1 /* $NetBSD: if_spppsubr.c,v 1.147 2016/08/06 22:03:45 pgoyette Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak@cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun@iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.147 2016/08/06 22:03:45 pgoyette Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_modular.h" 49 #include "opt_compat_netbsd.h" 50 #endif 51 52 53 #include <sys/param.h> 54 #include <sys/proc.h> 55 #include <sys/systm.h> 56 #include <sys/kernel.h> 57 #include <sys/sockio.h> 58 #include <sys/socket.h> 59 #include <sys/syslog.h> 60 #include <sys/malloc.h> 61 #include <sys/mbuf.h> 62 #include <sys/callout.h> 63 #include <sys/md5.h> 64 #include <sys/inttypes.h> 65 #include <sys/kauth.h> 66 #include <sys/cprng.h> 67 #include <sys/module.h> 68 69 #include <net/if.h> 70 #include <net/netisr.h> 71 #include <net/if_types.h> 72 #include <net/route.h> 73 #include <net/ppp_defs.h> 74 75 #include <netinet/in.h> 76 #include <netinet/in_systm.h> 77 #include <netinet/in_var.h> 78 #ifdef INET 79 #include <netinet/ip.h> 80 #include <netinet/tcp.h> 81 #endif 82 #include <net/ethertypes.h> 83 84 #ifdef INET6 85 #include <netinet6/scope6_var.h> 86 #endif 87 88 #include <net/if_sppp.h> 89 #include <net/if_spppvar.h> 90 91 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 92 #define LOOPALIVECNT 3 /* loopback detection tries */ 93 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 94 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 95 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 96 97 /* 98 * Interface flags that can be set in an ifconfig command. 99 * 100 * Setting link0 will make the link passive, i.e. it will be marked 101 * as being administrative openable, but won't be opened to begin 102 * with. Incoming calls will be answered, or subsequent calls with 103 * -link1 will cause the administrative open of the LCP layer. 104 * 105 * Setting link1 will cause the link to auto-dial only as packets 106 * arrive to be sent. 107 * 108 * Setting IFF_DEBUG will syslog the option negotiation and state 109 * transitions at level kern.debug. Note: all logs consistently look 110 * like 111 * 112 * <if-name><unit>: <proto-name> <additional info...> 113 * 114 * with <if-name><unit> being something like "bppp0", and <proto-name> 115 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 116 */ 117 118 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 119 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 120 121 #define CONF_REQ 1 /* PPP configure request */ 122 #define CONF_ACK 2 /* PPP configure acknowledge */ 123 #define CONF_NAK 3 /* PPP configure negative ack */ 124 #define CONF_REJ 4 /* PPP configure reject */ 125 #define TERM_REQ 5 /* PPP terminate request */ 126 #define TERM_ACK 6 /* PPP terminate acknowledge */ 127 #define CODE_REJ 7 /* PPP code reject */ 128 #define PROTO_REJ 8 /* PPP protocol reject */ 129 #define ECHO_REQ 9 /* PPP echo request */ 130 #define ECHO_REPLY 10 /* PPP echo reply */ 131 #define DISC_REQ 11 /* PPP discard request */ 132 133 #define LCP_OPT_MRU 1 /* maximum receive unit */ 134 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 135 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 136 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 137 #define LCP_OPT_MAGIC 5 /* magic number */ 138 #define LCP_OPT_RESERVED 6 /* reserved */ 139 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 140 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 141 142 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 143 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 144 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 145 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 146 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 147 148 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 149 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 150 151 #define PAP_REQ 1 /* PAP name/password request */ 152 #define PAP_ACK 2 /* PAP acknowledge */ 153 #define PAP_NAK 3 /* PAP fail */ 154 155 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 156 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 157 #define CHAP_SUCCESS 3 /* CHAP response ok */ 158 #define CHAP_FAILURE 4 /* CHAP response failed */ 159 160 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 161 162 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 163 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 164 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 165 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 166 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 167 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 168 169 /* states are named and numbered according to RFC 1661 */ 170 #define STATE_INITIAL 0 171 #define STATE_STARTING 1 172 #define STATE_CLOSED 2 173 #define STATE_STOPPED 3 174 #define STATE_CLOSING 4 175 #define STATE_STOPPING 5 176 #define STATE_REQ_SENT 6 177 #define STATE_ACK_RCVD 7 178 #define STATE_ACK_SENT 8 179 #define STATE_OPENED 9 180 181 struct ppp_header { 182 uint8_t address; 183 uint8_t control; 184 uint16_t protocol; 185 } __packed; 186 #define PPP_HEADER_LEN sizeof (struct ppp_header) 187 188 struct lcp_header { 189 uint8_t type; 190 uint8_t ident; 191 uint16_t len; 192 } __packed; 193 #define LCP_HEADER_LEN sizeof (struct lcp_header) 194 195 struct cisco_packet { 196 uint32_t type; 197 uint32_t par1; 198 uint32_t par2; 199 uint16_t rel; 200 uint16_t time0; 201 uint16_t time1; 202 } __packed; 203 #define CISCO_PACKET_LEN 18 204 205 /* 206 * We follow the spelling and capitalization of RFC 1661 here, to make 207 * it easier comparing with the standard. Please refer to this RFC in 208 * case you can't make sense out of these abbreviation; it will also 209 * explain the semantics related to the various events and actions. 210 */ 211 struct cp { 212 u_short proto; /* PPP control protocol number */ 213 u_char protoidx; /* index into state table in struct sppp */ 214 u_char flags; 215 #define CP_LCP 0x01 /* this is the LCP */ 216 #define CP_AUTH 0x02 /* this is an authentication protocol */ 217 #define CP_NCP 0x04 /* this is a NCP */ 218 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 219 const char *name; /* name of this control protocol */ 220 /* event handlers */ 221 void (*Up)(struct sppp *sp); 222 void (*Down)(struct sppp *sp); 223 void (*Open)(struct sppp *sp); 224 void (*Close)(struct sppp *sp); 225 void (*TO)(void *sp); 226 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 227 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 228 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 229 /* actions */ 230 void (*tlu)(struct sppp *sp); 231 void (*tld)(struct sppp *sp); 232 void (*tls)(struct sppp *sp); 233 void (*tlf)(struct sppp *sp); 234 void (*scr)(struct sppp *sp); 235 }; 236 237 static struct sppp *spppq; 238 static callout_t keepalive_ch; 239 240 #ifdef INET 241 /* 242 * The following disgusting hack gets around the problem that IP TOS 243 * can't be set yet. We want to put "interactive" traffic on a high 244 * priority queue. To decide if traffic is interactive, we check that 245 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 246 * 247 * XXX is this really still necessary? - joerg - 248 */ 249 static u_short interactive_ports[8] = { 250 0, 513, 0, 0, 251 0, 21, 0, 23, 252 }; 253 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 254 #endif 255 256 /* almost every function needs these */ 257 #define STDDCL \ 258 struct ifnet *ifp = &sp->pp_if; \ 259 int debug = ifp->if_flags & IFF_DEBUG 260 261 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 262 const struct sockaddr *dst, const struct rtentry *rt); 263 264 static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2); 265 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 266 267 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 268 struct mbuf *m); 269 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 270 u_char ident, u_short len, void *data); 271 /* static void sppp_cp_timeout(void *arg); */ 272 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 273 int newstate); 274 static void sppp_auth_send(const struct cp *cp, 275 struct sppp *sp, unsigned int type, unsigned int id, 276 ...); 277 278 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 279 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 280 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 281 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 282 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 283 284 static void sppp_null(struct sppp *sp); 285 286 static void sppp_lcp_init(struct sppp *sp); 287 static void sppp_lcp_up(struct sppp *sp); 288 static void sppp_lcp_down(struct sppp *sp); 289 static void sppp_lcp_open(struct sppp *sp); 290 static void sppp_lcp_close(struct sppp *sp); 291 static void sppp_lcp_TO(void *sp); 292 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 293 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 294 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 295 static void sppp_lcp_tlu(struct sppp *sp); 296 static void sppp_lcp_tld(struct sppp *sp); 297 static void sppp_lcp_tls(struct sppp *sp); 298 static void sppp_lcp_tlf(struct sppp *sp); 299 static void sppp_lcp_scr(struct sppp *sp); 300 static void sppp_lcp_check_and_close(struct sppp *sp); 301 static int sppp_ncp_check(struct sppp *sp); 302 303 static void sppp_ipcp_init(struct sppp *sp); 304 static void sppp_ipcp_up(struct sppp *sp); 305 static void sppp_ipcp_down(struct sppp *sp); 306 static void sppp_ipcp_open(struct sppp *sp); 307 static void sppp_ipcp_close(struct sppp *sp); 308 static void sppp_ipcp_TO(void *sp); 309 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 310 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 311 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 312 static void sppp_ipcp_tlu(struct sppp *sp); 313 static void sppp_ipcp_tld(struct sppp *sp); 314 static void sppp_ipcp_tls(struct sppp *sp); 315 static void sppp_ipcp_tlf(struct sppp *sp); 316 static void sppp_ipcp_scr(struct sppp *sp); 317 318 static void sppp_ipv6cp_init(struct sppp *sp); 319 static void sppp_ipv6cp_up(struct sppp *sp); 320 static void sppp_ipv6cp_down(struct sppp *sp); 321 static void sppp_ipv6cp_open(struct sppp *sp); 322 static void sppp_ipv6cp_close(struct sppp *sp); 323 static void sppp_ipv6cp_TO(void *sp); 324 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 325 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 326 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 327 static void sppp_ipv6cp_tlu(struct sppp *sp); 328 static void sppp_ipv6cp_tld(struct sppp *sp); 329 static void sppp_ipv6cp_tls(struct sppp *sp); 330 static void sppp_ipv6cp_tlf(struct sppp *sp); 331 static void sppp_ipv6cp_scr(struct sppp *sp); 332 333 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 334 static void sppp_pap_init(struct sppp *sp); 335 static void sppp_pap_open(struct sppp *sp); 336 static void sppp_pap_close(struct sppp *sp); 337 static void sppp_pap_TO(void *sp); 338 static void sppp_pap_my_TO(void *sp); 339 static void sppp_pap_tlu(struct sppp *sp); 340 static void sppp_pap_tld(struct sppp *sp); 341 static void sppp_pap_scr(struct sppp *sp); 342 343 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 344 static void sppp_chap_init(struct sppp *sp); 345 static void sppp_chap_open(struct sppp *sp); 346 static void sppp_chap_close(struct sppp *sp); 347 static void sppp_chap_TO(void *sp); 348 static void sppp_chap_tlu(struct sppp *sp); 349 static void sppp_chap_tld(struct sppp *sp); 350 static void sppp_chap_scr(struct sppp *sp); 351 352 static const char *sppp_auth_type_name(u_short proto, u_char type); 353 static const char *sppp_cp_type_name(u_char type); 354 static const char *sppp_dotted_quad(uint32_t addr); 355 static const char *sppp_ipcp_opt_name(u_char opt); 356 #ifdef INET6 357 static const char *sppp_ipv6cp_opt_name(u_char opt); 358 #endif 359 static const char *sppp_lcp_opt_name(u_char opt); 360 static const char *sppp_phase_name(int phase); 361 static const char *sppp_proto_name(u_short proto); 362 static const char *sppp_state_name(int state); 363 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 364 #ifdef INET 365 static void sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, 366 uint32_t *srcmask); 367 static void sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr); 368 static void sppp_clear_ip_addrs(struct sppp *sp); 369 #endif 370 static void sppp_keepalive(void *dummy); 371 static void sppp_phase_network(struct sppp *sp); 372 static void sppp_print_bytes(const u_char *p, u_short len); 373 static void sppp_print_string(const char *p, u_short len); 374 #ifdef INET6 375 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 376 struct in6_addr *dst, struct in6_addr *srcmask); 377 #ifdef IPV6CP_MYIFID_DYN 378 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 379 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 380 #endif 381 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 382 #endif 383 384 /* our control protocol descriptors */ 385 static const struct cp lcp = { 386 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 387 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 388 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 389 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 390 sppp_lcp_scr 391 }; 392 393 static const struct cp ipcp = { 394 PPP_IPCP, IDX_IPCP, 395 #ifdef INET 396 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 397 #else 398 0, 399 #endif 400 "ipcp", 401 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 402 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 403 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 404 sppp_ipcp_scr 405 }; 406 407 static const struct cp ipv6cp = { 408 PPP_IPV6CP, IDX_IPV6CP, 409 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 410 CP_NCP, 411 #else 412 0, 413 #endif 414 "ipv6cp", 415 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 416 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 417 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 418 sppp_ipv6cp_scr 419 }; 420 421 static const struct cp pap = { 422 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 423 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 424 sppp_pap_TO, 0, 0, 0, 425 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 426 sppp_pap_scr 427 }; 428 429 static const struct cp chap = { 430 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 431 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 432 sppp_chap_TO, 0, 0, 0, 433 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 434 sppp_chap_scr 435 }; 436 437 static const struct cp *cps[IDX_COUNT] = { 438 &lcp, /* IDX_LCP */ 439 &ipcp, /* IDX_IPCP */ 440 &ipv6cp, /* IDX_IPV6CP */ 441 &pap, /* IDX_PAP */ 442 &chap, /* IDX_CHAP */ 443 }; 444 445 446 /* 447 * Exported functions, comprising our interface to the lower layer. 448 */ 449 450 /* 451 * Process the received packet. 452 */ 453 void 454 sppp_input(struct ifnet *ifp, struct mbuf *m) 455 { 456 struct ppp_header *h = NULL; 457 pktqueue_t *pktq = NULL; 458 struct ifqueue *inq = NULL; 459 uint16_t protocol; 460 int s; 461 struct sppp *sp = (struct sppp *)ifp; 462 int debug = ifp->if_flags & IFF_DEBUG; 463 int isr = 0; 464 465 if (ifp->if_flags & IFF_UP) { 466 /* Count received bytes, add hardware framing */ 467 ifp->if_ibytes += m->m_pkthdr.len + sp->pp_framebytes; 468 /* Note time of last receive */ 469 sp->pp_last_receive = time_uptime; 470 } 471 472 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 473 /* Too small packet, drop it. */ 474 if (debug) 475 log(LOG_DEBUG, 476 "%s: input packet is too small, %d bytes\n", 477 ifp->if_xname, m->m_pkthdr.len); 478 drop: 479 ++ifp->if_ierrors; 480 ++ifp->if_iqdrops; 481 m_freem(m); 482 return; 483 } 484 485 if (sp->pp_flags & PP_NOFRAMING) { 486 memcpy(&protocol, mtod(m, void *), 2); 487 protocol = ntohs(protocol); 488 m_adj(m, 2); 489 } else { 490 491 /* Get PPP header. */ 492 h = mtod(m, struct ppp_header *); 493 m_adj(m, PPP_HEADER_LEN); 494 495 switch (h->address) { 496 case PPP_ALLSTATIONS: 497 if (h->control != PPP_UI) 498 goto invalid; 499 if (sp->pp_flags & PP_CISCO) { 500 if (debug) 501 log(LOG_DEBUG, 502 "%s: PPP packet in Cisco mode " 503 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 504 ifp->if_xname, 505 h->address, h->control, ntohs(h->protocol)); 506 goto drop; 507 } 508 break; 509 case CISCO_MULTICAST: 510 case CISCO_UNICAST: 511 /* Don't check the control field here (RFC 1547). */ 512 if (! (sp->pp_flags & PP_CISCO)) { 513 if (debug) 514 log(LOG_DEBUG, 515 "%s: Cisco packet in PPP mode " 516 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 517 ifp->if_xname, 518 h->address, h->control, ntohs(h->protocol)); 519 goto drop; 520 } 521 switch (ntohs(h->protocol)) { 522 default: 523 ++ifp->if_noproto; 524 goto invalid; 525 case CISCO_KEEPALIVE: 526 sppp_cisco_input((struct sppp *) ifp, m); 527 m_freem(m); 528 return; 529 #ifdef INET 530 case ETHERTYPE_IP: 531 pktq = ip_pktq; 532 break; 533 #endif 534 #ifdef INET6 535 case ETHERTYPE_IPV6: 536 pktq = ip6_pktq; 537 break; 538 #endif 539 } 540 goto queue_pkt; 541 default: /* Invalid PPP packet. */ 542 invalid: 543 if (debug) 544 log(LOG_DEBUG, 545 "%s: invalid input packet " 546 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 547 ifp->if_xname, 548 h->address, h->control, ntohs(h->protocol)); 549 goto drop; 550 } 551 protocol = ntohs(h->protocol); 552 } 553 554 switch (protocol) { 555 default: 556 if (sp->state[IDX_LCP] == STATE_OPENED) { 557 uint16_t prot = htons(protocol); 558 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 559 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 560 &prot); 561 } 562 if (debug) 563 log(LOG_DEBUG, 564 "%s: invalid input protocol " 565 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol)); 566 ++ifp->if_noproto; 567 goto drop; 568 case PPP_LCP: 569 sppp_cp_input(&lcp, sp, m); 570 m_freem(m); 571 return; 572 case PPP_PAP: 573 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 574 sppp_pap_input(sp, m); 575 m_freem(m); 576 return; 577 case PPP_CHAP: 578 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 579 sppp_chap_input(sp, m); 580 m_freem(m); 581 return; 582 #ifdef INET 583 case PPP_IPCP: 584 if (sp->pp_phase == SPPP_PHASE_NETWORK) 585 sppp_cp_input(&ipcp, sp, m); 586 m_freem(m); 587 return; 588 case PPP_IP: 589 if (sp->state[IDX_IPCP] == STATE_OPENED) { 590 sp->pp_last_activity = time_uptime; 591 pktq = ip_pktq; 592 } 593 break; 594 #endif 595 #ifdef INET6 596 case PPP_IPV6CP: 597 if (sp->pp_phase == SPPP_PHASE_NETWORK) 598 sppp_cp_input(&ipv6cp, sp, m); 599 m_freem(m); 600 return; 601 602 case PPP_IPV6: 603 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 604 sp->pp_last_activity = time_uptime; 605 pktq = ip6_pktq; 606 } 607 break; 608 #endif 609 } 610 611 queue_pkt: 612 if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) { 613 goto drop; 614 } 615 616 /* Check queue. */ 617 if (__predict_true(pktq)) { 618 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 619 goto drop; 620 } 621 return; 622 } 623 624 s = splnet(); 625 if (IF_QFULL(inq)) { 626 /* Queue overflow. */ 627 IF_DROP(inq); 628 splx(s); 629 if (debug) 630 log(LOG_DEBUG, "%s: protocol queue overflow\n", 631 ifp->if_xname); 632 goto drop; 633 } 634 IF_ENQUEUE(inq, m); 635 schednetisr(isr); 636 splx(s); 637 } 638 639 /* 640 * Enqueue transmit packet. 641 */ 642 static int 643 sppp_output(struct ifnet *ifp, struct mbuf *m, 644 const struct sockaddr *dst, const struct rtentry *rt) 645 { 646 struct sppp *sp = (struct sppp *) ifp; 647 struct ppp_header *h = NULL; 648 struct ifqueue *ifq = NULL; /* XXX */ 649 int s, error = 0; 650 uint16_t protocol; 651 652 s = splnet(); 653 654 sp->pp_last_activity = time_uptime; 655 656 if ((ifp->if_flags & IFF_UP) == 0 || 657 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 658 m_freem(m); 659 splx(s); 660 return (ENETDOWN); 661 } 662 663 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 664 /* 665 * Interface is not yet running, but auto-dial. Need 666 * to start LCP for it. 667 */ 668 ifp->if_flags |= IFF_RUNNING; 669 splx(s); 670 lcp.Open(sp); 671 s = splnet(); 672 } 673 674 /* 675 * If the queueing discipline needs packet classification, 676 * do it before prepending link headers. 677 */ 678 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family); 679 680 #ifdef INET 681 if (dst->sa_family == AF_INET) { 682 struct ip *ip = NULL; 683 struct tcphdr *th = NULL; 684 685 if (m->m_len >= sizeof(struct ip)) { 686 ip = mtod(m, struct ip *); 687 if (ip->ip_p == IPPROTO_TCP && 688 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 689 sizeof(struct tcphdr)) { 690 th = (struct tcphdr *) 691 ((char *)ip + (ip->ip_hl << 2)); 692 } 693 } else 694 ip = NULL; 695 696 /* 697 * When using dynamic local IP address assignment by using 698 * 0.0.0.0 as a local address, the first TCP session will 699 * not connect because the local TCP checksum is computed 700 * using 0.0.0.0 which will later become our real IP address 701 * so the TCP checksum computed at the remote end will 702 * become invalid. So we 703 * - don't let packets with src ip addr 0 thru 704 * - we flag TCP packets with src ip 0 as an error 705 */ 706 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 707 uint8_t proto = ip->ip_p; 708 709 m_freem(m); 710 splx(s); 711 if (proto == IPPROTO_TCP) 712 return (EADDRNOTAVAIL); 713 else 714 return (0); 715 } 716 717 /* 718 * Put low delay, telnet, rlogin and ftp control packets 719 * in front of the queue. 720 */ 721 722 if (!IF_QFULL(&sp->pp_fastq) && 723 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 724 (th && (INTERACTIVE(ntohs(th->th_sport)) || 725 INTERACTIVE(ntohs(th->th_dport)))))) 726 ifq = &sp->pp_fastq; 727 } 728 #endif 729 730 #ifdef INET6 731 if (dst->sa_family == AF_INET6) { 732 /* XXX do something tricky here? */ 733 } 734 #endif 735 736 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 737 /* 738 * Prepend general data packet PPP header. For now, IP only. 739 */ 740 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 741 if (! m) { 742 if (ifp->if_flags & IFF_DEBUG) 743 log(LOG_DEBUG, "%s: no memory for transmit header\n", 744 ifp->if_xname); 745 ++ifp->if_oerrors; 746 splx(s); 747 return (ENOBUFS); 748 } 749 /* 750 * May want to check size of packet 751 * (albeit due to the implementation it's always enough) 752 */ 753 h = mtod(m, struct ppp_header *); 754 if (sp->pp_flags & PP_CISCO) { 755 h->address = CISCO_UNICAST; /* unicast address */ 756 h->control = 0; 757 } else { 758 h->address = PPP_ALLSTATIONS; /* broadcast address */ 759 h->control = PPP_UI; /* Unnumbered Info */ 760 } 761 } 762 763 switch (dst->sa_family) { 764 #ifdef INET 765 case AF_INET: /* Internet Protocol */ 766 if (sp->pp_flags & PP_CISCO) 767 protocol = htons(ETHERTYPE_IP); 768 else { 769 /* 770 * Don't choke with an ENETDOWN early. It's 771 * possible that we just started dialing out, 772 * so don't drop the packet immediately. If 773 * we notice that we run out of buffer space 774 * below, we will however remember that we are 775 * not ready to carry IP packets, and return 776 * ENETDOWN, as opposed to ENOBUFS. 777 */ 778 protocol = htons(PPP_IP); 779 if (sp->state[IDX_IPCP] != STATE_OPENED) 780 error = ENETDOWN; 781 } 782 break; 783 #endif 784 #ifdef INET6 785 case AF_INET6: /* Internet Protocol version 6 */ 786 if (sp->pp_flags & PP_CISCO) 787 protocol = htons(ETHERTYPE_IPV6); 788 else { 789 /* 790 * Don't choke with an ENETDOWN early. It's 791 * possible that we just started dialing out, 792 * so don't drop the packet immediately. If 793 * we notice that we run out of buffer space 794 * below, we will however remember that we are 795 * not ready to carry IP packets, and return 796 * ENETDOWN, as opposed to ENOBUFS. 797 */ 798 protocol = htons(PPP_IPV6); 799 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 800 error = ENETDOWN; 801 } 802 break; 803 #endif 804 default: 805 m_freem(m); 806 ++ifp->if_oerrors; 807 splx(s); 808 return (EAFNOSUPPORT); 809 } 810 811 if (sp->pp_flags & PP_NOFRAMING) { 812 M_PREPEND(m, 2, M_DONTWAIT); 813 if (m == NULL) { 814 if (ifp->if_flags & IFF_DEBUG) 815 log(LOG_DEBUG, "%s: no memory for transmit header\n", 816 ifp->if_xname); 817 ++ifp->if_oerrors; 818 splx(s); 819 return (ENOBUFS); 820 } 821 *mtod(m, uint16_t *) = protocol; 822 } else { 823 h->protocol = protocol; 824 } 825 826 827 error = ifq_enqueue2(ifp, ifq, m); 828 829 if (error == 0) { 830 /* 831 * Count output packets and bytes. 832 * The packet length includes header + additional hardware 833 * framing according to RFC 1333. 834 */ 835 if (!(ifp->if_flags & IFF_OACTIVE)) 836 if_start_lock(ifp); 837 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 838 } 839 splx(s); 840 return error; 841 } 842 843 void 844 sppp_attach(struct ifnet *ifp) 845 { 846 struct sppp *sp = (struct sppp *) ifp; 847 848 /* Initialize keepalive handler. */ 849 if (! spppq) { 850 callout_init(&keepalive_ch, 0); 851 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 852 } 853 854 /* Insert new entry into the keepalive list. */ 855 sp->pp_next = spppq; 856 spppq = sp; 857 858 sp->pp_if.if_type = IFT_PPP; 859 sp->pp_if.if_output = sppp_output; 860 sp->pp_fastq.ifq_maxlen = 32; 861 sp->pp_cpq.ifq_maxlen = 20; 862 sp->pp_loopcnt = 0; 863 sp->pp_alivecnt = 0; 864 sp->pp_last_activity = 0; 865 sp->pp_last_receive = 0; 866 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 867 sp->pp_max_noreceive = DEFAULT_NORECV_TIME; 868 sp->pp_idle_timeout = 0; 869 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq)); 870 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq)); 871 sp->pp_auth_failures = 0; 872 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 873 sp->pp_phase = SPPP_PHASE_DEAD; 874 sp->pp_up = lcp.Up; 875 sp->pp_down = lcp.Down; 876 877 if_alloc_sadl(ifp); 878 879 memset(&sp->myauth, 0, sizeof sp->myauth); 880 memset(&sp->hisauth, 0, sizeof sp->hisauth); 881 sppp_lcp_init(sp); 882 sppp_ipcp_init(sp); 883 sppp_ipv6cp_init(sp); 884 sppp_pap_init(sp); 885 sppp_chap_init(sp); 886 } 887 888 void 889 sppp_detach(struct ifnet *ifp) 890 { 891 struct sppp **q, *p, *sp = (struct sppp *) ifp; 892 893 /* Remove the entry from the keepalive list. */ 894 for (q = &spppq; (p = *q); q = &p->pp_next) 895 if (p == sp) { 896 *q = p->pp_next; 897 break; 898 } 899 900 /* Stop keepalive handler. */ 901 if (! spppq) { 902 callout_stop(&keepalive_ch); 903 } 904 905 callout_stop(&sp->ch[IDX_LCP]); 906 callout_stop(&sp->ch[IDX_IPCP]); 907 callout_stop(&sp->ch[IDX_PAP]); 908 callout_stop(&sp->ch[IDX_CHAP]); 909 #ifdef INET6 910 callout_stop(&sp->ch[IDX_IPV6CP]); 911 #endif 912 callout_stop(&sp->pap_my_to_ch); 913 914 /* free authentication info */ 915 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 916 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 917 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 918 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 919 } 920 921 /* 922 * Flush the interface output queue. 923 */ 924 void 925 sppp_flush(struct ifnet *ifp) 926 { 927 struct sppp *sp = (struct sppp *) ifp; 928 929 IFQ_PURGE(&sp->pp_if.if_snd); 930 IF_PURGE(&sp->pp_fastq); 931 IF_PURGE(&sp->pp_cpq); 932 } 933 934 /* 935 * Check if the output queue is empty. 936 */ 937 int 938 sppp_isempty(struct ifnet *ifp) 939 { 940 struct sppp *sp = (struct sppp *) ifp; 941 int empty, s; 942 943 s = splnet(); 944 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 945 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 946 splx(s); 947 return (empty); 948 } 949 950 /* 951 * Get next packet to send. 952 */ 953 struct mbuf * 954 sppp_dequeue(struct ifnet *ifp) 955 { 956 struct sppp *sp = (struct sppp *) ifp; 957 struct mbuf *m; 958 int s; 959 960 s = splnet(); 961 /* 962 * Process only the control protocol queue until we have at 963 * least one NCP open. 964 * 965 * Do always serve all three queues in Cisco mode. 966 */ 967 IF_DEQUEUE(&sp->pp_cpq, m); 968 if (m == NULL && 969 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) { 970 IF_DEQUEUE(&sp->pp_fastq, m); 971 if (m == NULL) 972 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 973 } 974 splx(s); 975 return m; 976 } 977 978 /* 979 * Process an ioctl request. Called on low priority level. 980 */ 981 int 982 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 983 { 984 struct lwp *l = curlwp; /* XXX */ 985 struct ifreq *ifr = (struct ifreq *) data; 986 struct ifaddr *ifa = (struct ifaddr *) data; 987 struct sppp *sp = (struct sppp *) ifp; 988 int s, error=0, going_up, going_down, newmode; 989 990 s = splnet(); 991 switch (cmd) { 992 case SIOCINITIFADDR: 993 ifa->ifa_rtrequest = p2p_rtrequest; 994 break; 995 996 case SIOCSIFFLAGS: 997 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 998 break; 999 going_up = ifp->if_flags & IFF_UP && 1000 (ifp->if_flags & IFF_RUNNING) == 0; 1001 going_down = (ifp->if_flags & IFF_UP) == 0 && 1002 ifp->if_flags & IFF_RUNNING; 1003 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1004 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1005 /* sanity */ 1006 newmode = IFF_PASSIVE; 1007 ifp->if_flags &= ~IFF_AUTO; 1008 } 1009 1010 if (going_up || going_down) 1011 lcp.Close(sp); 1012 if (going_up && newmode == 0) { 1013 /* neither auto-dial nor passive */ 1014 ifp->if_flags |= IFF_RUNNING; 1015 if (!(sp->pp_flags & PP_CISCO)) 1016 lcp.Open(sp); 1017 } else if (going_down) { 1018 sppp_flush(ifp); 1019 ifp->if_flags &= ~IFF_RUNNING; 1020 } 1021 1022 break; 1023 1024 case SIOCSIFMTU: 1025 if (ifr->ifr_mtu < PPP_MINMRU || 1026 ifr->ifr_mtu > sp->lcp.their_mru) { 1027 error = EINVAL; 1028 break; 1029 } 1030 /*FALLTHROUGH*/ 1031 case SIOCGIFMTU: 1032 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1033 error = 0; 1034 break; 1035 case SIOCADDMULTI: 1036 case SIOCDELMULTI: 1037 break; 1038 1039 case SPPPSETAUTHCFG: 1040 case SPPPSETLCPCFG: 1041 case SPPPSETIDLETO: 1042 case SPPPSETAUTHFAILURE: 1043 case SPPPSETDNSOPTS: 1044 case SPPPSETKEEPALIVE: 1045 #if defined(COMPAT_50) || defined(MODULAR) 1046 case __SPPPSETIDLETO50: 1047 case __SPPPSETKEEPALIVE50: 1048 #endif /* COMPAT_50 || MODULAR */ 1049 error = kauth_authorize_network(l->l_cred, 1050 KAUTH_NETWORK_INTERFACE, 1051 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1052 NULL); 1053 if (error) 1054 break; 1055 error = sppp_params(sp, cmd, data); 1056 break; 1057 1058 case SPPPGETAUTHCFG: 1059 case SPPPGETLCPCFG: 1060 case SPPPGETAUTHFAILURES: 1061 error = kauth_authorize_network(l->l_cred, 1062 KAUTH_NETWORK_INTERFACE, 1063 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1064 NULL); 1065 if (error) 1066 break; 1067 error = sppp_params(sp, cmd, data); 1068 break; 1069 1070 case SPPPGETSTATUS: 1071 case SPPPGETSTATUSNCP: 1072 case SPPPGETIDLETO: 1073 case SPPPGETDNSOPTS: 1074 case SPPPGETDNSADDRS: 1075 case SPPPGETKEEPALIVE: 1076 #if defined(COMPAT_50) || defined(MODULAR) 1077 case __SPPPGETIDLETO50: 1078 case __SPPPGETKEEPALIVE50: 1079 #endif /* COMPAT_50 || MODULAR */ 1080 error = sppp_params(sp, cmd, data); 1081 break; 1082 1083 default: 1084 error = ifioctl_common(ifp, cmd, data); 1085 break; 1086 } 1087 splx(s); 1088 return (error); 1089 } 1090 1091 1092 /* 1093 * Cisco framing implementation. 1094 */ 1095 1096 /* 1097 * Handle incoming Cisco keepalive protocol packets. 1098 */ 1099 static void 1100 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1101 { 1102 STDDCL; 1103 struct cisco_packet *h; 1104 #ifdef INET 1105 uint32_t me, mymask = 0; /* XXX: GCC */ 1106 #endif 1107 1108 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1109 if (debug) 1110 log(LOG_DEBUG, 1111 "%s: cisco invalid packet length: %d bytes\n", 1112 ifp->if_xname, m->m_pkthdr.len); 1113 return; 1114 } 1115 h = mtod(m, struct cisco_packet *); 1116 if (debug) 1117 log(LOG_DEBUG, 1118 "%s: cisco input: %d bytes " 1119 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1120 ifp->if_xname, m->m_pkthdr.len, 1121 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1122 (u_int)h->time0, (u_int)h->time1); 1123 switch (ntohl(h->type)) { 1124 default: 1125 if (debug) 1126 addlog("%s: cisco unknown packet type: 0x%x\n", 1127 ifp->if_xname, ntohl(h->type)); 1128 break; 1129 case CISCO_ADDR_REPLY: 1130 /* Reply on address request, ignore */ 1131 break; 1132 case CISCO_KEEPALIVE_REQ: 1133 sp->pp_alivecnt = 0; 1134 sp->pp_rseq[IDX_LCP] = ntohl(h->par1); 1135 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1136 /* Local and remote sequence numbers are equal. 1137 * Probably, the line is in loopback mode. */ 1138 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1139 printf ("%s: loopback\n", 1140 ifp->if_xname); 1141 sp->pp_loopcnt = 0; 1142 if (ifp->if_flags & IFF_UP) { 1143 if_down(ifp); 1144 IF_PURGE(&sp->pp_cpq); 1145 } 1146 } 1147 ++sp->pp_loopcnt; 1148 1149 /* Generate new local sequence number */ 1150 sp->pp_seq[IDX_LCP] = cprng_fast32(); 1151 break; 1152 } 1153 sp->pp_loopcnt = 0; 1154 if (! (ifp->if_flags & IFF_UP) && 1155 (ifp->if_flags & IFF_RUNNING)) { 1156 if_up(ifp); 1157 } 1158 break; 1159 case CISCO_ADDR_REQ: 1160 #ifdef INET 1161 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1162 if (me != 0L) 1163 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1164 #endif 1165 break; 1166 } 1167 } 1168 1169 /* 1170 * Send Cisco keepalive packet. 1171 */ 1172 static void 1173 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1174 { 1175 STDDCL; 1176 struct ppp_header *h; 1177 struct cisco_packet *ch; 1178 struct mbuf *m; 1179 uint32_t t; 1180 1181 t = time_uptime * 1000; 1182 MGETHDR(m, M_DONTWAIT, MT_DATA); 1183 if (! m) 1184 return; 1185 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1186 m_reset_rcvif(m); 1187 1188 h = mtod(m, struct ppp_header *); 1189 h->address = CISCO_MULTICAST; 1190 h->control = 0; 1191 h->protocol = htons(CISCO_KEEPALIVE); 1192 1193 ch = (struct cisco_packet *)(h + 1); 1194 ch->type = htonl(type); 1195 ch->par1 = htonl(par1); 1196 ch->par2 = htonl(par2); 1197 ch->rel = -1; 1198 1199 ch->time0 = htons((u_short)(t >> 16)); 1200 ch->time1 = htons((u_short) t); 1201 1202 if (debug) 1203 log(LOG_DEBUG, 1204 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1205 ifp->if_xname, ntohl(ch->type), ch->par1, 1206 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1207 (u_int)ch->time1); 1208 1209 if (IF_QFULL(&sp->pp_cpq)) { 1210 IF_DROP(&sp->pp_fastq); 1211 IF_DROP(&ifp->if_snd); 1212 m_freem(m); 1213 ++ifp->if_oerrors; 1214 return; 1215 } else 1216 IF_ENQUEUE(&sp->pp_cpq, m); 1217 if (! (ifp->if_flags & IFF_OACTIVE)) 1218 if_start_lock(ifp); 1219 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1220 } 1221 1222 /* 1223 * PPP protocol implementation. 1224 */ 1225 1226 /* 1227 * Send PPP control protocol packet. 1228 */ 1229 static void 1230 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1231 u_char ident, u_short len, void *data) 1232 { 1233 STDDCL; 1234 struct lcp_header *lh; 1235 struct mbuf *m; 1236 size_t pkthdrlen; 1237 1238 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1239 1240 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1241 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1242 MGETHDR(m, M_DONTWAIT, MT_DATA); 1243 if (! m) 1244 return; 1245 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1246 m_reset_rcvif(m); 1247 1248 if (sp->pp_flags & PP_NOFRAMING) { 1249 *mtod(m, uint16_t *) = htons(proto); 1250 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1251 } else { 1252 struct ppp_header *h; 1253 h = mtod(m, struct ppp_header *); 1254 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1255 h->control = PPP_UI; /* Unnumbered Info */ 1256 h->protocol = htons(proto); /* Link Control Protocol */ 1257 lh = (struct lcp_header *)(h + 1); 1258 } 1259 lh->type = type; 1260 lh->ident = ident; 1261 lh->len = htons(LCP_HEADER_LEN + len); 1262 if (len) 1263 memcpy(lh + 1, data, len); 1264 1265 if (debug) { 1266 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1267 ifp->if_xname, 1268 sppp_proto_name(proto), 1269 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len)); 1270 if (len) 1271 sppp_print_bytes((u_char *)(lh + 1), len); 1272 addlog(">\n"); 1273 } 1274 if (IF_QFULL(&sp->pp_cpq)) { 1275 IF_DROP(&sp->pp_fastq); 1276 IF_DROP(&ifp->if_snd); 1277 m_freem(m); 1278 ++ifp->if_oerrors; 1279 return; 1280 } else 1281 IF_ENQUEUE(&sp->pp_cpq, m); 1282 if (! (ifp->if_flags & IFF_OACTIVE)) 1283 if_start_lock(ifp); 1284 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1285 } 1286 1287 /* 1288 * Handle incoming PPP control protocol packets. 1289 */ 1290 static void 1291 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1292 { 1293 STDDCL; 1294 struct lcp_header *h; 1295 int printlen, len = m->m_pkthdr.len; 1296 int rv; 1297 u_char *p; 1298 uint32_t u32; 1299 1300 if (len < 4) { 1301 if (debug) 1302 log(LOG_DEBUG, 1303 "%s: %s invalid packet length: %d bytes\n", 1304 ifp->if_xname, cp->name, len); 1305 return; 1306 } 1307 h = mtod(m, struct lcp_header *); 1308 if (debug) { 1309 printlen = ntohs(h->len); 1310 log(LOG_DEBUG, 1311 "%s: %s input(%s): <%s id=0x%x len=%d", 1312 ifp->if_xname, cp->name, 1313 sppp_state_name(sp->state[cp->protoidx]), 1314 sppp_cp_type_name(h->type), h->ident, printlen); 1315 if (len < printlen) 1316 printlen = len; 1317 if (printlen > 4) 1318 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1319 addlog(">\n"); 1320 } 1321 if (len > ntohs(h->len)) 1322 len = ntohs(h->len); 1323 p = (u_char *)(h + 1); 1324 switch (h->type) { 1325 case CONF_REQ: 1326 if (len < 4) { 1327 if (debug) 1328 addlog("%s: %s invalid conf-req length %d\n", 1329 ifp->if_xname, cp->name, 1330 len); 1331 ++ifp->if_ierrors; 1332 break; 1333 } 1334 /* handle states where RCR doesn't get a SCA/SCN */ 1335 switch (sp->state[cp->protoidx]) { 1336 case STATE_CLOSING: 1337 case STATE_STOPPING: 1338 return; 1339 case STATE_CLOSED: 1340 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1341 0, 0); 1342 return; 1343 } 1344 rv = (cp->RCR)(sp, h, len); 1345 if (rv < 0) { 1346 /* fatal error, shut down */ 1347 (cp->tld)(sp); 1348 sppp_lcp_tlf(sp); 1349 return; 1350 } 1351 switch (sp->state[cp->protoidx]) { 1352 case STATE_OPENED: 1353 (cp->tld)(sp); 1354 (cp->scr)(sp); 1355 /* fall through... */ 1356 case STATE_ACK_SENT: 1357 case STATE_REQ_SENT: 1358 sppp_cp_change_state(cp, sp, rv? 1359 STATE_ACK_SENT: STATE_REQ_SENT); 1360 break; 1361 case STATE_STOPPED: 1362 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1363 (cp->scr)(sp); 1364 sppp_cp_change_state(cp, sp, rv? 1365 STATE_ACK_SENT: STATE_REQ_SENT); 1366 break; 1367 case STATE_ACK_RCVD: 1368 if (rv) { 1369 sppp_cp_change_state(cp, sp, STATE_OPENED); 1370 if (debug) 1371 log(LOG_DEBUG, "%s: %s tlu\n", 1372 ifp->if_xname, 1373 cp->name); 1374 (cp->tlu)(sp); 1375 } else 1376 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1377 break; 1378 default: 1379 printf("%s: %s illegal %s in state %s\n", 1380 ifp->if_xname, cp->name, 1381 sppp_cp_type_name(h->type), 1382 sppp_state_name(sp->state[cp->protoidx])); 1383 ++ifp->if_ierrors; 1384 } 1385 break; 1386 case CONF_ACK: 1387 if (h->ident != sp->confid[cp->protoidx]) { 1388 if (debug) 1389 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1390 ifp->if_xname, cp->name, 1391 h->ident, sp->confid[cp->protoidx]); 1392 ++ifp->if_ierrors; 1393 break; 1394 } 1395 switch (sp->state[cp->protoidx]) { 1396 case STATE_CLOSED: 1397 case STATE_STOPPED: 1398 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1399 break; 1400 case STATE_CLOSING: 1401 case STATE_STOPPING: 1402 break; 1403 case STATE_REQ_SENT: 1404 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1405 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1406 break; 1407 case STATE_OPENED: 1408 (cp->tld)(sp); 1409 /* fall through */ 1410 case STATE_ACK_RCVD: 1411 (cp->scr)(sp); 1412 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1413 break; 1414 case STATE_ACK_SENT: 1415 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1416 sppp_cp_change_state(cp, sp, STATE_OPENED); 1417 if (debug) 1418 log(LOG_DEBUG, "%s: %s tlu\n", 1419 ifp->if_xname, cp->name); 1420 (cp->tlu)(sp); 1421 break; 1422 default: 1423 printf("%s: %s illegal %s in state %s\n", 1424 ifp->if_xname, cp->name, 1425 sppp_cp_type_name(h->type), 1426 sppp_state_name(sp->state[cp->protoidx])); 1427 ++ifp->if_ierrors; 1428 } 1429 break; 1430 case CONF_NAK: 1431 case CONF_REJ: 1432 if (h->ident != sp->confid[cp->protoidx]) { 1433 if (debug) 1434 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1435 ifp->if_xname, cp->name, 1436 h->ident, sp->confid[cp->protoidx]); 1437 ++ifp->if_ierrors; 1438 break; 1439 } 1440 if (h->type == CONF_NAK) 1441 (cp->RCN_nak)(sp, h, len); 1442 else /* CONF_REJ */ 1443 (cp->RCN_rej)(sp, h, len); 1444 1445 switch (sp->state[cp->protoidx]) { 1446 case STATE_CLOSED: 1447 case STATE_STOPPED: 1448 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1449 break; 1450 case STATE_REQ_SENT: 1451 case STATE_ACK_SENT: 1452 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1453 (cp->scr)(sp); 1454 break; 1455 case STATE_OPENED: 1456 (cp->tld)(sp); 1457 /* fall through */ 1458 case STATE_ACK_RCVD: 1459 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 1460 (cp->scr)(sp); 1461 break; 1462 case STATE_CLOSING: 1463 case STATE_STOPPING: 1464 break; 1465 default: 1466 printf("%s: %s illegal %s in state %s\n", 1467 ifp->if_xname, cp->name, 1468 sppp_cp_type_name(h->type), 1469 sppp_state_name(sp->state[cp->protoidx])); 1470 ++ifp->if_ierrors; 1471 } 1472 break; 1473 1474 case TERM_REQ: 1475 switch (sp->state[cp->protoidx]) { 1476 case STATE_ACK_RCVD: 1477 case STATE_ACK_SENT: 1478 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1479 /* fall through */ 1480 case STATE_CLOSED: 1481 case STATE_STOPPED: 1482 case STATE_CLOSING: 1483 case STATE_STOPPING: 1484 case STATE_REQ_SENT: 1485 sta: 1486 /* Send Terminate-Ack packet. */ 1487 if (debug) 1488 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 1489 ifp->if_xname, cp->name); 1490 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1491 break; 1492 case STATE_OPENED: 1493 (cp->tld)(sp); 1494 sp->rst_counter[cp->protoidx] = 0; 1495 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1496 goto sta; 1497 default: 1498 printf("%s: %s illegal %s in state %s\n", 1499 ifp->if_xname, cp->name, 1500 sppp_cp_type_name(h->type), 1501 sppp_state_name(sp->state[cp->protoidx])); 1502 ++ifp->if_ierrors; 1503 } 1504 break; 1505 case TERM_ACK: 1506 switch (sp->state[cp->protoidx]) { 1507 case STATE_CLOSED: 1508 case STATE_STOPPED: 1509 case STATE_REQ_SENT: 1510 case STATE_ACK_SENT: 1511 break; 1512 case STATE_CLOSING: 1513 (cp->tlf)(sp); 1514 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1515 sppp_lcp_check_and_close(sp); 1516 break; 1517 case STATE_STOPPING: 1518 (cp->tlf)(sp); 1519 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1520 sppp_lcp_check_and_close(sp); 1521 break; 1522 case STATE_ACK_RCVD: 1523 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1524 break; 1525 case STATE_OPENED: 1526 (cp->tld)(sp); 1527 (cp->scr)(sp); 1528 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1529 break; 1530 default: 1531 printf("%s: %s illegal %s in state %s\n", 1532 ifp->if_xname, cp->name, 1533 sppp_cp_type_name(h->type), 1534 sppp_state_name(sp->state[cp->protoidx])); 1535 ++ifp->if_ierrors; 1536 } 1537 break; 1538 case CODE_REJ: 1539 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1540 log(LOG_INFO, 1541 "%s: %s: ignoring RXJ (%s) for code ?, " 1542 "danger will robinson\n", 1543 ifp->if_xname, cp->name, 1544 sppp_cp_type_name(h->type)); 1545 switch (sp->state[cp->protoidx]) { 1546 case STATE_CLOSED: 1547 case STATE_STOPPED: 1548 case STATE_REQ_SENT: 1549 case STATE_ACK_SENT: 1550 case STATE_CLOSING: 1551 case STATE_STOPPING: 1552 case STATE_OPENED: 1553 break; 1554 case STATE_ACK_RCVD: 1555 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1556 break; 1557 default: 1558 printf("%s: %s illegal %s in state %s\n", 1559 ifp->if_xname, cp->name, 1560 sppp_cp_type_name(h->type), 1561 sppp_state_name(sp->state[cp->protoidx])); 1562 ++ifp->if_ierrors; 1563 } 1564 break; 1565 case PROTO_REJ: 1566 { 1567 int catastrophic; 1568 const struct cp *upper; 1569 int i; 1570 uint16_t proto; 1571 1572 catastrophic = 0; 1573 upper = NULL; 1574 proto = p[0] << 8 | p[1]; 1575 for (i = 0; i < IDX_COUNT; i++) { 1576 if (cps[i]->proto == proto) { 1577 upper = cps[i]; 1578 break; 1579 } 1580 } 1581 if (upper == NULL) 1582 catastrophic++; 1583 1584 if (debug) 1585 log(LOG_INFO, 1586 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1587 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1588 sppp_cp_type_name(h->type), proto, 1589 upper ? upper->name : "unknown", 1590 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1591 1592 /* 1593 * if we got RXJ+ against conf-req, the peer does not implement 1594 * this particular protocol type. terminate the protocol. 1595 */ 1596 if (upper && !catastrophic) { 1597 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1598 upper->Close(sp); 1599 break; 1600 } 1601 } 1602 1603 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1604 switch (sp->state[cp->protoidx]) { 1605 case STATE_CLOSED: 1606 case STATE_STOPPED: 1607 case STATE_REQ_SENT: 1608 case STATE_ACK_SENT: 1609 case STATE_CLOSING: 1610 case STATE_STOPPING: 1611 case STATE_OPENED: 1612 break; 1613 case STATE_ACK_RCVD: 1614 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1615 break; 1616 default: 1617 printf("%s: %s illegal %s in state %s\n", 1618 ifp->if_xname, cp->name, 1619 sppp_cp_type_name(h->type), 1620 sppp_state_name(sp->state[cp->protoidx])); 1621 ++ifp->if_ierrors; 1622 } 1623 break; 1624 } 1625 case DISC_REQ: 1626 if (cp->proto != PPP_LCP) 1627 goto illegal; 1628 /* Discard the packet. */ 1629 break; 1630 case ECHO_REQ: 1631 if (cp->proto != PPP_LCP) 1632 goto illegal; 1633 if (sp->state[cp->protoidx] != STATE_OPENED) { 1634 if (debug) 1635 addlog("%s: lcp echo req but lcp closed\n", 1636 ifp->if_xname); 1637 ++ifp->if_ierrors; 1638 break; 1639 } 1640 if (len < 8) { 1641 if (debug) 1642 addlog("%s: invalid lcp echo request " 1643 "packet length: %d bytes\n", 1644 ifp->if_xname, len); 1645 break; 1646 } 1647 memcpy(&u32, h + 1, sizeof u32); 1648 if (ntohl(u32) == sp->lcp.magic) { 1649 /* Line loopback mode detected. */ 1650 printf("%s: loopback\n", ifp->if_xname); 1651 if_down(ifp); 1652 IF_PURGE(&sp->pp_cpq); 1653 1654 /* Shut down the PPP link. */ 1655 /* XXX */ 1656 lcp.Down(sp); 1657 lcp.Up(sp); 1658 break; 1659 } 1660 u32 = htonl(sp->lcp.magic); 1661 memcpy(h + 1, &u32, sizeof u32); 1662 if (debug) 1663 addlog("%s: got lcp echo req, sending echo rep\n", 1664 ifp->if_xname); 1665 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1666 h + 1); 1667 break; 1668 case ECHO_REPLY: 1669 if (cp->proto != PPP_LCP) 1670 goto illegal; 1671 if (h->ident != sp->lcp.echoid) { 1672 ++ifp->if_ierrors; 1673 break; 1674 } 1675 if (len < 8) { 1676 if (debug) 1677 addlog("%s: lcp invalid echo reply " 1678 "packet length: %d bytes\n", 1679 ifp->if_xname, len); 1680 break; 1681 } 1682 if (debug) 1683 addlog("%s: lcp got echo rep\n", 1684 ifp->if_xname); 1685 memcpy(&u32, h + 1, sizeof u32); 1686 if (ntohl(u32) != sp->lcp.magic) 1687 sp->pp_alivecnt = 0; 1688 break; 1689 default: 1690 /* Unknown packet type -- send Code-Reject packet. */ 1691 illegal: 1692 if (debug) 1693 addlog("%s: %s send code-rej for 0x%x\n", 1694 ifp->if_xname, cp->name, h->type); 1695 sppp_cp_send(sp, cp->proto, CODE_REJ, 1696 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1697 ++ifp->if_ierrors; 1698 } 1699 } 1700 1701 1702 /* 1703 * The generic part of all Up/Down/Open/Close/TO event handlers. 1704 * Basically, the state transition handling in the automaton. 1705 */ 1706 static void 1707 sppp_up_event(const struct cp *cp, struct sppp *sp) 1708 { 1709 STDDCL; 1710 1711 if (debug) 1712 log(LOG_DEBUG, "%s: %s up(%s)\n", 1713 ifp->if_xname, cp->name, 1714 sppp_state_name(sp->state[cp->protoidx])); 1715 1716 switch (sp->state[cp->protoidx]) { 1717 case STATE_INITIAL: 1718 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1719 break; 1720 case STATE_STARTING: 1721 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1722 (cp->scr)(sp); 1723 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1724 break; 1725 default: 1726 printf("%s: %s illegal up in state %s\n", 1727 ifp->if_xname, cp->name, 1728 sppp_state_name(sp->state[cp->protoidx])); 1729 } 1730 } 1731 1732 static void 1733 sppp_down_event(const struct cp *cp, struct sppp *sp) 1734 { 1735 STDDCL; 1736 1737 if (debug) 1738 log(LOG_DEBUG, "%s: %s down(%s)\n", 1739 ifp->if_xname, cp->name, 1740 sppp_state_name(sp->state[cp->protoidx])); 1741 1742 switch (sp->state[cp->protoidx]) { 1743 case STATE_CLOSED: 1744 case STATE_CLOSING: 1745 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1746 break; 1747 case STATE_STOPPED: 1748 (cp->tls)(sp); 1749 /* fall through */ 1750 case STATE_STOPPING: 1751 case STATE_REQ_SENT: 1752 case STATE_ACK_RCVD: 1753 case STATE_ACK_SENT: 1754 sppp_cp_change_state(cp, sp, STATE_STARTING); 1755 break; 1756 case STATE_OPENED: 1757 (cp->tld)(sp); 1758 sppp_cp_change_state(cp, sp, STATE_STARTING); 1759 break; 1760 default: 1761 printf("%s: %s illegal down in state %s\n", 1762 ifp->if_xname, cp->name, 1763 sppp_state_name(sp->state[cp->protoidx])); 1764 } 1765 } 1766 1767 1768 static void 1769 sppp_open_event(const struct cp *cp, struct sppp *sp) 1770 { 1771 STDDCL; 1772 1773 if (debug) 1774 log(LOG_DEBUG, "%s: %s open(%s)\n", 1775 ifp->if_xname, cp->name, 1776 sppp_state_name(sp->state[cp->protoidx])); 1777 1778 switch (sp->state[cp->protoidx]) { 1779 case STATE_INITIAL: 1780 sppp_cp_change_state(cp, sp, STATE_STARTING); 1781 (cp->tls)(sp); 1782 break; 1783 case STATE_STARTING: 1784 break; 1785 case STATE_CLOSED: 1786 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1787 (cp->scr)(sp); 1788 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1789 break; 1790 case STATE_STOPPED: 1791 case STATE_STOPPING: 1792 case STATE_REQ_SENT: 1793 case STATE_ACK_RCVD: 1794 case STATE_ACK_SENT: 1795 case STATE_OPENED: 1796 break; 1797 case STATE_CLOSING: 1798 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1799 break; 1800 } 1801 } 1802 1803 1804 static void 1805 sppp_close_event(const struct cp *cp, struct sppp *sp) 1806 { 1807 STDDCL; 1808 1809 if (debug) 1810 log(LOG_DEBUG, "%s: %s close(%s)\n", 1811 ifp->if_xname, cp->name, 1812 sppp_state_name(sp->state[cp->protoidx])); 1813 1814 switch (sp->state[cp->protoidx]) { 1815 case STATE_INITIAL: 1816 case STATE_CLOSED: 1817 case STATE_CLOSING: 1818 break; 1819 case STATE_STARTING: 1820 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1821 (cp->tlf)(sp); 1822 break; 1823 case STATE_STOPPED: 1824 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1825 break; 1826 case STATE_STOPPING: 1827 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1828 break; 1829 case STATE_OPENED: 1830 (cp->tld)(sp); 1831 /* fall through */ 1832 case STATE_REQ_SENT: 1833 case STATE_ACK_RCVD: 1834 case STATE_ACK_SENT: 1835 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 1836 sppp_cp_send(sp, cp->proto, TERM_REQ, 1837 ++sp->pp_seq[cp->protoidx], 0, 0); 1838 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1839 break; 1840 } 1841 } 1842 1843 static void 1844 sppp_to_event(const struct cp *cp, struct sppp *sp) 1845 { 1846 STDDCL; 1847 int s; 1848 1849 s = splnet(); 1850 if (debug) 1851 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 1852 ifp->if_xname, cp->name, 1853 sppp_state_name(sp->state[cp->protoidx]), 1854 sp->rst_counter[cp->protoidx]); 1855 1856 if (--sp->rst_counter[cp->protoidx] < 0) 1857 /* TO- event */ 1858 switch (sp->state[cp->protoidx]) { 1859 case STATE_CLOSING: 1860 (cp->tlf)(sp); 1861 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1862 sppp_lcp_check_and_close(sp); 1863 break; 1864 case STATE_STOPPING: 1865 (cp->tlf)(sp); 1866 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1867 sppp_lcp_check_and_close(sp); 1868 break; 1869 case STATE_REQ_SENT: 1870 case STATE_ACK_RCVD: 1871 case STATE_ACK_SENT: 1872 (cp->tlf)(sp); 1873 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1874 sppp_lcp_check_and_close(sp); 1875 break; 1876 } 1877 else 1878 /* TO+ event */ 1879 switch (sp->state[cp->protoidx]) { 1880 case STATE_CLOSING: 1881 case STATE_STOPPING: 1882 sppp_cp_send(sp, cp->proto, TERM_REQ, 1883 ++sp->pp_seq[cp->protoidx], 0, 0); 1884 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1885 cp->TO, sp); 1886 break; 1887 case STATE_REQ_SENT: 1888 case STATE_ACK_RCVD: 1889 (cp->scr)(sp); 1890 /* sppp_cp_change_state() will restart the timer */ 1891 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1892 break; 1893 case STATE_ACK_SENT: 1894 (cp->scr)(sp); 1895 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1896 cp->TO, sp); 1897 break; 1898 } 1899 1900 splx(s); 1901 } 1902 1903 /* 1904 * Change the state of a control protocol in the state automaton. 1905 * Takes care of starting/stopping the restart timer. 1906 */ 1907 void 1908 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 1909 { 1910 sp->state[cp->protoidx] = newstate; 1911 callout_stop(&sp->ch[cp->protoidx]); 1912 switch (newstate) { 1913 case STATE_INITIAL: 1914 case STATE_STARTING: 1915 case STATE_CLOSED: 1916 case STATE_STOPPED: 1917 case STATE_OPENED: 1918 break; 1919 case STATE_CLOSING: 1920 case STATE_STOPPING: 1921 case STATE_REQ_SENT: 1922 case STATE_ACK_RCVD: 1923 case STATE_ACK_SENT: 1924 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1925 cp->TO, sp); 1926 break; 1927 } 1928 } 1929 1930 /* 1931 *--------------------------------------------------------------------------* 1932 * * 1933 * The LCP implementation. * 1934 * * 1935 *--------------------------------------------------------------------------* 1936 */ 1937 static void 1938 sppp_lcp_init(struct sppp *sp) 1939 { 1940 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 1941 sp->lcp.magic = 0; 1942 sp->state[IDX_LCP] = STATE_INITIAL; 1943 sp->fail_counter[IDX_LCP] = 0; 1944 sp->pp_seq[IDX_LCP] = 0; 1945 sp->pp_rseq[IDX_LCP] = 0; 1946 sp->lcp.protos = 0; 1947 1948 /* 1949 * Initialize counters and timeout values. Note that we don't 1950 * use the 3 seconds suggested in RFC 1661 since we are likely 1951 * running on a fast link. XXX We should probably implement 1952 * the exponential backoff option. Note that these values are 1953 * relevant for all control protocols, not just LCP only. 1954 */ 1955 sp->lcp.timeout = 1 * hz; 1956 sp->lcp.max_terminate = 2; 1957 sp->lcp.max_configure = 10; 1958 sp->lcp.max_failure = 10; 1959 callout_init(&sp->ch[IDX_LCP], 0); 1960 } 1961 1962 static void 1963 sppp_lcp_up(struct sppp *sp) 1964 { 1965 STDDCL; 1966 1967 /* Initialize activity timestamp: opening a connection is an activity */ 1968 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 1969 1970 /* 1971 * If this interface is passive or dial-on-demand, and we are 1972 * still in Initial state, it means we've got an incoming 1973 * call. Activate the interface. 1974 */ 1975 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 1976 if (debug) 1977 log(LOG_DEBUG, 1978 "%s: Up event", ifp->if_xname); 1979 ifp->if_flags |= IFF_RUNNING; 1980 if (sp->state[IDX_LCP] == STATE_INITIAL) { 1981 if (debug) 1982 addlog("(incoming call)\n"); 1983 sp->pp_flags |= PP_CALLIN; 1984 lcp.Open(sp); 1985 } else if (debug) 1986 addlog("\n"); 1987 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 1988 (sp->state[IDX_LCP] == STATE_INITIAL)) { 1989 ifp->if_flags |= IFF_RUNNING; 1990 lcp.Open(sp); 1991 } 1992 1993 sppp_up_event(&lcp, sp); 1994 } 1995 1996 static void 1997 sppp_lcp_down(struct sppp *sp) 1998 { 1999 STDDCL; 2000 2001 sppp_down_event(&lcp, sp); 2002 2003 /* 2004 * If this is neither a dial-on-demand nor a passive 2005 * interface, simulate an ``ifconfig down'' action, so the 2006 * administrator can force a redial by another ``ifconfig 2007 * up''. XXX For leased line operation, should we immediately 2008 * try to reopen the connection here? 2009 */ 2010 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2011 if (debug) 2012 log(LOG_INFO, 2013 "%s: Down event (carrier loss), taking interface down.\n", 2014 ifp->if_xname); 2015 if_down(ifp); 2016 } else { 2017 if (debug) 2018 log(LOG_DEBUG, 2019 "%s: Down event (carrier loss)\n", 2020 ifp->if_xname); 2021 } 2022 sp->pp_flags &= ~PP_CALLIN; 2023 if (sp->state[IDX_LCP] != STATE_INITIAL) 2024 lcp.Close(sp); 2025 ifp->if_flags &= ~IFF_RUNNING; 2026 } 2027 2028 static void 2029 sppp_lcp_open(struct sppp *sp) 2030 { 2031 if (sp->pp_if.if_mtu < PP_MTU) { 2032 sp->lcp.mru = sp->pp_if.if_mtu; 2033 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2034 } else 2035 sp->lcp.mru = PP_MTU; 2036 sp->lcp.their_mru = PP_MTU; 2037 2038 /* 2039 * If we are authenticator, negotiate LCP_AUTH 2040 */ 2041 if (sp->hisauth.proto != 0) 2042 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2043 else 2044 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2045 sp->pp_flags &= ~PP_NEEDAUTH; 2046 sppp_open_event(&lcp, sp); 2047 } 2048 2049 static void 2050 sppp_lcp_close(struct sppp *sp) 2051 { 2052 sppp_close_event(&lcp, sp); 2053 } 2054 2055 static void 2056 sppp_lcp_TO(void *cookie) 2057 { 2058 sppp_to_event(&lcp, (struct sppp *)cookie); 2059 } 2060 2061 /* 2062 * Analyze a configure request. Return true if it was agreeable, and 2063 * caused action sca, false if it has been rejected or nak'ed, and 2064 * caused action scn. (The return value is used to make the state 2065 * transition decision in the state automaton.) 2066 */ 2067 static int 2068 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2069 { 2070 STDDCL; 2071 u_char *buf, *r, *p, l, blen; 2072 int origlen, rlen; 2073 uint32_t nmagic; 2074 u_short authproto; 2075 2076 len -= 4; 2077 origlen = len; 2078 buf = r = malloc (blen = len, M_TEMP, M_NOWAIT); 2079 if (! buf) 2080 return (0); 2081 2082 if (debug) 2083 log(LOG_DEBUG, "%s: lcp parse opts:", 2084 ifp->if_xname); 2085 2086 /* pass 1: check for things that need to be rejected */ 2087 p = (void *)(h + 1); 2088 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2089 /* Sanity check option length */ 2090 if (l > len) { 2091 /* 2092 * Malicious option - drop immediately. 2093 * XXX Maybe we should just RXJ it? 2094 */ 2095 addlog("%s: received malicious LCP option 0x%02x, " 2096 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2097 p[0], l, len); 2098 goto drop; 2099 } 2100 if (debug) 2101 addlog(" %s", sppp_lcp_opt_name(*p)); 2102 switch (*p) { 2103 case LCP_OPT_MAGIC: 2104 /* Magic number. */ 2105 /* fall through, both are same length */ 2106 case LCP_OPT_ASYNC_MAP: 2107 /* Async control character map. */ 2108 if (len >= 6 || l == 6) 2109 continue; 2110 if (debug) 2111 addlog(" [invalid]"); 2112 break; 2113 case LCP_OPT_MRU: 2114 /* Maximum receive unit. */ 2115 if (len >= 4 && l == 4) 2116 continue; 2117 if (debug) 2118 addlog(" [invalid]"); 2119 break; 2120 case LCP_OPT_AUTH_PROTO: 2121 if (len < 4) { 2122 if (debug) 2123 addlog(" [invalid]"); 2124 break; 2125 } 2126 authproto = (p[2] << 8) + p[3]; 2127 if (authproto == PPP_CHAP && l != 5) { 2128 if (debug) 2129 addlog(" [invalid chap len]"); 2130 break; 2131 } 2132 if (sp->myauth.proto == 0) { 2133 /* we are not configured to do auth */ 2134 if (debug) 2135 addlog(" [not configured]"); 2136 break; 2137 } 2138 /* 2139 * Remote want us to authenticate, remember this, 2140 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2141 * up. 2142 */ 2143 sp->pp_flags |= PP_NEEDAUTH; 2144 continue; 2145 default: 2146 /* Others not supported. */ 2147 if (debug) 2148 addlog(" [rej]"); 2149 break; 2150 } 2151 if (rlen + l > blen) { 2152 if (debug) 2153 addlog(" [overflow]"); 2154 continue; 2155 } 2156 /* Add the option to rejected list. */ 2157 memcpy(r, p, l); 2158 r += l; 2159 rlen += l; 2160 } 2161 if (rlen) { 2162 if (debug) 2163 addlog(" send conf-rej\n"); 2164 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2165 goto end; 2166 } else if (debug) 2167 addlog("\n"); 2168 2169 /* 2170 * pass 2: check for option values that are unacceptable and 2171 * thus require to be nak'ed. 2172 */ 2173 if (debug) 2174 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2175 ifp->if_xname); 2176 2177 p = (void *)(h + 1); 2178 len = origlen; 2179 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2180 if (debug) 2181 addlog(" %s", sppp_lcp_opt_name(*p)); 2182 switch (*p) { 2183 case LCP_OPT_MAGIC: 2184 /* Magic number -- extract. */ 2185 nmagic = (uint32_t)p[2] << 24 | 2186 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2187 if (nmagic != sp->lcp.magic) { 2188 if (debug) 2189 addlog(" 0x%x", nmagic); 2190 continue; 2191 } 2192 /* 2193 * Local and remote magics equal -- loopback? 2194 */ 2195 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2196 printf ("%s: loopback\n", 2197 ifp->if_xname); 2198 sp->pp_loopcnt = 0; 2199 if (ifp->if_flags & IFF_UP) { 2200 if_down(ifp); 2201 IF_PURGE(&sp->pp_cpq); 2202 /* XXX ? */ 2203 lcp.Down(sp); 2204 lcp.Up(sp); 2205 } 2206 } else if (debug) 2207 addlog(" [glitch]"); 2208 ++sp->pp_loopcnt; 2209 /* 2210 * We negate our magic here, and NAK it. If 2211 * we see it later in an NAK packet, we 2212 * suggest a new one. 2213 */ 2214 nmagic = ~sp->lcp.magic; 2215 /* Gonna NAK it. */ 2216 p[2] = nmagic >> 24; 2217 p[3] = nmagic >> 16; 2218 p[4] = nmagic >> 8; 2219 p[5] = nmagic; 2220 break; 2221 2222 case LCP_OPT_ASYNC_MAP: 2223 /* 2224 * Async control character map -- just ignore it. 2225 * 2226 * Quote from RFC 1662, chapter 6: 2227 * To enable this functionality, synchronous PPP 2228 * implementations MUST always respond to the 2229 * Async-Control-Character-Map Configuration 2230 * Option with the LCP Configure-Ack. However, 2231 * acceptance of the Configuration Option does 2232 * not imply that the synchronous implementation 2233 * will do any ACCM mapping. Instead, all such 2234 * octet mapping will be performed by the 2235 * asynchronous-to-synchronous converter. 2236 */ 2237 continue; 2238 2239 case LCP_OPT_MRU: 2240 /* 2241 * Maximum receive unit. Always agreeable, 2242 * but ignored by now. 2243 */ 2244 sp->lcp.their_mru = p[2] * 256 + p[3]; 2245 if (debug) 2246 addlog(" %ld", sp->lcp.their_mru); 2247 continue; 2248 2249 case LCP_OPT_AUTH_PROTO: 2250 authproto = (p[2] << 8) + p[3]; 2251 if (sp->myauth.proto != authproto) { 2252 /* not agreed, nak */ 2253 if (debug) 2254 addlog(" [mine %s != his %s]", 2255 sppp_proto_name(sp->myauth.proto), 2256 sppp_proto_name(authproto)); 2257 p[2] = sp->myauth.proto >> 8; 2258 p[3] = sp->myauth.proto; 2259 break; 2260 } 2261 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2262 if (debug) 2263 addlog(" [chap not MD5]"); 2264 p[4] = CHAP_MD5; 2265 break; 2266 } 2267 continue; 2268 } 2269 if (rlen + l > blen) { 2270 if (debug) 2271 addlog(" [overflow]"); 2272 continue; 2273 } 2274 /* Add the option to nak'ed list. */ 2275 memcpy(r, p, l); 2276 r += l; 2277 rlen += l; 2278 } 2279 if (rlen) { 2280 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2281 if (debug) 2282 addlog(" max_failure (%d) exceeded, " 2283 "send conf-rej\n", 2284 sp->lcp.max_failure); 2285 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2286 } else { 2287 if (debug) 2288 addlog(" send conf-nak\n"); 2289 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2290 } 2291 goto end; 2292 } else { 2293 if (debug) 2294 addlog(" send conf-ack\n"); 2295 sp->fail_counter[IDX_LCP] = 0; 2296 sp->pp_loopcnt = 0; 2297 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1); 2298 } 2299 2300 end: 2301 free(buf, M_TEMP); 2302 return (rlen == 0); 2303 2304 drop: 2305 free(buf, M_TEMP); 2306 return -1; 2307 } 2308 2309 /* 2310 * Analyze the LCP Configure-Reject option list, and adjust our 2311 * negotiation. 2312 */ 2313 static void 2314 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2315 { 2316 STDDCL; 2317 u_char *buf, *p, l; 2318 2319 len -= 4; 2320 buf = malloc (len, M_TEMP, M_NOWAIT); 2321 if (!buf) 2322 return; 2323 2324 if (debug) 2325 log(LOG_DEBUG, "%s: lcp rej opts:", 2326 ifp->if_xname); 2327 2328 p = (void *)(h + 1); 2329 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2330 /* Sanity check option length */ 2331 if (l > len) { 2332 /* 2333 * Malicious option - drop immediately. 2334 * XXX Maybe we should just RXJ it? 2335 */ 2336 addlog("%s: received malicious LCP option, " 2337 "dropping.\n", ifp->if_xname); 2338 goto drop; 2339 } 2340 if (debug) 2341 addlog(" %s", sppp_lcp_opt_name(*p)); 2342 switch (*p) { 2343 case LCP_OPT_MAGIC: 2344 /* Magic number -- can't use it, use 0 */ 2345 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2346 sp->lcp.magic = 0; 2347 break; 2348 case LCP_OPT_MRU: 2349 /* 2350 * We try to negotiate a lower MRU if the underlying 2351 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 2352 * peer rejects this lower rate, fallback to the 2353 * default. 2354 */ 2355 if (debug) { 2356 addlog("%s: warning: peer rejected our MRU of " 2357 "%ld bytes. Defaulting to %d bytes\n", 2358 ifp->if_xname, sp->lcp.mru, PP_MTU); 2359 } 2360 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2361 sp->lcp.mru = PP_MTU; 2362 break; 2363 case LCP_OPT_AUTH_PROTO: 2364 /* 2365 * Peer doesn't want to authenticate himself, 2366 * deny unless this is a dialout call, and 2367 * SPPP_AUTHFLAG_NOCALLOUT is set. 2368 */ 2369 if ((sp->pp_flags & PP_CALLIN) == 0 && 2370 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 2371 if (debug) 2372 addlog(" [don't insist on auth " 2373 "for callout]"); 2374 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2375 break; 2376 } 2377 if (debug) 2378 addlog("[access denied]\n"); 2379 lcp.Close(sp); 2380 break; 2381 } 2382 } 2383 if (debug) 2384 addlog("\n"); 2385 drop: 2386 free(buf, M_TEMP); 2387 return; 2388 } 2389 2390 /* 2391 * Analyze the LCP Configure-NAK option list, and adjust our 2392 * negotiation. 2393 */ 2394 static void 2395 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2396 { 2397 STDDCL; 2398 u_char *buf, *p, l, blen; 2399 uint32_t magic; 2400 2401 len -= 4; 2402 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 2403 if (!buf) 2404 return; 2405 2406 if (debug) 2407 log(LOG_DEBUG, "%s: lcp nak opts:", 2408 ifp->if_xname); 2409 2410 p = (void *)(h + 1); 2411 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2412 /* Sanity check option length */ 2413 if (l > len) { 2414 /* 2415 * Malicious option - drop immediately. 2416 * XXX Maybe we should just RXJ it? 2417 */ 2418 addlog("%s: received malicious LCP option, " 2419 "dropping.\n", ifp->if_xname); 2420 goto drop; 2421 } 2422 if (debug) 2423 addlog(" %s", sppp_lcp_opt_name(*p)); 2424 switch (*p) { 2425 case LCP_OPT_MAGIC: 2426 /* Magic number -- renegotiate */ 2427 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2428 len >= 6 && l == 6) { 2429 magic = (uint32_t)p[2] << 24 | 2430 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2431 /* 2432 * If the remote magic is our negated one, 2433 * this looks like a loopback problem. 2434 * Suggest a new magic to make sure. 2435 */ 2436 if (magic == ~sp->lcp.magic) { 2437 if (debug) 2438 addlog(" magic glitch"); 2439 sp->lcp.magic = cprng_fast32(); 2440 } else { 2441 sp->lcp.magic = magic; 2442 if (debug) 2443 addlog(" %d", magic); 2444 } 2445 } 2446 break; 2447 case LCP_OPT_MRU: 2448 /* 2449 * Peer wants to advise us to negotiate an MRU. 2450 * Agree on it if it's reasonable, or use 2451 * default otherwise. 2452 */ 2453 if (len >= 4 && l == 4) { 2454 u_int mru = p[2] * 256 + p[3]; 2455 if (debug) 2456 addlog(" %d", mru); 2457 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 2458 mru = sp->pp_if.if_mtu; 2459 sp->lcp.mru = mru; 2460 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2461 } 2462 break; 2463 case LCP_OPT_AUTH_PROTO: 2464 /* 2465 * Peer doesn't like our authentication method, 2466 * deny. 2467 */ 2468 if (debug) 2469 addlog("[access denied]\n"); 2470 lcp.Close(sp); 2471 break; 2472 } 2473 } 2474 if (debug) 2475 addlog("\n"); 2476 drop: 2477 free(buf, M_TEMP); 2478 return; 2479 } 2480 2481 static void 2482 sppp_lcp_tlu(struct sppp *sp) 2483 { 2484 STDDCL; 2485 int i; 2486 uint32_t mask; 2487 2488 /* XXX ? */ 2489 if (! (ifp->if_flags & IFF_UP) && 2490 (ifp->if_flags & IFF_RUNNING)) { 2491 /* Coming out of loopback mode. */ 2492 if_up(ifp); 2493 } 2494 2495 for (i = 0; i < IDX_COUNT; i++) 2496 if ((cps[i])->flags & CP_QUAL) 2497 (cps[i])->Open(sp); 2498 2499 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2500 (sp->pp_flags & PP_NEEDAUTH) != 0) 2501 sp->pp_phase = SPPP_PHASE_AUTHENTICATE; 2502 else 2503 sp->pp_phase = SPPP_PHASE_NETWORK; 2504 2505 if (debug) 2506 { 2507 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2508 sppp_phase_name(sp->pp_phase)); 2509 } 2510 2511 /* 2512 * Open all authentication protocols. This is even required 2513 * if we already proceeded to network phase, since it might be 2514 * that remote wants us to authenticate, so we might have to 2515 * send a PAP request. Undesired authentication protocols 2516 * don't do anything when they get an Open event. 2517 */ 2518 for (i = 0; i < IDX_COUNT; i++) 2519 if ((cps[i])->flags & CP_AUTH) 2520 (cps[i])->Open(sp); 2521 2522 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 2523 /* Notify all NCPs. */ 2524 for (i = 0; i < IDX_COUNT; i++) 2525 if ((cps[i])->flags & CP_NCP) 2526 (cps[i])->Open(sp); 2527 } 2528 2529 /* Send Up events to all started protos. */ 2530 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2531 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) 2532 (cps[i])->Up(sp); 2533 2534 /* notify low-level driver of state change */ 2535 if (sp->pp_chg) 2536 sp->pp_chg(sp, (int)sp->pp_phase); 2537 2538 if (sp->pp_phase == SPPP_PHASE_NETWORK) 2539 /* if no NCP is starting, close down */ 2540 sppp_lcp_check_and_close(sp); 2541 } 2542 2543 static void 2544 sppp_lcp_tld(struct sppp *sp) 2545 { 2546 STDDCL; 2547 int i; 2548 uint32_t mask; 2549 2550 sp->pp_phase = SPPP_PHASE_TERMINATE; 2551 2552 if (debug) 2553 { 2554 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2555 sppp_phase_name(sp->pp_phase)); 2556 } 2557 2558 /* 2559 * Take upper layers down. We send the Down event first and 2560 * the Close second to prevent the upper layers from sending 2561 * ``a flurry of terminate-request packets'', as the RFC 2562 * describes it. 2563 */ 2564 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2565 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2566 (cps[i])->Down(sp); 2567 (cps[i])->Close(sp); 2568 } 2569 } 2570 2571 static void 2572 sppp_lcp_tls(struct sppp *sp) 2573 { 2574 STDDCL; 2575 2576 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 2577 printf("%s: authentication failed %d times, not retrying again\n", 2578 sp->pp_if.if_xname, sp->pp_auth_failures); 2579 if_down(&sp->pp_if); 2580 return; 2581 } 2582 2583 sp->pp_phase = SPPP_PHASE_ESTABLISH; 2584 2585 if (debug) 2586 { 2587 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2588 sppp_phase_name(sp->pp_phase)); 2589 } 2590 2591 /* Notify lower layer if desired. */ 2592 if (sp->pp_tls) 2593 (sp->pp_tls)(sp); 2594 } 2595 2596 static void 2597 sppp_lcp_tlf(struct sppp *sp) 2598 { 2599 STDDCL; 2600 2601 sp->pp_phase = SPPP_PHASE_DEAD; 2602 2603 if (debug) 2604 { 2605 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2606 sppp_phase_name(sp->pp_phase)); 2607 } 2608 2609 /* Notify lower layer if desired. */ 2610 if (sp->pp_tlf) 2611 (sp->pp_tlf)(sp); 2612 } 2613 2614 static void 2615 sppp_lcp_scr(struct sppp *sp) 2616 { 2617 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2618 int i = 0; 2619 u_short authproto; 2620 2621 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2622 if (! sp->lcp.magic) 2623 sp->lcp.magic = cprng_fast32(); 2624 opt[i++] = LCP_OPT_MAGIC; 2625 opt[i++] = 6; 2626 opt[i++] = sp->lcp.magic >> 24; 2627 opt[i++] = sp->lcp.magic >> 16; 2628 opt[i++] = sp->lcp.magic >> 8; 2629 opt[i++] = sp->lcp.magic; 2630 } 2631 2632 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2633 opt[i++] = LCP_OPT_MRU; 2634 opt[i++] = 4; 2635 opt[i++] = sp->lcp.mru >> 8; 2636 opt[i++] = sp->lcp.mru; 2637 } 2638 2639 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2640 authproto = sp->hisauth.proto; 2641 opt[i++] = LCP_OPT_AUTH_PROTO; 2642 opt[i++] = authproto == PPP_CHAP? 5: 4; 2643 opt[i++] = authproto >> 8; 2644 opt[i++] = authproto; 2645 if (authproto == PPP_CHAP) 2646 opt[i++] = CHAP_MD5; 2647 } 2648 2649 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2650 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2651 } 2652 2653 /* 2654 * Check the open NCPs, return true if at least one NCP is open. 2655 */ 2656 static int 2657 sppp_ncp_check(struct sppp *sp) 2658 { 2659 int i, mask; 2660 2661 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2662 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2663 return 1; 2664 return 0; 2665 } 2666 2667 /* 2668 * Re-check the open NCPs and see if we should terminate the link. 2669 * Called by the NCPs during their tlf action handling. 2670 */ 2671 static void 2672 sppp_lcp_check_and_close(struct sppp *sp) 2673 { 2674 2675 if (sp->pp_phase < SPPP_PHASE_NETWORK) 2676 /* don't bother, we are already going down */ 2677 return; 2678 2679 if (sppp_ncp_check(sp)) 2680 return; 2681 2682 lcp.Close(sp); 2683 } 2684 2685 2686 /* 2687 *--------------------------------------------------------------------------* 2688 * * 2689 * The IPCP implementation. * 2690 * * 2691 *--------------------------------------------------------------------------* 2692 */ 2693 2694 static void 2695 sppp_ipcp_init(struct sppp *sp) 2696 { 2697 sp->ipcp.opts = 0; 2698 sp->ipcp.flags = 0; 2699 sp->state[IDX_IPCP] = STATE_INITIAL; 2700 sp->fail_counter[IDX_IPCP] = 0; 2701 sp->pp_seq[IDX_IPCP] = 0; 2702 sp->pp_rseq[IDX_IPCP] = 0; 2703 callout_init(&sp->ch[IDX_IPCP], 0); 2704 } 2705 2706 static void 2707 sppp_ipcp_up(struct sppp *sp) 2708 { 2709 sppp_up_event(&ipcp, sp); 2710 } 2711 2712 static void 2713 sppp_ipcp_down(struct sppp *sp) 2714 { 2715 sppp_down_event(&ipcp, sp); 2716 } 2717 2718 static void 2719 sppp_ipcp_open(struct sppp *sp) 2720 { 2721 STDDCL; 2722 uint32_t myaddr, hisaddr; 2723 2724 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 2725 sp->ipcp.req_myaddr = 0; 2726 sp->ipcp.req_hisaddr = 0; 2727 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 2728 2729 #ifdef INET 2730 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 2731 #else 2732 myaddr = hisaddr = 0; 2733 #endif 2734 /* 2735 * If we don't have his address, this probably means our 2736 * interface doesn't want to talk IP at all. (This could 2737 * be the case if somebody wants to speak only IPX, for 2738 * example.) Don't open IPCP in this case. 2739 */ 2740 if (hisaddr == 0) { 2741 /* XXX this message should go away */ 2742 if (debug) 2743 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 2744 ifp->if_xname); 2745 return; 2746 } 2747 2748 if (myaddr == 0) { 2749 /* 2750 * I don't have an assigned address, so i need to 2751 * negotiate my address. 2752 */ 2753 sp->ipcp.flags |= IPCP_MYADDR_DYN; 2754 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 2755 } 2756 if (hisaddr == 1) { 2757 /* 2758 * XXX - remove this hack! 2759 * remote has no valid address, we need to get one assigned. 2760 */ 2761 sp->ipcp.flags |= IPCP_HISADDR_DYN; 2762 } 2763 sppp_open_event(&ipcp, sp); 2764 } 2765 2766 static void 2767 sppp_ipcp_close(struct sppp *sp) 2768 { 2769 STDDCL; 2770 2771 sppp_close_event(&ipcp, sp); 2772 #ifdef INET 2773 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) 2774 /* 2775 * Some address was dynamic, clear it again. 2776 */ 2777 sppp_clear_ip_addrs(sp); 2778 #endif 2779 2780 if (sp->pp_saved_mtu > 0) { 2781 ifp->if_mtu = sp->pp_saved_mtu; 2782 sp->pp_saved_mtu = 0; 2783 if (debug) 2784 log(LOG_DEBUG, 2785 "%s: resetting MTU to %" PRIu64 " bytes\n", 2786 ifp->if_xname, ifp->if_mtu); 2787 } 2788 } 2789 2790 static void 2791 sppp_ipcp_TO(void *cookie) 2792 { 2793 sppp_to_event(&ipcp, (struct sppp *)cookie); 2794 } 2795 2796 /* 2797 * Analyze a configure request. Return true if it was agreeable, and 2798 * caused action sca, false if it has been rejected or nak'ed, and 2799 * caused action scn. (The return value is used to make the state 2800 * transition decision in the state automaton.) 2801 */ 2802 static int 2803 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2804 { 2805 u_char *buf, *r, *p, l, blen; 2806 struct ifnet *ifp = &sp->pp_if; 2807 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 2808 uint32_t hisaddr, desiredaddr; 2809 2810 len -= 4; 2811 origlen = len; 2812 /* 2813 * Make sure to allocate a buf that can at least hold a 2814 * conf-nak with an `address' option. We might need it below. 2815 */ 2816 blen = len < 6 ? 6 : len; 2817 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 2818 if (! buf) 2819 return (0); 2820 2821 /* pass 1: see if we can recognize them */ 2822 if (debug) 2823 log(LOG_DEBUG, "%s: ipcp parse opts:", 2824 ifp->if_xname); 2825 p = (void *)(h + 1); 2826 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2827 /* Sanity check option length */ 2828 if (l > len) { 2829 /* XXX should we just RXJ? */ 2830 addlog("%s: malicious IPCP option received, dropping\n", 2831 ifp->if_xname); 2832 goto drop; 2833 } 2834 if (debug) 2835 addlog(" %s", sppp_ipcp_opt_name(*p)); 2836 switch (*p) { 2837 #ifdef notyet 2838 case IPCP_OPT_COMPRESSION: 2839 if (len >= 6 && l >= 6) { 2840 /* correctly formed compress option */ 2841 continue; 2842 } 2843 if (debug) 2844 addlog(" [invalid]"); 2845 break; 2846 #endif 2847 case IPCP_OPT_ADDRESS: 2848 if (len >= 6 && l == 6) { 2849 /* correctly formed address option */ 2850 continue; 2851 } 2852 if (debug) 2853 addlog(" [invalid]"); 2854 break; 2855 default: 2856 /* Others not supported. */ 2857 if (debug) 2858 addlog(" [rej]"); 2859 break; 2860 } 2861 /* Add the option to rejected list. */ 2862 if (rlen + l > blen) { 2863 if (debug) 2864 addlog(" [overflow]"); 2865 continue; 2866 } 2867 memcpy(r, p, l); 2868 r += l; 2869 rlen += l; 2870 } 2871 if (rlen) { 2872 if (debug) 2873 addlog(" send conf-rej\n"); 2874 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 2875 goto end; 2876 } else if (debug) 2877 addlog("\n"); 2878 2879 /* pass 2: parse option values */ 2880 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 2881 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 2882 else 2883 #ifdef INET 2884 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 2885 #else 2886 hisaddr = 0; 2887 #endif 2888 if (debug) 2889 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 2890 ifp->if_xname); 2891 p = (void *)(h + 1); 2892 len = origlen; 2893 for (rlen=0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2894 if (debug) 2895 addlog(" %s", sppp_ipcp_opt_name(*p)); 2896 switch (*p) { 2897 #ifdef notyet 2898 case IPCP_OPT_COMPRESSION: 2899 continue; 2900 #endif 2901 case IPCP_OPT_ADDRESS: 2902 desiredaddr = p[2] << 24 | p[3] << 16 | 2903 p[4] << 8 | p[5]; 2904 if (desiredaddr == hisaddr || 2905 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 2906 /* 2907 * Peer's address is same as our value, 2908 * this is agreeable. Gonna conf-ack 2909 * it. 2910 */ 2911 if (debug) 2912 addlog(" %s [ack]", 2913 sppp_dotted_quad(hisaddr)); 2914 /* record that we've seen it already */ 2915 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 2916 sp->ipcp.req_hisaddr = desiredaddr; 2917 hisaddr = desiredaddr; 2918 continue; 2919 } 2920 /* 2921 * The address wasn't agreeable. This is either 2922 * he sent us 0.0.0.0, asking to assign him an 2923 * address, or he send us another address not 2924 * matching our value. Either case, we gonna 2925 * conf-nak it with our value. 2926 */ 2927 if (debug) { 2928 if (desiredaddr == 0) 2929 addlog(" [addr requested]"); 2930 else 2931 addlog(" %s [not agreed]", 2932 sppp_dotted_quad(desiredaddr)); 2933 } 2934 2935 p[2] = hisaddr >> 24; 2936 p[3] = hisaddr >> 16; 2937 p[4] = hisaddr >> 8; 2938 p[5] = hisaddr; 2939 break; 2940 } 2941 if (rlen + l > blen) { 2942 if (debug) 2943 addlog(" [overflow]"); 2944 continue; 2945 } 2946 /* Add the option to nak'ed list. */ 2947 memcpy(r, p, l); 2948 r += l; 2949 rlen += l; 2950 } 2951 2952 /* 2953 * If we are about to conf-ack the request, but haven't seen 2954 * his address so far, gonna conf-nak it instead, with the 2955 * `address' option present and our idea of his address being 2956 * filled in there, to request negotiation of both addresses. 2957 * 2958 * XXX This can result in an endless req - nak loop if peer 2959 * doesn't want to send us his address. Q: What should we do 2960 * about it? XXX A: implement the max-failure counter. 2961 */ 2962 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) { 2963 buf[0] = IPCP_OPT_ADDRESS; 2964 buf[1] = 6; 2965 buf[2] = hisaddr >> 24; 2966 buf[3] = hisaddr >> 16; 2967 buf[4] = hisaddr >> 8; 2968 buf[5] = hisaddr; 2969 rlen = 6; 2970 if (debug) 2971 addlog(" still need hisaddr"); 2972 } 2973 2974 if (rlen) { 2975 if (debug) 2976 addlog(" send conf-nak\n"); 2977 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 2978 } else { 2979 if (debug) 2980 addlog(" send conf-ack\n"); 2981 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1); 2982 } 2983 2984 end: 2985 free(buf, M_TEMP); 2986 return (rlen == 0); 2987 2988 drop: 2989 free(buf, M_TEMP); 2990 return -1; 2991 } 2992 2993 /* 2994 * Analyze the IPCP Configure-Reject option list, and adjust our 2995 * negotiation. 2996 */ 2997 static void 2998 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2999 { 3000 u_char *buf, *p, l, blen; 3001 struct ifnet *ifp = &sp->pp_if; 3002 int debug = ifp->if_flags & IFF_DEBUG; 3003 3004 len -= 4; 3005 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3006 if (!buf) 3007 return; 3008 3009 if (debug) 3010 log(LOG_DEBUG, "%s: ipcp rej opts:", 3011 ifp->if_xname); 3012 3013 p = (void *)(h + 1); 3014 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3015 /* Sanity check option length */ 3016 if (l > len) { 3017 /* XXX should we just RXJ? */ 3018 addlog("%s: malicious IPCP option received, dropping\n", 3019 ifp->if_xname); 3020 goto drop; 3021 } 3022 if (debug) 3023 addlog(" %s", sppp_ipcp_opt_name(*p)); 3024 switch (*p) { 3025 case IPCP_OPT_ADDRESS: 3026 /* 3027 * Peer doesn't grok address option. This is 3028 * bad. XXX Should we better give up here? 3029 */ 3030 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3031 break; 3032 #ifdef notyet 3033 case IPCP_OPT_COMPRESS: 3034 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS); 3035 break; 3036 #endif 3037 } 3038 } 3039 if (debug) 3040 addlog("\n"); 3041 drop: 3042 free(buf, M_TEMP); 3043 return; 3044 } 3045 3046 /* 3047 * Analyze the IPCP Configure-NAK option list, and adjust our 3048 * negotiation. 3049 */ 3050 static void 3051 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3052 { 3053 u_char *p, l; 3054 struct ifnet *ifp = &sp->pp_if; 3055 int debug = ifp->if_flags & IFF_DEBUG; 3056 uint32_t wantaddr; 3057 3058 len -= 4; 3059 3060 if (debug) 3061 log(LOG_DEBUG, "%s: ipcp nak opts:", 3062 ifp->if_xname); 3063 3064 p = (void *)(h + 1); 3065 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3066 /* Sanity check option length */ 3067 if (l > len) { 3068 /* XXX should we just RXJ? */ 3069 addlog("%s: malicious IPCP option received, dropping\n", 3070 ifp->if_xname); 3071 return; 3072 } 3073 if (debug) 3074 addlog(" %s", sppp_ipcp_opt_name(*p)); 3075 switch (*p) { 3076 case IPCP_OPT_ADDRESS: 3077 /* 3078 * Peer doesn't like our local IP address. See 3079 * if we can do something for him. We'll drop 3080 * him our address then. 3081 */ 3082 if (len >= 6 && l == 6) { 3083 wantaddr = p[2] << 24 | p[3] << 16 | 3084 p[4] << 8 | p[5]; 3085 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3086 if (debug) 3087 addlog(" [wantaddr %s]", 3088 sppp_dotted_quad(wantaddr)); 3089 /* 3090 * When doing dynamic address assignment, 3091 * we accept his offer. Otherwise, we 3092 * ignore it and thus continue to negotiate 3093 * our already existing value. 3094 */ 3095 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3096 if (debug) 3097 addlog(" [agree]"); 3098 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3099 sp->ipcp.req_myaddr = wantaddr; 3100 } 3101 } 3102 break; 3103 3104 case IPCP_OPT_PRIMDNS: 3105 if (len >= 6 && l == 6) { 3106 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 3107 p[4] << 8 | p[5]; 3108 } 3109 break; 3110 3111 case IPCP_OPT_SECDNS: 3112 if (len >= 6 && l == 6) { 3113 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 3114 p[4] << 8 | p[5]; 3115 } 3116 break; 3117 #ifdef notyet 3118 case IPCP_OPT_COMPRESS: 3119 /* 3120 * Peer wants different compression parameters. 3121 */ 3122 break; 3123 #endif 3124 } 3125 } 3126 if (debug) 3127 addlog("\n"); 3128 } 3129 3130 static void 3131 sppp_ipcp_tlu(struct sppp *sp) 3132 { 3133 #ifdef INET 3134 /* we are up. Set addresses and notify anyone interested */ 3135 STDDCL; 3136 uint32_t myaddr, hisaddr; 3137 3138 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3139 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 3140 myaddr = sp->ipcp.req_myaddr; 3141 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 3142 hisaddr = sp->ipcp.req_hisaddr; 3143 sppp_set_ip_addrs(sp, myaddr, hisaddr); 3144 3145 if (ifp->if_mtu > sp->lcp.their_mru) { 3146 sp->pp_saved_mtu = ifp->if_mtu; 3147 ifp->if_mtu = sp->lcp.their_mru; 3148 if (debug) 3149 log(LOG_DEBUG, 3150 "%s: setting MTU to %" PRIu64 " bytes\n", 3151 ifp->if_xname, ifp->if_mtu); 3152 } 3153 3154 if (sp->pp_con) 3155 sp->pp_con(sp); 3156 #endif 3157 } 3158 3159 static void 3160 sppp_ipcp_tld(struct sppp *sp) 3161 { 3162 } 3163 3164 static void 3165 sppp_ipcp_tls(struct sppp *sp) 3166 { 3167 /* indicate to LCP that it must stay alive */ 3168 sp->lcp.protos |= (1 << IDX_IPCP); 3169 } 3170 3171 static void 3172 sppp_ipcp_tlf(struct sppp *sp) 3173 { 3174 /* we no longer need LCP */ 3175 sp->lcp.protos &= ~(1 << IDX_IPCP); 3176 } 3177 3178 static void 3179 sppp_ipcp_scr(struct sppp *sp) 3180 { 3181 char opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 3182 #ifdef INET 3183 uint32_t ouraddr; 3184 #endif 3185 int i = 0; 3186 3187 #ifdef notyet 3188 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3189 opt[i++] = IPCP_OPT_COMPRESSION; 3190 opt[i++] = 6; 3191 opt[i++] = 0; /* VJ header compression */ 3192 opt[i++] = 0x2d; /* VJ header compression */ 3193 opt[i++] = max_slot_id; 3194 opt[i++] = comp_slot_id; 3195 } 3196 #endif 3197 3198 #ifdef INET 3199 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3200 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) 3201 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 3202 else 3203 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3204 opt[i++] = IPCP_OPT_ADDRESS; 3205 opt[i++] = 6; 3206 opt[i++] = ouraddr >> 24; 3207 opt[i++] = ouraddr >> 16; 3208 opt[i++] = ouraddr >> 8; 3209 opt[i++] = ouraddr; 3210 } 3211 #endif 3212 3213 if (sp->query_dns & 1) { 3214 opt[i++] = IPCP_OPT_PRIMDNS; 3215 opt[i++] = 6; 3216 opt[i++] = sp->dns_addrs[0] >> 24; 3217 opt[i++] = sp->dns_addrs[0] >> 16; 3218 opt[i++] = sp->dns_addrs[0] >> 8; 3219 opt[i++] = sp->dns_addrs[0]; 3220 } 3221 if (sp->query_dns & 2) { 3222 opt[i++] = IPCP_OPT_SECDNS; 3223 opt[i++] = 6; 3224 opt[i++] = sp->dns_addrs[1] >> 24; 3225 opt[i++] = sp->dns_addrs[1] >> 16; 3226 opt[i++] = sp->dns_addrs[1] >> 8; 3227 opt[i++] = sp->dns_addrs[1]; 3228 } 3229 3230 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3231 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3232 } 3233 3234 3235 /* 3236 *--------------------------------------------------------------------------* 3237 * * 3238 * The IPv6CP implementation. * 3239 * * 3240 *--------------------------------------------------------------------------* 3241 */ 3242 3243 #ifdef INET6 3244 static void 3245 sppp_ipv6cp_init(struct sppp *sp) 3246 { 3247 sp->ipv6cp.opts = 0; 3248 sp->ipv6cp.flags = 0; 3249 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3250 sp->fail_counter[IDX_IPV6CP] = 0; 3251 sp->pp_seq[IDX_IPV6CP] = 0; 3252 sp->pp_rseq[IDX_IPV6CP] = 0; 3253 callout_init(&sp->ch[IDX_IPV6CP], 0); 3254 } 3255 3256 static void 3257 sppp_ipv6cp_up(struct sppp *sp) 3258 { 3259 sppp_up_event(&ipv6cp, sp); 3260 } 3261 3262 static void 3263 sppp_ipv6cp_down(struct sppp *sp) 3264 { 3265 sppp_down_event(&ipv6cp, sp); 3266 } 3267 3268 static void 3269 sppp_ipv6cp_open(struct sppp *sp) 3270 { 3271 STDDCL; 3272 struct in6_addr myaddr, hisaddr; 3273 3274 #ifdef IPV6CP_MYIFID_DYN 3275 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3276 #else 3277 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3278 #endif 3279 3280 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3281 /* 3282 * If we don't have our address, this probably means our 3283 * interface doesn't want to talk IPv6 at all. (This could 3284 * be the case if somebody wants to speak only IPX, for 3285 * example.) Don't open IPv6CP in this case. 3286 */ 3287 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3288 /* XXX this message should go away */ 3289 if (debug) 3290 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 3291 ifp->if_xname); 3292 return; 3293 } 3294 3295 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3296 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3297 sppp_open_event(&ipv6cp, sp); 3298 } 3299 3300 static void 3301 sppp_ipv6cp_close(struct sppp *sp) 3302 { 3303 sppp_close_event(&ipv6cp, sp); 3304 } 3305 3306 static void 3307 sppp_ipv6cp_TO(void *cookie) 3308 { 3309 sppp_to_event(&ipv6cp, (struct sppp *)cookie); 3310 } 3311 3312 /* 3313 * Analyze a configure request. Return true if it was agreeable, and 3314 * caused action sca, false if it has been rejected or nak'ed, and 3315 * caused action scn. (The return value is used to make the state 3316 * transition decision in the state automaton.) 3317 */ 3318 static int 3319 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3320 { 3321 u_char *buf, *r, *p, l, blen; 3322 struct ifnet *ifp = &sp->pp_if; 3323 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3324 struct in6_addr myaddr, desiredaddr, suggestaddr; 3325 int ifidcount; 3326 int type; 3327 int collision, nohisaddr; 3328 3329 len -= 4; 3330 origlen = len; 3331 /* 3332 * Make sure to allocate a buf that can at least hold a 3333 * conf-nak with an `address' option. We might need it below. 3334 */ 3335 blen = len < 6 ? 6 : len; 3336 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3337 if (! buf) 3338 return (0); 3339 3340 /* pass 1: see if we can recognize them */ 3341 if (debug) 3342 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 3343 ifp->if_xname); 3344 p = (void *)(h + 1); 3345 ifidcount = 0; 3346 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3347 /* Sanity check option length */ 3348 if (l > len) { 3349 /* XXX just RXJ? */ 3350 addlog("%s: received malicious IPCPv6 option, " 3351 "dropping\n", ifp->if_xname); 3352 goto drop; 3353 } 3354 if (debug) 3355 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3356 switch (*p) { 3357 case IPV6CP_OPT_IFID: 3358 if (len >= 10 && l == 10 && ifidcount == 0) { 3359 /* correctly formed address option */ 3360 ifidcount++; 3361 continue; 3362 } 3363 if (debug) 3364 addlog(" [invalid]"); 3365 break; 3366 #ifdef notyet 3367 case IPV6CP_OPT_COMPRESSION: 3368 if (len >= 4 && l >= 4) { 3369 /* correctly formed compress option */ 3370 continue; 3371 } 3372 if (debug) 3373 addlog(" [invalid]"); 3374 break; 3375 #endif 3376 default: 3377 /* Others not supported. */ 3378 if (debug) 3379 addlog(" [rej]"); 3380 break; 3381 } 3382 if (rlen + l > blen) { 3383 if (debug) 3384 addlog(" [overflow]"); 3385 continue; 3386 } 3387 /* Add the option to rejected list. */ 3388 memcpy(r, p, l); 3389 r += l; 3390 rlen += l; 3391 } 3392 if (rlen) { 3393 if (debug) 3394 addlog(" send conf-rej\n"); 3395 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3396 goto end; 3397 } else if (debug) 3398 addlog("\n"); 3399 3400 /* pass 2: parse option values */ 3401 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3402 if (debug) 3403 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 3404 ifp->if_xname); 3405 p = (void *)(h + 1); 3406 len = origlen; 3407 type = CONF_ACK; 3408 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3409 if (debug) 3410 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3411 switch (*p) { 3412 #ifdef notyet 3413 case IPV6CP_OPT_COMPRESSION: 3414 continue; 3415 #endif 3416 case IPV6CP_OPT_IFID: 3417 memset(&desiredaddr, 0, sizeof(desiredaddr)); 3418 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 3419 collision = (memcmp(&desiredaddr.s6_addr[8], 3420 &myaddr.s6_addr[8], 8) == 0); 3421 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3422 3423 desiredaddr.s6_addr16[0] = htons(0xfe80); 3424 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 3425 3426 if (!collision && !nohisaddr) { 3427 /* no collision, hisaddr known - Conf-Ack */ 3428 type = CONF_ACK; 3429 3430 if (debug) { 3431 addlog(" %s [%s]", 3432 ip6_sprintf(&desiredaddr), 3433 sppp_cp_type_name(type)); 3434 } 3435 continue; 3436 } 3437 3438 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3439 if (collision && nohisaddr) { 3440 /* collision, hisaddr unknown - Conf-Rej */ 3441 type = CONF_REJ; 3442 memset(&p[2], 0, 8); 3443 } else { 3444 /* 3445 * - no collision, hisaddr unknown, or 3446 * - collision, hisaddr known 3447 * Conf-Nak, suggest hisaddr 3448 */ 3449 type = CONF_NAK; 3450 sppp_suggest_ip6_addr(sp, &suggestaddr); 3451 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 3452 } 3453 if (debug) 3454 addlog(" %s [%s]", ip6_sprintf(&desiredaddr), 3455 sppp_cp_type_name(type)); 3456 break; 3457 } 3458 if (rlen + l > blen) { 3459 if (debug) 3460 addlog(" [overflow]"); 3461 continue; 3462 } 3463 /* Add the option to nak'ed list. */ 3464 memcpy(r, p, l); 3465 r += l; 3466 rlen += l; 3467 } 3468 3469 if (rlen == 0 && type == CONF_ACK) { 3470 if (debug) 3471 addlog(" send %s\n", sppp_cp_type_name(type)); 3472 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1); 3473 } else { 3474 #ifdef notdef 3475 if (type == CONF_ACK) 3476 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3477 #endif 3478 3479 if (debug) { 3480 addlog(" send %s suggest %s\n", 3481 sppp_cp_type_name(type), ip6_sprintf(&suggestaddr)); 3482 } 3483 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3484 } 3485 3486 end: 3487 free(buf, M_TEMP); 3488 return (rlen == 0); 3489 3490 drop: 3491 free(buf, M_TEMP); 3492 return -1; 3493 } 3494 3495 /* 3496 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3497 * negotiation. 3498 */ 3499 static void 3500 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3501 { 3502 u_char *buf, *p, l, blen; 3503 struct ifnet *ifp = &sp->pp_if; 3504 int debug = ifp->if_flags & IFF_DEBUG; 3505 3506 len -= 4; 3507 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3508 if (!buf) 3509 return; 3510 3511 if (debug) 3512 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 3513 ifp->if_xname); 3514 3515 p = (void *)(h + 1); 3516 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3517 if (l > len) { 3518 /* XXX just RXJ? */ 3519 addlog("%s: received malicious IPCPv6 option, " 3520 "dropping\n", ifp->if_xname); 3521 goto drop; 3522 } 3523 if (debug) 3524 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3525 switch (*p) { 3526 case IPV6CP_OPT_IFID: 3527 /* 3528 * Peer doesn't grok address option. This is 3529 * bad. XXX Should we better give up here? 3530 */ 3531 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3532 break; 3533 #ifdef notyet 3534 case IPV6CP_OPT_COMPRESS: 3535 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3536 break; 3537 #endif 3538 } 3539 } 3540 if (debug) 3541 addlog("\n"); 3542 drop: 3543 free(buf, M_TEMP); 3544 return; 3545 } 3546 3547 /* 3548 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3549 * negotiation. 3550 */ 3551 static void 3552 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3553 { 3554 u_char *buf, *p, l, blen; 3555 struct ifnet *ifp = &sp->pp_if; 3556 int debug = ifp->if_flags & IFF_DEBUG; 3557 struct in6_addr suggestaddr; 3558 3559 len -= 4; 3560 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3561 if (!buf) 3562 return; 3563 3564 if (debug) 3565 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 3566 ifp->if_xname); 3567 3568 p = (void *)(h + 1); 3569 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3570 if (l > len) { 3571 /* XXX just RXJ? */ 3572 addlog("%s: received malicious IPCPv6 option, " 3573 "dropping\n", ifp->if_xname); 3574 goto drop; 3575 } 3576 if (debug) 3577 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3578 switch (*p) { 3579 case IPV6CP_OPT_IFID: 3580 /* 3581 * Peer doesn't like our local ifid. See 3582 * if we can do something for him. We'll drop 3583 * him our address then. 3584 */ 3585 if (len < 10 || l != 10) 3586 break; 3587 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3588 suggestaddr.s6_addr16[0] = htons(0xfe80); 3589 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 3590 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 3591 3592 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3593 if (debug) 3594 addlog(" [suggestaddr %s]", 3595 ip6_sprintf(&suggestaddr)); 3596 #ifdef IPV6CP_MYIFID_DYN 3597 /* 3598 * When doing dynamic address assignment, 3599 * we accept his offer. 3600 */ 3601 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3602 struct in6_addr lastsuggest; 3603 /* 3604 * If <suggested myaddr from peer> equals to 3605 * <hisaddr we have suggested last time>, 3606 * we have a collision. generate new random 3607 * ifid. 3608 */ 3609 sppp_suggest_ip6_addr(&lastsuggest); 3610 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3611 lastsuggest)) { 3612 if (debug) 3613 addlog(" [random]"); 3614 sppp_gen_ip6_addr(sp, &suggestaddr); 3615 } 3616 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3617 if (debug) 3618 addlog(" [agree]"); 3619 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3620 } 3621 #else 3622 /* 3623 * Since we do not do dynamic address assignment, 3624 * we ignore it and thus continue to negotiate 3625 * our already existing value. This can possibly 3626 * go into infinite request-reject loop. 3627 * 3628 * This is not likely because we normally use 3629 * ifid based on MAC-address. 3630 * If you have no ethernet card on the node, too bad. 3631 * XXX should we use fail_counter? 3632 */ 3633 #endif 3634 break; 3635 #ifdef notyet 3636 case IPV6CP_OPT_COMPRESS: 3637 /* 3638 * Peer wants different compression parameters. 3639 */ 3640 break; 3641 #endif 3642 } 3643 } 3644 if (debug) 3645 addlog("\n"); 3646 drop: 3647 free(buf, M_TEMP); 3648 return; 3649 } 3650 3651 static void 3652 sppp_ipv6cp_tlu(struct sppp *sp) 3653 { 3654 /* we are up - notify isdn daemon */ 3655 if (sp->pp_con) 3656 sp->pp_con(sp); 3657 } 3658 3659 static void 3660 sppp_ipv6cp_tld(struct sppp *sp) 3661 { 3662 } 3663 3664 static void 3665 sppp_ipv6cp_tls(struct sppp *sp) 3666 { 3667 /* indicate to LCP that it must stay alive */ 3668 sp->lcp.protos |= (1 << IDX_IPV6CP); 3669 } 3670 3671 static void 3672 sppp_ipv6cp_tlf(struct sppp *sp) 3673 { 3674 /* we no longer need LCP */ 3675 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3676 } 3677 3678 static void 3679 sppp_ipv6cp_scr(struct sppp *sp) 3680 { 3681 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3682 struct in6_addr ouraddr; 3683 int i = 0; 3684 3685 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3686 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3687 opt[i++] = IPV6CP_OPT_IFID; 3688 opt[i++] = 10; 3689 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 3690 i += 8; 3691 } 3692 3693 #ifdef notyet 3694 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 3695 opt[i++] = IPV6CP_OPT_COMPRESSION; 3696 opt[i++] = 4; 3697 opt[i++] = 0; /* TBD */ 3698 opt[i++] = 0; /* TBD */ 3699 /* variable length data may follow */ 3700 } 3701 #endif 3702 3703 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 3704 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 3705 } 3706 #else /*INET6*/ 3707 static void 3708 sppp_ipv6cp_init(struct sppp *sp) 3709 { 3710 } 3711 3712 static void 3713 sppp_ipv6cp_up(struct sppp *sp) 3714 { 3715 } 3716 3717 static void 3718 sppp_ipv6cp_down(struct sppp *sp) 3719 { 3720 } 3721 3722 static void 3723 sppp_ipv6cp_open(struct sppp *sp) 3724 { 3725 } 3726 3727 static void 3728 sppp_ipv6cp_close(struct sppp *sp) 3729 { 3730 } 3731 3732 static void 3733 sppp_ipv6cp_TO(void *sp) 3734 { 3735 } 3736 3737 static int 3738 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, 3739 int len) 3740 { 3741 return 0; 3742 } 3743 3744 static void 3745 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, 3746 int len) 3747 { 3748 } 3749 3750 static void 3751 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, 3752 int len) 3753 { 3754 } 3755 3756 static void 3757 sppp_ipv6cp_tlu(struct sppp *sp) 3758 { 3759 } 3760 3761 static void 3762 sppp_ipv6cp_tld(struct sppp *sp) 3763 { 3764 } 3765 3766 static void 3767 sppp_ipv6cp_tls(struct sppp *sp) 3768 { 3769 } 3770 3771 static void 3772 sppp_ipv6cp_tlf(struct sppp *sp) 3773 { 3774 } 3775 3776 static void 3777 sppp_ipv6cp_scr(struct sppp *sp) 3778 { 3779 } 3780 #endif /*INET6*/ 3781 3782 3783 /* 3784 *--------------------------------------------------------------------------* 3785 * * 3786 * The CHAP implementation. * 3787 * * 3788 *--------------------------------------------------------------------------* 3789 */ 3790 3791 /* 3792 * The authentication protocols don't employ a full-fledged state machine as 3793 * the control protocols do, since they do have Open and Close events, but 3794 * not Up and Down, nor are they explicitly terminated. Also, use of the 3795 * authentication protocols may be different in both directions (this makes 3796 * sense, think of a machine that never accepts incoming calls but only 3797 * calls out, it doesn't require the called party to authenticate itself). 3798 * 3799 * Our state machine for the local authentication protocol (we are requesting 3800 * the peer to authenticate) looks like: 3801 * 3802 * RCA- 3803 * +--------------------------------------------+ 3804 * V scn,tld| 3805 * +--------+ Close +---------+ RCA+ 3806 * | |<----------------------------------| |------+ 3807 * +--->| Closed | TO* | Opened | sca | 3808 * | | |-----+ +-------| |<-----+ 3809 * | +--------+ irc | | +---------+ 3810 * | ^ | | ^ 3811 * | | | | | 3812 * | | | | | 3813 * | TO-| | | | 3814 * | |tld TO+ V | | 3815 * | | +------->+ | | 3816 * | | | | | | 3817 * | +--------+ V | | 3818 * | | |<----+<--------------------+ | 3819 * | | Req- | scr | 3820 * | | Sent | | 3821 * | | | | 3822 * | +--------+ | 3823 * | RCA- | | RCA+ | 3824 * +------+ +------------------------------------------+ 3825 * scn,tld sca,irc,ict,tlu 3826 * 3827 * 3828 * with: 3829 * 3830 * Open: LCP reached authentication phase 3831 * Close: LCP reached terminate phase 3832 * 3833 * RCA+: received reply (pap-req, chap-response), acceptable 3834 * RCN: received reply (pap-req, chap-response), not acceptable 3835 * TO+: timeout with restart counter >= 0 3836 * TO-: timeout with restart counter < 0 3837 * TO*: reschedule timeout for CHAP 3838 * 3839 * scr: send request packet (none for PAP, chap-challenge) 3840 * sca: send ack packet (pap-ack, chap-success) 3841 * scn: send nak packet (pap-nak, chap-failure) 3842 * ict: initialize re-challenge timer (CHAP only) 3843 * 3844 * tlu: this-layer-up, LCP reaches network phase 3845 * tld: this-layer-down, LCP enters terminate phase 3846 * 3847 * Note that in CHAP mode, after sending a new challenge, while the state 3848 * automaton falls back into Req-Sent state, it doesn't signal a tld 3849 * event to LCP, so LCP remains in network phase. Only after not getting 3850 * any response (or after getting an unacceptable response), CHAP closes, 3851 * causing LCP to enter terminate phase. 3852 * 3853 * With PAP, there is no initial request that can be sent. The peer is 3854 * expected to send one based on the successful negotiation of PAP as 3855 * the authentication protocol during the LCP option negotiation. 3856 * 3857 * Incoming authentication protocol requests (remote requests 3858 * authentication, we are peer) don't employ a state machine at all, 3859 * they are simply answered. Some peers [Ascend P50 firmware rev 3860 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are 3861 * still in authentication phase (thereby violating the standard that 3862 * demands that these NCP packets are to be discarded), so we keep 3863 * track of the peer demanding us to authenticate, and only proceed to 3864 * phase network once we've seen a positive acknowledge for the 3865 * authentication. 3866 */ 3867 3868 /* 3869 * Handle incoming CHAP packets. 3870 */ 3871 void 3872 sppp_chap_input(struct sppp *sp, struct mbuf *m) 3873 { 3874 STDDCL; 3875 struct lcp_header *h; 3876 int len, x; 3877 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize; 3878 int value_len, name_len; 3879 MD5_CTX ctx; 3880 3881 len = m->m_pkthdr.len; 3882 if (len < 4) { 3883 if (debug) 3884 log(LOG_DEBUG, 3885 "%s: chap invalid packet length: %d bytes\n", 3886 ifp->if_xname, len); 3887 return; 3888 } 3889 h = mtod(m, struct lcp_header *); 3890 if (len > ntohs(h->len)) 3891 len = ntohs(h->len); 3892 3893 switch (h->type) { 3894 /* challenge, failure and success are his authproto */ 3895 case CHAP_CHALLENGE: 3896 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 3897 /* can't do anything useful */ 3898 sp->pp_auth_failures++; 3899 printf("%s: chap input without my name and my secret being set\n", 3900 ifp->if_xname); 3901 break; 3902 } 3903 value = 1 + (u_char *)(h + 1); 3904 value_len = value[-1]; 3905 name = value + value_len; 3906 name_len = len - value_len - 5; 3907 if (name_len < 0) { 3908 if (debug) { 3909 log(LOG_DEBUG, 3910 "%s: chap corrupted challenge " 3911 "<%s id=0x%x len=%d", 3912 ifp->if_xname, 3913 sppp_auth_type_name(PPP_CHAP, h->type), 3914 h->ident, ntohs(h->len)); 3915 if (len > 4) 3916 sppp_print_bytes((u_char *)(h + 1), 3917 len - 4); 3918 addlog(">\n"); 3919 } 3920 break; 3921 } 3922 3923 if (debug) { 3924 log(LOG_DEBUG, 3925 "%s: chap input <%s id=0x%x len=%d name=", 3926 ifp->if_xname, 3927 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 3928 ntohs(h->len)); 3929 sppp_print_string((char *) name, name_len); 3930 addlog(" value-size=%d value=", value_len); 3931 sppp_print_bytes(value, value_len); 3932 addlog(">\n"); 3933 } 3934 3935 /* Compute reply value. */ 3936 MD5Init(&ctx); 3937 MD5Update(&ctx, &h->ident, 1); 3938 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 3939 MD5Update(&ctx, value, value_len); 3940 MD5Final(digest, &ctx); 3941 dsize = sizeof digest; 3942 3943 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 3944 sizeof dsize, (const char *)&dsize, 3945 sizeof digest, digest, 3946 sp->myauth.name_len, 3947 sp->myauth.name, 3948 0); 3949 break; 3950 3951 case CHAP_SUCCESS: 3952 if (debug) { 3953 log(LOG_DEBUG, "%s: chap success", 3954 ifp->if_xname); 3955 if (len > 4) { 3956 addlog(": "); 3957 sppp_print_string((char *)(h + 1), len - 4); 3958 } 3959 addlog("\n"); 3960 } 3961 x = splnet(); 3962 sp->pp_auth_failures = 0; 3963 sp->pp_flags &= ~PP_NEEDAUTH; 3964 if (sp->myauth.proto == PPP_CHAP && 3965 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 3966 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 3967 /* 3968 * We are authenticator for CHAP but didn't 3969 * complete yet. Leave it to tlu to proceed 3970 * to network phase. 3971 */ 3972 splx(x); 3973 break; 3974 } 3975 splx(x); 3976 sppp_phase_network(sp); 3977 break; 3978 3979 case CHAP_FAILURE: 3980 x = splnet(); 3981 sp->pp_auth_failures++; 3982 splx(x); 3983 if (debug) { 3984 log(LOG_INFO, "%s: chap failure", 3985 ifp->if_xname); 3986 if (len > 4) { 3987 addlog(": "); 3988 sppp_print_string((char *)(h + 1), len - 4); 3989 } 3990 addlog("\n"); 3991 } else 3992 log(LOG_INFO, "%s: chap failure\n", 3993 ifp->if_xname); 3994 /* await LCP shutdown by authenticator */ 3995 break; 3996 3997 /* response is my authproto */ 3998 case CHAP_RESPONSE: 3999 if (sp->hisauth.secret == NULL) { 4000 /* can't do anything useful */ 4001 printf("%s: chap input without his secret being set\n", 4002 ifp->if_xname); 4003 break; 4004 } 4005 value = 1 + (u_char *)(h + 1); 4006 value_len = value[-1]; 4007 name = value + value_len; 4008 name_len = len - value_len - 5; 4009 if (name_len < 0) { 4010 if (debug) { 4011 log(LOG_DEBUG, 4012 "%s: chap corrupted response " 4013 "<%s id=0x%x len=%d", 4014 ifp->if_xname, 4015 sppp_auth_type_name(PPP_CHAP, h->type), 4016 h->ident, ntohs(h->len)); 4017 if (len > 4) 4018 sppp_print_bytes((u_char *)(h + 1), 4019 len - 4); 4020 addlog(">\n"); 4021 } 4022 break; 4023 } 4024 if (h->ident != sp->confid[IDX_CHAP]) { 4025 if (debug) 4026 log(LOG_DEBUG, 4027 "%s: chap dropping response for old ID " 4028 "(got %d, expected %d)\n", 4029 ifp->if_xname, 4030 h->ident, sp->confid[IDX_CHAP]); 4031 break; 4032 } 4033 if (sp->hisauth.name != NULL && 4034 (name_len != sp->hisauth.name_len 4035 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 4036 log(LOG_INFO, "%s: chap response, his name ", 4037 ifp->if_xname); 4038 sppp_print_string(name, name_len); 4039 addlog(" != expected "); 4040 sppp_print_string(sp->hisauth.name, 4041 sp->hisauth.name_len); 4042 addlog("\n"); 4043 goto chap_failure; 4044 } 4045 if (debug) { 4046 log(LOG_DEBUG, "%s: chap input(%s) " 4047 "<%s id=0x%x len=%d name=", 4048 ifp->if_xname, 4049 sppp_state_name(sp->state[IDX_CHAP]), 4050 sppp_auth_type_name(PPP_CHAP, h->type), 4051 h->ident, ntohs(h->len)); 4052 sppp_print_string((char *)name, name_len); 4053 addlog(" value-size=%d value=", value_len); 4054 sppp_print_bytes(value, value_len); 4055 addlog(">\n"); 4056 } 4057 if (value_len != sizeof(sp->myauth.challenge)) { 4058 if (debug) 4059 log(LOG_DEBUG, 4060 "%s: chap bad hash value length: " 4061 "%d bytes, should be %ld\n", 4062 ifp->if_xname, value_len, 4063 (long) sizeof(sp->myauth.challenge)); 4064 goto chap_failure; 4065 } 4066 4067 MD5Init(&ctx); 4068 MD5Update(&ctx, &h->ident, 1); 4069 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 4070 MD5Update(&ctx, sp->myauth.challenge, sizeof(sp->myauth.challenge)); 4071 MD5Final(digest, &ctx); 4072 4073 #define FAILMSG "Failed..." 4074 #define SUCCMSG "Welcome!" 4075 4076 if (value_len != sizeof digest || 4077 memcmp(digest, value, value_len) != 0) { 4078 chap_failure: 4079 /* action scn, tld */ 4080 x = splnet(); 4081 sp->pp_auth_failures++; 4082 splx(x); 4083 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4084 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4085 0); 4086 chap.tld(sp); 4087 break; 4088 } 4089 sp->pp_auth_failures = 0; 4090 /* action sca, perhaps tlu */ 4091 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4092 sp->state[IDX_CHAP] == STATE_OPENED) 4093 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4094 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4095 0); 4096 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4097 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4098 chap.tlu(sp); 4099 } 4100 break; 4101 4102 default: 4103 /* Unknown CHAP packet type -- ignore. */ 4104 if (debug) { 4105 log(LOG_DEBUG, "%s: chap unknown input(%s) " 4106 "<0x%x id=0x%xh len=%d", 4107 ifp->if_xname, 4108 sppp_state_name(sp->state[IDX_CHAP]), 4109 h->type, h->ident, ntohs(h->len)); 4110 if (len > 4) 4111 sppp_print_bytes((u_char *)(h + 1), len - 4); 4112 addlog(">\n"); 4113 } 4114 break; 4115 4116 } 4117 } 4118 4119 static void 4120 sppp_chap_init(struct sppp *sp) 4121 { 4122 /* Chap doesn't have STATE_INITIAL at all. */ 4123 sp->state[IDX_CHAP] = STATE_CLOSED; 4124 sp->fail_counter[IDX_CHAP] = 0; 4125 sp->pp_seq[IDX_CHAP] = 0; 4126 sp->pp_rseq[IDX_CHAP] = 0; 4127 callout_init(&sp->ch[IDX_CHAP], 0); 4128 } 4129 4130 static void 4131 sppp_chap_open(struct sppp *sp) 4132 { 4133 if (sp->myauth.proto == PPP_CHAP && 4134 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4135 /* we are authenticator for CHAP, start it */ 4136 chap.scr(sp); 4137 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4138 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4139 } 4140 /* nothing to be done if we are peer, await a challenge */ 4141 } 4142 4143 static void 4144 sppp_chap_close(struct sppp *sp) 4145 { 4146 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4147 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4148 } 4149 4150 static void 4151 sppp_chap_TO(void *cookie) 4152 { 4153 struct sppp *sp = (struct sppp *)cookie; 4154 STDDCL; 4155 int s; 4156 4157 s = splnet(); 4158 if (debug) 4159 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n", 4160 ifp->if_xname, 4161 sppp_state_name(sp->state[IDX_CHAP]), 4162 sp->rst_counter[IDX_CHAP]); 4163 4164 if (--sp->rst_counter[IDX_CHAP] < 0) 4165 /* TO- event */ 4166 switch (sp->state[IDX_CHAP]) { 4167 case STATE_REQ_SENT: 4168 chap.tld(sp); 4169 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4170 break; 4171 } 4172 else 4173 /* TO+ (or TO*) event */ 4174 switch (sp->state[IDX_CHAP]) { 4175 case STATE_OPENED: 4176 /* TO* event */ 4177 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4178 /* fall through */ 4179 case STATE_REQ_SENT: 4180 chap.scr(sp); 4181 /* sppp_cp_change_state() will restart the timer */ 4182 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4183 break; 4184 } 4185 4186 splx(s); 4187 } 4188 4189 static void 4190 sppp_chap_tlu(struct sppp *sp) 4191 { 4192 STDDCL; 4193 int i, x; 4194 4195 i = 0; 4196 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4197 4198 /* 4199 * Some broken CHAP implementations (Conware CoNet, firmware 4200 * 4.0.?) don't want to re-authenticate their CHAP once the 4201 * initial challenge-response exchange has taken place. 4202 * Provide for an option to avoid rechallenges. 4203 */ 4204 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 4205 /* 4206 * Compute the re-challenge timeout. This will yield 4207 * a number between 300 and 810 seconds. 4208 */ 4209 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7); 4210 4211 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp); 4212 } 4213 4214 if (debug) { 4215 log(LOG_DEBUG, 4216 "%s: chap %s, ", 4217 ifp->if_xname, 4218 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu"); 4219 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) 4220 addlog("next re-challenge in %d seconds\n", i); 4221 else 4222 addlog("re-challenging supressed\n"); 4223 } 4224 4225 x = splnet(); 4226 sp->pp_auth_failures = 0; 4227 /* indicate to LCP that we need to be closed down */ 4228 sp->lcp.protos |= (1 << IDX_CHAP); 4229 4230 if (sp->pp_flags & PP_NEEDAUTH) { 4231 /* 4232 * Remote is authenticator, but his auth proto didn't 4233 * complete yet. Defer the transition to network 4234 * phase. 4235 */ 4236 splx(x); 4237 return; 4238 } 4239 splx(x); 4240 4241 /* 4242 * If we are already in phase network, we are done here. This 4243 * is the case if this is a dummy tlu event after a re-challenge. 4244 */ 4245 if (sp->pp_phase != SPPP_PHASE_NETWORK) 4246 sppp_phase_network(sp); 4247 } 4248 4249 static void 4250 sppp_chap_tld(struct sppp *sp) 4251 { 4252 STDDCL; 4253 4254 if (debug) 4255 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname); 4256 callout_stop(&sp->ch[IDX_CHAP]); 4257 sp->lcp.protos &= ~(1 << IDX_CHAP); 4258 4259 lcp.Close(sp); 4260 } 4261 4262 static void 4263 sppp_chap_scr(struct sppp *sp) 4264 { 4265 uint32_t *ch; 4266 u_char clen = 4 * sizeof(uint32_t); 4267 4268 if (sp->myauth.name == NULL) { 4269 /* can't do anything useful */ 4270 printf("%s: chap starting without my name being set\n", 4271 sp->pp_if.if_xname); 4272 return; 4273 } 4274 4275 /* Compute random challenge. */ 4276 ch = (uint32_t *)sp->myauth.challenge; 4277 cprng_strong(kern_cprng, ch, clen, 0); 4278 4279 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4280 4281 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4282 sizeof clen, (const char *)&clen, 4283 sizeof(sp->myauth.challenge), sp->myauth.challenge, 4284 sp->myauth.name_len, 4285 sp->myauth.name, 4286 0); 4287 } 4288 4289 /* 4290 *--------------------------------------------------------------------------* 4291 * * 4292 * The PAP implementation. * 4293 * * 4294 *--------------------------------------------------------------------------* 4295 */ 4296 /* 4297 * For PAP, we need to keep a little state also if we are the peer, not the 4298 * authenticator. This is since we don't get a request to authenticate, but 4299 * have to repeatedly authenticate ourself until we got a response (or the 4300 * retry counter is expired). 4301 */ 4302 4303 /* 4304 * Handle incoming PAP packets. */ 4305 static void 4306 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4307 { 4308 STDDCL; 4309 struct lcp_header *h; 4310 int len, x; 4311 u_char mlen; 4312 char *name, *secret; 4313 int name_len, secret_len; 4314 4315 /* 4316 * Malicious input might leave this uninitialized, so 4317 * init to an impossible value. 4318 */ 4319 secret_len = -1; 4320 4321 len = m->m_pkthdr.len; 4322 if (len < 5) { 4323 if (debug) 4324 log(LOG_DEBUG, 4325 "%s: pap invalid packet length: %d bytes\n", 4326 ifp->if_xname, len); 4327 return; 4328 } 4329 h = mtod(m, struct lcp_header *); 4330 if (len > ntohs(h->len)) 4331 len = ntohs(h->len); 4332 switch (h->type) { 4333 /* PAP request is my authproto */ 4334 case PAP_REQ: 4335 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4336 /* can't do anything useful */ 4337 printf("%s: pap request without his name and his secret being set\n", 4338 ifp->if_xname); 4339 break; 4340 } 4341 name = 1 + (u_char *)(h + 1); 4342 name_len = name[-1]; 4343 secret = name + name_len + 1; 4344 if (name_len > len - 6 || 4345 (secret_len = secret[-1]) > len - 6 - name_len) { 4346 if (debug) { 4347 log(LOG_DEBUG, "%s: pap corrupted input " 4348 "<%s id=0x%x len=%d", 4349 ifp->if_xname, 4350 sppp_auth_type_name(PPP_PAP, h->type), 4351 h->ident, ntohs(h->len)); 4352 if (len > 4) 4353 sppp_print_bytes((u_char *)(h + 1), 4354 len - 4); 4355 addlog(">\n"); 4356 } 4357 break; 4358 } 4359 if (debug) { 4360 log(LOG_DEBUG, "%s: pap input(%s) " 4361 "<%s id=0x%x len=%d name=", 4362 ifp->if_xname, 4363 sppp_state_name(sp->state[IDX_PAP]), 4364 sppp_auth_type_name(PPP_PAP, h->type), 4365 h->ident, ntohs(h->len)); 4366 sppp_print_string((char *)name, name_len); 4367 addlog(" secret="); 4368 sppp_print_string((char *)secret, secret_len); 4369 addlog(">\n"); 4370 } 4371 if (name_len != sp->hisauth.name_len || 4372 secret_len != sp->hisauth.secret_len || 4373 memcmp(name, sp->hisauth.name, name_len) != 0 || 4374 memcmp(secret, sp->hisauth.secret, secret_len) != 0) { 4375 /* action scn, tld */ 4376 sp->pp_auth_failures++; 4377 mlen = sizeof(FAILMSG) - 1; 4378 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4379 sizeof mlen, (const char *)&mlen, 4380 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4381 0); 4382 pap.tld(sp); 4383 break; 4384 } 4385 /* action sca, perhaps tlu */ 4386 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4387 sp->state[IDX_PAP] == STATE_OPENED) { 4388 mlen = sizeof(SUCCMSG) - 1; 4389 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4390 sizeof mlen, (const char *)&mlen, 4391 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4392 0); 4393 } 4394 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4395 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4396 pap.tlu(sp); 4397 } 4398 break; 4399 4400 /* ack and nak are his authproto */ 4401 case PAP_ACK: 4402 callout_stop(&sp->pap_my_to_ch); 4403 if (debug) { 4404 log(LOG_DEBUG, "%s: pap success", 4405 ifp->if_xname); 4406 name = 1 + (u_char *)(h + 1); 4407 name_len = name[-1]; 4408 if (len > 5 && name_len < len+4) { 4409 addlog(": "); 4410 sppp_print_string(name, name_len); 4411 } 4412 addlog("\n"); 4413 } 4414 x = splnet(); 4415 sp->pp_auth_failures = 0; 4416 sp->pp_flags &= ~PP_NEEDAUTH; 4417 if (sp->myauth.proto == PPP_PAP && 4418 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4419 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4420 /* 4421 * We are authenticator for PAP but didn't 4422 * complete yet. Leave it to tlu to proceed 4423 * to network phase. 4424 */ 4425 splx(x); 4426 break; 4427 } 4428 splx(x); 4429 sppp_phase_network(sp); 4430 break; 4431 4432 case PAP_NAK: 4433 callout_stop(&sp->pap_my_to_ch); 4434 sp->pp_auth_failures++; 4435 if (debug) { 4436 log(LOG_INFO, "%s: pap failure", 4437 ifp->if_xname); 4438 name = 1 + (u_char *)(h + 1); 4439 name_len = name[-1]; 4440 if (len > 5 && name_len < len+4) { 4441 addlog(": "); 4442 sppp_print_string(name, name_len); 4443 } 4444 addlog("\n"); 4445 } else 4446 log(LOG_INFO, "%s: pap failure\n", 4447 ifp->if_xname); 4448 /* await LCP shutdown by authenticator */ 4449 break; 4450 4451 default: 4452 /* Unknown PAP packet type -- ignore. */ 4453 if (debug) { 4454 log(LOG_DEBUG, "%s: pap corrupted input " 4455 "<0x%x id=0x%x len=%d", 4456 ifp->if_xname, 4457 h->type, h->ident, ntohs(h->len)); 4458 if (len > 4) 4459 sppp_print_bytes((u_char *)(h + 1), len - 4); 4460 addlog(">\n"); 4461 } 4462 break; 4463 4464 } 4465 } 4466 4467 static void 4468 sppp_pap_init(struct sppp *sp) 4469 { 4470 /* PAP doesn't have STATE_INITIAL at all. */ 4471 sp->state[IDX_PAP] = STATE_CLOSED; 4472 sp->fail_counter[IDX_PAP] = 0; 4473 sp->pp_seq[IDX_PAP] = 0; 4474 sp->pp_rseq[IDX_PAP] = 0; 4475 callout_init(&sp->ch[IDX_PAP], 0); 4476 callout_init(&sp->pap_my_to_ch, 0); 4477 } 4478 4479 static void 4480 sppp_pap_open(struct sppp *sp) 4481 { 4482 if (sp->hisauth.proto == PPP_PAP && 4483 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4484 /* we are authenticator for PAP, start our timer */ 4485 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4486 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4487 } 4488 if (sp->myauth.proto == PPP_PAP) { 4489 /* we are peer, send a request, and start a timer */ 4490 pap.scr(sp); 4491 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout, 4492 sppp_pap_my_TO, sp); 4493 } 4494 } 4495 4496 static void 4497 sppp_pap_close(struct sppp *sp) 4498 { 4499 if (sp->state[IDX_PAP] != STATE_CLOSED) 4500 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4501 } 4502 4503 /* 4504 * That's the timeout routine if we are authenticator. Since the 4505 * authenticator is basically passive in PAP, we can't do much here. 4506 */ 4507 static void 4508 sppp_pap_TO(void *cookie) 4509 { 4510 struct sppp *sp = (struct sppp *)cookie; 4511 STDDCL; 4512 int s; 4513 4514 s = splnet(); 4515 if (debug) 4516 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n", 4517 ifp->if_xname, 4518 sppp_state_name(sp->state[IDX_PAP]), 4519 sp->rst_counter[IDX_PAP]); 4520 4521 if (--sp->rst_counter[IDX_PAP] < 0) 4522 /* TO- event */ 4523 switch (sp->state[IDX_PAP]) { 4524 case STATE_REQ_SENT: 4525 pap.tld(sp); 4526 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4527 break; 4528 } 4529 else 4530 /* TO+ event, not very much we could do */ 4531 switch (sp->state[IDX_PAP]) { 4532 case STATE_REQ_SENT: 4533 /* sppp_cp_change_state() will restart the timer */ 4534 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4535 break; 4536 } 4537 4538 splx(s); 4539 } 4540 4541 /* 4542 * That's the timeout handler if we are peer. Since the peer is active, 4543 * we need to retransmit our PAP request since it is apparently lost. 4544 * XXX We should impose a max counter. 4545 */ 4546 static void 4547 sppp_pap_my_TO(void *cookie) 4548 { 4549 struct sppp *sp = (struct sppp *)cookie; 4550 STDDCL; 4551 4552 if (debug) 4553 log(LOG_DEBUG, "%s: pap peer TO\n", 4554 ifp->if_xname); 4555 4556 pap.scr(sp); 4557 } 4558 4559 static void 4560 sppp_pap_tlu(struct sppp *sp) 4561 { 4562 STDDCL; 4563 int x; 4564 4565 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4566 4567 if (debug) 4568 log(LOG_DEBUG, "%s: %s tlu\n", 4569 ifp->if_xname, pap.name); 4570 4571 x = splnet(); 4572 sp->pp_auth_failures = 0; 4573 /* indicate to LCP that we need to be closed down */ 4574 sp->lcp.protos |= (1 << IDX_PAP); 4575 4576 if (sp->pp_flags & PP_NEEDAUTH) { 4577 /* 4578 * Remote is authenticator, but his auth proto didn't 4579 * complete yet. Defer the transition to network 4580 * phase. 4581 */ 4582 splx(x); 4583 return; 4584 } 4585 splx(x); 4586 sppp_phase_network(sp); 4587 } 4588 4589 static void 4590 sppp_pap_tld(struct sppp *sp) 4591 { 4592 STDDCL; 4593 4594 if (debug) 4595 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname); 4596 callout_stop(&sp->ch[IDX_PAP]); 4597 callout_stop(&sp->pap_my_to_ch); 4598 sp->lcp.protos &= ~(1 << IDX_PAP); 4599 4600 lcp.Close(sp); 4601 } 4602 4603 static void 4604 sppp_pap_scr(struct sppp *sp) 4605 { 4606 u_char idlen, pwdlen; 4607 4608 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4609 /* can't do anything useful */ 4610 printf("%s: pap starting without my name and secret being set\n", 4611 sp->pp_if.if_xname); 4612 return; 4613 } 4614 4615 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4616 pwdlen = sp->myauth.secret_len; 4617 idlen = sp->myauth.name_len; 4618 4619 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 4620 sizeof idlen, (const char *)&idlen, 4621 idlen, sp->myauth.name, 4622 sizeof pwdlen, (const char *)&pwdlen, 4623 pwdlen, sp->myauth.secret, 4624 0); 4625 } 4626 4627 /* 4628 * Random miscellaneous functions. 4629 */ 4630 4631 /* 4632 * Send a PAP or CHAP proto packet. 4633 * 4634 * Varadic function, each of the elements for the ellipsis is of type 4635 * ``size_t mlen, const u_char *msg''. Processing will stop iff 4636 * mlen == 0. 4637 * NOTE: never declare variadic functions with types subject to type 4638 * promotion (i.e. u_char). This is asking for big trouble depending 4639 * on the architecture you are on... 4640 */ 4641 4642 static void 4643 sppp_auth_send(const struct cp *cp, struct sppp *sp, 4644 unsigned int type, unsigned int id, 4645 ...) 4646 { 4647 STDDCL; 4648 struct lcp_header *lh; 4649 struct mbuf *m; 4650 u_char *p; 4651 int len; 4652 size_t pkthdrlen; 4653 unsigned int mlen; 4654 const char *msg; 4655 va_list ap; 4656 4657 MGETHDR(m, M_DONTWAIT, MT_DATA); 4658 if (! m) 4659 return; 4660 m_reset_rcvif(m); 4661 4662 if (sp->pp_flags & PP_NOFRAMING) { 4663 *mtod(m, uint16_t *) = htons(cp->proto); 4664 pkthdrlen = 2; 4665 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 4666 } else { 4667 struct ppp_header *h; 4668 h = mtod(m, struct ppp_header *); 4669 h->address = PPP_ALLSTATIONS; /* broadcast address */ 4670 h->control = PPP_UI; /* Unnumbered Info */ 4671 h->protocol = htons(cp->proto); 4672 pkthdrlen = PPP_HEADER_LEN; 4673 4674 lh = (struct lcp_header *)(h + 1); 4675 } 4676 4677 lh->type = type; 4678 lh->ident = id; 4679 p = (u_char *)(lh + 1); 4680 4681 va_start(ap, id); 4682 len = 0; 4683 4684 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 4685 msg = va_arg(ap, const char *); 4686 len += mlen; 4687 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 4688 va_end(ap); 4689 m_freem(m); 4690 return; 4691 } 4692 4693 memcpy(p, msg, mlen); 4694 p += mlen; 4695 } 4696 va_end(ap); 4697 4698 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 4699 lh->len = htons(LCP_HEADER_LEN + len); 4700 4701 if (debug) { 4702 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 4703 ifp->if_xname, cp->name, 4704 sppp_auth_type_name(cp->proto, lh->type), 4705 lh->ident, ntohs(lh->len)); 4706 if (len) 4707 sppp_print_bytes((u_char *)(lh + 1), len); 4708 addlog(">\n"); 4709 } 4710 if (IF_QFULL(&sp->pp_cpq)) { 4711 IF_DROP(&sp->pp_fastq); 4712 IF_DROP(&ifp->if_snd); 4713 m_freem(m); 4714 ++ifp->if_oerrors; 4715 return; 4716 } else 4717 IF_ENQUEUE(&sp->pp_cpq, m); 4718 if (! (ifp->if_flags & IFF_OACTIVE)) 4719 if_start_lock(ifp); 4720 ifp->if_obytes += m->m_pkthdr.len + 3; 4721 } 4722 4723 /* 4724 * Send keepalive packets, every 10 seconds. 4725 */ 4726 static void 4727 sppp_keepalive(void *dummy) 4728 { 4729 struct sppp *sp; 4730 int s; 4731 time_t now; 4732 4733 s = splnet(); 4734 now = time_uptime; 4735 for (sp=spppq; sp; sp=sp->pp_next) { 4736 struct ifnet *ifp = &sp->pp_if; 4737 4738 /* check idle timeout */ 4739 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 4740 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 4741 /* idle timeout is enabled for this interface */ 4742 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 4743 if (ifp->if_flags & IFF_DEBUG) 4744 printf("%s: no activity for %lu seconds\n", 4745 sp->pp_if.if_xname, 4746 (unsigned long)(now-sp->pp_last_activity)); 4747 lcp.Close(sp); 4748 continue; 4749 } 4750 } 4751 4752 /* Keepalive mode disabled or channel down? */ 4753 if (! (sp->pp_flags & PP_KEEPALIVE) || 4754 ! (ifp->if_flags & IFF_RUNNING)) 4755 continue; 4756 4757 /* No keepalive in PPP mode if LCP not opened yet. */ 4758 if (! (sp->pp_flags & PP_CISCO) && 4759 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) 4760 continue; 4761 4762 /* No echo reply, but maybe user data passed through? */ 4763 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) { 4764 sp->pp_alivecnt = 0; 4765 continue; 4766 } 4767 4768 if (sp->pp_alivecnt >= sp->pp_maxalive) { 4769 /* No keepalive packets got. Stop the interface. */ 4770 if_down (ifp); 4771 IF_PURGE(&sp->pp_cpq); 4772 if (! (sp->pp_flags & PP_CISCO)) { 4773 printf("%s: LCP keepalive timed out, going to restart the connection\n", 4774 ifp->if_xname); 4775 sp->pp_alivecnt = 0; 4776 4777 /* we are down, close all open protocols */ 4778 lcp.Close(sp); 4779 4780 /* And now prepare LCP to reestablish the link, if configured to do so. */ 4781 sppp_cp_change_state(&lcp, sp, STATE_STOPPED); 4782 4783 /* Close connection immediately, completition of this 4784 * will summon the magic needed to reestablish it. */ 4785 if (sp->pp_tlf) 4786 sp->pp_tlf(sp); 4787 continue; 4788 } 4789 } 4790 if (sp->pp_alivecnt < sp->pp_maxalive) 4791 ++sp->pp_alivecnt; 4792 if (sp->pp_flags & PP_CISCO) 4793 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 4794 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 4795 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 4796 int32_t nmagic = htonl(sp->lcp.magic); 4797 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 4798 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 4799 sp->lcp.echoid, 4, &nmagic); 4800 } 4801 } 4802 splx(s); 4803 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 4804 } 4805 4806 #ifdef INET 4807 /* 4808 * Get both IP addresses. 4809 */ 4810 static void 4811 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 4812 { 4813 struct ifnet *ifp = &sp->pp_if; 4814 struct ifaddr *ifa; 4815 struct sockaddr_in *si, *sm; 4816 uint32_t ssrc, ddst; 4817 4818 sm = NULL; 4819 ssrc = ddst = 0; 4820 /* 4821 * Pick the first AF_INET address from the list, 4822 * aliases don't make any sense on a p2p link anyway. 4823 */ 4824 si = 0; 4825 IFADDR_READER_FOREACH(ifa, ifp) { 4826 if (ifa->ifa_addr->sa_family == AF_INET) { 4827 si = (struct sockaddr_in *)ifa->ifa_addr; 4828 sm = (struct sockaddr_in *)ifa->ifa_netmask; 4829 if (si) 4830 break; 4831 } 4832 } 4833 if (ifa) { 4834 if (si && si->sin_addr.s_addr) { 4835 ssrc = si->sin_addr.s_addr; 4836 if (srcmask) 4837 *srcmask = ntohl(sm->sin_addr.s_addr); 4838 } 4839 4840 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 4841 if (si && si->sin_addr.s_addr) 4842 ddst = si->sin_addr.s_addr; 4843 } 4844 4845 if (dst) *dst = ntohl(ddst); 4846 if (src) *src = ntohl(ssrc); 4847 } 4848 4849 /* 4850 * Set IP addresses. Must be called at splnet. 4851 * If an address is 0, leave it the way it is. 4852 */ 4853 static void 4854 sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr) 4855 { 4856 STDDCL; 4857 struct ifaddr *ifa; 4858 struct sockaddr_in *si, *dest; 4859 4860 /* 4861 * Pick the first AF_INET address from the list, 4862 * aliases don't make any sense on a p2p link anyway. 4863 */ 4864 4865 IFADDR_READER_FOREACH(ifa, ifp) { 4866 if (ifa->ifa_addr->sa_family == AF_INET) { 4867 si = (struct sockaddr_in *)ifa->ifa_addr; 4868 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4869 goto found; 4870 } 4871 } 4872 return; 4873 4874 found: 4875 { 4876 int error, hostIsNew; 4877 struct sockaddr_in new_sin = *si; 4878 struct sockaddr_in new_dst = *dest; 4879 4880 /* 4881 * Scrub old routes now instead of calling in_ifinit with 4882 * scrub=1, because we may change the dstaddr 4883 * before the call to in_ifinit. 4884 */ 4885 in_ifscrub(ifp, ifatoia(ifa)); 4886 4887 hostIsNew = 0; 4888 if (myaddr != 0) { 4889 if (new_sin.sin_addr.s_addr != htonl(myaddr)) { 4890 new_sin.sin_addr.s_addr = htonl(myaddr); 4891 hostIsNew = 1; 4892 } 4893 } 4894 if (hisaddr != 0) { 4895 new_dst.sin_addr.s_addr = htonl(hisaddr); 4896 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) { 4897 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 4898 *dest = new_dst; /* fix dstaddr in place */ 4899 } 4900 } 4901 4902 LIST_REMOVE(ifatoia(ifa), ia_hash); 4903 IN_ADDRHASH_WRITER_REMOVE(ifatoia(ifa)); 4904 4905 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, 0, hostIsNew); 4906 4907 LIST_INSERT_HEAD(&IN_IFADDR_HASH(ifatoia(ifa)->ia_addr.sin_addr.s_addr), 4908 ifatoia(ifa), ia_hash); 4909 IN_ADDRHASH_WRITER_INSERT_HEAD(ifatoia(ifa)); 4910 4911 if (debug && error) 4912 { 4913 log(LOG_DEBUG, "%s: sppp_set_ip_addrs: in_ifinit " 4914 " failed, error=%d\n", ifp->if_xname, error); 4915 } 4916 if (!error) { 4917 (void)pfil_run_hooks(if_pfil, 4918 (struct mbuf **)SIOCAIFADDR, ifp, PFIL_IFADDR); 4919 } 4920 } 4921 } 4922 4923 /* 4924 * Clear IP addresses. Must be called at splnet. 4925 */ 4926 static void 4927 sppp_clear_ip_addrs(struct sppp *sp) 4928 { 4929 struct ifnet *ifp = &sp->pp_if; 4930 struct ifaddr *ifa; 4931 struct sockaddr_in *si, *dest; 4932 4933 uint32_t remote; 4934 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4935 remote = sp->ipcp.saved_hisaddr; 4936 else 4937 sppp_get_ip_addrs(sp, 0, &remote, 0); 4938 4939 /* 4940 * Pick the first AF_INET address from the list, 4941 * aliases don't make any sense on a p2p link anyway. 4942 */ 4943 4944 IFADDR_READER_FOREACH(ifa, ifp) { 4945 if (ifa->ifa_addr->sa_family == AF_INET) { 4946 si = (struct sockaddr_in *)ifa->ifa_addr; 4947 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4948 goto found; 4949 } 4950 } 4951 return; 4952 4953 found: 4954 { 4955 struct sockaddr_in new_sin = *si; 4956 4957 in_ifscrub(ifp, ifatoia(ifa)); 4958 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 4959 new_sin.sin_addr.s_addr = 0; 4960 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4961 /* replace peer addr in place */ 4962 dest->sin_addr.s_addr = sp->ipcp.saved_hisaddr; 4963 4964 LIST_REMOVE(ifatoia(ifa), ia_hash); 4965 IN_ADDRHASH_WRITER_REMOVE(ifatoia(ifa)); 4966 4967 in_ifinit(ifp, ifatoia(ifa), &new_sin, 0, 0); 4968 4969 LIST_INSERT_HEAD(&IN_IFADDR_HASH(ifatoia(ifa)->ia_addr.sin_addr.s_addr), 4970 ifatoia(ifa), ia_hash); 4971 IN_ADDRHASH_WRITER_INSERT_HEAD(ifatoia(ifa)); 4972 4973 (void)pfil_run_hooks(if_pfil, 4974 (struct mbuf **)SIOCDIFADDR, ifp, PFIL_IFADDR); 4975 } 4976 } 4977 #endif 4978 4979 #ifdef INET6 4980 /* 4981 * Get both IPv6 addresses. 4982 */ 4983 static void 4984 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 4985 struct in6_addr *srcmask) 4986 { 4987 struct ifnet *ifp = &sp->pp_if; 4988 struct ifaddr *ifa; 4989 struct sockaddr_in6 *si, *sm; 4990 struct in6_addr ssrc, ddst; 4991 4992 sm = NULL; 4993 memset(&ssrc, 0, sizeof(ssrc)); 4994 memset(&ddst, 0, sizeof(ddst)); 4995 /* 4996 * Pick the first link-local AF_INET6 address from the list, 4997 * aliases don't make any sense on a p2p link anyway. 4998 */ 4999 si = 0; 5000 IFADDR_READER_FOREACH(ifa, ifp) 5001 if (ifa->ifa_addr->sa_family == AF_INET6) { 5002 si = (struct sockaddr_in6 *)ifa->ifa_addr; 5003 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 5004 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) 5005 break; 5006 } 5007 if (ifa) { 5008 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 5009 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 5010 if (srcmask) { 5011 memcpy(srcmask, &sm->sin6_addr, 5012 sizeof(*srcmask)); 5013 } 5014 } 5015 5016 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 5017 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 5018 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 5019 } 5020 5021 if (dst) 5022 memcpy(dst, &ddst, sizeof(*dst)); 5023 if (src) 5024 memcpy(src, &ssrc, sizeof(*src)); 5025 } 5026 5027 #ifdef IPV6CP_MYIFID_DYN 5028 /* 5029 * Generate random ifid. 5030 */ 5031 static void 5032 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5033 { 5034 /* TBD */ 5035 } 5036 5037 /* 5038 * Set my IPv6 address. Must be called at splnet. 5039 */ 5040 static void 5041 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5042 { 5043 STDDCL; 5044 struct ifaddr *ifa; 5045 struct sockaddr_in6 *sin6; 5046 5047 /* 5048 * Pick the first link-local AF_INET6 address from the list, 5049 * aliases don't make any sense on a p2p link anyway. 5050 */ 5051 5052 sin6 = NULL; 5053 IFADDR_READER_FOREACH(ifa, ifp) 5054 { 5055 if (ifa->ifa_addr->sa_family == AF_INET6) 5056 { 5057 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5058 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 5059 break; 5060 } 5061 } 5062 5063 if (ifa && sin6) 5064 { 5065 int error; 5066 struct sockaddr_in6 new_sin6 = *sin6; 5067 5068 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 5069 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5070 if (debug && error) 5071 { 5072 log(LOG_DEBUG, "%s: sppp_set_ip6_addr: in6_ifinit " 5073 " failed, error=%d\n", ifp->if_xname, error); 5074 } 5075 if (!error) { 5076 (void)pfil_run_hooks(if_pfil, 5077 (struct mbuf **)SIOCAIFADDR_IN6, ifp, PFIL_IFADDR); 5078 } 5079 } 5080 } 5081 #endif 5082 5083 /* 5084 * Suggest a candidate address to be used by peer. 5085 */ 5086 static void 5087 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5088 { 5089 struct in6_addr myaddr; 5090 struct timeval tv; 5091 5092 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5093 5094 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5095 microtime(&tv); 5096 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5097 myaddr.s6_addr[14] ^= 0xff; 5098 myaddr.s6_addr[15] ^= 0xff; 5099 } else { 5100 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5101 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5102 } 5103 if (suggest) 5104 memcpy(suggest, &myaddr, sizeof(myaddr)); 5105 } 5106 #endif /*INET6*/ 5107 5108 /* 5109 * Process ioctl requests specific to the PPP interface. 5110 * Permissions have already been checked. 5111 */ 5112 static int 5113 sppp_params(struct sppp *sp, u_long cmd, void *data) 5114 { 5115 switch (cmd) { 5116 case SPPPGETAUTHCFG: 5117 { 5118 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5119 int error; 5120 size_t len; 5121 5122 cfg->myauthflags = sp->myauth.flags; 5123 cfg->hisauthflags = sp->hisauth.flags; 5124 strlcpy(cfg->ifname, sp->pp_if.if_xname, sizeof(cfg->ifname)); 5125 cfg->hisauth = 0; 5126 if (sp->hisauth.proto) 5127 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5128 cfg->myauth = 0; 5129 if (sp->myauth.proto) 5130 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5131 if (cfg->myname_length == 0) { 5132 if (sp->myauth.name != NULL) 5133 cfg->myname_length = sp->myauth.name_len + 1; 5134 } else { 5135 if (sp->myauth.name == NULL) { 5136 cfg->myname_length = 0; 5137 } else { 5138 len = sp->myauth.name_len + 1; 5139 if (cfg->myname_length < len) 5140 return (ENAMETOOLONG); 5141 error = copyout(sp->myauth.name, cfg->myname, len); 5142 if (error) return error; 5143 } 5144 } 5145 if (cfg->hisname_length == 0) { 5146 if (sp->hisauth.name != NULL) 5147 cfg->hisname_length = sp->hisauth.name_len + 1; 5148 } else { 5149 if (sp->hisauth.name == NULL) { 5150 cfg->hisname_length = 0; 5151 } else { 5152 len = sp->hisauth.name_len + 1; 5153 if (cfg->hisname_length < len) 5154 return (ENAMETOOLONG); 5155 error = copyout(sp->hisauth.name, cfg->hisname, len); 5156 if (error) return error; 5157 } 5158 } 5159 } 5160 break; 5161 case SPPPSETAUTHCFG: 5162 { 5163 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5164 int error; 5165 5166 if (sp->myauth.name) { 5167 free(sp->myauth.name, M_DEVBUF); 5168 sp->myauth.name = NULL; 5169 } 5170 if (sp->myauth.secret) { 5171 free(sp->myauth.secret, M_DEVBUF); 5172 sp->myauth.secret = NULL; 5173 } 5174 if (sp->hisauth.name) { 5175 free(sp->hisauth.name, M_DEVBUF); 5176 sp->hisauth.name = NULL; 5177 } 5178 if (sp->hisauth.secret) { 5179 free(sp->hisauth.secret, M_DEVBUF); 5180 sp->hisauth.secret = NULL; 5181 } 5182 5183 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 5184 if (cfg->hisname_length >= MCLBYTES) 5185 return (ENAMETOOLONG); 5186 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 5187 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 5188 if (error) { 5189 free(sp->hisauth.name, M_DEVBUF); 5190 sp->hisauth.name = NULL; 5191 return error; 5192 } 5193 sp->hisauth.name_len = cfg->hisname_length - 1; 5194 sp->hisauth.name[sp->hisauth.name_len] = 0; 5195 } 5196 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 5197 if (cfg->hissecret_length >= MCLBYTES) 5198 return (ENAMETOOLONG); 5199 sp->hisauth.secret = malloc(cfg->hissecret_length, M_DEVBUF, M_WAITOK); 5200 error = copyin(cfg->hissecret, sp->hisauth.secret, cfg->hissecret_length); 5201 if (error) { 5202 free(sp->hisauth.secret, M_DEVBUF); 5203 sp->hisauth.secret = NULL; 5204 return error; 5205 } 5206 sp->hisauth.secret_len = cfg->hissecret_length - 1; 5207 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 5208 } 5209 if (cfg->myname != NULL && cfg->myname_length > 0) { 5210 if (cfg->myname_length >= MCLBYTES) 5211 return (ENAMETOOLONG); 5212 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 5213 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 5214 if (error) { 5215 free(sp->myauth.name, M_DEVBUF); 5216 sp->myauth.name = NULL; 5217 return error; 5218 } 5219 sp->myauth.name_len = cfg->myname_length - 1; 5220 sp->myauth.name[sp->myauth.name_len] = 0; 5221 } 5222 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 5223 if (cfg->mysecret_length >= MCLBYTES) 5224 return (ENAMETOOLONG); 5225 sp->myauth.secret = malloc(cfg->mysecret_length, M_DEVBUF, M_WAITOK); 5226 error = copyin(cfg->mysecret, sp->myauth.secret, cfg->mysecret_length); 5227 if (error) { 5228 free(sp->myauth.secret, M_DEVBUF); 5229 sp->myauth.secret = NULL; 5230 return error; 5231 } 5232 sp->myauth.secret_len = cfg->mysecret_length - 1; 5233 sp->myauth.secret[sp->myauth.secret_len] = 0; 5234 } 5235 sp->myauth.flags = cfg->myauthflags; 5236 if (cfg->myauth) 5237 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5238 sp->hisauth.flags = cfg->hisauthflags; 5239 if (cfg->hisauth) 5240 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5241 sp->pp_auth_failures = 0; 5242 if (sp->hisauth.proto != 0) 5243 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 5244 else 5245 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 5246 } 5247 break; 5248 case SPPPGETLCPCFG: 5249 { 5250 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5251 lcpp->lcp_timeout = sp->lcp.timeout; 5252 } 5253 break; 5254 case SPPPSETLCPCFG: 5255 { 5256 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5257 sp->lcp.timeout = lcpp->lcp_timeout; 5258 } 5259 break; 5260 case SPPPGETSTATUS: 5261 { 5262 struct spppstatus *status = (struct spppstatus *)data; 5263 status->phase = sp->pp_phase; 5264 } 5265 break; 5266 case SPPPGETSTATUSNCP: 5267 { 5268 struct spppstatusncp *status = (struct spppstatusncp *)data; 5269 status->phase = sp->pp_phase; 5270 status->ncpup = sppp_ncp_check(sp); 5271 } 5272 break; 5273 case SPPPGETIDLETO: 5274 { 5275 struct spppidletimeout *to = (struct spppidletimeout *)data; 5276 to->idle_seconds = sp->pp_idle_timeout; 5277 } 5278 break; 5279 case SPPPSETIDLETO: 5280 { 5281 struct spppidletimeout *to = (struct spppidletimeout *)data; 5282 sp->pp_idle_timeout = to->idle_seconds; 5283 } 5284 break; 5285 case SPPPSETAUTHFAILURE: 5286 { 5287 struct spppauthfailuresettings *afsettings = (struct spppauthfailuresettings *)data; 5288 sp->pp_max_auth_fail = afsettings->max_failures; 5289 sp->pp_auth_failures = 0; 5290 } 5291 break; 5292 case SPPPGETAUTHFAILURES: 5293 { 5294 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 5295 stats->auth_failures = sp->pp_auth_failures; 5296 stats->max_failures = sp->pp_max_auth_fail; 5297 } 5298 break; 5299 case SPPPSETDNSOPTS: 5300 { 5301 struct spppdnssettings *req = (struct spppdnssettings *)data; 5302 sp->query_dns = req->query_dns & 3; 5303 } 5304 break; 5305 case SPPPGETDNSOPTS: 5306 { 5307 struct spppdnssettings *req = (struct spppdnssettings *)data; 5308 req->query_dns = sp->query_dns; 5309 } 5310 break; 5311 case SPPPGETDNSADDRS: 5312 { 5313 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 5314 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 5315 } 5316 break; 5317 case SPPPGETKEEPALIVE: 5318 { 5319 struct spppkeepalivesettings *settings = 5320 (struct spppkeepalivesettings*)data; 5321 settings->maxalive = sp->pp_maxalive; 5322 settings->max_noreceive = sp->pp_max_noreceive; 5323 } 5324 break; 5325 case SPPPSETKEEPALIVE: 5326 { 5327 struct spppkeepalivesettings *settings = 5328 (struct spppkeepalivesettings*)data; 5329 sp->pp_maxalive = settings->maxalive; 5330 sp->pp_max_noreceive = settings->max_noreceive; 5331 } 5332 break; 5333 #if defined(COMPAT_50) || defined(MODULAR) 5334 case __SPPPGETIDLETO50: 5335 { 5336 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5337 to->idle_seconds = (uint32_t)sp->pp_idle_timeout; 5338 } 5339 break; 5340 case __SPPPSETIDLETO50: 5341 { 5342 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5343 sp->pp_idle_timeout = (time_t)to->idle_seconds; 5344 } 5345 break; 5346 case __SPPPGETKEEPALIVE50: 5347 { 5348 struct spppkeepalivesettings50 *settings = 5349 (struct spppkeepalivesettings50*)data; 5350 settings->maxalive = sp->pp_maxalive; 5351 settings->max_noreceive = (uint32_t)sp->pp_max_noreceive; 5352 } 5353 break; 5354 case __SPPPSETKEEPALIVE50: 5355 { 5356 struct spppkeepalivesettings50 *settings = 5357 (struct spppkeepalivesettings50*)data; 5358 sp->pp_maxalive = settings->maxalive; 5359 sp->pp_max_noreceive = (time_t)settings->max_noreceive; 5360 } 5361 break; 5362 #endif /* COMPAT_50 || MODULAR */ 5363 default: 5364 return (EINVAL); 5365 } 5366 5367 return (0); 5368 } 5369 5370 static void 5371 sppp_phase_network(struct sppp *sp) 5372 { 5373 STDDCL; 5374 int i; 5375 uint32_t mask; 5376 5377 sp->pp_phase = SPPP_PHASE_NETWORK; 5378 5379 if (debug) 5380 { 5381 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 5382 sppp_phase_name(sp->pp_phase)); 5383 } 5384 5385 /* Notify NCPs now. */ 5386 for (i = 0; i < IDX_COUNT; i++) 5387 if ((cps[i])->flags & CP_NCP) 5388 (cps[i])->Open(sp); 5389 5390 /* Send Up events to all NCPs. */ 5391 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5392 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) 5393 (cps[i])->Up(sp); 5394 5395 /* if no NCP is starting, all this was in vain, close down */ 5396 sppp_lcp_check_and_close(sp); 5397 } 5398 5399 5400 static const char * 5401 sppp_cp_type_name(u_char type) 5402 { 5403 static char buf[12]; 5404 switch (type) { 5405 case CONF_REQ: return "conf-req"; 5406 case CONF_ACK: return "conf-ack"; 5407 case CONF_NAK: return "conf-nak"; 5408 case CONF_REJ: return "conf-rej"; 5409 case TERM_REQ: return "term-req"; 5410 case TERM_ACK: return "term-ack"; 5411 case CODE_REJ: return "code-rej"; 5412 case PROTO_REJ: return "proto-rej"; 5413 case ECHO_REQ: return "echo-req"; 5414 case ECHO_REPLY: return "echo-reply"; 5415 case DISC_REQ: return "discard-req"; 5416 } 5417 snprintf(buf, sizeof(buf), "0x%x", type); 5418 return buf; 5419 } 5420 5421 static const char * 5422 sppp_auth_type_name(u_short proto, u_char type) 5423 { 5424 static char buf[32]; 5425 const char *name; 5426 5427 switch (proto) { 5428 case PPP_CHAP: 5429 switch (type) { 5430 case CHAP_CHALLENGE: return "challenge"; 5431 case CHAP_RESPONSE: return "response"; 5432 case CHAP_SUCCESS: return "success"; 5433 case CHAP_FAILURE: return "failure"; 5434 default: name = "chap"; break; 5435 } 5436 break; 5437 5438 case PPP_PAP: 5439 switch (type) { 5440 case PAP_REQ: return "req"; 5441 case PAP_ACK: return "ack"; 5442 case PAP_NAK: return "nak"; 5443 default: name = "pap"; break; 5444 } 5445 break; 5446 5447 default: 5448 name = "bad"; 5449 break; 5450 } 5451 5452 snprintf(buf, sizeof(buf), "%s(%#x) %#x", name, proto, type); 5453 return buf; 5454 } 5455 5456 static const char * 5457 sppp_lcp_opt_name(u_char opt) 5458 { 5459 static char buf[12]; 5460 switch (opt) { 5461 case LCP_OPT_MRU: return "mru"; 5462 case LCP_OPT_ASYNC_MAP: return "async-map"; 5463 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 5464 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 5465 case LCP_OPT_MAGIC: return "magic"; 5466 case LCP_OPT_PROTO_COMP: return "proto-comp"; 5467 case LCP_OPT_ADDR_COMP: return "addr-comp"; 5468 } 5469 snprintf(buf, sizeof(buf), "0x%x", opt); 5470 return buf; 5471 } 5472 5473 static const char * 5474 sppp_ipcp_opt_name(u_char opt) 5475 { 5476 static char buf[12]; 5477 switch (opt) { 5478 case IPCP_OPT_ADDRESSES: return "addresses"; 5479 case IPCP_OPT_COMPRESSION: return "compression"; 5480 case IPCP_OPT_ADDRESS: return "address"; 5481 } 5482 snprintf(buf, sizeof(buf), "0x%x", opt); 5483 return buf; 5484 } 5485 5486 #ifdef INET6 5487 static const char * 5488 sppp_ipv6cp_opt_name(u_char opt) 5489 { 5490 static char buf[12]; 5491 switch (opt) { 5492 case IPV6CP_OPT_IFID: return "ifid"; 5493 case IPV6CP_OPT_COMPRESSION: return "compression"; 5494 } 5495 snprintf(buf, sizeof(buf), "0x%x", opt); 5496 return buf; 5497 } 5498 #endif 5499 5500 static const char * 5501 sppp_state_name(int state) 5502 { 5503 switch (state) { 5504 case STATE_INITIAL: return "initial"; 5505 case STATE_STARTING: return "starting"; 5506 case STATE_CLOSED: return "closed"; 5507 case STATE_STOPPED: return "stopped"; 5508 case STATE_CLOSING: return "closing"; 5509 case STATE_STOPPING: return "stopping"; 5510 case STATE_REQ_SENT: return "req-sent"; 5511 case STATE_ACK_RCVD: return "ack-rcvd"; 5512 case STATE_ACK_SENT: return "ack-sent"; 5513 case STATE_OPENED: return "opened"; 5514 } 5515 return "illegal"; 5516 } 5517 5518 static const char * 5519 sppp_phase_name(int phase) 5520 { 5521 switch (phase) { 5522 case SPPP_PHASE_DEAD: return "dead"; 5523 case SPPP_PHASE_ESTABLISH: return "establish"; 5524 case SPPP_PHASE_TERMINATE: return "terminate"; 5525 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 5526 case SPPP_PHASE_NETWORK: return "network"; 5527 } 5528 return "illegal"; 5529 } 5530 5531 static const char * 5532 sppp_proto_name(u_short proto) 5533 { 5534 static char buf[12]; 5535 switch (proto) { 5536 case PPP_LCP: return "lcp"; 5537 case PPP_IPCP: return "ipcp"; 5538 case PPP_PAP: return "pap"; 5539 case PPP_CHAP: return "chap"; 5540 case PPP_IPV6CP: return "ipv6cp"; 5541 } 5542 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto); 5543 return buf; 5544 } 5545 5546 static void 5547 sppp_print_bytes(const u_char *p, u_short len) 5548 { 5549 addlog(" %02x", *p++); 5550 while (--len > 0) 5551 addlog("-%02x", *p++); 5552 } 5553 5554 static void 5555 sppp_print_string(const char *p, u_short len) 5556 { 5557 u_char c; 5558 5559 while (len-- > 0) { 5560 c = *p++; 5561 /* 5562 * Print only ASCII chars directly. RFC 1994 recommends 5563 * using only them, but we don't rely on it. */ 5564 if (c < ' ' || c > '~') 5565 addlog("\\x%x", c); 5566 else 5567 addlog("%c", c); 5568 } 5569 } 5570 5571 static const char * 5572 sppp_dotted_quad(uint32_t addr) 5573 { 5574 static char s[16]; 5575 snprintf(s, sizeof(s), "%d.%d.%d.%d", 5576 (int)((addr >> 24) & 0xff), 5577 (int)((addr >> 16) & 0xff), 5578 (int)((addr >> 8) & 0xff), 5579 (int)(addr & 0xff)); 5580 return s; 5581 } 5582 5583 /* a dummy, used to drop uninteresting events */ 5584 static void 5585 sppp_null(struct sppp *unused) 5586 { 5587 /* do just nothing */ 5588 } 5589 /* 5590 * This file is large. Tell emacs to highlight it nevertheless. 5591 * 5592 * Local Variables: 5593 * hilit-auto-highlight-maxout: 120000 5594 * End: 5595 */ 5596 5597 /* 5598 * Module glue 5599 */ 5600 MODULE(MODULE_CLASS_MISC, sppp_subr, NULL); 5601 5602 static int 5603 sppp_subr_modcmd(modcmd_t cmd, void *arg) 5604 { 5605 switch (cmd) { 5606 case MODULE_CMD_INIT: 5607 case MODULE_CMD_FINI: 5608 return 0; 5609 case MODULE_CMD_STAT: 5610 case MODULE_CMD_AUTOUNLOAD: 5611 default: 5612 return ENOTTY; 5613 } 5614 } 5615 5616