1 /* $NetBSD: if_spppsubr.c,v 1.134 2015/05/25 08:29:01 ozaki-r Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak@cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun@iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.134 2015/05/25 08:29:01 ozaki-r Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_modular.h" 49 #include "opt_compat_netbsd.h" 50 #endif 51 52 53 #include <sys/param.h> 54 #include <sys/proc.h> 55 #include <sys/systm.h> 56 #include <sys/kernel.h> 57 #include <sys/sockio.h> 58 #include <sys/socket.h> 59 #include <sys/syslog.h> 60 #include <sys/malloc.h> 61 #include <sys/mbuf.h> 62 #include <sys/callout.h> 63 #include <sys/md5.h> 64 #include <sys/inttypes.h> 65 #include <sys/kauth.h> 66 #include <sys/cprng.h> 67 68 #include <net/if.h> 69 #include <net/netisr.h> 70 #include <net/if_types.h> 71 #include <net/route.h> 72 #include <net/ppp_defs.h> 73 74 #include <netinet/in.h> 75 #include <netinet/in_systm.h> 76 #include <netinet/in_var.h> 77 #ifdef INET 78 #include <netinet/ip.h> 79 #include <netinet/tcp.h> 80 #endif 81 #include <net/ethertypes.h> 82 83 #ifdef INET6 84 #include <netinet6/scope6_var.h> 85 #endif 86 87 #include <net/if_sppp.h> 88 #include <net/if_spppvar.h> 89 90 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 91 #define LOOPALIVECNT 3 /* loopback detection tries */ 92 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 93 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 94 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 95 96 /* 97 * Interface flags that can be set in an ifconfig command. 98 * 99 * Setting link0 will make the link passive, i.e. it will be marked 100 * as being administrative openable, but won't be opened to begin 101 * with. Incoming calls will be answered, or subsequent calls with 102 * -link1 will cause the administrative open of the LCP layer. 103 * 104 * Setting link1 will cause the link to auto-dial only as packets 105 * arrive to be sent. 106 * 107 * Setting IFF_DEBUG will syslog the option negotiation and state 108 * transitions at level kern.debug. Note: all logs consistently look 109 * like 110 * 111 * <if-name><unit>: <proto-name> <additional info...> 112 * 113 * with <if-name><unit> being something like "bppp0", and <proto-name> 114 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 115 */ 116 117 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 118 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 119 120 #define CONF_REQ 1 /* PPP configure request */ 121 #define CONF_ACK 2 /* PPP configure acknowledge */ 122 #define CONF_NAK 3 /* PPP configure negative ack */ 123 #define CONF_REJ 4 /* PPP configure reject */ 124 #define TERM_REQ 5 /* PPP terminate request */ 125 #define TERM_ACK 6 /* PPP terminate acknowledge */ 126 #define CODE_REJ 7 /* PPP code reject */ 127 #define PROTO_REJ 8 /* PPP protocol reject */ 128 #define ECHO_REQ 9 /* PPP echo request */ 129 #define ECHO_REPLY 10 /* PPP echo reply */ 130 #define DISC_REQ 11 /* PPP discard request */ 131 132 #define LCP_OPT_MRU 1 /* maximum receive unit */ 133 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 134 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 135 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 136 #define LCP_OPT_MAGIC 5 /* magic number */ 137 #define LCP_OPT_RESERVED 6 /* reserved */ 138 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 139 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 140 141 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 142 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 143 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 144 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 145 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 146 147 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 148 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 149 150 #define PAP_REQ 1 /* PAP name/password request */ 151 #define PAP_ACK 2 /* PAP acknowledge */ 152 #define PAP_NAK 3 /* PAP fail */ 153 154 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 155 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 156 #define CHAP_SUCCESS 3 /* CHAP response ok */ 157 #define CHAP_FAILURE 4 /* CHAP response failed */ 158 159 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 160 161 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 162 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 163 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 164 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 165 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 166 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 167 168 /* states are named and numbered according to RFC 1661 */ 169 #define STATE_INITIAL 0 170 #define STATE_STARTING 1 171 #define STATE_CLOSED 2 172 #define STATE_STOPPED 3 173 #define STATE_CLOSING 4 174 #define STATE_STOPPING 5 175 #define STATE_REQ_SENT 6 176 #define STATE_ACK_RCVD 7 177 #define STATE_ACK_SENT 8 178 #define STATE_OPENED 9 179 180 struct ppp_header { 181 uint8_t address; 182 uint8_t control; 183 uint16_t protocol; 184 } __packed; 185 #define PPP_HEADER_LEN sizeof (struct ppp_header) 186 187 struct lcp_header { 188 uint8_t type; 189 uint8_t ident; 190 uint16_t len; 191 } __packed; 192 #define LCP_HEADER_LEN sizeof (struct lcp_header) 193 194 struct cisco_packet { 195 uint32_t type; 196 uint32_t par1; 197 uint32_t par2; 198 uint16_t rel; 199 uint16_t time0; 200 uint16_t time1; 201 } __packed; 202 #define CISCO_PACKET_LEN 18 203 204 /* 205 * We follow the spelling and capitalization of RFC 1661 here, to make 206 * it easier comparing with the standard. Please refer to this RFC in 207 * case you can't make sense out of these abbreviation; it will also 208 * explain the semantics related to the various events and actions. 209 */ 210 struct cp { 211 u_short proto; /* PPP control protocol number */ 212 u_char protoidx; /* index into state table in struct sppp */ 213 u_char flags; 214 #define CP_LCP 0x01 /* this is the LCP */ 215 #define CP_AUTH 0x02 /* this is an authentication protocol */ 216 #define CP_NCP 0x04 /* this is a NCP */ 217 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 218 const char *name; /* name of this control protocol */ 219 /* event handlers */ 220 void (*Up)(struct sppp *sp); 221 void (*Down)(struct sppp *sp); 222 void (*Open)(struct sppp *sp); 223 void (*Close)(struct sppp *sp); 224 void (*TO)(void *sp); 225 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 226 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 227 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 228 /* actions */ 229 void (*tlu)(struct sppp *sp); 230 void (*tld)(struct sppp *sp); 231 void (*tls)(struct sppp *sp); 232 void (*tlf)(struct sppp *sp); 233 void (*scr)(struct sppp *sp); 234 }; 235 236 static struct sppp *spppq; 237 static callout_t keepalive_ch; 238 239 #ifdef INET 240 /* 241 * The following disgusting hack gets around the problem that IP TOS 242 * can't be set yet. We want to put "interactive" traffic on a high 243 * priority queue. To decide if traffic is interactive, we check that 244 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 245 * 246 * XXX is this really still necessary? - joerg - 247 */ 248 static u_short interactive_ports[8] = { 249 0, 513, 0, 0, 250 0, 21, 0, 23, 251 }; 252 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 253 #endif 254 255 /* almost every function needs these */ 256 #define STDDCL \ 257 struct ifnet *ifp = &sp->pp_if; \ 258 int debug = ifp->if_flags & IFF_DEBUG 259 260 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 261 const struct sockaddr *dst, struct rtentry *rt); 262 263 static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2); 264 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 265 266 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 267 struct mbuf *m); 268 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 269 u_char ident, u_short len, void *data); 270 /* static void sppp_cp_timeout(void *arg); */ 271 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 272 int newstate); 273 static void sppp_auth_send(const struct cp *cp, 274 struct sppp *sp, unsigned int type, unsigned int id, 275 ...); 276 277 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 278 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 279 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 280 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 281 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 282 283 static void sppp_null(struct sppp *sp); 284 285 static void sppp_lcp_init(struct sppp *sp); 286 static void sppp_lcp_up(struct sppp *sp); 287 static void sppp_lcp_down(struct sppp *sp); 288 static void sppp_lcp_open(struct sppp *sp); 289 static void sppp_lcp_close(struct sppp *sp); 290 static void sppp_lcp_TO(void *sp); 291 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 292 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 293 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 294 static void sppp_lcp_tlu(struct sppp *sp); 295 static void sppp_lcp_tld(struct sppp *sp); 296 static void sppp_lcp_tls(struct sppp *sp); 297 static void sppp_lcp_tlf(struct sppp *sp); 298 static void sppp_lcp_scr(struct sppp *sp); 299 static void sppp_lcp_check_and_close(struct sppp *sp); 300 static int sppp_ncp_check(struct sppp *sp); 301 302 static void sppp_ipcp_init(struct sppp *sp); 303 static void sppp_ipcp_up(struct sppp *sp); 304 static void sppp_ipcp_down(struct sppp *sp); 305 static void sppp_ipcp_open(struct sppp *sp); 306 static void sppp_ipcp_close(struct sppp *sp); 307 static void sppp_ipcp_TO(void *sp); 308 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 309 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 310 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 311 static void sppp_ipcp_tlu(struct sppp *sp); 312 static void sppp_ipcp_tld(struct sppp *sp); 313 static void sppp_ipcp_tls(struct sppp *sp); 314 static void sppp_ipcp_tlf(struct sppp *sp); 315 static void sppp_ipcp_scr(struct sppp *sp); 316 317 static void sppp_ipv6cp_init(struct sppp *sp); 318 static void sppp_ipv6cp_up(struct sppp *sp); 319 static void sppp_ipv6cp_down(struct sppp *sp); 320 static void sppp_ipv6cp_open(struct sppp *sp); 321 static void sppp_ipv6cp_close(struct sppp *sp); 322 static void sppp_ipv6cp_TO(void *sp); 323 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 324 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 325 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 326 static void sppp_ipv6cp_tlu(struct sppp *sp); 327 static void sppp_ipv6cp_tld(struct sppp *sp); 328 static void sppp_ipv6cp_tls(struct sppp *sp); 329 static void sppp_ipv6cp_tlf(struct sppp *sp); 330 static void sppp_ipv6cp_scr(struct sppp *sp); 331 332 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 333 static void sppp_pap_init(struct sppp *sp); 334 static void sppp_pap_open(struct sppp *sp); 335 static void sppp_pap_close(struct sppp *sp); 336 static void sppp_pap_TO(void *sp); 337 static void sppp_pap_my_TO(void *sp); 338 static void sppp_pap_tlu(struct sppp *sp); 339 static void sppp_pap_tld(struct sppp *sp); 340 static void sppp_pap_scr(struct sppp *sp); 341 342 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 343 static void sppp_chap_init(struct sppp *sp); 344 static void sppp_chap_open(struct sppp *sp); 345 static void sppp_chap_close(struct sppp *sp); 346 static void sppp_chap_TO(void *sp); 347 static void sppp_chap_tlu(struct sppp *sp); 348 static void sppp_chap_tld(struct sppp *sp); 349 static void sppp_chap_scr(struct sppp *sp); 350 351 static const char *sppp_auth_type_name(u_short proto, u_char type); 352 static const char *sppp_cp_type_name(u_char type); 353 static const char *sppp_dotted_quad(uint32_t addr); 354 static const char *sppp_ipcp_opt_name(u_char opt); 355 #ifdef INET6 356 static const char *sppp_ipv6cp_opt_name(u_char opt); 357 #endif 358 static const char *sppp_lcp_opt_name(u_char opt); 359 static const char *sppp_phase_name(int phase); 360 static const char *sppp_proto_name(u_short proto); 361 static const char *sppp_state_name(int state); 362 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 363 #ifdef INET 364 static void sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, 365 uint32_t *srcmask); 366 static void sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr); 367 static void sppp_clear_ip_addrs(struct sppp *sp); 368 #endif 369 static void sppp_keepalive(void *dummy); 370 static void sppp_phase_network(struct sppp *sp); 371 static void sppp_print_bytes(const u_char *p, u_short len); 372 static void sppp_print_string(const char *p, u_short len); 373 #ifdef INET6 374 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 375 struct in6_addr *dst, struct in6_addr *srcmask); 376 #ifdef IPV6CP_MYIFID_DYN 377 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 378 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 379 #endif 380 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 381 #endif 382 383 /* our control protocol descriptors */ 384 static const struct cp lcp = { 385 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 386 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 387 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 388 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 389 sppp_lcp_scr 390 }; 391 392 static const struct cp ipcp = { 393 PPP_IPCP, IDX_IPCP, 394 #ifdef INET 395 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 396 #else 397 0, 398 #endif 399 "ipcp", 400 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 401 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 402 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 403 sppp_ipcp_scr 404 }; 405 406 static const struct cp ipv6cp = { 407 PPP_IPV6CP, IDX_IPV6CP, 408 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 409 CP_NCP, 410 #else 411 0, 412 #endif 413 "ipv6cp", 414 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 415 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 416 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 417 sppp_ipv6cp_scr 418 }; 419 420 static const struct cp pap = { 421 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 422 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 423 sppp_pap_TO, 0, 0, 0, 424 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 425 sppp_pap_scr 426 }; 427 428 static const struct cp chap = { 429 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 430 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 431 sppp_chap_TO, 0, 0, 0, 432 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 433 sppp_chap_scr 434 }; 435 436 static const struct cp *cps[IDX_COUNT] = { 437 &lcp, /* IDX_LCP */ 438 &ipcp, /* IDX_IPCP */ 439 &ipv6cp, /* IDX_IPV6CP */ 440 &pap, /* IDX_PAP */ 441 &chap, /* IDX_CHAP */ 442 }; 443 444 445 void spppattach(int); 446 void 447 /*ARGSUSED*/ 448 spppattach(int count) 449 { 450 } 451 452 /* 453 * Exported functions, comprising our interface to the lower layer. 454 */ 455 456 /* 457 * Process the received packet. 458 */ 459 void 460 sppp_input(struct ifnet *ifp, struct mbuf *m) 461 { 462 struct ppp_header *h = NULL; 463 pktqueue_t *pktq = NULL; 464 struct ifqueue *inq = NULL; 465 uint16_t protocol; 466 int s; 467 struct sppp *sp = (struct sppp *)ifp; 468 int debug = ifp->if_flags & IFF_DEBUG; 469 int isr = 0; 470 471 if (ifp->if_flags & IFF_UP) { 472 /* Count received bytes, add hardware framing */ 473 ifp->if_ibytes += m->m_pkthdr.len + sp->pp_framebytes; 474 /* Note time of last receive */ 475 sp->pp_last_receive = time_uptime; 476 } 477 478 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 479 /* Too small packet, drop it. */ 480 if (debug) 481 log(LOG_DEBUG, 482 "%s: input packet is too small, %d bytes\n", 483 ifp->if_xname, m->m_pkthdr.len); 484 drop: 485 ++ifp->if_ierrors; 486 ++ifp->if_iqdrops; 487 m_freem(m); 488 return; 489 } 490 491 if (sp->pp_flags & PP_NOFRAMING) { 492 memcpy(&protocol, mtod(m, void *), 2); 493 protocol = ntohs(protocol); 494 m_adj(m, 2); 495 } else { 496 497 /* Get PPP header. */ 498 h = mtod(m, struct ppp_header *); 499 m_adj(m, PPP_HEADER_LEN); 500 501 switch (h->address) { 502 case PPP_ALLSTATIONS: 503 if (h->control != PPP_UI) 504 goto invalid; 505 if (sp->pp_flags & PP_CISCO) { 506 if (debug) 507 log(LOG_DEBUG, 508 "%s: PPP packet in Cisco mode " 509 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 510 ifp->if_xname, 511 h->address, h->control, ntohs(h->protocol)); 512 goto drop; 513 } 514 break; 515 case CISCO_MULTICAST: 516 case CISCO_UNICAST: 517 /* Don't check the control field here (RFC 1547). */ 518 if (! (sp->pp_flags & PP_CISCO)) { 519 if (debug) 520 log(LOG_DEBUG, 521 "%s: Cisco packet in PPP mode " 522 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 523 ifp->if_xname, 524 h->address, h->control, ntohs(h->protocol)); 525 goto drop; 526 } 527 switch (ntohs(h->protocol)) { 528 default: 529 ++ifp->if_noproto; 530 goto invalid; 531 case CISCO_KEEPALIVE: 532 sppp_cisco_input((struct sppp *) ifp, m); 533 m_freem(m); 534 return; 535 #ifdef INET 536 case ETHERTYPE_IP: 537 pktq = ip_pktq; 538 break; 539 #endif 540 #ifdef INET6 541 case ETHERTYPE_IPV6: 542 pktq = ip6_pktq; 543 break; 544 #endif 545 } 546 goto queue_pkt; 547 default: /* Invalid PPP packet. */ 548 invalid: 549 if (debug) 550 log(LOG_DEBUG, 551 "%s: invalid input packet " 552 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 553 ifp->if_xname, 554 h->address, h->control, ntohs(h->protocol)); 555 goto drop; 556 } 557 protocol = ntohs(h->protocol); 558 } 559 560 switch (protocol) { 561 default: 562 if (sp->state[IDX_LCP] == STATE_OPENED) { 563 uint16_t prot = htons(protocol); 564 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 565 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 566 &prot); 567 } 568 if (debug) 569 log(LOG_DEBUG, 570 "%s: invalid input protocol " 571 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol)); 572 ++ifp->if_noproto; 573 goto drop; 574 case PPP_LCP: 575 sppp_cp_input(&lcp, sp, m); 576 m_freem(m); 577 return; 578 case PPP_PAP: 579 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 580 sppp_pap_input(sp, m); 581 m_freem(m); 582 return; 583 case PPP_CHAP: 584 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 585 sppp_chap_input(sp, m); 586 m_freem(m); 587 return; 588 #ifdef INET 589 case PPP_IPCP: 590 if (sp->pp_phase == SPPP_PHASE_NETWORK) 591 sppp_cp_input(&ipcp, sp, m); 592 m_freem(m); 593 return; 594 case PPP_IP: 595 if (sp->state[IDX_IPCP] == STATE_OPENED) { 596 sp->pp_last_activity = time_uptime; 597 pktq = ip_pktq; 598 } 599 break; 600 #endif 601 #ifdef INET6 602 case PPP_IPV6CP: 603 if (sp->pp_phase == SPPP_PHASE_NETWORK) 604 sppp_cp_input(&ipv6cp, sp, m); 605 m_freem(m); 606 return; 607 608 case PPP_IPV6: 609 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 610 sp->pp_last_activity = time_uptime; 611 pktq = ip6_pktq; 612 } 613 break; 614 #endif 615 } 616 617 queue_pkt: 618 if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) { 619 goto drop; 620 } 621 622 /* Check queue. */ 623 if (__predict_true(pktq)) { 624 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 625 goto drop; 626 } 627 return; 628 } 629 630 s = splnet(); 631 if (IF_QFULL(inq)) { 632 /* Queue overflow. */ 633 IF_DROP(inq); 634 splx(s); 635 if (debug) 636 log(LOG_DEBUG, "%s: protocol queue overflow\n", 637 ifp->if_xname); 638 goto drop; 639 } 640 IF_ENQUEUE(inq, m); 641 schednetisr(isr); 642 splx(s); 643 } 644 645 /* 646 * Enqueue transmit packet. 647 */ 648 static int 649 sppp_output(struct ifnet *ifp, struct mbuf *m, 650 const struct sockaddr *dst, struct rtentry *rt) 651 { 652 struct sppp *sp = (struct sppp *) ifp; 653 struct ppp_header *h = NULL; 654 struct ifqueue *ifq = NULL; /* XXX */ 655 int s, error = 0; 656 uint16_t protocol; 657 ALTQ_DECL(struct altq_pktattr pktattr;) 658 659 s = splnet(); 660 661 sp->pp_last_activity = time_uptime; 662 663 if ((ifp->if_flags & IFF_UP) == 0 || 664 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 665 m_freem(m); 666 splx(s); 667 return (ENETDOWN); 668 } 669 670 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 671 /* 672 * Interface is not yet running, but auto-dial. Need 673 * to start LCP for it. 674 */ 675 ifp->if_flags |= IFF_RUNNING; 676 splx(s); 677 lcp.Open(sp); 678 s = splnet(); 679 } 680 681 /* 682 * If the queueing discipline needs packet classification, 683 * do it before prepending link headers. 684 */ 685 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family, &pktattr); 686 687 #ifdef INET 688 if (dst->sa_family == AF_INET) { 689 struct ip *ip = NULL; 690 struct tcphdr *th = NULL; 691 692 if (m->m_len >= sizeof(struct ip)) { 693 ip = mtod(m, struct ip *); 694 if (ip->ip_p == IPPROTO_TCP && 695 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 696 sizeof(struct tcphdr)) { 697 th = (struct tcphdr *) 698 ((char *)ip + (ip->ip_hl << 2)); 699 } 700 } else 701 ip = NULL; 702 703 /* 704 * When using dynamic local IP address assignment by using 705 * 0.0.0.0 as a local address, the first TCP session will 706 * not connect because the local TCP checksum is computed 707 * using 0.0.0.0 which will later become our real IP address 708 * so the TCP checksum computed at the remote end will 709 * become invalid. So we 710 * - don't let packets with src ip addr 0 thru 711 * - we flag TCP packets with src ip 0 as an error 712 */ 713 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 714 uint8_t proto = ip->ip_p; 715 716 m_freem(m); 717 splx(s); 718 if (proto == IPPROTO_TCP) 719 return (EADDRNOTAVAIL); 720 else 721 return (0); 722 } 723 724 /* 725 * Put low delay, telnet, rlogin and ftp control packets 726 * in front of the queue. 727 */ 728 729 if (!IF_QFULL(&sp->pp_fastq) && 730 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 731 (th && (INTERACTIVE(ntohs(th->th_sport)) || 732 INTERACTIVE(ntohs(th->th_dport)))))) 733 ifq = &sp->pp_fastq; 734 } 735 #endif 736 737 #ifdef INET6 738 if (dst->sa_family == AF_INET6) { 739 /* XXX do something tricky here? */ 740 } 741 #endif 742 743 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 744 /* 745 * Prepend general data packet PPP header. For now, IP only. 746 */ 747 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 748 if (! m) { 749 if (ifp->if_flags & IFF_DEBUG) 750 log(LOG_DEBUG, "%s: no memory for transmit header\n", 751 ifp->if_xname); 752 ++ifp->if_oerrors; 753 splx(s); 754 return (ENOBUFS); 755 } 756 /* 757 * May want to check size of packet 758 * (albeit due to the implementation it's always enough) 759 */ 760 h = mtod(m, struct ppp_header *); 761 if (sp->pp_flags & PP_CISCO) { 762 h->address = CISCO_UNICAST; /* unicast address */ 763 h->control = 0; 764 } else { 765 h->address = PPP_ALLSTATIONS; /* broadcast address */ 766 h->control = PPP_UI; /* Unnumbered Info */ 767 } 768 } 769 770 switch (dst->sa_family) { 771 #ifdef INET 772 case AF_INET: /* Internet Protocol */ 773 if (sp->pp_flags & PP_CISCO) 774 protocol = htons(ETHERTYPE_IP); 775 else { 776 /* 777 * Don't choke with an ENETDOWN early. It's 778 * possible that we just started dialing out, 779 * so don't drop the packet immediately. If 780 * we notice that we run out of buffer space 781 * below, we will however remember that we are 782 * not ready to carry IP packets, and return 783 * ENETDOWN, as opposed to ENOBUFS. 784 */ 785 protocol = htons(PPP_IP); 786 if (sp->state[IDX_IPCP] != STATE_OPENED) 787 error = ENETDOWN; 788 } 789 break; 790 #endif 791 #ifdef INET6 792 case AF_INET6: /* Internet Protocol version 6 */ 793 if (sp->pp_flags & PP_CISCO) 794 protocol = htons(ETHERTYPE_IPV6); 795 else { 796 /* 797 * Don't choke with an ENETDOWN early. It's 798 * possible that we just started dialing out, 799 * so don't drop the packet immediately. If 800 * we notice that we run out of buffer space 801 * below, we will however remember that we are 802 * not ready to carry IP packets, and return 803 * ENETDOWN, as opposed to ENOBUFS. 804 */ 805 protocol = htons(PPP_IPV6); 806 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 807 error = ENETDOWN; 808 } 809 break; 810 #endif 811 default: 812 m_freem(m); 813 ++ifp->if_oerrors; 814 splx(s); 815 return (EAFNOSUPPORT); 816 } 817 818 if (sp->pp_flags & PP_NOFRAMING) { 819 M_PREPEND(m, 2, M_DONTWAIT); 820 if (m == NULL) { 821 if (ifp->if_flags & IFF_DEBUG) 822 log(LOG_DEBUG, "%s: no memory for transmit header\n", 823 ifp->if_xname); 824 ++ifp->if_oerrors; 825 splx(s); 826 return (ENOBUFS); 827 } 828 *mtod(m, uint16_t *) = protocol; 829 } else { 830 h->protocol = protocol; 831 } 832 833 834 error = ifq_enqueue2(ifp, ifq, m ALTQ_COMMA ALTQ_DECL(&pktattr)); 835 836 if (error == 0) { 837 /* 838 * Count output packets and bytes. 839 * The packet length includes header + additional hardware 840 * framing according to RFC 1333. 841 */ 842 if (!(ifp->if_flags & IFF_OACTIVE)) 843 (*ifp->if_start)(ifp); 844 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 845 } 846 splx(s); 847 return error; 848 } 849 850 void 851 sppp_attach(struct ifnet *ifp) 852 { 853 struct sppp *sp = (struct sppp *) ifp; 854 855 /* Initialize keepalive handler. */ 856 if (! spppq) { 857 callout_init(&keepalive_ch, 0); 858 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 859 } 860 861 /* Insert new entry into the keepalive list. */ 862 sp->pp_next = spppq; 863 spppq = sp; 864 865 sp->pp_if.if_type = IFT_PPP; 866 sp->pp_if.if_output = sppp_output; 867 sp->pp_fastq.ifq_maxlen = 32; 868 sp->pp_cpq.ifq_maxlen = 20; 869 sp->pp_loopcnt = 0; 870 sp->pp_alivecnt = 0; 871 sp->pp_last_activity = 0; 872 sp->pp_last_receive = 0; 873 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 874 sp->pp_max_noreceive = DEFAULT_NORECV_TIME; 875 sp->pp_idle_timeout = 0; 876 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq)); 877 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq)); 878 sp->pp_auth_failures = 0; 879 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 880 sp->pp_phase = SPPP_PHASE_DEAD; 881 sp->pp_up = lcp.Up; 882 sp->pp_down = lcp.Down; 883 884 if_alloc_sadl(ifp); 885 886 memset(&sp->myauth, 0, sizeof sp->myauth); 887 memset(&sp->hisauth, 0, sizeof sp->hisauth); 888 sppp_lcp_init(sp); 889 sppp_ipcp_init(sp); 890 sppp_ipv6cp_init(sp); 891 sppp_pap_init(sp); 892 sppp_chap_init(sp); 893 } 894 895 void 896 sppp_detach(struct ifnet *ifp) 897 { 898 struct sppp **q, *p, *sp = (struct sppp *) ifp; 899 900 /* Remove the entry from the keepalive list. */ 901 for (q = &spppq; (p = *q); q = &p->pp_next) 902 if (p == sp) { 903 *q = p->pp_next; 904 break; 905 } 906 907 /* Stop keepalive handler. */ 908 if (! spppq) { 909 callout_stop(&keepalive_ch); 910 } 911 912 callout_stop(&sp->ch[IDX_LCP]); 913 callout_stop(&sp->ch[IDX_IPCP]); 914 callout_stop(&sp->ch[IDX_PAP]); 915 callout_stop(&sp->ch[IDX_CHAP]); 916 #ifdef INET6 917 callout_stop(&sp->ch[IDX_IPV6CP]); 918 #endif 919 callout_stop(&sp->pap_my_to_ch); 920 921 /* free authentication info */ 922 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 923 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 924 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 925 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 926 } 927 928 /* 929 * Flush the interface output queue. 930 */ 931 void 932 sppp_flush(struct ifnet *ifp) 933 { 934 struct sppp *sp = (struct sppp *) ifp; 935 936 IFQ_PURGE(&sp->pp_if.if_snd); 937 IF_PURGE(&sp->pp_fastq); 938 IF_PURGE(&sp->pp_cpq); 939 } 940 941 /* 942 * Check if the output queue is empty. 943 */ 944 int 945 sppp_isempty(struct ifnet *ifp) 946 { 947 struct sppp *sp = (struct sppp *) ifp; 948 int empty, s; 949 950 s = splnet(); 951 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 952 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 953 splx(s); 954 return (empty); 955 } 956 957 /* 958 * Get next packet to send. 959 */ 960 struct mbuf * 961 sppp_dequeue(struct ifnet *ifp) 962 { 963 struct sppp *sp = (struct sppp *) ifp; 964 struct mbuf *m; 965 int s; 966 967 s = splnet(); 968 /* 969 * Process only the control protocol queue until we have at 970 * least one NCP open. 971 * 972 * Do always serve all three queues in Cisco mode. 973 */ 974 IF_DEQUEUE(&sp->pp_cpq, m); 975 if (m == NULL && 976 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) { 977 IF_DEQUEUE(&sp->pp_fastq, m); 978 if (m == NULL) 979 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 980 } 981 splx(s); 982 return m; 983 } 984 985 /* 986 * Process an ioctl request. Called on low priority level. 987 */ 988 int 989 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 990 { 991 struct lwp *l = curlwp; /* XXX */ 992 struct ifreq *ifr = (struct ifreq *) data; 993 struct ifaddr *ifa = (struct ifaddr *) data; 994 struct sppp *sp = (struct sppp *) ifp; 995 int s, error=0, going_up, going_down, newmode; 996 997 s = splnet(); 998 switch (cmd) { 999 case SIOCINITIFADDR: 1000 ifa->ifa_rtrequest = p2p_rtrequest; 1001 break; 1002 1003 case SIOCSIFFLAGS: 1004 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1005 break; 1006 going_up = ifp->if_flags & IFF_UP && 1007 (ifp->if_flags & IFF_RUNNING) == 0; 1008 going_down = (ifp->if_flags & IFF_UP) == 0 && 1009 ifp->if_flags & IFF_RUNNING; 1010 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1011 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1012 /* sanity */ 1013 newmode = IFF_PASSIVE; 1014 ifp->if_flags &= ~IFF_AUTO; 1015 } 1016 1017 if (going_up || going_down) 1018 lcp.Close(sp); 1019 if (going_up && newmode == 0) { 1020 /* neither auto-dial nor passive */ 1021 ifp->if_flags |= IFF_RUNNING; 1022 if (!(sp->pp_flags & PP_CISCO)) 1023 lcp.Open(sp); 1024 } else if (going_down) { 1025 sppp_flush(ifp); 1026 ifp->if_flags &= ~IFF_RUNNING; 1027 } 1028 1029 break; 1030 1031 case SIOCSIFMTU: 1032 if (ifr->ifr_mtu < PPP_MINMRU || 1033 ifr->ifr_mtu > sp->lcp.their_mru) { 1034 error = EINVAL; 1035 break; 1036 } 1037 /*FALLTHROUGH*/ 1038 case SIOCGIFMTU: 1039 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1040 error = 0; 1041 break; 1042 case SIOCADDMULTI: 1043 case SIOCDELMULTI: 1044 break; 1045 1046 case SPPPSETAUTHCFG: 1047 case SPPPSETLCPCFG: 1048 case SPPPSETIDLETO: 1049 case SPPPSETAUTHFAILURE: 1050 case SPPPSETDNSOPTS: 1051 case SPPPSETKEEPALIVE: 1052 #if defined(COMPAT_50) || defined(MODULAR) 1053 case __SPPPSETIDLETO50: 1054 case __SPPPSETKEEPALIVE50: 1055 #endif /* COMPAT_50 || MODULAR */ 1056 error = kauth_authorize_network(l->l_cred, 1057 KAUTH_NETWORK_INTERFACE, 1058 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1059 NULL); 1060 if (error) 1061 break; 1062 error = sppp_params(sp, cmd, data); 1063 break; 1064 1065 case SPPPGETAUTHCFG: 1066 case SPPPGETLCPCFG: 1067 case SPPPGETAUTHFAILURES: 1068 error = kauth_authorize_network(l->l_cred, 1069 KAUTH_NETWORK_INTERFACE, 1070 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1071 NULL); 1072 if (error) 1073 break; 1074 error = sppp_params(sp, cmd, data); 1075 break; 1076 1077 case SPPPGETSTATUS: 1078 case SPPPGETSTATUSNCP: 1079 case SPPPGETIDLETO: 1080 case SPPPGETDNSOPTS: 1081 case SPPPGETDNSADDRS: 1082 case SPPPGETKEEPALIVE: 1083 #if defined(COMPAT_50) || defined(MODULAR) 1084 case __SPPPGETIDLETO50: 1085 case __SPPPGETKEEPALIVE50: 1086 #endif /* COMPAT_50 || MODULAR */ 1087 error = sppp_params(sp, cmd, data); 1088 break; 1089 1090 default: 1091 error = ifioctl_common(ifp, cmd, data); 1092 break; 1093 } 1094 splx(s); 1095 return (error); 1096 } 1097 1098 1099 /* 1100 * Cisco framing implementation. 1101 */ 1102 1103 /* 1104 * Handle incoming Cisco keepalive protocol packets. 1105 */ 1106 static void 1107 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1108 { 1109 STDDCL; 1110 struct cisco_packet *h; 1111 #ifdef INET 1112 uint32_t me, mymask = 0; /* XXX: GCC */ 1113 #endif 1114 1115 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1116 if (debug) 1117 log(LOG_DEBUG, 1118 "%s: cisco invalid packet length: %d bytes\n", 1119 ifp->if_xname, m->m_pkthdr.len); 1120 return; 1121 } 1122 h = mtod(m, struct cisco_packet *); 1123 if (debug) 1124 log(LOG_DEBUG, 1125 "%s: cisco input: %d bytes " 1126 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1127 ifp->if_xname, m->m_pkthdr.len, 1128 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1129 (u_int)h->time0, (u_int)h->time1); 1130 switch (ntohl(h->type)) { 1131 default: 1132 if (debug) 1133 addlog("%s: cisco unknown packet type: 0x%x\n", 1134 ifp->if_xname, ntohl(h->type)); 1135 break; 1136 case CISCO_ADDR_REPLY: 1137 /* Reply on address request, ignore */ 1138 break; 1139 case CISCO_KEEPALIVE_REQ: 1140 sp->pp_alivecnt = 0; 1141 sp->pp_rseq[IDX_LCP] = ntohl(h->par1); 1142 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1143 /* Local and remote sequence numbers are equal. 1144 * Probably, the line is in loopback mode. */ 1145 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1146 printf ("%s: loopback\n", 1147 ifp->if_xname); 1148 sp->pp_loopcnt = 0; 1149 if (ifp->if_flags & IFF_UP) { 1150 if_down(ifp); 1151 IF_PURGE(&sp->pp_cpq); 1152 } 1153 } 1154 ++sp->pp_loopcnt; 1155 1156 /* Generate new local sequence number */ 1157 sp->pp_seq[IDX_LCP] = cprng_fast32(); 1158 break; 1159 } 1160 sp->pp_loopcnt = 0; 1161 if (! (ifp->if_flags & IFF_UP) && 1162 (ifp->if_flags & IFF_RUNNING)) { 1163 if_up(ifp); 1164 } 1165 break; 1166 case CISCO_ADDR_REQ: 1167 #ifdef INET 1168 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1169 if (me != 0L) 1170 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1171 #endif 1172 break; 1173 } 1174 } 1175 1176 /* 1177 * Send Cisco keepalive packet. 1178 */ 1179 static void 1180 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1181 { 1182 STDDCL; 1183 struct ppp_header *h; 1184 struct cisco_packet *ch; 1185 struct mbuf *m; 1186 uint32_t t; 1187 1188 t = time_uptime * 1000; 1189 MGETHDR(m, M_DONTWAIT, MT_DATA); 1190 if (! m) 1191 return; 1192 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1193 m->m_pkthdr.rcvif = 0; 1194 1195 h = mtod(m, struct ppp_header *); 1196 h->address = CISCO_MULTICAST; 1197 h->control = 0; 1198 h->protocol = htons(CISCO_KEEPALIVE); 1199 1200 ch = (struct cisco_packet *)(h + 1); 1201 ch->type = htonl(type); 1202 ch->par1 = htonl(par1); 1203 ch->par2 = htonl(par2); 1204 ch->rel = -1; 1205 1206 ch->time0 = htons((u_short)(t >> 16)); 1207 ch->time1 = htons((u_short) t); 1208 1209 if (debug) 1210 log(LOG_DEBUG, 1211 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1212 ifp->if_xname, ntohl(ch->type), ch->par1, 1213 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1214 (u_int)ch->time1); 1215 1216 if (IF_QFULL(&sp->pp_cpq)) { 1217 IF_DROP(&sp->pp_fastq); 1218 IF_DROP(&ifp->if_snd); 1219 m_freem(m); 1220 ++ifp->if_oerrors; 1221 return; 1222 } else 1223 IF_ENQUEUE(&sp->pp_cpq, m); 1224 if (! (ifp->if_flags & IFF_OACTIVE)) 1225 (*ifp->if_start)(ifp); 1226 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1227 } 1228 1229 /* 1230 * PPP protocol implementation. 1231 */ 1232 1233 /* 1234 * Send PPP control protocol packet. 1235 */ 1236 static void 1237 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1238 u_char ident, u_short len, void *data) 1239 { 1240 STDDCL; 1241 struct lcp_header *lh; 1242 struct mbuf *m; 1243 size_t pkthdrlen; 1244 1245 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1246 1247 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1248 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1249 MGETHDR(m, M_DONTWAIT, MT_DATA); 1250 if (! m) 1251 return; 1252 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1253 m->m_pkthdr.rcvif = 0; 1254 1255 if (sp->pp_flags & PP_NOFRAMING) { 1256 *mtod(m, uint16_t *) = htons(proto); 1257 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1258 } else { 1259 struct ppp_header *h; 1260 h = mtod(m, struct ppp_header *); 1261 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1262 h->control = PPP_UI; /* Unnumbered Info */ 1263 h->protocol = htons(proto); /* Link Control Protocol */ 1264 lh = (struct lcp_header *)(h + 1); 1265 } 1266 lh->type = type; 1267 lh->ident = ident; 1268 lh->len = htons(LCP_HEADER_LEN + len); 1269 if (len) 1270 bcopy (data, lh + 1, len); 1271 1272 if (debug) { 1273 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1274 ifp->if_xname, 1275 sppp_proto_name(proto), 1276 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len)); 1277 if (len) 1278 sppp_print_bytes((u_char *)(lh + 1), len); 1279 addlog(">\n"); 1280 } 1281 if (IF_QFULL(&sp->pp_cpq)) { 1282 IF_DROP(&sp->pp_fastq); 1283 IF_DROP(&ifp->if_snd); 1284 m_freem(m); 1285 ++ifp->if_oerrors; 1286 return; 1287 } else 1288 IF_ENQUEUE(&sp->pp_cpq, m); 1289 if (! (ifp->if_flags & IFF_OACTIVE)) 1290 (*ifp->if_start)(ifp); 1291 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1292 } 1293 1294 /* 1295 * Handle incoming PPP control protocol packets. 1296 */ 1297 static void 1298 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1299 { 1300 STDDCL; 1301 struct lcp_header *h; 1302 int printlen, len = m->m_pkthdr.len; 1303 int rv; 1304 u_char *p; 1305 uint32_t u32; 1306 1307 if (len < 4) { 1308 if (debug) 1309 log(LOG_DEBUG, 1310 "%s: %s invalid packet length: %d bytes\n", 1311 ifp->if_xname, cp->name, len); 1312 return; 1313 } 1314 h = mtod(m, struct lcp_header *); 1315 if (debug) { 1316 printlen = ntohs(h->len); 1317 log(LOG_DEBUG, 1318 "%s: %s input(%s): <%s id=0x%x len=%d", 1319 ifp->if_xname, cp->name, 1320 sppp_state_name(sp->state[cp->protoidx]), 1321 sppp_cp_type_name(h->type), h->ident, printlen); 1322 if (len < printlen) 1323 printlen = len; 1324 if (printlen > 4) 1325 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1326 addlog(">\n"); 1327 } 1328 if (len > ntohs(h->len)) 1329 len = ntohs(h->len); 1330 p = (u_char *)(h + 1); 1331 switch (h->type) { 1332 case CONF_REQ: 1333 if (len < 4) { 1334 if (debug) 1335 addlog("%s: %s invalid conf-req length %d\n", 1336 ifp->if_xname, cp->name, 1337 len); 1338 ++ifp->if_ierrors; 1339 break; 1340 } 1341 /* handle states where RCR doesn't get a SCA/SCN */ 1342 switch (sp->state[cp->protoidx]) { 1343 case STATE_CLOSING: 1344 case STATE_STOPPING: 1345 return; 1346 case STATE_CLOSED: 1347 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1348 0, 0); 1349 return; 1350 } 1351 rv = (cp->RCR)(sp, h, len); 1352 if (rv < 0) { 1353 /* fatal error, shut down */ 1354 (cp->tld)(sp); 1355 sppp_lcp_tlf(sp); 1356 return; 1357 } 1358 switch (sp->state[cp->protoidx]) { 1359 case STATE_OPENED: 1360 (cp->tld)(sp); 1361 (cp->scr)(sp); 1362 /* fall through... */ 1363 case STATE_ACK_SENT: 1364 case STATE_REQ_SENT: 1365 sppp_cp_change_state(cp, sp, rv? 1366 STATE_ACK_SENT: STATE_REQ_SENT); 1367 break; 1368 case STATE_STOPPED: 1369 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1370 (cp->scr)(sp); 1371 sppp_cp_change_state(cp, sp, rv? 1372 STATE_ACK_SENT: STATE_REQ_SENT); 1373 break; 1374 case STATE_ACK_RCVD: 1375 if (rv) { 1376 sppp_cp_change_state(cp, sp, STATE_OPENED); 1377 if (debug) 1378 log(LOG_DEBUG, "%s: %s tlu\n", 1379 ifp->if_xname, 1380 cp->name); 1381 (cp->tlu)(sp); 1382 } else 1383 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1384 break; 1385 default: 1386 printf("%s: %s illegal %s in state %s\n", 1387 ifp->if_xname, cp->name, 1388 sppp_cp_type_name(h->type), 1389 sppp_state_name(sp->state[cp->protoidx])); 1390 ++ifp->if_ierrors; 1391 } 1392 break; 1393 case CONF_ACK: 1394 if (h->ident != sp->confid[cp->protoidx]) { 1395 if (debug) 1396 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1397 ifp->if_xname, cp->name, 1398 h->ident, sp->confid[cp->protoidx]); 1399 ++ifp->if_ierrors; 1400 break; 1401 } 1402 switch (sp->state[cp->protoidx]) { 1403 case STATE_CLOSED: 1404 case STATE_STOPPED: 1405 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1406 break; 1407 case STATE_CLOSING: 1408 case STATE_STOPPING: 1409 break; 1410 case STATE_REQ_SENT: 1411 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1412 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1413 break; 1414 case STATE_OPENED: 1415 (cp->tld)(sp); 1416 /* fall through */ 1417 case STATE_ACK_RCVD: 1418 (cp->scr)(sp); 1419 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1420 break; 1421 case STATE_ACK_SENT: 1422 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1423 sppp_cp_change_state(cp, sp, STATE_OPENED); 1424 if (debug) 1425 log(LOG_DEBUG, "%s: %s tlu\n", 1426 ifp->if_xname, cp->name); 1427 (cp->tlu)(sp); 1428 break; 1429 default: 1430 printf("%s: %s illegal %s in state %s\n", 1431 ifp->if_xname, cp->name, 1432 sppp_cp_type_name(h->type), 1433 sppp_state_name(sp->state[cp->protoidx])); 1434 ++ifp->if_ierrors; 1435 } 1436 break; 1437 case CONF_NAK: 1438 case CONF_REJ: 1439 if (h->ident != sp->confid[cp->protoidx]) { 1440 if (debug) 1441 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1442 ifp->if_xname, cp->name, 1443 h->ident, sp->confid[cp->protoidx]); 1444 ++ifp->if_ierrors; 1445 break; 1446 } 1447 if (h->type == CONF_NAK) 1448 (cp->RCN_nak)(sp, h, len); 1449 else /* CONF_REJ */ 1450 (cp->RCN_rej)(sp, h, len); 1451 1452 switch (sp->state[cp->protoidx]) { 1453 case STATE_CLOSED: 1454 case STATE_STOPPED: 1455 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1456 break; 1457 case STATE_REQ_SENT: 1458 case STATE_ACK_SENT: 1459 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1460 (cp->scr)(sp); 1461 break; 1462 case STATE_OPENED: 1463 (cp->tld)(sp); 1464 /* fall through */ 1465 case STATE_ACK_RCVD: 1466 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 1467 (cp->scr)(sp); 1468 break; 1469 case STATE_CLOSING: 1470 case STATE_STOPPING: 1471 break; 1472 default: 1473 printf("%s: %s illegal %s in state %s\n", 1474 ifp->if_xname, cp->name, 1475 sppp_cp_type_name(h->type), 1476 sppp_state_name(sp->state[cp->protoidx])); 1477 ++ifp->if_ierrors; 1478 } 1479 break; 1480 1481 case TERM_REQ: 1482 switch (sp->state[cp->protoidx]) { 1483 case STATE_ACK_RCVD: 1484 case STATE_ACK_SENT: 1485 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1486 /* fall through */ 1487 case STATE_CLOSED: 1488 case STATE_STOPPED: 1489 case STATE_CLOSING: 1490 case STATE_STOPPING: 1491 case STATE_REQ_SENT: 1492 sta: 1493 /* Send Terminate-Ack packet. */ 1494 if (debug) 1495 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 1496 ifp->if_xname, cp->name); 1497 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1498 break; 1499 case STATE_OPENED: 1500 (cp->tld)(sp); 1501 sp->rst_counter[cp->protoidx] = 0; 1502 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1503 goto sta; 1504 default: 1505 printf("%s: %s illegal %s in state %s\n", 1506 ifp->if_xname, cp->name, 1507 sppp_cp_type_name(h->type), 1508 sppp_state_name(sp->state[cp->protoidx])); 1509 ++ifp->if_ierrors; 1510 } 1511 break; 1512 case TERM_ACK: 1513 switch (sp->state[cp->protoidx]) { 1514 case STATE_CLOSED: 1515 case STATE_STOPPED: 1516 case STATE_REQ_SENT: 1517 case STATE_ACK_SENT: 1518 break; 1519 case STATE_CLOSING: 1520 (cp->tlf)(sp); 1521 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1522 sppp_lcp_check_and_close(sp); 1523 break; 1524 case STATE_STOPPING: 1525 (cp->tlf)(sp); 1526 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1527 sppp_lcp_check_and_close(sp); 1528 break; 1529 case STATE_ACK_RCVD: 1530 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1531 break; 1532 case STATE_OPENED: 1533 (cp->tld)(sp); 1534 (cp->scr)(sp); 1535 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1536 break; 1537 default: 1538 printf("%s: %s illegal %s in state %s\n", 1539 ifp->if_xname, cp->name, 1540 sppp_cp_type_name(h->type), 1541 sppp_state_name(sp->state[cp->protoidx])); 1542 ++ifp->if_ierrors; 1543 } 1544 break; 1545 case CODE_REJ: 1546 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1547 log(LOG_INFO, 1548 "%s: %s: ignoring RXJ (%s) for code ?, " 1549 "danger will robinson\n", 1550 ifp->if_xname, cp->name, 1551 sppp_cp_type_name(h->type)); 1552 switch (sp->state[cp->protoidx]) { 1553 case STATE_CLOSED: 1554 case STATE_STOPPED: 1555 case STATE_REQ_SENT: 1556 case STATE_ACK_SENT: 1557 case STATE_CLOSING: 1558 case STATE_STOPPING: 1559 case STATE_OPENED: 1560 break; 1561 case STATE_ACK_RCVD: 1562 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1563 break; 1564 default: 1565 printf("%s: %s illegal %s in state %s\n", 1566 ifp->if_xname, cp->name, 1567 sppp_cp_type_name(h->type), 1568 sppp_state_name(sp->state[cp->protoidx])); 1569 ++ifp->if_ierrors; 1570 } 1571 break; 1572 case PROTO_REJ: 1573 { 1574 int catastrophic; 1575 const struct cp *upper; 1576 int i; 1577 uint16_t proto; 1578 1579 catastrophic = 0; 1580 upper = NULL; 1581 proto = p[0] << 8 | p[1]; 1582 for (i = 0; i < IDX_COUNT; i++) { 1583 if (cps[i]->proto == proto) { 1584 upper = cps[i]; 1585 break; 1586 } 1587 } 1588 if (upper == NULL) 1589 catastrophic++; 1590 1591 if (debug) 1592 log(LOG_INFO, 1593 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1594 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1595 sppp_cp_type_name(h->type), proto, 1596 upper ? upper->name : "unknown", 1597 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1598 1599 /* 1600 * if we got RXJ+ against conf-req, the peer does not implement 1601 * this particular protocol type. terminate the protocol. 1602 */ 1603 if (upper && !catastrophic) { 1604 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1605 upper->Close(sp); 1606 break; 1607 } 1608 } 1609 1610 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1611 switch (sp->state[cp->protoidx]) { 1612 case STATE_CLOSED: 1613 case STATE_STOPPED: 1614 case STATE_REQ_SENT: 1615 case STATE_ACK_SENT: 1616 case STATE_CLOSING: 1617 case STATE_STOPPING: 1618 case STATE_OPENED: 1619 break; 1620 case STATE_ACK_RCVD: 1621 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1622 break; 1623 default: 1624 printf("%s: %s illegal %s in state %s\n", 1625 ifp->if_xname, cp->name, 1626 sppp_cp_type_name(h->type), 1627 sppp_state_name(sp->state[cp->protoidx])); 1628 ++ifp->if_ierrors; 1629 } 1630 break; 1631 } 1632 case DISC_REQ: 1633 if (cp->proto != PPP_LCP) 1634 goto illegal; 1635 /* Discard the packet. */ 1636 break; 1637 case ECHO_REQ: 1638 if (cp->proto != PPP_LCP) 1639 goto illegal; 1640 if (sp->state[cp->protoidx] != STATE_OPENED) { 1641 if (debug) 1642 addlog("%s: lcp echo req but lcp closed\n", 1643 ifp->if_xname); 1644 ++ifp->if_ierrors; 1645 break; 1646 } 1647 if (len < 8) { 1648 if (debug) 1649 addlog("%s: invalid lcp echo request " 1650 "packet length: %d bytes\n", 1651 ifp->if_xname, len); 1652 break; 1653 } 1654 memcpy(&u32, h + 1, sizeof u32); 1655 if (ntohl(u32) == sp->lcp.magic) { 1656 /* Line loopback mode detected. */ 1657 printf("%s: loopback\n", ifp->if_xname); 1658 if_down(ifp); 1659 IF_PURGE(&sp->pp_cpq); 1660 1661 /* Shut down the PPP link. */ 1662 /* XXX */ 1663 lcp.Down(sp); 1664 lcp.Up(sp); 1665 break; 1666 } 1667 u32 = htonl(sp->lcp.magic); 1668 memcpy(h + 1, &u32, sizeof u32); 1669 if (debug) 1670 addlog("%s: got lcp echo req, sending echo rep\n", 1671 ifp->if_xname); 1672 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1673 h + 1); 1674 break; 1675 case ECHO_REPLY: 1676 if (cp->proto != PPP_LCP) 1677 goto illegal; 1678 if (h->ident != sp->lcp.echoid) { 1679 ++ifp->if_ierrors; 1680 break; 1681 } 1682 if (len < 8) { 1683 if (debug) 1684 addlog("%s: lcp invalid echo reply " 1685 "packet length: %d bytes\n", 1686 ifp->if_xname, len); 1687 break; 1688 } 1689 if (debug) 1690 addlog("%s: lcp got echo rep\n", 1691 ifp->if_xname); 1692 memcpy(&u32, h + 1, sizeof u32); 1693 if (ntohl(u32) != sp->lcp.magic) 1694 sp->pp_alivecnt = 0; 1695 break; 1696 default: 1697 /* Unknown packet type -- send Code-Reject packet. */ 1698 illegal: 1699 if (debug) 1700 addlog("%s: %s send code-rej for 0x%x\n", 1701 ifp->if_xname, cp->name, h->type); 1702 sppp_cp_send(sp, cp->proto, CODE_REJ, 1703 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1704 ++ifp->if_ierrors; 1705 } 1706 } 1707 1708 1709 /* 1710 * The generic part of all Up/Down/Open/Close/TO event handlers. 1711 * Basically, the state transition handling in the automaton. 1712 */ 1713 static void 1714 sppp_up_event(const struct cp *cp, struct sppp *sp) 1715 { 1716 STDDCL; 1717 1718 if (debug) 1719 log(LOG_DEBUG, "%s: %s up(%s)\n", 1720 ifp->if_xname, cp->name, 1721 sppp_state_name(sp->state[cp->protoidx])); 1722 1723 switch (sp->state[cp->protoidx]) { 1724 case STATE_INITIAL: 1725 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1726 break; 1727 case STATE_STARTING: 1728 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1729 (cp->scr)(sp); 1730 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1731 break; 1732 default: 1733 printf("%s: %s illegal up in state %s\n", 1734 ifp->if_xname, cp->name, 1735 sppp_state_name(sp->state[cp->protoidx])); 1736 } 1737 } 1738 1739 static void 1740 sppp_down_event(const struct cp *cp, struct sppp *sp) 1741 { 1742 STDDCL; 1743 1744 if (debug) 1745 log(LOG_DEBUG, "%s: %s down(%s)\n", 1746 ifp->if_xname, cp->name, 1747 sppp_state_name(sp->state[cp->protoidx])); 1748 1749 switch (sp->state[cp->protoidx]) { 1750 case STATE_CLOSED: 1751 case STATE_CLOSING: 1752 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1753 break; 1754 case STATE_STOPPED: 1755 (cp->tls)(sp); 1756 /* fall through */ 1757 case STATE_STOPPING: 1758 case STATE_REQ_SENT: 1759 case STATE_ACK_RCVD: 1760 case STATE_ACK_SENT: 1761 sppp_cp_change_state(cp, sp, STATE_STARTING); 1762 break; 1763 case STATE_OPENED: 1764 (cp->tld)(sp); 1765 sppp_cp_change_state(cp, sp, STATE_STARTING); 1766 break; 1767 default: 1768 printf("%s: %s illegal down in state %s\n", 1769 ifp->if_xname, cp->name, 1770 sppp_state_name(sp->state[cp->protoidx])); 1771 } 1772 } 1773 1774 1775 static void 1776 sppp_open_event(const struct cp *cp, struct sppp *sp) 1777 { 1778 STDDCL; 1779 1780 if (debug) 1781 log(LOG_DEBUG, "%s: %s open(%s)\n", 1782 ifp->if_xname, cp->name, 1783 sppp_state_name(sp->state[cp->protoidx])); 1784 1785 switch (sp->state[cp->protoidx]) { 1786 case STATE_INITIAL: 1787 sppp_cp_change_state(cp, sp, STATE_STARTING); 1788 (cp->tls)(sp); 1789 break; 1790 case STATE_STARTING: 1791 break; 1792 case STATE_CLOSED: 1793 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1794 (cp->scr)(sp); 1795 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1796 break; 1797 case STATE_STOPPED: 1798 case STATE_STOPPING: 1799 case STATE_REQ_SENT: 1800 case STATE_ACK_RCVD: 1801 case STATE_ACK_SENT: 1802 case STATE_OPENED: 1803 break; 1804 case STATE_CLOSING: 1805 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1806 break; 1807 } 1808 } 1809 1810 1811 static void 1812 sppp_close_event(const struct cp *cp, struct sppp *sp) 1813 { 1814 STDDCL; 1815 1816 if (debug) 1817 log(LOG_DEBUG, "%s: %s close(%s)\n", 1818 ifp->if_xname, cp->name, 1819 sppp_state_name(sp->state[cp->protoidx])); 1820 1821 switch (sp->state[cp->protoidx]) { 1822 case STATE_INITIAL: 1823 case STATE_CLOSED: 1824 case STATE_CLOSING: 1825 break; 1826 case STATE_STARTING: 1827 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1828 (cp->tlf)(sp); 1829 break; 1830 case STATE_STOPPED: 1831 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1832 break; 1833 case STATE_STOPPING: 1834 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1835 break; 1836 case STATE_OPENED: 1837 (cp->tld)(sp); 1838 /* fall through */ 1839 case STATE_REQ_SENT: 1840 case STATE_ACK_RCVD: 1841 case STATE_ACK_SENT: 1842 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 1843 sppp_cp_send(sp, cp->proto, TERM_REQ, 1844 ++sp->pp_seq[cp->protoidx], 0, 0); 1845 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1846 break; 1847 } 1848 } 1849 1850 static void 1851 sppp_to_event(const struct cp *cp, struct sppp *sp) 1852 { 1853 STDDCL; 1854 int s; 1855 1856 s = splnet(); 1857 if (debug) 1858 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 1859 ifp->if_xname, cp->name, 1860 sppp_state_name(sp->state[cp->protoidx]), 1861 sp->rst_counter[cp->protoidx]); 1862 1863 if (--sp->rst_counter[cp->protoidx] < 0) 1864 /* TO- event */ 1865 switch (sp->state[cp->protoidx]) { 1866 case STATE_CLOSING: 1867 (cp->tlf)(sp); 1868 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1869 sppp_lcp_check_and_close(sp); 1870 break; 1871 case STATE_STOPPING: 1872 (cp->tlf)(sp); 1873 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1874 sppp_lcp_check_and_close(sp); 1875 break; 1876 case STATE_REQ_SENT: 1877 case STATE_ACK_RCVD: 1878 case STATE_ACK_SENT: 1879 (cp->tlf)(sp); 1880 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1881 sppp_lcp_check_and_close(sp); 1882 break; 1883 } 1884 else 1885 /* TO+ event */ 1886 switch (sp->state[cp->protoidx]) { 1887 case STATE_CLOSING: 1888 case STATE_STOPPING: 1889 sppp_cp_send(sp, cp->proto, TERM_REQ, 1890 ++sp->pp_seq[cp->protoidx], 0, 0); 1891 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1892 cp->TO, sp); 1893 break; 1894 case STATE_REQ_SENT: 1895 case STATE_ACK_RCVD: 1896 (cp->scr)(sp); 1897 /* sppp_cp_change_state() will restart the timer */ 1898 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1899 break; 1900 case STATE_ACK_SENT: 1901 (cp->scr)(sp); 1902 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1903 cp->TO, sp); 1904 break; 1905 } 1906 1907 splx(s); 1908 } 1909 1910 /* 1911 * Change the state of a control protocol in the state automaton. 1912 * Takes care of starting/stopping the restart timer. 1913 */ 1914 void 1915 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 1916 { 1917 sp->state[cp->protoidx] = newstate; 1918 callout_stop(&sp->ch[cp->protoidx]); 1919 switch (newstate) { 1920 case STATE_INITIAL: 1921 case STATE_STARTING: 1922 case STATE_CLOSED: 1923 case STATE_STOPPED: 1924 case STATE_OPENED: 1925 break; 1926 case STATE_CLOSING: 1927 case STATE_STOPPING: 1928 case STATE_REQ_SENT: 1929 case STATE_ACK_RCVD: 1930 case STATE_ACK_SENT: 1931 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1932 cp->TO, sp); 1933 break; 1934 } 1935 } 1936 1937 /* 1938 *--------------------------------------------------------------------------* 1939 * * 1940 * The LCP implementation. * 1941 * * 1942 *--------------------------------------------------------------------------* 1943 */ 1944 static void 1945 sppp_lcp_init(struct sppp *sp) 1946 { 1947 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 1948 sp->lcp.magic = 0; 1949 sp->state[IDX_LCP] = STATE_INITIAL; 1950 sp->fail_counter[IDX_LCP] = 0; 1951 sp->pp_seq[IDX_LCP] = 0; 1952 sp->pp_rseq[IDX_LCP] = 0; 1953 sp->lcp.protos = 0; 1954 1955 /* 1956 * Initialize counters and timeout values. Note that we don't 1957 * use the 3 seconds suggested in RFC 1661 since we are likely 1958 * running on a fast link. XXX We should probably implement 1959 * the exponential backoff option. Note that these values are 1960 * relevant for all control protocols, not just LCP only. 1961 */ 1962 sp->lcp.timeout = 1 * hz; 1963 sp->lcp.max_terminate = 2; 1964 sp->lcp.max_configure = 10; 1965 sp->lcp.max_failure = 10; 1966 callout_init(&sp->ch[IDX_LCP], 0); 1967 } 1968 1969 static void 1970 sppp_lcp_up(struct sppp *sp) 1971 { 1972 STDDCL; 1973 1974 /* Initialize activity timestamp: opening a connection is an activity */ 1975 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 1976 1977 /* 1978 * If this interface is passive or dial-on-demand, and we are 1979 * still in Initial state, it means we've got an incoming 1980 * call. Activate the interface. 1981 */ 1982 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 1983 if (debug) 1984 log(LOG_DEBUG, 1985 "%s: Up event", ifp->if_xname); 1986 ifp->if_flags |= IFF_RUNNING; 1987 if (sp->state[IDX_LCP] == STATE_INITIAL) { 1988 if (debug) 1989 addlog("(incoming call)\n"); 1990 sp->pp_flags |= PP_CALLIN; 1991 lcp.Open(sp); 1992 } else if (debug) 1993 addlog("\n"); 1994 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 1995 (sp->state[IDX_LCP] == STATE_INITIAL)) { 1996 ifp->if_flags |= IFF_RUNNING; 1997 lcp.Open(sp); 1998 } 1999 2000 sppp_up_event(&lcp, sp); 2001 } 2002 2003 static void 2004 sppp_lcp_down(struct sppp *sp) 2005 { 2006 STDDCL; 2007 2008 sppp_down_event(&lcp, sp); 2009 2010 /* 2011 * If this is neither a dial-on-demand nor a passive 2012 * interface, simulate an ``ifconfig down'' action, so the 2013 * administrator can force a redial by another ``ifconfig 2014 * up''. XXX For leased line operation, should we immediately 2015 * try to reopen the connection here? 2016 */ 2017 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2018 if (debug) 2019 log(LOG_INFO, 2020 "%s: Down event (carrier loss), taking interface down.\n", 2021 ifp->if_xname); 2022 if_down(ifp); 2023 } else { 2024 if (debug) 2025 log(LOG_DEBUG, 2026 "%s: Down event (carrier loss)\n", 2027 ifp->if_xname); 2028 } 2029 sp->pp_flags &= ~PP_CALLIN; 2030 if (sp->state[IDX_LCP] != STATE_INITIAL) 2031 lcp.Close(sp); 2032 ifp->if_flags &= ~IFF_RUNNING; 2033 } 2034 2035 static void 2036 sppp_lcp_open(struct sppp *sp) 2037 { 2038 if (sp->pp_if.if_mtu < PP_MTU) { 2039 sp->lcp.mru = sp->pp_if.if_mtu; 2040 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2041 } else 2042 sp->lcp.mru = PP_MTU; 2043 sp->lcp.their_mru = PP_MTU; 2044 2045 /* 2046 * If we are authenticator, negotiate LCP_AUTH 2047 */ 2048 if (sp->hisauth.proto != 0) 2049 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2050 else 2051 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2052 sp->pp_flags &= ~PP_NEEDAUTH; 2053 sppp_open_event(&lcp, sp); 2054 } 2055 2056 static void 2057 sppp_lcp_close(struct sppp *sp) 2058 { 2059 sppp_close_event(&lcp, sp); 2060 } 2061 2062 static void 2063 sppp_lcp_TO(void *cookie) 2064 { 2065 sppp_to_event(&lcp, (struct sppp *)cookie); 2066 } 2067 2068 /* 2069 * Analyze a configure request. Return true if it was agreeable, and 2070 * caused action sca, false if it has been rejected or nak'ed, and 2071 * caused action scn. (The return value is used to make the state 2072 * transition decision in the state automaton.) 2073 */ 2074 static int 2075 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2076 { 2077 STDDCL; 2078 u_char *buf, *r, *p; 2079 int origlen, rlen; 2080 uint32_t nmagic; 2081 u_short authproto; 2082 2083 len -= 4; 2084 origlen = len; 2085 buf = r = malloc (len, M_TEMP, M_NOWAIT); 2086 if (! buf) 2087 return (0); 2088 2089 if (debug) 2090 log(LOG_DEBUG, "%s: lcp parse opts:", 2091 ifp->if_xname); 2092 2093 /* pass 1: check for things that need to be rejected */ 2094 p = (void *)(h + 1); 2095 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2096 /* Sanity check option length */ 2097 if (p[1] > len) { 2098 /* 2099 * Malicious option - drop immediately. 2100 * XXX Maybe we should just RXJ it? 2101 */ 2102 addlog("%s: received malicious LCP option 0x%02x, " 2103 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2104 p[0], p[1], len); 2105 goto drop; 2106 } 2107 if (debug) 2108 addlog(" %s", sppp_lcp_opt_name(*p)); 2109 switch (*p) { 2110 case LCP_OPT_MAGIC: 2111 /* Magic number. */ 2112 /* fall through, both are same length */ 2113 case LCP_OPT_ASYNC_MAP: 2114 /* Async control character map. */ 2115 if (len >= 6 || p[1] == 6) 2116 continue; 2117 if (debug) 2118 addlog(" [invalid]"); 2119 break; 2120 case LCP_OPT_MRU: 2121 /* Maximum receive unit. */ 2122 if (len >= 4 && p[1] == 4) 2123 continue; 2124 if (debug) 2125 addlog(" [invalid]"); 2126 break; 2127 case LCP_OPT_AUTH_PROTO: 2128 if (len < 4) { 2129 if (debug) 2130 addlog(" [invalid]"); 2131 break; 2132 } 2133 authproto = (p[2] << 8) + p[3]; 2134 if (authproto == PPP_CHAP && p[1] != 5) { 2135 if (debug) 2136 addlog(" [invalid chap len]"); 2137 break; 2138 } 2139 if (sp->myauth.proto == 0) { 2140 /* we are not configured to do auth */ 2141 if (debug) 2142 addlog(" [not configured]"); 2143 break; 2144 } 2145 /* 2146 * Remote want us to authenticate, remember this, 2147 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2148 * up. 2149 */ 2150 sp->pp_flags |= PP_NEEDAUTH; 2151 continue; 2152 default: 2153 /* Others not supported. */ 2154 if (debug) 2155 addlog(" [rej]"); 2156 break; 2157 } 2158 /* Add the option to rejected list. */ 2159 bcopy (p, r, p[1]); 2160 r += p[1]; 2161 rlen += p[1]; 2162 } 2163 if (rlen) { 2164 if (debug) 2165 addlog(" send conf-rej\n"); 2166 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2167 goto end; 2168 } else if (debug) 2169 addlog("\n"); 2170 2171 /* 2172 * pass 2: check for option values that are unacceptable and 2173 * thus require to be nak'ed. 2174 */ 2175 if (debug) 2176 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2177 ifp->if_xname); 2178 2179 p = (void *)(h + 1); 2180 len = origlen; 2181 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2182 if (debug) 2183 addlog(" %s", sppp_lcp_opt_name(*p)); 2184 switch (*p) { 2185 case LCP_OPT_MAGIC: 2186 /* Magic number -- extract. */ 2187 nmagic = (uint32_t)p[2] << 24 | 2188 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2189 if (nmagic != sp->lcp.magic) { 2190 if (debug) 2191 addlog(" 0x%x", nmagic); 2192 continue; 2193 } 2194 /* 2195 * Local and remote magics equal -- loopback? 2196 */ 2197 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2198 printf ("%s: loopback\n", 2199 ifp->if_xname); 2200 sp->pp_loopcnt = 0; 2201 if (ifp->if_flags & IFF_UP) { 2202 if_down(ifp); 2203 IF_PURGE(&sp->pp_cpq); 2204 /* XXX ? */ 2205 lcp.Down(sp); 2206 lcp.Up(sp); 2207 } 2208 } else if (debug) 2209 addlog(" [glitch]"); 2210 ++sp->pp_loopcnt; 2211 /* 2212 * We negate our magic here, and NAK it. If 2213 * we see it later in an NAK packet, we 2214 * suggest a new one. 2215 */ 2216 nmagic = ~sp->lcp.magic; 2217 /* Gonna NAK it. */ 2218 p[2] = nmagic >> 24; 2219 p[3] = nmagic >> 16; 2220 p[4] = nmagic >> 8; 2221 p[5] = nmagic; 2222 break; 2223 2224 case LCP_OPT_ASYNC_MAP: 2225 /* 2226 * Async control character map -- just ignore it. 2227 * 2228 * Quote from RFC 1662, chapter 6: 2229 * To enable this functionality, synchronous PPP 2230 * implementations MUST always respond to the 2231 * Async-Control-Character-Map Configuration 2232 * Option with the LCP Configure-Ack. However, 2233 * acceptance of the Configuration Option does 2234 * not imply that the synchronous implementation 2235 * will do any ACCM mapping. Instead, all such 2236 * octet mapping will be performed by the 2237 * asynchronous-to-synchronous converter. 2238 */ 2239 continue; 2240 2241 case LCP_OPT_MRU: 2242 /* 2243 * Maximum receive unit. Always agreeable, 2244 * but ignored by now. 2245 */ 2246 sp->lcp.their_mru = p[2] * 256 + p[3]; 2247 if (debug) 2248 addlog(" %ld", sp->lcp.their_mru); 2249 continue; 2250 2251 case LCP_OPT_AUTH_PROTO: 2252 authproto = (p[2] << 8) + p[3]; 2253 if (sp->myauth.proto != authproto) { 2254 /* not agreed, nak */ 2255 if (debug) 2256 addlog(" [mine %s != his %s]", 2257 sppp_proto_name(sp->myauth.proto), 2258 sppp_proto_name(authproto)); 2259 p[2] = sp->myauth.proto >> 8; 2260 p[3] = sp->myauth.proto; 2261 break; 2262 } 2263 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2264 if (debug) 2265 addlog(" [chap not MD5]"); 2266 p[4] = CHAP_MD5; 2267 break; 2268 } 2269 continue; 2270 } 2271 /* Add the option to nak'ed list. */ 2272 bcopy (p, r, p[1]); 2273 r += p[1]; 2274 rlen += p[1]; 2275 } 2276 if (rlen) { 2277 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2278 if (debug) 2279 addlog(" max_failure (%d) exceeded, " 2280 "send conf-rej\n", 2281 sp->lcp.max_failure); 2282 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2283 } else { 2284 if (debug) 2285 addlog(" send conf-nak\n"); 2286 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2287 } 2288 goto end; 2289 } else { 2290 if (debug) 2291 addlog(" send conf-ack\n"); 2292 sp->fail_counter[IDX_LCP] = 0; 2293 sp->pp_loopcnt = 0; 2294 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1); 2295 } 2296 2297 end: 2298 free(buf, M_TEMP); 2299 return (rlen == 0); 2300 2301 drop: 2302 free(buf, M_TEMP); 2303 return -1; 2304 } 2305 2306 /* 2307 * Analyze the LCP Configure-Reject option list, and adjust our 2308 * negotiation. 2309 */ 2310 static void 2311 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2312 { 2313 STDDCL; 2314 u_char *buf, *p; 2315 2316 len -= 4; 2317 buf = malloc (len, M_TEMP, M_NOWAIT); 2318 if (!buf) 2319 return; 2320 2321 if (debug) 2322 log(LOG_DEBUG, "%s: lcp rej opts:", 2323 ifp->if_xname); 2324 2325 p = (void *)(h + 1); 2326 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2327 /* Sanity check option length */ 2328 if (p[1] > len) { 2329 /* 2330 * Malicious option - drop immediately. 2331 * XXX Maybe we should just RXJ it? 2332 */ 2333 addlog("%s: received malicious LCP option, " 2334 "dropping.\n", ifp->if_xname); 2335 goto drop; 2336 } 2337 if (debug) 2338 addlog(" %s", sppp_lcp_opt_name(*p)); 2339 switch (*p) { 2340 case LCP_OPT_MAGIC: 2341 /* Magic number -- can't use it, use 0 */ 2342 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2343 sp->lcp.magic = 0; 2344 break; 2345 case LCP_OPT_MRU: 2346 /* 2347 * We try to negotiate a lower MRU if the underlying 2348 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 2349 * peer rejects this lower rate, fallback to the 2350 * default. 2351 */ 2352 if (debug) { 2353 addlog("%s: warning: peer rejected our MRU of " 2354 "%ld bytes. Defaulting to %d bytes\n", 2355 ifp->if_xname, sp->lcp.mru, PP_MTU); 2356 } 2357 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2358 sp->lcp.mru = PP_MTU; 2359 break; 2360 case LCP_OPT_AUTH_PROTO: 2361 /* 2362 * Peer doesn't want to authenticate himself, 2363 * deny unless this is a dialout call, and 2364 * SPPP_AUTHFLAG_NOCALLOUT is set. 2365 */ 2366 if ((sp->pp_flags & PP_CALLIN) == 0 && 2367 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 2368 if (debug) 2369 addlog(" [don't insist on auth " 2370 "for callout]"); 2371 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2372 break; 2373 } 2374 if (debug) 2375 addlog("[access denied]\n"); 2376 lcp.Close(sp); 2377 break; 2378 } 2379 } 2380 if (debug) 2381 addlog("\n"); 2382 drop: 2383 free(buf, M_TEMP); 2384 return; 2385 } 2386 2387 /* 2388 * Analyze the LCP Configure-NAK option list, and adjust our 2389 * negotiation. 2390 */ 2391 static void 2392 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2393 { 2394 STDDCL; 2395 u_char *buf, *p; 2396 uint32_t magic; 2397 2398 len -= 4; 2399 buf = malloc (len, M_TEMP, M_NOWAIT); 2400 if (!buf) 2401 return; 2402 2403 if (debug) 2404 log(LOG_DEBUG, "%s: lcp nak opts:", 2405 ifp->if_xname); 2406 2407 p = (void *)(h + 1); 2408 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2409 /* Sanity check option length */ 2410 if (p[1] > len) { 2411 /* 2412 * Malicious option - drop immediately. 2413 * XXX Maybe we should just RXJ it? 2414 */ 2415 addlog("%s: received malicious LCP option, " 2416 "dropping.\n", ifp->if_xname); 2417 goto drop; 2418 } 2419 if (debug) 2420 addlog(" %s", sppp_lcp_opt_name(*p)); 2421 switch (*p) { 2422 case LCP_OPT_MAGIC: 2423 /* Magic number -- renegotiate */ 2424 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2425 len >= 6 && p[1] == 6) { 2426 magic = (uint32_t)p[2] << 24 | 2427 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2428 /* 2429 * If the remote magic is our negated one, 2430 * this looks like a loopback problem. 2431 * Suggest a new magic to make sure. 2432 */ 2433 if (magic == ~sp->lcp.magic) { 2434 if (debug) 2435 addlog(" magic glitch"); 2436 sp->lcp.magic = cprng_fast32(); 2437 } else { 2438 sp->lcp.magic = magic; 2439 if (debug) 2440 addlog(" %d", magic); 2441 } 2442 } 2443 break; 2444 case LCP_OPT_MRU: 2445 /* 2446 * Peer wants to advise us to negotiate an MRU. 2447 * Agree on it if it's reasonable, or use 2448 * default otherwise. 2449 */ 2450 if (len >= 4 && p[1] == 4) { 2451 u_int mru = p[2] * 256 + p[3]; 2452 if (debug) 2453 addlog(" %d", mru); 2454 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 2455 mru = sp->pp_if.if_mtu; 2456 sp->lcp.mru = mru; 2457 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2458 } 2459 break; 2460 case LCP_OPT_AUTH_PROTO: 2461 /* 2462 * Peer doesn't like our authentication method, 2463 * deny. 2464 */ 2465 if (debug) 2466 addlog("[access denied]\n"); 2467 lcp.Close(sp); 2468 break; 2469 } 2470 } 2471 if (debug) 2472 addlog("\n"); 2473 drop: 2474 free(buf, M_TEMP); 2475 return; 2476 } 2477 2478 static void 2479 sppp_lcp_tlu(struct sppp *sp) 2480 { 2481 STDDCL; 2482 int i; 2483 uint32_t mask; 2484 2485 /* XXX ? */ 2486 if (! (ifp->if_flags & IFF_UP) && 2487 (ifp->if_flags & IFF_RUNNING)) { 2488 /* Coming out of loopback mode. */ 2489 if_up(ifp); 2490 } 2491 2492 for (i = 0; i < IDX_COUNT; i++) 2493 if ((cps[i])->flags & CP_QUAL) 2494 (cps[i])->Open(sp); 2495 2496 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2497 (sp->pp_flags & PP_NEEDAUTH) != 0) 2498 sp->pp_phase = SPPP_PHASE_AUTHENTICATE; 2499 else 2500 sp->pp_phase = SPPP_PHASE_NETWORK; 2501 2502 if (debug) 2503 { 2504 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2505 sppp_phase_name(sp->pp_phase)); 2506 } 2507 2508 /* 2509 * Open all authentication protocols. This is even required 2510 * if we already proceeded to network phase, since it might be 2511 * that remote wants us to authenticate, so we might have to 2512 * send a PAP request. Undesired authentication protocols 2513 * don't do anything when they get an Open event. 2514 */ 2515 for (i = 0; i < IDX_COUNT; i++) 2516 if ((cps[i])->flags & CP_AUTH) 2517 (cps[i])->Open(sp); 2518 2519 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 2520 /* Notify all NCPs. */ 2521 for (i = 0; i < IDX_COUNT; i++) 2522 if ((cps[i])->flags & CP_NCP) 2523 (cps[i])->Open(sp); 2524 } 2525 2526 /* Send Up events to all started protos. */ 2527 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2528 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) 2529 (cps[i])->Up(sp); 2530 2531 /* notify low-level driver of state change */ 2532 if (sp->pp_chg) 2533 sp->pp_chg(sp, (int)sp->pp_phase); 2534 2535 if (sp->pp_phase == SPPP_PHASE_NETWORK) 2536 /* if no NCP is starting, close down */ 2537 sppp_lcp_check_and_close(sp); 2538 } 2539 2540 static void 2541 sppp_lcp_tld(struct sppp *sp) 2542 { 2543 STDDCL; 2544 int i; 2545 uint32_t mask; 2546 2547 sp->pp_phase = SPPP_PHASE_TERMINATE; 2548 2549 if (debug) 2550 { 2551 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2552 sppp_phase_name(sp->pp_phase)); 2553 } 2554 2555 /* 2556 * Take upper layers down. We send the Down event first and 2557 * the Close second to prevent the upper layers from sending 2558 * ``a flurry of terminate-request packets'', as the RFC 2559 * describes it. 2560 */ 2561 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2562 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2563 (cps[i])->Down(sp); 2564 (cps[i])->Close(sp); 2565 } 2566 } 2567 2568 static void 2569 sppp_lcp_tls(struct sppp *sp) 2570 { 2571 STDDCL; 2572 2573 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 2574 printf("%s: authentication failed %d times, not retrying again\n", 2575 sp->pp_if.if_xname, sp->pp_auth_failures); 2576 if_down(&sp->pp_if); 2577 return; 2578 } 2579 2580 sp->pp_phase = SPPP_PHASE_ESTABLISH; 2581 2582 if (debug) 2583 { 2584 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2585 sppp_phase_name(sp->pp_phase)); 2586 } 2587 2588 /* Notify lower layer if desired. */ 2589 if (sp->pp_tls) 2590 (sp->pp_tls)(sp); 2591 } 2592 2593 static void 2594 sppp_lcp_tlf(struct sppp *sp) 2595 { 2596 STDDCL; 2597 2598 sp->pp_phase = SPPP_PHASE_DEAD; 2599 2600 if (debug) 2601 { 2602 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2603 sppp_phase_name(sp->pp_phase)); 2604 } 2605 2606 /* Notify lower layer if desired. */ 2607 if (sp->pp_tlf) 2608 (sp->pp_tlf)(sp); 2609 } 2610 2611 static void 2612 sppp_lcp_scr(struct sppp *sp) 2613 { 2614 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2615 int i = 0; 2616 u_short authproto; 2617 2618 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2619 if (! sp->lcp.magic) 2620 sp->lcp.magic = cprng_fast32(); 2621 opt[i++] = LCP_OPT_MAGIC; 2622 opt[i++] = 6; 2623 opt[i++] = sp->lcp.magic >> 24; 2624 opt[i++] = sp->lcp.magic >> 16; 2625 opt[i++] = sp->lcp.magic >> 8; 2626 opt[i++] = sp->lcp.magic; 2627 } 2628 2629 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2630 opt[i++] = LCP_OPT_MRU; 2631 opt[i++] = 4; 2632 opt[i++] = sp->lcp.mru >> 8; 2633 opt[i++] = sp->lcp.mru; 2634 } 2635 2636 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2637 authproto = sp->hisauth.proto; 2638 opt[i++] = LCP_OPT_AUTH_PROTO; 2639 opt[i++] = authproto == PPP_CHAP? 5: 4; 2640 opt[i++] = authproto >> 8; 2641 opt[i++] = authproto; 2642 if (authproto == PPP_CHAP) 2643 opt[i++] = CHAP_MD5; 2644 } 2645 2646 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2647 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2648 } 2649 2650 /* 2651 * Check the open NCPs, return true if at least one NCP is open. 2652 */ 2653 static int 2654 sppp_ncp_check(struct sppp *sp) 2655 { 2656 int i, mask; 2657 2658 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2659 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2660 return 1; 2661 return 0; 2662 } 2663 2664 /* 2665 * Re-check the open NCPs and see if we should terminate the link. 2666 * Called by the NCPs during their tlf action handling. 2667 */ 2668 static void 2669 sppp_lcp_check_and_close(struct sppp *sp) 2670 { 2671 2672 if (sp->pp_phase < SPPP_PHASE_NETWORK) 2673 /* don't bother, we are already going down */ 2674 return; 2675 2676 if (sppp_ncp_check(sp)) 2677 return; 2678 2679 lcp.Close(sp); 2680 } 2681 2682 2683 /* 2684 *--------------------------------------------------------------------------* 2685 * * 2686 * The IPCP implementation. * 2687 * * 2688 *--------------------------------------------------------------------------* 2689 */ 2690 2691 static void 2692 sppp_ipcp_init(struct sppp *sp) 2693 { 2694 sp->ipcp.opts = 0; 2695 sp->ipcp.flags = 0; 2696 sp->state[IDX_IPCP] = STATE_INITIAL; 2697 sp->fail_counter[IDX_IPCP] = 0; 2698 sp->pp_seq[IDX_IPCP] = 0; 2699 sp->pp_rseq[IDX_IPCP] = 0; 2700 callout_init(&sp->ch[IDX_IPCP], 0); 2701 } 2702 2703 static void 2704 sppp_ipcp_up(struct sppp *sp) 2705 { 2706 sppp_up_event(&ipcp, sp); 2707 } 2708 2709 static void 2710 sppp_ipcp_down(struct sppp *sp) 2711 { 2712 sppp_down_event(&ipcp, sp); 2713 } 2714 2715 static void 2716 sppp_ipcp_open(struct sppp *sp) 2717 { 2718 STDDCL; 2719 uint32_t myaddr, hisaddr; 2720 2721 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 2722 sp->ipcp.req_myaddr = 0; 2723 sp->ipcp.req_hisaddr = 0; 2724 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 2725 2726 #ifdef INET 2727 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 2728 #else 2729 myaddr = hisaddr = 0; 2730 #endif 2731 /* 2732 * If we don't have his address, this probably means our 2733 * interface doesn't want to talk IP at all. (This could 2734 * be the case if somebody wants to speak only IPX, for 2735 * example.) Don't open IPCP in this case. 2736 */ 2737 if (hisaddr == 0) { 2738 /* XXX this message should go away */ 2739 if (debug) 2740 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 2741 ifp->if_xname); 2742 return; 2743 } 2744 2745 if (myaddr == 0) { 2746 /* 2747 * I don't have an assigned address, so i need to 2748 * negotiate my address. 2749 */ 2750 sp->ipcp.flags |= IPCP_MYADDR_DYN; 2751 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 2752 } 2753 if (hisaddr == 1) { 2754 /* 2755 * XXX - remove this hack! 2756 * remote has no valid address, we need to get one assigned. 2757 */ 2758 sp->ipcp.flags |= IPCP_HISADDR_DYN; 2759 } 2760 sppp_open_event(&ipcp, sp); 2761 } 2762 2763 static void 2764 sppp_ipcp_close(struct sppp *sp) 2765 { 2766 STDDCL; 2767 2768 sppp_close_event(&ipcp, sp); 2769 #ifdef INET 2770 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) 2771 /* 2772 * Some address was dynamic, clear it again. 2773 */ 2774 sppp_clear_ip_addrs(sp); 2775 #endif 2776 2777 if (sp->pp_saved_mtu > 0) { 2778 ifp->if_mtu = sp->pp_saved_mtu; 2779 sp->pp_saved_mtu = 0; 2780 if (debug) 2781 log(LOG_DEBUG, 2782 "%s: resetting MTU to %" PRIu64 " bytes\n", 2783 ifp->if_xname, ifp->if_mtu); 2784 } 2785 } 2786 2787 static void 2788 sppp_ipcp_TO(void *cookie) 2789 { 2790 sppp_to_event(&ipcp, (struct sppp *)cookie); 2791 } 2792 2793 /* 2794 * Analyze a configure request. Return true if it was agreeable, and 2795 * caused action sca, false if it has been rejected or nak'ed, and 2796 * caused action scn. (The return value is used to make the state 2797 * transition decision in the state automaton.) 2798 */ 2799 static int 2800 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2801 { 2802 u_char *buf, *r, *p; 2803 struct ifnet *ifp = &sp->pp_if; 2804 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 2805 uint32_t hisaddr, desiredaddr; 2806 2807 len -= 4; 2808 origlen = len; 2809 /* 2810 * Make sure to allocate a buf that can at least hold a 2811 * conf-nak with an `address' option. We might need it below. 2812 */ 2813 buf = r = malloc ((len < 6? 6: len), M_TEMP, M_NOWAIT); 2814 if (! buf) 2815 return (0); 2816 2817 /* pass 1: see if we can recognize them */ 2818 if (debug) 2819 log(LOG_DEBUG, "%s: ipcp parse opts:", 2820 ifp->if_xname); 2821 p = (void *)(h + 1); 2822 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2823 /* Sanity check option length */ 2824 if (p[1] > len) { 2825 /* XXX should we just RXJ? */ 2826 addlog("%s: malicious IPCP option received, dropping\n", 2827 ifp->if_xname); 2828 goto drop; 2829 } 2830 if (debug) 2831 addlog(" %s", sppp_ipcp_opt_name(*p)); 2832 switch (*p) { 2833 #ifdef notyet 2834 case IPCP_OPT_COMPRESSION: 2835 if (len >= 6 && p[1] >= 6) { 2836 /* correctly formed compress option */ 2837 continue; 2838 } 2839 if (debug) 2840 addlog(" [invalid]"); 2841 break; 2842 #endif 2843 case IPCP_OPT_ADDRESS: 2844 if (len >= 6 && p[1] == 6) { 2845 /* correctly formed address option */ 2846 continue; 2847 } 2848 if (debug) 2849 addlog(" [invalid]"); 2850 break; 2851 default: 2852 /* Others not supported. */ 2853 if (debug) 2854 addlog(" [rej]"); 2855 break; 2856 } 2857 /* Add the option to rejected list. */ 2858 bcopy (p, r, p[1]); 2859 r += p[1]; 2860 rlen += p[1]; 2861 } 2862 if (rlen) { 2863 if (debug) 2864 addlog(" send conf-rej\n"); 2865 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 2866 goto end; 2867 } else if (debug) 2868 addlog("\n"); 2869 2870 /* pass 2: parse option values */ 2871 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 2872 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 2873 else 2874 #ifdef INET 2875 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 2876 #else 2877 hisaddr = 0; 2878 #endif 2879 if (debug) 2880 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 2881 ifp->if_xname); 2882 p = (void *)(h + 1); 2883 len = origlen; 2884 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2885 if (debug) 2886 addlog(" %s", sppp_ipcp_opt_name(*p)); 2887 switch (*p) { 2888 #ifdef notyet 2889 case IPCP_OPT_COMPRESSION: 2890 continue; 2891 #endif 2892 case IPCP_OPT_ADDRESS: 2893 desiredaddr = p[2] << 24 | p[3] << 16 | 2894 p[4] << 8 | p[5]; 2895 if (desiredaddr == hisaddr || 2896 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 2897 /* 2898 * Peer's address is same as our value, 2899 * this is agreeable. Gonna conf-ack 2900 * it. 2901 */ 2902 if (debug) 2903 addlog(" %s [ack]", 2904 sppp_dotted_quad(hisaddr)); 2905 /* record that we've seen it already */ 2906 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 2907 sp->ipcp.req_hisaddr = desiredaddr; 2908 hisaddr = desiredaddr; 2909 continue; 2910 } 2911 /* 2912 * The address wasn't agreeable. This is either 2913 * he sent us 0.0.0.0, asking to assign him an 2914 * address, or he send us another address not 2915 * matching our value. Either case, we gonna 2916 * conf-nak it with our value. 2917 */ 2918 if (debug) { 2919 if (desiredaddr == 0) 2920 addlog(" [addr requested]"); 2921 else 2922 addlog(" %s [not agreed]", 2923 sppp_dotted_quad(desiredaddr)); 2924 } 2925 2926 p[2] = hisaddr >> 24; 2927 p[3] = hisaddr >> 16; 2928 p[4] = hisaddr >> 8; 2929 p[5] = hisaddr; 2930 break; 2931 } 2932 /* Add the option to nak'ed list. */ 2933 bcopy (p, r, p[1]); 2934 r += p[1]; 2935 rlen += p[1]; 2936 } 2937 2938 /* 2939 * If we are about to conf-ack the request, but haven't seen 2940 * his address so far, gonna conf-nak it instead, with the 2941 * `address' option present and our idea of his address being 2942 * filled in there, to request negotiation of both addresses. 2943 * 2944 * XXX This can result in an endless req - nak loop if peer 2945 * doesn't want to send us his address. Q: What should we do 2946 * about it? XXX A: implement the max-failure counter. 2947 */ 2948 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) { 2949 buf[0] = IPCP_OPT_ADDRESS; 2950 buf[1] = 6; 2951 buf[2] = hisaddr >> 24; 2952 buf[3] = hisaddr >> 16; 2953 buf[4] = hisaddr >> 8; 2954 buf[5] = hisaddr; 2955 rlen = 6; 2956 if (debug) 2957 addlog(" still need hisaddr"); 2958 } 2959 2960 if (rlen) { 2961 if (debug) 2962 addlog(" send conf-nak\n"); 2963 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 2964 } else { 2965 if (debug) 2966 addlog(" send conf-ack\n"); 2967 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1); 2968 } 2969 2970 end: 2971 free(buf, M_TEMP); 2972 return (rlen == 0); 2973 2974 drop: 2975 free(buf, M_TEMP); 2976 return -1; 2977 } 2978 2979 /* 2980 * Analyze the IPCP Configure-Reject option list, and adjust our 2981 * negotiation. 2982 */ 2983 static void 2984 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2985 { 2986 u_char *buf, *p; 2987 struct ifnet *ifp = &sp->pp_if; 2988 int debug = ifp->if_flags & IFF_DEBUG; 2989 2990 len -= 4; 2991 buf = malloc (len, M_TEMP, M_NOWAIT); 2992 if (!buf) 2993 return; 2994 2995 if (debug) 2996 log(LOG_DEBUG, "%s: ipcp rej opts:", 2997 ifp->if_xname); 2998 2999 p = (void *)(h + 1); 3000 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3001 /* Sanity check option length */ 3002 if (p[1] > len) { 3003 /* XXX should we just RXJ? */ 3004 addlog("%s: malicious IPCP option received, dropping\n", 3005 ifp->if_xname); 3006 goto drop; 3007 } 3008 if (debug) 3009 addlog(" %s", sppp_ipcp_opt_name(*p)); 3010 switch (*p) { 3011 case IPCP_OPT_ADDRESS: 3012 /* 3013 * Peer doesn't grok address option. This is 3014 * bad. XXX Should we better give up here? 3015 */ 3016 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3017 break; 3018 #ifdef notyet 3019 case IPCP_OPT_COMPRESS: 3020 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS); 3021 break; 3022 #endif 3023 } 3024 } 3025 if (debug) 3026 addlog("\n"); 3027 drop: 3028 free(buf, M_TEMP); 3029 return; 3030 } 3031 3032 /* 3033 * Analyze the IPCP Configure-NAK option list, and adjust our 3034 * negotiation. 3035 */ 3036 static void 3037 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3038 { 3039 u_char *p; 3040 struct ifnet *ifp = &sp->pp_if; 3041 int debug = ifp->if_flags & IFF_DEBUG; 3042 uint32_t wantaddr; 3043 3044 len -= 4; 3045 3046 if (debug) 3047 log(LOG_DEBUG, "%s: ipcp nak opts:", 3048 ifp->if_xname); 3049 3050 p = (void *)(h + 1); 3051 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3052 /* Sanity check option length */ 3053 if (p[1] > len) { 3054 /* XXX should we just RXJ? */ 3055 addlog("%s: malicious IPCP option received, dropping\n", 3056 ifp->if_xname); 3057 return; 3058 } 3059 if (debug) 3060 addlog(" %s", sppp_ipcp_opt_name(*p)); 3061 switch (*p) { 3062 case IPCP_OPT_ADDRESS: 3063 /* 3064 * Peer doesn't like our local IP address. See 3065 * if we can do something for him. We'll drop 3066 * him our address then. 3067 */ 3068 if (len >= 6 && p[1] == 6) { 3069 wantaddr = p[2] << 24 | p[3] << 16 | 3070 p[4] << 8 | p[5]; 3071 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3072 if (debug) 3073 addlog(" [wantaddr %s]", 3074 sppp_dotted_quad(wantaddr)); 3075 /* 3076 * When doing dynamic address assignment, 3077 * we accept his offer. Otherwise, we 3078 * ignore it and thus continue to negotiate 3079 * our already existing value. 3080 */ 3081 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3082 if (debug) 3083 addlog(" [agree]"); 3084 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3085 sp->ipcp.req_myaddr = wantaddr; 3086 } 3087 } 3088 break; 3089 3090 case IPCP_OPT_PRIMDNS: 3091 if (len >= 6 && p[1] == 6) { 3092 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 3093 p[4] << 8 | p[5]; 3094 } 3095 break; 3096 3097 case IPCP_OPT_SECDNS: 3098 if (len >= 6 && p[1] == 6) { 3099 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 3100 p[4] << 8 | p[5]; 3101 } 3102 break; 3103 #ifdef notyet 3104 case IPCP_OPT_COMPRESS: 3105 /* 3106 * Peer wants different compression parameters. 3107 */ 3108 break; 3109 #endif 3110 } 3111 } 3112 if (debug) 3113 addlog("\n"); 3114 } 3115 3116 static void 3117 sppp_ipcp_tlu(struct sppp *sp) 3118 { 3119 #ifdef INET 3120 /* we are up. Set addresses and notify anyone interested */ 3121 STDDCL; 3122 uint32_t myaddr, hisaddr; 3123 3124 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3125 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 3126 myaddr = sp->ipcp.req_myaddr; 3127 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 3128 hisaddr = sp->ipcp.req_hisaddr; 3129 sppp_set_ip_addrs(sp, myaddr, hisaddr); 3130 3131 if (ifp->if_mtu > sp->lcp.their_mru) { 3132 sp->pp_saved_mtu = ifp->if_mtu; 3133 ifp->if_mtu = sp->lcp.their_mru; 3134 if (debug) 3135 log(LOG_DEBUG, 3136 "%s: setting MTU to %" PRIu64 " bytes\n", 3137 ifp->if_xname, ifp->if_mtu); 3138 } 3139 3140 if (sp->pp_con) 3141 sp->pp_con(sp); 3142 #endif 3143 } 3144 3145 static void 3146 sppp_ipcp_tld(struct sppp *sp) 3147 { 3148 } 3149 3150 static void 3151 sppp_ipcp_tls(struct sppp *sp) 3152 { 3153 /* indicate to LCP that it must stay alive */ 3154 sp->lcp.protos |= (1 << IDX_IPCP); 3155 } 3156 3157 static void 3158 sppp_ipcp_tlf(struct sppp *sp) 3159 { 3160 /* we no longer need LCP */ 3161 sp->lcp.protos &= ~(1 << IDX_IPCP); 3162 } 3163 3164 static void 3165 sppp_ipcp_scr(struct sppp *sp) 3166 { 3167 char opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 3168 #ifdef INET 3169 uint32_t ouraddr; 3170 #endif 3171 int i = 0; 3172 3173 #ifdef notyet 3174 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3175 opt[i++] = IPCP_OPT_COMPRESSION; 3176 opt[i++] = 6; 3177 opt[i++] = 0; /* VJ header compression */ 3178 opt[i++] = 0x2d; /* VJ header compression */ 3179 opt[i++] = max_slot_id; 3180 opt[i++] = comp_slot_id; 3181 } 3182 #endif 3183 3184 #ifdef INET 3185 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3186 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) 3187 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 3188 else 3189 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3190 opt[i++] = IPCP_OPT_ADDRESS; 3191 opt[i++] = 6; 3192 opt[i++] = ouraddr >> 24; 3193 opt[i++] = ouraddr >> 16; 3194 opt[i++] = ouraddr >> 8; 3195 opt[i++] = ouraddr; 3196 } 3197 #endif 3198 3199 if (sp->query_dns & 1) { 3200 opt[i++] = IPCP_OPT_PRIMDNS; 3201 opt[i++] = 6; 3202 opt[i++] = sp->dns_addrs[0] >> 24; 3203 opt[i++] = sp->dns_addrs[0] >> 16; 3204 opt[i++] = sp->dns_addrs[0] >> 8; 3205 opt[i++] = sp->dns_addrs[0]; 3206 } 3207 if (sp->query_dns & 2) { 3208 opt[i++] = IPCP_OPT_SECDNS; 3209 opt[i++] = 6; 3210 opt[i++] = sp->dns_addrs[1] >> 24; 3211 opt[i++] = sp->dns_addrs[1] >> 16; 3212 opt[i++] = sp->dns_addrs[1] >> 8; 3213 opt[i++] = sp->dns_addrs[1]; 3214 } 3215 3216 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3217 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3218 } 3219 3220 3221 /* 3222 *--------------------------------------------------------------------------* 3223 * * 3224 * The IPv6CP implementation. * 3225 * * 3226 *--------------------------------------------------------------------------* 3227 */ 3228 3229 #ifdef INET6 3230 static void 3231 sppp_ipv6cp_init(struct sppp *sp) 3232 { 3233 sp->ipv6cp.opts = 0; 3234 sp->ipv6cp.flags = 0; 3235 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3236 sp->fail_counter[IDX_IPV6CP] = 0; 3237 sp->pp_seq[IDX_IPV6CP] = 0; 3238 sp->pp_rseq[IDX_IPV6CP] = 0; 3239 callout_init(&sp->ch[IDX_IPV6CP], 0); 3240 } 3241 3242 static void 3243 sppp_ipv6cp_up(struct sppp *sp) 3244 { 3245 sppp_up_event(&ipv6cp, sp); 3246 } 3247 3248 static void 3249 sppp_ipv6cp_down(struct sppp *sp) 3250 { 3251 sppp_down_event(&ipv6cp, sp); 3252 } 3253 3254 static void 3255 sppp_ipv6cp_open(struct sppp *sp) 3256 { 3257 STDDCL; 3258 struct in6_addr myaddr, hisaddr; 3259 3260 #ifdef IPV6CP_MYIFID_DYN 3261 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3262 #else 3263 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3264 #endif 3265 3266 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3267 /* 3268 * If we don't have our address, this probably means our 3269 * interface doesn't want to talk IPv6 at all. (This could 3270 * be the case if somebody wants to speak only IPX, for 3271 * example.) Don't open IPv6CP in this case. 3272 */ 3273 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3274 /* XXX this message should go away */ 3275 if (debug) 3276 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 3277 ifp->if_xname); 3278 return; 3279 } 3280 3281 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3282 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3283 sppp_open_event(&ipv6cp, sp); 3284 } 3285 3286 static void 3287 sppp_ipv6cp_close(struct sppp *sp) 3288 { 3289 sppp_close_event(&ipv6cp, sp); 3290 } 3291 3292 static void 3293 sppp_ipv6cp_TO(void *cookie) 3294 { 3295 sppp_to_event(&ipv6cp, (struct sppp *)cookie); 3296 } 3297 3298 /* 3299 * Analyze a configure request. Return true if it was agreeable, and 3300 * caused action sca, false if it has been rejected or nak'ed, and 3301 * caused action scn. (The return value is used to make the state 3302 * transition decision in the state automaton.) 3303 */ 3304 static int 3305 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3306 { 3307 u_char *buf, *r, *p; 3308 struct ifnet *ifp = &sp->pp_if; 3309 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3310 struct in6_addr myaddr, desiredaddr, suggestaddr; 3311 int ifidcount; 3312 int type; 3313 int collision, nohisaddr; 3314 3315 len -= 4; 3316 origlen = len; 3317 /* 3318 * Make sure to allocate a buf that can at least hold a 3319 * conf-nak with an `address' option. We might need it below. 3320 */ 3321 buf = r = malloc ((len < 6? 6: len), M_TEMP, M_NOWAIT); 3322 if (! buf) 3323 return (0); 3324 3325 /* pass 1: see if we can recognize them */ 3326 if (debug) 3327 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 3328 ifp->if_xname); 3329 p = (void *)(h + 1); 3330 ifidcount = 0; 3331 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3332 /* Sanity check option length */ 3333 if (p[1] > len) { 3334 /* XXX just RXJ? */ 3335 addlog("%s: received malicious IPCPv6 option, " 3336 "dropping\n", ifp->if_xname); 3337 goto drop; 3338 } 3339 if (debug) 3340 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3341 switch (*p) { 3342 case IPV6CP_OPT_IFID: 3343 if (len >= 10 && p[1] == 10 && ifidcount == 0) { 3344 /* correctly formed address option */ 3345 ifidcount++; 3346 continue; 3347 } 3348 if (debug) 3349 addlog(" [invalid]"); 3350 break; 3351 #ifdef notyet 3352 case IPV6CP_OPT_COMPRESSION: 3353 if (len >= 4 && p[1] >= 4) { 3354 /* correctly formed compress option */ 3355 continue; 3356 } 3357 if (debug) 3358 addlog(" [invalid]"); 3359 break; 3360 #endif 3361 default: 3362 /* Others not supported. */ 3363 if (debug) 3364 addlog(" [rej]"); 3365 break; 3366 } 3367 /* Add the option to rejected list. */ 3368 bcopy (p, r, p[1]); 3369 r += p[1]; 3370 rlen += p[1]; 3371 } 3372 if (rlen) { 3373 if (debug) 3374 addlog(" send conf-rej\n"); 3375 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3376 goto end; 3377 } else if (debug) 3378 addlog("\n"); 3379 3380 /* pass 2: parse option values */ 3381 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3382 if (debug) 3383 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 3384 ifp->if_xname); 3385 p = (void *)(h + 1); 3386 len = origlen; 3387 type = CONF_ACK; 3388 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3389 if (debug) 3390 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3391 switch (*p) { 3392 #ifdef notyet 3393 case IPV6CP_OPT_COMPRESSION: 3394 continue; 3395 #endif 3396 case IPV6CP_OPT_IFID: 3397 memset(&desiredaddr, 0, sizeof(desiredaddr)); 3398 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 3399 collision = (memcmp(&desiredaddr.s6_addr[8], 3400 &myaddr.s6_addr[8], 8) == 0); 3401 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3402 3403 desiredaddr.s6_addr16[0] = htons(0xfe80); 3404 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 3405 3406 if (!collision && !nohisaddr) { 3407 /* no collision, hisaddr known - Conf-Ack */ 3408 type = CONF_ACK; 3409 3410 if (debug) { 3411 addlog(" %s [%s]", 3412 ip6_sprintf(&desiredaddr), 3413 sppp_cp_type_name(type)); 3414 } 3415 continue; 3416 } 3417 3418 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3419 if (collision && nohisaddr) { 3420 /* collision, hisaddr unknown - Conf-Rej */ 3421 type = CONF_REJ; 3422 memset(&p[2], 0, 8); 3423 } else { 3424 /* 3425 * - no collision, hisaddr unknown, or 3426 * - collision, hisaddr known 3427 * Conf-Nak, suggest hisaddr 3428 */ 3429 type = CONF_NAK; 3430 sppp_suggest_ip6_addr(sp, &suggestaddr); 3431 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 3432 } 3433 if (debug) 3434 addlog(" %s [%s]", ip6_sprintf(&desiredaddr), 3435 sppp_cp_type_name(type)); 3436 break; 3437 } 3438 /* Add the option to nak'ed list. */ 3439 bcopy (p, r, p[1]); 3440 r += p[1]; 3441 rlen += p[1]; 3442 } 3443 3444 if (rlen == 0 && type == CONF_ACK) { 3445 if (debug) 3446 addlog(" send %s\n", sppp_cp_type_name(type)); 3447 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1); 3448 } else { 3449 #ifdef notdef 3450 if (type == CONF_ACK) 3451 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3452 #endif 3453 3454 if (debug) { 3455 addlog(" send %s suggest %s\n", 3456 sppp_cp_type_name(type), ip6_sprintf(&suggestaddr)); 3457 } 3458 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3459 } 3460 3461 end: 3462 free(buf, M_TEMP); 3463 return (rlen == 0); 3464 3465 drop: 3466 free(buf, M_TEMP); 3467 return -1; 3468 } 3469 3470 /* 3471 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3472 * negotiation. 3473 */ 3474 static void 3475 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3476 { 3477 u_char *buf, *p; 3478 struct ifnet *ifp = &sp->pp_if; 3479 int debug = ifp->if_flags & IFF_DEBUG; 3480 3481 len -= 4; 3482 buf = malloc (len, M_TEMP, M_NOWAIT); 3483 if (!buf) 3484 return; 3485 3486 if (debug) 3487 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 3488 ifp->if_xname); 3489 3490 p = (void *)(h + 1); 3491 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3492 if (p[1] > len) { 3493 /* XXX just RXJ? */ 3494 addlog("%s: received malicious IPCPv6 option, " 3495 "dropping\n", ifp->if_xname); 3496 goto drop; 3497 } 3498 if (debug) 3499 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3500 switch (*p) { 3501 case IPV6CP_OPT_IFID: 3502 /* 3503 * Peer doesn't grok address option. This is 3504 * bad. XXX Should we better give up here? 3505 */ 3506 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3507 break; 3508 #ifdef notyet 3509 case IPV6CP_OPT_COMPRESS: 3510 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3511 break; 3512 #endif 3513 } 3514 } 3515 if (debug) 3516 addlog("\n"); 3517 drop: 3518 free(buf, M_TEMP); 3519 return; 3520 } 3521 3522 /* 3523 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3524 * negotiation. 3525 */ 3526 static void 3527 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3528 { 3529 u_char *buf, *p; 3530 struct ifnet *ifp = &sp->pp_if; 3531 int debug = ifp->if_flags & IFF_DEBUG; 3532 struct in6_addr suggestaddr; 3533 3534 len -= 4; 3535 buf = malloc (len, M_TEMP, M_NOWAIT); 3536 if (!buf) 3537 return; 3538 3539 if (debug) 3540 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 3541 ifp->if_xname); 3542 3543 p = (void *)(h + 1); 3544 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3545 if (p[1] > len) { 3546 /* XXX just RXJ? */ 3547 addlog("%s: received malicious IPCPv6 option, " 3548 "dropping\n", ifp->if_xname); 3549 goto drop; 3550 } 3551 if (debug) 3552 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3553 switch (*p) { 3554 case IPV6CP_OPT_IFID: 3555 /* 3556 * Peer doesn't like our local ifid. See 3557 * if we can do something for him. We'll drop 3558 * him our address then. 3559 */ 3560 if (len < 10 || p[1] != 10) 3561 break; 3562 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3563 suggestaddr.s6_addr16[0] = htons(0xfe80); 3564 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 3565 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 3566 3567 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3568 if (debug) 3569 addlog(" [suggestaddr %s]", 3570 ip6_sprintf(&suggestaddr)); 3571 #ifdef IPV6CP_MYIFID_DYN 3572 /* 3573 * When doing dynamic address assignment, 3574 * we accept his offer. 3575 */ 3576 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3577 struct in6_addr lastsuggest; 3578 /* 3579 * If <suggested myaddr from peer> equals to 3580 * <hisaddr we have suggested last time>, 3581 * we have a collision. generate new random 3582 * ifid. 3583 */ 3584 sppp_suggest_ip6_addr(&lastsuggest); 3585 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3586 lastsuggest)) { 3587 if (debug) 3588 addlog(" [random]"); 3589 sppp_gen_ip6_addr(sp, &suggestaddr); 3590 } 3591 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3592 if (debug) 3593 addlog(" [agree]"); 3594 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3595 } 3596 #else 3597 /* 3598 * Since we do not do dynamic address assignment, 3599 * we ignore it and thus continue to negotiate 3600 * our already existing value. This can possibly 3601 * go into infinite request-reject loop. 3602 * 3603 * This is not likely because we normally use 3604 * ifid based on MAC-address. 3605 * If you have no ethernet card on the node, too bad. 3606 * XXX should we use fail_counter? 3607 */ 3608 #endif 3609 break; 3610 #ifdef notyet 3611 case IPV6CP_OPT_COMPRESS: 3612 /* 3613 * Peer wants different compression parameters. 3614 */ 3615 break; 3616 #endif 3617 } 3618 } 3619 if (debug) 3620 addlog("\n"); 3621 drop: 3622 free(buf, M_TEMP); 3623 return; 3624 } 3625 3626 static void 3627 sppp_ipv6cp_tlu(struct sppp *sp) 3628 { 3629 /* we are up - notify isdn daemon */ 3630 if (sp->pp_con) 3631 sp->pp_con(sp); 3632 } 3633 3634 static void 3635 sppp_ipv6cp_tld(struct sppp *sp) 3636 { 3637 } 3638 3639 static void 3640 sppp_ipv6cp_tls(struct sppp *sp) 3641 { 3642 /* indicate to LCP that it must stay alive */ 3643 sp->lcp.protos |= (1 << IDX_IPV6CP); 3644 } 3645 3646 static void 3647 sppp_ipv6cp_tlf(struct sppp *sp) 3648 { 3649 /* we no longer need LCP */ 3650 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3651 } 3652 3653 static void 3654 sppp_ipv6cp_scr(struct sppp *sp) 3655 { 3656 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3657 struct in6_addr ouraddr; 3658 int i = 0; 3659 3660 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3661 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3662 opt[i++] = IPV6CP_OPT_IFID; 3663 opt[i++] = 10; 3664 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 3665 i += 8; 3666 } 3667 3668 #ifdef notyet 3669 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 3670 opt[i++] = IPV6CP_OPT_COMPRESSION; 3671 opt[i++] = 4; 3672 opt[i++] = 0; /* TBD */ 3673 opt[i++] = 0; /* TBD */ 3674 /* variable length data may follow */ 3675 } 3676 #endif 3677 3678 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 3679 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 3680 } 3681 #else /*INET6*/ 3682 static void 3683 sppp_ipv6cp_init(struct sppp *sp) 3684 { 3685 } 3686 3687 static void 3688 sppp_ipv6cp_up(struct sppp *sp) 3689 { 3690 } 3691 3692 static void 3693 sppp_ipv6cp_down(struct sppp *sp) 3694 { 3695 } 3696 3697 static void 3698 sppp_ipv6cp_open(struct sppp *sp) 3699 { 3700 } 3701 3702 static void 3703 sppp_ipv6cp_close(struct sppp *sp) 3704 { 3705 } 3706 3707 static void 3708 sppp_ipv6cp_TO(void *sp) 3709 { 3710 } 3711 3712 static int 3713 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, 3714 int len) 3715 { 3716 return 0; 3717 } 3718 3719 static void 3720 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, 3721 int len) 3722 { 3723 } 3724 3725 static void 3726 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, 3727 int len) 3728 { 3729 } 3730 3731 static void 3732 sppp_ipv6cp_tlu(struct sppp *sp) 3733 { 3734 } 3735 3736 static void 3737 sppp_ipv6cp_tld(struct sppp *sp) 3738 { 3739 } 3740 3741 static void 3742 sppp_ipv6cp_tls(struct sppp *sp) 3743 { 3744 } 3745 3746 static void 3747 sppp_ipv6cp_tlf(struct sppp *sp) 3748 { 3749 } 3750 3751 static void 3752 sppp_ipv6cp_scr(struct sppp *sp) 3753 { 3754 } 3755 #endif /*INET6*/ 3756 3757 3758 /* 3759 *--------------------------------------------------------------------------* 3760 * * 3761 * The CHAP implementation. * 3762 * * 3763 *--------------------------------------------------------------------------* 3764 */ 3765 3766 /* 3767 * The authentication protocols don't employ a full-fledged state machine as 3768 * the control protocols do, since they do have Open and Close events, but 3769 * not Up and Down, nor are they explicitly terminated. Also, use of the 3770 * authentication protocols may be different in both directions (this makes 3771 * sense, think of a machine that never accepts incoming calls but only 3772 * calls out, it doesn't require the called party to authenticate itself). 3773 * 3774 * Our state machine for the local authentication protocol (we are requesting 3775 * the peer to authenticate) looks like: 3776 * 3777 * RCA- 3778 * +--------------------------------------------+ 3779 * V scn,tld| 3780 * +--------+ Close +---------+ RCA+ 3781 * | |<----------------------------------| |------+ 3782 * +--->| Closed | TO* | Opened | sca | 3783 * | | |-----+ +-------| |<-----+ 3784 * | +--------+ irc | | +---------+ 3785 * | ^ | | ^ 3786 * | | | | | 3787 * | | | | | 3788 * | TO-| | | | 3789 * | |tld TO+ V | | 3790 * | | +------->+ | | 3791 * | | | | | | 3792 * | +--------+ V | | 3793 * | | |<----+<--------------------+ | 3794 * | | Req- | scr | 3795 * | | Sent | | 3796 * | | | | 3797 * | +--------+ | 3798 * | RCA- | | RCA+ | 3799 * +------+ +------------------------------------------+ 3800 * scn,tld sca,irc,ict,tlu 3801 * 3802 * 3803 * with: 3804 * 3805 * Open: LCP reached authentication phase 3806 * Close: LCP reached terminate phase 3807 * 3808 * RCA+: received reply (pap-req, chap-response), acceptable 3809 * RCN: received reply (pap-req, chap-response), not acceptable 3810 * TO+: timeout with restart counter >= 0 3811 * TO-: timeout with restart counter < 0 3812 * TO*: reschedule timeout for CHAP 3813 * 3814 * scr: send request packet (none for PAP, chap-challenge) 3815 * sca: send ack packet (pap-ack, chap-success) 3816 * scn: send nak packet (pap-nak, chap-failure) 3817 * ict: initialize re-challenge timer (CHAP only) 3818 * 3819 * tlu: this-layer-up, LCP reaches network phase 3820 * tld: this-layer-down, LCP enters terminate phase 3821 * 3822 * Note that in CHAP mode, after sending a new challenge, while the state 3823 * automaton falls back into Req-Sent state, it doesn't signal a tld 3824 * event to LCP, so LCP remains in network phase. Only after not getting 3825 * any response (or after getting an unacceptable response), CHAP closes, 3826 * causing LCP to enter terminate phase. 3827 * 3828 * With PAP, there is no initial request that can be sent. The peer is 3829 * expected to send one based on the successful negotiation of PAP as 3830 * the authentication protocol during the LCP option negotiation. 3831 * 3832 * Incoming authentication protocol requests (remote requests 3833 * authentication, we are peer) don't employ a state machine at all, 3834 * they are simply answered. Some peers [Ascend P50 firmware rev 3835 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are 3836 * still in authentication phase (thereby violating the standard that 3837 * demands that these NCP packets are to be discarded), so we keep 3838 * track of the peer demanding us to authenticate, and only proceed to 3839 * phase network once we've seen a positive acknowledge for the 3840 * authentication. 3841 */ 3842 3843 /* 3844 * Handle incoming CHAP packets. 3845 */ 3846 void 3847 sppp_chap_input(struct sppp *sp, struct mbuf *m) 3848 { 3849 STDDCL; 3850 struct lcp_header *h; 3851 int len, x; 3852 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize; 3853 int value_len, name_len; 3854 MD5_CTX ctx; 3855 3856 len = m->m_pkthdr.len; 3857 if (len < 4) { 3858 if (debug) 3859 log(LOG_DEBUG, 3860 "%s: chap invalid packet length: %d bytes\n", 3861 ifp->if_xname, len); 3862 return; 3863 } 3864 h = mtod(m, struct lcp_header *); 3865 if (len > ntohs(h->len)) 3866 len = ntohs(h->len); 3867 3868 switch (h->type) { 3869 /* challenge, failure and success are his authproto */ 3870 case CHAP_CHALLENGE: 3871 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 3872 /* can't do anything useful */ 3873 sp->pp_auth_failures++; 3874 printf("%s: chap input without my name and my secret being set\n", 3875 ifp->if_xname); 3876 break; 3877 } 3878 value = 1 + (u_char *)(h + 1); 3879 value_len = value[-1]; 3880 name = value + value_len; 3881 name_len = len - value_len - 5; 3882 if (name_len < 0) { 3883 if (debug) { 3884 log(LOG_DEBUG, 3885 "%s: chap corrupted challenge " 3886 "<%s id=0x%x len=%d", 3887 ifp->if_xname, 3888 sppp_auth_type_name(PPP_CHAP, h->type), 3889 h->ident, ntohs(h->len)); 3890 if (len > 4) 3891 sppp_print_bytes((u_char *)(h + 1), 3892 len - 4); 3893 addlog(">\n"); 3894 } 3895 break; 3896 } 3897 3898 if (debug) { 3899 log(LOG_DEBUG, 3900 "%s: chap input <%s id=0x%x len=%d name=", 3901 ifp->if_xname, 3902 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 3903 ntohs(h->len)); 3904 sppp_print_string((char *) name, name_len); 3905 addlog(" value-size=%d value=", value_len); 3906 sppp_print_bytes(value, value_len); 3907 addlog(">\n"); 3908 } 3909 3910 /* Compute reply value. */ 3911 MD5Init(&ctx); 3912 MD5Update(&ctx, &h->ident, 1); 3913 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 3914 MD5Update(&ctx, value, value_len); 3915 MD5Final(digest, &ctx); 3916 dsize = sizeof digest; 3917 3918 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 3919 sizeof dsize, (const char *)&dsize, 3920 sizeof digest, digest, 3921 sp->myauth.name_len, 3922 sp->myauth.name, 3923 0); 3924 break; 3925 3926 case CHAP_SUCCESS: 3927 if (debug) { 3928 log(LOG_DEBUG, "%s: chap success", 3929 ifp->if_xname); 3930 if (len > 4) { 3931 addlog(": "); 3932 sppp_print_string((char *)(h + 1), len - 4); 3933 } 3934 addlog("\n"); 3935 } 3936 x = splnet(); 3937 sp->pp_auth_failures = 0; 3938 sp->pp_flags &= ~PP_NEEDAUTH; 3939 if (sp->myauth.proto == PPP_CHAP && 3940 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 3941 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 3942 /* 3943 * We are authenticator for CHAP but didn't 3944 * complete yet. Leave it to tlu to proceed 3945 * to network phase. 3946 */ 3947 splx(x); 3948 break; 3949 } 3950 splx(x); 3951 sppp_phase_network(sp); 3952 break; 3953 3954 case CHAP_FAILURE: 3955 x = splnet(); 3956 sp->pp_auth_failures++; 3957 splx(x); 3958 if (debug) { 3959 log(LOG_INFO, "%s: chap failure", 3960 ifp->if_xname); 3961 if (len > 4) { 3962 addlog(": "); 3963 sppp_print_string((char *)(h + 1), len - 4); 3964 } 3965 addlog("\n"); 3966 } else 3967 log(LOG_INFO, "%s: chap failure\n", 3968 ifp->if_xname); 3969 /* await LCP shutdown by authenticator */ 3970 break; 3971 3972 /* response is my authproto */ 3973 case CHAP_RESPONSE: 3974 if (sp->hisauth.secret == NULL) { 3975 /* can't do anything useful */ 3976 printf("%s: chap input without his secret being set\n", 3977 ifp->if_xname); 3978 break; 3979 } 3980 value = 1 + (u_char *)(h + 1); 3981 value_len = value[-1]; 3982 name = value + value_len; 3983 name_len = len - value_len - 5; 3984 if (name_len < 0) { 3985 if (debug) { 3986 log(LOG_DEBUG, 3987 "%s: chap corrupted response " 3988 "<%s id=0x%x len=%d", 3989 ifp->if_xname, 3990 sppp_auth_type_name(PPP_CHAP, h->type), 3991 h->ident, ntohs(h->len)); 3992 if (len > 4) 3993 sppp_print_bytes((u_char *)(h + 1), 3994 len - 4); 3995 addlog(">\n"); 3996 } 3997 break; 3998 } 3999 if (h->ident != sp->confid[IDX_CHAP]) { 4000 if (debug) 4001 log(LOG_DEBUG, 4002 "%s: chap dropping response for old ID " 4003 "(got %d, expected %d)\n", 4004 ifp->if_xname, 4005 h->ident, sp->confid[IDX_CHAP]); 4006 break; 4007 } 4008 if (sp->hisauth.name != NULL && 4009 (name_len != sp->hisauth.name_len 4010 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 4011 log(LOG_INFO, "%s: chap response, his name ", 4012 ifp->if_xname); 4013 sppp_print_string(name, name_len); 4014 addlog(" != expected "); 4015 sppp_print_string(sp->hisauth.name, 4016 sp->hisauth.name_len); 4017 addlog("\n"); 4018 goto chap_failure; 4019 } 4020 if (debug) { 4021 log(LOG_DEBUG, "%s: chap input(%s) " 4022 "<%s id=0x%x len=%d name=", 4023 ifp->if_xname, 4024 sppp_state_name(sp->state[IDX_CHAP]), 4025 sppp_auth_type_name(PPP_CHAP, h->type), 4026 h->ident, ntohs(h->len)); 4027 sppp_print_string((char *)name, name_len); 4028 addlog(" value-size=%d value=", value_len); 4029 sppp_print_bytes(value, value_len); 4030 addlog(">\n"); 4031 } 4032 if (value_len != sizeof(sp->myauth.challenge)) { 4033 if (debug) 4034 log(LOG_DEBUG, 4035 "%s: chap bad hash value length: " 4036 "%d bytes, should be %ld\n", 4037 ifp->if_xname, value_len, 4038 (long) sizeof(sp->myauth.challenge)); 4039 goto chap_failure; 4040 } 4041 4042 MD5Init(&ctx); 4043 MD5Update(&ctx, &h->ident, 1); 4044 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 4045 MD5Update(&ctx, sp->myauth.challenge, sizeof(sp->myauth.challenge)); 4046 MD5Final(digest, &ctx); 4047 4048 #define FAILMSG "Failed..." 4049 #define SUCCMSG "Welcome!" 4050 4051 if (value_len != sizeof digest || 4052 memcmp(digest, value, value_len) != 0) { 4053 chap_failure: 4054 /* action scn, tld */ 4055 x = splnet(); 4056 sp->pp_auth_failures++; 4057 splx(x); 4058 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4059 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4060 0); 4061 chap.tld(sp); 4062 break; 4063 } 4064 sp->pp_auth_failures = 0; 4065 /* action sca, perhaps tlu */ 4066 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4067 sp->state[IDX_CHAP] == STATE_OPENED) 4068 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4069 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4070 0); 4071 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4072 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4073 chap.tlu(sp); 4074 } 4075 break; 4076 4077 default: 4078 /* Unknown CHAP packet type -- ignore. */ 4079 if (debug) { 4080 log(LOG_DEBUG, "%s: chap unknown input(%s) " 4081 "<0x%x id=0x%xh len=%d", 4082 ifp->if_xname, 4083 sppp_state_name(sp->state[IDX_CHAP]), 4084 h->type, h->ident, ntohs(h->len)); 4085 if (len > 4) 4086 sppp_print_bytes((u_char *)(h + 1), len - 4); 4087 addlog(">\n"); 4088 } 4089 break; 4090 4091 } 4092 } 4093 4094 static void 4095 sppp_chap_init(struct sppp *sp) 4096 { 4097 /* Chap doesn't have STATE_INITIAL at all. */ 4098 sp->state[IDX_CHAP] = STATE_CLOSED; 4099 sp->fail_counter[IDX_CHAP] = 0; 4100 sp->pp_seq[IDX_CHAP] = 0; 4101 sp->pp_rseq[IDX_CHAP] = 0; 4102 callout_init(&sp->ch[IDX_CHAP], 0); 4103 } 4104 4105 static void 4106 sppp_chap_open(struct sppp *sp) 4107 { 4108 if (sp->myauth.proto == PPP_CHAP && 4109 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4110 /* we are authenticator for CHAP, start it */ 4111 chap.scr(sp); 4112 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4113 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4114 } 4115 /* nothing to be done if we are peer, await a challenge */ 4116 } 4117 4118 static void 4119 sppp_chap_close(struct sppp *sp) 4120 { 4121 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4122 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4123 } 4124 4125 static void 4126 sppp_chap_TO(void *cookie) 4127 { 4128 struct sppp *sp = (struct sppp *)cookie; 4129 STDDCL; 4130 int s; 4131 4132 s = splnet(); 4133 if (debug) 4134 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n", 4135 ifp->if_xname, 4136 sppp_state_name(sp->state[IDX_CHAP]), 4137 sp->rst_counter[IDX_CHAP]); 4138 4139 if (--sp->rst_counter[IDX_CHAP] < 0) 4140 /* TO- event */ 4141 switch (sp->state[IDX_CHAP]) { 4142 case STATE_REQ_SENT: 4143 chap.tld(sp); 4144 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4145 break; 4146 } 4147 else 4148 /* TO+ (or TO*) event */ 4149 switch (sp->state[IDX_CHAP]) { 4150 case STATE_OPENED: 4151 /* TO* event */ 4152 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4153 /* fall through */ 4154 case STATE_REQ_SENT: 4155 chap.scr(sp); 4156 /* sppp_cp_change_state() will restart the timer */ 4157 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4158 break; 4159 } 4160 4161 splx(s); 4162 } 4163 4164 static void 4165 sppp_chap_tlu(struct sppp *sp) 4166 { 4167 STDDCL; 4168 int i, x; 4169 4170 i = 0; 4171 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4172 4173 /* 4174 * Some broken CHAP implementations (Conware CoNet, firmware 4175 * 4.0.?) don't want to re-authenticate their CHAP once the 4176 * initial challenge-response exchange has taken place. 4177 * Provide for an option to avoid rechallenges. 4178 */ 4179 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 4180 /* 4181 * Compute the re-challenge timeout. This will yield 4182 * a number between 300 and 810 seconds. 4183 */ 4184 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7); 4185 4186 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp); 4187 } 4188 4189 if (debug) { 4190 log(LOG_DEBUG, 4191 "%s: chap %s, ", 4192 ifp->if_xname, 4193 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu"); 4194 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) 4195 addlog("next re-challenge in %d seconds\n", i); 4196 else 4197 addlog("re-challenging supressed\n"); 4198 } 4199 4200 x = splnet(); 4201 sp->pp_auth_failures = 0; 4202 /* indicate to LCP that we need to be closed down */ 4203 sp->lcp.protos |= (1 << IDX_CHAP); 4204 4205 if (sp->pp_flags & PP_NEEDAUTH) { 4206 /* 4207 * Remote is authenticator, but his auth proto didn't 4208 * complete yet. Defer the transition to network 4209 * phase. 4210 */ 4211 splx(x); 4212 return; 4213 } 4214 splx(x); 4215 4216 /* 4217 * If we are already in phase network, we are done here. This 4218 * is the case if this is a dummy tlu event after a re-challenge. 4219 */ 4220 if (sp->pp_phase != SPPP_PHASE_NETWORK) 4221 sppp_phase_network(sp); 4222 } 4223 4224 static void 4225 sppp_chap_tld(struct sppp *sp) 4226 { 4227 STDDCL; 4228 4229 if (debug) 4230 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname); 4231 callout_stop(&sp->ch[IDX_CHAP]); 4232 sp->lcp.protos &= ~(1 << IDX_CHAP); 4233 4234 lcp.Close(sp); 4235 } 4236 4237 static void 4238 sppp_chap_scr(struct sppp *sp) 4239 { 4240 uint32_t *ch; 4241 u_char clen = 4 * sizeof(uint32_t); 4242 4243 if (sp->myauth.name == NULL) { 4244 /* can't do anything useful */ 4245 printf("%s: chap starting without my name being set\n", 4246 sp->pp_if.if_xname); 4247 return; 4248 } 4249 4250 /* Compute random challenge. */ 4251 ch = (uint32_t *)sp->myauth.challenge; 4252 cprng_strong(kern_cprng, ch, clen, 0); 4253 4254 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4255 4256 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4257 sizeof clen, (const char *)&clen, 4258 sizeof(sp->myauth.challenge), sp->myauth.challenge, 4259 sp->myauth.name_len, 4260 sp->myauth.name, 4261 0); 4262 } 4263 4264 /* 4265 *--------------------------------------------------------------------------* 4266 * * 4267 * The PAP implementation. * 4268 * * 4269 *--------------------------------------------------------------------------* 4270 */ 4271 /* 4272 * For PAP, we need to keep a little state also if we are the peer, not the 4273 * authenticator. This is since we don't get a request to authenticate, but 4274 * have to repeatedly authenticate ourself until we got a response (or the 4275 * retry counter is expired). 4276 */ 4277 4278 /* 4279 * Handle incoming PAP packets. */ 4280 static void 4281 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4282 { 4283 STDDCL; 4284 struct lcp_header *h; 4285 int len, x; 4286 u_char mlen; 4287 char *name, *secret; 4288 int name_len, secret_len; 4289 4290 /* 4291 * Malicious input might leave this uninitialized, so 4292 * init to an impossible value. 4293 */ 4294 secret_len = -1; 4295 4296 len = m->m_pkthdr.len; 4297 if (len < 5) { 4298 if (debug) 4299 log(LOG_DEBUG, 4300 "%s: pap invalid packet length: %d bytes\n", 4301 ifp->if_xname, len); 4302 return; 4303 } 4304 h = mtod(m, struct lcp_header *); 4305 if (len > ntohs(h->len)) 4306 len = ntohs(h->len); 4307 switch (h->type) { 4308 /* PAP request is my authproto */ 4309 case PAP_REQ: 4310 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4311 /* can't do anything useful */ 4312 printf("%s: pap request without his name and his secret being set\n", 4313 ifp->if_xname); 4314 break; 4315 } 4316 name = 1 + (u_char *)(h + 1); 4317 name_len = name[-1]; 4318 secret = name + name_len + 1; 4319 if (name_len > len - 6 || 4320 (secret_len = secret[-1]) > len - 6 - name_len) { 4321 if (debug) { 4322 log(LOG_DEBUG, "%s: pap corrupted input " 4323 "<%s id=0x%x len=%d", 4324 ifp->if_xname, 4325 sppp_auth_type_name(PPP_PAP, h->type), 4326 h->ident, ntohs(h->len)); 4327 if (len > 4) 4328 sppp_print_bytes((u_char *)(h + 1), 4329 len - 4); 4330 addlog(">\n"); 4331 } 4332 break; 4333 } 4334 if (debug) { 4335 log(LOG_DEBUG, "%s: pap input(%s) " 4336 "<%s id=0x%x len=%d name=", 4337 ifp->if_xname, 4338 sppp_state_name(sp->state[IDX_PAP]), 4339 sppp_auth_type_name(PPP_PAP, h->type), 4340 h->ident, ntohs(h->len)); 4341 sppp_print_string((char *)name, name_len); 4342 addlog(" secret="); 4343 sppp_print_string((char *)secret, secret_len); 4344 addlog(">\n"); 4345 } 4346 if (name_len != sp->hisauth.name_len || 4347 secret_len != sp->hisauth.secret_len || 4348 memcmp(name, sp->hisauth.name, name_len) != 0 || 4349 memcmp(secret, sp->hisauth.secret, secret_len) != 0) { 4350 /* action scn, tld */ 4351 sp->pp_auth_failures++; 4352 mlen = sizeof(FAILMSG) - 1; 4353 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4354 sizeof mlen, (const char *)&mlen, 4355 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4356 0); 4357 pap.tld(sp); 4358 break; 4359 } 4360 /* action sca, perhaps tlu */ 4361 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4362 sp->state[IDX_PAP] == STATE_OPENED) { 4363 mlen = sizeof(SUCCMSG) - 1; 4364 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4365 sizeof mlen, (const char *)&mlen, 4366 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4367 0); 4368 } 4369 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4370 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4371 pap.tlu(sp); 4372 } 4373 break; 4374 4375 /* ack and nak are his authproto */ 4376 case PAP_ACK: 4377 callout_stop(&sp->pap_my_to_ch); 4378 if (debug) { 4379 log(LOG_DEBUG, "%s: pap success", 4380 ifp->if_xname); 4381 name = 1 + (u_char *)(h + 1); 4382 name_len = name[-1]; 4383 if (len > 5 && name_len < len+4) { 4384 addlog(": "); 4385 sppp_print_string(name, name_len); 4386 } 4387 addlog("\n"); 4388 } 4389 x = splnet(); 4390 sp->pp_auth_failures = 0; 4391 sp->pp_flags &= ~PP_NEEDAUTH; 4392 if (sp->myauth.proto == PPP_PAP && 4393 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4394 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4395 /* 4396 * We are authenticator for PAP but didn't 4397 * complete yet. Leave it to tlu to proceed 4398 * to network phase. 4399 */ 4400 splx(x); 4401 break; 4402 } 4403 splx(x); 4404 sppp_phase_network(sp); 4405 break; 4406 4407 case PAP_NAK: 4408 callout_stop(&sp->pap_my_to_ch); 4409 sp->pp_auth_failures++; 4410 if (debug) { 4411 log(LOG_INFO, "%s: pap failure", 4412 ifp->if_xname); 4413 name = 1 + (u_char *)(h + 1); 4414 name_len = name[-1]; 4415 if (len > 5 && name_len < len+4) { 4416 addlog(": "); 4417 sppp_print_string(name, name_len); 4418 } 4419 addlog("\n"); 4420 } else 4421 log(LOG_INFO, "%s: pap failure\n", 4422 ifp->if_xname); 4423 /* await LCP shutdown by authenticator */ 4424 break; 4425 4426 default: 4427 /* Unknown PAP packet type -- ignore. */ 4428 if (debug) { 4429 log(LOG_DEBUG, "%s: pap corrupted input " 4430 "<0x%x id=0x%x len=%d", 4431 ifp->if_xname, 4432 h->type, h->ident, ntohs(h->len)); 4433 if (len > 4) 4434 sppp_print_bytes((u_char *)(h + 1), len - 4); 4435 addlog(">\n"); 4436 } 4437 break; 4438 4439 } 4440 } 4441 4442 static void 4443 sppp_pap_init(struct sppp *sp) 4444 { 4445 /* PAP doesn't have STATE_INITIAL at all. */ 4446 sp->state[IDX_PAP] = STATE_CLOSED; 4447 sp->fail_counter[IDX_PAP] = 0; 4448 sp->pp_seq[IDX_PAP] = 0; 4449 sp->pp_rseq[IDX_PAP] = 0; 4450 callout_init(&sp->ch[IDX_PAP], 0); 4451 callout_init(&sp->pap_my_to_ch, 0); 4452 } 4453 4454 static void 4455 sppp_pap_open(struct sppp *sp) 4456 { 4457 if (sp->hisauth.proto == PPP_PAP && 4458 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4459 /* we are authenticator for PAP, start our timer */ 4460 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4461 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4462 } 4463 if (sp->myauth.proto == PPP_PAP) { 4464 /* we are peer, send a request, and start a timer */ 4465 pap.scr(sp); 4466 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout, 4467 sppp_pap_my_TO, sp); 4468 } 4469 } 4470 4471 static void 4472 sppp_pap_close(struct sppp *sp) 4473 { 4474 if (sp->state[IDX_PAP] != STATE_CLOSED) 4475 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4476 } 4477 4478 /* 4479 * That's the timeout routine if we are authenticator. Since the 4480 * authenticator is basically passive in PAP, we can't do much here. 4481 */ 4482 static void 4483 sppp_pap_TO(void *cookie) 4484 { 4485 struct sppp *sp = (struct sppp *)cookie; 4486 STDDCL; 4487 int s; 4488 4489 s = splnet(); 4490 if (debug) 4491 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n", 4492 ifp->if_xname, 4493 sppp_state_name(sp->state[IDX_PAP]), 4494 sp->rst_counter[IDX_PAP]); 4495 4496 if (--sp->rst_counter[IDX_PAP] < 0) 4497 /* TO- event */ 4498 switch (sp->state[IDX_PAP]) { 4499 case STATE_REQ_SENT: 4500 pap.tld(sp); 4501 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4502 break; 4503 } 4504 else 4505 /* TO+ event, not very much we could do */ 4506 switch (sp->state[IDX_PAP]) { 4507 case STATE_REQ_SENT: 4508 /* sppp_cp_change_state() will restart the timer */ 4509 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4510 break; 4511 } 4512 4513 splx(s); 4514 } 4515 4516 /* 4517 * That's the timeout handler if we are peer. Since the peer is active, 4518 * we need to retransmit our PAP request since it is apparently lost. 4519 * XXX We should impose a max counter. 4520 */ 4521 static void 4522 sppp_pap_my_TO(void *cookie) 4523 { 4524 struct sppp *sp = (struct sppp *)cookie; 4525 STDDCL; 4526 4527 if (debug) 4528 log(LOG_DEBUG, "%s: pap peer TO\n", 4529 ifp->if_xname); 4530 4531 pap.scr(sp); 4532 } 4533 4534 static void 4535 sppp_pap_tlu(struct sppp *sp) 4536 { 4537 STDDCL; 4538 int x; 4539 4540 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4541 4542 if (debug) 4543 log(LOG_DEBUG, "%s: %s tlu\n", 4544 ifp->if_xname, pap.name); 4545 4546 x = splnet(); 4547 sp->pp_auth_failures = 0; 4548 /* indicate to LCP that we need to be closed down */ 4549 sp->lcp.protos |= (1 << IDX_PAP); 4550 4551 if (sp->pp_flags & PP_NEEDAUTH) { 4552 /* 4553 * Remote is authenticator, but his auth proto didn't 4554 * complete yet. Defer the transition to network 4555 * phase. 4556 */ 4557 splx(x); 4558 return; 4559 } 4560 splx(x); 4561 sppp_phase_network(sp); 4562 } 4563 4564 static void 4565 sppp_pap_tld(struct sppp *sp) 4566 { 4567 STDDCL; 4568 4569 if (debug) 4570 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname); 4571 callout_stop(&sp->ch[IDX_PAP]); 4572 callout_stop(&sp->pap_my_to_ch); 4573 sp->lcp.protos &= ~(1 << IDX_PAP); 4574 4575 lcp.Close(sp); 4576 } 4577 4578 static void 4579 sppp_pap_scr(struct sppp *sp) 4580 { 4581 u_char idlen, pwdlen; 4582 4583 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4584 /* can't do anything useful */ 4585 printf("%s: pap starting without my name and secret being set\n", 4586 sp->pp_if.if_xname); 4587 return; 4588 } 4589 4590 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4591 pwdlen = sp->myauth.secret_len; 4592 idlen = sp->myauth.name_len; 4593 4594 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 4595 sizeof idlen, (const char *)&idlen, 4596 idlen, sp->myauth.name, 4597 sizeof pwdlen, (const char *)&pwdlen, 4598 pwdlen, sp->myauth.secret, 4599 0); 4600 } 4601 4602 /* 4603 * Random miscellaneous functions. 4604 */ 4605 4606 /* 4607 * Send a PAP or CHAP proto packet. 4608 * 4609 * Varadic function, each of the elements for the ellipsis is of type 4610 * ``size_t mlen, const u_char *msg''. Processing will stop iff 4611 * mlen == 0. 4612 * NOTE: never declare variadic functions with types subject to type 4613 * promotion (i.e. u_char). This is asking for big trouble depending 4614 * on the architecture you are on... 4615 */ 4616 4617 static void 4618 sppp_auth_send(const struct cp *cp, struct sppp *sp, 4619 unsigned int type, unsigned int id, 4620 ...) 4621 { 4622 STDDCL; 4623 struct lcp_header *lh; 4624 struct mbuf *m; 4625 u_char *p; 4626 int len; 4627 size_t pkthdrlen; 4628 unsigned int mlen; 4629 const char *msg; 4630 va_list ap; 4631 4632 MGETHDR(m, M_DONTWAIT, MT_DATA); 4633 if (! m) 4634 return; 4635 m->m_pkthdr.rcvif = 0; 4636 4637 if (sp->pp_flags & PP_NOFRAMING) { 4638 *mtod(m, uint16_t *) = htons(cp->proto); 4639 pkthdrlen = 2; 4640 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 4641 } else { 4642 struct ppp_header *h; 4643 h = mtod(m, struct ppp_header *); 4644 h->address = PPP_ALLSTATIONS; /* broadcast address */ 4645 h->control = PPP_UI; /* Unnumbered Info */ 4646 h->protocol = htons(cp->proto); 4647 pkthdrlen = PPP_HEADER_LEN; 4648 4649 lh = (struct lcp_header *)(h + 1); 4650 } 4651 4652 lh->type = type; 4653 lh->ident = id; 4654 p = (u_char *)(lh + 1); 4655 4656 va_start(ap, id); 4657 len = 0; 4658 4659 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 4660 msg = va_arg(ap, const char *); 4661 len += mlen; 4662 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 4663 va_end(ap); 4664 m_freem(m); 4665 return; 4666 } 4667 4668 memcpy(p, msg, mlen); 4669 p += mlen; 4670 } 4671 va_end(ap); 4672 4673 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 4674 lh->len = htons(LCP_HEADER_LEN + len); 4675 4676 if (debug) { 4677 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 4678 ifp->if_xname, cp->name, 4679 sppp_auth_type_name(cp->proto, lh->type), 4680 lh->ident, ntohs(lh->len)); 4681 if (len) 4682 sppp_print_bytes((u_char *)(lh + 1), len); 4683 addlog(">\n"); 4684 } 4685 if (IF_QFULL(&sp->pp_cpq)) { 4686 IF_DROP(&sp->pp_fastq); 4687 IF_DROP(&ifp->if_snd); 4688 m_freem(m); 4689 ++ifp->if_oerrors; 4690 return; 4691 } else 4692 IF_ENQUEUE(&sp->pp_cpq, m); 4693 if (! (ifp->if_flags & IFF_OACTIVE)) 4694 (*ifp->if_start)(ifp); 4695 ifp->if_obytes += m->m_pkthdr.len + 3; 4696 } 4697 4698 /* 4699 * Send keepalive packets, every 10 seconds. 4700 */ 4701 static void 4702 sppp_keepalive(void *dummy) 4703 { 4704 struct sppp *sp; 4705 int s; 4706 time_t now; 4707 4708 s = splnet(); 4709 now = time_uptime; 4710 for (sp=spppq; sp; sp=sp->pp_next) { 4711 struct ifnet *ifp = &sp->pp_if; 4712 4713 /* check idle timeout */ 4714 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 4715 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 4716 /* idle timeout is enabled for this interface */ 4717 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 4718 if (ifp->if_flags & IFF_DEBUG) 4719 printf("%s: no activity for %lu seconds\n", 4720 sp->pp_if.if_xname, 4721 (unsigned long)(now-sp->pp_last_activity)); 4722 lcp.Close(sp); 4723 continue; 4724 } 4725 } 4726 4727 /* Keepalive mode disabled or channel down? */ 4728 if (! (sp->pp_flags & PP_KEEPALIVE) || 4729 ! (ifp->if_flags & IFF_RUNNING)) 4730 continue; 4731 4732 /* No keepalive in PPP mode if LCP not opened yet. */ 4733 if (! (sp->pp_flags & PP_CISCO) && 4734 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) 4735 continue; 4736 4737 /* No echo reply, but maybe user data passed through? */ 4738 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) { 4739 sp->pp_alivecnt = 0; 4740 continue; 4741 } 4742 4743 if (sp->pp_alivecnt >= sp->pp_maxalive) { 4744 /* No keepalive packets got. Stop the interface. */ 4745 if_down (ifp); 4746 IF_PURGE(&sp->pp_cpq); 4747 if (! (sp->pp_flags & PP_CISCO)) { 4748 printf("%s: LCP keepalive timed out, going to restart the connection\n", 4749 ifp->if_xname); 4750 sp->pp_alivecnt = 0; 4751 4752 /* we are down, close all open protocols */ 4753 lcp.Close(sp); 4754 4755 /* And now prepare LCP to reestablish the link, if configured to do so. */ 4756 sppp_cp_change_state(&lcp, sp, STATE_STOPPED); 4757 4758 /* Close connection immediately, completition of this 4759 * will summon the magic needed to reestablish it. */ 4760 if (sp->pp_tlf) 4761 sp->pp_tlf(sp); 4762 continue; 4763 } 4764 } 4765 if (sp->pp_alivecnt < sp->pp_maxalive) 4766 ++sp->pp_alivecnt; 4767 if (sp->pp_flags & PP_CISCO) 4768 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 4769 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 4770 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 4771 int32_t nmagic = htonl(sp->lcp.magic); 4772 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 4773 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 4774 sp->lcp.echoid, 4, &nmagic); 4775 } 4776 } 4777 splx(s); 4778 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 4779 } 4780 4781 #ifdef INET 4782 /* 4783 * Get both IP addresses. 4784 */ 4785 static void 4786 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 4787 { 4788 struct ifnet *ifp = &sp->pp_if; 4789 struct ifaddr *ifa; 4790 struct sockaddr_in *si, *sm; 4791 uint32_t ssrc, ddst; 4792 4793 sm = NULL; 4794 ssrc = ddst = 0; 4795 /* 4796 * Pick the first AF_INET address from the list, 4797 * aliases don't make any sense on a p2p link anyway. 4798 */ 4799 si = 0; 4800 IFADDR_FOREACH(ifa, ifp) { 4801 if (ifa->ifa_addr->sa_family == AF_INET) { 4802 si = (struct sockaddr_in *)ifa->ifa_addr; 4803 sm = (struct sockaddr_in *)ifa->ifa_netmask; 4804 if (si) 4805 break; 4806 } 4807 } 4808 if (ifa) { 4809 if (si && si->sin_addr.s_addr) { 4810 ssrc = si->sin_addr.s_addr; 4811 if (srcmask) 4812 *srcmask = ntohl(sm->sin_addr.s_addr); 4813 } 4814 4815 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 4816 if (si && si->sin_addr.s_addr) 4817 ddst = si->sin_addr.s_addr; 4818 } 4819 4820 if (dst) *dst = ntohl(ddst); 4821 if (src) *src = ntohl(ssrc); 4822 } 4823 4824 /* 4825 * Set IP addresses. Must be called at splnet. 4826 * If an address is 0, leave it the way it is. 4827 */ 4828 static void 4829 sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr) 4830 { 4831 STDDCL; 4832 struct ifaddr *ifa; 4833 struct sockaddr_in *si, *dest; 4834 4835 /* 4836 * Pick the first AF_INET address from the list, 4837 * aliases don't make any sense on a p2p link anyway. 4838 */ 4839 4840 IFADDR_FOREACH(ifa, ifp) { 4841 if (ifa->ifa_addr->sa_family == AF_INET) { 4842 si = (struct sockaddr_in *)ifa->ifa_addr; 4843 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4844 goto found; 4845 } 4846 } 4847 return; 4848 4849 found: 4850 { 4851 int error, hostIsNew; 4852 struct sockaddr_in new_sin = *si; 4853 struct sockaddr_in new_dst = *dest; 4854 4855 /* 4856 * Scrub old routes now instead of calling in_ifinit with 4857 * scrub=1, because we may change the dstaddr 4858 * before the call to in_ifinit. 4859 */ 4860 in_ifscrub(ifp, ifatoia(ifa)); 4861 4862 hostIsNew = 0; 4863 if (myaddr != 0) { 4864 if (new_sin.sin_addr.s_addr != htonl(myaddr)) { 4865 new_sin.sin_addr.s_addr = htonl(myaddr); 4866 hostIsNew = 1; 4867 } 4868 } 4869 if (hisaddr != 0) { 4870 new_dst.sin_addr.s_addr = htonl(hisaddr); 4871 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) { 4872 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 4873 *dest = new_dst; /* fix dstaddr in place */ 4874 } 4875 } 4876 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, 0, hostIsNew); 4877 if (debug && error) 4878 { 4879 log(LOG_DEBUG, "%s: sppp_set_ip_addrs: in_ifinit " 4880 " failed, error=%d\n", ifp->if_xname, error); 4881 } 4882 if (!error) { 4883 (void)pfil_run_hooks(if_pfil, 4884 (struct mbuf **)SIOCAIFADDR, ifp, PFIL_IFADDR); 4885 } 4886 } 4887 } 4888 4889 /* 4890 * Clear IP addresses. Must be called at splnet. 4891 */ 4892 static void 4893 sppp_clear_ip_addrs(struct sppp *sp) 4894 { 4895 struct ifnet *ifp = &sp->pp_if; 4896 struct ifaddr *ifa; 4897 struct sockaddr_in *si, *dest; 4898 4899 uint32_t remote; 4900 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4901 remote = sp->ipcp.saved_hisaddr; 4902 else 4903 sppp_get_ip_addrs(sp, 0, &remote, 0); 4904 4905 /* 4906 * Pick the first AF_INET address from the list, 4907 * aliases don't make any sense on a p2p link anyway. 4908 */ 4909 4910 IFADDR_FOREACH(ifa, ifp) { 4911 if (ifa->ifa_addr->sa_family == AF_INET) { 4912 si = (struct sockaddr_in *)ifa->ifa_addr; 4913 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4914 goto found; 4915 } 4916 } 4917 return; 4918 4919 found: 4920 { 4921 struct sockaddr_in new_sin = *si; 4922 4923 in_ifscrub(ifp, ifatoia(ifa)); 4924 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 4925 new_sin.sin_addr.s_addr = 0; 4926 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4927 /* replace peer addr in place */ 4928 dest->sin_addr.s_addr = sp->ipcp.saved_hisaddr; 4929 in_ifinit(ifp, ifatoia(ifa), &new_sin, 0, 0); 4930 (void)pfil_run_hooks(if_pfil, 4931 (struct mbuf **)SIOCDIFADDR, ifp, PFIL_IFADDR); 4932 } 4933 } 4934 #endif 4935 4936 #ifdef INET6 4937 /* 4938 * Get both IPv6 addresses. 4939 */ 4940 static void 4941 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 4942 struct in6_addr *srcmask) 4943 { 4944 struct ifnet *ifp = &sp->pp_if; 4945 struct ifaddr *ifa; 4946 struct sockaddr_in6 *si, *sm; 4947 struct in6_addr ssrc, ddst; 4948 4949 sm = NULL; 4950 memset(&ssrc, 0, sizeof(ssrc)); 4951 memset(&ddst, 0, sizeof(ddst)); 4952 /* 4953 * Pick the first link-local AF_INET6 address from the list, 4954 * aliases don't make any sense on a p2p link anyway. 4955 */ 4956 si = 0; 4957 IFADDR_FOREACH(ifa, ifp) 4958 if (ifa->ifa_addr->sa_family == AF_INET6) { 4959 si = (struct sockaddr_in6 *)ifa->ifa_addr; 4960 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 4961 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) 4962 break; 4963 } 4964 if (ifa) { 4965 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 4966 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 4967 if (srcmask) { 4968 memcpy(srcmask, &sm->sin6_addr, 4969 sizeof(*srcmask)); 4970 } 4971 } 4972 4973 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 4974 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 4975 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 4976 } 4977 4978 if (dst) 4979 memcpy(dst, &ddst, sizeof(*dst)); 4980 if (src) 4981 memcpy(src, &ssrc, sizeof(*src)); 4982 } 4983 4984 #ifdef IPV6CP_MYIFID_DYN 4985 /* 4986 * Generate random ifid. 4987 */ 4988 static void 4989 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 4990 { 4991 /* TBD */ 4992 } 4993 4994 /* 4995 * Set my IPv6 address. Must be called at splnet. 4996 */ 4997 static void 4998 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 4999 { 5000 STDDCL; 5001 struct ifaddr *ifa; 5002 struct sockaddr_in6 *sin6; 5003 5004 /* 5005 * Pick the first link-local AF_INET6 address from the list, 5006 * aliases don't make any sense on a p2p link anyway. 5007 */ 5008 5009 sin6 = NULL; 5010 IFADDR_FOREACH(ifa, ifp) 5011 { 5012 if (ifa->ifa_addr->sa_family == AF_INET6) 5013 { 5014 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5015 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 5016 break; 5017 } 5018 } 5019 5020 if (ifa && sin6) 5021 { 5022 int error; 5023 struct sockaddr_in6 new_sin6 = *sin6; 5024 5025 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 5026 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5027 if (debug && error) 5028 { 5029 log(LOG_DEBUG, "%s: sppp_set_ip6_addr: in6_ifinit " 5030 " failed, error=%d\n", ifp->if_xname, error); 5031 } 5032 if (!error) { 5033 (void)pfil_run_hooks(if_pfil, 5034 (struct mbuf **)SIOCAIFADDR_IN6, ifp, PFIL_IFADDR); 5035 } 5036 } 5037 } 5038 #endif 5039 5040 /* 5041 * Suggest a candidate address to be used by peer. 5042 */ 5043 static void 5044 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5045 { 5046 struct in6_addr myaddr; 5047 struct timeval tv; 5048 5049 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5050 5051 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5052 microtime(&tv); 5053 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5054 myaddr.s6_addr[14] ^= 0xff; 5055 myaddr.s6_addr[15] ^= 0xff; 5056 } else { 5057 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5058 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5059 } 5060 if (suggest) 5061 memcpy(suggest, &myaddr, sizeof(myaddr)); 5062 } 5063 #endif /*INET6*/ 5064 5065 /* 5066 * Process ioctl requests specific to the PPP interface. 5067 * Permissions have already been checked. 5068 */ 5069 static int 5070 sppp_params(struct sppp *sp, u_long cmd, void *data) 5071 { 5072 switch (cmd) { 5073 case SPPPGETAUTHCFG: 5074 { 5075 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5076 int error; 5077 size_t len; 5078 5079 cfg->myauthflags = sp->myauth.flags; 5080 cfg->hisauthflags = sp->hisauth.flags; 5081 strncpy(cfg->ifname, sp->pp_if.if_xname, IFNAMSIZ); 5082 cfg->hisauth = 0; 5083 if (sp->hisauth.proto) 5084 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5085 cfg->myauth = 0; 5086 if (sp->myauth.proto) 5087 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5088 if (cfg->myname_length == 0) { 5089 if (sp->myauth.name != NULL) 5090 cfg->myname_length = sp->myauth.name_len + 1; 5091 } else { 5092 if (sp->myauth.name == NULL) { 5093 cfg->myname_length = 0; 5094 } else { 5095 len = sp->myauth.name_len + 1; 5096 if (cfg->myname_length < len) 5097 return (ENAMETOOLONG); 5098 error = copyout(sp->myauth.name, cfg->myname, len); 5099 if (error) return error; 5100 } 5101 } 5102 if (cfg->hisname_length == 0) { 5103 if (sp->hisauth.name != NULL) 5104 cfg->hisname_length = sp->hisauth.name_len + 1; 5105 } else { 5106 if (sp->hisauth.name == NULL) { 5107 cfg->hisname_length = 0; 5108 } else { 5109 len = sp->hisauth.name_len + 1; 5110 if (cfg->hisname_length < len) 5111 return (ENAMETOOLONG); 5112 error = copyout(sp->hisauth.name, cfg->hisname, len); 5113 if (error) return error; 5114 } 5115 } 5116 } 5117 break; 5118 case SPPPSETAUTHCFG: 5119 { 5120 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5121 int error; 5122 5123 if (sp->myauth.name) { 5124 free(sp->myauth.name, M_DEVBUF); 5125 sp->myauth.name = NULL; 5126 } 5127 if (sp->myauth.secret) { 5128 free(sp->myauth.secret, M_DEVBUF); 5129 sp->myauth.secret = NULL; 5130 } 5131 if (sp->hisauth.name) { 5132 free(sp->hisauth.name, M_DEVBUF); 5133 sp->hisauth.name = NULL; 5134 } 5135 if (sp->hisauth.secret) { 5136 free(sp->hisauth.secret, M_DEVBUF); 5137 sp->hisauth.secret = NULL; 5138 } 5139 5140 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 5141 if (cfg->hisname_length >= MCLBYTES) 5142 return (ENAMETOOLONG); 5143 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 5144 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 5145 if (error) { 5146 free(sp->hisauth.name, M_DEVBUF); 5147 sp->hisauth.name = NULL; 5148 return error; 5149 } 5150 sp->hisauth.name_len = cfg->hisname_length - 1; 5151 sp->hisauth.name[sp->hisauth.name_len] = 0; 5152 } 5153 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 5154 if (cfg->hissecret_length >= MCLBYTES) 5155 return (ENAMETOOLONG); 5156 sp->hisauth.secret = malloc(cfg->hissecret_length, M_DEVBUF, M_WAITOK); 5157 error = copyin(cfg->hissecret, sp->hisauth.secret, cfg->hissecret_length); 5158 if (error) { 5159 free(sp->hisauth.secret, M_DEVBUF); 5160 sp->hisauth.secret = NULL; 5161 return error; 5162 } 5163 sp->hisauth.secret_len = cfg->hissecret_length - 1; 5164 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 5165 } 5166 if (cfg->myname != NULL && cfg->myname_length > 0) { 5167 if (cfg->myname_length >= MCLBYTES) 5168 return (ENAMETOOLONG); 5169 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 5170 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 5171 if (error) { 5172 free(sp->myauth.name, M_DEVBUF); 5173 sp->myauth.name = NULL; 5174 return error; 5175 } 5176 sp->myauth.name_len = cfg->myname_length - 1; 5177 sp->myauth.name[sp->myauth.name_len] = 0; 5178 } 5179 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 5180 if (cfg->mysecret_length >= MCLBYTES) 5181 return (ENAMETOOLONG); 5182 sp->myauth.secret = malloc(cfg->mysecret_length, M_DEVBUF, M_WAITOK); 5183 error = copyin(cfg->mysecret, sp->myauth.secret, cfg->mysecret_length); 5184 if (error) { 5185 free(sp->myauth.secret, M_DEVBUF); 5186 sp->myauth.secret = NULL; 5187 return error; 5188 } 5189 sp->myauth.secret_len = cfg->mysecret_length - 1; 5190 sp->myauth.secret[sp->myauth.secret_len] = 0; 5191 } 5192 sp->myauth.flags = cfg->myauthflags; 5193 if (cfg->myauth) 5194 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5195 sp->hisauth.flags = cfg->hisauthflags; 5196 if (cfg->hisauth) 5197 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5198 sp->pp_auth_failures = 0; 5199 if (sp->hisauth.proto != 0) 5200 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 5201 else 5202 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 5203 } 5204 break; 5205 case SPPPGETLCPCFG: 5206 { 5207 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5208 lcpp->lcp_timeout = sp->lcp.timeout; 5209 } 5210 break; 5211 case SPPPSETLCPCFG: 5212 { 5213 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5214 sp->lcp.timeout = lcpp->lcp_timeout; 5215 } 5216 break; 5217 case SPPPGETSTATUS: 5218 { 5219 struct spppstatus *status = (struct spppstatus *)data; 5220 status->phase = sp->pp_phase; 5221 } 5222 break; 5223 case SPPPGETSTATUSNCP: 5224 { 5225 struct spppstatusncp *status = (struct spppstatusncp *)data; 5226 status->phase = sp->pp_phase; 5227 status->ncpup = sppp_ncp_check(sp); 5228 } 5229 break; 5230 case SPPPGETIDLETO: 5231 { 5232 struct spppidletimeout *to = (struct spppidletimeout *)data; 5233 to->idle_seconds = sp->pp_idle_timeout; 5234 } 5235 break; 5236 case SPPPSETIDLETO: 5237 { 5238 struct spppidletimeout *to = (struct spppidletimeout *)data; 5239 sp->pp_idle_timeout = to->idle_seconds; 5240 } 5241 break; 5242 case SPPPSETAUTHFAILURE: 5243 { 5244 struct spppauthfailuresettings *afsettings = (struct spppauthfailuresettings *)data; 5245 sp->pp_max_auth_fail = afsettings->max_failures; 5246 sp->pp_auth_failures = 0; 5247 } 5248 break; 5249 case SPPPGETAUTHFAILURES: 5250 { 5251 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 5252 stats->auth_failures = sp->pp_auth_failures; 5253 stats->max_failures = sp->pp_max_auth_fail; 5254 } 5255 break; 5256 case SPPPSETDNSOPTS: 5257 { 5258 struct spppdnssettings *req = (struct spppdnssettings *)data; 5259 sp->query_dns = req->query_dns & 3; 5260 } 5261 break; 5262 case SPPPGETDNSOPTS: 5263 { 5264 struct spppdnssettings *req = (struct spppdnssettings *)data; 5265 req->query_dns = sp->query_dns; 5266 } 5267 break; 5268 case SPPPGETDNSADDRS: 5269 { 5270 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 5271 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 5272 } 5273 break; 5274 case SPPPGETKEEPALIVE: 5275 { 5276 struct spppkeepalivesettings *settings = 5277 (struct spppkeepalivesettings*)data; 5278 settings->maxalive = sp->pp_maxalive; 5279 settings->max_noreceive = sp->pp_max_noreceive; 5280 } 5281 break; 5282 case SPPPSETKEEPALIVE: 5283 { 5284 struct spppkeepalivesettings *settings = 5285 (struct spppkeepalivesettings*)data; 5286 sp->pp_maxalive = settings->maxalive; 5287 sp->pp_max_noreceive = settings->max_noreceive; 5288 } 5289 break; 5290 #if defined(COMPAT_50) || defined(MODULAR) 5291 case __SPPPGETIDLETO50: 5292 { 5293 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5294 to->idle_seconds = (uint32_t)sp->pp_idle_timeout; 5295 } 5296 break; 5297 case __SPPPSETIDLETO50: 5298 { 5299 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5300 sp->pp_idle_timeout = (time_t)to->idle_seconds; 5301 } 5302 break; 5303 case __SPPPGETKEEPALIVE50: 5304 { 5305 struct spppkeepalivesettings50 *settings = 5306 (struct spppkeepalivesettings50*)data; 5307 settings->maxalive = sp->pp_maxalive; 5308 settings->max_noreceive = (uint32_t)sp->pp_max_noreceive; 5309 } 5310 break; 5311 case __SPPPSETKEEPALIVE50: 5312 { 5313 struct spppkeepalivesettings50 *settings = 5314 (struct spppkeepalivesettings50*)data; 5315 sp->pp_maxalive = settings->maxalive; 5316 sp->pp_max_noreceive = (time_t)settings->max_noreceive; 5317 } 5318 break; 5319 #endif /* COMPAT_50 || MODULAR */ 5320 default: 5321 return (EINVAL); 5322 } 5323 5324 return (0); 5325 } 5326 5327 static void 5328 sppp_phase_network(struct sppp *sp) 5329 { 5330 STDDCL; 5331 int i; 5332 uint32_t mask; 5333 5334 sp->pp_phase = SPPP_PHASE_NETWORK; 5335 5336 if (debug) 5337 { 5338 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 5339 sppp_phase_name(sp->pp_phase)); 5340 } 5341 5342 /* Notify NCPs now. */ 5343 for (i = 0; i < IDX_COUNT; i++) 5344 if ((cps[i])->flags & CP_NCP) 5345 (cps[i])->Open(sp); 5346 5347 /* Send Up events to all NCPs. */ 5348 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5349 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) 5350 (cps[i])->Up(sp); 5351 5352 /* if no NCP is starting, all this was in vain, close down */ 5353 sppp_lcp_check_and_close(sp); 5354 } 5355 5356 5357 static const char * 5358 sppp_cp_type_name(u_char type) 5359 { 5360 static char buf[12]; 5361 switch (type) { 5362 case CONF_REQ: return "conf-req"; 5363 case CONF_ACK: return "conf-ack"; 5364 case CONF_NAK: return "conf-nak"; 5365 case CONF_REJ: return "conf-rej"; 5366 case TERM_REQ: return "term-req"; 5367 case TERM_ACK: return "term-ack"; 5368 case CODE_REJ: return "code-rej"; 5369 case PROTO_REJ: return "proto-rej"; 5370 case ECHO_REQ: return "echo-req"; 5371 case ECHO_REPLY: return "echo-reply"; 5372 case DISC_REQ: return "discard-req"; 5373 } 5374 snprintf(buf, sizeof(buf), "0x%x", type); 5375 return buf; 5376 } 5377 5378 static const char * 5379 sppp_auth_type_name(u_short proto, u_char type) 5380 { 5381 static char buf[12]; 5382 switch (proto) { 5383 case PPP_CHAP: 5384 switch (type) { 5385 case CHAP_CHALLENGE: return "challenge"; 5386 case CHAP_RESPONSE: return "response"; 5387 case CHAP_SUCCESS: return "success"; 5388 case CHAP_FAILURE: return "failure"; 5389 } 5390 case PPP_PAP: 5391 switch (type) { 5392 case PAP_REQ: return "req"; 5393 case PAP_ACK: return "ack"; 5394 case PAP_NAK: return "nak"; 5395 } 5396 } 5397 snprintf(buf, sizeof(buf), "0x%x", type); 5398 return buf; 5399 } 5400 5401 static const char * 5402 sppp_lcp_opt_name(u_char opt) 5403 { 5404 static char buf[12]; 5405 switch (opt) { 5406 case LCP_OPT_MRU: return "mru"; 5407 case LCP_OPT_ASYNC_MAP: return "async-map"; 5408 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 5409 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 5410 case LCP_OPT_MAGIC: return "magic"; 5411 case LCP_OPT_PROTO_COMP: return "proto-comp"; 5412 case LCP_OPT_ADDR_COMP: return "addr-comp"; 5413 } 5414 snprintf(buf, sizeof(buf), "0x%x", opt); 5415 return buf; 5416 } 5417 5418 static const char * 5419 sppp_ipcp_opt_name(u_char opt) 5420 { 5421 static char buf[12]; 5422 switch (opt) { 5423 case IPCP_OPT_ADDRESSES: return "addresses"; 5424 case IPCP_OPT_COMPRESSION: return "compression"; 5425 case IPCP_OPT_ADDRESS: return "address"; 5426 } 5427 snprintf(buf, sizeof(buf), "0x%x", opt); 5428 return buf; 5429 } 5430 5431 #ifdef INET6 5432 static const char * 5433 sppp_ipv6cp_opt_name(u_char opt) 5434 { 5435 static char buf[12]; 5436 switch (opt) { 5437 case IPV6CP_OPT_IFID: return "ifid"; 5438 case IPV6CP_OPT_COMPRESSION: return "compression"; 5439 } 5440 snprintf(buf, sizeof(buf), "0x%x", opt); 5441 return buf; 5442 } 5443 #endif 5444 5445 static const char * 5446 sppp_state_name(int state) 5447 { 5448 switch (state) { 5449 case STATE_INITIAL: return "initial"; 5450 case STATE_STARTING: return "starting"; 5451 case STATE_CLOSED: return "closed"; 5452 case STATE_STOPPED: return "stopped"; 5453 case STATE_CLOSING: return "closing"; 5454 case STATE_STOPPING: return "stopping"; 5455 case STATE_REQ_SENT: return "req-sent"; 5456 case STATE_ACK_RCVD: return "ack-rcvd"; 5457 case STATE_ACK_SENT: return "ack-sent"; 5458 case STATE_OPENED: return "opened"; 5459 } 5460 return "illegal"; 5461 } 5462 5463 static const char * 5464 sppp_phase_name(int phase) 5465 { 5466 switch (phase) { 5467 case SPPP_PHASE_DEAD: return "dead"; 5468 case SPPP_PHASE_ESTABLISH: return "establish"; 5469 case SPPP_PHASE_TERMINATE: return "terminate"; 5470 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 5471 case SPPP_PHASE_NETWORK: return "network"; 5472 } 5473 return "illegal"; 5474 } 5475 5476 static const char * 5477 sppp_proto_name(u_short proto) 5478 { 5479 static char buf[12]; 5480 switch (proto) { 5481 case PPP_LCP: return "lcp"; 5482 case PPP_IPCP: return "ipcp"; 5483 case PPP_PAP: return "pap"; 5484 case PPP_CHAP: return "chap"; 5485 case PPP_IPV6CP: return "ipv6cp"; 5486 } 5487 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto); 5488 return buf; 5489 } 5490 5491 static void 5492 sppp_print_bytes(const u_char *p, u_short len) 5493 { 5494 addlog(" %02x", *p++); 5495 while (--len > 0) 5496 addlog("-%02x", *p++); 5497 } 5498 5499 static void 5500 sppp_print_string(const char *p, u_short len) 5501 { 5502 u_char c; 5503 5504 while (len-- > 0) { 5505 c = *p++; 5506 /* 5507 * Print only ASCII chars directly. RFC 1994 recommends 5508 * using only them, but we don't rely on it. */ 5509 if (c < ' ' || c > '~') 5510 addlog("\\x%x", c); 5511 else 5512 addlog("%c", c); 5513 } 5514 } 5515 5516 static const char * 5517 sppp_dotted_quad(uint32_t addr) 5518 { 5519 static char s[16]; 5520 snprintf(s, sizeof(s), "%d.%d.%d.%d", 5521 (int)((addr >> 24) & 0xff), 5522 (int)((addr >> 16) & 0xff), 5523 (int)((addr >> 8) & 0xff), 5524 (int)(addr & 0xff)); 5525 return s; 5526 } 5527 5528 /* a dummy, used to drop uninteresting events */ 5529 static void 5530 sppp_null(struct sppp *unused) 5531 { 5532 /* do just nothing */ 5533 } 5534 /* 5535 * This file is large. Tell emacs to highlight it nevertheless. 5536 * 5537 * Local Variables: 5538 * hilit-auto-highlight-maxout: 120000 5539 * End: 5540 */ 5541