1 /* $NetBSD: if_spppsubr.c,v 1.123 2011/10/28 22:08:14 dyoung Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak@cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun@iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.123 2011/10/28 22:08:14 dyoung Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_ipx.h" 49 #include "opt_iso.h" 50 #include "opt_pfil_hooks.h" 51 #include "opt_modular.h" 52 #include "opt_compat_netbsd.h" 53 #endif 54 55 56 #include <sys/param.h> 57 #include <sys/proc.h> 58 #include <sys/systm.h> 59 #include <sys/kernel.h> 60 #include <sys/sockio.h> 61 #include <sys/socket.h> 62 #include <sys/syslog.h> 63 #include <sys/malloc.h> 64 #include <sys/mbuf.h> 65 #include <sys/callout.h> 66 #include <sys/md5.h> 67 #include <sys/inttypes.h> 68 #include <sys/kauth.h> 69 70 #include <net/if.h> 71 #include <net/netisr.h> 72 #include <net/if_types.h> 73 #include <net/route.h> 74 #include <net/ppp_defs.h> 75 76 #include <netinet/in.h> 77 #include <netinet/in_systm.h> 78 #include <netinet/in_var.h> 79 #ifdef INET 80 #include <netinet/ip.h> 81 #include <netinet/tcp.h> 82 #endif 83 #include <net/ethertypes.h> 84 85 #ifdef INET6 86 #include <netinet6/scope6_var.h> 87 #endif 88 89 #ifdef IPX 90 #include <netipx/ipx.h> 91 #include <netipx/ipx_if.h> 92 #endif 93 94 95 #ifdef ISO 96 #include <netiso/argo_debug.h> 97 #include <netiso/iso.h> 98 #include <netiso/iso_var.h> 99 #include <netiso/iso_snpac.h> 100 #endif 101 102 #include <net/if_sppp.h> 103 #include <net/if_spppvar.h> 104 105 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 106 #define LOOPALIVECNT 3 /* loopback detection tries */ 107 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 108 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 109 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 110 111 /* 112 * Interface flags that can be set in an ifconfig command. 113 * 114 * Setting link0 will make the link passive, i.e. it will be marked 115 * as being administrative openable, but won't be opened to begin 116 * with. Incoming calls will be answered, or subsequent calls with 117 * -link1 will cause the administrative open of the LCP layer. 118 * 119 * Setting link1 will cause the link to auto-dial only as packets 120 * arrive to be sent. 121 * 122 * Setting IFF_DEBUG will syslog the option negotiation and state 123 * transitions at level kern.debug. Note: all logs consistently look 124 * like 125 * 126 * <if-name><unit>: <proto-name> <additional info...> 127 * 128 * with <if-name><unit> being something like "bppp0", and <proto-name> 129 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 130 */ 131 132 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 133 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 134 135 #define CONF_REQ 1 /* PPP configure request */ 136 #define CONF_ACK 2 /* PPP configure acknowledge */ 137 #define CONF_NAK 3 /* PPP configure negative ack */ 138 #define CONF_REJ 4 /* PPP configure reject */ 139 #define TERM_REQ 5 /* PPP terminate request */ 140 #define TERM_ACK 6 /* PPP terminate acknowledge */ 141 #define CODE_REJ 7 /* PPP code reject */ 142 #define PROTO_REJ 8 /* PPP protocol reject */ 143 #define ECHO_REQ 9 /* PPP echo request */ 144 #define ECHO_REPLY 10 /* PPP echo reply */ 145 #define DISC_REQ 11 /* PPP discard request */ 146 147 #define LCP_OPT_MRU 1 /* maximum receive unit */ 148 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 149 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 150 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 151 #define LCP_OPT_MAGIC 5 /* magic number */ 152 #define LCP_OPT_RESERVED 6 /* reserved */ 153 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 154 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 155 156 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 157 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 158 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 159 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 160 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 161 162 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 163 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 164 165 #define PAP_REQ 1 /* PAP name/password request */ 166 #define PAP_ACK 2 /* PAP acknowledge */ 167 #define PAP_NAK 3 /* PAP fail */ 168 169 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 170 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 171 #define CHAP_SUCCESS 3 /* CHAP response ok */ 172 #define CHAP_FAILURE 4 /* CHAP response failed */ 173 174 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 175 176 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 177 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 178 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 179 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 180 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 181 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 182 183 /* states are named and numbered according to RFC 1661 */ 184 #define STATE_INITIAL 0 185 #define STATE_STARTING 1 186 #define STATE_CLOSED 2 187 #define STATE_STOPPED 3 188 #define STATE_CLOSING 4 189 #define STATE_STOPPING 5 190 #define STATE_REQ_SENT 6 191 #define STATE_ACK_RCVD 7 192 #define STATE_ACK_SENT 8 193 #define STATE_OPENED 9 194 195 struct ppp_header { 196 uint8_t address; 197 uint8_t control; 198 uint16_t protocol; 199 } __packed; 200 #define PPP_HEADER_LEN sizeof (struct ppp_header) 201 202 struct lcp_header { 203 uint8_t type; 204 uint8_t ident; 205 uint16_t len; 206 } __packed; 207 #define LCP_HEADER_LEN sizeof (struct lcp_header) 208 209 struct cisco_packet { 210 uint32_t type; 211 uint32_t par1; 212 uint32_t par2; 213 uint16_t rel; 214 uint16_t time0; 215 uint16_t time1; 216 } __packed; 217 #define CISCO_PACKET_LEN 18 218 219 /* 220 * We follow the spelling and capitalization of RFC 1661 here, to make 221 * it easier comparing with the standard. Please refer to this RFC in 222 * case you can't make sense out of these abbreviation; it will also 223 * explain the semantics related to the various events and actions. 224 */ 225 struct cp { 226 u_short proto; /* PPP control protocol number */ 227 u_char protoidx; /* index into state table in struct sppp */ 228 u_char flags; 229 #define CP_LCP 0x01 /* this is the LCP */ 230 #define CP_AUTH 0x02 /* this is an authentication protocol */ 231 #define CP_NCP 0x04 /* this is a NCP */ 232 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 233 const char *name; /* name of this control protocol */ 234 /* event handlers */ 235 void (*Up)(struct sppp *sp); 236 void (*Down)(struct sppp *sp); 237 void (*Open)(struct sppp *sp); 238 void (*Close)(struct sppp *sp); 239 void (*TO)(void *sp); 240 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 241 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 242 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 243 /* actions */ 244 void (*tlu)(struct sppp *sp); 245 void (*tld)(struct sppp *sp); 246 void (*tls)(struct sppp *sp); 247 void (*tlf)(struct sppp *sp); 248 void (*scr)(struct sppp *sp); 249 }; 250 251 static struct sppp *spppq; 252 static callout_t keepalive_ch; 253 254 #ifdef INET 255 /* 256 * The following disgusting hack gets around the problem that IP TOS 257 * can't be set yet. We want to put "interactive" traffic on a high 258 * priority queue. To decide if traffic is interactive, we check that 259 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 260 * 261 * XXX is this really still necessary? - joerg - 262 */ 263 static u_short interactive_ports[8] = { 264 0, 513, 0, 0, 265 0, 21, 0, 23, 266 }; 267 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 268 #endif 269 270 /* almost every function needs these */ 271 #define STDDCL \ 272 struct ifnet *ifp = &sp->pp_if; \ 273 int debug = ifp->if_flags & IFF_DEBUG 274 275 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 276 const struct sockaddr *dst, struct rtentry *rt); 277 278 static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2); 279 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 280 281 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 282 struct mbuf *m); 283 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 284 u_char ident, u_short len, void *data); 285 /* static void sppp_cp_timeout(void *arg); */ 286 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 287 int newstate); 288 static void sppp_auth_send(const struct cp *cp, 289 struct sppp *sp, unsigned int type, unsigned int id, 290 ...); 291 292 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 293 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 294 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 295 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 296 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 297 298 static void sppp_null(struct sppp *sp); 299 300 static void sppp_lcp_init(struct sppp *sp); 301 static void sppp_lcp_up(struct sppp *sp); 302 static void sppp_lcp_down(struct sppp *sp); 303 static void sppp_lcp_open(struct sppp *sp); 304 static void sppp_lcp_close(struct sppp *sp); 305 static void sppp_lcp_TO(void *sp); 306 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 307 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 308 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 309 static void sppp_lcp_tlu(struct sppp *sp); 310 static void sppp_lcp_tld(struct sppp *sp); 311 static void sppp_lcp_tls(struct sppp *sp); 312 static void sppp_lcp_tlf(struct sppp *sp); 313 static void sppp_lcp_scr(struct sppp *sp); 314 static void sppp_lcp_check_and_close(struct sppp *sp); 315 static int sppp_ncp_check(struct sppp *sp); 316 317 static void sppp_ipcp_init(struct sppp *sp); 318 static void sppp_ipcp_up(struct sppp *sp); 319 static void sppp_ipcp_down(struct sppp *sp); 320 static void sppp_ipcp_open(struct sppp *sp); 321 static void sppp_ipcp_close(struct sppp *sp); 322 static void sppp_ipcp_TO(void *sp); 323 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 324 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 325 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 326 static void sppp_ipcp_tlu(struct sppp *sp); 327 static void sppp_ipcp_tld(struct sppp *sp); 328 static void sppp_ipcp_tls(struct sppp *sp); 329 static void sppp_ipcp_tlf(struct sppp *sp); 330 static void sppp_ipcp_scr(struct sppp *sp); 331 332 static void sppp_ipv6cp_init(struct sppp *sp); 333 static void sppp_ipv6cp_up(struct sppp *sp); 334 static void sppp_ipv6cp_down(struct sppp *sp); 335 static void sppp_ipv6cp_open(struct sppp *sp); 336 static void sppp_ipv6cp_close(struct sppp *sp); 337 static void sppp_ipv6cp_TO(void *sp); 338 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 339 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 340 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 341 static void sppp_ipv6cp_tlu(struct sppp *sp); 342 static void sppp_ipv6cp_tld(struct sppp *sp); 343 static void sppp_ipv6cp_tls(struct sppp *sp); 344 static void sppp_ipv6cp_tlf(struct sppp *sp); 345 static void sppp_ipv6cp_scr(struct sppp *sp); 346 347 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 348 static void sppp_pap_init(struct sppp *sp); 349 static void sppp_pap_open(struct sppp *sp); 350 static void sppp_pap_close(struct sppp *sp); 351 static void sppp_pap_TO(void *sp); 352 static void sppp_pap_my_TO(void *sp); 353 static void sppp_pap_tlu(struct sppp *sp); 354 static void sppp_pap_tld(struct sppp *sp); 355 static void sppp_pap_scr(struct sppp *sp); 356 357 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 358 static void sppp_chap_init(struct sppp *sp); 359 static void sppp_chap_open(struct sppp *sp); 360 static void sppp_chap_close(struct sppp *sp); 361 static void sppp_chap_TO(void *sp); 362 static void sppp_chap_tlu(struct sppp *sp); 363 static void sppp_chap_tld(struct sppp *sp); 364 static void sppp_chap_scr(struct sppp *sp); 365 366 static const char *sppp_auth_type_name(u_short proto, u_char type); 367 static const char *sppp_cp_type_name(u_char type); 368 static const char *sppp_dotted_quad(uint32_t addr); 369 static const char *sppp_ipcp_opt_name(u_char opt); 370 #ifdef INET6 371 static const char *sppp_ipv6cp_opt_name(u_char opt); 372 #endif 373 static const char *sppp_lcp_opt_name(u_char opt); 374 static const char *sppp_phase_name(int phase); 375 static const char *sppp_proto_name(u_short proto); 376 static const char *sppp_state_name(int state); 377 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 378 #ifdef INET 379 static void sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, 380 uint32_t *srcmask); 381 static void sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr); 382 static void sppp_clear_ip_addrs(struct sppp *sp); 383 #endif 384 static void sppp_keepalive(void *dummy); 385 static void sppp_phase_network(struct sppp *sp); 386 static void sppp_print_bytes(const u_char *p, u_short len); 387 static void sppp_print_string(const char *p, u_short len); 388 #ifdef INET6 389 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 390 struct in6_addr *dst, struct in6_addr *srcmask); 391 #ifdef IPV6CP_MYIFID_DYN 392 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 393 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 394 #endif 395 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 396 #endif 397 398 /* our control protocol descriptors */ 399 static const struct cp lcp = { 400 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 401 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 402 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 403 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 404 sppp_lcp_scr 405 }; 406 407 static const struct cp ipcp = { 408 PPP_IPCP, IDX_IPCP, 409 #ifdef INET 410 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 411 #else 412 0, 413 #endif 414 "ipcp", 415 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 416 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 417 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 418 sppp_ipcp_scr 419 }; 420 421 static const struct cp ipv6cp = { 422 PPP_IPV6CP, IDX_IPV6CP, 423 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 424 CP_NCP, 425 #else 426 0, 427 #endif 428 "ipv6cp", 429 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 430 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 431 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 432 sppp_ipv6cp_scr 433 }; 434 435 static const struct cp pap = { 436 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 437 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 438 sppp_pap_TO, 0, 0, 0, 439 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 440 sppp_pap_scr 441 }; 442 443 static const struct cp chap = { 444 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 445 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 446 sppp_chap_TO, 0, 0, 0, 447 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 448 sppp_chap_scr 449 }; 450 451 static const struct cp *cps[IDX_COUNT] = { 452 &lcp, /* IDX_LCP */ 453 &ipcp, /* IDX_IPCP */ 454 &ipv6cp, /* IDX_IPV6CP */ 455 &pap, /* IDX_PAP */ 456 &chap, /* IDX_CHAP */ 457 }; 458 459 460 void spppattach(int); 461 void 462 /*ARGSUSED*/ 463 spppattach(int count) 464 { 465 } 466 467 /* 468 * Exported functions, comprising our interface to the lower layer. 469 */ 470 471 /* 472 * Process the received packet. 473 */ 474 void 475 sppp_input(struct ifnet *ifp, struct mbuf *m) 476 { 477 struct ppp_header *h = NULL; 478 struct ifqueue *inq = 0; 479 uint16_t protocol; 480 int s; 481 struct sppp *sp = (struct sppp *)ifp; 482 int debug = ifp->if_flags & IFF_DEBUG; 483 484 if (ifp->if_flags & IFF_UP) { 485 /* Count received bytes, add hardware framing */ 486 ifp->if_ibytes += m->m_pkthdr.len + sp->pp_framebytes; 487 /* Note time of last receive */ 488 sp->pp_last_receive = time_uptime; 489 } 490 491 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 492 /* Too small packet, drop it. */ 493 if (debug) 494 log(LOG_DEBUG, 495 "%s: input packet is too small, %d bytes\n", 496 ifp->if_xname, m->m_pkthdr.len); 497 drop: 498 ++ifp->if_ierrors; 499 ++ifp->if_iqdrops; 500 m_freem(m); 501 return; 502 } 503 504 if (sp->pp_flags & PP_NOFRAMING) { 505 memcpy(&protocol, mtod(m, void *), 2); 506 protocol = ntohs(protocol); 507 m_adj(m, 2); 508 } else { 509 510 /* Get PPP header. */ 511 h = mtod(m, struct ppp_header *); 512 m_adj(m, PPP_HEADER_LEN); 513 514 switch (h->address) { 515 case PPP_ALLSTATIONS: 516 if (h->control != PPP_UI) 517 goto invalid; 518 if (sp->pp_flags & PP_CISCO) { 519 if (debug) 520 log(LOG_DEBUG, 521 "%s: PPP packet in Cisco mode " 522 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 523 ifp->if_xname, 524 h->address, h->control, ntohs(h->protocol)); 525 goto drop; 526 } 527 break; 528 case CISCO_MULTICAST: 529 case CISCO_UNICAST: 530 /* Don't check the control field here (RFC 1547). */ 531 if (! (sp->pp_flags & PP_CISCO)) { 532 if (debug) 533 log(LOG_DEBUG, 534 "%s: Cisco packet in PPP mode " 535 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 536 ifp->if_xname, 537 h->address, h->control, ntohs(h->protocol)); 538 goto drop; 539 } 540 switch (ntohs(h->protocol)) { 541 default: 542 ++ifp->if_noproto; 543 goto invalid; 544 case CISCO_KEEPALIVE: 545 sppp_cisco_input((struct sppp *) ifp, m); 546 m_freem(m); 547 return; 548 #ifdef INET 549 case ETHERTYPE_IP: 550 schednetisr(NETISR_IP); 551 inq = &ipintrq; 552 break; 553 #endif 554 #ifdef INET6 555 case ETHERTYPE_IPV6: 556 schednetisr(NETISR_IPV6); 557 inq = &ip6intrq; 558 break; 559 #endif 560 #ifdef IPX 561 case ETHERTYPE_IPX: 562 schednetisr(NETISR_IPX); 563 inq = &ipxintrq; 564 break; 565 #endif 566 } 567 goto queue_pkt; 568 default: /* Invalid PPP packet. */ 569 invalid: 570 if (debug) 571 log(LOG_DEBUG, 572 "%s: invalid input packet " 573 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 574 ifp->if_xname, 575 h->address, h->control, ntohs(h->protocol)); 576 goto drop; 577 } 578 protocol = ntohs(h->protocol); 579 } 580 581 switch (protocol) { 582 default: 583 if (sp->state[IDX_LCP] == STATE_OPENED) { 584 uint16_t prot = htons(protocol); 585 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 586 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 587 &prot); 588 } 589 if (debug) 590 log(LOG_DEBUG, 591 "%s: invalid input protocol " 592 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol)); 593 ++ifp->if_noproto; 594 goto drop; 595 case PPP_LCP: 596 sppp_cp_input(&lcp, sp, m); 597 m_freem(m); 598 return; 599 case PPP_PAP: 600 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 601 sppp_pap_input(sp, m); 602 m_freem(m); 603 return; 604 case PPP_CHAP: 605 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 606 sppp_chap_input(sp, m); 607 m_freem(m); 608 return; 609 #ifdef INET 610 case PPP_IPCP: 611 if (sp->pp_phase == SPPP_PHASE_NETWORK) 612 sppp_cp_input(&ipcp, sp, m); 613 m_freem(m); 614 return; 615 case PPP_IP: 616 if (sp->state[IDX_IPCP] == STATE_OPENED) { 617 schednetisr(NETISR_IP); 618 inq = &ipintrq; 619 sp->pp_last_activity = time_uptime; 620 } 621 break; 622 #endif 623 #ifdef INET6 624 case PPP_IPV6CP: 625 if (sp->pp_phase == SPPP_PHASE_NETWORK) 626 sppp_cp_input(&ipv6cp, sp, m); 627 m_freem(m); 628 return; 629 630 case PPP_IPV6: 631 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 632 schednetisr(NETISR_IPV6); 633 inq = &ip6intrq; 634 sp->pp_last_activity = time_uptime; 635 } 636 break; 637 #endif 638 #ifdef IPX 639 case PPP_IPX: 640 /* IPX IPXCP not implemented yet */ 641 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 642 schednetisr(NETISR_IPX); 643 inq = &ipxintrq; 644 } 645 break; 646 #endif 647 #ifdef ISO 648 case PPP_ISO: 649 /* OSI NLCP not implemented yet */ 650 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 651 schednetisr(NETISR_ISO); 652 inq = &clnlintrq; 653 } 654 break; 655 #endif 656 } 657 658 queue_pkt: 659 if (! (ifp->if_flags & IFF_UP) || ! inq) 660 goto drop; 661 662 /* Check queue. */ 663 s = splnet(); 664 if (IF_QFULL(inq)) { 665 /* Queue overflow. */ 666 IF_DROP(inq); 667 splx(s); 668 if (debug) 669 log(LOG_DEBUG, "%s: protocol queue overflow\n", 670 ifp->if_xname); 671 goto drop; 672 } 673 IF_ENQUEUE(inq, m); 674 splx(s); 675 } 676 677 /* 678 * Enqueue transmit packet. 679 */ 680 static int 681 sppp_output(struct ifnet *ifp, struct mbuf *m, 682 const struct sockaddr *dst, struct rtentry *rt) 683 { 684 struct sppp *sp = (struct sppp *) ifp; 685 struct ppp_header *h = NULL; 686 struct ifqueue *ifq = NULL; /* XXX */ 687 int s, error = 0; 688 uint16_t protocol; 689 ALTQ_DECL(struct altq_pktattr pktattr;) 690 691 s = splnet(); 692 693 sp->pp_last_activity = time_uptime; 694 695 if ((ifp->if_flags & IFF_UP) == 0 || 696 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 697 m_freem(m); 698 splx(s); 699 return (ENETDOWN); 700 } 701 702 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 703 /* 704 * Interface is not yet running, but auto-dial. Need 705 * to start LCP for it. 706 */ 707 ifp->if_flags |= IFF_RUNNING; 708 splx(s); 709 lcp.Open(sp); 710 s = splnet(); 711 } 712 713 /* 714 * If the queueing discipline needs packet classification, 715 * do it before prepending link headers. 716 */ 717 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family, &pktattr); 718 719 #ifdef INET 720 if (dst->sa_family == AF_INET) { 721 struct ip *ip = NULL; 722 struct tcphdr *th = NULL; 723 724 if (m->m_len >= sizeof(struct ip)) { 725 ip = mtod(m, struct ip *); 726 if (ip->ip_p == IPPROTO_TCP && 727 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 728 sizeof(struct tcphdr)) { 729 th = (struct tcphdr *) 730 ((char *)ip + (ip->ip_hl << 2)); 731 } 732 } else 733 ip = NULL; 734 735 /* 736 * When using dynamic local IP address assignment by using 737 * 0.0.0.0 as a local address, the first TCP session will 738 * not connect because the local TCP checksum is computed 739 * using 0.0.0.0 which will later become our real IP address 740 * so the TCP checksum computed at the remote end will 741 * become invalid. So we 742 * - don't let packets with src ip addr 0 thru 743 * - we flag TCP packets with src ip 0 as an error 744 */ 745 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 746 uint8_t proto = ip->ip_p; 747 748 m_freem(m); 749 splx(s); 750 if (proto == IPPROTO_TCP) 751 return (EADDRNOTAVAIL); 752 else 753 return (0); 754 } 755 756 /* 757 * Put low delay, telnet, rlogin and ftp control packets 758 * in front of the queue. 759 */ 760 761 if (!IF_QFULL(&sp->pp_fastq) && 762 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 763 (th && (INTERACTIVE(ntohs(th->th_sport)) || 764 INTERACTIVE(ntohs(th->th_dport)))))) 765 ifq = &sp->pp_fastq; 766 } 767 #endif 768 769 #ifdef INET6 770 if (dst->sa_family == AF_INET6) { 771 /* XXX do something tricky here? */ 772 } 773 #endif 774 775 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 776 /* 777 * Prepend general data packet PPP header. For now, IP only. 778 */ 779 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 780 if (! m) { 781 if (ifp->if_flags & IFF_DEBUG) 782 log(LOG_DEBUG, "%s: no memory for transmit header\n", 783 ifp->if_xname); 784 ++ifp->if_oerrors; 785 splx(s); 786 return (ENOBUFS); 787 } 788 /* 789 * May want to check size of packet 790 * (albeit due to the implementation it's always enough) 791 */ 792 h = mtod(m, struct ppp_header *); 793 if (sp->pp_flags & PP_CISCO) { 794 h->address = CISCO_UNICAST; /* unicast address */ 795 h->control = 0; 796 } else { 797 h->address = PPP_ALLSTATIONS; /* broadcast address */ 798 h->control = PPP_UI; /* Unnumbered Info */ 799 } 800 } 801 802 switch (dst->sa_family) { 803 #ifdef INET 804 case AF_INET: /* Internet Protocol */ 805 if (sp->pp_flags & PP_CISCO) 806 protocol = htons(ETHERTYPE_IP); 807 else { 808 /* 809 * Don't choke with an ENETDOWN early. It's 810 * possible that we just started dialing out, 811 * so don't drop the packet immediately. If 812 * we notice that we run out of buffer space 813 * below, we will however remember that we are 814 * not ready to carry IP packets, and return 815 * ENETDOWN, as opposed to ENOBUFS. 816 */ 817 protocol = htons(PPP_IP); 818 if (sp->state[IDX_IPCP] != STATE_OPENED) 819 error = ENETDOWN; 820 } 821 break; 822 #endif 823 #ifdef INET6 824 case AF_INET6: /* Internet Protocol version 6 */ 825 if (sp->pp_flags & PP_CISCO) 826 protocol = htons(ETHERTYPE_IPV6); 827 else { 828 /* 829 * Don't choke with an ENETDOWN early. It's 830 * possible that we just started dialing out, 831 * so don't drop the packet immediately. If 832 * we notice that we run out of buffer space 833 * below, we will however remember that we are 834 * not ready to carry IP packets, and return 835 * ENETDOWN, as opposed to ENOBUFS. 836 */ 837 protocol = htons(PPP_IPV6); 838 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 839 error = ENETDOWN; 840 } 841 break; 842 #endif 843 #ifdef IPX 844 case AF_IPX: /* Novell IPX Protocol */ 845 protocol = htons((sp->pp_flags & PP_CISCO) ? 846 ETHERTYPE_IPX : PPP_IPX); 847 break; 848 #endif 849 #ifdef ISO 850 case AF_ISO: /* ISO OSI Protocol */ 851 if (sp->pp_flags & PP_CISCO) 852 goto nosupport; 853 protocol = htons(PPP_ISO); 854 break; 855 nosupport: 856 #endif 857 default: 858 m_freem(m); 859 ++ifp->if_oerrors; 860 splx(s); 861 return (EAFNOSUPPORT); 862 } 863 864 if (sp->pp_flags & PP_NOFRAMING) { 865 M_PREPEND(m, 2, M_DONTWAIT); 866 if (m == NULL) { 867 if (ifp->if_flags & IFF_DEBUG) 868 log(LOG_DEBUG, "%s: no memory for transmit header\n", 869 ifp->if_xname); 870 ++ifp->if_oerrors; 871 splx(s); 872 return (ENOBUFS); 873 } 874 *mtod(m, uint16_t *) = protocol; 875 } else { 876 h->protocol = protocol; 877 } 878 879 880 error = ifq_enqueue2(ifp, ifq, m ALTQ_COMMA ALTQ_DECL(&pktattr)); 881 882 if (error == 0) { 883 /* 884 * Count output packets and bytes. 885 * The packet length includes header + additional hardware 886 * framing according to RFC 1333. 887 */ 888 if (!(ifp->if_flags & IFF_OACTIVE)) 889 (*ifp->if_start)(ifp); 890 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 891 } 892 splx(s); 893 return error; 894 } 895 896 void 897 sppp_attach(struct ifnet *ifp) 898 { 899 struct sppp *sp = (struct sppp *) ifp; 900 901 /* Initialize keepalive handler. */ 902 if (! spppq) { 903 callout_init(&keepalive_ch, 0); 904 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 905 } 906 907 /* Insert new entry into the keepalive list. */ 908 sp->pp_next = spppq; 909 spppq = sp; 910 911 sp->pp_if.if_type = IFT_PPP; 912 sp->pp_if.if_output = sppp_output; 913 sp->pp_fastq.ifq_maxlen = 32; 914 sp->pp_cpq.ifq_maxlen = 20; 915 sp->pp_loopcnt = 0; 916 sp->pp_alivecnt = 0; 917 sp->pp_last_activity = 0; 918 sp->pp_last_receive = 0; 919 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 920 sp->pp_max_noreceive = DEFAULT_NORECV_TIME; 921 sp->pp_idle_timeout = 0; 922 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq)); 923 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq)); 924 sp->pp_auth_failures = 0; 925 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 926 sp->pp_phase = SPPP_PHASE_DEAD; 927 sp->pp_up = lcp.Up; 928 sp->pp_down = lcp.Down; 929 930 if_alloc_sadl(ifp); 931 932 memset(&sp->myauth, 0, sizeof sp->myauth); 933 memset(&sp->hisauth, 0, sizeof sp->hisauth); 934 sppp_lcp_init(sp); 935 sppp_ipcp_init(sp); 936 sppp_ipv6cp_init(sp); 937 sppp_pap_init(sp); 938 sppp_chap_init(sp); 939 } 940 941 void 942 sppp_detach(struct ifnet *ifp) 943 { 944 struct sppp **q, *p, *sp = (struct sppp *) ifp; 945 946 /* Remove the entry from the keepalive list. */ 947 for (q = &spppq; (p = *q); q = &p->pp_next) 948 if (p == sp) { 949 *q = p->pp_next; 950 break; 951 } 952 953 /* Stop keepalive handler. */ 954 if (! spppq) { 955 callout_stop(&keepalive_ch); 956 } 957 958 callout_stop(&sp->ch[IDX_LCP]); 959 callout_stop(&sp->ch[IDX_IPCP]); 960 callout_stop(&sp->ch[IDX_PAP]); 961 callout_stop(&sp->ch[IDX_CHAP]); 962 #ifdef INET6 963 callout_stop(&sp->ch[IDX_IPV6CP]); 964 #endif 965 callout_stop(&sp->pap_my_to_ch); 966 967 /* free authentication info */ 968 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 969 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 970 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 971 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 972 973 #if 0 /* done in if_detach() */ 974 if_free_sadl(ifp); 975 #endif 976 } 977 978 /* 979 * Flush the interface output queue. 980 */ 981 void 982 sppp_flush(struct ifnet *ifp) 983 { 984 struct sppp *sp = (struct sppp *) ifp; 985 986 IFQ_PURGE(&sp->pp_if.if_snd); 987 IF_PURGE(&sp->pp_fastq); 988 IF_PURGE(&sp->pp_cpq); 989 } 990 991 /* 992 * Check if the output queue is empty. 993 */ 994 int 995 sppp_isempty(struct ifnet *ifp) 996 { 997 struct sppp *sp = (struct sppp *) ifp; 998 int empty, s; 999 1000 s = splnet(); 1001 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 1002 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 1003 splx(s); 1004 return (empty); 1005 } 1006 1007 /* 1008 * Get next packet to send. 1009 */ 1010 struct mbuf * 1011 sppp_dequeue(struct ifnet *ifp) 1012 { 1013 struct sppp *sp = (struct sppp *) ifp; 1014 struct mbuf *m; 1015 int s; 1016 1017 s = splnet(); 1018 /* 1019 * Process only the control protocol queue until we have at 1020 * least one NCP open. 1021 * 1022 * Do always serve all three queues in Cisco mode. 1023 */ 1024 IF_DEQUEUE(&sp->pp_cpq, m); 1025 if (m == NULL && 1026 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) { 1027 IF_DEQUEUE(&sp->pp_fastq, m); 1028 if (m == NULL) 1029 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 1030 } 1031 splx(s); 1032 return m; 1033 } 1034 1035 /* 1036 * Process an ioctl request. Called on low priority level. 1037 */ 1038 int 1039 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1040 { 1041 struct lwp *l = curlwp; /* XXX */ 1042 struct ifreq *ifr = (struct ifreq *) data; 1043 struct sppp *sp = (struct sppp *) ifp; 1044 int s, error=0, going_up, going_down, newmode; 1045 1046 s = splnet(); 1047 switch (cmd) { 1048 case SIOCINITIFADDR: 1049 break; 1050 1051 case SIOCSIFFLAGS: 1052 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1053 break; 1054 going_up = ifp->if_flags & IFF_UP && 1055 (ifp->if_flags & IFF_RUNNING) == 0; 1056 going_down = (ifp->if_flags & IFF_UP) == 0 && 1057 ifp->if_flags & IFF_RUNNING; 1058 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1059 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1060 /* sanity */ 1061 newmode = IFF_PASSIVE; 1062 ifp->if_flags &= ~IFF_AUTO; 1063 } 1064 1065 if (going_up || going_down) 1066 lcp.Close(sp); 1067 if (going_up && newmode == 0) { 1068 /* neither auto-dial nor passive */ 1069 ifp->if_flags |= IFF_RUNNING; 1070 if (!(sp->pp_flags & PP_CISCO)) 1071 lcp.Open(sp); 1072 } else if (going_down) { 1073 sppp_flush(ifp); 1074 ifp->if_flags &= ~IFF_RUNNING; 1075 } 1076 1077 break; 1078 1079 case SIOCSIFMTU: 1080 if (ifr->ifr_mtu < PPP_MINMRU || 1081 ifr->ifr_mtu > sp->lcp.their_mru) { 1082 error = EINVAL; 1083 break; 1084 } 1085 /*FALLTHROUGH*/ 1086 case SIOCGIFMTU: 1087 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1088 error = 0; 1089 break; 1090 case SIOCADDMULTI: 1091 case SIOCDELMULTI: 1092 break; 1093 1094 case SPPPSETAUTHCFG: 1095 case SPPPSETLCPCFG: 1096 case SPPPSETIDLETO: 1097 case SPPPSETAUTHFAILURE: 1098 case SPPPSETDNSOPTS: 1099 case SPPPSETKEEPALIVE: 1100 #if defined(COMPAT_50) || defined(MODULAR) 1101 case __SPPPSETIDLETO50: 1102 case __SPPPSETKEEPALIVE50: 1103 #endif /* COMPAT_50 || MODULAR */ 1104 error = kauth_authorize_network(l->l_cred, 1105 KAUTH_NETWORK_INTERFACE, 1106 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1107 NULL); 1108 if (error) 1109 break; 1110 error = sppp_params(sp, cmd, data); 1111 break; 1112 1113 case SPPPGETAUTHCFG: 1114 case SPPPGETLCPCFG: 1115 case SPPPGETAUTHFAILURES: 1116 error = kauth_authorize_network(l->l_cred, 1117 KAUTH_NETWORK_INTERFACE, 1118 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1119 NULL); 1120 if (error) 1121 break; 1122 error = sppp_params(sp, cmd, data); 1123 break; 1124 1125 case SPPPGETSTATUS: 1126 case SPPPGETSTATUSNCP: 1127 case SPPPGETIDLETO: 1128 case SPPPGETDNSOPTS: 1129 case SPPPGETDNSADDRS: 1130 case SPPPGETKEEPALIVE: 1131 #if defined(COMPAT_50) || defined(MODULAR) 1132 case __SPPPGETIDLETO50: 1133 case __SPPPGETKEEPALIVE50: 1134 #endif /* COMPAT_50 || MODULAR */ 1135 error = sppp_params(sp, cmd, data); 1136 break; 1137 1138 default: 1139 error = ifioctl_common(ifp, cmd, data); 1140 break; 1141 } 1142 splx(s); 1143 return (error); 1144 } 1145 1146 1147 /* 1148 * Cisco framing implementation. 1149 */ 1150 1151 /* 1152 * Handle incoming Cisco keepalive protocol packets. 1153 */ 1154 static void 1155 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1156 { 1157 STDDCL; 1158 struct cisco_packet *h; 1159 #ifdef INET 1160 uint32_t me, mymask = 0; /* XXX: GCC */ 1161 #endif 1162 1163 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1164 if (debug) 1165 log(LOG_DEBUG, 1166 "%s: cisco invalid packet length: %d bytes\n", 1167 ifp->if_xname, m->m_pkthdr.len); 1168 return; 1169 } 1170 h = mtod(m, struct cisco_packet *); 1171 if (debug) 1172 log(LOG_DEBUG, 1173 "%s: cisco input: %d bytes " 1174 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1175 ifp->if_xname, m->m_pkthdr.len, 1176 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1177 (u_int)h->time0, (u_int)h->time1); 1178 switch (ntohl(h->type)) { 1179 default: 1180 if (debug) 1181 addlog("%s: cisco unknown packet type: 0x%x\n", 1182 ifp->if_xname, ntohl(h->type)); 1183 break; 1184 case CISCO_ADDR_REPLY: 1185 /* Reply on address request, ignore */ 1186 break; 1187 case CISCO_KEEPALIVE_REQ: 1188 sp->pp_alivecnt = 0; 1189 sp->pp_rseq[IDX_LCP] = ntohl(h->par1); 1190 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1191 /* Local and remote sequence numbers are equal. 1192 * Probably, the line is in loopback mode. */ 1193 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1194 printf ("%s: loopback\n", 1195 ifp->if_xname); 1196 sp->pp_loopcnt = 0; 1197 if (ifp->if_flags & IFF_UP) { 1198 if_down(ifp); 1199 IF_PURGE(&sp->pp_cpq); 1200 } 1201 } 1202 ++sp->pp_loopcnt; 1203 1204 /* Generate new local sequence number */ 1205 sp->pp_seq[IDX_LCP] = arc4random(); 1206 break; 1207 } 1208 sp->pp_loopcnt = 0; 1209 if (! (ifp->if_flags & IFF_UP) && 1210 (ifp->if_flags & IFF_RUNNING)) { 1211 if_up(ifp); 1212 } 1213 break; 1214 case CISCO_ADDR_REQ: 1215 #ifdef INET 1216 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1217 if (me != 0L) 1218 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1219 #endif 1220 break; 1221 } 1222 } 1223 1224 /* 1225 * Send Cisco keepalive packet. 1226 */ 1227 static void 1228 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1229 { 1230 STDDCL; 1231 struct ppp_header *h; 1232 struct cisco_packet *ch; 1233 struct mbuf *m; 1234 uint32_t t; 1235 1236 t = time_uptime * 1000; 1237 MGETHDR(m, M_DONTWAIT, MT_DATA); 1238 if (! m) 1239 return; 1240 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1241 m->m_pkthdr.rcvif = 0; 1242 1243 h = mtod(m, struct ppp_header *); 1244 h->address = CISCO_MULTICAST; 1245 h->control = 0; 1246 h->protocol = htons(CISCO_KEEPALIVE); 1247 1248 ch = (struct cisco_packet *)(h + 1); 1249 ch->type = htonl(type); 1250 ch->par1 = htonl(par1); 1251 ch->par2 = htonl(par2); 1252 ch->rel = -1; 1253 1254 ch->time0 = htons((u_short)(t >> 16)); 1255 ch->time1 = htons((u_short) t); 1256 1257 if (debug) 1258 log(LOG_DEBUG, 1259 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1260 ifp->if_xname, ntohl(ch->type), ch->par1, 1261 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1262 (u_int)ch->time1); 1263 1264 if (IF_QFULL(&sp->pp_cpq)) { 1265 IF_DROP(&sp->pp_fastq); 1266 IF_DROP(&ifp->if_snd); 1267 m_freem(m); 1268 ++ifp->if_oerrors; 1269 return; 1270 } else 1271 IF_ENQUEUE(&sp->pp_cpq, m); 1272 if (! (ifp->if_flags & IFF_OACTIVE)) 1273 (*ifp->if_start)(ifp); 1274 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1275 } 1276 1277 /* 1278 * PPP protocol implementation. 1279 */ 1280 1281 /* 1282 * Send PPP control protocol packet. 1283 */ 1284 static void 1285 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1286 u_char ident, u_short len, void *data) 1287 { 1288 STDDCL; 1289 struct lcp_header *lh; 1290 struct mbuf *m; 1291 size_t pkthdrlen; 1292 1293 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1294 1295 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1296 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1297 MGETHDR(m, M_DONTWAIT, MT_DATA); 1298 if (! m) 1299 return; 1300 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1301 m->m_pkthdr.rcvif = 0; 1302 1303 if (sp->pp_flags & PP_NOFRAMING) { 1304 *mtod(m, uint16_t *) = htons(proto); 1305 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1306 } else { 1307 struct ppp_header *h; 1308 h = mtod(m, struct ppp_header *); 1309 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1310 h->control = PPP_UI; /* Unnumbered Info */ 1311 h->protocol = htons(proto); /* Link Control Protocol */ 1312 lh = (struct lcp_header *)(h + 1); 1313 } 1314 lh->type = type; 1315 lh->ident = ident; 1316 lh->len = htons(LCP_HEADER_LEN + len); 1317 if (len) 1318 bcopy (data, lh + 1, len); 1319 1320 if (debug) { 1321 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1322 ifp->if_xname, 1323 sppp_proto_name(proto), 1324 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len)); 1325 if (len) 1326 sppp_print_bytes((u_char *)(lh + 1), len); 1327 addlog(">\n"); 1328 } 1329 if (IF_QFULL(&sp->pp_cpq)) { 1330 IF_DROP(&sp->pp_fastq); 1331 IF_DROP(&ifp->if_snd); 1332 m_freem(m); 1333 ++ifp->if_oerrors; 1334 return; 1335 } else 1336 IF_ENQUEUE(&sp->pp_cpq, m); 1337 if (! (ifp->if_flags & IFF_OACTIVE)) 1338 (*ifp->if_start)(ifp); 1339 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1340 } 1341 1342 /* 1343 * Handle incoming PPP control protocol packets. 1344 */ 1345 static void 1346 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1347 { 1348 STDDCL; 1349 struct lcp_header *h; 1350 int printlen, len = m->m_pkthdr.len; 1351 int rv; 1352 u_char *p; 1353 uint32_t u32; 1354 1355 if (len < 4) { 1356 if (debug) 1357 log(LOG_DEBUG, 1358 "%s: %s invalid packet length: %d bytes\n", 1359 ifp->if_xname, cp->name, len); 1360 return; 1361 } 1362 h = mtod(m, struct lcp_header *); 1363 if (debug) { 1364 printlen = ntohs(h->len); 1365 log(LOG_DEBUG, 1366 "%s: %s input(%s): <%s id=0x%x len=%d", 1367 ifp->if_xname, cp->name, 1368 sppp_state_name(sp->state[cp->protoidx]), 1369 sppp_cp_type_name(h->type), h->ident, printlen); 1370 if (len < printlen) 1371 printlen = len; 1372 if (printlen > 4) 1373 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1374 addlog(">\n"); 1375 } 1376 if (len > ntohs(h->len)) 1377 len = ntohs(h->len); 1378 p = (u_char *)(h + 1); 1379 switch (h->type) { 1380 case CONF_REQ: 1381 if (len < 4) { 1382 if (debug) 1383 addlog("%s: %s invalid conf-req length %d\n", 1384 ifp->if_xname, cp->name, 1385 len); 1386 ++ifp->if_ierrors; 1387 break; 1388 } 1389 /* handle states where RCR doesn't get a SCA/SCN */ 1390 switch (sp->state[cp->protoidx]) { 1391 case STATE_CLOSING: 1392 case STATE_STOPPING: 1393 return; 1394 case STATE_CLOSED: 1395 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1396 0, 0); 1397 return; 1398 } 1399 rv = (cp->RCR)(sp, h, len); 1400 if (rv < 0) { 1401 /* fatal error, shut down */ 1402 (cp->tld)(sp); 1403 sppp_lcp_tlf(sp); 1404 return; 1405 } 1406 switch (sp->state[cp->protoidx]) { 1407 case STATE_OPENED: 1408 (cp->tld)(sp); 1409 (cp->scr)(sp); 1410 /* fall through... */ 1411 case STATE_ACK_SENT: 1412 case STATE_REQ_SENT: 1413 sppp_cp_change_state(cp, sp, rv? 1414 STATE_ACK_SENT: STATE_REQ_SENT); 1415 break; 1416 case STATE_STOPPED: 1417 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1418 (cp->scr)(sp); 1419 sppp_cp_change_state(cp, sp, rv? 1420 STATE_ACK_SENT: STATE_REQ_SENT); 1421 break; 1422 case STATE_ACK_RCVD: 1423 if (rv) { 1424 sppp_cp_change_state(cp, sp, STATE_OPENED); 1425 if (debug) 1426 log(LOG_DEBUG, "%s: %s tlu\n", 1427 ifp->if_xname, 1428 cp->name); 1429 (cp->tlu)(sp); 1430 } else 1431 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1432 break; 1433 default: 1434 printf("%s: %s illegal %s in state %s\n", 1435 ifp->if_xname, cp->name, 1436 sppp_cp_type_name(h->type), 1437 sppp_state_name(sp->state[cp->protoidx])); 1438 ++ifp->if_ierrors; 1439 } 1440 break; 1441 case CONF_ACK: 1442 if (h->ident != sp->confid[cp->protoidx]) { 1443 if (debug) 1444 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1445 ifp->if_xname, cp->name, 1446 h->ident, sp->confid[cp->protoidx]); 1447 ++ifp->if_ierrors; 1448 break; 1449 } 1450 switch (sp->state[cp->protoidx]) { 1451 case STATE_CLOSED: 1452 case STATE_STOPPED: 1453 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1454 break; 1455 case STATE_CLOSING: 1456 case STATE_STOPPING: 1457 break; 1458 case STATE_REQ_SENT: 1459 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1460 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1461 break; 1462 case STATE_OPENED: 1463 (cp->tld)(sp); 1464 /* fall through */ 1465 case STATE_ACK_RCVD: 1466 (cp->scr)(sp); 1467 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1468 break; 1469 case STATE_ACK_SENT: 1470 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1471 sppp_cp_change_state(cp, sp, STATE_OPENED); 1472 if (debug) 1473 log(LOG_DEBUG, "%s: %s tlu\n", 1474 ifp->if_xname, cp->name); 1475 (cp->tlu)(sp); 1476 break; 1477 default: 1478 printf("%s: %s illegal %s in state %s\n", 1479 ifp->if_xname, cp->name, 1480 sppp_cp_type_name(h->type), 1481 sppp_state_name(sp->state[cp->protoidx])); 1482 ++ifp->if_ierrors; 1483 } 1484 break; 1485 case CONF_NAK: 1486 case CONF_REJ: 1487 if (h->ident != sp->confid[cp->protoidx]) { 1488 if (debug) 1489 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1490 ifp->if_xname, cp->name, 1491 h->ident, sp->confid[cp->protoidx]); 1492 ++ifp->if_ierrors; 1493 break; 1494 } 1495 if (h->type == CONF_NAK) 1496 (cp->RCN_nak)(sp, h, len); 1497 else /* CONF_REJ */ 1498 (cp->RCN_rej)(sp, h, len); 1499 1500 switch (sp->state[cp->protoidx]) { 1501 case STATE_CLOSED: 1502 case STATE_STOPPED: 1503 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1504 break; 1505 case STATE_REQ_SENT: 1506 case STATE_ACK_SENT: 1507 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1508 (cp->scr)(sp); 1509 break; 1510 case STATE_OPENED: 1511 (cp->tld)(sp); 1512 /* fall through */ 1513 case STATE_ACK_RCVD: 1514 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 1515 (cp->scr)(sp); 1516 break; 1517 case STATE_CLOSING: 1518 case STATE_STOPPING: 1519 break; 1520 default: 1521 printf("%s: %s illegal %s in state %s\n", 1522 ifp->if_xname, cp->name, 1523 sppp_cp_type_name(h->type), 1524 sppp_state_name(sp->state[cp->protoidx])); 1525 ++ifp->if_ierrors; 1526 } 1527 break; 1528 1529 case TERM_REQ: 1530 switch (sp->state[cp->protoidx]) { 1531 case STATE_ACK_RCVD: 1532 case STATE_ACK_SENT: 1533 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1534 /* fall through */ 1535 case STATE_CLOSED: 1536 case STATE_STOPPED: 1537 case STATE_CLOSING: 1538 case STATE_STOPPING: 1539 case STATE_REQ_SENT: 1540 sta: 1541 /* Send Terminate-Ack packet. */ 1542 if (debug) 1543 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 1544 ifp->if_xname, cp->name); 1545 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1546 break; 1547 case STATE_OPENED: 1548 (cp->tld)(sp); 1549 sp->rst_counter[cp->protoidx] = 0; 1550 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1551 goto sta; 1552 default: 1553 printf("%s: %s illegal %s in state %s\n", 1554 ifp->if_xname, cp->name, 1555 sppp_cp_type_name(h->type), 1556 sppp_state_name(sp->state[cp->protoidx])); 1557 ++ifp->if_ierrors; 1558 } 1559 break; 1560 case TERM_ACK: 1561 switch (sp->state[cp->protoidx]) { 1562 case STATE_CLOSED: 1563 case STATE_STOPPED: 1564 case STATE_REQ_SENT: 1565 case STATE_ACK_SENT: 1566 break; 1567 case STATE_CLOSING: 1568 (cp->tlf)(sp); 1569 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1570 sppp_lcp_check_and_close(sp); 1571 break; 1572 case STATE_STOPPING: 1573 (cp->tlf)(sp); 1574 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1575 sppp_lcp_check_and_close(sp); 1576 break; 1577 case STATE_ACK_RCVD: 1578 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1579 break; 1580 case STATE_OPENED: 1581 (cp->tld)(sp); 1582 (cp->scr)(sp); 1583 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1584 break; 1585 default: 1586 printf("%s: %s illegal %s in state %s\n", 1587 ifp->if_xname, cp->name, 1588 sppp_cp_type_name(h->type), 1589 sppp_state_name(sp->state[cp->protoidx])); 1590 ++ifp->if_ierrors; 1591 } 1592 break; 1593 case CODE_REJ: 1594 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1595 log(LOG_INFO, 1596 "%s: %s: ignoring RXJ (%s) for code ?, " 1597 "danger will robinson\n", 1598 ifp->if_xname, cp->name, 1599 sppp_cp_type_name(h->type)); 1600 switch (sp->state[cp->protoidx]) { 1601 case STATE_CLOSED: 1602 case STATE_STOPPED: 1603 case STATE_REQ_SENT: 1604 case STATE_ACK_SENT: 1605 case STATE_CLOSING: 1606 case STATE_STOPPING: 1607 case STATE_OPENED: 1608 break; 1609 case STATE_ACK_RCVD: 1610 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1611 break; 1612 default: 1613 printf("%s: %s illegal %s in state %s\n", 1614 ifp->if_xname, cp->name, 1615 sppp_cp_type_name(h->type), 1616 sppp_state_name(sp->state[cp->protoidx])); 1617 ++ifp->if_ierrors; 1618 } 1619 break; 1620 case PROTO_REJ: 1621 { 1622 int catastrophic; 1623 const struct cp *upper; 1624 int i; 1625 uint16_t proto; 1626 1627 catastrophic = 0; 1628 upper = NULL; 1629 proto = p[0] << 8 | p[1]; 1630 for (i = 0; i < IDX_COUNT; i++) { 1631 if (cps[i]->proto == proto) { 1632 upper = cps[i]; 1633 break; 1634 } 1635 } 1636 if (upper == NULL) 1637 catastrophic++; 1638 1639 if (debug) 1640 log(LOG_INFO, 1641 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1642 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1643 sppp_cp_type_name(h->type), proto, 1644 upper ? upper->name : "unknown", 1645 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1646 1647 /* 1648 * if we got RXJ+ against conf-req, the peer does not implement 1649 * this particular protocol type. terminate the protocol. 1650 */ 1651 if (upper && !catastrophic) { 1652 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1653 upper->Close(sp); 1654 break; 1655 } 1656 } 1657 1658 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1659 switch (sp->state[cp->protoidx]) { 1660 case STATE_CLOSED: 1661 case STATE_STOPPED: 1662 case STATE_REQ_SENT: 1663 case STATE_ACK_SENT: 1664 case STATE_CLOSING: 1665 case STATE_STOPPING: 1666 case STATE_OPENED: 1667 break; 1668 case STATE_ACK_RCVD: 1669 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1670 break; 1671 default: 1672 printf("%s: %s illegal %s in state %s\n", 1673 ifp->if_xname, cp->name, 1674 sppp_cp_type_name(h->type), 1675 sppp_state_name(sp->state[cp->protoidx])); 1676 ++ifp->if_ierrors; 1677 } 1678 break; 1679 } 1680 case DISC_REQ: 1681 if (cp->proto != PPP_LCP) 1682 goto illegal; 1683 /* Discard the packet. */ 1684 break; 1685 case ECHO_REQ: 1686 if (cp->proto != PPP_LCP) 1687 goto illegal; 1688 if (sp->state[cp->protoidx] != STATE_OPENED) { 1689 if (debug) 1690 addlog("%s: lcp echo req but lcp closed\n", 1691 ifp->if_xname); 1692 ++ifp->if_ierrors; 1693 break; 1694 } 1695 if (len < 8) { 1696 if (debug) 1697 addlog("%s: invalid lcp echo request " 1698 "packet length: %d bytes\n", 1699 ifp->if_xname, len); 1700 break; 1701 } 1702 memcpy(&u32, h + 1, sizeof u32); 1703 if (ntohl(u32) == sp->lcp.magic) { 1704 /* Line loopback mode detected. */ 1705 printf("%s: loopback\n", ifp->if_xname); 1706 if_down(ifp); 1707 IF_PURGE(&sp->pp_cpq); 1708 1709 /* Shut down the PPP link. */ 1710 /* XXX */ 1711 lcp.Down(sp); 1712 lcp.Up(sp); 1713 break; 1714 } 1715 u32 = htonl(sp->lcp.magic); 1716 memcpy(h + 1, &u32, sizeof u32); 1717 if (debug) 1718 addlog("%s: got lcp echo req, sending echo rep\n", 1719 ifp->if_xname); 1720 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1721 h + 1); 1722 break; 1723 case ECHO_REPLY: 1724 if (cp->proto != PPP_LCP) 1725 goto illegal; 1726 if (h->ident != sp->lcp.echoid) { 1727 ++ifp->if_ierrors; 1728 break; 1729 } 1730 if (len < 8) { 1731 if (debug) 1732 addlog("%s: lcp invalid echo reply " 1733 "packet length: %d bytes\n", 1734 ifp->if_xname, len); 1735 break; 1736 } 1737 if (debug) 1738 addlog("%s: lcp got echo rep\n", 1739 ifp->if_xname); 1740 memcpy(&u32, h + 1, sizeof u32); 1741 if (ntohl(u32) != sp->lcp.magic) 1742 sp->pp_alivecnt = 0; 1743 break; 1744 default: 1745 /* Unknown packet type -- send Code-Reject packet. */ 1746 illegal: 1747 if (debug) 1748 addlog("%s: %s send code-rej for 0x%x\n", 1749 ifp->if_xname, cp->name, h->type); 1750 sppp_cp_send(sp, cp->proto, CODE_REJ, 1751 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1752 ++ifp->if_ierrors; 1753 } 1754 } 1755 1756 1757 /* 1758 * The generic part of all Up/Down/Open/Close/TO event handlers. 1759 * Basically, the state transition handling in the automaton. 1760 */ 1761 static void 1762 sppp_up_event(const struct cp *cp, struct sppp *sp) 1763 { 1764 STDDCL; 1765 1766 if (debug) 1767 log(LOG_DEBUG, "%s: %s up(%s)\n", 1768 ifp->if_xname, cp->name, 1769 sppp_state_name(sp->state[cp->protoidx])); 1770 1771 switch (sp->state[cp->protoidx]) { 1772 case STATE_INITIAL: 1773 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1774 break; 1775 case STATE_STARTING: 1776 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1777 (cp->scr)(sp); 1778 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1779 break; 1780 default: 1781 printf("%s: %s illegal up in state %s\n", 1782 ifp->if_xname, cp->name, 1783 sppp_state_name(sp->state[cp->protoidx])); 1784 } 1785 } 1786 1787 static void 1788 sppp_down_event(const struct cp *cp, struct sppp *sp) 1789 { 1790 STDDCL; 1791 1792 if (debug) 1793 log(LOG_DEBUG, "%s: %s down(%s)\n", 1794 ifp->if_xname, cp->name, 1795 sppp_state_name(sp->state[cp->protoidx])); 1796 1797 switch (sp->state[cp->protoidx]) { 1798 case STATE_CLOSED: 1799 case STATE_CLOSING: 1800 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1801 break; 1802 case STATE_STOPPED: 1803 (cp->tls)(sp); 1804 /* fall through */ 1805 case STATE_STOPPING: 1806 case STATE_REQ_SENT: 1807 case STATE_ACK_RCVD: 1808 case STATE_ACK_SENT: 1809 sppp_cp_change_state(cp, sp, STATE_STARTING); 1810 break; 1811 case STATE_OPENED: 1812 (cp->tld)(sp); 1813 sppp_cp_change_state(cp, sp, STATE_STARTING); 1814 break; 1815 default: 1816 printf("%s: %s illegal down in state %s\n", 1817 ifp->if_xname, cp->name, 1818 sppp_state_name(sp->state[cp->protoidx])); 1819 } 1820 } 1821 1822 1823 static void 1824 sppp_open_event(const struct cp *cp, struct sppp *sp) 1825 { 1826 STDDCL; 1827 1828 if (debug) 1829 log(LOG_DEBUG, "%s: %s open(%s)\n", 1830 ifp->if_xname, cp->name, 1831 sppp_state_name(sp->state[cp->protoidx])); 1832 1833 switch (sp->state[cp->protoidx]) { 1834 case STATE_INITIAL: 1835 sppp_cp_change_state(cp, sp, STATE_STARTING); 1836 (cp->tls)(sp); 1837 break; 1838 case STATE_STARTING: 1839 break; 1840 case STATE_CLOSED: 1841 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1842 (cp->scr)(sp); 1843 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1844 break; 1845 case STATE_STOPPED: 1846 case STATE_STOPPING: 1847 case STATE_REQ_SENT: 1848 case STATE_ACK_RCVD: 1849 case STATE_ACK_SENT: 1850 case STATE_OPENED: 1851 break; 1852 case STATE_CLOSING: 1853 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1854 break; 1855 } 1856 } 1857 1858 1859 static void 1860 sppp_close_event(const struct cp *cp, struct sppp *sp) 1861 { 1862 STDDCL; 1863 1864 if (debug) 1865 log(LOG_DEBUG, "%s: %s close(%s)\n", 1866 ifp->if_xname, cp->name, 1867 sppp_state_name(sp->state[cp->protoidx])); 1868 1869 switch (sp->state[cp->protoidx]) { 1870 case STATE_INITIAL: 1871 case STATE_CLOSED: 1872 case STATE_CLOSING: 1873 break; 1874 case STATE_STARTING: 1875 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1876 (cp->tlf)(sp); 1877 break; 1878 case STATE_STOPPED: 1879 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1880 break; 1881 case STATE_STOPPING: 1882 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1883 break; 1884 case STATE_OPENED: 1885 (cp->tld)(sp); 1886 /* fall through */ 1887 case STATE_REQ_SENT: 1888 case STATE_ACK_RCVD: 1889 case STATE_ACK_SENT: 1890 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 1891 sppp_cp_send(sp, cp->proto, TERM_REQ, 1892 ++sp->pp_seq[cp->protoidx], 0, 0); 1893 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1894 break; 1895 } 1896 } 1897 1898 static void 1899 sppp_to_event(const struct cp *cp, struct sppp *sp) 1900 { 1901 STDDCL; 1902 int s; 1903 1904 s = splnet(); 1905 if (debug) 1906 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 1907 ifp->if_xname, cp->name, 1908 sppp_state_name(sp->state[cp->protoidx]), 1909 sp->rst_counter[cp->protoidx]); 1910 1911 if (--sp->rst_counter[cp->protoidx] < 0) 1912 /* TO- event */ 1913 switch (sp->state[cp->protoidx]) { 1914 case STATE_CLOSING: 1915 (cp->tlf)(sp); 1916 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1917 sppp_lcp_check_and_close(sp); 1918 break; 1919 case STATE_STOPPING: 1920 (cp->tlf)(sp); 1921 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1922 sppp_lcp_check_and_close(sp); 1923 break; 1924 case STATE_REQ_SENT: 1925 case STATE_ACK_RCVD: 1926 case STATE_ACK_SENT: 1927 (cp->tlf)(sp); 1928 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1929 sppp_lcp_check_and_close(sp); 1930 break; 1931 } 1932 else 1933 /* TO+ event */ 1934 switch (sp->state[cp->protoidx]) { 1935 case STATE_CLOSING: 1936 case STATE_STOPPING: 1937 sppp_cp_send(sp, cp->proto, TERM_REQ, 1938 ++sp->pp_seq[cp->protoidx], 0, 0); 1939 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1940 cp->TO, sp); 1941 break; 1942 case STATE_REQ_SENT: 1943 case STATE_ACK_RCVD: 1944 (cp->scr)(sp); 1945 /* sppp_cp_change_state() will restart the timer */ 1946 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1947 break; 1948 case STATE_ACK_SENT: 1949 (cp->scr)(sp); 1950 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1951 cp->TO, sp); 1952 break; 1953 } 1954 1955 splx(s); 1956 } 1957 1958 /* 1959 * Change the state of a control protocol in the state automaton. 1960 * Takes care of starting/stopping the restart timer. 1961 */ 1962 void 1963 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 1964 { 1965 sp->state[cp->protoidx] = newstate; 1966 callout_stop(&sp->ch[cp->protoidx]); 1967 switch (newstate) { 1968 case STATE_INITIAL: 1969 case STATE_STARTING: 1970 case STATE_CLOSED: 1971 case STATE_STOPPED: 1972 case STATE_OPENED: 1973 break; 1974 case STATE_CLOSING: 1975 case STATE_STOPPING: 1976 case STATE_REQ_SENT: 1977 case STATE_ACK_RCVD: 1978 case STATE_ACK_SENT: 1979 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1980 cp->TO, sp); 1981 break; 1982 } 1983 } 1984 1985 /* 1986 *--------------------------------------------------------------------------* 1987 * * 1988 * The LCP implementation. * 1989 * * 1990 *--------------------------------------------------------------------------* 1991 */ 1992 static void 1993 sppp_lcp_init(struct sppp *sp) 1994 { 1995 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 1996 sp->lcp.magic = 0; 1997 sp->state[IDX_LCP] = STATE_INITIAL; 1998 sp->fail_counter[IDX_LCP] = 0; 1999 sp->pp_seq[IDX_LCP] = 0; 2000 sp->pp_rseq[IDX_LCP] = 0; 2001 sp->lcp.protos = 0; 2002 2003 /* 2004 * Initialize counters and timeout values. Note that we don't 2005 * use the 3 seconds suggested in RFC 1661 since we are likely 2006 * running on a fast link. XXX We should probably implement 2007 * the exponential backoff option. Note that these values are 2008 * relevant for all control protocols, not just LCP only. 2009 */ 2010 sp->lcp.timeout = 1 * hz; 2011 sp->lcp.max_terminate = 2; 2012 sp->lcp.max_configure = 10; 2013 sp->lcp.max_failure = 10; 2014 callout_init(&sp->ch[IDX_LCP], 0); 2015 } 2016 2017 static void 2018 sppp_lcp_up(struct sppp *sp) 2019 { 2020 STDDCL; 2021 2022 /* Initialize activity timestamp: opening a connection is an activity */ 2023 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 2024 2025 /* 2026 * If this interface is passive or dial-on-demand, and we are 2027 * still in Initial state, it means we've got an incoming 2028 * call. Activate the interface. 2029 */ 2030 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2031 if (debug) 2032 log(LOG_DEBUG, 2033 "%s: Up event", ifp->if_xname); 2034 ifp->if_flags |= IFF_RUNNING; 2035 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2036 if (debug) 2037 addlog("(incoming call)\n"); 2038 sp->pp_flags |= PP_CALLIN; 2039 lcp.Open(sp); 2040 } else if (debug) 2041 addlog("\n"); 2042 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2043 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2044 ifp->if_flags |= IFF_RUNNING; 2045 lcp.Open(sp); 2046 } 2047 2048 sppp_up_event(&lcp, sp); 2049 } 2050 2051 static void 2052 sppp_lcp_down(struct sppp *sp) 2053 { 2054 STDDCL; 2055 2056 sppp_down_event(&lcp, sp); 2057 2058 /* 2059 * If this is neither a dial-on-demand nor a passive 2060 * interface, simulate an ``ifconfig down'' action, so the 2061 * administrator can force a redial by another ``ifconfig 2062 * up''. XXX For leased line operation, should we immediately 2063 * try to reopen the connection here? 2064 */ 2065 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2066 if (debug) 2067 log(LOG_INFO, 2068 "%s: Down event (carrier loss), taking interface down.\n", 2069 ifp->if_xname); 2070 if_down(ifp); 2071 } else { 2072 if (debug) 2073 log(LOG_DEBUG, 2074 "%s: Down event (carrier loss)\n", 2075 ifp->if_xname); 2076 } 2077 sp->pp_flags &= ~PP_CALLIN; 2078 if (sp->state[IDX_LCP] != STATE_INITIAL) 2079 lcp.Close(sp); 2080 ifp->if_flags &= ~IFF_RUNNING; 2081 } 2082 2083 static void 2084 sppp_lcp_open(struct sppp *sp) 2085 { 2086 if (sp->pp_if.if_mtu < PP_MTU) { 2087 sp->lcp.mru = sp->pp_if.if_mtu; 2088 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2089 } else 2090 sp->lcp.mru = PP_MTU; 2091 sp->lcp.their_mru = PP_MTU; 2092 2093 /* 2094 * If we are authenticator, negotiate LCP_AUTH 2095 */ 2096 if (sp->hisauth.proto != 0) 2097 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2098 else 2099 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2100 sp->pp_flags &= ~PP_NEEDAUTH; 2101 sppp_open_event(&lcp, sp); 2102 } 2103 2104 static void 2105 sppp_lcp_close(struct sppp *sp) 2106 { 2107 sppp_close_event(&lcp, sp); 2108 } 2109 2110 static void 2111 sppp_lcp_TO(void *cookie) 2112 { 2113 sppp_to_event(&lcp, (struct sppp *)cookie); 2114 } 2115 2116 /* 2117 * Analyze a configure request. Return true if it was agreeable, and 2118 * caused action sca, false if it has been rejected or nak'ed, and 2119 * caused action scn. (The return value is used to make the state 2120 * transition decision in the state automaton.) 2121 */ 2122 static int 2123 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2124 { 2125 STDDCL; 2126 u_char *buf, *r, *p; 2127 int origlen, rlen; 2128 uint32_t nmagic; 2129 u_short authproto; 2130 2131 len -= 4; 2132 origlen = len; 2133 buf = r = malloc (len, M_TEMP, M_NOWAIT); 2134 if (! buf) 2135 return (0); 2136 2137 if (debug) 2138 log(LOG_DEBUG, "%s: lcp parse opts:", 2139 ifp->if_xname); 2140 2141 /* pass 1: check for things that need to be rejected */ 2142 p = (void *)(h + 1); 2143 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2144 /* Sanity check option length */ 2145 if (p[1] > len) { 2146 /* 2147 * Malicious option - drop immediately. 2148 * XXX Maybe we should just RXJ it? 2149 */ 2150 addlog("%s: received malicious LCP option 0x%02x, " 2151 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2152 p[0], p[1], len); 2153 goto drop; 2154 } 2155 if (debug) 2156 addlog(" %s", sppp_lcp_opt_name(*p)); 2157 switch (*p) { 2158 case LCP_OPT_MAGIC: 2159 /* Magic number. */ 2160 /* fall through, both are same length */ 2161 case LCP_OPT_ASYNC_MAP: 2162 /* Async control character map. */ 2163 if (len >= 6 || p[1] == 6) 2164 continue; 2165 if (debug) 2166 addlog(" [invalid]"); 2167 break; 2168 case LCP_OPT_MRU: 2169 /* Maximum receive unit. */ 2170 if (len >= 4 && p[1] == 4) 2171 continue; 2172 if (debug) 2173 addlog(" [invalid]"); 2174 break; 2175 case LCP_OPT_AUTH_PROTO: 2176 if (len < 4) { 2177 if (debug) 2178 addlog(" [invalid]"); 2179 break; 2180 } 2181 authproto = (p[2] << 8) + p[3]; 2182 if (authproto == PPP_CHAP && p[1] != 5) { 2183 if (debug) 2184 addlog(" [invalid chap len]"); 2185 break; 2186 } 2187 if (sp->myauth.proto == 0) { 2188 /* we are not configured to do auth */ 2189 if (debug) 2190 addlog(" [not configured]"); 2191 break; 2192 } 2193 /* 2194 * Remote want us to authenticate, remember this, 2195 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2196 * up. 2197 */ 2198 sp->pp_flags |= PP_NEEDAUTH; 2199 continue; 2200 default: 2201 /* Others not supported. */ 2202 if (debug) 2203 addlog(" [rej]"); 2204 break; 2205 } 2206 /* Add the option to rejected list. */ 2207 bcopy (p, r, p[1]); 2208 r += p[1]; 2209 rlen += p[1]; 2210 } 2211 if (rlen) { 2212 if (debug) 2213 addlog(" send conf-rej\n"); 2214 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2215 goto end; 2216 } else if (debug) 2217 addlog("\n"); 2218 2219 /* 2220 * pass 2: check for option values that are unacceptable and 2221 * thus require to be nak'ed. 2222 */ 2223 if (debug) 2224 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2225 ifp->if_xname); 2226 2227 p = (void *)(h + 1); 2228 len = origlen; 2229 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2230 if (debug) 2231 addlog(" %s", sppp_lcp_opt_name(*p)); 2232 switch (*p) { 2233 case LCP_OPT_MAGIC: 2234 /* Magic number -- extract. */ 2235 nmagic = (uint32_t)p[2] << 24 | 2236 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2237 if (nmagic != sp->lcp.magic) { 2238 if (debug) 2239 addlog(" 0x%x", nmagic); 2240 continue; 2241 } 2242 /* 2243 * Local and remote magics equal -- loopback? 2244 */ 2245 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2246 printf ("%s: loopback\n", 2247 ifp->if_xname); 2248 sp->pp_loopcnt = 0; 2249 if (ifp->if_flags & IFF_UP) { 2250 if_down(ifp); 2251 IF_PURGE(&sp->pp_cpq); 2252 /* XXX ? */ 2253 lcp.Down(sp); 2254 lcp.Up(sp); 2255 } 2256 } else if (debug) 2257 addlog(" [glitch]"); 2258 ++sp->pp_loopcnt; 2259 /* 2260 * We negate our magic here, and NAK it. If 2261 * we see it later in an NAK packet, we 2262 * suggest a new one. 2263 */ 2264 nmagic = ~sp->lcp.magic; 2265 /* Gonna NAK it. */ 2266 p[2] = nmagic >> 24; 2267 p[3] = nmagic >> 16; 2268 p[4] = nmagic >> 8; 2269 p[5] = nmagic; 2270 break; 2271 2272 case LCP_OPT_ASYNC_MAP: 2273 /* 2274 * Async control character map -- just ignore it. 2275 * 2276 * Quote from RFC 1662, chapter 6: 2277 * To enable this functionality, synchronous PPP 2278 * implementations MUST always respond to the 2279 * Async-Control-Character-Map Configuration 2280 * Option with the LCP Configure-Ack. However, 2281 * acceptance of the Configuration Option does 2282 * not imply that the synchronous implementation 2283 * will do any ACCM mapping. Instead, all such 2284 * octet mapping will be performed by the 2285 * asynchronous-to-synchronous converter. 2286 */ 2287 continue; 2288 2289 case LCP_OPT_MRU: 2290 /* 2291 * Maximum receive unit. Always agreeable, 2292 * but ignored by now. 2293 */ 2294 sp->lcp.their_mru = p[2] * 256 + p[3]; 2295 if (debug) 2296 addlog(" %ld", sp->lcp.their_mru); 2297 continue; 2298 2299 case LCP_OPT_AUTH_PROTO: 2300 authproto = (p[2] << 8) + p[3]; 2301 if (sp->myauth.proto != authproto) { 2302 /* not agreed, nak */ 2303 if (debug) 2304 addlog(" [mine %s != his %s]", 2305 sppp_proto_name(sp->myauth.proto), 2306 sppp_proto_name(authproto)); 2307 p[2] = sp->myauth.proto >> 8; 2308 p[3] = sp->myauth.proto; 2309 break; 2310 } 2311 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2312 if (debug) 2313 addlog(" [chap not MD5]"); 2314 p[4] = CHAP_MD5; 2315 break; 2316 } 2317 continue; 2318 } 2319 /* Add the option to nak'ed list. */ 2320 bcopy (p, r, p[1]); 2321 r += p[1]; 2322 rlen += p[1]; 2323 } 2324 if (rlen) { 2325 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2326 if (debug) 2327 addlog(" max_failure (%d) exceeded, " 2328 "send conf-rej\n", 2329 sp->lcp.max_failure); 2330 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2331 } else { 2332 if (debug) 2333 addlog(" send conf-nak\n"); 2334 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2335 } 2336 goto end; 2337 } else { 2338 if (debug) 2339 addlog(" send conf-ack\n"); 2340 sp->fail_counter[IDX_LCP] = 0; 2341 sp->pp_loopcnt = 0; 2342 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1); 2343 } 2344 2345 end: 2346 free(buf, M_TEMP); 2347 return (rlen == 0); 2348 2349 drop: 2350 free(buf, M_TEMP); 2351 return -1; 2352 } 2353 2354 /* 2355 * Analyze the LCP Configure-Reject option list, and adjust our 2356 * negotiation. 2357 */ 2358 static void 2359 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2360 { 2361 STDDCL; 2362 u_char *buf, *p; 2363 2364 len -= 4; 2365 buf = malloc (len, M_TEMP, M_NOWAIT); 2366 if (!buf) 2367 return; 2368 2369 if (debug) 2370 log(LOG_DEBUG, "%s: lcp rej opts:", 2371 ifp->if_xname); 2372 2373 p = (void *)(h + 1); 2374 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2375 /* Sanity check option length */ 2376 if (p[1] > len) { 2377 /* 2378 * Malicious option - drop immediately. 2379 * XXX Maybe we should just RXJ it? 2380 */ 2381 addlog("%s: received malicious LCP option, " 2382 "dropping.\n", ifp->if_xname); 2383 goto drop; 2384 } 2385 if (debug) 2386 addlog(" %s", sppp_lcp_opt_name(*p)); 2387 switch (*p) { 2388 case LCP_OPT_MAGIC: 2389 /* Magic number -- can't use it, use 0 */ 2390 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2391 sp->lcp.magic = 0; 2392 break; 2393 case LCP_OPT_MRU: 2394 /* 2395 * We try to negotiate a lower MRU if the underlying 2396 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 2397 * peer rejects this lower rate, fallback to the 2398 * default. 2399 */ 2400 if (debug) { 2401 addlog("%s: warning: peer rejected our MRU of " 2402 "%ld bytes. Defaulting to %d bytes\n", 2403 ifp->if_xname, sp->lcp.mru, PP_MTU); 2404 } 2405 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2406 sp->lcp.mru = PP_MTU; 2407 break; 2408 case LCP_OPT_AUTH_PROTO: 2409 /* 2410 * Peer doesn't want to authenticate himself, 2411 * deny unless this is a dialout call, and 2412 * SPPP_AUTHFLAG_NOCALLOUT is set. 2413 */ 2414 if ((sp->pp_flags & PP_CALLIN) == 0 && 2415 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 2416 if (debug) 2417 addlog(" [don't insist on auth " 2418 "for callout]"); 2419 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2420 break; 2421 } 2422 if (debug) 2423 addlog("[access denied]\n"); 2424 lcp.Close(sp); 2425 break; 2426 } 2427 } 2428 if (debug) 2429 addlog("\n"); 2430 drop: 2431 free(buf, M_TEMP); 2432 return; 2433 } 2434 2435 /* 2436 * Analyze the LCP Configure-NAK option list, and adjust our 2437 * negotiation. 2438 */ 2439 static void 2440 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2441 { 2442 STDDCL; 2443 u_char *buf, *p; 2444 uint32_t magic; 2445 2446 len -= 4; 2447 buf = malloc (len, M_TEMP, M_NOWAIT); 2448 if (!buf) 2449 return; 2450 2451 if (debug) 2452 log(LOG_DEBUG, "%s: lcp nak opts:", 2453 ifp->if_xname); 2454 2455 p = (void *)(h + 1); 2456 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2457 /* Sanity check option length */ 2458 if (p[1] > len) { 2459 /* 2460 * Malicious option - drop immediately. 2461 * XXX Maybe we should just RXJ it? 2462 */ 2463 addlog("%s: received malicious LCP option, " 2464 "dropping.\n", ifp->if_xname); 2465 goto drop; 2466 } 2467 if (debug) 2468 addlog(" %s", sppp_lcp_opt_name(*p)); 2469 switch (*p) { 2470 case LCP_OPT_MAGIC: 2471 /* Magic number -- renegotiate */ 2472 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2473 len >= 6 && p[1] == 6) { 2474 magic = (uint32_t)p[2] << 24 | 2475 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2476 /* 2477 * If the remote magic is our negated one, 2478 * this looks like a loopback problem. 2479 * Suggest a new magic to make sure. 2480 */ 2481 if (magic == ~sp->lcp.magic) { 2482 if (debug) 2483 addlog(" magic glitch"); 2484 sp->lcp.magic = arc4random(); 2485 } else { 2486 sp->lcp.magic = magic; 2487 if (debug) 2488 addlog(" %d", magic); 2489 } 2490 } 2491 break; 2492 case LCP_OPT_MRU: 2493 /* 2494 * Peer wants to advise us to negotiate an MRU. 2495 * Agree on it if it's reasonable, or use 2496 * default otherwise. 2497 */ 2498 if (len >= 4 && p[1] == 4) { 2499 u_int mru = p[2] * 256 + p[3]; 2500 if (debug) 2501 addlog(" %d", mru); 2502 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 2503 mru = sp->pp_if.if_mtu; 2504 sp->lcp.mru = mru; 2505 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2506 } 2507 break; 2508 case LCP_OPT_AUTH_PROTO: 2509 /* 2510 * Peer doesn't like our authentication method, 2511 * deny. 2512 */ 2513 if (debug) 2514 addlog("[access denied]\n"); 2515 lcp.Close(sp); 2516 break; 2517 } 2518 } 2519 if (debug) 2520 addlog("\n"); 2521 drop: 2522 free(buf, M_TEMP); 2523 return; 2524 } 2525 2526 static void 2527 sppp_lcp_tlu(struct sppp *sp) 2528 { 2529 STDDCL; 2530 int i; 2531 uint32_t mask; 2532 2533 /* XXX ? */ 2534 if (! (ifp->if_flags & IFF_UP) && 2535 (ifp->if_flags & IFF_RUNNING)) { 2536 /* Coming out of loopback mode. */ 2537 if_up(ifp); 2538 } 2539 2540 for (i = 0; i < IDX_COUNT; i++) 2541 if ((cps[i])->flags & CP_QUAL) 2542 (cps[i])->Open(sp); 2543 2544 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2545 (sp->pp_flags & PP_NEEDAUTH) != 0) 2546 sp->pp_phase = SPPP_PHASE_AUTHENTICATE; 2547 else 2548 sp->pp_phase = SPPP_PHASE_NETWORK; 2549 2550 if (debug) 2551 { 2552 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2553 sppp_phase_name(sp->pp_phase)); 2554 } 2555 2556 /* 2557 * Open all authentication protocols. This is even required 2558 * if we already proceeded to network phase, since it might be 2559 * that remote wants us to authenticate, so we might have to 2560 * send a PAP request. Undesired authentication protocols 2561 * don't do anything when they get an Open event. 2562 */ 2563 for (i = 0; i < IDX_COUNT; i++) 2564 if ((cps[i])->flags & CP_AUTH) 2565 (cps[i])->Open(sp); 2566 2567 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 2568 /* Notify all NCPs. */ 2569 for (i = 0; i < IDX_COUNT; i++) 2570 if ((cps[i])->flags & CP_NCP) 2571 (cps[i])->Open(sp); 2572 } 2573 2574 /* Send Up events to all started protos. */ 2575 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2576 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) 2577 (cps[i])->Up(sp); 2578 2579 /* notify low-level driver of state change */ 2580 if (sp->pp_chg) 2581 sp->pp_chg(sp, (int)sp->pp_phase); 2582 2583 if (sp->pp_phase == SPPP_PHASE_NETWORK) 2584 /* if no NCP is starting, close down */ 2585 sppp_lcp_check_and_close(sp); 2586 } 2587 2588 static void 2589 sppp_lcp_tld(struct sppp *sp) 2590 { 2591 STDDCL; 2592 int i; 2593 uint32_t mask; 2594 2595 sp->pp_phase = SPPP_PHASE_TERMINATE; 2596 2597 if (debug) 2598 { 2599 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2600 sppp_phase_name(sp->pp_phase)); 2601 } 2602 2603 /* 2604 * Take upper layers down. We send the Down event first and 2605 * the Close second to prevent the upper layers from sending 2606 * ``a flurry of terminate-request packets'', as the RFC 2607 * describes it. 2608 */ 2609 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2610 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2611 (cps[i])->Down(sp); 2612 (cps[i])->Close(sp); 2613 } 2614 } 2615 2616 static void 2617 sppp_lcp_tls(struct sppp *sp) 2618 { 2619 STDDCL; 2620 2621 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 2622 printf("%s: authentication failed %d times, not retrying again\n", 2623 sp->pp_if.if_xname, sp->pp_auth_failures); 2624 if_down(&sp->pp_if); 2625 return; 2626 } 2627 2628 sp->pp_phase = SPPP_PHASE_ESTABLISH; 2629 2630 if (debug) 2631 { 2632 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2633 sppp_phase_name(sp->pp_phase)); 2634 } 2635 2636 /* Notify lower layer if desired. */ 2637 if (sp->pp_tls) 2638 (sp->pp_tls)(sp); 2639 } 2640 2641 static void 2642 sppp_lcp_tlf(struct sppp *sp) 2643 { 2644 STDDCL; 2645 2646 sp->pp_phase = SPPP_PHASE_DEAD; 2647 2648 if (debug) 2649 { 2650 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2651 sppp_phase_name(sp->pp_phase)); 2652 } 2653 2654 /* Notify lower layer if desired. */ 2655 if (sp->pp_tlf) 2656 (sp->pp_tlf)(sp); 2657 } 2658 2659 static void 2660 sppp_lcp_scr(struct sppp *sp) 2661 { 2662 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2663 int i = 0; 2664 u_short authproto; 2665 2666 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2667 if (! sp->lcp.magic) 2668 sp->lcp.magic = arc4random(); 2669 opt[i++] = LCP_OPT_MAGIC; 2670 opt[i++] = 6; 2671 opt[i++] = sp->lcp.magic >> 24; 2672 opt[i++] = sp->lcp.magic >> 16; 2673 opt[i++] = sp->lcp.magic >> 8; 2674 opt[i++] = sp->lcp.magic; 2675 } 2676 2677 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2678 opt[i++] = LCP_OPT_MRU; 2679 opt[i++] = 4; 2680 opt[i++] = sp->lcp.mru >> 8; 2681 opt[i++] = sp->lcp.mru; 2682 } 2683 2684 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2685 authproto = sp->hisauth.proto; 2686 opt[i++] = LCP_OPT_AUTH_PROTO; 2687 opt[i++] = authproto == PPP_CHAP? 5: 4; 2688 opt[i++] = authproto >> 8; 2689 opt[i++] = authproto; 2690 if (authproto == PPP_CHAP) 2691 opt[i++] = CHAP_MD5; 2692 } 2693 2694 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2695 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2696 } 2697 2698 /* 2699 * Check the open NCPs, return true if at least one NCP is open. 2700 */ 2701 static int 2702 sppp_ncp_check(struct sppp *sp) 2703 { 2704 int i, mask; 2705 2706 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2707 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2708 return 1; 2709 return 0; 2710 } 2711 2712 /* 2713 * Re-check the open NCPs and see if we should terminate the link. 2714 * Called by the NCPs during their tlf action handling. 2715 */ 2716 static void 2717 sppp_lcp_check_and_close(struct sppp *sp) 2718 { 2719 2720 if (sp->pp_phase < SPPP_PHASE_NETWORK) 2721 /* don't bother, we are already going down */ 2722 return; 2723 2724 if (sppp_ncp_check(sp)) 2725 return; 2726 2727 lcp.Close(sp); 2728 } 2729 2730 2731 /* 2732 *--------------------------------------------------------------------------* 2733 * * 2734 * The IPCP implementation. * 2735 * * 2736 *--------------------------------------------------------------------------* 2737 */ 2738 2739 static void 2740 sppp_ipcp_init(struct sppp *sp) 2741 { 2742 sp->ipcp.opts = 0; 2743 sp->ipcp.flags = 0; 2744 sp->state[IDX_IPCP] = STATE_INITIAL; 2745 sp->fail_counter[IDX_IPCP] = 0; 2746 sp->pp_seq[IDX_IPCP] = 0; 2747 sp->pp_rseq[IDX_IPCP] = 0; 2748 callout_init(&sp->ch[IDX_IPCP], 0); 2749 } 2750 2751 static void 2752 sppp_ipcp_up(struct sppp *sp) 2753 { 2754 sppp_up_event(&ipcp, sp); 2755 } 2756 2757 static void 2758 sppp_ipcp_down(struct sppp *sp) 2759 { 2760 sppp_down_event(&ipcp, sp); 2761 } 2762 2763 static void 2764 sppp_ipcp_open(struct sppp *sp) 2765 { 2766 STDDCL; 2767 uint32_t myaddr, hisaddr; 2768 2769 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 2770 sp->ipcp.req_myaddr = 0; 2771 sp->ipcp.req_hisaddr = 0; 2772 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 2773 2774 #ifdef INET 2775 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 2776 #else 2777 myaddr = hisaddr = 0; 2778 #endif 2779 /* 2780 * If we don't have his address, this probably means our 2781 * interface doesn't want to talk IP at all. (This could 2782 * be the case if somebody wants to speak only IPX, for 2783 * example.) Don't open IPCP in this case. 2784 */ 2785 if (hisaddr == 0) { 2786 /* XXX this message should go away */ 2787 if (debug) 2788 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 2789 ifp->if_xname); 2790 return; 2791 } 2792 2793 if (myaddr == 0) { 2794 /* 2795 * I don't have an assigned address, so i need to 2796 * negotiate my address. 2797 */ 2798 sp->ipcp.flags |= IPCP_MYADDR_DYN; 2799 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 2800 } 2801 if (hisaddr == 1) { 2802 /* 2803 * XXX - remove this hack! 2804 * remote has no valid address, we need to get one assigned. 2805 */ 2806 sp->ipcp.flags |= IPCP_HISADDR_DYN; 2807 } 2808 sppp_open_event(&ipcp, sp); 2809 } 2810 2811 static void 2812 sppp_ipcp_close(struct sppp *sp) 2813 { 2814 STDDCL; 2815 2816 sppp_close_event(&ipcp, sp); 2817 #ifdef INET 2818 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) 2819 /* 2820 * Some address was dynamic, clear it again. 2821 */ 2822 sppp_clear_ip_addrs(sp); 2823 #endif 2824 2825 if (sp->pp_saved_mtu > 0) { 2826 ifp->if_mtu = sp->pp_saved_mtu; 2827 sp->pp_saved_mtu = 0; 2828 if (debug) 2829 log(LOG_DEBUG, 2830 "%s: resetting MTU to %" PRIu64 " bytes\n", 2831 ifp->if_xname, ifp->if_mtu); 2832 } 2833 } 2834 2835 static void 2836 sppp_ipcp_TO(void *cookie) 2837 { 2838 sppp_to_event(&ipcp, (struct sppp *)cookie); 2839 } 2840 2841 /* 2842 * Analyze a configure request. Return true if it was agreeable, and 2843 * caused action sca, false if it has been rejected or nak'ed, and 2844 * caused action scn. (The return value is used to make the state 2845 * transition decision in the state automaton.) 2846 */ 2847 static int 2848 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2849 { 2850 u_char *buf, *r, *p; 2851 struct ifnet *ifp = &sp->pp_if; 2852 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 2853 uint32_t hisaddr, desiredaddr; 2854 2855 len -= 4; 2856 origlen = len; 2857 /* 2858 * Make sure to allocate a buf that can at least hold a 2859 * conf-nak with an `address' option. We might need it below. 2860 */ 2861 buf = r = malloc ((len < 6? 6: len), M_TEMP, M_NOWAIT); 2862 if (! buf) 2863 return (0); 2864 2865 /* pass 1: see if we can recognize them */ 2866 if (debug) 2867 log(LOG_DEBUG, "%s: ipcp parse opts:", 2868 ifp->if_xname); 2869 p = (void *)(h + 1); 2870 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2871 /* Sanity check option length */ 2872 if (p[1] > len) { 2873 /* XXX should we just RXJ? */ 2874 addlog("%s: malicious IPCP option received, dropping\n", 2875 ifp->if_xname); 2876 goto drop; 2877 } 2878 if (debug) 2879 addlog(" %s", sppp_ipcp_opt_name(*p)); 2880 switch (*p) { 2881 #ifdef notyet 2882 case IPCP_OPT_COMPRESSION: 2883 if (len >= 6 && p[1] >= 6) { 2884 /* correctly formed compress option */ 2885 continue; 2886 } 2887 if (debug) 2888 addlog(" [invalid]"); 2889 break; 2890 #endif 2891 case IPCP_OPT_ADDRESS: 2892 if (len >= 6 && p[1] == 6) { 2893 /* correctly formed address option */ 2894 continue; 2895 } 2896 if (debug) 2897 addlog(" [invalid]"); 2898 break; 2899 default: 2900 /* Others not supported. */ 2901 if (debug) 2902 addlog(" [rej]"); 2903 break; 2904 } 2905 /* Add the option to rejected list. */ 2906 bcopy (p, r, p[1]); 2907 r += p[1]; 2908 rlen += p[1]; 2909 } 2910 if (rlen) { 2911 if (debug) 2912 addlog(" send conf-rej\n"); 2913 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 2914 goto end; 2915 } else if (debug) 2916 addlog("\n"); 2917 2918 /* pass 2: parse option values */ 2919 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 2920 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 2921 else 2922 #ifdef INET 2923 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 2924 #else 2925 hisaddr = 0; 2926 #endif 2927 if (debug) 2928 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 2929 ifp->if_xname); 2930 p = (void *)(h + 1); 2931 len = origlen; 2932 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2933 if (debug) 2934 addlog(" %s", sppp_ipcp_opt_name(*p)); 2935 switch (*p) { 2936 #ifdef notyet 2937 case IPCP_OPT_COMPRESSION: 2938 continue; 2939 #endif 2940 case IPCP_OPT_ADDRESS: 2941 desiredaddr = p[2] << 24 | p[3] << 16 | 2942 p[4] << 8 | p[5]; 2943 if (desiredaddr == hisaddr || 2944 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 2945 /* 2946 * Peer's address is same as our value, 2947 * this is agreeable. Gonna conf-ack 2948 * it. 2949 */ 2950 if (debug) 2951 addlog(" %s [ack]", 2952 sppp_dotted_quad(hisaddr)); 2953 /* record that we've seen it already */ 2954 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 2955 sp->ipcp.req_hisaddr = desiredaddr; 2956 hisaddr = desiredaddr; 2957 continue; 2958 } 2959 /* 2960 * The address wasn't agreeable. This is either 2961 * he sent us 0.0.0.0, asking to assign him an 2962 * address, or he send us another address not 2963 * matching our value. Either case, we gonna 2964 * conf-nak it with our value. 2965 */ 2966 if (debug) { 2967 if (desiredaddr == 0) 2968 addlog(" [addr requested]"); 2969 else 2970 addlog(" %s [not agreed]", 2971 sppp_dotted_quad(desiredaddr)); 2972 } 2973 2974 p[2] = hisaddr >> 24; 2975 p[3] = hisaddr >> 16; 2976 p[4] = hisaddr >> 8; 2977 p[5] = hisaddr; 2978 break; 2979 } 2980 /* Add the option to nak'ed list. */ 2981 bcopy (p, r, p[1]); 2982 r += p[1]; 2983 rlen += p[1]; 2984 } 2985 2986 /* 2987 * If we are about to conf-ack the request, but haven't seen 2988 * his address so far, gonna conf-nak it instead, with the 2989 * `address' option present and our idea of his address being 2990 * filled in there, to request negotiation of both addresses. 2991 * 2992 * XXX This can result in an endless req - nak loop if peer 2993 * doesn't want to send us his address. Q: What should we do 2994 * about it? XXX A: implement the max-failure counter. 2995 */ 2996 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) { 2997 buf[0] = IPCP_OPT_ADDRESS; 2998 buf[1] = 6; 2999 buf[2] = hisaddr >> 24; 3000 buf[3] = hisaddr >> 16; 3001 buf[4] = hisaddr >> 8; 3002 buf[5] = hisaddr; 3003 rlen = 6; 3004 if (debug) 3005 addlog(" still need hisaddr"); 3006 } 3007 3008 if (rlen) { 3009 if (debug) 3010 addlog(" send conf-nak\n"); 3011 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3012 } else { 3013 if (debug) 3014 addlog(" send conf-ack\n"); 3015 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1); 3016 } 3017 3018 end: 3019 free(buf, M_TEMP); 3020 return (rlen == 0); 3021 3022 drop: 3023 free(buf, M_TEMP); 3024 return -1; 3025 } 3026 3027 /* 3028 * Analyze the IPCP Configure-Reject option list, and adjust our 3029 * negotiation. 3030 */ 3031 static void 3032 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3033 { 3034 u_char *buf, *p; 3035 struct ifnet *ifp = &sp->pp_if; 3036 int debug = ifp->if_flags & IFF_DEBUG; 3037 3038 len -= 4; 3039 buf = malloc (len, M_TEMP, M_NOWAIT); 3040 if (!buf) 3041 return; 3042 3043 if (debug) 3044 log(LOG_DEBUG, "%s: ipcp rej opts:", 3045 ifp->if_xname); 3046 3047 p = (void *)(h + 1); 3048 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3049 /* Sanity check option length */ 3050 if (p[1] > len) { 3051 /* XXX should we just RXJ? */ 3052 addlog("%s: malicious IPCP option received, dropping\n", 3053 ifp->if_xname); 3054 goto drop; 3055 } 3056 if (debug) 3057 addlog(" %s", sppp_ipcp_opt_name(*p)); 3058 switch (*p) { 3059 case IPCP_OPT_ADDRESS: 3060 /* 3061 * Peer doesn't grok address option. This is 3062 * bad. XXX Should we better give up here? 3063 */ 3064 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3065 break; 3066 #ifdef notyet 3067 case IPCP_OPT_COMPRESS: 3068 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS); 3069 break; 3070 #endif 3071 } 3072 } 3073 if (debug) 3074 addlog("\n"); 3075 drop: 3076 free(buf, M_TEMP); 3077 return; 3078 } 3079 3080 /* 3081 * Analyze the IPCP Configure-NAK option list, and adjust our 3082 * negotiation. 3083 */ 3084 static void 3085 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3086 { 3087 u_char *p; 3088 struct ifnet *ifp = &sp->pp_if; 3089 int debug = ifp->if_flags & IFF_DEBUG; 3090 uint32_t wantaddr; 3091 3092 len -= 4; 3093 3094 if (debug) 3095 log(LOG_DEBUG, "%s: ipcp nak opts:", 3096 ifp->if_xname); 3097 3098 p = (void *)(h + 1); 3099 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3100 /* Sanity check option length */ 3101 if (p[1] > len) { 3102 /* XXX should we just RXJ? */ 3103 addlog("%s: malicious IPCP option received, dropping\n", 3104 ifp->if_xname); 3105 return; 3106 } 3107 if (debug) 3108 addlog(" %s", sppp_ipcp_opt_name(*p)); 3109 switch (*p) { 3110 case IPCP_OPT_ADDRESS: 3111 /* 3112 * Peer doesn't like our local IP address. See 3113 * if we can do something for him. We'll drop 3114 * him our address then. 3115 */ 3116 if (len >= 6 && p[1] == 6) { 3117 wantaddr = p[2] << 24 | p[3] << 16 | 3118 p[4] << 8 | p[5]; 3119 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3120 if (debug) 3121 addlog(" [wantaddr %s]", 3122 sppp_dotted_quad(wantaddr)); 3123 /* 3124 * When doing dynamic address assignment, 3125 * we accept his offer. Otherwise, we 3126 * ignore it and thus continue to negotiate 3127 * our already existing value. 3128 */ 3129 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3130 if (debug) 3131 addlog(" [agree]"); 3132 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3133 sp->ipcp.req_myaddr = wantaddr; 3134 } 3135 } 3136 break; 3137 3138 case IPCP_OPT_PRIMDNS: 3139 if (len >= 6 && p[1] == 6) { 3140 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 3141 p[4] << 8 | p[5]; 3142 } 3143 break; 3144 3145 case IPCP_OPT_SECDNS: 3146 if (len >= 6 && p[1] == 6) { 3147 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 3148 p[4] << 8 | p[5]; 3149 } 3150 break; 3151 #ifdef notyet 3152 case IPCP_OPT_COMPRESS: 3153 /* 3154 * Peer wants different compression parameters. 3155 */ 3156 break; 3157 #endif 3158 } 3159 } 3160 if (debug) 3161 addlog("\n"); 3162 } 3163 3164 static void 3165 sppp_ipcp_tlu(struct sppp *sp) 3166 { 3167 #ifdef INET 3168 /* we are up. Set addresses and notify anyone interested */ 3169 STDDCL; 3170 uint32_t myaddr, hisaddr; 3171 3172 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3173 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 3174 myaddr = sp->ipcp.req_myaddr; 3175 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 3176 hisaddr = sp->ipcp.req_hisaddr; 3177 sppp_set_ip_addrs(sp, myaddr, hisaddr); 3178 3179 if (ifp->if_mtu > sp->lcp.their_mru) { 3180 sp->pp_saved_mtu = ifp->if_mtu; 3181 ifp->if_mtu = sp->lcp.their_mru; 3182 if (debug) 3183 log(LOG_DEBUG, 3184 "%s: setting MTU to %" PRIu64 " bytes\n", 3185 ifp->if_xname, ifp->if_mtu); 3186 } 3187 3188 if (sp->pp_con) 3189 sp->pp_con(sp); 3190 #endif 3191 } 3192 3193 static void 3194 sppp_ipcp_tld(struct sppp *sp) 3195 { 3196 } 3197 3198 static void 3199 sppp_ipcp_tls(struct sppp *sp) 3200 { 3201 /* indicate to LCP that it must stay alive */ 3202 sp->lcp.protos |= (1 << IDX_IPCP); 3203 } 3204 3205 static void 3206 sppp_ipcp_tlf(struct sppp *sp) 3207 { 3208 /* we no longer need LCP */ 3209 sp->lcp.protos &= ~(1 << IDX_IPCP); 3210 } 3211 3212 static void 3213 sppp_ipcp_scr(struct sppp *sp) 3214 { 3215 char opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 3216 #ifdef INET 3217 uint32_t ouraddr; 3218 #endif 3219 int i = 0; 3220 3221 #ifdef notyet 3222 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3223 opt[i++] = IPCP_OPT_COMPRESSION; 3224 opt[i++] = 6; 3225 opt[i++] = 0; /* VJ header compression */ 3226 opt[i++] = 0x2d; /* VJ header compression */ 3227 opt[i++] = max_slot_id; 3228 opt[i++] = comp_slot_id; 3229 } 3230 #endif 3231 3232 #ifdef INET 3233 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3234 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) 3235 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 3236 else 3237 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3238 opt[i++] = IPCP_OPT_ADDRESS; 3239 opt[i++] = 6; 3240 opt[i++] = ouraddr >> 24; 3241 opt[i++] = ouraddr >> 16; 3242 opt[i++] = ouraddr >> 8; 3243 opt[i++] = ouraddr; 3244 } 3245 #endif 3246 3247 if (sp->query_dns & 1) { 3248 opt[i++] = IPCP_OPT_PRIMDNS; 3249 opt[i++] = 6; 3250 opt[i++] = sp->dns_addrs[0] >> 24; 3251 opt[i++] = sp->dns_addrs[0] >> 16; 3252 opt[i++] = sp->dns_addrs[0] >> 8; 3253 opt[i++] = sp->dns_addrs[0]; 3254 } 3255 if (sp->query_dns & 2) { 3256 opt[i++] = IPCP_OPT_SECDNS; 3257 opt[i++] = 6; 3258 opt[i++] = sp->dns_addrs[1] >> 24; 3259 opt[i++] = sp->dns_addrs[1] >> 16; 3260 opt[i++] = sp->dns_addrs[1] >> 8; 3261 opt[i++] = sp->dns_addrs[1]; 3262 } 3263 3264 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3265 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3266 } 3267 3268 3269 /* 3270 *--------------------------------------------------------------------------* 3271 * * 3272 * The IPv6CP implementation. * 3273 * * 3274 *--------------------------------------------------------------------------* 3275 */ 3276 3277 #ifdef INET6 3278 static void 3279 sppp_ipv6cp_init(struct sppp *sp) 3280 { 3281 sp->ipv6cp.opts = 0; 3282 sp->ipv6cp.flags = 0; 3283 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3284 sp->fail_counter[IDX_IPV6CP] = 0; 3285 sp->pp_seq[IDX_IPV6CP] = 0; 3286 sp->pp_rseq[IDX_IPV6CP] = 0; 3287 callout_init(&sp->ch[IDX_IPV6CP], 0); 3288 } 3289 3290 static void 3291 sppp_ipv6cp_up(struct sppp *sp) 3292 { 3293 sppp_up_event(&ipv6cp, sp); 3294 } 3295 3296 static void 3297 sppp_ipv6cp_down(struct sppp *sp) 3298 { 3299 sppp_down_event(&ipv6cp, sp); 3300 } 3301 3302 static void 3303 sppp_ipv6cp_open(struct sppp *sp) 3304 { 3305 STDDCL; 3306 struct in6_addr myaddr, hisaddr; 3307 3308 #ifdef IPV6CP_MYIFID_DYN 3309 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3310 #else 3311 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3312 #endif 3313 3314 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3315 /* 3316 * If we don't have our address, this probably means our 3317 * interface doesn't want to talk IPv6 at all. (This could 3318 * be the case if somebody wants to speak only IPX, for 3319 * example.) Don't open IPv6CP in this case. 3320 */ 3321 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3322 /* XXX this message should go away */ 3323 if (debug) 3324 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 3325 ifp->if_xname); 3326 return; 3327 } 3328 3329 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3330 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3331 sppp_open_event(&ipv6cp, sp); 3332 } 3333 3334 static void 3335 sppp_ipv6cp_close(struct sppp *sp) 3336 { 3337 sppp_close_event(&ipv6cp, sp); 3338 } 3339 3340 static void 3341 sppp_ipv6cp_TO(void *cookie) 3342 { 3343 sppp_to_event(&ipv6cp, (struct sppp *)cookie); 3344 } 3345 3346 /* 3347 * Analyze a configure request. Return true if it was agreeable, and 3348 * caused action sca, false if it has been rejected or nak'ed, and 3349 * caused action scn. (The return value is used to make the state 3350 * transition decision in the state automaton.) 3351 */ 3352 static int 3353 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3354 { 3355 u_char *buf, *r, *p; 3356 struct ifnet *ifp = &sp->pp_if; 3357 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3358 struct in6_addr myaddr, desiredaddr, suggestaddr; 3359 int ifidcount; 3360 int type; 3361 int collision, nohisaddr; 3362 3363 len -= 4; 3364 origlen = len; 3365 /* 3366 * Make sure to allocate a buf that can at least hold a 3367 * conf-nak with an `address' option. We might need it below. 3368 */ 3369 buf = r = malloc ((len < 6? 6: len), M_TEMP, M_NOWAIT); 3370 if (! buf) 3371 return (0); 3372 3373 /* pass 1: see if we can recognize them */ 3374 if (debug) 3375 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 3376 ifp->if_xname); 3377 p = (void *)(h + 1); 3378 ifidcount = 0; 3379 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3380 /* Sanity check option length */ 3381 if (p[1] > len) { 3382 /* XXX just RXJ? */ 3383 addlog("%s: received malicious IPCPv6 option, " 3384 "dropping\n", ifp->if_xname); 3385 goto drop; 3386 } 3387 if (debug) 3388 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3389 switch (*p) { 3390 case IPV6CP_OPT_IFID: 3391 if (len >= 10 && p[1] == 10 && ifidcount == 0) { 3392 /* correctly formed address option */ 3393 ifidcount++; 3394 continue; 3395 } 3396 if (debug) 3397 addlog(" [invalid]"); 3398 break; 3399 #ifdef notyet 3400 case IPV6CP_OPT_COMPRESSION: 3401 if (len >= 4 && p[1] >= 4) { 3402 /* correctly formed compress option */ 3403 continue; 3404 } 3405 if (debug) 3406 addlog(" [invalid]"); 3407 break; 3408 #endif 3409 default: 3410 /* Others not supported. */ 3411 if (debug) 3412 addlog(" [rej]"); 3413 break; 3414 } 3415 /* Add the option to rejected list. */ 3416 bcopy (p, r, p[1]); 3417 r += p[1]; 3418 rlen += p[1]; 3419 } 3420 if (rlen) { 3421 if (debug) 3422 addlog(" send conf-rej\n"); 3423 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3424 goto end; 3425 } else if (debug) 3426 addlog("\n"); 3427 3428 /* pass 2: parse option values */ 3429 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3430 if (debug) 3431 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 3432 ifp->if_xname); 3433 p = (void *)(h + 1); 3434 len = origlen; 3435 type = CONF_ACK; 3436 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3437 if (debug) 3438 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3439 switch (*p) { 3440 #ifdef notyet 3441 case IPV6CP_OPT_COMPRESSION: 3442 continue; 3443 #endif 3444 case IPV6CP_OPT_IFID: 3445 memset(&desiredaddr, 0, sizeof(desiredaddr)); 3446 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 3447 collision = (memcmp(&desiredaddr.s6_addr[8], 3448 &myaddr.s6_addr[8], 8) == 0); 3449 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3450 3451 desiredaddr.s6_addr16[0] = htons(0xfe80); 3452 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 3453 3454 if (!collision && !nohisaddr) { 3455 /* no collision, hisaddr known - Conf-Ack */ 3456 type = CONF_ACK; 3457 3458 if (debug) { 3459 addlog(" %s [%s]", 3460 ip6_sprintf(&desiredaddr), 3461 sppp_cp_type_name(type)); 3462 } 3463 continue; 3464 } 3465 3466 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3467 if (collision && nohisaddr) { 3468 /* collision, hisaddr unknown - Conf-Rej */ 3469 type = CONF_REJ; 3470 memset(&p[2], 0, 8); 3471 } else { 3472 /* 3473 * - no collision, hisaddr unknown, or 3474 * - collision, hisaddr known 3475 * Conf-Nak, suggest hisaddr 3476 */ 3477 type = CONF_NAK; 3478 sppp_suggest_ip6_addr(sp, &suggestaddr); 3479 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 3480 } 3481 if (debug) 3482 addlog(" %s [%s]", ip6_sprintf(&desiredaddr), 3483 sppp_cp_type_name(type)); 3484 break; 3485 } 3486 /* Add the option to nak'ed list. */ 3487 bcopy (p, r, p[1]); 3488 r += p[1]; 3489 rlen += p[1]; 3490 } 3491 3492 if (rlen == 0 && type == CONF_ACK) { 3493 if (debug) 3494 addlog(" send %s\n", sppp_cp_type_name(type)); 3495 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1); 3496 } else { 3497 #ifdef notdef 3498 if (type == CONF_ACK) 3499 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3500 #endif 3501 3502 if (debug) { 3503 addlog(" send %s suggest %s\n", 3504 sppp_cp_type_name(type), ip6_sprintf(&suggestaddr)); 3505 } 3506 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3507 } 3508 3509 end: 3510 free(buf, M_TEMP); 3511 return (rlen == 0); 3512 3513 drop: 3514 free(buf, M_TEMP); 3515 return -1; 3516 } 3517 3518 /* 3519 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3520 * negotiation. 3521 */ 3522 static void 3523 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3524 { 3525 u_char *buf, *p; 3526 struct ifnet *ifp = &sp->pp_if; 3527 int debug = ifp->if_flags & IFF_DEBUG; 3528 3529 len -= 4; 3530 buf = malloc (len, M_TEMP, M_NOWAIT); 3531 if (!buf) 3532 return; 3533 3534 if (debug) 3535 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 3536 ifp->if_xname); 3537 3538 p = (void *)(h + 1); 3539 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3540 if (p[1] > len) { 3541 /* XXX just RXJ? */ 3542 addlog("%s: received malicious IPCPv6 option, " 3543 "dropping\n", ifp->if_xname); 3544 goto drop; 3545 } 3546 if (debug) 3547 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3548 switch (*p) { 3549 case IPV6CP_OPT_IFID: 3550 /* 3551 * Peer doesn't grok address option. This is 3552 * bad. XXX Should we better give up here? 3553 */ 3554 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3555 break; 3556 #ifdef notyet 3557 case IPV6CP_OPT_COMPRESS: 3558 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3559 break; 3560 #endif 3561 } 3562 } 3563 if (debug) 3564 addlog("\n"); 3565 drop: 3566 free(buf, M_TEMP); 3567 return; 3568 } 3569 3570 /* 3571 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3572 * negotiation. 3573 */ 3574 static void 3575 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3576 { 3577 u_char *buf, *p; 3578 struct ifnet *ifp = &sp->pp_if; 3579 int debug = ifp->if_flags & IFF_DEBUG; 3580 struct in6_addr suggestaddr; 3581 3582 len -= 4; 3583 buf = malloc (len, M_TEMP, M_NOWAIT); 3584 if (!buf) 3585 return; 3586 3587 if (debug) 3588 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 3589 ifp->if_xname); 3590 3591 p = (void *)(h + 1); 3592 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3593 if (p[1] > len) { 3594 /* XXX just RXJ? */ 3595 addlog("%s: received malicious IPCPv6 option, " 3596 "dropping\n", ifp->if_xname); 3597 goto drop; 3598 } 3599 if (debug) 3600 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3601 switch (*p) { 3602 case IPV6CP_OPT_IFID: 3603 /* 3604 * Peer doesn't like our local ifid. See 3605 * if we can do something for him. We'll drop 3606 * him our address then. 3607 */ 3608 if (len < 10 || p[1] != 10) 3609 break; 3610 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3611 suggestaddr.s6_addr16[0] = htons(0xfe80); 3612 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 3613 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 3614 3615 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3616 if (debug) 3617 addlog(" [suggestaddr %s]", 3618 ip6_sprintf(&suggestaddr)); 3619 #ifdef IPV6CP_MYIFID_DYN 3620 /* 3621 * When doing dynamic address assignment, 3622 * we accept his offer. 3623 */ 3624 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3625 struct in6_addr lastsuggest; 3626 /* 3627 * If <suggested myaddr from peer> equals to 3628 * <hisaddr we have suggested last time>, 3629 * we have a collision. generate new random 3630 * ifid. 3631 */ 3632 sppp_suggest_ip6_addr(&lastsuggest); 3633 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3634 lastsuggest)) { 3635 if (debug) 3636 addlog(" [random]"); 3637 sppp_gen_ip6_addr(sp, &suggestaddr); 3638 } 3639 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3640 if (debug) 3641 addlog(" [agree]"); 3642 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3643 } 3644 #else 3645 /* 3646 * Since we do not do dynamic address assignment, 3647 * we ignore it and thus continue to negotiate 3648 * our already existing value. This can possibly 3649 * go into infinite request-reject loop. 3650 * 3651 * This is not likely because we normally use 3652 * ifid based on MAC-address. 3653 * If you have no ethernet card on the node, too bad. 3654 * XXX should we use fail_counter? 3655 */ 3656 #endif 3657 break; 3658 #ifdef notyet 3659 case IPV6CP_OPT_COMPRESS: 3660 /* 3661 * Peer wants different compression parameters. 3662 */ 3663 break; 3664 #endif 3665 } 3666 } 3667 if (debug) 3668 addlog("\n"); 3669 drop: 3670 free(buf, M_TEMP); 3671 return; 3672 } 3673 3674 static void 3675 sppp_ipv6cp_tlu(struct sppp *sp) 3676 { 3677 /* we are up - notify isdn daemon */ 3678 if (sp->pp_con) 3679 sp->pp_con(sp); 3680 } 3681 3682 static void 3683 sppp_ipv6cp_tld(struct sppp *sp) 3684 { 3685 } 3686 3687 static void 3688 sppp_ipv6cp_tls(struct sppp *sp) 3689 { 3690 /* indicate to LCP that it must stay alive */ 3691 sp->lcp.protos |= (1 << IDX_IPV6CP); 3692 } 3693 3694 static void 3695 sppp_ipv6cp_tlf(struct sppp *sp) 3696 { 3697 /* we no longer need LCP */ 3698 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3699 } 3700 3701 static void 3702 sppp_ipv6cp_scr(struct sppp *sp) 3703 { 3704 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3705 struct in6_addr ouraddr; 3706 int i = 0; 3707 3708 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3709 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3710 opt[i++] = IPV6CP_OPT_IFID; 3711 opt[i++] = 10; 3712 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 3713 i += 8; 3714 } 3715 3716 #ifdef notyet 3717 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 3718 opt[i++] = IPV6CP_OPT_COMPRESSION; 3719 opt[i++] = 4; 3720 opt[i++] = 0; /* TBD */ 3721 opt[i++] = 0; /* TBD */ 3722 /* variable length data may follow */ 3723 } 3724 #endif 3725 3726 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 3727 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 3728 } 3729 #else /*INET6*/ 3730 static void 3731 sppp_ipv6cp_init(struct sppp *sp) 3732 { 3733 } 3734 3735 static void 3736 sppp_ipv6cp_up(struct sppp *sp) 3737 { 3738 } 3739 3740 static void 3741 sppp_ipv6cp_down(struct sppp *sp) 3742 { 3743 } 3744 3745 static void 3746 sppp_ipv6cp_open(struct sppp *sp) 3747 { 3748 } 3749 3750 static void 3751 sppp_ipv6cp_close(struct sppp *sp) 3752 { 3753 } 3754 3755 static void 3756 sppp_ipv6cp_TO(void *sp) 3757 { 3758 } 3759 3760 static int 3761 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, 3762 int len) 3763 { 3764 return 0; 3765 } 3766 3767 static void 3768 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, 3769 int len) 3770 { 3771 } 3772 3773 static void 3774 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, 3775 int len) 3776 { 3777 } 3778 3779 static void 3780 sppp_ipv6cp_tlu(struct sppp *sp) 3781 { 3782 } 3783 3784 static void 3785 sppp_ipv6cp_tld(struct sppp *sp) 3786 { 3787 } 3788 3789 static void 3790 sppp_ipv6cp_tls(struct sppp *sp) 3791 { 3792 } 3793 3794 static void 3795 sppp_ipv6cp_tlf(struct sppp *sp) 3796 { 3797 } 3798 3799 static void 3800 sppp_ipv6cp_scr(struct sppp *sp) 3801 { 3802 } 3803 #endif /*INET6*/ 3804 3805 3806 /* 3807 *--------------------------------------------------------------------------* 3808 * * 3809 * The CHAP implementation. * 3810 * * 3811 *--------------------------------------------------------------------------* 3812 */ 3813 3814 /* 3815 * The authentication protocols don't employ a full-fledged state machine as 3816 * the control protocols do, since they do have Open and Close events, but 3817 * not Up and Down, nor are they explicitly terminated. Also, use of the 3818 * authentication protocols may be different in both directions (this makes 3819 * sense, think of a machine that never accepts incoming calls but only 3820 * calls out, it doesn't require the called party to authenticate itself). 3821 * 3822 * Our state machine for the local authentication protocol (we are requesting 3823 * the peer to authenticate) looks like: 3824 * 3825 * RCA- 3826 * +--------------------------------------------+ 3827 * V scn,tld| 3828 * +--------+ Close +---------+ RCA+ 3829 * | |<----------------------------------| |------+ 3830 * +--->| Closed | TO* | Opened | sca | 3831 * | | |-----+ +-------| |<-----+ 3832 * | +--------+ irc | | +---------+ 3833 * | ^ | | ^ 3834 * | | | | | 3835 * | | | | | 3836 * | TO-| | | | 3837 * | |tld TO+ V | | 3838 * | | +------->+ | | 3839 * | | | | | | 3840 * | +--------+ V | | 3841 * | | |<----+<--------------------+ | 3842 * | | Req- | scr | 3843 * | | Sent | | 3844 * | | | | 3845 * | +--------+ | 3846 * | RCA- | | RCA+ | 3847 * +------+ +------------------------------------------+ 3848 * scn,tld sca,irc,ict,tlu 3849 * 3850 * 3851 * with: 3852 * 3853 * Open: LCP reached authentication phase 3854 * Close: LCP reached terminate phase 3855 * 3856 * RCA+: received reply (pap-req, chap-response), acceptable 3857 * RCN: received reply (pap-req, chap-response), not acceptable 3858 * TO+: timeout with restart counter >= 0 3859 * TO-: timeout with restart counter < 0 3860 * TO*: reschedule timeout for CHAP 3861 * 3862 * scr: send request packet (none for PAP, chap-challenge) 3863 * sca: send ack packet (pap-ack, chap-success) 3864 * scn: send nak packet (pap-nak, chap-failure) 3865 * ict: initialize re-challenge timer (CHAP only) 3866 * 3867 * tlu: this-layer-up, LCP reaches network phase 3868 * tld: this-layer-down, LCP enters terminate phase 3869 * 3870 * Note that in CHAP mode, after sending a new challenge, while the state 3871 * automaton falls back into Req-Sent state, it doesn't signal a tld 3872 * event to LCP, so LCP remains in network phase. Only after not getting 3873 * any response (or after getting an unacceptable response), CHAP closes, 3874 * causing LCP to enter terminate phase. 3875 * 3876 * With PAP, there is no initial request that can be sent. The peer is 3877 * expected to send one based on the successful negotiation of PAP as 3878 * the authentication protocol during the LCP option negotiation. 3879 * 3880 * Incoming authentication protocol requests (remote requests 3881 * authentication, we are peer) don't employ a state machine at all, 3882 * they are simply answered. Some peers [Ascend P50 firmware rev 3883 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are 3884 * still in authentication phase (thereby violating the standard that 3885 * demands that these NCP packets are to be discarded), so we keep 3886 * track of the peer demanding us to authenticate, and only proceed to 3887 * phase network once we've seen a positive acknowledge for the 3888 * authentication. 3889 */ 3890 3891 /* 3892 * Handle incoming CHAP packets. 3893 */ 3894 void 3895 sppp_chap_input(struct sppp *sp, struct mbuf *m) 3896 { 3897 STDDCL; 3898 struct lcp_header *h; 3899 int len, x; 3900 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize; 3901 int value_len, name_len; 3902 MD5_CTX ctx; 3903 3904 len = m->m_pkthdr.len; 3905 if (len < 4) { 3906 if (debug) 3907 log(LOG_DEBUG, 3908 "%s: chap invalid packet length: %d bytes\n", 3909 ifp->if_xname, len); 3910 return; 3911 } 3912 h = mtod(m, struct lcp_header *); 3913 if (len > ntohs(h->len)) 3914 len = ntohs(h->len); 3915 3916 switch (h->type) { 3917 /* challenge, failure and success are his authproto */ 3918 case CHAP_CHALLENGE: 3919 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 3920 /* can't do anything useful */ 3921 sp->pp_auth_failures++; 3922 printf("%s: chap input without my name and my secret being set\n", 3923 ifp->if_xname); 3924 break; 3925 } 3926 value = 1 + (u_char *)(h + 1); 3927 value_len = value[-1]; 3928 name = value + value_len; 3929 name_len = len - value_len - 5; 3930 if (name_len < 0) { 3931 if (debug) { 3932 log(LOG_DEBUG, 3933 "%s: chap corrupted challenge " 3934 "<%s id=0x%x len=%d", 3935 ifp->if_xname, 3936 sppp_auth_type_name(PPP_CHAP, h->type), 3937 h->ident, ntohs(h->len)); 3938 if (len > 4) 3939 sppp_print_bytes((u_char *)(h + 1), 3940 len - 4); 3941 addlog(">\n"); 3942 } 3943 break; 3944 } 3945 3946 if (debug) { 3947 log(LOG_DEBUG, 3948 "%s: chap input <%s id=0x%x len=%d name=", 3949 ifp->if_xname, 3950 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 3951 ntohs(h->len)); 3952 sppp_print_string((char *) name, name_len); 3953 addlog(" value-size=%d value=", value_len); 3954 sppp_print_bytes(value, value_len); 3955 addlog(">\n"); 3956 } 3957 3958 /* Compute reply value. */ 3959 MD5Init(&ctx); 3960 MD5Update(&ctx, &h->ident, 1); 3961 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 3962 MD5Update(&ctx, value, value_len); 3963 MD5Final(digest, &ctx); 3964 dsize = sizeof digest; 3965 3966 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 3967 sizeof dsize, (const char *)&dsize, 3968 sizeof digest, digest, 3969 sp->myauth.name_len, 3970 sp->myauth.name, 3971 0); 3972 break; 3973 3974 case CHAP_SUCCESS: 3975 if (debug) { 3976 log(LOG_DEBUG, "%s: chap success", 3977 ifp->if_xname); 3978 if (len > 4) { 3979 addlog(": "); 3980 sppp_print_string((char *)(h + 1), len - 4); 3981 } 3982 addlog("\n"); 3983 } 3984 x = splnet(); 3985 sp->pp_auth_failures = 0; 3986 sp->pp_flags &= ~PP_NEEDAUTH; 3987 if (sp->myauth.proto == PPP_CHAP && 3988 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 3989 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 3990 /* 3991 * We are authenticator for CHAP but didn't 3992 * complete yet. Leave it to tlu to proceed 3993 * to network phase. 3994 */ 3995 splx(x); 3996 break; 3997 } 3998 splx(x); 3999 sppp_phase_network(sp); 4000 break; 4001 4002 case CHAP_FAILURE: 4003 x = splnet(); 4004 sp->pp_auth_failures++; 4005 splx(x); 4006 if (debug) { 4007 log(LOG_INFO, "%s: chap failure", 4008 ifp->if_xname); 4009 if (len > 4) { 4010 addlog(": "); 4011 sppp_print_string((char *)(h + 1), len - 4); 4012 } 4013 addlog("\n"); 4014 } else 4015 log(LOG_INFO, "%s: chap failure\n", 4016 ifp->if_xname); 4017 /* await LCP shutdown by authenticator */ 4018 break; 4019 4020 /* response is my authproto */ 4021 case CHAP_RESPONSE: 4022 if (sp->hisauth.secret == NULL) { 4023 /* can't do anything useful */ 4024 printf("%s: chap input without his secret being set\n", 4025 ifp->if_xname); 4026 break; 4027 } 4028 value = 1 + (u_char *)(h + 1); 4029 value_len = value[-1]; 4030 name = value + value_len; 4031 name_len = len - value_len - 5; 4032 if (name_len < 0) { 4033 if (debug) { 4034 log(LOG_DEBUG, 4035 "%s: chap corrupted response " 4036 "<%s id=0x%x len=%d", 4037 ifp->if_xname, 4038 sppp_auth_type_name(PPP_CHAP, h->type), 4039 h->ident, ntohs(h->len)); 4040 if (len > 4) 4041 sppp_print_bytes((u_char *)(h + 1), 4042 len - 4); 4043 addlog(">\n"); 4044 } 4045 break; 4046 } 4047 if (h->ident != sp->confid[IDX_CHAP]) { 4048 if (debug) 4049 log(LOG_DEBUG, 4050 "%s: chap dropping response for old ID " 4051 "(got %d, expected %d)\n", 4052 ifp->if_xname, 4053 h->ident, sp->confid[IDX_CHAP]); 4054 break; 4055 } 4056 if (sp->hisauth.name != NULL && 4057 (name_len != sp->hisauth.name_len 4058 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 4059 log(LOG_INFO, "%s: chap response, his name ", 4060 ifp->if_xname); 4061 sppp_print_string(name, name_len); 4062 addlog(" != expected "); 4063 sppp_print_string(sp->hisauth.name, 4064 sp->hisauth.name_len); 4065 addlog("\n"); 4066 goto chap_failure; 4067 } 4068 if (debug) { 4069 log(LOG_DEBUG, "%s: chap input(%s) " 4070 "<%s id=0x%x len=%d name=", 4071 ifp->if_xname, 4072 sppp_state_name(sp->state[IDX_CHAP]), 4073 sppp_auth_type_name(PPP_CHAP, h->type), 4074 h->ident, ntohs(h->len)); 4075 sppp_print_string((char *)name, name_len); 4076 addlog(" value-size=%d value=", value_len); 4077 sppp_print_bytes(value, value_len); 4078 addlog(">\n"); 4079 } 4080 if (value_len != sizeof(sp->myauth.challenge)) { 4081 if (debug) 4082 log(LOG_DEBUG, 4083 "%s: chap bad hash value length: " 4084 "%d bytes, should be %ld\n", 4085 ifp->if_xname, value_len, 4086 (long) sizeof(sp->myauth.challenge)); 4087 goto chap_failure; 4088 } 4089 4090 MD5Init(&ctx); 4091 MD5Update(&ctx, &h->ident, 1); 4092 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 4093 MD5Update(&ctx, sp->myauth.challenge, sizeof(sp->myauth.challenge)); 4094 MD5Final(digest, &ctx); 4095 4096 #define FAILMSG "Failed..." 4097 #define SUCCMSG "Welcome!" 4098 4099 if (value_len != sizeof digest || 4100 memcmp(digest, value, value_len) != 0) { 4101 chap_failure: 4102 /* action scn, tld */ 4103 x = splnet(); 4104 sp->pp_auth_failures++; 4105 splx(x); 4106 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4107 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4108 0); 4109 chap.tld(sp); 4110 break; 4111 } 4112 sp->pp_auth_failures = 0; 4113 /* action sca, perhaps tlu */ 4114 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4115 sp->state[IDX_CHAP] == STATE_OPENED) 4116 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4117 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4118 0); 4119 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4120 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4121 chap.tlu(sp); 4122 } 4123 break; 4124 4125 default: 4126 /* Unknown CHAP packet type -- ignore. */ 4127 if (debug) { 4128 log(LOG_DEBUG, "%s: chap unknown input(%s) " 4129 "<0x%x id=0x%xh len=%d", 4130 ifp->if_xname, 4131 sppp_state_name(sp->state[IDX_CHAP]), 4132 h->type, h->ident, ntohs(h->len)); 4133 if (len > 4) 4134 sppp_print_bytes((u_char *)(h + 1), len - 4); 4135 addlog(">\n"); 4136 } 4137 break; 4138 4139 } 4140 } 4141 4142 static void 4143 sppp_chap_init(struct sppp *sp) 4144 { 4145 /* Chap doesn't have STATE_INITIAL at all. */ 4146 sp->state[IDX_CHAP] = STATE_CLOSED; 4147 sp->fail_counter[IDX_CHAP] = 0; 4148 sp->pp_seq[IDX_CHAP] = 0; 4149 sp->pp_rseq[IDX_CHAP] = 0; 4150 callout_init(&sp->ch[IDX_CHAP], 0); 4151 } 4152 4153 static void 4154 sppp_chap_open(struct sppp *sp) 4155 { 4156 if (sp->myauth.proto == PPP_CHAP && 4157 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4158 /* we are authenticator for CHAP, start it */ 4159 chap.scr(sp); 4160 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4161 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4162 } 4163 /* nothing to be done if we are peer, await a challenge */ 4164 } 4165 4166 static void 4167 sppp_chap_close(struct sppp *sp) 4168 { 4169 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4170 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4171 } 4172 4173 static void 4174 sppp_chap_TO(void *cookie) 4175 { 4176 struct sppp *sp = (struct sppp *)cookie; 4177 STDDCL; 4178 int s; 4179 4180 s = splnet(); 4181 if (debug) 4182 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n", 4183 ifp->if_xname, 4184 sppp_state_name(sp->state[IDX_CHAP]), 4185 sp->rst_counter[IDX_CHAP]); 4186 4187 if (--sp->rst_counter[IDX_CHAP] < 0) 4188 /* TO- event */ 4189 switch (sp->state[IDX_CHAP]) { 4190 case STATE_REQ_SENT: 4191 chap.tld(sp); 4192 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4193 break; 4194 } 4195 else 4196 /* TO+ (or TO*) event */ 4197 switch (sp->state[IDX_CHAP]) { 4198 case STATE_OPENED: 4199 /* TO* event */ 4200 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4201 /* fall through */ 4202 case STATE_REQ_SENT: 4203 chap.scr(sp); 4204 /* sppp_cp_change_state() will restart the timer */ 4205 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4206 break; 4207 } 4208 4209 splx(s); 4210 } 4211 4212 static void 4213 sppp_chap_tlu(struct sppp *sp) 4214 { 4215 STDDCL; 4216 int i, x; 4217 4218 i = 0; 4219 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4220 4221 /* 4222 * Some broken CHAP implementations (Conware CoNet, firmware 4223 * 4.0.?) don't want to re-authenticate their CHAP once the 4224 * initial challenge-response exchange has taken place. 4225 * Provide for an option to avoid rechallenges. 4226 */ 4227 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 4228 /* 4229 * Compute the re-challenge timeout. This will yield 4230 * a number between 300 and 810 seconds. 4231 */ 4232 i = 300 + ((unsigned)(arc4random() & 0xff00) >> 7); 4233 4234 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp); 4235 } 4236 4237 if (debug) { 4238 log(LOG_DEBUG, 4239 "%s: chap %s, ", 4240 ifp->if_xname, 4241 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu"); 4242 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) 4243 addlog("next re-challenge in %d seconds\n", i); 4244 else 4245 addlog("re-challenging supressed\n"); 4246 } 4247 4248 x = splnet(); 4249 sp->pp_auth_failures = 0; 4250 /* indicate to LCP that we need to be closed down */ 4251 sp->lcp.protos |= (1 << IDX_CHAP); 4252 4253 if (sp->pp_flags & PP_NEEDAUTH) { 4254 /* 4255 * Remote is authenticator, but his auth proto didn't 4256 * complete yet. Defer the transition to network 4257 * phase. 4258 */ 4259 splx(x); 4260 return; 4261 } 4262 splx(x); 4263 4264 /* 4265 * If we are already in phase network, we are done here. This 4266 * is the case if this is a dummy tlu event after a re-challenge. 4267 */ 4268 if (sp->pp_phase != SPPP_PHASE_NETWORK) 4269 sppp_phase_network(sp); 4270 } 4271 4272 static void 4273 sppp_chap_tld(struct sppp *sp) 4274 { 4275 STDDCL; 4276 4277 if (debug) 4278 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname); 4279 callout_stop(&sp->ch[IDX_CHAP]); 4280 sp->lcp.protos &= ~(1 << IDX_CHAP); 4281 4282 lcp.Close(sp); 4283 } 4284 4285 static void 4286 sppp_chap_scr(struct sppp *sp) 4287 { 4288 uint32_t *ch; 4289 u_char clen; 4290 4291 if (sp->myauth.name == NULL) { 4292 /* can't do anything useful */ 4293 printf("%s: chap starting without my name being set\n", 4294 sp->pp_if.if_xname); 4295 return; 4296 } 4297 4298 /* Compute random challenge. */ 4299 ch = (uint32_t *)sp->myauth.challenge; 4300 ch[0] = arc4random(); 4301 ch[1] = arc4random(); 4302 ch[2] = arc4random(); 4303 ch[3] = arc4random(); 4304 clen = 16; /* 4 * sizeof(uint32_t) */ 4305 4306 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4307 4308 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4309 sizeof clen, (const char *)&clen, 4310 sizeof(sp->myauth.challenge), sp->myauth.challenge, 4311 sp->myauth.name_len, 4312 sp->myauth.name, 4313 0); 4314 } 4315 4316 /* 4317 *--------------------------------------------------------------------------* 4318 * * 4319 * The PAP implementation. * 4320 * * 4321 *--------------------------------------------------------------------------* 4322 */ 4323 /* 4324 * For PAP, we need to keep a little state also if we are the peer, not the 4325 * authenticator. This is since we don't get a request to authenticate, but 4326 * have to repeatedly authenticate ourself until we got a response (or the 4327 * retry counter is expired). 4328 */ 4329 4330 /* 4331 * Handle incoming PAP packets. */ 4332 static void 4333 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4334 { 4335 STDDCL; 4336 struct lcp_header *h; 4337 int len, x; 4338 u_char mlen; 4339 char *name, *secret; 4340 int name_len, secret_len; 4341 4342 /* 4343 * Malicious input might leave this uninitialized, so 4344 * init to an impossible value. 4345 */ 4346 secret_len = -1; 4347 4348 len = m->m_pkthdr.len; 4349 if (len < 5) { 4350 if (debug) 4351 log(LOG_DEBUG, 4352 "%s: pap invalid packet length: %d bytes\n", 4353 ifp->if_xname, len); 4354 return; 4355 } 4356 h = mtod(m, struct lcp_header *); 4357 if (len > ntohs(h->len)) 4358 len = ntohs(h->len); 4359 switch (h->type) { 4360 /* PAP request is my authproto */ 4361 case PAP_REQ: 4362 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4363 /* can't do anything useful */ 4364 printf("%s: pap request without his name and his secret being set\n", 4365 ifp->if_xname); 4366 break; 4367 } 4368 name = 1 + (u_char *)(h + 1); 4369 name_len = name[-1]; 4370 secret = name + name_len + 1; 4371 if (name_len > len - 6 || 4372 (secret_len = secret[-1]) > len - 6 - name_len) { 4373 if (debug) { 4374 log(LOG_DEBUG, "%s: pap corrupted input " 4375 "<%s id=0x%x len=%d", 4376 ifp->if_xname, 4377 sppp_auth_type_name(PPP_PAP, h->type), 4378 h->ident, ntohs(h->len)); 4379 if (len > 4) 4380 sppp_print_bytes((u_char *)(h + 1), 4381 len - 4); 4382 addlog(">\n"); 4383 } 4384 break; 4385 } 4386 if (debug) { 4387 log(LOG_DEBUG, "%s: pap input(%s) " 4388 "<%s id=0x%x len=%d name=", 4389 ifp->if_xname, 4390 sppp_state_name(sp->state[IDX_PAP]), 4391 sppp_auth_type_name(PPP_PAP, h->type), 4392 h->ident, ntohs(h->len)); 4393 sppp_print_string((char *)name, name_len); 4394 addlog(" secret="); 4395 sppp_print_string((char *)secret, secret_len); 4396 addlog(">\n"); 4397 } 4398 if (name_len != sp->hisauth.name_len || 4399 secret_len != sp->hisauth.secret_len || 4400 memcmp(name, sp->hisauth.name, name_len) != 0 || 4401 memcmp(secret, sp->hisauth.secret, secret_len) != 0) { 4402 /* action scn, tld */ 4403 sp->pp_auth_failures++; 4404 mlen = sizeof(FAILMSG) - 1; 4405 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4406 sizeof mlen, (const char *)&mlen, 4407 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4408 0); 4409 pap.tld(sp); 4410 break; 4411 } 4412 /* action sca, perhaps tlu */ 4413 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4414 sp->state[IDX_PAP] == STATE_OPENED) { 4415 mlen = sizeof(SUCCMSG) - 1; 4416 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4417 sizeof mlen, (const char *)&mlen, 4418 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4419 0); 4420 } 4421 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4422 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4423 pap.tlu(sp); 4424 } 4425 break; 4426 4427 /* ack and nak are his authproto */ 4428 case PAP_ACK: 4429 callout_stop(&sp->pap_my_to_ch); 4430 if (debug) { 4431 log(LOG_DEBUG, "%s: pap success", 4432 ifp->if_xname); 4433 name = 1 + (u_char *)(h + 1); 4434 name_len = name[-1]; 4435 if (len > 5 && name_len < len+4) { 4436 addlog(": "); 4437 sppp_print_string(name, name_len); 4438 } 4439 addlog("\n"); 4440 } 4441 x = splnet(); 4442 sp->pp_auth_failures = 0; 4443 sp->pp_flags &= ~PP_NEEDAUTH; 4444 if (sp->myauth.proto == PPP_PAP && 4445 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4446 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4447 /* 4448 * We are authenticator for PAP but didn't 4449 * complete yet. Leave it to tlu to proceed 4450 * to network phase. 4451 */ 4452 splx(x); 4453 break; 4454 } 4455 splx(x); 4456 sppp_phase_network(sp); 4457 break; 4458 4459 case PAP_NAK: 4460 callout_stop(&sp->pap_my_to_ch); 4461 sp->pp_auth_failures++; 4462 if (debug) { 4463 log(LOG_INFO, "%s: pap failure", 4464 ifp->if_xname); 4465 name = 1 + (u_char *)(h + 1); 4466 name_len = name[-1]; 4467 if (len > 5 && name_len < len+4) { 4468 addlog(": "); 4469 sppp_print_string(name, name_len); 4470 } 4471 addlog("\n"); 4472 } else 4473 log(LOG_INFO, "%s: pap failure\n", 4474 ifp->if_xname); 4475 /* await LCP shutdown by authenticator */ 4476 break; 4477 4478 default: 4479 /* Unknown PAP packet type -- ignore. */ 4480 if (debug) { 4481 log(LOG_DEBUG, "%s: pap corrupted input " 4482 "<0x%x id=0x%x len=%d", 4483 ifp->if_xname, 4484 h->type, h->ident, ntohs(h->len)); 4485 if (len > 4) 4486 sppp_print_bytes((u_char *)(h + 1), len - 4); 4487 addlog(">\n"); 4488 } 4489 break; 4490 4491 } 4492 } 4493 4494 static void 4495 sppp_pap_init(struct sppp *sp) 4496 { 4497 /* PAP doesn't have STATE_INITIAL at all. */ 4498 sp->state[IDX_PAP] = STATE_CLOSED; 4499 sp->fail_counter[IDX_PAP] = 0; 4500 sp->pp_seq[IDX_PAP] = 0; 4501 sp->pp_rseq[IDX_PAP] = 0; 4502 callout_init(&sp->ch[IDX_PAP], 0); 4503 callout_init(&sp->pap_my_to_ch, 0); 4504 } 4505 4506 static void 4507 sppp_pap_open(struct sppp *sp) 4508 { 4509 if (sp->hisauth.proto == PPP_PAP && 4510 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4511 /* we are authenticator for PAP, start our timer */ 4512 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4513 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4514 } 4515 if (sp->myauth.proto == PPP_PAP) { 4516 /* we are peer, send a request, and start a timer */ 4517 pap.scr(sp); 4518 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout, 4519 sppp_pap_my_TO, sp); 4520 } 4521 } 4522 4523 static void 4524 sppp_pap_close(struct sppp *sp) 4525 { 4526 if (sp->state[IDX_PAP] != STATE_CLOSED) 4527 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4528 } 4529 4530 /* 4531 * That's the timeout routine if we are authenticator. Since the 4532 * authenticator is basically passive in PAP, we can't do much here. 4533 */ 4534 static void 4535 sppp_pap_TO(void *cookie) 4536 { 4537 struct sppp *sp = (struct sppp *)cookie; 4538 STDDCL; 4539 int s; 4540 4541 s = splnet(); 4542 if (debug) 4543 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n", 4544 ifp->if_xname, 4545 sppp_state_name(sp->state[IDX_PAP]), 4546 sp->rst_counter[IDX_PAP]); 4547 4548 if (--sp->rst_counter[IDX_PAP] < 0) 4549 /* TO- event */ 4550 switch (sp->state[IDX_PAP]) { 4551 case STATE_REQ_SENT: 4552 pap.tld(sp); 4553 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4554 break; 4555 } 4556 else 4557 /* TO+ event, not very much we could do */ 4558 switch (sp->state[IDX_PAP]) { 4559 case STATE_REQ_SENT: 4560 /* sppp_cp_change_state() will restart the timer */ 4561 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4562 break; 4563 } 4564 4565 splx(s); 4566 } 4567 4568 /* 4569 * That's the timeout handler if we are peer. Since the peer is active, 4570 * we need to retransmit our PAP request since it is apparently lost. 4571 * XXX We should impose a max counter. 4572 */ 4573 static void 4574 sppp_pap_my_TO(void *cookie) 4575 { 4576 struct sppp *sp = (struct sppp *)cookie; 4577 STDDCL; 4578 4579 if (debug) 4580 log(LOG_DEBUG, "%s: pap peer TO\n", 4581 ifp->if_xname); 4582 4583 pap.scr(sp); 4584 } 4585 4586 static void 4587 sppp_pap_tlu(struct sppp *sp) 4588 { 4589 STDDCL; 4590 int x; 4591 4592 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4593 4594 if (debug) 4595 log(LOG_DEBUG, "%s: %s tlu\n", 4596 ifp->if_xname, pap.name); 4597 4598 x = splnet(); 4599 sp->pp_auth_failures = 0; 4600 /* indicate to LCP that we need to be closed down */ 4601 sp->lcp.protos |= (1 << IDX_PAP); 4602 4603 if (sp->pp_flags & PP_NEEDAUTH) { 4604 /* 4605 * Remote is authenticator, but his auth proto didn't 4606 * complete yet. Defer the transition to network 4607 * phase. 4608 */ 4609 splx(x); 4610 return; 4611 } 4612 splx(x); 4613 sppp_phase_network(sp); 4614 } 4615 4616 static void 4617 sppp_pap_tld(struct sppp *sp) 4618 { 4619 STDDCL; 4620 4621 if (debug) 4622 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname); 4623 callout_stop(&sp->ch[IDX_PAP]); 4624 callout_stop(&sp->pap_my_to_ch); 4625 sp->lcp.protos &= ~(1 << IDX_PAP); 4626 4627 lcp.Close(sp); 4628 } 4629 4630 static void 4631 sppp_pap_scr(struct sppp *sp) 4632 { 4633 u_char idlen, pwdlen; 4634 4635 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4636 /* can't do anything useful */ 4637 printf("%s: pap starting without my name and secret being set\n", 4638 sp->pp_if.if_xname); 4639 return; 4640 } 4641 4642 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4643 pwdlen = sp->myauth.secret_len; 4644 idlen = sp->myauth.name_len; 4645 4646 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 4647 sizeof idlen, (const char *)&idlen, 4648 idlen, sp->myauth.name, 4649 sizeof pwdlen, (const char *)&pwdlen, 4650 pwdlen, sp->myauth.secret, 4651 0); 4652 } 4653 4654 /* 4655 * Random miscellaneous functions. 4656 */ 4657 4658 /* 4659 * Send a PAP or CHAP proto packet. 4660 * 4661 * Varadic function, each of the elements for the ellipsis is of type 4662 * ``size_t mlen, const u_char *msg''. Processing will stop iff 4663 * mlen == 0. 4664 * NOTE: never declare variadic functions with types subject to type 4665 * promotion (i.e. u_char). This is asking for big trouble depending 4666 * on the architecture you are on... 4667 */ 4668 4669 static void 4670 sppp_auth_send(const struct cp *cp, struct sppp *sp, 4671 unsigned int type, unsigned int id, 4672 ...) 4673 { 4674 STDDCL; 4675 struct lcp_header *lh; 4676 struct mbuf *m; 4677 u_char *p; 4678 int len; 4679 size_t pkthdrlen; 4680 unsigned int mlen; 4681 const char *msg; 4682 va_list ap; 4683 4684 MGETHDR(m, M_DONTWAIT, MT_DATA); 4685 if (! m) 4686 return; 4687 m->m_pkthdr.rcvif = 0; 4688 4689 if (sp->pp_flags & PP_NOFRAMING) { 4690 *mtod(m, uint16_t *) = htons(cp->proto); 4691 pkthdrlen = 2; 4692 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 4693 } else { 4694 struct ppp_header *h; 4695 h = mtod(m, struct ppp_header *); 4696 h->address = PPP_ALLSTATIONS; /* broadcast address */ 4697 h->control = PPP_UI; /* Unnumbered Info */ 4698 h->protocol = htons(cp->proto); 4699 pkthdrlen = PPP_HEADER_LEN; 4700 4701 lh = (struct lcp_header *)(h + 1); 4702 } 4703 4704 lh->type = type; 4705 lh->ident = id; 4706 p = (u_char *)(lh + 1); 4707 4708 va_start(ap, id); 4709 len = 0; 4710 4711 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 4712 msg = va_arg(ap, const char *); 4713 len += mlen; 4714 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 4715 va_end(ap); 4716 m_freem(m); 4717 return; 4718 } 4719 4720 memcpy(p, msg, mlen); 4721 p += mlen; 4722 } 4723 va_end(ap); 4724 4725 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 4726 lh->len = htons(LCP_HEADER_LEN + len); 4727 4728 if (debug) { 4729 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 4730 ifp->if_xname, cp->name, 4731 sppp_auth_type_name(cp->proto, lh->type), 4732 lh->ident, ntohs(lh->len)); 4733 if (len) 4734 sppp_print_bytes((u_char *)(lh + 1), len); 4735 addlog(">\n"); 4736 } 4737 if (IF_QFULL(&sp->pp_cpq)) { 4738 IF_DROP(&sp->pp_fastq); 4739 IF_DROP(&ifp->if_snd); 4740 m_freem(m); 4741 ++ifp->if_oerrors; 4742 return; 4743 } else 4744 IF_ENQUEUE(&sp->pp_cpq, m); 4745 if (! (ifp->if_flags & IFF_OACTIVE)) 4746 (*ifp->if_start)(ifp); 4747 ifp->if_obytes += m->m_pkthdr.len + 3; 4748 } 4749 4750 /* 4751 * Send keepalive packets, every 10 seconds. 4752 */ 4753 static void 4754 sppp_keepalive(void *dummy) 4755 { 4756 struct sppp *sp; 4757 int s; 4758 time_t now; 4759 4760 s = splnet(); 4761 now = time_uptime; 4762 for (sp=spppq; sp; sp=sp->pp_next) { 4763 struct ifnet *ifp = &sp->pp_if; 4764 4765 /* check idle timeout */ 4766 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 4767 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 4768 /* idle timeout is enabled for this interface */ 4769 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 4770 if (ifp->if_flags & IFF_DEBUG) 4771 printf("%s: no activity for %lu seconds\n", 4772 sp->pp_if.if_xname, 4773 (unsigned long)(now-sp->pp_last_activity)); 4774 lcp.Close(sp); 4775 continue; 4776 } 4777 } 4778 4779 /* Keepalive mode disabled or channel down? */ 4780 if (! (sp->pp_flags & PP_KEEPALIVE) || 4781 ! (ifp->if_flags & IFF_RUNNING)) 4782 continue; 4783 4784 /* No keepalive in PPP mode if LCP not opened yet. */ 4785 if (! (sp->pp_flags & PP_CISCO) && 4786 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) 4787 continue; 4788 4789 /* No echo reply, but maybe user data passed through? */ 4790 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) { 4791 sp->pp_alivecnt = 0; 4792 continue; 4793 } 4794 4795 if (sp->pp_alivecnt >= sp->pp_maxalive) { 4796 /* No keepalive packets got. Stop the interface. */ 4797 if_down (ifp); 4798 IF_PURGE(&sp->pp_cpq); 4799 if (! (sp->pp_flags & PP_CISCO)) { 4800 printf("%s: LCP keepalive timed out, going to restart the connection\n", 4801 ifp->if_xname); 4802 sp->pp_alivecnt = 0; 4803 4804 /* we are down, close all open protocols */ 4805 lcp.Close(sp); 4806 4807 /* And now prepare LCP to reestablish the link, if configured to do so. */ 4808 sppp_cp_change_state(&lcp, sp, STATE_STOPPED); 4809 4810 /* Close connection immediately, completition of this 4811 * will summon the magic needed to reestablish it. */ 4812 if (sp->pp_tlf) 4813 sp->pp_tlf(sp); 4814 continue; 4815 } 4816 } 4817 if (sp->pp_alivecnt < sp->pp_maxalive) 4818 ++sp->pp_alivecnt; 4819 if (sp->pp_flags & PP_CISCO) 4820 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 4821 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 4822 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 4823 int32_t nmagic = htonl(sp->lcp.magic); 4824 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 4825 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 4826 sp->lcp.echoid, 4, &nmagic); 4827 } 4828 } 4829 splx(s); 4830 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 4831 } 4832 4833 #ifdef INET 4834 /* 4835 * Get both IP addresses. 4836 */ 4837 static void 4838 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 4839 { 4840 struct ifnet *ifp = &sp->pp_if; 4841 struct ifaddr *ifa; 4842 struct sockaddr_in *si, *sm; 4843 uint32_t ssrc, ddst; 4844 4845 sm = NULL; 4846 ssrc = ddst = 0; 4847 /* 4848 * Pick the first AF_INET address from the list, 4849 * aliases don't make any sense on a p2p link anyway. 4850 */ 4851 si = 0; 4852 IFADDR_FOREACH(ifa, ifp) { 4853 if (ifa->ifa_addr->sa_family == AF_INET) { 4854 si = (struct sockaddr_in *)ifa->ifa_addr; 4855 sm = (struct sockaddr_in *)ifa->ifa_netmask; 4856 if (si) 4857 break; 4858 } 4859 } 4860 if (ifa) { 4861 if (si && si->sin_addr.s_addr) { 4862 ssrc = si->sin_addr.s_addr; 4863 if (srcmask) 4864 *srcmask = ntohl(sm->sin_addr.s_addr); 4865 } 4866 4867 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 4868 if (si && si->sin_addr.s_addr) 4869 ddst = si->sin_addr.s_addr; 4870 } 4871 4872 if (dst) *dst = ntohl(ddst); 4873 if (src) *src = ntohl(ssrc); 4874 } 4875 4876 /* 4877 * Set IP addresses. Must be called at splnet. 4878 * If an address is 0, leave it the way it is. 4879 */ 4880 static void 4881 sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr) 4882 { 4883 STDDCL; 4884 struct ifaddr *ifa; 4885 struct sockaddr_in *si, *dest; 4886 4887 /* 4888 * Pick the first AF_INET address from the list, 4889 * aliases don't make any sense on a p2p link anyway. 4890 */ 4891 4892 IFADDR_FOREACH(ifa, ifp) { 4893 if (ifa->ifa_addr->sa_family == AF_INET) { 4894 si = (struct sockaddr_in *)ifa->ifa_addr; 4895 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4896 goto found; 4897 } 4898 } 4899 return; 4900 4901 found: 4902 { 4903 int error; 4904 struct sockaddr_in new_sin = *si; 4905 struct sockaddr_in new_dst = *dest; 4906 4907 /* 4908 * Scrub old routes now instead of calling in_ifinit with 4909 * scrub=1, because we may change the dstaddr 4910 * before the call to in_ifinit. 4911 */ 4912 in_ifscrub(ifp, ifatoia(ifa)); 4913 4914 if (myaddr != 0) 4915 new_sin.sin_addr.s_addr = htonl(myaddr); 4916 if (hisaddr != 0) { 4917 new_dst.sin_addr.s_addr = htonl(hisaddr); 4918 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) { 4919 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 4920 *dest = new_dst; /* fix dstaddr in place */ 4921 } 4922 } 4923 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, 0); 4924 if (debug && error) 4925 { 4926 log(LOG_DEBUG, "%s: sppp_set_ip_addrs: in_ifinit " 4927 " failed, error=%d\n", ifp->if_xname, error); 4928 } 4929 #ifdef PFIL_HOOKS 4930 if (!error) 4931 (void)pfil_run_hooks(&if_pfil, 4932 (struct mbuf **)SIOCAIFADDR, ifp, PFIL_IFADDR); 4933 #endif 4934 } 4935 } 4936 4937 /* 4938 * Clear IP addresses. Must be called at splnet. 4939 */ 4940 static void 4941 sppp_clear_ip_addrs(struct sppp *sp) 4942 { 4943 struct ifnet *ifp = &sp->pp_if; 4944 struct ifaddr *ifa; 4945 struct sockaddr_in *si, *dest; 4946 4947 uint32_t remote; 4948 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4949 remote = sp->ipcp.saved_hisaddr; 4950 else 4951 sppp_get_ip_addrs(sp, 0, &remote, 0); 4952 4953 /* 4954 * Pick the first AF_INET address from the list, 4955 * aliases don't make any sense on a p2p link anyway. 4956 */ 4957 4958 IFADDR_FOREACH(ifa, ifp) { 4959 if (ifa->ifa_addr->sa_family == AF_INET) { 4960 si = (struct sockaddr_in *)ifa->ifa_addr; 4961 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4962 goto found; 4963 } 4964 } 4965 return; 4966 4967 found: 4968 { 4969 struct sockaddr_in new_sin = *si; 4970 4971 in_ifscrub(ifp, ifatoia(ifa)); 4972 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 4973 new_sin.sin_addr.s_addr = 0; 4974 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4975 /* replace peer addr in place */ 4976 dest->sin_addr.s_addr = sp->ipcp.saved_hisaddr; 4977 in_ifinit(ifp, ifatoia(ifa), &new_sin, 0); 4978 #ifdef PFIL_HOOKS 4979 (void)pfil_run_hooks(&if_pfil, 4980 (struct mbuf **)SIOCDIFADDR, ifp, PFIL_IFADDR); 4981 #endif 4982 } 4983 } 4984 #endif 4985 4986 #ifdef INET6 4987 /* 4988 * Get both IPv6 addresses. 4989 */ 4990 static void 4991 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 4992 struct in6_addr *srcmask) 4993 { 4994 struct ifnet *ifp = &sp->pp_if; 4995 struct ifaddr *ifa; 4996 struct sockaddr_in6 *si, *sm; 4997 struct in6_addr ssrc, ddst; 4998 4999 sm = NULL; 5000 memset(&ssrc, 0, sizeof(ssrc)); 5001 memset(&ddst, 0, sizeof(ddst)); 5002 /* 5003 * Pick the first link-local AF_INET6 address from the list, 5004 * aliases don't make any sense on a p2p link anyway. 5005 */ 5006 si = 0; 5007 IFADDR_FOREACH(ifa, ifp) 5008 if (ifa->ifa_addr->sa_family == AF_INET6) { 5009 si = (struct sockaddr_in6 *)ifa->ifa_addr; 5010 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 5011 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) 5012 break; 5013 } 5014 if (ifa) { 5015 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 5016 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 5017 if (srcmask) { 5018 memcpy(srcmask, &sm->sin6_addr, 5019 sizeof(*srcmask)); 5020 } 5021 } 5022 5023 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 5024 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 5025 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 5026 } 5027 5028 if (dst) 5029 memcpy(dst, &ddst, sizeof(*dst)); 5030 if (src) 5031 memcpy(src, &ssrc, sizeof(*src)); 5032 } 5033 5034 #ifdef IPV6CP_MYIFID_DYN 5035 /* 5036 * Generate random ifid. 5037 */ 5038 static void 5039 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5040 { 5041 /* TBD */ 5042 } 5043 5044 /* 5045 * Set my IPv6 address. Must be called at splnet. 5046 */ 5047 static void 5048 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5049 { 5050 STDDCL; 5051 struct ifaddr *ifa; 5052 struct sockaddr_in6 *sin6; 5053 5054 /* 5055 * Pick the first link-local AF_INET6 address from the list, 5056 * aliases don't make any sense on a p2p link anyway. 5057 */ 5058 5059 sin6 = NULL; 5060 IFADDR_FOREACH(ifa, ifp) 5061 { 5062 if (ifa->ifa_addr->sa_family == AF_INET6) 5063 { 5064 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5065 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 5066 break; 5067 } 5068 } 5069 5070 if (ifa && sin6) 5071 { 5072 int error; 5073 struct sockaddr_in6 new_sin6 = *sin6; 5074 5075 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 5076 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5077 if (debug && error) 5078 { 5079 log(LOG_DEBUG, "%s: sppp_set_ip6_addr: in6_ifinit " 5080 " failed, error=%d\n", ifp->if_xname, error); 5081 } 5082 #ifdef PFIL_HOOKS 5083 if (!error) 5084 (void)pfil_run_hooks(&if_pfil, 5085 (struct mbuf **)SIOCAIFADDR_IN6, ifp, PFIL_IFADDR); 5086 #endif 5087 } 5088 } 5089 #endif 5090 5091 /* 5092 * Suggest a candidate address to be used by peer. 5093 */ 5094 static void 5095 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5096 { 5097 struct in6_addr myaddr; 5098 struct timeval tv; 5099 5100 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5101 5102 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5103 microtime(&tv); 5104 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5105 myaddr.s6_addr[14] ^= 0xff; 5106 myaddr.s6_addr[15] ^= 0xff; 5107 } else { 5108 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5109 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5110 } 5111 if (suggest) 5112 memcpy(suggest, &myaddr, sizeof(myaddr)); 5113 } 5114 #endif /*INET6*/ 5115 5116 /* 5117 * Process ioctl requests specific to the PPP interface. 5118 * Permissions have already been checked. 5119 */ 5120 static int 5121 sppp_params(struct sppp *sp, u_long cmd, void *data) 5122 { 5123 switch (cmd) { 5124 case SPPPGETAUTHCFG: 5125 { 5126 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5127 int error; 5128 size_t len; 5129 5130 cfg->myauthflags = sp->myauth.flags; 5131 cfg->hisauthflags = sp->hisauth.flags; 5132 strncpy(cfg->ifname, sp->pp_if.if_xname, IFNAMSIZ); 5133 cfg->hisauth = 0; 5134 if (sp->hisauth.proto) 5135 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5136 cfg->myauth = 0; 5137 if (sp->myauth.proto) 5138 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5139 if (cfg->myname_length == 0) { 5140 if (sp->myauth.name != NULL) 5141 cfg->myname_length = sp->myauth.name_len + 1; 5142 } else { 5143 if (sp->myauth.name == NULL) { 5144 cfg->myname_length = 0; 5145 } else { 5146 len = sp->myauth.name_len + 1; 5147 if (cfg->myname_length < len) 5148 return (ENAMETOOLONG); 5149 error = copyout(sp->myauth.name, cfg->myname, len); 5150 if (error) return error; 5151 } 5152 } 5153 if (cfg->hisname_length == 0) { 5154 if (sp->hisauth.name != NULL) 5155 cfg->hisname_length = sp->hisauth.name_len + 1; 5156 } else { 5157 if (sp->hisauth.name == NULL) { 5158 cfg->hisname_length = 0; 5159 } else { 5160 len = sp->hisauth.name_len + 1; 5161 if (cfg->hisname_length < len) 5162 return (ENAMETOOLONG); 5163 error = copyout(sp->hisauth.name, cfg->hisname, len); 5164 if (error) return error; 5165 } 5166 } 5167 } 5168 break; 5169 case SPPPSETAUTHCFG: 5170 { 5171 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5172 int error; 5173 5174 if (sp->myauth.name) { 5175 free(sp->myauth.name, M_DEVBUF); 5176 sp->myauth.name = NULL; 5177 } 5178 if (sp->myauth.secret) { 5179 free(sp->myauth.secret, M_DEVBUF); 5180 sp->myauth.secret = NULL; 5181 } 5182 if (sp->hisauth.name) { 5183 free(sp->hisauth.name, M_DEVBUF); 5184 sp->hisauth.name = NULL; 5185 } 5186 if (sp->hisauth.secret) { 5187 free(sp->hisauth.secret, M_DEVBUF); 5188 sp->hisauth.secret = NULL; 5189 } 5190 5191 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 5192 if (cfg->hisname_length >= MCLBYTES) 5193 return (ENAMETOOLONG); 5194 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 5195 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 5196 if (error) { 5197 free(sp->hisauth.name, M_DEVBUF); 5198 sp->hisauth.name = NULL; 5199 return error; 5200 } 5201 sp->hisauth.name_len = cfg->hisname_length - 1; 5202 sp->hisauth.name[sp->hisauth.name_len] = 0; 5203 } 5204 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 5205 if (cfg->hissecret_length >= MCLBYTES) 5206 return (ENAMETOOLONG); 5207 sp->hisauth.secret = malloc(cfg->hissecret_length, M_DEVBUF, M_WAITOK); 5208 error = copyin(cfg->hissecret, sp->hisauth.secret, cfg->hissecret_length); 5209 if (error) { 5210 free(sp->hisauth.secret, M_DEVBUF); 5211 sp->hisauth.secret = NULL; 5212 return error; 5213 } 5214 sp->hisauth.secret_len = cfg->hissecret_length - 1; 5215 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 5216 } 5217 if (cfg->myname != NULL && cfg->myname_length > 0) { 5218 if (cfg->myname_length >= MCLBYTES) 5219 return (ENAMETOOLONG); 5220 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 5221 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 5222 if (error) { 5223 free(sp->myauth.name, M_DEVBUF); 5224 sp->myauth.name = NULL; 5225 return error; 5226 } 5227 sp->myauth.name_len = cfg->myname_length - 1; 5228 sp->myauth.name[sp->myauth.name_len] = 0; 5229 } 5230 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 5231 if (cfg->mysecret_length >= MCLBYTES) 5232 return (ENAMETOOLONG); 5233 sp->myauth.secret = malloc(cfg->mysecret_length, M_DEVBUF, M_WAITOK); 5234 error = copyin(cfg->mysecret, sp->myauth.secret, cfg->mysecret_length); 5235 if (error) { 5236 free(sp->myauth.secret, M_DEVBUF); 5237 sp->myauth.secret = NULL; 5238 return error; 5239 } 5240 sp->myauth.secret_len = cfg->mysecret_length - 1; 5241 sp->myauth.secret[sp->myauth.secret_len] = 0; 5242 } 5243 sp->myauth.flags = cfg->myauthflags; 5244 if (cfg->myauth) 5245 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5246 sp->hisauth.flags = cfg->hisauthflags; 5247 if (cfg->hisauth) 5248 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5249 sp->pp_auth_failures = 0; 5250 if (sp->hisauth.proto != 0) 5251 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 5252 else 5253 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 5254 } 5255 break; 5256 case SPPPGETLCPCFG: 5257 { 5258 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5259 lcpp->lcp_timeout = sp->lcp.timeout; 5260 } 5261 break; 5262 case SPPPSETLCPCFG: 5263 { 5264 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5265 sp->lcp.timeout = lcpp->lcp_timeout; 5266 } 5267 break; 5268 case SPPPGETSTATUS: 5269 { 5270 struct spppstatus *status = (struct spppstatus *)data; 5271 status->phase = sp->pp_phase; 5272 } 5273 break; 5274 case SPPPGETSTATUSNCP: 5275 { 5276 struct spppstatusncp *status = (struct spppstatusncp *)data; 5277 status->phase = sp->pp_phase; 5278 status->ncpup = sppp_ncp_check(sp); 5279 } 5280 break; 5281 case SPPPGETIDLETO: 5282 { 5283 struct spppidletimeout *to = (struct spppidletimeout *)data; 5284 to->idle_seconds = sp->pp_idle_timeout; 5285 } 5286 break; 5287 case SPPPSETIDLETO: 5288 { 5289 struct spppidletimeout *to = (struct spppidletimeout *)data; 5290 sp->pp_idle_timeout = to->idle_seconds; 5291 } 5292 break; 5293 case SPPPSETAUTHFAILURE: 5294 { 5295 struct spppauthfailuresettings *afsettings = (struct spppauthfailuresettings *)data; 5296 sp->pp_max_auth_fail = afsettings->max_failures; 5297 sp->pp_auth_failures = 0; 5298 } 5299 break; 5300 case SPPPGETAUTHFAILURES: 5301 { 5302 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 5303 stats->auth_failures = sp->pp_auth_failures; 5304 stats->max_failures = sp->pp_max_auth_fail; 5305 } 5306 break; 5307 case SPPPSETDNSOPTS: 5308 { 5309 struct spppdnssettings *req = (struct spppdnssettings *)data; 5310 sp->query_dns = req->query_dns & 3; 5311 } 5312 break; 5313 case SPPPGETDNSOPTS: 5314 { 5315 struct spppdnssettings *req = (struct spppdnssettings *)data; 5316 req->query_dns = sp->query_dns; 5317 } 5318 break; 5319 case SPPPGETDNSADDRS: 5320 { 5321 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 5322 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 5323 } 5324 break; 5325 case SPPPGETKEEPALIVE: 5326 { 5327 struct spppkeepalivesettings *settings = 5328 (struct spppkeepalivesettings*)data; 5329 settings->maxalive = sp->pp_maxalive; 5330 settings->max_noreceive = sp->pp_max_noreceive; 5331 } 5332 break; 5333 case SPPPSETKEEPALIVE: 5334 { 5335 struct spppkeepalivesettings *settings = 5336 (struct spppkeepalivesettings*)data; 5337 sp->pp_maxalive = settings->maxalive; 5338 sp->pp_max_noreceive = settings->max_noreceive; 5339 } 5340 break; 5341 #if defined(COMPAT_50) || defined(MODULAR) 5342 case __SPPPGETIDLETO50: 5343 { 5344 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5345 to->idle_seconds = (uint32_t)sp->pp_idle_timeout; 5346 } 5347 break; 5348 case __SPPPSETIDLETO50: 5349 { 5350 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5351 sp->pp_idle_timeout = (time_t)to->idle_seconds; 5352 } 5353 break; 5354 case __SPPPGETKEEPALIVE50: 5355 { 5356 struct spppkeepalivesettings50 *settings = 5357 (struct spppkeepalivesettings50*)data; 5358 settings->maxalive = sp->pp_maxalive; 5359 settings->max_noreceive = (uint32_t)sp->pp_max_noreceive; 5360 } 5361 break; 5362 case __SPPPSETKEEPALIVE50: 5363 { 5364 struct spppkeepalivesettings50 *settings = 5365 (struct spppkeepalivesettings50*)data; 5366 sp->pp_maxalive = settings->maxalive; 5367 sp->pp_max_noreceive = (time_t)settings->max_noreceive; 5368 } 5369 break; 5370 #endif /* COMPAT_50 || MODULAR */ 5371 default: 5372 return (EINVAL); 5373 } 5374 5375 return (0); 5376 } 5377 5378 static void 5379 sppp_phase_network(struct sppp *sp) 5380 { 5381 STDDCL; 5382 int i; 5383 uint32_t mask; 5384 5385 sp->pp_phase = SPPP_PHASE_NETWORK; 5386 5387 if (debug) 5388 { 5389 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 5390 sppp_phase_name(sp->pp_phase)); 5391 } 5392 5393 /* Notify NCPs now. */ 5394 for (i = 0; i < IDX_COUNT; i++) 5395 if ((cps[i])->flags & CP_NCP) 5396 (cps[i])->Open(sp); 5397 5398 /* Send Up events to all NCPs. */ 5399 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5400 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) 5401 (cps[i])->Up(sp); 5402 5403 /* if no NCP is starting, all this was in vain, close down */ 5404 sppp_lcp_check_and_close(sp); 5405 } 5406 5407 5408 static const char * 5409 sppp_cp_type_name(u_char type) 5410 { 5411 static char buf[12]; 5412 switch (type) { 5413 case CONF_REQ: return "conf-req"; 5414 case CONF_ACK: return "conf-ack"; 5415 case CONF_NAK: return "conf-nak"; 5416 case CONF_REJ: return "conf-rej"; 5417 case TERM_REQ: return "term-req"; 5418 case TERM_ACK: return "term-ack"; 5419 case CODE_REJ: return "code-rej"; 5420 case PROTO_REJ: return "proto-rej"; 5421 case ECHO_REQ: return "echo-req"; 5422 case ECHO_REPLY: return "echo-reply"; 5423 case DISC_REQ: return "discard-req"; 5424 } 5425 snprintf(buf, sizeof(buf), "0x%x", type); 5426 return buf; 5427 } 5428 5429 static const char * 5430 sppp_auth_type_name(u_short proto, u_char type) 5431 { 5432 static char buf[12]; 5433 switch (proto) { 5434 case PPP_CHAP: 5435 switch (type) { 5436 case CHAP_CHALLENGE: return "challenge"; 5437 case CHAP_RESPONSE: return "response"; 5438 case CHAP_SUCCESS: return "success"; 5439 case CHAP_FAILURE: return "failure"; 5440 } 5441 case PPP_PAP: 5442 switch (type) { 5443 case PAP_REQ: return "req"; 5444 case PAP_ACK: return "ack"; 5445 case PAP_NAK: return "nak"; 5446 } 5447 } 5448 snprintf(buf, sizeof(buf), "0x%x", type); 5449 return buf; 5450 } 5451 5452 static const char * 5453 sppp_lcp_opt_name(u_char opt) 5454 { 5455 static char buf[12]; 5456 switch (opt) { 5457 case LCP_OPT_MRU: return "mru"; 5458 case LCP_OPT_ASYNC_MAP: return "async-map"; 5459 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 5460 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 5461 case LCP_OPT_MAGIC: return "magic"; 5462 case LCP_OPT_PROTO_COMP: return "proto-comp"; 5463 case LCP_OPT_ADDR_COMP: return "addr-comp"; 5464 } 5465 snprintf(buf, sizeof(buf), "0x%x", opt); 5466 return buf; 5467 } 5468 5469 static const char * 5470 sppp_ipcp_opt_name(u_char opt) 5471 { 5472 static char buf[12]; 5473 switch (opt) { 5474 case IPCP_OPT_ADDRESSES: return "addresses"; 5475 case IPCP_OPT_COMPRESSION: return "compression"; 5476 case IPCP_OPT_ADDRESS: return "address"; 5477 } 5478 snprintf(buf, sizeof(buf), "0x%x", opt); 5479 return buf; 5480 } 5481 5482 #ifdef INET6 5483 static const char * 5484 sppp_ipv6cp_opt_name(u_char opt) 5485 { 5486 static char buf[12]; 5487 switch (opt) { 5488 case IPV6CP_OPT_IFID: return "ifid"; 5489 case IPV6CP_OPT_COMPRESSION: return "compression"; 5490 } 5491 snprintf(buf, sizeof(buf), "0x%x", opt); 5492 return buf; 5493 } 5494 #endif 5495 5496 static const char * 5497 sppp_state_name(int state) 5498 { 5499 switch (state) { 5500 case STATE_INITIAL: return "initial"; 5501 case STATE_STARTING: return "starting"; 5502 case STATE_CLOSED: return "closed"; 5503 case STATE_STOPPED: return "stopped"; 5504 case STATE_CLOSING: return "closing"; 5505 case STATE_STOPPING: return "stopping"; 5506 case STATE_REQ_SENT: return "req-sent"; 5507 case STATE_ACK_RCVD: return "ack-rcvd"; 5508 case STATE_ACK_SENT: return "ack-sent"; 5509 case STATE_OPENED: return "opened"; 5510 } 5511 return "illegal"; 5512 } 5513 5514 static const char * 5515 sppp_phase_name(int phase) 5516 { 5517 switch (phase) { 5518 case SPPP_PHASE_DEAD: return "dead"; 5519 case SPPP_PHASE_ESTABLISH: return "establish"; 5520 case SPPP_PHASE_TERMINATE: return "terminate"; 5521 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 5522 case SPPP_PHASE_NETWORK: return "network"; 5523 } 5524 return "illegal"; 5525 } 5526 5527 static const char * 5528 sppp_proto_name(u_short proto) 5529 { 5530 static char buf[12]; 5531 switch (proto) { 5532 case PPP_LCP: return "lcp"; 5533 case PPP_IPCP: return "ipcp"; 5534 case PPP_PAP: return "pap"; 5535 case PPP_CHAP: return "chap"; 5536 case PPP_IPV6CP: return "ipv6cp"; 5537 } 5538 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto); 5539 return buf; 5540 } 5541 5542 static void 5543 sppp_print_bytes(const u_char *p, u_short len) 5544 { 5545 addlog(" %02x", *p++); 5546 while (--len > 0) 5547 addlog("-%02x", *p++); 5548 } 5549 5550 static void 5551 sppp_print_string(const char *p, u_short len) 5552 { 5553 u_char c; 5554 5555 while (len-- > 0) { 5556 c = *p++; 5557 /* 5558 * Print only ASCII chars directly. RFC 1994 recommends 5559 * using only them, but we don't rely on it. */ 5560 if (c < ' ' || c > '~') 5561 addlog("\\x%x", c); 5562 else 5563 addlog("%c", c); 5564 } 5565 } 5566 5567 static const char * 5568 sppp_dotted_quad(uint32_t addr) 5569 { 5570 static char s[16]; 5571 snprintf(s, sizeof(s), "%d.%d.%d.%d", 5572 (int)((addr >> 24) & 0xff), 5573 (int)((addr >> 16) & 0xff), 5574 (int)((addr >> 8) & 0xff), 5575 (int)(addr & 0xff)); 5576 return s; 5577 } 5578 5579 /* a dummy, used to drop uninteresting events */ 5580 static void 5581 sppp_null(struct sppp *unused) 5582 { 5583 /* do just nothing */ 5584 } 5585 /* 5586 * This file is large. Tell emacs to highlight it nevertheless. 5587 * 5588 * Local Variables: 5589 * hilit-auto-highlight-maxout: 120000 5590 * End: 5591 */ 5592