1 /* 2 * Synchronous PPP/Cisco link level subroutines. 3 * Keepalive protocol implemented in both Cisco and PPP modes. 4 * 5 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 6 * Author: Serge Vakulenko, <vak@cronyx.ru> 7 * 8 * Heavily revamped to conform to RFC 1661. 9 * Copyright (C) 1997, 2001 Joerg Wunsch. 10 * 11 * This software is distributed with NO WARRANTIES, not even the implied 12 * warranties for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 13 * 14 * Authors grant any other persons or organisations permission to use 15 * or modify this software as long as this message is kept with the software, 16 * all derivative works or modified versions. 17 * 18 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 19 * 20 * $FreeBSD: src/sys/net/if_spppsubr.c,v 1.59.2.13 2002/07/03 15:44:41 joerg Exp $ 21 */ 22 23 #include <sys/param.h> 24 #include <sys/libkern.h> 25 26 #include "opt_inet.h" 27 #include "opt_inet6.h" 28 29 #include <sys/systm.h> 30 #include <sys/kernel.h> 31 #include <sys/module.h> 32 #include <sys/sockio.h> 33 #include <sys/socket.h> 34 #include <sys/syslog.h> 35 #include <sys/random.h> 36 #include <sys/thread2.h> 37 #include <sys/malloc.h> 38 #include <sys/mbuf.h> 39 #include <sys/md5.h> 40 41 #include <net/if.h> 42 #include <net/ifq_var.h> 43 #include <net/netisr.h> 44 #include <net/if_types.h> 45 #include <net/route.h> 46 #include <netinet/in.h> 47 #include <netinet/in_systm.h> 48 #include <netinet/ip.h> 49 #include <net/slcompress.h> 50 51 #include <machine/stdarg.h> 52 53 #include <netinet/in_var.h> 54 55 #ifdef INET 56 #include <netinet/tcp.h> 57 #endif 58 59 #include <netinet/if_ether.h> 60 61 #include "if_sppp.h" 62 63 #define IOCTL_CMD_T u_long 64 #define MAXALIVECNT 3 /* max. alive packets */ 65 66 /* 67 * Interface flags that can be set in an ifconfig command. 68 * 69 * Setting link0 will make the link passive, i.e. it will be marked 70 * as being administrative openable, but won't be opened to begin 71 * with. Incoming calls will be answered, or subsequent calls with 72 * -link1 will cause the administrative open of the LCP layer. 73 * 74 * Setting link1 will cause the link to auto-dial only as packets 75 * arrive to be sent. 76 * 77 * Setting IFF_DEBUG will syslog the option negotiation and state 78 * transitions at level kern.debug. Note: all logs consistently look 79 * like 80 * 81 * <if-name><unit>: <proto-name> <additional info...> 82 * 83 * with <if-name><unit> being something like "bppp0", and <proto-name> 84 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 85 */ 86 87 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 88 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 89 #define IFF_CISCO IFF_LINK2 /* auto-dial on output */ 90 91 #define PPP_ALLSTATIONS 0xff /* All-Stations broadcast address */ 92 #define PPP_UI 0x03 /* Unnumbered Information */ 93 #define PPP_IP 0x0021 /* Internet Protocol */ 94 #define PPP_ISO 0x0023 /* ISO OSI Protocol */ 95 #define PPP_XNS 0x0025 /* Xerox NS Protocol */ 96 #define PPP_VJ_COMP 0x002d /* VJ compressed TCP/IP */ 97 #define PPP_VJ_UCOMP 0x002f /* VJ uncompressed TCP/IP */ 98 #define PPP_IPV6 0x0057 /* Internet Protocol Version 6 */ 99 #define PPP_LCP 0xc021 /* Link Control Protocol */ 100 #define PPP_PAP 0xc023 /* Password Authentication Protocol */ 101 #define PPP_CHAP 0xc223 /* Challenge-Handshake Auth Protocol */ 102 #define PPP_IPCP 0x8021 /* Internet Protocol Control Protocol */ 103 #define PPP_IPV6CP 0x8057 /* IPv6 Control Protocol */ 104 105 #define CONF_REQ 1 /* PPP configure request */ 106 #define CONF_ACK 2 /* PPP configure acknowledge */ 107 #define CONF_NAK 3 /* PPP configure negative ack */ 108 #define CONF_REJ 4 /* PPP configure reject */ 109 #define TERM_REQ 5 /* PPP terminate request */ 110 #define TERM_ACK 6 /* PPP terminate acknowledge */ 111 #define CODE_REJ 7 /* PPP code reject */ 112 #define PROTO_REJ 8 /* PPP protocol reject */ 113 #define ECHO_REQ 9 /* PPP echo request */ 114 #define ECHO_REPLY 10 /* PPP echo reply */ 115 #define DISC_REQ 11 /* PPP discard request */ 116 117 #define LCP_OPT_MRU 1 /* maximum receive unit */ 118 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 119 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 120 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 121 #define LCP_OPT_MAGIC 5 /* magic number */ 122 #define LCP_OPT_RESERVED 6 /* reserved */ 123 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 124 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 125 126 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 127 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol (VJ) */ 128 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 129 130 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 131 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 132 133 #define IPCP_COMP_VJ 0x2d /* Code for VJ compression */ 134 135 #define PAP_REQ 1 /* PAP name/password request */ 136 #define PAP_ACK 2 /* PAP acknowledge */ 137 #define PAP_NAK 3 /* PAP fail */ 138 139 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 140 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 141 #define CHAP_SUCCESS 3 /* CHAP response ok */ 142 #define CHAP_FAILURE 4 /* CHAP response failed */ 143 144 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 145 146 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 147 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 148 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 149 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 150 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 151 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 152 153 /* states are named and numbered according to RFC 1661 */ 154 #define STATE_INITIAL 0 155 #define STATE_STARTING 1 156 #define STATE_CLOSED 2 157 #define STATE_STOPPED 3 158 #define STATE_CLOSING 4 159 #define STATE_STOPPING 5 160 #define STATE_REQ_SENT 6 161 #define STATE_ACK_RCVD 7 162 #define STATE_ACK_SENT 8 163 #define STATE_OPENED 9 164 165 struct ppp_header { 166 u_char address; 167 u_char control; 168 u_short protocol; 169 } __attribute__((__packed__)); 170 #define PPP_HEADER_LEN sizeof (struct ppp_header) 171 172 struct lcp_header { 173 u_char type; 174 u_char ident; 175 u_short len; 176 } __attribute__((__packed__)); 177 #define LCP_HEADER_LEN sizeof (struct lcp_header) 178 179 struct cisco_packet { 180 u_long type; 181 u_long par1; 182 u_long par2; 183 u_short rel; 184 u_short time0; 185 u_short time1; 186 } __attribute__((__packed__)); 187 #define CISCO_PACKET_LEN sizeof (struct cisco_packet) 188 189 /* 190 * We follow the spelling and capitalization of RFC 1661 here, to make 191 * it easier comparing with the standard. Please refer to this RFC in 192 * case you can't make sense out of these abbreviation; it will also 193 * explain the semantics related to the various events and actions. 194 */ 195 struct cp { 196 u_short proto; /* PPP control protocol number */ 197 u_char protoidx; /* index into state table in struct sppp */ 198 u_char flags; 199 #define CP_LCP 0x01 /* this is the LCP */ 200 #define CP_AUTH 0x02 /* this is an authentication protocol */ 201 #define CP_NCP 0x04 /* this is a NCP */ 202 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 203 const char *name; /* name of this control protocol */ 204 /* event handlers */ 205 void (*Up)(struct sppp *sp); 206 void (*Down)(struct sppp *sp); 207 void (*Open)(struct sppp *sp); 208 void (*Close)(struct sppp *sp); 209 void (*TO)(void *sp); 210 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 211 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 212 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 213 /* actions */ 214 void (*tlu)(struct sppp *sp); 215 void (*tld)(struct sppp *sp); 216 void (*tls)(struct sppp *sp); 217 void (*tlf)(struct sppp *sp); 218 void (*scr)(struct sppp *sp); 219 }; 220 221 static struct sppp *spppq; 222 static struct callout keepalive_timeout; 223 224 #define SPP_FMT "%s: " 225 #define SPP_ARGS(ifp) (ifp)->if_xname 226 227 #ifdef INET 228 /* 229 * The following disgusting hack gets around the problem that IP TOS 230 * can't be set yet. We want to put "interactive" traffic on a high 231 * priority queue. To decide if traffic is interactive, we check that 232 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 233 * 234 * XXX is this really still necessary? - joerg - 235 */ 236 static u_short interactive_ports[8] = { 237 0, 513, 0, 0, 238 0, 21, 0, 23, 239 }; 240 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 241 #endif 242 243 /* almost every function needs these */ 244 #define STDDCL \ 245 struct ifnet *ifp = &sp->pp_if; \ 246 int debug = ifp->if_flags & IFF_DEBUG 247 248 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 249 struct sockaddr *dst, struct rtentry *rt); 250 251 static void sppp_cisco_send(struct sppp *sp, int type, long par1, long par2); 252 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 253 254 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 255 struct mbuf *m); 256 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 257 u_char ident, u_short len, void *data); 258 /* static void sppp_cp_timeout(void *arg); */ 259 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 260 int newstate); 261 static void sppp_auth_send(const struct cp *cp, 262 struct sppp *sp, unsigned int type, unsigned int id, 263 ...); 264 265 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 266 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 267 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 268 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 269 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 270 271 static void sppp_null(struct sppp *sp); 272 273 static void sppp_lcp_init(struct sppp *sp); 274 static void sppp_lcp_up(struct sppp *sp); 275 static void sppp_lcp_down(struct sppp *sp); 276 static void sppp_lcp_open(struct sppp *sp); 277 static void sppp_lcp_close(struct sppp *sp); 278 static void sppp_lcp_TO(void *sp); 279 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 280 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 281 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 282 static void sppp_lcp_tlu(struct sppp *sp); 283 static void sppp_lcp_tld(struct sppp *sp); 284 static void sppp_lcp_tls(struct sppp *sp); 285 static void sppp_lcp_tlf(struct sppp *sp); 286 static void sppp_lcp_scr(struct sppp *sp); 287 static void sppp_lcp_check_and_close(struct sppp *sp); 288 static int sppp_ncp_check(struct sppp *sp); 289 290 static void sppp_ipcp_init(struct sppp *sp); 291 static void sppp_ipcp_up(struct sppp *sp); 292 static void sppp_ipcp_down(struct sppp *sp); 293 static void sppp_ipcp_open(struct sppp *sp); 294 static void sppp_ipcp_close(struct sppp *sp); 295 static void sppp_ipcp_TO(void *sp); 296 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 297 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 298 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 299 static void sppp_ipcp_tlu(struct sppp *sp); 300 static void sppp_ipcp_tld(struct sppp *sp); 301 static void sppp_ipcp_tls(struct sppp *sp); 302 static void sppp_ipcp_tlf(struct sppp *sp); 303 static void sppp_ipcp_scr(struct sppp *sp); 304 305 static void sppp_ipv6cp_init(struct sppp *sp); 306 static void sppp_ipv6cp_up(struct sppp *sp); 307 static void sppp_ipv6cp_down(struct sppp *sp); 308 static void sppp_ipv6cp_open(struct sppp *sp); 309 static void sppp_ipv6cp_close(struct sppp *sp); 310 static void sppp_ipv6cp_TO(void *sp); 311 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 312 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 313 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 314 static void sppp_ipv6cp_tlu(struct sppp *sp); 315 static void sppp_ipv6cp_tld(struct sppp *sp); 316 static void sppp_ipv6cp_tls(struct sppp *sp); 317 static void sppp_ipv6cp_tlf(struct sppp *sp); 318 static void sppp_ipv6cp_scr(struct sppp *sp); 319 320 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 321 static void sppp_pap_init(struct sppp *sp); 322 static void sppp_pap_open(struct sppp *sp); 323 static void sppp_pap_close(struct sppp *sp); 324 static void sppp_pap_TO(void *sp); 325 static void sppp_pap_my_TO(void *sp); 326 static void sppp_pap_tlu(struct sppp *sp); 327 static void sppp_pap_tld(struct sppp *sp); 328 static void sppp_pap_scr(struct sppp *sp); 329 330 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 331 static void sppp_chap_init(struct sppp *sp); 332 static void sppp_chap_open(struct sppp *sp); 333 static void sppp_chap_close(struct sppp *sp); 334 static void sppp_chap_TO(void *sp); 335 static void sppp_chap_tlu(struct sppp *sp); 336 static void sppp_chap_tld(struct sppp *sp); 337 static void sppp_chap_scr(struct sppp *sp); 338 339 static const char *sppp_auth_type_name(u_short proto, u_char type); 340 static const char *sppp_cp_type_name(u_char type); 341 static const char *sppp_dotted_quad(u_long addr); 342 static const char *sppp_ipcp_opt_name(u_char opt); 343 #ifdef INET6 344 static const char *sppp_ipv6cp_opt_name(u_char opt); 345 #endif 346 static const char *sppp_lcp_opt_name(u_char opt); 347 static const char *sppp_phase_name(enum ppp_phase phase); 348 static const char *sppp_proto_name(u_short proto); 349 static const char *sppp_state_name(int state); 350 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 351 static int sppp_strnlen(u_char *p, int max); 352 static void sppp_get_ip_addrs(struct sppp *sp, u_long *src, u_long *dst, 353 u_long *srcmask); 354 static void sppp_keepalive(void *dummy); 355 static void sppp_phase_network(struct sppp *sp); 356 static void sppp_print_bytes(const u_char *p, u_short len); 357 static void sppp_print_string(const char *p, u_short len); 358 static void sppp_set_ip_addr(struct sppp *sp, u_long src); 359 #ifdef INET6 360 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 361 struct in6_addr *dst, struct in6_addr *srcmask); 362 #ifdef IPV6CP_MYIFID_DYN 363 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 364 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 365 #endif 366 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 367 #endif 368 369 /* our control protocol descriptors */ 370 static const struct cp lcp = { 371 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 372 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 373 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 374 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 375 sppp_lcp_scr 376 }; 377 378 static const struct cp ipcp = { 379 PPP_IPCP, IDX_IPCP, CP_NCP, "ipcp", 380 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 381 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 382 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 383 sppp_ipcp_scr 384 }; 385 386 static const struct cp ipv6cp = { 387 PPP_IPV6CP, IDX_IPV6CP, 388 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 389 CP_NCP, 390 #else 391 0, 392 #endif 393 "ipv6cp", 394 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 395 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 396 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 397 sppp_ipv6cp_scr 398 }; 399 400 static const struct cp pap = { 401 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 402 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 403 sppp_pap_TO, 0, 0, 0, 404 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 405 sppp_pap_scr 406 }; 407 408 static const struct cp chap = { 409 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 410 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 411 sppp_chap_TO, 0, 0, 0, 412 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 413 sppp_chap_scr 414 }; 415 416 static const struct cp *cps[IDX_COUNT] = { 417 &lcp, /* IDX_LCP */ 418 &ipcp, /* IDX_IPCP */ 419 &ipv6cp, /* IDX_IPV6CP */ 420 &pap, /* IDX_PAP */ 421 &chap, /* IDX_CHAP */ 422 }; 423 424 static int 425 sppp_modevent(module_t mod, int type, void *unused) 426 { 427 switch (type) { 428 case MOD_LOAD: 429 callout_init(&keepalive_timeout); 430 break; 431 case MOD_UNLOAD: 432 return EACCES; 433 break; 434 default: 435 break; 436 } 437 return 0; 438 } 439 static moduledata_t spppmod = { 440 "sppp", 441 sppp_modevent, 442 0 443 }; 444 MODULE_VERSION(sppp, 1); 445 DECLARE_MODULE(sppp, spppmod, SI_SUB_DRIVERS, SI_ORDER_ANY); 446 447 /* 448 * Exported functions, comprising our interface to the lower layer. 449 */ 450 451 /* 452 * Process the received packet. 453 */ 454 void 455 sppp_input(struct ifnet *ifp, struct mbuf *m) 456 { 457 struct ppp_header *h; 458 int isr = -1; 459 struct sppp *sp = (struct sppp *)ifp; 460 u_char *iphdr; 461 int hlen, vjlen, do_account = 0; 462 int debug = ifp->if_flags & IFF_DEBUG; 463 464 if (ifp->if_flags & IFF_UP) 465 /* Count received bytes, add FCS and one flag */ 466 IFNET_STAT_INC(ifp, ibytes, m->m_pkthdr.len + 3); 467 468 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 469 /* Too small packet, drop it. */ 470 if (debug) 471 log(LOG_DEBUG, 472 SPP_FMT "input packet is too small, %d bytes\n", 473 SPP_ARGS(ifp), m->m_pkthdr.len); 474 drop: 475 m_freem (m); 476 drop2: 477 IFNET_STAT_INC(ifp, ierrors, 1); 478 IFNET_STAT_INC(ifp, iqdrops, 1); 479 return; 480 } 481 482 /* Get PPP header. */ 483 h = mtod (m, struct ppp_header*); 484 m_adj (m, PPP_HEADER_LEN); 485 486 switch (h->address) { 487 case PPP_ALLSTATIONS: 488 if (h->control != PPP_UI) 489 goto invalid; 490 if (sp->pp_mode == IFF_CISCO) { 491 if (debug) 492 log(LOG_DEBUG, 493 SPP_FMT "PPP packet in Cisco mode " 494 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 495 SPP_ARGS(ifp), 496 h->address, h->control, ntohs(h->protocol)); 497 goto drop; 498 } 499 switch (ntohs (h->protocol)) { 500 default: 501 if (debug) 502 log(LOG_DEBUG, 503 SPP_FMT "rejecting protocol " 504 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 505 SPP_ARGS(ifp), 506 h->address, h->control, ntohs(h->protocol)); 507 if (sp->state[IDX_LCP] == STATE_OPENED) 508 sppp_cp_send (sp, PPP_LCP, PROTO_REJ, 509 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 510 &h->protocol); 511 IFNET_STAT_INC(ifp, noproto, 1); 512 goto drop; 513 case PPP_LCP: 514 sppp_cp_input(&lcp, sp, m); 515 m_freem (m); 516 return; 517 case PPP_PAP: 518 if (sp->pp_phase >= PHASE_AUTHENTICATE) 519 sppp_pap_input(sp, m); 520 m_freem (m); 521 return; 522 case PPP_CHAP: 523 if (sp->pp_phase >= PHASE_AUTHENTICATE) 524 sppp_chap_input(sp, m); 525 m_freem (m); 526 return; 527 #ifdef INET 528 case PPP_IPCP: 529 if (sp->pp_phase == PHASE_NETWORK) 530 sppp_cp_input(&ipcp, sp, m); 531 m_freem (m); 532 return; 533 case PPP_IP: 534 if (sp->state[IDX_IPCP] == STATE_OPENED) { 535 isr = NETISR_IP; 536 } 537 do_account++; 538 break; 539 case PPP_VJ_COMP: 540 if (sp->state[IDX_IPCP] == STATE_OPENED) { 541 if ((vjlen = 542 sl_uncompress_tcp_core(mtod(m, u_char *), 543 m->m_len, m->m_len, 544 TYPE_COMPRESSED_TCP, 545 sp->pp_comp, 546 &iphdr, &hlen)) <= 0) { 547 if (debug) 548 log(LOG_INFO, 549 SPP_FMT "VJ uncompress failed on compressed packet\n", 550 SPP_ARGS(ifp)); 551 goto drop; 552 } 553 554 /* 555 * Trim the VJ header off the packet, and prepend 556 * the uncompressed IP header (which will usually 557 * end up in two chained mbufs since there's not 558 * enough leading space in the existing mbuf). 559 */ 560 m_adj(m, vjlen); 561 M_PREPEND(m, hlen, MB_DONTWAIT); 562 if (m == NULL) 563 goto drop2; 564 bcopy(iphdr, mtod(m, u_char *), hlen); 565 566 isr = NETISR_IP; 567 } 568 do_account++; 569 break; 570 case PPP_VJ_UCOMP: 571 if (sp->state[IDX_IPCP] == STATE_OPENED) { 572 if (sl_uncompress_tcp_core(mtod(m, u_char *), 573 m->m_len, m->m_len, 574 TYPE_UNCOMPRESSED_TCP, 575 sp->pp_comp, 576 &iphdr, &hlen) != 0) { 577 if (debug) 578 log(LOG_INFO, 579 SPP_FMT "VJ uncompress failed on uncompressed packet\n", 580 SPP_ARGS(ifp)); 581 goto drop; 582 } 583 isr = NETISR_IP; 584 } 585 do_account++; 586 break; 587 #endif 588 #ifdef INET6 589 case PPP_IPV6CP: 590 if (sp->pp_phase == PHASE_NETWORK) 591 sppp_cp_input(&ipv6cp, sp, m); 592 m_freem (m); 593 return; 594 595 case PPP_IPV6: 596 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 597 isr = NETISR_IPV6; 598 } 599 do_account++; 600 break; 601 #endif 602 } 603 break; 604 case CISCO_MULTICAST: 605 case CISCO_UNICAST: 606 /* Don't check the control field here (RFC 1547). */ 607 if (sp->pp_mode != IFF_CISCO) { 608 if (debug) 609 log(LOG_DEBUG, 610 SPP_FMT "Cisco packet in PPP mode " 611 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 612 SPP_ARGS(ifp), 613 h->address, h->control, ntohs(h->protocol)); 614 goto drop; 615 } 616 switch (ntohs (h->protocol)) { 617 default: 618 IFNET_STAT_INC(ifp, noproto, 1); 619 goto invalid; 620 case CISCO_KEEPALIVE: 621 sppp_cisco_input ((struct sppp*) ifp, m); 622 m_freem (m); 623 return; 624 #ifdef INET 625 case ETHERTYPE_IP: 626 isr = NETISR_IP; 627 do_account++; 628 break; 629 #endif 630 #ifdef INET6 631 case ETHERTYPE_IPV6: 632 isr = NETISR_IPV6; 633 do_account++; 634 break; 635 #endif 636 } 637 break; 638 default: /* Invalid PPP packet. */ 639 invalid: 640 if (debug) 641 log(LOG_DEBUG, 642 SPP_FMT "invalid input packet " 643 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 644 SPP_ARGS(ifp), 645 h->address, h->control, ntohs(h->protocol)); 646 goto drop; 647 } 648 649 if (! (ifp->if_flags & IFF_UP) || isr < 0) 650 goto drop; 651 652 /* Check queue. */ 653 654 netisr_queue(isr, m); 655 656 /* 657 * Do only account for network packets, not for control 658 * packets. This is used by some subsystems to detect 659 * idle lines. 660 */ 661 if (do_account) 662 sp->pp_last_recv = time_uptime; 663 } 664 665 /* 666 * Enqueue transmit packet. 667 */ 668 static int 669 sppp_output_serialized(struct ifnet *ifp, struct ifaltq_subque *ifsq, 670 struct mbuf *m, struct sockaddr *dst, struct rtentry *rt) 671 { 672 struct sppp *sp = (struct sppp*) ifp; 673 struct ppp_header *h; 674 struct ifqueue *ifq = NULL; 675 int rv = 0; 676 int ipproto = PPP_IP; 677 int debug = ifp->if_flags & IFF_DEBUG; 678 struct altq_pktattr pktattr; 679 680 crit_enter(); 681 682 if ((ifp->if_flags & IFF_UP) == 0 || 683 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 684 #ifdef INET6 685 drop: 686 #endif 687 m_freem (m); 688 crit_exit(); 689 return (ENETDOWN); 690 } 691 692 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 693 #ifdef INET6 694 /* 695 * XXX 696 * 697 * Hack to prevent the initialization-time generated 698 * IPv6 multicast packet to erroneously cause a 699 * dialout event in case IPv6 has been 700 * administratively disabled on that interface. 701 */ 702 if (dst->sa_family == AF_INET6 && 703 !(sp->confflags & CONF_ENABLE_IPV6)) 704 goto drop; 705 #endif 706 /* 707 * Interface is not yet running, but auto-dial. Need 708 * to start LCP for it. 709 */ 710 ifp->if_flags |= IFF_RUNNING; 711 crit_exit(); 712 lcp.Open(sp); 713 crit_enter(); 714 } 715 716 /* 717 * if the queueing discipline needs packet classification, 718 * do it before prepending link headers. 719 */ 720 ifq_classify(&ifp->if_snd, m, dst->sa_family, &pktattr); 721 722 #ifdef INET 723 if (dst->sa_family == AF_INET) { 724 /* XXX Check mbuf length here? */ 725 struct ip *ip = mtod (m, struct ip*); 726 struct tcphdr *tcp = (struct tcphdr*) ((long*)ip + ip->ip_hl); 727 728 /* 729 * When using dynamic local IP address assignment by using 730 * 0.0.0.0 as a local address, the first TCP session will 731 * not connect because the local TCP checksum is computed 732 * using 0.0.0.0 which will later become our real IP address 733 * so the TCP checksum computed at the remote end will 734 * become invalid. So we 735 * - don't let packets with src ip addr 0 thru 736 * - we flag TCP packets with src ip 0 as an error 737 */ 738 739 if(ip->ip_src.s_addr == INADDR_ANY) /* -hm */ 740 { 741 m_freem(m); 742 crit_exit(); 743 if(ip->ip_p == IPPROTO_TCP) 744 return(EADDRNOTAVAIL); 745 else 746 return(0); 747 } 748 749 /* 750 * Put low delay, telnet, rlogin and ftp control packets 751 * in front of the queue. 752 */ 753 if (IF_QFULL (&sp->pp_fastq)) 754 ; 755 else if (ip->ip_tos & IPTOS_LOWDELAY) 756 ifq = &sp->pp_fastq; 757 else if (m->m_len < sizeof *ip + sizeof *tcp) 758 ; 759 else if (ip->ip_p != IPPROTO_TCP) 760 ; 761 else if (INTERACTIVE (ntohs (tcp->th_sport))) 762 ifq = &sp->pp_fastq; 763 else if (INTERACTIVE (ntohs (tcp->th_dport))) 764 ifq = &sp->pp_fastq; 765 766 /* 767 * Do IP Header compression 768 */ 769 if (sp->pp_mode != IFF_CISCO && (sp->ipcp.flags & IPCP_VJ) && 770 ip->ip_p == IPPROTO_TCP) 771 switch (sl_compress_tcp(m, ip, sp->pp_comp, 772 sp->ipcp.compress_cid)) { 773 case TYPE_COMPRESSED_TCP: 774 ipproto = PPP_VJ_COMP; 775 break; 776 case TYPE_UNCOMPRESSED_TCP: 777 ipproto = PPP_VJ_UCOMP; 778 break; 779 case TYPE_IP: 780 ipproto = PPP_IP; 781 break; 782 default: 783 m_freem(m); 784 crit_exit(); 785 return (EINVAL); 786 } 787 } 788 #endif 789 790 #ifdef INET6 791 if (dst->sa_family == AF_INET6) { 792 /* XXX do something tricky here? */ 793 } 794 #endif 795 796 /* 797 * Prepend general data packet PPP header. For now, IP only. 798 */ 799 M_PREPEND (m, PPP_HEADER_LEN, MB_DONTWAIT); 800 if (! m) { 801 if (debug) 802 log(LOG_DEBUG, SPP_FMT "no memory for transmit header\n", 803 SPP_ARGS(ifp)); 804 IFNET_STAT_INC(ifp, oerrors, 1); 805 crit_exit(); 806 return (ENOBUFS); 807 } 808 /* 809 * May want to check size of packet 810 * (albeit due to the implementation it's always enough) 811 */ 812 h = mtod (m, struct ppp_header*); 813 if (sp->pp_mode == IFF_CISCO) { 814 h->address = CISCO_UNICAST; /* unicast address */ 815 h->control = 0; 816 } else { 817 h->address = PPP_ALLSTATIONS; /* broadcast address */ 818 h->control = PPP_UI; /* Unnumbered Info */ 819 } 820 821 switch (dst->sa_family) { 822 #ifdef INET 823 case AF_INET: /* Internet Protocol */ 824 if (sp->pp_mode == IFF_CISCO) 825 h->protocol = htons (ETHERTYPE_IP); 826 else { 827 /* 828 * Don't choke with an ENETDOWN early. It's 829 * possible that we just started dialing out, 830 * so don't drop the packet immediately. If 831 * we notice that we run out of buffer space 832 * below, we will however remember that we are 833 * not ready to carry IP packets, and return 834 * ENETDOWN, as opposed to ENOBUFS. 835 */ 836 h->protocol = htons(ipproto); 837 if (sp->state[IDX_IPCP] != STATE_OPENED) 838 rv = ENETDOWN; 839 } 840 break; 841 #endif 842 #ifdef INET6 843 case AF_INET6: /* Internet Protocol */ 844 if (sp->pp_mode == IFF_CISCO) 845 h->protocol = htons (ETHERTYPE_IPV6); 846 else { 847 /* 848 * Don't choke with an ENETDOWN early. It's 849 * possible that we just started dialing out, 850 * so don't drop the packet immediately. If 851 * we notice that we run out of buffer space 852 * below, we will however remember that we are 853 * not ready to carry IP packets, and return 854 * ENETDOWN, as opposed to ENOBUFS. 855 */ 856 h->protocol = htons(PPP_IPV6); 857 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 858 rv = ENETDOWN; 859 } 860 break; 861 #endif 862 default: 863 m_freem (m); 864 IFNET_STAT_INC(ifp, oerrors, 1); 865 crit_exit(); 866 return (EAFNOSUPPORT); 867 } 868 869 /* 870 * Queue message on interface, and start output if interface 871 * not yet active. 872 */ 873 if (ifq != NULL) { 874 if (IF_QFULL(ifq)) { 875 IF_DROP(ifq); 876 m_freem(m); 877 rv = ENOBUFS; 878 } else { 879 IF_ENQUEUE(ifq, m); 880 rv = 0; 881 } 882 } else { 883 rv = ifsq_enqueue(ifsq, m, &pktattr); 884 } 885 if (rv) { 886 IFNET_STAT_INC(ifp, oerrors, 1); 887 crit_exit(); 888 return(rv); 889 } 890 if (!ifsq_is_oactive(ifsq)) 891 (*ifp->if_start) (ifp, ifsq); 892 893 /* 894 * Count output packets and bytes. 895 * The packet length includes header, FCS and 1 flag, 896 * according to RFC 1333. 897 */ 898 IFNET_STAT_INC(ifp, obytes, m->m_pkthdr.len + 3); 899 900 /* 901 * Unlike in sppp_input(), we can always bump the timestamp 902 * here since sppp_output() is only called on behalf of 903 * network-layer traffic; control-layer traffic is handled 904 * by sppp_cp_send(). 905 */ 906 sp->pp_last_sent = time_uptime; 907 908 crit_exit(); 909 return (0); 910 } 911 912 static int 913 sppp_output(struct ifnet *ifp, struct mbuf *m, 914 struct sockaddr *dst, struct rtentry *rt) 915 { 916 struct ifaltq_subque *ifsq = ifq_get_subq_default(&ifp->if_snd); 917 int error; 918 919 ifsq_serialize_hw(ifsq); 920 error = sppp_output_serialized(ifp, ifsq, m, dst, rt); 921 ifsq_deserialize_hw(ifsq); 922 923 return error; 924 } 925 926 void 927 sppp_attach(struct ifnet *ifp) 928 { 929 struct sppp *sp = (struct sppp*) ifp; 930 931 /* Initialize keepalive handler. */ 932 if (!spppq) { 933 callout_reset(&keepalive_timeout, hz * 10, 934 sppp_keepalive, NULL); 935 } 936 /* Insert new entry into the keepalive list. */ 937 sp->pp_next = spppq; 938 spppq = sp; 939 940 sp->pp_if.if_mtu = PP_MTU; 941 sp->pp_if.if_flags = IFF_POINTOPOINT | IFF_MULTICAST; 942 sp->pp_if.if_type = IFT_PPP; 943 sp->pp_if.if_output = sppp_output; 944 #if 0 945 sp->pp_flags = PP_KEEPALIVE; 946 #endif 947 ifq_set_maxlen(&sp->pp_if.if_snd, 32); 948 sp->pp_fastq.ifq_maxlen = 32; 949 sp->pp_cpq.ifq_maxlen = 20; 950 sp->pp_loopcnt = 0; 951 sp->pp_alivecnt = 0; 952 bzero(&sp->pp_seq[0], sizeof(sp->pp_seq)); 953 bzero(&sp->pp_rseq[0], sizeof(sp->pp_rseq)); 954 sp->pp_phase = PHASE_DEAD; 955 sp->pp_up = lcp.Up; 956 sp->pp_down = lcp.Down; 957 sp->pp_last_recv = sp->pp_last_sent = time_uptime; 958 sp->confflags = 0; 959 #ifdef INET 960 sp->confflags |= CONF_ENABLE_VJ; 961 #endif 962 #ifdef INET6 963 sp->confflags |= CONF_ENABLE_IPV6; 964 #endif 965 sp->pp_comp = kmalloc(sizeof(struct slcompress), M_TEMP, M_WAITOK); 966 sl_compress_init(sp->pp_comp, -1); 967 sppp_lcp_init(sp); 968 sppp_ipcp_init(sp); 969 sppp_ipv6cp_init(sp); 970 sppp_pap_init(sp); 971 sppp_chap_init(sp); 972 } 973 974 void 975 sppp_detach(struct ifnet *ifp) 976 { 977 struct sppp **q, *p, *sp = (struct sppp*) ifp; 978 int i; 979 980 /* Remove the entry from the keepalive list. */ 981 for (q = &spppq; (p = *q); q = &p->pp_next) 982 if (p == sp) { 983 *q = p->pp_next; 984 break; 985 } 986 987 /* Stop keepalive handler. */ 988 if (!spppq) 989 callout_stop(&keepalive_timeout); 990 991 for (i = 0; i < IDX_COUNT; i++) 992 callout_stop(&sp->timeout[i]); 993 callout_stop(&sp->pap_my_to); 994 } 995 996 /* 997 * Flush the interface output queue. 998 */ 999 void 1000 sppp_flush(struct ifnet *ifp) 1001 { 1002 struct sppp *sp = (struct sppp*) ifp; 1003 1004 ifq_purge_all(&sp->pp_if.if_snd); 1005 IF_DRAIN(&sp->pp_fastq); 1006 IF_DRAIN(&sp->pp_cpq); 1007 } 1008 1009 /* 1010 * Check if the output queue is empty. 1011 */ 1012 int 1013 sppp_isempty(struct ifnet *ifp) 1014 { 1015 struct sppp *sp = (struct sppp*) ifp; 1016 int empty; 1017 1018 crit_enter(); 1019 empty = IF_QEMPTY(&sp->pp_fastq) && IF_QEMPTY(&sp->pp_cpq) && 1020 ifsq_is_empty(ifq_get_subq_default(&sp->pp_if.if_snd)); 1021 crit_exit(); 1022 return (empty); 1023 } 1024 1025 /* 1026 * Get next packet to send. 1027 */ 1028 struct mbuf * 1029 sppp_dequeue(struct ifnet *ifp) 1030 { 1031 struct sppp *sp = (struct sppp*) ifp; 1032 struct mbuf *m; 1033 1034 crit_enter(); 1035 1036 /* 1037 * Process only the control protocol queue until we have at 1038 * least one NCP open. 1039 * 1040 * Do always serve all three queues in Cisco mode. 1041 */ 1042 IF_DEQUEUE(&sp->pp_cpq, m); 1043 if (m == NULL && 1044 (sppp_ncp_check(sp) || sp->pp_mode == IFF_CISCO)) { 1045 IF_DEQUEUE(&sp->pp_fastq, m); 1046 if (m == NULL) { 1047 m = ifsq_dequeue( 1048 ifq_get_subq_default(&sp->pp_if.if_snd)); 1049 } 1050 } 1051 1052 crit_exit(); 1053 return m; 1054 } 1055 1056 /* 1057 * Pick the next packet, do not remove it from the queue. 1058 */ 1059 struct mbuf * 1060 sppp_pick(struct ifnet *ifp) 1061 { 1062 struct sppp *sp = (struct sppp*)ifp; 1063 struct mbuf *m; 1064 1065 crit_enter(); 1066 1067 m = sp->pp_cpq.ifq_head; 1068 if (m == NULL && 1069 (sp->pp_phase == PHASE_NETWORK || sp->pp_mode == IFF_CISCO)) { 1070 if ((m = sp->pp_fastq.ifq_head) == NULL) 1071 m = ifsq_poll(ifq_get_subq_default(&sp->pp_if.if_snd)); 1072 } 1073 1074 crit_exit(); 1075 return (m); 1076 } 1077 1078 /* 1079 * Process an ioctl request. Called on low priority level. 1080 */ 1081 int 1082 sppp_ioctl(struct ifnet *ifp, IOCTL_CMD_T cmd, void *data) 1083 { 1084 struct ifreq *ifr = (struct ifreq*) data; 1085 struct sppp *sp = (struct sppp*) ifp; 1086 int rv, going_up, going_down, newmode; 1087 1088 crit_enter(); 1089 1090 rv = 0; 1091 switch (cmd) { 1092 case SIOCAIFADDR: 1093 case SIOCSIFDSTADDR: 1094 break; 1095 1096 case SIOCSIFADDR: 1097 /* set the interface "up" when assigning an IP address */ 1098 ifp->if_flags |= IFF_UP; 1099 /* fall through... */ 1100 1101 case SIOCSIFFLAGS: 1102 going_up = ifp->if_flags & IFF_UP && 1103 (ifp->if_flags & IFF_RUNNING) == 0; 1104 going_down = (ifp->if_flags & IFF_UP) == 0 && 1105 ifp->if_flags & IFF_RUNNING; 1106 1107 newmode = ifp->if_flags & IFF_PASSIVE; 1108 if (!newmode) 1109 newmode = ifp->if_flags & IFF_AUTO; 1110 if (!newmode) 1111 newmode = ifp->if_flags & IFF_CISCO; 1112 ifp->if_flags &= ~(IFF_PASSIVE | IFF_AUTO | IFF_CISCO); 1113 ifp->if_flags |= newmode; 1114 1115 if (newmode != sp->pp_mode) { 1116 going_down = 1; 1117 if (!going_up) 1118 going_up = ifp->if_flags & IFF_RUNNING; 1119 } 1120 1121 if (going_down) { 1122 if (sp->pp_mode != IFF_CISCO) 1123 lcp.Close(sp); 1124 else if (sp->pp_tlf) 1125 (sp->pp_tlf)(sp); 1126 sppp_flush(ifp); 1127 ifp->if_flags &= ~IFF_RUNNING; 1128 sp->pp_mode = newmode; 1129 } 1130 1131 if (going_up) { 1132 if (sp->pp_mode != IFF_CISCO) 1133 lcp.Close(sp); 1134 sp->pp_mode = newmode; 1135 if (sp->pp_mode == 0) { 1136 ifp->if_flags |= IFF_RUNNING; 1137 lcp.Open(sp); 1138 } 1139 if (sp->pp_mode == IFF_CISCO) { 1140 if (sp->pp_tls) 1141 (sp->pp_tls)(sp); 1142 ifp->if_flags |= IFF_RUNNING; 1143 } 1144 } 1145 1146 break; 1147 1148 #ifdef SIOCSIFMTU 1149 #ifndef ifr_mtu 1150 #define ifr_mtu ifr_metric 1151 #endif 1152 case SIOCSIFMTU: 1153 if (ifr->ifr_mtu < 128 || ifr->ifr_mtu > sp->lcp.their_mru) { 1154 crit_exit(); 1155 return (EINVAL); 1156 } 1157 ifp->if_mtu = ifr->ifr_mtu; 1158 break; 1159 #endif 1160 #ifdef SLIOCSETMTU 1161 case SLIOCSETMTU: 1162 if (*(short*)data < 128 || *(short*)data > sp->lcp.their_mru) { 1163 crit_exit(); 1164 return (EINVAL); 1165 } 1166 ifp->if_mtu = *(short*)data; 1167 break; 1168 #endif 1169 #ifdef SIOCGIFMTU 1170 case SIOCGIFMTU: 1171 ifr->ifr_mtu = ifp->if_mtu; 1172 break; 1173 #endif 1174 #ifdef SLIOCGETMTU 1175 case SLIOCGETMTU: 1176 *(short*)data = ifp->if_mtu; 1177 break; 1178 #endif 1179 case SIOCADDMULTI: 1180 case SIOCDELMULTI: 1181 break; 1182 1183 case SIOCGIFGENERIC: 1184 case SIOCSIFGENERIC: 1185 rv = sppp_params(sp, cmd, data); 1186 break; 1187 1188 default: 1189 rv = ENOTTY; 1190 } 1191 1192 crit_exit(); 1193 return rv; 1194 } 1195 1196 /* 1197 * Cisco framing implementation. 1198 */ 1199 1200 /* 1201 * Handle incoming Cisco keepalive protocol packets. 1202 */ 1203 static void 1204 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1205 { 1206 STDDCL; 1207 struct cisco_packet *h; 1208 u_long me, mymask; 1209 1210 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1211 if (debug) 1212 log(LOG_DEBUG, 1213 SPP_FMT "cisco invalid packet length: %d bytes\n", 1214 SPP_ARGS(ifp), m->m_pkthdr.len); 1215 return; 1216 } 1217 h = mtod (m, struct cisco_packet*); 1218 if (debug) 1219 log(LOG_DEBUG, 1220 SPP_FMT "cisco input: %d bytes " 1221 "<0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n", 1222 SPP_ARGS(ifp), m->m_pkthdr.len, 1223 (u_long)ntohl (h->type), h->par1, h->par2, (u_int)h->rel, 1224 (u_int)h->time0, (u_int)h->time1); 1225 switch (ntohl (h->type)) { 1226 default: 1227 if (debug) 1228 log(-1, SPP_FMT "cisco unknown packet type: 0x%lx\n", 1229 SPP_ARGS(ifp), (u_long)ntohl (h->type)); 1230 break; 1231 case CISCO_ADDR_REPLY: 1232 /* Reply on address request, ignore */ 1233 break; 1234 case CISCO_KEEPALIVE_REQ: 1235 sp->pp_alivecnt = 0; 1236 sp->pp_rseq[IDX_LCP] = ntohl (h->par1); 1237 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1238 /* Local and remote sequence numbers are equal. 1239 * Probably, the line is in loopback mode. */ 1240 if (sp->pp_loopcnt >= MAXALIVECNT) { 1241 kprintf (SPP_FMT "loopback\n", 1242 SPP_ARGS(ifp)); 1243 sp->pp_loopcnt = 0; 1244 if (ifp->if_flags & IFF_UP) { 1245 if_down (ifp); 1246 IF_DRAIN(&sp->pp_cpq); 1247 } 1248 } 1249 ++sp->pp_loopcnt; 1250 1251 /* Generate new local sequence number */ 1252 sp->pp_seq[IDX_LCP] = krandom(); 1253 break; 1254 } 1255 sp->pp_loopcnt = 0; 1256 if (! (ifp->if_flags & IFF_UP) && 1257 (ifp->if_flags & IFF_RUNNING)) { 1258 if_up(ifp); 1259 kprintf (SPP_FMT "up\n", SPP_ARGS(ifp)); 1260 } 1261 break; 1262 case CISCO_ADDR_REQ: 1263 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1264 if (me != 0L) 1265 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1266 break; 1267 } 1268 } 1269 1270 /* 1271 * Send Cisco keepalive packet. 1272 */ 1273 static void 1274 sppp_cisco_send(struct sppp *sp, int type, long par1, long par2) 1275 { 1276 STDDCL; 1277 struct ppp_header *h; 1278 struct cisco_packet *ch; 1279 struct mbuf *m; 1280 struct timeval tv; 1281 struct ifaltq_subque *ifsq; 1282 1283 getmicrouptime(&tv); 1284 1285 MGETHDR (m, MB_DONTWAIT, MT_DATA); 1286 if (! m) 1287 return; 1288 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1289 m->m_pkthdr.rcvif = 0; 1290 1291 h = mtod (m, struct ppp_header*); 1292 h->address = CISCO_MULTICAST; 1293 h->control = 0; 1294 h->protocol = htons (CISCO_KEEPALIVE); 1295 1296 ch = (struct cisco_packet*) (h + 1); 1297 ch->type = htonl (type); 1298 ch->par1 = htonl (par1); 1299 ch->par2 = htonl (par2); 1300 ch->rel = -1; 1301 1302 ch->time0 = htons ((u_short) (tv.tv_sec >> 16)); 1303 ch->time1 = htons ((u_short) tv.tv_sec); 1304 1305 if (debug) 1306 log(LOG_DEBUG, 1307 SPP_FMT "cisco output: <0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n", 1308 SPP_ARGS(ifp), (u_long)ntohl (ch->type), ch->par1, 1309 ch->par2, (u_int)ch->rel, (u_int)ch->time0, (u_int)ch->time1); 1310 1311 if (IF_QFULL (&sp->pp_cpq)) { 1312 IF_DROP (&sp->pp_fastq); 1313 m_freem (m); 1314 } else 1315 IF_ENQUEUE (&sp->pp_cpq, m); 1316 ifsq = ifq_get_subq_default(&ifp->if_snd); 1317 if (!ifsq_is_oactive(ifsq)) 1318 (*ifp->if_start) (ifp, ifsq); 1319 IFNET_STAT_INC(ifp, obytes, m->m_pkthdr.len + 3); 1320 } 1321 1322 /* 1323 * PPP protocol implementation. 1324 */ 1325 1326 /* 1327 * Send PPP control protocol packet. 1328 */ 1329 static void 1330 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1331 u_char ident, u_short len, void *data) 1332 { 1333 STDDCL; 1334 struct ppp_header *h; 1335 struct lcp_header *lh; 1336 struct mbuf *m; 1337 struct ifaltq_subque *ifsq; 1338 1339 if (len > MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN) 1340 len = MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN; 1341 MGETHDR (m, MB_DONTWAIT, MT_DATA); 1342 if (! m) 1343 return; 1344 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + LCP_HEADER_LEN + len; 1345 m->m_pkthdr.rcvif = 0; 1346 1347 h = mtod (m, struct ppp_header*); 1348 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1349 h->control = PPP_UI; /* Unnumbered Info */ 1350 h->protocol = htons (proto); /* Link Control Protocol */ 1351 1352 lh = (struct lcp_header*) (h + 1); 1353 lh->type = type; 1354 lh->ident = ident; 1355 lh->len = htons (LCP_HEADER_LEN + len); 1356 if (len) 1357 bcopy (data, lh+1, len); 1358 1359 if (debug) { 1360 log(LOG_DEBUG, SPP_FMT "%s output <%s id=0x%x len=%d", 1361 SPP_ARGS(ifp), 1362 sppp_proto_name(proto), 1363 sppp_cp_type_name (lh->type), lh->ident, 1364 ntohs (lh->len)); 1365 sppp_print_bytes ((u_char*) (lh+1), len); 1366 log(-1, ">\n"); 1367 } 1368 if (IF_QFULL (&sp->pp_cpq)) { 1369 IF_DROP (&sp->pp_fastq); 1370 m_freem (m); 1371 IFNET_STAT_INC(ifp, oerrors, 1); 1372 } else 1373 IF_ENQUEUE (&sp->pp_cpq, m); 1374 ifsq = ifq_get_subq_default(&ifp->if_snd); 1375 if (!ifsq_is_oactive(ifsq)) 1376 (*ifp->if_start) (ifp, ifsq); 1377 IFNET_STAT_INC(ifp, obytes, m->m_pkthdr.len + 3); 1378 } 1379 1380 /* 1381 * Handle incoming PPP control protocol packets. 1382 */ 1383 static void 1384 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1385 { 1386 STDDCL; 1387 struct lcp_header *h; 1388 int printlen, len = m->m_pkthdr.len; 1389 int rv; 1390 u_char *p; 1391 1392 if (len < 4) { 1393 if (debug) 1394 log(LOG_DEBUG, 1395 SPP_FMT "%s invalid packet length: %d bytes\n", 1396 SPP_ARGS(ifp), cp->name, len); 1397 return; 1398 } 1399 h = mtod (m, struct lcp_header*); 1400 if (debug) { 1401 printlen = ntohs(h->len); 1402 log(LOG_DEBUG, 1403 SPP_FMT "%s input(%s): <%s id=0x%x len=%d", 1404 SPP_ARGS(ifp), cp->name, 1405 sppp_state_name(sp->state[cp->protoidx]), 1406 sppp_cp_type_name (h->type), h->ident, printlen); 1407 if (len < printlen) 1408 printlen = len; 1409 if (printlen > 4) 1410 sppp_print_bytes ((u_char*) (h+1), printlen - 4); 1411 log(-1, ">\n"); 1412 } 1413 if (len > ntohs (h->len)) 1414 len = ntohs (h->len); 1415 p = (u_char *)(h + 1); 1416 switch (h->type) { 1417 case CONF_REQ: 1418 if (len < 4) { 1419 if (debug) 1420 log(-1, SPP_FMT "%s invalid conf-req length %d\n", 1421 SPP_ARGS(ifp), cp->name, 1422 len); 1423 IFNET_STAT_INC(ifp, ierrors, 1); 1424 break; 1425 } 1426 /* handle states where RCR doesn't get a SCA/SCN */ 1427 switch (sp->state[cp->protoidx]) { 1428 case STATE_CLOSING: 1429 case STATE_STOPPING: 1430 return; 1431 case STATE_CLOSED: 1432 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1433 0, 0); 1434 return; 1435 } 1436 rv = (cp->RCR)(sp, h, len); 1437 if (rv < 0) { 1438 /* fatal error, shut down */ 1439 (cp->tld)(sp); 1440 sppp_lcp_tlf(sp); 1441 return; 1442 } 1443 switch (sp->state[cp->protoidx]) { 1444 case STATE_OPENED: 1445 (cp->tld)(sp); 1446 (cp->scr)(sp); 1447 /* fall through... */ 1448 case STATE_ACK_SENT: 1449 case STATE_REQ_SENT: 1450 /* 1451 * sppp_cp_change_state() have the side effect of 1452 * restarting the timeouts. We want to avoid that 1453 * if the state don't change, otherwise we won't 1454 * ever timeout and resend a configuration request 1455 * that got lost. 1456 */ 1457 if (sp->state[cp->protoidx] == (rv ? STATE_ACK_SENT: 1458 STATE_REQ_SENT)) 1459 break; 1460 sppp_cp_change_state(cp, sp, rv? 1461 STATE_ACK_SENT: STATE_REQ_SENT); 1462 break; 1463 case STATE_STOPPED: 1464 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1465 (cp->scr)(sp); 1466 sppp_cp_change_state(cp, sp, rv? 1467 STATE_ACK_SENT: STATE_REQ_SENT); 1468 break; 1469 case STATE_ACK_RCVD: 1470 if (rv) { 1471 sppp_cp_change_state(cp, sp, STATE_OPENED); 1472 if (debug) 1473 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 1474 SPP_ARGS(ifp), 1475 cp->name); 1476 (cp->tlu)(sp); 1477 } else 1478 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1479 break; 1480 default: 1481 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1482 SPP_ARGS(ifp), cp->name, 1483 sppp_cp_type_name(h->type), 1484 sppp_state_name(sp->state[cp->protoidx])); 1485 IFNET_STAT_INC(ifp, ierrors, 1); 1486 } 1487 break; 1488 case CONF_ACK: 1489 if (h->ident != sp->confid[cp->protoidx]) { 1490 if (debug) 1491 log(-1, SPP_FMT "%s id mismatch 0x%x != 0x%x\n", 1492 SPP_ARGS(ifp), cp->name, 1493 h->ident, sp->confid[cp->protoidx]); 1494 IFNET_STAT_INC(ifp, ierrors, 1); 1495 break; 1496 } 1497 switch (sp->state[cp->protoidx]) { 1498 case STATE_CLOSED: 1499 case STATE_STOPPED: 1500 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1501 break; 1502 case STATE_CLOSING: 1503 case STATE_STOPPING: 1504 break; 1505 case STATE_REQ_SENT: 1506 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1507 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1508 break; 1509 case STATE_OPENED: 1510 (cp->tld)(sp); 1511 /* fall through */ 1512 case STATE_ACK_RCVD: 1513 (cp->scr)(sp); 1514 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1515 break; 1516 case STATE_ACK_SENT: 1517 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1518 sppp_cp_change_state(cp, sp, STATE_OPENED); 1519 if (debug) 1520 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 1521 SPP_ARGS(ifp), cp->name); 1522 (cp->tlu)(sp); 1523 break; 1524 default: 1525 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1526 SPP_ARGS(ifp), cp->name, 1527 sppp_cp_type_name(h->type), 1528 sppp_state_name(sp->state[cp->protoidx])); 1529 IFNET_STAT_INC(ifp, ierrors, 1); 1530 } 1531 break; 1532 case CONF_NAK: 1533 case CONF_REJ: 1534 if (h->ident != sp->confid[cp->protoidx]) { 1535 if (debug) 1536 log(-1, SPP_FMT "%s id mismatch 0x%x != 0x%x\n", 1537 SPP_ARGS(ifp), cp->name, 1538 h->ident, sp->confid[cp->protoidx]); 1539 IFNET_STAT_INC(ifp, ierrors, 1); 1540 break; 1541 } 1542 if (h->type == CONF_NAK) 1543 (cp->RCN_nak)(sp, h, len); 1544 else /* CONF_REJ */ 1545 (cp->RCN_rej)(sp, h, len); 1546 1547 switch (sp->state[cp->protoidx]) { 1548 case STATE_CLOSED: 1549 case STATE_STOPPED: 1550 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1551 break; 1552 case STATE_REQ_SENT: 1553 case STATE_ACK_SENT: 1554 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1555 /* 1556 * Slow things down a bit if we think we might be 1557 * in loopback. Depend on the timeout to send the 1558 * next configuration request. 1559 */ 1560 if (sp->pp_loopcnt) 1561 break; 1562 (cp->scr)(sp); 1563 break; 1564 case STATE_OPENED: 1565 (cp->tld)(sp); 1566 /* fall through */ 1567 case STATE_ACK_RCVD: 1568 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1569 (cp->scr)(sp); 1570 break; 1571 case STATE_CLOSING: 1572 case STATE_STOPPING: 1573 break; 1574 default: 1575 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1576 SPP_ARGS(ifp), cp->name, 1577 sppp_cp_type_name(h->type), 1578 sppp_state_name(sp->state[cp->protoidx])); 1579 IFNET_STAT_INC(ifp, ierrors, 1); 1580 } 1581 break; 1582 1583 case TERM_REQ: 1584 switch (sp->state[cp->protoidx]) { 1585 case STATE_ACK_RCVD: 1586 case STATE_ACK_SENT: 1587 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1588 /* fall through */ 1589 case STATE_CLOSED: 1590 case STATE_STOPPED: 1591 case STATE_CLOSING: 1592 case STATE_STOPPING: 1593 case STATE_REQ_SENT: 1594 sta: 1595 /* Send Terminate-Ack packet. */ 1596 if (debug) 1597 log(LOG_DEBUG, SPP_FMT "%s send terminate-ack\n", 1598 SPP_ARGS(ifp), cp->name); 1599 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1600 break; 1601 case STATE_OPENED: 1602 (cp->tld)(sp); 1603 sp->rst_counter[cp->protoidx] = 0; 1604 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1605 goto sta; 1606 break; 1607 default: 1608 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1609 SPP_ARGS(ifp), cp->name, 1610 sppp_cp_type_name(h->type), 1611 sppp_state_name(sp->state[cp->protoidx])); 1612 IFNET_STAT_INC(ifp, ierrors, 1); 1613 } 1614 break; 1615 case TERM_ACK: 1616 switch (sp->state[cp->protoidx]) { 1617 case STATE_CLOSED: 1618 case STATE_STOPPED: 1619 case STATE_REQ_SENT: 1620 case STATE_ACK_SENT: 1621 break; 1622 case STATE_CLOSING: 1623 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1624 (cp->tlf)(sp); 1625 break; 1626 case STATE_STOPPING: 1627 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1628 (cp->tlf)(sp); 1629 break; 1630 case STATE_ACK_RCVD: 1631 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1632 break; 1633 case STATE_OPENED: 1634 (cp->tld)(sp); 1635 (cp->scr)(sp); 1636 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1637 break; 1638 default: 1639 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1640 SPP_ARGS(ifp), cp->name, 1641 sppp_cp_type_name(h->type), 1642 sppp_state_name(sp->state[cp->protoidx])); 1643 IFNET_STAT_INC(ifp, ierrors, 1); 1644 } 1645 break; 1646 case CODE_REJ: 1647 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1648 log(LOG_INFO, 1649 SPP_FMT "%s: ignoring RXJ (%s) for proto 0x%x, " 1650 "danger will robinson\n", 1651 SPP_ARGS(ifp), cp->name, 1652 sppp_cp_type_name(h->type), ntohs(*((u_short *)p))); 1653 switch (sp->state[cp->protoidx]) { 1654 case STATE_CLOSED: 1655 case STATE_STOPPED: 1656 case STATE_REQ_SENT: 1657 case STATE_ACK_SENT: 1658 case STATE_CLOSING: 1659 case STATE_STOPPING: 1660 case STATE_OPENED: 1661 break; 1662 case STATE_ACK_RCVD: 1663 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1664 break; 1665 default: 1666 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1667 SPP_ARGS(ifp), cp->name, 1668 sppp_cp_type_name(h->type), 1669 sppp_state_name(sp->state[cp->protoidx])); 1670 IFNET_STAT_INC(ifp, ierrors, 1); 1671 } 1672 break; 1673 case PROTO_REJ: 1674 { 1675 int catastrophic; 1676 const struct cp *upper; 1677 int i; 1678 u_int16_t proto; 1679 1680 catastrophic = 0; 1681 upper = NULL; 1682 proto = ntohs(*((u_int16_t *)p)); 1683 for (i = 0; i < IDX_COUNT; i++) { 1684 if (cps[i]->proto == proto) { 1685 upper = cps[i]; 1686 break; 1687 } 1688 } 1689 if (upper == NULL) 1690 catastrophic++; 1691 1692 if (catastrophic || debug) 1693 log(catastrophic? LOG_INFO: LOG_DEBUG, 1694 SPP_FMT "%s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1695 SPP_ARGS(ifp), cp->name, catastrophic ? '-' : '+', 1696 sppp_cp_type_name(h->type), proto, 1697 upper ? upper->name : "unknown", 1698 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1699 1700 /* 1701 * if we got RXJ+ against conf-req, the peer does not implement 1702 * this particular protocol type. terminate the protocol. 1703 */ 1704 if (upper && !catastrophic) { 1705 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1706 upper->Close(sp); 1707 break; 1708 } 1709 } 1710 1711 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1712 switch (sp->state[cp->protoidx]) { 1713 case STATE_CLOSED: 1714 case STATE_STOPPED: 1715 case STATE_REQ_SENT: 1716 case STATE_ACK_SENT: 1717 case STATE_CLOSING: 1718 case STATE_STOPPING: 1719 case STATE_OPENED: 1720 break; 1721 case STATE_ACK_RCVD: 1722 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1723 break; 1724 default: 1725 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1726 SPP_ARGS(ifp), cp->name, 1727 sppp_cp_type_name(h->type), 1728 sppp_state_name(sp->state[cp->protoidx])); 1729 IFNET_STAT_INC(ifp, ierrors, 1); 1730 } 1731 break; 1732 } 1733 case DISC_REQ: 1734 if (cp->proto != PPP_LCP) 1735 goto illegal; 1736 /* Discard the packet. */ 1737 break; 1738 case ECHO_REQ: 1739 if (cp->proto != PPP_LCP) 1740 goto illegal; 1741 if (sp->state[cp->protoidx] != STATE_OPENED) { 1742 if (debug) 1743 log(-1, SPP_FMT "lcp echo req but lcp closed\n", 1744 SPP_ARGS(ifp)); 1745 IFNET_STAT_INC(ifp, ierrors, 1); 1746 break; 1747 } 1748 if (len < 8) { 1749 if (debug) 1750 log(-1, SPP_FMT "invalid lcp echo request " 1751 "packet length: %d bytes\n", 1752 SPP_ARGS(ifp), len); 1753 break; 1754 } 1755 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 1756 ntohl (*(long*)(h+1)) == sp->lcp.magic) { 1757 /* Line loopback mode detected. */ 1758 kprintf(SPP_FMT "loopback\n", SPP_ARGS(ifp)); 1759 sp->pp_loopcnt = MAXALIVECNT * 5; 1760 if_down (ifp); 1761 IF_DRAIN(&sp->pp_cpq); 1762 1763 /* Shut down the PPP link. */ 1764 /* XXX */ 1765 lcp.Down(sp); 1766 lcp.Up(sp); 1767 break; 1768 } 1769 *(long*)(h+1) = htonl (sp->lcp.magic); 1770 if (debug) 1771 log(-1, SPP_FMT "got lcp echo req, sending echo rep\n", 1772 SPP_ARGS(ifp)); 1773 sppp_cp_send (sp, PPP_LCP, ECHO_REPLY, h->ident, len-4, h+1); 1774 break; 1775 case ECHO_REPLY: 1776 if (cp->proto != PPP_LCP) 1777 goto illegal; 1778 if (h->ident != sp->lcp.echoid) { 1779 IFNET_STAT_INC(ifp, ierrors, 1); 1780 break; 1781 } 1782 if (len < 8) { 1783 if (debug) 1784 log(-1, SPP_FMT "lcp invalid echo reply " 1785 "packet length: %d bytes\n", 1786 SPP_ARGS(ifp), len); 1787 break; 1788 } 1789 if (debug) 1790 log(-1, SPP_FMT "lcp got echo rep\n", 1791 SPP_ARGS(ifp)); 1792 if (!(sp->lcp.opts & (1 << LCP_OPT_MAGIC)) || 1793 ntohl (*(long*)(h+1)) != sp->lcp.magic) 1794 sp->pp_alivecnt = 0; 1795 break; 1796 default: 1797 /* Unknown packet type -- send Code-Reject packet. */ 1798 illegal: 1799 if (debug) 1800 log(-1, SPP_FMT "%s send code-rej for 0x%x\n", 1801 SPP_ARGS(ifp), cp->name, h->type); 1802 sppp_cp_send(sp, cp->proto, CODE_REJ, 1803 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1804 IFNET_STAT_INC(ifp, ierrors, 1); 1805 } 1806 } 1807 1808 1809 /* 1810 * The generic part of all Up/Down/Open/Close/TO event handlers. 1811 * Basically, the state transition handling in the automaton. 1812 */ 1813 static void 1814 sppp_up_event(const struct cp *cp, struct sppp *sp) 1815 { 1816 STDDCL; 1817 1818 if (debug) 1819 log(LOG_DEBUG, SPP_FMT "%s up(%s)\n", 1820 SPP_ARGS(ifp), cp->name, 1821 sppp_state_name(sp->state[cp->protoidx])); 1822 1823 switch (sp->state[cp->protoidx]) { 1824 case STATE_INITIAL: 1825 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1826 break; 1827 case STATE_STARTING: 1828 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1829 (cp->scr)(sp); 1830 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1831 break; 1832 default: 1833 kprintf(SPP_FMT "%s illegal up in state %s\n", 1834 SPP_ARGS(ifp), cp->name, 1835 sppp_state_name(sp->state[cp->protoidx])); 1836 } 1837 } 1838 1839 static void 1840 sppp_down_event(const struct cp *cp, struct sppp *sp) 1841 { 1842 STDDCL; 1843 1844 if (debug) 1845 log(LOG_DEBUG, SPP_FMT "%s down(%s)\n", 1846 SPP_ARGS(ifp), cp->name, 1847 sppp_state_name(sp->state[cp->protoidx])); 1848 1849 switch (sp->state[cp->protoidx]) { 1850 case STATE_CLOSED: 1851 case STATE_CLOSING: 1852 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1853 break; 1854 case STATE_STOPPED: 1855 sppp_cp_change_state(cp, sp, STATE_STARTING); 1856 (cp->tls)(sp); 1857 break; 1858 case STATE_STOPPING: 1859 case STATE_REQ_SENT: 1860 case STATE_ACK_RCVD: 1861 case STATE_ACK_SENT: 1862 sppp_cp_change_state(cp, sp, STATE_STARTING); 1863 break; 1864 case STATE_OPENED: 1865 (cp->tld)(sp); 1866 sppp_cp_change_state(cp, sp, STATE_STARTING); 1867 break; 1868 default: 1869 kprintf(SPP_FMT "%s illegal down in state %s\n", 1870 SPP_ARGS(ifp), cp->name, 1871 sppp_state_name(sp->state[cp->protoidx])); 1872 } 1873 } 1874 1875 1876 static void 1877 sppp_open_event(const struct cp *cp, struct sppp *sp) 1878 { 1879 STDDCL; 1880 1881 if (debug) 1882 log(LOG_DEBUG, SPP_FMT "%s open(%s)\n", 1883 SPP_ARGS(ifp), cp->name, 1884 sppp_state_name(sp->state[cp->protoidx])); 1885 1886 switch (sp->state[cp->protoidx]) { 1887 case STATE_INITIAL: 1888 sppp_cp_change_state(cp, sp, STATE_STARTING); 1889 (cp->tls)(sp); 1890 break; 1891 case STATE_STARTING: 1892 break; 1893 case STATE_CLOSED: 1894 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1895 (cp->scr)(sp); 1896 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1897 break; 1898 case STATE_STOPPED: 1899 /* 1900 * Try escaping stopped state. This seems to bite 1901 * people occasionally, in particular for IPCP, 1902 * presumably following previous IPCP negotiation 1903 * aborts. Somehow, we must have missed a Down event 1904 * which would have caused a transition into starting 1905 * state, so as a bandaid we force the Down event now. 1906 * This effectively implements (something like the) 1907 * `restart' option mentioned in the state transition 1908 * table of RFC 1661. 1909 */ 1910 sppp_cp_change_state(cp, sp, STATE_STARTING); 1911 (cp->tls)(sp); 1912 break; 1913 case STATE_STOPPING: 1914 case STATE_REQ_SENT: 1915 case STATE_ACK_RCVD: 1916 case STATE_ACK_SENT: 1917 case STATE_OPENED: 1918 break; 1919 case STATE_CLOSING: 1920 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1921 break; 1922 } 1923 } 1924 1925 1926 static void 1927 sppp_close_event(const struct cp *cp, struct sppp *sp) 1928 { 1929 STDDCL; 1930 1931 if (debug) 1932 log(LOG_DEBUG, SPP_FMT "%s close(%s)\n", 1933 SPP_ARGS(ifp), cp->name, 1934 sppp_state_name(sp->state[cp->protoidx])); 1935 1936 switch (sp->state[cp->protoidx]) { 1937 case STATE_INITIAL: 1938 case STATE_CLOSED: 1939 case STATE_CLOSING: 1940 break; 1941 case STATE_STARTING: 1942 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1943 (cp->tlf)(sp); 1944 break; 1945 case STATE_STOPPED: 1946 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1947 break; 1948 case STATE_STOPPING: 1949 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1950 break; 1951 case STATE_OPENED: 1952 (cp->tld)(sp); 1953 /* fall through */ 1954 case STATE_REQ_SENT: 1955 case STATE_ACK_RCVD: 1956 case STATE_ACK_SENT: 1957 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 1958 sppp_cp_send(sp, cp->proto, TERM_REQ, 1959 ++sp->pp_seq[cp->protoidx], 0, 0); 1960 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1961 break; 1962 } 1963 } 1964 1965 static void 1966 sppp_to_event(const struct cp *cp, struct sppp *sp) 1967 { 1968 STDDCL; 1969 1970 crit_enter(); 1971 1972 if (debug) 1973 log(LOG_DEBUG, SPP_FMT "%s TO(%s) rst_counter = %d\n", 1974 SPP_ARGS(ifp), cp->name, 1975 sppp_state_name(sp->state[cp->protoidx]), 1976 sp->rst_counter[cp->protoidx]); 1977 1978 if (--sp->rst_counter[cp->protoidx] < 0) 1979 /* TO- event */ 1980 switch (sp->state[cp->protoidx]) { 1981 case STATE_CLOSING: 1982 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1983 (cp->tlf)(sp); 1984 break; 1985 case STATE_STOPPING: 1986 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1987 (cp->tlf)(sp); 1988 break; 1989 case STATE_REQ_SENT: 1990 case STATE_ACK_RCVD: 1991 case STATE_ACK_SENT: 1992 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1993 (cp->tlf)(sp); 1994 break; 1995 } 1996 else 1997 /* TO+ event */ 1998 switch (sp->state[cp->protoidx]) { 1999 case STATE_CLOSING: 2000 case STATE_STOPPING: 2001 sppp_cp_send(sp, cp->proto, TERM_REQ, 2002 ++sp->pp_seq[cp->protoidx], 0, 0); 2003 callout_reset(&sp->timeout[cp->protoidx], 2004 sp->lcp.timeout, cp->TO, sp); 2005 break; 2006 case STATE_REQ_SENT: 2007 case STATE_ACK_RCVD: 2008 (cp->scr)(sp); 2009 /* sppp_cp_change_state() will restart the timer */ 2010 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2011 break; 2012 case STATE_ACK_SENT: 2013 (cp->scr)(sp); 2014 callout_reset(&sp->timeout[cp->protoidx], 2015 sp->lcp.timeout, cp->TO, sp); 2016 break; 2017 } 2018 2019 crit_exit(); 2020 } 2021 2022 /* 2023 * Change the state of a control protocol in the state automaton. 2024 * Takes care of starting/stopping the restart timer. 2025 */ 2026 void 2027 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2028 { 2029 sp->state[cp->protoidx] = newstate; 2030 callout_stop(&sp->timeout[cp->protoidx]); 2031 2032 switch (newstate) { 2033 case STATE_INITIAL: 2034 case STATE_STARTING: 2035 case STATE_CLOSED: 2036 case STATE_STOPPED: 2037 case STATE_OPENED: 2038 break; 2039 case STATE_CLOSING: 2040 case STATE_STOPPING: 2041 case STATE_REQ_SENT: 2042 case STATE_ACK_RCVD: 2043 case STATE_ACK_SENT: 2044 callout_reset(&sp->timeout[cp->protoidx], 2045 sp->lcp.timeout, cp->TO, sp); 2046 break; 2047 } 2048 } 2049 2050 /* 2051 *--------------------------------------------------------------------------* 2052 * * 2053 * The LCP implementation. * 2054 * * 2055 *--------------------------------------------------------------------------* 2056 */ 2057 static void 2058 sppp_lcp_init(struct sppp *sp) 2059 { 2060 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2061 sp->lcp.magic = 0; 2062 sp->state[IDX_LCP] = STATE_INITIAL; 2063 sp->fail_counter[IDX_LCP] = 0; 2064 sp->pp_seq[IDX_LCP] = 0; 2065 sp->pp_rseq[IDX_LCP] = 0; 2066 sp->lcp.protos = 0; 2067 sp->lcp.mru = sp->lcp.their_mru = PP_MTU; 2068 2069 /* Note that these values are relevant for all control protocols */ 2070 sp->lcp.timeout = 3 * hz; 2071 sp->lcp.max_terminate = 2; 2072 sp->lcp.max_configure = 10; 2073 sp->lcp.max_failure = 10; 2074 callout_init(&sp->timeout[IDX_LCP]); 2075 } 2076 2077 static void 2078 sppp_lcp_up(struct sppp *sp) 2079 { 2080 STDDCL; 2081 2082 sp->pp_alivecnt = 0; 2083 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2084 sp->lcp.magic = 0; 2085 sp->lcp.protos = 0; 2086 sp->lcp.mru = sp->lcp.their_mru = PP_MTU; 2087 /* 2088 * If this interface is passive or dial-on-demand, and we are 2089 * still in Initial state, it means we've got an incoming 2090 * call. Activate the interface. 2091 */ 2092 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2093 if (debug) 2094 log(LOG_DEBUG, 2095 SPP_FMT "Up event", SPP_ARGS(ifp)); 2096 ifp->if_flags |= IFF_RUNNING; 2097 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2098 if (debug) 2099 log(-1, "(incoming call)\n"); 2100 sp->pp_flags |= PP_CALLIN; 2101 lcp.Open(sp); 2102 } else if (debug) 2103 log(-1, "\n"); 2104 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2105 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2106 ifp->if_flags |= IFF_RUNNING; 2107 lcp.Open(sp); 2108 } 2109 2110 sppp_up_event(&lcp, sp); 2111 } 2112 2113 static void 2114 sppp_lcp_down(struct sppp *sp) 2115 { 2116 STDDCL; 2117 2118 sppp_down_event(&lcp, sp); 2119 2120 /* 2121 * If this is neither a dial-on-demand nor a passive 2122 * interface, simulate an ``ifconfig down'' action, so the 2123 * administrator can force a redial by another ``ifconfig 2124 * up''. XXX For leased line operation, should we immediately 2125 * try to reopen the connection here? 2126 */ 2127 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2128 log(LOG_INFO, 2129 SPP_FMT "Down event, taking interface down.\n", 2130 SPP_ARGS(ifp)); 2131 if_down(ifp); 2132 } else { 2133 if (debug) 2134 log(LOG_DEBUG, 2135 SPP_FMT "Down event (carrier loss)\n", 2136 SPP_ARGS(ifp)); 2137 sp->pp_flags &= ~PP_CALLIN; 2138 if (sp->state[IDX_LCP] != STATE_INITIAL) 2139 lcp.Close(sp); 2140 ifp->if_flags &= ~IFF_RUNNING; 2141 } 2142 } 2143 2144 static void 2145 sppp_lcp_open(struct sppp *sp) 2146 { 2147 /* 2148 * If we are authenticator, negotiate LCP_AUTH 2149 */ 2150 if (sp->hisauth.proto != 0) 2151 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2152 else 2153 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2154 sp->pp_flags &= ~PP_NEEDAUTH; 2155 sppp_open_event(&lcp, sp); 2156 } 2157 2158 static void 2159 sppp_lcp_close(struct sppp *sp) 2160 { 2161 sppp_close_event(&lcp, sp); 2162 } 2163 2164 static void 2165 sppp_lcp_TO(void *cookie) 2166 { 2167 sppp_to_event(&lcp, (struct sppp *)cookie); 2168 } 2169 2170 /* 2171 * Analyze a configure request. Return true if it was agreeable, and 2172 * caused action sca, false if it has been rejected or nak'ed, and 2173 * caused action scn. (The return value is used to make the state 2174 * transition decision in the state automaton.) 2175 */ 2176 static int 2177 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2178 { 2179 STDDCL; 2180 u_char *buf, *r, *p; 2181 int origlen, rlen; 2182 u_long nmagic; 2183 u_short authproto; 2184 2185 len -= 4; 2186 origlen = len; 2187 buf = r = kmalloc (len, M_TEMP, M_INTWAIT); 2188 2189 if (debug) 2190 log(LOG_DEBUG, SPP_FMT "lcp parse opts: ", 2191 SPP_ARGS(ifp)); 2192 2193 /* pass 1: check for things that need to be rejected */ 2194 p = (void*) (h+1); 2195 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2196 /* Sanity check option length */ 2197 if (p[1] > len) { 2198 /* Malicious option - drop immediately. 2199 * XXX Maybe we should just RXJ it? 2200 */ 2201 log(-1, "%s: received malicious LCP option 0x%02x, " 2202 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2203 p[0], p[1], len); 2204 goto drop; 2205 } 2206 if (debug) 2207 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2208 switch (*p) { 2209 case LCP_OPT_MAGIC: 2210 /* Magic number. */ 2211 if (len >= 6 && p[1] == 6) 2212 continue; 2213 if (debug) 2214 log(-1, "[invalid] "); 2215 break; 2216 case LCP_OPT_ASYNC_MAP: 2217 /* Async control character map. */ 2218 if (len >= 6 && p[1] == 6) 2219 continue; 2220 if (debug) 2221 log(-1, "[invalid] "); 2222 break; 2223 case LCP_OPT_MRU: 2224 /* Maximum receive unit. */ 2225 if (len >= 4 && p[1] == 4) 2226 continue; 2227 if (debug) 2228 log(-1, "[invalid] "); 2229 break; 2230 case LCP_OPT_AUTH_PROTO: 2231 if (len < 4) { 2232 if (debug) 2233 log(-1, "[invalid] "); 2234 break; 2235 } 2236 authproto = (p[2] << 8) + p[3]; 2237 if (authproto == PPP_CHAP && p[1] != 5) { 2238 if (debug) 2239 log(-1, "[invalid chap len] "); 2240 break; 2241 } 2242 if (sp->myauth.proto == 0) { 2243 /* we are not configured to do auth */ 2244 if (debug) 2245 log(-1, "[not configured] "); 2246 break; 2247 } 2248 /* 2249 * Remote want us to authenticate, remember this, 2250 * so we stay in PHASE_AUTHENTICATE after LCP got 2251 * up. 2252 */ 2253 sp->pp_flags |= PP_NEEDAUTH; 2254 continue; 2255 default: 2256 /* Others not supported. */ 2257 if (debug) 2258 log(-1, "[rej] "); 2259 break; 2260 } 2261 /* Add the option to rejected list. */ 2262 bcopy (p, r, p[1]); 2263 r += p[1]; 2264 rlen += p[1]; 2265 } 2266 if (rlen) { 2267 if (debug) 2268 log(-1, " send conf-rej\n"); 2269 sppp_cp_send (sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2270 return 0; 2271 } else if (debug) 2272 log(-1, "\n"); 2273 2274 /* 2275 * pass 2: check for option values that are unacceptable and 2276 * thus require to be nak'ed. 2277 */ 2278 if (debug) 2279 log(LOG_DEBUG, SPP_FMT "lcp parse opt values: ", 2280 SPP_ARGS(ifp)); 2281 2282 p = (void*) (h+1); 2283 len = origlen; 2284 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2285 if (debug) 2286 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2287 switch (*p) { 2288 case LCP_OPT_MAGIC: 2289 /* Magic number -- extract. */ 2290 nmagic = (u_long)p[2] << 24 | 2291 (u_long)p[3] << 16 | p[4] << 8 | p[5]; 2292 if (nmagic != sp->lcp.magic) { 2293 sp->pp_loopcnt = 0; 2294 if (debug) 2295 log(-1, "0x%lx ", nmagic); 2296 continue; 2297 } 2298 if (debug && sp->pp_loopcnt < MAXALIVECNT*5) 2299 log(-1, "[glitch] "); 2300 ++sp->pp_loopcnt; 2301 /* 2302 * We negate our magic here, and NAK it. If 2303 * we see it later in an NAK packet, we 2304 * suggest a new one. 2305 */ 2306 nmagic = ~sp->lcp.magic; 2307 /* Gonna NAK it. */ 2308 p[2] = nmagic >> 24; 2309 p[3] = nmagic >> 16; 2310 p[4] = nmagic >> 8; 2311 p[5] = nmagic; 2312 break; 2313 2314 case LCP_OPT_ASYNC_MAP: 2315 /* 2316 * Async control character map -- just ignore it. 2317 * 2318 * Quote from RFC 1662, chapter 6: 2319 * To enable this functionality, synchronous PPP 2320 * implementations MUST always respond to the 2321 * Async-Control-Character-Map Configuration 2322 * Option with the LCP Configure-Ack. However, 2323 * acceptance of the Configuration Option does 2324 * not imply that the synchronous implementation 2325 * will do any ACCM mapping. Instead, all such 2326 * octet mapping will be performed by the 2327 * asynchronous-to-synchronous converter. 2328 */ 2329 continue; 2330 2331 case LCP_OPT_MRU: 2332 /* 2333 * Maximum receive unit. Always agreeable, 2334 * but ignored by now. 2335 */ 2336 sp->lcp.their_mru = p[2] * 256 + p[3]; 2337 if (debug) 2338 log(-1, "%lu ", sp->lcp.their_mru); 2339 continue; 2340 2341 case LCP_OPT_AUTH_PROTO: 2342 authproto = (p[2] << 8) + p[3]; 2343 if (sp->myauth.proto != authproto) { 2344 /* not agreed, nak */ 2345 if (debug) 2346 log(-1, "[mine %s != his %s] ", 2347 sppp_proto_name(sp->hisauth.proto), 2348 sppp_proto_name(authproto)); 2349 p[2] = sp->myauth.proto >> 8; 2350 p[3] = sp->myauth.proto; 2351 break; 2352 } 2353 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2354 if (debug) 2355 log(-1, "[chap not MD5] "); 2356 p[4] = CHAP_MD5; 2357 break; 2358 } 2359 continue; 2360 } 2361 /* Add the option to nak'ed list. */ 2362 bcopy (p, r, p[1]); 2363 r += p[1]; 2364 rlen += p[1]; 2365 } 2366 if (rlen) { 2367 /* 2368 * Local and remote magics equal -- loopback? 2369 */ 2370 if (sp->pp_loopcnt >= MAXALIVECNT*5) { 2371 if (sp->pp_loopcnt == MAXALIVECNT*5) 2372 kprintf (SPP_FMT "loopback\n", 2373 SPP_ARGS(ifp)); 2374 if (ifp->if_flags & IFF_UP) { 2375 if_down(ifp); 2376 IF_DRAIN(&sp->pp_cpq); 2377 /* XXX ? */ 2378 lcp.Down(sp); 2379 lcp.Up(sp); 2380 } 2381 } else if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2382 if (debug) 2383 log(-1, " max_failure (%d) exceeded, " 2384 "send conf-rej\n", 2385 sp->lcp.max_failure); 2386 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2387 } else { 2388 if (debug) 2389 log(-1, " send conf-nak\n"); 2390 sppp_cp_send (sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2391 } 2392 } else { 2393 if (debug) 2394 log(-1, " send conf-ack\n"); 2395 sp->fail_counter[IDX_LCP] = 0; 2396 sp->pp_loopcnt = 0; 2397 sppp_cp_send (sp, PPP_LCP, CONF_ACK, 2398 h->ident, origlen, h+1); 2399 } 2400 2401 kfree (buf, M_TEMP); 2402 return (rlen == 0); 2403 2404 drop: 2405 kfree(buf, M_TEMP); 2406 return (-1); 2407 } 2408 2409 /* 2410 * Analyze the LCP Configure-Reject option list, and adjust our 2411 * negotiation. 2412 */ 2413 static void 2414 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2415 { 2416 STDDCL; 2417 u_char *buf, *p; 2418 2419 len -= 4; 2420 buf = kmalloc (len, M_TEMP, M_INTWAIT); 2421 2422 if (debug) 2423 log(LOG_DEBUG, SPP_FMT "lcp rej opts: ", 2424 SPP_ARGS(ifp)); 2425 2426 p = (void*) (h+1); 2427 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2428 /* Sanity check option length */ 2429 if (p[1] > len) { 2430 /* 2431 * Malicious option - drop immediately. 2432 * XXX Maybe we should just RXJ it? 2433 */ 2434 log(-1, "%s: received malicious LCP option, " 2435 "dropping.\n", ifp->if_xname); 2436 goto drop; 2437 } 2438 if (debug) 2439 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2440 switch (*p) { 2441 case LCP_OPT_MAGIC: 2442 /* Magic number -- can't use it, use 0 */ 2443 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2444 sp->lcp.magic = 0; 2445 break; 2446 case LCP_OPT_MRU: 2447 /* 2448 * Should not be rejected anyway, since we only 2449 * negotiate a MRU if explicitly requested by 2450 * peer. 2451 */ 2452 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2453 break; 2454 case LCP_OPT_AUTH_PROTO: 2455 /* 2456 * Peer doesn't want to authenticate himself, 2457 * deny unless this is a dialout call, and 2458 * AUTHFLAG_NOCALLOUT is set. 2459 */ 2460 if ((sp->pp_flags & PP_CALLIN) == 0 && 2461 (sp->hisauth.flags & AUTHFLAG_NOCALLOUT) != 0) { 2462 if (debug) 2463 log(-1, "[don't insist on auth " 2464 "for callout]"); 2465 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2466 break; 2467 } 2468 if (debug) 2469 log(-1, "[access denied]\n"); 2470 lcp.Close(sp); 2471 break; 2472 } 2473 } 2474 if (debug) 2475 log(-1, "\n"); 2476 drop: 2477 kfree (buf, M_TEMP); 2478 return; 2479 } 2480 2481 /* 2482 * Analyze the LCP Configure-NAK option list, and adjust our 2483 * negotiation. 2484 */ 2485 static void 2486 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2487 { 2488 STDDCL; 2489 u_char *buf, *p; 2490 u_long magic; 2491 2492 len -= 4; 2493 buf = kmalloc (len, M_TEMP, M_INTWAIT); 2494 2495 if (debug) 2496 log(LOG_DEBUG, SPP_FMT "lcp nak opts: ", 2497 SPP_ARGS(ifp)); 2498 2499 p = (void*) (h+1); 2500 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2501 /* Sanity check option length */ 2502 if (p[1] > len) { 2503 /* 2504 * Malicious option - drop immediately. 2505 * XXX Maybe we should just RXJ it? 2506 */ 2507 log(-1, "%s: received malicious LCP option, " 2508 "dropping.\n", ifp->if_xname); 2509 goto drop; 2510 } 2511 if (debug) 2512 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2513 switch (*p) { 2514 case LCP_OPT_MAGIC: 2515 /* Magic number -- renegotiate */ 2516 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2517 len >= 6 && p[1] == 6) { 2518 magic = (u_long)p[2] << 24 | 2519 (u_long)p[3] << 16 | p[4] << 8 | p[5]; 2520 /* 2521 * If the remote magic is our negated one, 2522 * this looks like a loopback problem. 2523 * Suggest a new magic to make sure. 2524 */ 2525 if (magic == ~sp->lcp.magic) { 2526 if (debug) 2527 log(-1, "magic glitch "); 2528 sp->lcp.magic = krandom(); 2529 } else { 2530 sp->lcp.magic = magic; 2531 if (debug) 2532 log(-1, "%lu ", magic); 2533 } 2534 } 2535 break; 2536 case LCP_OPT_MRU: 2537 /* 2538 * Peer wants to advise us to negotiate an MRU. 2539 * Agree on it if it's reasonable, or use 2540 * default otherwise. 2541 */ 2542 if (len >= 4 && p[1] == 4) { 2543 u_int mru = p[2] * 256 + p[3]; 2544 if (debug) 2545 log(-1, "%d ", mru); 2546 if (mru < PP_MTU || mru > PP_MAX_MRU) 2547 mru = PP_MTU; 2548 sp->lcp.mru = mru; 2549 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2550 } 2551 break; 2552 case LCP_OPT_AUTH_PROTO: 2553 /* 2554 * Peer doesn't like our authentication method, 2555 * deny. 2556 */ 2557 if (debug) 2558 log(-1, "[access denied]\n"); 2559 lcp.Close(sp); 2560 break; 2561 } 2562 } 2563 if (debug) 2564 log(-1, "\n"); 2565 drop: 2566 kfree (buf, M_TEMP); 2567 return; 2568 } 2569 2570 static void 2571 sppp_lcp_tlu(struct sppp *sp) 2572 { 2573 STDDCL; 2574 int i; 2575 u_long mask; 2576 2577 /* XXX ? */ 2578 if (! (ifp->if_flags & IFF_UP) && 2579 (ifp->if_flags & IFF_RUNNING)) { 2580 /* Coming out of loopback mode. */ 2581 if_up(ifp); 2582 kprintf (SPP_FMT "up\n", SPP_ARGS(ifp)); 2583 } 2584 2585 for (i = 0; i < IDX_COUNT; i++) 2586 if ((cps[i])->flags & CP_QUAL) 2587 (cps[i])->Open(sp); 2588 2589 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2590 (sp->pp_flags & PP_NEEDAUTH) != 0) 2591 sp->pp_phase = PHASE_AUTHENTICATE; 2592 else 2593 sp->pp_phase = PHASE_NETWORK; 2594 2595 if (debug) 2596 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2597 sppp_phase_name(sp->pp_phase)); 2598 2599 /* 2600 * Open all authentication protocols. This is even required 2601 * if we already proceeded to network phase, since it might be 2602 * that remote wants us to authenticate, so we might have to 2603 * send a PAP request. Undesired authentication protocols 2604 * don't do anything when they get an Open event. 2605 */ 2606 for (i = 0; i < IDX_COUNT; i++) 2607 if ((cps[i])->flags & CP_AUTH) 2608 (cps[i])->Open(sp); 2609 2610 if (sp->pp_phase == PHASE_NETWORK) { 2611 /* Notify all NCPs. */ 2612 for (i = 0; i < IDX_COUNT; i++) 2613 if (((cps[i])->flags & CP_NCP) && 2614 /* 2615 * XXX 2616 * Hack to administratively disable IPv6 if 2617 * not desired. Perhaps we should have another 2618 * flag for this, but right now, we can make 2619 * all struct cp's read/only. 2620 */ 2621 (cps[i] != &ipv6cp || 2622 (sp->confflags & CONF_ENABLE_IPV6))) 2623 (cps[i])->Open(sp); 2624 } 2625 2626 /* Send Up events to all started protos. */ 2627 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2628 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) 2629 (cps[i])->Up(sp); 2630 2631 /* notify low-level driver of state change */ 2632 if (sp->pp_chg) 2633 sp->pp_chg(sp, (int)sp->pp_phase); 2634 2635 if (sp->pp_phase == PHASE_NETWORK) 2636 /* if no NCP is starting, close down */ 2637 sppp_lcp_check_and_close(sp); 2638 } 2639 2640 static void 2641 sppp_lcp_tld(struct sppp *sp) 2642 { 2643 STDDCL; 2644 int i; 2645 u_long mask; 2646 2647 sp->pp_phase = PHASE_TERMINATE; 2648 2649 if (debug) 2650 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2651 sppp_phase_name(sp->pp_phase)); 2652 2653 /* 2654 * Take upper layers down. We send the Down event first and 2655 * the Close second to prevent the upper layers from sending 2656 * ``a flurry of terminate-request packets'', as the RFC 2657 * describes it. 2658 */ 2659 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2660 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2661 (cps[i])->Down(sp); 2662 (cps[i])->Close(sp); 2663 } 2664 } 2665 2666 static void 2667 sppp_lcp_tls(struct sppp *sp) 2668 { 2669 STDDCL; 2670 2671 sp->pp_phase = PHASE_ESTABLISH; 2672 2673 if (debug) 2674 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2675 sppp_phase_name(sp->pp_phase)); 2676 2677 /* Notify lower layer if desired. */ 2678 if (sp->pp_tls) 2679 (sp->pp_tls)(sp); 2680 else 2681 (sp->pp_up)(sp); 2682 } 2683 2684 static void 2685 sppp_lcp_tlf(struct sppp *sp) 2686 { 2687 STDDCL; 2688 2689 sp->pp_phase = PHASE_DEAD; 2690 if (debug) 2691 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2692 sppp_phase_name(sp->pp_phase)); 2693 2694 /* Notify lower layer if desired. */ 2695 if (sp->pp_tlf) 2696 (sp->pp_tlf)(sp); 2697 else 2698 (sp->pp_down)(sp); 2699 } 2700 2701 static void 2702 sppp_lcp_scr(struct sppp *sp) 2703 { 2704 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2705 int i = 0; 2706 u_short authproto; 2707 2708 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2709 if (! sp->lcp.magic) 2710 sp->lcp.magic = krandom(); 2711 opt[i++] = LCP_OPT_MAGIC; 2712 opt[i++] = 6; 2713 opt[i++] = sp->lcp.magic >> 24; 2714 opt[i++] = sp->lcp.magic >> 16; 2715 opt[i++] = sp->lcp.magic >> 8; 2716 opt[i++] = sp->lcp.magic; 2717 } 2718 2719 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2720 opt[i++] = LCP_OPT_MRU; 2721 opt[i++] = 4; 2722 opt[i++] = sp->lcp.mru >> 8; 2723 opt[i++] = sp->lcp.mru; 2724 } 2725 2726 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2727 authproto = sp->hisauth.proto; 2728 opt[i++] = LCP_OPT_AUTH_PROTO; 2729 opt[i++] = authproto == PPP_CHAP? 5: 4; 2730 opt[i++] = authproto >> 8; 2731 opt[i++] = authproto; 2732 if (authproto == PPP_CHAP) 2733 opt[i++] = CHAP_MD5; 2734 } 2735 2736 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2737 sppp_cp_send (sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2738 } 2739 2740 /* 2741 * Check the open NCPs, return true if at least one NCP is open. 2742 */ 2743 static int 2744 sppp_ncp_check(struct sppp *sp) 2745 { 2746 int i, mask; 2747 2748 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2749 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2750 return 1; 2751 return 0; 2752 } 2753 2754 /* 2755 * Re-check the open NCPs and see if we should terminate the link. 2756 * Called by the NCPs during their tlf action handling. 2757 */ 2758 static void 2759 sppp_lcp_check_and_close(struct sppp *sp) 2760 { 2761 2762 if (sp->pp_phase < PHASE_NETWORK) 2763 /* don't bother, we are already going down */ 2764 return; 2765 2766 if (sppp_ncp_check(sp)) 2767 return; 2768 2769 lcp.Close(sp); 2770 } 2771 2772 /* 2773 *--------------------------------------------------------------------------* 2774 * * 2775 * The IPCP implementation. * 2776 * * 2777 *--------------------------------------------------------------------------* 2778 */ 2779 2780 static void 2781 sppp_ipcp_init(struct sppp *sp) 2782 { 2783 sp->ipcp.opts = 0; 2784 sp->ipcp.flags = 0; 2785 sp->state[IDX_IPCP] = STATE_INITIAL; 2786 sp->fail_counter[IDX_IPCP] = 0; 2787 sp->pp_seq[IDX_IPCP] = 0; 2788 sp->pp_rseq[IDX_IPCP] = 0; 2789 callout_init(&sp->timeout[IDX_IPCP]); 2790 } 2791 2792 static void 2793 sppp_ipcp_up(struct sppp *sp) 2794 { 2795 sppp_up_event(&ipcp, sp); 2796 } 2797 2798 static void 2799 sppp_ipcp_down(struct sppp *sp) 2800 { 2801 sppp_down_event(&ipcp, sp); 2802 } 2803 2804 static void 2805 sppp_ipcp_open(struct sppp *sp) 2806 { 2807 STDDCL; 2808 u_long myaddr, hisaddr; 2809 2810 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN | IPCP_MYADDR_SEEN | 2811 IPCP_MYADDR_DYN | IPCP_VJ); 2812 sp->ipcp.opts = 0; 2813 2814 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 2815 /* 2816 * If we don't have his address, this probably means our 2817 * interface doesn't want to talk IP at all. (This could 2818 * be the case if somebody wants to speak only IPX, for 2819 * example.) Don't open IPCP in this case. 2820 */ 2821 if (hisaddr == 0L) { 2822 /* XXX this message should go away */ 2823 if (debug) 2824 log(LOG_DEBUG, SPP_FMT "ipcp_open(): no IP interface\n", 2825 SPP_ARGS(ifp)); 2826 return; 2827 } 2828 if (myaddr == 0L) { 2829 /* 2830 * I don't have an assigned address, so i need to 2831 * negotiate my address. 2832 */ 2833 sp->ipcp.flags |= IPCP_MYADDR_DYN; 2834 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 2835 } else 2836 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 2837 if (sp->confflags & CONF_ENABLE_VJ) { 2838 sp->ipcp.opts |= (1 << IPCP_OPT_COMPRESSION); 2839 sp->ipcp.max_state = MAX_STATES - 1; 2840 sp->ipcp.compress_cid = 1; 2841 } 2842 sppp_open_event(&ipcp, sp); 2843 } 2844 2845 static void 2846 sppp_ipcp_close(struct sppp *sp) 2847 { 2848 sppp_close_event(&ipcp, sp); 2849 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 2850 /* 2851 * My address was dynamic, clear it again. 2852 */ 2853 sppp_set_ip_addr(sp, 0L); 2854 } 2855 2856 static void 2857 sppp_ipcp_TO(void *cookie) 2858 { 2859 sppp_to_event(&ipcp, (struct sppp *)cookie); 2860 } 2861 2862 /* 2863 * Analyze a configure request. Return true if it was agreeable, and 2864 * caused action sca, false if it has been rejected or nak'ed, and 2865 * caused action scn. (The return value is used to make the state 2866 * transition decision in the state automaton.) 2867 */ 2868 static int 2869 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2870 { 2871 u_char *buf, *r, *p; 2872 struct ifnet *ifp = &sp->pp_if; 2873 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 2874 u_long hisaddr, desiredaddr; 2875 int gotmyaddr = 0; 2876 int desiredcomp; 2877 2878 len -= 4; 2879 origlen = len; 2880 /* 2881 * Make sure to allocate a buf that can at least hold a 2882 * conf-nak with an `address' option. We might need it below. 2883 */ 2884 buf = r = kmalloc ((len < 6? 6: len), M_TEMP, M_INTWAIT); 2885 2886 /* pass 1: see if we can recognize them */ 2887 if (debug) 2888 log(LOG_DEBUG, SPP_FMT "ipcp parse opts: ", 2889 SPP_ARGS(ifp)); 2890 p = (void*) (h+1); 2891 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2892 /* Sanity check option length */ 2893 if (p[1] > len) { 2894 /* XXX should we just RXJ? */ 2895 log(-1, "%s: malicious IPCP option received, dropping\n", 2896 ifp->if_xname); 2897 goto drop; 2898 } 2899 if (debug) 2900 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 2901 switch (*p) { 2902 case IPCP_OPT_COMPRESSION: 2903 if (!(sp->confflags & CONF_ENABLE_VJ)) { 2904 /* VJ compression administratively disabled */ 2905 if (debug) 2906 log(-1, "[locally disabled] "); 2907 break; 2908 } 2909 /* 2910 * In theory, we should only conf-rej an 2911 * option that is shorter than RFC 1618 2912 * requires (i.e. < 4), and should conf-nak 2913 * anything else that is not VJ. However, 2914 * since our algorithm always uses the 2915 * original option to NAK it with new values, 2916 * things would become more complicated. In 2917 * pratice, the only commonly implemented IP 2918 * compression option is VJ anyway, so the 2919 * difference is negligible. 2920 */ 2921 if (len >= 6 && p[1] == 6) { 2922 /* 2923 * correctly formed compression option 2924 * that could be VJ compression 2925 */ 2926 continue; 2927 } 2928 if (debug) 2929 log(-1, "optlen %d [invalid/unsupported] ", 2930 p[1]); 2931 break; 2932 case IPCP_OPT_ADDRESS: 2933 if (len >= 6 && p[1] == 6) { 2934 /* correctly formed address option */ 2935 continue; 2936 } 2937 if (debug) 2938 log(-1, "[invalid] "); 2939 break; 2940 default: 2941 /* Others not supported. */ 2942 if (debug) 2943 log(-1, "[rej] "); 2944 break; 2945 } 2946 /* Add the option to rejected list. */ 2947 bcopy (p, r, p[1]); 2948 r += p[1]; 2949 rlen += p[1]; 2950 } 2951 if (rlen) { 2952 if (debug) 2953 log(-1, " send conf-rej\n"); 2954 sppp_cp_send (sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 2955 return 0; 2956 } else if (debug) 2957 log(-1, "\n"); 2958 2959 /* pass 2: parse option values */ 2960 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); 2961 if (debug) 2962 log(LOG_DEBUG, SPP_FMT "ipcp parse opt values: ", 2963 SPP_ARGS(ifp)); 2964 p = (void*) (h+1); 2965 len = origlen; 2966 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2967 if (debug) 2968 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 2969 switch (*p) { 2970 case IPCP_OPT_COMPRESSION: 2971 desiredcomp = p[2] << 8 | p[3]; 2972 /* We only support VJ */ 2973 if (desiredcomp == IPCP_COMP_VJ) { 2974 if (debug) 2975 log(-1, "VJ [ack] "); 2976 sp->ipcp.flags |= IPCP_VJ; 2977 sl_compress_init(sp->pp_comp, p[4]); 2978 sp->ipcp.max_state = p[4]; 2979 sp->ipcp.compress_cid = p[5]; 2980 continue; 2981 } 2982 if (debug) 2983 log(-1, "compproto %#04x [not supported] ", 2984 desiredcomp); 2985 p[2] = IPCP_COMP_VJ >> 8; 2986 p[3] = IPCP_COMP_VJ; 2987 p[4] = sp->ipcp.max_state; 2988 p[5] = sp->ipcp.compress_cid; 2989 break; 2990 case IPCP_OPT_ADDRESS: 2991 /* This is the address he wants in his end */ 2992 desiredaddr = p[2] << 24 | p[3] << 16 | 2993 p[4] << 8 | p[5]; 2994 if (desiredaddr == hisaddr || 2995 (hisaddr >= 1 && hisaddr <= 254 && desiredaddr != 0)) { 2996 /* 2997 * Peer's address is same as our value, 2998 * or we have set it to 0.0.0.* to 2999 * indicate that we do not really care, 3000 * this is agreeable. Gonna conf-ack 3001 * it. 3002 */ 3003 if (debug) 3004 log(-1, "%s [ack] ", 3005 sppp_dotted_quad(hisaddr)); 3006 /* record that we've seen it already */ 3007 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 3008 continue; 3009 } 3010 /* 3011 * The address wasn't agreeable. This is either 3012 * he sent us 0.0.0.0, asking to assign him an 3013 * address, or he send us another address not 3014 * matching our value. Either case, we gonna 3015 * conf-nak it with our value. 3016 * XXX: we should "rej" if hisaddr == 0 3017 */ 3018 if (debug) { 3019 if (desiredaddr == 0) 3020 log(-1, "[addr requested] "); 3021 else 3022 log(-1, "%s [not agreed] ", 3023 sppp_dotted_quad(desiredaddr)); 3024 3025 } 3026 p[2] = hisaddr >> 24; 3027 p[3] = hisaddr >> 16; 3028 p[4] = hisaddr >> 8; 3029 p[5] = hisaddr; 3030 break; 3031 } 3032 /* Add the option to nak'ed list. */ 3033 bcopy (p, r, p[1]); 3034 r += p[1]; 3035 rlen += p[1]; 3036 } 3037 3038 /* 3039 * If we are about to conf-ack the request, but haven't seen 3040 * his address so far, gonna conf-nak it instead, with the 3041 * `address' option present and our idea of his address being 3042 * filled in there, to request negotiation of both addresses. 3043 * 3044 * XXX This can result in an endless req - nak loop if peer 3045 * doesn't want to send us his address. Q: What should we do 3046 * about it? XXX A: implement the max-failure counter. 3047 */ 3048 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN) && !gotmyaddr) { 3049 buf[0] = IPCP_OPT_ADDRESS; 3050 buf[1] = 6; 3051 buf[2] = hisaddr >> 24; 3052 buf[3] = hisaddr >> 16; 3053 buf[4] = hisaddr >> 8; 3054 buf[5] = hisaddr; 3055 rlen = 6; 3056 if (debug) 3057 log(-1, "still need hisaddr "); 3058 } 3059 3060 if (rlen) { 3061 if (debug) 3062 log(-1, " send conf-nak\n"); 3063 sppp_cp_send (sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3064 } else { 3065 if (debug) 3066 log(-1, " send conf-ack\n"); 3067 sppp_cp_send (sp, PPP_IPCP, CONF_ACK, 3068 h->ident, origlen, h+1); 3069 } 3070 3071 kfree (buf, M_TEMP); 3072 return (rlen == 0); 3073 3074 drop: 3075 kfree(buf, M_TEMP); 3076 return (-1); 3077 } 3078 3079 /* 3080 * Analyze the IPCP Configure-Reject option list, and adjust our 3081 * negotiation. 3082 */ 3083 static void 3084 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3085 { 3086 u_char *buf, *p; 3087 struct ifnet *ifp = &sp->pp_if; 3088 int debug = ifp->if_flags & IFF_DEBUG; 3089 3090 len -= 4; 3091 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3092 3093 if (debug) 3094 log(LOG_DEBUG, SPP_FMT "ipcp rej opts: ", 3095 SPP_ARGS(ifp)); 3096 3097 p = (void*) (h+1); 3098 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3099 /* Sanity check option length */ 3100 if (p[1] > len) { 3101 /* XXX should we just RXJ? */ 3102 log(-1, "%s: malicious IPCP option received, dropping\n", 3103 ifp->if_xname); 3104 goto drop; 3105 } 3106 if (debug) 3107 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3108 switch (*p) { 3109 case IPCP_OPT_COMPRESSION: 3110 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESSION); 3111 break; 3112 case IPCP_OPT_ADDRESS: 3113 /* 3114 * Peer doesn't grok address option. This is 3115 * bad. XXX Should we better give up here? 3116 * XXX We could try old "addresses" option... 3117 */ 3118 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3119 break; 3120 } 3121 } 3122 if (debug) 3123 log(-1, "\n"); 3124 drop: 3125 kfree (buf, M_TEMP); 3126 return; 3127 } 3128 3129 /* 3130 * Analyze the IPCP Configure-NAK option list, and adjust our 3131 * negotiation. 3132 */ 3133 static void 3134 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3135 { 3136 u_char *buf, *p; 3137 struct ifnet *ifp = &sp->pp_if; 3138 int debug = ifp->if_flags & IFF_DEBUG; 3139 int desiredcomp; 3140 u_long wantaddr; 3141 3142 len -= 4; 3143 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3144 3145 if (debug) 3146 log(LOG_DEBUG, SPP_FMT "ipcp nak opts: ", 3147 SPP_ARGS(ifp)); 3148 3149 p = (void*) (h+1); 3150 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3151 /* Sanity check option length */ 3152 if (p[1] > len) { 3153 /* XXX should we just RXJ? */ 3154 log(-1, "%s: malicious IPCP option received, dropping\n", 3155 ifp->if_xname); 3156 return; 3157 } 3158 if (debug) 3159 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3160 switch (*p) { 3161 case IPCP_OPT_COMPRESSION: 3162 if (len >= 6 && p[1] == 6) { 3163 desiredcomp = p[2] << 8 | p[3]; 3164 if (debug) 3165 log(-1, "[wantcomp %#04x] ", 3166 desiredcomp); 3167 if (desiredcomp == IPCP_COMP_VJ) { 3168 sl_compress_init(sp->pp_comp, p[4]); 3169 sp->ipcp.max_state = p[4]; 3170 sp->ipcp.compress_cid = p[5]; 3171 if (debug) 3172 log(-1, "[agree] "); 3173 } else 3174 sp->ipcp.opts &= 3175 ~(1 << IPCP_OPT_COMPRESSION); 3176 } 3177 break; 3178 case IPCP_OPT_ADDRESS: 3179 /* 3180 * Peer doesn't like our local IP address. See 3181 * if we can do something for him. We'll drop 3182 * him our address then. 3183 */ 3184 if (len >= 6 && p[1] == 6) { 3185 wantaddr = p[2] << 24 | p[3] << 16 | 3186 p[4] << 8 | p[5]; 3187 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3188 if (debug) 3189 log(-1, "[wantaddr %s] ", 3190 sppp_dotted_quad(wantaddr)); 3191 /* 3192 * When doing dynamic address assignment, 3193 * we accept his offer. Otherwise, we 3194 * ignore it and thus continue to negotiate 3195 * our already existing value. 3196 * XXX: Bogus, if he said no once, he'll 3197 * just say no again, might as well die. 3198 */ 3199 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3200 sppp_set_ip_addr(sp, wantaddr); 3201 if (debug) 3202 log(-1, "[agree] "); 3203 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3204 } 3205 } 3206 break; 3207 } 3208 } 3209 if (debug) 3210 log(-1, "\n"); 3211 kfree (buf, M_TEMP); 3212 return; 3213 } 3214 3215 static void 3216 sppp_ipcp_tlu(struct sppp *sp) 3217 { 3218 /* we are up - notify isdn daemon */ 3219 if (sp->pp_con) 3220 sp->pp_con(sp); 3221 } 3222 3223 static void 3224 sppp_ipcp_tld(struct sppp *sp) 3225 { 3226 } 3227 3228 static void 3229 sppp_ipcp_tls(struct sppp *sp) 3230 { 3231 /* indicate to LCP that it must stay alive */ 3232 sp->lcp.protos |= (1 << IDX_IPCP); 3233 } 3234 3235 static void 3236 sppp_ipcp_tlf(struct sppp *sp) 3237 { 3238 /* we no longer need LCP */ 3239 sp->lcp.protos &= ~(1 << IDX_IPCP); 3240 sppp_lcp_check_and_close(sp); 3241 } 3242 3243 static void 3244 sppp_ipcp_scr(struct sppp *sp) 3245 { 3246 char opt[6 /* compression */ + 6 /* address */]; 3247 u_long ouraddr; 3248 int i = 0; 3249 3250 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3251 opt[i++] = IPCP_OPT_COMPRESSION; 3252 opt[i++] = 6; 3253 opt[i++] = IPCP_COMP_VJ >> 8; 3254 opt[i++] = IPCP_COMP_VJ; 3255 opt[i++] = sp->ipcp.max_state; 3256 opt[i++] = sp->ipcp.compress_cid; 3257 } 3258 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3259 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3260 opt[i++] = IPCP_OPT_ADDRESS; 3261 opt[i++] = 6; 3262 opt[i++] = ouraddr >> 24; 3263 opt[i++] = ouraddr >> 16; 3264 opt[i++] = ouraddr >> 8; 3265 opt[i++] = ouraddr; 3266 } 3267 3268 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3269 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3270 } 3271 3272 /* 3273 *--------------------------------------------------------------------------* 3274 * * 3275 * The IPv6CP implementation. * 3276 * * 3277 *--------------------------------------------------------------------------* 3278 */ 3279 3280 #ifdef INET6 3281 static void 3282 sppp_ipv6cp_init(struct sppp *sp) 3283 { 3284 sp->ipv6cp.opts = 0; 3285 sp->ipv6cp.flags = 0; 3286 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3287 sp->fail_counter[IDX_IPV6CP] = 0; 3288 sp->pp_seq[IDX_IPV6CP] = 0; 3289 sp->pp_rseq[IDX_IPV6CP] = 0; 3290 callout_init(&sp->timeout[IDX_IPV6CP]); 3291 } 3292 3293 static void 3294 sppp_ipv6cp_up(struct sppp *sp) 3295 { 3296 sppp_up_event(&ipv6cp, sp); 3297 } 3298 3299 static void 3300 sppp_ipv6cp_down(struct sppp *sp) 3301 { 3302 sppp_down_event(&ipv6cp, sp); 3303 } 3304 3305 static void 3306 sppp_ipv6cp_open(struct sppp *sp) 3307 { 3308 STDDCL; 3309 struct in6_addr myaddr, hisaddr; 3310 3311 #ifdef IPV6CP_MYIFID_DYN 3312 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3313 #else 3314 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3315 #endif 3316 3317 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3318 /* 3319 * If we don't have our address, this probably means our 3320 * interface doesn't want to talk IPv6 at all. (This could 3321 * be the case if somebody wants to speak only IPX, for 3322 * example.) Don't open IPv6CP in this case. 3323 */ 3324 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3325 /* XXX this message should go away */ 3326 if (debug) 3327 log(LOG_DEBUG, SPP_FMT "ipv6cp_open(): no IPv6 interface\n", 3328 SPP_ARGS(ifp)); 3329 return; 3330 } 3331 3332 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3333 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3334 sppp_open_event(&ipv6cp, sp); 3335 } 3336 3337 static void 3338 sppp_ipv6cp_close(struct sppp *sp) 3339 { 3340 sppp_close_event(&ipv6cp, sp); 3341 } 3342 3343 static void 3344 sppp_ipv6cp_TO(void *cookie) 3345 { 3346 sppp_to_event(&ipv6cp, (struct sppp *)cookie); 3347 } 3348 3349 /* 3350 * Analyze a configure request. Return true if it was agreeable, and 3351 * caused action sca, false if it has been rejected or nak'ed, and 3352 * caused action scn. (The return value is used to make the state 3353 * transition decision in the state automaton.) 3354 */ 3355 static int 3356 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3357 { 3358 u_char *buf, *r, *p; 3359 struct ifnet *ifp = &sp->pp_if; 3360 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3361 struct in6_addr myaddr, desiredaddr, suggestaddr; 3362 int ifidcount; 3363 int type; 3364 int collision, nohisaddr; 3365 3366 len -= 4; 3367 origlen = len; 3368 /* 3369 * Make sure to allocate a buf that can at least hold a 3370 * conf-nak with an `address' option. We might need it below. 3371 */ 3372 buf = r = kmalloc ((len < 6? 6: len), M_TEMP, M_INTWAIT); 3373 3374 /* pass 1: see if we can recognize them */ 3375 if (debug) 3376 log(LOG_DEBUG, SPP_FMT "ipv6cp parse opts:", 3377 SPP_ARGS(ifp)); 3378 p = (void*) (h+1); 3379 ifidcount = 0; 3380 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3381 /* Sanity check option length */ 3382 if (p[1] > len) { 3383 /* XXX just RXJ? */ 3384 log(-1, "%s: received malicious IPCPv6 option, " 3385 "dropping\n", ifp->if_xname); 3386 goto drop; 3387 } 3388 if (debug) 3389 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3390 switch (*p) { 3391 case IPV6CP_OPT_IFID: 3392 if (len >= 10 && p[1] == 10 && ifidcount == 0) { 3393 /* correctly formed address option */ 3394 ifidcount++; 3395 continue; 3396 } 3397 if (debug) 3398 log(-1, " [invalid]"); 3399 break; 3400 #ifdef notyet 3401 case IPV6CP_OPT_COMPRESSION: 3402 if (len >= 4 && p[1] >= 4) { 3403 /* correctly formed compress option */ 3404 continue; 3405 } 3406 if (debug) 3407 log(-1, " [invalid]"); 3408 break; 3409 #endif 3410 default: 3411 /* Others not supported. */ 3412 if (debug) 3413 log(-1, " [rej]"); 3414 break; 3415 } 3416 /* Add the option to rejected list. */ 3417 bcopy (p, r, p[1]); 3418 r += p[1]; 3419 rlen += p[1]; 3420 } 3421 if (rlen) { 3422 if (debug) 3423 log(-1, " send conf-rej\n"); 3424 sppp_cp_send (sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3425 goto end; 3426 } else if (debug) 3427 log(-1, "\n"); 3428 3429 /* pass 2: parse option values */ 3430 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3431 if (debug) 3432 log(LOG_DEBUG, SPP_FMT "ipv6cp parse opt values: ", 3433 SPP_ARGS(ifp)); 3434 p = (void*) (h+1); 3435 len = origlen; 3436 type = CONF_ACK; 3437 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3438 if (debug) 3439 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3440 switch (*p) { 3441 #ifdef notyet 3442 case IPV6CP_OPT_COMPRESSION: 3443 continue; 3444 #endif 3445 case IPV6CP_OPT_IFID: 3446 bzero(&desiredaddr, sizeof(desiredaddr)); 3447 bcopy(&p[2], &desiredaddr.s6_addr[8], 8); 3448 collision = (bcmp(&desiredaddr.s6_addr[8], 3449 &myaddr.s6_addr[8], 8) == 0); 3450 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3451 3452 desiredaddr.s6_addr16[0] = htons(0xfe80); 3453 desiredaddr.s6_addr16[1] = htons(sp->pp_if.if_index); 3454 3455 if (!collision && !nohisaddr) { 3456 /* no collision, hisaddr known - Conf-Ack */ 3457 type = CONF_ACK; 3458 3459 if (debug) { 3460 log(-1, " %s [%s]", 3461 ip6_sprintf(&desiredaddr), 3462 sppp_cp_type_name(type)); 3463 } 3464 continue; 3465 } 3466 3467 bzero(&suggestaddr, sizeof(suggestaddr)); 3468 if (collision && nohisaddr) { 3469 /* collision, hisaddr unknown - Conf-Rej */ 3470 type = CONF_REJ; 3471 bzero(&p[2], 8); 3472 } else { 3473 /* 3474 * - no collision, hisaddr unknown, or 3475 * - collision, hisaddr known 3476 * Conf-Nak, suggest hisaddr 3477 */ 3478 type = CONF_NAK; 3479 sppp_suggest_ip6_addr(sp, &suggestaddr); 3480 bcopy(&suggestaddr.s6_addr[8], &p[2], 8); 3481 } 3482 if (debug) 3483 log(-1, " %s [%s]", ip6_sprintf(&desiredaddr), 3484 sppp_cp_type_name(type)); 3485 break; 3486 } 3487 /* Add the option to nak'ed list. */ 3488 bcopy (p, r, p[1]); 3489 r += p[1]; 3490 rlen += p[1]; 3491 } 3492 3493 if (rlen == 0 && type == CONF_ACK) { 3494 if (debug) 3495 log(-1, " send %s\n", sppp_cp_type_name(type)); 3496 sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, origlen, h+1); 3497 } else { 3498 #ifdef DIAGNOSTIC 3499 if (type == CONF_ACK) 3500 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3501 #endif 3502 3503 if (debug) { 3504 log(-1, " send %s suggest %s\n", 3505 sppp_cp_type_name(type), ip6_sprintf(&suggestaddr)); 3506 } 3507 sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3508 } 3509 3510 end: 3511 kfree (buf, M_TEMP); 3512 return (rlen == 0); 3513 3514 drop: 3515 kfree(buf, M_TEMP); 3516 return (-1); 3517 } 3518 3519 /* 3520 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3521 * negotiation. 3522 */ 3523 static void 3524 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3525 { 3526 u_char *buf, *p; 3527 struct ifnet *ifp = &sp->pp_if; 3528 int debug = ifp->if_flags & IFF_DEBUG; 3529 3530 len -= 4; 3531 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3532 3533 if (debug) 3534 log(LOG_DEBUG, SPP_FMT "ipv6cp rej opts:", 3535 SPP_ARGS(ifp)); 3536 3537 p = (void*) (h+1); 3538 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3539 if (p[1] > len) { 3540 /* XXX just RXJ? */ 3541 log(-1, "%s: received malicious IPCPv6 option, " 3542 "dropping\n", ifp->if_xname); 3543 goto drop; 3544 } 3545 if (debug) 3546 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3547 switch (*p) { 3548 case IPV6CP_OPT_IFID: 3549 /* 3550 * Peer doesn't grok address option. This is 3551 * bad. XXX Should we better give up here? 3552 */ 3553 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3554 break; 3555 #ifdef notyet 3556 case IPV6CP_OPT_COMPRESS: 3557 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3558 break; 3559 #endif 3560 } 3561 } 3562 if (debug) 3563 log(-1, "\n"); 3564 drop: 3565 kfree (buf, M_TEMP); 3566 return; 3567 } 3568 3569 /* 3570 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3571 * negotiation. 3572 */ 3573 static void 3574 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3575 { 3576 u_char *buf, *p; 3577 struct ifnet *ifp = &sp->pp_if; 3578 int debug = ifp->if_flags & IFF_DEBUG; 3579 struct in6_addr suggestaddr; 3580 3581 len -= 4; 3582 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3583 3584 if (debug) 3585 log(LOG_DEBUG, SPP_FMT "ipv6cp nak opts:", 3586 SPP_ARGS(ifp)); 3587 3588 p = (void*) (h+1); 3589 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3590 if (p[1] > len) { 3591 /* XXX just RXJ? */ 3592 log(-1, "%s: received malicious IPCPv6 option, " 3593 "dropping\n", ifp->if_xname); 3594 goto drop; 3595 } 3596 if (debug) 3597 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3598 switch (*p) { 3599 case IPV6CP_OPT_IFID: 3600 /* 3601 * Peer doesn't like our local ifid. See 3602 * if we can do something for him. We'll drop 3603 * him our address then. 3604 */ 3605 if (len < 10 || p[1] != 10) 3606 break; 3607 bzero(&suggestaddr, sizeof(suggestaddr)); 3608 suggestaddr.s6_addr16[0] = htons(0xfe80); 3609 suggestaddr.s6_addr16[1] = htons(sp->pp_if.if_index); 3610 bcopy(&p[2], &suggestaddr.s6_addr[8], 8); 3611 3612 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3613 if (debug) 3614 log(-1, " [suggestaddr %s]", 3615 ip6_sprintf(&suggestaddr)); 3616 #ifdef IPV6CP_MYIFID_DYN 3617 /* 3618 * When doing dynamic address assignment, 3619 * we accept his offer. 3620 */ 3621 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3622 struct in6_addr lastsuggest; 3623 /* 3624 * If <suggested myaddr from peer> equals to 3625 * <hisaddr we have suggested last time>, 3626 * we have a collision. generate new random 3627 * ifid. 3628 */ 3629 sppp_suggest_ip6_addr(&lastsuggest); 3630 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3631 lastsuggest)) { 3632 if (debug) 3633 log(-1, " [random]"); 3634 sppp_gen_ip6_addr(sp, &suggestaddr); 3635 } 3636 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3637 if (debug) 3638 log(-1, " [agree]"); 3639 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3640 } 3641 #else 3642 /* 3643 * Since we do not do dynamic address assignment, 3644 * we ignore it and thus continue to negotiate 3645 * our already existing value. This can possibly 3646 * go into infinite request-reject loop. 3647 * 3648 * This is not likely because we normally use 3649 * ifid based on MAC-address. 3650 * If you have no ethernet card on the node, too bad. 3651 * XXX should we use fail_counter? 3652 */ 3653 #endif 3654 break; 3655 #ifdef notyet 3656 case IPV6CP_OPT_COMPRESS: 3657 /* 3658 * Peer wants different compression parameters. 3659 */ 3660 break; 3661 #endif 3662 } 3663 } 3664 if (debug) 3665 log(-1, "\n"); 3666 drop: 3667 kfree (buf, M_TEMP); 3668 return; 3669 } 3670 static void 3671 sppp_ipv6cp_tlu(struct sppp *sp) 3672 { 3673 /* we are up - notify isdn daemon */ 3674 if (sp->pp_con) 3675 sp->pp_con(sp); 3676 } 3677 3678 static void 3679 sppp_ipv6cp_tld(struct sppp *sp) 3680 { 3681 } 3682 3683 static void 3684 sppp_ipv6cp_tls(struct sppp *sp) 3685 { 3686 /* indicate to LCP that it must stay alive */ 3687 sp->lcp.protos |= (1 << IDX_IPV6CP); 3688 } 3689 3690 static void 3691 sppp_ipv6cp_tlf(struct sppp *sp) 3692 { 3693 3694 #if 0 /* need #if 0 to close IPv6CP properly */ 3695 /* we no longer need LCP */ 3696 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3697 sppp_lcp_check_and_close(sp); 3698 #endif 3699 } 3700 3701 static void 3702 sppp_ipv6cp_scr(struct sppp *sp) 3703 { 3704 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3705 struct in6_addr ouraddr; 3706 int i = 0; 3707 3708 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3709 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3710 opt[i++] = IPV6CP_OPT_IFID; 3711 opt[i++] = 10; 3712 bcopy(&ouraddr.s6_addr[8], &opt[i], 8); 3713 i += 8; 3714 } 3715 3716 #ifdef notyet 3717 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 3718 opt[i++] = IPV6CP_OPT_COMPRESSION; 3719 opt[i++] = 4; 3720 opt[i++] = 0; /* TBD */ 3721 opt[i++] = 0; /* TBD */ 3722 /* variable length data may follow */ 3723 } 3724 #endif 3725 3726 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 3727 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 3728 } 3729 #else /*INET6*/ 3730 static void 3731 sppp_ipv6cp_init(struct sppp *sp) 3732 { 3733 } 3734 3735 static void 3736 sppp_ipv6cp_up(struct sppp *sp) 3737 { 3738 } 3739 3740 static void 3741 sppp_ipv6cp_down(struct sppp *sp) 3742 { 3743 } 3744 3745 3746 static void 3747 sppp_ipv6cp_open(struct sppp *sp) 3748 { 3749 } 3750 3751 static void 3752 sppp_ipv6cp_close(struct sppp *sp) 3753 { 3754 } 3755 3756 static void 3757 sppp_ipv6cp_TO(void *sp) 3758 { 3759 } 3760 3761 static int 3762 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3763 { 3764 return 0; 3765 } 3766 3767 static void 3768 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3769 { 3770 } 3771 3772 static void 3773 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3774 { 3775 } 3776 3777 static void 3778 sppp_ipv6cp_tlu(struct sppp *sp) 3779 { 3780 } 3781 3782 static void 3783 sppp_ipv6cp_tld(struct sppp *sp) 3784 { 3785 } 3786 3787 static void 3788 sppp_ipv6cp_tls(struct sppp *sp) 3789 { 3790 } 3791 3792 static void 3793 sppp_ipv6cp_tlf(struct sppp *sp) 3794 { 3795 } 3796 3797 static void 3798 sppp_ipv6cp_scr(struct sppp *sp) 3799 { 3800 } 3801 #endif /*INET6*/ 3802 3803 /* 3804 *--------------------------------------------------------------------------* 3805 * * 3806 * The CHAP implementation. * 3807 * * 3808 *--------------------------------------------------------------------------* 3809 */ 3810 3811 /* 3812 * The authentication protocols don't employ a full-fledged state machine as 3813 * the control protocols do, since they do have Open and Close events, but 3814 * not Up and Down, nor are they explicitly terminated. Also, use of the 3815 * authentication protocols may be different in both directions (this makes 3816 * sense, think of a machine that never accepts incoming calls but only 3817 * calls out, it doesn't require the called party to authenticate itself). 3818 * 3819 * Our state machine for the local authentication protocol (we are requesting 3820 * the peer to authenticate) looks like: 3821 * 3822 * RCA- 3823 * +--------------------------------------------+ 3824 * V scn,tld| 3825 * +--------+ Close +---------+ RCA+ 3826 * | |<----------------------------------| |------+ 3827 * +--->| Closed | TO* | Opened | sca | 3828 * | | |-----+ +-------| |<-----+ 3829 * | +--------+ irc | | +---------+ 3830 * | ^ | | ^ 3831 * | | | | | 3832 * | | | | | 3833 * | TO-| | | | 3834 * | |tld TO+ V | | 3835 * | | +------->+ | | 3836 * | | | | | | 3837 * | +--------+ V | | 3838 * | | |<----+<--------------------+ | 3839 * | | Req- | scr | 3840 * | | Sent | | 3841 * | | | | 3842 * | +--------+ | 3843 * | RCA- | | RCA+ | 3844 * +------+ +------------------------------------------+ 3845 * scn,tld sca,irc,ict,tlu 3846 * 3847 * 3848 * with: 3849 * 3850 * Open: LCP reached authentication phase 3851 * Close: LCP reached terminate phase 3852 * 3853 * RCA+: received reply (pap-req, chap-response), acceptable 3854 * RCN: received reply (pap-req, chap-response), not acceptable 3855 * TO+: timeout with restart counter >= 0 3856 * TO-: timeout with restart counter < 0 3857 * TO*: reschedule timeout for CHAP 3858 * 3859 * scr: send request packet (none for PAP, chap-challenge) 3860 * sca: send ack packet (pap-ack, chap-success) 3861 * scn: send nak packet (pap-nak, chap-failure) 3862 * ict: initialize re-challenge timer (CHAP only) 3863 * 3864 * tlu: this-layer-up, LCP reaches network phase 3865 * tld: this-layer-down, LCP enters terminate phase 3866 * 3867 * Note that in CHAP mode, after sending a new challenge, while the state 3868 * automaton falls back into Req-Sent state, it doesn't signal a tld 3869 * event to LCP, so LCP remains in network phase. Only after not getting 3870 * any response (or after getting an unacceptable response), CHAP closes, 3871 * causing LCP to enter terminate phase. 3872 * 3873 * With PAP, there is no initial request that can be sent. The peer is 3874 * expected to send one based on the successful negotiation of PAP as 3875 * the authentication protocol during the LCP option negotiation. 3876 * 3877 * Incoming authentication protocol requests (remote requests 3878 * authentication, we are peer) don't employ a state machine at all, 3879 * they are simply answered. Some peers [Ascend P50 firmware rev 3880 * 4.50] react allergically when sending IPCP requests while they are 3881 * still in authentication phase (thereby violating the standard that 3882 * demands that these NCP packets are to be discarded), so we keep 3883 * track of the peer demanding us to authenticate, and only proceed to 3884 * phase network once we've seen a positive acknowledge for the 3885 * authentication. 3886 */ 3887 3888 /* 3889 * Handle incoming CHAP packets. 3890 */ 3891 void 3892 sppp_chap_input(struct sppp *sp, struct mbuf *m) 3893 { 3894 STDDCL; 3895 struct lcp_header *h; 3896 int len; 3897 u_char *value, *name, digest[AUTHKEYLEN], dsize; 3898 int value_len, name_len; 3899 MD5_CTX ctx; 3900 3901 len = m->m_pkthdr.len; 3902 if (len < 4) { 3903 if (debug) 3904 log(LOG_DEBUG, 3905 SPP_FMT "chap invalid packet length: %d bytes\n", 3906 SPP_ARGS(ifp), len); 3907 return; 3908 } 3909 h = mtod (m, struct lcp_header*); 3910 if (len > ntohs (h->len)) 3911 len = ntohs (h->len); 3912 3913 switch (h->type) { 3914 /* challenge, failure and success are his authproto */ 3915 case CHAP_CHALLENGE: 3916 value = 1 + (u_char*)(h+1); 3917 value_len = value[-1]; 3918 name = value + value_len; 3919 name_len = len - value_len - 5; 3920 if (name_len < 0) { 3921 if (debug) { 3922 log(LOG_DEBUG, 3923 SPP_FMT "chap corrupted challenge " 3924 "<%s id=0x%x len=%d", 3925 SPP_ARGS(ifp), 3926 sppp_auth_type_name(PPP_CHAP, h->type), 3927 h->ident, ntohs(h->len)); 3928 sppp_print_bytes((u_char*) (h+1), len-4); 3929 log(-1, ">\n"); 3930 } 3931 break; 3932 } 3933 3934 if (debug) { 3935 log(LOG_DEBUG, 3936 SPP_FMT "chap input <%s id=0x%x len=%d name=", 3937 SPP_ARGS(ifp), 3938 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 3939 ntohs(h->len)); 3940 sppp_print_string((char*) name, name_len); 3941 log(-1, " value-size=%d value=", value_len); 3942 sppp_print_bytes(value, value_len); 3943 log(-1, ">\n"); 3944 } 3945 3946 /* Compute reply value. */ 3947 MD5Init(&ctx); 3948 MD5Update(&ctx, &h->ident, 1); 3949 MD5Update(&ctx, sp->myauth.secret, 3950 sppp_strnlen(sp->myauth.secret, AUTHKEYLEN)); 3951 MD5Update(&ctx, value, value_len); 3952 MD5Final(digest, &ctx); 3953 dsize = sizeof digest; 3954 3955 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 3956 sizeof dsize, (const char *)&dsize, 3957 sizeof digest, digest, 3958 (size_t)sppp_strnlen(sp->myauth.name, AUTHNAMELEN), 3959 sp->myauth.name, 3960 0); 3961 break; 3962 3963 case CHAP_SUCCESS: 3964 if (debug) { 3965 log(LOG_DEBUG, SPP_FMT "chap success", 3966 SPP_ARGS(ifp)); 3967 if (len > 4) { 3968 log(-1, ": "); 3969 sppp_print_string((char*)(h + 1), len - 4); 3970 } 3971 log(-1, "\n"); 3972 } 3973 3974 crit_enter(); 3975 3976 sp->pp_flags &= ~PP_NEEDAUTH; 3977 if (sp->myauth.proto == PPP_CHAP && 3978 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 3979 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 3980 /* 3981 * We are authenticator for CHAP but didn't 3982 * complete yet. Leave it to tlu to proceed 3983 * to network phase. 3984 */ 3985 crit_exit(); 3986 break; 3987 } 3988 crit_exit(); 3989 sppp_phase_network(sp); 3990 break; 3991 3992 case CHAP_FAILURE: 3993 if (debug) { 3994 log(LOG_INFO, SPP_FMT "chap failure", 3995 SPP_ARGS(ifp)); 3996 if (len > 4) { 3997 log(-1, ": "); 3998 sppp_print_string((char*)(h + 1), len - 4); 3999 } 4000 log(-1, "\n"); 4001 } else 4002 log(LOG_INFO, SPP_FMT "chap failure\n", 4003 SPP_ARGS(ifp)); 4004 /* await LCP shutdown by authenticator */ 4005 break; 4006 4007 /* response is my authproto */ 4008 case CHAP_RESPONSE: 4009 value = 1 + (u_char*)(h+1); 4010 value_len = value[-1]; 4011 name = value + value_len; 4012 name_len = len - value_len - 5; 4013 if (name_len < 0) { 4014 if (debug) { 4015 log(LOG_DEBUG, 4016 SPP_FMT "chap corrupted response " 4017 "<%s id=0x%x len=%d", 4018 SPP_ARGS(ifp), 4019 sppp_auth_type_name(PPP_CHAP, h->type), 4020 h->ident, ntohs(h->len)); 4021 sppp_print_bytes((u_char*)(h+1), len-4); 4022 log(-1, ">\n"); 4023 } 4024 break; 4025 } 4026 if (h->ident != sp->confid[IDX_CHAP]) { 4027 if (debug) 4028 log(LOG_DEBUG, 4029 SPP_FMT "chap dropping response for old ID " 4030 "(got %d, expected %d)\n", 4031 SPP_ARGS(ifp), 4032 h->ident, sp->confid[IDX_CHAP]); 4033 break; 4034 } 4035 if (name_len != sppp_strnlen(sp->hisauth.name, AUTHNAMELEN) 4036 || bcmp(name, sp->hisauth.name, name_len) != 0) { 4037 log(LOG_INFO, SPP_FMT "chap response, his name ", 4038 SPP_ARGS(ifp)); 4039 sppp_print_string(name, name_len); 4040 log(-1, " != expected "); 4041 sppp_print_string(sp->hisauth.name, 4042 sppp_strnlen(sp->hisauth.name, AUTHNAMELEN)); 4043 log(-1, "\n"); 4044 } 4045 if (debug) { 4046 log(LOG_DEBUG, SPP_FMT "chap input(%s) " 4047 "<%s id=0x%x len=%d name=", 4048 SPP_ARGS(ifp), 4049 sppp_state_name(sp->state[IDX_CHAP]), 4050 sppp_auth_type_name(PPP_CHAP, h->type), 4051 h->ident, ntohs (h->len)); 4052 sppp_print_string((char*)name, name_len); 4053 log(-1, " value-size=%d value=", value_len); 4054 sppp_print_bytes(value, value_len); 4055 log(-1, ">\n"); 4056 } 4057 if (value_len != AUTHKEYLEN) { 4058 if (debug) 4059 log(LOG_DEBUG, 4060 SPP_FMT "chap bad hash value length: " 4061 "%d bytes, should be %d\n", 4062 SPP_ARGS(ifp), value_len, 4063 AUTHKEYLEN); 4064 break; 4065 } 4066 4067 MD5Init(&ctx); 4068 MD5Update(&ctx, &h->ident, 1); 4069 MD5Update(&ctx, sp->hisauth.secret, 4070 sppp_strnlen(sp->hisauth.secret, AUTHKEYLEN)); 4071 MD5Update(&ctx, sp->myauth.challenge, AUTHKEYLEN); 4072 MD5Final(digest, &ctx); 4073 4074 #define FAILMSG "Failed..." 4075 #define SUCCMSG "Welcome!" 4076 4077 if (value_len != sizeof digest || 4078 bcmp(digest, value, value_len) != 0) { 4079 /* action scn, tld */ 4080 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4081 sizeof(FAILMSG) - 1, (u_char *)FAILMSG, 4082 0); 4083 chap.tld(sp); 4084 break; 4085 } 4086 /* action sca, perhaps tlu */ 4087 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4088 sp->state[IDX_CHAP] == STATE_OPENED) 4089 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4090 sizeof(SUCCMSG) - 1, (u_char *)SUCCMSG, 4091 0); 4092 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4093 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4094 chap.tlu(sp); 4095 } 4096 break; 4097 4098 default: 4099 /* Unknown CHAP packet type -- ignore. */ 4100 if (debug) { 4101 log(LOG_DEBUG, SPP_FMT "chap unknown input(%s) " 4102 "<0x%x id=0x%xh len=%d", 4103 SPP_ARGS(ifp), 4104 sppp_state_name(sp->state[IDX_CHAP]), 4105 h->type, h->ident, ntohs(h->len)); 4106 sppp_print_bytes((u_char*)(h+1), len-4); 4107 log(-1, ">\n"); 4108 } 4109 break; 4110 4111 } 4112 } 4113 4114 static void 4115 sppp_chap_init(struct sppp *sp) 4116 { 4117 /* Chap doesn't have STATE_INITIAL at all. */ 4118 sp->state[IDX_CHAP] = STATE_CLOSED; 4119 sp->fail_counter[IDX_CHAP] = 0; 4120 sp->pp_seq[IDX_CHAP] = 0; 4121 sp->pp_rseq[IDX_CHAP] = 0; 4122 callout_init(&sp->timeout[IDX_CHAP]); 4123 } 4124 4125 static void 4126 sppp_chap_open(struct sppp *sp) 4127 { 4128 if (sp->myauth.proto == PPP_CHAP && 4129 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4130 /* we are authenticator for CHAP, start it */ 4131 chap.scr(sp); 4132 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4133 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4134 } 4135 /* nothing to be done if we are peer, await a challenge */ 4136 } 4137 4138 static void 4139 sppp_chap_close(struct sppp *sp) 4140 { 4141 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4142 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4143 } 4144 4145 static void 4146 sppp_chap_TO(void *cookie) 4147 { 4148 struct sppp *sp = (struct sppp *)cookie; 4149 STDDCL; 4150 4151 crit_enter(); 4152 4153 if (debug) 4154 log(LOG_DEBUG, SPP_FMT "chap TO(%s) rst_counter = %d\n", 4155 SPP_ARGS(ifp), 4156 sppp_state_name(sp->state[IDX_CHAP]), 4157 sp->rst_counter[IDX_CHAP]); 4158 4159 if (--sp->rst_counter[IDX_CHAP] < 0) 4160 /* TO- event */ 4161 switch (sp->state[IDX_CHAP]) { 4162 case STATE_REQ_SENT: 4163 chap.tld(sp); 4164 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4165 break; 4166 } 4167 else 4168 /* TO+ (or TO*) event */ 4169 switch (sp->state[IDX_CHAP]) { 4170 case STATE_OPENED: 4171 /* TO* event */ 4172 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4173 /* fall through */ 4174 case STATE_REQ_SENT: 4175 chap.scr(sp); 4176 /* sppp_cp_change_state() will restart the timer */ 4177 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4178 break; 4179 } 4180 4181 crit_exit(); 4182 } 4183 4184 static void 4185 sppp_chap_tlu(struct sppp *sp) 4186 { 4187 STDDCL; 4188 int i; 4189 4190 i = 0; 4191 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4192 4193 /* 4194 * Some broken CHAP implementations (Conware CoNet, firmware 4195 * 4.0.?) don't want to re-authenticate their CHAP once the 4196 * initial challenge-response exchange has taken place. 4197 * Provide for an option to avoid rechallenges. 4198 */ 4199 if ((sp->hisauth.flags & AUTHFLAG_NORECHALLENGE) == 0) { 4200 /* 4201 * Compute the re-challenge timeout. This will yield 4202 * a number between 300 and 810 seconds. 4203 */ 4204 i = 300 + ((unsigned)(krandom() & 0xff00) >> 7); 4205 callout_reset(&sp->timeout[IDX_CHAP], i * hz, chap.TO, sp); 4206 } 4207 4208 if (debug) { 4209 log(LOG_DEBUG, 4210 SPP_FMT "chap %s, ", 4211 SPP_ARGS(ifp), 4212 sp->pp_phase == PHASE_NETWORK? "reconfirmed": "tlu"); 4213 if ((sp->hisauth.flags & AUTHFLAG_NORECHALLENGE) == 0) 4214 log(-1, "next re-challenge in %d seconds\n", i); 4215 else 4216 log(-1, "re-challenging suppressed\n"); 4217 } 4218 4219 crit_enter(); 4220 4221 /* indicate to LCP that we need to be closed down */ 4222 sp->lcp.protos |= (1 << IDX_CHAP); 4223 4224 if (sp->pp_flags & PP_NEEDAUTH) { 4225 /* 4226 * Remote is authenticator, but his auth proto didn't 4227 * complete yet. Defer the transition to network 4228 * phase. 4229 */ 4230 crit_exit(); 4231 return; 4232 } 4233 4234 crit_exit(); 4235 4236 /* 4237 * If we are already in phase network, we are done here. This 4238 * is the case if this is a dummy tlu event after a re-challenge. 4239 */ 4240 if (sp->pp_phase != PHASE_NETWORK) 4241 sppp_phase_network(sp); 4242 } 4243 4244 static void 4245 sppp_chap_tld(struct sppp *sp) 4246 { 4247 STDDCL; 4248 4249 if (debug) 4250 log(LOG_DEBUG, SPP_FMT "chap tld\n", SPP_ARGS(ifp)); 4251 callout_stop(&sp->timeout[IDX_CHAP]); 4252 sp->lcp.protos &= ~(1 << IDX_CHAP); 4253 4254 lcp.Close(sp); 4255 } 4256 4257 static void 4258 sppp_chap_scr(struct sppp *sp) 4259 { 4260 u_long *ch, seed; 4261 u_char clen; 4262 4263 /* Compute random challenge. */ 4264 ch = (u_long *)sp->myauth.challenge; 4265 read_random(&seed, sizeof seed); 4266 ch[0] = seed ^ krandom(); 4267 ch[1] = seed ^ krandom(); 4268 ch[2] = seed ^ krandom(); 4269 ch[3] = seed ^ krandom(); 4270 clen = AUTHKEYLEN; 4271 4272 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4273 4274 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4275 sizeof clen, (const char *)&clen, 4276 (size_t)AUTHKEYLEN, sp->myauth.challenge, 4277 (size_t)sppp_strnlen(sp->myauth.name, AUTHNAMELEN), 4278 sp->myauth.name, 4279 0); 4280 } 4281 4282 /* 4283 *--------------------------------------------------------------------------* 4284 * * 4285 * The PAP implementation. * 4286 * * 4287 *--------------------------------------------------------------------------* 4288 */ 4289 /* 4290 * For PAP, we need to keep a little state also if we are the peer, not the 4291 * authenticator. This is since we don't get a request to authenticate, but 4292 * have to repeatedly authenticate ourself until we got a response (or the 4293 * retry counter is expired). 4294 */ 4295 4296 /* 4297 * Handle incoming PAP packets. */ 4298 static void 4299 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4300 { 4301 STDDCL; 4302 struct lcp_header *h; 4303 int len; 4304 u_char *name, *passwd, mlen; 4305 int name_len, passwd_len; 4306 4307 /* 4308 * Malicious input might leave this uninitialized, so 4309 * init to an impossible value. 4310 */ 4311 passwd_len = -1; 4312 4313 len = m->m_pkthdr.len; 4314 if (len < 5) { 4315 if (debug) 4316 log(LOG_DEBUG, 4317 SPP_FMT "pap invalid packet length: %d bytes\n", 4318 SPP_ARGS(ifp), len); 4319 return; 4320 } 4321 h = mtod (m, struct lcp_header*); 4322 if (len > ntohs (h->len)) 4323 len = ntohs (h->len); 4324 switch (h->type) { 4325 /* PAP request is my authproto */ 4326 case PAP_REQ: 4327 name = 1 + (u_char*)(h+1); 4328 name_len = name[-1]; 4329 passwd = name + name_len + 1; 4330 if (name_len > len - 6 || 4331 (passwd_len = passwd[-1]) > len - 6 - name_len) { 4332 if (debug) { 4333 log(LOG_DEBUG, SPP_FMT "pap corrupted input " 4334 "<%s id=0x%x len=%d", 4335 SPP_ARGS(ifp), 4336 sppp_auth_type_name(PPP_PAP, h->type), 4337 h->ident, ntohs(h->len)); 4338 sppp_print_bytes((u_char*)(h+1), len-4); 4339 log(-1, ">\n"); 4340 } 4341 break; 4342 } 4343 if (debug) { 4344 log(LOG_DEBUG, SPP_FMT "pap input(%s) " 4345 "<%s id=0x%x len=%d name=", 4346 SPP_ARGS(ifp), 4347 sppp_state_name(sp->state[IDX_PAP]), 4348 sppp_auth_type_name(PPP_PAP, h->type), 4349 h->ident, ntohs(h->len)); 4350 sppp_print_string((char*)name, name_len); 4351 log(-1, " passwd="); 4352 sppp_print_string((char*)passwd, passwd_len); 4353 log(-1, ">\n"); 4354 } 4355 if (name_len != sppp_strnlen(sp->hisauth.name, AUTHNAMELEN) || 4356 passwd_len != sppp_strnlen(sp->hisauth.secret, AUTHKEYLEN) || 4357 bcmp(name, sp->hisauth.name, name_len) != 0 || 4358 bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) { 4359 /* action scn, tld */ 4360 mlen = sizeof(FAILMSG) - 1; 4361 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4362 sizeof mlen, (const char *)&mlen, 4363 sizeof(FAILMSG) - 1, (u_char *)FAILMSG, 4364 0); 4365 pap.tld(sp); 4366 break; 4367 } 4368 /* action sca, perhaps tlu */ 4369 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4370 sp->state[IDX_PAP] == STATE_OPENED) { 4371 mlen = sizeof(SUCCMSG) - 1; 4372 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4373 sizeof mlen, (const char *)&mlen, 4374 sizeof(SUCCMSG) - 1, (u_char *)SUCCMSG, 4375 0); 4376 } 4377 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4378 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4379 pap.tlu(sp); 4380 } 4381 break; 4382 4383 /* ack and nak are his authproto */ 4384 case PAP_ACK: 4385 callout_stop(&sp->pap_my_to); 4386 if (debug) { 4387 log(LOG_DEBUG, SPP_FMT "pap success", 4388 SPP_ARGS(ifp)); 4389 name = 1 + (u_char *)(h + 1); 4390 name_len = name[-1]; 4391 if (len > 5 && name_len < len+4) { 4392 log(-1, ": "); 4393 sppp_print_string(name, name_len); 4394 } 4395 log(-1, "\n"); 4396 } 4397 4398 crit_enter(); 4399 4400 sp->pp_flags &= ~PP_NEEDAUTH; 4401 if (sp->myauth.proto == PPP_PAP && 4402 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4403 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4404 /* 4405 * We are authenticator for PAP but didn't 4406 * complete yet. Leave it to tlu to proceed 4407 * to network phase. 4408 */ 4409 4410 crit_exit(); 4411 4412 break; 4413 } 4414 4415 crit_exit(); 4416 4417 sppp_phase_network(sp); 4418 break; 4419 4420 case PAP_NAK: 4421 callout_stop(&sp->pap_my_to); 4422 if (debug) { 4423 log(LOG_INFO, SPP_FMT "pap failure", 4424 SPP_ARGS(ifp)); 4425 name = 1 + (u_char *)(h + 1); 4426 name_len = name[-1]; 4427 if (len > 5 && name_len < len+4) { 4428 log(-1, ": "); 4429 sppp_print_string(name, name_len); 4430 } 4431 log(-1, "\n"); 4432 } else 4433 log(LOG_INFO, SPP_FMT "pap failure\n", 4434 SPP_ARGS(ifp)); 4435 /* await LCP shutdown by authenticator */ 4436 break; 4437 4438 default: 4439 /* Unknown PAP packet type -- ignore. */ 4440 if (debug) { 4441 log(LOG_DEBUG, SPP_FMT "pap corrupted input " 4442 "<0x%x id=0x%x len=%d", 4443 SPP_ARGS(ifp), 4444 h->type, h->ident, ntohs(h->len)); 4445 sppp_print_bytes((u_char*)(h+1), len-4); 4446 log(-1, ">\n"); 4447 } 4448 break; 4449 4450 } 4451 } 4452 4453 static void 4454 sppp_pap_init(struct sppp *sp) 4455 { 4456 /* PAP doesn't have STATE_INITIAL at all. */ 4457 sp->state[IDX_PAP] = STATE_CLOSED; 4458 sp->fail_counter[IDX_PAP] = 0; 4459 sp->pp_seq[IDX_PAP] = 0; 4460 sp->pp_rseq[IDX_PAP] = 0; 4461 callout_init(&sp->timeout[IDX_PAP]); 4462 callout_init(&sp->pap_my_to); 4463 } 4464 4465 static void 4466 sppp_pap_open(struct sppp *sp) 4467 { 4468 if (sp->hisauth.proto == PPP_PAP && 4469 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4470 /* we are authenticator for PAP, start our timer */ 4471 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4472 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4473 } 4474 if (sp->myauth.proto == PPP_PAP) { 4475 /* we are peer, send a request, and start a timer */ 4476 pap.scr(sp); 4477 callout_reset(&sp->pap_my_to, sp->lcp.timeout, 4478 sppp_pap_my_TO, sp); 4479 } 4480 } 4481 4482 static void 4483 sppp_pap_close(struct sppp *sp) 4484 { 4485 if (sp->state[IDX_PAP] != STATE_CLOSED) 4486 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4487 } 4488 4489 /* 4490 * That's the timeout routine if we are authenticator. Since the 4491 * authenticator is basically passive in PAP, we can't do much here. 4492 */ 4493 static void 4494 sppp_pap_TO(void *cookie) 4495 { 4496 struct sppp *sp = (struct sppp *)cookie; 4497 STDDCL; 4498 4499 crit_enter(); 4500 4501 if (debug) 4502 log(LOG_DEBUG, SPP_FMT "pap TO(%s) rst_counter = %d\n", 4503 SPP_ARGS(ifp), 4504 sppp_state_name(sp->state[IDX_PAP]), 4505 sp->rst_counter[IDX_PAP]); 4506 4507 if (--sp->rst_counter[IDX_PAP] < 0) 4508 /* TO- event */ 4509 switch (sp->state[IDX_PAP]) { 4510 case STATE_REQ_SENT: 4511 pap.tld(sp); 4512 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4513 break; 4514 } 4515 else 4516 /* TO+ event, not very much we could do */ 4517 switch (sp->state[IDX_PAP]) { 4518 case STATE_REQ_SENT: 4519 /* sppp_cp_change_state() will restart the timer */ 4520 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4521 break; 4522 } 4523 4524 crit_exit(); 4525 } 4526 4527 /* 4528 * That's the timeout handler if we are peer. Since the peer is active, 4529 * we need to retransmit our PAP request since it is apparently lost. 4530 * XXX We should impose a max counter. 4531 */ 4532 static void 4533 sppp_pap_my_TO(void *cookie) 4534 { 4535 struct sppp *sp = (struct sppp *)cookie; 4536 STDDCL; 4537 4538 if (debug) 4539 log(LOG_DEBUG, SPP_FMT "pap peer TO\n", 4540 SPP_ARGS(ifp)); 4541 4542 pap.scr(sp); 4543 } 4544 4545 static void 4546 sppp_pap_tlu(struct sppp *sp) 4547 { 4548 STDDCL; 4549 4550 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4551 4552 if (debug) 4553 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 4554 SPP_ARGS(ifp), pap.name); 4555 4556 crit_enter(); 4557 4558 /* indicate to LCP that we need to be closed down */ 4559 sp->lcp.protos |= (1 << IDX_PAP); 4560 4561 if (sp->pp_flags & PP_NEEDAUTH) { 4562 /* 4563 * Remote is authenticator, but his auth proto didn't 4564 * complete yet. Defer the transition to network 4565 * phase. 4566 */ 4567 crit_exit(); 4568 return; 4569 } 4570 crit_exit(); 4571 sppp_phase_network(sp); 4572 } 4573 4574 static void 4575 sppp_pap_tld(struct sppp *sp) 4576 { 4577 STDDCL; 4578 4579 if (debug) 4580 log(LOG_DEBUG, SPP_FMT "pap tld\n", SPP_ARGS(ifp)); 4581 callout_stop(&sp->timeout[IDX_PAP]); 4582 callout_stop(&sp->pap_my_to); 4583 sp->lcp.protos &= ~(1 << IDX_PAP); 4584 4585 lcp.Close(sp); 4586 } 4587 4588 static void 4589 sppp_pap_scr(struct sppp *sp) 4590 { 4591 u_char idlen, pwdlen; 4592 4593 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4594 pwdlen = sppp_strnlen(sp->myauth.secret, AUTHKEYLEN); 4595 idlen = sppp_strnlen(sp->myauth.name, AUTHNAMELEN); 4596 4597 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 4598 sizeof idlen, (const char *)&idlen, 4599 (size_t)idlen, sp->myauth.name, 4600 sizeof pwdlen, (const char *)&pwdlen, 4601 (size_t)pwdlen, sp->myauth.secret, 4602 0); 4603 } 4604 4605 /* 4606 * Random miscellaneous functions. 4607 */ 4608 4609 /* 4610 * Send a PAP or CHAP proto packet. 4611 * 4612 * Varadic function, each of the elements for the ellipsis is of type 4613 * ``size_t mlen, const u_char *msg''. Processing will stop iff 4614 * mlen == 0. 4615 * NOTE: never declare variadic functions with types subject to type 4616 * promotion (i.e. u_char). This is asking for big trouble depending 4617 * on the architecture you are on... 4618 */ 4619 4620 static void 4621 sppp_auth_send(const struct cp *cp, struct sppp *sp, 4622 unsigned int type, unsigned int id, 4623 ...) 4624 { 4625 STDDCL; 4626 struct ppp_header *h; 4627 struct lcp_header *lh; 4628 struct mbuf *m; 4629 u_char *p; 4630 int len; 4631 unsigned int mlen; 4632 const char *msg; 4633 struct ifaltq_subque *ifsq; 4634 __va_list ap; 4635 4636 MGETHDR (m, MB_DONTWAIT, MT_DATA); 4637 if (! m) 4638 return; 4639 m->m_pkthdr.rcvif = 0; 4640 4641 h = mtod (m, struct ppp_header*); 4642 h->address = PPP_ALLSTATIONS; /* broadcast address */ 4643 h->control = PPP_UI; /* Unnumbered Info */ 4644 h->protocol = htons(cp->proto); 4645 4646 lh = (struct lcp_header*)(h + 1); 4647 lh->type = type; 4648 lh->ident = id; 4649 p = (u_char*) (lh+1); 4650 4651 __va_start(ap, id); 4652 len = 0; 4653 4654 while ((mlen = (unsigned int)__va_arg(ap, size_t)) != 0) { 4655 msg = __va_arg(ap, const char *); 4656 len += mlen; 4657 if (len > MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN) { 4658 __va_end(ap); 4659 m_freem(m); 4660 return; 4661 } 4662 4663 bcopy(msg, p, mlen); 4664 p += mlen; 4665 } 4666 __va_end(ap); 4667 4668 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + LCP_HEADER_LEN + len; 4669 lh->len = htons (LCP_HEADER_LEN + len); 4670 4671 if (debug) { 4672 log(LOG_DEBUG, SPP_FMT "%s output <%s id=0x%x len=%d", 4673 SPP_ARGS(ifp), cp->name, 4674 sppp_auth_type_name(cp->proto, lh->type), 4675 lh->ident, ntohs(lh->len)); 4676 sppp_print_bytes((u_char*) (lh+1), len); 4677 log(-1, ">\n"); 4678 } 4679 if (IF_QFULL (&sp->pp_cpq)) { 4680 IF_DROP (&sp->pp_fastq); 4681 m_freem (m); 4682 IFNET_STAT_INC(ifp, oerrors, 1); 4683 } else 4684 IF_ENQUEUE (&sp->pp_cpq, m); 4685 ifsq = ifq_get_subq_default(&ifp->if_snd); 4686 if (!ifsq_is_oactive(ifsq)) 4687 (*ifp->if_start) (ifp, ifsq); 4688 IFNET_STAT_INC(ifp, obytes, m->m_pkthdr.len + 3); 4689 } 4690 4691 /* 4692 * Send keepalive packets, every 10 seconds. 4693 */ 4694 static void 4695 sppp_keepalive(void *dummy) 4696 { 4697 struct sppp *sp; 4698 4699 crit_enter(); 4700 4701 for (sp=spppq; sp; sp=sp->pp_next) { 4702 struct ifnet *ifp = &sp->pp_if; 4703 4704 /* Keepalive mode disabled or channel down? */ 4705 if (! (sp->pp_flags & PP_KEEPALIVE) || 4706 ! (ifp->if_flags & IFF_RUNNING)) 4707 continue; 4708 4709 /* No keepalive in PPP mode if LCP not opened yet. */ 4710 if (sp->pp_mode != IFF_CISCO && 4711 sp->pp_phase < PHASE_AUTHENTICATE) 4712 continue; 4713 4714 if (sp->pp_alivecnt == MAXALIVECNT) { 4715 /* No keepalive packets got. Stop the interface. */ 4716 kprintf (SPP_FMT "down\n", SPP_ARGS(ifp)); 4717 if_down (ifp); 4718 IF_DRAIN(&sp->pp_cpq); 4719 if (sp->pp_mode != IFF_CISCO) { 4720 /* XXX */ 4721 /* Shut down the PPP link. */ 4722 lcp.Down(sp); 4723 /* Initiate negotiation. XXX */ 4724 lcp.Up(sp); 4725 } 4726 } 4727 ifnet_serialize_all(ifp); 4728 if (sp->pp_alivecnt <= MAXALIVECNT) 4729 ++sp->pp_alivecnt; 4730 if (sp->pp_mode == IFF_CISCO) 4731 sppp_cisco_send (sp, CISCO_KEEPALIVE_REQ, 4732 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 4733 else if (sp->pp_phase >= PHASE_AUTHENTICATE) { 4734 long nmagic = htonl (sp->lcp.magic); 4735 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 4736 sppp_cp_send (sp, PPP_LCP, ECHO_REQ, 4737 sp->lcp.echoid, 4, &nmagic); 4738 } 4739 ifnet_deserialize_all(ifp); 4740 } 4741 callout_reset(&keepalive_timeout, hz * 10, sppp_keepalive, NULL); 4742 crit_exit(); 4743 } 4744 4745 /* 4746 * Get both IP addresses. 4747 */ 4748 static void 4749 sppp_get_ip_addrs(struct sppp *sp, u_long *src, u_long *dst, u_long *srcmask) 4750 { 4751 struct ifnet *ifp = &sp->pp_if; 4752 struct ifaddr_container *ifac; 4753 struct ifaddr *ifa; 4754 struct sockaddr_in *si, *sm; 4755 u_long ssrc, ddst; 4756 4757 sm = NULL; 4758 ssrc = ddst = 0L; 4759 /* 4760 * Pick the first AF_INET address from the list, 4761 * aliases don't make any sense on a p2p link anyway. 4762 */ 4763 si = NULL; 4764 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4765 ifa = ifac->ifa; 4766 if (ifa->ifa_addr->sa_family == AF_INET) { 4767 si = (struct sockaddr_in *)ifa->ifa_addr; 4768 sm = (struct sockaddr_in *)ifa->ifa_netmask; 4769 if (si) 4770 break; 4771 } 4772 } 4773 if (ifac != NULL) { 4774 if (si && si->sin_addr.s_addr) { 4775 ssrc = si->sin_addr.s_addr; 4776 if (srcmask) 4777 *srcmask = ntohl(sm->sin_addr.s_addr); 4778 } 4779 4780 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 4781 if (si && si->sin_addr.s_addr) 4782 ddst = si->sin_addr.s_addr; 4783 } 4784 4785 if (dst) *dst = ntohl(ddst); 4786 if (src) *src = ntohl(ssrc); 4787 } 4788 4789 /* 4790 * Set my IP address. Must be called at splimp. 4791 */ 4792 static void 4793 sppp_set_ip_addr(struct sppp *sp, u_long src) 4794 { 4795 STDDCL; 4796 struct ifaddr_container *ifac; 4797 struct ifaddr *ifa = NULL; 4798 struct sockaddr_in *si; 4799 struct in_ifaddr *ia; 4800 4801 /* 4802 * Pick the first AF_INET address from the list, 4803 * aliases don't make any sense on a p2p link anyway. 4804 */ 4805 si = NULL; 4806 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4807 ifa = ifac->ifa; 4808 if (ifa->ifa_addr->sa_family == AF_INET) { 4809 si = (struct sockaddr_in *)ifa->ifa_addr; 4810 if (si) 4811 break; 4812 } 4813 } 4814 4815 if (ifac != NULL && si != NULL) { 4816 int error; 4817 4818 /* delete old route */ 4819 error = rtinit(ifa, (int)RTM_DELETE, RTF_HOST); 4820 if(debug && error) 4821 { 4822 log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: rtinit DEL failed, error=%d\n", 4823 SPP_ARGS(ifp), error); 4824 } 4825 4826 ia = ifatoia(ifa); 4827 in_iahash_remove(ia); 4828 4829 /* set new address */ 4830 si->sin_addr.s_addr = htonl(src); 4831 in_iahash_insert(ia); 4832 4833 /* add new route */ 4834 error = rtinit(ifa, (int)RTM_ADD, RTF_HOST); 4835 if (debug && error) 4836 { 4837 log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: rtinit ADD failed, error=%d", 4838 SPP_ARGS(ifp), error); 4839 } 4840 } 4841 } 4842 4843 #ifdef INET6 4844 /* 4845 * Get both IPv6 addresses. 4846 */ 4847 static void 4848 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 4849 struct in6_addr *srcmask) 4850 { 4851 struct ifnet *ifp = &sp->pp_if; 4852 struct ifaddr_container *ifac; 4853 struct ifaddr *ifa; 4854 struct sockaddr_in6 *si, *sm; 4855 struct in6_addr ssrc, ddst; 4856 4857 sm = NULL; 4858 bzero(&ssrc, sizeof(ssrc)); 4859 bzero(&ddst, sizeof(ddst)); 4860 /* 4861 * Pick the first link-local AF_INET6 address from the list, 4862 * aliases don't make any sense on a p2p link anyway. 4863 */ 4864 si = NULL; 4865 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4866 ifa = ifac->ifa; 4867 if (ifa->ifa_addr->sa_family == AF_INET6) { 4868 si = (struct sockaddr_in6 *)ifa->ifa_addr; 4869 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 4870 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) 4871 break; 4872 } 4873 } 4874 if (ifac != NULL) { 4875 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 4876 bcopy(&si->sin6_addr, &ssrc, sizeof(ssrc)); 4877 if (srcmask) { 4878 bcopy(&sm->sin6_addr, srcmask, 4879 sizeof(*srcmask)); 4880 } 4881 } 4882 4883 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 4884 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 4885 bcopy(&si->sin6_addr, &ddst, sizeof(ddst)); 4886 } 4887 4888 if (dst) 4889 bcopy(&ddst, dst, sizeof(*dst)); 4890 if (src) 4891 bcopy(&ssrc, src, sizeof(*src)); 4892 } 4893 4894 #ifdef IPV6CP_MYIFID_DYN 4895 /* 4896 * Generate random ifid. 4897 */ 4898 static void 4899 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 4900 { 4901 /* TBD */ 4902 } 4903 4904 /* 4905 * Set my IPv6 address. Must be called at splimp. 4906 */ 4907 static void 4908 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 4909 { 4910 STDDCL; 4911 struct ifaddr_container *ifac; 4912 struct ifaddr *ifa; 4913 struct sockaddr_in6 *sin6; 4914 4915 /* 4916 * Pick the first link-local AF_INET6 address from the list, 4917 * aliases don't make any sense on a p2p link anyway. 4918 */ 4919 4920 sin6 = NULL; 4921 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4922 ifa = ifac->ifa; 4923 if (ifa->ifa_addr->sa_family == AF_INET6) { 4924 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 4925 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 4926 break; 4927 } 4928 } 4929 4930 if (ifac != NULL && sin6 != NULL) { 4931 int error; 4932 struct sockaddr_in6 new_sin6 = *sin6; 4933 4934 bcopy(src, &new_sin6.sin6_addr, sizeof(new_sin6.sin6_addr)); 4935 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 4936 if (debug && error) { 4937 log(LOG_DEBUG, SPP_FMT "sppp_set_ip6_addr: in6_ifinit " 4938 " failed, error=%d\n", SPP_ARGS(ifp), error); 4939 } 4940 } 4941 } 4942 #endif 4943 4944 /* 4945 * Suggest a candidate address to be used by peer. 4946 */ 4947 static void 4948 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 4949 { 4950 struct in6_addr myaddr; 4951 struct timeval tv; 4952 4953 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 4954 4955 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 4956 microtime(&tv); 4957 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 4958 myaddr.s6_addr[14] ^= 0xff; 4959 myaddr.s6_addr[15] ^= 0xff; 4960 } else { 4961 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 4962 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 4963 } 4964 if (suggest) 4965 bcopy(&myaddr, suggest, sizeof(myaddr)); 4966 } 4967 #endif /*INET6*/ 4968 4969 static int 4970 sppp_params(struct sppp *sp, u_long cmd, void *data) 4971 { 4972 u_long subcmd; 4973 struct ifreq *ifr = (struct ifreq *)data; 4974 struct spppreq *spr; 4975 int rv = 0; 4976 4977 spr = kmalloc(sizeof(struct spppreq), M_TEMP, M_INTWAIT); 4978 4979 /* 4980 * ifr->ifr_data is supposed to point to a struct spppreq. 4981 * Check the cmd word first before attempting to fetch all the 4982 * data. 4983 */ 4984 if ((subcmd = fuword(ifr->ifr_data)) == -1) { 4985 rv = EFAULT; 4986 goto quit; 4987 } 4988 4989 if (copyin((caddr_t)ifr->ifr_data, spr, sizeof(struct spppreq)) != 0) { 4990 rv = EFAULT; 4991 goto quit; 4992 } 4993 4994 switch (subcmd) { 4995 case (u_long)SPPPIOGDEFS: 4996 if (cmd != SIOCGIFGENERIC) { 4997 rv = EINVAL; 4998 break; 4999 } 5000 /* 5001 * We copy over the entire current state, but clean 5002 * out some of the stuff we don't wanna pass up. 5003 * Remember, SIOCGIFGENERIC is unprotected, and can be 5004 * called by any user. No need to ever get PAP or 5005 * CHAP secrets back to userland anyway. 5006 */ 5007 spr->defs.pp_phase = sp->pp_phase; 5008 spr->defs.enable_vj = (sp->confflags & CONF_ENABLE_VJ) != 0; 5009 spr->defs.enable_ipv6 = (sp->confflags & CONF_ENABLE_IPV6) != 0; 5010 spr->defs.lcp = sp->lcp; 5011 spr->defs.ipcp = sp->ipcp; 5012 spr->defs.ipv6cp = sp->ipv6cp; 5013 spr->defs.myauth = sp->myauth; 5014 spr->defs.hisauth = sp->hisauth; 5015 bzero(spr->defs.myauth.secret, AUTHKEYLEN); 5016 bzero(spr->defs.myauth.challenge, AUTHKEYLEN); 5017 bzero(spr->defs.hisauth.secret, AUTHKEYLEN); 5018 bzero(spr->defs.hisauth.challenge, AUTHKEYLEN); 5019 /* 5020 * Fixup the LCP timeout value to milliseconds so 5021 * spppcontrol doesn't need to bother about the value 5022 * of "hz". We do the reverse calculation below when 5023 * setting it. 5024 */ 5025 spr->defs.lcp.timeout = sp->lcp.timeout * 1000 / hz; 5026 rv = copyout(spr, (caddr_t)ifr->ifr_data, 5027 sizeof(struct spppreq)); 5028 break; 5029 5030 case (u_long)SPPPIOSDEFS: 5031 if (cmd != SIOCSIFGENERIC) { 5032 rv = EINVAL; 5033 break; 5034 } 5035 /* 5036 * We have a very specific idea of which fields we 5037 * allow being passed back from userland, so to not 5038 * clobber our current state. For one, we only allow 5039 * setting anything if LCP is in dead or establish 5040 * phase. Once the authentication negotiations 5041 * started, the authentication settings must not be 5042 * changed again. (The administrator can force an 5043 * ifconfig down in order to get LCP back into dead 5044 * phase.) 5045 * 5046 * Also, we only allow for authentication parameters to be 5047 * specified. 5048 * 5049 * XXX Should allow to set or clear pp_flags. 5050 * 5051 * Finally, if the respective authentication protocol to 5052 * be used is set differently than 0, but the secret is 5053 * passed as all zeros, we don't trash the existing secret. 5054 * This allows an administrator to change the system name 5055 * only without clobbering the secret (which he didn't get 5056 * back in a previous SPPPIOGDEFS call). However, the 5057 * secrets are cleared if the authentication protocol is 5058 * reset to 0. */ 5059 if (sp->pp_phase != PHASE_DEAD && 5060 sp->pp_phase != PHASE_ESTABLISH) { 5061 rv = EBUSY; 5062 break; 5063 } 5064 5065 if ((spr->defs.myauth.proto != 0 && spr->defs.myauth.proto != PPP_PAP && 5066 spr->defs.myauth.proto != PPP_CHAP) || 5067 (spr->defs.hisauth.proto != 0 && spr->defs.hisauth.proto != PPP_PAP && 5068 spr->defs.hisauth.proto != PPP_CHAP)) { 5069 rv = EINVAL; 5070 break; 5071 } 5072 5073 if (spr->defs.myauth.proto == 0) 5074 /* resetting myauth */ 5075 bzero(&sp->myauth, sizeof sp->myauth); 5076 else { 5077 /* setting/changing myauth */ 5078 sp->myauth.proto = spr->defs.myauth.proto; 5079 bcopy(spr->defs.myauth.name, sp->myauth.name, AUTHNAMELEN); 5080 if (spr->defs.myauth.secret[0] != '\0') 5081 bcopy(spr->defs.myauth.secret, sp->myauth.secret, 5082 AUTHKEYLEN); 5083 } 5084 if (spr->defs.hisauth.proto == 0) 5085 /* resetting hisauth */ 5086 bzero(&sp->hisauth, sizeof sp->hisauth); 5087 else { 5088 /* setting/changing hisauth */ 5089 sp->hisauth.proto = spr->defs.hisauth.proto; 5090 sp->hisauth.flags = spr->defs.hisauth.flags; 5091 bcopy(spr->defs.hisauth.name, sp->hisauth.name, AUTHNAMELEN); 5092 if (spr->defs.hisauth.secret[0] != '\0') 5093 bcopy(spr->defs.hisauth.secret, sp->hisauth.secret, 5094 AUTHKEYLEN); 5095 } 5096 /* set LCP restart timer timeout */ 5097 if (spr->defs.lcp.timeout != 0) 5098 sp->lcp.timeout = spr->defs.lcp.timeout * hz / 1000; 5099 /* set VJ enable and IPv6 disable flags */ 5100 #ifdef INET 5101 if (spr->defs.enable_vj) 5102 sp->confflags |= CONF_ENABLE_VJ; 5103 else 5104 sp->confflags &= ~CONF_ENABLE_VJ; 5105 #endif 5106 #ifdef INET6 5107 if (spr->defs.enable_ipv6) 5108 sp->confflags |= CONF_ENABLE_IPV6; 5109 else 5110 sp->confflags &= ~CONF_ENABLE_IPV6; 5111 #endif 5112 break; 5113 5114 default: 5115 rv = EINVAL; 5116 } 5117 5118 quit: 5119 kfree(spr, M_TEMP); 5120 5121 return (rv); 5122 } 5123 5124 static void 5125 sppp_phase_network(struct sppp *sp) 5126 { 5127 STDDCL; 5128 int i; 5129 u_long mask; 5130 5131 sp->pp_phase = PHASE_NETWORK; 5132 5133 if (debug) 5134 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 5135 sppp_phase_name(sp->pp_phase)); 5136 5137 /* Notify NCPs now. */ 5138 for (i = 0; i < IDX_COUNT; i++) 5139 if ((cps[i])->flags & CP_NCP) 5140 (cps[i])->Open(sp); 5141 5142 /* Send Up events to all NCPs. */ 5143 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5144 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) 5145 (cps[i])->Up(sp); 5146 5147 /* if no NCP is starting, all this was in vain, close down */ 5148 sppp_lcp_check_and_close(sp); 5149 } 5150 5151 5152 static const char * 5153 sppp_cp_type_name(u_char type) 5154 { 5155 static char buf[12]; 5156 switch (type) { 5157 case CONF_REQ: return "conf-req"; 5158 case CONF_ACK: return "conf-ack"; 5159 case CONF_NAK: return "conf-nak"; 5160 case CONF_REJ: return "conf-rej"; 5161 case TERM_REQ: return "term-req"; 5162 case TERM_ACK: return "term-ack"; 5163 case CODE_REJ: return "code-rej"; 5164 case PROTO_REJ: return "proto-rej"; 5165 case ECHO_REQ: return "echo-req"; 5166 case ECHO_REPLY: return "echo-reply"; 5167 case DISC_REQ: return "discard-req"; 5168 } 5169 ksnprintf (buf, sizeof(buf), "cp/0x%x", type); 5170 return buf; 5171 } 5172 5173 static const char * 5174 sppp_auth_type_name(u_short proto, u_char type) 5175 { 5176 static char buf[12]; 5177 switch (proto) { 5178 case PPP_CHAP: 5179 switch (type) { 5180 case CHAP_CHALLENGE: return "challenge"; 5181 case CHAP_RESPONSE: return "response"; 5182 case CHAP_SUCCESS: return "success"; 5183 case CHAP_FAILURE: return "failure"; 5184 } 5185 case PPP_PAP: 5186 switch (type) { 5187 case PAP_REQ: return "req"; 5188 case PAP_ACK: return "ack"; 5189 case PAP_NAK: return "nak"; 5190 } 5191 } 5192 ksnprintf (buf, sizeof(buf), "auth/0x%x", type); 5193 return buf; 5194 } 5195 5196 static const char * 5197 sppp_lcp_opt_name(u_char opt) 5198 { 5199 static char buf[12]; 5200 switch (opt) { 5201 case LCP_OPT_MRU: return "mru"; 5202 case LCP_OPT_ASYNC_MAP: return "async-map"; 5203 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 5204 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 5205 case LCP_OPT_MAGIC: return "magic"; 5206 case LCP_OPT_PROTO_COMP: return "proto-comp"; 5207 case LCP_OPT_ADDR_COMP: return "addr-comp"; 5208 } 5209 ksnprintf (buf, sizeof(buf), "lcp/0x%x", opt); 5210 return buf; 5211 } 5212 5213 static const char * 5214 sppp_ipcp_opt_name(u_char opt) 5215 { 5216 static char buf[12]; 5217 switch (opt) { 5218 case IPCP_OPT_ADDRESSES: return "addresses"; 5219 case IPCP_OPT_COMPRESSION: return "compression"; 5220 case IPCP_OPT_ADDRESS: return "address"; 5221 } 5222 ksnprintf (buf, sizeof(buf), "ipcp/0x%x", opt); 5223 return buf; 5224 } 5225 5226 #ifdef INET6 5227 static const char * 5228 sppp_ipv6cp_opt_name(u_char opt) 5229 { 5230 static char buf[12]; 5231 switch (opt) { 5232 case IPV6CP_OPT_IFID: return "ifid"; 5233 case IPV6CP_OPT_COMPRESSION: return "compression"; 5234 } 5235 ksprintf (buf, "0x%x", opt); 5236 return buf; 5237 } 5238 #endif 5239 5240 static const char * 5241 sppp_state_name(int state) 5242 { 5243 switch (state) { 5244 case STATE_INITIAL: return "initial"; 5245 case STATE_STARTING: return "starting"; 5246 case STATE_CLOSED: return "closed"; 5247 case STATE_STOPPED: return "stopped"; 5248 case STATE_CLOSING: return "closing"; 5249 case STATE_STOPPING: return "stopping"; 5250 case STATE_REQ_SENT: return "req-sent"; 5251 case STATE_ACK_RCVD: return "ack-rcvd"; 5252 case STATE_ACK_SENT: return "ack-sent"; 5253 case STATE_OPENED: return "opened"; 5254 } 5255 return "illegal"; 5256 } 5257 5258 static const char * 5259 sppp_phase_name(enum ppp_phase phase) 5260 { 5261 switch (phase) { 5262 case PHASE_DEAD: return "dead"; 5263 case PHASE_ESTABLISH: return "establish"; 5264 case PHASE_TERMINATE: return "terminate"; 5265 case PHASE_AUTHENTICATE: return "authenticate"; 5266 case PHASE_NETWORK: return "network"; 5267 } 5268 return "illegal"; 5269 } 5270 5271 static const char * 5272 sppp_proto_name(u_short proto) 5273 { 5274 static char buf[12]; 5275 switch (proto) { 5276 case PPP_LCP: return "lcp"; 5277 case PPP_IPCP: return "ipcp"; 5278 case PPP_PAP: return "pap"; 5279 case PPP_CHAP: return "chap"; 5280 case PPP_IPV6CP: return "ipv6cp"; 5281 } 5282 ksnprintf(buf, sizeof(buf), "proto/0x%x", (unsigned)proto); 5283 return buf; 5284 } 5285 5286 static void 5287 sppp_print_bytes(const u_char *p, u_short len) 5288 { 5289 char hexstr[len]; 5290 if (len) 5291 log(-1, " %s", hexncpy(p, len, hexstr, HEX_NCPYLEN(len), "-")); 5292 } 5293 5294 static void 5295 sppp_print_string(const char *p, u_short len) 5296 { 5297 u_char c; 5298 5299 while (len-- > 0) { 5300 c = *p++; 5301 /* 5302 * Print only ASCII chars directly. RFC 1994 recommends 5303 * using only them, but we don't rely on it. */ 5304 if (c < ' ' || c > '~') 5305 log(-1, "\\x%x", c); 5306 else 5307 log(-1, "%c", c); 5308 } 5309 } 5310 5311 static const char * 5312 sppp_dotted_quad(u_long addr) 5313 { 5314 static char s[16]; 5315 ksprintf(s, "%d.%d.%d.%d", 5316 (int)((addr >> 24) & 0xff), 5317 (int)((addr >> 16) & 0xff), 5318 (int)((addr >> 8) & 0xff), 5319 (int)(addr & 0xff)); 5320 return s; 5321 } 5322 5323 static int 5324 sppp_strnlen(u_char *p, int max) 5325 { 5326 int len; 5327 5328 for (len = 0; len < max && *p; ++p) 5329 ++len; 5330 return len; 5331 } 5332 5333 /* a dummy, used to drop uninteresting events */ 5334 static void 5335 sppp_null(struct sppp *unused) 5336 { 5337 /* do just nothing */ 5338 } 5339