_state(cp, sp, STATE_STARTING); 1950 (cp->tls)(sp); 1951 break; 1952 case STATE_STOPPING: 1953 case STATE_REQ_SENT: 1954 case STATE_ACK_RCVD: 1955 case STATE_ACK_SENT: 1956 sppp_cp_change_state(cp, sp, STATE_STARTING); 1957 break; 1958 case STATE_OPENED: 1959 (cp->tld)(sp); 1960 sppp_cp_change_state(cp, sp, STATE_STARTING); 1961 break; 1962 default: 1963 kprintf(SPP_FMT "%s illegal down in state %s\n", 1964 SPP_ARGS(ifp), cp->name, 1965 sppp_state_name(sp->state[cp->protoidx])); 1966 } 1967 } 1968 1969 1970 static void 1971 sppp_open_event(const struct cp *cp, struct sppp *sp) 1972 { 1973 STDDCL; 1974 1975 if (debug) 1976 log(LOG_DEBUG, SPP_FMT "%s open(%s)\n", 1977 SPP_ARGS(ifp), cp->name, 1978 sppp_state_name(sp->state[cp->protoidx])); 1979 1980 switch (sp->state[cp->protoidx]) { 1981 case STATE_INITIAL: 1982 sppp_cp_change_state(cp, sp, STATE_STARTING); 1983 (cp->tls)(sp); 1984 break; 1985 case STATE_STARTING: 1986 break; 1987 case STATE_CLOSED: 1988 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1989 (cp->scr)(sp); 1990 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1991 break; 1992 case STATE_STOPPED: 1993 /* 1994 * Try escaping stopped state. This seems to bite 1995 * people occasionally, in particular for IPCP, 1996 * presumably following previous IPCP negotiation 1997 * aborts. Somehow, we must have missed a Down event 1998 * which would have caused a transition into starting 1999 * state, so as a bandaid we force the Down event now. 2000 * This effectively implements (something like the) 2001 * `restart' option mentioned in the state transition 2002 * table of RFC 1661. 2003 */ 2004 sppp_cp_change_state(cp, sp, STATE_STARTING); 2005 (cp->tls)(sp); 2006 break; 2007 case STATE_STOPPING: 2008 case STATE_REQ_SENT: 2009 case STATE_ACK_RCVD: 2010 case STATE_ACK_SENT: 2011 case STATE_OPENED: 2012 break; 2013 case STATE_CLOSING: 2014 sppp_cp_change_state(cp, sp, STATE_STOPPING); 2015 break; 2016 } 2017 } 2018 2019 2020 static void 2021 sppp_close_event(const struct cp *cp, struct sppp *sp) 2022 { 2023 STDDCL; 2024 2025 if (debug) 2026 log(LOG_DEBUG, SPP_FMT "%s close(%s)\n", 2027 SPP_ARGS(ifp), cp->name, 2028 sppp_state_name(sp->state[cp->protoidx])); 2029 2030 switch (sp->state[cp->protoidx]) { 2031 case STATE_INITIAL: 2032 case STATE_CLOSED: 2033 case STATE_CLOSING: 2034 break; 2035 case STATE_STARTING: 2036 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2037 (cp->tlf)(sp); 2038 break; 2039 case STATE_STOPPED: 2040 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2041 break; 2042 case STATE_STOPPING: 2043 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2044 break; 2045 case STATE_OPENED: 2046 (cp->tld)(sp); 2047 /* fall through */ 2048 case STATE_REQ_SENT: 2049 case STATE_ACK_RCVD: 2050 case STATE_ACK_SENT: 2051 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 2052 sppp_cp_send(sp, cp->proto, TERM_REQ, 2053 ++sp->pp_seq[cp->protoidx], 0, 0); 2054 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2055 break; 2056 } 2057 } 2058 2059 static void 2060 sppp_to_event(const struct cp *cp, struct sppp *sp) 2061 { 2062 STDDCL; 2063 2064 crit_enter(); 2065 2066 if (debug) 2067 log(LOG_DEBUG, SPP_FMT "%s TO(%s) rst_counter = %d\n", 2068 SPP_ARGS(ifp), cp->name, 2069 sppp_state_name(sp->state[cp->protoidx]), 2070 sp->rst_counter[cp->protoidx]); 2071 2072 if (--sp->rst_counter[cp->protoidx] < 0) 2073 /* TO- event */ 2074 switch (sp->state[cp->protoidx]) { 2075 case STATE_CLOSING: 2076 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2077 (cp->tlf)(sp); 2078 break; 2079 case STATE_STOPPING: 2080 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2081 (cp->tlf)(sp); 2082 break; 2083 case STATE_REQ_SENT: 2084 case STATE_ACK_RCVD: 2085 case STATE_ACK_SENT: 2086 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2087 (cp->tlf)(sp); 2088 break; 2089 } 2090 else 2091 /* TO+ event */ 2092 switch (sp->state[cp->protoidx]) { 2093 case STATE_CLOSING: 2094 case STATE_STOPPING: 2095 sppp_cp_send(sp, cp->proto, TERM_REQ, 2096 ++sp->pp_seq[cp->protoidx], 0, 0); 2097 callout_reset(&sp->timeout[cp->protoidx], 2098 sp->lcp.timeout, cp->TO, sp); 2099 break; 2100 case STATE_REQ_SENT: 2101 case STATE_ACK_RCVD: 2102 (cp->scr)(sp); 2103 /* sppp_cp_change_state() will restart the timer */ 2104 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2105 break; 2106 case STATE_ACK_SENT: 2107 (cp->scr)(sp); 2108 callout_reset(&sp->timeout[cp->protoidx], 2109 sp->lcp.timeout, cp->TO, sp); 2110 break; 2111 } 2112 2113 crit_exit(); 2114 } 2115 2116 /* 2117 * Change the state of a control protocol in the state automaton. 2118 * Takes care of starting/stopping the restart timer. 2119 */ 2120 void 2121 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2122 { 2123 sp->state[cp->protoidx] = newstate; 2124 callout_stop(&sp->timeout[cp->protoidx]); 2125 2126 switch (newstate) { 2127 case STATE_INITIAL: 2128 case STATE_STARTING: 2129 case STATE_CLOSED: 2130 case STATE_STOPPED: 2131 case STATE_OPENED: 2132 break; 2133 case STATE_CLOSING: 2134 case STATE_STOPPING: 2135 case STATE_REQ_SENT: 2136 case STATE_ACK_RCVD: 2137 case STATE_ACK_SENT: 2138 callout_reset(&sp->timeout[cp->protoidx], 2139 sp->lcp.timeout, cp->TO, sp); 2140 break; 2141 } 2142 } 2143 2144 /* 2145 *--------------------------------------------------------------------------* 2146 * * 2147 * The LCP implementation. * 2148 * * 2149 *--------------------------------------------------------------------------* 2150 */ 2151 static void 2152 sppp_lcp_init(struct sppp *sp) 2153 { 2154 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2155 sp->lcp.magic = 0; 2156 sp->state[IDX_LCP] = STATE_INITIAL; 2157 sp->fail_counter[IDX_LCP] = 0; 2158 sp->pp_seq[IDX_LCP] = 0; 2159 sp->pp_rseq[IDX_LCP] = 0; 2160 sp->lcp.protos = 0; 2161 sp->lcp.mru = sp->lcp.their_mru = PP_MTU; 2162 2163 /* Note that these values are relevant for all control protocols */ 2164 sp->lcp.timeout = 3 * hz; 2165 sp->lcp.max_terminate = 2; 2166 sp->lcp.max_configure = 10; 2167 sp->lcp.max_failure = 10; 2168 #if defined(__DragonFly__) 2169 callout_init(&sp->timeout[IDX_LCP]); 2170 #endif 2171 } 2172 2173 static void 2174 sppp_lcp_up(struct sppp *sp) 2175 { 2176 STDDCL; 2177 2178 sp->pp_alivecnt = 0; 2179 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2180 sp->lcp.magic = 0; 2181 sp->lcp.protos = 0; 2182 sp->lcp.mru = sp->lcp.their_mru = PP_MTU; 2183 /* 2184 * If this interface is passive or dial-on-demand, and we are 2185 * still in Initial state, it means we've got an incoming 2186 * call. Activate the interface. 2187 */ 2188 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2189 if (debug) 2190 log(LOG_DEBUG, 2191 SPP_FMT "Up event", SPP_ARGS(ifp)); 2192 ifp->if_flags |= IFF_RUNNING; 2193 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2194 if (debug) 2195 log(-1, "(incoming call)\n"); 2196 sp->pp_flags |= PP_CALLIN; 2197 lcp.Open(sp); 2198 } else if (debug) 2199 log(-1, "\n"); 2200 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2201 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2202 ifp->if_flags |= IFF_RUNNING; 2203 lcp.Open(sp); 2204 } 2205 2206 sppp_up_event(&lcp, sp); 2207 } 2208 2209 static void 2210 sppp_lcp_down(struct sppp *sp) 2211 { 2212 STDDCL; 2213 2214 sppp_down_event(&lcp, sp); 2215 2216 /* 2217 * If this is neither a dial-on-demand nor a passive 2218 * interface, simulate an ``ifconfig down'' action, so the 2219 * administrator can force a redial by another ``ifconfig 2220 * up''. XXX For leased line operation, should we immediately 2221 * try to reopen the connection here? 2222 */ 2223 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2224 log(LOG_INFO, 2225 SPP_FMT "Down event, taking interface down.\n", 2226 SPP_ARGS(ifp)); 2227 if_down(ifp); 2228 } else { 2229 if (debug) 2230 log(LOG_DEBUG, 2231 SPP_FMT "Down event (carrier loss)\n", 2232 SPP_ARGS(ifp)); 2233 sp->pp_flags &= ~PP_CALLIN; 2234 if (sp->state[IDX_LCP] != STATE_INITIAL) 2235 lcp.Close(sp); 2236 ifp->if_flags &= ~IFF_RUNNING; 2237 } 2238 } 2239 2240 static void 2241 sppp_lcp_open(struct sppp *sp) 2242 { 2243 /* 2244 * If we are authenticator, negotiate LCP_AUTH 2245 */ 2246 if (sp->hisauth.proto != 0) 2247 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2248 else 2249 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2250 sp->pp_flags &= ~PP_NEEDAUTH; 2251 sppp_open_event(&lcp, sp); 2252 } 2253 2254 static void 2255 sppp_lcp_close(struct sppp *sp) 2256 { 2257 sppp_close_event(&lcp, sp); 2258 } 2259 2260 static void 2261 sppp_lcp_TO(void *cookie) 2262 { 2263 sppp_to_event(&lcp, (struct sppp *)cookie); 2264 } 2265 2266 /* 2267 * Analyze a configure request. Return true if it was agreeable, and 2268 * caused action sca, false if it has been rejected or nak'ed, and 2269 * caused action scn. (The return value is used to make the state 2270 * transition decision in the state automaton.) 2271 */ 2272 static int 2273 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2274 { 2275 STDDCL; 2276 u_char *buf, *r, *p; 2277 int origlen, rlen; 2278 u_long nmagic; 2279 u_short authproto; 2280 2281 len -= 4; 2282 origlen = len; 2283 buf = r = kmalloc (len, M_TEMP, M_INTWAIT); 2284 2285 if (debug) 2286 log(LOG_DEBUG, SPP_FMT "lcp parse opts: ", 2287 SPP_ARGS(ifp)); 2288 2289 /* pass 1: check for things that need to be rejected */ 2290 p = (void*) (h+1); 2291 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2292 /* Sanity check option length */ 2293 if (p[1] > len) { 2294 /* Malicious option - drop immediately. 2295 * XXX Maybe we should just RXJ it? 2296 */ 2297 log(-1, "%s: received malicious LCP option 0x%02x, " 2298 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2299 p[0], p[1], len); 2300 goto drop; 2301 } 2302 if (debug) 2303 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2304 switch (*p) { 2305 case LCP_OPT_MAGIC: 2306 /* Magic number. */ 2307 if (len >= 6 && p[1] == 6) 2308 continue; 2309 if (debug) 2310 log(-1, "[invalid] "); 2311 break; 2312 case LCP_OPT_ASYNC_MAP: 2313 /* Async control character map. */ 2314 if (len >= 6 && p[1] == 6) 2315 continue; 2316 if (debug) 2317 log(-1, "[invalid] "); 2318 break; 2319 case LCP_OPT_MRU: 2320 /* Maximum receive unit. */ 2321 if (len >= 4 && p[1] == 4) 2322 continue; 2323 if (debug) 2324 log(-1, "[invalid] "); 2325 break; 2326 case LCP_OPT_AUTH_PROTO: 2327 if (len < 4) { 2328 if (debug) 2329 log(-1, "[invalid] "); 2330 break; 2331 } 2332 authproto = (p[2] << 8) + p[3]; 2333 if (authproto == PPP_CHAP && p[1] != 5) { 2334 if (debug) 2335 log(-1, "[invalid chap len] "); 2336 break; 2337 } 2338 if (sp->myauth.proto == 0) { 2339 /* we are not configured to do auth */ 2340 if (debug) 2341 log(-1, "[not configured] "); 2342 break; 2343 } 2344 /* 2345 * Remote want us to authenticate, remember this, 2346 * so we stay in PHASE_AUTHENTICATE after LCP got 2347 * up. 2348 */ 2349 sp->pp_flags |= PP_NEEDAUTH; 2350 continue; 2351 default: 2352 /* Others not supported. */ 2353 if (debug) 2354 log(-1, "[rej] "); 2355 break; 2356 } 2357 /* Add the option to rejected list. */ 2358 bcopy (p, r, p[1]); 2359 r += p[1]; 2360 rlen += p[1]; 2361 } 2362 if (rlen) { 2363 if (debug) 2364 log(-1, " send conf-rej\n"); 2365 sppp_cp_send (sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2366 return 0; 2367 } else if (debug) 2368 log(-1, "\n"); 2369 2370 /* 2371 * pass 2: check for option values that are unacceptable and 2372 * thus require to be nak'ed. 2373 */ 2374 if (debug) 2375 log(LOG_DEBUG, SPP_FMT "lcp parse opt values: ", 2376 SPP_ARGS(ifp)); 2377 2378 p = (void*) (h+1); 2379 len = origlen; 2380 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2381 if (debug) 2382 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2383 switch (*p) { 2384 case LCP_OPT_MAGIC: 2385 /* Magic number -- extract. */ 2386 nmagic = (u_long)p[2] << 24 | 2387 (u_long)p[3] << 16 | p[4] << 8 | p[5]; 2388 if (nmagic != sp->lcp.magic) { 2389 sp->pp_loopcnt = 0; 2390 if (debug) 2391 log(-1, "0x%lx ", nmagic); 2392 continue; 2393 } 2394 if (debug && sp->pp_loopcnt < MAXALIVECNT*5) 2395 log(-1, "[glitch] "); 2396 ++sp->pp_loopcnt; 2397 /* 2398 * We negate our magic here, and NAK it. If 2399 * we see it later in an NAK packet, we 2400 * suggest a new one. 2401 */ 2402 nmagic = ~sp->lcp.magic; 2403 /* Gonna NAK it. */ 2404 p[2] = nmagic >> 24; 2405 p[3] = nmagic >> 16; 2406 p[4] = nmagic >> 8; 2407 p[5] = nmagic; 2408 break; 2409 2410 case LCP_OPT_ASYNC_MAP: 2411 /* 2412 * Async control character map -- just ignore it. 2413 * 2414 * Quote from RFC 1662, chapter 6: 2415 * To enable this functionality, synchronous PPP 2416 * implementations MUST always respond to the 2417 * Async-Control-Character-Map Configuration 2418 * Option with the LCP Configure-Ack. However, 2419 * acceptance of the Configuration Option does 2420 * not imply that the synchronous implementation 2421 * will do any ACCM mapping. Instead, all such 2422 * octet mapping will be performed by the 2423 * asynchronous-to-synchronous converter. 2424 */ 2425 continue; 2426 2427 case LCP_OPT_MRU: 2428 /* 2429 * Maximum receive unit. Always agreeable, 2430 * but ignored by now. 2431 */ 2432 sp->lcp.their_mru = p[2] * 256 + p[3]; 2433 if (debug) 2434 log(-1, "%lu ", sp->lcp.their_mru); 2435 continue; 2436 2437 case LCP_OPT_AUTH_PROTO: 2438 authproto = (p[2] << 8) + p[3]; 2439 if (sp->myauth.proto != authproto) { 2440 /* not agreed, nak */ 2441 if (debug) 2442 log(-1, "[mine %s != his %s] ", 2443 sppp_proto_name(sp->hisauth.proto), 2444 sppp_proto_name(authproto)); 2445 p[2] = sp->myauth.proto >> 8; 2446 p[3] = sp->myauth.proto; 2447 break; 2448 } 2449 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2450 if (debug) 2451 log(-1, "[chap not MD5] "); 2452 p[4] = CHAP_MD5; 2453 break; 2454 } 2455 continue; 2456 } 2457 /* Add the option to nak'ed list. */ 2458 bcopy (p, r, p[1]); 2459 r += p[1]; 2460 rlen += p[1]; 2461 } 2462 if (rlen) { 2463 /* 2464 * Local and remote magics equal -- loopback? 2465 */ 2466 if (sp->pp_loopcnt >= MAXALIVECNT*5) { 2467 if (sp->pp_loopcnt == MAXALIVECNT*5) 2468 kprintf (SPP_FMT "loopback\n", 2469 SPP_ARGS(ifp)); 2470 if (ifp->if_flags & IFF_UP) { 2471 if_down(ifp); 2472 IF_DRAIN(&sp->pp_cpq); 2473 /* XXX ? */ 2474 lcp.Down(sp); 2475 lcp.Up(sp); 2476 } 2477 } else if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2478 if (debug) 2479 log(-1, " max_failure (%d) exceeded, " 2480 "send conf-rej\n", 2481 sp->lcp.max_failure); 2482 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2483 } else { 2484 if (debug) 2485 log(-1, " send conf-nak\n"); 2486 sppp_cp_send (sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2487 } 2488 } else { 2489 if (debug) 2490 log(-1, " send conf-ack\n"); 2491 sp->fail_counter[IDX_LCP] = 0; 2492 sp->pp_loopcnt = 0; 2493 sppp_cp_send (sp, PPP_LCP, CONF_ACK, 2494 h->ident, origlen, h+1); 2495 } 2496 2497 kfree (buf, M_TEMP); 2498 return (rlen == 0); 2499 2500 drop: 2501 kfree(buf, M_TEMP); 2502 return (-1); 2503 } 2504 2505 /* 2506 * Analyze the LCP Configure-Reject option list, and adjust our 2507 * negotiation. 2508 */ 2509 static void 2510 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2511 { 2512 STDDCL; 2513 u_char *buf, *p; 2514 2515 len -= 4; 2516 buf = kmalloc (len, M_TEMP, M_INTWAIT); 2517 2518 if (debug) 2519 log(LOG_DEBUG, SPP_FMT "lcp rej opts: ", 2520 SPP_ARGS(ifp)); 2521 2522 p = (void*) (h+1); 2523 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2524 /* Sanity check option length */ 2525 if (p[1] > len) { 2526 /* 2527 * Malicious option - drop immediately. 2528 * XXX Maybe we should just RXJ it? 2529 */ 2530 log(-1, "%s: received malicious LCP option, " 2531 "dropping.\n", ifp->if_xname); 2532 goto drop; 2533 } 2534 if (debug) 2535 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2536 switch (*p) { 2537 case LCP_OPT_MAGIC: 2538 /* Magic number -- can't use it, use 0 */ 2539 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2540 sp->lcp.magic = 0; 2541 break; 2542 case LCP_OPT_MRU: 2543 /* 2544 * Should not be rejected anyway, since we only 2545 * negotiate a MRU if explicitly requested by 2546 * peer. 2547 */ 2548 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2549 break; 2550 case LCP_OPT_AUTH_PROTO: 2551 /* 2552 * Peer doesn't want to authenticate himself, 2553 * deny unless this is a dialout call, and 2554 * AUTHFLAG_NOCALLOUT is set. 2555 */ 2556 if ((sp->pp_flags & PP_CALLIN) == 0 && 2557 (sp->hisauth.flags & AUTHFLAG_NOCALLOUT) != 0) { 2558 if (debug) 2559 log(-1, "[don't insist on auth " 2560 "for callout]"); 2561 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2562 break; 2563 } 2564 if (debug) 2565 log(-1, "[access denied]\n"); 2566 lcp.Close(sp); 2567 break; 2568 } 2569 } 2570 if (debug) 2571 log(-1, "\n"); 2572 drop: 2573 kfree (buf, M_TEMP); 2574 return; 2575 } 2576 2577 /* 2578 * Analyze the LCP Configure-NAK option list, and adjust our 2579 * negotiation. 2580 */ 2581 static void 2582 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2583 { 2584 STDDCL; 2585 u_char *buf, *p; 2586 u_long magic; 2587 2588 len -= 4; 2589 buf = kmalloc (len, M_TEMP, M_INTWAIT); 2590 2591 if (debug) 2592 log(LOG_DEBUG, SPP_FMT "lcp nak opts: ", 2593 SPP_ARGS(ifp)); 2594 2595 p = (void*) (h+1); 2596 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2597 /* Sanity check option length */ 2598 if (p[1] > len) { 2599 /* 2600 * Malicious option - drop immediately. 2601 * XXX Maybe we should just RXJ it? 2602 */ 2603 log(-1, "%s: received malicious LCP option, " 2604 "dropping.\n", ifp->if_xname); 2605 goto drop; 2606 } 2607 if (debug) 2608 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2609 switch (*p) { 2610 case LCP_OPT_MAGIC: 2611 /* Magic number -- renegotiate */ 2612 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2613 len >= 6 && p[1] == 6) { 2614 magic = (u_long)p[2] << 24 | 2615 (u_long)p[3] << 16 | p[4] << 8 | p[5]; 2616 /* 2617 * If the remote magic is our negated one, 2618 * this looks like a loopback problem. 2619 * Suggest a new magic to make sure. 2620 */ 2621 if (magic == ~sp->lcp.magic) { 2622 if (debug) 2623 log(-1, "magic glitch "); 2624 #if defined(__DragonFly__) 2625 sp->lcp.magic = krandom(); 2626 #else 2627 sp->lcp.magic = time.tv_sec + time.tv_usec; 2628 #endif 2629 } else { 2630 sp->lcp.magic = magic; 2631 if (debug) 2632 log(-1, "%lu ", magic); 2633 } 2634 } 2635 break; 2636 case LCP_OPT_MRU: 2637 /* 2638 * Peer wants to advise us to negotiate an MRU. 2639 * Agree on it if it's reasonable, or use 2640 * default otherwise. 2641 */ 2642 if (len >= 4 && p[1] == 4) { 2643 u_int mru = p[2] * 256 + p[3]; 2644 if (debug) 2645 log(-1, "%d ", mru); 2646 if (mru < PP_MTU || mru > PP_MAX_MRU) 2647 mru = PP_MTU; 2648 sp->lcp.mru = mru; 2649 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2650 } 2651 break; 2652 case LCP_OPT_AUTH_PROTO: 2653 /* 2654 * Peer doesn't like our authentication method, 2655 * deny. 2656 */ 2657 if (debug) 2658 log(-1, "[access denied]\n"); 2659 lcp.Close(sp); 2660 break; 2661 } 2662 } 2663 if (debug) 2664 log(-1, "\n"); 2665 drop: 2666 kfree (buf, M_TEMP); 2667 return; 2668 } 2669 2670 static void 2671 sppp_lcp_tlu(struct sppp *sp) 2672 { 2673 STDDCL; 2674 int i; 2675 u_long mask; 2676 2677 /* XXX ? */ 2678 if (! (ifp->if_flags & IFF_UP) && 2679 (ifp->if_flags & IFF_RUNNING)) { 2680 /* Coming out of loopback mode. */ 2681 if_up(ifp); 2682 kprintf (SPP_FMT "up\n", SPP_ARGS(ifp)); 2683 } 2684 2685 for (i = 0; i < IDX_COUNT; i++) 2686 if ((cps[i])->flags & CP_QUAL) 2687 (cps[i])->Open(sp); 2688 2689 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2690 (sp->pp_flags & PP_NEEDAUTH) != 0) 2691 sp->pp_phase = PHASE_AUTHENTICATE; 2692 else 2693 sp->pp_phase = PHASE_NETWORK; 2694 2695 if (debug) 2696 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2697 sppp_phase_name(sp->pp_phase)); 2698 2699 /* 2700 * Open all authentication protocols. This is even required 2701 * if we already proceeded to network phase, since it might be 2702 * that remote wants us to authenticate, so we might have to 2703 * send a PAP request. Undesired authentication protocols 2704 * don't do anything when they get an Open event. 2705 */ 2706 for (i = 0; i < IDX_COUNT; i++) 2707 if ((cps[i])->flags & CP_AUTH) 2708 (cps[i])->Open(sp); 2709 2710 if (sp->pp_phase == PHASE_NETWORK) { 2711 /* Notify all NCPs. */ 2712 for (i = 0; i < IDX_COUNT; i++) 2713 if (((cps[i])->flags & CP_NCP) && 2714 /* 2715 * XXX 2716 * Hack to administratively disable IPv6 if 2717 * not desired. Perhaps we should have another 2718 * flag for this, but right now, we can make 2719 * all struct cp's read/only. 2720 */ 2721 (cps[i] != &ipv6cp || 2722 (sp->confflags & CONF_ENABLE_IPV6))) 2723 (cps[i])->Open(sp); 2724 } 2725 2726 /* Send Up events to all started protos. */ 2727 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2728 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) 2729 (cps[i])->Up(sp); 2730 2731 /* notify low-level driver of state change */ 2732 if (sp->pp_chg) 2733 sp->pp_chg(sp, (int)sp->pp_phase); 2734 2735 if (sp->pp_phase == PHASE_NETWORK) 2736 /* if no NCP is starting, close down */ 2737 sppp_lcp_check_and_close(sp); 2738 } 2739 2740 static void 2741 sppp_lcp_tld(struct sppp *sp) 2742 { 2743 STDDCL; 2744 int i; 2745 u_long mask; 2746 2747 sp->pp_phase = PHASE_TERMINATE; 2748 2749 if (debug) 2750 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2751 sppp_phase_name(sp->pp_phase)); 2752 2753 /* 2754 * Take upper layers down. We send the Down event first and 2755 * the Close second to prevent the upper layers from sending 2756 * ``a flurry of terminate-request packets'', as the RFC 2757 * describes it. 2758 */ 2759 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2760 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2761 (cps[i])->Down(sp); 2762 (cps[i])->Close(sp); 2763 } 2764 } 2765 2766 static void 2767 sppp_lcp_tls(struct sppp *sp) 2768 { 2769 STDDCL; 2770 2771 sp->pp_phase = PHASE_ESTABLISH; 2772 2773 if (debug) 2774 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2775 sppp_phase_name(sp->pp_phase)); 2776 2777 /* Notify lower layer if desired. */ 2778 if (sp->pp_tls) 2779 (sp->pp_tls)(sp); 2780 else 2781 (sp->pp_up)(sp); 2782 } 2783 2784 static void 2785 sppp_lcp_tlf(struct sppp *sp) 2786 { 2787 STDDCL; 2788 2789 sp->pp_phase = PHASE_DEAD; 2790 if (debug) 2791 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2792 sppp_phase_name(sp->pp_phase)); 2793 2794 /* Notify lower layer if desired. */ 2795 if (sp->pp_tlf) 2796 (sp->pp_tlf)(sp); 2797 else 2798 (sp->pp_down)(sp); 2799 } 2800 2801 static void 2802 sppp_lcp_scr(struct sppp *sp) 2803 { 2804 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2805 int i = 0; 2806 u_short authproto; 2807 2808 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2809 if (! sp->lcp.magic) 2810 #if defined(__DragonFly__) 2811 sp->lcp.magic = krandom(); 2812 #else 2813 sp->lcp.magic = time.tv_sec + time.tv_usec; 2814 #endif 2815 opt[i++] = LCP_OPT_MAGIC; 2816 opt[i++] = 6; 2817 opt[i++] = sp->lcp.magic >> 24; 2818 opt[i++] = sp->lcp.magic >> 16; 2819 opt[i++] = sp->lcp.magic >> 8; 2820 opt[i++] = sp->lcp.magic; 2821 } 2822 2823 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2824 opt[i++] = LCP_OPT_MRU; 2825 opt[i++] = 4; 2826 opt[i++] = sp->lcp.mru >> 8; 2827 opt[i++] = sp->lcp.mru; 2828 } 2829 2830 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2831 authproto = sp->hisauth.proto; 2832 opt[i++] = LCP_OPT_AUTH_PROTO; 2833 opt[i++] = authproto == PPP_CHAP? 5: 4; 2834 opt[i++] = authproto >> 8; 2835 opt[i++] = authproto; 2836 if (authproto == PPP_CHAP) 2837 opt[i++] = CHAP_MD5; 2838 } 2839 2840 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2841 sppp_cp_send (sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2842 } 2843 2844 /* 2845 * Check the open NCPs, return true if at least one NCP is open. 2846 */ 2847 static int 2848 sppp_ncp_check(struct sppp *sp) 2849 { 2850 int i, mask; 2851 2852 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2853 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2854 return 1; 2855 return 0; 2856 } 2857 2858 /* 2859 * Re-check the open NCPs and see if we should terminate the link. 2860 * Called by the NCPs during their tlf action handling. 2861 */ 2862 static void 2863 sppp_lcp_check_and_close(struct sppp *sp) 2864 { 2865 2866 if (sp->pp_phase < PHASE_NETWORK) 2867 /* don't bother, we are already going down */ 2868 return; 2869 2870 if (sppp_ncp_check(sp)) 2871 return; 2872 2873 lcp.Close(sp); 2874 } 2875 2876 /* 2877 *--------------------------------------------------------------------------* 2878 * * 2879 * The IPCP implementation. * 2880 * * 2881 *--------------------------------------------------------------------------* 2882 */ 2883 2884 static void 2885 sppp_ipcp_init(struct sppp *sp) 2886 { 2887 sp->ipcp.opts = 0; 2888 sp->ipcp.flags = 0; 2889 sp->state[IDX_IPCP] = STATE_INITIAL; 2890 sp->fail_counter[IDX_IPCP] = 0; 2891 sp->pp_seq[IDX_IPCP] = 0; 2892 sp->pp_rseq[IDX_IPCP] = 0; 2893 #if defined(__DragonFly__) 2894 callout_init(&sp->timeout[IDX_IPCP]); 2895 #endif 2896 } 2897 2898 static void 2899 sppp_ipcp_up(struct sppp *sp) 2900 { 2901 sppp_up_event(&ipcp, sp); 2902 } 2903 2904 static void 2905 sppp_ipcp_down(struct sppp *sp) 2906 { 2907 sppp_down_event(&ipcp, sp); 2908 } 2909 2910 static void 2911 sppp_ipcp_open(struct sppp *sp) 2912 { 2913 STDDCL; 2914 u_long myaddr, hisaddr; 2915 2916 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN | IPCP_MYADDR_SEEN | 2917 IPCP_MYADDR_DYN | IPCP_VJ); 2918 sp->ipcp.opts = 0; 2919 2920 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 2921 /* 2922 * If we don't have his address, this probably means our 2923 * interface doesn't want to talk IP at all. (This could 2924 * be the case if somebody wants to speak only IPX, for 2925 * example.) Don't open IPCP in this case. 2926 */ 2927 if (hisaddr == 0L) { 2928 /* XXX this message should go away */ 2929 if (debug) 2930 log(LOG_DEBUG, SPP_FMT "ipcp_open(): no IP interface\n", 2931 SPP_ARGS(ifp)); 2932 return; 2933 } 2934 if (myaddr == 0L) { 2935 /* 2936 * I don't have an assigned address, so i need to 2937 * negotiate my address. 2938 */ 2939 sp->ipcp.flags |= IPCP_MYADDR_DYN; 2940 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 2941 } else 2942 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 2943 if (sp->confflags & CONF_ENABLE_VJ) { 2944 sp->ipcp.opts |= (1 << IPCP_OPT_COMPRESSION); 2945 sp->ipcp.max_state = MAX_STATES - 1; 2946 sp->ipcp.compress_cid = 1; 2947 } 2948 sppp_open_event(&ipcp, sp); 2949 } 2950 2951 static void 2952 sppp_ipcp_close(struct sppp *sp) 2953 { 2954 sppp_close_event(&ipcp, sp); 2955 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 2956 /* 2957 * My address was dynamic, clear it again. 2958 */ 2959 sppp_set_ip_addr(sp, 0L); 2960 } 2961 2962 static void 2963 sppp_ipcp_TO(void *cookie) 2964 { 2965 sppp_to_event(&ipcp, (struct sppp *)cookie); 2966 } 2967 2968 /* 2969 * Analyze a configure request. Return true if it was agreeable, and 2970 * caused action sca, false if it has been rejected or nak'ed, and 2971 * caused action scn. (The return value is used to make the state 2972 * transition decision in the state automaton.) 2973 */ 2974 static int 2975 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2976 { 2977 u_char *buf, *r, *p; 2978 struct ifnet *ifp = &sp->pp_if; 2979 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 2980 u_long hisaddr, desiredaddr; 2981 int gotmyaddr = 0; 2982 int desiredcomp; 2983 2984 len -= 4; 2985 origlen = len; 2986 /* 2987 * Make sure to allocate a buf that can at least hold a 2988 * conf-nak with an `address' option. We might need it below. 2989 */ 2990 buf = r = kmalloc ((len < 6? 6: len), M_TEMP, M_INTWAIT); 2991 2992 /* pass 1: see if we can recognize them */ 2993 if (debug) 2994 log(LOG_DEBUG, SPP_FMT "ipcp parse opts: ", 2995 SPP_ARGS(ifp)); 2996 p = (void*) (h+1); 2997 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2998 /* Sanity check option length */ 2999 if (p[1] > len) { 3000 /* XXX should we just RXJ? */ 3001 log(-1, "%s: malicious IPCP option received, dropping\n", 3002 ifp->if_xname); 3003 goto drop; 3004 } 3005 if (debug) 3006 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3007 switch (*p) { 3008 case IPCP_OPT_COMPRESSION: 3009 if (!(sp->confflags & CONF_ENABLE_VJ)) { 3010 /* VJ compression administratively disabled */ 3011 if (debug) 3012 log(-1, "[locally disabled] "); 3013 break; 3014 } 3015 /* 3016 * In theory, we should only conf-rej an 3017 * option that is shorter than RFC 1618 3018 * requires (i.e. < 4), and should conf-nak 3019 * anything else that is not VJ. However, 3020 * since our algorithm always uses the 3021 * original option to NAK it with new values, 3022 * things would become more complicated. In 3023 * pratice, the only commonly implemented IP 3024 * compression option is VJ anyway, so the 3025 * difference is negligible. 3026 */ 3027 if (len >= 6 && p[1] == 6) { 3028 /* 3029 * correctly formed compression option 3030 * that could be VJ compression 3031 */ 3032 continue; 3033 } 3034 if (debug) 3035 log(-1, "optlen %d [invalid/unsupported] ", 3036 p[1]); 3037 break; 3038 case IPCP_OPT_ADDRESS: 3039 if (len >= 6 && p[1] == 6) { 3040 /* correctly formed address option */ 3041 continue; 3042 } 3043 if (debug) 3044 log(-1, "[invalid] "); 3045 break; 3046 default: 3047 /* Others not supported. */ 3048 if (debug) 3049 log(-1, "[rej] "); 3050 break; 3051 } 3052 /* Add the option to rejected list. */ 3053 bcopy (p, r, p[1]); 3054 r += p[1]; 3055 rlen += p[1]; 3056 } 3057 if (rlen) { 3058 if (debug) 3059 log(-1, " send conf-rej\n"); 3060 sppp_cp_send (sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 3061 return 0; 3062 } else if (debug) 3063 log(-1, "\n"); 3064 3065 /* pass 2: parse option values */ 3066 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); 3067 if (debug) 3068 log(LOG_DEBUG, SPP_FMT "ipcp parse opt values: ", 3069 SPP_ARGS(ifp)); 3070 p = (void*) (h+1); 3071 len = origlen; 3072 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3073 if (debug) 3074 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3075 switch (*p) { 3076 case IPCP_OPT_COMPRESSION: 3077 desiredcomp = p[2] << 8 | p[3]; 3078 /* We only support VJ */ 3079 if (desiredcomp == IPCP_COMP_VJ) { 3080 if (debug) 3081 log(-1, "VJ [ack] "); 3082 sp->ipcp.flags |= IPCP_VJ; 3083 sl_compress_init(sp->pp_comp, p[4]); 3084 sp->ipcp.max_state = p[4]; 3085 sp->ipcp.compress_cid = p[5]; 3086 continue; 3087 } 3088 if (debug) 3089 log(-1, "compproto %#04x [not supported] ", 3090 desiredcomp); 3091 p[2] = IPCP_COMP_VJ >> 8; 3092 p[3] = IPCP_COMP_VJ; 3093 p[4] = sp->ipcp.max_state; 3094 p[5] = sp->ipcp.compress_cid; 3095 break; 3096 case IPCP_OPT_ADDRESS: 3097 /* This is the address he wants in his end */ 3098 desiredaddr = p[2] << 24 | p[3] << 16 | 3099 p[4] << 8 | p[5]; 3100 if (desiredaddr == hisaddr || 3101 (hisaddr >= 1 && hisaddr <= 254 && desiredaddr != 0)) { 3102 /* 3103 * Peer's address is same as our value, 3104 * or we have set it to 0.0.0.* to 3105 * indicate that we do not really care, 3106 * this is agreeable. Gonna conf-ack 3107 * it. 3108 */ 3109 if (debug) 3110 log(-1, "%s [ack] ", 3111 sppp_dotted_quad(hisaddr)); 3112 /* record that we've seen it already */ 3113 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 3114 continue; 3115 } 3116 /* 3117 * The address wasn't agreeable. This is either 3118 * he sent us 0.0.0.0, asking to assign him an 3119 * address, or he send us another address not 3120 * matching our value. Either case, we gonna 3121 * conf-nak it with our value. 3122 * XXX: we should "rej" if hisaddr == 0 3123 */ 3124 if (debug) { 3125 if (desiredaddr == 0) 3126 log(-1, "[addr requested] "); 3127 else 3128 log(-1, "%s [not agreed] ", 3129 sppp_dotted_quad(desiredaddr)); 3130 3131 } 3132 p[2] = hisaddr >> 24; 3133 p[3] = hisaddr >> 16; 3134 p[4] = hisaddr >> 8; 3135 p[5] = hisaddr; 3136 break; 3137 } 3138 /* Add the option to nak'ed list. */ 3139 bcopy (p, r, p[1]); 3140 r += p[1]; 3141 rlen += p[1]; 3142 } 3143 3144 /* 3145 * If we are about to conf-ack the request, but haven't seen 3146 * his address so far, gonna conf-nak it instead, with the 3147 * `address' option present and our idea of his address being 3148 * filled in there, to request negotiation of both addresses. 3149 * 3150 * XXX This can result in an endless req - nak loop if peer 3151 * doesn't want to send us his address. Q: What should we do 3152 * about it? XXX A: implement the max-failure counter. 3153 */ 3154 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN) && !gotmyaddr) { 3155 buf[0] = IPCP_OPT_ADDRESS; 3156 buf[1] = 6; 3157 buf[2] = hisaddr >> 24; 3158 buf[3] = hisaddr >> 16; 3159 buf[4] = hisaddr >> 8; 3160 buf[5] = hisaddr; 3161 rlen = 6; 3162 if (debug) 3163 log(-1, "still need hisaddr "); 3164 } 3165 3166 if (rlen) { 3167 if (debug) 3168 log(-1, " send conf-nak\n"); 3169 sppp_cp_send (sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3170 } else { 3171 if (debug) 3172 log(-1, " send conf-ack\n"); 3173 sppp_cp_send (sp, PPP_IPCP, CONF_ACK, 3174 h->ident, origlen, h+1); 3175 } 3176 3177 kfree (buf, M_TEMP); 3178 return (rlen == 0); 3179 3180 drop: 3181 kfree(buf, M_TEMP); 3182 return (-1); 3183 } 3184 3185 /* 3186 * Analyze the IPCP Configure-Reject option list, and adjust our 3187 * negotiation. 3188 */ 3189 static void 3190 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3191 { 3192 u_char *buf, *p; 3193 struct ifnet *ifp = &sp->pp_if; 3194 int debug = ifp->if_flags & IFF_DEBUG; 3195 3196 len -= 4; 3197 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3198 3199 if (debug) 3200 log(LOG_DEBUG, SPP_FMT "ipcp rej opts: ", 3201 SPP_ARGS(ifp)); 3202 3203 p = (void*) (h+1); 3204 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3205 /* Sanity check option length */ 3206 if (p[1] > len) { 3207 /* XXX should we just RXJ? */ 3208 log(-1, "%s: malicious IPCP option received, dropping\n", 3209 ifp->if_xname); 3210 goto drop; 3211 } 3212 if (debug) 3213 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3214 switch (*p) { 3215 case IPCP_OPT_COMPRESSION: 3216 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESSION); 3217 break; 3218 case IPCP_OPT_ADDRESS: 3219 /* 3220 * Peer doesn't grok address option. This is 3221 * bad. XXX Should we better give up here? 3222 * XXX We could try old "addresses" option... 3223 */ 3224 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3225 break; 3226 } 3227 } 3228 if (debug) 3229 log(-1, "\n"); 3230 drop: 3231 kfree (buf, M_TEMP); 3232 return; 3233 } 3234 3235 /* 3236 * Analyze the IPCP Configure-NAK option list, and adjust our 3237 * negotiation. 3238 */ 3239 static void 3240 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3241 { 3242 u_char *buf, *p; 3243 struct ifnet *ifp = &sp->pp_if; 3244 int debug = ifp->if_flags & IFF_DEBUG; 3245 int desiredcomp; 3246 u_long wantaddr; 3247 3248 len -= 4; 3249 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3250 3251 if (debug) 3252 log(LOG_DEBUG, SPP_FMT "ipcp nak opts: ", 3253 SPP_ARGS(ifp)); 3254 3255 p = (void*) (h+1); 3256 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3257 /* Sanity check option length */ 3258 if (p[1] > len) { 3259 /* XXX should we just RXJ? */ 3260 log(-1, "%s: malicious IPCP option received, dropping\n", 3261 ifp->if_xname); 3262 return; 3263 } 3264 if (debug) 3265 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3266 switch (*p) { 3267 case IPCP_OPT_COMPRESSION: 3268 if (len >= 6 && p[1] == 6) { 3269 desiredcomp = p[2] << 8 | p[3]; 3270 if (debug) 3271 log(-1, "[wantcomp %#04x] ", 3272 desiredcomp); 3273 if (desiredcomp == IPCP_COMP_VJ) { 3274 sl_compress_init(sp->pp_comp, p[4]); 3275 sp->ipcp.max_state = p[4]; 3276 sp->ipcp.compress_cid = p[5]; 3277 if (debug) 3278 log(-1, "[agree] "); 3279 } else 3280 sp->ipcp.opts &= 3281 ~(1 << IPCP_OPT_COMPRESSION); 3282 } 3283 break; 3284 case IPCP_OPT_ADDRESS: 3285 /* 3286 * Peer doesn't like our local IP address. See 3287 * if we can do something for him. We'll drop 3288 * him our address then. 3289 */ 3290 if (len >= 6 && p[1] == 6) { 3291 wantaddr = p[2] << 24 | p[3] << 16 | 3292 p[4] << 8 | p[5]; 3293 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3294 if (debug) 3295 log(-1, "[wantaddr %s] ", 3296 sppp_dotted_quad(wantaddr)); 3297 /* 3298 * When doing dynamic address assignment, 3299 * we accept his offer. Otherwise, we 3300 * ignore it and thus continue to negotiate 3301 * our already existing value. 3302 * XXX: Bogus, if he said no once, he'll 3303 * just say no again, might as well die. 3304 */ 3305 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3306 sppp_set_ip_addr(sp, wantaddr); 3307 if (debug) 3308 log(-1, "[agree] "); 3309 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3310 } 3311 } 3312 break; 3313 } 3314 } 3315 if (debug) 3316 log(-1, "\n"); 3317 kfree (buf, M_TEMP); 3318 return; 3319 } 3320 3321 static void 3322 sppp_ipcp_tlu(struct sppp *sp) 3323 { 3324 /* we are up - notify isdn daemon */ 3325 if (sp->pp_con) 3326 sp->pp_con(sp); 3327 } 3328 3329 static void 3330 sppp_ipcp_tld(struct sppp *sp) 3331 { 3332 } 3333 3334 static void 3335 sppp_ipcp_tls(struct sppp *sp) 3336 { 3337 /* indicate to LCP that it must stay alive */ 3338 sp->lcp.protos |= (1 << IDX_IPCP); 3339 } 3340 3341 static void 3342 sppp_ipcp_tlf(struct sppp *sp) 3343 { 3344 /* we no longer need LCP */ 3345 sp->lcp.protos &= ~(1 << IDX_IPCP); 3346 sppp_lcp_check_and_close(sp); 3347 } 3348 3349 static void 3350 sppp_ipcp_scr(struct sppp *sp) 3351 { 3352 char opt[6 /* compression */ + 6 /* address */]; 3353 u_long ouraddr; 3354 int i = 0; 3355 3356 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3357 opt[i++] = IPCP_OPT_COMPRESSION; 3358 opt[i++] = 6; 3359 opt[i++] = IPCP_COMP_VJ >> 8; 3360 opt[i++] = IPCP_COMP_VJ; 3361 opt[i++] = sp->ipcp.max_state; 3362 opt[i++] = sp->ipcp.compress_cid; 3363 } 3364 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3365 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3366 opt[i++] = IPCP_OPT_ADDRESS; 3367 opt[i++] = 6; 3368 opt[i++] = ouraddr >> 24; 3369 opt[i++] = ouraddr >> 16; 3370 opt[i++] = ouraddr >> 8; 3371 opt[i++] = ouraddr; 3372 } 3373 3374 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3375 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3376 } 3377 3378 /* 3379 *--------------------------------------------------------------------------* 3380 * * 3381 * The IPv6CP implementation. * 3382 * * 3383 *--------------------------------------------------------------------------* 3384 */ 3385 3386 #ifdef INET6 3387 static void 3388 sppp_ipv6cp_init(struct sppp *sp) 3389 { 3390 sp->ipv6cp.opts = 0; 3391 sp->ipv6cp.flags = 0; 3392 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3393 sp->fail_counter[IDX_IPV6CP] = 0; 3394 sp->pp_seq[IDX_IPV6CP] = 0; 3395 sp->pp_rseq[IDX_IPV6CP] = 0; 3396 #if defined(__NetBSD__) 3397 callout_init(&sp->ch[IDX_IPV6CP]); 3398 #endif 3399 #if defined(__DragonFly__) 3400 callout_init(&sp->timeout[IDX_IPV6CP]); 3401 #endif 3402 } 3403 3404 static void 3405 sppp_ipv6cp_up(struct sppp *sp) 3406 { 3407 sppp_up_event(&ipv6cp, sp); 3408 } 3409 3410 static void 3411 sppp_ipv6cp_down(struct sppp *sp) 3412 { 3413 sppp_down_event(&ipv6cp, sp); 3414 } 3415 3416 static void 3417 sppp_ipv6cp_open(struct sppp *sp) 3418 { 3419 STDDCL; 3420 struct in6_addr myaddr, hisaddr; 3421 3422 #ifdef IPV6CP_MYIFID_DYN 3423 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3424 #else 3425 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3426 #endif 3427 3428 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3429 /* 3430 * If we don't have our address, this probably means our 3431 * interface doesn't want to talk IPv6 at all. (This could 3432 * be the case if somebody wants to speak only IPX, for 3433 * example.) Don't open IPv6CP in this case. 3434 */ 3435 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3436 /* XXX this message should go away */ 3437 if (debug) 3438 log(LOG_DEBUG, SPP_FMT "ipv6cp_open(): no IPv6 interface\n", 3439 SPP_ARGS(ifp)); 3440 return; 3441 } 3442 3443 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3444 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3445 sppp_open_event(&ipv6cp, sp); 3446 } 3447 3448 static void 3449 sppp_ipv6cp_close(struct sppp *sp) 3450 { 3451 sppp_close_event(&ipv6cp, sp); 3452 } 3453 3454 static void 3455 sppp_ipv6cp_TO(void *cookie) 3456 { 3457 sppp_to_event(&ipv6cp, (struct sppp *)cookie); 3458 } 3459 3460 /* 3461 * Analyze a configure request. Return true if it was agreeable, and 3462 * caused action sca, false if it has been rejected or nak'ed, and 3463 * caused action scn. (The return value is used to make the state 3464 * transition decision in the state automaton.) 3465 */ 3466 static int 3467 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3468 { 3469 u_char *buf, *r, *p; 3470 struct ifnet *ifp = &sp->pp_if; 3471 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3472 struct in6_addr myaddr, desiredaddr, suggestaddr; 3473 int ifidcount; 3474 int type; 3475 int collision, nohisaddr; 3476 3477 len -= 4; 3478 origlen = len; 3479 /* 3480 * Make sure to allocate a buf that can at least hold a 3481 * conf-nak with an `address' option. We might need it below. 3482 */ 3483 buf = r = kmalloc ((len < 6? 6: len), M_TEMP, M_INTWAIT); 3484 3485 /* pass 1: see if we can recognize them */ 3486 if (debug) 3487 log(LOG_DEBUG, SPP_FMT "ipv6cp parse opts:", 3488 SPP_ARGS(ifp)); 3489 p = (void*) (h+1); 3490 ifidcount = 0; 3491 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3492 /* Sanity check option length */ 3493 if (p[1] > len) { 3494 /* XXX just RXJ? */ 3495 log(-1, "%s: received malicious IPCPv6 option, " 3496 "dropping\n", ifp->if_xname); 3497 goto drop; 3498 } 3499 if (debug) 3500 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3501 switch (*p) { 3502 case IPV6CP_OPT_IFID: 3503 if (len >= 10 && p[1] == 10 && ifidcount == 0) { 3504 /* correctly formed address option */ 3505 ifidcount++; 3506 continue; 3507 } 3508 if (debug) 3509 log(-1, " [invalid]"); 3510 break; 3511 #ifdef notyet 3512 case IPV6CP_OPT_COMPRESSION: 3513 if (len >= 4 && p[1] >= 4) { 3514 /* correctly formed compress option */ 3515 continue; 3516 } 3517 if (debug) 3518 log(-1, " [invalid]"); 3519 break; 3520 #endif 3521 default: 3522 /* Others not supported. */ 3523 if (debug) 3524 log(-1, " [rej]"); 3525 break; 3526 } 3527 /* Add the option to rejected list. */ 3528 bcopy (p, r, p[1]); 3529 r += p[1]; 3530 rlen += p[1]; 3531 } 3532 if (rlen) { 3533 if (debug) 3534 log(-1, " send conf-rej\n"); 3535 sppp_cp_send (sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3536 goto end; 3537 } else if (debug) 3538 log(-1, "\n"); 3539 3540 /* pass 2: parse option values */ 3541 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3542 if (debug) 3543 log(LOG_DEBUG, SPP_FMT "ipv6cp parse opt values: ", 3544 SPP_ARGS(ifp)); 3545 p = (void*) (h+1); 3546 len = origlen; 3547 type = CONF_ACK; 3548 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3549 if (debug) 3550 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3551 switch (*p) { 3552 #ifdef notyet 3553 case IPV6CP_OPT_COMPRESSION: 3554 continue; 3555 #endif 3556 case IPV6CP_OPT_IFID: 3557 bzero(&desiredaddr, sizeof(desiredaddr)); 3558 bcopy(&p[2], &desiredaddr.s6_addr[8], 8); 3559 collision = (bcmp(&desiredaddr.s6_addr[8], 3560 &myaddr.s6_addr[8], 8) == 0); 3561 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3562 3563 desiredaddr.s6_addr16[0] = htons(0xfe80); 3564 desiredaddr.s6_addr16[1] = htons(sp->pp_if.if_index); 3565 3566 if (!collision && !nohisaddr) { 3567 /* no collision, hisaddr known - Conf-Ack */ 3568 type = CONF_ACK; 3569 3570 if (debug) { 3571 log(-1, " %s [%s]", 3572 ip6_sprintf(&desiredaddr), 3573 sppp_cp_type_name(type)); 3574 } 3575 continue; 3576 } 3577 3578 bzero(&suggestaddr, sizeof(&suggestaddr)); 3579 if (collision && nohisaddr) { 3580 /* collision, hisaddr unknown - Conf-Rej */ 3581 type = CONF_REJ; 3582 bzero(&p[2], 8); 3583 } else { 3584 /* 3585 * - no collision, hisaddr unknown, or 3586 * - collision, hisaddr known 3587 * Conf-Nak, suggest hisaddr 3588 */ 3589 type = CONF_NAK; 3590 sppp_suggest_ip6_addr(sp, &suggestaddr); 3591 bcopy(&suggestaddr.s6_addr[8], &p[2], 8); 3592 } 3593 if (debug) 3594 log(-1, " %s [%s]", ip6_sprintf(&desiredaddr), 3595 sppp_cp_type_name(type)); 3596 break; 3597 } 3598 /* Add the option to nak'ed list. */ 3599 bcopy (p, r, p[1]); 3600 r += p[1]; 3601 rlen += p[1]; 3602 } 3603 3604 if (rlen == 0 && type == CONF_ACK) { 3605 if (debug) 3606 log(-1, " send %s\n", sppp_cp_type_name(type)); 3607 sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, origlen, h+1); 3608 } else { 3609 #ifdef DIAGNOSTIC 3610 if (type == CONF_ACK) 3611 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3612 #endif 3613 3614 if (debug) { 3615 log(-1, " send %s suggest %s\n", 3616 sppp_cp_type_name(type), ip6_sprintf(&suggestaddr)); 3617 } 3618 sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3619 } 3620 3621 end: 3622 kfree (buf, M_TEMP); 3623 return (rlen == 0); 3624 3625 drop: 3626 kfree(buf, M_TEMP); 3627 return (-1); 3628 } 3629 3630 /* 3631 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3632 * negotiation. 3633 */ 3634 static void 3635 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3636 { 3637 u_char *buf, *p; 3638 struct ifnet *ifp = &sp->pp_if; 3639 int debug = ifp->if_flags & IFF_DEBUG; 3640 3641 len -= 4; 3642 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3643 3644 if (debug) 3645 log(LOG_DEBUG, SPP_FMT "ipv6cp rej opts:", 3646 SPP_ARGS(ifp)); 3647 3648 p = (void*) (h+1); 3649 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3650 if (p[1] > len) { 3651 /* XXX just RXJ? */ 3652 log(-1, "%s: received malicious IPCPv6 option, " 3653 "dropping\n", ifp->if_xname); 3654 goto drop; 3655 } 3656 if (debug) 3657 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3658 switch (*p) { 3659 case IPV6CP_OPT_IFID: 3660 /* 3661 * Peer doesn't grok address option. This is 3662 * bad. XXX Should we better give up here? 3663 */ 3664 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3665 break; 3666 #ifdef notyet 3667 case IPV6CP_OPT_COMPRESS: 3668 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3669 break; 3670 #endif 3671 } 3672 } 3673 if (debug) 3674 log(-1, "\n"); 3675 drop: 3676 kfree (buf, M_TEMP); 3677 return; 3678 } 3679 3680 /* 3681 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3682 * negotiation. 3683 */ 3684 static void 3685 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3686 { 3687 u_char *buf, *p; 3688 struct ifnet *ifp = &sp->pp_if; 3689 int debug = ifp->if_flags & IFF_DEBUG; 3690 struct in6_addr suggestaddr; 3691 3692 len -= 4; 3693 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3694 3695 if (debug) 3696 log(LOG_DEBUG, SPP_FMT "ipv6cp nak opts:", 3697 SPP_ARGS(ifp)); 3698 3699 p = (void*) (h+1); 3700 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3701 if (p[1] > len) { 3702 /* XXX just RXJ? */ 3703 log(-1, "%s: received malicious IPCPv6 option, " 3704 "dropping\n", ifp->if_xname); 3705 goto drop; 3706 } 3707 if (debug) 3708 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3709 switch (*p) { 3710 case IPV6CP_OPT_IFID: 3711 /* 3712 * Peer doesn't like our local ifid. See 3713 * if we can do something for him. We'll drop 3714 * him our address then. 3715 */ 3716 if (len < 10 || p[1] != 10) 3717 break; 3718 bzero(&suggestaddr, sizeof(suggestaddr)); 3719 suggestaddr.s6_addr16[0] = htons(0xfe80); 3720 suggestaddr.s6_addr16[1] = htons(sp->pp_if.if_index); 3721 bcopy(&p[2], &suggestaddr.s6_addr[8], 8); 3722 3723 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3724 if (debug) 3725 log(-1, " [suggestaddr %s]", 3726 ip6_sprintf(&suggestaddr)); 3727 #ifdef IPV6CP_MYIFID_DYN 3728 /* 3729 * When doing dynamic address assignment, 3730 * we accept his offer. 3731 */ 3732 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3733 struct in6_addr lastsuggest; 3734 /* 3735 * If <suggested myaddr from peer> equals to 3736 * <hisaddr we have suggested last time>, 3737 * we have a collision. generate new random 3738 * ifid. 3739 */ 3740 sppp_suggest_ip6_addr(&lastsuggest); 3741 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3742 lastsuggest)) { 3743 if (debug) 3744 log(-1, " [random]"); 3745 sppp_gen_ip6_addr(sp, &suggestaddr); 3746 } 3747 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3748 if (debug) 3749 log(-1, " [agree]"); 3750 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3751 } 3752 #else 3753 /* 3754 * Since we do not do dynamic address assignment, 3755 * we ignore it and thus continue to negotiate 3756 * our already existing value. This can possibly 3757 * go into infinite request-reject loop. 3758 * 3759 * This is not likely because we normally use 3760 * ifid based on MAC-address. 3761 * If you have no ethernet card on the node, too bad. 3762 * XXX should we use fail_counter? 3763 */ 3764 #endif 3765 break; 3766 #ifdef notyet 3767 case IPV6CP_OPT_COMPRESS: 3768 /* 3769 * Peer wants different compression parameters. 3770 */ 3771 break; 3772 #endif 3773 } 3774 } 3775 if (debug) 3776 log(-1, "\n"); 3777 drop: 3778 kfree (buf, M_TEMP); 3779 return; 3780 } 3781 static void 3782 sppp_ipv6cp_tlu(struct sppp *sp) 3783 { 3784 /* we are up - notify isdn daemon */ 3785 if (sp->pp_con) 3786 sp->pp_con(sp); 3787 } 3788 3789 static void 3790 sppp_ipv6cp_tld(struct sppp *sp) 3791 { 3792 } 3793 3794 static void 3795 sppp_ipv6cp_tls(struct sppp *sp) 3796 { 3797 /* indicate to LCP that it must stay alive */ 3798 sp->lcp.protos |= (1 << IDX_IPV6CP); 3799 } 3800 3801 static void 3802 sppp_ipv6cp_tlf(struct sppp *sp) 3803 { 3804 3805 #if 0 /* need #if 0 to close IPv6CP properly */ 3806 /* we no longer need LCP */ 3807 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3808 sppp_lcp_check_and_close(sp); 3809 #endif 3810 } 3811 3812 static void 3813 sppp_ipv6cp_scr(struct sppp *sp) 3814 { 3815 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3816 struct in6_addr ouraddr; 3817 int i = 0; 3818 3819 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3820 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3821 opt[i++] = IPV6CP_OPT_IFID; 3822 opt[i++] = 10; 3823 bcopy(&ouraddr.s6_addr[8], &opt[i], 8); 3824 i += 8; 3825 } 3826 3827 #ifdef notyet 3828 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 3829 opt[i++] = IPV6CP_OPT_COMPRESSION; 3830 opt[i++] = 4; 3831 opt[i++] = 0; /* TBD */ 3832 opt[i++] = 0; /* TBD */ 3833 /* variable length data may follow */ 3834 } 3835 #endif 3836 3837 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 3838 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 3839 } 3840 #else /*INET6*/ 3841 static void 3842 sppp_ipv6cp_init(struct sppp *sp) 3843 { 3844 } 3845 3846 static void 3847 sppp_ipv6cp_up(struct sppp *sp) 3848 { 3849 } 3850 3851 static void 3852 sppp_ipv6cp_down(struct sppp *sp) 3853 { 3854 } 3855 3856 3857 static void 3858 sppp_ipv6cp_open(struct sppp *sp) 3859 { 3860 } 3861 3862 static void 3863 sppp_ipv6cp_close(struct sppp *sp) 3864 { 3865 } 3866 3867 static void 3868 sppp_ipv6cp_TO(void *sp) 3869 { 3870 } 3871 3872 static int 3873 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3874 { 3875 return 0; 3876 } 3877 3878 static void 3879 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3880 { 3881 } 3882 3883 static void 3884 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3885 { 3886 } 3887 3888 static void 3889 sppp_ipv6cp_tlu(struct sppp *sp) 3890 { 3891 } 3892 3893 static void 3894 sppp_ipv6cp_tld(struct sppp *sp) 3895 { 3896 } 3897 3898 static void 3899 sppp_ipv6cp_tls(struct sppp *sp) 3900 { 3901 } 3902 3903 static void 3904 sppp_ipv6cp_tlf(struct sppp *sp) 3905 { 3906 } 3907 3908 static void 3909 sppp_ipv6cp_scr(struct sppp *sp) 3910 { 3911 } 3912 #endif /*INET6*/ 3913 3914 /* 3915 *--------------------------------------------------------------------------* 3916 * * 3917 * The CHAP implementation. * 3918 * * 3919 *--------------------------------------------------------------------------* 3920 */ 3921 3922 /* 3923 * The authentication protocols don't employ a full-fledged state machine as 3924 * the control protocols do, since they do have Open and Close events, but 3925 * not Up and Down, nor are they explicitly terminated. Also, use of the 3926 * authentication protocols may be different in both directions (this makes 3927 * sense, think of a machine that never accepts incoming calls but only 3928 * calls out, it doesn't require the called party to authenticate itself). 3929 * 3930 * Our state machine for the local authentication protocol (we are requesting 3931 * the peer to authenticate) looks like: 3932 * 3933 * RCA- 3934 * +--------------------------------------------+ 3935 * V scn,tld| 3936 * +--------+ Close +---------+ RCA+ 3937 * | |<----------------------------------| |------+ 3938 * +--->| Closed | TO* | Opened | sca | 3939 * | | |-----+ +-------| |<-----+ 3940 * | +--------+ irc | | +---------+ 3941 * | ^ | | ^ 3942 * | | | | | 3943 * | | | | | 3944 * | TO-| | | | 3945 * | |tld TO+ V | | 3946 * | | +------->+ | | 3947 * | | | | | | 3948 * | +--------+ V | | 3949 * | | |<----+<--------------------+ | 3950 * | | Req- | scr | 3951 * | | Sent | | 3952 * | | | | 3953 * | +--------+ | 3954 * | RCA- | | RCA+ | 3955 * +------+ +------------------------------------------+ 3956 * scn,tld sca,irc,ict,tlu 3957 * 3958 * 3959 * with: 3960 * 3961 * Open: LCP reached authentication phase 3962 * Close: LCP reached terminate phase 3963 * 3964 * RCA+: received reply (pap-req, chap-response), acceptable 3965 * RCN: received reply (pap-req, chap-response), not acceptable 3966 * TO+: timeout with restart counter >= 0 3967 * TO-: timeout with restart counter < 0 3968 * TO*: reschedule timeout for CHAP 3969 * 3970 * scr: send request packet (none for PAP, chap-challenge) 3971 * sca: send ack packet (pap-ack, chap-success) 3972 * scn: send nak packet (pap-nak, chap-failure) 3973 * ict: initialize re-challenge timer (CHAP only) 3974 * 3975 * tlu: this-layer-up, LCP reaches network phase 3976 * tld: this-layer-down, LCP enters terminate phase 3977 * 3978 * Note that in CHAP mode, after sending a new challenge, while the state 3979 * automaton falls back into Req-Sent state, it doesn't signal a tld 3980 * event to LCP, so LCP remains in network phase. Only after not getting 3981 * any response (or after getting an unacceptable response), CHAP closes, 3982 * causing LCP to enter terminate phase. 3983 * 3984 * With PAP, there is no initial request that can be sent. The peer is 3985 * expected to send one based on the successful negotiation of PAP as 3986 * the authentication protocol during the LCP option negotiation. 3987 * 3988 * Incoming authentication protocol requests (remote requests 3989 * authentication, we are peer) don't employ a state machine at all, 3990 * they are simply answered. Some peers [Ascend P50 firmware rev 3991 * 4.50] react allergically when sending IPCP requests while they are 3992 * still in authentication phase (thereby violating the standard that 3993 * demands that these NCP packets are to be discarded), so we keep 3994 * track of the peer demanding us to authenticate, and only proceed to 3995 * phase network once we've seen a positive acknowledge for the 3996 * authentication. 3997 */ 3998 3999 /* 4000 * Handle incoming CHAP packets. 4001 */ 4002 void 4003 sppp_chap_input(struct sppp *sp, struct mbuf *m) 4004 { 4005 STDDCL; 4006 struct lcp_header *h; 4007 int len; 4008 u_char *value, *name, digest[AUTHKEYLEN], dsize; 4009 int value_len, name_len; 4010 MD5_CTX ctx; 4011 4012 len = m->m_pkthdr.len; 4013 if (len < 4) { 4014 if (debug) 4015 log(LOG_DEBUG, 4016 SPP_FMT "chap invalid packet length: %d bytes\n", 4017 SPP_ARGS(ifp), len); 4018 return; 4019 } 4020 h = mtod (m, struct lcp_header*); 4021 if (len > ntohs (h->len)) 4022 len = ntohs (h->len); 4023 4024 switch (h->type) { 4025 /* challenge, failure and success are his authproto */ 4026 case CHAP_CHALLENGE: 4027 value = 1 + (u_char*)(h+1); 4028 value_len = value[-1]; 4029 name = value + value_len; 4030 name_len = len - value_len - 5; 4031 if (name_len < 0) { 4032 if (debug) { 4033 log(LOG_DEBUG, 4034 SPP_FMT "chap corrupted challenge " 4035 "<%s id=0x%x len=%d", 4036 SPP_ARGS(ifp), 4037 sppp_auth_type_name(PPP_CHAP, h->type), 4038 h->ident, ntohs(h->len)); 4039 sppp_print_bytes((u_char*) (h+1), len-4); 4040 log(-1, ">\n"); 4041 } 4042 break; 4043 } 4044 4045 if (debug) { 4046 log(LOG_DEBUG, 4047 SPP_FMT "chap input <%s id=0x%x len=%d name=", 4048 SPP_ARGS(ifp), 4049 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 4050 ntohs(h->len)); 4051 sppp_print_string((char*) name, name_len); 4052 log(-1, " value-size=%d value=", value_len); 4053 sppp_print_bytes(value, value_len); 4054 log(-1, ">\n"); 4055 } 4056 4057 /* Compute reply value. */ 4058 MD5Init(&ctx); 4059 MD5Update(&ctx, &h->ident, 1); 4060 MD5Update(&ctx, sp->myauth.secret, 4061 sppp_strnlen(sp->myauth.secret, AUTHKEYLEN)); 4062 MD5Update(&ctx, value, value_len); 4063 MD5Final(digest, &ctx); 4064 dsize = sizeof digest; 4065 4066 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 4067 sizeof dsize, (const char *)&dsize, 4068 sizeof digest, digest, 4069 (size_t)sppp_strnlen(sp->myauth.name, AUTHNAMELEN), 4070 sp->myauth.name, 4071 0); 4072 break; 4073 4074 case CHAP_SUCCESS: 4075 if (debug) { 4076 log(LOG_DEBUG, SPP_FMT "chap success", 4077 SPP_ARGS(ifp)); 4078 if (len > 4) { 4079 log(-1, ": "); 4080 sppp_print_string((char*)(h + 1), len - 4); 4081 } 4082 log(-1, "\n"); 4083 } 4084 4085 crit_enter(); 4086 4087 sp->pp_flags &= ~PP_NEEDAUTH; 4088 if (sp->myauth.proto == PPP_CHAP && 4089 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4090 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 4091 /* 4092 * We are authenticator for CHAP but didn't 4093 * complete yet. Leave it to tlu to proceed 4094 * to network phase. 4095 */ 4096 crit_exit(); 4097 break; 4098 } 4099 crit_exit(); 4100 sppp_phase_network(sp); 4101 break; 4102 4103 case CHAP_FAILURE: 4104 if (debug) { 4105 log(LOG_INFO, SPP_FMT "chap failure", 4106 SPP_ARGS(ifp)); 4107 if (len > 4) { 4108 log(-1, ": "); 4109 sppp_print_string((char*)(h + 1), len - 4); 4110 } 4111 log(-1, "\n"); 4112 } else 4113 log(LOG_INFO, SPP_FMT "chap failure\n", 4114 SPP_ARGS(ifp)); 4115 /* await LCP shutdown by authenticator */ 4116 break; 4117 4118 /* response is my authproto */ 4119 case CHAP_RESPONSE: 4120 value = 1 + (u_char*)(h+1); 4121 value_len = value[-1]; 4122 name = value + value_len; 4123 name_len = len - value_len - 5; 4124 if (name_len < 0) { 4125 if (debug) { 4126 log(LOG_DEBUG, 4127 SPP_FMT "chap corrupted response " 4128 "<%s id=0x%x len=%d", 4129 SPP_ARGS(ifp), 4130 sppp_auth_type_name(PPP_CHAP, h->type), 4131 h->ident, ntohs(h->len)); 4132 sppp_print_bytes((u_char*)(h+1), len-4); 4133 log(-1, ">\n"); 4134 } 4135 break; 4136 } 4137 if (h->ident != sp->confid[IDX_CHAP]) { 4138 if (debug) 4139 log(LOG_DEBUG, 4140 SPP_FMT "chap dropping response for old ID " 4141 "(got %d, expected %d)\n", 4142 SPP_ARGS(ifp), 4143 h->ident, sp->confid[IDX_CHAP]); 4144 break; 4145 } 4146 if (name_len != sppp_strnlen(sp->hisauth.name, AUTHNAMELEN) 4147 || bcmp(name, sp->hisauth.name, name_len) != 0) { 4148 log(LOG_INFO, SPP_FMT "chap response, his name ", 4149 SPP_ARGS(ifp)); 4150 sppp_print_string(name, name_len); 4151 log(-1, " != expected "); 4152 sppp_print_string(sp->hisauth.name, 4153 sppp_strnlen(sp->hisauth.name, AUTHNAMELEN)); 4154 log(-1, "\n"); 4155 } 4156 if (debug) { 4157 log(LOG_DEBUG, SPP_FMT "chap input(%s) " 4158 "<%s id=0x%x len=%d name=", 4159 SPP_ARGS(ifp), 4160 sppp_state_name(sp->state[IDX_CHAP]), 4161 sppp_auth_type_name(PPP_CHAP, h->type), 4162 h->ident, ntohs (h->len)); 4163 sppp_print_string((char*)name, name_len); 4164 log(-1, " value-size=%d value=", value_len); 4165 sppp_print_bytes(value, value_len); 4166 log(-1, ">\n"); 4167 } 4168 if (value_len != AUTHKEYLEN) { 4169 if (debug) 4170 log(LOG_DEBUG, 4171 SPP_FMT "chap bad hash value length: " 4172 "%d bytes, should be %d\n", 4173 SPP_ARGS(ifp), value_len, 4174 AUTHKEYLEN); 4175 break; 4176 } 4177 4178 MD5Init(&ctx); 4179 MD5Update(&ctx, &h->ident, 1); 4180 MD5Update(&ctx, sp->hisauth.secret, 4181 sppp_strnlen(sp->hisauth.secret, AUTHKEYLEN)); 4182 MD5Update(&ctx, sp->myauth.challenge, AUTHKEYLEN); 4183 MD5Final(digest, &ctx); 4184 4185 #define FAILMSG "Failed..." 4186 #define SUCCMSG "Welcome!" 4187 4188 if (value_len != sizeof digest || 4189 bcmp(digest, value, value_len) != 0) { 4190 /* action scn, tld */ 4191 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4192 sizeof(FAILMSG) - 1, (u_char *)FAILMSG, 4193 0); 4194 chap.tld(sp); 4195 break; 4196 } 4197 /* action sca, perhaps tlu */ 4198 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4199 sp->state[IDX_CHAP] == STATE_OPENED) 4200 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4201 sizeof(SUCCMSG) - 1, (u_char *)SUCCMSG, 4202 0); 4203 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4204 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4205 chap.tlu(sp); 4206 } 4207 break; 4208 4209 default: 4210 /* Unknown CHAP packet type -- ignore. */ 4211 if (debug) { 4212 log(LOG_DEBUG, SPP_FMT "chap unknown input(%s) " 4213 "<0x%x id=0x%xh len=%d", 4214 SPP_ARGS(ifp), 4215 sppp_state_name(sp->state[IDX_CHAP]), 4216 h->type, h->ident, ntohs(h->len)); 4217 sppp_print_bytes((u_char*)(h+1), len-4); 4218 log(-1, ">\n"); 4219 } 4220 break; 4221 4222 } 4223 } 4224 4225 static void 4226 sppp_chap_init(struct sppp *sp) 4227 { 4228 /* Chap doesn't have STATE_INITIAL at all. */ 4229 sp->state[IDX_CHAP] = STATE_CLOSED; 4230 sp->fail_counter[IDX_CHAP] = 0; 4231 sp->pp_seq[IDX_CHAP] = 0; 4232 sp->pp_rseq[IDX_CHAP] = 0; 4233 #if defined(__DragonFly__) 4234 callout_init(&sp->timeout[IDX_CHAP]); 4235 #endif 4236 } 4237 4238 static void 4239 sppp_chap_open(struct sppp *sp) 4240 { 4241 if (sp->myauth.proto == PPP_CHAP && 4242 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4243 /* we are authenticator for CHAP, start it */ 4244 chap.scr(sp); 4245 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4246 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4247 } 4248 /* nothing to be done if we are peer, await a challenge */ 4249 } 4250 4251 static void 4252 sppp_chap_close(struct sppp *sp) 4253 { 4254 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4255 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4256 } 4257 4258 static void 4259 sppp_chap_TO(void *cookie) 4260 { 4261 struct sppp *sp = (struct sppp *)cookie; 4262 STDDCL; 4263 4264 crit_enter(); 4265 4266 if (debug) 4267 log(LOG_DEBUG, SPP_FMT "chap TO(%s) rst_counter = %d\n", 4268 SPP_ARGS(ifp), 4269 sppp_state_name(sp->state[IDX_CHAP]), 4270 sp->rst_counter[IDX_CHAP]); 4271 4272 if (--sp->rst_counter[IDX_CHAP] < 0) 4273 /* TO- event */ 4274 switch (sp->state[IDX_CHAP]) { 4275 case STATE_REQ_SENT: 4276 chap.tld(sp); 4277 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4278 break; 4279 } 4280 else 4281 /* TO+ (or TO*) event */ 4282 switch (sp->state[IDX_CHAP]) { 4283 case STATE_OPENED: 4284 /* TO* event */ 4285 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4286 /* fall through */ 4287 case STATE_REQ_SENT: 4288 chap.scr(sp); 4289 /* sppp_cp_change_state() will restart the timer */ 4290 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4291 break; 4292 } 4293 4294 crit_exit(); 4295 } 4296 4297 static void 4298 sppp_chap_tlu(struct sppp *sp) 4299 { 4300 STDDCL; 4301 int i; 4302 4303 i = 0; 4304 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4305 4306 /* 4307 * Some broken CHAP implementations (Conware CoNet, firmware 4308 * 4.0.?) don't want to re-authenticate their CHAP once the 4309 * initial challenge-response exchange has taken place. 4310 * Provide for an option to avoid rechallenges. 4311 */ 4312 if ((sp->hisauth.flags & AUTHFLAG_NORECHALLENGE) == 0) { 4313 /* 4314 * Compute the re-challenge timeout. This will yield 4315 * a number between 300 and 810 seconds. 4316 */ 4317 i = 300 + ((unsigned)(krandom() & 0xff00) >> 7); 4318 callout_reset(&sp->timeout[IDX_CHAP], i * hz, chap.TO, sp); 4319 } 4320 4321 if (debug) { 4322 log(LOG_DEBUG, 4323 SPP_FMT "chap %s, ", 4324 SPP_ARGS(ifp), 4325 sp->pp_phase == PHASE_NETWORK? "reconfirmed": "tlu"); 4326 if ((sp->hisauth.flags & AUTHFLAG_NORECHALLENGE) == 0) 4327 log(-1, "next re-challenge in %d seconds\n", i); 4328 else 4329 log(-1, "re-challenging suppressed\n"); 4330 } 4331 4332 crit_enter(); 4333 4334 /* indicate to LCP that we need to be closed down */ 4335 sp->lcp.protos |= (1 << IDX_CHAP); 4336 4337 if (sp->pp_flags & PP_NEEDAUTH) { 4338 /* 4339 * Remote is authenticator, but his auth proto didn't 4340 * complete yet. Defer the transition to network 4341 * phase. 4342 */ 4343 crit_exit(); 4344 return; 4345 } 4346 4347 crit_exit(); 4348 4349 /* 4350 * If we are already in phase network, we are done here. This 4351 * is the case if this is a dummy tlu event after a re-challenge. 4352 */ 4353 if (sp->pp_phase != PHASE_NETWORK) 4354 sppp_phase_network(sp); 4355 } 4356 4357 static void 4358 sppp_chap_tld(struct sppp *sp) 4359 { 4360 STDDCL; 4361 4362 if (debug) 4363 log(LOG_DEBUG, SPP_FMT "chap tld\n", SPP_ARGS(ifp)); 4364 callout_stop(&sp->timeout[IDX_CHAP]); 4365 sp->lcp.protos &= ~(1 << IDX_CHAP); 4366 4367 lcp.Close(sp); 4368 } 4369 4370 static void 4371 sppp_chap_scr(struct sppp *sp) 4372 { 4373 u_long *ch, seed; 4374 u_char clen; 4375 4376 /* Compute random challenge. */ 4377 ch = (u_long *)sp->myauth.challenge; 4378 #if defined(__DragonFly__) 4379 read_random(&seed, sizeof seed); 4380 #else 4381 { 4382 struct timeval tv; 4383 microtime(&tv); 4384 seed = tv.tv_sec ^ tv.tv_usec; 4385 } 4386 #endif 4387 ch[0] = seed ^ krandom(); 4388 ch[1] = seed ^ krandom(); 4389 ch[2] = seed ^ krandom(); 4390 ch[3] = seed ^ krandom(); 4391 clen = AUTHKEYLEN; 4392 4393 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4394 4395 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4396 sizeof clen, (const char *)&clen, 4397 (size_t)AUTHKEYLEN, sp->myauth.challenge, 4398 (size_t)sppp_strnlen(sp->myauth.name, AUTHNAMELEN), 4399 sp->myauth.name, 4400 0); 4401 } 4402 4403 /* 4404 *--------------------------------------------------------------------------* 4405 * * 4406 * The PAP implementation. * 4407 * * 4408 *--------------------------------------------------------------------------* 4409 */ 4410 /* 4411 * For PAP, we need to keep a little state also if we are the peer, not the 4412 * authenticator. This is since we don't get a request to authenticate, but 4413 * have to repeatedly authenticate ourself until we got a response (or the 4414 * retry counter is expired). 4415 */ 4416 4417 /* 4418 * Handle incoming PAP packets. */ 4419 static void 4420 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4421 { 4422 STDDCL; 4423 struct lcp_header *h; 4424 int len; 4425 u_char *name, *passwd, mlen; 4426 int name_len, passwd_len; 4427 4428 /* 4429 * Malicious input might leave this uninitialized, so 4430 * init to an impossible value. 4431 */ 4432 passwd_len = -1; 4433 4434 len = m->m_pkthdr.len; 4435 if (len < 5) { 4436 if (debug) 4437 log(LOG_DEBUG, 4438 SPP_FMT "pap invalid packet length: %d bytes\n", 4439 SPP_ARGS(ifp), len); 4440 return; 4441 } 4442 h = mtod (m, struct lcp_header*); 4443 if (len > ntohs (h->len)) 4444 len = ntohs (h->len); 4445 switch (h->type) { 4446 /* PAP request is my authproto */ 4447 case PAP_REQ: 4448 name = 1 + (u_char*)(h+1); 4449 name_len = name[-1]; 4450 passwd = name + name_len + 1; 4451 if (name_len > len - 6 || 4452 (passwd_len = passwd[-1]) > len - 6 - name_len) { 4453 if (debug) { 4454 log(LOG_DEBUG, SPP_FMT "pap corrupted input " 4455 "<%s id=0x%x len=%d", 4456 SPP_ARGS(ifp), 4457 sppp_auth_type_name(PPP_PAP, h->type), 4458 h->ident, ntohs(h->len)); 4459 sppp_print_bytes((u_char*)(h+1), len-4); 4460 log(-1, ">\n"); 4461 } 4462 break; 4463 } 4464 if (debug) { 4465 log(LOG_DEBUG, SPP_FMT "pap input(%s) " 4466 "<%s id=0x%x len=%d name=", 4467 SPP_ARGS(ifp), 4468 sppp_state_name(sp->state[IDX_PAP]), 4469 sppp_auth_type_name(PPP_PAP, h->type), 4470 h->ident, ntohs(h->len)); 4471 sppp_print_string((char*)name, name_len); 4472 log(-1, " passwd="); 4473 sppp_print_string((char*)passwd, passwd_len); 4474 log(-1, ">\n"); 4475 } 4476 if (name_len != sppp_strnlen(sp->hisauth.name, AUTHNAMELEN) || 4477 passwd_len != sppp_strnlen(sp->hisauth.secret, AUTHKEYLEN) || 4478 bcmp(name, sp->hisauth.name, name_len) != 0 || 4479 bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) { 4480 /* action scn, tld */ 4481 mlen = sizeof(FAILMSG) - 1; 4482 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4483 sizeof mlen, (const char *)&mlen, 4484 sizeof(FAILMSG) - 1, (u_char *)FAILMSG, 4485 0); 4486 pap.tld(sp); 4487 break; 4488 } 4489 /* action sca, perhaps tlu */ 4490 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4491 sp->state[IDX_PAP] == STATE_OPENED) { 4492 mlen = sizeof(SUCCMSG) - 1; 4493 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4494 sizeof mlen, (const char *)&mlen, 4495 sizeof(SUCCMSG) - 1, (u_char *)SUCCMSG, 4496 0); 4497 } 4498 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4499 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4500 pap.tlu(sp); 4501 } 4502 break; 4503 4504 /* ack and nak are his authproto */ 4505 case PAP_ACK: 4506 callout_stop(&sp->pap_my_to); 4507 if (debug) { 4508 log(LOG_DEBUG, SPP_FMT "pap success", 4509 SPP_ARGS(ifp)); 4510 name = 1 + (u_char *)(h + 1); 4511 name_len = name[-1]; 4512 if (len > 5 && name_len < len+4) { 4513 log(-1, ": "); 4514 sppp_print_string(name, name_len); 4515 } 4516 log(-1, "\n"); 4517 } 4518 4519 crit_enter(); 4520 4521 sp->pp_flags &= ~PP_NEEDAUTH; 4522 if (sp->myauth.proto == PPP_PAP && 4523 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4524 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4525 /* 4526 * We are authenticator for PAP but didn't 4527 * complete yet. Leave it to tlu to proceed 4528 * to network phase. 4529 */ 4530 4531 crit_exit(); 4532 4533 break; 4534 } 4535 4536 crit_exit(); 4537 4538 sppp_phase_network(sp); 4539 break; 4540 4541 case PAP_NAK: 4542 callout_stop(&sp->pap_my_to); 4543 if (debug) { 4544 log(LOG_INFO, SPP_FMT "pap failure", 4545 SPP_ARGS(ifp)); 4546 name = 1 + (u_char *)(h + 1); 4547 name_len = name[-1]; 4548 if (len > 5 && name_len < len+4) { 4549 log(-1, ": "); 4550 sppp_print_string(name, name_len); 4551 } 4552 log(-1, "\n"); 4553 } else 4554 log(LOG_INFO, SPP_FMT "pap failure\n", 4555 SPP_ARGS(ifp)); 4556 /* await LCP shutdown by authenticator */ 4557 break; 4558 4559 default: 4560 /* Unknown PAP packet type -- ignore. */ 4561 if (debug) { 4562 log(LOG_DEBUG, SPP_FMT "pap corrupted input " 4563 "<0x%x id=0x%x len=%d", 4564 SPP_ARGS(ifp), 4565 h->type, h->ident, ntohs(h->len)); 4566 sppp_print_bytes((u_char*)(h+1), len-4); 4567 log(-1, ">\n"); 4568 } 4569 break; 4570 4571 } 4572 } 4573 4574 static void 4575 sppp_pap_init(struct sppp *sp) 4576 { 4577 /* PAP doesn't have STATE_INITIAL at all. */ 4578 sp->state[IDX_PAP] = STATE_CLOSED; 4579 sp->fail_counter[IDX_PAP] = 0; 4580 sp->pp_seq[IDX_PAP] = 0; 4581 sp->pp_rseq[IDX_PAP] = 0; 4582 #if defined(__DragonFly__) 4583 callout_init(&sp->timeout[IDX_PAP]); 4584 callout_init(&sp->pap_my_to); 4585 #endif 4586 } 4587 4588 static void 4589 sppp_pap_open(struct sppp *sp) 4590 { 4591 if (sp->hisauth.proto == PPP_PAP && 4592 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4593 /* we are authenticator for PAP, start our timer */ 4594 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4595 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4596 } 4597 if (sp->myauth.proto == PPP_PAP) { 4598 /* we are peer, send a request, and start a timer */ 4599 pap.scr(sp); 4600 callout_reset(&sp->pap_my_to, sp->lcp.timeout, 4601 sppp_pap_my_TO, sp); 4602 } 4603 } 4604 4605 static void 4606 sppp_pap_close(struct sppp *sp) 4607 { 4608 if (sp->state[IDX_PAP] != STATE_CLOSED) 4609 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4610 } 4611 4612 /* 4613 * That's the timeout routine if we are authenticator. Since the 4614 * authenticator is basically passive in PAP, we can't do much here. 4615 */ 4616 static void 4617 sppp_pap_TO(void *cookie) 4618 { 4619 struct sppp *sp = (struct sppp *)cookie; 4620 STDDCL; 4621 4622 crit_enter(); 4623 4624 if (debug) 4625 log(LOG_DEBUG, SPP_FMT "pap TO(%s) rst_counter = %d\n", 4626 SPP_ARGS(ifp), 4627 sppp_state_name(sp->state[IDX_PAP]), 4628 sp->rst_counter[IDX_PAP]); 4629 4630 if (--sp->rst_counter[IDX_PAP] < 0) 4631 /* TO- event */ 4632 switch (sp->state[IDX_PAP]) { 4633 case STATE_REQ_SENT: 4634 pap.tld(sp); 4635 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4636 break; 4637 } 4638 else 4639 /* TO+ event, not very much we could do */ 4640 switch (sp->state[IDX_PAP]) { 4641 case STATE_REQ_SENT: 4642 /* sppp_cp_change_state() will restart the timer */ 4643 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4644 break; 4645 } 4646 4647 crit_exit(); 4648 } 4649 4650 /* 4651 * That's the timeout handler if we are peer. Since the peer is active, 4652 * we need to retransmit our PAP request since it is apparently lost. 4653 * XXX We should impose a max counter. 4654 */ 4655 static void 4656 sppp_pap_my_TO(void *cookie) 4657 { 4658 struct sppp *sp = (struct sppp *)cookie; 4659 STDDCL; 4660 4661 if (debug) 4662 log(LOG_DEBUG, SPP_FMT "pap peer TO\n", 4663 SPP_ARGS(ifp)); 4664 4665 pap.scr(sp); 4666 } 4667 4668 static void 4669 sppp_pap_tlu(struct sppp *sp) 4670 { 4671 STDDCL; 4672 4673 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4674 4675 if (debug) 4676 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 4677 SPP_ARGS(ifp), pap.name); 4678 4679 crit_enter(); 4680 4681 /* indicate to LCP that we need to be closed down */ 4682 sp->lcp.protos |= (1 << IDX_PAP); 4683 4684 if (sp->pp_flags & PP_NEEDAUTH) { 4685 /* 4686 * Remote is authenticator, but his auth proto didn't 4687 * complete yet. Defer the transition to network 4688 * phase. 4689 */ 4690 crit_exit(); 4691 return; 4692 } 4693 crit_exit(); 4694 sppp_phase_network(sp); 4695 } 4696 4697 static void 4698 sppp_pap_tld(struct sppp *sp) 4699 { 4700 STDDCL; 4701 4702 if (debug) 4703 log(LOG_DEBUG, SPP_FMT "pap tld\n", SPP_ARGS(ifp)); 4704 callout_stop(&sp->timeout[IDX_PAP]); 4705 callout_stop(&sp->pap_my_to); 4706 sp->lcp.protos &= ~(1 << IDX_PAP); 4707 4708 lcp.Close(sp); 4709 } 4710 4711 static void 4712 sppp_pap_scr(struct sppp *sp) 4713 { 4714 u_char idlen, pwdlen; 4715 4716 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4717 pwdlen = sppp_strnlen(sp->myauth.secret, AUTHKEYLEN); 4718 idlen = sppp_strnlen(sp->myauth.name, AUTHNAMELEN); 4719 4720 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 4721 sizeof idlen, (const char *)&idlen, 4722 (size_t)idlen, sp->myauth.name, 4723 sizeof pwdlen, (const char *)&pwdlen, 4724 (size_t)pwdlen, sp->myauth.secret, 4725 0); 4726 } 4727 4728 /* 4729 * Random miscellaneous functions. 4730 */ 4731 4732 /* 4733 * Send a PAP or CHAP proto packet. 4734 * 4735 * Varadic function, each of the elements for the ellipsis is of type 4736 * ``size_t mlen, const u_char *msg''. Processing will stop iff 4737 * mlen == 0. 4738 * NOTE: never declare variadic functions with types subject to type 4739 * promotion (i.e. u_char). This is asking for big trouble depending 4740 * on the architecture you are on... 4741 */ 4742 4743 static void 4744 sppp_auth_send(const struct cp *cp, struct sppp *sp, 4745 unsigned int type, unsigned int id, 4746 ...) 4747 { 4748 STDDCL; 4749 struct ppp_header *h; 4750 struct lcp_header *lh; 4751 struct mbuf *m; 4752 u_char *p; 4753 int len; 4754 unsigned int mlen; 4755 const char *msg; 4756 __va_list ap; 4757 4758 MGETHDR (m, MB_DONTWAIT, MT_DATA); 4759 if (! m) 4760 return; 4761 m->m_pkthdr.rcvif = 0; 4762 4763 h = mtod (m, struct ppp_header*); 4764 h->address = PPP_ALLSTATIONS; /* broadcast address */ 4765 h->control = PPP_UI; /* Unnumbered Info */ 4766 h->protocol = htons(cp->proto); 4767 4768 lh = (struct lcp_header*)(h + 1); 4769 lh->type = type; 4770 lh->ident = id; 4771 p = (u_char*) (lh+1); 4772 4773 __va_start(ap, id); 4774 len = 0; 4775 4776 while ((mlen = (unsigned int)__va_arg(ap, size_t)) != 0) { 4777 msg = __va_arg(ap, const char *); 4778 len += mlen; 4779 if (len > MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN) { 4780 __va_end(ap); 4781 m_freem(m); 4782 return; 4783 } 4784 4785 bcopy(msg, p, mlen); 4786 p += mlen; 4787 } 4788 __va_end(ap); 4789 4790 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + LCP_HEADER_LEN + len; 4791 lh->len = htons (LCP_HEADER_LEN + len); 4792 4793 if (debug) { 4794 log(LOG_DEBUG, SPP_FMT "%s output <%s id=0x%x len=%d", 4795 SPP_ARGS(ifp), cp->name, 4796 sppp_auth_type_name(cp->proto, lh->type), 4797 lh->ident, ntohs(lh->len)); 4798 sppp_print_bytes((u_char*) (lh+1), len); 4799 log(-1, ">\n"); 4800 } 4801 if (IF_QFULL (&sp->pp_cpq)) { 4802 IF_DROP (&sp->pp_fastq); 4803 IF_DROP (&ifp->if_snd); 4804 m_freem (m); 4805 ++ifp->if_oerrors; 4806 } else 4807 IF_ENQUEUE (&sp->pp_cpq, m); 4808 if (! (ifp->if_flags & IFF_OACTIVE)) 4809 (*ifp->if_start) (ifp); 4810 ifp->if_obytes += m->m_pkthdr.len + 3; 4811 } 4812 4813 /* 4814 * Send keepalive packets, every 10 seconds. 4815 */ 4816 static void 4817 sppp_keepalive(void *dummy) 4818 { 4819 struct sppp *sp; 4820 4821 crit_enter(); 4822 4823 for (sp=spppq; sp; sp=sp->pp_next) { 4824 struct ifnet *ifp = &sp->pp_if; 4825 4826 /* Keepalive mode disabled or channel down? */ 4827 if (! (sp->pp_flags & PP_KEEPALIVE) || 4828 ! (ifp->if_flags & IFF_RUNNING)) 4829 continue; 4830 4831 /* No keepalive in PPP mode if LCP not opened yet. */ 4832 if (sp->pp_mode != IFF_CISCO && 4833 sp->pp_phase < PHASE_AUTHENTICATE) 4834 continue; 4835 4836 if (sp->pp_alivecnt == MAXALIVECNT) { 4837 /* No keepalive packets got. Stop the interface. */ 4838 kprintf (SPP_FMT "down\n", SPP_ARGS(ifp)); 4839 if_down (ifp); 4840 IF_DRAIN(&sp->pp_cpq); 4841 if (sp->pp_mode != IFF_CISCO) { 4842 /* XXX */ 4843 /* Shut down the PPP link. */ 4844 lcp.Down(sp); 4845 /* Initiate negotiation. XXX */ 4846 lcp.Up(sp); 4847 } 4848 } 4849 lwkt_serialize_enter(ifp->if_serializer); 4850 if (sp->pp_alivecnt <= MAXALIVECNT) 4851 ++sp->pp_alivecnt; 4852 if (sp->pp_mode == IFF_CISCO) 4853 sppp_cisco_send (sp, CISCO_KEEPALIVE_REQ, 4854 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 4855 else if (sp->pp_phase >= PHASE_AUTHENTICATE) { 4856 long nmagic = htonl (sp->lcp.magic); 4857 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 4858 sppp_cp_send (sp, PPP_LCP, ECHO_REQ, 4859 sp->lcp.echoid, 4, &nmagic); 4860 } 4861 lwkt_serialize_exit(ifp->if_serializer); 4862 } 4863 callout_reset(&keepalive_timeout, hz * 10, sppp_keepalive, NULL); 4864 crit_exit(); 4865 } 4866 4867 /* 4868 * Get both IP addresses. 4869 */ 4870 static void 4871 sppp_get_ip_addrs(struct sppp *sp, u_long *src, u_long *dst, u_long *srcmask) 4872 { 4873 struct ifnet *ifp = &sp->pp_if; 4874 struct ifaddr_container *ifac; 4875 struct ifaddr *ifa; 4876 struct sockaddr_in *si, *sm; 4877 u_long ssrc, ddst; 4878 4879 sm = NULL; 4880 ssrc = ddst = 0L; 4881 /* 4882 * Pick the first AF_INET address from the list, 4883 * aliases don't make any sense on a p2p link anyway. 4884 */ 4885 si = 0; 4886 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4887 ifa = ifac->ifa; 4888 if (ifa->ifa_addr->sa_family == AF_INET) { 4889 si = (struct sockaddr_in *)ifa->ifa_addr; 4890 sm = (struct sockaddr_in *)ifa->ifa_netmask; 4891 if (si) 4892 break; 4893 } 4894 } 4895 if (ifac != NULL) { 4896 if (si && si->sin_addr.s_addr) { 4897 ssrc = si->sin_addr.s_addr; 4898 if (srcmask) 4899 *srcmask = ntohl(sm->sin_addr.s_addr); 4900 } 4901 4902 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 4903 if (si && si->sin_addr.s_addr) 4904 ddst = si->sin_addr.s_addr; 4905 } 4906 4907 if (dst) *dst = ntohl(ddst); 4908 if (src) *src = ntohl(ssrc); 4909 } 4910 4911 /* 4912 * Set my IP address. Must be called at splimp. 4913 */ 4914 static void 4915 sppp_set_ip_addr(struct sppp *sp, u_long src) 4916 { 4917 STDDCL; 4918 struct ifaddr_container *ifac; 4919 struct ifaddr *ifa = NULL; 4920 struct sockaddr_in *si; 4921 struct in_ifaddr *ia; 4922 4923 /* 4924 * Pick the first AF_INET address from the list, 4925 * aliases don't make any sense on a p2p link anyway. 4926 */ 4927 si = 0; 4928 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4929 ifa = ifac->ifa; 4930 if (ifa->ifa_addr->sa_family == AF_INET) { 4931 si = (struct sockaddr_in *)ifa->ifa_addr; 4932 if (si) 4933 break; 4934 } 4935 } 4936 4937 if (ifac != NULL && si != NULL) { 4938 int error; 4939 #if __NetBSD_Version__ >= 103080000 4940 struct sockaddr_in new_sin = *si; 4941 4942 new_sin.sin_addr.s_addr = htonl(src); 4943 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, 1); 4944 if(debug && error) 4945 { 4946 log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: in_ifinit " 4947 " failed, error=%d\n", SPP_ARGS(ifp), error); 4948 } 4949 #else 4950 /* delete old route */ 4951 error = rtinit(ifa, (int)RTM_DELETE, RTF_HOST); 4952 if(debug && error) 4953 { 4954 log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: rtinit DEL failed, error=%d\n", 4955 SPP_ARGS(ifp), error); 4956 } 4957 4958 ia = ifatoia(ifa); 4959 in_iahash_remove(ia); 4960 4961 /* set new address */ 4962 si->sin_addr.s_addr = htonl(src); 4963 in_iahash_insert(ia); 4964 4965 /* add new route */ 4966 error = rtinit(ifa, (int)RTM_ADD, RTF_HOST); 4967 if (debug && error) 4968 { 4969 log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: rtinit ADD failed, error=%d", 4970 SPP_ARGS(ifp), error); 4971 } 4972 #endif 4973 } 4974 } 4975 4976 #ifdef INET6 4977 /* 4978 * Get both IPv6 addresses. 4979 */ 4980 static void 4981 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 4982 struct in6_addr *srcmask) 4983 { 4984 struct ifnet *ifp = &sp->pp_if; 4985 struct ifaddr_container *ifac; 4986 struct ifaddr *ifa; 4987 struct sockaddr_in6 *si, *sm; 4988 struct in6_addr ssrc, ddst; 4989 4990 sm = NULL; 4991 bzero(&ssrc, sizeof(ssrc)); 4992 bzero(&ddst, sizeof(ddst)); 4993 /* 4994 * Pick the first link-local AF_INET6 address from the list, 4995 * aliases don't make any sense on a p2p link anyway. 4996 */ 4997 si = 0; 4998 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4999 ifa = ifac->ifa; 5000 if (ifa->ifa_addr->sa_family == AF_INET6) { 5001 si = (struct sockaddr_in6 *)ifa->ifa_addr; 5002 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 5003 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) 5004 break; 5005 } 5006 } 5007 if (ifac != NULL) { 5008 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 5009 bcopy(&si->sin6_addr, &ssrc, sizeof(ssrc)); 5010 if (srcmask) { 5011 bcopy(&sm->sin6_addr, srcmask, 5012 sizeof(*srcmask)); 5013 } 5014 } 5015 5016 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 5017 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 5018 bcopy(&si->sin6_addr, &ddst, sizeof(ddst)); 5019 } 5020 5021 if (dst) 5022 bcopy(&ddst, dst, sizeof(*dst)); 5023 if (src) 5024 bcopy(&ssrc, src, sizeof(*src)); 5025 } 5026 5027 #ifdef IPV6CP_MYIFID_DYN 5028 /* 5029 * Generate random ifid. 5030 */ 5031 static void 5032 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5033 { 5034 /* TBD */ 5035 } 5036 5037 /* 5038 * Set my IPv6 address. Must be called at splimp. 5039 */ 5040 static void 5041 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5042 { 5043 STDDCL; 5044 struct ifaddr_container *ifac; 5045 struct ifaddr *ifa; 5046 struct sockaddr_in6 *sin6; 5047 5048 /* 5049 * Pick the first link-local AF_INET6 address from the list, 5050 * aliases don't make any sense on a p2p link anyway. 5051 */ 5052 5053 sin6 = NULL; 5054 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 5055 ifa = ifac->ifa; 5056 if (ifa->ifa_addr->sa_family == AF_INET6) { 5057 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5058 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 5059 break; 5060 } 5061 } 5062 5063 if (ifac != NULL && sin6 != NULL) { 5064 int error; 5065 struct sockaddr_in6 new_sin6 = *sin6; 5066 5067 bcopy(src, &new_sin6.sin6_addr, sizeof(new_sin6.sin6_addr)); 5068 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5069 if (debug && error) { 5070 log(LOG_DEBUG, SPP_FMT "sppp_set_ip6_addr: in6_ifinit " 5071 " failed, error=%d\n", SPP_ARGS(ifp), error); 5072 } 5073 } 5074 } 5075 #endif 5076 5077 /* 5078 * Suggest a candidate address to be used by peer. 5079 */ 5080 static void 5081 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5082 { 5083 struct in6_addr myaddr; 5084 struct timeval tv; 5085 5086 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5087 5088 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5089 microtime(&tv); 5090 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5091 myaddr.s6_addr[14] ^= 0xff; 5092 myaddr.s6_addr[15] ^= 0xff; 5093 } else { 5094 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5095 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5096 } 5097 if (suggest) 5098 bcopy(&myaddr, suggest, sizeof(myaddr)); 5099 } 5100 #endif /*INET6*/ 5101 5102 static int 5103 sppp_params(struct sppp *sp, u_long cmd, void *data) 5104 { 5105 u_long subcmd; 5106 struct ifreq *ifr = (struct ifreq *)data; 5107 struct spppreq *spr; 5108 int rv = 0; 5109 5110 spr = kmalloc(sizeof(struct spppreq), M_TEMP, M_INTWAIT); 5111 5112 /* 5113 * ifr->ifr_data is supposed to point to a struct spppreq. 5114 * Check the cmd word first before attempting to fetch all the 5115 * data. 5116 */ 5117 if ((subcmd = fuword(ifr->ifr_data)) == -1) { 5118 rv = EFAULT; 5119 goto quit; 5120 } 5121 5122 if (copyin((caddr_t)ifr->ifr_data, spr, sizeof(struct spppreq)) != 0) { 5123 rv = EFAULT; 5124 goto quit; 5125 } 5126 5127 switch (subcmd) { 5128 case (int)SPPPIOGDEFS: 5129 if (cmd != SIOCGIFGENERIC) { 5130 rv = EINVAL; 5131 break; 5132 } 5133 /* 5134 * We copy over the entire current state, but clean 5135 * out some of the stuff we don't wanna pass up. 5136 * Remember, SIOCGIFGENERIC is unprotected, and can be 5137 * called by any user. No need to ever get PAP or 5138 * CHAP secrets back to userland anyway. 5139 */ 5140 spr->defs.pp_phase = sp->pp_phase; 5141 spr->defs.enable_vj = (sp->confflags & CONF_ENABLE_VJ) != 0; 5142 spr->defs.enable_ipv6 = (sp->confflags & CONF_ENABLE_IPV6) != 0; 5143 spr->defs.lcp = sp->lcp; 5144 spr->defs.ipcp = sp->ipcp; 5145 spr->defs.ipv6cp = sp->ipv6cp; 5146 spr->defs.myauth = sp->myauth; 5147 spr->defs.hisauth = sp->hisauth; 5148 bzero(spr->defs.myauth.secret, AUTHKEYLEN); 5149 bzero(spr->defs.myauth.challenge, AUTHKEYLEN); 5150 bzero(spr->defs.hisauth.secret, AUTHKEYLEN); 5151 bzero(spr->defs.hisauth.challenge, AUTHKEYLEN); 5152 /* 5153 * Fixup the LCP timeout value to milliseconds so 5154 * spppcontrol doesn't need to bother about the value 5155 * of "hz". We do the reverse calculation below when 5156 * setting it. 5157 */ 5158 spr->defs.lcp.timeout = sp->lcp.timeout * 1000 / hz; 5159 rv = copyout(spr, (caddr_t)ifr->ifr_data, 5160 sizeof(struct spppreq)); 5161 break; 5162 5163 case (int)SPPPIOSDEFS: 5164 if (cmd != SIOCSIFGENERIC) { 5165 rv = EINVAL; 5166 break; 5167 } 5168 /* 5169 * We have a very specific idea of which fields we 5170 * allow being passed back from userland, so to not 5171 * clobber our current state. For one, we only allow 5172 * setting anything if LCP is in dead or establish 5173 * phase. Once the authentication negotiations 5174 * started, the authentication settings must not be 5175 * changed again. (The administrator can force an 5176 * ifconfig down in order to get LCP back into dead 5177 * phase.) 5178 * 5179 * Also, we only allow for authentication parameters to be 5180 * specified. 5181 * 5182 * XXX Should allow to set or clear pp_flags. 5183 * 5184 * Finally, if the respective authentication protocol to 5185 * be used is set differently than 0, but the secret is 5186 * passed as all zeros, we don't trash the existing secret. 5187 * This allows an administrator to change the system name 5188 * only without clobbering the secret (which he didn't get 5189 * back in a previous SPPPIOGDEFS call). However, the 5190 * secrets are cleared if the authentication protocol is 5191 * reset to 0. */ 5192 if (sp->pp_phase != PHASE_DEAD && 5193 sp->pp_phase != PHASE_ESTABLISH) { 5194 rv = EBUSY; 5195 break; 5196 } 5197 5198 if ((spr->defs.myauth.proto != 0 && spr->defs.myauth.proto != PPP_PAP && 5199 spr->defs.myauth.proto != PPP_CHAP) || 5200 (spr->defs.hisauth.proto != 0 && spr->defs.hisauth.proto != PPP_PAP && 5201 spr->defs.hisauth.proto != PPP_CHAP)) { 5202 rv = EINVAL; 5203 break; 5204 } 5205 5206 if (spr->defs.myauth.proto == 0) 5207 /* resetting myauth */ 5208 bzero(&sp->myauth, sizeof sp->myauth); 5209 else { 5210 /* setting/changing myauth */ 5211 sp->myauth.proto = spr->defs.myauth.proto; 5212 bcopy(spr->defs.myauth.name, sp->myauth.name, AUTHNAMELEN); 5213 if (spr->defs.myauth.secret[0] != '\0') 5214 bcopy(spr->defs.myauth.secret, sp->myauth.secret, 5215 AUTHKEYLEN); 5216 } 5217 if (spr->defs.hisauth.proto == 0) 5218 /* resetting hisauth */ 5219 bzero(&sp->hisauth, sizeof sp->hisauth); 5220 else { 5221 /* setting/changing hisauth */ 5222 sp->hisauth.proto = spr->defs.hisauth.proto; 5223 sp->hisauth.flags = spr->defs.hisauth.flags; 5224 bcopy(spr->defs.hisauth.name, sp->hisauth.name, AUTHNAMELEN); 5225 if (spr->defs.hisauth.secret[0] != '\0') 5226 bcopy(spr->defs.hisauth.secret, sp->hisauth.secret, 5227 AUTHKEYLEN); 5228 } 5229 /* set LCP restart timer timeout */ 5230 if (spr->defs.lcp.timeout != 0) 5231 sp->lcp.timeout = spr->defs.lcp.timeout * hz / 1000; 5232 /* set VJ enable and IPv6 disable flags */ 5233 #ifdef INET 5234 if (spr->defs.enable_vj) 5235 sp->confflags |= CONF_ENABLE_VJ; 5236 else 5237 sp->confflags &= ~CONF_ENABLE_VJ; 5238 #endif 5239 #ifdef INET6 5240 if (spr->defs.enable_ipv6) 5241 sp->confflags |= CONF_ENABLE_IPV6; 5242 else 5243 sp->confflags &= ~CONF_ENABLE_IPV6; 5244 #endif 5245 break; 5246 5247 default: 5248 rv = EINVAL; 5249 } 5250 5251 quit: 5252 kfree(spr, M_TEMP); 5253 5254 return (rv); 5255 } 5256 5257 static void 5258 sppp_phase_network(struct sppp *sp) 5259 { 5260 STDDCL; 5261 int i; 5262 u_long mask; 5263 5264 sp->pp_phase = PHASE_NETWORK; 5265 5266 if (debug) 5267 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 5268 sppp_phase_name(sp->pp_phase)); 5269 5270 /* Notify NCPs now. */ 5271 for (i = 0; i < IDX_COUNT; i++) 5272 if ((cps[i])->flags & CP_NCP) 5273 (cps[i])->Open(sp); 5274 5275 /* Send Up events to all NCPs. */ 5276 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5277 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) 5278 (cps[i])->Up(sp); 5279 5280 /* if no NCP is starting, all this was in vain, close down */ 5281 sppp_lcp_check_and_close(sp); 5282 } 5283 5284 5285 static const char * 5286 sppp_cp_type_name(u_char type) 5287 { 5288 static char buf[12]; 5289 switch (type) { 5290 case CONF_REQ: return "conf-req"; 5291 case CONF_ACK: return "conf-ack"; 5292 case CONF_NAK: return "conf-nak"; 5293 case CONF_REJ: return "conf-rej"; 5294 case TERM_REQ: return "term-req"; 5295 case TERM_ACK: return "term-ack"; 5296 case CODE_REJ: return "code-rej"; 5297 case PROTO_REJ: return "proto-rej"; 5298 case ECHO_REQ: return "echo-req"; 5299 case ECHO_REPLY: return "echo-reply"; 5300 case DISC_REQ: return "discard-req"; 5301 } 5302 ksnprintf (buf, sizeof(buf), "cp/0x%x", type); 5303 return buf; 5304 } 5305 5306 static const char * 5307 sppp_auth_type_name(u_short proto, u_char type) 5308 { 5309 static char buf[12]; 5310 switch (proto) { 5311 case PPP_CHAP: 5312 switch (type) { 5313 case CHAP_CHALLENGE: return "challenge"; 5314 case CHAP_RESPONSE: return "response"; 5315 case CHAP_SUCCESS: return "success"; 5316 case CHAP_FAILURE: return "failure"; 5317 } 5318 case PPP_PAP: 5319 switch (type) { 5320 case PAP_REQ: return "req"; 5321 case PAP_ACK: return "ack"; 5322 case PAP_NAK: return "nak"; 5323 } 5324 } 5325 ksnprintf (buf, sizeof(buf), "auth/0x%x", type); 5326 return buf; 5327 } 5328 5329 static const char * 5330 sppp_lcp_opt_name(u_char opt) 5331 { 5332 static char buf[12]; 5333 switch (opt) { 5334 case LCP_OPT_MRU: return "mru"; 5335 case LCP_OPT_ASYNC_MAP: return "async-map"; 5336 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 5337 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 5338 case LCP_OPT_MAGIC: return "magic"; 5339 case LCP_OPT_PROTO_COMP: return "proto-comp"; 5340 case LCP_OPT_ADDR_COMP: return "addr-comp"; 5341 } 5342 ksnprintf (buf, sizeof(buf), "lcp/0x%x", opt); 5343 return buf; 5344 } 5345 5346 static const char * 5347 sppp_ipcp_opt_name(u_char opt) 5348 { 5349 static char buf[12]; 5350 switch (opt) { 5351 case IPCP_OPT_ADDRESSES: return "addresses"; 5352 case IPCP_OPT_COMPRESSION: return "compression"; 5353 case IPCP_OPT_ADDRESS: return "address"; 5354 } 5355 ksnprintf (buf, sizeof(buf), "ipcp/0x%x", opt); 5356 return buf; 5357 } 5358 5359 #ifdef INET6 5360 static const char * 5361 sppp_ipv6cp_opt_name(u_char opt) 5362 { 5363 static char buf[12]; 5364 switch (opt) { 5365 case IPV6CP_OPT_IFID: return "ifid"; 5366 case IPV6CP_OPT_COMPRESSION: return "compression"; 5367 } 5368 ksprintf (buf, "0x%x", opt); 5369 return buf; 5370 } 5371 #endif 5372 5373 static const char * 5374 sppp_state_name(int state) 5375 { 5376 switch (state) { 5377 case STATE_INITIAL: return "initial"; 5378 case STATE_STARTING: return "starting"; 5379 case STATE_CLOSED: return "closed"; 5380 case STATE_STOPPED: return "stopped"; 5381 case STATE_CLOSING: return "closing"; 5382 case STATE_STOPPING: return "stopping"; 5383 case STATE_REQ_SENT: return "req-sent"; 5384 case STATE_ACK_RCVD: return "ack-rcvd"; 5385 case STATE_ACK_SENT: return "ack-sent"; 5386 case STATE_OPENED: return "opened"; 5387 } 5388 return "illegal"; 5389 } 5390 5391 static const char * 5392 sppp_phase_name(enum ppp_phase phase) 5393 { 5394 switch (phase) { 5395 case PHASE_DEAD: return "dead"; 5396 case PHASE_ESTABLISH: return "establish"; 5397 case PHASE_TERMINATE: return "terminate"; 5398 case PHASE_AUTHENTICATE: return "authenticate"; 5399 case PHASE_NETWORK: return "network"; 5400 } 5401 return "illegal"; 5402 } 5403 5404 static const char * 5405 sppp_proto_name(u_short proto) 5406 { 5407 static char buf[12]; 5408 switch (proto) { 5409 case PPP_LCP: return "lcp"; 5410 case PPP_IPCP: return "ipcp"; 5411 case PPP_PAP: return "pap"; 5412 case PPP_CHAP: return "chap"; 5413 case PPP_IPV6CP: return "ipv6cp"; 5414 } 5415 ksnprintf(buf, sizeof(buf), "proto/0x%x", (unsigned)proto); 5416 return buf; 5417 } 5418 5419 static void 5420 sppp_print_bytes(const u_char *p, u_short len) 5421 { 5422 if (len) 5423 log(-1, " %*D", len, p, "-"); 5424 } 5425 5426 static void 5427 sppp_print_string(const char *p, u_short len) 5428 { 5429 u_char c; 5430 5431 while (len-- > 0) { 5432 c = *p++; 5433 /* 5434 * Print only ASCII chars directly. RFC 1994 recommends 5435 * using only them, but we don't rely on it. */ 5436 if (c < ' ' || c > '~') 5437 log(-1, "\\x%x", c); 5438 else 5439 log(-1, "%c", c); 5440 } 5441 } 5442 5443 static const char * 5444 sppp_dotted_quad(u_long addr) 5445 { 5446 static char s[16]; 5447 ksprintf(s, "%d.%d.%d.%d", 5448 (int)((addr >> 24) & 0xff), 5449 (int)((addr >> 16) & 0xff), 5450 (int)((addr >> 8) & 0xff), 5451 (int)(addr & 0xff)); 5452 return s; 5453 } 5454 5455 static int 5456 sppp_strnlen(u_char *p, int max) 5457 { 5458 int len; 5459 5460 for (len = 0; len < max && *p; ++p) 5461 ++len; 5462 return len; 5463 } 5464 5465 /* a dummy, used to drop uninteresting events */ 5466 static void 5467 sppp_null(struct sppp *unused) 5468 { 5469 /* do just nothing */ 5470 } 5471