1 /* 2 * Synchronous PPP/Cisco link level subroutines. 3 * Keepalive protocol implemented in both Cisco and PPP modes. 4 * 5 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 6 * Author: Serge Vakulenko, <vak@cronyx.ru> 7 * 8 * Heavily revamped to conform to RFC 1661. 9 * Copyright (C) 1997, 2001 Joerg Wunsch. 10 * 11 * This software is distributed with NO WARRANTIES, not even the implied 12 * warranties for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 13 * 14 * Authors grant any other persons or organisations permission to use 15 * or modify this software as long as this message is kept with the software, 16 * all derivative works or modified versions. 17 * 18 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 19 * 20 * $FreeBSD: src/sys/net/if_spppsubr.c,v 1.59.2.13 2002/07/03 15:44:41 joerg Exp $ 21 */ 22 23 #include <sys/param.h> 24 #include <sys/libkern.h> 25 26 #include "opt_inet.h" 27 #include "opt_inet6.h" 28 #include "opt_ipx.h" 29 30 #include <sys/systm.h> 31 #include <sys/kernel.h> 32 #include <sys/module.h> 33 #include <sys/sockio.h> 34 #include <sys/socket.h> 35 #include <sys/syslog.h> 36 #include <sys/random.h> 37 #include <sys/thread2.h> 38 #include <sys/malloc.h> 39 #include <sys/mbuf.h> 40 #include <sys/md5.h> 41 42 #include <net/if.h> 43 #include <net/ifq_var.h> 44 #include <net/netisr.h> 45 #include <net/if_types.h> 46 #include <net/route.h> 47 #include <netinet/in.h> 48 #include <netinet/in_systm.h> 49 #include <netinet/ip.h> 50 #include <net/slcompress.h> 51 52 #include <machine/stdarg.h> 53 54 #include <netinet/in_var.h> 55 56 #ifdef INET 57 #include <netinet/tcp.h> 58 #endif 59 60 #include <netinet/if_ether.h> 61 62 #ifdef IPX 63 #include <netproto/ipx/ipx.h> 64 #include <netproto/ipx/ipx_if.h> 65 #endif 66 67 #include "if_sppp.h" 68 69 #define IOCTL_CMD_T u_long 70 #define MAXALIVECNT 3 /* max. alive packets */ 71 72 /* 73 * Interface flags that can be set in an ifconfig command. 74 * 75 * Setting link0 will make the link passive, i.e. it will be marked 76 * as being administrative openable, but won't be opened to begin 77 * with. Incoming calls will be answered, or subsequent calls with 78 * -link1 will cause the administrative open of the LCP layer. 79 * 80 * Setting link1 will cause the link to auto-dial only as packets 81 * arrive to be sent. 82 * 83 * Setting IFF_DEBUG will syslog the option negotiation and state 84 * transitions at level kern.debug. Note: all logs consistently look 85 * like 86 * 87 * <if-name><unit>: <proto-name> <additional info...> 88 * 89 * with <if-name><unit> being something like "bppp0", and <proto-name> 90 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 91 */ 92 93 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 94 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 95 #define IFF_CISCO IFF_LINK2 /* auto-dial on output */ 96 97 #define PPP_ALLSTATIONS 0xff /* All-Stations broadcast address */ 98 #define PPP_UI 0x03 /* Unnumbered Information */ 99 #define PPP_IP 0x0021 /* Internet Protocol */ 100 #define PPP_ISO 0x0023 /* ISO OSI Protocol */ 101 #define PPP_XNS 0x0025 /* Xerox NS Protocol */ 102 #define PPP_IPX 0x002b /* Novell IPX Protocol */ 103 #define PPP_VJ_COMP 0x002d /* VJ compressed TCP/IP */ 104 #define PPP_VJ_UCOMP 0x002f /* VJ uncompressed TCP/IP */ 105 #define PPP_IPV6 0x0057 /* Internet Protocol Version 6 */ 106 #define PPP_LCP 0xc021 /* Link Control Protocol */ 107 #define PPP_PAP 0xc023 /* Password Authentication Protocol */ 108 #define PPP_CHAP 0xc223 /* Challenge-Handshake Auth Protocol */ 109 #define PPP_IPCP 0x8021 /* Internet Protocol Control Protocol */ 110 #define PPP_IPV6CP 0x8057 /* IPv6 Control Protocol */ 111 112 #define CONF_REQ 1 /* PPP configure request */ 113 #define CONF_ACK 2 /* PPP configure acknowledge */ 114 #define CONF_NAK 3 /* PPP configure negative ack */ 115 #define CONF_REJ 4 /* PPP configure reject */ 116 #define TERM_REQ 5 /* PPP terminate request */ 117 #define TERM_ACK 6 /* PPP terminate acknowledge */ 118 #define CODE_REJ 7 /* PPP code reject */ 119 #define PROTO_REJ 8 /* PPP protocol reject */ 120 #define ECHO_REQ 9 /* PPP echo request */ 121 #define ECHO_REPLY 10 /* PPP echo reply */ 122 #define DISC_REQ 11 /* PPP discard request */ 123 124 #define LCP_OPT_MRU 1 /* maximum receive unit */ 125 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 126 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 127 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 128 #define LCP_OPT_MAGIC 5 /* magic number */ 129 #define LCP_OPT_RESERVED 6 /* reserved */ 130 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 131 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 132 133 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 134 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol (VJ) */ 135 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 136 137 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 138 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 139 140 #define IPCP_COMP_VJ 0x2d /* Code for VJ compression */ 141 142 #define PAP_REQ 1 /* PAP name/password request */ 143 #define PAP_ACK 2 /* PAP acknowledge */ 144 #define PAP_NAK 3 /* PAP fail */ 145 146 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 147 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 148 #define CHAP_SUCCESS 3 /* CHAP response ok */ 149 #define CHAP_FAILURE 4 /* CHAP response failed */ 150 151 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 152 153 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 154 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 155 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 156 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 157 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 158 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 159 160 /* states are named and numbered according to RFC 1661 */ 161 #define STATE_INITIAL 0 162 #define STATE_STARTING 1 163 #define STATE_CLOSED 2 164 #define STATE_STOPPED 3 165 #define STATE_CLOSING 4 166 #define STATE_STOPPING 5 167 #define STATE_REQ_SENT 6 168 #define STATE_ACK_RCVD 7 169 #define STATE_ACK_SENT 8 170 #define STATE_OPENED 9 171 172 struct ppp_header { 173 u_char address; 174 u_char control; 175 u_short protocol; 176 } __attribute__((__packed__)); 177 #define PPP_HEADER_LEN sizeof (struct ppp_header) 178 179 struct lcp_header { 180 u_char type; 181 u_char ident; 182 u_short len; 183 } __attribute__((__packed__)); 184 #define LCP_HEADER_LEN sizeof (struct lcp_header) 185 186 struct cisco_packet { 187 u_long type; 188 u_long par1; 189 u_long par2; 190 u_short rel; 191 u_short time0; 192 u_short time1; 193 } __attribute__((__packed__)); 194 #define CISCO_PACKET_LEN sizeof (struct cisco_packet) 195 196 /* 197 * We follow the spelling and capitalization of RFC 1661 here, to make 198 * it easier comparing with the standard. Please refer to this RFC in 199 * case you can't make sense out of these abbreviation; it will also 200 * explain the semantics related to the various events and actions. 201 */ 202 struct cp { 203 u_short proto; /* PPP control protocol number */ 204 u_char protoidx; /* index into state table in struct sppp */ 205 u_char flags; 206 #define CP_LCP 0x01 /* this is the LCP */ 207 #define CP_AUTH 0x02 /* this is an authentication protocol */ 208 #define CP_NCP 0x04 /* this is a NCP */ 209 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 210 const char *name; /* name of this control protocol */ 211 /* event handlers */ 212 void (*Up)(struct sppp *sp); 213 void (*Down)(struct sppp *sp); 214 void (*Open)(struct sppp *sp); 215 void (*Close)(struct sppp *sp); 216 void (*TO)(void *sp); 217 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 218 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 219 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 220 /* actions */ 221 void (*tlu)(struct sppp *sp); 222 void (*tld)(struct sppp *sp); 223 void (*tls)(struct sppp *sp); 224 void (*tlf)(struct sppp *sp); 225 void (*scr)(struct sppp *sp); 226 }; 227 228 static struct sppp *spppq; 229 static struct callout keepalive_timeout; 230 231 #define SPP_FMT "%s: " 232 #define SPP_ARGS(ifp) (ifp)->if_xname 233 234 #ifdef INET 235 /* 236 * The following disgusting hack gets around the problem that IP TOS 237 * can't be set yet. We want to put "interactive" traffic on a high 238 * priority queue. To decide if traffic is interactive, we check that 239 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 240 * 241 * XXX is this really still necessary? - joerg - 242 */ 243 static u_short interactive_ports[8] = { 244 0, 513, 0, 0, 245 0, 21, 0, 23, 246 }; 247 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 248 #endif 249 250 /* almost every function needs these */ 251 #define STDDCL \ 252 struct ifnet *ifp = &sp->pp_if; \ 253 int debug = ifp->if_flags & IFF_DEBUG 254 255 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 256 struct sockaddr *dst, struct rtentry *rt); 257 258 static void sppp_cisco_send(struct sppp *sp, int type, long par1, long par2); 259 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 260 261 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 262 struct mbuf *m); 263 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 264 u_char ident, u_short len, void *data); 265 /* static void sppp_cp_timeout(void *arg); */ 266 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 267 int newstate); 268 static void sppp_auth_send(const struct cp *cp, 269 struct sppp *sp, unsigned int type, unsigned int id, 270 ...); 271 272 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 273 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 274 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 275 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 276 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 277 278 static void sppp_null(struct sppp *sp); 279 280 static void sppp_lcp_init(struct sppp *sp); 281 static void sppp_lcp_up(struct sppp *sp); 282 static void sppp_lcp_down(struct sppp *sp); 283 static void sppp_lcp_open(struct sppp *sp); 284 static void sppp_lcp_close(struct sppp *sp); 285 static void sppp_lcp_TO(void *sp); 286 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 287 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 288 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 289 static void sppp_lcp_tlu(struct sppp *sp); 290 static void sppp_lcp_tld(struct sppp *sp); 291 static void sppp_lcp_tls(struct sppp *sp); 292 static void sppp_lcp_tlf(struct sppp *sp); 293 static void sppp_lcp_scr(struct sppp *sp); 294 static void sppp_lcp_check_and_close(struct sppp *sp); 295 static int sppp_ncp_check(struct sppp *sp); 296 297 static void sppp_ipcp_init(struct sppp *sp); 298 static void sppp_ipcp_up(struct sppp *sp); 299 static void sppp_ipcp_down(struct sppp *sp); 300 static void sppp_ipcp_open(struct sppp *sp); 301 static void sppp_ipcp_close(struct sppp *sp); 302 static void sppp_ipcp_TO(void *sp); 303 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 304 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 305 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 306 static void sppp_ipcp_tlu(struct sppp *sp); 307 static void sppp_ipcp_tld(struct sppp *sp); 308 static void sppp_ipcp_tls(struct sppp *sp); 309 static void sppp_ipcp_tlf(struct sppp *sp); 310 static void sppp_ipcp_scr(struct sppp *sp); 311 312 static void sppp_ipv6cp_init(struct sppp *sp); 313 static void sppp_ipv6cp_up(struct sppp *sp); 314 static void sppp_ipv6cp_down(struct sppp *sp); 315 static void sppp_ipv6cp_open(struct sppp *sp); 316 static void sppp_ipv6cp_close(struct sppp *sp); 317 static void sppp_ipv6cp_TO(void *sp); 318 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 319 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 320 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 321 static void sppp_ipv6cp_tlu(struct sppp *sp); 322 static void sppp_ipv6cp_tld(struct sppp *sp); 323 static void sppp_ipv6cp_tls(struct sppp *sp); 324 static void sppp_ipv6cp_tlf(struct sppp *sp); 325 static void sppp_ipv6cp_scr(struct sppp *sp); 326 327 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 328 static void sppp_pap_init(struct sppp *sp); 329 static void sppp_pap_open(struct sppp *sp); 330 static void sppp_pap_close(struct sppp *sp); 331 static void sppp_pap_TO(void *sp); 332 static void sppp_pap_my_TO(void *sp); 333 static void sppp_pap_tlu(struct sppp *sp); 334 static void sppp_pap_tld(struct sppp *sp); 335 static void sppp_pap_scr(struct sppp *sp); 336 337 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 338 static void sppp_chap_init(struct sppp *sp); 339 static void sppp_chap_open(struct sppp *sp); 340 static void sppp_chap_close(struct sppp *sp); 341 static void sppp_chap_TO(void *sp); 342 static void sppp_chap_tlu(struct sppp *sp); 343 static void sppp_chap_tld(struct sppp *sp); 344 static void sppp_chap_scr(struct sppp *sp); 345 346 static const char *sppp_auth_type_name(u_short proto, u_char type); 347 static const char *sppp_cp_type_name(u_char type); 348 static const char *sppp_dotted_quad(u_long addr); 349 static const char *sppp_ipcp_opt_name(u_char opt); 350 #ifdef INET6 351 static const char *sppp_ipv6cp_opt_name(u_char opt); 352 #endif 353 static const char *sppp_lcp_opt_name(u_char opt); 354 static const char *sppp_phase_name(enum ppp_phase phase); 355 static const char *sppp_proto_name(u_short proto); 356 static const char *sppp_state_name(int state); 357 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 358 static int sppp_strnlen(u_char *p, int max); 359 static void sppp_get_ip_addrs(struct sppp *sp, u_long *src, u_long *dst, 360 u_long *srcmask); 361 static void sppp_keepalive(void *dummy); 362 static void sppp_phase_network(struct sppp *sp); 363 static void sppp_print_bytes(const u_char *p, u_short len); 364 static void sppp_print_string(const char *p, u_short len); 365 static void sppp_set_ip_addr(struct sppp *sp, u_long src); 366 #ifdef INET6 367 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 368 struct in6_addr *dst, struct in6_addr *srcmask); 369 #ifdef IPV6CP_MYIFID_DYN 370 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 371 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 372 #endif 373 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 374 #endif 375 376 /* our control protocol descriptors */ 377 static const struct cp lcp = { 378 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 379 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 380 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 381 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 382 sppp_lcp_scr 383 }; 384 385 static const struct cp ipcp = { 386 PPP_IPCP, IDX_IPCP, CP_NCP, "ipcp", 387 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 388 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 389 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 390 sppp_ipcp_scr 391 }; 392 393 static const struct cp ipv6cp = { 394 PPP_IPV6CP, IDX_IPV6CP, 395 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 396 CP_NCP, 397 #else 398 0, 399 #endif 400 "ipv6cp", 401 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 402 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 403 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 404 sppp_ipv6cp_scr 405 }; 406 407 static const struct cp pap = { 408 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 409 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 410 sppp_pap_TO, 0, 0, 0, 411 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 412 sppp_pap_scr 413 }; 414 415 static const struct cp chap = { 416 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 417 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 418 sppp_chap_TO, 0, 0, 0, 419 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 420 sppp_chap_scr 421 }; 422 423 static const struct cp *cps[IDX_COUNT] = { 424 &lcp, /* IDX_LCP */ 425 &ipcp, /* IDX_IPCP */ 426 &ipv6cp, /* IDX_IPV6CP */ 427 &pap, /* IDX_PAP */ 428 &chap, /* IDX_CHAP */ 429 }; 430 431 static int 432 sppp_modevent(module_t mod, int type, void *unused) 433 { 434 switch (type) { 435 case MOD_LOAD: 436 callout_init(&keepalive_timeout); 437 break; 438 case MOD_UNLOAD: 439 return EACCES; 440 break; 441 default: 442 break; 443 } 444 return 0; 445 } 446 static moduledata_t spppmod = { 447 "sppp", 448 sppp_modevent, 449 0 450 }; 451 MODULE_VERSION(sppp, 1); 452 DECLARE_MODULE(sppp, spppmod, SI_SUB_DRIVERS, SI_ORDER_ANY); 453 454 /* 455 * Exported functions, comprising our interface to the lower layer. 456 */ 457 458 /* 459 * Process the received packet. 460 */ 461 void 462 sppp_input(struct ifnet *ifp, struct mbuf *m) 463 { 464 struct ppp_header *h; 465 int isr = -1; 466 struct sppp *sp = (struct sppp *)ifp; 467 u_char *iphdr; 468 int hlen, vjlen, do_account = 0; 469 int debug = ifp->if_flags & IFF_DEBUG; 470 471 if (ifp->if_flags & IFF_UP) 472 /* Count received bytes, add FCS and one flag */ 473 IFNET_STAT_INC(ifp, ibytes, m->m_pkthdr.len + 3); 474 475 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 476 /* Too small packet, drop it. */ 477 if (debug) 478 log(LOG_DEBUG, 479 SPP_FMT "input packet is too small, %d bytes\n", 480 SPP_ARGS(ifp), m->m_pkthdr.len); 481 drop: 482 m_freem (m); 483 drop2: 484 IFNET_STAT_INC(ifp, ierrors, 1); 485 IFNET_STAT_INC(ifp, iqdrops, 1); 486 return; 487 } 488 489 /* Get PPP header. */ 490 h = mtod (m, struct ppp_header*); 491 m_adj (m, PPP_HEADER_LEN); 492 493 switch (h->address) { 494 case PPP_ALLSTATIONS: 495 if (h->control != PPP_UI) 496 goto invalid; 497 if (sp->pp_mode == IFF_CISCO) { 498 if (debug) 499 log(LOG_DEBUG, 500 SPP_FMT "PPP packet in Cisco mode " 501 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 502 SPP_ARGS(ifp), 503 h->address, h->control, ntohs(h->protocol)); 504 goto drop; 505 } 506 switch (ntohs (h->protocol)) { 507 default: 508 if (debug) 509 log(LOG_DEBUG, 510 SPP_FMT "rejecting protocol " 511 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 512 SPP_ARGS(ifp), 513 h->address, h->control, ntohs(h->protocol)); 514 if (sp->state[IDX_LCP] == STATE_OPENED) 515 sppp_cp_send (sp, PPP_LCP, PROTO_REJ, 516 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 517 &h->protocol); 518 IFNET_STAT_INC(ifp, noproto, 1); 519 goto drop; 520 case PPP_LCP: 521 sppp_cp_input(&lcp, sp, m); 522 m_freem (m); 523 return; 524 case PPP_PAP: 525 if (sp->pp_phase >= PHASE_AUTHENTICATE) 526 sppp_pap_input(sp, m); 527 m_freem (m); 528 return; 529 case PPP_CHAP: 530 if (sp->pp_phase >= PHASE_AUTHENTICATE) 531 sppp_chap_input(sp, m); 532 m_freem (m); 533 return; 534 #ifdef INET 535 case PPP_IPCP: 536 if (sp->pp_phase == PHASE_NETWORK) 537 sppp_cp_input(&ipcp, sp, m); 538 m_freem (m); 539 return; 540 case PPP_IP: 541 if (sp->state[IDX_IPCP] == STATE_OPENED) { 542 isr = NETISR_IP; 543 } 544 do_account++; 545 break; 546 case PPP_VJ_COMP: 547 if (sp->state[IDX_IPCP] == STATE_OPENED) { 548 if ((vjlen = 549 sl_uncompress_tcp_core(mtod(m, u_char *), 550 m->m_len, m->m_len, 551 TYPE_COMPRESSED_TCP, 552 sp->pp_comp, 553 &iphdr, &hlen)) <= 0) { 554 if (debug) 555 log(LOG_INFO, 556 SPP_FMT "VJ uncompress failed on compressed packet\n", 557 SPP_ARGS(ifp)); 558 goto drop; 559 } 560 561 /* 562 * Trim the VJ header off the packet, and prepend 563 * the uncompressed IP header (which will usually 564 * end up in two chained mbufs since there's not 565 * enough leading space in the existing mbuf). 566 */ 567 m_adj(m, vjlen); 568 M_PREPEND(m, hlen, MB_DONTWAIT); 569 if (m == NULL) 570 goto drop2; 571 bcopy(iphdr, mtod(m, u_char *), hlen); 572 573 isr = NETISR_IP; 574 } 575 do_account++; 576 break; 577 case PPP_VJ_UCOMP: 578 if (sp->state[IDX_IPCP] == STATE_OPENED) { 579 if (sl_uncompress_tcp_core(mtod(m, u_char *), 580 m->m_len, m->m_len, 581 TYPE_UNCOMPRESSED_TCP, 582 sp->pp_comp, 583 &iphdr, &hlen) != 0) { 584 if (debug) 585 log(LOG_INFO, 586 SPP_FMT "VJ uncompress failed on uncompressed packet\n", 587 SPP_ARGS(ifp)); 588 goto drop; 589 } 590 isr = NETISR_IP; 591 } 592 do_account++; 593 break; 594 #endif 595 #ifdef INET6 596 case PPP_IPV6CP: 597 if (sp->pp_phase == PHASE_NETWORK) 598 sppp_cp_input(&ipv6cp, sp, m); 599 m_freem (m); 600 return; 601 602 case PPP_IPV6: 603 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 604 isr = NETISR_IPV6; 605 } 606 do_account++; 607 break; 608 #endif 609 #ifdef IPX 610 case PPP_IPX: 611 /* IPX IPXCP not implemented yet */ 612 if (sp->pp_phase == PHASE_NETWORK) { 613 isr = NETISR_IPX; 614 } 615 do_account++; 616 break; 617 #endif 618 } 619 break; 620 case CISCO_MULTICAST: 621 case CISCO_UNICAST: 622 /* Don't check the control field here (RFC 1547). */ 623 if (sp->pp_mode != IFF_CISCO) { 624 if (debug) 625 log(LOG_DEBUG, 626 SPP_FMT "Cisco packet in PPP mode " 627 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 628 SPP_ARGS(ifp), 629 h->address, h->control, ntohs(h->protocol)); 630 goto drop; 631 } 632 switch (ntohs (h->protocol)) { 633 default: 634 IFNET_STAT_INC(ifp, noproto, 1); 635 goto invalid; 636 case CISCO_KEEPALIVE: 637 sppp_cisco_input ((struct sppp*) ifp, m); 638 m_freem (m); 639 return; 640 #ifdef INET 641 case ETHERTYPE_IP: 642 isr = NETISR_IP; 643 do_account++; 644 break; 645 #endif 646 #ifdef INET6 647 case ETHERTYPE_IPV6: 648 isr = NETISR_IPV6; 649 do_account++; 650 break; 651 #endif 652 #ifdef IPX 653 case ETHERTYPE_IPX: 654 isr = NETISR_IPX; 655 do_account++; 656 break; 657 #endif 658 } 659 break; 660 default: /* Invalid PPP packet. */ 661 invalid: 662 if (debug) 663 log(LOG_DEBUG, 664 SPP_FMT "invalid input packet " 665 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 666 SPP_ARGS(ifp), 667 h->address, h->control, ntohs(h->protocol)); 668 goto drop; 669 } 670 671 if (! (ifp->if_flags & IFF_UP) || isr < 0) 672 goto drop; 673 674 /* Check queue. */ 675 676 netisr_queue(isr, m); 677 678 /* 679 * Do only account for network packets, not for control 680 * packets. This is used by some subsystems to detect 681 * idle lines. 682 */ 683 if (do_account) 684 sp->pp_last_recv = time_uptime; 685 } 686 687 /* 688 * Enqueue transmit packet. 689 */ 690 static int 691 sppp_output_serialized(struct ifnet *ifp, struct ifaltq_subque *ifsq, 692 struct mbuf *m, struct sockaddr *dst, struct rtentry *rt) 693 { 694 struct sppp *sp = (struct sppp*) ifp; 695 struct ppp_header *h; 696 struct ifqueue *ifq = NULL; 697 int rv = 0; 698 int ipproto = PPP_IP; 699 int debug = ifp->if_flags & IFF_DEBUG; 700 struct altq_pktattr pktattr; 701 702 crit_enter(); 703 704 if ((ifp->if_flags & IFF_UP) == 0 || 705 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 706 #ifdef INET6 707 drop: 708 #endif 709 m_freem (m); 710 crit_exit(); 711 return (ENETDOWN); 712 } 713 714 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 715 #ifdef INET6 716 /* 717 * XXX 718 * 719 * Hack to prevent the initialization-time generated 720 * IPv6 multicast packet to erroneously cause a 721 * dialout event in case IPv6 has been 722 * administratively disabled on that interface. 723 */ 724 if (dst->sa_family == AF_INET6 && 725 !(sp->confflags & CONF_ENABLE_IPV6)) 726 goto drop; 727 #endif 728 /* 729 * Interface is not yet running, but auto-dial. Need 730 * to start LCP for it. 731 */ 732 ifp->if_flags |= IFF_RUNNING; 733 crit_exit(); 734 lcp.Open(sp); 735 crit_enter(); 736 } 737 738 /* 739 * if the queueing discipline needs packet classification, 740 * do it before prepending link headers. 741 */ 742 ifq_classify(&ifp->if_snd, m, dst->sa_family, &pktattr); 743 744 #ifdef INET 745 if (dst->sa_family == AF_INET) { 746 /* XXX Check mbuf length here? */ 747 struct ip *ip = mtod (m, struct ip*); 748 struct tcphdr *tcp = (struct tcphdr*) ((long*)ip + ip->ip_hl); 749 750 /* 751 * When using dynamic local IP address assignment by using 752 * 0.0.0.0 as a local address, the first TCP session will 753 * not connect because the local TCP checksum is computed 754 * using 0.0.0.0 which will later become our real IP address 755 * so the TCP checksum computed at the remote end will 756 * become invalid. So we 757 * - don't let packets with src ip addr 0 thru 758 * - we flag TCP packets with src ip 0 as an error 759 */ 760 761 if(ip->ip_src.s_addr == INADDR_ANY) /* -hm */ 762 { 763 m_freem(m); 764 crit_exit(); 765 if(ip->ip_p == IPPROTO_TCP) 766 return(EADDRNOTAVAIL); 767 else 768 return(0); 769 } 770 771 /* 772 * Put low delay, telnet, rlogin and ftp control packets 773 * in front of the queue. 774 */ 775 if (IF_QFULL (&sp->pp_fastq)) 776 ; 777 else if (ip->ip_tos & IPTOS_LOWDELAY) 778 ifq = &sp->pp_fastq; 779 else if (m->m_len < sizeof *ip + sizeof *tcp) 780 ; 781 else if (ip->ip_p != IPPROTO_TCP) 782 ; 783 else if (INTERACTIVE (ntohs (tcp->th_sport))) 784 ifq = &sp->pp_fastq; 785 else if (INTERACTIVE (ntohs (tcp->th_dport))) 786 ifq = &sp->pp_fastq; 787 788 /* 789 * Do IP Header compression 790 */ 791 if (sp->pp_mode != IFF_CISCO && (sp->ipcp.flags & IPCP_VJ) && 792 ip->ip_p == IPPROTO_TCP) 793 switch (sl_compress_tcp(m, ip, sp->pp_comp, 794 sp->ipcp.compress_cid)) { 795 case TYPE_COMPRESSED_TCP: 796 ipproto = PPP_VJ_COMP; 797 break; 798 case TYPE_UNCOMPRESSED_TCP: 799 ipproto = PPP_VJ_UCOMP; 800 break; 801 case TYPE_IP: 802 ipproto = PPP_IP; 803 break; 804 default: 805 m_freem(m); 806 crit_exit(); 807 return (EINVAL); 808 } 809 } 810 #endif 811 812 #ifdef INET6 813 if (dst->sa_family == AF_INET6) { 814 /* XXX do something tricky here? */ 815 } 816 #endif 817 818 /* 819 * Prepend general data packet PPP header. For now, IP only. 820 */ 821 M_PREPEND (m, PPP_HEADER_LEN, MB_DONTWAIT); 822 if (! m) { 823 if (debug) 824 log(LOG_DEBUG, SPP_FMT "no memory for transmit header\n", 825 SPP_ARGS(ifp)); 826 IFNET_STAT_INC(ifp, oerrors, 1); 827 crit_exit(); 828 return (ENOBUFS); 829 } 830 /* 831 * May want to check size of packet 832 * (albeit due to the implementation it's always enough) 833 */ 834 h = mtod (m, struct ppp_header*); 835 if (sp->pp_mode == IFF_CISCO) { 836 h->address = CISCO_UNICAST; /* unicast address */ 837 h->control = 0; 838 } else { 839 h->address = PPP_ALLSTATIONS; /* broadcast address */ 840 h->control = PPP_UI; /* Unnumbered Info */ 841 } 842 843 switch (dst->sa_family) { 844 #ifdef INET 845 case AF_INET: /* Internet Protocol */ 846 if (sp->pp_mode == IFF_CISCO) 847 h->protocol = htons (ETHERTYPE_IP); 848 else { 849 /* 850 * Don't choke with an ENETDOWN early. It's 851 * possible that we just started dialing out, 852 * so don't drop the packet immediately. If 853 * we notice that we run out of buffer space 854 * below, we will however remember that we are 855 * not ready to carry IP packets, and return 856 * ENETDOWN, as opposed to ENOBUFS. 857 */ 858 h->protocol = htons(ipproto); 859 if (sp->state[IDX_IPCP] != STATE_OPENED) 860 rv = ENETDOWN; 861 } 862 break; 863 #endif 864 #ifdef INET6 865 case AF_INET6: /* Internet Protocol */ 866 if (sp->pp_mode == IFF_CISCO) 867 h->protocol = htons (ETHERTYPE_IPV6); 868 else { 869 /* 870 * Don't choke with an ENETDOWN early. It's 871 * possible that we just started dialing out, 872 * so don't drop the packet immediately. If 873 * we notice that we run out of buffer space 874 * below, we will however remember that we are 875 * not ready to carry IP packets, and return 876 * ENETDOWN, as opposed to ENOBUFS. 877 */ 878 h->protocol = htons(PPP_IPV6); 879 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 880 rv = ENETDOWN; 881 } 882 break; 883 #endif 884 #ifdef IPX 885 case AF_IPX: /* Novell IPX Protocol */ 886 h->protocol = htons (sp->pp_mode == IFF_CISCO ? 887 ETHERTYPE_IPX : PPP_IPX); 888 break; 889 #endif 890 default: 891 m_freem (m); 892 IFNET_STAT_INC(ifp, oerrors, 1); 893 crit_exit(); 894 return (EAFNOSUPPORT); 895 } 896 897 /* 898 * Queue message on interface, and start output if interface 899 * not yet active. 900 */ 901 if (ifq != NULL) { 902 if (IF_QFULL(ifq)) { 903 IF_DROP(ifq); 904 m_freem(m); 905 rv = ENOBUFS; 906 } else { 907 IF_ENQUEUE(ifq, m); 908 rv = 0; 909 } 910 } else { 911 rv = ifsq_enqueue(ifsq, m, &pktattr); 912 } 913 if (rv) { 914 IFNET_STAT_INC(ifp, oerrors, 1); 915 crit_exit(); 916 return(rv); 917 } 918 if (!ifsq_is_oactive(ifsq)) 919 (*ifp->if_start) (ifp, ifsq); 920 921 /* 922 * Count output packets and bytes. 923 * The packet length includes header, FCS and 1 flag, 924 * according to RFC 1333. 925 */ 926 IFNET_STAT_INC(ifp, obytes, m->m_pkthdr.len + 3); 927 928 /* 929 * Unlike in sppp_input(), we can always bump the timestamp 930 * here since sppp_output() is only called on behalf of 931 * network-layer traffic; control-layer traffic is handled 932 * by sppp_cp_send(). 933 */ 934 sp->pp_last_sent = time_uptime; 935 936 crit_exit(); 937 return (0); 938 } 939 940 static int 941 sppp_output(struct ifnet *ifp, struct mbuf *m, 942 struct sockaddr *dst, struct rtentry *rt) 943 { 944 struct ifaltq_subque *ifsq = ifq_get_subq_default(&ifp->if_snd); 945 int error; 946 947 ifsq_serialize_hw(ifsq); 948 error = sppp_output_serialized(ifp, ifsq, m, dst, rt); 949 ifsq_deserialize_hw(ifsq); 950 951 return error; 952 } 953 954 void 955 sppp_attach(struct ifnet *ifp) 956 { 957 struct sppp *sp = (struct sppp*) ifp; 958 959 /* Initialize keepalive handler. */ 960 if (!spppq) { 961 callout_reset(&keepalive_timeout, hz * 10, 962 sppp_keepalive, NULL); 963 } 964 /* Insert new entry into the keepalive list. */ 965 sp->pp_next = spppq; 966 spppq = sp; 967 968 sp->pp_if.if_mtu = PP_MTU; 969 sp->pp_if.if_flags = IFF_POINTOPOINT | IFF_MULTICAST; 970 sp->pp_if.if_type = IFT_PPP; 971 sp->pp_if.if_output = sppp_output; 972 #if 0 973 sp->pp_flags = PP_KEEPALIVE; 974 #endif 975 ifq_set_maxlen(&sp->pp_if.if_snd, 32); 976 sp->pp_fastq.ifq_maxlen = 32; 977 sp->pp_cpq.ifq_maxlen = 20; 978 sp->pp_loopcnt = 0; 979 sp->pp_alivecnt = 0; 980 bzero(&sp->pp_seq[0], sizeof(sp->pp_seq)); 981 bzero(&sp->pp_rseq[0], sizeof(sp->pp_rseq)); 982 sp->pp_phase = PHASE_DEAD; 983 sp->pp_up = lcp.Up; 984 sp->pp_down = lcp.Down; 985 sp->pp_last_recv = sp->pp_last_sent = time_uptime; 986 sp->confflags = 0; 987 #ifdef INET 988 sp->confflags |= CONF_ENABLE_VJ; 989 #endif 990 #ifdef INET6 991 sp->confflags |= CONF_ENABLE_IPV6; 992 #endif 993 sp->pp_comp = kmalloc(sizeof(struct slcompress), M_TEMP, M_WAITOK); 994 sl_compress_init(sp->pp_comp, -1); 995 sppp_lcp_init(sp); 996 sppp_ipcp_init(sp); 997 sppp_ipv6cp_init(sp); 998 sppp_pap_init(sp); 999 sppp_chap_init(sp); 1000 } 1001 1002 void 1003 sppp_detach(struct ifnet *ifp) 1004 { 1005 struct sppp **q, *p, *sp = (struct sppp*) ifp; 1006 int i; 1007 1008 /* Remove the entry from the keepalive list. */ 1009 for (q = &spppq; (p = *q); q = &p->pp_next) 1010 if (p == sp) { 1011 *q = p->pp_next; 1012 break; 1013 } 1014 1015 /* Stop keepalive handler. */ 1016 if (!spppq) 1017 callout_stop(&keepalive_timeout); 1018 1019 for (i = 0; i < IDX_COUNT; i++) 1020 callout_stop(&sp->timeout[i]); 1021 callout_stop(&sp->pap_my_to); 1022 } 1023 1024 /* 1025 * Flush the interface output queue. 1026 */ 1027 void 1028 sppp_flush(struct ifnet *ifp) 1029 { 1030 struct sppp *sp = (struct sppp*) ifp; 1031 1032 ifq_purge_all(&sp->pp_if.if_snd); 1033 IF_DRAIN(&sp->pp_fastq); 1034 IF_DRAIN(&sp->pp_cpq); 1035 } 1036 1037 /* 1038 * Check if the output queue is empty. 1039 */ 1040 int 1041 sppp_isempty(struct ifnet *ifp) 1042 { 1043 struct sppp *sp = (struct sppp*) ifp; 1044 int empty; 1045 1046 crit_enter(); 1047 empty = IF_QEMPTY(&sp->pp_fastq) && IF_QEMPTY(&sp->pp_cpq) && 1048 ifsq_is_empty(ifq_get_subq_default(&sp->pp_if.if_snd)); 1049 crit_exit(); 1050 return (empty); 1051 } 1052 1053 /* 1054 * Get next packet to send. 1055 */ 1056 struct mbuf * 1057 sppp_dequeue(struct ifnet *ifp) 1058 { 1059 struct sppp *sp = (struct sppp*) ifp; 1060 struct mbuf *m; 1061 1062 crit_enter(); 1063 1064 /* 1065 * Process only the control protocol queue until we have at 1066 * least one NCP open. 1067 * 1068 * Do always serve all three queues in Cisco mode. 1069 */ 1070 IF_DEQUEUE(&sp->pp_cpq, m); 1071 if (m == NULL && 1072 (sppp_ncp_check(sp) || sp->pp_mode == IFF_CISCO)) { 1073 IF_DEQUEUE(&sp->pp_fastq, m); 1074 if (m == NULL) { 1075 m = ifsq_dequeue( 1076 ifq_get_subq_default(&sp->pp_if.if_snd)); 1077 } 1078 } 1079 1080 crit_exit(); 1081 return m; 1082 } 1083 1084 /* 1085 * Pick the next packet, do not remove it from the queue. 1086 */ 1087 struct mbuf * 1088 sppp_pick(struct ifnet *ifp) 1089 { 1090 struct sppp *sp = (struct sppp*)ifp; 1091 struct mbuf *m; 1092 1093 crit_enter(); 1094 1095 m = sp->pp_cpq.ifq_head; 1096 if (m == NULL && 1097 (sp->pp_phase == PHASE_NETWORK || sp->pp_mode == IFF_CISCO)) { 1098 if ((m = sp->pp_fastq.ifq_head) == NULL) 1099 m = ifsq_poll(ifq_get_subq_default(&sp->pp_if.if_snd)); 1100 } 1101 1102 crit_exit(); 1103 return (m); 1104 } 1105 1106 /* 1107 * Process an ioctl request. Called on low priority level. 1108 */ 1109 int 1110 sppp_ioctl(struct ifnet *ifp, IOCTL_CMD_T cmd, void *data) 1111 { 1112 struct ifreq *ifr = (struct ifreq*) data; 1113 struct sppp *sp = (struct sppp*) ifp; 1114 int rv, going_up, going_down, newmode; 1115 1116 crit_enter(); 1117 1118 rv = 0; 1119 switch (cmd) { 1120 case SIOCAIFADDR: 1121 case SIOCSIFDSTADDR: 1122 break; 1123 1124 case SIOCSIFADDR: 1125 /* set the interface "up" when assigning an IP address */ 1126 ifp->if_flags |= IFF_UP; 1127 /* fall through... */ 1128 1129 case SIOCSIFFLAGS: 1130 going_up = ifp->if_flags & IFF_UP && 1131 (ifp->if_flags & IFF_RUNNING) == 0; 1132 going_down = (ifp->if_flags & IFF_UP) == 0 && 1133 ifp->if_flags & IFF_RUNNING; 1134 1135 newmode = ifp->if_flags & IFF_PASSIVE; 1136 if (!newmode) 1137 newmode = ifp->if_flags & IFF_AUTO; 1138 if (!newmode) 1139 newmode = ifp->if_flags & IFF_CISCO; 1140 ifp->if_flags &= ~(IFF_PASSIVE | IFF_AUTO | IFF_CISCO); 1141 ifp->if_flags |= newmode; 1142 1143 if (newmode != sp->pp_mode) { 1144 going_down = 1; 1145 if (!going_up) 1146 going_up = ifp->if_flags & IFF_RUNNING; 1147 } 1148 1149 if (going_down) { 1150 if (sp->pp_mode != IFF_CISCO) 1151 lcp.Close(sp); 1152 else if (sp->pp_tlf) 1153 (sp->pp_tlf)(sp); 1154 sppp_flush(ifp); 1155 ifp->if_flags &= ~IFF_RUNNING; 1156 sp->pp_mode = newmode; 1157 } 1158 1159 if (going_up) { 1160 if (sp->pp_mode != IFF_CISCO) 1161 lcp.Close(sp); 1162 sp->pp_mode = newmode; 1163 if (sp->pp_mode == 0) { 1164 ifp->if_flags |= IFF_RUNNING; 1165 lcp.Open(sp); 1166 } 1167 if (sp->pp_mode == IFF_CISCO) { 1168 if (sp->pp_tls) 1169 (sp->pp_tls)(sp); 1170 ifp->if_flags |= IFF_RUNNING; 1171 } 1172 } 1173 1174 break; 1175 1176 #ifdef SIOCSIFMTU 1177 #ifndef ifr_mtu 1178 #define ifr_mtu ifr_metric 1179 #endif 1180 case SIOCSIFMTU: 1181 if (ifr->ifr_mtu < 128 || ifr->ifr_mtu > sp->lcp.their_mru) 1182 return (EINVAL); 1183 ifp->if_mtu = ifr->ifr_mtu; 1184 break; 1185 #endif 1186 #ifdef SLIOCSETMTU 1187 case SLIOCSETMTU: 1188 if (*(short*)data < 128 || *(short*)data > sp->lcp.their_mru) 1189 return (EINVAL); 1190 ifp->if_mtu = *(short*)data; 1191 break; 1192 #endif 1193 #ifdef SIOCGIFMTU 1194 case SIOCGIFMTU: 1195 ifr->ifr_mtu = ifp->if_mtu; 1196 break; 1197 #endif 1198 #ifdef SLIOCGETMTU 1199 case SLIOCGETMTU: 1200 *(short*)data = ifp->if_mtu; 1201 break; 1202 #endif 1203 case SIOCADDMULTI: 1204 case SIOCDELMULTI: 1205 break; 1206 1207 case SIOCGIFGENERIC: 1208 case SIOCSIFGENERIC: 1209 rv = sppp_params(sp, cmd, data); 1210 break; 1211 1212 default: 1213 rv = ENOTTY; 1214 } 1215 1216 crit_exit(); 1217 return rv; 1218 } 1219 1220 /* 1221 * Cisco framing implementation. 1222 */ 1223 1224 /* 1225 * Handle incoming Cisco keepalive protocol packets. 1226 */ 1227 static void 1228 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1229 { 1230 STDDCL; 1231 struct cisco_packet *h; 1232 u_long me, mymask; 1233 1234 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1235 if (debug) 1236 log(LOG_DEBUG, 1237 SPP_FMT "cisco invalid packet length: %d bytes\n", 1238 SPP_ARGS(ifp), m->m_pkthdr.len); 1239 return; 1240 } 1241 h = mtod (m, struct cisco_packet*); 1242 if (debug) 1243 log(LOG_DEBUG, 1244 SPP_FMT "cisco input: %d bytes " 1245 "<0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n", 1246 SPP_ARGS(ifp), m->m_pkthdr.len, 1247 (u_long)ntohl (h->type), h->par1, h->par2, (u_int)h->rel, 1248 (u_int)h->time0, (u_int)h->time1); 1249 switch (ntohl (h->type)) { 1250 default: 1251 if (debug) 1252 log(-1, SPP_FMT "cisco unknown packet type: 0x%lx\n", 1253 SPP_ARGS(ifp), (u_long)ntohl (h->type)); 1254 break; 1255 case CISCO_ADDR_REPLY: 1256 /* Reply on address request, ignore */ 1257 break; 1258 case CISCO_KEEPALIVE_REQ: 1259 sp->pp_alivecnt = 0; 1260 sp->pp_rseq[IDX_LCP] = ntohl (h->par1); 1261 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1262 /* Local and remote sequence numbers are equal. 1263 * Probably, the line is in loopback mode. */ 1264 if (sp->pp_loopcnt >= MAXALIVECNT) { 1265 kprintf (SPP_FMT "loopback\n", 1266 SPP_ARGS(ifp)); 1267 sp->pp_loopcnt = 0; 1268 if (ifp->if_flags & IFF_UP) { 1269 if_down (ifp); 1270 IF_DRAIN(&sp->pp_cpq); 1271 } 1272 } 1273 ++sp->pp_loopcnt; 1274 1275 /* Generate new local sequence number */ 1276 sp->pp_seq[IDX_LCP] = krandom(); 1277 break; 1278 } 1279 sp->pp_loopcnt = 0; 1280 if (! (ifp->if_flags & IFF_UP) && 1281 (ifp->if_flags & IFF_RUNNING)) { 1282 if_up(ifp); 1283 kprintf (SPP_FMT "up\n", SPP_ARGS(ifp)); 1284 } 1285 break; 1286 case CISCO_ADDR_REQ: 1287 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1288 if (me != 0L) 1289 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1290 break; 1291 } 1292 } 1293 1294 /* 1295 * Send Cisco keepalive packet. 1296 */ 1297 static void 1298 sppp_cisco_send(struct sppp *sp, int type, long par1, long par2) 1299 { 1300 STDDCL; 1301 struct ppp_header *h; 1302 struct cisco_packet *ch; 1303 struct mbuf *m; 1304 struct timeval tv; 1305 struct ifaltq_subque *ifsq; 1306 1307 getmicrouptime(&tv); 1308 1309 MGETHDR (m, MB_DONTWAIT, MT_DATA); 1310 if (! m) 1311 return; 1312 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1313 m->m_pkthdr.rcvif = 0; 1314 1315 h = mtod (m, struct ppp_header*); 1316 h->address = CISCO_MULTICAST; 1317 h->control = 0; 1318 h->protocol = htons (CISCO_KEEPALIVE); 1319 1320 ch = (struct cisco_packet*) (h + 1); 1321 ch->type = htonl (type); 1322 ch->par1 = htonl (par1); 1323 ch->par2 = htonl (par2); 1324 ch->rel = -1; 1325 1326 ch->time0 = htons ((u_short) (tv.tv_sec >> 16)); 1327 ch->time1 = htons ((u_short) tv.tv_sec); 1328 1329 if (debug) 1330 log(LOG_DEBUG, 1331 SPP_FMT "cisco output: <0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n", 1332 SPP_ARGS(ifp), (u_long)ntohl (ch->type), ch->par1, 1333 ch->par2, (u_int)ch->rel, (u_int)ch->time0, (u_int)ch->time1); 1334 1335 if (IF_QFULL (&sp->pp_cpq)) { 1336 IF_DROP (&sp->pp_fastq); 1337 m_freem (m); 1338 } else 1339 IF_ENQUEUE (&sp->pp_cpq, m); 1340 ifsq = ifq_get_subq_default(&ifp->if_snd); 1341 if (!ifsq_is_oactive(ifsq)) 1342 (*ifp->if_start) (ifp, ifsq); 1343 IFNET_STAT_INC(ifp, obytes, m->m_pkthdr.len + 3); 1344 } 1345 1346 /* 1347 * PPP protocol implementation. 1348 */ 1349 1350 /* 1351 * Send PPP control protocol packet. 1352 */ 1353 static void 1354 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1355 u_char ident, u_short len, void *data) 1356 { 1357 STDDCL; 1358 struct ppp_header *h; 1359 struct lcp_header *lh; 1360 struct mbuf *m; 1361 struct ifaltq_subque *ifsq; 1362 1363 if (len > MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN) 1364 len = MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN; 1365 MGETHDR (m, MB_DONTWAIT, MT_DATA); 1366 if (! m) 1367 return; 1368 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + LCP_HEADER_LEN + len; 1369 m->m_pkthdr.rcvif = 0; 1370 1371 h = mtod (m, struct ppp_header*); 1372 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1373 h->control = PPP_UI; /* Unnumbered Info */ 1374 h->protocol = htons (proto); /* Link Control Protocol */ 1375 1376 lh = (struct lcp_header*) (h + 1); 1377 lh->type = type; 1378 lh->ident = ident; 1379 lh->len = htons (LCP_HEADER_LEN + len); 1380 if (len) 1381 bcopy (data, lh+1, len); 1382 1383 if (debug) { 1384 log(LOG_DEBUG, SPP_FMT "%s output <%s id=0x%x len=%d", 1385 SPP_ARGS(ifp), 1386 sppp_proto_name(proto), 1387 sppp_cp_type_name (lh->type), lh->ident, 1388 ntohs (lh->len)); 1389 sppp_print_bytes ((u_char*) (lh+1), len); 1390 log(-1, ">\n"); 1391 } 1392 if (IF_QFULL (&sp->pp_cpq)) { 1393 IF_DROP (&sp->pp_fastq); 1394 m_freem (m); 1395 IFNET_STAT_INC(ifp, oerrors, 1); 1396 } else 1397 IF_ENQUEUE (&sp->pp_cpq, m); 1398 ifsq = ifq_get_subq_default(&ifp->if_snd); 1399 if (!ifsq_is_oactive(ifsq)) 1400 (*ifp->if_start) (ifp, ifsq); 1401 IFNET_STAT_INC(ifp, obytes, m->m_pkthdr.len + 3); 1402 } 1403 1404 /* 1405 * Handle incoming PPP control protocol packets. 1406 */ 1407 static void 1408 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1409 { 1410 STDDCL; 1411 struct lcp_header *h; 1412 int printlen, len = m->m_pkthdr.len; 1413 int rv; 1414 u_char *p; 1415 1416 if (len < 4) { 1417 if (debug) 1418 log(LOG_DEBUG, 1419 SPP_FMT "%s invalid packet length: %d bytes\n", 1420 SPP_ARGS(ifp), cp->name, len); 1421 return; 1422 } 1423 h = mtod (m, struct lcp_header*); 1424 if (debug) { 1425 printlen = ntohs(h->len); 1426 log(LOG_DEBUG, 1427 SPP_FMT "%s input(%s): <%s id=0x%x len=%d", 1428 SPP_ARGS(ifp), cp->name, 1429 sppp_state_name(sp->state[cp->protoidx]), 1430 sppp_cp_type_name (h->type), h->ident, printlen); 1431 if (len < printlen) 1432 printlen = len; 1433 if (printlen > 4) 1434 sppp_print_bytes ((u_char*) (h+1), printlen - 4); 1435 log(-1, ">\n"); 1436 } 1437 if (len > ntohs (h->len)) 1438 len = ntohs (h->len); 1439 p = (u_char *)(h + 1); 1440 switch (h->type) { 1441 case CONF_REQ: 1442 if (len < 4) { 1443 if (debug) 1444 log(-1, SPP_FMT "%s invalid conf-req length %d\n", 1445 SPP_ARGS(ifp), cp->name, 1446 len); 1447 IFNET_STAT_INC(ifp, ierrors, 1); 1448 break; 1449 } 1450 /* handle states where RCR doesn't get a SCA/SCN */ 1451 switch (sp->state[cp->protoidx]) { 1452 case STATE_CLOSING: 1453 case STATE_STOPPING: 1454 return; 1455 case STATE_CLOSED: 1456 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1457 0, 0); 1458 return; 1459 } 1460 rv = (cp->RCR)(sp, h, len); 1461 if (rv < 0) { 1462 /* fatal error, shut down */ 1463 (cp->tld)(sp); 1464 sppp_lcp_tlf(sp); 1465 return; 1466 } 1467 switch (sp->state[cp->protoidx]) { 1468 case STATE_OPENED: 1469 (cp->tld)(sp); 1470 (cp->scr)(sp); 1471 /* fall through... */ 1472 case STATE_ACK_SENT: 1473 case STATE_REQ_SENT: 1474 /* 1475 * sppp_cp_change_state() have the side effect of 1476 * restarting the timeouts. We want to avoid that 1477 * if the state don't change, otherwise we won't 1478 * ever timeout and resend a configuration request 1479 * that got lost. 1480 */ 1481 if (sp->state[cp->protoidx] == (rv ? STATE_ACK_SENT: 1482 STATE_REQ_SENT)) 1483 break; 1484 sppp_cp_change_state(cp, sp, rv? 1485 STATE_ACK_SENT: STATE_REQ_SENT); 1486 break; 1487 case STATE_STOPPED: 1488 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1489 (cp->scr)(sp); 1490 sppp_cp_change_state(cp, sp, rv? 1491 STATE_ACK_SENT: STATE_REQ_SENT); 1492 break; 1493 case STATE_ACK_RCVD: 1494 if (rv) { 1495 sppp_cp_change_state(cp, sp, STATE_OPENED); 1496 if (debug) 1497 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 1498 SPP_ARGS(ifp), 1499 cp->name); 1500 (cp->tlu)(sp); 1501 } else 1502 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1503 break; 1504 default: 1505 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1506 SPP_ARGS(ifp), cp->name, 1507 sppp_cp_type_name(h->type), 1508 sppp_state_name(sp->state[cp->protoidx])); 1509 IFNET_STAT_INC(ifp, ierrors, 1); 1510 } 1511 break; 1512 case CONF_ACK: 1513 if (h->ident != sp->confid[cp->protoidx]) { 1514 if (debug) 1515 log(-1, SPP_FMT "%s id mismatch 0x%x != 0x%x\n", 1516 SPP_ARGS(ifp), cp->name, 1517 h->ident, sp->confid[cp->protoidx]); 1518 IFNET_STAT_INC(ifp, ierrors, 1); 1519 break; 1520 } 1521 switch (sp->state[cp->protoidx]) { 1522 case STATE_CLOSED: 1523 case STATE_STOPPED: 1524 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1525 break; 1526 case STATE_CLOSING: 1527 case STATE_STOPPING: 1528 break; 1529 case STATE_REQ_SENT: 1530 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1531 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1532 break; 1533 case STATE_OPENED: 1534 (cp->tld)(sp); 1535 /* fall through */ 1536 case STATE_ACK_RCVD: 1537 (cp->scr)(sp); 1538 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1539 break; 1540 case STATE_ACK_SENT: 1541 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1542 sppp_cp_change_state(cp, sp, STATE_OPENED); 1543 if (debug) 1544 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 1545 SPP_ARGS(ifp), cp->name); 1546 (cp->tlu)(sp); 1547 break; 1548 default: 1549 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1550 SPP_ARGS(ifp), cp->name, 1551 sppp_cp_type_name(h->type), 1552 sppp_state_name(sp->state[cp->protoidx])); 1553 IFNET_STAT_INC(ifp, ierrors, 1); 1554 } 1555 break; 1556 case CONF_NAK: 1557 case CONF_REJ: 1558 if (h->ident != sp->confid[cp->protoidx]) { 1559 if (debug) 1560 log(-1, SPP_FMT "%s id mismatch 0x%x != 0x%x\n", 1561 SPP_ARGS(ifp), cp->name, 1562 h->ident, sp->confid[cp->protoidx]); 1563 IFNET_STAT_INC(ifp, ierrors, 1); 1564 break; 1565 } 1566 if (h->type == CONF_NAK) 1567 (cp->RCN_nak)(sp, h, len); 1568 else /* CONF_REJ */ 1569 (cp->RCN_rej)(sp, h, len); 1570 1571 switch (sp->state[cp->protoidx]) { 1572 case STATE_CLOSED: 1573 case STATE_STOPPED: 1574 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1575 break; 1576 case STATE_REQ_SENT: 1577 case STATE_ACK_SENT: 1578 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1579 /* 1580 * Slow things down a bit if we think we might be 1581 * in loopback. Depend on the timeout to send the 1582 * next configuration request. 1583 */ 1584 if (sp->pp_loopcnt) 1585 break; 1586 (cp->scr)(sp); 1587 break; 1588 case STATE_OPENED: 1589 (cp->tld)(sp); 1590 /* fall through */ 1591 case STATE_ACK_RCVD: 1592 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1593 (cp->scr)(sp); 1594 break; 1595 case STATE_CLOSING: 1596 case STATE_STOPPING: 1597 break; 1598 default: 1599 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1600 SPP_ARGS(ifp), cp->name, 1601 sppp_cp_type_name(h->type), 1602 sppp_state_name(sp->state[cp->protoidx])); 1603 IFNET_STAT_INC(ifp, ierrors, 1); 1604 } 1605 break; 1606 1607 case TERM_REQ: 1608 switch (sp->state[cp->protoidx]) { 1609 case STATE_ACK_RCVD: 1610 case STATE_ACK_SENT: 1611 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1612 /* fall through */ 1613 case STATE_CLOSED: 1614 case STATE_STOPPED: 1615 case STATE_CLOSING: 1616 case STATE_STOPPING: 1617 case STATE_REQ_SENT: 1618 sta: 1619 /* Send Terminate-Ack packet. */ 1620 if (debug) 1621 log(LOG_DEBUG, SPP_FMT "%s send terminate-ack\n", 1622 SPP_ARGS(ifp), cp->name); 1623 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1624 break; 1625 case STATE_OPENED: 1626 (cp->tld)(sp); 1627 sp->rst_counter[cp->protoidx] = 0; 1628 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1629 goto sta; 1630 break; 1631 default: 1632 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1633 SPP_ARGS(ifp), cp->name, 1634 sppp_cp_type_name(h->type), 1635 sppp_state_name(sp->state[cp->protoidx])); 1636 IFNET_STAT_INC(ifp, ierrors, 1); 1637 } 1638 break; 1639 case TERM_ACK: 1640 switch (sp->state[cp->protoidx]) { 1641 case STATE_CLOSED: 1642 case STATE_STOPPED: 1643 case STATE_REQ_SENT: 1644 case STATE_ACK_SENT: 1645 break; 1646 case STATE_CLOSING: 1647 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1648 (cp->tlf)(sp); 1649 break; 1650 case STATE_STOPPING: 1651 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1652 (cp->tlf)(sp); 1653 break; 1654 case STATE_ACK_RCVD: 1655 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1656 break; 1657 case STATE_OPENED: 1658 (cp->tld)(sp); 1659 (cp->scr)(sp); 1660 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1661 break; 1662 default: 1663 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1664 SPP_ARGS(ifp), cp->name, 1665 sppp_cp_type_name(h->type), 1666 sppp_state_name(sp->state[cp->protoidx])); 1667 IFNET_STAT_INC(ifp, ierrors, 1); 1668 } 1669 break; 1670 case CODE_REJ: 1671 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1672 log(LOG_INFO, 1673 SPP_FMT "%s: ignoring RXJ (%s) for proto 0x%x, " 1674 "danger will robinson\n", 1675 SPP_ARGS(ifp), cp->name, 1676 sppp_cp_type_name(h->type), ntohs(*((u_short *)p))); 1677 switch (sp->state[cp->protoidx]) { 1678 case STATE_CLOSED: 1679 case STATE_STOPPED: 1680 case STATE_REQ_SENT: 1681 case STATE_ACK_SENT: 1682 case STATE_CLOSING: 1683 case STATE_STOPPING: 1684 case STATE_OPENED: 1685 break; 1686 case STATE_ACK_RCVD: 1687 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1688 break; 1689 default: 1690 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1691 SPP_ARGS(ifp), cp->name, 1692 sppp_cp_type_name(h->type), 1693 sppp_state_name(sp->state[cp->protoidx])); 1694 IFNET_STAT_INC(ifp, ierrors, 1); 1695 } 1696 break; 1697 case PROTO_REJ: 1698 { 1699 int catastrophic; 1700 const struct cp *upper; 1701 int i; 1702 u_int16_t proto; 1703 1704 catastrophic = 0; 1705 upper = NULL; 1706 proto = ntohs(*((u_int16_t *)p)); 1707 for (i = 0; i < IDX_COUNT; i++) { 1708 if (cps[i]->proto == proto) { 1709 upper = cps[i]; 1710 break; 1711 } 1712 } 1713 if (upper == NULL) 1714 catastrophic++; 1715 1716 if (catastrophic || debug) 1717 log(catastrophic? LOG_INFO: LOG_DEBUG, 1718 SPP_FMT "%s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1719 SPP_ARGS(ifp), cp->name, catastrophic ? '-' : '+', 1720 sppp_cp_type_name(h->type), proto, 1721 upper ? upper->name : "unknown", 1722 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1723 1724 /* 1725 * if we got RXJ+ against conf-req, the peer does not implement 1726 * this particular protocol type. terminate the protocol. 1727 */ 1728 if (upper && !catastrophic) { 1729 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1730 upper->Close(sp); 1731 break; 1732 } 1733 } 1734 1735 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1736 switch (sp->state[cp->protoidx]) { 1737 case STATE_CLOSED: 1738 case STATE_STOPPED: 1739 case STATE_REQ_SENT: 1740 case STATE_ACK_SENT: 1741 case STATE_CLOSING: 1742 case STATE_STOPPING: 1743 case STATE_OPENED: 1744 break; 1745 case STATE_ACK_RCVD: 1746 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1747 break; 1748 default: 1749 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1750 SPP_ARGS(ifp), cp->name, 1751 sppp_cp_type_name(h->type), 1752 sppp_state_name(sp->state[cp->protoidx])); 1753 IFNET_STAT_INC(ifp, ierrors, 1); 1754 } 1755 break; 1756 } 1757 case DISC_REQ: 1758 if (cp->proto != PPP_LCP) 1759 goto illegal; 1760 /* Discard the packet. */ 1761 break; 1762 case ECHO_REQ: 1763 if (cp->proto != PPP_LCP) 1764 goto illegal; 1765 if (sp->state[cp->protoidx] != STATE_OPENED) { 1766 if (debug) 1767 log(-1, SPP_FMT "lcp echo req but lcp closed\n", 1768 SPP_ARGS(ifp)); 1769 IFNET_STAT_INC(ifp, ierrors, 1); 1770 break; 1771 } 1772 if (len < 8) { 1773 if (debug) 1774 log(-1, SPP_FMT "invalid lcp echo request " 1775 "packet length: %d bytes\n", 1776 SPP_ARGS(ifp), len); 1777 break; 1778 } 1779 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 1780 ntohl (*(long*)(h+1)) == sp->lcp.magic) { 1781 /* Line loopback mode detected. */ 1782 kprintf(SPP_FMT "loopback\n", SPP_ARGS(ifp)); 1783 sp->pp_loopcnt = MAXALIVECNT * 5; 1784 if_down (ifp); 1785 IF_DRAIN(&sp->pp_cpq); 1786 1787 /* Shut down the PPP link. */ 1788 /* XXX */ 1789 lcp.Down(sp); 1790 lcp.Up(sp); 1791 break; 1792 } 1793 *(long*)(h+1) = htonl (sp->lcp.magic); 1794 if (debug) 1795 log(-1, SPP_FMT "got lcp echo req, sending echo rep\n", 1796 SPP_ARGS(ifp)); 1797 sppp_cp_send (sp, PPP_LCP, ECHO_REPLY, h->ident, len-4, h+1); 1798 break; 1799 case ECHO_REPLY: 1800 if (cp->proto != PPP_LCP) 1801 goto illegal; 1802 if (h->ident != sp->lcp.echoid) { 1803 IFNET_STAT_INC(ifp, ierrors, 1); 1804 break; 1805 } 1806 if (len < 8) { 1807 if (debug) 1808 log(-1, SPP_FMT "lcp invalid echo reply " 1809 "packet length: %d bytes\n", 1810 SPP_ARGS(ifp), len); 1811 break; 1812 } 1813 if (debug) 1814 log(-1, SPP_FMT "lcp got echo rep\n", 1815 SPP_ARGS(ifp)); 1816 if (!(sp->lcp.opts & (1 << LCP_OPT_MAGIC)) || 1817 ntohl (*(long*)(h+1)) != sp->lcp.magic) 1818 sp->pp_alivecnt = 0; 1819 break; 1820 default: 1821 /* Unknown packet type -- send Code-Reject packet. */ 1822 illegal: 1823 if (debug) 1824 log(-1, SPP_FMT "%s send code-rej for 0x%x\n", 1825 SPP_ARGS(ifp), cp->name, h->type); 1826 sppp_cp_send(sp, cp->proto, CODE_REJ, 1827 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1828 IFNET_STAT_INC(ifp, ierrors, 1); 1829 } 1830 } 1831 1832 1833 /* 1834 * The generic part of all Up/Down/Open/Close/TO event handlers. 1835 * Basically, the state transition handling in the automaton. 1836 */ 1837 static void 1838 sppp_up_event(const struct cp *cp, struct sppp *sp) 1839 { 1840 STDDCL; 1841 1842 if (debug) 1843 log(LOG_DEBUG, SPP_FMT "%s up(%s)\n", 1844 SPP_ARGS(ifp), cp->name, 1845 sppp_state_name(sp->state[cp->protoidx])); 1846 1847 switch (sp->state[cp->protoidx]) { 1848 case STATE_INITIAL: 1849 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1850 break; 1851 case STATE_STARTING: 1852 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1853 (cp->scr)(sp); 1854 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1855 break; 1856 default: 1857 kprintf(SPP_FMT "%s illegal up in state %s\n", 1858 SPP_ARGS(ifp), cp->name, 1859 sppp_state_name(sp->state[cp->protoidx])); 1860 } 1861 } 1862 1863 static void 1864 sppp_down_event(const struct cp *cp, struct sppp *sp) 1865 { 1866 STDDCL; 1867 1868 if (debug) 1869 log(LOG_DEBUG, SPP_FMT "%s down(%s)\n", 1870 SPP_ARGS(ifp), cp->name, 1871 sppp_state_name(sp->state[cp->protoidx])); 1872 1873 switch (sp->state[cp->protoidx]) { 1874 case STATE_CLOSED: 1875 case STATE_CLOSING: 1876 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1877 break; 1878 case STATE_STOPPED: 1879 sppp_cp_change_state(cp, sp, STATE_STARTING); 1880 (cp->tls)(sp); 1881 break; 1882 case STATE_STOPPING: 1883 case STATE_REQ_SENT: 1884 case STATE_ACK_RCVD: 1885 case STATE_ACK_SENT: 1886 sppp_cp_change_state(cp, sp, STATE_STARTING); 1887 break; 1888 case STATE_OPENED: 1889 (cp->tld)(sp); 1890 sppp_cp_change_state(cp, sp, STATE_STARTING); 1891 break; 1892 default: 1893 kprintf(SPP_FMT "%s illegal down in state %s\n", 1894 SPP_ARGS(ifp), cp->name, 1895 sppp_state_name(sp->state[cp->protoidx])); 1896 } 1897 } 1898 1899 1900 static void 1901 sppp_open_event(const struct cp *cp, struct sppp *sp) 1902 { 1903 STDDCL; 1904 1905 if (debug) 1906 log(LOG_DEBUG, SPP_FMT "%s open(%s)\n", 1907 SPP_ARGS(ifp), cp->name, 1908 sppp_state_name(sp->state[cp->protoidx])); 1909 1910 switch (sp->state[cp->protoidx]) { 1911 case STATE_INITIAL: 1912 sppp_cp_change_state(cp, sp, STATE_STARTING); 1913 (cp->tls)(sp); 1914 break; 1915 case STATE_STARTING: 1916 break; 1917 case STATE_CLOSED: 1918 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1919 (cp->scr)(sp); 1920 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1921 break; 1922 case STATE_STOPPED: 1923 /* 1924 * Try escaping stopped state. This seems to bite 1925 * people occasionally, in particular for IPCP, 1926 * presumably following previous IPCP negotiation 1927 * aborts. Somehow, we must have missed a Down event 1928 * which would have caused a transition into starting 1929 * state, so as a bandaid we force the Down event now. 1930 * This effectively implements (something like the) 1931 * `restart' option mentioned in the state transition 1932 * table of RFC 1661. 1933 */ 1934 sppp_cp_change_state(cp, sp, STATE_STARTING); 1935 (cp->tls)(sp); 1936 break; 1937 case STATE_STOPPING: 1938 case STATE_REQ_SENT: 1939 case STATE_ACK_RCVD: 1940 case STATE_ACK_SENT: 1941 case STATE_OPENED: 1942 break; 1943 case STATE_CLOSING: 1944 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1945 break; 1946 } 1947 } 1948 1949 1950 static void 1951 sppp_close_event(const struct cp *cp, struct sppp *sp) 1952 { 1953 STDDCL; 1954 1955 if (debug) 1956 log(LOG_DEBUG, SPP_FMT "%s close(%s)\n", 1957 SPP_ARGS(ifp), cp->name, 1958 sppp_state_name(sp->state[cp->protoidx])); 1959 1960 switch (sp->state[cp->protoidx]) { 1961 case STATE_INITIAL: 1962 case STATE_CLOSED: 1963 case STATE_CLOSING: 1964 break; 1965 case STATE_STARTING: 1966 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1967 (cp->tlf)(sp); 1968 break; 1969 case STATE_STOPPED: 1970 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1971 break; 1972 case STATE_STOPPING: 1973 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1974 break; 1975 case STATE_OPENED: 1976 (cp->tld)(sp); 1977 /* fall through */ 1978 case STATE_REQ_SENT: 1979 case STATE_ACK_RCVD: 1980 case STATE_ACK_SENT: 1981 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 1982 sppp_cp_send(sp, cp->proto, TERM_REQ, 1983 ++sp->pp_seq[cp->protoidx], 0, 0); 1984 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1985 break; 1986 } 1987 } 1988 1989 static void 1990 sppp_to_event(const struct cp *cp, struct sppp *sp) 1991 { 1992 STDDCL; 1993 1994 crit_enter(); 1995 1996 if (debug) 1997 log(LOG_DEBUG, SPP_FMT "%s TO(%s) rst_counter = %d\n", 1998 SPP_ARGS(ifp), cp->name, 1999 sppp_state_name(sp->state[cp->protoidx]), 2000 sp->rst_counter[cp->protoidx]); 2001 2002 if (--sp->rst_counter[cp->protoidx] < 0) 2003 /* TO- event */ 2004 switch (sp->state[cp->protoidx]) { 2005 case STATE_CLOSING: 2006 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2007 (cp->tlf)(sp); 2008 break; 2009 case STATE_STOPPING: 2010 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2011 (cp->tlf)(sp); 2012 break; 2013 case STATE_REQ_SENT: 2014 case STATE_ACK_RCVD: 2015 case STATE_ACK_SENT: 2016 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2017 (cp->tlf)(sp); 2018 break; 2019 } 2020 else 2021 /* TO+ event */ 2022 switch (sp->state[cp->protoidx]) { 2023 case STATE_CLOSING: 2024 case STATE_STOPPING: 2025 sppp_cp_send(sp, cp->proto, TERM_REQ, 2026 ++sp->pp_seq[cp->protoidx], 0, 0); 2027 callout_reset(&sp->timeout[cp->protoidx], 2028 sp->lcp.timeout, cp->TO, sp); 2029 break; 2030 case STATE_REQ_SENT: 2031 case STATE_ACK_RCVD: 2032 (cp->scr)(sp); 2033 /* sppp_cp_change_state() will restart the timer */ 2034 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2035 break; 2036 case STATE_ACK_SENT: 2037 (cp->scr)(sp); 2038 callout_reset(&sp->timeout[cp->protoidx], 2039 sp->lcp.timeout, cp->TO, sp); 2040 break; 2041 } 2042 2043 crit_exit(); 2044 } 2045 2046 /* 2047 * Change the state of a control protocol in the state automaton. 2048 * Takes care of starting/stopping the restart timer. 2049 */ 2050 void 2051 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2052 { 2053 sp->state[cp->protoidx] = newstate; 2054 callout_stop(&sp->timeout[cp->protoidx]); 2055 2056 switch (newstate) { 2057 case STATE_INITIAL: 2058 case STATE_STARTING: 2059 case STATE_CLOSED: 2060 case STATE_STOPPED: 2061 case STATE_OPENED: 2062 break; 2063 case STATE_CLOSING: 2064 case STATE_STOPPING: 2065 case STATE_REQ_SENT: 2066 case STATE_ACK_RCVD: 2067 case STATE_ACK_SENT: 2068 callout_reset(&sp->timeout[cp->protoidx], 2069 sp->lcp.timeout, cp->TO, sp); 2070 break; 2071 } 2072 } 2073 2074 /* 2075 *--------------------------------------------------------------------------* 2076 * * 2077 * The LCP implementation. * 2078 * * 2079 *--------------------------------------------------------------------------* 2080 */ 2081 static void 2082 sppp_lcp_init(struct sppp *sp) 2083 { 2084 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2085 sp->lcp.magic = 0; 2086 sp->state[IDX_LCP] = STATE_INITIAL; 2087 sp->fail_counter[IDX_LCP] = 0; 2088 sp->pp_seq[IDX_LCP] = 0; 2089 sp->pp_rseq[IDX_LCP] = 0; 2090 sp->lcp.protos = 0; 2091 sp->lcp.mru = sp->lcp.their_mru = PP_MTU; 2092 2093 /* Note that these values are relevant for all control protocols */ 2094 sp->lcp.timeout = 3 * hz; 2095 sp->lcp.max_terminate = 2; 2096 sp->lcp.max_configure = 10; 2097 sp->lcp.max_failure = 10; 2098 callout_init(&sp->timeout[IDX_LCP]); 2099 } 2100 2101 static void 2102 sppp_lcp_up(struct sppp *sp) 2103 { 2104 STDDCL; 2105 2106 sp->pp_alivecnt = 0; 2107 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2108 sp->lcp.magic = 0; 2109 sp->lcp.protos = 0; 2110 sp->lcp.mru = sp->lcp.their_mru = PP_MTU; 2111 /* 2112 * If this interface is passive or dial-on-demand, and we are 2113 * still in Initial state, it means we've got an incoming 2114 * call. Activate the interface. 2115 */ 2116 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2117 if (debug) 2118 log(LOG_DEBUG, 2119 SPP_FMT "Up event", SPP_ARGS(ifp)); 2120 ifp->if_flags |= IFF_RUNNING; 2121 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2122 if (debug) 2123 log(-1, "(incoming call)\n"); 2124 sp->pp_flags |= PP_CALLIN; 2125 lcp.Open(sp); 2126 } else if (debug) 2127 log(-1, "\n"); 2128 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2129 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2130 ifp->if_flags |= IFF_RUNNING; 2131 lcp.Open(sp); 2132 } 2133 2134 sppp_up_event(&lcp, sp); 2135 } 2136 2137 static void 2138 sppp_lcp_down(struct sppp *sp) 2139 { 2140 STDDCL; 2141 2142 sppp_down_event(&lcp, sp); 2143 2144 /* 2145 * If this is neither a dial-on-demand nor a passive 2146 * interface, simulate an ``ifconfig down'' action, so the 2147 * administrator can force a redial by another ``ifconfig 2148 * up''. XXX For leased line operation, should we immediately 2149 * try to reopen the connection here? 2150 */ 2151 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2152 log(LOG_INFO, 2153 SPP_FMT "Down event, taking interface down.\n", 2154 SPP_ARGS(ifp)); 2155 if_down(ifp); 2156 } else { 2157 if (debug) 2158 log(LOG_DEBUG, 2159 SPP_FMT "Down event (carrier loss)\n", 2160 SPP_ARGS(ifp)); 2161 sp->pp_flags &= ~PP_CALLIN; 2162 if (sp->state[IDX_LCP] != STATE_INITIAL) 2163 lcp.Close(sp); 2164 ifp->if_flags &= ~IFF_RUNNING; 2165 } 2166 } 2167 2168 static void 2169 sppp_lcp_open(struct sppp *sp) 2170 { 2171 /* 2172 * If we are authenticator, negotiate LCP_AUTH 2173 */ 2174 if (sp->hisauth.proto != 0) 2175 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2176 else 2177 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2178 sp->pp_flags &= ~PP_NEEDAUTH; 2179 sppp_open_event(&lcp, sp); 2180 } 2181 2182 static void 2183 sppp_lcp_close(struct sppp *sp) 2184 { 2185 sppp_close_event(&lcp, sp); 2186 } 2187 2188 static void 2189 sppp_lcp_TO(void *cookie) 2190 { 2191 sppp_to_event(&lcp, (struct sppp *)cookie); 2192 } 2193 2194 /* 2195 * Analyze a configure request. Return true if it was agreeable, and 2196 * caused action sca, false if it has been rejected or nak'ed, and 2197 * caused action scn. (The return value is used to make the state 2198 * transition decision in the state automaton.) 2199 */ 2200 static int 2201 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2202 { 2203 STDDCL; 2204 u_char *buf, *r, *p; 2205 int origlen, rlen; 2206 u_long nmagic; 2207 u_short authproto; 2208 2209 len -= 4; 2210 origlen = len; 2211 buf = r = kmalloc (len, M_TEMP, M_INTWAIT); 2212 2213 if (debug) 2214 log(LOG_DEBUG, SPP_FMT "lcp parse opts: ", 2215 SPP_ARGS(ifp)); 2216 2217 /* pass 1: check for things that need to be rejected */ 2218 p = (void*) (h+1); 2219 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2220 /* Sanity check option length */ 2221 if (p[1] > len) { 2222 /* Malicious option - drop immediately. 2223 * XXX Maybe we should just RXJ it? 2224 */ 2225 log(-1, "%s: received malicious LCP option 0x%02x, " 2226 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2227 p[0], p[1], len); 2228 goto drop; 2229 } 2230 if (debug) 2231 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2232 switch (*p) { 2233 case LCP_OPT_MAGIC: 2234 /* Magic number. */ 2235 if (len >= 6 && p[1] == 6) 2236 continue; 2237 if (debug) 2238 log(-1, "[invalid] "); 2239 break; 2240 case LCP_OPT_ASYNC_MAP: 2241 /* Async control character map. */ 2242 if (len >= 6 && p[1] == 6) 2243 continue; 2244 if (debug) 2245 log(-1, "[invalid] "); 2246 break; 2247 case LCP_OPT_MRU: 2248 /* Maximum receive unit. */ 2249 if (len >= 4 && p[1] == 4) 2250 continue; 2251 if (debug) 2252 log(-1, "[invalid] "); 2253 break; 2254 case LCP_OPT_AUTH_PROTO: 2255 if (len < 4) { 2256 if (debug) 2257 log(-1, "[invalid] "); 2258 break; 2259 } 2260 authproto = (p[2] << 8) + p[3]; 2261 if (authproto == PPP_CHAP && p[1] != 5) { 2262 if (debug) 2263 log(-1, "[invalid chap len] "); 2264 break; 2265 } 2266 if (sp->myauth.proto == 0) { 2267 /* we are not configured to do auth */ 2268 if (debug) 2269 log(-1, "[not configured] "); 2270 break; 2271 } 2272 /* 2273 * Remote want us to authenticate, remember this, 2274 * so we stay in PHASE_AUTHENTICATE after LCP got 2275 * up. 2276 */ 2277 sp->pp_flags |= PP_NEEDAUTH; 2278 continue; 2279 default: 2280 /* Others not supported. */ 2281 if (debug) 2282 log(-1, "[rej] "); 2283 break; 2284 } 2285 /* Add the option to rejected list. */ 2286 bcopy (p, r, p[1]); 2287 r += p[1]; 2288 rlen += p[1]; 2289 } 2290 if (rlen) { 2291 if (debug) 2292 log(-1, " send conf-rej\n"); 2293 sppp_cp_send (sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2294 return 0; 2295 } else if (debug) 2296 log(-1, "\n"); 2297 2298 /* 2299 * pass 2: check for option values that are unacceptable and 2300 * thus require to be nak'ed. 2301 */ 2302 if (debug) 2303 log(LOG_DEBUG, SPP_FMT "lcp parse opt values: ", 2304 SPP_ARGS(ifp)); 2305 2306 p = (void*) (h+1); 2307 len = origlen; 2308 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2309 if (debug) 2310 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2311 switch (*p) { 2312 case LCP_OPT_MAGIC: 2313 /* Magic number -- extract. */ 2314 nmagic = (u_long)p[2] << 24 | 2315 (u_long)p[3] << 16 | p[4] << 8 | p[5]; 2316 if (nmagic != sp->lcp.magic) { 2317 sp->pp_loopcnt = 0; 2318 if (debug) 2319 log(-1, "0x%lx ", nmagic); 2320 continue; 2321 } 2322 if (debug && sp->pp_loopcnt < MAXALIVECNT*5) 2323 log(-1, "[glitch] "); 2324 ++sp->pp_loopcnt; 2325 /* 2326 * We negate our magic here, and NAK it. If 2327 * we see it later in an NAK packet, we 2328 * suggest a new one. 2329 */ 2330 nmagic = ~sp->lcp.magic; 2331 /* Gonna NAK it. */ 2332 p[2] = nmagic >> 24; 2333 p[3] = nmagic >> 16; 2334 p[4] = nmagic >> 8; 2335 p[5] = nmagic; 2336 break; 2337 2338 case LCP_OPT_ASYNC_MAP: 2339 /* 2340 * Async control character map -- just ignore it. 2341 * 2342 * Quote from RFC 1662, chapter 6: 2343 * To enable this functionality, synchronous PPP 2344 * implementations MUST always respond to the 2345 * Async-Control-Character-Map Configuration 2346 * Option with the LCP Configure-Ack. However, 2347 * acceptance of the Configuration Option does 2348 * not imply that the synchronous implementation 2349 * will do any ACCM mapping. Instead, all such 2350 * octet mapping will be performed by the 2351 * asynchronous-to-synchronous converter. 2352 */ 2353 continue; 2354 2355 case LCP_OPT_MRU: 2356 /* 2357 * Maximum receive unit. Always agreeable, 2358 * but ignored by now. 2359 */ 2360 sp->lcp.their_mru = p[2] * 256 + p[3]; 2361 if (debug) 2362 log(-1, "%lu ", sp->lcp.their_mru); 2363 continue; 2364 2365 case LCP_OPT_AUTH_PROTO: 2366 authproto = (p[2] << 8) + p[3]; 2367 if (sp->myauth.proto != authproto) { 2368 /* not agreed, nak */ 2369 if (debug) 2370 log(-1, "[mine %s != his %s] ", 2371 sppp_proto_name(sp->hisauth.proto), 2372 sppp_proto_name(authproto)); 2373 p[2] = sp->myauth.proto >> 8; 2374 p[3] = sp->myauth.proto; 2375 break; 2376 } 2377 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2378 if (debug) 2379 log(-1, "[chap not MD5] "); 2380 p[4] = CHAP_MD5; 2381 break; 2382 } 2383 continue; 2384 } 2385 /* Add the option to nak'ed list. */ 2386 bcopy (p, r, p[1]); 2387 r += p[1]; 2388 rlen += p[1]; 2389 } 2390 if (rlen) { 2391 /* 2392 * Local and remote magics equal -- loopback? 2393 */ 2394 if (sp->pp_loopcnt >= MAXALIVECNT*5) { 2395 if (sp->pp_loopcnt == MAXALIVECNT*5) 2396 kprintf (SPP_FMT "loopback\n", 2397 SPP_ARGS(ifp)); 2398 if (ifp->if_flags & IFF_UP) { 2399 if_down(ifp); 2400 IF_DRAIN(&sp->pp_cpq); 2401 /* XXX ? */ 2402 lcp.Down(sp); 2403 lcp.Up(sp); 2404 } 2405 } else if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2406 if (debug) 2407 log(-1, " max_failure (%d) exceeded, " 2408 "send conf-rej\n", 2409 sp->lcp.max_failure); 2410 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2411 } else { 2412 if (debug) 2413 log(-1, " send conf-nak\n"); 2414 sppp_cp_send (sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2415 } 2416 } else { 2417 if (debug) 2418 log(-1, " send conf-ack\n"); 2419 sp->fail_counter[IDX_LCP] = 0; 2420 sp->pp_loopcnt = 0; 2421 sppp_cp_send (sp, PPP_LCP, CONF_ACK, 2422 h->ident, origlen, h+1); 2423 } 2424 2425 kfree (buf, M_TEMP); 2426 return (rlen == 0); 2427 2428 drop: 2429 kfree(buf, M_TEMP); 2430 return (-1); 2431 } 2432 2433 /* 2434 * Analyze the LCP Configure-Reject option list, and adjust our 2435 * negotiation. 2436 */ 2437 static void 2438 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2439 { 2440 STDDCL; 2441 u_char *buf, *p; 2442 2443 len -= 4; 2444 buf = kmalloc (len, M_TEMP, M_INTWAIT); 2445 2446 if (debug) 2447 log(LOG_DEBUG, SPP_FMT "lcp rej opts: ", 2448 SPP_ARGS(ifp)); 2449 2450 p = (void*) (h+1); 2451 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2452 /* Sanity check option length */ 2453 if (p[1] > len) { 2454 /* 2455 * Malicious option - drop immediately. 2456 * XXX Maybe we should just RXJ it? 2457 */ 2458 log(-1, "%s: received malicious LCP option, " 2459 "dropping.\n", ifp->if_xname); 2460 goto drop; 2461 } 2462 if (debug) 2463 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2464 switch (*p) { 2465 case LCP_OPT_MAGIC: 2466 /* Magic number -- can't use it, use 0 */ 2467 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2468 sp->lcp.magic = 0; 2469 break; 2470 case LCP_OPT_MRU: 2471 /* 2472 * Should not be rejected anyway, since we only 2473 * negotiate a MRU if explicitly requested by 2474 * peer. 2475 */ 2476 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2477 break; 2478 case LCP_OPT_AUTH_PROTO: 2479 /* 2480 * Peer doesn't want to authenticate himself, 2481 * deny unless this is a dialout call, and 2482 * AUTHFLAG_NOCALLOUT is set. 2483 */ 2484 if ((sp->pp_flags & PP_CALLIN) == 0 && 2485 (sp->hisauth.flags & AUTHFLAG_NOCALLOUT) != 0) { 2486 if (debug) 2487 log(-1, "[don't insist on auth " 2488 "for callout]"); 2489 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2490 break; 2491 } 2492 if (debug) 2493 log(-1, "[access denied]\n"); 2494 lcp.Close(sp); 2495 break; 2496 } 2497 } 2498 if (debug) 2499 log(-1, "\n"); 2500 drop: 2501 kfree (buf, M_TEMP); 2502 return; 2503 } 2504 2505 /* 2506 * Analyze the LCP Configure-NAK option list, and adjust our 2507 * negotiation. 2508 */ 2509 static void 2510 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2511 { 2512 STDDCL; 2513 u_char *buf, *p; 2514 u_long magic; 2515 2516 len -= 4; 2517 buf = kmalloc (len, M_TEMP, M_INTWAIT); 2518 2519 if (debug) 2520 log(LOG_DEBUG, SPP_FMT "lcp nak opts: ", 2521 SPP_ARGS(ifp)); 2522 2523 p = (void*) (h+1); 2524 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2525 /* Sanity check option length */ 2526 if (p[1] > len) { 2527 /* 2528 * Malicious option - drop immediately. 2529 * XXX Maybe we should just RXJ it? 2530 */ 2531 log(-1, "%s: received malicious LCP option, " 2532 "dropping.\n", ifp->if_xname); 2533 goto drop; 2534 } 2535 if (debug) 2536 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2537 switch (*p) { 2538 case LCP_OPT_MAGIC: 2539 /* Magic number -- renegotiate */ 2540 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2541 len >= 6 && p[1] == 6) { 2542 magic = (u_long)p[2] << 24 | 2543 (u_long)p[3] << 16 | p[4] << 8 | p[5]; 2544 /* 2545 * If the remote magic is our negated one, 2546 * this looks like a loopback problem. 2547 * Suggest a new magic to make sure. 2548 */ 2549 if (magic == ~sp->lcp.magic) { 2550 if (debug) 2551 log(-1, "magic glitch "); 2552 sp->lcp.magic = krandom(); 2553 } else { 2554 sp->lcp.magic = magic; 2555 if (debug) 2556 log(-1, "%lu ", magic); 2557 } 2558 } 2559 break; 2560 case LCP_OPT_MRU: 2561 /* 2562 * Peer wants to advise us to negotiate an MRU. 2563 * Agree on it if it's reasonable, or use 2564 * default otherwise. 2565 */ 2566 if (len >= 4 && p[1] == 4) { 2567 u_int mru = p[2] * 256 + p[3]; 2568 if (debug) 2569 log(-1, "%d ", mru); 2570 if (mru < PP_MTU || mru > PP_MAX_MRU) 2571 mru = PP_MTU; 2572 sp->lcp.mru = mru; 2573 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2574 } 2575 break; 2576 case LCP_OPT_AUTH_PROTO: 2577 /* 2578 * Peer doesn't like our authentication method, 2579 * deny. 2580 */ 2581 if (debug) 2582 log(-1, "[access denied]\n"); 2583 lcp.Close(sp); 2584 break; 2585 } 2586 } 2587 if (debug) 2588 log(-1, "\n"); 2589 drop: 2590 kfree (buf, M_TEMP); 2591 return; 2592 } 2593 2594 static void 2595 sppp_lcp_tlu(struct sppp *sp) 2596 { 2597 STDDCL; 2598 int i; 2599 u_long mask; 2600 2601 /* XXX ? */ 2602 if (! (ifp->if_flags & IFF_UP) && 2603 (ifp->if_flags & IFF_RUNNING)) { 2604 /* Coming out of loopback mode. */ 2605 if_up(ifp); 2606 kprintf (SPP_FMT "up\n", SPP_ARGS(ifp)); 2607 } 2608 2609 for (i = 0; i < IDX_COUNT; i++) 2610 if ((cps[i])->flags & CP_QUAL) 2611 (cps[i])->Open(sp); 2612 2613 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2614 (sp->pp_flags & PP_NEEDAUTH) != 0) 2615 sp->pp_phase = PHASE_AUTHENTICATE; 2616 else 2617 sp->pp_phase = PHASE_NETWORK; 2618 2619 if (debug) 2620 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2621 sppp_phase_name(sp->pp_phase)); 2622 2623 /* 2624 * Open all authentication protocols. This is even required 2625 * if we already proceeded to network phase, since it might be 2626 * that remote wants us to authenticate, so we might have to 2627 * send a PAP request. Undesired authentication protocols 2628 * don't do anything when they get an Open event. 2629 */ 2630 for (i = 0; i < IDX_COUNT; i++) 2631 if ((cps[i])->flags & CP_AUTH) 2632 (cps[i])->Open(sp); 2633 2634 if (sp->pp_phase == PHASE_NETWORK) { 2635 /* Notify all NCPs. */ 2636 for (i = 0; i < IDX_COUNT; i++) 2637 if (((cps[i])->flags & CP_NCP) && 2638 /* 2639 * XXX 2640 * Hack to administratively disable IPv6 if 2641 * not desired. Perhaps we should have another 2642 * flag for this, but right now, we can make 2643 * all struct cp's read/only. 2644 */ 2645 (cps[i] != &ipv6cp || 2646 (sp->confflags & CONF_ENABLE_IPV6))) 2647 (cps[i])->Open(sp); 2648 } 2649 2650 /* Send Up events to all started protos. */ 2651 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2652 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) 2653 (cps[i])->Up(sp); 2654 2655 /* notify low-level driver of state change */ 2656 if (sp->pp_chg) 2657 sp->pp_chg(sp, (int)sp->pp_phase); 2658 2659 if (sp->pp_phase == PHASE_NETWORK) 2660 /* if no NCP is starting, close down */ 2661 sppp_lcp_check_and_close(sp); 2662 } 2663 2664 static void 2665 sppp_lcp_tld(struct sppp *sp) 2666 { 2667 STDDCL; 2668 int i; 2669 u_long mask; 2670 2671 sp->pp_phase = PHASE_TERMINATE; 2672 2673 if (debug) 2674 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2675 sppp_phase_name(sp->pp_phase)); 2676 2677 /* 2678 * Take upper layers down. We send the Down event first and 2679 * the Close second to prevent the upper layers from sending 2680 * ``a flurry of terminate-request packets'', as the RFC 2681 * describes it. 2682 */ 2683 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2684 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2685 (cps[i])->Down(sp); 2686 (cps[i])->Close(sp); 2687 } 2688 } 2689 2690 static void 2691 sppp_lcp_tls(struct sppp *sp) 2692 { 2693 STDDCL; 2694 2695 sp->pp_phase = PHASE_ESTABLISH; 2696 2697 if (debug) 2698 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2699 sppp_phase_name(sp->pp_phase)); 2700 2701 /* Notify lower layer if desired. */ 2702 if (sp->pp_tls) 2703 (sp->pp_tls)(sp); 2704 else 2705 (sp->pp_up)(sp); 2706 } 2707 2708 static void 2709 sppp_lcp_tlf(struct sppp *sp) 2710 { 2711 STDDCL; 2712 2713 sp->pp_phase = PHASE_DEAD; 2714 if (debug) 2715 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2716 sppp_phase_name(sp->pp_phase)); 2717 2718 /* Notify lower layer if desired. */ 2719 if (sp->pp_tlf) 2720 (sp->pp_tlf)(sp); 2721 else 2722 (sp->pp_down)(sp); 2723 } 2724 2725 static void 2726 sppp_lcp_scr(struct sppp *sp) 2727 { 2728 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2729 int i = 0; 2730 u_short authproto; 2731 2732 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2733 if (! sp->lcp.magic) 2734 sp->lcp.magic = krandom(); 2735 opt[i++] = LCP_OPT_MAGIC; 2736 opt[i++] = 6; 2737 opt[i++] = sp->lcp.magic >> 24; 2738 opt[i++] = sp->lcp.magic >> 16; 2739 opt[i++] = sp->lcp.magic >> 8; 2740 opt[i++] = sp->lcp.magic; 2741 } 2742 2743 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2744 opt[i++] = LCP_OPT_MRU; 2745 opt[i++] = 4; 2746 opt[i++] = sp->lcp.mru >> 8; 2747 opt[i++] = sp->lcp.mru; 2748 } 2749 2750 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2751 authproto = sp->hisauth.proto; 2752 opt[i++] = LCP_OPT_AUTH_PROTO; 2753 opt[i++] = authproto == PPP_CHAP? 5: 4; 2754 opt[i++] = authproto >> 8; 2755 opt[i++] = authproto; 2756 if (authproto == PPP_CHAP) 2757 opt[i++] = CHAP_MD5; 2758 } 2759 2760 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2761 sppp_cp_send (sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2762 } 2763 2764 /* 2765 * Check the open NCPs, return true if at least one NCP is open. 2766 */ 2767 static int 2768 sppp_ncp_check(struct sppp *sp) 2769 { 2770 int i, mask; 2771 2772 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2773 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2774 return 1; 2775 return 0; 2776 } 2777 2778 /* 2779 * Re-check the open NCPs and see if we should terminate the link. 2780 * Called by the NCPs during their tlf action handling. 2781 */ 2782 static void 2783 sppp_lcp_check_and_close(struct sppp *sp) 2784 { 2785 2786 if (sp->pp_phase < PHASE_NETWORK) 2787 /* don't bother, we are already going down */ 2788 return; 2789 2790 if (sppp_ncp_check(sp)) 2791 return; 2792 2793 lcp.Close(sp); 2794 } 2795 2796 /* 2797 *--------------------------------------------------------------------------* 2798 * * 2799 * The IPCP implementation. * 2800 * * 2801 *--------------------------------------------------------------------------* 2802 */ 2803 2804 static void 2805 sppp_ipcp_init(struct sppp *sp) 2806 { 2807 sp->ipcp.opts = 0; 2808 sp->ipcp.flags = 0; 2809 sp->state[IDX_IPCP] = STATE_INITIAL; 2810 sp->fail_counter[IDX_IPCP] = 0; 2811 sp->pp_seq[IDX_IPCP] = 0; 2812 sp->pp_rseq[IDX_IPCP] = 0; 2813 callout_init(&sp->timeout[IDX_IPCP]); 2814 } 2815 2816 static void 2817 sppp_ipcp_up(struct sppp *sp) 2818 { 2819 sppp_up_event(&ipcp, sp); 2820 } 2821 2822 static void 2823 sppp_ipcp_down(struct sppp *sp) 2824 { 2825 sppp_down_event(&ipcp, sp); 2826 } 2827 2828 static void 2829 sppp_ipcp_open(struct sppp *sp) 2830 { 2831 STDDCL; 2832 u_long myaddr, hisaddr; 2833 2834 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN | IPCP_MYADDR_SEEN | 2835 IPCP_MYADDR_DYN | IPCP_VJ); 2836 sp->ipcp.opts = 0; 2837 2838 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 2839 /* 2840 * If we don't have his address, this probably means our 2841 * interface doesn't want to talk IP at all. (This could 2842 * be the case if somebody wants to speak only IPX, for 2843 * example.) Don't open IPCP in this case. 2844 */ 2845 if (hisaddr == 0L) { 2846 /* XXX this message should go away */ 2847 if (debug) 2848 log(LOG_DEBUG, SPP_FMT "ipcp_open(): no IP interface\n", 2849 SPP_ARGS(ifp)); 2850 return; 2851 } 2852 if (myaddr == 0L) { 2853 /* 2854 * I don't have an assigned address, so i need to 2855 * negotiate my address. 2856 */ 2857 sp->ipcp.flags |= IPCP_MYADDR_DYN; 2858 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 2859 } else 2860 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 2861 if (sp->confflags & CONF_ENABLE_VJ) { 2862 sp->ipcp.opts |= (1 << IPCP_OPT_COMPRESSION); 2863 sp->ipcp.max_state = MAX_STATES - 1; 2864 sp->ipcp.compress_cid = 1; 2865 } 2866 sppp_open_event(&ipcp, sp); 2867 } 2868 2869 static void 2870 sppp_ipcp_close(struct sppp *sp) 2871 { 2872 sppp_close_event(&ipcp, sp); 2873 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 2874 /* 2875 * My address was dynamic, clear it again. 2876 */ 2877 sppp_set_ip_addr(sp, 0L); 2878 } 2879 2880 static void 2881 sppp_ipcp_TO(void *cookie) 2882 { 2883 sppp_to_event(&ipcp, (struct sppp *)cookie); 2884 } 2885 2886 /* 2887 * Analyze a configure request. Return true if it was agreeable, and 2888 * caused action sca, false if it has been rejected or nak'ed, and 2889 * caused action scn. (The return value is used to make the state 2890 * transition decision in the state automaton.) 2891 */ 2892 static int 2893 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2894 { 2895 u_char *buf, *r, *p; 2896 struct ifnet *ifp = &sp->pp_if; 2897 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 2898 u_long hisaddr, desiredaddr; 2899 int gotmyaddr = 0; 2900 int desiredcomp; 2901 2902 len -= 4; 2903 origlen = len; 2904 /* 2905 * Make sure to allocate a buf that can at least hold a 2906 * conf-nak with an `address' option. We might need it below. 2907 */ 2908 buf = r = kmalloc ((len < 6? 6: len), M_TEMP, M_INTWAIT); 2909 2910 /* pass 1: see if we can recognize them */ 2911 if (debug) 2912 log(LOG_DEBUG, SPP_FMT "ipcp parse opts: ", 2913 SPP_ARGS(ifp)); 2914 p = (void*) (h+1); 2915 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2916 /* Sanity check option length */ 2917 if (p[1] > len) { 2918 /* XXX should we just RXJ? */ 2919 log(-1, "%s: malicious IPCP option received, dropping\n", 2920 ifp->if_xname); 2921 goto drop; 2922 } 2923 if (debug) 2924 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 2925 switch (*p) { 2926 case IPCP_OPT_COMPRESSION: 2927 if (!(sp->confflags & CONF_ENABLE_VJ)) { 2928 /* VJ compression administratively disabled */ 2929 if (debug) 2930 log(-1, "[locally disabled] "); 2931 break; 2932 } 2933 /* 2934 * In theory, we should only conf-rej an 2935 * option that is shorter than RFC 1618 2936 * requires (i.e. < 4), and should conf-nak 2937 * anything else that is not VJ. However, 2938 * since our algorithm always uses the 2939 * original option to NAK it with new values, 2940 * things would become more complicated. In 2941 * pratice, the only commonly implemented IP 2942 * compression option is VJ anyway, so the 2943 * difference is negligible. 2944 */ 2945 if (len >= 6 && p[1] == 6) { 2946 /* 2947 * correctly formed compression option 2948 * that could be VJ compression 2949 */ 2950 continue; 2951 } 2952 if (debug) 2953 log(-1, "optlen %d [invalid/unsupported] ", 2954 p[1]); 2955 break; 2956 case IPCP_OPT_ADDRESS: 2957 if (len >= 6 && p[1] == 6) { 2958 /* correctly formed address option */ 2959 continue; 2960 } 2961 if (debug) 2962 log(-1, "[invalid] "); 2963 break; 2964 default: 2965 /* Others not supported. */ 2966 if (debug) 2967 log(-1, "[rej] "); 2968 break; 2969 } 2970 /* Add the option to rejected list. */ 2971 bcopy (p, r, p[1]); 2972 r += p[1]; 2973 rlen += p[1]; 2974 } 2975 if (rlen) { 2976 if (debug) 2977 log(-1, " send conf-rej\n"); 2978 sppp_cp_send (sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 2979 return 0; 2980 } else if (debug) 2981 log(-1, "\n"); 2982 2983 /* pass 2: parse option values */ 2984 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); 2985 if (debug) 2986 log(LOG_DEBUG, SPP_FMT "ipcp parse opt values: ", 2987 SPP_ARGS(ifp)); 2988 p = (void*) (h+1); 2989 len = origlen; 2990 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2991 if (debug) 2992 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 2993 switch (*p) { 2994 case IPCP_OPT_COMPRESSION: 2995 desiredcomp = p[2] << 8 | p[3]; 2996 /* We only support VJ */ 2997 if (desiredcomp == IPCP_COMP_VJ) { 2998 if (debug) 2999 log(-1, "VJ [ack] "); 3000 sp->ipcp.flags |= IPCP_VJ; 3001 sl_compress_init(sp->pp_comp, p[4]); 3002 sp->ipcp.max_state = p[4]; 3003 sp->ipcp.compress_cid = p[5]; 3004 continue; 3005 } 3006 if (debug) 3007 log(-1, "compproto %#04x [not supported] ", 3008 desiredcomp); 3009 p[2] = IPCP_COMP_VJ >> 8; 3010 p[3] = IPCP_COMP_VJ; 3011 p[4] = sp->ipcp.max_state; 3012 p[5] = sp->ipcp.compress_cid; 3013 break; 3014 case IPCP_OPT_ADDRESS: 3015 /* This is the address he wants in his end */ 3016 desiredaddr = p[2] << 24 | p[3] << 16 | 3017 p[4] << 8 | p[5]; 3018 if (desiredaddr == hisaddr || 3019 (hisaddr >= 1 && hisaddr <= 254 && desiredaddr != 0)) { 3020 /* 3021 * Peer's address is same as our value, 3022 * or we have set it to 0.0.0.* to 3023 * indicate that we do not really care, 3024 * this is agreeable. Gonna conf-ack 3025 * it. 3026 */ 3027 if (debug) 3028 log(-1, "%s [ack] ", 3029 sppp_dotted_quad(hisaddr)); 3030 /* record that we've seen it already */ 3031 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 3032 continue; 3033 } 3034 /* 3035 * The address wasn't agreeable. This is either 3036 * he sent us 0.0.0.0, asking to assign him an 3037 * address, or he send us another address not 3038 * matching our value. Either case, we gonna 3039 * conf-nak it with our value. 3040 * XXX: we should "rej" if hisaddr == 0 3041 */ 3042 if (debug) { 3043 if (desiredaddr == 0) 3044 log(-1, "[addr requested] "); 3045 else 3046 log(-1, "%s [not agreed] ", 3047 sppp_dotted_quad(desiredaddr)); 3048 3049 } 3050 p[2] = hisaddr >> 24; 3051 p[3] = hisaddr >> 16; 3052 p[4] = hisaddr >> 8; 3053 p[5] = hisaddr; 3054 break; 3055 } 3056 /* Add the option to nak'ed list. */ 3057 bcopy (p, r, p[1]); 3058 r += p[1]; 3059 rlen += p[1]; 3060 } 3061 3062 /* 3063 * If we are about to conf-ack the request, but haven't seen 3064 * his address so far, gonna conf-nak it instead, with the 3065 * `address' option present and our idea of his address being 3066 * filled in there, to request negotiation of both addresses. 3067 * 3068 * XXX This can result in an endless req - nak loop if peer 3069 * doesn't want to send us his address. Q: What should we do 3070 * about it? XXX A: implement the max-failure counter. 3071 */ 3072 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN) && !gotmyaddr) { 3073 buf[0] = IPCP_OPT_ADDRESS; 3074 buf[1] = 6; 3075 buf[2] = hisaddr >> 24; 3076 buf[3] = hisaddr >> 16; 3077 buf[4] = hisaddr >> 8; 3078 buf[5] = hisaddr; 3079 rlen = 6; 3080 if (debug) 3081 log(-1, "still need hisaddr "); 3082 } 3083 3084 if (rlen) { 3085 if (debug) 3086 log(-1, " send conf-nak\n"); 3087 sppp_cp_send (sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3088 } else { 3089 if (debug) 3090 log(-1, " send conf-ack\n"); 3091 sppp_cp_send (sp, PPP_IPCP, CONF_ACK, 3092 h->ident, origlen, h+1); 3093 } 3094 3095 kfree (buf, M_TEMP); 3096 return (rlen == 0); 3097 3098 drop: 3099 kfree(buf, M_TEMP); 3100 return (-1); 3101 } 3102 3103 /* 3104 * Analyze the IPCP Configure-Reject option list, and adjust our 3105 * negotiation. 3106 */ 3107 static void 3108 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3109 { 3110 u_char *buf, *p; 3111 struct ifnet *ifp = &sp->pp_if; 3112 int debug = ifp->if_flags & IFF_DEBUG; 3113 3114 len -= 4; 3115 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3116 3117 if (debug) 3118 log(LOG_DEBUG, SPP_FMT "ipcp rej opts: ", 3119 SPP_ARGS(ifp)); 3120 3121 p = (void*) (h+1); 3122 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3123 /* Sanity check option length */ 3124 if (p[1] > len) { 3125 /* XXX should we just RXJ? */ 3126 log(-1, "%s: malicious IPCP option received, dropping\n", 3127 ifp->if_xname); 3128 goto drop; 3129 } 3130 if (debug) 3131 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3132 switch (*p) { 3133 case IPCP_OPT_COMPRESSION: 3134 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESSION); 3135 break; 3136 case IPCP_OPT_ADDRESS: 3137 /* 3138 * Peer doesn't grok address option. This is 3139 * bad. XXX Should we better give up here? 3140 * XXX We could try old "addresses" option... 3141 */ 3142 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3143 break; 3144 } 3145 } 3146 if (debug) 3147 log(-1, "\n"); 3148 drop: 3149 kfree (buf, M_TEMP); 3150 return; 3151 } 3152 3153 /* 3154 * Analyze the IPCP Configure-NAK option list, and adjust our 3155 * negotiation. 3156 */ 3157 static void 3158 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3159 { 3160 u_char *buf, *p; 3161 struct ifnet *ifp = &sp->pp_if; 3162 int debug = ifp->if_flags & IFF_DEBUG; 3163 int desiredcomp; 3164 u_long wantaddr; 3165 3166 len -= 4; 3167 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3168 3169 if (debug) 3170 log(LOG_DEBUG, SPP_FMT "ipcp nak opts: ", 3171 SPP_ARGS(ifp)); 3172 3173 p = (void*) (h+1); 3174 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3175 /* Sanity check option length */ 3176 if (p[1] > len) { 3177 /* XXX should we just RXJ? */ 3178 log(-1, "%s: malicious IPCP option received, dropping\n", 3179 ifp->if_xname); 3180 return; 3181 } 3182 if (debug) 3183 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3184 switch (*p) { 3185 case IPCP_OPT_COMPRESSION: 3186 if (len >= 6 && p[1] == 6) { 3187 desiredcomp = p[2] << 8 | p[3]; 3188 if (debug) 3189 log(-1, "[wantcomp %#04x] ", 3190 desiredcomp); 3191 if (desiredcomp == IPCP_COMP_VJ) { 3192 sl_compress_init(sp->pp_comp, p[4]); 3193 sp->ipcp.max_state = p[4]; 3194 sp->ipcp.compress_cid = p[5]; 3195 if (debug) 3196 log(-1, "[agree] "); 3197 } else 3198 sp->ipcp.opts &= 3199 ~(1 << IPCP_OPT_COMPRESSION); 3200 } 3201 break; 3202 case IPCP_OPT_ADDRESS: 3203 /* 3204 * Peer doesn't like our local IP address. See 3205 * if we can do something for him. We'll drop 3206 * him our address then. 3207 */ 3208 if (len >= 6 && p[1] == 6) { 3209 wantaddr = p[2] << 24 | p[3] << 16 | 3210 p[4] << 8 | p[5]; 3211 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3212 if (debug) 3213 log(-1, "[wantaddr %s] ", 3214 sppp_dotted_quad(wantaddr)); 3215 /* 3216 * When doing dynamic address assignment, 3217 * we accept his offer. Otherwise, we 3218 * ignore it and thus continue to negotiate 3219 * our already existing value. 3220 * XXX: Bogus, if he said no once, he'll 3221 * just say no again, might as well die. 3222 */ 3223 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3224 sppp_set_ip_addr(sp, wantaddr); 3225 if (debug) 3226 log(-1, "[agree] "); 3227 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3228 } 3229 } 3230 break; 3231 } 3232 } 3233 if (debug) 3234 log(-1, "\n"); 3235 kfree (buf, M_TEMP); 3236 return; 3237 } 3238 3239 static void 3240 sppp_ipcp_tlu(struct sppp *sp) 3241 { 3242 /* we are up - notify isdn daemon */ 3243 if (sp->pp_con) 3244 sp->pp_con(sp); 3245 } 3246 3247 static void 3248 sppp_ipcp_tld(struct sppp *sp) 3249 { 3250 } 3251 3252 static void 3253 sppp_ipcp_tls(struct sppp *sp) 3254 { 3255 /* indicate to LCP that it must stay alive */ 3256 sp->lcp.protos |= (1 << IDX_IPCP); 3257 } 3258 3259 static void 3260 sppp_ipcp_tlf(struct sppp *sp) 3261 { 3262 /* we no longer need LCP */ 3263 sp->lcp.protos &= ~(1 << IDX_IPCP); 3264 sppp_lcp_check_and_close(sp); 3265 } 3266 3267 static void 3268 sppp_ipcp_scr(struct sppp *sp) 3269 { 3270 char opt[6 /* compression */ + 6 /* address */]; 3271 u_long ouraddr; 3272 int i = 0; 3273 3274 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3275 opt[i++] = IPCP_OPT_COMPRESSION; 3276 opt[i++] = 6; 3277 opt[i++] = IPCP_COMP_VJ >> 8; 3278 opt[i++] = IPCP_COMP_VJ; 3279 opt[i++] = sp->ipcp.max_state; 3280 opt[i++] = sp->ipcp.compress_cid; 3281 } 3282 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3283 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3284 opt[i++] = IPCP_OPT_ADDRESS; 3285 opt[i++] = 6; 3286 opt[i++] = ouraddr >> 24; 3287 opt[i++] = ouraddr >> 16; 3288 opt[i++] = ouraddr >> 8; 3289 opt[i++] = ouraddr; 3290 } 3291 3292 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3293 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3294 } 3295 3296 /* 3297 *--------------------------------------------------------------------------* 3298 * * 3299 * The IPv6CP implementation. * 3300 * * 3301 *--------------------------------------------------------------------------* 3302 */ 3303 3304 #ifdef INET6 3305 static void 3306 sppp_ipv6cp_init(struct sppp *sp) 3307 { 3308 sp->ipv6cp.opts = 0; 3309 sp->ipv6cp.flags = 0; 3310 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3311 sp->fail_counter[IDX_IPV6CP] = 0; 3312 sp->pp_seq[IDX_IPV6CP] = 0; 3313 sp->pp_rseq[IDX_IPV6CP] = 0; 3314 callout_init(&sp->timeout[IDX_IPV6CP]); 3315 } 3316 3317 static void 3318 sppp_ipv6cp_up(struct sppp *sp) 3319 { 3320 sppp_up_event(&ipv6cp, sp); 3321 } 3322 3323 static void 3324 sppp_ipv6cp_down(struct sppp *sp) 3325 { 3326 sppp_down_event(&ipv6cp, sp); 3327 } 3328 3329 static void 3330 sppp_ipv6cp_open(struct sppp *sp) 3331 { 3332 STDDCL; 3333 struct in6_addr myaddr, hisaddr; 3334 3335 #ifdef IPV6CP_MYIFID_DYN 3336 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3337 #else 3338 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3339 #endif 3340 3341 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3342 /* 3343 * If we don't have our address, this probably means our 3344 * interface doesn't want to talk IPv6 at all. (This could 3345 * be the case if somebody wants to speak only IPX, for 3346 * example.) Don't open IPv6CP in this case. 3347 */ 3348 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3349 /* XXX this message should go away */ 3350 if (debug) 3351 log(LOG_DEBUG, SPP_FMT "ipv6cp_open(): no IPv6 interface\n", 3352 SPP_ARGS(ifp)); 3353 return; 3354 } 3355 3356 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3357 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3358 sppp_open_event(&ipv6cp, sp); 3359 } 3360 3361 static void 3362 sppp_ipv6cp_close(struct sppp *sp) 3363 { 3364 sppp_close_event(&ipv6cp, sp); 3365 } 3366 3367 static void 3368 sppp_ipv6cp_TO(void *cookie) 3369 { 3370 sppp_to_event(&ipv6cp, (struct sppp *)cookie); 3371 } 3372 3373 /* 3374 * Analyze a configure request. Return true if it was agreeable, and 3375 * caused action sca, false if it has been rejected or nak'ed, and 3376 * caused action scn. (The return value is used to make the state 3377 * transition decision in the state automaton.) 3378 */ 3379 static int 3380 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3381 { 3382 u_char *buf, *r, *p; 3383 struct ifnet *ifp = &sp->pp_if; 3384 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3385 struct in6_addr myaddr, desiredaddr, suggestaddr; 3386 int ifidcount; 3387 int type; 3388 int collision, nohisaddr; 3389 3390 len -= 4; 3391 origlen = len; 3392 /* 3393 * Make sure to allocate a buf that can at least hold a 3394 * conf-nak with an `address' option. We might need it below. 3395 */ 3396 buf = r = kmalloc ((len < 6? 6: len), M_TEMP, M_INTWAIT); 3397 3398 /* pass 1: see if we can recognize them */ 3399 if (debug) 3400 log(LOG_DEBUG, SPP_FMT "ipv6cp parse opts:", 3401 SPP_ARGS(ifp)); 3402 p = (void*) (h+1); 3403 ifidcount = 0; 3404 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3405 /* Sanity check option length */ 3406 if (p[1] > len) { 3407 /* XXX just RXJ? */ 3408 log(-1, "%s: received malicious IPCPv6 option, " 3409 "dropping\n", ifp->if_xname); 3410 goto drop; 3411 } 3412 if (debug) 3413 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3414 switch (*p) { 3415 case IPV6CP_OPT_IFID: 3416 if (len >= 10 && p[1] == 10 && ifidcount == 0) { 3417 /* correctly formed address option */ 3418 ifidcount++; 3419 continue; 3420 } 3421 if (debug) 3422 log(-1, " [invalid]"); 3423 break; 3424 #ifdef notyet 3425 case IPV6CP_OPT_COMPRESSION: 3426 if (len >= 4 && p[1] >= 4) { 3427 /* correctly formed compress option */ 3428 continue; 3429 } 3430 if (debug) 3431 log(-1, " [invalid]"); 3432 break; 3433 #endif 3434 default: 3435 /* Others not supported. */ 3436 if (debug) 3437 log(-1, " [rej]"); 3438 break; 3439 } 3440 /* Add the option to rejected list. */ 3441 bcopy (p, r, p[1]); 3442 r += p[1]; 3443 rlen += p[1]; 3444 } 3445 if (rlen) { 3446 if (debug) 3447 log(-1, " send conf-rej\n"); 3448 sppp_cp_send (sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3449 goto end; 3450 } else if (debug) 3451 log(-1, "\n"); 3452 3453 /* pass 2: parse option values */ 3454 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3455 if (debug) 3456 log(LOG_DEBUG, SPP_FMT "ipv6cp parse opt values: ", 3457 SPP_ARGS(ifp)); 3458 p = (void*) (h+1); 3459 len = origlen; 3460 type = CONF_ACK; 3461 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3462 if (debug) 3463 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3464 switch (*p) { 3465 #ifdef notyet 3466 case IPV6CP_OPT_COMPRESSION: 3467 continue; 3468 #endif 3469 case IPV6CP_OPT_IFID: 3470 bzero(&desiredaddr, sizeof(desiredaddr)); 3471 bcopy(&p[2], &desiredaddr.s6_addr[8], 8); 3472 collision = (bcmp(&desiredaddr.s6_addr[8], 3473 &myaddr.s6_addr[8], 8) == 0); 3474 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3475 3476 desiredaddr.s6_addr16[0] = htons(0xfe80); 3477 desiredaddr.s6_addr16[1] = htons(sp->pp_if.if_index); 3478 3479 if (!collision && !nohisaddr) { 3480 /* no collision, hisaddr known - Conf-Ack */ 3481 type = CONF_ACK; 3482 3483 if (debug) { 3484 log(-1, " %s [%s]", 3485 ip6_sprintf(&desiredaddr), 3486 sppp_cp_type_name(type)); 3487 } 3488 continue; 3489 } 3490 3491 bzero(&suggestaddr, sizeof(suggestaddr)); 3492 if (collision && nohisaddr) { 3493 /* collision, hisaddr unknown - Conf-Rej */ 3494 type = CONF_REJ; 3495 bzero(&p[2], 8); 3496 } else { 3497 /* 3498 * - no collision, hisaddr unknown, or 3499 * - collision, hisaddr known 3500 * Conf-Nak, suggest hisaddr 3501 */ 3502 type = CONF_NAK; 3503 sppp_suggest_ip6_addr(sp, &suggestaddr); 3504 bcopy(&suggestaddr.s6_addr[8], &p[2], 8); 3505 } 3506 if (debug) 3507 log(-1, " %s [%s]", ip6_sprintf(&desiredaddr), 3508 sppp_cp_type_name(type)); 3509 break; 3510 } 3511 /* Add the option to nak'ed list. */ 3512 bcopy (p, r, p[1]); 3513 r += p[1]; 3514 rlen += p[1]; 3515 } 3516 3517 if (rlen == 0 && type == CONF_ACK) { 3518 if (debug) 3519 log(-1, " send %s\n", sppp_cp_type_name(type)); 3520 sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, origlen, h+1); 3521 } else { 3522 #ifdef DIAGNOSTIC 3523 if (type == CONF_ACK) 3524 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3525 #endif 3526 3527 if (debug) { 3528 log(-1, " send %s suggest %s\n", 3529 sppp_cp_type_name(type), ip6_sprintf(&suggestaddr)); 3530 } 3531 sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3532 } 3533 3534 end: 3535 kfree (buf, M_TEMP); 3536 return (rlen == 0); 3537 3538 drop: 3539 kfree(buf, M_TEMP); 3540 return (-1); 3541 } 3542 3543 /* 3544 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3545 * negotiation. 3546 */ 3547 static void 3548 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3549 { 3550 u_char *buf, *p; 3551 struct ifnet *ifp = &sp->pp_if; 3552 int debug = ifp->if_flags & IFF_DEBUG; 3553 3554 len -= 4; 3555 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3556 3557 if (debug) 3558 log(LOG_DEBUG, SPP_FMT "ipv6cp rej opts:", 3559 SPP_ARGS(ifp)); 3560 3561 p = (void*) (h+1); 3562 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3563 if (p[1] > len) { 3564 /* XXX just RXJ? */ 3565 log(-1, "%s: received malicious IPCPv6 option, " 3566 "dropping\n", ifp->if_xname); 3567 goto drop; 3568 } 3569 if (debug) 3570 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3571 switch (*p) { 3572 case IPV6CP_OPT_IFID: 3573 /* 3574 * Peer doesn't grok address option. This is 3575 * bad. XXX Should we better give up here? 3576 */ 3577 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3578 break; 3579 #ifdef notyet 3580 case IPV6CP_OPT_COMPRESS: 3581 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3582 break; 3583 #endif 3584 } 3585 } 3586 if (debug) 3587 log(-1, "\n"); 3588 drop: 3589 kfree (buf, M_TEMP); 3590 return; 3591 } 3592 3593 /* 3594 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3595 * negotiation. 3596 */ 3597 static void 3598 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3599 { 3600 u_char *buf, *p; 3601 struct ifnet *ifp = &sp->pp_if; 3602 int debug = ifp->if_flags & IFF_DEBUG; 3603 struct in6_addr suggestaddr; 3604 3605 len -= 4; 3606 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3607 3608 if (debug) 3609 log(LOG_DEBUG, SPP_FMT "ipv6cp nak opts:", 3610 SPP_ARGS(ifp)); 3611 3612 p = (void*) (h+1); 3613 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3614 if (p[1] > len) { 3615 /* XXX just RXJ? */ 3616 log(-1, "%s: received malicious IPCPv6 option, " 3617 "dropping\n", ifp->if_xname); 3618 goto drop; 3619 } 3620 if (debug) 3621 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3622 switch (*p) { 3623 case IPV6CP_OPT_IFID: 3624 /* 3625 * Peer doesn't like our local ifid. See 3626 * if we can do something for him. We'll drop 3627 * him our address then. 3628 */ 3629 if (len < 10 || p[1] != 10) 3630 break; 3631 bzero(&suggestaddr, sizeof(suggestaddr)); 3632 suggestaddr.s6_addr16[0] = htons(0xfe80); 3633 suggestaddr.s6_addr16[1] = htons(sp->pp_if.if_index); 3634 bcopy(&p[2], &suggestaddr.s6_addr[8], 8); 3635 3636 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3637 if (debug) 3638 log(-1, " [suggestaddr %s]", 3639 ip6_sprintf(&suggestaddr)); 3640 #ifdef IPV6CP_MYIFID_DYN 3641 /* 3642 * When doing dynamic address assignment, 3643 * we accept his offer. 3644 */ 3645 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3646 struct in6_addr lastsuggest; 3647 /* 3648 * If <suggested myaddr from peer> equals to 3649 * <hisaddr we have suggested last time>, 3650 * we have a collision. generate new random 3651 * ifid. 3652 */ 3653 sppp_suggest_ip6_addr(&lastsuggest); 3654 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3655 lastsuggest)) { 3656 if (debug) 3657 log(-1, " [random]"); 3658 sppp_gen_ip6_addr(sp, &suggestaddr); 3659 } 3660 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3661 if (debug) 3662 log(-1, " [agree]"); 3663 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3664 } 3665 #else 3666 /* 3667 * Since we do not do dynamic address assignment, 3668 * we ignore it and thus continue to negotiate 3669 * our already existing value. This can possibly 3670 * go into infinite request-reject loop. 3671 * 3672 * This is not likely because we normally use 3673 * ifid based on MAC-address. 3674 * If you have no ethernet card on the node, too bad. 3675 * XXX should we use fail_counter? 3676 */ 3677 #endif 3678 break; 3679 #ifdef notyet 3680 case IPV6CP_OPT_COMPRESS: 3681 /* 3682 * Peer wants different compression parameters. 3683 */ 3684 break; 3685 #endif 3686 } 3687 } 3688 if (debug) 3689 log(-1, "\n"); 3690 drop: 3691 kfree (buf, M_TEMP); 3692 return; 3693 } 3694 static void 3695 sppp_ipv6cp_tlu(struct sppp *sp) 3696 { 3697 /* we are up - notify isdn daemon */ 3698 if (sp->pp_con) 3699 sp->pp_con(sp); 3700 } 3701 3702 static void 3703 sppp_ipv6cp_tld(struct sppp *sp) 3704 { 3705 } 3706 3707 static void 3708 sppp_ipv6cp_tls(struct sppp *sp) 3709 { 3710 /* indicate to LCP that it must stay alive */ 3711 sp->lcp.protos |= (1 << IDX_IPV6CP); 3712 } 3713 3714 static void 3715 sppp_ipv6cp_tlf(struct sppp *sp) 3716 { 3717 3718 #if 0 /* need #if 0 to close IPv6CP properly */ 3719 /* we no longer need LCP */ 3720 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3721 sppp_lcp_check_and_close(sp); 3722 #endif 3723 } 3724 3725 static void 3726 sppp_ipv6cp_scr(struct sppp *sp) 3727 { 3728 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3729 struct in6_addr ouraddr; 3730 int i = 0; 3731 3732 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3733 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3734 opt[i++] = IPV6CP_OPT_IFID; 3735 opt[i++] = 10; 3736 bcopy(&ouraddr.s6_addr[8], &opt[i], 8); 3737 i += 8; 3738 } 3739 3740 #ifdef notyet 3741 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 3742 opt[i++] = IPV6CP_OPT_COMPRESSION; 3743 opt[i++] = 4; 3744 opt[i++] = 0; /* TBD */ 3745 opt[i++] = 0; /* TBD */ 3746 /* variable length data may follow */ 3747 } 3748 #endif 3749 3750 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 3751 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 3752 } 3753 #else /*INET6*/ 3754 static void 3755 sppp_ipv6cp_init(struct sppp *sp) 3756 { 3757 } 3758 3759 static void 3760 sppp_ipv6cp_up(struct sppp *sp) 3761 { 3762 } 3763 3764 static void 3765 sppp_ipv6cp_down(struct sppp *sp) 3766 { 3767 } 3768 3769 3770 static void 3771 sppp_ipv6cp_open(struct sppp *sp) 3772 { 3773 } 3774 3775 static void 3776 sppp_ipv6cp_close(struct sppp *sp) 3777 { 3778 } 3779 3780 static void 3781 sppp_ipv6cp_TO(void *sp) 3782 { 3783 } 3784 3785 static int 3786 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3787 { 3788 return 0; 3789 } 3790 3791 static void 3792 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3793 { 3794 } 3795 3796 static void 3797 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3798 { 3799 } 3800 3801 static void 3802 sppp_ipv6cp_tlu(struct sppp *sp) 3803 { 3804 } 3805 3806 static void 3807 sppp_ipv6cp_tld(struct sppp *sp) 3808 { 3809 } 3810 3811 static void 3812 sppp_ipv6cp_tls(struct sppp *sp) 3813 { 3814 } 3815 3816 static void 3817 sppp_ipv6cp_tlf(struct sppp *sp) 3818 { 3819 } 3820 3821 static void 3822 sppp_ipv6cp_scr(struct sppp *sp) 3823 { 3824 } 3825 #endif /*INET6*/ 3826 3827 /* 3828 *--------------------------------------------------------------------------* 3829 * * 3830 * The CHAP implementation. * 3831 * * 3832 *--------------------------------------------------------------------------* 3833 */ 3834 3835 /* 3836 * The authentication protocols don't employ a full-fledged state machine as 3837 * the control protocols do, since they do have Open and Close events, but 3838 * not Up and Down, nor are they explicitly terminated. Also, use of the 3839 * authentication protocols may be different in both directions (this makes 3840 * sense, think of a machine that never accepts incoming calls but only 3841 * calls out, it doesn't require the called party to authenticate itself). 3842 * 3843 * Our state machine for the local authentication protocol (we are requesting 3844 * the peer to authenticate) looks like: 3845 * 3846 * RCA- 3847 * +--------------------------------------------+ 3848 * V scn,tld| 3849 * +--------+ Close +---------+ RCA+ 3850 * | |<----------------------------------| |------+ 3851 * +--->| Closed | TO* | Opened | sca | 3852 * | | |-----+ +-------| |<-----+ 3853 * | +--------+ irc | | +---------+ 3854 * | ^ | | ^ 3855 * | | | | | 3856 * | | | | | 3857 * | TO-| | | | 3858 * | |tld TO+ V | | 3859 * | | +------->+ | | 3860 * | | | | | | 3861 * | +--------+ V | | 3862 * | | |<----+<--------------------+ | 3863 * | | Req- | scr | 3864 * | | Sent | | 3865 * | | | | 3866 * | +--------+ | 3867 * | RCA- | | RCA+ | 3868 * +------+ +------------------------------------------+ 3869 * scn,tld sca,irc,ict,tlu 3870 * 3871 * 3872 * with: 3873 * 3874 * Open: LCP reached authentication phase 3875 * Close: LCP reached terminate phase 3876 * 3877 * RCA+: received reply (pap-req, chap-response), acceptable 3878 * RCN: received reply (pap-req, chap-response), not acceptable 3879 * TO+: timeout with restart counter >= 0 3880 * TO-: timeout with restart counter < 0 3881 * TO*: reschedule timeout for CHAP 3882 * 3883 * scr: send request packet (none for PAP, chap-challenge) 3884 * sca: send ack packet (pap-ack, chap-success) 3885 * scn: send nak packet (pap-nak, chap-failure) 3886 * ict: initialize re-challenge timer (CHAP only) 3887 * 3888 * tlu: this-layer-up, LCP reaches network phase 3889 * tld: this-layer-down, LCP enters terminate phase 3890 * 3891 * Note that in CHAP mode, after sending a new challenge, while the state 3892 * automaton falls back into Req-Sent state, it doesn't signal a tld 3893 * event to LCP, so LCP remains in network phase. Only after not getting 3894 * any response (or after getting an unacceptable response), CHAP closes, 3895 * causing LCP to enter terminate phase. 3896 * 3897 * With PAP, there is no initial request that can be sent. The peer is 3898 * expected to send one based on the successful negotiation of PAP as 3899 * the authentication protocol during the LCP option negotiation. 3900 * 3901 * Incoming authentication protocol requests (remote requests 3902 * authentication, we are peer) don't employ a state machine at all, 3903 * they are simply answered. Some peers [Ascend P50 firmware rev 3904 * 4.50] react allergically when sending IPCP requests while they are 3905 * still in authentication phase (thereby violating the standard that 3906 * demands that these NCP packets are to be discarded), so we keep 3907 * track of the peer demanding us to authenticate, and only proceed to 3908 * phase network once we've seen a positive acknowledge for the 3909 * authentication. 3910 */ 3911 3912 /* 3913 * Handle incoming CHAP packets. 3914 */ 3915 void 3916 sppp_chap_input(struct sppp *sp, struct mbuf *m) 3917 { 3918 STDDCL; 3919 struct lcp_header *h; 3920 int len; 3921 u_char *value, *name, digest[AUTHKEYLEN], dsize; 3922 int value_len, name_len; 3923 MD5_CTX ctx; 3924 3925 len = m->m_pkthdr.len; 3926 if (len < 4) { 3927 if (debug) 3928 log(LOG_DEBUG, 3929 SPP_FMT "chap invalid packet length: %d bytes\n", 3930 SPP_ARGS(ifp), len); 3931 return; 3932 } 3933 h = mtod (m, struct lcp_header*); 3934 if (len > ntohs (h->len)) 3935 len = ntohs (h->len); 3936 3937 switch (h->type) { 3938 /* challenge, failure and success are his authproto */ 3939 case CHAP_CHALLENGE: 3940 value = 1 + (u_char*)(h+1); 3941 value_len = value[-1]; 3942 name = value + value_len; 3943 name_len = len - value_len - 5; 3944 if (name_len < 0) { 3945 if (debug) { 3946 log(LOG_DEBUG, 3947 SPP_FMT "chap corrupted challenge " 3948 "<%s id=0x%x len=%d", 3949 SPP_ARGS(ifp), 3950 sppp_auth_type_name(PPP_CHAP, h->type), 3951 h->ident, ntohs(h->len)); 3952 sppp_print_bytes((u_char*) (h+1), len-4); 3953 log(-1, ">\n"); 3954 } 3955 break; 3956 } 3957 3958 if (debug) { 3959 log(LOG_DEBUG, 3960 SPP_FMT "chap input <%s id=0x%x len=%d name=", 3961 SPP_ARGS(ifp), 3962 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 3963 ntohs(h->len)); 3964 sppp_print_string((char*) name, name_len); 3965 log(-1, " value-size=%d value=", value_len); 3966 sppp_print_bytes(value, value_len); 3967 log(-1, ">\n"); 3968 } 3969 3970 /* Compute reply value. */ 3971 MD5Init(&ctx); 3972 MD5Update(&ctx, &h->ident, 1); 3973 MD5Update(&ctx, sp->myauth.secret, 3974 sppp_strnlen(sp->myauth.secret, AUTHKEYLEN)); 3975 MD5Update(&ctx, value, value_len); 3976 MD5Final(digest, &ctx); 3977 dsize = sizeof digest; 3978 3979 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 3980 sizeof dsize, (const char *)&dsize, 3981 sizeof digest, digest, 3982 (size_t)sppp_strnlen(sp->myauth.name, AUTHNAMELEN), 3983 sp->myauth.name, 3984 0); 3985 break; 3986 3987 case CHAP_SUCCESS: 3988 if (debug) { 3989 log(LOG_DEBUG, SPP_FMT "chap success", 3990 SPP_ARGS(ifp)); 3991 if (len > 4) { 3992 log(-1, ": "); 3993 sppp_print_string((char*)(h + 1), len - 4); 3994 } 3995 log(-1, "\n"); 3996 } 3997 3998 crit_enter(); 3999 4000 sp->pp_flags &= ~PP_NEEDAUTH; 4001 if (sp->myauth.proto == PPP_CHAP && 4002 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4003 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 4004 /* 4005 * We are authenticator for CHAP but didn't 4006 * complete yet. Leave it to tlu to proceed 4007 * to network phase. 4008 */ 4009 crit_exit(); 4010 break; 4011 } 4012 crit_exit(); 4013 sppp_phase_network(sp); 4014 break; 4015 4016 case CHAP_FAILURE: 4017 if (debug) { 4018 log(LOG_INFO, SPP_FMT "chap failure", 4019 SPP_ARGS(ifp)); 4020 if (len > 4) { 4021 log(-1, ": "); 4022 sppp_print_string((char*)(h + 1), len - 4); 4023 } 4024 log(-1, "\n"); 4025 } else 4026 log(LOG_INFO, SPP_FMT "chap failure\n", 4027 SPP_ARGS(ifp)); 4028 /* await LCP shutdown by authenticator */ 4029 break; 4030 4031 /* response is my authproto */ 4032 case CHAP_RESPONSE: 4033 value = 1 + (u_char*)(h+1); 4034 value_len = value[-1]; 4035 name = value + value_len; 4036 name_len = len - value_len - 5; 4037 if (name_len < 0) { 4038 if (debug) { 4039 log(LOG_DEBUG, 4040 SPP_FMT "chap corrupted response " 4041 "<%s id=0x%x len=%d", 4042 SPP_ARGS(ifp), 4043 sppp_auth_type_name(PPP_CHAP, h->type), 4044 h->ident, ntohs(h->len)); 4045 sppp_print_bytes((u_char*)(h+1), len-4); 4046 log(-1, ">\n"); 4047 } 4048 break; 4049 } 4050 if (h->ident != sp->confid[IDX_CHAP]) { 4051 if (debug) 4052 log(LOG_DEBUG, 4053 SPP_FMT "chap dropping response for old ID " 4054 "(got %d, expected %d)\n", 4055 SPP_ARGS(ifp), 4056 h->ident, sp->confid[IDX_CHAP]); 4057 break; 4058 } 4059 if (name_len != sppp_strnlen(sp->hisauth.name, AUTHNAMELEN) 4060 || bcmp(name, sp->hisauth.name, name_len) != 0) { 4061 log(LOG_INFO, SPP_FMT "chap response, his name ", 4062 SPP_ARGS(ifp)); 4063 sppp_print_string(name, name_len); 4064 log(-1, " != expected "); 4065 sppp_print_string(sp->hisauth.name, 4066 sppp_strnlen(sp->hisauth.name, AUTHNAMELEN)); 4067 log(-1, "\n"); 4068 } 4069 if (debug) { 4070 log(LOG_DEBUG, SPP_FMT "chap input(%s) " 4071 "<%s id=0x%x len=%d name=", 4072 SPP_ARGS(ifp), 4073 sppp_state_name(sp->state[IDX_CHAP]), 4074 sppp_auth_type_name(PPP_CHAP, h->type), 4075 h->ident, ntohs (h->len)); 4076 sppp_print_string((char*)name, name_len); 4077 log(-1, " value-size=%d value=", value_len); 4078 sppp_print_bytes(value, value_len); 4079 log(-1, ">\n"); 4080 } 4081 if (value_len != AUTHKEYLEN) { 4082 if (debug) 4083 log(LOG_DEBUG, 4084 SPP_FMT "chap bad hash value length: " 4085 "%d bytes, should be %d\n", 4086 SPP_ARGS(ifp), value_len, 4087 AUTHKEYLEN); 4088 break; 4089 } 4090 4091 MD5Init(&ctx); 4092 MD5Update(&ctx, &h->ident, 1); 4093 MD5Update(&ctx, sp->hisauth.secret, 4094 sppp_strnlen(sp->hisauth.secret, AUTHKEYLEN)); 4095 MD5Update(&ctx, sp->myauth.challenge, AUTHKEYLEN); 4096 MD5Final(digest, &ctx); 4097 4098 #define FAILMSG "Failed..." 4099 #define SUCCMSG "Welcome!" 4100 4101 if (value_len != sizeof digest || 4102 bcmp(digest, value, value_len) != 0) { 4103 /* action scn, tld */ 4104 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4105 sizeof(FAILMSG) - 1, (u_char *)FAILMSG, 4106 0); 4107 chap.tld(sp); 4108 break; 4109 } 4110 /* action sca, perhaps tlu */ 4111 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4112 sp->state[IDX_CHAP] == STATE_OPENED) 4113 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4114 sizeof(SUCCMSG) - 1, (u_char *)SUCCMSG, 4115 0); 4116 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4117 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4118 chap.tlu(sp); 4119 } 4120 break; 4121 4122 default: 4123 /* Unknown CHAP packet type -- ignore. */ 4124 if (debug) { 4125 log(LOG_DEBUG, SPP_FMT "chap unknown input(%s) " 4126 "<0x%x id=0x%xh len=%d", 4127 SPP_ARGS(ifp), 4128 sppp_state_name(sp->state[IDX_CHAP]), 4129 h->type, h->ident, ntohs(h->len)); 4130 sppp_print_bytes((u_char*)(h+1), len-4); 4131 log(-1, ">\n"); 4132 } 4133 break; 4134 4135 } 4136 } 4137 4138 static void 4139 sppp_chap_init(struct sppp *sp) 4140 { 4141 /* Chap doesn't have STATE_INITIAL at all. */ 4142 sp->state[IDX_CHAP] = STATE_CLOSED; 4143 sp->fail_counter[IDX_CHAP] = 0; 4144 sp->pp_seq[IDX_CHAP] = 0; 4145 sp->pp_rseq[IDX_CHAP] = 0; 4146 callout_init(&sp->timeout[IDX_CHAP]); 4147 } 4148 4149 static void 4150 sppp_chap_open(struct sppp *sp) 4151 { 4152 if (sp->myauth.proto == PPP_CHAP && 4153 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4154 /* we are authenticator for CHAP, start it */ 4155 chap.scr(sp); 4156 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4157 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4158 } 4159 /* nothing to be done if we are peer, await a challenge */ 4160 } 4161 4162 static void 4163 sppp_chap_close(struct sppp *sp) 4164 { 4165 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4166 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4167 } 4168 4169 static void 4170 sppp_chap_TO(void *cookie) 4171 { 4172 struct sppp *sp = (struct sppp *)cookie; 4173 STDDCL; 4174 4175 crit_enter(); 4176 4177 if (debug) 4178 log(LOG_DEBUG, SPP_FMT "chap TO(%s) rst_counter = %d\n", 4179 SPP_ARGS(ifp), 4180 sppp_state_name(sp->state[IDX_CHAP]), 4181 sp->rst_counter[IDX_CHAP]); 4182 4183 if (--sp->rst_counter[IDX_CHAP] < 0) 4184 /* TO- event */ 4185 switch (sp->state[IDX_CHAP]) { 4186 case STATE_REQ_SENT: 4187 chap.tld(sp); 4188 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4189 break; 4190 } 4191 else 4192 /* TO+ (or TO*) event */ 4193 switch (sp->state[IDX_CHAP]) { 4194 case STATE_OPENED: 4195 /* TO* event */ 4196 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4197 /* fall through */ 4198 case STATE_REQ_SENT: 4199 chap.scr(sp); 4200 /* sppp_cp_change_state() will restart the timer */ 4201 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4202 break; 4203 } 4204 4205 crit_exit(); 4206 } 4207 4208 static void 4209 sppp_chap_tlu(struct sppp *sp) 4210 { 4211 STDDCL; 4212 int i; 4213 4214 i = 0; 4215 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4216 4217 /* 4218 * Some broken CHAP implementations (Conware CoNet, firmware 4219 * 4.0.?) don't want to re-authenticate their CHAP once the 4220 * initial challenge-response exchange has taken place. 4221 * Provide for an option to avoid rechallenges. 4222 */ 4223 if ((sp->hisauth.flags & AUTHFLAG_NORECHALLENGE) == 0) { 4224 /* 4225 * Compute the re-challenge timeout. This will yield 4226 * a number between 300 and 810 seconds. 4227 */ 4228 i = 300 + ((unsigned)(krandom() & 0xff00) >> 7); 4229 callout_reset(&sp->timeout[IDX_CHAP], i * hz, chap.TO, sp); 4230 } 4231 4232 if (debug) { 4233 log(LOG_DEBUG, 4234 SPP_FMT "chap %s, ", 4235 SPP_ARGS(ifp), 4236 sp->pp_phase == PHASE_NETWORK? "reconfirmed": "tlu"); 4237 if ((sp->hisauth.flags & AUTHFLAG_NORECHALLENGE) == 0) 4238 log(-1, "next re-challenge in %d seconds\n", i); 4239 else 4240 log(-1, "re-challenging suppressed\n"); 4241 } 4242 4243 crit_enter(); 4244 4245 /* indicate to LCP that we need to be closed down */ 4246 sp->lcp.protos |= (1 << IDX_CHAP); 4247 4248 if (sp->pp_flags & PP_NEEDAUTH) { 4249 /* 4250 * Remote is authenticator, but his auth proto didn't 4251 * complete yet. Defer the transition to network 4252 * phase. 4253 */ 4254 crit_exit(); 4255 return; 4256 } 4257 4258 crit_exit(); 4259 4260 /* 4261 * If we are already in phase network, we are done here. This 4262 * is the case if this is a dummy tlu event after a re-challenge. 4263 */ 4264 if (sp->pp_phase != PHASE_NETWORK) 4265 sppp_phase_network(sp); 4266 } 4267 4268 static void 4269 sppp_chap_tld(struct sppp *sp) 4270 { 4271 STDDCL; 4272 4273 if (debug) 4274 log(LOG_DEBUG, SPP_FMT "chap tld\n", SPP_ARGS(ifp)); 4275 callout_stop(&sp->timeout[IDX_CHAP]); 4276 sp->lcp.protos &= ~(1 << IDX_CHAP); 4277 4278 lcp.Close(sp); 4279 } 4280 4281 static void 4282 sppp_chap_scr(struct sppp *sp) 4283 { 4284 u_long *ch, seed; 4285 u_char clen; 4286 4287 /* Compute random challenge. */ 4288 ch = (u_long *)sp->myauth.challenge; 4289 read_random(&seed, sizeof seed); 4290 ch[0] = seed ^ krandom(); 4291 ch[1] = seed ^ krandom(); 4292 ch[2] = seed ^ krandom(); 4293 ch[3] = seed ^ krandom(); 4294 clen = AUTHKEYLEN; 4295 4296 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4297 4298 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4299 sizeof clen, (const char *)&clen, 4300 (size_t)AUTHKEYLEN, sp->myauth.challenge, 4301 (size_t)sppp_strnlen(sp->myauth.name, AUTHNAMELEN), 4302 sp->myauth.name, 4303 0); 4304 } 4305 4306 /* 4307 *--------------------------------------------------------------------------* 4308 * * 4309 * The PAP implementation. * 4310 * * 4311 *--------------------------------------------------------------------------* 4312 */ 4313 /* 4314 * For PAP, we need to keep a little state also if we are the peer, not the 4315 * authenticator. This is since we don't get a request to authenticate, but 4316 * have to repeatedly authenticate ourself until we got a response (or the 4317 * retry counter is expired). 4318 */ 4319 4320 /* 4321 * Handle incoming PAP packets. */ 4322 static void 4323 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4324 { 4325 STDDCL; 4326 struct lcp_header *h; 4327 int len; 4328 u_char *name, *passwd, mlen; 4329 int name_len, passwd_len; 4330 4331 /* 4332 * Malicious input might leave this uninitialized, so 4333 * init to an impossible value. 4334 */ 4335 passwd_len = -1; 4336 4337 len = m->m_pkthdr.len; 4338 if (len < 5) { 4339 if (debug) 4340 log(LOG_DEBUG, 4341 SPP_FMT "pap invalid packet length: %d bytes\n", 4342 SPP_ARGS(ifp), len); 4343 return; 4344 } 4345 h = mtod (m, struct lcp_header*); 4346 if (len > ntohs (h->len)) 4347 len = ntohs (h->len); 4348 switch (h->type) { 4349 /* PAP request is my authproto */ 4350 case PAP_REQ: 4351 name = 1 + (u_char*)(h+1); 4352 name_len = name[-1]; 4353 passwd = name + name_len + 1; 4354 if (name_len > len - 6 || 4355 (passwd_len = passwd[-1]) > len - 6 - name_len) { 4356 if (debug) { 4357 log(LOG_DEBUG, SPP_FMT "pap corrupted input " 4358 "<%s id=0x%x len=%d", 4359 SPP_ARGS(ifp), 4360 sppp_auth_type_name(PPP_PAP, h->type), 4361 h->ident, ntohs(h->len)); 4362 sppp_print_bytes((u_char*)(h+1), len-4); 4363 log(-1, ">\n"); 4364 } 4365 break; 4366 } 4367 if (debug) { 4368 log(LOG_DEBUG, SPP_FMT "pap input(%s) " 4369 "<%s id=0x%x len=%d name=", 4370 SPP_ARGS(ifp), 4371 sppp_state_name(sp->state[IDX_PAP]), 4372 sppp_auth_type_name(PPP_PAP, h->type), 4373 h->ident, ntohs(h->len)); 4374 sppp_print_string((char*)name, name_len); 4375 log(-1, " passwd="); 4376 sppp_print_string((char*)passwd, passwd_len); 4377 log(-1, ">\n"); 4378 } 4379 if (name_len != sppp_strnlen(sp->hisauth.name, AUTHNAMELEN) || 4380 passwd_len != sppp_strnlen(sp->hisauth.secret, AUTHKEYLEN) || 4381 bcmp(name, sp->hisauth.name, name_len) != 0 || 4382 bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) { 4383 /* action scn, tld */ 4384 mlen = sizeof(FAILMSG) - 1; 4385 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4386 sizeof mlen, (const char *)&mlen, 4387 sizeof(FAILMSG) - 1, (u_char *)FAILMSG, 4388 0); 4389 pap.tld(sp); 4390 break; 4391 } 4392 /* action sca, perhaps tlu */ 4393 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4394 sp->state[IDX_PAP] == STATE_OPENED) { 4395 mlen = sizeof(SUCCMSG) - 1; 4396 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4397 sizeof mlen, (const char *)&mlen, 4398 sizeof(SUCCMSG) - 1, (u_char *)SUCCMSG, 4399 0); 4400 } 4401 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4402 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4403 pap.tlu(sp); 4404 } 4405 break; 4406 4407 /* ack and nak are his authproto */ 4408 case PAP_ACK: 4409 callout_stop(&sp->pap_my_to); 4410 if (debug) { 4411 log(LOG_DEBUG, SPP_FMT "pap success", 4412 SPP_ARGS(ifp)); 4413 name = 1 + (u_char *)(h + 1); 4414 name_len = name[-1]; 4415 if (len > 5 && name_len < len+4) { 4416 log(-1, ": "); 4417 sppp_print_string(name, name_len); 4418 } 4419 log(-1, "\n"); 4420 } 4421 4422 crit_enter(); 4423 4424 sp->pp_flags &= ~PP_NEEDAUTH; 4425 if (sp->myauth.proto == PPP_PAP && 4426 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4427 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4428 /* 4429 * We are authenticator for PAP but didn't 4430 * complete yet. Leave it to tlu to proceed 4431 * to network phase. 4432 */ 4433 4434 crit_exit(); 4435 4436 break; 4437 } 4438 4439 crit_exit(); 4440 4441 sppp_phase_network(sp); 4442 break; 4443 4444 case PAP_NAK: 4445 callout_stop(&sp->pap_my_to); 4446 if (debug) { 4447 log(LOG_INFO, SPP_FMT "pap failure", 4448 SPP_ARGS(ifp)); 4449 name = 1 + (u_char *)(h + 1); 4450 name_len = name[-1]; 4451 if (len > 5 && name_len < len+4) { 4452 log(-1, ": "); 4453 sppp_print_string(name, name_len); 4454 } 4455 log(-1, "\n"); 4456 } else 4457 log(LOG_INFO, SPP_FMT "pap failure\n", 4458 SPP_ARGS(ifp)); 4459 /* await LCP shutdown by authenticator */ 4460 break; 4461 4462 default: 4463 /* Unknown PAP packet type -- ignore. */ 4464 if (debug) { 4465 log(LOG_DEBUG, SPP_FMT "pap corrupted input " 4466 "<0x%x id=0x%x len=%d", 4467 SPP_ARGS(ifp), 4468 h->type, h->ident, ntohs(h->len)); 4469 sppp_print_bytes((u_char*)(h+1), len-4); 4470 log(-1, ">\n"); 4471 } 4472 break; 4473 4474 } 4475 } 4476 4477 static void 4478 sppp_pap_init(struct sppp *sp) 4479 { 4480 /* PAP doesn't have STATE_INITIAL at all. */ 4481 sp->state[IDX_PAP] = STATE_CLOSED; 4482 sp->fail_counter[IDX_PAP] = 0; 4483 sp->pp_seq[IDX_PAP] = 0; 4484 sp->pp_rseq[IDX_PAP] = 0; 4485 callout_init(&sp->timeout[IDX_PAP]); 4486 callout_init(&sp->pap_my_to); 4487 } 4488 4489 static void 4490 sppp_pap_open(struct sppp *sp) 4491 { 4492 if (sp->hisauth.proto == PPP_PAP && 4493 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4494 /* we are authenticator for PAP, start our timer */ 4495 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4496 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4497 } 4498 if (sp->myauth.proto == PPP_PAP) { 4499 /* we are peer, send a request, and start a timer */ 4500 pap.scr(sp); 4501 callout_reset(&sp->pap_my_to, sp->lcp.timeout, 4502 sppp_pap_my_TO, sp); 4503 } 4504 } 4505 4506 static void 4507 sppp_pap_close(struct sppp *sp) 4508 { 4509 if (sp->state[IDX_PAP] != STATE_CLOSED) 4510 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4511 } 4512 4513 /* 4514 * That's the timeout routine if we are authenticator. Since the 4515 * authenticator is basically passive in PAP, we can't do much here. 4516 */ 4517 static void 4518 sppp_pap_TO(void *cookie) 4519 { 4520 struct sppp *sp = (struct sppp *)cookie; 4521 STDDCL; 4522 4523 crit_enter(); 4524 4525 if (debug) 4526 log(LOG_DEBUG, SPP_FMT "pap TO(%s) rst_counter = %d\n", 4527 SPP_ARGS(ifp), 4528 sppp_state_name(sp->state[IDX_PAP]), 4529 sp->rst_counter[IDX_PAP]); 4530 4531 if (--sp->rst_counter[IDX_PAP] < 0) 4532 /* TO- event */ 4533 switch (sp->state[IDX_PAP]) { 4534 case STATE_REQ_SENT: 4535 pap.tld(sp); 4536 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4537 break; 4538 } 4539 else 4540 /* TO+ event, not very much we could do */ 4541 switch (sp->state[IDX_PAP]) { 4542 case STATE_REQ_SENT: 4543 /* sppp_cp_change_state() will restart the timer */ 4544 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4545 break; 4546 } 4547 4548 crit_exit(); 4549 } 4550 4551 /* 4552 * That's the timeout handler if we are peer. Since the peer is active, 4553 * we need to retransmit our PAP request since it is apparently lost. 4554 * XXX We should impose a max counter. 4555 */ 4556 static void 4557 sppp_pap_my_TO(void *cookie) 4558 { 4559 struct sppp *sp = (struct sppp *)cookie; 4560 STDDCL; 4561 4562 if (debug) 4563 log(LOG_DEBUG, SPP_FMT "pap peer TO\n", 4564 SPP_ARGS(ifp)); 4565 4566 pap.scr(sp); 4567 } 4568 4569 static void 4570 sppp_pap_tlu(struct sppp *sp) 4571 { 4572 STDDCL; 4573 4574 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4575 4576 if (debug) 4577 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 4578 SPP_ARGS(ifp), pap.name); 4579 4580 crit_enter(); 4581 4582 /* indicate to LCP that we need to be closed down */ 4583 sp->lcp.protos |= (1 << IDX_PAP); 4584 4585 if (sp->pp_flags & PP_NEEDAUTH) { 4586 /* 4587 * Remote is authenticator, but his auth proto didn't 4588 * complete yet. Defer the transition to network 4589 * phase. 4590 */ 4591 crit_exit(); 4592 return; 4593 } 4594 crit_exit(); 4595 sppp_phase_network(sp); 4596 } 4597 4598 static void 4599 sppp_pap_tld(struct sppp *sp) 4600 { 4601 STDDCL; 4602 4603 if (debug) 4604 log(LOG_DEBUG, SPP_FMT "pap tld\n", SPP_ARGS(ifp)); 4605 callout_stop(&sp->timeout[IDX_PAP]); 4606 callout_stop(&sp->pap_my_to); 4607 sp->lcp.protos &= ~(1 << IDX_PAP); 4608 4609 lcp.Close(sp); 4610 } 4611 4612 static void 4613 sppp_pap_scr(struct sppp *sp) 4614 { 4615 u_char idlen, pwdlen; 4616 4617 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4618 pwdlen = sppp_strnlen(sp->myauth.secret, AUTHKEYLEN); 4619 idlen = sppp_strnlen(sp->myauth.name, AUTHNAMELEN); 4620 4621 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 4622 sizeof idlen, (const char *)&idlen, 4623 (size_t)idlen, sp->myauth.name, 4624 sizeof pwdlen, (const char *)&pwdlen, 4625 (size_t)pwdlen, sp->myauth.secret, 4626 0); 4627 } 4628 4629 /* 4630 * Random miscellaneous functions. 4631 */ 4632 4633 /* 4634 * Send a PAP or CHAP proto packet. 4635 * 4636 * Varadic function, each of the elements for the ellipsis is of type 4637 * ``size_t mlen, const u_char *msg''. Processing will stop iff 4638 * mlen == 0. 4639 * NOTE: never declare variadic functions with types subject to type 4640 * promotion (i.e. u_char). This is asking for big trouble depending 4641 * on the architecture you are on... 4642 */ 4643 4644 static void 4645 sppp_auth_send(const struct cp *cp, struct sppp *sp, 4646 unsigned int type, unsigned int id, 4647 ...) 4648 { 4649 STDDCL; 4650 struct ppp_header *h; 4651 struct lcp_header *lh; 4652 struct mbuf *m; 4653 u_char *p; 4654 int len; 4655 unsigned int mlen; 4656 const char *msg; 4657 struct ifaltq_subque *ifsq; 4658 __va_list ap; 4659 4660 MGETHDR (m, MB_DONTWAIT, MT_DATA); 4661 if (! m) 4662 return; 4663 m->m_pkthdr.rcvif = 0; 4664 4665 h = mtod (m, struct ppp_header*); 4666 h->address = PPP_ALLSTATIONS; /* broadcast address */ 4667 h->control = PPP_UI; /* Unnumbered Info */ 4668 h->protocol = htons(cp->proto); 4669 4670 lh = (struct lcp_header*)(h + 1); 4671 lh->type = type; 4672 lh->ident = id; 4673 p = (u_char*) (lh+1); 4674 4675 __va_start(ap, id); 4676 len = 0; 4677 4678 while ((mlen = (unsigned int)__va_arg(ap, size_t)) != 0) { 4679 msg = __va_arg(ap, const char *); 4680 len += mlen; 4681 if (len > MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN) { 4682 __va_end(ap); 4683 m_freem(m); 4684 return; 4685 } 4686 4687 bcopy(msg, p, mlen); 4688 p += mlen; 4689 } 4690 __va_end(ap); 4691 4692 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + LCP_HEADER_LEN + len; 4693 lh->len = htons (LCP_HEADER_LEN + len); 4694 4695 if (debug) { 4696 log(LOG_DEBUG, SPP_FMT "%s output <%s id=0x%x len=%d", 4697 SPP_ARGS(ifp), cp->name, 4698 sppp_auth_type_name(cp->proto, lh->type), 4699 lh->ident, ntohs(lh->len)); 4700 sppp_print_bytes((u_char*) (lh+1), len); 4701 log(-1, ">\n"); 4702 } 4703 if (IF_QFULL (&sp->pp_cpq)) { 4704 IF_DROP (&sp->pp_fastq); 4705 m_freem (m); 4706 IFNET_STAT_INC(ifp, oerrors, 1); 4707 } else 4708 IF_ENQUEUE (&sp->pp_cpq, m); 4709 ifsq = ifq_get_subq_default(&ifp->if_snd); 4710 if (!ifsq_is_oactive(ifsq)) 4711 (*ifp->if_start) (ifp, ifsq); 4712 IFNET_STAT_INC(ifp, obytes, m->m_pkthdr.len + 3); 4713 } 4714 4715 /* 4716 * Send keepalive packets, every 10 seconds. 4717 */ 4718 static void 4719 sppp_keepalive(void *dummy) 4720 { 4721 struct sppp *sp; 4722 4723 crit_enter(); 4724 4725 for (sp=spppq; sp; sp=sp->pp_next) { 4726 struct ifnet *ifp = &sp->pp_if; 4727 4728 /* Keepalive mode disabled or channel down? */ 4729 if (! (sp->pp_flags & PP_KEEPALIVE) || 4730 ! (ifp->if_flags & IFF_RUNNING)) 4731 continue; 4732 4733 /* No keepalive in PPP mode if LCP not opened yet. */ 4734 if (sp->pp_mode != IFF_CISCO && 4735 sp->pp_phase < PHASE_AUTHENTICATE) 4736 continue; 4737 4738 if (sp->pp_alivecnt == MAXALIVECNT) { 4739 /* No keepalive packets got. Stop the interface. */ 4740 kprintf (SPP_FMT "down\n", SPP_ARGS(ifp)); 4741 if_down (ifp); 4742 IF_DRAIN(&sp->pp_cpq); 4743 if (sp->pp_mode != IFF_CISCO) { 4744 /* XXX */ 4745 /* Shut down the PPP link. */ 4746 lcp.Down(sp); 4747 /* Initiate negotiation. XXX */ 4748 lcp.Up(sp); 4749 } 4750 } 4751 ifnet_serialize_all(ifp); 4752 if (sp->pp_alivecnt <= MAXALIVECNT) 4753 ++sp->pp_alivecnt; 4754 if (sp->pp_mode == IFF_CISCO) 4755 sppp_cisco_send (sp, CISCO_KEEPALIVE_REQ, 4756 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 4757 else if (sp->pp_phase >= PHASE_AUTHENTICATE) { 4758 long nmagic = htonl (sp->lcp.magic); 4759 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 4760 sppp_cp_send (sp, PPP_LCP, ECHO_REQ, 4761 sp->lcp.echoid, 4, &nmagic); 4762 } 4763 ifnet_deserialize_all(ifp); 4764 } 4765 callout_reset(&keepalive_timeout, hz * 10, sppp_keepalive, NULL); 4766 crit_exit(); 4767 } 4768 4769 /* 4770 * Get both IP addresses. 4771 */ 4772 static void 4773 sppp_get_ip_addrs(struct sppp *sp, u_long *src, u_long *dst, u_long *srcmask) 4774 { 4775 struct ifnet *ifp = &sp->pp_if; 4776 struct ifaddr_container *ifac; 4777 struct ifaddr *ifa; 4778 struct sockaddr_in *si, *sm; 4779 u_long ssrc, ddst; 4780 4781 sm = NULL; 4782 ssrc = ddst = 0L; 4783 /* 4784 * Pick the first AF_INET address from the list, 4785 * aliases don't make any sense on a p2p link anyway. 4786 */ 4787 si = NULL; 4788 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4789 ifa = ifac->ifa; 4790 if (ifa->ifa_addr->sa_family == AF_INET) { 4791 si = (struct sockaddr_in *)ifa->ifa_addr; 4792 sm = (struct sockaddr_in *)ifa->ifa_netmask; 4793 if (si) 4794 break; 4795 } 4796 } 4797 if (ifac != NULL) { 4798 if (si && si->sin_addr.s_addr) { 4799 ssrc = si->sin_addr.s_addr; 4800 if (srcmask) 4801 *srcmask = ntohl(sm->sin_addr.s_addr); 4802 } 4803 4804 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 4805 if (si && si->sin_addr.s_addr) 4806 ddst = si->sin_addr.s_addr; 4807 } 4808 4809 if (dst) *dst = ntohl(ddst); 4810 if (src) *src = ntohl(ssrc); 4811 } 4812 4813 /* 4814 * Set my IP address. Must be called at splimp. 4815 */ 4816 static void 4817 sppp_set_ip_addr(struct sppp *sp, u_long src) 4818 { 4819 STDDCL; 4820 struct ifaddr_container *ifac; 4821 struct ifaddr *ifa = NULL; 4822 struct sockaddr_in *si; 4823 struct in_ifaddr *ia; 4824 4825 /* 4826 * Pick the first AF_INET address from the list, 4827 * aliases don't make any sense on a p2p link anyway. 4828 */ 4829 si = NULL; 4830 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4831 ifa = ifac->ifa; 4832 if (ifa->ifa_addr->sa_family == AF_INET) { 4833 si = (struct sockaddr_in *)ifa->ifa_addr; 4834 if (si) 4835 break; 4836 } 4837 } 4838 4839 if (ifac != NULL && si != NULL) { 4840 int error; 4841 4842 /* delete old route */ 4843 error = rtinit(ifa, (int)RTM_DELETE, RTF_HOST); 4844 if(debug && error) 4845 { 4846 log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: rtinit DEL failed, error=%d\n", 4847 SPP_ARGS(ifp), error); 4848 } 4849 4850 ia = ifatoia(ifa); 4851 in_iahash_remove(ia); 4852 4853 /* set new address */ 4854 si->sin_addr.s_addr = htonl(src); 4855 in_iahash_insert(ia); 4856 4857 /* add new route */ 4858 error = rtinit(ifa, (int)RTM_ADD, RTF_HOST); 4859 if (debug && error) 4860 { 4861 log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: rtinit ADD failed, error=%d", 4862 SPP_ARGS(ifp), error); 4863 } 4864 } 4865 } 4866 4867 #ifdef INET6 4868 /* 4869 * Get both IPv6 addresses. 4870 */ 4871 static void 4872 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 4873 struct in6_addr *srcmask) 4874 { 4875 struct ifnet *ifp = &sp->pp_if; 4876 struct ifaddr_container *ifac; 4877 struct ifaddr *ifa; 4878 struct sockaddr_in6 *si, *sm; 4879 struct in6_addr ssrc, ddst; 4880 4881 sm = NULL; 4882 bzero(&ssrc, sizeof(ssrc)); 4883 bzero(&ddst, sizeof(ddst)); 4884 /* 4885 * Pick the first link-local AF_INET6 address from the list, 4886 * aliases don't make any sense on a p2p link anyway. 4887 */ 4888 si = NULL; 4889 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4890 ifa = ifac->ifa; 4891 if (ifa->ifa_addr->sa_family == AF_INET6) { 4892 si = (struct sockaddr_in6 *)ifa->ifa_addr; 4893 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 4894 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) 4895 break; 4896 } 4897 } 4898 if (ifac != NULL) { 4899 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 4900 bcopy(&si->sin6_addr, &ssrc, sizeof(ssrc)); 4901 if (srcmask) { 4902 bcopy(&sm->sin6_addr, srcmask, 4903 sizeof(*srcmask)); 4904 } 4905 } 4906 4907 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 4908 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 4909 bcopy(&si->sin6_addr, &ddst, sizeof(ddst)); 4910 } 4911 4912 if (dst) 4913 bcopy(&ddst, dst, sizeof(*dst)); 4914 if (src) 4915 bcopy(&ssrc, src, sizeof(*src)); 4916 } 4917 4918 #ifdef IPV6CP_MYIFID_DYN 4919 /* 4920 * Generate random ifid. 4921 */ 4922 static void 4923 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 4924 { 4925 /* TBD */ 4926 } 4927 4928 /* 4929 * Set my IPv6 address. Must be called at splimp. 4930 */ 4931 static void 4932 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 4933 { 4934 STDDCL; 4935 struct ifaddr_container *ifac; 4936 struct ifaddr *ifa; 4937 struct sockaddr_in6 *sin6; 4938 4939 /* 4940 * Pick the first link-local AF_INET6 address from the list, 4941 * aliases don't make any sense on a p2p link anyway. 4942 */ 4943 4944 sin6 = NULL; 4945 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4946 ifa = ifac->ifa; 4947 if (ifa->ifa_addr->sa_family == AF_INET6) { 4948 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 4949 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 4950 break; 4951 } 4952 } 4953 4954 if (ifac != NULL && sin6 != NULL) { 4955 int error; 4956 struct sockaddr_in6 new_sin6 = *sin6; 4957 4958 bcopy(src, &new_sin6.sin6_addr, sizeof(new_sin6.sin6_addr)); 4959 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 4960 if (debug && error) { 4961 log(LOG_DEBUG, SPP_FMT "sppp_set_ip6_addr: in6_ifinit " 4962 " failed, error=%d\n", SPP_ARGS(ifp), error); 4963 } 4964 } 4965 } 4966 #endif 4967 4968 /* 4969 * Suggest a candidate address to be used by peer. 4970 */ 4971 static void 4972 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 4973 { 4974 struct in6_addr myaddr; 4975 struct timeval tv; 4976 4977 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 4978 4979 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 4980 microtime(&tv); 4981 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 4982 myaddr.s6_addr[14] ^= 0xff; 4983 myaddr.s6_addr[15] ^= 0xff; 4984 } else { 4985 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 4986 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 4987 } 4988 if (suggest) 4989 bcopy(&myaddr, suggest, sizeof(myaddr)); 4990 } 4991 #endif /*INET6*/ 4992 4993 static int 4994 sppp_params(struct sppp *sp, u_long cmd, void *data) 4995 { 4996 u_long subcmd; 4997 struct ifreq *ifr = (struct ifreq *)data; 4998 struct spppreq *spr; 4999 int rv = 0; 5000 5001 spr = kmalloc(sizeof(struct spppreq), M_TEMP, M_INTWAIT); 5002 5003 /* 5004 * ifr->ifr_data is supposed to point to a struct spppreq. 5005 * Check the cmd word first before attempting to fetch all the 5006 * data. 5007 */ 5008 if ((subcmd = fuword(ifr->ifr_data)) == -1) { 5009 rv = EFAULT; 5010 goto quit; 5011 } 5012 5013 if (copyin((caddr_t)ifr->ifr_data, spr, sizeof(struct spppreq)) != 0) { 5014 rv = EFAULT; 5015 goto quit; 5016 } 5017 5018 switch (subcmd) { 5019 case (u_long)SPPPIOGDEFS: 5020 if (cmd != SIOCGIFGENERIC) { 5021 rv = EINVAL; 5022 break; 5023 } 5024 /* 5025 * We copy over the entire current state, but clean 5026 * out some of the stuff we don't wanna pass up. 5027 * Remember, SIOCGIFGENERIC is unprotected, and can be 5028 * called by any user. No need to ever get PAP or 5029 * CHAP secrets back to userland anyway. 5030 */ 5031 spr->defs.pp_phase = sp->pp_phase; 5032 spr->defs.enable_vj = (sp->confflags & CONF_ENABLE_VJ) != 0; 5033 spr->defs.enable_ipv6 = (sp->confflags & CONF_ENABLE_IPV6) != 0; 5034 spr->defs.lcp = sp->lcp; 5035 spr->defs.ipcp = sp->ipcp; 5036 spr->defs.ipv6cp = sp->ipv6cp; 5037 spr->defs.myauth = sp->myauth; 5038 spr->defs.hisauth = sp->hisauth; 5039 bzero(spr->defs.myauth.secret, AUTHKEYLEN); 5040 bzero(spr->defs.myauth.challenge, AUTHKEYLEN); 5041 bzero(spr->defs.hisauth.secret, AUTHKEYLEN); 5042 bzero(spr->defs.hisauth.challenge, AUTHKEYLEN); 5043 /* 5044 * Fixup the LCP timeout value to milliseconds so 5045 * spppcontrol doesn't need to bother about the value 5046 * of "hz". We do the reverse calculation below when 5047 * setting it. 5048 */ 5049 spr->defs.lcp.timeout = sp->lcp.timeout * 1000 / hz; 5050 rv = copyout(spr, (caddr_t)ifr->ifr_data, 5051 sizeof(struct spppreq)); 5052 break; 5053 5054 case (u_long)SPPPIOSDEFS: 5055 if (cmd != SIOCSIFGENERIC) { 5056 rv = EINVAL; 5057 break; 5058 } 5059 /* 5060 * We have a very specific idea of which fields we 5061 * allow being passed back from userland, so to not 5062 * clobber our current state. For one, we only allow 5063 * setting anything if LCP is in dead or establish 5064 * phase. Once the authentication negotiations 5065 * started, the authentication settings must not be 5066 * changed again. (The administrator can force an 5067 * ifconfig down in order to get LCP back into dead 5068 * phase.) 5069 * 5070 * Also, we only allow for authentication parameters to be 5071 * specified. 5072 * 5073 * XXX Should allow to set or clear pp_flags. 5074 * 5075 * Finally, if the respective authentication protocol to 5076 * be used is set differently than 0, but the secret is 5077 * passed as all zeros, we don't trash the existing secret. 5078 * This allows an administrator to change the system name 5079 * only without clobbering the secret (which he didn't get 5080 * back in a previous SPPPIOGDEFS call). However, the 5081 * secrets are cleared if the authentication protocol is 5082 * reset to 0. */ 5083 if (sp->pp_phase != PHASE_DEAD && 5084 sp->pp_phase != PHASE_ESTABLISH) { 5085 rv = EBUSY; 5086 break; 5087 } 5088 5089 if ((spr->defs.myauth.proto != 0 && spr->defs.myauth.proto != PPP_PAP && 5090 spr->defs.myauth.proto != PPP_CHAP) || 5091 (spr->defs.hisauth.proto != 0 && spr->defs.hisauth.proto != PPP_PAP && 5092 spr->defs.hisauth.proto != PPP_CHAP)) { 5093 rv = EINVAL; 5094 break; 5095 } 5096 5097 if (spr->defs.myauth.proto == 0) 5098 /* resetting myauth */ 5099 bzero(&sp->myauth, sizeof sp->myauth); 5100 else { 5101 /* setting/changing myauth */ 5102 sp->myauth.proto = spr->defs.myauth.proto; 5103 bcopy(spr->defs.myauth.name, sp->myauth.name, AUTHNAMELEN); 5104 if (spr->defs.myauth.secret[0] != '\0') 5105 bcopy(spr->defs.myauth.secret, sp->myauth.secret, 5106 AUTHKEYLEN); 5107 } 5108 if (spr->defs.hisauth.proto == 0) 5109 /* resetting hisauth */ 5110 bzero(&sp->hisauth, sizeof sp->hisauth); 5111 else { 5112 /* setting/changing hisauth */ 5113 sp->hisauth.proto = spr->defs.hisauth.proto; 5114 sp->hisauth.flags = spr->defs.hisauth.flags; 5115 bcopy(spr->defs.hisauth.name, sp->hisauth.name, AUTHNAMELEN); 5116 if (spr->defs.hisauth.secret[0] != '\0') 5117 bcopy(spr->defs.hisauth.secret, sp->hisauth.secret, 5118 AUTHKEYLEN); 5119 } 5120 /* set LCP restart timer timeout */ 5121 if (spr->defs.lcp.timeout != 0) 5122 sp->lcp.timeout = spr->defs.lcp.timeout * hz / 1000; 5123 /* set VJ enable and IPv6 disable flags */ 5124 #ifdef INET 5125 if (spr->defs.enable_vj) 5126 sp->confflags |= CONF_ENABLE_VJ; 5127 else 5128 sp->confflags &= ~CONF_ENABLE_VJ; 5129 #endif 5130 #ifdef INET6 5131 if (spr->defs.enable_ipv6) 5132 sp->confflags |= CONF_ENABLE_IPV6; 5133 else 5134 sp->confflags &= ~CONF_ENABLE_IPV6; 5135 #endif 5136 break; 5137 5138 default: 5139 rv = EINVAL; 5140 } 5141 5142 quit: 5143 kfree(spr, M_TEMP); 5144 5145 return (rv); 5146 } 5147 5148 static void 5149 sppp_phase_network(struct sppp *sp) 5150 { 5151 STDDCL; 5152 int i; 5153 u_long mask; 5154 5155 sp->pp_phase = PHASE_NETWORK; 5156 5157 if (debug) 5158 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 5159 sppp_phase_name(sp->pp_phase)); 5160 5161 /* Notify NCPs now. */ 5162 for (i = 0; i < IDX_COUNT; i++) 5163 if ((cps[i])->flags & CP_NCP) 5164 (cps[i])->Open(sp); 5165 5166 /* Send Up events to all NCPs. */ 5167 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5168 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) 5169 (cps[i])->Up(sp); 5170 5171 /* if no NCP is starting, all this was in vain, close down */ 5172 sppp_lcp_check_and_close(sp); 5173 } 5174 5175 5176 static const char * 5177 sppp_cp_type_name(u_char type) 5178 { 5179 static char buf[12]; 5180 switch (type) { 5181 case CONF_REQ: return "conf-req"; 5182 case CONF_ACK: return "conf-ack"; 5183 case CONF_NAK: return "conf-nak"; 5184 case CONF_REJ: return "conf-rej"; 5185 case TERM_REQ: return "term-req"; 5186 case TERM_ACK: return "term-ack"; 5187 case CODE_REJ: return "code-rej"; 5188 case PROTO_REJ: return "proto-rej"; 5189 case ECHO_REQ: return "echo-req"; 5190 case ECHO_REPLY: return "echo-reply"; 5191 case DISC_REQ: return "discard-req"; 5192 } 5193 ksnprintf (buf, sizeof(buf), "cp/0x%x", type); 5194 return buf; 5195 } 5196 5197 static const char * 5198 sppp_auth_type_name(u_short proto, u_char type) 5199 { 5200 static char buf[12]; 5201 switch (proto) { 5202 case PPP_CHAP: 5203 switch (type) { 5204 case CHAP_CHALLENGE: return "challenge"; 5205 case CHAP_RESPONSE: return "response"; 5206 case CHAP_SUCCESS: return "success"; 5207 case CHAP_FAILURE: return "failure"; 5208 } 5209 case PPP_PAP: 5210 switch (type) { 5211 case PAP_REQ: return "req"; 5212 case PAP_ACK: return "ack"; 5213 case PAP_NAK: return "nak"; 5214 } 5215 } 5216 ksnprintf (buf, sizeof(buf), "auth/0x%x", type); 5217 return buf; 5218 } 5219 5220 static const char * 5221 sppp_lcp_opt_name(u_char opt) 5222 { 5223 static char buf[12]; 5224 switch (opt) { 5225 case LCP_OPT_MRU: return "mru"; 5226 case LCP_OPT_ASYNC_MAP: return "async-map"; 5227 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 5228 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 5229 case LCP_OPT_MAGIC: return "magic"; 5230 case LCP_OPT_PROTO_COMP: return "proto-comp"; 5231 case LCP_OPT_ADDR_COMP: return "addr-comp"; 5232 } 5233 ksnprintf (buf, sizeof(buf), "lcp/0x%x", opt); 5234 return buf; 5235 } 5236 5237 static const char * 5238 sppp_ipcp_opt_name(u_char opt) 5239 { 5240 static char buf[12]; 5241 switch (opt) { 5242 case IPCP_OPT_ADDRESSES: return "addresses"; 5243 case IPCP_OPT_COMPRESSION: return "compression"; 5244 case IPCP_OPT_ADDRESS: return "address"; 5245 } 5246 ksnprintf (buf, sizeof(buf), "ipcp/0x%x", opt); 5247 return buf; 5248 } 5249 5250 #ifdef INET6 5251 static const char * 5252 sppp_ipv6cp_opt_name(u_char opt) 5253 { 5254 static char buf[12]; 5255 switch (opt) { 5256 case IPV6CP_OPT_IFID: return "ifid"; 5257 case IPV6CP_OPT_COMPRESSION: return "compression"; 5258 } 5259 ksprintf (buf, "0x%x", opt); 5260 return buf; 5261 } 5262 #endif 5263 5264 static const char * 5265 sppp_state_name(int state) 5266 { 5267 switch (state) { 5268 case STATE_INITIAL: return "initial"; 5269 case STATE_STARTING: return "starting"; 5270 case STATE_CLOSED: return "closed"; 5271 case STATE_STOPPED: return "stopped"; 5272 case STATE_CLOSING: return "closing"; 5273 case STATE_STOPPING: return "stopping"; 5274 case STATE_REQ_SENT: return "req-sent"; 5275 case STATE_ACK_RCVD: return "ack-rcvd"; 5276 case STATE_ACK_SENT: return "ack-sent"; 5277 case STATE_OPENED: return "opened"; 5278 } 5279 return "illegal"; 5280 } 5281 5282 static const char * 5283 sppp_phase_name(enum ppp_phase phase) 5284 { 5285 switch (phase) { 5286 case PHASE_DEAD: return "dead"; 5287 case PHASE_ESTABLISH: return "establish"; 5288 case PHASE_TERMINATE: return "terminate"; 5289 case PHASE_AUTHENTICATE: return "authenticate"; 5290 case PHASE_NETWORK: return "network"; 5291 } 5292 return "illegal"; 5293 } 5294 5295 static const char * 5296 sppp_proto_name(u_short proto) 5297 { 5298 static char buf[12]; 5299 switch (proto) { 5300 case PPP_LCP: return "lcp"; 5301 case PPP_IPCP: return "ipcp"; 5302 case PPP_PAP: return "pap"; 5303 case PPP_CHAP: return "chap"; 5304 case PPP_IPV6CP: return "ipv6cp"; 5305 } 5306 ksnprintf(buf, sizeof(buf), "proto/0x%x", (unsigned)proto); 5307 return buf; 5308 } 5309 5310 static void 5311 sppp_print_bytes(const u_char *p, u_short len) 5312 { 5313 char hexstr[len]; 5314 if (len) 5315 log(-1, " %s", hexncpy(p, len, hexstr, HEX_NCPYLEN(len), "-")); 5316 } 5317 5318 static void 5319 sppp_print_string(const char *p, u_short len) 5320 { 5321 u_char c; 5322 5323 while (len-- > 0) { 5324 c = *p++; 5325 /* 5326 * Print only ASCII chars directly. RFC 1994 recommends 5327 * using only them, but we don't rely on it. */ 5328 if (c < ' ' || c > '~') 5329 log(-1, "\\x%x", c); 5330 else 5331 log(-1, "%c", c); 5332 } 5333 } 5334 5335 static const char * 5336 sppp_dotted_quad(u_long addr) 5337 { 5338 static char s[16]; 5339 ksprintf(s, "%d.%d.%d.%d", 5340 (int)((addr >> 24) & 0xff), 5341 (int)((addr >> 16) & 0xff), 5342 (int)((addr >> 8) & 0xff), 5343 (int)(addr & 0xff)); 5344 return s; 5345 } 5346 5347 static int 5348 sppp_strnlen(u_char *p, int max) 5349 { 5350 int len; 5351 5352 for (len = 0; len < max && *p; ++p) 5353 ++len; 5354 return len; 5355 } 5356 5357 /* a dummy, used to drop uninteresting events */ 5358 static void 5359 sppp_null(struct sppp *unused) 5360 { 5361 /* do just nothing */ 5362 } 5363