1/* $NetBSD: if_spppsubr.c,v 1.124 2011/11/19 22:51:25 tls Exp $ */ 2 3/* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak@cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun@iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43#include <sys/cdefs.h> 44__KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.124 2011/11/19 22:51:25 tls Exp $"); 45 46#if defined(_KERNEL_OPT) 47#include "opt_inet.h" 48#include "opt_ipx.h" 49#include "opt_iso.h" 50#include "opt_pfil_hooks.h" 51#include "opt_modular.h" 52#include "opt_compat_netbsd.h" 53#endif 54 55 56#include <sys/param.h> 57#include <sys/proc.h> 58#include <sys/systm.h> 59#include <sys/kernel.h> 60#include <sys/sockio.h> 61#include <sys/socket.h> 62#include <sys/syslog.h> 63#include <sys/malloc.h> 64#include <sys/mbuf.h> 65#include <sys/callout.h> 66#include <sys/md5.h> 67#include <sys/inttypes.h> 68#include <sys/kauth.h> 69#include <sys/cprng.h> 70 71#include <net/if.h> 72#include <net/netisr.h> 73#include <net/if_types.h> 74#include <net/route.h> 75#include <net/ppp_defs.h> 76 77#include <netinet/in.h> 78#include <netinet/in_systm.h> 79#include <netinet/in_var.h> 80#ifdef INET 81#include <netinet/ip.h> 82#include <netinet/tcp.h> 83#endif 84#include <net/ethertypes.h> 85 86#ifdef INET6 87#include <netinet6/scope6_var.h> 88#endif 89 90#ifdef IPX 91#include <netipx/ipx.h> 92#include <netipx/ipx_if.h> 93#endif 94 95 96#ifdef ISO 97#include <netiso/argo_debug.h> 98#include <netiso/iso.h> 99#include <netiso/iso_var.h> 100#include <netiso/iso_snpac.h> 101#endif 102 103#include <net/if_sppp.h> 104#include <net/if_spppvar.h> 105 106#define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 107#define LOOPALIVECNT 3 /* loopback detection tries */ 108#define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 109#define DEFAULT_NORECV_TIME 15 /* before we get worried */ 110#define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 111 112/* 113 * Interface flags that can be set in an ifconfig command. 114 * 115 * Setting link0 will make the link passive, i.e. it will be marked 116 * as being administrative openable, but won't be opened to begin 117 * with. Incoming calls will be answered, or subsequent calls with 118 * -link1 will cause the administrative open of the LCP layer. 119 * 120 * Setting link1 will cause the link to auto-dial only as packets 121 * arrive to be sent. 122 * 123 * Setting IFF_DEBUG will syslog the option negotiation and state 124 * transitions at level kern.debug. Note: all logs consistently look 125 * like 126 * 127 * <if-name><unit>: <proto-name> <additional info...> 128 * 129 * with <if-name><unit> being something like "bppp0", and <proto-name> 130 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 131 */ 132 133#define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 134#define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 135 136#define CONF_REQ 1 /* PPP configure request */ 137#define CONF_ACK 2 /* PPP configure acknowledge */ 138#define CONF_NAK 3 /* PPP configure negative ack */ 139#define CONF_REJ 4 /* PPP configure reject */ 140#define TERM_REQ 5 /* PPP terminate request */ 141#define TERM_ACK 6 /* PPP terminate acknowledge */ 142#define CODE_REJ 7 /* PPP code reject */ 143#define PROTO_REJ 8 /* PPP protocol reject */ 144#define ECHO_REQ 9 /* PPP echo request */ 145#define ECHO_REPLY 10 /* PPP echo reply */ 146#define DISC_REQ 11 /* PPP discard request */ 147 148#define LCP_OPT_MRU 1 /* maximum receive unit */ 149#define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 150#define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 151#define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 152#define LCP_OPT_MAGIC 5 /* magic number */ 153#define LCP_OPT_RESERVED 6 /* reserved */ 154#define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 155#define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 156 157#define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 158#define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 159#define IPCP_OPT_ADDRESS 3 /* local IP address */ 160#define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 161#define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 162 163#define IPV6CP_OPT_IFID 1 /* interface identifier */ 164#define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 165 166#define PAP_REQ 1 /* PAP name/password request */ 167#define PAP_ACK 2 /* PAP acknowledge */ 168#define PAP_NAK 3 /* PAP fail */ 169 170#define CHAP_CHALLENGE 1 /* CHAP challenge request */ 171#define CHAP_RESPONSE 2 /* CHAP challenge response */ 172#define CHAP_SUCCESS 3 /* CHAP response ok */ 173#define CHAP_FAILURE 4 /* CHAP response failed */ 174 175#define CHAP_MD5 5 /* hash algorithm - MD5 */ 176 177#define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 178#define CISCO_UNICAST 0x0f /* Cisco unicast address */ 179#define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 180#define CISCO_ADDR_REQ 0 /* Cisco address request */ 181#define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 182#define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 183 184/* states are named and numbered according to RFC 1661 */ 185#define STATE_INITIAL 0 186#define STATE_STARTING 1 187#define STATE_CLOSED 2 188#define STATE_STOPPED 3 189#define STATE_CLOSING 4 190#define STATE_STOPPING 5 191#define STATE_REQ_SENT 6 192#define STATE_ACK_RCVD 7 193#define STATE_ACK_SENT 8 194#define STATE_OPENED 9 195 196struct ppp_header { 197 uint8_t address; 198 uint8_t control; 199 uint16_t protocol; 200} __packed; 201#define PPP_HEADER_LEN sizeof (struct ppp_header) 202 203struct lcp_header { 204 uint8_t type; 205 uint8_t ident; 206 uint16_t len; 207} __packed; 208#define LCP_HEADER_LEN sizeof (struct lcp_header) 209 210struct cisco_packet { 211 uint32_t type; 212 uint32_t par1; 213 uint32_t par2; 214 uint16_t rel; 215 uint16_t time0; 216 uint16_t time1; 217} __packed; 218#define CISCO_PACKET_LEN 18 219 220/* 221 * We follow the spelling and capitalization of RFC 1661 here, to make 222 * it easier comparing with the standard. Please refer to this RFC in 223 * case you can't make sense out of these abbreviation; it will also 224 * explain the semantics related to the various events and actions. 225 */ 226struct cp { 227 u_short proto; /* PPP control protocol number */ 228 u_char protoidx; /* index into state table in struct sppp */ 229 u_char flags; 230#define CP_LCP 0x01 /* this is the LCP */ 231#define CP_AUTH 0x02 /* this is an authentication protocol */ 232#define CP_NCP 0x04 /* this is a NCP */ 233#define CP_QUAL 0x08 /* this is a quality reporting protocol */ 234 const char *name; /* name of this control protocol */ 235 /* event handlers */ 236 void (*Up)(struct sppp *sp); 237 void (*Down)(struct sppp *sp); 238 void (*Open)(struct sppp *sp); 239 void (*Close)(struct sppp *sp); 240 void (*TO)(void *sp); 241 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 242 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 243 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 244 /* actions */ 245 void (*tlu)(struct sppp *sp); 246 void (*tld)(struct sppp *sp); 247 void (*tls)(struct sppp *sp); 248 void (*tlf)(struct sppp *sp); 249 void (*scr)(struct sppp *sp); 250}; 251 252static struct sppp *spppq; 253static callout_t keepalive_ch; 254 255#ifdef INET 256/* 257 * The following disgusting hack gets around the problem that IP TOS 258 * can't be set yet. We want to put "interactive" traffic on a high 259 * priority queue. To decide if traffic is interactive, we check that 260 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 261 * 262 * XXX is this really still necessary? - joerg - 263 */ 264static u_short interactive_ports[8] = { 265 0, 513, 0, 0, 266 0, 21, 0, 23, 267}; 268#define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 269#endif 270 271/* almost every function needs these */ 272#define STDDCL \ 273 struct ifnet *ifp = &sp->pp_if; \ 274 int debug = ifp->if_flags & IFF_DEBUG 275 276static int sppp_output(struct ifnet *ifp, struct mbuf *m, 277 const struct sockaddr *dst, struct rtentry *rt); 278 279static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2); 280static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 281 282static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 283 struct mbuf *m); 284static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 285 u_char ident, u_short len, void *data); 286/* static void sppp_cp_timeout(void *arg); */ 287static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 288 int newstate); 289static void sppp_auth_send(const struct cp *cp, 290 struct sppp *sp, unsigned int type, unsigned int id, 291 ...); 292 293static void sppp_up_event(const struct cp *cp, struct sppp *sp); 294static void sppp_down_event(const struct cp *cp, struct sppp *sp); 295static void sppp_open_event(const struct cp *cp, struct sppp *sp); 296static void sppp_close_event(const struct cp *cp, struct sppp *sp); 297static void sppp_to_event(const struct cp *cp, struct sppp *sp); 298 299static void sppp_null(struct sppp *sp); 300 301static void sppp_lcp_init(struct sppp *sp); 302static void sppp_lcp_up(struct sppp *sp); 303static void sppp_lcp_down(struct sppp *sp); 304static void sppp_lcp_open(struct sppp *sp); 305static void sppp_lcp_close(struct sppp *sp); 306static void sppp_lcp_TO(void *sp); 307static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 308static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 309static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 310static void sppp_lcp_tlu(struct sppp *sp); 311static void sppp_lcp_tld(struct sppp *sp); 312static void sppp_lcp_tls(struct sppp *sp); 313static void sppp_lcp_tlf(struct sppp *sp); 314static void sppp_lcp_scr(struct sppp *sp); 315static void sppp_lcp_check_and_close(struct sppp *sp); 316static int sppp_ncp_check(struct sppp *sp); 317 318static void sppp_ipcp_init(struct sppp *sp); 319static void sppp_ipcp_up(struct sppp *sp); 320static void sppp_ipcp_down(struct sppp *sp); 321static void sppp_ipcp_open(struct sppp *sp); 322static void sppp_ipcp_close(struct sppp *sp); 323static void sppp_ipcp_TO(void *sp); 324static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 325static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 326static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 327static void sppp_ipcp_tlu(struct sppp *sp); 328static void sppp_ipcp_tld(struct sppp *sp); 329static void sppp_ipcp_tls(struct sppp *sp); 330static void sppp_ipcp_tlf(struct sppp *sp); 331static void sppp_ipcp_scr(struct sppp *sp); 332 333static void sppp_ipv6cp_init(struct sppp *sp); 334static void sppp_ipv6cp_up(struct sppp *sp); 335static void sppp_ipv6cp_down(struct sppp *sp); 336static void sppp_ipv6cp_open(struct sppp *sp); 337static void sppp_ipv6cp_close(struct sppp *sp); 338static void sppp_ipv6cp_TO(void *sp); 339static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 340static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 341static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 342static void sppp_ipv6cp_tlu(struct sppp *sp); 343static void sppp_ipv6cp_tld(struct sppp *sp); 344static void sppp_ipv6cp_tls(struct sppp *sp); 345static void sppp_ipv6cp_tlf(struct sppp *sp); 346static void sppp_ipv6cp_scr(struct sppp *sp); 347 348static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 349static void sppp_pap_init(struct sppp *sp); 350static void sppp_pap_open(struct sppp *sp); 351static void sppp_pap_close(struct sppp *sp); 352static void sppp_pap_TO(void *sp); 353static void sppp_pap_my_TO(void *sp); 354static void sppp_pap_tlu(struct sppp *sp); 355static void sppp_pap_tld(struct sppp *sp); 356static void sppp_pap_scr(struct sppp *sp); 357 358static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 359static void sppp_chap_init(struct sppp *sp); 360static void sppp_chap_open(struct sppp *sp); 361static void sppp_chap_close(struct sppp *sp); 362static void sppp_chap_TO(void *sp); 363static void sppp_chap_tlu(struct sppp *sp); 364static void sppp_chap_tld(struct sppp *sp); 365static void sppp_chap_scr(struct sppp *sp); 366 367static const char *sppp_auth_type_name(u_short proto, u_char type); 368static const char *sppp_cp_type_name(u_char type); 369static const char *sppp_dotted_quad(uint32_t addr); 370static const char *sppp_ipcp_opt_name(u_char opt); 371#ifdef INET6 372static const char *sppp_ipv6cp_opt_name(u_char opt); 373#endif 374static const char *sppp_lcp_opt_name(u_char opt); 375static const char *sppp_phase_name(int phase); 376static const char *sppp_proto_name(u_short proto); 377static const char *sppp_state_name(int state); 378static int sppp_params(struct sppp *sp, u_long cmd, void *data); 379#ifdef INET 380static void sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, 381 uint32_t *srcmask); 382static void sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr); 383static void sppp_clear_ip_addrs(struct sppp *sp); 384#endif 385static void sppp_keepalive(void *dummy); 386static void sppp_phase_network(struct sppp *sp); 387static void sppp_print_bytes(const u_char *p, u_short len); 388static void sppp_print_string(const char *p, u_short len); 389#ifdef INET6 390static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 391 struct in6_addr *dst, struct in6_addr *srcmask); 392#ifdef IPV6CP_MYIFID_DYN 393static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 394static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 395#endif 396static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 397#endif 398 399/* our control protocol descriptors */ 400static const struct cp lcp = { 401 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 402 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 403 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 404 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 405 sppp_lcp_scr 406}; 407 408static const struct cp ipcp = { 409 PPP_IPCP, IDX_IPCP, 410#ifdef INET 411 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 412#else 413 0, 414#endif 415 "ipcp", 416 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 417 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 418 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 419 sppp_ipcp_scr 420}; 421 422static const struct cp ipv6cp = { 423 PPP_IPV6CP, IDX_IPV6CP, 424#ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 425 CP_NCP, 426#else 427 0, 428#endif 429 "ipv6cp", 430 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 431 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 432 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 433 sppp_ipv6cp_scr 434}; 435 436static const struct cp pap = { 437 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 438 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 439 sppp_pap_TO, 0, 0, 0, 440 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 441 sppp_pap_scr 442}; 443 444static const struct cp chap = { 445 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 446 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 447 sppp_chap_TO, 0, 0, 0, 448 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 449 sppp_chap_scr 450}; 451 452static const struct cp *cps[IDX_COUNT] = { 453 &lcp, /* IDX_LCP */ 454 &ipcp, /* IDX_IPCP */ 455 &ipv6cp, /* IDX_IPV6CP */ 456 &pap, /* IDX_PAP */ 457 &chap, /* IDX_CHAP */ 458}; 459 460 461void spppattach(int); 462void 463/*ARGSUSED*/ 464spppattach(int count) 465{ 466} 467 468/* 469 * Exported functions, comprising our interface to the lower layer. 470 */ 471 472/* 473 * Process the received packet. 474 */ 475void 476sppp_input(struct ifnet *ifp, struct mbuf *m) 477{ 478 struct ppp_header *h = NULL; 479 struct ifqueue *inq = 0; 480 uint16_t protocol; 481 int s; 482 struct sppp *sp = (struct sppp *)ifp; 483 int debug = ifp->if_flags & IFF_DEBUG; 484 485 if (ifp->if_flags & IFF_UP) { 486 /* Count received bytes, add hardware framing */ 487 ifp->if_ibytes += m->m_pkthdr.len + sp->pp_framebytes; 488 /* Note time of last receive */ 489 sp->pp_last_receive = time_uptime; 490 } 491 492 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 493 /* Too small packet, drop it. */ 494 if (debug) 495 log(LOG_DEBUG, 496 "%s: input packet is too small, %d bytes\n", 497 ifp->if_xname, m->m_pkthdr.len); 498 drop: 499 ++ifp->if_ierrors; 500 ++ifp->if_iqdrops; 501 m_freem(m); 502 return; 503 } 504 505 if (sp->pp_flags & PP_NOFRAMING) { 506 memcpy(&protocol, mtod(m, void *), 2); 507 protocol = ntohs(protocol); 508 m_adj(m, 2); 509 } else { 510 511 /* Get PPP header. */ 512 h = mtod(m, struct ppp_header *); 513 m_adj(m, PPP_HEADER_LEN); 514 515 switch (h->address) { 516 case PPP_ALLSTATIONS: 517 if (h->control != PPP_UI) 518 goto invalid; 519 if (sp->pp_flags & PP_CISCO) { 520 if (debug) 521 log(LOG_DEBUG, 522 "%s: PPP packet in Cisco mode " 523 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 524 ifp->if_xname, 525 h->address, h->control, ntohs(h->protocol)); 526 goto drop; 527 } 528 break; 529 case CISCO_MULTICAST: 530 case CISCO_UNICAST: 531 /* Don't check the control field here (RFC 1547). */ 532 if (! (sp->pp_flags & PP_CISCO)) { 533 if (debug) 534 log(LOG_DEBUG, 535 "%s: Cisco packet in PPP mode " 536 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 537 ifp->if_xname, 538 h->address, h->control, ntohs(h->protocol)); 539 goto drop; 540 } 541 switch (ntohs(h->protocol)) { 542 default: 543 ++ifp->if_noproto; 544 goto invalid; 545 case CISCO_KEEPALIVE: 546 sppp_cisco_input((struct sppp *) ifp, m); 547 m_freem(m); 548 return; 549#ifdef INET 550 case ETHERTYPE_IP: 551 schednetisr(NETISR_IP); 552 inq = &ipintrq; 553 break; 554#endif 555#ifdef INET6 556 case ETHERTYPE_IPV6: 557 schednetisr(NETISR_IPV6); 558 inq = &ip6intrq; 559 break; 560#endif 561#ifdef IPX 562 case ETHERTYPE_IPX: 563 schednetisr(NETISR_IPX); 564 inq = &ipxintrq; 565 break; 566#endif 567 } 568 goto queue_pkt; 569 default: /* Invalid PPP packet. */ 570 invalid: 571 if (debug) 572 log(LOG_DEBUG, 573 "%s: invalid input packet " 574 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 575 ifp->if_xname, 576 h->address, h->control, ntohs(h->protocol)); 577 goto drop; 578 } 579 protocol = ntohs(h->protocol); 580 } 581 582 switch (protocol) { 583 default: 584 if (sp->state[IDX_LCP] == STATE_OPENED) { 585 uint16_t prot = htons(protocol); 586 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 587 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 588 &prot); 589 } 590 if (debug) 591 log(LOG_DEBUG, 592 "%s: invalid input protocol " 593 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol)); 594 ++ifp->if_noproto; 595 goto drop; 596 case PPP_LCP: 597 sppp_cp_input(&lcp, sp, m); 598 m_freem(m); 599 return; 600 case PPP_PAP: 601 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 602 sppp_pap_input(sp, m); 603 m_freem(m); 604 return; 605 case PPP_CHAP: 606 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) 607 sppp_chap_input(sp, m); 608 m_freem(m); 609 return; 610#ifdef INET 611 case PPP_IPCP: 612 if (sp->pp_phase == SPPP_PHASE_NETWORK) 613 sppp_cp_input(&ipcp, sp, m); 614 m_freem(m); 615 return; 616 case PPP_IP: 617 if (sp->state[IDX_IPCP] == STATE_OPENED) { 618 schednetisr(NETISR_IP); 619 inq = &ipintrq; 620 sp->pp_last_activity = time_uptime; 621 } 622 break; 623#endif 624#ifdef INET6 625 case PPP_IPV6CP: 626 if (sp->pp_phase == SPPP_PHASE_NETWORK) 627 sppp_cp_input(&ipv6cp, sp, m); 628 m_freem(m); 629 return; 630 631 case PPP_IPV6: 632 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 633 schednetisr(NETISR_IPV6); 634 inq = &ip6intrq; 635 sp->pp_last_activity = time_uptime; 636 } 637 break; 638#endif 639#ifdef IPX 640 case PPP_IPX: 641 /* IPX IPXCP not implemented yet */ 642 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 643 schednetisr(NETISR_IPX); 644 inq = &ipxintrq; 645 } 646 break; 647#endif 648#ifdef ISO 649 case PPP_ISO: 650 /* OSI NLCP not implemented yet */ 651 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 652 schednetisr(NETISR_ISO); 653 inq = &clnlintrq; 654 } 655 break; 656#endif 657 } 658 659queue_pkt: 660 if (! (ifp->if_flags & IFF_UP) || ! inq) 661 goto drop; 662 663 /* Check queue. */ 664 s = splnet(); 665 if (IF_QFULL(inq)) { 666 /* Queue overflow. */ 667 IF_DROP(inq); 668 splx(s); 669 if (debug) 670 log(LOG_DEBUG, "%s: protocol queue overflow\n", 671 ifp->if_xname); 672 goto drop; 673 } 674 IF_ENQUEUE(inq, m); 675 splx(s); 676} 677 678/* 679 * Enqueue transmit packet. 680 */ 681static int 682sppp_output(struct ifnet *ifp, struct mbuf *m, 683 const struct sockaddr *dst, struct rtentry *rt) 684{ 685 struct sppp *sp = (struct sppp *) ifp; 686 struct ppp_header *h = NULL; 687 struct ifqueue *ifq = NULL; /* XXX */ 688 int s, error = 0; 689 uint16_t protocol; 690 ALTQ_DECL(struct altq_pktattr pktattr;) 691 692 s = splnet(); 693 694 sp->pp_last_activity = time_uptime; 695 696 if ((ifp->if_flags & IFF_UP) == 0 || 697 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 698 m_freem(m); 699 splx(s); 700 return (ENETDOWN); 701 } 702 703 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 704 /* 705 * Interface is not yet running, but auto-dial. Need 706 * to start LCP for it. 707 */ 708 ifp->if_flags |= IFF_RUNNING; 709 splx(s); 710 lcp.Open(sp); 711 s = splnet(); 712 } 713 714 /* 715 * If the queueing discipline needs packet classification, 716 * do it before prepending link headers. 717 */ 718 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family, &pktattr); 719 720#ifdef INET 721 if (dst->sa_family == AF_INET) { 722 struct ip *ip = NULL; 723 struct tcphdr *th = NULL; 724 725 if (m->m_len >= sizeof(struct ip)) { 726 ip = mtod(m, struct ip *); 727 if (ip->ip_p == IPPROTO_TCP && 728 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 729 sizeof(struct tcphdr)) { 730 th = (struct tcphdr *) 731 ((char *)ip + (ip->ip_hl << 2)); 732 } 733 } else 734 ip = NULL; 735 736 /* 737 * When using dynamic local IP address assignment by using 738 * 0.0.0.0 as a local address, the first TCP session will 739 * not connect because the local TCP checksum is computed 740 * using 0.0.0.0 which will later become our real IP address 741 * so the TCP checksum computed at the remote end will 742 * become invalid. So we 743 * - don't let packets with src ip addr 0 thru 744 * - we flag TCP packets with src ip 0 as an error 745 */ 746 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 747 uint8_t proto = ip->ip_p; 748 749 m_freem(m); 750 splx(s); 751 if (proto == IPPROTO_TCP) 752 return (EADDRNOTAVAIL); 753 else 754 return (0); 755 } 756 757 /* 758 * Put low delay, telnet, rlogin and ftp control packets 759 * in front of the queue. 760 */ 761 762 if (!IF_QFULL(&sp->pp_fastq) && 763 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 764 (th && (INTERACTIVE(ntohs(th->th_sport)) || 765 INTERACTIVE(ntohs(th->th_dport)))))) 766 ifq = &sp->pp_fastq; 767 } 768#endif 769 770#ifdef INET6 771 if (dst->sa_family == AF_INET6) { 772 /* XXX do something tricky here? */ 773 } 774#endif 775 776 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 777 /* 778 * Prepend general data packet PPP header. For now, IP only. 779 */ 780 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 781 if (! m) { 782 if (ifp->if_flags & IFF_DEBUG) 783 log(LOG_DEBUG, "%s: no memory for transmit header\n", 784 ifp->if_xname); 785 ++ifp->if_oerrors; 786 splx(s); 787 return (ENOBUFS); 788 } 789 /* 790 * May want to check size of packet 791 * (albeit due to the implementation it's always enough) 792 */ 793 h = mtod(m, struct ppp_header *); 794 if (sp->pp_flags & PP_CISCO) { 795 h->address = CISCO_UNICAST; /* unicast address */ 796 h->control = 0; 797 } else { 798 h->address = PPP_ALLSTATIONS; /* broadcast address */ 799 h->control = PPP_UI; /* Unnumbered Info */ 800 } 801 } 802 803 switch (dst->sa_family) { 804#ifdef INET 805 case AF_INET: /* Internet Protocol */ 806 if (sp->pp_flags & PP_CISCO) 807 protocol = htons(ETHERTYPE_IP); 808 else { 809 /* 810 * Don't choke with an ENETDOWN early. It's 811 * possible that we just started dialing out, 812 * so don't drop the packet immediately. If 813 * we notice that we run out of buffer space 814 * below, we will however remember that we are 815 * not ready to carry IP packets, and return 816 * ENETDOWN, as opposed to ENOBUFS. 817 */ 818 protocol = htons(PPP_IP); 819 if (sp->state[IDX_IPCP] != STATE_OPENED) 820 error = ENETDOWN; 821 } 822 break; 823#endif 824#ifdef INET6 825 case AF_INET6: /* Internet Protocol version 6 */ 826 if (sp->pp_flags & PP_CISCO) 827 protocol = htons(ETHERTYPE_IPV6); 828 else { 829 /* 830 * Don't choke with an ENETDOWN early. It's 831 * possible that we just started dialing out, 832 * so don't drop the packet immediately. If 833 * we notice that we run out of buffer space 834 * below, we will however remember that we are 835 * not ready to carry IP packets, and return 836 * ENETDOWN, as opposed to ENOBUFS. 837 */ 838 protocol = htons(PPP_IPV6); 839 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 840 error = ENETDOWN; 841 } 842 break; 843#endif 844#ifdef IPX 845 case AF_IPX: /* Novell IPX Protocol */ 846 protocol = htons((sp->pp_flags & PP_CISCO) ? 847 ETHERTYPE_IPX : PPP_IPX); 848 break; 849#endif 850#ifdef ISO 851 case AF_ISO: /* ISO OSI Protocol */ 852 if (sp->pp_flags & PP_CISCO) 853 goto nosupport; 854 protocol = htons(PPP_ISO); 855 break; 856nosupport: 857#endif 858 default: 859 m_freem(m); 860 ++ifp->if_oerrors; 861 splx(s); 862 return (EAFNOSUPPORT); 863 } 864 865 if (sp->pp_flags & PP_NOFRAMING) { 866 M_PREPEND(m, 2, M_DONTWAIT); 867 if (m == NULL) { 868 if (ifp->if_flags & IFF_DEBUG) 869 log(LOG_DEBUG, "%s: no memory for transmit header\n", 870 ifp->if_xname); 871 ++ifp->if_oerrors; 872 splx(s); 873 return (ENOBUFS); 874 } 875 *mtod(m, uint16_t *) = protocol; 876 } else { 877 h->protocol = protocol; 878 } 879 880 881 error = ifq_enqueue2(ifp, ifq, m ALTQ_COMMA ALTQ_DECL(&pktattr)); 882 883 if (error == 0) { 884 /* 885 * Count output packets and bytes. 886 * The packet length includes header + additional hardware 887 * framing according to RFC 1333. 888 */ 889 if (!(ifp->if_flags & IFF_OACTIVE)) 890 (*ifp->if_start)(ifp); 891 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 892 } 893 splx(s); 894 return error; 895} 896 897void 898sppp_attach(struct ifnet *ifp) 899{ 900 struct sppp *sp = (struct sppp *) ifp; 901 902 /* Initialize keepalive handler. */ 903 if (! spppq) { 904 callout_init(&keepalive_ch, 0); 905 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 906 } 907 908 /* Insert new entry into the keepalive list. */ 909 sp->pp_next = spppq; 910 spppq = sp; 911 912 sp->pp_if.if_type = IFT_PPP; 913 sp->pp_if.if_output = sppp_output; 914 sp->pp_fastq.ifq_maxlen = 32; 915 sp->pp_cpq.ifq_maxlen = 20; 916 sp->pp_loopcnt = 0; 917 sp->pp_alivecnt = 0; 918 sp->pp_last_activity = 0; 919 sp->pp_last_receive = 0; 920 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 921 sp->pp_max_noreceive = DEFAULT_NORECV_TIME; 922 sp->pp_idle_timeout = 0; 923 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq)); 924 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq)); 925 sp->pp_auth_failures = 0; 926 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 927 sp->pp_phase = SPPP_PHASE_DEAD; 928 sp->pp_up = lcp.Up; 929 sp->pp_down = lcp.Down; 930 931 if_alloc_sadl(ifp); 932 933 memset(&sp->myauth, 0, sizeof sp->myauth); 934 memset(&sp->hisauth, 0, sizeof sp->hisauth); 935 sppp_lcp_init(sp); 936 sppp_ipcp_init(sp); 937 sppp_ipv6cp_init(sp); 938 sppp_pap_init(sp); 939 sppp_chap_init(sp); 940} 941 942void 943sppp_detach(struct ifnet *ifp) 944{ 945 struct sppp **q, *p, *sp = (struct sppp *) ifp; 946 947 /* Remove the entry from the keepalive list. */ 948 for (q = &spppq; (p = *q); q = &p->pp_next) 949 if (p == sp) { 950 *q = p->pp_next; 951 break; 952 } 953 954 /* Stop keepalive handler. */ 955 if (! spppq) { 956 callout_stop(&keepalive_ch); 957 } 958 959 callout_stop(&sp->ch[IDX_LCP]); 960 callout_stop(&sp->ch[IDX_IPCP]); 961 callout_stop(&sp->ch[IDX_PAP]); 962 callout_stop(&sp->ch[IDX_CHAP]); 963#ifdef INET6 964 callout_stop(&sp->ch[IDX_IPV6CP]); 965#endif 966 callout_stop(&sp->pap_my_to_ch); 967 968 /* free authentication info */ 969 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 970 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 971 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 972 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 973 974#if 0 /* done in if_detach() */ 975 if_free_sadl(ifp); 976#endif 977} 978 979/* 980 * Flush the interface output queue. 981 */ 982void 983sppp_flush(struct ifnet *ifp) 984{ 985 struct sppp *sp = (struct sppp *) ifp; 986 987 IFQ_PURGE(&sp->pp_if.if_snd); 988 IF_PURGE(&sp->pp_fastq); 989 IF_PURGE(&sp->pp_cpq); 990} 991 992/* 993 * Check if the output queue is empty. 994 */ 995int 996sppp_isempty(struct ifnet *ifp) 997{ 998 struct sppp *sp = (struct sppp *) ifp; 999 int empty, s; 1000 1001 s = splnet(); 1002 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 1003 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 1004 splx(s); 1005 return (empty); 1006} 1007 1008/* 1009 * Get next packet to send. 1010 */ 1011struct mbuf * 1012sppp_dequeue(struct ifnet *ifp) 1013{ 1014 struct sppp *sp = (struct sppp *) ifp; 1015 struct mbuf *m; 1016 int s; 1017 1018 s = splnet(); 1019 /* 1020 * Process only the control protocol queue until we have at 1021 * least one NCP open. 1022 * 1023 * Do always serve all three queues in Cisco mode. 1024 */ 1025 IF_DEQUEUE(&sp->pp_cpq, m); 1026 if (m == NULL && 1027 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) { 1028 IF_DEQUEUE(&sp->pp_fastq, m); 1029 if (m == NULL) 1030 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 1031 } 1032 splx(s); 1033 return m; 1034} 1035 1036/* 1037 * Process an ioctl request. Called on low priority level. 1038 */ 1039int 1040sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1041{ 1042 struct lwp *l = curlwp; /* XXX */ 1043 struct ifreq *ifr = (struct ifreq *) data; 1044 struct sppp *sp = (struct sppp *) ifp; 1045 int s, error=0, going_up, going_down, newmode; 1046 1047 s = splnet(); 1048 switch (cmd) { 1049 case SIOCINITIFADDR: 1050 break; 1051 1052 case SIOCSIFFLAGS: 1053 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1054 break; 1055 going_up = ifp->if_flags & IFF_UP && 1056 (ifp->if_flags & IFF_RUNNING) == 0; 1057 going_down = (ifp->if_flags & IFF_UP) == 0 && 1058 ifp->if_flags & IFF_RUNNING; 1059 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1060 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1061 /* sanity */ 1062 newmode = IFF_PASSIVE; 1063 ifp->if_flags &= ~IFF_AUTO; 1064 } 1065 1066 if (going_up || going_down) 1067 lcp.Close(sp); 1068 if (going_up && newmode == 0) { 1069 /* neither auto-dial nor passive */ 1070 ifp->if_flags |= IFF_RUNNING; 1071 if (!(sp->pp_flags & PP_CISCO)) 1072 lcp.Open(sp); 1073 } else if (going_down) { 1074 sppp_flush(ifp); 1075 ifp->if_flags &= ~IFF_RUNNING; 1076 } 1077 1078 break; 1079 1080 case SIOCSIFMTU: 1081 if (ifr->ifr_mtu < PPP_MINMRU || 1082 ifr->ifr_mtu > sp->lcp.their_mru) { 1083 error = EINVAL; 1084 break; 1085 } 1086 /*FALLTHROUGH*/ 1087 case SIOCGIFMTU: 1088 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1089 error = 0; 1090 break; 1091 case SIOCADDMULTI: 1092 case SIOCDELMULTI: 1093 break; 1094 1095 case SPPPSETAUTHCFG: 1096 case SPPPSETLCPCFG: 1097 case SPPPSETIDLETO: 1098 case SPPPSETAUTHFAILURE: 1099 case SPPPSETDNSOPTS: 1100 case SPPPSETKEEPALIVE: 1101#if defined(COMPAT_50) || defined(MODULAR) 1102 case __SPPPSETIDLETO50: 1103 case __SPPPSETKEEPALIVE50: 1104#endif /* COMPAT_50 || MODULAR */ 1105 error = kauth_authorize_network(l->l_cred, 1106 KAUTH_NETWORK_INTERFACE, 1107 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1108 NULL); 1109 if (error) 1110 break; 1111 error = sppp_params(sp, cmd, data); 1112 break; 1113 1114 case SPPPGETAUTHCFG: 1115 case SPPPGETLCPCFG: 1116 case SPPPGETAUTHFAILURES: 1117 error = kauth_authorize_network(l->l_cred, 1118 KAUTH_NETWORK_INTERFACE, 1119 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1120 NULL); 1121 if (error) 1122 break; 1123 error = sppp_params(sp, cmd, data); 1124 break; 1125 1126 case SPPPGETSTATUS: 1127 case SPPPGETSTATUSNCP: 1128 case SPPPGETIDLETO: 1129 case SPPPGETDNSOPTS: 1130 case SPPPGETDNSADDRS: 1131 case SPPPGETKEEPALIVE: 1132#if defined(COMPAT_50) || defined(MODULAR) 1133 case __SPPPGETIDLETO50: 1134 case __SPPPGETKEEPALIVE50: 1135#endif /* COMPAT_50 || MODULAR */ 1136 error = sppp_params(sp, cmd, data); 1137 break; 1138 1139 default: 1140 error = ifioctl_common(ifp, cmd, data); 1141 break; 1142 } 1143 splx(s); 1144 return (error); 1145} 1146 1147 1148/* 1149 * Cisco framing implementation. 1150 */ 1151 1152/* 1153 * Handle incoming Cisco keepalive protocol packets. 1154 */ 1155static void 1156sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1157{ 1158 STDDCL; 1159 struct cisco_packet *h; 1160#ifdef INET 1161 uint32_t me, mymask = 0; /* XXX: GCC */ 1162#endif 1163 1164 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1165 if (debug) 1166 log(LOG_DEBUG, 1167 "%s: cisco invalid packet length: %d bytes\n", 1168 ifp->if_xname, m->m_pkthdr.len); 1169 return; 1170 } 1171 h = mtod(m, struct cisco_packet *); 1172 if (debug) 1173 log(LOG_DEBUG, 1174 "%s: cisco input: %d bytes " 1175 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1176 ifp->if_xname, m->m_pkthdr.len, 1177 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1178 (u_int)h->time0, (u_int)h->time1); 1179 switch (ntohl(h->type)) { 1180 default: 1181 if (debug) 1182 addlog("%s: cisco unknown packet type: 0x%x\n", 1183 ifp->if_xname, ntohl(h->type)); 1184 break; 1185 case CISCO_ADDR_REPLY: 1186 /* Reply on address request, ignore */ 1187 break; 1188 case CISCO_KEEPALIVE_REQ: 1189 sp->pp_alivecnt = 0; 1190 sp->pp_rseq[IDX_LCP] = ntohl(h->par1); 1191 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1192 /* Local and remote sequence numbers are equal. 1193 * Probably, the line is in loopback mode. */ 1194 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1195 printf ("%s: loopback\n", 1196 ifp->if_xname); 1197 sp->pp_loopcnt = 0; 1198 if (ifp->if_flags & IFF_UP) { 1199 if_down(ifp); 1200 IF_PURGE(&sp->pp_cpq); 1201 } 1202 } 1203 ++sp->pp_loopcnt; 1204 1205 /* Generate new local sequence number */ 1206 sp->pp_seq[IDX_LCP] = cprng_fast32(); 1207 break; 1208 } 1209 sp->pp_loopcnt = 0; 1210 if (! (ifp->if_flags & IFF_UP) && 1211 (ifp->if_flags & IFF_RUNNING)) { 1212 if_up(ifp); 1213 } 1214 break; 1215 case CISCO_ADDR_REQ: 1216#ifdef INET 1217 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1218 if (me != 0L) 1219 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1220#endif 1221 break; 1222 } 1223} 1224 1225/* 1226 * Send Cisco keepalive packet. 1227 */ 1228static void 1229sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1230{ 1231 STDDCL; 1232 struct ppp_header *h; 1233 struct cisco_packet *ch; 1234 struct mbuf *m; 1235 uint32_t t; 1236 1237 t = time_uptime * 1000; 1238 MGETHDR(m, M_DONTWAIT, MT_DATA); 1239 if (! m) 1240 return; 1241 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1242 m->m_pkthdr.rcvif = 0; 1243 1244 h = mtod(m, struct ppp_header *); 1245 h->address = CISCO_MULTICAST; 1246 h->control = 0; 1247 h->protocol = htons(CISCO_KEEPALIVE); 1248 1249 ch = (struct cisco_packet *)(h + 1); 1250 ch->type = htonl(type); 1251 ch->par1 = htonl(par1); 1252 ch->par2 = htonl(par2); 1253 ch->rel = -1; 1254 1255 ch->time0 = htons((u_short)(t >> 16)); 1256 ch->time1 = htons((u_short) t); 1257 1258 if (debug) 1259 log(LOG_DEBUG, 1260 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1261 ifp->if_xname, ntohl(ch->type), ch->par1, 1262 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1263 (u_int)ch->time1); 1264 1265 if (IF_QFULL(&sp->pp_cpq)) { 1266 IF_DROP(&sp->pp_fastq); 1267 IF_DROP(&ifp->if_snd); 1268 m_freem(m); 1269 ++ifp->if_oerrors; 1270 return; 1271 } else 1272 IF_ENQUEUE(&sp->pp_cpq, m); 1273 if (! (ifp->if_flags & IFF_OACTIVE)) 1274 (*ifp->if_start)(ifp); 1275 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1276} 1277 1278/* 1279 * PPP protocol implementation. 1280 */ 1281 1282/* 1283 * Send PPP control protocol packet. 1284 */ 1285static void 1286sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1287 u_char ident, u_short len, void *data) 1288{ 1289 STDDCL; 1290 struct lcp_header *lh; 1291 struct mbuf *m; 1292 size_t pkthdrlen; 1293 1294 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1295 1296 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1297 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1298 MGETHDR(m, M_DONTWAIT, MT_DATA); 1299 if (! m) 1300 return; 1301 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1302 m->m_pkthdr.rcvif = 0; 1303 1304 if (sp->pp_flags & PP_NOFRAMING) { 1305 *mtod(m, uint16_t *) = htons(proto); 1306 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1307 } else { 1308 struct ppp_header *h; 1309 h = mtod(m, struct ppp_header *); 1310 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1311 h->control = PPP_UI; /* Unnumbered Info */ 1312 h->protocol = htons(proto); /* Link Control Protocol */ 1313 lh = (struct lcp_header *)(h + 1); 1314 } 1315 lh->type = type; 1316 lh->ident = ident; 1317 lh->len = htons(LCP_HEADER_LEN + len); 1318 if (len) 1319 bcopy (data, lh + 1, len); 1320 1321 if (debug) { 1322 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1323 ifp->if_xname, 1324 sppp_proto_name(proto), 1325 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len)); 1326 if (len) 1327 sppp_print_bytes((u_char *)(lh + 1), len); 1328 addlog(">\n"); 1329 } 1330 if (IF_QFULL(&sp->pp_cpq)) { 1331 IF_DROP(&sp->pp_fastq); 1332 IF_DROP(&ifp->if_snd); 1333 m_freem(m); 1334 ++ifp->if_oerrors; 1335 return; 1336 } else 1337 IF_ENQUEUE(&sp->pp_cpq, m); 1338 if (! (ifp->if_flags & IFF_OACTIVE)) 1339 (*ifp->if_start)(ifp); 1340 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1341} 1342 1343/* 1344 * Handle incoming PPP control protocol packets. 1345 */ 1346static void 1347sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1348{ 1349 STDDCL; 1350 struct lcp_header *h; 1351 int printlen, len = m->m_pkthdr.len; 1352 int rv; 1353 u_char *p; 1354 uint32_t u32; 1355 1356 if (len < 4) { 1357 if (debug) 1358 log(LOG_DEBUG, 1359 "%s: %s invalid packet length: %d bytes\n", 1360 ifp->if_xname, cp->name, len); 1361 return; 1362 } 1363 h = mtod(m, struct lcp_header *); 1364 if (debug) { 1365 printlen = ntohs(h->len); 1366 log(LOG_DEBUG, 1367 "%s: %s input(%s): <%s id=0x%x len=%d", 1368 ifp->if_xname, cp->name, 1369 sppp_state_name(sp->state[cp->protoidx]), 1370 sppp_cp_type_name(h->type), h->ident, printlen); 1371 if (len < printlen) 1372 printlen = len; 1373 if (printlen > 4) 1374 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1375 addlog(">\n"); 1376 } 1377 if (len > ntohs(h->len)) 1378 len = ntohs(h->len); 1379 p = (u_char *)(h + 1); 1380 switch (h->type) { 1381 case CONF_REQ: 1382 if (len < 4) { 1383 if (debug) 1384 addlog("%s: %s invalid conf-req length %d\n", 1385 ifp->if_xname, cp->name, 1386 len); 1387 ++ifp->if_ierrors; 1388 break; 1389 } 1390 /* handle states where RCR doesn't get a SCA/SCN */ 1391 switch (sp->state[cp->protoidx]) { 1392 case STATE_CLOSING: 1393 case STATE_STOPPING: 1394 return; 1395 case STATE_CLOSED: 1396 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1397 0, 0); 1398 return; 1399 } 1400 rv = (cp->RCR)(sp, h, len); 1401 if (rv < 0) { 1402 /* fatal error, shut down */ 1403 (cp->tld)(sp); 1404 sppp_lcp_tlf(sp); 1405 return; 1406 } 1407 switch (sp->state[cp->protoidx]) { 1408 case STATE_OPENED: 1409 (cp->tld)(sp); 1410 (cp->scr)(sp); 1411 /* fall through... */ 1412 case STATE_ACK_SENT: 1413 case STATE_REQ_SENT: 1414 sppp_cp_change_state(cp, sp, rv? 1415 STATE_ACK_SENT: STATE_REQ_SENT); 1416 break; 1417 case STATE_STOPPED: 1418 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1419 (cp->scr)(sp); 1420 sppp_cp_change_state(cp, sp, rv? 1421 STATE_ACK_SENT: STATE_REQ_SENT); 1422 break; 1423 case STATE_ACK_RCVD: 1424 if (rv) { 1425 sppp_cp_change_state(cp, sp, STATE_OPENED); 1426 if (debug) 1427 log(LOG_DEBUG, "%s: %s tlu\n", 1428 ifp->if_xname, 1429 cp->name); 1430 (cp->tlu)(sp); 1431 } else 1432 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1433 break; 1434 default: 1435 printf("%s: %s illegal %s in state %s\n", 1436 ifp->if_xname, cp->name, 1437 sppp_cp_type_name(h->type), 1438 sppp_state_name(sp->state[cp->protoidx])); 1439 ++ifp->if_ierrors; 1440 } 1441 break; 1442 case CONF_ACK: 1443 if (h->ident != sp->confid[cp->protoidx]) { 1444 if (debug) 1445 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1446 ifp->if_xname, cp->name, 1447 h->ident, sp->confid[cp->protoidx]); 1448 ++ifp->if_ierrors; 1449 break; 1450 } 1451 switch (sp->state[cp->protoidx]) { 1452 case STATE_CLOSED: 1453 case STATE_STOPPED: 1454 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1455 break; 1456 case STATE_CLOSING: 1457 case STATE_STOPPING: 1458 break; 1459 case STATE_REQ_SENT: 1460 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1461 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1462 break; 1463 case STATE_OPENED: 1464 (cp->tld)(sp); 1465 /* fall through */ 1466 case STATE_ACK_RCVD: 1467 (cp->scr)(sp); 1468 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1469 break; 1470 case STATE_ACK_SENT: 1471 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1472 sppp_cp_change_state(cp, sp, STATE_OPENED); 1473 if (debug) 1474 log(LOG_DEBUG, "%s: %s tlu\n", 1475 ifp->if_xname, cp->name); 1476 (cp->tlu)(sp); 1477 break; 1478 default: 1479 printf("%s: %s illegal %s in state %s\n", 1480 ifp->if_xname, cp->name, 1481 sppp_cp_type_name(h->type), 1482 sppp_state_name(sp->state[cp->protoidx])); 1483 ++ifp->if_ierrors; 1484 } 1485 break; 1486 case CONF_NAK: 1487 case CONF_REJ: 1488 if (h->ident != sp->confid[cp->protoidx]) { 1489 if (debug) 1490 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1491 ifp->if_xname, cp->name, 1492 h->ident, sp->confid[cp->protoidx]); 1493 ++ifp->if_ierrors; 1494 break; 1495 } 1496 if (h->type == CONF_NAK) 1497 (cp->RCN_nak)(sp, h, len); 1498 else /* CONF_REJ */ 1499 (cp->RCN_rej)(sp, h, len); 1500 1501 switch (sp->state[cp->protoidx]) { 1502 case STATE_CLOSED: 1503 case STATE_STOPPED: 1504 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1505 break; 1506 case STATE_REQ_SENT: 1507 case STATE_ACK_SENT: 1508 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1509 (cp->scr)(sp); 1510 break; 1511 case STATE_OPENED: 1512 (cp->tld)(sp); 1513 /* fall through */ 1514 case STATE_ACK_RCVD: 1515 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 1516 (cp->scr)(sp); 1517 break; 1518 case STATE_CLOSING: 1519 case STATE_STOPPING: 1520 break; 1521 default: 1522 printf("%s: %s illegal %s in state %s\n", 1523 ifp->if_xname, cp->name, 1524 sppp_cp_type_name(h->type), 1525 sppp_state_name(sp->state[cp->protoidx])); 1526 ++ifp->if_ierrors; 1527 } 1528 break; 1529 1530 case TERM_REQ: 1531 switch (sp->state[cp->protoidx]) { 1532 case STATE_ACK_RCVD: 1533 case STATE_ACK_SENT: 1534 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1535 /* fall through */ 1536 case STATE_CLOSED: 1537 case STATE_STOPPED: 1538 case STATE_CLOSING: 1539 case STATE_STOPPING: 1540 case STATE_REQ_SENT: 1541 sta: 1542 /* Send Terminate-Ack packet. */ 1543 if (debug) 1544 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 1545 ifp->if_xname, cp->name); 1546 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1547 break; 1548 case STATE_OPENED: 1549 (cp->tld)(sp); 1550 sp->rst_counter[cp->protoidx] = 0; 1551 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1552 goto sta; 1553 default: 1554 printf("%s: %s illegal %s in state %s\n", 1555 ifp->if_xname, cp->name, 1556 sppp_cp_type_name(h->type), 1557 sppp_state_name(sp->state[cp->protoidx])); 1558 ++ifp->if_ierrors; 1559 } 1560 break; 1561 case TERM_ACK: 1562 switch (sp->state[cp->protoidx]) { 1563 case STATE_CLOSED: 1564 case STATE_STOPPED: 1565 case STATE_REQ_SENT: 1566 case STATE_ACK_SENT: 1567 break; 1568 case STATE_CLOSING: 1569 (cp->tlf)(sp); 1570 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1571 sppp_lcp_check_and_close(sp); 1572 break; 1573 case STATE_STOPPING: 1574 (cp->tlf)(sp); 1575 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1576 sppp_lcp_check_and_close(sp); 1577 break; 1578 case STATE_ACK_RCVD: 1579 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1580 break; 1581 case STATE_OPENED: 1582 (cp->tld)(sp); 1583 (cp->scr)(sp); 1584 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1585 break; 1586 default: 1587 printf("%s: %s illegal %s in state %s\n", 1588 ifp->if_xname, cp->name, 1589 sppp_cp_type_name(h->type), 1590 sppp_state_name(sp->state[cp->protoidx])); 1591 ++ifp->if_ierrors; 1592 } 1593 break; 1594 case CODE_REJ: 1595 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1596 log(LOG_INFO, 1597 "%s: %s: ignoring RXJ (%s) for code ?, " 1598 "danger will robinson\n", 1599 ifp->if_xname, cp->name, 1600 sppp_cp_type_name(h->type)); 1601 switch (sp->state[cp->protoidx]) { 1602 case STATE_CLOSED: 1603 case STATE_STOPPED: 1604 case STATE_REQ_SENT: 1605 case STATE_ACK_SENT: 1606 case STATE_CLOSING: 1607 case STATE_STOPPING: 1608 case STATE_OPENED: 1609 break; 1610 case STATE_ACK_RCVD: 1611 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1612 break; 1613 default: 1614 printf("%s: %s illegal %s in state %s\n", 1615 ifp->if_xname, cp->name, 1616 sppp_cp_type_name(h->type), 1617 sppp_state_name(sp->state[cp->protoidx])); 1618 ++ifp->if_ierrors; 1619 } 1620 break; 1621 case PROTO_REJ: 1622 { 1623 int catastrophic; 1624 const struct cp *upper; 1625 int i; 1626 uint16_t proto; 1627 1628 catastrophic = 0; 1629 upper = NULL; 1630 proto = p[0] << 8 | p[1]; 1631 for (i = 0; i < IDX_COUNT; i++) { 1632 if (cps[i]->proto == proto) { 1633 upper = cps[i]; 1634 break; 1635 } 1636 } 1637 if (upper == NULL) 1638 catastrophic++; 1639 1640 if (debug) 1641 log(LOG_INFO, 1642 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1643 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1644 sppp_cp_type_name(h->type), proto, 1645 upper ? upper->name : "unknown", 1646 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1647 1648 /* 1649 * if we got RXJ+ against conf-req, the peer does not implement 1650 * this particular protocol type. terminate the protocol. 1651 */ 1652 if (upper && !catastrophic) { 1653 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1654 upper->Close(sp); 1655 break; 1656 } 1657 } 1658 1659 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1660 switch (sp->state[cp->protoidx]) { 1661 case STATE_CLOSED: 1662 case STATE_STOPPED: 1663 case STATE_REQ_SENT: 1664 case STATE_ACK_SENT: 1665 case STATE_CLOSING: 1666 case STATE_STOPPING: 1667 case STATE_OPENED: 1668 break; 1669 case STATE_ACK_RCVD: 1670 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1671 break; 1672 default: 1673 printf("%s: %s illegal %s in state %s\n", 1674 ifp->if_xname, cp->name, 1675 sppp_cp_type_name(h->type), 1676 sppp_state_name(sp->state[cp->protoidx])); 1677 ++ifp->if_ierrors; 1678 } 1679 break; 1680 } 1681 case DISC_REQ: 1682 if (cp->proto != PPP_LCP) 1683 goto illegal; 1684 /* Discard the packet. */ 1685 break; 1686 case ECHO_REQ: 1687 if (cp->proto != PPP_LCP) 1688 goto illegal; 1689 if (sp->state[cp->protoidx] != STATE_OPENED) { 1690 if (debug) 1691 addlog("%s: lcp echo req but lcp closed\n", 1692 ifp->if_xname); 1693 ++ifp->if_ierrors; 1694 break; 1695 } 1696 if (len < 8) { 1697 if (debug) 1698 addlog("%s: invalid lcp echo request " 1699 "packet length: %d bytes\n", 1700 ifp->if_xname, len); 1701 break; 1702 } 1703 memcpy(&u32, h + 1, sizeof u32); 1704 if (ntohl(u32) == sp->lcp.magic) { 1705 /* Line loopback mode detected. */ 1706 printf("%s: loopback\n", ifp->if_xname); 1707 if_down(ifp); 1708 IF_PURGE(&sp->pp_cpq); 1709 1710 /* Shut down the PPP link. */ 1711 /* XXX */ 1712 lcp.Down(sp); 1713 lcp.Up(sp); 1714 break; 1715 } 1716 u32 = htonl(sp->lcp.magic); 1717 memcpy(h + 1, &u32, sizeof u32); 1718 if (debug) 1719 addlog("%s: got lcp echo req, sending echo rep\n", 1720 ifp->if_xname); 1721 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1722 h + 1); 1723 break; 1724 case ECHO_REPLY: 1725 if (cp->proto != PPP_LCP) 1726 goto illegal; 1727 if (h->ident != sp->lcp.echoid) { 1728 ++ifp->if_ierrors; 1729 break; 1730 } 1731 if (len < 8) { 1732 if (debug) 1733 addlog("%s: lcp invalid echo reply " 1734 "packet length: %d bytes\n", 1735 ifp->if_xname, len); 1736 break; 1737 } 1738 if (debug) 1739 addlog("%s: lcp got echo rep\n", 1740 ifp->if_xname); 1741 memcpy(&u32, h + 1, sizeof u32); 1742 if (ntohl(u32) != sp->lcp.magic) 1743 sp->pp_alivecnt = 0; 1744 break; 1745 default: 1746 /* Unknown packet type -- send Code-Reject packet. */ 1747 illegal: 1748 if (debug) 1749 addlog("%s: %s send code-rej for 0x%x\n", 1750 ifp->if_xname, cp->name, h->type); 1751 sppp_cp_send(sp, cp->proto, CODE_REJ, 1752 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1753 ++ifp->if_ierrors; 1754 } 1755} 1756 1757 1758/* 1759 * The generic part of all Up/Down/Open/Close/TO event handlers. 1760 * Basically, the state transition handling in the automaton. 1761 */ 1762static void 1763sppp_up_event(const struct cp *cp, struct sppp *sp) 1764{ 1765 STDDCL; 1766 1767 if (debug) 1768 log(LOG_DEBUG, "%s: %s up(%s)\n", 1769 ifp->if_xname, cp->name, 1770 sppp_state_name(sp->state[cp->protoidx])); 1771 1772 switch (sp->state[cp->protoidx]) { 1773 case STATE_INITIAL: 1774 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1775 break; 1776 case STATE_STARTING: 1777 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1778 (cp->scr)(sp); 1779 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1780 break; 1781 default: 1782 printf("%s: %s illegal up in state %s\n", 1783 ifp->if_xname, cp->name, 1784 sppp_state_name(sp->state[cp->protoidx])); 1785 } 1786} 1787 1788static void 1789sppp_down_event(const struct cp *cp, struct sppp *sp) 1790{ 1791 STDDCL; 1792 1793 if (debug) 1794 log(LOG_DEBUG, "%s: %s down(%s)\n", 1795 ifp->if_xname, cp->name, 1796 sppp_state_name(sp->state[cp->protoidx])); 1797 1798 switch (sp->state[cp->protoidx]) { 1799 case STATE_CLOSED: 1800 case STATE_CLOSING: 1801 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1802 break; 1803 case STATE_STOPPED: 1804 (cp->tls)(sp); 1805 /* fall through */ 1806 case STATE_STOPPING: 1807 case STATE_REQ_SENT: 1808 case STATE_ACK_RCVD: 1809 case STATE_ACK_SENT: 1810 sppp_cp_change_state(cp, sp, STATE_STARTING); 1811 break; 1812 case STATE_OPENED: 1813 (cp->tld)(sp); 1814 sppp_cp_change_state(cp, sp, STATE_STARTING); 1815 break; 1816 default: 1817 printf("%s: %s illegal down in state %s\n", 1818 ifp->if_xname, cp->name, 1819 sppp_state_name(sp->state[cp->protoidx])); 1820 } 1821} 1822 1823 1824static void 1825sppp_open_event(const struct cp *cp, struct sppp *sp) 1826{ 1827 STDDCL; 1828 1829 if (debug) 1830 log(LOG_DEBUG, "%s: %s open(%s)\n", 1831 ifp->if_xname, cp->name, 1832 sppp_state_name(sp->state[cp->protoidx])); 1833 1834 switch (sp->state[cp->protoidx]) { 1835 case STATE_INITIAL: 1836 sppp_cp_change_state(cp, sp, STATE_STARTING); 1837 (cp->tls)(sp); 1838 break; 1839 case STATE_STARTING: 1840 break; 1841 case STATE_CLOSED: 1842 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1843 (cp->scr)(sp); 1844 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1845 break; 1846 case STATE_STOPPED: 1847 case STATE_STOPPING: 1848 case STATE_REQ_SENT: 1849 case STATE_ACK_RCVD: 1850 case STATE_ACK_SENT: 1851 case STATE_OPENED: 1852 break; 1853 case STATE_CLOSING: 1854 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1855 break; 1856 } 1857} 1858 1859 1860static void 1861sppp_close_event(const struct cp *cp, struct sppp *sp) 1862{ 1863 STDDCL; 1864 1865 if (debug) 1866 log(LOG_DEBUG, "%s: %s close(%s)\n", 1867 ifp->if_xname, cp->name, 1868 sppp_state_name(sp->state[cp->protoidx])); 1869 1870 switch (sp->state[cp->protoidx]) { 1871 case STATE_INITIAL: 1872 case STATE_CLOSED: 1873 case STATE_CLOSING: 1874 break; 1875 case STATE_STARTING: 1876 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1877 (cp->tlf)(sp); 1878 break; 1879 case STATE_STOPPED: 1880 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1881 break; 1882 case STATE_STOPPING: 1883 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1884 break; 1885 case STATE_OPENED: 1886 (cp->tld)(sp); 1887 /* fall through */ 1888 case STATE_REQ_SENT: 1889 case STATE_ACK_RCVD: 1890 case STATE_ACK_SENT: 1891 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 1892 sppp_cp_send(sp, cp->proto, TERM_REQ, 1893 ++sp->pp_seq[cp->protoidx], 0, 0); 1894 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1895 break; 1896 } 1897} 1898 1899static void 1900sppp_to_event(const struct cp *cp, struct sppp *sp) 1901{ 1902 STDDCL; 1903 int s; 1904 1905 s = splnet(); 1906 if (debug) 1907 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 1908 ifp->if_xname, cp->name, 1909 sppp_state_name(sp->state[cp->protoidx]), 1910 sp->rst_counter[cp->protoidx]); 1911 1912 if (--sp->rst_counter[cp->protoidx] < 0) 1913 /* TO- event */ 1914 switch (sp->state[cp->protoidx]) { 1915 case STATE_CLOSING: 1916 (cp->tlf)(sp); 1917 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1918 sppp_lcp_check_and_close(sp); 1919 break; 1920 case STATE_STOPPING: 1921 (cp->tlf)(sp); 1922 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1923 sppp_lcp_check_and_close(sp); 1924 break; 1925 case STATE_REQ_SENT: 1926 case STATE_ACK_RCVD: 1927 case STATE_ACK_SENT: 1928 (cp->tlf)(sp); 1929 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1930 sppp_lcp_check_and_close(sp); 1931 break; 1932 } 1933 else 1934 /* TO+ event */ 1935 switch (sp->state[cp->protoidx]) { 1936 case STATE_CLOSING: 1937 case STATE_STOPPING: 1938 sppp_cp_send(sp, cp->proto, TERM_REQ, 1939 ++sp->pp_seq[cp->protoidx], 0, 0); 1940 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1941 cp->TO, sp); 1942 break; 1943 case STATE_REQ_SENT: 1944 case STATE_ACK_RCVD: 1945 (cp->scr)(sp); 1946 /* sppp_cp_change_state() will restart the timer */ 1947 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1948 break; 1949 case STATE_ACK_SENT: 1950 (cp->scr)(sp); 1951 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1952 cp->TO, sp); 1953 break; 1954 } 1955 1956 splx(s); 1957} 1958 1959/* 1960 * Change the state of a control protocol in the state automaton. 1961 * Takes care of starting/stopping the restart timer. 1962 */ 1963void 1964sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 1965{ 1966 sp->state[cp->protoidx] = newstate; 1967 callout_stop(&sp->ch[cp->protoidx]); 1968 switch (newstate) { 1969 case STATE_INITIAL: 1970 case STATE_STARTING: 1971 case STATE_CLOSED: 1972 case STATE_STOPPED: 1973 case STATE_OPENED: 1974 break; 1975 case STATE_CLOSING: 1976 case STATE_STOPPING: 1977 case STATE_REQ_SENT: 1978 case STATE_ACK_RCVD: 1979 case STATE_ACK_SENT: 1980 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 1981 cp->TO, sp); 1982 break; 1983 } 1984} 1985 1986/* 1987 *--------------------------------------------------------------------------* 1988 * * 1989 * The LCP implementation. * 1990 * * 1991 *--------------------------------------------------------------------------* 1992 */ 1993static void 1994sppp_lcp_init(struct sppp *sp) 1995{ 1996 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 1997 sp->lcp.magic = 0; 1998 sp->state[IDX_LCP] = STATE_INITIAL; 1999 sp->fail_counter[IDX_LCP] = 0; 2000 sp->pp_seq[IDX_LCP] = 0; 2001 sp->pp_rseq[IDX_LCP] = 0; 2002 sp->lcp.protos = 0; 2003 2004 /* 2005 * Initialize counters and timeout values. Note that we don't 2006 * use the 3 seconds suggested in RFC 1661 since we are likely 2007 * running on a fast link. XXX We should probably implement 2008 * the exponential backoff option. Note that these values are 2009 * relevant for all control protocols, not just LCP only. 2010 */ 2011 sp->lcp.timeout = 1 * hz; 2012 sp->lcp.max_terminate = 2; 2013 sp->lcp.max_configure = 10; 2014 sp->lcp.max_failure = 10; 2015 callout_init(&sp->ch[IDX_LCP], 0); 2016} 2017 2018static void 2019sppp_lcp_up(struct sppp *sp) 2020{ 2021 STDDCL; 2022 2023 /* Initialize activity timestamp: opening a connection is an activity */ 2024 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 2025 2026 /* 2027 * If this interface is passive or dial-on-demand, and we are 2028 * still in Initial state, it means we've got an incoming 2029 * call. Activate the interface. 2030 */ 2031 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2032 if (debug) 2033 log(LOG_DEBUG, 2034 "%s: Up event", ifp->if_xname); 2035 ifp->if_flags |= IFF_RUNNING; 2036 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2037 if (debug) 2038 addlog("(incoming call)\n"); 2039 sp->pp_flags |= PP_CALLIN; 2040 lcp.Open(sp); 2041 } else if (debug) 2042 addlog("\n"); 2043 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2044 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2045 ifp->if_flags |= IFF_RUNNING; 2046 lcp.Open(sp); 2047 } 2048 2049 sppp_up_event(&lcp, sp); 2050} 2051 2052static void 2053sppp_lcp_down(struct sppp *sp) 2054{ 2055 STDDCL; 2056 2057 sppp_down_event(&lcp, sp); 2058 2059 /* 2060 * If this is neither a dial-on-demand nor a passive 2061 * interface, simulate an ``ifconfig down'' action, so the 2062 * administrator can force a redial by another ``ifconfig 2063 * up''. XXX For leased line operation, should we immediately 2064 * try to reopen the connection here? 2065 */ 2066 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2067 if (debug) 2068 log(LOG_INFO, 2069 "%s: Down event (carrier loss), taking interface down.\n", 2070 ifp->if_xname); 2071 if_down(ifp); 2072 } else { 2073 if (debug) 2074 log(LOG_DEBUG, 2075 "%s: Down event (carrier loss)\n", 2076 ifp->if_xname); 2077 } 2078 sp->pp_flags &= ~PP_CALLIN; 2079 if (sp->state[IDX_LCP] != STATE_INITIAL) 2080 lcp.Close(sp); 2081 ifp->if_flags &= ~IFF_RUNNING; 2082} 2083 2084static void 2085sppp_lcp_open(struct sppp *sp) 2086{ 2087 if (sp->pp_if.if_mtu < PP_MTU) { 2088 sp->lcp.mru = sp->pp_if.if_mtu; 2089 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2090 } else 2091 sp->lcp.mru = PP_MTU; 2092 sp->lcp.their_mru = PP_MTU; 2093 2094 /* 2095 * If we are authenticator, negotiate LCP_AUTH 2096 */ 2097 if (sp->hisauth.proto != 0) 2098 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2099 else 2100 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2101 sp->pp_flags &= ~PP_NEEDAUTH; 2102 sppp_open_event(&lcp, sp); 2103} 2104 2105static void 2106sppp_lcp_close(struct sppp *sp) 2107{ 2108 sppp_close_event(&lcp, sp); 2109} 2110 2111static void 2112sppp_lcp_TO(void *cookie) 2113{ 2114 sppp_to_event(&lcp, (struct sppp *)cookie); 2115} 2116 2117/* 2118 * Analyze a configure request. Return true if it was agreeable, and 2119 * caused action sca, false if it has been rejected or nak'ed, and 2120 * caused action scn. (The return value is used to make the state 2121 * transition decision in the state automaton.) 2122 */ 2123static int 2124sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2125{ 2126 STDDCL; 2127 u_char *buf, *r, *p; 2128 int origlen, rlen; 2129 uint32_t nmagic; 2130 u_short authproto; 2131 2132 len -= 4; 2133 origlen = len; 2134 buf = r = malloc (len, M_TEMP, M_NOWAIT); 2135 if (! buf) 2136 return (0); 2137 2138 if (debug) 2139 log(LOG_DEBUG, "%s: lcp parse opts:", 2140 ifp->if_xname); 2141 2142 /* pass 1: check for things that need to be rejected */ 2143 p = (void *)(h + 1); 2144 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2145 /* Sanity check option length */ 2146 if (p[1] > len) { 2147 /* 2148 * Malicious option - drop immediately. 2149 * XXX Maybe we should just RXJ it? 2150 */ 2151 addlog("%s: received malicious LCP option 0x%02x, " 2152 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2153 p[0], p[1], len); 2154 goto drop; 2155 } 2156 if (debug) 2157 addlog(" %s", sppp_lcp_opt_name(*p)); 2158 switch (*p) { 2159 case LCP_OPT_MAGIC: 2160 /* Magic number. */ 2161 /* fall through, both are same length */ 2162 case LCP_OPT_ASYNC_MAP: 2163 /* Async control character map. */ 2164 if (len >= 6 || p[1] == 6) 2165 continue; 2166 if (debug) 2167 addlog(" [invalid]"); 2168 break; 2169 case LCP_OPT_MRU: 2170 /* Maximum receive unit. */ 2171 if (len >= 4 && p[1] == 4) 2172 continue; 2173 if (debug) 2174 addlog(" [invalid]"); 2175 break; 2176 case LCP_OPT_AUTH_PROTO: 2177 if (len < 4) { 2178 if (debug) 2179 addlog(" [invalid]"); 2180 break; 2181 } 2182 authproto = (p[2] << 8) + p[3]; 2183 if (authproto == PPP_CHAP && p[1] != 5) { 2184 if (debug) 2185 addlog(" [invalid chap len]"); 2186 break; 2187 } 2188 if (sp->myauth.proto == 0) { 2189 /* we are not configured to do auth */ 2190 if (debug) 2191 addlog(" [not configured]"); 2192 break; 2193 } 2194 /* 2195 * Remote want us to authenticate, remember this, 2196 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2197 * up. 2198 */ 2199 sp->pp_flags |= PP_NEEDAUTH; 2200 continue; 2201 default: 2202 /* Others not supported. */ 2203 if (debug) 2204 addlog(" [rej]"); 2205 break; 2206 } 2207 /* Add the option to rejected list. */ 2208 bcopy (p, r, p[1]); 2209 r += p[1]; 2210 rlen += p[1]; 2211 } 2212 if (rlen) { 2213 if (debug) 2214 addlog(" send conf-rej\n"); 2215 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2216 goto end; 2217 } else if (debug) 2218 addlog("\n"); 2219 2220 /* 2221 * pass 2: check for option values that are unacceptable and 2222 * thus require to be nak'ed. 2223 */ 2224 if (debug) 2225 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2226 ifp->if_xname); 2227 2228 p = (void *)(h + 1); 2229 len = origlen; 2230 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2231 if (debug) 2232 addlog(" %s", sppp_lcp_opt_name(*p)); 2233 switch (*p) { 2234 case LCP_OPT_MAGIC: 2235 /* Magic number -- extract. */ 2236 nmagic = (uint32_t)p[2] << 24 | 2237 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2238 if (nmagic != sp->lcp.magic) { 2239 if (debug) 2240 addlog(" 0x%x", nmagic); 2241 continue; 2242 } 2243 /* 2244 * Local and remote magics equal -- loopback? 2245 */ 2246 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2247 printf ("%s: loopback\n", 2248 ifp->if_xname); 2249 sp->pp_loopcnt = 0; 2250 if (ifp->if_flags & IFF_UP) { 2251 if_down(ifp); 2252 IF_PURGE(&sp->pp_cpq); 2253 /* XXX ? */ 2254 lcp.Down(sp); 2255 lcp.Up(sp); 2256 } 2257 } else if (debug) 2258 addlog(" [glitch]"); 2259 ++sp->pp_loopcnt; 2260 /* 2261 * We negate our magic here, and NAK it. If 2262 * we see it later in an NAK packet, we 2263 * suggest a new one. 2264 */ 2265 nmagic = ~sp->lcp.magic; 2266 /* Gonna NAK it. */ 2267 p[2] = nmagic >> 24; 2268 p[3] = nmagic >> 16; 2269 p[4] = nmagic >> 8; 2270 p[5] = nmagic; 2271 break; 2272 2273 case LCP_OPT_ASYNC_MAP: 2274 /* 2275 * Async control character map -- just ignore it. 2276 * 2277 * Quote from RFC 1662, chapter 6: 2278 * To enable this functionality, synchronous PPP 2279 * implementations MUST always respond to the 2280 * Async-Control-Character-Map Configuration 2281 * Option with the LCP Configure-Ack. However, 2282 * acceptance of the Configuration Option does 2283 * not imply that the synchronous implementation 2284 * will do any ACCM mapping. Instead, all such 2285 * octet mapping will be performed by the 2286 * asynchronous-to-synchronous converter. 2287 */ 2288 continue; 2289 2290 case LCP_OPT_MRU: 2291 /* 2292 * Maximum receive unit. Always agreeable, 2293 * but ignored by now. 2294 */ 2295 sp->lcp.their_mru = p[2] * 256 + p[3]; 2296 if (debug) 2297 addlog(" %ld", sp->lcp.their_mru); 2298 continue; 2299 2300 case LCP_OPT_AUTH_PROTO: 2301 authproto = (p[2] << 8) + p[3]; 2302 if (sp->myauth.proto != authproto) { 2303 /* not agreed, nak */ 2304 if (debug) 2305 addlog(" [mine %s != his %s]", 2306 sppp_proto_name(sp->myauth.proto), 2307 sppp_proto_name(authproto)); 2308 p[2] = sp->myauth.proto >> 8; 2309 p[3] = sp->myauth.proto; 2310 break; 2311 } 2312 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2313 if (debug) 2314 addlog(" [chap not MD5]"); 2315 p[4] = CHAP_MD5; 2316 break; 2317 } 2318 continue; 2319 } 2320 /* Add the option to nak'ed list. */ 2321 bcopy (p, r, p[1]); 2322 r += p[1]; 2323 rlen += p[1]; 2324 } 2325 if (rlen) { 2326 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2327 if (debug) 2328 addlog(" max_failure (%d) exceeded, " 2329 "send conf-rej\n", 2330 sp->lcp.max_failure); 2331 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2332 } else { 2333 if (debug) 2334 addlog(" send conf-nak\n"); 2335 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2336 } 2337 goto end; 2338 } else { 2339 if (debug) 2340 addlog(" send conf-ack\n"); 2341 sp->fail_counter[IDX_LCP] = 0; 2342 sp->pp_loopcnt = 0; 2343 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1); 2344 } 2345 2346 end: 2347 free(buf, M_TEMP); 2348 return (rlen == 0); 2349 2350 drop: 2351 free(buf, M_TEMP); 2352 return -1; 2353} 2354 2355/* 2356 * Analyze the LCP Configure-Reject option list, and adjust our 2357 * negotiation. 2358 */ 2359static void 2360sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2361{ 2362 STDDCL; 2363 u_char *buf, *p; 2364 2365 len -= 4; 2366 buf = malloc (len, M_TEMP, M_NOWAIT); 2367 if (!buf) 2368 return; 2369 2370 if (debug) 2371 log(LOG_DEBUG, "%s: lcp rej opts:", 2372 ifp->if_xname); 2373 2374 p = (void *)(h + 1); 2375 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2376 /* Sanity check option length */ 2377 if (p[1] > len) { 2378 /* 2379 * Malicious option - drop immediately. 2380 * XXX Maybe we should just RXJ it? 2381 */ 2382 addlog("%s: received malicious LCP option, " 2383 "dropping.\n", ifp->if_xname); 2384 goto drop; 2385 } 2386 if (debug) 2387 addlog(" %s", sppp_lcp_opt_name(*p)); 2388 switch (*p) { 2389 case LCP_OPT_MAGIC: 2390 /* Magic number -- can't use it, use 0 */ 2391 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2392 sp->lcp.magic = 0; 2393 break; 2394 case LCP_OPT_MRU: 2395 /* 2396 * We try to negotiate a lower MRU if the underlying 2397 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 2398 * peer rejects this lower rate, fallback to the 2399 * default. 2400 */ 2401 if (debug) { 2402 addlog("%s: warning: peer rejected our MRU of " 2403 "%ld bytes. Defaulting to %d bytes\n", 2404 ifp->if_xname, sp->lcp.mru, PP_MTU); 2405 } 2406 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2407 sp->lcp.mru = PP_MTU; 2408 break; 2409 case LCP_OPT_AUTH_PROTO: 2410 /* 2411 * Peer doesn't want to authenticate himself, 2412 * deny unless this is a dialout call, and 2413 * SPPP_AUTHFLAG_NOCALLOUT is set. 2414 */ 2415 if ((sp->pp_flags & PP_CALLIN) == 0 && 2416 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 2417 if (debug) 2418 addlog(" [don't insist on auth " 2419 "for callout]"); 2420 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2421 break; 2422 } 2423 if (debug) 2424 addlog("[access denied]\n"); 2425 lcp.Close(sp); 2426 break; 2427 } 2428 } 2429 if (debug) 2430 addlog("\n"); 2431drop: 2432 free(buf, M_TEMP); 2433 return; 2434} 2435 2436/* 2437 * Analyze the LCP Configure-NAK option list, and adjust our 2438 * negotiation. 2439 */ 2440static void 2441sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2442{ 2443 STDDCL; 2444 u_char *buf, *p; 2445 uint32_t magic; 2446 2447 len -= 4; 2448 buf = malloc (len, M_TEMP, M_NOWAIT); 2449 if (!buf) 2450 return; 2451 2452 if (debug) 2453 log(LOG_DEBUG, "%s: lcp nak opts:", 2454 ifp->if_xname); 2455 2456 p = (void *)(h + 1); 2457 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 2458 /* Sanity check option length */ 2459 if (p[1] > len) { 2460 /* 2461 * Malicious option - drop immediately. 2462 * XXX Maybe we should just RXJ it? 2463 */ 2464 addlog("%s: received malicious LCP option, " 2465 "dropping.\n", ifp->if_xname); 2466 goto drop; 2467 } 2468 if (debug) 2469 addlog(" %s", sppp_lcp_opt_name(*p)); 2470 switch (*p) { 2471 case LCP_OPT_MAGIC: 2472 /* Magic number -- renegotiate */ 2473 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2474 len >= 6 && p[1] == 6) { 2475 magic = (uint32_t)p[2] << 24 | 2476 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2477 /* 2478 * If the remote magic is our negated one, 2479 * this looks like a loopback problem. 2480 * Suggest a new magic to make sure. 2481 */ 2482 if (magic == ~sp->lcp.magic) { 2483 if (debug) 2484 addlog(" magic glitch"); 2485 sp->lcp.magic = cprng_fast32(); 2486 } else { 2487 sp->lcp.magic = magic; 2488 if (debug) 2489 addlog(" %d", magic); 2490 } 2491 } 2492 break; 2493 case LCP_OPT_MRU: 2494 /* 2495 * Peer wants to advise us to negotiate an MRU. 2496 * Agree on it if it's reasonable, or use 2497 * default otherwise. 2498 */ 2499 if (len >= 4 && p[1] == 4) { 2500 u_int mru = p[2] * 256 + p[3]; 2501 if (debug) 2502 addlog(" %d", mru); 2503 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 2504 mru = sp->pp_if.if_mtu; 2505 sp->lcp.mru = mru; 2506 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2507 } 2508 break; 2509 case LCP_OPT_AUTH_PROTO: 2510 /* 2511 * Peer doesn't like our authentication method, 2512 * deny. 2513 */ 2514 if (debug) 2515 addlog("[access denied]\n"); 2516 lcp.Close(sp); 2517 break; 2518 } 2519 } 2520 if (debug) 2521 addlog("\n"); 2522drop: 2523 free(buf, M_TEMP); 2524 return; 2525} 2526 2527static void 2528sppp_lcp_tlu(struct sppp *sp) 2529{ 2530 STDDCL; 2531 int i; 2532 uint32_t mask; 2533 2534 /* XXX ? */ 2535 if (! (ifp->if_flags & IFF_UP) && 2536 (ifp->if_flags & IFF_RUNNING)) { 2537 /* Coming out of loopback mode. */ 2538 if_up(ifp); 2539 } 2540 2541 for (i = 0; i < IDX_COUNT; i++) 2542 if ((cps[i])->flags & CP_QUAL) 2543 (cps[i])->Open(sp); 2544 2545 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2546 (sp->pp_flags & PP_NEEDAUTH) != 0) 2547 sp->pp_phase = SPPP_PHASE_AUTHENTICATE; 2548 else 2549 sp->pp_phase = SPPP_PHASE_NETWORK; 2550 2551 if (debug) 2552 { 2553 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2554 sppp_phase_name(sp->pp_phase)); 2555 } 2556 2557 /* 2558 * Open all authentication protocols. This is even required 2559 * if we already proceeded to network phase, since it might be 2560 * that remote wants us to authenticate, so we might have to 2561 * send a PAP request. Undesired authentication protocols 2562 * don't do anything when they get an Open event. 2563 */ 2564 for (i = 0; i < IDX_COUNT; i++) 2565 if ((cps[i])->flags & CP_AUTH) 2566 (cps[i])->Open(sp); 2567 2568 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 2569 /* Notify all NCPs. */ 2570 for (i = 0; i < IDX_COUNT; i++) 2571 if ((cps[i])->flags & CP_NCP) 2572 (cps[i])->Open(sp); 2573 } 2574 2575 /* Send Up events to all started protos. */ 2576 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2577 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) 2578 (cps[i])->Up(sp); 2579 2580 /* notify low-level driver of state change */ 2581 if (sp->pp_chg) 2582 sp->pp_chg(sp, (int)sp->pp_phase); 2583 2584 if (sp->pp_phase == SPPP_PHASE_NETWORK) 2585 /* if no NCP is starting, close down */ 2586 sppp_lcp_check_and_close(sp); 2587} 2588 2589static void 2590sppp_lcp_tld(struct sppp *sp) 2591{ 2592 STDDCL; 2593 int i; 2594 uint32_t mask; 2595 2596 sp->pp_phase = SPPP_PHASE_TERMINATE; 2597 2598 if (debug) 2599 { 2600 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2601 sppp_phase_name(sp->pp_phase)); 2602 } 2603 2604 /* 2605 * Take upper layers down. We send the Down event first and 2606 * the Close second to prevent the upper layers from sending 2607 * ``a flurry of terminate-request packets'', as the RFC 2608 * describes it. 2609 */ 2610 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2611 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2612 (cps[i])->Down(sp); 2613 (cps[i])->Close(sp); 2614 } 2615} 2616 2617static void 2618sppp_lcp_tls(struct sppp *sp) 2619{ 2620 STDDCL; 2621 2622 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 2623 printf("%s: authentication failed %d times, not retrying again\n", 2624 sp->pp_if.if_xname, sp->pp_auth_failures); 2625 if_down(&sp->pp_if); 2626 return; 2627 } 2628 2629 sp->pp_phase = SPPP_PHASE_ESTABLISH; 2630 2631 if (debug) 2632 { 2633 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2634 sppp_phase_name(sp->pp_phase)); 2635 } 2636 2637 /* Notify lower layer if desired. */ 2638 if (sp->pp_tls) 2639 (sp->pp_tls)(sp); 2640} 2641 2642static void 2643sppp_lcp_tlf(struct sppp *sp) 2644{ 2645 STDDCL; 2646 2647 sp->pp_phase = SPPP_PHASE_DEAD; 2648 2649 if (debug) 2650 { 2651 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 2652 sppp_phase_name(sp->pp_phase)); 2653 } 2654 2655 /* Notify lower layer if desired. */ 2656 if (sp->pp_tlf) 2657 (sp->pp_tlf)(sp); 2658} 2659 2660static void 2661sppp_lcp_scr(struct sppp *sp) 2662{ 2663 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2664 int i = 0; 2665 u_short authproto; 2666 2667 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2668 if (! sp->lcp.magic) 2669 sp->lcp.magic = cprng_fast32(); 2670 opt[i++] = LCP_OPT_MAGIC; 2671 opt[i++] = 6; 2672 opt[i++] = sp->lcp.magic >> 24; 2673 opt[i++] = sp->lcp.magic >> 16; 2674 opt[i++] = sp->lcp.magic >> 8; 2675 opt[i++] = sp->lcp.magic; 2676 } 2677 2678 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2679 opt[i++] = LCP_OPT_MRU; 2680 opt[i++] = 4; 2681 opt[i++] = sp->lcp.mru >> 8; 2682 opt[i++] = sp->lcp.mru; 2683 } 2684 2685 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2686 authproto = sp->hisauth.proto; 2687 opt[i++] = LCP_OPT_AUTH_PROTO; 2688 opt[i++] = authproto == PPP_CHAP? 5: 4; 2689 opt[i++] = authproto >> 8; 2690 opt[i++] = authproto; 2691 if (authproto == PPP_CHAP) 2692 opt[i++] = CHAP_MD5; 2693 } 2694 2695 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2696 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2697} 2698 2699/* 2700 * Check the open NCPs, return true if at least one NCP is open. 2701 */ 2702static int 2703sppp_ncp_check(struct sppp *sp) 2704{ 2705 int i, mask; 2706 2707 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2708 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2709 return 1; 2710 return 0; 2711} 2712 2713/* 2714 * Re-check the open NCPs and see if we should terminate the link. 2715 * Called by the NCPs during their tlf action handling. 2716 */ 2717static void 2718sppp_lcp_check_and_close(struct sppp *sp) 2719{ 2720 2721 if (sp->pp_phase < SPPP_PHASE_NETWORK) 2722 /* don't bother, we are already going down */ 2723 return; 2724 2725 if (sppp_ncp_check(sp)) 2726 return; 2727 2728 lcp.Close(sp); 2729} 2730 2731 2732/* 2733 *--------------------------------------------------------------------------* 2734 * * 2735 * The IPCP implementation. * 2736 * * 2737 *--------------------------------------------------------------------------* 2738 */ 2739 2740static void 2741sppp_ipcp_init(struct sppp *sp) 2742{ 2743 sp->ipcp.opts = 0; 2744 sp->ipcp.flags = 0; 2745 sp->state[IDX_IPCP] = STATE_INITIAL; 2746 sp->fail_counter[IDX_IPCP] = 0; 2747 sp->pp_seq[IDX_IPCP] = 0; 2748 sp->pp_rseq[IDX_IPCP] = 0; 2749 callout_init(&sp->ch[IDX_IPCP], 0); 2750} 2751 2752static void 2753sppp_ipcp_up(struct sppp *sp) 2754{ 2755 sppp_up_event(&ipcp, sp); 2756} 2757 2758static void 2759sppp_ipcp_down(struct sppp *sp) 2760{ 2761 sppp_down_event(&ipcp, sp); 2762} 2763 2764static void 2765sppp_ipcp_open(struct sppp *sp) 2766{ 2767 STDDCL; 2768 uint32_t myaddr, hisaddr; 2769 2770 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 2771 sp->ipcp.req_myaddr = 0; 2772 sp->ipcp.req_hisaddr = 0; 2773 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 2774 2775#ifdef INET 2776 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 2777#else 2778 myaddr = hisaddr = 0; 2779#endif 2780 /* 2781 * If we don't have his address, this probably means our 2782 * interface doesn't want to talk IP at all. (This could 2783 * be the case if somebody wants to speak only IPX, for 2784 * example.) Don't open IPCP in this case. 2785 */ 2786 if (hisaddr == 0) { 2787 /* XXX this message should go away */ 2788 if (debug) 2789 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 2790 ifp->if_xname); 2791 return; 2792 } 2793 2794 if (myaddr == 0) { 2795 /* 2796 * I don't have an assigned address, so i need to 2797 * negotiate my address. 2798 */ 2799 sp->ipcp.flags |= IPCP_MYADDR_DYN; 2800 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 2801 } 2802 if (hisaddr == 1) { 2803 /* 2804 * XXX - remove this hack! 2805 * remote has no valid address, we need to get one assigned. 2806 */ 2807 sp->ipcp.flags |= IPCP_HISADDR_DYN; 2808 } 2809 sppp_open_event(&ipcp, sp); 2810} 2811 2812static void 2813sppp_ipcp_close(struct sppp *sp) 2814{ 2815 STDDCL; 2816 2817 sppp_close_event(&ipcp, sp); 2818#ifdef INET 2819 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) 2820 /* 2821 * Some address was dynamic, clear it again. 2822 */ 2823 sppp_clear_ip_addrs(sp); 2824#endif 2825 2826 if (sp->pp_saved_mtu > 0) { 2827 ifp->if_mtu = sp->pp_saved_mtu; 2828 sp->pp_saved_mtu = 0; 2829 if (debug) 2830 log(LOG_DEBUG, 2831 "%s: resetting MTU to %" PRIu64 " bytes\n", 2832 ifp->if_xname, ifp->if_mtu); 2833 } 2834} 2835 2836static void 2837sppp_ipcp_TO(void *cookie) 2838{ 2839 sppp_to_event(&ipcp, (struct sppp *)cookie); 2840} 2841 2842/* 2843 * Analyze a configure request. Return true if it was agreeable, and 2844 * caused action sca, false if it has been rejected or nak'ed, and 2845 * caused action scn. (The return value is used to make the state 2846 * transition decision in the state automaton.) 2847 */ 2848static int 2849sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2850{ 2851 u_char *buf, *r, *p; 2852 struct ifnet *ifp = &sp->pp_if; 2853 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 2854 uint32_t hisaddr, desiredaddr; 2855 2856 len -= 4; 2857 origlen = len; 2858 /* 2859 * Make sure to allocate a buf that can at least hold a 2860 * conf-nak with an `address' option. We might need it below. 2861 */ 2862 buf = r = malloc ((len < 6? 6: len), M_TEMP, M_NOWAIT); 2863 if (! buf) 2864 return (0); 2865 2866 /* pass 1: see if we can recognize them */ 2867 if (debug) 2868 log(LOG_DEBUG, "%s: ipcp parse opts:", 2869 ifp->if_xname); 2870 p = (void *)(h + 1); 2871 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2872 /* Sanity check option length */ 2873 if (p[1] > len) { 2874 /* XXX should we just RXJ? */ 2875 addlog("%s: malicious IPCP option received, dropping\n", 2876 ifp->if_xname); 2877 goto drop; 2878 } 2879 if (debug) 2880 addlog(" %s", sppp_ipcp_opt_name(*p)); 2881 switch (*p) { 2882#ifdef notyet 2883 case IPCP_OPT_COMPRESSION: 2884 if (len >= 6 && p[1] >= 6) { 2885 /* correctly formed compress option */ 2886 continue; 2887 } 2888 if (debug) 2889 addlog(" [invalid]"); 2890 break; 2891#endif 2892 case IPCP_OPT_ADDRESS: 2893 if (len >= 6 && p[1] == 6) { 2894 /* correctly formed address option */ 2895 continue; 2896 } 2897 if (debug) 2898 addlog(" [invalid]"); 2899 break; 2900 default: 2901 /* Others not supported. */ 2902 if (debug) 2903 addlog(" [rej]"); 2904 break; 2905 } 2906 /* Add the option to rejected list. */ 2907 bcopy (p, r, p[1]); 2908 r += p[1]; 2909 rlen += p[1]; 2910 } 2911 if (rlen) { 2912 if (debug) 2913 addlog(" send conf-rej\n"); 2914 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 2915 goto end; 2916 } else if (debug) 2917 addlog("\n"); 2918 2919 /* pass 2: parse option values */ 2920 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 2921 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 2922 else 2923#ifdef INET 2924 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 2925#else 2926 hisaddr = 0; 2927#endif 2928 if (debug) 2929 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 2930 ifp->if_xname); 2931 p = (void *)(h + 1); 2932 len = origlen; 2933 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 2934 if (debug) 2935 addlog(" %s", sppp_ipcp_opt_name(*p)); 2936 switch (*p) { 2937#ifdef notyet 2938 case IPCP_OPT_COMPRESSION: 2939 continue; 2940#endif 2941 case IPCP_OPT_ADDRESS: 2942 desiredaddr = p[2] << 24 | p[3] << 16 | 2943 p[4] << 8 | p[5]; 2944 if (desiredaddr == hisaddr || 2945 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 2946 /* 2947 * Peer's address is same as our value, 2948 * this is agreeable. Gonna conf-ack 2949 * it. 2950 */ 2951 if (debug) 2952 addlog(" %s [ack]", 2953 sppp_dotted_quad(hisaddr)); 2954 /* record that we've seen it already */ 2955 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 2956 sp->ipcp.req_hisaddr = desiredaddr; 2957 hisaddr = desiredaddr; 2958 continue; 2959 } 2960 /* 2961 * The address wasn't agreeable. This is either 2962 * he sent us 0.0.0.0, asking to assign him an 2963 * address, or he send us another address not 2964 * matching our value. Either case, we gonna 2965 * conf-nak it with our value. 2966 */ 2967 if (debug) { 2968 if (desiredaddr == 0) 2969 addlog(" [addr requested]"); 2970 else 2971 addlog(" %s [not agreed]", 2972 sppp_dotted_quad(desiredaddr)); 2973 } 2974 2975 p[2] = hisaddr >> 24; 2976 p[3] = hisaddr >> 16; 2977 p[4] = hisaddr >> 8; 2978 p[5] = hisaddr; 2979 break; 2980 } 2981 /* Add the option to nak'ed list. */ 2982 bcopy (p, r, p[1]); 2983 r += p[1]; 2984 rlen += p[1]; 2985 } 2986 2987 /* 2988 * If we are about to conf-ack the request, but haven't seen 2989 * his address so far, gonna conf-nak it instead, with the 2990 * `address' option present and our idea of his address being 2991 * filled in there, to request negotiation of both addresses. 2992 * 2993 * XXX This can result in an endless req - nak loop if peer 2994 * doesn't want to send us his address. Q: What should we do 2995 * about it? XXX A: implement the max-failure counter. 2996 */ 2997 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) { 2998 buf[0] = IPCP_OPT_ADDRESS; 2999 buf[1] = 6; 3000 buf[2] = hisaddr >> 24; 3001 buf[3] = hisaddr >> 16; 3002 buf[4] = hisaddr >> 8; 3003 buf[5] = hisaddr; 3004 rlen = 6; 3005 if (debug) 3006 addlog(" still need hisaddr"); 3007 } 3008 3009 if (rlen) { 3010 if (debug) 3011 addlog(" send conf-nak\n"); 3012 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3013 } else { 3014 if (debug) 3015 addlog(" send conf-ack\n"); 3016 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1); 3017 } 3018 3019 end: 3020 free(buf, M_TEMP); 3021 return (rlen == 0); 3022 3023 drop: 3024 free(buf, M_TEMP); 3025 return -1; 3026} 3027 3028/* 3029 * Analyze the IPCP Configure-Reject option list, and adjust our 3030 * negotiation. 3031 */ 3032static void 3033sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3034{ 3035 u_char *buf, *p; 3036 struct ifnet *ifp = &sp->pp_if; 3037 int debug = ifp->if_flags & IFF_DEBUG; 3038 3039 len -= 4; 3040 buf = malloc (len, M_TEMP, M_NOWAIT); 3041 if (!buf) 3042 return; 3043 3044 if (debug) 3045 log(LOG_DEBUG, "%s: ipcp rej opts:", 3046 ifp->if_xname); 3047 3048 p = (void *)(h + 1); 3049 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3050 /* Sanity check option length */ 3051 if (p[1] > len) { 3052 /* XXX should we just RXJ? */ 3053 addlog("%s: malicious IPCP option received, dropping\n", 3054 ifp->if_xname); 3055 goto drop; 3056 } 3057 if (debug) 3058 addlog(" %s", sppp_ipcp_opt_name(*p)); 3059 switch (*p) { 3060 case IPCP_OPT_ADDRESS: 3061 /* 3062 * Peer doesn't grok address option. This is 3063 * bad. XXX Should we better give up here? 3064 */ 3065 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3066 break; 3067#ifdef notyet 3068 case IPCP_OPT_COMPRESS: 3069 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS); 3070 break; 3071#endif 3072 } 3073 } 3074 if (debug) 3075 addlog("\n"); 3076drop: 3077 free(buf, M_TEMP); 3078 return; 3079} 3080 3081/* 3082 * Analyze the IPCP Configure-NAK option list, and adjust our 3083 * negotiation. 3084 */ 3085static void 3086sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3087{ 3088 u_char *p; 3089 struct ifnet *ifp = &sp->pp_if; 3090 int debug = ifp->if_flags & IFF_DEBUG; 3091 uint32_t wantaddr; 3092 3093 len -= 4; 3094 3095 if (debug) 3096 log(LOG_DEBUG, "%s: ipcp nak opts:", 3097 ifp->if_xname); 3098 3099 p = (void *)(h + 1); 3100 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3101 /* Sanity check option length */ 3102 if (p[1] > len) { 3103 /* XXX should we just RXJ? */ 3104 addlog("%s: malicious IPCP option received, dropping\n", 3105 ifp->if_xname); 3106 return; 3107 } 3108 if (debug) 3109 addlog(" %s", sppp_ipcp_opt_name(*p)); 3110 switch (*p) { 3111 case IPCP_OPT_ADDRESS: 3112 /* 3113 * Peer doesn't like our local IP address. See 3114 * if we can do something for him. We'll drop 3115 * him our address then. 3116 */ 3117 if (len >= 6 && p[1] == 6) { 3118 wantaddr = p[2] << 24 | p[3] << 16 | 3119 p[4] << 8 | p[5]; 3120 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3121 if (debug) 3122 addlog(" [wantaddr %s]", 3123 sppp_dotted_quad(wantaddr)); 3124 /* 3125 * When doing dynamic address assignment, 3126 * we accept his offer. Otherwise, we 3127 * ignore it and thus continue to negotiate 3128 * our already existing value. 3129 */ 3130 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3131 if (debug) 3132 addlog(" [agree]"); 3133 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3134 sp->ipcp.req_myaddr = wantaddr; 3135 } 3136 } 3137 break; 3138 3139 case IPCP_OPT_PRIMDNS: 3140 if (len >= 6 && p[1] == 6) { 3141 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 3142 p[4] << 8 | p[5]; 3143 } 3144 break; 3145 3146 case IPCP_OPT_SECDNS: 3147 if (len >= 6 && p[1] == 6) { 3148 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 3149 p[4] << 8 | p[5]; 3150 } 3151 break; 3152#ifdef notyet 3153 case IPCP_OPT_COMPRESS: 3154 /* 3155 * Peer wants different compression parameters. 3156 */ 3157 break; 3158#endif 3159 } 3160 } 3161 if (debug) 3162 addlog("\n"); 3163} 3164 3165static void 3166sppp_ipcp_tlu(struct sppp *sp) 3167{ 3168#ifdef INET 3169 /* we are up. Set addresses and notify anyone interested */ 3170 STDDCL; 3171 uint32_t myaddr, hisaddr; 3172 3173 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3174 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 3175 myaddr = sp->ipcp.req_myaddr; 3176 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 3177 hisaddr = sp->ipcp.req_hisaddr; 3178 sppp_set_ip_addrs(sp, myaddr, hisaddr); 3179 3180 if (ifp->if_mtu > sp->lcp.their_mru) { 3181 sp->pp_saved_mtu = ifp->if_mtu; 3182 ifp->if_mtu = sp->lcp.their_mru; 3183 if (debug) 3184 log(LOG_DEBUG, 3185 "%s: setting MTU to %" PRIu64 " bytes\n", 3186 ifp->if_xname, ifp->if_mtu); 3187 } 3188 3189 if (sp->pp_con) 3190 sp->pp_con(sp); 3191#endif 3192} 3193 3194static void 3195sppp_ipcp_tld(struct sppp *sp) 3196{ 3197} 3198 3199static void 3200sppp_ipcp_tls(struct sppp *sp) 3201{ 3202 /* indicate to LCP that it must stay alive */ 3203 sp->lcp.protos |= (1 << IDX_IPCP); 3204} 3205 3206static void 3207sppp_ipcp_tlf(struct sppp *sp) 3208{ 3209 /* we no longer need LCP */ 3210 sp->lcp.protos &= ~(1 << IDX_IPCP); 3211} 3212 3213static void 3214sppp_ipcp_scr(struct sppp *sp) 3215{ 3216 char opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 3217#ifdef INET 3218 uint32_t ouraddr; 3219#endif 3220 int i = 0; 3221 3222#ifdef notyet 3223 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3224 opt[i++] = IPCP_OPT_COMPRESSION; 3225 opt[i++] = 6; 3226 opt[i++] = 0; /* VJ header compression */ 3227 opt[i++] = 0x2d; /* VJ header compression */ 3228 opt[i++] = max_slot_id; 3229 opt[i++] = comp_slot_id; 3230 } 3231#endif 3232 3233#ifdef INET 3234 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3235 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) 3236 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 3237 else 3238 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3239 opt[i++] = IPCP_OPT_ADDRESS; 3240 opt[i++] = 6; 3241 opt[i++] = ouraddr >> 24; 3242 opt[i++] = ouraddr >> 16; 3243 opt[i++] = ouraddr >> 8; 3244 opt[i++] = ouraddr; 3245 } 3246#endif 3247 3248 if (sp->query_dns & 1) { 3249 opt[i++] = IPCP_OPT_PRIMDNS; 3250 opt[i++] = 6; 3251 opt[i++] = sp->dns_addrs[0] >> 24; 3252 opt[i++] = sp->dns_addrs[0] >> 16; 3253 opt[i++] = sp->dns_addrs[0] >> 8; 3254 opt[i++] = sp->dns_addrs[0]; 3255 } 3256 if (sp->query_dns & 2) { 3257 opt[i++] = IPCP_OPT_SECDNS; 3258 opt[i++] = 6; 3259 opt[i++] = sp->dns_addrs[1] >> 24; 3260 opt[i++] = sp->dns_addrs[1] >> 16; 3261 opt[i++] = sp->dns_addrs[1] >> 8; 3262 opt[i++] = sp->dns_addrs[1]; 3263 } 3264 3265 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3266 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3267} 3268 3269 3270/* 3271 *--------------------------------------------------------------------------* 3272 * * 3273 * The IPv6CP implementation. * 3274 * * 3275 *--------------------------------------------------------------------------* 3276 */ 3277 3278#ifdef INET6 3279static void 3280sppp_ipv6cp_init(struct sppp *sp) 3281{ 3282 sp->ipv6cp.opts = 0; 3283 sp->ipv6cp.flags = 0; 3284 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3285 sp->fail_counter[IDX_IPV6CP] = 0; 3286 sp->pp_seq[IDX_IPV6CP] = 0; 3287 sp->pp_rseq[IDX_IPV6CP] = 0; 3288 callout_init(&sp->ch[IDX_IPV6CP], 0); 3289} 3290 3291static void 3292sppp_ipv6cp_up(struct sppp *sp) 3293{ 3294 sppp_up_event(&ipv6cp, sp); 3295} 3296 3297static void 3298sppp_ipv6cp_down(struct sppp *sp) 3299{ 3300 sppp_down_event(&ipv6cp, sp); 3301} 3302 3303static void 3304sppp_ipv6cp_open(struct sppp *sp) 3305{ 3306 STDDCL; 3307 struct in6_addr myaddr, hisaddr; 3308 3309#ifdef IPV6CP_MYIFID_DYN 3310 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3311#else 3312 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3313#endif 3314 3315 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3316 /* 3317 * If we don't have our address, this probably means our 3318 * interface doesn't want to talk IPv6 at all. (This could 3319 * be the case if somebody wants to speak only IPX, for 3320 * example.) Don't open IPv6CP in this case. 3321 */ 3322 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3323 /* XXX this message should go away */ 3324 if (debug) 3325 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 3326 ifp->if_xname); 3327 return; 3328 } 3329 3330 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3331 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3332 sppp_open_event(&ipv6cp, sp); 3333} 3334 3335static void 3336sppp_ipv6cp_close(struct sppp *sp) 3337{ 3338 sppp_close_event(&ipv6cp, sp); 3339} 3340 3341static void 3342sppp_ipv6cp_TO(void *cookie) 3343{ 3344 sppp_to_event(&ipv6cp, (struct sppp *)cookie); 3345} 3346 3347/* 3348 * Analyze a configure request. Return true if it was agreeable, and 3349 * caused action sca, false if it has been rejected or nak'ed, and 3350 * caused action scn. (The return value is used to make the state 3351 * transition decision in the state automaton.) 3352 */ 3353static int 3354sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3355{ 3356 u_char *buf, *r, *p; 3357 struct ifnet *ifp = &sp->pp_if; 3358 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3359 struct in6_addr myaddr, desiredaddr, suggestaddr; 3360 int ifidcount; 3361 int type; 3362 int collision, nohisaddr; 3363 3364 len -= 4; 3365 origlen = len; 3366 /* 3367 * Make sure to allocate a buf that can at least hold a 3368 * conf-nak with an `address' option. We might need it below. 3369 */ 3370 buf = r = malloc ((len < 6? 6: len), M_TEMP, M_NOWAIT); 3371 if (! buf) 3372 return (0); 3373 3374 /* pass 1: see if we can recognize them */ 3375 if (debug) 3376 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 3377 ifp->if_xname); 3378 p = (void *)(h + 1); 3379 ifidcount = 0; 3380 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3381 /* Sanity check option length */ 3382 if (p[1] > len) { 3383 /* XXX just RXJ? */ 3384 addlog("%s: received malicious IPCPv6 option, " 3385 "dropping\n", ifp->if_xname); 3386 goto drop; 3387 } 3388 if (debug) 3389 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3390 switch (*p) { 3391 case IPV6CP_OPT_IFID: 3392 if (len >= 10 && p[1] == 10 && ifidcount == 0) { 3393 /* correctly formed address option */ 3394 ifidcount++; 3395 continue; 3396 } 3397 if (debug) 3398 addlog(" [invalid]"); 3399 break; 3400#ifdef notyet 3401 case IPV6CP_OPT_COMPRESSION: 3402 if (len >= 4 && p[1] >= 4) { 3403 /* correctly formed compress option */ 3404 continue; 3405 } 3406 if (debug) 3407 addlog(" [invalid]"); 3408 break; 3409#endif 3410 default: 3411 /* Others not supported. */ 3412 if (debug) 3413 addlog(" [rej]"); 3414 break; 3415 } 3416 /* Add the option to rejected list. */ 3417 bcopy (p, r, p[1]); 3418 r += p[1]; 3419 rlen += p[1]; 3420 } 3421 if (rlen) { 3422 if (debug) 3423 addlog(" send conf-rej\n"); 3424 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3425 goto end; 3426 } else if (debug) 3427 addlog("\n"); 3428 3429 /* pass 2: parse option values */ 3430 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3431 if (debug) 3432 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 3433 ifp->if_xname); 3434 p = (void *)(h + 1); 3435 len = origlen; 3436 type = CONF_ACK; 3437 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { 3438 if (debug) 3439 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3440 switch (*p) { 3441#ifdef notyet 3442 case IPV6CP_OPT_COMPRESSION: 3443 continue; 3444#endif 3445 case IPV6CP_OPT_IFID: 3446 memset(&desiredaddr, 0, sizeof(desiredaddr)); 3447 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 3448 collision = (memcmp(&desiredaddr.s6_addr[8], 3449 &myaddr.s6_addr[8], 8) == 0); 3450 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3451 3452 desiredaddr.s6_addr16[0] = htons(0xfe80); 3453 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 3454 3455 if (!collision && !nohisaddr) { 3456 /* no collision, hisaddr known - Conf-Ack */ 3457 type = CONF_ACK; 3458 3459 if (debug) { 3460 addlog(" %s [%s]", 3461 ip6_sprintf(&desiredaddr), 3462 sppp_cp_type_name(type)); 3463 } 3464 continue; 3465 } 3466 3467 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3468 if (collision && nohisaddr) { 3469 /* collision, hisaddr unknown - Conf-Rej */ 3470 type = CONF_REJ; 3471 memset(&p[2], 0, 8); 3472 } else { 3473 /* 3474 * - no collision, hisaddr unknown, or 3475 * - collision, hisaddr known 3476 * Conf-Nak, suggest hisaddr 3477 */ 3478 type = CONF_NAK; 3479 sppp_suggest_ip6_addr(sp, &suggestaddr); 3480 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 3481 } 3482 if (debug) 3483 addlog(" %s [%s]", ip6_sprintf(&desiredaddr), 3484 sppp_cp_type_name(type)); 3485 break; 3486 } 3487 /* Add the option to nak'ed list. */ 3488 bcopy (p, r, p[1]); 3489 r += p[1]; 3490 rlen += p[1]; 3491 } 3492 3493 if (rlen == 0 && type == CONF_ACK) { 3494 if (debug) 3495 addlog(" send %s\n", sppp_cp_type_name(type)); 3496 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1); 3497 } else { 3498#ifdef notdef 3499 if (type == CONF_ACK) 3500 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3501#endif 3502 3503 if (debug) { 3504 addlog(" send %s suggest %s\n", 3505 sppp_cp_type_name(type), ip6_sprintf(&suggestaddr)); 3506 } 3507 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3508 } 3509 3510 end: 3511 free(buf, M_TEMP); 3512 return (rlen == 0); 3513 3514 drop: 3515 free(buf, M_TEMP); 3516 return -1; 3517} 3518 3519/* 3520 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3521 * negotiation. 3522 */ 3523static void 3524sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3525{ 3526 u_char *buf, *p; 3527 struct ifnet *ifp = &sp->pp_if; 3528 int debug = ifp->if_flags & IFF_DEBUG; 3529 3530 len -= 4; 3531 buf = malloc (len, M_TEMP, M_NOWAIT); 3532 if (!buf) 3533 return; 3534 3535 if (debug) 3536 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 3537 ifp->if_xname); 3538 3539 p = (void *)(h + 1); 3540 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3541 if (p[1] > len) { 3542 /* XXX just RXJ? */ 3543 addlog("%s: received malicious IPCPv6 option, " 3544 "dropping\n", ifp->if_xname); 3545 goto drop; 3546 } 3547 if (debug) 3548 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3549 switch (*p) { 3550 case IPV6CP_OPT_IFID: 3551 /* 3552 * Peer doesn't grok address option. This is 3553 * bad. XXX Should we better give up here? 3554 */ 3555 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3556 break; 3557#ifdef notyet 3558 case IPV6CP_OPT_COMPRESS: 3559 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3560 break; 3561#endif 3562 } 3563 } 3564 if (debug) 3565 addlog("\n"); 3566drop: 3567 free(buf, M_TEMP); 3568 return; 3569} 3570 3571/* 3572 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3573 * negotiation. 3574 */ 3575static void 3576sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3577{ 3578 u_char *buf, *p; 3579 struct ifnet *ifp = &sp->pp_if; 3580 int debug = ifp->if_flags & IFF_DEBUG; 3581 struct in6_addr suggestaddr; 3582 3583 len -= 4; 3584 buf = malloc (len, M_TEMP, M_NOWAIT); 3585 if (!buf) 3586 return; 3587 3588 if (debug) 3589 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 3590 ifp->if_xname); 3591 3592 p = (void *)(h + 1); 3593 for (; len > 1 && p[1]; len -= p[1], p += p[1]) { 3594 if (p[1] > len) { 3595 /* XXX just RXJ? */ 3596 addlog("%s: received malicious IPCPv6 option, " 3597 "dropping\n", ifp->if_xname); 3598 goto drop; 3599 } 3600 if (debug) 3601 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3602 switch (*p) { 3603 case IPV6CP_OPT_IFID: 3604 /* 3605 * Peer doesn't like our local ifid. See 3606 * if we can do something for him. We'll drop 3607 * him our address then. 3608 */ 3609 if (len < 10 || p[1] != 10) 3610 break; 3611 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3612 suggestaddr.s6_addr16[0] = htons(0xfe80); 3613 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 3614 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 3615 3616 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3617 if (debug) 3618 addlog(" [suggestaddr %s]", 3619 ip6_sprintf(&suggestaddr)); 3620#ifdef IPV6CP_MYIFID_DYN 3621 /* 3622 * When doing dynamic address assignment, 3623 * we accept his offer. 3624 */ 3625 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3626 struct in6_addr lastsuggest; 3627 /* 3628 * If <suggested myaddr from peer> equals to 3629 * <hisaddr we have suggested last time>, 3630 * we have a collision. generate new random 3631 * ifid. 3632 */ 3633 sppp_suggest_ip6_addr(&lastsuggest); 3634 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3635 lastsuggest)) { 3636 if (debug) 3637 addlog(" [random]"); 3638 sppp_gen_ip6_addr(sp, &suggestaddr); 3639 } 3640 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3641 if (debug) 3642 addlog(" [agree]"); 3643 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3644 } 3645#else 3646 /* 3647 * Since we do not do dynamic address assignment, 3648 * we ignore it and thus continue to negotiate 3649 * our already existing value. This can possibly 3650 * go into infinite request-reject loop. 3651 * 3652 * This is not likely because we normally use 3653 * ifid based on MAC-address. 3654 * If you have no ethernet card on the node, too bad. 3655 * XXX should we use fail_counter? 3656 */ 3657#endif 3658 break; 3659#ifdef notyet 3660 case IPV6CP_OPT_COMPRESS: 3661 /* 3662 * Peer wants different compression parameters. 3663 */ 3664 break; 3665#endif 3666 } 3667 } 3668 if (debug) 3669 addlog("\n"); 3670drop: 3671 free(buf, M_TEMP); 3672 return; 3673} 3674 3675static void 3676sppp_ipv6cp_tlu(struct sppp *sp) 3677{ 3678 /* we are up - notify isdn daemon */ 3679 if (sp->pp_con) 3680 sp->pp_con(sp); 3681} 3682 3683static void 3684sppp_ipv6cp_tld(struct sppp *sp) 3685{ 3686} 3687 3688static void 3689sppp_ipv6cp_tls(struct sppp *sp) 3690{ 3691 /* indicate to LCP that it must stay alive */ 3692 sp->lcp.protos |= (1 << IDX_IPV6CP); 3693} 3694 3695static void 3696sppp_ipv6cp_tlf(struct sppp *sp) 3697{ 3698 /* we no longer need LCP */ 3699 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3700} 3701 3702static void 3703sppp_ipv6cp_scr(struct sppp *sp) 3704{ 3705 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3706 struct in6_addr ouraddr; 3707 int i = 0; 3708 3709 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3710 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3711 opt[i++] = IPV6CP_OPT_IFID; 3712 opt[i++] = 10; 3713 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 3714 i += 8; 3715 } 3716 3717#ifdef notyet 3718 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 3719 opt[i++] = IPV6CP_OPT_COMPRESSION; 3720 opt[i++] = 4; 3721 opt[i++] = 0; /* TBD */ 3722 opt[i++] = 0; /* TBD */ 3723 /* variable length data may follow */ 3724 } 3725#endif 3726 3727 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 3728 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 3729} 3730#else /*INET6*/ 3731static void 3732sppp_ipv6cp_init(struct sppp *sp) 3733{ 3734} 3735 3736static void 3737sppp_ipv6cp_up(struct sppp *sp) 3738{ 3739} 3740 3741static void 3742sppp_ipv6cp_down(struct sppp *sp) 3743{ 3744} 3745 3746static void 3747sppp_ipv6cp_open(struct sppp *sp) 3748{ 3749} 3750 3751static void 3752sppp_ipv6cp_close(struct sppp *sp) 3753{ 3754} 3755 3756static void 3757sppp_ipv6cp_TO(void *sp) 3758{ 3759} 3760 3761static int 3762sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, 3763 int len) 3764{ 3765 return 0; 3766} 3767 3768static void 3769sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, 3770 int len) 3771{ 3772} 3773 3774static void 3775sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, 3776 int len) 3777{ 3778} 3779 3780static void 3781sppp_ipv6cp_tlu(struct sppp *sp) 3782{ 3783} 3784 3785static void 3786sppp_ipv6cp_tld(struct sppp *sp) 3787{ 3788} 3789 3790static void 3791sppp_ipv6cp_tls(struct sppp *sp) 3792{ 3793} 3794 3795static void 3796sppp_ipv6cp_tlf(struct sppp *sp) 3797{ 3798} 3799 3800static void 3801sppp_ipv6cp_scr(struct sppp *sp) 3802{ 3803} 3804#endif /*INET6*/ 3805 3806 3807/* 3808 *--------------------------------------------------------------------------* 3809 * * 3810 * The CHAP implementation. * 3811 * * 3812 *--------------------------------------------------------------------------* 3813 */ 3814 3815/* 3816 * The authentication protocols don't employ a full-fledged state machine as 3817 * the control protocols do, since they do have Open and Close events, but 3818 * not Up and Down, nor are they explicitly terminated. Also, use of the 3819 * authentication protocols may be different in both directions (this makes 3820 * sense, think of a machine that never accepts incoming calls but only 3821 * calls out, it doesn't require the called party to authenticate itself). 3822 * 3823 * Our state machine for the local authentication protocol (we are requesting 3824 * the peer to authenticate) looks like: 3825 * 3826 * RCA- 3827 * +--------------------------------------------+ 3828 * V scn,tld| 3829 * +--------+ Close +---------+ RCA+ 3830 * | |<----------------------------------| |------+ 3831 * +--->| Closed | TO* | Opened | sca | 3832 * | | |-----+ +-------| |<-----+ 3833 * | +--------+ irc | | +---------+ 3834 * | ^ | | ^ 3835 * | | | | | 3836 * | | | | | 3837 * | TO-| | | | 3838 * | |tld TO+ V | | 3839 * | | +------->+ | | 3840 * | | | | | | 3841 * | +--------+ V | | 3842 * | | |<----+<--------------------+ | 3843 * | | Req- | scr | 3844 * | | Sent | | 3845 * | | | | 3846 * | +--------+ | 3847 * | RCA- | | RCA+ | 3848 * +------+ +------------------------------------------+ 3849 * scn,tld sca,irc,ict,tlu 3850 * 3851 * 3852 * with: 3853 * 3854 * Open: LCP reached authentication phase 3855 * Close: LCP reached terminate phase 3856 * 3857 * RCA+: received reply (pap-req, chap-response), acceptable 3858 * RCN: received reply (pap-req, chap-response), not acceptable 3859 * TO+: timeout with restart counter >= 0 3860 * TO-: timeout with restart counter < 0 3861 * TO*: reschedule timeout for CHAP 3862 * 3863 * scr: send request packet (none for PAP, chap-challenge) 3864 * sca: send ack packet (pap-ack, chap-success) 3865 * scn: send nak packet (pap-nak, chap-failure) 3866 * ict: initialize re-challenge timer (CHAP only) 3867 * 3868 * tlu: this-layer-up, LCP reaches network phase 3869 * tld: this-layer-down, LCP enters terminate phase 3870 * 3871 * Note that in CHAP mode, after sending a new challenge, while the state 3872 * automaton falls back into Req-Sent state, it doesn't signal a tld 3873 * event to LCP, so LCP remains in network phase. Only after not getting 3874 * any response (or after getting an unacceptable response), CHAP closes, 3875 * causing LCP to enter terminate phase. 3876 * 3877 * With PAP, there is no initial request that can be sent. The peer is 3878 * expected to send one based on the successful negotiation of PAP as 3879 * the authentication protocol during the LCP option negotiation. 3880 * 3881 * Incoming authentication protocol requests (remote requests 3882 * authentication, we are peer) don't employ a state machine at all, 3883 * they are simply answered. Some peers [Ascend P50 firmware rev 3884 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are 3885 * still in authentication phase (thereby violating the standard that 3886 * demands that these NCP packets are to be discarded), so we keep 3887 * track of the peer demanding us to authenticate, and only proceed to 3888 * phase network once we've seen a positive acknowledge for the 3889 * authentication. 3890 */ 3891 3892/* 3893 * Handle incoming CHAP packets. 3894 */ 3895void 3896sppp_chap_input(struct sppp *sp, struct mbuf *m) 3897{ 3898 STDDCL; 3899 struct lcp_header *h; 3900 int len, x; 3901 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize; 3902 int value_len, name_len; 3903 MD5_CTX ctx; 3904 3905 len = m->m_pkthdr.len; 3906 if (len < 4) { 3907 if (debug) 3908 log(LOG_DEBUG, 3909 "%s: chap invalid packet length: %d bytes\n", 3910 ifp->if_xname, len); 3911 return; 3912 } 3913 h = mtod(m, struct lcp_header *); 3914 if (len > ntohs(h->len)) 3915 len = ntohs(h->len); 3916 3917 switch (h->type) { 3918 /* challenge, failure and success are his authproto */ 3919 case CHAP_CHALLENGE: 3920 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 3921 /* can't do anything useful */ 3922 sp->pp_auth_failures++; 3923 printf("%s: chap input without my name and my secret being set\n", 3924 ifp->if_xname); 3925 break; 3926 } 3927 value = 1 + (u_char *)(h + 1); 3928 value_len = value[-1]; 3929 name = value + value_len; 3930 name_len = len - value_len - 5; 3931 if (name_len < 0) { 3932 if (debug) { 3933 log(LOG_DEBUG, 3934 "%s: chap corrupted challenge " 3935 "<%s id=0x%x len=%d", 3936 ifp->if_xname, 3937 sppp_auth_type_name(PPP_CHAP, h->type), 3938 h->ident, ntohs(h->len)); 3939 if (len > 4) 3940 sppp_print_bytes((u_char *)(h + 1), 3941 len - 4); 3942 addlog(">\n"); 3943 } 3944 break; 3945 } 3946 3947 if (debug) { 3948 log(LOG_DEBUG, 3949 "%s: chap input <%s id=0x%x len=%d name=", 3950 ifp->if_xname, 3951 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 3952 ntohs(h->len)); 3953 sppp_print_string((char *) name, name_len); 3954 addlog(" value-size=%d value=", value_len); 3955 sppp_print_bytes(value, value_len); 3956 addlog(">\n"); 3957 } 3958 3959 /* Compute reply value. */ 3960 MD5Init(&ctx); 3961 MD5Update(&ctx, &h->ident, 1); 3962 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 3963 MD5Update(&ctx, value, value_len); 3964 MD5Final(digest, &ctx); 3965 dsize = sizeof digest; 3966 3967 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 3968 sizeof dsize, (const char *)&dsize, 3969 sizeof digest, digest, 3970 sp->myauth.name_len, 3971 sp->myauth.name, 3972 0); 3973 break; 3974 3975 case CHAP_SUCCESS: 3976 if (debug) { 3977 log(LOG_DEBUG, "%s: chap success", 3978 ifp->if_xname); 3979 if (len > 4) { 3980 addlog(": "); 3981 sppp_print_string((char *)(h + 1), len - 4); 3982 } 3983 addlog("\n"); 3984 } 3985 x = splnet(); 3986 sp->pp_auth_failures = 0; 3987 sp->pp_flags &= ~PP_NEEDAUTH; 3988 if (sp->myauth.proto == PPP_CHAP && 3989 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 3990 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 3991 /* 3992 * We are authenticator for CHAP but didn't 3993 * complete yet. Leave it to tlu to proceed 3994 * to network phase. 3995 */ 3996 splx(x); 3997 break; 3998 } 3999 splx(x); 4000 sppp_phase_network(sp); 4001 break; 4002 4003 case CHAP_FAILURE: 4004 x = splnet(); 4005 sp->pp_auth_failures++; 4006 splx(x); 4007 if (debug) { 4008 log(LOG_INFO, "%s: chap failure", 4009 ifp->if_xname); 4010 if (len > 4) { 4011 addlog(": "); 4012 sppp_print_string((char *)(h + 1), len - 4); 4013 } 4014 addlog("\n"); 4015 } else 4016 log(LOG_INFO, "%s: chap failure\n", 4017 ifp->if_xname); 4018 /* await LCP shutdown by authenticator */ 4019 break; 4020 4021 /* response is my authproto */ 4022 case CHAP_RESPONSE: 4023 if (sp->hisauth.secret == NULL) { 4024 /* can't do anything useful */ 4025 printf("%s: chap input without his secret being set\n", 4026 ifp->if_xname); 4027 break; 4028 } 4029 value = 1 + (u_char *)(h + 1); 4030 value_len = value[-1]; 4031 name = value + value_len; 4032 name_len = len - value_len - 5; 4033 if (name_len < 0) { 4034 if (debug) { 4035 log(LOG_DEBUG, 4036 "%s: chap corrupted response " 4037 "<%s id=0x%x len=%d", 4038 ifp->if_xname, 4039 sppp_auth_type_name(PPP_CHAP, h->type), 4040 h->ident, ntohs(h->len)); 4041 if (len > 4) 4042 sppp_print_bytes((u_char *)(h + 1), 4043 len - 4); 4044 addlog(">\n"); 4045 } 4046 break; 4047 } 4048 if (h->ident != sp->confid[IDX_CHAP]) { 4049 if (debug) 4050 log(LOG_DEBUG, 4051 "%s: chap dropping response for old ID " 4052 "(got %d, expected %d)\n", 4053 ifp->if_xname, 4054 h->ident, sp->confid[IDX_CHAP]); 4055 break; 4056 } 4057 if (sp->hisauth.name != NULL && 4058 (name_len != sp->hisauth.name_len 4059 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 4060 log(LOG_INFO, "%s: chap response, his name ", 4061 ifp->if_xname); 4062 sppp_print_string(name, name_len); 4063 addlog(" != expected "); 4064 sppp_print_string(sp->hisauth.name, 4065 sp->hisauth.name_len); 4066 addlog("\n"); 4067 goto chap_failure; 4068 } 4069 if (debug) { 4070 log(LOG_DEBUG, "%s: chap input(%s) " 4071 "<%s id=0x%x len=%d name=", 4072 ifp->if_xname, 4073 sppp_state_name(sp->state[IDX_CHAP]), 4074 sppp_auth_type_name(PPP_CHAP, h->type), 4075 h->ident, ntohs(h->len)); 4076 sppp_print_string((char *)name, name_len); 4077 addlog(" value-size=%d value=", value_len); 4078 sppp_print_bytes(value, value_len); 4079 addlog(">\n"); 4080 } 4081 if (value_len != sizeof(sp->myauth.challenge)) { 4082 if (debug) 4083 log(LOG_DEBUG, 4084 "%s: chap bad hash value length: " 4085 "%d bytes, should be %ld\n", 4086 ifp->if_xname, value_len, 4087 (long) sizeof(sp->myauth.challenge)); 4088 goto chap_failure; 4089 } 4090 4091 MD5Init(&ctx); 4092 MD5Update(&ctx, &h->ident, 1); 4093 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 4094 MD5Update(&ctx, sp->myauth.challenge, sizeof(sp->myauth.challenge)); 4095 MD5Final(digest, &ctx); 4096 4097#define FAILMSG "Failed..." 4098#define SUCCMSG "Welcome!" 4099 4100 if (value_len != sizeof digest || 4101 memcmp(digest, value, value_len) != 0) { 4102chap_failure: 4103 /* action scn, tld */ 4104 x = splnet(); 4105 sp->pp_auth_failures++; 4106 splx(x); 4107 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4108 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4109 0); 4110 chap.tld(sp); 4111 break; 4112 } 4113 sp->pp_auth_failures = 0; 4114 /* action sca, perhaps tlu */ 4115 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4116 sp->state[IDX_CHAP] == STATE_OPENED) 4117 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4118 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4119 0); 4120 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4121 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4122 chap.tlu(sp); 4123 } 4124 break; 4125 4126 default: 4127 /* Unknown CHAP packet type -- ignore. */ 4128 if (debug) { 4129 log(LOG_DEBUG, "%s: chap unknown input(%s) " 4130 "<0x%x id=0x%xh len=%d", 4131 ifp->if_xname, 4132 sppp_state_name(sp->state[IDX_CHAP]), 4133 h->type, h->ident, ntohs(h->len)); 4134 if (len > 4) 4135 sppp_print_bytes((u_char *)(h + 1), len - 4); 4136 addlog(">\n"); 4137 } 4138 break; 4139 4140 } 4141} 4142 4143static void 4144sppp_chap_init(struct sppp *sp) 4145{ 4146 /* Chap doesn't have STATE_INITIAL at all. */ 4147 sp->state[IDX_CHAP] = STATE_CLOSED; 4148 sp->fail_counter[IDX_CHAP] = 0; 4149 sp->pp_seq[IDX_CHAP] = 0; 4150 sp->pp_rseq[IDX_CHAP] = 0; 4151 callout_init(&sp->ch[IDX_CHAP], 0); 4152} 4153 4154static void 4155sppp_chap_open(struct sppp *sp) 4156{ 4157 if (sp->myauth.proto == PPP_CHAP && 4158 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4159 /* we are authenticator for CHAP, start it */ 4160 chap.scr(sp); 4161 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4162 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4163 } 4164 /* nothing to be done if we are peer, await a challenge */ 4165} 4166 4167static void 4168sppp_chap_close(struct sppp *sp) 4169{ 4170 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4171 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4172} 4173 4174static void 4175sppp_chap_TO(void *cookie) 4176{ 4177 struct sppp *sp = (struct sppp *)cookie; 4178 STDDCL; 4179 int s; 4180 4181 s = splnet(); 4182 if (debug) 4183 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n", 4184 ifp->if_xname, 4185 sppp_state_name(sp->state[IDX_CHAP]), 4186 sp->rst_counter[IDX_CHAP]); 4187 4188 if (--sp->rst_counter[IDX_CHAP] < 0) 4189 /* TO- event */ 4190 switch (sp->state[IDX_CHAP]) { 4191 case STATE_REQ_SENT: 4192 chap.tld(sp); 4193 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4194 break; 4195 } 4196 else 4197 /* TO+ (or TO*) event */ 4198 switch (sp->state[IDX_CHAP]) { 4199 case STATE_OPENED: 4200 /* TO* event */ 4201 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4202 /* fall through */ 4203 case STATE_REQ_SENT: 4204 chap.scr(sp); 4205 /* sppp_cp_change_state() will restart the timer */ 4206 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4207 break; 4208 } 4209 4210 splx(s); 4211} 4212 4213static void 4214sppp_chap_tlu(struct sppp *sp) 4215{ 4216 STDDCL; 4217 int i, x; 4218 4219 i = 0; 4220 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4221 4222 /* 4223 * Some broken CHAP implementations (Conware CoNet, firmware 4224 * 4.0.?) don't want to re-authenticate their CHAP once the 4225 * initial challenge-response exchange has taken place. 4226 * Provide for an option to avoid rechallenges. 4227 */ 4228 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 4229 /* 4230 * Compute the re-challenge timeout. This will yield 4231 * a number between 300 and 810 seconds. 4232 */ 4233 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7); 4234 4235 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp); 4236 } 4237 4238 if (debug) { 4239 log(LOG_DEBUG, 4240 "%s: chap %s, ", 4241 ifp->if_xname, 4242 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu"); 4243 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) 4244 addlog("next re-challenge in %d seconds\n", i); 4245 else 4246 addlog("re-challenging supressed\n"); 4247 } 4248 4249 x = splnet(); 4250 sp->pp_auth_failures = 0; 4251 /* indicate to LCP that we need to be closed down */ 4252 sp->lcp.protos |= (1 << IDX_CHAP); 4253 4254 if (sp->pp_flags & PP_NEEDAUTH) { 4255 /* 4256 * Remote is authenticator, but his auth proto didn't 4257 * complete yet. Defer the transition to network 4258 * phase. 4259 */ 4260 splx(x); 4261 return; 4262 } 4263 splx(x); 4264 4265 /* 4266 * If we are already in phase network, we are done here. This 4267 * is the case if this is a dummy tlu event after a re-challenge. 4268 */ 4269 if (sp->pp_phase != SPPP_PHASE_NETWORK) 4270 sppp_phase_network(sp); 4271} 4272 4273static void 4274sppp_chap_tld(struct sppp *sp) 4275{ 4276 STDDCL; 4277 4278 if (debug) 4279 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname); 4280 callout_stop(&sp->ch[IDX_CHAP]); 4281 sp->lcp.protos &= ~(1 << IDX_CHAP); 4282 4283 lcp.Close(sp); 4284} 4285 4286static void 4287sppp_chap_scr(struct sppp *sp) 4288{ 4289 uint32_t *ch; 4290 u_char clen = 4 * sizeof(uint32_t); 4291 4292 if (sp->myauth.name == NULL) { 4293 /* can't do anything useful */ 4294 printf("%s: chap starting without my name being set\n", 4295 sp->pp_if.if_xname); 4296 return; 4297 } 4298 4299 /* Compute random challenge. */ 4300 ch = (uint32_t *)sp->myauth.challenge; 4301 cprng_strong(kern_cprng, ch, clen, 0); 4302 4303 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4304 4305 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4306 sizeof clen, (const char *)&clen, 4307 sizeof(sp->myauth.challenge), sp->myauth.challenge, 4308 sp->myauth.name_len, 4309 sp->myauth.name, 4310 0); 4311} 4312 4313/* 4314 *--------------------------------------------------------------------------* 4315 * * 4316 * The PAP implementation. * 4317 * * 4318 *--------------------------------------------------------------------------* 4319 */ 4320/* 4321 * For PAP, we need to keep a little state also if we are the peer, not the 4322 * authenticator. This is since we don't get a request to authenticate, but 4323 * have to repeatedly authenticate ourself until we got a response (or the 4324 * retry counter is expired). 4325 */ 4326 4327/* 4328 * Handle incoming PAP packets. */ 4329static void 4330sppp_pap_input(struct sppp *sp, struct mbuf *m) 4331{ 4332 STDDCL; 4333 struct lcp_header *h; 4334 int len, x; 4335 u_char mlen; 4336 char *name, *secret; 4337 int name_len, secret_len; 4338 4339 /* 4340 * Malicious input might leave this uninitialized, so 4341 * init to an impossible value. 4342 */ 4343 secret_len = -1; 4344 4345 len = m->m_pkthdr.len; 4346 if (len < 5) { 4347 if (debug) 4348 log(LOG_DEBUG, 4349 "%s: pap invalid packet length: %d bytes\n", 4350 ifp->if_xname, len); 4351 return; 4352 } 4353 h = mtod(m, struct lcp_header *); 4354 if (len > ntohs(h->len)) 4355 len = ntohs(h->len); 4356 switch (h->type) { 4357 /* PAP request is my authproto */ 4358 case PAP_REQ: 4359 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4360 /* can't do anything useful */ 4361 printf("%s: pap request without his name and his secret being set\n", 4362 ifp->if_xname); 4363 break; 4364 } 4365 name = 1 + (u_char *)(h + 1); 4366 name_len = name[-1]; 4367 secret = name + name_len + 1; 4368 if (name_len > len - 6 || 4369 (secret_len = secret[-1]) > len - 6 - name_len) { 4370 if (debug) { 4371 log(LOG_DEBUG, "%s: pap corrupted input " 4372 "<%s id=0x%x len=%d", 4373 ifp->if_xname, 4374 sppp_auth_type_name(PPP_PAP, h->type), 4375 h->ident, ntohs(h->len)); 4376 if (len > 4) 4377 sppp_print_bytes((u_char *)(h + 1), 4378 len - 4); 4379 addlog(">\n"); 4380 } 4381 break; 4382 } 4383 if (debug) { 4384 log(LOG_DEBUG, "%s: pap input(%s) " 4385 "<%s id=0x%x len=%d name=", 4386 ifp->if_xname, 4387 sppp_state_name(sp->state[IDX_PAP]), 4388 sppp_auth_type_name(PPP_PAP, h->type), 4389 h->ident, ntohs(h->len)); 4390 sppp_print_string((char *)name, name_len); 4391 addlog(" secret="); 4392 sppp_print_string((char *)secret, secret_len); 4393 addlog(">\n"); 4394 } 4395 if (name_len != sp->hisauth.name_len || 4396 secret_len != sp->hisauth.secret_len || 4397 memcmp(name, sp->hisauth.name, name_len) != 0 || 4398 memcmp(secret, sp->hisauth.secret, secret_len) != 0) { 4399 /* action scn, tld */ 4400 sp->pp_auth_failures++; 4401 mlen = sizeof(FAILMSG) - 1; 4402 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4403 sizeof mlen, (const char *)&mlen, 4404 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4405 0); 4406 pap.tld(sp); 4407 break; 4408 } 4409 /* action sca, perhaps tlu */ 4410 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4411 sp->state[IDX_PAP] == STATE_OPENED) { 4412 mlen = sizeof(SUCCMSG) - 1; 4413 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4414 sizeof mlen, (const char *)&mlen, 4415 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4416 0); 4417 } 4418 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4419 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4420 pap.tlu(sp); 4421 } 4422 break; 4423 4424 /* ack and nak are his authproto */ 4425 case PAP_ACK: 4426 callout_stop(&sp->pap_my_to_ch); 4427 if (debug) { 4428 log(LOG_DEBUG, "%s: pap success", 4429 ifp->if_xname); 4430 name = 1 + (u_char *)(h + 1); 4431 name_len = name[-1]; 4432 if (len > 5 && name_len < len+4) { 4433 addlog(": "); 4434 sppp_print_string(name, name_len); 4435 } 4436 addlog("\n"); 4437 } 4438 x = splnet(); 4439 sp->pp_auth_failures = 0; 4440 sp->pp_flags &= ~PP_NEEDAUTH; 4441 if (sp->myauth.proto == PPP_PAP && 4442 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4443 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4444 /* 4445 * We are authenticator for PAP but didn't 4446 * complete yet. Leave it to tlu to proceed 4447 * to network phase. 4448 */ 4449 splx(x); 4450 break; 4451 } 4452 splx(x); 4453 sppp_phase_network(sp); 4454 break; 4455 4456 case PAP_NAK: 4457 callout_stop(&sp->pap_my_to_ch); 4458 sp->pp_auth_failures++; 4459 if (debug) { 4460 log(LOG_INFO, "%s: pap failure", 4461 ifp->if_xname); 4462 name = 1 + (u_char *)(h + 1); 4463 name_len = name[-1]; 4464 if (len > 5 && name_len < len+4) { 4465 addlog(": "); 4466 sppp_print_string(name, name_len); 4467 } 4468 addlog("\n"); 4469 } else 4470 log(LOG_INFO, "%s: pap failure\n", 4471 ifp->if_xname); 4472 /* await LCP shutdown by authenticator */ 4473 break; 4474 4475 default: 4476 /* Unknown PAP packet type -- ignore. */ 4477 if (debug) { 4478 log(LOG_DEBUG, "%s: pap corrupted input " 4479 "<0x%x id=0x%x len=%d", 4480 ifp->if_xname, 4481 h->type, h->ident, ntohs(h->len)); 4482 if (len > 4) 4483 sppp_print_bytes((u_char *)(h + 1), len - 4); 4484 addlog(">\n"); 4485 } 4486 break; 4487 4488 } 4489} 4490 4491static void 4492sppp_pap_init(struct sppp *sp) 4493{ 4494 /* PAP doesn't have STATE_INITIAL at all. */ 4495 sp->state[IDX_PAP] = STATE_CLOSED; 4496 sp->fail_counter[IDX_PAP] = 0; 4497 sp->pp_seq[IDX_PAP] = 0; 4498 sp->pp_rseq[IDX_PAP] = 0; 4499 callout_init(&sp->ch[IDX_PAP], 0); 4500 callout_init(&sp->pap_my_to_ch, 0); 4501} 4502 4503static void 4504sppp_pap_open(struct sppp *sp) 4505{ 4506 if (sp->hisauth.proto == PPP_PAP && 4507 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4508 /* we are authenticator for PAP, start our timer */ 4509 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4510 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4511 } 4512 if (sp->myauth.proto == PPP_PAP) { 4513 /* we are peer, send a request, and start a timer */ 4514 pap.scr(sp); 4515 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout, 4516 sppp_pap_my_TO, sp); 4517 } 4518} 4519 4520static void 4521sppp_pap_close(struct sppp *sp) 4522{ 4523 if (sp->state[IDX_PAP] != STATE_CLOSED) 4524 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4525} 4526 4527/* 4528 * That's the timeout routine if we are authenticator. Since the 4529 * authenticator is basically passive in PAP, we can't do much here. 4530 */ 4531static void 4532sppp_pap_TO(void *cookie) 4533{ 4534 struct sppp *sp = (struct sppp *)cookie; 4535 STDDCL; 4536 int s; 4537 4538 s = splnet(); 4539 if (debug) 4540 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n", 4541 ifp->if_xname, 4542 sppp_state_name(sp->state[IDX_PAP]), 4543 sp->rst_counter[IDX_PAP]); 4544 4545 if (--sp->rst_counter[IDX_PAP] < 0) 4546 /* TO- event */ 4547 switch (sp->state[IDX_PAP]) { 4548 case STATE_REQ_SENT: 4549 pap.tld(sp); 4550 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4551 break; 4552 } 4553 else 4554 /* TO+ event, not very much we could do */ 4555 switch (sp->state[IDX_PAP]) { 4556 case STATE_REQ_SENT: 4557 /* sppp_cp_change_state() will restart the timer */ 4558 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4559 break; 4560 } 4561 4562 splx(s); 4563} 4564 4565/* 4566 * That's the timeout handler if we are peer. Since the peer is active, 4567 * we need to retransmit our PAP request since it is apparently lost. 4568 * XXX We should impose a max counter. 4569 */ 4570static void 4571sppp_pap_my_TO(void *cookie) 4572{ 4573 struct sppp *sp = (struct sppp *)cookie; 4574 STDDCL; 4575 4576 if (debug) 4577 log(LOG_DEBUG, "%s: pap peer TO\n", 4578 ifp->if_xname); 4579 4580 pap.scr(sp); 4581} 4582 4583static void 4584sppp_pap_tlu(struct sppp *sp) 4585{ 4586 STDDCL; 4587 int x; 4588 4589 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4590 4591 if (debug) 4592 log(LOG_DEBUG, "%s: %s tlu\n", 4593 ifp->if_xname, pap.name); 4594 4595 x = splnet(); 4596 sp->pp_auth_failures = 0; 4597 /* indicate to LCP that we need to be closed down */ 4598 sp->lcp.protos |= (1 << IDX_PAP); 4599 4600 if (sp->pp_flags & PP_NEEDAUTH) { 4601 /* 4602 * Remote is authenticator, but his auth proto didn't 4603 * complete yet. Defer the transition to network 4604 * phase. 4605 */ 4606 splx(x); 4607 return; 4608 } 4609 splx(x); 4610 sppp_phase_network(sp); 4611} 4612 4613static void 4614sppp_pap_tld(struct sppp *sp) 4615{ 4616 STDDCL; 4617 4618 if (debug) 4619 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname); 4620 callout_stop(&sp->ch[IDX_PAP]); 4621 callout_stop(&sp->pap_my_to_ch); 4622 sp->lcp.protos &= ~(1 << IDX_PAP); 4623 4624 lcp.Close(sp); 4625} 4626 4627static void 4628sppp_pap_scr(struct sppp *sp) 4629{ 4630 u_char idlen, pwdlen; 4631 4632 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4633 /* can't do anything useful */ 4634 printf("%s: pap starting without my name and secret being set\n", 4635 sp->pp_if.if_xname); 4636 return; 4637 } 4638 4639 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4640 pwdlen = sp->myauth.secret_len; 4641 idlen = sp->myauth.name_len; 4642 4643 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 4644 sizeof idlen, (const char *)&idlen, 4645 idlen, sp->myauth.name, 4646 sizeof pwdlen, (const char *)&pwdlen, 4647 pwdlen, sp->myauth.secret, 4648 0); 4649} 4650 4651/* 4652 * Random miscellaneous functions. 4653 */ 4654 4655/* 4656 * Send a PAP or CHAP proto packet. 4657 * 4658 * Varadic function, each of the elements for the ellipsis is of type 4659 * ``size_t mlen, const u_char *msg''. Processing will stop iff 4660 * mlen == 0. 4661 * NOTE: never declare variadic functions with types subject to type 4662 * promotion (i.e. u_char). This is asking for big trouble depending 4663 * on the architecture you are on... 4664 */ 4665 4666static void 4667sppp_auth_send(const struct cp *cp, struct sppp *sp, 4668 unsigned int type, unsigned int id, 4669 ...) 4670{ 4671 STDDCL; 4672 struct lcp_header *lh; 4673 struct mbuf *m; 4674 u_char *p; 4675 int len; 4676 size_t pkthdrlen; 4677 unsigned int mlen; 4678 const char *msg; 4679 va_list ap; 4680 4681 MGETHDR(m, M_DONTWAIT, MT_DATA); 4682 if (! m) 4683 return; 4684 m->m_pkthdr.rcvif = 0; 4685 4686 if (sp->pp_flags & PP_NOFRAMING) { 4687 *mtod(m, uint16_t *) = htons(cp->proto); 4688 pkthdrlen = 2; 4689 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 4690 } else { 4691 struct ppp_header *h; 4692 h = mtod(m, struct ppp_header *); 4693 h->address = PPP_ALLSTATIONS; /* broadcast address */ 4694 h->control = PPP_UI; /* Unnumbered Info */ 4695 h->protocol = htons(cp->proto); 4696 pkthdrlen = PPP_HEADER_LEN; 4697 4698 lh = (struct lcp_header *)(h + 1); 4699 } 4700 4701 lh->type = type; 4702 lh->ident = id; 4703 p = (u_char *)(lh + 1); 4704 4705 va_start(ap, id); 4706 len = 0; 4707 4708 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 4709 msg = va_arg(ap, const char *); 4710 len += mlen; 4711 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 4712 va_end(ap); 4713 m_freem(m); 4714 return; 4715 } 4716 4717 memcpy(p, msg, mlen); 4718 p += mlen; 4719 } 4720 va_end(ap); 4721 4722 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 4723 lh->len = htons(LCP_HEADER_LEN + len); 4724 4725 if (debug) { 4726 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 4727 ifp->if_xname, cp->name, 4728 sppp_auth_type_name(cp->proto, lh->type), 4729 lh->ident, ntohs(lh->len)); 4730 if (len) 4731 sppp_print_bytes((u_char *)(lh + 1), len); 4732 addlog(">\n"); 4733 } 4734 if (IF_QFULL(&sp->pp_cpq)) { 4735 IF_DROP(&sp->pp_fastq); 4736 IF_DROP(&ifp->if_snd); 4737 m_freem(m); 4738 ++ifp->if_oerrors; 4739 return; 4740 } else 4741 IF_ENQUEUE(&sp->pp_cpq, m); 4742 if (! (ifp->if_flags & IFF_OACTIVE)) 4743 (*ifp->if_start)(ifp); 4744 ifp->if_obytes += m->m_pkthdr.len + 3; 4745} 4746 4747/* 4748 * Send keepalive packets, every 10 seconds. 4749 */ 4750static void 4751sppp_keepalive(void *dummy) 4752{ 4753 struct sppp *sp; 4754 int s; 4755 time_t now; 4756 4757 s = splnet(); 4758 now = time_uptime; 4759 for (sp=spppq; sp; sp=sp->pp_next) { 4760 struct ifnet *ifp = &sp->pp_if; 4761 4762 /* check idle timeout */ 4763 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 4764 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 4765 /* idle timeout is enabled for this interface */ 4766 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 4767 if (ifp->if_flags & IFF_DEBUG) 4768 printf("%s: no activity for %lu seconds\n", 4769 sp->pp_if.if_xname, 4770 (unsigned long)(now-sp->pp_last_activity)); 4771 lcp.Close(sp); 4772 continue; 4773 } 4774 } 4775 4776 /* Keepalive mode disabled or channel down? */ 4777 if (! (sp->pp_flags & PP_KEEPALIVE) || 4778 ! (ifp->if_flags & IFF_RUNNING)) 4779 continue; 4780 4781 /* No keepalive in PPP mode if LCP not opened yet. */ 4782 if (! (sp->pp_flags & PP_CISCO) && 4783 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) 4784 continue; 4785 4786 /* No echo reply, but maybe user data passed through? */ 4787 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) { 4788 sp->pp_alivecnt = 0; 4789 continue; 4790 } 4791 4792 if (sp->pp_alivecnt >= sp->pp_maxalive) { 4793 /* No keepalive packets got. Stop the interface. */ 4794 if_down (ifp); 4795 IF_PURGE(&sp->pp_cpq); 4796 if (! (sp->pp_flags & PP_CISCO)) { 4797 printf("%s: LCP keepalive timed out, going to restart the connection\n", 4798 ifp->if_xname); 4799 sp->pp_alivecnt = 0; 4800 4801 /* we are down, close all open protocols */ 4802 lcp.Close(sp); 4803 4804 /* And now prepare LCP to reestablish the link, if configured to do so. */ 4805 sppp_cp_change_state(&lcp, sp, STATE_STOPPED); 4806 4807 /* Close connection immediately, completition of this 4808 * will summon the magic needed to reestablish it. */ 4809 if (sp->pp_tlf) 4810 sp->pp_tlf(sp); 4811 continue; 4812 } 4813 } 4814 if (sp->pp_alivecnt < sp->pp_maxalive) 4815 ++sp->pp_alivecnt; 4816 if (sp->pp_flags & PP_CISCO) 4817 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 4818 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 4819 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 4820 int32_t nmagic = htonl(sp->lcp.magic); 4821 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 4822 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 4823 sp->lcp.echoid, 4, &nmagic); 4824 } 4825 } 4826 splx(s); 4827 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 4828} 4829 4830#ifdef INET 4831/* 4832 * Get both IP addresses. 4833 */ 4834static void 4835sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 4836{ 4837 struct ifnet *ifp = &sp->pp_if; 4838 struct ifaddr *ifa; 4839 struct sockaddr_in *si, *sm; 4840 uint32_t ssrc, ddst; 4841 4842 sm = NULL; 4843 ssrc = ddst = 0; 4844 /* 4845 * Pick the first AF_INET address from the list, 4846 * aliases don't make any sense on a p2p link anyway. 4847 */ 4848 si = 0; 4849 IFADDR_FOREACH(ifa, ifp) { 4850 if (ifa->ifa_addr->sa_family == AF_INET) { 4851 si = (struct sockaddr_in *)ifa->ifa_addr; 4852 sm = (struct sockaddr_in *)ifa->ifa_netmask; 4853 if (si) 4854 break; 4855 } 4856 } 4857 if (ifa) { 4858 if (si && si->sin_addr.s_addr) { 4859 ssrc = si->sin_addr.s_addr; 4860 if (srcmask) 4861 *srcmask = ntohl(sm->sin_addr.s_addr); 4862 } 4863 4864 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 4865 if (si && si->sin_addr.s_addr) 4866 ddst = si->sin_addr.s_addr; 4867 } 4868 4869 if (dst) *dst = ntohl(ddst); 4870 if (src) *src = ntohl(ssrc); 4871} 4872 4873/* 4874 * Set IP addresses. Must be called at splnet. 4875 * If an address is 0, leave it the way it is. 4876 */ 4877static void 4878sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr) 4879{ 4880 STDDCL; 4881 struct ifaddr *ifa; 4882 struct sockaddr_in *si, *dest; 4883 4884 /* 4885 * Pick the first AF_INET address from the list, 4886 * aliases don't make any sense on a p2p link anyway. 4887 */ 4888 4889 IFADDR_FOREACH(ifa, ifp) { 4890 if (ifa->ifa_addr->sa_family == AF_INET) { 4891 si = (struct sockaddr_in *)ifa->ifa_addr; 4892 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4893 goto found; 4894 } 4895 } 4896 return; 4897 4898found: 4899 { 4900 int error; 4901 struct sockaddr_in new_sin = *si; 4902 struct sockaddr_in new_dst = *dest; 4903 4904 /* 4905 * Scrub old routes now instead of calling in_ifinit with 4906 * scrub=1, because we may change the dstaddr 4907 * before the call to in_ifinit. 4908 */ 4909 in_ifscrub(ifp, ifatoia(ifa)); 4910 4911 if (myaddr != 0) 4912 new_sin.sin_addr.s_addr = htonl(myaddr); 4913 if (hisaddr != 0) { 4914 new_dst.sin_addr.s_addr = htonl(hisaddr); 4915 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) { 4916 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 4917 *dest = new_dst; /* fix dstaddr in place */ 4918 } 4919 } 4920 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, 0); 4921 if (debug && error) 4922 { 4923 log(LOG_DEBUG, "%s: sppp_set_ip_addrs: in_ifinit " 4924 " failed, error=%d\n", ifp->if_xname, error); 4925 } 4926#ifdef PFIL_HOOKS 4927 if (!error) 4928 (void)pfil_run_hooks(&if_pfil, 4929 (struct mbuf **)SIOCAIFADDR, ifp, PFIL_IFADDR); 4930#endif 4931 } 4932} 4933 4934/* 4935 * Clear IP addresses. Must be called at splnet. 4936 */ 4937static void 4938sppp_clear_ip_addrs(struct sppp *sp) 4939{ 4940 struct ifnet *ifp = &sp->pp_if; 4941 struct ifaddr *ifa; 4942 struct sockaddr_in *si, *dest; 4943 4944 uint32_t remote; 4945 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4946 remote = sp->ipcp.saved_hisaddr; 4947 else 4948 sppp_get_ip_addrs(sp, 0, &remote, 0); 4949 4950 /* 4951 * Pick the first AF_INET address from the list, 4952 * aliases don't make any sense on a p2p link anyway. 4953 */ 4954 4955 IFADDR_FOREACH(ifa, ifp) { 4956 if (ifa->ifa_addr->sa_family == AF_INET) { 4957 si = (struct sockaddr_in *)ifa->ifa_addr; 4958 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 4959 goto found; 4960 } 4961 } 4962 return; 4963 4964found: 4965 { 4966 struct sockaddr_in new_sin = *si; 4967 4968 in_ifscrub(ifp, ifatoia(ifa)); 4969 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 4970 new_sin.sin_addr.s_addr = 0; 4971 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 4972 /* replace peer addr in place */ 4973 dest->sin_addr.s_addr = sp->ipcp.saved_hisaddr; 4974 in_ifinit(ifp, ifatoia(ifa), &new_sin, 0); 4975#ifdef PFIL_HOOKS 4976 (void)pfil_run_hooks(&if_pfil, 4977 (struct mbuf **)SIOCDIFADDR, ifp, PFIL_IFADDR); 4978#endif 4979 } 4980} 4981#endif 4982 4983#ifdef INET6 4984/* 4985 * Get both IPv6 addresses. 4986 */ 4987static void 4988sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 4989 struct in6_addr *srcmask) 4990{ 4991 struct ifnet *ifp = &sp->pp_if; 4992 struct ifaddr *ifa; 4993 struct sockaddr_in6 *si, *sm; 4994 struct in6_addr ssrc, ddst; 4995 4996 sm = NULL; 4997 memset(&ssrc, 0, sizeof(ssrc)); 4998 memset(&ddst, 0, sizeof(ddst)); 4999 /* 5000 * Pick the first link-local AF_INET6 address from the list, 5001 * aliases don't make any sense on a p2p link anyway. 5002 */ 5003 si = 0; 5004 IFADDR_FOREACH(ifa, ifp) 5005 if (ifa->ifa_addr->sa_family == AF_INET6) { 5006 si = (struct sockaddr_in6 *)ifa->ifa_addr; 5007 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 5008 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) 5009 break; 5010 } 5011 if (ifa) { 5012 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 5013 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 5014 if (srcmask) { 5015 memcpy(srcmask, &sm->sin6_addr, 5016 sizeof(*srcmask)); 5017 } 5018 } 5019 5020 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 5021 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 5022 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 5023 } 5024 5025 if (dst) 5026 memcpy(dst, &ddst, sizeof(*dst)); 5027 if (src) 5028 memcpy(src, &ssrc, sizeof(*src)); 5029} 5030 5031#ifdef IPV6CP_MYIFID_DYN 5032/* 5033 * Generate random ifid. 5034 */ 5035static void 5036sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5037{ 5038 /* TBD */ 5039} 5040 5041/* 5042 * Set my IPv6 address. Must be called at splnet. 5043 */ 5044static void 5045sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5046{ 5047 STDDCL; 5048 struct ifaddr *ifa; 5049 struct sockaddr_in6 *sin6; 5050 5051 /* 5052 * Pick the first link-local AF_INET6 address from the list, 5053 * aliases don't make any sense on a p2p link anyway. 5054 */ 5055 5056 sin6 = NULL; 5057 IFADDR_FOREACH(ifa, ifp) 5058 { 5059 if (ifa->ifa_addr->sa_family == AF_INET6) 5060 { 5061 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5062 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 5063 break; 5064 } 5065 } 5066 5067 if (ifa && sin6) 5068 { 5069 int error; 5070 struct sockaddr_in6 new_sin6 = *sin6; 5071 5072 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 5073 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5074 if (debug && error) 5075 { 5076 log(LOG_DEBUG, "%s: sppp_set_ip6_addr: in6_ifinit " 5077 " failed, error=%d\n", ifp->if_xname, error); 5078 } 5079#ifdef PFIL_HOOKS 5080 if (!error) 5081 (void)pfil_run_hooks(&if_pfil, 5082 (struct mbuf **)SIOCAIFADDR_IN6, ifp, PFIL_IFADDR); 5083#endif 5084 } 5085} 5086#endif 5087 5088/* 5089 * Suggest a candidate address to be used by peer. 5090 */ 5091static void 5092sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5093{ 5094 struct in6_addr myaddr; 5095 struct timeval tv; 5096 5097 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5098 5099 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5100 microtime(&tv); 5101 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5102 myaddr.s6_addr[14] ^= 0xff; 5103 myaddr.s6_addr[15] ^= 0xff; 5104 } else { 5105 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5106 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5107 } 5108 if (suggest) 5109 memcpy(suggest, &myaddr, sizeof(myaddr)); 5110} 5111#endif /*INET6*/ 5112 5113/* 5114 * Process ioctl requests specific to the PPP interface. 5115 * Permissions have already been checked. 5116 */ 5117static int 5118sppp_params(struct sppp *sp, u_long cmd, void *data) 5119{ 5120 switch (cmd) { 5121 case SPPPGETAUTHCFG: 5122 { 5123 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5124 int error; 5125 size_t len; 5126 5127 cfg->myauthflags = sp->myauth.flags; 5128 cfg->hisauthflags = sp->hisauth.flags; 5129 strncpy(cfg->ifname, sp->pp_if.if_xname, IFNAMSIZ); 5130 cfg->hisauth = 0; 5131 if (sp->hisauth.proto) 5132 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5133 cfg->myauth = 0; 5134 if (sp->myauth.proto) 5135 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5136 if (cfg->myname_length == 0) { 5137 if (sp->myauth.name != NULL) 5138 cfg->myname_length = sp->myauth.name_len + 1; 5139 } else { 5140 if (sp->myauth.name == NULL) { 5141 cfg->myname_length = 0; 5142 } else { 5143 len = sp->myauth.name_len + 1; 5144 if (cfg->myname_length < len) 5145 return (ENAMETOOLONG); 5146 error = copyout(sp->myauth.name, cfg->myname, len); 5147 if (error) return error; 5148 } 5149 } 5150 if (cfg->hisname_length == 0) { 5151 if (sp->hisauth.name != NULL) 5152 cfg->hisname_length = sp->hisauth.name_len + 1; 5153 } else { 5154 if (sp->hisauth.name == NULL) { 5155 cfg->hisname_length = 0; 5156 } else { 5157 len = sp->hisauth.name_len + 1; 5158 if (cfg->hisname_length < len) 5159 return (ENAMETOOLONG); 5160 error = copyout(sp->hisauth.name, cfg->hisname, len); 5161 if (error) return error; 5162 } 5163 } 5164 } 5165 break; 5166 case SPPPSETAUTHCFG: 5167 { 5168 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5169 int error; 5170 5171 if (sp->myauth.name) { 5172 free(sp->myauth.name, M_DEVBUF); 5173 sp->myauth.name = NULL; 5174 } 5175 if (sp->myauth.secret) { 5176 free(sp->myauth.secret, M_DEVBUF); 5177 sp->myauth.secret = NULL; 5178 } 5179 if (sp->hisauth.name) { 5180 free(sp->hisauth.name, M_DEVBUF); 5181 sp->hisauth.name = NULL; 5182 } 5183 if (sp->hisauth.secret) { 5184 free(sp->hisauth.secret, M_DEVBUF); 5185 sp->hisauth.secret = NULL; 5186 } 5187 5188 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 5189 if (cfg->hisname_length >= MCLBYTES) 5190 return (ENAMETOOLONG); 5191 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 5192 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 5193 if (error) { 5194 free(sp->hisauth.name, M_DEVBUF); 5195 sp->hisauth.name = NULL; 5196 return error; 5197 } 5198 sp->hisauth.name_len = cfg->hisname_length - 1; 5199 sp->hisauth.name[sp->hisauth.name_len] = 0; 5200 } 5201 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 5202 if (cfg->hissecret_length >= MCLBYTES) 5203 return (ENAMETOOLONG); 5204 sp->hisauth.secret = malloc(cfg->hissecret_length, M_DEVBUF, M_WAITOK); 5205 error = copyin(cfg->hissecret, sp->hisauth.secret, cfg->hissecret_length); 5206 if (error) { 5207 free(sp->hisauth.secret, M_DEVBUF); 5208 sp->hisauth.secret = NULL; 5209 return error; 5210 } 5211 sp->hisauth.secret_len = cfg->hissecret_length - 1; 5212 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 5213 } 5214 if (cfg->myname != NULL && cfg->myname_length > 0) { 5215 if (cfg->myname_length >= MCLBYTES) 5216 return (ENAMETOOLONG); 5217 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 5218 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 5219 if (error) { 5220 free(sp->myauth.name, M_DEVBUF); 5221 sp->myauth.name = NULL; 5222 return error; 5223 } 5224 sp->myauth.name_len = cfg->myname_length - 1; 5225 sp->myauth.name[sp->myauth.name_len] = 0; 5226 } 5227 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 5228 if (cfg->mysecret_length >= MCLBYTES) 5229 return (ENAMETOOLONG); 5230 sp->myauth.secret = malloc(cfg->mysecret_length, M_DEVBUF, M_WAITOK); 5231 error = copyin(cfg->mysecret, sp->myauth.secret, cfg->mysecret_length); 5232 if (error) { 5233 free(sp->myauth.secret, M_DEVBUF); 5234 sp->myauth.secret = NULL; 5235 return error; 5236 } 5237 sp->myauth.secret_len = cfg->mysecret_length - 1; 5238 sp->myauth.secret[sp->myauth.secret_len] = 0; 5239 } 5240 sp->myauth.flags = cfg->myauthflags; 5241 if (cfg->myauth) 5242 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5243 sp->hisauth.flags = cfg->hisauthflags; 5244 if (cfg->hisauth) 5245 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5246 sp->pp_auth_failures = 0; 5247 if (sp->hisauth.proto != 0) 5248 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 5249 else 5250 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 5251 } 5252 break; 5253 case SPPPGETLCPCFG: 5254 { 5255 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5256 lcpp->lcp_timeout = sp->lcp.timeout; 5257 } 5258 break; 5259 case SPPPSETLCPCFG: 5260 { 5261 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5262 sp->lcp.timeout = lcpp->lcp_timeout; 5263 } 5264 break; 5265 case SPPPGETSTATUS: 5266 { 5267 struct spppstatus *status = (struct spppstatus *)data; 5268 status->phase = sp->pp_phase; 5269 } 5270 break; 5271 case SPPPGETSTATUSNCP: 5272 { 5273 struct spppstatusncp *status = (struct spppstatusncp *)data; 5274 status->phase = sp->pp_phase; 5275 status->ncpup = sppp_ncp_check(sp); 5276 } 5277 break; 5278 case SPPPGETIDLETO: 5279 { 5280 struct spppidletimeout *to = (struct spppidletimeout *)data; 5281 to->idle_seconds = sp->pp_idle_timeout; 5282 } 5283 break; 5284 case SPPPSETIDLETO: 5285 { 5286 struct spppidletimeout *to = (struct spppidletimeout *)data; 5287 sp->pp_idle_timeout = to->idle_seconds; 5288 } 5289 break; 5290 case SPPPSETAUTHFAILURE: 5291 { 5292 struct spppauthfailuresettings *afsettings = (struct spppauthfailuresettings *)data; 5293 sp->pp_max_auth_fail = afsettings->max_failures; 5294 sp->pp_auth_failures = 0; 5295 } 5296 break; 5297 case SPPPGETAUTHFAILURES: 5298 { 5299 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 5300 stats->auth_failures = sp->pp_auth_failures; 5301 stats->max_failures = sp->pp_max_auth_fail; 5302 } 5303 break; 5304 case SPPPSETDNSOPTS: 5305 { 5306 struct spppdnssettings *req = (struct spppdnssettings *)data; 5307 sp->query_dns = req->query_dns & 3; 5308 } 5309 break; 5310 case SPPPGETDNSOPTS: 5311 { 5312 struct spppdnssettings *req = (struct spppdnssettings *)data; 5313 req->query_dns = sp->query_dns; 5314 } 5315 break; 5316 case SPPPGETDNSADDRS: 5317 { 5318 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 5319 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 5320 } 5321 break; 5322 case SPPPGETKEEPALIVE: 5323 { 5324 struct spppkeepalivesettings *settings = 5325 (struct spppkeepalivesettings*)data; 5326 settings->maxalive = sp->pp_maxalive; 5327 settings->max_noreceive = sp->pp_max_noreceive; 5328 } 5329 break; 5330 case SPPPSETKEEPALIVE: 5331 { 5332 struct spppkeepalivesettings *settings = 5333 (struct spppkeepalivesettings*)data; 5334 sp->pp_maxalive = settings->maxalive; 5335 sp->pp_max_noreceive = settings->max_noreceive; 5336 } 5337 break; 5338#if defined(COMPAT_50) || defined(MODULAR) 5339 case __SPPPGETIDLETO50: 5340 { 5341 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5342 to->idle_seconds = (uint32_t)sp->pp_idle_timeout; 5343 } 5344 break; 5345 case __SPPPSETIDLETO50: 5346 { 5347 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5348 sp->pp_idle_timeout = (time_t)to->idle_seconds; 5349 } 5350 break; 5351 case __SPPPGETKEEPALIVE50: 5352 { 5353 struct spppkeepalivesettings50 *settings = 5354 (struct spppkeepalivesettings50*)data; 5355 settings->maxalive = sp->pp_maxalive; 5356 settings->max_noreceive = (uint32_t)sp->pp_max_noreceive; 5357 } 5358 break; 5359 case __SPPPSETKEEPALIVE50: 5360 { 5361 struct spppkeepalivesettings50 *settings = 5362 (struct spppkeepalivesettings50*)data; 5363 sp->pp_maxalive = settings->maxalive; 5364 sp->pp_max_noreceive = (time_t)settings->max_noreceive; 5365 } 5366 break; 5367#endif /* COMPAT_50 || MODULAR */ 5368 default: 5369 return (EINVAL); 5370 } 5371 5372 return (0); 5373} 5374 5375static void 5376sppp_phase_network(struct sppp *sp) 5377{ 5378 STDDCL; 5379 int i; 5380 uint32_t mask; 5381 5382 sp->pp_phase = SPPP_PHASE_NETWORK; 5383 5384 if (debug) 5385 { 5386 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 5387 sppp_phase_name(sp->pp_phase)); 5388 } 5389 5390 /* Notify NCPs now. */ 5391 for (i = 0; i < IDX_COUNT; i++) 5392 if ((cps[i])->flags & CP_NCP) 5393 (cps[i])->Open(sp); 5394 5395 /* Send Up events to all NCPs. */ 5396 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5397 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) 5398 (cps[i])->Up(sp); 5399 5400 /* if no NCP is starting, all this was in vain, close down */ 5401 sppp_lcp_check_and_close(sp); 5402} 5403 5404 5405static const char * 5406sppp_cp_type_name(u_char type) 5407{ 5408 static char buf[12]; 5409 switch (type) { 5410 case CONF_REQ: return "conf-req"; 5411 case CONF_ACK: return "conf-ack"; 5412 case CONF_NAK: return "conf-nak"; 5413 case CONF_REJ: return "conf-rej"; 5414 case TERM_REQ: return "term-req"; 5415 case TERM_ACK: return "term-ack"; 5416 case CODE_REJ: return "code-rej"; 5417 case PROTO_REJ: return "proto-rej"; 5418 case ECHO_REQ: return "echo-req"; 5419 case ECHO_REPLY: return "echo-reply"; 5420 case DISC_REQ: return "discard-req"; 5421 } 5422 snprintf(buf, sizeof(buf), "0x%x", type); 5423 return buf; 5424} 5425 5426static const char * 5427sppp_auth_type_name(u_short proto, u_char type) 5428{ 5429 static char buf[12]; 5430 switch (proto) { 5431 case PPP_CHAP: 5432 switch (type) { 5433 case CHAP_CHALLENGE: return "challenge"; 5434 case CHAP_RESPONSE: return "response"; 5435 case CHAP_SUCCESS: return "success"; 5436 case CHAP_FAILURE: return "failure"; 5437 } 5438 case PPP_PAP: 5439 switch (type) { 5440 case PAP_REQ: return "req"; 5441 case PAP_ACK: return "ack"; 5442 case PAP_NAK: return "nak"; 5443 } 5444 } 5445 snprintf(buf, sizeof(buf), "0x%x", type); 5446 return buf; 5447} 5448 5449static const char * 5450sppp_lcp_opt_name(u_char opt) 5451{ 5452 static char buf[12]; 5453 switch (opt) { 5454 case LCP_OPT_MRU: return "mru"; 5455 case LCP_OPT_ASYNC_MAP: return "async-map"; 5456 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 5457 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 5458 case LCP_OPT_MAGIC: return "magic"; 5459 case LCP_OPT_PROTO_COMP: return "proto-comp"; 5460 case LCP_OPT_ADDR_COMP: return "addr-comp"; 5461 } 5462 snprintf(buf, sizeof(buf), "0x%x", opt); 5463 return buf; 5464} 5465 5466static const char * 5467sppp_ipcp_opt_name(u_char opt) 5468{ 5469 static char buf[12]; 5470 switch (opt) { 5471 case IPCP_OPT_ADDRESSES: return "addresses"; 5472 case IPCP_OPT_COMPRESSION: return "compression"; 5473 case IPCP_OPT_ADDRESS: return "address"; 5474 } 5475 snprintf(buf, sizeof(buf), "0x%x", opt); 5476 return buf; 5477} 5478 5479#ifdef INET6 5480static const char * 5481sppp_ipv6cp_opt_name(u_char opt) 5482{ 5483 static char buf[12]; 5484 switch (opt) { 5485 case IPV6CP_OPT_IFID: return "ifid"; 5486 case IPV6CP_OPT_COMPRESSION: return "compression"; 5487 } 5488 snprintf(buf, sizeof(buf), "0x%x", opt); 5489 return buf; 5490} 5491#endif 5492 5493static const char * 5494sppp_state_name(int state) 5495{ 5496 switch (state) { 5497 case STATE_INITIAL: return "initial"; 5498 case STATE_STARTING: return "starting"; 5499 case STATE_CLOSED: return "closed"; 5500 case STATE_STOPPED: return "stopped"; 5501 case STATE_CLOSING: return "closing"; 5502 case STATE_STOPPING: return "stopping"; 5503 case STATE_REQ_SENT: return "req-sent"; 5504 case STATE_ACK_RCVD: return "ack-rcvd"; 5505 case STATE_ACK_SENT: return "ack-sent"; 5506 case STATE_OPENED: return "opened"; 5507 } 5508 return "illegal"; 5509} 5510 5511static const char * 5512sppp_phase_name(int phase) 5513{ 5514 switch (phase) { 5515 case SPPP_PHASE_DEAD: return "dead"; 5516 case SPPP_PHASE_ESTABLISH: return "establish"; 5517 case SPPP_PHASE_TERMINATE: return "terminate"; 5518 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 5519 case SPPP_PHASE_NETWORK: return "network"; 5520 } 5521 return "illegal"; 5522} 5523 5524static const char * 5525sppp_proto_name(u_short proto) 5526{ 5527 static char buf[12]; 5528 switch (proto) { 5529 case PPP_LCP: return "lcp"; 5530 case PPP_IPCP: return "ipcp"; 5531 case PPP_PAP: return "pap"; 5532 case PPP_CHAP: return "chap"; 5533 case PPP_IPV6CP: return "ipv6cp"; 5534 } 5535 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto); 5536 return buf; 5537} 5538 5539static void 5540sppp_print_bytes(const u_char *p, u_short len) 5541{ 5542 addlog(" %02x", *p++); 5543 while (--len > 0) 5544 addlog("-%02x", *p++); 5545} 5546 5547static void 5548sppp_print_string(const char *p, u_short len) 5549{ 5550 u_char c; 5551 5552 while (len-- > 0) { 5553 c = *p++; 5554 /* 5555 * Print only ASCII chars directly. RFC 1994 recommends 5556 * using only them, but we don't rely on it. */ 5557 if (c < ' ' || c > '~') 5558 addlog("\\x%x", c); 5559 else 5560 addlog("%c", c); 5561 } 5562} 5563 5564static const char * 5565sppp_dotted_quad(uint32_t addr) 5566{ 5567 static char s[16]; 5568 snprintf(s, sizeof(s), "%d.%d.%d.%d", 5569 (int)((addr >> 24) & 0xff), 5570 (int)((addr >> 16) & 0xff), 5571 (int)((addr >> 8) & 0xff), 5572 (int)(addr & 0xff)); 5573 return s; 5574} 5575 5576/* a dummy, used to drop uninteresting events */ 5577static void 5578sppp_null(struct sppp *unused) 5579{ 5580 /* do just nothing */ 5581} 5582/* 5583 * This file is large. Tell emacs to highlight it nevertheless. 5584 * 5585 * Local Variables: 5586 * hilit-auto-highlight-maxout: 120000 5587 * End: 5588 */ 5589