1 /* $NetBSD: if_spppsubr.c,v 1.102 2006/11/24 21:23:07 wiz Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak@cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun@iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.102 2006/11/24 21:23:07 wiz Exp $"); 45 46 #include "opt_inet.h" 47 #include "opt_ipx.h" 48 #include "opt_iso.h" 49 #include "opt_pfil_hooks.h" 50 51 #include <sys/param.h> 52 #include <sys/proc.h> 53 #include <sys/systm.h> 54 #include <sys/kernel.h> 55 #include <sys/sockio.h> 56 #include <sys/socket.h> 57 #include <sys/syslog.h> 58 #include <sys/malloc.h> 59 #include <sys/mbuf.h> 60 #include <sys/callout.h> 61 #include <sys/md5.h> 62 #include <sys/inttypes.h> 63 #include <sys/kauth.h> 64 65 #include <net/if.h> 66 #include <net/netisr.h> 67 #include <net/if_types.h> 68 #include <net/route.h> 69 #include <net/ppp_defs.h> 70 71 #include <machine/stdarg.h> 72 73 #include <netinet/in.h> 74 #include <netinet/in_systm.h> 75 #include <netinet/in_var.h> 76 #ifdef INET 77 #include <netinet/ip.h> 78 #include <netinet/tcp.h> 79 #endif 80 #include <net/ethertypes.h> 81 82 #ifdef INET6 83 #include <netinet6/scope6_var.h> 84 #endif 85 86 #ifdef IPX 87 #include <netipx/ipx.h> 88 #include <netipx/ipx_if.h> 89 #endif 90 91 92 #ifdef ISO 93 #include <netiso/argo_debug.h> 94 #include <netiso/iso.h> 95 #include <netiso/iso_var.h> 96 #include <netiso/iso_snpac.h> 97 #endif 98 99 #include <net/if_sppp.h> 100 #include <net/if_spppvar.h> 101 102 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 103 #define LOOPALIVECNT 3 /* loopback detection tries */ 104 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 105 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 106 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 107 108 /* 109 * Interface flags that can be set in an ifconfig command. 110 * 111 * Setting link0 will make the link passive, i.e. it will be marked 112 * as being administrative openable, but won't be opened to begin 113 * with. Incoming calls will be answered, or subsequent calls with 114 * -link1 will cause the administrative open of the LCP layer. 115 * 116 * Setting link1 will cause the link to auto-dial only as packets 117 * arrive to be sent. 118 * 119 * Setting IFF_DEBUG will syslog the option negotiation and state 120 * transitions at level kern.debug. Note: all logs consistently look 121 * like 122 * 123 * <if-name><unit>: <proto-name> <additional info...> 124 * 125 * with <if-name><unit> being something like "bppp0", and <proto-name> 126 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 127 */ 128 129 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 130 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 131 132 #define CONF_REQ 1 /* PPP configure request */ 133 #define CONF_ACK 2 /* PPP configure acknowledge */ 134 #define CONF_NAK 3 /* PPP configure negative ack */ 135 #define CONF_REJ 4 /* PPP configure reject */ 136 #define TERM_REQ 5 /* PPP terminate request */ 137 #define TERM_ACK 6 /* PPP terminate acknowledge */ 138 #define CODE_REJ 7 /* PPP code reject */ 139 #define PROTO_REJ 8 /* PPP protocol reject */ 140 #define ECHO_REQ 9 /* PPP echo request */ 141 #define ECHO_REPLY 10 /* PPP echo reply */ 142 #define DISC_REQ 11 /* PPP discard request */ 143 144 #define LCP_OPT_MRU 1 /* maximum receive unit */ 145 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 146 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 147 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 148 #define LCP_OPT_MAGIC 5 /* magic number */ 149 #define LCP_OPT_RESERVED 6 /* reserved */ 150 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 151 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 152 153 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 154 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 155 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 156 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 157 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 158 159 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 160 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 161 162 #define PAP_REQ 1 /* PAP name/password request */ 163 #define PAP_ACK 2 /* PAP acknowledge */ 164 #define PAP_NAK 3 /* PAP fail */ 165 166 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 167 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 168 #define CHAP_SUCCESS 3 /* CHAP response ok */ 169 #define CHAP_FAILURE 4 /* CHAP response failed */ 170 171 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 172 173 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 174 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 175 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 176 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 177 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 178 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 179 180 /* states are named and numbered according to RFC 1661 */ 181 #define STATE_INITIAL 0 182 #define STATE_STARTING 1 183 #define STATE_CLOSED 2 184 #define STATE_STOPPED 3 185 #define STATE_CLOSING 4 186 #define STATE_STOPPING 5 187 #define STATE_REQ_SENT 6 188 #define STATE_ACK_RCVD 7 189 #define STATE_ACK_SENT 8 190 #define STATE_OPENED 9 191 192 struct ppp_header { 193 u_int8_t address; 194 u_int8_t control; 195 u_int16_t protocol; 196 } __attribute__((__packed__)); 197 #define PPP_HEADER_LEN sizeof (struct ppp_header) 198 199 struct lcp_header { 200 u_int8_t type; 201 u_int8_t ident; 202 u_int16_t len; 203 } __attribute__((__packed__)); 204 #define LCP_HEADER_LEN sizeof (struct lcp_header) 205 206 struct cisco_packet { 207 u_int32_t type; 208 u_int32_t par1; 209 u_int32_t par2; 210 u_int16_t rel; 211 u_int16_t time0; 212 u_int16_t time1; 213 } __attribute__((__packed__)); 214 #define CISCO_PACKET_LEN 18 215 216 /* 217 * We follow the spelling and capitalization of RFC 1661 here, to make 218 * it easier comparing with the standard. Please refer to this RFC in 219 * case you can't make sense out of these abbreviation; it will also 220 * explain the semantics related to the various events and actions. 221 */ 222 struct cp { 223 u_short proto; /* PPP control protocol number */ 224 u_char protoidx; /* index into state table in struct sppp */ 225 u_char flags; 226 #define CP_LCP 0x01 /* this is the LCP */ 227 #define CP_AUTH 0x02 /* this is an authentication protocol */ 228 #define CP_NCP 0x04 /* this is a NCP */ 229 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 230 const char *name; /* name of this control protocol */ 231 /* event handlers */ 232 void (*Up)(struct sppp *sp); 233 void (*Down)(struct sppp *sp); 234 void (*Open)(struct sppp *sp); 235 void (*Close)(struct sppp *sp); 236 void (*TO)(void *sp); 237 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 238 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 239 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 240 /* actions */ 241 void (*tlu)(struct sppp *sp); 242 void (*tld)(struct sppp *sp); 243 void (*tls)(struct sppp *sp); 244 void (*tlf)(struct sppp *sp); 245 void (*scr)(struct sppp *sp); 246 }; 247 248 static struct sppp *spppq; 249 static struct callout keepalive_ch; 250 251 #ifdef INET 252 /* 253 * The following disgusting hack gets around the problem that IP TOS 254 * can't be set yet. We want to put "interactive" traffic on a high 255 * priority queue. To decide if traffic is interactive, we check that 256 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 257 * 258 * XXX is this really still necessary? - joerg - 259 */ 260 static u_short interactive_ports[8] = { 261 0, 513, 0, 0, 262 0, 21, 0, 23, 263 }; 264 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 265 #endif 266 267 /* almost every function needs these */ 268 #define STDDCL \ 269 struct ifnet *ifp = &sp->pp_if; \ 270 int debug = ifp->if_flags & IFF_DEBUG 271 272 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 273 struct sockaddr *dst, struct rtentry *rt); 274 275 static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2); 276 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 277 278 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 279 struct mbuf *m); 280 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 281 u_char ident, u_short len, void *data); 282 /* static void sppp_cp_timeout(void *arg); */ 283 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 284 int newstate); 285 static void sppp_auth_send(const struct cp *cp, 286 struct sppp *sp, unsigned int type, unsigned int id, 287 ...); 288 289 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 290 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 291 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 292 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 293 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 294 295 static void sppp_null(struct sppp *sp); 296 297 static void sppp_lcp_init(struct sppp *sp); 298 static void sppp_lcp_up(struct sppp *sp); 299 static void sppp_lcp_down(struct sppp *sp); 300 static void sppp_lcp_open(struct sppp *sp); 301 static void sppp_lcp_close(struct sppp *sp); 302 static void sppp_lcp_TO(void *sp); 303 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 304 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 305 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 306 static void sppp_lcp_tlu(struct sppp *sp); 307 static void sppp_lcp_tld(struct sppp *sp); 308 static void sppp_lcp_tls(struct sppp *sp); 309 static void sppp_lcp_tlf(struct sppp *sp); 310 static void sppp_lcp_scr(struct sppp *sp); 311 static void sppp_lcp_check_and_close(struct sppp *sp); 312 static int sppp_ncp_check(struct sppp *sp); 313 314 static void sppp_ipcp_init(struct sppp *sp); 315 static void sppp_ipcp_up(struct sppp *sp); 316 static void sppp_ipcp_down(struct sppp *sp); 317 static void sppp_ipcp_open(struct sppp *sp); 318 static void sppp_ipcp_close(struct sppp *sp); 319 static void sppp_ipcp_TO(void *sp); 320 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 321 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 322 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 323 static void sppp_ipcp_tlu(struct sppp *sp); 324 static void sppp_ipcp_tld(struct sppp *sp); 325 static void sppp_ipcp_tls(struct sppp *sp); 326 static void sppp_ipcp_tlf(struct sppp *sp); 327 static void sppp_ipcp_scr(struct sppp *sp); 328 329 static void sppp_ipv6cp_init(struct sppp *sp); 330 static void sppp_ipv6cp_up(struct sppp *sp); 331 static void sppp_ipv6cp_down(struct sppp *sp); 332 static void sppp_ipv6cp_open(struct sppp *sp); 333 static void sppp_ipv6cp_close(struct sppp *sp); 334 static void sppp_ipv6cp_TO(void *sp); 335 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 336 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 337 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 338 static void sppp_ipv6cp_tlu(struct sppp *sp); 339 static void sppp_ipv6cp_tld(struct sppp *sp); 340 static void sppp_ipv6cp_tls(struct sppp *sp); 341 static void sppp_ipv6cp_tlf(struct sppp *sp); 342 static void sppp_ipv6cp_scr(struct sppp *sp); 343 344 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 345 static void sppp_pap_init(struct sppp *sp); 346 static void sppp_pap_open(struct sppp *sp); 347 static void sppp_pap_close(struct sppp *sp); 348 static void sppp_pap_TO(void *sp); 349 static void sppp_pap_my_TO(void *sp); 350 static void sppp_pap_tlu(struct sppp *sp); 351 static void sppp_pap_tld(struct sppp *sp); 352 static void sppp_pap_scr(struct sppp *sp); 353 354 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 355 static void sppp_chap_init(struct sppp *sp); 356 static void sppp_chap_open(struct sppp *sp); 357 static void sppp_chap_close(struct sppp *sp); 358 static void sppp_chap_TO(void *sp); 359 static void sppp_chap_tlu(struct sppp *sp); 360 static void sppp_chap_tld(struct sppp *sp); 361 static void sppp_chap_scr(struct sppp *sp); 362 363 static const char *sppp_auth_type_name(u_short proto, u_char type); 364 static const char *sppp_cp_type_name(u_char type); 365 static const char *sppp_dotted_quad(u_int32_t addr); 366 static const char *sppp_ipcp_opt_name(u_char opt); 367 #ifdef INET6 368 static const char *sppp_ipv6cp_opt_name(u_char opt); 369 #endif 370 static const char *sppp_lcp_opt_name(u_char opt); 371 static const char *sppp_phase_name(int phase); 372 static const char *sppp_proto_name(u_short proto); 373 static const char *sppp_state_name(int state); 374 static int sppp_params(struct sppp *sp, int cmd, void *data); 375 #ifdef INET 376 static void sppp_get_ip_addrs(struct sppp *sp, u_int32_t *src, u_int32_t *dst, 377 u_int32_t *srcmask); 378 static void sppp_set_ip_addrs(struct sppp *sp, u_int32_t myaddr, u_int32_t hisaddr); 379 static void sppp_clear_ip_addrs(struct sppp *sp); 380 #endif 381 static void sppp_keepalive(void *dummy); 382 static void sppp_phase_network(struct sppp *sp); 383 static void sppp_print_bytes(const u_char *p, u_short len); 384 static void sppp_print_string(const char *p, u_short len); 385 #ifdef INET6 386 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 387 struct in6_addr *dst, struct in6_addr *srcmask); 388 #ifdef IPV6CP_MYIFID_DYN 389 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 390 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 391 #endif 392 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 393 #endif 394 395 /* our control protocol descriptors */ 396 static const struct cp lcp = { 397 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 398 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 399 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 400 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 401 sppp_lcp_scr 402 }; 403 404 static const struct cp ipcp = { 405 PPP_IPCP, IDX_IPCP, 406 #ifdef INET 407 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 408 #else 409 0, 410 #endif 411 "ipcp", 412 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 413 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 414 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 415 sppp_ipcp_scr 416 }; 417 418 static const struct cp ipv6cp = { 419 PPP_IPV6CP, IDX_IPV6CP, 420 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 421 CP_NCP, 422 #else 423 0, 424 #endif 425 "ipv6cp", 426 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 427 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 428 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 429 sppp_ipv6cp_scr 430 }; 431 432 static const struct cp pap = { 433 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 434 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 435 sppp_pap_TO, 0, 0, 0, 436 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 437 sppp_pap_scr 438 }; 439 440 static const struct cp chap = { 441 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 442 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 443 sppp_chap_TO, 0, 0, 0, 444 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 445 sppp_chap_scr 446 }; 447 448 static const struct cp *cps[IDX_COUNT] = { 449 &lcp, /* IDX_LCP */ 450 &ipcp, /* IDX_IPCP */ 451 &ipv6cp, /* IDX_IPV6CP */ 452 &pap, /* IDX_PAP */ 453 &chap, /* IDX_CHAP */ 454 }; 455 456 457 void spppattach(int); 458 void 459 /*ARGSUSED*/ 460 spppattach(int count) 461 { 462 } 463 464 /* 465 * Exported functions, comprising our interface to the lower layer. 466 */ 467 468 /* 469 * Process the received packet. 470 */ 471 void 472 sppp_input(struct ifnet *ifp, struct mbuf *m) 473 { 474 struct ppp_header *h = NULL; 475 struct ifqueue *inq = 0; 476 u_int16_t protocol; 477 int s; 478 struct sppp *sp = (struct sppp *)ifp; 479 int debug = ifp->if_flags & IFF_DEBUG; 480 481 if (ifp->if_flags & IFF_UP) { 482 /* Count received bytes, add hardware framing */ 483 ifp->if_ibytes += m->m_pkthdr.len + sp->pp_framebytes; 484 /* Note time of last receive */ 485 sp->pp_last_receive = time_uptime; 486 } 487 488 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 489 /* Too small packet, drop it. */ 490 if (debug) 491 log(LOG_DEBUG, 492 "%s: input packet is too small, %d bytes\n", 493 ifp->if_xname, m->m_pkthdr.len); 494 drop: 495 ++ifp->if_ierrors; 496 ++ifp->if_iqdrops; 497 m_freem(m); 498 return; 499 } 500 501 if (sp->pp_flags & PP_NOFRAMING) { 502 memcpy(&protocol, mtod(m, void *), 2); 503 protocol = ntohs(protocol); 504 m_adj(m, 2); 505 } else { 506 507 /* Get PPP header. */ 508 h = mtod(m, struct ppp_header *); 509 m_adj(m, PPP_HEADER_LEN); 510 511 switch (h->address) { 512 case PPP_ALLSTATIONS: 513 if (h->control != PPP_UI) 514 goto invalid; 515 if (sp->pp_flags & PP_CISCO) { 516 if (debug) 517 log(LOG_DEBUG, 518 "%s: PPP packet in Cisco mode " 519 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 520 ifp->if_xname, 521 h->address, h->control, ntohs(h->protocol)); 522 goto drop; 523 } 524 break; 525 case CISCO_MULTICAST: 526 case CISCO_UNICAST: 527 /* Don't check the control field here (RFC 1547). */ 528 if (! (sp->pp_flags & PP_CISCO)) { 529 if (debug) 530 log(LOG_DEBUG, 531 "%s: Cisco packet in PPP mode " 532 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 533 ifp->if_xname, 534 h->address, h->control, ntohs(h->protocol)); 535 goto drop; 536 } 537 switch (ntohs(h->protocol)) { 538 default: 539 ++ifp->if_noproto; 540 goto invalid; 541 case CISCO_KEEPALIVE: 542 sppp_cisco_input((struct sppp *) ifp, m); 543 m_freem(m); 544 return; 545 #ifdef INET 546 case ETHERTYPE_IP: 547 schednetisr(NETISR_IP); 548 inq = &ipintrq; 549 break; 550 #endif 551 #ifdef INET6 552 case ETHERTYPE_IPV6: 553 schednetisr(NETISR_IPV6); 554 inq = &ip6intrq; 555 break; 556 #endif 557 #ifdef IPX 558 case ETHERTYPE_IPX: 559 schednetisr(NETISR_IPX); 560 inq = &ipxintrq; 561 break; 562 #endif 563 } 564 goto queue_pkt; 565 default: /* Invalid PPP packet. */ 566 invalid: 567 if (debug) 568 log(LOG_DEBUG, 569 "%s: invalid input packet " 570 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 571 ifp->if_xname, 572 h->address, h->control, ntohs(h->protocol)); 573 goto drop; 574 } 575 protocol = ntohs(h->protocol); 576 } 577 578 switch (protocol) { 579 default: 580 if (sp->state[IDX_LCP] == STATE_OPENED) { 581 u_int16_t prot = htons(protocol); 582 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 583 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 584 &prot); 585 } 586 if (debug) 587 log(LOG_DEBUG, 588 "%s: invalid input protocol " 589 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol)); 590 ++ifp->if_noproto; 591 goto drop; 592 case PPP_LCP: 593 sppp_cp_input(&lcp, sp, m); 594 m_freem(m); 595 return; 596 case PPP_PAP: 597 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 598 sppp_pap_input(sp, m); 599 m_freem(m); 600 return; 601 case PPP_CHAP: 602 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 603 sppp_chap_input(sp, m); 604 m_freem(m); 605 return; 606 #ifdef INET 607 case PPP_IPCP: 608 if (sp->pp_phase == SPPP_PHASE_NETWORK) 609 sppp_cp_input(&ipcp, sp, m); 610 m_freem(m); 611 return; 612 case PPP_IP: 613 if (sp->state[IDX_IPCP] == STATE_OPENED) { 614 schednetisr(NETISR_IP); 615 inq = &ipintrq; 616 sp->pp_last_activity = time_uptime; 617 } 618 break; 619 #endif 620 #ifdef INET6 621 case PPP_IPV6CP: 622 if (sp->pp_phase == SPPP_PHASE_NETWORK) 623 sppp_cp_input(&ipv6cp, sp, m); 624 m_freem(m); 625 return; 626 627 case PPP_IPV6: 628 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 629 schednetisr(NETISR_IPV6); 630 inq = &ip6intrq; 631 sp->pp_last_activity = time_uptime; 632 } 633 break; 634 #endif 635 #ifdef IPX 636 case PPP_IPX: 637 /* IPX IPXCP not implemented yet */ 638 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 639 schednetisr(NETISR_IPX); 640 inq = &ipxintrq; 641 } 642 break; 643 #endif 644 #ifdef ISO 645 case PPP_ISO: 646 /* OSI NLCP not implemented yet */ 647 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 648 schednetisr(NETISR_ISO); 649 inq = &clnlintrq; 650 } 651 break; 652 #endif 653 } 654 655 queue_pkt: 656 if (! (ifp->if_flags & IFF_UP) || ! inq) 657 goto drop; 658 659 /* Check queue. */ 660 s = splnet(); 661 if (IF_QFULL(inq)) { 662 /* Queue overflow. */ 663 IF_DROP(inq); 664 splx(s); 665 if (debug) 666 log(LOG_DEBUG, "%s: protocol queue overflow\n", 667 ifp->if_xname); 668 goto drop; 669 } 670 IF_ENQUEUE(inq, m); 671 splx(s); 672 } 673 674 /* 675 * Enqueue transmit packet. 676 */ 677 static int 678 sppp_output(struct ifnet *ifp, struct mbuf *m, 679 struct sockaddr *dst, struct rtentry *rt) 680 { 681 struct sppp *sp = (struct sppp *) ifp; 682 struct ppp_header *h = NULL; 683 struct ifqueue *ifq = NULL; /* XXX */ 684 int s, error = 0; 685 u_int16_t protocol; 686 ALTQ_DECL(struct altq_pktattr pktattr;) 687 688 s = splnet(); 689 690 sp->pp_last_activity = time_uptime; 691 692 if ((ifp->if_flags & IFF_UP) == 0 || 693 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 694 m_freem(m); 695 splx(s); 696 return (ENETDOWN); 697 } 698 699 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 700 /* 701 * Interface is not yet running, but auto-dial. Need 702 * to start LCP for it. 703 */ 704 ifp->if_flags |= IFF_RUNNING; 705 splx(s); 706 lcp.Open(sp); 707 s = splnet(); 708 } 709 710 /* 711 * If the queueing discipline needs packet classification, 712 * do it before prepending link headers. 713 */ 714 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family, &pktattr); 715 716 #ifdef INET 717 if (dst->sa_family == AF_INET) { 718 struct ip *ip = NULL; 719 struct tcphdr *th = NULL; 720 721 if (m->m_len >= sizeof(struct ip)) { 722 ip = mtod(m, struct ip *); 723 if (ip->ip_p == IPPROTO_TCP && 724 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 725 sizeof(struct tcphdr)) { 726 th = (struct tcphdr *) 727 ((caddr_t)ip + (ip->ip_hl << 2)); 728 } 729 } else 730 ip = NULL; 731 732 /* 733 * When using dynamic local IP address assignment by using 734 * 0.0.0.0 as a local address, the first TCP session will 735 * not connect because the local TCP checksum is computed 736 * using 0.0.0.0 which will later become our real IP address 737 * so the TCP checksum computed at the remote end will 738 * become invalid. So we 739 * - don't let packets with src ip addr 0 thru 740 * - we flag TCP packets with src ip 0 as an error 741 */ 742 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 743 u_int8_t proto = ip->ip_p; 744 745 m_freem(m); 746 splx(s); 747 if (proto == IPPROTO_TCP) 748 return (EADDRNOTAVAIL); 749 else 750 return (0); 751 } 752 753 /* 754 * Put low delay, telnet, rlogin and ftp control packets 755 * in front of the queue. 756 */ 757 758 if (!IF_QFULL(&sp->pp_fastq) && 759 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 760 (th && (INTERACTIVE(ntohs(th->th_sport)) || 761 INTERACTIVE(ntohs(th->th_dport)))))) 762 ifq = &sp->pp_fastq; 763 } 764 #endif 765 766 #ifdef INET6 767 if (dst->sa_family == AF_INET6) { 768 /* XXX do something tricky here? */ 769 } 770 #endif 771 772 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 773 /* 774 * Prepend general data packet PPP header. For now, IP only. 775 */ 776 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 777 if (! m) { 778 if (ifp->if_flags & IFF_DEBUG) 779 log(LOG_DEBUG, "%s: no memory for transmit header\n", 780 ifp->if_xname); 781 ++ifp->if_oerrors; 782 splx(s); 783 return (ENOBUFS); 784 } 785 /* 786 * May want to check size of packet 787 * (albeit due to the implementation it's always enough) 788 */ 789 h = mtod(m, struct ppp_header *); 790 if (sp->pp_flags & PP_CISCO) { 791 h->address = CISCO_UNICAST; /* unicast address */ 792 h->control = 0; 793 } else { 794 h->address = PPP_ALLSTATIONS; /* broadcast address */ 795 h->control = PPP_UI; /* Unnumbered Info */ 796 } 797 } 798 799 switch (dst->sa_family) { 800 #ifdef INET 801 case AF_INET: /* Internet Protocol */ 802 if (sp->pp_flags & PP_CISCO) 803 protocol = htons(ETHERTYPE_IP); 804 else { 805 /* 806 * Don't choke with an ENETDOWN early. It's 807 * possible that we just started dialing out, 808 * so don't drop the packet immediately. If 809 * we notice that we run out of buffer space 810 * below, we will however remember that we are 811 * not ready to carry IP packets, and return 812 * ENETDOWN, as opposed to ENOBUFS. 813 */ 814 protocol = htons(PPP_IP); 815 if (sp->state[IDX_IPCP] != STATE_OPENED) 816 error = ENETDOWN; 817 } 818 break; 819 #endif 820 #ifdef INET6 821 case AF_INET6: /* Internet Protocol version 6 */ 822 if (sp->pp_flags & PP_CISCO) 823 protocol = htons(ETHERTYPE_IPV6); 824 else { 825 /* 826 * Don't choke with an ENETDOWN early. It's 827 * possible that we just started dialing out, 828 * so don't drop the packet immediately. If 829 * we notice that we run out of buffer space 830 * below, we will however remember that we are 831 * not ready to carry IP packets, and return 832 * ENETDOWN, as opposed to ENOBUFS. 833 */ 834 protocol = htons(PPP_IPV6); 835 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 836 error = ENETDOWN; 837 } 838 break; 839 #endif 840 #ifdef IPX 841 case AF_IPX: /* Novell IPX Protocol */ 842 protocol = htons((sp->pp_flags & PP_CISCO) ? 843 ETHERTYPE_IPX : PPP_IPX); 844 break; 845 #endif 846 #ifdef ISO 847 case AF_ISO: /* ISO OSI Protocol */ 848 if (sp->pp_flags & PP_CISCO) 849 goto nosupport; 850 protocol = htons(PPP_ISO); 851 break; 852 nosupport: 853 #endif 854 default: 855 m_freem(m); 856 ++ifp->if_oerrors; 857 splx(s); 858 return (EAFNOSUPPORT); 859 } 860 861 if (sp->pp_flags & PP_NOFRAMING) { 862 M_PREPEND(m, 2, M_DONTWAIT); 863 if (m == NULL) { 864 if (ifp->if_flags & IFF_DEBUG) 865 log(LOG_DEBUG, "%s: no memory for transmit header\n", 866 ifp->if_xname); 867 ++ifp->if_oerrors; 868 splx(s); 869 return (ENOBUFS); 870 } 871 *mtod(m, u_int16_t *) = protocol; 872 } else { 873 h->protocol = protocol; 874 } 875 876 877 error = ifq_enqueue2(ifp, ifq, m ALTQ_COMMA ALTQ_DECL(&pktattr)); 878 879 if (error == 0) { 880 /* 881 * Count output packets and bytes. 882 * The packet length includes header + additional hardware 883 * framing according to RFC 1333. 884 */ 885 if (!(ifp->if_flags & IFF_OACTIVE)) 886 (*ifp->if_start)(ifp); 887 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 888 } 889 splx(s); 890 return error; 891 } 892 893 void 894 sppp_attach(struct ifnet *ifp) 895 { 896 struct sppp *sp = (struct sppp *) ifp; 897 898 /* Initialize keepalive handler. */ 899 if (! spppq) { 900 callout_init(&keepalive_ch); 901 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 902 } 903 904 /* Insert new entry into the keepalive list. */ 905 sp->pp_next = spppq; 906 spppq = sp; 907 908 sp->pp_if.if_type = IFT_PPP; 909 sp->pp_if.if_output = sppp_output; 910 sp->pp_fastq.ifq_maxlen = 32; 911 sp->pp_cpq.ifq_maxlen = 20; 912 sp->pp_loopcnt = 0; 913 sp->pp_alivecnt = 0; 914 sp->pp_last_activity = 0; 915 sp->pp_last_receive = 0; 916 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 917 sp->pp_max_noreceive = DEFAULT_NORECV_TIME; 918 sp->pp_idle_timeout = 0; 919 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq)); 920 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq)); 921 sp->pp_auth_failures = 0; 922 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 923 sp->pp_phase = SPPP_PHASE_DEAD; 924 sp->pp_up = lcp.Up; 925 sp->pp_down = lcp.Down; 926 927 if_alloc_sadl(ifp); 928 929 memset(&sp->myauth, 0, sizeof sp->myauth); 930 memset(&sp->hisauth, 0, sizeof sp->hisauth); 931 sppp_lcp_init(sp); 932 sppp_ipcp_init(sp); 933 sppp_ipv6cp_init(sp); 934 sppp_pap_init(sp); 935 sppp_chap_init(sp); 936 } 937 938 void 939 sppp_detach(struct ifnet *ifp) 940 { 941 struct sppp **q, *p, *sp = (struct sppp *) ifp; 942 int i; 943 944 /* Remove the entry from the keepalive list. */ 945 for (q = &spppq; (p = *q); q = &p->pp_next) 946 if (p == sp) { 947 *q = p->pp_next; 948 break; 949 } 950 951 /* Stop keepalive handler. */ 952 if (! spppq) { 953 callout_stop(&keepalive_ch); 954 } 955 956 for (i = 0; i < IDX_COUNT; i++) { 957 callout_stop(&sp->ch[i]); 958 } 959 callout_stop(&sp->pap_my_to_ch); 960 961 /* free authentication info */ 962 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 963 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 964 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 965 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 966 967 #if 0 /* done in if_detach() */ 968 if_free_sadl(ifp); 969 #endif 970 } 971 972 /* 973 * Flush the interface output queue. 974 */ 975 void 976 sppp_flush(struct ifnet *ifp) 977 { 978 struct sppp *sp = (struct sppp *) ifp; 979 980 IFQ_PURGE(&sp->pp_if.if_snd); 981 IF_PURGE(&sp->pp_fastq); 982 IF_PURGE(&sp->pp_cpq); 983 } 984 985 /* 986 * Check if the output queue is empty. 987 */ 988 int 989 sppp_isempty(struct ifnet *ifp) 990 { 991 struct sppp *sp = (struct sppp *) ifp; 992 int empty, s; 993 994 s = splnet(); 995 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 996 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 997 splx(s); 998 return (empty); 999 } 1000 1001 /* 1002 * Get next packet to send. 1003 */ 1004 struct mbuf * 1005 sppp_dequeue(struct ifnet *ifp) 1006 { 1007 struct sppp *sp = (struct sppp *) ifp; 1008 struct mbuf *m; 1009 int s; 1010 1011 s = splnet(); 1012 /* 1013 * Process only the control protocol queue until we have at 1014 * least one NCP open. 1015 * 1016 * Do always serve all three queues in Cisco mode. 1017 */ 1018 IF_DEQUEUE(&sp->pp_cpq, m); 1019 if (m == NULL && 1020 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) { 1021 IF_DEQUEUE(&sp->pp_fastq, m); 1022 if (m == NULL) 1023 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 1024 } 1025 splx(s); 1026 return m; 1027 } 1028 1029 /* 1030 * Process an ioctl request. Called on low priority level. 1031 */ 1032 int 1033 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1034 { 1035 struct lwp *l = curlwp; /* XXX */ 1036 struct ifreq *ifr = (struct ifreq *) data; 1037 struct sppp *sp = (struct sppp *) ifp; 1038 int s, error=0, going_up, going_down, newmode; 1039 1040 s = splnet(); 1041 switch (cmd) { 1042 case SIOCAIFADDR: 1043 case SIOCSIFDSTADDR: 1044 case SIOCSIFADDR: 1045 break; 1046 1047 case SIOCSIFFLAGS: 1048 going_up = ifp->if_flags & IFF_UP && 1049 (ifp->if_flags & IFF_RUNNING) == 0; 1050 going_down = (ifp->if_flags & IFF_UP) == 0 && 1051 ifp->if_flags & IFF_RUNNING; 1052 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1053 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1054 /* sanity */ 1055 newmode = IFF_PASSIVE; 1056 ifp->if_flags &= ~IFF_AUTO; 1057 } 1058 1059 if (going_up || going_down) 1060 lcp.Close(sp); 1061 if (going_up && newmode == 0) { 1062 /* neither auto-dial nor passive */ 1063 ifp->if_flags |= IFF_RUNNING; 1064 if (!(sp->pp_flags & PP_CISCO)) 1065 lcp.Open(sp); 1066 } else if (going_down) { 1067 sppp_flush(ifp); 1068 ifp->if_flags &= ~IFF_RUNNING; 1069 } 1070 1071 break; 1072 1073 #ifdef SIOCSIFMTU 1074 #ifndef ifr_mtu 1075 #define ifr_mtu ifr_metric 1076 #endif 1077 case SIOCSIFMTU: 1078 if (ifr->ifr_mtu < 128 || ifr->ifr_mtu > sp->lcp.their_mru) { 1079 error = EINVAL; 1080 break; 1081 } 1082 1083 ifp->if_mtu = ifr->ifr_mtu; 1084 break; 1085 #endif 1086 #ifdef SLIOCSETMTU 1087 case SLIOCSETMTU: 1088 if (*(short *)data < 128 || *(short *)data > sp->lcp.their_mru) 1089 { 1090 error = EINVAL; 1091 break; 1092 } 1093 1094 ifp->if_mtu = *(short *)data; 1095 break; 1096 #endif 1097 #ifdef SIOCGIFMTU 1098 case SIOCGIFMTU: 1099 ifr->ifr_mtu = ifp->if_mtu; 1100 break; 1101 #endif 1102 #ifdef SLIOCGETMTU 1103 case SLIOCGETMTU: 1104 *(short *)data = ifp->if_mtu; 1105 break; 1106 #endif 1107 case SIOCADDMULTI: 1108 case SIOCDELMULTI: 1109 break; 1110 1111 case SPPPSETAUTHCFG: 1112 case SPPPSETLCPCFG: 1113 case SPPPSETIDLETO: 1114 case SPPPSETAUTHFAILURE: 1115 case SPPPSETDNSOPTS: 1116 case SPPPSETKEEPALIVE: 1117 error = kauth_authorize_network(l->l_cred, 1118 KAUTH_NETWORK_INTERFACE, 1119 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1120 NULL); 1121 if (error) 1122 break; 1123 error = sppp_params(sp, cmd, data); 1124 break; 1125 1126 case SPPPGETAUTHCFG: 1127 case SPPPGETLCPCFG: 1128 case SPPPGETAUTHFAILURES: 1129 error = kauth_authorize_network(l->l_cred, 1130 KAUTH_NETWORK_INTERFACE, 1131 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1132 NULL); 1133 if (error) 1134 break; 1135 error = sppp_params(sp, cmd, data); 1136 break; 1137 1138 case SPPPGETSTATUS: 1139 case SPPPGETSTATUSNCP: 1140 case SPPPGETIDLETO: 1141 case SPPPGETDNSOPTS: 1142 case SPPPGETDNSADDRS: 1143 case SPPPGETKEEPALIVE: 1144 error = sppp_params(sp, cmd, data); 1145 break; 1146 1147 default: 1148 error = ENOTTY; 1149 } 1150 splx(s); 1151 return (error); 1152 } 1153 1154 1155 /* 1156 * Cisco framing implementation. 1157 */ 1158 1159 /* 1160 * Handle incoming Cisco keepalive protocol packets. 1161 */ 1162 static void 1163 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1164 { 1165 STDDCL; 1166 struct cisco_packet *h; 1167 #ifdef INET 1168 u_int32_t me, mymask = 0; /* XXX: GCC */ 1169 #endif 1170 1171 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1172 if (debug) 1173 log(LOG_DEBUG, 1174 "%s: cisco invalid packet length: %d bytes\n", 1175 ifp->if_xname, m->m_pkthdr.len); 1176 return; 1177 } 1178 h = mtod(m, struct cisco_packet *); 1179 if (debug) 1180 log(LOG_DEBUG, 1181 "%s: cisco input: %d bytes " 1182 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1183 ifp->if_xname, m->m_pkthdr.len, 1184 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1185 (u_int)h->time0, (u_int)h->time1); 1186 switch (ntohl(h->type)) { 1187 default: 1188 if (debug) 1189 addlog("%s: cisco unknown packet type: 0x%x\n", 1190 ifp->if_xname, ntohl(h->type)); 1191 break; 1192 case CISCO_ADDR_REPLY: 1193 /* Reply on address request, ignore */ 1194 break; 1195 case CISCO_KEEPALIVE_REQ: 1196 sp->pp_alivecnt = 0; 1197 sp->pp_rseq[IDX_LCP] = ntohl(h->par1); 1198 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1199 /* Local and remote sequence numbers are equal. 1200 * Probably, the line is in loopback mode. */ 1201 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1202 printf ("%s: loopback\n", 1203 ifp->if_xname); 1204 sp->pp_loopcnt = 0; 1205 if (ifp->if_flags & IFF_UP) { 1206 if_down(ifp); 1207 IF_PURGE(&sp->pp_cpq); 1208 } 1209 } 1210 ++sp->pp_loopcnt; 1211 1212 /* Generate new local sequence number */ 1213 sp->pp_seq[IDX_LCP] = arc4random(); 1214 break; 1215 } 1216 sp->pp_loopcnt = 0; 1217 if (! (ifp->if_flags & IFF_UP) && 1218 (ifp->if_flags & IFF_RUNNING)) { 1219 if_up(ifp); 1220 } 1221 break; 1222 case CISCO_ADDR_REQ: 1223 #ifdef INET 1224 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1225 if (me != 0L) 1226 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1227 #endif 1228 break; 1229 } 1230 } 1231 1232 /* 1233 * Send Cisco keepalive packet. 1234 */ 1235 static void 1236 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1237 { 1238 STDDCL; 1239 struct ppp_header *h; 1240 struct cisco_packet *ch; 1241 struct mbuf *m; 1242 u_int32_t t; 1243 1244 t = time_uptime * 1000; 1245 MGETHDR(m, M_DONTWAIT, MT_DATA); 1246 if (! m) 1247 return; 1248 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1249 m->m_pkthdr.rcvif = 0; 1250 1251 h = mtod(m, struct ppp_header *); 1252 h->address = CISCO_MULTICAST; 1253 h->control = 0; 1254 h->protocol = htons(CISCO_KEEPALIVE); 1255 1256 ch = (struct cisco_packet *)(h + 1); 1257 ch->type = htonl(type); 1258 ch->par1 = htonl(par1); 1259 ch->par2 = htonl(par2); 1260 ch->rel = -1; 1261 1262 ch->time0 = htons((u_short)(t >> 16)); 1263 ch->time1 = htons((u_short) t); 1264 1265 if (debug) 1266 log(LOG_DEBUG, 1267 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1268 ifp->if_xname, ntohl(ch->type), ch->par1, 1269 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1270 (u_int)ch->time1); 1271 1272 if (IF_QFULL(&sp->pp_cpq)) { 1273 IF_DROP(&sp->pp_fastq); 1274 IF_DROP(&ifp->if_snd); 1275 m_freem(m); 1276 ++ifp->if_oerrors; 1277 return; 1278 } else 1279 IF_ENQUEUE(&sp->pp_cpq, m); 1280 if (! (ifp->if_flags & IFF_OACTIVE)) 1281 (*ifp->if_start)(ifp); 1282 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1283 } 1284 1285 /* 1286 * PPP protocol implementation. 1287 */ 1288 1289 /* 1290 * Send PPP control protocol packet. 1291 */ 1292 static void 1293 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1294 u_char ident, u_short len, void *data) 1295 { 1296 STDDCL; 1297 struct lcp_header *lh; 1298 struct mbuf *m; 1299 size_t pkthdrlen; 1300 1301 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1302 1303 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1304 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1305 MGETHDR(m, M_DONTWAIT, MT_DATA); 1306 if (! m) 1307 return; 1308 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1309 m->m_pkthdr.rcvif = 0; 1310 1311 if (sp->pp_flags & PP_NOFRAMING) { 1312 *mtod(m, u_int16_t *) = htons(proto); 1313 lh = (struct lcp_header *)(mtod(m, u_int8_t *) + 2); 1314 } else { 1315 struct ppp_header *h; 1316 h = mtod(m, struct ppp_header *); 1317 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1318 h->control = PPP_UI; /* Unnumbered Info */ 1319 h->protocol = htons(proto); /* Link Control Protocol */ 1320 lh = (struct lcp_header *)(h + 1); 1321 } 1322 lh->type = type; 1323 lh->ident = ident; 1324 lh->len = htons(LCP_HEADER_LEN + len); 1325 if (len) 1326 bcopy (data, lh + 1, len); 1327 1328 if (debug) { 1329 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1330 ifp->if_xname, 1331 sppp_proto_name(proto), 1332 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len)); 1333 if (len) 1334 sppp_print_bytes((u_char *)(lh + 1), len); 1335 addlog(">\n"); 1336 } 1337 if (IF_QFULL(&sp->pp_cpq)) { 1338 IF_DROP(&sp->pp_fastq); 1339 IF_DROP(&ifp->if_snd); 1340 m_freem(m); 1341 ++ifp->if_oerrors; 1342 return; 1343 } else 1344 IF_ENQUEUE(&sp->pp_cpq, m); 1345 if (! (ifp->if_flags & IFF_OACTIVE)) 1346 (*ifp->if_start)(ifp); 1347 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1348 } 1349 1350 /* 1351 * Handle incoming PPP control protocol packets. 1352 */ 1353 static void 1354 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1355 { 1356 STDDCL; 1357 struct lcp_header *h; 1358 int printlen, len = m->m_pkthdr.len; 1359 int rv; 1360 u_char *p; 1361 u_int32_t u32; 1362 1363 if (len < 4) { 1364 if (debug) 1365 log(LOG_DEBUG, 1366 "%s: %s invalid packet length: %d bytes\n", 1367 ifp->if_xname, cp->name, len); 1368 return; 1369 } 1370 h = mtod(m, struct lcp_header *); 1371 if (debug) { 1372 printlen = ntohs(h->len); 1373 log(LOG_DEBUG, 1374 "%s: %s input(%s): <%s id=0x%x len=%d", 1375 ifp->if_xname, cp->name, 1376 sppp_state_name(sp->state[cp->protoidx]), 1377 sppp_cp_type_name(h->type), h->ident, printlen); 1378 if (len < printlen) 1379 printlen = len; 1380 if (printlen > 4) 1381 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1382 addlog(">\n"); 1383 } 1384 if (len > ntohs(h->len)) 1385 len = ntohs(h->len); 1386 p = (u_char *)(h + 1); 1387 switch (h->type) { 1388 case CONF_REQ: 1389 if (len < 4) { 1390 if (debug) 1391 addlog("%s: %s invalid conf-req length %d\n", 1392 ifp->if_xname, cp->name, 1393 len); 1394 ++ifp->if_ierrors; 1395 break; 1396 } 1397 /* handle states where RCR doesn't get a SCA/SCN */ 1398 switch (sp->state[cp->protoidx]) { 1399 case STATE_CLOSING: 1400 case STATE_STOPPING: 1401 return; 1402 case STATE_CLOSED: 1403 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1404 0, 0); 1405 return; 1406 } 1407 rv = (cp->RCR)(sp, h, len); 1408 if (rv < 0) { 1409 /* fatal error, shut down */ 1410 (cp->tld)(sp); 1411 sppp_lcp_tlf(sp); 1412 return; 1413 } 1414 switch (sp->state[cp->protoidx]) { 1415 case STATE_OPENED: 1416 (cp->tld)(sp); 1417 (cp->scr)(sp); 1418 /* fall through... */ 1419 case STATE_ACK_SENT: 1420 case STATE_REQ_SENT: 1421 sppp_cp_change_state(cp, sp, rv? 1422 STATE_ACK_SENT: STATE_REQ_SENT); 1423 break; 1424 case STATE_STOPPED: 1425 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1426 (cp->scr)(sp); 1427 sppp_cp_change_state(cp, sp, rv? 1428 STATE_ACK_SENT: STATE_REQ_SENT); 1429 break; 1430 case STATE_ACK_RCVD: 1431 if (rv) { 1432 sppp_cp_change_state(cp, sp, STATE_OPENED); 1433 if (debug) 1434 log(LOG_DEBUG, "%s: %s tlu\n", 1435 ifp->if_xname, 1436 cp->name); 1437 (cp->tlu)(sp); 1438 } else 1439 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1440 break; 1441 default: 1442 printf("%s: %s illegal %s in state %s\n", 1443 ifp->if_xname, cp->name, 1444 sppp_cp_type_name(h->type), 1445 sppp_state_name(sp->state[cp->protoidx])); 1446 ++ifp->if_ierrors; 1447 } 1448 break; 1449 case CONF_ACK: 1450 if (h->ident != sp->confid[cp->protoidx]) { 1451 if (debug) 1452 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1453 ifp->if_xname, cp->name, 1454 h->ident, sp->confid[cp->protoidx]); 1455 ++ifp->if_ierrors; 1456 break; 1457 } 1458 switch (sp->state[cp->protoidx]) { 1459 case STATE_CLOSED: 1460 case STATE_STOPPED: 1461 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1462 break; 1463 case STATE_CLOSING: 1464 case STATE_STOPPING: 1465 break; 1466 case STATE_REQ_SENT: 1467 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1468 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1469 break; 1470 case STATE_OPENED: 1471 (cp->tld)(sp); 1472 /* fall through */ 1473 case STATE_ACK_RCVD: 1474 (cp->scr)(sp); 1475 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1476 break; 1477 case STATE_ACK_SENT: 1478 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1479 sppp_cp_change_state(cp, sp, STATE_OPENED); 1480 if (debug) 1481 log(LOG_DEBUG, "%s: %s tlu\n", 1482 ifp->if_xname, cp->name); 1483 (cp->tlu)(sp); 1484 break; 1485 default: 1486 printf("%s: %s illegal %s in state %s\n", 1487 ifp->if_xname, cp->name, 1488 sppp_cp_type_name(h->type), 1489 sppp_state_name(sp->state[cp->protoidx])); 1490 ++ifp->if_ierrors; 1491 } 1492 break; 1493 case CONF_NAK: 1494 case CONF_REJ: 1495 if (h->ident != sp->confid[cp->protoidx]) { 1496 if (debug) 1497 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1498 ifp->if_xname, cp->name, 1499 h->ident, sp->confid[cp->protoidx]); 1500 ++ifp->if_ierrors; 1501 break; 1502 } 1503 if (h->type == CONF_NAK) 1504 (cp->RCN_nak)(sp, h, len); 1505 else /* CONF_REJ */ 1506 (cp->RCN_rej)(sp, h, len); 1507 1508 switch (sp->state[cp->protoidx]) { 1509 case STATE_CLOSED: 1510 case STATE_STOPPED: 1511 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1512 break; 1513 case STATE_REQ_SENT: 1514 case STATE_ACK_SENT: 1515 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1516 (cp->scr)(sp); 1517 break; 1518 case STATE_OPENED: 1519 (cp->tld)(sp); 1520 /* fall through */ 1521 case STATE_ACK_RCVD: 1522 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 1523 (cp->scr)(sp); 1524 break; 1525 case STATE_CLOSING: 1526 case STATE_STOPPING: 1527 break; 1528 default: 1529 printf("%s: %s illegal %s in state %s\n", 1530 ifp->if_xname, cp->name, 1531 sppp_cp_type_name(h->type), 1532 sppp_state_name(sp->state[cp->protoidx])); 1533 ++ifp->if_ierrors; 1534 } 1535 break; 1536 1537 case TERM_REQ: 1538 switch (sp->state[cp->protoidx]) { 1539 case STATE_ACK_RCVD: 1540 case STATE_ACK_SENT: 1541 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1542 /* fall through */ 1543 case STATE_CLOSED: 1544 case STATE_STOPPED: 1545 case STATE_CLOSING: 1546 case STATE_STOPPING: 1547 case STATE_REQ_SENT: 1548 sta: 1549 /* Send Terminate-Ack packet. */ 1550 if (debug) 1551 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 1552 ifp->if_xname, cp->name); 1553 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1554 break; 1555 case STATE_OPENED: 1556 (cp->tld)(sp); 1557 sp->rst_counter[cp->protoidx] = 0; 1558 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1559 goto sta; 1560 default: 1561 printf("%s: %s illegal %s in state %s\n", 1562 ifp->if_xname, cp->name, 1563 sppp_cp_type_name(h->type), 1564 sppp_state_name(sp->state[cp->protoidx])); 1565 ++ifp->if_ierrors; 1566 } 1567 break; 1568 case TERM_ACK: 1569 switch (sp->state[cp->protoidx]) { 1570 case STATE_CLOSED: 1571 case STATE_STOPPED: 1572 case STATE_REQ_SENT: 1573 case STATE_ACK_SENT: 1574 break; 1575 case STATE_CLOSING: 1576 (cp->tlf)(sp); 1577 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1578 sppp_lcp_check_and_close(sp); 1579 break; 1580 case STATE_STOPPING: 1581 (cp->tlf)(sp); 1582 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1583 sppp_lcp_check_and_close(sp); 1584 break; 1585 case STATE_ACK_RCVD: 1586 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1587 break; 1588 case STATE_OPENED: 1589 (cp->tld)(sp); 1590 (cp->scr)(sp); 1591 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1592 break; 1593 default: 1594 printf("%s: %s illegal %s in state %s\n", 1595 ifp->if_xname, cp->name, 1596 sppp_cp_type_name(h->type), 1597 sppp_state_name(sp->state[cp->protoidx])); 1598 ++ifp->if_ierrors; 1599 } 1600 break; 1601 case CODE_REJ: 1602 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1603 log(LOG_INFO, 1604 "%s: %s: ignoring RXJ (%s) for code ?, " 1605 "danger will robinson\n", 1606 ifp->if_xname, cp->name, 1607 sppp_cp_type_name(h->type)); 1608 switch (sp->state[cp->protoidx]) { 1609 case STATE_CLOSED: 1610 case STATE_STOPPED: 1611 case STATE_REQ_SENT: 1612 case STATE_ACK_SENT: 1613 case STATE_CLOSING: 1614 case STATE_STOPPING: 1615 case STATE_OPENED: 1616 break; 1617 case STATE_ACK_RCVD: 1618 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1619 break; 1620 default: 1621 printf("%s: %s illegal %s in state %s\n", 1622 ifp->if_xname, cp->name, 1623 sppp_cp_type_name(h->type), 1624 sppp_state_name(sp->state[cp->protoidx])); 1625 ++ifp->if_ierrors; 1626 } 1627 break; 1628 case PROTO_REJ: 1629 { 1630 int catastrophic; 1631 const struct cp *upper; 1632 int i; 1633 u_int16_t proto; 1634 1635 catastrophic = 0; 1636 upper = NULL; 1637 proto = p[0] << 8 | p[1]; 1638 for (i = 0; i < IDX_COUNT; i++) { 1639 if (cps[i]->proto == proto) { 1640 upper = cps[i]; 1641 break; 1642 } 1643 } 1644 if (upper == NULL) 1645 catastrophic++; 1646 1647 if (debug) 1648 log(LOG_INFO, 1649 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1650 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1651 sppp_cp_type_name(h->type), proto, 1652 upper ? upper->name : "unknown", 1653 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1654 1655 /* 1656 * if we got RXJ+ against conf-req, the peer does not implement 1657 * this particular protocol type. terminate the protocol. 1658 */ 1659 if (upper && !catastrophic) { 1660 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1661 upper->Close(sp); 1662 break; 1663 } 1664 } 1665 1666 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1667 switch (sp->state[cp->protoidx]) { 1668 case STATE_CLOSED: 1669 case STATE_STOPPED: 1670 case STATE_REQ_SENT: 1671 case STATE_ACK_SENT: 1672 case STATE_CLOSING: 1673 case STATE_STOPPING: 1674 case STATE_OPENED: 1675 break; 1676 case STATE_ACK_RCVD: 1677 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1678 break; 1679 default: 1680 printf("%s: %s illegal %s in state %s\n", 1681 ifp->if_xname, cp->name, 1682 sppp_cp_type_name(h->type), 1683 sppp_state_name(sp->state[cp->protoidx])); 1684 ++ifp->if_ierrors; 1685 } 1686 break; 1687 } 1688 case DISC_REQ: 1689 if (cp->proto != PPP_LCP) 1690 goto illegal; 1691 /* Discard the packet. */ 1692 break; 1693 case ECHO_REQ: 1694 if (cp->proto != PPP_LCP) 1695 goto illegal; 1696 if (sp->state[cp->protoidx] != STATE_OPENED) { 1697 if (debug) 1698 addlog("%s: lcp echo req but lcp closed\n", 1699 ifp->if_xname); 1700 ++ifp->if_ierrors; 1701 break; 1702 } 1703 if (len < 8) { 1704 if (debug) 1705 addlog("%s: invalid lcp echo request " 1706 "packet length: %d bytes\n", 1707 ifp->if_xname, len); 1708 break; 1709 } 1710 memcpy(&u32, h + 1, sizeof u32); 1711 if (ntohl(u32) == sp->lcp.magic) { 1712 /* Line loopback mode detected. */ 1713 printf("%s: loopback\n", ifp->if_xname); 1714 if_down(ifp); 1715 IF_PURGE(&sp->pp_cpq); 1716 1717 /* Shut down the PPP link. */ 1718 /* XXX */ 1719 lcp.Down(sp); 1720 lcp.Up(sp); 1721 break; 1722 } 1723 u32 = htonl(sp->lcp.magic); 1724 memcpy(h + 1, &u32, sizeof u32); 1725 if (debug) 1726 addlog("%s: got lcp echo req, sending echo rep\n", 1727 ifp->if_xname); 1728 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1729 h + 1); 1730 break; 1731 case ECHO_REPLY: 1732 if (cp->proto != PPP_LCP) 1733 goto illegal; 1734 if (h->ident != sp->lcp.echoid) { 1735 ++ifp->if_ierrors; 1736 break; 1737 } 1738 if (len < 8) { 1739 if (debug) 1740 addlog("%s: lcp invalid echo reply " 1741 "packet length: %d bytes\n", 1742 ifp->if_xname, len); 1743 break; 1744 } 1745 if (debug) 1746 addlog("%s: lcp got echo rep\n", 1747 ifp->if_xname); 1748 memcpy(&u32, h + 1, sizeof u32); 1749 if (ntohl(u32) != sp->lcp.magic) 1750 sp->pp_alivecnt = 0; 1751 break; 1752 default: 1753 /* Unknown packet type -- send Code-Reject packet. */ 1754 illegal: 1755 if (debug) 1756 addlog("%s: %s send code-rej for 0x%x\n", 1757 ifp->if_xname, cp->name, h->type); 1758 sppp_cp_send(sp, cp->proto, CODE_REJ, 1759 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1760 ++ifp->if_ierrors; 1761 } 1762 } 1763 1764 1765 /* 1766 * The generic part of all Up/Down/Open/Close/TO event handlers. 1767 * Basically, the state transition handling in the automaton. 1768 */ 1769 static void 1770 sppp_up_event(const struct cp *cp, struct sppp *sp) 1771 { 1772 STDDCL; 1773 1774 if (debug) 1775 log(LOG_DEBUG, "%s: %s up(%s)\n", 1776 ifp->if_xname, cp->name, 1777 sppp_state_name(sp->state[cp->protoidx])); 1778 1779 switch (sp->state[cp->protoidx]) { 1780 case STATE_INITIAL: 1781 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1782 break; 1783 case STATE_STARTING: 1784 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1785 (cp->scr)(sp); 1786 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1787 break; 1788 default: 1789 printf("%s: %s illegal up in state %s\n", 1790 ifp->if_xname, cp->name, 1791 sppp_state_name(sp->state[cp->protoidx])); 1792 } 1793 } 1794 1795 static void 1796 sppp_down_event(const struct cp *cp, struct sppp *sp) 1797 { 1798 STDDCL; 1799 1800 if (debug) 1801 log(LOG_DEBUG, "%s: %s down(%s)\n", 1802 ifp->if_xname, cp->name, 1803 sppp_state_name(sp->state[cp->protoidx])); 1804 1805 switch (sp->state[cp->protoidx]) { 1806 case STATE_CLOSED: 1807 case STATE_CLOSING: 1808 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1809 break; 1810 case STATE_STOPPED: 1811 (cp->tls)(sp); 1812 /* fall through */ 1813 case STATE_STOPPING: 1814 case STATE_REQ_SENT: 1815 case STATE_ACK_RCVD: 1816 case STATE_ACK_SENT: 1817 sppp_cp_change_state(cp, sp, STATE_STARTING); 1818 break; 1819 case STATE_OPENED: 1820 (cp->tld)(sp); 1821 sppp_cp_change_state(cp, sp, STATE_STARTING); 1822 break; 1823 default: 1824 printf("%s: %s illegal down in state %s\n", 1825 ifp->if_xname, cp->name, 1826 sppp_state_name(sp->state[cp->protoidx])); 1827 } 1828 } 1829 1830 1831 static void 1832 sppp_open_event(const struct cp *cp, struct sppp *sp) 1833 { 1834 STDDCL; 1835 1836 if (debug) 1837 log(LOG_DEBUG, "%s: %s open(%s)\n", 1838 ifp->if_xname, cp->name, 1839 sppp_state_name(sp->state[cp->protoidx])); 1840 1841 switch (sp->state[cp->protoidx]) { 1842 case STATE_INITIAL: 1843 sppp_cp_change_state(cp, sp, STATE_STARTING); 1844 (cp->tls)(sp); 1845 break; 1846 case STATE_STARTING: 1847 break; 1848 case STATE_CLOSED: 1849 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1850 (cp->scr)(sp); 1851 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1852 break; 1853 case STATE_STOPPED: 1854 case STATE_STOPPING: 1855 case STATE_REQ_SENT: 1856 case STATE_ACK_RCVD: 1857 case STATE_ACK_SENT: 1858 case STATE_OPENED: 1859 break; 1860 case STATE_CLOSING: 1861 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1862 break; 1863 } 1864 } 1865 1866 1867 static void 1868 sppp_close_event(const struct cp *cp, struct sppp *sp) 1869 { 1870 STDDCL; 1871 1872 if (debug) 1873 log(LOG_DEBUG, "%s: %s close(%s)\n", 1874 ifp->if_xname, cp->name, 1875 sppp_state_name(sp->state[cp->protoidx])); 1876 1877 switch (sp->state[cp->protoidx]) { 1878 case STATE_INITIAL: 1879 case STATE_CLOSED: 1880 case STATE_CLOSING: 1881 break; 1882 case STATE_STARTING: 1883 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1884 (cp->tlf)(sp); 1885 break; 1886 case STATE_STOPPED: 1887 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1888 break; 1889 case STATE_STOPPING: 1890 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1891 break; 1892 case STATE_OPENED: 1893 (cp->tld)(sp); 1894 /* fall through */ 1895 case STATE_REQ_SENT: 1896 case STATE_ACK_RCVD: 1897 case STATE_ACK_SENT: 1898 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 1899 sppp_cp_send(sp, cp->proto, TERM_REQ, 1900 ++sp->pp_seq[cp->protoidx], 0, 0); 1901 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1902 break; 1903 } 1904 } 1905 1906 static void 1907 sppp_to_event(const struct cp *cp, struct sppp *sp) 1908 { 1909 STDDCL; 1910 int s; 1911 1912 s = splnet(); 1913 if (debug) 1914 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 1915 ifp->if_xname, cp->name, 1916 sppp_state_name(sp->state[cp->protoidx]), 1917 sp->rst_counter[cp->protoidx]); 1918 1919 if (--sp->rst_counter[cp->protoidx] < 0) 1920 /* TO- event */ 1921 switch (sp->state[cp->protoidx]) { 1922 case STATE_CLOSING: 1923 (cp->tlf)(sp); 1924 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1925 sppp_lcp_check_and_close(sp); 1926 break; 1927 case STATE_STOPPING: 1928 (cp->tlf)(sp); 1929 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1930 sppp_lcp_check_and_close(sp); 1931 break; 1932 case STATE_REQ_SENT: 1933 case STATE_ACK_RCVD: 1934 case STATE_ACK_SENT: 1935 (cp->tlf)(sp); 1936 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1937 sppp_lcp_check_and_close(sp); 1938 break; 1939 } 1940 else 1941 /* TO+ event */ 1942 switch (sp->state[cp->protoidx]) { 1943 case STATE_CLOSING: 1944 case STATE_STOPPING: 1945 sppp_cp_send(sp, cp->proto, TERM_REQ, 1946 ++sp->pp_seq[cp->protoidx], 0, 0); 1947 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1948 cp->TO, sp); 1949 break; 1950 case STATE_REQ_SENT: 1951 case STATE_ACK_RCVD: 1952 (cp->scr)(sp); 1953 /* sppp_cp_change_state() will restart the timer */ 1954 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1955 break; 1956 case STATE_ACK_SENT: 1957 (cp->scr)(sp); 1958 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1959 cp->TO, sp); 1960 break; 1961 } 1962 1963 splx(s); 1964 } 1965 1966 /* 1967 * Change the state of a control protocol in the state automaton. 1968 * Takes care of starting/stopping the restart timer. 1969 */ 1970 void 1971 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 1972 { 1973 sp->state[cp->protoidx] = newstate; 1974 callout_stop(&sp->ch[cp->protoidx]); 1975 switch (newstate) { 1976 case STATE_INITIAL: 1977 case STATE_STARTING: 1978 case STATE_CLOSED: 1979 case STATE_STOPPED: 1980 case STATE_OPENED: 1981 break; 1982 case STATE_CLOSING: 1983 case STATE_STOPPING: 1984 case STATE_REQ_SENT: 1985 case STATE_ACK_RCVD: 1986 case STATE_ACK_SENT: 1987 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1988 cp->TO, sp); 1989 break; 1990 } 1991 } 1992 1993 /* 1994 *--------------------------------------------------------------------------* 1995 * * 1996 * The LCP implementation. * 1997 * * 1998 *--------------------------------------------------------------------------* 1999 */ 2000 static void 2001 sppp_lcp_init(struct sppp *sp) 2002 { 2003 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2004 sp->lcp.magic = 0; 2005 sp->state[IDX_LCP] = STATE_INITIAL; 2006 sp->fail_counter[IDX_LCP] = 0; 2007 sp->pp_seq[IDX_LCP] = 0; 2008 sp->pp_rseq[IDX_LCP] = 0; 2009 sp->lcp.protos = 0; 2010 sp->lcp.mru = sp->lcp.their_mru = PP_MTU; 2011 2012 /* 2013 * Initialize counters and timeout values. Note that we don't 2014 * use the 3 seconds suggested in RFC 1661 since we are likely 2015 * running on a fast link. XXX We should probably implement 2016 * the exponential backoff option. Note that these values are 2017 * relevant for all control protocols, not just LCP only. 2018 */ 2019 sp->lcp.timeout = 1 * hz; 2020 sp->lcp.max_terminate = 2; 2021 sp->lcp.max_configure = 10; 2022 sp->lcp.max_failure = 10; 2023 callout_init(&sp->ch[IDX_LCP]); 2024 } 2025 2026 static void 2027 sppp_lcp_up(struct sppp *sp) 2028 { 2029 STDDCL; 2030 2031 /* Initialize activity timestamp: opening a connection is an activity */ 2032 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 2033 2034 /* 2035 * If this interface is passive or dial-on-demand, and we are 2036 * still in Initial state, it means we've got an incoming 2037 * call. Activate the interface. 2038 */ 2039 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2040 if (debug) 2041 log(LOG_DEBUG, 2042 "%s: Up event", ifp->if_xname); 2043 ifp->if_flags |= IFF_RUNNING; 2044 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2045 if (debug) 2046 addlog("(incoming call)\n"); 2047 sp->pp_flags |= PP_CALLIN; 2048 lcp.Open(sp); 2049 } else if (debug) 2050 addlog("\n"); 2051 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2052 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2053 ifp->if_flags |= IFF_RUNNING; 2054 lcp.Open(sp); 2055 } 2056 2057 sppp_up_event(&lcp, sp); 2058 } 2059 2060 static void 2061 sppp_lcp_down(struct sppp *sp) 2062 { 2063 STDDCL; 2064 2065 sppp_down_event(&lcp, sp); 2066 2067 /* 2068 * If this is neither a dial-on-demand nor a passive 2069 * interface, simulate an ``ifconfig down'' action, so the 2070 * administrator can force a redial by another ``ifconfig 2071 * up''. XXX For leased line operation, should we immediately 2072 * try to reopen the connection here? 2073 */ 2074 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2075 if (debug) 2076 log(LOG_INFO, 2077 "%s: Down event (carrier loss), taking interface down.\n", 2078 ifp->if_xname); 2079 if_down(ifp); 2080 } else { 2081 if (debug) 2082 log(LOG_DEBUG, 2083 "%s: Down event (carrier loss)\n", 2084 ifp->if_xname); 2085 } 2086 sp->pp_flags &= ~PP_CALLIN; 2087 if (sp->state[IDX_LCP] != STATE_INITIAL) 2088 lcp.Close(sp); 2089 ifp->if_flags &= ~IFF_RUNNING; 2090 } 2091 2092 static void 2093 sppp_lcp_open(struct sppp *sp) 2094 { 2095 /* 2096 * If we are authenticator, negotiate LCP_AUTH 2097 */ 2098 if (sp->hisauth.proto != 0) 2099 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2100 else 2101 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2102 sp->pp_flags &= ~PP_NEEDAUTH; 2103 sppp_open_event(&lcp, sp); 2104 } 2105 2106 static void 2107 sppp_lcp_close(struct sppp *sp) 2108 { 2109 sppp_close_event(&lcp, sp); 2110 } 2111 2112 static void 2113 sppp_lcp_TO(void *cookie) 2114 { 2115 sppp_to_event(&lcp, (struct sppp *)cookie); 2116 } 2117 2118 /* 2119 * Analyze a configure request. Return true if it was agreeable, and 2120 * caused action sca, false if it has been rejected or nak'ed, and 2121 * caused action scn. (The return value is used to make the state 2122 * transition decision in the state automaton.) 2123 */ 2124 static int 2125 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2126 { 2127 STDDCL; 2128 u_char *buf, *r, *p; 2129 int origlen, rlen; 2130 u_int32_t nmagic; 2131 u_short authproto; 2132 2133 len -= 4; 2134 origlen = len; 2135 buf = r = malloc (len, M_TEMP, M_NOWAIT); 2136 if (! buf) 2137 return (0); 2138 2139 if (debug) 2140 log(LOG_DEBUG, "%s: lcp parse opts:", 2141 ifp->if_xname); 2142 2143 /* pass 1: check for things that need to be rejected */ 2144 p = (void *)(h + 1); 2145 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2146 /* Sanity check option length */ 2147 if (p[1] > len) { 2148 /* 2149 * Malicious option - drop immediately. 2150 * XXX Maybe we should just RXJ it? 2151 */ 2152 addlog("%s: received malicious LCP option 0x%02x, " 2153 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2154 p[0], p[1], len); 2155 goto drop; 2156 } 2157 if (debug) 2158 addlog(" %s", sppp_lcp_opt_name(*p)); 2159 switch (*p) { 2160 case LCP_OPT_MAGIC: 2161 /* Magic number. */ 2162 /* fall through, both are same length */ 2163 case LCP_OPT_ASYNC_MAP: 2164 /* Async control character map. */ 2165 if (len >= 6 || p[1] == 6) 2166 continue; 2167 if (debug) 2168 addlog(" [invalid]"); 2169 break; 2170 case LCP_OPT_MRU: 2171 /* Maximum receive unit. */ 2172 if (len >= 4 && p[1] == 4) 2173 continue; 2174 if (debug) 2175 addlog(" [invalid]"); 2176 break; 2177 case LCP_OPT_AUTH_PROTO: 2178 if (len < 4) { 2179 if (debug) 2180 addlog(" [invalid]"); 2181 break; 2182 } 2183 authproto = (p[2] << 8) + p[3]; 2184 if (authproto == PPP_CHAP && p[1] != 5) { 2185 if (debug) 2186 addlog(" [invalid chap len]"); 2187 break; 2188 } 2189 if (sp->myauth.proto == 0) { 2190 /* we are not configured to do auth */ 2191 if (debug) 2192 addlog(" [not configured]"); 2193 break; 2194 } 2195 /* 2196 * Remote want us to authenticate, remember this, 2197 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2198 * up. 2199 */ 2200 sp->pp_flags |= PP_NEEDAUTH; 2201 continue; 2202 default: 2203 /* Others not supported. */ 2204 if (debug) 2205 addlog(" [rej]"); 2206 break; 2207 } 2208 /* Add the option to rejected list. */ 2209 bcopy (p, r, p[1]); 2210 r += p[1]; 2211 rlen += p[1]; 2212 } 2213 if (rlen) { 2214 if (debug) 2215 addlog(" send conf-rej\n"); 2216 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2217 goto end; 2218 } else if (debug) 2219 addlog("\n"); 2220 2221 /* 2222 * pass 2: check for option values that are unacceptable and 2223 * thus require to be nak'ed. 2224 */ 2225 if (debug) 2226 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2227 ifp->if_xname); 2228 2229 p = (void *)(h + 1); 2230 len = origlen; 2231 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2232 if (debug) 2233 addlog(" %s", sppp_lcp_opt_name(*p)); 2234 switch (*p) { 2235 case LCP_OPT_MAGIC: 2236 /* Magic number -- extract. */ 2237 nmagic = (u_int32_t)p[2] << 24 | 2238 (u_int32_t)p[3] << 16 | p[4] << 8 | p[5]; 2239 if (nmagic != sp->lcp.magic) { 2240 if (debug) 2241 addlog(" 0x%x", nmagic); 2242 continue; 2243 } 2244 /* 2245 * Local and remote magics equal -- loopback? 2246 */ 2247 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2248 printf ("%s: loopback\n", 2249 ifp->if_xname); 2250 sp->pp_loopcnt = 0; 2251 if (ifp->if_flags & IFF_UP) { 2252 if_down(ifp); 2253 IF_PURGE(&sp->pp_cpq); 2254 /* XXX ? */ 2255 lcp.Down(sp); 2256 lcp.Up(sp); 2257 } 2258 } else if (debug) 2259 addlog(" [glitch]"); 2260 ++sp->pp_loopcnt; 2261 /* 2262 * We negate our magic here, and NAK it. If 2263 * we see it later in an NAK packet, we 2264 * suggest a new one. 2265 */ 2266 nmagic = ~sp->lcp.magic; 2267 /* Gonna NAK it. */ 2268 p[2] = nmagic >> 24; 2269 p[3] = nmagic >> 16; 2270 p[4] = nmagic >> 8; 2271 p[5] = nmagic; 2272 break; 2273 2274 case LCP_OPT_ASYNC_MAP: 2275 /* 2276 * Async control character map -- just ignore it. 2277 * 2278 * Quote from RFC 1662, chapter 6: 2279 * To enable this functionality, synchronous PPP 2280 * implementations MUST always respond to the 2281 * Async-Control-Character-Map Configuration 2282 * Option with the LCP Configure-Ack. However, 2283 * acceptance of the Configuration Option does 2284 * not imply that the synchronous implementation 2285 * will do any ACCM mapping. Instead, all such 2286 * octet mapping will be performed by the 2287 * asynchronous-to-synchronous converter. 2288 */ 2289 continue; 2290 2291 case LCP_OPT_MRU: 2292 /* 2293 * Maximum receive unit. Always agreeable, 2294 * but ignored by now. 2295 */ 2296 sp->lcp.their_mru = p[2] * 256 + p[3]; 2297 if (debug) 2298 addlog(" %ld", sp->lcp.their_mru); 2299 continue; 2300 2301 case LCP_OPT_AUTH_PROTO: 2302 authproto = (p[2] << 8) + p[3]; 2303 if (sp->myauth.proto != authproto) { 2304 /* not agreed, nak */ 2305 if (debug) 2306 addlog(" [mine %s != his %s]", 2307 sppp_proto_name(sp->myauth.proto), 2308 sppp_proto_name(authproto)); 2309 p[2] = sp->myauth.proto >> 8; 2310 p[3] = sp->myauth.proto; 2311 break; 2312 } 2313 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2314 if (debug) 2315 addlog(" [chap not MD5]"); 2316 p[4] = CHAP_MD5; 2317 break; 2318 } 2319 continue; 2320 } 2321 /* Add the option to nak'ed list. */ 2322 bcopy (p, r, p[1]); 2323 r += p[1]; 2324 rlen += p[1]; 2325 } 2326 if (rlen) { 2327 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2328 if (debug) 2329 addlog(" max_failure (%d) exceeded, " 2330 "send conf-rej\n", 2331 sp->lcp.max_failure); 2332 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2333 } else { 2334 if (debug) 2335 addlog(" send conf-nak\n"); 2336 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2337 } 2338 goto end; 2339 } else { 2340 if (debug) 2341 addlog(" send conf-ack\n"); 2342 sp->fail_counter[IDX_LCP] = 0; 2343 sp->pp_loopcnt = 0; 2344 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1); 2345 } 2346 2347 end: 2348 free(buf, M_TEMP); 2349 return (rlen == 0); 2350 2351 drop: 2352 free(buf, M_TEMP); 2353 return -1; 2354 } 2355 2356 /* 2357 * Analyze the LCP Configure-Reject option list, and adjust our 2358 * negotiation. 2359 */ 2360 static void 2361 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2362 { 2363 STDDCL; 2364 u_char *buf, *p; 2365 2366 len -= 4; 2367 buf = malloc (len, M_TEMP, M_NOWAIT); 2368 if (!buf) 2369 return; 2370 2371 if (debug) 2372 log(LOG_DEBUG, "%s: lcp rej opts:", 2373 ifp->if_xname); 2374 2375 p = (void *)(h + 1); 2376 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2377 /* Sanity check option length */ 2378 if (p[1] > len) { 2379 /* 2380 * Malicious option - drop immediately. 2381 * XXX Maybe we should just RXJ it? 2382 */ 2383 addlog("%s: received malicious LCP option, " 2384 "dropping.\n", ifp->if_xname); 2385 goto drop; 2386 } 2387 if (debug) 2388 addlog(" %s", sppp_lcp_opt_name(*p)); 2389 switch (*p) { 2390 case LCP_OPT_MAGIC: 2391 /* Magic number -- can't use it, use 0 */ 2392 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2393 sp->lcp.magic = 0; 2394 break; 2395 case LCP_OPT_MRU: 2396 /* 2397 * Should not be rejected anyway, since we only 2398 * negotiate a MRU if explicitly requested by 2399 * peer. 2400 */ 2401 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2402 break; 2403 case LCP_OPT_AUTH_PROTO: 2404 /* 2405 * Peer doesn't want to authenticate himself, 2406 * deny unless this is a dialout call, and 2407 * SPPP_AUTHFLAG_NOCALLOUT is set. 2408 */ 2409 if ((sp->pp_flags & PP_CALLIN) == 0 && 2410 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 2411 if (debug) 2412 addlog(" [don't insist on auth " 2413 "for callout]"); 2414 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2415 break; 2416 } 2417 if (debug) 2418 addlog("[access denied]\n"); 2419 lcp.Close(sp); 2420 break; 2421 } 2422 } 2423 if (debug) 2424 addlog("\n"); 2425 drop: 2426 free(buf, M_TEMP); 2427 return; 2428 } 2429 2430 /* 2431 * Analyze the LCP Configure-NAK option list, and adjust our 2432 * negotiation. 2433 */ 2434 static void 2435 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2436 { 2437 STDDCL; 2438 u_char *buf, *p; 2439 u_int32_t magic; 2440 2441 len -= 4; 2442 buf = malloc (len, M_TEMP, M_NOWAIT); 2443 if (!buf) 2444 return; 2445 2446 if (debug) 2447 log(LOG_DEBUG, "%s: lcp nak opts:", 2448 ifp->if_xname); 2449 2450 p = (void *)(h + 1); 2451 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2452 /* Sanity check option length */ 2453 if (p[1] > len) { 2454 /* 2455 * Malicious option - drop immediately. 2456 * XXX Maybe we should just RXJ it? 2457 */ 2458 addlog("%s: received malicious LCP option, " 2459 "dropping.\n", ifp->if_xname); 2460 goto drop; 2461 } 2462 if (debug) 2463 addlog(" %s", sppp_lcp_opt_name(*p)); 2464 switch (*p) { 2465 case LCP_OPT_MAGIC: 2466 /* Magic number -- renegotiate */ 2467 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2468 len >= 6 && p[1] == 6) { 2469 magic = (u_int32_t)p[2] << 24 | 2470 (u_int32_t)p[3] << 16 | p[4] << 8 | p[5]; 2471 /* 2472 * If the remote magic is our negated one, 2473 * this looks like a loopback problem. 2474 * Suggest a new magic to make sure. 2475 */ 2476 if (magic == ~sp->lcp.magic) { 2477 if (debug) 2478 addlog(" magic glitch"); 2479 sp->lcp.magic = arc4random(); 2480 } else { 2481 sp->lcp.magic = magic; 2482 if (debug) 2483 addlog(" %d", magic); 2484 } 2485 } 2486 break; 2487 case LCP_OPT_MRU: 2488 /* 2489 * Peer wants to advise us to negotiate an MRU. 2490 * Agree on it if it's reasonable, or use 2491 * default otherwise. 2492 */ 2493 if (len >= 4 && p[1] == 4) { 2494 u_int mru = p[2] * 256 + p[3]; 2495 if (debug) 2496 addlog(" %d", mru); 2497 if (mru < PP_MTU || mru > PP_MAX_MRU) 2498 mru = PP_MTU; 2499 sp->lcp.mru = mru; 2500 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2501 } 2502 break; 2503 case LCP_OPT_AUTH_PROTO: 2504 /* 2505 * Peer doesn't like our authentication method, 2506 * deny. 2507 */ 2508 if (debug) 2509 addlog("[access denied]\n"); 2510 lcp.Close(sp); 2511 break; 2512 } 2513 } 2514 if (debug) 2515 addlog("\n"); 2516 drop: 2517 free(buf, M_TEMP); 2518 return; 2519 } 2520 2521 static void 2522 sppp_lcp_tlu(struct sppp *sp) 2523 { 2524 STDDCL; 2525 int i; 2526 u_int32_t mask; 2527 2528 /* XXX ? */ 2529 if (! (ifp->if_flags & IFF_UP) && 2530 (ifp->if_flags & IFF_RUNNING)) { 2531 /* Coming out of loopback mode. */ 2532 if_up(ifp); 2533 } 2534 2535 for (i = 0; i < IDX_COUNT; i++) 2536 if ((cps[i])->flags & CP_QUAL) 2537 (cps[i])->Open(sp); 2538 2539 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2540 (sp->pp_flags & PP_NEEDAUTH) != 0) 2541 sp->pp_phase = SPPP_PHASE_AUTHENTICATE; 2542 else 2543 sp->pp_phase = SPPP_PHASE_NETWORK; 2544 2545 if (debug) 2546 { 2547 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2548 sppp_phase_name(sp->pp_phase)); 2549 } 2550 2551 /* 2552 * Open all authentication protocols. This is even required 2553 * if we already proceeded to network phase, since it might be 2554 * that remote wants us to authenticate, so we might have to 2555 * send a PAP request. Undesired authentication protocols 2556 * don't do anything when they get an Open event. 2557 */ 2558 for (i = 0; i < IDX_COUNT; i++) 2559 if ((cps[i])->flags & CP_AUTH) 2560 (cps[i])->Open(sp); 2561 2562 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 2563 /* Notify all NCPs. */ 2564 for (i = 0; i < IDX_COUNT; i++) 2565 if ((cps[i])->flags & CP_NCP) 2566 (cps[i])->Open(sp); 2567 } 2568 2569 /* Send Up events to all started protos. */ 2570 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2571 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) 2572 (cps[i])->Up(sp); 2573 2574 /* notify low-level driver of state change */ 2575 if (sp->pp_chg) 2576 sp->pp_chg(sp, (int)sp->pp_phase); 2577 2578 if (sp->pp_phase == SPPP_PHASE_NETWORK) 2579 /* if no NCP is starting, close down */ 2580 sppp_lcp_check_and_close(sp); 2581 } 2582 2583 static void 2584 sppp_lcp_tld(struct sppp *sp) 2585 { 2586 STDDCL; 2587 int i; 2588 u_int32_t mask; 2589 2590 sp->pp_phase = SPPP_PHASE_TERMINATE; 2591 2592 if (debug) 2593 { 2594 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2595 sppp_phase_name(sp->pp_phase)); 2596 } 2597 2598 /* 2599 * Take upper layers down. We send the Down event first and 2600 * the Close second to prevent the upper layers from sending 2601 * ``a flurry of terminate-request packets'', as the RFC 2602 * describes it. 2603 */ 2604 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2605 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2606 (cps[i])->Down(sp); 2607 (cps[i])->Close(sp); 2608 } 2609 } 2610 2611 static void 2612 sppp_lcp_tls(struct sppp *sp) 2613 { 2614 STDDCL; 2615 2616 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 2617 printf("%s: authentication failed %d times, not retrying again\n", 2618 sp->pp_if.if_xname, sp->pp_auth_failures); 2619 if_down(&sp->pp_if); 2620 return; 2621 } 2622 2623 sp->pp_phase = SPPP_PHASE_ESTABLISH; 2624 2625 if (debug) 2626 { 2627 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2628 sppp_phase_name(sp->pp_phase)); 2629 } 2630 2631 /* Notify lower layer if desired. */ 2632 if (sp->pp_tls) 2633 (sp->pp_tls)(sp); 2634 } 2635 2636 static void 2637 sppp_lcp_tlf(struct sppp *sp) 2638 { 2639 STDDCL; 2640 2641 sp->pp_phase = SPPP_PHASE_DEAD; 2642 2643 if (debug) 2644 { 2645 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2646 sppp_phase_name(sp->pp_phase)); 2647 } 2648 2649 /* Notify lower layer if desired. */ 2650 if (sp->pp_tlf) 2651 (sp->pp_tlf)(sp); 2652 } 2653 2654 static void 2655 sppp_lcp_scr(struct sppp *sp) 2656 { 2657 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2658 int i = 0; 2659 u_short authproto; 2660 2661 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2662 if (! sp->lcp.magic) 2663 sp->lcp.magic = arc4random(); 2664 opt[i++] = LCP_OPT_MAGIC; 2665 opt[i++] = 6; 2666 opt[i++] = sp->lcp.magic >> 24; 2667 opt[i++] = sp->lcp.magic >> 16; 2668 opt[i++] = sp->lcp.magic >> 8; 2669 opt[i++] = sp->lcp.magic; 2670 } 2671 2672 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2673 opt[i++] = LCP_OPT_MRU; 2674 opt[i++] = 4; 2675 opt[i++] = sp->lcp.mru >> 8; 2676 opt[i++] = sp->lcp.mru; 2677 } 2678 2679 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2680 authproto = sp->hisauth.proto; 2681 opt[i++] = LCP_OPT_AUTH_PROTO; 2682 opt[i++] = authproto == PPP_CHAP? 5: 4; 2683 opt[i++] = authproto >> 8; 2684 opt[i++] = authproto; 2685 if (authproto == PPP_CHAP) 2686 opt[i++] = CHAP_MD5; 2687 } 2688 2689 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2690 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2691 } 2692 2693 /* 2694 * Check the open NCPs, return true if at least one NCP is open. 2695 */ 2696 static int 2697 sppp_ncp_check(struct sppp *sp) 2698 { 2699 int i, mask; 2700 2701 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2702 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2703 return 1; 2704 return 0; 2705 } 2706 2707 /* 2708 * Re-check the open NCPs and see if we should terminate the link. 2709 * Called by the NCPs during their tlf action handling. 2710 */ 2711 static void 2712 sppp_lcp_check_and_close(struct sppp *sp) 2713 { 2714 2715 if (sp->pp_phase < SPPP_PHASE_NETWORK) 2716 /* don't bother, we are already going down */ 2717 return; 2718 2719 if (sppp_ncp_check(sp)) 2720 return; 2721 2722 lcp.Close(sp); 2723 } 2724 2725 2726 /* 2727 *--------------------------------------------------------------------------* 2728 * * 2729 * The IPCP implementation. * 2730 * * 2731 *--------------------------------------------------------------------------* 2732 */ 2733 2734 static void 2735 sppp_ipcp_init(struct sppp *sp) 2736 { 2737 sp->ipcp.opts = 0; 2738 sp->ipcp.flags = 0; 2739 sp->state[IDX_IPCP] = STATE_INITIAL; 2740 sp->fail_counter[IDX_IPCP] = 0; 2741 sp->pp_seq[IDX_IPCP] = 0; 2742 sp->pp_rseq[IDX_IPCP] = 0; 2743 callout_init(&sp->ch[IDX_IPCP]); 2744 } 2745 2746 static void 2747 sppp_ipcp_up(struct sppp *sp) 2748 { 2749 sppp_up_event(&ipcp, sp); 2750 } 2751 2752 static void 2753 sppp_ipcp_down(struct sppp *sp) 2754 { 2755 sppp_down_event(&ipcp, sp); 2756 } 2757 2758 static void 2759 sppp_ipcp_open(struct sppp *sp) 2760 { 2761 STDDCL; 2762 u_int32_t myaddr, hisaddr; 2763 2764 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 2765 sp->ipcp.req_myaddr = 0; 2766 sp->ipcp.req_hisaddr = 0; 2767 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 2768 2769 #ifdef INET 2770 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 2771 #else 2772 myaddr = hisaddr = 0; 2773 #endif 2774 /* 2775 * If we don't have his address, this probably means our 2776 * interface doesn't want to talk IP at all. (This could 2777 * be the case if somebody wants to speak only IPX, for 2778 * example.) Don't open IPCP in this case. 2779 */ 2780 if (hisaddr == 0) { 2781 /* XXX this message should go away */ 2782 if (debug) 2783 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 2784 ifp->if_xname); 2785 return; 2786 } 2787 2788 if (myaddr == 0) { 2789 /* 2790 * I don't have an assigned address, so i need to 2791 * negotiate my address. 2792 */ 2793 sp->ipcp.flags |= IPCP_MYADDR_DYN; 2794 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 2795 } 2796 if (hisaddr == 1) { 2797 /* 2798 * XXX - remove this hack! 2799 * remote has no valid address, we need to get one assigned. 2800 */ 2801 sp->ipcp.flags |= IPCP_HISADDR_DYN; 2802 } 2803 sppp_open_event(&ipcp, sp); 2804 } 2805 2806 static void 2807 sppp_ipcp_close(struct sppp *sp) 2808 { 2809 STDDCL; 2810 2811 sppp_close_event(&ipcp, sp); 2812 #ifdef INET 2813 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) 2814 /* 2815 * Some address was dynamic, clear it again. 2816 */ 2817 sppp_clear_ip_addrs(sp); 2818 #endif 2819 2820 if (sp->pp_saved_mtu > 0) { 2821 ifp->if_mtu = sp->pp_saved_mtu; 2822 sp->pp_saved_mtu = 0; 2823 if (debug) 2824 log(LOG_DEBUG, 2825 "%s: resetting MTU to %" PRIu64 " bytes\n", 2826 ifp->if_xname, ifp->if_mtu); 2827 } 2828 } 2829 2830 static void 2831 sppp_ipcp_TO(void *cookie) 2832 { 2833 sppp_to_event(&ipcp, (struct sppp *)cookie); 2834 } 2835 2836 /* 2837 * Analyze a configure request. Return true if it was agreeable, and 2838 * caused action sca, false if it has been rejected or nak'ed, and 2839 * caused action scn. (The return value is used to make the state 2840 * transition decision in the state automaton.) 2841 */ 2842 static int 2843 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2844 { 2845 u_char *buf, *r, *p; 2846 struct ifnet *ifp = &sp->pp_if; 2847 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 2848 u_int32_t hisaddr, desiredaddr; 2849 2850 len -= 4; 2851 origlen = len; 2852 /* 2853 * Make sure to allocate a buf that can at least hold a 2854 * conf-nak with an `address' option. We might need it below. 2855 */ 2856 buf = r = malloc ((len < 6? 6: len), M_TEMP, M_NOWAIT); 2857 if (! buf) 2858 return (0); 2859 2860 /* pass 1: see if we can recognize them */ 2861 if (debug) 2862 log(LOG_DEBUG, "%s: ipcp parse opts:", 2863 ifp->if_xname); 2864 p = (void *)(h + 1); 2865 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2866 /* Sanity check option length */ 2867 if (p[1] > len) { 2868 /* XXX should we just RXJ? */ 2869 addlog("%s: malicious IPCP option received, dropping\n", 2870 ifp->if_xname); 2871 goto drop; 2872 } 2873 if (debug) 2874 addlog(" %s", sppp_ipcp_opt_name(*p)); 2875 switch (*p) { 2876 #ifdef notyet 2877 case IPCP_OPT_COMPRESSION: 2878 if (len >= 6 && p[1] >= 6) { 2879 /* correctly formed compress option */ 2880 continue; 2881 } 2882 if (debug) 2883 addlog(" [invalid]"); 2884 break; 2885 #endif 2886 case IPCP_OPT_ADDRESS: 2887 if (len >= 6 && p[1] == 6) { 2888 /* correctly formed address option */ 2889 continue; 2890 } 2891 if (debug) 2892 addlog(" [invalid]"); 2893 break; 2894 default: 2895 /* Others not supported. */ 2896 if (debug) 2897 addlog(" [rej]"); 2898 break; 2899 } 2900 /* Add the option to rejected list. */ 2901 bcopy (p, r, p[1]); 2902 r += p[1]; 2903 rlen += p[1]; 2904 } 2905 if (rlen) { 2906 if (debug) 2907 addlog(" send conf-rej\n"); 2908 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 2909 goto end; 2910 } else if (debug) 2911 addlog("\n"); 2912 2913 /* pass 2: parse option values */ 2914 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 2915 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 2916 else 2917 #ifdef INET 2918 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 2919 #else 2920 hisaddr = 0; 2921 #endif 2922 if (debug) 2923 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 2924 ifp->if_xname); 2925 p = (void *)(h + 1); 2926 len = origlen; 2927 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2928 if (debug) 2929 addlog(" %s", sppp_ipcp_opt_name(*p)); 2930 switch (*p) { 2931 #ifdef notyet 2932 case IPCP_OPT_COMPRESSION: 2933 continue; 2934 #endif 2935 case IPCP_OPT_ADDRESS: 2936 desiredaddr = p[2] << 24 | p[3] << 16 | 2937 p[4] << 8 | p[5]; 2938 if (desiredaddr == hisaddr || 2939 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 2940 /* 2941 * Peer's address is same as our value, 2942 * this is agreeable. Gonna conf-ack 2943 * it. 2944 */ 2945 if (debug) 2946 addlog(" %s [ack]", 2947 sppp_dotted_quad(hisaddr)); 2948 /* record that we've seen it already */ 2949 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 2950 sp->ipcp.req_hisaddr = desiredaddr; 2951 hisaddr = desiredaddr; 2952 continue; 2953 } 2954 /* 2955 * The address wasn't agreeable. This is either 2956 * he sent us 0.0.0.0, asking to assign him an 2957 * address, or he send us another address not 2958 * matching our value. Either case, we gonna 2959 * conf-nak it with our value. 2960 */ 2961 if (debug) { 2962 if (desiredaddr == 0) 2963 addlog(" [addr requested]"); 2964 else 2965 addlog(" %s [not agreed]", 2966 sppp_dotted_quad(desiredaddr)); 2967 } 2968 2969 p[2] = hisaddr >> 24; 2970 p[3] = hisaddr >> 16; 2971 p[4] = hisaddr >> 8; 2972 p[5] = hisaddr; 2973 break; 2974 } 2975 /* Add the option to nak'ed list. */ 2976 bcopy (p, r, p[1]); 2977 r += p[1]; 2978 rlen += p[1]; 2979 } 2980 2981 /* 2982 * If we are about to conf-ack the request, but haven't seen 2983 * his address so far, gonna conf-nak it instead, with the 2984 * `address' option present and our idea of his address being 2985 * filled in there, to request negotiation of both addresses. 2986 * 2987 * XXX This can result in an endless req - nak loop if peer 2988 * doesn't want to send us his address. Q: What should we do 2989 * about it? XXX A: implement the max-failure counter. 2990 */ 2991 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) { 2992 buf[0] = IPCP_OPT_ADDRESS; 2993 buf[1] = 6; 2994 buf[2] = hisaddr >> 24; 2995 buf[3] = hisaddr >> 16; 2996 buf[4] = hisaddr >> 8; 2997 buf[5] = hisaddr; 2998 rlen = 6; 2999 if (debug) 3000 addlog(" still need hisaddr"); 3001 } 3002 3003 if (rlen) { 3004 if (debug) 3005 addlog(" send conf-nak\n"); 3006 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3007 } else { 3008 if (debug) 3009 addlog(" send conf-ack\n"); 3010 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1); 3011 } 3012 3013 end: 3014 free(buf, M_TEMP); 3015 return (rlen == 0); 3016 3017 drop: 3018 free(buf, M_TEMP); 3019 return -1; 3020 } 3021 3022 /* 3023 * Analyze the IPCP Configure-Reject option list, and adjust our 3024 * negotiation. 3025 */ 3026 static void 3027 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3028 { 3029 u_char *buf, *p; 3030 struct ifnet *ifp = &sp->pp_if; 3031 int debug = ifp->if_flags & IFF_DEBUG; 3032 3033 len -= 4; 3034 buf = malloc (len, M_TEMP, M_NOWAIT); 3035 if (!buf) 3036 return; 3037 3038 if (debug) 3039 log(LOG_DEBUG, "%s: ipcp rej opts:", 3040 ifp->if_xname); 3041 3042 p = (void *)(h + 1); 3043 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3044 /* Sanity check option length */ 3045 if (p[1] > len) { 3046 /* XXX should we just RXJ? */ 3047 addlog("%s: malicious IPCP option received, dropping\n", 3048 ifp->if_xname); 3049 goto drop; 3050 } 3051 if (debug) 3052 addlog(" %s", sppp_ipcp_opt_name(*p)); 3053 switch (*p) { 3054 case IPCP_OPT_ADDRESS: 3055 /* 3056 * Peer doesn't grok address option. This is 3057 * bad. XXX Should we better give up here? 3058 */ 3059 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3060 break; 3061 #ifdef notyet 3062 case IPCP_OPT_COMPRESS: 3063 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS); 3064 break; 3065 #endif 3066 } 3067 } 3068 if (debug) 3069 addlog("\n"); 3070 drop: 3071 free(buf, M_TEMP); 3072 return; 3073 } 3074 3075 /* 3076 * Analyze the IPCP Configure-NAK option list, and adjust our 3077 * negotiation. 3078 */ 3079 static void 3080 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3081 { 3082 u_char *p; 3083 struct ifnet *ifp = &sp->pp_if; 3084 int debug = ifp->if_flags & IFF_DEBUG; 3085 u_int32_t wantaddr; 3086 3087 len -= 4; 3088 3089 if (debug) 3090 log(LOG_DEBUG, "%s: ipcp nak opts:", 3091 ifp->if_xname); 3092 3093 p = (void *)(h + 1); 3094 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3095 /* Sanity check option length */ 3096 if (p[1] > len) { 3097 /* XXX should we just RXJ? */ 3098 addlog("%s: malicious IPCP option received, dropping\n", 3099 ifp->if_xname); 3100 return; 3101 } 3102 if (debug) 3103 addlog(" %s", sppp_ipcp_opt_name(*p)); 3104 switch (*p) { 3105 case IPCP_OPT_ADDRESS: 3106 /* 3107 * Peer doesn't like our local IP address. See 3108 * if we can do something for him. We'll drop 3109 * him our address then. 3110 */ 3111 if (len >= 6 && p[1] == 6) { 3112 wantaddr = p[2] << 24 | p[3] << 16 | 3113 p[4] << 8 | p[5]; 3114 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3115 if (debug) 3116 addlog(" [wantaddr %s]", 3117 sppp_dotted_quad(wantaddr)); 3118 /* 3119 * When doing dynamic address assignment, 3120 * we accept his offer. Otherwise, we 3121 * ignore it and thus continue to negotiate 3122 * our already existing value. 3123 */ 3124 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3125 if (debug) 3126 addlog(" [agree]"); 3127 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3128 sp->ipcp.req_myaddr = wantaddr; 3129 } 3130 } 3131 break; 3132 3133 case IPCP_OPT_PRIMDNS: 3134 if (len >= 6 && p[1] == 6) { 3135 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 3136 p[4] << 8 | p[5]; 3137 } 3138 break; 3139 3140 case IPCP_OPT_SECDNS: 3141 if (len >= 6 && p[1] == 6) { 3142 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 3143 p[4] << 8 | p[5]; 3144 } 3145 break; 3146 #ifdef notyet 3147 case IPCP_OPT_COMPRESS: 3148 /* 3149 * Peer wants different compression parameters. 3150 */ 3151 break; 3152 #endif 3153 } 3154 } 3155 if (debug) 3156 addlog("\n"); 3157 } 3158 3159 static void 3160 sppp_ipcp_tlu(struct sppp *sp) 3161 { 3162 #ifdef INET 3163 /* we are up. Set addresses and notify anyone interested */ 3164 STDDCL; 3165 u_int32_t myaddr, hisaddr; 3166 3167 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3168 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 3169 myaddr = sp->ipcp.req_myaddr; 3170 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 3171 hisaddr = sp->ipcp.req_hisaddr; 3172 sppp_set_ip_addrs(sp, myaddr, hisaddr); 3173 3174 if (ifp->if_mtu > sp->lcp.their_mru) { 3175 sp->pp_saved_mtu = ifp->if_mtu; 3176 ifp->if_mtu = sp->lcp.their_mru; 3177 if (debug) 3178 log(LOG_DEBUG, 3179 "%s: setting MTU to %" PRIu64 " bytes\n", 3180 ifp->if_xname, ifp->if_mtu); 3181 } 3182 3183 if (sp->pp_con) 3184 sp->pp_con(sp); 3185 #endif 3186 } 3187 3188 static void 3189 sppp_ipcp_tld(struct sppp *sp) 3190 { 3191 } 3192 3193 static void 3194 sppp_ipcp_tls(struct sppp *sp) 3195 { 3196 /* indicate to LCP that it must stay alive */ 3197 sp->lcp.protos |= (1 << IDX_IPCP); 3198 } 3199 3200 static void 3201 sppp_ipcp_tlf(struct sppp *sp) 3202 { 3203 /* we no longer need LCP */ 3204 sp->lcp.protos &= ~(1 << IDX_IPCP); 3205 } 3206 3207 static void 3208 sppp_ipcp_scr(struct sppp *sp) 3209 { 3210 char opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 3211 #ifdef INET 3212 u_int32_t ouraddr; 3213 #endif 3214 int i = 0; 3215 3216 #ifdef notyet 3217 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3218 opt[i++] = IPCP_OPT_COMPRESSION; 3219 opt[i++] = 6; 3220 opt[i++] = 0; /* VJ header compression */ 3221 opt[i++] = 0x2d; /* VJ header compression */ 3222 opt[i++] = max_slot_id; 3223 opt[i++] = comp_slot_id; 3224 } 3225 #endif 3226 3227 #ifdef INET 3228 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3229 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) 3230 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 3231 else 3232 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3233 opt[i++] = IPCP_OPT_ADDRESS; 3234 opt[i++] = 6; 3235 opt[i++] = ouraddr >> 24; 3236 opt[i++] = ouraddr >> 16; 3237 opt[i++] = ouraddr >> 8; 3238 opt[i++] = ouraddr; 3239 } 3240 #endif 3241 3242 if (sp->query_dns & 1) { 3243 opt[i++] = IPCP_OPT_PRIMDNS; 3244 opt[i++] = 6; 3245 opt[i++] = sp->dns_addrs[0] >> 24; 3246 opt[i++] = sp->dns_addrs[0] >> 16; 3247 opt[i++] = sp->dns_addrs[0] >> 8; 3248 opt[i++] = sp->dns_addrs[0]; 3249 } 3250 if (sp->query_dns & 2) { 3251 opt[i++] = IPCP_OPT_SECDNS; 3252 opt[i++] = 6; 3253 opt[i++] = sp->dns_addrs[1] >> 24; 3254 opt[i++] = sp->dns_addrs[1] >> 16; 3255 opt[i++] = sp->dns_addrs[1] >> 8; 3256 opt[i++] = sp->dns_addrs[1]; 3257 } 3258 3259 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3260 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3261 } 3262 3263 3264 /* 3265 *--------------------------------------------------------------------------* 3266 * * 3267 * The IPv6CP implementation. * 3268 * * 3269 *--------------------------------------------------------------------------* 3270 */ 3271 3272 #ifdef INET6 3273 static void 3274 sppp_ipv6cp_init(struct sppp *sp) 3275 { 3276 sp->ipv6cp.opts = 0; 3277 sp->ipv6cp.flags = 0; 3278 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3279 sp->fail_counter[IDX_IPV6CP] = 0; 3280 sp->pp_seq[IDX_IPV6CP] = 0; 3281 sp->pp_rseq[IDX_IPV6CP] = 0; 3282 callout_init(&sp->ch[IDX_IPV6CP]); 3283 } 3284 3285 static void 3286 sppp_ipv6cp_up(struct sppp *sp) 3287 { 3288 sppp_up_event(&ipv6cp, sp); 3289 } 3290 3291 static void 3292 sppp_ipv6cp_down(struct sppp *sp) 3293 { 3294 sppp_down_event(&ipv6cp, sp); 3295 } 3296 3297 static void 3298 sppp_ipv6cp_open(struct sppp *sp) 3299 { 3300 STDDCL; 3301 struct in6_addr myaddr, hisaddr; 3302 3303 #ifdef IPV6CP_MYIFID_DYN 3304 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3305 #else 3306 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3307 #endif 3308 3309 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3310 /* 3311 * If we don't have our address, this probably means our 3312 * interface doesn't want to talk IPv6 at all. (This could 3313 * be the case if somebody wants to speak only IPX, for 3314 * example.) Don't open IPv6CP in this case. 3315 */ 3316 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3317 /* XXX this message should go away */ 3318 if (debug) 3319 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 3320 ifp->if_xname); 3321 return; 3322 } 3323 3324 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3325 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3326 sppp_open_event(&ipv6cp, sp); 3327 } 3328 3329 static void 3330 sppp_ipv6cp_close(struct sppp *sp) 3331 { 3332 sppp_close_event(&ipv6cp, sp); 3333 } 3334 3335 static void 3336 sppp_ipv6cp_TO(void *cookie) 3337 { 3338 sppp_to_event(&ipv6cp, (struct sppp *)cookie); 3339 } 3340 3341 /* 3342 * Analyze a configure request. Return true if it was agreeable, and 3343 * caused action sca, false if it has been rejected or nak'ed, and 3344 * caused action scn. (The return value is used to make the state 3345 * transition decision in the state automaton.) 3346 */ 3347 static int 3348 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3349 { 3350 u_char *buf, *r, *p; 3351 struct ifnet *ifp = &sp->pp_if; 3352 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3353 struct in6_addr myaddr, desiredaddr, suggestaddr; 3354 int ifidcount; 3355 int type; 3356 int collision, nohisaddr; 3357 3358 len -= 4; 3359 origlen = len; 3360 /* 3361 * Make sure to allocate a buf that can at least hold a 3362 * conf-nak with an `address' option. We might need it below. 3363 */ 3364 buf = r = malloc ((len < 6? 6: len), M_TEMP, M_NOWAIT); 3365 if (! buf) 3366 return (0); 3367 3368 /* pass 1: see if we can recognize them */ 3369 if (debug) 3370 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 3371 ifp->if_xname); 3372 p = (void *)(h + 1); 3373 ifidcount = 0; 3374 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3375 /* Sanity check option length */ 3376 if (p[1] > len) { 3377 /* XXX just RXJ? */ 3378 addlog("%s: received malicious IPCPv6 option, " 3379 "dropping\n", ifp->if_xname); 3380 goto drop; 3381 } 3382 if (debug) 3383 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3384 switch (*p) { 3385 case IPV6CP_OPT_IFID: 3386 if (len >= 10 && p[1] == 10 && ifidcount == 0) { 3387 /* correctly formed address option */ 3388 ifidcount++; 3389 continue; 3390 } 3391 if (debug) 3392 addlog(" [invalid]"); 3393 break; 3394 #ifdef notyet 3395 case IPV6CP_OPT_COMPRESSION: 3396 if (len >= 4 && p[1] >= 4) { 3397 /* correctly formed compress option */ 3398 continue; 3399 } 3400 if (debug) 3401 addlog(" [invalid]"); 3402 break; 3403 #endif 3404 default: 3405 /* Others not supported. */ 3406 if (debug) 3407 addlog(" [rej]"); 3408 break; 3409 } 3410 /* Add the option to rejected list. */ 3411 bcopy (p, r, p[1]); 3412 r += p[1]; 3413 rlen += p[1]; 3414 } 3415 if (rlen) { 3416 if (debug) 3417 addlog(" send conf-rej\n"); 3418 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3419 goto end; 3420 } else if (debug) 3421 addlog("\n"); 3422 3423 /* pass 2: parse option values */ 3424 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3425 if (debug) 3426 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 3427 ifp->if_xname); 3428 p = (void *)(h + 1); 3429 len = origlen; 3430 type = CONF_ACK; 3431 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3432 if (debug) 3433 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3434 switch (*p) { 3435 #ifdef notyet 3436 case IPV6CP_OPT_COMPRESSION: 3437 continue; 3438 #endif 3439 case IPV6CP_OPT_IFID: 3440 memset(&desiredaddr, 0, sizeof(desiredaddr)); 3441 bcopy(&p[2], &desiredaddr.s6_addr[8], 8); 3442 collision = (memcmp(&desiredaddr.s6_addr[8], 3443 &myaddr.s6_addr[8], 8) == 0); 3444 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3445 3446 desiredaddr.s6_addr16[0] = htons(0xfe80); 3447 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 3448 3449 if (!collision && !nohisaddr) { 3450 /* no collision, hisaddr known - Conf-Ack */ 3451 type = CONF_ACK; 3452 3453 if (debug) { 3454 addlog(" %s [%s]", 3455 ip6_sprintf(&desiredaddr), 3456 sppp_cp_type_name(type)); 3457 } 3458 continue; 3459 } 3460 3461 memset(&suggestaddr, 0, sizeof(&suggestaddr)); 3462 if (collision && nohisaddr) { 3463 /* collision, hisaddr unknown - Conf-Rej */ 3464 type = CONF_REJ; 3465 memset(&p[2], 0, 8); 3466 } else { 3467 /* 3468 * - no collision, hisaddr unknown, or 3469 * - collision, hisaddr known 3470 * Conf-Nak, suggest hisaddr 3471 */ 3472 type = CONF_NAK; 3473 sppp_suggest_ip6_addr(sp, &suggestaddr); 3474 bcopy(&suggestaddr.s6_addr[8], &p[2], 8); 3475 } 3476 if (debug) 3477 addlog(" %s [%s]", ip6_sprintf(&desiredaddr), 3478 sppp_cp_type_name(type)); 3479 break; 3480 } 3481 /* Add the option to nak'ed list. */ 3482 bcopy (p, r, p[1]); 3483 r += p[1]; 3484 rlen += p[1]; 3485 } 3486 3487 if (rlen == 0 && type == CONF_ACK) { 3488 if (debug) 3489 addlog(" send %s\n", sppp_cp_type_name(type)); 3490 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1); 3491 } else { 3492 #ifdef notdef 3493 if (type == CONF_ACK) 3494 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3495 #endif 3496 3497 if (debug) { 3498 addlog(" send %s suggest %s\n", 3499 sppp_cp_type_name(type), ip6_sprintf(&suggestaddr)); 3500 } 3501 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3502 } 3503 3504 end: 3505 free(buf, M_TEMP); 3506 return (rlen == 0); 3507 3508 drop: 3509 free(buf, M_TEMP); 3510 return -1; 3511 } 3512 3513 /* 3514 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3515 * negotiation. 3516 */ 3517 static void 3518 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3519 { 3520 u_char *buf, *p; 3521 struct ifnet *ifp = &sp->pp_if; 3522 int debug = ifp->if_flags & IFF_DEBUG; 3523 3524 len -= 4; 3525 buf = malloc (len, M_TEMP, M_NOWAIT); 3526 if (!buf) 3527 return; 3528 3529 if (debug) 3530 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 3531 ifp->if_xname); 3532 3533 p = (void *)(h + 1); 3534 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3535 if (p[1] > len) { 3536 /* XXX just RXJ? */ 3537 addlog("%s: received malicious IPCPv6 option, " 3538 "dropping\n", ifp->if_xname); 3539 goto drop; 3540 } 3541 if (debug) 3542 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3543 switch (*p) { 3544 case IPV6CP_OPT_IFID: 3545 /* 3546 * Peer doesn't grok address option. This is 3547 * bad. XXX Should we better give up here? 3548 */ 3549 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3550 break; 3551 #ifdef notyet 3552 case IPV6CP_OPT_COMPRESS: 3553 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3554 break; 3555 #endif 3556 } 3557 } 3558 if (debug) 3559 addlog("\n"); 3560 drop: 3561 free(buf, M_TEMP); 3562 return; 3563 } 3564 3565 /* 3566 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3567 * negotiation. 3568 */ 3569 static void 3570 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3571 { 3572 u_char *buf, *p; 3573 struct ifnet *ifp = &sp->pp_if; 3574 int debug = ifp->if_flags & IFF_DEBUG; 3575 struct in6_addr suggestaddr; 3576 3577 len -= 4; 3578 buf = malloc (len, M_TEMP, M_NOWAIT); 3579 if (!buf) 3580 return; 3581 3582 if (debug) 3583 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 3584 ifp->if_xname); 3585 3586 p = (void *)(h + 1); 3587 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3588 if (p[1] > len) { 3589 /* XXX just RXJ? */ 3590 addlog("%s: received malicious IPCPv6 option, " 3591 "dropping\n", ifp->if_xname); 3592 goto drop; 3593 } 3594 if (debug) 3595 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3596 switch (*p) { 3597 case IPV6CP_OPT_IFID: 3598 /* 3599 * Peer doesn't like our local ifid. See 3600 * if we can do something for him. We'll drop 3601 * him our address then. 3602 */ 3603 if (len < 10 || p[1] != 10) 3604 break; 3605 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3606 suggestaddr.s6_addr16[0] = htons(0xfe80); 3607 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 3608 bcopy(&p[2], &suggestaddr.s6_addr[8], 8); 3609 3610 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3611 if (debug) 3612 addlog(" [suggestaddr %s]", 3613 ip6_sprintf(&suggestaddr)); 3614 #ifdef IPV6CP_MYIFID_DYN 3615 /* 3616 * When doing dynamic address assignment, 3617 * we accept his offer. 3618 */ 3619 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3620 struct in6_addr lastsuggest; 3621 /* 3622 * If <suggested myaddr from peer> equals to 3623 * <hisaddr we have suggested last time>, 3624 * we have a collision. generate new random 3625 * ifid. 3626 */ 3627 sppp_suggest_ip6_addr(&lastsuggest); 3628 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3629 lastsuggest)) { 3630 if (debug) 3631 addlog(" [random]"); 3632 sppp_gen_ip6_addr(sp, &suggestaddr); 3633 } 3634 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3635 if (debug) 3636 addlog(" [agree]"); 3637 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3638 } 3639 #else 3640 /* 3641 * Since we do not do dynamic address assignment, 3642 * we ignore it and thus continue to negotiate 3643 * our already existing value. This can possibly 3644 * go into infinite request-reject loop. 3645 * 3646 * This is not likely because we normally use 3647 * ifid based on MAC-address. 3648 * If you have no ethernet card on the node, too bad. 3649 * XXX should we use fail_counter? 3650 */ 3651 #endif 3652 break; 3653 #ifdef notyet 3654 case IPV6CP_OPT_COMPRESS: 3655 /* 3656 * Peer wants different compression parameters. 3657 */ 3658 break; 3659 #endif 3660 } 3661 } 3662 if (debug) 3663 addlog("\n"); 3664 drop: 3665 free(buf, M_TEMP); 3666 return; 3667 } 3668 3669 static void 3670 sppp_ipv6cp_tlu(struct sppp *sp) 3671 { 3672 /* we are up - notify isdn daemon */ 3673 if (sp->pp_con) 3674 sp->pp_con(sp); 3675 } 3676 3677 static void 3678 sppp_ipv6cp_tld(struct sppp *sp) 3679 { 3680 } 3681 3682 static void 3683 sppp_ipv6cp_tls(struct sppp *sp) 3684 { 3685 /* indicate to LCP that it must stay alive */ 3686 sp->lcp.protos |= (1 << IDX_IPV6CP); 3687 } 3688 3689 static void 3690 sppp_ipv6cp_tlf(struct sppp *sp) 3691 { 3692 /* we no longer need LCP */ 3693 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3694 } 3695 3696 static void 3697 sppp_ipv6cp_scr(struct sppp *sp) 3698 { 3699 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3700 struct in6_addr ouraddr; 3701 int i = 0; 3702 3703 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3704 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3705 opt[i++] = IPV6CP_OPT_IFID; 3706 opt[i++] = 10; 3707 bcopy(&ouraddr.s6_addr[8], &opt[i], 8); 3708 i += 8; 3709 } 3710 3711 #ifdef notyet 3712 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 3713 opt[i++] = IPV6CP_OPT_COMPRESSION; 3714 opt[i++] = 4; 3715 opt[i++] = 0; /* TBD */ 3716 opt[i++] = 0; /* TBD */ 3717 /* variable length data may follow */ 3718 } 3719 #endif 3720 3721 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 3722 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 3723 } 3724 #else /*INET6*/ 3725 static void 3726 sppp_ipv6cp_init(struct sppp *sp) 3727 { 3728 } 3729 3730 static void 3731 sppp_ipv6cp_up(struct sppp *sp) 3732 { 3733 } 3734 3735 static void 3736 sppp_ipv6cp_down(struct sppp *sp) 3737 { 3738 } 3739 3740 static void 3741 sppp_ipv6cp_open(struct sppp *sp) 3742 { 3743 } 3744 3745 static void 3746 sppp_ipv6cp_close(struct sppp *sp) 3747 { 3748 } 3749 3750 static void 3751 sppp_ipv6cp_TO(void *sp) 3752 { 3753 } 3754 3755 static int 3756 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, 3757 int len) 3758 { 3759 return 0; 3760 } 3761 3762 static void 3763 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, 3764 int len) 3765 { 3766 } 3767 3768 static void 3769 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, 3770 int len) 3771 { 3772 } 3773 3774 static void 3775 sppp_ipv6cp_tlu(struct sppp *sp) 3776 { 3777 } 3778 3779 static void 3780 sppp_ipv6cp_tld(struct sppp *sp) 3781 { 3782 } 3783 3784 static void 3785 sppp_ipv6cp_tls(struct sppp *sp) 3786 { 3787 } 3788 3789 static void 3790 sppp_ipv6cp_tlf(struct sppp *sp) 3791 { 3792 } 3793 3794 static void 3795 sppp_ipv6cp_scr(struct sppp *sp) 3796 { 3797 } 3798 #endif /*INET6*/ 3799 3800 3801 /* 3802 *--------------------------------------------------------------------------* 3803 * * 3804 * The CHAP implementation. * 3805 * * 3806 *--------------------------------------------------------------------------* 3807 */ 3808 3809 /* 3810 * The authentication protocols don't employ a full-fledged state machine as 3811 * the control protocols do, since they do have Open and Close events, but 3812 * not Up and Down, nor are they explicitly terminated. Also, use of the 3813 * authentication protocols may be different in both directions (this makes 3814 * sense, think of a machine that never accepts incoming calls but only 3815 * calls out, it doesn't require the called party to authenticate itself). 3816 * 3817 * Our state machine for the local authentication protocol (we are requesting 3818 * the peer to authenticate) looks like: 3819 * 3820 * RCA- 3821 * +--------------------------------------------+ 3822 * V scn,tld| 3823 * +--------+ Close +---------+ RCA+ 3824 * | |<----------------------------------| |------+ 3825 * +--->| Closed | TO* | Opened | sca | 3826 * | | |-----+ +-------| |<-----+ 3827 * | +--------+ irc | | +---------+ 3828 * | ^ | | ^ 3829 * | | | | | 3830 * | | | | | 3831 * | TO-| | | | 3832 * | |tld TO+ V | | 3833 * | | +------->+ | | 3834 * | | | | | | 3835 * | +--------+ V | | 3836 * | | |<----+<--------------------+ | 3837 * | | Req- | scr | 3838 * | | Sent | | 3839 * | | | | 3840 * | +--------+ | 3841 * | RCA- | | RCA+ | 3842 * +------+ +------------------------------------------+ 3843 * scn,tld sca,irc,ict,tlu 3844 * 3845 * 3846 * with: 3847 * 3848 * Open: LCP reached authentication phase 3849 * Close: LCP reached terminate phase 3850 * 3851 * RCA+: received reply (pap-req, chap-response), acceptable 3852 * RCN: received reply (pap-req, chap-response), not acceptable 3853 * TO+: timeout with restart counter >= 0 3854 * TO-: timeout with restart counter < 0 3855 * TO*: reschedule timeout for CHAP 3856 * 3857 * scr: send request packet (none for PAP, chap-challenge) 3858 * sca: send ack packet (pap-ack, chap-success) 3859 * scn: send nak packet (pap-nak, chap-failure) 3860 * ict: initialize re-challenge timer (CHAP only) 3861 * 3862 * tlu: this-layer-up, LCP reaches network phase 3863 * tld: this-layer-down, LCP enters terminate phase 3864 * 3865 * Note that in CHAP mode, after sending a new challenge, while the state 3866 * automaton falls back into Req-Sent state, it doesn't signal a tld 3867 * event to LCP, so LCP remains in network phase. Only after not getting 3868 * any response (or after getting an unacceptable response), CHAP closes, 3869 * causing LCP to enter terminate phase. 3870 * 3871 * With PAP, there is no initial request that can be sent. The peer is 3872 * expected to send one based on the successful negotiation of PAP as 3873 * the authentication protocol during the LCP option negotiation. 3874 * 3875 * Incoming authentication protocol requests (remote requests 3876 * authentication, we are peer) don't employ a state machine at all, 3877 * they are simply answered. Some peers [Ascend P50 firmware rev 3878 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are 3879 * still in authentication phase (thereby violating the standard that 3880 * demands that these NCP packets are to be discarded), so we keep 3881 * track of the peer demanding us to authenticate, and only proceed to 3882 * phase network once we've seen a positive acknowledge for the 3883 * authentication. 3884 */ 3885 3886 /* 3887 * Handle incoming CHAP packets. 3888 */ 3889 void 3890 sppp_chap_input(struct sppp *sp, struct mbuf *m) 3891 { 3892 STDDCL; 3893 struct lcp_header *h; 3894 int len, x; 3895 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize; 3896 int value_len, name_len; 3897 MD5_CTX ctx; 3898 3899 len = m->m_pkthdr.len; 3900 if (len < 4) { 3901 if (debug) 3902 log(LOG_DEBUG, 3903 "%s: chap invalid packet length: %d bytes\n", 3904 ifp->if_xname, len); 3905 return; 3906 } 3907 h = mtod(m, struct lcp_header *); 3908 if (len > ntohs(h->len)) 3909 len = ntohs(h->len); 3910 3911 switch (h->type) { 3912 /* challenge, failure and success are his authproto */ 3913 case CHAP_CHALLENGE: 3914 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 3915 /* can't do anything usefull */ 3916 sp->pp_auth_failures++; 3917 printf("%s: chap input without my name and my secret being set\n", 3918 ifp->if_xname); 3919 break; 3920 } 3921 value = 1 + (u_char *)(h + 1); 3922 value_len = value[-1]; 3923 name = value + value_len; 3924 name_len = len - value_len - 5; 3925 if (name_len < 0) { 3926 if (debug) { 3927 log(LOG_DEBUG, 3928 "%s: chap corrupted challenge " 3929 "<%s id=0x%x len=%d", 3930 ifp->if_xname, 3931 sppp_auth_type_name(PPP_CHAP, h->type), 3932 h->ident, ntohs(h->len)); 3933 if (len > 4) 3934 sppp_print_bytes((u_char *)(h + 1), 3935 len - 4); 3936 addlog(">\n"); 3937 } 3938 break; 3939 } 3940 3941 if (debug) { 3942 log(LOG_DEBUG, 3943 "%s: chap input <%s id=0x%x len=%d name=", 3944 ifp->if_xname, 3945 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 3946 ntohs(h->len)); 3947 sppp_print_string((char *) name, name_len); 3948 addlog(" value-size=%d value=", value_len); 3949 sppp_print_bytes(value, value_len); 3950 addlog(">\n"); 3951 } 3952 3953 /* Compute reply value. */ 3954 MD5Init(&ctx); 3955 MD5Update(&ctx, &h->ident, 1); 3956 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 3957 MD5Update(&ctx, value, value_len); 3958 MD5Final(digest, &ctx); 3959 dsize = sizeof digest; 3960 3961 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 3962 sizeof dsize, (const char *)&dsize, 3963 sizeof digest, digest, 3964 sp->myauth.name_len, 3965 sp->myauth.name, 3966 0); 3967 break; 3968 3969 case CHAP_SUCCESS: 3970 if (debug) { 3971 log(LOG_DEBUG, "%s: chap success", 3972 ifp->if_xname); 3973 if (len > 4) { 3974 addlog(": "); 3975 sppp_print_string((char *)(h + 1), len - 4); 3976 } 3977 addlog("\n"); 3978 } 3979 x = splnet(); 3980 sp->pp_auth_failures = 0; 3981 sp->pp_flags &= ~PP_NEEDAUTH; 3982 if (sp->myauth.proto == PPP_CHAP && 3983 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 3984 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 3985 /* 3986 * We are authenticator for CHAP but didn't 3987 * complete yet. Leave it to tlu to proceed 3988 * to network phase. 3989 */ 3990 splx(x); 3991 break; 3992 } 3993 splx(x); 3994 sppp_phase_network(sp); 3995 break; 3996 3997 case CHAP_FAILURE: 3998 x = splnet(); 3999 sp->pp_auth_failures++; 4000 splx(x); 4001 if (debug) { 4002 log(LOG_INFO, "%s: chap failure", 4003 ifp->if_xname); 4004 if (len > 4) { 4005 addlog(": "); 4006 sppp_print_string((char *)(h + 1), len - 4); 4007 } 4008 addlog("\n"); 4009 } else 4010 log(LOG_INFO, "%s: chap failure\n", 4011 ifp->if_xname); 4012 /* await LCP shutdown by authenticator */ 4013 break; 4014 4015 /* response is my authproto */ 4016 case CHAP_RESPONSE: 4017 if (sp->hisauth.secret == NULL) { 4018 /* can't do anything usefull */ 4019 printf("%s: chap input without his secret being set\n", 4020 ifp->if_xname); 4021 break; 4022 } 4023 value = 1 + (u_char *)(h + 1); 4024 value_len = value[-1]; 4025 name = value + value_len; 4026 name_len = len - value_len - 5; 4027 if (name_len < 0) { 4028 if (debug) { 4029 log(LOG_DEBUG, 4030 "%s: chap corrupted response " 4031 "<%s id=0x%x len=%d", 4032 ifp->if_xname, 4033 sppp_auth_type_name(PPP_CHAP, h->type), 4034 h->ident, ntohs(h->len)); 4035 if (len > 4) 4036 sppp_print_bytes((u_char *)(h + 1), 4037 len - 4); 4038 addlog(">\n"); 4039 } 4040 break; 4041 } 4042 if (h->ident != sp->confid[IDX_CHAP]) { 4043 if (debug) 4044 log(LOG_DEBUG, 4045 "%s: chap dropping response for old ID " 4046 "(got %d, expected %d)\n", 4047 ifp->if_xname, 4048 h->ident, sp->confid[IDX_CHAP]); 4049 break; 4050 } 4051 if (sp->hisauth.name != NULL && 4052 (name_len != sp->hisauth.name_len 4053 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 4054 log(LOG_INFO, "%s: chap response, his name ", 4055 ifp->if_xname); 4056 sppp_print_string(name, name_len); 4057 addlog(" != expected "); 4058 sppp_print_string(sp->hisauth.name, 4059 sp->hisauth.name_len); 4060 addlog("\n"); 4061 goto chap_failure; 4062 } 4063 if (debug) { 4064 log(LOG_DEBUG, "%s: chap input(%s) " 4065 "<%s id=0x%x len=%d name=", 4066 ifp->if_xname, 4067 sppp_state_name(sp->state[IDX_CHAP]), 4068 sppp_auth_type_name(PPP_CHAP, h->type), 4069 h->ident, ntohs(h->len)); 4070 sppp_print_string((char *)name, name_len); 4071 addlog(" value-size=%d value=", value_len); 4072 sppp_print_bytes(value, value_len); 4073 addlog(">\n"); 4074 } 4075 if (value_len != sizeof(sp->myauth.challenge)) { 4076 if (debug) 4077 log(LOG_DEBUG, 4078 "%s: chap bad hash value length: " 4079 "%d bytes, should be %ld\n", 4080 ifp->if_xname, value_len, 4081 (long) sizeof(sp->myauth.challenge)); 4082 goto chap_failure; 4083 } 4084 4085 MD5Init(&ctx); 4086 MD5Update(&ctx, &h->ident, 1); 4087 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 4088 MD5Update(&ctx, sp->myauth.challenge, sizeof(sp->myauth.challenge)); 4089 MD5Final(digest, &ctx); 4090 4091 #define FAILMSG "Failed..." 4092 #define SUCCMSG "Welcome!" 4093 4094 if (value_len != sizeof digest || 4095 memcmp(digest, value, value_len) != 0) { 4096 chap_failure: 4097 /* action scn, tld */ 4098 x = splnet(); 4099 sp->pp_auth_failures++; 4100 splx(x); 4101 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4102 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4103 0); 4104 chap.tld(sp); 4105 break; 4106 } 4107 sp->pp_auth_failures = 0; 4108 /* action sca, perhaps tlu */ 4109 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4110 sp->state[IDX_CHAP] == STATE_OPENED) 4111 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4112 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4113 0); 4114 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4115 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4116 chap.tlu(sp); 4117 } 4118 break; 4119 4120 default: 4121 /* Unknown CHAP packet type -- ignore. */ 4122 if (debug) { 4123 log(LOG_DEBUG, "%s: chap unknown input(%s) " 4124 "<0x%x id=0x%xh len=%d", 4125 ifp->if_xname, 4126 sppp_state_name(sp->state[IDX_CHAP]), 4127 h->type, h->ident, ntohs(h->len)); 4128 if (len > 4) 4129 sppp_print_bytes((u_char *)(h + 1), len - 4); 4130 addlog(">\n"); 4131 } 4132 break; 4133 4134 } 4135 } 4136 4137 static void 4138 sppp_chap_init(struct sppp *sp) 4139 { 4140 /* Chap doesn't have STATE_INITIAL at all. */ 4141 sp->state[IDX_CHAP] = STATE_CLOSED; 4142 sp->fail_counter[IDX_CHAP] = 0; 4143 sp->pp_seq[IDX_CHAP] = 0; 4144 sp->pp_rseq[IDX_CHAP] = 0; 4145 callout_init(&sp->ch[IDX_CHAP]); 4146 } 4147 4148 static void 4149 sppp_chap_open(struct sppp *sp) 4150 { 4151 if (sp->myauth.proto == PPP_CHAP && 4152 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4153 /* we are authenticator for CHAP, start it */ 4154 chap.scr(sp); 4155 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4156 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4157 } 4158 /* nothing to be done if we are peer, await a challenge */ 4159 } 4160 4161 static void 4162 sppp_chap_close(struct sppp *sp) 4163 { 4164 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4165 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4166 } 4167 4168 static void 4169 sppp_chap_TO(void *cookie) 4170 { 4171 struct sppp *sp = (struct sppp *)cookie; 4172 STDDCL; 4173 int s; 4174 4175 s = splnet(); 4176 if (debug) 4177 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n", 4178 ifp->if_xname, 4179 sppp_state_name(sp->state[IDX_CHAP]), 4180 sp->rst_counter[IDX_CHAP]); 4181 4182 if (--sp->rst_counter[IDX_CHAP] < 0) 4183 /* TO- event */ 4184 switch (sp->state[IDX_CHAP]) { 4185 case STATE_REQ_SENT: 4186 chap.tld(sp); 4187 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4188 break; 4189 } 4190 else 4191 /* TO+ (or TO*) event */ 4192 switch (sp->state[IDX_CHAP]) { 4193 case STATE_OPENED: 4194 /* TO* event */ 4195 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4196 /* fall through */ 4197 case STATE_REQ_SENT: 4198 chap.scr(sp); 4199 /* sppp_cp_change_state() will restart the timer */ 4200 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4201 break; 4202 } 4203 4204 splx(s); 4205 } 4206 4207 static void 4208 sppp_chap_tlu(struct sppp *sp) 4209 { 4210 STDDCL; 4211 int i, x; 4212 4213 i = 0; 4214 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4215 4216 /* 4217 * Some broken CHAP implementations (Conware CoNet, firmware 4218 * 4.0.?) don't want to re-authenticate their CHAP once the 4219 * initial challenge-response exchange has taken place. 4220 * Provide for an option to avoid rechallenges. 4221 */ 4222 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 4223 /* 4224 * Compute the re-challenge timeout. This will yield 4225 * a number between 300 and 810 seconds. 4226 */ 4227 i = 300 + ((unsigned)(arc4random() & 0xff00) >> 7); 4228 4229 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp); 4230 } 4231 4232 if (debug) { 4233 log(LOG_DEBUG, 4234 "%s: chap %s, ", 4235 ifp->if_xname, 4236 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu"); 4237 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) 4238 addlog("next re-challenge in %d seconds\n", i); 4239 else 4240 addlog("re-challenging supressed\n"); 4241 } 4242 4243 x = splnet(); 4244 sp->pp_auth_failures = 0; 4245 /* indicate to LCP that we need to be closed down */ 4246 sp->lcp.protos |= (1 << IDX_CHAP); 4247 4248 if (sp->pp_flags & PP_NEEDAUTH) { 4249 /* 4250 * Remote is authenticator, but his auth proto didn't 4251 * complete yet. Defer the transition to network 4252 * phase. 4253 */ 4254 splx(x); 4255 return; 4256 } 4257 splx(x); 4258 4259 /* 4260 * If we are already in phase network, we are done here. This 4261 * is the case if this is a dummy tlu event after a re-challenge. 4262 */ 4263 if (sp->pp_phase != SPPP_PHASE_NETWORK) 4264 sppp_phase_network(sp); 4265 } 4266 4267 static void 4268 sppp_chap_tld(struct sppp *sp) 4269 { 4270 STDDCL; 4271 4272 if (debug) 4273 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname); 4274 callout_stop(&sp->ch[IDX_CHAP]); 4275 sp->lcp.protos &= ~(1 << IDX_CHAP); 4276 4277 lcp.Close(sp); 4278 } 4279 4280 static void 4281 sppp_chap_scr(struct sppp *sp) 4282 { 4283 u_int32_t *ch; 4284 u_char clen; 4285 4286 if (sp->myauth.name == NULL) { 4287 /* can't do anything usefull */ 4288 printf("%s: chap starting without my name being set\n", 4289 sp->pp_if.if_xname); 4290 return; 4291 } 4292 4293 /* Compute random challenge. */ 4294 ch = (u_int32_t *)sp->myauth.challenge; 4295 ch[0] = arc4random(); 4296 ch[1] = arc4random(); 4297 ch[2] = arc4random(); 4298 ch[3] = arc4random(); 4299 clen = 16; /* 4 * sizeof(u_int32_t) */ 4300 4301 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4302 4303 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4304 sizeof clen, (const char *)&clen, 4305 sizeof(sp->myauth.challenge), sp->myauth.challenge, 4306 sp->myauth.name_len, 4307 sp->myauth.name, 4308 0); 4309 } 4310 4311 /* 4312 *--------------------------------------------------------------------------* 4313 * * 4314 * The PAP implementation. * 4315 * * 4316 *--------------------------------------------------------------------------* 4317 */ 4318 /* 4319 * For PAP, we need to keep a little state also if we are the peer, not the 4320 * authenticator. This is since we don't get a request to authenticate, but 4321 * have to repeatedly authenticate ourself until we got a response (or the 4322 * retry counter is expired). 4323 */ 4324 4325 /* 4326 * Handle incoming PAP packets. */ 4327 static void 4328 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4329 { 4330 STDDCL; 4331 struct lcp_header *h; 4332 int len, x; 4333 u_char mlen; 4334 char *name, *secret; 4335 int name_len, secret_len; 4336 4337 /* 4338 * Malicious input might leave this uninitialized, so 4339 * init to an impossible value. 4340 */ 4341 secret_len = -1; 4342 4343 len = m->m_pkthdr.len; 4344 if (len < 5) { 4345 if (debug) 4346 log(LOG_DEBUG, 4347 "%s: pap invalid packet length: %d bytes\n", 4348 ifp->if_xname, len); 4349 return; 4350 } 4351 h = mtod(m, struct lcp_header *); 4352 if (len > ntohs(h->len)) 4353 len = ntohs(h->len); 4354 switch (h->type) { 4355 /* PAP request is my authproto */ 4356 case PAP_REQ: 4357 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4358 /* can't do anything usefull */ 4359 printf("%s: pap request without his name and his secret being set\n", 4360 ifp->if_xname); 4361 break; 4362 } 4363 name = 1 + (u_char *)(h + 1); 4364 name_len = name[-1]; 4365 secret = name + name_len + 1; 4366 if (name_len > len - 6 || 4367 (secret_len = secret[-1]) > len - 6 - name_len) { 4368 if (debug) { 4369 log(LOG_DEBUG, "%s: pap corrupted input " 4370 "<%s id=0x%x len=%d", 4371 ifp->if_xname, 4372 sppp_auth_type_name(PPP_PAP, h->type), 4373 h->ident, ntohs(h->len)); 4374 if (len > 4) 4375 sppp_print_bytes((u_char *)(h + 1), 4376 len - 4); 4377 addlog(">\n"); 4378 } 4379 break; 4380 } 4381 if (debug) { 4382 log(LOG_DEBUG, "%s: pap input(%s) " 4383 "<%s id=0x%x len=%d name=", 4384 ifp->if_xname, 4385 sppp_state_name(sp->state[IDX_PAP]), 4386 sppp_auth_type_name(PPP_PAP, h->type), 4387 h->ident, ntohs(h->len)); 4388 sppp_print_string((char *)name, name_len); 4389 addlog(" secret="); 4390 sppp_print_string((char *)secret, secret_len); 4391 addlog(">\n"); 4392 } 4393 if (name_len != sp->hisauth.name_len || 4394 secret_len != sp->hisauth.secret_len || 4395 memcmp(name, sp->hisauth.name, name_len) != 0 || 4396 memcmp(secret, sp->hisauth.secret, secret_len) != 0) { 4397 /* action scn, tld */ 4398 sp->pp_auth_failures++; 4399 mlen = sizeof(FAILMSG) - 1; 4400 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4401 sizeof mlen, (const char *)&mlen, 4402 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4403 0); 4404 pap.tld(sp); 4405 break; 4406 } 4407 /* action sca, perhaps tlu */ 4408 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4409 sp->state[IDX_PAP] == STATE_OPENED) { 4410 mlen = sizeof(SUCCMSG) - 1; 4411 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4412 sizeof mlen, (const char *)&mlen, 4413 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4414 0); 4415 } 4416 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4417 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4418 pap.tlu(sp); 4419 } 4420 break; 4421 4422 /* ack and nak are his authproto */ 4423 case PAP_ACK: 4424 callout_stop(&sp->pap_my_to_ch); 4425 if (debug) { 4426 log(LOG_DEBUG, "%s: pap success", 4427 ifp->if_xname); 4428 name = 1 + (u_char *)(h + 1); 4429 name_len = name[-1]; 4430 if (len > 5 && name_len < len+4) { 4431 addlog(": "); 4432 sppp_print_string(name, name_len); 4433 } 4434 addlog("\n"); 4435 } 4436 x = splnet(); 4437 sp->pp_auth_failures = 0; 4438 sp->pp_flags &= ~PP_NEEDAUTH; 4439 if (sp->myauth.proto == PPP_PAP && 4440 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4441 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4442 /* 4443 * We are authenticator for PAP but didn't 4444 * complete yet. Leave it to tlu to proceed 4445 * to network phase. 4446 */ 4447 splx(x); 4448 break; 4449 } 4450 splx(x); 4451 sppp_phase_network(sp); 4452 break; 4453 4454 case PAP_NAK: 4455 callout_stop(&sp->pap_my_to_ch); 4456 sp->pp_auth_failures++; 4457 if (debug) { 4458 log(LOG_INFO, "%s: pap failure", 4459 ifp->if_xname); 4460 name = 1 + (u_char *)(h + 1); 4461 name_len = name[-1]; 4462 if (len > 5 && name_len < len+4) { 4463 addlog(": "); 4464 sppp_print_string(name, name_len); 4465 } 4466 addlog("\n"); 4467 } else 4468 log(LOG_INFO, "%s: pap failure\n", 4469 ifp->if_xname); 4470 /* await LCP shutdown by authenticator */ 4471 break; 4472 4473 default: 4474 /* Unknown PAP packet type -- ignore. */ 4475 if (debug) { 4476 log(LOG_DEBUG, "%s: pap corrupted input " 4477 "<0x%x id=0x%x len=%d", 4478 ifp->if_xname, 4479 h->type, h->ident, ntohs(h->len)); 4480 if (len > 4) 4481 sppp_print_bytes((u_char *)(h + 1), len - 4); 4482 addlog(">\n"); 4483 } 4484 break; 4485 4486 } 4487 } 4488 4489 static void 4490 sppp_pap_init(struct sppp *sp) 4491 { 4492 /* PAP doesn't have STATE_INITIAL at all. */ 4493 sp->state[IDX_PAP] = STATE_CLOSED; 4494 sp->fail_counter[IDX_PAP] = 0; 4495 sp->pp_seq[IDX_PAP] = 0; 4496 sp->pp_rseq[IDX_PAP] = 0; 4497 callout_init(&sp->ch[IDX_PAP]); 4498 callout_init(&sp->pap_my_to_ch); 4499 } 4500 4501 static void 4502 sppp_pap_open(struct sppp *sp) 4503 { 4504 if (sp->hisauth.proto == PPP_PAP && 4505 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4506 /* we are authenticator for PAP, start our timer */ 4507 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4508 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4509 } 4510 if (sp->myauth.proto == PPP_PAP) { 4511 /* we are peer, send a request, and start a timer */ 4512 pap.scr(sp); 4513 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout, 4514 sppp_pap_my_TO, sp); 4515 } 4516 } 4517 4518 static void 4519 sppp_pap_close(struct sppp *sp) 4520 { 4521 if (sp->state[IDX_PAP] != STATE_CLOSED) 4522 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4523 } 4524 4525 /* 4526 * That's the timeout routine if we are authenticator. Since the 4527 * authenticator is basically passive in PAP, we can't do much here. 4528 */ 4529 static void 4530 sppp_pap_TO(void *cookie) 4531 { 4532 struct sppp *sp = (struct sppp *)cookie; 4533 STDDCL; 4534 int s; 4535 4536 s = splnet(); 4537 if (debug) 4538 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n", 4539 ifp->if_xname, 4540 sppp_state_name(sp->state[IDX_PAP]), 4541 sp->rst_counter[IDX_PAP]); 4542 4543 if (--sp->rst_counter[IDX_PAP] < 0) 4544 /* TO- event */ 4545 switch (sp->state[IDX_PAP]) { 4546 case STATE_REQ_SENT: 4547 pap.tld(sp); 4548 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4549 break; 4550 } 4551 else 4552 /* TO+ event, not very much we could do */ 4553 switch (sp->state[IDX_PAP]) { 4554 case STATE_REQ_SENT: 4555 /* sppp_cp_change_state() will restart the timer */ 4556 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4557 break; 4558 } 4559 4560 splx(s); 4561 } 4562 4563 /* 4564 * That's the timeout handler if we are peer. Since the peer is active, 4565 * we need to retransmit our PAP request since it is apparently lost. 4566 * XXX We should impose a max counter. 4567 */ 4568 static void 4569 sppp_pap_my_TO(void *cookie) 4570 { 4571 struct sppp *sp = (struct sppp *)cookie; 4572 STDDCL; 4573 4574 if (debug) 4575 log(LOG_DEBUG, "%s: pap peer TO\n", 4576 ifp->if_xname); 4577 4578 pap.scr(sp); 4579 } 4580 4581 static void 4582 sppp_pap_tlu(struct sppp *sp) 4583 { 4584 STDDCL; 4585 int x; 4586 4587 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4588 4589 if (debug) 4590 log(LOG_DEBUG, "%s: %s tlu\n", 4591 ifp->if_xname, pap.name); 4592 4593 x = splnet(); 4594 sp->pp_auth_failures = 0; 4595 /* indicate to LCP that we need to be closed down */ 4596 sp->lcp.protos |= (1 << IDX_PAP); 4597 4598 if (sp->pp_flags & PP_NEEDAUTH) { 4599 /* 4600 * Remote is authenticator, but his auth proto didn't 4601 * complete yet. Defer the transition to network 4602 * phase. 4603 */ 4604 splx(x); 4605 return; 4606 } 4607 splx(x); 4608 sppp_phase_network(sp); 4609 } 4610 4611 static void 4612 sppp_pap_tld(struct sppp *sp) 4613 { 4614 STDDCL; 4615 4616 if (debug) 4617 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname); 4618 callout_stop(&sp->ch[IDX_PAP]); 4619 callout_stop(&sp->pap_my_to_ch); 4620 sp->lcp.protos &= ~(1 << IDX_PAP); 4621 4622 lcp.Close(sp); 4623 } 4624 4625 static void 4626 sppp_pap_scr(struct sppp *sp) 4627 { 4628 u_char idlen, pwdlen; 4629 4630 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4631 /* can't do anything usefull */ 4632 printf("%s: pap starting without my name and secret being set\n", 4633 sp->pp_if.if_xname); 4634 return; 4635 } 4636 4637 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4638 pwdlen = sp->myauth.secret_len; 4639 idlen = sp->myauth.name_len; 4640 4641 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 4642 sizeof idlen, (const char *)&idlen, 4643 idlen, sp->myauth.name, 4644 sizeof pwdlen, (const char *)&pwdlen, 4645 pwdlen, sp->myauth.secret, 4646 0); 4647 } 4648 4649 /* 4650 * Random miscellaneous functions. 4651 */ 4652 4653 /* 4654 * Send a PAP or CHAP proto packet. 4655 * 4656 * Varadic function, each of the elements for the ellipsis is of type 4657 * ``size_t mlen, const u_char *msg''. Processing will stop iff 4658 * mlen == 0. 4659 * NOTE: never declare variadic functions with types subject to type 4660 * promotion (i.e. u_char). This is asking for big trouble depending 4661 * on the architecture you are on... 4662 */ 4663 4664 static void 4665 sppp_auth_send(const struct cp *cp, struct sppp *sp, 4666 unsigned int type, unsigned int id, 4667 ...) 4668 { 4669 STDDCL; 4670 struct lcp_header *lh; 4671 struct mbuf *m; 4672 u_char *p; 4673 int len; 4674 size_t pkthdrlen; 4675 unsigned int mlen; 4676 const char *msg; 4677 va_list ap; 4678 4679 MGETHDR(m, M_DONTWAIT, MT_DATA); 4680 if (! m) 4681 return; 4682 m->m_pkthdr.rcvif = 0; 4683 4684 if (sp->pp_flags & PP_NOFRAMING) { 4685 *mtod(m, u_int16_t *) = htons(cp->proto); 4686 pkthdrlen = 2; 4687 lh = (struct lcp_header *)(mtod(m, u_int8_t *)+2); 4688 } else { 4689 struct ppp_header *h; 4690 h = mtod(m, struct ppp_header *); 4691 h->address = PPP_ALLSTATIONS; /* broadcast address */ 4692 h->control = PPP_UI; /* Unnumbered Info */ 4693 h->protocol = htons(cp->proto); 4694 pkthdrlen = PPP_HEADER_LEN; 4695 4696 lh = (struct lcp_header *)(h + 1); 4697 } 4698 4699 lh->type = type; 4700 lh->ident = id; 4701 p = (u_char *)(lh + 1); 4702 4703 va_start(ap, id); 4704 len = 0; 4705 4706 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 4707 msg = va_arg(ap, const char *); 4708 len += mlen; 4709 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 4710 va_end(ap); 4711 m_freem(m); 4712 return; 4713 } 4714 4715 bcopy(msg, p, mlen); 4716 p += mlen; 4717 } 4718 va_end(ap); 4719 4720 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 4721 lh->len = htons(LCP_HEADER_LEN + len); 4722 4723 if (debug) { 4724 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 4725 ifp->if_xname, cp->name, 4726 sppp_auth_type_name(cp->proto, lh->type), 4727 lh->ident, ntohs(lh->len)); 4728 if (len) 4729 sppp_print_bytes((u_char *)(lh + 1), len); 4730 addlog(">\n"); 4731 } 4732 if (IF_QFULL(&sp->pp_cpq)) { 4733 IF_DROP(&sp->pp_fastq); 4734 IF_DROP(&ifp->if_snd); 4735 m_freem(m); 4736 ++ifp->if_oerrors; 4737 return; 4738 } else 4739 IF_ENQUEUE(&sp->pp_cpq, m); 4740 if (! (ifp->if_flags & IFF_OACTIVE)) 4741 (*ifp->if_start)(ifp); 4742 ifp->if_obytes += m->m_pkthdr.len + 3; 4743 } 4744 4745 /* 4746 * Send keepalive packets, every 10 seconds. 4747 */ 4748 static void 4749 sppp_keepalive(void *dummy) 4750 { 4751 struct sppp *sp; 4752 int s; 4753 time_t now; 4754 4755 s = splnet(); 4756 now = time_uptime; 4757 for (sp=spppq; sp; sp=sp->pp_next) { 4758 struct ifnet *ifp = &sp->pp_if; 4759 4760 /* check idle timeout */ 4761 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 4762 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 4763 /* idle timeout is enabled for this interface */ 4764 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 4765 if (ifp->if_flags & IFF_DEBUG) 4766 printf("%s: no activity for %lu seconds\n", 4767 sp->pp_if.if_xname, 4768 (unsigned long)(now-sp->pp_last_activity)); 4769 lcp.Close(sp); 4770 continue; 4771 } 4772 } 4773 4774 /* Keepalive mode disabled or channel down? */ 4775 if (! (sp->pp_flags & PP_KEEPALIVE) || 4776 ! (ifp->if_flags & IFF_RUNNING)) 4777 continue; 4778 4779 /* No keepalive in PPP mode if LCP not opened yet. */ 4780 if (! (sp->pp_flags & PP_CISCO) && 4781 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) 4782 continue; 4783 4784 /* No echo reply, but maybe user data passed through? */ 4785 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) { 4786 sp->pp_alivecnt = 0; 4787 continue; 4788 } 4789 4790 if (sp->pp_alivecnt >= sp->pp_maxalive) { 4791 /* No keepalive packets got. Stop the interface. */ 4792 if_down (ifp); 4793 IF_PURGE(&sp->pp_cpq); 4794 if (! (sp->pp_flags & PP_CISCO)) { 4795 printf("%s: LCP keepalive timed out, going to restart the connection\n", 4796 ifp->if_xname); 4797 sp->pp_alivecnt = 0; 4798 4799 /* we are down, close all open protocols */ 4800 lcp.Close(sp); 4801 4802 /* And now prepare LCP to reestablish the link, if configured to do so. */ 4803 sppp_cp_change_state(&lcp, sp, STATE_STOPPED); 4804 4805 /* Close connection immediately, completition of this 4806 * will summon the magic needed to reestablish it. */ 4807 if (sp->pp_tlf) 4808 sp->pp_tlf(sp); 4809 continue; 4810 } 4811 } 4812 if (sp->pp_alivecnt < sp->pp_maxalive) 4813 ++sp->pp_alivecnt; 4814 if (sp->pp_flags & PP_CISCO) 4815 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 4816 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 4817 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 4818 int32_t nmagic = htonl(sp->lcp.magic); 4819 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 4820 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 4821 sp->lcp.echoid, 4, &nmagic); 4822 } 4823 } 4824 splx(s); 4825 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 4826 } 4827 4828 #ifdef INET 4829 /* 4830 * Get both IP addresses. 4831 */ 4832 static void 4833 sppp_get_ip_addrs(struct sppp *sp, u_int32_t *src, u_int32_t *dst, u_int32_t *srcmask) 4834 { 4835 struct ifnet *ifp = &sp->pp_if; 4836 struct ifaddr *ifa; 4837 struct sockaddr_in *si, *sm; 4838 u_int32_t ssrc, ddst; 4839 4840 sm = NULL; 4841 ssrc = ddst = 0; 4842 /* 4843 * Pick the first AF_INET address from the list, 4844 * aliases don't make any sense on a p2p link anyway. 4845 */ 4846 si = 0; 4847 IFADDR_FOREACH(ifa, ifp) { 4848 if (ifa->ifa_addr->sa_family == AF_INET) { 4849 si = (struct sockaddr_in *)ifa->ifa_addr; 4850 sm = (struct sockaddr_in *)ifa->ifa_netmask; 4851 if (si) 4852 break; 4853 } 4854 } 4855 if (ifa) { 4856 if (si && si->sin_addr.s_addr) { 4857 ssrc = si->sin_addr.s_addr; 4858 if (srcmask) 4859 *srcmask = ntohl(sm->sin_addr.s_addr); 4860 } 4861 4862 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 4863 if (si && si->sin_addr.s_addr) 4864 ddst = si->sin_addr.s_addr; 4865 } 4866 4867 if (dst) *dst = ntohl(ddst); 4868 if (src) *src = ntohl(ssrc); 4869 } 4870 4871 /* 4872 * Set IP addresses. Must be called at splnet. 4873 * If an address is 0, leave it the way it is. 4874 */ 4875 static void 4876 sppp_set_ip_addrs(struct sppp *sp, u_int32_t myaddr, u_int32_t hisaddr) 4877 { 4878 STDDCL; 4879 struct ifaddr *ifa; 4880 struct sockaddr_in *si, *dest; 4881 4882 /* 4883 * Pick the first AF_INET address from the list, 4884 * aliases don't make any sense on a p2p link anyway. 4885 */ 4886 4887 IFADDR_FOREACH(ifa, ifp) { 4888 if (ifa->ifa_addr->sa_family == AF_INET) { 4889 si = (struct sockaddr_in *)ifa->ifa_addr; 4890 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4891 goto found; 4892 } 4893 } 4894 return; 4895 4896 found: 4897 { 4898 int error; 4899 struct sockaddr_in new_sin = *si; 4900 struct sockaddr_in new_dst = *dest; 4901 4902 /* 4903 * Scrub old routes now instead of calling in_ifinit with 4904 * scrub=1, because we may change the dstaddr 4905 * before the call to in_ifinit. 4906 */ 4907 in_ifscrub(ifp, ifatoia(ifa)); 4908 4909 if (myaddr != 0) 4910 new_sin.sin_addr.s_addr = htonl(myaddr); 4911 if (hisaddr != 0) { 4912 new_dst.sin_addr.s_addr = htonl(hisaddr); 4913 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) { 4914 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 4915 *dest = new_dst; /* fix dstaddr in place */ 4916 } 4917 } 4918 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, 0); 4919 if (debug && error) 4920 { 4921 log(LOG_DEBUG, "%s: sppp_set_ip_addrs: in_ifinit " 4922 " failed, error=%d\n", ifp->if_xname, error); 4923 } 4924 #ifdef PFIL_HOOKS 4925 if (!error) 4926 (void)pfil_run_hooks(&if_pfil, 4927 (struct mbuf **)SIOCAIFADDR, ifp, PFIL_IFADDR); 4928 #endif 4929 } 4930 } 4931 4932 /* 4933 * Clear IP addresses. Must be called at splnet. 4934 */ 4935 static void 4936 sppp_clear_ip_addrs(struct sppp *sp) 4937 { 4938 struct ifnet *ifp = &sp->pp_if; 4939 struct ifaddr *ifa; 4940 struct sockaddr_in *si, *dest; 4941 4942 u_int32_t remote; 4943 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4944 remote = sp->ipcp.saved_hisaddr; 4945 else 4946 sppp_get_ip_addrs(sp, 0, &remote, 0); 4947 4948 /* 4949 * Pick the first AF_INET address from the list, 4950 * aliases don't make any sense on a p2p link anyway. 4951 */ 4952 4953 IFADDR_FOREACH(ifa, ifp) { 4954 if (ifa->ifa_addr->sa_family == AF_INET) { 4955 si = (struct sockaddr_in *)ifa->ifa_addr; 4956 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4957 goto found; 4958 } 4959 } 4960 return; 4961 4962 found: 4963 { 4964 struct sockaddr_in new_sin = *si; 4965 4966 in_ifscrub(ifp, ifatoia(ifa)); 4967 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 4968 new_sin.sin_addr.s_addr = 0; 4969 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4970 /* replace peer addr in place */ 4971 dest->sin_addr.s_addr = sp->ipcp.saved_hisaddr; 4972 in_ifinit(ifp, ifatoia(ifa), &new_sin, 0); 4973 #ifdef PFIL_HOOKS 4974 (void)pfil_run_hooks(&if_pfil, 4975 (struct mbuf **)SIOCDIFADDR, ifp, PFIL_IFADDR); 4976 #endif 4977 } 4978 } 4979 #endif 4980 4981 #ifdef INET6 4982 /* 4983 * Get both IPv6 addresses. 4984 */ 4985 static void 4986 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 4987 struct in6_addr *srcmask) 4988 { 4989 struct ifnet *ifp = &sp->pp_if; 4990 struct ifaddr *ifa; 4991 struct sockaddr_in6 *si, *sm; 4992 struct in6_addr ssrc, ddst; 4993 4994 sm = NULL; 4995 memset(&ssrc, 0, sizeof(ssrc)); 4996 memset(&ddst, 0, sizeof(ddst)); 4997 /* 4998 * Pick the first link-local AF_INET6 address from the list, 4999 * aliases don't make any sense on a p2p link anyway. 5000 */ 5001 si = 0; 5002 IFADDR_FOREACH(ifa, ifp) 5003 if (ifa->ifa_addr->sa_family == AF_INET6) { 5004 si = (struct sockaddr_in6 *)ifa->ifa_addr; 5005 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 5006 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) 5007 break; 5008 } 5009 if (ifa) { 5010 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 5011 bcopy(&si->sin6_addr, &ssrc, sizeof(ssrc)); 5012 if (srcmask) { 5013 bcopy(&sm->sin6_addr, srcmask, 5014 sizeof(*srcmask)); 5015 } 5016 } 5017 5018 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 5019 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 5020 bcopy(&si->sin6_addr, &ddst, sizeof(ddst)); 5021 } 5022 5023 if (dst) 5024 bcopy(&ddst, dst, sizeof(*dst)); 5025 if (src) 5026 bcopy(&ssrc, src, sizeof(*src)); 5027 } 5028 5029 #ifdef IPV6CP_MYIFID_DYN 5030 /* 5031 * Generate random ifid. 5032 */ 5033 static void 5034 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5035 { 5036 /* TBD */ 5037 } 5038 5039 /* 5040 * Set my IPv6 address. Must be called at splnet. 5041 */ 5042 static void 5043 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5044 { 5045 STDDCL; 5046 struct ifaddr *ifa; 5047 struct sockaddr_in6 *sin6; 5048 5049 /* 5050 * Pick the first link-local AF_INET6 address from the list, 5051 * aliases don't make any sense on a p2p link anyway. 5052 */ 5053 5054 sin6 = NULL; 5055 IFADDR_FOREACH(ifa, ifp) 5056 { 5057 if (ifa->ifa_addr->sa_family == AF_INET6) 5058 { 5059 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5060 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 5061 break; 5062 } 5063 } 5064 5065 if (ifa && sin6) 5066 { 5067 int error; 5068 struct sockaddr_in6 new_sin6 = *sin6; 5069 5070 bcopy(src, &new_sin6.sin6_addr, sizeof(new_sin6.sin6_addr)); 5071 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5072 if (debug && error) 5073 { 5074 log(LOG_DEBUG, "%s: sppp_set_ip6_addr: in6_ifinit " 5075 " failed, error=%d\n", ifp->if_xname, error); 5076 } 5077 #ifdef PFIL_HOOKS 5078 if (!error) 5079 (void)pfil_run_hooks(&if_pfil, 5080 (struct mbuf **)SIOCAIFADDR_IN6, ifp, PFIL_IFADDR); 5081 #endif 5082 } 5083 } 5084 #endif 5085 5086 /* 5087 * Suggest a candidate address to be used by peer. 5088 */ 5089 static void 5090 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5091 { 5092 struct in6_addr myaddr; 5093 struct timeval tv; 5094 5095 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5096 5097 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5098 microtime(&tv); 5099 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5100 myaddr.s6_addr[14] ^= 0xff; 5101 myaddr.s6_addr[15] ^= 0xff; 5102 } else { 5103 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5104 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5105 } 5106 if (suggest) 5107 bcopy(&myaddr, suggest, sizeof(myaddr)); 5108 } 5109 #endif /*INET6*/ 5110 5111 /* 5112 * Process ioctl requests specific to the PPP interface. 5113 * Permissions have already been checked. 5114 */ 5115 static int 5116 sppp_params(struct sppp *sp, int cmd, void *data) 5117 { 5118 switch (cmd) { 5119 case SPPPGETAUTHCFG: 5120 { 5121 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5122 int error; 5123 size_t len; 5124 5125 cfg->myauthflags = sp->myauth.flags; 5126 cfg->hisauthflags = sp->hisauth.flags; 5127 strncpy(cfg->ifname, sp->pp_if.if_xname, IFNAMSIZ); 5128 cfg->hisauth = 0; 5129 if (sp->hisauth.proto) 5130 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5131 cfg->myauth = 0; 5132 if (sp->myauth.proto) 5133 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5134 if (cfg->myname_length == 0) { 5135 if (sp->myauth.name != NULL) 5136 cfg->myname_length = sp->myauth.name_len + 1; 5137 } else { 5138 if (sp->myauth.name == NULL) { 5139 cfg->myname_length = 0; 5140 } else { 5141 len = sp->myauth.name_len + 1; 5142 if (cfg->myname_length < len) 5143 return (ENAMETOOLONG); 5144 error = copyout(sp->myauth.name, cfg->myname, len); 5145 if (error) return error; 5146 } 5147 } 5148 if (cfg->hisname_length == 0) { 5149 if (sp->hisauth.name != NULL) 5150 cfg->hisname_length = sp->hisauth.name_len + 1; 5151 } else { 5152 if (sp->hisauth.name == NULL) { 5153 cfg->hisname_length = 0; 5154 } else { 5155 len = sp->hisauth.name_len + 1; 5156 if (cfg->hisname_length < len) 5157 return (ENAMETOOLONG); 5158 error = copyout(sp->hisauth.name, cfg->hisname, len); 5159 if (error) return error; 5160 } 5161 } 5162 } 5163 break; 5164 case SPPPSETAUTHCFG: 5165 { 5166 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5167 int error; 5168 5169 if (sp->myauth.name) { 5170 free(sp->myauth.name, M_DEVBUF); 5171 sp->myauth.name = NULL; 5172 } 5173 if (sp->myauth.secret) { 5174 free(sp->myauth.secret, M_DEVBUF); 5175 sp->myauth.secret = NULL; 5176 } 5177 if (sp->hisauth.name) { 5178 free(sp->hisauth.name, M_DEVBUF); 5179 sp->hisauth.name = NULL; 5180 } 5181 if (sp->hisauth.secret) { 5182 free(sp->hisauth.secret, M_DEVBUF); 5183 sp->hisauth.secret = NULL; 5184 } 5185 5186 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 5187 if (cfg->hisname_length >= MCLBYTES) 5188 return (ENAMETOOLONG); 5189 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 5190 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 5191 if (error) { 5192 free(sp->hisauth.name, M_DEVBUF); 5193 sp->hisauth.name = NULL; 5194 return error; 5195 } 5196 sp->hisauth.name_len = cfg->hisname_length - 1; 5197 sp->hisauth.name[sp->hisauth.name_len] = 0; 5198 } 5199 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 5200 if (cfg->hissecret_length >= MCLBYTES) 5201 return (ENAMETOOLONG); 5202 sp->hisauth.secret = malloc(cfg->hissecret_length, M_DEVBUF, M_WAITOK); 5203 error = copyin(cfg->hissecret, sp->hisauth.secret, cfg->hissecret_length); 5204 if (error) { 5205 free(sp->hisauth.secret, M_DEVBUF); 5206 sp->hisauth.secret = NULL; 5207 return error; 5208 } 5209 sp->hisauth.secret_len = cfg->hissecret_length - 1; 5210 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 5211 } 5212 if (cfg->myname != NULL && cfg->myname_length > 0) { 5213 if (cfg->myname_length >= MCLBYTES) 5214 return (ENAMETOOLONG); 5215 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 5216 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 5217 if (error) { 5218 free(sp->myauth.name, M_DEVBUF); 5219 sp->myauth.name = NULL; 5220 return error; 5221 } 5222 sp->myauth.name_len = cfg->myname_length - 1; 5223 sp->myauth.name[sp->myauth.name_len] = 0; 5224 } 5225 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 5226 if (cfg->mysecret_length >= MCLBYTES) 5227 return (ENAMETOOLONG); 5228 sp->myauth.secret = malloc(cfg->mysecret_length, M_DEVBUF, M_WAITOK); 5229 error = copyin(cfg->mysecret, sp->myauth.secret, cfg->mysecret_length); 5230 if (error) { 5231 free(sp->myauth.secret, M_DEVBUF); 5232 sp->myauth.secret = NULL; 5233 return error; 5234 } 5235 sp->myauth.secret_len = cfg->mysecret_length - 1; 5236 sp->myauth.secret[sp->myauth.secret_len] = 0; 5237 } 5238 sp->myauth.flags = cfg->myauthflags; 5239 if (cfg->myauth) 5240 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5241 sp->hisauth.flags = cfg->hisauthflags; 5242 if (cfg->hisauth) 5243 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5244 sp->pp_auth_failures = 0; 5245 if (sp->hisauth.proto != 0) 5246 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 5247 else 5248 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 5249 } 5250 break; 5251 case SPPPGETLCPCFG: 5252 { 5253 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5254 lcpp->lcp_timeout = sp->lcp.timeout; 5255 } 5256 break; 5257 case SPPPSETLCPCFG: 5258 { 5259 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5260 sp->lcp.timeout = lcpp->lcp_timeout; 5261 } 5262 break; 5263 case SPPPGETSTATUS: 5264 { 5265 struct spppstatus *status = (struct spppstatus *)data; 5266 status->phase = sp->pp_phase; 5267 } 5268 break; 5269 case SPPPGETSTATUSNCP: 5270 { 5271 struct spppstatusncp *status = (struct spppstatusncp *)data; 5272 status->phase = sp->pp_phase; 5273 status->ncpup = sppp_ncp_check(sp); 5274 } 5275 break; 5276 case SPPPGETIDLETO: 5277 { 5278 struct spppidletimeout *to = (struct spppidletimeout *)data; 5279 to->idle_seconds = sp->pp_idle_timeout; 5280 } 5281 break; 5282 case SPPPSETIDLETO: 5283 { 5284 struct spppidletimeout *to = (struct spppidletimeout *)data; 5285 sp->pp_idle_timeout = to->idle_seconds; 5286 } 5287 break; 5288 case SPPPSETAUTHFAILURE: 5289 { 5290 struct spppauthfailuresettings *afsettings = (struct spppauthfailuresettings *)data; 5291 sp->pp_max_auth_fail = afsettings->max_failures; 5292 sp->pp_auth_failures = 0; 5293 } 5294 break; 5295 case SPPPGETAUTHFAILURES: 5296 { 5297 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 5298 stats->auth_failures = sp->pp_auth_failures; 5299 stats->max_failures = sp->pp_max_auth_fail; 5300 } 5301 break; 5302 case SPPPSETDNSOPTS: 5303 { 5304 struct spppdnssettings *req = (struct spppdnssettings *)data; 5305 sp->query_dns = req->query_dns & 3; 5306 } 5307 break; 5308 case SPPPGETDNSOPTS: 5309 { 5310 struct spppdnssettings *req = (struct spppdnssettings *)data; 5311 req->query_dns = sp->query_dns; 5312 } 5313 break; 5314 case SPPPGETDNSADDRS: 5315 { 5316 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 5317 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 5318 } 5319 break; 5320 case SPPPGETKEEPALIVE: 5321 { 5322 struct spppkeepalivesettings *settings = 5323 (struct spppkeepalivesettings*)data; 5324 settings->maxalive = sp->pp_maxalive; 5325 settings->max_noreceive = sp->pp_max_noreceive; 5326 } 5327 break; 5328 case SPPPSETKEEPALIVE: 5329 { 5330 struct spppkeepalivesettings *settings = 5331 (struct spppkeepalivesettings*)data; 5332 sp->pp_maxalive = settings->maxalive; 5333 sp->pp_max_noreceive = settings->max_noreceive; 5334 } 5335 break; 5336 default: 5337 return (EINVAL); 5338 } 5339 5340 return (0); 5341 } 5342 5343 static void 5344 sppp_phase_network(struct sppp *sp) 5345 { 5346 STDDCL; 5347 int i; 5348 u_int32_t mask; 5349 5350 sp->pp_phase = SPPP_PHASE_NETWORK; 5351 5352 if (debug) 5353 { 5354 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 5355 sppp_phase_name(sp->pp_phase)); 5356 } 5357 5358 /* Notify NCPs now. */ 5359 for (i = 0; i < IDX_COUNT; i++) 5360 if ((cps[i])->flags & CP_NCP) 5361 (cps[i])->Open(sp); 5362 5363 /* Send Up events to all NCPs. */ 5364 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5365 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) 5366 (cps[i])->Up(sp); 5367 5368 /* if no NCP is starting, all this was in vain, close down */ 5369 sppp_lcp_check_and_close(sp); 5370 } 5371 5372 5373 static const char * 5374 sppp_cp_type_name(u_char type) 5375 { 5376 static char buf[12]; 5377 switch (type) { 5378 case CONF_REQ: return "conf-req"; 5379 case CONF_ACK: return "conf-ack"; 5380 case CONF_NAK: return "conf-nak"; 5381 case CONF_REJ: return "conf-rej"; 5382 case TERM_REQ: return "term-req"; 5383 case TERM_ACK: return "term-ack"; 5384 case CODE_REJ: return "code-rej"; 5385 case PROTO_REJ: return "proto-rej"; 5386 case ECHO_REQ: return "echo-req"; 5387 case ECHO_REPLY: return "echo-reply"; 5388 case DISC_REQ: return "discard-req"; 5389 } 5390 snprintf(buf, sizeof(buf), "0x%x", type); 5391 return buf; 5392 } 5393 5394 static const char * 5395 sppp_auth_type_name(u_short proto, u_char type) 5396 { 5397 static char buf[12]; 5398 switch (proto) { 5399 case PPP_CHAP: 5400 switch (type) { 5401 case CHAP_CHALLENGE: return "challenge"; 5402 case CHAP_RESPONSE: return "response"; 5403 case CHAP_SUCCESS: return "success"; 5404 case CHAP_FAILURE: return "failure"; 5405 } 5406 case PPP_PAP: 5407 switch (type) { 5408 case PAP_REQ: return "req"; 5409 case PAP_ACK: return "ack"; 5410 case PAP_NAK: return "nak"; 5411 } 5412 } 5413 snprintf(buf, sizeof(buf), "0x%x", type); 5414 return buf; 5415 } 5416 5417 static const char * 5418 sppp_lcp_opt_name(u_char opt) 5419 { 5420 static char buf[12]; 5421 switch (opt) { 5422 case LCP_OPT_MRU: return "mru"; 5423 case LCP_OPT_ASYNC_MAP: return "async-map"; 5424 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 5425 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 5426 case LCP_OPT_MAGIC: return "magic"; 5427 case LCP_OPT_PROTO_COMP: return "proto-comp"; 5428 case LCP_OPT_ADDR_COMP: return "addr-comp"; 5429 } 5430 snprintf(buf, sizeof(buf), "0x%x", opt); 5431 return buf; 5432 } 5433 5434 static const char * 5435 sppp_ipcp_opt_name(u_char opt) 5436 { 5437 static char buf[12]; 5438 switch (opt) { 5439 case IPCP_OPT_ADDRESSES: return "addresses"; 5440 case IPCP_OPT_COMPRESSION: return "compression"; 5441 case IPCP_OPT_ADDRESS: return "address"; 5442 } 5443 snprintf(buf, sizeof(buf), "0x%x", opt); 5444 return buf; 5445 } 5446 5447 #ifdef INET6 5448 static const char * 5449 sppp_ipv6cp_opt_name(u_char opt) 5450 { 5451 static char buf[12]; 5452 switch (opt) { 5453 case IPV6CP_OPT_IFID: return "ifid"; 5454 case IPV6CP_OPT_COMPRESSION: return "compression"; 5455 } 5456 snprintf(buf, sizeof(buf), "0x%x", opt); 5457 return buf; 5458 } 5459 #endif 5460 5461 static const char * 5462 sppp_state_name(int state) 5463 { 5464 switch (state) { 5465 case STATE_INITIAL: return "initial"; 5466 case STATE_STARTING: return "starting"; 5467 case STATE_CLOSED: return "closed"; 5468 case STATE_STOPPED: return "stopped"; 5469 case STATE_CLOSING: return "closing"; 5470 case STATE_STOPPING: return "stopping"; 5471 case STATE_REQ_SENT: return "req-sent"; 5472 case STATE_ACK_RCVD: return "ack-rcvd"; 5473 case STATE_ACK_SENT: return "ack-sent"; 5474 case STATE_OPENED: return "opened"; 5475 } 5476 return "illegal"; 5477 } 5478 5479 static const char * 5480 sppp_phase_name(int phase) 5481 { 5482 switch (phase) { 5483 case SPPP_PHASE_DEAD: return "dead"; 5484 case SPPP_PHASE_ESTABLISH: return "establish"; 5485 case SPPP_PHASE_TERMINATE: return "terminate"; 5486 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 5487 case SPPP_PHASE_NETWORK: return "network"; 5488 } 5489 return "illegal"; 5490 } 5491 5492 static const char * 5493 sppp_proto_name(u_short proto) 5494 { 5495 static char buf[12]; 5496 switch (proto) { 5497 case PPP_LCP: return "lcp"; 5498 case PPP_IPCP: return "ipcp"; 5499 case PPP_PAP: return "pap"; 5500 case PPP_CHAP: return "chap"; 5501 case PPP_IPV6CP: return "ipv6cp"; 5502 } 5503 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto); 5504 return buf; 5505 } 5506 5507 static void 5508 sppp_print_bytes(const u_char *p, u_short len) 5509 { 5510 addlog(" %02x", *p++); 5511 while (--len > 0) 5512 addlog("-%02x", *p++); 5513 } 5514 5515 static void 5516 sppp_print_string(const char *p, u_short len) 5517 { 5518 u_char c; 5519 5520 while (len-- > 0) { 5521 c = *p++; 5522 /* 5523 * Print only ASCII chars directly. RFC 1994 recommends 5524 * using only them, but we don't rely on it. */ 5525 if (c < ' ' || c > '~') 5526 addlog("\\x%x", c); 5527 else 5528 addlog("%c", c); 5529 } 5530 } 5531 5532 static const char * 5533 sppp_dotted_quad(u_int32_t addr) 5534 { 5535 static char s[16]; 5536 snprintf(s, sizeof(s), "%d.%d.%d.%d", 5537 (int)((addr >> 24) & 0xff), 5538 (int)((addr >> 16) & 0xff), 5539 (int)((addr >> 8) & 0xff), 5540 (int)(addr & 0xff)); 5541 return s; 5542 } 5543 5544 /* a dummy, used to drop uninteresting events */ 5545 static void 5546 sppp_null(struct sppp *unused) 5547 { 5548 /* do just nothing */ 5549 } 5550 /* 5551 * This file is large. Tell emacs to highlight it nevertheless. 5552 * 5553 * Local Variables: 5554 * hilit-auto-highlight-maxout: 120000 5555 * End: 5556 */ 5557