if_spppsubr.c revision 1.133
1 /* $NetBSD: if_spppsubr.c,v 1.133 2015/05/02 14:41:32 roy Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak (at) cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun (at) iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.133 2015/05/02 14:41:32 roy Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_ipx.h" 49 #include "opt_modular.h" 50 #include "opt_compat_netbsd.h" 51 #endif 52 53 54 #include <sys/param.h> 55 #include <sys/proc.h> 56 #include <sys/systm.h> 57 #include <sys/kernel.h> 58 #include <sys/sockio.h> 59 #include <sys/socket.h> 60 #include <sys/syslog.h> 61 #include <sys/malloc.h> 62 #include <sys/mbuf.h> 63 #include <sys/callout.h> 64 #include <sys/md5.h> 65 #include <sys/inttypes.h> 66 #include <sys/kauth.h> 67 #include <sys/cprng.h> 68 69 #include <net/if.h> 70 #include <net/netisr.h> 71 #include <net/if_types.h> 72 #include <net/route.h> 73 #include <net/ppp_defs.h> 74 75 #include <netinet/in.h> 76 #include <netinet/in_systm.h> 77 #include <netinet/in_var.h> 78 #ifdef INET 79 #include <netinet/ip.h> 80 #include <netinet/tcp.h> 81 #endif 82 #include <net/ethertypes.h> 83 84 #ifdef INET6 85 #include <netinet6/scope6_var.h> 86 #endif 87 88 #ifdef IPX 89 #include <netipx/ipx.h> 90 #include <netipx/ipx_if.h> 91 #endif 92 93 #include <net/if_sppp.h> 94 #include <net/if_spppvar.h> 95 96 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 97 #define LOOPALIVECNT 3 /* loopback detection tries */ 98 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 99 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 100 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 101 102 /* 103 * Interface flags that can be set in an ifconfig command. 104 * 105 * Setting link0 will make the link passive, i.e. it will be marked 106 * as being administrative openable, but won't be opened to begin 107 * with. Incoming calls will be answered, or subsequent calls with 108 * -link1 will cause the administrative open of the LCP layer. 109 * 110 * Setting link1 will cause the link to auto-dial only as packets 111 * arrive to be sent. 112 * 113 * Setting IFF_DEBUG will syslog the option negotiation and state 114 * transitions at level kern.debug. Note: all logs consistently look 115 * like 116 * 117 * <if-name><unit>: <proto-name> <additional info...> 118 * 119 * with <if-name><unit> being something like "bppp0", and <proto-name> 120 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 121 */ 122 123 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 124 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 125 126 #define CONF_REQ 1 /* PPP configure request */ 127 #define CONF_ACK 2 /* PPP configure acknowledge */ 128 #define CONF_NAK 3 /* PPP configure negative ack */ 129 #define CONF_REJ 4 /* PPP configure reject */ 130 #define TERM_REQ 5 /* PPP terminate request */ 131 #define TERM_ACK 6 /* PPP terminate acknowledge */ 132 #define CODE_REJ 7 /* PPP code reject */ 133 #define PROTO_REJ 8 /* PPP protocol reject */ 134 #define ECHO_REQ 9 /* PPP echo request */ 135 #define ECHO_REPLY 10 /* PPP echo reply */ 136 #define DISC_REQ 11 /* PPP discard request */ 137 138 #define LCP_OPT_MRU 1 /* maximum receive unit */ 139 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 140 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 141 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 142 #define LCP_OPT_MAGIC 5 /* magic number */ 143 #define LCP_OPT_RESERVED 6 /* reserved */ 144 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 145 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 146 147 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 148 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 149 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 150 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 151 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 152 153 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 154 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 155 156 #define PAP_REQ 1 /* PAP name/password request */ 157 #define PAP_ACK 2 /* PAP acknowledge */ 158 #define PAP_NAK 3 /* PAP fail */ 159 160 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 161 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 162 #define CHAP_SUCCESS 3 /* CHAP response ok */ 163 #define CHAP_FAILURE 4 /* CHAP response failed */ 164 165 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 166 167 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 168 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 169 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 170 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 171 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 172 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 173 174 /* states are named and numbered according to RFC 1661 */ 175 #define STATE_INITIAL 0 176 #define STATE_STARTING 1 177 #define STATE_CLOSED 2 178 #define STATE_STOPPED 3 179 #define STATE_CLOSING 4 180 #define STATE_STOPPING 5 181 #define STATE_REQ_SENT 6 182 #define STATE_ACK_RCVD 7 183 #define STATE_ACK_SENT 8 184 #define STATE_OPENED 9 185 186 struct ppp_header { 187 uint8_t address; 188 uint8_t control; 189 uint16_t protocol; 190 } __packed; 191 #define PPP_HEADER_LEN sizeof (struct ppp_header) 192 193 struct lcp_header { 194 uint8_t type; 195 uint8_t ident; 196 uint16_t len; 197 } __packed; 198 #define LCP_HEADER_LEN sizeof (struct lcp_header) 199 200 struct cisco_packet { 201 uint32_t type; 202 uint32_t par1; 203 uint32_t par2; 204 uint16_t rel; 205 uint16_t time0; 206 uint16_t time1; 207 } __packed; 208 #define CISCO_PACKET_LEN 18 209 210 /* 211 * We follow the spelling and capitalization of RFC 1661 here, to make 212 * it easier comparing with the standard. Please refer to this RFC in 213 * case you can't make sense out of these abbreviation; it will also 214 * explain the semantics related to the various events and actions. 215 */ 216 struct cp { 217 u_short proto; /* PPP control protocol number */ 218 u_char protoidx; /* index into state table in struct sppp */ 219 u_char flags; 220 #define CP_LCP 0x01 /* this is the LCP */ 221 #define CP_AUTH 0x02 /* this is an authentication protocol */ 222 #define CP_NCP 0x04 /* this is a NCP */ 223 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 224 const char *name; /* name of this control protocol */ 225 /* event handlers */ 226 void (*Up)(struct sppp *sp); 227 void (*Down)(struct sppp *sp); 228 void (*Open)(struct sppp *sp); 229 void (*Close)(struct sppp *sp); 230 void (*TO)(void *sp); 231 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 232 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 233 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 234 /* actions */ 235 void (*tlu)(struct sppp *sp); 236 void (*tld)(struct sppp *sp); 237 void (*tls)(struct sppp *sp); 238 void (*tlf)(struct sppp *sp); 239 void (*scr)(struct sppp *sp); 240 }; 241 242 static struct sppp *spppq; 243 static callout_t keepalive_ch; 244 245 #ifdef INET 246 /* 247 * The following disgusting hack gets around the problem that IP TOS 248 * can't be set yet. We want to put "interactive" traffic on a high 249 * priority queue. To decide if traffic is interactive, we check that 250 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 251 * 252 * XXX is this really still necessary? - joerg - 253 */ 254 static u_short interactive_ports[8] = { 255 0, 513, 0, 0, 256 0, 21, 0, 23, 257 }; 258 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 259 #endif 260 261 /* almost every function needs these */ 262 #define STDDCL \ 263 struct ifnet *ifp = &sp->pp_if; \ 264 int debug = ifp->if_flags & IFF_DEBUG 265 266 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 267 const struct sockaddr *dst, struct rtentry *rt); 268 269 static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2); 270 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 271 272 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 273 struct mbuf *m); 274 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 275 u_char ident, u_short len, void *data); 276 /* static void sppp_cp_timeout(void *arg); */ 277 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 278 int newstate); 279 static void sppp_auth_send(const struct cp *cp, 280 struct sppp *sp, unsigned int type, unsigned int id, 281 ...); 282 283 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 284 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 285 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 286 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 287 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 288 289 static void sppp_null(struct sppp *sp); 290 291 static void sppp_lcp_init(struct sppp *sp); 292 static void sppp_lcp_up(struct sppp *sp); 293 static void sppp_lcp_down(struct sppp *sp); 294 static void sppp_lcp_open(struct sppp *sp); 295 static void sppp_lcp_close(struct sppp *sp); 296 static void sppp_lcp_TO(void *sp); 297 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 298 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 299 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 300 static void sppp_lcp_tlu(struct sppp *sp); 301 static void sppp_lcp_tld(struct sppp *sp); 302 static void sppp_lcp_tls(struct sppp *sp); 303 static void sppp_lcp_tlf(struct sppp *sp); 304 static void sppp_lcp_scr(struct sppp *sp); 305 static void sppp_lcp_check_and_close(struct sppp *sp); 306 static int sppp_ncp_check(struct sppp *sp); 307 308 static void sppp_ipcp_init(struct sppp *sp); 309 static void sppp_ipcp_up(struct sppp *sp); 310 static void sppp_ipcp_down(struct sppp *sp); 311 static void sppp_ipcp_open(struct sppp *sp); 312 static void sppp_ipcp_close(struct sppp *sp); 313 static void sppp_ipcp_TO(void *sp); 314 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 315 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 316 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 317 static void sppp_ipcp_tlu(struct sppp *sp); 318 static void sppp_ipcp_tld(struct sppp *sp); 319 static void sppp_ipcp_tls(struct sppp *sp); 320 static void sppp_ipcp_tlf(struct sppp *sp); 321 static void sppp_ipcp_scr(struct sppp *sp); 322 323 static void sppp_ipv6cp_init(struct sppp *sp); 324 static void sppp_ipv6cp_up(struct sppp *sp); 325 static void sppp_ipv6cp_down(struct sppp *sp); 326 static void sppp_ipv6cp_open(struct sppp *sp); 327 static void sppp_ipv6cp_close(struct sppp *sp); 328 static void sppp_ipv6cp_TO(void *sp); 329 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 330 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 331 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 332 static void sppp_ipv6cp_tlu(struct sppp *sp); 333 static void sppp_ipv6cp_tld(struct sppp *sp); 334 static void sppp_ipv6cp_tls(struct sppp *sp); 335 static void sppp_ipv6cp_tlf(struct sppp *sp); 336 static void sppp_ipv6cp_scr(struct sppp *sp); 337 338 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 339 static void sppp_pap_init(struct sppp *sp); 340 static void sppp_pap_open(struct sppp *sp); 341 static void sppp_pap_close(struct sppp *sp); 342 static void sppp_pap_TO(void *sp); 343 static void sppp_pap_my_TO(void *sp); 344 static void sppp_pap_tlu(struct sppp *sp); 345 static void sppp_pap_tld(struct sppp *sp); 346 static void sppp_pap_scr(struct sppp *sp); 347 348 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 349 static void sppp_chap_init(struct sppp *sp); 350 static void sppp_chap_open(struct sppp *sp); 351 static void sppp_chap_close(struct sppp *sp); 352 static void sppp_chap_TO(void *sp); 353 static void sppp_chap_tlu(struct sppp *sp); 354 static void sppp_chap_tld(struct sppp *sp); 355 static void sppp_chap_scr(struct sppp *sp); 356 357 static const char *sppp_auth_type_name(u_short proto, u_char type); 358 static const char *sppp_cp_type_name(u_char type); 359 static const char *sppp_dotted_quad(uint32_t addr); 360 static const char *sppp_ipcp_opt_name(u_char opt); 361 #ifdef INET6 362 static const char *sppp_ipv6cp_opt_name(u_char opt); 363 #endif 364 static const char *sppp_lcp_opt_name(u_char opt); 365 static const char *sppp_phase_name(int phase); 366 static const char *sppp_proto_name(u_short proto); 367 static const char *sppp_state_name(int state); 368 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 369 #ifdef INET 370 static void sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, 371 uint32_t *srcmask); 372 static void sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr); 373 static void sppp_clear_ip_addrs(struct sppp *sp); 374 #endif 375 static void sppp_keepalive(void *dummy); 376 static void sppp_phase_network(struct sppp *sp); 377 static void sppp_print_bytes(const u_char *p, u_short len); 378 static void sppp_print_string(const char *p, u_short len); 379 #ifdef INET6 380 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 381 struct in6_addr *dst, struct in6_addr *srcmask); 382 #ifdef IPV6CP_MYIFID_DYN 383 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 384 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 385 #endif 386 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 387 #endif 388 389 /* our control protocol descriptors */ 390 static const struct cp lcp = { 391 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 392 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 393 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 394 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 395 sppp_lcp_scr 396 }; 397 398 static const struct cp ipcp = { 399 PPP_IPCP, IDX_IPCP, 400 #ifdef INET 401 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 402 #else 403 0, 404 #endif 405 "ipcp", 406 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 407 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 408 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 409 sppp_ipcp_scr 410 }; 411 412 static const struct cp ipv6cp = { 413 PPP_IPV6CP, IDX_IPV6CP, 414 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 415 CP_NCP, 416 #else 417 0, 418 #endif 419 "ipv6cp", 420 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 421 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 422 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 423 sppp_ipv6cp_scr 424 }; 425 426 static const struct cp pap = { 427 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 428 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 429 sppp_pap_TO, 0, 0, 0, 430 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 431 sppp_pap_scr 432 }; 433 434 static const struct cp chap = { 435 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 436 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 437 sppp_chap_TO, 0, 0, 0, 438 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 439 sppp_chap_scr 440 }; 441 442 static const struct cp *cps[IDX_COUNT] = { 443 &lcp, /* IDX_LCP */ 444 &ipcp, /* IDX_IPCP */ 445 &ipv6cp, /* IDX_IPV6CP */ 446 &pap, /* IDX_PAP */ 447 &chap, /* IDX_CHAP */ 448 }; 449 450 451 void spppattach(int); 452 void 453 /*ARGSUSED*/ 454 spppattach(int count) 455 { 456 } 457 458 /* 459 * Exported functions, comprising our interface to the lower layer. 460 */ 461 462 /* 463 * Process the received packet. 464 */ 465 void 466 sppp_input(struct ifnet *ifp, struct mbuf *m) 467 { 468 struct ppp_header *h = NULL; 469 pktqueue_t *pktq = NULL; 470 struct ifqueue *inq = NULL; 471 uint16_t protocol; 472 int s; 473 struct sppp *sp = (struct sppp *)ifp; 474 int debug = ifp->if_flags & IFF_DEBUG; 475 int isr = 0; 476 477 if (ifp->if_flags & IFF_UP) { 478 /* Count received bytes, add hardware framing */ 479 ifp->if_ibytes += m->m_pkthdr.len + sp->pp_framebytes; 480 /* Note time of last receive */ 481 sp->pp_last_receive = time_uptime; 482 } 483 484 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 485 /* Too small packet, drop it. */ 486 if (debug) 487 log(LOG_DEBUG, 488 "%s: input packet is too small, %d bytes\n", 489 ifp->if_xname, m->m_pkthdr.len); 490 drop: 491 ++ifp->if_ierrors; 492 ++ifp->if_iqdrops; 493 m_freem(m); 494 return; 495 } 496 497 if (sp->pp_flags & PP_NOFRAMING) { 498 memcpy(&protocol, mtod(m, void *), 2); 499 protocol = ntohs(protocol); 500 m_adj(m, 2); 501 } else { 502 503 /* Get PPP header. */ 504 h = mtod(m, struct ppp_header *); 505 m_adj(m, PPP_HEADER_LEN); 506 507 switch (h->address) { 508 case PPP_ALLSTATIONS: 509 if (h->control != PPP_UI) 510 goto invalid; 511 if (sp->pp_flags & PP_CISCO) { 512 if (debug) 513 log(LOG_DEBUG, 514 "%s: PPP packet in Cisco mode " 515 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 516 ifp->if_xname, 517 h->address, h->control, ntohs(h->protocol)); 518 goto drop; 519 } 520 break; 521 case CISCO_MULTICAST: 522 case CISCO_UNICAST: 523 /* Don't check the control field here (RFC 1547). */ 524 if (! (sp->pp_flags & PP_CISCO)) { 525 if (debug) 526 log(LOG_DEBUG, 527 "%s: Cisco packet in PPP mode " 528 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 529 ifp->if_xname, 530 h->address, h->control, ntohs(h->protocol)); 531 goto drop; 532 } 533 switch (ntohs(h->protocol)) { 534 default: 535 ++ifp->if_noproto; 536 goto invalid; 537 case CISCO_KEEPALIVE: 538 sppp_cisco_input((struct sppp *) ifp, m); 539 m_freem(m); 540 return; 541 #ifdef INET 542 case ETHERTYPE_IP: 543 pktq = ip_pktq; 544 break; 545 #endif 546 #ifdef INET6 547 case ETHERTYPE_IPV6: 548 pktq = ip6_pktq; 549 break; 550 #endif 551 #ifdef IPX 552 case ETHERTYPE_IPX: 553 isr = NETISR_IPX; 554 inq = &ipxintrq; 555 break; 556 #endif 557 } 558 goto queue_pkt; 559 default: /* Invalid PPP packet. */ 560 invalid: 561 if (debug) 562 log(LOG_DEBUG, 563 "%s: invalid input packet " 564 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 565 ifp->if_xname, 566 h->address, h->control, ntohs(h->protocol)); 567 goto drop; 568 } 569 protocol = ntohs(h->protocol); 570 } 571 572 switch (protocol) { 573 default: 574 if (sp->state[IDX_LCP] == STATE_OPENED) { 575 uint16_t prot = htons(protocol); 576 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 577 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 578 &prot); 579 } 580 if (debug) 581 log(LOG_DEBUG, 582 "%s: invalid input protocol " 583 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol)); 584 ++ifp->if_noproto; 585 goto drop; 586 case PPP_LCP: 587 sppp_cp_input(&lcp, sp, m); 588 m_freem(m); 589 return; 590 case PPP_PAP: 591 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 592 sppp_pap_input(sp, m); 593 m_freem(m); 594 return; 595 case PPP_CHAP: 596 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 597 sppp_chap_input(sp, m); 598 m_freem(m); 599 return; 600 #ifdef INET 601 case PPP_IPCP: 602 if (sp->pp_phase == SPPP_PHASE_NETWORK) 603 sppp_cp_input(&ipcp, sp, m); 604 m_freem(m); 605 return; 606 case PPP_IP: 607 if (sp->state[IDX_IPCP] == STATE_OPENED) { 608 sp->pp_last_activity = time_uptime; 609 pktq = ip_pktq; 610 } 611 break; 612 #endif 613 #ifdef INET6 614 case PPP_IPV6CP: 615 if (sp->pp_phase == SPPP_PHASE_NETWORK) 616 sppp_cp_input(&ipv6cp, sp, m); 617 m_freem(m); 618 return; 619 620 case PPP_IPV6: 621 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 622 sp->pp_last_activity = time_uptime; 623 pktq = ip6_pktq; 624 } 625 break; 626 #endif 627 #ifdef IPX 628 case PPP_IPX: 629 /* IPX IPXCP not implemented yet */ 630 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 631 isr = NETISR_IPX; 632 inq = &ipxintrq; 633 } 634 break; 635 #endif 636 } 637 638 queue_pkt: 639 if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) { 640 goto drop; 641 } 642 643 /* Check queue. */ 644 if (__predict_true(pktq)) { 645 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 646 goto drop; 647 } 648 return; 649 } 650 651 s = splnet(); 652 if (IF_QFULL(inq)) { 653 /* Queue overflow. */ 654 IF_DROP(inq); 655 splx(s); 656 if (debug) 657 log(LOG_DEBUG, "%s: protocol queue overflow\n", 658 ifp->if_xname); 659 goto drop; 660 } 661 IF_ENQUEUE(inq, m); 662 schednetisr(isr); 663 splx(s); 664 } 665 666 /* 667 * Enqueue transmit packet. 668 */ 669 static int 670 sppp_output(struct ifnet *ifp, struct mbuf *m, 671 const struct sockaddr *dst, struct rtentry *rt) 672 { 673 struct sppp *sp = (struct sppp *) ifp; 674 struct ppp_header *h = NULL; 675 struct ifqueue *ifq = NULL; /* XXX */ 676 int s, error = 0; 677 uint16_t protocol; 678 ALTQ_DECL(struct altq_pktattr pktattr;) 679 680 s = splnet(); 681 682 sp->pp_last_activity = time_uptime; 683 684 if ((ifp->if_flags & IFF_UP) == 0 || 685 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 686 m_freem(m); 687 splx(s); 688 return (ENETDOWN); 689 } 690 691 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 692 /* 693 * Interface is not yet running, but auto-dial. Need 694 * to start LCP for it. 695 */ 696 ifp->if_flags |= IFF_RUNNING; 697 splx(s); 698 lcp.Open(sp); 699 s = splnet(); 700 } 701 702 /* 703 * If the queueing discipline needs packet classification, 704 * do it before prepending link headers. 705 */ 706 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family, &pktattr); 707 708 #ifdef INET 709 if (dst->sa_family == AF_INET) { 710 struct ip *ip = NULL; 711 struct tcphdr *th = NULL; 712 713 if (m->m_len >= sizeof(struct ip)) { 714 ip = mtod(m, struct ip *); 715 if (ip->ip_p == IPPROTO_TCP && 716 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 717 sizeof(struct tcphdr)) { 718 th = (struct tcphdr *) 719 ((char *)ip + (ip->ip_hl << 2)); 720 } 721 } else 722 ip = NULL; 723 724 /* 725 * When using dynamic local IP address assignment by using 726 * 0.0.0.0 as a local address, the first TCP session will 727 * not connect because the local TCP checksum is computed 728 * using 0.0.0.0 which will later become our real IP address 729 * so the TCP checksum computed at the remote end will 730 * become invalid. So we 731 * - don't let packets with src ip addr 0 thru 732 * - we flag TCP packets with src ip 0 as an error 733 */ 734 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 735 uint8_t proto = ip->ip_p; 736 737 m_freem(m); 738 splx(s); 739 if (proto == IPPROTO_TCP) 740 return (EADDRNOTAVAIL); 741 else 742 return (0); 743 } 744 745 /* 746 * Put low delay, telnet, rlogin and ftp control packets 747 * in front of the queue. 748 */ 749 750 if (!IF_QFULL(&sp->pp_fastq) && 751 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 752 (th && (INTERACTIVE(ntohs(th->th_sport)) || 753 INTERACTIVE(ntohs(th->th_dport)))))) 754 ifq = &sp->pp_fastq; 755 } 756 #endif 757 758 #ifdef INET6 759 if (dst->sa_family == AF_INET6) { 760 /* XXX do something tricky here? */ 761 } 762 #endif 763 764 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 765 /* 766 * Prepend general data packet PPP header. For now, IP only. 767 */ 768 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 769 if (! m) { 770 if (ifp->if_flags & IFF_DEBUG) 771 log(LOG_DEBUG, "%s: no memory for transmit header\n", 772 ifp->if_xname); 773 ++ifp->if_oerrors; 774 splx(s); 775 return (ENOBUFS); 776 } 777 /* 778 * May want to check size of packet 779 * (albeit due to the implementation it's always enough) 780 */ 781 h = mtod(m, struct ppp_header *); 782 if (sp->pp_flags & PP_CISCO) { 783 h->address = CISCO_UNICAST; /* unicast address */ 784 h->control = 0; 785 } else { 786 h->address = PPP_ALLSTATIONS; /* broadcast address */ 787 h->control = PPP_UI; /* Unnumbered Info */ 788 } 789 } 790 791 switch (dst->sa_family) { 792 #ifdef INET 793 case AF_INET: /* Internet Protocol */ 794 if (sp->pp_flags & PP_CISCO) 795 protocol = htons(ETHERTYPE_IP); 796 else { 797 /* 798 * Don't choke with an ENETDOWN early. It's 799 * possible that we just started dialing out, 800 * so don't drop the packet immediately. If 801 * we notice that we run out of buffer space 802 * below, we will however remember that we are 803 * not ready to carry IP packets, and return 804 * ENETDOWN, as opposed to ENOBUFS. 805 */ 806 protocol = htons(PPP_IP); 807 if (sp->state[IDX_IPCP] != STATE_OPENED) 808 error = ENETDOWN; 809 } 810 break; 811 #endif 812 #ifdef INET6 813 case AF_INET6: /* Internet Protocol version 6 */ 814 if (sp->pp_flags & PP_CISCO) 815 protocol = htons(ETHERTYPE_IPV6); 816 else { 817 /* 818 * Don't choke with an ENETDOWN early. It's 819 * possible that we just started dialing out, 820 * so don't drop the packet immediately. If 821 * we notice that we run out of buffer space 822 * below, we will however remember that we are 823 * not ready to carry IP packets, and return 824 * ENETDOWN, as opposed to ENOBUFS. 825 */ 826 protocol = htons(PPP_IPV6); 827 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 828 error = ENETDOWN; 829 } 830 break; 831 #endif 832 #ifdef IPX 833 case AF_IPX: /* Novell IPX Protocol */ 834 protocol = htons((sp->pp_flags & PP_CISCO) ? 835 ETHERTYPE_IPX : PPP_IPX); 836 break; 837 #endif 838 default: 839 m_freem(m); 840 ++ifp->if_oerrors; 841 splx(s); 842 return (EAFNOSUPPORT); 843 } 844 845 if (sp->pp_flags & PP_NOFRAMING) { 846 M_PREPEND(m, 2, M_DONTWAIT); 847 if (m == NULL) { 848 if (ifp->if_flags & IFF_DEBUG) 849 log(LOG_DEBUG, "%s: no memory for transmit header\n", 850 ifp->if_xname); 851 ++ifp->if_oerrors; 852 splx(s); 853 return (ENOBUFS); 854 } 855 *mtod(m, uint16_t *) = protocol; 856 } else { 857 h->protocol = protocol; 858 } 859 860 861 error = ifq_enqueue2(ifp, ifq, m ALTQ_COMMA ALTQ_DECL(&pktattr)); 862 863 if (error == 0) { 864 /* 865 * Count output packets and bytes. 866 * The packet length includes header + additional hardware 867 * framing according to RFC 1333. 868 */ 869 if (!(ifp->if_flags & IFF_OACTIVE)) 870 (*ifp->if_start)(ifp); 871 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 872 } 873 splx(s); 874 return error; 875 } 876 877 void 878 sppp_attach(struct ifnet *ifp) 879 { 880 struct sppp *sp = (struct sppp *) ifp; 881 882 /* Initialize keepalive handler. */ 883 if (! spppq) { 884 callout_init(&keepalive_ch, 0); 885 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 886 } 887 888 /* Insert new entry into the keepalive list. */ 889 sp->pp_next = spppq; 890 spppq = sp; 891 892 sp->pp_if.if_type = IFT_PPP; 893 sp->pp_if.if_output = sppp_output; 894 sp->pp_fastq.ifq_maxlen = 32; 895 sp->pp_cpq.ifq_maxlen = 20; 896 sp->pp_loopcnt = 0; 897 sp->pp_alivecnt = 0; 898 sp->pp_last_activity = 0; 899 sp->pp_last_receive = 0; 900 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 901 sp->pp_max_noreceive = DEFAULT_NORECV_TIME; 902 sp->pp_idle_timeout = 0; 903 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq)); 904 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq)); 905 sp->pp_auth_failures = 0; 906 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 907 sp->pp_phase = SPPP_PHASE_DEAD; 908 sp->pp_up = lcp.Up; 909 sp->pp_down = lcp.Down; 910 911 if_alloc_sadl(ifp); 912 913 memset(&sp->myauth, 0, sizeof sp->myauth); 914 memset(&sp->hisauth, 0, sizeof sp->hisauth); 915 sppp_lcp_init(sp); 916 sppp_ipcp_init(sp); 917 sppp_ipv6cp_init(sp); 918 sppp_pap_init(sp); 919 sppp_chap_init(sp); 920 } 921 922 void 923 sppp_detach(struct ifnet *ifp) 924 { 925 struct sppp **q, *p, *sp = (struct sppp *) ifp; 926 927 /* Remove the entry from the keepalive list. */ 928 for (q = &spppq; (p = *q); q = &p->pp_next) 929 if (p == sp) { 930 *q = p->pp_next; 931 break; 932 } 933 934 /* Stop keepalive handler. */ 935 if (! spppq) { 936 callout_stop(&keepalive_ch); 937 } 938 939 callout_stop(&sp->ch[IDX_LCP]); 940 callout_stop(&sp->ch[IDX_IPCP]); 941 callout_stop(&sp->ch[IDX_PAP]); 942 callout_stop(&sp->ch[IDX_CHAP]); 943 #ifdef INET6 944 callout_stop(&sp->ch[IDX_IPV6CP]); 945 #endif 946 callout_stop(&sp->pap_my_to_ch); 947 948 /* free authentication info */ 949 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 950 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 951 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 952 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 953 } 954 955 /* 956 * Flush the interface output queue. 957 */ 958 void 959 sppp_flush(struct ifnet *ifp) 960 { 961 struct sppp *sp = (struct sppp *) ifp; 962 963 IFQ_PURGE(&sp->pp_if.if_snd); 964 IF_PURGE(&sp->pp_fastq); 965 IF_PURGE(&sp->pp_cpq); 966 } 967 968 /* 969 * Check if the output queue is empty. 970 */ 971 int 972 sppp_isempty(struct ifnet *ifp) 973 { 974 struct sppp *sp = (struct sppp *) ifp; 975 int empty, s; 976 977 s = splnet(); 978 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 979 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 980 splx(s); 981 return (empty); 982 } 983 984 /* 985 * Get next packet to send. 986 */ 987 struct mbuf * 988 sppp_dequeue(struct ifnet *ifp) 989 { 990 struct sppp *sp = (struct sppp *) ifp; 991 struct mbuf *m; 992 int s; 993 994 s = splnet(); 995 /* 996 * Process only the control protocol queue until we have at 997 * least one NCP open. 998 * 999 * Do always serve all three queues in Cisco mode. 1000 */ 1001 IF_DEQUEUE(&sp->pp_cpq, m); 1002 if (m == NULL && 1003 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) { 1004 IF_DEQUEUE(&sp->pp_fastq, m); 1005 if (m == NULL) 1006 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 1007 } 1008 splx(s); 1009 return m; 1010 } 1011 1012 /* 1013 * Process an ioctl request. Called on low priority level. 1014 */ 1015 int 1016 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1017 { 1018 struct lwp *l = curlwp; /* XXX */ 1019 struct ifreq *ifr = (struct ifreq *) data; 1020 struct ifaddr *ifa = (struct ifaddr *) data; 1021 struct sppp *sp = (struct sppp *) ifp; 1022 int s, error=0, going_up, going_down, newmode; 1023 1024 s = splnet(); 1025 switch (cmd) { 1026 case SIOCINITIFADDR: 1027 ifa->ifa_rtrequest = p2p_rtrequest; 1028 break; 1029 1030 case SIOCSIFFLAGS: 1031 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1032 break; 1033 going_up = ifp->if_flags & IFF_UP && 1034 (ifp->if_flags & IFF_RUNNING) == 0; 1035 going_down = (ifp->if_flags & IFF_UP) == 0 && 1036 ifp->if_flags & IFF_RUNNING; 1037 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1038 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1039 /* sanity */ 1040 newmode = IFF_PASSIVE; 1041 ifp->if_flags &= ~IFF_AUTO; 1042 } 1043 1044 if (going_up || going_down) 1045 lcp.Close(sp); 1046 if (going_up && newmode == 0) { 1047 /* neither auto-dial nor passive */ 1048 ifp->if_flags |= IFF_RUNNING; 1049 if (!(sp->pp_flags & PP_CISCO)) 1050 lcp.Open(sp); 1051 } else if (going_down) { 1052 sppp_flush(ifp); 1053 ifp->if_flags &= ~IFF_RUNNING; 1054 } 1055 1056 break; 1057 1058 case SIOCSIFMTU: 1059 if (ifr->ifr_mtu < PPP_MINMRU || 1060 ifr->ifr_mtu > sp->lcp.their_mru) { 1061 error = EINVAL; 1062 break; 1063 } 1064 /*FALLTHROUGH*/ 1065 case SIOCGIFMTU: 1066 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1067 error = 0; 1068 break; 1069 case SIOCADDMULTI: 1070 case SIOCDELMULTI: 1071 break; 1072 1073 case SPPPSETAUTHCFG: 1074 case SPPPSETLCPCFG: 1075 case SPPPSETIDLETO: 1076 case SPPPSETAUTHFAILURE: 1077 case SPPPSETDNSOPTS: 1078 case SPPPSETKEEPALIVE: 1079 #if defined(COMPAT_50) || defined(MODULAR) 1080 case __SPPPSETIDLETO50: 1081 case __SPPPSETKEEPALIVE50: 1082 #endif /* COMPAT_50 || MODULAR */ 1083 error = kauth_authorize_network(l->l_cred, 1084 KAUTH_NETWORK_INTERFACE, 1085 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1086 NULL); 1087 if (error) 1088 break; 1089 error = sppp_params(sp, cmd, data); 1090 break; 1091 1092 case SPPPGETAUTHCFG: 1093 case SPPPGETLCPCFG: 1094 case SPPPGETAUTHFAILURES: 1095 error = kauth_authorize_network(l->l_cred, 1096 KAUTH_NETWORK_INTERFACE, 1097 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1098 NULL); 1099 if (error) 1100 break; 1101 error = sppp_params(sp, cmd, data); 1102 break; 1103 1104 case SPPPGETSTATUS: 1105 case SPPPGETSTATUSNCP: 1106 case SPPPGETIDLETO: 1107 case SPPPGETDNSOPTS: 1108 case SPPPGETDNSADDRS: 1109 case SPPPGETKEEPALIVE: 1110 #if defined(COMPAT_50) || defined(MODULAR) 1111 case __SPPPGETIDLETO50: 1112 case __SPPPGETKEEPALIVE50: 1113 #endif /* COMPAT_50 || MODULAR */ 1114 error = sppp_params(sp, cmd, data); 1115 break; 1116 1117 default: 1118 error = ifioctl_common(ifp, cmd, data); 1119 break; 1120 } 1121 splx(s); 1122 return (error); 1123 } 1124 1125 1126 /* 1127 * Cisco framing implementation. 1128 */ 1129 1130 /* 1131 * Handle incoming Cisco keepalive protocol packets. 1132 */ 1133 static void 1134 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1135 { 1136 STDDCL; 1137 struct cisco_packet *h; 1138 #ifdef INET 1139 uint32_t me, mymask = 0; /* XXX: GCC */ 1140 #endif 1141 1142 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1143 if (debug) 1144 log(LOG_DEBUG, 1145 "%s: cisco invalid packet length: %d bytes\n", 1146 ifp->if_xname, m->m_pkthdr.len); 1147 return; 1148 } 1149 h = mtod(m, struct cisco_packet *); 1150 if (debug) 1151 log(LOG_DEBUG, 1152 "%s: cisco input: %d bytes " 1153 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1154 ifp->if_xname, m->m_pkthdr.len, 1155 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1156 (u_int)h->time0, (u_int)h->time1); 1157 switch (ntohl(h->type)) { 1158 default: 1159 if (debug) 1160 addlog("%s: cisco unknown packet type: 0x%x\n", 1161 ifp->if_xname, ntohl(h->type)); 1162 break; 1163 case CISCO_ADDR_REPLY: 1164 /* Reply on address request, ignore */ 1165 break; 1166 case CISCO_KEEPALIVE_REQ: 1167 sp->pp_alivecnt = 0; 1168 sp->pp_rseq[IDX_LCP] = ntohl(h->par1); 1169 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1170 /* Local and remote sequence numbers are equal. 1171 * Probably, the line is in loopback mode. */ 1172 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1173 printf ("%s: loopback\n", 1174 ifp->if_xname); 1175 sp->pp_loopcnt = 0; 1176 if (ifp->if_flags & IFF_UP) { 1177 if_down(ifp); 1178 IF_PURGE(&sp->pp_cpq); 1179 } 1180 } 1181 ++sp->pp_loopcnt; 1182 1183 /* Generate new local sequence number */ 1184 sp->pp_seq[IDX_LCP] = cprng_fast32(); 1185 break; 1186 } 1187 sp->pp_loopcnt = 0; 1188 if (! (ifp->if_flags & IFF_UP) && 1189 (ifp->if_flags & IFF_RUNNING)) { 1190 if_up(ifp); 1191 } 1192 break; 1193 case CISCO_ADDR_REQ: 1194 #ifdef INET 1195 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1196 if (me != 0L) 1197 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1198 #endif 1199 break; 1200 } 1201 } 1202 1203 /* 1204 * Send Cisco keepalive packet. 1205 */ 1206 static void 1207 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1208 { 1209 STDDCL; 1210 struct ppp_header *h; 1211 struct cisco_packet *ch; 1212 struct mbuf *m; 1213 uint32_t t; 1214 1215 t = time_uptime * 1000; 1216 MGETHDR(m, M_DONTWAIT, MT_DATA); 1217 if (! m) 1218 return; 1219 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1220 m->m_pkthdr.rcvif = 0; 1221 1222 h = mtod(m, struct ppp_header *); 1223 h->address = CISCO_MULTICAST; 1224 h->control = 0; 1225 h->protocol = htons(CISCO_KEEPALIVE); 1226 1227 ch = (struct cisco_packet *)(h + 1); 1228 ch->type = htonl(type); 1229 ch->par1 = htonl(par1); 1230 ch->par2 = htonl(par2); 1231 ch->rel = -1; 1232 1233 ch->time0 = htons((u_short)(t >> 16)); 1234 ch->time1 = htons((u_short) t); 1235 1236 if (debug) 1237 log(LOG_DEBUG, 1238 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1239 ifp->if_xname, ntohl(ch->type), ch->par1, 1240 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1241 (u_int)ch->time1); 1242 1243 if (IF_QFULL(&sp->pp_cpq)) { 1244 IF_DROP(&sp->pp_fastq); 1245 IF_DROP(&ifp->if_snd); 1246 m_freem(m); 1247 ++ifp->if_oerrors; 1248 return; 1249 } else 1250 IF_ENQUEUE(&sp->pp_cpq, m); 1251 if (! (ifp->if_flags & IFF_OACTIVE)) 1252 (*ifp->if_start)(ifp); 1253 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1254 } 1255 1256 /* 1257 * PPP protocol implementation. 1258 */ 1259 1260 /* 1261 * Send PPP control protocol packet. 1262 */ 1263 static void 1264 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1265 u_char ident, u_short len, void *data) 1266 { 1267 STDDCL; 1268 struct lcp_header *lh; 1269 struct mbuf *m; 1270 size_t pkthdrlen; 1271 1272 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1273 1274 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1275 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1276 MGETHDR(m, M_DONTWAIT, MT_DATA); 1277 if (! m) 1278 return; 1279 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1280 m->m_pkthdr.rcvif = 0; 1281 1282 if (sp->pp_flags & PP_NOFRAMING) { 1283 *mtod(m, uint16_t *) = htons(proto); 1284 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1285 } else { 1286 struct ppp_header *h; 1287 h = mtod(m, struct ppp_header *); 1288 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1289 h->control = PPP_UI; /* Unnumbered Info */ 1290 h->protocol = htons(proto); /* Link Control Protocol */ 1291 lh = (struct lcp_header *)(h + 1); 1292 } 1293 lh->type = type; 1294 lh->ident = ident; 1295 lh->len = htons(LCP_HEADER_LEN + len); 1296 if (len) 1297 bcopy (data, lh + 1, len); 1298 1299 if (debug) { 1300 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1301 ifp->if_xname, 1302 sppp_proto_name(proto), 1303 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len)); 1304 if (len) 1305 sppp_print_bytes((u_char *)(lh + 1), len); 1306 addlog(">\n"); 1307 } 1308 if (IF_QFULL(&sp->pp_cpq)) { 1309 IF_DROP(&sp->pp_fastq); 1310 IF_DROP(&ifp->if_snd); 1311 m_freem(m); 1312 ++ifp->if_oerrors; 1313 return; 1314 } else 1315 IF_ENQUEUE(&sp->pp_cpq, m); 1316 if (! (ifp->if_flags & IFF_OACTIVE)) 1317 (*ifp->if_start)(ifp); 1318 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1319 } 1320 1321 /* 1322 * Handle incoming PPP control protocol packets. 1323 */ 1324 static void 1325 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1326 { 1327 STDDCL; 1328 struct lcp_header *h; 1329 int printlen, len = m->m_pkthdr.len; 1330 int rv; 1331 u_char *p; 1332 uint32_t u32; 1333 1334 if (len < 4) { 1335 if (debug) 1336 log(LOG_DEBUG, 1337 "%s: %s invalid packet length: %d bytes\n", 1338 ifp->if_xname, cp->name, len); 1339 return; 1340 } 1341 h = mtod(m, struct lcp_header *); 1342 if (debug) { 1343 printlen = ntohs(h->len); 1344 log(LOG_DEBUG, 1345 "%s: %s input(%s): <%s id=0x%x len=%d", 1346 ifp->if_xname, cp->name, 1347 sppp_state_name(sp->state[cp->protoidx]), 1348 sppp_cp_type_name(h->type), h->ident, printlen); 1349 if (len < printlen) 1350 printlen = len; 1351 if (printlen > 4) 1352 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1353 addlog(">\n"); 1354 } 1355 if (len > ntohs(h->len)) 1356 len = ntohs(h->len); 1357 p = (u_char *)(h + 1); 1358 switch (h->type) { 1359 case CONF_REQ: 1360 if (len < 4) { 1361 if (debug) 1362 addlog("%s: %s invalid conf-req length %d\n", 1363 ifp->if_xname, cp->name, 1364 len); 1365 ++ifp->if_ierrors; 1366 break; 1367 } 1368 /* handle states where RCR doesn't get a SCA/SCN */ 1369 switch (sp->state[cp->protoidx]) { 1370 case STATE_CLOSING: 1371 case STATE_STOPPING: 1372 return; 1373 case STATE_CLOSED: 1374 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1375 0, 0); 1376 return; 1377 } 1378 rv = (cp->RCR)(sp, h, len); 1379 if (rv < 0) { 1380 /* fatal error, shut down */ 1381 (cp->tld)(sp); 1382 sppp_lcp_tlf(sp); 1383 return; 1384 } 1385 switch (sp->state[cp->protoidx]) { 1386 case STATE_OPENED: 1387 (cp->tld)(sp); 1388 (cp->scr)(sp); 1389 /* fall through... */ 1390 case STATE_ACK_SENT: 1391 case STATE_REQ_SENT: 1392 sppp_cp_change_state(cp, sp, rv? 1393 STATE_ACK_SENT: STATE_REQ_SENT); 1394 break; 1395 case STATE_STOPPED: 1396 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1397 (cp->scr)(sp); 1398 sppp_cp_change_state(cp, sp, rv? 1399 STATE_ACK_SENT: STATE_REQ_SENT); 1400 break; 1401 case STATE_ACK_RCVD: 1402 if (rv) { 1403 sppp_cp_change_state(cp, sp, STATE_OPENED); 1404 if (debug) 1405 log(LOG_DEBUG, "%s: %s tlu\n", 1406 ifp->if_xname, 1407 cp->name); 1408 (cp->tlu)(sp); 1409 } else 1410 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1411 break; 1412 default: 1413 printf("%s: %s illegal %s in state %s\n", 1414 ifp->if_xname, cp->name, 1415 sppp_cp_type_name(h->type), 1416 sppp_state_name(sp->state[cp->protoidx])); 1417 ++ifp->if_ierrors; 1418 } 1419 break; 1420 case CONF_ACK: 1421 if (h->ident != sp->confid[cp->protoidx]) { 1422 if (debug) 1423 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1424 ifp->if_xname, cp->name, 1425 h->ident, sp->confid[cp->protoidx]); 1426 ++ifp->if_ierrors; 1427 break; 1428 } 1429 switch (sp->state[cp->protoidx]) { 1430 case STATE_CLOSED: 1431 case STATE_STOPPED: 1432 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1433 break; 1434 case STATE_CLOSING: 1435 case STATE_STOPPING: 1436 break; 1437 case STATE_REQ_SENT: 1438 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1439 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1440 break; 1441 case STATE_OPENED: 1442 (cp->tld)(sp); 1443 /* fall through */ 1444 case STATE_ACK_RCVD: 1445 (cp->scr)(sp); 1446 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1447 break; 1448 case STATE_ACK_SENT: 1449 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1450 sppp_cp_change_state(cp, sp, STATE_OPENED); 1451 if (debug) 1452 log(LOG_DEBUG, "%s: %s tlu\n", 1453 ifp->if_xname, cp->name); 1454 (cp->tlu)(sp); 1455 break; 1456 default: 1457 printf("%s: %s illegal %s in state %s\n", 1458 ifp->if_xname, cp->name, 1459 sppp_cp_type_name(h->type), 1460 sppp_state_name(sp->state[cp->protoidx])); 1461 ++ifp->if_ierrors; 1462 } 1463 break; 1464 case CONF_NAK: 1465 case CONF_REJ: 1466 if (h->ident != sp->confid[cp->protoidx]) { 1467 if (debug) 1468 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1469 ifp->if_xname, cp->name, 1470 h->ident, sp->confid[cp->protoidx]); 1471 ++ifp->if_ierrors; 1472 break; 1473 } 1474 if (h->type == CONF_NAK) 1475 (cp->RCN_nak)(sp, h, len); 1476 else /* CONF_REJ */ 1477 (cp->RCN_rej)(sp, h, len); 1478 1479 switch (sp->state[cp->protoidx]) { 1480 case STATE_CLOSED: 1481 case STATE_STOPPED: 1482 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1483 break; 1484 case STATE_REQ_SENT: 1485 case STATE_ACK_SENT: 1486 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1487 (cp->scr)(sp); 1488 break; 1489 case STATE_OPENED: 1490 (cp->tld)(sp); 1491 /* fall through */ 1492 case STATE_ACK_RCVD: 1493 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 1494 (cp->scr)(sp); 1495 break; 1496 case STATE_CLOSING: 1497 case STATE_STOPPING: 1498 break; 1499 default: 1500 printf("%s: %s illegal %s in state %s\n", 1501 ifp->if_xname, cp->name, 1502 sppp_cp_type_name(h->type), 1503 sppp_state_name(sp->state[cp->protoidx])); 1504 ++ifp->if_ierrors; 1505 } 1506 break; 1507 1508 case TERM_REQ: 1509 switch (sp->state[cp->protoidx]) { 1510 case STATE_ACK_RCVD: 1511 case STATE_ACK_SENT: 1512 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1513 /* fall through */ 1514 case STATE_CLOSED: 1515 case STATE_STOPPED: 1516 case STATE_CLOSING: 1517 case STATE_STOPPING: 1518 case STATE_REQ_SENT: 1519 sta: 1520 /* Send Terminate-Ack packet. */ 1521 if (debug) 1522 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 1523 ifp->if_xname, cp->name); 1524 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1525 break; 1526 case STATE_OPENED: 1527 (cp->tld)(sp); 1528 sp->rst_counter[cp->protoidx] = 0; 1529 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1530 goto sta; 1531 default: 1532 printf("%s: %s illegal %s in state %s\n", 1533 ifp->if_xname, cp->name, 1534 sppp_cp_type_name(h->type), 1535 sppp_state_name(sp->state[cp->protoidx])); 1536 ++ifp->if_ierrors; 1537 } 1538 break; 1539 case TERM_ACK: 1540 switch (sp->state[cp->protoidx]) { 1541 case STATE_CLOSED: 1542 case STATE_STOPPED: 1543 case STATE_REQ_SENT: 1544 case STATE_ACK_SENT: 1545 break; 1546 case STATE_CLOSING: 1547 (cp->tlf)(sp); 1548 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1549 sppp_lcp_check_and_close(sp); 1550 break; 1551 case STATE_STOPPING: 1552 (cp->tlf)(sp); 1553 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1554 sppp_lcp_check_and_close(sp); 1555 break; 1556 case STATE_ACK_RCVD: 1557 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1558 break; 1559 case STATE_OPENED: 1560 (cp->tld)(sp); 1561 (cp->scr)(sp); 1562 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1563 break; 1564 default: 1565 printf("%s: %s illegal %s in state %s\n", 1566 ifp->if_xname, cp->name, 1567 sppp_cp_type_name(h->type), 1568 sppp_state_name(sp->state[cp->protoidx])); 1569 ++ifp->if_ierrors; 1570 } 1571 break; 1572 case CODE_REJ: 1573 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1574 log(LOG_INFO, 1575 "%s: %s: ignoring RXJ (%s) for code ?, " 1576 "danger will robinson\n", 1577 ifp->if_xname, cp->name, 1578 sppp_cp_type_name(h->type)); 1579 switch (sp->state[cp->protoidx]) { 1580 case STATE_CLOSED: 1581 case STATE_STOPPED: 1582 case STATE_REQ_SENT: 1583 case STATE_ACK_SENT: 1584 case STATE_CLOSING: 1585 case STATE_STOPPING: 1586 case STATE_OPENED: 1587 break; 1588 case STATE_ACK_RCVD: 1589 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1590 break; 1591 default: 1592 printf("%s: %s illegal %s in state %s\n", 1593 ifp->if_xname, cp->name, 1594 sppp_cp_type_name(h->type), 1595 sppp_state_name(sp->state[cp->protoidx])); 1596 ++ifp->if_ierrors; 1597 } 1598 break; 1599 case PROTO_REJ: 1600 { 1601 int catastrophic; 1602 const struct cp *upper; 1603 int i; 1604 uint16_t proto; 1605 1606 catastrophic = 0; 1607 upper = NULL; 1608 proto = p[0] << 8 | p[1]; 1609 for (i = 0; i < IDX_COUNT; i++) { 1610 if (cps[i]->proto == proto) { 1611 upper = cps[i]; 1612 break; 1613 } 1614 } 1615 if (upper == NULL) 1616 catastrophic++; 1617 1618 if (debug) 1619 log(LOG_INFO, 1620 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1621 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1622 sppp_cp_type_name(h->type), proto, 1623 upper ? upper->name : "unknown", 1624 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1625 1626 /* 1627 * if we got RXJ+ against conf-req, the peer does not implement 1628 * this particular protocol type. terminate the protocol. 1629 */ 1630 if (upper && !catastrophic) { 1631 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1632 upper->Close(sp); 1633 break; 1634 } 1635 } 1636 1637 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1638 switch (sp->state[cp->protoidx]) { 1639 case STATE_CLOSED: 1640 case STATE_STOPPED: 1641 case STATE_REQ_SENT: 1642 case STATE_ACK_SENT: 1643 case STATE_CLOSING: 1644 case STATE_STOPPING: 1645 case STATE_OPENED: 1646 break; 1647 case STATE_ACK_RCVD: 1648 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1649 break; 1650 default: 1651 printf("%s: %s illegal %s in state %s\n", 1652 ifp->if_xname, cp->name, 1653 sppp_cp_type_name(h->type), 1654 sppp_state_name(sp->state[cp->protoidx])); 1655 ++ifp->if_ierrors; 1656 } 1657 break; 1658 } 1659 case DISC_REQ: 1660 if (cp->proto != PPP_LCP) 1661 goto illegal; 1662 /* Discard the packet. */ 1663 break; 1664 case ECHO_REQ: 1665 if (cp->proto != PPP_LCP) 1666 goto illegal; 1667 if (sp->state[cp->protoidx] != STATE_OPENED) { 1668 if (debug) 1669 addlog("%s: lcp echo req but lcp closed\n", 1670 ifp->if_xname); 1671 ++ifp->if_ierrors; 1672 break; 1673 } 1674 if (len < 8) { 1675 if (debug) 1676 addlog("%s: invalid lcp echo request " 1677 "packet length: %d bytes\n", 1678 ifp->if_xname, len); 1679 break; 1680 } 1681 memcpy(&u32, h + 1, sizeof u32); 1682 if (ntohl(u32) == sp->lcp.magic) { 1683 /* Line loopback mode detected. */ 1684 printf("%s: loopback\n", ifp->if_xname); 1685 if_down(ifp); 1686 IF_PURGE(&sp->pp_cpq); 1687 1688 /* Shut down the PPP link. */ 1689 /* XXX */ 1690 lcp.Down(sp); 1691 lcp.Up(sp); 1692 break; 1693 } 1694 u32 = htonl(sp->lcp.magic); 1695 memcpy(h + 1, &u32, sizeof u32); 1696 if (debug) 1697 addlog("%s: got lcp echo req, sending echo rep\n", 1698 ifp->if_xname); 1699 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1700 h + 1); 1701 break; 1702 case ECHO_REPLY: 1703 if (cp->proto != PPP_LCP) 1704 goto illegal; 1705 if (h->ident != sp->lcp.echoid) { 1706 ++ifp->if_ierrors; 1707 break; 1708 } 1709 if (len < 8) { 1710 if (debug) 1711 addlog("%s: lcp invalid echo reply " 1712 "packet length: %d bytes\n", 1713 ifp->if_xname, len); 1714 break; 1715 } 1716 if (debug) 1717 addlog("%s: lcp got echo rep\n", 1718 ifp->if_xname); 1719 memcpy(&u32, h + 1, sizeof u32); 1720 if (ntohl(u32) != sp->lcp.magic) 1721 sp->pp_alivecnt = 0; 1722 break; 1723 default: 1724 /* Unknown packet type -- send Code-Reject packet. */ 1725 illegal: 1726 if (debug) 1727 addlog("%s: %s send code-rej for 0x%x\n", 1728 ifp->if_xname, cp->name, h->type); 1729 sppp_cp_send(sp, cp->proto, CODE_REJ, 1730 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1731 ++ifp->if_ierrors; 1732 } 1733 } 1734 1735 1736 /* 1737 * The generic part of all Up/Down/Open/Close/TO event handlers. 1738 * Basically, the state transition handling in the automaton. 1739 */ 1740 static void 1741 sppp_up_event(const struct cp *cp, struct sppp *sp) 1742 { 1743 STDDCL; 1744 1745 if (debug) 1746 log(LOG_DEBUG, "%s: %s up(%s)\n", 1747 ifp->if_xname, cp->name, 1748 sppp_state_name(sp->state[cp->protoidx])); 1749 1750 switch (sp->state[cp->protoidx]) { 1751 case STATE_INITIAL: 1752 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1753 break; 1754 case STATE_STARTING: 1755 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1756 (cp->scr)(sp); 1757 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1758 break; 1759 default: 1760 printf("%s: %s illegal up in state %s\n", 1761 ifp->if_xname, cp->name, 1762 sppp_state_name(sp->state[cp->protoidx])); 1763 } 1764 } 1765 1766 static void 1767 sppp_down_event(const struct cp *cp, struct sppp *sp) 1768 { 1769 STDDCL; 1770 1771 if (debug) 1772 log(LOG_DEBUG, "%s: %s down(%s)\n", 1773 ifp->if_xname, cp->name, 1774 sppp_state_name(sp->state[cp->protoidx])); 1775 1776 switch (sp->state[cp->protoidx]) { 1777 case STATE_CLOSED: 1778 case STATE_CLOSING: 1779 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1780 break; 1781 case STATE_STOPPED: 1782 (cp->tls)(sp); 1783 /* fall through */ 1784 case STATE_STOPPING: 1785 case STATE_REQ_SENT: 1786 case STATE_ACK_RCVD: 1787 case STATE_ACK_SENT: 1788 sppp_cp_change_state(cp, sp, STATE_STARTING); 1789 break; 1790 case STATE_OPENED: 1791 (cp->tld)(sp); 1792 sppp_cp_change_state(cp, sp, STATE_STARTING); 1793 break; 1794 default: 1795 printf("%s: %s illegal down in state %s\n", 1796 ifp->if_xname, cp->name, 1797 sppp_state_name(sp->state[cp->protoidx])); 1798 } 1799 } 1800 1801 1802 static void 1803 sppp_open_event(const struct cp *cp, struct sppp *sp) 1804 { 1805 STDDCL; 1806 1807 if (debug) 1808 log(LOG_DEBUG, "%s: %s open(%s)\n", 1809 ifp->if_xname, cp->name, 1810 sppp_state_name(sp->state[cp->protoidx])); 1811 1812 switch (sp->state[cp->protoidx]) { 1813 case STATE_INITIAL: 1814 sppp_cp_change_state(cp, sp, STATE_STARTING); 1815 (cp->tls)(sp); 1816 break; 1817 case STATE_STARTING: 1818 break; 1819 case STATE_CLOSED: 1820 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1821 (cp->scr)(sp); 1822 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1823 break; 1824 case STATE_STOPPED: 1825 case STATE_STOPPING: 1826 case STATE_REQ_SENT: 1827 case STATE_ACK_RCVD: 1828 case STATE_ACK_SENT: 1829 case STATE_OPENED: 1830 break; 1831 case STATE_CLOSING: 1832 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1833 break; 1834 } 1835 } 1836 1837 1838 static void 1839 sppp_close_event(const struct cp *cp, struct sppp *sp) 1840 { 1841 STDDCL; 1842 1843 if (debug) 1844 log(LOG_DEBUG, "%s: %s close(%s)\n", 1845 ifp->if_xname, cp->name, 1846 sppp_state_name(sp->state[cp->protoidx])); 1847 1848 switch (sp->state[cp->protoidx]) { 1849 case STATE_INITIAL: 1850 case STATE_CLOSED: 1851 case STATE_CLOSING: 1852 break; 1853 case STATE_STARTING: 1854 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1855 (cp->tlf)(sp); 1856 break; 1857 case STATE_STOPPED: 1858 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1859 break; 1860 case STATE_STOPPING: 1861 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1862 break; 1863 case STATE_OPENED: 1864 (cp->tld)(sp); 1865 /* fall through */ 1866 case STATE_REQ_SENT: 1867 case STATE_ACK_RCVD: 1868 case STATE_ACK_SENT: 1869 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 1870 sppp_cp_send(sp, cp->proto, TERM_REQ, 1871 ++sp->pp_seq[cp->protoidx], 0, 0); 1872 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1873 break; 1874 } 1875 } 1876 1877 static void 1878 sppp_to_event(const struct cp *cp, struct sppp *sp) 1879 { 1880 STDDCL; 1881 int s; 1882 1883 s = splnet(); 1884 if (debug) 1885 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 1886 ifp->if_xname, cp->name, 1887 sppp_state_name(sp->state[cp->protoidx]), 1888 sp->rst_counter[cp->protoidx]); 1889 1890 if (--sp->rst_counter[cp->protoidx] < 0) 1891 /* TO- event */ 1892 switch (sp->state[cp->protoidx]) { 1893 case STATE_CLOSING: 1894 (cp->tlf)(sp); 1895 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1896 sppp_lcp_check_and_close(sp); 1897 break; 1898 case STATE_STOPPING: 1899 (cp->tlf)(sp); 1900 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1901 sppp_lcp_check_and_close(sp); 1902 break; 1903 case STATE_REQ_SENT: 1904 case STATE_ACK_RCVD: 1905 case STATE_ACK_SENT: 1906 (cp->tlf)(sp); 1907 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1908 sppp_lcp_check_and_close(sp); 1909 break; 1910 } 1911 else 1912 /* TO+ event */ 1913 switch (sp->state[cp->protoidx]) { 1914 case STATE_CLOSING: 1915 case STATE_STOPPING: 1916 sppp_cp_send(sp, cp->proto, TERM_REQ, 1917 ++sp->pp_seq[cp->protoidx], 0, 0); 1918 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1919 cp->TO, sp); 1920 break; 1921 case STATE_REQ_SENT: 1922 case STATE_ACK_RCVD: 1923 (cp->scr)(sp); 1924 /* sppp_cp_change_state() will restart the timer */ 1925 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1926 break; 1927 case STATE_ACK_SENT: 1928 (cp->scr)(sp); 1929 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1930 cp->TO, sp); 1931 break; 1932 } 1933 1934 splx(s); 1935 } 1936 1937 /* 1938 * Change the state of a control protocol in the state automaton. 1939 * Takes care of starting/stopping the restart timer. 1940 */ 1941 void 1942 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 1943 { 1944 sp->state[cp->protoidx] = newstate; 1945 callout_stop(&sp->ch[cp->protoidx]); 1946 switch (newstate) { 1947 case STATE_INITIAL: 1948 case STATE_STARTING: 1949 case STATE_CLOSED: 1950 case STATE_STOPPED: 1951 case STATE_OPENED: 1952 break; 1953 case STATE_CLOSING: 1954 case STATE_STOPPING: 1955 case STATE_REQ_SENT: 1956 case STATE_ACK_RCVD: 1957 case STATE_ACK_SENT: 1958 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1959 cp->TO, sp); 1960 break; 1961 } 1962 } 1963 1964 /* 1965 *--------------------------------------------------------------------------* 1966 * * 1967 * The LCP implementation. * 1968 * * 1969 *--------------------------------------------------------------------------* 1970 */ 1971 static void 1972 sppp_lcp_init(struct sppp *sp) 1973 { 1974 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 1975 sp->lcp.magic = 0; 1976 sp->state[IDX_LCP] = STATE_INITIAL; 1977 sp->fail_counter[IDX_LCP] = 0; 1978 sp->pp_seq[IDX_LCP] = 0; 1979 sp->pp_rseq[IDX_LCP] = 0; 1980 sp->lcp.protos = 0; 1981 1982 /* 1983 * Initialize counters and timeout values. Note that we don't 1984 * use the 3 seconds suggested in RFC 1661 since we are likely 1985 * running on a fast link. XXX We should probably implement 1986 * the exponential backoff option. Note that these values are 1987 * relevant for all control protocols, not just LCP only. 1988 */ 1989 sp->lcp.timeout = 1 * hz; 1990 sp->lcp.max_terminate = 2; 1991 sp->lcp.max_configure = 10; 1992 sp->lcp.max_failure = 10; 1993 callout_init(&sp->ch[IDX_LCP], 0); 1994 } 1995 1996 static void 1997 sppp_lcp_up(struct sppp *sp) 1998 { 1999 STDDCL; 2000 2001 /* Initialize activity timestamp: opening a connection is an activity */ 2002 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 2003 2004 /* 2005 * If this interface is passive or dial-on-demand, and we are 2006 * still in Initial state, it means we've got an incoming 2007 * call. Activate the interface. 2008 */ 2009 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2010 if (debug) 2011 log(LOG_DEBUG, 2012 "%s: Up event", ifp->if_xname); 2013 ifp->if_flags |= IFF_RUNNING; 2014 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2015 if (debug) 2016 addlog("(incoming call)\n"); 2017 sp->pp_flags |= PP_CALLIN; 2018 lcp.Open(sp); 2019 } else if (debug) 2020 addlog("\n"); 2021 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2022 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2023 ifp->if_flags |= IFF_RUNNING; 2024 lcp.Open(sp); 2025 } 2026 2027 sppp_up_event(&lcp, sp); 2028 } 2029 2030 static void 2031 sppp_lcp_down(struct sppp *sp) 2032 { 2033 STDDCL; 2034 2035 sppp_down_event(&lcp, sp); 2036 2037 /* 2038 * If this is neither a dial-on-demand nor a passive 2039 * interface, simulate an ``ifconfig down'' action, so the 2040 * administrator can force a redial by another ``ifconfig 2041 * up''. XXX For leased line operation, should we immediately 2042 * try to reopen the connection here? 2043 */ 2044 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2045 if (debug) 2046 log(LOG_INFO, 2047 "%s: Down event (carrier loss), taking interface down.\n", 2048 ifp->if_xname); 2049 if_down(ifp); 2050 } else { 2051 if (debug) 2052 log(LOG_DEBUG, 2053 "%s: Down event (carrier loss)\n", 2054 ifp->if_xname); 2055 } 2056 sp->pp_flags &= ~PP_CALLIN; 2057 if (sp->state[IDX_LCP] != STATE_INITIAL) 2058 lcp.Close(sp); 2059 ifp->if_flags &= ~IFF_RUNNING; 2060 } 2061 2062 static void 2063 sppp_lcp_open(struct sppp *sp) 2064 { 2065 if (sp->pp_if.if_mtu < PP_MTU) { 2066 sp->lcp.mru = sp->pp_if.if_mtu; 2067 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2068 } else 2069 sp->lcp.mru = PP_MTU; 2070 sp->lcp.their_mru = PP_MTU; 2071 2072 /* 2073 * If we are authenticator, negotiate LCP_AUTH 2074 */ 2075 if (sp->hisauth.proto != 0) 2076 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2077 else 2078 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2079 sp->pp_flags &= ~PP_NEEDAUTH; 2080 sppp_open_event(&lcp, sp); 2081 } 2082 2083 static void 2084 sppp_lcp_close(struct sppp *sp) 2085 { 2086 sppp_close_event(&lcp, sp); 2087 } 2088 2089 static void 2090 sppp_lcp_TO(void *cookie) 2091 { 2092 sppp_to_event(&lcp, (struct sppp *)cookie); 2093 } 2094 2095 /* 2096 * Analyze a configure request. Return true if it was agreeable, and 2097 * caused action sca, false if it has been rejected or nak'ed, and 2098 * caused action scn. (The return value is used to make the state 2099 * transition decision in the state automaton.) 2100 */ 2101 static int 2102 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2103 { 2104 STDDCL; 2105 u_char *buf, *r, *p; 2106 int origlen, rlen; 2107 uint32_t nmagic; 2108 u_short authproto; 2109 2110 len -= 4; 2111 origlen = len; 2112 buf = r = malloc (len, M_TEMP, M_NOWAIT); 2113 if (! buf) 2114 return (0); 2115 2116 if (debug) 2117 log(LOG_DEBUG, "%s: lcp parse opts:", 2118 ifp->if_xname); 2119 2120 /* pass 1: check for things that need to be rejected */ 2121 p = (void *)(h + 1); 2122 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2123 /* Sanity check option length */ 2124 if (p[1] > len) { 2125 /* 2126 * Malicious option - drop immediately. 2127 * XXX Maybe we should just RXJ it? 2128 */ 2129 addlog("%s: received malicious LCP option 0x%02x, " 2130 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2131 p[0], p[1], len); 2132 goto drop; 2133 } 2134 if (debug) 2135 addlog(" %s", sppp_lcp_opt_name(*p)); 2136 switch (*p) { 2137 case LCP_OPT_MAGIC: 2138 /* Magic number. */ 2139 /* fall through, both are same length */ 2140 case LCP_OPT_ASYNC_MAP: 2141 /* Async control character map. */ 2142 if (len >= 6 || p[1] == 6) 2143 continue; 2144 if (debug) 2145 addlog(" [invalid]"); 2146 break; 2147 case LCP_OPT_MRU: 2148 /* Maximum receive unit. */ 2149 if (len >= 4 && p[1] == 4) 2150 continue; 2151 if (debug) 2152 addlog(" [invalid]"); 2153 break; 2154 case LCP_OPT_AUTH_PROTO: 2155 if (len < 4) { 2156 if (debug) 2157 addlog(" [invalid]"); 2158 break; 2159 } 2160 authproto = (p[2] << 8) + p[3]; 2161 if (authproto == PPP_CHAP && p[1] != 5) { 2162 if (debug) 2163 addlog(" [invalid chap len]"); 2164 break; 2165 } 2166 if (sp->myauth.proto == 0) { 2167 /* we are not configured to do auth */ 2168 if (debug) 2169 addlog(" [not configured]"); 2170 break; 2171 } 2172 /* 2173 * Remote want us to authenticate, remember this, 2174 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2175 * up. 2176 */ 2177 sp->pp_flags |= PP_NEEDAUTH; 2178 continue; 2179 default: 2180 /* Others not supported. */ 2181 if (debug) 2182 addlog(" [rej]"); 2183 break; 2184 } 2185 /* Add the option to rejected list. */ 2186 bcopy (p, r, p[1]); 2187 r += p[1]; 2188 rlen += p[1]; 2189 } 2190 if (rlen) { 2191 if (debug) 2192 addlog(" send conf-rej\n"); 2193 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2194 goto end; 2195 } else if (debug) 2196 addlog("\n"); 2197 2198 /* 2199 * pass 2: check for option values that are unacceptable and 2200 * thus require to be nak'ed. 2201 */ 2202 if (debug) 2203 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2204 ifp->if_xname); 2205 2206 p = (void *)(h + 1); 2207 len = origlen; 2208 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2209 if (debug) 2210 addlog(" %s", sppp_lcp_opt_name(*p)); 2211 switch (*p) { 2212 case LCP_OPT_MAGIC: 2213 /* Magic number -- extract. */ 2214 nmagic = (uint32_t)p[2] << 24 | 2215 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2216 if (nmagic != sp->lcp.magic) { 2217 if (debug) 2218 addlog(" 0x%x", nmagic); 2219 continue; 2220 } 2221 /* 2222 * Local and remote magics equal -- loopback? 2223 */ 2224 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2225 printf ("%s: loopback\n", 2226 ifp->if_xname); 2227 sp->pp_loopcnt = 0; 2228 if (ifp->if_flags & IFF_UP) { 2229 if_down(ifp); 2230 IF_PURGE(&sp->pp_cpq); 2231 /* XXX ? */ 2232 lcp.Down(sp); 2233 lcp.Up(sp); 2234 } 2235 } else if (debug) 2236 addlog(" [glitch]"); 2237 ++sp->pp_loopcnt; 2238 /* 2239 * We negate our magic here, and NAK it. If 2240 * we see it later in an NAK packet, we 2241 * suggest a new one. 2242 */ 2243 nmagic = ~sp->lcp.magic; 2244 /* Gonna NAK it. */ 2245 p[2] = nmagic >> 24; 2246 p[3] = nmagic >> 16; 2247 p[4] = nmagic >> 8; 2248 p[5] = nmagic; 2249 break; 2250 2251 case LCP_OPT_ASYNC_MAP: 2252 /* 2253 * Async control character map -- just ignore it. 2254 * 2255 * Quote from RFC 1662, chapter 6: 2256 * To enable this functionality, synchronous PPP 2257 * implementations MUST always respond to the 2258 * Async-Control-Character-Map Configuration 2259 * Option with the LCP Configure-Ack. However, 2260 * acceptance of the Configuration Option does 2261 * not imply that the synchronous implementation 2262 * will do any ACCM mapping. Instead, all such 2263 * octet mapping will be performed by the 2264 * asynchronous-to-synchronous converter. 2265 */ 2266 continue; 2267 2268 case LCP_OPT_MRU: 2269 /* 2270 * Maximum receive unit. Always agreeable, 2271 * but ignored by now. 2272 */ 2273 sp->lcp.their_mru = p[2] * 256 + p[3]; 2274 if (debug) 2275 addlog(" %ld", sp->lcp.their_mru); 2276 continue; 2277 2278 case LCP_OPT_AUTH_PROTO: 2279 authproto = (p[2] << 8) + p[3]; 2280 if (sp->myauth.proto != authproto) { 2281 /* not agreed, nak */ 2282 if (debug) 2283 addlog(" [mine %s != his %s]", 2284 sppp_proto_name(sp->myauth.proto), 2285 sppp_proto_name(authproto)); 2286 p[2] = sp->myauth.proto >> 8; 2287 p[3] = sp->myauth.proto; 2288 break; 2289 } 2290 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2291 if (debug) 2292 addlog(" [chap not MD5]"); 2293 p[4] = CHAP_MD5; 2294 break; 2295 } 2296 continue; 2297 } 2298 /* Add the option to nak'ed list. */ 2299 bcopy (p, r, p[1]); 2300 r += p[1]; 2301 rlen += p[1]; 2302 } 2303 if (rlen) { 2304 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2305 if (debug) 2306 addlog(" max_failure (%d) exceeded, " 2307 "send conf-rej\n", 2308 sp->lcp.max_failure); 2309 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2310 } else { 2311 if (debug) 2312 addlog(" send conf-nak\n"); 2313 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2314 } 2315 goto end; 2316 } else { 2317 if (debug) 2318 addlog(" send conf-ack\n"); 2319 sp->fail_counter[IDX_LCP] = 0; 2320 sp->pp_loopcnt = 0; 2321 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1); 2322 } 2323 2324 end: 2325 free(buf, M_TEMP); 2326 return (rlen == 0); 2327 2328 drop: 2329 free(buf, M_TEMP); 2330 return -1; 2331 } 2332 2333 /* 2334 * Analyze the LCP Configure-Reject option list, and adjust our 2335 * negotiation. 2336 */ 2337 static void 2338 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2339 { 2340 STDDCL; 2341 u_char *buf, *p; 2342 2343 len -= 4; 2344 buf = malloc (len, M_TEMP, M_NOWAIT); 2345 if (!buf) 2346 return; 2347 2348 if (debug) 2349 log(LOG_DEBUG, "%s: lcp rej opts:", 2350 ifp->if_xname); 2351 2352 p = (void *)(h + 1); 2353 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2354 /* Sanity check option length */ 2355 if (p[1] > len) { 2356 /* 2357 * Malicious option - drop immediately. 2358 * XXX Maybe we should just RXJ it? 2359 */ 2360 addlog("%s: received malicious LCP option, " 2361 "dropping.\n", ifp->if_xname); 2362 goto drop; 2363 } 2364 if (debug) 2365 addlog(" %s", sppp_lcp_opt_name(*p)); 2366 switch (*p) { 2367 case LCP_OPT_MAGIC: 2368 /* Magic number -- can't use it, use 0 */ 2369 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2370 sp->lcp.magic = 0; 2371 break; 2372 case LCP_OPT_MRU: 2373 /* 2374 * We try to negotiate a lower MRU if the underlying 2375 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 2376 * peer rejects this lower rate, fallback to the 2377 * default. 2378 */ 2379 if (debug) { 2380 addlog("%s: warning: peer rejected our MRU of " 2381 "%ld bytes. Defaulting to %d bytes\n", 2382 ifp->if_xname, sp->lcp.mru, PP_MTU); 2383 } 2384 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2385 sp->lcp.mru = PP_MTU; 2386 break; 2387 case LCP_OPT_AUTH_PROTO: 2388 /* 2389 * Peer doesn't want to authenticate himself, 2390 * deny unless this is a dialout call, and 2391 * SPPP_AUTHFLAG_NOCALLOUT is set. 2392 */ 2393 if ((sp->pp_flags & PP_CALLIN) == 0 && 2394 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 2395 if (debug) 2396 addlog(" [don't insist on auth " 2397 "for callout]"); 2398 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2399 break; 2400 } 2401 if (debug) 2402 addlog("[access denied]\n"); 2403 lcp.Close(sp); 2404 break; 2405 } 2406 } 2407 if (debug) 2408 addlog("\n"); 2409 drop: 2410 free(buf, M_TEMP); 2411 return; 2412 } 2413 2414 /* 2415 * Analyze the LCP Configure-NAK option list, and adjust our 2416 * negotiation. 2417 */ 2418 static void 2419 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2420 { 2421 STDDCL; 2422 u_char *buf, *p; 2423 uint32_t magic; 2424 2425 len -= 4; 2426 buf = malloc (len, M_TEMP, M_NOWAIT); 2427 if (!buf) 2428 return; 2429 2430 if (debug) 2431 log(LOG_DEBUG, "%s: lcp nak opts:", 2432 ifp->if_xname); 2433 2434 p = (void *)(h + 1); 2435 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2436 /* Sanity check option length */ 2437 if (p[1] > len) { 2438 /* 2439 * Malicious option - drop immediately. 2440 * XXX Maybe we should just RXJ it? 2441 */ 2442 addlog("%s: received malicious LCP option, " 2443 "dropping.\n", ifp->if_xname); 2444 goto drop; 2445 } 2446 if (debug) 2447 addlog(" %s", sppp_lcp_opt_name(*p)); 2448 switch (*p) { 2449 case LCP_OPT_MAGIC: 2450 /* Magic number -- renegotiate */ 2451 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2452 len >= 6 && p[1] == 6) { 2453 magic = (uint32_t)p[2] << 24 | 2454 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2455 /* 2456 * If the remote magic is our negated one, 2457 * this looks like a loopback problem. 2458 * Suggest a new magic to make sure. 2459 */ 2460 if (magic == ~sp->lcp.magic) { 2461 if (debug) 2462 addlog(" magic glitch"); 2463 sp->lcp.magic = cprng_fast32(); 2464 } else { 2465 sp->lcp.magic = magic; 2466 if (debug) 2467 addlog(" %d", magic); 2468 } 2469 } 2470 break; 2471 case LCP_OPT_MRU: 2472 /* 2473 * Peer wants to advise us to negotiate an MRU. 2474 * Agree on it if it's reasonable, or use 2475 * default otherwise. 2476 */ 2477 if (len >= 4 && p[1] == 4) { 2478 u_int mru = p[2] * 256 + p[3]; 2479 if (debug) 2480 addlog(" %d", mru); 2481 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 2482 mru = sp->pp_if.if_mtu; 2483 sp->lcp.mru = mru; 2484 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2485 } 2486 break; 2487 case LCP_OPT_AUTH_PROTO: 2488 /* 2489 * Peer doesn't like our authentication method, 2490 * deny. 2491 */ 2492 if (debug) 2493 addlog("[access denied]\n"); 2494 lcp.Close(sp); 2495 break; 2496 } 2497 } 2498 if (debug) 2499 addlog("\n"); 2500 drop: 2501 free(buf, M_TEMP); 2502 return; 2503 } 2504 2505 static void 2506 sppp_lcp_tlu(struct sppp *sp) 2507 { 2508 STDDCL; 2509 int i; 2510 uint32_t mask; 2511 2512 /* XXX ? */ 2513 if (! (ifp->if_flags & IFF_UP) && 2514 (ifp->if_flags & IFF_RUNNING)) { 2515 /* Coming out of loopback mode. */ 2516 if_up(ifp); 2517 } 2518 2519 for (i = 0; i < IDX_COUNT; i++) 2520 if ((cps[i])->flags & CP_QUAL) 2521 (cps[i])->Open(sp); 2522 2523 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2524 (sp->pp_flags & PP_NEEDAUTH) != 0) 2525 sp->pp_phase = SPPP_PHASE_AUTHENTICATE; 2526 else 2527 sp->pp_phase = SPPP_PHASE_NETWORK; 2528 2529 if (debug) 2530 { 2531 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2532 sppp_phase_name(sp->pp_phase)); 2533 } 2534 2535 /* 2536 * Open all authentication protocols. This is even required 2537 * if we already proceeded to network phase, since it might be 2538 * that remote wants us to authenticate, so we might have to 2539 * send a PAP request. Undesired authentication protocols 2540 * don't do anything when they get an Open event. 2541 */ 2542 for (i = 0; i < IDX_COUNT; i++) 2543 if ((cps[i])->flags & CP_AUTH) 2544 (cps[i])->Open(sp); 2545 2546 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 2547 /* Notify all NCPs. */ 2548 for (i = 0; i < IDX_COUNT; i++) 2549 if ((cps[i])->flags & CP_NCP) 2550 (cps[i])->Open(sp); 2551 } 2552 2553 /* Send Up events to all started protos. */ 2554 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2555 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) 2556 (cps[i])->Up(sp); 2557 2558 /* notify low-level driver of state change */ 2559 if (sp->pp_chg) 2560 sp->pp_chg(sp, (int)sp->pp_phase); 2561 2562 if (sp->pp_phase == SPPP_PHASE_NETWORK) 2563 /* if no NCP is starting, close down */ 2564 sppp_lcp_check_and_close(sp); 2565 } 2566 2567 static void 2568 sppp_lcp_tld(struct sppp *sp) 2569 { 2570 STDDCL; 2571 int i; 2572 uint32_t mask; 2573 2574 sp->pp_phase = SPPP_PHASE_TERMINATE; 2575 2576 if (debug) 2577 { 2578 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2579 sppp_phase_name(sp->pp_phase)); 2580 } 2581 2582 /* 2583 * Take upper layers down. We send the Down event first and 2584 * the Close second to prevent the upper layers from sending 2585 * ``a flurry of terminate-request packets'', as the RFC 2586 * describes it. 2587 */ 2588 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2589 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2590 (cps[i])->Down(sp); 2591 (cps[i])->Close(sp); 2592 } 2593 } 2594 2595 static void 2596 sppp_lcp_tls(struct sppp *sp) 2597 { 2598 STDDCL; 2599 2600 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 2601 printf("%s: authentication failed %d times, not retrying again\n", 2602 sp->pp_if.if_xname, sp->pp_auth_failures); 2603 if_down(&sp->pp_if); 2604 return; 2605 } 2606 2607 sp->pp_phase = SPPP_PHASE_ESTABLISH; 2608 2609 if (debug) 2610 { 2611 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2612 sppp_phase_name(sp->pp_phase)); 2613 } 2614 2615 /* Notify lower layer if desired. */ 2616 if (sp->pp_tls) 2617 (sp->pp_tls)(sp); 2618 } 2619 2620 static void 2621 sppp_lcp_tlf(struct sppp *sp) 2622 { 2623 STDDCL; 2624 2625 sp->pp_phase = SPPP_PHASE_DEAD; 2626 2627 if (debug) 2628 { 2629 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2630 sppp_phase_name(sp->pp_phase)); 2631 } 2632 2633 /* Notify lower layer if desired. */ 2634 if (sp->pp_tlf) 2635 (sp->pp_tlf)(sp); 2636 } 2637 2638 static void 2639 sppp_lcp_scr(struct sppp *sp) 2640 { 2641 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2642 int i = 0; 2643 u_short authproto; 2644 2645 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2646 if (! sp->lcp.magic) 2647 sp->lcp.magic = cprng_fast32(); 2648 opt[i++] = LCP_OPT_MAGIC; 2649 opt[i++] = 6; 2650 opt[i++] = sp->lcp.magic >> 24; 2651 opt[i++] = sp->lcp.magic >> 16; 2652 opt[i++] = sp->lcp.magic >> 8; 2653 opt[i++] = sp->lcp.magic; 2654 } 2655 2656 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2657 opt[i++] = LCP_OPT_MRU; 2658 opt[i++] = 4; 2659 opt[i++] = sp->lcp.mru >> 8; 2660 opt[i++] = sp->lcp.mru; 2661 } 2662 2663 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2664 authproto = sp->hisauth.proto; 2665 opt[i++] = LCP_OPT_AUTH_PROTO; 2666 opt[i++] = authproto == PPP_CHAP? 5: 4; 2667 opt[i++] = authproto >> 8; 2668 opt[i++] = authproto; 2669 if (authproto == PPP_CHAP) 2670 opt[i++] = CHAP_MD5; 2671 } 2672 2673 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2674 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2675 } 2676 2677 /* 2678 * Check the open NCPs, return true if at least one NCP is open. 2679 */ 2680 static int 2681 sppp_ncp_check(struct sppp *sp) 2682 { 2683 int i, mask; 2684 2685 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2686 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2687 return 1; 2688 return 0; 2689 } 2690 2691 /* 2692 * Re-check the open NCPs and see if we should terminate the link. 2693 * Called by the NCPs during their tlf action handling. 2694 */ 2695 static void 2696 sppp_lcp_check_and_close(struct sppp *sp) 2697 { 2698 2699 if (sp->pp_phase < SPPP_PHASE_NETWORK) 2700 /* don't bother, we are already going down */ 2701 return; 2702 2703 if (sppp_ncp_check(sp)) 2704 return; 2705 2706 lcp.Close(sp); 2707 } 2708 2709 2710 /* 2711 *--------------------------------------------------------------------------* 2712 * * 2713 * The IPCP implementation. * 2714 * * 2715 *--------------------------------------------------------------------------* 2716 */ 2717 2718 static void 2719 sppp_ipcp_init(struct sppp *sp) 2720 { 2721 sp->ipcp.opts = 0; 2722 sp->ipcp.flags = 0; 2723 sp->state[IDX_IPCP] = STATE_INITIAL; 2724 sp->fail_counter[IDX_IPCP] = 0; 2725 sp->pp_seq[IDX_IPCP] = 0; 2726 sp->pp_rseq[IDX_IPCP] = 0; 2727 callout_init(&sp->ch[IDX_IPCP], 0); 2728 } 2729 2730 static void 2731 sppp_ipcp_up(struct sppp *sp) 2732 { 2733 sppp_up_event(&ipcp, sp); 2734 } 2735 2736 static void 2737 sppp_ipcp_down(struct sppp *sp) 2738 { 2739 sppp_down_event(&ipcp, sp); 2740 } 2741 2742 static void 2743 sppp_ipcp_open(struct sppp *sp) 2744 { 2745 STDDCL; 2746 uint32_t myaddr, hisaddr; 2747 2748 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 2749 sp->ipcp.req_myaddr = 0; 2750 sp->ipcp.req_hisaddr = 0; 2751 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 2752 2753 #ifdef INET 2754 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 2755 #else 2756 myaddr = hisaddr = 0; 2757 #endif 2758 /* 2759 * If we don't have his address, this probably means our 2760 * interface doesn't want to talk IP at all. (This could 2761 * be the case if somebody wants to speak only IPX, for 2762 * example.) Don't open IPCP in this case. 2763 */ 2764 if (hisaddr == 0) { 2765 /* XXX this message should go away */ 2766 if (debug) 2767 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 2768 ifp->if_xname); 2769 return; 2770 } 2771 2772 if (myaddr == 0) { 2773 /* 2774 * I don't have an assigned address, so i need to 2775 * negotiate my address. 2776 */ 2777 sp->ipcp.flags |= IPCP_MYADDR_DYN; 2778 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 2779 } 2780 if (hisaddr == 1) { 2781 /* 2782 * XXX - remove this hack! 2783 * remote has no valid address, we need to get one assigned. 2784 */ 2785 sp->ipcp.flags |= IPCP_HISADDR_DYN; 2786 } 2787 sppp_open_event(&ipcp, sp); 2788 } 2789 2790 static void 2791 sppp_ipcp_close(struct sppp *sp) 2792 { 2793 STDDCL; 2794 2795 sppp_close_event(&ipcp, sp); 2796 #ifdef INET 2797 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) 2798 /* 2799 * Some address was dynamic, clear it again. 2800 */ 2801 sppp_clear_ip_addrs(sp); 2802 #endif 2803 2804 if (sp->pp_saved_mtu > 0) { 2805 ifp->if_mtu = sp->pp_saved_mtu; 2806 sp->pp_saved_mtu = 0; 2807 if (debug) 2808 log(LOG_DEBUG, 2809 "%s: resetting MTU to %" PRIu64 " bytes\n", 2810 ifp->if_xname, ifp->if_mtu); 2811 } 2812 } 2813 2814 static void 2815 sppp_ipcp_TO(void *cookie) 2816 { 2817 sppp_to_event(&ipcp, (struct sppp *)cookie); 2818 } 2819 2820 /* 2821 * Analyze a configure request. Return true if it was agreeable, and 2822 * caused action sca, false if it has been rejected or nak'ed, and 2823 * caused action scn. (The return value is used to make the state 2824 * transition decision in the state automaton.) 2825 */ 2826 static int 2827 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2828 { 2829 u_char *buf, *r, *p; 2830 struct ifnet *ifp = &sp->pp_if; 2831 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 2832 uint32_t hisaddr, desiredaddr; 2833 2834 len -= 4; 2835 origlen = len; 2836 /* 2837 * Make sure to allocate a buf that can at least hold a 2838 * conf-nak with an `address' option. We might need it below. 2839 */ 2840 buf = r = malloc ((len < 6? 6: len), M_TEMP, M_NOWAIT); 2841 if (! buf) 2842 return (0); 2843 2844 /* pass 1: see if we can recognize them */ 2845 if (debug) 2846 log(LOG_DEBUG, "%s: ipcp parse opts:", 2847 ifp->if_xname); 2848 p = (void *)(h + 1); 2849 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2850 /* Sanity check option length */ 2851 if (p[1] > len) { 2852 /* XXX should we just RXJ? */ 2853 addlog("%s: malicious IPCP option received, dropping\n", 2854 ifp->if_xname); 2855 goto drop; 2856 } 2857 if (debug) 2858 addlog(" %s", sppp_ipcp_opt_name(*p)); 2859 switch (*p) { 2860 #ifdef notyet 2861 case IPCP_OPT_COMPRESSION: 2862 if (len >= 6 && p[1] >= 6) { 2863 /* correctly formed compress option */ 2864 continue; 2865 } 2866 if (debug) 2867 addlog(" [invalid]"); 2868 break; 2869 #endif 2870 case IPCP_OPT_ADDRESS: 2871 if (len >= 6 && p[1] == 6) { 2872 /* correctly formed address option */ 2873 continue; 2874 } 2875 if (debug) 2876 addlog(" [invalid]"); 2877 break; 2878 default: 2879 /* Others not supported. */ 2880 if (debug) 2881 addlog(" [rej]"); 2882 break; 2883 } 2884 /* Add the option to rejected list. */ 2885 bcopy (p, r, p[1]); 2886 r += p[1]; 2887 rlen += p[1]; 2888 } 2889 if (rlen) { 2890 if (debug) 2891 addlog(" send conf-rej\n"); 2892 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 2893 goto end; 2894 } else if (debug) 2895 addlog("\n"); 2896 2897 /* pass 2: parse option values */ 2898 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 2899 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 2900 else 2901 #ifdef INET 2902 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 2903 #else 2904 hisaddr = 0; 2905 #endif 2906 if (debug) 2907 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 2908 ifp->if_xname); 2909 p = (void *)(h + 1); 2910 len = origlen; 2911 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2912 if (debug) 2913 addlog(" %s", sppp_ipcp_opt_name(*p)); 2914 switch (*p) { 2915 #ifdef notyet 2916 case IPCP_OPT_COMPRESSION: 2917 continue; 2918 #endif 2919 case IPCP_OPT_ADDRESS: 2920 desiredaddr = p[2] << 24 | p[3] << 16 | 2921 p[4] << 8 | p[5]; 2922 if (desiredaddr == hisaddr || 2923 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 2924 /* 2925 * Peer's address is same as our value, 2926 * this is agreeable. Gonna conf-ack 2927 * it. 2928 */ 2929 if (debug) 2930 addlog(" %s [ack]", 2931 sppp_dotted_quad(hisaddr)); 2932 /* record that we've seen it already */ 2933 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 2934 sp->ipcp.req_hisaddr = desiredaddr; 2935 hisaddr = desiredaddr; 2936 continue; 2937 } 2938 /* 2939 * The address wasn't agreeable. This is either 2940 * he sent us 0.0.0.0, asking to assign him an 2941 * address, or he send us another address not 2942 * matching our value. Either case, we gonna 2943 * conf-nak it with our value. 2944 */ 2945 if (debug) { 2946 if (desiredaddr == 0) 2947 addlog(" [addr requested]"); 2948 else 2949 addlog(" %s [not agreed]", 2950 sppp_dotted_quad(desiredaddr)); 2951 } 2952 2953 p[2] = hisaddr >> 24; 2954 p[3] = hisaddr >> 16; 2955 p[4] = hisaddr >> 8; 2956 p[5] = hisaddr; 2957 break; 2958 } 2959 /* Add the option to nak'ed list. */ 2960 bcopy (p, r, p[1]); 2961 r += p[1]; 2962 rlen += p[1]; 2963 } 2964 2965 /* 2966 * If we are about to conf-ack the request, but haven't seen 2967 * his address so far, gonna conf-nak it instead, with the 2968 * `address' option present and our idea of his address being 2969 * filled in there, to request negotiation of both addresses. 2970 * 2971 * XXX This can result in an endless req - nak loop if peer 2972 * doesn't want to send us his address. Q: What should we do 2973 * about it? XXX A: implement the max-failure counter. 2974 */ 2975 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) { 2976 buf[0] = IPCP_OPT_ADDRESS; 2977 buf[1] = 6; 2978 buf[2] = hisaddr >> 24; 2979 buf[3] = hisaddr >> 16; 2980 buf[4] = hisaddr >> 8; 2981 buf[5] = hisaddr; 2982 rlen = 6; 2983 if (debug) 2984 addlog(" still need hisaddr"); 2985 } 2986 2987 if (rlen) { 2988 if (debug) 2989 addlog(" send conf-nak\n"); 2990 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 2991 } else { 2992 if (debug) 2993 addlog(" send conf-ack\n"); 2994 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1); 2995 } 2996 2997 end: 2998 free(buf, M_TEMP); 2999 return (rlen == 0); 3000 3001 drop: 3002 free(buf, M_TEMP); 3003 return -1; 3004 } 3005 3006 /* 3007 * Analyze the IPCP Configure-Reject option list, and adjust our 3008 * negotiation. 3009 */ 3010 static void 3011 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3012 { 3013 u_char *buf, *p; 3014 struct ifnet *ifp = &sp->pp_if; 3015 int debug = ifp->if_flags & IFF_DEBUG; 3016 3017 len -= 4; 3018 buf = malloc (len, M_TEMP, M_NOWAIT); 3019 if (!buf) 3020 return; 3021 3022 if (debug) 3023 log(LOG_DEBUG, "%s: ipcp rej opts:", 3024 ifp->if_xname); 3025 3026 p = (void *)(h + 1); 3027 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3028 /* Sanity check option length */ 3029 if (p[1] > len) { 3030 /* XXX should we just RXJ? */ 3031 addlog("%s: malicious IPCP option received, dropping\n", 3032 ifp->if_xname); 3033 goto drop; 3034 } 3035 if (debug) 3036 addlog(" %s", sppp_ipcp_opt_name(*p)); 3037 switch (*p) { 3038 case IPCP_OPT_ADDRESS: 3039 /* 3040 * Peer doesn't grok address option. This is 3041 * bad. XXX Should we better give up here? 3042 */ 3043 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3044 break; 3045 #ifdef notyet 3046 case IPCP_OPT_COMPRESS: 3047 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS); 3048 break; 3049 #endif 3050 } 3051 } 3052 if (debug) 3053 addlog("\n"); 3054 drop: 3055 free(buf, M_TEMP); 3056 return; 3057 } 3058 3059 /* 3060 * Analyze the IPCP Configure-NAK option list, and adjust our 3061 * negotiation. 3062 */ 3063 static void 3064 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3065 { 3066 u_char *p; 3067 struct ifnet *ifp = &sp->pp_if; 3068 int debug = ifp->if_flags & IFF_DEBUG; 3069 uint32_t wantaddr; 3070 3071 len -= 4; 3072 3073 if (debug) 3074 log(LOG_DEBUG, "%s: ipcp nak opts:", 3075 ifp->if_xname); 3076 3077 p = (void *)(h + 1); 3078 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3079 /* Sanity check option length */ 3080 if (p[1] > len) { 3081 /* XXX should we just RXJ? */ 3082 addlog("%s: malicious IPCP option received, dropping\n", 3083 ifp->if_xname); 3084 return; 3085 } 3086 if (debug) 3087 addlog(" %s", sppp_ipcp_opt_name(*p)); 3088 switch (*p) { 3089 case IPCP_OPT_ADDRESS: 3090 /* 3091 * Peer doesn't like our local IP address. See 3092 * if we can do something for him. We'll drop 3093 * him our address then. 3094 */ 3095 if (len >= 6 && p[1] == 6) { 3096 wantaddr = p[2] << 24 | p[3] << 16 | 3097 p[4] << 8 | p[5]; 3098 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3099 if (debug) 3100 addlog(" [wantaddr %s]", 3101 sppp_dotted_quad(wantaddr)); 3102 /* 3103 * When doing dynamic address assignment, 3104 * we accept his offer. Otherwise, we 3105 * ignore it and thus continue to negotiate 3106 * our already existing value. 3107 */ 3108 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3109 if (debug) 3110 addlog(" [agree]"); 3111 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3112 sp->ipcp.req_myaddr = wantaddr; 3113 } 3114 } 3115 break; 3116 3117 case IPCP_OPT_PRIMDNS: 3118 if (len >= 6 && p[1] == 6) { 3119 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 3120 p[4] << 8 | p[5]; 3121 } 3122 break; 3123 3124 case IPCP_OPT_SECDNS: 3125 if (len >= 6 && p[1] == 6) { 3126 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 3127 p[4] << 8 | p[5]; 3128 } 3129 break; 3130 #ifdef notyet 3131 case IPCP_OPT_COMPRESS: 3132 /* 3133 * Peer wants different compression parameters. 3134 */ 3135 break; 3136 #endif 3137 } 3138 } 3139 if (debug) 3140 addlog("\n"); 3141 } 3142 3143 static void 3144 sppp_ipcp_tlu(struct sppp *sp) 3145 { 3146 #ifdef INET 3147 /* we are up. Set addresses and notify anyone interested */ 3148 STDDCL; 3149 uint32_t myaddr, hisaddr; 3150 3151 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3152 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 3153 myaddr = sp->ipcp.req_myaddr; 3154 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 3155 hisaddr = sp->ipcp.req_hisaddr; 3156 sppp_set_ip_addrs(sp, myaddr, hisaddr); 3157 3158 if (ifp->if_mtu > sp->lcp.their_mru) { 3159 sp->pp_saved_mtu = ifp->if_mtu; 3160 ifp->if_mtu = sp->lcp.their_mru; 3161 if (debug) 3162 log(LOG_DEBUG, 3163 "%s: setting MTU to %" PRIu64 " bytes\n", 3164 ifp->if_xname, ifp->if_mtu); 3165 } 3166 3167 if (sp->pp_con) 3168 sp->pp_con(sp); 3169 #endif 3170 } 3171 3172 static void 3173 sppp_ipcp_tld(struct sppp *sp) 3174 { 3175 } 3176 3177 static void 3178 sppp_ipcp_tls(struct sppp *sp) 3179 { 3180 /* indicate to LCP that it must stay alive */ 3181 sp->lcp.protos |= (1 << IDX_IPCP); 3182 } 3183 3184 static void 3185 sppp_ipcp_tlf(struct sppp *sp) 3186 { 3187 /* we no longer need LCP */ 3188 sp->lcp.protos &= ~(1 << IDX_IPCP); 3189 } 3190 3191 static void 3192 sppp_ipcp_scr(struct sppp *sp) 3193 { 3194 char opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 3195 #ifdef INET 3196 uint32_t ouraddr; 3197 #endif 3198 int i = 0; 3199 3200 #ifdef notyet 3201 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3202 opt[i++] = IPCP_OPT_COMPRESSION; 3203 opt[i++] = 6; 3204 opt[i++] = 0; /* VJ header compression */ 3205 opt[i++] = 0x2d; /* VJ header compression */ 3206 opt[i++] = max_slot_id; 3207 opt[i++] = comp_slot_id; 3208 } 3209 #endif 3210 3211 #ifdef INET 3212 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3213 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) 3214 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 3215 else 3216 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3217 opt[i++] = IPCP_OPT_ADDRESS; 3218 opt[i++] = 6; 3219 opt[i++] = ouraddr >> 24; 3220 opt[i++] = ouraddr >> 16; 3221 opt[i++] = ouraddr >> 8; 3222 opt[i++] = ouraddr; 3223 } 3224 #endif 3225 3226 if (sp->query_dns & 1) { 3227 opt[i++] = IPCP_OPT_PRIMDNS; 3228 opt[i++] = 6; 3229 opt[i++] = sp->dns_addrs[0] >> 24; 3230 opt[i++] = sp->dns_addrs[0] >> 16; 3231 opt[i++] = sp->dns_addrs[0] >> 8; 3232 opt[i++] = sp->dns_addrs[0]; 3233 } 3234 if (sp->query_dns & 2) { 3235 opt[i++] = IPCP_OPT_SECDNS; 3236 opt[i++] = 6; 3237 opt[i++] = sp->dns_addrs[1] >> 24; 3238 opt[i++] = sp->dns_addrs[1] >> 16; 3239 opt[i++] = sp->dns_addrs[1] >> 8; 3240 opt[i++] = sp->dns_addrs[1]; 3241 } 3242 3243 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3244 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3245 } 3246 3247 3248 /* 3249 *--------------------------------------------------------------------------* 3250 * * 3251 * The IPv6CP implementation. * 3252 * * 3253 *--------------------------------------------------------------------------* 3254 */ 3255 3256 #ifdef INET6 3257 static void 3258 sppp_ipv6cp_init(struct sppp *sp) 3259 { 3260 sp->ipv6cp.opts = 0; 3261 sp->ipv6cp.flags = 0; 3262 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3263 sp->fail_counter[IDX_IPV6CP] = 0; 3264 sp->pp_seq[IDX_IPV6CP] = 0; 3265 sp->pp_rseq[IDX_IPV6CP] = 0; 3266 callout_init(&sp->ch[IDX_IPV6CP], 0); 3267 } 3268 3269 static void 3270 sppp_ipv6cp_up(struct sppp *sp) 3271 { 3272 sppp_up_event(&ipv6cp, sp); 3273 } 3274 3275 static void 3276 sppp_ipv6cp_down(struct sppp *sp) 3277 { 3278 sppp_down_event(&ipv6cp, sp); 3279 } 3280 3281 static void 3282 sppp_ipv6cp_open(struct sppp *sp) 3283 { 3284 STDDCL; 3285 struct in6_addr myaddr, hisaddr; 3286 3287 #ifdef IPV6CP_MYIFID_DYN 3288 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3289 #else 3290 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3291 #endif 3292 3293 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3294 /* 3295 * If we don't have our address, this probably means our 3296 * interface doesn't want to talk IPv6 at all. (This could 3297 * be the case if somebody wants to speak only IPX, for 3298 * example.) Don't open IPv6CP in this case. 3299 */ 3300 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3301 /* XXX this message should go away */ 3302 if (debug) 3303 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 3304 ifp->if_xname); 3305 return; 3306 } 3307 3308 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3309 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3310 sppp_open_event(&ipv6cp, sp); 3311 } 3312 3313 static void 3314 sppp_ipv6cp_close(struct sppp *sp) 3315 { 3316 sppp_close_event(&ipv6cp, sp); 3317 } 3318 3319 static void 3320 sppp_ipv6cp_TO(void *cookie) 3321 { 3322 sppp_to_event(&ipv6cp, (struct sppp *)cookie); 3323 } 3324 3325 /* 3326 * Analyze a configure request. Return true if it was agreeable, and 3327 * caused action sca, false if it has been rejected or nak'ed, and 3328 * caused action scn. (The return value is used to make the state 3329 * transition decision in the state automaton.) 3330 */ 3331 static int 3332 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3333 { 3334 u_char *buf, *r, *p; 3335 struct ifnet *ifp = &sp->pp_if; 3336 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3337 struct in6_addr myaddr, desiredaddr, suggestaddr; 3338 int ifidcount; 3339 int type; 3340 int collision, nohisaddr; 3341 3342 len -= 4; 3343 origlen = len; 3344 /* 3345 * Make sure to allocate a buf that can at least hold a 3346 * conf-nak with an `address' option. We might need it below. 3347 */ 3348 buf = r = malloc ((len < 6? 6: len), M_TEMP, M_NOWAIT); 3349 if (! buf) 3350 return (0); 3351 3352 /* pass 1: see if we can recognize them */ 3353 if (debug) 3354 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 3355 ifp->if_xname); 3356 p = (void *)(h + 1); 3357 ifidcount = 0; 3358 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3359 /* Sanity check option length */ 3360 if (p[1] > len) { 3361 /* XXX just RXJ? */ 3362 addlog("%s: received malicious IPCPv6 option, " 3363 "dropping\n", ifp->if_xname); 3364 goto drop; 3365 } 3366 if (debug) 3367 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3368 switch (*p) { 3369 case IPV6CP_OPT_IFID: 3370 if (len >= 10 && p[1] == 10 && ifidcount == 0) { 3371 /* correctly formed address option */ 3372 ifidcount++; 3373 continue; 3374 } 3375 if (debug) 3376 addlog(" [invalid]"); 3377 break; 3378 #ifdef notyet 3379 case IPV6CP_OPT_COMPRESSION: 3380 if (len >= 4 && p[1] >= 4) { 3381 /* correctly formed compress option */ 3382 continue; 3383 } 3384 if (debug) 3385 addlog(" [invalid]"); 3386 break; 3387 #endif 3388 default: 3389 /* Others not supported. */ 3390 if (debug) 3391 addlog(" [rej]"); 3392 break; 3393 } 3394 /* Add the option to rejected list. */ 3395 bcopy (p, r, p[1]); 3396 r += p[1]; 3397 rlen += p[1]; 3398 } 3399 if (rlen) { 3400 if (debug) 3401 addlog(" send conf-rej\n"); 3402 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3403 goto end; 3404 } else if (debug) 3405 addlog("\n"); 3406 3407 /* pass 2: parse option values */ 3408 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3409 if (debug) 3410 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 3411 ifp->if_xname); 3412 p = (void *)(h + 1); 3413 len = origlen; 3414 type = CONF_ACK; 3415 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3416 if (debug) 3417 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3418 switch (*p) { 3419 #ifdef notyet 3420 case IPV6CP_OPT_COMPRESSION: 3421 continue; 3422 #endif 3423 case IPV6CP_OPT_IFID: 3424 memset(&desiredaddr, 0, sizeof(desiredaddr)); 3425 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 3426 collision = (memcmp(&desiredaddr.s6_addr[8], 3427 &myaddr.s6_addr[8], 8) == 0); 3428 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3429 3430 desiredaddr.s6_addr16[0] = htons(0xfe80); 3431 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 3432 3433 if (!collision && !nohisaddr) { 3434 /* no collision, hisaddr known - Conf-Ack */ 3435 type = CONF_ACK; 3436 3437 if (debug) { 3438 addlog(" %s [%s]", 3439 ip6_sprintf(&desiredaddr), 3440 sppp_cp_type_name(type)); 3441 } 3442 continue; 3443 } 3444 3445 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3446 if (collision && nohisaddr) { 3447 /* collision, hisaddr unknown - Conf-Rej */ 3448 type = CONF_REJ; 3449 memset(&p[2], 0, 8); 3450 } else { 3451 /* 3452 * - no collision, hisaddr unknown, or 3453 * - collision, hisaddr known 3454 * Conf-Nak, suggest hisaddr 3455 */ 3456 type = CONF_NAK; 3457 sppp_suggest_ip6_addr(sp, &suggestaddr); 3458 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 3459 } 3460 if (debug) 3461 addlog(" %s [%s]", ip6_sprintf(&desiredaddr), 3462 sppp_cp_type_name(type)); 3463 break; 3464 } 3465 /* Add the option to nak'ed list. */ 3466 bcopy (p, r, p[1]); 3467 r += p[1]; 3468 rlen += p[1]; 3469 } 3470 3471 if (rlen == 0 && type == CONF_ACK) { 3472 if (debug) 3473 addlog(" send %s\n", sppp_cp_type_name(type)); 3474 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1); 3475 } else { 3476 #ifdef notdef 3477 if (type == CONF_ACK) 3478 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3479 #endif 3480 3481 if (debug) { 3482 addlog(" send %s suggest %s\n", 3483 sppp_cp_type_name(type), ip6_sprintf(&suggestaddr)); 3484 } 3485 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3486 } 3487 3488 end: 3489 free(buf, M_TEMP); 3490 return (rlen == 0); 3491 3492 drop: 3493 free(buf, M_TEMP); 3494 return -1; 3495 } 3496 3497 /* 3498 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3499 * negotiation. 3500 */ 3501 static void 3502 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3503 { 3504 u_char *buf, *p; 3505 struct ifnet *ifp = &sp->pp_if; 3506 int debug = ifp->if_flags & IFF_DEBUG; 3507 3508 len -= 4; 3509 buf = malloc (len, M_TEMP, M_NOWAIT); 3510 if (!buf) 3511 return; 3512 3513 if (debug) 3514 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 3515 ifp->if_xname); 3516 3517 p = (void *)(h + 1); 3518 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3519 if (p[1] > len) { 3520 /* XXX just RXJ? */ 3521 addlog("%s: received malicious IPCPv6 option, " 3522 "dropping\n", ifp->if_xname); 3523 goto drop; 3524 } 3525 if (debug) 3526 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3527 switch (*p) { 3528 case IPV6CP_OPT_IFID: 3529 /* 3530 * Peer doesn't grok address option. This is 3531 * bad. XXX Should we better give up here? 3532 */ 3533 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3534 break; 3535 #ifdef notyet 3536 case IPV6CP_OPT_COMPRESS: 3537 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3538 break; 3539 #endif 3540 } 3541 } 3542 if (debug) 3543 addlog("\n"); 3544 drop: 3545 free(buf, M_TEMP); 3546 return; 3547 } 3548 3549 /* 3550 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3551 * negotiation. 3552 */ 3553 static void 3554 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3555 { 3556 u_char *buf, *p; 3557 struct ifnet *ifp = &sp->pp_if; 3558 int debug = ifp->if_flags & IFF_DEBUG; 3559 struct in6_addr suggestaddr; 3560 3561 len -= 4; 3562 buf = malloc (len, M_TEMP, M_NOWAIT); 3563 if (!buf) 3564 return; 3565 3566 if (debug) 3567 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 3568 ifp->if_xname); 3569 3570 p = (void *)(h + 1); 3571 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3572 if (p[1] > len) { 3573 /* XXX just RXJ? */ 3574 addlog("%s: received malicious IPCPv6 option, " 3575 "dropping\n", ifp->if_xname); 3576 goto drop; 3577 } 3578 if (debug) 3579 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3580 switch (*p) { 3581 case IPV6CP_OPT_IFID: 3582 /* 3583 * Peer doesn't like our local ifid. See 3584 * if we can do something for him. We'll drop 3585 * him our address then. 3586 */ 3587 if (len < 10 || p[1] != 10) 3588 break; 3589 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3590 suggestaddr.s6_addr16[0] = htons(0xfe80); 3591 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 3592 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 3593 3594 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3595 if (debug) 3596 addlog(" [suggestaddr %s]", 3597 ip6_sprintf(&suggestaddr)); 3598 #ifdef IPV6CP_MYIFID_DYN 3599 /* 3600 * When doing dynamic address assignment, 3601 * we accept his offer. 3602 */ 3603 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3604 struct in6_addr lastsuggest; 3605 /* 3606 * If <suggested myaddr from peer> equals to 3607 * <hisaddr we have suggested last time>, 3608 * we have a collision. generate new random 3609 * ifid. 3610 */ 3611 sppp_suggest_ip6_addr(&lastsuggest); 3612 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3613 lastsuggest)) { 3614 if (debug) 3615 addlog(" [random]"); 3616 sppp_gen_ip6_addr(sp, &suggestaddr); 3617 } 3618 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3619 if (debug) 3620 addlog(" [agree]"); 3621 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3622 } 3623 #else 3624 /* 3625 * Since we do not do dynamic address assignment, 3626 * we ignore it and thus continue to negotiate 3627 * our already existing value. This can possibly 3628 * go into infinite request-reject loop. 3629 * 3630 * This is not likely because we normally use 3631 * ifid based on MAC-address. 3632 * If you have no ethernet card on the node, too bad. 3633 * XXX should we use fail_counter? 3634 */ 3635 #endif 3636 break; 3637 #ifdef notyet 3638 case IPV6CP_OPT_COMPRESS: 3639 /* 3640 * Peer wants different compression parameters. 3641 */ 3642 break; 3643 #endif 3644 } 3645 } 3646 if (debug) 3647 addlog("\n"); 3648 drop: 3649 free(buf, M_TEMP); 3650 return; 3651 } 3652 3653 static void 3654 sppp_ipv6cp_tlu(struct sppp *sp) 3655 { 3656 /* we are up - notify isdn daemon */ 3657 if (sp->pp_con) 3658 sp->pp_con(sp); 3659 } 3660 3661 static void 3662 sppp_ipv6cp_tld(struct sppp *sp) 3663 { 3664 } 3665 3666 static void 3667 sppp_ipv6cp_tls(struct sppp *sp) 3668 { 3669 /* indicate to LCP that it must stay alive */ 3670 sp->lcp.protos |= (1 << IDX_IPV6CP); 3671 } 3672 3673 static void 3674 sppp_ipv6cp_tlf(struct sppp *sp) 3675 { 3676 /* we no longer need LCP */ 3677 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3678 } 3679 3680 static void 3681 sppp_ipv6cp_scr(struct sppp *sp) 3682 { 3683 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3684 struct in6_addr ouraddr; 3685 int i = 0; 3686 3687 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3688 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3689 opt[i++] = IPV6CP_OPT_IFID; 3690 opt[i++] = 10; 3691 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 3692 i += 8; 3693 } 3694 3695 #ifdef notyet 3696 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 3697 opt[i++] = IPV6CP_OPT_COMPRESSION; 3698 opt[i++] = 4; 3699 opt[i++] = 0; /* TBD */ 3700 opt[i++] = 0; /* TBD */ 3701 /* variable length data may follow */ 3702 } 3703 #endif 3704 3705 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 3706 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 3707 } 3708 #else /*INET6*/ 3709 static void 3710 sppp_ipv6cp_init(struct sppp *sp) 3711 { 3712 } 3713 3714 static void 3715 sppp_ipv6cp_up(struct sppp *sp) 3716 { 3717 } 3718 3719 static void 3720 sppp_ipv6cp_down(struct sppp *sp) 3721 { 3722 } 3723 3724 static void 3725 sppp_ipv6cp_open(struct sppp *sp) 3726 { 3727 } 3728 3729 static void 3730 sppp_ipv6cp_close(struct sppp *sp) 3731 { 3732 } 3733 3734 static void 3735 sppp_ipv6cp_TO(void *sp) 3736 { 3737 } 3738 3739 static int 3740 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, 3741 int len) 3742 { 3743 return 0; 3744 } 3745 3746 static void 3747 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, 3748 int len) 3749 { 3750 } 3751 3752 static void 3753 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, 3754 int len) 3755 { 3756 } 3757 3758 static void 3759 sppp_ipv6cp_tlu(struct sppp *sp) 3760 { 3761 } 3762 3763 static void 3764 sppp_ipv6cp_tld(struct sppp *sp) 3765 { 3766 } 3767 3768 static void 3769 sppp_ipv6cp_tls(struct sppp *sp) 3770 { 3771 } 3772 3773 static void 3774 sppp_ipv6cp_tlf(struct sppp *sp) 3775 { 3776 } 3777 3778 static void 3779 sppp_ipv6cp_scr(struct sppp *sp) 3780 { 3781 } 3782 #endif /*INET6*/ 3783 3784 3785 /* 3786 *--------------------------------------------------------------------------* 3787 * * 3788 * The CHAP implementation. * 3789 * * 3790 *--------------------------------------------------------------------------* 3791 */ 3792 3793 /* 3794 * The authentication protocols don't employ a full-fledged state machine as 3795 * the control protocols do, since they do have Open and Close events, but 3796 * not Up and Down, nor are they explicitly terminated. Also, use of the 3797 * authentication protocols may be different in both directions (this makes 3798 * sense, think of a machine that never accepts incoming calls but only 3799 * calls out, it doesn't require the called party to authenticate itself). 3800 * 3801 * Our state machine for the local authentication protocol (we are requesting 3802 * the peer to authenticate) looks like: 3803 * 3804 * RCA- 3805 * +--------------------------------------------+ 3806 * V scn,tld| 3807 * +--------+ Close +---------+ RCA+ 3808 * | |<----------------------------------| |------+ 3809 * +--->| Closed | TO* | Opened | sca | 3810 * | | |-----+ +-------| |<-----+ 3811 * | +--------+ irc | | +---------+ 3812 * | ^ | | ^ 3813 * | | | | | 3814 * | | | | | 3815 * | TO-| | | | 3816 * | |tld TO+ V | | 3817 * | | +------->+ | | 3818 * | | | | | | 3819 * | +--------+ V | | 3820 * | | |<----+<--------------------+ | 3821 * | | Req- | scr | 3822 * | | Sent | | 3823 * | | | | 3824 * | +--------+ | 3825 * | RCA- | | RCA+ | 3826 * +------+ +------------------------------------------+ 3827 * scn,tld sca,irc,ict,tlu 3828 * 3829 * 3830 * with: 3831 * 3832 * Open: LCP reached authentication phase 3833 * Close: LCP reached terminate phase 3834 * 3835 * RCA+: received reply (pap-req, chap-response), acceptable 3836 * RCN: received reply (pap-req, chap-response), not acceptable 3837 * TO+: timeout with restart counter >= 0 3838 * TO-: timeout with restart counter < 0 3839 * TO*: reschedule timeout for CHAP 3840 * 3841 * scr: send request packet (none for PAP, chap-challenge) 3842 * sca: send ack packet (pap-ack, chap-success) 3843 * scn: send nak packet (pap-nak, chap-failure) 3844 * ict: initialize re-challenge timer (CHAP only) 3845 * 3846 * tlu: this-layer-up, LCP reaches network phase 3847 * tld: this-layer-down, LCP enters terminate phase 3848 * 3849 * Note that in CHAP mode, after sending a new challenge, while the state 3850 * automaton falls back into Req-Sent state, it doesn't signal a tld 3851 * event to LCP, so LCP remains in network phase. Only after not getting 3852 * any response (or after getting an unacceptable response), CHAP closes, 3853 * causing LCP to enter terminate phase. 3854 * 3855 * With PAP, there is no initial request that can be sent. The peer is 3856 * expected to send one based on the successful negotiation of PAP as 3857 * the authentication protocol during the LCP option negotiation. 3858 * 3859 * Incoming authentication protocol requests (remote requests 3860 * authentication, we are peer) don't employ a state machine at all, 3861 * they are simply answered. Some peers [Ascend P50 firmware rev 3862 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are 3863 * still in authentication phase (thereby violating the standard that 3864 * demands that these NCP packets are to be discarded), so we keep 3865 * track of the peer demanding us to authenticate, and only proceed to 3866 * phase network once we've seen a positive acknowledge for the 3867 * authentication. 3868 */ 3869 3870 /* 3871 * Handle incoming CHAP packets. 3872 */ 3873 void 3874 sppp_chap_input(struct sppp *sp, struct mbuf *m) 3875 { 3876 STDDCL; 3877 struct lcp_header *h; 3878 int len, x; 3879 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize; 3880 int value_len, name_len; 3881 MD5_CTX ctx; 3882 3883 len = m->m_pkthdr.len; 3884 if (len < 4) { 3885 if (debug) 3886 log(LOG_DEBUG, 3887 "%s: chap invalid packet length: %d bytes\n", 3888 ifp->if_xname, len); 3889 return; 3890 } 3891 h = mtod(m, struct lcp_header *); 3892 if (len > ntohs(h->len)) 3893 len = ntohs(h->len); 3894 3895 switch (h->type) { 3896 /* challenge, failure and success are his authproto */ 3897 case CHAP_CHALLENGE: 3898 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 3899 /* can't do anything useful */ 3900 sp->pp_auth_failures++; 3901 printf("%s: chap input without my name and my secret being set\n", 3902 ifp->if_xname); 3903 break; 3904 } 3905 value = 1 + (u_char *)(h + 1); 3906 value_len = value[-1]; 3907 name = value + value_len; 3908 name_len = len - value_len - 5; 3909 if (name_len < 0) { 3910 if (debug) { 3911 log(LOG_DEBUG, 3912 "%s: chap corrupted challenge " 3913 "<%s id=0x%x len=%d", 3914 ifp->if_xname, 3915 sppp_auth_type_name(PPP_CHAP, h->type), 3916 h->ident, ntohs(h->len)); 3917 if (len > 4) 3918 sppp_print_bytes((u_char *)(h + 1), 3919 len - 4); 3920 addlog(">\n"); 3921 } 3922 break; 3923 } 3924 3925 if (debug) { 3926 log(LOG_DEBUG, 3927 "%s: chap input <%s id=0x%x len=%d name=", 3928 ifp->if_xname, 3929 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 3930 ntohs(h->len)); 3931 sppp_print_string((char *) name, name_len); 3932 addlog(" value-size=%d value=", value_len); 3933 sppp_print_bytes(value, value_len); 3934 addlog(">\n"); 3935 } 3936 3937 /* Compute reply value. */ 3938 MD5Init(&ctx); 3939 MD5Update(&ctx, &h->ident, 1); 3940 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 3941 MD5Update(&ctx, value, value_len); 3942 MD5Final(digest, &ctx); 3943 dsize = sizeof digest; 3944 3945 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 3946 sizeof dsize, (const char *)&dsize, 3947 sizeof digest, digest, 3948 sp->myauth.name_len, 3949 sp->myauth.name, 3950 0); 3951 break; 3952 3953 case CHAP_SUCCESS: 3954 if (debug) { 3955 log(LOG_DEBUG, "%s: chap success", 3956 ifp->if_xname); 3957 if (len > 4) { 3958 addlog(": "); 3959 sppp_print_string((char *)(h + 1), len - 4); 3960 } 3961 addlog("\n"); 3962 } 3963 x = splnet(); 3964 sp->pp_auth_failures = 0; 3965 sp->pp_flags &= ~PP_NEEDAUTH; 3966 if (sp->myauth.proto == PPP_CHAP && 3967 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 3968 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 3969 /* 3970 * We are authenticator for CHAP but didn't 3971 * complete yet. Leave it to tlu to proceed 3972 * to network phase. 3973 */ 3974 splx(x); 3975 break; 3976 } 3977 splx(x); 3978 sppp_phase_network(sp); 3979 break; 3980 3981 case CHAP_FAILURE: 3982 x = splnet(); 3983 sp->pp_auth_failures++; 3984 splx(x); 3985 if (debug) { 3986 log(LOG_INFO, "%s: chap failure", 3987 ifp->if_xname); 3988 if (len > 4) { 3989 addlog(": "); 3990 sppp_print_string((char *)(h + 1), len - 4); 3991 } 3992 addlog("\n"); 3993 } else 3994 log(LOG_INFO, "%s: chap failure\n", 3995 ifp->if_xname); 3996 /* await LCP shutdown by authenticator */ 3997 break; 3998 3999 /* response is my authproto */ 4000 case CHAP_RESPONSE: 4001 if (sp->hisauth.secret == NULL) { 4002 /* can't do anything useful */ 4003 printf("%s: chap input without his secret being set\n", 4004 ifp->if_xname); 4005 break; 4006 } 4007 value = 1 + (u_char *)(h + 1); 4008 value_len = value[-1]; 4009 name = value + value_len; 4010 name_len = len - value_len - 5; 4011 if (name_len < 0) { 4012 if (debug) { 4013 log(LOG_DEBUG, 4014 "%s: chap corrupted response " 4015 "<%s id=0x%x len=%d", 4016 ifp->if_xname, 4017 sppp_auth_type_name(PPP_CHAP, h->type), 4018 h->ident, ntohs(h->len)); 4019 if (len > 4) 4020 sppp_print_bytes((u_char *)(h + 1), 4021 len - 4); 4022 addlog(">\n"); 4023 } 4024 break; 4025 } 4026 if (h->ident != sp->confid[IDX_CHAP]) { 4027 if (debug) 4028 log(LOG_DEBUG, 4029 "%s: chap dropping response for old ID " 4030 "(got %d, expected %d)\n", 4031 ifp->if_xname, 4032 h->ident, sp->confid[IDX_CHAP]); 4033 break; 4034 } 4035 if (sp->hisauth.name != NULL && 4036 (name_len != sp->hisauth.name_len 4037 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 4038 log(LOG_INFO, "%s: chap response, his name ", 4039 ifp->if_xname); 4040 sppp_print_string(name, name_len); 4041 addlog(" != expected "); 4042 sppp_print_string(sp->hisauth.name, 4043 sp->hisauth.name_len); 4044 addlog("\n"); 4045 goto chap_failure; 4046 } 4047 if (debug) { 4048 log(LOG_DEBUG, "%s: chap input(%s) " 4049 "<%s id=0x%x len=%d name=", 4050 ifp->if_xname, 4051 sppp_state_name(sp->state[IDX_CHAP]), 4052 sppp_auth_type_name(PPP_CHAP, h->type), 4053 h->ident, ntohs(h->len)); 4054 sppp_print_string((char *)name, name_len); 4055 addlog(" value-size=%d value=", value_len); 4056 sppp_print_bytes(value, value_len); 4057 addlog(">\n"); 4058 } 4059 if (value_len != sizeof(sp->myauth.challenge)) { 4060 if (debug) 4061 log(LOG_DEBUG, 4062 "%s: chap bad hash value length: " 4063 "%d bytes, should be %ld\n", 4064 ifp->if_xname, value_len, 4065 (long) sizeof(sp->myauth.challenge)); 4066 goto chap_failure; 4067 } 4068 4069 MD5Init(&ctx); 4070 MD5Update(&ctx, &h->ident, 1); 4071 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 4072 MD5Update(&ctx, sp->myauth.challenge, sizeof(sp->myauth.challenge)); 4073 MD5Final(digest, &ctx); 4074 4075 #define FAILMSG "Failed..." 4076 #define SUCCMSG "Welcome!" 4077 4078 if (value_len != sizeof digest || 4079 memcmp(digest, value, value_len) != 0) { 4080 chap_failure: 4081 /* action scn, tld */ 4082 x = splnet(); 4083 sp->pp_auth_failures++; 4084 splx(x); 4085 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4086 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4087 0); 4088 chap.tld(sp); 4089 break; 4090 } 4091 sp->pp_auth_failures = 0; 4092 /* action sca, perhaps tlu */ 4093 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4094 sp->state[IDX_CHAP] == STATE_OPENED) 4095 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4096 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4097 0); 4098 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4099 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4100 chap.tlu(sp); 4101 } 4102 break; 4103 4104 default: 4105 /* Unknown CHAP packet type -- ignore. */ 4106 if (debug) { 4107 log(LOG_DEBUG, "%s: chap unknown input(%s) " 4108 "<0x%x id=0x%xh len=%d", 4109 ifp->if_xname, 4110 sppp_state_name(sp->state[IDX_CHAP]), 4111 h->type, h->ident, ntohs(h->len)); 4112 if (len > 4) 4113 sppp_print_bytes((u_char *)(h + 1), len - 4); 4114 addlog(">\n"); 4115 } 4116 break; 4117 4118 } 4119 } 4120 4121 static void 4122 sppp_chap_init(struct sppp *sp) 4123 { 4124 /* Chap doesn't have STATE_INITIAL at all. */ 4125 sp->state[IDX_CHAP] = STATE_CLOSED; 4126 sp->fail_counter[IDX_CHAP] = 0; 4127 sp->pp_seq[IDX_CHAP] = 0; 4128 sp->pp_rseq[IDX_CHAP] = 0; 4129 callout_init(&sp->ch[IDX_CHAP], 0); 4130 } 4131 4132 static void 4133 sppp_chap_open(struct sppp *sp) 4134 { 4135 if (sp->myauth.proto == PPP_CHAP && 4136 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4137 /* we are authenticator for CHAP, start it */ 4138 chap.scr(sp); 4139 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4140 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4141 } 4142 /* nothing to be done if we are peer, await a challenge */ 4143 } 4144 4145 static void 4146 sppp_chap_close(struct sppp *sp) 4147 { 4148 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4149 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4150 } 4151 4152 static void 4153 sppp_chap_TO(void *cookie) 4154 { 4155 struct sppp *sp = (struct sppp *)cookie; 4156 STDDCL; 4157 int s; 4158 4159 s = splnet(); 4160 if (debug) 4161 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n", 4162 ifp->if_xname, 4163 sppp_state_name(sp->state[IDX_CHAP]), 4164 sp->rst_counter[IDX_CHAP]); 4165 4166 if (--sp->rst_counter[IDX_CHAP] < 0) 4167 /* TO- event */ 4168 switch (sp->state[IDX_CHAP]) { 4169 case STATE_REQ_SENT: 4170 chap.tld(sp); 4171 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4172 break; 4173 } 4174 else 4175 /* TO+ (or TO*) event */ 4176 switch (sp->state[IDX_CHAP]) { 4177 case STATE_OPENED: 4178 /* TO* event */ 4179 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4180 /* fall through */ 4181 case STATE_REQ_SENT: 4182 chap.scr(sp); 4183 /* sppp_cp_change_state() will restart the timer */ 4184 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4185 break; 4186 } 4187 4188 splx(s); 4189 } 4190 4191 static void 4192 sppp_chap_tlu(struct sppp *sp) 4193 { 4194 STDDCL; 4195 int i, x; 4196 4197 i = 0; 4198 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4199 4200 /* 4201 * Some broken CHAP implementations (Conware CoNet, firmware 4202 * 4.0.?) don't want to re-authenticate their CHAP once the 4203 * initial challenge-response exchange has taken place. 4204 * Provide for an option to avoid rechallenges. 4205 */ 4206 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 4207 /* 4208 * Compute the re-challenge timeout. This will yield 4209 * a number between 300 and 810 seconds. 4210 */ 4211 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7); 4212 4213 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp); 4214 } 4215 4216 if (debug) { 4217 log(LOG_DEBUG, 4218 "%s: chap %s, ", 4219 ifp->if_xname, 4220 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu"); 4221 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) 4222 addlog("next re-challenge in %d seconds\n", i); 4223 else 4224 addlog("re-challenging supressed\n"); 4225 } 4226 4227 x = splnet(); 4228 sp->pp_auth_failures = 0; 4229 /* indicate to LCP that we need to be closed down */ 4230 sp->lcp.protos |= (1 << IDX_CHAP); 4231 4232 if (sp->pp_flags & PP_NEEDAUTH) { 4233 /* 4234 * Remote is authenticator, but his auth proto didn't 4235 * complete yet. Defer the transition to network 4236 * phase. 4237 */ 4238 splx(x); 4239 return; 4240 } 4241 splx(x); 4242 4243 /* 4244 * If we are already in phase network, we are done here. This 4245 * is the case if this is a dummy tlu event after a re-challenge. 4246 */ 4247 if (sp->pp_phase != SPPP_PHASE_NETWORK) 4248 sppp_phase_network(sp); 4249 } 4250 4251 static void 4252 sppp_chap_tld(struct sppp *sp) 4253 { 4254 STDDCL; 4255 4256 if (debug) 4257 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname); 4258 callout_stop(&sp->ch[IDX_CHAP]); 4259 sp->lcp.protos &= ~(1 << IDX_CHAP); 4260 4261 lcp.Close(sp); 4262 } 4263 4264 static void 4265 sppp_chap_scr(struct sppp *sp) 4266 { 4267 uint32_t *ch; 4268 u_char clen = 4 * sizeof(uint32_t); 4269 4270 if (sp->myauth.name == NULL) { 4271 /* can't do anything useful */ 4272 printf("%s: chap starting without my name being set\n", 4273 sp->pp_if.if_xname); 4274 return; 4275 } 4276 4277 /* Compute random challenge. */ 4278 ch = (uint32_t *)sp->myauth.challenge; 4279 cprng_strong(kern_cprng, ch, clen, 0); 4280 4281 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4282 4283 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4284 sizeof clen, (const char *)&clen, 4285 sizeof(sp->myauth.challenge), sp->myauth.challenge, 4286 sp->myauth.name_len, 4287 sp->myauth.name, 4288 0); 4289 } 4290 4291 /* 4292 *--------------------------------------------------------------------------* 4293 * * 4294 * The PAP implementation. * 4295 * * 4296 *--------------------------------------------------------------------------* 4297 */ 4298 /* 4299 * For PAP, we need to keep a little state also if we are the peer, not the 4300 * authenticator. This is since we don't get a request to authenticate, but 4301 * have to repeatedly authenticate ourself until we got a response (or the 4302 * retry counter is expired). 4303 */ 4304 4305 /* 4306 * Handle incoming PAP packets. */ 4307 static void 4308 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4309 { 4310 STDDCL; 4311 struct lcp_header *h; 4312 int len, x; 4313 u_char mlen; 4314 char *name, *secret; 4315 int name_len, secret_len; 4316 4317 /* 4318 * Malicious input might leave this uninitialized, so 4319 * init to an impossible value. 4320 */ 4321 secret_len = -1; 4322 4323 len = m->m_pkthdr.len; 4324 if (len < 5) { 4325 if (debug) 4326 log(LOG_DEBUG, 4327 "%s: pap invalid packet length: %d bytes\n", 4328 ifp->if_xname, len); 4329 return; 4330 } 4331 h = mtod(m, struct lcp_header *); 4332 if (len > ntohs(h->len)) 4333 len = ntohs(h->len); 4334 switch (h->type) { 4335 /* PAP request is my authproto */ 4336 case PAP_REQ: 4337 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4338 /* can't do anything useful */ 4339 printf("%s: pap request without his name and his secret being set\n", 4340 ifp->if_xname); 4341 break; 4342 } 4343 name = 1 + (u_char *)(h + 1); 4344 name_len = name[-1]; 4345 secret = name + name_len + 1; 4346 if (name_len > len - 6 || 4347 (secret_len = secret[-1]) > len - 6 - name_len) { 4348 if (debug) { 4349 log(LOG_DEBUG, "%s: pap corrupted input " 4350 "<%s id=0x%x len=%d", 4351 ifp->if_xname, 4352 sppp_auth_type_name(PPP_PAP, h->type), 4353 h->ident, ntohs(h->len)); 4354 if (len > 4) 4355 sppp_print_bytes((u_char *)(h + 1), 4356 len - 4); 4357 addlog(">\n"); 4358 } 4359 break; 4360 } 4361 if (debug) { 4362 log(LOG_DEBUG, "%s: pap input(%s) " 4363 "<%s id=0x%x len=%d name=", 4364 ifp->if_xname, 4365 sppp_state_name(sp->state[IDX_PAP]), 4366 sppp_auth_type_name(PPP_PAP, h->type), 4367 h->ident, ntohs(h->len)); 4368 sppp_print_string((char *)name, name_len); 4369 addlog(" secret="); 4370 sppp_print_string((char *)secret, secret_len); 4371 addlog(">\n"); 4372 } 4373 if (name_len != sp->hisauth.name_len || 4374 secret_len != sp->hisauth.secret_len || 4375 memcmp(name, sp->hisauth.name, name_len) != 0 || 4376 memcmp(secret, sp->hisauth.secret, secret_len) != 0) { 4377 /* action scn, tld */ 4378 sp->pp_auth_failures++; 4379 mlen = sizeof(FAILMSG) - 1; 4380 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4381 sizeof mlen, (const char *)&mlen, 4382 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4383 0); 4384 pap.tld(sp); 4385 break; 4386 } 4387 /* action sca, perhaps tlu */ 4388 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4389 sp->state[IDX_PAP] == STATE_OPENED) { 4390 mlen = sizeof(SUCCMSG) - 1; 4391 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4392 sizeof mlen, (const char *)&mlen, 4393 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4394 0); 4395 } 4396 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4397 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4398 pap.tlu(sp); 4399 } 4400 break; 4401 4402 /* ack and nak are his authproto */ 4403 case PAP_ACK: 4404 callout_stop(&sp->pap_my_to_ch); 4405 if (debug) { 4406 log(LOG_DEBUG, "%s: pap success", 4407 ifp->if_xname); 4408 name = 1 + (u_char *)(h + 1); 4409 name_len = name[-1]; 4410 if (len > 5 && name_len < len+4) { 4411 addlog(": "); 4412 sppp_print_string(name, name_len); 4413 } 4414 addlog("\n"); 4415 } 4416 x = splnet(); 4417 sp->pp_auth_failures = 0; 4418 sp->pp_flags &= ~PP_NEEDAUTH; 4419 if (sp->myauth.proto == PPP_PAP && 4420 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4421 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4422 /* 4423 * We are authenticator for PAP but didn't 4424 * complete yet. Leave it to tlu to proceed 4425 * to network phase. 4426 */ 4427 splx(x); 4428 break; 4429 } 4430 splx(x); 4431 sppp_phase_network(sp); 4432 break; 4433 4434 case PAP_NAK: 4435 callout_stop(&sp->pap_my_to_ch); 4436 sp->pp_auth_failures++; 4437 if (debug) { 4438 log(LOG_INFO, "%s: pap failure", 4439 ifp->if_xname); 4440 name = 1 + (u_char *)(h + 1); 4441 name_len = name[-1]; 4442 if (len > 5 && name_len < len+4) { 4443 addlog(": "); 4444 sppp_print_string(name, name_len); 4445 } 4446 addlog("\n"); 4447 } else 4448 log(LOG_INFO, "%s: pap failure\n", 4449 ifp->if_xname); 4450 /* await LCP shutdown by authenticator */ 4451 break; 4452 4453 default: 4454 /* Unknown PAP packet type -- ignore. */ 4455 if (debug) { 4456 log(LOG_DEBUG, "%s: pap corrupted input " 4457 "<0x%x id=0x%x len=%d", 4458 ifp->if_xname, 4459 h->type, h->ident, ntohs(h->len)); 4460 if (len > 4) 4461 sppp_print_bytes((u_char *)(h + 1), len - 4); 4462 addlog(">\n"); 4463 } 4464 break; 4465 4466 } 4467 } 4468 4469 static void 4470 sppp_pap_init(struct sppp *sp) 4471 { 4472 /* PAP doesn't have STATE_INITIAL at all. */ 4473 sp->state[IDX_PAP] = STATE_CLOSED; 4474 sp->fail_counter[IDX_PAP] = 0; 4475 sp->pp_seq[IDX_PAP] = 0; 4476 sp->pp_rseq[IDX_PAP] = 0; 4477 callout_init(&sp->ch[IDX_PAP], 0); 4478 callout_init(&sp->pap_my_to_ch, 0); 4479 } 4480 4481 static void 4482 sppp_pap_open(struct sppp *sp) 4483 { 4484 if (sp->hisauth.proto == PPP_PAP && 4485 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4486 /* we are authenticator for PAP, start our timer */ 4487 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4488 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4489 } 4490 if (sp->myauth.proto == PPP_PAP) { 4491 /* we are peer, send a request, and start a timer */ 4492 pap.scr(sp); 4493 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout, 4494 sppp_pap_my_TO, sp); 4495 } 4496 } 4497 4498 static void 4499 sppp_pap_close(struct sppp *sp) 4500 { 4501 if (sp->state[IDX_PAP] != STATE_CLOSED) 4502 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4503 } 4504 4505 /* 4506 * That's the timeout routine if we are authenticator. Since the 4507 * authenticator is basically passive in PAP, we can't do much here. 4508 */ 4509 static void 4510 sppp_pap_TO(void *cookie) 4511 { 4512 struct sppp *sp = (struct sppp *)cookie; 4513 STDDCL; 4514 int s; 4515 4516 s = splnet(); 4517 if (debug) 4518 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n", 4519 ifp->if_xname, 4520 sppp_state_name(sp->state[IDX_PAP]), 4521 sp->rst_counter[IDX_PAP]); 4522 4523 if (--sp->rst_counter[IDX_PAP] < 0) 4524 /* TO- event */ 4525 switch (sp->state[IDX_PAP]) { 4526 case STATE_REQ_SENT: 4527 pap.tld(sp); 4528 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4529 break; 4530 } 4531 else 4532 /* TO+ event, not very much we could do */ 4533 switch (sp->state[IDX_PAP]) { 4534 case STATE_REQ_SENT: 4535 /* sppp_cp_change_state() will restart the timer */ 4536 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4537 break; 4538 } 4539 4540 splx(s); 4541 } 4542 4543 /* 4544 * That's the timeout handler if we are peer. Since the peer is active, 4545 * we need to retransmit our PAP request since it is apparently lost. 4546 * XXX We should impose a max counter. 4547 */ 4548 static void 4549 sppp_pap_my_TO(void *cookie) 4550 { 4551 struct sppp *sp = (struct sppp *)cookie; 4552 STDDCL; 4553 4554 if (debug) 4555 log(LOG_DEBUG, "%s: pap peer TO\n", 4556 ifp->if_xname); 4557 4558 pap.scr(sp); 4559 } 4560 4561 static void 4562 sppp_pap_tlu(struct sppp *sp) 4563 { 4564 STDDCL; 4565 int x; 4566 4567 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4568 4569 if (debug) 4570 log(LOG_DEBUG, "%s: %s tlu\n", 4571 ifp->if_xname, pap.name); 4572 4573 x = splnet(); 4574 sp->pp_auth_failures = 0; 4575 /* indicate to LCP that we need to be closed down */ 4576 sp->lcp.protos |= (1 << IDX_PAP); 4577 4578 if (sp->pp_flags & PP_NEEDAUTH) { 4579 /* 4580 * Remote is authenticator, but his auth proto didn't 4581 * complete yet. Defer the transition to network 4582 * phase. 4583 */ 4584 splx(x); 4585 return; 4586 } 4587 splx(x); 4588 sppp_phase_network(sp); 4589 } 4590 4591 static void 4592 sppp_pap_tld(struct sppp *sp) 4593 { 4594 STDDCL; 4595 4596 if (debug) 4597 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname); 4598 callout_stop(&sp->ch[IDX_PAP]); 4599 callout_stop(&sp->pap_my_to_ch); 4600 sp->lcp.protos &= ~(1 << IDX_PAP); 4601 4602 lcp.Close(sp); 4603 } 4604 4605 static void 4606 sppp_pap_scr(struct sppp *sp) 4607 { 4608 u_char idlen, pwdlen; 4609 4610 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4611 /* can't do anything useful */ 4612 printf("%s: pap starting without my name and secret being set\n", 4613 sp->pp_if.if_xname); 4614 return; 4615 } 4616 4617 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4618 pwdlen = sp->myauth.secret_len; 4619 idlen = sp->myauth.name_len; 4620 4621 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 4622 sizeof idlen, (const char *)&idlen, 4623 idlen, sp->myauth.name, 4624 sizeof pwdlen, (const char *)&pwdlen, 4625 pwdlen, sp->myauth.secret, 4626 0); 4627 } 4628 4629 /* 4630 * Random miscellaneous functions. 4631 */ 4632 4633 /* 4634 * Send a PAP or CHAP proto packet. 4635 * 4636 * Varadic function, each of the elements for the ellipsis is of type 4637 * ``size_t mlen, const u_char *msg''. Processing will stop iff 4638 * mlen == 0. 4639 * NOTE: never declare variadic functions with types subject to type 4640 * promotion (i.e. u_char). This is asking for big trouble depending 4641 * on the architecture you are on... 4642 */ 4643 4644 static void 4645 sppp_auth_send(const struct cp *cp, struct sppp *sp, 4646 unsigned int type, unsigned int id, 4647 ...) 4648 { 4649 STDDCL; 4650 struct lcp_header *lh; 4651 struct mbuf *m; 4652 u_char *p; 4653 int len; 4654 size_t pkthdrlen; 4655 unsigned int mlen; 4656 const char *msg; 4657 va_list ap; 4658 4659 MGETHDR(m, M_DONTWAIT, MT_DATA); 4660 if (! m) 4661 return; 4662 m->m_pkthdr.rcvif = 0; 4663 4664 if (sp->pp_flags & PP_NOFRAMING) { 4665 *mtod(m, uint16_t *) = htons(cp->proto); 4666 pkthdrlen = 2; 4667 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 4668 } else { 4669 struct ppp_header *h; 4670 h = mtod(m, struct ppp_header *); 4671 h->address = PPP_ALLSTATIONS; /* broadcast address */ 4672 h->control = PPP_UI; /* Unnumbered Info */ 4673 h->protocol = htons(cp->proto); 4674 pkthdrlen = PPP_HEADER_LEN; 4675 4676 lh = (struct lcp_header *)(h + 1); 4677 } 4678 4679 lh->type = type; 4680 lh->ident = id; 4681 p = (u_char *)(lh + 1); 4682 4683 va_start(ap, id); 4684 len = 0; 4685 4686 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 4687 msg = va_arg(ap, const char *); 4688 len += mlen; 4689 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 4690 va_end(ap); 4691 m_freem(m); 4692 return; 4693 } 4694 4695 memcpy(p, msg, mlen); 4696 p += mlen; 4697 } 4698 va_end(ap); 4699 4700 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 4701 lh->len = htons(LCP_HEADER_LEN + len); 4702 4703 if (debug) { 4704 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 4705 ifp->if_xname, cp->name, 4706 sppp_auth_type_name(cp->proto, lh->type), 4707 lh->ident, ntohs(lh->len)); 4708 if (len) 4709 sppp_print_bytes((u_char *)(lh + 1), len); 4710 addlog(">\n"); 4711 } 4712 if (IF_QFULL(&sp->pp_cpq)) { 4713 IF_DROP(&sp->pp_fastq); 4714 IF_DROP(&ifp->if_snd); 4715 m_freem(m); 4716 ++ifp->if_oerrors; 4717 return; 4718 } else 4719 IF_ENQUEUE(&sp->pp_cpq, m); 4720 if (! (ifp->if_flags & IFF_OACTIVE)) 4721 (*ifp->if_start)(ifp); 4722 ifp->if_obytes += m->m_pkthdr.len + 3; 4723 } 4724 4725 /* 4726 * Send keepalive packets, every 10 seconds. 4727 */ 4728 static void 4729 sppp_keepalive(void *dummy) 4730 { 4731 struct sppp *sp; 4732 int s; 4733 time_t now; 4734 4735 s = splnet(); 4736 now = time_uptime; 4737 for (sp=spppq; sp; sp=sp->pp_next) { 4738 struct ifnet *ifp = &sp->pp_if; 4739 4740 /* check idle timeout */ 4741 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 4742 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 4743 /* idle timeout is enabled for this interface */ 4744 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 4745 if (ifp->if_flags & IFF_DEBUG) 4746 printf("%s: no activity for %lu seconds\n", 4747 sp->pp_if.if_xname, 4748 (unsigned long)(now-sp->pp_last_activity)); 4749 lcp.Close(sp); 4750 continue; 4751 } 4752 } 4753 4754 /* Keepalive mode disabled or channel down? */ 4755 if (! (sp->pp_flags & PP_KEEPALIVE) || 4756 ! (ifp->if_flags & IFF_RUNNING)) 4757 continue; 4758 4759 /* No keepalive in PPP mode if LCP not opened yet. */ 4760 if (! (sp->pp_flags & PP_CISCO) && 4761 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) 4762 continue; 4763 4764 /* No echo reply, but maybe user data passed through? */ 4765 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) { 4766 sp->pp_alivecnt = 0; 4767 continue; 4768 } 4769 4770 if (sp->pp_alivecnt >= sp->pp_maxalive) { 4771 /* No keepalive packets got. Stop the interface. */ 4772 if_down (ifp); 4773 IF_PURGE(&sp->pp_cpq); 4774 if (! (sp->pp_flags & PP_CISCO)) { 4775 printf("%s: LCP keepalive timed out, going to restart the connection\n", 4776 ifp->if_xname); 4777 sp->pp_alivecnt = 0; 4778 4779 /* we are down, close all open protocols */ 4780 lcp.Close(sp); 4781 4782 /* And now prepare LCP to reestablish the link, if configured to do so. */ 4783 sppp_cp_change_state(&lcp, sp, STATE_STOPPED); 4784 4785 /* Close connection immediately, completition of this 4786 * will summon the magic needed to reestablish it. */ 4787 if (sp->pp_tlf) 4788 sp->pp_tlf(sp); 4789 continue; 4790 } 4791 } 4792 if (sp->pp_alivecnt < sp->pp_maxalive) 4793 ++sp->pp_alivecnt; 4794 if (sp->pp_flags & PP_CISCO) 4795 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 4796 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 4797 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 4798 int32_t nmagic = htonl(sp->lcp.magic); 4799 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 4800 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 4801 sp->lcp.echoid, 4, &nmagic); 4802 } 4803 } 4804 splx(s); 4805 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 4806 } 4807 4808 #ifdef INET 4809 /* 4810 * Get both IP addresses. 4811 */ 4812 static void 4813 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 4814 { 4815 struct ifnet *ifp = &sp->pp_if; 4816 struct ifaddr *ifa; 4817 struct sockaddr_in *si, *sm; 4818 uint32_t ssrc, ddst; 4819 4820 sm = NULL; 4821 ssrc = ddst = 0; 4822 /* 4823 * Pick the first AF_INET address from the list, 4824 * aliases don't make any sense on a p2p link anyway. 4825 */ 4826 si = 0; 4827 IFADDR_FOREACH(ifa, ifp) { 4828 if (ifa->ifa_addr->sa_family == AF_INET) { 4829 si = (struct sockaddr_in *)ifa->ifa_addr; 4830 sm = (struct sockaddr_in *)ifa->ifa_netmask; 4831 if (si) 4832 break; 4833 } 4834 } 4835 if (ifa) { 4836 if (si && si->sin_addr.s_addr) { 4837 ssrc = si->sin_addr.s_addr; 4838 if (srcmask) 4839 *srcmask = ntohl(sm->sin_addr.s_addr); 4840 } 4841 4842 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 4843 if (si && si->sin_addr.s_addr) 4844 ddst = si->sin_addr.s_addr; 4845 } 4846 4847 if (dst) *dst = ntohl(ddst); 4848 if (src) *src = ntohl(ssrc); 4849 } 4850 4851 /* 4852 * Set IP addresses. Must be called at splnet. 4853 * If an address is 0, leave it the way it is. 4854 */ 4855 static void 4856 sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr) 4857 { 4858 STDDCL; 4859 struct ifaddr *ifa; 4860 struct sockaddr_in *si, *dest; 4861 4862 /* 4863 * Pick the first AF_INET address from the list, 4864 * aliases don't make any sense on a p2p link anyway. 4865 */ 4866 4867 IFADDR_FOREACH(ifa, ifp) { 4868 if (ifa->ifa_addr->sa_family == AF_INET) { 4869 si = (struct sockaddr_in *)ifa->ifa_addr; 4870 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4871 goto found; 4872 } 4873 } 4874 return; 4875 4876 found: 4877 { 4878 int error, hostIsNew; 4879 struct sockaddr_in new_sin = *si; 4880 struct sockaddr_in new_dst = *dest; 4881 4882 /* 4883 * Scrub old routes now instead of calling in_ifinit with 4884 * scrub=1, because we may change the dstaddr 4885 * before the call to in_ifinit. 4886 */ 4887 in_ifscrub(ifp, ifatoia(ifa)); 4888 4889 hostIsNew = 0; 4890 if (myaddr != 0) { 4891 if (new_sin.sin_addr.s_addr != htonl(myaddr)) { 4892 new_sin.sin_addr.s_addr = htonl(myaddr); 4893 hostIsNew = 1; 4894 } 4895 } 4896 if (hisaddr != 0) { 4897 new_dst.sin_addr.s_addr = htonl(hisaddr); 4898 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) { 4899 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 4900 *dest = new_dst; /* fix dstaddr in place */ 4901 } 4902 } 4903 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, 0, hostIsNew); 4904 if (debug && error) 4905 { 4906 log(LOG_DEBUG, "%s: sppp_set_ip_addrs: in_ifinit " 4907 " failed, error=%d\n", ifp->if_xname, error); 4908 } 4909 if (!error) { 4910 (void)pfil_run_hooks(if_pfil, 4911 (struct mbuf **)SIOCAIFADDR, ifp, PFIL_IFADDR); 4912 } 4913 } 4914 } 4915 4916 /* 4917 * Clear IP addresses. Must be called at splnet. 4918 */ 4919 static void 4920 sppp_clear_ip_addrs(struct sppp *sp) 4921 { 4922 struct ifnet *ifp = &sp->pp_if; 4923 struct ifaddr *ifa; 4924 struct sockaddr_in *si, *dest; 4925 4926 uint32_t remote; 4927 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4928 remote = sp->ipcp.saved_hisaddr; 4929 else 4930 sppp_get_ip_addrs(sp, 0, &remote, 0); 4931 4932 /* 4933 * Pick the first AF_INET address from the list, 4934 * aliases don't make any sense on a p2p link anyway. 4935 */ 4936 4937 IFADDR_FOREACH(ifa, ifp) { 4938 if (ifa->ifa_addr->sa_family == AF_INET) { 4939 si = (struct sockaddr_in *)ifa->ifa_addr; 4940 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4941 goto found; 4942 } 4943 } 4944 return; 4945 4946 found: 4947 { 4948 struct sockaddr_in new_sin = *si; 4949 4950 in_ifscrub(ifp, ifatoia(ifa)); 4951 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 4952 new_sin.sin_addr.s_addr = 0; 4953 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4954 /* replace peer addr in place */ 4955 dest->sin_addr.s_addr = sp->ipcp.saved_hisaddr; 4956 in_ifinit(ifp, ifatoia(ifa), &new_sin, 0, 0); 4957 (void)pfil_run_hooks(if_pfil, 4958 (struct mbuf **)SIOCDIFADDR, ifp, PFIL_IFADDR); 4959 } 4960 } 4961 #endif 4962 4963 #ifdef INET6 4964 /* 4965 * Get both IPv6 addresses. 4966 */ 4967 static void 4968 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 4969 struct in6_addr *srcmask) 4970 { 4971 struct ifnet *ifp = &sp->pp_if; 4972 struct ifaddr *ifa; 4973 struct sockaddr_in6 *si, *sm; 4974 struct in6_addr ssrc, ddst; 4975 4976 sm = NULL; 4977 memset(&ssrc, 0, sizeof(ssrc)); 4978 memset(&ddst, 0, sizeof(ddst)); 4979 /* 4980 * Pick the first link-local AF_INET6 address from the list, 4981 * aliases don't make any sense on a p2p link anyway. 4982 */ 4983 si = 0; 4984 IFADDR_FOREACH(ifa, ifp) 4985 if (ifa->ifa_addr->sa_family == AF_INET6) { 4986 si = (struct sockaddr_in6 *)ifa->ifa_addr; 4987 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 4988 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) 4989 break; 4990 } 4991 if (ifa) { 4992 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 4993 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 4994 if (srcmask) { 4995 memcpy(srcmask, &sm->sin6_addr, 4996 sizeof(*srcmask)); 4997 } 4998 } 4999 5000 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 5001 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 5002 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 5003 } 5004 5005 if (dst) 5006 memcpy(dst, &ddst, sizeof(*dst)); 5007 if (src) 5008 memcpy(src, &ssrc, sizeof(*src)); 5009 } 5010 5011 #ifdef IPV6CP_MYIFID_DYN 5012 /* 5013 * Generate random ifid. 5014 */ 5015 static void 5016 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5017 { 5018 /* TBD */ 5019 } 5020 5021 /* 5022 * Set my IPv6 address. Must be called at splnet. 5023 */ 5024 static void 5025 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5026 { 5027 STDDCL; 5028 struct ifaddr *ifa; 5029 struct sockaddr_in6 *sin6; 5030 5031 /* 5032 * Pick the first link-local AF_INET6 address from the list, 5033 * aliases don't make any sense on a p2p link anyway. 5034 */ 5035 5036 sin6 = NULL; 5037 IFADDR_FOREACH(ifa, ifp) 5038 { 5039 if (ifa->ifa_addr->sa_family == AF_INET6) 5040 { 5041 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5042 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 5043 break; 5044 } 5045 } 5046 5047 if (ifa && sin6) 5048 { 5049 int error; 5050 struct sockaddr_in6 new_sin6 = *sin6; 5051 5052 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 5053 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5054 if (debug && error) 5055 { 5056 log(LOG_DEBUG, "%s: sppp_set_ip6_addr: in6_ifinit " 5057 " failed, error=%d\n", ifp->if_xname, error); 5058 } 5059 if (!error) { 5060 (void)pfil_run_hooks(if_pfil, 5061 (struct mbuf **)SIOCAIFADDR_IN6, ifp, PFIL_IFADDR); 5062 } 5063 } 5064 } 5065 #endif 5066 5067 /* 5068 * Suggest a candidate address to be used by peer. 5069 */ 5070 static void 5071 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5072 { 5073 struct in6_addr myaddr; 5074 struct timeval tv; 5075 5076 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5077 5078 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5079 microtime(&tv); 5080 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5081 myaddr.s6_addr[14] ^= 0xff; 5082 myaddr.s6_addr[15] ^= 0xff; 5083 } else { 5084 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5085 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5086 } 5087 if (suggest) 5088 memcpy(suggest, &myaddr, sizeof(myaddr)); 5089 } 5090 #endif /*INET6*/ 5091 5092 /* 5093 * Process ioctl requests specific to the PPP interface. 5094 * Permissions have already been checked. 5095 */ 5096 static int 5097 sppp_params(struct sppp *sp, u_long cmd, void *data) 5098 { 5099 switch (cmd) { 5100 case SPPPGETAUTHCFG: 5101 { 5102 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5103 int error; 5104 size_t len; 5105 5106 cfg->myauthflags = sp->myauth.flags; 5107 cfg->hisauthflags = sp->hisauth.flags; 5108 strncpy(cfg->ifname, sp->pp_if.if_xname, IFNAMSIZ); 5109 cfg->hisauth = 0; 5110 if (sp->hisauth.proto) 5111 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5112 cfg->myauth = 0; 5113 if (sp->myauth.proto) 5114 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5115 if (cfg->myname_length == 0) { 5116 if (sp->myauth.name != NULL) 5117 cfg->myname_length = sp->myauth.name_len + 1; 5118 } else { 5119 if (sp->myauth.name == NULL) { 5120 cfg->myname_length = 0; 5121 } else { 5122 len = sp->myauth.name_len + 1; 5123 if (cfg->myname_length < len) 5124 return (ENAMETOOLONG); 5125 error = copyout(sp->myauth.name, cfg->myname, len); 5126 if (error) return error; 5127 } 5128 } 5129 if (cfg->hisname_length == 0) { 5130 if (sp->hisauth.name != NULL) 5131 cfg->hisname_length = sp->hisauth.name_len + 1; 5132 } else { 5133 if (sp->hisauth.name == NULL) { 5134 cfg->hisname_length = 0; 5135 } else { 5136 len = sp->hisauth.name_len + 1; 5137 if (cfg->hisname_length < len) 5138 return (ENAMETOOLONG); 5139 error = copyout(sp->hisauth.name, cfg->hisname, len); 5140 if (error) return error; 5141 } 5142 } 5143 } 5144 break; 5145 case SPPPSETAUTHCFG: 5146 { 5147 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5148 int error; 5149 5150 if (sp->myauth.name) { 5151 free(sp->myauth.name, M_DEVBUF); 5152 sp->myauth.name = NULL; 5153 } 5154 if (sp->myauth.secret) { 5155 free(sp->myauth.secret, M_DEVBUF); 5156 sp->myauth.secret = NULL; 5157 } 5158 if (sp->hisauth.name) { 5159 free(sp->hisauth.name, M_DEVBUF); 5160 sp->hisauth.name = NULL; 5161 } 5162 if (sp->hisauth.secret) { 5163 free(sp->hisauth.secret, M_DEVBUF); 5164 sp->hisauth.secret = NULL; 5165 } 5166 5167 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 5168 if (cfg->hisname_length >= MCLBYTES) 5169 return (ENAMETOOLONG); 5170 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 5171 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 5172 if (error) { 5173 free(sp->hisauth.name, M_DEVBUF); 5174 sp->hisauth.name = NULL; 5175 return error; 5176 } 5177 sp->hisauth.name_len = cfg->hisname_length - 1; 5178 sp->hisauth.name[sp->hisauth.name_len] = 0; 5179 } 5180 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 5181 if (cfg->hissecret_length >= MCLBYTES) 5182 return (ENAMETOOLONG); 5183 sp->hisauth.secret = malloc(cfg->hissecret_length, M_DEVBUF, M_WAITOK); 5184 error = copyin(cfg->hissecret, sp->hisauth.secret, cfg->hissecret_length); 5185 if (error) { 5186 free(sp->hisauth.secret, M_DEVBUF); 5187 sp->hisauth.secret = NULL; 5188 return error; 5189 } 5190 sp->hisauth.secret_len = cfg->hissecret_length - 1; 5191 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 5192 } 5193 if (cfg->myname != NULL && cfg->myname_length > 0) { 5194 if (cfg->myname_length >= MCLBYTES) 5195 return (ENAMETOOLONG); 5196 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 5197 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 5198 if (error) { 5199 free(sp->myauth.name, M_DEVBUF); 5200 sp->myauth.name = NULL; 5201 return error; 5202 } 5203 sp->myauth.name_len = cfg->myname_length - 1; 5204 sp->myauth.name[sp->myauth.name_len] = 0; 5205 } 5206 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 5207 if (cfg->mysecret_length >= MCLBYTES) 5208 return (ENAMETOOLONG); 5209 sp->myauth.secret = malloc(cfg->mysecret_length, M_DEVBUF, M_WAITOK); 5210 error = copyin(cfg->mysecret, sp->myauth.secret, cfg->mysecret_length); 5211 if (error) { 5212 free(sp->myauth.secret, M_DEVBUF); 5213 sp->myauth.secret = NULL; 5214 return error; 5215 } 5216 sp->myauth.secret_len = cfg->mysecret_length - 1; 5217 sp->myauth.secret[sp->myauth.secret_len] = 0; 5218 } 5219 sp->myauth.flags = cfg->myauthflags; 5220 if (cfg->myauth) 5221 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5222 sp->hisauth.flags = cfg->hisauthflags; 5223 if (cfg->hisauth) 5224 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5225 sp->pp_auth_failures = 0; 5226 if (sp->hisauth.proto != 0) 5227 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 5228 else 5229 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 5230 } 5231 break; 5232 case SPPPGETLCPCFG: 5233 { 5234 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5235 lcpp->lcp_timeout = sp->lcp.timeout; 5236 } 5237 break; 5238 case SPPPSETLCPCFG: 5239 { 5240 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5241 sp->lcp.timeout = lcpp->lcp_timeout; 5242 } 5243 break; 5244 case SPPPGETSTATUS: 5245 { 5246 struct spppstatus *status = (struct spppstatus *)data; 5247 status->phase = sp->pp_phase; 5248 } 5249 break; 5250 case SPPPGETSTATUSNCP: 5251 { 5252 struct spppstatusncp *status = (struct spppstatusncp *)data; 5253 status->phase = sp->pp_phase; 5254 status->ncpup = sppp_ncp_check(sp); 5255 } 5256 break; 5257 case SPPPGETIDLETO: 5258 { 5259 struct spppidletimeout *to = (struct spppidletimeout *)data; 5260 to->idle_seconds = sp->pp_idle_timeout; 5261 } 5262 break; 5263 case SPPPSETIDLETO: 5264 { 5265 struct spppidletimeout *to = (struct spppidletimeout *)data; 5266 sp->pp_idle_timeout = to->idle_seconds; 5267 } 5268 break; 5269 case SPPPSETAUTHFAILURE: 5270 { 5271 struct spppauthfailuresettings *afsettings = (struct spppauthfailuresettings *)data; 5272 sp->pp_max_auth_fail = afsettings->max_failures; 5273 sp->pp_auth_failures = 0; 5274 } 5275 break; 5276 case SPPPGETAUTHFAILURES: 5277 { 5278 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 5279 stats->auth_failures = sp->pp_auth_failures; 5280 stats->max_failures = sp->pp_max_auth_fail; 5281 } 5282 break; 5283 case SPPPSETDNSOPTS: 5284 { 5285 struct spppdnssettings *req = (struct spppdnssettings *)data; 5286 sp->query_dns = req->query_dns & 3; 5287 } 5288 break; 5289 case SPPPGETDNSOPTS: 5290 { 5291 struct spppdnssettings *req = (struct spppdnssettings *)data; 5292 req->query_dns = sp->query_dns; 5293 } 5294 break; 5295 case SPPPGETDNSADDRS: 5296 { 5297 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 5298 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 5299 } 5300 break; 5301 case SPPPGETKEEPALIVE: 5302 { 5303 struct spppkeepalivesettings *settings = 5304 (struct spppkeepalivesettings*)data; 5305 settings->maxalive = sp->pp_maxalive; 5306 settings->max_noreceive = sp->pp_max_noreceive; 5307 } 5308 break; 5309 case SPPPSETKEEPALIVE: 5310 { 5311 struct spppkeepalivesettings *settings = 5312 (struct spppkeepalivesettings*)data; 5313 sp->pp_maxalive = settings->maxalive; 5314 sp->pp_max_noreceive = settings->max_noreceive; 5315 } 5316 break; 5317 #if defined(COMPAT_50) || defined(MODULAR) 5318 case __SPPPGETIDLETO50: 5319 { 5320 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5321 to->idle_seconds = (uint32_t)sp->pp_idle_timeout; 5322 } 5323 break; 5324 case __SPPPSETIDLETO50: 5325 { 5326 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5327 sp->pp_idle_timeout = (time_t)to->idle_seconds; 5328 } 5329 break; 5330 case __SPPPGETKEEPALIVE50: 5331 { 5332 struct spppkeepalivesettings50 *settings = 5333 (struct spppkeepalivesettings50*)data; 5334 settings->maxalive = sp->pp_maxalive; 5335 settings->max_noreceive = (uint32_t)sp->pp_max_noreceive; 5336 } 5337 break; 5338 case __SPPPSETKEEPALIVE50: 5339 { 5340 struct spppkeepalivesettings50 *settings = 5341 (struct spppkeepalivesettings50*)data; 5342 sp->pp_maxalive = settings->maxalive; 5343 sp->pp_max_noreceive = (time_t)settings->max_noreceive; 5344 } 5345 break; 5346 #endif /* COMPAT_50 || MODULAR */ 5347 default: 5348 return (EINVAL); 5349 } 5350 5351 return (0); 5352 } 5353 5354 static void 5355 sppp_phase_network(struct sppp *sp) 5356 { 5357 STDDCL; 5358 int i; 5359 uint32_t mask; 5360 5361 sp->pp_phase = SPPP_PHASE_NETWORK; 5362 5363 if (debug) 5364 { 5365 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 5366 sppp_phase_name(sp->pp_phase)); 5367 } 5368 5369 /* Notify NCPs now. */ 5370 for (i = 0; i < IDX_COUNT; i++) 5371 if ((cps[i])->flags & CP_NCP) 5372 (cps[i])->Open(sp); 5373 5374 /* Send Up events to all NCPs. */ 5375 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5376 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) 5377 (cps[i])->Up(sp); 5378 5379 /* if no NCP is starting, all this was in vain, close down */ 5380 sppp_lcp_check_and_close(sp); 5381 } 5382 5383 5384 static const char * 5385 sppp_cp_type_name(u_char type) 5386 { 5387 static char buf[12]; 5388 switch (type) { 5389 case CONF_REQ: return "conf-req"; 5390 case CONF_ACK: return "conf-ack"; 5391 case CONF_NAK: return "conf-nak"; 5392 case CONF_REJ: return "conf-rej"; 5393 case TERM_REQ: return "term-req"; 5394 case TERM_ACK: return "term-ack"; 5395 case CODE_REJ: return "code-rej"; 5396 case PROTO_REJ: return "proto-rej"; 5397 case ECHO_REQ: return "echo-req"; 5398 case ECHO_REPLY: return "echo-reply"; 5399 case DISC_REQ: return "discard-req"; 5400 } 5401 snprintf(buf, sizeof(buf), "0x%x", type); 5402 return buf; 5403 } 5404 5405 static const char * 5406 sppp_auth_type_name(u_short proto, u_char type) 5407 { 5408 static char buf[12]; 5409 switch (proto) { 5410 case PPP_CHAP: 5411 switch (type) { 5412 case CHAP_CHALLENGE: return "challenge"; 5413 case CHAP_RESPONSE: return "response"; 5414 case CHAP_SUCCESS: return "success"; 5415 case CHAP_FAILURE: return "failure"; 5416 } 5417 case PPP_PAP: 5418 switch (type) { 5419 case PAP_REQ: return "req"; 5420 case PAP_ACK: return "ack"; 5421 case PAP_NAK: return "nak"; 5422 } 5423 } 5424 snprintf(buf, sizeof(buf), "0x%x", type); 5425 return buf; 5426 } 5427 5428 static const char * 5429 sppp_lcp_opt_name(u_char opt) 5430 { 5431 static char buf[12]; 5432 switch (opt) { 5433 case LCP_OPT_MRU: return "mru"; 5434 case LCP_OPT_ASYNC_MAP: return "async-map"; 5435 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 5436 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 5437 case LCP_OPT_MAGIC: return "magic"; 5438 case LCP_OPT_PROTO_COMP: return "proto-comp"; 5439 case LCP_OPT_ADDR_COMP: return "addr-comp"; 5440 } 5441 snprintf(buf, sizeof(buf), "0x%x", opt); 5442 return buf; 5443 } 5444 5445 static const char * 5446 sppp_ipcp_opt_name(u_char opt) 5447 { 5448 static char buf[12]; 5449 switch (opt) { 5450 case IPCP_OPT_ADDRESSES: return "addresses"; 5451 case IPCP_OPT_COMPRESSION: return "compression"; 5452 case IPCP_OPT_ADDRESS: return "address"; 5453 } 5454 snprintf(buf, sizeof(buf), "0x%x", opt); 5455 return buf; 5456 } 5457 5458 #ifdef INET6 5459 static const char * 5460 sppp_ipv6cp_opt_name(u_char opt) 5461 { 5462 static char buf[12]; 5463 switch (opt) { 5464 case IPV6CP_OPT_IFID: return "ifid"; 5465 case IPV6CP_OPT_COMPRESSION: return "compression"; 5466 } 5467 snprintf(buf, sizeof(buf), "0x%x", opt); 5468 return buf; 5469 } 5470 #endif 5471 5472 static const char * 5473 sppp_state_name(int state) 5474 { 5475 switch (state) { 5476 case STATE_INITIAL: return "initial"; 5477 case STATE_STARTING: return "starting"; 5478 case STATE_CLOSED: return "closed"; 5479 case STATE_STOPPED: return "stopped"; 5480 case STATE_CLOSING: return "closing"; 5481 case STATE_STOPPING: return "stopping"; 5482 case STATE_REQ_SENT: return "req-sent"; 5483 case STATE_ACK_RCVD: return "ack-rcvd"; 5484 case STATE_ACK_SENT: return "ack-sent"; 5485 case STATE_OPENED: return "opened"; 5486 } 5487 return "illegal"; 5488 } 5489 5490 static const char * 5491 sppp_phase_name(int phase) 5492 { 5493 switch (phase) { 5494 case SPPP_PHASE_DEAD: return "dead"; 5495 case SPPP_PHASE_ESTABLISH: return "establish"; 5496 case SPPP_PHASE_TERMINATE: return "terminate"; 5497 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 5498 case SPPP_PHASE_NETWORK: return "network"; 5499 } 5500 return "illegal"; 5501 } 5502 5503 static const char * 5504 sppp_proto_name(u_short proto) 5505 { 5506 static char buf[12]; 5507 switch (proto) { 5508 case PPP_LCP: return "lcp"; 5509 case PPP_IPCP: return "ipcp"; 5510 case PPP_PAP: return "pap"; 5511 case PPP_CHAP: return "chap"; 5512 case PPP_IPV6CP: return "ipv6cp"; 5513 } 5514 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto); 5515 return buf; 5516 } 5517 5518 static void 5519 sppp_print_bytes(const u_char *p, u_short len) 5520 { 5521 addlog(" %02x", *p++); 5522 while (--len > 0) 5523 addlog("-%02x", *p++); 5524 } 5525 5526 static void 5527 sppp_print_string(const char *p, u_short len) 5528 { 5529 u_char c; 5530 5531 while (len-- > 0) { 5532 c = *p++; 5533 /* 5534 * Print only ASCII chars directly. RFC 1994 recommends 5535 * using only them, but we don't rely on it. */ 5536 if (c < ' ' || c > '~') 5537 addlog("\\x%x", c); 5538 else 5539 addlog("%c", c); 5540 } 5541 } 5542 5543 static const char * 5544 sppp_dotted_quad(uint32_t addr) 5545 { 5546 static char s[16]; 5547 snprintf(s, sizeof(s), "%d.%d.%d.%d", 5548 (int)((addr >> 24) & 0xff), 5549 (int)((addr >> 16) & 0xff), 5550 (int)((addr >> 8) & 0xff), 5551 (int)(addr & 0xff)); 5552 return s; 5553 } 5554 5555 /* a dummy, used to drop uninteresting events */ 5556 static void 5557 sppp_null(struct sppp *unused) 5558 { 5559 /* do just nothing */ 5560 } 5561 /* 5562 * This file is large. Tell emacs to highlight it nevertheless. 5563 * 5564 * Local Variables: 5565 * hilit-auto-highlight-maxout: 120000 5566 * End: 5567 */ 5568
Indexes created Sat Sep 27 21:09:56 GMT 2025