1 /* $NetBSD: if_spppsubr.c,v 1.120 2010/04/20 14:32:03 jmcneill Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak@cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun@iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.120 2010/04/20 14:32:03 jmcneill Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_ipx.h" 49 #include "opt_iso.h" 50 #include "opt_pfil_hooks.h" 51 #include "opt_modular.h" 52 #include "opt_compat_netbsd.h" 53 #endif 54 55 56 #include <sys/param.h> 57 #include <sys/proc.h> 58 #include <sys/systm.h> 59 #include <sys/kernel.h> 60 #include <sys/sockio.h> 61 #include <sys/socket.h> 62 #include <sys/syslog.h> 63 #include <sys/malloc.h> 64 #include <sys/mbuf.h> 65 #include <sys/callout.h> 66 #include <sys/md5.h> 67 #include <sys/inttypes.h> 68 #include <sys/kauth.h> 69 70 #include <net/if.h> 71 #include <net/netisr.h> 72 #include <net/if_types.h> 73 #include <net/route.h> 74 #include <net/ppp_defs.h> 75 76 #include <machine/stdarg.h> 77 78 #include <netinet/in.h> 79 #include <netinet/in_systm.h> 80 #include <netinet/in_var.h> 81 #ifdef INET 82 #include <netinet/ip.h> 83 #include <netinet/tcp.h> 84 #endif 85 #include <net/ethertypes.h> 86 87 #ifdef INET6 88 #include <netinet6/scope6_var.h> 89 #endif 90 91 #ifdef IPX 92 #include <netipx/ipx.h> 93 #include <netipx/ipx_if.h> 94 #endif 95 96 97 #ifdef ISO 98 #include <netiso/argo_debug.h> 99 #include <netiso/iso.h> 100 #include <netiso/iso_var.h> 101 #include <netiso/iso_snpac.h> 102 #endif 103 104 #include <net/if_sppp.h> 105 #include <net/if_spppvar.h> 106 107 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 108 #define LOOPALIVECNT 3 /* loopback detection tries */ 109 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 110 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 111 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 112 113 /* 114 * Interface flags that can be set in an ifconfig command. 115 * 116 * Setting link0 will make the link passive, i.e. it will be marked 117 * as being administrative openable, but won't be opened to begin 118 * with. Incoming calls will be answered, or subsequent calls with 119 * -link1 will cause the administrative open of the LCP layer. 120 * 121 * Setting link1 will cause the link to auto-dial only as packets 122 * arrive to be sent. 123 * 124 * Setting IFF_DEBUG will syslog the option negotiation and state 125 * transitions at level kern.debug. Note: all logs consistently look 126 * like 127 * 128 * <if-name><unit>: <proto-name> <additional info...> 129 * 130 * with <if-name><unit> being something like "bppp0", and <proto-name> 131 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 132 */ 133 134 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 135 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 136 137 #define CONF_REQ 1 /* PPP configure request */ 138 #define CONF_ACK 2 /* PPP configure acknowledge */ 139 #define CONF_NAK 3 /* PPP configure negative ack */ 140 #define CONF_REJ 4 /* PPP configure reject */ 141 #define TERM_REQ 5 /* PPP terminate request */ 142 #define TERM_ACK 6 /* PPP terminate acknowledge */ 143 #define CODE_REJ 7 /* PPP code reject */ 144 #define PROTO_REJ 8 /* PPP protocol reject */ 145 #define ECHO_REQ 9 /* PPP echo request */ 146 #define ECHO_REPLY 10 /* PPP echo reply */ 147 #define DISC_REQ 11 /* PPP discard request */ 148 149 #define LCP_OPT_MRU 1 /* maximum receive unit */ 150 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 151 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 152 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 153 #define LCP_OPT_MAGIC 5 /* magic number */ 154 #define LCP_OPT_RESERVED 6 /* reserved */ 155 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 156 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 157 158 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 159 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 160 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 161 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 162 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 163 164 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 165 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 166 167 #define PAP_REQ 1 /* PAP name/password request */ 168 #define PAP_ACK 2 /* PAP acknowledge */ 169 #define PAP_NAK 3 /* PAP fail */ 170 171 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 172 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 173 #define CHAP_SUCCESS 3 /* CHAP response ok */ 174 #define CHAP_FAILURE 4 /* CHAP response failed */ 175 176 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 177 178 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 179 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 180 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 181 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 182 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 183 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 184 185 /* states are named and numbered according to RFC 1661 */ 186 #define STATE_INITIAL 0 187 #define STATE_STARTING 1 188 #define STATE_CLOSED 2 189 #define STATE_STOPPED 3 190 #define STATE_CLOSING 4 191 #define STATE_STOPPING 5 192 #define STATE_REQ_SENT 6 193 #define STATE_ACK_RCVD 7 194 #define STATE_ACK_SENT 8 195 #define STATE_OPENED 9 196 197 struct ppp_header { 198 uint8_t address; 199 uint8_t control; 200 uint16_t protocol; 201 } __packed; 202 #define PPP_HEADER_LEN sizeof (struct ppp_header) 203 204 struct lcp_header { 205 uint8_t type; 206 uint8_t ident; 207 uint16_t len; 208 } __packed; 209 #define LCP_HEADER_LEN sizeof (struct lcp_header) 210 211 struct cisco_packet { 212 uint32_t type; 213 uint32_t par1; 214 uint32_t par2; 215 uint16_t rel; 216 uint16_t time0; 217 uint16_t time1; 218 } __packed; 219 #define CISCO_PACKET_LEN 18 220 221 /* 222 * We follow the spelling and capitalization of RFC 1661 here, to make 223 * it easier comparing with the standard. Please refer to this RFC in 224 * case you can't make sense out of these abbreviation; it will also 225 * explain the semantics related to the various events and actions. 226 */ 227 struct cp { 228 u_short proto; /* PPP control protocol number */ 229 u_char protoidx; /* index into state table in struct sppp */ 230 u_char flags; 231 #define CP_LCP 0x01 /* this is the LCP */ 232 #define CP_AUTH 0x02 /* this is an authentication protocol */ 233 #define CP_NCP 0x04 /* this is a NCP */ 234 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 235 const char *name; /* name of this control protocol */ 236 /* event handlers */ 237 void (*Up)(struct sppp *sp); 238 void (*Down)(struct sppp *sp); 239 void (*Open)(struct sppp *sp); 240 void (*Close)(struct sppp *sp); 241 void (*TO)(void *sp); 242 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 243 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 244 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 245 /* actions */ 246 void (*tlu)(struct sppp *sp); 247 void (*tld)(struct sppp *sp); 248 void (*tls)(struct sppp *sp); 249 void (*tlf)(struct sppp *sp); 250 void (*scr)(struct sppp *sp); 251 }; 252 253 static struct sppp *spppq; 254 static callout_t keepalive_ch; 255 256 #ifdef INET 257 /* 258 * The following disgusting hack gets around the problem that IP TOS 259 * can't be set yet. We want to put "interactive" traffic on a high 260 * priority queue. To decide if traffic is interactive, we check that 261 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 262 * 263 * XXX is this really still necessary? - joerg - 264 */ 265 static u_short interactive_ports[8] = { 266 0, 513, 0, 0, 267 0, 21, 0, 23, 268 }; 269 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 270 #endif 271 272 /* almost every function needs these */ 273 #define STDDCL \ 274 struct ifnet *ifp = &sp->pp_if; \ 275 int debug = ifp->if_flags & IFF_DEBUG 276 277 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 278 const struct sockaddr *dst, struct rtentry *rt); 279 280 static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2); 281 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 282 283 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 284 struct mbuf *m); 285 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 286 u_char ident, u_short len, void *data); 287 /* static void sppp_cp_timeout(void *arg); */ 288 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 289 int newstate); 290 static void sppp_auth_send(const struct cp *cp, 291 struct sppp *sp, unsigned int type, unsigned int id, 292 ...); 293 294 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 295 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 296 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 297 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 298 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 299 300 static void sppp_null(struct sppp *sp); 301 302 static void sppp_lcp_init(struct sppp *sp); 303 static void sppp_lcp_up(struct sppp *sp); 304 static void sppp_lcp_down(struct sppp *sp); 305 static void sppp_lcp_open(struct sppp *sp); 306 static void sppp_lcp_close(struct sppp *sp); 307 static void sppp_lcp_TO(void *sp); 308 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 309 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 310 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 311 static void sppp_lcp_tlu(struct sppp *sp); 312 static void sppp_lcp_tld(struct sppp *sp); 313 static void sppp_lcp_tls(struct sppp *sp); 314 static void sppp_lcp_tlf(struct sppp *sp); 315 static void sppp_lcp_scr(struct sppp *sp); 316 static void sppp_lcp_check_and_close(struct sppp *sp); 317 static int sppp_ncp_check(struct sppp *sp); 318 319 static void sppp_ipcp_init(struct sppp *sp); 320 static void sppp_ipcp_up(struct sppp *sp); 321 static void sppp_ipcp_down(struct sppp *sp); 322 static void sppp_ipcp_open(struct sppp *sp); 323 static void sppp_ipcp_close(struct sppp *sp); 324 static void sppp_ipcp_TO(void *sp); 325 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 326 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 327 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 328 static void sppp_ipcp_tlu(struct sppp *sp); 329 static void sppp_ipcp_tld(struct sppp *sp); 330 static void sppp_ipcp_tls(struct sppp *sp); 331 static void sppp_ipcp_tlf(struct sppp *sp); 332 static void sppp_ipcp_scr(struct sppp *sp); 333 334 static void sppp_ipv6cp_init(struct sppp *sp); 335 static void sppp_ipv6cp_up(struct sppp *sp); 336 static void sppp_ipv6cp_down(struct sppp *sp); 337 static void sppp_ipv6cp_open(struct sppp *sp); 338 static void sppp_ipv6cp_close(struct sppp *sp); 339 static void sppp_ipv6cp_TO(void *sp); 340 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 341 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 342 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 343 static void sppp_ipv6cp_tlu(struct sppp *sp); 344 static void sppp_ipv6cp_tld(struct sppp *sp); 345 static void sppp_ipv6cp_tls(struct sppp *sp); 346 static void sppp_ipv6cp_tlf(struct sppp *sp); 347 static void sppp_ipv6cp_scr(struct sppp *sp); 348 349 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 350 static void sppp_pap_init(struct sppp *sp); 351 static void sppp_pap_open(struct sppp *sp); 352 static void sppp_pap_close(struct sppp *sp); 353 static void sppp_pap_TO(void *sp); 354 static void sppp_pap_my_TO(void *sp); 355 static void sppp_pap_tlu(struct sppp *sp); 356 static void sppp_pap_tld(struct sppp *sp); 357 static void sppp_pap_scr(struct sppp *sp); 358 359 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 360 static void sppp_chap_init(struct sppp *sp); 361 static void sppp_chap_open(struct sppp *sp); 362 static void sppp_chap_close(struct sppp *sp); 363 static void sppp_chap_TO(void *sp); 364 static void sppp_chap_tlu(struct sppp *sp); 365 static void sppp_chap_tld(struct sppp *sp); 366 static void sppp_chap_scr(struct sppp *sp); 367 368 static const char *sppp_auth_type_name(u_short proto, u_char type); 369 static const char *sppp_cp_type_name(u_char type); 370 static const char *sppp_dotted_quad(uint32_t addr); 371 static const char *sppp_ipcp_opt_name(u_char opt); 372 #ifdef INET6 373 static const char *sppp_ipv6cp_opt_name(u_char opt); 374 #endif 375 static const char *sppp_lcp_opt_name(u_char opt); 376 static const char *sppp_phase_name(int phase); 377 static const char *sppp_proto_name(u_short proto); 378 static const char *sppp_state_name(int state); 379 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 380 #ifdef INET 381 static void sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, 382 uint32_t *srcmask); 383 static void sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr); 384 static void sppp_clear_ip_addrs(struct sppp *sp); 385 #endif 386 static void sppp_keepalive(void *dummy); 387 static void sppp_phase_network(struct sppp *sp); 388 static void sppp_print_bytes(const u_char *p, u_short len); 389 static void sppp_print_string(const char *p, u_short len); 390 #ifdef INET6 391 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 392 struct in6_addr *dst, struct in6_addr *srcmask); 393 #ifdef IPV6CP_MYIFID_DYN 394 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 395 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 396 #endif 397 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 398 #endif 399 400 /* our control protocol descriptors */ 401 static const struct cp lcp = { 402 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 403 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 404 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 405 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 406 sppp_lcp_scr 407 }; 408 409 static const struct cp ipcp = { 410 PPP_IPCP, IDX_IPCP, 411 #ifdef INET 412 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 413 #else 414 0, 415 #endif 416 "ipcp", 417 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 418 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 419 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 420 sppp_ipcp_scr 421 }; 422 423 static const struct cp ipv6cp = { 424 PPP_IPV6CP, IDX_IPV6CP, 425 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 426 CP_NCP, 427 #else 428 0, 429 #endif 430 "ipv6cp", 431 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 432 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 433 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 434 sppp_ipv6cp_scr 435 }; 436 437 static const struct cp pap = { 438 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 439 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 440 sppp_pap_TO, 0, 0, 0, 441 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 442 sppp_pap_scr 443 }; 444 445 static const struct cp chap = { 446 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 447 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 448 sppp_chap_TO, 0, 0, 0, 449 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 450 sppp_chap_scr 451 }; 452 453 static const struct cp *cps[IDX_COUNT] = { 454 &lcp, /* IDX_LCP */ 455 &ipcp, /* IDX_IPCP */ 456 &ipv6cp, /* IDX_IPV6CP */ 457 &pap, /* IDX_PAP */ 458 &chap, /* IDX_CHAP */ 459 }; 460 461 462 void spppattach(int); 463 void 464 /*ARGSUSED*/ 465 spppattach(int count) 466 { 467 } 468 469 /* 470 * Exported functions, comprising our interface to the lower layer. 471 */ 472 473 /* 474 * Process the received packet. 475 */ 476 void 477 sppp_input(struct ifnet *ifp, struct mbuf *m) 478 { 479 struct ppp_header *h = NULL; 480 struct ifqueue *inq = 0; 481 uint16_t protocol; 482 int s; 483 struct sppp *sp = (struct sppp *)ifp; 484 int debug = ifp->if_flags & IFF_DEBUG; 485 486 if (ifp->if_flags & IFF_UP) { 487 /* Count received bytes, add hardware framing */ 488 ifp->if_ibytes += m->m_pkthdr.len + sp->pp_framebytes; 489 /* Note time of last receive */ 490 sp->pp_last_receive = time_uptime; 491 } 492 493 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 494 /* Too small packet, drop it. */ 495 if (debug) 496 log(LOG_DEBUG, 497 "%s: input packet is too small, %d bytes\n", 498 ifp->if_xname, m->m_pkthdr.len); 499 drop: 500 ++ifp->if_ierrors; 501 ++ifp->if_iqdrops; 502 m_freem(m); 503 return; 504 } 505 506 if (sp->pp_flags & PP_NOFRAMING) { 507 memcpy(&protocol, mtod(m, void *), 2); 508 protocol = ntohs(protocol); 509 m_adj(m, 2); 510 } else { 511 512 /* Get PPP header. */ 513 h = mtod(m, struct ppp_header *); 514 m_adj(m, PPP_HEADER_LEN); 515 516 switch (h->address) { 517 case PPP_ALLSTATIONS: 518 if (h->control != PPP_UI) 519 goto invalid; 520 if (sp->pp_flags & PP_CISCO) { 521 if (debug) 522 log(LOG_DEBUG, 523 "%s: PPP packet in Cisco mode " 524 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 525 ifp->if_xname, 526 h->address, h->control, ntohs(h->protocol)); 527 goto drop; 528 } 529 break; 530 case CISCO_MULTICAST: 531 case CISCO_UNICAST: 532 /* Don't check the control field here (RFC 1547). */ 533 if (! (sp->pp_flags & PP_CISCO)) { 534 if (debug) 535 log(LOG_DEBUG, 536 "%s: Cisco packet in PPP mode " 537 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 538 ifp->if_xname, 539 h->address, h->control, ntohs(h->protocol)); 540 goto drop; 541 } 542 switch (ntohs(h->protocol)) { 543 default: 544 ++ifp->if_noproto; 545 goto invalid; 546 case CISCO_KEEPALIVE: 547 sppp_cisco_input((struct sppp *) ifp, m); 548 m_freem(m); 549 return; 550 #ifdef INET 551 case ETHERTYPE_IP: 552 schednetisr(NETISR_IP); 553 inq = &ipintrq; 554 break; 555 #endif 556 #ifdef INET6 557 case ETHERTYPE_IPV6: 558 schednetisr(NETISR_IPV6); 559 inq = &ip6intrq; 560 break; 561 #endif 562 #ifdef IPX 563 case ETHERTYPE_IPX: 564 schednetisr(NETISR_IPX); 565 inq = &ipxintrq; 566 break; 567 #endif 568 } 569 goto queue_pkt; 570 default: /* Invalid PPP packet. */ 571 invalid: 572 if (debug) 573 log(LOG_DEBUG, 574 "%s: invalid input packet " 575 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 576 ifp->if_xname, 577 h->address, h->control, ntohs(h->protocol)); 578 goto drop; 579 } 580 protocol = ntohs(h->protocol); 581 } 582 583 switch (protocol) { 584 default: 585 if (sp->state[IDX_LCP] == STATE_OPENED) { 586 uint16_t prot = htons(protocol); 587 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 588 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 589 &prot); 590 } 591 if (debug) 592 log(LOG_DEBUG, 593 "%s: invalid input protocol " 594 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol)); 595 ++ifp->if_noproto; 596 goto drop; 597 case PPP_LCP: 598 sppp_cp_input(&lcp, sp, m); 599 m_freem(m); 600 return; 601 case PPP_PAP: 602 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 603 sppp_pap_input(sp, m); 604 m_freem(m); 605 return; 606 case PPP_CHAP: 607 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 608 sppp_chap_input(sp, m); 609 m_freem(m); 610 return; 611 #ifdef INET 612 case PPP_IPCP: 613 if (sp->pp_phase == SPPP_PHASE_NETWORK) 614 sppp_cp_input(&ipcp, sp, m); 615 m_freem(m); 616 return; 617 case PPP_IP: 618 if (sp->state[IDX_IPCP] == STATE_OPENED) { 619 schednetisr(NETISR_IP); 620 inq = &ipintrq; 621 sp->pp_last_activity = time_uptime; 622 } 623 break; 624 #endif 625 #ifdef INET6 626 case PPP_IPV6CP: 627 if (sp->pp_phase == SPPP_PHASE_NETWORK) 628 sppp_cp_input(&ipv6cp, sp, m); 629 m_freem(m); 630 return; 631 632 case PPP_IPV6: 633 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 634 schednetisr(NETISR_IPV6); 635 inq = &ip6intrq; 636 sp->pp_last_activity = time_uptime; 637 } 638 break; 639 #endif 640 #ifdef IPX 641 case PPP_IPX: 642 /* IPX IPXCP not implemented yet */ 643 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 644 schednetisr(NETISR_IPX); 645 inq = &ipxintrq; 646 } 647 break; 648 #endif 649 #ifdef ISO 650 case PPP_ISO: 651 /* OSI NLCP not implemented yet */ 652 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 653 schednetisr(NETISR_ISO); 654 inq = &clnlintrq; 655 } 656 break; 657 #endif 658 } 659 660 queue_pkt: 661 if (! (ifp->if_flags & IFF_UP) || ! inq) 662 goto drop; 663 664 /* Check queue. */ 665 s = splnet(); 666 if (IF_QFULL(inq)) { 667 /* Queue overflow. */ 668 IF_DROP(inq); 669 splx(s); 670 if (debug) 671 log(LOG_DEBUG, "%s: protocol queue overflow\n", 672 ifp->if_xname); 673 goto drop; 674 } 675 IF_ENQUEUE(inq, m); 676 splx(s); 677 } 678 679 /* 680 * Enqueue transmit packet. 681 */ 682 static int 683 sppp_output(struct ifnet *ifp, struct mbuf *m, 684 const struct sockaddr *dst, struct rtentry *rt) 685 { 686 struct sppp *sp = (struct sppp *) ifp; 687 struct ppp_header *h = NULL; 688 struct ifqueue *ifq = NULL; /* XXX */ 689 int s, error = 0; 690 uint16_t protocol; 691 ALTQ_DECL(struct altq_pktattr pktattr;) 692 693 s = splnet(); 694 695 sp->pp_last_activity = time_uptime; 696 697 if ((ifp->if_flags & IFF_UP) == 0 || 698 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 699 m_freem(m); 700 splx(s); 701 return (ENETDOWN); 702 } 703 704 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 705 /* 706 * Interface is not yet running, but auto-dial. Need 707 * to start LCP for it. 708 */ 709 ifp->if_flags |= IFF_RUNNING; 710 splx(s); 711 lcp.Open(sp); 712 s = splnet(); 713 } 714 715 /* 716 * If the queueing discipline needs packet classification, 717 * do it before prepending link headers. 718 */ 719 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family, &pktattr); 720 721 #ifdef INET 722 if (dst->sa_family == AF_INET) { 723 struct ip *ip = NULL; 724 struct tcphdr *th = NULL; 725 726 if (m->m_len >= sizeof(struct ip)) { 727 ip = mtod(m, struct ip *); 728 if (ip->ip_p == IPPROTO_TCP && 729 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 730 sizeof(struct tcphdr)) { 731 th = (struct tcphdr *) 732 ((char *)ip + (ip->ip_hl << 2)); 733 } 734 } else 735 ip = NULL; 736 737 /* 738 * When using dynamic local IP address assignment by using 739 * 0.0.0.0 as a local address, the first TCP session will 740 * not connect because the local TCP checksum is computed 741 * using 0.0.0.0 which will later become our real IP address 742 * so the TCP checksum computed at the remote end will 743 * become invalid. So we 744 * - don't let packets with src ip addr 0 thru 745 * - we flag TCP packets with src ip 0 as an error 746 */ 747 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 748 uint8_t proto = ip->ip_p; 749 750 m_freem(m); 751 splx(s); 752 if (proto == IPPROTO_TCP) 753 return (EADDRNOTAVAIL); 754 else 755 return (0); 756 } 757 758 /* 759 * Put low delay, telnet, rlogin and ftp control packets 760 * in front of the queue. 761 */ 762 763 if (!IF_QFULL(&sp->pp_fastq) && 764 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 765 (th && (INTERACTIVE(ntohs(th->th_sport)) || 766 INTERACTIVE(ntohs(th->th_dport)))))) 767 ifq = &sp->pp_fastq; 768 } 769 #endif 770 771 #ifdef INET6 772 if (dst->sa_family == AF_INET6) { 773 /* XXX do something tricky here? */ 774 } 775 #endif 776 777 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 778 /* 779 * Prepend general data packet PPP header. For now, IP only. 780 */ 781 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 782 if (! m) { 783 if (ifp->if_flags & IFF_DEBUG) 784 log(LOG_DEBUG, "%s: no memory for transmit header\n", 785 ifp->if_xname); 786 ++ifp->if_oerrors; 787 splx(s); 788 return (ENOBUFS); 789 } 790 /* 791 * May want to check size of packet 792 * (albeit due to the implementation it's always enough) 793 */ 794 h = mtod(m, struct ppp_header *); 795 if (sp->pp_flags & PP_CISCO) { 796 h->address = CISCO_UNICAST; /* unicast address */ 797 h->control = 0; 798 } else { 799 h->address = PPP_ALLSTATIONS; /* broadcast address */ 800 h->control = PPP_UI; /* Unnumbered Info */ 801 } 802 } 803 804 switch (dst->sa_family) { 805 #ifdef INET 806 case AF_INET: /* Internet Protocol */ 807 if (sp->pp_flags & PP_CISCO) 808 protocol = htons(ETHERTYPE_IP); 809 else { 810 /* 811 * Don't choke with an ENETDOWN early. It's 812 * possible that we just started dialing out, 813 * so don't drop the packet immediately. If 814 * we notice that we run out of buffer space 815 * below, we will however remember that we are 816 * not ready to carry IP packets, and return 817 * ENETDOWN, as opposed to ENOBUFS. 818 */ 819 protocol = htons(PPP_IP); 820 if (sp->state[IDX_IPCP] != STATE_OPENED) 821 error = ENETDOWN; 822 } 823 break; 824 #endif 825 #ifdef INET6 826 case AF_INET6: /* Internet Protocol version 6 */ 827 if (sp->pp_flags & PP_CISCO) 828 protocol = htons(ETHERTYPE_IPV6); 829 else { 830 /* 831 * Don't choke with an ENETDOWN early. It's 832 * possible that we just started dialing out, 833 * so don't drop the packet immediately. If 834 * we notice that we run out of buffer space 835 * below, we will however remember that we are 836 * not ready to carry IP packets, and return 837 * ENETDOWN, as opposed to ENOBUFS. 838 */ 839 protocol = htons(PPP_IPV6); 840 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 841 error = ENETDOWN; 842 } 843 break; 844 #endif 845 #ifdef IPX 846 case AF_IPX: /* Novell IPX Protocol */ 847 protocol = htons((sp->pp_flags & PP_CISCO) ? 848 ETHERTYPE_IPX : PPP_IPX); 849 break; 850 #endif 851 #ifdef ISO 852 case AF_ISO: /* ISO OSI Protocol */ 853 if (sp->pp_flags & PP_CISCO) 854 goto nosupport; 855 protocol = htons(PPP_ISO); 856 break; 857 nosupport: 858 #endif 859 default: 860 m_freem(m); 861 ++ifp->if_oerrors; 862 splx(s); 863 return (EAFNOSUPPORT); 864 } 865 866 if (sp->pp_flags & PP_NOFRAMING) { 867 M_PREPEND(m, 2, M_DONTWAIT); 868 if (m == NULL) { 869 if (ifp->if_flags & IFF_DEBUG) 870 log(LOG_DEBUG, "%s: no memory for transmit header\n", 871 ifp->if_xname); 872 ++ifp->if_oerrors; 873 splx(s); 874 return (ENOBUFS); 875 } 876 *mtod(m, uint16_t *) = protocol; 877 } else { 878 h->protocol = protocol; 879 } 880 881 882 error = ifq_enqueue2(ifp, ifq, m ALTQ_COMMA ALTQ_DECL(&pktattr)); 883 884 if (error == 0) { 885 /* 886 * Count output packets and bytes. 887 * The packet length includes header + additional hardware 888 * framing according to RFC 1333. 889 */ 890 if (!(ifp->if_flags & IFF_OACTIVE)) 891 (*ifp->if_start)(ifp); 892 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 893 } 894 splx(s); 895 return error; 896 } 897 898 void 899 sppp_attach(struct ifnet *ifp) 900 { 901 struct sppp *sp = (struct sppp *) ifp; 902 903 /* Initialize keepalive handler. */ 904 if (! spppq) { 905 callout_init(&keepalive_ch, 0); 906 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 907 } 908 909 /* Insert new entry into the keepalive list. */ 910 sp->pp_next = spppq; 911 spppq = sp; 912 913 sp->pp_if.if_type = IFT_PPP; 914 sp->pp_if.if_output = sppp_output; 915 sp->pp_fastq.ifq_maxlen = 32; 916 sp->pp_cpq.ifq_maxlen = 20; 917 sp->pp_loopcnt = 0; 918 sp->pp_alivecnt = 0; 919 sp->pp_last_activity = 0; 920 sp->pp_last_receive = 0; 921 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 922 sp->pp_max_noreceive = DEFAULT_NORECV_TIME; 923 sp->pp_idle_timeout = 0; 924 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq)); 925 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq)); 926 sp->pp_auth_failures = 0; 927 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 928 sp->pp_phase = SPPP_PHASE_DEAD; 929 sp->pp_up = lcp.Up; 930 sp->pp_down = lcp.Down; 931 932 if_alloc_sadl(ifp); 933 934 memset(&sp->myauth, 0, sizeof sp->myauth); 935 memset(&sp->hisauth, 0, sizeof sp->hisauth); 936 sppp_lcp_init(sp); 937 sppp_ipcp_init(sp); 938 sppp_ipv6cp_init(sp); 939 sppp_pap_init(sp); 940 sppp_chap_init(sp); 941 } 942 943 void 944 sppp_detach(struct ifnet *ifp) 945 { 946 struct sppp **q, *p, *sp = (struct sppp *) ifp; 947 948 /* Remove the entry from the keepalive list. */ 949 for (q = &spppq; (p = *q); q = &p->pp_next) 950 if (p == sp) { 951 *q = p->pp_next; 952 break; 953 } 954 955 /* Stop keepalive handler. */ 956 if (! spppq) { 957 callout_stop(&keepalive_ch); 958 } 959 960 callout_stop(&sp->ch[IDX_LCP]); 961 callout_stop(&sp->ch[IDX_IPCP]); 962 callout_stop(&sp->ch[IDX_PAP]); 963 callout_stop(&sp->ch[IDX_CHAP]); 964 #ifdef INET6 965 callout_stop(&sp->ch[IDX_IPV6CP]); 966 #endif 967 callout_stop(&sp->pap_my_to_ch); 968 969 /* free authentication info */ 970 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 971 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 972 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 973 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 974 975 #if 0 /* done in if_detach() */ 976 if_free_sadl(ifp); 977 #endif 978 } 979 980 /* 981 * Flush the interface output queue. 982 */ 983 void 984 sppp_flush(struct ifnet *ifp) 985 { 986 struct sppp *sp = (struct sppp *) ifp; 987 988 IFQ_PURGE(&sp->pp_if.if_snd); 989 IF_PURGE(&sp->pp_fastq); 990 IF_PURGE(&sp->pp_cpq); 991 } 992 993 /* 994 * Check if the output queue is empty. 995 */ 996 int 997 sppp_isempty(struct ifnet *ifp) 998 { 999 struct sppp *sp = (struct sppp *) ifp; 1000 int empty, s; 1001 1002 s = splnet(); 1003 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 1004 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 1005 splx(s); 1006 return (empty); 1007 } 1008 1009 /* 1010 * Get next packet to send. 1011 */ 1012 struct mbuf * 1013 sppp_dequeue(struct ifnet *ifp) 1014 { 1015 struct sppp *sp = (struct sppp *) ifp; 1016 struct mbuf *m; 1017 int s; 1018 1019 s = splnet(); 1020 /* 1021 * Process only the control protocol queue until we have at 1022 * least one NCP open. 1023 * 1024 * Do always serve all three queues in Cisco mode. 1025 */ 1026 IF_DEQUEUE(&sp->pp_cpq, m); 1027 if (m == NULL && 1028 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) { 1029 IF_DEQUEUE(&sp->pp_fastq, m); 1030 if (m == NULL) 1031 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 1032 } 1033 splx(s); 1034 return m; 1035 } 1036 1037 /* 1038 * Process an ioctl request. Called on low priority level. 1039 */ 1040 int 1041 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1042 { 1043 struct lwp *l = curlwp; /* XXX */ 1044 struct ifreq *ifr = (struct ifreq *) data; 1045 struct sppp *sp = (struct sppp *) ifp; 1046 int s, error=0, going_up, going_down, newmode; 1047 1048 s = splnet(); 1049 switch (cmd) { 1050 case SIOCSIFDSTADDR: 1051 case SIOCINITIFADDR: 1052 break; 1053 1054 case SIOCSIFFLAGS: 1055 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1056 break; 1057 going_up = ifp->if_flags & IFF_UP && 1058 (ifp->if_flags & IFF_RUNNING) == 0; 1059 going_down = (ifp->if_flags & IFF_UP) == 0 && 1060 ifp->if_flags & IFF_RUNNING; 1061 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1062 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1063 /* sanity */ 1064 newmode = IFF_PASSIVE; 1065 ifp->if_flags &= ~IFF_AUTO; 1066 } 1067 1068 if (going_up || going_down) 1069 lcp.Close(sp); 1070 if (going_up && newmode == 0) { 1071 /* neither auto-dial nor passive */ 1072 ifp->if_flags |= IFF_RUNNING; 1073 if (!(sp->pp_flags & PP_CISCO)) 1074 lcp.Open(sp); 1075 } else if (going_down) { 1076 sppp_flush(ifp); 1077 ifp->if_flags &= ~IFF_RUNNING; 1078 } 1079 1080 break; 1081 1082 case SIOCSIFMTU: 1083 if (ifr->ifr_mtu < PPP_MINMRU || 1084 ifr->ifr_mtu > sp->lcp.their_mru) { 1085 error = EINVAL; 1086 break; 1087 } 1088 /*FALLTHROUGH*/ 1089 case SIOCGIFMTU: 1090 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1091 error = 0; 1092 break; 1093 case SIOCADDMULTI: 1094 case SIOCDELMULTI: 1095 break; 1096 1097 case SPPPSETAUTHCFG: 1098 case SPPPSETLCPCFG: 1099 case SPPPSETIDLETO: 1100 case SPPPSETAUTHFAILURE: 1101 case SPPPSETDNSOPTS: 1102 case SPPPSETKEEPALIVE: 1103 #if defined(COMPAT_50) || defined(MODULAR) 1104 case __SPPPSETIDLETO50: 1105 case __SPPPSETKEEPALIVE50: 1106 #endif /* COMPAT_50 || MODULAR */ 1107 error = kauth_authorize_network(l->l_cred, 1108 KAUTH_NETWORK_INTERFACE, 1109 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1110 NULL); 1111 if (error) 1112 break; 1113 error = sppp_params(sp, cmd, data); 1114 break; 1115 1116 case SPPPGETAUTHCFG: 1117 case SPPPGETLCPCFG: 1118 case SPPPGETAUTHFAILURES: 1119 error = kauth_authorize_network(l->l_cred, 1120 KAUTH_NETWORK_INTERFACE, 1121 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1122 NULL); 1123 if (error) 1124 break; 1125 error = sppp_params(sp, cmd, data); 1126 break; 1127 1128 case SPPPGETSTATUS: 1129 case SPPPGETSTATUSNCP: 1130 case SPPPGETIDLETO: 1131 case SPPPGETDNSOPTS: 1132 case SPPPGETDNSADDRS: 1133 case SPPPGETKEEPALIVE: 1134 #if defined(COMPAT_50) || defined(MODULAR) 1135 case __SPPPGETIDLETO50: 1136 case __SPPPGETKEEPALIVE50: 1137 #endif /* COMPAT_50 || MODULAR */ 1138 error = sppp_params(sp, cmd, data); 1139 break; 1140 1141 default: 1142 error = ifioctl_common(ifp, cmd, data); 1143 break; 1144 } 1145 splx(s); 1146 return (error); 1147 } 1148 1149 1150 /* 1151 * Cisco framing implementation. 1152 */ 1153 1154 /* 1155 * Handle incoming Cisco keepalive protocol packets. 1156 */ 1157 static void 1158 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1159 { 1160 STDDCL; 1161 struct cisco_packet *h; 1162 #ifdef INET 1163 uint32_t me, mymask = 0; /* XXX: GCC */ 1164 #endif 1165 1166 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1167 if (debug) 1168 log(LOG_DEBUG, 1169 "%s: cisco invalid packet length: %d bytes\n", 1170 ifp->if_xname, m->m_pkthdr.len); 1171 return; 1172 } 1173 h = mtod(m, struct cisco_packet *); 1174 if (debug) 1175 log(LOG_DEBUG, 1176 "%s: cisco input: %d bytes " 1177 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1178 ifp->if_xname, m->m_pkthdr.len, 1179 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1180 (u_int)h->time0, (u_int)h->time1); 1181 switch (ntohl(h->type)) { 1182 default: 1183 if (debug) 1184 addlog("%s: cisco unknown packet type: 0x%x\n", 1185 ifp->if_xname, ntohl(h->type)); 1186 break; 1187 case CISCO_ADDR_REPLY: 1188 /* Reply on address request, ignore */ 1189 break; 1190 case CISCO_KEEPALIVE_REQ: 1191 sp->pp_alivecnt = 0; 1192 sp->pp_rseq[IDX_LCP] = ntohl(h->par1); 1193 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1194 /* Local and remote sequence numbers are equal. 1195 * Probably, the line is in loopback mode. */ 1196 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1197 printf ("%s: loopback\n", 1198 ifp->if_xname); 1199 sp->pp_loopcnt = 0; 1200 if (ifp->if_flags & IFF_UP) { 1201 if_down(ifp); 1202 IF_PURGE(&sp->pp_cpq); 1203 } 1204 } 1205 ++sp->pp_loopcnt; 1206 1207 /* Generate new local sequence number */ 1208 sp->pp_seq[IDX_LCP] = arc4random(); 1209 break; 1210 } 1211 sp->pp_loopcnt = 0; 1212 if (! (ifp->if_flags & IFF_UP) && 1213 (ifp->if_flags & IFF_RUNNING)) { 1214 if_up(ifp); 1215 } 1216 break; 1217 case CISCO_ADDR_REQ: 1218 #ifdef INET 1219 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1220 if (me != 0L) 1221 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1222 #endif 1223 break; 1224 } 1225 } 1226 1227 /* 1228 * Send Cisco keepalive packet. 1229 */ 1230 static void 1231 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1232 { 1233 STDDCL; 1234 struct ppp_header *h; 1235 struct cisco_packet *ch; 1236 struct mbuf *m; 1237 uint32_t t; 1238 1239 t = time_uptime * 1000; 1240 MGETHDR(m, M_DONTWAIT, MT_DATA); 1241 if (! m) 1242 return; 1243 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1244 m->m_pkthdr.rcvif = 0; 1245 1246 h = mtod(m, struct ppp_header *); 1247 h->address = CISCO_MULTICAST; 1248 h->control = 0; 1249 h->protocol = htons(CISCO_KEEPALIVE); 1250 1251 ch = (struct cisco_packet *)(h + 1); 1252 ch->type = htonl(type); 1253 ch->par1 = htonl(par1); 1254 ch->par2 = htonl(par2); 1255 ch->rel = -1; 1256 1257 ch->time0 = htons((u_short)(t >> 16)); 1258 ch->time1 = htons((u_short) t); 1259 1260 if (debug) 1261 log(LOG_DEBUG, 1262 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1263 ifp->if_xname, ntohl(ch->type), ch->par1, 1264 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1265 (u_int)ch->time1); 1266 1267 if (IF_QFULL(&sp->pp_cpq)) { 1268 IF_DROP(&sp->pp_fastq); 1269 IF_DROP(&ifp->if_snd); 1270 m_freem(m); 1271 ++ifp->if_oerrors; 1272 return; 1273 } else 1274 IF_ENQUEUE(&sp->pp_cpq, m); 1275 if (! (ifp->if_flags & IFF_OACTIVE)) 1276 (*ifp->if_start)(ifp); 1277 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1278 } 1279 1280 /* 1281 * PPP protocol implementation. 1282 */ 1283 1284 /* 1285 * Send PPP control protocol packet. 1286 */ 1287 static void 1288 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1289 u_char ident, u_short len, void *data) 1290 { 1291 STDDCL; 1292 struct lcp_header *lh; 1293 struct mbuf *m; 1294 size_t pkthdrlen; 1295 1296 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1297 1298 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1299 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1300 MGETHDR(m, M_DONTWAIT, MT_DATA); 1301 if (! m) 1302 return; 1303 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1304 m->m_pkthdr.rcvif = 0; 1305 1306 if (sp->pp_flags & PP_NOFRAMING) { 1307 *mtod(m, uint16_t *) = htons(proto); 1308 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1309 } else { 1310 struct ppp_header *h; 1311 h = mtod(m, struct ppp_header *); 1312 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1313 h->control = PPP_UI; /* Unnumbered Info */ 1314 h->protocol = htons(proto); /* Link Control Protocol */ 1315 lh = (struct lcp_header *)(h + 1); 1316 } 1317 lh->type = type; 1318 lh->ident = ident; 1319 lh->len = htons(LCP_HEADER_LEN + len); 1320 if (len) 1321 bcopy (data, lh + 1, len); 1322 1323 if (debug) { 1324 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1325 ifp->if_xname, 1326 sppp_proto_name(proto), 1327 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len)); 1328 if (len) 1329 sppp_print_bytes((u_char *)(lh + 1), len); 1330 addlog(">\n"); 1331 } 1332 if (IF_QFULL(&sp->pp_cpq)) { 1333 IF_DROP(&sp->pp_fastq); 1334 IF_DROP(&ifp->if_snd); 1335 m_freem(m); 1336 ++ifp->if_oerrors; 1337 return; 1338 } else 1339 IF_ENQUEUE(&sp->pp_cpq, m); 1340 if (! (ifp->if_flags & IFF_OACTIVE)) 1341 (*ifp->if_start)(ifp); 1342 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1343 } 1344 1345 /* 1346 * Handle incoming PPP control protocol packets. 1347 */ 1348 static void 1349 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1350 { 1351 STDDCL; 1352 struct lcp_header *h; 1353 int printlen, len = m->m_pkthdr.len; 1354 int rv; 1355 u_char *p; 1356 uint32_t u32; 1357 1358 if (len < 4) { 1359 if (debug) 1360 log(LOG_DEBUG, 1361 "%s: %s invalid packet length: %d bytes\n", 1362 ifp->if_xname, cp->name, len); 1363 return; 1364 } 1365 h = mtod(m, struct lcp_header *); 1366 if (debug) { 1367 printlen = ntohs(h->len); 1368 log(LOG_DEBUG, 1369 "%s: %s input(%s): <%s id=0x%x len=%d", 1370 ifp->if_xname, cp->name, 1371 sppp_state_name(sp->state[cp->protoidx]), 1372 sppp_cp_type_name(h->type), h->ident, printlen); 1373 if (len < printlen) 1374 printlen = len; 1375 if (printlen > 4) 1376 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1377 addlog(">\n"); 1378 } 1379 if (len > ntohs(h->len)) 1380 len = ntohs(h->len); 1381 p = (u_char *)(h + 1); 1382 switch (h->type) { 1383 case CONF_REQ: 1384 if (len < 4) { 1385 if (debug) 1386 addlog("%s: %s invalid conf-req length %d\n", 1387 ifp->if_xname, cp->name, 1388 len); 1389 ++ifp->if_ierrors; 1390 break; 1391 } 1392 /* handle states where RCR doesn't get a SCA/SCN */ 1393 switch (sp->state[cp->protoidx]) { 1394 case STATE_CLOSING: 1395 case STATE_STOPPING: 1396 return; 1397 case STATE_CLOSED: 1398 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1399 0, 0); 1400 return; 1401 } 1402 rv = (cp->RCR)(sp, h, len); 1403 if (rv < 0) { 1404 /* fatal error, shut down */ 1405 (cp->tld)(sp); 1406 sppp_lcp_tlf(sp); 1407 return; 1408 } 1409 switch (sp->state[cp->protoidx]) { 1410 case STATE_OPENED: 1411 (cp->tld)(sp); 1412 (cp->scr)(sp); 1413 /* fall through... */ 1414 case STATE_ACK_SENT: 1415 case STATE_REQ_SENT: 1416 sppp_cp_change_state(cp, sp, rv? 1417 STATE_ACK_SENT: STATE_REQ_SENT); 1418 break; 1419 case STATE_STOPPED: 1420 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1421 (cp->scr)(sp); 1422 sppp_cp_change_state(cp, sp, rv? 1423 STATE_ACK_SENT: STATE_REQ_SENT); 1424 break; 1425 case STATE_ACK_RCVD: 1426 if (rv) { 1427 sppp_cp_change_state(cp, sp, STATE_OPENED); 1428 if (debug) 1429 log(LOG_DEBUG, "%s: %s tlu\n", 1430 ifp->if_xname, 1431 cp->name); 1432 (cp->tlu)(sp); 1433 } else 1434 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1435 break; 1436 default: 1437 printf("%s: %s illegal %s in state %s\n", 1438 ifp->if_xname, cp->name, 1439 sppp_cp_type_name(h->type), 1440 sppp_state_name(sp->state[cp->protoidx])); 1441 ++ifp->if_ierrors; 1442 } 1443 break; 1444 case CONF_ACK: 1445 if (h->ident != sp->confid[cp->protoidx]) { 1446 if (debug) 1447 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1448 ifp->if_xname, cp->name, 1449 h->ident, sp->confid[cp->protoidx]); 1450 ++ifp->if_ierrors; 1451 break; 1452 } 1453 switch (sp->state[cp->protoidx]) { 1454 case STATE_CLOSED: 1455 case STATE_STOPPED: 1456 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1457 break; 1458 case STATE_CLOSING: 1459 case STATE_STOPPING: 1460 break; 1461 case STATE_REQ_SENT: 1462 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1463 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1464 break; 1465 case STATE_OPENED: 1466 (cp->tld)(sp); 1467 /* fall through */ 1468 case STATE_ACK_RCVD: 1469 (cp->scr)(sp); 1470 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1471 break; 1472 case STATE_ACK_SENT: 1473 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1474 sppp_cp_change_state(cp, sp, STATE_OPENED); 1475 if (debug) 1476 log(LOG_DEBUG, "%s: %s tlu\n", 1477 ifp->if_xname, cp->name); 1478 (cp->tlu)(sp); 1479 break; 1480 default: 1481 printf("%s: %s illegal %s in state %s\n", 1482 ifp->if_xname, cp->name, 1483 sppp_cp_type_name(h->type), 1484 sppp_state_name(sp->state[cp->protoidx])); 1485 ++ifp->if_ierrors; 1486 } 1487 break; 1488 case CONF_NAK: 1489 case CONF_REJ: 1490 if (h->ident != sp->confid[cp->protoidx]) { 1491 if (debug) 1492 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1493 ifp->if_xname, cp->name, 1494 h->ident, sp->confid[cp->protoidx]); 1495 ++ifp->if_ierrors; 1496 break; 1497 } 1498 if (h->type == CONF_NAK) 1499 (cp->RCN_nak)(sp, h, len); 1500 else /* CONF_REJ */ 1501 (cp->RCN_rej)(sp, h, len); 1502 1503 switch (sp->state[cp->protoidx]) { 1504 case STATE_CLOSED: 1505 case STATE_STOPPED: 1506 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1507 break; 1508 case STATE_REQ_SENT: 1509 case STATE_ACK_SENT: 1510 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1511 (cp->scr)(sp); 1512 break; 1513 case STATE_OPENED: 1514 (cp->tld)(sp); 1515 /* fall through */ 1516 case STATE_ACK_RCVD: 1517 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 1518 (cp->scr)(sp); 1519 break; 1520 case STATE_CLOSING: 1521 case STATE_STOPPING: 1522 break; 1523 default: 1524 printf("%s: %s illegal %s in state %s\n", 1525 ifp->if_xname, cp->name, 1526 sppp_cp_type_name(h->type), 1527 sppp_state_name(sp->state[cp->protoidx])); 1528 ++ifp->if_ierrors; 1529 } 1530 break; 1531 1532 case TERM_REQ: 1533 switch (sp->state[cp->protoidx]) { 1534 case STATE_ACK_RCVD: 1535 case STATE_ACK_SENT: 1536 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1537 /* fall through */ 1538 case STATE_CLOSED: 1539 case STATE_STOPPED: 1540 case STATE_CLOSING: 1541 case STATE_STOPPING: 1542 case STATE_REQ_SENT: 1543 sta: 1544 /* Send Terminate-Ack packet. */ 1545 if (debug) 1546 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 1547 ifp->if_xname, cp->name); 1548 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1549 break; 1550 case STATE_OPENED: 1551 (cp->tld)(sp); 1552 sp->rst_counter[cp->protoidx] = 0; 1553 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1554 goto sta; 1555 default: 1556 printf("%s: %s illegal %s in state %s\n", 1557 ifp->if_xname, cp->name, 1558 sppp_cp_type_name(h->type), 1559 sppp_state_name(sp->state[cp->protoidx])); 1560 ++ifp->if_ierrors; 1561 } 1562 break; 1563 case TERM_ACK: 1564 switch (sp->state[cp->protoidx]) { 1565 case STATE_CLOSED: 1566 case STATE_STOPPED: 1567 case STATE_REQ_SENT: 1568 case STATE_ACK_SENT: 1569 break; 1570 case STATE_CLOSING: 1571 (cp->tlf)(sp); 1572 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1573 sppp_lcp_check_and_close(sp); 1574 break; 1575 case STATE_STOPPING: 1576 (cp->tlf)(sp); 1577 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1578 sppp_lcp_check_and_close(sp); 1579 break; 1580 case STATE_ACK_RCVD: 1581 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1582 break; 1583 case STATE_OPENED: 1584 (cp->tld)(sp); 1585 (cp->scr)(sp); 1586 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1587 break; 1588 default: 1589 printf("%s: %s illegal %s in state %s\n", 1590 ifp->if_xname, cp->name, 1591 sppp_cp_type_name(h->type), 1592 sppp_state_name(sp->state[cp->protoidx])); 1593 ++ifp->if_ierrors; 1594 } 1595 break; 1596 case CODE_REJ: 1597 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1598 log(LOG_INFO, 1599 "%s: %s: ignoring RXJ (%s) for code ?, " 1600 "danger will robinson\n", 1601 ifp->if_xname, cp->name, 1602 sppp_cp_type_name(h->type)); 1603 switch (sp->state[cp->protoidx]) { 1604 case STATE_CLOSED: 1605 case STATE_STOPPED: 1606 case STATE_REQ_SENT: 1607 case STATE_ACK_SENT: 1608 case STATE_CLOSING: 1609 case STATE_STOPPING: 1610 case STATE_OPENED: 1611 break; 1612 case STATE_ACK_RCVD: 1613 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1614 break; 1615 default: 1616 printf("%s: %s illegal %s in state %s\n", 1617 ifp->if_xname, cp->name, 1618 sppp_cp_type_name(h->type), 1619 sppp_state_name(sp->state[cp->protoidx])); 1620 ++ifp->if_ierrors; 1621 } 1622 break; 1623 case PROTO_REJ: 1624 { 1625 int catastrophic; 1626 const struct cp *upper; 1627 int i; 1628 uint16_t proto; 1629 1630 catastrophic = 0; 1631 upper = NULL; 1632 proto = p[0] << 8 | p[1]; 1633 for (i = 0; i < IDX_COUNT; i++) { 1634 if (cps[i]->proto == proto) { 1635 upper = cps[i]; 1636 break; 1637 } 1638 } 1639 if (upper == NULL) 1640 catastrophic++; 1641 1642 if (debug) 1643 log(LOG_INFO, 1644 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1645 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1646 sppp_cp_type_name(h->type), proto, 1647 upper ? upper->name : "unknown", 1648 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1649 1650 /* 1651 * if we got RXJ+ against conf-req, the peer does not implement 1652 * this particular protocol type. terminate the protocol. 1653 */ 1654 if (upper && !catastrophic) { 1655 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1656 upper->Close(sp); 1657 break; 1658 } 1659 } 1660 1661 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1662 switch (sp->state[cp->protoidx]) { 1663 case STATE_CLOSED: 1664 case STATE_STOPPED: 1665 case STATE_REQ_SENT: 1666 case STATE_ACK_SENT: 1667 case STATE_CLOSING: 1668 case STATE_STOPPING: 1669 case STATE_OPENED: 1670 break; 1671 case STATE_ACK_RCVD: 1672 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1673 break; 1674 default: 1675 printf("%s: %s illegal %s in state %s\n", 1676 ifp->if_xname, cp->name, 1677 sppp_cp_type_name(h->type), 1678 sppp_state_name(sp->state[cp->protoidx])); 1679 ++ifp->if_ierrors; 1680 } 1681 break; 1682 } 1683 case DISC_REQ: 1684 if (cp->proto != PPP_LCP) 1685 goto illegal; 1686 /* Discard the packet. */ 1687 break; 1688 case ECHO_REQ: 1689 if (cp->proto != PPP_LCP) 1690 goto illegal; 1691 if (sp->state[cp->protoidx] != STATE_OPENED) { 1692 if (debug) 1693 addlog("%s: lcp echo req but lcp closed\n", 1694 ifp->if_xname); 1695 ++ifp->if_ierrors; 1696 break; 1697 } 1698 if (len < 8) { 1699 if (debug) 1700 addlog("%s: invalid lcp echo request " 1701 "packet length: %d bytes\n", 1702 ifp->if_xname, len); 1703 break; 1704 } 1705 memcpy(&u32, h + 1, sizeof u32); 1706 if (ntohl(u32) == sp->lcp.magic) { 1707 /* Line loopback mode detected. */ 1708 printf("%s: loopback\n", ifp->if_xname); 1709 if_down(ifp); 1710 IF_PURGE(&sp->pp_cpq); 1711 1712 /* Shut down the PPP link. */ 1713 /* XXX */ 1714 lcp.Down(sp); 1715 lcp.Up(sp); 1716 break; 1717 } 1718 u32 = htonl(sp->lcp.magic); 1719 memcpy(h + 1, &u32, sizeof u32); 1720 if (debug) 1721 addlog("%s: got lcp echo req, sending echo rep\n", 1722 ifp->if_xname); 1723 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1724 h + 1); 1725 break; 1726 case ECHO_REPLY: 1727 if (cp->proto != PPP_LCP) 1728 goto illegal; 1729 if (h->ident != sp->lcp.echoid) { 1730 ++ifp->if_ierrors; 1731 break; 1732 } 1733 if (len < 8) { 1734 if (debug) 1735 addlog("%s: lcp invalid echo reply " 1736 "packet length: %d bytes\n", 1737 ifp->if_xname, len); 1738 break; 1739 } 1740 if (debug) 1741 addlog("%s: lcp got echo rep\n", 1742 ifp->if_xname); 1743 memcpy(&u32, h + 1, sizeof u32); 1744 if (ntohl(u32) != sp->lcp.magic) 1745 sp->pp_alivecnt = 0; 1746 break; 1747 default: 1748 /* Unknown packet type -- send Code-Reject packet. */ 1749 illegal: 1750 if (debug) 1751 addlog("%s: %s send code-rej for 0x%x\n", 1752 ifp->if_xname, cp->name, h->type); 1753 sppp_cp_send(sp, cp->proto, CODE_REJ, 1754 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1755 ++ifp->if_ierrors; 1756 } 1757 } 1758 1759 1760 /* 1761 * The generic part of all Up/Down/Open/Close/TO event handlers. 1762 * Basically, the state transition handling in the automaton. 1763 */ 1764 static void 1765 sppp_up_event(const struct cp *cp, struct sppp *sp) 1766 { 1767 STDDCL; 1768 1769 if (debug) 1770 log(LOG_DEBUG, "%s: %s up(%s)\n", 1771 ifp->if_xname, cp->name, 1772 sppp_state_name(sp->state[cp->protoidx])); 1773 1774 switch (sp->state[cp->protoidx]) { 1775 case STATE_INITIAL: 1776 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1777 break; 1778 case STATE_STARTING: 1779 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1780 (cp->scr)(sp); 1781 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1782 break; 1783 default: 1784 printf("%s: %s illegal up in state %s\n", 1785 ifp->if_xname, cp->name, 1786 sppp_state_name(sp->state[cp->protoidx])); 1787 } 1788 } 1789 1790 static void 1791 sppp_down_event(const struct cp *cp, struct sppp *sp) 1792 { 1793 STDDCL; 1794 1795 if (debug) 1796 log(LOG_DEBUG, "%s: %s down(%s)\n", 1797 ifp->if_xname, cp->name, 1798 sppp_state_name(sp->state[cp->protoidx])); 1799 1800 switch (sp->state[cp->protoidx]) { 1801 case STATE_CLOSED: 1802 case STATE_CLOSING: 1803 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1804 break; 1805 case STATE_STOPPED: 1806 (cp->tls)(sp); 1807 /* fall through */ 1808 case STATE_STOPPING: 1809 case STATE_REQ_SENT: 1810 case STATE_ACK_RCVD: 1811 case STATE_ACK_SENT: 1812 sppp_cp_change_state(cp, sp, STATE_STARTING); 1813 break; 1814 case STATE_OPENED: 1815 (cp->tld)(sp); 1816 sppp_cp_change_state(cp, sp, STATE_STARTING); 1817 break; 1818 default: 1819 printf("%s: %s illegal down in state %s\n", 1820 ifp->if_xname, cp->name, 1821 sppp_state_name(sp->state[cp->protoidx])); 1822 } 1823 } 1824 1825 1826 static void 1827 sppp_open_event(const struct cp *cp, struct sppp *sp) 1828 { 1829 STDDCL; 1830 1831 if (debug) 1832 log(LOG_DEBUG, "%s: %s open(%s)\n", 1833 ifp->if_xname, cp->name, 1834 sppp_state_name(sp->state[cp->protoidx])); 1835 1836 switch (sp->state[cp->protoidx]) { 1837 case STATE_INITIAL: 1838 sppp_cp_change_state(cp, sp, STATE_STARTING); 1839 (cp->tls)(sp); 1840 break; 1841 case STATE_STARTING: 1842 break; 1843 case STATE_CLOSED: 1844 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1845 (cp->scr)(sp); 1846 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1847 break; 1848 case STATE_STOPPED: 1849 case STATE_STOPPING: 1850 case STATE_REQ_SENT: 1851 case STATE_ACK_RCVD: 1852 case STATE_ACK_SENT: 1853 case STATE_OPENED: 1854 break; 1855 case STATE_CLOSING: 1856 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1857 break; 1858 } 1859 } 1860 1861 1862 static void 1863 sppp_close_event(const struct cp *cp, struct sppp *sp) 1864 { 1865 STDDCL; 1866 1867 if (debug) 1868 log(LOG_DEBUG, "%s: %s close(%s)\n", 1869 ifp->if_xname, cp->name, 1870 sppp_state_name(sp->state[cp->protoidx])); 1871 1872 switch (sp->state[cp->protoidx]) { 1873 case STATE_INITIAL: 1874 case STATE_CLOSED: 1875 case STATE_CLOSING: 1876 break; 1877 case STATE_STARTING: 1878 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1879 (cp->tlf)(sp); 1880 break; 1881 case STATE_STOPPED: 1882 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1883 break; 1884 case STATE_STOPPING: 1885 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1886 break; 1887 case STATE_OPENED: 1888 (cp->tld)(sp); 1889 /* fall through */ 1890 case STATE_REQ_SENT: 1891 case STATE_ACK_RCVD: 1892 case STATE_ACK_SENT: 1893 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 1894 sppp_cp_send(sp, cp->proto, TERM_REQ, 1895 ++sp->pp_seq[cp->protoidx], 0, 0); 1896 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1897 break; 1898 } 1899 } 1900 1901 static void 1902 sppp_to_event(const struct cp *cp, struct sppp *sp) 1903 { 1904 STDDCL; 1905 int s; 1906 1907 s = splnet(); 1908 if (debug) 1909 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 1910 ifp->if_xname, cp->name, 1911 sppp_state_name(sp->state[cp->protoidx]), 1912 sp->rst_counter[cp->protoidx]); 1913 1914 if (--sp->rst_counter[cp->protoidx] < 0) 1915 /* TO- event */ 1916 switch (sp->state[cp->protoidx]) { 1917 case STATE_CLOSING: 1918 (cp->tlf)(sp); 1919 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1920 sppp_lcp_check_and_close(sp); 1921 break; 1922 case STATE_STOPPING: 1923 (cp->tlf)(sp); 1924 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1925 sppp_lcp_check_and_close(sp); 1926 break; 1927 case STATE_REQ_SENT: 1928 case STATE_ACK_RCVD: 1929 case STATE_ACK_SENT: 1930 (cp->tlf)(sp); 1931 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1932 sppp_lcp_check_and_close(sp); 1933 break; 1934 } 1935 else 1936 /* TO+ event */ 1937 switch (sp->state[cp->protoidx]) { 1938 case STATE_CLOSING: 1939 case STATE_STOPPING: 1940 sppp_cp_send(sp, cp->proto, TERM_REQ, 1941 ++sp->pp_seq[cp->protoidx], 0, 0); 1942 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1943 cp->TO, sp); 1944 break; 1945 case STATE_REQ_SENT: 1946 case STATE_ACK_RCVD: 1947 (cp->scr)(sp); 1948 /* sppp_cp_change_state() will restart the timer */ 1949 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1950 break; 1951 case STATE_ACK_SENT: 1952 (cp->scr)(sp); 1953 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1954 cp->TO, sp); 1955 break; 1956 } 1957 1958 splx(s); 1959 } 1960 1961 /* 1962 * Change the state of a control protocol in the state automaton. 1963 * Takes care of starting/stopping the restart timer. 1964 */ 1965 void 1966 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 1967 { 1968 sp->state[cp->protoidx] = newstate; 1969 callout_stop(&sp->ch[cp->protoidx]); 1970 switch (newstate) { 1971 case STATE_INITIAL: 1972 case STATE_STARTING: 1973 case STATE_CLOSED: 1974 case STATE_STOPPED: 1975 case STATE_OPENED: 1976 break; 1977 case STATE_CLOSING: 1978 case STATE_STOPPING: 1979 case STATE_REQ_SENT: 1980 case STATE_ACK_RCVD: 1981 case STATE_ACK_SENT: 1982 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1983 cp->TO, sp); 1984 break; 1985 } 1986 } 1987 1988 /* 1989 *--------------------------------------------------------------------------* 1990 * * 1991 * The LCP implementation. * 1992 * * 1993 *--------------------------------------------------------------------------* 1994 */ 1995 static void 1996 sppp_lcp_init(struct sppp *sp) 1997 { 1998 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 1999 sp->lcp.magic = 0; 2000 sp->state[IDX_LCP] = STATE_INITIAL; 2001 sp->fail_counter[IDX_LCP] = 0; 2002 sp->pp_seq[IDX_LCP] = 0; 2003 sp->pp_rseq[IDX_LCP] = 0; 2004 sp->lcp.protos = 0; 2005 if (sp->pp_if.if_mtu < PP_MTU) { 2006 sp->lcp.mru = sp->pp_if.if_mtu; 2007 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2008 } else 2009 sp->lcp.mru = PP_MTU; 2010 sp->lcp.their_mru = PP_MTU; 2011 2012 /* 2013 * Initialize counters and timeout values. Note that we don't 2014 * use the 3 seconds suggested in RFC 1661 since we are likely 2015 * running on a fast link. XXX We should probably implement 2016 * the exponential backoff option. Note that these values are 2017 * relevant for all control protocols, not just LCP only. 2018 */ 2019 sp->lcp.timeout = 1 * hz; 2020 sp->lcp.max_terminate = 2; 2021 sp->lcp.max_configure = 10; 2022 sp->lcp.max_failure = 10; 2023 callout_init(&sp->ch[IDX_LCP], 0); 2024 } 2025 2026 static void 2027 sppp_lcp_up(struct sppp *sp) 2028 { 2029 STDDCL; 2030 2031 /* Initialize activity timestamp: opening a connection is an activity */ 2032 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 2033 2034 /* 2035 * If this interface is passive or dial-on-demand, and we are 2036 * still in Initial state, it means we've got an incoming 2037 * call. Activate the interface. 2038 */ 2039 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2040 if (debug) 2041 log(LOG_DEBUG, 2042 "%s: Up event", ifp->if_xname); 2043 ifp->if_flags |= IFF_RUNNING; 2044 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2045 if (debug) 2046 addlog("(incoming call)\n"); 2047 sp->pp_flags |= PP_CALLIN; 2048 lcp.Open(sp); 2049 } else if (debug) 2050 addlog("\n"); 2051 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2052 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2053 ifp->if_flags |= IFF_RUNNING; 2054 lcp.Open(sp); 2055 } 2056 2057 sppp_up_event(&lcp, sp); 2058 } 2059 2060 static void 2061 sppp_lcp_down(struct sppp *sp) 2062 { 2063 STDDCL; 2064 2065 sppp_down_event(&lcp, sp); 2066 2067 /* 2068 * If this is neither a dial-on-demand nor a passive 2069 * interface, simulate an ``ifconfig down'' action, so the 2070 * administrator can force a redial by another ``ifconfig 2071 * up''. XXX For leased line operation, should we immediately 2072 * try to reopen the connection here? 2073 */ 2074 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2075 if (debug) 2076 log(LOG_INFO, 2077 "%s: Down event (carrier loss), taking interface down.\n", 2078 ifp->if_xname); 2079 if_down(ifp); 2080 } else { 2081 if (debug) 2082 log(LOG_DEBUG, 2083 "%s: Down event (carrier loss)\n", 2084 ifp->if_xname); 2085 } 2086 sp->pp_flags &= ~PP_CALLIN; 2087 if (sp->state[IDX_LCP] != STATE_INITIAL) 2088 lcp.Close(sp); 2089 ifp->if_flags &= ~IFF_RUNNING; 2090 } 2091 2092 static void 2093 sppp_lcp_open(struct sppp *sp) 2094 { 2095 /* 2096 * If we are authenticator, negotiate LCP_AUTH 2097 */ 2098 if (sp->hisauth.proto != 0) 2099 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2100 else 2101 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2102 sp->pp_flags &= ~PP_NEEDAUTH; 2103 sppp_open_event(&lcp, sp); 2104 } 2105 2106 static void 2107 sppp_lcp_close(struct sppp *sp) 2108 { 2109 sppp_close_event(&lcp, sp); 2110 } 2111 2112 static void 2113 sppp_lcp_TO(void *cookie) 2114 { 2115 sppp_to_event(&lcp, (struct sppp *)cookie); 2116 } 2117 2118 /* 2119 * Analyze a configure request. Return true if it was agreeable, and 2120 * caused action sca, false if it has been rejected or nak'ed, and 2121 * caused action scn. (The return value is used to make the state 2122 * transition decision in the state automaton.) 2123 */ 2124 static int 2125 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2126 { 2127 STDDCL; 2128 u_char *buf, *r, *p; 2129 int origlen, rlen; 2130 uint32_t nmagic; 2131 u_short authproto; 2132 2133 len -= 4; 2134 origlen = len; 2135 buf = r = malloc (len, M_TEMP, M_NOWAIT); 2136 if (! buf) 2137 return (0); 2138 2139 if (debug) 2140 log(LOG_DEBUG, "%s: lcp parse opts:", 2141 ifp->if_xname); 2142 2143 /* pass 1: check for things that need to be rejected */ 2144 p = (void *)(h + 1); 2145 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2146 /* Sanity check option length */ 2147 if (p[1] > len) { 2148 /* 2149 * Malicious option - drop immediately. 2150 * XXX Maybe we should just RXJ it? 2151 */ 2152 addlog("%s: received malicious LCP option 0x%02x, " 2153 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2154 p[0], p[1], len); 2155 goto drop; 2156 } 2157 if (debug) 2158 addlog(" %s", sppp_lcp_opt_name(*p)); 2159 switch (*p) { 2160 case LCP_OPT_MAGIC: 2161 /* Magic number. */ 2162 /* fall through, both are same length */ 2163 case LCP_OPT_ASYNC_MAP: 2164 /* Async control character map. */ 2165 if (len >= 6 || p[1] == 6) 2166 continue; 2167 if (debug) 2168 addlog(" [invalid]"); 2169 break; 2170 case LCP_OPT_MRU: 2171 /* Maximum receive unit. */ 2172 if (len >= 4 && p[1] == 4) 2173 continue; 2174 if (debug) 2175 addlog(" [invalid]"); 2176 break; 2177 case LCP_OPT_AUTH_PROTO: 2178 if (len < 4) { 2179 if (debug) 2180 addlog(" [invalid]"); 2181 break; 2182 } 2183 authproto = (p[2] << 8) + p[3]; 2184 if (authproto == PPP_CHAP && p[1] != 5) { 2185 if (debug) 2186 addlog(" [invalid chap len]"); 2187 break; 2188 } 2189 if (sp->myauth.proto == 0) { 2190 /* we are not configured to do auth */ 2191 if (debug) 2192 addlog(" [not configured]"); 2193 break; 2194 } 2195 /* 2196 * Remote want us to authenticate, remember this, 2197 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2198 * up. 2199 */ 2200 sp->pp_flags |= PP_NEEDAUTH; 2201 continue; 2202 default: 2203 /* Others not supported. */ 2204 if (debug) 2205 addlog(" [rej]"); 2206 break; 2207 } 2208 /* Add the option to rejected list. */ 2209 bcopy (p, r, p[1]); 2210 r += p[1]; 2211 rlen += p[1]; 2212 } 2213 if (rlen) { 2214 if (debug) 2215 addlog(" send conf-rej\n"); 2216 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2217 goto end; 2218 } else if (debug) 2219 addlog("\n"); 2220 2221 /* 2222 * pass 2: check for option values that are unacceptable and 2223 * thus require to be nak'ed. 2224 */ 2225 if (debug) 2226 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2227 ifp->if_xname); 2228 2229 p = (void *)(h + 1); 2230 len = origlen; 2231 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2232 if (debug) 2233 addlog(" %s", sppp_lcp_opt_name(*p)); 2234 switch (*p) { 2235 case LCP_OPT_MAGIC: 2236 /* Magic number -- extract. */ 2237 nmagic = (uint32_t)p[2] << 24 | 2238 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2239 if (nmagic != sp->lcp.magic) { 2240 if (debug) 2241 addlog(" 0x%x", nmagic); 2242 continue; 2243 } 2244 /* 2245 * Local and remote magics equal -- loopback? 2246 */ 2247 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2248 printf ("%s: loopback\n", 2249 ifp->if_xname); 2250 sp->pp_loopcnt = 0; 2251 if (ifp->if_flags & IFF_UP) { 2252 if_down(ifp); 2253 IF_PURGE(&sp->pp_cpq); 2254 /* XXX ? */ 2255 lcp.Down(sp); 2256 lcp.Up(sp); 2257 } 2258 } else if (debug) 2259 addlog(" [glitch]"); 2260 ++sp->pp_loopcnt; 2261 /* 2262 * We negate our magic here, and NAK it. If 2263 * we see it later in an NAK packet, we 2264 * suggest a new one. 2265 */ 2266 nmagic = ~sp->lcp.magic; 2267 /* Gonna NAK it. */ 2268 p[2] = nmagic >> 24; 2269 p[3] = nmagic >> 16; 2270 p[4] = nmagic >> 8; 2271 p[5] = nmagic; 2272 break; 2273 2274 case LCP_OPT_ASYNC_MAP: 2275 /* 2276 * Async control character map -- just ignore it. 2277 * 2278 * Quote from RFC 1662, chapter 6: 2279 * To enable this functionality, synchronous PPP 2280 * implementations MUST always respond to the 2281 * Async-Control-Character-Map Configuration 2282 * Option with the LCP Configure-Ack. However, 2283 * acceptance of the Configuration Option does 2284 * not imply that the synchronous implementation 2285 * will do any ACCM mapping. Instead, all such 2286 * octet mapping will be performed by the 2287 * asynchronous-to-synchronous converter. 2288 */ 2289 continue; 2290 2291 case LCP_OPT_MRU: 2292 /* 2293 * Maximum receive unit. Always agreeable, 2294 * but ignored by now. 2295 */ 2296 sp->lcp.their_mru = p[2] * 256 + p[3]; 2297 if (debug) 2298 addlog(" %ld", sp->lcp.their_mru); 2299 continue; 2300 2301 case LCP_OPT_AUTH_PROTO: 2302 authproto = (p[2] << 8) + p[3]; 2303 if (sp->myauth.proto != authproto) { 2304 /* not agreed, nak */ 2305 if (debug) 2306 addlog(" [mine %s != his %s]", 2307 sppp_proto_name(sp->myauth.proto), 2308 sppp_proto_name(authproto)); 2309 p[2] = sp->myauth.proto >> 8; 2310 p[3] = sp->myauth.proto; 2311 break; 2312 } 2313 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2314 if (debug) 2315 addlog(" [chap not MD5]"); 2316 p[4] = CHAP_MD5; 2317 break; 2318 } 2319 continue; 2320 } 2321 /* Add the option to nak'ed list. */ 2322 bcopy (p, r, p[1]); 2323 r += p[1]; 2324 rlen += p[1]; 2325 } 2326 if (rlen) { 2327 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2328 if (debug) 2329 addlog(" max_failure (%d) exceeded, " 2330 "send conf-rej\n", 2331 sp->lcp.max_failure); 2332 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2333 } else { 2334 if (debug) 2335 addlog(" send conf-nak\n"); 2336 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2337 } 2338 goto end; 2339 } else { 2340 if (debug) 2341 addlog(" send conf-ack\n"); 2342 sp->fail_counter[IDX_LCP] = 0; 2343 sp->pp_loopcnt = 0; 2344 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1); 2345 } 2346 2347 end: 2348 free(buf, M_TEMP); 2349 return (rlen == 0); 2350 2351 drop: 2352 free(buf, M_TEMP); 2353 return -1; 2354 } 2355 2356 /* 2357 * Analyze the LCP Configure-Reject option list, and adjust our 2358 * negotiation. 2359 */ 2360 static void 2361 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2362 { 2363 STDDCL; 2364 u_char *buf, *p; 2365 2366 len -= 4; 2367 buf = malloc (len, M_TEMP, M_NOWAIT); 2368 if (!buf) 2369 return; 2370 2371 if (debug) 2372 log(LOG_DEBUG, "%s: lcp rej opts:", 2373 ifp->if_xname); 2374 2375 p = (void *)(h + 1); 2376 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2377 /* Sanity check option length */ 2378 if (p[1] > len) { 2379 /* 2380 * Malicious option - drop immediately. 2381 * XXX Maybe we should just RXJ it? 2382 */ 2383 addlog("%s: received malicious LCP option, " 2384 "dropping.\n", ifp->if_xname); 2385 goto drop; 2386 } 2387 if (debug) 2388 addlog(" %s", sppp_lcp_opt_name(*p)); 2389 switch (*p) { 2390 case LCP_OPT_MAGIC: 2391 /* Magic number -- can't use it, use 0 */ 2392 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2393 sp->lcp.magic = 0; 2394 break; 2395 case LCP_OPT_MRU: 2396 /* 2397 * We try to negotiate a lower MRU if the underlying 2398 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 2399 * peer rejects this lower rate, fallback to the 2400 * default. 2401 */ 2402 if (debug) { 2403 addlog("%s: warning: peer rejected our MRU of " 2404 "%ld bytes. Defaulting to %d bytes\n", 2405 ifp->if_xname, sp->lcp.mru, PP_MTU); 2406 } 2407 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2408 sp->lcp.mru = PP_MTU; 2409 break; 2410 case LCP_OPT_AUTH_PROTO: 2411 /* 2412 * Peer doesn't want to authenticate himself, 2413 * deny unless this is a dialout call, and 2414 * SPPP_AUTHFLAG_NOCALLOUT is set. 2415 */ 2416 if ((sp->pp_flags & PP_CALLIN) == 0 && 2417 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 2418 if (debug) 2419 addlog(" [don't insist on auth " 2420 "for callout]"); 2421 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2422 break; 2423 } 2424 if (debug) 2425 addlog("[access denied]\n"); 2426 lcp.Close(sp); 2427 break; 2428 } 2429 } 2430 if (debug) 2431 addlog("\n"); 2432 drop: 2433 free(buf, M_TEMP); 2434 return; 2435 } 2436 2437 /* 2438 * Analyze the LCP Configure-NAK option list, and adjust our 2439 * negotiation. 2440 */ 2441 static void 2442 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2443 { 2444 STDDCL; 2445 u_char *buf, *p; 2446 uint32_t magic; 2447 2448 len -= 4; 2449 buf = malloc (len, M_TEMP, M_NOWAIT); 2450 if (!buf) 2451 return; 2452 2453 if (debug) 2454 log(LOG_DEBUG, "%s: lcp nak opts:", 2455 ifp->if_xname); 2456 2457 p = (void *)(h + 1); 2458 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2459 /* Sanity check option length */ 2460 if (p[1] > len) { 2461 /* 2462 * Malicious option - drop immediately. 2463 * XXX Maybe we should just RXJ it? 2464 */ 2465 addlog("%s: received malicious LCP option, " 2466 "dropping.\n", ifp->if_xname); 2467 goto drop; 2468 } 2469 if (debug) 2470 addlog(" %s", sppp_lcp_opt_name(*p)); 2471 switch (*p) { 2472 case LCP_OPT_MAGIC: 2473 /* Magic number -- renegotiate */ 2474 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2475 len >= 6 && p[1] == 6) { 2476 magic = (uint32_t)p[2] << 24 | 2477 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2478 /* 2479 * If the remote magic is our negated one, 2480 * this looks like a loopback problem. 2481 * Suggest a new magic to make sure. 2482 */ 2483 if (magic == ~sp->lcp.magic) { 2484 if (debug) 2485 addlog(" magic glitch"); 2486 sp->lcp.magic = arc4random(); 2487 } else { 2488 sp->lcp.magic = magic; 2489 if (debug) 2490 addlog(" %d", magic); 2491 } 2492 } 2493 break; 2494 case LCP_OPT_MRU: 2495 /* 2496 * Peer wants to advise us to negotiate an MRU. 2497 * Agree on it if it's reasonable, or use 2498 * default otherwise. 2499 */ 2500 if (len >= 4 && p[1] == 4) { 2501 u_int mru = p[2] * 256 + p[3]; 2502 if (debug) 2503 addlog(" %d", mru); 2504 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 2505 mru = sp->pp_if.if_mtu; 2506 sp->lcp.mru = mru; 2507 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2508 } 2509 break; 2510 case LCP_OPT_AUTH_PROTO: 2511 /* 2512 * Peer doesn't like our authentication method, 2513 * deny. 2514 */ 2515 if (debug) 2516 addlog("[access denied]\n"); 2517 lcp.Close(sp); 2518 break; 2519 } 2520 } 2521 if (debug) 2522 addlog("\n"); 2523 drop: 2524 free(buf, M_TEMP); 2525 return; 2526 } 2527 2528 static void 2529 sppp_lcp_tlu(struct sppp *sp) 2530 { 2531 STDDCL; 2532 int i; 2533 uint32_t mask; 2534 2535 /* XXX ? */ 2536 if (! (ifp->if_flags & IFF_UP) && 2537 (ifp->if_flags & IFF_RUNNING)) { 2538 /* Coming out of loopback mode. */ 2539 if_up(ifp); 2540 } 2541 2542 for (i = 0; i < IDX_COUNT; i++) 2543 if ((cps[i])->flags & CP_QUAL) 2544 (cps[i])->Open(sp); 2545 2546 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2547 (sp->pp_flags & PP_NEEDAUTH) != 0) 2548 sp->pp_phase = SPPP_PHASE_AUTHENTICATE; 2549 else 2550 sp->pp_phase = SPPP_PHASE_NETWORK; 2551 2552 if (debug) 2553 { 2554 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2555 sppp_phase_name(sp->pp_phase)); 2556 } 2557 2558 /* 2559 * Open all authentication protocols. This is even required 2560 * if we already proceeded to network phase, since it might be 2561 * that remote wants us to authenticate, so we might have to 2562 * send a PAP request. Undesired authentication protocols 2563 * don't do anything when they get an Open event. 2564 */ 2565 for (i = 0; i < IDX_COUNT; i++) 2566 if ((cps[i])->flags & CP_AUTH) 2567 (cps[i])->Open(sp); 2568 2569 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 2570 /* Notify all NCPs. */ 2571 for (i = 0; i < IDX_COUNT; i++) 2572 if ((cps[i])->flags & CP_NCP) 2573 (cps[i])->Open(sp); 2574 } 2575 2576 /* Send Up events to all started protos. */ 2577 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2578 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) 2579 (cps[i])->Up(sp); 2580 2581 /* notify low-level driver of state change */ 2582 if (sp->pp_chg) 2583 sp->pp_chg(sp, (int)sp->pp_phase); 2584 2585 if (sp->pp_phase == SPPP_PHASE_NETWORK) 2586 /* if no NCP is starting, close down */ 2587 sppp_lcp_check_and_close(sp); 2588 } 2589 2590 static void 2591 sppp_lcp_tld(struct sppp *sp) 2592 { 2593 STDDCL; 2594 int i; 2595 uint32_t mask; 2596 2597 sp->pp_phase = SPPP_PHASE_TERMINATE; 2598 2599 if (debug) 2600 { 2601 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2602 sppp_phase_name(sp->pp_phase)); 2603 } 2604 2605 /* 2606 * Take upper layers down. We send the Down event first and 2607 * the Close second to prevent the upper layers from sending 2608 * ``a flurry of terminate-request packets'', as the RFC 2609 * describes it. 2610 */ 2611 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2612 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2613 (cps[i])->Down(sp); 2614 (cps[i])->Close(sp); 2615 } 2616 } 2617 2618 static void 2619 sppp_lcp_tls(struct sppp *sp) 2620 { 2621 STDDCL; 2622 2623 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 2624 printf("%s: authentication failed %d times, not retrying again\n", 2625 sp->pp_if.if_xname, sp->pp_auth_failures); 2626 if_down(&sp->pp_if); 2627 return; 2628 } 2629 2630 sp->pp_phase = SPPP_PHASE_ESTABLISH; 2631 2632 if (debug) 2633 { 2634 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2635 sppp_phase_name(sp->pp_phase)); 2636 } 2637 2638 /* Notify lower layer if desired. */ 2639 if (sp->pp_tls) 2640 (sp->pp_tls)(sp); 2641 } 2642 2643 static void 2644 sppp_lcp_tlf(struct sppp *sp) 2645 { 2646 STDDCL; 2647 2648 sp->pp_phase = SPPP_PHASE_DEAD; 2649 2650 if (debug) 2651 { 2652 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2653 sppp_phase_name(sp->pp_phase)); 2654 } 2655 2656 /* Notify lower layer if desired. */ 2657 if (sp->pp_tlf) 2658 (sp->pp_tlf)(sp); 2659 } 2660 2661 static void 2662 sppp_lcp_scr(struct sppp *sp) 2663 { 2664 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2665 int i = 0; 2666 u_short authproto; 2667 2668 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2669 if (! sp->lcp.magic) 2670 sp->lcp.magic = arc4random(); 2671 opt[i++] = LCP_OPT_MAGIC; 2672 opt[i++] = 6; 2673 opt[i++] = sp->lcp.magic >> 24; 2674 opt[i++] = sp->lcp.magic >> 16; 2675 opt[i++] = sp->lcp.magic >> 8; 2676 opt[i++] = sp->lcp.magic; 2677 } 2678 2679 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2680 opt[i++] = LCP_OPT_MRU; 2681 opt[i++] = 4; 2682 opt[i++] = sp->lcp.mru >> 8; 2683 opt[i++] = sp->lcp.mru; 2684 } 2685 2686 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2687 authproto = sp->hisauth.proto; 2688 opt[i++] = LCP_OPT_AUTH_PROTO; 2689 opt[i++] = authproto == PPP_CHAP? 5: 4; 2690 opt[i++] = authproto >> 8; 2691 opt[i++] = authproto; 2692 if (authproto == PPP_CHAP) 2693 opt[i++] = CHAP_MD5; 2694 } 2695 2696 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2697 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2698 } 2699 2700 /* 2701 * Check the open NCPs, return true if at least one NCP is open. 2702 */ 2703 static int 2704 sppp_ncp_check(struct sppp *sp) 2705 { 2706 int i, mask; 2707 2708 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2709 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2710 return 1; 2711 return 0; 2712 } 2713 2714 /* 2715 * Re-check the open NCPs and see if we should terminate the link. 2716 * Called by the NCPs during their tlf action handling. 2717 */ 2718 static void 2719 sppp_lcp_check_and_close(struct sppp *sp) 2720 { 2721 2722 if (sp->pp_phase < SPPP_PHASE_NETWORK) 2723 /* don't bother, we are already going down */ 2724 return; 2725 2726 if (sppp_ncp_check(sp)) 2727 return; 2728 2729 lcp.Close(sp); 2730 } 2731 2732 2733 /* 2734 *--------------------------------------------------------------------------* 2735 * * 2736 * The IPCP implementation. * 2737 * * 2738 *--------------------------------------------------------------------------* 2739 */ 2740 2741 static void 2742 sppp_ipcp_init(struct sppp *sp) 2743 { 2744 sp->ipcp.opts = 0; 2745 sp->ipcp.flags = 0; 2746 sp->state[IDX_IPCP] = STATE_INITIAL; 2747 sp->fail_counter[IDX_IPCP] = 0; 2748 sp->pp_seq[IDX_IPCP] = 0; 2749 sp->pp_rseq[IDX_IPCP] = 0; 2750 callout_init(&sp->ch[IDX_IPCP], 0); 2751 } 2752 2753 static void 2754 sppp_ipcp_up(struct sppp *sp) 2755 { 2756 sppp_up_event(&ipcp, sp); 2757 } 2758 2759 static void 2760 sppp_ipcp_down(struct sppp *sp) 2761 { 2762 sppp_down_event(&ipcp, sp); 2763 } 2764 2765 static void 2766 sppp_ipcp_open(struct sppp *sp) 2767 { 2768 STDDCL; 2769 uint32_t myaddr, hisaddr; 2770 2771 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 2772 sp->ipcp.req_myaddr = 0; 2773 sp->ipcp.req_hisaddr = 0; 2774 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 2775 2776 #ifdef INET 2777 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 2778 #else 2779 myaddr = hisaddr = 0; 2780 #endif 2781 /* 2782 * If we don't have his address, this probably means our 2783 * interface doesn't want to talk IP at all. (This could 2784 * be the case if somebody wants to speak only IPX, for 2785 * example.) Don't open IPCP in this case. 2786 */ 2787 if (hisaddr == 0) { 2788 /* XXX this message should go away */ 2789 if (debug) 2790 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 2791 ifp->if_xname); 2792 return; 2793 } 2794 2795 if (myaddr == 0) { 2796 /* 2797 * I don't have an assigned address, so i need to 2798 * negotiate my address. 2799 */ 2800 sp->ipcp.flags |= IPCP_MYADDR_DYN; 2801 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 2802 } 2803 if (hisaddr == 1) { 2804 /* 2805 * XXX - remove this hack! 2806 * remote has no valid address, we need to get one assigned. 2807 */ 2808 sp->ipcp.flags |= IPCP_HISADDR_DYN; 2809 } 2810 sppp_open_event(&ipcp, sp); 2811 } 2812 2813 static void 2814 sppp_ipcp_close(struct sppp *sp) 2815 { 2816 STDDCL; 2817 2818 sppp_close_event(&ipcp, sp); 2819 #ifdef INET 2820 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) 2821 /* 2822 * Some address was dynamic, clear it again. 2823 */ 2824 sppp_clear_ip_addrs(sp); 2825 #endif 2826 2827 if (sp->pp_saved_mtu > 0) { 2828 ifp->if_mtu = sp->pp_saved_mtu; 2829 sp->pp_saved_mtu = 0; 2830 if (debug) 2831 log(LOG_DEBUG, 2832 "%s: resetting MTU to %" PRIu64 " bytes\n", 2833 ifp->if_xname, ifp->if_mtu); 2834 } 2835 } 2836 2837 static void 2838 sppp_ipcp_TO(void *cookie) 2839 { 2840 sppp_to_event(&ipcp, (struct sppp *)cookie); 2841 } 2842 2843 /* 2844 * Analyze a configure request. Return true if it was agreeable, and 2845 * caused action sca, false if it has been rejected or nak'ed, and 2846 * caused action scn. (The return value is used to make the state 2847 * transition decision in the state automaton.) 2848 */ 2849 static int 2850 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2851 { 2852 u_char *buf, *r, *p; 2853 struct ifnet *ifp = &sp->pp_if; 2854 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 2855 uint32_t hisaddr, desiredaddr; 2856 2857 len -= 4; 2858 origlen = len; 2859 /* 2860 * Make sure to allocate a buf that can at least hold a 2861 * conf-nak with an `address' option. We might need it below. 2862 */ 2863 buf = r = malloc ((len < 6? 6: len), M_TEMP, M_NOWAIT); 2864 if (! buf) 2865 return (0); 2866 2867 /* pass 1: see if we can recognize them */ 2868 if (debug) 2869 log(LOG_DEBUG, "%s: ipcp parse opts:", 2870 ifp->if_xname); 2871 p = (void *)(h + 1); 2872 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2873 /* Sanity check option length */ 2874 if (p[1] > len) { 2875 /* XXX should we just RXJ? */ 2876 addlog("%s: malicious IPCP option received, dropping\n", 2877 ifp->if_xname); 2878 goto drop; 2879 } 2880 if (debug) 2881 addlog(" %s", sppp_ipcp_opt_name(*p)); 2882 switch (*p) { 2883 #ifdef notyet 2884 case IPCP_OPT_COMPRESSION: 2885 if (len >= 6 && p[1] >= 6) { 2886 /* correctly formed compress option */ 2887 continue; 2888 } 2889 if (debug) 2890 addlog(" [invalid]"); 2891 break; 2892 #endif 2893 case IPCP_OPT_ADDRESS: 2894 if (len >= 6 && p[1] == 6) { 2895 /* correctly formed address option */ 2896 continue; 2897 } 2898 if (debug) 2899 addlog(" [invalid]"); 2900 break; 2901 default: 2902 /* Others not supported. */ 2903 if (debug) 2904 addlog(" [rej]"); 2905 break; 2906 } 2907 /* Add the option to rejected list. */ 2908 bcopy (p, r, p[1]); 2909 r += p[1]; 2910 rlen += p[1]; 2911 } 2912 if (rlen) { 2913 if (debug) 2914 addlog(" send conf-rej\n"); 2915 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 2916 goto end; 2917 } else if (debug) 2918 addlog("\n"); 2919 2920 /* pass 2: parse option values */ 2921 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 2922 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 2923 else 2924 #ifdef INET 2925 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 2926 #else 2927 hisaddr = 0; 2928 #endif 2929 if (debug) 2930 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 2931 ifp->if_xname); 2932 p = (void *)(h + 1); 2933 len = origlen; 2934 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2935 if (debug) 2936 addlog(" %s", sppp_ipcp_opt_name(*p)); 2937 switch (*p) { 2938 #ifdef notyet 2939 case IPCP_OPT_COMPRESSION: 2940 continue; 2941 #endif 2942 case IPCP_OPT_ADDRESS: 2943 desiredaddr = p[2] << 24 | p[3] << 16 | 2944 p[4] << 8 | p[5]; 2945 if (desiredaddr == hisaddr || 2946 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 2947 /* 2948 * Peer's address is same as our value, 2949 * this is agreeable. Gonna conf-ack 2950 * it. 2951 */ 2952 if (debug) 2953 addlog(" %s [ack]", 2954 sppp_dotted_quad(hisaddr)); 2955 /* record that we've seen it already */ 2956 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 2957 sp->ipcp.req_hisaddr = desiredaddr; 2958 hisaddr = desiredaddr; 2959 continue; 2960 } 2961 /* 2962 * The address wasn't agreeable. This is either 2963 * he sent us 0.0.0.0, asking to assign him an 2964 * address, or he send us another address not 2965 * matching our value. Either case, we gonna 2966 * conf-nak it with our value. 2967 */ 2968 if (debug) { 2969 if (desiredaddr == 0) 2970 addlog(" [addr requested]"); 2971 else 2972 addlog(" %s [not agreed]", 2973 sppp_dotted_quad(desiredaddr)); 2974 } 2975 2976 p[2] = hisaddr >> 24; 2977 p[3] = hisaddr >> 16; 2978 p[4] = hisaddr >> 8; 2979 p[5] = hisaddr; 2980 break; 2981 } 2982 /* Add the option to nak'ed list. */ 2983 bcopy (p, r, p[1]); 2984 r += p[1]; 2985 rlen += p[1]; 2986 } 2987 2988 /* 2989 * If we are about to conf-ack the request, but haven't seen 2990 * his address so far, gonna conf-nak it instead, with the 2991 * `address' option present and our idea of his address being 2992 * filled in there, to request negotiation of both addresses. 2993 * 2994 * XXX This can result in an endless req - nak loop if peer 2995 * doesn't want to send us his address. Q: What should we do 2996 * about it? XXX A: implement the max-failure counter. 2997 */ 2998 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) { 2999 buf[0] = IPCP_OPT_ADDRESS; 3000 buf[1] = 6; 3001 buf[2] = hisaddr >> 24; 3002 buf[3] = hisaddr >> 16; 3003 buf[4] = hisaddr >> 8; 3004 buf[5] = hisaddr; 3005 rlen = 6; 3006 if (debug) 3007 addlog(" still need hisaddr"); 3008 } 3009 3010 if (rlen) { 3011 if (debug) 3012 addlog(" send conf-nak\n"); 3013 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3014 } else { 3015 if (debug) 3016 addlog(" send conf-ack\n"); 3017 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1); 3018 } 3019 3020 end: 3021 free(buf, M_TEMP); 3022 return (rlen == 0); 3023 3024 drop: 3025 free(buf, M_TEMP); 3026 return -1; 3027 } 3028 3029 /* 3030 * Analyze the IPCP Configure-Reject option list, and adjust our 3031 * negotiation. 3032 */ 3033 static void 3034 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3035 { 3036 u_char *buf, *p; 3037 struct ifnet *ifp = &sp->pp_if; 3038 int debug = ifp->if_flags & IFF_DEBUG; 3039 3040 len -= 4; 3041 buf = malloc (len, M_TEMP, M_NOWAIT); 3042 if (!buf) 3043 return; 3044 3045 if (debug) 3046 log(LOG_DEBUG, "%s: ipcp rej opts:", 3047 ifp->if_xname); 3048 3049 p = (void *)(h + 1); 3050 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3051 /* Sanity check option length */ 3052 if (p[1] > len) { 3053 /* XXX should we just RXJ? */ 3054 addlog("%s: malicious IPCP option received, dropping\n", 3055 ifp->if_xname); 3056 goto drop; 3057 } 3058 if (debug) 3059 addlog(" %s", sppp_ipcp_opt_name(*p)); 3060 switch (*p) { 3061 case IPCP_OPT_ADDRESS: 3062 /* 3063 * Peer doesn't grok address option. This is 3064 * bad. XXX Should we better give up here? 3065 */ 3066 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3067 break; 3068 #ifdef notyet 3069 case IPCP_OPT_COMPRESS: 3070 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS); 3071 break; 3072 #endif 3073 } 3074 } 3075 if (debug) 3076 addlog("\n"); 3077 drop: 3078 free(buf, M_TEMP); 3079 return; 3080 } 3081 3082 /* 3083 * Analyze the IPCP Configure-NAK option list, and adjust our 3084 * negotiation. 3085 */ 3086 static void 3087 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3088 { 3089 u_char *p; 3090 struct ifnet *ifp = &sp->pp_if; 3091 int debug = ifp->if_flags & IFF_DEBUG; 3092 uint32_t wantaddr; 3093 3094 len -= 4; 3095 3096 if (debug) 3097 log(LOG_DEBUG, "%s: ipcp nak opts:", 3098 ifp->if_xname); 3099 3100 p = (void *)(h + 1); 3101 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3102 /* Sanity check option length */ 3103 if (p[1] > len) { 3104 /* XXX should we just RXJ? */ 3105 addlog("%s: malicious IPCP option received, dropping\n", 3106 ifp->if_xname); 3107 return; 3108 } 3109 if (debug) 3110 addlog(" %s", sppp_ipcp_opt_name(*p)); 3111 switch (*p) { 3112 case IPCP_OPT_ADDRESS: 3113 /* 3114 * Peer doesn't like our local IP address. See 3115 * if we can do something for him. We'll drop 3116 * him our address then. 3117 */ 3118 if (len >= 6 && p[1] == 6) { 3119 wantaddr = p[2] << 24 | p[3] << 16 | 3120 p[4] << 8 | p[5]; 3121 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3122 if (debug) 3123 addlog(" [wantaddr %s]", 3124 sppp_dotted_quad(wantaddr)); 3125 /* 3126 * When doing dynamic address assignment, 3127 * we accept his offer. Otherwise, we 3128 * ignore it and thus continue to negotiate 3129 * our already existing value. 3130 */ 3131 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3132 if (debug) 3133 addlog(" [agree]"); 3134 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3135 sp->ipcp.req_myaddr = wantaddr; 3136 } 3137 } 3138 break; 3139 3140 case IPCP_OPT_PRIMDNS: 3141 if (len >= 6 && p[1] == 6) { 3142 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 3143 p[4] << 8 | p[5]; 3144 } 3145 break; 3146 3147 case IPCP_OPT_SECDNS: 3148 if (len >= 6 && p[1] == 6) { 3149 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 3150 p[4] << 8 | p[5]; 3151 } 3152 break; 3153 #ifdef notyet 3154 case IPCP_OPT_COMPRESS: 3155 /* 3156 * Peer wants different compression parameters. 3157 */ 3158 break; 3159 #endif 3160 } 3161 } 3162 if (debug) 3163 addlog("\n"); 3164 } 3165 3166 static void 3167 sppp_ipcp_tlu(struct sppp *sp) 3168 { 3169 #ifdef INET 3170 /* we are up. Set addresses and notify anyone interested */ 3171 STDDCL; 3172 uint32_t myaddr, hisaddr; 3173 3174 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3175 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 3176 myaddr = sp->ipcp.req_myaddr; 3177 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 3178 hisaddr = sp->ipcp.req_hisaddr; 3179 sppp_set_ip_addrs(sp, myaddr, hisaddr); 3180 3181 if (ifp->if_mtu > sp->lcp.their_mru) { 3182 sp->pp_saved_mtu = ifp->if_mtu; 3183 ifp->if_mtu = sp->lcp.their_mru; 3184 if (debug) 3185 log(LOG_DEBUG, 3186 "%s: setting MTU to %" PRIu64 " bytes\n", 3187 ifp->if_xname, ifp->if_mtu); 3188 } 3189 3190 if (sp->pp_con) 3191 sp->pp_con(sp); 3192 #endif 3193 } 3194 3195 static void 3196 sppp_ipcp_tld(struct sppp *sp) 3197 { 3198 } 3199 3200 static void 3201 sppp_ipcp_tls(struct sppp *sp) 3202 { 3203 /* indicate to LCP that it must stay alive */ 3204 sp->lcp.protos |= (1 << IDX_IPCP); 3205 } 3206 3207 static void 3208 sppp_ipcp_tlf(struct sppp *sp) 3209 { 3210 /* we no longer need LCP */ 3211 sp->lcp.protos &= ~(1 << IDX_IPCP); 3212 } 3213 3214 static void 3215 sppp_ipcp_scr(struct sppp *sp) 3216 { 3217 char opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 3218 #ifdef INET 3219 uint32_t ouraddr; 3220 #endif 3221 int i = 0; 3222 3223 #ifdef notyet 3224 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3225 opt[i++] = IPCP_OPT_COMPRESSION; 3226 opt[i++] = 6; 3227 opt[i++] = 0; /* VJ header compression */ 3228 opt[i++] = 0x2d; /* VJ header compression */ 3229 opt[i++] = max_slot_id; 3230 opt[i++] = comp_slot_id; 3231 } 3232 #endif 3233 3234 #ifdef INET 3235 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3236 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) 3237 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 3238 else 3239 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3240 opt[i++] = IPCP_OPT_ADDRESS; 3241 opt[i++] = 6; 3242 opt[i++] = ouraddr >> 24; 3243 opt[i++] = ouraddr >> 16; 3244 opt[i++] = ouraddr >> 8; 3245 opt[i++] = ouraddr; 3246 } 3247 #endif 3248 3249 if (sp->query_dns & 1) { 3250 opt[i++] = IPCP_OPT_PRIMDNS; 3251 opt[i++] = 6; 3252 opt[i++] = sp->dns_addrs[0] >> 24; 3253 opt[i++] = sp->dns_addrs[0] >> 16; 3254 opt[i++] = sp->dns_addrs[0] >> 8; 3255 opt[i++] = sp->dns_addrs[0]; 3256 } 3257 if (sp->query_dns & 2) { 3258 opt[i++] = IPCP_OPT_SECDNS; 3259 opt[i++] = 6; 3260 opt[i++] = sp->dns_addrs[1] >> 24; 3261 opt[i++] = sp->dns_addrs[1] >> 16; 3262 opt[i++] = sp->dns_addrs[1] >> 8; 3263 opt[i++] = sp->dns_addrs[1]; 3264 } 3265 3266 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3267 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3268 } 3269 3270 3271 /* 3272 *--------------------------------------------------------------------------* 3273 * * 3274 * The IPv6CP implementation. * 3275 * * 3276 *--------------------------------------------------------------------------* 3277 */ 3278 3279 #ifdef INET6 3280 static void 3281 sppp_ipv6cp_init(struct sppp *sp) 3282 { 3283 sp->ipv6cp.opts = 0; 3284 sp->ipv6cp.flags = 0; 3285 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3286 sp->fail_counter[IDX_IPV6CP] = 0; 3287 sp->pp_seq[IDX_IPV6CP] = 0; 3288 sp->pp_rseq[IDX_IPV6CP] = 0; 3289 callout_init(&sp->ch[IDX_IPV6CP], 0); 3290 } 3291 3292 static void 3293 sppp_ipv6cp_up(struct sppp *sp) 3294 { 3295 sppp_up_event(&ipv6cp, sp); 3296 } 3297 3298 static void 3299 sppp_ipv6cp_down(struct sppp *sp) 3300 { 3301 sppp_down_event(&ipv6cp, sp); 3302 } 3303 3304 static void 3305 sppp_ipv6cp_open(struct sppp *sp) 3306 { 3307 STDDCL; 3308 struct in6_addr myaddr, hisaddr; 3309 3310 #ifdef IPV6CP_MYIFID_DYN 3311 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3312 #else 3313 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3314 #endif 3315 3316 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3317 /* 3318 * If we don't have our address, this probably means our 3319 * interface doesn't want to talk IPv6 at all. (This could 3320 * be the case if somebody wants to speak only IPX, for 3321 * example.) Don't open IPv6CP in this case. 3322 */ 3323 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3324 /* XXX this message should go away */ 3325 if (debug) 3326 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 3327 ifp->if_xname); 3328 return; 3329 } 3330 3331 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3332 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3333 sppp_open_event(&ipv6cp, sp); 3334 } 3335 3336 static void 3337 sppp_ipv6cp_close(struct sppp *sp) 3338 { 3339 sppp_close_event(&ipv6cp, sp); 3340 } 3341 3342 static void 3343 sppp_ipv6cp_TO(void *cookie) 3344 { 3345 sppp_to_event(&ipv6cp, (struct sppp *)cookie); 3346 } 3347 3348 /* 3349 * Analyze a configure request. Return true if it was agreeable, and 3350 * caused action sca, false if it has been rejected or nak'ed, and 3351 * caused action scn. (The return value is used to make the state 3352 * transition decision in the state automaton.) 3353 */ 3354 static int 3355 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3356 { 3357 u_char *buf, *r, *p; 3358 struct ifnet *ifp = &sp->pp_if; 3359 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3360 struct in6_addr myaddr, desiredaddr, suggestaddr; 3361 int ifidcount; 3362 int type; 3363 int collision, nohisaddr; 3364 3365 len -= 4; 3366 origlen = len; 3367 /* 3368 * Make sure to allocate a buf that can at least hold a 3369 * conf-nak with an `address' option. We might need it below. 3370 */ 3371 buf = r = malloc ((len < 6? 6: len), M_TEMP, M_NOWAIT); 3372 if (! buf) 3373 return (0); 3374 3375 /* pass 1: see if we can recognize them */ 3376 if (debug) 3377 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 3378 ifp->if_xname); 3379 p = (void *)(h + 1); 3380 ifidcount = 0; 3381 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3382 /* Sanity check option length */ 3383 if (p[1] > len) { 3384 /* XXX just RXJ? */ 3385 addlog("%s: received malicious IPCPv6 option, " 3386 "dropping\n", ifp->if_xname); 3387 goto drop; 3388 } 3389 if (debug) 3390 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3391 switch (*p) { 3392 case IPV6CP_OPT_IFID: 3393 if (len >= 10 && p[1] == 10 && ifidcount == 0) { 3394 /* correctly formed address option */ 3395 ifidcount++; 3396 continue; 3397 } 3398 if (debug) 3399 addlog(" [invalid]"); 3400 break; 3401 #ifdef notyet 3402 case IPV6CP_OPT_COMPRESSION: 3403 if (len >= 4 && p[1] >= 4) { 3404 /* correctly formed compress option */ 3405 continue; 3406 } 3407 if (debug) 3408 addlog(" [invalid]"); 3409 break; 3410 #endif 3411 default: 3412 /* Others not supported. */ 3413 if (debug) 3414 addlog(" [rej]"); 3415 break; 3416 } 3417 /* Add the option to rejected list. */ 3418 bcopy (p, r, p[1]); 3419 r += p[1]; 3420 rlen += p[1]; 3421 } 3422 if (rlen) { 3423 if (debug) 3424 addlog(" send conf-rej\n"); 3425 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3426 goto end; 3427 } else if (debug) 3428 addlog("\n"); 3429 3430 /* pass 2: parse option values */ 3431 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3432 if (debug) 3433 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 3434 ifp->if_xname); 3435 p = (void *)(h + 1); 3436 len = origlen; 3437 type = CONF_ACK; 3438 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3439 if (debug) 3440 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3441 switch (*p) { 3442 #ifdef notyet 3443 case IPV6CP_OPT_COMPRESSION: 3444 continue; 3445 #endif 3446 case IPV6CP_OPT_IFID: 3447 memset(&desiredaddr, 0, sizeof(desiredaddr)); 3448 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 3449 collision = (memcmp(&desiredaddr.s6_addr[8], 3450 &myaddr.s6_addr[8], 8) == 0); 3451 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3452 3453 desiredaddr.s6_addr16[0] = htons(0xfe80); 3454 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 3455 3456 if (!collision && !nohisaddr) { 3457 /* no collision, hisaddr known - Conf-Ack */ 3458 type = CONF_ACK; 3459 3460 if (debug) { 3461 addlog(" %s [%s]", 3462 ip6_sprintf(&desiredaddr), 3463 sppp_cp_type_name(type)); 3464 } 3465 continue; 3466 } 3467 3468 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3469 if (collision && nohisaddr) { 3470 /* collision, hisaddr unknown - Conf-Rej */ 3471 type = CONF_REJ; 3472 memset(&p[2], 0, 8); 3473 } else { 3474 /* 3475 * - no collision, hisaddr unknown, or 3476 * - collision, hisaddr known 3477 * Conf-Nak, suggest hisaddr 3478 */ 3479 type = CONF_NAK; 3480 sppp_suggest_ip6_addr(sp, &suggestaddr); 3481 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 3482 } 3483 if (debug) 3484 addlog(" %s [%s]", ip6_sprintf(&desiredaddr), 3485 sppp_cp_type_name(type)); 3486 break; 3487 } 3488 /* Add the option to nak'ed list. */ 3489 bcopy (p, r, p[1]); 3490 r += p[1]; 3491 rlen += p[1]; 3492 } 3493 3494 if (rlen == 0 && type == CONF_ACK) { 3495 if (debug) 3496 addlog(" send %s\n", sppp_cp_type_name(type)); 3497 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1); 3498 } else { 3499 #ifdef notdef 3500 if (type == CONF_ACK) 3501 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3502 #endif 3503 3504 if (debug) { 3505 addlog(" send %s suggest %s\n", 3506 sppp_cp_type_name(type), ip6_sprintf(&suggestaddr)); 3507 } 3508 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3509 } 3510 3511 end: 3512 free(buf, M_TEMP); 3513 return (rlen == 0); 3514 3515 drop: 3516 free(buf, M_TEMP); 3517 return -1; 3518 } 3519 3520 /* 3521 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3522 * negotiation. 3523 */ 3524 static void 3525 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3526 { 3527 u_char *buf, *p; 3528 struct ifnet *ifp = &sp->pp_if; 3529 int debug = ifp->if_flags & IFF_DEBUG; 3530 3531 len -= 4; 3532 buf = malloc (len, M_TEMP, M_NOWAIT); 3533 if (!buf) 3534 return; 3535 3536 if (debug) 3537 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 3538 ifp->if_xname); 3539 3540 p = (void *)(h + 1); 3541 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3542 if (p[1] > len) { 3543 /* XXX just RXJ? */ 3544 addlog("%s: received malicious IPCPv6 option, " 3545 "dropping\n", ifp->if_xname); 3546 goto drop; 3547 } 3548 if (debug) 3549 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3550 switch (*p) { 3551 case IPV6CP_OPT_IFID: 3552 /* 3553 * Peer doesn't grok address option. This is 3554 * bad. XXX Should we better give up here? 3555 */ 3556 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3557 break; 3558 #ifdef notyet 3559 case IPV6CP_OPT_COMPRESS: 3560 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3561 break; 3562 #endif 3563 } 3564 } 3565 if (debug) 3566 addlog("\n"); 3567 drop: 3568 free(buf, M_TEMP); 3569 return; 3570 } 3571 3572 /* 3573 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3574 * negotiation. 3575 */ 3576 static void 3577 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3578 { 3579 u_char *buf, *p; 3580 struct ifnet *ifp = &sp->pp_if; 3581 int debug = ifp->if_flags & IFF_DEBUG; 3582 struct in6_addr suggestaddr; 3583 3584 len -= 4; 3585 buf = malloc (len, M_TEMP, M_NOWAIT); 3586 if (!buf) 3587 return; 3588 3589 if (debug) 3590 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 3591 ifp->if_xname); 3592 3593 p = (void *)(h + 1); 3594 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3595 if (p[1] > len) { 3596 /* XXX just RXJ? */ 3597 addlog("%s: received malicious IPCPv6 option, " 3598 "dropping\n", ifp->if_xname); 3599 goto drop; 3600 } 3601 if (debug) 3602 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3603 switch (*p) { 3604 case IPV6CP_OPT_IFID: 3605 /* 3606 * Peer doesn't like our local ifid. See 3607 * if we can do something for him. We'll drop 3608 * him our address then. 3609 */ 3610 if (len < 10 || p[1] != 10) 3611 break; 3612 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3613 suggestaddr.s6_addr16[0] = htons(0xfe80); 3614 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 3615 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 3616 3617 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3618 if (debug) 3619 addlog(" [suggestaddr %s]", 3620 ip6_sprintf(&suggestaddr)); 3621 #ifdef IPV6CP_MYIFID_DYN 3622 /* 3623 * When doing dynamic address assignment, 3624 * we accept his offer. 3625 */ 3626 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3627 struct in6_addr lastsuggest; 3628 /* 3629 * If <suggested myaddr from peer> equals to 3630 * <hisaddr we have suggested last time>, 3631 * we have a collision. generate new random 3632 * ifid. 3633 */ 3634 sppp_suggest_ip6_addr(&lastsuggest); 3635 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3636 lastsuggest)) { 3637 if (debug) 3638 addlog(" [random]"); 3639 sppp_gen_ip6_addr(sp, &suggestaddr); 3640 } 3641 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3642 if (debug) 3643 addlog(" [agree]"); 3644 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3645 } 3646 #else 3647 /* 3648 * Since we do not do dynamic address assignment, 3649 * we ignore it and thus continue to negotiate 3650 * our already existing value. This can possibly 3651 * go into infinite request-reject loop. 3652 * 3653 * This is not likely because we normally use 3654 * ifid based on MAC-address. 3655 * If you have no ethernet card on the node, too bad. 3656 * XXX should we use fail_counter? 3657 */ 3658 #endif 3659 break; 3660 #ifdef notyet 3661 case IPV6CP_OPT_COMPRESS: 3662 /* 3663 * Peer wants different compression parameters. 3664 */ 3665 break; 3666 #endif 3667 } 3668 } 3669 if (debug) 3670 addlog("\n"); 3671 drop: 3672 free(buf, M_TEMP); 3673 return; 3674 } 3675 3676 static void 3677 sppp_ipv6cp_tlu(struct sppp *sp) 3678 { 3679 /* we are up - notify isdn daemon */ 3680 if (sp->pp_con) 3681 sp->pp_con(sp); 3682 } 3683 3684 static void 3685 sppp_ipv6cp_tld(struct sppp *sp) 3686 { 3687 } 3688 3689 static void 3690 sppp_ipv6cp_tls(struct sppp *sp) 3691 { 3692 /* indicate to LCP that it must stay alive */ 3693 sp->lcp.protos |= (1 << IDX_IPV6CP); 3694 } 3695 3696 static void 3697 sppp_ipv6cp_tlf(struct sppp *sp) 3698 { 3699 /* we no longer need LCP */ 3700 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3701 } 3702 3703 static void 3704 sppp_ipv6cp_scr(struct sppp *sp) 3705 { 3706 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3707 struct in6_addr ouraddr; 3708 int i = 0; 3709 3710 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3711 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3712 opt[i++] = IPV6CP_OPT_IFID; 3713 opt[i++] = 10; 3714 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 3715 i += 8; 3716 } 3717 3718 #ifdef notyet 3719 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 3720 opt[i++] = IPV6CP_OPT_COMPRESSION; 3721 opt[i++] = 4; 3722 opt[i++] = 0; /* TBD */ 3723 opt[i++] = 0; /* TBD */ 3724 /* variable length data may follow */ 3725 } 3726 #endif 3727 3728 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 3729 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 3730 } 3731 #else /*INET6*/ 3732 static void 3733 sppp_ipv6cp_init(struct sppp *sp) 3734 { 3735 } 3736 3737 static void 3738 sppp_ipv6cp_up(struct sppp *sp) 3739 { 3740 } 3741 3742 static void 3743 sppp_ipv6cp_down(struct sppp *sp) 3744 { 3745 } 3746 3747 static void 3748 sppp_ipv6cp_open(struct sppp *sp) 3749 { 3750 } 3751 3752 static void 3753 sppp_ipv6cp_close(struct sppp *sp) 3754 { 3755 } 3756 3757 static void 3758 sppp_ipv6cp_TO(void *sp) 3759 { 3760 } 3761 3762 static int 3763 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, 3764 int len) 3765 { 3766 return 0; 3767 } 3768 3769 static void 3770 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, 3771 int len) 3772 { 3773 } 3774 3775 static void 3776 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, 3777 int len) 3778 { 3779 } 3780 3781 static void 3782 sppp_ipv6cp_tlu(struct sppp *sp) 3783 { 3784 } 3785 3786 static void 3787 sppp_ipv6cp_tld(struct sppp *sp) 3788 { 3789 } 3790 3791 static void 3792 sppp_ipv6cp_tls(struct sppp *sp) 3793 { 3794 } 3795 3796 static void 3797 sppp_ipv6cp_tlf(struct sppp *sp) 3798 { 3799 } 3800 3801 static void 3802 sppp_ipv6cp_scr(struct sppp *sp) 3803 { 3804 } 3805 #endif /*INET6*/ 3806 3807 3808 /* 3809 *--------------------------------------------------------------------------* 3810 * * 3811 * The CHAP implementation. * 3812 * * 3813 *--------------------------------------------------------------------------* 3814 */ 3815 3816 /* 3817 * The authentication protocols don't employ a full-fledged state machine as 3818 * the control protocols do, since they do have Open and Close events, but 3819 * not Up and Down, nor are they explicitly terminated. Also, use of the 3820 * authentication protocols may be different in both directions (this makes 3821 * sense, think of a machine that never accepts incoming calls but only 3822 * calls out, it doesn't require the called party to authenticate itself). 3823 * 3824 * Our state machine for the local authentication protocol (we are requesting 3825 * the peer to authenticate) looks like: 3826 * 3827 * RCA- 3828 * +--------------------------------------------+ 3829 * V scn,tld| 3830 * +--------+ Close +---------+ RCA+ 3831 * | |<----------------------------------| |------+ 3832 * +--->| Closed | TO* | Opened | sca | 3833 * | | |-----+ +-------| |<-----+ 3834 * | +--------+ irc | | +---------+ 3835 * | ^ | | ^ 3836 * | | | | | 3837 * | | | | | 3838 * | TO-| | | | 3839 * | |tld TO+ V | | 3840 * | | +------->+ | | 3841 * | | | | | | 3842 * | +--------+ V | | 3843 * | | |<----+<--------------------+ | 3844 * | | Req- | scr | 3845 * | | Sent | | 3846 * | | | | 3847 * | +--------+ | 3848 * | RCA- | | RCA+ | 3849 * +------+ +------------------------------------------+ 3850 * scn,tld sca,irc,ict,tlu 3851 * 3852 * 3853 * with: 3854 * 3855 * Open: LCP reached authentication phase 3856 * Close: LCP reached terminate phase 3857 * 3858 * RCA+: received reply (pap-req, chap-response), acceptable 3859 * RCN: received reply (pap-req, chap-response), not acceptable 3860 * TO+: timeout with restart counter >= 0 3861 * TO-: timeout with restart counter < 0 3862 * TO*: reschedule timeout for CHAP 3863 * 3864 * scr: send request packet (none for PAP, chap-challenge) 3865 * sca: send ack packet (pap-ack, chap-success) 3866 * scn: send nak packet (pap-nak, chap-failure) 3867 * ict: initialize re-challenge timer (CHAP only) 3868 * 3869 * tlu: this-layer-up, LCP reaches network phase 3870 * tld: this-layer-down, LCP enters terminate phase 3871 * 3872 * Note that in CHAP mode, after sending a new challenge, while the state 3873 * automaton falls back into Req-Sent state, it doesn't signal a tld 3874 * event to LCP, so LCP remains in network phase. Only after not getting 3875 * any response (or after getting an unacceptable response), CHAP closes, 3876 * causing LCP to enter terminate phase. 3877 * 3878 * With PAP, there is no initial request that can be sent. The peer is 3879 * expected to send one based on the successful negotiation of PAP as 3880 * the authentication protocol during the LCP option negotiation. 3881 * 3882 * Incoming authentication protocol requests (remote requests 3883 * authentication, we are peer) don't employ a state machine at all, 3884 * they are simply answered. Some peers [Ascend P50 firmware rev 3885 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are 3886 * still in authentication phase (thereby violating the standard that 3887 * demands that these NCP packets are to be discarded), so we keep 3888 * track of the peer demanding us to authenticate, and only proceed to 3889 * phase network once we've seen a positive acknowledge for the 3890 * authentication. 3891 */ 3892 3893 /* 3894 * Handle incoming CHAP packets. 3895 */ 3896 void 3897 sppp_chap_input(struct sppp *sp, struct mbuf *m) 3898 { 3899 STDDCL; 3900 struct lcp_header *h; 3901 int len, x; 3902 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize; 3903 int value_len, name_len; 3904 MD5_CTX ctx; 3905 3906 len = m->m_pkthdr.len; 3907 if (len < 4) { 3908 if (debug) 3909 log(LOG_DEBUG, 3910 "%s: chap invalid packet length: %d bytes\n", 3911 ifp->if_xname, len); 3912 return; 3913 } 3914 h = mtod(m, struct lcp_header *); 3915 if (len > ntohs(h->len)) 3916 len = ntohs(h->len); 3917 3918 switch (h->type) { 3919 /* challenge, failure and success are his authproto */ 3920 case CHAP_CHALLENGE: 3921 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 3922 /* can't do anything useful */ 3923 sp->pp_auth_failures++; 3924 printf("%s: chap input without my name and my secret being set\n", 3925 ifp->if_xname); 3926 break; 3927 } 3928 value = 1 + (u_char *)(h + 1); 3929 value_len = value[-1]; 3930 name = value + value_len; 3931 name_len = len - value_len - 5; 3932 if (name_len < 0) { 3933 if (debug) { 3934 log(LOG_DEBUG, 3935 "%s: chap corrupted challenge " 3936 "<%s id=0x%x len=%d", 3937 ifp->if_xname, 3938 sppp_auth_type_name(PPP_CHAP, h->type), 3939 h->ident, ntohs(h->len)); 3940 if (len > 4) 3941 sppp_print_bytes((u_char *)(h + 1), 3942 len - 4); 3943 addlog(">\n"); 3944 } 3945 break; 3946 } 3947 3948 if (debug) { 3949 log(LOG_DEBUG, 3950 "%s: chap input <%s id=0x%x len=%d name=", 3951 ifp->if_xname, 3952 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 3953 ntohs(h->len)); 3954 sppp_print_string((char *) name, name_len); 3955 addlog(" value-size=%d value=", value_len); 3956 sppp_print_bytes(value, value_len); 3957 addlog(">\n"); 3958 } 3959 3960 /* Compute reply value. */ 3961 MD5Init(&ctx); 3962 MD5Update(&ctx, &h->ident, 1); 3963 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 3964 MD5Update(&ctx, value, value_len); 3965 MD5Final(digest, &ctx); 3966 dsize = sizeof digest; 3967 3968 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 3969 sizeof dsize, (const char *)&dsize, 3970 sizeof digest, digest, 3971 sp->myauth.name_len, 3972 sp->myauth.name, 3973 0); 3974 break; 3975 3976 case CHAP_SUCCESS: 3977 if (debug) { 3978 log(LOG_DEBUG, "%s: chap success", 3979 ifp->if_xname); 3980 if (len > 4) { 3981 addlog(": "); 3982 sppp_print_string((char *)(h + 1), len - 4); 3983 } 3984 addlog("\n"); 3985 } 3986 x = splnet(); 3987 sp->pp_auth_failures = 0; 3988 sp->pp_flags &= ~PP_NEEDAUTH; 3989 if (sp->myauth.proto == PPP_CHAP && 3990 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 3991 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 3992 /* 3993 * We are authenticator for CHAP but didn't 3994 * complete yet. Leave it to tlu to proceed 3995 * to network phase. 3996 */ 3997 splx(x); 3998 break; 3999 } 4000 splx(x); 4001 sppp_phase_network(sp); 4002 break; 4003 4004 case CHAP_FAILURE: 4005 x = splnet(); 4006 sp->pp_auth_failures++; 4007 splx(x); 4008 if (debug) { 4009 log(LOG_INFO, "%s: chap failure", 4010 ifp->if_xname); 4011 if (len > 4) { 4012 addlog(": "); 4013 sppp_print_string((char *)(h + 1), len - 4); 4014 } 4015 addlog("\n"); 4016 } else 4017 log(LOG_INFO, "%s: chap failure\n", 4018 ifp->if_xname); 4019 /* await LCP shutdown by authenticator */ 4020 break; 4021 4022 /* response is my authproto */ 4023 case CHAP_RESPONSE: 4024 if (sp->hisauth.secret == NULL) { 4025 /* can't do anything useful */ 4026 printf("%s: chap input without his secret being set\n", 4027 ifp->if_xname); 4028 break; 4029 } 4030 value = 1 + (u_char *)(h + 1); 4031 value_len = value[-1]; 4032 name = value + value_len; 4033 name_len = len - value_len - 5; 4034 if (name_len < 0) { 4035 if (debug) { 4036 log(LOG_DEBUG, 4037 "%s: chap corrupted response " 4038 "<%s id=0x%x len=%d", 4039 ifp->if_xname, 4040 sppp_auth_type_name(PPP_CHAP, h->type), 4041 h->ident, ntohs(h->len)); 4042 if (len > 4) 4043 sppp_print_bytes((u_char *)(h + 1), 4044 len - 4); 4045 addlog(">\n"); 4046 } 4047 break; 4048 } 4049 if (h->ident != sp->confid[IDX_CHAP]) { 4050 if (debug) 4051 log(LOG_DEBUG, 4052 "%s: chap dropping response for old ID " 4053 "(got %d, expected %d)\n", 4054 ifp->if_xname, 4055 h->ident, sp->confid[IDX_CHAP]); 4056 break; 4057 } 4058 if (sp->hisauth.name != NULL && 4059 (name_len != sp->hisauth.name_len 4060 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 4061 log(LOG_INFO, "%s: chap response, his name ", 4062 ifp->if_xname); 4063 sppp_print_string(name, name_len); 4064 addlog(" != expected "); 4065 sppp_print_string(sp->hisauth.name, 4066 sp->hisauth.name_len); 4067 addlog("\n"); 4068 goto chap_failure; 4069 } 4070 if (debug) { 4071 log(LOG_DEBUG, "%s: chap input(%s) " 4072 "<%s id=0x%x len=%d name=", 4073 ifp->if_xname, 4074 sppp_state_name(sp->state[IDX_CHAP]), 4075 sppp_auth_type_name(PPP_CHAP, h->type), 4076 h->ident, ntohs(h->len)); 4077 sppp_print_string((char *)name, name_len); 4078 addlog(" value-size=%d value=", value_len); 4079 sppp_print_bytes(value, value_len); 4080 addlog(">\n"); 4081 } 4082 if (value_len != sizeof(sp->myauth.challenge)) { 4083 if (debug) 4084 log(LOG_DEBUG, 4085 "%s: chap bad hash value length: " 4086 "%d bytes, should be %ld\n", 4087 ifp->if_xname, value_len, 4088 (long) sizeof(sp->myauth.challenge)); 4089 goto chap_failure; 4090 } 4091 4092 MD5Init(&ctx); 4093 MD5Update(&ctx, &h->ident, 1); 4094 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 4095 MD5Update(&ctx, sp->myauth.challenge, sizeof(sp->myauth.challenge)); 4096 MD5Final(digest, &ctx); 4097 4098 #define FAILMSG "Failed..." 4099 #define SUCCMSG "Welcome!" 4100 4101 if (value_len != sizeof digest || 4102 memcmp(digest, value, value_len) != 0) { 4103 chap_failure: 4104 /* action scn, tld */ 4105 x = splnet(); 4106 sp->pp_auth_failures++; 4107 splx(x); 4108 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4109 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4110 0); 4111 chap.tld(sp); 4112 break; 4113 } 4114 sp->pp_auth_failures = 0; 4115 /* action sca, perhaps tlu */ 4116 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4117 sp->state[IDX_CHAP] == STATE_OPENED) 4118 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4119 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4120 0); 4121 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4122 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4123 chap.tlu(sp); 4124 } 4125 break; 4126 4127 default: 4128 /* Unknown CHAP packet type -- ignore. */ 4129 if (debug) { 4130 log(LOG_DEBUG, "%s: chap unknown input(%s) " 4131 "<0x%x id=0x%xh len=%d", 4132 ifp->if_xname, 4133 sppp_state_name(sp->state[IDX_CHAP]), 4134 h->type, h->ident, ntohs(h->len)); 4135 if (len > 4) 4136 sppp_print_bytes((u_char *)(h + 1), len - 4); 4137 addlog(">\n"); 4138 } 4139 break; 4140 4141 } 4142 } 4143 4144 static void 4145 sppp_chap_init(struct sppp *sp) 4146 { 4147 /* Chap doesn't have STATE_INITIAL at all. */ 4148 sp->state[IDX_CHAP] = STATE_CLOSED; 4149 sp->fail_counter[IDX_CHAP] = 0; 4150 sp->pp_seq[IDX_CHAP] = 0; 4151 sp->pp_rseq[IDX_CHAP] = 0; 4152 callout_init(&sp->ch[IDX_CHAP], 0); 4153 } 4154 4155 static void 4156 sppp_chap_open(struct sppp *sp) 4157 { 4158 if (sp->myauth.proto == PPP_CHAP && 4159 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4160 /* we are authenticator for CHAP, start it */ 4161 chap.scr(sp); 4162 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4163 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4164 } 4165 /* nothing to be done if we are peer, await a challenge */ 4166 } 4167 4168 static void 4169 sppp_chap_close(struct sppp *sp) 4170 { 4171 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4172 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4173 } 4174 4175 static void 4176 sppp_chap_TO(void *cookie) 4177 { 4178 struct sppp *sp = (struct sppp *)cookie; 4179 STDDCL; 4180 int s; 4181 4182 s = splnet(); 4183 if (debug) 4184 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n", 4185 ifp->if_xname, 4186 sppp_state_name(sp->state[IDX_CHAP]), 4187 sp->rst_counter[IDX_CHAP]); 4188 4189 if (--sp->rst_counter[IDX_CHAP] < 0) 4190 /* TO- event */ 4191 switch (sp->state[IDX_CHAP]) { 4192 case STATE_REQ_SENT: 4193 chap.tld(sp); 4194 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4195 break; 4196 } 4197 else 4198 /* TO+ (or TO*) event */ 4199 switch (sp->state[IDX_CHAP]) { 4200 case STATE_OPENED: 4201 /* TO* event */ 4202 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4203 /* fall through */ 4204 case STATE_REQ_SENT: 4205 chap.scr(sp); 4206 /* sppp_cp_change_state() will restart the timer */ 4207 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4208 break; 4209 } 4210 4211 splx(s); 4212 } 4213 4214 static void 4215 sppp_chap_tlu(struct sppp *sp) 4216 { 4217 STDDCL; 4218 int i, x; 4219 4220 i = 0; 4221 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4222 4223 /* 4224 * Some broken CHAP implementations (Conware CoNet, firmware 4225 * 4.0.?) don't want to re-authenticate their CHAP once the 4226 * initial challenge-response exchange has taken place. 4227 * Provide for an option to avoid rechallenges. 4228 */ 4229 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 4230 /* 4231 * Compute the re-challenge timeout. This will yield 4232 * a number between 300 and 810 seconds. 4233 */ 4234 i = 300 + ((unsigned)(arc4random() & 0xff00) >> 7); 4235 4236 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp); 4237 } 4238 4239 if (debug) { 4240 log(LOG_DEBUG, 4241 "%s: chap %s, ", 4242 ifp->if_xname, 4243 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu"); 4244 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) 4245 addlog("next re-challenge in %d seconds\n", i); 4246 else 4247 addlog("re-challenging supressed\n"); 4248 } 4249 4250 x = splnet(); 4251 sp->pp_auth_failures = 0; 4252 /* indicate to LCP that we need to be closed down */ 4253 sp->lcp.protos |= (1 << IDX_CHAP); 4254 4255 if (sp->pp_flags & PP_NEEDAUTH) { 4256 /* 4257 * Remote is authenticator, but his auth proto didn't 4258 * complete yet. Defer the transition to network 4259 * phase. 4260 */ 4261 splx(x); 4262 return; 4263 } 4264 splx(x); 4265 4266 /* 4267 * If we are already in phase network, we are done here. This 4268 * is the case if this is a dummy tlu event after a re-challenge. 4269 */ 4270 if (sp->pp_phase != SPPP_PHASE_NETWORK) 4271 sppp_phase_network(sp); 4272 } 4273 4274 static void 4275 sppp_chap_tld(struct sppp *sp) 4276 { 4277 STDDCL; 4278 4279 if (debug) 4280 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname); 4281 callout_stop(&sp->ch[IDX_CHAP]); 4282 sp->lcp.protos &= ~(1 << IDX_CHAP); 4283 4284 lcp.Close(sp); 4285 } 4286 4287 static void 4288 sppp_chap_scr(struct sppp *sp) 4289 { 4290 uint32_t *ch; 4291 u_char clen; 4292 4293 if (sp->myauth.name == NULL) { 4294 /* can't do anything useful */ 4295 printf("%s: chap starting without my name being set\n", 4296 sp->pp_if.if_xname); 4297 return; 4298 } 4299 4300 /* Compute random challenge. */ 4301 ch = (uint32_t *)sp->myauth.challenge; 4302 ch[0] = arc4random(); 4303 ch[1] = arc4random(); 4304 ch[2] = arc4random(); 4305 ch[3] = arc4random(); 4306 clen = 16; /* 4 * sizeof(uint32_t) */ 4307 4308 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4309 4310 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4311 sizeof clen, (const char *)&clen, 4312 sizeof(sp->myauth.challenge), sp->myauth.challenge, 4313 sp->myauth.name_len, 4314 sp->myauth.name, 4315 0); 4316 } 4317 4318 /* 4319 *--------------------------------------------------------------------------* 4320 * * 4321 * The PAP implementation. * 4322 * * 4323 *--------------------------------------------------------------------------* 4324 */ 4325 /* 4326 * For PAP, we need to keep a little state also if we are the peer, not the 4327 * authenticator. This is since we don't get a request to authenticate, but 4328 * have to repeatedly authenticate ourself until we got a response (or the 4329 * retry counter is expired). 4330 */ 4331 4332 /* 4333 * Handle incoming PAP packets. */ 4334 static void 4335 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4336 { 4337 STDDCL; 4338 struct lcp_header *h; 4339 int len, x; 4340 u_char mlen; 4341 char *name, *secret; 4342 int name_len, secret_len; 4343 4344 /* 4345 * Malicious input might leave this uninitialized, so 4346 * init to an impossible value. 4347 */ 4348 secret_len = -1; 4349 4350 len = m->m_pkthdr.len; 4351 if (len < 5) { 4352 if (debug) 4353 log(LOG_DEBUG, 4354 "%s: pap invalid packet length: %d bytes\n", 4355 ifp->if_xname, len); 4356 return; 4357 } 4358 h = mtod(m, struct lcp_header *); 4359 if (len > ntohs(h->len)) 4360 len = ntohs(h->len); 4361 switch (h->type) { 4362 /* PAP request is my authproto */ 4363 case PAP_REQ: 4364 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4365 /* can't do anything useful */ 4366 printf("%s: pap request without his name and his secret being set\n", 4367 ifp->if_xname); 4368 break; 4369 } 4370 name = 1 + (u_char *)(h + 1); 4371 name_len = name[-1]; 4372 secret = name + name_len + 1; 4373 if (name_len > len - 6 || 4374 (secret_len = secret[-1]) > len - 6 - name_len) { 4375 if (debug) { 4376 log(LOG_DEBUG, "%s: pap corrupted input " 4377 "<%s id=0x%x len=%d", 4378 ifp->if_xname, 4379 sppp_auth_type_name(PPP_PAP, h->type), 4380 h->ident, ntohs(h->len)); 4381 if (len > 4) 4382 sppp_print_bytes((u_char *)(h + 1), 4383 len - 4); 4384 addlog(">\n"); 4385 } 4386 break; 4387 } 4388 if (debug) { 4389 log(LOG_DEBUG, "%s: pap input(%s) " 4390 "<%s id=0x%x len=%d name=", 4391 ifp->if_xname, 4392 sppp_state_name(sp->state[IDX_PAP]), 4393 sppp_auth_type_name(PPP_PAP, h->type), 4394 h->ident, ntohs(h->len)); 4395 sppp_print_string((char *)name, name_len); 4396 addlog(" secret="); 4397 sppp_print_string((char *)secret, secret_len); 4398 addlog(">\n"); 4399 } 4400 if (name_len != sp->hisauth.name_len || 4401 secret_len != sp->hisauth.secret_len || 4402 memcmp(name, sp->hisauth.name, name_len) != 0 || 4403 memcmp(secret, sp->hisauth.secret, secret_len) != 0) { 4404 /* action scn, tld */ 4405 sp->pp_auth_failures++; 4406 mlen = sizeof(FAILMSG) - 1; 4407 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4408 sizeof mlen, (const char *)&mlen, 4409 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4410 0); 4411 pap.tld(sp); 4412 break; 4413 } 4414 /* action sca, perhaps tlu */ 4415 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4416 sp->state[IDX_PAP] == STATE_OPENED) { 4417 mlen = sizeof(SUCCMSG) - 1; 4418 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4419 sizeof mlen, (const char *)&mlen, 4420 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4421 0); 4422 } 4423 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4424 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4425 pap.tlu(sp); 4426 } 4427 break; 4428 4429 /* ack and nak are his authproto */ 4430 case PAP_ACK: 4431 callout_stop(&sp->pap_my_to_ch); 4432 if (debug) { 4433 log(LOG_DEBUG, "%s: pap success", 4434 ifp->if_xname); 4435 name = 1 + (u_char *)(h + 1); 4436 name_len = name[-1]; 4437 if (len > 5 && name_len < len+4) { 4438 addlog(": "); 4439 sppp_print_string(name, name_len); 4440 } 4441 addlog("\n"); 4442 } 4443 x = splnet(); 4444 sp->pp_auth_failures = 0; 4445 sp->pp_flags &= ~PP_NEEDAUTH; 4446 if (sp->myauth.proto == PPP_PAP && 4447 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4448 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4449 /* 4450 * We are authenticator for PAP but didn't 4451 * complete yet. Leave it to tlu to proceed 4452 * to network phase. 4453 */ 4454 splx(x); 4455 break; 4456 } 4457 splx(x); 4458 sppp_phase_network(sp); 4459 break; 4460 4461 case PAP_NAK: 4462 callout_stop(&sp->pap_my_to_ch); 4463 sp->pp_auth_failures++; 4464 if (debug) { 4465 log(LOG_INFO, "%s: pap failure", 4466 ifp->if_xname); 4467 name = 1 + (u_char *)(h + 1); 4468 name_len = name[-1]; 4469 if (len > 5 && name_len < len+4) { 4470 addlog(": "); 4471 sppp_print_string(name, name_len); 4472 } 4473 addlog("\n"); 4474 } else 4475 log(LOG_INFO, "%s: pap failure\n", 4476 ifp->if_xname); 4477 /* await LCP shutdown by authenticator */ 4478 break; 4479 4480 default: 4481 /* Unknown PAP packet type -- ignore. */ 4482 if (debug) { 4483 log(LOG_DEBUG, "%s: pap corrupted input " 4484 "<0x%x id=0x%x len=%d", 4485 ifp->if_xname, 4486 h->type, h->ident, ntohs(h->len)); 4487 if (len > 4) 4488 sppp_print_bytes((u_char *)(h + 1), len - 4); 4489 addlog(">\n"); 4490 } 4491 break; 4492 4493 } 4494 } 4495 4496 static void 4497 sppp_pap_init(struct sppp *sp) 4498 { 4499 /* PAP doesn't have STATE_INITIAL at all. */ 4500 sp->state[IDX_PAP] = STATE_CLOSED; 4501 sp->fail_counter[IDX_PAP] = 0; 4502 sp->pp_seq[IDX_PAP] = 0; 4503 sp->pp_rseq[IDX_PAP] = 0; 4504 callout_init(&sp->ch[IDX_PAP], 0); 4505 callout_init(&sp->pap_my_to_ch, 0); 4506 } 4507 4508 static void 4509 sppp_pap_open(struct sppp *sp) 4510 { 4511 if (sp->hisauth.proto == PPP_PAP && 4512 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4513 /* we are authenticator for PAP, start our timer */ 4514 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4515 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4516 } 4517 if (sp->myauth.proto == PPP_PAP) { 4518 /* we are peer, send a request, and start a timer */ 4519 pap.scr(sp); 4520 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout, 4521 sppp_pap_my_TO, sp); 4522 } 4523 } 4524 4525 static void 4526 sppp_pap_close(struct sppp *sp) 4527 { 4528 if (sp->state[IDX_PAP] != STATE_CLOSED) 4529 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4530 } 4531 4532 /* 4533 * That's the timeout routine if we are authenticator. Since the 4534 * authenticator is basically passive in PAP, we can't do much here. 4535 */ 4536 static void 4537 sppp_pap_TO(void *cookie) 4538 { 4539 struct sppp *sp = (struct sppp *)cookie; 4540 STDDCL; 4541 int s; 4542 4543 s = splnet(); 4544 if (debug) 4545 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n", 4546 ifp->if_xname, 4547 sppp_state_name(sp->state[IDX_PAP]), 4548 sp->rst_counter[IDX_PAP]); 4549 4550 if (--sp->rst_counter[IDX_PAP] < 0) 4551 /* TO- event */ 4552 switch (sp->state[IDX_PAP]) { 4553 case STATE_REQ_SENT: 4554 pap.tld(sp); 4555 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4556 break; 4557 } 4558 else 4559 /* TO+ event, not very much we could do */ 4560 switch (sp->state[IDX_PAP]) { 4561 case STATE_REQ_SENT: 4562 /* sppp_cp_change_state() will restart the timer */ 4563 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4564 break; 4565 } 4566 4567 splx(s); 4568 } 4569 4570 /* 4571 * That's the timeout handler if we are peer. Since the peer is active, 4572 * we need to retransmit our PAP request since it is apparently lost. 4573 * XXX We should impose a max counter. 4574 */ 4575 static void 4576 sppp_pap_my_TO(void *cookie) 4577 { 4578 struct sppp *sp = (struct sppp *)cookie; 4579 STDDCL; 4580 4581 if (debug) 4582 log(LOG_DEBUG, "%s: pap peer TO\n", 4583 ifp->if_xname); 4584 4585 pap.scr(sp); 4586 } 4587 4588 static void 4589 sppp_pap_tlu(struct sppp *sp) 4590 { 4591 STDDCL; 4592 int x; 4593 4594 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4595 4596 if (debug) 4597 log(LOG_DEBUG, "%s: %s tlu\n", 4598 ifp->if_xname, pap.name); 4599 4600 x = splnet(); 4601 sp->pp_auth_failures = 0; 4602 /* indicate to LCP that we need to be closed down */ 4603 sp->lcp.protos |= (1 << IDX_PAP); 4604 4605 if (sp->pp_flags & PP_NEEDAUTH) { 4606 /* 4607 * Remote is authenticator, but his auth proto didn't 4608 * complete yet. Defer the transition to network 4609 * phase. 4610 */ 4611 splx(x); 4612 return; 4613 } 4614 splx(x); 4615 sppp_phase_network(sp); 4616 } 4617 4618 static void 4619 sppp_pap_tld(struct sppp *sp) 4620 { 4621 STDDCL; 4622 4623 if (debug) 4624 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname); 4625 callout_stop(&sp->ch[IDX_PAP]); 4626 callout_stop(&sp->pap_my_to_ch); 4627 sp->lcp.protos &= ~(1 << IDX_PAP); 4628 4629 lcp.Close(sp); 4630 } 4631 4632 static void 4633 sppp_pap_scr(struct sppp *sp) 4634 { 4635 u_char idlen, pwdlen; 4636 4637 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4638 /* can't do anything useful */ 4639 printf("%s: pap starting without my name and secret being set\n", 4640 sp->pp_if.if_xname); 4641 return; 4642 } 4643 4644 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4645 pwdlen = sp->myauth.secret_len; 4646 idlen = sp->myauth.name_len; 4647 4648 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 4649 sizeof idlen, (const char *)&idlen, 4650 idlen, sp->myauth.name, 4651 sizeof pwdlen, (const char *)&pwdlen, 4652 pwdlen, sp->myauth.secret, 4653 0); 4654 } 4655 4656 /* 4657 * Random miscellaneous functions. 4658 */ 4659 4660 /* 4661 * Send a PAP or CHAP proto packet. 4662 * 4663 * Varadic function, each of the elements for the ellipsis is of type 4664 * ``size_t mlen, const u_char *msg''. Processing will stop iff 4665 * mlen == 0. 4666 * NOTE: never declare variadic functions with types subject to type 4667 * promotion (i.e. u_char). This is asking for big trouble depending 4668 * on the architecture you are on... 4669 */ 4670 4671 static void 4672 sppp_auth_send(const struct cp *cp, struct sppp *sp, 4673 unsigned int type, unsigned int id, 4674 ...) 4675 { 4676 STDDCL; 4677 struct lcp_header *lh; 4678 struct mbuf *m; 4679 u_char *p; 4680 int len; 4681 size_t pkthdrlen; 4682 unsigned int mlen; 4683 const char *msg; 4684 va_list ap; 4685 4686 MGETHDR(m, M_DONTWAIT, MT_DATA); 4687 if (! m) 4688 return; 4689 m->m_pkthdr.rcvif = 0; 4690 4691 if (sp->pp_flags & PP_NOFRAMING) { 4692 *mtod(m, uint16_t *) = htons(cp->proto); 4693 pkthdrlen = 2; 4694 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 4695 } else { 4696 struct ppp_header *h; 4697 h = mtod(m, struct ppp_header *); 4698 h->address = PPP_ALLSTATIONS; /* broadcast address */ 4699 h->control = PPP_UI; /* Unnumbered Info */ 4700 h->protocol = htons(cp->proto); 4701 pkthdrlen = PPP_HEADER_LEN; 4702 4703 lh = (struct lcp_header *)(h + 1); 4704 } 4705 4706 lh->type = type; 4707 lh->ident = id; 4708 p = (u_char *)(lh + 1); 4709 4710 va_start(ap, id); 4711 len = 0; 4712 4713 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 4714 msg = va_arg(ap, const char *); 4715 len += mlen; 4716 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 4717 va_end(ap); 4718 m_freem(m); 4719 return; 4720 } 4721 4722 memcpy(p, msg, mlen); 4723 p += mlen; 4724 } 4725 va_end(ap); 4726 4727 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 4728 lh->len = htons(LCP_HEADER_LEN + len); 4729 4730 if (debug) { 4731 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 4732 ifp->if_xname, cp->name, 4733 sppp_auth_type_name(cp->proto, lh->type), 4734 lh->ident, ntohs(lh->len)); 4735 if (len) 4736 sppp_print_bytes((u_char *)(lh + 1), len); 4737 addlog(">\n"); 4738 } 4739 if (IF_QFULL(&sp->pp_cpq)) { 4740 IF_DROP(&sp->pp_fastq); 4741 IF_DROP(&ifp->if_snd); 4742 m_freem(m); 4743 ++ifp->if_oerrors; 4744 return; 4745 } else 4746 IF_ENQUEUE(&sp->pp_cpq, m); 4747 if (! (ifp->if_flags & IFF_OACTIVE)) 4748 (*ifp->if_start)(ifp); 4749 ifp->if_obytes += m->m_pkthdr.len + 3; 4750 } 4751 4752 /* 4753 * Send keepalive packets, every 10 seconds. 4754 */ 4755 static void 4756 sppp_keepalive(void *dummy) 4757 { 4758 struct sppp *sp; 4759 int s; 4760 time_t now; 4761 4762 s = splnet(); 4763 now = time_uptime; 4764 for (sp=spppq; sp; sp=sp->pp_next) { 4765 struct ifnet *ifp = &sp->pp_if; 4766 4767 /* check idle timeout */ 4768 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 4769 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 4770 /* idle timeout is enabled for this interface */ 4771 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 4772 if (ifp->if_flags & IFF_DEBUG) 4773 printf("%s: no activity for %lu seconds\n", 4774 sp->pp_if.if_xname, 4775 (unsigned long)(now-sp->pp_last_activity)); 4776 lcp.Close(sp); 4777 continue; 4778 } 4779 } 4780 4781 /* Keepalive mode disabled or channel down? */ 4782 if (! (sp->pp_flags & PP_KEEPALIVE) || 4783 ! (ifp->if_flags & IFF_RUNNING)) 4784 continue; 4785 4786 /* No keepalive in PPP mode if LCP not opened yet. */ 4787 if (! (sp->pp_flags & PP_CISCO) && 4788 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) 4789 continue; 4790 4791 /* No echo reply, but maybe user data passed through? */ 4792 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) { 4793 sp->pp_alivecnt = 0; 4794 continue; 4795 } 4796 4797 if (sp->pp_alivecnt >= sp->pp_maxalive) { 4798 /* No keepalive packets got. Stop the interface. */ 4799 if_down (ifp); 4800 IF_PURGE(&sp->pp_cpq); 4801 if (! (sp->pp_flags & PP_CISCO)) { 4802 printf("%s: LCP keepalive timed out, going to restart the connection\n", 4803 ifp->if_xname); 4804 sp->pp_alivecnt = 0; 4805 4806 /* we are down, close all open protocols */ 4807 lcp.Close(sp); 4808 4809 /* And now prepare LCP to reestablish the link, if configured to do so. */ 4810 sppp_cp_change_state(&lcp, sp, STATE_STOPPED); 4811 4812 /* Close connection immediately, completition of this 4813 * will summon the magic needed to reestablish it. */ 4814 if (sp->pp_tlf) 4815 sp->pp_tlf(sp); 4816 continue; 4817 } 4818 } 4819 if (sp->pp_alivecnt < sp->pp_maxalive) 4820 ++sp->pp_alivecnt; 4821 if (sp->pp_flags & PP_CISCO) 4822 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 4823 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 4824 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 4825 int32_t nmagic = htonl(sp->lcp.magic); 4826 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 4827 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 4828 sp->lcp.echoid, 4, &nmagic); 4829 } 4830 } 4831 splx(s); 4832 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 4833 } 4834 4835 #ifdef INET 4836 /* 4837 * Get both IP addresses. 4838 */ 4839 static void 4840 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 4841 { 4842 struct ifnet *ifp = &sp->pp_if; 4843 struct ifaddr *ifa; 4844 struct sockaddr_in *si, *sm; 4845 uint32_t ssrc, ddst; 4846 4847 sm = NULL; 4848 ssrc = ddst = 0; 4849 /* 4850 * Pick the first AF_INET address from the list, 4851 * aliases don't make any sense on a p2p link anyway. 4852 */ 4853 si = 0; 4854 IFADDR_FOREACH(ifa, ifp) { 4855 if (ifa->ifa_addr->sa_family == AF_INET) { 4856 si = (struct sockaddr_in *)ifa->ifa_addr; 4857 sm = (struct sockaddr_in *)ifa->ifa_netmask; 4858 if (si) 4859 break; 4860 } 4861 } 4862 if (ifa) { 4863 if (si && si->sin_addr.s_addr) { 4864 ssrc = si->sin_addr.s_addr; 4865 if (srcmask) 4866 *srcmask = ntohl(sm->sin_addr.s_addr); 4867 } 4868 4869 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 4870 if (si && si->sin_addr.s_addr) 4871 ddst = si->sin_addr.s_addr; 4872 } 4873 4874 if (dst) *dst = ntohl(ddst); 4875 if (src) *src = ntohl(ssrc); 4876 } 4877 4878 /* 4879 * Set IP addresses. Must be called at splnet. 4880 * If an address is 0, leave it the way it is. 4881 */ 4882 static void 4883 sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr) 4884 { 4885 STDDCL; 4886 struct ifaddr *ifa; 4887 struct sockaddr_in *si, *dest; 4888 4889 /* 4890 * Pick the first AF_INET address from the list, 4891 * aliases don't make any sense on a p2p link anyway. 4892 */ 4893 4894 IFADDR_FOREACH(ifa, ifp) { 4895 if (ifa->ifa_addr->sa_family == AF_INET) { 4896 si = (struct sockaddr_in *)ifa->ifa_addr; 4897 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4898 goto found; 4899 } 4900 } 4901 return; 4902 4903 found: 4904 { 4905 int error; 4906 struct sockaddr_in new_sin = *si; 4907 struct sockaddr_in new_dst = *dest; 4908 4909 /* 4910 * Scrub old routes now instead of calling in_ifinit with 4911 * scrub=1, because we may change the dstaddr 4912 * before the call to in_ifinit. 4913 */ 4914 in_ifscrub(ifp, ifatoia(ifa)); 4915 4916 if (myaddr != 0) 4917 new_sin.sin_addr.s_addr = htonl(myaddr); 4918 if (hisaddr != 0) { 4919 new_dst.sin_addr.s_addr = htonl(hisaddr); 4920 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) { 4921 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 4922 *dest = new_dst; /* fix dstaddr in place */ 4923 } 4924 } 4925 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, 0); 4926 if (debug && error) 4927 { 4928 log(LOG_DEBUG, "%s: sppp_set_ip_addrs: in_ifinit " 4929 " failed, error=%d\n", ifp->if_xname, error); 4930 } 4931 #ifdef PFIL_HOOKS 4932 if (!error) 4933 (void)pfil_run_hooks(&if_pfil, 4934 (struct mbuf **)SIOCAIFADDR, ifp, PFIL_IFADDR); 4935 #endif 4936 } 4937 } 4938 4939 /* 4940 * Clear IP addresses. Must be called at splnet. 4941 */ 4942 static void 4943 sppp_clear_ip_addrs(struct sppp *sp) 4944 { 4945 struct ifnet *ifp = &sp->pp_if; 4946 struct ifaddr *ifa; 4947 struct sockaddr_in *si, *dest; 4948 4949 uint32_t remote; 4950 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4951 remote = sp->ipcp.saved_hisaddr; 4952 else 4953 sppp_get_ip_addrs(sp, 0, &remote, 0); 4954 4955 /* 4956 * Pick the first AF_INET address from the list, 4957 * aliases don't make any sense on a p2p link anyway. 4958 */ 4959 4960 IFADDR_FOREACH(ifa, ifp) { 4961 if (ifa->ifa_addr->sa_family == AF_INET) { 4962 si = (struct sockaddr_in *)ifa->ifa_addr; 4963 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4964 goto found; 4965 } 4966 } 4967 return; 4968 4969 found: 4970 { 4971 struct sockaddr_in new_sin = *si; 4972 4973 in_ifscrub(ifp, ifatoia(ifa)); 4974 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 4975 new_sin.sin_addr.s_addr = 0; 4976 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4977 /* replace peer addr in place */ 4978 dest->sin_addr.s_addr = sp->ipcp.saved_hisaddr; 4979 in_ifinit(ifp, ifatoia(ifa), &new_sin, 0); 4980 #ifdef PFIL_HOOKS 4981 (void)pfil_run_hooks(&if_pfil, 4982 (struct mbuf **)SIOCDIFADDR, ifp, PFIL_IFADDR); 4983 #endif 4984 } 4985 } 4986 #endif 4987 4988 #ifdef INET6 4989 /* 4990 * Get both IPv6 addresses. 4991 */ 4992 static void 4993 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 4994 struct in6_addr *srcmask) 4995 { 4996 struct ifnet *ifp = &sp->pp_if; 4997 struct ifaddr *ifa; 4998 struct sockaddr_in6 *si, *sm; 4999 struct in6_addr ssrc, ddst; 5000 5001 sm = NULL; 5002 memset(&ssrc, 0, sizeof(ssrc)); 5003 memset(&ddst, 0, sizeof(ddst)); 5004 /* 5005 * Pick the first link-local AF_INET6 address from the list, 5006 * aliases don't make any sense on a p2p link anyway. 5007 */ 5008 si = 0; 5009 IFADDR_FOREACH(ifa, ifp) 5010 if (ifa->ifa_addr->sa_family == AF_INET6) { 5011 si = (struct sockaddr_in6 *)ifa->ifa_addr; 5012 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 5013 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) 5014 break; 5015 } 5016 if (ifa) { 5017 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 5018 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 5019 if (srcmask) { 5020 memcpy(srcmask, &sm->sin6_addr, 5021 sizeof(*srcmask)); 5022 } 5023 } 5024 5025 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 5026 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 5027 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 5028 } 5029 5030 if (dst) 5031 memcpy(dst, &ddst, sizeof(*dst)); 5032 if (src) 5033 memcpy(src, &ssrc, sizeof(*src)); 5034 } 5035 5036 #ifdef IPV6CP_MYIFID_DYN 5037 /* 5038 * Generate random ifid. 5039 */ 5040 static void 5041 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5042 { 5043 /* TBD */ 5044 } 5045 5046 /* 5047 * Set my IPv6 address. Must be called at splnet. 5048 */ 5049 static void 5050 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5051 { 5052 STDDCL; 5053 struct ifaddr *ifa; 5054 struct sockaddr_in6 *sin6; 5055 5056 /* 5057 * Pick the first link-local AF_INET6 address from the list, 5058 * aliases don't make any sense on a p2p link anyway. 5059 */ 5060 5061 sin6 = NULL; 5062 IFADDR_FOREACH(ifa, ifp) 5063 { 5064 if (ifa->ifa_addr->sa_family == AF_INET6) 5065 { 5066 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5067 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 5068 break; 5069 } 5070 } 5071 5072 if (ifa && sin6) 5073 { 5074 int error; 5075 struct sockaddr_in6 new_sin6 = *sin6; 5076 5077 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 5078 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5079 if (debug && error) 5080 { 5081 log(LOG_DEBUG, "%s: sppp_set_ip6_addr: in6_ifinit " 5082 " failed, error=%d\n", ifp->if_xname, error); 5083 } 5084 #ifdef PFIL_HOOKS 5085 if (!error) 5086 (void)pfil_run_hooks(&if_pfil, 5087 (struct mbuf **)SIOCAIFADDR_IN6, ifp, PFIL_IFADDR); 5088 #endif 5089 } 5090 } 5091 #endif 5092 5093 /* 5094 * Suggest a candidate address to be used by peer. 5095 */ 5096 static void 5097 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5098 { 5099 struct in6_addr myaddr; 5100 struct timeval tv; 5101 5102 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5103 5104 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5105 microtime(&tv); 5106 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5107 myaddr.s6_addr[14] ^= 0xff; 5108 myaddr.s6_addr[15] ^= 0xff; 5109 } else { 5110 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5111 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5112 } 5113 if (suggest) 5114 memcpy(suggest, &myaddr, sizeof(myaddr)); 5115 } 5116 #endif /*INET6*/ 5117 5118 /* 5119 * Process ioctl requests specific to the PPP interface. 5120 * Permissions have already been checked. 5121 */ 5122 static int 5123 sppp_params(struct sppp *sp, u_long cmd, void *data) 5124 { 5125 switch (cmd) { 5126 case SPPPGETAUTHCFG: 5127 { 5128 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5129 int error; 5130 size_t len; 5131 5132 cfg->myauthflags = sp->myauth.flags; 5133 cfg->hisauthflags = sp->hisauth.flags; 5134 strncpy(cfg->ifname, sp->pp_if.if_xname, IFNAMSIZ); 5135 cfg->hisauth = 0; 5136 if (sp->hisauth.proto) 5137 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5138 cfg->myauth = 0; 5139 if (sp->myauth.proto) 5140 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5141 if (cfg->myname_length == 0) { 5142 if (sp->myauth.name != NULL) 5143 cfg->myname_length = sp->myauth.name_len + 1; 5144 } else { 5145 if (sp->myauth.name == NULL) { 5146 cfg->myname_length = 0; 5147 } else { 5148 len = sp->myauth.name_len + 1; 5149 if (cfg->myname_length < len) 5150 return (ENAMETOOLONG); 5151 error = copyout(sp->myauth.name, cfg->myname, len); 5152 if (error) return error; 5153 } 5154 } 5155 if (cfg->hisname_length == 0) { 5156 if (sp->hisauth.name != NULL) 5157 cfg->hisname_length = sp->hisauth.name_len + 1; 5158 } else { 5159 if (sp->hisauth.name == NULL) { 5160 cfg->hisname_length = 0; 5161 } else { 5162 len = sp->hisauth.name_len + 1; 5163 if (cfg->hisname_length < len) 5164 return (ENAMETOOLONG); 5165 error = copyout(sp->hisauth.name, cfg->hisname, len); 5166 if (error) return error; 5167 } 5168 } 5169 } 5170 break; 5171 case SPPPSETAUTHCFG: 5172 { 5173 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5174 int error; 5175 5176 if (sp->myauth.name) { 5177 free(sp->myauth.name, M_DEVBUF); 5178 sp->myauth.name = NULL; 5179 } 5180 if (sp->myauth.secret) { 5181 free(sp->myauth.secret, M_DEVBUF); 5182 sp->myauth.secret = NULL; 5183 } 5184 if (sp->hisauth.name) { 5185 free(sp->hisauth.name, M_DEVBUF); 5186 sp->hisauth.name = NULL; 5187 } 5188 if (sp->hisauth.secret) { 5189 free(sp->hisauth.secret, M_DEVBUF); 5190 sp->hisauth.secret = NULL; 5191 } 5192 5193 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 5194 if (cfg->hisname_length >= MCLBYTES) 5195 return (ENAMETOOLONG); 5196 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 5197 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 5198 if (error) { 5199 free(sp->hisauth.name, M_DEVBUF); 5200 sp->hisauth.name = NULL; 5201 return error; 5202 } 5203 sp->hisauth.name_len = cfg->hisname_length - 1; 5204 sp->hisauth.name[sp->hisauth.name_len] = 0; 5205 } 5206 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 5207 if (cfg->hissecret_length >= MCLBYTES) 5208 return (ENAMETOOLONG); 5209 sp->hisauth.secret = malloc(cfg->hissecret_length, M_DEVBUF, M_WAITOK); 5210 error = copyin(cfg->hissecret, sp->hisauth.secret, cfg->hissecret_length); 5211 if (error) { 5212 free(sp->hisauth.secret, M_DEVBUF); 5213 sp->hisauth.secret = NULL; 5214 return error; 5215 } 5216 sp->hisauth.secret_len = cfg->hissecret_length - 1; 5217 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 5218 } 5219 if (cfg->myname != NULL && cfg->myname_length > 0) { 5220 if (cfg->myname_length >= MCLBYTES) 5221 return (ENAMETOOLONG); 5222 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 5223 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 5224 if (error) { 5225 free(sp->myauth.name, M_DEVBUF); 5226 sp->myauth.name = NULL; 5227 return error; 5228 } 5229 sp->myauth.name_len = cfg->myname_length - 1; 5230 sp->myauth.name[sp->myauth.name_len] = 0; 5231 } 5232 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 5233 if (cfg->mysecret_length >= MCLBYTES) 5234 return (ENAMETOOLONG); 5235 sp->myauth.secret = malloc(cfg->mysecret_length, M_DEVBUF, M_WAITOK); 5236 error = copyin(cfg->mysecret, sp->myauth.secret, cfg->mysecret_length); 5237 if (error) { 5238 free(sp->myauth.secret, M_DEVBUF); 5239 sp->myauth.secret = NULL; 5240 return error; 5241 } 5242 sp->myauth.secret_len = cfg->mysecret_length - 1; 5243 sp->myauth.secret[sp->myauth.secret_len] = 0; 5244 } 5245 sp->myauth.flags = cfg->myauthflags; 5246 if (cfg->myauth) 5247 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5248 sp->hisauth.flags = cfg->hisauthflags; 5249 if (cfg->hisauth) 5250 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5251 sp->pp_auth_failures = 0; 5252 if (sp->hisauth.proto != 0) 5253 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 5254 else 5255 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 5256 } 5257 break; 5258 case SPPPGETLCPCFG: 5259 { 5260 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5261 lcpp->lcp_timeout = sp->lcp.timeout; 5262 } 5263 break; 5264 case SPPPSETLCPCFG: 5265 { 5266 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5267 sp->lcp.timeout = lcpp->lcp_timeout; 5268 } 5269 break; 5270 case SPPPGETSTATUS: 5271 { 5272 struct spppstatus *status = (struct spppstatus *)data; 5273 status->phase = sp->pp_phase; 5274 } 5275 break; 5276 case SPPPGETSTATUSNCP: 5277 { 5278 struct spppstatusncp *status = (struct spppstatusncp *)data; 5279 status->phase = sp->pp_phase; 5280 status->ncpup = sppp_ncp_check(sp); 5281 } 5282 break; 5283 case SPPPGETIDLETO: 5284 { 5285 struct spppidletimeout *to = (struct spppidletimeout *)data; 5286 to->idle_seconds = sp->pp_idle_timeout; 5287 } 5288 break; 5289 case SPPPSETIDLETO: 5290 { 5291 struct spppidletimeout *to = (struct spppidletimeout *)data; 5292 sp->pp_idle_timeout = to->idle_seconds; 5293 } 5294 break; 5295 case SPPPSETAUTHFAILURE: 5296 { 5297 struct spppauthfailuresettings *afsettings = (struct spppauthfailuresettings *)data; 5298 sp->pp_max_auth_fail = afsettings->max_failures; 5299 sp->pp_auth_failures = 0; 5300 } 5301 break; 5302 case SPPPGETAUTHFAILURES: 5303 { 5304 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 5305 stats->auth_failures = sp->pp_auth_failures; 5306 stats->max_failures = sp->pp_max_auth_fail; 5307 } 5308 break; 5309 case SPPPSETDNSOPTS: 5310 { 5311 struct spppdnssettings *req = (struct spppdnssettings *)data; 5312 sp->query_dns = req->query_dns & 3; 5313 } 5314 break; 5315 case SPPPGETDNSOPTS: 5316 { 5317 struct spppdnssettings *req = (struct spppdnssettings *)data; 5318 req->query_dns = sp->query_dns; 5319 } 5320 break; 5321 case SPPPGETDNSADDRS: 5322 { 5323 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 5324 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 5325 } 5326 break; 5327 case SPPPGETKEEPALIVE: 5328 { 5329 struct spppkeepalivesettings *settings = 5330 (struct spppkeepalivesettings*)data; 5331 settings->maxalive = sp->pp_maxalive; 5332 settings->max_noreceive = sp->pp_max_noreceive; 5333 } 5334 break; 5335 case SPPPSETKEEPALIVE: 5336 { 5337 struct spppkeepalivesettings *settings = 5338 (struct spppkeepalivesettings*)data; 5339 sp->pp_maxalive = settings->maxalive; 5340 sp->pp_max_noreceive = settings->max_noreceive; 5341 } 5342 break; 5343 #if defined(COMPAT_50) || defined(MODULAR) 5344 case __SPPPGETIDLETO50: 5345 { 5346 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5347 to->idle_seconds = (uint32_t)sp->pp_idle_timeout; 5348 } 5349 break; 5350 case __SPPPSETIDLETO50: 5351 { 5352 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5353 sp->pp_idle_timeout = (time_t)to->idle_seconds; 5354 } 5355 break; 5356 case __SPPPGETKEEPALIVE50: 5357 { 5358 struct spppkeepalivesettings50 *settings = 5359 (struct spppkeepalivesettings50*)data; 5360 settings->maxalive = sp->pp_maxalive; 5361 settings->max_noreceive = (uint32_t)sp->pp_max_noreceive; 5362 } 5363 break; 5364 case __SPPPSETKEEPALIVE50: 5365 { 5366 struct spppkeepalivesettings50 *settings = 5367 (struct spppkeepalivesettings50*)data; 5368 sp->pp_maxalive = settings->maxalive; 5369 sp->pp_max_noreceive = (time_t)settings->max_noreceive; 5370 } 5371 break; 5372 #endif /* COMPAT_50 || MODULAR */ 5373 default: 5374 return (EINVAL); 5375 } 5376 5377 return (0); 5378 } 5379 5380 static void 5381 sppp_phase_network(struct sppp *sp) 5382 { 5383 STDDCL; 5384 int i; 5385 uint32_t mask; 5386 5387 sp->pp_phase = SPPP_PHASE_NETWORK; 5388 5389 if (debug) 5390 { 5391 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 5392 sppp_phase_name(sp->pp_phase)); 5393 } 5394 5395 /* Notify NCPs now. */ 5396 for (i = 0; i < IDX_COUNT; i++) 5397 if ((cps[i])->flags & CP_NCP) 5398 (cps[i])->Open(sp); 5399 5400 /* Send Up events to all NCPs. */ 5401 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5402 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) 5403 (cps[i])->Up(sp); 5404 5405 /* if no NCP is starting, all this was in vain, close down */ 5406 sppp_lcp_check_and_close(sp); 5407 } 5408 5409 5410 static const char * 5411 sppp_cp_type_name(u_char type) 5412 { 5413 static char buf[12]; 5414 switch (type) { 5415 case CONF_REQ: return "conf-req"; 5416 case CONF_ACK: return "conf-ack"; 5417 case CONF_NAK: return "conf-nak"; 5418 case CONF_REJ: return "conf-rej"; 5419 case TERM_REQ: return "term-req"; 5420 case TERM_ACK: return "term-ack"; 5421 case CODE_REJ: return "code-rej"; 5422 case PROTO_REJ: return "proto-rej"; 5423 case ECHO_REQ: return "echo-req"; 5424 case ECHO_REPLY: return "echo-reply"; 5425 case DISC_REQ: return "discard-req"; 5426 } 5427 snprintf(buf, sizeof(buf), "0x%x", type); 5428 return buf; 5429 } 5430 5431 static const char * 5432 sppp_auth_type_name(u_short proto, u_char type) 5433 { 5434 static char buf[12]; 5435 switch (proto) { 5436 case PPP_CHAP: 5437 switch (type) { 5438 case CHAP_CHALLENGE: return "challenge"; 5439 case CHAP_RESPONSE: return "response"; 5440 case CHAP_SUCCESS: return "success"; 5441 case CHAP_FAILURE: return "failure"; 5442 } 5443 case PPP_PAP: 5444 switch (type) { 5445 case PAP_REQ: return "req"; 5446 case PAP_ACK: return "ack"; 5447 case PAP_NAK: return "nak"; 5448 } 5449 } 5450 snprintf(buf, sizeof(buf), "0x%x", type); 5451 return buf; 5452 } 5453 5454 static const char * 5455 sppp_lcp_opt_name(u_char opt) 5456 { 5457 static char buf[12]; 5458 switch (opt) { 5459 case LCP_OPT_MRU: return "mru"; 5460 case LCP_OPT_ASYNC_MAP: return "async-map"; 5461 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 5462 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 5463 case LCP_OPT_MAGIC: return "magic"; 5464 case LCP_OPT_PROTO_COMP: return "proto-comp"; 5465 case LCP_OPT_ADDR_COMP: return "addr-comp"; 5466 } 5467 snprintf(buf, sizeof(buf), "0x%x", opt); 5468 return buf; 5469 } 5470 5471 static const char * 5472 sppp_ipcp_opt_name(u_char opt) 5473 { 5474 static char buf[12]; 5475 switch (opt) { 5476 case IPCP_OPT_ADDRESSES: return "addresses"; 5477 case IPCP_OPT_COMPRESSION: return "compression"; 5478 case IPCP_OPT_ADDRESS: return "address"; 5479 } 5480 snprintf(buf, sizeof(buf), "0x%x", opt); 5481 return buf; 5482 } 5483 5484 #ifdef INET6 5485 static const char * 5486 sppp_ipv6cp_opt_name(u_char opt) 5487 { 5488 static char buf[12]; 5489 switch (opt) { 5490 case IPV6CP_OPT_IFID: return "ifid"; 5491 case IPV6CP_OPT_COMPRESSION: return "compression"; 5492 } 5493 snprintf(buf, sizeof(buf), "0x%x", opt); 5494 return buf; 5495 } 5496 #endif 5497 5498 static const char * 5499 sppp_state_name(int state) 5500 { 5501 switch (state) { 5502 case STATE_INITIAL: return "initial"; 5503 case STATE_STARTING: return "starting"; 5504 case STATE_CLOSED: return "closed"; 5505 case STATE_STOPPED: return "stopped"; 5506 case STATE_CLOSING: return "closing"; 5507 case STATE_STOPPING: return "stopping"; 5508 case STATE_REQ_SENT: return "req-sent"; 5509 case STATE_ACK_RCVD: return "ack-rcvd"; 5510 case STATE_ACK_SENT: return "ack-sent"; 5511 case STATE_OPENED: return "opened"; 5512 } 5513 return "illegal"; 5514 } 5515 5516 static const char * 5517 sppp_phase_name(int phase) 5518 { 5519 switch (phase) { 5520 case SPPP_PHASE_DEAD: return "dead"; 5521 case SPPP_PHASE_ESTABLISH: return "establish"; 5522 case SPPP_PHASE_TERMINATE: return "terminate"; 5523 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 5524 case SPPP_PHASE_NETWORK: return "network"; 5525 } 5526 return "illegal"; 5527 } 5528 5529 static const char * 5530 sppp_proto_name(u_short proto) 5531 { 5532 static char buf[12]; 5533 switch (proto) { 5534 case PPP_LCP: return "lcp"; 5535 case PPP_IPCP: return "ipcp"; 5536 case PPP_PAP: return "pap"; 5537 case PPP_CHAP: return "chap"; 5538 case PPP_IPV6CP: return "ipv6cp"; 5539 } 5540 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto); 5541 return buf; 5542 } 5543 5544 static void 5545 sppp_print_bytes(const u_char *p, u_short len) 5546 { 5547 addlog(" %02x", *p++); 5548 while (--len > 0) 5549 addlog("-%02x", *p++); 5550 } 5551 5552 static void 5553 sppp_print_string(const char *p, u_short len) 5554 { 5555 u_char c; 5556 5557 while (len-- > 0) { 5558 c = *p++; 5559 /* 5560 * Print only ASCII chars directly. RFC 1994 recommends 5561 * using only them, but we don't rely on it. */ 5562 if (c < ' ' || c > '~') 5563 addlog("\\x%x", c); 5564 else 5565 addlog("%c", c); 5566 } 5567 } 5568 5569 static const char * 5570 sppp_dotted_quad(uint32_t addr) 5571 { 5572 static char s[16]; 5573 snprintf(s, sizeof(s), "%d.%d.%d.%d", 5574 (int)((addr >> 24) & 0xff), 5575 (int)((addr >> 16) & 0xff), 5576 (int)((addr >> 8) & 0xff), 5577 (int)(addr & 0xff)); 5578 return s; 5579 } 5580 5581 /* a dummy, used to drop uninteresting events */ 5582 static void 5583 sppp_null(struct sppp *unused) 5584 { 5585 /* do just nothing */ 5586 } 5587 /* 5588 * This file is large. Tell emacs to highlight it nevertheless. 5589 * 5590 * Local Variables: 5591 * hilit-auto-highlight-maxout: 120000 5592 * End: 5593 */ 5594