1 /* $NetBSD: if_spppsubr.c,v 1.141 2016/04/28 00:16:56 ozaki-r Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak@cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun@iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.141 2016/04/28 00:16:56 ozaki-r Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_modular.h" 49 #include "opt_compat_netbsd.h" 50 #endif 51 52 53 #include <sys/param.h> 54 #include <sys/proc.h> 55 #include <sys/systm.h> 56 #include <sys/kernel.h> 57 #include <sys/sockio.h> 58 #include <sys/socket.h> 59 #include <sys/syslog.h> 60 #include <sys/malloc.h> 61 #include <sys/mbuf.h> 62 #include <sys/callout.h> 63 #include <sys/md5.h> 64 #include <sys/inttypes.h> 65 #include <sys/kauth.h> 66 #include <sys/cprng.h> 67 68 #include <net/if.h> 69 #include <net/netisr.h> 70 #include <net/if_types.h> 71 #include <net/route.h> 72 #include <net/ppp_defs.h> 73 74 #include <netinet/in.h> 75 #include <netinet/in_systm.h> 76 #include <netinet/in_var.h> 77 #ifdef INET 78 #include <netinet/ip.h> 79 #include <netinet/tcp.h> 80 #endif 81 #include <net/ethertypes.h> 82 83 #ifdef INET6 84 #include <netinet6/scope6_var.h> 85 #endif 86 87 #include <net/if_sppp.h> 88 #include <net/if_spppvar.h> 89 90 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 91 #define LOOPALIVECNT 3 /* loopback detection tries */ 92 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 93 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 94 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 95 96 /* 97 * Interface flags that can be set in an ifconfig command. 98 * 99 * Setting link0 will make the link passive, i.e. it will be marked 100 * as being administrative openable, but won't be opened to begin 101 * with. Incoming calls will be answered, or subsequent calls with 102 * -link1 will cause the administrative open of the LCP layer. 103 * 104 * Setting link1 will cause the link to auto-dial only as packets 105 * arrive to be sent. 106 * 107 * Setting IFF_DEBUG will syslog the option negotiation and state 108 * transitions at level kern.debug. Note: all logs consistently look 109 * like 110 * 111 * <if-name><unit>: <proto-name> <additional info...> 112 * 113 * with <if-name><unit> being something like "bppp0", and <proto-name> 114 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 115 */ 116 117 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 118 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 119 120 #define CONF_REQ 1 /* PPP configure request */ 121 #define CONF_ACK 2 /* PPP configure acknowledge */ 122 #define CONF_NAK 3 /* PPP configure negative ack */ 123 #define CONF_REJ 4 /* PPP configure reject */ 124 #define TERM_REQ 5 /* PPP terminate request */ 125 #define TERM_ACK 6 /* PPP terminate acknowledge */ 126 #define CODE_REJ 7 /* PPP code reject */ 127 #define PROTO_REJ 8 /* PPP protocol reject */ 128 #define ECHO_REQ 9 /* PPP echo request */ 129 #define ECHO_REPLY 10 /* PPP echo reply */ 130 #define DISC_REQ 11 /* PPP discard request */ 131 132 #define LCP_OPT_MRU 1 /* maximum receive unit */ 133 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 134 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 135 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 136 #define LCP_OPT_MAGIC 5 /* magic number */ 137 #define LCP_OPT_RESERVED 6 /* reserved */ 138 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 139 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 140 141 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 142 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 143 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 144 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 145 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 146 147 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 148 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 149 150 #define PAP_REQ 1 /* PAP name/password request */ 151 #define PAP_ACK 2 /* PAP acknowledge */ 152 #define PAP_NAK 3 /* PAP fail */ 153 154 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 155 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 156 #define CHAP_SUCCESS 3 /* CHAP response ok */ 157 #define CHAP_FAILURE 4 /* CHAP response failed */ 158 159 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 160 161 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 162 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 163 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 164 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 165 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 166 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 167 168 /* states are named and numbered according to RFC 1661 */ 169 #define STATE_INITIAL 0 170 #define STATE_STARTING 1 171 #define STATE_CLOSED 2 172 #define STATE_STOPPED 3 173 #define STATE_CLOSING 4 174 #define STATE_STOPPING 5 175 #define STATE_REQ_SENT 6 176 #define STATE_ACK_RCVD 7 177 #define STATE_ACK_SENT 8 178 #define STATE_OPENED 9 179 180 struct ppp_header { 181 uint8_t address; 182 uint8_t control; 183 uint16_t protocol; 184 } __packed; 185 #define PPP_HEADER_LEN sizeof (struct ppp_header) 186 187 struct lcp_header { 188 uint8_t type; 189 uint8_t ident; 190 uint16_t len; 191 } __packed; 192 #define LCP_HEADER_LEN sizeof (struct lcp_header) 193 194 struct cisco_packet { 195 uint32_t type; 196 uint32_t par1; 197 uint32_t par2; 198 uint16_t rel; 199 uint16_t time0; 200 uint16_t time1; 201 } __packed; 202 #define CISCO_PACKET_LEN 18 203 204 /* 205 * We follow the spelling and capitalization of RFC 1661 here, to make 206 * it easier comparing with the standard. Please refer to this RFC in 207 * case you can't make sense out of these abbreviation; it will also 208 * explain the semantics related to the various events and actions. 209 */ 210 struct cp { 211 u_short proto; /* PPP control protocol number */ 212 u_char protoidx; /* index into state table in struct sppp */ 213 u_char flags; 214 #define CP_LCP 0x01 /* this is the LCP */ 215 #define CP_AUTH 0x02 /* this is an authentication protocol */ 216 #define CP_NCP 0x04 /* this is a NCP */ 217 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 218 const char *name; /* name of this control protocol */ 219 /* event handlers */ 220 void (*Up)(struct sppp *sp); 221 void (*Down)(struct sppp *sp); 222 void (*Open)(struct sppp *sp); 223 void (*Close)(struct sppp *sp); 224 void (*TO)(void *sp); 225 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 226 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 227 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 228 /* actions */ 229 void (*tlu)(struct sppp *sp); 230 void (*tld)(struct sppp *sp); 231 void (*tls)(struct sppp *sp); 232 void (*tlf)(struct sppp *sp); 233 void (*scr)(struct sppp *sp); 234 }; 235 236 static struct sppp *spppq; 237 static callout_t keepalive_ch; 238 239 #ifdef INET 240 /* 241 * The following disgusting hack gets around the problem that IP TOS 242 * can't be set yet. We want to put "interactive" traffic on a high 243 * priority queue. To decide if traffic is interactive, we check that 244 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 245 * 246 * XXX is this really still necessary? - joerg - 247 */ 248 static u_short interactive_ports[8] = { 249 0, 513, 0, 0, 250 0, 21, 0, 23, 251 }; 252 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 253 #endif 254 255 /* almost every function needs these */ 256 #define STDDCL \ 257 struct ifnet *ifp = &sp->pp_if; \ 258 int debug = ifp->if_flags & IFF_DEBUG 259 260 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 261 const struct sockaddr *dst, const struct rtentry *rt); 262 263 static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2); 264 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 265 266 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 267 struct mbuf *m); 268 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 269 u_char ident, u_short len, void *data); 270 /* static void sppp_cp_timeout(void *arg); */ 271 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 272 int newstate); 273 static void sppp_auth_send(const struct cp *cp, 274 struct sppp *sp, unsigned int type, unsigned int id, 275 ...); 276 277 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 278 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 279 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 280 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 281 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 282 283 static void sppp_null(struct sppp *sp); 284 285 static void sppp_lcp_init(struct sppp *sp); 286 static void sppp_lcp_up(struct sppp *sp); 287 static void sppp_lcp_down(struct sppp *sp); 288 static void sppp_lcp_open(struct sppp *sp); 289 static void sppp_lcp_close(struct sppp *sp); 290 static void sppp_lcp_TO(void *sp); 291 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 292 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 293 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 294 static void sppp_lcp_tlu(struct sppp *sp); 295 static void sppp_lcp_tld(struct sppp *sp); 296 static void sppp_lcp_tls(struct sppp *sp); 297 static void sppp_lcp_tlf(struct sppp *sp); 298 static void sppp_lcp_scr(struct sppp *sp); 299 static void sppp_lcp_check_and_close(struct sppp *sp); 300 static int sppp_ncp_check(struct sppp *sp); 301 302 static void sppp_ipcp_init(struct sppp *sp); 303 static void sppp_ipcp_up(struct sppp *sp); 304 static void sppp_ipcp_down(struct sppp *sp); 305 static void sppp_ipcp_open(struct sppp *sp); 306 static void sppp_ipcp_close(struct sppp *sp); 307 static void sppp_ipcp_TO(void *sp); 308 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 309 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 310 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 311 static void sppp_ipcp_tlu(struct sppp *sp); 312 static void sppp_ipcp_tld(struct sppp *sp); 313 static void sppp_ipcp_tls(struct sppp *sp); 314 static void sppp_ipcp_tlf(struct sppp *sp); 315 static void sppp_ipcp_scr(struct sppp *sp); 316 317 static void sppp_ipv6cp_init(struct sppp *sp); 318 static void sppp_ipv6cp_up(struct sppp *sp); 319 static void sppp_ipv6cp_down(struct sppp *sp); 320 static void sppp_ipv6cp_open(struct sppp *sp); 321 static void sppp_ipv6cp_close(struct sppp *sp); 322 static void sppp_ipv6cp_TO(void *sp); 323 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 324 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 325 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 326 static void sppp_ipv6cp_tlu(struct sppp *sp); 327 static void sppp_ipv6cp_tld(struct sppp *sp); 328 static void sppp_ipv6cp_tls(struct sppp *sp); 329 static void sppp_ipv6cp_tlf(struct sppp *sp); 330 static void sppp_ipv6cp_scr(struct sppp *sp); 331 332 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 333 static void sppp_pap_init(struct sppp *sp); 334 static void sppp_pap_open(struct sppp *sp); 335 static void sppp_pap_close(struct sppp *sp); 336 static void sppp_pap_TO(void *sp); 337 static void sppp_pap_my_TO(void *sp); 338 static void sppp_pap_tlu(struct sppp *sp); 339 static void sppp_pap_tld(struct sppp *sp); 340 static void sppp_pap_scr(struct sppp *sp); 341 342 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 343 static void sppp_chap_init(struct sppp *sp); 344 static void sppp_chap_open(struct sppp *sp); 345 static void sppp_chap_close(struct sppp *sp); 346 static void sppp_chap_TO(void *sp); 347 static void sppp_chap_tlu(struct sppp *sp); 348 static void sppp_chap_tld(struct sppp *sp); 349 static void sppp_chap_scr(struct sppp *sp); 350 351 static const char *sppp_auth_type_name(u_short proto, u_char type); 352 static const char *sppp_cp_type_name(u_char type); 353 static const char *sppp_dotted_quad(uint32_t addr); 354 static const char *sppp_ipcp_opt_name(u_char opt); 355 #ifdef INET6 356 static const char *sppp_ipv6cp_opt_name(u_char opt); 357 #endif 358 static const char *sppp_lcp_opt_name(u_char opt); 359 static const char *sppp_phase_name(int phase); 360 static const char *sppp_proto_name(u_short proto); 361 static const char *sppp_state_name(int state); 362 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 363 #ifdef INET 364 static void sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, 365 uint32_t *srcmask); 366 static void sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr); 367 static void sppp_clear_ip_addrs(struct sppp *sp); 368 #endif 369 static void sppp_keepalive(void *dummy); 370 static void sppp_phase_network(struct sppp *sp); 371 static void sppp_print_bytes(const u_char *p, u_short len); 372 static void sppp_print_string(const char *p, u_short len); 373 #ifdef INET6 374 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 375 struct in6_addr *dst, struct in6_addr *srcmask); 376 #ifdef IPV6CP_MYIFID_DYN 377 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 378 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 379 #endif 380 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 381 #endif 382 383 /* our control protocol descriptors */ 384 static const struct cp lcp = { 385 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 386 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 387 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 388 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 389 sppp_lcp_scr 390 }; 391 392 static const struct cp ipcp = { 393 PPP_IPCP, IDX_IPCP, 394 #ifdef INET 395 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 396 #else 397 0, 398 #endif 399 "ipcp", 400 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 401 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 402 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 403 sppp_ipcp_scr 404 }; 405 406 static const struct cp ipv6cp = { 407 PPP_IPV6CP, IDX_IPV6CP, 408 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 409 CP_NCP, 410 #else 411 0, 412 #endif 413 "ipv6cp", 414 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 415 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 416 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 417 sppp_ipv6cp_scr 418 }; 419 420 static const struct cp pap = { 421 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 422 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 423 sppp_pap_TO, 0, 0, 0, 424 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 425 sppp_pap_scr 426 }; 427 428 static const struct cp chap = { 429 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 430 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 431 sppp_chap_TO, 0, 0, 0, 432 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 433 sppp_chap_scr 434 }; 435 436 static const struct cp *cps[IDX_COUNT] = { 437 &lcp, /* IDX_LCP */ 438 &ipcp, /* IDX_IPCP */ 439 &ipv6cp, /* IDX_IPV6CP */ 440 &pap, /* IDX_PAP */ 441 &chap, /* IDX_CHAP */ 442 }; 443 444 445 /* 446 * Exported functions, comprising our interface to the lower layer. 447 */ 448 449 /* 450 * Process the received packet. 451 */ 452 void 453 sppp_input(struct ifnet *ifp, struct mbuf *m) 454 { 455 struct ppp_header *h = NULL; 456 pktqueue_t *pktq = NULL; 457 struct ifqueue *inq = NULL; 458 uint16_t protocol; 459 int s; 460 struct sppp *sp = (struct sppp *)ifp; 461 int debug = ifp->if_flags & IFF_DEBUG; 462 int isr = 0; 463 464 if (ifp->if_flags & IFF_UP) { 465 /* Count received bytes, add hardware framing */ 466 ifp->if_ibytes += m->m_pkthdr.len + sp->pp_framebytes; 467 /* Note time of last receive */ 468 sp->pp_last_receive = time_uptime; 469 } 470 471 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 472 /* Too small packet, drop it. */ 473 if (debug) 474 log(LOG_DEBUG, 475 "%s: input packet is too small, %d bytes\n", 476 ifp->if_xname, m->m_pkthdr.len); 477 drop: 478 ++ifp->if_ierrors; 479 ++ifp->if_iqdrops; 480 m_freem(m); 481 return; 482 } 483 484 if (sp->pp_flags & PP_NOFRAMING) { 485 memcpy(&protocol, mtod(m, void *), 2); 486 protocol = ntohs(protocol); 487 m_adj(m, 2); 488 } else { 489 490 /* Get PPP header. */ 491 h = mtod(m, struct ppp_header *); 492 m_adj(m, PPP_HEADER_LEN); 493 494 switch (h->address) { 495 case PPP_ALLSTATIONS: 496 if (h->control != PPP_UI) 497 goto invalid; 498 if (sp->pp_flags & PP_CISCO) { 499 if (debug) 500 log(LOG_DEBUG, 501 "%s: PPP packet in Cisco mode " 502 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 503 ifp->if_xname, 504 h->address, h->control, ntohs(h->protocol)); 505 goto drop; 506 } 507 break; 508 case CISCO_MULTICAST: 509 case CISCO_UNICAST: 510 /* Don't check the control field here (RFC 1547). */ 511 if (! (sp->pp_flags & PP_CISCO)) { 512 if (debug) 513 log(LOG_DEBUG, 514 "%s: Cisco packet in PPP mode " 515 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 516 ifp->if_xname, 517 h->address, h->control, ntohs(h->protocol)); 518 goto drop; 519 } 520 switch (ntohs(h->protocol)) { 521 default: 522 ++ifp->if_noproto; 523 goto invalid; 524 case CISCO_KEEPALIVE: 525 sppp_cisco_input((struct sppp *) ifp, m); 526 m_freem(m); 527 return; 528 #ifdef INET 529 case ETHERTYPE_IP: 530 pktq = ip_pktq; 531 break; 532 #endif 533 #ifdef INET6 534 case ETHERTYPE_IPV6: 535 pktq = ip6_pktq; 536 break; 537 #endif 538 } 539 goto queue_pkt; 540 default: /* Invalid PPP packet. */ 541 invalid: 542 if (debug) 543 log(LOG_DEBUG, 544 "%s: invalid input packet " 545 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 546 ifp->if_xname, 547 h->address, h->control, ntohs(h->protocol)); 548 goto drop; 549 } 550 protocol = ntohs(h->protocol); 551 } 552 553 switch (protocol) { 554 default: 555 if (sp->state[IDX_LCP] == STATE_OPENED) { 556 uint16_t prot = htons(protocol); 557 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 558 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 559 &prot); 560 } 561 if (debug) 562 log(LOG_DEBUG, 563 "%s: invalid input protocol " 564 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol)); 565 ++ifp->if_noproto; 566 goto drop; 567 case PPP_LCP: 568 sppp_cp_input(&lcp, sp, m); 569 m_freem(m); 570 return; 571 case PPP_PAP: 572 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 573 sppp_pap_input(sp, m); 574 m_freem(m); 575 return; 576 case PPP_CHAP: 577 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 578 sppp_chap_input(sp, m); 579 m_freem(m); 580 return; 581 #ifdef INET 582 case PPP_IPCP: 583 if (sp->pp_phase == SPPP_PHASE_NETWORK) 584 sppp_cp_input(&ipcp, sp, m); 585 m_freem(m); 586 return; 587 case PPP_IP: 588 if (sp->state[IDX_IPCP] == STATE_OPENED) { 589 sp->pp_last_activity = time_uptime; 590 pktq = ip_pktq; 591 } 592 break; 593 #endif 594 #ifdef INET6 595 case PPP_IPV6CP: 596 if (sp->pp_phase == SPPP_PHASE_NETWORK) 597 sppp_cp_input(&ipv6cp, sp, m); 598 m_freem(m); 599 return; 600 601 case PPP_IPV6: 602 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 603 sp->pp_last_activity = time_uptime; 604 pktq = ip6_pktq; 605 } 606 break; 607 #endif 608 } 609 610 queue_pkt: 611 if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) { 612 goto drop; 613 } 614 615 /* Check queue. */ 616 if (__predict_true(pktq)) { 617 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 618 goto drop; 619 } 620 return; 621 } 622 623 s = splnet(); 624 if (IF_QFULL(inq)) { 625 /* Queue overflow. */ 626 IF_DROP(inq); 627 splx(s); 628 if (debug) 629 log(LOG_DEBUG, "%s: protocol queue overflow\n", 630 ifp->if_xname); 631 goto drop; 632 } 633 IF_ENQUEUE(inq, m); 634 schednetisr(isr); 635 splx(s); 636 } 637 638 /* 639 * Enqueue transmit packet. 640 */ 641 static int 642 sppp_output(struct ifnet *ifp, struct mbuf *m, 643 const struct sockaddr *dst, const struct rtentry *rt) 644 { 645 struct sppp *sp = (struct sppp *) ifp; 646 struct ppp_header *h = NULL; 647 struct ifqueue *ifq = NULL; /* XXX */ 648 int s, error = 0; 649 uint16_t protocol; 650 651 s = splnet(); 652 653 sp->pp_last_activity = time_uptime; 654 655 if ((ifp->if_flags & IFF_UP) == 0 || 656 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 657 m_freem(m); 658 splx(s); 659 return (ENETDOWN); 660 } 661 662 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 663 /* 664 * Interface is not yet running, but auto-dial. Need 665 * to start LCP for it. 666 */ 667 ifp->if_flags |= IFF_RUNNING; 668 splx(s); 669 lcp.Open(sp); 670 s = splnet(); 671 } 672 673 /* 674 * If the queueing discipline needs packet classification, 675 * do it before prepending link headers. 676 */ 677 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family); 678 679 #ifdef INET 680 if (dst->sa_family == AF_INET) { 681 struct ip *ip = NULL; 682 struct tcphdr *th = NULL; 683 684 if (m->m_len >= sizeof(struct ip)) { 685 ip = mtod(m, struct ip *); 686 if (ip->ip_p == IPPROTO_TCP && 687 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 688 sizeof(struct tcphdr)) { 689 th = (struct tcphdr *) 690 ((char *)ip + (ip->ip_hl << 2)); 691 } 692 } else 693 ip = NULL; 694 695 /* 696 * When using dynamic local IP address assignment by using 697 * 0.0.0.0 as a local address, the first TCP session will 698 * not connect because the local TCP checksum is computed 699 * using 0.0.0.0 which will later become our real IP address 700 * so the TCP checksum computed at the remote end will 701 * become invalid. So we 702 * - don't let packets with src ip addr 0 thru 703 * - we flag TCP packets with src ip 0 as an error 704 */ 705 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 706 uint8_t proto = ip->ip_p; 707 708 m_freem(m); 709 splx(s); 710 if (proto == IPPROTO_TCP) 711 return (EADDRNOTAVAIL); 712 else 713 return (0); 714 } 715 716 /* 717 * Put low delay, telnet, rlogin and ftp control packets 718 * in front of the queue. 719 */ 720 721 if (!IF_QFULL(&sp->pp_fastq) && 722 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 723 (th && (INTERACTIVE(ntohs(th->th_sport)) || 724 INTERACTIVE(ntohs(th->th_dport)))))) 725 ifq = &sp->pp_fastq; 726 } 727 #endif 728 729 #ifdef INET6 730 if (dst->sa_family == AF_INET6) { 731 /* XXX do something tricky here? */ 732 } 733 #endif 734 735 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 736 /* 737 * Prepend general data packet PPP header. For now, IP only. 738 */ 739 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 740 if (! m) { 741 if (ifp->if_flags & IFF_DEBUG) 742 log(LOG_DEBUG, "%s: no memory for transmit header\n", 743 ifp->if_xname); 744 ++ifp->if_oerrors; 745 splx(s); 746 return (ENOBUFS); 747 } 748 /* 749 * May want to check size of packet 750 * (albeit due to the implementation it's always enough) 751 */ 752 h = mtod(m, struct ppp_header *); 753 if (sp->pp_flags & PP_CISCO) { 754 h->address = CISCO_UNICAST; /* unicast address */ 755 h->control = 0; 756 } else { 757 h->address = PPP_ALLSTATIONS; /* broadcast address */ 758 h->control = PPP_UI; /* Unnumbered Info */ 759 } 760 } 761 762 switch (dst->sa_family) { 763 #ifdef INET 764 case AF_INET: /* Internet Protocol */ 765 if (sp->pp_flags & PP_CISCO) 766 protocol = htons(ETHERTYPE_IP); 767 else { 768 /* 769 * Don't choke with an ENETDOWN early. It's 770 * possible that we just started dialing out, 771 * so don't drop the packet immediately. If 772 * we notice that we run out of buffer space 773 * below, we will however remember that we are 774 * not ready to carry IP packets, and return 775 * ENETDOWN, as opposed to ENOBUFS. 776 */ 777 protocol = htons(PPP_IP); 778 if (sp->state[IDX_IPCP] != STATE_OPENED) 779 error = ENETDOWN; 780 } 781 break; 782 #endif 783 #ifdef INET6 784 case AF_INET6: /* Internet Protocol version 6 */ 785 if (sp->pp_flags & PP_CISCO) 786 protocol = htons(ETHERTYPE_IPV6); 787 else { 788 /* 789 * Don't choke with an ENETDOWN early. It's 790 * possible that we just started dialing out, 791 * so don't drop the packet immediately. If 792 * we notice that we run out of buffer space 793 * below, we will however remember that we are 794 * not ready to carry IP packets, and return 795 * ENETDOWN, as opposed to ENOBUFS. 796 */ 797 protocol = htons(PPP_IPV6); 798 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 799 error = ENETDOWN; 800 } 801 break; 802 #endif 803 default: 804 m_freem(m); 805 ++ifp->if_oerrors; 806 splx(s); 807 return (EAFNOSUPPORT); 808 } 809 810 if (sp->pp_flags & PP_NOFRAMING) { 811 M_PREPEND(m, 2, M_DONTWAIT); 812 if (m == NULL) { 813 if (ifp->if_flags & IFF_DEBUG) 814 log(LOG_DEBUG, "%s: no memory for transmit header\n", 815 ifp->if_xname); 816 ++ifp->if_oerrors; 817 splx(s); 818 return (ENOBUFS); 819 } 820 *mtod(m, uint16_t *) = protocol; 821 } else { 822 h->protocol = protocol; 823 } 824 825 826 error = ifq_enqueue2(ifp, ifq, m); 827 828 if (error == 0) { 829 /* 830 * Count output packets and bytes. 831 * The packet length includes header + additional hardware 832 * framing according to RFC 1333. 833 */ 834 if (!(ifp->if_flags & IFF_OACTIVE)) 835 (*ifp->if_start)(ifp); 836 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 837 } 838 splx(s); 839 return error; 840 } 841 842 void 843 sppp_attach(struct ifnet *ifp) 844 { 845 struct sppp *sp = (struct sppp *) ifp; 846 847 /* Initialize keepalive handler. */ 848 if (! spppq) { 849 callout_init(&keepalive_ch, 0); 850 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 851 } 852 853 /* Insert new entry into the keepalive list. */ 854 sp->pp_next = spppq; 855 spppq = sp; 856 857 sp->pp_if.if_type = IFT_PPP; 858 sp->pp_if.if_output = sppp_output; 859 sp->pp_fastq.ifq_maxlen = 32; 860 sp->pp_cpq.ifq_maxlen = 20; 861 sp->pp_loopcnt = 0; 862 sp->pp_alivecnt = 0; 863 sp->pp_last_activity = 0; 864 sp->pp_last_receive = 0; 865 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 866 sp->pp_max_noreceive = DEFAULT_NORECV_TIME; 867 sp->pp_idle_timeout = 0; 868 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq)); 869 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq)); 870 sp->pp_auth_failures = 0; 871 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 872 sp->pp_phase = SPPP_PHASE_DEAD; 873 sp->pp_up = lcp.Up; 874 sp->pp_down = lcp.Down; 875 876 if_alloc_sadl(ifp); 877 878 memset(&sp->myauth, 0, sizeof sp->myauth); 879 memset(&sp->hisauth, 0, sizeof sp->hisauth); 880 sppp_lcp_init(sp); 881 sppp_ipcp_init(sp); 882 sppp_ipv6cp_init(sp); 883 sppp_pap_init(sp); 884 sppp_chap_init(sp); 885 } 886 887 void 888 sppp_detach(struct ifnet *ifp) 889 { 890 struct sppp **q, *p, *sp = (struct sppp *) ifp; 891 892 /* Remove the entry from the keepalive list. */ 893 for (q = &spppq; (p = *q); q = &p->pp_next) 894 if (p == sp) { 895 *q = p->pp_next; 896 break; 897 } 898 899 /* Stop keepalive handler. */ 900 if (! spppq) { 901 callout_stop(&keepalive_ch); 902 } 903 904 callout_stop(&sp->ch[IDX_LCP]); 905 callout_stop(&sp->ch[IDX_IPCP]); 906 callout_stop(&sp->ch[IDX_PAP]); 907 callout_stop(&sp->ch[IDX_CHAP]); 908 #ifdef INET6 909 callout_stop(&sp->ch[IDX_IPV6CP]); 910 #endif 911 callout_stop(&sp->pap_my_to_ch); 912 913 /* free authentication info */ 914 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 915 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 916 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 917 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 918 } 919 920 /* 921 * Flush the interface output queue. 922 */ 923 void 924 sppp_flush(struct ifnet *ifp) 925 { 926 struct sppp *sp = (struct sppp *) ifp; 927 928 IFQ_PURGE(&sp->pp_if.if_snd); 929 IF_PURGE(&sp->pp_fastq); 930 IF_PURGE(&sp->pp_cpq); 931 } 932 933 /* 934 * Check if the output queue is empty. 935 */ 936 int 937 sppp_isempty(struct ifnet *ifp) 938 { 939 struct sppp *sp = (struct sppp *) ifp; 940 int empty, s; 941 942 s = splnet(); 943 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 944 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 945 splx(s); 946 return (empty); 947 } 948 949 /* 950 * Get next packet to send. 951 */ 952 struct mbuf * 953 sppp_dequeue(struct ifnet *ifp) 954 { 955 struct sppp *sp = (struct sppp *) ifp; 956 struct mbuf *m; 957 int s; 958 959 s = splnet(); 960 /* 961 * Process only the control protocol queue until we have at 962 * least one NCP open. 963 * 964 * Do always serve all three queues in Cisco mode. 965 */ 966 IF_DEQUEUE(&sp->pp_cpq, m); 967 if (m == NULL && 968 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) { 969 IF_DEQUEUE(&sp->pp_fastq, m); 970 if (m == NULL) 971 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 972 } 973 splx(s); 974 return m; 975 } 976 977 /* 978 * Process an ioctl request. Called on low priority level. 979 */ 980 int 981 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 982 { 983 struct lwp *l = curlwp; /* XXX */ 984 struct ifreq *ifr = (struct ifreq *) data; 985 struct ifaddr *ifa = (struct ifaddr *) data; 986 struct sppp *sp = (struct sppp *) ifp; 987 int s, error=0, going_up, going_down, newmode; 988 989 s = splnet(); 990 switch (cmd) { 991 case SIOCINITIFADDR: 992 ifa->ifa_rtrequest = p2p_rtrequest; 993 break; 994 995 case SIOCSIFFLAGS: 996 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 997 break; 998 going_up = ifp->if_flags & IFF_UP && 999 (ifp->if_flags & IFF_RUNNING) == 0; 1000 going_down = (ifp->if_flags & IFF_UP) == 0 && 1001 ifp->if_flags & IFF_RUNNING; 1002 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1003 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1004 /* sanity */ 1005 newmode = IFF_PASSIVE; 1006 ifp->if_flags &= ~IFF_AUTO; 1007 } 1008 1009 if (going_up || going_down) 1010 lcp.Close(sp); 1011 if (going_up && newmode == 0) { 1012 /* neither auto-dial nor passive */ 1013 ifp->if_flags |= IFF_RUNNING; 1014 if (!(sp->pp_flags & PP_CISCO)) 1015 lcp.Open(sp); 1016 } else if (going_down) { 1017 sppp_flush(ifp); 1018 ifp->if_flags &= ~IFF_RUNNING; 1019 } 1020 1021 break; 1022 1023 case SIOCSIFMTU: 1024 if (ifr->ifr_mtu < PPP_MINMRU || 1025 ifr->ifr_mtu > sp->lcp.their_mru) { 1026 error = EINVAL; 1027 break; 1028 } 1029 /*FALLTHROUGH*/ 1030 case SIOCGIFMTU: 1031 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1032 error = 0; 1033 break; 1034 case SIOCADDMULTI: 1035 case SIOCDELMULTI: 1036 break; 1037 1038 case SPPPSETAUTHCFG: 1039 case SPPPSETLCPCFG: 1040 case SPPPSETIDLETO: 1041 case SPPPSETAUTHFAILURE: 1042 case SPPPSETDNSOPTS: 1043 case SPPPSETKEEPALIVE: 1044 #if defined(COMPAT_50) || defined(MODULAR) 1045 case __SPPPSETIDLETO50: 1046 case __SPPPSETKEEPALIVE50: 1047 #endif /* COMPAT_50 || MODULAR */ 1048 error = kauth_authorize_network(l->l_cred, 1049 KAUTH_NETWORK_INTERFACE, 1050 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1051 NULL); 1052 if (error) 1053 break; 1054 error = sppp_params(sp, cmd, data); 1055 break; 1056 1057 case SPPPGETAUTHCFG: 1058 case SPPPGETLCPCFG: 1059 case SPPPGETAUTHFAILURES: 1060 error = kauth_authorize_network(l->l_cred, 1061 KAUTH_NETWORK_INTERFACE, 1062 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1063 NULL); 1064 if (error) 1065 break; 1066 error = sppp_params(sp, cmd, data); 1067 break; 1068 1069 case SPPPGETSTATUS: 1070 case SPPPGETSTATUSNCP: 1071 case SPPPGETIDLETO: 1072 case SPPPGETDNSOPTS: 1073 case SPPPGETDNSADDRS: 1074 case SPPPGETKEEPALIVE: 1075 #if defined(COMPAT_50) || defined(MODULAR) 1076 case __SPPPGETIDLETO50: 1077 case __SPPPGETKEEPALIVE50: 1078 #endif /* COMPAT_50 || MODULAR */ 1079 error = sppp_params(sp, cmd, data); 1080 break; 1081 1082 default: 1083 error = ifioctl_common(ifp, cmd, data); 1084 break; 1085 } 1086 splx(s); 1087 return (error); 1088 } 1089 1090 1091 /* 1092 * Cisco framing implementation. 1093 */ 1094 1095 /* 1096 * Handle incoming Cisco keepalive protocol packets. 1097 */ 1098 static void 1099 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1100 { 1101 STDDCL; 1102 struct cisco_packet *h; 1103 #ifdef INET 1104 uint32_t me, mymask = 0; /* XXX: GCC */ 1105 #endif 1106 1107 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1108 if (debug) 1109 log(LOG_DEBUG, 1110 "%s: cisco invalid packet length: %d bytes\n", 1111 ifp->if_xname, m->m_pkthdr.len); 1112 return; 1113 } 1114 h = mtod(m, struct cisco_packet *); 1115 if (debug) 1116 log(LOG_DEBUG, 1117 "%s: cisco input: %d bytes " 1118 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1119 ifp->if_xname, m->m_pkthdr.len, 1120 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1121 (u_int)h->time0, (u_int)h->time1); 1122 switch (ntohl(h->type)) { 1123 default: 1124 if (debug) 1125 addlog("%s: cisco unknown packet type: 0x%x\n", 1126 ifp->if_xname, ntohl(h->type)); 1127 break; 1128 case CISCO_ADDR_REPLY: 1129 /* Reply on address request, ignore */ 1130 break; 1131 case CISCO_KEEPALIVE_REQ: 1132 sp->pp_alivecnt = 0; 1133 sp->pp_rseq[IDX_LCP] = ntohl(h->par1); 1134 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1135 /* Local and remote sequence numbers are equal. 1136 * Probably, the line is in loopback mode. */ 1137 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1138 printf ("%s: loopback\n", 1139 ifp->if_xname); 1140 sp->pp_loopcnt = 0; 1141 if (ifp->if_flags & IFF_UP) { 1142 if_down(ifp); 1143 IF_PURGE(&sp->pp_cpq); 1144 } 1145 } 1146 ++sp->pp_loopcnt; 1147 1148 /* Generate new local sequence number */ 1149 sp->pp_seq[IDX_LCP] = cprng_fast32(); 1150 break; 1151 } 1152 sp->pp_loopcnt = 0; 1153 if (! (ifp->if_flags & IFF_UP) && 1154 (ifp->if_flags & IFF_RUNNING)) { 1155 if_up(ifp); 1156 } 1157 break; 1158 case CISCO_ADDR_REQ: 1159 #ifdef INET 1160 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1161 if (me != 0L) 1162 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1163 #endif 1164 break; 1165 } 1166 } 1167 1168 /* 1169 * Send Cisco keepalive packet. 1170 */ 1171 static void 1172 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1173 { 1174 STDDCL; 1175 struct ppp_header *h; 1176 struct cisco_packet *ch; 1177 struct mbuf *m; 1178 uint32_t t; 1179 1180 t = time_uptime * 1000; 1181 MGETHDR(m, M_DONTWAIT, MT_DATA); 1182 if (! m) 1183 return; 1184 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1185 m->m_pkthdr.rcvif = 0; 1186 1187 h = mtod(m, struct ppp_header *); 1188 h->address = CISCO_MULTICAST; 1189 h->control = 0; 1190 h->protocol = htons(CISCO_KEEPALIVE); 1191 1192 ch = (struct cisco_packet *)(h + 1); 1193 ch->type = htonl(type); 1194 ch->par1 = htonl(par1); 1195 ch->par2 = htonl(par2); 1196 ch->rel = -1; 1197 1198 ch->time0 = htons((u_short)(t >> 16)); 1199 ch->time1 = htons((u_short) t); 1200 1201 if (debug) 1202 log(LOG_DEBUG, 1203 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1204 ifp->if_xname, ntohl(ch->type), ch->par1, 1205 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1206 (u_int)ch->time1); 1207 1208 if (IF_QFULL(&sp->pp_cpq)) { 1209 IF_DROP(&sp->pp_fastq); 1210 IF_DROP(&ifp->if_snd); 1211 m_freem(m); 1212 ++ifp->if_oerrors; 1213 return; 1214 } else 1215 IF_ENQUEUE(&sp->pp_cpq, m); 1216 if (! (ifp->if_flags & IFF_OACTIVE)) 1217 (*ifp->if_start)(ifp); 1218 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1219 } 1220 1221 /* 1222 * PPP protocol implementation. 1223 */ 1224 1225 /* 1226 * Send PPP control protocol packet. 1227 */ 1228 static void 1229 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1230 u_char ident, u_short len, void *data) 1231 { 1232 STDDCL; 1233 struct lcp_header *lh; 1234 struct mbuf *m; 1235 size_t pkthdrlen; 1236 1237 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1238 1239 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1240 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1241 MGETHDR(m, M_DONTWAIT, MT_DATA); 1242 if (! m) 1243 return; 1244 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1245 m->m_pkthdr.rcvif = 0; 1246 1247 if (sp->pp_flags & PP_NOFRAMING) { 1248 *mtod(m, uint16_t *) = htons(proto); 1249 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1250 } else { 1251 struct ppp_header *h; 1252 h = mtod(m, struct ppp_header *); 1253 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1254 h->control = PPP_UI; /* Unnumbered Info */ 1255 h->protocol = htons(proto); /* Link Control Protocol */ 1256 lh = (struct lcp_header *)(h + 1); 1257 } 1258 lh->type = type; 1259 lh->ident = ident; 1260 lh->len = htons(LCP_HEADER_LEN + len); 1261 if (len) 1262 memcpy(lh + 1, data, len); 1263 1264 if (debug) { 1265 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1266 ifp->if_xname, 1267 sppp_proto_name(proto), 1268 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len)); 1269 if (len) 1270 sppp_print_bytes((u_char *)(lh + 1), len); 1271 addlog(">\n"); 1272 } 1273 if (IF_QFULL(&sp->pp_cpq)) { 1274 IF_DROP(&sp->pp_fastq); 1275 IF_DROP(&ifp->if_snd); 1276 m_freem(m); 1277 ++ifp->if_oerrors; 1278 return; 1279 } else 1280 IF_ENQUEUE(&sp->pp_cpq, m); 1281 if (! (ifp->if_flags & IFF_OACTIVE)) 1282 (*ifp->if_start)(ifp); 1283 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1284 } 1285 1286 /* 1287 * Handle incoming PPP control protocol packets. 1288 */ 1289 static void 1290 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1291 { 1292 STDDCL; 1293 struct lcp_header *h; 1294 int printlen, len = m->m_pkthdr.len; 1295 int rv; 1296 u_char *p; 1297 uint32_t u32; 1298 1299 if (len < 4) { 1300 if (debug) 1301 log(LOG_DEBUG, 1302 "%s: %s invalid packet length: %d bytes\n", 1303 ifp->if_xname, cp->name, len); 1304 return; 1305 } 1306 h = mtod(m, struct lcp_header *); 1307 if (debug) { 1308 printlen = ntohs(h->len); 1309 log(LOG_DEBUG, 1310 "%s: %s input(%s): <%s id=0x%x len=%d", 1311 ifp->if_xname, cp->name, 1312 sppp_state_name(sp->state[cp->protoidx]), 1313 sppp_cp_type_name(h->type), h->ident, printlen); 1314 if (len < printlen) 1315 printlen = len; 1316 if (printlen > 4) 1317 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1318 addlog(">\n"); 1319 } 1320 if (len > ntohs(h->len)) 1321 len = ntohs(h->len); 1322 p = (u_char *)(h + 1); 1323 switch (h->type) { 1324 case CONF_REQ: 1325 if (len < 4) { 1326 if (debug) 1327 addlog("%s: %s invalid conf-req length %d\n", 1328 ifp->if_xname, cp->name, 1329 len); 1330 ++ifp->if_ierrors; 1331 break; 1332 } 1333 /* handle states where RCR doesn't get a SCA/SCN */ 1334 switch (sp->state[cp->protoidx]) { 1335 case STATE_CLOSING: 1336 case STATE_STOPPING: 1337 return; 1338 case STATE_CLOSED: 1339 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1340 0, 0); 1341 return; 1342 } 1343 rv = (cp->RCR)(sp, h, len); 1344 if (rv < 0) { 1345 /* fatal error, shut down */ 1346 (cp->tld)(sp); 1347 sppp_lcp_tlf(sp); 1348 return; 1349 } 1350 switch (sp->state[cp->protoidx]) { 1351 case STATE_OPENED: 1352 (cp->tld)(sp); 1353 (cp->scr)(sp); 1354 /* fall through... */ 1355 case STATE_ACK_SENT: 1356 case STATE_REQ_SENT: 1357 sppp_cp_change_state(cp, sp, rv? 1358 STATE_ACK_SENT: STATE_REQ_SENT); 1359 break; 1360 case STATE_STOPPED: 1361 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1362 (cp->scr)(sp); 1363 sppp_cp_change_state(cp, sp, rv? 1364 STATE_ACK_SENT: STATE_REQ_SENT); 1365 break; 1366 case STATE_ACK_RCVD: 1367 if (rv) { 1368 sppp_cp_change_state(cp, sp, STATE_OPENED); 1369 if (debug) 1370 log(LOG_DEBUG, "%s: %s tlu\n", 1371 ifp->if_xname, 1372 cp->name); 1373 (cp->tlu)(sp); 1374 } else 1375 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1376 break; 1377 default: 1378 printf("%s: %s illegal %s in state %s\n", 1379 ifp->if_xname, cp->name, 1380 sppp_cp_type_name(h->type), 1381 sppp_state_name(sp->state[cp->protoidx])); 1382 ++ifp->if_ierrors; 1383 } 1384 break; 1385 case CONF_ACK: 1386 if (h->ident != sp->confid[cp->protoidx]) { 1387 if (debug) 1388 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1389 ifp->if_xname, cp->name, 1390 h->ident, sp->confid[cp->protoidx]); 1391 ++ifp->if_ierrors; 1392 break; 1393 } 1394 switch (sp->state[cp->protoidx]) { 1395 case STATE_CLOSED: 1396 case STATE_STOPPED: 1397 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1398 break; 1399 case STATE_CLOSING: 1400 case STATE_STOPPING: 1401 break; 1402 case STATE_REQ_SENT: 1403 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1404 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1405 break; 1406 case STATE_OPENED: 1407 (cp->tld)(sp); 1408 /* fall through */ 1409 case STATE_ACK_RCVD: 1410 (cp->scr)(sp); 1411 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1412 break; 1413 case STATE_ACK_SENT: 1414 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1415 sppp_cp_change_state(cp, sp, STATE_OPENED); 1416 if (debug) 1417 log(LOG_DEBUG, "%s: %s tlu\n", 1418 ifp->if_xname, cp->name); 1419 (cp->tlu)(sp); 1420 break; 1421 default: 1422 printf("%s: %s illegal %s in state %s\n", 1423 ifp->if_xname, cp->name, 1424 sppp_cp_type_name(h->type), 1425 sppp_state_name(sp->state[cp->protoidx])); 1426 ++ifp->if_ierrors; 1427 } 1428 break; 1429 case CONF_NAK: 1430 case CONF_REJ: 1431 if (h->ident != sp->confid[cp->protoidx]) { 1432 if (debug) 1433 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1434 ifp->if_xname, cp->name, 1435 h->ident, sp->confid[cp->protoidx]); 1436 ++ifp->if_ierrors; 1437 break; 1438 } 1439 if (h->type == CONF_NAK) 1440 (cp->RCN_nak)(sp, h, len); 1441 else /* CONF_REJ */ 1442 (cp->RCN_rej)(sp, h, len); 1443 1444 switch (sp->state[cp->protoidx]) { 1445 case STATE_CLOSED: 1446 case STATE_STOPPED: 1447 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1448 break; 1449 case STATE_REQ_SENT: 1450 case STATE_ACK_SENT: 1451 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1452 (cp->scr)(sp); 1453 break; 1454 case STATE_OPENED: 1455 (cp->tld)(sp); 1456 /* fall through */ 1457 case STATE_ACK_RCVD: 1458 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 1459 (cp->scr)(sp); 1460 break; 1461 case STATE_CLOSING: 1462 case STATE_STOPPING: 1463 break; 1464 default: 1465 printf("%s: %s illegal %s in state %s\n", 1466 ifp->if_xname, cp->name, 1467 sppp_cp_type_name(h->type), 1468 sppp_state_name(sp->state[cp->protoidx])); 1469 ++ifp->if_ierrors; 1470 } 1471 break; 1472 1473 case TERM_REQ: 1474 switch (sp->state[cp->protoidx]) { 1475 case STATE_ACK_RCVD: 1476 case STATE_ACK_SENT: 1477 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1478 /* fall through */ 1479 case STATE_CLOSED: 1480 case STATE_STOPPED: 1481 case STATE_CLOSING: 1482 case STATE_STOPPING: 1483 case STATE_REQ_SENT: 1484 sta: 1485 /* Send Terminate-Ack packet. */ 1486 if (debug) 1487 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 1488 ifp->if_xname, cp->name); 1489 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1490 break; 1491 case STATE_OPENED: 1492 (cp->tld)(sp); 1493 sp->rst_counter[cp->protoidx] = 0; 1494 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1495 goto sta; 1496 default: 1497 printf("%s: %s illegal %s in state %s\n", 1498 ifp->if_xname, cp->name, 1499 sppp_cp_type_name(h->type), 1500 sppp_state_name(sp->state[cp->protoidx])); 1501 ++ifp->if_ierrors; 1502 } 1503 break; 1504 case TERM_ACK: 1505 switch (sp->state[cp->protoidx]) { 1506 case STATE_CLOSED: 1507 case STATE_STOPPED: 1508 case STATE_REQ_SENT: 1509 case STATE_ACK_SENT: 1510 break; 1511 case STATE_CLOSING: 1512 (cp->tlf)(sp); 1513 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1514 sppp_lcp_check_and_close(sp); 1515 break; 1516 case STATE_STOPPING: 1517 (cp->tlf)(sp); 1518 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1519 sppp_lcp_check_and_close(sp); 1520 break; 1521 case STATE_ACK_RCVD: 1522 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1523 break; 1524 case STATE_OPENED: 1525 (cp->tld)(sp); 1526 (cp->scr)(sp); 1527 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1528 break; 1529 default: 1530 printf("%s: %s illegal %s in state %s\n", 1531 ifp->if_xname, cp->name, 1532 sppp_cp_type_name(h->type), 1533 sppp_state_name(sp->state[cp->protoidx])); 1534 ++ifp->if_ierrors; 1535 } 1536 break; 1537 case CODE_REJ: 1538 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1539 log(LOG_INFO, 1540 "%s: %s: ignoring RXJ (%s) for code ?, " 1541 "danger will robinson\n", 1542 ifp->if_xname, cp->name, 1543 sppp_cp_type_name(h->type)); 1544 switch (sp->state[cp->protoidx]) { 1545 case STATE_CLOSED: 1546 case STATE_STOPPED: 1547 case STATE_REQ_SENT: 1548 case STATE_ACK_SENT: 1549 case STATE_CLOSING: 1550 case STATE_STOPPING: 1551 case STATE_OPENED: 1552 break; 1553 case STATE_ACK_RCVD: 1554 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1555 break; 1556 default: 1557 printf("%s: %s illegal %s in state %s\n", 1558 ifp->if_xname, cp->name, 1559 sppp_cp_type_name(h->type), 1560 sppp_state_name(sp->state[cp->protoidx])); 1561 ++ifp->if_ierrors; 1562 } 1563 break; 1564 case PROTO_REJ: 1565 { 1566 int catastrophic; 1567 const struct cp *upper; 1568 int i; 1569 uint16_t proto; 1570 1571 catastrophic = 0; 1572 upper = NULL; 1573 proto = p[0] << 8 | p[1]; 1574 for (i = 0; i < IDX_COUNT; i++) { 1575 if (cps[i]->proto == proto) { 1576 upper = cps[i]; 1577 break; 1578 } 1579 } 1580 if (upper == NULL) 1581 catastrophic++; 1582 1583 if (debug) 1584 log(LOG_INFO, 1585 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1586 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1587 sppp_cp_type_name(h->type), proto, 1588 upper ? upper->name : "unknown", 1589 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1590 1591 /* 1592 * if we got RXJ+ against conf-req, the peer does not implement 1593 * this particular protocol type. terminate the protocol. 1594 */ 1595 if (upper && !catastrophic) { 1596 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1597 upper->Close(sp); 1598 break; 1599 } 1600 } 1601 1602 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1603 switch (sp->state[cp->protoidx]) { 1604 case STATE_CLOSED: 1605 case STATE_STOPPED: 1606 case STATE_REQ_SENT: 1607 case STATE_ACK_SENT: 1608 case STATE_CLOSING: 1609 case STATE_STOPPING: 1610 case STATE_OPENED: 1611 break; 1612 case STATE_ACK_RCVD: 1613 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1614 break; 1615 default: 1616 printf("%s: %s illegal %s in state %s\n", 1617 ifp->if_xname, cp->name, 1618 sppp_cp_type_name(h->type), 1619 sppp_state_name(sp->state[cp->protoidx])); 1620 ++ifp->if_ierrors; 1621 } 1622 break; 1623 } 1624 case DISC_REQ: 1625 if (cp->proto != PPP_LCP) 1626 goto illegal; 1627 /* Discard the packet. */ 1628 break; 1629 case ECHO_REQ: 1630 if (cp->proto != PPP_LCP) 1631 goto illegal; 1632 if (sp->state[cp->protoidx] != STATE_OPENED) { 1633 if (debug) 1634 addlog("%s: lcp echo req but lcp closed\n", 1635 ifp->if_xname); 1636 ++ifp->if_ierrors; 1637 break; 1638 } 1639 if (len < 8) { 1640 if (debug) 1641 addlog("%s: invalid lcp echo request " 1642 "packet length: %d bytes\n", 1643 ifp->if_xname, len); 1644 break; 1645 } 1646 memcpy(&u32, h + 1, sizeof u32); 1647 if (ntohl(u32) == sp->lcp.magic) { 1648 /* Line loopback mode detected. */ 1649 printf("%s: loopback\n", ifp->if_xname); 1650 if_down(ifp); 1651 IF_PURGE(&sp->pp_cpq); 1652 1653 /* Shut down the PPP link. */ 1654 /* XXX */ 1655 lcp.Down(sp); 1656 lcp.Up(sp); 1657 break; 1658 } 1659 u32 = htonl(sp->lcp.magic); 1660 memcpy(h + 1, &u32, sizeof u32); 1661 if (debug) 1662 addlog("%s: got lcp echo req, sending echo rep\n", 1663 ifp->if_xname); 1664 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1665 h + 1); 1666 break; 1667 case ECHO_REPLY: 1668 if (cp->proto != PPP_LCP) 1669 goto illegal; 1670 if (h->ident != sp->lcp.echoid) { 1671 ++ifp->if_ierrors; 1672 break; 1673 } 1674 if (len < 8) { 1675 if (debug) 1676 addlog("%s: lcp invalid echo reply " 1677 "packet length: %d bytes\n", 1678 ifp->if_xname, len); 1679 break; 1680 } 1681 if (debug) 1682 addlog("%s: lcp got echo rep\n", 1683 ifp->if_xname); 1684 memcpy(&u32, h + 1, sizeof u32); 1685 if (ntohl(u32) != sp->lcp.magic) 1686 sp->pp_alivecnt = 0; 1687 break; 1688 default: 1689 /* Unknown packet type -- send Code-Reject packet. */ 1690 illegal: 1691 if (debug) 1692 addlog("%s: %s send code-rej for 0x%x\n", 1693 ifp->if_xname, cp->name, h->type); 1694 sppp_cp_send(sp, cp->proto, CODE_REJ, 1695 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1696 ++ifp->if_ierrors; 1697 } 1698 } 1699 1700 1701 /* 1702 * The generic part of all Up/Down/Open/Close/TO event handlers. 1703 * Basically, the state transition handling in the automaton. 1704 */ 1705 static void 1706 sppp_up_event(const struct cp *cp, struct sppp *sp) 1707 { 1708 STDDCL; 1709 1710 if (debug) 1711 log(LOG_DEBUG, "%s: %s up(%s)\n", 1712 ifp->if_xname, cp->name, 1713 sppp_state_name(sp->state[cp->protoidx])); 1714 1715 switch (sp->state[cp->protoidx]) { 1716 case STATE_INITIAL: 1717 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1718 break; 1719 case STATE_STARTING: 1720 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1721 (cp->scr)(sp); 1722 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1723 break; 1724 default: 1725 printf("%s: %s illegal up in state %s\n", 1726 ifp->if_xname, cp->name, 1727 sppp_state_name(sp->state[cp->protoidx])); 1728 } 1729 } 1730 1731 static void 1732 sppp_down_event(const struct cp *cp, struct sppp *sp) 1733 { 1734 STDDCL; 1735 1736 if (debug) 1737 log(LOG_DEBUG, "%s: %s down(%s)\n", 1738 ifp->if_xname, cp->name, 1739 sppp_state_name(sp->state[cp->protoidx])); 1740 1741 switch (sp->state[cp->protoidx]) { 1742 case STATE_CLOSED: 1743 case STATE_CLOSING: 1744 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1745 break; 1746 case STATE_STOPPED: 1747 (cp->tls)(sp); 1748 /* fall through */ 1749 case STATE_STOPPING: 1750 case STATE_REQ_SENT: 1751 case STATE_ACK_RCVD: 1752 case STATE_ACK_SENT: 1753 sppp_cp_change_state(cp, sp, STATE_STARTING); 1754 break; 1755 case STATE_OPENED: 1756 (cp->tld)(sp); 1757 sppp_cp_change_state(cp, sp, STATE_STARTING); 1758 break; 1759 default: 1760 printf("%s: %s illegal down in state %s\n", 1761 ifp->if_xname, cp->name, 1762 sppp_state_name(sp->state[cp->protoidx])); 1763 } 1764 } 1765 1766 1767 static void 1768 sppp_open_event(const struct cp *cp, struct sppp *sp) 1769 { 1770 STDDCL; 1771 1772 if (debug) 1773 log(LOG_DEBUG, "%s: %s open(%s)\n", 1774 ifp->if_xname, cp->name, 1775 sppp_state_name(sp->state[cp->protoidx])); 1776 1777 switch (sp->state[cp->protoidx]) { 1778 case STATE_INITIAL: 1779 sppp_cp_change_state(cp, sp, STATE_STARTING); 1780 (cp->tls)(sp); 1781 break; 1782 case STATE_STARTING: 1783 break; 1784 case STATE_CLOSED: 1785 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1786 (cp->scr)(sp); 1787 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1788 break; 1789 case STATE_STOPPED: 1790 case STATE_STOPPING: 1791 case STATE_REQ_SENT: 1792 case STATE_ACK_RCVD: 1793 case STATE_ACK_SENT: 1794 case STATE_OPENED: 1795 break; 1796 case STATE_CLOSING: 1797 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1798 break; 1799 } 1800 } 1801 1802 1803 static void 1804 sppp_close_event(const struct cp *cp, struct sppp *sp) 1805 { 1806 STDDCL; 1807 1808 if (debug) 1809 log(LOG_DEBUG, "%s: %s close(%s)\n", 1810 ifp->if_xname, cp->name, 1811 sppp_state_name(sp->state[cp->protoidx])); 1812 1813 switch (sp->state[cp->protoidx]) { 1814 case STATE_INITIAL: 1815 case STATE_CLOSED: 1816 case STATE_CLOSING: 1817 break; 1818 case STATE_STARTING: 1819 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1820 (cp->tlf)(sp); 1821 break; 1822 case STATE_STOPPED: 1823 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1824 break; 1825 case STATE_STOPPING: 1826 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1827 break; 1828 case STATE_OPENED: 1829 (cp->tld)(sp); 1830 /* fall through */ 1831 case STATE_REQ_SENT: 1832 case STATE_ACK_RCVD: 1833 case STATE_ACK_SENT: 1834 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 1835 sppp_cp_send(sp, cp->proto, TERM_REQ, 1836 ++sp->pp_seq[cp->protoidx], 0, 0); 1837 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1838 break; 1839 } 1840 } 1841 1842 static void 1843 sppp_to_event(const struct cp *cp, struct sppp *sp) 1844 { 1845 STDDCL; 1846 int s; 1847 1848 s = splnet(); 1849 if (debug) 1850 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 1851 ifp->if_xname, cp->name, 1852 sppp_state_name(sp->state[cp->protoidx]), 1853 sp->rst_counter[cp->protoidx]); 1854 1855 if (--sp->rst_counter[cp->protoidx] < 0) 1856 /* TO- event */ 1857 switch (sp->state[cp->protoidx]) { 1858 case STATE_CLOSING: 1859 (cp->tlf)(sp); 1860 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1861 sppp_lcp_check_and_close(sp); 1862 break; 1863 case STATE_STOPPING: 1864 (cp->tlf)(sp); 1865 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1866 sppp_lcp_check_and_close(sp); 1867 break; 1868 case STATE_REQ_SENT: 1869 case STATE_ACK_RCVD: 1870 case STATE_ACK_SENT: 1871 (cp->tlf)(sp); 1872 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1873 sppp_lcp_check_and_close(sp); 1874 break; 1875 } 1876 else 1877 /* TO+ event */ 1878 switch (sp->state[cp->protoidx]) { 1879 case STATE_CLOSING: 1880 case STATE_STOPPING: 1881 sppp_cp_send(sp, cp->proto, TERM_REQ, 1882 ++sp->pp_seq[cp->protoidx], 0, 0); 1883 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1884 cp->TO, sp); 1885 break; 1886 case STATE_REQ_SENT: 1887 case STATE_ACK_RCVD: 1888 (cp->scr)(sp); 1889 /* sppp_cp_change_state() will restart the timer */ 1890 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1891 break; 1892 case STATE_ACK_SENT: 1893 (cp->scr)(sp); 1894 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1895 cp->TO, sp); 1896 break; 1897 } 1898 1899 splx(s); 1900 } 1901 1902 /* 1903 * Change the state of a control protocol in the state automaton. 1904 * Takes care of starting/stopping the restart timer. 1905 */ 1906 void 1907 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 1908 { 1909 sp->state[cp->protoidx] = newstate; 1910 callout_stop(&sp->ch[cp->protoidx]); 1911 switch (newstate) { 1912 case STATE_INITIAL: 1913 case STATE_STARTING: 1914 case STATE_CLOSED: 1915 case STATE_STOPPED: 1916 case STATE_OPENED: 1917 break; 1918 case STATE_CLOSING: 1919 case STATE_STOPPING: 1920 case STATE_REQ_SENT: 1921 case STATE_ACK_RCVD: 1922 case STATE_ACK_SENT: 1923 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1924 cp->TO, sp); 1925 break; 1926 } 1927 } 1928 1929 /* 1930 *--------------------------------------------------------------------------* 1931 * * 1932 * The LCP implementation. * 1933 * * 1934 *--------------------------------------------------------------------------* 1935 */ 1936 static void 1937 sppp_lcp_init(struct sppp *sp) 1938 { 1939 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 1940 sp->lcp.magic = 0; 1941 sp->state[IDX_LCP] = STATE_INITIAL; 1942 sp->fail_counter[IDX_LCP] = 0; 1943 sp->pp_seq[IDX_LCP] = 0; 1944 sp->pp_rseq[IDX_LCP] = 0; 1945 sp->lcp.protos = 0; 1946 1947 /* 1948 * Initialize counters and timeout values. Note that we don't 1949 * use the 3 seconds suggested in RFC 1661 since we are likely 1950 * running on a fast link. XXX We should probably implement 1951 * the exponential backoff option. Note that these values are 1952 * relevant for all control protocols, not just LCP only. 1953 */ 1954 sp->lcp.timeout = 1 * hz; 1955 sp->lcp.max_terminate = 2; 1956 sp->lcp.max_configure = 10; 1957 sp->lcp.max_failure = 10; 1958 callout_init(&sp->ch[IDX_LCP], 0); 1959 } 1960 1961 static void 1962 sppp_lcp_up(struct sppp *sp) 1963 { 1964 STDDCL; 1965 1966 /* Initialize activity timestamp: opening a connection is an activity */ 1967 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 1968 1969 /* 1970 * If this interface is passive or dial-on-demand, and we are 1971 * still in Initial state, it means we've got an incoming 1972 * call. Activate the interface. 1973 */ 1974 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 1975 if (debug) 1976 log(LOG_DEBUG, 1977 "%s: Up event", ifp->if_xname); 1978 ifp->if_flags |= IFF_RUNNING; 1979 if (sp->state[IDX_LCP] == STATE_INITIAL) { 1980 if (debug) 1981 addlog("(incoming call)\n"); 1982 sp->pp_flags |= PP_CALLIN; 1983 lcp.Open(sp); 1984 } else if (debug) 1985 addlog("\n"); 1986 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 1987 (sp->state[IDX_LCP] == STATE_INITIAL)) { 1988 ifp->if_flags |= IFF_RUNNING; 1989 lcp.Open(sp); 1990 } 1991 1992 sppp_up_event(&lcp, sp); 1993 } 1994 1995 static void 1996 sppp_lcp_down(struct sppp *sp) 1997 { 1998 STDDCL; 1999 2000 sppp_down_event(&lcp, sp); 2001 2002 /* 2003 * If this is neither a dial-on-demand nor a passive 2004 * interface, simulate an ``ifconfig down'' action, so the 2005 * administrator can force a redial by another ``ifconfig 2006 * up''. XXX For leased line operation, should we immediately 2007 * try to reopen the connection here? 2008 */ 2009 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2010 if (debug) 2011 log(LOG_INFO, 2012 "%s: Down event (carrier loss), taking interface down.\n", 2013 ifp->if_xname); 2014 if_down(ifp); 2015 } else { 2016 if (debug) 2017 log(LOG_DEBUG, 2018 "%s: Down event (carrier loss)\n", 2019 ifp->if_xname); 2020 } 2021 sp->pp_flags &= ~PP_CALLIN; 2022 if (sp->state[IDX_LCP] != STATE_INITIAL) 2023 lcp.Close(sp); 2024 ifp->if_flags &= ~IFF_RUNNING; 2025 } 2026 2027 static void 2028 sppp_lcp_open(struct sppp *sp) 2029 { 2030 if (sp->pp_if.if_mtu < PP_MTU) { 2031 sp->lcp.mru = sp->pp_if.if_mtu; 2032 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2033 } else 2034 sp->lcp.mru = PP_MTU; 2035 sp->lcp.their_mru = PP_MTU; 2036 2037 /* 2038 * If we are authenticator, negotiate LCP_AUTH 2039 */ 2040 if (sp->hisauth.proto != 0) 2041 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2042 else 2043 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2044 sp->pp_flags &= ~PP_NEEDAUTH; 2045 sppp_open_event(&lcp, sp); 2046 } 2047 2048 static void 2049 sppp_lcp_close(struct sppp *sp) 2050 { 2051 sppp_close_event(&lcp, sp); 2052 } 2053 2054 static void 2055 sppp_lcp_TO(void *cookie) 2056 { 2057 sppp_to_event(&lcp, (struct sppp *)cookie); 2058 } 2059 2060 /* 2061 * Analyze a configure request. Return true if it was agreeable, and 2062 * caused action sca, false if it has been rejected or nak'ed, and 2063 * caused action scn. (The return value is used to make the state 2064 * transition decision in the state automaton.) 2065 */ 2066 static int 2067 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2068 { 2069 STDDCL; 2070 u_char *buf, *r, *p, l, blen; 2071 int origlen, rlen; 2072 uint32_t nmagic; 2073 u_short authproto; 2074 2075 len -= 4; 2076 origlen = len; 2077 buf = r = malloc (blen = len, M_TEMP, M_NOWAIT); 2078 if (! buf) 2079 return (0); 2080 2081 if (debug) 2082 log(LOG_DEBUG, "%s: lcp parse opts:", 2083 ifp->if_xname); 2084 2085 /* pass 1: check for things that need to be rejected */ 2086 p = (void *)(h + 1); 2087 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2088 /* Sanity check option length */ 2089 if (l > len) { 2090 /* 2091 * Malicious option - drop immediately. 2092 * XXX Maybe we should just RXJ it? 2093 */ 2094 addlog("%s: received malicious LCP option 0x%02x, " 2095 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2096 p[0], l, len); 2097 goto drop; 2098 } 2099 if (debug) 2100 addlog(" %s", sppp_lcp_opt_name(*p)); 2101 switch (*p) { 2102 case LCP_OPT_MAGIC: 2103 /* Magic number. */ 2104 /* fall through, both are same length */ 2105 case LCP_OPT_ASYNC_MAP: 2106 /* Async control character map. */ 2107 if (len >= 6 || l == 6) 2108 continue; 2109 if (debug) 2110 addlog(" [invalid]"); 2111 break; 2112 case LCP_OPT_MRU: 2113 /* Maximum receive unit. */ 2114 if (len >= 4 && l == 4) 2115 continue; 2116 if (debug) 2117 addlog(" [invalid]"); 2118 break; 2119 case LCP_OPT_AUTH_PROTO: 2120 if (len < 4) { 2121 if (debug) 2122 addlog(" [invalid]"); 2123 break; 2124 } 2125 authproto = (p[2] << 8) + p[3]; 2126 if (authproto == PPP_CHAP && l != 5) { 2127 if (debug) 2128 addlog(" [invalid chap len]"); 2129 break; 2130 } 2131 if (sp->myauth.proto == 0) { 2132 /* we are not configured to do auth */ 2133 if (debug) 2134 addlog(" [not configured]"); 2135 break; 2136 } 2137 /* 2138 * Remote want us to authenticate, remember this, 2139 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2140 * up. 2141 */ 2142 sp->pp_flags |= PP_NEEDAUTH; 2143 continue; 2144 default: 2145 /* Others not supported. */ 2146 if (debug) 2147 addlog(" [rej]"); 2148 break; 2149 } 2150 if (rlen + l > blen) { 2151 if (debug) 2152 addlog(" [overflow]"); 2153 continue; 2154 } 2155 /* Add the option to rejected list. */ 2156 memcpy(r, p, l); 2157 r += l; 2158 rlen += l; 2159 } 2160 if (rlen) { 2161 if (debug) 2162 addlog(" send conf-rej\n"); 2163 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2164 goto end; 2165 } else if (debug) 2166 addlog("\n"); 2167 2168 /* 2169 * pass 2: check for option values that are unacceptable and 2170 * thus require to be nak'ed. 2171 */ 2172 if (debug) 2173 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2174 ifp->if_xname); 2175 2176 p = (void *)(h + 1); 2177 len = origlen; 2178 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2179 if (debug) 2180 addlog(" %s", sppp_lcp_opt_name(*p)); 2181 switch (*p) { 2182 case LCP_OPT_MAGIC: 2183 /* Magic number -- extract. */ 2184 nmagic = (uint32_t)p[2] << 24 | 2185 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2186 if (nmagic != sp->lcp.magic) { 2187 if (debug) 2188 addlog(" 0x%x", nmagic); 2189 continue; 2190 } 2191 /* 2192 * Local and remote magics equal -- loopback? 2193 */ 2194 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2195 printf ("%s: loopback\n", 2196 ifp->if_xname); 2197 sp->pp_loopcnt = 0; 2198 if (ifp->if_flags & IFF_UP) { 2199 if_down(ifp); 2200 IF_PURGE(&sp->pp_cpq); 2201 /* XXX ? */ 2202 lcp.Down(sp); 2203 lcp.Up(sp); 2204 } 2205 } else if (debug) 2206 addlog(" [glitch]"); 2207 ++sp->pp_loopcnt; 2208 /* 2209 * We negate our magic here, and NAK it. If 2210 * we see it later in an NAK packet, we 2211 * suggest a new one. 2212 */ 2213 nmagic = ~sp->lcp.magic; 2214 /* Gonna NAK it. */ 2215 p[2] = nmagic >> 24; 2216 p[3] = nmagic >> 16; 2217 p[4] = nmagic >> 8; 2218 p[5] = nmagic; 2219 break; 2220 2221 case LCP_OPT_ASYNC_MAP: 2222 /* 2223 * Async control character map -- just ignore it. 2224 * 2225 * Quote from RFC 1662, chapter 6: 2226 * To enable this functionality, synchronous PPP 2227 * implementations MUST always respond to the 2228 * Async-Control-Character-Map Configuration 2229 * Option with the LCP Configure-Ack. However, 2230 * acceptance of the Configuration Option does 2231 * not imply that the synchronous implementation 2232 * will do any ACCM mapping. Instead, all such 2233 * octet mapping will be performed by the 2234 * asynchronous-to-synchronous converter. 2235 */ 2236 continue; 2237 2238 case LCP_OPT_MRU: 2239 /* 2240 * Maximum receive unit. Always agreeable, 2241 * but ignored by now. 2242 */ 2243 sp->lcp.their_mru = p[2] * 256 + p[3]; 2244 if (debug) 2245 addlog(" %ld", sp->lcp.their_mru); 2246 continue; 2247 2248 case LCP_OPT_AUTH_PROTO: 2249 authproto = (p[2] << 8) + p[3]; 2250 if (sp->myauth.proto != authproto) { 2251 /* not agreed, nak */ 2252 if (debug) 2253 addlog(" [mine %s != his %s]", 2254 sppp_proto_name(sp->myauth.proto), 2255 sppp_proto_name(authproto)); 2256 p[2] = sp->myauth.proto >> 8; 2257 p[3] = sp->myauth.proto; 2258 break; 2259 } 2260 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2261 if (debug) 2262 addlog(" [chap not MD5]"); 2263 p[4] = CHAP_MD5; 2264 break; 2265 } 2266 continue; 2267 } 2268 if (rlen + l > blen) { 2269 if (debug) 2270 addlog(" [overflow]"); 2271 continue; 2272 } 2273 /* Add the option to nak'ed list. */ 2274 memcpy(r, p, l); 2275 r += l; 2276 rlen += l; 2277 } 2278 if (rlen) { 2279 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2280 if (debug) 2281 addlog(" max_failure (%d) exceeded, " 2282 "send conf-rej\n", 2283 sp->lcp.max_failure); 2284 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2285 } else { 2286 if (debug) 2287 addlog(" send conf-nak\n"); 2288 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2289 } 2290 goto end; 2291 } else { 2292 if (debug) 2293 addlog(" send conf-ack\n"); 2294 sp->fail_counter[IDX_LCP] = 0; 2295 sp->pp_loopcnt = 0; 2296 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1); 2297 } 2298 2299 end: 2300 free(buf, M_TEMP); 2301 return (rlen == 0); 2302 2303 drop: 2304 free(buf, M_TEMP); 2305 return -1; 2306 } 2307 2308 /* 2309 * Analyze the LCP Configure-Reject option list, and adjust our 2310 * negotiation. 2311 */ 2312 static void 2313 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2314 { 2315 STDDCL; 2316 u_char *buf, *p, l; 2317 2318 len -= 4; 2319 buf = malloc (len, M_TEMP, M_NOWAIT); 2320 if (!buf) 2321 return; 2322 2323 if (debug) 2324 log(LOG_DEBUG, "%s: lcp rej opts:", 2325 ifp->if_xname); 2326 2327 p = (void *)(h + 1); 2328 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2329 /* Sanity check option length */ 2330 if (l > len) { 2331 /* 2332 * Malicious option - drop immediately. 2333 * XXX Maybe we should just RXJ it? 2334 */ 2335 addlog("%s: received malicious LCP option, " 2336 "dropping.\n", ifp->if_xname); 2337 goto drop; 2338 } 2339 if (debug) 2340 addlog(" %s", sppp_lcp_opt_name(*p)); 2341 switch (*p) { 2342 case LCP_OPT_MAGIC: 2343 /* Magic number -- can't use it, use 0 */ 2344 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2345 sp->lcp.magic = 0; 2346 break; 2347 case LCP_OPT_MRU: 2348 /* 2349 * We try to negotiate a lower MRU if the underlying 2350 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 2351 * peer rejects this lower rate, fallback to the 2352 * default. 2353 */ 2354 if (debug) { 2355 addlog("%s: warning: peer rejected our MRU of " 2356 "%ld bytes. Defaulting to %d bytes\n", 2357 ifp->if_xname, sp->lcp.mru, PP_MTU); 2358 } 2359 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2360 sp->lcp.mru = PP_MTU; 2361 break; 2362 case LCP_OPT_AUTH_PROTO: 2363 /* 2364 * Peer doesn't want to authenticate himself, 2365 * deny unless this is a dialout call, and 2366 * SPPP_AUTHFLAG_NOCALLOUT is set. 2367 */ 2368 if ((sp->pp_flags & PP_CALLIN) == 0 && 2369 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 2370 if (debug) 2371 addlog(" [don't insist on auth " 2372 "for callout]"); 2373 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2374 break; 2375 } 2376 if (debug) 2377 addlog("[access denied]\n"); 2378 lcp.Close(sp); 2379 break; 2380 } 2381 } 2382 if (debug) 2383 addlog("\n"); 2384 drop: 2385 free(buf, M_TEMP); 2386 return; 2387 } 2388 2389 /* 2390 * Analyze the LCP Configure-NAK option list, and adjust our 2391 * negotiation. 2392 */ 2393 static void 2394 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2395 { 2396 STDDCL; 2397 u_char *buf, *p, l, blen; 2398 uint32_t magic; 2399 2400 len -= 4; 2401 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 2402 if (!buf) 2403 return; 2404 2405 if (debug) 2406 log(LOG_DEBUG, "%s: lcp nak opts:", 2407 ifp->if_xname); 2408 2409 p = (void *)(h + 1); 2410 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2411 /* Sanity check option length */ 2412 if (l > len) { 2413 /* 2414 * Malicious option - drop immediately. 2415 * XXX Maybe we should just RXJ it? 2416 */ 2417 addlog("%s: received malicious LCP option, " 2418 "dropping.\n", ifp->if_xname); 2419 goto drop; 2420 } 2421 if (debug) 2422 addlog(" %s", sppp_lcp_opt_name(*p)); 2423 switch (*p) { 2424 case LCP_OPT_MAGIC: 2425 /* Magic number -- renegotiate */ 2426 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2427 len >= 6 && l == 6) { 2428 magic = (uint32_t)p[2] << 24 | 2429 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2430 /* 2431 * If the remote magic is our negated one, 2432 * this looks like a loopback problem. 2433 * Suggest a new magic to make sure. 2434 */ 2435 if (magic == ~sp->lcp.magic) { 2436 if (debug) 2437 addlog(" magic glitch"); 2438 sp->lcp.magic = cprng_fast32(); 2439 } else { 2440 sp->lcp.magic = magic; 2441 if (debug) 2442 addlog(" %d", magic); 2443 } 2444 } 2445 break; 2446 case LCP_OPT_MRU: 2447 /* 2448 * Peer wants to advise us to negotiate an MRU. 2449 * Agree on it if it's reasonable, or use 2450 * default otherwise. 2451 */ 2452 if (len >= 4 && l == 4) { 2453 u_int mru = p[2] * 256 + p[3]; 2454 if (debug) 2455 addlog(" %d", mru); 2456 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 2457 mru = sp->pp_if.if_mtu; 2458 sp->lcp.mru = mru; 2459 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2460 } 2461 break; 2462 case LCP_OPT_AUTH_PROTO: 2463 /* 2464 * Peer doesn't like our authentication method, 2465 * deny. 2466 */ 2467 if (debug) 2468 addlog("[access denied]\n"); 2469 lcp.Close(sp); 2470 break; 2471 } 2472 } 2473 if (debug) 2474 addlog("\n"); 2475 drop: 2476 free(buf, M_TEMP); 2477 return; 2478 } 2479 2480 static void 2481 sppp_lcp_tlu(struct sppp *sp) 2482 { 2483 STDDCL; 2484 int i; 2485 uint32_t mask; 2486 2487 /* XXX ? */ 2488 if (! (ifp->if_flags & IFF_UP) && 2489 (ifp->if_flags & IFF_RUNNING)) { 2490 /* Coming out of loopback mode. */ 2491 if_up(ifp); 2492 } 2493 2494 for (i = 0; i < IDX_COUNT; i++) 2495 if ((cps[i])->flags & CP_QUAL) 2496 (cps[i])->Open(sp); 2497 2498 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2499 (sp->pp_flags & PP_NEEDAUTH) != 0) 2500 sp->pp_phase = SPPP_PHASE_AUTHENTICATE; 2501 else 2502 sp->pp_phase = SPPP_PHASE_NETWORK; 2503 2504 if (debug) 2505 { 2506 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2507 sppp_phase_name(sp->pp_phase)); 2508 } 2509 2510 /* 2511 * Open all authentication protocols. This is even required 2512 * if we already proceeded to network phase, since it might be 2513 * that remote wants us to authenticate, so we might have to 2514 * send a PAP request. Undesired authentication protocols 2515 * don't do anything when they get an Open event. 2516 */ 2517 for (i = 0; i < IDX_COUNT; i++) 2518 if ((cps[i])->flags & CP_AUTH) 2519 (cps[i])->Open(sp); 2520 2521 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 2522 /* Notify all NCPs. */ 2523 for (i = 0; i < IDX_COUNT; i++) 2524 if ((cps[i])->flags & CP_NCP) 2525 (cps[i])->Open(sp); 2526 } 2527 2528 /* Send Up events to all started protos. */ 2529 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2530 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) 2531 (cps[i])->Up(sp); 2532 2533 /* notify low-level driver of state change */ 2534 if (sp->pp_chg) 2535 sp->pp_chg(sp, (int)sp->pp_phase); 2536 2537 if (sp->pp_phase == SPPP_PHASE_NETWORK) 2538 /* if no NCP is starting, close down */ 2539 sppp_lcp_check_and_close(sp); 2540 } 2541 2542 static void 2543 sppp_lcp_tld(struct sppp *sp) 2544 { 2545 STDDCL; 2546 int i; 2547 uint32_t mask; 2548 2549 sp->pp_phase = SPPP_PHASE_TERMINATE; 2550 2551 if (debug) 2552 { 2553 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2554 sppp_phase_name(sp->pp_phase)); 2555 } 2556 2557 /* 2558 * Take upper layers down. We send the Down event first and 2559 * the Close second to prevent the upper layers from sending 2560 * ``a flurry of terminate-request packets'', as the RFC 2561 * describes it. 2562 */ 2563 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2564 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2565 (cps[i])->Down(sp); 2566 (cps[i])->Close(sp); 2567 } 2568 } 2569 2570 static void 2571 sppp_lcp_tls(struct sppp *sp) 2572 { 2573 STDDCL; 2574 2575 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 2576 printf("%s: authentication failed %d times, not retrying again\n", 2577 sp->pp_if.if_xname, sp->pp_auth_failures); 2578 if_down(&sp->pp_if); 2579 return; 2580 } 2581 2582 sp->pp_phase = SPPP_PHASE_ESTABLISH; 2583 2584 if (debug) 2585 { 2586 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2587 sppp_phase_name(sp->pp_phase)); 2588 } 2589 2590 /* Notify lower layer if desired. */ 2591 if (sp->pp_tls) 2592 (sp->pp_tls)(sp); 2593 } 2594 2595 static void 2596 sppp_lcp_tlf(struct sppp *sp) 2597 { 2598 STDDCL; 2599 2600 sp->pp_phase = SPPP_PHASE_DEAD; 2601 2602 if (debug) 2603 { 2604 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2605 sppp_phase_name(sp->pp_phase)); 2606 } 2607 2608 /* Notify lower layer if desired. */ 2609 if (sp->pp_tlf) 2610 (sp->pp_tlf)(sp); 2611 } 2612 2613 static void 2614 sppp_lcp_scr(struct sppp *sp) 2615 { 2616 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2617 int i = 0; 2618 u_short authproto; 2619 2620 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2621 if (! sp->lcp.magic) 2622 sp->lcp.magic = cprng_fast32(); 2623 opt[i++] = LCP_OPT_MAGIC; 2624 opt[i++] = 6; 2625 opt[i++] = sp->lcp.magic >> 24; 2626 opt[i++] = sp->lcp.magic >> 16; 2627 opt[i++] = sp->lcp.magic >> 8; 2628 opt[i++] = sp->lcp.magic; 2629 } 2630 2631 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2632 opt[i++] = LCP_OPT_MRU; 2633 opt[i++] = 4; 2634 opt[i++] = sp->lcp.mru >> 8; 2635 opt[i++] = sp->lcp.mru; 2636 } 2637 2638 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2639 authproto = sp->hisauth.proto; 2640 opt[i++] = LCP_OPT_AUTH_PROTO; 2641 opt[i++] = authproto == PPP_CHAP? 5: 4; 2642 opt[i++] = authproto >> 8; 2643 opt[i++] = authproto; 2644 if (authproto == PPP_CHAP) 2645 opt[i++] = CHAP_MD5; 2646 } 2647 2648 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2649 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2650 } 2651 2652 /* 2653 * Check the open NCPs, return true if at least one NCP is open. 2654 */ 2655 static int 2656 sppp_ncp_check(struct sppp *sp) 2657 { 2658 int i, mask; 2659 2660 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2661 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2662 return 1; 2663 return 0; 2664 } 2665 2666 /* 2667 * Re-check the open NCPs and see if we should terminate the link. 2668 * Called by the NCPs during their tlf action handling. 2669 */ 2670 static void 2671 sppp_lcp_check_and_close(struct sppp *sp) 2672 { 2673 2674 if (sp->pp_phase < SPPP_PHASE_NETWORK) 2675 /* don't bother, we are already going down */ 2676 return; 2677 2678 if (sppp_ncp_check(sp)) 2679 return; 2680 2681 lcp.Close(sp); 2682 } 2683 2684 2685 /* 2686 *--------------------------------------------------------------------------* 2687 * * 2688 * The IPCP implementation. * 2689 * * 2690 *--------------------------------------------------------------------------* 2691 */ 2692 2693 static void 2694 sppp_ipcp_init(struct sppp *sp) 2695 { 2696 sp->ipcp.opts = 0; 2697 sp->ipcp.flags = 0; 2698 sp->state[IDX_IPCP] = STATE_INITIAL; 2699 sp->fail_counter[IDX_IPCP] = 0; 2700 sp->pp_seq[IDX_IPCP] = 0; 2701 sp->pp_rseq[IDX_IPCP] = 0; 2702 callout_init(&sp->ch[IDX_IPCP], 0); 2703 } 2704 2705 static void 2706 sppp_ipcp_up(struct sppp *sp) 2707 { 2708 sppp_up_event(&ipcp, sp); 2709 } 2710 2711 static void 2712 sppp_ipcp_down(struct sppp *sp) 2713 { 2714 sppp_down_event(&ipcp, sp); 2715 } 2716 2717 static void 2718 sppp_ipcp_open(struct sppp *sp) 2719 { 2720 STDDCL; 2721 uint32_t myaddr, hisaddr; 2722 2723 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 2724 sp->ipcp.req_myaddr = 0; 2725 sp->ipcp.req_hisaddr = 0; 2726 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 2727 2728 #ifdef INET 2729 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 2730 #else 2731 myaddr = hisaddr = 0; 2732 #endif 2733 /* 2734 * If we don't have his address, this probably means our 2735 * interface doesn't want to talk IP at all. (This could 2736 * be the case if somebody wants to speak only IPX, for 2737 * example.) Don't open IPCP in this case. 2738 */ 2739 if (hisaddr == 0) { 2740 /* XXX this message should go away */ 2741 if (debug) 2742 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 2743 ifp->if_xname); 2744 return; 2745 } 2746 2747 if (myaddr == 0) { 2748 /* 2749 * I don't have an assigned address, so i need to 2750 * negotiate my address. 2751 */ 2752 sp->ipcp.flags |= IPCP_MYADDR_DYN; 2753 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 2754 } 2755 if (hisaddr == 1) { 2756 /* 2757 * XXX - remove this hack! 2758 * remote has no valid address, we need to get one assigned. 2759 */ 2760 sp->ipcp.flags |= IPCP_HISADDR_DYN; 2761 } 2762 sppp_open_event(&ipcp, sp); 2763 } 2764 2765 static void 2766 sppp_ipcp_close(struct sppp *sp) 2767 { 2768 STDDCL; 2769 2770 sppp_close_event(&ipcp, sp); 2771 #ifdef INET 2772 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) 2773 /* 2774 * Some address was dynamic, clear it again. 2775 */ 2776 sppp_clear_ip_addrs(sp); 2777 #endif 2778 2779 if (sp->pp_saved_mtu > 0) { 2780 ifp->if_mtu = sp->pp_saved_mtu; 2781 sp->pp_saved_mtu = 0; 2782 if (debug) 2783 log(LOG_DEBUG, 2784 "%s: resetting MTU to %" PRIu64 " bytes\n", 2785 ifp->if_xname, ifp->if_mtu); 2786 } 2787 } 2788 2789 static void 2790 sppp_ipcp_TO(void *cookie) 2791 { 2792 sppp_to_event(&ipcp, (struct sppp *)cookie); 2793 } 2794 2795 /* 2796 * Analyze a configure request. Return true if it was agreeable, and 2797 * caused action sca, false if it has been rejected or nak'ed, and 2798 * caused action scn. (The return value is used to make the state 2799 * transition decision in the state automaton.) 2800 */ 2801 static int 2802 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2803 { 2804 u_char *buf, *r, *p, l, blen; 2805 struct ifnet *ifp = &sp->pp_if; 2806 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 2807 uint32_t hisaddr, desiredaddr; 2808 2809 len -= 4; 2810 origlen = len; 2811 /* 2812 * Make sure to allocate a buf that can at least hold a 2813 * conf-nak with an `address' option. We might need it below. 2814 */ 2815 blen = len < 6 ? 6 : len; 2816 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 2817 if (! buf) 2818 return (0); 2819 2820 /* pass 1: see if we can recognize them */ 2821 if (debug) 2822 log(LOG_DEBUG, "%s: ipcp parse opts:", 2823 ifp->if_xname); 2824 p = (void *)(h + 1); 2825 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2826 /* Sanity check option length */ 2827 if (l > len) { 2828 /* XXX should we just RXJ? */ 2829 addlog("%s: malicious IPCP option received, dropping\n", 2830 ifp->if_xname); 2831 goto drop; 2832 } 2833 if (debug) 2834 addlog(" %s", sppp_ipcp_opt_name(*p)); 2835 switch (*p) { 2836 #ifdef notyet 2837 case IPCP_OPT_COMPRESSION: 2838 if (len >= 6 && l >= 6) { 2839 /* correctly formed compress option */ 2840 continue; 2841 } 2842 if (debug) 2843 addlog(" [invalid]"); 2844 break; 2845 #endif 2846 case IPCP_OPT_ADDRESS: 2847 if (len >= 6 && l == 6) { 2848 /* correctly formed address option */ 2849 continue; 2850 } 2851 if (debug) 2852 addlog(" [invalid]"); 2853 break; 2854 default: 2855 /* Others not supported. */ 2856 if (debug) 2857 addlog(" [rej]"); 2858 break; 2859 } 2860 /* Add the option to rejected list. */ 2861 if (rlen + l > blen) { 2862 if (debug) 2863 addlog(" [overflow]"); 2864 continue; 2865 } 2866 memcpy(r, p, l); 2867 r += l; 2868 rlen += l; 2869 } 2870 if (rlen) { 2871 if (debug) 2872 addlog(" send conf-rej\n"); 2873 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 2874 goto end; 2875 } else if (debug) 2876 addlog("\n"); 2877 2878 /* pass 2: parse option values */ 2879 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 2880 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 2881 else 2882 #ifdef INET 2883 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 2884 #else 2885 hisaddr = 0; 2886 #endif 2887 if (debug) 2888 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 2889 ifp->if_xname); 2890 p = (void *)(h + 1); 2891 len = origlen; 2892 for (rlen=0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2893 if (debug) 2894 addlog(" %s", sppp_ipcp_opt_name(*p)); 2895 switch (*p) { 2896 #ifdef notyet 2897 case IPCP_OPT_COMPRESSION: 2898 continue; 2899 #endif 2900 case IPCP_OPT_ADDRESS: 2901 desiredaddr = p[2] << 24 | p[3] << 16 | 2902 p[4] << 8 | p[5]; 2903 if (desiredaddr == hisaddr || 2904 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 2905 /* 2906 * Peer's address is same as our value, 2907 * this is agreeable. Gonna conf-ack 2908 * it. 2909 */ 2910 if (debug) 2911 addlog(" %s [ack]", 2912 sppp_dotted_quad(hisaddr)); 2913 /* record that we've seen it already */ 2914 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 2915 sp->ipcp.req_hisaddr = desiredaddr; 2916 hisaddr = desiredaddr; 2917 continue; 2918 } 2919 /* 2920 * The address wasn't agreeable. This is either 2921 * he sent us 0.0.0.0, asking to assign him an 2922 * address, or he send us another address not 2923 * matching our value. Either case, we gonna 2924 * conf-nak it with our value. 2925 */ 2926 if (debug) { 2927 if (desiredaddr == 0) 2928 addlog(" [addr requested]"); 2929 else 2930 addlog(" %s [not agreed]", 2931 sppp_dotted_quad(desiredaddr)); 2932 } 2933 2934 p[2] = hisaddr >> 24; 2935 p[3] = hisaddr >> 16; 2936 p[4] = hisaddr >> 8; 2937 p[5] = hisaddr; 2938 break; 2939 } 2940 if (rlen + l > blen) { 2941 if (debug) 2942 addlog(" [overflow]"); 2943 continue; 2944 } 2945 /* Add the option to nak'ed list. */ 2946 memcpy(r, p, l); 2947 r += l; 2948 rlen += l; 2949 } 2950 2951 /* 2952 * If we are about to conf-ack the request, but haven't seen 2953 * his address so far, gonna conf-nak it instead, with the 2954 * `address' option present and our idea of his address being 2955 * filled in there, to request negotiation of both addresses. 2956 * 2957 * XXX This can result in an endless req - nak loop if peer 2958 * doesn't want to send us his address. Q: What should we do 2959 * about it? XXX A: implement the max-failure counter. 2960 */ 2961 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) { 2962 buf[0] = IPCP_OPT_ADDRESS; 2963 buf[1] = 6; 2964 buf[2] = hisaddr >> 24; 2965 buf[3] = hisaddr >> 16; 2966 buf[4] = hisaddr >> 8; 2967 buf[5] = hisaddr; 2968 rlen = 6; 2969 if (debug) 2970 addlog(" still need hisaddr"); 2971 } 2972 2973 if (rlen) { 2974 if (debug) 2975 addlog(" send conf-nak\n"); 2976 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 2977 } else { 2978 if (debug) 2979 addlog(" send conf-ack\n"); 2980 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1); 2981 } 2982 2983 end: 2984 free(buf, M_TEMP); 2985 return (rlen == 0); 2986 2987 drop: 2988 free(buf, M_TEMP); 2989 return -1; 2990 } 2991 2992 /* 2993 * Analyze the IPCP Configure-Reject option list, and adjust our 2994 * negotiation. 2995 */ 2996 static void 2997 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2998 { 2999 u_char *buf, *p, l, blen; 3000 struct ifnet *ifp = &sp->pp_if; 3001 int debug = ifp->if_flags & IFF_DEBUG; 3002 3003 len -= 4; 3004 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3005 if (!buf) 3006 return; 3007 3008 if (debug) 3009 log(LOG_DEBUG, "%s: ipcp rej opts:", 3010 ifp->if_xname); 3011 3012 p = (void *)(h + 1); 3013 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3014 /* Sanity check option length */ 3015 if (l > len) { 3016 /* XXX should we just RXJ? */ 3017 addlog("%s: malicious IPCP option received, dropping\n", 3018 ifp->if_xname); 3019 goto drop; 3020 } 3021 if (debug) 3022 addlog(" %s", sppp_ipcp_opt_name(*p)); 3023 switch (*p) { 3024 case IPCP_OPT_ADDRESS: 3025 /* 3026 * Peer doesn't grok address option. This is 3027 * bad. XXX Should we better give up here? 3028 */ 3029 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3030 break; 3031 #ifdef notyet 3032 case IPCP_OPT_COMPRESS: 3033 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS); 3034 break; 3035 #endif 3036 } 3037 } 3038 if (debug) 3039 addlog("\n"); 3040 drop: 3041 free(buf, M_TEMP); 3042 return; 3043 } 3044 3045 /* 3046 * Analyze the IPCP Configure-NAK option list, and adjust our 3047 * negotiation. 3048 */ 3049 static void 3050 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3051 { 3052 u_char *p, l; 3053 struct ifnet *ifp = &sp->pp_if; 3054 int debug = ifp->if_flags & IFF_DEBUG; 3055 uint32_t wantaddr; 3056 3057 len -= 4; 3058 3059 if (debug) 3060 log(LOG_DEBUG, "%s: ipcp nak opts:", 3061 ifp->if_xname); 3062 3063 p = (void *)(h + 1); 3064 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3065 /* Sanity check option length */ 3066 if (l > len) { 3067 /* XXX should we just RXJ? */ 3068 addlog("%s: malicious IPCP option received, dropping\n", 3069 ifp->if_xname); 3070 return; 3071 } 3072 if (debug) 3073 addlog(" %s", sppp_ipcp_opt_name(*p)); 3074 switch (*p) { 3075 case IPCP_OPT_ADDRESS: 3076 /* 3077 * Peer doesn't like our local IP address. See 3078 * if we can do something for him. We'll drop 3079 * him our address then. 3080 */ 3081 if (len >= 6 && l == 6) { 3082 wantaddr = p[2] << 24 | p[3] << 16 | 3083 p[4] << 8 | p[5]; 3084 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3085 if (debug) 3086 addlog(" [wantaddr %s]", 3087 sppp_dotted_quad(wantaddr)); 3088 /* 3089 * When doing dynamic address assignment, 3090 * we accept his offer. Otherwise, we 3091 * ignore it and thus continue to negotiate 3092 * our already existing value. 3093 */ 3094 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3095 if (debug) 3096 addlog(" [agree]"); 3097 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3098 sp->ipcp.req_myaddr = wantaddr; 3099 } 3100 } 3101 break; 3102 3103 case IPCP_OPT_PRIMDNS: 3104 if (len >= 6 && l == 6) { 3105 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 3106 p[4] << 8 | p[5]; 3107 } 3108 break; 3109 3110 case IPCP_OPT_SECDNS: 3111 if (len >= 6 && l == 6) { 3112 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 3113 p[4] << 8 | p[5]; 3114 } 3115 break; 3116 #ifdef notyet 3117 case IPCP_OPT_COMPRESS: 3118 /* 3119 * Peer wants different compression parameters. 3120 */ 3121 break; 3122 #endif 3123 } 3124 } 3125 if (debug) 3126 addlog("\n"); 3127 } 3128 3129 static void 3130 sppp_ipcp_tlu(struct sppp *sp) 3131 { 3132 #ifdef INET 3133 /* we are up. Set addresses and notify anyone interested */ 3134 STDDCL; 3135 uint32_t myaddr, hisaddr; 3136 3137 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3138 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 3139 myaddr = sp->ipcp.req_myaddr; 3140 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 3141 hisaddr = sp->ipcp.req_hisaddr; 3142 sppp_set_ip_addrs(sp, myaddr, hisaddr); 3143 3144 if (ifp->if_mtu > sp->lcp.their_mru) { 3145 sp->pp_saved_mtu = ifp->if_mtu; 3146 ifp->if_mtu = sp->lcp.their_mru; 3147 if (debug) 3148 log(LOG_DEBUG, 3149 "%s: setting MTU to %" PRIu64 " bytes\n", 3150 ifp->if_xname, ifp->if_mtu); 3151 } 3152 3153 if (sp->pp_con) 3154 sp->pp_con(sp); 3155 #endif 3156 } 3157 3158 static void 3159 sppp_ipcp_tld(struct sppp *sp) 3160 { 3161 } 3162 3163 static void 3164 sppp_ipcp_tls(struct sppp *sp) 3165 { 3166 /* indicate to LCP that it must stay alive */ 3167 sp->lcp.protos |= (1 << IDX_IPCP); 3168 } 3169 3170 static void 3171 sppp_ipcp_tlf(struct sppp *sp) 3172 { 3173 /* we no longer need LCP */ 3174 sp->lcp.protos &= ~(1 << IDX_IPCP); 3175 } 3176 3177 static void 3178 sppp_ipcp_scr(struct sppp *sp) 3179 { 3180 char opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 3181 #ifdef INET 3182 uint32_t ouraddr; 3183 #endif 3184 int i = 0; 3185 3186 #ifdef notyet 3187 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3188 opt[i++] = IPCP_OPT_COMPRESSION; 3189 opt[i++] = 6; 3190 opt[i++] = 0; /* VJ header compression */ 3191 opt[i++] = 0x2d; /* VJ header compression */ 3192 opt[i++] = max_slot_id; 3193 opt[i++] = comp_slot_id; 3194 } 3195 #endif 3196 3197 #ifdef INET 3198 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3199 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) 3200 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 3201 else 3202 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3203 opt[i++] = IPCP_OPT_ADDRESS; 3204 opt[i++] = 6; 3205 opt[i++] = ouraddr >> 24; 3206 opt[i++] = ouraddr >> 16; 3207 opt[i++] = ouraddr >> 8; 3208 opt[i++] = ouraddr; 3209 } 3210 #endif 3211 3212 if (sp->query_dns & 1) { 3213 opt[i++] = IPCP_OPT_PRIMDNS; 3214 opt[i++] = 6; 3215 opt[i++] = sp->dns_addrs[0] >> 24; 3216 opt[i++] = sp->dns_addrs[0] >> 16; 3217 opt[i++] = sp->dns_addrs[0] >> 8; 3218 opt[i++] = sp->dns_addrs[0]; 3219 } 3220 if (sp->query_dns & 2) { 3221 opt[i++] = IPCP_OPT_SECDNS; 3222 opt[i++] = 6; 3223 opt[i++] = sp->dns_addrs[1] >> 24; 3224 opt[i++] = sp->dns_addrs[1] >> 16; 3225 opt[i++] = sp->dns_addrs[1] >> 8; 3226 opt[i++] = sp->dns_addrs[1]; 3227 } 3228 3229 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3230 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3231 } 3232 3233 3234 /* 3235 *--------------------------------------------------------------------------* 3236 * * 3237 * The IPv6CP implementation. * 3238 * * 3239 *--------------------------------------------------------------------------* 3240 */ 3241 3242 #ifdef INET6 3243 static void 3244 sppp_ipv6cp_init(struct sppp *sp) 3245 { 3246 sp->ipv6cp.opts = 0; 3247 sp->ipv6cp.flags = 0; 3248 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3249 sp->fail_counter[IDX_IPV6CP] = 0; 3250 sp->pp_seq[IDX_IPV6CP] = 0; 3251 sp->pp_rseq[IDX_IPV6CP] = 0; 3252 callout_init(&sp->ch[IDX_IPV6CP], 0); 3253 } 3254 3255 static void 3256 sppp_ipv6cp_up(struct sppp *sp) 3257 { 3258 sppp_up_event(&ipv6cp, sp); 3259 } 3260 3261 static void 3262 sppp_ipv6cp_down(struct sppp *sp) 3263 { 3264 sppp_down_event(&ipv6cp, sp); 3265 } 3266 3267 static void 3268 sppp_ipv6cp_open(struct sppp *sp) 3269 { 3270 STDDCL; 3271 struct in6_addr myaddr, hisaddr; 3272 3273 #ifdef IPV6CP_MYIFID_DYN 3274 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3275 #else 3276 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3277 #endif 3278 3279 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3280 /* 3281 * If we don't have our address, this probably means our 3282 * interface doesn't want to talk IPv6 at all. (This could 3283 * be the case if somebody wants to speak only IPX, for 3284 * example.) Don't open IPv6CP in this case. 3285 */ 3286 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3287 /* XXX this message should go away */ 3288 if (debug) 3289 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 3290 ifp->if_xname); 3291 return; 3292 } 3293 3294 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3295 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3296 sppp_open_event(&ipv6cp, sp); 3297 } 3298 3299 static void 3300 sppp_ipv6cp_close(struct sppp *sp) 3301 { 3302 sppp_close_event(&ipv6cp, sp); 3303 } 3304 3305 static void 3306 sppp_ipv6cp_TO(void *cookie) 3307 { 3308 sppp_to_event(&ipv6cp, (struct sppp *)cookie); 3309 } 3310 3311 /* 3312 * Analyze a configure request. Return true if it was agreeable, and 3313 * caused action sca, false if it has been rejected or nak'ed, and 3314 * caused action scn. (The return value is used to make the state 3315 * transition decision in the state automaton.) 3316 */ 3317 static int 3318 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3319 { 3320 u_char *buf, *r, *p, l, blen; 3321 struct ifnet *ifp = &sp->pp_if; 3322 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3323 struct in6_addr myaddr, desiredaddr, suggestaddr; 3324 int ifidcount; 3325 int type; 3326 int collision, nohisaddr; 3327 3328 len -= 4; 3329 origlen = len; 3330 /* 3331 * Make sure to allocate a buf that can at least hold a 3332 * conf-nak with an `address' option. We might need it below. 3333 */ 3334 blen = len < 6 ? 6 : len; 3335 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3336 if (! buf) 3337 return (0); 3338 3339 /* pass 1: see if we can recognize them */ 3340 if (debug) 3341 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 3342 ifp->if_xname); 3343 p = (void *)(h + 1); 3344 ifidcount = 0; 3345 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3346 /* Sanity check option length */ 3347 if (l > len) { 3348 /* XXX just RXJ? */ 3349 addlog("%s: received malicious IPCPv6 option, " 3350 "dropping\n", ifp->if_xname); 3351 goto drop; 3352 } 3353 if (debug) 3354 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3355 switch (*p) { 3356 case IPV6CP_OPT_IFID: 3357 if (len >= 10 && l == 10 && ifidcount == 0) { 3358 /* correctly formed address option */ 3359 ifidcount++; 3360 continue; 3361 } 3362 if (debug) 3363 addlog(" [invalid]"); 3364 break; 3365 #ifdef notyet 3366 case IPV6CP_OPT_COMPRESSION: 3367 if (len >= 4 && l >= 4) { 3368 /* correctly formed compress option */ 3369 continue; 3370 } 3371 if (debug) 3372 addlog(" [invalid]"); 3373 break; 3374 #endif 3375 default: 3376 /* Others not supported. */ 3377 if (debug) 3378 addlog(" [rej]"); 3379 break; 3380 } 3381 if (rlen + l > blen) { 3382 if (debug) 3383 addlog(" [overflow]"); 3384 continue; 3385 } 3386 /* Add the option to rejected list. */ 3387 memcpy(r, p, l); 3388 r += l; 3389 rlen += l; 3390 } 3391 if (rlen) { 3392 if (debug) 3393 addlog(" send conf-rej\n"); 3394 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3395 goto end; 3396 } else if (debug) 3397 addlog("\n"); 3398 3399 /* pass 2: parse option values */ 3400 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3401 if (debug) 3402 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 3403 ifp->if_xname); 3404 p = (void *)(h + 1); 3405 len = origlen; 3406 type = CONF_ACK; 3407 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3408 if (debug) 3409 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3410 switch (*p) { 3411 #ifdef notyet 3412 case IPV6CP_OPT_COMPRESSION: 3413 continue; 3414 #endif 3415 case IPV6CP_OPT_IFID: 3416 memset(&desiredaddr, 0, sizeof(desiredaddr)); 3417 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 3418 collision = (memcmp(&desiredaddr.s6_addr[8], 3419 &myaddr.s6_addr[8], 8) == 0); 3420 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3421 3422 desiredaddr.s6_addr16[0] = htons(0xfe80); 3423 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 3424 3425 if (!collision && !nohisaddr) { 3426 /* no collision, hisaddr known - Conf-Ack */ 3427 type = CONF_ACK; 3428 3429 if (debug) { 3430 addlog(" %s [%s]", 3431 ip6_sprintf(&desiredaddr), 3432 sppp_cp_type_name(type)); 3433 } 3434 continue; 3435 } 3436 3437 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3438 if (collision && nohisaddr) { 3439 /* collision, hisaddr unknown - Conf-Rej */ 3440 type = CONF_REJ; 3441 memset(&p[2], 0, 8); 3442 } else { 3443 /* 3444 * - no collision, hisaddr unknown, or 3445 * - collision, hisaddr known 3446 * Conf-Nak, suggest hisaddr 3447 */ 3448 type = CONF_NAK; 3449 sppp_suggest_ip6_addr(sp, &suggestaddr); 3450 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 3451 } 3452 if (debug) 3453 addlog(" %s [%s]", ip6_sprintf(&desiredaddr), 3454 sppp_cp_type_name(type)); 3455 break; 3456 } 3457 if (rlen + l > blen) { 3458 if (debug) 3459 addlog(" [overflow]"); 3460 continue; 3461 } 3462 /* Add the option to nak'ed list. */ 3463 memcpy(r, p, l); 3464 r += l; 3465 rlen += l; 3466 } 3467 3468 if (rlen == 0 && type == CONF_ACK) { 3469 if (debug) 3470 addlog(" send %s\n", sppp_cp_type_name(type)); 3471 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1); 3472 } else { 3473 #ifdef notdef 3474 if (type == CONF_ACK) 3475 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3476 #endif 3477 3478 if (debug) { 3479 addlog(" send %s suggest %s\n", 3480 sppp_cp_type_name(type), ip6_sprintf(&suggestaddr)); 3481 } 3482 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3483 } 3484 3485 end: 3486 free(buf, M_TEMP); 3487 return (rlen == 0); 3488 3489 drop: 3490 free(buf, M_TEMP); 3491 return -1; 3492 } 3493 3494 /* 3495 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3496 * negotiation. 3497 */ 3498 static void 3499 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3500 { 3501 u_char *buf, *p, l, blen; 3502 struct ifnet *ifp = &sp->pp_if; 3503 int debug = ifp->if_flags & IFF_DEBUG; 3504 3505 len -= 4; 3506 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3507 if (!buf) 3508 return; 3509 3510 if (debug) 3511 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 3512 ifp->if_xname); 3513 3514 p = (void *)(h + 1); 3515 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3516 if (l > len) { 3517 /* XXX just RXJ? */ 3518 addlog("%s: received malicious IPCPv6 option, " 3519 "dropping\n", ifp->if_xname); 3520 goto drop; 3521 } 3522 if (debug) 3523 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3524 switch (*p) { 3525 case IPV6CP_OPT_IFID: 3526 /* 3527 * Peer doesn't grok address option. This is 3528 * bad. XXX Should we better give up here? 3529 */ 3530 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3531 break; 3532 #ifdef notyet 3533 case IPV6CP_OPT_COMPRESS: 3534 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3535 break; 3536 #endif 3537 } 3538 } 3539 if (debug) 3540 addlog("\n"); 3541 drop: 3542 free(buf, M_TEMP); 3543 return; 3544 } 3545 3546 /* 3547 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3548 * negotiation. 3549 */ 3550 static void 3551 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3552 { 3553 u_char *buf, *p, l, blen; 3554 struct ifnet *ifp = &sp->pp_if; 3555 int debug = ifp->if_flags & IFF_DEBUG; 3556 struct in6_addr suggestaddr; 3557 3558 len -= 4; 3559 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3560 if (!buf) 3561 return; 3562 3563 if (debug) 3564 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 3565 ifp->if_xname); 3566 3567 p = (void *)(h + 1); 3568 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3569 if (l > len) { 3570 /* XXX just RXJ? */ 3571 addlog("%s: received malicious IPCPv6 option, " 3572 "dropping\n", ifp->if_xname); 3573 goto drop; 3574 } 3575 if (debug) 3576 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3577 switch (*p) { 3578 case IPV6CP_OPT_IFID: 3579 /* 3580 * Peer doesn't like our local ifid. See 3581 * if we can do something for him. We'll drop 3582 * him our address then. 3583 */ 3584 if (len < 10 || l != 10) 3585 break; 3586 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3587 suggestaddr.s6_addr16[0] = htons(0xfe80); 3588 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 3589 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 3590 3591 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3592 if (debug) 3593 addlog(" [suggestaddr %s]", 3594 ip6_sprintf(&suggestaddr)); 3595 #ifdef IPV6CP_MYIFID_DYN 3596 /* 3597 * When doing dynamic address assignment, 3598 * we accept his offer. 3599 */ 3600 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3601 struct in6_addr lastsuggest; 3602 /* 3603 * If <suggested myaddr from peer> equals to 3604 * <hisaddr we have suggested last time>, 3605 * we have a collision. generate new random 3606 * ifid. 3607 */ 3608 sppp_suggest_ip6_addr(&lastsuggest); 3609 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3610 lastsuggest)) { 3611 if (debug) 3612 addlog(" [random]"); 3613 sppp_gen_ip6_addr(sp, &suggestaddr); 3614 } 3615 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3616 if (debug) 3617 addlog(" [agree]"); 3618 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3619 } 3620 #else 3621 /* 3622 * Since we do not do dynamic address assignment, 3623 * we ignore it and thus continue to negotiate 3624 * our already existing value. This can possibly 3625 * go into infinite request-reject loop. 3626 * 3627 * This is not likely because we normally use 3628 * ifid based on MAC-address. 3629 * If you have no ethernet card on the node, too bad. 3630 * XXX should we use fail_counter? 3631 */ 3632 #endif 3633 break; 3634 #ifdef notyet 3635 case IPV6CP_OPT_COMPRESS: 3636 /* 3637 * Peer wants different compression parameters. 3638 */ 3639 break; 3640 #endif 3641 } 3642 } 3643 if (debug) 3644 addlog("\n"); 3645 drop: 3646 free(buf, M_TEMP); 3647 return; 3648 } 3649 3650 static void 3651 sppp_ipv6cp_tlu(struct sppp *sp) 3652 { 3653 /* we are up - notify isdn daemon */ 3654 if (sp->pp_con) 3655 sp->pp_con(sp); 3656 } 3657 3658 static void 3659 sppp_ipv6cp_tld(struct sppp *sp) 3660 { 3661 } 3662 3663 static void 3664 sppp_ipv6cp_tls(struct sppp *sp) 3665 { 3666 /* indicate to LCP that it must stay alive */ 3667 sp->lcp.protos |= (1 << IDX_IPV6CP); 3668 } 3669 3670 static void 3671 sppp_ipv6cp_tlf(struct sppp *sp) 3672 { 3673 /* we no longer need LCP */ 3674 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3675 } 3676 3677 static void 3678 sppp_ipv6cp_scr(struct sppp *sp) 3679 { 3680 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3681 struct in6_addr ouraddr; 3682 int i = 0; 3683 3684 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3685 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3686 opt[i++] = IPV6CP_OPT_IFID; 3687 opt[i++] = 10; 3688 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 3689 i += 8; 3690 } 3691 3692 #ifdef notyet 3693 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 3694 opt[i++] = IPV6CP_OPT_COMPRESSION; 3695 opt[i++] = 4; 3696 opt[i++] = 0; /* TBD */ 3697 opt[i++] = 0; /* TBD */ 3698 /* variable length data may follow */ 3699 } 3700 #endif 3701 3702 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 3703 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 3704 } 3705 #else /*INET6*/ 3706 static void 3707 sppp_ipv6cp_init(struct sppp *sp) 3708 { 3709 } 3710 3711 static void 3712 sppp_ipv6cp_up(struct sppp *sp) 3713 { 3714 } 3715 3716 static void 3717 sppp_ipv6cp_down(struct sppp *sp) 3718 { 3719 } 3720 3721 static void 3722 sppp_ipv6cp_open(struct sppp *sp) 3723 { 3724 } 3725 3726 static void 3727 sppp_ipv6cp_close(struct sppp *sp) 3728 { 3729 } 3730 3731 static void 3732 sppp_ipv6cp_TO(void *sp) 3733 { 3734 } 3735 3736 static int 3737 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, 3738 int len) 3739 { 3740 return 0; 3741 } 3742 3743 static void 3744 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, 3745 int len) 3746 { 3747 } 3748 3749 static void 3750 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, 3751 int len) 3752 { 3753 } 3754 3755 static void 3756 sppp_ipv6cp_tlu(struct sppp *sp) 3757 { 3758 } 3759 3760 static void 3761 sppp_ipv6cp_tld(struct sppp *sp) 3762 { 3763 } 3764 3765 static void 3766 sppp_ipv6cp_tls(struct sppp *sp) 3767 { 3768 } 3769 3770 static void 3771 sppp_ipv6cp_tlf(struct sppp *sp) 3772 { 3773 } 3774 3775 static void 3776 sppp_ipv6cp_scr(struct sppp *sp) 3777 { 3778 } 3779 #endif /*INET6*/ 3780 3781 3782 /* 3783 *--------------------------------------------------------------------------* 3784 * * 3785 * The CHAP implementation. * 3786 * * 3787 *--------------------------------------------------------------------------* 3788 */ 3789 3790 /* 3791 * The authentication protocols don't employ a full-fledged state machine as 3792 * the control protocols do, since they do have Open and Close events, but 3793 * not Up and Down, nor are they explicitly terminated. Also, use of the 3794 * authentication protocols may be different in both directions (this makes 3795 * sense, think of a machine that never accepts incoming calls but only 3796 * calls out, it doesn't require the called party to authenticate itself). 3797 * 3798 * Our state machine for the local authentication protocol (we are requesting 3799 * the peer to authenticate) looks like: 3800 * 3801 * RCA- 3802 * +--------------------------------------------+ 3803 * V scn,tld| 3804 * +--------+ Close +---------+ RCA+ 3805 * | |<----------------------------------| |------+ 3806 * +--->| Closed | TO* | Opened | sca | 3807 * | | |-----+ +-------| |<-----+ 3808 * | +--------+ irc | | +---------+ 3809 * | ^ | | ^ 3810 * | | | | | 3811 * | | | | | 3812 * | TO-| | | | 3813 * | |tld TO+ V | | 3814 * | | +------->+ | | 3815 * | | | | | | 3816 * | +--------+ V | | 3817 * | | |<----+<--------------------+ | 3818 * | | Req- | scr | 3819 * | | Sent | | 3820 * | | | | 3821 * | +--------+ | 3822 * | RCA- | | RCA+ | 3823 * +------+ +------------------------------------------+ 3824 * scn,tld sca,irc,ict,tlu 3825 * 3826 * 3827 * with: 3828 * 3829 * Open: LCP reached authentication phase 3830 * Close: LCP reached terminate phase 3831 * 3832 * RCA+: received reply (pap-req, chap-response), acceptable 3833 * RCN: received reply (pap-req, chap-response), not acceptable 3834 * TO+: timeout with restart counter >= 0 3835 * TO-: timeout with restart counter < 0 3836 * TO*: reschedule timeout for CHAP 3837 * 3838 * scr: send request packet (none for PAP, chap-challenge) 3839 * sca: send ack packet (pap-ack, chap-success) 3840 * scn: send nak packet (pap-nak, chap-failure) 3841 * ict: initialize re-challenge timer (CHAP only) 3842 * 3843 * tlu: this-layer-up, LCP reaches network phase 3844 * tld: this-layer-down, LCP enters terminate phase 3845 * 3846 * Note that in CHAP mode, after sending a new challenge, while the state 3847 * automaton falls back into Req-Sent state, it doesn't signal a tld 3848 * event to LCP, so LCP remains in network phase. Only after not getting 3849 * any response (or after getting an unacceptable response), CHAP closes, 3850 * causing LCP to enter terminate phase. 3851 * 3852 * With PAP, there is no initial request that can be sent. The peer is 3853 * expected to send one based on the successful negotiation of PAP as 3854 * the authentication protocol during the LCP option negotiation. 3855 * 3856 * Incoming authentication protocol requests (remote requests 3857 * authentication, we are peer) don't employ a state machine at all, 3858 * they are simply answered. Some peers [Ascend P50 firmware rev 3859 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are 3860 * still in authentication phase (thereby violating the standard that 3861 * demands that these NCP packets are to be discarded), so we keep 3862 * track of the peer demanding us to authenticate, and only proceed to 3863 * phase network once we've seen a positive acknowledge for the 3864 * authentication. 3865 */ 3866 3867 /* 3868 * Handle incoming CHAP packets. 3869 */ 3870 void 3871 sppp_chap_input(struct sppp *sp, struct mbuf *m) 3872 { 3873 STDDCL; 3874 struct lcp_header *h; 3875 int len, x; 3876 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize; 3877 int value_len, name_len; 3878 MD5_CTX ctx; 3879 3880 len = m->m_pkthdr.len; 3881 if (len < 4) { 3882 if (debug) 3883 log(LOG_DEBUG, 3884 "%s: chap invalid packet length: %d bytes\n", 3885 ifp->if_xname, len); 3886 return; 3887 } 3888 h = mtod(m, struct lcp_header *); 3889 if (len > ntohs(h->len)) 3890 len = ntohs(h->len); 3891 3892 switch (h->type) { 3893 /* challenge, failure and success are his authproto */ 3894 case CHAP_CHALLENGE: 3895 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 3896 /* can't do anything useful */ 3897 sp->pp_auth_failures++; 3898 printf("%s: chap input without my name and my secret being set\n", 3899 ifp->if_xname); 3900 break; 3901 } 3902 value = 1 + (u_char *)(h + 1); 3903 value_len = value[-1]; 3904 name = value + value_len; 3905 name_len = len - value_len - 5; 3906 if (name_len < 0) { 3907 if (debug) { 3908 log(LOG_DEBUG, 3909 "%s: chap corrupted challenge " 3910 "<%s id=0x%x len=%d", 3911 ifp->if_xname, 3912 sppp_auth_type_name(PPP_CHAP, h->type), 3913 h->ident, ntohs(h->len)); 3914 if (len > 4) 3915 sppp_print_bytes((u_char *)(h + 1), 3916 len - 4); 3917 addlog(">\n"); 3918 } 3919 break; 3920 } 3921 3922 if (debug) { 3923 log(LOG_DEBUG, 3924 "%s: chap input <%s id=0x%x len=%d name=", 3925 ifp->if_xname, 3926 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 3927 ntohs(h->len)); 3928 sppp_print_string((char *) name, name_len); 3929 addlog(" value-size=%d value=", value_len); 3930 sppp_print_bytes(value, value_len); 3931 addlog(">\n"); 3932 } 3933 3934 /* Compute reply value. */ 3935 MD5Init(&ctx); 3936 MD5Update(&ctx, &h->ident, 1); 3937 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 3938 MD5Update(&ctx, value, value_len); 3939 MD5Final(digest, &ctx); 3940 dsize = sizeof digest; 3941 3942 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 3943 sizeof dsize, (const char *)&dsize, 3944 sizeof digest, digest, 3945 sp->myauth.name_len, 3946 sp->myauth.name, 3947 0); 3948 break; 3949 3950 case CHAP_SUCCESS: 3951 if (debug) { 3952 log(LOG_DEBUG, "%s: chap success", 3953 ifp->if_xname); 3954 if (len > 4) { 3955 addlog(": "); 3956 sppp_print_string((char *)(h + 1), len - 4); 3957 } 3958 addlog("\n"); 3959 } 3960 x = splnet(); 3961 sp->pp_auth_failures = 0; 3962 sp->pp_flags &= ~PP_NEEDAUTH; 3963 if (sp->myauth.proto == PPP_CHAP && 3964 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 3965 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 3966 /* 3967 * We are authenticator for CHAP but didn't 3968 * complete yet. Leave it to tlu to proceed 3969 * to network phase. 3970 */ 3971 splx(x); 3972 break; 3973 } 3974 splx(x); 3975 sppp_phase_network(sp); 3976 break; 3977 3978 case CHAP_FAILURE: 3979 x = splnet(); 3980 sp->pp_auth_failures++; 3981 splx(x); 3982 if (debug) { 3983 log(LOG_INFO, "%s: chap failure", 3984 ifp->if_xname); 3985 if (len > 4) { 3986 addlog(": "); 3987 sppp_print_string((char *)(h + 1), len - 4); 3988 } 3989 addlog("\n"); 3990 } else 3991 log(LOG_INFO, "%s: chap failure\n", 3992 ifp->if_xname); 3993 /* await LCP shutdown by authenticator */ 3994 break; 3995 3996 /* response is my authproto */ 3997 case CHAP_RESPONSE: 3998 if (sp->hisauth.secret == NULL) { 3999 /* can't do anything useful */ 4000 printf("%s: chap input without his secret being set\n", 4001 ifp->if_xname); 4002 break; 4003 } 4004 value = 1 + (u_char *)(h + 1); 4005 value_len = value[-1]; 4006 name = value + value_len; 4007 name_len = len - value_len - 5; 4008 if (name_len < 0) { 4009 if (debug) { 4010 log(LOG_DEBUG, 4011 "%s: chap corrupted response " 4012 "<%s id=0x%x len=%d", 4013 ifp->if_xname, 4014 sppp_auth_type_name(PPP_CHAP, h->type), 4015 h->ident, ntohs(h->len)); 4016 if (len > 4) 4017 sppp_print_bytes((u_char *)(h + 1), 4018 len - 4); 4019 addlog(">\n"); 4020 } 4021 break; 4022 } 4023 if (h->ident != sp->confid[IDX_CHAP]) { 4024 if (debug) 4025 log(LOG_DEBUG, 4026 "%s: chap dropping response for old ID " 4027 "(got %d, expected %d)\n", 4028 ifp->if_xname, 4029 h->ident, sp->confid[IDX_CHAP]); 4030 break; 4031 } 4032 if (sp->hisauth.name != NULL && 4033 (name_len != sp->hisauth.name_len 4034 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 4035 log(LOG_INFO, "%s: chap response, his name ", 4036 ifp->if_xname); 4037 sppp_print_string(name, name_len); 4038 addlog(" != expected "); 4039 sppp_print_string(sp->hisauth.name, 4040 sp->hisauth.name_len); 4041 addlog("\n"); 4042 goto chap_failure; 4043 } 4044 if (debug) { 4045 log(LOG_DEBUG, "%s: chap input(%s) " 4046 "<%s id=0x%x len=%d name=", 4047 ifp->if_xname, 4048 sppp_state_name(sp->state[IDX_CHAP]), 4049 sppp_auth_type_name(PPP_CHAP, h->type), 4050 h->ident, ntohs(h->len)); 4051 sppp_print_string((char *)name, name_len); 4052 addlog(" value-size=%d value=", value_len); 4053 sppp_print_bytes(value, value_len); 4054 addlog(">\n"); 4055 } 4056 if (value_len != sizeof(sp->myauth.challenge)) { 4057 if (debug) 4058 log(LOG_DEBUG, 4059 "%s: chap bad hash value length: " 4060 "%d bytes, should be %ld\n", 4061 ifp->if_xname, value_len, 4062 (long) sizeof(sp->myauth.challenge)); 4063 goto chap_failure; 4064 } 4065 4066 MD5Init(&ctx); 4067 MD5Update(&ctx, &h->ident, 1); 4068 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 4069 MD5Update(&ctx, sp->myauth.challenge, sizeof(sp->myauth.challenge)); 4070 MD5Final(digest, &ctx); 4071 4072 #define FAILMSG "Failed..." 4073 #define SUCCMSG "Welcome!" 4074 4075 if (value_len != sizeof digest || 4076 memcmp(digest, value, value_len) != 0) { 4077 chap_failure: 4078 /* action scn, tld */ 4079 x = splnet(); 4080 sp->pp_auth_failures++; 4081 splx(x); 4082 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4083 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4084 0); 4085 chap.tld(sp); 4086 break; 4087 } 4088 sp->pp_auth_failures = 0; 4089 /* action sca, perhaps tlu */ 4090 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4091 sp->state[IDX_CHAP] == STATE_OPENED) 4092 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4093 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4094 0); 4095 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4096 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4097 chap.tlu(sp); 4098 } 4099 break; 4100 4101 default: 4102 /* Unknown CHAP packet type -- ignore. */ 4103 if (debug) { 4104 log(LOG_DEBUG, "%s: chap unknown input(%s) " 4105 "<0x%x id=0x%xh len=%d", 4106 ifp->if_xname, 4107 sppp_state_name(sp->state[IDX_CHAP]), 4108 h->type, h->ident, ntohs(h->len)); 4109 if (len > 4) 4110 sppp_print_bytes((u_char *)(h + 1), len - 4); 4111 addlog(">\n"); 4112 } 4113 break; 4114 4115 } 4116 } 4117 4118 static void 4119 sppp_chap_init(struct sppp *sp) 4120 { 4121 /* Chap doesn't have STATE_INITIAL at all. */ 4122 sp->state[IDX_CHAP] = STATE_CLOSED; 4123 sp->fail_counter[IDX_CHAP] = 0; 4124 sp->pp_seq[IDX_CHAP] = 0; 4125 sp->pp_rseq[IDX_CHAP] = 0; 4126 callout_init(&sp->ch[IDX_CHAP], 0); 4127 } 4128 4129 static void 4130 sppp_chap_open(struct sppp *sp) 4131 { 4132 if (sp->myauth.proto == PPP_CHAP && 4133 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4134 /* we are authenticator for CHAP, start it */ 4135 chap.scr(sp); 4136 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4137 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4138 } 4139 /* nothing to be done if we are peer, await a challenge */ 4140 } 4141 4142 static void 4143 sppp_chap_close(struct sppp *sp) 4144 { 4145 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4146 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4147 } 4148 4149 static void 4150 sppp_chap_TO(void *cookie) 4151 { 4152 struct sppp *sp = (struct sppp *)cookie; 4153 STDDCL; 4154 int s; 4155 4156 s = splnet(); 4157 if (debug) 4158 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n", 4159 ifp->if_xname, 4160 sppp_state_name(sp->state[IDX_CHAP]), 4161 sp->rst_counter[IDX_CHAP]); 4162 4163 if (--sp->rst_counter[IDX_CHAP] < 0) 4164 /* TO- event */ 4165 switch (sp->state[IDX_CHAP]) { 4166 case STATE_REQ_SENT: 4167 chap.tld(sp); 4168 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4169 break; 4170 } 4171 else 4172 /* TO+ (or TO*) event */ 4173 switch (sp->state[IDX_CHAP]) { 4174 case STATE_OPENED: 4175 /* TO* event */ 4176 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4177 /* fall through */ 4178 case STATE_REQ_SENT: 4179 chap.scr(sp); 4180 /* sppp_cp_change_state() will restart the timer */ 4181 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4182 break; 4183 } 4184 4185 splx(s); 4186 } 4187 4188 static void 4189 sppp_chap_tlu(struct sppp *sp) 4190 { 4191 STDDCL; 4192 int i, x; 4193 4194 i = 0; 4195 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4196 4197 /* 4198 * Some broken CHAP implementations (Conware CoNet, firmware 4199 * 4.0.?) don't want to re-authenticate their CHAP once the 4200 * initial challenge-response exchange has taken place. 4201 * Provide for an option to avoid rechallenges. 4202 */ 4203 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 4204 /* 4205 * Compute the re-challenge timeout. This will yield 4206 * a number between 300 and 810 seconds. 4207 */ 4208 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7); 4209 4210 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp); 4211 } 4212 4213 if (debug) { 4214 log(LOG_DEBUG, 4215 "%s: chap %s, ", 4216 ifp->if_xname, 4217 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu"); 4218 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) 4219 addlog("next re-challenge in %d seconds\n", i); 4220 else 4221 addlog("re-challenging supressed\n"); 4222 } 4223 4224 x = splnet(); 4225 sp->pp_auth_failures = 0; 4226 /* indicate to LCP that we need to be closed down */ 4227 sp->lcp.protos |= (1 << IDX_CHAP); 4228 4229 if (sp->pp_flags & PP_NEEDAUTH) { 4230 /* 4231 * Remote is authenticator, but his auth proto didn't 4232 * complete yet. Defer the transition to network 4233 * phase. 4234 */ 4235 splx(x); 4236 return; 4237 } 4238 splx(x); 4239 4240 /* 4241 * If we are already in phase network, we are done here. This 4242 * is the case if this is a dummy tlu event after a re-challenge. 4243 */ 4244 if (sp->pp_phase != SPPP_PHASE_NETWORK) 4245 sppp_phase_network(sp); 4246 } 4247 4248 static void 4249 sppp_chap_tld(struct sppp *sp) 4250 { 4251 STDDCL; 4252 4253 if (debug) 4254 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname); 4255 callout_stop(&sp->ch[IDX_CHAP]); 4256 sp->lcp.protos &= ~(1 << IDX_CHAP); 4257 4258 lcp.Close(sp); 4259 } 4260 4261 static void 4262 sppp_chap_scr(struct sppp *sp) 4263 { 4264 uint32_t *ch; 4265 u_char clen = 4 * sizeof(uint32_t); 4266 4267 if (sp->myauth.name == NULL) { 4268 /* can't do anything useful */ 4269 printf("%s: chap starting without my name being set\n", 4270 sp->pp_if.if_xname); 4271 return; 4272 } 4273 4274 /* Compute random challenge. */ 4275 ch = (uint32_t *)sp->myauth.challenge; 4276 cprng_strong(kern_cprng, ch, clen, 0); 4277 4278 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4279 4280 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4281 sizeof clen, (const char *)&clen, 4282 sizeof(sp->myauth.challenge), sp->myauth.challenge, 4283 sp->myauth.name_len, 4284 sp->myauth.name, 4285 0); 4286 } 4287 4288 /* 4289 *--------------------------------------------------------------------------* 4290 * * 4291 * The PAP implementation. * 4292 * * 4293 *--------------------------------------------------------------------------* 4294 */ 4295 /* 4296 * For PAP, we need to keep a little state also if we are the peer, not the 4297 * authenticator. This is since we don't get a request to authenticate, but 4298 * have to repeatedly authenticate ourself until we got a response (or the 4299 * retry counter is expired). 4300 */ 4301 4302 /* 4303 * Handle incoming PAP packets. */ 4304 static void 4305 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4306 { 4307 STDDCL; 4308 struct lcp_header *h; 4309 int len, x; 4310 u_char mlen; 4311 char *name, *secret; 4312 int name_len, secret_len; 4313 4314 /* 4315 * Malicious input might leave this uninitialized, so 4316 * init to an impossible value. 4317 */ 4318 secret_len = -1; 4319 4320 len = m->m_pkthdr.len; 4321 if (len < 5) { 4322 if (debug) 4323 log(LOG_DEBUG, 4324 "%s: pap invalid packet length: %d bytes\n", 4325 ifp->if_xname, len); 4326 return; 4327 } 4328 h = mtod(m, struct lcp_header *); 4329 if (len > ntohs(h->len)) 4330 len = ntohs(h->len); 4331 switch (h->type) { 4332 /* PAP request is my authproto */ 4333 case PAP_REQ: 4334 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4335 /* can't do anything useful */ 4336 printf("%s: pap request without his name and his secret being set\n", 4337 ifp->if_xname); 4338 break; 4339 } 4340 name = 1 + (u_char *)(h + 1); 4341 name_len = name[-1]; 4342 secret = name + name_len + 1; 4343 if (name_len > len - 6 || 4344 (secret_len = secret[-1]) > len - 6 - name_len) { 4345 if (debug) { 4346 log(LOG_DEBUG, "%s: pap corrupted input " 4347 "<%s id=0x%x len=%d", 4348 ifp->if_xname, 4349 sppp_auth_type_name(PPP_PAP, h->type), 4350 h->ident, ntohs(h->len)); 4351 if (len > 4) 4352 sppp_print_bytes((u_char *)(h + 1), 4353 len - 4); 4354 addlog(">\n"); 4355 } 4356 break; 4357 } 4358 if (debug) { 4359 log(LOG_DEBUG, "%s: pap input(%s) " 4360 "<%s id=0x%x len=%d name=", 4361 ifp->if_xname, 4362 sppp_state_name(sp->state[IDX_PAP]), 4363 sppp_auth_type_name(PPP_PAP, h->type), 4364 h->ident, ntohs(h->len)); 4365 sppp_print_string((char *)name, name_len); 4366 addlog(" secret="); 4367 sppp_print_string((char *)secret, secret_len); 4368 addlog(">\n"); 4369 } 4370 if (name_len != sp->hisauth.name_len || 4371 secret_len != sp->hisauth.secret_len || 4372 memcmp(name, sp->hisauth.name, name_len) != 0 || 4373 memcmp(secret, sp->hisauth.secret, secret_len) != 0) { 4374 /* action scn, tld */ 4375 sp->pp_auth_failures++; 4376 mlen = sizeof(FAILMSG) - 1; 4377 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4378 sizeof mlen, (const char *)&mlen, 4379 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4380 0); 4381 pap.tld(sp); 4382 break; 4383 } 4384 /* action sca, perhaps tlu */ 4385 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4386 sp->state[IDX_PAP] == STATE_OPENED) { 4387 mlen = sizeof(SUCCMSG) - 1; 4388 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4389 sizeof mlen, (const char *)&mlen, 4390 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4391 0); 4392 } 4393 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4394 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4395 pap.tlu(sp); 4396 } 4397 break; 4398 4399 /* ack and nak are his authproto */ 4400 case PAP_ACK: 4401 callout_stop(&sp->pap_my_to_ch); 4402 if (debug) { 4403 log(LOG_DEBUG, "%s: pap success", 4404 ifp->if_xname); 4405 name = 1 + (u_char *)(h + 1); 4406 name_len = name[-1]; 4407 if (len > 5 && name_len < len+4) { 4408 addlog(": "); 4409 sppp_print_string(name, name_len); 4410 } 4411 addlog("\n"); 4412 } 4413 x = splnet(); 4414 sp->pp_auth_failures = 0; 4415 sp->pp_flags &= ~PP_NEEDAUTH; 4416 if (sp->myauth.proto == PPP_PAP && 4417 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4418 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4419 /* 4420 * We are authenticator for PAP but didn't 4421 * complete yet. Leave it to tlu to proceed 4422 * to network phase. 4423 */ 4424 splx(x); 4425 break; 4426 } 4427 splx(x); 4428 sppp_phase_network(sp); 4429 break; 4430 4431 case PAP_NAK: 4432 callout_stop(&sp->pap_my_to_ch); 4433 sp->pp_auth_failures++; 4434 if (debug) { 4435 log(LOG_INFO, "%s: pap failure", 4436 ifp->if_xname); 4437 name = 1 + (u_char *)(h + 1); 4438 name_len = name[-1]; 4439 if (len > 5 && name_len < len+4) { 4440 addlog(": "); 4441 sppp_print_string(name, name_len); 4442 } 4443 addlog("\n"); 4444 } else 4445 log(LOG_INFO, "%s: pap failure\n", 4446 ifp->if_xname); 4447 /* await LCP shutdown by authenticator */ 4448 break; 4449 4450 default: 4451 /* Unknown PAP packet type -- ignore. */ 4452 if (debug) { 4453 log(LOG_DEBUG, "%s: pap corrupted input " 4454 "<0x%x id=0x%x len=%d", 4455 ifp->if_xname, 4456 h->type, h->ident, ntohs(h->len)); 4457 if (len > 4) 4458 sppp_print_bytes((u_char *)(h + 1), len - 4); 4459 addlog(">\n"); 4460 } 4461 break; 4462 4463 } 4464 } 4465 4466 static void 4467 sppp_pap_init(struct sppp *sp) 4468 { 4469 /* PAP doesn't have STATE_INITIAL at all. */ 4470 sp->state[IDX_PAP] = STATE_CLOSED; 4471 sp->fail_counter[IDX_PAP] = 0; 4472 sp->pp_seq[IDX_PAP] = 0; 4473 sp->pp_rseq[IDX_PAP] = 0; 4474 callout_init(&sp->ch[IDX_PAP], 0); 4475 callout_init(&sp->pap_my_to_ch, 0); 4476 } 4477 4478 static void 4479 sppp_pap_open(struct sppp *sp) 4480 { 4481 if (sp->hisauth.proto == PPP_PAP && 4482 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4483 /* we are authenticator for PAP, start our timer */ 4484 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4485 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4486 } 4487 if (sp->myauth.proto == PPP_PAP) { 4488 /* we are peer, send a request, and start a timer */ 4489 pap.scr(sp); 4490 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout, 4491 sppp_pap_my_TO, sp); 4492 } 4493 } 4494 4495 static void 4496 sppp_pap_close(struct sppp *sp) 4497 { 4498 if (sp->state[IDX_PAP] != STATE_CLOSED) 4499 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4500 } 4501 4502 /* 4503 * That's the timeout routine if we are authenticator. Since the 4504 * authenticator is basically passive in PAP, we can't do much here. 4505 */ 4506 static void 4507 sppp_pap_TO(void *cookie) 4508 { 4509 struct sppp *sp = (struct sppp *)cookie; 4510 STDDCL; 4511 int s; 4512 4513 s = splnet(); 4514 if (debug) 4515 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n", 4516 ifp->if_xname, 4517 sppp_state_name(sp->state[IDX_PAP]), 4518 sp->rst_counter[IDX_PAP]); 4519 4520 if (--sp->rst_counter[IDX_PAP] < 0) 4521 /* TO- event */ 4522 switch (sp->state[IDX_PAP]) { 4523 case STATE_REQ_SENT: 4524 pap.tld(sp); 4525 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4526 break; 4527 } 4528 else 4529 /* TO+ event, not very much we could do */ 4530 switch (sp->state[IDX_PAP]) { 4531 case STATE_REQ_SENT: 4532 /* sppp_cp_change_state() will restart the timer */ 4533 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4534 break; 4535 } 4536 4537 splx(s); 4538 } 4539 4540 /* 4541 * That's the timeout handler if we are peer. Since the peer is active, 4542 * we need to retransmit our PAP request since it is apparently lost. 4543 * XXX We should impose a max counter. 4544 */ 4545 static void 4546 sppp_pap_my_TO(void *cookie) 4547 { 4548 struct sppp *sp = (struct sppp *)cookie; 4549 STDDCL; 4550 4551 if (debug) 4552 log(LOG_DEBUG, "%s: pap peer TO\n", 4553 ifp->if_xname); 4554 4555 pap.scr(sp); 4556 } 4557 4558 static void 4559 sppp_pap_tlu(struct sppp *sp) 4560 { 4561 STDDCL; 4562 int x; 4563 4564 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4565 4566 if (debug) 4567 log(LOG_DEBUG, "%s: %s tlu\n", 4568 ifp->if_xname, pap.name); 4569 4570 x = splnet(); 4571 sp->pp_auth_failures = 0; 4572 /* indicate to LCP that we need to be closed down */ 4573 sp->lcp.protos |= (1 << IDX_PAP); 4574 4575 if (sp->pp_flags & PP_NEEDAUTH) { 4576 /* 4577 * Remote is authenticator, but his auth proto didn't 4578 * complete yet. Defer the transition to network 4579 * phase. 4580 */ 4581 splx(x); 4582 return; 4583 } 4584 splx(x); 4585 sppp_phase_network(sp); 4586 } 4587 4588 static void 4589 sppp_pap_tld(struct sppp *sp) 4590 { 4591 STDDCL; 4592 4593 if (debug) 4594 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname); 4595 callout_stop(&sp->ch[IDX_PAP]); 4596 callout_stop(&sp->pap_my_to_ch); 4597 sp->lcp.protos &= ~(1 << IDX_PAP); 4598 4599 lcp.Close(sp); 4600 } 4601 4602 static void 4603 sppp_pap_scr(struct sppp *sp) 4604 { 4605 u_char idlen, pwdlen; 4606 4607 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4608 /* can't do anything useful */ 4609 printf("%s: pap starting without my name and secret being set\n", 4610 sp->pp_if.if_xname); 4611 return; 4612 } 4613 4614 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4615 pwdlen = sp->myauth.secret_len; 4616 idlen = sp->myauth.name_len; 4617 4618 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 4619 sizeof idlen, (const char *)&idlen, 4620 idlen, sp->myauth.name, 4621 sizeof pwdlen, (const char *)&pwdlen, 4622 pwdlen, sp->myauth.secret, 4623 0); 4624 } 4625 4626 /* 4627 * Random miscellaneous functions. 4628 */ 4629 4630 /* 4631 * Send a PAP or CHAP proto packet. 4632 * 4633 * Varadic function, each of the elements for the ellipsis is of type 4634 * ``size_t mlen, const u_char *msg''. Processing will stop iff 4635 * mlen == 0. 4636 * NOTE: never declare variadic functions with types subject to type 4637 * promotion (i.e. u_char). This is asking for big trouble depending 4638 * on the architecture you are on... 4639 */ 4640 4641 static void 4642 sppp_auth_send(const struct cp *cp, struct sppp *sp, 4643 unsigned int type, unsigned int id, 4644 ...) 4645 { 4646 STDDCL; 4647 struct lcp_header *lh; 4648 struct mbuf *m; 4649 u_char *p; 4650 int len; 4651 size_t pkthdrlen; 4652 unsigned int mlen; 4653 const char *msg; 4654 va_list ap; 4655 4656 MGETHDR(m, M_DONTWAIT, MT_DATA); 4657 if (! m) 4658 return; 4659 m->m_pkthdr.rcvif = 0; 4660 4661 if (sp->pp_flags & PP_NOFRAMING) { 4662 *mtod(m, uint16_t *) = htons(cp->proto); 4663 pkthdrlen = 2; 4664 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 4665 } else { 4666 struct ppp_header *h; 4667 h = mtod(m, struct ppp_header *); 4668 h->address = PPP_ALLSTATIONS; /* broadcast address */ 4669 h->control = PPP_UI; /* Unnumbered Info */ 4670 h->protocol = htons(cp->proto); 4671 pkthdrlen = PPP_HEADER_LEN; 4672 4673 lh = (struct lcp_header *)(h + 1); 4674 } 4675 4676 lh->type = type; 4677 lh->ident = id; 4678 p = (u_char *)(lh + 1); 4679 4680 va_start(ap, id); 4681 len = 0; 4682 4683 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 4684 msg = va_arg(ap, const char *); 4685 len += mlen; 4686 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 4687 va_end(ap); 4688 m_freem(m); 4689 return; 4690 } 4691 4692 memcpy(p, msg, mlen); 4693 p += mlen; 4694 } 4695 va_end(ap); 4696 4697 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 4698 lh->len = htons(LCP_HEADER_LEN + len); 4699 4700 if (debug) { 4701 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 4702 ifp->if_xname, cp->name, 4703 sppp_auth_type_name(cp->proto, lh->type), 4704 lh->ident, ntohs(lh->len)); 4705 if (len) 4706 sppp_print_bytes((u_char *)(lh + 1), len); 4707 addlog(">\n"); 4708 } 4709 if (IF_QFULL(&sp->pp_cpq)) { 4710 IF_DROP(&sp->pp_fastq); 4711 IF_DROP(&ifp->if_snd); 4712 m_freem(m); 4713 ++ifp->if_oerrors; 4714 return; 4715 } else 4716 IF_ENQUEUE(&sp->pp_cpq, m); 4717 if (! (ifp->if_flags & IFF_OACTIVE)) 4718 (*ifp->if_start)(ifp); 4719 ifp->if_obytes += m->m_pkthdr.len + 3; 4720 } 4721 4722 /* 4723 * Send keepalive packets, every 10 seconds. 4724 */ 4725 static void 4726 sppp_keepalive(void *dummy) 4727 { 4728 struct sppp *sp; 4729 int s; 4730 time_t now; 4731 4732 s = splnet(); 4733 now = time_uptime; 4734 for (sp=spppq; sp; sp=sp->pp_next) { 4735 struct ifnet *ifp = &sp->pp_if; 4736 4737 /* check idle timeout */ 4738 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 4739 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 4740 /* idle timeout is enabled for this interface */ 4741 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 4742 if (ifp->if_flags & IFF_DEBUG) 4743 printf("%s: no activity for %lu seconds\n", 4744 sp->pp_if.if_xname, 4745 (unsigned long)(now-sp->pp_last_activity)); 4746 lcp.Close(sp); 4747 continue; 4748 } 4749 } 4750 4751 /* Keepalive mode disabled or channel down? */ 4752 if (! (sp->pp_flags & PP_KEEPALIVE) || 4753 ! (ifp->if_flags & IFF_RUNNING)) 4754 continue; 4755 4756 /* No keepalive in PPP mode if LCP not opened yet. */ 4757 if (! (sp->pp_flags & PP_CISCO) && 4758 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) 4759 continue; 4760 4761 /* No echo reply, but maybe user data passed through? */ 4762 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) { 4763 sp->pp_alivecnt = 0; 4764 continue; 4765 } 4766 4767 if (sp->pp_alivecnt >= sp->pp_maxalive) { 4768 /* No keepalive packets got. Stop the interface. */ 4769 if_down (ifp); 4770 IF_PURGE(&sp->pp_cpq); 4771 if (! (sp->pp_flags & PP_CISCO)) { 4772 printf("%s: LCP keepalive timed out, going to restart the connection\n", 4773 ifp->if_xname); 4774 sp->pp_alivecnt = 0; 4775 4776 /* we are down, close all open protocols */ 4777 lcp.Close(sp); 4778 4779 /* And now prepare LCP to reestablish the link, if configured to do so. */ 4780 sppp_cp_change_state(&lcp, sp, STATE_STOPPED); 4781 4782 /* Close connection immediately, completition of this 4783 * will summon the magic needed to reestablish it. */ 4784 if (sp->pp_tlf) 4785 sp->pp_tlf(sp); 4786 continue; 4787 } 4788 } 4789 if (sp->pp_alivecnt < sp->pp_maxalive) 4790 ++sp->pp_alivecnt; 4791 if (sp->pp_flags & PP_CISCO) 4792 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 4793 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 4794 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 4795 int32_t nmagic = htonl(sp->lcp.magic); 4796 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 4797 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 4798 sp->lcp.echoid, 4, &nmagic); 4799 } 4800 } 4801 splx(s); 4802 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 4803 } 4804 4805 #ifdef INET 4806 /* 4807 * Get both IP addresses. 4808 */ 4809 static void 4810 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 4811 { 4812 struct ifnet *ifp = &sp->pp_if; 4813 struct ifaddr *ifa; 4814 struct sockaddr_in *si, *sm; 4815 uint32_t ssrc, ddst; 4816 4817 sm = NULL; 4818 ssrc = ddst = 0; 4819 /* 4820 * Pick the first AF_INET address from the list, 4821 * aliases don't make any sense on a p2p link anyway. 4822 */ 4823 si = 0; 4824 IFADDR_FOREACH(ifa, ifp) { 4825 if (ifa->ifa_addr->sa_family == AF_INET) { 4826 si = (struct sockaddr_in *)ifa->ifa_addr; 4827 sm = (struct sockaddr_in *)ifa->ifa_netmask; 4828 if (si) 4829 break; 4830 } 4831 } 4832 if (ifa) { 4833 if (si && si->sin_addr.s_addr) { 4834 ssrc = si->sin_addr.s_addr; 4835 if (srcmask) 4836 *srcmask = ntohl(sm->sin_addr.s_addr); 4837 } 4838 4839 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 4840 if (si && si->sin_addr.s_addr) 4841 ddst = si->sin_addr.s_addr; 4842 } 4843 4844 if (dst) *dst = ntohl(ddst); 4845 if (src) *src = ntohl(ssrc); 4846 } 4847 4848 /* 4849 * Set IP addresses. Must be called at splnet. 4850 * If an address is 0, leave it the way it is. 4851 */ 4852 static void 4853 sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr) 4854 { 4855 STDDCL; 4856 struct ifaddr *ifa; 4857 struct sockaddr_in *si, *dest; 4858 4859 /* 4860 * Pick the first AF_INET address from the list, 4861 * aliases don't make any sense on a p2p link anyway. 4862 */ 4863 4864 IFADDR_FOREACH(ifa, ifp) { 4865 if (ifa->ifa_addr->sa_family == AF_INET) { 4866 si = (struct sockaddr_in *)ifa->ifa_addr; 4867 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4868 goto found; 4869 } 4870 } 4871 return; 4872 4873 found: 4874 { 4875 int error, hostIsNew; 4876 struct sockaddr_in new_sin = *si; 4877 struct sockaddr_in new_dst = *dest; 4878 4879 /* 4880 * Scrub old routes now instead of calling in_ifinit with 4881 * scrub=1, because we may change the dstaddr 4882 * before the call to in_ifinit. 4883 */ 4884 in_ifscrub(ifp, ifatoia(ifa)); 4885 4886 hostIsNew = 0; 4887 if (myaddr != 0) { 4888 if (new_sin.sin_addr.s_addr != htonl(myaddr)) { 4889 new_sin.sin_addr.s_addr = htonl(myaddr); 4890 hostIsNew = 1; 4891 } 4892 } 4893 if (hisaddr != 0) { 4894 new_dst.sin_addr.s_addr = htonl(hisaddr); 4895 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) { 4896 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 4897 *dest = new_dst; /* fix dstaddr in place */ 4898 } 4899 } 4900 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, 0, hostIsNew); 4901 if (debug && error) 4902 { 4903 log(LOG_DEBUG, "%s: sppp_set_ip_addrs: in_ifinit " 4904 " failed, error=%d\n", ifp->if_xname, error); 4905 } 4906 if (!error) { 4907 (void)pfil_run_hooks(if_pfil, 4908 (struct mbuf **)SIOCAIFADDR, ifp, PFIL_IFADDR); 4909 } 4910 } 4911 } 4912 4913 /* 4914 * Clear IP addresses. Must be called at splnet. 4915 */ 4916 static void 4917 sppp_clear_ip_addrs(struct sppp *sp) 4918 { 4919 struct ifnet *ifp = &sp->pp_if; 4920 struct ifaddr *ifa; 4921 struct sockaddr_in *si, *dest; 4922 4923 uint32_t remote; 4924 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4925 remote = sp->ipcp.saved_hisaddr; 4926 else 4927 sppp_get_ip_addrs(sp, 0, &remote, 0); 4928 4929 /* 4930 * Pick the first AF_INET address from the list, 4931 * aliases don't make any sense on a p2p link anyway. 4932 */ 4933 4934 IFADDR_FOREACH(ifa, ifp) { 4935 if (ifa->ifa_addr->sa_family == AF_INET) { 4936 si = (struct sockaddr_in *)ifa->ifa_addr; 4937 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4938 goto found; 4939 } 4940 } 4941 return; 4942 4943 found: 4944 { 4945 struct sockaddr_in new_sin = *si; 4946 4947 in_ifscrub(ifp, ifatoia(ifa)); 4948 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 4949 new_sin.sin_addr.s_addr = 0; 4950 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4951 /* replace peer addr in place */ 4952 dest->sin_addr.s_addr = sp->ipcp.saved_hisaddr; 4953 in_ifinit(ifp, ifatoia(ifa), &new_sin, 0, 0); 4954 (void)pfil_run_hooks(if_pfil, 4955 (struct mbuf **)SIOCDIFADDR, ifp, PFIL_IFADDR); 4956 } 4957 } 4958 #endif 4959 4960 #ifdef INET6 4961 /* 4962 * Get both IPv6 addresses. 4963 */ 4964 static void 4965 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 4966 struct in6_addr *srcmask) 4967 { 4968 struct ifnet *ifp = &sp->pp_if; 4969 struct ifaddr *ifa; 4970 struct sockaddr_in6 *si, *sm; 4971 struct in6_addr ssrc, ddst; 4972 4973 sm = NULL; 4974 memset(&ssrc, 0, sizeof(ssrc)); 4975 memset(&ddst, 0, sizeof(ddst)); 4976 /* 4977 * Pick the first link-local AF_INET6 address from the list, 4978 * aliases don't make any sense on a p2p link anyway. 4979 */ 4980 si = 0; 4981 IFADDR_FOREACH(ifa, ifp) 4982 if (ifa->ifa_addr->sa_family == AF_INET6) { 4983 si = (struct sockaddr_in6 *)ifa->ifa_addr; 4984 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 4985 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) 4986 break; 4987 } 4988 if (ifa) { 4989 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 4990 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 4991 if (srcmask) { 4992 memcpy(srcmask, &sm->sin6_addr, 4993 sizeof(*srcmask)); 4994 } 4995 } 4996 4997 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 4998 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 4999 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 5000 } 5001 5002 if (dst) 5003 memcpy(dst, &ddst, sizeof(*dst)); 5004 if (src) 5005 memcpy(src, &ssrc, sizeof(*src)); 5006 } 5007 5008 #ifdef IPV6CP_MYIFID_DYN 5009 /* 5010 * Generate random ifid. 5011 */ 5012 static void 5013 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5014 { 5015 /* TBD */ 5016 } 5017 5018 /* 5019 * Set my IPv6 address. Must be called at splnet. 5020 */ 5021 static void 5022 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5023 { 5024 STDDCL; 5025 struct ifaddr *ifa; 5026 struct sockaddr_in6 *sin6; 5027 5028 /* 5029 * Pick the first link-local AF_INET6 address from the list, 5030 * aliases don't make any sense on a p2p link anyway. 5031 */ 5032 5033 sin6 = NULL; 5034 IFADDR_FOREACH(ifa, ifp) 5035 { 5036 if (ifa->ifa_addr->sa_family == AF_INET6) 5037 { 5038 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5039 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 5040 break; 5041 } 5042 } 5043 5044 if (ifa && sin6) 5045 { 5046 int error; 5047 struct sockaddr_in6 new_sin6 = *sin6; 5048 5049 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 5050 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5051 if (debug && error) 5052 { 5053 log(LOG_DEBUG, "%s: sppp_set_ip6_addr: in6_ifinit " 5054 " failed, error=%d\n", ifp->if_xname, error); 5055 } 5056 if (!error) { 5057 (void)pfil_run_hooks(if_pfil, 5058 (struct mbuf **)SIOCAIFADDR_IN6, ifp, PFIL_IFADDR); 5059 } 5060 } 5061 } 5062 #endif 5063 5064 /* 5065 * Suggest a candidate address to be used by peer. 5066 */ 5067 static void 5068 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5069 { 5070 struct in6_addr myaddr; 5071 struct timeval tv; 5072 5073 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5074 5075 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5076 microtime(&tv); 5077 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5078 myaddr.s6_addr[14] ^= 0xff; 5079 myaddr.s6_addr[15] ^= 0xff; 5080 } else { 5081 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5082 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5083 } 5084 if (suggest) 5085 memcpy(suggest, &myaddr, sizeof(myaddr)); 5086 } 5087 #endif /*INET6*/ 5088 5089 /* 5090 * Process ioctl requests specific to the PPP interface. 5091 * Permissions have already been checked. 5092 */ 5093 static int 5094 sppp_params(struct sppp *sp, u_long cmd, void *data) 5095 { 5096 switch (cmd) { 5097 case SPPPGETAUTHCFG: 5098 { 5099 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5100 int error; 5101 size_t len; 5102 5103 cfg->myauthflags = sp->myauth.flags; 5104 cfg->hisauthflags = sp->hisauth.flags; 5105 strlcpy(cfg->ifname, sp->pp_if.if_xname, sizeof(cfg->ifname)); 5106 cfg->hisauth = 0; 5107 if (sp->hisauth.proto) 5108 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5109 cfg->myauth = 0; 5110 if (sp->myauth.proto) 5111 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5112 if (cfg->myname_length == 0) { 5113 if (sp->myauth.name != NULL) 5114 cfg->myname_length = sp->myauth.name_len + 1; 5115 } else { 5116 if (sp->myauth.name == NULL) { 5117 cfg->myname_length = 0; 5118 } else { 5119 len = sp->myauth.name_len + 1; 5120 if (cfg->myname_length < len) 5121 return (ENAMETOOLONG); 5122 error = copyout(sp->myauth.name, cfg->myname, len); 5123 if (error) return error; 5124 } 5125 } 5126 if (cfg->hisname_length == 0) { 5127 if (sp->hisauth.name != NULL) 5128 cfg->hisname_length = sp->hisauth.name_len + 1; 5129 } else { 5130 if (sp->hisauth.name == NULL) { 5131 cfg->hisname_length = 0; 5132 } else { 5133 len = sp->hisauth.name_len + 1; 5134 if (cfg->hisname_length < len) 5135 return (ENAMETOOLONG); 5136 error = copyout(sp->hisauth.name, cfg->hisname, len); 5137 if (error) return error; 5138 } 5139 } 5140 } 5141 break; 5142 case SPPPSETAUTHCFG: 5143 { 5144 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5145 int error; 5146 5147 if (sp->myauth.name) { 5148 free(sp->myauth.name, M_DEVBUF); 5149 sp->myauth.name = NULL; 5150 } 5151 if (sp->myauth.secret) { 5152 free(sp->myauth.secret, M_DEVBUF); 5153 sp->myauth.secret = NULL; 5154 } 5155 if (sp->hisauth.name) { 5156 free(sp->hisauth.name, M_DEVBUF); 5157 sp->hisauth.name = NULL; 5158 } 5159 if (sp->hisauth.secret) { 5160 free(sp->hisauth.secret, M_DEVBUF); 5161 sp->hisauth.secret = NULL; 5162 } 5163 5164 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 5165 if (cfg->hisname_length >= MCLBYTES) 5166 return (ENAMETOOLONG); 5167 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 5168 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 5169 if (error) { 5170 free(sp->hisauth.name, M_DEVBUF); 5171 sp->hisauth.name = NULL; 5172 return error; 5173 } 5174 sp->hisauth.name_len = cfg->hisname_length - 1; 5175 sp->hisauth.name[sp->hisauth.name_len] = 0; 5176 } 5177 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 5178 if (cfg->hissecret_length >= MCLBYTES) 5179 return (ENAMETOOLONG); 5180 sp->hisauth.secret = malloc(cfg->hissecret_length, M_DEVBUF, M_WAITOK); 5181 error = copyin(cfg->hissecret, sp->hisauth.secret, cfg->hissecret_length); 5182 if (error) { 5183 free(sp->hisauth.secret, M_DEVBUF); 5184 sp->hisauth.secret = NULL; 5185 return error; 5186 } 5187 sp->hisauth.secret_len = cfg->hissecret_length - 1; 5188 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 5189 } 5190 if (cfg->myname != NULL && cfg->myname_length > 0) { 5191 if (cfg->myname_length >= MCLBYTES) 5192 return (ENAMETOOLONG); 5193 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 5194 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 5195 if (error) { 5196 free(sp->myauth.name, M_DEVBUF); 5197 sp->myauth.name = NULL; 5198 return error; 5199 } 5200 sp->myauth.name_len = cfg->myname_length - 1; 5201 sp->myauth.name[sp->myauth.name_len] = 0; 5202 } 5203 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 5204 if (cfg->mysecret_length >= MCLBYTES) 5205 return (ENAMETOOLONG); 5206 sp->myauth.secret = malloc(cfg->mysecret_length, M_DEVBUF, M_WAITOK); 5207 error = copyin(cfg->mysecret, sp->myauth.secret, cfg->mysecret_length); 5208 if (error) { 5209 free(sp->myauth.secret, M_DEVBUF); 5210 sp->myauth.secret = NULL; 5211 return error; 5212 } 5213 sp->myauth.secret_len = cfg->mysecret_length - 1; 5214 sp->myauth.secret[sp->myauth.secret_len] = 0; 5215 } 5216 sp->myauth.flags = cfg->myauthflags; 5217 if (cfg->myauth) 5218 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5219 sp->hisauth.flags = cfg->hisauthflags; 5220 if (cfg->hisauth) 5221 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5222 sp->pp_auth_failures = 0; 5223 if (sp->hisauth.proto != 0) 5224 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 5225 else 5226 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 5227 } 5228 break; 5229 case SPPPGETLCPCFG: 5230 { 5231 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5232 lcpp->lcp_timeout = sp->lcp.timeout; 5233 } 5234 break; 5235 case SPPPSETLCPCFG: 5236 { 5237 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5238 sp->lcp.timeout = lcpp->lcp_timeout; 5239 } 5240 break; 5241 case SPPPGETSTATUS: 5242 { 5243 struct spppstatus *status = (struct spppstatus *)data; 5244 status->phase = sp->pp_phase; 5245 } 5246 break; 5247 case SPPPGETSTATUSNCP: 5248 { 5249 struct spppstatusncp *status = (struct spppstatusncp *)data; 5250 status->phase = sp->pp_phase; 5251 status->ncpup = sppp_ncp_check(sp); 5252 } 5253 break; 5254 case SPPPGETIDLETO: 5255 { 5256 struct spppidletimeout *to = (struct spppidletimeout *)data; 5257 to->idle_seconds = sp->pp_idle_timeout; 5258 } 5259 break; 5260 case SPPPSETIDLETO: 5261 { 5262 struct spppidletimeout *to = (struct spppidletimeout *)data; 5263 sp->pp_idle_timeout = to->idle_seconds; 5264 } 5265 break; 5266 case SPPPSETAUTHFAILURE: 5267 { 5268 struct spppauthfailuresettings *afsettings = (struct spppauthfailuresettings *)data; 5269 sp->pp_max_auth_fail = afsettings->max_failures; 5270 sp->pp_auth_failures = 0; 5271 } 5272 break; 5273 case SPPPGETAUTHFAILURES: 5274 { 5275 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 5276 stats->auth_failures = sp->pp_auth_failures; 5277 stats->max_failures = sp->pp_max_auth_fail; 5278 } 5279 break; 5280 case SPPPSETDNSOPTS: 5281 { 5282 struct spppdnssettings *req = (struct spppdnssettings *)data; 5283 sp->query_dns = req->query_dns & 3; 5284 } 5285 break; 5286 case SPPPGETDNSOPTS: 5287 { 5288 struct spppdnssettings *req = (struct spppdnssettings *)data; 5289 req->query_dns = sp->query_dns; 5290 } 5291 break; 5292 case SPPPGETDNSADDRS: 5293 { 5294 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 5295 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 5296 } 5297 break; 5298 case SPPPGETKEEPALIVE: 5299 { 5300 struct spppkeepalivesettings *settings = 5301 (struct spppkeepalivesettings*)data; 5302 settings->maxalive = sp->pp_maxalive; 5303 settings->max_noreceive = sp->pp_max_noreceive; 5304 } 5305 break; 5306 case SPPPSETKEEPALIVE: 5307 { 5308 struct spppkeepalivesettings *settings = 5309 (struct spppkeepalivesettings*)data; 5310 sp->pp_maxalive = settings->maxalive; 5311 sp->pp_max_noreceive = settings->max_noreceive; 5312 } 5313 break; 5314 #if defined(COMPAT_50) || defined(MODULAR) 5315 case __SPPPGETIDLETO50: 5316 { 5317 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5318 to->idle_seconds = (uint32_t)sp->pp_idle_timeout; 5319 } 5320 break; 5321 case __SPPPSETIDLETO50: 5322 { 5323 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5324 sp->pp_idle_timeout = (time_t)to->idle_seconds; 5325 } 5326 break; 5327 case __SPPPGETKEEPALIVE50: 5328 { 5329 struct spppkeepalivesettings50 *settings = 5330 (struct spppkeepalivesettings50*)data; 5331 settings->maxalive = sp->pp_maxalive; 5332 settings->max_noreceive = (uint32_t)sp->pp_max_noreceive; 5333 } 5334 break; 5335 case __SPPPSETKEEPALIVE50: 5336 { 5337 struct spppkeepalivesettings50 *settings = 5338 (struct spppkeepalivesettings50*)data; 5339 sp->pp_maxalive = settings->maxalive; 5340 sp->pp_max_noreceive = (time_t)settings->max_noreceive; 5341 } 5342 break; 5343 #endif /* COMPAT_50 || MODULAR */ 5344 default: 5345 return (EINVAL); 5346 } 5347 5348 return (0); 5349 } 5350 5351 static void 5352 sppp_phase_network(struct sppp *sp) 5353 { 5354 STDDCL; 5355 int i; 5356 uint32_t mask; 5357 5358 sp->pp_phase = SPPP_PHASE_NETWORK; 5359 5360 if (debug) 5361 { 5362 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 5363 sppp_phase_name(sp->pp_phase)); 5364 } 5365 5366 /* Notify NCPs now. */ 5367 for (i = 0; i < IDX_COUNT; i++) 5368 if ((cps[i])->flags & CP_NCP) 5369 (cps[i])->Open(sp); 5370 5371 /* Send Up events to all NCPs. */ 5372 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5373 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) 5374 (cps[i])->Up(sp); 5375 5376 /* if no NCP is starting, all this was in vain, close down */ 5377 sppp_lcp_check_and_close(sp); 5378 } 5379 5380 5381 static const char * 5382 sppp_cp_type_name(u_char type) 5383 { 5384 static char buf[12]; 5385 switch (type) { 5386 case CONF_REQ: return "conf-req"; 5387 case CONF_ACK: return "conf-ack"; 5388 case CONF_NAK: return "conf-nak"; 5389 case CONF_REJ: return "conf-rej"; 5390 case TERM_REQ: return "term-req"; 5391 case TERM_ACK: return "term-ack"; 5392 case CODE_REJ: return "code-rej"; 5393 case PROTO_REJ: return "proto-rej"; 5394 case ECHO_REQ: return "echo-req"; 5395 case ECHO_REPLY: return "echo-reply"; 5396 case DISC_REQ: return "discard-req"; 5397 } 5398 snprintf(buf, sizeof(buf), "0x%x", type); 5399 return buf; 5400 } 5401 5402 static const char * 5403 sppp_auth_type_name(u_short proto, u_char type) 5404 { 5405 static char buf[32]; 5406 const char *name; 5407 5408 switch (proto) { 5409 case PPP_CHAP: 5410 switch (type) { 5411 case CHAP_CHALLENGE: return "challenge"; 5412 case CHAP_RESPONSE: return "response"; 5413 case CHAP_SUCCESS: return "success"; 5414 case CHAP_FAILURE: return "failure"; 5415 default: name = "chap"; break; 5416 } 5417 break; 5418 5419 case PPP_PAP: 5420 switch (type) { 5421 case PAP_REQ: return "req"; 5422 case PAP_ACK: return "ack"; 5423 case PAP_NAK: return "nak"; 5424 default: name = "pap"; break; 5425 } 5426 break; 5427 5428 default: 5429 name = "bad"; 5430 break; 5431 } 5432 5433 snprintf(buf, sizeof(buf), "%s(%#x) %#x", name, proto, type); 5434 return buf; 5435 } 5436 5437 static const char * 5438 sppp_lcp_opt_name(u_char opt) 5439 { 5440 static char buf[12]; 5441 switch (opt) { 5442 case LCP_OPT_MRU: return "mru"; 5443 case LCP_OPT_ASYNC_MAP: return "async-map"; 5444 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 5445 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 5446 case LCP_OPT_MAGIC: return "magic"; 5447 case LCP_OPT_PROTO_COMP: return "proto-comp"; 5448 case LCP_OPT_ADDR_COMP: return "addr-comp"; 5449 } 5450 snprintf(buf, sizeof(buf), "0x%x", opt); 5451 return buf; 5452 } 5453 5454 static const char * 5455 sppp_ipcp_opt_name(u_char opt) 5456 { 5457 static char buf[12]; 5458 switch (opt) { 5459 case IPCP_OPT_ADDRESSES: return "addresses"; 5460 case IPCP_OPT_COMPRESSION: return "compression"; 5461 case IPCP_OPT_ADDRESS: return "address"; 5462 } 5463 snprintf(buf, sizeof(buf), "0x%x", opt); 5464 return buf; 5465 } 5466 5467 #ifdef INET6 5468 static const char * 5469 sppp_ipv6cp_opt_name(u_char opt) 5470 { 5471 static char buf[12]; 5472 switch (opt) { 5473 case IPV6CP_OPT_IFID: return "ifid"; 5474 case IPV6CP_OPT_COMPRESSION: return "compression"; 5475 } 5476 snprintf(buf, sizeof(buf), "0x%x", opt); 5477 return buf; 5478 } 5479 #endif 5480 5481 static const char * 5482 sppp_state_name(int state) 5483 { 5484 switch (state) { 5485 case STATE_INITIAL: return "initial"; 5486 case STATE_STARTING: return "starting"; 5487 case STATE_CLOSED: return "closed"; 5488 case STATE_STOPPED: return "stopped"; 5489 case STATE_CLOSING: return "closing"; 5490 case STATE_STOPPING: return "stopping"; 5491 case STATE_REQ_SENT: return "req-sent"; 5492 case STATE_ACK_RCVD: return "ack-rcvd"; 5493 case STATE_ACK_SENT: return "ack-sent"; 5494 case STATE_OPENED: return "opened"; 5495 } 5496 return "illegal"; 5497 } 5498 5499 static const char * 5500 sppp_phase_name(int phase) 5501 { 5502 switch (phase) { 5503 case SPPP_PHASE_DEAD: return "dead"; 5504 case SPPP_PHASE_ESTABLISH: return "establish"; 5505 case SPPP_PHASE_TERMINATE: return "terminate"; 5506 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 5507 case SPPP_PHASE_NETWORK: return "network"; 5508 } 5509 return "illegal"; 5510 } 5511 5512 static const char * 5513 sppp_proto_name(u_short proto) 5514 { 5515 static char buf[12]; 5516 switch (proto) { 5517 case PPP_LCP: return "lcp"; 5518 case PPP_IPCP: return "ipcp"; 5519 case PPP_PAP: return "pap"; 5520 case PPP_CHAP: return "chap"; 5521 case PPP_IPV6CP: return "ipv6cp"; 5522 } 5523 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto); 5524 return buf; 5525 } 5526 5527 static void 5528 sppp_print_bytes(const u_char *p, u_short len) 5529 { 5530 addlog(" %02x", *p++); 5531 while (--len > 0) 5532 addlog("-%02x", *p++); 5533 } 5534 5535 static void 5536 sppp_print_string(const char *p, u_short len) 5537 { 5538 u_char c; 5539 5540 while (len-- > 0) { 5541 c = *p++; 5542 /* 5543 * Print only ASCII chars directly. RFC 1994 recommends 5544 * using only them, but we don't rely on it. */ 5545 if (c < ' ' || c > '~') 5546 addlog("\\x%x", c); 5547 else 5548 addlog("%c", c); 5549 } 5550 } 5551 5552 static const char * 5553 sppp_dotted_quad(uint32_t addr) 5554 { 5555 static char s[16]; 5556 snprintf(s, sizeof(s), "%d.%d.%d.%d", 5557 (int)((addr >> 24) & 0xff), 5558 (int)((addr >> 16) & 0xff), 5559 (int)((addr >> 8) & 0xff), 5560 (int)(addr & 0xff)); 5561 return s; 5562 } 5563 5564 /* a dummy, used to drop uninteresting events */ 5565 static void 5566 sppp_null(struct sppp *unused) 5567 { 5568 /* do just nothing */ 5569 } 5570 /* 5571 * This file is large. Tell emacs to highlight it nevertheless. 5572 * 5573 * Local Variables: 5574 * hilit-auto-highlight-maxout: 120000 5575 * End: 5576 */ 5577