if_spppsubr.c revision 1.149
1 /* $NetBSD: if_spppsubr.c,v 1.149 2016/09/13 19:51:12 joerg Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak (at) cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun (at) iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.149 2016/09/13 19:51:12 joerg Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_modular.h" 49 #include "opt_compat_netbsd.h" 50 #endif 51 52 53 #include <sys/param.h> 54 #include <sys/proc.h> 55 #include <sys/systm.h> 56 #include <sys/kernel.h> 57 #include <sys/sockio.h> 58 #include <sys/socket.h> 59 #include <sys/syslog.h> 60 #include <sys/malloc.h> 61 #include <sys/mbuf.h> 62 #include <sys/callout.h> 63 #include <sys/md5.h> 64 #include <sys/inttypes.h> 65 #include <sys/kauth.h> 66 #include <sys/cprng.h> 67 #include <sys/module.h> 68 69 #include <net/if.h> 70 #include <net/netisr.h> 71 #include <net/if_types.h> 72 #include <net/route.h> 73 #include <net/ppp_defs.h> 74 75 #include <netinet/in.h> 76 #include <netinet/in_systm.h> 77 #include <netinet/in_var.h> 78 #ifdef INET 79 #include <netinet/ip.h> 80 #include <netinet/tcp.h> 81 #endif 82 #include <net/ethertypes.h> 83 84 #ifdef INET6 85 #include <netinet6/scope6_var.h> 86 #endif 87 88 #include <net/if_sppp.h> 89 #include <net/if_spppvar.h> 90 91 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 92 #define LOOPALIVECNT 3 /* loopback detection tries */ 93 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 94 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 95 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 96 97 /* 98 * Interface flags that can be set in an ifconfig command. 99 * 100 * Setting link0 will make the link passive, i.e. it will be marked 101 * as being administrative openable, but won't be opened to begin 102 * with. Incoming calls will be answered, or subsequent calls with 103 * -link1 will cause the administrative open of the LCP layer. 104 * 105 * Setting link1 will cause the link to auto-dial only as packets 106 * arrive to be sent. 107 * 108 * Setting IFF_DEBUG will syslog the option negotiation and state 109 * transitions at level kern.debug. Note: all logs consistently look 110 * like 111 * 112 * <if-name><unit>: <proto-name> <additional info...> 113 * 114 * with <if-name><unit> being something like "bppp0", and <proto-name> 115 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 116 */ 117 118 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 119 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 120 121 #define CONF_REQ 1 /* PPP configure request */ 122 #define CONF_ACK 2 /* PPP configure acknowledge */ 123 #define CONF_NAK 3 /* PPP configure negative ack */ 124 #define CONF_REJ 4 /* PPP configure reject */ 125 #define TERM_REQ 5 /* PPP terminate request */ 126 #define TERM_ACK 6 /* PPP terminate acknowledge */ 127 #define CODE_REJ 7 /* PPP code reject */ 128 #define PROTO_REJ 8 /* PPP protocol reject */ 129 #define ECHO_REQ 9 /* PPP echo request */ 130 #define ECHO_REPLY 10 /* PPP echo reply */ 131 #define DISC_REQ 11 /* PPP discard request */ 132 133 #define LCP_OPT_MRU 1 /* maximum receive unit */ 134 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 135 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 136 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 137 #define LCP_OPT_MAGIC 5 /* magic number */ 138 #define LCP_OPT_RESERVED 6 /* reserved */ 139 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 140 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 141 142 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 143 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 144 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 145 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 146 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 147 148 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 149 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 150 151 #define PAP_REQ 1 /* PAP name/password request */ 152 #define PAP_ACK 2 /* PAP acknowledge */ 153 #define PAP_NAK 3 /* PAP fail */ 154 155 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 156 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 157 #define CHAP_SUCCESS 3 /* CHAP response ok */ 158 #define CHAP_FAILURE 4 /* CHAP response failed */ 159 160 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 161 162 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 163 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 164 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 165 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 166 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 167 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 168 169 /* states are named and numbered according to RFC 1661 */ 170 #define STATE_INITIAL 0 171 #define STATE_STARTING 1 172 #define STATE_CLOSED 2 173 #define STATE_STOPPED 3 174 #define STATE_CLOSING 4 175 #define STATE_STOPPING 5 176 #define STATE_REQ_SENT 6 177 #define STATE_ACK_RCVD 7 178 #define STATE_ACK_SENT 8 179 #define STATE_OPENED 9 180 181 struct ppp_header { 182 uint8_t address; 183 uint8_t control; 184 uint16_t protocol; 185 } __packed; 186 #define PPP_HEADER_LEN sizeof (struct ppp_header) 187 188 struct lcp_header { 189 uint8_t type; 190 uint8_t ident; 191 uint16_t len; 192 } __packed; 193 #define LCP_HEADER_LEN sizeof (struct lcp_header) 194 195 struct cisco_packet { 196 uint32_t type; 197 uint32_t par1; 198 uint32_t par2; 199 uint16_t rel; 200 uint16_t time0; 201 uint16_t time1; 202 } __packed; 203 #define CISCO_PACKET_LEN 18 204 205 /* 206 * We follow the spelling and capitalization of RFC 1661 here, to make 207 * it easier comparing with the standard. Please refer to this RFC in 208 * case you can't make sense out of these abbreviation; it will also 209 * explain the semantics related to the various events and actions. 210 */ 211 struct cp { 212 u_short proto; /* PPP control protocol number */ 213 u_char protoidx; /* index into state table in struct sppp */ 214 u_char flags; 215 #define CP_LCP 0x01 /* this is the LCP */ 216 #define CP_AUTH 0x02 /* this is an authentication protocol */ 217 #define CP_NCP 0x04 /* this is a NCP */ 218 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 219 const char *name; /* name of this control protocol */ 220 /* event handlers */ 221 void (*Up)(struct sppp *sp); 222 void (*Down)(struct sppp *sp); 223 void (*Open)(struct sppp *sp); 224 void (*Close)(struct sppp *sp); 225 void (*TO)(void *sp); 226 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 227 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 228 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 229 /* actions */ 230 void (*tlu)(struct sppp *sp); 231 void (*tld)(struct sppp *sp); 232 void (*tls)(struct sppp *sp); 233 void (*tlf)(struct sppp *sp); 234 void (*scr)(struct sppp *sp); 235 }; 236 237 static struct sppp *spppq; 238 static callout_t keepalive_ch; 239 240 #ifdef INET 241 /* 242 * The following disgusting hack gets around the problem that IP TOS 243 * can't be set yet. We want to put "interactive" traffic on a high 244 * priority queue. To decide if traffic is interactive, we check that 245 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 246 * 247 * XXX is this really still necessary? - joerg - 248 */ 249 static u_short interactive_ports[8] = { 250 0, 513, 0, 0, 251 0, 21, 0, 23, 252 }; 253 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 254 #endif 255 256 /* almost every function needs these */ 257 #define STDDCL \ 258 struct ifnet *ifp = &sp->pp_if; \ 259 int debug = ifp->if_flags & IFF_DEBUG 260 261 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 262 const struct sockaddr *dst, const struct rtentry *rt); 263 264 static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2); 265 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 266 267 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 268 struct mbuf *m); 269 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 270 u_char ident, u_short len, void *data); 271 /* static void sppp_cp_timeout(void *arg); */ 272 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 273 int newstate); 274 static void sppp_auth_send(const struct cp *cp, 275 struct sppp *sp, unsigned int type, unsigned int id, 276 ...); 277 278 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 279 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 280 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 281 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 282 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 283 284 static void sppp_null(struct sppp *sp); 285 286 static void sppp_lcp_init(struct sppp *sp); 287 static void sppp_lcp_up(struct sppp *sp); 288 static void sppp_lcp_down(struct sppp *sp); 289 static void sppp_lcp_open(struct sppp *sp); 290 static void sppp_lcp_close(struct sppp *sp); 291 static void sppp_lcp_TO(void *sp); 292 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 293 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 294 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 295 static void sppp_lcp_tlu(struct sppp *sp); 296 static void sppp_lcp_tld(struct sppp *sp); 297 static void sppp_lcp_tls(struct sppp *sp); 298 static void sppp_lcp_tlf(struct sppp *sp); 299 static void sppp_lcp_scr(struct sppp *sp); 300 static void sppp_lcp_check_and_close(struct sppp *sp); 301 static int sppp_ncp_check(struct sppp *sp); 302 303 static void sppp_ipcp_init(struct sppp *sp); 304 static void sppp_ipcp_up(struct sppp *sp); 305 static void sppp_ipcp_down(struct sppp *sp); 306 static void sppp_ipcp_open(struct sppp *sp); 307 static void sppp_ipcp_close(struct sppp *sp); 308 static void sppp_ipcp_TO(void *sp); 309 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 310 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 311 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 312 static void sppp_ipcp_tlu(struct sppp *sp); 313 static void sppp_ipcp_tld(struct sppp *sp); 314 static void sppp_ipcp_tls(struct sppp *sp); 315 static void sppp_ipcp_tlf(struct sppp *sp); 316 static void sppp_ipcp_scr(struct sppp *sp); 317 318 static void sppp_ipv6cp_init(struct sppp *sp); 319 static void sppp_ipv6cp_up(struct sppp *sp); 320 static void sppp_ipv6cp_down(struct sppp *sp); 321 static void sppp_ipv6cp_open(struct sppp *sp); 322 static void sppp_ipv6cp_close(struct sppp *sp); 323 static void sppp_ipv6cp_TO(void *sp); 324 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 325 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 326 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 327 static void sppp_ipv6cp_tlu(struct sppp *sp); 328 static void sppp_ipv6cp_tld(struct sppp *sp); 329 static void sppp_ipv6cp_tls(struct sppp *sp); 330 static void sppp_ipv6cp_tlf(struct sppp *sp); 331 static void sppp_ipv6cp_scr(struct sppp *sp); 332 333 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 334 static void sppp_pap_init(struct sppp *sp); 335 static void sppp_pap_open(struct sppp *sp); 336 static void sppp_pap_close(struct sppp *sp); 337 static void sppp_pap_TO(void *sp); 338 static void sppp_pap_my_TO(void *sp); 339 static void sppp_pap_tlu(struct sppp *sp); 340 static void sppp_pap_tld(struct sppp *sp); 341 static void sppp_pap_scr(struct sppp *sp); 342 343 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 344 static void sppp_chap_init(struct sppp *sp); 345 static void sppp_chap_open(struct sppp *sp); 346 static void sppp_chap_close(struct sppp *sp); 347 static void sppp_chap_TO(void *sp); 348 static void sppp_chap_tlu(struct sppp *sp); 349 static void sppp_chap_tld(struct sppp *sp); 350 static void sppp_chap_scr(struct sppp *sp); 351 352 static const char *sppp_auth_type_name(u_short proto, u_char type); 353 static const char *sppp_cp_type_name(u_char type); 354 static const char *sppp_dotted_quad(uint32_t addr); 355 static const char *sppp_ipcp_opt_name(u_char opt); 356 #ifdef INET6 357 static const char *sppp_ipv6cp_opt_name(u_char opt); 358 #endif 359 static const char *sppp_lcp_opt_name(u_char opt); 360 static const char *sppp_phase_name(int phase); 361 static const char *sppp_proto_name(u_short proto); 362 static const char *sppp_state_name(int state); 363 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 364 #ifdef INET 365 static void sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, 366 uint32_t *srcmask); 367 static void sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr); 368 static void sppp_clear_ip_addrs(struct sppp *sp); 369 #endif 370 static void sppp_keepalive(void *dummy); 371 static void sppp_phase_network(struct sppp *sp); 372 static void sppp_print_bytes(const u_char *p, u_short len); 373 static void sppp_print_string(const char *p, u_short len); 374 #ifdef INET6 375 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 376 struct in6_addr *dst, struct in6_addr *srcmask); 377 #ifdef IPV6CP_MYIFID_DYN 378 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 379 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 380 #endif 381 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 382 #endif 383 384 /* our control protocol descriptors */ 385 static const struct cp lcp = { 386 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 387 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 388 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 389 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 390 sppp_lcp_scr 391 }; 392 393 static const struct cp ipcp = { 394 PPP_IPCP, IDX_IPCP, 395 #ifdef INET 396 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 397 #else 398 0, 399 #endif 400 "ipcp", 401 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 402 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 403 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 404 sppp_ipcp_scr 405 }; 406 407 static const struct cp ipv6cp = { 408 PPP_IPV6CP, IDX_IPV6CP, 409 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 410 CP_NCP, 411 #else 412 0, 413 #endif 414 "ipv6cp", 415 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 416 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 417 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 418 sppp_ipv6cp_scr 419 }; 420 421 static const struct cp pap = { 422 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 423 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 424 sppp_pap_TO, 0, 0, 0, 425 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 426 sppp_pap_scr 427 }; 428 429 static const struct cp chap = { 430 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 431 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 432 sppp_chap_TO, 0, 0, 0, 433 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 434 sppp_chap_scr 435 }; 436 437 static const struct cp *cps[IDX_COUNT] = { 438 &lcp, /* IDX_LCP */ 439 &ipcp, /* IDX_IPCP */ 440 &ipv6cp, /* IDX_IPV6CP */ 441 &pap, /* IDX_PAP */ 442 &chap, /* IDX_CHAP */ 443 }; 444 445 static void 446 sppp_change_phase(struct sppp *sp, int phase) 447 { 448 STDDCL; 449 450 if (sp->pp_phase == phase) 451 return; 452 453 sp->pp_phase = phase; 454 455 if (phase == SPPP_PHASE_NETWORK) 456 if_link_state_change(ifp, LINK_STATE_UP); 457 else 458 if_link_state_change(ifp, LINK_STATE_DOWN); 459 460 if (debug) 461 { 462 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 463 sppp_phase_name(sp->pp_phase)); 464 } 465 } 466 467 /* 468 * Exported functions, comprising our interface to the lower layer. 469 */ 470 471 /* 472 * Process the received packet. 473 */ 474 void 475 sppp_input(struct ifnet *ifp, struct mbuf *m) 476 { 477 struct ppp_header *h = NULL; 478 pktqueue_t *pktq = NULL; 479 struct ifqueue *inq = NULL; 480 uint16_t protocol; 481 int s; 482 struct sppp *sp = (struct sppp *)ifp; 483 int debug = ifp->if_flags & IFF_DEBUG; 484 int isr = 0; 485 486 if (ifp->if_flags & IFF_UP) { 487 /* Count received bytes, add hardware framing */ 488 ifp->if_ibytes += m->m_pkthdr.len + sp->pp_framebytes; 489 /* Note time of last receive */ 490 sp->pp_last_receive = time_uptime; 491 } 492 493 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 494 /* Too small packet, drop it. */ 495 if (debug) 496 log(LOG_DEBUG, 497 "%s: input packet is too small, %d bytes\n", 498 ifp->if_xname, m->m_pkthdr.len); 499 drop: 500 ++ifp->if_ierrors; 501 ++ifp->if_iqdrops; 502 m_freem(m); 503 return; 504 } 505 506 if (sp->pp_flags & PP_NOFRAMING) { 507 memcpy(&protocol, mtod(m, void *), 2); 508 protocol = ntohs(protocol); 509 m_adj(m, 2); 510 } else { 511 512 /* Get PPP header. */ 513 h = mtod(m, struct ppp_header *); 514 m_adj(m, PPP_HEADER_LEN); 515 516 switch (h->address) { 517 case PPP_ALLSTATIONS: 518 if (h->control != PPP_UI) 519 goto invalid; 520 if (sp->pp_flags & PP_CISCO) { 521 if (debug) 522 log(LOG_DEBUG, 523 "%s: PPP packet in Cisco mode " 524 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 525 ifp->if_xname, 526 h->address, h->control, ntohs(h->protocol)); 527 goto drop; 528 } 529 break; 530 case CISCO_MULTICAST: 531 case CISCO_UNICAST: 532 /* Don't check the control field here (RFC 1547). */ 533 if (! (sp->pp_flags & PP_CISCO)) { 534 if (debug) 535 log(LOG_DEBUG, 536 "%s: Cisco packet in PPP mode " 537 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 538 ifp->if_xname, 539 h->address, h->control, ntohs(h->protocol)); 540 goto drop; 541 } 542 switch (ntohs(h->protocol)) { 543 default: 544 ++ifp->if_noproto; 545 goto invalid; 546 case CISCO_KEEPALIVE: 547 sppp_cisco_input((struct sppp *) ifp, m); 548 m_freem(m); 549 return; 550 #ifdef INET 551 case ETHERTYPE_IP: 552 pktq = ip_pktq; 553 break; 554 #endif 555 #ifdef INET6 556 case ETHERTYPE_IPV6: 557 pktq = ip6_pktq; 558 break; 559 #endif 560 } 561 goto queue_pkt; 562 default: /* Invalid PPP packet. */ 563 invalid: 564 if (debug) 565 log(LOG_DEBUG, 566 "%s: invalid input packet " 567 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 568 ifp->if_xname, 569 h->address, h->control, ntohs(h->protocol)); 570 goto drop; 571 } 572 protocol = ntohs(h->protocol); 573 } 574 575 switch (protocol) { 576 default: 577 if (sp->state[IDX_LCP] == STATE_OPENED) { 578 uint16_t prot = htons(protocol); 579 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 580 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 581 &prot); 582 } 583 if (debug) 584 log(LOG_DEBUG, 585 "%s: invalid input protocol " 586 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol)); 587 ++ifp->if_noproto; 588 goto drop; 589 case PPP_LCP: 590 sppp_cp_input(&lcp, sp, m); 591 m_freem(m); 592 return; 593 case PPP_PAP: 594 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 595 sppp_pap_input(sp, m); 596 m_freem(m); 597 return; 598 case PPP_CHAP: 599 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 600 sppp_chap_input(sp, m); 601 m_freem(m); 602 return; 603 #ifdef INET 604 case PPP_IPCP: 605 if (sp->pp_phase == SPPP_PHASE_NETWORK) 606 sppp_cp_input(&ipcp, sp, m); 607 m_freem(m); 608 return; 609 case PPP_IP: 610 if (sp->state[IDX_IPCP] == STATE_OPENED) { 611 sp->pp_last_activity = time_uptime; 612 pktq = ip_pktq; 613 } 614 break; 615 #endif 616 #ifdef INET6 617 case PPP_IPV6CP: 618 if (sp->pp_phase == SPPP_PHASE_NETWORK) 619 sppp_cp_input(&ipv6cp, sp, m); 620 m_freem(m); 621 return; 622 623 case PPP_IPV6: 624 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 625 sp->pp_last_activity = time_uptime; 626 pktq = ip6_pktq; 627 } 628 break; 629 #endif 630 } 631 632 queue_pkt: 633 if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) { 634 goto drop; 635 } 636 637 /* Check queue. */ 638 if (__predict_true(pktq)) { 639 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 640 goto drop; 641 } 642 return; 643 } 644 645 s = splnet(); 646 if (IF_QFULL(inq)) { 647 /* Queue overflow. */ 648 IF_DROP(inq); 649 splx(s); 650 if (debug) 651 log(LOG_DEBUG, "%s: protocol queue overflow\n", 652 ifp->if_xname); 653 goto drop; 654 } 655 IF_ENQUEUE(inq, m); 656 schednetisr(isr); 657 splx(s); 658 } 659 660 /* 661 * Enqueue transmit packet. 662 */ 663 static int 664 sppp_output(struct ifnet *ifp, struct mbuf *m, 665 const struct sockaddr *dst, const struct rtentry *rt) 666 { 667 struct sppp *sp = (struct sppp *) ifp; 668 struct ppp_header *h = NULL; 669 struct ifqueue *ifq = NULL; /* XXX */ 670 int s, error = 0; 671 uint16_t protocol; 672 673 s = splnet(); 674 675 sp->pp_last_activity = time_uptime; 676 677 if ((ifp->if_flags & IFF_UP) == 0 || 678 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 679 m_freem(m); 680 splx(s); 681 return (ENETDOWN); 682 } 683 684 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 685 /* 686 * Interface is not yet running, but auto-dial. Need 687 * to start LCP for it. 688 */ 689 ifp->if_flags |= IFF_RUNNING; 690 splx(s); 691 lcp.Open(sp); 692 s = splnet(); 693 } 694 695 /* 696 * If the queueing discipline needs packet classification, 697 * do it before prepending link headers. 698 */ 699 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family); 700 701 #ifdef INET 702 if (dst->sa_family == AF_INET) { 703 struct ip *ip = NULL; 704 struct tcphdr *th = NULL; 705 706 if (m->m_len >= sizeof(struct ip)) { 707 ip = mtod(m, struct ip *); 708 if (ip->ip_p == IPPROTO_TCP && 709 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 710 sizeof(struct tcphdr)) { 711 th = (struct tcphdr *) 712 ((char *)ip + (ip->ip_hl << 2)); 713 } 714 } else 715 ip = NULL; 716 717 /* 718 * When using dynamic local IP address assignment by using 719 * 0.0.0.0 as a local address, the first TCP session will 720 * not connect because the local TCP checksum is computed 721 * using 0.0.0.0 which will later become our real IP address 722 * so the TCP checksum computed at the remote end will 723 * become invalid. So we 724 * - don't let packets with src ip addr 0 thru 725 * - we flag TCP packets with src ip 0 as an error 726 */ 727 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 728 uint8_t proto = ip->ip_p; 729 730 m_freem(m); 731 splx(s); 732 if (proto == IPPROTO_TCP) 733 return (EADDRNOTAVAIL); 734 else 735 return (0); 736 } 737 738 /* 739 * Put low delay, telnet, rlogin and ftp control packets 740 * in front of the queue. 741 */ 742 743 if (!IF_QFULL(&sp->pp_fastq) && 744 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 745 (th && (INTERACTIVE(ntohs(th->th_sport)) || 746 INTERACTIVE(ntohs(th->th_dport)))))) 747 ifq = &sp->pp_fastq; 748 } 749 #endif 750 751 #ifdef INET6 752 if (dst->sa_family == AF_INET6) { 753 /* XXX do something tricky here? */ 754 } 755 #endif 756 757 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 758 /* 759 * Prepend general data packet PPP header. For now, IP only. 760 */ 761 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 762 if (! m) { 763 if (ifp->if_flags & IFF_DEBUG) 764 log(LOG_DEBUG, "%s: no memory for transmit header\n", 765 ifp->if_xname); 766 ++ifp->if_oerrors; 767 splx(s); 768 return (ENOBUFS); 769 } 770 /* 771 * May want to check size of packet 772 * (albeit due to the implementation it's always enough) 773 */ 774 h = mtod(m, struct ppp_header *); 775 if (sp->pp_flags & PP_CISCO) { 776 h->address = CISCO_UNICAST; /* unicast address */ 777 h->control = 0; 778 } else { 779 h->address = PPP_ALLSTATIONS; /* broadcast address */ 780 h->control = PPP_UI; /* Unnumbered Info */ 781 } 782 } 783 784 switch (dst->sa_family) { 785 #ifdef INET 786 case AF_INET: /* Internet Protocol */ 787 if (sp->pp_flags & PP_CISCO) 788 protocol = htons(ETHERTYPE_IP); 789 else { 790 /* 791 * Don't choke with an ENETDOWN early. It's 792 * possible that we just started dialing out, 793 * so don't drop the packet immediately. If 794 * we notice that we run out of buffer space 795 * below, we will however remember that we are 796 * not ready to carry IP packets, and return 797 * ENETDOWN, as opposed to ENOBUFS. 798 */ 799 protocol = htons(PPP_IP); 800 if (sp->state[IDX_IPCP] != STATE_OPENED) 801 error = ENETDOWN; 802 } 803 break; 804 #endif 805 #ifdef INET6 806 case AF_INET6: /* Internet Protocol version 6 */ 807 if (sp->pp_flags & PP_CISCO) 808 protocol = htons(ETHERTYPE_IPV6); 809 else { 810 /* 811 * Don't choke with an ENETDOWN early. It's 812 * possible that we just started dialing out, 813 * so don't drop the packet immediately. If 814 * we notice that we run out of buffer space 815 * below, we will however remember that we are 816 * not ready to carry IP packets, and return 817 * ENETDOWN, as opposed to ENOBUFS. 818 */ 819 protocol = htons(PPP_IPV6); 820 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 821 error = ENETDOWN; 822 } 823 break; 824 #endif 825 default: 826 m_freem(m); 827 ++ifp->if_oerrors; 828 splx(s); 829 return (EAFNOSUPPORT); 830 } 831 832 if (sp->pp_flags & PP_NOFRAMING) { 833 M_PREPEND(m, 2, M_DONTWAIT); 834 if (m == NULL) { 835 if (ifp->if_flags & IFF_DEBUG) 836 log(LOG_DEBUG, "%s: no memory for transmit header\n", 837 ifp->if_xname); 838 ++ifp->if_oerrors; 839 splx(s); 840 return (ENOBUFS); 841 } 842 *mtod(m, uint16_t *) = protocol; 843 } else { 844 h->protocol = protocol; 845 } 846 847 848 error = ifq_enqueue2(ifp, ifq, m); 849 850 if (error == 0) { 851 /* 852 * Count output packets and bytes. 853 * The packet length includes header + additional hardware 854 * framing according to RFC 1333. 855 */ 856 if (!(ifp->if_flags & IFF_OACTIVE)) 857 if_start_lock(ifp); 858 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 859 } 860 splx(s); 861 return error; 862 } 863 864 void 865 sppp_attach(struct ifnet *ifp) 866 { 867 struct sppp *sp = (struct sppp *) ifp; 868 869 /* Initialize keepalive handler. */ 870 if (! spppq) { 871 callout_init(&keepalive_ch, 0); 872 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 873 } 874 875 /* Insert new entry into the keepalive list. */ 876 sp->pp_next = spppq; 877 spppq = sp; 878 879 sp->pp_if.if_type = IFT_PPP; 880 sp->pp_if.if_output = sppp_output; 881 sp->pp_fastq.ifq_maxlen = 32; 882 sp->pp_cpq.ifq_maxlen = 20; 883 sp->pp_loopcnt = 0; 884 sp->pp_alivecnt = 0; 885 sp->pp_last_activity = 0; 886 sp->pp_last_receive = 0; 887 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 888 sp->pp_max_noreceive = DEFAULT_NORECV_TIME; 889 sp->pp_idle_timeout = 0; 890 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq)); 891 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq)); 892 sp->pp_auth_failures = 0; 893 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 894 sp->pp_phase = SPPP_PHASE_DEAD; 895 sp->pp_up = lcp.Up; 896 sp->pp_down = lcp.Down; 897 898 if_alloc_sadl(ifp); 899 900 memset(&sp->myauth, 0, sizeof sp->myauth); 901 memset(&sp->hisauth, 0, sizeof sp->hisauth); 902 sppp_lcp_init(sp); 903 sppp_ipcp_init(sp); 904 sppp_ipv6cp_init(sp); 905 sppp_pap_init(sp); 906 sppp_chap_init(sp); 907 } 908 909 void 910 sppp_detach(struct ifnet *ifp) 911 { 912 struct sppp **q, *p, *sp = (struct sppp *) ifp; 913 914 /* Remove the entry from the keepalive list. */ 915 for (q = &spppq; (p = *q); q = &p->pp_next) 916 if (p == sp) { 917 *q = p->pp_next; 918 break; 919 } 920 921 /* Stop keepalive handler. */ 922 if (! spppq) { 923 callout_stop(&keepalive_ch); 924 } 925 926 callout_stop(&sp->ch[IDX_LCP]); 927 callout_stop(&sp->ch[IDX_IPCP]); 928 callout_stop(&sp->ch[IDX_PAP]); 929 callout_stop(&sp->ch[IDX_CHAP]); 930 #ifdef INET6 931 callout_stop(&sp->ch[IDX_IPV6CP]); 932 #endif 933 callout_stop(&sp->pap_my_to_ch); 934 935 /* free authentication info */ 936 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 937 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 938 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 939 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 940 } 941 942 /* 943 * Flush the interface output queue. 944 */ 945 void 946 sppp_flush(struct ifnet *ifp) 947 { 948 struct sppp *sp = (struct sppp *) ifp; 949 950 IFQ_PURGE(&sp->pp_if.if_snd); 951 IF_PURGE(&sp->pp_fastq); 952 IF_PURGE(&sp->pp_cpq); 953 } 954 955 /* 956 * Check if the output queue is empty. 957 */ 958 int 959 sppp_isempty(struct ifnet *ifp) 960 { 961 struct sppp *sp = (struct sppp *) ifp; 962 int empty, s; 963 964 s = splnet(); 965 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 966 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 967 splx(s); 968 return (empty); 969 } 970 971 /* 972 * Get next packet to send. 973 */ 974 struct mbuf * 975 sppp_dequeue(struct ifnet *ifp) 976 { 977 struct sppp *sp = (struct sppp *) ifp; 978 struct mbuf *m; 979 int s; 980 981 s = splnet(); 982 /* 983 * Process only the control protocol queue until we have at 984 * least one NCP open. 985 * 986 * Do always serve all three queues in Cisco mode. 987 */ 988 IF_DEQUEUE(&sp->pp_cpq, m); 989 if (m == NULL && 990 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) { 991 IF_DEQUEUE(&sp->pp_fastq, m); 992 if (m == NULL) 993 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 994 } 995 splx(s); 996 return m; 997 } 998 999 /* 1000 * Process an ioctl request. Called on low priority level. 1001 */ 1002 int 1003 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1004 { 1005 struct lwp *l = curlwp; /* XXX */ 1006 struct ifreq *ifr = (struct ifreq *) data; 1007 struct ifaddr *ifa = (struct ifaddr *) data; 1008 struct sppp *sp = (struct sppp *) ifp; 1009 int s, error=0, going_up, going_down, newmode; 1010 1011 s = splnet(); 1012 switch (cmd) { 1013 case SIOCINITIFADDR: 1014 ifa->ifa_rtrequest = p2p_rtrequest; 1015 break; 1016 1017 case SIOCSIFFLAGS: 1018 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1019 break; 1020 going_up = ifp->if_flags & IFF_UP && 1021 (ifp->if_flags & IFF_RUNNING) == 0; 1022 going_down = (ifp->if_flags & IFF_UP) == 0 && 1023 ifp->if_flags & IFF_RUNNING; 1024 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1025 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1026 /* sanity */ 1027 newmode = IFF_PASSIVE; 1028 ifp->if_flags &= ~IFF_AUTO; 1029 } 1030 1031 if (going_up || going_down) 1032 lcp.Close(sp); 1033 if (going_up && newmode == 0) { 1034 /* neither auto-dial nor passive */ 1035 ifp->if_flags |= IFF_RUNNING; 1036 if (!(sp->pp_flags & PP_CISCO)) 1037 lcp.Open(sp); 1038 } else if (going_down) { 1039 sppp_flush(ifp); 1040 ifp->if_flags &= ~IFF_RUNNING; 1041 } 1042 1043 break; 1044 1045 case SIOCSIFMTU: 1046 if (ifr->ifr_mtu < PPP_MINMRU || 1047 ifr->ifr_mtu > sp->lcp.their_mru) { 1048 error = EINVAL; 1049 break; 1050 } 1051 /*FALLTHROUGH*/ 1052 case SIOCGIFMTU: 1053 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1054 error = 0; 1055 break; 1056 case SIOCADDMULTI: 1057 case SIOCDELMULTI: 1058 break; 1059 1060 case SPPPSETAUTHCFG: 1061 case SPPPSETLCPCFG: 1062 case SPPPSETIDLETO: 1063 case SPPPSETAUTHFAILURE: 1064 case SPPPSETDNSOPTS: 1065 case SPPPSETKEEPALIVE: 1066 #if defined(COMPAT_50) || defined(MODULAR) 1067 case __SPPPSETIDLETO50: 1068 case __SPPPSETKEEPALIVE50: 1069 #endif /* COMPAT_50 || MODULAR */ 1070 error = kauth_authorize_network(l->l_cred, 1071 KAUTH_NETWORK_INTERFACE, 1072 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1073 NULL); 1074 if (error) 1075 break; 1076 error = sppp_params(sp, cmd, data); 1077 break; 1078 1079 case SPPPGETAUTHCFG: 1080 case SPPPGETLCPCFG: 1081 case SPPPGETAUTHFAILURES: 1082 error = kauth_authorize_network(l->l_cred, 1083 KAUTH_NETWORK_INTERFACE, 1084 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1085 NULL); 1086 if (error) 1087 break; 1088 error = sppp_params(sp, cmd, data); 1089 break; 1090 1091 case SPPPGETSTATUS: 1092 case SPPPGETSTATUSNCP: 1093 case SPPPGETIDLETO: 1094 case SPPPGETDNSOPTS: 1095 case SPPPGETDNSADDRS: 1096 case SPPPGETKEEPALIVE: 1097 #if defined(COMPAT_50) || defined(MODULAR) 1098 case __SPPPGETIDLETO50: 1099 case __SPPPGETKEEPALIVE50: 1100 #endif /* COMPAT_50 || MODULAR */ 1101 error = sppp_params(sp, cmd, data); 1102 break; 1103 1104 default: 1105 error = ifioctl_common(ifp, cmd, data); 1106 break; 1107 } 1108 splx(s); 1109 return (error); 1110 } 1111 1112 1113 /* 1114 * Cisco framing implementation. 1115 */ 1116 1117 /* 1118 * Handle incoming Cisco keepalive protocol packets. 1119 */ 1120 static void 1121 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1122 { 1123 STDDCL; 1124 struct cisco_packet *h; 1125 #ifdef INET 1126 uint32_t me, mymask = 0; /* XXX: GCC */ 1127 #endif 1128 1129 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1130 if (debug) 1131 log(LOG_DEBUG, 1132 "%s: cisco invalid packet length: %d bytes\n", 1133 ifp->if_xname, m->m_pkthdr.len); 1134 return; 1135 } 1136 h = mtod(m, struct cisco_packet *); 1137 if (debug) 1138 log(LOG_DEBUG, 1139 "%s: cisco input: %d bytes " 1140 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1141 ifp->if_xname, m->m_pkthdr.len, 1142 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1143 (u_int)h->time0, (u_int)h->time1); 1144 switch (ntohl(h->type)) { 1145 default: 1146 if (debug) 1147 addlog("%s: cisco unknown packet type: 0x%x\n", 1148 ifp->if_xname, ntohl(h->type)); 1149 break; 1150 case CISCO_ADDR_REPLY: 1151 /* Reply on address request, ignore */ 1152 break; 1153 case CISCO_KEEPALIVE_REQ: 1154 sp->pp_alivecnt = 0; 1155 sp->pp_rseq[IDX_LCP] = ntohl(h->par1); 1156 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1157 /* Local and remote sequence numbers are equal. 1158 * Probably, the line is in loopback mode. */ 1159 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1160 printf ("%s: loopback\n", 1161 ifp->if_xname); 1162 sp->pp_loopcnt = 0; 1163 if (ifp->if_flags & IFF_UP) { 1164 if_down(ifp); 1165 IF_PURGE(&sp->pp_cpq); 1166 } 1167 } 1168 ++sp->pp_loopcnt; 1169 1170 /* Generate new local sequence number */ 1171 sp->pp_seq[IDX_LCP] = cprng_fast32(); 1172 break; 1173 } 1174 sp->pp_loopcnt = 0; 1175 if (! (ifp->if_flags & IFF_UP) && 1176 (ifp->if_flags & IFF_RUNNING)) { 1177 if_up(ifp); 1178 } 1179 break; 1180 case CISCO_ADDR_REQ: 1181 #ifdef INET 1182 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1183 if (me != 0L) 1184 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1185 #endif 1186 break; 1187 } 1188 } 1189 1190 /* 1191 * Send Cisco keepalive packet. 1192 */ 1193 static void 1194 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1195 { 1196 STDDCL; 1197 struct ppp_header *h; 1198 struct cisco_packet *ch; 1199 struct mbuf *m; 1200 uint32_t t; 1201 1202 t = time_uptime * 1000; 1203 MGETHDR(m, M_DONTWAIT, MT_DATA); 1204 if (! m) 1205 return; 1206 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1207 m_reset_rcvif(m); 1208 1209 h = mtod(m, struct ppp_header *); 1210 h->address = CISCO_MULTICAST; 1211 h->control = 0; 1212 h->protocol = htons(CISCO_KEEPALIVE); 1213 1214 ch = (struct cisco_packet *)(h + 1); 1215 ch->type = htonl(type); 1216 ch->par1 = htonl(par1); 1217 ch->par2 = htonl(par2); 1218 ch->rel = -1; 1219 1220 ch->time0 = htons((u_short)(t >> 16)); 1221 ch->time1 = htons((u_short) t); 1222 1223 if (debug) 1224 log(LOG_DEBUG, 1225 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1226 ifp->if_xname, ntohl(ch->type), ch->par1, 1227 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1228 (u_int)ch->time1); 1229 1230 if (IF_QFULL(&sp->pp_cpq)) { 1231 IF_DROP(&sp->pp_fastq); 1232 IF_DROP(&ifp->if_snd); 1233 m_freem(m); 1234 ++ifp->if_oerrors; 1235 return; 1236 } else 1237 IF_ENQUEUE(&sp->pp_cpq, m); 1238 if (! (ifp->if_flags & IFF_OACTIVE)) 1239 if_start_lock(ifp); 1240 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1241 } 1242 1243 /* 1244 * PPP protocol implementation. 1245 */ 1246 1247 /* 1248 * Send PPP control protocol packet. 1249 */ 1250 static void 1251 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1252 u_char ident, u_short len, void *data) 1253 { 1254 STDDCL; 1255 struct lcp_header *lh; 1256 struct mbuf *m; 1257 size_t pkthdrlen; 1258 1259 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1260 1261 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1262 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1263 MGETHDR(m, M_DONTWAIT, MT_DATA); 1264 if (! m) 1265 return; 1266 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1267 m_reset_rcvif(m); 1268 1269 if (sp->pp_flags & PP_NOFRAMING) { 1270 *mtod(m, uint16_t *) = htons(proto); 1271 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1272 } else { 1273 struct ppp_header *h; 1274 h = mtod(m, struct ppp_header *); 1275 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1276 h->control = PPP_UI; /* Unnumbered Info */ 1277 h->protocol = htons(proto); /* Link Control Protocol */ 1278 lh = (struct lcp_header *)(h + 1); 1279 } 1280 lh->type = type; 1281 lh->ident = ident; 1282 lh->len = htons(LCP_HEADER_LEN + len); 1283 if (len) 1284 memcpy(lh + 1, data, len); 1285 1286 if (debug) { 1287 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1288 ifp->if_xname, 1289 sppp_proto_name(proto), 1290 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len)); 1291 if (len) 1292 sppp_print_bytes((u_char *)(lh + 1), len); 1293 addlog(">\n"); 1294 } 1295 if (IF_QFULL(&sp->pp_cpq)) { 1296 IF_DROP(&sp->pp_fastq); 1297 IF_DROP(&ifp->if_snd); 1298 m_freem(m); 1299 ++ifp->if_oerrors; 1300 return; 1301 } else 1302 IF_ENQUEUE(&sp->pp_cpq, m); 1303 if (! (ifp->if_flags & IFF_OACTIVE)) 1304 if_start_lock(ifp); 1305 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1306 } 1307 1308 /* 1309 * Handle incoming PPP control protocol packets. 1310 */ 1311 static void 1312 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1313 { 1314 STDDCL; 1315 struct lcp_header *h; 1316 int printlen, len = m->m_pkthdr.len; 1317 int rv; 1318 u_char *p; 1319 uint32_t u32; 1320 1321 if (len < 4) { 1322 if (debug) 1323 log(LOG_DEBUG, 1324 "%s: %s invalid packet length: %d bytes\n", 1325 ifp->if_xname, cp->name, len); 1326 return; 1327 } 1328 h = mtod(m, struct lcp_header *); 1329 if (debug) { 1330 printlen = ntohs(h->len); 1331 log(LOG_DEBUG, 1332 "%s: %s input(%s): <%s id=0x%x len=%d", 1333 ifp->if_xname, cp->name, 1334 sppp_state_name(sp->state[cp->protoidx]), 1335 sppp_cp_type_name(h->type), h->ident, printlen); 1336 if (len < printlen) 1337 printlen = len; 1338 if (printlen > 4) 1339 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1340 addlog(">\n"); 1341 } 1342 if (len > ntohs(h->len)) 1343 len = ntohs(h->len); 1344 p = (u_char *)(h + 1); 1345 switch (h->type) { 1346 case CONF_REQ: 1347 if (len < 4) { 1348 if (debug) 1349 addlog("%s: %s invalid conf-req length %d\n", 1350 ifp->if_xname, cp->name, 1351 len); 1352 ++ifp->if_ierrors; 1353 break; 1354 } 1355 /* handle states where RCR doesn't get a SCA/SCN */ 1356 switch (sp->state[cp->protoidx]) { 1357 case STATE_CLOSING: 1358 case STATE_STOPPING: 1359 return; 1360 case STATE_CLOSED: 1361 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1362 0, 0); 1363 return; 1364 } 1365 rv = (cp->RCR)(sp, h, len); 1366 if (rv < 0) { 1367 /* fatal error, shut down */ 1368 (cp->tld)(sp); 1369 sppp_lcp_tlf(sp); 1370 return; 1371 } 1372 switch (sp->state[cp->protoidx]) { 1373 case STATE_OPENED: 1374 (cp->tld)(sp); 1375 (cp->scr)(sp); 1376 /* fall through... */ 1377 case STATE_ACK_SENT: 1378 case STATE_REQ_SENT: 1379 sppp_cp_change_state(cp, sp, rv? 1380 STATE_ACK_SENT: STATE_REQ_SENT); 1381 break; 1382 case STATE_STOPPED: 1383 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1384 (cp->scr)(sp); 1385 sppp_cp_change_state(cp, sp, rv? 1386 STATE_ACK_SENT: STATE_REQ_SENT); 1387 break; 1388 case STATE_ACK_RCVD: 1389 if (rv) { 1390 sppp_cp_change_state(cp, sp, STATE_OPENED); 1391 if (debug) 1392 log(LOG_DEBUG, "%s: %s tlu\n", 1393 ifp->if_xname, 1394 cp->name); 1395 (cp->tlu)(sp); 1396 } else 1397 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1398 break; 1399 default: 1400 printf("%s: %s illegal %s in state %s\n", 1401 ifp->if_xname, cp->name, 1402 sppp_cp_type_name(h->type), 1403 sppp_state_name(sp->state[cp->protoidx])); 1404 ++ifp->if_ierrors; 1405 } 1406 break; 1407 case CONF_ACK: 1408 if (h->ident != sp->confid[cp->protoidx]) { 1409 if (debug) 1410 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1411 ifp->if_xname, cp->name, 1412 h->ident, sp->confid[cp->protoidx]); 1413 ++ifp->if_ierrors; 1414 break; 1415 } 1416 switch (sp->state[cp->protoidx]) { 1417 case STATE_CLOSED: 1418 case STATE_STOPPED: 1419 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1420 break; 1421 case STATE_CLOSING: 1422 case STATE_STOPPING: 1423 break; 1424 case STATE_REQ_SENT: 1425 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1426 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1427 break; 1428 case STATE_OPENED: 1429 (cp->tld)(sp); 1430 /* fall through */ 1431 case STATE_ACK_RCVD: 1432 (cp->scr)(sp); 1433 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1434 break; 1435 case STATE_ACK_SENT: 1436 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1437 sppp_cp_change_state(cp, sp, STATE_OPENED); 1438 if (debug) 1439 log(LOG_DEBUG, "%s: %s tlu\n", 1440 ifp->if_xname, cp->name); 1441 (cp->tlu)(sp); 1442 break; 1443 default: 1444 printf("%s: %s illegal %s in state %s\n", 1445 ifp->if_xname, cp->name, 1446 sppp_cp_type_name(h->type), 1447 sppp_state_name(sp->state[cp->protoidx])); 1448 ++ifp->if_ierrors; 1449 } 1450 break; 1451 case CONF_NAK: 1452 case CONF_REJ: 1453 if (h->ident != sp->confid[cp->protoidx]) { 1454 if (debug) 1455 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1456 ifp->if_xname, cp->name, 1457 h->ident, sp->confid[cp->protoidx]); 1458 ++ifp->if_ierrors; 1459 break; 1460 } 1461 if (h->type == CONF_NAK) 1462 (cp->RCN_nak)(sp, h, len); 1463 else /* CONF_REJ */ 1464 (cp->RCN_rej)(sp, h, len); 1465 1466 switch (sp->state[cp->protoidx]) { 1467 case STATE_CLOSED: 1468 case STATE_STOPPED: 1469 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1470 break; 1471 case STATE_REQ_SENT: 1472 case STATE_ACK_SENT: 1473 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1474 (cp->scr)(sp); 1475 break; 1476 case STATE_OPENED: 1477 (cp->tld)(sp); 1478 /* fall through */ 1479 case STATE_ACK_RCVD: 1480 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 1481 (cp->scr)(sp); 1482 break; 1483 case STATE_CLOSING: 1484 case STATE_STOPPING: 1485 break; 1486 default: 1487 printf("%s: %s illegal %s in state %s\n", 1488 ifp->if_xname, cp->name, 1489 sppp_cp_type_name(h->type), 1490 sppp_state_name(sp->state[cp->protoidx])); 1491 ++ifp->if_ierrors; 1492 } 1493 break; 1494 1495 case TERM_REQ: 1496 switch (sp->state[cp->protoidx]) { 1497 case STATE_ACK_RCVD: 1498 case STATE_ACK_SENT: 1499 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1500 /* fall through */ 1501 case STATE_CLOSED: 1502 case STATE_STOPPED: 1503 case STATE_CLOSING: 1504 case STATE_STOPPING: 1505 case STATE_REQ_SENT: 1506 sta: 1507 /* Send Terminate-Ack packet. */ 1508 if (debug) 1509 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 1510 ifp->if_xname, cp->name); 1511 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1512 break; 1513 case STATE_OPENED: 1514 (cp->tld)(sp); 1515 sp->rst_counter[cp->protoidx] = 0; 1516 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1517 goto sta; 1518 default: 1519 printf("%s: %s illegal %s in state %s\n", 1520 ifp->if_xname, cp->name, 1521 sppp_cp_type_name(h->type), 1522 sppp_state_name(sp->state[cp->protoidx])); 1523 ++ifp->if_ierrors; 1524 } 1525 break; 1526 case TERM_ACK: 1527 switch (sp->state[cp->protoidx]) { 1528 case STATE_CLOSED: 1529 case STATE_STOPPED: 1530 case STATE_REQ_SENT: 1531 case STATE_ACK_SENT: 1532 break; 1533 case STATE_CLOSING: 1534 (cp->tlf)(sp); 1535 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1536 sppp_lcp_check_and_close(sp); 1537 break; 1538 case STATE_STOPPING: 1539 (cp->tlf)(sp); 1540 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1541 sppp_lcp_check_and_close(sp); 1542 break; 1543 case STATE_ACK_RCVD: 1544 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1545 break; 1546 case STATE_OPENED: 1547 (cp->tld)(sp); 1548 (cp->scr)(sp); 1549 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1550 break; 1551 default: 1552 printf("%s: %s illegal %s in state %s\n", 1553 ifp->if_xname, cp->name, 1554 sppp_cp_type_name(h->type), 1555 sppp_state_name(sp->state[cp->protoidx])); 1556 ++ifp->if_ierrors; 1557 } 1558 break; 1559 case CODE_REJ: 1560 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1561 log(LOG_INFO, 1562 "%s: %s: ignoring RXJ (%s) for code ?, " 1563 "danger will robinson\n", 1564 ifp->if_xname, cp->name, 1565 sppp_cp_type_name(h->type)); 1566 switch (sp->state[cp->protoidx]) { 1567 case STATE_CLOSED: 1568 case STATE_STOPPED: 1569 case STATE_REQ_SENT: 1570 case STATE_ACK_SENT: 1571 case STATE_CLOSING: 1572 case STATE_STOPPING: 1573 case STATE_OPENED: 1574 break; 1575 case STATE_ACK_RCVD: 1576 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1577 break; 1578 default: 1579 printf("%s: %s illegal %s in state %s\n", 1580 ifp->if_xname, cp->name, 1581 sppp_cp_type_name(h->type), 1582 sppp_state_name(sp->state[cp->protoidx])); 1583 ++ifp->if_ierrors; 1584 } 1585 break; 1586 case PROTO_REJ: 1587 { 1588 int catastrophic; 1589 const struct cp *upper; 1590 int i; 1591 uint16_t proto; 1592 1593 catastrophic = 0; 1594 upper = NULL; 1595 proto = p[0] << 8 | p[1]; 1596 for (i = 0; i < IDX_COUNT; i++) { 1597 if (cps[i]->proto == proto) { 1598 upper = cps[i]; 1599 break; 1600 } 1601 } 1602 if (upper == NULL) 1603 catastrophic++; 1604 1605 if (debug) 1606 log(LOG_INFO, 1607 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1608 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1609 sppp_cp_type_name(h->type), proto, 1610 upper ? upper->name : "unknown", 1611 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1612 1613 /* 1614 * if we got RXJ+ against conf-req, the peer does not implement 1615 * this particular protocol type. terminate the protocol. 1616 */ 1617 if (upper && !catastrophic) { 1618 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1619 upper->Close(sp); 1620 break; 1621 } 1622 } 1623 1624 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1625 switch (sp->state[cp->protoidx]) { 1626 case STATE_CLOSED: 1627 case STATE_STOPPED: 1628 case STATE_REQ_SENT: 1629 case STATE_ACK_SENT: 1630 case STATE_CLOSING: 1631 case STATE_STOPPING: 1632 case STATE_OPENED: 1633 break; 1634 case STATE_ACK_RCVD: 1635 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1636 break; 1637 default: 1638 printf("%s: %s illegal %s in state %s\n", 1639 ifp->if_xname, cp->name, 1640 sppp_cp_type_name(h->type), 1641 sppp_state_name(sp->state[cp->protoidx])); 1642 ++ifp->if_ierrors; 1643 } 1644 break; 1645 } 1646 case DISC_REQ: 1647 if (cp->proto != PPP_LCP) 1648 goto illegal; 1649 /* Discard the packet. */ 1650 break; 1651 case ECHO_REQ: 1652 if (cp->proto != PPP_LCP) 1653 goto illegal; 1654 if (sp->state[cp->protoidx] != STATE_OPENED) { 1655 if (debug) 1656 addlog("%s: lcp echo req but lcp closed\n", 1657 ifp->if_xname); 1658 ++ifp->if_ierrors; 1659 break; 1660 } 1661 if (len < 8) { 1662 if (debug) 1663 addlog("%s: invalid lcp echo request " 1664 "packet length: %d bytes\n", 1665 ifp->if_xname, len); 1666 break; 1667 } 1668 memcpy(&u32, h + 1, sizeof u32); 1669 if (ntohl(u32) == sp->lcp.magic) { 1670 /* Line loopback mode detected. */ 1671 printf("%s: loopback\n", ifp->if_xname); 1672 if_down(ifp); 1673 IF_PURGE(&sp->pp_cpq); 1674 1675 /* Shut down the PPP link. */ 1676 /* XXX */ 1677 lcp.Down(sp); 1678 lcp.Up(sp); 1679 break; 1680 } 1681 u32 = htonl(sp->lcp.magic); 1682 memcpy(h + 1, &u32, sizeof u32); 1683 if (debug) 1684 addlog("%s: got lcp echo req, sending echo rep\n", 1685 ifp->if_xname); 1686 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1687 h + 1); 1688 break; 1689 case ECHO_REPLY: 1690 if (cp->proto != PPP_LCP) 1691 goto illegal; 1692 if (h->ident != sp->lcp.echoid) { 1693 ++ifp->if_ierrors; 1694 break; 1695 } 1696 if (len < 8) { 1697 if (debug) 1698 addlog("%s: lcp invalid echo reply " 1699 "packet length: %d bytes\n", 1700 ifp->if_xname, len); 1701 break; 1702 } 1703 if (debug) 1704 addlog("%s: lcp got echo rep\n", 1705 ifp->if_xname); 1706 memcpy(&u32, h + 1, sizeof u32); 1707 if (ntohl(u32) != sp->lcp.magic) 1708 sp->pp_alivecnt = 0; 1709 break; 1710 default: 1711 /* Unknown packet type -- send Code-Reject packet. */ 1712 illegal: 1713 if (debug) 1714 addlog("%s: %s send code-rej for 0x%x\n", 1715 ifp->if_xname, cp->name, h->type); 1716 sppp_cp_send(sp, cp->proto, CODE_REJ, 1717 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1718 ++ifp->if_ierrors; 1719 } 1720 } 1721 1722 1723 /* 1724 * The generic part of all Up/Down/Open/Close/TO event handlers. 1725 * Basically, the state transition handling in the automaton. 1726 */ 1727 static void 1728 sppp_up_event(const struct cp *cp, struct sppp *sp) 1729 { 1730 STDDCL; 1731 1732 if (debug) 1733 log(LOG_DEBUG, "%s: %s up(%s)\n", 1734 ifp->if_xname, cp->name, 1735 sppp_state_name(sp->state[cp->protoidx])); 1736 1737 switch (sp->state[cp->protoidx]) { 1738 case STATE_INITIAL: 1739 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1740 break; 1741 case STATE_STARTING: 1742 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1743 (cp->scr)(sp); 1744 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1745 break; 1746 default: 1747 printf("%s: %s illegal up in state %s\n", 1748 ifp->if_xname, cp->name, 1749 sppp_state_name(sp->state[cp->protoidx])); 1750 } 1751 } 1752 1753 static void 1754 sppp_down_event(const struct cp *cp, struct sppp *sp) 1755 { 1756 STDDCL; 1757 1758 if (debug) 1759 log(LOG_DEBUG, "%s: %s down(%s)\n", 1760 ifp->if_xname, cp->name, 1761 sppp_state_name(sp->state[cp->protoidx])); 1762 1763 switch (sp->state[cp->protoidx]) { 1764 case STATE_CLOSED: 1765 case STATE_CLOSING: 1766 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1767 break; 1768 case STATE_STOPPED: 1769 (cp->tls)(sp); 1770 /* fall through */ 1771 case STATE_STOPPING: 1772 case STATE_REQ_SENT: 1773 case STATE_ACK_RCVD: 1774 case STATE_ACK_SENT: 1775 sppp_cp_change_state(cp, sp, STATE_STARTING); 1776 break; 1777 case STATE_OPENED: 1778 (cp->tld)(sp); 1779 sppp_cp_change_state(cp, sp, STATE_STARTING); 1780 break; 1781 default: 1782 printf("%s: %s illegal down in state %s\n", 1783 ifp->if_xname, cp->name, 1784 sppp_state_name(sp->state[cp->protoidx])); 1785 } 1786 } 1787 1788 1789 static void 1790 sppp_open_event(const struct cp *cp, struct sppp *sp) 1791 { 1792 STDDCL; 1793 1794 if (debug) 1795 log(LOG_DEBUG, "%s: %s open(%s)\n", 1796 ifp->if_xname, cp->name, 1797 sppp_state_name(sp->state[cp->protoidx])); 1798 1799 switch (sp->state[cp->protoidx]) { 1800 case STATE_INITIAL: 1801 sppp_cp_change_state(cp, sp, STATE_STARTING); 1802 (cp->tls)(sp); 1803 break; 1804 case STATE_STARTING: 1805 break; 1806 case STATE_CLOSED: 1807 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1808 (cp->scr)(sp); 1809 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1810 break; 1811 case STATE_STOPPED: 1812 case STATE_STOPPING: 1813 case STATE_REQ_SENT: 1814 case STATE_ACK_RCVD: 1815 case STATE_ACK_SENT: 1816 case STATE_OPENED: 1817 break; 1818 case STATE_CLOSING: 1819 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1820 break; 1821 } 1822 } 1823 1824 1825 static void 1826 sppp_close_event(const struct cp *cp, struct sppp *sp) 1827 { 1828 STDDCL; 1829 1830 if (debug) 1831 log(LOG_DEBUG, "%s: %s close(%s)\n", 1832 ifp->if_xname, cp->name, 1833 sppp_state_name(sp->state[cp->protoidx])); 1834 1835 switch (sp->state[cp->protoidx]) { 1836 case STATE_INITIAL: 1837 case STATE_CLOSED: 1838 case STATE_CLOSING: 1839 break; 1840 case STATE_STARTING: 1841 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1842 (cp->tlf)(sp); 1843 break; 1844 case STATE_STOPPED: 1845 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1846 break; 1847 case STATE_STOPPING: 1848 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1849 break; 1850 case STATE_OPENED: 1851 (cp->tld)(sp); 1852 /* fall through */ 1853 case STATE_REQ_SENT: 1854 case STATE_ACK_RCVD: 1855 case STATE_ACK_SENT: 1856 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 1857 sppp_cp_send(sp, cp->proto, TERM_REQ, 1858 ++sp->pp_seq[cp->protoidx], 0, 0); 1859 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1860 break; 1861 } 1862 } 1863 1864 static void 1865 sppp_to_event(const struct cp *cp, struct sppp *sp) 1866 { 1867 STDDCL; 1868 int s; 1869 1870 s = splnet(); 1871 if (debug) 1872 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 1873 ifp->if_xname, cp->name, 1874 sppp_state_name(sp->state[cp->protoidx]), 1875 sp->rst_counter[cp->protoidx]); 1876 1877 if (--sp->rst_counter[cp->protoidx] < 0) 1878 /* TO- event */ 1879 switch (sp->state[cp->protoidx]) { 1880 case STATE_CLOSING: 1881 (cp->tlf)(sp); 1882 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1883 sppp_lcp_check_and_close(sp); 1884 break; 1885 case STATE_STOPPING: 1886 (cp->tlf)(sp); 1887 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1888 sppp_lcp_check_and_close(sp); 1889 break; 1890 case STATE_REQ_SENT: 1891 case STATE_ACK_RCVD: 1892 case STATE_ACK_SENT: 1893 (cp->tlf)(sp); 1894 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1895 sppp_lcp_check_and_close(sp); 1896 break; 1897 } 1898 else 1899 /* TO+ event */ 1900 switch (sp->state[cp->protoidx]) { 1901 case STATE_CLOSING: 1902 case STATE_STOPPING: 1903 sppp_cp_send(sp, cp->proto, TERM_REQ, 1904 ++sp->pp_seq[cp->protoidx], 0, 0); 1905 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1906 cp->TO, sp); 1907 break; 1908 case STATE_REQ_SENT: 1909 case STATE_ACK_RCVD: 1910 (cp->scr)(sp); 1911 /* sppp_cp_change_state() will restart the timer */ 1912 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1913 break; 1914 case STATE_ACK_SENT: 1915 (cp->scr)(sp); 1916 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1917 cp->TO, sp); 1918 break; 1919 } 1920 1921 splx(s); 1922 } 1923 1924 /* 1925 * Change the state of a control protocol in the state automaton. 1926 * Takes care of starting/stopping the restart timer. 1927 */ 1928 void 1929 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 1930 { 1931 sp->state[cp->protoidx] = newstate; 1932 callout_stop(&sp->ch[cp->protoidx]); 1933 switch (newstate) { 1934 case STATE_INITIAL: 1935 case STATE_STARTING: 1936 case STATE_CLOSED: 1937 case STATE_STOPPED: 1938 case STATE_OPENED: 1939 break; 1940 case STATE_CLOSING: 1941 case STATE_STOPPING: 1942 case STATE_REQ_SENT: 1943 case STATE_ACK_RCVD: 1944 case STATE_ACK_SENT: 1945 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1946 cp->TO, sp); 1947 break; 1948 } 1949 } 1950 1951 /* 1952 *--------------------------------------------------------------------------* 1953 * * 1954 * The LCP implementation. * 1955 * * 1956 *--------------------------------------------------------------------------* 1957 */ 1958 static void 1959 sppp_lcp_init(struct sppp *sp) 1960 { 1961 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 1962 sp->lcp.magic = 0; 1963 sp->state[IDX_LCP] = STATE_INITIAL; 1964 sp->fail_counter[IDX_LCP] = 0; 1965 sp->pp_seq[IDX_LCP] = 0; 1966 sp->pp_rseq[IDX_LCP] = 0; 1967 sp->lcp.protos = 0; 1968 1969 /* 1970 * Initialize counters and timeout values. Note that we don't 1971 * use the 3 seconds suggested in RFC 1661 since we are likely 1972 * running on a fast link. XXX We should probably implement 1973 * the exponential backoff option. Note that these values are 1974 * relevant for all control protocols, not just LCP only. 1975 */ 1976 sp->lcp.timeout = 1 * hz; 1977 sp->lcp.max_terminate = 2; 1978 sp->lcp.max_configure = 10; 1979 sp->lcp.max_failure = 10; 1980 callout_init(&sp->ch[IDX_LCP], 0); 1981 } 1982 1983 static void 1984 sppp_lcp_up(struct sppp *sp) 1985 { 1986 STDDCL; 1987 1988 /* Initialize activity timestamp: opening a connection is an activity */ 1989 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 1990 1991 /* 1992 * If this interface is passive or dial-on-demand, and we are 1993 * still in Initial state, it means we've got an incoming 1994 * call. Activate the interface. 1995 */ 1996 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 1997 if (debug) 1998 log(LOG_DEBUG, 1999 "%s: Up event", ifp->if_xname); 2000 ifp->if_flags |= IFF_RUNNING; 2001 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2002 if (debug) 2003 addlog("(incoming call)\n"); 2004 sp->pp_flags |= PP_CALLIN; 2005 lcp.Open(sp); 2006 } else if (debug) 2007 addlog("\n"); 2008 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2009 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2010 ifp->if_flags |= IFF_RUNNING; 2011 lcp.Open(sp); 2012 } 2013 2014 sppp_up_event(&lcp, sp); 2015 } 2016 2017 static void 2018 sppp_lcp_down(struct sppp *sp) 2019 { 2020 STDDCL; 2021 2022 sppp_down_event(&lcp, sp); 2023 2024 /* 2025 * If this is neither a dial-on-demand nor a passive 2026 * interface, simulate an ``ifconfig down'' action, so the 2027 * administrator can force a redial by another ``ifconfig 2028 * up''. XXX For leased line operation, should we immediately 2029 * try to reopen the connection here? 2030 */ 2031 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2032 if (debug) 2033 log(LOG_INFO, 2034 "%s: Down event (carrier loss), taking interface down.\n", 2035 ifp->if_xname); 2036 if_down(ifp); 2037 } else { 2038 if (debug) 2039 log(LOG_DEBUG, 2040 "%s: Down event (carrier loss)\n", 2041 ifp->if_xname); 2042 } 2043 sp->pp_flags &= ~PP_CALLIN; 2044 if (sp->state[IDX_LCP] != STATE_INITIAL) 2045 lcp.Close(sp); 2046 ifp->if_flags &= ~IFF_RUNNING; 2047 } 2048 2049 static void 2050 sppp_lcp_open(struct sppp *sp) 2051 { 2052 if (sp->pp_if.if_mtu < PP_MTU) { 2053 sp->lcp.mru = sp->pp_if.if_mtu; 2054 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2055 } else 2056 sp->lcp.mru = PP_MTU; 2057 sp->lcp.their_mru = PP_MTU; 2058 2059 /* 2060 * If we are authenticator, negotiate LCP_AUTH 2061 */ 2062 if (sp->hisauth.proto != 0) 2063 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2064 else 2065 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2066 sp->pp_flags &= ~PP_NEEDAUTH; 2067 sppp_open_event(&lcp, sp); 2068 } 2069 2070 static void 2071 sppp_lcp_close(struct sppp *sp) 2072 { 2073 sppp_close_event(&lcp, sp); 2074 } 2075 2076 static void 2077 sppp_lcp_TO(void *cookie) 2078 { 2079 sppp_to_event(&lcp, (struct sppp *)cookie); 2080 } 2081 2082 /* 2083 * Analyze a configure request. Return true if it was agreeable, and 2084 * caused action sca, false if it has been rejected or nak'ed, and 2085 * caused action scn. (The return value is used to make the state 2086 * transition decision in the state automaton.) 2087 */ 2088 static int 2089 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2090 { 2091 STDDCL; 2092 u_char *buf, *r, *p, l, blen; 2093 int origlen, rlen; 2094 uint32_t nmagic; 2095 u_short authproto; 2096 2097 len -= 4; 2098 origlen = len; 2099 buf = r = malloc (blen = len, M_TEMP, M_NOWAIT); 2100 if (! buf) 2101 return (0); 2102 2103 if (debug) 2104 log(LOG_DEBUG, "%s: lcp parse opts:", 2105 ifp->if_xname); 2106 2107 /* pass 1: check for things that need to be rejected */ 2108 p = (void *)(h + 1); 2109 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2110 /* Sanity check option length */ 2111 if (l > len) { 2112 /* 2113 * Malicious option - drop immediately. 2114 * XXX Maybe we should just RXJ it? 2115 */ 2116 addlog("%s: received malicious LCP option 0x%02x, " 2117 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2118 p[0], l, len); 2119 goto drop; 2120 } 2121 if (debug) 2122 addlog(" %s", sppp_lcp_opt_name(*p)); 2123 switch (*p) { 2124 case LCP_OPT_MAGIC: 2125 /* Magic number. */ 2126 /* fall through, both are same length */ 2127 case LCP_OPT_ASYNC_MAP: 2128 /* Async control character map. */ 2129 if (len >= 6 || l == 6) 2130 continue; 2131 if (debug) 2132 addlog(" [invalid]"); 2133 break; 2134 case LCP_OPT_MRU: 2135 /* Maximum receive unit. */ 2136 if (len >= 4 && l == 4) 2137 continue; 2138 if (debug) 2139 addlog(" [invalid]"); 2140 break; 2141 case LCP_OPT_AUTH_PROTO: 2142 if (len < 4) { 2143 if (debug) 2144 addlog(" [invalid]"); 2145 break; 2146 } 2147 authproto = (p[2] << 8) + p[3]; 2148 if (authproto == PPP_CHAP && l != 5) { 2149 if (debug) 2150 addlog(" [invalid chap len]"); 2151 break; 2152 } 2153 if (sp->myauth.proto == 0) { 2154 /* we are not configured to do auth */ 2155 if (debug) 2156 addlog(" [not configured]"); 2157 break; 2158 } 2159 /* 2160 * Remote want us to authenticate, remember this, 2161 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2162 * up. 2163 */ 2164 sp->pp_flags |= PP_NEEDAUTH; 2165 continue; 2166 default: 2167 /* Others not supported. */ 2168 if (debug) 2169 addlog(" [rej]"); 2170 break; 2171 } 2172 if (rlen + l > blen) { 2173 if (debug) 2174 addlog(" [overflow]"); 2175 continue; 2176 } 2177 /* Add the option to rejected list. */ 2178 memcpy(r, p, l); 2179 r += l; 2180 rlen += l; 2181 } 2182 if (rlen) { 2183 if (debug) 2184 addlog(" send conf-rej\n"); 2185 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2186 goto end; 2187 } else if (debug) 2188 addlog("\n"); 2189 2190 /* 2191 * pass 2: check for option values that are unacceptable and 2192 * thus require to be nak'ed. 2193 */ 2194 if (debug) 2195 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2196 ifp->if_xname); 2197 2198 p = (void *)(h + 1); 2199 len = origlen; 2200 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2201 if (debug) 2202 addlog(" %s", sppp_lcp_opt_name(*p)); 2203 switch (*p) { 2204 case LCP_OPT_MAGIC: 2205 /* Magic number -- extract. */ 2206 nmagic = (uint32_t)p[2] << 24 | 2207 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2208 if (nmagic != sp->lcp.magic) { 2209 if (debug) 2210 addlog(" 0x%x", nmagic); 2211 continue; 2212 } 2213 /* 2214 * Local and remote magics equal -- loopback? 2215 */ 2216 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2217 printf ("%s: loopback\n", 2218 ifp->if_xname); 2219 sp->pp_loopcnt = 0; 2220 if (ifp->if_flags & IFF_UP) { 2221 if_down(ifp); 2222 IF_PURGE(&sp->pp_cpq); 2223 /* XXX ? */ 2224 lcp.Down(sp); 2225 lcp.Up(sp); 2226 } 2227 } else if (debug) 2228 addlog(" [glitch]"); 2229 ++sp->pp_loopcnt; 2230 /* 2231 * We negate our magic here, and NAK it. If 2232 * we see it later in an NAK packet, we 2233 * suggest a new one. 2234 */ 2235 nmagic = ~sp->lcp.magic; 2236 /* Gonna NAK it. */ 2237 p[2] = nmagic >> 24; 2238 p[3] = nmagic >> 16; 2239 p[4] = nmagic >> 8; 2240 p[5] = nmagic; 2241 break; 2242 2243 case LCP_OPT_ASYNC_MAP: 2244 /* 2245 * Async control character map -- just ignore it. 2246 * 2247 * Quote from RFC 1662, chapter 6: 2248 * To enable this functionality, synchronous PPP 2249 * implementations MUST always respond to the 2250 * Async-Control-Character-Map Configuration 2251 * Option with the LCP Configure-Ack. However, 2252 * acceptance of the Configuration Option does 2253 * not imply that the synchronous implementation 2254 * will do any ACCM mapping. Instead, all such 2255 * octet mapping will be performed by the 2256 * asynchronous-to-synchronous converter. 2257 */ 2258 continue; 2259 2260 case LCP_OPT_MRU: 2261 /* 2262 * Maximum receive unit. Always agreeable, 2263 * but ignored by now. 2264 */ 2265 sp->lcp.their_mru = p[2] * 256 + p[3]; 2266 if (debug) 2267 addlog(" %ld", sp->lcp.their_mru); 2268 continue; 2269 2270 case LCP_OPT_AUTH_PROTO: 2271 authproto = (p[2] << 8) + p[3]; 2272 if (sp->myauth.proto != authproto) { 2273 /* not agreed, nak */ 2274 if (debug) 2275 addlog(" [mine %s != his %s]", 2276 sppp_proto_name(sp->myauth.proto), 2277 sppp_proto_name(authproto)); 2278 p[2] = sp->myauth.proto >> 8; 2279 p[3] = sp->myauth.proto; 2280 break; 2281 } 2282 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2283 if (debug) 2284 addlog(" [chap not MD5]"); 2285 p[4] = CHAP_MD5; 2286 break; 2287 } 2288 continue; 2289 } 2290 if (rlen + l > blen) { 2291 if (debug) 2292 addlog(" [overflow]"); 2293 continue; 2294 } 2295 /* Add the option to nak'ed list. */ 2296 memcpy(r, p, l); 2297 r += l; 2298 rlen += l; 2299 } 2300 if (rlen) { 2301 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2302 if (debug) 2303 addlog(" max_failure (%d) exceeded, " 2304 "send conf-rej\n", 2305 sp->lcp.max_failure); 2306 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2307 } else { 2308 if (debug) 2309 addlog(" send conf-nak\n"); 2310 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2311 } 2312 goto end; 2313 } else { 2314 if (debug) 2315 addlog(" send conf-ack\n"); 2316 sp->fail_counter[IDX_LCP] = 0; 2317 sp->pp_loopcnt = 0; 2318 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1); 2319 } 2320 2321 end: 2322 free(buf, M_TEMP); 2323 return (rlen == 0); 2324 2325 drop: 2326 free(buf, M_TEMP); 2327 return -1; 2328 } 2329 2330 /* 2331 * Analyze the LCP Configure-Reject option list, and adjust our 2332 * negotiation. 2333 */ 2334 static void 2335 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2336 { 2337 STDDCL; 2338 u_char *buf, *p, l; 2339 2340 len -= 4; 2341 buf = malloc (len, M_TEMP, M_NOWAIT); 2342 if (!buf) 2343 return; 2344 2345 if (debug) 2346 log(LOG_DEBUG, "%s: lcp rej opts:", 2347 ifp->if_xname); 2348 2349 p = (void *)(h + 1); 2350 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2351 /* Sanity check option length */ 2352 if (l > len) { 2353 /* 2354 * Malicious option - drop immediately. 2355 * XXX Maybe we should just RXJ it? 2356 */ 2357 addlog("%s: received malicious LCP option, " 2358 "dropping.\n", ifp->if_xname); 2359 goto drop; 2360 } 2361 if (debug) 2362 addlog(" %s", sppp_lcp_opt_name(*p)); 2363 switch (*p) { 2364 case LCP_OPT_MAGIC: 2365 /* Magic number -- can't use it, use 0 */ 2366 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2367 sp->lcp.magic = 0; 2368 break; 2369 case LCP_OPT_MRU: 2370 /* 2371 * We try to negotiate a lower MRU if the underlying 2372 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 2373 * peer rejects this lower rate, fallback to the 2374 * default. 2375 */ 2376 if (debug) { 2377 addlog("%s: warning: peer rejected our MRU of " 2378 "%ld bytes. Defaulting to %d bytes\n", 2379 ifp->if_xname, sp->lcp.mru, PP_MTU); 2380 } 2381 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2382 sp->lcp.mru = PP_MTU; 2383 break; 2384 case LCP_OPT_AUTH_PROTO: 2385 /* 2386 * Peer doesn't want to authenticate himself, 2387 * deny unless this is a dialout call, and 2388 * SPPP_AUTHFLAG_NOCALLOUT is set. 2389 */ 2390 if ((sp->pp_flags & PP_CALLIN) == 0 && 2391 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 2392 if (debug) 2393 addlog(" [don't insist on auth " 2394 "for callout]"); 2395 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2396 break; 2397 } 2398 if (debug) 2399 addlog("[access denied]\n"); 2400 lcp.Close(sp); 2401 break; 2402 } 2403 } 2404 if (debug) 2405 addlog("\n"); 2406 drop: 2407 free(buf, M_TEMP); 2408 return; 2409 } 2410 2411 /* 2412 * Analyze the LCP Configure-NAK option list, and adjust our 2413 * negotiation. 2414 */ 2415 static void 2416 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2417 { 2418 STDDCL; 2419 u_char *buf, *p, l, blen; 2420 uint32_t magic; 2421 2422 len -= 4; 2423 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 2424 if (!buf) 2425 return; 2426 2427 if (debug) 2428 log(LOG_DEBUG, "%s: lcp nak opts:", 2429 ifp->if_xname); 2430 2431 p = (void *)(h + 1); 2432 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2433 /* Sanity check option length */ 2434 if (l > len) { 2435 /* 2436 * Malicious option - drop immediately. 2437 * XXX Maybe we should just RXJ it? 2438 */ 2439 addlog("%s: received malicious LCP option, " 2440 "dropping.\n", ifp->if_xname); 2441 goto drop; 2442 } 2443 if (debug) 2444 addlog(" %s", sppp_lcp_opt_name(*p)); 2445 switch (*p) { 2446 case LCP_OPT_MAGIC: 2447 /* Magic number -- renegotiate */ 2448 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2449 len >= 6 && l == 6) { 2450 magic = (uint32_t)p[2] << 24 | 2451 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2452 /* 2453 * If the remote magic is our negated one, 2454 * this looks like a loopback problem. 2455 * Suggest a new magic to make sure. 2456 */ 2457 if (magic == ~sp->lcp.magic) { 2458 if (debug) 2459 addlog(" magic glitch"); 2460 sp->lcp.magic = cprng_fast32(); 2461 } else { 2462 sp->lcp.magic = magic; 2463 if (debug) 2464 addlog(" %d", magic); 2465 } 2466 } 2467 break; 2468 case LCP_OPT_MRU: 2469 /* 2470 * Peer wants to advise us to negotiate an MRU. 2471 * Agree on it if it's reasonable, or use 2472 * default otherwise. 2473 */ 2474 if (len >= 4 && l == 4) { 2475 u_int mru = p[2] * 256 + p[3]; 2476 if (debug) 2477 addlog(" %d", mru); 2478 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 2479 mru = sp->pp_if.if_mtu; 2480 sp->lcp.mru = mru; 2481 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2482 } 2483 break; 2484 case LCP_OPT_AUTH_PROTO: 2485 /* 2486 * Peer doesn't like our authentication method, 2487 * deny. 2488 */ 2489 if (debug) 2490 addlog("[access denied]\n"); 2491 lcp.Close(sp); 2492 break; 2493 } 2494 } 2495 if (debug) 2496 addlog("\n"); 2497 drop: 2498 free(buf, M_TEMP); 2499 return; 2500 } 2501 2502 static void 2503 sppp_lcp_tlu(struct sppp *sp) 2504 { 2505 struct ifnet *ifp = &sp->pp_if; 2506 int i; 2507 uint32_t mask; 2508 2509 /* XXX ? */ 2510 if (! (ifp->if_flags & IFF_UP) && 2511 (ifp->if_flags & IFF_RUNNING)) { 2512 /* Coming out of loopback mode. */ 2513 if_up(ifp); 2514 } 2515 2516 for (i = 0; i < IDX_COUNT; i++) 2517 if ((cps[i])->flags & CP_QUAL) 2518 (cps[i])->Open(sp); 2519 2520 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2521 (sp->pp_flags & PP_NEEDAUTH) != 0) 2522 sppp_change_phase(sp, SPPP_PHASE_AUTHENTICATE); 2523 else 2524 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 2525 2526 /* 2527 * Open all authentication protocols. This is even required 2528 * if we already proceeded to network phase, since it might be 2529 * that remote wants us to authenticate, so we might have to 2530 * send a PAP request. Undesired authentication protocols 2531 * don't do anything when they get an Open event. 2532 */ 2533 for (i = 0; i < IDX_COUNT; i++) 2534 if ((cps[i])->flags & CP_AUTH) 2535 (cps[i])->Open(sp); 2536 2537 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 2538 /* Notify all NCPs. */ 2539 for (i = 0; i < IDX_COUNT; i++) 2540 if ((cps[i])->flags & CP_NCP) 2541 (cps[i])->Open(sp); 2542 } 2543 2544 /* Send Up events to all started protos. */ 2545 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2546 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) 2547 (cps[i])->Up(sp); 2548 2549 /* notify low-level driver of state change */ 2550 if (sp->pp_chg) 2551 sp->pp_chg(sp, (int)sp->pp_phase); 2552 2553 if (sp->pp_phase == SPPP_PHASE_NETWORK) 2554 /* if no NCP is starting, close down */ 2555 sppp_lcp_check_and_close(sp); 2556 } 2557 2558 static void 2559 sppp_lcp_tld(struct sppp *sp) 2560 { 2561 int i; 2562 uint32_t mask; 2563 2564 sppp_change_phase(sp, SPPP_PHASE_TERMINATE); 2565 2566 /* 2567 * Take upper layers down. We send the Down event first and 2568 * the Close second to prevent the upper layers from sending 2569 * ``a flurry of terminate-request packets'', as the RFC 2570 * describes it. 2571 */ 2572 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2573 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2574 (cps[i])->Down(sp); 2575 (cps[i])->Close(sp); 2576 } 2577 } 2578 2579 static void 2580 sppp_lcp_tls(struct sppp *sp) 2581 { 2582 2583 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 2584 printf("%s: authentication failed %d times, not retrying again\n", 2585 sp->pp_if.if_xname, sp->pp_auth_failures); 2586 if_down(&sp->pp_if); 2587 return; 2588 } 2589 2590 sppp_change_phase(sp, SPPP_PHASE_ESTABLISH); 2591 2592 /* Notify lower layer if desired. */ 2593 if (sp->pp_tls) 2594 (sp->pp_tls)(sp); 2595 } 2596 2597 static void 2598 sppp_lcp_tlf(struct sppp *sp) 2599 { 2600 2601 sppp_change_phase(sp, SPPP_PHASE_DEAD); 2602 2603 /* Notify lower layer if desired. */ 2604 if (sp->pp_tlf) 2605 (sp->pp_tlf)(sp); 2606 } 2607 2608 static void 2609 sppp_lcp_scr(struct sppp *sp) 2610 { 2611 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2612 int i = 0; 2613 u_short authproto; 2614 2615 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2616 if (! sp->lcp.magic) 2617 sp->lcp.magic = cprng_fast32(); 2618 opt[i++] = LCP_OPT_MAGIC; 2619 opt[i++] = 6; 2620 opt[i++] = sp->lcp.magic >> 24; 2621 opt[i++] = sp->lcp.magic >> 16; 2622 opt[i++] = sp->lcp.magic >> 8; 2623 opt[i++] = sp->lcp.magic; 2624 } 2625 2626 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2627 opt[i++] = LCP_OPT_MRU; 2628 opt[i++] = 4; 2629 opt[i++] = sp->lcp.mru >> 8; 2630 opt[i++] = sp->lcp.mru; 2631 } 2632 2633 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2634 authproto = sp->hisauth.proto; 2635 opt[i++] = LCP_OPT_AUTH_PROTO; 2636 opt[i++] = authproto == PPP_CHAP? 5: 4; 2637 opt[i++] = authproto >> 8; 2638 opt[i++] = authproto; 2639 if (authproto == PPP_CHAP) 2640 opt[i++] = CHAP_MD5; 2641 } 2642 2643 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2644 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2645 } 2646 2647 /* 2648 * Check the open NCPs, return true if at least one NCP is open. 2649 */ 2650 static int 2651 sppp_ncp_check(struct sppp *sp) 2652 { 2653 int i, mask; 2654 2655 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2656 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2657 return 1; 2658 return 0; 2659 } 2660 2661 /* 2662 * Re-check the open NCPs and see if we should terminate the link. 2663 * Called by the NCPs during their tlf action handling. 2664 */ 2665 static void 2666 sppp_lcp_check_and_close(struct sppp *sp) 2667 { 2668 2669 if (sp->pp_phase < SPPP_PHASE_NETWORK) 2670 /* don't bother, we are already going down */ 2671 return; 2672 2673 if (sppp_ncp_check(sp)) 2674 return; 2675 2676 lcp.Close(sp); 2677 } 2678 2679 2680 /* 2681 *--------------------------------------------------------------------------* 2682 * * 2683 * The IPCP implementation. * 2684 * * 2685 *--------------------------------------------------------------------------* 2686 */ 2687 2688 static void 2689 sppp_ipcp_init(struct sppp *sp) 2690 { 2691 sp->ipcp.opts = 0; 2692 sp->ipcp.flags = 0; 2693 sp->state[IDX_IPCP] = STATE_INITIAL; 2694 sp->fail_counter[IDX_IPCP] = 0; 2695 sp->pp_seq[IDX_IPCP] = 0; 2696 sp->pp_rseq[IDX_IPCP] = 0; 2697 callout_init(&sp->ch[IDX_IPCP], 0); 2698 } 2699 2700 static void 2701 sppp_ipcp_up(struct sppp *sp) 2702 { 2703 sppp_up_event(&ipcp, sp); 2704 } 2705 2706 static void 2707 sppp_ipcp_down(struct sppp *sp) 2708 { 2709 sppp_down_event(&ipcp, sp); 2710 } 2711 2712 static void 2713 sppp_ipcp_open(struct sppp *sp) 2714 { 2715 STDDCL; 2716 uint32_t myaddr, hisaddr; 2717 2718 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 2719 sp->ipcp.req_myaddr = 0; 2720 sp->ipcp.req_hisaddr = 0; 2721 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 2722 2723 #ifdef INET 2724 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 2725 #else 2726 myaddr = hisaddr = 0; 2727 #endif 2728 /* 2729 * If we don't have his address, this probably means our 2730 * interface doesn't want to talk IP at all. (This could 2731 * be the case if somebody wants to speak only IPX, for 2732 * example.) Don't open IPCP in this case. 2733 */ 2734 if (hisaddr == 0) { 2735 /* XXX this message should go away */ 2736 if (debug) 2737 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 2738 ifp->if_xname); 2739 return; 2740 } 2741 2742 if (myaddr == 0) { 2743 /* 2744 * I don't have an assigned address, so i need to 2745 * negotiate my address. 2746 */ 2747 sp->ipcp.flags |= IPCP_MYADDR_DYN; 2748 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 2749 } 2750 if (hisaddr == 1) { 2751 /* 2752 * XXX - remove this hack! 2753 * remote has no valid address, we need to get one assigned. 2754 */ 2755 sp->ipcp.flags |= IPCP_HISADDR_DYN; 2756 } 2757 sppp_open_event(&ipcp, sp); 2758 } 2759 2760 static void 2761 sppp_ipcp_close(struct sppp *sp) 2762 { 2763 STDDCL; 2764 2765 sppp_close_event(&ipcp, sp); 2766 #ifdef INET 2767 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) 2768 /* 2769 * Some address was dynamic, clear it again. 2770 */ 2771 sppp_clear_ip_addrs(sp); 2772 #endif 2773 2774 if (sp->pp_saved_mtu > 0) { 2775 ifp->if_mtu = sp->pp_saved_mtu; 2776 sp->pp_saved_mtu = 0; 2777 if (debug) 2778 log(LOG_DEBUG, 2779 "%s: resetting MTU to %" PRIu64 " bytes\n", 2780 ifp->if_xname, ifp->if_mtu); 2781 } 2782 } 2783 2784 static void 2785 sppp_ipcp_TO(void *cookie) 2786 { 2787 sppp_to_event(&ipcp, (struct sppp *)cookie); 2788 } 2789 2790 /* 2791 * Analyze a configure request. Return true if it was agreeable, and 2792 * caused action sca, false if it has been rejected or nak'ed, and 2793 * caused action scn. (The return value is used to make the state 2794 * transition decision in the state automaton.) 2795 */ 2796 static int 2797 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2798 { 2799 u_char *buf, *r, *p, l, blen; 2800 struct ifnet *ifp = &sp->pp_if; 2801 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 2802 uint32_t hisaddr, desiredaddr; 2803 2804 len -= 4; 2805 origlen = len; 2806 /* 2807 * Make sure to allocate a buf that can at least hold a 2808 * conf-nak with an `address' option. We might need it below. 2809 */ 2810 blen = len < 6 ? 6 : len; 2811 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 2812 if (! buf) 2813 return (0); 2814 2815 /* pass 1: see if we can recognize them */ 2816 if (debug) 2817 log(LOG_DEBUG, "%s: ipcp parse opts:", 2818 ifp->if_xname); 2819 p = (void *)(h + 1); 2820 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2821 /* Sanity check option length */ 2822 if (l > len) { 2823 /* XXX should we just RXJ? */ 2824 addlog("%s: malicious IPCP option received, dropping\n", 2825 ifp->if_xname); 2826 goto drop; 2827 } 2828 if (debug) 2829 addlog(" %s", sppp_ipcp_opt_name(*p)); 2830 switch (*p) { 2831 #ifdef notyet 2832 case IPCP_OPT_COMPRESSION: 2833 if (len >= 6 && l >= 6) { 2834 /* correctly formed compress option */ 2835 continue; 2836 } 2837 if (debug) 2838 addlog(" [invalid]"); 2839 break; 2840 #endif 2841 case IPCP_OPT_ADDRESS: 2842 if (len >= 6 && l == 6) { 2843 /* correctly formed address option */ 2844 continue; 2845 } 2846 if (debug) 2847 addlog(" [invalid]"); 2848 break; 2849 default: 2850 /* Others not supported. */ 2851 if (debug) 2852 addlog(" [rej]"); 2853 break; 2854 } 2855 /* Add the option to rejected list. */ 2856 if (rlen + l > blen) { 2857 if (debug) 2858 addlog(" [overflow]"); 2859 continue; 2860 } 2861 memcpy(r, p, l); 2862 r += l; 2863 rlen += l; 2864 } 2865 if (rlen) { 2866 if (debug) 2867 addlog(" send conf-rej\n"); 2868 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 2869 goto end; 2870 } else if (debug) 2871 addlog("\n"); 2872 2873 /* pass 2: parse option values */ 2874 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 2875 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 2876 else 2877 #ifdef INET 2878 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 2879 #else 2880 hisaddr = 0; 2881 #endif 2882 if (debug) 2883 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 2884 ifp->if_xname); 2885 p = (void *)(h + 1); 2886 len = origlen; 2887 for (rlen=0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2888 if (debug) 2889 addlog(" %s", sppp_ipcp_opt_name(*p)); 2890 switch (*p) { 2891 #ifdef notyet 2892 case IPCP_OPT_COMPRESSION: 2893 continue; 2894 #endif 2895 case IPCP_OPT_ADDRESS: 2896 desiredaddr = p[2] << 24 | p[3] << 16 | 2897 p[4] << 8 | p[5]; 2898 if (desiredaddr == hisaddr || 2899 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 2900 /* 2901 * Peer's address is same as our value, 2902 * this is agreeable. Gonna conf-ack 2903 * it. 2904 */ 2905 if (debug) 2906 addlog(" %s [ack]", 2907 sppp_dotted_quad(hisaddr)); 2908 /* record that we've seen it already */ 2909 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 2910 sp->ipcp.req_hisaddr = desiredaddr; 2911 hisaddr = desiredaddr; 2912 continue; 2913 } 2914 /* 2915 * The address wasn't agreeable. This is either 2916 * he sent us 0.0.0.0, asking to assign him an 2917 * address, or he send us another address not 2918 * matching our value. Either case, we gonna 2919 * conf-nak it with our value. 2920 */ 2921 if (debug) { 2922 if (desiredaddr == 0) 2923 addlog(" [addr requested]"); 2924 else 2925 addlog(" %s [not agreed]", 2926 sppp_dotted_quad(desiredaddr)); 2927 } 2928 2929 p[2] = hisaddr >> 24; 2930 p[3] = hisaddr >> 16; 2931 p[4] = hisaddr >> 8; 2932 p[5] = hisaddr; 2933 break; 2934 } 2935 if (rlen + l > blen) { 2936 if (debug) 2937 addlog(" [overflow]"); 2938 continue; 2939 } 2940 /* Add the option to nak'ed list. */ 2941 memcpy(r, p, l); 2942 r += l; 2943 rlen += l; 2944 } 2945 2946 /* 2947 * If we are about to conf-ack the request, but haven't seen 2948 * his address so far, gonna conf-nak it instead, with the 2949 * `address' option present and our idea of his address being 2950 * filled in there, to request negotiation of both addresses. 2951 * 2952 * XXX This can result in an endless req - nak loop if peer 2953 * doesn't want to send us his address. Q: What should we do 2954 * about it? XXX A: implement the max-failure counter. 2955 */ 2956 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) { 2957 buf[0] = IPCP_OPT_ADDRESS; 2958 buf[1] = 6; 2959 buf[2] = hisaddr >> 24; 2960 buf[3] = hisaddr >> 16; 2961 buf[4] = hisaddr >> 8; 2962 buf[5] = hisaddr; 2963 rlen = 6; 2964 if (debug) 2965 addlog(" still need hisaddr"); 2966 } 2967 2968 if (rlen) { 2969 if (debug) 2970 addlog(" send conf-nak\n"); 2971 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 2972 } else { 2973 if (debug) 2974 addlog(" send conf-ack\n"); 2975 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1); 2976 } 2977 2978 end: 2979 free(buf, M_TEMP); 2980 return (rlen == 0); 2981 2982 drop: 2983 free(buf, M_TEMP); 2984 return -1; 2985 } 2986 2987 /* 2988 * Analyze the IPCP Configure-Reject option list, and adjust our 2989 * negotiation. 2990 */ 2991 static void 2992 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2993 { 2994 u_char *buf, *p, l, blen; 2995 struct ifnet *ifp = &sp->pp_if; 2996 int debug = ifp->if_flags & IFF_DEBUG; 2997 2998 len -= 4; 2999 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3000 if (!buf) 3001 return; 3002 3003 if (debug) 3004 log(LOG_DEBUG, "%s: ipcp rej opts:", 3005 ifp->if_xname); 3006 3007 p = (void *)(h + 1); 3008 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3009 /* Sanity check option length */ 3010 if (l > len) { 3011 /* XXX should we just RXJ? */ 3012 addlog("%s: malicious IPCP option received, dropping\n", 3013 ifp->if_xname); 3014 goto drop; 3015 } 3016 if (debug) 3017 addlog(" %s", sppp_ipcp_opt_name(*p)); 3018 switch (*p) { 3019 case IPCP_OPT_ADDRESS: 3020 /* 3021 * Peer doesn't grok address option. This is 3022 * bad. XXX Should we better give up here? 3023 */ 3024 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3025 break; 3026 #ifdef notyet 3027 case IPCP_OPT_COMPRESS: 3028 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS); 3029 break; 3030 #endif 3031 } 3032 } 3033 if (debug) 3034 addlog("\n"); 3035 drop: 3036 free(buf, M_TEMP); 3037 return; 3038 } 3039 3040 /* 3041 * Analyze the IPCP Configure-NAK option list, and adjust our 3042 * negotiation. 3043 */ 3044 static void 3045 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3046 { 3047 u_char *p, l; 3048 struct ifnet *ifp = &sp->pp_if; 3049 int debug = ifp->if_flags & IFF_DEBUG; 3050 uint32_t wantaddr; 3051 3052 len -= 4; 3053 3054 if (debug) 3055 log(LOG_DEBUG, "%s: ipcp nak opts:", 3056 ifp->if_xname); 3057 3058 p = (void *)(h + 1); 3059 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3060 /* Sanity check option length */ 3061 if (l > len) { 3062 /* XXX should we just RXJ? */ 3063 addlog("%s: malicious IPCP option received, dropping\n", 3064 ifp->if_xname); 3065 return; 3066 } 3067 if (debug) 3068 addlog(" %s", sppp_ipcp_opt_name(*p)); 3069 switch (*p) { 3070 case IPCP_OPT_ADDRESS: 3071 /* 3072 * Peer doesn't like our local IP address. See 3073 * if we can do something for him. We'll drop 3074 * him our address then. 3075 */ 3076 if (len >= 6 && l == 6) { 3077 wantaddr = p[2] << 24 | p[3] << 16 | 3078 p[4] << 8 | p[5]; 3079 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3080 if (debug) 3081 addlog(" [wantaddr %s]", 3082 sppp_dotted_quad(wantaddr)); 3083 /* 3084 * When doing dynamic address assignment, 3085 * we accept his offer. Otherwise, we 3086 * ignore it and thus continue to negotiate 3087 * our already existing value. 3088 */ 3089 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3090 if (debug) 3091 addlog(" [agree]"); 3092 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3093 sp->ipcp.req_myaddr = wantaddr; 3094 } 3095 } 3096 break; 3097 3098 case IPCP_OPT_PRIMDNS: 3099 if (len >= 6 && l == 6) { 3100 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 3101 p[4] << 8 | p[5]; 3102 } 3103 break; 3104 3105 case IPCP_OPT_SECDNS: 3106 if (len >= 6 && l == 6) { 3107 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 3108 p[4] << 8 | p[5]; 3109 } 3110 break; 3111 #ifdef notyet 3112 case IPCP_OPT_COMPRESS: 3113 /* 3114 * Peer wants different compression parameters. 3115 */ 3116 break; 3117 #endif 3118 } 3119 } 3120 if (debug) 3121 addlog("\n"); 3122 } 3123 3124 static void 3125 sppp_ipcp_tlu(struct sppp *sp) 3126 { 3127 #ifdef INET 3128 /* we are up. Set addresses and notify anyone interested */ 3129 STDDCL; 3130 uint32_t myaddr, hisaddr; 3131 3132 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3133 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 3134 myaddr = sp->ipcp.req_myaddr; 3135 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 3136 hisaddr = sp->ipcp.req_hisaddr; 3137 sppp_set_ip_addrs(sp, myaddr, hisaddr); 3138 3139 if (ifp->if_mtu > sp->lcp.their_mru) { 3140 sp->pp_saved_mtu = ifp->if_mtu; 3141 ifp->if_mtu = sp->lcp.their_mru; 3142 if (debug) 3143 log(LOG_DEBUG, 3144 "%s: setting MTU to %" PRIu64 " bytes\n", 3145 ifp->if_xname, ifp->if_mtu); 3146 } 3147 3148 if (sp->pp_con) 3149 sp->pp_con(sp); 3150 #endif 3151 } 3152 3153 static void 3154 sppp_ipcp_tld(struct sppp *sp) 3155 { 3156 } 3157 3158 static void 3159 sppp_ipcp_tls(struct sppp *sp) 3160 { 3161 /* indicate to LCP that it must stay alive */ 3162 sp->lcp.protos |= (1 << IDX_IPCP); 3163 } 3164 3165 static void 3166 sppp_ipcp_tlf(struct sppp *sp) 3167 { 3168 /* we no longer need LCP */ 3169 sp->lcp.protos &= ~(1 << IDX_IPCP); 3170 } 3171 3172 static void 3173 sppp_ipcp_scr(struct sppp *sp) 3174 { 3175 char opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 3176 #ifdef INET 3177 uint32_t ouraddr; 3178 #endif 3179 int i = 0; 3180 3181 #ifdef notyet 3182 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3183 opt[i++] = IPCP_OPT_COMPRESSION; 3184 opt[i++] = 6; 3185 opt[i++] = 0; /* VJ header compression */ 3186 opt[i++] = 0x2d; /* VJ header compression */ 3187 opt[i++] = max_slot_id; 3188 opt[i++] = comp_slot_id; 3189 } 3190 #endif 3191 3192 #ifdef INET 3193 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3194 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) 3195 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 3196 else 3197 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3198 opt[i++] = IPCP_OPT_ADDRESS; 3199 opt[i++] = 6; 3200 opt[i++] = ouraddr >> 24; 3201 opt[i++] = ouraddr >> 16; 3202 opt[i++] = ouraddr >> 8; 3203 opt[i++] = ouraddr; 3204 } 3205 #endif 3206 3207 if (sp->query_dns & 1) { 3208 opt[i++] = IPCP_OPT_PRIMDNS; 3209 opt[i++] = 6; 3210 opt[i++] = sp->dns_addrs[0] >> 24; 3211 opt[i++] = sp->dns_addrs[0] >> 16; 3212 opt[i++] = sp->dns_addrs[0] >> 8; 3213 opt[i++] = sp->dns_addrs[0]; 3214 } 3215 if (sp->query_dns & 2) { 3216 opt[i++] = IPCP_OPT_SECDNS; 3217 opt[i++] = 6; 3218 opt[i++] = sp->dns_addrs[1] >> 24; 3219 opt[i++] = sp->dns_addrs[1] >> 16; 3220 opt[i++] = sp->dns_addrs[1] >> 8; 3221 opt[i++] = sp->dns_addrs[1]; 3222 } 3223 3224 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3225 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3226 } 3227 3228 3229 /* 3230 *--------------------------------------------------------------------------* 3231 * * 3232 * The IPv6CP implementation. * 3233 * * 3234 *--------------------------------------------------------------------------* 3235 */ 3236 3237 #ifdef INET6 3238 static void 3239 sppp_ipv6cp_init(struct sppp *sp) 3240 { 3241 sp->ipv6cp.opts = 0; 3242 sp->ipv6cp.flags = 0; 3243 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3244 sp->fail_counter[IDX_IPV6CP] = 0; 3245 sp->pp_seq[IDX_IPV6CP] = 0; 3246 sp->pp_rseq[IDX_IPV6CP] = 0; 3247 callout_init(&sp->ch[IDX_IPV6CP], 0); 3248 } 3249 3250 static void 3251 sppp_ipv6cp_up(struct sppp *sp) 3252 { 3253 sppp_up_event(&ipv6cp, sp); 3254 } 3255 3256 static void 3257 sppp_ipv6cp_down(struct sppp *sp) 3258 { 3259 sppp_down_event(&ipv6cp, sp); 3260 } 3261 3262 static void 3263 sppp_ipv6cp_open(struct sppp *sp) 3264 { 3265 STDDCL; 3266 struct in6_addr myaddr, hisaddr; 3267 3268 #ifdef IPV6CP_MYIFID_DYN 3269 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3270 #else 3271 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3272 #endif 3273 3274 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3275 /* 3276 * If we don't have our address, this probably means our 3277 * interface doesn't want to talk IPv6 at all. (This could 3278 * be the case if somebody wants to speak only IPX, for 3279 * example.) Don't open IPv6CP in this case. 3280 */ 3281 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3282 /* XXX this message should go away */ 3283 if (debug) 3284 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 3285 ifp->if_xname); 3286 return; 3287 } 3288 3289 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3290 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3291 sppp_open_event(&ipv6cp, sp); 3292 } 3293 3294 static void 3295 sppp_ipv6cp_close(struct sppp *sp) 3296 { 3297 sppp_close_event(&ipv6cp, sp); 3298 } 3299 3300 static void 3301 sppp_ipv6cp_TO(void *cookie) 3302 { 3303 sppp_to_event(&ipv6cp, (struct sppp *)cookie); 3304 } 3305 3306 /* 3307 * Analyze a configure request. Return true if it was agreeable, and 3308 * caused action sca, false if it has been rejected or nak'ed, and 3309 * caused action scn. (The return value is used to make the state 3310 * transition decision in the state automaton.) 3311 */ 3312 static int 3313 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3314 { 3315 u_char *buf, *r, *p, l, blen; 3316 struct ifnet *ifp = &sp->pp_if; 3317 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3318 struct in6_addr myaddr, desiredaddr, suggestaddr; 3319 int ifidcount; 3320 int type; 3321 int collision, nohisaddr; 3322 3323 len -= 4; 3324 origlen = len; 3325 /* 3326 * Make sure to allocate a buf that can at least hold a 3327 * conf-nak with an `address' option. We might need it below. 3328 */ 3329 blen = len < 6 ? 6 : len; 3330 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3331 if (! buf) 3332 return (0); 3333 3334 /* pass 1: see if we can recognize them */ 3335 if (debug) 3336 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 3337 ifp->if_xname); 3338 p = (void *)(h + 1); 3339 ifidcount = 0; 3340 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3341 /* Sanity check option length */ 3342 if (l > len) { 3343 /* XXX just RXJ? */ 3344 addlog("%s: received malicious IPCPv6 option, " 3345 "dropping\n", ifp->if_xname); 3346 goto drop; 3347 } 3348 if (debug) 3349 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3350 switch (*p) { 3351 case IPV6CP_OPT_IFID: 3352 if (len >= 10 && l == 10 && ifidcount == 0) { 3353 /* correctly formed address option */ 3354 ifidcount++; 3355 continue; 3356 } 3357 if (debug) 3358 addlog(" [invalid]"); 3359 break; 3360 #ifdef notyet 3361 case IPV6CP_OPT_COMPRESSION: 3362 if (len >= 4 && l >= 4) { 3363 /* correctly formed compress option */ 3364 continue; 3365 } 3366 if (debug) 3367 addlog(" [invalid]"); 3368 break; 3369 #endif 3370 default: 3371 /* Others not supported. */ 3372 if (debug) 3373 addlog(" [rej]"); 3374 break; 3375 } 3376 if (rlen + l > blen) { 3377 if (debug) 3378 addlog(" [overflow]"); 3379 continue; 3380 } 3381 /* Add the option to rejected list. */ 3382 memcpy(r, p, l); 3383 r += l; 3384 rlen += l; 3385 } 3386 if (rlen) { 3387 if (debug) 3388 addlog(" send conf-rej\n"); 3389 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3390 goto end; 3391 } else if (debug) 3392 addlog("\n"); 3393 3394 /* pass 2: parse option values */ 3395 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3396 if (debug) 3397 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 3398 ifp->if_xname); 3399 p = (void *)(h + 1); 3400 len = origlen; 3401 type = CONF_ACK; 3402 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3403 if (debug) 3404 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3405 switch (*p) { 3406 #ifdef notyet 3407 case IPV6CP_OPT_COMPRESSION: 3408 continue; 3409 #endif 3410 case IPV6CP_OPT_IFID: 3411 memset(&desiredaddr, 0, sizeof(desiredaddr)); 3412 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 3413 collision = (memcmp(&desiredaddr.s6_addr[8], 3414 &myaddr.s6_addr[8], 8) == 0); 3415 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3416 3417 desiredaddr.s6_addr16[0] = htons(0xfe80); 3418 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 3419 3420 if (!collision && !nohisaddr) { 3421 /* no collision, hisaddr known - Conf-Ack */ 3422 type = CONF_ACK; 3423 3424 if (debug) { 3425 addlog(" %s [%s]", 3426 ip6_sprintf(&desiredaddr), 3427 sppp_cp_type_name(type)); 3428 } 3429 continue; 3430 } 3431 3432 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3433 if (collision && nohisaddr) { 3434 /* collision, hisaddr unknown - Conf-Rej */ 3435 type = CONF_REJ; 3436 memset(&p[2], 0, 8); 3437 } else { 3438 /* 3439 * - no collision, hisaddr unknown, or 3440 * - collision, hisaddr known 3441 * Conf-Nak, suggest hisaddr 3442 */ 3443 type = CONF_NAK; 3444 sppp_suggest_ip6_addr(sp, &suggestaddr); 3445 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 3446 } 3447 if (debug) 3448 addlog(" %s [%s]", ip6_sprintf(&desiredaddr), 3449 sppp_cp_type_name(type)); 3450 break; 3451 } 3452 if (rlen + l > blen) { 3453 if (debug) 3454 addlog(" [overflow]"); 3455 continue; 3456 } 3457 /* Add the option to nak'ed list. */ 3458 memcpy(r, p, l); 3459 r += l; 3460 rlen += l; 3461 } 3462 3463 if (rlen == 0 && type == CONF_ACK) { 3464 if (debug) 3465 addlog(" send %s\n", sppp_cp_type_name(type)); 3466 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1); 3467 } else { 3468 #ifdef notdef 3469 if (type == CONF_ACK) 3470 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3471 #endif 3472 3473 if (debug) { 3474 addlog(" send %s suggest %s\n", 3475 sppp_cp_type_name(type), ip6_sprintf(&suggestaddr)); 3476 } 3477 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3478 } 3479 3480 end: 3481 free(buf, M_TEMP); 3482 return (rlen == 0); 3483 3484 drop: 3485 free(buf, M_TEMP); 3486 return -1; 3487 } 3488 3489 /* 3490 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3491 * negotiation. 3492 */ 3493 static void 3494 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3495 { 3496 u_char *buf, *p, l, blen; 3497 struct ifnet *ifp = &sp->pp_if; 3498 int debug = ifp->if_flags & IFF_DEBUG; 3499 3500 len -= 4; 3501 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3502 if (!buf) 3503 return; 3504 3505 if (debug) 3506 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 3507 ifp->if_xname); 3508 3509 p = (void *)(h + 1); 3510 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3511 if (l > len) { 3512 /* XXX just RXJ? */ 3513 addlog("%s: received malicious IPCPv6 option, " 3514 "dropping\n", ifp->if_xname); 3515 goto drop; 3516 } 3517 if (debug) 3518 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3519 switch (*p) { 3520 case IPV6CP_OPT_IFID: 3521 /* 3522 * Peer doesn't grok address option. This is 3523 * bad. XXX Should we better give up here? 3524 */ 3525 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3526 break; 3527 #ifdef notyet 3528 case IPV6CP_OPT_COMPRESS: 3529 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3530 break; 3531 #endif 3532 } 3533 } 3534 if (debug) 3535 addlog("\n"); 3536 drop: 3537 free(buf, M_TEMP); 3538 return; 3539 } 3540 3541 /* 3542 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3543 * negotiation. 3544 */ 3545 static void 3546 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3547 { 3548 u_char *buf, *p, l, blen; 3549 struct ifnet *ifp = &sp->pp_if; 3550 int debug = ifp->if_flags & IFF_DEBUG; 3551 struct in6_addr suggestaddr; 3552 3553 len -= 4; 3554 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3555 if (!buf) 3556 return; 3557 3558 if (debug) 3559 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 3560 ifp->if_xname); 3561 3562 p = (void *)(h + 1); 3563 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3564 if (l > len) { 3565 /* XXX just RXJ? */ 3566 addlog("%s: received malicious IPCPv6 option, " 3567 "dropping\n", ifp->if_xname); 3568 goto drop; 3569 } 3570 if (debug) 3571 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3572 switch (*p) { 3573 case IPV6CP_OPT_IFID: 3574 /* 3575 * Peer doesn't like our local ifid. See 3576 * if we can do something for him. We'll drop 3577 * him our address then. 3578 */ 3579 if (len < 10 || l != 10) 3580 break; 3581 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3582 suggestaddr.s6_addr16[0] = htons(0xfe80); 3583 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 3584 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 3585 3586 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3587 if (debug) 3588 addlog(" [suggestaddr %s]", 3589 ip6_sprintf(&suggestaddr)); 3590 #ifdef IPV6CP_MYIFID_DYN 3591 /* 3592 * When doing dynamic address assignment, 3593 * we accept his offer. 3594 */ 3595 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3596 struct in6_addr lastsuggest; 3597 /* 3598 * If <suggested myaddr from peer> equals to 3599 * <hisaddr we have suggested last time>, 3600 * we have a collision. generate new random 3601 * ifid. 3602 */ 3603 sppp_suggest_ip6_addr(&lastsuggest); 3604 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3605 lastsuggest)) { 3606 if (debug) 3607 addlog(" [random]"); 3608 sppp_gen_ip6_addr(sp, &suggestaddr); 3609 } 3610 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3611 if (debug) 3612 addlog(" [agree]"); 3613 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3614 } 3615 #else 3616 /* 3617 * Since we do not do dynamic address assignment, 3618 * we ignore it and thus continue to negotiate 3619 * our already existing value. This can possibly 3620 * go into infinite request-reject loop. 3621 * 3622 * This is not likely because we normally use 3623 * ifid based on MAC-address. 3624 * If you have no ethernet card on the node, too bad. 3625 * XXX should we use fail_counter? 3626 */ 3627 #endif 3628 break; 3629 #ifdef notyet 3630 case IPV6CP_OPT_COMPRESS: 3631 /* 3632 * Peer wants different compression parameters. 3633 */ 3634 break; 3635 #endif 3636 } 3637 } 3638 if (debug) 3639 addlog("\n"); 3640 drop: 3641 free(buf, M_TEMP); 3642 return; 3643 } 3644 3645 static void 3646 sppp_ipv6cp_tlu(struct sppp *sp) 3647 { 3648 /* we are up - notify isdn daemon */ 3649 if (sp->pp_con) 3650 sp->pp_con(sp); 3651 } 3652 3653 static void 3654 sppp_ipv6cp_tld(struct sppp *sp) 3655 { 3656 } 3657 3658 static void 3659 sppp_ipv6cp_tls(struct sppp *sp) 3660 { 3661 /* indicate to LCP that it must stay alive */ 3662 sp->lcp.protos |= (1 << IDX_IPV6CP); 3663 } 3664 3665 static void 3666 sppp_ipv6cp_tlf(struct sppp *sp) 3667 { 3668 /* we no longer need LCP */ 3669 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3670 } 3671 3672 static void 3673 sppp_ipv6cp_scr(struct sppp *sp) 3674 { 3675 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3676 struct in6_addr ouraddr; 3677 int i = 0; 3678 3679 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3680 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3681 opt[i++] = IPV6CP_OPT_IFID; 3682 opt[i++] = 10; 3683 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 3684 i += 8; 3685 } 3686 3687 #ifdef notyet 3688 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 3689 opt[i++] = IPV6CP_OPT_COMPRESSION; 3690 opt[i++] = 4; 3691 opt[i++] = 0; /* TBD */ 3692 opt[i++] = 0; /* TBD */ 3693 /* variable length data may follow */ 3694 } 3695 #endif 3696 3697 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 3698 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 3699 } 3700 #else /*INET6*/ 3701 static void 3702 sppp_ipv6cp_init(struct sppp *sp) 3703 { 3704 } 3705 3706 static void 3707 sppp_ipv6cp_up(struct sppp *sp) 3708 { 3709 } 3710 3711 static void 3712 sppp_ipv6cp_down(struct sppp *sp) 3713 { 3714 } 3715 3716 static void 3717 sppp_ipv6cp_open(struct sppp *sp) 3718 { 3719 } 3720 3721 static void 3722 sppp_ipv6cp_close(struct sppp *sp) 3723 { 3724 } 3725 3726 static void 3727 sppp_ipv6cp_TO(void *sp) 3728 { 3729 } 3730 3731 static int 3732 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, 3733 int len) 3734 { 3735 return 0; 3736 } 3737 3738 static void 3739 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, 3740 int len) 3741 { 3742 } 3743 3744 static void 3745 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, 3746 int len) 3747 { 3748 } 3749 3750 static void 3751 sppp_ipv6cp_tlu(struct sppp *sp) 3752 { 3753 } 3754 3755 static void 3756 sppp_ipv6cp_tld(struct sppp *sp) 3757 { 3758 } 3759 3760 static void 3761 sppp_ipv6cp_tls(struct sppp *sp) 3762 { 3763 } 3764 3765 static void 3766 sppp_ipv6cp_tlf(struct sppp *sp) 3767 { 3768 } 3769 3770 static void 3771 sppp_ipv6cp_scr(struct sppp *sp) 3772 { 3773 } 3774 #endif /*INET6*/ 3775 3776 3777 /* 3778 *--------------------------------------------------------------------------* 3779 * * 3780 * The CHAP implementation. * 3781 * * 3782 *--------------------------------------------------------------------------* 3783 */ 3784 3785 /* 3786 * The authentication protocols don't employ a full-fledged state machine as 3787 * the control protocols do, since they do have Open and Close events, but 3788 * not Up and Down, nor are they explicitly terminated. Also, use of the 3789 * authentication protocols may be different in both directions (this makes 3790 * sense, think of a machine that never accepts incoming calls but only 3791 * calls out, it doesn't require the called party to authenticate itself). 3792 * 3793 * Our state machine for the local authentication protocol (we are requesting 3794 * the peer to authenticate) looks like: 3795 * 3796 * RCA- 3797 * +--------------------------------------------+ 3798 * V scn,tld| 3799 * +--------+ Close +---------+ RCA+ 3800 * | |<----------------------------------| |------+ 3801 * +--->| Closed | TO* | Opened | sca | 3802 * | | |-----+ +-------| |<-----+ 3803 * | +--------+ irc | | +---------+ 3804 * | ^ | | ^ 3805 * | | | | | 3806 * | | | | | 3807 * | TO-| | | | 3808 * | |tld TO+ V | | 3809 * | | +------->+ | | 3810 * | | | | | | 3811 * | +--------+ V | | 3812 * | | |<----+<--------------------+ | 3813 * | | Req- | scr | 3814 * | | Sent | | 3815 * | | | | 3816 * | +--------+ | 3817 * | RCA- | | RCA+ | 3818 * +------+ +------------------------------------------+ 3819 * scn,tld sca,irc,ict,tlu 3820 * 3821 * 3822 * with: 3823 * 3824 * Open: LCP reached authentication phase 3825 * Close: LCP reached terminate phase 3826 * 3827 * RCA+: received reply (pap-req, chap-response), acceptable 3828 * RCN: received reply (pap-req, chap-response), not acceptable 3829 * TO+: timeout with restart counter >= 0 3830 * TO-: timeout with restart counter < 0 3831 * TO*: reschedule timeout for CHAP 3832 * 3833 * scr: send request packet (none for PAP, chap-challenge) 3834 * sca: send ack packet (pap-ack, chap-success) 3835 * scn: send nak packet (pap-nak, chap-failure) 3836 * ict: initialize re-challenge timer (CHAP only) 3837 * 3838 * tlu: this-layer-up, LCP reaches network phase 3839 * tld: this-layer-down, LCP enters terminate phase 3840 * 3841 * Note that in CHAP mode, after sending a new challenge, while the state 3842 * automaton falls back into Req-Sent state, it doesn't signal a tld 3843 * event to LCP, so LCP remains in network phase. Only after not getting 3844 * any response (or after getting an unacceptable response), CHAP closes, 3845 * causing LCP to enter terminate phase. 3846 * 3847 * With PAP, there is no initial request that can be sent. The peer is 3848 * expected to send one based on the successful negotiation of PAP as 3849 * the authentication protocol during the LCP option negotiation. 3850 * 3851 * Incoming authentication protocol requests (remote requests 3852 * authentication, we are peer) don't employ a state machine at all, 3853 * they are simply answered. Some peers [Ascend P50 firmware rev 3854 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are 3855 * still in authentication phase (thereby violating the standard that 3856 * demands that these NCP packets are to be discarded), so we keep 3857 * track of the peer demanding us to authenticate, and only proceed to 3858 * phase network once we've seen a positive acknowledge for the 3859 * authentication. 3860 */ 3861 3862 /* 3863 * Handle incoming CHAP packets. 3864 */ 3865 void 3866 sppp_chap_input(struct sppp *sp, struct mbuf *m) 3867 { 3868 STDDCL; 3869 struct lcp_header *h; 3870 int len, x; 3871 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize; 3872 int value_len, name_len; 3873 MD5_CTX ctx; 3874 3875 len = m->m_pkthdr.len; 3876 if (len < 4) { 3877 if (debug) 3878 log(LOG_DEBUG, 3879 "%s: chap invalid packet length: %d bytes\n", 3880 ifp->if_xname, len); 3881 return; 3882 } 3883 h = mtod(m, struct lcp_header *); 3884 if (len > ntohs(h->len)) 3885 len = ntohs(h->len); 3886 3887 switch (h->type) { 3888 /* challenge, failure and success are his authproto */ 3889 case CHAP_CHALLENGE: 3890 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 3891 /* can't do anything useful */ 3892 sp->pp_auth_failures++; 3893 printf("%s: chap input without my name and my secret being set\n", 3894 ifp->if_xname); 3895 break; 3896 } 3897 value = 1 + (u_char *)(h + 1); 3898 value_len = value[-1]; 3899 name = value + value_len; 3900 name_len = len - value_len - 5; 3901 if (name_len < 0) { 3902 if (debug) { 3903 log(LOG_DEBUG, 3904 "%s: chap corrupted challenge " 3905 "<%s id=0x%x len=%d", 3906 ifp->if_xname, 3907 sppp_auth_type_name(PPP_CHAP, h->type), 3908 h->ident, ntohs(h->len)); 3909 if (len > 4) 3910 sppp_print_bytes((u_char *)(h + 1), 3911 len - 4); 3912 addlog(">\n"); 3913 } 3914 break; 3915 } 3916 3917 if (debug) { 3918 log(LOG_DEBUG, 3919 "%s: chap input <%s id=0x%x len=%d name=", 3920 ifp->if_xname, 3921 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 3922 ntohs(h->len)); 3923 sppp_print_string((char *) name, name_len); 3924 addlog(" value-size=%d value=", value_len); 3925 sppp_print_bytes(value, value_len); 3926 addlog(">\n"); 3927 } 3928 3929 /* Compute reply value. */ 3930 MD5Init(&ctx); 3931 MD5Update(&ctx, &h->ident, 1); 3932 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 3933 MD5Update(&ctx, value, value_len); 3934 MD5Final(digest, &ctx); 3935 dsize = sizeof digest; 3936 3937 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 3938 sizeof dsize, (const char *)&dsize, 3939 sizeof digest, digest, 3940 sp->myauth.name_len, 3941 sp->myauth.name, 3942 0); 3943 break; 3944 3945 case CHAP_SUCCESS: 3946 if (debug) { 3947 log(LOG_DEBUG, "%s: chap success", 3948 ifp->if_xname); 3949 if (len > 4) { 3950 addlog(": "); 3951 sppp_print_string((char *)(h + 1), len - 4); 3952 } 3953 addlog("\n"); 3954 } 3955 x = splnet(); 3956 sp->pp_auth_failures = 0; 3957 sp->pp_flags &= ~PP_NEEDAUTH; 3958 if (sp->myauth.proto == PPP_CHAP && 3959 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 3960 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 3961 /* 3962 * We are authenticator for CHAP but didn't 3963 * complete yet. Leave it to tlu to proceed 3964 * to network phase. 3965 */ 3966 splx(x); 3967 break; 3968 } 3969 splx(x); 3970 sppp_phase_network(sp); 3971 break; 3972 3973 case CHAP_FAILURE: 3974 x = splnet(); 3975 sp->pp_auth_failures++; 3976 splx(x); 3977 if (debug) { 3978 log(LOG_INFO, "%s: chap failure", 3979 ifp->if_xname); 3980 if (len > 4) { 3981 addlog(": "); 3982 sppp_print_string((char *)(h + 1), len - 4); 3983 } 3984 addlog("\n"); 3985 } else 3986 log(LOG_INFO, "%s: chap failure\n", 3987 ifp->if_xname); 3988 /* await LCP shutdown by authenticator */ 3989 break; 3990 3991 /* response is my authproto */ 3992 case CHAP_RESPONSE: 3993 if (sp->hisauth.secret == NULL) { 3994 /* can't do anything useful */ 3995 printf("%s: chap input without his secret being set\n", 3996 ifp->if_xname); 3997 break; 3998 } 3999 value = 1 + (u_char *)(h + 1); 4000 value_len = value[-1]; 4001 name = value + value_len; 4002 name_len = len - value_len - 5; 4003 if (name_len < 0) { 4004 if (debug) { 4005 log(LOG_DEBUG, 4006 "%s: chap corrupted response " 4007 "<%s id=0x%x len=%d", 4008 ifp->if_xname, 4009 sppp_auth_type_name(PPP_CHAP, h->type), 4010 h->ident, ntohs(h->len)); 4011 if (len > 4) 4012 sppp_print_bytes((u_char *)(h + 1), 4013 len - 4); 4014 addlog(">\n"); 4015 } 4016 break; 4017 } 4018 if (h->ident != sp->confid[IDX_CHAP]) { 4019 if (debug) 4020 log(LOG_DEBUG, 4021 "%s: chap dropping response for old ID " 4022 "(got %d, expected %d)\n", 4023 ifp->if_xname, 4024 h->ident, sp->confid[IDX_CHAP]); 4025 break; 4026 } 4027 if (sp->hisauth.name != NULL && 4028 (name_len != sp->hisauth.name_len 4029 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 4030 log(LOG_INFO, "%s: chap response, his name ", 4031 ifp->if_xname); 4032 sppp_print_string(name, name_len); 4033 addlog(" != expected "); 4034 sppp_print_string(sp->hisauth.name, 4035 sp->hisauth.name_len); 4036 addlog("\n"); 4037 goto chap_failure; 4038 } 4039 if (debug) { 4040 log(LOG_DEBUG, "%s: chap input(%s) " 4041 "<%s id=0x%x len=%d name=", 4042 ifp->if_xname, 4043 sppp_state_name(sp->state[IDX_CHAP]), 4044 sppp_auth_type_name(PPP_CHAP, h->type), 4045 h->ident, ntohs(h->len)); 4046 sppp_print_string((char *)name, name_len); 4047 addlog(" value-size=%d value=", value_len); 4048 sppp_print_bytes(value, value_len); 4049 addlog(">\n"); 4050 } 4051 if (value_len != sizeof(sp->hisauth.challenge)) { 4052 if (debug) 4053 log(LOG_DEBUG, 4054 "%s: chap bad hash value length: " 4055 "%d bytes, should be %zu\n", 4056 ifp->if_xname, value_len, 4057 sizeof(sp->hisauth.challenge)); 4058 goto chap_failure; 4059 } 4060 4061 MD5Init(&ctx); 4062 MD5Update(&ctx, &h->ident, 1); 4063 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 4064 MD5Update(&ctx, sp->hisauth.challenge, sizeof(sp->hisauth.challenge)); 4065 MD5Final(digest, &ctx); 4066 4067 #define FAILMSG "Failed..." 4068 #define SUCCMSG "Welcome!" 4069 4070 if (value_len != sizeof digest || 4071 memcmp(digest, value, value_len) != 0) { 4072 chap_failure: 4073 /* action scn, tld */ 4074 x = splnet(); 4075 sp->pp_auth_failures++; 4076 splx(x); 4077 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4078 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4079 0); 4080 chap.tld(sp); 4081 break; 4082 } 4083 sp->pp_auth_failures = 0; 4084 /* action sca, perhaps tlu */ 4085 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4086 sp->state[IDX_CHAP] == STATE_OPENED) 4087 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4088 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4089 0); 4090 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4091 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4092 chap.tlu(sp); 4093 } 4094 break; 4095 4096 default: 4097 /* Unknown CHAP packet type -- ignore. */ 4098 if (debug) { 4099 log(LOG_DEBUG, "%s: chap unknown input(%s) " 4100 "<0x%x id=0x%xh len=%d", 4101 ifp->if_xname, 4102 sppp_state_name(sp->state[IDX_CHAP]), 4103 h->type, h->ident, ntohs(h->len)); 4104 if (len > 4) 4105 sppp_print_bytes((u_char *)(h + 1), len - 4); 4106 addlog(">\n"); 4107 } 4108 break; 4109 4110 } 4111 } 4112 4113 static void 4114 sppp_chap_init(struct sppp *sp) 4115 { 4116 /* Chap doesn't have STATE_INITIAL at all. */ 4117 sp->state[IDX_CHAP] = STATE_CLOSED; 4118 sp->fail_counter[IDX_CHAP] = 0; 4119 sp->pp_seq[IDX_CHAP] = 0; 4120 sp->pp_rseq[IDX_CHAP] = 0; 4121 callout_init(&sp->ch[IDX_CHAP], 0); 4122 } 4123 4124 static void 4125 sppp_chap_open(struct sppp *sp) 4126 { 4127 if (sp->hisauth.proto == PPP_CHAP && 4128 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4129 /* we are authenticator for CHAP, start it */ 4130 chap.scr(sp); 4131 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4132 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4133 } 4134 /* nothing to be done if we are peer, await a challenge */ 4135 } 4136 4137 static void 4138 sppp_chap_close(struct sppp *sp) 4139 { 4140 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4141 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4142 } 4143 4144 static void 4145 sppp_chap_TO(void *cookie) 4146 { 4147 struct sppp *sp = (struct sppp *)cookie; 4148 STDDCL; 4149 int s; 4150 4151 s = splnet(); 4152 if (debug) 4153 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n", 4154 ifp->if_xname, 4155 sppp_state_name(sp->state[IDX_CHAP]), 4156 sp->rst_counter[IDX_CHAP]); 4157 4158 if (--sp->rst_counter[IDX_CHAP] < 0) 4159 /* TO- event */ 4160 switch (sp->state[IDX_CHAP]) { 4161 case STATE_REQ_SENT: 4162 chap.tld(sp); 4163 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4164 break; 4165 } 4166 else 4167 /* TO+ (or TO*) event */ 4168 switch (sp->state[IDX_CHAP]) { 4169 case STATE_OPENED: 4170 /* TO* event */ 4171 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4172 /* fall through */ 4173 case STATE_REQ_SENT: 4174 chap.scr(sp); 4175 /* sppp_cp_change_state() will restart the timer */ 4176 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4177 break; 4178 } 4179 4180 splx(s); 4181 } 4182 4183 static void 4184 sppp_chap_tlu(struct sppp *sp) 4185 { 4186 STDDCL; 4187 int i, x; 4188 4189 i = 0; 4190 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4191 4192 /* 4193 * Some broken CHAP implementations (Conware CoNet, firmware 4194 * 4.0.?) don't want to re-authenticate their CHAP once the 4195 * initial challenge-response exchange has taken place. 4196 * Provide for an option to avoid rechallenges. 4197 */ 4198 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 4199 /* 4200 * Compute the re-challenge timeout. This will yield 4201 * a number between 300 and 810 seconds. 4202 */ 4203 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7); 4204 4205 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp); 4206 } 4207 4208 if (debug) { 4209 log(LOG_DEBUG, 4210 "%s: chap %s, ", 4211 ifp->if_xname, 4212 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu"); 4213 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) 4214 addlog("next re-challenge in %d seconds\n", i); 4215 else 4216 addlog("re-challenging supressed\n"); 4217 } 4218 4219 x = splnet(); 4220 sp->pp_auth_failures = 0; 4221 /* indicate to LCP that we need to be closed down */ 4222 sp->lcp.protos |= (1 << IDX_CHAP); 4223 4224 if (sp->pp_flags & PP_NEEDAUTH) { 4225 /* 4226 * Remote is authenticator, but his auth proto didn't 4227 * complete yet. Defer the transition to network 4228 * phase. 4229 */ 4230 splx(x); 4231 return; 4232 } 4233 splx(x); 4234 4235 /* 4236 * If we are already in phase network, we are done here. This 4237 * is the case if this is a dummy tlu event after a re-challenge. 4238 */ 4239 if (sp->pp_phase != SPPP_PHASE_NETWORK) 4240 sppp_phase_network(sp); 4241 } 4242 4243 static void 4244 sppp_chap_tld(struct sppp *sp) 4245 { 4246 STDDCL; 4247 4248 if (debug) 4249 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname); 4250 callout_stop(&sp->ch[IDX_CHAP]); 4251 sp->lcp.protos &= ~(1 << IDX_CHAP); 4252 4253 lcp.Close(sp); 4254 } 4255 4256 static void 4257 sppp_chap_scr(struct sppp *sp) 4258 { 4259 uint32_t *ch; 4260 u_char clen = 4 * sizeof(uint32_t); 4261 4262 if (sp->hisauth.name == NULL) { 4263 /* can't do anything useful */ 4264 printf("%s: chap starting without his name being set\n", 4265 sp->pp_if.if_xname); 4266 return; 4267 } 4268 4269 /* Compute random challenge. */ 4270 ch = (uint32_t *)sp->hisauth.challenge; 4271 cprng_strong(kern_cprng, ch, clen, 0); 4272 4273 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4274 4275 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4276 sizeof clen, (const char *)&clen, 4277 sizeof(sp->hisauth.challenge), sp->hisauth.challenge, 4278 0); 4279 } 4280 4281 /* 4282 *--------------------------------------------------------------------------* 4283 * * 4284 * The PAP implementation. * 4285 * * 4286 *--------------------------------------------------------------------------* 4287 */ 4288 /* 4289 * For PAP, we need to keep a little state also if we are the peer, not the 4290 * authenticator. This is since we don't get a request to authenticate, but 4291 * have to repeatedly authenticate ourself until we got a response (or the 4292 * retry counter is expired). 4293 */ 4294 4295 /* 4296 * Handle incoming PAP packets. */ 4297 static void 4298 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4299 { 4300 STDDCL; 4301 struct lcp_header *h; 4302 int len, x; 4303 u_char mlen; 4304 char *name, *secret; 4305 int name_len, secret_len; 4306 4307 /* 4308 * Malicious input might leave this uninitialized, so 4309 * init to an impossible value. 4310 */ 4311 secret_len = -1; 4312 4313 len = m->m_pkthdr.len; 4314 if (len < 5) { 4315 if (debug) 4316 log(LOG_DEBUG, 4317 "%s: pap invalid packet length: %d bytes\n", 4318 ifp->if_xname, len); 4319 return; 4320 } 4321 h = mtod(m, struct lcp_header *); 4322 if (len > ntohs(h->len)) 4323 len = ntohs(h->len); 4324 switch (h->type) { 4325 /* PAP request is my authproto */ 4326 case PAP_REQ: 4327 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4328 /* can't do anything useful */ 4329 printf("%s: pap request without his name and his secret being set\n", 4330 ifp->if_xname); 4331 break; 4332 } 4333 name = 1 + (u_char *)(h + 1); 4334 name_len = name[-1]; 4335 secret = name + name_len + 1; 4336 if (name_len > len - 6 || 4337 (secret_len = secret[-1]) > len - 6 - name_len) { 4338 if (debug) { 4339 log(LOG_DEBUG, "%s: pap corrupted input " 4340 "<%s id=0x%x len=%d", 4341 ifp->if_xname, 4342 sppp_auth_type_name(PPP_PAP, h->type), 4343 h->ident, ntohs(h->len)); 4344 if (len > 4) 4345 sppp_print_bytes((u_char *)(h + 1), 4346 len - 4); 4347 addlog(">\n"); 4348 } 4349 break; 4350 } 4351 if (debug) { 4352 log(LOG_DEBUG, "%s: pap input(%s) " 4353 "<%s id=0x%x len=%d name=", 4354 ifp->if_xname, 4355 sppp_state_name(sp->state[IDX_PAP]), 4356 sppp_auth_type_name(PPP_PAP, h->type), 4357 h->ident, ntohs(h->len)); 4358 sppp_print_string((char *)name, name_len); 4359 addlog(" secret="); 4360 sppp_print_string((char *)secret, secret_len); 4361 addlog(">\n"); 4362 } 4363 if (name_len != sp->hisauth.name_len || 4364 secret_len != sp->hisauth.secret_len || 4365 memcmp(name, sp->hisauth.name, name_len) != 0 || 4366 memcmp(secret, sp->hisauth.secret, secret_len) != 0) { 4367 /* action scn, tld */ 4368 sp->pp_auth_failures++; 4369 mlen = sizeof(FAILMSG) - 1; 4370 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4371 sizeof mlen, (const char *)&mlen, 4372 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4373 0); 4374 pap.tld(sp); 4375 break; 4376 } 4377 /* action sca, perhaps tlu */ 4378 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4379 sp->state[IDX_PAP] == STATE_OPENED) { 4380 mlen = sizeof(SUCCMSG) - 1; 4381 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4382 sizeof mlen, (const char *)&mlen, 4383 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4384 0); 4385 } 4386 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4387 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4388 pap.tlu(sp); 4389 } 4390 break; 4391 4392 /* ack and nak are his authproto */ 4393 case PAP_ACK: 4394 callout_stop(&sp->pap_my_to_ch); 4395 if (debug) { 4396 log(LOG_DEBUG, "%s: pap success", 4397 ifp->if_xname); 4398 name = 1 + (u_char *)(h + 1); 4399 name_len = name[-1]; 4400 if (len > 5 && name_len < len+4) { 4401 addlog(": "); 4402 sppp_print_string(name, name_len); 4403 } 4404 addlog("\n"); 4405 } 4406 x = splnet(); 4407 sp->pp_auth_failures = 0; 4408 sp->pp_flags &= ~PP_NEEDAUTH; 4409 if (sp->myauth.proto == PPP_PAP && 4410 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4411 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4412 /* 4413 * We are authenticator for PAP but didn't 4414 * complete yet. Leave it to tlu to proceed 4415 * to network phase. 4416 */ 4417 splx(x); 4418 break; 4419 } 4420 splx(x); 4421 sppp_phase_network(sp); 4422 break; 4423 4424 case PAP_NAK: 4425 callout_stop(&sp->pap_my_to_ch); 4426 sp->pp_auth_failures++; 4427 if (debug) { 4428 log(LOG_INFO, "%s: pap failure", 4429 ifp->if_xname); 4430 name = 1 + (u_char *)(h + 1); 4431 name_len = name[-1]; 4432 if (len > 5 && name_len < len+4) { 4433 addlog(": "); 4434 sppp_print_string(name, name_len); 4435 } 4436 addlog("\n"); 4437 } else 4438 log(LOG_INFO, "%s: pap failure\n", 4439 ifp->if_xname); 4440 /* await LCP shutdown by authenticator */ 4441 break; 4442 4443 default: 4444 /* Unknown PAP packet type -- ignore. */ 4445 if (debug) { 4446 log(LOG_DEBUG, "%s: pap corrupted input " 4447 "<0x%x id=0x%x len=%d", 4448 ifp->if_xname, 4449 h->type, h->ident, ntohs(h->len)); 4450 if (len > 4) 4451 sppp_print_bytes((u_char *)(h + 1), len - 4); 4452 addlog(">\n"); 4453 } 4454 break; 4455 4456 } 4457 } 4458 4459 static void 4460 sppp_pap_init(struct sppp *sp) 4461 { 4462 /* PAP doesn't have STATE_INITIAL at all. */ 4463 sp->state[IDX_PAP] = STATE_CLOSED; 4464 sp->fail_counter[IDX_PAP] = 0; 4465 sp->pp_seq[IDX_PAP] = 0; 4466 sp->pp_rseq[IDX_PAP] = 0; 4467 callout_init(&sp->ch[IDX_PAP], 0); 4468 callout_init(&sp->pap_my_to_ch, 0); 4469 } 4470 4471 static void 4472 sppp_pap_open(struct sppp *sp) 4473 { 4474 if (sp->hisauth.proto == PPP_PAP && 4475 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4476 /* we are authenticator for PAP, start our timer */ 4477 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4478 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4479 } 4480 if (sp->myauth.proto == PPP_PAP) { 4481 /* we are peer, send a request, and start a timer */ 4482 pap.scr(sp); 4483 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout, 4484 sppp_pap_my_TO, sp); 4485 } 4486 } 4487 4488 static void 4489 sppp_pap_close(struct sppp *sp) 4490 { 4491 if (sp->state[IDX_PAP] != STATE_CLOSED) 4492 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4493 } 4494 4495 /* 4496 * That's the timeout routine if we are authenticator. Since the 4497 * authenticator is basically passive in PAP, we can't do much here. 4498 */ 4499 static void 4500 sppp_pap_TO(void *cookie) 4501 { 4502 struct sppp *sp = (struct sppp *)cookie; 4503 STDDCL; 4504 int s; 4505 4506 s = splnet(); 4507 if (debug) 4508 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n", 4509 ifp->if_xname, 4510 sppp_state_name(sp->state[IDX_PAP]), 4511 sp->rst_counter[IDX_PAP]); 4512 4513 if (--sp->rst_counter[IDX_PAP] < 0) 4514 /* TO- event */ 4515 switch (sp->state[IDX_PAP]) { 4516 case STATE_REQ_SENT: 4517 pap.tld(sp); 4518 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4519 break; 4520 } 4521 else 4522 /* TO+ event, not very much we could do */ 4523 switch (sp->state[IDX_PAP]) { 4524 case STATE_REQ_SENT: 4525 /* sppp_cp_change_state() will restart the timer */ 4526 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4527 break; 4528 } 4529 4530 splx(s); 4531 } 4532 4533 /* 4534 * That's the timeout handler if we are peer. Since the peer is active, 4535 * we need to retransmit our PAP request since it is apparently lost. 4536 * XXX We should impose a max counter. 4537 */ 4538 static void 4539 sppp_pap_my_TO(void *cookie) 4540 { 4541 struct sppp *sp = (struct sppp *)cookie; 4542 STDDCL; 4543 4544 if (debug) 4545 log(LOG_DEBUG, "%s: pap peer TO\n", 4546 ifp->if_xname); 4547 4548 pap.scr(sp); 4549 } 4550 4551 static void 4552 sppp_pap_tlu(struct sppp *sp) 4553 { 4554 STDDCL; 4555 int x; 4556 4557 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4558 4559 if (debug) 4560 log(LOG_DEBUG, "%s: %s tlu\n", 4561 ifp->if_xname, pap.name); 4562 4563 x = splnet(); 4564 sp->pp_auth_failures = 0; 4565 /* indicate to LCP that we need to be closed down */ 4566 sp->lcp.protos |= (1 << IDX_PAP); 4567 4568 if (sp->pp_flags & PP_NEEDAUTH) { 4569 /* 4570 * Remote is authenticator, but his auth proto didn't 4571 * complete yet. Defer the transition to network 4572 * phase. 4573 */ 4574 splx(x); 4575 return; 4576 } 4577 splx(x); 4578 sppp_phase_network(sp); 4579 } 4580 4581 static void 4582 sppp_pap_tld(struct sppp *sp) 4583 { 4584 STDDCL; 4585 4586 if (debug) 4587 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname); 4588 callout_stop(&sp->ch[IDX_PAP]); 4589 callout_stop(&sp->pap_my_to_ch); 4590 sp->lcp.protos &= ~(1 << IDX_PAP); 4591 4592 lcp.Close(sp); 4593 } 4594 4595 static void 4596 sppp_pap_scr(struct sppp *sp) 4597 { 4598 u_char idlen, pwdlen; 4599 4600 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4601 /* can't do anything useful */ 4602 printf("%s: pap starting without my name and secret being set\n", 4603 sp->pp_if.if_xname); 4604 return; 4605 } 4606 4607 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4608 pwdlen = sp->myauth.secret_len; 4609 idlen = sp->myauth.name_len; 4610 4611 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 4612 sizeof idlen, (const char *)&idlen, 4613 idlen, sp->myauth.name, 4614 sizeof pwdlen, (const char *)&pwdlen, 4615 pwdlen, sp->myauth.secret, 4616 0); 4617 } 4618 4619 /* 4620 * Random miscellaneous functions. 4621 */ 4622 4623 /* 4624 * Send a PAP or CHAP proto packet. 4625 * 4626 * Varadic function, each of the elements for the ellipsis is of type 4627 * ``size_t mlen, const u_char *msg''. Processing will stop iff 4628 * mlen == 0. 4629 * NOTE: never declare variadic functions with types subject to type 4630 * promotion (i.e. u_char). This is asking for big trouble depending 4631 * on the architecture you are on... 4632 */ 4633 4634 static void 4635 sppp_auth_send(const struct cp *cp, struct sppp *sp, 4636 unsigned int type, unsigned int id, 4637 ...) 4638 { 4639 STDDCL; 4640 struct lcp_header *lh; 4641 struct mbuf *m; 4642 u_char *p; 4643 int len; 4644 size_t pkthdrlen; 4645 unsigned int mlen; 4646 const char *msg; 4647 va_list ap; 4648 4649 MGETHDR(m, M_DONTWAIT, MT_DATA); 4650 if (! m) 4651 return; 4652 m_reset_rcvif(m); 4653 4654 if (sp->pp_flags & PP_NOFRAMING) { 4655 *mtod(m, uint16_t *) = htons(cp->proto); 4656 pkthdrlen = 2; 4657 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 4658 } else { 4659 struct ppp_header *h; 4660 h = mtod(m, struct ppp_header *); 4661 h->address = PPP_ALLSTATIONS; /* broadcast address */ 4662 h->control = PPP_UI; /* Unnumbered Info */ 4663 h->protocol = htons(cp->proto); 4664 pkthdrlen = PPP_HEADER_LEN; 4665 4666 lh = (struct lcp_header *)(h + 1); 4667 } 4668 4669 lh->type = type; 4670 lh->ident = id; 4671 p = (u_char *)(lh + 1); 4672 4673 va_start(ap, id); 4674 len = 0; 4675 4676 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 4677 msg = va_arg(ap, const char *); 4678 len += mlen; 4679 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 4680 va_end(ap); 4681 m_freem(m); 4682 return; 4683 } 4684 4685 memcpy(p, msg, mlen); 4686 p += mlen; 4687 } 4688 va_end(ap); 4689 4690 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 4691 lh->len = htons(LCP_HEADER_LEN + len); 4692 4693 if (debug) { 4694 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 4695 ifp->if_xname, cp->name, 4696 sppp_auth_type_name(cp->proto, lh->type), 4697 lh->ident, ntohs(lh->len)); 4698 if (len) 4699 sppp_print_bytes((u_char *)(lh + 1), len); 4700 addlog(">\n"); 4701 } 4702 if (IF_QFULL(&sp->pp_cpq)) { 4703 IF_DROP(&sp->pp_fastq); 4704 IF_DROP(&ifp->if_snd); 4705 m_freem(m); 4706 ++ifp->if_oerrors; 4707 return; 4708 } else 4709 IF_ENQUEUE(&sp->pp_cpq, m); 4710 if (! (ifp->if_flags & IFF_OACTIVE)) 4711 if_start_lock(ifp); 4712 ifp->if_obytes += m->m_pkthdr.len + 3; 4713 } 4714 4715 /* 4716 * Send keepalive packets, every 10 seconds. 4717 */ 4718 static void 4719 sppp_keepalive(void *dummy) 4720 { 4721 struct sppp *sp; 4722 int s; 4723 time_t now; 4724 4725 s = splnet(); 4726 now = time_uptime; 4727 for (sp=spppq; sp; sp=sp->pp_next) { 4728 struct ifnet *ifp = &sp->pp_if; 4729 4730 /* check idle timeout */ 4731 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 4732 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 4733 /* idle timeout is enabled for this interface */ 4734 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 4735 if (ifp->if_flags & IFF_DEBUG) 4736 printf("%s: no activity for %lu seconds\n", 4737 sp->pp_if.if_xname, 4738 (unsigned long)(now-sp->pp_last_activity)); 4739 lcp.Close(sp); 4740 continue; 4741 } 4742 } 4743 4744 /* Keepalive mode disabled or channel down? */ 4745 if (! (sp->pp_flags & PP_KEEPALIVE) || 4746 ! (ifp->if_flags & IFF_RUNNING)) 4747 continue; 4748 4749 /* No keepalive in PPP mode if LCP not opened yet. */ 4750 if (! (sp->pp_flags & PP_CISCO) && 4751 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) 4752 continue; 4753 4754 /* No echo reply, but maybe user data passed through? */ 4755 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) { 4756 sp->pp_alivecnt = 0; 4757 continue; 4758 } 4759 4760 if (sp->pp_alivecnt >= sp->pp_maxalive) { 4761 /* No keepalive packets got. Stop the interface. */ 4762 if_down (ifp); 4763 IF_PURGE(&sp->pp_cpq); 4764 if (! (sp->pp_flags & PP_CISCO)) { 4765 printf("%s: LCP keepalive timed out, going to restart the connection\n", 4766 ifp->if_xname); 4767 sp->pp_alivecnt = 0; 4768 4769 /* we are down, close all open protocols */ 4770 lcp.Close(sp); 4771 4772 /* And now prepare LCP to reestablish the link, if configured to do so. */ 4773 sppp_cp_change_state(&lcp, sp, STATE_STOPPED); 4774 4775 /* Close connection immediately, completition of this 4776 * will summon the magic needed to reestablish it. */ 4777 if (sp->pp_tlf) 4778 sp->pp_tlf(sp); 4779 continue; 4780 } 4781 } 4782 if (sp->pp_alivecnt < sp->pp_maxalive) 4783 ++sp->pp_alivecnt; 4784 if (sp->pp_flags & PP_CISCO) 4785 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 4786 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 4787 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 4788 int32_t nmagic = htonl(sp->lcp.magic); 4789 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 4790 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 4791 sp->lcp.echoid, 4, &nmagic); 4792 } 4793 } 4794 splx(s); 4795 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 4796 } 4797 4798 #ifdef INET 4799 /* 4800 * Get both IP addresses. 4801 */ 4802 static void 4803 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 4804 { 4805 struct ifnet *ifp = &sp->pp_if; 4806 struct ifaddr *ifa; 4807 struct sockaddr_in *si, *sm; 4808 uint32_t ssrc, ddst; 4809 4810 sm = NULL; 4811 ssrc = ddst = 0; 4812 /* 4813 * Pick the first AF_INET address from the list, 4814 * aliases don't make any sense on a p2p link anyway. 4815 */ 4816 si = 0; 4817 IFADDR_READER_FOREACH(ifa, ifp) { 4818 if (ifa->ifa_addr->sa_family == AF_INET) { 4819 si = (struct sockaddr_in *)ifa->ifa_addr; 4820 sm = (struct sockaddr_in *)ifa->ifa_netmask; 4821 if (si) 4822 break; 4823 } 4824 } 4825 if (ifa) { 4826 if (si && si->sin_addr.s_addr) { 4827 ssrc = si->sin_addr.s_addr; 4828 if (srcmask) 4829 *srcmask = ntohl(sm->sin_addr.s_addr); 4830 } 4831 4832 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 4833 if (si && si->sin_addr.s_addr) 4834 ddst = si->sin_addr.s_addr; 4835 } 4836 4837 if (dst) *dst = ntohl(ddst); 4838 if (src) *src = ntohl(ssrc); 4839 } 4840 4841 /* 4842 * Set IP addresses. Must be called at splnet. 4843 * If an address is 0, leave it the way it is. 4844 */ 4845 static void 4846 sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr) 4847 { 4848 STDDCL; 4849 struct ifaddr *ifa; 4850 struct sockaddr_in *si, *dest; 4851 4852 /* 4853 * Pick the first AF_INET address from the list, 4854 * aliases don't make any sense on a p2p link anyway. 4855 */ 4856 4857 IFADDR_READER_FOREACH(ifa, ifp) { 4858 if (ifa->ifa_addr->sa_family == AF_INET) { 4859 si = (struct sockaddr_in *)ifa->ifa_addr; 4860 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4861 goto found; 4862 } 4863 } 4864 return; 4865 4866 found: 4867 { 4868 int error, hostIsNew; 4869 struct sockaddr_in new_sin = *si; 4870 struct sockaddr_in new_dst = *dest; 4871 4872 /* 4873 * Scrub old routes now instead of calling in_ifinit with 4874 * scrub=1, because we may change the dstaddr 4875 * before the call to in_ifinit. 4876 */ 4877 in_ifscrub(ifp, ifatoia(ifa)); 4878 4879 hostIsNew = 0; 4880 if (myaddr != 0) { 4881 if (new_sin.sin_addr.s_addr != htonl(myaddr)) { 4882 new_sin.sin_addr.s_addr = htonl(myaddr); 4883 hostIsNew = 1; 4884 } 4885 } 4886 if (hisaddr != 0) { 4887 new_dst.sin_addr.s_addr = htonl(hisaddr); 4888 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) { 4889 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 4890 *dest = new_dst; /* fix dstaddr in place */ 4891 } 4892 } 4893 4894 LIST_REMOVE(ifatoia(ifa), ia_hash); 4895 IN_ADDRHASH_WRITER_REMOVE(ifatoia(ifa)); 4896 4897 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, 0, hostIsNew); 4898 4899 LIST_INSERT_HEAD(&IN_IFADDR_HASH(ifatoia(ifa)->ia_addr.sin_addr.s_addr), 4900 ifatoia(ifa), ia_hash); 4901 IN_ADDRHASH_WRITER_INSERT_HEAD(ifatoia(ifa)); 4902 4903 if (debug && error) 4904 { 4905 log(LOG_DEBUG, "%s: sppp_set_ip_addrs: in_ifinit " 4906 " failed, error=%d\n", ifp->if_xname, error); 4907 } 4908 if (!error) { 4909 (void)pfil_run_hooks(if_pfil, 4910 (struct mbuf **)SIOCAIFADDR, ifp, PFIL_IFADDR); 4911 } 4912 } 4913 } 4914 4915 /* 4916 * Clear IP addresses. Must be called at splnet. 4917 */ 4918 static void 4919 sppp_clear_ip_addrs(struct sppp *sp) 4920 { 4921 struct ifnet *ifp = &sp->pp_if; 4922 struct ifaddr *ifa; 4923 struct sockaddr_in *si, *dest; 4924 4925 uint32_t remote; 4926 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4927 remote = sp->ipcp.saved_hisaddr; 4928 else 4929 sppp_get_ip_addrs(sp, 0, &remote, 0); 4930 4931 /* 4932 * Pick the first AF_INET address from the list, 4933 * aliases don't make any sense on a p2p link anyway. 4934 */ 4935 4936 IFADDR_READER_FOREACH(ifa, ifp) { 4937 if (ifa->ifa_addr->sa_family == AF_INET) { 4938 si = (struct sockaddr_in *)ifa->ifa_addr; 4939 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4940 goto found; 4941 } 4942 } 4943 return; 4944 4945 found: 4946 { 4947 struct sockaddr_in new_sin = *si; 4948 4949 in_ifscrub(ifp, ifatoia(ifa)); 4950 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 4951 new_sin.sin_addr.s_addr = 0; 4952 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4953 /* replace peer addr in place */ 4954 dest->sin_addr.s_addr = sp->ipcp.saved_hisaddr; 4955 4956 LIST_REMOVE(ifatoia(ifa), ia_hash); 4957 IN_ADDRHASH_WRITER_REMOVE(ifatoia(ifa)); 4958 4959 in_ifinit(ifp, ifatoia(ifa), &new_sin, 0, 0); 4960 4961 LIST_INSERT_HEAD(&IN_IFADDR_HASH(ifatoia(ifa)->ia_addr.sin_addr.s_addr), 4962 ifatoia(ifa), ia_hash); 4963 IN_ADDRHASH_WRITER_INSERT_HEAD(ifatoia(ifa)); 4964 4965 (void)pfil_run_hooks(if_pfil, 4966 (struct mbuf **)SIOCDIFADDR, ifp, PFIL_IFADDR); 4967 } 4968 } 4969 #endif 4970 4971 #ifdef INET6 4972 /* 4973 * Get both IPv6 addresses. 4974 */ 4975 static void 4976 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 4977 struct in6_addr *srcmask) 4978 { 4979 struct ifnet *ifp = &sp->pp_if; 4980 struct ifaddr *ifa; 4981 struct sockaddr_in6 *si, *sm; 4982 struct in6_addr ssrc, ddst; 4983 4984 sm = NULL; 4985 memset(&ssrc, 0, sizeof(ssrc)); 4986 memset(&ddst, 0, sizeof(ddst)); 4987 /* 4988 * Pick the first link-local AF_INET6 address from the list, 4989 * aliases don't make any sense on a p2p link anyway. 4990 */ 4991 si = 0; 4992 IFADDR_READER_FOREACH(ifa, ifp) 4993 if (ifa->ifa_addr->sa_family == AF_INET6) { 4994 si = (struct sockaddr_in6 *)ifa->ifa_addr; 4995 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 4996 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) 4997 break; 4998 } 4999 if (ifa) { 5000 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 5001 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 5002 if (srcmask) { 5003 memcpy(srcmask, &sm->sin6_addr, 5004 sizeof(*srcmask)); 5005 } 5006 } 5007 5008 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 5009 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 5010 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 5011 } 5012 5013 if (dst) 5014 memcpy(dst, &ddst, sizeof(*dst)); 5015 if (src) 5016 memcpy(src, &ssrc, sizeof(*src)); 5017 } 5018 5019 #ifdef IPV6CP_MYIFID_DYN 5020 /* 5021 * Generate random ifid. 5022 */ 5023 static void 5024 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5025 { 5026 /* TBD */ 5027 } 5028 5029 /* 5030 * Set my IPv6 address. Must be called at splnet. 5031 */ 5032 static void 5033 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5034 { 5035 STDDCL; 5036 struct ifaddr *ifa; 5037 struct sockaddr_in6 *sin6; 5038 5039 /* 5040 * Pick the first link-local AF_INET6 address from the list, 5041 * aliases don't make any sense on a p2p link anyway. 5042 */ 5043 5044 sin6 = NULL; 5045 IFADDR_READER_FOREACH(ifa, ifp) 5046 { 5047 if (ifa->ifa_addr->sa_family == AF_INET6) 5048 { 5049 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5050 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 5051 break; 5052 } 5053 } 5054 5055 if (ifa && sin6) 5056 { 5057 int error; 5058 struct sockaddr_in6 new_sin6 = *sin6; 5059 5060 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 5061 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5062 if (debug && error) 5063 { 5064 log(LOG_DEBUG, "%s: sppp_set_ip6_addr: in6_ifinit " 5065 " failed, error=%d\n", ifp->if_xname, error); 5066 } 5067 if (!error) { 5068 (void)pfil_run_hooks(if_pfil, 5069 (struct mbuf **)SIOCAIFADDR_IN6, ifp, PFIL_IFADDR); 5070 } 5071 } 5072 } 5073 #endif 5074 5075 /* 5076 * Suggest a candidate address to be used by peer. 5077 */ 5078 static void 5079 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5080 { 5081 struct in6_addr myaddr; 5082 struct timeval tv; 5083 5084 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5085 5086 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5087 microtime(&tv); 5088 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5089 myaddr.s6_addr[14] ^= 0xff; 5090 myaddr.s6_addr[15] ^= 0xff; 5091 } else { 5092 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5093 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5094 } 5095 if (suggest) 5096 memcpy(suggest, &myaddr, sizeof(myaddr)); 5097 } 5098 #endif /*INET6*/ 5099 5100 /* 5101 * Process ioctl requests specific to the PPP interface. 5102 * Permissions have already been checked. 5103 */ 5104 static int 5105 sppp_params(struct sppp *sp, u_long cmd, void *data) 5106 { 5107 switch (cmd) { 5108 case SPPPGETAUTHCFG: 5109 { 5110 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5111 int error; 5112 size_t len; 5113 5114 cfg->myauthflags = sp->myauth.flags; 5115 cfg->hisauthflags = sp->hisauth.flags; 5116 strlcpy(cfg->ifname, sp->pp_if.if_xname, sizeof(cfg->ifname)); 5117 cfg->hisauth = 0; 5118 if (sp->hisauth.proto) 5119 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5120 cfg->myauth = 0; 5121 if (sp->myauth.proto) 5122 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5123 if (cfg->myname_length == 0) { 5124 if (sp->myauth.name != NULL) 5125 cfg->myname_length = sp->myauth.name_len + 1; 5126 } else { 5127 if (sp->myauth.name == NULL) { 5128 cfg->myname_length = 0; 5129 } else { 5130 len = sp->myauth.name_len + 1; 5131 if (cfg->myname_length < len) 5132 return (ENAMETOOLONG); 5133 error = copyout(sp->myauth.name, cfg->myname, len); 5134 if (error) return error; 5135 } 5136 } 5137 if (cfg->hisname_length == 0) { 5138 if (sp->hisauth.name != NULL) 5139 cfg->hisname_length = sp->hisauth.name_len + 1; 5140 } else { 5141 if (sp->hisauth.name == NULL) { 5142 cfg->hisname_length = 0; 5143 } else { 5144 len = sp->hisauth.name_len + 1; 5145 if (cfg->hisname_length < len) 5146 return (ENAMETOOLONG); 5147 error = copyout(sp->hisauth.name, cfg->hisname, len); 5148 if (error) return error; 5149 } 5150 } 5151 } 5152 break; 5153 case SPPPSETAUTHCFG: 5154 { 5155 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5156 int error; 5157 5158 if (sp->myauth.name) { 5159 free(sp->myauth.name, M_DEVBUF); 5160 sp->myauth.name = NULL; 5161 } 5162 if (sp->myauth.secret) { 5163 free(sp->myauth.secret, M_DEVBUF); 5164 sp->myauth.secret = NULL; 5165 } 5166 if (sp->hisauth.name) { 5167 free(sp->hisauth.name, M_DEVBUF); 5168 sp->hisauth.name = NULL; 5169 } 5170 if (sp->hisauth.secret) { 5171 free(sp->hisauth.secret, M_DEVBUF); 5172 sp->hisauth.secret = NULL; 5173 } 5174 5175 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 5176 if (cfg->hisname_length >= MCLBYTES) 5177 return (ENAMETOOLONG); 5178 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 5179 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 5180 if (error) { 5181 free(sp->hisauth.name, M_DEVBUF); 5182 sp->hisauth.name = NULL; 5183 return error; 5184 } 5185 sp->hisauth.name_len = cfg->hisname_length - 1; 5186 sp->hisauth.name[sp->hisauth.name_len] = 0; 5187 } 5188 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 5189 if (cfg->hissecret_length >= MCLBYTES) 5190 return (ENAMETOOLONG); 5191 sp->hisauth.secret = malloc(cfg->hissecret_length, M_DEVBUF, M_WAITOK); 5192 error = copyin(cfg->hissecret, sp->hisauth.secret, cfg->hissecret_length); 5193 if (error) { 5194 free(sp->hisauth.secret, M_DEVBUF); 5195 sp->hisauth.secret = NULL; 5196 return error; 5197 } 5198 sp->hisauth.secret_len = cfg->hissecret_length - 1; 5199 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 5200 } 5201 if (cfg->myname != NULL && cfg->myname_length > 0) { 5202 if (cfg->myname_length >= MCLBYTES) 5203 return (ENAMETOOLONG); 5204 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 5205 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 5206 if (error) { 5207 free(sp->myauth.name, M_DEVBUF); 5208 sp->myauth.name = NULL; 5209 return error; 5210 } 5211 sp->myauth.name_len = cfg->myname_length - 1; 5212 sp->myauth.name[sp->myauth.name_len] = 0; 5213 } 5214 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 5215 if (cfg->mysecret_length >= MCLBYTES) 5216 return (ENAMETOOLONG); 5217 sp->myauth.secret = malloc(cfg->mysecret_length, M_DEVBUF, M_WAITOK); 5218 error = copyin(cfg->mysecret, sp->myauth.secret, cfg->mysecret_length); 5219 if (error) { 5220 free(sp->myauth.secret, M_DEVBUF); 5221 sp->myauth.secret = NULL; 5222 return error; 5223 } 5224 sp->myauth.secret_len = cfg->mysecret_length - 1; 5225 sp->myauth.secret[sp->myauth.secret_len] = 0; 5226 } 5227 sp->myauth.flags = cfg->myauthflags; 5228 if (cfg->myauth) 5229 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5230 sp->hisauth.flags = cfg->hisauthflags; 5231 if (cfg->hisauth) 5232 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5233 sp->pp_auth_failures = 0; 5234 if (sp->hisauth.proto != 0) 5235 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 5236 else 5237 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 5238 } 5239 break; 5240 case SPPPGETLCPCFG: 5241 { 5242 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5243 lcpp->lcp_timeout = sp->lcp.timeout; 5244 } 5245 break; 5246 case SPPPSETLCPCFG: 5247 { 5248 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5249 sp->lcp.timeout = lcpp->lcp_timeout; 5250 } 5251 break; 5252 case SPPPGETSTATUS: 5253 { 5254 struct spppstatus *status = (struct spppstatus *)data; 5255 status->phase = sp->pp_phase; 5256 } 5257 break; 5258 case SPPPGETSTATUSNCP: 5259 { 5260 struct spppstatusncp *status = (struct spppstatusncp *)data; 5261 status->phase = sp->pp_phase; 5262 status->ncpup = sppp_ncp_check(sp); 5263 } 5264 break; 5265 case SPPPGETIDLETO: 5266 { 5267 struct spppidletimeout *to = (struct spppidletimeout *)data; 5268 to->idle_seconds = sp->pp_idle_timeout; 5269 } 5270 break; 5271 case SPPPSETIDLETO: 5272 { 5273 struct spppidletimeout *to = (struct spppidletimeout *)data; 5274 sp->pp_idle_timeout = to->idle_seconds; 5275 } 5276 break; 5277 case SPPPSETAUTHFAILURE: 5278 { 5279 struct spppauthfailuresettings *afsettings = (struct spppauthfailuresettings *)data; 5280 sp->pp_max_auth_fail = afsettings->max_failures; 5281 sp->pp_auth_failures = 0; 5282 } 5283 break; 5284 case SPPPGETAUTHFAILURES: 5285 { 5286 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 5287 stats->auth_failures = sp->pp_auth_failures; 5288 stats->max_failures = sp->pp_max_auth_fail; 5289 } 5290 break; 5291 case SPPPSETDNSOPTS: 5292 { 5293 struct spppdnssettings *req = (struct spppdnssettings *)data; 5294 sp->query_dns = req->query_dns & 3; 5295 } 5296 break; 5297 case SPPPGETDNSOPTS: 5298 { 5299 struct spppdnssettings *req = (struct spppdnssettings *)data; 5300 req->query_dns = sp->query_dns; 5301 } 5302 break; 5303 case SPPPGETDNSADDRS: 5304 { 5305 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 5306 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 5307 } 5308 break; 5309 case SPPPGETKEEPALIVE: 5310 { 5311 struct spppkeepalivesettings *settings = 5312 (struct spppkeepalivesettings*)data; 5313 settings->maxalive = sp->pp_maxalive; 5314 settings->max_noreceive = sp->pp_max_noreceive; 5315 } 5316 break; 5317 case SPPPSETKEEPALIVE: 5318 { 5319 struct spppkeepalivesettings *settings = 5320 (struct spppkeepalivesettings*)data; 5321 sp->pp_maxalive = settings->maxalive; 5322 sp->pp_max_noreceive = settings->max_noreceive; 5323 } 5324 break; 5325 #if defined(COMPAT_50) || defined(MODULAR) 5326 case __SPPPGETIDLETO50: 5327 { 5328 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5329 to->idle_seconds = (uint32_t)sp->pp_idle_timeout; 5330 } 5331 break; 5332 case __SPPPSETIDLETO50: 5333 { 5334 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5335 sp->pp_idle_timeout = (time_t)to->idle_seconds; 5336 } 5337 break; 5338 case __SPPPGETKEEPALIVE50: 5339 { 5340 struct spppkeepalivesettings50 *settings = 5341 (struct spppkeepalivesettings50*)data; 5342 settings->maxalive = sp->pp_maxalive; 5343 settings->max_noreceive = (uint32_t)sp->pp_max_noreceive; 5344 } 5345 break; 5346 case __SPPPSETKEEPALIVE50: 5347 { 5348 struct spppkeepalivesettings50 *settings = 5349 (struct spppkeepalivesettings50*)data; 5350 sp->pp_maxalive = settings->maxalive; 5351 sp->pp_max_noreceive = (time_t)settings->max_noreceive; 5352 } 5353 break; 5354 #endif /* COMPAT_50 || MODULAR */ 5355 default: 5356 return (EINVAL); 5357 } 5358 5359 return (0); 5360 } 5361 5362 static void 5363 sppp_phase_network(struct sppp *sp) 5364 { 5365 int i; 5366 uint32_t mask; 5367 5368 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 5369 5370 /* Notify NCPs now. */ 5371 for (i = 0; i < IDX_COUNT; i++) 5372 if ((cps[i])->flags & CP_NCP) 5373 (cps[i])->Open(sp); 5374 5375 /* Send Up events to all NCPs. */ 5376 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5377 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) 5378 (cps[i])->Up(sp); 5379 5380 /* if no NCP is starting, all this was in vain, close down */ 5381 sppp_lcp_check_and_close(sp); 5382 } 5383 5384 5385 static const char * 5386 sppp_cp_type_name(u_char type) 5387 { 5388 static char buf[12]; 5389 switch (type) { 5390 case CONF_REQ: return "conf-req"; 5391 case CONF_ACK: return "conf-ack"; 5392 case CONF_NAK: return "conf-nak"; 5393 case CONF_REJ: return "conf-rej"; 5394 case TERM_REQ: return "term-req"; 5395 case TERM_ACK: return "term-ack"; 5396 case CODE_REJ: return "code-rej"; 5397 case PROTO_REJ: return "proto-rej"; 5398 case ECHO_REQ: return "echo-req"; 5399 case ECHO_REPLY: return "echo-reply"; 5400 case DISC_REQ: return "discard-req"; 5401 } 5402 snprintf(buf, sizeof(buf), "0x%x", type); 5403 return buf; 5404 } 5405 5406 static const char * 5407 sppp_auth_type_name(u_short proto, u_char type) 5408 { 5409 static char buf[32]; 5410 const char *name; 5411 5412 switch (proto) { 5413 case PPP_CHAP: 5414 switch (type) { 5415 case CHAP_CHALLENGE: return "challenge"; 5416 case CHAP_RESPONSE: return "response"; 5417 case CHAP_SUCCESS: return "success"; 5418 case CHAP_FAILURE: return "failure"; 5419 default: name = "chap"; break; 5420 } 5421 break; 5422 5423 case PPP_PAP: 5424 switch (type) { 5425 case PAP_REQ: return "req"; 5426 case PAP_ACK: return "ack"; 5427 case PAP_NAK: return "nak"; 5428 default: name = "pap"; break; 5429 } 5430 break; 5431 5432 default: 5433 name = "bad"; 5434 break; 5435 } 5436 5437 snprintf(buf, sizeof(buf), "%s(%#x) %#x", name, proto, type); 5438 return buf; 5439 } 5440 5441 static const char * 5442 sppp_lcp_opt_name(u_char opt) 5443 { 5444 static char buf[12]; 5445 switch (opt) { 5446 case LCP_OPT_MRU: return "mru"; 5447 case LCP_OPT_ASYNC_MAP: return "async-map"; 5448 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 5449 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 5450 case LCP_OPT_MAGIC: return "magic"; 5451 case LCP_OPT_PROTO_COMP: return "proto-comp"; 5452 case LCP_OPT_ADDR_COMP: return "addr-comp"; 5453 } 5454 snprintf(buf, sizeof(buf), "0x%x", opt); 5455 return buf; 5456 } 5457 5458 static const char * 5459 sppp_ipcp_opt_name(u_char opt) 5460 { 5461 static char buf[12]; 5462 switch (opt) { 5463 case IPCP_OPT_ADDRESSES: return "addresses"; 5464 case IPCP_OPT_COMPRESSION: return "compression"; 5465 case IPCP_OPT_ADDRESS: return "address"; 5466 } 5467 snprintf(buf, sizeof(buf), "0x%x", opt); 5468 return buf; 5469 } 5470 5471 #ifdef INET6 5472 static const char * 5473 sppp_ipv6cp_opt_name(u_char opt) 5474 { 5475 static char buf[12]; 5476 switch (opt) { 5477 case IPV6CP_OPT_IFID: return "ifid"; 5478 case IPV6CP_OPT_COMPRESSION: return "compression"; 5479 } 5480 snprintf(buf, sizeof(buf), "0x%x", opt); 5481 return buf; 5482 } 5483 #endif 5484 5485 static const char * 5486 sppp_state_name(int state) 5487 { 5488 switch (state) { 5489 case STATE_INITIAL: return "initial"; 5490 case STATE_STARTING: return "starting"; 5491 case STATE_CLOSED: return "closed"; 5492 case STATE_STOPPED: return "stopped"; 5493 case STATE_CLOSING: return "closing"; 5494 case STATE_STOPPING: return "stopping"; 5495 case STATE_REQ_SENT: return "req-sent"; 5496 case STATE_ACK_RCVD: return "ack-rcvd"; 5497 case STATE_ACK_SENT: return "ack-sent"; 5498 case STATE_OPENED: return "opened"; 5499 } 5500 return "illegal"; 5501 } 5502 5503 static const char * 5504 sppp_phase_name(int phase) 5505 { 5506 switch (phase) { 5507 case SPPP_PHASE_DEAD: return "dead"; 5508 case SPPP_PHASE_ESTABLISH: return "establish"; 5509 case SPPP_PHASE_TERMINATE: return "terminate"; 5510 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 5511 case SPPP_PHASE_NETWORK: return "network"; 5512 } 5513 return "illegal"; 5514 } 5515 5516 static const char * 5517 sppp_proto_name(u_short proto) 5518 { 5519 static char buf[12]; 5520 switch (proto) { 5521 case PPP_LCP: return "lcp"; 5522 case PPP_IPCP: return "ipcp"; 5523 case PPP_PAP: return "pap"; 5524 case PPP_CHAP: return "chap"; 5525 case PPP_IPV6CP: return "ipv6cp"; 5526 } 5527 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto); 5528 return buf; 5529 } 5530 5531 static void 5532 sppp_print_bytes(const u_char *p, u_short len) 5533 { 5534 addlog(" %02x", *p++); 5535 while (--len > 0) 5536 addlog("-%02x", *p++); 5537 } 5538 5539 static void 5540 sppp_print_string(const char *p, u_short len) 5541 { 5542 u_char c; 5543 5544 while (len-- > 0) { 5545 c = *p++; 5546 /* 5547 * Print only ASCII chars directly. RFC 1994 recommends 5548 * using only them, but we don't rely on it. */ 5549 if (c < ' ' || c > '~') 5550 addlog("\\x%x", c); 5551 else 5552 addlog("%c", c); 5553 } 5554 } 5555 5556 static const char * 5557 sppp_dotted_quad(uint32_t addr) 5558 { 5559 static char s[16]; 5560 snprintf(s, sizeof(s), "%d.%d.%d.%d", 5561 (int)((addr >> 24) & 0xff), 5562 (int)((addr >> 16) & 0xff), 5563 (int)((addr >> 8) & 0xff), 5564 (int)(addr & 0xff)); 5565 return s; 5566 } 5567 5568 /* a dummy, used to drop uninteresting events */ 5569 static void 5570 sppp_null(struct sppp *unused) 5571 { 5572 /* do just nothing */ 5573 } 5574 /* 5575 * This file is large. Tell emacs to highlight it nevertheless. 5576 * 5577 * Local Variables: 5578 * hilit-auto-highlight-maxout: 120000 5579 * End: 5580 */ 5581 5582 /* 5583 * Module glue 5584 */ 5585 MODULE(MODULE_CLASS_MISC, sppp_subr, NULL); 5586 5587 static int 5588 sppp_subr_modcmd(modcmd_t cmd, void *arg) 5589 { 5590 switch (cmd) { 5591 case MODULE_CMD_INIT: 5592 case MODULE_CMD_FINI: 5593 return 0; 5594 case MODULE_CMD_STAT: 5595 case MODULE_CMD_AUTOUNLOAD: 5596 default: 5597 return ENOTTY; 5598 } 5599 } 5600 5601
Indexes created Sat Sep 27 21:09:56 GMT 2025