1 /* 2 * Synchronous PPP/Cisco link level subroutines. 3 * Keepalive protocol implemented in both Cisco and PPP modes. 4 * 5 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 6 * Author: Serge Vakulenko, <vak@cronyx.ru> 7 * 8 * Heavily revamped to conform to RFC 1661. 9 * Copyright (C) 1997, 2001 Joerg Wunsch. 10 * 11 * This software is distributed with NO WARRANTIES, not even the implied 12 * warranties for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 13 * 14 * Authors grant any other persons or organisations permission to use 15 * or modify this software as long as this message is kept with the software, 16 * all derivative works or modified versions. 17 * 18 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 19 * 20 * $FreeBSD: src/sys/net/if_spppsubr.c,v 1.59.2.13 2002/07/03 15:44:41 joerg Exp $ 21 * $DragonFly: src/sys/net/sppp/if_spppsubr.c,v 1.35 2008/06/09 11:24:24 sephe Exp $ 22 */ 23 24 #include <sys/param.h> 25 26 #if defined(__DragonFly__) 27 #include "opt_inet.h" 28 #include "opt_inet6.h" 29 #include "opt_ipx.h" 30 #endif 31 32 #ifdef NetBSD1_3 33 # if NetBSD1_3 > 6 34 # include "opt_inet.h" 35 # include "opt_inet6.h" 36 # include "opt_iso.h" 37 # endif 38 #endif 39 40 #include <sys/systm.h> 41 #include <sys/kernel.h> 42 #include <sys/module.h> 43 #include <sys/sockio.h> 44 #include <sys/socket.h> 45 #include <sys/syslog.h> 46 #if defined(__DragonFly__) 47 #include <sys/random.h> 48 #include <sys/thread2.h> 49 #endif 50 #include <sys/malloc.h> 51 #include <sys/mbuf.h> 52 53 #if defined (__OpenBSD__) 54 #include <sys/md5k.h> 55 #else 56 #include <sys/md5.h> 57 #endif 58 59 #include <net/if.h> 60 #include <net/ifq_var.h> 61 #include <net/netisr.h> 62 #include <net/if_types.h> 63 #include <net/route.h> 64 #include <netinet/in.h> 65 #include <netinet/in_systm.h> 66 #include <netinet/ip.h> 67 #include <net/slcompress.h> 68 69 #if defined (__NetBSD__) || defined (__OpenBSD__) 70 #include <machine/cpu.h> /* XXX for softnet */ 71 #endif 72 73 #include <machine/stdarg.h> 74 75 #include <netinet/in.h> 76 #include <netinet/in_systm.h> 77 #include <netinet/in_var.h> 78 79 #ifdef INET 80 #include <netinet/ip.h> 81 #include <netinet/tcp.h> 82 #endif 83 84 #if defined (__DragonFly__) || defined (__OpenBSD__) 85 # include <netinet/if_ether.h> 86 #else 87 # include <net/ethertypes.h> 88 #endif 89 90 #ifdef IPX 91 #include <netproto/ipx/ipx.h> 92 #include <netproto/ipx/ipx_if.h> 93 #endif 94 95 #include "if_sppp.h" 96 97 #define IOCTL_CMD_T u_long 98 #define MAXALIVECNT 3 /* max. alive packets */ 99 100 /* 101 * Interface flags that can be set in an ifconfig command. 102 * 103 * Setting link0 will make the link passive, i.e. it will be marked 104 * as being administrative openable, but won't be opened to begin 105 * with. Incoming calls will be answered, or subsequent calls with 106 * -link1 will cause the administrative open of the LCP layer. 107 * 108 * Setting link1 will cause the link to auto-dial only as packets 109 * arrive to be sent. 110 * 111 * Setting IFF_DEBUG will syslog the option negotiation and state 112 * transitions at level kern.debug. Note: all logs consistently look 113 * like 114 * 115 * <if-name><unit>: <proto-name> <additional info...> 116 * 117 * with <if-name><unit> being something like "bppp0", and <proto-name> 118 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 119 */ 120 121 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 122 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 123 #define IFF_CISCO IFF_LINK2 /* auto-dial on output */ 124 125 #define PPP_ALLSTATIONS 0xff /* All-Stations broadcast address */ 126 #define PPP_UI 0x03 /* Unnumbered Information */ 127 #define PPP_IP 0x0021 /* Internet Protocol */ 128 #define PPP_ISO 0x0023 /* ISO OSI Protocol */ 129 #define PPP_XNS 0x0025 /* Xerox NS Protocol */ 130 #define PPP_IPX 0x002b /* Novell IPX Protocol */ 131 #define PPP_VJ_COMP 0x002d /* VJ compressed TCP/IP */ 132 #define PPP_VJ_UCOMP 0x002f /* VJ uncompressed TCP/IP */ 133 #define PPP_IPV6 0x0057 /* Internet Protocol Version 6 */ 134 #define PPP_LCP 0xc021 /* Link Control Protocol */ 135 #define PPP_PAP 0xc023 /* Password Authentication Protocol */ 136 #define PPP_CHAP 0xc223 /* Challenge-Handshake Auth Protocol */ 137 #define PPP_IPCP 0x8021 /* Internet Protocol Control Protocol */ 138 #define PPP_IPV6CP 0x8057 /* IPv6 Control Protocol */ 139 140 #define CONF_REQ 1 /* PPP configure request */ 141 #define CONF_ACK 2 /* PPP configure acknowledge */ 142 #define CONF_NAK 3 /* PPP configure negative ack */ 143 #define CONF_REJ 4 /* PPP configure reject */ 144 #define TERM_REQ 5 /* PPP terminate request */ 145 #define TERM_ACK 6 /* PPP terminate acknowledge */ 146 #define CODE_REJ 7 /* PPP code reject */ 147 #define PROTO_REJ 8 /* PPP protocol reject */ 148 #define ECHO_REQ 9 /* PPP echo request */ 149 #define ECHO_REPLY 10 /* PPP echo reply */ 150 #define DISC_REQ 11 /* PPP discard request */ 151 152 #define LCP_OPT_MRU 1 /* maximum receive unit */ 153 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 154 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 155 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 156 #define LCP_OPT_MAGIC 5 /* magic number */ 157 #define LCP_OPT_RESERVED 6 /* reserved */ 158 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 159 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 160 161 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 162 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol (VJ) */ 163 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 164 165 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 166 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 167 168 #define IPCP_COMP_VJ 0x2d /* Code for VJ compression */ 169 170 #define PAP_REQ 1 /* PAP name/password request */ 171 #define PAP_ACK 2 /* PAP acknowledge */ 172 #define PAP_NAK 3 /* PAP fail */ 173 174 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 175 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 176 #define CHAP_SUCCESS 3 /* CHAP response ok */ 177 #define CHAP_FAILURE 4 /* CHAP response failed */ 178 179 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 180 181 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 182 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 183 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 184 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 185 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 186 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 187 188 /* states are named and numbered according to RFC 1661 */ 189 #define STATE_INITIAL 0 190 #define STATE_STARTING 1 191 #define STATE_CLOSED 2 192 #define STATE_STOPPED 3 193 #define STATE_CLOSING 4 194 #define STATE_STOPPING 5 195 #define STATE_REQ_SENT 6 196 #define STATE_ACK_RCVD 7 197 #define STATE_ACK_SENT 8 198 #define STATE_OPENED 9 199 200 struct ppp_header { 201 u_char address; 202 u_char control; 203 u_short protocol; 204 } __attribute__((__packed__)); 205 #define PPP_HEADER_LEN sizeof (struct ppp_header) 206 207 struct lcp_header { 208 u_char type; 209 u_char ident; 210 u_short len; 211 } __attribute__((__packed__)); 212 #define LCP_HEADER_LEN sizeof (struct lcp_header) 213 214 struct cisco_packet { 215 u_long type; 216 u_long par1; 217 u_long par2; 218 u_short rel; 219 u_short time0; 220 u_short time1; 221 } __attribute__((__packed__)); 222 #define CISCO_PACKET_LEN sizeof (struct cisco_packet) 223 224 /* 225 * We follow the spelling and capitalization of RFC 1661 here, to make 226 * it easier comparing with the standard. Please refer to this RFC in 227 * case you can't make sense out of these abbreviation; it will also 228 * explain the semantics related to the various events and actions. 229 */ 230 struct cp { 231 u_short proto; /* PPP control protocol number */ 232 u_char protoidx; /* index into state table in struct sppp */ 233 u_char flags; 234 #define CP_LCP 0x01 /* this is the LCP */ 235 #define CP_AUTH 0x02 /* this is an authentication protocol */ 236 #define CP_NCP 0x04 /* this is a NCP */ 237 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 238 const char *name; /* name of this control protocol */ 239 /* event handlers */ 240 void (*Up)(struct sppp *sp); 241 void (*Down)(struct sppp *sp); 242 void (*Open)(struct sppp *sp); 243 void (*Close)(struct sppp *sp); 244 void (*TO)(void *sp); 245 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 246 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 247 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 248 /* actions */ 249 void (*tlu)(struct sppp *sp); 250 void (*tld)(struct sppp *sp); 251 void (*tls)(struct sppp *sp); 252 void (*tlf)(struct sppp *sp); 253 void (*scr)(struct sppp *sp); 254 }; 255 256 static struct sppp *spppq; 257 #if defined(__DragonFly__) 258 static struct callout keepalive_timeout; 259 #endif 260 261 #if defined(__FreeBSD__) && __FreeBSD__ >= 3 && !defined(__DragonFly__) 262 #define SPP_FMT "%s%d: " 263 #define SPP_ARGS(ifp) (ifp)->if_name, (ifp)->if_unit 264 #else 265 #define SPP_FMT "%s: " 266 #define SPP_ARGS(ifp) (ifp)->if_xname 267 #endif 268 269 #ifdef INET 270 /* 271 * The following disgusting hack gets around the problem that IP TOS 272 * can't be set yet. We want to put "interactive" traffic on a high 273 * priority queue. To decide if traffic is interactive, we check that 274 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 275 * 276 * XXX is this really still necessary? - joerg - 277 */ 278 static u_short interactive_ports[8] = { 279 0, 513, 0, 0, 280 0, 21, 0, 23, 281 }; 282 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 283 #endif 284 285 /* almost every function needs these */ 286 #define STDDCL \ 287 struct ifnet *ifp = &sp->pp_if; \ 288 int debug = ifp->if_flags & IFF_DEBUG 289 290 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 291 struct sockaddr *dst, struct rtentry *rt); 292 293 static void sppp_cisco_send(struct sppp *sp, int type, long par1, long par2); 294 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 295 296 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 297 struct mbuf *m); 298 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 299 u_char ident, u_short len, void *data); 300 /* static void sppp_cp_timeout(void *arg); */ 301 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 302 int newstate); 303 static void sppp_auth_send(const struct cp *cp, 304 struct sppp *sp, unsigned int type, unsigned int id, 305 ...); 306 307 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 308 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 309 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 310 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 311 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 312 313 static void sppp_null(struct sppp *sp); 314 315 static void sppp_lcp_init(struct sppp *sp); 316 static void sppp_lcp_up(struct sppp *sp); 317 static void sppp_lcp_down(struct sppp *sp); 318 static void sppp_lcp_open(struct sppp *sp); 319 static void sppp_lcp_close(struct sppp *sp); 320 static void sppp_lcp_TO(void *sp); 321 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 322 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 323 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 324 static void sppp_lcp_tlu(struct sppp *sp); 325 static void sppp_lcp_tld(struct sppp *sp); 326 static void sppp_lcp_tls(struct sppp *sp); 327 static void sppp_lcp_tlf(struct sppp *sp); 328 static void sppp_lcp_scr(struct sppp *sp); 329 static void sppp_lcp_check_and_close(struct sppp *sp); 330 static int sppp_ncp_check(struct sppp *sp); 331 332 static void sppp_ipcp_init(struct sppp *sp); 333 static void sppp_ipcp_up(struct sppp *sp); 334 static void sppp_ipcp_down(struct sppp *sp); 335 static void sppp_ipcp_open(struct sppp *sp); 336 static void sppp_ipcp_close(struct sppp *sp); 337 static void sppp_ipcp_TO(void *sp); 338 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 339 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 340 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 341 static void sppp_ipcp_tlu(struct sppp *sp); 342 static void sppp_ipcp_tld(struct sppp *sp); 343 static void sppp_ipcp_tls(struct sppp *sp); 344 static void sppp_ipcp_tlf(struct sppp *sp); 345 static void sppp_ipcp_scr(struct sppp *sp); 346 347 static void sppp_ipv6cp_init(struct sppp *sp); 348 static void sppp_ipv6cp_up(struct sppp *sp); 349 static void sppp_ipv6cp_down(struct sppp *sp); 350 static void sppp_ipv6cp_open(struct sppp *sp); 351 static void sppp_ipv6cp_close(struct sppp *sp); 352 static void sppp_ipv6cp_TO(void *sp); 353 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 354 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 355 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 356 static void sppp_ipv6cp_tlu(struct sppp *sp); 357 static void sppp_ipv6cp_tld(struct sppp *sp); 358 static void sppp_ipv6cp_tls(struct sppp *sp); 359 static void sppp_ipv6cp_tlf(struct sppp *sp); 360 static void sppp_ipv6cp_scr(struct sppp *sp); 361 362 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 363 static void sppp_pap_init(struct sppp *sp); 364 static void sppp_pap_open(struct sppp *sp); 365 static void sppp_pap_close(struct sppp *sp); 366 static void sppp_pap_TO(void *sp); 367 static void sppp_pap_my_TO(void *sp); 368 static void sppp_pap_tlu(struct sppp *sp); 369 static void sppp_pap_tld(struct sppp *sp); 370 static void sppp_pap_scr(struct sppp *sp); 371 372 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 373 static void sppp_chap_init(struct sppp *sp); 374 static void sppp_chap_open(struct sppp *sp); 375 static void sppp_chap_close(struct sppp *sp); 376 static void sppp_chap_TO(void *sp); 377 static void sppp_chap_tlu(struct sppp *sp); 378 static void sppp_chap_tld(struct sppp *sp); 379 static void sppp_chap_scr(struct sppp *sp); 380 381 static const char *sppp_auth_type_name(u_short proto, u_char type); 382 static const char *sppp_cp_type_name(u_char type); 383 static const char *sppp_dotted_quad(u_long addr); 384 static const char *sppp_ipcp_opt_name(u_char opt); 385 #ifdef INET6 386 static const char *sppp_ipv6cp_opt_name(u_char opt); 387 #endif 388 static const char *sppp_lcp_opt_name(u_char opt); 389 static const char *sppp_phase_name(enum ppp_phase phase); 390 static const char *sppp_proto_name(u_short proto); 391 static const char *sppp_state_name(int state); 392 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 393 static int sppp_strnlen(u_char *p, int max); 394 static void sppp_get_ip_addrs(struct sppp *sp, u_long *src, u_long *dst, 395 u_long *srcmask); 396 static void sppp_keepalive(void *dummy); 397 static void sppp_phase_network(struct sppp *sp); 398 static void sppp_print_bytes(const u_char *p, u_short len); 399 static void sppp_print_string(const char *p, u_short len); 400 static void sppp_set_ip_addr(struct sppp *sp, u_long src); 401 #ifdef INET6 402 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 403 struct in6_addr *dst, struct in6_addr *srcmask); 404 #ifdef IPV6CP_MYIFID_DYN 405 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 406 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 407 #endif 408 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 409 #endif 410 411 /* our control protocol descriptors */ 412 static const struct cp lcp = { 413 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 414 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 415 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 416 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 417 sppp_lcp_scr 418 }; 419 420 static const struct cp ipcp = { 421 PPP_IPCP, IDX_IPCP, CP_NCP, "ipcp", 422 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 423 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 424 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 425 sppp_ipcp_scr 426 }; 427 428 static const struct cp ipv6cp = { 429 PPP_IPV6CP, IDX_IPV6CP, 430 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 431 CP_NCP, 432 #else 433 0, 434 #endif 435 "ipv6cp", 436 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 437 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 438 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 439 sppp_ipv6cp_scr 440 }; 441 442 static const struct cp pap = { 443 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 444 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 445 sppp_pap_TO, 0, 0, 0, 446 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 447 sppp_pap_scr 448 }; 449 450 static const struct cp chap = { 451 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 452 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 453 sppp_chap_TO, 0, 0, 0, 454 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 455 sppp_chap_scr 456 }; 457 458 static const struct cp *cps[IDX_COUNT] = { 459 &lcp, /* IDX_LCP */ 460 &ipcp, /* IDX_IPCP */ 461 &ipv6cp, /* IDX_IPV6CP */ 462 &pap, /* IDX_PAP */ 463 &chap, /* IDX_CHAP */ 464 }; 465 466 static int 467 sppp_modevent(module_t mod, int type, void *unused) 468 { 469 switch (type) { 470 case MOD_LOAD: 471 callout_init(&keepalive_timeout); 472 break; 473 case MOD_UNLOAD: 474 return EACCES; 475 break; 476 default: 477 break; 478 } 479 return 0; 480 } 481 static moduledata_t spppmod = { 482 "sppp", 483 sppp_modevent, 484 0 485 }; 486 MODULE_VERSION(sppp, 1); 487 DECLARE_MODULE(sppp, spppmod, SI_SUB_DRIVERS, SI_ORDER_ANY); 488 489 /* 490 * Exported functions, comprising our interface to the lower layer. 491 */ 492 493 /* 494 * Process the received packet. 495 */ 496 void 497 sppp_input(struct ifnet *ifp, struct mbuf *m) 498 { 499 struct ppp_header *h; 500 int isr = -1; 501 struct sppp *sp = (struct sppp *)ifp; 502 u_char *iphdr; 503 int hlen, vjlen, do_account = 0; 504 int debug = ifp->if_flags & IFF_DEBUG; 505 506 if (ifp->if_flags & IFF_UP) 507 /* Count received bytes, add FCS and one flag */ 508 ifp->if_ibytes += m->m_pkthdr.len + 3; 509 510 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 511 /* Too small packet, drop it. */ 512 if (debug) 513 log(LOG_DEBUG, 514 SPP_FMT "input packet is too small, %d bytes\n", 515 SPP_ARGS(ifp), m->m_pkthdr.len); 516 drop: 517 m_freem (m); 518 drop2: 519 ++ifp->if_ierrors; 520 ++ifp->if_iqdrops; 521 return; 522 } 523 524 /* Get PPP header. */ 525 h = mtod (m, struct ppp_header*); 526 m_adj (m, PPP_HEADER_LEN); 527 528 switch (h->address) { 529 case PPP_ALLSTATIONS: 530 if (h->control != PPP_UI) 531 goto invalid; 532 if (sp->pp_mode == IFF_CISCO) { 533 if (debug) 534 log(LOG_DEBUG, 535 SPP_FMT "PPP packet in Cisco mode " 536 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 537 SPP_ARGS(ifp), 538 h->address, h->control, ntohs(h->protocol)); 539 goto drop; 540 } 541 switch (ntohs (h->protocol)) { 542 default: 543 if (debug) 544 log(LOG_DEBUG, 545 SPP_FMT "rejecting protocol " 546 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 547 SPP_ARGS(ifp), 548 h->address, h->control, ntohs(h->protocol)); 549 if (sp->state[IDX_LCP] == STATE_OPENED) 550 sppp_cp_send (sp, PPP_LCP, PROTO_REJ, 551 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 552 &h->protocol); 553 ++ifp->if_noproto; 554 goto drop; 555 case PPP_LCP: 556 sppp_cp_input(&lcp, sp, m); 557 m_freem (m); 558 return; 559 case PPP_PAP: 560 if (sp->pp_phase >= PHASE_AUTHENTICATE) 561 sppp_pap_input(sp, m); 562 m_freem (m); 563 return; 564 case PPP_CHAP: 565 if (sp->pp_phase >= PHASE_AUTHENTICATE) 566 sppp_chap_input(sp, m); 567 m_freem (m); 568 return; 569 #ifdef INET 570 case PPP_IPCP: 571 if (sp->pp_phase == PHASE_NETWORK) 572 sppp_cp_input(&ipcp, sp, m); 573 m_freem (m); 574 return; 575 case PPP_IP: 576 if (sp->state[IDX_IPCP] == STATE_OPENED) { 577 isr = NETISR_IP; 578 } 579 do_account++; 580 break; 581 case PPP_VJ_COMP: 582 if (sp->state[IDX_IPCP] == STATE_OPENED) { 583 if ((vjlen = 584 sl_uncompress_tcp_core(mtod(m, u_char *), 585 m->m_len, m->m_len, 586 TYPE_COMPRESSED_TCP, 587 sp->pp_comp, 588 &iphdr, &hlen)) <= 0) { 589 if (debug) 590 log(LOG_INFO, 591 SPP_FMT "VJ uncompress failed on compressed packet\n", 592 SPP_ARGS(ifp)); 593 goto drop; 594 } 595 596 /* 597 * Trim the VJ header off the packet, and prepend 598 * the uncompressed IP header (which will usually 599 * end up in two chained mbufs since there's not 600 * enough leading space in the existing mbuf). 601 */ 602 m_adj(m, vjlen); 603 M_PREPEND(m, hlen, MB_DONTWAIT); 604 if (m == NULL) 605 goto drop2; 606 bcopy(iphdr, mtod(m, u_char *), hlen); 607 608 isr = NETISR_IP; 609 } 610 do_account++; 611 break; 612 case PPP_VJ_UCOMP: 613 if (sp->state[IDX_IPCP] == STATE_OPENED) { 614 if (sl_uncompress_tcp_core(mtod(m, u_char *), 615 m->m_len, m->m_len, 616 TYPE_UNCOMPRESSED_TCP, 617 sp->pp_comp, 618 &iphdr, &hlen) != 0) { 619 if (debug) 620 log(LOG_INFO, 621 SPP_FMT "VJ uncompress failed on uncompressed packet\n", 622 SPP_ARGS(ifp)); 623 goto drop; 624 } 625 isr = NETISR_IP; 626 } 627 do_account++; 628 break; 629 #endif 630 #ifdef INET6 631 case PPP_IPV6CP: 632 if (sp->pp_phase == PHASE_NETWORK) 633 sppp_cp_input(&ipv6cp, sp, m); 634 m_freem (m); 635 return; 636 637 case PPP_IPV6: 638 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 639 isr = NETISR_IPV6; 640 } 641 do_account++; 642 break; 643 #endif 644 #ifdef IPX 645 case PPP_IPX: 646 /* IPX IPXCP not implemented yet */ 647 if (sp->pp_phase == PHASE_NETWORK) { 648 isr = NETISR_IPX; 649 } 650 do_account++; 651 break; 652 #endif 653 } 654 break; 655 case CISCO_MULTICAST: 656 case CISCO_UNICAST: 657 /* Don't check the control field here (RFC 1547). */ 658 if (sp->pp_mode != IFF_CISCO) { 659 if (debug) 660 log(LOG_DEBUG, 661 SPP_FMT "Cisco packet in PPP mode " 662 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 663 SPP_ARGS(ifp), 664 h->address, h->control, ntohs(h->protocol)); 665 goto drop; 666 } 667 switch (ntohs (h->protocol)) { 668 default: 669 ++ifp->if_noproto; 670 goto invalid; 671 case CISCO_KEEPALIVE: 672 sppp_cisco_input ((struct sppp*) ifp, m); 673 m_freem (m); 674 return; 675 #ifdef INET 676 case ETHERTYPE_IP: 677 isr = NETISR_IP; 678 do_account++; 679 break; 680 #endif 681 #ifdef INET6 682 case ETHERTYPE_IPV6: 683 isr = NETISR_IPV6; 684 do_account++; 685 break; 686 #endif 687 #ifdef IPX 688 case ETHERTYPE_IPX: 689 isr = NETISR_IPX; 690 do_account++; 691 break; 692 #endif 693 } 694 break; 695 default: /* Invalid PPP packet. */ 696 invalid: 697 if (debug) 698 log(LOG_DEBUG, 699 SPP_FMT "invalid input packet " 700 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 701 SPP_ARGS(ifp), 702 h->address, h->control, ntohs(h->protocol)); 703 goto drop; 704 } 705 706 if (! (ifp->if_flags & IFF_UP) || isr < 0) 707 goto drop; 708 709 /* Check queue. */ 710 711 netisr_queue(isr, m); 712 713 /* 714 * Do only account for network packets, not for control 715 * packets. This is used by some subsystems to detect 716 * idle lines. 717 */ 718 if (do_account) 719 sp->pp_last_recv = time_second; 720 } 721 722 /* 723 * Enqueue transmit packet. 724 */ 725 static int 726 sppp_output_serialized(struct ifnet *ifp, struct mbuf *m, 727 struct sockaddr *dst, struct rtentry *rt) 728 { 729 struct sppp *sp = (struct sppp*) ifp; 730 struct ppp_header *h; 731 struct ifqueue *ifq = NULL; 732 int rv = 0; 733 int ipproto = PPP_IP; 734 int debug = ifp->if_flags & IFF_DEBUG; 735 struct altq_pktattr pktattr; 736 737 crit_enter(); 738 739 if ((ifp->if_flags & IFF_UP) == 0 || 740 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 741 #ifdef INET6 742 drop: 743 #endif 744 m_freem (m); 745 crit_exit(); 746 return (ENETDOWN); 747 } 748 749 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 750 #ifdef INET6 751 /* 752 * XXX 753 * 754 * Hack to prevent the initialization-time generated 755 * IPv6 multicast packet to erroneously cause a 756 * dialout event in case IPv6 has been 757 * administratively disabled on that interface. 758 */ 759 if (dst->sa_family == AF_INET6 && 760 !(sp->confflags & CONF_ENABLE_IPV6)) 761 goto drop; 762 #endif 763 /* 764 * Interface is not yet running, but auto-dial. Need 765 * to start LCP for it. 766 */ 767 ifp->if_flags |= IFF_RUNNING; 768 crit_exit(); 769 lcp.Open(sp); 770 crit_enter(); 771 } 772 773 /* 774 * if the queueing discipline needs packet classification, 775 * do it before prepending link headers. 776 */ 777 ifq_classify(&ifp->if_snd, m, dst->sa_family, &pktattr); 778 779 #ifdef INET 780 if (dst->sa_family == AF_INET) { 781 /* XXX Check mbuf length here? */ 782 struct ip *ip = mtod (m, struct ip*); 783 struct tcphdr *tcp = (struct tcphdr*) ((long*)ip + ip->ip_hl); 784 785 /* 786 * When using dynamic local IP address assignment by using 787 * 0.0.0.0 as a local address, the first TCP session will 788 * not connect because the local TCP checksum is computed 789 * using 0.0.0.0 which will later become our real IP address 790 * so the TCP checksum computed at the remote end will 791 * become invalid. So we 792 * - don't let packets with src ip addr 0 thru 793 * - we flag TCP packets with src ip 0 as an error 794 */ 795 796 if(ip->ip_src.s_addr == INADDR_ANY) /* -hm */ 797 { 798 m_freem(m); 799 crit_exit(); 800 if(ip->ip_p == IPPROTO_TCP) 801 return(EADDRNOTAVAIL); 802 else 803 return(0); 804 } 805 806 /* 807 * Put low delay, telnet, rlogin and ftp control packets 808 * in front of the queue. 809 */ 810 if (IF_QFULL (&sp->pp_fastq)) 811 ; 812 else if (ip->ip_tos & IPTOS_LOWDELAY) 813 ifq = &sp->pp_fastq; 814 else if (m->m_len < sizeof *ip + sizeof *tcp) 815 ; 816 else if (ip->ip_p != IPPROTO_TCP) 817 ; 818 else if (INTERACTIVE (ntohs (tcp->th_sport))) 819 ifq = &sp->pp_fastq; 820 else if (INTERACTIVE (ntohs (tcp->th_dport))) 821 ifq = &sp->pp_fastq; 822 823 /* 824 * Do IP Header compression 825 */ 826 if (sp->pp_mode != IFF_CISCO && (sp->ipcp.flags & IPCP_VJ) && 827 ip->ip_p == IPPROTO_TCP) 828 switch (sl_compress_tcp(m, ip, sp->pp_comp, 829 sp->ipcp.compress_cid)) { 830 case TYPE_COMPRESSED_TCP: 831 ipproto = PPP_VJ_COMP; 832 break; 833 case TYPE_UNCOMPRESSED_TCP: 834 ipproto = PPP_VJ_UCOMP; 835 break; 836 case TYPE_IP: 837 ipproto = PPP_IP; 838 break; 839 default: 840 m_freem(m); 841 crit_exit(); 842 return (EINVAL); 843 } 844 } 845 #endif 846 847 #ifdef INET6 848 if (dst->sa_family == AF_INET6) { 849 /* XXX do something tricky here? */ 850 } 851 #endif 852 853 /* 854 * Prepend general data packet PPP header. For now, IP only. 855 */ 856 M_PREPEND (m, PPP_HEADER_LEN, MB_DONTWAIT); 857 if (! m) { 858 if (debug) 859 log(LOG_DEBUG, SPP_FMT "no memory for transmit header\n", 860 SPP_ARGS(ifp)); 861 ++ifp->if_oerrors; 862 crit_exit(); 863 return (ENOBUFS); 864 } 865 /* 866 * May want to check size of packet 867 * (albeit due to the implementation it's always enough) 868 */ 869 h = mtod (m, struct ppp_header*); 870 if (sp->pp_mode == IFF_CISCO) { 871 h->address = CISCO_UNICAST; /* unicast address */ 872 h->control = 0; 873 } else { 874 h->address = PPP_ALLSTATIONS; /* broadcast address */ 875 h->control = PPP_UI; /* Unnumbered Info */ 876 } 877 878 switch (dst->sa_family) { 879 #ifdef INET 880 case AF_INET: /* Internet Protocol */ 881 if (sp->pp_mode == IFF_CISCO) 882 h->protocol = htons (ETHERTYPE_IP); 883 else { 884 /* 885 * Don't choke with an ENETDOWN early. It's 886 * possible that we just started dialing out, 887 * so don't drop the packet immediately. If 888 * we notice that we run out of buffer space 889 * below, we will however remember that we are 890 * not ready to carry IP packets, and return 891 * ENETDOWN, as opposed to ENOBUFS. 892 */ 893 h->protocol = htons(ipproto); 894 if (sp->state[IDX_IPCP] != STATE_OPENED) 895 rv = ENETDOWN; 896 } 897 break; 898 #endif 899 #ifdef INET6 900 case AF_INET6: /* Internet Protocol */ 901 if (sp->pp_mode == IFF_CISCO) 902 h->protocol = htons (ETHERTYPE_IPV6); 903 else { 904 /* 905 * Don't choke with an ENETDOWN early. It's 906 * possible that we just started dialing out, 907 * so don't drop the packet immediately. If 908 * we notice that we run out of buffer space 909 * below, we will however remember that we are 910 * not ready to carry IP packets, and return 911 * ENETDOWN, as opposed to ENOBUFS. 912 */ 913 h->protocol = htons(PPP_IPV6); 914 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 915 rv = ENETDOWN; 916 } 917 break; 918 #endif 919 #ifdef IPX 920 case AF_IPX: /* Novell IPX Protocol */ 921 h->protocol = htons (sp->pp_mode == IFF_CISCO ? 922 ETHERTYPE_IPX : PPP_IPX); 923 break; 924 #endif 925 default: 926 m_freem (m); 927 ++ifp->if_oerrors; 928 crit_exit(); 929 return (EAFNOSUPPORT); 930 } 931 932 /* 933 * Queue message on interface, and start output if interface 934 * not yet active. 935 */ 936 if (ifq != NULL) { 937 if (IF_QFULL(ifq)) { 938 IF_DROP(ifq); 939 m_freem(m); 940 rv = ENOBUFS; 941 ifq->ifq_drops++; 942 } else { 943 IF_ENQUEUE(ifq, m); 944 rv = 0; 945 } 946 } else { 947 rv = ifq_enqueue(&ifp->if_snd, m, &pktattr); 948 } 949 if (rv) { 950 ++ifp->if_oerrors; 951 crit_exit(); 952 return(rv); 953 } 954 if (! (ifp->if_flags & IFF_OACTIVE)) 955 (*ifp->if_start) (ifp); 956 957 /* 958 * Count output packets and bytes. 959 * The packet length includes header, FCS and 1 flag, 960 * according to RFC 1333. 961 */ 962 ifp->if_obytes += m->m_pkthdr.len + 3; 963 964 /* 965 * Unlike in sppp_input(), we can always bump the timestamp 966 * here since sppp_output() is only called on behalf of 967 * network-layer traffic; control-layer traffic is handled 968 * by sppp_cp_send(). 969 */ 970 sp->pp_last_sent = time_second; 971 972 crit_exit(); 973 return (0); 974 } 975 976 static int 977 sppp_output(struct ifnet *ifp, struct mbuf *m, 978 struct sockaddr *dst, struct rtentry *rt) 979 { 980 int error; 981 982 ifnet_serialize_tx(ifp); 983 error = sppp_output_serialized(ifp, m, dst, rt); 984 ifnet_deserialize_tx(ifp); 985 986 return error; 987 } 988 989 void 990 sppp_attach(struct ifnet *ifp) 991 { 992 struct sppp *sp = (struct sppp*) ifp; 993 994 /* Initialize keepalive handler. */ 995 if (!spppq) { 996 callout_reset(&keepalive_timeout, hz * 10, 997 sppp_keepalive, NULL); 998 } 999 /* Insert new entry into the keepalive list. */ 1000 sp->pp_next = spppq; 1001 spppq = sp; 1002 1003 sp->pp_if.if_mtu = PP_MTU; 1004 sp->pp_if.if_flags = IFF_POINTOPOINT | IFF_MULTICAST; 1005 sp->pp_if.if_type = IFT_PPP; 1006 sp->pp_if.if_output = sppp_output; 1007 #if 0 1008 sp->pp_flags = PP_KEEPALIVE; 1009 #endif 1010 sp->pp_if.if_snd.ifq_maxlen = 32; 1011 sp->pp_fastq.ifq_maxlen = 32; 1012 sp->pp_cpq.ifq_maxlen = 20; 1013 sp->pp_loopcnt = 0; 1014 sp->pp_alivecnt = 0; 1015 bzero(&sp->pp_seq[0], sizeof(sp->pp_seq)); 1016 bzero(&sp->pp_rseq[0], sizeof(sp->pp_rseq)); 1017 sp->pp_phase = PHASE_DEAD; 1018 sp->pp_up = lcp.Up; 1019 sp->pp_down = lcp.Down; 1020 sp->pp_last_recv = sp->pp_last_sent = time_second; 1021 sp->confflags = 0; 1022 #ifdef INET 1023 sp->confflags |= CONF_ENABLE_VJ; 1024 #endif 1025 #ifdef INET6 1026 sp->confflags |= CONF_ENABLE_IPV6; 1027 #endif 1028 sp->pp_comp = kmalloc(sizeof(struct slcompress), M_TEMP, M_WAITOK); 1029 sl_compress_init(sp->pp_comp, -1); 1030 sppp_lcp_init(sp); 1031 sppp_ipcp_init(sp); 1032 sppp_ipv6cp_init(sp); 1033 sppp_pap_init(sp); 1034 sppp_chap_init(sp); 1035 } 1036 1037 void 1038 sppp_detach(struct ifnet *ifp) 1039 { 1040 struct sppp **q, *p, *sp = (struct sppp*) ifp; 1041 int i; 1042 1043 /* Remove the entry from the keepalive list. */ 1044 for (q = &spppq; (p = *q); q = &p->pp_next) 1045 if (p == sp) { 1046 *q = p->pp_next; 1047 break; 1048 } 1049 1050 /* Stop keepalive handler. */ 1051 if (!spppq) 1052 callout_stop(&keepalive_timeout); 1053 1054 for (i = 0; i < IDX_COUNT; i++) 1055 callout_stop(&sp->timeout[i]); 1056 callout_stop(&sp->pap_my_to); 1057 } 1058 1059 /* 1060 * Flush the interface output queue. 1061 */ 1062 void 1063 sppp_flush(struct ifnet *ifp) 1064 { 1065 struct sppp *sp = (struct sppp*) ifp; 1066 1067 ifq_purge(&sp->pp_if.if_snd); 1068 IF_DRAIN(&sp->pp_fastq); 1069 IF_DRAIN(&sp->pp_cpq); 1070 } 1071 1072 /* 1073 * Check if the output queue is empty. 1074 */ 1075 int 1076 sppp_isempty(struct ifnet *ifp) 1077 { 1078 struct sppp *sp = (struct sppp*) ifp; 1079 int empty; 1080 1081 crit_enter(); 1082 empty = IF_QEMPTY(&sp->pp_fastq) && IF_QEMPTY(&sp->pp_cpq) && 1083 ifq_is_empty(&sp->pp_if.if_snd); 1084 crit_exit(); 1085 return (empty); 1086 } 1087 1088 /* 1089 * Get next packet to send. 1090 */ 1091 struct mbuf * 1092 sppp_dequeue(struct ifnet *ifp) 1093 { 1094 struct sppp *sp = (struct sppp*) ifp; 1095 struct mbuf *m; 1096 1097 crit_enter(); 1098 1099 /* 1100 * Process only the control protocol queue until we have at 1101 * least one NCP open. 1102 * 1103 * Do always serve all three queues in Cisco mode. 1104 */ 1105 IF_DEQUEUE(&sp->pp_cpq, m); 1106 if (m == NULL && 1107 (sppp_ncp_check(sp) || sp->pp_mode == IFF_CISCO)) { 1108 IF_DEQUEUE(&sp->pp_fastq, m); 1109 if (m == NULL) 1110 m = ifq_dequeue(&sp->pp_if.if_snd, NULL); 1111 } 1112 1113 crit_exit(); 1114 return m; 1115 } 1116 1117 /* 1118 * Pick the next packet, do not remove it from the queue. 1119 */ 1120 struct mbuf * 1121 sppp_pick(struct ifnet *ifp) 1122 { 1123 struct sppp *sp = (struct sppp*)ifp; 1124 struct mbuf *m; 1125 1126 crit_enter(); 1127 1128 m = sp->pp_cpq.ifq_head; 1129 if (m == NULL && 1130 (sp->pp_phase == PHASE_NETWORK || sp->pp_mode == IFF_CISCO)) { 1131 if ((m = sp->pp_fastq.ifq_head) == NULL) 1132 m = ifq_poll(&sp->pp_if.if_snd); 1133 } 1134 1135 crit_exit(); 1136 return (m); 1137 } 1138 1139 /* 1140 * Process an ioctl request. Called on low priority level. 1141 */ 1142 int 1143 sppp_ioctl(struct ifnet *ifp, IOCTL_CMD_T cmd, void *data) 1144 { 1145 struct ifreq *ifr = (struct ifreq*) data; 1146 struct sppp *sp = (struct sppp*) ifp; 1147 int rv, going_up, going_down, newmode; 1148 1149 crit_enter(); 1150 1151 rv = 0; 1152 switch (cmd) { 1153 case SIOCAIFADDR: 1154 case SIOCSIFDSTADDR: 1155 break; 1156 1157 case SIOCSIFADDR: 1158 /* set the interface "up" when assigning an IP address */ 1159 ifp->if_flags |= IFF_UP; 1160 /* fall through... */ 1161 1162 case SIOCSIFFLAGS: 1163 going_up = ifp->if_flags & IFF_UP && 1164 (ifp->if_flags & IFF_RUNNING) == 0; 1165 going_down = (ifp->if_flags & IFF_UP) == 0 && 1166 ifp->if_flags & IFF_RUNNING; 1167 1168 newmode = ifp->if_flags & IFF_PASSIVE; 1169 if (!newmode) 1170 newmode = ifp->if_flags & IFF_AUTO; 1171 if (!newmode) 1172 newmode = ifp->if_flags & IFF_CISCO; 1173 ifp->if_flags &= ~(IFF_PASSIVE | IFF_AUTO | IFF_CISCO); 1174 ifp->if_flags |= newmode; 1175 1176 if (newmode != sp->pp_mode) { 1177 going_down = 1; 1178 if (!going_up) 1179 going_up = ifp->if_flags & IFF_RUNNING; 1180 } 1181 1182 if (going_down) { 1183 if (sp->pp_mode != IFF_CISCO) 1184 lcp.Close(sp); 1185 else if (sp->pp_tlf) 1186 (sp->pp_tlf)(sp); 1187 sppp_flush(ifp); 1188 ifp->if_flags &= ~IFF_RUNNING; 1189 sp->pp_mode = newmode; 1190 } 1191 1192 if (going_up) { 1193 if (sp->pp_mode != IFF_CISCO) 1194 lcp.Close(sp); 1195 sp->pp_mode = newmode; 1196 if (sp->pp_mode == 0) { 1197 ifp->if_flags |= IFF_RUNNING; 1198 lcp.Open(sp); 1199 } 1200 if (sp->pp_mode == IFF_CISCO) { 1201 if (sp->pp_tls) 1202 (sp->pp_tls)(sp); 1203 ifp->if_flags |= IFF_RUNNING; 1204 } 1205 } 1206 1207 break; 1208 1209 #ifdef SIOCSIFMTU 1210 #ifndef ifr_mtu 1211 #define ifr_mtu ifr_metric 1212 #endif 1213 case SIOCSIFMTU: 1214 if (ifr->ifr_mtu < 128 || ifr->ifr_mtu > sp->lcp.their_mru) 1215 return (EINVAL); 1216 ifp->if_mtu = ifr->ifr_mtu; 1217 break; 1218 #endif 1219 #ifdef SLIOCSETMTU 1220 case SLIOCSETMTU: 1221 if (*(short*)data < 128 || *(short*)data > sp->lcp.their_mru) 1222 return (EINVAL); 1223 ifp->if_mtu = *(short*)data; 1224 break; 1225 #endif 1226 #ifdef SIOCGIFMTU 1227 case SIOCGIFMTU: 1228 ifr->ifr_mtu = ifp->if_mtu; 1229 break; 1230 #endif 1231 #ifdef SLIOCGETMTU 1232 case SLIOCGETMTU: 1233 *(short*)data = ifp->if_mtu; 1234 break; 1235 #endif 1236 case SIOCADDMULTI: 1237 case SIOCDELMULTI: 1238 break; 1239 1240 case SIOCGIFGENERIC: 1241 case SIOCSIFGENERIC: 1242 rv = sppp_params(sp, cmd, data); 1243 break; 1244 1245 default: 1246 rv = ENOTTY; 1247 } 1248 1249 crit_exit(); 1250 return rv; 1251 } 1252 1253 /* 1254 * Cisco framing implementation. 1255 */ 1256 1257 /* 1258 * Handle incoming Cisco keepalive protocol packets. 1259 */ 1260 static void 1261 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1262 { 1263 STDDCL; 1264 struct cisco_packet *h; 1265 u_long me, mymask; 1266 1267 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1268 if (debug) 1269 log(LOG_DEBUG, 1270 SPP_FMT "cisco invalid packet length: %d bytes\n", 1271 SPP_ARGS(ifp), m->m_pkthdr.len); 1272 return; 1273 } 1274 h = mtod (m, struct cisco_packet*); 1275 if (debug) 1276 log(LOG_DEBUG, 1277 SPP_FMT "cisco input: %d bytes " 1278 "<0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n", 1279 SPP_ARGS(ifp), m->m_pkthdr.len, 1280 (u_long)ntohl (h->type), (u_long)h->par1, (u_long)h->par2, (u_int)h->rel, 1281 (u_int)h->time0, (u_int)h->time1); 1282 switch (ntohl (h->type)) { 1283 default: 1284 if (debug) 1285 log(-1, SPP_FMT "cisco unknown packet type: 0x%lx\n", 1286 SPP_ARGS(ifp), (u_long)ntohl (h->type)); 1287 break; 1288 case CISCO_ADDR_REPLY: 1289 /* Reply on address request, ignore */ 1290 break; 1291 case CISCO_KEEPALIVE_REQ: 1292 sp->pp_alivecnt = 0; 1293 sp->pp_rseq[IDX_LCP] = ntohl (h->par1); 1294 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1295 /* Local and remote sequence numbers are equal. 1296 * Probably, the line is in loopback mode. */ 1297 if (sp->pp_loopcnt >= MAXALIVECNT) { 1298 kprintf (SPP_FMT "loopback\n", 1299 SPP_ARGS(ifp)); 1300 sp->pp_loopcnt = 0; 1301 if (ifp->if_flags & IFF_UP) { 1302 if_down (ifp); 1303 IF_DRAIN(&sp->pp_cpq); 1304 } 1305 } 1306 ++sp->pp_loopcnt; 1307 1308 /* Generate new local sequence number */ 1309 #if defined(__DragonFly__) 1310 sp->pp_seq[IDX_LCP] = krandom(); 1311 #else 1312 sp->pp_seq[IDX_LCP] ^= time.tv_sec ^ time.tv_usec; 1313 #endif 1314 break; 1315 } 1316 sp->pp_loopcnt = 0; 1317 if (! (ifp->if_flags & IFF_UP) && 1318 (ifp->if_flags & IFF_RUNNING)) { 1319 if_up(ifp); 1320 kprintf (SPP_FMT "up\n", SPP_ARGS(ifp)); 1321 } 1322 break; 1323 case CISCO_ADDR_REQ: 1324 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1325 if (me != 0L) 1326 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1327 break; 1328 } 1329 } 1330 1331 /* 1332 * Send Cisco keepalive packet. 1333 */ 1334 static void 1335 sppp_cisco_send(struct sppp *sp, int type, long par1, long par2) 1336 { 1337 STDDCL; 1338 struct ppp_header *h; 1339 struct cisco_packet *ch; 1340 struct mbuf *m; 1341 #if defined(__DragonFly__) 1342 struct timeval tv; 1343 #else 1344 u_long t = (time.tv_sec - boottime.tv_sec) * 1000; 1345 #endif 1346 1347 #if defined(__DragonFly__) 1348 getmicrouptime(&tv); 1349 #endif 1350 1351 MGETHDR (m, MB_DONTWAIT, MT_DATA); 1352 if (! m) 1353 return; 1354 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1355 m->m_pkthdr.rcvif = 0; 1356 1357 h = mtod (m, struct ppp_header*); 1358 h->address = CISCO_MULTICAST; 1359 h->control = 0; 1360 h->protocol = htons (CISCO_KEEPALIVE); 1361 1362 ch = (struct cisco_packet*) (h + 1); 1363 ch->type = htonl (type); 1364 ch->par1 = htonl (par1); 1365 ch->par2 = htonl (par2); 1366 ch->rel = -1; 1367 1368 #if defined(__DragonFly__) 1369 ch->time0 = htons ((u_short) (tv.tv_sec >> 16)); 1370 ch->time1 = htons ((u_short) tv.tv_sec); 1371 #else 1372 ch->time0 = htons ((u_short) (t >> 16)); 1373 ch->time1 = htons ((u_short) t); 1374 #endif 1375 1376 if (debug) 1377 log(LOG_DEBUG, 1378 SPP_FMT "cisco output: <0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n", 1379 SPP_ARGS(ifp), (u_long)ntohl (ch->type), (u_long)ch->par1, 1380 (u_long)ch->par2, (u_int)ch->rel, (u_int)ch->time0, (u_int)ch->time1); 1381 1382 if (IF_QFULL (&sp->pp_cpq)) { 1383 IF_DROP (&sp->pp_fastq); 1384 IF_DROP (&ifp->if_snd); 1385 m_freem (m); 1386 } else 1387 IF_ENQUEUE (&sp->pp_cpq, m); 1388 if (! (ifp->if_flags & IFF_OACTIVE)) 1389 (*ifp->if_start) (ifp); 1390 ifp->if_obytes += m->m_pkthdr.len + 3; 1391 } 1392 1393 /* 1394 * PPP protocol implementation. 1395 */ 1396 1397 /* 1398 * Send PPP control protocol packet. 1399 */ 1400 static void 1401 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1402 u_char ident, u_short len, void *data) 1403 { 1404 STDDCL; 1405 struct ppp_header *h; 1406 struct lcp_header *lh; 1407 struct mbuf *m; 1408 1409 if (len > MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN) 1410 len = MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN; 1411 MGETHDR (m, MB_DONTWAIT, MT_DATA); 1412 if (! m) 1413 return; 1414 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + LCP_HEADER_LEN + len; 1415 m->m_pkthdr.rcvif = 0; 1416 1417 h = mtod (m, struct ppp_header*); 1418 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1419 h->control = PPP_UI; /* Unnumbered Info */ 1420 h->protocol = htons (proto); /* Link Control Protocol */ 1421 1422 lh = (struct lcp_header*) (h + 1); 1423 lh->type = type; 1424 lh->ident = ident; 1425 lh->len = htons (LCP_HEADER_LEN + len); 1426 if (len) 1427 bcopy (data, lh+1, len); 1428 1429 if (debug) { 1430 log(LOG_DEBUG, SPP_FMT "%s output <%s id=0x%x len=%d", 1431 SPP_ARGS(ifp), 1432 sppp_proto_name(proto), 1433 sppp_cp_type_name (lh->type), lh->ident, 1434 ntohs (lh->len)); 1435 sppp_print_bytes ((u_char*) (lh+1), len); 1436 log(-1, ">\n"); 1437 } 1438 if (IF_QFULL (&sp->pp_cpq)) { 1439 IF_DROP (&sp->pp_fastq); 1440 IF_DROP (&ifp->if_snd); 1441 m_freem (m); 1442 ++ifp->if_oerrors; 1443 } else 1444 IF_ENQUEUE (&sp->pp_cpq, m); 1445 if (! (ifp->if_flags & IFF_OACTIVE)) 1446 (*ifp->if_start) (ifp); 1447 ifp->if_obytes += m->m_pkthdr.len + 3; 1448 } 1449 1450 /* 1451 * Handle incoming PPP control protocol packets. 1452 */ 1453 static void 1454 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1455 { 1456 STDDCL; 1457 struct lcp_header *h; 1458 int printlen, len = m->m_pkthdr.len; 1459 int rv; 1460 u_char *p; 1461 1462 if (len < 4) { 1463 if (debug) 1464 log(LOG_DEBUG, 1465 SPP_FMT "%s invalid packet length: %d bytes\n", 1466 SPP_ARGS(ifp), cp->name, len); 1467 return; 1468 } 1469 h = mtod (m, struct lcp_header*); 1470 if (debug) { 1471 printlen = ntohs(h->len); 1472 log(LOG_DEBUG, 1473 SPP_FMT "%s input(%s): <%s id=0x%x len=%d", 1474 SPP_ARGS(ifp), cp->name, 1475 sppp_state_name(sp->state[cp->protoidx]), 1476 sppp_cp_type_name (h->type), h->ident, printlen); 1477 if (len < printlen) 1478 printlen = len; 1479 if (printlen > 4) 1480 sppp_print_bytes ((u_char*) (h+1), printlen - 4); 1481 log(-1, ">\n"); 1482 } 1483 if (len > ntohs (h->len)) 1484 len = ntohs (h->len); 1485 p = (u_char *)(h + 1); 1486 switch (h->type) { 1487 case CONF_REQ: 1488 if (len < 4) { 1489 if (debug) 1490 log(-1, SPP_FMT "%s invalid conf-req length %d\n", 1491 SPP_ARGS(ifp), cp->name, 1492 len); 1493 ++ifp->if_ierrors; 1494 break; 1495 } 1496 /* handle states where RCR doesn't get a SCA/SCN */ 1497 switch (sp->state[cp->protoidx]) { 1498 case STATE_CLOSING: 1499 case STATE_STOPPING: 1500 return; 1501 case STATE_CLOSED: 1502 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1503 0, 0); 1504 return; 1505 } 1506 rv = (cp->RCR)(sp, h, len); 1507 if (rv < 0) { 1508 /* fatal error, shut down */ 1509 (cp->tld)(sp); 1510 sppp_lcp_tlf(sp); 1511 return; 1512 } 1513 switch (sp->state[cp->protoidx]) { 1514 case STATE_OPENED: 1515 (cp->tld)(sp); 1516 (cp->scr)(sp); 1517 /* fall through... */ 1518 case STATE_ACK_SENT: 1519 case STATE_REQ_SENT: 1520 /* 1521 * sppp_cp_change_state() have the side effect of 1522 * restarting the timeouts. We want to avoid that 1523 * if the state don't change, otherwise we won't 1524 * ever timeout and resend a configuration request 1525 * that got lost. 1526 */ 1527 if (sp->state[cp->protoidx] == (rv ? STATE_ACK_SENT: 1528 STATE_REQ_SENT)) 1529 break; 1530 sppp_cp_change_state(cp, sp, rv? 1531 STATE_ACK_SENT: STATE_REQ_SENT); 1532 break; 1533 case STATE_STOPPED: 1534 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1535 (cp->scr)(sp); 1536 sppp_cp_change_state(cp, sp, rv? 1537 STATE_ACK_SENT: STATE_REQ_SENT); 1538 break; 1539 case STATE_ACK_RCVD: 1540 if (rv) { 1541 sppp_cp_change_state(cp, sp, STATE_OPENED); 1542 if (debug) 1543 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 1544 SPP_ARGS(ifp), 1545 cp->name); 1546 (cp->tlu)(sp); 1547 } else 1548 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1549 break; 1550 default: 1551 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1552 SPP_ARGS(ifp), cp->name, 1553 sppp_cp_type_name(h->type), 1554 sppp_state_name(sp->state[cp->protoidx])); 1555 ++ifp->if_ierrors; 1556 } 1557 break; 1558 case CONF_ACK: 1559 if (h->ident != sp->confid[cp->protoidx]) { 1560 if (debug) 1561 log(-1, SPP_FMT "%s id mismatch 0x%x != 0x%x\n", 1562 SPP_ARGS(ifp), cp->name, 1563 h->ident, sp->confid[cp->protoidx]); 1564 ++ifp->if_ierrors; 1565 break; 1566 } 1567 switch (sp->state[cp->protoidx]) { 1568 case STATE_CLOSED: 1569 case STATE_STOPPED: 1570 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1571 break; 1572 case STATE_CLOSING: 1573 case STATE_STOPPING: 1574 break; 1575 case STATE_REQ_SENT: 1576 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1577 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1578 break; 1579 case STATE_OPENED: 1580 (cp->tld)(sp); 1581 /* fall through */ 1582 case STATE_ACK_RCVD: 1583 (cp->scr)(sp); 1584 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1585 break; 1586 case STATE_ACK_SENT: 1587 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1588 sppp_cp_change_state(cp, sp, STATE_OPENED); 1589 if (debug) 1590 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 1591 SPP_ARGS(ifp), cp->name); 1592 (cp->tlu)(sp); 1593 break; 1594 default: 1595 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1596 SPP_ARGS(ifp), cp->name, 1597 sppp_cp_type_name(h->type), 1598 sppp_state_name(sp->state[cp->protoidx])); 1599 ++ifp->if_ierrors; 1600 } 1601 break; 1602 case CONF_NAK: 1603 case CONF_REJ: 1604 if (h->ident != sp->confid[cp->protoidx]) { 1605 if (debug) 1606 log(-1, SPP_FMT "%s id mismatch 0x%x != 0x%x\n", 1607 SPP_ARGS(ifp), cp->name, 1608 h->ident, sp->confid[cp->protoidx]); 1609 ++ifp->if_ierrors; 1610 break; 1611 } 1612 if (h->type == CONF_NAK) 1613 (cp->RCN_nak)(sp, h, len); 1614 else /* CONF_REJ */ 1615 (cp->RCN_rej)(sp, h, len); 1616 1617 switch (sp->state[cp->protoidx]) { 1618 case STATE_CLOSED: 1619 case STATE_STOPPED: 1620 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1621 break; 1622 case STATE_REQ_SENT: 1623 case STATE_ACK_SENT: 1624 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1625 /* 1626 * Slow things down a bit if we think we might be 1627 * in loopback. Depend on the timeout to send the 1628 * next configuration request. 1629 */ 1630 if (sp->pp_loopcnt) 1631 break; 1632 (cp->scr)(sp); 1633 break; 1634 case STATE_OPENED: 1635 (cp->tld)(sp); 1636 /* fall through */ 1637 case STATE_ACK_RCVD: 1638 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1639 (cp->scr)(sp); 1640 break; 1641 case STATE_CLOSING: 1642 case STATE_STOPPING: 1643 break; 1644 default: 1645 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1646 SPP_ARGS(ifp), cp->name, 1647 sppp_cp_type_name(h->type), 1648 sppp_state_name(sp->state[cp->protoidx])); 1649 ++ifp->if_ierrors; 1650 } 1651 break; 1652 1653 case TERM_REQ: 1654 switch (sp->state[cp->protoidx]) { 1655 case STATE_ACK_RCVD: 1656 case STATE_ACK_SENT: 1657 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1658 /* fall through */ 1659 case STATE_CLOSED: 1660 case STATE_STOPPED: 1661 case STATE_CLOSING: 1662 case STATE_STOPPING: 1663 case STATE_REQ_SENT: 1664 sta: 1665 /* Send Terminate-Ack packet. */ 1666 if (debug) 1667 log(LOG_DEBUG, SPP_FMT "%s send terminate-ack\n", 1668 SPP_ARGS(ifp), cp->name); 1669 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1670 break; 1671 case STATE_OPENED: 1672 (cp->tld)(sp); 1673 sp->rst_counter[cp->protoidx] = 0; 1674 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1675 goto sta; 1676 break; 1677 default: 1678 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1679 SPP_ARGS(ifp), cp->name, 1680 sppp_cp_type_name(h->type), 1681 sppp_state_name(sp->state[cp->protoidx])); 1682 ++ifp->if_ierrors; 1683 } 1684 break; 1685 case TERM_ACK: 1686 switch (sp->state[cp->protoidx]) { 1687 case STATE_CLOSED: 1688 case STATE_STOPPED: 1689 case STATE_REQ_SENT: 1690 case STATE_ACK_SENT: 1691 break; 1692 case STATE_CLOSING: 1693 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1694 (cp->tlf)(sp); 1695 break; 1696 case STATE_STOPPING: 1697 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1698 (cp->tlf)(sp); 1699 break; 1700 case STATE_ACK_RCVD: 1701 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1702 break; 1703 case STATE_OPENED: 1704 (cp->tld)(sp); 1705 (cp->scr)(sp); 1706 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1707 break; 1708 default: 1709 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1710 SPP_ARGS(ifp), cp->name, 1711 sppp_cp_type_name(h->type), 1712 sppp_state_name(sp->state[cp->protoidx])); 1713 ++ifp->if_ierrors; 1714 } 1715 break; 1716 case CODE_REJ: 1717 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1718 log(LOG_INFO, 1719 SPP_FMT "%s: ignoring RXJ (%s) for proto 0x%x, " 1720 "danger will robinson\n", 1721 SPP_ARGS(ifp), cp->name, 1722 sppp_cp_type_name(h->type), ntohs(*((u_short *)p))); 1723 switch (sp->state[cp->protoidx]) { 1724 case STATE_CLOSED: 1725 case STATE_STOPPED: 1726 case STATE_REQ_SENT: 1727 case STATE_ACK_SENT: 1728 case STATE_CLOSING: 1729 case STATE_STOPPING: 1730 case STATE_OPENED: 1731 break; 1732 case STATE_ACK_RCVD: 1733 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1734 break; 1735 default: 1736 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1737 SPP_ARGS(ifp), cp->name, 1738 sppp_cp_type_name(h->type), 1739 sppp_state_name(sp->state[cp->protoidx])); 1740 ++ifp->if_ierrors; 1741 } 1742 break; 1743 case PROTO_REJ: 1744 { 1745 int catastrophic; 1746 const struct cp *upper; 1747 int i; 1748 u_int16_t proto; 1749 1750 catastrophic = 0; 1751 upper = NULL; 1752 proto = ntohs(*((u_int16_t *)p)); 1753 for (i = 0; i < IDX_COUNT; i++) { 1754 if (cps[i]->proto == proto) { 1755 upper = cps[i]; 1756 break; 1757 } 1758 } 1759 if (upper == NULL) 1760 catastrophic++; 1761 1762 if (catastrophic || debug) 1763 log(catastrophic? LOG_INFO: LOG_DEBUG, 1764 SPP_FMT "%s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1765 SPP_ARGS(ifp), cp->name, catastrophic ? '-' : '+', 1766 sppp_cp_type_name(h->type), proto, 1767 upper ? upper->name : "unknown", 1768 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1769 1770 /* 1771 * if we got RXJ+ against conf-req, the peer does not implement 1772 * this particular protocol type. terminate the protocol. 1773 */ 1774 if (upper && !catastrophic) { 1775 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1776 upper->Close(sp); 1777 break; 1778 } 1779 } 1780 1781 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1782 switch (sp->state[cp->protoidx]) { 1783 case STATE_CLOSED: 1784 case STATE_STOPPED: 1785 case STATE_REQ_SENT: 1786 case STATE_ACK_SENT: 1787 case STATE_CLOSING: 1788 case STATE_STOPPING: 1789 case STATE_OPENED: 1790 break; 1791 case STATE_ACK_RCVD: 1792 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1793 break; 1794 default: 1795 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1796 SPP_ARGS(ifp), cp->name, 1797 sppp_cp_type_name(h->type), 1798 sppp_state_name(sp->state[cp->protoidx])); 1799 ++ifp->if_ierrors; 1800 } 1801 break; 1802 } 1803 case DISC_REQ: 1804 if (cp->proto != PPP_LCP) 1805 goto illegal; 1806 /* Discard the packet. */ 1807 break; 1808 case ECHO_REQ: 1809 if (cp->proto != PPP_LCP) 1810 goto illegal; 1811 if (sp->state[cp->protoidx] != STATE_OPENED) { 1812 if (debug) 1813 log(-1, SPP_FMT "lcp echo req but lcp closed\n", 1814 SPP_ARGS(ifp)); 1815 ++ifp->if_ierrors; 1816 break; 1817 } 1818 if (len < 8) { 1819 if (debug) 1820 log(-1, SPP_FMT "invalid lcp echo request " 1821 "packet length: %d bytes\n", 1822 SPP_ARGS(ifp), len); 1823 break; 1824 } 1825 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 1826 ntohl (*(long*)(h+1)) == sp->lcp.magic) { 1827 /* Line loopback mode detected. */ 1828 kprintf(SPP_FMT "loopback\n", SPP_ARGS(ifp)); 1829 sp->pp_loopcnt = MAXALIVECNT * 5; 1830 if_down (ifp); 1831 IF_DRAIN(&sp->pp_cpq); 1832 1833 /* Shut down the PPP link. */ 1834 /* XXX */ 1835 lcp.Down(sp); 1836 lcp.Up(sp); 1837 break; 1838 } 1839 *(long*)(h+1) = htonl (sp->lcp.magic); 1840 if (debug) 1841 log(-1, SPP_FMT "got lcp echo req, sending echo rep\n", 1842 SPP_ARGS(ifp)); 1843 sppp_cp_send (sp, PPP_LCP, ECHO_REPLY, h->ident, len-4, h+1); 1844 break; 1845 case ECHO_REPLY: 1846 if (cp->proto != PPP_LCP) 1847 goto illegal; 1848 if (h->ident != sp->lcp.echoid) { 1849 ++ifp->if_ierrors; 1850 break; 1851 } 1852 if (len < 8) { 1853 if (debug) 1854 log(-1, SPP_FMT "lcp invalid echo reply " 1855 "packet length: %d bytes\n", 1856 SPP_ARGS(ifp), len); 1857 break; 1858 } 1859 if (debug) 1860 log(-1, SPP_FMT "lcp got echo rep\n", 1861 SPP_ARGS(ifp)); 1862 if (!(sp->lcp.opts & (1 << LCP_OPT_MAGIC)) || 1863 ntohl (*(long*)(h+1)) != sp->lcp.magic) 1864 sp->pp_alivecnt = 0; 1865 break; 1866 default: 1867 /* Unknown packet type -- send Code-Reject packet. */ 1868 illegal: 1869 if (debug) 1870 log(-1, SPP_FMT "%s send code-rej for 0x%x\n", 1871 SPP_ARGS(ifp), cp->name, h->type); 1872 sppp_cp_send(sp, cp->proto, CODE_REJ, 1873 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1874 ++ifp->if_ierrors; 1875 } 1876 } 1877 1878 1879 /* 1880 * The generic part of all Up/Down/Open/Close/TO event handlers. 1881 * Basically, the state transition handling in the automaton. 1882 */ 1883 static void 1884 sppp_up_event(const struct cp *cp, struct sppp *sp) 1885 { 1886 STDDCL; 1887 1888 if (debug) 1889 log(LOG_DEBUG, SPP_FMT "%s up(%s)\n", 1890 SPP_ARGS(ifp), cp->name, 1891 sppp_state_name(sp->state[cp->protoidx])); 1892 1893 switch (sp->state[cp->protoidx]) { 1894 case STATE_INITIAL: 1895 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1896 break; 1897 case STATE_STARTING: 1898 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1899 (cp->scr)(sp); 1900 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1901 break; 1902 default: 1903 kprintf(SPP_FMT "%s illegal up in state %s\n", 1904 SPP_ARGS(ifp), cp->name, 1905 sppp_state_name(sp->state[cp->protoidx])); 1906 } 1907 } 1908 1909 static void 1910 sppp_down_event(const struct cp *cp, struct sppp *sp) 1911 { 1912 STDDCL; 1913 1914 if (debug) 1915 log(LOG_DEBUG, SPP_FMT "%s down(%s)\n", 1916 SPP_ARGS(ifp), cp->name, 1917 sppp_state_name(sp->state[cp->protoidx])); 1918 1919 switch (sp->state[cp->protoidx]) { 1920 case STATE_CLOSED: 1921 case STATE_CLOSING: 1922 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1923 break; 1924 case STATE_STOPPED: 1925 sppp_cp_change_state(cp, sp, STATE_STARTING); 1926 (cp->tls)(sp); 1927 break; 1928 case STATE_STOPPING: 1929 case STATE_REQ_SENT: 1930 case STATE_ACK_RCVD: 1931 case STATE_ACK_SENT: 1932 sppp_cp_change_state(cp, sp, STATE_STARTING); 1933 break; 1934 case STATE_OPENED: 1935 (cp->tld)(sp); 1936 sppp_cp_change_state(cp, sp, STATE_STARTING); 1937 break; 1938 default: 1939 kprintf(SPP_FMT "%s illegal down in state %s\n", 1940 SPP_ARGS(ifp), cp->name, 1941 sppp_state_name(sp->state[cp->protoidx])); 1942 } 1943 } 1944 1945 1946 static void 1947 sppp_open_event(const struct cp *cp, struct sppp *sp) 1948 { 1949 STDDCL; 1950 1951 if (debug) 1952 log(LOG_DEBUG, SPP_FMT "%s open(%s)\n", 1953 SPP_ARGS(ifp), cp->name, 1954 sppp_state_name(sp->state[cp->protoidx])); 1955 1956 switch (sp->state[cp->protoidx]) { 1957 case STATE_INITIAL: 1958 sppp_cp_change_state(cp, sp, STATE_STARTING); 1959 (cp->tls)(sp); 1960 break; 1961 case STATE_STARTING: 1962 break; 1963 case STATE_CLOSED: 1964 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1965 (cp->scr)(sp); 1966 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1967 break; 1968 case STATE_STOPPED: 1969 /* 1970 * Try escaping stopped state. This seems to bite 1971 * people occasionally, in particular for IPCP, 1972 * presumably following previous IPCP negotiation 1973 * aborts. Somehow, we must have missed a Down event 1974 * which would have caused a transition into starting 1975 * state, so as a bandaid we force the Down event now. 1976 * This effectively implements (something like the) 1977 * `restart' option mentioned in the state transition 1978 * table of RFC 1661. 1979 */ 1980 sppp_cp_change_state(cp, sp, STATE_STARTING); 1981 (cp->tls)(sp); 1982 break; 1983 case STATE_STOPPING: 1984 case STATE_REQ_SENT: 1985 case STATE_ACK_RCVD: 1986 case STATE_ACK_SENT: 1987 case STATE_OPENED: 1988 break; 1989 case STATE_CLOSING: 1990 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1991 break; 1992 } 1993 } 1994 1995 1996 static void 1997 sppp_close_event(const struct cp *cp, struct sppp *sp) 1998 { 1999 STDDCL; 2000 2001 if (debug) 2002 log(LOG_DEBUG, SPP_FMT "%s close(%s)\n", 2003 SPP_ARGS(ifp), cp->name, 2004 sppp_state_name(sp->state[cp->protoidx])); 2005 2006 switch (sp->state[cp->protoidx]) { 2007 case STATE_INITIAL: 2008 case STATE_CLOSED: 2009 case STATE_CLOSING: 2010 break; 2011 case STATE_STARTING: 2012 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2013 (cp->tlf)(sp); 2014 break; 2015 case STATE_STOPPED: 2016 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2017 break; 2018 case STATE_STOPPING: 2019 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2020 break; 2021 case STATE_OPENED: 2022 (cp->tld)(sp); 2023 /* fall through */ 2024 case STATE_REQ_SENT: 2025 case STATE_ACK_RCVD: 2026 case STATE_ACK_SENT: 2027 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 2028 sppp_cp_send(sp, cp->proto, TERM_REQ, 2029 ++sp->pp_seq[cp->protoidx], 0, 0); 2030 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2031 break; 2032 } 2033 } 2034 2035 static void 2036 sppp_to_event(const struct cp *cp, struct sppp *sp) 2037 { 2038 STDDCL; 2039 2040 crit_enter(); 2041 2042 if (debug) 2043 log(LOG_DEBUG, SPP_FMT "%s TO(%s) rst_counter = %d\n", 2044 SPP_ARGS(ifp), cp->name, 2045 sppp_state_name(sp->state[cp->protoidx]), 2046 sp->rst_counter[cp->protoidx]); 2047 2048 if (--sp->rst_counter[cp->protoidx] < 0) 2049 /* TO- event */ 2050 switch (sp->state[cp->protoidx]) { 2051 case STATE_CLOSING: 2052 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2053 (cp->tlf)(sp); 2054 break; 2055 case STATE_STOPPING: 2056 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2057 (cp->tlf)(sp); 2058 break; 2059 case STATE_REQ_SENT: 2060 case STATE_ACK_RCVD: 2061 case STATE_ACK_SENT: 2062 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2063 (cp->tlf)(sp); 2064 break; 2065 } 2066 else 2067 /* TO+ event */ 2068 switch (sp->state[cp->protoidx]) { 2069 case STATE_CLOSING: 2070 case STATE_STOPPING: 2071 sppp_cp_send(sp, cp->proto, TERM_REQ, 2072 ++sp->pp_seq[cp->protoidx], 0, 0); 2073 callout_reset(&sp->timeout[cp->protoidx], 2074 sp->lcp.timeout, cp->TO, sp); 2075 break; 2076 case STATE_REQ_SENT: 2077 case STATE_ACK_RCVD: 2078 (cp->scr)(sp); 2079 /* sppp_cp_change_state() will restart the timer */ 2080 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2081 break; 2082 case STATE_ACK_SENT: 2083 (cp->scr)(sp); 2084 callout_reset(&sp->timeout[cp->protoidx], 2085 sp->lcp.timeout, cp->TO, sp); 2086 break; 2087 } 2088 2089 crit_exit(); 2090 } 2091 2092 /* 2093 * Change the state of a control protocol in the state automaton. 2094 * Takes care of starting/stopping the restart timer. 2095 */ 2096 void 2097 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2098 { 2099 sp->state[cp->protoidx] = newstate; 2100 callout_stop(&sp->timeout[cp->protoidx]); 2101 2102 switch (newstate) { 2103 case STATE_INITIAL: 2104 case STATE_STARTING: 2105 case STATE_CLOSED: 2106 case STATE_STOPPED: 2107 case STATE_OPENED: 2108 break; 2109 case STATE_CLOSING: 2110 case STATE_STOPPING: 2111 case STATE_REQ_SENT: 2112 case STATE_ACK_RCVD: 2113 case STATE_ACK_SENT: 2114 callout_reset(&sp->timeout[cp->protoidx], 2115 sp->lcp.timeout, cp->TO, sp); 2116 break; 2117 } 2118 } 2119 2120 /* 2121 *--------------------------------------------------------------------------* 2122 * * 2123 * The LCP implementation. * 2124 * * 2125 *--------------------------------------------------------------------------* 2126 */ 2127 static void 2128 sppp_lcp_init(struct sppp *sp) 2129 { 2130 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2131 sp->lcp.magic = 0; 2132 sp->state[IDX_LCP] = STATE_INITIAL; 2133 sp->fail_counter[IDX_LCP] = 0; 2134 sp->pp_seq[IDX_LCP] = 0; 2135 sp->pp_rseq[IDX_LCP] = 0; 2136 sp->lcp.protos = 0; 2137 sp->lcp.mru = sp->lcp.their_mru = PP_MTU; 2138 2139 /* Note that these values are relevant for all control protocols */ 2140 sp->lcp.timeout = 3 * hz; 2141 sp->lcp.max_terminate = 2; 2142 sp->lcp.max_configure = 10; 2143 sp->lcp.max_failure = 10; 2144 #if defined(__DragonFly__) 2145 callout_init(&sp->timeout[IDX_LCP]); 2146 #endif 2147 } 2148 2149 static void 2150 sppp_lcp_up(struct sppp *sp) 2151 { 2152 STDDCL; 2153 2154 sp->pp_alivecnt = 0; 2155 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2156 sp->lcp.magic = 0; 2157 sp->lcp.protos = 0; 2158 sp->lcp.mru = sp->lcp.their_mru = PP_MTU; 2159 /* 2160 * If this interface is passive or dial-on-demand, and we are 2161 * still in Initial state, it means we've got an incoming 2162 * call. Activate the interface. 2163 */ 2164 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2165 if (debug) 2166 log(LOG_DEBUG, 2167 SPP_FMT "Up event", SPP_ARGS(ifp)); 2168 ifp->if_flags |= IFF_RUNNING; 2169 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2170 if (debug) 2171 log(-1, "(incoming call)\n"); 2172 sp->pp_flags |= PP_CALLIN; 2173 lcp.Open(sp); 2174 } else if (debug) 2175 log(-1, "\n"); 2176 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2177 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2178 ifp->if_flags |= IFF_RUNNING; 2179 lcp.Open(sp); 2180 } 2181 2182 sppp_up_event(&lcp, sp); 2183 } 2184 2185 static void 2186 sppp_lcp_down(struct sppp *sp) 2187 { 2188 STDDCL; 2189 2190 sppp_down_event(&lcp, sp); 2191 2192 /* 2193 * If this is neither a dial-on-demand nor a passive 2194 * interface, simulate an ``ifconfig down'' action, so the 2195 * administrator can force a redial by another ``ifconfig 2196 * up''. XXX For leased line operation, should we immediately 2197 * try to reopen the connection here? 2198 */ 2199 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2200 log(LOG_INFO, 2201 SPP_FMT "Down event, taking interface down.\n", 2202 SPP_ARGS(ifp)); 2203 if_down(ifp); 2204 } else { 2205 if (debug) 2206 log(LOG_DEBUG, 2207 SPP_FMT "Down event (carrier loss)\n", 2208 SPP_ARGS(ifp)); 2209 sp->pp_flags &= ~PP_CALLIN; 2210 if (sp->state[IDX_LCP] != STATE_INITIAL) 2211 lcp.Close(sp); 2212 ifp->if_flags &= ~IFF_RUNNING; 2213 } 2214 } 2215 2216 static void 2217 sppp_lcp_open(struct sppp *sp) 2218 { 2219 /* 2220 * If we are authenticator, negotiate LCP_AUTH 2221 */ 2222 if (sp->hisauth.proto != 0) 2223 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2224 else 2225 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2226 sp->pp_flags &= ~PP_NEEDAUTH; 2227 sppp_open_event(&lcp, sp); 2228 } 2229 2230 static void 2231 sppp_lcp_close(struct sppp *sp) 2232 { 2233 sppp_close_event(&lcp, sp); 2234 } 2235 2236 static void 2237 sppp_lcp_TO(void *cookie) 2238 { 2239 sppp_to_event(&lcp, (struct sppp *)cookie); 2240 } 2241 2242 /* 2243 * Analyze a configure request. Return true if it was agreeable, and 2244 * caused action sca, false if it has been rejected or nak'ed, and 2245 * caused action scn. (The return value is used to make the state 2246 * transition decision in the state automaton.) 2247 */ 2248 static int 2249 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2250 { 2251 STDDCL; 2252 u_char *buf, *r, *p; 2253 int origlen, rlen; 2254 u_long nmagic; 2255 u_short authproto; 2256 2257 len -= 4; 2258 origlen = len; 2259 buf = r = kmalloc (len, M_TEMP, M_INTWAIT); 2260 2261 if (debug) 2262 log(LOG_DEBUG, SPP_FMT "lcp parse opts: ", 2263 SPP_ARGS(ifp)); 2264 2265 /* pass 1: check for things that need to be rejected */ 2266 p = (void*) (h+1); 2267 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2268 /* Sanity check option length */ 2269 if (p[1] > len) { 2270 /* Malicious option - drop immediately. 2271 * XXX Maybe we should just RXJ it? 2272 */ 2273 log(-1, "%s: received malicious LCP option 0x%02x, " 2274 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2275 p[0], p[1], len); 2276 goto drop; 2277 } 2278 if (debug) 2279 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2280 switch (*p) { 2281 case LCP_OPT_MAGIC: 2282 /* Magic number. */ 2283 if (len >= 6 && p[1] == 6) 2284 continue; 2285 if (debug) 2286 log(-1, "[invalid] "); 2287 break; 2288 case LCP_OPT_ASYNC_MAP: 2289 /* Async control character map. */ 2290 if (len >= 6 && p[1] == 6) 2291 continue; 2292 if (debug) 2293 log(-1, "[invalid] "); 2294 break; 2295 case LCP_OPT_MRU: 2296 /* Maximum receive unit. */ 2297 if (len >= 4 && p[1] == 4) 2298 continue; 2299 if (debug) 2300 log(-1, "[invalid] "); 2301 break; 2302 case LCP_OPT_AUTH_PROTO: 2303 if (len < 4) { 2304 if (debug) 2305 log(-1, "[invalid] "); 2306 break; 2307 } 2308 authproto = (p[2] << 8) + p[3]; 2309 if (authproto == PPP_CHAP && p[1] != 5) { 2310 if (debug) 2311 log(-1, "[invalid chap len] "); 2312 break; 2313 } 2314 if (sp->myauth.proto == 0) { 2315 /* we are not configured to do auth */ 2316 if (debug) 2317 log(-1, "[not configured] "); 2318 break; 2319 } 2320 /* 2321 * Remote want us to authenticate, remember this, 2322 * so we stay in PHASE_AUTHENTICATE after LCP got 2323 * up. 2324 */ 2325 sp->pp_flags |= PP_NEEDAUTH; 2326 continue; 2327 default: 2328 /* Others not supported. */ 2329 if (debug) 2330 log(-1, "[rej] "); 2331 break; 2332 } 2333 /* Add the option to rejected list. */ 2334 bcopy (p, r, p[1]); 2335 r += p[1]; 2336 rlen += p[1]; 2337 } 2338 if (rlen) { 2339 if (debug) 2340 log(-1, " send conf-rej\n"); 2341 sppp_cp_send (sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2342 return 0; 2343 } else if (debug) 2344 log(-1, "\n"); 2345 2346 /* 2347 * pass 2: check for option values that are unacceptable and 2348 * thus require to be nak'ed. 2349 */ 2350 if (debug) 2351 log(LOG_DEBUG, SPP_FMT "lcp parse opt values: ", 2352 SPP_ARGS(ifp)); 2353 2354 p = (void*) (h+1); 2355 len = origlen; 2356 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2357 if (debug) 2358 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2359 switch (*p) { 2360 case LCP_OPT_MAGIC: 2361 /* Magic number -- extract. */ 2362 nmagic = (u_long)p[2] << 24 | 2363 (u_long)p[3] << 16 | p[4] << 8 | p[5]; 2364 if (nmagic != sp->lcp.magic) { 2365 sp->pp_loopcnt = 0; 2366 if (debug) 2367 log(-1, "0x%lx ", nmagic); 2368 continue; 2369 } 2370 if (debug && sp->pp_loopcnt < MAXALIVECNT*5) 2371 log(-1, "[glitch] "); 2372 ++sp->pp_loopcnt; 2373 /* 2374 * We negate our magic here, and NAK it. If 2375 * we see it later in an NAK packet, we 2376 * suggest a new one. 2377 */ 2378 nmagic = ~sp->lcp.magic; 2379 /* Gonna NAK it. */ 2380 p[2] = nmagic >> 24; 2381 p[3] = nmagic >> 16; 2382 p[4] = nmagic >> 8; 2383 p[5] = nmagic; 2384 break; 2385 2386 case LCP_OPT_ASYNC_MAP: 2387 /* 2388 * Async control character map -- just ignore it. 2389 * 2390 * Quote from RFC 1662, chapter 6: 2391 * To enable this functionality, synchronous PPP 2392 * implementations MUST always respond to the 2393 * Async-Control-Character-Map Configuration 2394 * Option with the LCP Configure-Ack. However, 2395 * acceptance of the Configuration Option does 2396 * not imply that the synchronous implementation 2397 * will do any ACCM mapping. Instead, all such 2398 * octet mapping will be performed by the 2399 * asynchronous-to-synchronous converter. 2400 */ 2401 continue; 2402 2403 case LCP_OPT_MRU: 2404 /* 2405 * Maximum receive unit. Always agreeable, 2406 * but ignored by now. 2407 */ 2408 sp->lcp.their_mru = p[2] * 256 + p[3]; 2409 if (debug) 2410 log(-1, "%lu ", sp->lcp.their_mru); 2411 continue; 2412 2413 case LCP_OPT_AUTH_PROTO: 2414 authproto = (p[2] << 8) + p[3]; 2415 if (sp->myauth.proto != authproto) { 2416 /* not agreed, nak */ 2417 if (debug) 2418 log(-1, "[mine %s != his %s] ", 2419 sppp_proto_name(sp->hisauth.proto), 2420 sppp_proto_name(authproto)); 2421 p[2] = sp->myauth.proto >> 8; 2422 p[3] = sp->myauth.proto; 2423 break; 2424 } 2425 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2426 if (debug) 2427 log(-1, "[chap not MD5] "); 2428 p[4] = CHAP_MD5; 2429 break; 2430 } 2431 continue; 2432 } 2433 /* Add the option to nak'ed list. */ 2434 bcopy (p, r, p[1]); 2435 r += p[1]; 2436 rlen += p[1]; 2437 } 2438 if (rlen) { 2439 /* 2440 * Local and remote magics equal -- loopback? 2441 */ 2442 if (sp->pp_loopcnt >= MAXALIVECNT*5) { 2443 if (sp->pp_loopcnt == MAXALIVECNT*5) 2444 kprintf (SPP_FMT "loopback\n", 2445 SPP_ARGS(ifp)); 2446 if (ifp->if_flags & IFF_UP) { 2447 if_down(ifp); 2448 IF_DRAIN(&sp->pp_cpq); 2449 /* XXX ? */ 2450 lcp.Down(sp); 2451 lcp.Up(sp); 2452 } 2453 } else if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2454 if (debug) 2455 log(-1, " max_failure (%d) exceeded, " 2456 "send conf-rej\n", 2457 sp->lcp.max_failure); 2458 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2459 } else { 2460 if (debug) 2461 log(-1, " send conf-nak\n"); 2462 sppp_cp_send (sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2463 } 2464 } else { 2465 if (debug) 2466 log(-1, " send conf-ack\n"); 2467 sp->fail_counter[IDX_LCP] = 0; 2468 sp->pp_loopcnt = 0; 2469 sppp_cp_send (sp, PPP_LCP, CONF_ACK, 2470 h->ident, origlen, h+1); 2471 } 2472 2473 kfree (buf, M_TEMP); 2474 return (rlen == 0); 2475 2476 drop: 2477 kfree(buf, M_TEMP); 2478 return (-1); 2479 } 2480 2481 /* 2482 * Analyze the LCP Configure-Reject option list, and adjust our 2483 * negotiation. 2484 */ 2485 static void 2486 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2487 { 2488 STDDCL; 2489 u_char *buf, *p; 2490 2491 len -= 4; 2492 buf = kmalloc (len, M_TEMP, M_INTWAIT); 2493 2494 if (debug) 2495 log(LOG_DEBUG, SPP_FMT "lcp rej opts: ", 2496 SPP_ARGS(ifp)); 2497 2498 p = (void*) (h+1); 2499 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2500 /* Sanity check option length */ 2501 if (p[1] > len) { 2502 /* 2503 * Malicious option - drop immediately. 2504 * XXX Maybe we should just RXJ it? 2505 */ 2506 log(-1, "%s: received malicious LCP option, " 2507 "dropping.\n", ifp->if_xname); 2508 goto drop; 2509 } 2510 if (debug) 2511 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2512 switch (*p) { 2513 case LCP_OPT_MAGIC: 2514 /* Magic number -- can't use it, use 0 */ 2515 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2516 sp->lcp.magic = 0; 2517 break; 2518 case LCP_OPT_MRU: 2519 /* 2520 * Should not be rejected anyway, since we only 2521 * negotiate a MRU if explicitly requested by 2522 * peer. 2523 */ 2524 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2525 break; 2526 case LCP_OPT_AUTH_PROTO: 2527 /* 2528 * Peer doesn't want to authenticate himself, 2529 * deny unless this is a dialout call, and 2530 * AUTHFLAG_NOCALLOUT is set. 2531 */ 2532 if ((sp->pp_flags & PP_CALLIN) == 0 && 2533 (sp->hisauth.flags & AUTHFLAG_NOCALLOUT) != 0) { 2534 if (debug) 2535 log(-1, "[don't insist on auth " 2536 "for callout]"); 2537 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2538 break; 2539 } 2540 if (debug) 2541 log(-1, "[access denied]\n"); 2542 lcp.Close(sp); 2543 break; 2544 } 2545 } 2546 if (debug) 2547 log(-1, "\n"); 2548 drop: 2549 kfree (buf, M_TEMP); 2550 return; 2551 } 2552 2553 /* 2554 * Analyze the LCP Configure-NAK option list, and adjust our 2555 * negotiation. 2556 */ 2557 static void 2558 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2559 { 2560 STDDCL; 2561 u_char *buf, *p; 2562 u_long magic; 2563 2564 len -= 4; 2565 buf = kmalloc (len, M_TEMP, M_INTWAIT); 2566 2567 if (debug) 2568 log(LOG_DEBUG, SPP_FMT "lcp nak opts: ", 2569 SPP_ARGS(ifp)); 2570 2571 p = (void*) (h+1); 2572 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2573 /* Sanity check option length */ 2574 if (p[1] > len) { 2575 /* 2576 * Malicious option - drop immediately. 2577 * XXX Maybe we should just RXJ it? 2578 */ 2579 log(-1, "%s: received malicious LCP option, " 2580 "dropping.\n", ifp->if_xname); 2581 goto drop; 2582 } 2583 if (debug) 2584 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2585 switch (*p) { 2586 case LCP_OPT_MAGIC: 2587 /* Magic number -- renegotiate */ 2588 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2589 len >= 6 && p[1] == 6) { 2590 magic = (u_long)p[2] << 24 | 2591 (u_long)p[3] << 16 | p[4] << 8 | p[5]; 2592 /* 2593 * If the remote magic is our negated one, 2594 * this looks like a loopback problem. 2595 * Suggest a new magic to make sure. 2596 */ 2597 if (magic == ~sp->lcp.magic) { 2598 if (debug) 2599 log(-1, "magic glitch "); 2600 #if defined(__DragonFly__) 2601 sp->lcp.magic = krandom(); 2602 #else 2603 sp->lcp.magic = time.tv_sec + time.tv_usec; 2604 #endif 2605 } else { 2606 sp->lcp.magic = magic; 2607 if (debug) 2608 log(-1, "%lu ", magic); 2609 } 2610 } 2611 break; 2612 case LCP_OPT_MRU: 2613 /* 2614 * Peer wants to advise us to negotiate an MRU. 2615 * Agree on it if it's reasonable, or use 2616 * default otherwise. 2617 */ 2618 if (len >= 4 && p[1] == 4) { 2619 u_int mru = p[2] * 256 + p[3]; 2620 if (debug) 2621 log(-1, "%d ", mru); 2622 if (mru < PP_MTU || mru > PP_MAX_MRU) 2623 mru = PP_MTU; 2624 sp->lcp.mru = mru; 2625 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2626 } 2627 break; 2628 case LCP_OPT_AUTH_PROTO: 2629 /* 2630 * Peer doesn't like our authentication method, 2631 * deny. 2632 */ 2633 if (debug) 2634 log(-1, "[access denied]\n"); 2635 lcp.Close(sp); 2636 break; 2637 } 2638 } 2639 if (debug) 2640 log(-1, "\n"); 2641 drop: 2642 kfree (buf, M_TEMP); 2643 return; 2644 } 2645 2646 static void 2647 sppp_lcp_tlu(struct sppp *sp) 2648 { 2649 STDDCL; 2650 int i; 2651 u_long mask; 2652 2653 /* XXX ? */ 2654 if (! (ifp->if_flags & IFF_UP) && 2655 (ifp->if_flags & IFF_RUNNING)) { 2656 /* Coming out of loopback mode. */ 2657 if_up(ifp); 2658 kprintf (SPP_FMT "up\n", SPP_ARGS(ifp)); 2659 } 2660 2661 for (i = 0; i < IDX_COUNT; i++) 2662 if ((cps[i])->flags & CP_QUAL) 2663 (cps[i])->Open(sp); 2664 2665 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2666 (sp->pp_flags & PP_NEEDAUTH) != 0) 2667 sp->pp_phase = PHASE_AUTHENTICATE; 2668 else 2669 sp->pp_phase = PHASE_NETWORK; 2670 2671 if (debug) 2672 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2673 sppp_phase_name(sp->pp_phase)); 2674 2675 /* 2676 * Open all authentication protocols. This is even required 2677 * if we already proceeded to network phase, since it might be 2678 * that remote wants us to authenticate, so we might have to 2679 * send a PAP request. Undesired authentication protocols 2680 * don't do anything when they get an Open event. 2681 */ 2682 for (i = 0; i < IDX_COUNT; i++) 2683 if ((cps[i])->flags & CP_AUTH) 2684 (cps[i])->Open(sp); 2685 2686 if (sp->pp_phase == PHASE_NETWORK) { 2687 /* Notify all NCPs. */ 2688 for (i = 0; i < IDX_COUNT; i++) 2689 if (((cps[i])->flags & CP_NCP) && 2690 /* 2691 * XXX 2692 * Hack to administratively disable IPv6 if 2693 * not desired. Perhaps we should have another 2694 * flag for this, but right now, we can make 2695 * all struct cp's read/only. 2696 */ 2697 (cps[i] != &ipv6cp || 2698 (sp->confflags & CONF_ENABLE_IPV6))) 2699 (cps[i])->Open(sp); 2700 } 2701 2702 /* Send Up events to all started protos. */ 2703 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2704 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) 2705 (cps[i])->Up(sp); 2706 2707 /* notify low-level driver of state change */ 2708 if (sp->pp_chg) 2709 sp->pp_chg(sp, (int)sp->pp_phase); 2710 2711 if (sp->pp_phase == PHASE_NETWORK) 2712 /* if no NCP is starting, close down */ 2713 sppp_lcp_check_and_close(sp); 2714 } 2715 2716 static void 2717 sppp_lcp_tld(struct sppp *sp) 2718 { 2719 STDDCL; 2720 int i; 2721 u_long mask; 2722 2723 sp->pp_phase = PHASE_TERMINATE; 2724 2725 if (debug) 2726 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2727 sppp_phase_name(sp->pp_phase)); 2728 2729 /* 2730 * Take upper layers down. We send the Down event first and 2731 * the Close second to prevent the upper layers from sending 2732 * ``a flurry of terminate-request packets'', as the RFC 2733 * describes it. 2734 */ 2735 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2736 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2737 (cps[i])->Down(sp); 2738 (cps[i])->Close(sp); 2739 } 2740 } 2741 2742 static void 2743 sppp_lcp_tls(struct sppp *sp) 2744 { 2745 STDDCL; 2746 2747 sp->pp_phase = PHASE_ESTABLISH; 2748 2749 if (debug) 2750 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2751 sppp_phase_name(sp->pp_phase)); 2752 2753 /* Notify lower layer if desired. */ 2754 if (sp->pp_tls) 2755 (sp->pp_tls)(sp); 2756 else 2757 (sp->pp_up)(sp); 2758 } 2759 2760 static void 2761 sppp_lcp_tlf(struct sppp *sp) 2762 { 2763 STDDCL; 2764 2765 sp->pp_phase = PHASE_DEAD; 2766 if (debug) 2767 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2768 sppp_phase_name(sp->pp_phase)); 2769 2770 /* Notify lower layer if desired. */ 2771 if (sp->pp_tlf) 2772 (sp->pp_tlf)(sp); 2773 else 2774 (sp->pp_down)(sp); 2775 } 2776 2777 static void 2778 sppp_lcp_scr(struct sppp *sp) 2779 { 2780 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2781 int i = 0; 2782 u_short authproto; 2783 2784 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2785 if (! sp->lcp.magic) 2786 #if defined(__DragonFly__) 2787 sp->lcp.magic = krandom(); 2788 #else 2789 sp->lcp.magic = time.tv_sec + time.tv_usec; 2790 #endif 2791 opt[i++] = LCP_OPT_MAGIC; 2792 opt[i++] = 6; 2793 opt[i++] = sp->lcp.magic >> 24; 2794 opt[i++] = sp->lcp.magic >> 16; 2795 opt[i++] = sp->lcp.magic >> 8; 2796 opt[i++] = sp->lcp.magic; 2797 } 2798 2799 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2800 opt[i++] = LCP_OPT_MRU; 2801 opt[i++] = 4; 2802 opt[i++] = sp->lcp.mru >> 8; 2803 opt[i++] = sp->lcp.mru; 2804 } 2805 2806 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2807 authproto = sp->hisauth.proto; 2808 opt[i++] = LCP_OPT_AUTH_PROTO; 2809 opt[i++] = authproto == PPP_CHAP? 5: 4; 2810 opt[i++] = authproto >> 8; 2811 opt[i++] = authproto; 2812 if (authproto == PPP_CHAP) 2813 opt[i++] = CHAP_MD5; 2814 } 2815 2816 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2817 sppp_cp_send (sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2818 } 2819 2820 /* 2821 * Check the open NCPs, return true if at least one NCP is open. 2822 */ 2823 static int 2824 sppp_ncp_check(struct sppp *sp) 2825 { 2826 int i, mask; 2827 2828 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2829 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2830 return 1; 2831 return 0; 2832 } 2833 2834 /* 2835 * Re-check the open NCPs and see if we should terminate the link. 2836 * Called by the NCPs during their tlf action handling. 2837 */ 2838 static void 2839 sppp_lcp_check_and_close(struct sppp *sp) 2840 { 2841 2842 if (sp->pp_phase < PHASE_NETWORK) 2843 /* don't bother, we are already going down */ 2844 return; 2845 2846 if (sppp_ncp_check(sp)) 2847 return; 2848 2849 lcp.Close(sp); 2850 } 2851 2852 /* 2853 *--------------------------------------------------------------------------* 2854 * * 2855 * The IPCP implementation. * 2856 * * 2857 *--------------------------------------------------------------------------* 2858 */ 2859 2860 static void 2861 sppp_ipcp_init(struct sppp *sp) 2862 { 2863 sp->ipcp.opts = 0; 2864 sp->ipcp.flags = 0; 2865 sp->state[IDX_IPCP] = STATE_INITIAL; 2866 sp->fail_counter[IDX_IPCP] = 0; 2867 sp->pp_seq[IDX_IPCP] = 0; 2868 sp->pp_rseq[IDX_IPCP] = 0; 2869 #if defined(__DragonFly__) 2870 callout_init(&sp->timeout[IDX_IPCP]); 2871 #endif 2872 } 2873 2874 static void 2875 sppp_ipcp_up(struct sppp *sp) 2876 { 2877 sppp_up_event(&ipcp, sp); 2878 } 2879 2880 static void 2881 sppp_ipcp_down(struct sppp *sp) 2882 { 2883 sppp_down_event(&ipcp, sp); 2884 } 2885 2886 static void 2887 sppp_ipcp_open(struct sppp *sp) 2888 { 2889 STDDCL; 2890 u_long myaddr, hisaddr; 2891 2892 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN | IPCP_MYADDR_SEEN | 2893 IPCP_MYADDR_DYN | IPCP_VJ); 2894 sp->ipcp.opts = 0; 2895 2896 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 2897 /* 2898 * If we don't have his address, this probably means our 2899 * interface doesn't want to talk IP at all. (This could 2900 * be the case if somebody wants to speak only IPX, for 2901 * example.) Don't open IPCP in this case. 2902 */ 2903 if (hisaddr == 0L) { 2904 /* XXX this message should go away */ 2905 if (debug) 2906 log(LOG_DEBUG, SPP_FMT "ipcp_open(): no IP interface\n", 2907 SPP_ARGS(ifp)); 2908 return; 2909 } 2910 if (myaddr == 0L) { 2911 /* 2912 * I don't have an assigned address, so i need to 2913 * negotiate my address. 2914 */ 2915 sp->ipcp.flags |= IPCP_MYADDR_DYN; 2916 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 2917 } else 2918 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 2919 if (sp->confflags & CONF_ENABLE_VJ) { 2920 sp->ipcp.opts |= (1 << IPCP_OPT_COMPRESSION); 2921 sp->ipcp.max_state = MAX_STATES - 1; 2922 sp->ipcp.compress_cid = 1; 2923 } 2924 sppp_open_event(&ipcp, sp); 2925 } 2926 2927 static void 2928 sppp_ipcp_close(struct sppp *sp) 2929 { 2930 sppp_close_event(&ipcp, sp); 2931 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 2932 /* 2933 * My address was dynamic, clear it again. 2934 */ 2935 sppp_set_ip_addr(sp, 0L); 2936 } 2937 2938 static void 2939 sppp_ipcp_TO(void *cookie) 2940 { 2941 sppp_to_event(&ipcp, (struct sppp *)cookie); 2942 } 2943 2944 /* 2945 * Analyze a configure request. Return true if it was agreeable, and 2946 * caused action sca, false if it has been rejected or nak'ed, and 2947 * caused action scn. (The return value is used to make the state 2948 * transition decision in the state automaton.) 2949 */ 2950 static int 2951 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2952 { 2953 u_char *buf, *r, *p; 2954 struct ifnet *ifp = &sp->pp_if; 2955 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 2956 u_long hisaddr, desiredaddr; 2957 int gotmyaddr = 0; 2958 int desiredcomp; 2959 2960 len -= 4; 2961 origlen = len; 2962 /* 2963 * Make sure to allocate a buf that can at least hold a 2964 * conf-nak with an `address' option. We might need it below. 2965 */ 2966 buf = r = kmalloc ((len < 6? 6: len), M_TEMP, M_INTWAIT); 2967 2968 /* pass 1: see if we can recognize them */ 2969 if (debug) 2970 log(LOG_DEBUG, SPP_FMT "ipcp parse opts: ", 2971 SPP_ARGS(ifp)); 2972 p = (void*) (h+1); 2973 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2974 /* Sanity check option length */ 2975 if (p[1] > len) { 2976 /* XXX should we just RXJ? */ 2977 log(-1, "%s: malicious IPCP option received, dropping\n", 2978 ifp->if_xname); 2979 goto drop; 2980 } 2981 if (debug) 2982 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 2983 switch (*p) { 2984 case IPCP_OPT_COMPRESSION: 2985 if (!(sp->confflags & CONF_ENABLE_VJ)) { 2986 /* VJ compression administratively disabled */ 2987 if (debug) 2988 log(-1, "[locally disabled] "); 2989 break; 2990 } 2991 /* 2992 * In theory, we should only conf-rej an 2993 * option that is shorter than RFC 1618 2994 * requires (i.e. < 4), and should conf-nak 2995 * anything else that is not VJ. However, 2996 * since our algorithm always uses the 2997 * original option to NAK it with new values, 2998 * things would become more complicated. In 2999 * pratice, the only commonly implemented IP 3000 * compression option is VJ anyway, so the 3001 * difference is negligible. 3002 */ 3003 if (len >= 6 && p[1] == 6) { 3004 /* 3005 * correctly formed compression option 3006 * that could be VJ compression 3007 */ 3008 continue; 3009 } 3010 if (debug) 3011 log(-1, "optlen %d [invalid/unsupported] ", 3012 p[1]); 3013 break; 3014 case IPCP_OPT_ADDRESS: 3015 if (len >= 6 && p[1] == 6) { 3016 /* correctly formed address option */ 3017 continue; 3018 } 3019 if (debug) 3020 log(-1, "[invalid] "); 3021 break; 3022 default: 3023 /* Others not supported. */ 3024 if (debug) 3025 log(-1, "[rej] "); 3026 break; 3027 } 3028 /* Add the option to rejected list. */ 3029 bcopy (p, r, p[1]); 3030 r += p[1]; 3031 rlen += p[1]; 3032 } 3033 if (rlen) { 3034 if (debug) 3035 log(-1, " send conf-rej\n"); 3036 sppp_cp_send (sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 3037 return 0; 3038 } else if (debug) 3039 log(-1, "\n"); 3040 3041 /* pass 2: parse option values */ 3042 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); 3043 if (debug) 3044 log(LOG_DEBUG, SPP_FMT "ipcp parse opt values: ", 3045 SPP_ARGS(ifp)); 3046 p = (void*) (h+1); 3047 len = origlen; 3048 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3049 if (debug) 3050 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3051 switch (*p) { 3052 case IPCP_OPT_COMPRESSION: 3053 desiredcomp = p[2] << 8 | p[3]; 3054 /* We only support VJ */ 3055 if (desiredcomp == IPCP_COMP_VJ) { 3056 if (debug) 3057 log(-1, "VJ [ack] "); 3058 sp->ipcp.flags |= IPCP_VJ; 3059 sl_compress_init(sp->pp_comp, p[4]); 3060 sp->ipcp.max_state = p[4]; 3061 sp->ipcp.compress_cid = p[5]; 3062 continue; 3063 } 3064 if (debug) 3065 log(-1, "compproto %#04x [not supported] ", 3066 desiredcomp); 3067 p[2] = IPCP_COMP_VJ >> 8; 3068 p[3] = IPCP_COMP_VJ; 3069 p[4] = sp->ipcp.max_state; 3070 p[5] = sp->ipcp.compress_cid; 3071 break; 3072 case IPCP_OPT_ADDRESS: 3073 /* This is the address he wants in his end */ 3074 desiredaddr = p[2] << 24 | p[3] << 16 | 3075 p[4] << 8 | p[5]; 3076 if (desiredaddr == hisaddr || 3077 (hisaddr >= 1 && hisaddr <= 254 && desiredaddr != 0)) { 3078 /* 3079 * Peer's address is same as our value, 3080 * or we have set it to 0.0.0.* to 3081 * indicate that we do not really care, 3082 * this is agreeable. Gonna conf-ack 3083 * it. 3084 */ 3085 if (debug) 3086 log(-1, "%s [ack] ", 3087 sppp_dotted_quad(hisaddr)); 3088 /* record that we've seen it already */ 3089 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 3090 continue; 3091 } 3092 /* 3093 * The address wasn't agreeable. This is either 3094 * he sent us 0.0.0.0, asking to assign him an 3095 * address, or he send us another address not 3096 * matching our value. Either case, we gonna 3097 * conf-nak it with our value. 3098 * XXX: we should "rej" if hisaddr == 0 3099 */ 3100 if (debug) { 3101 if (desiredaddr == 0) 3102 log(-1, "[addr requested] "); 3103 else 3104 log(-1, "%s [not agreed] ", 3105 sppp_dotted_quad(desiredaddr)); 3106 3107 } 3108 p[2] = hisaddr >> 24; 3109 p[3] = hisaddr >> 16; 3110 p[4] = hisaddr >> 8; 3111 p[5] = hisaddr; 3112 break; 3113 } 3114 /* Add the option to nak'ed list. */ 3115 bcopy (p, r, p[1]); 3116 r += p[1]; 3117 rlen += p[1]; 3118 } 3119 3120 /* 3121 * If we are about to conf-ack the request, but haven't seen 3122 * his address so far, gonna conf-nak it instead, with the 3123 * `address' option present and our idea of his address being 3124 * filled in there, to request negotiation of both addresses. 3125 * 3126 * XXX This can result in an endless req - nak loop if peer 3127 * doesn't want to send us his address. Q: What should we do 3128 * about it? XXX A: implement the max-failure counter. 3129 */ 3130 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN) && !gotmyaddr) { 3131 buf[0] = IPCP_OPT_ADDRESS; 3132 buf[1] = 6; 3133 buf[2] = hisaddr >> 24; 3134 buf[3] = hisaddr >> 16; 3135 buf[4] = hisaddr >> 8; 3136 buf[5] = hisaddr; 3137 rlen = 6; 3138 if (debug) 3139 log(-1, "still need hisaddr "); 3140 } 3141 3142 if (rlen) { 3143 if (debug) 3144 log(-1, " send conf-nak\n"); 3145 sppp_cp_send (sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3146 } else { 3147 if (debug) 3148 log(-1, " send conf-ack\n"); 3149 sppp_cp_send (sp, PPP_IPCP, CONF_ACK, 3150 h->ident, origlen, h+1); 3151 } 3152 3153 kfree (buf, M_TEMP); 3154 return (rlen == 0); 3155 3156 drop: 3157 kfree(buf, M_TEMP); 3158 return (-1); 3159 } 3160 3161 /* 3162 * Analyze the IPCP Configure-Reject option list, and adjust our 3163 * negotiation. 3164 */ 3165 static void 3166 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3167 { 3168 u_char *buf, *p; 3169 struct ifnet *ifp = &sp->pp_if; 3170 int debug = ifp->if_flags & IFF_DEBUG; 3171 3172 len -= 4; 3173 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3174 3175 if (debug) 3176 log(LOG_DEBUG, SPP_FMT "ipcp rej opts: ", 3177 SPP_ARGS(ifp)); 3178 3179 p = (void*) (h+1); 3180 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3181 /* Sanity check option length */ 3182 if (p[1] > len) { 3183 /* XXX should we just RXJ? */ 3184 log(-1, "%s: malicious IPCP option received, dropping\n", 3185 ifp->if_xname); 3186 goto drop; 3187 } 3188 if (debug) 3189 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3190 switch (*p) { 3191 case IPCP_OPT_COMPRESSION: 3192 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESSION); 3193 break; 3194 case IPCP_OPT_ADDRESS: 3195 /* 3196 * Peer doesn't grok address option. This is 3197 * bad. XXX Should we better give up here? 3198 * XXX We could try old "addresses" option... 3199 */ 3200 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3201 break; 3202 } 3203 } 3204 if (debug) 3205 log(-1, "\n"); 3206 drop: 3207 kfree (buf, M_TEMP); 3208 return; 3209 } 3210 3211 /* 3212 * Analyze the IPCP Configure-NAK option list, and adjust our 3213 * negotiation. 3214 */ 3215 static void 3216 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3217 { 3218 u_char *buf, *p; 3219 struct ifnet *ifp = &sp->pp_if; 3220 int debug = ifp->if_flags & IFF_DEBUG; 3221 int desiredcomp; 3222 u_long wantaddr; 3223 3224 len -= 4; 3225 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3226 3227 if (debug) 3228 log(LOG_DEBUG, SPP_FMT "ipcp nak opts: ", 3229 SPP_ARGS(ifp)); 3230 3231 p = (void*) (h+1); 3232 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3233 /* Sanity check option length */ 3234 if (p[1] > len) { 3235 /* XXX should we just RXJ? */ 3236 log(-1, "%s: malicious IPCP option received, dropping\n", 3237 ifp->if_xname); 3238 return; 3239 } 3240 if (debug) 3241 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3242 switch (*p) { 3243 case IPCP_OPT_COMPRESSION: 3244 if (len >= 6 && p[1] == 6) { 3245 desiredcomp = p[2] << 8 | p[3]; 3246 if (debug) 3247 log(-1, "[wantcomp %#04x] ", 3248 desiredcomp); 3249 if (desiredcomp == IPCP_COMP_VJ) { 3250 sl_compress_init(sp->pp_comp, p[4]); 3251 sp->ipcp.max_state = p[4]; 3252 sp->ipcp.compress_cid = p[5]; 3253 if (debug) 3254 log(-1, "[agree] "); 3255 } else 3256 sp->ipcp.opts &= 3257 ~(1 << IPCP_OPT_COMPRESSION); 3258 } 3259 break; 3260 case IPCP_OPT_ADDRESS: 3261 /* 3262 * Peer doesn't like our local IP address. See 3263 * if we can do something for him. We'll drop 3264 * him our address then. 3265 */ 3266 if (len >= 6 && p[1] == 6) { 3267 wantaddr = p[2] << 24 | p[3] << 16 | 3268 p[4] << 8 | p[5]; 3269 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3270 if (debug) 3271 log(-1, "[wantaddr %s] ", 3272 sppp_dotted_quad(wantaddr)); 3273 /* 3274 * When doing dynamic address assignment, 3275 * we accept his offer. Otherwise, we 3276 * ignore it and thus continue to negotiate 3277 * our already existing value. 3278 * XXX: Bogus, if he said no once, he'll 3279 * just say no again, might as well die. 3280 */ 3281 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3282 sppp_set_ip_addr(sp, wantaddr); 3283 if (debug) 3284 log(-1, "[agree] "); 3285 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3286 } 3287 } 3288 break; 3289 } 3290 } 3291 if (debug) 3292 log(-1, "\n"); 3293 kfree (buf, M_TEMP); 3294 return; 3295 } 3296 3297 static void 3298 sppp_ipcp_tlu(struct sppp *sp) 3299 { 3300 /* we are up - notify isdn daemon */ 3301 if (sp->pp_con) 3302 sp->pp_con(sp); 3303 } 3304 3305 static void 3306 sppp_ipcp_tld(struct sppp *sp) 3307 { 3308 } 3309 3310 static void 3311 sppp_ipcp_tls(struct sppp *sp) 3312 { 3313 /* indicate to LCP that it must stay alive */ 3314 sp->lcp.protos |= (1 << IDX_IPCP); 3315 } 3316 3317 static void 3318 sppp_ipcp_tlf(struct sppp *sp) 3319 { 3320 /* we no longer need LCP */ 3321 sp->lcp.protos &= ~(1 << IDX_IPCP); 3322 sppp_lcp_check_and_close(sp); 3323 } 3324 3325 static void 3326 sppp_ipcp_scr(struct sppp *sp) 3327 { 3328 char opt[6 /* compression */ + 6 /* address */]; 3329 u_long ouraddr; 3330 int i = 0; 3331 3332 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3333 opt[i++] = IPCP_OPT_COMPRESSION; 3334 opt[i++] = 6; 3335 opt[i++] = IPCP_COMP_VJ >> 8; 3336 opt[i++] = IPCP_COMP_VJ; 3337 opt[i++] = sp->ipcp.max_state; 3338 opt[i++] = sp->ipcp.compress_cid; 3339 } 3340 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3341 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3342 opt[i++] = IPCP_OPT_ADDRESS; 3343 opt[i++] = 6; 3344 opt[i++] = ouraddr >> 24; 3345 opt[i++] = ouraddr >> 16; 3346 opt[i++] = ouraddr >> 8; 3347 opt[i++] = ouraddr; 3348 } 3349 3350 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3351 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3352 } 3353 3354 /* 3355 *--------------------------------------------------------------------------* 3356 * * 3357 * The IPv6CP implementation. * 3358 * * 3359 *--------------------------------------------------------------------------* 3360 */ 3361 3362 #ifdef INET6 3363 static void 3364 sppp_ipv6cp_init(struct sppp *sp) 3365 { 3366 sp->ipv6cp.opts = 0; 3367 sp->ipv6cp.flags = 0; 3368 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3369 sp->fail_counter[IDX_IPV6CP] = 0; 3370 sp->pp_seq[IDX_IPV6CP] = 0; 3371 sp->pp_rseq[IDX_IPV6CP] = 0; 3372 #if defined(__NetBSD__) 3373 callout_init(&sp->ch[IDX_IPV6CP]); 3374 #endif 3375 #if defined(__DragonFly__) 3376 callout_init(&sp->timeout[IDX_IPV6CP]); 3377 #endif 3378 } 3379 3380 static void 3381 sppp_ipv6cp_up(struct sppp *sp) 3382 { 3383 sppp_up_event(&ipv6cp, sp); 3384 } 3385 3386 static void 3387 sppp_ipv6cp_down(struct sppp *sp) 3388 { 3389 sppp_down_event(&ipv6cp, sp); 3390 } 3391 3392 static void 3393 sppp_ipv6cp_open(struct sppp *sp) 3394 { 3395 STDDCL; 3396 struct in6_addr myaddr, hisaddr; 3397 3398 #ifdef IPV6CP_MYIFID_DYN 3399 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3400 #else 3401 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3402 #endif 3403 3404 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3405 /* 3406 * If we don't have our address, this probably means our 3407 * interface doesn't want to talk IPv6 at all. (This could 3408 * be the case if somebody wants to speak only IPX, for 3409 * example.) Don't open IPv6CP in this case. 3410 */ 3411 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3412 /* XXX this message should go away */ 3413 if (debug) 3414 log(LOG_DEBUG, SPP_FMT "ipv6cp_open(): no IPv6 interface\n", 3415 SPP_ARGS(ifp)); 3416 return; 3417 } 3418 3419 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3420 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3421 sppp_open_event(&ipv6cp, sp); 3422 } 3423 3424 static void 3425 sppp_ipv6cp_close(struct sppp *sp) 3426 { 3427 sppp_close_event(&ipv6cp, sp); 3428 } 3429 3430 static void 3431 sppp_ipv6cp_TO(void *cookie) 3432 { 3433 sppp_to_event(&ipv6cp, (struct sppp *)cookie); 3434 } 3435 3436 /* 3437 * Analyze a configure request. Return true if it was agreeable, and 3438 * caused action sca, false if it has been rejected or nak'ed, and 3439 * caused action scn. (The return value is used to make the state 3440 * transition decision in the state automaton.) 3441 */ 3442 static int 3443 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3444 { 3445 u_char *buf, *r, *p; 3446 struct ifnet *ifp = &sp->pp_if; 3447 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3448 struct in6_addr myaddr, desiredaddr, suggestaddr; 3449 int ifidcount; 3450 int type; 3451 int collision, nohisaddr; 3452 3453 len -= 4; 3454 origlen = len; 3455 /* 3456 * Make sure to allocate a buf that can at least hold a 3457 * conf-nak with an `address' option. We might need it below. 3458 */ 3459 buf = r = kmalloc ((len < 6? 6: len), M_TEMP, M_INTWAIT); 3460 3461 /* pass 1: see if we can recognize them */ 3462 if (debug) 3463 log(LOG_DEBUG, SPP_FMT "ipv6cp parse opts:", 3464 SPP_ARGS(ifp)); 3465 p = (void*) (h+1); 3466 ifidcount = 0; 3467 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3468 /* Sanity check option length */ 3469 if (p[1] > len) { 3470 /* XXX just RXJ? */ 3471 log(-1, "%s: received malicious IPCPv6 option, " 3472 "dropping\n", ifp->if_xname); 3473 goto drop; 3474 } 3475 if (debug) 3476 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3477 switch (*p) { 3478 case IPV6CP_OPT_IFID: 3479 if (len >= 10 && p[1] == 10 && ifidcount == 0) { 3480 /* correctly formed address option */ 3481 ifidcount++; 3482 continue; 3483 } 3484 if (debug) 3485 log(-1, " [invalid]"); 3486 break; 3487 #ifdef notyet 3488 case IPV6CP_OPT_COMPRESSION: 3489 if (len >= 4 && p[1] >= 4) { 3490 /* correctly formed compress option */ 3491 continue; 3492 } 3493 if (debug) 3494 log(-1, " [invalid]"); 3495 break; 3496 #endif 3497 default: 3498 /* Others not supported. */ 3499 if (debug) 3500 log(-1, " [rej]"); 3501 break; 3502 } 3503 /* Add the option to rejected list. */ 3504 bcopy (p, r, p[1]); 3505 r += p[1]; 3506 rlen += p[1]; 3507 } 3508 if (rlen) { 3509 if (debug) 3510 log(-1, " send conf-rej\n"); 3511 sppp_cp_send (sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3512 goto end; 3513 } else if (debug) 3514 log(-1, "\n"); 3515 3516 /* pass 2: parse option values */ 3517 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3518 if (debug) 3519 log(LOG_DEBUG, SPP_FMT "ipv6cp parse opt values: ", 3520 SPP_ARGS(ifp)); 3521 p = (void*) (h+1); 3522 len = origlen; 3523 type = CONF_ACK; 3524 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3525 if (debug) 3526 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3527 switch (*p) { 3528 #ifdef notyet 3529 case IPV6CP_OPT_COMPRESSION: 3530 continue; 3531 #endif 3532 case IPV6CP_OPT_IFID: 3533 bzero(&desiredaddr, sizeof(desiredaddr)); 3534 bcopy(&p[2], &desiredaddr.s6_addr[8], 8); 3535 collision = (bcmp(&desiredaddr.s6_addr[8], 3536 &myaddr.s6_addr[8], 8) == 0); 3537 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3538 3539 desiredaddr.s6_addr16[0] = htons(0xfe80); 3540 desiredaddr.s6_addr16[1] = htons(sp->pp_if.if_index); 3541 3542 if (!collision && !nohisaddr) { 3543 /* no collision, hisaddr known - Conf-Ack */ 3544 type = CONF_ACK; 3545 3546 if (debug) { 3547 log(-1, " %s [%s]", 3548 ip6_sprintf(&desiredaddr), 3549 sppp_cp_type_name(type)); 3550 } 3551 continue; 3552 } 3553 3554 bzero(&suggestaddr, sizeof(&suggestaddr)); 3555 if (collision && nohisaddr) { 3556 /* collision, hisaddr unknown - Conf-Rej */ 3557 type = CONF_REJ; 3558 bzero(&p[2], 8); 3559 } else { 3560 /* 3561 * - no collision, hisaddr unknown, or 3562 * - collision, hisaddr known 3563 * Conf-Nak, suggest hisaddr 3564 */ 3565 type = CONF_NAK; 3566 sppp_suggest_ip6_addr(sp, &suggestaddr); 3567 bcopy(&suggestaddr.s6_addr[8], &p[2], 8); 3568 } 3569 if (debug) 3570 log(-1, " %s [%s]", ip6_sprintf(&desiredaddr), 3571 sppp_cp_type_name(type)); 3572 break; 3573 } 3574 /* Add the option to nak'ed list. */ 3575 bcopy (p, r, p[1]); 3576 r += p[1]; 3577 rlen += p[1]; 3578 } 3579 3580 if (rlen == 0 && type == CONF_ACK) { 3581 if (debug) 3582 log(-1, " send %s\n", sppp_cp_type_name(type)); 3583 sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, origlen, h+1); 3584 } else { 3585 #ifdef DIAGNOSTIC 3586 if (type == CONF_ACK) 3587 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3588 #endif 3589 3590 if (debug) { 3591 log(-1, " send %s suggest %s\n", 3592 sppp_cp_type_name(type), ip6_sprintf(&suggestaddr)); 3593 } 3594 sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3595 } 3596 3597 end: 3598 kfree (buf, M_TEMP); 3599 return (rlen == 0); 3600 3601 drop: 3602 kfree(buf, M_TEMP); 3603 return (-1); 3604 } 3605 3606 /* 3607 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3608 * negotiation. 3609 */ 3610 static void 3611 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3612 { 3613 u_char *buf, *p; 3614 struct ifnet *ifp = &sp->pp_if; 3615 int debug = ifp->if_flags & IFF_DEBUG; 3616 3617 len -= 4; 3618 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3619 3620 if (debug) 3621 log(LOG_DEBUG, SPP_FMT "ipv6cp rej opts:", 3622 SPP_ARGS(ifp)); 3623 3624 p = (void*) (h+1); 3625 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3626 if (p[1] > len) { 3627 /* XXX just RXJ? */ 3628 log(-1, "%s: received malicious IPCPv6 option, " 3629 "dropping\n", ifp->if_xname); 3630 goto drop; 3631 } 3632 if (debug) 3633 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3634 switch (*p) { 3635 case IPV6CP_OPT_IFID: 3636 /* 3637 * Peer doesn't grok address option. This is 3638 * bad. XXX Should we better give up here? 3639 */ 3640 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3641 break; 3642 #ifdef notyet 3643 case IPV6CP_OPT_COMPRESS: 3644 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3645 break; 3646 #endif 3647 } 3648 } 3649 if (debug) 3650 log(-1, "\n"); 3651 drop: 3652 kfree (buf, M_TEMP); 3653 return; 3654 } 3655 3656 /* 3657 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3658 * negotiation. 3659 */ 3660 static void 3661 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3662 { 3663 u_char *buf, *p; 3664 struct ifnet *ifp = &sp->pp_if; 3665 int debug = ifp->if_flags & IFF_DEBUG; 3666 struct in6_addr suggestaddr; 3667 3668 len -= 4; 3669 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3670 3671 if (debug) 3672 log(LOG_DEBUG, SPP_FMT "ipv6cp nak opts:", 3673 SPP_ARGS(ifp)); 3674 3675 p = (void*) (h+1); 3676 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3677 if (p[1] > len) { 3678 /* XXX just RXJ? */ 3679 log(-1, "%s: received malicious IPCPv6 option, " 3680 "dropping\n", ifp->if_xname); 3681 goto drop; 3682 } 3683 if (debug) 3684 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3685 switch (*p) { 3686 case IPV6CP_OPT_IFID: 3687 /* 3688 * Peer doesn't like our local ifid. See 3689 * if we can do something for him. We'll drop 3690 * him our address then. 3691 */ 3692 if (len < 10 || p[1] != 10) 3693 break; 3694 bzero(&suggestaddr, sizeof(suggestaddr)); 3695 suggestaddr.s6_addr16[0] = htons(0xfe80); 3696 suggestaddr.s6_addr16[1] = htons(sp->pp_if.if_index); 3697 bcopy(&p[2], &suggestaddr.s6_addr[8], 8); 3698 3699 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3700 if (debug) 3701 log(-1, " [suggestaddr %s]", 3702 ip6_sprintf(&suggestaddr)); 3703 #ifdef IPV6CP_MYIFID_DYN 3704 /* 3705 * When doing dynamic address assignment, 3706 * we accept his offer. 3707 */ 3708 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3709 struct in6_addr lastsuggest; 3710 /* 3711 * If <suggested myaddr from peer> equals to 3712 * <hisaddr we have suggested last time>, 3713 * we have a collision. generate new random 3714 * ifid. 3715 */ 3716 sppp_suggest_ip6_addr(&lastsuggest); 3717 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3718 lastsuggest)) { 3719 if (debug) 3720 log(-1, " [random]"); 3721 sppp_gen_ip6_addr(sp, &suggestaddr); 3722 } 3723 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3724 if (debug) 3725 log(-1, " [agree]"); 3726 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3727 } 3728 #else 3729 /* 3730 * Since we do not do dynamic address assignment, 3731 * we ignore it and thus continue to negotiate 3732 * our already existing value. This can possibly 3733 * go into infinite request-reject loop. 3734 * 3735 * This is not likely because we normally use 3736 * ifid based on MAC-address. 3737 * If you have no ethernet card on the node, too bad. 3738 * XXX should we use fail_counter? 3739 */ 3740 #endif 3741 break; 3742 #ifdef notyet 3743 case IPV6CP_OPT_COMPRESS: 3744 /* 3745 * Peer wants different compression parameters. 3746 */ 3747 break; 3748 #endif 3749 } 3750 } 3751 if (debug) 3752 log(-1, "\n"); 3753 drop: 3754 kfree (buf, M_TEMP); 3755 return; 3756 } 3757 static void 3758 sppp_ipv6cp_tlu(struct sppp *sp) 3759 { 3760 /* we are up - notify isdn daemon */ 3761 if (sp->pp_con) 3762 sp->pp_con(sp); 3763 } 3764 3765 static void 3766 sppp_ipv6cp_tld(struct sppp *sp) 3767 { 3768 } 3769 3770 static void 3771 sppp_ipv6cp_tls(struct sppp *sp) 3772 { 3773 /* indicate to LCP that it must stay alive */ 3774 sp->lcp.protos |= (1 << IDX_IPV6CP); 3775 } 3776 3777 static void 3778 sppp_ipv6cp_tlf(struct sppp *sp) 3779 { 3780 3781 #if 0 /* need #if 0 to close IPv6CP properly */ 3782 /* we no longer need LCP */ 3783 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3784 sppp_lcp_check_and_close(sp); 3785 #endif 3786 } 3787 3788 static void 3789 sppp_ipv6cp_scr(struct sppp *sp) 3790 { 3791 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3792 struct in6_addr ouraddr; 3793 int i = 0; 3794 3795 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3796 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3797 opt[i++] = IPV6CP_OPT_IFID; 3798 opt[i++] = 10; 3799 bcopy(&ouraddr.s6_addr[8], &opt[i], 8); 3800 i += 8; 3801 } 3802 3803 #ifdef notyet 3804 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 3805 opt[i++] = IPV6CP_OPT_COMPRESSION; 3806 opt[i++] = 4; 3807 opt[i++] = 0; /* TBD */ 3808 opt[i++] = 0; /* TBD */ 3809 /* variable length data may follow */ 3810 } 3811 #endif 3812 3813 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 3814 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 3815 } 3816 #else /*INET6*/ 3817 static void 3818 sppp_ipv6cp_init(struct sppp *sp) 3819 { 3820 } 3821 3822 static void 3823 sppp_ipv6cp_up(struct sppp *sp) 3824 { 3825 } 3826 3827 static void 3828 sppp_ipv6cp_down(struct sppp *sp) 3829 { 3830 } 3831 3832 3833 static void 3834 sppp_ipv6cp_open(struct sppp *sp) 3835 { 3836 } 3837 3838 static void 3839 sppp_ipv6cp_close(struct sppp *sp) 3840 { 3841 } 3842 3843 static void 3844 sppp_ipv6cp_TO(void *sp) 3845 { 3846 } 3847 3848 static int 3849 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3850 { 3851 return 0; 3852 } 3853 3854 static void 3855 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3856 { 3857 } 3858 3859 static void 3860 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3861 { 3862 } 3863 3864 static void 3865 sppp_ipv6cp_tlu(struct sppp *sp) 3866 { 3867 } 3868 3869 static void 3870 sppp_ipv6cp_tld(struct sppp *sp) 3871 { 3872 } 3873 3874 static void 3875 sppp_ipv6cp_tls(struct sppp *sp) 3876 { 3877 } 3878 3879 static void 3880 sppp_ipv6cp_tlf(struct sppp *sp) 3881 { 3882 } 3883 3884 static void 3885 sppp_ipv6cp_scr(struct sppp *sp) 3886 { 3887 } 3888 #endif /*INET6*/ 3889 3890 /* 3891 *--------------------------------------------------------------------------* 3892 * * 3893 * The CHAP implementation. * 3894 * * 3895 *--------------------------------------------------------------------------* 3896 */ 3897 3898 /* 3899 * The authentication protocols don't employ a full-fledged state machine as 3900 * the control protocols do, since they do have Open and Close events, but 3901 * not Up and Down, nor are they explicitly terminated. Also, use of the 3902 * authentication protocols may be different in both directions (this makes 3903 * sense, think of a machine that never accepts incoming calls but only 3904 * calls out, it doesn't require the called party to authenticate itself). 3905 * 3906 * Our state machine for the local authentication protocol (we are requesting 3907 * the peer to authenticate) looks like: 3908 * 3909 * RCA- 3910 * +--------------------------------------------+ 3911 * V scn,tld| 3912 * +--------+ Close +---------+ RCA+ 3913 * | |<----------------------------------| |------+ 3914 * +--->| Closed | TO* | Opened | sca | 3915 * | | |-----+ +-------| |<-----+ 3916 * | +--------+ irc | | +---------+ 3917 * | ^ | | ^ 3918 * | | | | | 3919 * | | | | | 3920 * | TO-| | | | 3921 * | |tld TO+ V | | 3922 * | | +------->+ | | 3923 * | | | | | | 3924 * | +--------+ V | | 3925 * | | |<----+<--------------------+ | 3926 * | | Req- | scr | 3927 * | | Sent | | 3928 * | | | | 3929 * | +--------+ | 3930 * | RCA- | | RCA+ | 3931 * +------+ +------------------------------------------+ 3932 * scn,tld sca,irc,ict,tlu 3933 * 3934 * 3935 * with: 3936 * 3937 * Open: LCP reached authentication phase 3938 * Close: LCP reached terminate phase 3939 * 3940 * RCA+: received reply (pap-req, chap-response), acceptable 3941 * RCN: received reply (pap-req, chap-response), not acceptable 3942 * TO+: timeout with restart counter >= 0 3943 * TO-: timeout with restart counter < 0 3944 * TO*: reschedule timeout for CHAP 3945 * 3946 * scr: send request packet (none for PAP, chap-challenge) 3947 * sca: send ack packet (pap-ack, chap-success) 3948 * scn: send nak packet (pap-nak, chap-failure) 3949 * ict: initialize re-challenge timer (CHAP only) 3950 * 3951 * tlu: this-layer-up, LCP reaches network phase 3952 * tld: this-layer-down, LCP enters terminate phase 3953 * 3954 * Note that in CHAP mode, after sending a new challenge, while the state 3955 * automaton falls back into Req-Sent state, it doesn't signal a tld 3956 * event to LCP, so LCP remains in network phase. Only after not getting 3957 * any response (or after getting an unacceptable response), CHAP closes, 3958 * causing LCP to enter terminate phase. 3959 * 3960 * With PAP, there is no initial request that can be sent. The peer is 3961 * expected to send one based on the successful negotiation of PAP as 3962 * the authentication protocol during the LCP option negotiation. 3963 * 3964 * Incoming authentication protocol requests (remote requests 3965 * authentication, we are peer) don't employ a state machine at all, 3966 * they are simply answered. Some peers [Ascend P50 firmware rev 3967 * 4.50] react allergically when sending IPCP requests while they are 3968 * still in authentication phase (thereby violating the standard that 3969 * demands that these NCP packets are to be discarded), so we keep 3970 * track of the peer demanding us to authenticate, and only proceed to 3971 * phase network once we've seen a positive acknowledge for the 3972 * authentication. 3973 */ 3974 3975 /* 3976 * Handle incoming CHAP packets. 3977 */ 3978 void 3979 sppp_chap_input(struct sppp *sp, struct mbuf *m) 3980 { 3981 STDDCL; 3982 struct lcp_header *h; 3983 int len; 3984 u_char *value, *name, digest[AUTHKEYLEN], dsize; 3985 int value_len, name_len; 3986 MD5_CTX ctx; 3987 3988 len = m->m_pkthdr.len; 3989 if (len < 4) { 3990 if (debug) 3991 log(LOG_DEBUG, 3992 SPP_FMT "chap invalid packet length: %d bytes\n", 3993 SPP_ARGS(ifp), len); 3994 return; 3995 } 3996 h = mtod (m, struct lcp_header*); 3997 if (len > ntohs (h->len)) 3998 len = ntohs (h->len); 3999 4000 switch (h->type) { 4001 /* challenge, failure and success are his authproto */ 4002 case CHAP_CHALLENGE: 4003 value = 1 + (u_char*)(h+1); 4004 value_len = value[-1]; 4005 name = value + value_len; 4006 name_len = len - value_len - 5; 4007 if (name_len < 0) { 4008 if (debug) { 4009 log(LOG_DEBUG, 4010 SPP_FMT "chap corrupted challenge " 4011 "<%s id=0x%x len=%d", 4012 SPP_ARGS(ifp), 4013 sppp_auth_type_name(PPP_CHAP, h->type), 4014 h->ident, ntohs(h->len)); 4015 sppp_print_bytes((u_char*) (h+1), len-4); 4016 log(-1, ">\n"); 4017 } 4018 break; 4019 } 4020 4021 if (debug) { 4022 log(LOG_DEBUG, 4023 SPP_FMT "chap input <%s id=0x%x len=%d name=", 4024 SPP_ARGS(ifp), 4025 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 4026 ntohs(h->len)); 4027 sppp_print_string((char*) name, name_len); 4028 log(-1, " value-size=%d value=", value_len); 4029 sppp_print_bytes(value, value_len); 4030 log(-1, ">\n"); 4031 } 4032 4033 /* Compute reply value. */ 4034 MD5Init(&ctx); 4035 MD5Update(&ctx, &h->ident, 1); 4036 MD5Update(&ctx, sp->myauth.secret, 4037 sppp_strnlen(sp->myauth.secret, AUTHKEYLEN)); 4038 MD5Update(&ctx, value, value_len); 4039 MD5Final(digest, &ctx); 4040 dsize = sizeof digest; 4041 4042 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 4043 sizeof dsize, (const char *)&dsize, 4044 sizeof digest, digest, 4045 (size_t)sppp_strnlen(sp->myauth.name, AUTHNAMELEN), 4046 sp->myauth.name, 4047 0); 4048 break; 4049 4050 case CHAP_SUCCESS: 4051 if (debug) { 4052 log(LOG_DEBUG, SPP_FMT "chap success", 4053 SPP_ARGS(ifp)); 4054 if (len > 4) { 4055 log(-1, ": "); 4056 sppp_print_string((char*)(h + 1), len - 4); 4057 } 4058 log(-1, "\n"); 4059 } 4060 4061 crit_enter(); 4062 4063 sp->pp_flags &= ~PP_NEEDAUTH; 4064 if (sp->myauth.proto == PPP_CHAP && 4065 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4066 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 4067 /* 4068 * We are authenticator for CHAP but didn't 4069 * complete yet. Leave it to tlu to proceed 4070 * to network phase. 4071 */ 4072 crit_exit(); 4073 break; 4074 } 4075 crit_exit(); 4076 sppp_phase_network(sp); 4077 break; 4078 4079 case CHAP_FAILURE: 4080 if (debug) { 4081 log(LOG_INFO, SPP_FMT "chap failure", 4082 SPP_ARGS(ifp)); 4083 if (len > 4) { 4084 log(-1, ": "); 4085 sppp_print_string((char*)(h + 1), len - 4); 4086 } 4087 log(-1, "\n"); 4088 } else 4089 log(LOG_INFO, SPP_FMT "chap failure\n", 4090 SPP_ARGS(ifp)); 4091 /* await LCP shutdown by authenticator */ 4092 break; 4093 4094 /* response is my authproto */ 4095 case CHAP_RESPONSE: 4096 value = 1 + (u_char*)(h+1); 4097 value_len = value[-1]; 4098 name = value + value_len; 4099 name_len = len - value_len - 5; 4100 if (name_len < 0) { 4101 if (debug) { 4102 log(LOG_DEBUG, 4103 SPP_FMT "chap corrupted response " 4104 "<%s id=0x%x len=%d", 4105 SPP_ARGS(ifp), 4106 sppp_auth_type_name(PPP_CHAP, h->type), 4107 h->ident, ntohs(h->len)); 4108 sppp_print_bytes((u_char*)(h+1), len-4); 4109 log(-1, ">\n"); 4110 } 4111 break; 4112 } 4113 if (h->ident != sp->confid[IDX_CHAP]) { 4114 if (debug) 4115 log(LOG_DEBUG, 4116 SPP_FMT "chap dropping response for old ID " 4117 "(got %d, expected %d)\n", 4118 SPP_ARGS(ifp), 4119 h->ident, sp->confid[IDX_CHAP]); 4120 break; 4121 } 4122 if (name_len != sppp_strnlen(sp->hisauth.name, AUTHNAMELEN) 4123 || bcmp(name, sp->hisauth.name, name_len) != 0) { 4124 log(LOG_INFO, SPP_FMT "chap response, his name ", 4125 SPP_ARGS(ifp)); 4126 sppp_print_string(name, name_len); 4127 log(-1, " != expected "); 4128 sppp_print_string(sp->hisauth.name, 4129 sppp_strnlen(sp->hisauth.name, AUTHNAMELEN)); 4130 log(-1, "\n"); 4131 } 4132 if (debug) { 4133 log(LOG_DEBUG, SPP_FMT "chap input(%s) " 4134 "<%s id=0x%x len=%d name=", 4135 SPP_ARGS(ifp), 4136 sppp_state_name(sp->state[IDX_CHAP]), 4137 sppp_auth_type_name(PPP_CHAP, h->type), 4138 h->ident, ntohs (h->len)); 4139 sppp_print_string((char*)name, name_len); 4140 log(-1, " value-size=%d value=", value_len); 4141 sppp_print_bytes(value, value_len); 4142 log(-1, ">\n"); 4143 } 4144 if (value_len != AUTHKEYLEN) { 4145 if (debug) 4146 log(LOG_DEBUG, 4147 SPP_FMT "chap bad hash value length: " 4148 "%d bytes, should be %d\n", 4149 SPP_ARGS(ifp), value_len, 4150 AUTHKEYLEN); 4151 break; 4152 } 4153 4154 MD5Init(&ctx); 4155 MD5Update(&ctx, &h->ident, 1); 4156 MD5Update(&ctx, sp->hisauth.secret, 4157 sppp_strnlen(sp->hisauth.secret, AUTHKEYLEN)); 4158 MD5Update(&ctx, sp->myauth.challenge, AUTHKEYLEN); 4159 MD5Final(digest, &ctx); 4160 4161 #define FAILMSG "Failed..." 4162 #define SUCCMSG "Welcome!" 4163 4164 if (value_len != sizeof digest || 4165 bcmp(digest, value, value_len) != 0) { 4166 /* action scn, tld */ 4167 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4168 sizeof(FAILMSG) - 1, (u_char *)FAILMSG, 4169 0); 4170 chap.tld(sp); 4171 break; 4172 } 4173 /* action sca, perhaps tlu */ 4174 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4175 sp->state[IDX_CHAP] == STATE_OPENED) 4176 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4177 sizeof(SUCCMSG) - 1, (u_char *)SUCCMSG, 4178 0); 4179 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4180 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4181 chap.tlu(sp); 4182 } 4183 break; 4184 4185 default: 4186 /* Unknown CHAP packet type -- ignore. */ 4187 if (debug) { 4188 log(LOG_DEBUG, SPP_FMT "chap unknown input(%s) " 4189 "<0x%x id=0x%xh len=%d", 4190 SPP_ARGS(ifp), 4191 sppp_state_name(sp->state[IDX_CHAP]), 4192 h->type, h->ident, ntohs(h->len)); 4193 sppp_print_bytes((u_char*)(h+1), len-4); 4194 log(-1, ">\n"); 4195 } 4196 break; 4197 4198 } 4199 } 4200 4201 static void 4202 sppp_chap_init(struct sppp *sp) 4203 { 4204 /* Chap doesn't have STATE_INITIAL at all. */ 4205 sp->state[IDX_CHAP] = STATE_CLOSED; 4206 sp->fail_counter[IDX_CHAP] = 0; 4207 sp->pp_seq[IDX_CHAP] = 0; 4208 sp->pp_rseq[IDX_CHAP] = 0; 4209 #if defined(__DragonFly__) 4210 callout_init(&sp->timeout[IDX_CHAP]); 4211 #endif 4212 } 4213 4214 static void 4215 sppp_chap_open(struct sppp *sp) 4216 { 4217 if (sp->myauth.proto == PPP_CHAP && 4218 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4219 /* we are authenticator for CHAP, start it */ 4220 chap.scr(sp); 4221 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4222 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4223 } 4224 /* nothing to be done if we are peer, await a challenge */ 4225 } 4226 4227 static void 4228 sppp_chap_close(struct sppp *sp) 4229 { 4230 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4231 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4232 } 4233 4234 static void 4235 sppp_chap_TO(void *cookie) 4236 { 4237 struct sppp *sp = (struct sppp *)cookie; 4238 STDDCL; 4239 4240 crit_enter(); 4241 4242 if (debug) 4243 log(LOG_DEBUG, SPP_FMT "chap TO(%s) rst_counter = %d\n", 4244 SPP_ARGS(ifp), 4245 sppp_state_name(sp->state[IDX_CHAP]), 4246 sp->rst_counter[IDX_CHAP]); 4247 4248 if (--sp->rst_counter[IDX_CHAP] < 0) 4249 /* TO- event */ 4250 switch (sp->state[IDX_CHAP]) { 4251 case STATE_REQ_SENT: 4252 chap.tld(sp); 4253 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4254 break; 4255 } 4256 else 4257 /* TO+ (or TO*) event */ 4258 switch (sp->state[IDX_CHAP]) { 4259 case STATE_OPENED: 4260 /* TO* event */ 4261 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4262 /* fall through */ 4263 case STATE_REQ_SENT: 4264 chap.scr(sp); 4265 /* sppp_cp_change_state() will restart the timer */ 4266 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4267 break; 4268 } 4269 4270 crit_exit(); 4271 } 4272 4273 static void 4274 sppp_chap_tlu(struct sppp *sp) 4275 { 4276 STDDCL; 4277 int i; 4278 4279 i = 0; 4280 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4281 4282 /* 4283 * Some broken CHAP implementations (Conware CoNet, firmware 4284 * 4.0.?) don't want to re-authenticate their CHAP once the 4285 * initial challenge-response exchange has taken place. 4286 * Provide for an option to avoid rechallenges. 4287 */ 4288 if ((sp->hisauth.flags & AUTHFLAG_NORECHALLENGE) == 0) { 4289 /* 4290 * Compute the re-challenge timeout. This will yield 4291 * a number between 300 and 810 seconds. 4292 */ 4293 i = 300 + ((unsigned)(krandom() & 0xff00) >> 7); 4294 callout_reset(&sp->timeout[IDX_CHAP], i * hz, chap.TO, sp); 4295 } 4296 4297 if (debug) { 4298 log(LOG_DEBUG, 4299 SPP_FMT "chap %s, ", 4300 SPP_ARGS(ifp), 4301 sp->pp_phase == PHASE_NETWORK? "reconfirmed": "tlu"); 4302 if ((sp->hisauth.flags & AUTHFLAG_NORECHALLENGE) == 0) 4303 log(-1, "next re-challenge in %d seconds\n", i); 4304 else 4305 log(-1, "re-challenging suppressed\n"); 4306 } 4307 4308 crit_enter(); 4309 4310 /* indicate to LCP that we need to be closed down */ 4311 sp->lcp.protos |= (1 << IDX_CHAP); 4312 4313 if (sp->pp_flags & PP_NEEDAUTH) { 4314 /* 4315 * Remote is authenticator, but his auth proto didn't 4316 * complete yet. Defer the transition to network 4317 * phase. 4318 */ 4319 crit_exit(); 4320 return; 4321 } 4322 4323 crit_exit(); 4324 4325 /* 4326 * If we are already in phase network, we are done here. This 4327 * is the case if this is a dummy tlu event after a re-challenge. 4328 */ 4329 if (sp->pp_phase != PHASE_NETWORK) 4330 sppp_phase_network(sp); 4331 } 4332 4333 static void 4334 sppp_chap_tld(struct sppp *sp) 4335 { 4336 STDDCL; 4337 4338 if (debug) 4339 log(LOG_DEBUG, SPP_FMT "chap tld\n", SPP_ARGS(ifp)); 4340 callout_stop(&sp->timeout[IDX_CHAP]); 4341 sp->lcp.protos &= ~(1 << IDX_CHAP); 4342 4343 lcp.Close(sp); 4344 } 4345 4346 static void 4347 sppp_chap_scr(struct sppp *sp) 4348 { 4349 u_long *ch, seed; 4350 u_char clen; 4351 4352 /* Compute random challenge. */ 4353 ch = (u_long *)sp->myauth.challenge; 4354 #if defined(__DragonFly__) 4355 read_random(&seed, sizeof seed); 4356 #else 4357 { 4358 struct timeval tv; 4359 microtime(&tv); 4360 seed = tv.tv_sec ^ tv.tv_usec; 4361 } 4362 #endif 4363 ch[0] = seed ^ krandom(); 4364 ch[1] = seed ^ krandom(); 4365 ch[2] = seed ^ krandom(); 4366 ch[3] = seed ^ krandom(); 4367 clen = AUTHKEYLEN; 4368 4369 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4370 4371 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4372 sizeof clen, (const char *)&clen, 4373 (size_t)AUTHKEYLEN, sp->myauth.challenge, 4374 (size_t)sppp_strnlen(sp->myauth.name, AUTHNAMELEN), 4375 sp->myauth.name, 4376 0); 4377 } 4378 4379 /* 4380 *--------------------------------------------------------------------------* 4381 * * 4382 * The PAP implementation. * 4383 * * 4384 *--------------------------------------------------------------------------* 4385 */ 4386 /* 4387 * For PAP, we need to keep a little state also if we are the peer, not the 4388 * authenticator. This is since we don't get a request to authenticate, but 4389 * have to repeatedly authenticate ourself until we got a response (or the 4390 * retry counter is expired). 4391 */ 4392 4393 /* 4394 * Handle incoming PAP packets. */ 4395 static void 4396 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4397 { 4398 STDDCL; 4399 struct lcp_header *h; 4400 int len; 4401 u_char *name, *passwd, mlen; 4402 int name_len, passwd_len; 4403 4404 /* 4405 * Malicious input might leave this uninitialized, so 4406 * init to an impossible value. 4407 */ 4408 passwd_len = -1; 4409 4410 len = m->m_pkthdr.len; 4411 if (len < 5) { 4412 if (debug) 4413 log(LOG_DEBUG, 4414 SPP_FMT "pap invalid packet length: %d bytes\n", 4415 SPP_ARGS(ifp), len); 4416 return; 4417 } 4418 h = mtod (m, struct lcp_header*); 4419 if (len > ntohs (h->len)) 4420 len = ntohs (h->len); 4421 switch (h->type) { 4422 /* PAP request is my authproto */ 4423 case PAP_REQ: 4424 name = 1 + (u_char*)(h+1); 4425 name_len = name[-1]; 4426 passwd = name + name_len + 1; 4427 if (name_len > len - 6 || 4428 (passwd_len = passwd[-1]) > len - 6 - name_len) { 4429 if (debug) { 4430 log(LOG_DEBUG, SPP_FMT "pap corrupted input " 4431 "<%s id=0x%x len=%d", 4432 SPP_ARGS(ifp), 4433 sppp_auth_type_name(PPP_PAP, h->type), 4434 h->ident, ntohs(h->len)); 4435 sppp_print_bytes((u_char*)(h+1), len-4); 4436 log(-1, ">\n"); 4437 } 4438 break; 4439 } 4440 if (debug) { 4441 log(LOG_DEBUG, SPP_FMT "pap input(%s) " 4442 "<%s id=0x%x len=%d name=", 4443 SPP_ARGS(ifp), 4444 sppp_state_name(sp->state[IDX_PAP]), 4445 sppp_auth_type_name(PPP_PAP, h->type), 4446 h->ident, ntohs(h->len)); 4447 sppp_print_string((char*)name, name_len); 4448 log(-1, " passwd="); 4449 sppp_print_string((char*)passwd, passwd_len); 4450 log(-1, ">\n"); 4451 } 4452 if (name_len != sppp_strnlen(sp->hisauth.name, AUTHNAMELEN) || 4453 passwd_len != sppp_strnlen(sp->hisauth.secret, AUTHKEYLEN) || 4454 bcmp(name, sp->hisauth.name, name_len) != 0 || 4455 bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) { 4456 /* action scn, tld */ 4457 mlen = sizeof(FAILMSG) - 1; 4458 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4459 sizeof mlen, (const char *)&mlen, 4460 sizeof(FAILMSG) - 1, (u_char *)FAILMSG, 4461 0); 4462 pap.tld(sp); 4463 break; 4464 } 4465 /* action sca, perhaps tlu */ 4466 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4467 sp->state[IDX_PAP] == STATE_OPENED) { 4468 mlen = sizeof(SUCCMSG) - 1; 4469 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4470 sizeof mlen, (const char *)&mlen, 4471 sizeof(SUCCMSG) - 1, (u_char *)SUCCMSG, 4472 0); 4473 } 4474 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4475 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4476 pap.tlu(sp); 4477 } 4478 break; 4479 4480 /* ack and nak are his authproto */ 4481 case PAP_ACK: 4482 callout_stop(&sp->pap_my_to); 4483 if (debug) { 4484 log(LOG_DEBUG, SPP_FMT "pap success", 4485 SPP_ARGS(ifp)); 4486 name = 1 + (u_char *)(h + 1); 4487 name_len = name[-1]; 4488 if (len > 5 && name_len < len+4) { 4489 log(-1, ": "); 4490 sppp_print_string(name, name_len); 4491 } 4492 log(-1, "\n"); 4493 } 4494 4495 crit_enter(); 4496 4497 sp->pp_flags &= ~PP_NEEDAUTH; 4498 if (sp->myauth.proto == PPP_PAP && 4499 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4500 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4501 /* 4502 * We are authenticator for PAP but didn't 4503 * complete yet. Leave it to tlu to proceed 4504 * to network phase. 4505 */ 4506 4507 crit_exit(); 4508 4509 break; 4510 } 4511 4512 crit_exit(); 4513 4514 sppp_phase_network(sp); 4515 break; 4516 4517 case PAP_NAK: 4518 callout_stop(&sp->pap_my_to); 4519 if (debug) { 4520 log(LOG_INFO, SPP_FMT "pap failure", 4521 SPP_ARGS(ifp)); 4522 name = 1 + (u_char *)(h + 1); 4523 name_len = name[-1]; 4524 if (len > 5 && name_len < len+4) { 4525 log(-1, ": "); 4526 sppp_print_string(name, name_len); 4527 } 4528 log(-1, "\n"); 4529 } else 4530 log(LOG_INFO, SPP_FMT "pap failure\n", 4531 SPP_ARGS(ifp)); 4532 /* await LCP shutdown by authenticator */ 4533 break; 4534 4535 default: 4536 /* Unknown PAP packet type -- ignore. */ 4537 if (debug) { 4538 log(LOG_DEBUG, SPP_FMT "pap corrupted input " 4539 "<0x%x id=0x%x len=%d", 4540 SPP_ARGS(ifp), 4541 h->type, h->ident, ntohs(h->len)); 4542 sppp_print_bytes((u_char*)(h+1), len-4); 4543 log(-1, ">\n"); 4544 } 4545 break; 4546 4547 } 4548 } 4549 4550 static void 4551 sppp_pap_init(struct sppp *sp) 4552 { 4553 /* PAP doesn't have STATE_INITIAL at all. */ 4554 sp->state[IDX_PAP] = STATE_CLOSED; 4555 sp->fail_counter[IDX_PAP] = 0; 4556 sp->pp_seq[IDX_PAP] = 0; 4557 sp->pp_rseq[IDX_PAP] = 0; 4558 #if defined(__DragonFly__) 4559 callout_init(&sp->timeout[IDX_PAP]); 4560 callout_init(&sp->pap_my_to); 4561 #endif 4562 } 4563 4564 static void 4565 sppp_pap_open(struct sppp *sp) 4566 { 4567 if (sp->hisauth.proto == PPP_PAP && 4568 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4569 /* we are authenticator for PAP, start our timer */ 4570 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4571 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4572 } 4573 if (sp->myauth.proto == PPP_PAP) { 4574 /* we are peer, send a request, and start a timer */ 4575 pap.scr(sp); 4576 callout_reset(&sp->pap_my_to, sp->lcp.timeout, 4577 sppp_pap_my_TO, sp); 4578 } 4579 } 4580 4581 static void 4582 sppp_pap_close(struct sppp *sp) 4583 { 4584 if (sp->state[IDX_PAP] != STATE_CLOSED) 4585 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4586 } 4587 4588 /* 4589 * That's the timeout routine if we are authenticator. Since the 4590 * authenticator is basically passive in PAP, we can't do much here. 4591 */ 4592 static void 4593 sppp_pap_TO(void *cookie) 4594 { 4595 struct sppp *sp = (struct sppp *)cookie; 4596 STDDCL; 4597 4598 crit_enter(); 4599 4600 if (debug) 4601 log(LOG_DEBUG, SPP_FMT "pap TO(%s) rst_counter = %d\n", 4602 SPP_ARGS(ifp), 4603 sppp_state_name(sp->state[IDX_PAP]), 4604 sp->rst_counter[IDX_PAP]); 4605 4606 if (--sp->rst_counter[IDX_PAP] < 0) 4607 /* TO- event */ 4608 switch (sp->state[IDX_PAP]) { 4609 case STATE_REQ_SENT: 4610 pap.tld(sp); 4611 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4612 break; 4613 } 4614 else 4615 /* TO+ event, not very much we could do */ 4616 switch (sp->state[IDX_PAP]) { 4617 case STATE_REQ_SENT: 4618 /* sppp_cp_change_state() will restart the timer */ 4619 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4620 break; 4621 } 4622 4623 crit_exit(); 4624 } 4625 4626 /* 4627 * That's the timeout handler if we are peer. Since the peer is active, 4628 * we need to retransmit our PAP request since it is apparently lost. 4629 * XXX We should impose a max counter. 4630 */ 4631 static void 4632 sppp_pap_my_TO(void *cookie) 4633 { 4634 struct sppp *sp = (struct sppp *)cookie; 4635 STDDCL; 4636 4637 if (debug) 4638 log(LOG_DEBUG, SPP_FMT "pap peer TO\n", 4639 SPP_ARGS(ifp)); 4640 4641 pap.scr(sp); 4642 } 4643 4644 static void 4645 sppp_pap_tlu(struct sppp *sp) 4646 { 4647 STDDCL; 4648 4649 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4650 4651 if (debug) 4652 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 4653 SPP_ARGS(ifp), pap.name); 4654 4655 crit_enter(); 4656 4657 /* indicate to LCP that we need to be closed down */ 4658 sp->lcp.protos |= (1 << IDX_PAP); 4659 4660 if (sp->pp_flags & PP_NEEDAUTH) { 4661 /* 4662 * Remote is authenticator, but his auth proto didn't 4663 * complete yet. Defer the transition to network 4664 * phase. 4665 */ 4666 crit_exit(); 4667 return; 4668 } 4669 crit_exit(); 4670 sppp_phase_network(sp); 4671 } 4672 4673 static void 4674 sppp_pap_tld(struct sppp *sp) 4675 { 4676 STDDCL; 4677 4678 if (debug) 4679 log(LOG_DEBUG, SPP_FMT "pap tld\n", SPP_ARGS(ifp)); 4680 callout_stop(&sp->timeout[IDX_PAP]); 4681 callout_stop(&sp->pap_my_to); 4682 sp->lcp.protos &= ~(1 << IDX_PAP); 4683 4684 lcp.Close(sp); 4685 } 4686 4687 static void 4688 sppp_pap_scr(struct sppp *sp) 4689 { 4690 u_char idlen, pwdlen; 4691 4692 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4693 pwdlen = sppp_strnlen(sp->myauth.secret, AUTHKEYLEN); 4694 idlen = sppp_strnlen(sp->myauth.name, AUTHNAMELEN); 4695 4696 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 4697 sizeof idlen, (const char *)&idlen, 4698 (size_t)idlen, sp->myauth.name, 4699 sizeof pwdlen, (const char *)&pwdlen, 4700 (size_t)pwdlen, sp->myauth.secret, 4701 0); 4702 } 4703 4704 /* 4705 * Random miscellaneous functions. 4706 */ 4707 4708 /* 4709 * Send a PAP or CHAP proto packet. 4710 * 4711 * Varadic function, each of the elements for the ellipsis is of type 4712 * ``size_t mlen, const u_char *msg''. Processing will stop iff 4713 * mlen == 0. 4714 * NOTE: never declare variadic functions with types subject to type 4715 * promotion (i.e. u_char). This is asking for big trouble depending 4716 * on the architecture you are on... 4717 */ 4718 4719 static void 4720 sppp_auth_send(const struct cp *cp, struct sppp *sp, 4721 unsigned int type, unsigned int id, 4722 ...) 4723 { 4724 STDDCL; 4725 struct ppp_header *h; 4726 struct lcp_header *lh; 4727 struct mbuf *m; 4728 u_char *p; 4729 int len; 4730 unsigned int mlen; 4731 const char *msg; 4732 __va_list ap; 4733 4734 MGETHDR (m, MB_DONTWAIT, MT_DATA); 4735 if (! m) 4736 return; 4737 m->m_pkthdr.rcvif = 0; 4738 4739 h = mtod (m, struct ppp_header*); 4740 h->address = PPP_ALLSTATIONS; /* broadcast address */ 4741 h->control = PPP_UI; /* Unnumbered Info */ 4742 h->protocol = htons(cp->proto); 4743 4744 lh = (struct lcp_header*)(h + 1); 4745 lh->type = type; 4746 lh->ident = id; 4747 p = (u_char*) (lh+1); 4748 4749 __va_start(ap, id); 4750 len = 0; 4751 4752 while ((mlen = (unsigned int)__va_arg(ap, size_t)) != 0) { 4753 msg = __va_arg(ap, const char *); 4754 len += mlen; 4755 if (len > MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN) { 4756 __va_end(ap); 4757 m_freem(m); 4758 return; 4759 } 4760 4761 bcopy(msg, p, mlen); 4762 p += mlen; 4763 } 4764 __va_end(ap); 4765 4766 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + LCP_HEADER_LEN + len; 4767 lh->len = htons (LCP_HEADER_LEN + len); 4768 4769 if (debug) { 4770 log(LOG_DEBUG, SPP_FMT "%s output <%s id=0x%x len=%d", 4771 SPP_ARGS(ifp), cp->name, 4772 sppp_auth_type_name(cp->proto, lh->type), 4773 lh->ident, ntohs(lh->len)); 4774 sppp_print_bytes((u_char*) (lh+1), len); 4775 log(-1, ">\n"); 4776 } 4777 if (IF_QFULL (&sp->pp_cpq)) { 4778 IF_DROP (&sp->pp_fastq); 4779 IF_DROP (&ifp->if_snd); 4780 m_freem (m); 4781 ++ifp->if_oerrors; 4782 } else 4783 IF_ENQUEUE (&sp->pp_cpq, m); 4784 if (! (ifp->if_flags & IFF_OACTIVE)) 4785 (*ifp->if_start) (ifp); 4786 ifp->if_obytes += m->m_pkthdr.len + 3; 4787 } 4788 4789 /* 4790 * Send keepalive packets, every 10 seconds. 4791 */ 4792 static void 4793 sppp_keepalive(void *dummy) 4794 { 4795 struct sppp *sp; 4796 4797 crit_enter(); 4798 4799 for (sp=spppq; sp; sp=sp->pp_next) { 4800 struct ifnet *ifp = &sp->pp_if; 4801 4802 /* Keepalive mode disabled or channel down? */ 4803 if (! (sp->pp_flags & PP_KEEPALIVE) || 4804 ! (ifp->if_flags & IFF_RUNNING)) 4805 continue; 4806 4807 /* No keepalive in PPP mode if LCP not opened yet. */ 4808 if (sp->pp_mode != IFF_CISCO && 4809 sp->pp_phase < PHASE_AUTHENTICATE) 4810 continue; 4811 4812 if (sp->pp_alivecnt == MAXALIVECNT) { 4813 /* No keepalive packets got. Stop the interface. */ 4814 kprintf (SPP_FMT "down\n", SPP_ARGS(ifp)); 4815 if_down (ifp); 4816 IF_DRAIN(&sp->pp_cpq); 4817 if (sp->pp_mode != IFF_CISCO) { 4818 /* XXX */ 4819 /* Shut down the PPP link. */ 4820 lcp.Down(sp); 4821 /* Initiate negotiation. XXX */ 4822 lcp.Up(sp); 4823 } 4824 } 4825 ifnet_serialize_all(ifp); 4826 if (sp->pp_alivecnt <= MAXALIVECNT) 4827 ++sp->pp_alivecnt; 4828 if (sp->pp_mode == IFF_CISCO) 4829 sppp_cisco_send (sp, CISCO_KEEPALIVE_REQ, 4830 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 4831 else if (sp->pp_phase >= PHASE_AUTHENTICATE) { 4832 long nmagic = htonl (sp->lcp.magic); 4833 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 4834 sppp_cp_send (sp, PPP_LCP, ECHO_REQ, 4835 sp->lcp.echoid, 4, &nmagic); 4836 } 4837 ifnet_deserialize_all(ifp); 4838 } 4839 callout_reset(&keepalive_timeout, hz * 10, sppp_keepalive, NULL); 4840 crit_exit(); 4841 } 4842 4843 /* 4844 * Get both IP addresses. 4845 */ 4846 static void 4847 sppp_get_ip_addrs(struct sppp *sp, u_long *src, u_long *dst, u_long *srcmask) 4848 { 4849 struct ifnet *ifp = &sp->pp_if; 4850 struct ifaddr_container *ifac; 4851 struct ifaddr *ifa; 4852 struct sockaddr_in *si, *sm; 4853 u_long ssrc, ddst; 4854 4855 sm = NULL; 4856 ssrc = ddst = 0L; 4857 /* 4858 * Pick the first AF_INET address from the list, 4859 * aliases don't make any sense on a p2p link anyway. 4860 */ 4861 si = 0; 4862 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4863 ifa = ifac->ifa; 4864 if (ifa->ifa_addr->sa_family == AF_INET) { 4865 si = (struct sockaddr_in *)ifa->ifa_addr; 4866 sm = (struct sockaddr_in *)ifa->ifa_netmask; 4867 if (si) 4868 break; 4869 } 4870 } 4871 if (ifac != NULL) { 4872 if (si && si->sin_addr.s_addr) { 4873 ssrc = si->sin_addr.s_addr; 4874 if (srcmask) 4875 *srcmask = ntohl(sm->sin_addr.s_addr); 4876 } 4877 4878 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 4879 if (si && si->sin_addr.s_addr) 4880 ddst = si->sin_addr.s_addr; 4881 } 4882 4883 if (dst) *dst = ntohl(ddst); 4884 if (src) *src = ntohl(ssrc); 4885 } 4886 4887 /* 4888 * Set my IP address. Must be called at splimp. 4889 */ 4890 static void 4891 sppp_set_ip_addr(struct sppp *sp, u_long src) 4892 { 4893 STDDCL; 4894 struct ifaddr_container *ifac; 4895 struct ifaddr *ifa = NULL; 4896 struct sockaddr_in *si; 4897 struct in_ifaddr *ia; 4898 4899 /* 4900 * Pick the first AF_INET address from the list, 4901 * aliases don't make any sense on a p2p link anyway. 4902 */ 4903 si = 0; 4904 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4905 ifa = ifac->ifa; 4906 if (ifa->ifa_addr->sa_family == AF_INET) { 4907 si = (struct sockaddr_in *)ifa->ifa_addr; 4908 if (si) 4909 break; 4910 } 4911 } 4912 4913 if (ifac != NULL && si != NULL) { 4914 int error; 4915 #if __NetBSD_Version__ >= 103080000 4916 struct sockaddr_in new_sin = *si; 4917 4918 new_sin.sin_addr.s_addr = htonl(src); 4919 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, 1); 4920 if(debug && error) 4921 { 4922 log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: in_ifinit " 4923 " failed, error=%d\n", SPP_ARGS(ifp), error); 4924 } 4925 #else 4926 /* delete old route */ 4927 error = rtinit(ifa, (int)RTM_DELETE, RTF_HOST); 4928 if(debug && error) 4929 { 4930 log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: rtinit DEL failed, error=%d\n", 4931 SPP_ARGS(ifp), error); 4932 } 4933 4934 ia = ifatoia(ifa); 4935 in_iahash_remove(ia); 4936 4937 /* set new address */ 4938 si->sin_addr.s_addr = htonl(src); 4939 in_iahash_insert(ia); 4940 4941 /* add new route */ 4942 error = rtinit(ifa, (int)RTM_ADD, RTF_HOST); 4943 if (debug && error) 4944 { 4945 log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: rtinit ADD failed, error=%d", 4946 SPP_ARGS(ifp), error); 4947 } 4948 #endif 4949 } 4950 } 4951 4952 #ifdef INET6 4953 /* 4954 * Get both IPv6 addresses. 4955 */ 4956 static void 4957 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 4958 struct in6_addr *srcmask) 4959 { 4960 struct ifnet *ifp = &sp->pp_if; 4961 struct ifaddr_container *ifac; 4962 struct ifaddr *ifa; 4963 struct sockaddr_in6 *si, *sm; 4964 struct in6_addr ssrc, ddst; 4965 4966 sm = NULL; 4967 bzero(&ssrc, sizeof(ssrc)); 4968 bzero(&ddst, sizeof(ddst)); 4969 /* 4970 * Pick the first link-local AF_INET6 address from the list, 4971 * aliases don't make any sense on a p2p link anyway. 4972 */ 4973 si = 0; 4974 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4975 ifa = ifac->ifa; 4976 if (ifa->ifa_addr->sa_family == AF_INET6) { 4977 si = (struct sockaddr_in6 *)ifa->ifa_addr; 4978 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 4979 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) 4980 break; 4981 } 4982 } 4983 if (ifac != NULL) { 4984 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 4985 bcopy(&si->sin6_addr, &ssrc, sizeof(ssrc)); 4986 if (srcmask) { 4987 bcopy(&sm->sin6_addr, srcmask, 4988 sizeof(*srcmask)); 4989 } 4990 } 4991 4992 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 4993 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 4994 bcopy(&si->sin6_addr, &ddst, sizeof(ddst)); 4995 } 4996 4997 if (dst) 4998 bcopy(&ddst, dst, sizeof(*dst)); 4999 if (src) 5000 bcopy(&ssrc, src, sizeof(*src)); 5001 } 5002 5003 #ifdef IPV6CP_MYIFID_DYN 5004 /* 5005 * Generate random ifid. 5006 */ 5007 static void 5008 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5009 { 5010 /* TBD */ 5011 } 5012 5013 /* 5014 * Set my IPv6 address. Must be called at splimp. 5015 */ 5016 static void 5017 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5018 { 5019 STDDCL; 5020 struct ifaddr_container *ifac; 5021 struct ifaddr *ifa; 5022 struct sockaddr_in6 *sin6; 5023 5024 /* 5025 * Pick the first link-local AF_INET6 address from the list, 5026 * aliases don't make any sense on a p2p link anyway. 5027 */ 5028 5029 sin6 = NULL; 5030 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 5031 ifa = ifac->ifa; 5032 if (ifa->ifa_addr->sa_family == AF_INET6) { 5033 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5034 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 5035 break; 5036 } 5037 } 5038 5039 if (ifac != NULL && sin6 != NULL) { 5040 int error; 5041 struct sockaddr_in6 new_sin6 = *sin6; 5042 5043 bcopy(src, &new_sin6.sin6_addr, sizeof(new_sin6.sin6_addr)); 5044 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5045 if (debug && error) { 5046 log(LOG_DEBUG, SPP_FMT "sppp_set_ip6_addr: in6_ifinit " 5047 " failed, error=%d\n", SPP_ARGS(ifp), error); 5048 } 5049 } 5050 } 5051 #endif 5052 5053 /* 5054 * Suggest a candidate address to be used by peer. 5055 */ 5056 static void 5057 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5058 { 5059 struct in6_addr myaddr; 5060 struct timeval tv; 5061 5062 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5063 5064 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5065 microtime(&tv); 5066 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5067 myaddr.s6_addr[14] ^= 0xff; 5068 myaddr.s6_addr[15] ^= 0xff; 5069 } else { 5070 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5071 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5072 } 5073 if (suggest) 5074 bcopy(&myaddr, suggest, sizeof(myaddr)); 5075 } 5076 #endif /*INET6*/ 5077 5078 static int 5079 sppp_params(struct sppp *sp, u_long cmd, void *data) 5080 { 5081 u_long subcmd; 5082 struct ifreq *ifr = (struct ifreq *)data; 5083 struct spppreq *spr; 5084 int rv = 0; 5085 5086 spr = kmalloc(sizeof(struct spppreq), M_TEMP, M_INTWAIT); 5087 5088 /* 5089 * ifr->ifr_data is supposed to point to a struct spppreq. 5090 * Check the cmd word first before attempting to fetch all the 5091 * data. 5092 */ 5093 if ((subcmd = fuword(ifr->ifr_data)) == -1) { 5094 rv = EFAULT; 5095 goto quit; 5096 } 5097 5098 if (copyin((caddr_t)ifr->ifr_data, spr, sizeof(struct spppreq)) != 0) { 5099 rv = EFAULT; 5100 goto quit; 5101 } 5102 5103 switch (subcmd) { 5104 case (u_long)SPPPIOGDEFS: 5105 if (cmd != SIOCGIFGENERIC) { 5106 rv = EINVAL; 5107 break; 5108 } 5109 /* 5110 * We copy over the entire current state, but clean 5111 * out some of the stuff we don't wanna pass up. 5112 * Remember, SIOCGIFGENERIC is unprotected, and can be 5113 * called by any user. No need to ever get PAP or 5114 * CHAP secrets back to userland anyway. 5115 */ 5116 spr->defs.pp_phase = sp->pp_phase; 5117 spr->defs.enable_vj = (sp->confflags & CONF_ENABLE_VJ) != 0; 5118 spr->defs.enable_ipv6 = (sp->confflags & CONF_ENABLE_IPV6) != 0; 5119 spr->defs.lcp = sp->lcp; 5120 spr->defs.ipcp = sp->ipcp; 5121 spr->defs.ipv6cp = sp->ipv6cp; 5122 spr->defs.myauth = sp->myauth; 5123 spr->defs.hisauth = sp->hisauth; 5124 bzero(spr->defs.myauth.secret, AUTHKEYLEN); 5125 bzero(spr->defs.myauth.challenge, AUTHKEYLEN); 5126 bzero(spr->defs.hisauth.secret, AUTHKEYLEN); 5127 bzero(spr->defs.hisauth.challenge, AUTHKEYLEN); 5128 /* 5129 * Fixup the LCP timeout value to milliseconds so 5130 * spppcontrol doesn't need to bother about the value 5131 * of "hz". We do the reverse calculation below when 5132 * setting it. 5133 */ 5134 spr->defs.lcp.timeout = sp->lcp.timeout * 1000 / hz; 5135 rv = copyout(spr, (caddr_t)ifr->ifr_data, 5136 sizeof(struct spppreq)); 5137 break; 5138 5139 case (u_long)SPPPIOSDEFS: 5140 if (cmd != SIOCSIFGENERIC) { 5141 rv = EINVAL; 5142 break; 5143 } 5144 /* 5145 * We have a very specific idea of which fields we 5146 * allow being passed back from userland, so to not 5147 * clobber our current state. For one, we only allow 5148 * setting anything if LCP is in dead or establish 5149 * phase. Once the authentication negotiations 5150 * started, the authentication settings must not be 5151 * changed again. (The administrator can force an 5152 * ifconfig down in order to get LCP back into dead 5153 * phase.) 5154 * 5155 * Also, we only allow for authentication parameters to be 5156 * specified. 5157 * 5158 * XXX Should allow to set or clear pp_flags. 5159 * 5160 * Finally, if the respective authentication protocol to 5161 * be used is set differently than 0, but the secret is 5162 * passed as all zeros, we don't trash the existing secret. 5163 * This allows an administrator to change the system name 5164 * only without clobbering the secret (which he didn't get 5165 * back in a previous SPPPIOGDEFS call). However, the 5166 * secrets are cleared if the authentication protocol is 5167 * reset to 0. */ 5168 if (sp->pp_phase != PHASE_DEAD && 5169 sp->pp_phase != PHASE_ESTABLISH) { 5170 rv = EBUSY; 5171 break; 5172 } 5173 5174 if ((spr->defs.myauth.proto != 0 && spr->defs.myauth.proto != PPP_PAP && 5175 spr->defs.myauth.proto != PPP_CHAP) || 5176 (spr->defs.hisauth.proto != 0 && spr->defs.hisauth.proto != PPP_PAP && 5177 spr->defs.hisauth.proto != PPP_CHAP)) { 5178 rv = EINVAL; 5179 break; 5180 } 5181 5182 if (spr->defs.myauth.proto == 0) 5183 /* resetting myauth */ 5184 bzero(&sp->myauth, sizeof sp->myauth); 5185 else { 5186 /* setting/changing myauth */ 5187 sp->myauth.proto = spr->defs.myauth.proto; 5188 bcopy(spr->defs.myauth.name, sp->myauth.name, AUTHNAMELEN); 5189 if (spr->defs.myauth.secret[0] != '\0') 5190 bcopy(spr->defs.myauth.secret, sp->myauth.secret, 5191 AUTHKEYLEN); 5192 } 5193 if (spr->defs.hisauth.proto == 0) 5194 /* resetting hisauth */ 5195 bzero(&sp->hisauth, sizeof sp->hisauth); 5196 else { 5197 /* setting/changing hisauth */ 5198 sp->hisauth.proto = spr->defs.hisauth.proto; 5199 sp->hisauth.flags = spr->defs.hisauth.flags; 5200 bcopy(spr->defs.hisauth.name, sp->hisauth.name, AUTHNAMELEN); 5201 if (spr->defs.hisauth.secret[0] != '\0') 5202 bcopy(spr->defs.hisauth.secret, sp->hisauth.secret, 5203 AUTHKEYLEN); 5204 } 5205 /* set LCP restart timer timeout */ 5206 if (spr->defs.lcp.timeout != 0) 5207 sp->lcp.timeout = spr->defs.lcp.timeout * hz / 1000; 5208 /* set VJ enable and IPv6 disable flags */ 5209 #ifdef INET 5210 if (spr->defs.enable_vj) 5211 sp->confflags |= CONF_ENABLE_VJ; 5212 else 5213 sp->confflags &= ~CONF_ENABLE_VJ; 5214 #endif 5215 #ifdef INET6 5216 if (spr->defs.enable_ipv6) 5217 sp->confflags |= CONF_ENABLE_IPV6; 5218 else 5219 sp->confflags &= ~CONF_ENABLE_IPV6; 5220 #endif 5221 break; 5222 5223 default: 5224 rv = EINVAL; 5225 } 5226 5227 quit: 5228 kfree(spr, M_TEMP); 5229 5230 return (rv); 5231 } 5232 5233 static void 5234 sppp_phase_network(struct sppp *sp) 5235 { 5236 STDDCL; 5237 int i; 5238 u_long mask; 5239 5240 sp->pp_phase = PHASE_NETWORK; 5241 5242 if (debug) 5243 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 5244 sppp_phase_name(sp->pp_phase)); 5245 5246 /* Notify NCPs now. */ 5247 for (i = 0; i < IDX_COUNT; i++) 5248 if ((cps[i])->flags & CP_NCP) 5249 (cps[i])->Open(sp); 5250 5251 /* Send Up events to all NCPs. */ 5252 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5253 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) 5254 (cps[i])->Up(sp); 5255 5256 /* if no NCP is starting, all this was in vain, close down */ 5257 sppp_lcp_check_and_close(sp); 5258 } 5259 5260 5261 static const char * 5262 sppp_cp_type_name(u_char type) 5263 { 5264 static char buf[12]; 5265 switch (type) { 5266 case CONF_REQ: return "conf-req"; 5267 case CONF_ACK: return "conf-ack"; 5268 case CONF_NAK: return "conf-nak"; 5269 case CONF_REJ: return "conf-rej"; 5270 case TERM_REQ: return "term-req"; 5271 case TERM_ACK: return "term-ack"; 5272 case CODE_REJ: return "code-rej"; 5273 case PROTO_REJ: return "proto-rej"; 5274 case ECHO_REQ: return "echo-req"; 5275 case ECHO_REPLY: return "echo-reply"; 5276 case DISC_REQ: return "discard-req"; 5277 } 5278 ksnprintf (buf, sizeof(buf), "cp/0x%x", type); 5279 return buf; 5280 } 5281 5282 static const char * 5283 sppp_auth_type_name(u_short proto, u_char type) 5284 { 5285 static char buf[12]; 5286 switch (proto) { 5287 case PPP_CHAP: 5288 switch (type) { 5289 case CHAP_CHALLENGE: return "challenge"; 5290 case CHAP_RESPONSE: return "response"; 5291 case CHAP_SUCCESS: return "success"; 5292 case CHAP_FAILURE: return "failure"; 5293 } 5294 case PPP_PAP: 5295 switch (type) { 5296 case PAP_REQ: return "req"; 5297 case PAP_ACK: return "ack"; 5298 case PAP_NAK: return "nak"; 5299 } 5300 } 5301 ksnprintf (buf, sizeof(buf), "auth/0x%x", type); 5302 return buf; 5303 } 5304 5305 static const char * 5306 sppp_lcp_opt_name(u_char opt) 5307 { 5308 static char buf[12]; 5309 switch (opt) { 5310 case LCP_OPT_MRU: return "mru"; 5311 case LCP_OPT_ASYNC_MAP: return "async-map"; 5312 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 5313 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 5314 case LCP_OPT_MAGIC: return "magic"; 5315 case LCP_OPT_PROTO_COMP: return "proto-comp"; 5316 case LCP_OPT_ADDR_COMP: return "addr-comp"; 5317 } 5318 ksnprintf (buf, sizeof(buf), "lcp/0x%x", opt); 5319 return buf; 5320 } 5321 5322 static const char * 5323 sppp_ipcp_opt_name(u_char opt) 5324 { 5325 static char buf[12]; 5326 switch (opt) { 5327 case IPCP_OPT_ADDRESSES: return "addresses"; 5328 case IPCP_OPT_COMPRESSION: return "compression"; 5329 case IPCP_OPT_ADDRESS: return "address"; 5330 } 5331 ksnprintf (buf, sizeof(buf), "ipcp/0x%x", opt); 5332 return buf; 5333 } 5334 5335 #ifdef INET6 5336 static const char * 5337 sppp_ipv6cp_opt_name(u_char opt) 5338 { 5339 static char buf[12]; 5340 switch (opt) { 5341 case IPV6CP_OPT_IFID: return "ifid"; 5342 case IPV6CP_OPT_COMPRESSION: return "compression"; 5343 } 5344 ksprintf (buf, "0x%x", opt); 5345 return buf; 5346 } 5347 #endif 5348 5349 static const char * 5350 sppp_state_name(int state) 5351 { 5352 switch (state) { 5353 case STATE_INITIAL: return "initial"; 5354 case STATE_STARTING: return "starting"; 5355 case STATE_CLOSED: return "closed"; 5356 case STATE_STOPPED: return "stopped"; 5357 case STATE_CLOSING: return "closing"; 5358 case STATE_STOPPING: return "stopping"; 5359 case STATE_REQ_SENT: return "req-sent"; 5360 case STATE_ACK_RCVD: return "ack-rcvd"; 5361 case STATE_ACK_SENT: return "ack-sent"; 5362 case STATE_OPENED: return "opened"; 5363 } 5364 return "illegal"; 5365 } 5366 5367 static const char * 5368 sppp_phase_name(enum ppp_phase phase) 5369 { 5370 switch (phase) { 5371 case PHASE_DEAD: return "dead"; 5372 case PHASE_ESTABLISH: return "establish"; 5373 case PHASE_TERMINATE: return "terminate"; 5374 case PHASE_AUTHENTICATE: return "authenticate"; 5375 case PHASE_NETWORK: return "network"; 5376 } 5377 return "illegal"; 5378 } 5379 5380 static const char * 5381 sppp_proto_name(u_short proto) 5382 { 5383 static char buf[12]; 5384 switch (proto) { 5385 case PPP_LCP: return "lcp"; 5386 case PPP_IPCP: return "ipcp"; 5387 case PPP_PAP: return "pap"; 5388 case PPP_CHAP: return "chap"; 5389 case PPP_IPV6CP: return "ipv6cp"; 5390 } 5391 ksnprintf(buf, sizeof(buf), "proto/0x%x", (unsigned)proto); 5392 return buf; 5393 } 5394 5395 static void 5396 sppp_print_bytes(const u_char *p, u_short len) 5397 { 5398 if (len) 5399 log(-1, " %*D", len, p, "-"); 5400 } 5401 5402 static void 5403 sppp_print_string(const char *p, u_short len) 5404 { 5405 u_char c; 5406 5407 while (len-- > 0) { 5408 c = *p++; 5409 /* 5410 * Print only ASCII chars directly. RFC 1994 recommends 5411 * using only them, but we don't rely on it. */ 5412 if (c < ' ' || c > '~') 5413 log(-1, "\\x%x", c); 5414 else 5415 log(-1, "%c", c); 5416 } 5417 } 5418 5419 static const char * 5420 sppp_dotted_quad(u_long addr) 5421 { 5422 static char s[16]; 5423 ksprintf(s, "%d.%d.%d.%d", 5424 (int)((addr >> 24) & 0xff), 5425 (int)((addr >> 16) & 0xff), 5426 (int)((addr >> 8) & 0xff), 5427 (int)(addr & 0xff)); 5428 return s; 5429 } 5430 5431 static int 5432 sppp_strnlen(u_char *p, int max) 5433 { 5434 int len; 5435 5436 for (len = 0; len < max && *p; ++p) 5437 ++len; 5438 return len; 5439 } 5440 5441 /* a dummy, used to drop uninteresting events */ 5442 static void 5443 sppp_null(struct sppp *unused) 5444 { 5445 /* do just nothing */ 5446 } 5447