if_spppsubr.c revision 1.131.2.6
1 /* $NetBSD: if_spppsubr.c,v 1.131.2.6 2016/10/05 20:56:08 skrll Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak (at) cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun (at) iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.131.2.6 2016/10/05 20:56:08 skrll Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_modular.h" 49 #include "opt_compat_netbsd.h" 50 #endif 51 52 53 #include <sys/param.h> 54 #include <sys/proc.h> 55 #include <sys/systm.h> 56 #include <sys/kernel.h> 57 #include <sys/sockio.h> 58 #include <sys/socket.h> 59 #include <sys/syslog.h> 60 #include <sys/malloc.h> 61 #include <sys/mbuf.h> 62 #include <sys/callout.h> 63 #include <sys/md5.h> 64 #include <sys/inttypes.h> 65 #include <sys/kauth.h> 66 #include <sys/cprng.h> 67 #include <sys/module.h> 68 69 #include <net/if.h> 70 #include <net/netisr.h> 71 #include <net/if_types.h> 72 #include <net/route.h> 73 #include <net/ppp_defs.h> 74 75 #include <netinet/in.h> 76 #include <netinet/in_systm.h> 77 #include <netinet/in_var.h> 78 #ifdef INET 79 #include <netinet/ip.h> 80 #include <netinet/tcp.h> 81 #endif 82 #include <net/ethertypes.h> 83 84 #ifdef INET6 85 #include <netinet6/scope6_var.h> 86 #endif 87 88 #include <net/if_sppp.h> 89 #include <net/if_spppvar.h> 90 91 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 92 #define LOOPALIVECNT 3 /* loopback detection tries */ 93 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 94 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 95 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 96 97 /* 98 * Interface flags that can be set in an ifconfig command. 99 * 100 * Setting link0 will make the link passive, i.e. it will be marked 101 * as being administrative openable, but won't be opened to begin 102 * with. Incoming calls will be answered, or subsequent calls with 103 * -link1 will cause the administrative open of the LCP layer. 104 * 105 * Setting link1 will cause the link to auto-dial only as packets 106 * arrive to be sent. 107 * 108 * Setting IFF_DEBUG will syslog the option negotiation and state 109 * transitions at level kern.debug. Note: all logs consistently look 110 * like 111 * 112 * <if-name><unit>: <proto-name> <additional info...> 113 * 114 * with <if-name><unit> being something like "bppp0", and <proto-name> 115 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 116 */ 117 118 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 119 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 120 121 #define CONF_REQ 1 /* PPP configure request */ 122 #define CONF_ACK 2 /* PPP configure acknowledge */ 123 #define CONF_NAK 3 /* PPP configure negative ack */ 124 #define CONF_REJ 4 /* PPP configure reject */ 125 #define TERM_REQ 5 /* PPP terminate request */ 126 #define TERM_ACK 6 /* PPP terminate acknowledge */ 127 #define CODE_REJ 7 /* PPP code reject */ 128 #define PROTO_REJ 8 /* PPP protocol reject */ 129 #define ECHO_REQ 9 /* PPP echo request */ 130 #define ECHO_REPLY 10 /* PPP echo reply */ 131 #define DISC_REQ 11 /* PPP discard request */ 132 133 #define LCP_OPT_MRU 1 /* maximum receive unit */ 134 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 135 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 136 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 137 #define LCP_OPT_MAGIC 5 /* magic number */ 138 #define LCP_OPT_RESERVED 6 /* reserved */ 139 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 140 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 141 142 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 143 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 144 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 145 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 146 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 147 148 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 149 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 150 151 #define PAP_REQ 1 /* PAP name/password request */ 152 #define PAP_ACK 2 /* PAP acknowledge */ 153 #define PAP_NAK 3 /* PAP fail */ 154 155 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 156 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 157 #define CHAP_SUCCESS 3 /* CHAP response ok */ 158 #define CHAP_FAILURE 4 /* CHAP response failed */ 159 160 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 161 162 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 163 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 164 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 165 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 166 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 167 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 168 169 /* states are named and numbered according to RFC 1661 */ 170 #define STATE_INITIAL 0 171 #define STATE_STARTING 1 172 #define STATE_CLOSED 2 173 #define STATE_STOPPED 3 174 #define STATE_CLOSING 4 175 #define STATE_STOPPING 5 176 #define STATE_REQ_SENT 6 177 #define STATE_ACK_RCVD 7 178 #define STATE_ACK_SENT 8 179 #define STATE_OPENED 9 180 181 struct ppp_header { 182 uint8_t address; 183 uint8_t control; 184 uint16_t protocol; 185 } __packed; 186 #define PPP_HEADER_LEN sizeof (struct ppp_header) 187 188 struct lcp_header { 189 uint8_t type; 190 uint8_t ident; 191 uint16_t len; 192 } __packed; 193 #define LCP_HEADER_LEN sizeof (struct lcp_header) 194 195 struct cisco_packet { 196 uint32_t type; 197 uint32_t par1; 198 uint32_t par2; 199 uint16_t rel; 200 uint16_t time0; 201 uint16_t time1; 202 } __packed; 203 #define CISCO_PACKET_LEN 18 204 205 /* 206 * We follow the spelling and capitalization of RFC 1661 here, to make 207 * it easier comparing with the standard. Please refer to this RFC in 208 * case you can't make sense out of these abbreviation; it will also 209 * explain the semantics related to the various events and actions. 210 */ 211 struct cp { 212 u_short proto; /* PPP control protocol number */ 213 u_char protoidx; /* index into state table in struct sppp */ 214 u_char flags; 215 #define CP_LCP 0x01 /* this is the LCP */ 216 #define CP_AUTH 0x02 /* this is an authentication protocol */ 217 #define CP_NCP 0x04 /* this is a NCP */ 218 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 219 const char *name; /* name of this control protocol */ 220 /* event handlers */ 221 void (*Up)(struct sppp *sp); 222 void (*Down)(struct sppp *sp); 223 void (*Open)(struct sppp *sp); 224 void (*Close)(struct sppp *sp); 225 void (*TO)(void *sp); 226 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 227 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 228 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 229 /* actions */ 230 void (*tlu)(struct sppp *sp); 231 void (*tld)(struct sppp *sp); 232 void (*tls)(struct sppp *sp); 233 void (*tlf)(struct sppp *sp); 234 void (*scr)(struct sppp *sp); 235 }; 236 237 static struct sppp *spppq; 238 static callout_t keepalive_ch; 239 240 #ifdef INET 241 /* 242 * The following disgusting hack gets around the problem that IP TOS 243 * can't be set yet. We want to put "interactive" traffic on a high 244 * priority queue. To decide if traffic is interactive, we check that 245 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 246 * 247 * XXX is this really still necessary? - joerg - 248 */ 249 static u_short interactive_ports[8] = { 250 0, 513, 0, 0, 251 0, 21, 0, 23, 252 }; 253 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 254 #endif 255 256 /* almost every function needs these */ 257 #define STDDCL \ 258 struct ifnet *ifp = &sp->pp_if; \ 259 int debug = ifp->if_flags & IFF_DEBUG 260 261 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 262 const struct sockaddr *dst, const struct rtentry *rt); 263 264 static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2); 265 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 266 267 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 268 struct mbuf *m); 269 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 270 u_char ident, u_short len, void *data); 271 /* static void sppp_cp_timeout(void *arg); */ 272 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 273 int newstate); 274 static void sppp_auth_send(const struct cp *cp, 275 struct sppp *sp, unsigned int type, unsigned int id, 276 ...); 277 278 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 279 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 280 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 281 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 282 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 283 284 static void sppp_null(struct sppp *sp); 285 286 static void sppp_lcp_init(struct sppp *sp); 287 static void sppp_lcp_up(struct sppp *sp); 288 static void sppp_lcp_down(struct sppp *sp); 289 static void sppp_lcp_open(struct sppp *sp); 290 static void sppp_lcp_close(struct sppp *sp); 291 static void sppp_lcp_TO(void *sp); 292 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 293 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 294 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 295 static void sppp_lcp_tlu(struct sppp *sp); 296 static void sppp_lcp_tld(struct sppp *sp); 297 static void sppp_lcp_tls(struct sppp *sp); 298 static void sppp_lcp_tlf(struct sppp *sp); 299 static void sppp_lcp_scr(struct sppp *sp); 300 static void sppp_lcp_check_and_close(struct sppp *sp); 301 static int sppp_ncp_check(struct sppp *sp); 302 303 static void sppp_ipcp_init(struct sppp *sp); 304 static void sppp_ipcp_up(struct sppp *sp); 305 static void sppp_ipcp_down(struct sppp *sp); 306 static void sppp_ipcp_open(struct sppp *sp); 307 static void sppp_ipcp_close(struct sppp *sp); 308 static void sppp_ipcp_TO(void *sp); 309 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 310 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 311 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 312 static void sppp_ipcp_tlu(struct sppp *sp); 313 static void sppp_ipcp_tld(struct sppp *sp); 314 static void sppp_ipcp_tls(struct sppp *sp); 315 static void sppp_ipcp_tlf(struct sppp *sp); 316 static void sppp_ipcp_scr(struct sppp *sp); 317 318 static void sppp_ipv6cp_init(struct sppp *sp); 319 static void sppp_ipv6cp_up(struct sppp *sp); 320 static void sppp_ipv6cp_down(struct sppp *sp); 321 static void sppp_ipv6cp_open(struct sppp *sp); 322 static void sppp_ipv6cp_close(struct sppp *sp); 323 static void sppp_ipv6cp_TO(void *sp); 324 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 325 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 326 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 327 static void sppp_ipv6cp_tlu(struct sppp *sp); 328 static void sppp_ipv6cp_tld(struct sppp *sp); 329 static void sppp_ipv6cp_tls(struct sppp *sp); 330 static void sppp_ipv6cp_tlf(struct sppp *sp); 331 static void sppp_ipv6cp_scr(struct sppp *sp); 332 333 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 334 static void sppp_pap_init(struct sppp *sp); 335 static void sppp_pap_open(struct sppp *sp); 336 static void sppp_pap_close(struct sppp *sp); 337 static void sppp_pap_TO(void *sp); 338 static void sppp_pap_my_TO(void *sp); 339 static void sppp_pap_tlu(struct sppp *sp); 340 static void sppp_pap_tld(struct sppp *sp); 341 static void sppp_pap_scr(struct sppp *sp); 342 343 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 344 static void sppp_chap_init(struct sppp *sp); 345 static void sppp_chap_open(struct sppp *sp); 346 static void sppp_chap_close(struct sppp *sp); 347 static void sppp_chap_TO(void *sp); 348 static void sppp_chap_tlu(struct sppp *sp); 349 static void sppp_chap_tld(struct sppp *sp); 350 static void sppp_chap_scr(struct sppp *sp); 351 352 static const char *sppp_auth_type_name(u_short proto, u_char type); 353 static const char *sppp_cp_type_name(u_char type); 354 static const char *sppp_dotted_quad(uint32_t addr); 355 static const char *sppp_ipcp_opt_name(u_char opt); 356 #ifdef INET6 357 static const char *sppp_ipv6cp_opt_name(u_char opt); 358 #endif 359 static const char *sppp_lcp_opt_name(u_char opt); 360 static const char *sppp_phase_name(int phase); 361 static const char *sppp_proto_name(u_short proto); 362 static const char *sppp_state_name(int state); 363 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 364 #ifdef INET 365 static void sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, 366 uint32_t *srcmask); 367 static void sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr); 368 static void sppp_clear_ip_addrs(struct sppp *sp); 369 #endif 370 static void sppp_keepalive(void *dummy); 371 static void sppp_phase_network(struct sppp *sp); 372 static void sppp_print_bytes(const u_char *p, u_short len); 373 static void sppp_print_string(const char *p, u_short len); 374 #ifdef INET6 375 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 376 struct in6_addr *dst, struct in6_addr *srcmask); 377 #ifdef IPV6CP_MYIFID_DYN 378 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 379 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 380 #endif 381 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 382 #endif 383 384 /* our control protocol descriptors */ 385 static const struct cp lcp = { 386 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 387 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 388 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 389 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 390 sppp_lcp_scr 391 }; 392 393 static const struct cp ipcp = { 394 PPP_IPCP, IDX_IPCP, 395 #ifdef INET 396 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 397 #else 398 0, 399 #endif 400 "ipcp", 401 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 402 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 403 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 404 sppp_ipcp_scr 405 }; 406 407 static const struct cp ipv6cp = { 408 PPP_IPV6CP, IDX_IPV6CP, 409 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 410 CP_NCP, 411 #else 412 0, 413 #endif 414 "ipv6cp", 415 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 416 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 417 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 418 sppp_ipv6cp_scr 419 }; 420 421 static const struct cp pap = { 422 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 423 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 424 sppp_pap_TO, 0, 0, 0, 425 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 426 sppp_pap_scr 427 }; 428 429 static const struct cp chap = { 430 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 431 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 432 sppp_chap_TO, 0, 0, 0, 433 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 434 sppp_chap_scr 435 }; 436 437 static const struct cp *cps[IDX_COUNT] = { 438 &lcp, /* IDX_LCP */ 439 &ipcp, /* IDX_IPCP */ 440 &ipv6cp, /* IDX_IPV6CP */ 441 &pap, /* IDX_PAP */ 442 &chap, /* IDX_CHAP */ 443 }; 444 445 static void 446 sppp_change_phase(struct sppp *sp, int phase) 447 { 448 STDDCL; 449 450 if (sp->pp_phase == phase) 451 return; 452 453 sp->pp_phase = phase; 454 455 if (phase == SPPP_PHASE_NETWORK) 456 if_link_state_change(ifp, LINK_STATE_UP); 457 else 458 if_link_state_change(ifp, LINK_STATE_DOWN); 459 460 if (debug) 461 { 462 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 463 sppp_phase_name(sp->pp_phase)); 464 } 465 } 466 467 /* 468 * Exported functions, comprising our interface to the lower layer. 469 */ 470 471 /* 472 * Process the received packet. 473 */ 474 void 475 sppp_input(struct ifnet *ifp, struct mbuf *m) 476 { 477 struct ppp_header *h = NULL; 478 pktqueue_t *pktq = NULL; 479 struct ifqueue *inq = NULL; 480 uint16_t protocol; 481 struct sppp *sp = (struct sppp *)ifp; 482 int debug = ifp->if_flags & IFF_DEBUG; 483 int isr = 0; 484 485 if (ifp->if_flags & IFF_UP) { 486 /* Count received bytes, add hardware framing */ 487 ifp->if_ibytes += m->m_pkthdr.len + sp->pp_framebytes; 488 /* Note time of last receive */ 489 sp->pp_last_receive = time_uptime; 490 } 491 492 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 493 /* Too small packet, drop it. */ 494 if (debug) 495 log(LOG_DEBUG, 496 "%s: input packet is too small, %d bytes\n", 497 ifp->if_xname, m->m_pkthdr.len); 498 drop: 499 ++ifp->if_ierrors; 500 ++ifp->if_iqdrops; 501 m_freem(m); 502 return; 503 } 504 505 if (sp->pp_flags & PP_NOFRAMING) { 506 memcpy(&protocol, mtod(m, void *), 2); 507 protocol = ntohs(protocol); 508 m_adj(m, 2); 509 } else { 510 511 /* Get PPP header. */ 512 h = mtod(m, struct ppp_header *); 513 m_adj(m, PPP_HEADER_LEN); 514 515 switch (h->address) { 516 case PPP_ALLSTATIONS: 517 if (h->control != PPP_UI) 518 goto invalid; 519 if (sp->pp_flags & PP_CISCO) { 520 if (debug) 521 log(LOG_DEBUG, 522 "%s: PPP packet in Cisco mode " 523 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 524 ifp->if_xname, 525 h->address, h->control, ntohs(h->protocol)); 526 goto drop; 527 } 528 break; 529 case CISCO_MULTICAST: 530 case CISCO_UNICAST: 531 /* Don't check the control field here (RFC 1547). */ 532 if (! (sp->pp_flags & PP_CISCO)) { 533 if (debug) 534 log(LOG_DEBUG, 535 "%s: Cisco packet in PPP mode " 536 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 537 ifp->if_xname, 538 h->address, h->control, ntohs(h->protocol)); 539 goto drop; 540 } 541 switch (ntohs(h->protocol)) { 542 default: 543 ++ifp->if_noproto; 544 goto invalid; 545 case CISCO_KEEPALIVE: 546 sppp_cisco_input((struct sppp *) ifp, m); 547 m_freem(m); 548 return; 549 #ifdef INET 550 case ETHERTYPE_IP: 551 pktq = ip_pktq; 552 break; 553 #endif 554 #ifdef INET6 555 case ETHERTYPE_IPV6: 556 pktq = ip6_pktq; 557 break; 558 #endif 559 } 560 goto queue_pkt; 561 default: /* Invalid PPP packet. */ 562 invalid: 563 if (debug) 564 log(LOG_DEBUG, 565 "%s: invalid input packet " 566 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 567 ifp->if_xname, 568 h->address, h->control, ntohs(h->protocol)); 569 goto drop; 570 } 571 protocol = ntohs(h->protocol); 572 } 573 574 switch (protocol) { 575 default: 576 if (sp->state[IDX_LCP] == STATE_OPENED) { 577 uint16_t prot = htons(protocol); 578 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 579 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 580 &prot); 581 } 582 if (debug) 583 log(LOG_DEBUG, 584 "%s: invalid input protocol " 585 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol)); 586 ++ifp->if_noproto; 587 goto drop; 588 case PPP_LCP: 589 sppp_cp_input(&lcp, sp, m); 590 m_freem(m); 591 return; 592 case PPP_PAP: 593 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 594 sppp_pap_input(sp, m); 595 m_freem(m); 596 return; 597 case PPP_CHAP: 598 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 599 sppp_chap_input(sp, m); 600 m_freem(m); 601 return; 602 #ifdef INET 603 case PPP_IPCP: 604 if (sp->pp_phase == SPPP_PHASE_NETWORK) 605 sppp_cp_input(&ipcp, sp, m); 606 m_freem(m); 607 return; 608 case PPP_IP: 609 if (sp->state[IDX_IPCP] == STATE_OPENED) { 610 sp->pp_last_activity = time_uptime; 611 pktq = ip_pktq; 612 } 613 break; 614 #endif 615 #ifdef INET6 616 case PPP_IPV6CP: 617 if (sp->pp_phase == SPPP_PHASE_NETWORK) 618 sppp_cp_input(&ipv6cp, sp, m); 619 m_freem(m); 620 return; 621 622 case PPP_IPV6: 623 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 624 sp->pp_last_activity = time_uptime; 625 pktq = ip6_pktq; 626 } 627 break; 628 #endif 629 } 630 631 queue_pkt: 632 if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) { 633 goto drop; 634 } 635 636 /* Check queue. */ 637 if (__predict_true(pktq)) { 638 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 639 goto drop; 640 } 641 return; 642 } 643 644 IFQ_LOCK(inq); 645 if (IF_QFULL(inq)) { 646 /* Queue overflow. */ 647 IF_DROP(inq); 648 IFQ_UNLOCK(inq); 649 if (debug) 650 log(LOG_DEBUG, "%s: protocol queue overflow\n", 651 ifp->if_xname); 652 goto drop; 653 } 654 IF_ENQUEUE(inq, m); 655 IFQ_UNLOCK(inq); 656 schednetisr(isr); 657 } 658 659 /* 660 * Enqueue transmit packet. 661 */ 662 static int 663 sppp_output(struct ifnet *ifp, struct mbuf *m, 664 const struct sockaddr *dst, const struct rtentry *rt) 665 { 666 struct sppp *sp = (struct sppp *) ifp; 667 struct ppp_header *h = NULL; 668 struct ifqueue *ifq = NULL; /* XXX */ 669 int s, error = 0; 670 uint16_t protocol; 671 672 s = splnet(); 673 674 sp->pp_last_activity = time_uptime; 675 676 if ((ifp->if_flags & IFF_UP) == 0 || 677 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 678 m_freem(m); 679 splx(s); 680 return (ENETDOWN); 681 } 682 683 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 684 /* 685 * Interface is not yet running, but auto-dial. Need 686 * to start LCP for it. 687 */ 688 ifp->if_flags |= IFF_RUNNING; 689 splx(s); 690 lcp.Open(sp); 691 s = splnet(); 692 } 693 694 /* 695 * If the queueing discipline needs packet classification, 696 * do it before prepending link headers. 697 */ 698 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family); 699 700 #ifdef INET 701 if (dst->sa_family == AF_INET) { 702 struct ip *ip = NULL; 703 struct tcphdr *th = NULL; 704 705 if (m->m_len >= sizeof(struct ip)) { 706 ip = mtod(m, struct ip *); 707 if (ip->ip_p == IPPROTO_TCP && 708 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 709 sizeof(struct tcphdr)) { 710 th = (struct tcphdr *) 711 ((char *)ip + (ip->ip_hl << 2)); 712 } 713 } else 714 ip = NULL; 715 716 /* 717 * When using dynamic local IP address assignment by using 718 * 0.0.0.0 as a local address, the first TCP session will 719 * not connect because the local TCP checksum is computed 720 * using 0.0.0.0 which will later become our real IP address 721 * so the TCP checksum computed at the remote end will 722 * become invalid. So we 723 * - don't let packets with src ip addr 0 thru 724 * - we flag TCP packets with src ip 0 as an error 725 */ 726 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 727 uint8_t proto = ip->ip_p; 728 729 m_freem(m); 730 splx(s); 731 if (proto == IPPROTO_TCP) 732 return (EADDRNOTAVAIL); 733 else 734 return (0); 735 } 736 737 /* 738 * Put low delay, telnet, rlogin and ftp control packets 739 * in front of the queue. 740 */ 741 742 if (!IF_QFULL(&sp->pp_fastq) && 743 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 744 (th && (INTERACTIVE(ntohs(th->th_sport)) || 745 INTERACTIVE(ntohs(th->th_dport)))))) 746 ifq = &sp->pp_fastq; 747 } 748 #endif 749 750 #ifdef INET6 751 if (dst->sa_family == AF_INET6) { 752 /* XXX do something tricky here? */ 753 } 754 #endif 755 756 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 757 /* 758 * Prepend general data packet PPP header. For now, IP only. 759 */ 760 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 761 if (! m) { 762 if (ifp->if_flags & IFF_DEBUG) 763 log(LOG_DEBUG, "%s: no memory for transmit header\n", 764 ifp->if_xname); 765 ++ifp->if_oerrors; 766 splx(s); 767 return (ENOBUFS); 768 } 769 /* 770 * May want to check size of packet 771 * (albeit due to the implementation it's always enough) 772 */ 773 h = mtod(m, struct ppp_header *); 774 if (sp->pp_flags & PP_CISCO) { 775 h->address = CISCO_UNICAST; /* unicast address */ 776 h->control = 0; 777 } else { 778 h->address = PPP_ALLSTATIONS; /* broadcast address */ 779 h->control = PPP_UI; /* Unnumbered Info */ 780 } 781 } 782 783 switch (dst->sa_family) { 784 #ifdef INET 785 case AF_INET: /* Internet Protocol */ 786 if (sp->pp_flags & PP_CISCO) 787 protocol = htons(ETHERTYPE_IP); 788 else { 789 /* 790 * Don't choke with an ENETDOWN early. It's 791 * possible that we just started dialing out, 792 * so don't drop the packet immediately. If 793 * we notice that we run out of buffer space 794 * below, we will however remember that we are 795 * not ready to carry IP packets, and return 796 * ENETDOWN, as opposed to ENOBUFS. 797 */ 798 protocol = htons(PPP_IP); 799 if (sp->state[IDX_IPCP] != STATE_OPENED) 800 error = ENETDOWN; 801 } 802 break; 803 #endif 804 #ifdef INET6 805 case AF_INET6: /* Internet Protocol version 6 */ 806 if (sp->pp_flags & PP_CISCO) 807 protocol = htons(ETHERTYPE_IPV6); 808 else { 809 /* 810 * Don't choke with an ENETDOWN early. It's 811 * possible that we just started dialing out, 812 * so don't drop the packet immediately. If 813 * we notice that we run out of buffer space 814 * below, we will however remember that we are 815 * not ready to carry IP packets, and return 816 * ENETDOWN, as opposed to ENOBUFS. 817 */ 818 protocol = htons(PPP_IPV6); 819 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 820 error = ENETDOWN; 821 } 822 break; 823 #endif 824 default: 825 m_freem(m); 826 ++ifp->if_oerrors; 827 splx(s); 828 return (EAFNOSUPPORT); 829 } 830 831 if (sp->pp_flags & PP_NOFRAMING) { 832 M_PREPEND(m, 2, M_DONTWAIT); 833 if (m == NULL) { 834 if (ifp->if_flags & IFF_DEBUG) 835 log(LOG_DEBUG, "%s: no memory for transmit header\n", 836 ifp->if_xname); 837 ++ifp->if_oerrors; 838 splx(s); 839 return (ENOBUFS); 840 } 841 *mtod(m, uint16_t *) = protocol; 842 } else { 843 h->protocol = protocol; 844 } 845 846 847 error = ifq_enqueue2(ifp, ifq, m); 848 849 if (error == 0) { 850 /* 851 * Count output packets and bytes. 852 * The packet length includes header + additional hardware 853 * framing according to RFC 1333. 854 */ 855 if (!(ifp->if_flags & IFF_OACTIVE)) 856 if_start_lock(ifp); 857 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 858 } 859 splx(s); 860 return error; 861 } 862 863 static int 864 sppp_mediachange(struct ifnet *ifp) 865 { 866 867 return (0); 868 } 869 870 static void 871 sppp_mediastatus(struct ifnet *ifp, struct ifmediareq *imr) 872 { 873 874 switch (ifp->if_link_state) { 875 case LINK_STATE_UP: 876 imr->ifm_status = IFM_AVALID | IFM_ACTIVE; 877 break; 878 case LINK_STATE_DOWN: 879 imr->ifm_status = IFM_AVALID; 880 break; 881 default: 882 /* Should be impossible as we set link state down in attach. */ 883 imr->ifm_status = 0; 884 break; 885 } 886 } 887 888 void 889 sppp_attach(struct ifnet *ifp) 890 { 891 struct sppp *sp = (struct sppp *) ifp; 892 893 /* Initialize keepalive handler. */ 894 if (! spppq) { 895 callout_init(&keepalive_ch, 0); 896 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 897 } 898 899 /* Insert new entry into the keepalive list. */ 900 sp->pp_next = spppq; 901 spppq = sp; 902 903 sp->pp_if.if_type = IFT_PPP; 904 sp->pp_if.if_output = sppp_output; 905 sp->pp_fastq.ifq_maxlen = 32; 906 sp->pp_cpq.ifq_maxlen = 20; 907 sp->pp_loopcnt = 0; 908 sp->pp_alivecnt = 0; 909 sp->pp_last_activity = 0; 910 sp->pp_last_receive = 0; 911 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 912 sp->pp_max_noreceive = DEFAULT_NORECV_TIME; 913 sp->pp_idle_timeout = 0; 914 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq)); 915 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq)); 916 sp->pp_auth_failures = 0; 917 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 918 sp->pp_phase = SPPP_PHASE_DEAD; 919 sp->pp_up = lcp.Up; 920 sp->pp_down = lcp.Down; 921 922 if_alloc_sadl(ifp); 923 924 /* Lets not beat about the bush, we know we're down. */ 925 ifp->if_link_state = LINK_STATE_DOWN; 926 /* There is no media for PPP, but it's needed to report link status. */ 927 ifmedia_init(&sp->pp_im, 0, sppp_mediachange, sppp_mediastatus); 928 929 memset(&sp->myauth, 0, sizeof sp->myauth); 930 memset(&sp->hisauth, 0, sizeof sp->hisauth); 931 sppp_lcp_init(sp); 932 sppp_ipcp_init(sp); 933 sppp_ipv6cp_init(sp); 934 sppp_pap_init(sp); 935 sppp_chap_init(sp); 936 } 937 938 void 939 sppp_detach(struct ifnet *ifp) 940 { 941 struct sppp **q, *p, *sp = (struct sppp *) ifp; 942 943 /* Remove the entry from the keepalive list. */ 944 for (q = &spppq; (p = *q); q = &p->pp_next) 945 if (p == sp) { 946 *q = p->pp_next; 947 break; 948 } 949 950 /* Stop keepalive handler. */ 951 if (! spppq) { 952 callout_stop(&keepalive_ch); 953 } 954 955 callout_stop(&sp->ch[IDX_LCP]); 956 callout_stop(&sp->ch[IDX_IPCP]); 957 callout_stop(&sp->ch[IDX_PAP]); 958 callout_stop(&sp->ch[IDX_CHAP]); 959 #ifdef INET6 960 callout_stop(&sp->ch[IDX_IPV6CP]); 961 #endif 962 callout_stop(&sp->pap_my_to_ch); 963 964 /* free authentication info */ 965 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 966 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 967 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 968 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 969 970 /* Safety - shouldn't be needed as there is no media to set. */ 971 ifmedia_delete_instance(&sp->pp_im, IFM_INST_ANY); 972 } 973 974 /* 975 * Flush the interface output queue. 976 */ 977 void 978 sppp_flush(struct ifnet *ifp) 979 { 980 struct sppp *sp = (struct sppp *) ifp; 981 982 IFQ_PURGE(&sp->pp_if.if_snd); 983 IF_PURGE(&sp->pp_fastq); 984 IF_PURGE(&sp->pp_cpq); 985 } 986 987 /* 988 * Check if the output queue is empty. 989 */ 990 int 991 sppp_isempty(struct ifnet *ifp) 992 { 993 struct sppp *sp = (struct sppp *) ifp; 994 int empty, s; 995 996 s = splnet(); 997 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 998 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 999 splx(s); 1000 return (empty); 1001 } 1002 1003 /* 1004 * Get next packet to send. 1005 */ 1006 struct mbuf * 1007 sppp_dequeue(struct ifnet *ifp) 1008 { 1009 struct sppp *sp = (struct sppp *) ifp; 1010 struct mbuf *m; 1011 int s; 1012 1013 s = splnet(); 1014 /* 1015 * Process only the control protocol queue until we have at 1016 * least one NCP open. 1017 * 1018 * Do always serve all three queues in Cisco mode. 1019 */ 1020 IF_DEQUEUE(&sp->pp_cpq, m); 1021 if (m == NULL && 1022 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) { 1023 IF_DEQUEUE(&sp->pp_fastq, m); 1024 if (m == NULL) 1025 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 1026 } 1027 splx(s); 1028 return m; 1029 } 1030 1031 /* 1032 * Process an ioctl request. Called on low priority level. 1033 */ 1034 int 1035 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1036 { 1037 struct lwp *l = curlwp; /* XXX */ 1038 struct ifreq *ifr = (struct ifreq *) data; 1039 struct ifaddr *ifa = (struct ifaddr *) data; 1040 struct sppp *sp = (struct sppp *) ifp; 1041 int s, error=0, going_up, going_down, newmode; 1042 1043 s = splnet(); 1044 switch (cmd) { 1045 case SIOCINITIFADDR: 1046 ifa->ifa_rtrequest = p2p_rtrequest; 1047 break; 1048 1049 case SIOCSIFFLAGS: 1050 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1051 break; 1052 going_up = ifp->if_flags & IFF_UP && 1053 (ifp->if_flags & IFF_RUNNING) == 0; 1054 going_down = (ifp->if_flags & IFF_UP) == 0 && 1055 ifp->if_flags & IFF_RUNNING; 1056 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1057 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1058 /* sanity */ 1059 newmode = IFF_PASSIVE; 1060 ifp->if_flags &= ~IFF_AUTO; 1061 } 1062 1063 if (going_up || going_down) 1064 lcp.Close(sp); 1065 if (going_up && newmode == 0) { 1066 /* neither auto-dial nor passive */ 1067 ifp->if_flags |= IFF_RUNNING; 1068 if (!(sp->pp_flags & PP_CISCO)) 1069 lcp.Open(sp); 1070 } else if (going_down) { 1071 sppp_flush(ifp); 1072 ifp->if_flags &= ~IFF_RUNNING; 1073 } 1074 1075 break; 1076 1077 case SIOCSIFMTU: 1078 if (ifr->ifr_mtu < PPP_MINMRU || 1079 ifr->ifr_mtu > sp->lcp.their_mru) { 1080 error = EINVAL; 1081 break; 1082 } 1083 /*FALLTHROUGH*/ 1084 case SIOCGIFMTU: 1085 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1086 error = 0; 1087 break; 1088 case SIOCADDMULTI: 1089 case SIOCDELMULTI: 1090 break; 1091 1092 case SPPPSETAUTHCFG: 1093 case SPPPSETLCPCFG: 1094 case SPPPSETIDLETO: 1095 case SPPPSETAUTHFAILURE: 1096 case SPPPSETDNSOPTS: 1097 case SPPPSETKEEPALIVE: 1098 #if defined(COMPAT_50) || defined(MODULAR) 1099 case __SPPPSETIDLETO50: 1100 case __SPPPSETKEEPALIVE50: 1101 #endif /* COMPAT_50 || MODULAR */ 1102 error = kauth_authorize_network(l->l_cred, 1103 KAUTH_NETWORK_INTERFACE, 1104 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1105 NULL); 1106 if (error) 1107 break; 1108 error = sppp_params(sp, cmd, data); 1109 break; 1110 1111 case SPPPGETAUTHCFG: 1112 case SPPPGETLCPCFG: 1113 case SPPPGETAUTHFAILURES: 1114 error = kauth_authorize_network(l->l_cred, 1115 KAUTH_NETWORK_INTERFACE, 1116 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1117 NULL); 1118 if (error) 1119 break; 1120 error = sppp_params(sp, cmd, data); 1121 break; 1122 1123 case SPPPGETSTATUS: 1124 case SPPPGETSTATUSNCP: 1125 case SPPPGETIDLETO: 1126 case SPPPGETDNSOPTS: 1127 case SPPPGETDNSADDRS: 1128 case SPPPGETKEEPALIVE: 1129 #if defined(COMPAT_50) || defined(MODULAR) 1130 case __SPPPGETIDLETO50: 1131 case __SPPPGETKEEPALIVE50: 1132 #endif /* COMPAT_50 || MODULAR */ 1133 error = sppp_params(sp, cmd, data); 1134 break; 1135 1136 case SIOCGIFMEDIA: 1137 error = ifmedia_ioctl(ifp, ifr, &sp->pp_im, cmd); 1138 break; 1139 1140 default: 1141 error = ifioctl_common(ifp, cmd, data); 1142 break; 1143 } 1144 splx(s); 1145 return (error); 1146 } 1147 1148 1149 /* 1150 * Cisco framing implementation. 1151 */ 1152 1153 /* 1154 * Handle incoming Cisco keepalive protocol packets. 1155 */ 1156 static void 1157 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1158 { 1159 STDDCL; 1160 struct cisco_packet *h; 1161 #ifdef INET 1162 uint32_t me, mymask = 0; /* XXX: GCC */ 1163 #endif 1164 1165 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1166 if (debug) 1167 log(LOG_DEBUG, 1168 "%s: cisco invalid packet length: %d bytes\n", 1169 ifp->if_xname, m->m_pkthdr.len); 1170 return; 1171 } 1172 h = mtod(m, struct cisco_packet *); 1173 if (debug) 1174 log(LOG_DEBUG, 1175 "%s: cisco input: %d bytes " 1176 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1177 ifp->if_xname, m->m_pkthdr.len, 1178 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1179 (u_int)h->time0, (u_int)h->time1); 1180 switch (ntohl(h->type)) { 1181 default: 1182 if (debug) 1183 addlog("%s: cisco unknown packet type: 0x%x\n", 1184 ifp->if_xname, ntohl(h->type)); 1185 break; 1186 case CISCO_ADDR_REPLY: 1187 /* Reply on address request, ignore */ 1188 break; 1189 case CISCO_KEEPALIVE_REQ: 1190 sp->pp_alivecnt = 0; 1191 sp->pp_rseq[IDX_LCP] = ntohl(h->par1); 1192 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1193 /* Local and remote sequence numbers are equal. 1194 * Probably, the line is in loopback mode. */ 1195 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1196 printf ("%s: loopback\n", 1197 ifp->if_xname); 1198 sp->pp_loopcnt = 0; 1199 if (ifp->if_flags & IFF_UP) { 1200 if_down(ifp); 1201 IF_PURGE(&sp->pp_cpq); 1202 } 1203 } 1204 ++sp->pp_loopcnt; 1205 1206 /* Generate new local sequence number */ 1207 sp->pp_seq[IDX_LCP] = cprng_fast32(); 1208 break; 1209 } 1210 sp->pp_loopcnt = 0; 1211 if (! (ifp->if_flags & IFF_UP) && 1212 (ifp->if_flags & IFF_RUNNING)) { 1213 if_up(ifp); 1214 } 1215 break; 1216 case CISCO_ADDR_REQ: 1217 #ifdef INET 1218 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1219 if (me != 0L) 1220 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1221 #endif 1222 break; 1223 } 1224 } 1225 1226 /* 1227 * Send Cisco keepalive packet. 1228 */ 1229 static void 1230 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1231 { 1232 STDDCL; 1233 struct ppp_header *h; 1234 struct cisco_packet *ch; 1235 struct mbuf *m; 1236 uint32_t t; 1237 1238 t = time_uptime * 1000; 1239 MGETHDR(m, M_DONTWAIT, MT_DATA); 1240 if (! m) 1241 return; 1242 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1243 m_reset_rcvif(m); 1244 1245 h = mtod(m, struct ppp_header *); 1246 h->address = CISCO_MULTICAST; 1247 h->control = 0; 1248 h->protocol = htons(CISCO_KEEPALIVE); 1249 1250 ch = (struct cisco_packet *)(h + 1); 1251 ch->type = htonl(type); 1252 ch->par1 = htonl(par1); 1253 ch->par2 = htonl(par2); 1254 ch->rel = -1; 1255 1256 ch->time0 = htons((u_short)(t >> 16)); 1257 ch->time1 = htons((u_short) t); 1258 1259 if (debug) 1260 log(LOG_DEBUG, 1261 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1262 ifp->if_xname, ntohl(ch->type), ch->par1, 1263 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1264 (u_int)ch->time1); 1265 1266 if (IF_QFULL(&sp->pp_cpq)) { 1267 IF_DROP(&sp->pp_fastq); 1268 IF_DROP(&ifp->if_snd); 1269 m_freem(m); 1270 ++ifp->if_oerrors; 1271 return; 1272 } else 1273 IF_ENQUEUE(&sp->pp_cpq, m); 1274 if (! (ifp->if_flags & IFF_OACTIVE)) 1275 if_start_lock(ifp); 1276 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1277 } 1278 1279 /* 1280 * PPP protocol implementation. 1281 */ 1282 1283 /* 1284 * Send PPP control protocol packet. 1285 */ 1286 static void 1287 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1288 u_char ident, u_short len, void *data) 1289 { 1290 STDDCL; 1291 struct lcp_header *lh; 1292 struct mbuf *m; 1293 size_t pkthdrlen; 1294 1295 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1296 1297 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1298 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1299 MGETHDR(m, M_DONTWAIT, MT_DATA); 1300 if (! m) 1301 return; 1302 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1303 m_reset_rcvif(m); 1304 1305 if (sp->pp_flags & PP_NOFRAMING) { 1306 *mtod(m, uint16_t *) = htons(proto); 1307 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1308 } else { 1309 struct ppp_header *h; 1310 h = mtod(m, struct ppp_header *); 1311 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1312 h->control = PPP_UI; /* Unnumbered Info */ 1313 h->protocol = htons(proto); /* Link Control Protocol */ 1314 lh = (struct lcp_header *)(h + 1); 1315 } 1316 lh->type = type; 1317 lh->ident = ident; 1318 lh->len = htons(LCP_HEADER_LEN + len); 1319 if (len) 1320 memcpy(lh + 1, data, len); 1321 1322 if (debug) { 1323 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1324 ifp->if_xname, 1325 sppp_proto_name(proto), 1326 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len)); 1327 if (len) 1328 sppp_print_bytes((u_char *)(lh + 1), len); 1329 addlog(">\n"); 1330 } 1331 if (IF_QFULL(&sp->pp_cpq)) { 1332 IF_DROP(&sp->pp_fastq); 1333 IF_DROP(&ifp->if_snd); 1334 m_freem(m); 1335 ++ifp->if_oerrors; 1336 return; 1337 } else 1338 IF_ENQUEUE(&sp->pp_cpq, m); 1339 if (! (ifp->if_flags & IFF_OACTIVE)) 1340 if_start_lock(ifp); 1341 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1342 } 1343 1344 /* 1345 * Handle incoming PPP control protocol packets. 1346 */ 1347 static void 1348 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1349 { 1350 STDDCL; 1351 struct lcp_header *h; 1352 int printlen, len = m->m_pkthdr.len; 1353 int rv; 1354 u_char *p; 1355 uint32_t u32; 1356 1357 if (len < 4) { 1358 if (debug) 1359 log(LOG_DEBUG, 1360 "%s: %s invalid packet length: %d bytes\n", 1361 ifp->if_xname, cp->name, len); 1362 return; 1363 } 1364 h = mtod(m, struct lcp_header *); 1365 if (debug) { 1366 printlen = ntohs(h->len); 1367 log(LOG_DEBUG, 1368 "%s: %s input(%s): <%s id=0x%x len=%d", 1369 ifp->if_xname, cp->name, 1370 sppp_state_name(sp->state[cp->protoidx]), 1371 sppp_cp_type_name(h->type), h->ident, printlen); 1372 if (len < printlen) 1373 printlen = len; 1374 if (printlen > 4) 1375 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1376 addlog(">\n"); 1377 } 1378 if (len > ntohs(h->len)) 1379 len = ntohs(h->len); 1380 p = (u_char *)(h + 1); 1381 switch (h->type) { 1382 case CONF_REQ: 1383 if (len < 4) { 1384 if (debug) 1385 addlog("%s: %s invalid conf-req length %d\n", 1386 ifp->if_xname, cp->name, 1387 len); 1388 ++ifp->if_ierrors; 1389 break; 1390 } 1391 /* handle states where RCR doesn't get a SCA/SCN */ 1392 switch (sp->state[cp->protoidx]) { 1393 case STATE_CLOSING: 1394 case STATE_STOPPING: 1395 return; 1396 case STATE_CLOSED: 1397 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1398 0, 0); 1399 return; 1400 } 1401 rv = (cp->RCR)(sp, h, len); 1402 if (rv < 0) { 1403 /* fatal error, shut down */ 1404 (cp->tld)(sp); 1405 sppp_lcp_tlf(sp); 1406 return; 1407 } 1408 switch (sp->state[cp->protoidx]) { 1409 case STATE_OPENED: 1410 (cp->tld)(sp); 1411 (cp->scr)(sp); 1412 /* fall through... */ 1413 case STATE_ACK_SENT: 1414 case STATE_REQ_SENT: 1415 sppp_cp_change_state(cp, sp, rv? 1416 STATE_ACK_SENT: STATE_REQ_SENT); 1417 break; 1418 case STATE_STOPPED: 1419 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1420 (cp->scr)(sp); 1421 sppp_cp_change_state(cp, sp, rv? 1422 STATE_ACK_SENT: STATE_REQ_SENT); 1423 break; 1424 case STATE_ACK_RCVD: 1425 if (rv) { 1426 sppp_cp_change_state(cp, sp, STATE_OPENED); 1427 if (debug) 1428 log(LOG_DEBUG, "%s: %s tlu\n", 1429 ifp->if_xname, 1430 cp->name); 1431 (cp->tlu)(sp); 1432 } else 1433 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1434 break; 1435 default: 1436 printf("%s: %s illegal %s in state %s\n", 1437 ifp->if_xname, cp->name, 1438 sppp_cp_type_name(h->type), 1439 sppp_state_name(sp->state[cp->protoidx])); 1440 ++ifp->if_ierrors; 1441 } 1442 break; 1443 case CONF_ACK: 1444 if (h->ident != sp->confid[cp->protoidx]) { 1445 if (debug) 1446 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1447 ifp->if_xname, cp->name, 1448 h->ident, sp->confid[cp->protoidx]); 1449 ++ifp->if_ierrors; 1450 break; 1451 } 1452 switch (sp->state[cp->protoidx]) { 1453 case STATE_CLOSED: 1454 case STATE_STOPPED: 1455 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1456 break; 1457 case STATE_CLOSING: 1458 case STATE_STOPPING: 1459 break; 1460 case STATE_REQ_SENT: 1461 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1462 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1463 break; 1464 case STATE_OPENED: 1465 (cp->tld)(sp); 1466 /* fall through */ 1467 case STATE_ACK_RCVD: 1468 (cp->scr)(sp); 1469 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1470 break; 1471 case STATE_ACK_SENT: 1472 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1473 sppp_cp_change_state(cp, sp, STATE_OPENED); 1474 if (debug) 1475 log(LOG_DEBUG, "%s: %s tlu\n", 1476 ifp->if_xname, cp->name); 1477 (cp->tlu)(sp); 1478 break; 1479 default: 1480 printf("%s: %s illegal %s in state %s\n", 1481 ifp->if_xname, cp->name, 1482 sppp_cp_type_name(h->type), 1483 sppp_state_name(sp->state[cp->protoidx])); 1484 ++ifp->if_ierrors; 1485 } 1486 break; 1487 case CONF_NAK: 1488 case CONF_REJ: 1489 if (h->ident != sp->confid[cp->protoidx]) { 1490 if (debug) 1491 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1492 ifp->if_xname, cp->name, 1493 h->ident, sp->confid[cp->protoidx]); 1494 ++ifp->if_ierrors; 1495 break; 1496 } 1497 if (h->type == CONF_NAK) 1498 (cp->RCN_nak)(sp, h, len); 1499 else /* CONF_REJ */ 1500 (cp->RCN_rej)(sp, h, len); 1501 1502 switch (sp->state[cp->protoidx]) { 1503 case STATE_CLOSED: 1504 case STATE_STOPPED: 1505 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1506 break; 1507 case STATE_REQ_SENT: 1508 case STATE_ACK_SENT: 1509 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1510 (cp->scr)(sp); 1511 break; 1512 case STATE_OPENED: 1513 (cp->tld)(sp); 1514 /* fall through */ 1515 case STATE_ACK_RCVD: 1516 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 1517 (cp->scr)(sp); 1518 break; 1519 case STATE_CLOSING: 1520 case STATE_STOPPING: 1521 break; 1522 default: 1523 printf("%s: %s illegal %s in state %s\n", 1524 ifp->if_xname, cp->name, 1525 sppp_cp_type_name(h->type), 1526 sppp_state_name(sp->state[cp->protoidx])); 1527 ++ifp->if_ierrors; 1528 } 1529 break; 1530 1531 case TERM_REQ: 1532 switch (sp->state[cp->protoidx]) { 1533 case STATE_ACK_RCVD: 1534 case STATE_ACK_SENT: 1535 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1536 /* fall through */ 1537 case STATE_CLOSED: 1538 case STATE_STOPPED: 1539 case STATE_CLOSING: 1540 case STATE_STOPPING: 1541 case STATE_REQ_SENT: 1542 sta: 1543 /* Send Terminate-Ack packet. */ 1544 if (debug) 1545 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 1546 ifp->if_xname, cp->name); 1547 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1548 break; 1549 case STATE_OPENED: 1550 (cp->tld)(sp); 1551 sp->rst_counter[cp->protoidx] = 0; 1552 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1553 goto sta; 1554 default: 1555 printf("%s: %s illegal %s in state %s\n", 1556 ifp->if_xname, cp->name, 1557 sppp_cp_type_name(h->type), 1558 sppp_state_name(sp->state[cp->protoidx])); 1559 ++ifp->if_ierrors; 1560 } 1561 break; 1562 case TERM_ACK: 1563 switch (sp->state[cp->protoidx]) { 1564 case STATE_CLOSED: 1565 case STATE_STOPPED: 1566 case STATE_REQ_SENT: 1567 case STATE_ACK_SENT: 1568 break; 1569 case STATE_CLOSING: 1570 (cp->tlf)(sp); 1571 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1572 sppp_lcp_check_and_close(sp); 1573 break; 1574 case STATE_STOPPING: 1575 (cp->tlf)(sp); 1576 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1577 sppp_lcp_check_and_close(sp); 1578 break; 1579 case STATE_ACK_RCVD: 1580 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1581 break; 1582 case STATE_OPENED: 1583 (cp->tld)(sp); 1584 (cp->scr)(sp); 1585 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1586 break; 1587 default: 1588 printf("%s: %s illegal %s in state %s\n", 1589 ifp->if_xname, cp->name, 1590 sppp_cp_type_name(h->type), 1591 sppp_state_name(sp->state[cp->protoidx])); 1592 ++ifp->if_ierrors; 1593 } 1594 break; 1595 case CODE_REJ: 1596 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1597 log(LOG_INFO, 1598 "%s: %s: ignoring RXJ (%s) for code ?, " 1599 "danger will robinson\n", 1600 ifp->if_xname, cp->name, 1601 sppp_cp_type_name(h->type)); 1602 switch (sp->state[cp->protoidx]) { 1603 case STATE_CLOSED: 1604 case STATE_STOPPED: 1605 case STATE_REQ_SENT: 1606 case STATE_ACK_SENT: 1607 case STATE_CLOSING: 1608 case STATE_STOPPING: 1609 case STATE_OPENED: 1610 break; 1611 case STATE_ACK_RCVD: 1612 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1613 break; 1614 default: 1615 printf("%s: %s illegal %s in state %s\n", 1616 ifp->if_xname, cp->name, 1617 sppp_cp_type_name(h->type), 1618 sppp_state_name(sp->state[cp->protoidx])); 1619 ++ifp->if_ierrors; 1620 } 1621 break; 1622 case PROTO_REJ: 1623 { 1624 int catastrophic; 1625 const struct cp *upper; 1626 int i; 1627 uint16_t proto; 1628 1629 catastrophic = 0; 1630 upper = NULL; 1631 proto = p[0] << 8 | p[1]; 1632 for (i = 0; i < IDX_COUNT; i++) { 1633 if (cps[i]->proto == proto) { 1634 upper = cps[i]; 1635 break; 1636 } 1637 } 1638 if (upper == NULL) 1639 catastrophic++; 1640 1641 if (debug) 1642 log(LOG_INFO, 1643 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1644 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1645 sppp_cp_type_name(h->type), proto, 1646 upper ? upper->name : "unknown", 1647 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1648 1649 /* 1650 * if we got RXJ+ against conf-req, the peer does not implement 1651 * this particular protocol type. terminate the protocol. 1652 */ 1653 if (upper && !catastrophic) { 1654 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1655 upper->Close(sp); 1656 break; 1657 } 1658 } 1659 1660 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1661 switch (sp->state[cp->protoidx]) { 1662 case STATE_CLOSED: 1663 case STATE_STOPPED: 1664 case STATE_REQ_SENT: 1665 case STATE_ACK_SENT: 1666 case STATE_CLOSING: 1667 case STATE_STOPPING: 1668 case STATE_OPENED: 1669 break; 1670 case STATE_ACK_RCVD: 1671 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1672 break; 1673 default: 1674 printf("%s: %s illegal %s in state %s\n", 1675 ifp->if_xname, cp->name, 1676 sppp_cp_type_name(h->type), 1677 sppp_state_name(sp->state[cp->protoidx])); 1678 ++ifp->if_ierrors; 1679 } 1680 break; 1681 } 1682 case DISC_REQ: 1683 if (cp->proto != PPP_LCP) 1684 goto illegal; 1685 /* Discard the packet. */ 1686 break; 1687 case ECHO_REQ: 1688 if (cp->proto != PPP_LCP) 1689 goto illegal; 1690 if (sp->state[cp->protoidx] != STATE_OPENED) { 1691 if (debug) 1692 addlog("%s: lcp echo req but lcp closed\n", 1693 ifp->if_xname); 1694 ++ifp->if_ierrors; 1695 break; 1696 } 1697 if (len < 8) { 1698 if (debug) 1699 addlog("%s: invalid lcp echo request " 1700 "packet length: %d bytes\n", 1701 ifp->if_xname, len); 1702 break; 1703 } 1704 memcpy(&u32, h + 1, sizeof u32); 1705 if (ntohl(u32) == sp->lcp.magic) { 1706 /* Line loopback mode detected. */ 1707 printf("%s: loopback\n", ifp->if_xname); 1708 if_down(ifp); 1709 IF_PURGE(&sp->pp_cpq); 1710 1711 /* Shut down the PPP link. */ 1712 /* XXX */ 1713 lcp.Down(sp); 1714 lcp.Up(sp); 1715 break; 1716 } 1717 u32 = htonl(sp->lcp.magic); 1718 memcpy(h + 1, &u32, sizeof u32); 1719 if (debug) 1720 addlog("%s: got lcp echo req, sending echo rep\n", 1721 ifp->if_xname); 1722 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1723 h + 1); 1724 break; 1725 case ECHO_REPLY: 1726 if (cp->proto != PPP_LCP) 1727 goto illegal; 1728 if (h->ident != sp->lcp.echoid) { 1729 ++ifp->if_ierrors; 1730 break; 1731 } 1732 if (len < 8) { 1733 if (debug) 1734 addlog("%s: lcp invalid echo reply " 1735 "packet length: %d bytes\n", 1736 ifp->if_xname, len); 1737 break; 1738 } 1739 if (debug) 1740 addlog("%s: lcp got echo rep\n", 1741 ifp->if_xname); 1742 memcpy(&u32, h + 1, sizeof u32); 1743 if (ntohl(u32) != sp->lcp.magic) 1744 sp->pp_alivecnt = 0; 1745 break; 1746 default: 1747 /* Unknown packet type -- send Code-Reject packet. */ 1748 illegal: 1749 if (debug) 1750 addlog("%s: %s send code-rej for 0x%x\n", 1751 ifp->if_xname, cp->name, h->type); 1752 sppp_cp_send(sp, cp->proto, CODE_REJ, 1753 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1754 ++ifp->if_ierrors; 1755 } 1756 } 1757 1758 1759 /* 1760 * The generic part of all Up/Down/Open/Close/TO event handlers. 1761 * Basically, the state transition handling in the automaton. 1762 */ 1763 static void 1764 sppp_up_event(const struct cp *cp, struct sppp *sp) 1765 { 1766 STDDCL; 1767 1768 if (debug) 1769 log(LOG_DEBUG, "%s: %s up(%s)\n", 1770 ifp->if_xname, cp->name, 1771 sppp_state_name(sp->state[cp->protoidx])); 1772 1773 switch (sp->state[cp->protoidx]) { 1774 case STATE_INITIAL: 1775 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1776 break; 1777 case STATE_STARTING: 1778 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1779 (cp->scr)(sp); 1780 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1781 break; 1782 default: 1783 printf("%s: %s illegal up in state %s\n", 1784 ifp->if_xname, cp->name, 1785 sppp_state_name(sp->state[cp->protoidx])); 1786 } 1787 } 1788 1789 static void 1790 sppp_down_event(const struct cp *cp, struct sppp *sp) 1791 { 1792 STDDCL; 1793 1794 if (debug) 1795 log(LOG_DEBUG, "%s: %s down(%s)\n", 1796 ifp->if_xname, cp->name, 1797 sppp_state_name(sp->state[cp->protoidx])); 1798 1799 switch (sp->state[cp->protoidx]) { 1800 case STATE_CLOSED: 1801 case STATE_CLOSING: 1802 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1803 break; 1804 case STATE_STOPPED: 1805 (cp->tls)(sp); 1806 /* fall through */ 1807 case STATE_STOPPING: 1808 case STATE_REQ_SENT: 1809 case STATE_ACK_RCVD: 1810 case STATE_ACK_SENT: 1811 sppp_cp_change_state(cp, sp, STATE_STARTING); 1812 break; 1813 case STATE_OPENED: 1814 (cp->tld)(sp); 1815 sppp_cp_change_state(cp, sp, STATE_STARTING); 1816 break; 1817 default: 1818 printf("%s: %s illegal down in state %s\n", 1819 ifp->if_xname, cp->name, 1820 sppp_state_name(sp->state[cp->protoidx])); 1821 } 1822 } 1823 1824 1825 static void 1826 sppp_open_event(const struct cp *cp, struct sppp *sp) 1827 { 1828 STDDCL; 1829 1830 if (debug) 1831 log(LOG_DEBUG, "%s: %s open(%s)\n", 1832 ifp->if_xname, cp->name, 1833 sppp_state_name(sp->state[cp->protoidx])); 1834 1835 switch (sp->state[cp->protoidx]) { 1836 case STATE_INITIAL: 1837 sppp_cp_change_state(cp, sp, STATE_STARTING); 1838 (cp->tls)(sp); 1839 break; 1840 case STATE_STARTING: 1841 break; 1842 case STATE_CLOSED: 1843 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1844 (cp->scr)(sp); 1845 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1846 break; 1847 case STATE_STOPPED: 1848 case STATE_STOPPING: 1849 case STATE_REQ_SENT: 1850 case STATE_ACK_RCVD: 1851 case STATE_ACK_SENT: 1852 case STATE_OPENED: 1853 break; 1854 case STATE_CLOSING: 1855 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1856 break; 1857 } 1858 } 1859 1860 1861 static void 1862 sppp_close_event(const struct cp *cp, struct sppp *sp) 1863 { 1864 STDDCL; 1865 1866 if (debug) 1867 log(LOG_DEBUG, "%s: %s close(%s)\n", 1868 ifp->if_xname, cp->name, 1869 sppp_state_name(sp->state[cp->protoidx])); 1870 1871 switch (sp->state[cp->protoidx]) { 1872 case STATE_INITIAL: 1873 case STATE_CLOSED: 1874 case STATE_CLOSING: 1875 break; 1876 case STATE_STARTING: 1877 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1878 (cp->tlf)(sp); 1879 break; 1880 case STATE_STOPPED: 1881 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1882 break; 1883 case STATE_STOPPING: 1884 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1885 break; 1886 case STATE_OPENED: 1887 (cp->tld)(sp); 1888 /* fall through */ 1889 case STATE_REQ_SENT: 1890 case STATE_ACK_RCVD: 1891 case STATE_ACK_SENT: 1892 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 1893 sppp_cp_send(sp, cp->proto, TERM_REQ, 1894 ++sp->pp_seq[cp->protoidx], 0, 0); 1895 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1896 break; 1897 } 1898 } 1899 1900 static void 1901 sppp_to_event(const struct cp *cp, struct sppp *sp) 1902 { 1903 STDDCL; 1904 int s; 1905 1906 s = splnet(); 1907 if (debug) 1908 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 1909 ifp->if_xname, cp->name, 1910 sppp_state_name(sp->state[cp->protoidx]), 1911 sp->rst_counter[cp->protoidx]); 1912 1913 if (--sp->rst_counter[cp->protoidx] < 0) 1914 /* TO- event */ 1915 switch (sp->state[cp->protoidx]) { 1916 case STATE_CLOSING: 1917 (cp->tlf)(sp); 1918 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1919 sppp_lcp_check_and_close(sp); 1920 break; 1921 case STATE_STOPPING: 1922 (cp->tlf)(sp); 1923 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1924 sppp_lcp_check_and_close(sp); 1925 break; 1926 case STATE_REQ_SENT: 1927 case STATE_ACK_RCVD: 1928 case STATE_ACK_SENT: 1929 (cp->tlf)(sp); 1930 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1931 sppp_lcp_check_and_close(sp); 1932 break; 1933 } 1934 else 1935 /* TO+ event */ 1936 switch (sp->state[cp->protoidx]) { 1937 case STATE_CLOSING: 1938 case STATE_STOPPING: 1939 sppp_cp_send(sp, cp->proto, TERM_REQ, 1940 ++sp->pp_seq[cp->protoidx], 0, 0); 1941 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1942 cp->TO, sp); 1943 break; 1944 case STATE_REQ_SENT: 1945 case STATE_ACK_RCVD: 1946 (cp->scr)(sp); 1947 /* sppp_cp_change_state() will restart the timer */ 1948 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1949 break; 1950 case STATE_ACK_SENT: 1951 (cp->scr)(sp); 1952 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1953 cp->TO, sp); 1954 break; 1955 } 1956 1957 splx(s); 1958 } 1959 1960 /* 1961 * Change the state of a control protocol in the state automaton. 1962 * Takes care of starting/stopping the restart timer. 1963 */ 1964 void 1965 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 1966 { 1967 sp->state[cp->protoidx] = newstate; 1968 callout_stop(&sp->ch[cp->protoidx]); 1969 switch (newstate) { 1970 case STATE_INITIAL: 1971 case STATE_STARTING: 1972 case STATE_CLOSED: 1973 case STATE_STOPPED: 1974 case STATE_OPENED: 1975 break; 1976 case STATE_CLOSING: 1977 case STATE_STOPPING: 1978 case STATE_REQ_SENT: 1979 case STATE_ACK_RCVD: 1980 case STATE_ACK_SENT: 1981 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1982 cp->TO, sp); 1983 break; 1984 } 1985 } 1986 1987 /* 1988 *--------------------------------------------------------------------------* 1989 * * 1990 * The LCP implementation. * 1991 * * 1992 *--------------------------------------------------------------------------* 1993 */ 1994 static void 1995 sppp_lcp_init(struct sppp *sp) 1996 { 1997 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 1998 sp->lcp.magic = 0; 1999 sp->state[IDX_LCP] = STATE_INITIAL; 2000 sp->fail_counter[IDX_LCP] = 0; 2001 sp->pp_seq[IDX_LCP] = 0; 2002 sp->pp_rseq[IDX_LCP] = 0; 2003 sp->lcp.protos = 0; 2004 2005 /* 2006 * Initialize counters and timeout values. Note that we don't 2007 * use the 3 seconds suggested in RFC 1661 since we are likely 2008 * running on a fast link. XXX We should probably implement 2009 * the exponential backoff option. Note that these values are 2010 * relevant for all control protocols, not just LCP only. 2011 */ 2012 sp->lcp.timeout = 1 * hz; 2013 sp->lcp.max_terminate = 2; 2014 sp->lcp.max_configure = 10; 2015 sp->lcp.max_failure = 10; 2016 callout_init(&sp->ch[IDX_LCP], 0); 2017 } 2018 2019 static void 2020 sppp_lcp_up(struct sppp *sp) 2021 { 2022 STDDCL; 2023 2024 /* Initialize activity timestamp: opening a connection is an activity */ 2025 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 2026 2027 /* 2028 * If this interface is passive or dial-on-demand, and we are 2029 * still in Initial state, it means we've got an incoming 2030 * call. Activate the interface. 2031 */ 2032 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2033 if (debug) 2034 log(LOG_DEBUG, 2035 "%s: Up event", ifp->if_xname); 2036 ifp->if_flags |= IFF_RUNNING; 2037 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2038 if (debug) 2039 addlog("(incoming call)\n"); 2040 sp->pp_flags |= PP_CALLIN; 2041 lcp.Open(sp); 2042 } else if (debug) 2043 addlog("\n"); 2044 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2045 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2046 ifp->if_flags |= IFF_RUNNING; 2047 lcp.Open(sp); 2048 } 2049 2050 sppp_up_event(&lcp, sp); 2051 } 2052 2053 static void 2054 sppp_lcp_down(struct sppp *sp) 2055 { 2056 STDDCL; 2057 2058 sppp_down_event(&lcp, sp); 2059 2060 /* 2061 * If this is neither a dial-on-demand nor a passive 2062 * interface, simulate an ``ifconfig down'' action, so the 2063 * administrator can force a redial by another ``ifconfig 2064 * up''. XXX For leased line operation, should we immediately 2065 * try to reopen the connection here? 2066 */ 2067 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2068 if (debug) 2069 log(LOG_INFO, 2070 "%s: Down event (carrier loss), taking interface down.\n", 2071 ifp->if_xname); 2072 if_down(ifp); 2073 } else { 2074 if (debug) 2075 log(LOG_DEBUG, 2076 "%s: Down event (carrier loss)\n", 2077 ifp->if_xname); 2078 } 2079 sp->pp_flags &= ~PP_CALLIN; 2080 if (sp->state[IDX_LCP] != STATE_INITIAL) 2081 lcp.Close(sp); 2082 ifp->if_flags &= ~IFF_RUNNING; 2083 } 2084 2085 static void 2086 sppp_lcp_open(struct sppp *sp) 2087 { 2088 if (sp->pp_if.if_mtu < PP_MTU) { 2089 sp->lcp.mru = sp->pp_if.if_mtu; 2090 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2091 } else 2092 sp->lcp.mru = PP_MTU; 2093 sp->lcp.their_mru = PP_MTU; 2094 2095 /* 2096 * If we are authenticator, negotiate LCP_AUTH 2097 */ 2098 if (sp->hisauth.proto != 0) 2099 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2100 else 2101 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2102 sp->pp_flags &= ~PP_NEEDAUTH; 2103 sppp_open_event(&lcp, sp); 2104 } 2105 2106 static void 2107 sppp_lcp_close(struct sppp *sp) 2108 { 2109 sppp_close_event(&lcp, sp); 2110 } 2111 2112 static void 2113 sppp_lcp_TO(void *cookie) 2114 { 2115 sppp_to_event(&lcp, (struct sppp *)cookie); 2116 } 2117 2118 /* 2119 * Analyze a configure request. Return true if it was agreeable, and 2120 * caused action sca, false if it has been rejected or nak'ed, and 2121 * caused action scn. (The return value is used to make the state 2122 * transition decision in the state automaton.) 2123 */ 2124 static int 2125 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2126 { 2127 STDDCL; 2128 u_char *buf, *r, *p, l, blen; 2129 int origlen, rlen; 2130 uint32_t nmagic; 2131 u_short authproto; 2132 2133 len -= 4; 2134 origlen = len; 2135 buf = r = malloc (blen = len, M_TEMP, M_NOWAIT); 2136 if (! buf) 2137 return (0); 2138 2139 if (debug) 2140 log(LOG_DEBUG, "%s: lcp parse opts:", 2141 ifp->if_xname); 2142 2143 /* pass 1: check for things that need to be rejected */ 2144 p = (void *)(h + 1); 2145 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2146 /* Sanity check option length */ 2147 if (l > len) { 2148 /* 2149 * Malicious option - drop immediately. 2150 * XXX Maybe we should just RXJ it? 2151 */ 2152 addlog("%s: received malicious LCP option 0x%02x, " 2153 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2154 p[0], l, len); 2155 goto drop; 2156 } 2157 if (debug) 2158 addlog(" %s", sppp_lcp_opt_name(*p)); 2159 switch (*p) { 2160 case LCP_OPT_MAGIC: 2161 /* Magic number. */ 2162 /* fall through, both are same length */ 2163 case LCP_OPT_ASYNC_MAP: 2164 /* Async control character map. */ 2165 if (len >= 6 || l == 6) 2166 continue; 2167 if (debug) 2168 addlog(" [invalid]"); 2169 break; 2170 case LCP_OPT_MRU: 2171 /* Maximum receive unit. */ 2172 if (len >= 4 && l == 4) 2173 continue; 2174 if (debug) 2175 addlog(" [invalid]"); 2176 break; 2177 case LCP_OPT_AUTH_PROTO: 2178 if (len < 4) { 2179 if (debug) 2180 addlog(" [invalid]"); 2181 break; 2182 } 2183 authproto = (p[2] << 8) + p[3]; 2184 if (authproto == PPP_CHAP && l != 5) { 2185 if (debug) 2186 addlog(" [invalid chap len]"); 2187 break; 2188 } 2189 if (sp->myauth.proto == 0) { 2190 /* we are not configured to do auth */ 2191 if (debug) 2192 addlog(" [not configured]"); 2193 break; 2194 } 2195 /* 2196 * Remote want us to authenticate, remember this, 2197 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2198 * up. 2199 */ 2200 sp->pp_flags |= PP_NEEDAUTH; 2201 continue; 2202 default: 2203 /* Others not supported. */ 2204 if (debug) 2205 addlog(" [rej]"); 2206 break; 2207 } 2208 if (rlen + l > blen) { 2209 if (debug) 2210 addlog(" [overflow]"); 2211 continue; 2212 } 2213 /* Add the option to rejected list. */ 2214 memcpy(r, p, l); 2215 r += l; 2216 rlen += l; 2217 } 2218 if (rlen) { 2219 if (debug) 2220 addlog(" send conf-rej\n"); 2221 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2222 goto end; 2223 } else if (debug) 2224 addlog("\n"); 2225 2226 /* 2227 * pass 2: check for option values that are unacceptable and 2228 * thus require to be nak'ed. 2229 */ 2230 if (debug) 2231 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2232 ifp->if_xname); 2233 2234 p = (void *)(h + 1); 2235 len = origlen; 2236 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2237 if (debug) 2238 addlog(" %s", sppp_lcp_opt_name(*p)); 2239 switch (*p) { 2240 case LCP_OPT_MAGIC: 2241 /* Magic number -- extract. */ 2242 nmagic = (uint32_t)p[2] << 24 | 2243 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2244 if (nmagic != sp->lcp.magic) { 2245 if (debug) 2246 addlog(" 0x%x", nmagic); 2247 continue; 2248 } 2249 /* 2250 * Local and remote magics equal -- loopback? 2251 */ 2252 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2253 printf ("%s: loopback\n", 2254 ifp->if_xname); 2255 sp->pp_loopcnt = 0; 2256 if (ifp->if_flags & IFF_UP) { 2257 if_down(ifp); 2258 IF_PURGE(&sp->pp_cpq); 2259 /* XXX ? */ 2260 lcp.Down(sp); 2261 lcp.Up(sp); 2262 } 2263 } else if (debug) 2264 addlog(" [glitch]"); 2265 ++sp->pp_loopcnt; 2266 /* 2267 * We negate our magic here, and NAK it. If 2268 * we see it later in an NAK packet, we 2269 * suggest a new one. 2270 */ 2271 nmagic = ~sp->lcp.magic; 2272 /* Gonna NAK it. */ 2273 p[2] = nmagic >> 24; 2274 p[3] = nmagic >> 16; 2275 p[4] = nmagic >> 8; 2276 p[5] = nmagic; 2277 break; 2278 2279 case LCP_OPT_ASYNC_MAP: 2280 /* 2281 * Async control character map -- just ignore it. 2282 * 2283 * Quote from RFC 1662, chapter 6: 2284 * To enable this functionality, synchronous PPP 2285 * implementations MUST always respond to the 2286 * Async-Control-Character-Map Configuration 2287 * Option with the LCP Configure-Ack. However, 2288 * acceptance of the Configuration Option does 2289 * not imply that the synchronous implementation 2290 * will do any ACCM mapping. Instead, all such 2291 * octet mapping will be performed by the 2292 * asynchronous-to-synchronous converter. 2293 */ 2294 continue; 2295 2296 case LCP_OPT_MRU: 2297 /* 2298 * Maximum receive unit. Always agreeable, 2299 * but ignored by now. 2300 */ 2301 sp->lcp.their_mru = p[2] * 256 + p[3]; 2302 if (debug) 2303 addlog(" %ld", sp->lcp.their_mru); 2304 continue; 2305 2306 case LCP_OPT_AUTH_PROTO: 2307 authproto = (p[2] << 8) + p[3]; 2308 if (sp->myauth.proto != authproto) { 2309 /* not agreed, nak */ 2310 if (debug) 2311 addlog(" [mine %s != his %s]", 2312 sppp_proto_name(sp->myauth.proto), 2313 sppp_proto_name(authproto)); 2314 p[2] = sp->myauth.proto >> 8; 2315 p[3] = sp->myauth.proto; 2316 break; 2317 } 2318 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2319 if (debug) 2320 addlog(" [chap not MD5]"); 2321 p[4] = CHAP_MD5; 2322 break; 2323 } 2324 continue; 2325 } 2326 if (rlen + l > blen) { 2327 if (debug) 2328 addlog(" [overflow]"); 2329 continue; 2330 } 2331 /* Add the option to nak'ed list. */ 2332 memcpy(r, p, l); 2333 r += l; 2334 rlen += l; 2335 } 2336 if (rlen) { 2337 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2338 if (debug) 2339 addlog(" max_failure (%d) exceeded, " 2340 "send conf-rej\n", 2341 sp->lcp.max_failure); 2342 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2343 } else { 2344 if (debug) 2345 addlog(" send conf-nak\n"); 2346 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2347 } 2348 goto end; 2349 } else { 2350 if (debug) 2351 addlog(" send conf-ack\n"); 2352 sp->fail_counter[IDX_LCP] = 0; 2353 sp->pp_loopcnt = 0; 2354 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1); 2355 } 2356 2357 end: 2358 free(buf, M_TEMP); 2359 return (rlen == 0); 2360 2361 drop: 2362 free(buf, M_TEMP); 2363 return -1; 2364 } 2365 2366 /* 2367 * Analyze the LCP Configure-Reject option list, and adjust our 2368 * negotiation. 2369 */ 2370 static void 2371 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2372 { 2373 STDDCL; 2374 u_char *buf, *p, l; 2375 2376 len -= 4; 2377 buf = malloc (len, M_TEMP, M_NOWAIT); 2378 if (!buf) 2379 return; 2380 2381 if (debug) 2382 log(LOG_DEBUG, "%s: lcp rej opts:", 2383 ifp->if_xname); 2384 2385 p = (void *)(h + 1); 2386 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2387 /* Sanity check option length */ 2388 if (l > len) { 2389 /* 2390 * Malicious option - drop immediately. 2391 * XXX Maybe we should just RXJ it? 2392 */ 2393 addlog("%s: received malicious LCP option, " 2394 "dropping.\n", ifp->if_xname); 2395 goto drop; 2396 } 2397 if (debug) 2398 addlog(" %s", sppp_lcp_opt_name(*p)); 2399 switch (*p) { 2400 case LCP_OPT_MAGIC: 2401 /* Magic number -- can't use it, use 0 */ 2402 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2403 sp->lcp.magic = 0; 2404 break; 2405 case LCP_OPT_MRU: 2406 /* 2407 * We try to negotiate a lower MRU if the underlying 2408 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 2409 * peer rejects this lower rate, fallback to the 2410 * default. 2411 */ 2412 if (debug) { 2413 addlog("%s: warning: peer rejected our MRU of " 2414 "%ld bytes. Defaulting to %d bytes\n", 2415 ifp->if_xname, sp->lcp.mru, PP_MTU); 2416 } 2417 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2418 sp->lcp.mru = PP_MTU; 2419 break; 2420 case LCP_OPT_AUTH_PROTO: 2421 /* 2422 * Peer doesn't want to authenticate himself, 2423 * deny unless this is a dialout call, and 2424 * SPPP_AUTHFLAG_NOCALLOUT is set. 2425 */ 2426 if ((sp->pp_flags & PP_CALLIN) == 0 && 2427 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 2428 if (debug) 2429 addlog(" [don't insist on auth " 2430 "for callout]"); 2431 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2432 break; 2433 } 2434 if (debug) 2435 addlog("[access denied]\n"); 2436 lcp.Close(sp); 2437 break; 2438 } 2439 } 2440 if (debug) 2441 addlog("\n"); 2442 drop: 2443 free(buf, M_TEMP); 2444 return; 2445 } 2446 2447 /* 2448 * Analyze the LCP Configure-NAK option list, and adjust our 2449 * negotiation. 2450 */ 2451 static void 2452 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2453 { 2454 STDDCL; 2455 u_char *buf, *p, l, blen; 2456 uint32_t magic; 2457 2458 len -= 4; 2459 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 2460 if (!buf) 2461 return; 2462 2463 if (debug) 2464 log(LOG_DEBUG, "%s: lcp nak opts:", 2465 ifp->if_xname); 2466 2467 p = (void *)(h + 1); 2468 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2469 /* Sanity check option length */ 2470 if (l > len) { 2471 /* 2472 * Malicious option - drop immediately. 2473 * XXX Maybe we should just RXJ it? 2474 */ 2475 addlog("%s: received malicious LCP option, " 2476 "dropping.\n", ifp->if_xname); 2477 goto drop; 2478 } 2479 if (debug) 2480 addlog(" %s", sppp_lcp_opt_name(*p)); 2481 switch (*p) { 2482 case LCP_OPT_MAGIC: 2483 /* Magic number -- renegotiate */ 2484 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2485 len >= 6 && l == 6) { 2486 magic = (uint32_t)p[2] << 24 | 2487 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2488 /* 2489 * If the remote magic is our negated one, 2490 * this looks like a loopback problem. 2491 * Suggest a new magic to make sure. 2492 */ 2493 if (magic == ~sp->lcp.magic) { 2494 if (debug) 2495 addlog(" magic glitch"); 2496 sp->lcp.magic = cprng_fast32(); 2497 } else { 2498 sp->lcp.magic = magic; 2499 if (debug) 2500 addlog(" %d", magic); 2501 } 2502 } 2503 break; 2504 case LCP_OPT_MRU: 2505 /* 2506 * Peer wants to advise us to negotiate an MRU. 2507 * Agree on it if it's reasonable, or use 2508 * default otherwise. 2509 */ 2510 if (len >= 4 && l == 4) { 2511 u_int mru = p[2] * 256 + p[3]; 2512 if (debug) 2513 addlog(" %d", mru); 2514 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 2515 mru = sp->pp_if.if_mtu; 2516 sp->lcp.mru = mru; 2517 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2518 } 2519 break; 2520 case LCP_OPT_AUTH_PROTO: 2521 /* 2522 * Peer doesn't like our authentication method, 2523 * deny. 2524 */ 2525 if (debug) 2526 addlog("[access denied]\n"); 2527 lcp.Close(sp); 2528 break; 2529 } 2530 } 2531 if (debug) 2532 addlog("\n"); 2533 drop: 2534 free(buf, M_TEMP); 2535 return; 2536 } 2537 2538 static void 2539 sppp_lcp_tlu(struct sppp *sp) 2540 { 2541 struct ifnet *ifp = &sp->pp_if; 2542 int i; 2543 uint32_t mask; 2544 2545 /* XXX ? */ 2546 if (! (ifp->if_flags & IFF_UP) && 2547 (ifp->if_flags & IFF_RUNNING)) { 2548 /* Coming out of loopback mode. */ 2549 if_up(ifp); 2550 } 2551 2552 for (i = 0; i < IDX_COUNT; i++) 2553 if ((cps[i])->flags & CP_QUAL) 2554 (cps[i])->Open(sp); 2555 2556 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2557 (sp->pp_flags & PP_NEEDAUTH) != 0) 2558 sppp_change_phase(sp, SPPP_PHASE_AUTHENTICATE); 2559 else 2560 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 2561 2562 /* 2563 * Open all authentication protocols. This is even required 2564 * if we already proceeded to network phase, since it might be 2565 * that remote wants us to authenticate, so we might have to 2566 * send a PAP request. Undesired authentication protocols 2567 * don't do anything when they get an Open event. 2568 */ 2569 for (i = 0; i < IDX_COUNT; i++) 2570 if ((cps[i])->flags & CP_AUTH) 2571 (cps[i])->Open(sp); 2572 2573 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 2574 /* Notify all NCPs. */ 2575 for (i = 0; i < IDX_COUNT; i++) 2576 if ((cps[i])->flags & CP_NCP) 2577 (cps[i])->Open(sp); 2578 } 2579 2580 /* Send Up events to all started protos. */ 2581 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2582 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) 2583 (cps[i])->Up(sp); 2584 2585 /* notify low-level driver of state change */ 2586 if (sp->pp_chg) 2587 sp->pp_chg(sp, (int)sp->pp_phase); 2588 2589 if (sp->pp_phase == SPPP_PHASE_NETWORK) 2590 /* if no NCP is starting, close down */ 2591 sppp_lcp_check_and_close(sp); 2592 } 2593 2594 static void 2595 sppp_lcp_tld(struct sppp *sp) 2596 { 2597 int i; 2598 uint32_t mask; 2599 2600 sppp_change_phase(sp, SPPP_PHASE_TERMINATE); 2601 2602 /* 2603 * Take upper layers down. We send the Down event first and 2604 * the Close second to prevent the upper layers from sending 2605 * ``a flurry of terminate-request packets'', as the RFC 2606 * describes it. 2607 */ 2608 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2609 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2610 (cps[i])->Down(sp); 2611 (cps[i])->Close(sp); 2612 } 2613 } 2614 2615 static void 2616 sppp_lcp_tls(struct sppp *sp) 2617 { 2618 2619 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 2620 printf("%s: authentication failed %d times, not retrying again\n", 2621 sp->pp_if.if_xname, sp->pp_auth_failures); 2622 if_down(&sp->pp_if); 2623 return; 2624 } 2625 2626 sppp_change_phase(sp, SPPP_PHASE_ESTABLISH); 2627 2628 /* Notify lower layer if desired. */ 2629 if (sp->pp_tls) 2630 (sp->pp_tls)(sp); 2631 } 2632 2633 static void 2634 sppp_lcp_tlf(struct sppp *sp) 2635 { 2636 2637 sppp_change_phase(sp, SPPP_PHASE_DEAD); 2638 2639 /* Notify lower layer if desired. */ 2640 if (sp->pp_tlf) 2641 (sp->pp_tlf)(sp); 2642 } 2643 2644 static void 2645 sppp_lcp_scr(struct sppp *sp) 2646 { 2647 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2648 int i = 0; 2649 u_short authproto; 2650 2651 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2652 if (! sp->lcp.magic) 2653 sp->lcp.magic = cprng_fast32(); 2654 opt[i++] = LCP_OPT_MAGIC; 2655 opt[i++] = 6; 2656 opt[i++] = sp->lcp.magic >> 24; 2657 opt[i++] = sp->lcp.magic >> 16; 2658 opt[i++] = sp->lcp.magic >> 8; 2659 opt[i++] = sp->lcp.magic; 2660 } 2661 2662 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2663 opt[i++] = LCP_OPT_MRU; 2664 opt[i++] = 4; 2665 opt[i++] = sp->lcp.mru >> 8; 2666 opt[i++] = sp->lcp.mru; 2667 } 2668 2669 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2670 authproto = sp->hisauth.proto; 2671 opt[i++] = LCP_OPT_AUTH_PROTO; 2672 opt[i++] = authproto == PPP_CHAP? 5: 4; 2673 opt[i++] = authproto >> 8; 2674 opt[i++] = authproto; 2675 if (authproto == PPP_CHAP) 2676 opt[i++] = CHAP_MD5; 2677 } 2678 2679 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2680 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2681 } 2682 2683 /* 2684 * Check the open NCPs, return true if at least one NCP is open. 2685 */ 2686 static int 2687 sppp_ncp_check(struct sppp *sp) 2688 { 2689 int i, mask; 2690 2691 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2692 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2693 return 1; 2694 return 0; 2695 } 2696 2697 /* 2698 * Re-check the open NCPs and see if we should terminate the link. 2699 * Called by the NCPs during their tlf action handling. 2700 */ 2701 static void 2702 sppp_lcp_check_and_close(struct sppp *sp) 2703 { 2704 2705 if (sp->pp_phase < SPPP_PHASE_NETWORK) 2706 /* don't bother, we are already going down */ 2707 return; 2708 2709 if (sppp_ncp_check(sp)) 2710 return; 2711 2712 lcp.Close(sp); 2713 } 2714 2715 2716 /* 2717 *--------------------------------------------------------------------------* 2718 * * 2719 * The IPCP implementation. * 2720 * * 2721 *--------------------------------------------------------------------------* 2722 */ 2723 2724 static void 2725 sppp_ipcp_init(struct sppp *sp) 2726 { 2727 sp->ipcp.opts = 0; 2728 sp->ipcp.flags = 0; 2729 sp->state[IDX_IPCP] = STATE_INITIAL; 2730 sp->fail_counter[IDX_IPCP] = 0; 2731 sp->pp_seq[IDX_IPCP] = 0; 2732 sp->pp_rseq[IDX_IPCP] = 0; 2733 callout_init(&sp->ch[IDX_IPCP], 0); 2734 } 2735 2736 static void 2737 sppp_ipcp_up(struct sppp *sp) 2738 { 2739 sppp_up_event(&ipcp, sp); 2740 } 2741 2742 static void 2743 sppp_ipcp_down(struct sppp *sp) 2744 { 2745 sppp_down_event(&ipcp, sp); 2746 } 2747 2748 static void 2749 sppp_ipcp_open(struct sppp *sp) 2750 { 2751 STDDCL; 2752 uint32_t myaddr, hisaddr; 2753 2754 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 2755 sp->ipcp.req_myaddr = 0; 2756 sp->ipcp.req_hisaddr = 0; 2757 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 2758 2759 #ifdef INET 2760 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 2761 #else 2762 myaddr = hisaddr = 0; 2763 #endif 2764 /* 2765 * If we don't have his address, this probably means our 2766 * interface doesn't want to talk IP at all. (This could 2767 * be the case if somebody wants to speak only IPX, for 2768 * example.) Don't open IPCP in this case. 2769 */ 2770 if (hisaddr == 0) { 2771 /* XXX this message should go away */ 2772 if (debug) 2773 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 2774 ifp->if_xname); 2775 return; 2776 } 2777 2778 if (myaddr == 0) { 2779 /* 2780 * I don't have an assigned address, so i need to 2781 * negotiate my address. 2782 */ 2783 sp->ipcp.flags |= IPCP_MYADDR_DYN; 2784 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 2785 } 2786 if (hisaddr == 1) { 2787 /* 2788 * XXX - remove this hack! 2789 * remote has no valid address, we need to get one assigned. 2790 */ 2791 sp->ipcp.flags |= IPCP_HISADDR_DYN; 2792 } 2793 sppp_open_event(&ipcp, sp); 2794 } 2795 2796 static void 2797 sppp_ipcp_close(struct sppp *sp) 2798 { 2799 STDDCL; 2800 2801 sppp_close_event(&ipcp, sp); 2802 #ifdef INET 2803 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) 2804 /* 2805 * Some address was dynamic, clear it again. 2806 */ 2807 sppp_clear_ip_addrs(sp); 2808 #endif 2809 2810 if (sp->pp_saved_mtu > 0) { 2811 ifp->if_mtu = sp->pp_saved_mtu; 2812 sp->pp_saved_mtu = 0; 2813 if (debug) 2814 log(LOG_DEBUG, 2815 "%s: resetting MTU to %" PRIu64 " bytes\n", 2816 ifp->if_xname, ifp->if_mtu); 2817 } 2818 } 2819 2820 static void 2821 sppp_ipcp_TO(void *cookie) 2822 { 2823 sppp_to_event(&ipcp, (struct sppp *)cookie); 2824 } 2825 2826 /* 2827 * Analyze a configure request. Return true if it was agreeable, and 2828 * caused action sca, false if it has been rejected or nak'ed, and 2829 * caused action scn. (The return value is used to make the state 2830 * transition decision in the state automaton.) 2831 */ 2832 static int 2833 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2834 { 2835 u_char *buf, *r, *p, l, blen; 2836 struct ifnet *ifp = &sp->pp_if; 2837 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 2838 uint32_t hisaddr, desiredaddr; 2839 2840 len -= 4; 2841 origlen = len; 2842 /* 2843 * Make sure to allocate a buf that can at least hold a 2844 * conf-nak with an `address' option. We might need it below. 2845 */ 2846 blen = len < 6 ? 6 : len; 2847 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 2848 if (! buf) 2849 return (0); 2850 2851 /* pass 1: see if we can recognize them */ 2852 if (debug) 2853 log(LOG_DEBUG, "%s: ipcp parse opts:", 2854 ifp->if_xname); 2855 p = (void *)(h + 1); 2856 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2857 /* Sanity check option length */ 2858 if (l > len) { 2859 /* XXX should we just RXJ? */ 2860 addlog("%s: malicious IPCP option received, dropping\n", 2861 ifp->if_xname); 2862 goto drop; 2863 } 2864 if (debug) 2865 addlog(" %s", sppp_ipcp_opt_name(*p)); 2866 switch (*p) { 2867 #ifdef notyet 2868 case IPCP_OPT_COMPRESSION: 2869 if (len >= 6 && l >= 6) { 2870 /* correctly formed compress option */ 2871 continue; 2872 } 2873 if (debug) 2874 addlog(" [invalid]"); 2875 break; 2876 #endif 2877 case IPCP_OPT_ADDRESS: 2878 if (len >= 6 && l == 6) { 2879 /* correctly formed address option */ 2880 continue; 2881 } 2882 if (debug) 2883 addlog(" [invalid]"); 2884 break; 2885 default: 2886 /* Others not supported. */ 2887 if (debug) 2888 addlog(" [rej]"); 2889 break; 2890 } 2891 /* Add the option to rejected list. */ 2892 if (rlen + l > blen) { 2893 if (debug) 2894 addlog(" [overflow]"); 2895 continue; 2896 } 2897 memcpy(r, p, l); 2898 r += l; 2899 rlen += l; 2900 } 2901 if (rlen) { 2902 if (debug) 2903 addlog(" send conf-rej\n"); 2904 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 2905 goto end; 2906 } else if (debug) 2907 addlog("\n"); 2908 2909 /* pass 2: parse option values */ 2910 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 2911 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 2912 else 2913 #ifdef INET 2914 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 2915 #else 2916 hisaddr = 0; 2917 #endif 2918 if (debug) 2919 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 2920 ifp->if_xname); 2921 p = (void *)(h + 1); 2922 len = origlen; 2923 for (rlen=0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2924 if (debug) 2925 addlog(" %s", sppp_ipcp_opt_name(*p)); 2926 switch (*p) { 2927 #ifdef notyet 2928 case IPCP_OPT_COMPRESSION: 2929 continue; 2930 #endif 2931 case IPCP_OPT_ADDRESS: 2932 desiredaddr = p[2] << 24 | p[3] << 16 | 2933 p[4] << 8 | p[5]; 2934 if (desiredaddr == hisaddr || 2935 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 2936 /* 2937 * Peer's address is same as our value, 2938 * this is agreeable. Gonna conf-ack 2939 * it. 2940 */ 2941 if (debug) 2942 addlog(" %s [ack]", 2943 sppp_dotted_quad(hisaddr)); 2944 /* record that we've seen it already */ 2945 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 2946 sp->ipcp.req_hisaddr = desiredaddr; 2947 hisaddr = desiredaddr; 2948 continue; 2949 } 2950 /* 2951 * The address wasn't agreeable. This is either 2952 * he sent us 0.0.0.0, asking to assign him an 2953 * address, or he send us another address not 2954 * matching our value. Either case, we gonna 2955 * conf-nak it with our value. 2956 */ 2957 if (debug) { 2958 if (desiredaddr == 0) 2959 addlog(" [addr requested]"); 2960 else 2961 addlog(" %s [not agreed]", 2962 sppp_dotted_quad(desiredaddr)); 2963 } 2964 2965 p[2] = hisaddr >> 24; 2966 p[3] = hisaddr >> 16; 2967 p[4] = hisaddr >> 8; 2968 p[5] = hisaddr; 2969 break; 2970 } 2971 if (rlen + l > blen) { 2972 if (debug) 2973 addlog(" [overflow]"); 2974 continue; 2975 } 2976 /* Add the option to nak'ed list. */ 2977 memcpy(r, p, l); 2978 r += l; 2979 rlen += l; 2980 } 2981 2982 /* 2983 * If we are about to conf-ack the request, but haven't seen 2984 * his address so far, gonna conf-nak it instead, with the 2985 * `address' option present and our idea of his address being 2986 * filled in there, to request negotiation of both addresses. 2987 * 2988 * XXX This can result in an endless req - nak loop if peer 2989 * doesn't want to send us his address. Q: What should we do 2990 * about it? XXX A: implement the max-failure counter. 2991 */ 2992 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) { 2993 buf[0] = IPCP_OPT_ADDRESS; 2994 buf[1] = 6; 2995 buf[2] = hisaddr >> 24; 2996 buf[3] = hisaddr >> 16; 2997 buf[4] = hisaddr >> 8; 2998 buf[5] = hisaddr; 2999 rlen = 6; 3000 if (debug) 3001 addlog(" still need hisaddr"); 3002 } 3003 3004 if (rlen) { 3005 if (debug) 3006 addlog(" send conf-nak\n"); 3007 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3008 } else { 3009 if (debug) 3010 addlog(" send conf-ack\n"); 3011 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1); 3012 } 3013 3014 end: 3015 free(buf, M_TEMP); 3016 return (rlen == 0); 3017 3018 drop: 3019 free(buf, M_TEMP); 3020 return -1; 3021 } 3022 3023 /* 3024 * Analyze the IPCP Configure-Reject option list, and adjust our 3025 * negotiation. 3026 */ 3027 static void 3028 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3029 { 3030 u_char *buf, *p, l, blen; 3031 struct ifnet *ifp = &sp->pp_if; 3032 int debug = ifp->if_flags & IFF_DEBUG; 3033 3034 len -= 4; 3035 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3036 if (!buf) 3037 return; 3038 3039 if (debug) 3040 log(LOG_DEBUG, "%s: ipcp rej opts:", 3041 ifp->if_xname); 3042 3043 p = (void *)(h + 1); 3044 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3045 /* Sanity check option length */ 3046 if (l > len) { 3047 /* XXX should we just RXJ? */ 3048 addlog("%s: malicious IPCP option received, dropping\n", 3049 ifp->if_xname); 3050 goto drop; 3051 } 3052 if (debug) 3053 addlog(" %s", sppp_ipcp_opt_name(*p)); 3054 switch (*p) { 3055 case IPCP_OPT_ADDRESS: 3056 /* 3057 * Peer doesn't grok address option. This is 3058 * bad. XXX Should we better give up here? 3059 */ 3060 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3061 break; 3062 #ifdef notyet 3063 case IPCP_OPT_COMPRESS: 3064 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS); 3065 break; 3066 #endif 3067 } 3068 } 3069 if (debug) 3070 addlog("\n"); 3071 drop: 3072 free(buf, M_TEMP); 3073 return; 3074 } 3075 3076 /* 3077 * Analyze the IPCP Configure-NAK option list, and adjust our 3078 * negotiation. 3079 */ 3080 static void 3081 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3082 { 3083 u_char *p, l; 3084 struct ifnet *ifp = &sp->pp_if; 3085 int debug = ifp->if_flags & IFF_DEBUG; 3086 uint32_t wantaddr; 3087 3088 len -= 4; 3089 3090 if (debug) 3091 log(LOG_DEBUG, "%s: ipcp nak opts:", 3092 ifp->if_xname); 3093 3094 p = (void *)(h + 1); 3095 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3096 /* Sanity check option length */ 3097 if (l > len) { 3098 /* XXX should we just RXJ? */ 3099 addlog("%s: malicious IPCP option received, dropping\n", 3100 ifp->if_xname); 3101 return; 3102 } 3103 if (debug) 3104 addlog(" %s", sppp_ipcp_opt_name(*p)); 3105 switch (*p) { 3106 case IPCP_OPT_ADDRESS: 3107 /* 3108 * Peer doesn't like our local IP address. See 3109 * if we can do something for him. We'll drop 3110 * him our address then. 3111 */ 3112 if (len >= 6 && l == 6) { 3113 wantaddr = p[2] << 24 | p[3] << 16 | 3114 p[4] << 8 | p[5]; 3115 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3116 if (debug) 3117 addlog(" [wantaddr %s]", 3118 sppp_dotted_quad(wantaddr)); 3119 /* 3120 * When doing dynamic address assignment, 3121 * we accept his offer. Otherwise, we 3122 * ignore it and thus continue to negotiate 3123 * our already existing value. 3124 */ 3125 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3126 if (debug) 3127 addlog(" [agree]"); 3128 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3129 sp->ipcp.req_myaddr = wantaddr; 3130 } 3131 } 3132 break; 3133 3134 case IPCP_OPT_PRIMDNS: 3135 if (len >= 6 && l == 6) { 3136 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 3137 p[4] << 8 | p[5]; 3138 } 3139 break; 3140 3141 case IPCP_OPT_SECDNS: 3142 if (len >= 6 && l == 6) { 3143 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 3144 p[4] << 8 | p[5]; 3145 } 3146 break; 3147 #ifdef notyet 3148 case IPCP_OPT_COMPRESS: 3149 /* 3150 * Peer wants different compression parameters. 3151 */ 3152 break; 3153 #endif 3154 } 3155 } 3156 if (debug) 3157 addlog("\n"); 3158 } 3159 3160 static void 3161 sppp_ipcp_tlu(struct sppp *sp) 3162 { 3163 #ifdef INET 3164 /* we are up. Set addresses and notify anyone interested */ 3165 STDDCL; 3166 uint32_t myaddr, hisaddr; 3167 3168 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3169 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 3170 myaddr = sp->ipcp.req_myaddr; 3171 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 3172 hisaddr = sp->ipcp.req_hisaddr; 3173 sppp_set_ip_addrs(sp, myaddr, hisaddr); 3174 3175 if (ifp->if_mtu > sp->lcp.their_mru) { 3176 sp->pp_saved_mtu = ifp->if_mtu; 3177 ifp->if_mtu = sp->lcp.their_mru; 3178 if (debug) 3179 log(LOG_DEBUG, 3180 "%s: setting MTU to %" PRIu64 " bytes\n", 3181 ifp->if_xname, ifp->if_mtu); 3182 } 3183 3184 if (sp->pp_con) 3185 sp->pp_con(sp); 3186 #endif 3187 } 3188 3189 static void 3190 sppp_ipcp_tld(struct sppp *sp) 3191 { 3192 } 3193 3194 static void 3195 sppp_ipcp_tls(struct sppp *sp) 3196 { 3197 /* indicate to LCP that it must stay alive */ 3198 sp->lcp.protos |= (1 << IDX_IPCP); 3199 } 3200 3201 static void 3202 sppp_ipcp_tlf(struct sppp *sp) 3203 { 3204 /* we no longer need LCP */ 3205 sp->lcp.protos &= ~(1 << IDX_IPCP); 3206 } 3207 3208 static void 3209 sppp_ipcp_scr(struct sppp *sp) 3210 { 3211 char opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 3212 #ifdef INET 3213 uint32_t ouraddr; 3214 #endif 3215 int i = 0; 3216 3217 #ifdef notyet 3218 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3219 opt[i++] = IPCP_OPT_COMPRESSION; 3220 opt[i++] = 6; 3221 opt[i++] = 0; /* VJ header compression */ 3222 opt[i++] = 0x2d; /* VJ header compression */ 3223 opt[i++] = max_slot_id; 3224 opt[i++] = comp_slot_id; 3225 } 3226 #endif 3227 3228 #ifdef INET 3229 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3230 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) 3231 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 3232 else 3233 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3234 opt[i++] = IPCP_OPT_ADDRESS; 3235 opt[i++] = 6; 3236 opt[i++] = ouraddr >> 24; 3237 opt[i++] = ouraddr >> 16; 3238 opt[i++] = ouraddr >> 8; 3239 opt[i++] = ouraddr; 3240 } 3241 #endif 3242 3243 if (sp->query_dns & 1) { 3244 opt[i++] = IPCP_OPT_PRIMDNS; 3245 opt[i++] = 6; 3246 opt[i++] = sp->dns_addrs[0] >> 24; 3247 opt[i++] = sp->dns_addrs[0] >> 16; 3248 opt[i++] = sp->dns_addrs[0] >> 8; 3249 opt[i++] = sp->dns_addrs[0]; 3250 } 3251 if (sp->query_dns & 2) { 3252 opt[i++] = IPCP_OPT_SECDNS; 3253 opt[i++] = 6; 3254 opt[i++] = sp->dns_addrs[1] >> 24; 3255 opt[i++] = sp->dns_addrs[1] >> 16; 3256 opt[i++] = sp->dns_addrs[1] >> 8; 3257 opt[i++] = sp->dns_addrs[1]; 3258 } 3259 3260 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3261 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3262 } 3263 3264 3265 /* 3266 *--------------------------------------------------------------------------* 3267 * * 3268 * The IPv6CP implementation. * 3269 * * 3270 *--------------------------------------------------------------------------* 3271 */ 3272 3273 #ifdef INET6 3274 static void 3275 sppp_ipv6cp_init(struct sppp *sp) 3276 { 3277 sp->ipv6cp.opts = 0; 3278 sp->ipv6cp.flags = 0; 3279 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3280 sp->fail_counter[IDX_IPV6CP] = 0; 3281 sp->pp_seq[IDX_IPV6CP] = 0; 3282 sp->pp_rseq[IDX_IPV6CP] = 0; 3283 callout_init(&sp->ch[IDX_IPV6CP], 0); 3284 } 3285 3286 static void 3287 sppp_ipv6cp_up(struct sppp *sp) 3288 { 3289 sppp_up_event(&ipv6cp, sp); 3290 } 3291 3292 static void 3293 sppp_ipv6cp_down(struct sppp *sp) 3294 { 3295 sppp_down_event(&ipv6cp, sp); 3296 } 3297 3298 static void 3299 sppp_ipv6cp_open(struct sppp *sp) 3300 { 3301 STDDCL; 3302 struct in6_addr myaddr, hisaddr; 3303 3304 #ifdef IPV6CP_MYIFID_DYN 3305 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3306 #else 3307 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3308 #endif 3309 3310 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3311 /* 3312 * If we don't have our address, this probably means our 3313 * interface doesn't want to talk IPv6 at all. (This could 3314 * be the case if somebody wants to speak only IPX, for 3315 * example.) Don't open IPv6CP in this case. 3316 */ 3317 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3318 /* XXX this message should go away */ 3319 if (debug) 3320 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 3321 ifp->if_xname); 3322 return; 3323 } 3324 3325 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3326 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3327 sppp_open_event(&ipv6cp, sp); 3328 } 3329 3330 static void 3331 sppp_ipv6cp_close(struct sppp *sp) 3332 { 3333 sppp_close_event(&ipv6cp, sp); 3334 } 3335 3336 static void 3337 sppp_ipv6cp_TO(void *cookie) 3338 { 3339 sppp_to_event(&ipv6cp, (struct sppp *)cookie); 3340 } 3341 3342 /* 3343 * Analyze a configure request. Return true if it was agreeable, and 3344 * caused action sca, false if it has been rejected or nak'ed, and 3345 * caused action scn. (The return value is used to make the state 3346 * transition decision in the state automaton.) 3347 */ 3348 static int 3349 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3350 { 3351 u_char *buf, *r, *p, l, blen; 3352 struct ifnet *ifp = &sp->pp_if; 3353 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3354 struct in6_addr myaddr, desiredaddr, suggestaddr; 3355 int ifidcount; 3356 int type; 3357 int collision, nohisaddr; 3358 3359 len -= 4; 3360 origlen = len; 3361 /* 3362 * Make sure to allocate a buf that can at least hold a 3363 * conf-nak with an `address' option. We might need it below. 3364 */ 3365 blen = len < 6 ? 6 : len; 3366 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3367 if (! buf) 3368 return (0); 3369 3370 /* pass 1: see if we can recognize them */ 3371 if (debug) 3372 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 3373 ifp->if_xname); 3374 p = (void *)(h + 1); 3375 ifidcount = 0; 3376 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3377 /* Sanity check option length */ 3378 if (l > len) { 3379 /* XXX just RXJ? */ 3380 addlog("%s: received malicious IPCPv6 option, " 3381 "dropping\n", ifp->if_xname); 3382 goto drop; 3383 } 3384 if (debug) 3385 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3386 switch (*p) { 3387 case IPV6CP_OPT_IFID: 3388 if (len >= 10 && l == 10 && ifidcount == 0) { 3389 /* correctly formed address option */ 3390 ifidcount++; 3391 continue; 3392 } 3393 if (debug) 3394 addlog(" [invalid]"); 3395 break; 3396 #ifdef notyet 3397 case IPV6CP_OPT_COMPRESSION: 3398 if (len >= 4 && l >= 4) { 3399 /* correctly formed compress option */ 3400 continue; 3401 } 3402 if (debug) 3403 addlog(" [invalid]"); 3404 break; 3405 #endif 3406 default: 3407 /* Others not supported. */ 3408 if (debug) 3409 addlog(" [rej]"); 3410 break; 3411 } 3412 if (rlen + l > blen) { 3413 if (debug) 3414 addlog(" [overflow]"); 3415 continue; 3416 } 3417 /* Add the option to rejected list. */ 3418 memcpy(r, p, l); 3419 r += l; 3420 rlen += l; 3421 } 3422 if (rlen) { 3423 if (debug) 3424 addlog(" send conf-rej\n"); 3425 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3426 goto end; 3427 } else if (debug) 3428 addlog("\n"); 3429 3430 /* pass 2: parse option values */ 3431 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3432 if (debug) 3433 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 3434 ifp->if_xname); 3435 p = (void *)(h + 1); 3436 len = origlen; 3437 type = CONF_ACK; 3438 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3439 if (debug) 3440 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3441 switch (*p) { 3442 #ifdef notyet 3443 case IPV6CP_OPT_COMPRESSION: 3444 continue; 3445 #endif 3446 case IPV6CP_OPT_IFID: 3447 memset(&desiredaddr, 0, sizeof(desiredaddr)); 3448 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 3449 collision = (memcmp(&desiredaddr.s6_addr[8], 3450 &myaddr.s6_addr[8], 8) == 0); 3451 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3452 3453 desiredaddr.s6_addr16[0] = htons(0xfe80); 3454 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 3455 3456 if (!collision && !nohisaddr) { 3457 /* no collision, hisaddr known - Conf-Ack */ 3458 type = CONF_ACK; 3459 3460 if (debug) { 3461 addlog(" %s [%s]", 3462 ip6_sprintf(&desiredaddr), 3463 sppp_cp_type_name(type)); 3464 } 3465 continue; 3466 } 3467 3468 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3469 if (collision && nohisaddr) { 3470 /* collision, hisaddr unknown - Conf-Rej */ 3471 type = CONF_REJ; 3472 memset(&p[2], 0, 8); 3473 } else { 3474 /* 3475 * - no collision, hisaddr unknown, or 3476 * - collision, hisaddr known 3477 * Conf-Nak, suggest hisaddr 3478 */ 3479 type = CONF_NAK; 3480 sppp_suggest_ip6_addr(sp, &suggestaddr); 3481 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 3482 } 3483 if (debug) 3484 addlog(" %s [%s]", ip6_sprintf(&desiredaddr), 3485 sppp_cp_type_name(type)); 3486 break; 3487 } 3488 if (rlen + l > blen) { 3489 if (debug) 3490 addlog(" [overflow]"); 3491 continue; 3492 } 3493 /* Add the option to nak'ed list. */ 3494 memcpy(r, p, l); 3495 r += l; 3496 rlen += l; 3497 } 3498 3499 if (rlen == 0 && type == CONF_ACK) { 3500 if (debug) 3501 addlog(" send %s\n", sppp_cp_type_name(type)); 3502 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1); 3503 } else { 3504 #ifdef notdef 3505 if (type == CONF_ACK) 3506 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3507 #endif 3508 3509 if (debug) { 3510 addlog(" send %s suggest %s\n", 3511 sppp_cp_type_name(type), ip6_sprintf(&suggestaddr)); 3512 } 3513 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3514 } 3515 3516 end: 3517 free(buf, M_TEMP); 3518 return (rlen == 0); 3519 3520 drop: 3521 free(buf, M_TEMP); 3522 return -1; 3523 } 3524 3525 /* 3526 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3527 * negotiation. 3528 */ 3529 static void 3530 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3531 { 3532 u_char *buf, *p, l, blen; 3533 struct ifnet *ifp = &sp->pp_if; 3534 int debug = ifp->if_flags & IFF_DEBUG; 3535 3536 len -= 4; 3537 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3538 if (!buf) 3539 return; 3540 3541 if (debug) 3542 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 3543 ifp->if_xname); 3544 3545 p = (void *)(h + 1); 3546 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3547 if (l > len) { 3548 /* XXX just RXJ? */ 3549 addlog("%s: received malicious IPCPv6 option, " 3550 "dropping\n", ifp->if_xname); 3551 goto drop; 3552 } 3553 if (debug) 3554 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3555 switch (*p) { 3556 case IPV6CP_OPT_IFID: 3557 /* 3558 * Peer doesn't grok address option. This is 3559 * bad. XXX Should we better give up here? 3560 */ 3561 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3562 break; 3563 #ifdef notyet 3564 case IPV6CP_OPT_COMPRESS: 3565 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3566 break; 3567 #endif 3568 } 3569 } 3570 if (debug) 3571 addlog("\n"); 3572 drop: 3573 free(buf, M_TEMP); 3574 return; 3575 } 3576 3577 /* 3578 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3579 * negotiation. 3580 */ 3581 static void 3582 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3583 { 3584 u_char *buf, *p, l, blen; 3585 struct ifnet *ifp = &sp->pp_if; 3586 int debug = ifp->if_flags & IFF_DEBUG; 3587 struct in6_addr suggestaddr; 3588 3589 len -= 4; 3590 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3591 if (!buf) 3592 return; 3593 3594 if (debug) 3595 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 3596 ifp->if_xname); 3597 3598 p = (void *)(h + 1); 3599 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3600 if (l > len) { 3601 /* XXX just RXJ? */ 3602 addlog("%s: received malicious IPCPv6 option, " 3603 "dropping\n", ifp->if_xname); 3604 goto drop; 3605 } 3606 if (debug) 3607 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3608 switch (*p) { 3609 case IPV6CP_OPT_IFID: 3610 /* 3611 * Peer doesn't like our local ifid. See 3612 * if we can do something for him. We'll drop 3613 * him our address then. 3614 */ 3615 if (len < 10 || l != 10) 3616 break; 3617 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3618 suggestaddr.s6_addr16[0] = htons(0xfe80); 3619 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 3620 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 3621 3622 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3623 if (debug) 3624 addlog(" [suggestaddr %s]", 3625 ip6_sprintf(&suggestaddr)); 3626 #ifdef IPV6CP_MYIFID_DYN 3627 /* 3628 * When doing dynamic address assignment, 3629 * we accept his offer. 3630 */ 3631 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3632 struct in6_addr lastsuggest; 3633 /* 3634 * If <suggested myaddr from peer> equals to 3635 * <hisaddr we have suggested last time>, 3636 * we have a collision. generate new random 3637 * ifid. 3638 */ 3639 sppp_suggest_ip6_addr(&lastsuggest); 3640 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3641 lastsuggest)) { 3642 if (debug) 3643 addlog(" [random]"); 3644 sppp_gen_ip6_addr(sp, &suggestaddr); 3645 } 3646 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3647 if (debug) 3648 addlog(" [agree]"); 3649 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3650 } 3651 #else 3652 /* 3653 * Since we do not do dynamic address assignment, 3654 * we ignore it and thus continue to negotiate 3655 * our already existing value. This can possibly 3656 * go into infinite request-reject loop. 3657 * 3658 * This is not likely because we normally use 3659 * ifid based on MAC-address. 3660 * If you have no ethernet card on the node, too bad. 3661 * XXX should we use fail_counter? 3662 */ 3663 #endif 3664 break; 3665 #ifdef notyet 3666 case IPV6CP_OPT_COMPRESS: 3667 /* 3668 * Peer wants different compression parameters. 3669 */ 3670 break; 3671 #endif 3672 } 3673 } 3674 if (debug) 3675 addlog("\n"); 3676 drop: 3677 free(buf, M_TEMP); 3678 return; 3679 } 3680 3681 static void 3682 sppp_ipv6cp_tlu(struct sppp *sp) 3683 { 3684 /* we are up - notify isdn daemon */ 3685 if (sp->pp_con) 3686 sp->pp_con(sp); 3687 } 3688 3689 static void 3690 sppp_ipv6cp_tld(struct sppp *sp) 3691 { 3692 } 3693 3694 static void 3695 sppp_ipv6cp_tls(struct sppp *sp) 3696 { 3697 /* indicate to LCP that it must stay alive */ 3698 sp->lcp.protos |= (1 << IDX_IPV6CP); 3699 } 3700 3701 static void 3702 sppp_ipv6cp_tlf(struct sppp *sp) 3703 { 3704 /* we no longer need LCP */ 3705 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3706 } 3707 3708 static void 3709 sppp_ipv6cp_scr(struct sppp *sp) 3710 { 3711 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3712 struct in6_addr ouraddr; 3713 int i = 0; 3714 3715 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3716 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3717 opt[i++] = IPV6CP_OPT_IFID; 3718 opt[i++] = 10; 3719 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 3720 i += 8; 3721 } 3722 3723 #ifdef notyet 3724 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 3725 opt[i++] = IPV6CP_OPT_COMPRESSION; 3726 opt[i++] = 4; 3727 opt[i++] = 0; /* TBD */ 3728 opt[i++] = 0; /* TBD */ 3729 /* variable length data may follow */ 3730 } 3731 #endif 3732 3733 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 3734 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 3735 } 3736 #else /*INET6*/ 3737 static void 3738 sppp_ipv6cp_init(struct sppp *sp) 3739 { 3740 } 3741 3742 static void 3743 sppp_ipv6cp_up(struct sppp *sp) 3744 { 3745 } 3746 3747 static void 3748 sppp_ipv6cp_down(struct sppp *sp) 3749 { 3750 } 3751 3752 static void 3753 sppp_ipv6cp_open(struct sppp *sp) 3754 { 3755 } 3756 3757 static void 3758 sppp_ipv6cp_close(struct sppp *sp) 3759 { 3760 } 3761 3762 static void 3763 sppp_ipv6cp_TO(void *sp) 3764 { 3765 } 3766 3767 static int 3768 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, 3769 int len) 3770 { 3771 return 0; 3772 } 3773 3774 static void 3775 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, 3776 int len) 3777 { 3778 } 3779 3780 static void 3781 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, 3782 int len) 3783 { 3784 } 3785 3786 static void 3787 sppp_ipv6cp_tlu(struct sppp *sp) 3788 { 3789 } 3790 3791 static void 3792 sppp_ipv6cp_tld(struct sppp *sp) 3793 { 3794 } 3795 3796 static void 3797 sppp_ipv6cp_tls(struct sppp *sp) 3798 { 3799 } 3800 3801 static void 3802 sppp_ipv6cp_tlf(struct sppp *sp) 3803 { 3804 } 3805 3806 static void 3807 sppp_ipv6cp_scr(struct sppp *sp) 3808 { 3809 } 3810 #endif /*INET6*/ 3811 3812 3813 /* 3814 *--------------------------------------------------------------------------* 3815 * * 3816 * The CHAP implementation. * 3817 * * 3818 *--------------------------------------------------------------------------* 3819 */ 3820 3821 /* 3822 * The authentication protocols don't employ a full-fledged state machine as 3823 * the control protocols do, since they do have Open and Close events, but 3824 * not Up and Down, nor are they explicitly terminated. Also, use of the 3825 * authentication protocols may be different in both directions (this makes 3826 * sense, think of a machine that never accepts incoming calls but only 3827 * calls out, it doesn't require the called party to authenticate itself). 3828 * 3829 * Our state machine for the local authentication protocol (we are requesting 3830 * the peer to authenticate) looks like: 3831 * 3832 * RCA- 3833 * +--------------------------------------------+ 3834 * V scn,tld| 3835 * +--------+ Close +---------+ RCA+ 3836 * | |<----------------------------------| |------+ 3837 * +--->| Closed | TO* | Opened | sca | 3838 * | | |-----+ +-------| |<-----+ 3839 * | +--------+ irc | | +---------+ 3840 * | ^ | | ^ 3841 * | | | | | 3842 * | | | | | 3843 * | TO-| | | | 3844 * | |tld TO+ V | | 3845 * | | +------->+ | | 3846 * | | | | | | 3847 * | +--------+ V | | 3848 * | | |<----+<--------------------+ | 3849 * | | Req- | scr | 3850 * | | Sent | | 3851 * | | | | 3852 * | +--------+ | 3853 * | RCA- | | RCA+ | 3854 * +------+ +------------------------------------------+ 3855 * scn,tld sca,irc,ict,tlu 3856 * 3857 * 3858 * with: 3859 * 3860 * Open: LCP reached authentication phase 3861 * Close: LCP reached terminate phase 3862 * 3863 * RCA+: received reply (pap-req, chap-response), acceptable 3864 * RCN: received reply (pap-req, chap-response), not acceptable 3865 * TO+: timeout with restart counter >= 0 3866 * TO-: timeout with restart counter < 0 3867 * TO*: reschedule timeout for CHAP 3868 * 3869 * scr: send request packet (none for PAP, chap-challenge) 3870 * sca: send ack packet (pap-ack, chap-success) 3871 * scn: send nak packet (pap-nak, chap-failure) 3872 * ict: initialize re-challenge timer (CHAP only) 3873 * 3874 * tlu: this-layer-up, LCP reaches network phase 3875 * tld: this-layer-down, LCP enters terminate phase 3876 * 3877 * Note that in CHAP mode, after sending a new challenge, while the state 3878 * automaton falls back into Req-Sent state, it doesn't signal a tld 3879 * event to LCP, so LCP remains in network phase. Only after not getting 3880 * any response (or after getting an unacceptable response), CHAP closes, 3881 * causing LCP to enter terminate phase. 3882 * 3883 * With PAP, there is no initial request that can be sent. The peer is 3884 * expected to send one based on the successful negotiation of PAP as 3885 * the authentication protocol during the LCP option negotiation. 3886 * 3887 * Incoming authentication protocol requests (remote requests 3888 * authentication, we are peer) don't employ a state machine at all, 3889 * they are simply answered. Some peers [Ascend P50 firmware rev 3890 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are 3891 * still in authentication phase (thereby violating the standard that 3892 * demands that these NCP packets are to be discarded), so we keep 3893 * track of the peer demanding us to authenticate, and only proceed to 3894 * phase network once we've seen a positive acknowledge for the 3895 * authentication. 3896 */ 3897 3898 /* 3899 * Handle incoming CHAP packets. 3900 */ 3901 void 3902 sppp_chap_input(struct sppp *sp, struct mbuf *m) 3903 { 3904 STDDCL; 3905 struct lcp_header *h; 3906 int len, x; 3907 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize; 3908 int value_len, name_len; 3909 MD5_CTX ctx; 3910 3911 len = m->m_pkthdr.len; 3912 if (len < 4) { 3913 if (debug) 3914 log(LOG_DEBUG, 3915 "%s: chap invalid packet length: %d bytes\n", 3916 ifp->if_xname, len); 3917 return; 3918 } 3919 h = mtod(m, struct lcp_header *); 3920 if (len > ntohs(h->len)) 3921 len = ntohs(h->len); 3922 3923 switch (h->type) { 3924 /* challenge, failure and success are his authproto */ 3925 case CHAP_CHALLENGE: 3926 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 3927 /* can't do anything useful */ 3928 sp->pp_auth_failures++; 3929 printf("%s: chap input without my name and my secret being set\n", 3930 ifp->if_xname); 3931 break; 3932 } 3933 value = 1 + (u_char *)(h + 1); 3934 value_len = value[-1]; 3935 name = value + value_len; 3936 name_len = len - value_len - 5; 3937 if (name_len < 0) { 3938 if (debug) { 3939 log(LOG_DEBUG, 3940 "%s: chap corrupted challenge " 3941 "<%s id=0x%x len=%d", 3942 ifp->if_xname, 3943 sppp_auth_type_name(PPP_CHAP, h->type), 3944 h->ident, ntohs(h->len)); 3945 if (len > 4) 3946 sppp_print_bytes((u_char *)(h + 1), 3947 len - 4); 3948 addlog(">\n"); 3949 } 3950 break; 3951 } 3952 3953 if (debug) { 3954 log(LOG_DEBUG, 3955 "%s: chap input <%s id=0x%x len=%d name=", 3956 ifp->if_xname, 3957 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 3958 ntohs(h->len)); 3959 sppp_print_string((char *) name, name_len); 3960 addlog(" value-size=%d value=", value_len); 3961 sppp_print_bytes(value, value_len); 3962 addlog(">\n"); 3963 } 3964 3965 /* Compute reply value. */ 3966 MD5Init(&ctx); 3967 MD5Update(&ctx, &h->ident, 1); 3968 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 3969 MD5Update(&ctx, value, value_len); 3970 MD5Final(digest, &ctx); 3971 dsize = sizeof digest; 3972 3973 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 3974 sizeof dsize, (const char *)&dsize, 3975 sizeof digest, digest, 3976 sp->myauth.name_len, 3977 sp->myauth.name, 3978 0); 3979 break; 3980 3981 case CHAP_SUCCESS: 3982 if (debug) { 3983 log(LOG_DEBUG, "%s: chap success", 3984 ifp->if_xname); 3985 if (len > 4) { 3986 addlog(": "); 3987 sppp_print_string((char *)(h + 1), len - 4); 3988 } 3989 addlog("\n"); 3990 } 3991 x = splnet(); 3992 sp->pp_auth_failures = 0; 3993 sp->pp_flags &= ~PP_NEEDAUTH; 3994 if (sp->myauth.proto == PPP_CHAP && 3995 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 3996 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 3997 /* 3998 * We are authenticator for CHAP but didn't 3999 * complete yet. Leave it to tlu to proceed 4000 * to network phase. 4001 */ 4002 splx(x); 4003 break; 4004 } 4005 splx(x); 4006 sppp_phase_network(sp); 4007 break; 4008 4009 case CHAP_FAILURE: 4010 x = splnet(); 4011 sp->pp_auth_failures++; 4012 splx(x); 4013 if (debug) { 4014 log(LOG_INFO, "%s: chap failure", 4015 ifp->if_xname); 4016 if (len > 4) { 4017 addlog(": "); 4018 sppp_print_string((char *)(h + 1), len - 4); 4019 } 4020 addlog("\n"); 4021 } else 4022 log(LOG_INFO, "%s: chap failure\n", 4023 ifp->if_xname); 4024 /* await LCP shutdown by authenticator */ 4025 break; 4026 4027 /* response is my authproto */ 4028 case CHAP_RESPONSE: 4029 if (sp->hisauth.secret == NULL) { 4030 /* can't do anything useful */ 4031 printf("%s: chap input without his secret being set\n", 4032 ifp->if_xname); 4033 break; 4034 } 4035 value = 1 + (u_char *)(h + 1); 4036 value_len = value[-1]; 4037 name = value + value_len; 4038 name_len = len - value_len - 5; 4039 if (name_len < 0) { 4040 if (debug) { 4041 log(LOG_DEBUG, 4042 "%s: chap corrupted response " 4043 "<%s id=0x%x len=%d", 4044 ifp->if_xname, 4045 sppp_auth_type_name(PPP_CHAP, h->type), 4046 h->ident, ntohs(h->len)); 4047 if (len > 4) 4048 sppp_print_bytes((u_char *)(h + 1), 4049 len - 4); 4050 addlog(">\n"); 4051 } 4052 break; 4053 } 4054 if (h->ident != sp->confid[IDX_CHAP]) { 4055 if (debug) 4056 log(LOG_DEBUG, 4057 "%s: chap dropping response for old ID " 4058 "(got %d, expected %d)\n", 4059 ifp->if_xname, 4060 h->ident, sp->confid[IDX_CHAP]); 4061 break; 4062 } 4063 if (sp->hisauth.name != NULL && 4064 (name_len != sp->hisauth.name_len 4065 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 4066 log(LOG_INFO, "%s: chap response, his name ", 4067 ifp->if_xname); 4068 sppp_print_string(name, name_len); 4069 addlog(" != expected "); 4070 sppp_print_string(sp->hisauth.name, 4071 sp->hisauth.name_len); 4072 addlog("\n"); 4073 goto chap_failure; 4074 } 4075 if (debug) { 4076 log(LOG_DEBUG, "%s: chap input(%s) " 4077 "<%s id=0x%x len=%d name=", 4078 ifp->if_xname, 4079 sppp_state_name(sp->state[IDX_CHAP]), 4080 sppp_auth_type_name(PPP_CHAP, h->type), 4081 h->ident, ntohs(h->len)); 4082 sppp_print_string((char *)name, name_len); 4083 addlog(" value-size=%d value=", value_len); 4084 sppp_print_bytes(value, value_len); 4085 addlog(">\n"); 4086 } 4087 if (value_len != sizeof(sp->hisauth.challenge)) { 4088 if (debug) 4089 log(LOG_DEBUG, 4090 "%s: chap bad hash value length: " 4091 "%d bytes, should be %zu\n", 4092 ifp->if_xname, value_len, 4093 sizeof(sp->hisauth.challenge)); 4094 goto chap_failure; 4095 } 4096 4097 MD5Init(&ctx); 4098 MD5Update(&ctx, &h->ident, 1); 4099 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 4100 MD5Update(&ctx, sp->hisauth.challenge, sizeof(sp->hisauth.challenge)); 4101 MD5Final(digest, &ctx); 4102 4103 #define FAILMSG "Failed..." 4104 #define SUCCMSG "Welcome!" 4105 4106 if (value_len != sizeof digest || 4107 memcmp(digest, value, value_len) != 0) { 4108 chap_failure: 4109 /* action scn, tld */ 4110 x = splnet(); 4111 sp->pp_auth_failures++; 4112 splx(x); 4113 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4114 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4115 0); 4116 chap.tld(sp); 4117 break; 4118 } 4119 sp->pp_auth_failures = 0; 4120 /* action sca, perhaps tlu */ 4121 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4122 sp->state[IDX_CHAP] == STATE_OPENED) 4123 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4124 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4125 0); 4126 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4127 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4128 chap.tlu(sp); 4129 } 4130 break; 4131 4132 default: 4133 /* Unknown CHAP packet type -- ignore. */ 4134 if (debug) { 4135 log(LOG_DEBUG, "%s: chap unknown input(%s) " 4136 "<0x%x id=0x%xh len=%d", 4137 ifp->if_xname, 4138 sppp_state_name(sp->state[IDX_CHAP]), 4139 h->type, h->ident, ntohs(h->len)); 4140 if (len > 4) 4141 sppp_print_bytes((u_char *)(h + 1), len - 4); 4142 addlog(">\n"); 4143 } 4144 break; 4145 4146 } 4147 } 4148 4149 static void 4150 sppp_chap_init(struct sppp *sp) 4151 { 4152 /* Chap doesn't have STATE_INITIAL at all. */ 4153 sp->state[IDX_CHAP] = STATE_CLOSED; 4154 sp->fail_counter[IDX_CHAP] = 0; 4155 sp->pp_seq[IDX_CHAP] = 0; 4156 sp->pp_rseq[IDX_CHAP] = 0; 4157 callout_init(&sp->ch[IDX_CHAP], 0); 4158 } 4159 4160 static void 4161 sppp_chap_open(struct sppp *sp) 4162 { 4163 if (sp->hisauth.proto == PPP_CHAP && 4164 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4165 /* we are authenticator for CHAP, start it */ 4166 chap.scr(sp); 4167 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4168 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4169 } 4170 /* nothing to be done if we are peer, await a challenge */ 4171 } 4172 4173 static void 4174 sppp_chap_close(struct sppp *sp) 4175 { 4176 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4177 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4178 } 4179 4180 static void 4181 sppp_chap_TO(void *cookie) 4182 { 4183 struct sppp *sp = (struct sppp *)cookie; 4184 STDDCL; 4185 int s; 4186 4187 s = splnet(); 4188 if (debug) 4189 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n", 4190 ifp->if_xname, 4191 sppp_state_name(sp->state[IDX_CHAP]), 4192 sp->rst_counter[IDX_CHAP]); 4193 4194 if (--sp->rst_counter[IDX_CHAP] < 0) 4195 /* TO- event */ 4196 switch (sp->state[IDX_CHAP]) { 4197 case STATE_REQ_SENT: 4198 chap.tld(sp); 4199 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4200 break; 4201 } 4202 else 4203 /* TO+ (or TO*) event */ 4204 switch (sp->state[IDX_CHAP]) { 4205 case STATE_OPENED: 4206 /* TO* event */ 4207 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4208 /* fall through */ 4209 case STATE_REQ_SENT: 4210 chap.scr(sp); 4211 /* sppp_cp_change_state() will restart the timer */ 4212 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4213 break; 4214 } 4215 4216 splx(s); 4217 } 4218 4219 static void 4220 sppp_chap_tlu(struct sppp *sp) 4221 { 4222 STDDCL; 4223 int i, x; 4224 4225 i = 0; 4226 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4227 4228 /* 4229 * Some broken CHAP implementations (Conware CoNet, firmware 4230 * 4.0.?) don't want to re-authenticate their CHAP once the 4231 * initial challenge-response exchange has taken place. 4232 * Provide for an option to avoid rechallenges. 4233 */ 4234 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 4235 /* 4236 * Compute the re-challenge timeout. This will yield 4237 * a number between 300 and 810 seconds. 4238 */ 4239 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7); 4240 4241 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp); 4242 } 4243 4244 if (debug) { 4245 log(LOG_DEBUG, 4246 "%s: chap %s, ", 4247 ifp->if_xname, 4248 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu"); 4249 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) 4250 addlog("next re-challenge in %d seconds\n", i); 4251 else 4252 addlog("re-challenging supressed\n"); 4253 } 4254 4255 x = splnet(); 4256 sp->pp_auth_failures = 0; 4257 /* indicate to LCP that we need to be closed down */ 4258 sp->lcp.protos |= (1 << IDX_CHAP); 4259 4260 if (sp->pp_flags & PP_NEEDAUTH) { 4261 /* 4262 * Remote is authenticator, but his auth proto didn't 4263 * complete yet. Defer the transition to network 4264 * phase. 4265 */ 4266 splx(x); 4267 return; 4268 } 4269 splx(x); 4270 4271 /* 4272 * If we are already in phase network, we are done here. This 4273 * is the case if this is a dummy tlu event after a re-challenge. 4274 */ 4275 if (sp->pp_phase != SPPP_PHASE_NETWORK) 4276 sppp_phase_network(sp); 4277 } 4278 4279 static void 4280 sppp_chap_tld(struct sppp *sp) 4281 { 4282 STDDCL; 4283 4284 if (debug) 4285 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname); 4286 callout_stop(&sp->ch[IDX_CHAP]); 4287 sp->lcp.protos &= ~(1 << IDX_CHAP); 4288 4289 lcp.Close(sp); 4290 } 4291 4292 static void 4293 sppp_chap_scr(struct sppp *sp) 4294 { 4295 uint32_t *ch; 4296 u_char clen = 4 * sizeof(uint32_t); 4297 4298 if (sp->hisauth.name == NULL) { 4299 /* can't do anything useful */ 4300 printf("%s: chap starting without his name being set\n", 4301 sp->pp_if.if_xname); 4302 return; 4303 } 4304 4305 /* Compute random challenge. */ 4306 ch = (uint32_t *)sp->hisauth.challenge; 4307 cprng_strong(kern_cprng, ch, clen, 0); 4308 4309 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4310 4311 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4312 sizeof clen, (const char *)&clen, 4313 sizeof(sp->hisauth.challenge), sp->hisauth.challenge, 4314 0); 4315 } 4316 4317 /* 4318 *--------------------------------------------------------------------------* 4319 * * 4320 * The PAP implementation. * 4321 * * 4322 *--------------------------------------------------------------------------* 4323 */ 4324 /* 4325 * For PAP, we need to keep a little state also if we are the peer, not the 4326 * authenticator. This is since we don't get a request to authenticate, but 4327 * have to repeatedly authenticate ourself until we got a response (or the 4328 * retry counter is expired). 4329 */ 4330 4331 /* 4332 * Handle incoming PAP packets. */ 4333 static void 4334 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4335 { 4336 STDDCL; 4337 struct lcp_header *h; 4338 int len, x; 4339 u_char mlen; 4340 char *name, *secret; 4341 int name_len, secret_len; 4342 4343 /* 4344 * Malicious input might leave this uninitialized, so 4345 * init to an impossible value. 4346 */ 4347 secret_len = -1; 4348 4349 len = m->m_pkthdr.len; 4350 if (len < 5) { 4351 if (debug) 4352 log(LOG_DEBUG, 4353 "%s: pap invalid packet length: %d bytes\n", 4354 ifp->if_xname, len); 4355 return; 4356 } 4357 h = mtod(m, struct lcp_header *); 4358 if (len > ntohs(h->len)) 4359 len = ntohs(h->len); 4360 switch (h->type) { 4361 /* PAP request is my authproto */ 4362 case PAP_REQ: 4363 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4364 /* can't do anything useful */ 4365 printf("%s: pap request without his name and his secret being set\n", 4366 ifp->if_xname); 4367 break; 4368 } 4369 name = 1 + (u_char *)(h + 1); 4370 name_len = name[-1]; 4371 secret = name + name_len + 1; 4372 if (name_len > len - 6 || 4373 (secret_len = secret[-1]) > len - 6 - name_len) { 4374 if (debug) { 4375 log(LOG_DEBUG, "%s: pap corrupted input " 4376 "<%s id=0x%x len=%d", 4377 ifp->if_xname, 4378 sppp_auth_type_name(PPP_PAP, h->type), 4379 h->ident, ntohs(h->len)); 4380 if (len > 4) 4381 sppp_print_bytes((u_char *)(h + 1), 4382 len - 4); 4383 addlog(">\n"); 4384 } 4385 break; 4386 } 4387 if (debug) { 4388 log(LOG_DEBUG, "%s: pap input(%s) " 4389 "<%s id=0x%x len=%d name=", 4390 ifp->if_xname, 4391 sppp_state_name(sp->state[IDX_PAP]), 4392 sppp_auth_type_name(PPP_PAP, h->type), 4393 h->ident, ntohs(h->len)); 4394 sppp_print_string((char *)name, name_len); 4395 addlog(" secret="); 4396 sppp_print_string((char *)secret, secret_len); 4397 addlog(">\n"); 4398 } 4399 if (name_len != sp->hisauth.name_len || 4400 secret_len != sp->hisauth.secret_len || 4401 memcmp(name, sp->hisauth.name, name_len) != 0 || 4402 memcmp(secret, sp->hisauth.secret, secret_len) != 0) { 4403 /* action scn, tld */ 4404 sp->pp_auth_failures++; 4405 mlen = sizeof(FAILMSG) - 1; 4406 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4407 sizeof mlen, (const char *)&mlen, 4408 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4409 0); 4410 pap.tld(sp); 4411 break; 4412 } 4413 /* action sca, perhaps tlu */ 4414 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4415 sp->state[IDX_PAP] == STATE_OPENED) { 4416 mlen = sizeof(SUCCMSG) - 1; 4417 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4418 sizeof mlen, (const char *)&mlen, 4419 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4420 0); 4421 } 4422 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4423 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4424 pap.tlu(sp); 4425 } 4426 break; 4427 4428 /* ack and nak are his authproto */ 4429 case PAP_ACK: 4430 callout_stop(&sp->pap_my_to_ch); 4431 if (debug) { 4432 log(LOG_DEBUG, "%s: pap success", 4433 ifp->if_xname); 4434 name = 1 + (u_char *)(h + 1); 4435 name_len = name[-1]; 4436 if (len > 5 && name_len < len+4) { 4437 addlog(": "); 4438 sppp_print_string(name, name_len); 4439 } 4440 addlog("\n"); 4441 } 4442 x = splnet(); 4443 sp->pp_auth_failures = 0; 4444 sp->pp_flags &= ~PP_NEEDAUTH; 4445 if (sp->myauth.proto == PPP_PAP && 4446 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4447 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4448 /* 4449 * We are authenticator for PAP but didn't 4450 * complete yet. Leave it to tlu to proceed 4451 * to network phase. 4452 */ 4453 splx(x); 4454 break; 4455 } 4456 splx(x); 4457 sppp_phase_network(sp); 4458 break; 4459 4460 case PAP_NAK: 4461 callout_stop(&sp->pap_my_to_ch); 4462 sp->pp_auth_failures++; 4463 if (debug) { 4464 log(LOG_INFO, "%s: pap failure", 4465 ifp->if_xname); 4466 name = 1 + (u_char *)(h + 1); 4467 name_len = name[-1]; 4468 if (len > 5 && name_len < len+4) { 4469 addlog(": "); 4470 sppp_print_string(name, name_len); 4471 } 4472 addlog("\n"); 4473 } else 4474 log(LOG_INFO, "%s: pap failure\n", 4475 ifp->if_xname); 4476 /* await LCP shutdown by authenticator */ 4477 break; 4478 4479 default: 4480 /* Unknown PAP packet type -- ignore. */ 4481 if (debug) { 4482 log(LOG_DEBUG, "%s: pap corrupted input " 4483 "<0x%x id=0x%x len=%d", 4484 ifp->if_xname, 4485 h->type, h->ident, ntohs(h->len)); 4486 if (len > 4) 4487 sppp_print_bytes((u_char *)(h + 1), len - 4); 4488 addlog(">\n"); 4489 } 4490 break; 4491 4492 } 4493 } 4494 4495 static void 4496 sppp_pap_init(struct sppp *sp) 4497 { 4498 /* PAP doesn't have STATE_INITIAL at all. */ 4499 sp->state[IDX_PAP] = STATE_CLOSED; 4500 sp->fail_counter[IDX_PAP] = 0; 4501 sp->pp_seq[IDX_PAP] = 0; 4502 sp->pp_rseq[IDX_PAP] = 0; 4503 callout_init(&sp->ch[IDX_PAP], 0); 4504 callout_init(&sp->pap_my_to_ch, 0); 4505 } 4506 4507 static void 4508 sppp_pap_open(struct sppp *sp) 4509 { 4510 if (sp->hisauth.proto == PPP_PAP && 4511 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4512 /* we are authenticator for PAP, start our timer */ 4513 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4514 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4515 } 4516 if (sp->myauth.proto == PPP_PAP) { 4517 /* we are peer, send a request, and start a timer */ 4518 pap.scr(sp); 4519 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout, 4520 sppp_pap_my_TO, sp); 4521 } 4522 } 4523 4524 static void 4525 sppp_pap_close(struct sppp *sp) 4526 { 4527 if (sp->state[IDX_PAP] != STATE_CLOSED) 4528 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4529 } 4530 4531 /* 4532 * That's the timeout routine if we are authenticator. Since the 4533 * authenticator is basically passive in PAP, we can't do much here. 4534 */ 4535 static void 4536 sppp_pap_TO(void *cookie) 4537 { 4538 struct sppp *sp = (struct sppp *)cookie; 4539 STDDCL; 4540 int s; 4541 4542 s = splnet(); 4543 if (debug) 4544 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n", 4545 ifp->if_xname, 4546 sppp_state_name(sp->state[IDX_PAP]), 4547 sp->rst_counter[IDX_PAP]); 4548 4549 if (--sp->rst_counter[IDX_PAP] < 0) 4550 /* TO- event */ 4551 switch (sp->state[IDX_PAP]) { 4552 case STATE_REQ_SENT: 4553 pap.tld(sp); 4554 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4555 break; 4556 } 4557 else 4558 /* TO+ event, not very much we could do */ 4559 switch (sp->state[IDX_PAP]) { 4560 case STATE_REQ_SENT: 4561 /* sppp_cp_change_state() will restart the timer */ 4562 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4563 break; 4564 } 4565 4566 splx(s); 4567 } 4568 4569 /* 4570 * That's the timeout handler if we are peer. Since the peer is active, 4571 * we need to retransmit our PAP request since it is apparently lost. 4572 * XXX We should impose a max counter. 4573 */ 4574 static void 4575 sppp_pap_my_TO(void *cookie) 4576 { 4577 struct sppp *sp = (struct sppp *)cookie; 4578 STDDCL; 4579 4580 if (debug) 4581 log(LOG_DEBUG, "%s: pap peer TO\n", 4582 ifp->if_xname); 4583 4584 pap.scr(sp); 4585 } 4586 4587 static void 4588 sppp_pap_tlu(struct sppp *sp) 4589 { 4590 STDDCL; 4591 int x; 4592 4593 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4594 4595 if (debug) 4596 log(LOG_DEBUG, "%s: %s tlu\n", 4597 ifp->if_xname, pap.name); 4598 4599 x = splnet(); 4600 sp->pp_auth_failures = 0; 4601 /* indicate to LCP that we need to be closed down */ 4602 sp->lcp.protos |= (1 << IDX_PAP); 4603 4604 if (sp->pp_flags & PP_NEEDAUTH) { 4605 /* 4606 * Remote is authenticator, but his auth proto didn't 4607 * complete yet. Defer the transition to network 4608 * phase. 4609 */ 4610 splx(x); 4611 return; 4612 } 4613 splx(x); 4614 sppp_phase_network(sp); 4615 } 4616 4617 static void 4618 sppp_pap_tld(struct sppp *sp) 4619 { 4620 STDDCL; 4621 4622 if (debug) 4623 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname); 4624 callout_stop(&sp->ch[IDX_PAP]); 4625 callout_stop(&sp->pap_my_to_ch); 4626 sp->lcp.protos &= ~(1 << IDX_PAP); 4627 4628 lcp.Close(sp); 4629 } 4630 4631 static void 4632 sppp_pap_scr(struct sppp *sp) 4633 { 4634 u_char idlen, pwdlen; 4635 4636 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4637 /* can't do anything useful */ 4638 printf("%s: pap starting without my name and secret being set\n", 4639 sp->pp_if.if_xname); 4640 return; 4641 } 4642 4643 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4644 pwdlen = sp->myauth.secret_len; 4645 idlen = sp->myauth.name_len; 4646 4647 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 4648 sizeof idlen, (const char *)&idlen, 4649 idlen, sp->myauth.name, 4650 sizeof pwdlen, (const char *)&pwdlen, 4651 pwdlen, sp->myauth.secret, 4652 0); 4653 } 4654 4655 /* 4656 * Random miscellaneous functions. 4657 */ 4658 4659 /* 4660 * Send a PAP or CHAP proto packet. 4661 * 4662 * Varadic function, each of the elements for the ellipsis is of type 4663 * ``size_t mlen, const u_char *msg''. Processing will stop iff 4664 * mlen == 0. 4665 * NOTE: never declare variadic functions with types subject to type 4666 * promotion (i.e. u_char). This is asking for big trouble depending 4667 * on the architecture you are on... 4668 */ 4669 4670 static void 4671 sppp_auth_send(const struct cp *cp, struct sppp *sp, 4672 unsigned int type, unsigned int id, 4673 ...) 4674 { 4675 STDDCL; 4676 struct lcp_header *lh; 4677 struct mbuf *m; 4678 u_char *p; 4679 int len; 4680 size_t pkthdrlen; 4681 unsigned int mlen; 4682 const char *msg; 4683 va_list ap; 4684 4685 MGETHDR(m, M_DONTWAIT, MT_DATA); 4686 if (! m) 4687 return; 4688 m_reset_rcvif(m); 4689 4690 if (sp->pp_flags & PP_NOFRAMING) { 4691 *mtod(m, uint16_t *) = htons(cp->proto); 4692 pkthdrlen = 2; 4693 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 4694 } else { 4695 struct ppp_header *h; 4696 h = mtod(m, struct ppp_header *); 4697 h->address = PPP_ALLSTATIONS; /* broadcast address */ 4698 h->control = PPP_UI; /* Unnumbered Info */ 4699 h->protocol = htons(cp->proto); 4700 pkthdrlen = PPP_HEADER_LEN; 4701 4702 lh = (struct lcp_header *)(h + 1); 4703 } 4704 4705 lh->type = type; 4706 lh->ident = id; 4707 p = (u_char *)(lh + 1); 4708 4709 va_start(ap, id); 4710 len = 0; 4711 4712 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 4713 msg = va_arg(ap, const char *); 4714 len += mlen; 4715 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 4716 va_end(ap); 4717 m_freem(m); 4718 return; 4719 } 4720 4721 memcpy(p, msg, mlen); 4722 p += mlen; 4723 } 4724 va_end(ap); 4725 4726 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 4727 lh->len = htons(LCP_HEADER_LEN + len); 4728 4729 if (debug) { 4730 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 4731 ifp->if_xname, cp->name, 4732 sppp_auth_type_name(cp->proto, lh->type), 4733 lh->ident, ntohs(lh->len)); 4734 if (len) 4735 sppp_print_bytes((u_char *)(lh + 1), len); 4736 addlog(">\n"); 4737 } 4738 if (IF_QFULL(&sp->pp_cpq)) { 4739 IF_DROP(&sp->pp_fastq); 4740 IF_DROP(&ifp->if_snd); 4741 m_freem(m); 4742 ++ifp->if_oerrors; 4743 return; 4744 } else 4745 IF_ENQUEUE(&sp->pp_cpq, m); 4746 if (! (ifp->if_flags & IFF_OACTIVE)) 4747 if_start_lock(ifp); 4748 ifp->if_obytes += m->m_pkthdr.len + 3; 4749 } 4750 4751 /* 4752 * Send keepalive packets, every 10 seconds. 4753 */ 4754 static void 4755 sppp_keepalive(void *dummy) 4756 { 4757 struct sppp *sp; 4758 int s; 4759 time_t now; 4760 4761 s = splnet(); 4762 now = time_uptime; 4763 for (sp=spppq; sp; sp=sp->pp_next) { 4764 struct ifnet *ifp = &sp->pp_if; 4765 4766 /* check idle timeout */ 4767 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 4768 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 4769 /* idle timeout is enabled for this interface */ 4770 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 4771 if (ifp->if_flags & IFF_DEBUG) 4772 printf("%s: no activity for %lu seconds\n", 4773 sp->pp_if.if_xname, 4774 (unsigned long)(now-sp->pp_last_activity)); 4775 lcp.Close(sp); 4776 continue; 4777 } 4778 } 4779 4780 /* Keepalive mode disabled or channel down? */ 4781 if (! (sp->pp_flags & PP_KEEPALIVE) || 4782 ! (ifp->if_flags & IFF_RUNNING)) 4783 continue; 4784 4785 /* No keepalive in PPP mode if LCP not opened yet. */ 4786 if (! (sp->pp_flags & PP_CISCO) && 4787 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) 4788 continue; 4789 4790 /* No echo reply, but maybe user data passed through? */ 4791 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) { 4792 sp->pp_alivecnt = 0; 4793 continue; 4794 } 4795 4796 if (sp->pp_alivecnt >= sp->pp_maxalive) { 4797 /* No keepalive packets got. Stop the interface. */ 4798 if_down (ifp); 4799 IF_PURGE(&sp->pp_cpq); 4800 if (! (sp->pp_flags & PP_CISCO)) { 4801 printf("%s: LCP keepalive timed out, going to restart the connection\n", 4802 ifp->if_xname); 4803 sp->pp_alivecnt = 0; 4804 4805 /* we are down, close all open protocols */ 4806 lcp.Close(sp); 4807 4808 /* And now prepare LCP to reestablish the link, if configured to do so. */ 4809 sppp_cp_change_state(&lcp, sp, STATE_STOPPED); 4810 4811 /* Close connection immediately, completition of this 4812 * will summon the magic needed to reestablish it. */ 4813 if (sp->pp_tlf) 4814 sp->pp_tlf(sp); 4815 continue; 4816 } 4817 } 4818 if (sp->pp_alivecnt < sp->pp_maxalive) 4819 ++sp->pp_alivecnt; 4820 if (sp->pp_flags & PP_CISCO) 4821 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 4822 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 4823 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 4824 int32_t nmagic = htonl(sp->lcp.magic); 4825 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 4826 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 4827 sp->lcp.echoid, 4, &nmagic); 4828 } 4829 } 4830 splx(s); 4831 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 4832 } 4833 4834 #ifdef INET 4835 /* 4836 * Get both IP addresses. 4837 */ 4838 static void 4839 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 4840 { 4841 struct ifnet *ifp = &sp->pp_if; 4842 struct ifaddr *ifa; 4843 struct sockaddr_in *si, *sm; 4844 uint32_t ssrc, ddst; 4845 4846 sm = NULL; 4847 ssrc = ddst = 0; 4848 /* 4849 * Pick the first AF_INET address from the list, 4850 * aliases don't make any sense on a p2p link anyway. 4851 */ 4852 si = 0; 4853 IFADDR_READER_FOREACH(ifa, ifp) { 4854 if (ifa->ifa_addr->sa_family == AF_INET) { 4855 si = (struct sockaddr_in *)ifa->ifa_addr; 4856 sm = (struct sockaddr_in *)ifa->ifa_netmask; 4857 if (si) 4858 break; 4859 } 4860 } 4861 if (ifa) { 4862 if (si && si->sin_addr.s_addr) { 4863 ssrc = si->sin_addr.s_addr; 4864 if (srcmask) 4865 *srcmask = ntohl(sm->sin_addr.s_addr); 4866 } 4867 4868 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 4869 if (si && si->sin_addr.s_addr) 4870 ddst = si->sin_addr.s_addr; 4871 } 4872 4873 if (dst) *dst = ntohl(ddst); 4874 if (src) *src = ntohl(ssrc); 4875 } 4876 4877 /* 4878 * Set IP addresses. Must be called at splnet. 4879 * If an address is 0, leave it the way it is. 4880 */ 4881 static void 4882 sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr) 4883 { 4884 STDDCL; 4885 struct ifaddr *ifa; 4886 struct sockaddr_in *si, *dest; 4887 4888 /* 4889 * Pick the first AF_INET address from the list, 4890 * aliases don't make any sense on a p2p link anyway. 4891 */ 4892 4893 IFADDR_READER_FOREACH(ifa, ifp) { 4894 if (ifa->ifa_addr->sa_family == AF_INET) { 4895 si = (struct sockaddr_in *)ifa->ifa_addr; 4896 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4897 goto found; 4898 } 4899 } 4900 return; 4901 4902 found: 4903 { 4904 int error; 4905 struct sockaddr_in new_sin = *si; 4906 struct sockaddr_in new_dst = *dest; 4907 4908 if (myaddr != 0) 4909 new_sin.sin_addr.s_addr = htonl(myaddr); 4910 if (hisaddr != 0) { 4911 new_dst.sin_addr.s_addr = htonl(hisaddr); 4912 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) 4913 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 4914 } 4915 4916 LIST_REMOVE(ifatoia(ifa), ia_hash); 4917 IN_ADDRHASH_WRITER_REMOVE(ifatoia(ifa)); 4918 4919 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 4920 4921 LIST_INSERT_HEAD(&IN_IFADDR_HASH(ifatoia(ifa)->ia_addr.sin_addr.s_addr), 4922 ifatoia(ifa), ia_hash); 4923 IN_ADDRHASH_WRITER_INSERT_HEAD(ifatoia(ifa)); 4924 4925 if (debug && error) 4926 { 4927 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 4928 ifp->if_xname, __func__, error); 4929 } 4930 if (!error) { 4931 (void)pfil_run_hooks(if_pfil, 4932 (struct mbuf **)SIOCAIFADDR, ifp, PFIL_IFADDR); 4933 } 4934 } 4935 } 4936 4937 /* 4938 * Clear IP addresses. Must be called at splnet. 4939 */ 4940 static void 4941 sppp_clear_ip_addrs(struct sppp *sp) 4942 { 4943 STDDCL; 4944 struct ifaddr *ifa; 4945 struct sockaddr_in *si, *dest; 4946 4947 uint32_t remote; 4948 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4949 remote = sp->ipcp.saved_hisaddr; 4950 else 4951 sppp_get_ip_addrs(sp, 0, &remote, 0); 4952 4953 /* 4954 * Pick the first AF_INET address from the list, 4955 * aliases don't make any sense on a p2p link anyway. 4956 */ 4957 4958 IFADDR_READER_FOREACH(ifa, ifp) { 4959 if (ifa->ifa_addr->sa_family == AF_INET) { 4960 si = (struct sockaddr_in *)ifa->ifa_addr; 4961 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4962 goto found; 4963 } 4964 } 4965 return; 4966 4967 found: 4968 { 4969 struct sockaddr_in new_sin = *si; 4970 struct sockaddr_in new_dst = *dest; 4971 int error; 4972 4973 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 4974 new_sin.sin_addr.s_addr = 0; 4975 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4976 new_dst.sin_addr.s_addr = sp->ipcp.saved_hisaddr; 4977 4978 LIST_REMOVE(ifatoia(ifa), ia_hash); 4979 IN_ADDRHASH_WRITER_REMOVE(ifatoia(ifa)); 4980 4981 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 4982 4983 LIST_INSERT_HEAD(&IN_IFADDR_HASH(ifatoia(ifa)->ia_addr.sin_addr.s_addr), 4984 ifatoia(ifa), ia_hash); 4985 IN_ADDRHASH_WRITER_INSERT_HEAD(ifatoia(ifa)); 4986 4987 if (debug && error) 4988 { 4989 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 4990 ifp->if_xname, __func__, error); 4991 } 4992 if (!error) { 4993 (void)pfil_run_hooks(if_pfil, 4994 (struct mbuf **)SIOCAIFADDR, ifp, PFIL_IFADDR); 4995 } 4996 } 4997 } 4998 #endif 4999 5000 #ifdef INET6 5001 /* 5002 * Get both IPv6 addresses. 5003 */ 5004 static void 5005 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 5006 struct in6_addr *srcmask) 5007 { 5008 struct ifnet *ifp = &sp->pp_if; 5009 struct ifaddr *ifa; 5010 struct sockaddr_in6 *si, *sm; 5011 struct in6_addr ssrc, ddst; 5012 5013 sm = NULL; 5014 memset(&ssrc, 0, sizeof(ssrc)); 5015 memset(&ddst, 0, sizeof(ddst)); 5016 /* 5017 * Pick the first link-local AF_INET6 address from the list, 5018 * aliases don't make any sense on a p2p link anyway. 5019 */ 5020 si = 0; 5021 IFADDR_READER_FOREACH(ifa, ifp) 5022 if (ifa->ifa_addr->sa_family == AF_INET6) { 5023 si = (struct sockaddr_in6 *)ifa->ifa_addr; 5024 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 5025 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) 5026 break; 5027 } 5028 if (ifa) { 5029 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 5030 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 5031 if (srcmask) { 5032 memcpy(srcmask, &sm->sin6_addr, 5033 sizeof(*srcmask)); 5034 } 5035 } 5036 5037 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 5038 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 5039 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 5040 } 5041 5042 if (dst) 5043 memcpy(dst, &ddst, sizeof(*dst)); 5044 if (src) 5045 memcpy(src, &ssrc, sizeof(*src)); 5046 } 5047 5048 #ifdef IPV6CP_MYIFID_DYN 5049 /* 5050 * Generate random ifid. 5051 */ 5052 static void 5053 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5054 { 5055 /* TBD */ 5056 } 5057 5058 /* 5059 * Set my IPv6 address. Must be called at splnet. 5060 */ 5061 static void 5062 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5063 { 5064 STDDCL; 5065 struct ifaddr *ifa; 5066 struct sockaddr_in6 *sin6; 5067 5068 /* 5069 * Pick the first link-local AF_INET6 address from the list, 5070 * aliases don't make any sense on a p2p link anyway. 5071 */ 5072 5073 sin6 = NULL; 5074 IFADDR_READER_FOREACH(ifa, ifp) 5075 { 5076 if (ifa->ifa_addr->sa_family == AF_INET6) 5077 { 5078 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5079 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 5080 break; 5081 } 5082 } 5083 5084 if (ifa && sin6) 5085 { 5086 int error; 5087 struct sockaddr_in6 new_sin6 = *sin6; 5088 5089 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 5090 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5091 if (debug && error) 5092 { 5093 log(LOG_DEBUG, "%s: %s: in6_ifinit failed, error=%d\n", 5094 ifp->if_xname, __func__, error); 5095 } 5096 if (!error) { 5097 (void)pfil_run_hooks(if_pfil, 5098 (struct mbuf **)SIOCAIFADDR_IN6, ifp, PFIL_IFADDR); 5099 } 5100 } 5101 } 5102 #endif 5103 5104 /* 5105 * Suggest a candidate address to be used by peer. 5106 */ 5107 static void 5108 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5109 { 5110 struct in6_addr myaddr; 5111 struct timeval tv; 5112 5113 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5114 5115 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5116 microtime(&tv); 5117 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5118 myaddr.s6_addr[14] ^= 0xff; 5119 myaddr.s6_addr[15] ^= 0xff; 5120 } else { 5121 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5122 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5123 } 5124 if (suggest) 5125 memcpy(suggest, &myaddr, sizeof(myaddr)); 5126 } 5127 #endif /*INET6*/ 5128 5129 /* 5130 * Process ioctl requests specific to the PPP interface. 5131 * Permissions have already been checked. 5132 */ 5133 static int 5134 sppp_params(struct sppp *sp, u_long cmd, void *data) 5135 { 5136 switch (cmd) { 5137 case SPPPGETAUTHCFG: 5138 { 5139 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5140 int error; 5141 size_t len; 5142 5143 cfg->myauthflags = sp->myauth.flags; 5144 cfg->hisauthflags = sp->hisauth.flags; 5145 strlcpy(cfg->ifname, sp->pp_if.if_xname, sizeof(cfg->ifname)); 5146 cfg->hisauth = 0; 5147 if (sp->hisauth.proto) 5148 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5149 cfg->myauth = 0; 5150 if (sp->myauth.proto) 5151 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5152 if (cfg->myname_length == 0) { 5153 if (sp->myauth.name != NULL) 5154 cfg->myname_length = sp->myauth.name_len + 1; 5155 } else { 5156 if (sp->myauth.name == NULL) { 5157 cfg->myname_length = 0; 5158 } else { 5159 len = sp->myauth.name_len + 1; 5160 if (cfg->myname_length < len) 5161 return (ENAMETOOLONG); 5162 error = copyout(sp->myauth.name, cfg->myname, len); 5163 if (error) return error; 5164 } 5165 } 5166 if (cfg->hisname_length == 0) { 5167 if (sp->hisauth.name != NULL) 5168 cfg->hisname_length = sp->hisauth.name_len + 1; 5169 } else { 5170 if (sp->hisauth.name == NULL) { 5171 cfg->hisname_length = 0; 5172 } else { 5173 len = sp->hisauth.name_len + 1; 5174 if (cfg->hisname_length < len) 5175 return (ENAMETOOLONG); 5176 error = copyout(sp->hisauth.name, cfg->hisname, len); 5177 if (error) return error; 5178 } 5179 } 5180 } 5181 break; 5182 case SPPPSETAUTHCFG: 5183 { 5184 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5185 int error; 5186 5187 if (sp->myauth.name) { 5188 free(sp->myauth.name, M_DEVBUF); 5189 sp->myauth.name = NULL; 5190 } 5191 if (sp->myauth.secret) { 5192 free(sp->myauth.secret, M_DEVBUF); 5193 sp->myauth.secret = NULL; 5194 } 5195 if (sp->hisauth.name) { 5196 free(sp->hisauth.name, M_DEVBUF); 5197 sp->hisauth.name = NULL; 5198 } 5199 if (sp->hisauth.secret) { 5200 free(sp->hisauth.secret, M_DEVBUF); 5201 sp->hisauth.secret = NULL; 5202 } 5203 5204 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 5205 if (cfg->hisname_length >= MCLBYTES) 5206 return (ENAMETOOLONG); 5207 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 5208 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 5209 if (error) { 5210 free(sp->hisauth.name, M_DEVBUF); 5211 sp->hisauth.name = NULL; 5212 return error; 5213 } 5214 sp->hisauth.name_len = cfg->hisname_length - 1; 5215 sp->hisauth.name[sp->hisauth.name_len] = 0; 5216 } 5217 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 5218 if (cfg->hissecret_length >= MCLBYTES) 5219 return (ENAMETOOLONG); 5220 sp->hisauth.secret = malloc(cfg->hissecret_length, M_DEVBUF, M_WAITOK); 5221 error = copyin(cfg->hissecret, sp->hisauth.secret, cfg->hissecret_length); 5222 if (error) { 5223 free(sp->hisauth.secret, M_DEVBUF); 5224 sp->hisauth.secret = NULL; 5225 return error; 5226 } 5227 sp->hisauth.secret_len = cfg->hissecret_length - 1; 5228 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 5229 } 5230 if (cfg->myname != NULL && cfg->myname_length > 0) { 5231 if (cfg->myname_length >= MCLBYTES) 5232 return (ENAMETOOLONG); 5233 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 5234 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 5235 if (error) { 5236 free(sp->myauth.name, M_DEVBUF); 5237 sp->myauth.name = NULL; 5238 return error; 5239 } 5240 sp->myauth.name_len = cfg->myname_length - 1; 5241 sp->myauth.name[sp->myauth.name_len] = 0; 5242 } 5243 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 5244 if (cfg->mysecret_length >= MCLBYTES) 5245 return (ENAMETOOLONG); 5246 sp->myauth.secret = malloc(cfg->mysecret_length, M_DEVBUF, M_WAITOK); 5247 error = copyin(cfg->mysecret, sp->myauth.secret, cfg->mysecret_length); 5248 if (error) { 5249 free(sp->myauth.secret, M_DEVBUF); 5250 sp->myauth.secret = NULL; 5251 return error; 5252 } 5253 sp->myauth.secret_len = cfg->mysecret_length - 1; 5254 sp->myauth.secret[sp->myauth.secret_len] = 0; 5255 } 5256 sp->myauth.flags = cfg->myauthflags; 5257 if (cfg->myauth) 5258 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5259 sp->hisauth.flags = cfg->hisauthflags; 5260 if (cfg->hisauth) 5261 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5262 sp->pp_auth_failures = 0; 5263 if (sp->hisauth.proto != 0) 5264 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 5265 else 5266 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 5267 } 5268 break; 5269 case SPPPGETLCPCFG: 5270 { 5271 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5272 lcpp->lcp_timeout = sp->lcp.timeout; 5273 } 5274 break; 5275 case SPPPSETLCPCFG: 5276 { 5277 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5278 sp->lcp.timeout = lcpp->lcp_timeout; 5279 } 5280 break; 5281 case SPPPGETSTATUS: 5282 { 5283 struct spppstatus *status = (struct spppstatus *)data; 5284 status->phase = sp->pp_phase; 5285 } 5286 break; 5287 case SPPPGETSTATUSNCP: 5288 { 5289 struct spppstatusncp *status = (struct spppstatusncp *)data; 5290 status->phase = sp->pp_phase; 5291 status->ncpup = sppp_ncp_check(sp); 5292 } 5293 break; 5294 case SPPPGETIDLETO: 5295 { 5296 struct spppidletimeout *to = (struct spppidletimeout *)data; 5297 to->idle_seconds = sp->pp_idle_timeout; 5298 } 5299 break; 5300 case SPPPSETIDLETO: 5301 { 5302 struct spppidletimeout *to = (struct spppidletimeout *)data; 5303 sp->pp_idle_timeout = to->idle_seconds; 5304 } 5305 break; 5306 case SPPPSETAUTHFAILURE: 5307 { 5308 struct spppauthfailuresettings *afsettings = (struct spppauthfailuresettings *)data; 5309 sp->pp_max_auth_fail = afsettings->max_failures; 5310 sp->pp_auth_failures = 0; 5311 } 5312 break; 5313 case SPPPGETAUTHFAILURES: 5314 { 5315 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 5316 stats->auth_failures = sp->pp_auth_failures; 5317 stats->max_failures = sp->pp_max_auth_fail; 5318 } 5319 break; 5320 case SPPPSETDNSOPTS: 5321 { 5322 struct spppdnssettings *req = (struct spppdnssettings *)data; 5323 sp->query_dns = req->query_dns & 3; 5324 } 5325 break; 5326 case SPPPGETDNSOPTS: 5327 { 5328 struct spppdnssettings *req = (struct spppdnssettings *)data; 5329 req->query_dns = sp->query_dns; 5330 } 5331 break; 5332 case SPPPGETDNSADDRS: 5333 { 5334 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 5335 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 5336 } 5337 break; 5338 case SPPPGETKEEPALIVE: 5339 { 5340 struct spppkeepalivesettings *settings = 5341 (struct spppkeepalivesettings*)data; 5342 settings->maxalive = sp->pp_maxalive; 5343 settings->max_noreceive = sp->pp_max_noreceive; 5344 } 5345 break; 5346 case SPPPSETKEEPALIVE: 5347 { 5348 struct spppkeepalivesettings *settings = 5349 (struct spppkeepalivesettings*)data; 5350 sp->pp_maxalive = settings->maxalive; 5351 sp->pp_max_noreceive = settings->max_noreceive; 5352 } 5353 break; 5354 #if defined(COMPAT_50) || defined(MODULAR) 5355 case __SPPPGETIDLETO50: 5356 { 5357 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5358 to->idle_seconds = (uint32_t)sp->pp_idle_timeout; 5359 } 5360 break; 5361 case __SPPPSETIDLETO50: 5362 { 5363 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5364 sp->pp_idle_timeout = (time_t)to->idle_seconds; 5365 } 5366 break; 5367 case __SPPPGETKEEPALIVE50: 5368 { 5369 struct spppkeepalivesettings50 *settings = 5370 (struct spppkeepalivesettings50*)data; 5371 settings->maxalive = sp->pp_maxalive; 5372 settings->max_noreceive = (uint32_t)sp->pp_max_noreceive; 5373 } 5374 break; 5375 case __SPPPSETKEEPALIVE50: 5376 { 5377 struct spppkeepalivesettings50 *settings = 5378 (struct spppkeepalivesettings50*)data; 5379 sp->pp_maxalive = settings->maxalive; 5380 sp->pp_max_noreceive = (time_t)settings->max_noreceive; 5381 } 5382 break; 5383 #endif /* COMPAT_50 || MODULAR */ 5384 default: 5385 return (EINVAL); 5386 } 5387 5388 return (0); 5389 } 5390 5391 static void 5392 sppp_phase_network(struct sppp *sp) 5393 { 5394 int i; 5395 uint32_t mask; 5396 5397 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 5398 5399 /* Notify NCPs now. */ 5400 for (i = 0; i < IDX_COUNT; i++) 5401 if ((cps[i])->flags & CP_NCP) 5402 (cps[i])->Open(sp); 5403 5404 /* Send Up events to all NCPs. */ 5405 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5406 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) 5407 (cps[i])->Up(sp); 5408 5409 /* if no NCP is starting, all this was in vain, close down */ 5410 sppp_lcp_check_and_close(sp); 5411 } 5412 5413 5414 static const char * 5415 sppp_cp_type_name(u_char type) 5416 { 5417 static char buf[12]; 5418 switch (type) { 5419 case CONF_REQ: return "conf-req"; 5420 case CONF_ACK: return "conf-ack"; 5421 case CONF_NAK: return "conf-nak"; 5422 case CONF_REJ: return "conf-rej"; 5423 case TERM_REQ: return "term-req"; 5424 case TERM_ACK: return "term-ack"; 5425 case CODE_REJ: return "code-rej"; 5426 case PROTO_REJ: return "proto-rej"; 5427 case ECHO_REQ: return "echo-req"; 5428 case ECHO_REPLY: return "echo-reply"; 5429 case DISC_REQ: return "discard-req"; 5430 } 5431 snprintf(buf, sizeof(buf), "0x%x", type); 5432 return buf; 5433 } 5434 5435 static const char * 5436 sppp_auth_type_name(u_short proto, u_char type) 5437 { 5438 static char buf[32]; 5439 const char *name; 5440 5441 switch (proto) { 5442 case PPP_CHAP: 5443 switch (type) { 5444 case CHAP_CHALLENGE: return "challenge"; 5445 case CHAP_RESPONSE: return "response"; 5446 case CHAP_SUCCESS: return "success"; 5447 case CHAP_FAILURE: return "failure"; 5448 default: name = "chap"; break; 5449 } 5450 break; 5451 5452 case PPP_PAP: 5453 switch (type) { 5454 case PAP_REQ: return "req"; 5455 case PAP_ACK: return "ack"; 5456 case PAP_NAK: return "nak"; 5457 default: name = "pap"; break; 5458 } 5459 break; 5460 5461 default: 5462 name = "bad"; 5463 break; 5464 } 5465 5466 snprintf(buf, sizeof(buf), "%s(%#x) %#x", name, proto, type); 5467 return buf; 5468 } 5469 5470 static const char * 5471 sppp_lcp_opt_name(u_char opt) 5472 { 5473 static char buf[12]; 5474 switch (opt) { 5475 case LCP_OPT_MRU: return "mru"; 5476 case LCP_OPT_ASYNC_MAP: return "async-map"; 5477 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 5478 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 5479 case LCP_OPT_MAGIC: return "magic"; 5480 case LCP_OPT_PROTO_COMP: return "proto-comp"; 5481 case LCP_OPT_ADDR_COMP: return "addr-comp"; 5482 } 5483 snprintf(buf, sizeof(buf), "0x%x", opt); 5484 return buf; 5485 } 5486 5487 static const char * 5488 sppp_ipcp_opt_name(u_char opt) 5489 { 5490 static char buf[12]; 5491 switch (opt) { 5492 case IPCP_OPT_ADDRESSES: return "addresses"; 5493 case IPCP_OPT_COMPRESSION: return "compression"; 5494 case IPCP_OPT_ADDRESS: return "address"; 5495 } 5496 snprintf(buf, sizeof(buf), "0x%x", opt); 5497 return buf; 5498 } 5499 5500 #ifdef INET6 5501 static const char * 5502 sppp_ipv6cp_opt_name(u_char opt) 5503 { 5504 static char buf[12]; 5505 switch (opt) { 5506 case IPV6CP_OPT_IFID: return "ifid"; 5507 case IPV6CP_OPT_COMPRESSION: return "compression"; 5508 } 5509 snprintf(buf, sizeof(buf), "0x%x", opt); 5510 return buf; 5511 } 5512 #endif 5513 5514 static const char * 5515 sppp_state_name(int state) 5516 { 5517 switch (state) { 5518 case STATE_INITIAL: return "initial"; 5519 case STATE_STARTING: return "starting"; 5520 case STATE_CLOSED: return "closed"; 5521 case STATE_STOPPED: return "stopped"; 5522 case STATE_CLOSING: return "closing"; 5523 case STATE_STOPPING: return "stopping"; 5524 case STATE_REQ_SENT: return "req-sent"; 5525 case STATE_ACK_RCVD: return "ack-rcvd"; 5526 case STATE_ACK_SENT: return "ack-sent"; 5527 case STATE_OPENED: return "opened"; 5528 } 5529 return "illegal"; 5530 } 5531 5532 static const char * 5533 sppp_phase_name(int phase) 5534 { 5535 switch (phase) { 5536 case SPPP_PHASE_DEAD: return "dead"; 5537 case SPPP_PHASE_ESTABLISH: return "establish"; 5538 case SPPP_PHASE_TERMINATE: return "terminate"; 5539 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 5540 case SPPP_PHASE_NETWORK: return "network"; 5541 } 5542 return "illegal"; 5543 } 5544 5545 static const char * 5546 sppp_proto_name(u_short proto) 5547 { 5548 static char buf[12]; 5549 switch (proto) { 5550 case PPP_LCP: return "lcp"; 5551 case PPP_IPCP: return "ipcp"; 5552 case PPP_PAP: return "pap"; 5553 case PPP_CHAP: return "chap"; 5554 case PPP_IPV6CP: return "ipv6cp"; 5555 } 5556 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto); 5557 return buf; 5558 } 5559 5560 static void 5561 sppp_print_bytes(const u_char *p, u_short len) 5562 { 5563 addlog(" %02x", *p++); 5564 while (--len > 0) 5565 addlog("-%02x", *p++); 5566 } 5567 5568 static void 5569 sppp_print_string(const char *p, u_short len) 5570 { 5571 u_char c; 5572 5573 while (len-- > 0) { 5574 c = *p++; 5575 /* 5576 * Print only ASCII chars directly. RFC 1994 recommends 5577 * using only them, but we don't rely on it. */ 5578 if (c < ' ' || c > '~') 5579 addlog("\\x%x", c); 5580 else 5581 addlog("%c", c); 5582 } 5583 } 5584 5585 static const char * 5586 sppp_dotted_quad(uint32_t addr) 5587 { 5588 static char s[16]; 5589 snprintf(s, sizeof(s), "%d.%d.%d.%d", 5590 (int)((addr >> 24) & 0xff), 5591 (int)((addr >> 16) & 0xff), 5592 (int)((addr >> 8) & 0xff), 5593 (int)(addr & 0xff)); 5594 return s; 5595 } 5596 5597 /* a dummy, used to drop uninteresting events */ 5598 static void 5599 sppp_null(struct sppp *unused) 5600 { 5601 /* do just nothing */ 5602 } 5603 /* 5604 * This file is large. Tell emacs to highlight it nevertheless. 5605 * 5606 * Local Variables: 5607 * hilit-auto-highlight-maxout: 120000 5608 * End: 5609 */ 5610 5611 /* 5612 * Module glue 5613 */ 5614 MODULE(MODULE_CLASS_MISC, sppp_subr, NULL); 5615 5616 static int 5617 sppp_subr_modcmd(modcmd_t cmd, void *arg) 5618 { 5619 switch (cmd) { 5620 case MODULE_CMD_INIT: 5621 case MODULE_CMD_FINI: 5622 return 0; 5623 case MODULE_CMD_STAT: 5624 case MODULE_CMD_AUTOUNLOAD: 5625 default: 5626 return ENOTTY; 5627 } 5628 } 5629 5630
Indexes created Mon Oct 13 16:09:52 GMT 2025