1 /* 2 * Synchronous PPP/Cisco link level subroutines. 3 * Keepalive protocol implemented in both Cisco and PPP modes. 4 * 5 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 6 * Author: Serge Vakulenko, <vak@cronyx.ru> 7 * 8 * Heavily revamped to conform to RFC 1661. 9 * Copyright (C) 1997, 2001 Joerg Wunsch. 10 * 11 * This software is distributed with NO WARRANTIES, not even the implied 12 * warranties for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 13 * 14 * Authors grant any other persons or organisations permission to use 15 * or modify this software as long as this message is kept with the software, 16 * all derivative works or modified versions. 17 * 18 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 19 * 20 * $FreeBSD: src/sys/net/if_spppsubr.c,v 1.59.2.13 2002/07/03 15:44:41 joerg Exp $ 21 */ 22 23 #include <sys/param.h> 24 25 #if defined(__DragonFly__) 26 #include "opt_inet.h" 27 #include "opt_inet6.h" 28 #include "opt_ipx.h" 29 #endif 30 31 #ifdef NetBSD1_3 32 # if NetBSD1_3 > 6 33 # include "opt_inet.h" 34 # include "opt_inet6.h" 35 # include "opt_iso.h" 36 # endif 37 #endif 38 39 #include <sys/systm.h> 40 #include <sys/kernel.h> 41 #include <sys/module.h> 42 #include <sys/sockio.h> 43 #include <sys/socket.h> 44 #include <sys/syslog.h> 45 #if defined(__DragonFly__) 46 #include <sys/random.h> 47 #include <sys/thread2.h> 48 #endif 49 #include <sys/malloc.h> 50 #include <sys/mbuf.h> 51 52 #if defined (__OpenBSD__) 53 #include <sys/md5k.h> 54 #else 55 #include <sys/md5.h> 56 #endif 57 58 #include <net/if.h> 59 #include <net/ifq_var.h> 60 #include <net/netisr.h> 61 #include <net/if_types.h> 62 #include <net/route.h> 63 #include <netinet/in.h> 64 #include <netinet/in_systm.h> 65 #include <netinet/ip.h> 66 #include <net/slcompress.h> 67 68 #if defined (__NetBSD__) || defined (__OpenBSD__) 69 #include <machine/cpu.h> /* XXX for softnet */ 70 #endif 71 72 #include <machine/stdarg.h> 73 74 #include <netinet/in.h> 75 #include <netinet/in_systm.h> 76 #include <netinet/in_var.h> 77 78 #ifdef INET 79 #include <netinet/ip.h> 80 #include <netinet/tcp.h> 81 #endif 82 83 #if defined (__DragonFly__) || defined (__OpenBSD__) 84 # include <netinet/if_ether.h> 85 #else 86 # include <net/ethertypes.h> 87 #endif 88 89 #ifdef IPX 90 #include <netproto/ipx/ipx.h> 91 #include <netproto/ipx/ipx_if.h> 92 #endif 93 94 #include "if_sppp.h" 95 96 #define IOCTL_CMD_T u_long 97 #define MAXALIVECNT 3 /* max. alive packets */ 98 99 /* 100 * Interface flags that can be set in an ifconfig command. 101 * 102 * Setting link0 will make the link passive, i.e. it will be marked 103 * as being administrative openable, but won't be opened to begin 104 * with. Incoming calls will be answered, or subsequent calls with 105 * -link1 will cause the administrative open of the LCP layer. 106 * 107 * Setting link1 will cause the link to auto-dial only as packets 108 * arrive to be sent. 109 * 110 * Setting IFF_DEBUG will syslog the option negotiation and state 111 * transitions at level kern.debug. Note: all logs consistently look 112 * like 113 * 114 * <if-name><unit>: <proto-name> <additional info...> 115 * 116 * with <if-name><unit> being something like "bppp0", and <proto-name> 117 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 118 */ 119 120 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 121 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 122 #define IFF_CISCO IFF_LINK2 /* auto-dial on output */ 123 124 #define PPP_ALLSTATIONS 0xff /* All-Stations broadcast address */ 125 #define PPP_UI 0x03 /* Unnumbered Information */ 126 #define PPP_IP 0x0021 /* Internet Protocol */ 127 #define PPP_ISO 0x0023 /* ISO OSI Protocol */ 128 #define PPP_XNS 0x0025 /* Xerox NS Protocol */ 129 #define PPP_IPX 0x002b /* Novell IPX Protocol */ 130 #define PPP_VJ_COMP 0x002d /* VJ compressed TCP/IP */ 131 #define PPP_VJ_UCOMP 0x002f /* VJ uncompressed TCP/IP */ 132 #define PPP_IPV6 0x0057 /* Internet Protocol Version 6 */ 133 #define PPP_LCP 0xc021 /* Link Control Protocol */ 134 #define PPP_PAP 0xc023 /* Password Authentication Protocol */ 135 #define PPP_CHAP 0xc223 /* Challenge-Handshake Auth Protocol */ 136 #define PPP_IPCP 0x8021 /* Internet Protocol Control Protocol */ 137 #define PPP_IPV6CP 0x8057 /* IPv6 Control Protocol */ 138 139 #define CONF_REQ 1 /* PPP configure request */ 140 #define CONF_ACK 2 /* PPP configure acknowledge */ 141 #define CONF_NAK 3 /* PPP configure negative ack */ 142 #define CONF_REJ 4 /* PPP configure reject */ 143 #define TERM_REQ 5 /* PPP terminate request */ 144 #define TERM_ACK 6 /* PPP terminate acknowledge */ 145 #define CODE_REJ 7 /* PPP code reject */ 146 #define PROTO_REJ 8 /* PPP protocol reject */ 147 #define ECHO_REQ 9 /* PPP echo request */ 148 #define ECHO_REPLY 10 /* PPP echo reply */ 149 #define DISC_REQ 11 /* PPP discard request */ 150 151 #define LCP_OPT_MRU 1 /* maximum receive unit */ 152 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 153 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 154 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 155 #define LCP_OPT_MAGIC 5 /* magic number */ 156 #define LCP_OPT_RESERVED 6 /* reserved */ 157 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 158 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 159 160 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 161 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol (VJ) */ 162 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 163 164 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 165 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 166 167 #define IPCP_COMP_VJ 0x2d /* Code for VJ compression */ 168 169 #define PAP_REQ 1 /* PAP name/password request */ 170 #define PAP_ACK 2 /* PAP acknowledge */ 171 #define PAP_NAK 3 /* PAP fail */ 172 173 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 174 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 175 #define CHAP_SUCCESS 3 /* CHAP response ok */ 176 #define CHAP_FAILURE 4 /* CHAP response failed */ 177 178 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 179 180 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 181 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 182 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 183 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 184 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 185 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 186 187 /* states are named and numbered according to RFC 1661 */ 188 #define STATE_INITIAL 0 189 #define STATE_STARTING 1 190 #define STATE_CLOSED 2 191 #define STATE_STOPPED 3 192 #define STATE_CLOSING 4 193 #define STATE_STOPPING 5 194 #define STATE_REQ_SENT 6 195 #define STATE_ACK_RCVD 7 196 #define STATE_ACK_SENT 8 197 #define STATE_OPENED 9 198 199 struct ppp_header { 200 u_char address; 201 u_char control; 202 u_short protocol; 203 } __attribute__((__packed__)); 204 #define PPP_HEADER_LEN sizeof (struct ppp_header) 205 206 struct lcp_header { 207 u_char type; 208 u_char ident; 209 u_short len; 210 } __attribute__((__packed__)); 211 #define LCP_HEADER_LEN sizeof (struct lcp_header) 212 213 struct cisco_packet { 214 u_long type; 215 u_long par1; 216 u_long par2; 217 u_short rel; 218 u_short time0; 219 u_short time1; 220 } __attribute__((__packed__)); 221 #define CISCO_PACKET_LEN sizeof (struct cisco_packet) 222 223 /* 224 * We follow the spelling and capitalization of RFC 1661 here, to make 225 * it easier comparing with the standard. Please refer to this RFC in 226 * case you can't make sense out of these abbreviation; it will also 227 * explain the semantics related to the various events and actions. 228 */ 229 struct cp { 230 u_short proto; /* PPP control protocol number */ 231 u_char protoidx; /* index into state table in struct sppp */ 232 u_char flags; 233 #define CP_LCP 0x01 /* this is the LCP */ 234 #define CP_AUTH 0x02 /* this is an authentication protocol */ 235 #define CP_NCP 0x04 /* this is a NCP */ 236 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 237 const char *name; /* name of this control protocol */ 238 /* event handlers */ 239 void (*Up)(struct sppp *sp); 240 void (*Down)(struct sppp *sp); 241 void (*Open)(struct sppp *sp); 242 void (*Close)(struct sppp *sp); 243 void (*TO)(void *sp); 244 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 245 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 246 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 247 /* actions */ 248 void (*tlu)(struct sppp *sp); 249 void (*tld)(struct sppp *sp); 250 void (*tls)(struct sppp *sp); 251 void (*tlf)(struct sppp *sp); 252 void (*scr)(struct sppp *sp); 253 }; 254 255 static struct sppp *spppq; 256 #if defined(__DragonFly__) 257 static struct callout keepalive_timeout; 258 #endif 259 260 #if defined(__FreeBSD__) && __FreeBSD__ >= 3 && !defined(__DragonFly__) 261 #define SPP_FMT "%s%d: " 262 #define SPP_ARGS(ifp) (ifp)->if_name, (ifp)->if_unit 263 #else 264 #define SPP_FMT "%s: " 265 #define SPP_ARGS(ifp) (ifp)->if_xname 266 #endif 267 268 #ifdef INET 269 /* 270 * The following disgusting hack gets around the problem that IP TOS 271 * can't be set yet. We want to put "interactive" traffic on a high 272 * priority queue. To decide if traffic is interactive, we check that 273 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 274 * 275 * XXX is this really still necessary? - joerg - 276 */ 277 static u_short interactive_ports[8] = { 278 0, 513, 0, 0, 279 0, 21, 0, 23, 280 }; 281 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 282 #endif 283 284 /* almost every function needs these */ 285 #define STDDCL \ 286 struct ifnet *ifp = &sp->pp_if; \ 287 int debug = ifp->if_flags & IFF_DEBUG 288 289 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 290 struct sockaddr *dst, struct rtentry *rt); 291 292 static void sppp_cisco_send(struct sppp *sp, int type, long par1, long par2); 293 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 294 295 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 296 struct mbuf *m); 297 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 298 u_char ident, u_short len, void *data); 299 /* static void sppp_cp_timeout(void *arg); */ 300 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 301 int newstate); 302 static void sppp_auth_send(const struct cp *cp, 303 struct sppp *sp, unsigned int type, unsigned int id, 304 ...); 305 306 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 307 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 308 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 309 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 310 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 311 312 static void sppp_null(struct sppp *sp); 313 314 static void sppp_lcp_init(struct sppp *sp); 315 static void sppp_lcp_up(struct sppp *sp); 316 static void sppp_lcp_down(struct sppp *sp); 317 static void sppp_lcp_open(struct sppp *sp); 318 static void sppp_lcp_close(struct sppp *sp); 319 static void sppp_lcp_TO(void *sp); 320 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 321 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 322 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 323 static void sppp_lcp_tlu(struct sppp *sp); 324 static void sppp_lcp_tld(struct sppp *sp); 325 static void sppp_lcp_tls(struct sppp *sp); 326 static void sppp_lcp_tlf(struct sppp *sp); 327 static void sppp_lcp_scr(struct sppp *sp); 328 static void sppp_lcp_check_and_close(struct sppp *sp); 329 static int sppp_ncp_check(struct sppp *sp); 330 331 static void sppp_ipcp_init(struct sppp *sp); 332 static void sppp_ipcp_up(struct sppp *sp); 333 static void sppp_ipcp_down(struct sppp *sp); 334 static void sppp_ipcp_open(struct sppp *sp); 335 static void sppp_ipcp_close(struct sppp *sp); 336 static void sppp_ipcp_TO(void *sp); 337 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 338 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 339 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 340 static void sppp_ipcp_tlu(struct sppp *sp); 341 static void sppp_ipcp_tld(struct sppp *sp); 342 static void sppp_ipcp_tls(struct sppp *sp); 343 static void sppp_ipcp_tlf(struct sppp *sp); 344 static void sppp_ipcp_scr(struct sppp *sp); 345 346 static void sppp_ipv6cp_init(struct sppp *sp); 347 static void sppp_ipv6cp_up(struct sppp *sp); 348 static void sppp_ipv6cp_down(struct sppp *sp); 349 static void sppp_ipv6cp_open(struct sppp *sp); 350 static void sppp_ipv6cp_close(struct sppp *sp); 351 static void sppp_ipv6cp_TO(void *sp); 352 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 353 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 354 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 355 static void sppp_ipv6cp_tlu(struct sppp *sp); 356 static void sppp_ipv6cp_tld(struct sppp *sp); 357 static void sppp_ipv6cp_tls(struct sppp *sp); 358 static void sppp_ipv6cp_tlf(struct sppp *sp); 359 static void sppp_ipv6cp_scr(struct sppp *sp); 360 361 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 362 static void sppp_pap_init(struct sppp *sp); 363 static void sppp_pap_open(struct sppp *sp); 364 static void sppp_pap_close(struct sppp *sp); 365 static void sppp_pap_TO(void *sp); 366 static void sppp_pap_my_TO(void *sp); 367 static void sppp_pap_tlu(struct sppp *sp); 368 static void sppp_pap_tld(struct sppp *sp); 369 static void sppp_pap_scr(struct sppp *sp); 370 371 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 372 static void sppp_chap_init(struct sppp *sp); 373 static void sppp_chap_open(struct sppp *sp); 374 static void sppp_chap_close(struct sppp *sp); 375 static void sppp_chap_TO(void *sp); 376 static void sppp_chap_tlu(struct sppp *sp); 377 static void sppp_chap_tld(struct sppp *sp); 378 static void sppp_chap_scr(struct sppp *sp); 379 380 static const char *sppp_auth_type_name(u_short proto, u_char type); 381 static const char *sppp_cp_type_name(u_char type); 382 static const char *sppp_dotted_quad(u_long addr); 383 static const char *sppp_ipcp_opt_name(u_char opt); 384 #ifdef INET6 385 static const char *sppp_ipv6cp_opt_name(u_char opt); 386 #endif 387 static const char *sppp_lcp_opt_name(u_char opt); 388 static const char *sppp_phase_name(enum ppp_phase phase); 389 static const char *sppp_proto_name(u_short proto); 390 static const char *sppp_state_name(int state); 391 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 392 static int sppp_strnlen(u_char *p, int max); 393 static void sppp_get_ip_addrs(struct sppp *sp, u_long *src, u_long *dst, 394 u_long *srcmask); 395 static void sppp_keepalive(void *dummy); 396 static void sppp_phase_network(struct sppp *sp); 397 static void sppp_print_bytes(const u_char *p, u_short len); 398 static void sppp_print_string(const char *p, u_short len); 399 static void sppp_set_ip_addr(struct sppp *sp, u_long src); 400 #ifdef INET6 401 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 402 struct in6_addr *dst, struct in6_addr *srcmask); 403 #ifdef IPV6CP_MYIFID_DYN 404 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 405 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 406 #endif 407 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 408 #endif 409 410 /* our control protocol descriptors */ 411 static const struct cp lcp = { 412 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 413 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 414 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 415 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 416 sppp_lcp_scr 417 }; 418 419 static const struct cp ipcp = { 420 PPP_IPCP, IDX_IPCP, CP_NCP, "ipcp", 421 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 422 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 423 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 424 sppp_ipcp_scr 425 }; 426 427 static const struct cp ipv6cp = { 428 PPP_IPV6CP, IDX_IPV6CP, 429 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 430 CP_NCP, 431 #else 432 0, 433 #endif 434 "ipv6cp", 435 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 436 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 437 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 438 sppp_ipv6cp_scr 439 }; 440 441 static const struct cp pap = { 442 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 443 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 444 sppp_pap_TO, 0, 0, 0, 445 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 446 sppp_pap_scr 447 }; 448 449 static const struct cp chap = { 450 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 451 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 452 sppp_chap_TO, 0, 0, 0, 453 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 454 sppp_chap_scr 455 }; 456 457 static const struct cp *cps[IDX_COUNT] = { 458 &lcp, /* IDX_LCP */ 459 &ipcp, /* IDX_IPCP */ 460 &ipv6cp, /* IDX_IPV6CP */ 461 &pap, /* IDX_PAP */ 462 &chap, /* IDX_CHAP */ 463 }; 464 465 static int 466 sppp_modevent(module_t mod, int type, void *unused) 467 { 468 switch (type) { 469 case MOD_LOAD: 470 callout_init(&keepalive_timeout); 471 break; 472 case MOD_UNLOAD: 473 return EACCES; 474 break; 475 default: 476 break; 477 } 478 return 0; 479 } 480 static moduledata_t spppmod = { 481 "sppp", 482 sppp_modevent, 483 0 484 }; 485 MODULE_VERSION(sppp, 1); 486 DECLARE_MODULE(sppp, spppmod, SI_SUB_DRIVERS, SI_ORDER_ANY); 487 488 /* 489 * Exported functions, comprising our interface to the lower layer. 490 */ 491 492 /* 493 * Process the received packet. 494 */ 495 void 496 sppp_input(struct ifnet *ifp, struct mbuf *m) 497 { 498 struct ppp_header *h; 499 int isr = -1; 500 struct sppp *sp = (struct sppp *)ifp; 501 u_char *iphdr; 502 int hlen, vjlen, do_account = 0; 503 int debug = ifp->if_flags & IFF_DEBUG; 504 505 if (ifp->if_flags & IFF_UP) 506 /* Count received bytes, add FCS and one flag */ 507 ifp->if_ibytes += m->m_pkthdr.len + 3; 508 509 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 510 /* Too small packet, drop it. */ 511 if (debug) 512 log(LOG_DEBUG, 513 SPP_FMT "input packet is too small, %d bytes\n", 514 SPP_ARGS(ifp), m->m_pkthdr.len); 515 drop: 516 m_freem (m); 517 drop2: 518 ++ifp->if_ierrors; 519 ++ifp->if_iqdrops; 520 return; 521 } 522 523 /* Get PPP header. */ 524 h = mtod (m, struct ppp_header*); 525 m_adj (m, PPP_HEADER_LEN); 526 527 switch (h->address) { 528 case PPP_ALLSTATIONS: 529 if (h->control != PPP_UI) 530 goto invalid; 531 if (sp->pp_mode == IFF_CISCO) { 532 if (debug) 533 log(LOG_DEBUG, 534 SPP_FMT "PPP packet in Cisco mode " 535 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 536 SPP_ARGS(ifp), 537 h->address, h->control, ntohs(h->protocol)); 538 goto drop; 539 } 540 switch (ntohs (h->protocol)) { 541 default: 542 if (debug) 543 log(LOG_DEBUG, 544 SPP_FMT "rejecting protocol " 545 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 546 SPP_ARGS(ifp), 547 h->address, h->control, ntohs(h->protocol)); 548 if (sp->state[IDX_LCP] == STATE_OPENED) 549 sppp_cp_send (sp, PPP_LCP, PROTO_REJ, 550 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 551 &h->protocol); 552 ++ifp->if_noproto; 553 goto drop; 554 case PPP_LCP: 555 sppp_cp_input(&lcp, sp, m); 556 m_freem (m); 557 return; 558 case PPP_PAP: 559 if (sp->pp_phase >= PHASE_AUTHENTICATE) 560 sppp_pap_input(sp, m); 561 m_freem (m); 562 return; 563 case PPP_CHAP: 564 if (sp->pp_phase >= PHASE_AUTHENTICATE) 565 sppp_chap_input(sp, m); 566 m_freem (m); 567 return; 568 #ifdef INET 569 case PPP_IPCP: 570 if (sp->pp_phase == PHASE_NETWORK) 571 sppp_cp_input(&ipcp, sp, m); 572 m_freem (m); 573 return; 574 case PPP_IP: 575 if (sp->state[IDX_IPCP] == STATE_OPENED) { 576 isr = NETISR_IP; 577 } 578 do_account++; 579 break; 580 case PPP_VJ_COMP: 581 if (sp->state[IDX_IPCP] == STATE_OPENED) { 582 if ((vjlen = 583 sl_uncompress_tcp_core(mtod(m, u_char *), 584 m->m_len, m->m_len, 585 TYPE_COMPRESSED_TCP, 586 sp->pp_comp, 587 &iphdr, &hlen)) <= 0) { 588 if (debug) 589 log(LOG_INFO, 590 SPP_FMT "VJ uncompress failed on compressed packet\n", 591 SPP_ARGS(ifp)); 592 goto drop; 593 } 594 595 /* 596 * Trim the VJ header off the packet, and prepend 597 * the uncompressed IP header (which will usually 598 * end up in two chained mbufs since there's not 599 * enough leading space in the existing mbuf). 600 */ 601 m_adj(m, vjlen); 602 M_PREPEND(m, hlen, MB_DONTWAIT); 603 if (m == NULL) 604 goto drop2; 605 bcopy(iphdr, mtod(m, u_char *), hlen); 606 607 isr = NETISR_IP; 608 } 609 do_account++; 610 break; 611 case PPP_VJ_UCOMP: 612 if (sp->state[IDX_IPCP] == STATE_OPENED) { 613 if (sl_uncompress_tcp_core(mtod(m, u_char *), 614 m->m_len, m->m_len, 615 TYPE_UNCOMPRESSED_TCP, 616 sp->pp_comp, 617 &iphdr, &hlen) != 0) { 618 if (debug) 619 log(LOG_INFO, 620 SPP_FMT "VJ uncompress failed on uncompressed packet\n", 621 SPP_ARGS(ifp)); 622 goto drop; 623 } 624 isr = NETISR_IP; 625 } 626 do_account++; 627 break; 628 #endif 629 #ifdef INET6 630 case PPP_IPV6CP: 631 if (sp->pp_phase == PHASE_NETWORK) 632 sppp_cp_input(&ipv6cp, sp, m); 633 m_freem (m); 634 return; 635 636 case PPP_IPV6: 637 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 638 isr = NETISR_IPV6; 639 } 640 do_account++; 641 break; 642 #endif 643 #ifdef IPX 644 case PPP_IPX: 645 /* IPX IPXCP not implemented yet */ 646 if (sp->pp_phase == PHASE_NETWORK) { 647 isr = NETISR_IPX; 648 } 649 do_account++; 650 break; 651 #endif 652 } 653 break; 654 case CISCO_MULTICAST: 655 case CISCO_UNICAST: 656 /* Don't check the control field here (RFC 1547). */ 657 if (sp->pp_mode != IFF_CISCO) { 658 if (debug) 659 log(LOG_DEBUG, 660 SPP_FMT "Cisco packet in PPP mode " 661 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 662 SPP_ARGS(ifp), 663 h->address, h->control, ntohs(h->protocol)); 664 goto drop; 665 } 666 switch (ntohs (h->protocol)) { 667 default: 668 ++ifp->if_noproto; 669 goto invalid; 670 case CISCO_KEEPALIVE: 671 sppp_cisco_input ((struct sppp*) ifp, m); 672 m_freem (m); 673 return; 674 #ifdef INET 675 case ETHERTYPE_IP: 676 isr = NETISR_IP; 677 do_account++; 678 break; 679 #endif 680 #ifdef INET6 681 case ETHERTYPE_IPV6: 682 isr = NETISR_IPV6; 683 do_account++; 684 break; 685 #endif 686 #ifdef IPX 687 case ETHERTYPE_IPX: 688 isr = NETISR_IPX; 689 do_account++; 690 break; 691 #endif 692 } 693 break; 694 default: /* Invalid PPP packet. */ 695 invalid: 696 if (debug) 697 log(LOG_DEBUG, 698 SPP_FMT "invalid input packet " 699 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 700 SPP_ARGS(ifp), 701 h->address, h->control, ntohs(h->protocol)); 702 goto drop; 703 } 704 705 if (! (ifp->if_flags & IFF_UP) || isr < 0) 706 goto drop; 707 708 /* Check queue. */ 709 710 netisr_queue(isr, m); 711 712 /* 713 * Do only account for network packets, not for control 714 * packets. This is used by some subsystems to detect 715 * idle lines. 716 */ 717 if (do_account) 718 sp->pp_last_recv = time_second; 719 } 720 721 /* 722 * Enqueue transmit packet. 723 */ 724 static int 725 sppp_output_serialized(struct ifnet *ifp, struct mbuf *m, 726 struct sockaddr *dst, struct rtentry *rt) 727 { 728 struct sppp *sp = (struct sppp*) ifp; 729 struct ppp_header *h; 730 struct ifqueue *ifq = NULL; 731 int rv = 0; 732 int ipproto = PPP_IP; 733 int debug = ifp->if_flags & IFF_DEBUG; 734 struct altq_pktattr pktattr; 735 736 crit_enter(); 737 738 if ((ifp->if_flags & IFF_UP) == 0 || 739 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 740 #ifdef INET6 741 drop: 742 #endif 743 m_freem (m); 744 crit_exit(); 745 return (ENETDOWN); 746 } 747 748 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 749 #ifdef INET6 750 /* 751 * XXX 752 * 753 * Hack to prevent the initialization-time generated 754 * IPv6 multicast packet to erroneously cause a 755 * dialout event in case IPv6 has been 756 * administratively disabled on that interface. 757 */ 758 if (dst->sa_family == AF_INET6 && 759 !(sp->confflags & CONF_ENABLE_IPV6)) 760 goto drop; 761 #endif 762 /* 763 * Interface is not yet running, but auto-dial. Need 764 * to start LCP for it. 765 */ 766 ifp->if_flags |= IFF_RUNNING; 767 crit_exit(); 768 lcp.Open(sp); 769 crit_enter(); 770 } 771 772 /* 773 * if the queueing discipline needs packet classification, 774 * do it before prepending link headers. 775 */ 776 ifq_classify(&ifp->if_snd, m, dst->sa_family, &pktattr); 777 778 #ifdef INET 779 if (dst->sa_family == AF_INET) { 780 /* XXX Check mbuf length here? */ 781 struct ip *ip = mtod (m, struct ip*); 782 struct tcphdr *tcp = (struct tcphdr*) ((long*)ip + ip->ip_hl); 783 784 /* 785 * When using dynamic local IP address assignment by using 786 * 0.0.0.0 as a local address, the first TCP session will 787 * not connect because the local TCP checksum is computed 788 * using 0.0.0.0 which will later become our real IP address 789 * so the TCP checksum computed at the remote end will 790 * become invalid. So we 791 * - don't let packets with src ip addr 0 thru 792 * - we flag TCP packets with src ip 0 as an error 793 */ 794 795 if(ip->ip_src.s_addr == INADDR_ANY) /* -hm */ 796 { 797 m_freem(m); 798 crit_exit(); 799 if(ip->ip_p == IPPROTO_TCP) 800 return(EADDRNOTAVAIL); 801 else 802 return(0); 803 } 804 805 /* 806 * Put low delay, telnet, rlogin and ftp control packets 807 * in front of the queue. 808 */ 809 if (IF_QFULL (&sp->pp_fastq)) 810 ; 811 else if (ip->ip_tos & IPTOS_LOWDELAY) 812 ifq = &sp->pp_fastq; 813 else if (m->m_len < sizeof *ip + sizeof *tcp) 814 ; 815 else if (ip->ip_p != IPPROTO_TCP) 816 ; 817 else if (INTERACTIVE (ntohs (tcp->th_sport))) 818 ifq = &sp->pp_fastq; 819 else if (INTERACTIVE (ntohs (tcp->th_dport))) 820 ifq = &sp->pp_fastq; 821 822 /* 823 * Do IP Header compression 824 */ 825 if (sp->pp_mode != IFF_CISCO && (sp->ipcp.flags & IPCP_VJ) && 826 ip->ip_p == IPPROTO_TCP) 827 switch (sl_compress_tcp(m, ip, sp->pp_comp, 828 sp->ipcp.compress_cid)) { 829 case TYPE_COMPRESSED_TCP: 830 ipproto = PPP_VJ_COMP; 831 break; 832 case TYPE_UNCOMPRESSED_TCP: 833 ipproto = PPP_VJ_UCOMP; 834 break; 835 case TYPE_IP: 836 ipproto = PPP_IP; 837 break; 838 default: 839 m_freem(m); 840 crit_exit(); 841 return (EINVAL); 842 } 843 } 844 #endif 845 846 #ifdef INET6 847 if (dst->sa_family == AF_INET6) { 848 /* XXX do something tricky here? */ 849 } 850 #endif 851 852 /* 853 * Prepend general data packet PPP header. For now, IP only. 854 */ 855 M_PREPEND (m, PPP_HEADER_LEN, MB_DONTWAIT); 856 if (! m) { 857 if (debug) 858 log(LOG_DEBUG, SPP_FMT "no memory for transmit header\n", 859 SPP_ARGS(ifp)); 860 ++ifp->if_oerrors; 861 crit_exit(); 862 return (ENOBUFS); 863 } 864 /* 865 * May want to check size of packet 866 * (albeit due to the implementation it's always enough) 867 */ 868 h = mtod (m, struct ppp_header*); 869 if (sp->pp_mode == IFF_CISCO) { 870 h->address = CISCO_UNICAST; /* unicast address */ 871 h->control = 0; 872 } else { 873 h->address = PPP_ALLSTATIONS; /* broadcast address */ 874 h->control = PPP_UI; /* Unnumbered Info */ 875 } 876 877 switch (dst->sa_family) { 878 #ifdef INET 879 case AF_INET: /* Internet Protocol */ 880 if (sp->pp_mode == IFF_CISCO) 881 h->protocol = htons (ETHERTYPE_IP); 882 else { 883 /* 884 * Don't choke with an ENETDOWN early. It's 885 * possible that we just started dialing out, 886 * so don't drop the packet immediately. If 887 * we notice that we run out of buffer space 888 * below, we will however remember that we are 889 * not ready to carry IP packets, and return 890 * ENETDOWN, as opposed to ENOBUFS. 891 */ 892 h->protocol = htons(ipproto); 893 if (sp->state[IDX_IPCP] != STATE_OPENED) 894 rv = ENETDOWN; 895 } 896 break; 897 #endif 898 #ifdef INET6 899 case AF_INET6: /* Internet Protocol */ 900 if (sp->pp_mode == IFF_CISCO) 901 h->protocol = htons (ETHERTYPE_IPV6); 902 else { 903 /* 904 * Don't choke with an ENETDOWN early. It's 905 * possible that we just started dialing out, 906 * so don't drop the packet immediately. If 907 * we notice that we run out of buffer space 908 * below, we will however remember that we are 909 * not ready to carry IP packets, and return 910 * ENETDOWN, as opposed to ENOBUFS. 911 */ 912 h->protocol = htons(PPP_IPV6); 913 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 914 rv = ENETDOWN; 915 } 916 break; 917 #endif 918 #ifdef IPX 919 case AF_IPX: /* Novell IPX Protocol */ 920 h->protocol = htons (sp->pp_mode == IFF_CISCO ? 921 ETHERTYPE_IPX : PPP_IPX); 922 break; 923 #endif 924 default: 925 m_freem (m); 926 ++ifp->if_oerrors; 927 crit_exit(); 928 return (EAFNOSUPPORT); 929 } 930 931 /* 932 * Queue message on interface, and start output if interface 933 * not yet active. 934 */ 935 if (ifq != NULL) { 936 if (IF_QFULL(ifq)) { 937 IF_DROP(ifq); 938 m_freem(m); 939 rv = ENOBUFS; 940 ifq->ifq_drops++; 941 } else { 942 IF_ENQUEUE(ifq, m); 943 rv = 0; 944 } 945 } else { 946 rv = ifq_enqueue(&ifp->if_snd, m, &pktattr); 947 } 948 if (rv) { 949 ++ifp->if_oerrors; 950 crit_exit(); 951 return(rv); 952 } 953 if (! (ifp->if_flags & IFF_OACTIVE)) 954 (*ifp->if_start) (ifp); 955 956 /* 957 * Count output packets and bytes. 958 * The packet length includes header, FCS and 1 flag, 959 * according to RFC 1333. 960 */ 961 ifp->if_obytes += m->m_pkthdr.len + 3; 962 963 /* 964 * Unlike in sppp_input(), we can always bump the timestamp 965 * here since sppp_output() is only called on behalf of 966 * network-layer traffic; control-layer traffic is handled 967 * by sppp_cp_send(). 968 */ 969 sp->pp_last_sent = time_second; 970 971 crit_exit(); 972 return (0); 973 } 974 975 static int 976 sppp_output(struct ifnet *ifp, struct mbuf *m, 977 struct sockaddr *dst, struct rtentry *rt) 978 { 979 int error; 980 981 ifnet_serialize_tx(ifp); 982 error = sppp_output_serialized(ifp, m, dst, rt); 983 ifnet_deserialize_tx(ifp); 984 985 return error; 986 } 987 988 void 989 sppp_attach(struct ifnet *ifp) 990 { 991 struct sppp *sp = (struct sppp*) ifp; 992 993 /* Initialize keepalive handler. */ 994 if (!spppq) { 995 callout_reset(&keepalive_timeout, hz * 10, 996 sppp_keepalive, NULL); 997 } 998 /* Insert new entry into the keepalive list. */ 999 sp->pp_next = spppq; 1000 spppq = sp; 1001 1002 sp->pp_if.if_mtu = PP_MTU; 1003 sp->pp_if.if_flags = IFF_POINTOPOINT | IFF_MULTICAST; 1004 sp->pp_if.if_type = IFT_PPP; 1005 sp->pp_if.if_output = sppp_output; 1006 #if 0 1007 sp->pp_flags = PP_KEEPALIVE; 1008 #endif 1009 sp->pp_if.if_snd.ifq_maxlen = 32; 1010 sp->pp_fastq.ifq_maxlen = 32; 1011 sp->pp_cpq.ifq_maxlen = 20; 1012 sp->pp_loopcnt = 0; 1013 sp->pp_alivecnt = 0; 1014 bzero(&sp->pp_seq[0], sizeof(sp->pp_seq)); 1015 bzero(&sp->pp_rseq[0], sizeof(sp->pp_rseq)); 1016 sp->pp_phase = PHASE_DEAD; 1017 sp->pp_up = lcp.Up; 1018 sp->pp_down = lcp.Down; 1019 sp->pp_last_recv = sp->pp_last_sent = time_second; 1020 sp->confflags = 0; 1021 #ifdef INET 1022 sp->confflags |= CONF_ENABLE_VJ; 1023 #endif 1024 #ifdef INET6 1025 sp->confflags |= CONF_ENABLE_IPV6; 1026 #endif 1027 sp->pp_comp = kmalloc(sizeof(struct slcompress), M_TEMP, M_WAITOK); 1028 sl_compress_init(sp->pp_comp, -1); 1029 sppp_lcp_init(sp); 1030 sppp_ipcp_init(sp); 1031 sppp_ipv6cp_init(sp); 1032 sppp_pap_init(sp); 1033 sppp_chap_init(sp); 1034 } 1035 1036 void 1037 sppp_detach(struct ifnet *ifp) 1038 { 1039 struct sppp **q, *p, *sp = (struct sppp*) ifp; 1040 int i; 1041 1042 /* Remove the entry from the keepalive list. */ 1043 for (q = &spppq; (p = *q); q = &p->pp_next) 1044 if (p == sp) { 1045 *q = p->pp_next; 1046 break; 1047 } 1048 1049 /* Stop keepalive handler. */ 1050 if (!spppq) 1051 callout_stop(&keepalive_timeout); 1052 1053 for (i = 0; i < IDX_COUNT; i++) 1054 callout_stop(&sp->timeout[i]); 1055 callout_stop(&sp->pap_my_to); 1056 } 1057 1058 /* 1059 * Flush the interface output queue. 1060 */ 1061 void 1062 sppp_flush(struct ifnet *ifp) 1063 { 1064 struct sppp *sp = (struct sppp*) ifp; 1065 1066 ifq_purge(&sp->pp_if.if_snd); 1067 IF_DRAIN(&sp->pp_fastq); 1068 IF_DRAIN(&sp->pp_cpq); 1069 } 1070 1071 /* 1072 * Check if the output queue is empty. 1073 */ 1074 int 1075 sppp_isempty(struct ifnet *ifp) 1076 { 1077 struct sppp *sp = (struct sppp*) ifp; 1078 int empty; 1079 1080 crit_enter(); 1081 empty = IF_QEMPTY(&sp->pp_fastq) && IF_QEMPTY(&sp->pp_cpq) && 1082 ifq_is_empty(&sp->pp_if.if_snd); 1083 crit_exit(); 1084 return (empty); 1085 } 1086 1087 /* 1088 * Get next packet to send. 1089 */ 1090 struct mbuf * 1091 sppp_dequeue(struct ifnet *ifp) 1092 { 1093 struct sppp *sp = (struct sppp*) ifp; 1094 struct mbuf *m; 1095 1096 crit_enter(); 1097 1098 /* 1099 * Process only the control protocol queue until we have at 1100 * least one NCP open. 1101 * 1102 * Do always serve all three queues in Cisco mode. 1103 */ 1104 IF_DEQUEUE(&sp->pp_cpq, m); 1105 if (m == NULL && 1106 (sppp_ncp_check(sp) || sp->pp_mode == IFF_CISCO)) { 1107 IF_DEQUEUE(&sp->pp_fastq, m); 1108 if (m == NULL) 1109 m = ifq_dequeue(&sp->pp_if.if_snd, NULL); 1110 } 1111 1112 crit_exit(); 1113 return m; 1114 } 1115 1116 /* 1117 * Pick the next packet, do not remove it from the queue. 1118 */ 1119 struct mbuf * 1120 sppp_pick(struct ifnet *ifp) 1121 { 1122 struct sppp *sp = (struct sppp*)ifp; 1123 struct mbuf *m; 1124 1125 crit_enter(); 1126 1127 m = sp->pp_cpq.ifq_head; 1128 if (m == NULL && 1129 (sp->pp_phase == PHASE_NETWORK || sp->pp_mode == IFF_CISCO)) { 1130 if ((m = sp->pp_fastq.ifq_head) == NULL) 1131 m = ifq_poll(&sp->pp_if.if_snd); 1132 } 1133 1134 crit_exit(); 1135 return (m); 1136 } 1137 1138 /* 1139 * Process an ioctl request. Called on low priority level. 1140 */ 1141 int 1142 sppp_ioctl(struct ifnet *ifp, IOCTL_CMD_T cmd, void *data) 1143 { 1144 struct ifreq *ifr = (struct ifreq*) data; 1145 struct sppp *sp = (struct sppp*) ifp; 1146 int rv, going_up, going_down, newmode; 1147 1148 crit_enter(); 1149 1150 rv = 0; 1151 switch (cmd) { 1152 case SIOCAIFADDR: 1153 case SIOCSIFDSTADDR: 1154 break; 1155 1156 case SIOCSIFADDR: 1157 /* set the interface "up" when assigning an IP address */ 1158 ifp->if_flags |= IFF_UP; 1159 /* fall through... */ 1160 1161 case SIOCSIFFLAGS: 1162 going_up = ifp->if_flags & IFF_UP && 1163 (ifp->if_flags & IFF_RUNNING) == 0; 1164 going_down = (ifp->if_flags & IFF_UP) == 0 && 1165 ifp->if_flags & IFF_RUNNING; 1166 1167 newmode = ifp->if_flags & IFF_PASSIVE; 1168 if (!newmode) 1169 newmode = ifp->if_flags & IFF_AUTO; 1170 if (!newmode) 1171 newmode = ifp->if_flags & IFF_CISCO; 1172 ifp->if_flags &= ~(IFF_PASSIVE | IFF_AUTO | IFF_CISCO); 1173 ifp->if_flags |= newmode; 1174 1175 if (newmode != sp->pp_mode) { 1176 going_down = 1; 1177 if (!going_up) 1178 going_up = ifp->if_flags & IFF_RUNNING; 1179 } 1180 1181 if (going_down) { 1182 if (sp->pp_mode != IFF_CISCO) 1183 lcp.Close(sp); 1184 else if (sp->pp_tlf) 1185 (sp->pp_tlf)(sp); 1186 sppp_flush(ifp); 1187 ifp->if_flags &= ~IFF_RUNNING; 1188 sp->pp_mode = newmode; 1189 } 1190 1191 if (going_up) { 1192 if (sp->pp_mode != IFF_CISCO) 1193 lcp.Close(sp); 1194 sp->pp_mode = newmode; 1195 if (sp->pp_mode == 0) { 1196 ifp->if_flags |= IFF_RUNNING; 1197 lcp.Open(sp); 1198 } 1199 if (sp->pp_mode == IFF_CISCO) { 1200 if (sp->pp_tls) 1201 (sp->pp_tls)(sp); 1202 ifp->if_flags |= IFF_RUNNING; 1203 } 1204 } 1205 1206 break; 1207 1208 #ifdef SIOCSIFMTU 1209 #ifndef ifr_mtu 1210 #define ifr_mtu ifr_metric 1211 #endif 1212 case SIOCSIFMTU: 1213 if (ifr->ifr_mtu < 128 || ifr->ifr_mtu > sp->lcp.their_mru) 1214 return (EINVAL); 1215 ifp->if_mtu = ifr->ifr_mtu; 1216 break; 1217 #endif 1218 #ifdef SLIOCSETMTU 1219 case SLIOCSETMTU: 1220 if (*(short*)data < 128 || *(short*)data > sp->lcp.their_mru) 1221 return (EINVAL); 1222 ifp->if_mtu = *(short*)data; 1223 break; 1224 #endif 1225 #ifdef SIOCGIFMTU 1226 case SIOCGIFMTU: 1227 ifr->ifr_mtu = ifp->if_mtu; 1228 break; 1229 #endif 1230 #ifdef SLIOCGETMTU 1231 case SLIOCGETMTU: 1232 *(short*)data = ifp->if_mtu; 1233 break; 1234 #endif 1235 case SIOCADDMULTI: 1236 case SIOCDELMULTI: 1237 break; 1238 1239 case SIOCGIFGENERIC: 1240 case SIOCSIFGENERIC: 1241 rv = sppp_params(sp, cmd, data); 1242 break; 1243 1244 default: 1245 rv = ENOTTY; 1246 } 1247 1248 crit_exit(); 1249 return rv; 1250 } 1251 1252 /* 1253 * Cisco framing implementation. 1254 */ 1255 1256 /* 1257 * Handle incoming Cisco keepalive protocol packets. 1258 */ 1259 static void 1260 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1261 { 1262 STDDCL; 1263 struct cisco_packet *h; 1264 u_long me, mymask; 1265 1266 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1267 if (debug) 1268 log(LOG_DEBUG, 1269 SPP_FMT "cisco invalid packet length: %d bytes\n", 1270 SPP_ARGS(ifp), m->m_pkthdr.len); 1271 return; 1272 } 1273 h = mtod (m, struct cisco_packet*); 1274 if (debug) 1275 log(LOG_DEBUG, 1276 SPP_FMT "cisco input: %d bytes " 1277 "<0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n", 1278 SPP_ARGS(ifp), m->m_pkthdr.len, 1279 (u_long)ntohl (h->type), (u_long)h->par1, (u_long)h->par2, (u_int)h->rel, 1280 (u_int)h->time0, (u_int)h->time1); 1281 switch (ntohl (h->type)) { 1282 default: 1283 if (debug) 1284 log(-1, SPP_FMT "cisco unknown packet type: 0x%lx\n", 1285 SPP_ARGS(ifp), (u_long)ntohl (h->type)); 1286 break; 1287 case CISCO_ADDR_REPLY: 1288 /* Reply on address request, ignore */ 1289 break; 1290 case CISCO_KEEPALIVE_REQ: 1291 sp->pp_alivecnt = 0; 1292 sp->pp_rseq[IDX_LCP] = ntohl (h->par1); 1293 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1294 /* Local and remote sequence numbers are equal. 1295 * Probably, the line is in loopback mode. */ 1296 if (sp->pp_loopcnt >= MAXALIVECNT) { 1297 kprintf (SPP_FMT "loopback\n", 1298 SPP_ARGS(ifp)); 1299 sp->pp_loopcnt = 0; 1300 if (ifp->if_flags & IFF_UP) { 1301 if_down (ifp); 1302 IF_DRAIN(&sp->pp_cpq); 1303 } 1304 } 1305 ++sp->pp_loopcnt; 1306 1307 /* Generate new local sequence number */ 1308 #if defined(__DragonFly__) 1309 sp->pp_seq[IDX_LCP] = krandom(); 1310 #else 1311 sp->pp_seq[IDX_LCP] ^= time.tv_sec ^ time.tv_usec; 1312 #endif 1313 break; 1314 } 1315 sp->pp_loopcnt = 0; 1316 if (! (ifp->if_flags & IFF_UP) && 1317 (ifp->if_flags & IFF_RUNNING)) { 1318 if_up(ifp); 1319 kprintf (SPP_FMT "up\n", SPP_ARGS(ifp)); 1320 } 1321 break; 1322 case CISCO_ADDR_REQ: 1323 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1324 if (me != 0L) 1325 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1326 break; 1327 } 1328 } 1329 1330 /* 1331 * Send Cisco keepalive packet. 1332 */ 1333 static void 1334 sppp_cisco_send(struct sppp *sp, int type, long par1, long par2) 1335 { 1336 STDDCL; 1337 struct ppp_header *h; 1338 struct cisco_packet *ch; 1339 struct mbuf *m; 1340 #if defined(__DragonFly__) 1341 struct timeval tv; 1342 #else 1343 u_long t = (time.tv_sec - boottime.tv_sec) * 1000; 1344 #endif 1345 1346 #if defined(__DragonFly__) 1347 getmicrouptime(&tv); 1348 #endif 1349 1350 MGETHDR (m, MB_DONTWAIT, MT_DATA); 1351 if (! m) 1352 return; 1353 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1354 m->m_pkthdr.rcvif = 0; 1355 1356 h = mtod (m, struct ppp_header*); 1357 h->address = CISCO_MULTICAST; 1358 h->control = 0; 1359 h->protocol = htons (CISCO_KEEPALIVE); 1360 1361 ch = (struct cisco_packet*) (h + 1); 1362 ch->type = htonl (type); 1363 ch->par1 = htonl (par1); 1364 ch->par2 = htonl (par2); 1365 ch->rel = -1; 1366 1367 #if defined(__DragonFly__) 1368 ch->time0 = htons ((u_short) (tv.tv_sec >> 16)); 1369 ch->time1 = htons ((u_short) tv.tv_sec); 1370 #else 1371 ch->time0 = htons ((u_short) (t >> 16)); 1372 ch->time1 = htons ((u_short) t); 1373 #endif 1374 1375 if (debug) 1376 log(LOG_DEBUG, 1377 SPP_FMT "cisco output: <0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n", 1378 SPP_ARGS(ifp), (u_long)ntohl (ch->type), (u_long)ch->par1, 1379 (u_long)ch->par2, (u_int)ch->rel, (u_int)ch->time0, (u_int)ch->time1); 1380 1381 if (IF_QFULL (&sp->pp_cpq)) { 1382 IF_DROP (&sp->pp_fastq); 1383 IF_DROP (&ifp->if_snd); 1384 m_freem (m); 1385 } else 1386 IF_ENQUEUE (&sp->pp_cpq, m); 1387 if (! (ifp->if_flags & IFF_OACTIVE)) 1388 (*ifp->if_start) (ifp); 1389 ifp->if_obytes += m->m_pkthdr.len + 3; 1390 } 1391 1392 /* 1393 * PPP protocol implementation. 1394 */ 1395 1396 /* 1397 * Send PPP control protocol packet. 1398 */ 1399 static void 1400 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1401 u_char ident, u_short len, void *data) 1402 { 1403 STDDCL; 1404 struct ppp_header *h; 1405 struct lcp_header *lh; 1406 struct mbuf *m; 1407 1408 if (len > MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN) 1409 len = MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN; 1410 MGETHDR (m, MB_DONTWAIT, MT_DATA); 1411 if (! m) 1412 return; 1413 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + LCP_HEADER_LEN + len; 1414 m->m_pkthdr.rcvif = 0; 1415 1416 h = mtod (m, struct ppp_header*); 1417 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1418 h->control = PPP_UI; /* Unnumbered Info */ 1419 h->protocol = htons (proto); /* Link Control Protocol */ 1420 1421 lh = (struct lcp_header*) (h + 1); 1422 lh->type = type; 1423 lh->ident = ident; 1424 lh->len = htons (LCP_HEADER_LEN + len); 1425 if (len) 1426 bcopy (data, lh+1, len); 1427 1428 if (debug) { 1429 log(LOG_DEBUG, SPP_FMT "%s output <%s id=0x%x len=%d", 1430 SPP_ARGS(ifp), 1431 sppp_proto_name(proto), 1432 sppp_cp_type_name (lh->type), lh->ident, 1433 ntohs (lh->len)); 1434 sppp_print_bytes ((u_char*) (lh+1), len); 1435 log(-1, ">\n"); 1436 } 1437 if (IF_QFULL (&sp->pp_cpq)) { 1438 IF_DROP (&sp->pp_fastq); 1439 IF_DROP (&ifp->if_snd); 1440 m_freem (m); 1441 ++ifp->if_oerrors; 1442 } else 1443 IF_ENQUEUE (&sp->pp_cpq, m); 1444 if (! (ifp->if_flags & IFF_OACTIVE)) 1445 (*ifp->if_start) (ifp); 1446 ifp->if_obytes += m->m_pkthdr.len + 3; 1447 } 1448 1449 /* 1450 * Handle incoming PPP control protocol packets. 1451 */ 1452 static void 1453 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1454 { 1455 STDDCL; 1456 struct lcp_header *h; 1457 int printlen, len = m->m_pkthdr.len; 1458 int rv; 1459 u_char *p; 1460 1461 if (len < 4) { 1462 if (debug) 1463 log(LOG_DEBUG, 1464 SPP_FMT "%s invalid packet length: %d bytes\n", 1465 SPP_ARGS(ifp), cp->name, len); 1466 return; 1467 } 1468 h = mtod (m, struct lcp_header*); 1469 if (debug) { 1470 printlen = ntohs(h->len); 1471 log(LOG_DEBUG, 1472 SPP_FMT "%s input(%s): <%s id=0x%x len=%d", 1473 SPP_ARGS(ifp), cp->name, 1474 sppp_state_name(sp->state[cp->protoidx]), 1475 sppp_cp_type_name (h->type), h->ident, printlen); 1476 if (len < printlen) 1477 printlen = len; 1478 if (printlen > 4) 1479 sppp_print_bytes ((u_char*) (h+1), printlen - 4); 1480 log(-1, ">\n"); 1481 } 1482 if (len > ntohs (h->len)) 1483 len = ntohs (h->len); 1484 p = (u_char *)(h + 1); 1485 switch (h->type) { 1486 case CONF_REQ: 1487 if (len < 4) { 1488 if (debug) 1489 log(-1, SPP_FMT "%s invalid conf-req length %d\n", 1490 SPP_ARGS(ifp), cp->name, 1491 len); 1492 ++ifp->if_ierrors; 1493 break; 1494 } 1495 /* handle states where RCR doesn't get a SCA/SCN */ 1496 switch (sp->state[cp->protoidx]) { 1497 case STATE_CLOSING: 1498 case STATE_STOPPING: 1499 return; 1500 case STATE_CLOSED: 1501 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1502 0, 0); 1503 return; 1504 } 1505 rv = (cp->RCR)(sp, h, len); 1506 if (rv < 0) { 1507 /* fatal error, shut down */ 1508 (cp->tld)(sp); 1509 sppp_lcp_tlf(sp); 1510 return; 1511 } 1512 switch (sp->state[cp->protoidx]) { 1513 case STATE_OPENED: 1514 (cp->tld)(sp); 1515 (cp->scr)(sp); 1516 /* fall through... */ 1517 case STATE_ACK_SENT: 1518 case STATE_REQ_SENT: 1519 /* 1520 * sppp_cp_change_state() have the side effect of 1521 * restarting the timeouts. We want to avoid that 1522 * if the state don't change, otherwise we won't 1523 * ever timeout and resend a configuration request 1524 * that got lost. 1525 */ 1526 if (sp->state[cp->protoidx] == (rv ? STATE_ACK_SENT: 1527 STATE_REQ_SENT)) 1528 break; 1529 sppp_cp_change_state(cp, sp, rv? 1530 STATE_ACK_SENT: STATE_REQ_SENT); 1531 break; 1532 case STATE_STOPPED: 1533 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1534 (cp->scr)(sp); 1535 sppp_cp_change_state(cp, sp, rv? 1536 STATE_ACK_SENT: STATE_REQ_SENT); 1537 break; 1538 case STATE_ACK_RCVD: 1539 if (rv) { 1540 sppp_cp_change_state(cp, sp, STATE_OPENED); 1541 if (debug) 1542 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 1543 SPP_ARGS(ifp), 1544 cp->name); 1545 (cp->tlu)(sp); 1546 } else 1547 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1548 break; 1549 default: 1550 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1551 SPP_ARGS(ifp), cp->name, 1552 sppp_cp_type_name(h->type), 1553 sppp_state_name(sp->state[cp->protoidx])); 1554 ++ifp->if_ierrors; 1555 } 1556 break; 1557 case CONF_ACK: 1558 if (h->ident != sp->confid[cp->protoidx]) { 1559 if (debug) 1560 log(-1, SPP_FMT "%s id mismatch 0x%x != 0x%x\n", 1561 SPP_ARGS(ifp), cp->name, 1562 h->ident, sp->confid[cp->protoidx]); 1563 ++ifp->if_ierrors; 1564 break; 1565 } 1566 switch (sp->state[cp->protoidx]) { 1567 case STATE_CLOSED: 1568 case STATE_STOPPED: 1569 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1570 break; 1571 case STATE_CLOSING: 1572 case STATE_STOPPING: 1573 break; 1574 case STATE_REQ_SENT: 1575 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1576 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1577 break; 1578 case STATE_OPENED: 1579 (cp->tld)(sp); 1580 /* fall through */ 1581 case STATE_ACK_RCVD: 1582 (cp->scr)(sp); 1583 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1584 break; 1585 case STATE_ACK_SENT: 1586 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1587 sppp_cp_change_state(cp, sp, STATE_OPENED); 1588 if (debug) 1589 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 1590 SPP_ARGS(ifp), cp->name); 1591 (cp->tlu)(sp); 1592 break; 1593 default: 1594 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1595 SPP_ARGS(ifp), cp->name, 1596 sppp_cp_type_name(h->type), 1597 sppp_state_name(sp->state[cp->protoidx])); 1598 ++ifp->if_ierrors; 1599 } 1600 break; 1601 case CONF_NAK: 1602 case CONF_REJ: 1603 if (h->ident != sp->confid[cp->protoidx]) { 1604 if (debug) 1605 log(-1, SPP_FMT "%s id mismatch 0x%x != 0x%x\n", 1606 SPP_ARGS(ifp), cp->name, 1607 h->ident, sp->confid[cp->protoidx]); 1608 ++ifp->if_ierrors; 1609 break; 1610 } 1611 if (h->type == CONF_NAK) 1612 (cp->RCN_nak)(sp, h, len); 1613 else /* CONF_REJ */ 1614 (cp->RCN_rej)(sp, h, len); 1615 1616 switch (sp->state[cp->protoidx]) { 1617 case STATE_CLOSED: 1618 case STATE_STOPPED: 1619 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1620 break; 1621 case STATE_REQ_SENT: 1622 case STATE_ACK_SENT: 1623 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1624 /* 1625 * Slow things down a bit if we think we might be 1626 * in loopback. Depend on the timeout to send the 1627 * next configuration request. 1628 */ 1629 if (sp->pp_loopcnt) 1630 break; 1631 (cp->scr)(sp); 1632 break; 1633 case STATE_OPENED: 1634 (cp->tld)(sp); 1635 /* fall through */ 1636 case STATE_ACK_RCVD: 1637 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1638 (cp->scr)(sp); 1639 break; 1640 case STATE_CLOSING: 1641 case STATE_STOPPING: 1642 break; 1643 default: 1644 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1645 SPP_ARGS(ifp), cp->name, 1646 sppp_cp_type_name(h->type), 1647 sppp_state_name(sp->state[cp->protoidx])); 1648 ++ifp->if_ierrors; 1649 } 1650 break; 1651 1652 case TERM_REQ: 1653 switch (sp->state[cp->protoidx]) { 1654 case STATE_ACK_RCVD: 1655 case STATE_ACK_SENT: 1656 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1657 /* fall through */ 1658 case STATE_CLOSED: 1659 case STATE_STOPPED: 1660 case STATE_CLOSING: 1661 case STATE_STOPPING: 1662 case STATE_REQ_SENT: 1663 sta: 1664 /* Send Terminate-Ack packet. */ 1665 if (debug) 1666 log(LOG_DEBUG, SPP_FMT "%s send terminate-ack\n", 1667 SPP_ARGS(ifp), cp->name); 1668 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1669 break; 1670 case STATE_OPENED: 1671 (cp->tld)(sp); 1672 sp->rst_counter[cp->protoidx] = 0; 1673 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1674 goto sta; 1675 break; 1676 default: 1677 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1678 SPP_ARGS(ifp), cp->name, 1679 sppp_cp_type_name(h->type), 1680 sppp_state_name(sp->state[cp->protoidx])); 1681 ++ifp->if_ierrors; 1682 } 1683 break; 1684 case TERM_ACK: 1685 switch (sp->state[cp->protoidx]) { 1686 case STATE_CLOSED: 1687 case STATE_STOPPED: 1688 case STATE_REQ_SENT: 1689 case STATE_ACK_SENT: 1690 break; 1691 case STATE_CLOSING: 1692 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1693 (cp->tlf)(sp); 1694 break; 1695 case STATE_STOPPING: 1696 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1697 (cp->tlf)(sp); 1698 break; 1699 case STATE_ACK_RCVD: 1700 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1701 break; 1702 case STATE_OPENED: 1703 (cp->tld)(sp); 1704 (cp->scr)(sp); 1705 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1706 break; 1707 default: 1708 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1709 SPP_ARGS(ifp), cp->name, 1710 sppp_cp_type_name(h->type), 1711 sppp_state_name(sp->state[cp->protoidx])); 1712 ++ifp->if_ierrors; 1713 } 1714 break; 1715 case CODE_REJ: 1716 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1717 log(LOG_INFO, 1718 SPP_FMT "%s: ignoring RXJ (%s) for proto 0x%x, " 1719 "danger will robinson\n", 1720 SPP_ARGS(ifp), cp->name, 1721 sppp_cp_type_name(h->type), ntohs(*((u_short *)p))); 1722 switch (sp->state[cp->protoidx]) { 1723 case STATE_CLOSED: 1724 case STATE_STOPPED: 1725 case STATE_REQ_SENT: 1726 case STATE_ACK_SENT: 1727 case STATE_CLOSING: 1728 case STATE_STOPPING: 1729 case STATE_OPENED: 1730 break; 1731 case STATE_ACK_RCVD: 1732 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1733 break; 1734 default: 1735 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1736 SPP_ARGS(ifp), cp->name, 1737 sppp_cp_type_name(h->type), 1738 sppp_state_name(sp->state[cp->protoidx])); 1739 ++ifp->if_ierrors; 1740 } 1741 break; 1742 case PROTO_REJ: 1743 { 1744 int catastrophic; 1745 const struct cp *upper; 1746 int i; 1747 u_int16_t proto; 1748 1749 catastrophic = 0; 1750 upper = NULL; 1751 proto = ntohs(*((u_int16_t *)p)); 1752 for (i = 0; i < IDX_COUNT; i++) { 1753 if (cps[i]->proto == proto) { 1754 upper = cps[i]; 1755 break; 1756 } 1757 } 1758 if (upper == NULL) 1759 catastrophic++; 1760 1761 if (catastrophic || debug) 1762 log(catastrophic? LOG_INFO: LOG_DEBUG, 1763 SPP_FMT "%s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1764 SPP_ARGS(ifp), cp->name, catastrophic ? '-' : '+', 1765 sppp_cp_type_name(h->type), proto, 1766 upper ? upper->name : "unknown", 1767 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1768 1769 /* 1770 * if we got RXJ+ against conf-req, the peer does not implement 1771 * this particular protocol type. terminate the protocol. 1772 */ 1773 if (upper && !catastrophic) { 1774 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1775 upper->Close(sp); 1776 break; 1777 } 1778 } 1779 1780 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1781 switch (sp->state[cp->protoidx]) { 1782 case STATE_CLOSED: 1783 case STATE_STOPPED: 1784 case STATE_REQ_SENT: 1785 case STATE_ACK_SENT: 1786 case STATE_CLOSING: 1787 case STATE_STOPPING: 1788 case STATE_OPENED: 1789 break; 1790 case STATE_ACK_RCVD: 1791 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1792 break; 1793 default: 1794 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1795 SPP_ARGS(ifp), cp->name, 1796 sppp_cp_type_name(h->type), 1797 sppp_state_name(sp->state[cp->protoidx])); 1798 ++ifp->if_ierrors; 1799 } 1800 break; 1801 } 1802 case DISC_REQ: 1803 if (cp->proto != PPP_LCP) 1804 goto illegal; 1805 /* Discard the packet. */ 1806 break; 1807 case ECHO_REQ: 1808 if (cp->proto != PPP_LCP) 1809 goto illegal; 1810 if (sp->state[cp->protoidx] != STATE_OPENED) { 1811 if (debug) 1812 log(-1, SPP_FMT "lcp echo req but lcp closed\n", 1813 SPP_ARGS(ifp)); 1814 ++ifp->if_ierrors; 1815 break; 1816 } 1817 if (len < 8) { 1818 if (debug) 1819 log(-1, SPP_FMT "invalid lcp echo request " 1820 "packet length: %d bytes\n", 1821 SPP_ARGS(ifp), len); 1822 break; 1823 } 1824 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 1825 ntohl (*(long*)(h+1)) == sp->lcp.magic) { 1826 /* Line loopback mode detected. */ 1827 kprintf(SPP_FMT "loopback\n", SPP_ARGS(ifp)); 1828 sp->pp_loopcnt = MAXALIVECNT * 5; 1829 if_down (ifp); 1830 IF_DRAIN(&sp->pp_cpq); 1831 1832 /* Shut down the PPP link. */ 1833 /* XXX */ 1834 lcp.Down(sp); 1835 lcp.Up(sp); 1836 break; 1837 } 1838 *(long*)(h+1) = htonl (sp->lcp.magic); 1839 if (debug) 1840 log(-1, SPP_FMT "got lcp echo req, sending echo rep\n", 1841 SPP_ARGS(ifp)); 1842 sppp_cp_send (sp, PPP_LCP, ECHO_REPLY, h->ident, len-4, h+1); 1843 break; 1844 case ECHO_REPLY: 1845 if (cp->proto != PPP_LCP) 1846 goto illegal; 1847 if (h->ident != sp->lcp.echoid) { 1848 ++ifp->if_ierrors; 1849 break; 1850 } 1851 if (len < 8) { 1852 if (debug) 1853 log(-1, SPP_FMT "lcp invalid echo reply " 1854 "packet length: %d bytes\n", 1855 SPP_ARGS(ifp), len); 1856 break; 1857 } 1858 if (debug) 1859 log(-1, SPP_FMT "lcp got echo rep\n", 1860 SPP_ARGS(ifp)); 1861 if (!(sp->lcp.opts & (1 << LCP_OPT_MAGIC)) || 1862 ntohl (*(long*)(h+1)) != sp->lcp.magic) 1863 sp->pp_alivecnt = 0; 1864 break; 1865 default: 1866 /* Unknown packet type -- send Code-Reject packet. */ 1867 illegal: 1868 if (debug) 1869 log(-1, SPP_FMT "%s send code-rej for 0x%x\n", 1870 SPP_ARGS(ifp), cp->name, h->type); 1871 sppp_cp_send(sp, cp->proto, CODE_REJ, 1872 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1873 ++ifp->if_ierrors; 1874 } 1875 } 1876 1877 1878 /* 1879 * The generic part of all Up/Down/Open/Close/TO event handlers. 1880 * Basically, the state transition handling in the automaton. 1881 */ 1882 static void 1883 sppp_up_event(const struct cp *cp, struct sppp *sp) 1884 { 1885 STDDCL; 1886 1887 if (debug) 1888 log(LOG_DEBUG, SPP_FMT "%s up(%s)\n", 1889 SPP_ARGS(ifp), cp->name, 1890 sppp_state_name(sp->state[cp->protoidx])); 1891 1892 switch (sp->state[cp->protoidx]) { 1893 case STATE_INITIAL: 1894 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1895 break; 1896 case STATE_STARTING: 1897 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1898 (cp->scr)(sp); 1899 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1900 break; 1901 default: 1902 kprintf(SPP_FMT "%s illegal up in state %s\n", 1903 SPP_ARGS(ifp), cp->name, 1904 sppp_state_name(sp->state[cp->protoidx])); 1905 } 1906 } 1907 1908 static void 1909 sppp_down_event(const struct cp *cp, struct sppp *sp) 1910 { 1911 STDDCL; 1912 1913 if (debug) 1914 log(LOG_DEBUG, SPP_FMT "%s down(%s)\n", 1915 SPP_ARGS(ifp), cp->name, 1916 sppp_state_name(sp->state[cp->protoidx])); 1917 1918 switch (sp->state[cp->protoidx]) { 1919 case STATE_CLOSED: 1920 case STATE_CLOSING: 1921 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1922 break; 1923 case STATE_STOPPED: 1924 sppp_cp_change_state(cp, sp, STATE_STARTING); 1925 (cp->tls)(sp); 1926 break; 1927 case STATE_STOPPING: 1928 case STATE_REQ_SENT: 1929 case STATE_ACK_RCVD: 1930 case STATE_ACK_SENT: 1931 sppp_cp_change_state(cp, sp, STATE_STARTING); 1932 break; 1933 case STATE_OPENED: 1934 (cp->tld)(sp); 1935 sppp_cp_change_state(cp, sp, STATE_STARTING); 1936 break; 1937 default: 1938 kprintf(SPP_FMT "%s illegal down in state %s\n", 1939 SPP_ARGS(ifp), cp->name, 1940 sppp_state_name(sp->state[cp->protoidx])); 1941 } 1942 } 1943 1944 1945 static void 1946 sppp_open_event(const struct cp *cp, struct sppp *sp) 1947 { 1948 STDDCL; 1949 1950 if (debug) 1951 log(LOG_DEBUG, SPP_FMT "%s open(%s)\n", 1952 SPP_ARGS(ifp), cp->name, 1953 sppp_state_name(sp->state[cp->protoidx])); 1954 1955 switch (sp->state[cp->protoidx]) { 1956 case STATE_INITIAL: 1957 sppp_cp_change_state(cp, sp, STATE_STARTING); 1958 (cp->tls)(sp); 1959 break; 1960 case STATE_STARTING: 1961 break; 1962 case STATE_CLOSED: 1963 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1964 (cp->scr)(sp); 1965 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1966 break; 1967 case STATE_STOPPED: 1968 /* 1969 * Try escaping stopped state. This seems to bite 1970 * people occasionally, in particular for IPCP, 1971 * presumably following previous IPCP negotiation 1972 * aborts. Somehow, we must have missed a Down event 1973 * which would have caused a transition into starting 1974 * state, so as a bandaid we force the Down event now. 1975 * This effectively implements (something like the) 1976 * `restart' option mentioned in the state transition 1977 * table of RFC 1661. 1978 */ 1979 sppp_cp_change_state(cp, sp, STATE_STARTING); 1980 (cp->tls)(sp); 1981 break; 1982 case STATE_STOPPING: 1983 case STATE_REQ_SENT: 1984 case STATE_ACK_RCVD: 1985 case STATE_ACK_SENT: 1986 case STATE_OPENED: 1987 break; 1988 case STATE_CLOSING: 1989 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1990 break; 1991 } 1992 } 1993 1994 1995 static void 1996 sppp_close_event(const struct cp *cp, struct sppp *sp) 1997 { 1998 STDDCL; 1999 2000 if (debug) 2001 log(LOG_DEBUG, SPP_FMT "%s close(%s)\n", 2002 SPP_ARGS(ifp), cp->name, 2003 sppp_state_name(sp->state[cp->protoidx])); 2004 2005 switch (sp->state[cp->protoidx]) { 2006 case STATE_INITIAL: 2007 case STATE_CLOSED: 2008 case STATE_CLOSING: 2009 break; 2010 case STATE_STARTING: 2011 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2012 (cp->tlf)(sp); 2013 break; 2014 case STATE_STOPPED: 2015 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2016 break; 2017 case STATE_STOPPING: 2018 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2019 break; 2020 case STATE_OPENED: 2021 (cp->tld)(sp); 2022 /* fall through */ 2023 case STATE_REQ_SENT: 2024 case STATE_ACK_RCVD: 2025 case STATE_ACK_SENT: 2026 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 2027 sppp_cp_send(sp, cp->proto, TERM_REQ, 2028 ++sp->pp_seq[cp->protoidx], 0, 0); 2029 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2030 break; 2031 } 2032 } 2033 2034 static void 2035 sppp_to_event(const struct cp *cp, struct sppp *sp) 2036 { 2037 STDDCL; 2038 2039 crit_enter(); 2040 2041 if (debug) 2042 log(LOG_DEBUG, SPP_FMT "%s TO(%s) rst_counter = %d\n", 2043 SPP_ARGS(ifp), cp->name, 2044 sppp_state_name(sp->state[cp->protoidx]), 2045 sp->rst_counter[cp->protoidx]); 2046 2047 if (--sp->rst_counter[cp->protoidx] < 0) 2048 /* TO- event */ 2049 switch (sp->state[cp->protoidx]) { 2050 case STATE_CLOSING: 2051 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2052 (cp->tlf)(sp); 2053 break; 2054 case STATE_STOPPING: 2055 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2056 (cp->tlf)(sp); 2057 break; 2058 case STATE_REQ_SENT: 2059 case STATE_ACK_RCVD: 2060 case STATE_ACK_SENT: 2061 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2062 (cp->tlf)(sp); 2063 break; 2064 } 2065 else 2066 /* TO+ event */ 2067 switch (sp->state[cp->protoidx]) { 2068 case STATE_CLOSING: 2069 case STATE_STOPPING: 2070 sppp_cp_send(sp, cp->proto, TERM_REQ, 2071 ++sp->pp_seq[cp->protoidx], 0, 0); 2072 callout_reset(&sp->timeout[cp->protoidx], 2073 sp->lcp.timeout, cp->TO, sp); 2074 break; 2075 case STATE_REQ_SENT: 2076 case STATE_ACK_RCVD: 2077 (cp->scr)(sp); 2078 /* sppp_cp_change_state() will restart the timer */ 2079 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2080 break; 2081 case STATE_ACK_SENT: 2082 (cp->scr)(sp); 2083 callout_reset(&sp->timeout[cp->protoidx], 2084 sp->lcp.timeout, cp->TO, sp); 2085 break; 2086 } 2087 2088 crit_exit(); 2089 } 2090 2091 /* 2092 * Change the state of a control protocol in the state automaton. 2093 * Takes care of starting/stopping the restart timer. 2094 */ 2095 void 2096 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2097 { 2098 sp->state[cp->protoidx] = newstate; 2099 callout_stop(&sp->timeout[cp->protoidx]); 2100 2101 switch (newstate) { 2102 case STATE_INITIAL: 2103 case STATE_STARTING: 2104 case STATE_CLOSED: 2105 case STATE_STOPPED: 2106 case STATE_OPENED: 2107 break; 2108 case STATE_CLOSING: 2109 case STATE_STOPPING: 2110 case STATE_REQ_SENT: 2111 case STATE_ACK_RCVD: 2112 case STATE_ACK_SENT: 2113 callout_reset(&sp->timeout[cp->protoidx], 2114 sp->lcp.timeout, cp->TO, sp); 2115 break; 2116 } 2117 } 2118 2119 /* 2120 *--------------------------------------------------------------------------* 2121 * * 2122 * The LCP implementation. * 2123 * * 2124 *--------------------------------------------------------------------------* 2125 */ 2126 static void 2127 sppp_lcp_init(struct sppp *sp) 2128 { 2129 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2130 sp->lcp.magic = 0; 2131 sp->state[IDX_LCP] = STATE_INITIAL; 2132 sp->fail_counter[IDX_LCP] = 0; 2133 sp->pp_seq[IDX_LCP] = 0; 2134 sp->pp_rseq[IDX_LCP] = 0; 2135 sp->lcp.protos = 0; 2136 sp->lcp.mru = sp->lcp.their_mru = PP_MTU; 2137 2138 /* Note that these values are relevant for all control protocols */ 2139 sp->lcp.timeout = 3 * hz; 2140 sp->lcp.max_terminate = 2; 2141 sp->lcp.max_configure = 10; 2142 sp->lcp.max_failure = 10; 2143 #if defined(__DragonFly__) 2144 callout_init(&sp->timeout[IDX_LCP]); 2145 #endif 2146 } 2147 2148 static void 2149 sppp_lcp_up(struct sppp *sp) 2150 { 2151 STDDCL; 2152 2153 sp->pp_alivecnt = 0; 2154 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2155 sp->lcp.magic = 0; 2156 sp->lcp.protos = 0; 2157 sp->lcp.mru = sp->lcp.their_mru = PP_MTU; 2158 /* 2159 * If this interface is passive or dial-on-demand, and we are 2160 * still in Initial state, it means we've got an incoming 2161 * call. Activate the interface. 2162 */ 2163 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2164 if (debug) 2165 log(LOG_DEBUG, 2166 SPP_FMT "Up event", SPP_ARGS(ifp)); 2167 ifp->if_flags |= IFF_RUNNING; 2168 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2169 if (debug) 2170 log(-1, "(incoming call)\n"); 2171 sp->pp_flags |= PP_CALLIN; 2172 lcp.Open(sp); 2173 } else if (debug) 2174 log(-1, "\n"); 2175 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2176 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2177 ifp->if_flags |= IFF_RUNNING; 2178 lcp.Open(sp); 2179 } 2180 2181 sppp_up_event(&lcp, sp); 2182 } 2183 2184 static void 2185 sppp_lcp_down(struct sppp *sp) 2186 { 2187 STDDCL; 2188 2189 sppp_down_event(&lcp, sp); 2190 2191 /* 2192 * If this is neither a dial-on-demand nor a passive 2193 * interface, simulate an ``ifconfig down'' action, so the 2194 * administrator can force a redial by another ``ifconfig 2195 * up''. XXX For leased line operation, should we immediately 2196 * try to reopen the connection here? 2197 */ 2198 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2199 log(LOG_INFO, 2200 SPP_FMT "Down event, taking interface down.\n", 2201 SPP_ARGS(ifp)); 2202 if_down(ifp); 2203 } else { 2204 if (debug) 2205 log(LOG_DEBUG, 2206 SPP_FMT "Down event (carrier loss)\n", 2207 SPP_ARGS(ifp)); 2208 sp->pp_flags &= ~PP_CALLIN; 2209 if (sp->state[IDX_LCP] != STATE_INITIAL) 2210 lcp.Close(sp); 2211 ifp->if_flags &= ~IFF_RUNNING; 2212 } 2213 } 2214 2215 static void 2216 sppp_lcp_open(struct sppp *sp) 2217 { 2218 /* 2219 * If we are authenticator, negotiate LCP_AUTH 2220 */ 2221 if (sp->hisauth.proto != 0) 2222 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2223 else 2224 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2225 sp->pp_flags &= ~PP_NEEDAUTH; 2226 sppp_open_event(&lcp, sp); 2227 } 2228 2229 static void 2230 sppp_lcp_close(struct sppp *sp) 2231 { 2232 sppp_close_event(&lcp, sp); 2233 } 2234 2235 static void 2236 sppp_lcp_TO(void *cookie) 2237 { 2238 sppp_to_event(&lcp, (struct sppp *)cookie); 2239 } 2240 2241 /* 2242 * Analyze a configure request. Return true if it was agreeable, and 2243 * caused action sca, false if it has been rejected or nak'ed, and 2244 * caused action scn. (The return value is used to make the state 2245 * transition decision in the state automaton.) 2246 */ 2247 static int 2248 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2249 { 2250 STDDCL; 2251 u_char *buf, *r, *p; 2252 int origlen, rlen; 2253 u_long nmagic; 2254 u_short authproto; 2255 2256 len -= 4; 2257 origlen = len; 2258 buf = r = kmalloc (len, M_TEMP, M_INTWAIT); 2259 2260 if (debug) 2261 log(LOG_DEBUG, SPP_FMT "lcp parse opts: ", 2262 SPP_ARGS(ifp)); 2263 2264 /* pass 1: check for things that need to be rejected */ 2265 p = (void*) (h+1); 2266 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2267 /* Sanity check option length */ 2268 if (p[1] > len) { 2269 /* Malicious option - drop immediately. 2270 * XXX Maybe we should just RXJ it? 2271 */ 2272 log(-1, "%s: received malicious LCP option 0x%02x, " 2273 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2274 p[0], p[1], len); 2275 goto drop; 2276 } 2277 if (debug) 2278 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2279 switch (*p) { 2280 case LCP_OPT_MAGIC: 2281 /* Magic number. */ 2282 if (len >= 6 && p[1] == 6) 2283 continue; 2284 if (debug) 2285 log(-1, "[invalid] "); 2286 break; 2287 case LCP_OPT_ASYNC_MAP: 2288 /* Async control character map. */ 2289 if (len >= 6 && p[1] == 6) 2290 continue; 2291 if (debug) 2292 log(-1, "[invalid] "); 2293 break; 2294 case LCP_OPT_MRU: 2295 /* Maximum receive unit. */ 2296 if (len >= 4 && p[1] == 4) 2297 continue; 2298 if (debug) 2299 log(-1, "[invalid] "); 2300 break; 2301 case LCP_OPT_AUTH_PROTO: 2302 if (len < 4) { 2303 if (debug) 2304 log(-1, "[invalid] "); 2305 break; 2306 } 2307 authproto = (p[2] << 8) + p[3]; 2308 if (authproto == PPP_CHAP && p[1] != 5) { 2309 if (debug) 2310 log(-1, "[invalid chap len] "); 2311 break; 2312 } 2313 if (sp->myauth.proto == 0) { 2314 /* we are not configured to do auth */ 2315 if (debug) 2316 log(-1, "[not configured] "); 2317 break; 2318 } 2319 /* 2320 * Remote want us to authenticate, remember this, 2321 * so we stay in PHASE_AUTHENTICATE after LCP got 2322 * up. 2323 */ 2324 sp->pp_flags |= PP_NEEDAUTH; 2325 continue; 2326 default: 2327 /* Others not supported. */ 2328 if (debug) 2329 log(-1, "[rej] "); 2330 break; 2331 } 2332 /* Add the option to rejected list. */ 2333 bcopy (p, r, p[1]); 2334 r += p[1]; 2335 rlen += p[1]; 2336 } 2337 if (rlen) { 2338 if (debug) 2339 log(-1, " send conf-rej\n"); 2340 sppp_cp_send (sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2341 return 0; 2342 } else if (debug) 2343 log(-1, "\n"); 2344 2345 /* 2346 * pass 2: check for option values that are unacceptable and 2347 * thus require to be nak'ed. 2348 */ 2349 if (debug) 2350 log(LOG_DEBUG, SPP_FMT "lcp parse opt values: ", 2351 SPP_ARGS(ifp)); 2352 2353 p = (void*) (h+1); 2354 len = origlen; 2355 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2356 if (debug) 2357 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2358 switch (*p) { 2359 case LCP_OPT_MAGIC: 2360 /* Magic number -- extract. */ 2361 nmagic = (u_long)p[2] << 24 | 2362 (u_long)p[3] << 16 | p[4] << 8 | p[5]; 2363 if (nmagic != sp->lcp.magic) { 2364 sp->pp_loopcnt = 0; 2365 if (debug) 2366 log(-1, "0x%lx ", nmagic); 2367 continue; 2368 } 2369 if (debug && sp->pp_loopcnt < MAXALIVECNT*5) 2370 log(-1, "[glitch] "); 2371 ++sp->pp_loopcnt; 2372 /* 2373 * We negate our magic here, and NAK it. If 2374 * we see it later in an NAK packet, we 2375 * suggest a new one. 2376 */ 2377 nmagic = ~sp->lcp.magic; 2378 /* Gonna NAK it. */ 2379 p[2] = nmagic >> 24; 2380 p[3] = nmagic >> 16; 2381 p[4] = nmagic >> 8; 2382 p[5] = nmagic; 2383 break; 2384 2385 case LCP_OPT_ASYNC_MAP: 2386 /* 2387 * Async control character map -- just ignore it. 2388 * 2389 * Quote from RFC 1662, chapter 6: 2390 * To enable this functionality, synchronous PPP 2391 * implementations MUST always respond to the 2392 * Async-Control-Character-Map Configuration 2393 * Option with the LCP Configure-Ack. However, 2394 * acceptance of the Configuration Option does 2395 * not imply that the synchronous implementation 2396 * will do any ACCM mapping. Instead, all such 2397 * octet mapping will be performed by the 2398 * asynchronous-to-synchronous converter. 2399 */ 2400 continue; 2401 2402 case LCP_OPT_MRU: 2403 /* 2404 * Maximum receive unit. Always agreeable, 2405 * but ignored by now. 2406 */ 2407 sp->lcp.their_mru = p[2] * 256 + p[3]; 2408 if (debug) 2409 log(-1, "%lu ", sp->lcp.their_mru); 2410 continue; 2411 2412 case LCP_OPT_AUTH_PROTO: 2413 authproto = (p[2] << 8) + p[3]; 2414 if (sp->myauth.proto != authproto) { 2415 /* not agreed, nak */ 2416 if (debug) 2417 log(-1, "[mine %s != his %s] ", 2418 sppp_proto_name(sp->hisauth.proto), 2419 sppp_proto_name(authproto)); 2420 p[2] = sp->myauth.proto >> 8; 2421 p[3] = sp->myauth.proto; 2422 break; 2423 } 2424 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2425 if (debug) 2426 log(-1, "[chap not MD5] "); 2427 p[4] = CHAP_MD5; 2428 break; 2429 } 2430 continue; 2431 } 2432 /* Add the option to nak'ed list. */ 2433 bcopy (p, r, p[1]); 2434 r += p[1]; 2435 rlen += p[1]; 2436 } 2437 if (rlen) { 2438 /* 2439 * Local and remote magics equal -- loopback? 2440 */ 2441 if (sp->pp_loopcnt >= MAXALIVECNT*5) { 2442 if (sp->pp_loopcnt == MAXALIVECNT*5) 2443 kprintf (SPP_FMT "loopback\n", 2444 SPP_ARGS(ifp)); 2445 if (ifp->if_flags & IFF_UP) { 2446 if_down(ifp); 2447 IF_DRAIN(&sp->pp_cpq); 2448 /* XXX ? */ 2449 lcp.Down(sp); 2450 lcp.Up(sp); 2451 } 2452 } else if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2453 if (debug) 2454 log(-1, " max_failure (%d) exceeded, " 2455 "send conf-rej\n", 2456 sp->lcp.max_failure); 2457 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2458 } else { 2459 if (debug) 2460 log(-1, " send conf-nak\n"); 2461 sppp_cp_send (sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2462 } 2463 } else { 2464 if (debug) 2465 log(-1, " send conf-ack\n"); 2466 sp->fail_counter[IDX_LCP] = 0; 2467 sp->pp_loopcnt = 0; 2468 sppp_cp_send (sp, PPP_LCP, CONF_ACK, 2469 h->ident, origlen, h+1); 2470 } 2471 2472 kfree (buf, M_TEMP); 2473 return (rlen == 0); 2474 2475 drop: 2476 kfree(buf, M_TEMP); 2477 return (-1); 2478 } 2479 2480 /* 2481 * Analyze the LCP Configure-Reject option list, and adjust our 2482 * negotiation. 2483 */ 2484 static void 2485 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2486 { 2487 STDDCL; 2488 u_char *buf, *p; 2489 2490 len -= 4; 2491 buf = kmalloc (len, M_TEMP, M_INTWAIT); 2492 2493 if (debug) 2494 log(LOG_DEBUG, SPP_FMT "lcp rej opts: ", 2495 SPP_ARGS(ifp)); 2496 2497 p = (void*) (h+1); 2498 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2499 /* Sanity check option length */ 2500 if (p[1] > len) { 2501 /* 2502 * Malicious option - drop immediately. 2503 * XXX Maybe we should just RXJ it? 2504 */ 2505 log(-1, "%s: received malicious LCP option, " 2506 "dropping.\n", ifp->if_xname); 2507 goto drop; 2508 } 2509 if (debug) 2510 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2511 switch (*p) { 2512 case LCP_OPT_MAGIC: 2513 /* Magic number -- can't use it, use 0 */ 2514 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2515 sp->lcp.magic = 0; 2516 break; 2517 case LCP_OPT_MRU: 2518 /* 2519 * Should not be rejected anyway, since we only 2520 * negotiate a MRU if explicitly requested by 2521 * peer. 2522 */ 2523 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2524 break; 2525 case LCP_OPT_AUTH_PROTO: 2526 /* 2527 * Peer doesn't want to authenticate himself, 2528 * deny unless this is a dialout call, and 2529 * AUTHFLAG_NOCALLOUT is set. 2530 */ 2531 if ((sp->pp_flags & PP_CALLIN) == 0 && 2532 (sp->hisauth.flags & AUTHFLAG_NOCALLOUT) != 0) { 2533 if (debug) 2534 log(-1, "[don't insist on auth " 2535 "for callout]"); 2536 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2537 break; 2538 } 2539 if (debug) 2540 log(-1, "[access denied]\n"); 2541 lcp.Close(sp); 2542 break; 2543 } 2544 } 2545 if (debug) 2546 log(-1, "\n"); 2547 drop: 2548 kfree (buf, M_TEMP); 2549 return; 2550 } 2551 2552 /* 2553 * Analyze the LCP Configure-NAK option list, and adjust our 2554 * negotiation. 2555 */ 2556 static void 2557 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2558 { 2559 STDDCL; 2560 u_char *buf, *p; 2561 u_long magic; 2562 2563 len -= 4; 2564 buf = kmalloc (len, M_TEMP, M_INTWAIT); 2565 2566 if (debug) 2567 log(LOG_DEBUG, SPP_FMT "lcp nak opts: ", 2568 SPP_ARGS(ifp)); 2569 2570 p = (void*) (h+1); 2571 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2572 /* Sanity check option length */ 2573 if (p[1] > len) { 2574 /* 2575 * Malicious option - drop immediately. 2576 * XXX Maybe we should just RXJ it? 2577 */ 2578 log(-1, "%s: received malicious LCP option, " 2579 "dropping.\n", ifp->if_xname); 2580 goto drop; 2581 } 2582 if (debug) 2583 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2584 switch (*p) { 2585 case LCP_OPT_MAGIC: 2586 /* Magic number -- renegotiate */ 2587 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2588 len >= 6 && p[1] == 6) { 2589 magic = (u_long)p[2] << 24 | 2590 (u_long)p[3] << 16 | p[4] << 8 | p[5]; 2591 /* 2592 * If the remote magic is our negated one, 2593 * this looks like a loopback problem. 2594 * Suggest a new magic to make sure. 2595 */ 2596 if (magic == ~sp->lcp.magic) { 2597 if (debug) 2598 log(-1, "magic glitch "); 2599 #if defined(__DragonFly__) 2600 sp->lcp.magic = krandom(); 2601 #else 2602 sp->lcp.magic = time.tv_sec + time.tv_usec; 2603 #endif 2604 } else { 2605 sp->lcp.magic = magic; 2606 if (debug) 2607 log(-1, "%lu ", magic); 2608 } 2609 } 2610 break; 2611 case LCP_OPT_MRU: 2612 /* 2613 * Peer wants to advise us to negotiate an MRU. 2614 * Agree on it if it's reasonable, or use 2615 * default otherwise. 2616 */ 2617 if (len >= 4 && p[1] == 4) { 2618 u_int mru = p[2] * 256 + p[3]; 2619 if (debug) 2620 log(-1, "%d ", mru); 2621 if (mru < PP_MTU || mru > PP_MAX_MRU) 2622 mru = PP_MTU; 2623 sp->lcp.mru = mru; 2624 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2625 } 2626 break; 2627 case LCP_OPT_AUTH_PROTO: 2628 /* 2629 * Peer doesn't like our authentication method, 2630 * deny. 2631 */ 2632 if (debug) 2633 log(-1, "[access denied]\n"); 2634 lcp.Close(sp); 2635 break; 2636 } 2637 } 2638 if (debug) 2639 log(-1, "\n"); 2640 drop: 2641 kfree (buf, M_TEMP); 2642 return; 2643 } 2644 2645 static void 2646 sppp_lcp_tlu(struct sppp *sp) 2647 { 2648 STDDCL; 2649 int i; 2650 u_long mask; 2651 2652 /* XXX ? */ 2653 if (! (ifp->if_flags & IFF_UP) && 2654 (ifp->if_flags & IFF_RUNNING)) { 2655 /* Coming out of loopback mode. */ 2656 if_up(ifp); 2657 kprintf (SPP_FMT "up\n", SPP_ARGS(ifp)); 2658 } 2659 2660 for (i = 0; i < IDX_COUNT; i++) 2661 if ((cps[i])->flags & CP_QUAL) 2662 (cps[i])->Open(sp); 2663 2664 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2665 (sp->pp_flags & PP_NEEDAUTH) != 0) 2666 sp->pp_phase = PHASE_AUTHENTICATE; 2667 else 2668 sp->pp_phase = PHASE_NETWORK; 2669 2670 if (debug) 2671 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2672 sppp_phase_name(sp->pp_phase)); 2673 2674 /* 2675 * Open all authentication protocols. This is even required 2676 * if we already proceeded to network phase, since it might be 2677 * that remote wants us to authenticate, so we might have to 2678 * send a PAP request. Undesired authentication protocols 2679 * don't do anything when they get an Open event. 2680 */ 2681 for (i = 0; i < IDX_COUNT; i++) 2682 if ((cps[i])->flags & CP_AUTH) 2683 (cps[i])->Open(sp); 2684 2685 if (sp->pp_phase == PHASE_NETWORK) { 2686 /* Notify all NCPs. */ 2687 for (i = 0; i < IDX_COUNT; i++) 2688 if (((cps[i])->flags & CP_NCP) && 2689 /* 2690 * XXX 2691 * Hack to administratively disable IPv6 if 2692 * not desired. Perhaps we should have another 2693 * flag for this, but right now, we can make 2694 * all struct cp's read/only. 2695 */ 2696 (cps[i] != &ipv6cp || 2697 (sp->confflags & CONF_ENABLE_IPV6))) 2698 (cps[i])->Open(sp); 2699 } 2700 2701 /* Send Up events to all started protos. */ 2702 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2703 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) 2704 (cps[i])->Up(sp); 2705 2706 /* notify low-level driver of state change */ 2707 if (sp->pp_chg) 2708 sp->pp_chg(sp, (int)sp->pp_phase); 2709 2710 if (sp->pp_phase == PHASE_NETWORK) 2711 /* if no NCP is starting, close down */ 2712 sppp_lcp_check_and_close(sp); 2713 } 2714 2715 static void 2716 sppp_lcp_tld(struct sppp *sp) 2717 { 2718 STDDCL; 2719 int i; 2720 u_long mask; 2721 2722 sp->pp_phase = PHASE_TERMINATE; 2723 2724 if (debug) 2725 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2726 sppp_phase_name(sp->pp_phase)); 2727 2728 /* 2729 * Take upper layers down. We send the Down event first and 2730 * the Close second to prevent the upper layers from sending 2731 * ``a flurry of terminate-request packets'', as the RFC 2732 * describes it. 2733 */ 2734 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2735 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2736 (cps[i])->Down(sp); 2737 (cps[i])->Close(sp); 2738 } 2739 } 2740 2741 static void 2742 sppp_lcp_tls(struct sppp *sp) 2743 { 2744 STDDCL; 2745 2746 sp->pp_phase = PHASE_ESTABLISH; 2747 2748 if (debug) 2749 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2750 sppp_phase_name(sp->pp_phase)); 2751 2752 /* Notify lower layer if desired. */ 2753 if (sp->pp_tls) 2754 (sp->pp_tls)(sp); 2755 else 2756 (sp->pp_up)(sp); 2757 } 2758 2759 static void 2760 sppp_lcp_tlf(struct sppp *sp) 2761 { 2762 STDDCL; 2763 2764 sp->pp_phase = PHASE_DEAD; 2765 if (debug) 2766 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2767 sppp_phase_name(sp->pp_phase)); 2768 2769 /* Notify lower layer if desired. */ 2770 if (sp->pp_tlf) 2771 (sp->pp_tlf)(sp); 2772 else 2773 (sp->pp_down)(sp); 2774 } 2775 2776 static void 2777 sppp_lcp_scr(struct sppp *sp) 2778 { 2779 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2780 int i = 0; 2781 u_short authproto; 2782 2783 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2784 if (! sp->lcp.magic) 2785 #if defined(__DragonFly__) 2786 sp->lcp.magic = krandom(); 2787 #else 2788 sp->lcp.magic = time.tv_sec + time.tv_usec; 2789 #endif 2790 opt[i++] = LCP_OPT_MAGIC; 2791 opt[i++] = 6; 2792 opt[i++] = sp->lcp.magic >> 24; 2793 opt[i++] = sp->lcp.magic >> 16; 2794 opt[i++] = sp->lcp.magic >> 8; 2795 opt[i++] = sp->lcp.magic; 2796 } 2797 2798 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2799 opt[i++] = LCP_OPT_MRU; 2800 opt[i++] = 4; 2801 opt[i++] = sp->lcp.mru >> 8; 2802 opt[i++] = sp->lcp.mru; 2803 } 2804 2805 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2806 authproto = sp->hisauth.proto; 2807 opt[i++] = LCP_OPT_AUTH_PROTO; 2808 opt[i++] = authproto == PPP_CHAP? 5: 4; 2809 opt[i++] = authproto >> 8; 2810 opt[i++] = authproto; 2811 if (authproto == PPP_CHAP) 2812 opt[i++] = CHAP_MD5; 2813 } 2814 2815 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2816 sppp_cp_send (sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2817 } 2818 2819 /* 2820 * Check the open NCPs, return true if at least one NCP is open. 2821 */ 2822 static int 2823 sppp_ncp_check(struct sppp *sp) 2824 { 2825 int i, mask; 2826 2827 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2828 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2829 return 1; 2830 return 0; 2831 } 2832 2833 /* 2834 * Re-check the open NCPs and see if we should terminate the link. 2835 * Called by the NCPs during their tlf action handling. 2836 */ 2837 static void 2838 sppp_lcp_check_and_close(struct sppp *sp) 2839 { 2840 2841 if (sp->pp_phase < PHASE_NETWORK) 2842 /* don't bother, we are already going down */ 2843 return; 2844 2845 if (sppp_ncp_check(sp)) 2846 return; 2847 2848 lcp.Close(sp); 2849 } 2850 2851 /* 2852 *--------------------------------------------------------------------------* 2853 * * 2854 * The IPCP implementation. * 2855 * * 2856 *--------------------------------------------------------------------------* 2857 */ 2858 2859 static void 2860 sppp_ipcp_init(struct sppp *sp) 2861 { 2862 sp->ipcp.opts = 0; 2863 sp->ipcp.flags = 0; 2864 sp->state[IDX_IPCP] = STATE_INITIAL; 2865 sp->fail_counter[IDX_IPCP] = 0; 2866 sp->pp_seq[IDX_IPCP] = 0; 2867 sp->pp_rseq[IDX_IPCP] = 0; 2868 #if defined(__DragonFly__) 2869 callout_init(&sp->timeout[IDX_IPCP]); 2870 #endif 2871 } 2872 2873 static void 2874 sppp_ipcp_up(struct sppp *sp) 2875 { 2876 sppp_up_event(&ipcp, sp); 2877 } 2878 2879 static void 2880 sppp_ipcp_down(struct sppp *sp) 2881 { 2882 sppp_down_event(&ipcp, sp); 2883 } 2884 2885 static void 2886 sppp_ipcp_open(struct sppp *sp) 2887 { 2888 STDDCL; 2889 u_long myaddr, hisaddr; 2890 2891 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN | IPCP_MYADDR_SEEN | 2892 IPCP_MYADDR_DYN | IPCP_VJ); 2893 sp->ipcp.opts = 0; 2894 2895 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 2896 /* 2897 * If we don't have his address, this probably means our 2898 * interface doesn't want to talk IP at all. (This could 2899 * be the case if somebody wants to speak only IPX, for 2900 * example.) Don't open IPCP in this case. 2901 */ 2902 if (hisaddr == 0L) { 2903 /* XXX this message should go away */ 2904 if (debug) 2905 log(LOG_DEBUG, SPP_FMT "ipcp_open(): no IP interface\n", 2906 SPP_ARGS(ifp)); 2907 return; 2908 } 2909 if (myaddr == 0L) { 2910 /* 2911 * I don't have an assigned address, so i need to 2912 * negotiate my address. 2913 */ 2914 sp->ipcp.flags |= IPCP_MYADDR_DYN; 2915 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 2916 } else 2917 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 2918 if (sp->confflags & CONF_ENABLE_VJ) { 2919 sp->ipcp.opts |= (1 << IPCP_OPT_COMPRESSION); 2920 sp->ipcp.max_state = MAX_STATES - 1; 2921 sp->ipcp.compress_cid = 1; 2922 } 2923 sppp_open_event(&ipcp, sp); 2924 } 2925 2926 static void 2927 sppp_ipcp_close(struct sppp *sp) 2928 { 2929 sppp_close_event(&ipcp, sp); 2930 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 2931 /* 2932 * My address was dynamic, clear it again. 2933 */ 2934 sppp_set_ip_addr(sp, 0L); 2935 } 2936 2937 static void 2938 sppp_ipcp_TO(void *cookie) 2939 { 2940 sppp_to_event(&ipcp, (struct sppp *)cookie); 2941 } 2942 2943 /* 2944 * Analyze a configure request. Return true if it was agreeable, and 2945 * caused action sca, false if it has been rejected or nak'ed, and 2946 * caused action scn. (The return value is used to make the state 2947 * transition decision in the state automaton.) 2948 */ 2949 static int 2950 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2951 { 2952 u_char *buf, *r, *p; 2953 struct ifnet *ifp = &sp->pp_if; 2954 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 2955 u_long hisaddr, desiredaddr; 2956 int gotmyaddr = 0; 2957 int desiredcomp; 2958 2959 len -= 4; 2960 origlen = len; 2961 /* 2962 * Make sure to allocate a buf that can at least hold a 2963 * conf-nak with an `address' option. We might need it below. 2964 */ 2965 buf = r = kmalloc ((len < 6? 6: len), M_TEMP, M_INTWAIT); 2966 2967 /* pass 1: see if we can recognize them */ 2968 if (debug) 2969 log(LOG_DEBUG, SPP_FMT "ipcp parse opts: ", 2970 SPP_ARGS(ifp)); 2971 p = (void*) (h+1); 2972 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2973 /* Sanity check option length */ 2974 if (p[1] > len) { 2975 /* XXX should we just RXJ? */ 2976 log(-1, "%s: malicious IPCP option received, dropping\n", 2977 ifp->if_xname); 2978 goto drop; 2979 } 2980 if (debug) 2981 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 2982 switch (*p) { 2983 case IPCP_OPT_COMPRESSION: 2984 if (!(sp->confflags & CONF_ENABLE_VJ)) { 2985 /* VJ compression administratively disabled */ 2986 if (debug) 2987 log(-1, "[locally disabled] "); 2988 break; 2989 } 2990 /* 2991 * In theory, we should only conf-rej an 2992 * option that is shorter than RFC 1618 2993 * requires (i.e. < 4), and should conf-nak 2994 * anything else that is not VJ. However, 2995 * since our algorithm always uses the 2996 * original option to NAK it with new values, 2997 * things would become more complicated. In 2998 * pratice, the only commonly implemented IP 2999 * compression option is VJ anyway, so the 3000 * difference is negligible. 3001 */ 3002 if (len >= 6 && p[1] == 6) { 3003 /* 3004 * correctly formed compression option 3005 * that could be VJ compression 3006 */ 3007 continue; 3008 } 3009 if (debug) 3010 log(-1, "optlen %d [invalid/unsupported] ", 3011 p[1]); 3012 break; 3013 case IPCP_OPT_ADDRESS: 3014 if (len >= 6 && p[1] == 6) { 3015 /* correctly formed address option */ 3016 continue; 3017 } 3018 if (debug) 3019 log(-1, "[invalid] "); 3020 break; 3021 default: 3022 /* Others not supported. */ 3023 if (debug) 3024 log(-1, "[rej] "); 3025 break; 3026 } 3027 /* Add the option to rejected list. */ 3028 bcopy (p, r, p[1]); 3029 r += p[1]; 3030 rlen += p[1]; 3031 } 3032 if (rlen) { 3033 if (debug) 3034 log(-1, " send conf-rej\n"); 3035 sppp_cp_send (sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 3036 return 0; 3037 } else if (debug) 3038 log(-1, "\n"); 3039 3040 /* pass 2: parse option values */ 3041 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); 3042 if (debug) 3043 log(LOG_DEBUG, SPP_FMT "ipcp parse opt values: ", 3044 SPP_ARGS(ifp)); 3045 p = (void*) (h+1); 3046 len = origlen; 3047 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3048 if (debug) 3049 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3050 switch (*p) { 3051 case IPCP_OPT_COMPRESSION: 3052 desiredcomp = p[2] << 8 | p[3]; 3053 /* We only support VJ */ 3054 if (desiredcomp == IPCP_COMP_VJ) { 3055 if (debug) 3056 log(-1, "VJ [ack] "); 3057 sp->ipcp.flags |= IPCP_VJ; 3058 sl_compress_init(sp->pp_comp, p[4]); 3059 sp->ipcp.max_state = p[4]; 3060 sp->ipcp.compress_cid = p[5]; 3061 continue; 3062 } 3063 if (debug) 3064 log(-1, "compproto %#04x [not supported] ", 3065 desiredcomp); 3066 p[2] = IPCP_COMP_VJ >> 8; 3067 p[3] = IPCP_COMP_VJ; 3068 p[4] = sp->ipcp.max_state; 3069 p[5] = sp->ipcp.compress_cid; 3070 break; 3071 case IPCP_OPT_ADDRESS: 3072 /* This is the address he wants in his end */ 3073 desiredaddr = p[2] << 24 | p[3] << 16 | 3074 p[4] << 8 | p[5]; 3075 if (desiredaddr == hisaddr || 3076 (hisaddr >= 1 && hisaddr <= 254 && desiredaddr != 0)) { 3077 /* 3078 * Peer's address is same as our value, 3079 * or we have set it to 0.0.0.* to 3080 * indicate that we do not really care, 3081 * this is agreeable. Gonna conf-ack 3082 * it. 3083 */ 3084 if (debug) 3085 log(-1, "%s [ack] ", 3086 sppp_dotted_quad(hisaddr)); 3087 /* record that we've seen it already */ 3088 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 3089 continue; 3090 } 3091 /* 3092 * The address wasn't agreeable. This is either 3093 * he sent us 0.0.0.0, asking to assign him an 3094 * address, or he send us another address not 3095 * matching our value. Either case, we gonna 3096 * conf-nak it with our value. 3097 * XXX: we should "rej" if hisaddr == 0 3098 */ 3099 if (debug) { 3100 if (desiredaddr == 0) 3101 log(-1, "[addr requested] "); 3102 else 3103 log(-1, "%s [not agreed] ", 3104 sppp_dotted_quad(desiredaddr)); 3105 3106 } 3107 p[2] = hisaddr >> 24; 3108 p[3] = hisaddr >> 16; 3109 p[4] = hisaddr >> 8; 3110 p[5] = hisaddr; 3111 break; 3112 } 3113 /* Add the option to nak'ed list. */ 3114 bcopy (p, r, p[1]); 3115 r += p[1]; 3116 rlen += p[1]; 3117 } 3118 3119 /* 3120 * If we are about to conf-ack the request, but haven't seen 3121 * his address so far, gonna conf-nak it instead, with the 3122 * `address' option present and our idea of his address being 3123 * filled in there, to request negotiation of both addresses. 3124 * 3125 * XXX This can result in an endless req - nak loop if peer 3126 * doesn't want to send us his address. Q: What should we do 3127 * about it? XXX A: implement the max-failure counter. 3128 */ 3129 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN) && !gotmyaddr) { 3130 buf[0] = IPCP_OPT_ADDRESS; 3131 buf[1] = 6; 3132 buf[2] = hisaddr >> 24; 3133 buf[3] = hisaddr >> 16; 3134 buf[4] = hisaddr >> 8; 3135 buf[5] = hisaddr; 3136 rlen = 6; 3137 if (debug) 3138 log(-1, "still need hisaddr "); 3139 } 3140 3141 if (rlen) { 3142 if (debug) 3143 log(-1, " send conf-nak\n"); 3144 sppp_cp_send (sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3145 } else { 3146 if (debug) 3147 log(-1, " send conf-ack\n"); 3148 sppp_cp_send (sp, PPP_IPCP, CONF_ACK, 3149 h->ident, origlen, h+1); 3150 } 3151 3152 kfree (buf, M_TEMP); 3153 return (rlen == 0); 3154 3155 drop: 3156 kfree(buf, M_TEMP); 3157 return (-1); 3158 } 3159 3160 /* 3161 * Analyze the IPCP Configure-Reject option list, and adjust our 3162 * negotiation. 3163 */ 3164 static void 3165 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3166 { 3167 u_char *buf, *p; 3168 struct ifnet *ifp = &sp->pp_if; 3169 int debug = ifp->if_flags & IFF_DEBUG; 3170 3171 len -= 4; 3172 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3173 3174 if (debug) 3175 log(LOG_DEBUG, SPP_FMT "ipcp rej opts: ", 3176 SPP_ARGS(ifp)); 3177 3178 p = (void*) (h+1); 3179 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3180 /* Sanity check option length */ 3181 if (p[1] > len) { 3182 /* XXX should we just RXJ? */ 3183 log(-1, "%s: malicious IPCP option received, dropping\n", 3184 ifp->if_xname); 3185 goto drop; 3186 } 3187 if (debug) 3188 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3189 switch (*p) { 3190 case IPCP_OPT_COMPRESSION: 3191 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESSION); 3192 break; 3193 case IPCP_OPT_ADDRESS: 3194 /* 3195 * Peer doesn't grok address option. This is 3196 * bad. XXX Should we better give up here? 3197 * XXX We could try old "addresses" option... 3198 */ 3199 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3200 break; 3201 } 3202 } 3203 if (debug) 3204 log(-1, "\n"); 3205 drop: 3206 kfree (buf, M_TEMP); 3207 return; 3208 } 3209 3210 /* 3211 * Analyze the IPCP Configure-NAK option list, and adjust our 3212 * negotiation. 3213 */ 3214 static void 3215 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3216 { 3217 u_char *buf, *p; 3218 struct ifnet *ifp = &sp->pp_if; 3219 int debug = ifp->if_flags & IFF_DEBUG; 3220 int desiredcomp; 3221 u_long wantaddr; 3222 3223 len -= 4; 3224 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3225 3226 if (debug) 3227 log(LOG_DEBUG, SPP_FMT "ipcp nak opts: ", 3228 SPP_ARGS(ifp)); 3229 3230 p = (void*) (h+1); 3231 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3232 /* Sanity check option length */ 3233 if (p[1] > len) { 3234 /* XXX should we just RXJ? */ 3235 log(-1, "%s: malicious IPCP option received, dropping\n", 3236 ifp->if_xname); 3237 return; 3238 } 3239 if (debug) 3240 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3241 switch (*p) { 3242 case IPCP_OPT_COMPRESSION: 3243 if (len >= 6 && p[1] == 6) { 3244 desiredcomp = p[2] << 8 | p[3]; 3245 if (debug) 3246 log(-1, "[wantcomp %#04x] ", 3247 desiredcomp); 3248 if (desiredcomp == IPCP_COMP_VJ) { 3249 sl_compress_init(sp->pp_comp, p[4]); 3250 sp->ipcp.max_state = p[4]; 3251 sp->ipcp.compress_cid = p[5]; 3252 if (debug) 3253 log(-1, "[agree] "); 3254 } else 3255 sp->ipcp.opts &= 3256 ~(1 << IPCP_OPT_COMPRESSION); 3257 } 3258 break; 3259 case IPCP_OPT_ADDRESS: 3260 /* 3261 * Peer doesn't like our local IP address. See 3262 * if we can do something for him. We'll drop 3263 * him our address then. 3264 */ 3265 if (len >= 6 && p[1] == 6) { 3266 wantaddr = p[2] << 24 | p[3] << 16 | 3267 p[4] << 8 | p[5]; 3268 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3269 if (debug) 3270 log(-1, "[wantaddr %s] ", 3271 sppp_dotted_quad(wantaddr)); 3272 /* 3273 * When doing dynamic address assignment, 3274 * we accept his offer. Otherwise, we 3275 * ignore it and thus continue to negotiate 3276 * our already existing value. 3277 * XXX: Bogus, if he said no once, he'll 3278 * just say no again, might as well die. 3279 */ 3280 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3281 sppp_set_ip_addr(sp, wantaddr); 3282 if (debug) 3283 log(-1, "[agree] "); 3284 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3285 } 3286 } 3287 break; 3288 } 3289 } 3290 if (debug) 3291 log(-1, "\n"); 3292 kfree (buf, M_TEMP); 3293 return; 3294 } 3295 3296 static void 3297 sppp_ipcp_tlu(struct sppp *sp) 3298 { 3299 /* we are up - notify isdn daemon */ 3300 if (sp->pp_con) 3301 sp->pp_con(sp); 3302 } 3303 3304 static void 3305 sppp_ipcp_tld(struct sppp *sp) 3306 { 3307 } 3308 3309 static void 3310 sppp_ipcp_tls(struct sppp *sp) 3311 { 3312 /* indicate to LCP that it must stay alive */ 3313 sp->lcp.protos |= (1 << IDX_IPCP); 3314 } 3315 3316 static void 3317 sppp_ipcp_tlf(struct sppp *sp) 3318 { 3319 /* we no longer need LCP */ 3320 sp->lcp.protos &= ~(1 << IDX_IPCP); 3321 sppp_lcp_check_and_close(sp); 3322 } 3323 3324 static void 3325 sppp_ipcp_scr(struct sppp *sp) 3326 { 3327 char opt[6 /* compression */ + 6 /* address */]; 3328 u_long ouraddr; 3329 int i = 0; 3330 3331 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3332 opt[i++] = IPCP_OPT_COMPRESSION; 3333 opt[i++] = 6; 3334 opt[i++] = IPCP_COMP_VJ >> 8; 3335 opt[i++] = IPCP_COMP_VJ; 3336 opt[i++] = sp->ipcp.max_state; 3337 opt[i++] = sp->ipcp.compress_cid; 3338 } 3339 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3340 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3341 opt[i++] = IPCP_OPT_ADDRESS; 3342 opt[i++] = 6; 3343 opt[i++] = ouraddr >> 24; 3344 opt[i++] = ouraddr >> 16; 3345 opt[i++] = ouraddr >> 8; 3346 opt[i++] = ouraddr; 3347 } 3348 3349 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3350 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3351 } 3352 3353 /* 3354 *--------------------------------------------------------------------------* 3355 * * 3356 * The IPv6CP implementation. * 3357 * * 3358 *--------------------------------------------------------------------------* 3359 */ 3360 3361 #ifdef INET6 3362 static void 3363 sppp_ipv6cp_init(struct sppp *sp) 3364 { 3365 sp->ipv6cp.opts = 0; 3366 sp->ipv6cp.flags = 0; 3367 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3368 sp->fail_counter[IDX_IPV6CP] = 0; 3369 sp->pp_seq[IDX_IPV6CP] = 0; 3370 sp->pp_rseq[IDX_IPV6CP] = 0; 3371 #if defined(__NetBSD__) 3372 callout_init(&sp->ch[IDX_IPV6CP]); 3373 #endif 3374 #if defined(__DragonFly__) 3375 callout_init(&sp->timeout[IDX_IPV6CP]); 3376 #endif 3377 } 3378 3379 static void 3380 sppp_ipv6cp_up(struct sppp *sp) 3381 { 3382 sppp_up_event(&ipv6cp, sp); 3383 } 3384 3385 static void 3386 sppp_ipv6cp_down(struct sppp *sp) 3387 { 3388 sppp_down_event(&ipv6cp, sp); 3389 } 3390 3391 static void 3392 sppp_ipv6cp_open(struct sppp *sp) 3393 { 3394 STDDCL; 3395 struct in6_addr myaddr, hisaddr; 3396 3397 #ifdef IPV6CP_MYIFID_DYN 3398 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3399 #else 3400 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3401 #endif 3402 3403 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3404 /* 3405 * If we don't have our address, this probably means our 3406 * interface doesn't want to talk IPv6 at all. (This could 3407 * be the case if somebody wants to speak only IPX, for 3408 * example.) Don't open IPv6CP in this case. 3409 */ 3410 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3411 /* XXX this message should go away */ 3412 if (debug) 3413 log(LOG_DEBUG, SPP_FMT "ipv6cp_open(): no IPv6 interface\n", 3414 SPP_ARGS(ifp)); 3415 return; 3416 } 3417 3418 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3419 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3420 sppp_open_event(&ipv6cp, sp); 3421 } 3422 3423 static void 3424 sppp_ipv6cp_close(struct sppp *sp) 3425 { 3426 sppp_close_event(&ipv6cp, sp); 3427 } 3428 3429 static void 3430 sppp_ipv6cp_TO(void *cookie) 3431 { 3432 sppp_to_event(&ipv6cp, (struct sppp *)cookie); 3433 } 3434 3435 /* 3436 * Analyze a configure request. Return true if it was agreeable, and 3437 * caused action sca, false if it has been rejected or nak'ed, and 3438 * caused action scn. (The return value is used to make the state 3439 * transition decision in the state automaton.) 3440 */ 3441 static int 3442 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3443 { 3444 u_char *buf, *r, *p; 3445 struct ifnet *ifp = &sp->pp_if; 3446 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3447 struct in6_addr myaddr, desiredaddr, suggestaddr; 3448 int ifidcount; 3449 int type; 3450 int collision, nohisaddr; 3451 3452 len -= 4; 3453 origlen = len; 3454 /* 3455 * Make sure to allocate a buf that can at least hold a 3456 * conf-nak with an `address' option. We might need it below. 3457 */ 3458 buf = r = kmalloc ((len < 6? 6: len), M_TEMP, M_INTWAIT); 3459 3460 /* pass 1: see if we can recognize them */ 3461 if (debug) 3462 log(LOG_DEBUG, SPP_FMT "ipv6cp parse opts:", 3463 SPP_ARGS(ifp)); 3464 p = (void*) (h+1); 3465 ifidcount = 0; 3466 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3467 /* Sanity check option length */ 3468 if (p[1] > len) { 3469 /* XXX just RXJ? */ 3470 log(-1, "%s: received malicious IPCPv6 option, " 3471 "dropping\n", ifp->if_xname); 3472 goto drop; 3473 } 3474 if (debug) 3475 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3476 switch (*p) { 3477 case IPV6CP_OPT_IFID: 3478 if (len >= 10 && p[1] == 10 && ifidcount == 0) { 3479 /* correctly formed address option */ 3480 ifidcount++; 3481 continue; 3482 } 3483 if (debug) 3484 log(-1, " [invalid]"); 3485 break; 3486 #ifdef notyet 3487 case IPV6CP_OPT_COMPRESSION: 3488 if (len >= 4 && p[1] >= 4) { 3489 /* correctly formed compress option */ 3490 continue; 3491 } 3492 if (debug) 3493 log(-1, " [invalid]"); 3494 break; 3495 #endif 3496 default: 3497 /* Others not supported. */ 3498 if (debug) 3499 log(-1, " [rej]"); 3500 break; 3501 } 3502 /* Add the option to rejected list. */ 3503 bcopy (p, r, p[1]); 3504 r += p[1]; 3505 rlen += p[1]; 3506 } 3507 if (rlen) { 3508 if (debug) 3509 log(-1, " send conf-rej\n"); 3510 sppp_cp_send (sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3511 goto end; 3512 } else if (debug) 3513 log(-1, "\n"); 3514 3515 /* pass 2: parse option values */ 3516 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3517 if (debug) 3518 log(LOG_DEBUG, SPP_FMT "ipv6cp parse opt values: ", 3519 SPP_ARGS(ifp)); 3520 p = (void*) (h+1); 3521 len = origlen; 3522 type = CONF_ACK; 3523 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3524 if (debug) 3525 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3526 switch (*p) { 3527 #ifdef notyet 3528 case IPV6CP_OPT_COMPRESSION: 3529 continue; 3530 #endif 3531 case IPV6CP_OPT_IFID: 3532 bzero(&desiredaddr, sizeof(desiredaddr)); 3533 bcopy(&p[2], &desiredaddr.s6_addr[8], 8); 3534 collision = (bcmp(&desiredaddr.s6_addr[8], 3535 &myaddr.s6_addr[8], 8) == 0); 3536 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3537 3538 desiredaddr.s6_addr16[0] = htons(0xfe80); 3539 desiredaddr.s6_addr16[1] = htons(sp->pp_if.if_index); 3540 3541 if (!collision && !nohisaddr) { 3542 /* no collision, hisaddr known - Conf-Ack */ 3543 type = CONF_ACK; 3544 3545 if (debug) { 3546 log(-1, " %s [%s]", 3547 ip6_sprintf(&desiredaddr), 3548 sppp_cp_type_name(type)); 3549 } 3550 continue; 3551 } 3552 3553 bzero(&suggestaddr, sizeof(&suggestaddr)); 3554 if (collision && nohisaddr) { 3555 /* collision, hisaddr unknown - Conf-Rej */ 3556 type = CONF_REJ; 3557 bzero(&p[2], 8); 3558 } else { 3559 /* 3560 * - no collision, hisaddr unknown, or 3561 * - collision, hisaddr known 3562 * Conf-Nak, suggest hisaddr 3563 */ 3564 type = CONF_NAK; 3565 sppp_suggest_ip6_addr(sp, &suggestaddr); 3566 bcopy(&suggestaddr.s6_addr[8], &p[2], 8); 3567 } 3568 if (debug) 3569 log(-1, " %s [%s]", ip6_sprintf(&desiredaddr), 3570 sppp_cp_type_name(type)); 3571 break; 3572 } 3573 /* Add the option to nak'ed list. */ 3574 bcopy (p, r, p[1]); 3575 r += p[1]; 3576 rlen += p[1]; 3577 } 3578 3579 if (rlen == 0 && type == CONF_ACK) { 3580 if (debug) 3581 log(-1, " send %s\n", sppp_cp_type_name(type)); 3582 sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, origlen, h+1); 3583 } else { 3584 #ifdef DIAGNOSTIC 3585 if (type == CONF_ACK) 3586 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3587 #endif 3588 3589 if (debug) { 3590 log(-1, " send %s suggest %s\n", 3591 sppp_cp_type_name(type), ip6_sprintf(&suggestaddr)); 3592 } 3593 sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3594 } 3595 3596 end: 3597 kfree (buf, M_TEMP); 3598 return (rlen == 0); 3599 3600 drop: 3601 kfree(buf, M_TEMP); 3602 return (-1); 3603 } 3604 3605 /* 3606 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3607 * negotiation. 3608 */ 3609 static void 3610 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3611 { 3612 u_char *buf, *p; 3613 struct ifnet *ifp = &sp->pp_if; 3614 int debug = ifp->if_flags & IFF_DEBUG; 3615 3616 len -= 4; 3617 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3618 3619 if (debug) 3620 log(LOG_DEBUG, SPP_FMT "ipv6cp rej opts:", 3621 SPP_ARGS(ifp)); 3622 3623 p = (void*) (h+1); 3624 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3625 if (p[1] > len) { 3626 /* XXX just RXJ? */ 3627 log(-1, "%s: received malicious IPCPv6 option, " 3628 "dropping\n", ifp->if_xname); 3629 goto drop; 3630 } 3631 if (debug) 3632 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3633 switch (*p) { 3634 case IPV6CP_OPT_IFID: 3635 /* 3636 * Peer doesn't grok address option. This is 3637 * bad. XXX Should we better give up here? 3638 */ 3639 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3640 break; 3641 #ifdef notyet 3642 case IPV6CP_OPT_COMPRESS: 3643 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3644 break; 3645 #endif 3646 } 3647 } 3648 if (debug) 3649 log(-1, "\n"); 3650 drop: 3651 kfree (buf, M_TEMP); 3652 return; 3653 } 3654 3655 /* 3656 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3657 * negotiation. 3658 */ 3659 static void 3660 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3661 { 3662 u_char *buf, *p; 3663 struct ifnet *ifp = &sp->pp_if; 3664 int debug = ifp->if_flags & IFF_DEBUG; 3665 struct in6_addr suggestaddr; 3666 3667 len -= 4; 3668 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3669 3670 if (debug) 3671 log(LOG_DEBUG, SPP_FMT "ipv6cp nak opts:", 3672 SPP_ARGS(ifp)); 3673 3674 p = (void*) (h+1); 3675 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3676 if (p[1] > len) { 3677 /* XXX just RXJ? */ 3678 log(-1, "%s: received malicious IPCPv6 option, " 3679 "dropping\n", ifp->if_xname); 3680 goto drop; 3681 } 3682 if (debug) 3683 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3684 switch (*p) { 3685 case IPV6CP_OPT_IFID: 3686 /* 3687 * Peer doesn't like our local ifid. See 3688 * if we can do something for him. We'll drop 3689 * him our address then. 3690 */ 3691 if (len < 10 || p[1] != 10) 3692 break; 3693 bzero(&suggestaddr, sizeof(suggestaddr)); 3694 suggestaddr.s6_addr16[0] = htons(0xfe80); 3695 suggestaddr.s6_addr16[1] = htons(sp->pp_if.if_index); 3696 bcopy(&p[2], &suggestaddr.s6_addr[8], 8); 3697 3698 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3699 if (debug) 3700 log(-1, " [suggestaddr %s]", 3701 ip6_sprintf(&suggestaddr)); 3702 #ifdef IPV6CP_MYIFID_DYN 3703 /* 3704 * When doing dynamic address assignment, 3705 * we accept his offer. 3706 */ 3707 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3708 struct in6_addr lastsuggest; 3709 /* 3710 * If <suggested myaddr from peer> equals to 3711 * <hisaddr we have suggested last time>, 3712 * we have a collision. generate new random 3713 * ifid. 3714 */ 3715 sppp_suggest_ip6_addr(&lastsuggest); 3716 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3717 lastsuggest)) { 3718 if (debug) 3719 log(-1, " [random]"); 3720 sppp_gen_ip6_addr(sp, &suggestaddr); 3721 } 3722 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3723 if (debug) 3724 log(-1, " [agree]"); 3725 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3726 } 3727 #else 3728 /* 3729 * Since we do not do dynamic address assignment, 3730 * we ignore it and thus continue to negotiate 3731 * our already existing value. This can possibly 3732 * go into infinite request-reject loop. 3733 * 3734 * This is not likely because we normally use 3735 * ifid based on MAC-address. 3736 * If you have no ethernet card on the node, too bad. 3737 * XXX should we use fail_counter? 3738 */ 3739 #endif 3740 break; 3741 #ifdef notyet 3742 case IPV6CP_OPT_COMPRESS: 3743 /* 3744 * Peer wants different compression parameters. 3745 */ 3746 break; 3747 #endif 3748 } 3749 } 3750 if (debug) 3751 log(-1, "\n"); 3752 drop: 3753 kfree (buf, M_TEMP); 3754 return; 3755 } 3756 static void 3757 sppp_ipv6cp_tlu(struct sppp *sp) 3758 { 3759 /* we are up - notify isdn daemon */ 3760 if (sp->pp_con) 3761 sp->pp_con(sp); 3762 } 3763 3764 static void 3765 sppp_ipv6cp_tld(struct sppp *sp) 3766 { 3767 } 3768 3769 static void 3770 sppp_ipv6cp_tls(struct sppp *sp) 3771 { 3772 /* indicate to LCP that it must stay alive */ 3773 sp->lcp.protos |= (1 << IDX_IPV6CP); 3774 } 3775 3776 static void 3777 sppp_ipv6cp_tlf(struct sppp *sp) 3778 { 3779 3780 #if 0 /* need #if 0 to close IPv6CP properly */ 3781 /* we no longer need LCP */ 3782 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3783 sppp_lcp_check_and_close(sp); 3784 #endif 3785 } 3786 3787 static void 3788 sppp_ipv6cp_scr(struct sppp *sp) 3789 { 3790 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3791 struct in6_addr ouraddr; 3792 int i = 0; 3793 3794 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3795 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3796 opt[i++] = IPV6CP_OPT_IFID; 3797 opt[i++] = 10; 3798 bcopy(&ouraddr.s6_addr[8], &opt[i], 8); 3799 i += 8; 3800 } 3801 3802 #ifdef notyet 3803 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 3804 opt[i++] = IPV6CP_OPT_COMPRESSION; 3805 opt[i++] = 4; 3806 opt[i++] = 0; /* TBD */ 3807 opt[i++] = 0; /* TBD */ 3808 /* variable length data may follow */ 3809 } 3810 #endif 3811 3812 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 3813 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 3814 } 3815 #else /*INET6*/ 3816 static void 3817 sppp_ipv6cp_init(struct sppp *sp) 3818 { 3819 } 3820 3821 static void 3822 sppp_ipv6cp_up(struct sppp *sp) 3823 { 3824 } 3825 3826 static void 3827 sppp_ipv6cp_down(struct sppp *sp) 3828 { 3829 } 3830 3831 3832 static void 3833 sppp_ipv6cp_open(struct sppp *sp) 3834 { 3835 } 3836 3837 static void 3838 sppp_ipv6cp_close(struct sppp *sp) 3839 { 3840 } 3841 3842 static void 3843 sppp_ipv6cp_TO(void *sp) 3844 { 3845 } 3846 3847 static int 3848 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3849 { 3850 return 0; 3851 } 3852 3853 static void 3854 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3855 { 3856 } 3857 3858 static void 3859 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3860 { 3861 } 3862 3863 static void 3864 sppp_ipv6cp_tlu(struct sppp *sp) 3865 { 3866 } 3867 3868 static void 3869 sppp_ipv6cp_tld(struct sppp *sp) 3870 { 3871 } 3872 3873 static void 3874 sppp_ipv6cp_tls(struct sppp *sp) 3875 { 3876 } 3877 3878 static void 3879 sppp_ipv6cp_tlf(struct sppp *sp) 3880 { 3881 } 3882 3883 static void 3884 sppp_ipv6cp_scr(struct sppp *sp) 3885 { 3886 } 3887 #endif /*INET6*/ 3888 3889 /* 3890 *--------------------------------------------------------------------------* 3891 * * 3892 * The CHAP implementation. * 3893 * * 3894 *--------------------------------------------------------------------------* 3895 */ 3896 3897 /* 3898 * The authentication protocols don't employ a full-fledged state machine as 3899 * the control protocols do, since they do have Open and Close events, but 3900 * not Up and Down, nor are they explicitly terminated. Also, use of the 3901 * authentication protocols may be different in both directions (this makes 3902 * sense, think of a machine that never accepts incoming calls but only 3903 * calls out, it doesn't require the called party to authenticate itself). 3904 * 3905 * Our state machine for the local authentication protocol (we are requesting 3906 * the peer to authenticate) looks like: 3907 * 3908 * RCA- 3909 * +--------------------------------------------+ 3910 * V scn,tld| 3911 * +--------+ Close +---------+ RCA+ 3912 * | |<----------------------------------| |------+ 3913 * +--->| Closed | TO* | Opened | sca | 3914 * | | |-----+ +-------| |<-----+ 3915 * | +--------+ irc | | +---------+ 3916 * | ^ | | ^ 3917 * | | | | | 3918 * | | | | | 3919 * | TO-| | | | 3920 * | |tld TO+ V | | 3921 * | | +------->+ | | 3922 * | | | | | | 3923 * | +--------+ V | | 3924 * | | |<----+<--------------------+ | 3925 * | | Req- | scr | 3926 * | | Sent | | 3927 * | | | | 3928 * | +--------+ | 3929 * | RCA- | | RCA+ | 3930 * +------+ +------------------------------------------+ 3931 * scn,tld sca,irc,ict,tlu 3932 * 3933 * 3934 * with: 3935 * 3936 * Open: LCP reached authentication phase 3937 * Close: LCP reached terminate phase 3938 * 3939 * RCA+: received reply (pap-req, chap-response), acceptable 3940 * RCN: received reply (pap-req, chap-response), not acceptable 3941 * TO+: timeout with restart counter >= 0 3942 * TO-: timeout with restart counter < 0 3943 * TO*: reschedule timeout for CHAP 3944 * 3945 * scr: send request packet (none for PAP, chap-challenge) 3946 * sca: send ack packet (pap-ack, chap-success) 3947 * scn: send nak packet (pap-nak, chap-failure) 3948 * ict: initialize re-challenge timer (CHAP only) 3949 * 3950 * tlu: this-layer-up, LCP reaches network phase 3951 * tld: this-layer-down, LCP enters terminate phase 3952 * 3953 * Note that in CHAP mode, after sending a new challenge, while the state 3954 * automaton falls back into Req-Sent state, it doesn't signal a tld 3955 * event to LCP, so LCP remains in network phase. Only after not getting 3956 * any response (or after getting an unacceptable response), CHAP closes, 3957 * causing LCP to enter terminate phase. 3958 * 3959 * With PAP, there is no initial request that can be sent. The peer is 3960 * expected to send one based on the successful negotiation of PAP as 3961 * the authentication protocol during the LCP option negotiation. 3962 * 3963 * Incoming authentication protocol requests (remote requests 3964 * authentication, we are peer) don't employ a state machine at all, 3965 * they are simply answered. Some peers [Ascend P50 firmware rev 3966 * 4.50] react allergically when sending IPCP requests while they are 3967 * still in authentication phase (thereby violating the standard that 3968 * demands that these NCP packets are to be discarded), so we keep 3969 * track of the peer demanding us to authenticate, and only proceed to 3970 * phase network once we've seen a positive acknowledge for the 3971 * authentication. 3972 */ 3973 3974 /* 3975 * Handle incoming CHAP packets. 3976 */ 3977 void 3978 sppp_chap_input(struct sppp *sp, struct mbuf *m) 3979 { 3980 STDDCL; 3981 struct lcp_header *h; 3982 int len; 3983 u_char *value, *name, digest[AUTHKEYLEN], dsize; 3984 int value_len, name_len; 3985 MD5_CTX ctx; 3986 3987 len = m->m_pkthdr.len; 3988 if (len < 4) { 3989 if (debug) 3990 log(LOG_DEBUG, 3991 SPP_FMT "chap invalid packet length: %d bytes\n", 3992 SPP_ARGS(ifp), len); 3993 return; 3994 } 3995 h = mtod (m, struct lcp_header*); 3996 if (len > ntohs (h->len)) 3997 len = ntohs (h->len); 3998 3999 switch (h->type) { 4000 /* challenge, failure and success are his authproto */ 4001 case CHAP_CHALLENGE: 4002 value = 1 + (u_char*)(h+1); 4003 value_len = value[-1]; 4004 name = value + value_len; 4005 name_len = len - value_len - 5; 4006 if (name_len < 0) { 4007 if (debug) { 4008 log(LOG_DEBUG, 4009 SPP_FMT "chap corrupted challenge " 4010 "<%s id=0x%x len=%d", 4011 SPP_ARGS(ifp), 4012 sppp_auth_type_name(PPP_CHAP, h->type), 4013 h->ident, ntohs(h->len)); 4014 sppp_print_bytes((u_char*) (h+1), len-4); 4015 log(-1, ">\n"); 4016 } 4017 break; 4018 } 4019 4020 if (debug) { 4021 log(LOG_DEBUG, 4022 SPP_FMT "chap input <%s id=0x%x len=%d name=", 4023 SPP_ARGS(ifp), 4024 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 4025 ntohs(h->len)); 4026 sppp_print_string((char*) name, name_len); 4027 log(-1, " value-size=%d value=", value_len); 4028 sppp_print_bytes(value, value_len); 4029 log(-1, ">\n"); 4030 } 4031 4032 /* Compute reply value. */ 4033 MD5Init(&ctx); 4034 MD5Update(&ctx, &h->ident, 1); 4035 MD5Update(&ctx, sp->myauth.secret, 4036 sppp_strnlen(sp->myauth.secret, AUTHKEYLEN)); 4037 MD5Update(&ctx, value, value_len); 4038 MD5Final(digest, &ctx); 4039 dsize = sizeof digest; 4040 4041 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 4042 sizeof dsize, (const char *)&dsize, 4043 sizeof digest, digest, 4044 (size_t)sppp_strnlen(sp->myauth.name, AUTHNAMELEN), 4045 sp->myauth.name, 4046 0); 4047 break; 4048 4049 case CHAP_SUCCESS: 4050 if (debug) { 4051 log(LOG_DEBUG, SPP_FMT "chap success", 4052 SPP_ARGS(ifp)); 4053 if (len > 4) { 4054 log(-1, ": "); 4055 sppp_print_string((char*)(h + 1), len - 4); 4056 } 4057 log(-1, "\n"); 4058 } 4059 4060 crit_enter(); 4061 4062 sp->pp_flags &= ~PP_NEEDAUTH; 4063 if (sp->myauth.proto == PPP_CHAP && 4064 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4065 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 4066 /* 4067 * We are authenticator for CHAP but didn't 4068 * complete yet. Leave it to tlu to proceed 4069 * to network phase. 4070 */ 4071 crit_exit(); 4072 break; 4073 } 4074 crit_exit(); 4075 sppp_phase_network(sp); 4076 break; 4077 4078 case CHAP_FAILURE: 4079 if (debug) { 4080 log(LOG_INFO, SPP_FMT "chap failure", 4081 SPP_ARGS(ifp)); 4082 if (len > 4) { 4083 log(-1, ": "); 4084 sppp_print_string((char*)(h + 1), len - 4); 4085 } 4086 log(-1, "\n"); 4087 } else 4088 log(LOG_INFO, SPP_FMT "chap failure\n", 4089 SPP_ARGS(ifp)); 4090 /* await LCP shutdown by authenticator */ 4091 break; 4092 4093 /* response is my authproto */ 4094 case CHAP_RESPONSE: 4095 value = 1 + (u_char*)(h+1); 4096 value_len = value[-1]; 4097 name = value + value_len; 4098 name_len = len - value_len - 5; 4099 if (name_len < 0) { 4100 if (debug) { 4101 log(LOG_DEBUG, 4102 SPP_FMT "chap corrupted response " 4103 "<%s id=0x%x len=%d", 4104 SPP_ARGS(ifp), 4105 sppp_auth_type_name(PPP_CHAP, h->type), 4106 h->ident, ntohs(h->len)); 4107 sppp_print_bytes((u_char*)(h+1), len-4); 4108 log(-1, ">\n"); 4109 } 4110 break; 4111 } 4112 if (h->ident != sp->confid[IDX_CHAP]) { 4113 if (debug) 4114 log(LOG_DEBUG, 4115 SPP_FMT "chap dropping response for old ID " 4116 "(got %d, expected %d)\n", 4117 SPP_ARGS(ifp), 4118 h->ident, sp->confid[IDX_CHAP]); 4119 break; 4120 } 4121 if (name_len != sppp_strnlen(sp->hisauth.name, AUTHNAMELEN) 4122 || bcmp(name, sp->hisauth.name, name_len) != 0) { 4123 log(LOG_INFO, SPP_FMT "chap response, his name ", 4124 SPP_ARGS(ifp)); 4125 sppp_print_string(name, name_len); 4126 log(-1, " != expected "); 4127 sppp_print_string(sp->hisauth.name, 4128 sppp_strnlen(sp->hisauth.name, AUTHNAMELEN)); 4129 log(-1, "\n"); 4130 } 4131 if (debug) { 4132 log(LOG_DEBUG, SPP_FMT "chap input(%s) " 4133 "<%s id=0x%x len=%d name=", 4134 SPP_ARGS(ifp), 4135 sppp_state_name(sp->state[IDX_CHAP]), 4136 sppp_auth_type_name(PPP_CHAP, h->type), 4137 h->ident, ntohs (h->len)); 4138 sppp_print_string((char*)name, name_len); 4139 log(-1, " value-size=%d value=", value_len); 4140 sppp_print_bytes(value, value_len); 4141 log(-1, ">\n"); 4142 } 4143 if (value_len != AUTHKEYLEN) { 4144 if (debug) 4145 log(LOG_DEBUG, 4146 SPP_FMT "chap bad hash value length: " 4147 "%d bytes, should be %d\n", 4148 SPP_ARGS(ifp), value_len, 4149 AUTHKEYLEN); 4150 break; 4151 } 4152 4153 MD5Init(&ctx); 4154 MD5Update(&ctx, &h->ident, 1); 4155 MD5Update(&ctx, sp->hisauth.secret, 4156 sppp_strnlen(sp->hisauth.secret, AUTHKEYLEN)); 4157 MD5Update(&ctx, sp->myauth.challenge, AUTHKEYLEN); 4158 MD5Final(digest, &ctx); 4159 4160 #define FAILMSG "Failed..." 4161 #define SUCCMSG "Welcome!" 4162 4163 if (value_len != sizeof digest || 4164 bcmp(digest, value, value_len) != 0) { 4165 /* action scn, tld */ 4166 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4167 sizeof(FAILMSG) - 1, (u_char *)FAILMSG, 4168 0); 4169 chap.tld(sp); 4170 break; 4171 } 4172 /* action sca, perhaps tlu */ 4173 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4174 sp->state[IDX_CHAP] == STATE_OPENED) 4175 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4176 sizeof(SUCCMSG) - 1, (u_char *)SUCCMSG, 4177 0); 4178 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4179 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4180 chap.tlu(sp); 4181 } 4182 break; 4183 4184 default: 4185 /* Unknown CHAP packet type -- ignore. */ 4186 if (debug) { 4187 log(LOG_DEBUG, SPP_FMT "chap unknown input(%s) " 4188 "<0x%x id=0x%xh len=%d", 4189 SPP_ARGS(ifp), 4190 sppp_state_name(sp->state[IDX_CHAP]), 4191 h->type, h->ident, ntohs(h->len)); 4192 sppp_print_bytes((u_char*)(h+1), len-4); 4193 log(-1, ">\n"); 4194 } 4195 break; 4196 4197 } 4198 } 4199 4200 static void 4201 sppp_chap_init(struct sppp *sp) 4202 { 4203 /* Chap doesn't have STATE_INITIAL at all. */ 4204 sp->state[IDX_CHAP] = STATE_CLOSED; 4205 sp->fail_counter[IDX_CHAP] = 0; 4206 sp->pp_seq[IDX_CHAP] = 0; 4207 sp->pp_rseq[IDX_CHAP] = 0; 4208 #if defined(__DragonFly__) 4209 callout_init(&sp->timeout[IDX_CHAP]); 4210 #endif 4211 } 4212 4213 static void 4214 sppp_chap_open(struct sppp *sp) 4215 { 4216 if (sp->myauth.proto == PPP_CHAP && 4217 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4218 /* we are authenticator for CHAP, start it */ 4219 chap.scr(sp); 4220 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4221 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4222 } 4223 /* nothing to be done if we are peer, await a challenge */ 4224 } 4225 4226 static void 4227 sppp_chap_close(struct sppp *sp) 4228 { 4229 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4230 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4231 } 4232 4233 static void 4234 sppp_chap_TO(void *cookie) 4235 { 4236 struct sppp *sp = (struct sppp *)cookie; 4237 STDDCL; 4238 4239 crit_enter(); 4240 4241 if (debug) 4242 log(LOG_DEBUG, SPP_FMT "chap TO(%s) rst_counter = %d\n", 4243 SPP_ARGS(ifp), 4244 sppp_state_name(sp->state[IDX_CHAP]), 4245 sp->rst_counter[IDX_CHAP]); 4246 4247 if (--sp->rst_counter[IDX_CHAP] < 0) 4248 /* TO- event */ 4249 switch (sp->state[IDX_CHAP]) { 4250 case STATE_REQ_SENT: 4251 chap.tld(sp); 4252 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4253 break; 4254 } 4255 else 4256 /* TO+ (or TO*) event */ 4257 switch (sp->state[IDX_CHAP]) { 4258 case STATE_OPENED: 4259 /* TO* event */ 4260 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4261 /* fall through */ 4262 case STATE_REQ_SENT: 4263 chap.scr(sp); 4264 /* sppp_cp_change_state() will restart the timer */ 4265 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4266 break; 4267 } 4268 4269 crit_exit(); 4270 } 4271 4272 static void 4273 sppp_chap_tlu(struct sppp *sp) 4274 { 4275 STDDCL; 4276 int i; 4277 4278 i = 0; 4279 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4280 4281 /* 4282 * Some broken CHAP implementations (Conware CoNet, firmware 4283 * 4.0.?) don't want to re-authenticate their CHAP once the 4284 * initial challenge-response exchange has taken place. 4285 * Provide for an option to avoid rechallenges. 4286 */ 4287 if ((sp->hisauth.flags & AUTHFLAG_NORECHALLENGE) == 0) { 4288 /* 4289 * Compute the re-challenge timeout. This will yield 4290 * a number between 300 and 810 seconds. 4291 */ 4292 i = 300 + ((unsigned)(krandom() & 0xff00) >> 7); 4293 callout_reset(&sp->timeout[IDX_CHAP], i * hz, chap.TO, sp); 4294 } 4295 4296 if (debug) { 4297 log(LOG_DEBUG, 4298 SPP_FMT "chap %s, ", 4299 SPP_ARGS(ifp), 4300 sp->pp_phase == PHASE_NETWORK? "reconfirmed": "tlu"); 4301 if ((sp->hisauth.flags & AUTHFLAG_NORECHALLENGE) == 0) 4302 log(-1, "next re-challenge in %d seconds\n", i); 4303 else 4304 log(-1, "re-challenging suppressed\n"); 4305 } 4306 4307 crit_enter(); 4308 4309 /* indicate to LCP that we need to be closed down */ 4310 sp->lcp.protos |= (1 << IDX_CHAP); 4311 4312 if (sp->pp_flags & PP_NEEDAUTH) { 4313 /* 4314 * Remote is authenticator, but his auth proto didn't 4315 * complete yet. Defer the transition to network 4316 * phase. 4317 */ 4318 crit_exit(); 4319 return; 4320 } 4321 4322 crit_exit(); 4323 4324 /* 4325 * If we are already in phase network, we are done here. This 4326 * is the case if this is a dummy tlu event after a re-challenge. 4327 */ 4328 if (sp->pp_phase != PHASE_NETWORK) 4329 sppp_phase_network(sp); 4330 } 4331 4332 static void 4333 sppp_chap_tld(struct sppp *sp) 4334 { 4335 STDDCL; 4336 4337 if (debug) 4338 log(LOG_DEBUG, SPP_FMT "chap tld\n", SPP_ARGS(ifp)); 4339 callout_stop(&sp->timeout[IDX_CHAP]); 4340 sp->lcp.protos &= ~(1 << IDX_CHAP); 4341 4342 lcp.Close(sp); 4343 } 4344 4345 static void 4346 sppp_chap_scr(struct sppp *sp) 4347 { 4348 u_long *ch, seed; 4349 u_char clen; 4350 4351 /* Compute random challenge. */ 4352 ch = (u_long *)sp->myauth.challenge; 4353 #if defined(__DragonFly__) 4354 read_random(&seed, sizeof seed); 4355 #else 4356 { 4357 struct timeval tv; 4358 microtime(&tv); 4359 seed = tv.tv_sec ^ tv.tv_usec; 4360 } 4361 #endif 4362 ch[0] = seed ^ krandom(); 4363 ch[1] = seed ^ krandom(); 4364 ch[2] = seed ^ krandom(); 4365 ch[3] = seed ^ krandom(); 4366 clen = AUTHKEYLEN; 4367 4368 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4369 4370 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4371 sizeof clen, (const char *)&clen, 4372 (size_t)AUTHKEYLEN, sp->myauth.challenge, 4373 (size_t)sppp_strnlen(sp->myauth.name, AUTHNAMELEN), 4374 sp->myauth.name, 4375 0); 4376 } 4377 4378 /* 4379 *--------------------------------------------------------------------------* 4380 * * 4381 * The PAP implementation. * 4382 * * 4383 *--------------------------------------------------------------------------* 4384 */ 4385 /* 4386 * For PAP, we need to keep a little state also if we are the peer, not the 4387 * authenticator. This is since we don't get a request to authenticate, but 4388 * have to repeatedly authenticate ourself until we got a response (or the 4389 * retry counter is expired). 4390 */ 4391 4392 /* 4393 * Handle incoming PAP packets. */ 4394 static void 4395 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4396 { 4397 STDDCL; 4398 struct lcp_header *h; 4399 int len; 4400 u_char *name, *passwd, mlen; 4401 int name_len, passwd_len; 4402 4403 /* 4404 * Malicious input might leave this uninitialized, so 4405 * init to an impossible value. 4406 */ 4407 passwd_len = -1; 4408 4409 len = m->m_pkthdr.len; 4410 if (len < 5) { 4411 if (debug) 4412 log(LOG_DEBUG, 4413 SPP_FMT "pap invalid packet length: %d bytes\n", 4414 SPP_ARGS(ifp), len); 4415 return; 4416 } 4417 h = mtod (m, struct lcp_header*); 4418 if (len > ntohs (h->len)) 4419 len = ntohs (h->len); 4420 switch (h->type) { 4421 /* PAP request is my authproto */ 4422 case PAP_REQ: 4423 name = 1 + (u_char*)(h+1); 4424 name_len = name[-1]; 4425 passwd = name + name_len + 1; 4426 if (name_len > len - 6 || 4427 (passwd_len = passwd[-1]) > len - 6 - name_len) { 4428 if (debug) { 4429 log(LOG_DEBUG, SPP_FMT "pap corrupted input " 4430 "<%s id=0x%x len=%d", 4431 SPP_ARGS(ifp), 4432 sppp_auth_type_name(PPP_PAP, h->type), 4433 h->ident, ntohs(h->len)); 4434 sppp_print_bytes((u_char*)(h+1), len-4); 4435 log(-1, ">\n"); 4436 } 4437 break; 4438 } 4439 if (debug) { 4440 log(LOG_DEBUG, SPP_FMT "pap input(%s) " 4441 "<%s id=0x%x len=%d name=", 4442 SPP_ARGS(ifp), 4443 sppp_state_name(sp->state[IDX_PAP]), 4444 sppp_auth_type_name(PPP_PAP, h->type), 4445 h->ident, ntohs(h->len)); 4446 sppp_print_string((char*)name, name_len); 4447 log(-1, " passwd="); 4448 sppp_print_string((char*)passwd, passwd_len); 4449 log(-1, ">\n"); 4450 } 4451 if (name_len != sppp_strnlen(sp->hisauth.name, AUTHNAMELEN) || 4452 passwd_len != sppp_strnlen(sp->hisauth.secret, AUTHKEYLEN) || 4453 bcmp(name, sp->hisauth.name, name_len) != 0 || 4454 bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) { 4455 /* action scn, tld */ 4456 mlen = sizeof(FAILMSG) - 1; 4457 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4458 sizeof mlen, (const char *)&mlen, 4459 sizeof(FAILMSG) - 1, (u_char *)FAILMSG, 4460 0); 4461 pap.tld(sp); 4462 break; 4463 } 4464 /* action sca, perhaps tlu */ 4465 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4466 sp->state[IDX_PAP] == STATE_OPENED) { 4467 mlen = sizeof(SUCCMSG) - 1; 4468 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4469 sizeof mlen, (const char *)&mlen, 4470 sizeof(SUCCMSG) - 1, (u_char *)SUCCMSG, 4471 0); 4472 } 4473 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4474 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4475 pap.tlu(sp); 4476 } 4477 break; 4478 4479 /* ack and nak are his authproto */ 4480 case PAP_ACK: 4481 callout_stop(&sp->pap_my_to); 4482 if (debug) { 4483 log(LOG_DEBUG, SPP_FMT "pap success", 4484 SPP_ARGS(ifp)); 4485 name = 1 + (u_char *)(h + 1); 4486 name_len = name[-1]; 4487 if (len > 5 && name_len < len+4) { 4488 log(-1, ": "); 4489 sppp_print_string(name, name_len); 4490 } 4491 log(-1, "\n"); 4492 } 4493 4494 crit_enter(); 4495 4496 sp->pp_flags &= ~PP_NEEDAUTH; 4497 if (sp->myauth.proto == PPP_PAP && 4498 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4499 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4500 /* 4501 * We are authenticator for PAP but didn't 4502 * complete yet. Leave it to tlu to proceed 4503 * to network phase. 4504 */ 4505 4506 crit_exit(); 4507 4508 break; 4509 } 4510 4511 crit_exit(); 4512 4513 sppp_phase_network(sp); 4514 break; 4515 4516 case PAP_NAK: 4517 callout_stop(&sp->pap_my_to); 4518 if (debug) { 4519 log(LOG_INFO, SPP_FMT "pap failure", 4520 SPP_ARGS(ifp)); 4521 name = 1 + (u_char *)(h + 1); 4522 name_len = name[-1]; 4523 if (len > 5 && name_len < len+4) { 4524 log(-1, ": "); 4525 sppp_print_string(name, name_len); 4526 } 4527 log(-1, "\n"); 4528 } else 4529 log(LOG_INFO, SPP_FMT "pap failure\n", 4530 SPP_ARGS(ifp)); 4531 /* await LCP shutdown by authenticator */ 4532 break; 4533 4534 default: 4535 /* Unknown PAP packet type -- ignore. */ 4536 if (debug) { 4537 log(LOG_DEBUG, SPP_FMT "pap corrupted input " 4538 "<0x%x id=0x%x len=%d", 4539 SPP_ARGS(ifp), 4540 h->type, h->ident, ntohs(h->len)); 4541 sppp_print_bytes((u_char*)(h+1), len-4); 4542 log(-1, ">\n"); 4543 } 4544 break; 4545 4546 } 4547 } 4548 4549 static void 4550 sppp_pap_init(struct sppp *sp) 4551 { 4552 /* PAP doesn't have STATE_INITIAL at all. */ 4553 sp->state[IDX_PAP] = STATE_CLOSED; 4554 sp->fail_counter[IDX_PAP] = 0; 4555 sp->pp_seq[IDX_PAP] = 0; 4556 sp->pp_rseq[IDX_PAP] = 0; 4557 #if defined(__DragonFly__) 4558 callout_init(&sp->timeout[IDX_PAP]); 4559 callout_init(&sp->pap_my_to); 4560 #endif 4561 } 4562 4563 static void 4564 sppp_pap_open(struct sppp *sp) 4565 { 4566 if (sp->hisauth.proto == PPP_PAP && 4567 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4568 /* we are authenticator for PAP, start our timer */ 4569 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4570 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4571 } 4572 if (sp->myauth.proto == PPP_PAP) { 4573 /* we are peer, send a request, and start a timer */ 4574 pap.scr(sp); 4575 callout_reset(&sp->pap_my_to, sp->lcp.timeout, 4576 sppp_pap_my_TO, sp); 4577 } 4578 } 4579 4580 static void 4581 sppp_pap_close(struct sppp *sp) 4582 { 4583 if (sp->state[IDX_PAP] != STATE_CLOSED) 4584 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4585 } 4586 4587 /* 4588 * That's the timeout routine if we are authenticator. Since the 4589 * authenticator is basically passive in PAP, we can't do much here. 4590 */ 4591 static void 4592 sppp_pap_TO(void *cookie) 4593 { 4594 struct sppp *sp = (struct sppp *)cookie; 4595 STDDCL; 4596 4597 crit_enter(); 4598 4599 if (debug) 4600 log(LOG_DEBUG, SPP_FMT "pap TO(%s) rst_counter = %d\n", 4601 SPP_ARGS(ifp), 4602 sppp_state_name(sp->state[IDX_PAP]), 4603 sp->rst_counter[IDX_PAP]); 4604 4605 if (--sp->rst_counter[IDX_PAP] < 0) 4606 /* TO- event */ 4607 switch (sp->state[IDX_PAP]) { 4608 case STATE_REQ_SENT: 4609 pap.tld(sp); 4610 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4611 break; 4612 } 4613 else 4614 /* TO+ event, not very much we could do */ 4615 switch (sp->state[IDX_PAP]) { 4616 case STATE_REQ_SENT: 4617 /* sppp_cp_change_state() will restart the timer */ 4618 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4619 break; 4620 } 4621 4622 crit_exit(); 4623 } 4624 4625 /* 4626 * That's the timeout handler if we are peer. Since the peer is active, 4627 * we need to retransmit our PAP request since it is apparently lost. 4628 * XXX We should impose a max counter. 4629 */ 4630 static void 4631 sppp_pap_my_TO(void *cookie) 4632 { 4633 struct sppp *sp = (struct sppp *)cookie; 4634 STDDCL; 4635 4636 if (debug) 4637 log(LOG_DEBUG, SPP_FMT "pap peer TO\n", 4638 SPP_ARGS(ifp)); 4639 4640 pap.scr(sp); 4641 } 4642 4643 static void 4644 sppp_pap_tlu(struct sppp *sp) 4645 { 4646 STDDCL; 4647 4648 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4649 4650 if (debug) 4651 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 4652 SPP_ARGS(ifp), pap.name); 4653 4654 crit_enter(); 4655 4656 /* indicate to LCP that we need to be closed down */ 4657 sp->lcp.protos |= (1 << IDX_PAP); 4658 4659 if (sp->pp_flags & PP_NEEDAUTH) { 4660 /* 4661 * Remote is authenticator, but his auth proto didn't 4662 * complete yet. Defer the transition to network 4663 * phase. 4664 */ 4665 crit_exit(); 4666 return; 4667 } 4668 crit_exit(); 4669 sppp_phase_network(sp); 4670 } 4671 4672 static void 4673 sppp_pap_tld(struct sppp *sp) 4674 { 4675 STDDCL; 4676 4677 if (debug) 4678 log(LOG_DEBUG, SPP_FMT "pap tld\n", SPP_ARGS(ifp)); 4679 callout_stop(&sp->timeout[IDX_PAP]); 4680 callout_stop(&sp->pap_my_to); 4681 sp->lcp.protos &= ~(1 << IDX_PAP); 4682 4683 lcp.Close(sp); 4684 } 4685 4686 static void 4687 sppp_pap_scr(struct sppp *sp) 4688 { 4689 u_char idlen, pwdlen; 4690 4691 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4692 pwdlen = sppp_strnlen(sp->myauth.secret, AUTHKEYLEN); 4693 idlen = sppp_strnlen(sp->myauth.name, AUTHNAMELEN); 4694 4695 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 4696 sizeof idlen, (const char *)&idlen, 4697 (size_t)idlen, sp->myauth.name, 4698 sizeof pwdlen, (const char *)&pwdlen, 4699 (size_t)pwdlen, sp->myauth.secret, 4700 0); 4701 } 4702 4703 /* 4704 * Random miscellaneous functions. 4705 */ 4706 4707 /* 4708 * Send a PAP or CHAP proto packet. 4709 * 4710 * Varadic function, each of the elements for the ellipsis is of type 4711 * ``size_t mlen, const u_char *msg''. Processing will stop iff 4712 * mlen == 0. 4713 * NOTE: never declare variadic functions with types subject to type 4714 * promotion (i.e. u_char). This is asking for big trouble depending 4715 * on the architecture you are on... 4716 */ 4717 4718 static void 4719 sppp_auth_send(const struct cp *cp, struct sppp *sp, 4720 unsigned int type, unsigned int id, 4721 ...) 4722 { 4723 STDDCL; 4724 struct ppp_header *h; 4725 struct lcp_header *lh; 4726 struct mbuf *m; 4727 u_char *p; 4728 int len; 4729 unsigned int mlen; 4730 const char *msg; 4731 __va_list ap; 4732 4733 MGETHDR (m, MB_DONTWAIT, MT_DATA); 4734 if (! m) 4735 return; 4736 m->m_pkthdr.rcvif = 0; 4737 4738 h = mtod (m, struct ppp_header*); 4739 h->address = PPP_ALLSTATIONS; /* broadcast address */ 4740 h->control = PPP_UI; /* Unnumbered Info */ 4741 h->protocol = htons(cp->proto); 4742 4743 lh = (struct lcp_header*)(h + 1); 4744 lh->type = type; 4745 lh->ident = id; 4746 p = (u_char*) (lh+1); 4747 4748 __va_start(ap, id); 4749 len = 0; 4750 4751 while ((mlen = (unsigned int)__va_arg(ap, size_t)) != 0) { 4752 msg = __va_arg(ap, const char *); 4753 len += mlen; 4754 if (len > MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN) { 4755 __va_end(ap); 4756 m_freem(m); 4757 return; 4758 } 4759 4760 bcopy(msg, p, mlen); 4761 p += mlen; 4762 } 4763 __va_end(ap); 4764 4765 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + LCP_HEADER_LEN + len; 4766 lh->len = htons (LCP_HEADER_LEN + len); 4767 4768 if (debug) { 4769 log(LOG_DEBUG, SPP_FMT "%s output <%s id=0x%x len=%d", 4770 SPP_ARGS(ifp), cp->name, 4771 sppp_auth_type_name(cp->proto, lh->type), 4772 lh->ident, ntohs(lh->len)); 4773 sppp_print_bytes((u_char*) (lh+1), len); 4774 log(-1, ">\n"); 4775 } 4776 if (IF_QFULL (&sp->pp_cpq)) { 4777 IF_DROP (&sp->pp_fastq); 4778 IF_DROP (&ifp->if_snd); 4779 m_freem (m); 4780 ++ifp->if_oerrors; 4781 } else 4782 IF_ENQUEUE (&sp->pp_cpq, m); 4783 if (! (ifp->if_flags & IFF_OACTIVE)) 4784 (*ifp->if_start) (ifp); 4785 ifp->if_obytes += m->m_pkthdr.len + 3; 4786 } 4787 4788 /* 4789 * Send keepalive packets, every 10 seconds. 4790 */ 4791 static void 4792 sppp_keepalive(void *dummy) 4793 { 4794 struct sppp *sp; 4795 4796 crit_enter(); 4797 4798 for (sp=spppq; sp; sp=sp->pp_next) { 4799 struct ifnet *ifp = &sp->pp_if; 4800 4801 /* Keepalive mode disabled or channel down? */ 4802 if (! (sp->pp_flags & PP_KEEPALIVE) || 4803 ! (ifp->if_flags & IFF_RUNNING)) 4804 continue; 4805 4806 /* No keepalive in PPP mode if LCP not opened yet. */ 4807 if (sp->pp_mode != IFF_CISCO && 4808 sp->pp_phase < PHASE_AUTHENTICATE) 4809 continue; 4810 4811 if (sp->pp_alivecnt == MAXALIVECNT) { 4812 /* No keepalive packets got. Stop the interface. */ 4813 kprintf (SPP_FMT "down\n", SPP_ARGS(ifp)); 4814 if_down (ifp); 4815 IF_DRAIN(&sp->pp_cpq); 4816 if (sp->pp_mode != IFF_CISCO) { 4817 /* XXX */ 4818 /* Shut down the PPP link. */ 4819 lcp.Down(sp); 4820 /* Initiate negotiation. XXX */ 4821 lcp.Up(sp); 4822 } 4823 } 4824 ifnet_serialize_all(ifp); 4825 if (sp->pp_alivecnt <= MAXALIVECNT) 4826 ++sp->pp_alivecnt; 4827 if (sp->pp_mode == IFF_CISCO) 4828 sppp_cisco_send (sp, CISCO_KEEPALIVE_REQ, 4829 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 4830 else if (sp->pp_phase >= PHASE_AUTHENTICATE) { 4831 long nmagic = htonl (sp->lcp.magic); 4832 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 4833 sppp_cp_send (sp, PPP_LCP, ECHO_REQ, 4834 sp->lcp.echoid, 4, &nmagic); 4835 } 4836 ifnet_deserialize_all(ifp); 4837 } 4838 callout_reset(&keepalive_timeout, hz * 10, sppp_keepalive, NULL); 4839 crit_exit(); 4840 } 4841 4842 /* 4843 * Get both IP addresses. 4844 */ 4845 static void 4846 sppp_get_ip_addrs(struct sppp *sp, u_long *src, u_long *dst, u_long *srcmask) 4847 { 4848 struct ifnet *ifp = &sp->pp_if; 4849 struct ifaddr_container *ifac; 4850 struct ifaddr *ifa; 4851 struct sockaddr_in *si, *sm; 4852 u_long ssrc, ddst; 4853 4854 sm = NULL; 4855 ssrc = ddst = 0L; 4856 /* 4857 * Pick the first AF_INET address from the list, 4858 * aliases don't make any sense on a p2p link anyway. 4859 */ 4860 si = NULL; 4861 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4862 ifa = ifac->ifa; 4863 if (ifa->ifa_addr->sa_family == AF_INET) { 4864 si = (struct sockaddr_in *)ifa->ifa_addr; 4865 sm = (struct sockaddr_in *)ifa->ifa_netmask; 4866 if (si) 4867 break; 4868 } 4869 } 4870 if (ifac != NULL) { 4871 if (si && si->sin_addr.s_addr) { 4872 ssrc = si->sin_addr.s_addr; 4873 if (srcmask) 4874 *srcmask = ntohl(sm->sin_addr.s_addr); 4875 } 4876 4877 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 4878 if (si && si->sin_addr.s_addr) 4879 ddst = si->sin_addr.s_addr; 4880 } 4881 4882 if (dst) *dst = ntohl(ddst); 4883 if (src) *src = ntohl(ssrc); 4884 } 4885 4886 /* 4887 * Set my IP address. Must be called at splimp. 4888 */ 4889 static void 4890 sppp_set_ip_addr(struct sppp *sp, u_long src) 4891 { 4892 STDDCL; 4893 struct ifaddr_container *ifac; 4894 struct ifaddr *ifa = NULL; 4895 struct sockaddr_in *si; 4896 struct in_ifaddr *ia; 4897 4898 /* 4899 * Pick the first AF_INET address from the list, 4900 * aliases don't make any sense on a p2p link anyway. 4901 */ 4902 si = NULL; 4903 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4904 ifa = ifac->ifa; 4905 if (ifa->ifa_addr->sa_family == AF_INET) { 4906 si = (struct sockaddr_in *)ifa->ifa_addr; 4907 if (si) 4908 break; 4909 } 4910 } 4911 4912 if (ifac != NULL && si != NULL) { 4913 int error; 4914 #if __NetBSD_Version__ >= 103080000 4915 struct sockaddr_in new_sin = *si; 4916 4917 new_sin.sin_addr.s_addr = htonl(src); 4918 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, 1); 4919 if(debug && error) 4920 { 4921 log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: in_ifinit " 4922 " failed, error=%d\n", SPP_ARGS(ifp), error); 4923 } 4924 #else 4925 /* delete old route */ 4926 error = rtinit(ifa, (int)RTM_DELETE, RTF_HOST); 4927 if(debug && error) 4928 { 4929 log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: rtinit DEL failed, error=%d\n", 4930 SPP_ARGS(ifp), error); 4931 } 4932 4933 ia = ifatoia(ifa); 4934 in_iahash_remove(ia); 4935 4936 /* set new address */ 4937 si->sin_addr.s_addr = htonl(src); 4938 in_iahash_insert(ia); 4939 4940 /* add new route */ 4941 error = rtinit(ifa, (int)RTM_ADD, RTF_HOST); 4942 if (debug && error) 4943 { 4944 log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: rtinit ADD failed, error=%d", 4945 SPP_ARGS(ifp), error); 4946 } 4947 #endif 4948 } 4949 } 4950 4951 #ifdef INET6 4952 /* 4953 * Get both IPv6 addresses. 4954 */ 4955 static void 4956 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 4957 struct in6_addr *srcmask) 4958 { 4959 struct ifnet *ifp = &sp->pp_if; 4960 struct ifaddr_container *ifac; 4961 struct ifaddr *ifa; 4962 struct sockaddr_in6 *si, *sm; 4963 struct in6_addr ssrc, ddst; 4964 4965 sm = NULL; 4966 bzero(&ssrc, sizeof(ssrc)); 4967 bzero(&ddst, sizeof(ddst)); 4968 /* 4969 * Pick the first link-local AF_INET6 address from the list, 4970 * aliases don't make any sense on a p2p link anyway. 4971 */ 4972 si = NULL; 4973 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4974 ifa = ifac->ifa; 4975 if (ifa->ifa_addr->sa_family == AF_INET6) { 4976 si = (struct sockaddr_in6 *)ifa->ifa_addr; 4977 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 4978 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) 4979 break; 4980 } 4981 } 4982 if (ifac != NULL) { 4983 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 4984 bcopy(&si->sin6_addr, &ssrc, sizeof(ssrc)); 4985 if (srcmask) { 4986 bcopy(&sm->sin6_addr, srcmask, 4987 sizeof(*srcmask)); 4988 } 4989 } 4990 4991 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 4992 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 4993 bcopy(&si->sin6_addr, &ddst, sizeof(ddst)); 4994 } 4995 4996 if (dst) 4997 bcopy(&ddst, dst, sizeof(*dst)); 4998 if (src) 4999 bcopy(&ssrc, src, sizeof(*src)); 5000 } 5001 5002 #ifdef IPV6CP_MYIFID_DYN 5003 /* 5004 * Generate random ifid. 5005 */ 5006 static void 5007 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5008 { 5009 /* TBD */ 5010 } 5011 5012 /* 5013 * Set my IPv6 address. Must be called at splimp. 5014 */ 5015 static void 5016 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5017 { 5018 STDDCL; 5019 struct ifaddr_container *ifac; 5020 struct ifaddr *ifa; 5021 struct sockaddr_in6 *sin6; 5022 5023 /* 5024 * Pick the first link-local AF_INET6 address from the list, 5025 * aliases don't make any sense on a p2p link anyway. 5026 */ 5027 5028 sin6 = NULL; 5029 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 5030 ifa = ifac->ifa; 5031 if (ifa->ifa_addr->sa_family == AF_INET6) { 5032 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5033 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 5034 break; 5035 } 5036 } 5037 5038 if (ifac != NULL && sin6 != NULL) { 5039 int error; 5040 struct sockaddr_in6 new_sin6 = *sin6; 5041 5042 bcopy(src, &new_sin6.sin6_addr, sizeof(new_sin6.sin6_addr)); 5043 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5044 if (debug && error) { 5045 log(LOG_DEBUG, SPP_FMT "sppp_set_ip6_addr: in6_ifinit " 5046 " failed, error=%d\n", SPP_ARGS(ifp), error); 5047 } 5048 } 5049 } 5050 #endif 5051 5052 /* 5053 * Suggest a candidate address to be used by peer. 5054 */ 5055 static void 5056 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5057 { 5058 struct in6_addr myaddr; 5059 struct timeval tv; 5060 5061 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5062 5063 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5064 microtime(&tv); 5065 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5066 myaddr.s6_addr[14] ^= 0xff; 5067 myaddr.s6_addr[15] ^= 0xff; 5068 } else { 5069 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5070 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5071 } 5072 if (suggest) 5073 bcopy(&myaddr, suggest, sizeof(myaddr)); 5074 } 5075 #endif /*INET6*/ 5076 5077 static int 5078 sppp_params(struct sppp *sp, u_long cmd, void *data) 5079 { 5080 u_long subcmd; 5081 struct ifreq *ifr = (struct ifreq *)data; 5082 struct spppreq *spr; 5083 int rv = 0; 5084 5085 spr = kmalloc(sizeof(struct spppreq), M_TEMP, M_INTWAIT); 5086 5087 /* 5088 * ifr->ifr_data is supposed to point to a struct spppreq. 5089 * Check the cmd word first before attempting to fetch all the 5090 * data. 5091 */ 5092 if ((subcmd = fuword(ifr->ifr_data)) == -1) { 5093 rv = EFAULT; 5094 goto quit; 5095 } 5096 5097 if (copyin((caddr_t)ifr->ifr_data, spr, sizeof(struct spppreq)) != 0) { 5098 rv = EFAULT; 5099 goto quit; 5100 } 5101 5102 switch (subcmd) { 5103 case (u_long)SPPPIOGDEFS: 5104 if (cmd != SIOCGIFGENERIC) { 5105 rv = EINVAL; 5106 break; 5107 } 5108 /* 5109 * We copy over the entire current state, but clean 5110 * out some of the stuff we don't wanna pass up. 5111 * Remember, SIOCGIFGENERIC is unprotected, and can be 5112 * called by any user. No need to ever get PAP or 5113 * CHAP secrets back to userland anyway. 5114 */ 5115 spr->defs.pp_phase = sp->pp_phase; 5116 spr->defs.enable_vj = (sp->confflags & CONF_ENABLE_VJ) != 0; 5117 spr->defs.enable_ipv6 = (sp->confflags & CONF_ENABLE_IPV6) != 0; 5118 spr->defs.lcp = sp->lcp; 5119 spr->defs.ipcp = sp->ipcp; 5120 spr->defs.ipv6cp = sp->ipv6cp; 5121 spr->defs.myauth = sp->myauth; 5122 spr->defs.hisauth = sp->hisauth; 5123 bzero(spr->defs.myauth.secret, AUTHKEYLEN); 5124 bzero(spr->defs.myauth.challenge, AUTHKEYLEN); 5125 bzero(spr->defs.hisauth.secret, AUTHKEYLEN); 5126 bzero(spr->defs.hisauth.challenge, AUTHKEYLEN); 5127 /* 5128 * Fixup the LCP timeout value to milliseconds so 5129 * spppcontrol doesn't need to bother about the value 5130 * of "hz". We do the reverse calculation below when 5131 * setting it. 5132 */ 5133 spr->defs.lcp.timeout = sp->lcp.timeout * 1000 / hz; 5134 rv = copyout(spr, (caddr_t)ifr->ifr_data, 5135 sizeof(struct spppreq)); 5136 break; 5137 5138 case (u_long)SPPPIOSDEFS: 5139 if (cmd != SIOCSIFGENERIC) { 5140 rv = EINVAL; 5141 break; 5142 } 5143 /* 5144 * We have a very specific idea of which fields we 5145 * allow being passed back from userland, so to not 5146 * clobber our current state. For one, we only allow 5147 * setting anything if LCP is in dead or establish 5148 * phase. Once the authentication negotiations 5149 * started, the authentication settings must not be 5150 * changed again. (The administrator can force an 5151 * ifconfig down in order to get LCP back into dead 5152 * phase.) 5153 * 5154 * Also, we only allow for authentication parameters to be 5155 * specified. 5156 * 5157 * XXX Should allow to set or clear pp_flags. 5158 * 5159 * Finally, if the respective authentication protocol to 5160 * be used is set differently than 0, but the secret is 5161 * passed as all zeros, we don't trash the existing secret. 5162 * This allows an administrator to change the system name 5163 * only without clobbering the secret (which he didn't get 5164 * back in a previous SPPPIOGDEFS call). However, the 5165 * secrets are cleared if the authentication protocol is 5166 * reset to 0. */ 5167 if (sp->pp_phase != PHASE_DEAD && 5168 sp->pp_phase != PHASE_ESTABLISH) { 5169 rv = EBUSY; 5170 break; 5171 } 5172 5173 if ((spr->defs.myauth.proto != 0 && spr->defs.myauth.proto != PPP_PAP && 5174 spr->defs.myauth.proto != PPP_CHAP) || 5175 (spr->defs.hisauth.proto != 0 && spr->defs.hisauth.proto != PPP_PAP && 5176 spr->defs.hisauth.proto != PPP_CHAP)) { 5177 rv = EINVAL; 5178 break; 5179 } 5180 5181 if (spr->defs.myauth.proto == 0) 5182 /* resetting myauth */ 5183 bzero(&sp->myauth, sizeof sp->myauth); 5184 else { 5185 /* setting/changing myauth */ 5186 sp->myauth.proto = spr->defs.myauth.proto; 5187 bcopy(spr->defs.myauth.name, sp->myauth.name, AUTHNAMELEN); 5188 if (spr->defs.myauth.secret[0] != '\0') 5189 bcopy(spr->defs.myauth.secret, sp->myauth.secret, 5190 AUTHKEYLEN); 5191 } 5192 if (spr->defs.hisauth.proto == 0) 5193 /* resetting hisauth */ 5194 bzero(&sp->hisauth, sizeof sp->hisauth); 5195 else { 5196 /* setting/changing hisauth */ 5197 sp->hisauth.proto = spr->defs.hisauth.proto; 5198 sp->hisauth.flags = spr->defs.hisauth.flags; 5199 bcopy(spr->defs.hisauth.name, sp->hisauth.name, AUTHNAMELEN); 5200 if (spr->defs.hisauth.secret[0] != '\0') 5201 bcopy(spr->defs.hisauth.secret, sp->hisauth.secret, 5202 AUTHKEYLEN); 5203 } 5204 /* set LCP restart timer timeout */ 5205 if (spr->defs.lcp.timeout != 0) 5206 sp->lcp.timeout = spr->defs.lcp.timeout * hz / 1000; 5207 /* set VJ enable and IPv6 disable flags */ 5208 #ifdef INET 5209 if (spr->defs.enable_vj) 5210 sp->confflags |= CONF_ENABLE_VJ; 5211 else 5212 sp->confflags &= ~CONF_ENABLE_VJ; 5213 #endif 5214 #ifdef INET6 5215 if (spr->defs.enable_ipv6) 5216 sp->confflags |= CONF_ENABLE_IPV6; 5217 else 5218 sp->confflags &= ~CONF_ENABLE_IPV6; 5219 #endif 5220 break; 5221 5222 default: 5223 rv = EINVAL; 5224 } 5225 5226 quit: 5227 kfree(spr, M_TEMP); 5228 5229 return (rv); 5230 } 5231 5232 static void 5233 sppp_phase_network(struct sppp *sp) 5234 { 5235 STDDCL; 5236 int i; 5237 u_long mask; 5238 5239 sp->pp_phase = PHASE_NETWORK; 5240 5241 if (debug) 5242 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 5243 sppp_phase_name(sp->pp_phase)); 5244 5245 /* Notify NCPs now. */ 5246 for (i = 0; i < IDX_COUNT; i++) 5247 if ((cps[i])->flags & CP_NCP) 5248 (cps[i])->Open(sp); 5249 5250 /* Send Up events to all NCPs. */ 5251 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5252 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) 5253 (cps[i])->Up(sp); 5254 5255 /* if no NCP is starting, all this was in vain, close down */ 5256 sppp_lcp_check_and_close(sp); 5257 } 5258 5259 5260 static const char * 5261 sppp_cp_type_name(u_char type) 5262 { 5263 static char buf[12]; 5264 switch (type) { 5265 case CONF_REQ: return "conf-req"; 5266 case CONF_ACK: return "conf-ack"; 5267 case CONF_NAK: return "conf-nak"; 5268 case CONF_REJ: return "conf-rej"; 5269 case TERM_REQ: return "term-req"; 5270 case TERM_ACK: return "term-ack"; 5271 case CODE_REJ: return "code-rej"; 5272 case PROTO_REJ: return "proto-rej"; 5273 case ECHO_REQ: return "echo-req"; 5274 case ECHO_REPLY: return "echo-reply"; 5275 case DISC_REQ: return "discard-req"; 5276 } 5277 ksnprintf (buf, sizeof(buf), "cp/0x%x", type); 5278 return buf; 5279 } 5280 5281 static const char * 5282 sppp_auth_type_name(u_short proto, u_char type) 5283 { 5284 static char buf[12]; 5285 switch (proto) { 5286 case PPP_CHAP: 5287 switch (type) { 5288 case CHAP_CHALLENGE: return "challenge"; 5289 case CHAP_RESPONSE: return "response"; 5290 case CHAP_SUCCESS: return "success"; 5291 case CHAP_FAILURE: return "failure"; 5292 } 5293 case PPP_PAP: 5294 switch (type) { 5295 case PAP_REQ: return "req"; 5296 case PAP_ACK: return "ack"; 5297 case PAP_NAK: return "nak"; 5298 } 5299 } 5300 ksnprintf (buf, sizeof(buf), "auth/0x%x", type); 5301 return buf; 5302 } 5303 5304 static const char * 5305 sppp_lcp_opt_name(u_char opt) 5306 { 5307 static char buf[12]; 5308 switch (opt) { 5309 case LCP_OPT_MRU: return "mru"; 5310 case LCP_OPT_ASYNC_MAP: return "async-map"; 5311 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 5312 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 5313 case LCP_OPT_MAGIC: return "magic"; 5314 case LCP_OPT_PROTO_COMP: return "proto-comp"; 5315 case LCP_OPT_ADDR_COMP: return "addr-comp"; 5316 } 5317 ksnprintf (buf, sizeof(buf), "lcp/0x%x", opt); 5318 return buf; 5319 } 5320 5321 static const char * 5322 sppp_ipcp_opt_name(u_char opt) 5323 { 5324 static char buf[12]; 5325 switch (opt) { 5326 case IPCP_OPT_ADDRESSES: return "addresses"; 5327 case IPCP_OPT_COMPRESSION: return "compression"; 5328 case IPCP_OPT_ADDRESS: return "address"; 5329 } 5330 ksnprintf (buf, sizeof(buf), "ipcp/0x%x", opt); 5331 return buf; 5332 } 5333 5334 #ifdef INET6 5335 static const char * 5336 sppp_ipv6cp_opt_name(u_char opt) 5337 { 5338 static char buf[12]; 5339 switch (opt) { 5340 case IPV6CP_OPT_IFID: return "ifid"; 5341 case IPV6CP_OPT_COMPRESSION: return "compression"; 5342 } 5343 ksprintf (buf, "0x%x", opt); 5344 return buf; 5345 } 5346 #endif 5347 5348 static const char * 5349 sppp_state_name(int state) 5350 { 5351 switch (state) { 5352 case STATE_INITIAL: return "initial"; 5353 case STATE_STARTING: return "starting"; 5354 case STATE_CLOSED: return "closed"; 5355 case STATE_STOPPED: return "stopped"; 5356 case STATE_CLOSING: return "closing"; 5357 case STATE_STOPPING: return "stopping"; 5358 case STATE_REQ_SENT: return "req-sent"; 5359 case STATE_ACK_RCVD: return "ack-rcvd"; 5360 case STATE_ACK_SENT: return "ack-sent"; 5361 case STATE_OPENED: return "opened"; 5362 } 5363 return "illegal"; 5364 } 5365 5366 static const char * 5367 sppp_phase_name(enum ppp_phase phase) 5368 { 5369 switch (phase) { 5370 case PHASE_DEAD: return "dead"; 5371 case PHASE_ESTABLISH: return "establish"; 5372 case PHASE_TERMINATE: return "terminate"; 5373 case PHASE_AUTHENTICATE: return "authenticate"; 5374 case PHASE_NETWORK: return "network"; 5375 } 5376 return "illegal"; 5377 } 5378 5379 static const char * 5380 sppp_proto_name(u_short proto) 5381 { 5382 static char buf[12]; 5383 switch (proto) { 5384 case PPP_LCP: return "lcp"; 5385 case PPP_IPCP: return "ipcp"; 5386 case PPP_PAP: return "pap"; 5387 case PPP_CHAP: return "chap"; 5388 case PPP_IPV6CP: return "ipv6cp"; 5389 } 5390 ksnprintf(buf, sizeof(buf), "proto/0x%x", (unsigned)proto); 5391 return buf; 5392 } 5393 5394 static void 5395 sppp_print_bytes(const u_char *p, u_short len) 5396 { 5397 if (len) 5398 log(-1, " %*D", len, p, "-"); 5399 } 5400 5401 static void 5402 sppp_print_string(const char *p, u_short len) 5403 { 5404 u_char c; 5405 5406 while (len-- > 0) { 5407 c = *p++; 5408 /* 5409 * Print only ASCII chars directly. RFC 1994 recommends 5410 * using only them, but we don't rely on it. */ 5411 if (c < ' ' || c > '~') 5412 log(-1, "\\x%x", c); 5413 else 5414 log(-1, "%c", c); 5415 } 5416 } 5417 5418 static const char * 5419 sppp_dotted_quad(u_long addr) 5420 { 5421 static char s[16]; 5422 ksprintf(s, "%d.%d.%d.%d", 5423 (int)((addr >> 24) & 0xff), 5424 (int)((addr >> 16) & 0xff), 5425 (int)((addr >> 8) & 0xff), 5426 (int)(addr & 0xff)); 5427 return s; 5428 } 5429 5430 static int 5431 sppp_strnlen(u_char *p, int max) 5432 { 5433 int len; 5434 5435 for (len = 0; len < max && *p; ++p) 5436 ++len; 5437 return len; 5438 } 5439 5440 /* a dummy, used to drop uninteresting events */ 5441 static void 5442 sppp_null(struct sppp *unused) 5443 { 5444 /* do just nothing */ 5445 } 5446