if_spppsubr.c revision 1.146.2.1
1 /* $NetBSD: if_spppsubr.c,v 1.146.2.1 2016/11/04 14:49:20 pgoyette Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak (at) cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun (at) iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.146.2.1 2016/11/04 14:49:20 pgoyette Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_modular.h" 49 #include "opt_compat_netbsd.h" 50 #endif 51 52 53 #include <sys/param.h> 54 #include <sys/proc.h> 55 #include <sys/systm.h> 56 #include <sys/kernel.h> 57 #include <sys/sockio.h> 58 #include <sys/socket.h> 59 #include <sys/syslog.h> 60 #include <sys/malloc.h> 61 #include <sys/mbuf.h> 62 #include <sys/callout.h> 63 #include <sys/md5.h> 64 #include <sys/inttypes.h> 65 #include <sys/kauth.h> 66 #include <sys/cprng.h> 67 68 #include <net/if.h> 69 #include <net/netisr.h> 70 #include <net/if_types.h> 71 #include <net/route.h> 72 #include <net/ppp_defs.h> 73 74 #include <netinet/in.h> 75 #include <netinet/in_systm.h> 76 #include <netinet/in_var.h> 77 #ifdef INET 78 #include <netinet/ip.h> 79 #include <netinet/tcp.h> 80 #endif 81 #include <net/ethertypes.h> 82 83 #ifdef INET6 84 #include <netinet6/scope6_var.h> 85 #endif 86 87 #include <net/if_sppp.h> 88 #include <net/if_spppvar.h> 89 90 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 91 #define LOOPALIVECNT 3 /* loopback detection tries */ 92 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 93 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 94 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 95 96 /* 97 * Interface flags that can be set in an ifconfig command. 98 * 99 * Setting link0 will make the link passive, i.e. it will be marked 100 * as being administrative openable, but won't be opened to begin 101 * with. Incoming calls will be answered, or subsequent calls with 102 * -link1 will cause the administrative open of the LCP layer. 103 * 104 * Setting link1 will cause the link to auto-dial only as packets 105 * arrive to be sent. 106 * 107 * Setting IFF_DEBUG will syslog the option negotiation and state 108 * transitions at level kern.debug. Note: all logs consistently look 109 * like 110 * 111 * <if-name><unit>: <proto-name> <additional info...> 112 * 113 * with <if-name><unit> being something like "bppp0", and <proto-name> 114 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 115 */ 116 117 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 118 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 119 120 #define CONF_REQ 1 /* PPP configure request */ 121 #define CONF_ACK 2 /* PPP configure acknowledge */ 122 #define CONF_NAK 3 /* PPP configure negative ack */ 123 #define CONF_REJ 4 /* PPP configure reject */ 124 #define TERM_REQ 5 /* PPP terminate request */ 125 #define TERM_ACK 6 /* PPP terminate acknowledge */ 126 #define CODE_REJ 7 /* PPP code reject */ 127 #define PROTO_REJ 8 /* PPP protocol reject */ 128 #define ECHO_REQ 9 /* PPP echo request */ 129 #define ECHO_REPLY 10 /* PPP echo reply */ 130 #define DISC_REQ 11 /* PPP discard request */ 131 132 #define LCP_OPT_MRU 1 /* maximum receive unit */ 133 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 134 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 135 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 136 #define LCP_OPT_MAGIC 5 /* magic number */ 137 #define LCP_OPT_RESERVED 6 /* reserved */ 138 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 139 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 140 141 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 142 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 143 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 144 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 145 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 146 147 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 148 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 149 150 #define PAP_REQ 1 /* PAP name/password request */ 151 #define PAP_ACK 2 /* PAP acknowledge */ 152 #define PAP_NAK 3 /* PAP fail */ 153 154 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 155 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 156 #define CHAP_SUCCESS 3 /* CHAP response ok */ 157 #define CHAP_FAILURE 4 /* CHAP response failed */ 158 159 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 160 161 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 162 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 163 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 164 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 165 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 166 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 167 168 /* states are named and numbered according to RFC 1661 */ 169 #define STATE_INITIAL 0 170 #define STATE_STARTING 1 171 #define STATE_CLOSED 2 172 #define STATE_STOPPED 3 173 #define STATE_CLOSING 4 174 #define STATE_STOPPING 5 175 #define STATE_REQ_SENT 6 176 #define STATE_ACK_RCVD 7 177 #define STATE_ACK_SENT 8 178 #define STATE_OPENED 9 179 180 struct ppp_header { 181 uint8_t address; 182 uint8_t control; 183 uint16_t protocol; 184 } __packed; 185 #define PPP_HEADER_LEN sizeof (struct ppp_header) 186 187 struct lcp_header { 188 uint8_t type; 189 uint8_t ident; 190 uint16_t len; 191 } __packed; 192 #define LCP_HEADER_LEN sizeof (struct lcp_header) 193 194 struct cisco_packet { 195 uint32_t type; 196 uint32_t par1; 197 uint32_t par2; 198 uint16_t rel; 199 uint16_t time0; 200 uint16_t time1; 201 } __packed; 202 #define CISCO_PACKET_LEN 18 203 204 /* 205 * We follow the spelling and capitalization of RFC 1661 here, to make 206 * it easier comparing with the standard. Please refer to this RFC in 207 * case you can't make sense out of these abbreviation; it will also 208 * explain the semantics related to the various events and actions. 209 */ 210 struct cp { 211 u_short proto; /* PPP control protocol number */ 212 u_char protoidx; /* index into state table in struct sppp */ 213 u_char flags; 214 #define CP_LCP 0x01 /* this is the LCP */ 215 #define CP_AUTH 0x02 /* this is an authentication protocol */ 216 #define CP_NCP 0x04 /* this is a NCP */ 217 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 218 const char *name; /* name of this control protocol */ 219 /* event handlers */ 220 void (*Up)(struct sppp *sp); 221 void (*Down)(struct sppp *sp); 222 void (*Open)(struct sppp *sp); 223 void (*Close)(struct sppp *sp); 224 void (*TO)(void *sp); 225 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 226 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 227 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 228 /* actions */ 229 void (*tlu)(struct sppp *sp); 230 void (*tld)(struct sppp *sp); 231 void (*tls)(struct sppp *sp); 232 void (*tlf)(struct sppp *sp); 233 void (*scr)(struct sppp *sp); 234 }; 235 236 static struct sppp *spppq; 237 static callout_t keepalive_ch; 238 239 #ifdef INET 240 /* 241 * The following disgusting hack gets around the problem that IP TOS 242 * can't be set yet. We want to put "interactive" traffic on a high 243 * priority queue. To decide if traffic is interactive, we check that 244 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 245 * 246 * XXX is this really still necessary? - joerg - 247 */ 248 static u_short interactive_ports[8] = { 249 0, 513, 0, 0, 250 0, 21, 0, 23, 251 }; 252 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 253 #endif 254 255 /* almost every function needs these */ 256 #define STDDCL \ 257 struct ifnet *ifp = &sp->pp_if; \ 258 int debug = ifp->if_flags & IFF_DEBUG 259 260 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 261 const struct sockaddr *dst, const struct rtentry *rt); 262 263 static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2); 264 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 265 266 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 267 struct mbuf *m); 268 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 269 u_char ident, u_short len, void *data); 270 /* static void sppp_cp_timeout(void *arg); */ 271 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 272 int newstate); 273 static void sppp_auth_send(const struct cp *cp, 274 struct sppp *sp, unsigned int type, unsigned int id, 275 ...); 276 277 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 278 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 279 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 280 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 281 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 282 283 static void sppp_null(struct sppp *sp); 284 285 static void sppp_lcp_init(struct sppp *sp); 286 static void sppp_lcp_up(struct sppp *sp); 287 static void sppp_lcp_down(struct sppp *sp); 288 static void sppp_lcp_open(struct sppp *sp); 289 static void sppp_lcp_close(struct sppp *sp); 290 static void sppp_lcp_TO(void *sp); 291 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 292 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 293 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 294 static void sppp_lcp_tlu(struct sppp *sp); 295 static void sppp_lcp_tld(struct sppp *sp); 296 static void sppp_lcp_tls(struct sppp *sp); 297 static void sppp_lcp_tlf(struct sppp *sp); 298 static void sppp_lcp_scr(struct sppp *sp); 299 static void sppp_lcp_check_and_close(struct sppp *sp); 300 static int sppp_ncp_check(struct sppp *sp); 301 302 static void sppp_ipcp_init(struct sppp *sp); 303 static void sppp_ipcp_up(struct sppp *sp); 304 static void sppp_ipcp_down(struct sppp *sp); 305 static void sppp_ipcp_open(struct sppp *sp); 306 static void sppp_ipcp_close(struct sppp *sp); 307 static void sppp_ipcp_TO(void *sp); 308 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 309 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 310 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 311 static void sppp_ipcp_tlu(struct sppp *sp); 312 static void sppp_ipcp_tld(struct sppp *sp); 313 static void sppp_ipcp_tls(struct sppp *sp); 314 static void sppp_ipcp_tlf(struct sppp *sp); 315 static void sppp_ipcp_scr(struct sppp *sp); 316 317 static void sppp_ipv6cp_init(struct sppp *sp); 318 static void sppp_ipv6cp_up(struct sppp *sp); 319 static void sppp_ipv6cp_down(struct sppp *sp); 320 static void sppp_ipv6cp_open(struct sppp *sp); 321 static void sppp_ipv6cp_close(struct sppp *sp); 322 static void sppp_ipv6cp_TO(void *sp); 323 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 324 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 325 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 326 static void sppp_ipv6cp_tlu(struct sppp *sp); 327 static void sppp_ipv6cp_tld(struct sppp *sp); 328 static void sppp_ipv6cp_tls(struct sppp *sp); 329 static void sppp_ipv6cp_tlf(struct sppp *sp); 330 static void sppp_ipv6cp_scr(struct sppp *sp); 331 332 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 333 static void sppp_pap_init(struct sppp *sp); 334 static void sppp_pap_open(struct sppp *sp); 335 static void sppp_pap_close(struct sppp *sp); 336 static void sppp_pap_TO(void *sp); 337 static void sppp_pap_my_TO(void *sp); 338 static void sppp_pap_tlu(struct sppp *sp); 339 static void sppp_pap_tld(struct sppp *sp); 340 static void sppp_pap_scr(struct sppp *sp); 341 342 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 343 static void sppp_chap_init(struct sppp *sp); 344 static void sppp_chap_open(struct sppp *sp); 345 static void sppp_chap_close(struct sppp *sp); 346 static void sppp_chap_TO(void *sp); 347 static void sppp_chap_tlu(struct sppp *sp); 348 static void sppp_chap_tld(struct sppp *sp); 349 static void sppp_chap_scr(struct sppp *sp); 350 351 static const char *sppp_auth_type_name(u_short proto, u_char type); 352 static const char *sppp_cp_type_name(u_char type); 353 static const char *sppp_dotted_quad(uint32_t addr); 354 static const char *sppp_ipcp_opt_name(u_char opt); 355 #ifdef INET6 356 static const char *sppp_ipv6cp_opt_name(u_char opt); 357 #endif 358 static const char *sppp_lcp_opt_name(u_char opt); 359 static const char *sppp_phase_name(int phase); 360 static const char *sppp_proto_name(u_short proto); 361 static const char *sppp_state_name(int state); 362 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 363 #ifdef INET 364 static void sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, 365 uint32_t *srcmask); 366 static void sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr); 367 static void sppp_clear_ip_addrs(struct sppp *sp); 368 #endif 369 static void sppp_keepalive(void *dummy); 370 static void sppp_phase_network(struct sppp *sp); 371 static void sppp_print_bytes(const u_char *p, u_short len); 372 static void sppp_print_string(const char *p, u_short len); 373 #ifdef INET6 374 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 375 struct in6_addr *dst, struct in6_addr *srcmask); 376 #ifdef IPV6CP_MYIFID_DYN 377 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 378 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 379 #endif 380 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 381 #endif 382 383 /* our control protocol descriptors */ 384 static const struct cp lcp = { 385 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 386 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 387 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 388 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 389 sppp_lcp_scr 390 }; 391 392 static const struct cp ipcp = { 393 PPP_IPCP, IDX_IPCP, 394 #ifdef INET 395 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 396 #else 397 0, 398 #endif 399 "ipcp", 400 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 401 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 402 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 403 sppp_ipcp_scr 404 }; 405 406 static const struct cp ipv6cp = { 407 PPP_IPV6CP, IDX_IPV6CP, 408 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 409 CP_NCP, 410 #else 411 0, 412 #endif 413 "ipv6cp", 414 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 415 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 416 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 417 sppp_ipv6cp_scr 418 }; 419 420 static const struct cp pap = { 421 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 422 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 423 sppp_pap_TO, 0, 0, 0, 424 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 425 sppp_pap_scr 426 }; 427 428 static const struct cp chap = { 429 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 430 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 431 sppp_chap_TO, 0, 0, 0, 432 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 433 sppp_chap_scr 434 }; 435 436 static const struct cp *cps[IDX_COUNT] = { 437 &lcp, /* IDX_LCP */ 438 &ipcp, /* IDX_IPCP */ 439 &ipv6cp, /* IDX_IPV6CP */ 440 &pap, /* IDX_PAP */ 441 &chap, /* IDX_CHAP */ 442 }; 443 444 445 /* 446 * Exported functions, comprising our interface to the lower layer. 447 */ 448 449 /* 450 * Process the received packet. 451 */ 452 void 453 sppp_input(struct ifnet *ifp, struct mbuf *m) 454 { 455 struct ppp_header *h = NULL; 456 pktqueue_t *pktq = NULL; 457 struct ifqueue *inq = NULL; 458 uint16_t protocol; 459 struct sppp *sp = (struct sppp *)ifp; 460 int debug = ifp->if_flags & IFF_DEBUG; 461 int isr = 0; 462 463 if (ifp->if_flags & IFF_UP) { 464 /* Count received bytes, add hardware framing */ 465 ifp->if_ibytes += m->m_pkthdr.len + sp->pp_framebytes; 466 /* Note time of last receive */ 467 sp->pp_last_receive = time_uptime; 468 } 469 470 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 471 /* Too small packet, drop it. */ 472 if (debug) 473 log(LOG_DEBUG, 474 "%s: input packet is too small, %d bytes\n", 475 ifp->if_xname, m->m_pkthdr.len); 476 drop: 477 ++ifp->if_ierrors; 478 ++ifp->if_iqdrops; 479 m_freem(m); 480 return; 481 } 482 483 if (sp->pp_flags & PP_NOFRAMING) { 484 memcpy(&protocol, mtod(m, void *), 2); 485 protocol = ntohs(protocol); 486 m_adj(m, 2); 487 } else { 488 489 /* Get PPP header. */ 490 h = mtod(m, struct ppp_header *); 491 m_adj(m, PPP_HEADER_LEN); 492 493 switch (h->address) { 494 case PPP_ALLSTATIONS: 495 if (h->control != PPP_UI) 496 goto invalid; 497 if (sp->pp_flags & PP_CISCO) { 498 if (debug) 499 log(LOG_DEBUG, 500 "%s: PPP packet in Cisco mode " 501 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 502 ifp->if_xname, 503 h->address, h->control, ntohs(h->protocol)); 504 goto drop; 505 } 506 break; 507 case CISCO_MULTICAST: 508 case CISCO_UNICAST: 509 /* Don't check the control field here (RFC 1547). */ 510 if (! (sp->pp_flags & PP_CISCO)) { 511 if (debug) 512 log(LOG_DEBUG, 513 "%s: Cisco packet in PPP mode " 514 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 515 ifp->if_xname, 516 h->address, h->control, ntohs(h->protocol)); 517 goto drop; 518 } 519 switch (ntohs(h->protocol)) { 520 default: 521 ++ifp->if_noproto; 522 goto invalid; 523 case CISCO_KEEPALIVE: 524 sppp_cisco_input((struct sppp *) ifp, m); 525 m_freem(m); 526 return; 527 #ifdef INET 528 case ETHERTYPE_IP: 529 pktq = ip_pktq; 530 break; 531 #endif 532 #ifdef INET6 533 case ETHERTYPE_IPV6: 534 pktq = ip6_pktq; 535 break; 536 #endif 537 } 538 goto queue_pkt; 539 default: /* Invalid PPP packet. */ 540 invalid: 541 if (debug) 542 log(LOG_DEBUG, 543 "%s: invalid input packet " 544 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 545 ifp->if_xname, 546 h->address, h->control, ntohs(h->protocol)); 547 goto drop; 548 } 549 protocol = ntohs(h->protocol); 550 } 551 552 switch (protocol) { 553 default: 554 if (sp->state[IDX_LCP] == STATE_OPENED) { 555 uint16_t prot = htons(protocol); 556 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 557 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 558 &prot); 559 } 560 if (debug) 561 log(LOG_DEBUG, 562 "%s: invalid input protocol " 563 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol)); 564 ++ifp->if_noproto; 565 goto drop; 566 case PPP_LCP: 567 sppp_cp_input(&lcp, sp, m); 568 m_freem(m); 569 return; 570 case PPP_PAP: 571 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 572 sppp_pap_input(sp, m); 573 m_freem(m); 574 return; 575 case PPP_CHAP: 576 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 577 sppp_chap_input(sp, m); 578 m_freem(m); 579 return; 580 #ifdef INET 581 case PPP_IPCP: 582 if (sp->pp_phase == SPPP_PHASE_NETWORK) 583 sppp_cp_input(&ipcp, sp, m); 584 m_freem(m); 585 return; 586 case PPP_IP: 587 if (sp->state[IDX_IPCP] == STATE_OPENED) { 588 sp->pp_last_activity = time_uptime; 589 pktq = ip_pktq; 590 } 591 break; 592 #endif 593 #ifdef INET6 594 case PPP_IPV6CP: 595 if (sp->pp_phase == SPPP_PHASE_NETWORK) 596 sppp_cp_input(&ipv6cp, sp, m); 597 m_freem(m); 598 return; 599 600 case PPP_IPV6: 601 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 602 sp->pp_last_activity = time_uptime; 603 pktq = ip6_pktq; 604 } 605 break; 606 #endif 607 } 608 609 queue_pkt: 610 if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) { 611 goto drop; 612 } 613 614 /* Check queue. */ 615 if (__predict_true(pktq)) { 616 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 617 goto drop; 618 } 619 return; 620 } 621 622 IFQ_LOCK(inq); 623 if (IF_QFULL(inq)) { 624 /* Queue overflow. */ 625 IF_DROP(inq); 626 IFQ_UNLOCK(inq); 627 if (debug) 628 log(LOG_DEBUG, "%s: protocol queue overflow\n", 629 ifp->if_xname); 630 goto drop; 631 } 632 IF_ENQUEUE(inq, m); 633 IFQ_UNLOCK(inq); 634 schednetisr(isr); 635 } 636 637 /* 638 * Enqueue transmit packet. 639 */ 640 static int 641 sppp_output(struct ifnet *ifp, struct mbuf *m, 642 const struct sockaddr *dst, const struct rtentry *rt) 643 { 644 struct sppp *sp = (struct sppp *) ifp; 645 struct ppp_header *h = NULL; 646 struct ifqueue *ifq = NULL; /* XXX */ 647 int s, error = 0; 648 uint16_t protocol; 649 650 s = splnet(); 651 652 sp->pp_last_activity = time_uptime; 653 654 if ((ifp->if_flags & IFF_UP) == 0 || 655 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 656 m_freem(m); 657 splx(s); 658 return (ENETDOWN); 659 } 660 661 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 662 /* 663 * Interface is not yet running, but auto-dial. Need 664 * to start LCP for it. 665 */ 666 ifp->if_flags |= IFF_RUNNING; 667 splx(s); 668 lcp.Open(sp); 669 s = splnet(); 670 } 671 672 /* 673 * If the queueing discipline needs packet classification, 674 * do it before prepending link headers. 675 */ 676 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family); 677 678 #ifdef INET 679 if (dst->sa_family == AF_INET) { 680 struct ip *ip = NULL; 681 struct tcphdr *th = NULL; 682 683 if (m->m_len >= sizeof(struct ip)) { 684 ip = mtod(m, struct ip *); 685 if (ip->ip_p == IPPROTO_TCP && 686 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 687 sizeof(struct tcphdr)) { 688 th = (struct tcphdr *) 689 ((char *)ip + (ip->ip_hl << 2)); 690 } 691 } else 692 ip = NULL; 693 694 /* 695 * When using dynamic local IP address assignment by using 696 * 0.0.0.0 as a local address, the first TCP session will 697 * not connect because the local TCP checksum is computed 698 * using 0.0.0.0 which will later become our real IP address 699 * so the TCP checksum computed at the remote end will 700 * become invalid. So we 701 * - don't let packets with src ip addr 0 thru 702 * - we flag TCP packets with src ip 0 as an error 703 */ 704 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 705 uint8_t proto = ip->ip_p; 706 707 m_freem(m); 708 splx(s); 709 if (proto == IPPROTO_TCP) 710 return (EADDRNOTAVAIL); 711 else 712 return (0); 713 } 714 715 /* 716 * Put low delay, telnet, rlogin and ftp control packets 717 * in front of the queue. 718 */ 719 720 if (!IF_QFULL(&sp->pp_fastq) && 721 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 722 (th && (INTERACTIVE(ntohs(th->th_sport)) || 723 INTERACTIVE(ntohs(th->th_dport)))))) 724 ifq = &sp->pp_fastq; 725 } 726 #endif 727 728 #ifdef INET6 729 if (dst->sa_family == AF_INET6) { 730 /* XXX do something tricky here? */ 731 } 732 #endif 733 734 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 735 /* 736 * Prepend general data packet PPP header. For now, IP only. 737 */ 738 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 739 if (! m) { 740 if (ifp->if_flags & IFF_DEBUG) 741 log(LOG_DEBUG, "%s: no memory for transmit header\n", 742 ifp->if_xname); 743 ++ifp->if_oerrors; 744 splx(s); 745 return (ENOBUFS); 746 } 747 /* 748 * May want to check size of packet 749 * (albeit due to the implementation it's always enough) 750 */ 751 h = mtod(m, struct ppp_header *); 752 if (sp->pp_flags & PP_CISCO) { 753 h->address = CISCO_UNICAST; /* unicast address */ 754 h->control = 0; 755 } else { 756 h->address = PPP_ALLSTATIONS; /* broadcast address */ 757 h->control = PPP_UI; /* Unnumbered Info */ 758 } 759 } 760 761 switch (dst->sa_family) { 762 #ifdef INET 763 case AF_INET: /* Internet Protocol */ 764 if (sp->pp_flags & PP_CISCO) 765 protocol = htons(ETHERTYPE_IP); 766 else { 767 /* 768 * Don't choke with an ENETDOWN early. It's 769 * possible that we just started dialing out, 770 * so don't drop the packet immediately. If 771 * we notice that we run out of buffer space 772 * below, we will however remember that we are 773 * not ready to carry IP packets, and return 774 * ENETDOWN, as opposed to ENOBUFS. 775 */ 776 protocol = htons(PPP_IP); 777 if (sp->state[IDX_IPCP] != STATE_OPENED) 778 error = ENETDOWN; 779 } 780 break; 781 #endif 782 #ifdef INET6 783 case AF_INET6: /* Internet Protocol version 6 */ 784 if (sp->pp_flags & PP_CISCO) 785 protocol = htons(ETHERTYPE_IPV6); 786 else { 787 /* 788 * Don't choke with an ENETDOWN early. It's 789 * possible that we just started dialing out, 790 * so don't drop the packet immediately. If 791 * we notice that we run out of buffer space 792 * below, we will however remember that we are 793 * not ready to carry IP packets, and return 794 * ENETDOWN, as opposed to ENOBUFS. 795 */ 796 protocol = htons(PPP_IPV6); 797 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 798 error = ENETDOWN; 799 } 800 break; 801 #endif 802 default: 803 m_freem(m); 804 ++ifp->if_oerrors; 805 splx(s); 806 return (EAFNOSUPPORT); 807 } 808 809 if (sp->pp_flags & PP_NOFRAMING) { 810 M_PREPEND(m, 2, M_DONTWAIT); 811 if (m == NULL) { 812 if (ifp->if_flags & IFF_DEBUG) 813 log(LOG_DEBUG, "%s: no memory for transmit header\n", 814 ifp->if_xname); 815 ++ifp->if_oerrors; 816 splx(s); 817 return (ENOBUFS); 818 } 819 *mtod(m, uint16_t *) = protocol; 820 } else { 821 h->protocol = protocol; 822 } 823 824 825 error = ifq_enqueue2(ifp, ifq, m); 826 827 if (error == 0) { 828 /* 829 * Count output packets and bytes. 830 * The packet length includes header + additional hardware 831 * framing according to RFC 1333. 832 */ 833 if (!(ifp->if_flags & IFF_OACTIVE)) 834 if_start_lock(ifp); 835 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 836 } 837 splx(s); 838 return error; 839 } 840 841 static int 842 sppp_mediachange(struct ifnet *ifp) 843 { 844 845 return (0); 846 } 847 848 static void 849 sppp_mediastatus(struct ifnet *ifp, struct ifmediareq *imr) 850 { 851 852 switch (ifp->if_link_state) { 853 case LINK_STATE_UP: 854 imr->ifm_status = IFM_AVALID | IFM_ACTIVE; 855 break; 856 case LINK_STATE_DOWN: 857 imr->ifm_status = IFM_AVALID; 858 break; 859 default: 860 /* Should be impossible as we set link state down in attach. */ 861 imr->ifm_status = 0; 862 break; 863 } 864 } 865 866 void 867 sppp_attach(struct ifnet *ifp) 868 { 869 struct sppp *sp = (struct sppp *) ifp; 870 871 /* Initialize keepalive handler. */ 872 if (! spppq) { 873 callout_init(&keepalive_ch, 0); 874 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 875 } 876 877 /* Insert new entry into the keepalive list. */ 878 sp->pp_next = spppq; 879 spppq = sp; 880 881 sp->pp_if.if_type = IFT_PPP; 882 sp->pp_if.if_output = sppp_output; 883 sp->pp_fastq.ifq_maxlen = 32; 884 sp->pp_cpq.ifq_maxlen = 20; 885 sp->pp_loopcnt = 0; 886 sp->pp_alivecnt = 0; 887 sp->pp_last_activity = 0; 888 sp->pp_last_receive = 0; 889 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 890 sp->pp_max_noreceive = DEFAULT_NORECV_TIME; 891 sp->pp_idle_timeout = 0; 892 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq)); 893 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq)); 894 sp->pp_auth_failures = 0; 895 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 896 sp->pp_phase = SPPP_PHASE_DEAD; 897 sp->pp_up = lcp.Up; 898 sp->pp_down = lcp.Down; 899 900 if_alloc_sadl(ifp); 901 902 /* Lets not beat about the bush, we know we're down. */ 903 ifp->if_link_state = LINK_STATE_DOWN; 904 /* There is no media for PPP, but it's needed to report link status. */ 905 ifmedia_init(&sp->pp_im, 0, sppp_mediachange, sppp_mediastatus); 906 907 memset(&sp->myauth, 0, sizeof sp->myauth); 908 memset(&sp->hisauth, 0, sizeof sp->hisauth); 909 sppp_lcp_init(sp); 910 sppp_ipcp_init(sp); 911 sppp_ipv6cp_init(sp); 912 sppp_pap_init(sp); 913 sppp_chap_init(sp); 914 } 915 916 void 917 sppp_detach(struct ifnet *ifp) 918 { 919 struct sppp **q, *p, *sp = (struct sppp *) ifp; 920 921 /* Remove the entry from the keepalive list. */ 922 for (q = &spppq; (p = *q); q = &p->pp_next) 923 if (p == sp) { 924 *q = p->pp_next; 925 break; 926 } 927 928 /* Stop keepalive handler. */ 929 if (! spppq) { 930 callout_stop(&keepalive_ch); 931 } 932 933 callout_stop(&sp->ch[IDX_LCP]); 934 callout_stop(&sp->ch[IDX_IPCP]); 935 callout_stop(&sp->ch[IDX_PAP]); 936 callout_stop(&sp->ch[IDX_CHAP]); 937 #ifdef INET6 938 callout_stop(&sp->ch[IDX_IPV6CP]); 939 #endif 940 callout_stop(&sp->pap_my_to_ch); 941 942 /* free authentication info */ 943 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 944 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 945 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 946 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 947 948 /* Safety - shouldn't be needed as there is no media to set. */ 949 ifmedia_delete_instance(&sp->pp_im, IFM_INST_ANY); 950 } 951 952 /* 953 * Flush the interface output queue. 954 */ 955 void 956 sppp_flush(struct ifnet *ifp) 957 { 958 struct sppp *sp = (struct sppp *) ifp; 959 960 IFQ_PURGE(&sp->pp_if.if_snd); 961 IF_PURGE(&sp->pp_fastq); 962 IF_PURGE(&sp->pp_cpq); 963 } 964 965 /* 966 * Check if the output queue is empty. 967 */ 968 int 969 sppp_isempty(struct ifnet *ifp) 970 { 971 struct sppp *sp = (struct sppp *) ifp; 972 int empty, s; 973 974 s = splnet(); 975 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 976 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 977 splx(s); 978 return (empty); 979 } 980 981 /* 982 * Get next packet to send. 983 */ 984 struct mbuf * 985 sppp_dequeue(struct ifnet *ifp) 986 { 987 struct sppp *sp = (struct sppp *) ifp; 988 struct mbuf *m; 989 int s; 990 991 s = splnet(); 992 /* 993 * Process only the control protocol queue until we have at 994 * least one NCP open. 995 * 996 * Do always serve all three queues in Cisco mode. 997 */ 998 IF_DEQUEUE(&sp->pp_cpq, m); 999 if (m == NULL && 1000 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) { 1001 IF_DEQUEUE(&sp->pp_fastq, m); 1002 if (m == NULL) 1003 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 1004 } 1005 splx(s); 1006 return m; 1007 } 1008 1009 /* 1010 * Process an ioctl request. Called on low priority level. 1011 */ 1012 int 1013 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1014 { 1015 struct lwp *l = curlwp; /* XXX */ 1016 struct ifreq *ifr = (struct ifreq *) data; 1017 struct ifaddr *ifa = (struct ifaddr *) data; 1018 struct sppp *sp = (struct sppp *) ifp; 1019 int s, error=0, going_up, going_down, newmode; 1020 1021 s = splnet(); 1022 switch (cmd) { 1023 case SIOCINITIFADDR: 1024 ifa->ifa_rtrequest = p2p_rtrequest; 1025 break; 1026 1027 case SIOCSIFFLAGS: 1028 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1029 break; 1030 going_up = ifp->if_flags & IFF_UP && 1031 (ifp->if_flags & IFF_RUNNING) == 0; 1032 going_down = (ifp->if_flags & IFF_UP) == 0 && 1033 ifp->if_flags & IFF_RUNNING; 1034 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1035 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1036 /* sanity */ 1037 newmode = IFF_PASSIVE; 1038 ifp->if_flags &= ~IFF_AUTO; 1039 } 1040 1041 if (going_up || going_down) 1042 lcp.Close(sp); 1043 if (going_up && newmode == 0) { 1044 /* neither auto-dial nor passive */ 1045 ifp->if_flags |= IFF_RUNNING; 1046 if (!(sp->pp_flags & PP_CISCO)) 1047 lcp.Open(sp); 1048 } else if (going_down) { 1049 sppp_flush(ifp); 1050 ifp->if_flags &= ~IFF_RUNNING; 1051 } 1052 1053 break; 1054 1055 case SIOCSIFMTU: 1056 if (ifr->ifr_mtu < PPP_MINMRU || 1057 ifr->ifr_mtu > sp->lcp.their_mru) { 1058 error = EINVAL; 1059 break; 1060 } 1061 /*FALLTHROUGH*/ 1062 case SIOCGIFMTU: 1063 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1064 error = 0; 1065 break; 1066 case SIOCADDMULTI: 1067 case SIOCDELMULTI: 1068 break; 1069 1070 case SPPPSETAUTHCFG: 1071 case SPPPSETLCPCFG: 1072 case SPPPSETIDLETO: 1073 case SPPPSETAUTHFAILURE: 1074 case SPPPSETDNSOPTS: 1075 case SPPPSETKEEPALIVE: 1076 #if defined(COMPAT_50) || defined(MODULAR) 1077 case __SPPPSETIDLETO50: 1078 case __SPPPSETKEEPALIVE50: 1079 #endif /* COMPAT_50 || MODULAR */ 1080 error = kauth_authorize_network(l->l_cred, 1081 KAUTH_NETWORK_INTERFACE, 1082 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1083 NULL); 1084 if (error) 1085 break; 1086 error = sppp_params(sp, cmd, data); 1087 break; 1088 1089 case SPPPGETAUTHCFG: 1090 case SPPPGETLCPCFG: 1091 case SPPPGETAUTHFAILURES: 1092 error = kauth_authorize_network(l->l_cred, 1093 KAUTH_NETWORK_INTERFACE, 1094 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1095 NULL); 1096 if (error) 1097 break; 1098 error = sppp_params(sp, cmd, data); 1099 break; 1100 1101 case SPPPGETSTATUS: 1102 case SPPPGETSTATUSNCP: 1103 case SPPPGETIDLETO: 1104 case SPPPGETDNSOPTS: 1105 case SPPPGETDNSADDRS: 1106 case SPPPGETKEEPALIVE: 1107 #if defined(COMPAT_50) || defined(MODULAR) 1108 case __SPPPGETIDLETO50: 1109 case __SPPPGETKEEPALIVE50: 1110 #endif /* COMPAT_50 || MODULAR */ 1111 error = sppp_params(sp, cmd, data); 1112 break; 1113 1114 case SIOCGIFMEDIA: 1115 error = ifmedia_ioctl(ifp, ifr, &sp->pp_im, cmd); 1116 break; 1117 1118 default: 1119 error = ifioctl_common(ifp, cmd, data); 1120 break; 1121 } 1122 splx(s); 1123 return (error); 1124 } 1125 1126 1127 /* 1128 * Cisco framing implementation. 1129 */ 1130 1131 /* 1132 * Handle incoming Cisco keepalive protocol packets. 1133 */ 1134 static void 1135 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1136 { 1137 STDDCL; 1138 struct cisco_packet *h; 1139 #ifdef INET 1140 uint32_t me, mymask = 0; /* XXX: GCC */ 1141 #endif 1142 1143 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1144 if (debug) 1145 log(LOG_DEBUG, 1146 "%s: cisco invalid packet length: %d bytes\n", 1147 ifp->if_xname, m->m_pkthdr.len); 1148 return; 1149 } 1150 h = mtod(m, struct cisco_packet *); 1151 if (debug) 1152 log(LOG_DEBUG, 1153 "%s: cisco input: %d bytes " 1154 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1155 ifp->if_xname, m->m_pkthdr.len, 1156 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1157 (u_int)h->time0, (u_int)h->time1); 1158 switch (ntohl(h->type)) { 1159 default: 1160 if (debug) 1161 addlog("%s: cisco unknown packet type: 0x%x\n", 1162 ifp->if_xname, ntohl(h->type)); 1163 break; 1164 case CISCO_ADDR_REPLY: 1165 /* Reply on address request, ignore */ 1166 break; 1167 case CISCO_KEEPALIVE_REQ: 1168 sp->pp_alivecnt = 0; 1169 sp->pp_rseq[IDX_LCP] = ntohl(h->par1); 1170 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1171 /* Local and remote sequence numbers are equal. 1172 * Probably, the line is in loopback mode. */ 1173 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1174 printf ("%s: loopback\n", 1175 ifp->if_xname); 1176 sp->pp_loopcnt = 0; 1177 if (ifp->if_flags & IFF_UP) { 1178 if_down(ifp); 1179 IF_PURGE(&sp->pp_cpq); 1180 } 1181 } 1182 ++sp->pp_loopcnt; 1183 1184 /* Generate new local sequence number */ 1185 sp->pp_seq[IDX_LCP] = cprng_fast32(); 1186 break; 1187 } 1188 sp->pp_loopcnt = 0; 1189 if (! (ifp->if_flags & IFF_UP) && 1190 (ifp->if_flags & IFF_RUNNING)) { 1191 if_up(ifp); 1192 } 1193 break; 1194 case CISCO_ADDR_REQ: 1195 #ifdef INET 1196 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1197 if (me != 0L) 1198 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1199 #endif 1200 break; 1201 } 1202 } 1203 1204 /* 1205 * Send Cisco keepalive packet. 1206 */ 1207 static void 1208 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1209 { 1210 STDDCL; 1211 struct ppp_header *h; 1212 struct cisco_packet *ch; 1213 struct mbuf *m; 1214 uint32_t t; 1215 1216 t = time_uptime * 1000; 1217 MGETHDR(m, M_DONTWAIT, MT_DATA); 1218 if (! m) 1219 return; 1220 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1221 m_reset_rcvif(m); 1222 1223 h = mtod(m, struct ppp_header *); 1224 h->address = CISCO_MULTICAST; 1225 h->control = 0; 1226 h->protocol = htons(CISCO_KEEPALIVE); 1227 1228 ch = (struct cisco_packet *)(h + 1); 1229 ch->type = htonl(type); 1230 ch->par1 = htonl(par1); 1231 ch->par2 = htonl(par2); 1232 ch->rel = -1; 1233 1234 ch->time0 = htons((u_short)(t >> 16)); 1235 ch->time1 = htons((u_short) t); 1236 1237 if (debug) 1238 log(LOG_DEBUG, 1239 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1240 ifp->if_xname, ntohl(ch->type), ch->par1, 1241 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1242 (u_int)ch->time1); 1243 1244 if (IF_QFULL(&sp->pp_cpq)) { 1245 IF_DROP(&sp->pp_fastq); 1246 IF_DROP(&ifp->if_snd); 1247 m_freem(m); 1248 ++ifp->if_oerrors; 1249 return; 1250 } else 1251 IF_ENQUEUE(&sp->pp_cpq, m); 1252 if (! (ifp->if_flags & IFF_OACTIVE)) 1253 if_start_lock(ifp); 1254 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1255 } 1256 1257 /* 1258 * PPP protocol implementation. 1259 */ 1260 1261 /* 1262 * Send PPP control protocol packet. 1263 */ 1264 static void 1265 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1266 u_char ident, u_short len, void *data) 1267 { 1268 STDDCL; 1269 struct lcp_header *lh; 1270 struct mbuf *m; 1271 size_t pkthdrlen; 1272 1273 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1274 1275 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1276 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1277 MGETHDR(m, M_DONTWAIT, MT_DATA); 1278 if (! m) 1279 return; 1280 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1281 m_reset_rcvif(m); 1282 1283 if (sp->pp_flags & PP_NOFRAMING) { 1284 *mtod(m, uint16_t *) = htons(proto); 1285 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1286 } else { 1287 struct ppp_header *h; 1288 h = mtod(m, struct ppp_header *); 1289 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1290 h->control = PPP_UI; /* Unnumbered Info */ 1291 h->protocol = htons(proto); /* Link Control Protocol */ 1292 lh = (struct lcp_header *)(h + 1); 1293 } 1294 lh->type = type; 1295 lh->ident = ident; 1296 lh->len = htons(LCP_HEADER_LEN + len); 1297 if (len) 1298 memcpy(lh + 1, data, len); 1299 1300 if (debug) { 1301 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1302 ifp->if_xname, 1303 sppp_proto_name(proto), 1304 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len)); 1305 if (len) 1306 sppp_print_bytes((u_char *)(lh + 1), len); 1307 addlog(">\n"); 1308 } 1309 if (IF_QFULL(&sp->pp_cpq)) { 1310 IF_DROP(&sp->pp_fastq); 1311 IF_DROP(&ifp->if_snd); 1312 m_freem(m); 1313 ++ifp->if_oerrors; 1314 return; 1315 } else 1316 IF_ENQUEUE(&sp->pp_cpq, m); 1317 if (! (ifp->if_flags & IFF_OACTIVE)) 1318 if_start_lock(ifp); 1319 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1320 } 1321 1322 /* 1323 * Handle incoming PPP control protocol packets. 1324 */ 1325 static void 1326 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1327 { 1328 STDDCL; 1329 struct lcp_header *h; 1330 int printlen, len = m->m_pkthdr.len; 1331 int rv; 1332 u_char *p; 1333 uint32_t u32; 1334 1335 if (len < 4) { 1336 if (debug) 1337 log(LOG_DEBUG, 1338 "%s: %s invalid packet length: %d bytes\n", 1339 ifp->if_xname, cp->name, len); 1340 return; 1341 } 1342 h = mtod(m, struct lcp_header *); 1343 if (debug) { 1344 printlen = ntohs(h->len); 1345 log(LOG_DEBUG, 1346 "%s: %s input(%s): <%s id=0x%x len=%d", 1347 ifp->if_xname, cp->name, 1348 sppp_state_name(sp->state[cp->protoidx]), 1349 sppp_cp_type_name(h->type), h->ident, printlen); 1350 if (len < printlen) 1351 printlen = len; 1352 if (printlen > 4) 1353 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1354 addlog(">\n"); 1355 } 1356 if (len > ntohs(h->len)) 1357 len = ntohs(h->len); 1358 p = (u_char *)(h + 1); 1359 switch (h->type) { 1360 case CONF_REQ: 1361 if (len < 4) { 1362 if (debug) 1363 addlog("%s: %s invalid conf-req length %d\n", 1364 ifp->if_xname, cp->name, 1365 len); 1366 ++ifp->if_ierrors; 1367 break; 1368 } 1369 /* handle states where RCR doesn't get a SCA/SCN */ 1370 switch (sp->state[cp->protoidx]) { 1371 case STATE_CLOSING: 1372 case STATE_STOPPING: 1373 return; 1374 case STATE_CLOSED: 1375 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1376 0, 0); 1377 return; 1378 } 1379 rv = (cp->RCR)(sp, h, len); 1380 if (rv < 0) { 1381 /* fatal error, shut down */ 1382 (cp->tld)(sp); 1383 sppp_lcp_tlf(sp); 1384 return; 1385 } 1386 switch (sp->state[cp->protoidx]) { 1387 case STATE_OPENED: 1388 (cp->tld)(sp); 1389 (cp->scr)(sp); 1390 /* fall through... */ 1391 case STATE_ACK_SENT: 1392 case STATE_REQ_SENT: 1393 sppp_cp_change_state(cp, sp, rv? 1394 STATE_ACK_SENT: STATE_REQ_SENT); 1395 break; 1396 case STATE_STOPPED: 1397 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1398 (cp->scr)(sp); 1399 sppp_cp_change_state(cp, sp, rv? 1400 STATE_ACK_SENT: STATE_REQ_SENT); 1401 break; 1402 case STATE_ACK_RCVD: 1403 if (rv) { 1404 sppp_cp_change_state(cp, sp, STATE_OPENED); 1405 if (debug) 1406 log(LOG_DEBUG, "%s: %s tlu\n", 1407 ifp->if_xname, 1408 cp->name); 1409 (cp->tlu)(sp); 1410 } else 1411 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1412 break; 1413 default: 1414 printf("%s: %s illegal %s in state %s\n", 1415 ifp->if_xname, cp->name, 1416 sppp_cp_type_name(h->type), 1417 sppp_state_name(sp->state[cp->protoidx])); 1418 ++ifp->if_ierrors; 1419 } 1420 break; 1421 case CONF_ACK: 1422 if (h->ident != sp->confid[cp->protoidx]) { 1423 if (debug) 1424 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1425 ifp->if_xname, cp->name, 1426 h->ident, sp->confid[cp->protoidx]); 1427 ++ifp->if_ierrors; 1428 break; 1429 } 1430 switch (sp->state[cp->protoidx]) { 1431 case STATE_CLOSED: 1432 case STATE_STOPPED: 1433 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1434 break; 1435 case STATE_CLOSING: 1436 case STATE_STOPPING: 1437 break; 1438 case STATE_REQ_SENT: 1439 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1440 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1441 break; 1442 case STATE_OPENED: 1443 (cp->tld)(sp); 1444 /* fall through */ 1445 case STATE_ACK_RCVD: 1446 (cp->scr)(sp); 1447 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1448 break; 1449 case STATE_ACK_SENT: 1450 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1451 sppp_cp_change_state(cp, sp, STATE_OPENED); 1452 if (debug) 1453 log(LOG_DEBUG, "%s: %s tlu\n", 1454 ifp->if_xname, cp->name); 1455 (cp->tlu)(sp); 1456 break; 1457 default: 1458 printf("%s: %s illegal %s in state %s\n", 1459 ifp->if_xname, cp->name, 1460 sppp_cp_type_name(h->type), 1461 sppp_state_name(sp->state[cp->protoidx])); 1462 ++ifp->if_ierrors; 1463 } 1464 break; 1465 case CONF_NAK: 1466 case CONF_REJ: 1467 if (h->ident != sp->confid[cp->protoidx]) { 1468 if (debug) 1469 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1470 ifp->if_xname, cp->name, 1471 h->ident, sp->confid[cp->protoidx]); 1472 ++ifp->if_ierrors; 1473 break; 1474 } 1475 if (h->type == CONF_NAK) 1476 (cp->RCN_nak)(sp, h, len); 1477 else /* CONF_REJ */ 1478 (cp->RCN_rej)(sp, h, len); 1479 1480 switch (sp->state[cp->protoidx]) { 1481 case STATE_CLOSED: 1482 case STATE_STOPPED: 1483 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1484 break; 1485 case STATE_REQ_SENT: 1486 case STATE_ACK_SENT: 1487 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1488 (cp->scr)(sp); 1489 break; 1490 case STATE_OPENED: 1491 (cp->tld)(sp); 1492 /* fall through */ 1493 case STATE_ACK_RCVD: 1494 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 1495 (cp->scr)(sp); 1496 break; 1497 case STATE_CLOSING: 1498 case STATE_STOPPING: 1499 break; 1500 default: 1501 printf("%s: %s illegal %s in state %s\n", 1502 ifp->if_xname, cp->name, 1503 sppp_cp_type_name(h->type), 1504 sppp_state_name(sp->state[cp->protoidx])); 1505 ++ifp->if_ierrors; 1506 } 1507 break; 1508 1509 case TERM_REQ: 1510 switch (sp->state[cp->protoidx]) { 1511 case STATE_ACK_RCVD: 1512 case STATE_ACK_SENT: 1513 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1514 /* fall through */ 1515 case STATE_CLOSED: 1516 case STATE_STOPPED: 1517 case STATE_CLOSING: 1518 case STATE_STOPPING: 1519 case STATE_REQ_SENT: 1520 sta: 1521 /* Send Terminate-Ack packet. */ 1522 if (debug) 1523 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 1524 ifp->if_xname, cp->name); 1525 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1526 break; 1527 case STATE_OPENED: 1528 (cp->tld)(sp); 1529 sp->rst_counter[cp->protoidx] = 0; 1530 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1531 goto sta; 1532 default: 1533 printf("%s: %s illegal %s in state %s\n", 1534 ifp->if_xname, cp->name, 1535 sppp_cp_type_name(h->type), 1536 sppp_state_name(sp->state[cp->protoidx])); 1537 ++ifp->if_ierrors; 1538 } 1539 break; 1540 case TERM_ACK: 1541 switch (sp->state[cp->protoidx]) { 1542 case STATE_CLOSED: 1543 case STATE_STOPPED: 1544 case STATE_REQ_SENT: 1545 case STATE_ACK_SENT: 1546 break; 1547 case STATE_CLOSING: 1548 (cp->tlf)(sp); 1549 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1550 sppp_lcp_check_and_close(sp); 1551 break; 1552 case STATE_STOPPING: 1553 (cp->tlf)(sp); 1554 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1555 sppp_lcp_check_and_close(sp); 1556 break; 1557 case STATE_ACK_RCVD: 1558 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1559 break; 1560 case STATE_OPENED: 1561 (cp->tld)(sp); 1562 (cp->scr)(sp); 1563 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1564 break; 1565 default: 1566 printf("%s: %s illegal %s in state %s\n", 1567 ifp->if_xname, cp->name, 1568 sppp_cp_type_name(h->type), 1569 sppp_state_name(sp->state[cp->protoidx])); 1570 ++ifp->if_ierrors; 1571 } 1572 break; 1573 case CODE_REJ: 1574 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1575 log(LOG_INFO, 1576 "%s: %s: ignoring RXJ (%s) for code ?, " 1577 "danger will robinson\n", 1578 ifp->if_xname, cp->name, 1579 sppp_cp_type_name(h->type)); 1580 switch (sp->state[cp->protoidx]) { 1581 case STATE_CLOSED: 1582 case STATE_STOPPED: 1583 case STATE_REQ_SENT: 1584 case STATE_ACK_SENT: 1585 case STATE_CLOSING: 1586 case STATE_STOPPING: 1587 case STATE_OPENED: 1588 break; 1589 case STATE_ACK_RCVD: 1590 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1591 break; 1592 default: 1593 printf("%s: %s illegal %s in state %s\n", 1594 ifp->if_xname, cp->name, 1595 sppp_cp_type_name(h->type), 1596 sppp_state_name(sp->state[cp->protoidx])); 1597 ++ifp->if_ierrors; 1598 } 1599 break; 1600 case PROTO_REJ: 1601 { 1602 int catastrophic; 1603 const struct cp *upper; 1604 int i; 1605 uint16_t proto; 1606 1607 catastrophic = 0; 1608 upper = NULL; 1609 proto = p[0] << 8 | p[1]; 1610 for (i = 0; i < IDX_COUNT; i++) { 1611 if (cps[i]->proto == proto) { 1612 upper = cps[i]; 1613 break; 1614 } 1615 } 1616 if (upper == NULL) 1617 catastrophic++; 1618 1619 if (debug) 1620 log(LOG_INFO, 1621 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1622 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1623 sppp_cp_type_name(h->type), proto, 1624 upper ? upper->name : "unknown", 1625 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1626 1627 /* 1628 * if we got RXJ+ against conf-req, the peer does not implement 1629 * this particular protocol type. terminate the protocol. 1630 */ 1631 if (upper && !catastrophic) { 1632 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1633 upper->Close(sp); 1634 break; 1635 } 1636 } 1637 1638 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1639 switch (sp->state[cp->protoidx]) { 1640 case STATE_CLOSED: 1641 case STATE_STOPPED: 1642 case STATE_REQ_SENT: 1643 case STATE_ACK_SENT: 1644 case STATE_CLOSING: 1645 case STATE_STOPPING: 1646 case STATE_OPENED: 1647 break; 1648 case STATE_ACK_RCVD: 1649 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1650 break; 1651 default: 1652 printf("%s: %s illegal %s in state %s\n", 1653 ifp->if_xname, cp->name, 1654 sppp_cp_type_name(h->type), 1655 sppp_state_name(sp->state[cp->protoidx])); 1656 ++ifp->if_ierrors; 1657 } 1658 break; 1659 } 1660 case DISC_REQ: 1661 if (cp->proto != PPP_LCP) 1662 goto illegal; 1663 /* Discard the packet. */ 1664 break; 1665 case ECHO_REQ: 1666 if (cp->proto != PPP_LCP) 1667 goto illegal; 1668 if (sp->state[cp->protoidx] != STATE_OPENED) { 1669 if (debug) 1670 addlog("%s: lcp echo req but lcp closed\n", 1671 ifp->if_xname); 1672 ++ifp->if_ierrors; 1673 break; 1674 } 1675 if (len < 8) { 1676 if (debug) 1677 addlog("%s: invalid lcp echo request " 1678 "packet length: %d bytes\n", 1679 ifp->if_xname, len); 1680 break; 1681 } 1682 memcpy(&u32, h + 1, sizeof u32); 1683 if (ntohl(u32) == sp->lcp.magic) { 1684 /* Line loopback mode detected. */ 1685 printf("%s: loopback\n", ifp->if_xname); 1686 if_down(ifp); 1687 IF_PURGE(&sp->pp_cpq); 1688 1689 /* Shut down the PPP link. */ 1690 /* XXX */ 1691 lcp.Down(sp); 1692 lcp.Up(sp); 1693 break; 1694 } 1695 u32 = htonl(sp->lcp.magic); 1696 memcpy(h + 1, &u32, sizeof u32); 1697 if (debug) 1698 addlog("%s: got lcp echo req, sending echo rep\n", 1699 ifp->if_xname); 1700 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1701 h + 1); 1702 break; 1703 case ECHO_REPLY: 1704 if (cp->proto != PPP_LCP) 1705 goto illegal; 1706 if (h->ident != sp->lcp.echoid) { 1707 ++ifp->if_ierrors; 1708 break; 1709 } 1710 if (len < 8) { 1711 if (debug) 1712 addlog("%s: lcp invalid echo reply " 1713 "packet length: %d bytes\n", 1714 ifp->if_xname, len); 1715 break; 1716 } 1717 if (debug) 1718 addlog("%s: lcp got echo rep\n", 1719 ifp->if_xname); 1720 memcpy(&u32, h + 1, sizeof u32); 1721 if (ntohl(u32) != sp->lcp.magic) 1722 sp->pp_alivecnt = 0; 1723 break; 1724 default: 1725 /* Unknown packet type -- send Code-Reject packet. */ 1726 illegal: 1727 if (debug) 1728 addlog("%s: %s send code-rej for 0x%x\n", 1729 ifp->if_xname, cp->name, h->type); 1730 sppp_cp_send(sp, cp->proto, CODE_REJ, 1731 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1732 ++ifp->if_ierrors; 1733 } 1734 } 1735 1736 1737 /* 1738 * The generic part of all Up/Down/Open/Close/TO event handlers. 1739 * Basically, the state transition handling in the automaton. 1740 */ 1741 static void 1742 sppp_up_event(const struct cp *cp, struct sppp *sp) 1743 { 1744 STDDCL; 1745 1746 if (debug) 1747 log(LOG_DEBUG, "%s: %s up(%s)\n", 1748 ifp->if_xname, cp->name, 1749 sppp_state_name(sp->state[cp->protoidx])); 1750 1751 switch (sp->state[cp->protoidx]) { 1752 case STATE_INITIAL: 1753 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1754 break; 1755 case STATE_STARTING: 1756 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1757 (cp->scr)(sp); 1758 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1759 break; 1760 default: 1761 printf("%s: %s illegal up in state %s\n", 1762 ifp->if_xname, cp->name, 1763 sppp_state_name(sp->state[cp->protoidx])); 1764 } 1765 } 1766 1767 static void 1768 sppp_down_event(const struct cp *cp, struct sppp *sp) 1769 { 1770 STDDCL; 1771 1772 if (debug) 1773 log(LOG_DEBUG, "%s: %s down(%s)\n", 1774 ifp->if_xname, cp->name, 1775 sppp_state_name(sp->state[cp->protoidx])); 1776 1777 switch (sp->state[cp->protoidx]) { 1778 case STATE_CLOSED: 1779 case STATE_CLOSING: 1780 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1781 break; 1782 case STATE_STOPPED: 1783 (cp->tls)(sp); 1784 /* fall through */ 1785 case STATE_STOPPING: 1786 case STATE_REQ_SENT: 1787 case STATE_ACK_RCVD: 1788 case STATE_ACK_SENT: 1789 sppp_cp_change_state(cp, sp, STATE_STARTING); 1790 break; 1791 case STATE_OPENED: 1792 (cp->tld)(sp); 1793 sppp_cp_change_state(cp, sp, STATE_STARTING); 1794 break; 1795 default: 1796 printf("%s: %s illegal down in state %s\n", 1797 ifp->if_xname, cp->name, 1798 sppp_state_name(sp->state[cp->protoidx])); 1799 } 1800 } 1801 1802 1803 static void 1804 sppp_open_event(const struct cp *cp, struct sppp *sp) 1805 { 1806 STDDCL; 1807 1808 if (debug) 1809 log(LOG_DEBUG, "%s: %s open(%s)\n", 1810 ifp->if_xname, cp->name, 1811 sppp_state_name(sp->state[cp->protoidx])); 1812 1813 switch (sp->state[cp->protoidx]) { 1814 case STATE_INITIAL: 1815 sppp_cp_change_state(cp, sp, STATE_STARTING); 1816 (cp->tls)(sp); 1817 break; 1818 case STATE_STARTING: 1819 break; 1820 case STATE_CLOSED: 1821 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1822 (cp->scr)(sp); 1823 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1824 break; 1825 case STATE_STOPPED: 1826 case STATE_STOPPING: 1827 case STATE_REQ_SENT: 1828 case STATE_ACK_RCVD: 1829 case STATE_ACK_SENT: 1830 case STATE_OPENED: 1831 break; 1832 case STATE_CLOSING: 1833 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1834 break; 1835 } 1836 } 1837 1838 1839 static void 1840 sppp_close_event(const struct cp *cp, struct sppp *sp) 1841 { 1842 STDDCL; 1843 1844 if (debug) 1845 log(LOG_DEBUG, "%s: %s close(%s)\n", 1846 ifp->if_xname, cp->name, 1847 sppp_state_name(sp->state[cp->protoidx])); 1848 1849 switch (sp->state[cp->protoidx]) { 1850 case STATE_INITIAL: 1851 case STATE_CLOSED: 1852 case STATE_CLOSING: 1853 break; 1854 case STATE_STARTING: 1855 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1856 (cp->tlf)(sp); 1857 break; 1858 case STATE_STOPPED: 1859 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1860 break; 1861 case STATE_STOPPING: 1862 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1863 break; 1864 case STATE_OPENED: 1865 (cp->tld)(sp); 1866 /* fall through */ 1867 case STATE_REQ_SENT: 1868 case STATE_ACK_RCVD: 1869 case STATE_ACK_SENT: 1870 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 1871 sppp_cp_send(sp, cp->proto, TERM_REQ, 1872 ++sp->pp_seq[cp->protoidx], 0, 0); 1873 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1874 break; 1875 } 1876 } 1877 1878 static void 1879 sppp_to_event(const struct cp *cp, struct sppp *sp) 1880 { 1881 STDDCL; 1882 int s; 1883 1884 s = splnet(); 1885 if (debug) 1886 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 1887 ifp->if_xname, cp->name, 1888 sppp_state_name(sp->state[cp->protoidx]), 1889 sp->rst_counter[cp->protoidx]); 1890 1891 if (--sp->rst_counter[cp->protoidx] < 0) 1892 /* TO- event */ 1893 switch (sp->state[cp->protoidx]) { 1894 case STATE_CLOSING: 1895 (cp->tlf)(sp); 1896 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1897 sppp_lcp_check_and_close(sp); 1898 break; 1899 case STATE_STOPPING: 1900 (cp->tlf)(sp); 1901 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1902 sppp_lcp_check_and_close(sp); 1903 break; 1904 case STATE_REQ_SENT: 1905 case STATE_ACK_RCVD: 1906 case STATE_ACK_SENT: 1907 (cp->tlf)(sp); 1908 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1909 sppp_lcp_check_and_close(sp); 1910 break; 1911 } 1912 else 1913 /* TO+ event */ 1914 switch (sp->state[cp->protoidx]) { 1915 case STATE_CLOSING: 1916 case STATE_STOPPING: 1917 sppp_cp_send(sp, cp->proto, TERM_REQ, 1918 ++sp->pp_seq[cp->protoidx], 0, 0); 1919 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1920 cp->TO, sp); 1921 break; 1922 case STATE_REQ_SENT: 1923 case STATE_ACK_RCVD: 1924 (cp->scr)(sp); 1925 /* sppp_cp_change_state() will restart the timer */ 1926 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1927 break; 1928 case STATE_ACK_SENT: 1929 (cp->scr)(sp); 1930 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1931 cp->TO, sp); 1932 break; 1933 } 1934 1935 splx(s); 1936 } 1937 1938 /* 1939 * Change the state of a control protocol in the state automaton. 1940 * Takes care of starting/stopping the restart timer. 1941 */ 1942 void 1943 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 1944 { 1945 sp->state[cp->protoidx] = newstate; 1946 callout_stop(&sp->ch[cp->protoidx]); 1947 switch (newstate) { 1948 case STATE_INITIAL: 1949 case STATE_STARTING: 1950 case STATE_CLOSED: 1951 case STATE_STOPPED: 1952 case STATE_OPENED: 1953 break; 1954 case STATE_CLOSING: 1955 case STATE_STOPPING: 1956 case STATE_REQ_SENT: 1957 case STATE_ACK_RCVD: 1958 case STATE_ACK_SENT: 1959 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1960 cp->TO, sp); 1961 break; 1962 } 1963 } 1964 1965 /* 1966 *--------------------------------------------------------------------------* 1967 * * 1968 * The LCP implementation. * 1969 * * 1970 *--------------------------------------------------------------------------* 1971 */ 1972 static void 1973 sppp_lcp_init(struct sppp *sp) 1974 { 1975 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 1976 sp->lcp.magic = 0; 1977 sp->state[IDX_LCP] = STATE_INITIAL; 1978 sp->fail_counter[IDX_LCP] = 0; 1979 sp->pp_seq[IDX_LCP] = 0; 1980 sp->pp_rseq[IDX_LCP] = 0; 1981 sp->lcp.protos = 0; 1982 1983 /* 1984 * Initialize counters and timeout values. Note that we don't 1985 * use the 3 seconds suggested in RFC 1661 since we are likely 1986 * running on a fast link. XXX We should probably implement 1987 * the exponential backoff option. Note that these values are 1988 * relevant for all control protocols, not just LCP only. 1989 */ 1990 sp->lcp.timeout = 1 * hz; 1991 sp->lcp.max_terminate = 2; 1992 sp->lcp.max_configure = 10; 1993 sp->lcp.max_failure = 10; 1994 callout_init(&sp->ch[IDX_LCP], 0); 1995 } 1996 1997 static void 1998 sppp_lcp_up(struct sppp *sp) 1999 { 2000 STDDCL; 2001 2002 /* Initialize activity timestamp: opening a connection is an activity */ 2003 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 2004 2005 /* 2006 * If this interface is passive or dial-on-demand, and we are 2007 * still in Initial state, it means we've got an incoming 2008 * call. Activate the interface. 2009 */ 2010 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2011 if (debug) 2012 log(LOG_DEBUG, 2013 "%s: Up event", ifp->if_xname); 2014 ifp->if_flags |= IFF_RUNNING; 2015 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2016 if (debug) 2017 addlog("(incoming call)\n"); 2018 sp->pp_flags |= PP_CALLIN; 2019 lcp.Open(sp); 2020 } else if (debug) 2021 addlog("\n"); 2022 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2023 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2024 ifp->if_flags |= IFF_RUNNING; 2025 lcp.Open(sp); 2026 } 2027 2028 sppp_up_event(&lcp, sp); 2029 } 2030 2031 static void 2032 sppp_lcp_down(struct sppp *sp) 2033 { 2034 STDDCL; 2035 2036 sppp_down_event(&lcp, sp); 2037 2038 /* 2039 * If this is neither a dial-on-demand nor a passive 2040 * interface, simulate an ``ifconfig down'' action, so the 2041 * administrator can force a redial by another ``ifconfig 2042 * up''. XXX For leased line operation, should we immediately 2043 * try to reopen the connection here? 2044 */ 2045 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2046 if (debug) 2047 log(LOG_INFO, 2048 "%s: Down event (carrier loss), taking interface down.\n", 2049 ifp->if_xname); 2050 if_down(ifp); 2051 } else { 2052 if (debug) 2053 log(LOG_DEBUG, 2054 "%s: Down event (carrier loss)\n", 2055 ifp->if_xname); 2056 } 2057 sp->pp_flags &= ~PP_CALLIN; 2058 if (sp->state[IDX_LCP] != STATE_INITIAL) 2059 lcp.Close(sp); 2060 ifp->if_flags &= ~IFF_RUNNING; 2061 } 2062 2063 static void 2064 sppp_lcp_open(struct sppp *sp) 2065 { 2066 if (sp->pp_if.if_mtu < PP_MTU) { 2067 sp->lcp.mru = sp->pp_if.if_mtu; 2068 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2069 } else 2070 sp->lcp.mru = PP_MTU; 2071 sp->lcp.their_mru = PP_MTU; 2072 2073 /* 2074 * If we are authenticator, negotiate LCP_AUTH 2075 */ 2076 if (sp->hisauth.proto != 0) 2077 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2078 else 2079 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2080 sp->pp_flags &= ~PP_NEEDAUTH; 2081 sppp_open_event(&lcp, sp); 2082 } 2083 2084 static void 2085 sppp_lcp_close(struct sppp *sp) 2086 { 2087 sppp_close_event(&lcp, sp); 2088 } 2089 2090 static void 2091 sppp_lcp_TO(void *cookie) 2092 { 2093 sppp_to_event(&lcp, (struct sppp *)cookie); 2094 } 2095 2096 /* 2097 * Analyze a configure request. Return true if it was agreeable, and 2098 * caused action sca, false if it has been rejected or nak'ed, and 2099 * caused action scn. (The return value is used to make the state 2100 * transition decision in the state automaton.) 2101 */ 2102 static int 2103 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2104 { 2105 STDDCL; 2106 u_char *buf, *r, *p, l, blen; 2107 int origlen, rlen; 2108 uint32_t nmagic; 2109 u_short authproto; 2110 2111 len -= 4; 2112 origlen = len; 2113 buf = r = malloc (blen = len, M_TEMP, M_NOWAIT); 2114 if (! buf) 2115 return (0); 2116 2117 if (debug) 2118 log(LOG_DEBUG, "%s: lcp parse opts:", 2119 ifp->if_xname); 2120 2121 /* pass 1: check for things that need to be rejected */ 2122 p = (void *)(h + 1); 2123 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2124 /* Sanity check option length */ 2125 if (l > len) { 2126 /* 2127 * Malicious option - drop immediately. 2128 * XXX Maybe we should just RXJ it? 2129 */ 2130 addlog("%s: received malicious LCP option 0x%02x, " 2131 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2132 p[0], l, len); 2133 goto drop; 2134 } 2135 if (debug) 2136 addlog(" %s", sppp_lcp_opt_name(*p)); 2137 switch (*p) { 2138 case LCP_OPT_MAGIC: 2139 /* Magic number. */ 2140 /* fall through, both are same length */ 2141 case LCP_OPT_ASYNC_MAP: 2142 /* Async control character map. */ 2143 if (len >= 6 || l == 6) 2144 continue; 2145 if (debug) 2146 addlog(" [invalid]"); 2147 break; 2148 case LCP_OPT_MRU: 2149 /* Maximum receive unit. */ 2150 if (len >= 4 && l == 4) 2151 continue; 2152 if (debug) 2153 addlog(" [invalid]"); 2154 break; 2155 case LCP_OPT_AUTH_PROTO: 2156 if (len < 4) { 2157 if (debug) 2158 addlog(" [invalid]"); 2159 break; 2160 } 2161 authproto = (p[2] << 8) + p[3]; 2162 if (authproto == PPP_CHAP && l != 5) { 2163 if (debug) 2164 addlog(" [invalid chap len]"); 2165 break; 2166 } 2167 if (sp->myauth.proto == 0) { 2168 /* we are not configured to do auth */ 2169 if (debug) 2170 addlog(" [not configured]"); 2171 break; 2172 } 2173 /* 2174 * Remote want us to authenticate, remember this, 2175 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2176 * up. 2177 */ 2178 sp->pp_flags |= PP_NEEDAUTH; 2179 continue; 2180 default: 2181 /* Others not supported. */ 2182 if (debug) 2183 addlog(" [rej]"); 2184 break; 2185 } 2186 if (rlen + l > blen) { 2187 if (debug) 2188 addlog(" [overflow]"); 2189 continue; 2190 } 2191 /* Add the option to rejected list. */ 2192 memcpy(r, p, l); 2193 r += l; 2194 rlen += l; 2195 } 2196 if (rlen) { 2197 if (debug) 2198 addlog(" send conf-rej\n"); 2199 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2200 goto end; 2201 } else if (debug) 2202 addlog("\n"); 2203 2204 /* 2205 * pass 2: check for option values that are unacceptable and 2206 * thus require to be nak'ed. 2207 */ 2208 if (debug) 2209 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2210 ifp->if_xname); 2211 2212 p = (void *)(h + 1); 2213 len = origlen; 2214 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2215 if (debug) 2216 addlog(" %s", sppp_lcp_opt_name(*p)); 2217 switch (*p) { 2218 case LCP_OPT_MAGIC: 2219 /* Magic number -- extract. */ 2220 nmagic = (uint32_t)p[2] << 24 | 2221 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2222 if (nmagic != sp->lcp.magic) { 2223 if (debug) 2224 addlog(" 0x%x", nmagic); 2225 continue; 2226 } 2227 /* 2228 * Local and remote magics equal -- loopback? 2229 */ 2230 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2231 printf ("%s: loopback\n", 2232 ifp->if_xname); 2233 sp->pp_loopcnt = 0; 2234 if (ifp->if_flags & IFF_UP) { 2235 if_down(ifp); 2236 IF_PURGE(&sp->pp_cpq); 2237 /* XXX ? */ 2238 lcp.Down(sp); 2239 lcp.Up(sp); 2240 } 2241 } else if (debug) 2242 addlog(" [glitch]"); 2243 ++sp->pp_loopcnt; 2244 /* 2245 * We negate our magic here, and NAK it. If 2246 * we see it later in an NAK packet, we 2247 * suggest a new one. 2248 */ 2249 nmagic = ~sp->lcp.magic; 2250 /* Gonna NAK it. */ 2251 p[2] = nmagic >> 24; 2252 p[3] = nmagic >> 16; 2253 p[4] = nmagic >> 8; 2254 p[5] = nmagic; 2255 break; 2256 2257 case LCP_OPT_ASYNC_MAP: 2258 /* 2259 * Async control character map -- just ignore it. 2260 * 2261 * Quote from RFC 1662, chapter 6: 2262 * To enable this functionality, synchronous PPP 2263 * implementations MUST always respond to the 2264 * Async-Control-Character-Map Configuration 2265 * Option with the LCP Configure-Ack. However, 2266 * acceptance of the Configuration Option does 2267 * not imply that the synchronous implementation 2268 * will do any ACCM mapping. Instead, all such 2269 * octet mapping will be performed by the 2270 * asynchronous-to-synchronous converter. 2271 */ 2272 continue; 2273 2274 case LCP_OPT_MRU: 2275 /* 2276 * Maximum receive unit. Always agreeable, 2277 * but ignored by now. 2278 */ 2279 sp->lcp.their_mru = p[2] * 256 + p[3]; 2280 if (debug) 2281 addlog(" %ld", sp->lcp.their_mru); 2282 continue; 2283 2284 case LCP_OPT_AUTH_PROTO: 2285 authproto = (p[2] << 8) + p[3]; 2286 if (sp->myauth.proto != authproto) { 2287 /* not agreed, nak */ 2288 if (debug) 2289 addlog(" [mine %s != his %s]", 2290 sppp_proto_name(sp->myauth.proto), 2291 sppp_proto_name(authproto)); 2292 p[2] = sp->myauth.proto >> 8; 2293 p[3] = sp->myauth.proto; 2294 break; 2295 } 2296 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2297 if (debug) 2298 addlog(" [chap not MD5]"); 2299 p[4] = CHAP_MD5; 2300 break; 2301 } 2302 continue; 2303 } 2304 if (rlen + l > blen) { 2305 if (debug) 2306 addlog(" [overflow]"); 2307 continue; 2308 } 2309 /* Add the option to nak'ed list. */ 2310 memcpy(r, p, l); 2311 r += l; 2312 rlen += l; 2313 } 2314 if (rlen) { 2315 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2316 if (debug) 2317 addlog(" max_failure (%d) exceeded, " 2318 "send conf-rej\n", 2319 sp->lcp.max_failure); 2320 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2321 } else { 2322 if (debug) 2323 addlog(" send conf-nak\n"); 2324 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2325 } 2326 goto end; 2327 } else { 2328 if (debug) 2329 addlog(" send conf-ack\n"); 2330 sp->fail_counter[IDX_LCP] = 0; 2331 sp->pp_loopcnt = 0; 2332 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1); 2333 } 2334 2335 end: 2336 free(buf, M_TEMP); 2337 return (rlen == 0); 2338 2339 drop: 2340 free(buf, M_TEMP); 2341 return -1; 2342 } 2343 2344 /* 2345 * Analyze the LCP Configure-Reject option list, and adjust our 2346 * negotiation. 2347 */ 2348 static void 2349 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2350 { 2351 STDDCL; 2352 u_char *buf, *p, l; 2353 2354 len -= 4; 2355 buf = malloc (len, M_TEMP, M_NOWAIT); 2356 if (!buf) 2357 return; 2358 2359 if (debug) 2360 log(LOG_DEBUG, "%s: lcp rej opts:", 2361 ifp->if_xname); 2362 2363 p = (void *)(h + 1); 2364 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2365 /* Sanity check option length */ 2366 if (l > len) { 2367 /* 2368 * Malicious option - drop immediately. 2369 * XXX Maybe we should just RXJ it? 2370 */ 2371 addlog("%s: received malicious LCP option, " 2372 "dropping.\n", ifp->if_xname); 2373 goto drop; 2374 } 2375 if (debug) 2376 addlog(" %s", sppp_lcp_opt_name(*p)); 2377 switch (*p) { 2378 case LCP_OPT_MAGIC: 2379 /* Magic number -- can't use it, use 0 */ 2380 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2381 sp->lcp.magic = 0; 2382 break; 2383 case LCP_OPT_MRU: 2384 /* 2385 * We try to negotiate a lower MRU if the underlying 2386 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 2387 * peer rejects this lower rate, fallback to the 2388 * default. 2389 */ 2390 if (debug) { 2391 addlog("%s: warning: peer rejected our MRU of " 2392 "%ld bytes. Defaulting to %d bytes\n", 2393 ifp->if_xname, sp->lcp.mru, PP_MTU); 2394 } 2395 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2396 sp->lcp.mru = PP_MTU; 2397 break; 2398 case LCP_OPT_AUTH_PROTO: 2399 /* 2400 * Peer doesn't want to authenticate himself, 2401 * deny unless this is a dialout call, and 2402 * SPPP_AUTHFLAG_NOCALLOUT is set. 2403 */ 2404 if ((sp->pp_flags & PP_CALLIN) == 0 && 2405 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 2406 if (debug) 2407 addlog(" [don't insist on auth " 2408 "for callout]"); 2409 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2410 break; 2411 } 2412 if (debug) 2413 addlog("[access denied]\n"); 2414 lcp.Close(sp); 2415 break; 2416 } 2417 } 2418 if (debug) 2419 addlog("\n"); 2420 drop: 2421 free(buf, M_TEMP); 2422 return; 2423 } 2424 2425 /* 2426 * Analyze the LCP Configure-NAK option list, and adjust our 2427 * negotiation. 2428 */ 2429 static void 2430 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2431 { 2432 STDDCL; 2433 u_char *buf, *p, l, blen; 2434 uint32_t magic; 2435 2436 len -= 4; 2437 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 2438 if (!buf) 2439 return; 2440 2441 if (debug) 2442 log(LOG_DEBUG, "%s: lcp nak opts:", 2443 ifp->if_xname); 2444 2445 p = (void *)(h + 1); 2446 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2447 /* Sanity check option length */ 2448 if (l > len) { 2449 /* 2450 * Malicious option - drop immediately. 2451 * XXX Maybe we should just RXJ it? 2452 */ 2453 addlog("%s: received malicious LCP option, " 2454 "dropping.\n", ifp->if_xname); 2455 goto drop; 2456 } 2457 if (debug) 2458 addlog(" %s", sppp_lcp_opt_name(*p)); 2459 switch (*p) { 2460 case LCP_OPT_MAGIC: 2461 /* Magic number -- renegotiate */ 2462 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2463 len >= 6 && l == 6) { 2464 magic = (uint32_t)p[2] << 24 | 2465 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2466 /* 2467 * If the remote magic is our negated one, 2468 * this looks like a loopback problem. 2469 * Suggest a new magic to make sure. 2470 */ 2471 if (magic == ~sp->lcp.magic) { 2472 if (debug) 2473 addlog(" magic glitch"); 2474 sp->lcp.magic = cprng_fast32(); 2475 } else { 2476 sp->lcp.magic = magic; 2477 if (debug) 2478 addlog(" %d", magic); 2479 } 2480 } 2481 break; 2482 case LCP_OPT_MRU: 2483 /* 2484 * Peer wants to advise us to negotiate an MRU. 2485 * Agree on it if it's reasonable, or use 2486 * default otherwise. 2487 */ 2488 if (len >= 4 && l == 4) { 2489 u_int mru = p[2] * 256 + p[3]; 2490 if (debug) 2491 addlog(" %d", mru); 2492 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 2493 mru = sp->pp_if.if_mtu; 2494 sp->lcp.mru = mru; 2495 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2496 } 2497 break; 2498 case LCP_OPT_AUTH_PROTO: 2499 /* 2500 * Peer doesn't like our authentication method, 2501 * deny. 2502 */ 2503 if (debug) 2504 addlog("[access denied]\n"); 2505 lcp.Close(sp); 2506 break; 2507 } 2508 } 2509 if (debug) 2510 addlog("\n"); 2511 drop: 2512 free(buf, M_TEMP); 2513 return; 2514 } 2515 2516 static void 2517 sppp_lcp_tlu(struct sppp *sp) 2518 { 2519 STDDCL; 2520 int i; 2521 uint32_t mask; 2522 2523 /* XXX ? */ 2524 if (! (ifp->if_flags & IFF_UP) && 2525 (ifp->if_flags & IFF_RUNNING)) { 2526 /* Coming out of loopback mode. */ 2527 if_up(ifp); 2528 } 2529 2530 for (i = 0; i < IDX_COUNT; i++) 2531 if ((cps[i])->flags & CP_QUAL) 2532 (cps[i])->Open(sp); 2533 2534 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2535 (sp->pp_flags & PP_NEEDAUTH) != 0) 2536 sp->pp_phase = SPPP_PHASE_AUTHENTICATE; 2537 else 2538 sp->pp_phase = SPPP_PHASE_NETWORK; 2539 2540 if (debug) 2541 { 2542 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2543 sppp_phase_name(sp->pp_phase)); 2544 } 2545 2546 /* 2547 * Open all authentication protocols. This is even required 2548 * if we already proceeded to network phase, since it might be 2549 * that remote wants us to authenticate, so we might have to 2550 * send a PAP request. Undesired authentication protocols 2551 * don't do anything when they get an Open event. 2552 */ 2553 for (i = 0; i < IDX_COUNT; i++) 2554 if ((cps[i])->flags & CP_AUTH) 2555 (cps[i])->Open(sp); 2556 2557 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 2558 /* Notify all NCPs. */ 2559 for (i = 0; i < IDX_COUNT; i++) 2560 if ((cps[i])->flags & CP_NCP) 2561 (cps[i])->Open(sp); 2562 } 2563 2564 /* Send Up events to all started protos. */ 2565 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2566 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) 2567 (cps[i])->Up(sp); 2568 2569 /* notify low-level driver of state change */ 2570 if (sp->pp_chg) 2571 sp->pp_chg(sp, (int)sp->pp_phase); 2572 2573 if (sp->pp_phase == SPPP_PHASE_NETWORK) 2574 /* if no NCP is starting, close down */ 2575 sppp_lcp_check_and_close(sp); 2576 } 2577 2578 static void 2579 sppp_lcp_tld(struct sppp *sp) 2580 { 2581 STDDCL; 2582 int i; 2583 uint32_t mask; 2584 2585 sp->pp_phase = SPPP_PHASE_TERMINATE; 2586 2587 if (debug) 2588 { 2589 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2590 sppp_phase_name(sp->pp_phase)); 2591 } 2592 2593 /* 2594 * Take upper layers down. We send the Down event first and 2595 * the Close second to prevent the upper layers from sending 2596 * ``a flurry of terminate-request packets'', as the RFC 2597 * describes it. 2598 */ 2599 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2600 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2601 (cps[i])->Down(sp); 2602 (cps[i])->Close(sp); 2603 } 2604 } 2605 2606 static void 2607 sppp_lcp_tls(struct sppp *sp) 2608 { 2609 STDDCL; 2610 2611 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 2612 printf("%s: authentication failed %d times, not retrying again\n", 2613 sp->pp_if.if_xname, sp->pp_auth_failures); 2614 if_down(&sp->pp_if); 2615 return; 2616 } 2617 2618 sp->pp_phase = SPPP_PHASE_ESTABLISH; 2619 2620 if (debug) 2621 { 2622 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2623 sppp_phase_name(sp->pp_phase)); 2624 } 2625 2626 /* Notify lower layer if desired. */ 2627 if (sp->pp_tls) 2628 (sp->pp_tls)(sp); 2629 } 2630 2631 static void 2632 sppp_lcp_tlf(struct sppp *sp) 2633 { 2634 STDDCL; 2635 2636 sp->pp_phase = SPPP_PHASE_DEAD; 2637 2638 if (debug) 2639 { 2640 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2641 sppp_phase_name(sp->pp_phase)); 2642 } 2643 2644 /* Notify lower layer if desired. */ 2645 if (sp->pp_tlf) 2646 (sp->pp_tlf)(sp); 2647 } 2648 2649 static void 2650 sppp_lcp_scr(struct sppp *sp) 2651 { 2652 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2653 int i = 0; 2654 u_short authproto; 2655 2656 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2657 if (! sp->lcp.magic) 2658 sp->lcp.magic = cprng_fast32(); 2659 opt[i++] = LCP_OPT_MAGIC; 2660 opt[i++] = 6; 2661 opt[i++] = sp->lcp.magic >> 24; 2662 opt[i++] = sp->lcp.magic >> 16; 2663 opt[i++] = sp->lcp.magic >> 8; 2664 opt[i++] = sp->lcp.magic; 2665 } 2666 2667 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2668 opt[i++] = LCP_OPT_MRU; 2669 opt[i++] = 4; 2670 opt[i++] = sp->lcp.mru >> 8; 2671 opt[i++] = sp->lcp.mru; 2672 } 2673 2674 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2675 authproto = sp->hisauth.proto; 2676 opt[i++] = LCP_OPT_AUTH_PROTO; 2677 opt[i++] = authproto == PPP_CHAP? 5: 4; 2678 opt[i++] = authproto >> 8; 2679 opt[i++] = authproto; 2680 if (authproto == PPP_CHAP) 2681 opt[i++] = CHAP_MD5; 2682 } 2683 2684 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2685 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2686 } 2687 2688 /* 2689 * Check the open NCPs, return true if at least one NCP is open. 2690 */ 2691 static int 2692 sppp_ncp_check(struct sppp *sp) 2693 { 2694 int i, mask; 2695 2696 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2697 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2698 return 1; 2699 return 0; 2700 } 2701 2702 /* 2703 * Re-check the open NCPs and see if we should terminate the link. 2704 * Called by the NCPs during their tlf action handling. 2705 */ 2706 static void 2707 sppp_lcp_check_and_close(struct sppp *sp) 2708 { 2709 2710 if (sp->pp_phase < SPPP_PHASE_NETWORK) 2711 /* don't bother, we are already going down */ 2712 return; 2713 2714 if (sppp_ncp_check(sp)) 2715 return; 2716 2717 lcp.Close(sp); 2718 } 2719 2720 2721 /* 2722 *--------------------------------------------------------------------------* 2723 * * 2724 * The IPCP implementation. * 2725 * * 2726 *--------------------------------------------------------------------------* 2727 */ 2728 2729 static void 2730 sppp_ipcp_init(struct sppp *sp) 2731 { 2732 sp->ipcp.opts = 0; 2733 sp->ipcp.flags = 0; 2734 sp->state[IDX_IPCP] = STATE_INITIAL; 2735 sp->fail_counter[IDX_IPCP] = 0; 2736 sp->pp_seq[IDX_IPCP] = 0; 2737 sp->pp_rseq[IDX_IPCP] = 0; 2738 callout_init(&sp->ch[IDX_IPCP], 0); 2739 } 2740 2741 static void 2742 sppp_ipcp_up(struct sppp *sp) 2743 { 2744 sppp_up_event(&ipcp, sp); 2745 } 2746 2747 static void 2748 sppp_ipcp_down(struct sppp *sp) 2749 { 2750 sppp_down_event(&ipcp, sp); 2751 } 2752 2753 static void 2754 sppp_ipcp_open(struct sppp *sp) 2755 { 2756 STDDCL; 2757 uint32_t myaddr, hisaddr; 2758 2759 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 2760 sp->ipcp.req_myaddr = 0; 2761 sp->ipcp.req_hisaddr = 0; 2762 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 2763 2764 #ifdef INET 2765 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 2766 #else 2767 myaddr = hisaddr = 0; 2768 #endif 2769 /* 2770 * If we don't have his address, this probably means our 2771 * interface doesn't want to talk IP at all. (This could 2772 * be the case if somebody wants to speak only IPX, for 2773 * example.) Don't open IPCP in this case. 2774 */ 2775 if (hisaddr == 0) { 2776 /* XXX this message should go away */ 2777 if (debug) 2778 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 2779 ifp->if_xname); 2780 return; 2781 } 2782 2783 if (myaddr == 0) { 2784 /* 2785 * I don't have an assigned address, so i need to 2786 * negotiate my address. 2787 */ 2788 sp->ipcp.flags |= IPCP_MYADDR_DYN; 2789 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 2790 } 2791 if (hisaddr == 1) { 2792 /* 2793 * XXX - remove this hack! 2794 * remote has no valid address, we need to get one assigned. 2795 */ 2796 sp->ipcp.flags |= IPCP_HISADDR_DYN; 2797 } 2798 sppp_open_event(&ipcp, sp); 2799 } 2800 2801 static void 2802 sppp_ipcp_close(struct sppp *sp) 2803 { 2804 STDDCL; 2805 2806 sppp_close_event(&ipcp, sp); 2807 #ifdef INET 2808 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) 2809 /* 2810 * Some address was dynamic, clear it again. 2811 */ 2812 sppp_clear_ip_addrs(sp); 2813 #endif 2814 2815 if (sp->pp_saved_mtu > 0) { 2816 ifp->if_mtu = sp->pp_saved_mtu; 2817 sp->pp_saved_mtu = 0; 2818 if (debug) 2819 log(LOG_DEBUG, 2820 "%s: resetting MTU to %" PRIu64 " bytes\n", 2821 ifp->if_xname, ifp->if_mtu); 2822 } 2823 } 2824 2825 static void 2826 sppp_ipcp_TO(void *cookie) 2827 { 2828 sppp_to_event(&ipcp, (struct sppp *)cookie); 2829 } 2830 2831 /* 2832 * Analyze a configure request. Return true if it was agreeable, and 2833 * caused action sca, false if it has been rejected or nak'ed, and 2834 * caused action scn. (The return value is used to make the state 2835 * transition decision in the state automaton.) 2836 */ 2837 static int 2838 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2839 { 2840 u_char *buf, *r, *p, l, blen; 2841 struct ifnet *ifp = &sp->pp_if; 2842 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 2843 uint32_t hisaddr, desiredaddr; 2844 2845 len -= 4; 2846 origlen = len; 2847 /* 2848 * Make sure to allocate a buf that can at least hold a 2849 * conf-nak with an `address' option. We might need it below. 2850 */ 2851 blen = len < 6 ? 6 : len; 2852 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 2853 if (! buf) 2854 return (0); 2855 2856 /* pass 1: see if we can recognize them */ 2857 if (debug) 2858 log(LOG_DEBUG, "%s: ipcp parse opts:", 2859 ifp->if_xname); 2860 p = (void *)(h + 1); 2861 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2862 /* Sanity check option length */ 2863 if (l > len) { 2864 /* XXX should we just RXJ? */ 2865 addlog("%s: malicious IPCP option received, dropping\n", 2866 ifp->if_xname); 2867 goto drop; 2868 } 2869 if (debug) 2870 addlog(" %s", sppp_ipcp_opt_name(*p)); 2871 switch (*p) { 2872 #ifdef notyet 2873 case IPCP_OPT_COMPRESSION: 2874 if (len >= 6 && l >= 6) { 2875 /* correctly formed compress option */ 2876 continue; 2877 } 2878 if (debug) 2879 addlog(" [invalid]"); 2880 break; 2881 #endif 2882 case IPCP_OPT_ADDRESS: 2883 if (len >= 6 && l == 6) { 2884 /* correctly formed address option */ 2885 continue; 2886 } 2887 if (debug) 2888 addlog(" [invalid]"); 2889 break; 2890 default: 2891 /* Others not supported. */ 2892 if (debug) 2893 addlog(" [rej]"); 2894 break; 2895 } 2896 /* Add the option to rejected list. */ 2897 if (rlen + l > blen) { 2898 if (debug) 2899 addlog(" [overflow]"); 2900 continue; 2901 } 2902 memcpy(r, p, l); 2903 r += l; 2904 rlen += l; 2905 } 2906 if (rlen) { 2907 if (debug) 2908 addlog(" send conf-rej\n"); 2909 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 2910 goto end; 2911 } else if (debug) 2912 addlog("\n"); 2913 2914 /* pass 2: parse option values */ 2915 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 2916 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 2917 else 2918 #ifdef INET 2919 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 2920 #else 2921 hisaddr = 0; 2922 #endif 2923 if (debug) 2924 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 2925 ifp->if_xname); 2926 p = (void *)(h + 1); 2927 len = origlen; 2928 for (rlen=0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2929 if (debug) 2930 addlog(" %s", sppp_ipcp_opt_name(*p)); 2931 switch (*p) { 2932 #ifdef notyet 2933 case IPCP_OPT_COMPRESSION: 2934 continue; 2935 #endif 2936 case IPCP_OPT_ADDRESS: 2937 desiredaddr = p[2] << 24 | p[3] << 16 | 2938 p[4] << 8 | p[5]; 2939 if (desiredaddr == hisaddr || 2940 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 2941 /* 2942 * Peer's address is same as our value, 2943 * this is agreeable. Gonna conf-ack 2944 * it. 2945 */ 2946 if (debug) 2947 addlog(" %s [ack]", 2948 sppp_dotted_quad(hisaddr)); 2949 /* record that we've seen it already */ 2950 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 2951 sp->ipcp.req_hisaddr = desiredaddr; 2952 hisaddr = desiredaddr; 2953 continue; 2954 } 2955 /* 2956 * The address wasn't agreeable. This is either 2957 * he sent us 0.0.0.0, asking to assign him an 2958 * address, or he send us another address not 2959 * matching our value. Either case, we gonna 2960 * conf-nak it with our value. 2961 */ 2962 if (debug) { 2963 if (desiredaddr == 0) 2964 addlog(" [addr requested]"); 2965 else 2966 addlog(" %s [not agreed]", 2967 sppp_dotted_quad(desiredaddr)); 2968 } 2969 2970 p[2] = hisaddr >> 24; 2971 p[3] = hisaddr >> 16; 2972 p[4] = hisaddr >> 8; 2973 p[5] = hisaddr; 2974 break; 2975 } 2976 if (rlen + l > blen) { 2977 if (debug) 2978 addlog(" [overflow]"); 2979 continue; 2980 } 2981 /* Add the option to nak'ed list. */ 2982 memcpy(r, p, l); 2983 r += l; 2984 rlen += l; 2985 } 2986 2987 /* 2988 * If we are about to conf-ack the request, but haven't seen 2989 * his address so far, gonna conf-nak it instead, with the 2990 * `address' option present and our idea of his address being 2991 * filled in there, to request negotiation of both addresses. 2992 * 2993 * XXX This can result in an endless req - nak loop if peer 2994 * doesn't want to send us his address. Q: What should we do 2995 * about it? XXX A: implement the max-failure counter. 2996 */ 2997 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) { 2998 buf[0] = IPCP_OPT_ADDRESS; 2999 buf[1] = 6; 3000 buf[2] = hisaddr >> 24; 3001 buf[3] = hisaddr >> 16; 3002 buf[4] = hisaddr >> 8; 3003 buf[5] = hisaddr; 3004 rlen = 6; 3005 if (debug) 3006 addlog(" still need hisaddr"); 3007 } 3008 3009 if (rlen) { 3010 if (debug) 3011 addlog(" send conf-nak\n"); 3012 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3013 } else { 3014 if (debug) 3015 addlog(" send conf-ack\n"); 3016 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1); 3017 } 3018 3019 end: 3020 free(buf, M_TEMP); 3021 return (rlen == 0); 3022 3023 drop: 3024 free(buf, M_TEMP); 3025 return -1; 3026 } 3027 3028 /* 3029 * Analyze the IPCP Configure-Reject option list, and adjust our 3030 * negotiation. 3031 */ 3032 static void 3033 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3034 { 3035 u_char *buf, *p, l, blen; 3036 struct ifnet *ifp = &sp->pp_if; 3037 int debug = ifp->if_flags & IFF_DEBUG; 3038 3039 len -= 4; 3040 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3041 if (!buf) 3042 return; 3043 3044 if (debug) 3045 log(LOG_DEBUG, "%s: ipcp rej opts:", 3046 ifp->if_xname); 3047 3048 p = (void *)(h + 1); 3049 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3050 /* Sanity check option length */ 3051 if (l > len) { 3052 /* XXX should we just RXJ? */ 3053 addlog("%s: malicious IPCP option received, dropping\n", 3054 ifp->if_xname); 3055 goto drop; 3056 } 3057 if (debug) 3058 addlog(" %s", sppp_ipcp_opt_name(*p)); 3059 switch (*p) { 3060 case IPCP_OPT_ADDRESS: 3061 /* 3062 * Peer doesn't grok address option. This is 3063 * bad. XXX Should we better give up here? 3064 */ 3065 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3066 break; 3067 #ifdef notyet 3068 case IPCP_OPT_COMPRESS: 3069 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS); 3070 break; 3071 #endif 3072 } 3073 } 3074 if (debug) 3075 addlog("\n"); 3076 drop: 3077 free(buf, M_TEMP); 3078 return; 3079 } 3080 3081 /* 3082 * Analyze the IPCP Configure-NAK option list, and adjust our 3083 * negotiation. 3084 */ 3085 static void 3086 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3087 { 3088 u_char *p, l; 3089 struct ifnet *ifp = &sp->pp_if; 3090 int debug = ifp->if_flags & IFF_DEBUG; 3091 uint32_t wantaddr; 3092 3093 len -= 4; 3094 3095 if (debug) 3096 log(LOG_DEBUG, "%s: ipcp nak opts:", 3097 ifp->if_xname); 3098 3099 p = (void *)(h + 1); 3100 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3101 /* Sanity check option length */ 3102 if (l > len) { 3103 /* XXX should we just RXJ? */ 3104 addlog("%s: malicious IPCP option received, dropping\n", 3105 ifp->if_xname); 3106 return; 3107 } 3108 if (debug) 3109 addlog(" %s", sppp_ipcp_opt_name(*p)); 3110 switch (*p) { 3111 case IPCP_OPT_ADDRESS: 3112 /* 3113 * Peer doesn't like our local IP address. See 3114 * if we can do something for him. We'll drop 3115 * him our address then. 3116 */ 3117 if (len >= 6 && l == 6) { 3118 wantaddr = p[2] << 24 | p[3] << 16 | 3119 p[4] << 8 | p[5]; 3120 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3121 if (debug) 3122 addlog(" [wantaddr %s]", 3123 sppp_dotted_quad(wantaddr)); 3124 /* 3125 * When doing dynamic address assignment, 3126 * we accept his offer. Otherwise, we 3127 * ignore it and thus continue to negotiate 3128 * our already existing value. 3129 */ 3130 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3131 if (debug) 3132 addlog(" [agree]"); 3133 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3134 sp->ipcp.req_myaddr = wantaddr; 3135 } 3136 } 3137 break; 3138 3139 case IPCP_OPT_PRIMDNS: 3140 if (len >= 6 && l == 6) { 3141 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 3142 p[4] << 8 | p[5]; 3143 } 3144 break; 3145 3146 case IPCP_OPT_SECDNS: 3147 if (len >= 6 && l == 6) { 3148 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 3149 p[4] << 8 | p[5]; 3150 } 3151 break; 3152 #ifdef notyet 3153 case IPCP_OPT_COMPRESS: 3154 /* 3155 * Peer wants different compression parameters. 3156 */ 3157 break; 3158 #endif 3159 } 3160 } 3161 if (debug) 3162 addlog("\n"); 3163 } 3164 3165 static void 3166 sppp_ipcp_tlu(struct sppp *sp) 3167 { 3168 #ifdef INET 3169 /* we are up. Set addresses and notify anyone interested */ 3170 STDDCL; 3171 uint32_t myaddr, hisaddr; 3172 3173 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3174 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 3175 myaddr = sp->ipcp.req_myaddr; 3176 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 3177 hisaddr = sp->ipcp.req_hisaddr; 3178 sppp_set_ip_addrs(sp, myaddr, hisaddr); 3179 3180 if (ifp->if_mtu > sp->lcp.their_mru) { 3181 sp->pp_saved_mtu = ifp->if_mtu; 3182 ifp->if_mtu = sp->lcp.their_mru; 3183 if (debug) 3184 log(LOG_DEBUG, 3185 "%s: setting MTU to %" PRIu64 " bytes\n", 3186 ifp->if_xname, ifp->if_mtu); 3187 } 3188 3189 if (sp->pp_con) 3190 sp->pp_con(sp); 3191 #endif 3192 } 3193 3194 static void 3195 sppp_ipcp_tld(struct sppp *sp) 3196 { 3197 } 3198 3199 static void 3200 sppp_ipcp_tls(struct sppp *sp) 3201 { 3202 /* indicate to LCP that it must stay alive */ 3203 sp->lcp.protos |= (1 << IDX_IPCP); 3204 } 3205 3206 static void 3207 sppp_ipcp_tlf(struct sppp *sp) 3208 { 3209 /* we no longer need LCP */ 3210 sp->lcp.protos &= ~(1 << IDX_IPCP); 3211 } 3212 3213 static void 3214 sppp_ipcp_scr(struct sppp *sp) 3215 { 3216 uint8_t opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 3217 #ifdef INET 3218 uint32_t ouraddr; 3219 #endif 3220 int i = 0; 3221 3222 #ifdef notyet 3223 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3224 opt[i++] = IPCP_OPT_COMPRESSION; 3225 opt[i++] = 6; 3226 opt[i++] = 0; /* VJ header compression */ 3227 opt[i++] = 0x2d; /* VJ header compression */ 3228 opt[i++] = max_slot_id; 3229 opt[i++] = comp_slot_id; 3230 } 3231 #endif 3232 3233 #ifdef INET 3234 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3235 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) 3236 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 3237 else 3238 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3239 opt[i++] = IPCP_OPT_ADDRESS; 3240 opt[i++] = 6; 3241 opt[i++] = ouraddr >> 24; 3242 opt[i++] = ouraddr >> 16; 3243 opt[i++] = ouraddr >> 8; 3244 opt[i++] = ouraddr; 3245 } 3246 #endif 3247 3248 if (sp->query_dns & 1) { 3249 opt[i++] = IPCP_OPT_PRIMDNS; 3250 opt[i++] = 6; 3251 opt[i++] = sp->dns_addrs[0] >> 24; 3252 opt[i++] = sp->dns_addrs[0] >> 16; 3253 opt[i++] = sp->dns_addrs[0] >> 8; 3254 opt[i++] = sp->dns_addrs[0]; 3255 } 3256 if (sp->query_dns & 2) { 3257 opt[i++] = IPCP_OPT_SECDNS; 3258 opt[i++] = 6; 3259 opt[i++] = sp->dns_addrs[1] >> 24; 3260 opt[i++] = sp->dns_addrs[1] >> 16; 3261 opt[i++] = sp->dns_addrs[1] >> 8; 3262 opt[i++] = sp->dns_addrs[1]; 3263 } 3264 3265 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3266 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3267 } 3268 3269 3270 /* 3271 *--------------------------------------------------------------------------* 3272 * * 3273 * The IPv6CP implementation. * 3274 * * 3275 *--------------------------------------------------------------------------* 3276 */ 3277 3278 #ifdef INET6 3279 static void 3280 sppp_ipv6cp_init(struct sppp *sp) 3281 { 3282 sp->ipv6cp.opts = 0; 3283 sp->ipv6cp.flags = 0; 3284 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3285 sp->fail_counter[IDX_IPV6CP] = 0; 3286 sp->pp_seq[IDX_IPV6CP] = 0; 3287 sp->pp_rseq[IDX_IPV6CP] = 0; 3288 callout_init(&sp->ch[IDX_IPV6CP], 0); 3289 } 3290 3291 static void 3292 sppp_ipv6cp_up(struct sppp *sp) 3293 { 3294 sppp_up_event(&ipv6cp, sp); 3295 } 3296 3297 static void 3298 sppp_ipv6cp_down(struct sppp *sp) 3299 { 3300 sppp_down_event(&ipv6cp, sp); 3301 } 3302 3303 static void 3304 sppp_ipv6cp_open(struct sppp *sp) 3305 { 3306 STDDCL; 3307 struct in6_addr myaddr, hisaddr; 3308 3309 #ifdef IPV6CP_MYIFID_DYN 3310 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3311 #else 3312 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3313 #endif 3314 3315 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3316 /* 3317 * If we don't have our address, this probably means our 3318 * interface doesn't want to talk IPv6 at all. (This could 3319 * be the case if somebody wants to speak only IPX, for 3320 * example.) Don't open IPv6CP in this case. 3321 */ 3322 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3323 /* XXX this message should go away */ 3324 if (debug) 3325 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 3326 ifp->if_xname); 3327 return; 3328 } 3329 3330 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3331 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3332 sppp_open_event(&ipv6cp, sp); 3333 } 3334 3335 static void 3336 sppp_ipv6cp_close(struct sppp *sp) 3337 { 3338 sppp_close_event(&ipv6cp, sp); 3339 } 3340 3341 static void 3342 sppp_ipv6cp_TO(void *cookie) 3343 { 3344 sppp_to_event(&ipv6cp, (struct sppp *)cookie); 3345 } 3346 3347 /* 3348 * Analyze a configure request. Return true if it was agreeable, and 3349 * caused action sca, false if it has been rejected or nak'ed, and 3350 * caused action scn. (The return value is used to make the state 3351 * transition decision in the state automaton.) 3352 */ 3353 static int 3354 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3355 { 3356 u_char *buf, *r, *p, l, blen; 3357 struct ifnet *ifp = &sp->pp_if; 3358 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3359 struct in6_addr myaddr, desiredaddr, suggestaddr; 3360 int ifidcount; 3361 int type; 3362 int collision, nohisaddr; 3363 3364 len -= 4; 3365 origlen = len; 3366 /* 3367 * Make sure to allocate a buf that can at least hold a 3368 * conf-nak with an `address' option. We might need it below. 3369 */ 3370 blen = len < 6 ? 6 : len; 3371 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3372 if (! buf) 3373 return (0); 3374 3375 /* pass 1: see if we can recognize them */ 3376 if (debug) 3377 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 3378 ifp->if_xname); 3379 p = (void *)(h + 1); 3380 ifidcount = 0; 3381 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3382 /* Sanity check option length */ 3383 if (l > len) { 3384 /* XXX just RXJ? */ 3385 addlog("%s: received malicious IPCPv6 option, " 3386 "dropping\n", ifp->if_xname); 3387 goto drop; 3388 } 3389 if (debug) 3390 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3391 switch (*p) { 3392 case IPV6CP_OPT_IFID: 3393 if (len >= 10 && l == 10 && ifidcount == 0) { 3394 /* correctly formed address option */ 3395 ifidcount++; 3396 continue; 3397 } 3398 if (debug) 3399 addlog(" [invalid]"); 3400 break; 3401 #ifdef notyet 3402 case IPV6CP_OPT_COMPRESSION: 3403 if (len >= 4 && l >= 4) { 3404 /* correctly formed compress option */ 3405 continue; 3406 } 3407 if (debug) 3408 addlog(" [invalid]"); 3409 break; 3410 #endif 3411 default: 3412 /* Others not supported. */ 3413 if (debug) 3414 addlog(" [rej]"); 3415 break; 3416 } 3417 if (rlen + l > blen) { 3418 if (debug) 3419 addlog(" [overflow]"); 3420 continue; 3421 } 3422 /* Add the option to rejected list. */ 3423 memcpy(r, p, l); 3424 r += l; 3425 rlen += l; 3426 } 3427 if (rlen) { 3428 if (debug) 3429 addlog(" send conf-rej\n"); 3430 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3431 goto end; 3432 } else if (debug) 3433 addlog("\n"); 3434 3435 /* pass 2: parse option values */ 3436 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3437 if (debug) 3438 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 3439 ifp->if_xname); 3440 p = (void *)(h + 1); 3441 len = origlen; 3442 type = CONF_ACK; 3443 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3444 if (debug) 3445 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3446 switch (*p) { 3447 #ifdef notyet 3448 case IPV6CP_OPT_COMPRESSION: 3449 continue; 3450 #endif 3451 case IPV6CP_OPT_IFID: 3452 memset(&desiredaddr, 0, sizeof(desiredaddr)); 3453 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 3454 collision = (memcmp(&desiredaddr.s6_addr[8], 3455 &myaddr.s6_addr[8], 8) == 0); 3456 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3457 3458 desiredaddr.s6_addr16[0] = htons(0xfe80); 3459 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 3460 3461 if (!collision && !nohisaddr) { 3462 /* no collision, hisaddr known - Conf-Ack */ 3463 type = CONF_ACK; 3464 3465 if (debug) { 3466 addlog(" %s [%s]", 3467 ip6_sprintf(&desiredaddr), 3468 sppp_cp_type_name(type)); 3469 } 3470 continue; 3471 } 3472 3473 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3474 if (collision && nohisaddr) { 3475 /* collision, hisaddr unknown - Conf-Rej */ 3476 type = CONF_REJ; 3477 memset(&p[2], 0, 8); 3478 } else { 3479 /* 3480 * - no collision, hisaddr unknown, or 3481 * - collision, hisaddr known 3482 * Conf-Nak, suggest hisaddr 3483 */ 3484 type = CONF_NAK; 3485 sppp_suggest_ip6_addr(sp, &suggestaddr); 3486 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 3487 } 3488 if (debug) 3489 addlog(" %s [%s]", ip6_sprintf(&desiredaddr), 3490 sppp_cp_type_name(type)); 3491 break; 3492 } 3493 if (rlen + l > blen) { 3494 if (debug) 3495 addlog(" [overflow]"); 3496 continue; 3497 } 3498 /* Add the option to nak'ed list. */ 3499 memcpy(r, p, l); 3500 r += l; 3501 rlen += l; 3502 } 3503 3504 if (rlen == 0 && type == CONF_ACK) { 3505 if (debug) 3506 addlog(" send %s\n", sppp_cp_type_name(type)); 3507 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1); 3508 } else { 3509 #ifdef notdef 3510 if (type == CONF_ACK) 3511 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3512 #endif 3513 3514 if (debug) { 3515 addlog(" send %s suggest %s\n", 3516 sppp_cp_type_name(type), ip6_sprintf(&suggestaddr)); 3517 } 3518 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3519 } 3520 3521 end: 3522 free(buf, M_TEMP); 3523 return (rlen == 0); 3524 3525 drop: 3526 free(buf, M_TEMP); 3527 return -1; 3528 } 3529 3530 /* 3531 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3532 * negotiation. 3533 */ 3534 static void 3535 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3536 { 3537 u_char *buf, *p, l, blen; 3538 struct ifnet *ifp = &sp->pp_if; 3539 int debug = ifp->if_flags & IFF_DEBUG; 3540 3541 len -= 4; 3542 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3543 if (!buf) 3544 return; 3545 3546 if (debug) 3547 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 3548 ifp->if_xname); 3549 3550 p = (void *)(h + 1); 3551 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3552 if (l > len) { 3553 /* XXX just RXJ? */ 3554 addlog("%s: received malicious IPCPv6 option, " 3555 "dropping\n", ifp->if_xname); 3556 goto drop; 3557 } 3558 if (debug) 3559 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3560 switch (*p) { 3561 case IPV6CP_OPT_IFID: 3562 /* 3563 * Peer doesn't grok address option. This is 3564 * bad. XXX Should we better give up here? 3565 */ 3566 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3567 break; 3568 #ifdef notyet 3569 case IPV6CP_OPT_COMPRESS: 3570 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3571 break; 3572 #endif 3573 } 3574 } 3575 if (debug) 3576 addlog("\n"); 3577 drop: 3578 free(buf, M_TEMP); 3579 return; 3580 } 3581 3582 /* 3583 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3584 * negotiation. 3585 */ 3586 static void 3587 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3588 { 3589 u_char *buf, *p, l, blen; 3590 struct ifnet *ifp = &sp->pp_if; 3591 int debug = ifp->if_flags & IFF_DEBUG; 3592 struct in6_addr suggestaddr; 3593 3594 len -= 4; 3595 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3596 if (!buf) 3597 return; 3598 3599 if (debug) 3600 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 3601 ifp->if_xname); 3602 3603 p = (void *)(h + 1); 3604 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3605 if (l > len) { 3606 /* XXX just RXJ? */ 3607 addlog("%s: received malicious IPCPv6 option, " 3608 "dropping\n", ifp->if_xname); 3609 goto drop; 3610 } 3611 if (debug) 3612 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3613 switch (*p) { 3614 case IPV6CP_OPT_IFID: 3615 /* 3616 * Peer doesn't like our local ifid. See 3617 * if we can do something for him. We'll drop 3618 * him our address then. 3619 */ 3620 if (len < 10 || l != 10) 3621 break; 3622 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3623 suggestaddr.s6_addr16[0] = htons(0xfe80); 3624 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 3625 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 3626 3627 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3628 if (debug) 3629 addlog(" [suggestaddr %s]", 3630 ip6_sprintf(&suggestaddr)); 3631 #ifdef IPV6CP_MYIFID_DYN 3632 /* 3633 * When doing dynamic address assignment, 3634 * we accept his offer. 3635 */ 3636 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3637 struct in6_addr lastsuggest; 3638 /* 3639 * If <suggested myaddr from peer> equals to 3640 * <hisaddr we have suggested last time>, 3641 * we have a collision. generate new random 3642 * ifid. 3643 */ 3644 sppp_suggest_ip6_addr(&lastsuggest); 3645 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3646 lastsuggest)) { 3647 if (debug) 3648 addlog(" [random]"); 3649 sppp_gen_ip6_addr(sp, &suggestaddr); 3650 } 3651 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3652 if (debug) 3653 addlog(" [agree]"); 3654 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3655 } 3656 #else 3657 /* 3658 * Since we do not do dynamic address assignment, 3659 * we ignore it and thus continue to negotiate 3660 * our already existing value. This can possibly 3661 * go into infinite request-reject loop. 3662 * 3663 * This is not likely because we normally use 3664 * ifid based on MAC-address. 3665 * If you have no ethernet card on the node, too bad. 3666 * XXX should we use fail_counter? 3667 */ 3668 #endif 3669 break; 3670 #ifdef notyet 3671 case IPV6CP_OPT_COMPRESS: 3672 /* 3673 * Peer wants different compression parameters. 3674 */ 3675 break; 3676 #endif 3677 } 3678 } 3679 if (debug) 3680 addlog("\n"); 3681 drop: 3682 free(buf, M_TEMP); 3683 return; 3684 } 3685 3686 static void 3687 sppp_ipv6cp_tlu(struct sppp *sp) 3688 { 3689 /* we are up - notify isdn daemon */ 3690 if (sp->pp_con) 3691 sp->pp_con(sp); 3692 } 3693 3694 static void 3695 sppp_ipv6cp_tld(struct sppp *sp) 3696 { 3697 } 3698 3699 static void 3700 sppp_ipv6cp_tls(struct sppp *sp) 3701 { 3702 /* indicate to LCP that it must stay alive */ 3703 sp->lcp.protos |= (1 << IDX_IPV6CP); 3704 } 3705 3706 static void 3707 sppp_ipv6cp_tlf(struct sppp *sp) 3708 { 3709 /* we no longer need LCP */ 3710 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3711 } 3712 3713 static void 3714 sppp_ipv6cp_scr(struct sppp *sp) 3715 { 3716 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3717 struct in6_addr ouraddr; 3718 int i = 0; 3719 3720 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3721 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3722 opt[i++] = IPV6CP_OPT_IFID; 3723 opt[i++] = 10; 3724 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 3725 i += 8; 3726 } 3727 3728 #ifdef notyet 3729 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 3730 opt[i++] = IPV6CP_OPT_COMPRESSION; 3731 opt[i++] = 4; 3732 opt[i++] = 0; /* TBD */ 3733 opt[i++] = 0; /* TBD */ 3734 /* variable length data may follow */ 3735 } 3736 #endif 3737 3738 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 3739 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 3740 } 3741 #else /*INET6*/ 3742 static void 3743 sppp_ipv6cp_init(struct sppp *sp) 3744 { 3745 } 3746 3747 static void 3748 sppp_ipv6cp_up(struct sppp *sp) 3749 { 3750 } 3751 3752 static void 3753 sppp_ipv6cp_down(struct sppp *sp) 3754 { 3755 } 3756 3757 static void 3758 sppp_ipv6cp_open(struct sppp *sp) 3759 { 3760 } 3761 3762 static void 3763 sppp_ipv6cp_close(struct sppp *sp) 3764 { 3765 } 3766 3767 static void 3768 sppp_ipv6cp_TO(void *sp) 3769 { 3770 } 3771 3772 static int 3773 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, 3774 int len) 3775 { 3776 return 0; 3777 } 3778 3779 static void 3780 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, 3781 int len) 3782 { 3783 } 3784 3785 static void 3786 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, 3787 int len) 3788 { 3789 } 3790 3791 static void 3792 sppp_ipv6cp_tlu(struct sppp *sp) 3793 { 3794 } 3795 3796 static void 3797 sppp_ipv6cp_tld(struct sppp *sp) 3798 { 3799 } 3800 3801 static void 3802 sppp_ipv6cp_tls(struct sppp *sp) 3803 { 3804 } 3805 3806 static void 3807 sppp_ipv6cp_tlf(struct sppp *sp) 3808 { 3809 } 3810 3811 static void 3812 sppp_ipv6cp_scr(struct sppp *sp) 3813 { 3814 } 3815 #endif /*INET6*/ 3816 3817 3818 /* 3819 *--------------------------------------------------------------------------* 3820 * * 3821 * The CHAP implementation. * 3822 * * 3823 *--------------------------------------------------------------------------* 3824 */ 3825 3826 /* 3827 * The authentication protocols don't employ a full-fledged state machine as 3828 * the control protocols do, since they do have Open and Close events, but 3829 * not Up and Down, nor are they explicitly terminated. Also, use of the 3830 * authentication protocols may be different in both directions (this makes 3831 * sense, think of a machine that never accepts incoming calls but only 3832 * calls out, it doesn't require the called party to authenticate itself). 3833 * 3834 * Our state machine for the local authentication protocol (we are requesting 3835 * the peer to authenticate) looks like: 3836 * 3837 * RCA- 3838 * +--------------------------------------------+ 3839 * V scn,tld| 3840 * +--------+ Close +---------+ RCA+ 3841 * | |<----------------------------------| |------+ 3842 * +--->| Closed | TO* | Opened | sca | 3843 * | | |-----+ +-------| |<-----+ 3844 * | +--------+ irc | | +---------+ 3845 * | ^ | | ^ 3846 * | | | | | 3847 * | | | | | 3848 * | TO-| | | | 3849 * | |tld TO+ V | | 3850 * | | +------->+ | | 3851 * | | | | | | 3852 * | +--------+ V | | 3853 * | | |<----+<--------------------+ | 3854 * | | Req- | scr | 3855 * | | Sent | | 3856 * | | | | 3857 * | +--------+ | 3858 * | RCA- | | RCA+ | 3859 * +------+ +------------------------------------------+ 3860 * scn,tld sca,irc,ict,tlu 3861 * 3862 * 3863 * with: 3864 * 3865 * Open: LCP reached authentication phase 3866 * Close: LCP reached terminate phase 3867 * 3868 * RCA+: received reply (pap-req, chap-response), acceptable 3869 * RCN: received reply (pap-req, chap-response), not acceptable 3870 * TO+: timeout with restart counter >= 0 3871 * TO-: timeout with restart counter < 0 3872 * TO*: reschedule timeout for CHAP 3873 * 3874 * scr: send request packet (none for PAP, chap-challenge) 3875 * sca: send ack packet (pap-ack, chap-success) 3876 * scn: send nak packet (pap-nak, chap-failure) 3877 * ict: initialize re-challenge timer (CHAP only) 3878 * 3879 * tlu: this-layer-up, LCP reaches network phase 3880 * tld: this-layer-down, LCP enters terminate phase 3881 * 3882 * Note that in CHAP mode, after sending a new challenge, while the state 3883 * automaton falls back into Req-Sent state, it doesn't signal a tld 3884 * event to LCP, so LCP remains in network phase. Only after not getting 3885 * any response (or after getting an unacceptable response), CHAP closes, 3886 * causing LCP to enter terminate phase. 3887 * 3888 * With PAP, there is no initial request that can be sent. The peer is 3889 * expected to send one based on the successful negotiation of PAP as 3890 * the authentication protocol during the LCP option negotiation. 3891 * 3892 * Incoming authentication protocol requests (remote requests 3893 * authentication, we are peer) don't employ a state machine at all, 3894 * they are simply answered. Some peers [Ascend P50 firmware rev 3895 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are 3896 * still in authentication phase (thereby violating the standard that 3897 * demands that these NCP packets are to be discarded), so we keep 3898 * track of the peer demanding us to authenticate, and only proceed to 3899 * phase network once we've seen a positive acknowledge for the 3900 * authentication. 3901 */ 3902 3903 /* 3904 * Handle incoming CHAP packets. 3905 */ 3906 void 3907 sppp_chap_input(struct sppp *sp, struct mbuf *m) 3908 { 3909 STDDCL; 3910 struct lcp_header *h; 3911 int len, x; 3912 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize; 3913 int value_len, name_len; 3914 MD5_CTX ctx; 3915 3916 len = m->m_pkthdr.len; 3917 if (len < 4) { 3918 if (debug) 3919 log(LOG_DEBUG, 3920 "%s: chap invalid packet length: %d bytes\n", 3921 ifp->if_xname, len); 3922 return; 3923 } 3924 h = mtod(m, struct lcp_header *); 3925 if (len > ntohs(h->len)) 3926 len = ntohs(h->len); 3927 3928 switch (h->type) { 3929 /* challenge, failure and success are his authproto */ 3930 case CHAP_CHALLENGE: 3931 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 3932 /* can't do anything useful */ 3933 sp->pp_auth_failures++; 3934 printf("%s: chap input without my name and my secret being set\n", 3935 ifp->if_xname); 3936 break; 3937 } 3938 value = 1 + (u_char *)(h + 1); 3939 value_len = value[-1]; 3940 name = value + value_len; 3941 name_len = len - value_len - 5; 3942 if (name_len < 0) { 3943 if (debug) { 3944 log(LOG_DEBUG, 3945 "%s: chap corrupted challenge " 3946 "<%s id=0x%x len=%d", 3947 ifp->if_xname, 3948 sppp_auth_type_name(PPP_CHAP, h->type), 3949 h->ident, ntohs(h->len)); 3950 if (len > 4) 3951 sppp_print_bytes((u_char *)(h + 1), 3952 len - 4); 3953 addlog(">\n"); 3954 } 3955 break; 3956 } 3957 3958 if (debug) { 3959 log(LOG_DEBUG, 3960 "%s: chap input <%s id=0x%x len=%d name=", 3961 ifp->if_xname, 3962 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 3963 ntohs(h->len)); 3964 sppp_print_string((char *) name, name_len); 3965 addlog(" value-size=%d value=", value_len); 3966 sppp_print_bytes(value, value_len); 3967 addlog(">\n"); 3968 } 3969 3970 /* Compute reply value. */ 3971 MD5Init(&ctx); 3972 MD5Update(&ctx, &h->ident, 1); 3973 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 3974 MD5Update(&ctx, value, value_len); 3975 MD5Final(digest, &ctx); 3976 dsize = sizeof digest; 3977 3978 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 3979 sizeof dsize, (const char *)&dsize, 3980 sizeof digest, digest, 3981 sp->myauth.name_len, 3982 sp->myauth.name, 3983 0); 3984 break; 3985 3986 case CHAP_SUCCESS: 3987 if (debug) { 3988 log(LOG_DEBUG, "%s: chap success", 3989 ifp->if_xname); 3990 if (len > 4) { 3991 addlog(": "); 3992 sppp_print_string((char *)(h + 1), len - 4); 3993 } 3994 addlog("\n"); 3995 } 3996 x = splnet(); 3997 sp->pp_auth_failures = 0; 3998 sp->pp_flags &= ~PP_NEEDAUTH; 3999 if (sp->myauth.proto == PPP_CHAP && 4000 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4001 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 4002 /* 4003 * We are authenticator for CHAP but didn't 4004 * complete yet. Leave it to tlu to proceed 4005 * to network phase. 4006 */ 4007 splx(x); 4008 break; 4009 } 4010 splx(x); 4011 sppp_phase_network(sp); 4012 break; 4013 4014 case CHAP_FAILURE: 4015 x = splnet(); 4016 sp->pp_auth_failures++; 4017 splx(x); 4018 if (debug) { 4019 log(LOG_INFO, "%s: chap failure", 4020 ifp->if_xname); 4021 if (len > 4) { 4022 addlog(": "); 4023 sppp_print_string((char *)(h + 1), len - 4); 4024 } 4025 addlog("\n"); 4026 } else 4027 log(LOG_INFO, "%s: chap failure\n", 4028 ifp->if_xname); 4029 /* await LCP shutdown by authenticator */ 4030 break; 4031 4032 /* response is my authproto */ 4033 case CHAP_RESPONSE: 4034 if (sp->hisauth.secret == NULL) { 4035 /* can't do anything useful */ 4036 printf("%s: chap input without his secret being set\n", 4037 ifp->if_xname); 4038 break; 4039 } 4040 value = 1 + (u_char *)(h + 1); 4041 value_len = value[-1]; 4042 name = value + value_len; 4043 name_len = len - value_len - 5; 4044 if (name_len < 0) { 4045 if (debug) { 4046 log(LOG_DEBUG, 4047 "%s: chap corrupted response " 4048 "<%s id=0x%x len=%d", 4049 ifp->if_xname, 4050 sppp_auth_type_name(PPP_CHAP, h->type), 4051 h->ident, ntohs(h->len)); 4052 if (len > 4) 4053 sppp_print_bytes((u_char *)(h + 1), 4054 len - 4); 4055 addlog(">\n"); 4056 } 4057 break; 4058 } 4059 if (h->ident != sp->confid[IDX_CHAP]) { 4060 if (debug) 4061 log(LOG_DEBUG, 4062 "%s: chap dropping response for old ID " 4063 "(got %d, expected %d)\n", 4064 ifp->if_xname, 4065 h->ident, sp->confid[IDX_CHAP]); 4066 break; 4067 } 4068 if (sp->hisauth.name != NULL && 4069 (name_len != sp->hisauth.name_len 4070 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 4071 log(LOG_INFO, "%s: chap response, his name ", 4072 ifp->if_xname); 4073 sppp_print_string(name, name_len); 4074 addlog(" != expected "); 4075 sppp_print_string(sp->hisauth.name, 4076 sp->hisauth.name_len); 4077 addlog("\n"); 4078 goto chap_failure; 4079 } 4080 if (debug) { 4081 log(LOG_DEBUG, "%s: chap input(%s) " 4082 "<%s id=0x%x len=%d name=", 4083 ifp->if_xname, 4084 sppp_state_name(sp->state[IDX_CHAP]), 4085 sppp_auth_type_name(PPP_CHAP, h->type), 4086 h->ident, ntohs(h->len)); 4087 sppp_print_string((char *)name, name_len); 4088 addlog(" value-size=%d value=", value_len); 4089 sppp_print_bytes(value, value_len); 4090 addlog(">\n"); 4091 } 4092 if (value_len != sizeof(sp->myauth.challenge)) { 4093 if (debug) 4094 log(LOG_DEBUG, 4095 "%s: chap bad hash value length: " 4096 "%d bytes, should be %ld\n", 4097 ifp->if_xname, value_len, 4098 (long) sizeof(sp->myauth.challenge)); 4099 goto chap_failure; 4100 } 4101 4102 MD5Init(&ctx); 4103 MD5Update(&ctx, &h->ident, 1); 4104 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 4105 MD5Update(&ctx, sp->myauth.challenge, sizeof(sp->myauth.challenge)); 4106 MD5Final(digest, &ctx); 4107 4108 #define FAILMSG "Failed..." 4109 #define SUCCMSG "Welcome!" 4110 4111 if (value_len != sizeof digest || 4112 memcmp(digest, value, value_len) != 0) { 4113 chap_failure: 4114 /* action scn, tld */ 4115 x = splnet(); 4116 sp->pp_auth_failures++; 4117 splx(x); 4118 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4119 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4120 0); 4121 chap.tld(sp); 4122 break; 4123 } 4124 sp->pp_auth_failures = 0; 4125 /* action sca, perhaps tlu */ 4126 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4127 sp->state[IDX_CHAP] == STATE_OPENED) 4128 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4129 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4130 0); 4131 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4132 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4133 chap.tlu(sp); 4134 } 4135 break; 4136 4137 default: 4138 /* Unknown CHAP packet type -- ignore. */ 4139 if (debug) { 4140 log(LOG_DEBUG, "%s: chap unknown input(%s) " 4141 "<0x%x id=0x%xh len=%d", 4142 ifp->if_xname, 4143 sppp_state_name(sp->state[IDX_CHAP]), 4144 h->type, h->ident, ntohs(h->len)); 4145 if (len > 4) 4146 sppp_print_bytes((u_char *)(h + 1), len - 4); 4147 addlog(">\n"); 4148 } 4149 break; 4150 4151 } 4152 } 4153 4154 static void 4155 sppp_chap_init(struct sppp *sp) 4156 { 4157 /* Chap doesn't have STATE_INITIAL at all. */ 4158 sp->state[IDX_CHAP] = STATE_CLOSED; 4159 sp->fail_counter[IDX_CHAP] = 0; 4160 sp->pp_seq[IDX_CHAP] = 0; 4161 sp->pp_rseq[IDX_CHAP] = 0; 4162 callout_init(&sp->ch[IDX_CHAP], 0); 4163 } 4164 4165 static void 4166 sppp_chap_open(struct sppp *sp) 4167 { 4168 if (sp->myauth.proto == PPP_CHAP && 4169 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4170 /* we are authenticator for CHAP, start it */ 4171 chap.scr(sp); 4172 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4173 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4174 } 4175 /* nothing to be done if we are peer, await a challenge */ 4176 } 4177 4178 static void 4179 sppp_chap_close(struct sppp *sp) 4180 { 4181 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4182 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4183 } 4184 4185 static void 4186 sppp_chap_TO(void *cookie) 4187 { 4188 struct sppp *sp = (struct sppp *)cookie; 4189 STDDCL; 4190 int s; 4191 4192 s = splnet(); 4193 if (debug) 4194 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n", 4195 ifp->if_xname, 4196 sppp_state_name(sp->state[IDX_CHAP]), 4197 sp->rst_counter[IDX_CHAP]); 4198 4199 if (--sp->rst_counter[IDX_CHAP] < 0) 4200 /* TO- event */ 4201 switch (sp->state[IDX_CHAP]) { 4202 case STATE_REQ_SENT: 4203 chap.tld(sp); 4204 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4205 break; 4206 } 4207 else 4208 /* TO+ (or TO*) event */ 4209 switch (sp->state[IDX_CHAP]) { 4210 case STATE_OPENED: 4211 /* TO* event */ 4212 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4213 /* fall through */ 4214 case STATE_REQ_SENT: 4215 chap.scr(sp); 4216 /* sppp_cp_change_state() will restart the timer */ 4217 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4218 break; 4219 } 4220 4221 splx(s); 4222 } 4223 4224 static void 4225 sppp_chap_tlu(struct sppp *sp) 4226 { 4227 STDDCL; 4228 int i, x; 4229 4230 i = 0; 4231 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4232 4233 /* 4234 * Some broken CHAP implementations (Conware CoNet, firmware 4235 * 4.0.?) don't want to re-authenticate their CHAP once the 4236 * initial challenge-response exchange has taken place. 4237 * Provide for an option to avoid rechallenges. 4238 */ 4239 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 4240 /* 4241 * Compute the re-challenge timeout. This will yield 4242 * a number between 300 and 810 seconds. 4243 */ 4244 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7); 4245 4246 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp); 4247 } 4248 4249 if (debug) { 4250 log(LOG_DEBUG, 4251 "%s: chap %s, ", 4252 ifp->if_xname, 4253 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu"); 4254 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) 4255 addlog("next re-challenge in %d seconds\n", i); 4256 else 4257 addlog("re-challenging supressed\n"); 4258 } 4259 4260 x = splnet(); 4261 sp->pp_auth_failures = 0; 4262 /* indicate to LCP that we need to be closed down */ 4263 sp->lcp.protos |= (1 << IDX_CHAP); 4264 4265 if (sp->pp_flags & PP_NEEDAUTH) { 4266 /* 4267 * Remote is authenticator, but his auth proto didn't 4268 * complete yet. Defer the transition to network 4269 * phase. 4270 */ 4271 splx(x); 4272 return; 4273 } 4274 splx(x); 4275 4276 /* 4277 * If we are already in phase network, we are done here. This 4278 * is the case if this is a dummy tlu event after a re-challenge. 4279 */ 4280 if (sp->pp_phase != SPPP_PHASE_NETWORK) 4281 sppp_phase_network(sp); 4282 } 4283 4284 static void 4285 sppp_chap_tld(struct sppp *sp) 4286 { 4287 STDDCL; 4288 4289 if (debug) 4290 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname); 4291 callout_stop(&sp->ch[IDX_CHAP]); 4292 sp->lcp.protos &= ~(1 << IDX_CHAP); 4293 4294 lcp.Close(sp); 4295 } 4296 4297 static void 4298 sppp_chap_scr(struct sppp *sp) 4299 { 4300 uint32_t *ch; 4301 u_char clen = 4 * sizeof(uint32_t); 4302 4303 if (sp->myauth.name == NULL) { 4304 /* can't do anything useful */ 4305 printf("%s: chap starting without my name being set\n", 4306 sp->pp_if.if_xname); 4307 return; 4308 } 4309 4310 /* Compute random challenge. */ 4311 ch = (uint32_t *)sp->myauth.challenge; 4312 cprng_strong(kern_cprng, ch, clen, 0); 4313 4314 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4315 4316 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4317 sizeof clen, (const char *)&clen, 4318 sizeof(sp->myauth.challenge), sp->myauth.challenge, 4319 sp->myauth.name_len, 4320 sp->myauth.name, 4321 0); 4322 } 4323 4324 /* 4325 *--------------------------------------------------------------------------* 4326 * * 4327 * The PAP implementation. * 4328 * * 4329 *--------------------------------------------------------------------------* 4330 */ 4331 /* 4332 * For PAP, we need to keep a little state also if we are the peer, not the 4333 * authenticator. This is since we don't get a request to authenticate, but 4334 * have to repeatedly authenticate ourself until we got a response (or the 4335 * retry counter is expired). 4336 */ 4337 4338 /* 4339 * Handle incoming PAP packets. */ 4340 static void 4341 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4342 { 4343 STDDCL; 4344 struct lcp_header *h; 4345 int len, x; 4346 u_char mlen; 4347 char *name, *secret; 4348 int name_len, secret_len; 4349 4350 /* 4351 * Malicious input might leave this uninitialized, so 4352 * init to an impossible value. 4353 */ 4354 secret_len = -1; 4355 4356 len = m->m_pkthdr.len; 4357 if (len < 5) { 4358 if (debug) 4359 log(LOG_DEBUG, 4360 "%s: pap invalid packet length: %d bytes\n", 4361 ifp->if_xname, len); 4362 return; 4363 } 4364 h = mtod(m, struct lcp_header *); 4365 if (len > ntohs(h->len)) 4366 len = ntohs(h->len); 4367 switch (h->type) { 4368 /* PAP request is my authproto */ 4369 case PAP_REQ: 4370 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4371 /* can't do anything useful */ 4372 printf("%s: pap request without his name and his secret being set\n", 4373 ifp->if_xname); 4374 break; 4375 } 4376 name = 1 + (u_char *)(h + 1); 4377 name_len = name[-1]; 4378 secret = name + name_len + 1; 4379 if (name_len > len - 6 || 4380 (secret_len = secret[-1]) > len - 6 - name_len) { 4381 if (debug) { 4382 log(LOG_DEBUG, "%s: pap corrupted input " 4383 "<%s id=0x%x len=%d", 4384 ifp->if_xname, 4385 sppp_auth_type_name(PPP_PAP, h->type), 4386 h->ident, ntohs(h->len)); 4387 if (len > 4) 4388 sppp_print_bytes((u_char *)(h + 1), 4389 len - 4); 4390 addlog(">\n"); 4391 } 4392 break; 4393 } 4394 if (debug) { 4395 log(LOG_DEBUG, "%s: pap input(%s) " 4396 "<%s id=0x%x len=%d name=", 4397 ifp->if_xname, 4398 sppp_state_name(sp->state[IDX_PAP]), 4399 sppp_auth_type_name(PPP_PAP, h->type), 4400 h->ident, ntohs(h->len)); 4401 sppp_print_string((char *)name, name_len); 4402 addlog(" secret="); 4403 sppp_print_string((char *)secret, secret_len); 4404 addlog(">\n"); 4405 } 4406 if (name_len != sp->hisauth.name_len || 4407 secret_len != sp->hisauth.secret_len || 4408 memcmp(name, sp->hisauth.name, name_len) != 0 || 4409 memcmp(secret, sp->hisauth.secret, secret_len) != 0) { 4410 /* action scn, tld */ 4411 sp->pp_auth_failures++; 4412 mlen = sizeof(FAILMSG) - 1; 4413 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4414 sizeof mlen, (const char *)&mlen, 4415 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4416 0); 4417 pap.tld(sp); 4418 break; 4419 } 4420 /* action sca, perhaps tlu */ 4421 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4422 sp->state[IDX_PAP] == STATE_OPENED) { 4423 mlen = sizeof(SUCCMSG) - 1; 4424 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4425 sizeof mlen, (const char *)&mlen, 4426 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4427 0); 4428 } 4429 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4430 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4431 pap.tlu(sp); 4432 } 4433 break; 4434 4435 /* ack and nak are his authproto */ 4436 case PAP_ACK: 4437 callout_stop(&sp->pap_my_to_ch); 4438 if (debug) { 4439 log(LOG_DEBUG, "%s: pap success", 4440 ifp->if_xname); 4441 name = 1 + (u_char *)(h + 1); 4442 name_len = name[-1]; 4443 if (len > 5 && name_len < len+4) { 4444 addlog(": "); 4445 sppp_print_string(name, name_len); 4446 } 4447 addlog("\n"); 4448 } 4449 x = splnet(); 4450 sp->pp_auth_failures = 0; 4451 sp->pp_flags &= ~PP_NEEDAUTH; 4452 if (sp->myauth.proto == PPP_PAP && 4453 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4454 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4455 /* 4456 * We are authenticator for PAP but didn't 4457 * complete yet. Leave it to tlu to proceed 4458 * to network phase. 4459 */ 4460 splx(x); 4461 break; 4462 } 4463 splx(x); 4464 sppp_phase_network(sp); 4465 break; 4466 4467 case PAP_NAK: 4468 callout_stop(&sp->pap_my_to_ch); 4469 sp->pp_auth_failures++; 4470 if (debug) { 4471 log(LOG_INFO, "%s: pap failure", 4472 ifp->if_xname); 4473 name = 1 + (u_char *)(h + 1); 4474 name_len = name[-1]; 4475 if (len > 5 && name_len < len+4) { 4476 addlog(": "); 4477 sppp_print_string(name, name_len); 4478 } 4479 addlog("\n"); 4480 } else 4481 log(LOG_INFO, "%s: pap failure\n", 4482 ifp->if_xname); 4483 /* await LCP shutdown by authenticator */ 4484 break; 4485 4486 default: 4487 /* Unknown PAP packet type -- ignore. */ 4488 if (debug) { 4489 log(LOG_DEBUG, "%s: pap corrupted input " 4490 "<0x%x id=0x%x len=%d", 4491 ifp->if_xname, 4492 h->type, h->ident, ntohs(h->len)); 4493 if (len > 4) 4494 sppp_print_bytes((u_char *)(h + 1), len - 4); 4495 addlog(">\n"); 4496 } 4497 break; 4498 4499 } 4500 } 4501 4502 static void 4503 sppp_pap_init(struct sppp *sp) 4504 { 4505 /* PAP doesn't have STATE_INITIAL at all. */ 4506 sp->state[IDX_PAP] = STATE_CLOSED; 4507 sp->fail_counter[IDX_PAP] = 0; 4508 sp->pp_seq[IDX_PAP] = 0; 4509 sp->pp_rseq[IDX_PAP] = 0; 4510 callout_init(&sp->ch[IDX_PAP], 0); 4511 callout_init(&sp->pap_my_to_ch, 0); 4512 } 4513 4514 static void 4515 sppp_pap_open(struct sppp *sp) 4516 { 4517 if (sp->hisauth.proto == PPP_PAP && 4518 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4519 /* we are authenticator for PAP, start our timer */ 4520 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4521 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4522 } 4523 if (sp->myauth.proto == PPP_PAP) { 4524 /* we are peer, send a request, and start a timer */ 4525 pap.scr(sp); 4526 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout, 4527 sppp_pap_my_TO, sp); 4528 } 4529 } 4530 4531 static void 4532 sppp_pap_close(struct sppp *sp) 4533 { 4534 if (sp->state[IDX_PAP] != STATE_CLOSED) 4535 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4536 } 4537 4538 /* 4539 * That's the timeout routine if we are authenticator. Since the 4540 * authenticator is basically passive in PAP, we can't do much here. 4541 */ 4542 static void 4543 sppp_pap_TO(void *cookie) 4544 { 4545 struct sppp *sp = (struct sppp *)cookie; 4546 STDDCL; 4547 int s; 4548 4549 s = splnet(); 4550 if (debug) 4551 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n", 4552 ifp->if_xname, 4553 sppp_state_name(sp->state[IDX_PAP]), 4554 sp->rst_counter[IDX_PAP]); 4555 4556 if (--sp->rst_counter[IDX_PAP] < 0) 4557 /* TO- event */ 4558 switch (sp->state[IDX_PAP]) { 4559 case STATE_REQ_SENT: 4560 pap.tld(sp); 4561 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4562 break; 4563 } 4564 else 4565 /* TO+ event, not very much we could do */ 4566 switch (sp->state[IDX_PAP]) { 4567 case STATE_REQ_SENT: 4568 /* sppp_cp_change_state() will restart the timer */ 4569 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4570 break; 4571 } 4572 4573 splx(s); 4574 } 4575 4576 /* 4577 * That's the timeout handler if we are peer. Since the peer is active, 4578 * we need to retransmit our PAP request since it is apparently lost. 4579 * XXX We should impose a max counter. 4580 */ 4581 static void 4582 sppp_pap_my_TO(void *cookie) 4583 { 4584 struct sppp *sp = (struct sppp *)cookie; 4585 STDDCL; 4586 4587 if (debug) 4588 log(LOG_DEBUG, "%s: pap peer TO\n", 4589 ifp->if_xname); 4590 4591 pap.scr(sp); 4592 } 4593 4594 static void 4595 sppp_pap_tlu(struct sppp *sp) 4596 { 4597 STDDCL; 4598 int x; 4599 4600 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4601 4602 if (debug) 4603 log(LOG_DEBUG, "%s: %s tlu\n", 4604 ifp->if_xname, pap.name); 4605 4606 x = splnet(); 4607 sp->pp_auth_failures = 0; 4608 /* indicate to LCP that we need to be closed down */ 4609 sp->lcp.protos |= (1 << IDX_PAP); 4610 4611 if (sp->pp_flags & PP_NEEDAUTH) { 4612 /* 4613 * Remote is authenticator, but his auth proto didn't 4614 * complete yet. Defer the transition to network 4615 * phase. 4616 */ 4617 splx(x); 4618 return; 4619 } 4620 splx(x); 4621 sppp_phase_network(sp); 4622 } 4623 4624 static void 4625 sppp_pap_tld(struct sppp *sp) 4626 { 4627 STDDCL; 4628 4629 if (debug) 4630 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname); 4631 callout_stop(&sp->ch[IDX_PAP]); 4632 callout_stop(&sp->pap_my_to_ch); 4633 sp->lcp.protos &= ~(1 << IDX_PAP); 4634 4635 lcp.Close(sp); 4636 } 4637 4638 static void 4639 sppp_pap_scr(struct sppp *sp) 4640 { 4641 u_char idlen, pwdlen; 4642 4643 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4644 /* can't do anything useful */ 4645 printf("%s: pap starting without my name and secret being set\n", 4646 sp->pp_if.if_xname); 4647 return; 4648 } 4649 4650 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4651 pwdlen = sp->myauth.secret_len; 4652 idlen = sp->myauth.name_len; 4653 4654 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 4655 sizeof idlen, (const char *)&idlen, 4656 idlen, sp->myauth.name, 4657 sizeof pwdlen, (const char *)&pwdlen, 4658 pwdlen, sp->myauth.secret, 4659 0); 4660 } 4661 4662 /* 4663 * Random miscellaneous functions. 4664 */ 4665 4666 /* 4667 * Send a PAP or CHAP proto packet. 4668 * 4669 * Varadic function, each of the elements for the ellipsis is of type 4670 * ``size_t mlen, const u_char *msg''. Processing will stop iff 4671 * mlen == 0. 4672 * NOTE: never declare variadic functions with types subject to type 4673 * promotion (i.e. u_char). This is asking for big trouble depending 4674 * on the architecture you are on... 4675 */ 4676 4677 static void 4678 sppp_auth_send(const struct cp *cp, struct sppp *sp, 4679 unsigned int type, unsigned int id, 4680 ...) 4681 { 4682 STDDCL; 4683 struct lcp_header *lh; 4684 struct mbuf *m; 4685 u_char *p; 4686 int len; 4687 size_t pkthdrlen; 4688 unsigned int mlen; 4689 const char *msg; 4690 va_list ap; 4691 4692 MGETHDR(m, M_DONTWAIT, MT_DATA); 4693 if (! m) 4694 return; 4695 m_reset_rcvif(m); 4696 4697 if (sp->pp_flags & PP_NOFRAMING) { 4698 *mtod(m, uint16_t *) = htons(cp->proto); 4699 pkthdrlen = 2; 4700 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 4701 } else { 4702 struct ppp_header *h; 4703 h = mtod(m, struct ppp_header *); 4704 h->address = PPP_ALLSTATIONS; /* broadcast address */ 4705 h->control = PPP_UI; /* Unnumbered Info */ 4706 h->protocol = htons(cp->proto); 4707 pkthdrlen = PPP_HEADER_LEN; 4708 4709 lh = (struct lcp_header *)(h + 1); 4710 } 4711 4712 lh->type = type; 4713 lh->ident = id; 4714 p = (u_char *)(lh + 1); 4715 4716 va_start(ap, id); 4717 len = 0; 4718 4719 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 4720 msg = va_arg(ap, const char *); 4721 len += mlen; 4722 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 4723 va_end(ap); 4724 m_freem(m); 4725 return; 4726 } 4727 4728 memcpy(p, msg, mlen); 4729 p += mlen; 4730 } 4731 va_end(ap); 4732 4733 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 4734 lh->len = htons(LCP_HEADER_LEN + len); 4735 4736 if (debug) { 4737 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 4738 ifp->if_xname, cp->name, 4739 sppp_auth_type_name(cp->proto, lh->type), 4740 lh->ident, ntohs(lh->len)); 4741 if (len) 4742 sppp_print_bytes((u_char *)(lh + 1), len); 4743 addlog(">\n"); 4744 } 4745 if (IF_QFULL(&sp->pp_cpq)) { 4746 IF_DROP(&sp->pp_fastq); 4747 IF_DROP(&ifp->if_snd); 4748 m_freem(m); 4749 ++ifp->if_oerrors; 4750 return; 4751 } else 4752 IF_ENQUEUE(&sp->pp_cpq, m); 4753 if (! (ifp->if_flags & IFF_OACTIVE)) 4754 if_start_lock(ifp); 4755 ifp->if_obytes += m->m_pkthdr.len + 3; 4756 } 4757 4758 /* 4759 * Send keepalive packets, every 10 seconds. 4760 */ 4761 static void 4762 sppp_keepalive(void *dummy) 4763 { 4764 struct sppp *sp; 4765 int s; 4766 time_t now; 4767 4768 s = splnet(); 4769 now = time_uptime; 4770 for (sp=spppq; sp; sp=sp->pp_next) { 4771 struct ifnet *ifp = &sp->pp_if; 4772 4773 /* check idle timeout */ 4774 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 4775 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 4776 /* idle timeout is enabled for this interface */ 4777 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 4778 if (ifp->if_flags & IFF_DEBUG) 4779 printf("%s: no activity for %lu seconds\n", 4780 sp->pp_if.if_xname, 4781 (unsigned long)(now-sp->pp_last_activity)); 4782 lcp.Close(sp); 4783 continue; 4784 } 4785 } 4786 4787 /* Keepalive mode disabled or channel down? */ 4788 if (! (sp->pp_flags & PP_KEEPALIVE) || 4789 ! (ifp->if_flags & IFF_RUNNING)) 4790 continue; 4791 4792 /* No keepalive in PPP mode if LCP not opened yet. */ 4793 if (! (sp->pp_flags & PP_CISCO) && 4794 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) 4795 continue; 4796 4797 /* No echo reply, but maybe user data passed through? */ 4798 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) { 4799 sp->pp_alivecnt = 0; 4800 continue; 4801 } 4802 4803 if (sp->pp_alivecnt >= sp->pp_maxalive) { 4804 /* No keepalive packets got. Stop the interface. */ 4805 if_down (ifp); 4806 IF_PURGE(&sp->pp_cpq); 4807 if (! (sp->pp_flags & PP_CISCO)) { 4808 printf("%s: LCP keepalive timed out, going to restart the connection\n", 4809 ifp->if_xname); 4810 sp->pp_alivecnt = 0; 4811 4812 /* we are down, close all open protocols */ 4813 lcp.Close(sp); 4814 4815 /* And now prepare LCP to reestablish the link, if configured to do so. */ 4816 sppp_cp_change_state(&lcp, sp, STATE_STOPPED); 4817 4818 /* Close connection immediately, completition of this 4819 * will summon the magic needed to reestablish it. */ 4820 if (sp->pp_tlf) 4821 sp->pp_tlf(sp); 4822 continue; 4823 } 4824 } 4825 if (sp->pp_alivecnt < sp->pp_maxalive) 4826 ++sp->pp_alivecnt; 4827 if (sp->pp_flags & PP_CISCO) 4828 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 4829 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 4830 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 4831 int32_t nmagic = htonl(sp->lcp.magic); 4832 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 4833 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 4834 sp->lcp.echoid, 4, &nmagic); 4835 } 4836 } 4837 splx(s); 4838 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 4839 } 4840 4841 #ifdef INET 4842 /* 4843 * Get both IP addresses. 4844 */ 4845 static void 4846 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 4847 { 4848 struct ifnet *ifp = &sp->pp_if; 4849 struct ifaddr *ifa; 4850 struct sockaddr_in *si, *sm; 4851 uint32_t ssrc, ddst; 4852 4853 sm = NULL; 4854 ssrc = ddst = 0; 4855 /* 4856 * Pick the first AF_INET address from the list, 4857 * aliases don't make any sense on a p2p link anyway. 4858 */ 4859 si = 0; 4860 IFADDR_READER_FOREACH(ifa, ifp) { 4861 if (ifa->ifa_addr->sa_family == AF_INET) { 4862 si = (struct sockaddr_in *)ifa->ifa_addr; 4863 sm = (struct sockaddr_in *)ifa->ifa_netmask; 4864 if (si) 4865 break; 4866 } 4867 } 4868 if (ifa) { 4869 if (si && si->sin_addr.s_addr) { 4870 ssrc = si->sin_addr.s_addr; 4871 if (srcmask) 4872 *srcmask = ntohl(sm->sin_addr.s_addr); 4873 } 4874 4875 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 4876 if (si && si->sin_addr.s_addr) 4877 ddst = si->sin_addr.s_addr; 4878 } 4879 4880 if (dst) *dst = ntohl(ddst); 4881 if (src) *src = ntohl(ssrc); 4882 } 4883 4884 /* 4885 * Set IP addresses. Must be called at splnet. 4886 * If an address is 0, leave it the way it is. 4887 */ 4888 static void 4889 sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr) 4890 { 4891 STDDCL; 4892 struct ifaddr *ifa; 4893 struct sockaddr_in *si, *dest; 4894 4895 /* 4896 * Pick the first AF_INET address from the list, 4897 * aliases don't make any sense on a p2p link anyway. 4898 */ 4899 4900 IFADDR_READER_FOREACH(ifa, ifp) { 4901 if (ifa->ifa_addr->sa_family == AF_INET) { 4902 si = (struct sockaddr_in *)ifa->ifa_addr; 4903 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4904 goto found; 4905 } 4906 } 4907 return; 4908 4909 found: 4910 { 4911 int error; 4912 struct sockaddr_in new_sin = *si; 4913 struct sockaddr_in new_dst = *dest; 4914 4915 if (myaddr != 0) 4916 new_sin.sin_addr.s_addr = htonl(myaddr); 4917 if (hisaddr != 0) { 4918 new_dst.sin_addr.s_addr = htonl(hisaddr); 4919 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) 4920 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 4921 } 4922 4923 LIST_REMOVE(ifatoia(ifa), ia_hash); 4924 IN_ADDRHASH_WRITER_REMOVE(ifatoia(ifa)); 4925 4926 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 4927 4928 LIST_INSERT_HEAD(&IN_IFADDR_HASH(ifatoia(ifa)->ia_addr.sin_addr.s_addr), 4929 ifatoia(ifa), ia_hash); 4930 IN_ADDRHASH_WRITER_INSERT_HEAD(ifatoia(ifa)); 4931 4932 if (debug && error) 4933 { 4934 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 4935 ifp->if_xname, __func__, error); 4936 } 4937 if (!error) { 4938 (void)pfil_run_hooks(if_pfil, 4939 (struct mbuf **)SIOCAIFADDR, ifp, PFIL_IFADDR); 4940 } 4941 } 4942 } 4943 4944 /* 4945 * Clear IP addresses. Must be called at splnet. 4946 */ 4947 static void 4948 sppp_clear_ip_addrs(struct sppp *sp) 4949 { 4950 STDDCL; 4951 struct ifaddr *ifa; 4952 struct sockaddr_in *si, *dest; 4953 4954 uint32_t remote; 4955 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4956 remote = sp->ipcp.saved_hisaddr; 4957 else 4958 sppp_get_ip_addrs(sp, 0, &remote, 0); 4959 4960 /* 4961 * Pick the first AF_INET address from the list, 4962 * aliases don't make any sense on a p2p link anyway. 4963 */ 4964 4965 IFADDR_READER_FOREACH(ifa, ifp) { 4966 if (ifa->ifa_addr->sa_family == AF_INET) { 4967 si = (struct sockaddr_in *)ifa->ifa_addr; 4968 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4969 goto found; 4970 } 4971 } 4972 return; 4973 4974 found: 4975 { 4976 struct sockaddr_in new_sin = *si; 4977 struct sockaddr_in new_dst = *dest; 4978 int error; 4979 4980 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 4981 new_sin.sin_addr.s_addr = 0; 4982 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4983 new_dst.sin_addr.s_addr = sp->ipcp.saved_hisaddr; 4984 4985 LIST_REMOVE(ifatoia(ifa), ia_hash); 4986 IN_ADDRHASH_WRITER_REMOVE(ifatoia(ifa)); 4987 4988 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 4989 4990 LIST_INSERT_HEAD(&IN_IFADDR_HASH(ifatoia(ifa)->ia_addr.sin_addr.s_addr), 4991 ifatoia(ifa), ia_hash); 4992 IN_ADDRHASH_WRITER_INSERT_HEAD(ifatoia(ifa)); 4993 4994 if (debug && error) 4995 { 4996 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 4997 ifp->if_xname, __func__, error); 4998 } 4999 if (!error) { 5000 (void)pfil_run_hooks(if_pfil, 5001 (struct mbuf **)SIOCAIFADDR, ifp, PFIL_IFADDR); 5002 } 5003 } 5004 } 5005 #endif 5006 5007 #ifdef INET6 5008 /* 5009 * Get both IPv6 addresses. 5010 */ 5011 static void 5012 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 5013 struct in6_addr *srcmask) 5014 { 5015 struct ifnet *ifp = &sp->pp_if; 5016 struct ifaddr *ifa; 5017 struct sockaddr_in6 *si, *sm; 5018 struct in6_addr ssrc, ddst; 5019 5020 sm = NULL; 5021 memset(&ssrc, 0, sizeof(ssrc)); 5022 memset(&ddst, 0, sizeof(ddst)); 5023 /* 5024 * Pick the first link-local AF_INET6 address from the list, 5025 * aliases don't make any sense on a p2p link anyway. 5026 */ 5027 si = 0; 5028 IFADDR_READER_FOREACH(ifa, ifp) 5029 if (ifa->ifa_addr->sa_family == AF_INET6) { 5030 si = (struct sockaddr_in6 *)ifa->ifa_addr; 5031 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 5032 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) 5033 break; 5034 } 5035 if (ifa) { 5036 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 5037 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 5038 if (srcmask) { 5039 memcpy(srcmask, &sm->sin6_addr, 5040 sizeof(*srcmask)); 5041 } 5042 } 5043 5044 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 5045 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 5046 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 5047 } 5048 5049 if (dst) 5050 memcpy(dst, &ddst, sizeof(*dst)); 5051 if (src) 5052 memcpy(src, &ssrc, sizeof(*src)); 5053 } 5054 5055 #ifdef IPV6CP_MYIFID_DYN 5056 /* 5057 * Generate random ifid. 5058 */ 5059 static void 5060 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5061 { 5062 /* TBD */ 5063 } 5064 5065 /* 5066 * Set my IPv6 address. Must be called at splnet. 5067 */ 5068 static void 5069 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5070 { 5071 STDDCL; 5072 struct ifaddr *ifa; 5073 struct sockaddr_in6 *sin6; 5074 5075 /* 5076 * Pick the first link-local AF_INET6 address from the list, 5077 * aliases don't make any sense on a p2p link anyway. 5078 */ 5079 5080 sin6 = NULL; 5081 IFADDR_READER_FOREACH(ifa, ifp) 5082 { 5083 if (ifa->ifa_addr->sa_family == AF_INET6) 5084 { 5085 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5086 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 5087 break; 5088 } 5089 } 5090 5091 if (ifa && sin6) 5092 { 5093 int error; 5094 struct sockaddr_in6 new_sin6 = *sin6; 5095 5096 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 5097 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5098 if (debug && error) 5099 { 5100 log(LOG_DEBUG, "%s: %s: in6_ifinit failed, error=%d\n", 5101 ifp->if_xname, __func__, error); 5102 } 5103 if (!error) { 5104 (void)pfil_run_hooks(if_pfil, 5105 (struct mbuf **)SIOCAIFADDR_IN6, ifp, PFIL_IFADDR); 5106 } 5107 } 5108 } 5109 #endif 5110 5111 /* 5112 * Suggest a candidate address to be used by peer. 5113 */ 5114 static void 5115 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5116 { 5117 struct in6_addr myaddr; 5118 struct timeval tv; 5119 5120 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5121 5122 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5123 microtime(&tv); 5124 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5125 myaddr.s6_addr[14] ^= 0xff; 5126 myaddr.s6_addr[15] ^= 0xff; 5127 } else { 5128 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5129 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5130 } 5131 if (suggest) 5132 memcpy(suggest, &myaddr, sizeof(myaddr)); 5133 } 5134 #endif /*INET6*/ 5135 5136 /* 5137 * Process ioctl requests specific to the PPP interface. 5138 * Permissions have already been checked. 5139 */ 5140 static int 5141 sppp_params(struct sppp *sp, u_long cmd, void *data) 5142 { 5143 switch (cmd) { 5144 case SPPPGETAUTHCFG: 5145 { 5146 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5147 int error; 5148 size_t len; 5149 5150 cfg->myauthflags = sp->myauth.flags; 5151 cfg->hisauthflags = sp->hisauth.flags; 5152 strlcpy(cfg->ifname, sp->pp_if.if_xname, sizeof(cfg->ifname)); 5153 cfg->hisauth = 0; 5154 if (sp->hisauth.proto) 5155 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5156 cfg->myauth = 0; 5157 if (sp->myauth.proto) 5158 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5159 if (cfg->myname_length == 0) { 5160 if (sp->myauth.name != NULL) 5161 cfg->myname_length = sp->myauth.name_len + 1; 5162 } else { 5163 if (sp->myauth.name == NULL) { 5164 cfg->myname_length = 0; 5165 } else { 5166 len = sp->myauth.name_len + 1; 5167 if (cfg->myname_length < len) 5168 return (ENAMETOOLONG); 5169 error = copyout(sp->myauth.name, cfg->myname, len); 5170 if (error) return error; 5171 } 5172 } 5173 if (cfg->hisname_length == 0) { 5174 if (sp->hisauth.name != NULL) 5175 cfg->hisname_length = sp->hisauth.name_len + 1; 5176 } else { 5177 if (sp->hisauth.name == NULL) { 5178 cfg->hisname_length = 0; 5179 } else { 5180 len = sp->hisauth.name_len + 1; 5181 if (cfg->hisname_length < len) 5182 return (ENAMETOOLONG); 5183 error = copyout(sp->hisauth.name, cfg->hisname, len); 5184 if (error) return error; 5185 } 5186 } 5187 } 5188 break; 5189 case SPPPSETAUTHCFG: 5190 { 5191 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5192 int error; 5193 5194 if (sp->myauth.name) { 5195 free(sp->myauth.name, M_DEVBUF); 5196 sp->myauth.name = NULL; 5197 } 5198 if (sp->myauth.secret) { 5199 free(sp->myauth.secret, M_DEVBUF); 5200 sp->myauth.secret = NULL; 5201 } 5202 if (sp->hisauth.name) { 5203 free(sp->hisauth.name, M_DEVBUF); 5204 sp->hisauth.name = NULL; 5205 } 5206 if (sp->hisauth.secret) { 5207 free(sp->hisauth.secret, M_DEVBUF); 5208 sp->hisauth.secret = NULL; 5209 } 5210 5211 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 5212 if (cfg->hisname_length >= MCLBYTES) 5213 return (ENAMETOOLONG); 5214 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 5215 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 5216 if (error) { 5217 free(sp->hisauth.name, M_DEVBUF); 5218 sp->hisauth.name = NULL; 5219 return error; 5220 } 5221 sp->hisauth.name_len = cfg->hisname_length - 1; 5222 sp->hisauth.name[sp->hisauth.name_len] = 0; 5223 } 5224 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 5225 if (cfg->hissecret_length >= MCLBYTES) 5226 return (ENAMETOOLONG); 5227 sp->hisauth.secret = malloc(cfg->hissecret_length, M_DEVBUF, M_WAITOK); 5228 error = copyin(cfg->hissecret, sp->hisauth.secret, cfg->hissecret_length); 5229 if (error) { 5230 free(sp->hisauth.secret, M_DEVBUF); 5231 sp->hisauth.secret = NULL; 5232 return error; 5233 } 5234 sp->hisauth.secret_len = cfg->hissecret_length - 1; 5235 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 5236 } 5237 if (cfg->myname != NULL && cfg->myname_length > 0) { 5238 if (cfg->myname_length >= MCLBYTES) 5239 return (ENAMETOOLONG); 5240 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 5241 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 5242 if (error) { 5243 free(sp->myauth.name, M_DEVBUF); 5244 sp->myauth.name = NULL; 5245 return error; 5246 } 5247 sp->myauth.name_len = cfg->myname_length - 1; 5248 sp->myauth.name[sp->myauth.name_len] = 0; 5249 } 5250 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 5251 if (cfg->mysecret_length >= MCLBYTES) 5252 return (ENAMETOOLONG); 5253 sp->myauth.secret = malloc(cfg->mysecret_length, M_DEVBUF, M_WAITOK); 5254 error = copyin(cfg->mysecret, sp->myauth.secret, cfg->mysecret_length); 5255 if (error) { 5256 free(sp->myauth.secret, M_DEVBUF); 5257 sp->myauth.secret = NULL; 5258 return error; 5259 } 5260 sp->myauth.secret_len = cfg->mysecret_length - 1; 5261 sp->myauth.secret[sp->myauth.secret_len] = 0; 5262 } 5263 sp->myauth.flags = cfg->myauthflags; 5264 if (cfg->myauth) 5265 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5266 sp->hisauth.flags = cfg->hisauthflags; 5267 if (cfg->hisauth) 5268 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5269 sp->pp_auth_failures = 0; 5270 if (sp->hisauth.proto != 0) 5271 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 5272 else 5273 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 5274 } 5275 break; 5276 case SPPPGETLCPCFG: 5277 { 5278 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5279 lcpp->lcp_timeout = sp->lcp.timeout; 5280 } 5281 break; 5282 case SPPPSETLCPCFG: 5283 { 5284 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5285 sp->lcp.timeout = lcpp->lcp_timeout; 5286 } 5287 break; 5288 case SPPPGETSTATUS: 5289 { 5290 struct spppstatus *status = (struct spppstatus *)data; 5291 status->phase = sp->pp_phase; 5292 } 5293 break; 5294 case SPPPGETSTATUSNCP: 5295 { 5296 struct spppstatusncp *status = (struct spppstatusncp *)data; 5297 status->phase = sp->pp_phase; 5298 status->ncpup = sppp_ncp_check(sp); 5299 } 5300 break; 5301 case SPPPGETIDLETO: 5302 { 5303 struct spppidletimeout *to = (struct spppidletimeout *)data; 5304 to->idle_seconds = sp->pp_idle_timeout; 5305 } 5306 break; 5307 case SPPPSETIDLETO: 5308 { 5309 struct spppidletimeout *to = (struct spppidletimeout *)data; 5310 sp->pp_idle_timeout = to->idle_seconds; 5311 } 5312 break; 5313 case SPPPSETAUTHFAILURE: 5314 { 5315 struct spppauthfailuresettings *afsettings = (struct spppauthfailuresettings *)data; 5316 sp->pp_max_auth_fail = afsettings->max_failures; 5317 sp->pp_auth_failures = 0; 5318 } 5319 break; 5320 case SPPPGETAUTHFAILURES: 5321 { 5322 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 5323 stats->auth_failures = sp->pp_auth_failures; 5324 stats->max_failures = sp->pp_max_auth_fail; 5325 } 5326 break; 5327 case SPPPSETDNSOPTS: 5328 { 5329 struct spppdnssettings *req = (struct spppdnssettings *)data; 5330 sp->query_dns = req->query_dns & 3; 5331 } 5332 break; 5333 case SPPPGETDNSOPTS: 5334 { 5335 struct spppdnssettings *req = (struct spppdnssettings *)data; 5336 req->query_dns = sp->query_dns; 5337 } 5338 break; 5339 case SPPPGETDNSADDRS: 5340 { 5341 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 5342 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 5343 } 5344 break; 5345 case SPPPGETKEEPALIVE: 5346 { 5347 struct spppkeepalivesettings *settings = 5348 (struct spppkeepalivesettings*)data; 5349 settings->maxalive = sp->pp_maxalive; 5350 settings->max_noreceive = sp->pp_max_noreceive; 5351 } 5352 break; 5353 case SPPPSETKEEPALIVE: 5354 { 5355 struct spppkeepalivesettings *settings = 5356 (struct spppkeepalivesettings*)data; 5357 sp->pp_maxalive = settings->maxalive; 5358 sp->pp_max_noreceive = settings->max_noreceive; 5359 } 5360 break; 5361 #if defined(COMPAT_50) || defined(MODULAR) 5362 case __SPPPGETIDLETO50: 5363 { 5364 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5365 to->idle_seconds = (uint32_t)sp->pp_idle_timeout; 5366 } 5367 break; 5368 case __SPPPSETIDLETO50: 5369 { 5370 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5371 sp->pp_idle_timeout = (time_t)to->idle_seconds; 5372 } 5373 break; 5374 case __SPPPGETKEEPALIVE50: 5375 { 5376 struct spppkeepalivesettings50 *settings = 5377 (struct spppkeepalivesettings50*)data; 5378 settings->maxalive = sp->pp_maxalive; 5379 settings->max_noreceive = (uint32_t)sp->pp_max_noreceive; 5380 } 5381 break; 5382 case __SPPPSETKEEPALIVE50: 5383 { 5384 struct spppkeepalivesettings50 *settings = 5385 (struct spppkeepalivesettings50*)data; 5386 sp->pp_maxalive = settings->maxalive; 5387 sp->pp_max_noreceive = (time_t)settings->max_noreceive; 5388 } 5389 break; 5390 #endif /* COMPAT_50 || MODULAR */ 5391 default: 5392 return (EINVAL); 5393 } 5394 5395 return (0); 5396 } 5397 5398 static void 5399 sppp_phase_network(struct sppp *sp) 5400 { 5401 STDDCL; 5402 int i; 5403 uint32_t mask; 5404 5405 sp->pp_phase = SPPP_PHASE_NETWORK; 5406 5407 if (debug) 5408 { 5409 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 5410 sppp_phase_name(sp->pp_phase)); 5411 } 5412 5413 /* Notify NCPs now. */ 5414 for (i = 0; i < IDX_COUNT; i++) 5415 if ((cps[i])->flags & CP_NCP) 5416 (cps[i])->Open(sp); 5417 5418 /* Send Up events to all NCPs. */ 5419 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5420 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) 5421 (cps[i])->Up(sp); 5422 5423 /* if no NCP is starting, all this was in vain, close down */ 5424 sppp_lcp_check_and_close(sp); 5425 } 5426 5427 5428 static const char * 5429 sppp_cp_type_name(u_char type) 5430 { 5431 static char buf[12]; 5432 switch (type) { 5433 case CONF_REQ: return "conf-req"; 5434 case CONF_ACK: return "conf-ack"; 5435 case CONF_NAK: return "conf-nak"; 5436 case CONF_REJ: return "conf-rej"; 5437 case TERM_REQ: return "term-req"; 5438 case TERM_ACK: return "term-ack"; 5439 case CODE_REJ: return "code-rej"; 5440 case PROTO_REJ: return "proto-rej"; 5441 case ECHO_REQ: return "echo-req"; 5442 case ECHO_REPLY: return "echo-reply"; 5443 case DISC_REQ: return "discard-req"; 5444 } 5445 snprintf(buf, sizeof(buf), "0x%x", type); 5446 return buf; 5447 } 5448 5449 static const char * 5450 sppp_auth_type_name(u_short proto, u_char type) 5451 { 5452 static char buf[32]; 5453 const char *name; 5454 5455 switch (proto) { 5456 case PPP_CHAP: 5457 switch (type) { 5458 case CHAP_CHALLENGE: return "challenge"; 5459 case CHAP_RESPONSE: return "response"; 5460 case CHAP_SUCCESS: return "success"; 5461 case CHAP_FAILURE: return "failure"; 5462 default: name = "chap"; break; 5463 } 5464 break; 5465 5466 case PPP_PAP: 5467 switch (type) { 5468 case PAP_REQ: return "req"; 5469 case PAP_ACK: return "ack"; 5470 case PAP_NAK: return "nak"; 5471 default: name = "pap"; break; 5472 } 5473 break; 5474 5475 default: 5476 name = "bad"; 5477 break; 5478 } 5479 5480 snprintf(buf, sizeof(buf), "%s(%#x) %#x", name, proto, type); 5481 return buf; 5482 } 5483 5484 static const char * 5485 sppp_lcp_opt_name(u_char opt) 5486 { 5487 static char buf[12]; 5488 switch (opt) { 5489 case LCP_OPT_MRU: return "mru"; 5490 case LCP_OPT_ASYNC_MAP: return "async-map"; 5491 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 5492 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 5493 case LCP_OPT_MAGIC: return "magic"; 5494 case LCP_OPT_PROTO_COMP: return "proto-comp"; 5495 case LCP_OPT_ADDR_COMP: return "addr-comp"; 5496 } 5497 snprintf(buf, sizeof(buf), "0x%x", opt); 5498 return buf; 5499 } 5500 5501 static const char * 5502 sppp_ipcp_opt_name(u_char opt) 5503 { 5504 static char buf[12]; 5505 switch (opt) { 5506 case IPCP_OPT_ADDRESSES: return "addresses"; 5507 case IPCP_OPT_COMPRESSION: return "compression"; 5508 case IPCP_OPT_ADDRESS: return "address"; 5509 } 5510 snprintf(buf, sizeof(buf), "0x%x", opt); 5511 return buf; 5512 } 5513 5514 #ifdef INET6 5515 static const char * 5516 sppp_ipv6cp_opt_name(u_char opt) 5517 { 5518 static char buf[12]; 5519 switch (opt) { 5520 case IPV6CP_OPT_IFID: return "ifid"; 5521 case IPV6CP_OPT_COMPRESSION: return "compression"; 5522 } 5523 snprintf(buf, sizeof(buf), "0x%x", opt); 5524 return buf; 5525 } 5526 #endif 5527 5528 static const char * 5529 sppp_state_name(int state) 5530 { 5531 switch (state) { 5532 case STATE_INITIAL: return "initial"; 5533 case STATE_STARTING: return "starting"; 5534 case STATE_CLOSED: return "closed"; 5535 case STATE_STOPPED: return "stopped"; 5536 case STATE_CLOSING: return "closing"; 5537 case STATE_STOPPING: return "stopping"; 5538 case STATE_REQ_SENT: return "req-sent"; 5539 case STATE_ACK_RCVD: return "ack-rcvd"; 5540 case STATE_ACK_SENT: return "ack-sent"; 5541 case STATE_OPENED: return "opened"; 5542 } 5543 return "illegal"; 5544 } 5545 5546 static const char * 5547 sppp_phase_name(int phase) 5548 { 5549 switch (phase) { 5550 case SPPP_PHASE_DEAD: return "dead"; 5551 case SPPP_PHASE_ESTABLISH: return "establish"; 5552 case SPPP_PHASE_TERMINATE: return "terminate"; 5553 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 5554 case SPPP_PHASE_NETWORK: return "network"; 5555 } 5556 return "illegal"; 5557 } 5558 5559 static const char * 5560 sppp_proto_name(u_short proto) 5561 { 5562 static char buf[12]; 5563 switch (proto) { 5564 case PPP_LCP: return "lcp"; 5565 case PPP_IPCP: return "ipcp"; 5566 case PPP_PAP: return "pap"; 5567 case PPP_CHAP: return "chap"; 5568 case PPP_IPV6CP: return "ipv6cp"; 5569 } 5570 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto); 5571 return buf; 5572 } 5573 5574 static void 5575 sppp_print_bytes(const u_char *p, u_short len) 5576 { 5577 addlog(" %02x", *p++); 5578 while (--len > 0) 5579 addlog("-%02x", *p++); 5580 } 5581 5582 static void 5583 sppp_print_string(const char *p, u_short len) 5584 { 5585 u_char c; 5586 5587 while (len-- > 0) { 5588 c = *p++; 5589 /* 5590 * Print only ASCII chars directly. RFC 1994 recommends 5591 * using only them, but we don't rely on it. */ 5592 if (c < ' ' || c > '~') 5593 addlog("\\x%x", c); 5594 else 5595 addlog("%c", c); 5596 } 5597 } 5598 5599 static const char * 5600 sppp_dotted_quad(uint32_t addr) 5601 { 5602 static char s[16]; 5603 snprintf(s, sizeof(s), "%d.%d.%d.%d", 5604 (int)((addr >> 24) & 0xff), 5605 (int)((addr >> 16) & 0xff), 5606 (int)((addr >> 8) & 0xff), 5607 (int)(addr & 0xff)); 5608 return s; 5609 } 5610 5611 /* a dummy, used to drop uninteresting events */ 5612 static void 5613 sppp_null(struct sppp *unused) 5614 { 5615 /* do just nothing */ 5616 } 5617 /* 5618 * This file is large. Tell emacs to highlight it nevertheless. 5619 * 5620 * Local Variables: 5621 * hilit-auto-highlight-maxout: 120000 5622 * End: 5623 */ 5624
Indexes created Tue Oct 14 11:09:46 GMT 2025