1 /* 2 * Synchronous PPP/Cisco link level subroutines. 3 * Keepalive protocol implemented in both Cisco and PPP modes. 4 * 5 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 6 * Author: Serge Vakulenko, <vak@cronyx.ru> 7 * 8 * Heavily revamped to conform to RFC 1661. 9 * Copyright (C) 1997, 2001 Joerg Wunsch. 10 * 11 * This software is distributed with NO WARRANTIES, not even the implied 12 * warranties for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 13 * 14 * Authors grant any other persons or organisations permission to use 15 * or modify this software as long as this message is kept with the software, 16 * all derivative works or modified versions. 17 * 18 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 19 * 20 * $FreeBSD: src/sys/net/if_spppsubr.c,v 1.59.2.13 2002/07/03 15:44:41 joerg Exp $ 21 */ 22 23 #include <sys/param.h> 24 #include <sys/libkern.h> 25 26 #include "opt_inet.h" 27 #include "opt_inet6.h" 28 29 #include <sys/systm.h> 30 #include <sys/kernel.h> 31 #include <sys/module.h> 32 #include <sys/sockio.h> 33 #include <sys/socket.h> 34 #include <sys/syslog.h> 35 #include <sys/random.h> 36 #include <sys/thread2.h> 37 #include <sys/malloc.h> 38 #include <sys/mbuf.h> 39 #include <sys/md5.h> 40 41 #include <net/if.h> 42 #include <net/ifq_var.h> 43 #include <net/netisr.h> 44 #include <net/if_types.h> 45 #include <net/route.h> 46 #include <netinet/in.h> 47 #include <netinet/in_systm.h> 48 #include <netinet/ip.h> 49 #include <net/slcompress.h> 50 51 #include <machine/stdarg.h> 52 53 #include <netinet/in_var.h> 54 55 #ifdef INET 56 #include <netinet/tcp.h> 57 #endif 58 59 #include <netinet/if_ether.h> 60 61 #include "if_sppp.h" 62 63 #define IOCTL_CMD_T u_long 64 #define MAXALIVECNT 3 /* max. alive packets */ 65 66 /* 67 * Interface flags that can be set in an ifconfig command. 68 * 69 * Setting link0 will make the link passive, i.e. it will be marked 70 * as being administrative openable, but won't be opened to begin 71 * with. Incoming calls will be answered, or subsequent calls with 72 * -link1 will cause the administrative open of the LCP layer. 73 * 74 * Setting link1 will cause the link to auto-dial only as packets 75 * arrive to be sent. 76 * 77 * Setting IFF_DEBUG will syslog the option negotiation and state 78 * transitions at level kern.debug. Note: all logs consistently look 79 * like 80 * 81 * <if-name><unit>: <proto-name> <additional info...> 82 * 83 * with <if-name><unit> being something like "bppp0", and <proto-name> 84 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 85 */ 86 87 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 88 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 89 #define IFF_CISCO IFF_LINK2 /* auto-dial on output */ 90 91 #define PPP_ALLSTATIONS 0xff /* All-Stations broadcast address */ 92 #define PPP_UI 0x03 /* Unnumbered Information */ 93 #define PPP_IP 0x0021 /* Internet Protocol */ 94 #define PPP_ISO 0x0023 /* ISO OSI Protocol */ 95 #define PPP_XNS 0x0025 /* Xerox NS Protocol */ 96 #define PPP_VJ_COMP 0x002d /* VJ compressed TCP/IP */ 97 #define PPP_VJ_UCOMP 0x002f /* VJ uncompressed TCP/IP */ 98 #define PPP_IPV6 0x0057 /* Internet Protocol Version 6 */ 99 #define PPP_LCP 0xc021 /* Link Control Protocol */ 100 #define PPP_PAP 0xc023 /* Password Authentication Protocol */ 101 #define PPP_CHAP 0xc223 /* Challenge-Handshake Auth Protocol */ 102 #define PPP_IPCP 0x8021 /* Internet Protocol Control Protocol */ 103 #define PPP_IPV6CP 0x8057 /* IPv6 Control Protocol */ 104 105 #define CONF_REQ 1 /* PPP configure request */ 106 #define CONF_ACK 2 /* PPP configure acknowledge */ 107 #define CONF_NAK 3 /* PPP configure negative ack */ 108 #define CONF_REJ 4 /* PPP configure reject */ 109 #define TERM_REQ 5 /* PPP terminate request */ 110 #define TERM_ACK 6 /* PPP terminate acknowledge */ 111 #define CODE_REJ 7 /* PPP code reject */ 112 #define PROTO_REJ 8 /* PPP protocol reject */ 113 #define ECHO_REQ 9 /* PPP echo request */ 114 #define ECHO_REPLY 10 /* PPP echo reply */ 115 #define DISC_REQ 11 /* PPP discard request */ 116 117 #define LCP_OPT_MRU 1 /* maximum receive unit */ 118 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 119 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 120 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 121 #define LCP_OPT_MAGIC 5 /* magic number */ 122 #define LCP_OPT_RESERVED 6 /* reserved */ 123 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 124 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 125 126 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 127 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol (VJ) */ 128 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 129 130 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 131 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 132 133 #define IPCP_COMP_VJ 0x2d /* Code for VJ compression */ 134 135 #define PAP_REQ 1 /* PAP name/password request */ 136 #define PAP_ACK 2 /* PAP acknowledge */ 137 #define PAP_NAK 3 /* PAP fail */ 138 139 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 140 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 141 #define CHAP_SUCCESS 3 /* CHAP response ok */ 142 #define CHAP_FAILURE 4 /* CHAP response failed */ 143 144 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 145 146 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 147 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 148 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 149 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 150 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 151 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 152 153 /* states are named and numbered according to RFC 1661 */ 154 #define STATE_INITIAL 0 155 #define STATE_STARTING 1 156 #define STATE_CLOSED 2 157 #define STATE_STOPPED 3 158 #define STATE_CLOSING 4 159 #define STATE_STOPPING 5 160 #define STATE_REQ_SENT 6 161 #define STATE_ACK_RCVD 7 162 #define STATE_ACK_SENT 8 163 #define STATE_OPENED 9 164 165 struct ppp_header { 166 u_char address; 167 u_char control; 168 u_short protocol; 169 } __attribute__((__packed__)); 170 #define PPP_HEADER_LEN sizeof (struct ppp_header) 171 172 struct lcp_header { 173 u_char type; 174 u_char ident; 175 u_short len; 176 } __attribute__((__packed__)); 177 #define LCP_HEADER_LEN sizeof (struct lcp_header) 178 179 struct cisco_packet { 180 u_long type; 181 u_long par1; 182 u_long par2; 183 u_short rel; 184 u_short time0; 185 u_short time1; 186 } __attribute__((__packed__)); 187 #define CISCO_PACKET_LEN sizeof (struct cisco_packet) 188 189 /* 190 * We follow the spelling and capitalization of RFC 1661 here, to make 191 * it easier comparing with the standard. Please refer to this RFC in 192 * case you can't make sense out of these abbreviation; it will also 193 * explain the semantics related to the various events and actions. 194 */ 195 struct cp { 196 u_short proto; /* PPP control protocol number */ 197 u_char protoidx; /* index into state table in struct sppp */ 198 u_char flags; 199 #define CP_LCP 0x01 /* this is the LCP */ 200 #define CP_AUTH 0x02 /* this is an authentication protocol */ 201 #define CP_NCP 0x04 /* this is a NCP */ 202 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 203 const char *name; /* name of this control protocol */ 204 /* event handlers */ 205 void (*Up)(struct sppp *sp); 206 void (*Down)(struct sppp *sp); 207 void (*Open)(struct sppp *sp); 208 void (*Close)(struct sppp *sp); 209 void (*TO)(void *sp); 210 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 211 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 212 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 213 /* actions */ 214 void (*tlu)(struct sppp *sp); 215 void (*tld)(struct sppp *sp); 216 void (*tls)(struct sppp *sp); 217 void (*tlf)(struct sppp *sp); 218 void (*scr)(struct sppp *sp); 219 }; 220 221 static struct sppp *spppq; 222 static struct callout keepalive_timeout; 223 224 #define SPP_FMT "%s: " 225 #define SPP_ARGS(ifp) (ifp)->if_xname 226 227 #ifdef INET 228 /* 229 * The following disgusting hack gets around the problem that IP TOS 230 * can't be set yet. We want to put "interactive" traffic on a high 231 * priority queue. To decide if traffic is interactive, we check that 232 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 233 * 234 * XXX is this really still necessary? - joerg - 235 */ 236 static u_short interactive_ports[8] = { 237 0, 513, 0, 0, 238 0, 21, 0, 23, 239 }; 240 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 241 #endif 242 243 /* almost every function needs these */ 244 #define STDDCL \ 245 struct ifnet *ifp = &sp->pp_if; \ 246 int debug = ifp->if_flags & IFF_DEBUG 247 248 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 249 struct sockaddr *dst, struct rtentry *rt); 250 251 static void sppp_cisco_send(struct sppp *sp, int type, long par1, long par2); 252 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 253 254 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 255 struct mbuf *m); 256 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 257 u_char ident, u_short len, void *data); 258 /* static void sppp_cp_timeout(void *arg); */ 259 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 260 int newstate); 261 static void sppp_auth_send(const struct cp *cp, 262 struct sppp *sp, unsigned int type, unsigned int id, 263 ...); 264 265 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 266 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 267 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 268 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 269 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 270 271 static void sppp_null(struct sppp *sp); 272 273 static void sppp_lcp_init(struct sppp *sp); 274 static void sppp_lcp_up(struct sppp *sp); 275 static void sppp_lcp_down(struct sppp *sp); 276 static void sppp_lcp_open(struct sppp *sp); 277 static void sppp_lcp_close(struct sppp *sp); 278 static void sppp_lcp_TO(void *sp); 279 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 280 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 281 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 282 static void sppp_lcp_tlu(struct sppp *sp); 283 static void sppp_lcp_tld(struct sppp *sp); 284 static void sppp_lcp_tls(struct sppp *sp); 285 static void sppp_lcp_tlf(struct sppp *sp); 286 static void sppp_lcp_scr(struct sppp *sp); 287 static void sppp_lcp_check_and_close(struct sppp *sp); 288 static int sppp_ncp_check(struct sppp *sp); 289 290 static void sppp_ipcp_init(struct sppp *sp); 291 static void sppp_ipcp_up(struct sppp *sp); 292 static void sppp_ipcp_down(struct sppp *sp); 293 static void sppp_ipcp_open(struct sppp *sp); 294 static void sppp_ipcp_close(struct sppp *sp); 295 static void sppp_ipcp_TO(void *sp); 296 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 297 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 298 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 299 static void sppp_ipcp_tlu(struct sppp *sp); 300 static void sppp_ipcp_tld(struct sppp *sp); 301 static void sppp_ipcp_tls(struct sppp *sp); 302 static void sppp_ipcp_tlf(struct sppp *sp); 303 static void sppp_ipcp_scr(struct sppp *sp); 304 305 static void sppp_ipv6cp_init(struct sppp *sp); 306 static void sppp_ipv6cp_up(struct sppp *sp); 307 static void sppp_ipv6cp_down(struct sppp *sp); 308 static void sppp_ipv6cp_open(struct sppp *sp); 309 static void sppp_ipv6cp_close(struct sppp *sp); 310 static void sppp_ipv6cp_TO(void *sp); 311 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 312 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 313 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 314 static void sppp_ipv6cp_tlu(struct sppp *sp); 315 static void sppp_ipv6cp_tld(struct sppp *sp); 316 static void sppp_ipv6cp_tls(struct sppp *sp); 317 static void sppp_ipv6cp_tlf(struct sppp *sp); 318 static void sppp_ipv6cp_scr(struct sppp *sp); 319 320 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 321 static void sppp_pap_init(struct sppp *sp); 322 static void sppp_pap_open(struct sppp *sp); 323 static void sppp_pap_close(struct sppp *sp); 324 static void sppp_pap_TO(void *sp); 325 static void sppp_pap_my_TO(void *sp); 326 static void sppp_pap_tlu(struct sppp *sp); 327 static void sppp_pap_tld(struct sppp *sp); 328 static void sppp_pap_scr(struct sppp *sp); 329 330 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 331 static void sppp_chap_init(struct sppp *sp); 332 static void sppp_chap_open(struct sppp *sp); 333 static void sppp_chap_close(struct sppp *sp); 334 static void sppp_chap_TO(void *sp); 335 static void sppp_chap_tlu(struct sppp *sp); 336 static void sppp_chap_tld(struct sppp *sp); 337 static void sppp_chap_scr(struct sppp *sp); 338 339 static const char *sppp_auth_type_name(u_short proto, u_char type); 340 static const char *sppp_cp_type_name(u_char type); 341 static const char *sppp_dotted_quad(u_long addr); 342 static const char *sppp_ipcp_opt_name(u_char opt); 343 #ifdef INET6 344 static const char *sppp_ipv6cp_opt_name(u_char opt); 345 #endif 346 static const char *sppp_lcp_opt_name(u_char opt); 347 static const char *sppp_phase_name(enum ppp_phase phase); 348 static const char *sppp_proto_name(u_short proto); 349 static const char *sppp_state_name(int state); 350 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 351 static int sppp_strnlen(u_char *p, int max); 352 static void sppp_get_ip_addrs(struct sppp *sp, u_long *src, u_long *dst, 353 u_long *srcmask); 354 static void sppp_keepalive(void *dummy); 355 static void sppp_phase_network(struct sppp *sp); 356 static void sppp_print_bytes(const u_char *p, u_short len); 357 static void sppp_print_string(const char *p, u_short len); 358 static void sppp_set_ip_addr(struct sppp *sp, u_long src); 359 #ifdef INET6 360 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 361 struct in6_addr *dst, struct in6_addr *srcmask); 362 #ifdef IPV6CP_MYIFID_DYN 363 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 364 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 365 #endif 366 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 367 #endif 368 369 /* our control protocol descriptors */ 370 static const struct cp lcp = { 371 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 372 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 373 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 374 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 375 sppp_lcp_scr 376 }; 377 378 static const struct cp ipcp = { 379 PPP_IPCP, IDX_IPCP, CP_NCP, "ipcp", 380 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 381 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 382 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 383 sppp_ipcp_scr 384 }; 385 386 static const struct cp ipv6cp = { 387 PPP_IPV6CP, IDX_IPV6CP, 388 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 389 CP_NCP, 390 #else 391 0, 392 #endif 393 "ipv6cp", 394 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 395 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 396 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 397 sppp_ipv6cp_scr 398 }; 399 400 static const struct cp pap = { 401 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 402 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 403 sppp_pap_TO, 0, 0, 0, 404 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 405 sppp_pap_scr 406 }; 407 408 static const struct cp chap = { 409 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 410 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 411 sppp_chap_TO, 0, 0, 0, 412 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 413 sppp_chap_scr 414 }; 415 416 static const struct cp *cps[IDX_COUNT] = { 417 &lcp, /* IDX_LCP */ 418 &ipcp, /* IDX_IPCP */ 419 &ipv6cp, /* IDX_IPV6CP */ 420 &pap, /* IDX_PAP */ 421 &chap, /* IDX_CHAP */ 422 }; 423 424 static int 425 sppp_modevent(module_t mod, int type, void *unused) 426 { 427 switch (type) { 428 case MOD_LOAD: 429 callout_init(&keepalive_timeout); 430 break; 431 case MOD_UNLOAD: 432 return EACCES; 433 break; 434 default: 435 break; 436 } 437 return 0; 438 } 439 static moduledata_t spppmod = { 440 "sppp", 441 sppp_modevent, 442 0 443 }; 444 MODULE_VERSION(sppp, 1); 445 DECLARE_MODULE(sppp, spppmod, SI_SUB_DRIVERS, SI_ORDER_ANY); 446 447 /* 448 * Exported functions, comprising our interface to the lower layer. 449 */ 450 451 /* 452 * Process the received packet. 453 */ 454 void 455 sppp_input(struct ifnet *ifp, struct mbuf *m) 456 { 457 struct ppp_header *h; 458 int isr = -1; 459 struct sppp *sp = (struct sppp *)ifp; 460 u_char *iphdr; 461 int hlen, vjlen, do_account = 0; 462 int debug = ifp->if_flags & IFF_DEBUG; 463 464 if (ifp->if_flags & IFF_UP) 465 /* Count received bytes, add FCS and one flag */ 466 IFNET_STAT_INC(ifp, ibytes, m->m_pkthdr.len + 3); 467 468 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 469 /* Too small packet, drop it. */ 470 if (debug) 471 log(LOG_DEBUG, 472 SPP_FMT "input packet is too small, %d bytes\n", 473 SPP_ARGS(ifp), m->m_pkthdr.len); 474 drop: 475 m_freem (m); 476 drop2: 477 IFNET_STAT_INC(ifp, ierrors, 1); 478 IFNET_STAT_INC(ifp, iqdrops, 1); 479 return; 480 } 481 482 /* Get PPP header. */ 483 h = mtod (m, struct ppp_header*); 484 m_adj (m, PPP_HEADER_LEN); 485 486 switch (h->address) { 487 case PPP_ALLSTATIONS: 488 if (h->control != PPP_UI) 489 goto invalid; 490 if (sp->pp_mode == IFF_CISCO) { 491 if (debug) 492 log(LOG_DEBUG, 493 SPP_FMT "PPP packet in Cisco mode " 494 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 495 SPP_ARGS(ifp), 496 h->address, h->control, ntohs(h->protocol)); 497 goto drop; 498 } 499 switch (ntohs (h->protocol)) { 500 default: 501 if (debug) 502 log(LOG_DEBUG, 503 SPP_FMT "rejecting protocol " 504 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 505 SPP_ARGS(ifp), 506 h->address, h->control, ntohs(h->protocol)); 507 if (sp->state[IDX_LCP] == STATE_OPENED) 508 sppp_cp_send (sp, PPP_LCP, PROTO_REJ, 509 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 510 &h->protocol); 511 IFNET_STAT_INC(ifp, noproto, 1); 512 goto drop; 513 case PPP_LCP: 514 sppp_cp_input(&lcp, sp, m); 515 m_freem (m); 516 return; 517 case PPP_PAP: 518 if (sp->pp_phase >= PHASE_AUTHENTICATE) 519 sppp_pap_input(sp, m); 520 m_freem (m); 521 return; 522 case PPP_CHAP: 523 if (sp->pp_phase >= PHASE_AUTHENTICATE) 524 sppp_chap_input(sp, m); 525 m_freem (m); 526 return; 527 #ifdef INET 528 case PPP_IPCP: 529 if (sp->pp_phase == PHASE_NETWORK) 530 sppp_cp_input(&ipcp, sp, m); 531 m_freem (m); 532 return; 533 case PPP_IP: 534 if (sp->state[IDX_IPCP] == STATE_OPENED) { 535 isr = NETISR_IP; 536 } 537 do_account++; 538 break; 539 case PPP_VJ_COMP: 540 if (sp->state[IDX_IPCP] == STATE_OPENED) { 541 if ((vjlen = 542 sl_uncompress_tcp_core(mtod(m, u_char *), 543 m->m_len, m->m_len, 544 TYPE_COMPRESSED_TCP, 545 sp->pp_comp, 546 &iphdr, &hlen)) <= 0) { 547 if (debug) 548 log(LOG_INFO, 549 SPP_FMT "VJ uncompress failed on compressed packet\n", 550 SPP_ARGS(ifp)); 551 goto drop; 552 } 553 554 /* 555 * Trim the VJ header off the packet, and prepend 556 * the uncompressed IP header (which will usually 557 * end up in two chained mbufs since there's not 558 * enough leading space in the existing mbuf). 559 */ 560 m_adj(m, vjlen); 561 M_PREPEND(m, hlen, MB_DONTWAIT); 562 if (m == NULL) 563 goto drop2; 564 bcopy(iphdr, mtod(m, u_char *), hlen); 565 566 isr = NETISR_IP; 567 } 568 do_account++; 569 break; 570 case PPP_VJ_UCOMP: 571 if (sp->state[IDX_IPCP] == STATE_OPENED) { 572 if (sl_uncompress_tcp_core(mtod(m, u_char *), 573 m->m_len, m->m_len, 574 TYPE_UNCOMPRESSED_TCP, 575 sp->pp_comp, 576 &iphdr, &hlen) != 0) { 577 if (debug) 578 log(LOG_INFO, 579 SPP_FMT "VJ uncompress failed on uncompressed packet\n", 580 SPP_ARGS(ifp)); 581 goto drop; 582 } 583 isr = NETISR_IP; 584 } 585 do_account++; 586 break; 587 #endif 588 #ifdef INET6 589 case PPP_IPV6CP: 590 if (sp->pp_phase == PHASE_NETWORK) 591 sppp_cp_input(&ipv6cp, sp, m); 592 m_freem (m); 593 return; 594 595 case PPP_IPV6: 596 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 597 isr = NETISR_IPV6; 598 } 599 do_account++; 600 break; 601 #endif 602 } 603 break; 604 case CISCO_MULTICAST: 605 case CISCO_UNICAST: 606 /* Don't check the control field here (RFC 1547). */ 607 if (sp->pp_mode != IFF_CISCO) { 608 if (debug) 609 log(LOG_DEBUG, 610 SPP_FMT "Cisco packet in PPP mode " 611 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 612 SPP_ARGS(ifp), 613 h->address, h->control, ntohs(h->protocol)); 614 goto drop; 615 } 616 switch (ntohs (h->protocol)) { 617 default: 618 IFNET_STAT_INC(ifp, noproto, 1); 619 goto invalid; 620 case CISCO_KEEPALIVE: 621 sppp_cisco_input ((struct sppp*) ifp, m); 622 m_freem (m); 623 return; 624 #ifdef INET 625 case ETHERTYPE_IP: 626 isr = NETISR_IP; 627 do_account++; 628 break; 629 #endif 630 #ifdef INET6 631 case ETHERTYPE_IPV6: 632 isr = NETISR_IPV6; 633 do_account++; 634 break; 635 #endif 636 } 637 break; 638 default: /* Invalid PPP packet. */ 639 invalid: 640 if (debug) 641 log(LOG_DEBUG, 642 SPP_FMT "invalid input packet " 643 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 644 SPP_ARGS(ifp), 645 h->address, h->control, ntohs(h->protocol)); 646 goto drop; 647 } 648 649 if (! (ifp->if_flags & IFF_UP) || isr < 0) 650 goto drop; 651 652 /* Check queue. */ 653 654 netisr_queue(isr, m); 655 656 /* 657 * Do only account for network packets, not for control 658 * packets. This is used by some subsystems to detect 659 * idle lines. 660 */ 661 if (do_account) 662 sp->pp_last_recv = time_uptime; 663 } 664 665 /* 666 * Enqueue transmit packet. 667 */ 668 static int 669 sppp_output_serialized(struct ifnet *ifp, struct ifaltq_subque *ifsq, 670 struct mbuf *m, struct sockaddr *dst, struct rtentry *rt) 671 { 672 struct sppp *sp = (struct sppp*) ifp; 673 struct ppp_header *h; 674 struct ifqueue *ifq = NULL; 675 int rv = 0; 676 int ipproto = PPP_IP; 677 int debug = ifp->if_flags & IFF_DEBUG; 678 struct altq_pktattr pktattr; 679 680 crit_enter(); 681 682 if ((ifp->if_flags & IFF_UP) == 0 || 683 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 684 #ifdef INET6 685 drop: 686 #endif 687 m_freem (m); 688 crit_exit(); 689 return (ENETDOWN); 690 } 691 692 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 693 #ifdef INET6 694 /* 695 * XXX 696 * 697 * Hack to prevent the initialization-time generated 698 * IPv6 multicast packet to erroneously cause a 699 * dialout event in case IPv6 has been 700 * administratively disabled on that interface. 701 */ 702 if (dst->sa_family == AF_INET6 && 703 !(sp->confflags & CONF_ENABLE_IPV6)) 704 goto drop; 705 #endif 706 /* 707 * Interface is not yet running, but auto-dial. Need 708 * to start LCP for it. 709 */ 710 ifp->if_flags |= IFF_RUNNING; 711 crit_exit(); 712 lcp.Open(sp); 713 crit_enter(); 714 } 715 716 /* 717 * if the queueing discipline needs packet classification, 718 * do it before prepending link headers. 719 */ 720 ifq_classify(&ifp->if_snd, m, dst->sa_family, &pktattr); 721 722 #ifdef INET 723 if (dst->sa_family == AF_INET) { 724 /* XXX Check mbuf length here? */ 725 struct ip *ip = mtod (m, struct ip*); 726 struct tcphdr *tcp = (struct tcphdr*) ((long*)ip + ip->ip_hl); 727 728 /* 729 * When using dynamic local IP address assignment by using 730 * 0.0.0.0 as a local address, the first TCP session will 731 * not connect because the local TCP checksum is computed 732 * using 0.0.0.0 which will later become our real IP address 733 * so the TCP checksum computed at the remote end will 734 * become invalid. So we 735 * - don't let packets with src ip addr 0 thru 736 * - we flag TCP packets with src ip 0 as an error 737 */ 738 739 if(ip->ip_src.s_addr == INADDR_ANY) /* -hm */ 740 { 741 m_freem(m); 742 crit_exit(); 743 if(ip->ip_p == IPPROTO_TCP) 744 return(EADDRNOTAVAIL); 745 else 746 return(0); 747 } 748 749 /* 750 * Put low delay, telnet, rlogin and ftp control packets 751 * in front of the queue. 752 */ 753 if (IF_QFULL (&sp->pp_fastq)) 754 ; 755 else if (ip->ip_tos & IPTOS_LOWDELAY) 756 ifq = &sp->pp_fastq; 757 else if (m->m_len < sizeof *ip + sizeof *tcp) 758 ; 759 else if (ip->ip_p != IPPROTO_TCP) 760 ; 761 else if (INTERACTIVE (ntohs (tcp->th_sport))) 762 ifq = &sp->pp_fastq; 763 else if (INTERACTIVE (ntohs (tcp->th_dport))) 764 ifq = &sp->pp_fastq; 765 766 /* 767 * Do IP Header compression 768 */ 769 if (sp->pp_mode != IFF_CISCO && (sp->ipcp.flags & IPCP_VJ) && 770 ip->ip_p == IPPROTO_TCP) 771 switch (sl_compress_tcp(m, ip, sp->pp_comp, 772 sp->ipcp.compress_cid)) { 773 case TYPE_COMPRESSED_TCP: 774 ipproto = PPP_VJ_COMP; 775 break; 776 case TYPE_UNCOMPRESSED_TCP: 777 ipproto = PPP_VJ_UCOMP; 778 break; 779 case TYPE_IP: 780 ipproto = PPP_IP; 781 break; 782 default: 783 m_freem(m); 784 crit_exit(); 785 return (EINVAL); 786 } 787 } 788 #endif 789 790 #ifdef INET6 791 if (dst->sa_family == AF_INET6) { 792 /* XXX do something tricky here? */ 793 } 794 #endif 795 796 /* 797 * Prepend general data packet PPP header. For now, IP only. 798 */ 799 M_PREPEND (m, PPP_HEADER_LEN, MB_DONTWAIT); 800 if (! m) { 801 if (debug) 802 log(LOG_DEBUG, SPP_FMT "no memory for transmit header\n", 803 SPP_ARGS(ifp)); 804 IFNET_STAT_INC(ifp, oerrors, 1); 805 crit_exit(); 806 return (ENOBUFS); 807 } 808 /* 809 * May want to check size of packet 810 * (albeit due to the implementation it's always enough) 811 */ 812 h = mtod (m, struct ppp_header*); 813 if (sp->pp_mode == IFF_CISCO) { 814 h->address = CISCO_UNICAST; /* unicast address */ 815 h->control = 0; 816 } else { 817 h->address = PPP_ALLSTATIONS; /* broadcast address */ 818 h->control = PPP_UI; /* Unnumbered Info */ 819 } 820 821 switch (dst->sa_family) { 822 #ifdef INET 823 case AF_INET: /* Internet Protocol */ 824 if (sp->pp_mode == IFF_CISCO) 825 h->protocol = htons (ETHERTYPE_IP); 826 else { 827 /* 828 * Don't choke with an ENETDOWN early. It's 829 * possible that we just started dialing out, 830 * so don't drop the packet immediately. If 831 * we notice that we run out of buffer space 832 * below, we will however remember that we are 833 * not ready to carry IP packets, and return 834 * ENETDOWN, as opposed to ENOBUFS. 835 */ 836 h->protocol = htons(ipproto); 837 if (sp->state[IDX_IPCP] != STATE_OPENED) 838 rv = ENETDOWN; 839 } 840 break; 841 #endif 842 #ifdef INET6 843 case AF_INET6: /* Internet Protocol */ 844 if (sp->pp_mode == IFF_CISCO) 845 h->protocol = htons (ETHERTYPE_IPV6); 846 else { 847 /* 848 * Don't choke with an ENETDOWN early. It's 849 * possible that we just started dialing out, 850 * so don't drop the packet immediately. If 851 * we notice that we run out of buffer space 852 * below, we will however remember that we are 853 * not ready to carry IP packets, and return 854 * ENETDOWN, as opposed to ENOBUFS. 855 */ 856 h->protocol = htons(PPP_IPV6); 857 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 858 rv = ENETDOWN; 859 } 860 break; 861 #endif 862 default: 863 m_freem (m); 864 IFNET_STAT_INC(ifp, oerrors, 1); 865 crit_exit(); 866 return (EAFNOSUPPORT); 867 } 868 869 /* 870 * Queue message on interface, and start output if interface 871 * not yet active. 872 */ 873 if (ifq != NULL) { 874 if (IF_QFULL(ifq)) { 875 IF_DROP(ifq); 876 m_freem(m); 877 rv = ENOBUFS; 878 } else { 879 IF_ENQUEUE(ifq, m); 880 rv = 0; 881 } 882 } else { 883 rv = ifsq_enqueue(ifsq, m, &pktattr); 884 } 885 if (rv) { 886 IFNET_STAT_INC(ifp, oerrors, 1); 887 crit_exit(); 888 return(rv); 889 } 890 if (!ifsq_is_oactive(ifsq)) 891 (*ifp->if_start) (ifp, ifsq); 892 893 /* 894 * Count output packets and bytes. 895 * The packet length includes header, FCS and 1 flag, 896 * according to RFC 1333. 897 */ 898 IFNET_STAT_INC(ifp, obytes, m->m_pkthdr.len + 3); 899 900 /* 901 * Unlike in sppp_input(), we can always bump the timestamp 902 * here since sppp_output() is only called on behalf of 903 * network-layer traffic; control-layer traffic is handled 904 * by sppp_cp_send(). 905 */ 906 sp->pp_last_sent = time_uptime; 907 908 crit_exit(); 909 return (0); 910 } 911 912 static int 913 sppp_output(struct ifnet *ifp, struct mbuf *m, 914 struct sockaddr *dst, struct rtentry *rt) 915 { 916 struct ifaltq_subque *ifsq = ifq_get_subq_default(&ifp->if_snd); 917 int error; 918 919 ifsq_serialize_hw(ifsq); 920 error = sppp_output_serialized(ifp, ifsq, m, dst, rt); 921 ifsq_deserialize_hw(ifsq); 922 923 return error; 924 } 925 926 void 927 sppp_attach(struct ifnet *ifp) 928 { 929 struct sppp *sp = (struct sppp*) ifp; 930 931 /* Initialize keepalive handler. */ 932 if (!spppq) { 933 callout_reset(&keepalive_timeout, hz * 10, 934 sppp_keepalive, NULL); 935 } 936 /* Insert new entry into the keepalive list. */ 937 sp->pp_next = spppq; 938 spppq = sp; 939 940 sp->pp_if.if_mtu = PP_MTU; 941 sp->pp_if.if_flags = IFF_POINTOPOINT | IFF_MULTICAST; 942 sp->pp_if.if_type = IFT_PPP; 943 sp->pp_if.if_output = sppp_output; 944 #if 0 945 sp->pp_flags = PP_KEEPALIVE; 946 #endif 947 ifq_set_maxlen(&sp->pp_if.if_snd, 32); 948 sp->pp_fastq.ifq_maxlen = 32; 949 sp->pp_cpq.ifq_maxlen = 20; 950 sp->pp_loopcnt = 0; 951 sp->pp_alivecnt = 0; 952 bzero(&sp->pp_seq[0], sizeof(sp->pp_seq)); 953 bzero(&sp->pp_rseq[0], sizeof(sp->pp_rseq)); 954 sp->pp_phase = PHASE_DEAD; 955 sp->pp_up = lcp.Up; 956 sp->pp_down = lcp.Down; 957 sp->pp_last_recv = sp->pp_last_sent = time_uptime; 958 sp->confflags = 0; 959 #ifdef INET 960 sp->confflags |= CONF_ENABLE_VJ; 961 #endif 962 #ifdef INET6 963 sp->confflags |= CONF_ENABLE_IPV6; 964 #endif 965 sp->pp_comp = kmalloc(sizeof(struct slcompress), M_TEMP, M_WAITOK); 966 sl_compress_init(sp->pp_comp, -1); 967 sppp_lcp_init(sp); 968 sppp_ipcp_init(sp); 969 sppp_ipv6cp_init(sp); 970 sppp_pap_init(sp); 971 sppp_chap_init(sp); 972 } 973 974 void 975 sppp_detach(struct ifnet *ifp) 976 { 977 struct sppp **q, *p, *sp = (struct sppp*) ifp; 978 int i; 979 980 /* Remove the entry from the keepalive list. */ 981 for (q = &spppq; (p = *q); q = &p->pp_next) 982 if (p == sp) { 983 *q = p->pp_next; 984 break; 985 } 986 987 /* Stop keepalive handler. */ 988 if (!spppq) 989 callout_stop(&keepalive_timeout); 990 991 for (i = 0; i < IDX_COUNT; i++) 992 callout_stop(&sp->timeout[i]); 993 callout_stop(&sp->pap_my_to); 994 } 995 996 /* 997 * Flush the interface output queue. 998 */ 999 void 1000 sppp_flush(struct ifnet *ifp) 1001 { 1002 struct sppp *sp = (struct sppp*) ifp; 1003 1004 ifq_purge_all(&sp->pp_if.if_snd); 1005 IF_DRAIN(&sp->pp_fastq); 1006 IF_DRAIN(&sp->pp_cpq); 1007 } 1008 1009 /* 1010 * Check if the output queue is empty. 1011 */ 1012 int 1013 sppp_isempty(struct ifnet *ifp) 1014 { 1015 struct sppp *sp = (struct sppp*) ifp; 1016 int empty; 1017 1018 crit_enter(); 1019 empty = IF_QEMPTY(&sp->pp_fastq) && IF_QEMPTY(&sp->pp_cpq) && 1020 ifsq_is_empty(ifq_get_subq_default(&sp->pp_if.if_snd)); 1021 crit_exit(); 1022 return (empty); 1023 } 1024 1025 /* 1026 * Get next packet to send. 1027 */ 1028 struct mbuf * 1029 sppp_dequeue(struct ifnet *ifp) 1030 { 1031 struct sppp *sp = (struct sppp*) ifp; 1032 struct mbuf *m; 1033 1034 crit_enter(); 1035 1036 /* 1037 * Process only the control protocol queue until we have at 1038 * least one NCP open. 1039 * 1040 * Do always serve all three queues in Cisco mode. 1041 */ 1042 IF_DEQUEUE(&sp->pp_cpq, m); 1043 if (m == NULL && 1044 (sppp_ncp_check(sp) || sp->pp_mode == IFF_CISCO)) { 1045 IF_DEQUEUE(&sp->pp_fastq, m); 1046 if (m == NULL) { 1047 m = ifsq_dequeue( 1048 ifq_get_subq_default(&sp->pp_if.if_snd)); 1049 } 1050 } 1051 1052 crit_exit(); 1053 return m; 1054 } 1055 1056 /* 1057 * Pick the next packet, do not remove it from the queue. 1058 */ 1059 struct mbuf * 1060 sppp_pick(struct ifnet *ifp) 1061 { 1062 struct sppp *sp = (struct sppp*)ifp; 1063 struct mbuf *m; 1064 1065 crit_enter(); 1066 1067 m = sp->pp_cpq.ifq_head; 1068 if (m == NULL && 1069 (sp->pp_phase == PHASE_NETWORK || sp->pp_mode == IFF_CISCO)) { 1070 if ((m = sp->pp_fastq.ifq_head) == NULL) 1071 m = ifsq_poll(ifq_get_subq_default(&sp->pp_if.if_snd)); 1072 } 1073 1074 crit_exit(); 1075 return (m); 1076 } 1077 1078 /* 1079 * Process an ioctl request. Called on low priority level. 1080 */ 1081 int 1082 sppp_ioctl(struct ifnet *ifp, IOCTL_CMD_T cmd, void *data) 1083 { 1084 struct ifreq *ifr = (struct ifreq*) data; 1085 struct sppp *sp = (struct sppp*) ifp; 1086 int rv, going_up, going_down, newmode; 1087 1088 crit_enter(); 1089 1090 rv = 0; 1091 switch (cmd) { 1092 case SIOCAIFADDR: 1093 case SIOCSIFDSTADDR: 1094 break; 1095 1096 case SIOCSIFADDR: 1097 /* set the interface "up" when assigning an IP address */ 1098 ifp->if_flags |= IFF_UP; 1099 /* fall through... */ 1100 1101 case SIOCSIFFLAGS: 1102 going_up = ifp->if_flags & IFF_UP && 1103 (ifp->if_flags & IFF_RUNNING) == 0; 1104 going_down = (ifp->if_flags & IFF_UP) == 0 && 1105 ifp->if_flags & IFF_RUNNING; 1106 1107 newmode = ifp->if_flags & IFF_PASSIVE; 1108 if (!newmode) 1109 newmode = ifp->if_flags & IFF_AUTO; 1110 if (!newmode) 1111 newmode = ifp->if_flags & IFF_CISCO; 1112 ifp->if_flags &= ~(IFF_PASSIVE | IFF_AUTO | IFF_CISCO); 1113 ifp->if_flags |= newmode; 1114 1115 if (newmode != sp->pp_mode) { 1116 going_down = 1; 1117 if (!going_up) 1118 going_up = ifp->if_flags & IFF_RUNNING; 1119 } 1120 1121 if (going_down) { 1122 if (sp->pp_mode != IFF_CISCO) 1123 lcp.Close(sp); 1124 else if (sp->pp_tlf) 1125 (sp->pp_tlf)(sp); 1126 sppp_flush(ifp); 1127 ifp->if_flags &= ~IFF_RUNNING; 1128 sp->pp_mode = newmode; 1129 } 1130 1131 if (going_up) { 1132 if (sp->pp_mode != IFF_CISCO) 1133 lcp.Close(sp); 1134 sp->pp_mode = newmode; 1135 if (sp->pp_mode == 0) { 1136 ifp->if_flags |= IFF_RUNNING; 1137 lcp.Open(sp); 1138 } 1139 if (sp->pp_mode == IFF_CISCO) { 1140 if (sp->pp_tls) 1141 (sp->pp_tls)(sp); 1142 ifp->if_flags |= IFF_RUNNING; 1143 } 1144 } 1145 1146 break; 1147 1148 #ifdef SIOCSIFMTU 1149 #ifndef ifr_mtu 1150 #define ifr_mtu ifr_metric 1151 #endif 1152 case SIOCSIFMTU: 1153 if (ifr->ifr_mtu < 128 || ifr->ifr_mtu > sp->lcp.their_mru) 1154 return (EINVAL); 1155 ifp->if_mtu = ifr->ifr_mtu; 1156 break; 1157 #endif 1158 #ifdef SLIOCSETMTU 1159 case SLIOCSETMTU: 1160 if (*(short*)data < 128 || *(short*)data > sp->lcp.their_mru) 1161 return (EINVAL); 1162 ifp->if_mtu = *(short*)data; 1163 break; 1164 #endif 1165 #ifdef SIOCGIFMTU 1166 case SIOCGIFMTU: 1167 ifr->ifr_mtu = ifp->if_mtu; 1168 break; 1169 #endif 1170 #ifdef SLIOCGETMTU 1171 case SLIOCGETMTU: 1172 *(short*)data = ifp->if_mtu; 1173 break; 1174 #endif 1175 case SIOCADDMULTI: 1176 case SIOCDELMULTI: 1177 break; 1178 1179 case SIOCGIFGENERIC: 1180 case SIOCSIFGENERIC: 1181 rv = sppp_params(sp, cmd, data); 1182 break; 1183 1184 default: 1185 rv = ENOTTY; 1186 } 1187 1188 crit_exit(); 1189 return rv; 1190 } 1191 1192 /* 1193 * Cisco framing implementation. 1194 */ 1195 1196 /* 1197 * Handle incoming Cisco keepalive protocol packets. 1198 */ 1199 static void 1200 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1201 { 1202 STDDCL; 1203 struct cisco_packet *h; 1204 u_long me, mymask; 1205 1206 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1207 if (debug) 1208 log(LOG_DEBUG, 1209 SPP_FMT "cisco invalid packet length: %d bytes\n", 1210 SPP_ARGS(ifp), m->m_pkthdr.len); 1211 return; 1212 } 1213 h = mtod (m, struct cisco_packet*); 1214 if (debug) 1215 log(LOG_DEBUG, 1216 SPP_FMT "cisco input: %d bytes " 1217 "<0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n", 1218 SPP_ARGS(ifp), m->m_pkthdr.len, 1219 (u_long)ntohl (h->type), h->par1, h->par2, (u_int)h->rel, 1220 (u_int)h->time0, (u_int)h->time1); 1221 switch (ntohl (h->type)) { 1222 default: 1223 if (debug) 1224 log(-1, SPP_FMT "cisco unknown packet type: 0x%lx\n", 1225 SPP_ARGS(ifp), (u_long)ntohl (h->type)); 1226 break; 1227 case CISCO_ADDR_REPLY: 1228 /* Reply on address request, ignore */ 1229 break; 1230 case CISCO_KEEPALIVE_REQ: 1231 sp->pp_alivecnt = 0; 1232 sp->pp_rseq[IDX_LCP] = ntohl (h->par1); 1233 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1234 /* Local and remote sequence numbers are equal. 1235 * Probably, the line is in loopback mode. */ 1236 if (sp->pp_loopcnt >= MAXALIVECNT) { 1237 kprintf (SPP_FMT "loopback\n", 1238 SPP_ARGS(ifp)); 1239 sp->pp_loopcnt = 0; 1240 if (ifp->if_flags & IFF_UP) { 1241 if_down (ifp); 1242 IF_DRAIN(&sp->pp_cpq); 1243 } 1244 } 1245 ++sp->pp_loopcnt; 1246 1247 /* Generate new local sequence number */ 1248 sp->pp_seq[IDX_LCP] = krandom(); 1249 break; 1250 } 1251 sp->pp_loopcnt = 0; 1252 if (! (ifp->if_flags & IFF_UP) && 1253 (ifp->if_flags & IFF_RUNNING)) { 1254 if_up(ifp); 1255 kprintf (SPP_FMT "up\n", SPP_ARGS(ifp)); 1256 } 1257 break; 1258 case CISCO_ADDR_REQ: 1259 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1260 if (me != 0L) 1261 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1262 break; 1263 } 1264 } 1265 1266 /* 1267 * Send Cisco keepalive packet. 1268 */ 1269 static void 1270 sppp_cisco_send(struct sppp *sp, int type, long par1, long par2) 1271 { 1272 STDDCL; 1273 struct ppp_header *h; 1274 struct cisco_packet *ch; 1275 struct mbuf *m; 1276 struct timeval tv; 1277 struct ifaltq_subque *ifsq; 1278 1279 getmicrouptime(&tv); 1280 1281 MGETHDR (m, MB_DONTWAIT, MT_DATA); 1282 if (! m) 1283 return; 1284 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1285 m->m_pkthdr.rcvif = 0; 1286 1287 h = mtod (m, struct ppp_header*); 1288 h->address = CISCO_MULTICAST; 1289 h->control = 0; 1290 h->protocol = htons (CISCO_KEEPALIVE); 1291 1292 ch = (struct cisco_packet*) (h + 1); 1293 ch->type = htonl (type); 1294 ch->par1 = htonl (par1); 1295 ch->par2 = htonl (par2); 1296 ch->rel = -1; 1297 1298 ch->time0 = htons ((u_short) (tv.tv_sec >> 16)); 1299 ch->time1 = htons ((u_short) tv.tv_sec); 1300 1301 if (debug) 1302 log(LOG_DEBUG, 1303 SPP_FMT "cisco output: <0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n", 1304 SPP_ARGS(ifp), (u_long)ntohl (ch->type), ch->par1, 1305 ch->par2, (u_int)ch->rel, (u_int)ch->time0, (u_int)ch->time1); 1306 1307 if (IF_QFULL (&sp->pp_cpq)) { 1308 IF_DROP (&sp->pp_fastq); 1309 m_freem (m); 1310 } else 1311 IF_ENQUEUE (&sp->pp_cpq, m); 1312 ifsq = ifq_get_subq_default(&ifp->if_snd); 1313 if (!ifsq_is_oactive(ifsq)) 1314 (*ifp->if_start) (ifp, ifsq); 1315 IFNET_STAT_INC(ifp, obytes, m->m_pkthdr.len + 3); 1316 } 1317 1318 /* 1319 * PPP protocol implementation. 1320 */ 1321 1322 /* 1323 * Send PPP control protocol packet. 1324 */ 1325 static void 1326 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1327 u_char ident, u_short len, void *data) 1328 { 1329 STDDCL; 1330 struct ppp_header *h; 1331 struct lcp_header *lh; 1332 struct mbuf *m; 1333 struct ifaltq_subque *ifsq; 1334 1335 if (len > MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN) 1336 len = MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN; 1337 MGETHDR (m, MB_DONTWAIT, MT_DATA); 1338 if (! m) 1339 return; 1340 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + LCP_HEADER_LEN + len; 1341 m->m_pkthdr.rcvif = 0; 1342 1343 h = mtod (m, struct ppp_header*); 1344 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1345 h->control = PPP_UI; /* Unnumbered Info */ 1346 h->protocol = htons (proto); /* Link Control Protocol */ 1347 1348 lh = (struct lcp_header*) (h + 1); 1349 lh->type = type; 1350 lh->ident = ident; 1351 lh->len = htons (LCP_HEADER_LEN + len); 1352 if (len) 1353 bcopy (data, lh+1, len); 1354 1355 if (debug) { 1356 log(LOG_DEBUG, SPP_FMT "%s output <%s id=0x%x len=%d", 1357 SPP_ARGS(ifp), 1358 sppp_proto_name(proto), 1359 sppp_cp_type_name (lh->type), lh->ident, 1360 ntohs (lh->len)); 1361 sppp_print_bytes ((u_char*) (lh+1), len); 1362 log(-1, ">\n"); 1363 } 1364 if (IF_QFULL (&sp->pp_cpq)) { 1365 IF_DROP (&sp->pp_fastq); 1366 m_freem (m); 1367 IFNET_STAT_INC(ifp, oerrors, 1); 1368 } else 1369 IF_ENQUEUE (&sp->pp_cpq, m); 1370 ifsq = ifq_get_subq_default(&ifp->if_snd); 1371 if (!ifsq_is_oactive(ifsq)) 1372 (*ifp->if_start) (ifp, ifsq); 1373 IFNET_STAT_INC(ifp, obytes, m->m_pkthdr.len + 3); 1374 } 1375 1376 /* 1377 * Handle incoming PPP control protocol packets. 1378 */ 1379 static void 1380 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1381 { 1382 STDDCL; 1383 struct lcp_header *h; 1384 int printlen, len = m->m_pkthdr.len; 1385 int rv; 1386 u_char *p; 1387 1388 if (len < 4) { 1389 if (debug) 1390 log(LOG_DEBUG, 1391 SPP_FMT "%s invalid packet length: %d bytes\n", 1392 SPP_ARGS(ifp), cp->name, len); 1393 return; 1394 } 1395 h = mtod (m, struct lcp_header*); 1396 if (debug) { 1397 printlen = ntohs(h->len); 1398 log(LOG_DEBUG, 1399 SPP_FMT "%s input(%s): <%s id=0x%x len=%d", 1400 SPP_ARGS(ifp), cp->name, 1401 sppp_state_name(sp->state[cp->protoidx]), 1402 sppp_cp_type_name (h->type), h->ident, printlen); 1403 if (len < printlen) 1404 printlen = len; 1405 if (printlen > 4) 1406 sppp_print_bytes ((u_char*) (h+1), printlen - 4); 1407 log(-1, ">\n"); 1408 } 1409 if (len > ntohs (h->len)) 1410 len = ntohs (h->len); 1411 p = (u_char *)(h + 1); 1412 switch (h->type) { 1413 case CONF_REQ: 1414 if (len < 4) { 1415 if (debug) 1416 log(-1, SPP_FMT "%s invalid conf-req length %d\n", 1417 SPP_ARGS(ifp), cp->name, 1418 len); 1419 IFNET_STAT_INC(ifp, ierrors, 1); 1420 break; 1421 } 1422 /* handle states where RCR doesn't get a SCA/SCN */ 1423 switch (sp->state[cp->protoidx]) { 1424 case STATE_CLOSING: 1425 case STATE_STOPPING: 1426 return; 1427 case STATE_CLOSED: 1428 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1429 0, 0); 1430 return; 1431 } 1432 rv = (cp->RCR)(sp, h, len); 1433 if (rv < 0) { 1434 /* fatal error, shut down */ 1435 (cp->tld)(sp); 1436 sppp_lcp_tlf(sp); 1437 return; 1438 } 1439 switch (sp->state[cp->protoidx]) { 1440 case STATE_OPENED: 1441 (cp->tld)(sp); 1442 (cp->scr)(sp); 1443 /* fall through... */ 1444 case STATE_ACK_SENT: 1445 case STATE_REQ_SENT: 1446 /* 1447 * sppp_cp_change_state() have the side effect of 1448 * restarting the timeouts. We want to avoid that 1449 * if the state don't change, otherwise we won't 1450 * ever timeout and resend a configuration request 1451 * that got lost. 1452 */ 1453 if (sp->state[cp->protoidx] == (rv ? STATE_ACK_SENT: 1454 STATE_REQ_SENT)) 1455 break; 1456 sppp_cp_change_state(cp, sp, rv? 1457 STATE_ACK_SENT: STATE_REQ_SENT); 1458 break; 1459 case STATE_STOPPED: 1460 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1461 (cp->scr)(sp); 1462 sppp_cp_change_state(cp, sp, rv? 1463 STATE_ACK_SENT: STATE_REQ_SENT); 1464 break; 1465 case STATE_ACK_RCVD: 1466 if (rv) { 1467 sppp_cp_change_state(cp, sp, STATE_OPENED); 1468 if (debug) 1469 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 1470 SPP_ARGS(ifp), 1471 cp->name); 1472 (cp->tlu)(sp); 1473 } else 1474 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1475 break; 1476 default: 1477 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1478 SPP_ARGS(ifp), cp->name, 1479 sppp_cp_type_name(h->type), 1480 sppp_state_name(sp->state[cp->protoidx])); 1481 IFNET_STAT_INC(ifp, ierrors, 1); 1482 } 1483 break; 1484 case CONF_ACK: 1485 if (h->ident != sp->confid[cp->protoidx]) { 1486 if (debug) 1487 log(-1, SPP_FMT "%s id mismatch 0x%x != 0x%x\n", 1488 SPP_ARGS(ifp), cp->name, 1489 h->ident, sp->confid[cp->protoidx]); 1490 IFNET_STAT_INC(ifp, ierrors, 1); 1491 break; 1492 } 1493 switch (sp->state[cp->protoidx]) { 1494 case STATE_CLOSED: 1495 case STATE_STOPPED: 1496 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1497 break; 1498 case STATE_CLOSING: 1499 case STATE_STOPPING: 1500 break; 1501 case STATE_REQ_SENT: 1502 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1503 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1504 break; 1505 case STATE_OPENED: 1506 (cp->tld)(sp); 1507 /* fall through */ 1508 case STATE_ACK_RCVD: 1509 (cp->scr)(sp); 1510 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1511 break; 1512 case STATE_ACK_SENT: 1513 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1514 sppp_cp_change_state(cp, sp, STATE_OPENED); 1515 if (debug) 1516 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 1517 SPP_ARGS(ifp), cp->name); 1518 (cp->tlu)(sp); 1519 break; 1520 default: 1521 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1522 SPP_ARGS(ifp), cp->name, 1523 sppp_cp_type_name(h->type), 1524 sppp_state_name(sp->state[cp->protoidx])); 1525 IFNET_STAT_INC(ifp, ierrors, 1); 1526 } 1527 break; 1528 case CONF_NAK: 1529 case CONF_REJ: 1530 if (h->ident != sp->confid[cp->protoidx]) { 1531 if (debug) 1532 log(-1, SPP_FMT "%s id mismatch 0x%x != 0x%x\n", 1533 SPP_ARGS(ifp), cp->name, 1534 h->ident, sp->confid[cp->protoidx]); 1535 IFNET_STAT_INC(ifp, ierrors, 1); 1536 break; 1537 } 1538 if (h->type == CONF_NAK) 1539 (cp->RCN_nak)(sp, h, len); 1540 else /* CONF_REJ */ 1541 (cp->RCN_rej)(sp, h, len); 1542 1543 switch (sp->state[cp->protoidx]) { 1544 case STATE_CLOSED: 1545 case STATE_STOPPED: 1546 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1547 break; 1548 case STATE_REQ_SENT: 1549 case STATE_ACK_SENT: 1550 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1551 /* 1552 * Slow things down a bit if we think we might be 1553 * in loopback. Depend on the timeout to send the 1554 * next configuration request. 1555 */ 1556 if (sp->pp_loopcnt) 1557 break; 1558 (cp->scr)(sp); 1559 break; 1560 case STATE_OPENED: 1561 (cp->tld)(sp); 1562 /* fall through */ 1563 case STATE_ACK_RCVD: 1564 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1565 (cp->scr)(sp); 1566 break; 1567 case STATE_CLOSING: 1568 case STATE_STOPPING: 1569 break; 1570 default: 1571 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1572 SPP_ARGS(ifp), cp->name, 1573 sppp_cp_type_name(h->type), 1574 sppp_state_name(sp->state[cp->protoidx])); 1575 IFNET_STAT_INC(ifp, ierrors, 1); 1576 } 1577 break; 1578 1579 case TERM_REQ: 1580 switch (sp->state[cp->protoidx]) { 1581 case STATE_ACK_RCVD: 1582 case STATE_ACK_SENT: 1583 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1584 /* fall through */ 1585 case STATE_CLOSED: 1586 case STATE_STOPPED: 1587 case STATE_CLOSING: 1588 case STATE_STOPPING: 1589 case STATE_REQ_SENT: 1590 sta: 1591 /* Send Terminate-Ack packet. */ 1592 if (debug) 1593 log(LOG_DEBUG, SPP_FMT "%s send terminate-ack\n", 1594 SPP_ARGS(ifp), cp->name); 1595 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1596 break; 1597 case STATE_OPENED: 1598 (cp->tld)(sp); 1599 sp->rst_counter[cp->protoidx] = 0; 1600 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1601 goto sta; 1602 break; 1603 default: 1604 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1605 SPP_ARGS(ifp), cp->name, 1606 sppp_cp_type_name(h->type), 1607 sppp_state_name(sp->state[cp->protoidx])); 1608 IFNET_STAT_INC(ifp, ierrors, 1); 1609 } 1610 break; 1611 case TERM_ACK: 1612 switch (sp->state[cp->protoidx]) { 1613 case STATE_CLOSED: 1614 case STATE_STOPPED: 1615 case STATE_REQ_SENT: 1616 case STATE_ACK_SENT: 1617 break; 1618 case STATE_CLOSING: 1619 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1620 (cp->tlf)(sp); 1621 break; 1622 case STATE_STOPPING: 1623 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1624 (cp->tlf)(sp); 1625 break; 1626 case STATE_ACK_RCVD: 1627 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1628 break; 1629 case STATE_OPENED: 1630 (cp->tld)(sp); 1631 (cp->scr)(sp); 1632 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1633 break; 1634 default: 1635 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1636 SPP_ARGS(ifp), cp->name, 1637 sppp_cp_type_name(h->type), 1638 sppp_state_name(sp->state[cp->protoidx])); 1639 IFNET_STAT_INC(ifp, ierrors, 1); 1640 } 1641 break; 1642 case CODE_REJ: 1643 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1644 log(LOG_INFO, 1645 SPP_FMT "%s: ignoring RXJ (%s) for proto 0x%x, " 1646 "danger will robinson\n", 1647 SPP_ARGS(ifp), cp->name, 1648 sppp_cp_type_name(h->type), ntohs(*((u_short *)p))); 1649 switch (sp->state[cp->protoidx]) { 1650 case STATE_CLOSED: 1651 case STATE_STOPPED: 1652 case STATE_REQ_SENT: 1653 case STATE_ACK_SENT: 1654 case STATE_CLOSING: 1655 case STATE_STOPPING: 1656 case STATE_OPENED: 1657 break; 1658 case STATE_ACK_RCVD: 1659 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1660 break; 1661 default: 1662 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1663 SPP_ARGS(ifp), cp->name, 1664 sppp_cp_type_name(h->type), 1665 sppp_state_name(sp->state[cp->protoidx])); 1666 IFNET_STAT_INC(ifp, ierrors, 1); 1667 } 1668 break; 1669 case PROTO_REJ: 1670 { 1671 int catastrophic; 1672 const struct cp *upper; 1673 int i; 1674 u_int16_t proto; 1675 1676 catastrophic = 0; 1677 upper = NULL; 1678 proto = ntohs(*((u_int16_t *)p)); 1679 for (i = 0; i < IDX_COUNT; i++) { 1680 if (cps[i]->proto == proto) { 1681 upper = cps[i]; 1682 break; 1683 } 1684 } 1685 if (upper == NULL) 1686 catastrophic++; 1687 1688 if (catastrophic || debug) 1689 log(catastrophic? LOG_INFO: LOG_DEBUG, 1690 SPP_FMT "%s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1691 SPP_ARGS(ifp), cp->name, catastrophic ? '-' : '+', 1692 sppp_cp_type_name(h->type), proto, 1693 upper ? upper->name : "unknown", 1694 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1695 1696 /* 1697 * if we got RXJ+ against conf-req, the peer does not implement 1698 * this particular protocol type. terminate the protocol. 1699 */ 1700 if (upper && !catastrophic) { 1701 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1702 upper->Close(sp); 1703 break; 1704 } 1705 } 1706 1707 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1708 switch (sp->state[cp->protoidx]) { 1709 case STATE_CLOSED: 1710 case STATE_STOPPED: 1711 case STATE_REQ_SENT: 1712 case STATE_ACK_SENT: 1713 case STATE_CLOSING: 1714 case STATE_STOPPING: 1715 case STATE_OPENED: 1716 break; 1717 case STATE_ACK_RCVD: 1718 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1719 break; 1720 default: 1721 kprintf(SPP_FMT "%s illegal %s in state %s\n", 1722 SPP_ARGS(ifp), cp->name, 1723 sppp_cp_type_name(h->type), 1724 sppp_state_name(sp->state[cp->protoidx])); 1725 IFNET_STAT_INC(ifp, ierrors, 1); 1726 } 1727 break; 1728 } 1729 case DISC_REQ: 1730 if (cp->proto != PPP_LCP) 1731 goto illegal; 1732 /* Discard the packet. */ 1733 break; 1734 case ECHO_REQ: 1735 if (cp->proto != PPP_LCP) 1736 goto illegal; 1737 if (sp->state[cp->protoidx] != STATE_OPENED) { 1738 if (debug) 1739 log(-1, SPP_FMT "lcp echo req but lcp closed\n", 1740 SPP_ARGS(ifp)); 1741 IFNET_STAT_INC(ifp, ierrors, 1); 1742 break; 1743 } 1744 if (len < 8) { 1745 if (debug) 1746 log(-1, SPP_FMT "invalid lcp echo request " 1747 "packet length: %d bytes\n", 1748 SPP_ARGS(ifp), len); 1749 break; 1750 } 1751 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 1752 ntohl (*(long*)(h+1)) == sp->lcp.magic) { 1753 /* Line loopback mode detected. */ 1754 kprintf(SPP_FMT "loopback\n", SPP_ARGS(ifp)); 1755 sp->pp_loopcnt = MAXALIVECNT * 5; 1756 if_down (ifp); 1757 IF_DRAIN(&sp->pp_cpq); 1758 1759 /* Shut down the PPP link. */ 1760 /* XXX */ 1761 lcp.Down(sp); 1762 lcp.Up(sp); 1763 break; 1764 } 1765 *(long*)(h+1) = htonl (sp->lcp.magic); 1766 if (debug) 1767 log(-1, SPP_FMT "got lcp echo req, sending echo rep\n", 1768 SPP_ARGS(ifp)); 1769 sppp_cp_send (sp, PPP_LCP, ECHO_REPLY, h->ident, len-4, h+1); 1770 break; 1771 case ECHO_REPLY: 1772 if (cp->proto != PPP_LCP) 1773 goto illegal; 1774 if (h->ident != sp->lcp.echoid) { 1775 IFNET_STAT_INC(ifp, ierrors, 1); 1776 break; 1777 } 1778 if (len < 8) { 1779 if (debug) 1780 log(-1, SPP_FMT "lcp invalid echo reply " 1781 "packet length: %d bytes\n", 1782 SPP_ARGS(ifp), len); 1783 break; 1784 } 1785 if (debug) 1786 log(-1, SPP_FMT "lcp got echo rep\n", 1787 SPP_ARGS(ifp)); 1788 if (!(sp->lcp.opts & (1 << LCP_OPT_MAGIC)) || 1789 ntohl (*(long*)(h+1)) != sp->lcp.magic) 1790 sp->pp_alivecnt = 0; 1791 break; 1792 default: 1793 /* Unknown packet type -- send Code-Reject packet. */ 1794 illegal: 1795 if (debug) 1796 log(-1, SPP_FMT "%s send code-rej for 0x%x\n", 1797 SPP_ARGS(ifp), cp->name, h->type); 1798 sppp_cp_send(sp, cp->proto, CODE_REJ, 1799 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1800 IFNET_STAT_INC(ifp, ierrors, 1); 1801 } 1802 } 1803 1804 1805 /* 1806 * The generic part of all Up/Down/Open/Close/TO event handlers. 1807 * Basically, the state transition handling in the automaton. 1808 */ 1809 static void 1810 sppp_up_event(const struct cp *cp, struct sppp *sp) 1811 { 1812 STDDCL; 1813 1814 if (debug) 1815 log(LOG_DEBUG, SPP_FMT "%s up(%s)\n", 1816 SPP_ARGS(ifp), cp->name, 1817 sppp_state_name(sp->state[cp->protoidx])); 1818 1819 switch (sp->state[cp->protoidx]) { 1820 case STATE_INITIAL: 1821 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1822 break; 1823 case STATE_STARTING: 1824 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1825 (cp->scr)(sp); 1826 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1827 break; 1828 default: 1829 kprintf(SPP_FMT "%s illegal up in state %s\n", 1830 SPP_ARGS(ifp), cp->name, 1831 sppp_state_name(sp->state[cp->protoidx])); 1832 } 1833 } 1834 1835 static void 1836 sppp_down_event(const struct cp *cp, struct sppp *sp) 1837 { 1838 STDDCL; 1839 1840 if (debug) 1841 log(LOG_DEBUG, SPP_FMT "%s down(%s)\n", 1842 SPP_ARGS(ifp), cp->name, 1843 sppp_state_name(sp->state[cp->protoidx])); 1844 1845 switch (sp->state[cp->protoidx]) { 1846 case STATE_CLOSED: 1847 case STATE_CLOSING: 1848 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1849 break; 1850 case STATE_STOPPED: 1851 sppp_cp_change_state(cp, sp, STATE_STARTING); 1852 (cp->tls)(sp); 1853 break; 1854 case STATE_STOPPING: 1855 case STATE_REQ_SENT: 1856 case STATE_ACK_RCVD: 1857 case STATE_ACK_SENT: 1858 sppp_cp_change_state(cp, sp, STATE_STARTING); 1859 break; 1860 case STATE_OPENED: 1861 (cp->tld)(sp); 1862 sppp_cp_change_state(cp, sp, STATE_STARTING); 1863 break; 1864 default: 1865 kprintf(SPP_FMT "%s illegal down in state %s\n", 1866 SPP_ARGS(ifp), cp->name, 1867 sppp_state_name(sp->state[cp->protoidx])); 1868 } 1869 } 1870 1871 1872 static void 1873 sppp_open_event(const struct cp *cp, struct sppp *sp) 1874 { 1875 STDDCL; 1876 1877 if (debug) 1878 log(LOG_DEBUG, SPP_FMT "%s open(%s)\n", 1879 SPP_ARGS(ifp), cp->name, 1880 sppp_state_name(sp->state[cp->protoidx])); 1881 1882 switch (sp->state[cp->protoidx]) { 1883 case STATE_INITIAL: 1884 sppp_cp_change_state(cp, sp, STATE_STARTING); 1885 (cp->tls)(sp); 1886 break; 1887 case STATE_STARTING: 1888 break; 1889 case STATE_CLOSED: 1890 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1891 (cp->scr)(sp); 1892 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1893 break; 1894 case STATE_STOPPED: 1895 /* 1896 * Try escaping stopped state. This seems to bite 1897 * people occasionally, in particular for IPCP, 1898 * presumably following previous IPCP negotiation 1899 * aborts. Somehow, we must have missed a Down event 1900 * which would have caused a transition into starting 1901 * state, so as a bandaid we force the Down event now. 1902 * This effectively implements (something like the) 1903 * `restart' option mentioned in the state transition 1904 * table of RFC 1661. 1905 */ 1906 sppp_cp_change_state(cp, sp, STATE_STARTING); 1907 (cp->tls)(sp); 1908 break; 1909 case STATE_STOPPING: 1910 case STATE_REQ_SENT: 1911 case STATE_ACK_RCVD: 1912 case STATE_ACK_SENT: 1913 case STATE_OPENED: 1914 break; 1915 case STATE_CLOSING: 1916 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1917 break; 1918 } 1919 } 1920 1921 1922 static void 1923 sppp_close_event(const struct cp *cp, struct sppp *sp) 1924 { 1925 STDDCL; 1926 1927 if (debug) 1928 log(LOG_DEBUG, SPP_FMT "%s close(%s)\n", 1929 SPP_ARGS(ifp), cp->name, 1930 sppp_state_name(sp->state[cp->protoidx])); 1931 1932 switch (sp->state[cp->protoidx]) { 1933 case STATE_INITIAL: 1934 case STATE_CLOSED: 1935 case STATE_CLOSING: 1936 break; 1937 case STATE_STARTING: 1938 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1939 (cp->tlf)(sp); 1940 break; 1941 case STATE_STOPPED: 1942 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1943 break; 1944 case STATE_STOPPING: 1945 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1946 break; 1947 case STATE_OPENED: 1948 (cp->tld)(sp); 1949 /* fall through */ 1950 case STATE_REQ_SENT: 1951 case STATE_ACK_RCVD: 1952 case STATE_ACK_SENT: 1953 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 1954 sppp_cp_send(sp, cp->proto, TERM_REQ, 1955 ++sp->pp_seq[cp->protoidx], 0, 0); 1956 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1957 break; 1958 } 1959 } 1960 1961 static void 1962 sppp_to_event(const struct cp *cp, struct sppp *sp) 1963 { 1964 STDDCL; 1965 1966 crit_enter(); 1967 1968 if (debug) 1969 log(LOG_DEBUG, SPP_FMT "%s TO(%s) rst_counter = %d\n", 1970 SPP_ARGS(ifp), cp->name, 1971 sppp_state_name(sp->state[cp->protoidx]), 1972 sp->rst_counter[cp->protoidx]); 1973 1974 if (--sp->rst_counter[cp->protoidx] < 0) 1975 /* TO- event */ 1976 switch (sp->state[cp->protoidx]) { 1977 case STATE_CLOSING: 1978 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1979 (cp->tlf)(sp); 1980 break; 1981 case STATE_STOPPING: 1982 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1983 (cp->tlf)(sp); 1984 break; 1985 case STATE_REQ_SENT: 1986 case STATE_ACK_RCVD: 1987 case STATE_ACK_SENT: 1988 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1989 (cp->tlf)(sp); 1990 break; 1991 } 1992 else 1993 /* TO+ event */ 1994 switch (sp->state[cp->protoidx]) { 1995 case STATE_CLOSING: 1996 case STATE_STOPPING: 1997 sppp_cp_send(sp, cp->proto, TERM_REQ, 1998 ++sp->pp_seq[cp->protoidx], 0, 0); 1999 callout_reset(&sp->timeout[cp->protoidx], 2000 sp->lcp.timeout, cp->TO, sp); 2001 break; 2002 case STATE_REQ_SENT: 2003 case STATE_ACK_RCVD: 2004 (cp->scr)(sp); 2005 /* sppp_cp_change_state() will restart the timer */ 2006 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2007 break; 2008 case STATE_ACK_SENT: 2009 (cp->scr)(sp); 2010 callout_reset(&sp->timeout[cp->protoidx], 2011 sp->lcp.timeout, cp->TO, sp); 2012 break; 2013 } 2014 2015 crit_exit(); 2016 } 2017 2018 /* 2019 * Change the state of a control protocol in the state automaton. 2020 * Takes care of starting/stopping the restart timer. 2021 */ 2022 void 2023 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2024 { 2025 sp->state[cp->protoidx] = newstate; 2026 callout_stop(&sp->timeout[cp->protoidx]); 2027 2028 switch (newstate) { 2029 case STATE_INITIAL: 2030 case STATE_STARTING: 2031 case STATE_CLOSED: 2032 case STATE_STOPPED: 2033 case STATE_OPENED: 2034 break; 2035 case STATE_CLOSING: 2036 case STATE_STOPPING: 2037 case STATE_REQ_SENT: 2038 case STATE_ACK_RCVD: 2039 case STATE_ACK_SENT: 2040 callout_reset(&sp->timeout[cp->protoidx], 2041 sp->lcp.timeout, cp->TO, sp); 2042 break; 2043 } 2044 } 2045 2046 /* 2047 *--------------------------------------------------------------------------* 2048 * * 2049 * The LCP implementation. * 2050 * * 2051 *--------------------------------------------------------------------------* 2052 */ 2053 static void 2054 sppp_lcp_init(struct sppp *sp) 2055 { 2056 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2057 sp->lcp.magic = 0; 2058 sp->state[IDX_LCP] = STATE_INITIAL; 2059 sp->fail_counter[IDX_LCP] = 0; 2060 sp->pp_seq[IDX_LCP] = 0; 2061 sp->pp_rseq[IDX_LCP] = 0; 2062 sp->lcp.protos = 0; 2063 sp->lcp.mru = sp->lcp.their_mru = PP_MTU; 2064 2065 /* Note that these values are relevant for all control protocols */ 2066 sp->lcp.timeout = 3 * hz; 2067 sp->lcp.max_terminate = 2; 2068 sp->lcp.max_configure = 10; 2069 sp->lcp.max_failure = 10; 2070 callout_init(&sp->timeout[IDX_LCP]); 2071 } 2072 2073 static void 2074 sppp_lcp_up(struct sppp *sp) 2075 { 2076 STDDCL; 2077 2078 sp->pp_alivecnt = 0; 2079 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2080 sp->lcp.magic = 0; 2081 sp->lcp.protos = 0; 2082 sp->lcp.mru = sp->lcp.their_mru = PP_MTU; 2083 /* 2084 * If this interface is passive or dial-on-demand, and we are 2085 * still in Initial state, it means we've got an incoming 2086 * call. Activate the interface. 2087 */ 2088 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2089 if (debug) 2090 log(LOG_DEBUG, 2091 SPP_FMT "Up event", SPP_ARGS(ifp)); 2092 ifp->if_flags |= IFF_RUNNING; 2093 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2094 if (debug) 2095 log(-1, "(incoming call)\n"); 2096 sp->pp_flags |= PP_CALLIN; 2097 lcp.Open(sp); 2098 } else if (debug) 2099 log(-1, "\n"); 2100 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2101 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2102 ifp->if_flags |= IFF_RUNNING; 2103 lcp.Open(sp); 2104 } 2105 2106 sppp_up_event(&lcp, sp); 2107 } 2108 2109 static void 2110 sppp_lcp_down(struct sppp *sp) 2111 { 2112 STDDCL; 2113 2114 sppp_down_event(&lcp, sp); 2115 2116 /* 2117 * If this is neither a dial-on-demand nor a passive 2118 * interface, simulate an ``ifconfig down'' action, so the 2119 * administrator can force a redial by another ``ifconfig 2120 * up''. XXX For leased line operation, should we immediately 2121 * try to reopen the connection here? 2122 */ 2123 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2124 log(LOG_INFO, 2125 SPP_FMT "Down event, taking interface down.\n", 2126 SPP_ARGS(ifp)); 2127 if_down(ifp); 2128 } else { 2129 if (debug) 2130 log(LOG_DEBUG, 2131 SPP_FMT "Down event (carrier loss)\n", 2132 SPP_ARGS(ifp)); 2133 sp->pp_flags &= ~PP_CALLIN; 2134 if (sp->state[IDX_LCP] != STATE_INITIAL) 2135 lcp.Close(sp); 2136 ifp->if_flags &= ~IFF_RUNNING; 2137 } 2138 } 2139 2140 static void 2141 sppp_lcp_open(struct sppp *sp) 2142 { 2143 /* 2144 * If we are authenticator, negotiate LCP_AUTH 2145 */ 2146 if (sp->hisauth.proto != 0) 2147 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2148 else 2149 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2150 sp->pp_flags &= ~PP_NEEDAUTH; 2151 sppp_open_event(&lcp, sp); 2152 } 2153 2154 static void 2155 sppp_lcp_close(struct sppp *sp) 2156 { 2157 sppp_close_event(&lcp, sp); 2158 } 2159 2160 static void 2161 sppp_lcp_TO(void *cookie) 2162 { 2163 sppp_to_event(&lcp, (struct sppp *)cookie); 2164 } 2165 2166 /* 2167 * Analyze a configure request. Return true if it was agreeable, and 2168 * caused action sca, false if it has been rejected or nak'ed, and 2169 * caused action scn. (The return value is used to make the state 2170 * transition decision in the state automaton.) 2171 */ 2172 static int 2173 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2174 { 2175 STDDCL; 2176 u_char *buf, *r, *p; 2177 int origlen, rlen; 2178 u_long nmagic; 2179 u_short authproto; 2180 2181 len -= 4; 2182 origlen = len; 2183 buf = r = kmalloc (len, M_TEMP, M_INTWAIT); 2184 2185 if (debug) 2186 log(LOG_DEBUG, SPP_FMT "lcp parse opts: ", 2187 SPP_ARGS(ifp)); 2188 2189 /* pass 1: check for things that need to be rejected */ 2190 p = (void*) (h+1); 2191 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2192 /* Sanity check option length */ 2193 if (p[1] > len) { 2194 /* Malicious option - drop immediately. 2195 * XXX Maybe we should just RXJ it? 2196 */ 2197 log(-1, "%s: received malicious LCP option 0x%02x, " 2198 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2199 p[0], p[1], len); 2200 goto drop; 2201 } 2202 if (debug) 2203 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2204 switch (*p) { 2205 case LCP_OPT_MAGIC: 2206 /* Magic number. */ 2207 if (len >= 6 && p[1] == 6) 2208 continue; 2209 if (debug) 2210 log(-1, "[invalid] "); 2211 break; 2212 case LCP_OPT_ASYNC_MAP: 2213 /* Async control character map. */ 2214 if (len >= 6 && p[1] == 6) 2215 continue; 2216 if (debug) 2217 log(-1, "[invalid] "); 2218 break; 2219 case LCP_OPT_MRU: 2220 /* Maximum receive unit. */ 2221 if (len >= 4 && p[1] == 4) 2222 continue; 2223 if (debug) 2224 log(-1, "[invalid] "); 2225 break; 2226 case LCP_OPT_AUTH_PROTO: 2227 if (len < 4) { 2228 if (debug) 2229 log(-1, "[invalid] "); 2230 break; 2231 } 2232 authproto = (p[2] << 8) + p[3]; 2233 if (authproto == PPP_CHAP && p[1] != 5) { 2234 if (debug) 2235 log(-1, "[invalid chap len] "); 2236 break; 2237 } 2238 if (sp->myauth.proto == 0) { 2239 /* we are not configured to do auth */ 2240 if (debug) 2241 log(-1, "[not configured] "); 2242 break; 2243 } 2244 /* 2245 * Remote want us to authenticate, remember this, 2246 * so we stay in PHASE_AUTHENTICATE after LCP got 2247 * up. 2248 */ 2249 sp->pp_flags |= PP_NEEDAUTH; 2250 continue; 2251 default: 2252 /* Others not supported. */ 2253 if (debug) 2254 log(-1, "[rej] "); 2255 break; 2256 } 2257 /* Add the option to rejected list. */ 2258 bcopy (p, r, p[1]); 2259 r += p[1]; 2260 rlen += p[1]; 2261 } 2262 if (rlen) { 2263 if (debug) 2264 log(-1, " send conf-rej\n"); 2265 sppp_cp_send (sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2266 return 0; 2267 } else if (debug) 2268 log(-1, "\n"); 2269 2270 /* 2271 * pass 2: check for option values that are unacceptable and 2272 * thus require to be nak'ed. 2273 */ 2274 if (debug) 2275 log(LOG_DEBUG, SPP_FMT "lcp parse opt values: ", 2276 SPP_ARGS(ifp)); 2277 2278 p = (void*) (h+1); 2279 len = origlen; 2280 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2281 if (debug) 2282 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2283 switch (*p) { 2284 case LCP_OPT_MAGIC: 2285 /* Magic number -- extract. */ 2286 nmagic = (u_long)p[2] << 24 | 2287 (u_long)p[3] << 16 | p[4] << 8 | p[5]; 2288 if (nmagic != sp->lcp.magic) { 2289 sp->pp_loopcnt = 0; 2290 if (debug) 2291 log(-1, "0x%lx ", nmagic); 2292 continue; 2293 } 2294 if (debug && sp->pp_loopcnt < MAXALIVECNT*5) 2295 log(-1, "[glitch] "); 2296 ++sp->pp_loopcnt; 2297 /* 2298 * We negate our magic here, and NAK it. If 2299 * we see it later in an NAK packet, we 2300 * suggest a new one. 2301 */ 2302 nmagic = ~sp->lcp.magic; 2303 /* Gonna NAK it. */ 2304 p[2] = nmagic >> 24; 2305 p[3] = nmagic >> 16; 2306 p[4] = nmagic >> 8; 2307 p[5] = nmagic; 2308 break; 2309 2310 case LCP_OPT_ASYNC_MAP: 2311 /* 2312 * Async control character map -- just ignore it. 2313 * 2314 * Quote from RFC 1662, chapter 6: 2315 * To enable this functionality, synchronous PPP 2316 * implementations MUST always respond to the 2317 * Async-Control-Character-Map Configuration 2318 * Option with the LCP Configure-Ack. However, 2319 * acceptance of the Configuration Option does 2320 * not imply that the synchronous implementation 2321 * will do any ACCM mapping. Instead, all such 2322 * octet mapping will be performed by the 2323 * asynchronous-to-synchronous converter. 2324 */ 2325 continue; 2326 2327 case LCP_OPT_MRU: 2328 /* 2329 * Maximum receive unit. Always agreeable, 2330 * but ignored by now. 2331 */ 2332 sp->lcp.their_mru = p[2] * 256 + p[3]; 2333 if (debug) 2334 log(-1, "%lu ", sp->lcp.their_mru); 2335 continue; 2336 2337 case LCP_OPT_AUTH_PROTO: 2338 authproto = (p[2] << 8) + p[3]; 2339 if (sp->myauth.proto != authproto) { 2340 /* not agreed, nak */ 2341 if (debug) 2342 log(-1, "[mine %s != his %s] ", 2343 sppp_proto_name(sp->hisauth.proto), 2344 sppp_proto_name(authproto)); 2345 p[2] = sp->myauth.proto >> 8; 2346 p[3] = sp->myauth.proto; 2347 break; 2348 } 2349 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2350 if (debug) 2351 log(-1, "[chap not MD5] "); 2352 p[4] = CHAP_MD5; 2353 break; 2354 } 2355 continue; 2356 } 2357 /* Add the option to nak'ed list. */ 2358 bcopy (p, r, p[1]); 2359 r += p[1]; 2360 rlen += p[1]; 2361 } 2362 if (rlen) { 2363 /* 2364 * Local and remote magics equal -- loopback? 2365 */ 2366 if (sp->pp_loopcnt >= MAXALIVECNT*5) { 2367 if (sp->pp_loopcnt == MAXALIVECNT*5) 2368 kprintf (SPP_FMT "loopback\n", 2369 SPP_ARGS(ifp)); 2370 if (ifp->if_flags & IFF_UP) { 2371 if_down(ifp); 2372 IF_DRAIN(&sp->pp_cpq); 2373 /* XXX ? */ 2374 lcp.Down(sp); 2375 lcp.Up(sp); 2376 } 2377 } else if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2378 if (debug) 2379 log(-1, " max_failure (%d) exceeded, " 2380 "send conf-rej\n", 2381 sp->lcp.max_failure); 2382 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2383 } else { 2384 if (debug) 2385 log(-1, " send conf-nak\n"); 2386 sppp_cp_send (sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2387 } 2388 } else { 2389 if (debug) 2390 log(-1, " send conf-ack\n"); 2391 sp->fail_counter[IDX_LCP] = 0; 2392 sp->pp_loopcnt = 0; 2393 sppp_cp_send (sp, PPP_LCP, CONF_ACK, 2394 h->ident, origlen, h+1); 2395 } 2396 2397 kfree (buf, M_TEMP); 2398 return (rlen == 0); 2399 2400 drop: 2401 kfree(buf, M_TEMP); 2402 return (-1); 2403 } 2404 2405 /* 2406 * Analyze the LCP Configure-Reject option list, and adjust our 2407 * negotiation. 2408 */ 2409 static void 2410 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2411 { 2412 STDDCL; 2413 u_char *buf, *p; 2414 2415 len -= 4; 2416 buf = kmalloc (len, M_TEMP, M_INTWAIT); 2417 2418 if (debug) 2419 log(LOG_DEBUG, SPP_FMT "lcp rej opts: ", 2420 SPP_ARGS(ifp)); 2421 2422 p = (void*) (h+1); 2423 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2424 /* Sanity check option length */ 2425 if (p[1] > len) { 2426 /* 2427 * Malicious option - drop immediately. 2428 * XXX Maybe we should just RXJ it? 2429 */ 2430 log(-1, "%s: received malicious LCP option, " 2431 "dropping.\n", ifp->if_xname); 2432 goto drop; 2433 } 2434 if (debug) 2435 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2436 switch (*p) { 2437 case LCP_OPT_MAGIC: 2438 /* Magic number -- can't use it, use 0 */ 2439 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2440 sp->lcp.magic = 0; 2441 break; 2442 case LCP_OPT_MRU: 2443 /* 2444 * Should not be rejected anyway, since we only 2445 * negotiate a MRU if explicitly requested by 2446 * peer. 2447 */ 2448 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2449 break; 2450 case LCP_OPT_AUTH_PROTO: 2451 /* 2452 * Peer doesn't want to authenticate himself, 2453 * deny unless this is a dialout call, and 2454 * AUTHFLAG_NOCALLOUT is set. 2455 */ 2456 if ((sp->pp_flags & PP_CALLIN) == 0 && 2457 (sp->hisauth.flags & AUTHFLAG_NOCALLOUT) != 0) { 2458 if (debug) 2459 log(-1, "[don't insist on auth " 2460 "for callout]"); 2461 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2462 break; 2463 } 2464 if (debug) 2465 log(-1, "[access denied]\n"); 2466 lcp.Close(sp); 2467 break; 2468 } 2469 } 2470 if (debug) 2471 log(-1, "\n"); 2472 drop: 2473 kfree (buf, M_TEMP); 2474 return; 2475 } 2476 2477 /* 2478 * Analyze the LCP Configure-NAK option list, and adjust our 2479 * negotiation. 2480 */ 2481 static void 2482 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2483 { 2484 STDDCL; 2485 u_char *buf, *p; 2486 u_long magic; 2487 2488 len -= 4; 2489 buf = kmalloc (len, M_TEMP, M_INTWAIT); 2490 2491 if (debug) 2492 log(LOG_DEBUG, SPP_FMT "lcp nak opts: ", 2493 SPP_ARGS(ifp)); 2494 2495 p = (void*) (h+1); 2496 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2497 /* Sanity check option length */ 2498 if (p[1] > len) { 2499 /* 2500 * Malicious option - drop immediately. 2501 * XXX Maybe we should just RXJ it? 2502 */ 2503 log(-1, "%s: received malicious LCP option, " 2504 "dropping.\n", ifp->if_xname); 2505 goto drop; 2506 } 2507 if (debug) 2508 log(-1, " %s ", sppp_lcp_opt_name(*p)); 2509 switch (*p) { 2510 case LCP_OPT_MAGIC: 2511 /* Magic number -- renegotiate */ 2512 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2513 len >= 6 && p[1] == 6) { 2514 magic = (u_long)p[2] << 24 | 2515 (u_long)p[3] << 16 | p[4] << 8 | p[5]; 2516 /* 2517 * If the remote magic is our negated one, 2518 * this looks like a loopback problem. 2519 * Suggest a new magic to make sure. 2520 */ 2521 if (magic == ~sp->lcp.magic) { 2522 if (debug) 2523 log(-1, "magic glitch "); 2524 sp->lcp.magic = krandom(); 2525 } else { 2526 sp->lcp.magic = magic; 2527 if (debug) 2528 log(-1, "%lu ", magic); 2529 } 2530 } 2531 break; 2532 case LCP_OPT_MRU: 2533 /* 2534 * Peer wants to advise us to negotiate an MRU. 2535 * Agree on it if it's reasonable, or use 2536 * default otherwise. 2537 */ 2538 if (len >= 4 && p[1] == 4) { 2539 u_int mru = p[2] * 256 + p[3]; 2540 if (debug) 2541 log(-1, "%d ", mru); 2542 if (mru < PP_MTU || mru > PP_MAX_MRU) 2543 mru = PP_MTU; 2544 sp->lcp.mru = mru; 2545 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2546 } 2547 break; 2548 case LCP_OPT_AUTH_PROTO: 2549 /* 2550 * Peer doesn't like our authentication method, 2551 * deny. 2552 */ 2553 if (debug) 2554 log(-1, "[access denied]\n"); 2555 lcp.Close(sp); 2556 break; 2557 } 2558 } 2559 if (debug) 2560 log(-1, "\n"); 2561 drop: 2562 kfree (buf, M_TEMP); 2563 return; 2564 } 2565 2566 static void 2567 sppp_lcp_tlu(struct sppp *sp) 2568 { 2569 STDDCL; 2570 int i; 2571 u_long mask; 2572 2573 /* XXX ? */ 2574 if (! (ifp->if_flags & IFF_UP) && 2575 (ifp->if_flags & IFF_RUNNING)) { 2576 /* Coming out of loopback mode. */ 2577 if_up(ifp); 2578 kprintf (SPP_FMT "up\n", SPP_ARGS(ifp)); 2579 } 2580 2581 for (i = 0; i < IDX_COUNT; i++) 2582 if ((cps[i])->flags & CP_QUAL) 2583 (cps[i])->Open(sp); 2584 2585 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2586 (sp->pp_flags & PP_NEEDAUTH) != 0) 2587 sp->pp_phase = PHASE_AUTHENTICATE; 2588 else 2589 sp->pp_phase = PHASE_NETWORK; 2590 2591 if (debug) 2592 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2593 sppp_phase_name(sp->pp_phase)); 2594 2595 /* 2596 * Open all authentication protocols. This is even required 2597 * if we already proceeded to network phase, since it might be 2598 * that remote wants us to authenticate, so we might have to 2599 * send a PAP request. Undesired authentication protocols 2600 * don't do anything when they get an Open event. 2601 */ 2602 for (i = 0; i < IDX_COUNT; i++) 2603 if ((cps[i])->flags & CP_AUTH) 2604 (cps[i])->Open(sp); 2605 2606 if (sp->pp_phase == PHASE_NETWORK) { 2607 /* Notify all NCPs. */ 2608 for (i = 0; i < IDX_COUNT; i++) 2609 if (((cps[i])->flags & CP_NCP) && 2610 /* 2611 * XXX 2612 * Hack to administratively disable IPv6 if 2613 * not desired. Perhaps we should have another 2614 * flag for this, but right now, we can make 2615 * all struct cp's read/only. 2616 */ 2617 (cps[i] != &ipv6cp || 2618 (sp->confflags & CONF_ENABLE_IPV6))) 2619 (cps[i])->Open(sp); 2620 } 2621 2622 /* Send Up events to all started protos. */ 2623 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2624 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) 2625 (cps[i])->Up(sp); 2626 2627 /* notify low-level driver of state change */ 2628 if (sp->pp_chg) 2629 sp->pp_chg(sp, (int)sp->pp_phase); 2630 2631 if (sp->pp_phase == PHASE_NETWORK) 2632 /* if no NCP is starting, close down */ 2633 sppp_lcp_check_and_close(sp); 2634 } 2635 2636 static void 2637 sppp_lcp_tld(struct sppp *sp) 2638 { 2639 STDDCL; 2640 int i; 2641 u_long mask; 2642 2643 sp->pp_phase = PHASE_TERMINATE; 2644 2645 if (debug) 2646 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2647 sppp_phase_name(sp->pp_phase)); 2648 2649 /* 2650 * Take upper layers down. We send the Down event first and 2651 * the Close second to prevent the upper layers from sending 2652 * ``a flurry of terminate-request packets'', as the RFC 2653 * describes it. 2654 */ 2655 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2656 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2657 (cps[i])->Down(sp); 2658 (cps[i])->Close(sp); 2659 } 2660 } 2661 2662 static void 2663 sppp_lcp_tls(struct sppp *sp) 2664 { 2665 STDDCL; 2666 2667 sp->pp_phase = PHASE_ESTABLISH; 2668 2669 if (debug) 2670 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2671 sppp_phase_name(sp->pp_phase)); 2672 2673 /* Notify lower layer if desired. */ 2674 if (sp->pp_tls) 2675 (sp->pp_tls)(sp); 2676 else 2677 (sp->pp_up)(sp); 2678 } 2679 2680 static void 2681 sppp_lcp_tlf(struct sppp *sp) 2682 { 2683 STDDCL; 2684 2685 sp->pp_phase = PHASE_DEAD; 2686 if (debug) 2687 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 2688 sppp_phase_name(sp->pp_phase)); 2689 2690 /* Notify lower layer if desired. */ 2691 if (sp->pp_tlf) 2692 (sp->pp_tlf)(sp); 2693 else 2694 (sp->pp_down)(sp); 2695 } 2696 2697 static void 2698 sppp_lcp_scr(struct sppp *sp) 2699 { 2700 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2701 int i = 0; 2702 u_short authproto; 2703 2704 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2705 if (! sp->lcp.magic) 2706 sp->lcp.magic = krandom(); 2707 opt[i++] = LCP_OPT_MAGIC; 2708 opt[i++] = 6; 2709 opt[i++] = sp->lcp.magic >> 24; 2710 opt[i++] = sp->lcp.magic >> 16; 2711 opt[i++] = sp->lcp.magic >> 8; 2712 opt[i++] = sp->lcp.magic; 2713 } 2714 2715 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2716 opt[i++] = LCP_OPT_MRU; 2717 opt[i++] = 4; 2718 opt[i++] = sp->lcp.mru >> 8; 2719 opt[i++] = sp->lcp.mru; 2720 } 2721 2722 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2723 authproto = sp->hisauth.proto; 2724 opt[i++] = LCP_OPT_AUTH_PROTO; 2725 opt[i++] = authproto == PPP_CHAP? 5: 4; 2726 opt[i++] = authproto >> 8; 2727 opt[i++] = authproto; 2728 if (authproto == PPP_CHAP) 2729 opt[i++] = CHAP_MD5; 2730 } 2731 2732 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2733 sppp_cp_send (sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2734 } 2735 2736 /* 2737 * Check the open NCPs, return true if at least one NCP is open. 2738 */ 2739 static int 2740 sppp_ncp_check(struct sppp *sp) 2741 { 2742 int i, mask; 2743 2744 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2745 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2746 return 1; 2747 return 0; 2748 } 2749 2750 /* 2751 * Re-check the open NCPs and see if we should terminate the link. 2752 * Called by the NCPs during their tlf action handling. 2753 */ 2754 static void 2755 sppp_lcp_check_and_close(struct sppp *sp) 2756 { 2757 2758 if (sp->pp_phase < PHASE_NETWORK) 2759 /* don't bother, we are already going down */ 2760 return; 2761 2762 if (sppp_ncp_check(sp)) 2763 return; 2764 2765 lcp.Close(sp); 2766 } 2767 2768 /* 2769 *--------------------------------------------------------------------------* 2770 * * 2771 * The IPCP implementation. * 2772 * * 2773 *--------------------------------------------------------------------------* 2774 */ 2775 2776 static void 2777 sppp_ipcp_init(struct sppp *sp) 2778 { 2779 sp->ipcp.opts = 0; 2780 sp->ipcp.flags = 0; 2781 sp->state[IDX_IPCP] = STATE_INITIAL; 2782 sp->fail_counter[IDX_IPCP] = 0; 2783 sp->pp_seq[IDX_IPCP] = 0; 2784 sp->pp_rseq[IDX_IPCP] = 0; 2785 callout_init(&sp->timeout[IDX_IPCP]); 2786 } 2787 2788 static void 2789 sppp_ipcp_up(struct sppp *sp) 2790 { 2791 sppp_up_event(&ipcp, sp); 2792 } 2793 2794 static void 2795 sppp_ipcp_down(struct sppp *sp) 2796 { 2797 sppp_down_event(&ipcp, sp); 2798 } 2799 2800 static void 2801 sppp_ipcp_open(struct sppp *sp) 2802 { 2803 STDDCL; 2804 u_long myaddr, hisaddr; 2805 2806 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN | IPCP_MYADDR_SEEN | 2807 IPCP_MYADDR_DYN | IPCP_VJ); 2808 sp->ipcp.opts = 0; 2809 2810 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 2811 /* 2812 * If we don't have his address, this probably means our 2813 * interface doesn't want to talk IP at all. (This could 2814 * be the case if somebody wants to speak only IPX, for 2815 * example.) Don't open IPCP in this case. 2816 */ 2817 if (hisaddr == 0L) { 2818 /* XXX this message should go away */ 2819 if (debug) 2820 log(LOG_DEBUG, SPP_FMT "ipcp_open(): no IP interface\n", 2821 SPP_ARGS(ifp)); 2822 return; 2823 } 2824 if (myaddr == 0L) { 2825 /* 2826 * I don't have an assigned address, so i need to 2827 * negotiate my address. 2828 */ 2829 sp->ipcp.flags |= IPCP_MYADDR_DYN; 2830 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 2831 } else 2832 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 2833 if (sp->confflags & CONF_ENABLE_VJ) { 2834 sp->ipcp.opts |= (1 << IPCP_OPT_COMPRESSION); 2835 sp->ipcp.max_state = MAX_STATES - 1; 2836 sp->ipcp.compress_cid = 1; 2837 } 2838 sppp_open_event(&ipcp, sp); 2839 } 2840 2841 static void 2842 sppp_ipcp_close(struct sppp *sp) 2843 { 2844 sppp_close_event(&ipcp, sp); 2845 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 2846 /* 2847 * My address was dynamic, clear it again. 2848 */ 2849 sppp_set_ip_addr(sp, 0L); 2850 } 2851 2852 static void 2853 sppp_ipcp_TO(void *cookie) 2854 { 2855 sppp_to_event(&ipcp, (struct sppp *)cookie); 2856 } 2857 2858 /* 2859 * Analyze a configure request. Return true if it was agreeable, and 2860 * caused action sca, false if it has been rejected or nak'ed, and 2861 * caused action scn. (The return value is used to make the state 2862 * transition decision in the state automaton.) 2863 */ 2864 static int 2865 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2866 { 2867 u_char *buf, *r, *p; 2868 struct ifnet *ifp = &sp->pp_if; 2869 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 2870 u_long hisaddr, desiredaddr; 2871 int gotmyaddr = 0; 2872 int desiredcomp; 2873 2874 len -= 4; 2875 origlen = len; 2876 /* 2877 * Make sure to allocate a buf that can at least hold a 2878 * conf-nak with an `address' option. We might need it below. 2879 */ 2880 buf = r = kmalloc ((len < 6? 6: len), M_TEMP, M_INTWAIT); 2881 2882 /* pass 1: see if we can recognize them */ 2883 if (debug) 2884 log(LOG_DEBUG, SPP_FMT "ipcp parse opts: ", 2885 SPP_ARGS(ifp)); 2886 p = (void*) (h+1); 2887 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2888 /* Sanity check option length */ 2889 if (p[1] > len) { 2890 /* XXX should we just RXJ? */ 2891 log(-1, "%s: malicious IPCP option received, dropping\n", 2892 ifp->if_xname); 2893 goto drop; 2894 } 2895 if (debug) 2896 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 2897 switch (*p) { 2898 case IPCP_OPT_COMPRESSION: 2899 if (!(sp->confflags & CONF_ENABLE_VJ)) { 2900 /* VJ compression administratively disabled */ 2901 if (debug) 2902 log(-1, "[locally disabled] "); 2903 break; 2904 } 2905 /* 2906 * In theory, we should only conf-rej an 2907 * option that is shorter than RFC 1618 2908 * requires (i.e. < 4), and should conf-nak 2909 * anything else that is not VJ. However, 2910 * since our algorithm always uses the 2911 * original option to NAK it with new values, 2912 * things would become more complicated. In 2913 * pratice, the only commonly implemented IP 2914 * compression option is VJ anyway, so the 2915 * difference is negligible. 2916 */ 2917 if (len >= 6 && p[1] == 6) { 2918 /* 2919 * correctly formed compression option 2920 * that could be VJ compression 2921 */ 2922 continue; 2923 } 2924 if (debug) 2925 log(-1, "optlen %d [invalid/unsupported] ", 2926 p[1]); 2927 break; 2928 case IPCP_OPT_ADDRESS: 2929 if (len >= 6 && p[1] == 6) { 2930 /* correctly formed address option */ 2931 continue; 2932 } 2933 if (debug) 2934 log(-1, "[invalid] "); 2935 break; 2936 default: 2937 /* Others not supported. */ 2938 if (debug) 2939 log(-1, "[rej] "); 2940 break; 2941 } 2942 /* Add the option to rejected list. */ 2943 bcopy (p, r, p[1]); 2944 r += p[1]; 2945 rlen += p[1]; 2946 } 2947 if (rlen) { 2948 if (debug) 2949 log(-1, " send conf-rej\n"); 2950 sppp_cp_send (sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 2951 return 0; 2952 } else if (debug) 2953 log(-1, "\n"); 2954 2955 /* pass 2: parse option values */ 2956 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); 2957 if (debug) 2958 log(LOG_DEBUG, SPP_FMT "ipcp parse opt values: ", 2959 SPP_ARGS(ifp)); 2960 p = (void*) (h+1); 2961 len = origlen; 2962 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2963 if (debug) 2964 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 2965 switch (*p) { 2966 case IPCP_OPT_COMPRESSION: 2967 desiredcomp = p[2] << 8 | p[3]; 2968 /* We only support VJ */ 2969 if (desiredcomp == IPCP_COMP_VJ) { 2970 if (debug) 2971 log(-1, "VJ [ack] "); 2972 sp->ipcp.flags |= IPCP_VJ; 2973 sl_compress_init(sp->pp_comp, p[4]); 2974 sp->ipcp.max_state = p[4]; 2975 sp->ipcp.compress_cid = p[5]; 2976 continue; 2977 } 2978 if (debug) 2979 log(-1, "compproto %#04x [not supported] ", 2980 desiredcomp); 2981 p[2] = IPCP_COMP_VJ >> 8; 2982 p[3] = IPCP_COMP_VJ; 2983 p[4] = sp->ipcp.max_state; 2984 p[5] = sp->ipcp.compress_cid; 2985 break; 2986 case IPCP_OPT_ADDRESS: 2987 /* This is the address he wants in his end */ 2988 desiredaddr = p[2] << 24 | p[3] << 16 | 2989 p[4] << 8 | p[5]; 2990 if (desiredaddr == hisaddr || 2991 (hisaddr >= 1 && hisaddr <= 254 && desiredaddr != 0)) { 2992 /* 2993 * Peer's address is same as our value, 2994 * or we have set it to 0.0.0.* to 2995 * indicate that we do not really care, 2996 * this is agreeable. Gonna conf-ack 2997 * it. 2998 */ 2999 if (debug) 3000 log(-1, "%s [ack] ", 3001 sppp_dotted_quad(hisaddr)); 3002 /* record that we've seen it already */ 3003 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 3004 continue; 3005 } 3006 /* 3007 * The address wasn't agreeable. This is either 3008 * he sent us 0.0.0.0, asking to assign him an 3009 * address, or he send us another address not 3010 * matching our value. Either case, we gonna 3011 * conf-nak it with our value. 3012 * XXX: we should "rej" if hisaddr == 0 3013 */ 3014 if (debug) { 3015 if (desiredaddr == 0) 3016 log(-1, "[addr requested] "); 3017 else 3018 log(-1, "%s [not agreed] ", 3019 sppp_dotted_quad(desiredaddr)); 3020 3021 } 3022 p[2] = hisaddr >> 24; 3023 p[3] = hisaddr >> 16; 3024 p[4] = hisaddr >> 8; 3025 p[5] = hisaddr; 3026 break; 3027 } 3028 /* Add the option to nak'ed list. */ 3029 bcopy (p, r, p[1]); 3030 r += p[1]; 3031 rlen += p[1]; 3032 } 3033 3034 /* 3035 * If we are about to conf-ack the request, but haven't seen 3036 * his address so far, gonna conf-nak it instead, with the 3037 * `address' option present and our idea of his address being 3038 * filled in there, to request negotiation of both addresses. 3039 * 3040 * XXX This can result in an endless req - nak loop if peer 3041 * doesn't want to send us his address. Q: What should we do 3042 * about it? XXX A: implement the max-failure counter. 3043 */ 3044 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN) && !gotmyaddr) { 3045 buf[0] = IPCP_OPT_ADDRESS; 3046 buf[1] = 6; 3047 buf[2] = hisaddr >> 24; 3048 buf[3] = hisaddr >> 16; 3049 buf[4] = hisaddr >> 8; 3050 buf[5] = hisaddr; 3051 rlen = 6; 3052 if (debug) 3053 log(-1, "still need hisaddr "); 3054 } 3055 3056 if (rlen) { 3057 if (debug) 3058 log(-1, " send conf-nak\n"); 3059 sppp_cp_send (sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3060 } else { 3061 if (debug) 3062 log(-1, " send conf-ack\n"); 3063 sppp_cp_send (sp, PPP_IPCP, CONF_ACK, 3064 h->ident, origlen, h+1); 3065 } 3066 3067 kfree (buf, M_TEMP); 3068 return (rlen == 0); 3069 3070 drop: 3071 kfree(buf, M_TEMP); 3072 return (-1); 3073 } 3074 3075 /* 3076 * Analyze the IPCP Configure-Reject option list, and adjust our 3077 * negotiation. 3078 */ 3079 static void 3080 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3081 { 3082 u_char *buf, *p; 3083 struct ifnet *ifp = &sp->pp_if; 3084 int debug = ifp->if_flags & IFF_DEBUG; 3085 3086 len -= 4; 3087 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3088 3089 if (debug) 3090 log(LOG_DEBUG, SPP_FMT "ipcp rej opts: ", 3091 SPP_ARGS(ifp)); 3092 3093 p = (void*) (h+1); 3094 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3095 /* Sanity check option length */ 3096 if (p[1] > len) { 3097 /* XXX should we just RXJ? */ 3098 log(-1, "%s: malicious IPCP option received, dropping\n", 3099 ifp->if_xname); 3100 goto drop; 3101 } 3102 if (debug) 3103 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3104 switch (*p) { 3105 case IPCP_OPT_COMPRESSION: 3106 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESSION); 3107 break; 3108 case IPCP_OPT_ADDRESS: 3109 /* 3110 * Peer doesn't grok address option. This is 3111 * bad. XXX Should we better give up here? 3112 * XXX We could try old "addresses" option... 3113 */ 3114 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3115 break; 3116 } 3117 } 3118 if (debug) 3119 log(-1, "\n"); 3120 drop: 3121 kfree (buf, M_TEMP); 3122 return; 3123 } 3124 3125 /* 3126 * Analyze the IPCP Configure-NAK option list, and adjust our 3127 * negotiation. 3128 */ 3129 static void 3130 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3131 { 3132 u_char *buf, *p; 3133 struct ifnet *ifp = &sp->pp_if; 3134 int debug = ifp->if_flags & IFF_DEBUG; 3135 int desiredcomp; 3136 u_long wantaddr; 3137 3138 len -= 4; 3139 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3140 3141 if (debug) 3142 log(LOG_DEBUG, SPP_FMT "ipcp nak opts: ", 3143 SPP_ARGS(ifp)); 3144 3145 p = (void*) (h+1); 3146 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3147 /* Sanity check option length */ 3148 if (p[1] > len) { 3149 /* XXX should we just RXJ? */ 3150 log(-1, "%s: malicious IPCP option received, dropping\n", 3151 ifp->if_xname); 3152 return; 3153 } 3154 if (debug) 3155 log(-1, " %s ", sppp_ipcp_opt_name(*p)); 3156 switch (*p) { 3157 case IPCP_OPT_COMPRESSION: 3158 if (len >= 6 && p[1] == 6) { 3159 desiredcomp = p[2] << 8 | p[3]; 3160 if (debug) 3161 log(-1, "[wantcomp %#04x] ", 3162 desiredcomp); 3163 if (desiredcomp == IPCP_COMP_VJ) { 3164 sl_compress_init(sp->pp_comp, p[4]); 3165 sp->ipcp.max_state = p[4]; 3166 sp->ipcp.compress_cid = p[5]; 3167 if (debug) 3168 log(-1, "[agree] "); 3169 } else 3170 sp->ipcp.opts &= 3171 ~(1 << IPCP_OPT_COMPRESSION); 3172 } 3173 break; 3174 case IPCP_OPT_ADDRESS: 3175 /* 3176 * Peer doesn't like our local IP address. See 3177 * if we can do something for him. We'll drop 3178 * him our address then. 3179 */ 3180 if (len >= 6 && p[1] == 6) { 3181 wantaddr = p[2] << 24 | p[3] << 16 | 3182 p[4] << 8 | p[5]; 3183 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3184 if (debug) 3185 log(-1, "[wantaddr %s] ", 3186 sppp_dotted_quad(wantaddr)); 3187 /* 3188 * When doing dynamic address assignment, 3189 * we accept his offer. Otherwise, we 3190 * ignore it and thus continue to negotiate 3191 * our already existing value. 3192 * XXX: Bogus, if he said no once, he'll 3193 * just say no again, might as well die. 3194 */ 3195 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3196 sppp_set_ip_addr(sp, wantaddr); 3197 if (debug) 3198 log(-1, "[agree] "); 3199 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3200 } 3201 } 3202 break; 3203 } 3204 } 3205 if (debug) 3206 log(-1, "\n"); 3207 kfree (buf, M_TEMP); 3208 return; 3209 } 3210 3211 static void 3212 sppp_ipcp_tlu(struct sppp *sp) 3213 { 3214 /* we are up - notify isdn daemon */ 3215 if (sp->pp_con) 3216 sp->pp_con(sp); 3217 } 3218 3219 static void 3220 sppp_ipcp_tld(struct sppp *sp) 3221 { 3222 } 3223 3224 static void 3225 sppp_ipcp_tls(struct sppp *sp) 3226 { 3227 /* indicate to LCP that it must stay alive */ 3228 sp->lcp.protos |= (1 << IDX_IPCP); 3229 } 3230 3231 static void 3232 sppp_ipcp_tlf(struct sppp *sp) 3233 { 3234 /* we no longer need LCP */ 3235 sp->lcp.protos &= ~(1 << IDX_IPCP); 3236 sppp_lcp_check_and_close(sp); 3237 } 3238 3239 static void 3240 sppp_ipcp_scr(struct sppp *sp) 3241 { 3242 char opt[6 /* compression */ + 6 /* address */]; 3243 u_long ouraddr; 3244 int i = 0; 3245 3246 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3247 opt[i++] = IPCP_OPT_COMPRESSION; 3248 opt[i++] = 6; 3249 opt[i++] = IPCP_COMP_VJ >> 8; 3250 opt[i++] = IPCP_COMP_VJ; 3251 opt[i++] = sp->ipcp.max_state; 3252 opt[i++] = sp->ipcp.compress_cid; 3253 } 3254 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3255 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3256 opt[i++] = IPCP_OPT_ADDRESS; 3257 opt[i++] = 6; 3258 opt[i++] = ouraddr >> 24; 3259 opt[i++] = ouraddr >> 16; 3260 opt[i++] = ouraddr >> 8; 3261 opt[i++] = ouraddr; 3262 } 3263 3264 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3265 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3266 } 3267 3268 /* 3269 *--------------------------------------------------------------------------* 3270 * * 3271 * The IPv6CP implementation. * 3272 * * 3273 *--------------------------------------------------------------------------* 3274 */ 3275 3276 #ifdef INET6 3277 static void 3278 sppp_ipv6cp_init(struct sppp *sp) 3279 { 3280 sp->ipv6cp.opts = 0; 3281 sp->ipv6cp.flags = 0; 3282 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3283 sp->fail_counter[IDX_IPV6CP] = 0; 3284 sp->pp_seq[IDX_IPV6CP] = 0; 3285 sp->pp_rseq[IDX_IPV6CP] = 0; 3286 callout_init(&sp->timeout[IDX_IPV6CP]); 3287 } 3288 3289 static void 3290 sppp_ipv6cp_up(struct sppp *sp) 3291 { 3292 sppp_up_event(&ipv6cp, sp); 3293 } 3294 3295 static void 3296 sppp_ipv6cp_down(struct sppp *sp) 3297 { 3298 sppp_down_event(&ipv6cp, sp); 3299 } 3300 3301 static void 3302 sppp_ipv6cp_open(struct sppp *sp) 3303 { 3304 STDDCL; 3305 struct in6_addr myaddr, hisaddr; 3306 3307 #ifdef IPV6CP_MYIFID_DYN 3308 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3309 #else 3310 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3311 #endif 3312 3313 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3314 /* 3315 * If we don't have our address, this probably means our 3316 * interface doesn't want to talk IPv6 at all. (This could 3317 * be the case if somebody wants to speak only IPX, for 3318 * example.) Don't open IPv6CP in this case. 3319 */ 3320 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3321 /* XXX this message should go away */ 3322 if (debug) 3323 log(LOG_DEBUG, SPP_FMT "ipv6cp_open(): no IPv6 interface\n", 3324 SPP_ARGS(ifp)); 3325 return; 3326 } 3327 3328 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3329 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3330 sppp_open_event(&ipv6cp, sp); 3331 } 3332 3333 static void 3334 sppp_ipv6cp_close(struct sppp *sp) 3335 { 3336 sppp_close_event(&ipv6cp, sp); 3337 } 3338 3339 static void 3340 sppp_ipv6cp_TO(void *cookie) 3341 { 3342 sppp_to_event(&ipv6cp, (struct sppp *)cookie); 3343 } 3344 3345 /* 3346 * Analyze a configure request. Return true if it was agreeable, and 3347 * caused action sca, false if it has been rejected or nak'ed, and 3348 * caused action scn. (The return value is used to make the state 3349 * transition decision in the state automaton.) 3350 */ 3351 static int 3352 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3353 { 3354 u_char *buf, *r, *p; 3355 struct ifnet *ifp = &sp->pp_if; 3356 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3357 struct in6_addr myaddr, desiredaddr, suggestaddr; 3358 int ifidcount; 3359 int type; 3360 int collision, nohisaddr; 3361 3362 len -= 4; 3363 origlen = len; 3364 /* 3365 * Make sure to allocate a buf that can at least hold a 3366 * conf-nak with an `address' option. We might need it below. 3367 */ 3368 buf = r = kmalloc ((len < 6? 6: len), M_TEMP, M_INTWAIT); 3369 3370 /* pass 1: see if we can recognize them */ 3371 if (debug) 3372 log(LOG_DEBUG, SPP_FMT "ipv6cp parse opts:", 3373 SPP_ARGS(ifp)); 3374 p = (void*) (h+1); 3375 ifidcount = 0; 3376 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3377 /* Sanity check option length */ 3378 if (p[1] > len) { 3379 /* XXX just RXJ? */ 3380 log(-1, "%s: received malicious IPCPv6 option, " 3381 "dropping\n", ifp->if_xname); 3382 goto drop; 3383 } 3384 if (debug) 3385 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3386 switch (*p) { 3387 case IPV6CP_OPT_IFID: 3388 if (len >= 10 && p[1] == 10 && ifidcount == 0) { 3389 /* correctly formed address option */ 3390 ifidcount++; 3391 continue; 3392 } 3393 if (debug) 3394 log(-1, " [invalid]"); 3395 break; 3396 #ifdef notyet 3397 case IPV6CP_OPT_COMPRESSION: 3398 if (len >= 4 && p[1] >= 4) { 3399 /* correctly formed compress option */ 3400 continue; 3401 } 3402 if (debug) 3403 log(-1, " [invalid]"); 3404 break; 3405 #endif 3406 default: 3407 /* Others not supported. */ 3408 if (debug) 3409 log(-1, " [rej]"); 3410 break; 3411 } 3412 /* Add the option to rejected list. */ 3413 bcopy (p, r, p[1]); 3414 r += p[1]; 3415 rlen += p[1]; 3416 } 3417 if (rlen) { 3418 if (debug) 3419 log(-1, " send conf-rej\n"); 3420 sppp_cp_send (sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3421 goto end; 3422 } else if (debug) 3423 log(-1, "\n"); 3424 3425 /* pass 2: parse option values */ 3426 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3427 if (debug) 3428 log(LOG_DEBUG, SPP_FMT "ipv6cp parse opt values: ", 3429 SPP_ARGS(ifp)); 3430 p = (void*) (h+1); 3431 len = origlen; 3432 type = CONF_ACK; 3433 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3434 if (debug) 3435 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3436 switch (*p) { 3437 #ifdef notyet 3438 case IPV6CP_OPT_COMPRESSION: 3439 continue; 3440 #endif 3441 case IPV6CP_OPT_IFID: 3442 bzero(&desiredaddr, sizeof(desiredaddr)); 3443 bcopy(&p[2], &desiredaddr.s6_addr[8], 8); 3444 collision = (bcmp(&desiredaddr.s6_addr[8], 3445 &myaddr.s6_addr[8], 8) == 0); 3446 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3447 3448 desiredaddr.s6_addr16[0] = htons(0xfe80); 3449 desiredaddr.s6_addr16[1] = htons(sp->pp_if.if_index); 3450 3451 if (!collision && !nohisaddr) { 3452 /* no collision, hisaddr known - Conf-Ack */ 3453 type = CONF_ACK; 3454 3455 if (debug) { 3456 log(-1, " %s [%s]", 3457 ip6_sprintf(&desiredaddr), 3458 sppp_cp_type_name(type)); 3459 } 3460 continue; 3461 } 3462 3463 bzero(&suggestaddr, sizeof(suggestaddr)); 3464 if (collision && nohisaddr) { 3465 /* collision, hisaddr unknown - Conf-Rej */ 3466 type = CONF_REJ; 3467 bzero(&p[2], 8); 3468 } else { 3469 /* 3470 * - no collision, hisaddr unknown, or 3471 * - collision, hisaddr known 3472 * Conf-Nak, suggest hisaddr 3473 */ 3474 type = CONF_NAK; 3475 sppp_suggest_ip6_addr(sp, &suggestaddr); 3476 bcopy(&suggestaddr.s6_addr[8], &p[2], 8); 3477 } 3478 if (debug) 3479 log(-1, " %s [%s]", ip6_sprintf(&desiredaddr), 3480 sppp_cp_type_name(type)); 3481 break; 3482 } 3483 /* Add the option to nak'ed list. */ 3484 bcopy (p, r, p[1]); 3485 r += p[1]; 3486 rlen += p[1]; 3487 } 3488 3489 if (rlen == 0 && type == CONF_ACK) { 3490 if (debug) 3491 log(-1, " send %s\n", sppp_cp_type_name(type)); 3492 sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, origlen, h+1); 3493 } else { 3494 #ifdef DIAGNOSTIC 3495 if (type == CONF_ACK) 3496 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3497 #endif 3498 3499 if (debug) { 3500 log(-1, " send %s suggest %s\n", 3501 sppp_cp_type_name(type), ip6_sprintf(&suggestaddr)); 3502 } 3503 sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3504 } 3505 3506 end: 3507 kfree (buf, M_TEMP); 3508 return (rlen == 0); 3509 3510 drop: 3511 kfree(buf, M_TEMP); 3512 return (-1); 3513 } 3514 3515 /* 3516 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3517 * negotiation. 3518 */ 3519 static void 3520 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3521 { 3522 u_char *buf, *p; 3523 struct ifnet *ifp = &sp->pp_if; 3524 int debug = ifp->if_flags & IFF_DEBUG; 3525 3526 len -= 4; 3527 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3528 3529 if (debug) 3530 log(LOG_DEBUG, SPP_FMT "ipv6cp rej opts:", 3531 SPP_ARGS(ifp)); 3532 3533 p = (void*) (h+1); 3534 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3535 if (p[1] > len) { 3536 /* XXX just RXJ? */ 3537 log(-1, "%s: received malicious IPCPv6 option, " 3538 "dropping\n", ifp->if_xname); 3539 goto drop; 3540 } 3541 if (debug) 3542 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3543 switch (*p) { 3544 case IPV6CP_OPT_IFID: 3545 /* 3546 * Peer doesn't grok address option. This is 3547 * bad. XXX Should we better give up here? 3548 */ 3549 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3550 break; 3551 #ifdef notyet 3552 case IPV6CP_OPT_COMPRESS: 3553 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3554 break; 3555 #endif 3556 } 3557 } 3558 if (debug) 3559 log(-1, "\n"); 3560 drop: 3561 kfree (buf, M_TEMP); 3562 return; 3563 } 3564 3565 /* 3566 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3567 * negotiation. 3568 */ 3569 static void 3570 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3571 { 3572 u_char *buf, *p; 3573 struct ifnet *ifp = &sp->pp_if; 3574 int debug = ifp->if_flags & IFF_DEBUG; 3575 struct in6_addr suggestaddr; 3576 3577 len -= 4; 3578 buf = kmalloc (len, M_TEMP, M_INTWAIT); 3579 3580 if (debug) 3581 log(LOG_DEBUG, SPP_FMT "ipv6cp nak opts:", 3582 SPP_ARGS(ifp)); 3583 3584 p = (void*) (h+1); 3585 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3586 if (p[1] > len) { 3587 /* XXX just RXJ? */ 3588 log(-1, "%s: received malicious IPCPv6 option, " 3589 "dropping\n", ifp->if_xname); 3590 goto drop; 3591 } 3592 if (debug) 3593 log(-1, " %s", sppp_ipv6cp_opt_name(*p)); 3594 switch (*p) { 3595 case IPV6CP_OPT_IFID: 3596 /* 3597 * Peer doesn't like our local ifid. See 3598 * if we can do something for him. We'll drop 3599 * him our address then. 3600 */ 3601 if (len < 10 || p[1] != 10) 3602 break; 3603 bzero(&suggestaddr, sizeof(suggestaddr)); 3604 suggestaddr.s6_addr16[0] = htons(0xfe80); 3605 suggestaddr.s6_addr16[1] = htons(sp->pp_if.if_index); 3606 bcopy(&p[2], &suggestaddr.s6_addr[8], 8); 3607 3608 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3609 if (debug) 3610 log(-1, " [suggestaddr %s]", 3611 ip6_sprintf(&suggestaddr)); 3612 #ifdef IPV6CP_MYIFID_DYN 3613 /* 3614 * When doing dynamic address assignment, 3615 * we accept his offer. 3616 */ 3617 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3618 struct in6_addr lastsuggest; 3619 /* 3620 * If <suggested myaddr from peer> equals to 3621 * <hisaddr we have suggested last time>, 3622 * we have a collision. generate new random 3623 * ifid. 3624 */ 3625 sppp_suggest_ip6_addr(&lastsuggest); 3626 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3627 lastsuggest)) { 3628 if (debug) 3629 log(-1, " [random]"); 3630 sppp_gen_ip6_addr(sp, &suggestaddr); 3631 } 3632 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3633 if (debug) 3634 log(-1, " [agree]"); 3635 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3636 } 3637 #else 3638 /* 3639 * Since we do not do dynamic address assignment, 3640 * we ignore it and thus continue to negotiate 3641 * our already existing value. This can possibly 3642 * go into infinite request-reject loop. 3643 * 3644 * This is not likely because we normally use 3645 * ifid based on MAC-address. 3646 * If you have no ethernet card on the node, too bad. 3647 * XXX should we use fail_counter? 3648 */ 3649 #endif 3650 break; 3651 #ifdef notyet 3652 case IPV6CP_OPT_COMPRESS: 3653 /* 3654 * Peer wants different compression parameters. 3655 */ 3656 break; 3657 #endif 3658 } 3659 } 3660 if (debug) 3661 log(-1, "\n"); 3662 drop: 3663 kfree (buf, M_TEMP); 3664 return; 3665 } 3666 static void 3667 sppp_ipv6cp_tlu(struct sppp *sp) 3668 { 3669 /* we are up - notify isdn daemon */ 3670 if (sp->pp_con) 3671 sp->pp_con(sp); 3672 } 3673 3674 static void 3675 sppp_ipv6cp_tld(struct sppp *sp) 3676 { 3677 } 3678 3679 static void 3680 sppp_ipv6cp_tls(struct sppp *sp) 3681 { 3682 /* indicate to LCP that it must stay alive */ 3683 sp->lcp.protos |= (1 << IDX_IPV6CP); 3684 } 3685 3686 static void 3687 sppp_ipv6cp_tlf(struct sppp *sp) 3688 { 3689 3690 #if 0 /* need #if 0 to close IPv6CP properly */ 3691 /* we no longer need LCP */ 3692 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3693 sppp_lcp_check_and_close(sp); 3694 #endif 3695 } 3696 3697 static void 3698 sppp_ipv6cp_scr(struct sppp *sp) 3699 { 3700 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3701 struct in6_addr ouraddr; 3702 int i = 0; 3703 3704 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3705 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3706 opt[i++] = IPV6CP_OPT_IFID; 3707 opt[i++] = 10; 3708 bcopy(&ouraddr.s6_addr[8], &opt[i], 8); 3709 i += 8; 3710 } 3711 3712 #ifdef notyet 3713 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 3714 opt[i++] = IPV6CP_OPT_COMPRESSION; 3715 opt[i++] = 4; 3716 opt[i++] = 0; /* TBD */ 3717 opt[i++] = 0; /* TBD */ 3718 /* variable length data may follow */ 3719 } 3720 #endif 3721 3722 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 3723 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 3724 } 3725 #else /*INET6*/ 3726 static void 3727 sppp_ipv6cp_init(struct sppp *sp) 3728 { 3729 } 3730 3731 static void 3732 sppp_ipv6cp_up(struct sppp *sp) 3733 { 3734 } 3735 3736 static void 3737 sppp_ipv6cp_down(struct sppp *sp) 3738 { 3739 } 3740 3741 3742 static void 3743 sppp_ipv6cp_open(struct sppp *sp) 3744 { 3745 } 3746 3747 static void 3748 sppp_ipv6cp_close(struct sppp *sp) 3749 { 3750 } 3751 3752 static void 3753 sppp_ipv6cp_TO(void *sp) 3754 { 3755 } 3756 3757 static int 3758 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3759 { 3760 return 0; 3761 } 3762 3763 static void 3764 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3765 { 3766 } 3767 3768 static void 3769 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3770 { 3771 } 3772 3773 static void 3774 sppp_ipv6cp_tlu(struct sppp *sp) 3775 { 3776 } 3777 3778 static void 3779 sppp_ipv6cp_tld(struct sppp *sp) 3780 { 3781 } 3782 3783 static void 3784 sppp_ipv6cp_tls(struct sppp *sp) 3785 { 3786 } 3787 3788 static void 3789 sppp_ipv6cp_tlf(struct sppp *sp) 3790 { 3791 } 3792 3793 static void 3794 sppp_ipv6cp_scr(struct sppp *sp) 3795 { 3796 } 3797 #endif /*INET6*/ 3798 3799 /* 3800 *--------------------------------------------------------------------------* 3801 * * 3802 * The CHAP implementation. * 3803 * * 3804 *--------------------------------------------------------------------------* 3805 */ 3806 3807 /* 3808 * The authentication protocols don't employ a full-fledged state machine as 3809 * the control protocols do, since they do have Open and Close events, but 3810 * not Up and Down, nor are they explicitly terminated. Also, use of the 3811 * authentication protocols may be different in both directions (this makes 3812 * sense, think of a machine that never accepts incoming calls but only 3813 * calls out, it doesn't require the called party to authenticate itself). 3814 * 3815 * Our state machine for the local authentication protocol (we are requesting 3816 * the peer to authenticate) looks like: 3817 * 3818 * RCA- 3819 * +--------------------------------------------+ 3820 * V scn,tld| 3821 * +--------+ Close +---------+ RCA+ 3822 * | |<----------------------------------| |------+ 3823 * +--->| Closed | TO* | Opened | sca | 3824 * | | |-----+ +-------| |<-----+ 3825 * | +--------+ irc | | +---------+ 3826 * | ^ | | ^ 3827 * | | | | | 3828 * | | | | | 3829 * | TO-| | | | 3830 * | |tld TO+ V | | 3831 * | | +------->+ | | 3832 * | | | | | | 3833 * | +--------+ V | | 3834 * | | |<----+<--------------------+ | 3835 * | | Req- | scr | 3836 * | | Sent | | 3837 * | | | | 3838 * | +--------+ | 3839 * | RCA- | | RCA+ | 3840 * +------+ +------------------------------------------+ 3841 * scn,tld sca,irc,ict,tlu 3842 * 3843 * 3844 * with: 3845 * 3846 * Open: LCP reached authentication phase 3847 * Close: LCP reached terminate phase 3848 * 3849 * RCA+: received reply (pap-req, chap-response), acceptable 3850 * RCN: received reply (pap-req, chap-response), not acceptable 3851 * TO+: timeout with restart counter >= 0 3852 * TO-: timeout with restart counter < 0 3853 * TO*: reschedule timeout for CHAP 3854 * 3855 * scr: send request packet (none for PAP, chap-challenge) 3856 * sca: send ack packet (pap-ack, chap-success) 3857 * scn: send nak packet (pap-nak, chap-failure) 3858 * ict: initialize re-challenge timer (CHAP only) 3859 * 3860 * tlu: this-layer-up, LCP reaches network phase 3861 * tld: this-layer-down, LCP enters terminate phase 3862 * 3863 * Note that in CHAP mode, after sending a new challenge, while the state 3864 * automaton falls back into Req-Sent state, it doesn't signal a tld 3865 * event to LCP, so LCP remains in network phase. Only after not getting 3866 * any response (or after getting an unacceptable response), CHAP closes, 3867 * causing LCP to enter terminate phase. 3868 * 3869 * With PAP, there is no initial request that can be sent. The peer is 3870 * expected to send one based on the successful negotiation of PAP as 3871 * the authentication protocol during the LCP option negotiation. 3872 * 3873 * Incoming authentication protocol requests (remote requests 3874 * authentication, we are peer) don't employ a state machine at all, 3875 * they are simply answered. Some peers [Ascend P50 firmware rev 3876 * 4.50] react allergically when sending IPCP requests while they are 3877 * still in authentication phase (thereby violating the standard that 3878 * demands that these NCP packets are to be discarded), so we keep 3879 * track of the peer demanding us to authenticate, and only proceed to 3880 * phase network once we've seen a positive acknowledge for the 3881 * authentication. 3882 */ 3883 3884 /* 3885 * Handle incoming CHAP packets. 3886 */ 3887 void 3888 sppp_chap_input(struct sppp *sp, struct mbuf *m) 3889 { 3890 STDDCL; 3891 struct lcp_header *h; 3892 int len; 3893 u_char *value, *name, digest[AUTHKEYLEN], dsize; 3894 int value_len, name_len; 3895 MD5_CTX ctx; 3896 3897 len = m->m_pkthdr.len; 3898 if (len < 4) { 3899 if (debug) 3900 log(LOG_DEBUG, 3901 SPP_FMT "chap invalid packet length: %d bytes\n", 3902 SPP_ARGS(ifp), len); 3903 return; 3904 } 3905 h = mtod (m, struct lcp_header*); 3906 if (len > ntohs (h->len)) 3907 len = ntohs (h->len); 3908 3909 switch (h->type) { 3910 /* challenge, failure and success are his authproto */ 3911 case CHAP_CHALLENGE: 3912 value = 1 + (u_char*)(h+1); 3913 value_len = value[-1]; 3914 name = value + value_len; 3915 name_len = len - value_len - 5; 3916 if (name_len < 0) { 3917 if (debug) { 3918 log(LOG_DEBUG, 3919 SPP_FMT "chap corrupted challenge " 3920 "<%s id=0x%x len=%d", 3921 SPP_ARGS(ifp), 3922 sppp_auth_type_name(PPP_CHAP, h->type), 3923 h->ident, ntohs(h->len)); 3924 sppp_print_bytes((u_char*) (h+1), len-4); 3925 log(-1, ">\n"); 3926 } 3927 break; 3928 } 3929 3930 if (debug) { 3931 log(LOG_DEBUG, 3932 SPP_FMT "chap input <%s id=0x%x len=%d name=", 3933 SPP_ARGS(ifp), 3934 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 3935 ntohs(h->len)); 3936 sppp_print_string((char*) name, name_len); 3937 log(-1, " value-size=%d value=", value_len); 3938 sppp_print_bytes(value, value_len); 3939 log(-1, ">\n"); 3940 } 3941 3942 /* Compute reply value. */ 3943 MD5Init(&ctx); 3944 MD5Update(&ctx, &h->ident, 1); 3945 MD5Update(&ctx, sp->myauth.secret, 3946 sppp_strnlen(sp->myauth.secret, AUTHKEYLEN)); 3947 MD5Update(&ctx, value, value_len); 3948 MD5Final(digest, &ctx); 3949 dsize = sizeof digest; 3950 3951 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 3952 sizeof dsize, (const char *)&dsize, 3953 sizeof digest, digest, 3954 (size_t)sppp_strnlen(sp->myauth.name, AUTHNAMELEN), 3955 sp->myauth.name, 3956 0); 3957 break; 3958 3959 case CHAP_SUCCESS: 3960 if (debug) { 3961 log(LOG_DEBUG, SPP_FMT "chap success", 3962 SPP_ARGS(ifp)); 3963 if (len > 4) { 3964 log(-1, ": "); 3965 sppp_print_string((char*)(h + 1), len - 4); 3966 } 3967 log(-1, "\n"); 3968 } 3969 3970 crit_enter(); 3971 3972 sp->pp_flags &= ~PP_NEEDAUTH; 3973 if (sp->myauth.proto == PPP_CHAP && 3974 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 3975 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 3976 /* 3977 * We are authenticator for CHAP but didn't 3978 * complete yet. Leave it to tlu to proceed 3979 * to network phase. 3980 */ 3981 crit_exit(); 3982 break; 3983 } 3984 crit_exit(); 3985 sppp_phase_network(sp); 3986 break; 3987 3988 case CHAP_FAILURE: 3989 if (debug) { 3990 log(LOG_INFO, SPP_FMT "chap failure", 3991 SPP_ARGS(ifp)); 3992 if (len > 4) { 3993 log(-1, ": "); 3994 sppp_print_string((char*)(h + 1), len - 4); 3995 } 3996 log(-1, "\n"); 3997 } else 3998 log(LOG_INFO, SPP_FMT "chap failure\n", 3999 SPP_ARGS(ifp)); 4000 /* await LCP shutdown by authenticator */ 4001 break; 4002 4003 /* response is my authproto */ 4004 case CHAP_RESPONSE: 4005 value = 1 + (u_char*)(h+1); 4006 value_len = value[-1]; 4007 name = value + value_len; 4008 name_len = len - value_len - 5; 4009 if (name_len < 0) { 4010 if (debug) { 4011 log(LOG_DEBUG, 4012 SPP_FMT "chap corrupted response " 4013 "<%s id=0x%x len=%d", 4014 SPP_ARGS(ifp), 4015 sppp_auth_type_name(PPP_CHAP, h->type), 4016 h->ident, ntohs(h->len)); 4017 sppp_print_bytes((u_char*)(h+1), len-4); 4018 log(-1, ">\n"); 4019 } 4020 break; 4021 } 4022 if (h->ident != sp->confid[IDX_CHAP]) { 4023 if (debug) 4024 log(LOG_DEBUG, 4025 SPP_FMT "chap dropping response for old ID " 4026 "(got %d, expected %d)\n", 4027 SPP_ARGS(ifp), 4028 h->ident, sp->confid[IDX_CHAP]); 4029 break; 4030 } 4031 if (name_len != sppp_strnlen(sp->hisauth.name, AUTHNAMELEN) 4032 || bcmp(name, sp->hisauth.name, name_len) != 0) { 4033 log(LOG_INFO, SPP_FMT "chap response, his name ", 4034 SPP_ARGS(ifp)); 4035 sppp_print_string(name, name_len); 4036 log(-1, " != expected "); 4037 sppp_print_string(sp->hisauth.name, 4038 sppp_strnlen(sp->hisauth.name, AUTHNAMELEN)); 4039 log(-1, "\n"); 4040 } 4041 if (debug) { 4042 log(LOG_DEBUG, SPP_FMT "chap input(%s) " 4043 "<%s id=0x%x len=%d name=", 4044 SPP_ARGS(ifp), 4045 sppp_state_name(sp->state[IDX_CHAP]), 4046 sppp_auth_type_name(PPP_CHAP, h->type), 4047 h->ident, ntohs (h->len)); 4048 sppp_print_string((char*)name, name_len); 4049 log(-1, " value-size=%d value=", value_len); 4050 sppp_print_bytes(value, value_len); 4051 log(-1, ">\n"); 4052 } 4053 if (value_len != AUTHKEYLEN) { 4054 if (debug) 4055 log(LOG_DEBUG, 4056 SPP_FMT "chap bad hash value length: " 4057 "%d bytes, should be %d\n", 4058 SPP_ARGS(ifp), value_len, 4059 AUTHKEYLEN); 4060 break; 4061 } 4062 4063 MD5Init(&ctx); 4064 MD5Update(&ctx, &h->ident, 1); 4065 MD5Update(&ctx, sp->hisauth.secret, 4066 sppp_strnlen(sp->hisauth.secret, AUTHKEYLEN)); 4067 MD5Update(&ctx, sp->myauth.challenge, AUTHKEYLEN); 4068 MD5Final(digest, &ctx); 4069 4070 #define FAILMSG "Failed..." 4071 #define SUCCMSG "Welcome!" 4072 4073 if (value_len != sizeof digest || 4074 bcmp(digest, value, value_len) != 0) { 4075 /* action scn, tld */ 4076 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4077 sizeof(FAILMSG) - 1, (u_char *)FAILMSG, 4078 0); 4079 chap.tld(sp); 4080 break; 4081 } 4082 /* action sca, perhaps tlu */ 4083 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4084 sp->state[IDX_CHAP] == STATE_OPENED) 4085 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4086 sizeof(SUCCMSG) - 1, (u_char *)SUCCMSG, 4087 0); 4088 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4089 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4090 chap.tlu(sp); 4091 } 4092 break; 4093 4094 default: 4095 /* Unknown CHAP packet type -- ignore. */ 4096 if (debug) { 4097 log(LOG_DEBUG, SPP_FMT "chap unknown input(%s) " 4098 "<0x%x id=0x%xh len=%d", 4099 SPP_ARGS(ifp), 4100 sppp_state_name(sp->state[IDX_CHAP]), 4101 h->type, h->ident, ntohs(h->len)); 4102 sppp_print_bytes((u_char*)(h+1), len-4); 4103 log(-1, ">\n"); 4104 } 4105 break; 4106 4107 } 4108 } 4109 4110 static void 4111 sppp_chap_init(struct sppp *sp) 4112 { 4113 /* Chap doesn't have STATE_INITIAL at all. */ 4114 sp->state[IDX_CHAP] = STATE_CLOSED; 4115 sp->fail_counter[IDX_CHAP] = 0; 4116 sp->pp_seq[IDX_CHAP] = 0; 4117 sp->pp_rseq[IDX_CHAP] = 0; 4118 callout_init(&sp->timeout[IDX_CHAP]); 4119 } 4120 4121 static void 4122 sppp_chap_open(struct sppp *sp) 4123 { 4124 if (sp->myauth.proto == PPP_CHAP && 4125 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4126 /* we are authenticator for CHAP, start it */ 4127 chap.scr(sp); 4128 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4129 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4130 } 4131 /* nothing to be done if we are peer, await a challenge */ 4132 } 4133 4134 static void 4135 sppp_chap_close(struct sppp *sp) 4136 { 4137 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4138 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4139 } 4140 4141 static void 4142 sppp_chap_TO(void *cookie) 4143 { 4144 struct sppp *sp = (struct sppp *)cookie; 4145 STDDCL; 4146 4147 crit_enter(); 4148 4149 if (debug) 4150 log(LOG_DEBUG, SPP_FMT "chap TO(%s) rst_counter = %d\n", 4151 SPP_ARGS(ifp), 4152 sppp_state_name(sp->state[IDX_CHAP]), 4153 sp->rst_counter[IDX_CHAP]); 4154 4155 if (--sp->rst_counter[IDX_CHAP] < 0) 4156 /* TO- event */ 4157 switch (sp->state[IDX_CHAP]) { 4158 case STATE_REQ_SENT: 4159 chap.tld(sp); 4160 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4161 break; 4162 } 4163 else 4164 /* TO+ (or TO*) event */ 4165 switch (sp->state[IDX_CHAP]) { 4166 case STATE_OPENED: 4167 /* TO* event */ 4168 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4169 /* fall through */ 4170 case STATE_REQ_SENT: 4171 chap.scr(sp); 4172 /* sppp_cp_change_state() will restart the timer */ 4173 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4174 break; 4175 } 4176 4177 crit_exit(); 4178 } 4179 4180 static void 4181 sppp_chap_tlu(struct sppp *sp) 4182 { 4183 STDDCL; 4184 int i; 4185 4186 i = 0; 4187 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4188 4189 /* 4190 * Some broken CHAP implementations (Conware CoNet, firmware 4191 * 4.0.?) don't want to re-authenticate their CHAP once the 4192 * initial challenge-response exchange has taken place. 4193 * Provide for an option to avoid rechallenges. 4194 */ 4195 if ((sp->hisauth.flags & AUTHFLAG_NORECHALLENGE) == 0) { 4196 /* 4197 * Compute the re-challenge timeout. This will yield 4198 * a number between 300 and 810 seconds. 4199 */ 4200 i = 300 + ((unsigned)(krandom() & 0xff00) >> 7); 4201 callout_reset(&sp->timeout[IDX_CHAP], i * hz, chap.TO, sp); 4202 } 4203 4204 if (debug) { 4205 log(LOG_DEBUG, 4206 SPP_FMT "chap %s, ", 4207 SPP_ARGS(ifp), 4208 sp->pp_phase == PHASE_NETWORK? "reconfirmed": "tlu"); 4209 if ((sp->hisauth.flags & AUTHFLAG_NORECHALLENGE) == 0) 4210 log(-1, "next re-challenge in %d seconds\n", i); 4211 else 4212 log(-1, "re-challenging suppressed\n"); 4213 } 4214 4215 crit_enter(); 4216 4217 /* indicate to LCP that we need to be closed down */ 4218 sp->lcp.protos |= (1 << IDX_CHAP); 4219 4220 if (sp->pp_flags & PP_NEEDAUTH) { 4221 /* 4222 * Remote is authenticator, but his auth proto didn't 4223 * complete yet. Defer the transition to network 4224 * phase. 4225 */ 4226 crit_exit(); 4227 return; 4228 } 4229 4230 crit_exit(); 4231 4232 /* 4233 * If we are already in phase network, we are done here. This 4234 * is the case if this is a dummy tlu event after a re-challenge. 4235 */ 4236 if (sp->pp_phase != PHASE_NETWORK) 4237 sppp_phase_network(sp); 4238 } 4239 4240 static void 4241 sppp_chap_tld(struct sppp *sp) 4242 { 4243 STDDCL; 4244 4245 if (debug) 4246 log(LOG_DEBUG, SPP_FMT "chap tld\n", SPP_ARGS(ifp)); 4247 callout_stop(&sp->timeout[IDX_CHAP]); 4248 sp->lcp.protos &= ~(1 << IDX_CHAP); 4249 4250 lcp.Close(sp); 4251 } 4252 4253 static void 4254 sppp_chap_scr(struct sppp *sp) 4255 { 4256 u_long *ch, seed; 4257 u_char clen; 4258 4259 /* Compute random challenge. */ 4260 ch = (u_long *)sp->myauth.challenge; 4261 read_random(&seed, sizeof seed); 4262 ch[0] = seed ^ krandom(); 4263 ch[1] = seed ^ krandom(); 4264 ch[2] = seed ^ krandom(); 4265 ch[3] = seed ^ krandom(); 4266 clen = AUTHKEYLEN; 4267 4268 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4269 4270 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4271 sizeof clen, (const char *)&clen, 4272 (size_t)AUTHKEYLEN, sp->myauth.challenge, 4273 (size_t)sppp_strnlen(sp->myauth.name, AUTHNAMELEN), 4274 sp->myauth.name, 4275 0); 4276 } 4277 4278 /* 4279 *--------------------------------------------------------------------------* 4280 * * 4281 * The PAP implementation. * 4282 * * 4283 *--------------------------------------------------------------------------* 4284 */ 4285 /* 4286 * For PAP, we need to keep a little state also if we are the peer, not the 4287 * authenticator. This is since we don't get a request to authenticate, but 4288 * have to repeatedly authenticate ourself until we got a response (or the 4289 * retry counter is expired). 4290 */ 4291 4292 /* 4293 * Handle incoming PAP packets. */ 4294 static void 4295 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4296 { 4297 STDDCL; 4298 struct lcp_header *h; 4299 int len; 4300 u_char *name, *passwd, mlen; 4301 int name_len, passwd_len; 4302 4303 /* 4304 * Malicious input might leave this uninitialized, so 4305 * init to an impossible value. 4306 */ 4307 passwd_len = -1; 4308 4309 len = m->m_pkthdr.len; 4310 if (len < 5) { 4311 if (debug) 4312 log(LOG_DEBUG, 4313 SPP_FMT "pap invalid packet length: %d bytes\n", 4314 SPP_ARGS(ifp), len); 4315 return; 4316 } 4317 h = mtod (m, struct lcp_header*); 4318 if (len > ntohs (h->len)) 4319 len = ntohs (h->len); 4320 switch (h->type) { 4321 /* PAP request is my authproto */ 4322 case PAP_REQ: 4323 name = 1 + (u_char*)(h+1); 4324 name_len = name[-1]; 4325 passwd = name + name_len + 1; 4326 if (name_len > len - 6 || 4327 (passwd_len = passwd[-1]) > len - 6 - name_len) { 4328 if (debug) { 4329 log(LOG_DEBUG, SPP_FMT "pap corrupted input " 4330 "<%s id=0x%x len=%d", 4331 SPP_ARGS(ifp), 4332 sppp_auth_type_name(PPP_PAP, h->type), 4333 h->ident, ntohs(h->len)); 4334 sppp_print_bytes((u_char*)(h+1), len-4); 4335 log(-1, ">\n"); 4336 } 4337 break; 4338 } 4339 if (debug) { 4340 log(LOG_DEBUG, SPP_FMT "pap input(%s) " 4341 "<%s id=0x%x len=%d name=", 4342 SPP_ARGS(ifp), 4343 sppp_state_name(sp->state[IDX_PAP]), 4344 sppp_auth_type_name(PPP_PAP, h->type), 4345 h->ident, ntohs(h->len)); 4346 sppp_print_string((char*)name, name_len); 4347 log(-1, " passwd="); 4348 sppp_print_string((char*)passwd, passwd_len); 4349 log(-1, ">\n"); 4350 } 4351 if (name_len != sppp_strnlen(sp->hisauth.name, AUTHNAMELEN) || 4352 passwd_len != sppp_strnlen(sp->hisauth.secret, AUTHKEYLEN) || 4353 bcmp(name, sp->hisauth.name, name_len) != 0 || 4354 bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) { 4355 /* action scn, tld */ 4356 mlen = sizeof(FAILMSG) - 1; 4357 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4358 sizeof mlen, (const char *)&mlen, 4359 sizeof(FAILMSG) - 1, (u_char *)FAILMSG, 4360 0); 4361 pap.tld(sp); 4362 break; 4363 } 4364 /* action sca, perhaps tlu */ 4365 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4366 sp->state[IDX_PAP] == STATE_OPENED) { 4367 mlen = sizeof(SUCCMSG) - 1; 4368 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4369 sizeof mlen, (const char *)&mlen, 4370 sizeof(SUCCMSG) - 1, (u_char *)SUCCMSG, 4371 0); 4372 } 4373 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4374 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4375 pap.tlu(sp); 4376 } 4377 break; 4378 4379 /* ack and nak are his authproto */ 4380 case PAP_ACK: 4381 callout_stop(&sp->pap_my_to); 4382 if (debug) { 4383 log(LOG_DEBUG, SPP_FMT "pap success", 4384 SPP_ARGS(ifp)); 4385 name = 1 + (u_char *)(h + 1); 4386 name_len = name[-1]; 4387 if (len > 5 && name_len < len+4) { 4388 log(-1, ": "); 4389 sppp_print_string(name, name_len); 4390 } 4391 log(-1, "\n"); 4392 } 4393 4394 crit_enter(); 4395 4396 sp->pp_flags &= ~PP_NEEDAUTH; 4397 if (sp->myauth.proto == PPP_PAP && 4398 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4399 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4400 /* 4401 * We are authenticator for PAP but didn't 4402 * complete yet. Leave it to tlu to proceed 4403 * to network phase. 4404 */ 4405 4406 crit_exit(); 4407 4408 break; 4409 } 4410 4411 crit_exit(); 4412 4413 sppp_phase_network(sp); 4414 break; 4415 4416 case PAP_NAK: 4417 callout_stop(&sp->pap_my_to); 4418 if (debug) { 4419 log(LOG_INFO, SPP_FMT "pap failure", 4420 SPP_ARGS(ifp)); 4421 name = 1 + (u_char *)(h + 1); 4422 name_len = name[-1]; 4423 if (len > 5 && name_len < len+4) { 4424 log(-1, ": "); 4425 sppp_print_string(name, name_len); 4426 } 4427 log(-1, "\n"); 4428 } else 4429 log(LOG_INFO, SPP_FMT "pap failure\n", 4430 SPP_ARGS(ifp)); 4431 /* await LCP shutdown by authenticator */ 4432 break; 4433 4434 default: 4435 /* Unknown PAP packet type -- ignore. */ 4436 if (debug) { 4437 log(LOG_DEBUG, SPP_FMT "pap corrupted input " 4438 "<0x%x id=0x%x len=%d", 4439 SPP_ARGS(ifp), 4440 h->type, h->ident, ntohs(h->len)); 4441 sppp_print_bytes((u_char*)(h+1), len-4); 4442 log(-1, ">\n"); 4443 } 4444 break; 4445 4446 } 4447 } 4448 4449 static void 4450 sppp_pap_init(struct sppp *sp) 4451 { 4452 /* PAP doesn't have STATE_INITIAL at all. */ 4453 sp->state[IDX_PAP] = STATE_CLOSED; 4454 sp->fail_counter[IDX_PAP] = 0; 4455 sp->pp_seq[IDX_PAP] = 0; 4456 sp->pp_rseq[IDX_PAP] = 0; 4457 callout_init(&sp->timeout[IDX_PAP]); 4458 callout_init(&sp->pap_my_to); 4459 } 4460 4461 static void 4462 sppp_pap_open(struct sppp *sp) 4463 { 4464 if (sp->hisauth.proto == PPP_PAP && 4465 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4466 /* we are authenticator for PAP, start our timer */ 4467 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4468 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4469 } 4470 if (sp->myauth.proto == PPP_PAP) { 4471 /* we are peer, send a request, and start a timer */ 4472 pap.scr(sp); 4473 callout_reset(&sp->pap_my_to, sp->lcp.timeout, 4474 sppp_pap_my_TO, sp); 4475 } 4476 } 4477 4478 static void 4479 sppp_pap_close(struct sppp *sp) 4480 { 4481 if (sp->state[IDX_PAP] != STATE_CLOSED) 4482 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4483 } 4484 4485 /* 4486 * That's the timeout routine if we are authenticator. Since the 4487 * authenticator is basically passive in PAP, we can't do much here. 4488 */ 4489 static void 4490 sppp_pap_TO(void *cookie) 4491 { 4492 struct sppp *sp = (struct sppp *)cookie; 4493 STDDCL; 4494 4495 crit_enter(); 4496 4497 if (debug) 4498 log(LOG_DEBUG, SPP_FMT "pap TO(%s) rst_counter = %d\n", 4499 SPP_ARGS(ifp), 4500 sppp_state_name(sp->state[IDX_PAP]), 4501 sp->rst_counter[IDX_PAP]); 4502 4503 if (--sp->rst_counter[IDX_PAP] < 0) 4504 /* TO- event */ 4505 switch (sp->state[IDX_PAP]) { 4506 case STATE_REQ_SENT: 4507 pap.tld(sp); 4508 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4509 break; 4510 } 4511 else 4512 /* TO+ event, not very much we could do */ 4513 switch (sp->state[IDX_PAP]) { 4514 case STATE_REQ_SENT: 4515 /* sppp_cp_change_state() will restart the timer */ 4516 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4517 break; 4518 } 4519 4520 crit_exit(); 4521 } 4522 4523 /* 4524 * That's the timeout handler if we are peer. Since the peer is active, 4525 * we need to retransmit our PAP request since it is apparently lost. 4526 * XXX We should impose a max counter. 4527 */ 4528 static void 4529 sppp_pap_my_TO(void *cookie) 4530 { 4531 struct sppp *sp = (struct sppp *)cookie; 4532 STDDCL; 4533 4534 if (debug) 4535 log(LOG_DEBUG, SPP_FMT "pap peer TO\n", 4536 SPP_ARGS(ifp)); 4537 4538 pap.scr(sp); 4539 } 4540 4541 static void 4542 sppp_pap_tlu(struct sppp *sp) 4543 { 4544 STDDCL; 4545 4546 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4547 4548 if (debug) 4549 log(LOG_DEBUG, SPP_FMT "%s tlu\n", 4550 SPP_ARGS(ifp), pap.name); 4551 4552 crit_enter(); 4553 4554 /* indicate to LCP that we need to be closed down */ 4555 sp->lcp.protos |= (1 << IDX_PAP); 4556 4557 if (sp->pp_flags & PP_NEEDAUTH) { 4558 /* 4559 * Remote is authenticator, but his auth proto didn't 4560 * complete yet. Defer the transition to network 4561 * phase. 4562 */ 4563 crit_exit(); 4564 return; 4565 } 4566 crit_exit(); 4567 sppp_phase_network(sp); 4568 } 4569 4570 static void 4571 sppp_pap_tld(struct sppp *sp) 4572 { 4573 STDDCL; 4574 4575 if (debug) 4576 log(LOG_DEBUG, SPP_FMT "pap tld\n", SPP_ARGS(ifp)); 4577 callout_stop(&sp->timeout[IDX_PAP]); 4578 callout_stop(&sp->pap_my_to); 4579 sp->lcp.protos &= ~(1 << IDX_PAP); 4580 4581 lcp.Close(sp); 4582 } 4583 4584 static void 4585 sppp_pap_scr(struct sppp *sp) 4586 { 4587 u_char idlen, pwdlen; 4588 4589 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4590 pwdlen = sppp_strnlen(sp->myauth.secret, AUTHKEYLEN); 4591 idlen = sppp_strnlen(sp->myauth.name, AUTHNAMELEN); 4592 4593 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 4594 sizeof idlen, (const char *)&idlen, 4595 (size_t)idlen, sp->myauth.name, 4596 sizeof pwdlen, (const char *)&pwdlen, 4597 (size_t)pwdlen, sp->myauth.secret, 4598 0); 4599 } 4600 4601 /* 4602 * Random miscellaneous functions. 4603 */ 4604 4605 /* 4606 * Send a PAP or CHAP proto packet. 4607 * 4608 * Varadic function, each of the elements for the ellipsis is of type 4609 * ``size_t mlen, const u_char *msg''. Processing will stop iff 4610 * mlen == 0. 4611 * NOTE: never declare variadic functions with types subject to type 4612 * promotion (i.e. u_char). This is asking for big trouble depending 4613 * on the architecture you are on... 4614 */ 4615 4616 static void 4617 sppp_auth_send(const struct cp *cp, struct sppp *sp, 4618 unsigned int type, unsigned int id, 4619 ...) 4620 { 4621 STDDCL; 4622 struct ppp_header *h; 4623 struct lcp_header *lh; 4624 struct mbuf *m; 4625 u_char *p; 4626 int len; 4627 unsigned int mlen; 4628 const char *msg; 4629 struct ifaltq_subque *ifsq; 4630 __va_list ap; 4631 4632 MGETHDR (m, MB_DONTWAIT, MT_DATA); 4633 if (! m) 4634 return; 4635 m->m_pkthdr.rcvif = 0; 4636 4637 h = mtod (m, struct ppp_header*); 4638 h->address = PPP_ALLSTATIONS; /* broadcast address */ 4639 h->control = PPP_UI; /* Unnumbered Info */ 4640 h->protocol = htons(cp->proto); 4641 4642 lh = (struct lcp_header*)(h + 1); 4643 lh->type = type; 4644 lh->ident = id; 4645 p = (u_char*) (lh+1); 4646 4647 __va_start(ap, id); 4648 len = 0; 4649 4650 while ((mlen = (unsigned int)__va_arg(ap, size_t)) != 0) { 4651 msg = __va_arg(ap, const char *); 4652 len += mlen; 4653 if (len > MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN) { 4654 __va_end(ap); 4655 m_freem(m); 4656 return; 4657 } 4658 4659 bcopy(msg, p, mlen); 4660 p += mlen; 4661 } 4662 __va_end(ap); 4663 4664 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + LCP_HEADER_LEN + len; 4665 lh->len = htons (LCP_HEADER_LEN + len); 4666 4667 if (debug) { 4668 log(LOG_DEBUG, SPP_FMT "%s output <%s id=0x%x len=%d", 4669 SPP_ARGS(ifp), cp->name, 4670 sppp_auth_type_name(cp->proto, lh->type), 4671 lh->ident, ntohs(lh->len)); 4672 sppp_print_bytes((u_char*) (lh+1), len); 4673 log(-1, ">\n"); 4674 } 4675 if (IF_QFULL (&sp->pp_cpq)) { 4676 IF_DROP (&sp->pp_fastq); 4677 m_freem (m); 4678 IFNET_STAT_INC(ifp, oerrors, 1); 4679 } else 4680 IF_ENQUEUE (&sp->pp_cpq, m); 4681 ifsq = ifq_get_subq_default(&ifp->if_snd); 4682 if (!ifsq_is_oactive(ifsq)) 4683 (*ifp->if_start) (ifp, ifsq); 4684 IFNET_STAT_INC(ifp, obytes, m->m_pkthdr.len + 3); 4685 } 4686 4687 /* 4688 * Send keepalive packets, every 10 seconds. 4689 */ 4690 static void 4691 sppp_keepalive(void *dummy) 4692 { 4693 struct sppp *sp; 4694 4695 crit_enter(); 4696 4697 for (sp=spppq; sp; sp=sp->pp_next) { 4698 struct ifnet *ifp = &sp->pp_if; 4699 4700 /* Keepalive mode disabled or channel down? */ 4701 if (! (sp->pp_flags & PP_KEEPALIVE) || 4702 ! (ifp->if_flags & IFF_RUNNING)) 4703 continue; 4704 4705 /* No keepalive in PPP mode if LCP not opened yet. */ 4706 if (sp->pp_mode != IFF_CISCO && 4707 sp->pp_phase < PHASE_AUTHENTICATE) 4708 continue; 4709 4710 if (sp->pp_alivecnt == MAXALIVECNT) { 4711 /* No keepalive packets got. Stop the interface. */ 4712 kprintf (SPP_FMT "down\n", SPP_ARGS(ifp)); 4713 if_down (ifp); 4714 IF_DRAIN(&sp->pp_cpq); 4715 if (sp->pp_mode != IFF_CISCO) { 4716 /* XXX */ 4717 /* Shut down the PPP link. */ 4718 lcp.Down(sp); 4719 /* Initiate negotiation. XXX */ 4720 lcp.Up(sp); 4721 } 4722 } 4723 ifnet_serialize_all(ifp); 4724 if (sp->pp_alivecnt <= MAXALIVECNT) 4725 ++sp->pp_alivecnt; 4726 if (sp->pp_mode == IFF_CISCO) 4727 sppp_cisco_send (sp, CISCO_KEEPALIVE_REQ, 4728 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 4729 else if (sp->pp_phase >= PHASE_AUTHENTICATE) { 4730 long nmagic = htonl (sp->lcp.magic); 4731 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 4732 sppp_cp_send (sp, PPP_LCP, ECHO_REQ, 4733 sp->lcp.echoid, 4, &nmagic); 4734 } 4735 ifnet_deserialize_all(ifp); 4736 } 4737 callout_reset(&keepalive_timeout, hz * 10, sppp_keepalive, NULL); 4738 crit_exit(); 4739 } 4740 4741 /* 4742 * Get both IP addresses. 4743 */ 4744 static void 4745 sppp_get_ip_addrs(struct sppp *sp, u_long *src, u_long *dst, u_long *srcmask) 4746 { 4747 struct ifnet *ifp = &sp->pp_if; 4748 struct ifaddr_container *ifac; 4749 struct ifaddr *ifa; 4750 struct sockaddr_in *si, *sm; 4751 u_long ssrc, ddst; 4752 4753 sm = NULL; 4754 ssrc = ddst = 0L; 4755 /* 4756 * Pick the first AF_INET address from the list, 4757 * aliases don't make any sense on a p2p link anyway. 4758 */ 4759 si = NULL; 4760 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4761 ifa = ifac->ifa; 4762 if (ifa->ifa_addr->sa_family == AF_INET) { 4763 si = (struct sockaddr_in *)ifa->ifa_addr; 4764 sm = (struct sockaddr_in *)ifa->ifa_netmask; 4765 if (si) 4766 break; 4767 } 4768 } 4769 if (ifac != NULL) { 4770 if (si && si->sin_addr.s_addr) { 4771 ssrc = si->sin_addr.s_addr; 4772 if (srcmask) 4773 *srcmask = ntohl(sm->sin_addr.s_addr); 4774 } 4775 4776 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 4777 if (si && si->sin_addr.s_addr) 4778 ddst = si->sin_addr.s_addr; 4779 } 4780 4781 if (dst) *dst = ntohl(ddst); 4782 if (src) *src = ntohl(ssrc); 4783 } 4784 4785 /* 4786 * Set my IP address. Must be called at splimp. 4787 */ 4788 static void 4789 sppp_set_ip_addr(struct sppp *sp, u_long src) 4790 { 4791 STDDCL; 4792 struct ifaddr_container *ifac; 4793 struct ifaddr *ifa = NULL; 4794 struct sockaddr_in *si; 4795 struct in_ifaddr *ia; 4796 4797 /* 4798 * Pick the first AF_INET address from the list, 4799 * aliases don't make any sense on a p2p link anyway. 4800 */ 4801 si = NULL; 4802 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4803 ifa = ifac->ifa; 4804 if (ifa->ifa_addr->sa_family == AF_INET) { 4805 si = (struct sockaddr_in *)ifa->ifa_addr; 4806 if (si) 4807 break; 4808 } 4809 } 4810 4811 if (ifac != NULL && si != NULL) { 4812 int error; 4813 4814 /* delete old route */ 4815 error = rtinit(ifa, (int)RTM_DELETE, RTF_HOST); 4816 if(debug && error) 4817 { 4818 log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: rtinit DEL failed, error=%d\n", 4819 SPP_ARGS(ifp), error); 4820 } 4821 4822 ia = ifatoia(ifa); 4823 in_iahash_remove(ia); 4824 4825 /* set new address */ 4826 si->sin_addr.s_addr = htonl(src); 4827 in_iahash_insert(ia); 4828 4829 /* add new route */ 4830 error = rtinit(ifa, (int)RTM_ADD, RTF_HOST); 4831 if (debug && error) 4832 { 4833 log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: rtinit ADD failed, error=%d", 4834 SPP_ARGS(ifp), error); 4835 } 4836 } 4837 } 4838 4839 #ifdef INET6 4840 /* 4841 * Get both IPv6 addresses. 4842 */ 4843 static void 4844 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 4845 struct in6_addr *srcmask) 4846 { 4847 struct ifnet *ifp = &sp->pp_if; 4848 struct ifaddr_container *ifac; 4849 struct ifaddr *ifa; 4850 struct sockaddr_in6 *si, *sm; 4851 struct in6_addr ssrc, ddst; 4852 4853 sm = NULL; 4854 bzero(&ssrc, sizeof(ssrc)); 4855 bzero(&ddst, sizeof(ddst)); 4856 /* 4857 * Pick the first link-local AF_INET6 address from the list, 4858 * aliases don't make any sense on a p2p link anyway. 4859 */ 4860 si = NULL; 4861 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4862 ifa = ifac->ifa; 4863 if (ifa->ifa_addr->sa_family == AF_INET6) { 4864 si = (struct sockaddr_in6 *)ifa->ifa_addr; 4865 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 4866 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) 4867 break; 4868 } 4869 } 4870 if (ifac != NULL) { 4871 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 4872 bcopy(&si->sin6_addr, &ssrc, sizeof(ssrc)); 4873 if (srcmask) { 4874 bcopy(&sm->sin6_addr, srcmask, 4875 sizeof(*srcmask)); 4876 } 4877 } 4878 4879 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 4880 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 4881 bcopy(&si->sin6_addr, &ddst, sizeof(ddst)); 4882 } 4883 4884 if (dst) 4885 bcopy(&ddst, dst, sizeof(*dst)); 4886 if (src) 4887 bcopy(&ssrc, src, sizeof(*src)); 4888 } 4889 4890 #ifdef IPV6CP_MYIFID_DYN 4891 /* 4892 * Generate random ifid. 4893 */ 4894 static void 4895 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 4896 { 4897 /* TBD */ 4898 } 4899 4900 /* 4901 * Set my IPv6 address. Must be called at splimp. 4902 */ 4903 static void 4904 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 4905 { 4906 STDDCL; 4907 struct ifaddr_container *ifac; 4908 struct ifaddr *ifa; 4909 struct sockaddr_in6 *sin6; 4910 4911 /* 4912 * Pick the first link-local AF_INET6 address from the list, 4913 * aliases don't make any sense on a p2p link anyway. 4914 */ 4915 4916 sin6 = NULL; 4917 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) { 4918 ifa = ifac->ifa; 4919 if (ifa->ifa_addr->sa_family == AF_INET6) { 4920 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 4921 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 4922 break; 4923 } 4924 } 4925 4926 if (ifac != NULL && sin6 != NULL) { 4927 int error; 4928 struct sockaddr_in6 new_sin6 = *sin6; 4929 4930 bcopy(src, &new_sin6.sin6_addr, sizeof(new_sin6.sin6_addr)); 4931 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 4932 if (debug && error) { 4933 log(LOG_DEBUG, SPP_FMT "sppp_set_ip6_addr: in6_ifinit " 4934 " failed, error=%d\n", SPP_ARGS(ifp), error); 4935 } 4936 } 4937 } 4938 #endif 4939 4940 /* 4941 * Suggest a candidate address to be used by peer. 4942 */ 4943 static void 4944 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 4945 { 4946 struct in6_addr myaddr; 4947 struct timeval tv; 4948 4949 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 4950 4951 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 4952 microtime(&tv); 4953 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 4954 myaddr.s6_addr[14] ^= 0xff; 4955 myaddr.s6_addr[15] ^= 0xff; 4956 } else { 4957 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 4958 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 4959 } 4960 if (suggest) 4961 bcopy(&myaddr, suggest, sizeof(myaddr)); 4962 } 4963 #endif /*INET6*/ 4964 4965 static int 4966 sppp_params(struct sppp *sp, u_long cmd, void *data) 4967 { 4968 u_long subcmd; 4969 struct ifreq *ifr = (struct ifreq *)data; 4970 struct spppreq *spr; 4971 int rv = 0; 4972 4973 spr = kmalloc(sizeof(struct spppreq), M_TEMP, M_INTWAIT); 4974 4975 /* 4976 * ifr->ifr_data is supposed to point to a struct spppreq. 4977 * Check the cmd word first before attempting to fetch all the 4978 * data. 4979 */ 4980 if ((subcmd = fuword(ifr->ifr_data)) == -1) { 4981 rv = EFAULT; 4982 goto quit; 4983 } 4984 4985 if (copyin((caddr_t)ifr->ifr_data, spr, sizeof(struct spppreq)) != 0) { 4986 rv = EFAULT; 4987 goto quit; 4988 } 4989 4990 switch (subcmd) { 4991 case (u_long)SPPPIOGDEFS: 4992 if (cmd != SIOCGIFGENERIC) { 4993 rv = EINVAL; 4994 break; 4995 } 4996 /* 4997 * We copy over the entire current state, but clean 4998 * out some of the stuff we don't wanna pass up. 4999 * Remember, SIOCGIFGENERIC is unprotected, and can be 5000 * called by any user. No need to ever get PAP or 5001 * CHAP secrets back to userland anyway. 5002 */ 5003 spr->defs.pp_phase = sp->pp_phase; 5004 spr->defs.enable_vj = (sp->confflags & CONF_ENABLE_VJ) != 0; 5005 spr->defs.enable_ipv6 = (sp->confflags & CONF_ENABLE_IPV6) != 0; 5006 spr->defs.lcp = sp->lcp; 5007 spr->defs.ipcp = sp->ipcp; 5008 spr->defs.ipv6cp = sp->ipv6cp; 5009 spr->defs.myauth = sp->myauth; 5010 spr->defs.hisauth = sp->hisauth; 5011 bzero(spr->defs.myauth.secret, AUTHKEYLEN); 5012 bzero(spr->defs.myauth.challenge, AUTHKEYLEN); 5013 bzero(spr->defs.hisauth.secret, AUTHKEYLEN); 5014 bzero(spr->defs.hisauth.challenge, AUTHKEYLEN); 5015 /* 5016 * Fixup the LCP timeout value to milliseconds so 5017 * spppcontrol doesn't need to bother about the value 5018 * of "hz". We do the reverse calculation below when 5019 * setting it. 5020 */ 5021 spr->defs.lcp.timeout = sp->lcp.timeout * 1000 / hz; 5022 rv = copyout(spr, (caddr_t)ifr->ifr_data, 5023 sizeof(struct spppreq)); 5024 break; 5025 5026 case (u_long)SPPPIOSDEFS: 5027 if (cmd != SIOCSIFGENERIC) { 5028 rv = EINVAL; 5029 break; 5030 } 5031 /* 5032 * We have a very specific idea of which fields we 5033 * allow being passed back from userland, so to not 5034 * clobber our current state. For one, we only allow 5035 * setting anything if LCP is in dead or establish 5036 * phase. Once the authentication negotiations 5037 * started, the authentication settings must not be 5038 * changed again. (The administrator can force an 5039 * ifconfig down in order to get LCP back into dead 5040 * phase.) 5041 * 5042 * Also, we only allow for authentication parameters to be 5043 * specified. 5044 * 5045 * XXX Should allow to set or clear pp_flags. 5046 * 5047 * Finally, if the respective authentication protocol to 5048 * be used is set differently than 0, but the secret is 5049 * passed as all zeros, we don't trash the existing secret. 5050 * This allows an administrator to change the system name 5051 * only without clobbering the secret (which he didn't get 5052 * back in a previous SPPPIOGDEFS call). However, the 5053 * secrets are cleared if the authentication protocol is 5054 * reset to 0. */ 5055 if (sp->pp_phase != PHASE_DEAD && 5056 sp->pp_phase != PHASE_ESTABLISH) { 5057 rv = EBUSY; 5058 break; 5059 } 5060 5061 if ((spr->defs.myauth.proto != 0 && spr->defs.myauth.proto != PPP_PAP && 5062 spr->defs.myauth.proto != PPP_CHAP) || 5063 (spr->defs.hisauth.proto != 0 && spr->defs.hisauth.proto != PPP_PAP && 5064 spr->defs.hisauth.proto != PPP_CHAP)) { 5065 rv = EINVAL; 5066 break; 5067 } 5068 5069 if (spr->defs.myauth.proto == 0) 5070 /* resetting myauth */ 5071 bzero(&sp->myauth, sizeof sp->myauth); 5072 else { 5073 /* setting/changing myauth */ 5074 sp->myauth.proto = spr->defs.myauth.proto; 5075 bcopy(spr->defs.myauth.name, sp->myauth.name, AUTHNAMELEN); 5076 if (spr->defs.myauth.secret[0] != '\0') 5077 bcopy(spr->defs.myauth.secret, sp->myauth.secret, 5078 AUTHKEYLEN); 5079 } 5080 if (spr->defs.hisauth.proto == 0) 5081 /* resetting hisauth */ 5082 bzero(&sp->hisauth, sizeof sp->hisauth); 5083 else { 5084 /* setting/changing hisauth */ 5085 sp->hisauth.proto = spr->defs.hisauth.proto; 5086 sp->hisauth.flags = spr->defs.hisauth.flags; 5087 bcopy(spr->defs.hisauth.name, sp->hisauth.name, AUTHNAMELEN); 5088 if (spr->defs.hisauth.secret[0] != '\0') 5089 bcopy(spr->defs.hisauth.secret, sp->hisauth.secret, 5090 AUTHKEYLEN); 5091 } 5092 /* set LCP restart timer timeout */ 5093 if (spr->defs.lcp.timeout != 0) 5094 sp->lcp.timeout = spr->defs.lcp.timeout * hz / 1000; 5095 /* set VJ enable and IPv6 disable flags */ 5096 #ifdef INET 5097 if (spr->defs.enable_vj) 5098 sp->confflags |= CONF_ENABLE_VJ; 5099 else 5100 sp->confflags &= ~CONF_ENABLE_VJ; 5101 #endif 5102 #ifdef INET6 5103 if (spr->defs.enable_ipv6) 5104 sp->confflags |= CONF_ENABLE_IPV6; 5105 else 5106 sp->confflags &= ~CONF_ENABLE_IPV6; 5107 #endif 5108 break; 5109 5110 default: 5111 rv = EINVAL; 5112 } 5113 5114 quit: 5115 kfree(spr, M_TEMP); 5116 5117 return (rv); 5118 } 5119 5120 static void 5121 sppp_phase_network(struct sppp *sp) 5122 { 5123 STDDCL; 5124 int i; 5125 u_long mask; 5126 5127 sp->pp_phase = PHASE_NETWORK; 5128 5129 if (debug) 5130 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp), 5131 sppp_phase_name(sp->pp_phase)); 5132 5133 /* Notify NCPs now. */ 5134 for (i = 0; i < IDX_COUNT; i++) 5135 if ((cps[i])->flags & CP_NCP) 5136 (cps[i])->Open(sp); 5137 5138 /* Send Up events to all NCPs. */ 5139 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5140 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) 5141 (cps[i])->Up(sp); 5142 5143 /* if no NCP is starting, all this was in vain, close down */ 5144 sppp_lcp_check_and_close(sp); 5145 } 5146 5147 5148 static const char * 5149 sppp_cp_type_name(u_char type) 5150 { 5151 static char buf[12]; 5152 switch (type) { 5153 case CONF_REQ: return "conf-req"; 5154 case CONF_ACK: return "conf-ack"; 5155 case CONF_NAK: return "conf-nak"; 5156 case CONF_REJ: return "conf-rej"; 5157 case TERM_REQ: return "term-req"; 5158 case TERM_ACK: return "term-ack"; 5159 case CODE_REJ: return "code-rej"; 5160 case PROTO_REJ: return "proto-rej"; 5161 case ECHO_REQ: return "echo-req"; 5162 case ECHO_REPLY: return "echo-reply"; 5163 case DISC_REQ: return "discard-req"; 5164 } 5165 ksnprintf (buf, sizeof(buf), "cp/0x%x", type); 5166 return buf; 5167 } 5168 5169 static const char * 5170 sppp_auth_type_name(u_short proto, u_char type) 5171 { 5172 static char buf[12]; 5173 switch (proto) { 5174 case PPP_CHAP: 5175 switch (type) { 5176 case CHAP_CHALLENGE: return "challenge"; 5177 case CHAP_RESPONSE: return "response"; 5178 case CHAP_SUCCESS: return "success"; 5179 case CHAP_FAILURE: return "failure"; 5180 } 5181 case PPP_PAP: 5182 switch (type) { 5183 case PAP_REQ: return "req"; 5184 case PAP_ACK: return "ack"; 5185 case PAP_NAK: return "nak"; 5186 } 5187 } 5188 ksnprintf (buf, sizeof(buf), "auth/0x%x", type); 5189 return buf; 5190 } 5191 5192 static const char * 5193 sppp_lcp_opt_name(u_char opt) 5194 { 5195 static char buf[12]; 5196 switch (opt) { 5197 case LCP_OPT_MRU: return "mru"; 5198 case LCP_OPT_ASYNC_MAP: return "async-map"; 5199 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 5200 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 5201 case LCP_OPT_MAGIC: return "magic"; 5202 case LCP_OPT_PROTO_COMP: return "proto-comp"; 5203 case LCP_OPT_ADDR_COMP: return "addr-comp"; 5204 } 5205 ksnprintf (buf, sizeof(buf), "lcp/0x%x", opt); 5206 return buf; 5207 } 5208 5209 static const char * 5210 sppp_ipcp_opt_name(u_char opt) 5211 { 5212 static char buf[12]; 5213 switch (opt) { 5214 case IPCP_OPT_ADDRESSES: return "addresses"; 5215 case IPCP_OPT_COMPRESSION: return "compression"; 5216 case IPCP_OPT_ADDRESS: return "address"; 5217 } 5218 ksnprintf (buf, sizeof(buf), "ipcp/0x%x", opt); 5219 return buf; 5220 } 5221 5222 #ifdef INET6 5223 static const char * 5224 sppp_ipv6cp_opt_name(u_char opt) 5225 { 5226 static char buf[12]; 5227 switch (opt) { 5228 case IPV6CP_OPT_IFID: return "ifid"; 5229 case IPV6CP_OPT_COMPRESSION: return "compression"; 5230 } 5231 ksprintf (buf, "0x%x", opt); 5232 return buf; 5233 } 5234 #endif 5235 5236 static const char * 5237 sppp_state_name(int state) 5238 { 5239 switch (state) { 5240 case STATE_INITIAL: return "initial"; 5241 case STATE_STARTING: return "starting"; 5242 case STATE_CLOSED: return "closed"; 5243 case STATE_STOPPED: return "stopped"; 5244 case STATE_CLOSING: return "closing"; 5245 case STATE_STOPPING: return "stopping"; 5246 case STATE_REQ_SENT: return "req-sent"; 5247 case STATE_ACK_RCVD: return "ack-rcvd"; 5248 case STATE_ACK_SENT: return "ack-sent"; 5249 case STATE_OPENED: return "opened"; 5250 } 5251 return "illegal"; 5252 } 5253 5254 static const char * 5255 sppp_phase_name(enum ppp_phase phase) 5256 { 5257 switch (phase) { 5258 case PHASE_DEAD: return "dead"; 5259 case PHASE_ESTABLISH: return "establish"; 5260 case PHASE_TERMINATE: return "terminate"; 5261 case PHASE_AUTHENTICATE: return "authenticate"; 5262 case PHASE_NETWORK: return "network"; 5263 } 5264 return "illegal"; 5265 } 5266 5267 static const char * 5268 sppp_proto_name(u_short proto) 5269 { 5270 static char buf[12]; 5271 switch (proto) { 5272 case PPP_LCP: return "lcp"; 5273 case PPP_IPCP: return "ipcp"; 5274 case PPP_PAP: return "pap"; 5275 case PPP_CHAP: return "chap"; 5276 case PPP_IPV6CP: return "ipv6cp"; 5277 } 5278 ksnprintf(buf, sizeof(buf), "proto/0x%x", (unsigned)proto); 5279 return buf; 5280 } 5281 5282 static void 5283 sppp_print_bytes(const u_char *p, u_short len) 5284 { 5285 char hexstr[len]; 5286 if (len) 5287 log(-1, " %s", hexncpy(p, len, hexstr, HEX_NCPYLEN(len), "-")); 5288 } 5289 5290 static void 5291 sppp_print_string(const char *p, u_short len) 5292 { 5293 u_char c; 5294 5295 while (len-- > 0) { 5296 c = *p++; 5297 /* 5298 * Print only ASCII chars directly. RFC 1994 recommends 5299 * using only them, but we don't rely on it. */ 5300 if (c < ' ' || c > '~') 5301 log(-1, "\\x%x", c); 5302 else 5303 log(-1, "%c", c); 5304 } 5305 } 5306 5307 static const char * 5308 sppp_dotted_quad(u_long addr) 5309 { 5310 static char s[16]; 5311 ksprintf(s, "%d.%d.%d.%d", 5312 (int)((addr >> 24) & 0xff), 5313 (int)((addr >> 16) & 0xff), 5314 (int)((addr >> 8) & 0xff), 5315 (int)(addr & 0xff)); 5316 return s; 5317 } 5318 5319 static int 5320 sppp_strnlen(u_char *p, int max) 5321 { 5322 int len; 5323 5324 for (len = 0; len < max && *p; ++p) 5325 ++len; 5326 return len; 5327 } 5328 5329 /* a dummy, used to drop uninteresting events */ 5330 static void 5331 sppp_null(struct sppp *unused) 5332 { 5333 /* do just nothing */ 5334 } 5335