The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/net/if_spppsubr.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*
    2  * Synchronous PPP/Cisco/Frame Relay link level subroutines.
    3  * Keepalive protocol implemented in both Cisco and PPP modes.
    4  */
    5 /*-
    6  * Copyright (C) 1994-2000 Cronyx Engineering.
    7  * Author: Serge Vakulenko, <vak@cronyx.ru>
    8  *
    9  * Heavily revamped to conform to RFC 1661.
   10  * Copyright (C) 1997, 2001 Joerg Wunsch.
   11  *
   12  * This software is distributed with NO WARRANTIES, not even the implied
   13  * warranties for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
   14  *
   15  * Authors grant any other persons or organisations permission to use
   16  * or modify this software as long as this message is kept with the software,
   17  * all derivative works or modified versions.
   18  *
   19  * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997
   20  *
   21  * $FreeBSD: releng/6.1/sys/net/if_spppsubr.c 161557 2006-08-23 22:06:40Z cperciva $
   22  */
   23 
   24 #include <sys/param.h>
   25 
   26 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
   27 #include "opt_inet.h"
   28 #include "opt_inet6.h"
   29 #include "opt_ipx.h"
   30 #endif
   31 
   32 #ifdef NetBSD1_3
   33 #  if NetBSD1_3 > 6
   34 #      include "opt_inet.h"
   35 #      include "opt_inet6.h"
   36 #      include "opt_iso.h"
   37 #  endif
   38 #endif
   39 
   40 #include <sys/systm.h>
   41 #include <sys/kernel.h>
   42 #include <sys/module.h>
   43 #include <sys/sockio.h>
   44 #include <sys/socket.h>
   45 #include <sys/syslog.h>
   46 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
   47 #include <sys/random.h>
   48 #endif
   49 #include <sys/malloc.h>
   50 #include <sys/mbuf.h>
   51 
   52 #if defined (__OpenBSD__)
   53 #include <sys/md5k.h>
   54 #else
   55 #include <sys/md5.h>
   56 #endif
   57 
   58 #include <net/if.h>
   59 #include <net/netisr.h>
   60 #include <net/if_types.h>
   61 #include <net/route.h>
   62 #include <netinet/in.h>
   63 #include <netinet/in_systm.h>
   64 #include <netinet/ip.h>
   65 #include <net/slcompress.h>
   66 
   67 #if defined (__NetBSD__) || defined (__OpenBSD__)
   68 #include <machine/cpu.h> /* XXX for softnet */
   69 #endif
   70 
   71 #include <machine/stdarg.h>
   72 
   73 #include <netinet/in_var.h>
   74 
   75 #ifdef INET
   76 #include <netinet/ip.h>
   77 #include <netinet/tcp.h>
   78 #endif
   79 
   80 #ifdef INET6
   81 #include <netinet6/scope6_var.h>
   82 #endif
   83 
   84 #if defined (__FreeBSD__) || defined (__OpenBSD__)
   85 # include <netinet/if_ether.h>
   86 #else
   87 # include <net/ethertypes.h>
   88 #endif
   89 
   90 #ifdef IPX
   91 #include <netipx/ipx.h>
   92 #include <netipx/ipx_if.h>
   93 #endif
   94 
   95 #include <net/if_sppp.h>
   96 
   97 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
   98 # define IOCTL_CMD_T    u_long
   99 #else
  100 # define IOCTL_CMD_T    int
  101 #endif
  102 
  103 #define MAXALIVECNT     3               /* max. alive packets */
  104 
  105 /*
  106  * Interface flags that can be set in an ifconfig command.
  107  *
  108  * Setting link0 will make the link passive, i.e. it will be marked
  109  * as being administrative openable, but won't be opened to begin
  110  * with.  Incoming calls will be answered, or subsequent calls with
  111  * -link1 will cause the administrative open of the LCP layer.
  112  *
  113  * Setting link1 will cause the link to auto-dial only as packets
  114  * arrive to be sent.
  115  *
  116  * Setting IFF_DEBUG will syslog the option negotiation and state
  117  * transitions at level kern.debug.  Note: all logs consistently look
  118  * like
  119  *
  120  *   <if-name><unit>: <proto-name> <additional info...>
  121  *
  122  * with <if-name><unit> being something like "bppp0", and <proto-name>
  123  * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc.
  124  */
  125 
  126 #define IFF_PASSIVE     IFF_LINK0       /* wait passively for connection */
  127 #define IFF_AUTO        IFF_LINK1       /* auto-dial on output */
  128 #define IFF_CISCO       IFF_LINK2       /* auto-dial on output */
  129 
  130 #define PPP_ALLSTATIONS 0xff            /* All-Stations broadcast address */
  131 #define PPP_UI          0x03            /* Unnumbered Information */
  132 #define PPP_IP          0x0021          /* Internet Protocol */
  133 #define PPP_ISO         0x0023          /* ISO OSI Protocol */
  134 #define PPP_XNS         0x0025          /* Xerox NS Protocol */
  135 #define PPP_IPX         0x002b          /* Novell IPX Protocol */
  136 #define PPP_VJ_COMP     0x002d          /* VJ compressed TCP/IP */
  137 #define PPP_VJ_UCOMP    0x002f          /* VJ uncompressed TCP/IP */
  138 #define PPP_IPV6        0x0057          /* Internet Protocol Version 6 */
  139 #define PPP_LCP         0xc021          /* Link Control Protocol */
  140 #define PPP_PAP         0xc023          /* Password Authentication Protocol */
  141 #define PPP_CHAP        0xc223          /* Challenge-Handshake Auth Protocol */
  142 #define PPP_IPCP        0x8021          /* Internet Protocol Control Protocol */
  143 #define PPP_IPV6CP      0x8057          /* IPv6 Control Protocol */
  144 
  145 #define CONF_REQ        1               /* PPP configure request */
  146 #define CONF_ACK        2               /* PPP configure acknowledge */
  147 #define CONF_NAK        3               /* PPP configure negative ack */
  148 #define CONF_REJ        4               /* PPP configure reject */
  149 #define TERM_REQ        5               /* PPP terminate request */
  150 #define TERM_ACK        6               /* PPP terminate acknowledge */
  151 #define CODE_REJ        7               /* PPP code reject */
  152 #define PROTO_REJ       8               /* PPP protocol reject */
  153 #define ECHO_REQ        9               /* PPP echo request */
  154 #define ECHO_REPLY      10              /* PPP echo reply */
  155 #define DISC_REQ        11              /* PPP discard request */
  156 
  157 #define LCP_OPT_MRU             1       /* maximum receive unit */
  158 #define LCP_OPT_ASYNC_MAP       2       /* async control character map */
  159 #define LCP_OPT_AUTH_PROTO      3       /* authentication protocol */
  160 #define LCP_OPT_QUAL_PROTO      4       /* quality protocol */
  161 #define LCP_OPT_MAGIC           5       /* magic number */
  162 #define LCP_OPT_RESERVED        6       /* reserved */
  163 #define LCP_OPT_PROTO_COMP      7       /* protocol field compression */
  164 #define LCP_OPT_ADDR_COMP       8       /* address/control field compression */
  165 
  166 #define IPCP_OPT_ADDRESSES      1       /* both IP addresses; deprecated */
  167 #define IPCP_OPT_COMPRESSION    2       /* IP compression protocol (VJ) */
  168 #define IPCP_OPT_ADDRESS        3       /* local IP address */
  169 
  170 #define IPV6CP_OPT_IFID 1       /* interface identifier */
  171 #define IPV6CP_OPT_COMPRESSION  2       /* IPv6 compression protocol */
  172 
  173 #define IPCP_COMP_VJ            0x2d    /* Code for VJ compression */
  174 
  175 #define PAP_REQ                 1       /* PAP name/password request */
  176 #define PAP_ACK                 2       /* PAP acknowledge */
  177 #define PAP_NAK                 3       /* PAP fail */
  178 
  179 #define CHAP_CHALLENGE          1       /* CHAP challenge request */
  180 #define CHAP_RESPONSE           2       /* CHAP challenge response */
  181 #define CHAP_SUCCESS            3       /* CHAP response ok */
  182 #define CHAP_FAILURE            4       /* CHAP response failed */
  183 
  184 #define CHAP_MD5                5       /* hash algorithm - MD5 */
  185 
  186 #define CISCO_MULTICAST         0x8f    /* Cisco multicast address */
  187 #define CISCO_UNICAST           0x0f    /* Cisco unicast address */
  188 #define CISCO_KEEPALIVE         0x8035  /* Cisco keepalive protocol */
  189 #define CISCO_ADDR_REQ          0       /* Cisco address request */
  190 #define CISCO_ADDR_REPLY        1       /* Cisco address reply */
  191 #define CISCO_KEEPALIVE_REQ     2       /* Cisco keepalive request */
  192 
  193 /* states are named and numbered according to RFC 1661 */
  194 #define STATE_INITIAL   0
  195 #define STATE_STARTING  1
  196 #define STATE_CLOSED    2
  197 #define STATE_STOPPED   3
  198 #define STATE_CLOSING   4
  199 #define STATE_STOPPING  5
  200 #define STATE_REQ_SENT  6
  201 #define STATE_ACK_RCVD  7
  202 #define STATE_ACK_SENT  8
  203 #define STATE_OPENED    9
  204 
  205 MALLOC_DEFINE(M_SPPP, "sppp", "synchronous PPP interface internals");
  206 
  207 struct ppp_header {
  208         u_char address;
  209         u_char control;
  210         u_short protocol;
  211 } __packed;
  212 #define PPP_HEADER_LEN          sizeof (struct ppp_header)
  213 
  214 struct lcp_header {
  215         u_char type;
  216         u_char ident;
  217         u_short len;
  218 } __packed;
  219 #define LCP_HEADER_LEN          sizeof (struct lcp_header)
  220 
  221 struct cisco_packet {
  222         u_long type;
  223         u_long par1;
  224         u_long par2;
  225         u_short rel;
  226         u_short time0;
  227         u_short time1;
  228 } __packed;
  229 #define CISCO_PACKET_LEN        sizeof (struct cisco_packet)
  230 
  231 /*
  232  * We follow the spelling and capitalization of RFC 1661 here, to make
  233  * it easier comparing with the standard.  Please refer to this RFC in
  234  * case you can't make sense out of these abbreviation; it will also
  235  * explain the semantics related to the various events and actions.
  236  */
  237 struct cp {
  238         u_short proto;          /* PPP control protocol number */
  239         u_char protoidx;        /* index into state table in struct sppp */
  240         u_char flags;
  241 #define CP_LCP          0x01    /* this is the LCP */
  242 #define CP_AUTH         0x02    /* this is an authentication protocol */
  243 #define CP_NCP          0x04    /* this is a NCP */
  244 #define CP_QUAL         0x08    /* this is a quality reporting protocol */
  245         const char *name;       /* name of this control protocol */
  246         /* event handlers */
  247         void    (*Up)(struct sppp *sp);
  248         void    (*Down)(struct sppp *sp);
  249         void    (*Open)(struct sppp *sp);
  250         void    (*Close)(struct sppp *sp);
  251         void    (*TO)(void *sp);
  252         int     (*RCR)(struct sppp *sp, struct lcp_header *h, int len);
  253         void    (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len);
  254         void    (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len);
  255         /* actions */
  256         void    (*tlu)(struct sppp *sp);
  257         void    (*tld)(struct sppp *sp);
  258         void    (*tls)(struct sppp *sp);
  259         void    (*tlf)(struct sppp *sp);
  260         void    (*scr)(struct sppp *sp);
  261 };
  262 
  263 #if defined(__FreeBSD__) && __FreeBSD__ >= 3 && __FreeBSD_version < 501113
  264 #define SPP_FMT         "%s%d: "
  265 #define SPP_ARGS(ifp)   (ifp)->if_name, (ifp)->if_unit
  266 #else
  267 #define SPP_FMT         "%s: "
  268 #define SPP_ARGS(ifp)   (ifp)->if_xname
  269 #endif
  270 
  271 #define SPPP_LOCK(sp) \
  272                 do { \
  273                     if (!(SP2IFP(sp)->if_flags & IFF_NEEDSGIANT)) \
  274                         mtx_lock (&(sp)->mtx); \
  275                 } while (0)
  276 #define SPPP_UNLOCK(sp) \
  277                 do { \
  278                     if (!(SP2IFP(sp)->if_flags & IFF_NEEDSGIANT)) \
  279                         mtx_unlock (&(sp)->mtx); \
  280                 } while (0)
  281 
  282 #define SPPP_LOCK_ASSERT(sp) \
  283                 do { \
  284                     if (!(SP2IFP(sp)->if_flags & IFF_NEEDSGIANT)) \
  285                         mtx_assert (&(sp)->mtx, MA_OWNED); \
  286                 } while (0)
  287 #define SPPP_LOCK_OWNED(sp) \
  288                 (!(SP2IFP(sp)->if_flags & IFF_NEEDSGIANT) && \
  289                  mtx_owned (&sp->mtx))
  290 
  291 #ifdef INET
  292 /*
  293  * The following disgusting hack gets around the problem that IP TOS
  294  * can't be set yet.  We want to put "interactive" traffic on a high
  295  * priority queue.  To decide if traffic is interactive, we check that
  296  * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control.
  297  *
  298  * XXX is this really still necessary?  - joerg -
  299  */
  300 static const u_short interactive_ports[8] = {
  301         0,      513,    0,      0,
  302         0,      21,     0,      23,
  303 };
  304 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p))
  305 #endif
  306 
  307 /* almost every function needs these */
  308 #define STDDCL                                                  \
  309         struct ifnet *ifp = SP2IFP(sp);                         \
  310         int debug = ifp->if_flags & IFF_DEBUG
  311 
  312 static int sppp_output(struct ifnet *ifp, struct mbuf *m,
  313                        struct sockaddr *dst, struct rtentry *rt);
  314 
  315 static void sppp_cisco_send(struct sppp *sp, int type, long par1, long par2);
  316 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m);
  317 
  318 static void sppp_cp_input(const struct cp *cp, struct sppp *sp,
  319                           struct mbuf *m);
  320 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type,
  321                          u_char ident, u_short len, void *data);
  322 /* static void sppp_cp_timeout(void *arg); */
  323 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp,
  324                                  int newstate);
  325 static void sppp_auth_send(const struct cp *cp,
  326                            struct sppp *sp, unsigned int type, unsigned int id,
  327                            ...);
  328 
  329 static void sppp_up_event(const struct cp *cp, struct sppp *sp);
  330 static void sppp_down_event(const struct cp *cp, struct sppp *sp);
  331 static void sppp_open_event(const struct cp *cp, struct sppp *sp);
  332 static void sppp_close_event(const struct cp *cp, struct sppp *sp);
  333 static void sppp_to_event(const struct cp *cp, struct sppp *sp);
  334 
  335 static void sppp_null(struct sppp *sp);
  336 
  337 static void sppp_pp_up(struct sppp *sp);
  338 static void sppp_pp_down(struct sppp *sp);
  339 
  340 static void sppp_lcp_init(struct sppp *sp);
  341 static void sppp_lcp_up(struct sppp *sp);
  342 static void sppp_lcp_down(struct sppp *sp);
  343 static void sppp_lcp_open(struct sppp *sp);
  344 static void sppp_lcp_close(struct sppp *sp);
  345 static void sppp_lcp_TO(void *sp);
  346 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len);
  347 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len);
  348 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len);
  349 static void sppp_lcp_tlu(struct sppp *sp);
  350 static void sppp_lcp_tld(struct sppp *sp);
  351 static void sppp_lcp_tls(struct sppp *sp);
  352 static void sppp_lcp_tlf(struct sppp *sp);
  353 static void sppp_lcp_scr(struct sppp *sp);
  354 static void sppp_lcp_check_and_close(struct sppp *sp);
  355 static int sppp_ncp_check(struct sppp *sp);
  356 
  357 static void sppp_ipcp_init(struct sppp *sp);
  358 static void sppp_ipcp_up(struct sppp *sp);
  359 static void sppp_ipcp_down(struct sppp *sp);
  360 static void sppp_ipcp_open(struct sppp *sp);
  361 static void sppp_ipcp_close(struct sppp *sp);
  362 static void sppp_ipcp_TO(void *sp);
  363 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len);
  364 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len);
  365 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len);
  366 static void sppp_ipcp_tlu(struct sppp *sp);
  367 static void sppp_ipcp_tld(struct sppp *sp);
  368 static void sppp_ipcp_tls(struct sppp *sp);
  369 static void sppp_ipcp_tlf(struct sppp *sp);
  370 static void sppp_ipcp_scr(struct sppp *sp);
  371 
  372 static void sppp_ipv6cp_init(struct sppp *sp);
  373 static void sppp_ipv6cp_up(struct sppp *sp);
  374 static void sppp_ipv6cp_down(struct sppp *sp);
  375 static void sppp_ipv6cp_open(struct sppp *sp);
  376 static void sppp_ipv6cp_close(struct sppp *sp);
  377 static void sppp_ipv6cp_TO(void *sp);
  378 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len);
  379 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len);
  380 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len);
  381 static void sppp_ipv6cp_tlu(struct sppp *sp);
  382 static void sppp_ipv6cp_tld(struct sppp *sp);
  383 static void sppp_ipv6cp_tls(struct sppp *sp);
  384 static void sppp_ipv6cp_tlf(struct sppp *sp);
  385 static void sppp_ipv6cp_scr(struct sppp *sp);
  386 
  387 static void sppp_pap_input(struct sppp *sp, struct mbuf *m);
  388 static void sppp_pap_init(struct sppp *sp);
  389 static void sppp_pap_open(struct sppp *sp);
  390 static void sppp_pap_close(struct sppp *sp);
  391 static void sppp_pap_TO(void *sp);
  392 static void sppp_pap_my_TO(void *sp);
  393 static void sppp_pap_tlu(struct sppp *sp);
  394 static void sppp_pap_tld(struct sppp *sp);
  395 static void sppp_pap_scr(struct sppp *sp);
  396 
  397 static void sppp_chap_input(struct sppp *sp, struct mbuf *m);
  398 static void sppp_chap_init(struct sppp *sp);
  399 static void sppp_chap_open(struct sppp *sp);
  400 static void sppp_chap_close(struct sppp *sp);
  401 static void sppp_chap_TO(void *sp);
  402 static void sppp_chap_tlu(struct sppp *sp);
  403 static void sppp_chap_tld(struct sppp *sp);
  404 static void sppp_chap_scr(struct sppp *sp);
  405 
  406 static const char *sppp_auth_type_name(u_short proto, u_char type);
  407 static const char *sppp_cp_type_name(u_char type);
  408 static const char *sppp_dotted_quad(u_long addr);
  409 static const char *sppp_ipcp_opt_name(u_char opt);
  410 #ifdef INET6
  411 static const char *sppp_ipv6cp_opt_name(u_char opt);
  412 #endif
  413 static const char *sppp_lcp_opt_name(u_char opt);
  414 static const char *sppp_phase_name(enum ppp_phase phase);
  415 static const char *sppp_proto_name(u_short proto);
  416 static const char *sppp_state_name(int state);
  417 static int sppp_params(struct sppp *sp, u_long cmd, void *data);
  418 static int sppp_strnlen(u_char *p, int max);
  419 static void sppp_keepalive(void *dummy);
  420 static void sppp_phase_network(struct sppp *sp);
  421 static void sppp_print_bytes(const u_char *p, u_short len);
  422 static void sppp_print_string(const char *p, u_short len);
  423 static void sppp_qflush(struct ifqueue *ifq);
  424 static void sppp_set_ip_addr(struct sppp *sp, u_long src);
  425 #ifdef INET6
  426 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src,
  427                                struct in6_addr *dst, struct in6_addr *srcmask);
  428 #ifdef IPV6CP_MYIFID_DYN
  429 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src);
  430 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src);
  431 #endif
  432 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src);
  433 #endif
  434 
  435 /* if_start () wrapper */
  436 static void sppp_ifstart (struct ifnet *ifp);
  437 
  438 /* our control protocol descriptors */
  439 static const struct cp lcp = {
  440         PPP_LCP, IDX_LCP, CP_LCP, "lcp",
  441         sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close,
  442         sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak,
  443         sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf,
  444         sppp_lcp_scr
  445 };
  446 
  447 static const struct cp ipcp = {
  448         PPP_IPCP, IDX_IPCP,
  449 #ifdef INET     /* don't run IPCP if there's no IPv4 support */
  450         CP_NCP,
  451 #else
  452         0,
  453 #endif
  454         "ipcp",
  455         sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close,
  456         sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak,
  457         sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf,
  458         sppp_ipcp_scr
  459 };
  460 
  461 static const struct cp ipv6cp = {
  462         PPP_IPV6CP, IDX_IPV6CP,
  463 #ifdef INET6    /*don't run IPv6CP if there's no IPv6 support*/
  464         CP_NCP,
  465 #else
  466         0,
  467 #endif
  468         "ipv6cp",
  469         sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close,
  470         sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak,
  471         sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf,
  472         sppp_ipv6cp_scr
  473 };
  474 
  475 static const struct cp pap = {
  476         PPP_PAP, IDX_PAP, CP_AUTH, "pap",
  477         sppp_null, sppp_null, sppp_pap_open, sppp_pap_close,
  478         sppp_pap_TO, 0, 0, 0,
  479         sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null,
  480         sppp_pap_scr
  481 };
  482 
  483 static const struct cp chap = {
  484         PPP_CHAP, IDX_CHAP, CP_AUTH, "chap",
  485         sppp_null, sppp_null, sppp_chap_open, sppp_chap_close,
  486         sppp_chap_TO, 0, 0, 0,
  487         sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null,
  488         sppp_chap_scr
  489 };
  490 
  491 static const struct cp *cps[IDX_COUNT] = {
  492         &lcp,                   /* IDX_LCP */
  493         &ipcp,                  /* IDX_IPCP */
  494         &ipv6cp,                /* IDX_IPV6CP */
  495         &pap,                   /* IDX_PAP */
  496         &chap,                  /* IDX_CHAP */
  497 };
  498 
  499 static void*
  500 sppp_alloc(u_char type, struct ifnet *ifp)
  501 {
  502         struct sppp     *sp;
  503 
  504         sp = malloc(sizeof(struct sppp), M_SPPP, M_WAITOK | M_ZERO);
  505         sp->pp_ifp = ifp;
  506 
  507         return (sp);
  508 }
  509 
  510 static void
  511 sppp_free(void *com, u_char type)
  512 {
  513 
  514         free(com, M_SPPP);
  515 }
  516 
  517 static int
  518 sppp_modevent(module_t mod, int type, void *unused)
  519 {
  520         switch (type) {
  521         case MOD_LOAD:
  522                 /*
  523                  * XXX: should probably be IFT_SPPP, but it's fairly
  524                  * harmless to allocate struct sppp's for non-sppp
  525                  * interfaces.
  526                  */
  527 
  528                 if_register_com_alloc(IFT_PPP, sppp_alloc, sppp_free);
  529                 break;
  530         case MOD_UNLOAD:
  531                 /* if_deregister_com_alloc(IFT_PPP); */
  532                 return EACCES;
  533         default:
  534                 return EOPNOTSUPP;
  535         }
  536         return 0;
  537 }
  538 static moduledata_t spppmod = {
  539         "sppp",
  540         sppp_modevent,
  541         0
  542 };
  543 MODULE_VERSION(sppp, 1);
  544 DECLARE_MODULE(sppp, spppmod, SI_SUB_DRIVERS, SI_ORDER_ANY);
  545 
  546 /*
  547  * Exported functions, comprising our interface to the lower layer.
  548  */
  549 
  550 /*
  551  * Process the received packet.
  552  */
  553 void
  554 sppp_input(struct ifnet *ifp, struct mbuf *m)
  555 {
  556         struct ppp_header *h;
  557         int isr = -1;
  558         struct sppp *sp = IFP2SP(ifp);
  559         u_char *iphdr;
  560         int hlen, vjlen, do_account = 0;
  561         int debug;
  562 
  563         SPPP_LOCK(sp);
  564         debug = ifp->if_flags & IFF_DEBUG;
  565 
  566         if (ifp->if_flags & IFF_UP)
  567                 /* Count received bytes, add FCS and one flag */
  568                 ifp->if_ibytes += m->m_pkthdr.len + 3;
  569 
  570         if (m->m_pkthdr.len <= PPP_HEADER_LEN) {
  571                 /* Too small packet, drop it. */
  572                 if (debug)
  573                         log(LOG_DEBUG,
  574                             SPP_FMT "input packet is too small, %d bytes\n",
  575                             SPP_ARGS(ifp), m->m_pkthdr.len);
  576           drop:
  577                 m_freem (m);
  578                 SPPP_UNLOCK(sp);
  579           drop2:
  580                 ++ifp->if_ierrors;
  581                 ++ifp->if_iqdrops;
  582                 return;
  583         }
  584 
  585         if (sp->pp_mode == PP_FR) {
  586                 sppp_fr_input (sp, m);
  587                 SPPP_UNLOCK(sp);
  588                 return;
  589         }
  590 
  591         /* Get PPP header. */
  592         h = mtod (m, struct ppp_header*);
  593         m_adj (m, PPP_HEADER_LEN);
  594 
  595         switch (h->address) {
  596         case PPP_ALLSTATIONS:
  597                 if (h->control != PPP_UI)
  598                         goto invalid;
  599                 if (sp->pp_mode == IFF_CISCO) {
  600                         if (debug)
  601                                 log(LOG_DEBUG,
  602                                     SPP_FMT "PPP packet in Cisco mode "
  603                                     "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
  604                                     SPP_ARGS(ifp),
  605                                     h->address, h->control, ntohs(h->protocol));
  606                         goto drop;
  607                 }
  608                 switch (ntohs (h->protocol)) {
  609                 default:
  610                         if (debug)
  611                                 log(LOG_DEBUG,
  612                                     SPP_FMT "rejecting protocol "
  613                                     "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
  614                                     SPP_ARGS(ifp),
  615                                     h->address, h->control, ntohs(h->protocol));
  616                         if (sp->state[IDX_LCP] == STATE_OPENED)
  617                                 sppp_cp_send (sp, PPP_LCP, PROTO_REJ,
  618                                         ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2,
  619                                         &h->protocol);
  620                         ++ifp->if_noproto;
  621                         goto drop;
  622                 case PPP_LCP:
  623                         sppp_cp_input(&lcp, sp, m);
  624                         m_freem (m);
  625                         SPPP_UNLOCK(sp);
  626                         return;
  627                 case PPP_PAP:
  628                         if (sp->pp_phase >= PHASE_AUTHENTICATE)
  629                                 sppp_pap_input(sp, m);
  630                         m_freem (m);
  631                         SPPP_UNLOCK(sp);
  632                         return;
  633                 case PPP_CHAP:
  634                         if (sp->pp_phase >= PHASE_AUTHENTICATE)
  635                                 sppp_chap_input(sp, m);
  636                         m_freem (m);
  637                         SPPP_UNLOCK(sp);
  638                         return;
  639 #ifdef INET
  640                 case PPP_IPCP:
  641                         if (sp->pp_phase == PHASE_NETWORK)
  642                                 sppp_cp_input(&ipcp, sp, m);
  643                         m_freem (m);
  644                         SPPP_UNLOCK(sp);
  645                         return;
  646                 case PPP_IP:
  647                         if (sp->state[IDX_IPCP] == STATE_OPENED) {
  648                                 isr = NETISR_IP;
  649                         }
  650                         do_account++;
  651                         break;
  652                 case PPP_VJ_COMP:
  653                         if (sp->state[IDX_IPCP] == STATE_OPENED) {
  654                                 if ((vjlen =
  655                                      sl_uncompress_tcp_core(mtod(m, u_char *),
  656                                                             m->m_len, m->m_len,
  657                                                             TYPE_COMPRESSED_TCP,
  658                                                             sp->pp_comp,
  659                                                             &iphdr, &hlen)) <= 0) {
  660                                         if (debug)
  661                                                 log(LOG_INFO,
  662                             SPP_FMT "VJ uncompress failed on compressed packet\n",
  663                                                     SPP_ARGS(ifp));
  664                                         goto drop;
  665                                 }
  666 
  667                                 /*
  668                                  * Trim the VJ header off the packet, and prepend
  669                                  * the uncompressed IP header (which will usually
  670                                  * end up in two chained mbufs since there's not
  671                                  * enough leading space in the existing mbuf).
  672                                  */
  673                                 m_adj(m, vjlen);
  674                                 M_PREPEND(m, hlen, M_DONTWAIT);
  675                                 if (m == NULL) {
  676                                         SPPP_UNLOCK(sp);
  677                                         goto drop2;
  678                                 }
  679                                 bcopy(iphdr, mtod(m, u_char *), hlen);
  680                                 isr = NETISR_IP;
  681                         }
  682                         do_account++;
  683                         break;
  684                 case PPP_VJ_UCOMP:
  685                         if (sp->state[IDX_IPCP] == STATE_OPENED) {
  686                                 if (sl_uncompress_tcp_core(mtod(m, u_char *),
  687                                                            m->m_len, m->m_len,
  688                                                            TYPE_UNCOMPRESSED_TCP,
  689                                                            sp->pp_comp,
  690                                                            &iphdr, &hlen) != 0) {
  691                                         if (debug)
  692                                                 log(LOG_INFO,
  693                             SPP_FMT "VJ uncompress failed on uncompressed packet\n",
  694                                                     SPP_ARGS(ifp));
  695                                         goto drop;
  696                                 }
  697                                 isr = NETISR_IP;
  698                         }
  699                         do_account++;
  700                         break;
  701 #endif
  702 #ifdef INET6
  703                 case PPP_IPV6CP:
  704                         if (sp->pp_phase == PHASE_NETWORK)
  705                             sppp_cp_input(&ipv6cp, sp, m);
  706                         m_freem (m);
  707                         SPPP_UNLOCK(sp);
  708                         return;
  709 
  710                 case PPP_IPV6:
  711                         if (sp->state[IDX_IPV6CP] == STATE_OPENED)
  712                                 isr = NETISR_IPV6;
  713                         do_account++;
  714                         break;
  715 #endif
  716 #ifdef IPX
  717                 case PPP_IPX:
  718                         /* IPX IPXCP not implemented yet */
  719                         if (sp->pp_phase == PHASE_NETWORK)
  720                                 isr = NETISR_IPX;
  721                         do_account++;
  722                         break;
  723 #endif
  724                 }
  725                 break;
  726         case CISCO_MULTICAST:
  727         case CISCO_UNICAST:
  728                 /* Don't check the control field here (RFC 1547). */
  729                 if (sp->pp_mode != IFF_CISCO) {
  730                         if (debug)
  731                                 log(LOG_DEBUG,
  732                                     SPP_FMT "Cisco packet in PPP mode "
  733                                     "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
  734                                     SPP_ARGS(ifp),
  735                                     h->address, h->control, ntohs(h->protocol));
  736                         goto drop;
  737                 }
  738                 switch (ntohs (h->protocol)) {
  739                 default:
  740                         ++ifp->if_noproto;
  741                         goto invalid;
  742                 case CISCO_KEEPALIVE:
  743                         sppp_cisco_input (sp, m);
  744                         m_freem (m);
  745                         SPPP_UNLOCK(sp);
  746                         return;
  747 #ifdef INET
  748                 case ETHERTYPE_IP:
  749                         isr = NETISR_IP;
  750                         do_account++;
  751                         break;
  752 #endif
  753 #ifdef INET6
  754                 case ETHERTYPE_IPV6:
  755                         isr = NETISR_IPV6;
  756                         do_account++;
  757                         break;
  758 #endif
  759 #ifdef IPX
  760                 case ETHERTYPE_IPX:
  761                         isr = NETISR_IPX;
  762                         do_account++;
  763                         break;
  764 #endif
  765                 }
  766                 break;
  767         default:        /* Invalid PPP packet. */
  768           invalid:
  769                 if (debug)
  770                         log(LOG_DEBUG,
  771                             SPP_FMT "invalid input packet "
  772                             "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
  773                             SPP_ARGS(ifp),
  774                             h->address, h->control, ntohs(h->protocol));
  775                 goto drop;
  776         }
  777 
  778         if (! (ifp->if_flags & IFF_UP) || isr == -1)
  779                 goto drop;
  780 
  781         SPPP_UNLOCK(sp);
  782         /* Check queue. */
  783         if (netisr_queue(isr, m)) {     /* (0) on success. */
  784                 if (debug)
  785                         log(LOG_DEBUG, SPP_FMT "protocol queue overflow\n",
  786                                 SPP_ARGS(ifp));
  787                 goto drop2;
  788         }
  789 
  790         if (do_account)
  791                 /*
  792                  * Do only account for network packets, not for control
  793                  * packets.  This is used by some subsystems to detect
  794                  * idle lines.
  795                  */
  796                 sp->pp_last_recv = time_second;
  797 }
  798 
  799 static void
  800 sppp_ifstart_sched(void *dummy)
  801 {
  802         struct sppp *sp = dummy;
  803         
  804         sp->if_start(SP2IFP(sp));
  805 }
  806 
  807 /* if_start () wrapper function. We use it to schedule real if_start () for
  808  * execution. We can't call it directly
  809  */
  810 static void
  811 sppp_ifstart(struct ifnet *ifp)
  812 {
  813         struct sppp *sp = IFP2SP(ifp);
  814 
  815         if (SPPP_LOCK_OWNED(sp)) {
  816                 if (callout_pending(&sp->ifstart_callout))
  817                         return;
  818                 callout_reset(&sp->ifstart_callout, 1, sppp_ifstart_sched,
  819                     (void *)sp); 
  820         } else {
  821                 sp->if_start(ifp);
  822         }
  823 }
  824 
  825 /*
  826  * Enqueue transmit packet.
  827  */
  828 static int
  829 sppp_output(struct ifnet *ifp, struct mbuf *m,
  830             struct sockaddr *dst, struct rtentry *rt)
  831 {
  832         struct sppp *sp = IFP2SP(ifp);
  833         struct ppp_header *h;
  834         struct ifqueue *ifq = NULL;
  835         int s, error, rv = 0;
  836         int ipproto = PPP_IP;
  837         int debug = ifp->if_flags & IFF_DEBUG;
  838 
  839         s = splimp();
  840         SPPP_LOCK(sp);
  841 
  842         if (!(ifp->if_flags & IFF_UP) ||
  843             (!(ifp->if_flags & IFF_AUTO) &&
  844             !(ifp->if_drv_flags & IFF_DRV_RUNNING))) {
  845 #ifdef INET6
  846           drop:
  847 #endif
  848                 m_freem (m);
  849                 SPPP_UNLOCK(sp);
  850                 splx (s);
  851                 return (ENETDOWN);
  852         }
  853 
  854         if ((ifp->if_flags & IFF_AUTO) &&
  855             !(ifp->if_drv_flags & IFF_DRV_RUNNING)) {
  856 #ifdef INET6
  857                 /*
  858                  * XXX
  859                  *
  860                  * Hack to prevent the initialization-time generated
  861                  * IPv6 multicast packet to erroneously cause a
  862                  * dialout event in case IPv6 has been
  863                  * administratively disabled on that interface.
  864                  */
  865                 if (dst->sa_family == AF_INET6 &&
  866                     !(sp->confflags & CONF_ENABLE_IPV6))
  867                         goto drop;
  868 #endif
  869                 /*
  870                  * Interface is not yet running, but auto-dial.  Need
  871                  * to start LCP for it.
  872                  */
  873                 ifp->if_drv_flags |= IFF_DRV_RUNNING;
  874                 splx(s);
  875                 lcp.Open(sp);
  876                 s = splimp();
  877         }
  878 
  879 #ifdef INET
  880         if (dst->sa_family == AF_INET) {
  881                 /* XXX Check mbuf length here? */
  882                 struct ip *ip = mtod (m, struct ip*);
  883                 struct tcphdr *tcp = (struct tcphdr*) ((long*)ip + ip->ip_hl);
  884 
  885                 /*
  886                  * When using dynamic local IP address assignment by using
  887                  * 0.0.0.0 as a local address, the first TCP session will
  888                  * not connect because the local TCP checksum is computed
  889                  * using 0.0.0.0 which will later become our real IP address
  890                  * so the TCP checksum computed at the remote end will
  891                  * become invalid. So we
  892                  * - don't let packets with src ip addr 0 thru
  893                  * - we flag TCP packets with src ip 0 as an error
  894                  */
  895 
  896                 if(ip->ip_src.s_addr == INADDR_ANY)     /* -hm */
  897                 {
  898                         m_freem(m);
  899                         SPPP_UNLOCK(sp);
  900                         splx(s);
  901                         if(ip->ip_p == IPPROTO_TCP)
  902                                 return(EADDRNOTAVAIL);
  903                         else
  904                                 return(0);
  905                 }
  906 
  907                 /*
  908                  * Put low delay, telnet, rlogin and ftp control packets
  909                  * in front of the queue or let ALTQ take care.
  910                  */
  911                 if (ALTQ_IS_ENABLED(&ifp->if_snd))
  912                         ;
  913                 else if (_IF_QFULL(&sp->pp_fastq))
  914                         ;
  915                 else if (ip->ip_tos & IPTOS_LOWDELAY)
  916                         ifq = &sp->pp_fastq;
  917                 else if (m->m_len < sizeof *ip + sizeof *tcp)
  918                         ;
  919                 else if (ip->ip_p != IPPROTO_TCP)
  920                         ;
  921                 else if (INTERACTIVE (ntohs (tcp->th_sport)))
  922                         ifq = &sp->pp_fastq;
  923                 else if (INTERACTIVE (ntohs (tcp->th_dport)))
  924                         ifq = &sp->pp_fastq;
  925 
  926                 /*
  927                  * Do IP Header compression
  928                  */
  929                 if (sp->pp_mode != IFF_CISCO && sp->pp_mode != PP_FR &&
  930                     (sp->ipcp.flags & IPCP_VJ) && ip->ip_p == IPPROTO_TCP)
  931                         switch (sl_compress_tcp(m, ip, sp->pp_comp,
  932                                                 sp->ipcp.compress_cid)) {
  933                         case TYPE_COMPRESSED_TCP:
  934                                 ipproto = PPP_VJ_COMP;
  935                                 break;
  936                         case TYPE_UNCOMPRESSED_TCP:
  937                                 ipproto = PPP_VJ_UCOMP;
  938                                 break;
  939                         case TYPE_IP:
  940                                 ipproto = PPP_IP;
  941                                 break;
  942                         default:
  943                                 m_freem(m);
  944                                 SPPP_UNLOCK(sp);
  945                                 splx(s);
  946                                 return (EINVAL);
  947                         }
  948         }
  949 #endif
  950 
  951 #ifdef INET6
  952         if (dst->sa_family == AF_INET6) {
  953                 /* XXX do something tricky here? */
  954         }
  955 #endif
  956 
  957         if (sp->pp_mode == PP_FR) {
  958                 /* Add frame relay header. */
  959                 m = sppp_fr_header (sp, m, dst->sa_family);
  960                 if (! m)
  961                         goto nobufs;
  962                 goto out;
  963         }
  964 
  965         /*
  966          * Prepend general data packet PPP header. For now, IP only.
  967          */
  968         M_PREPEND (m, PPP_HEADER_LEN, M_DONTWAIT);
  969         if (! m) {
  970 nobufs:         if (debug)
  971                         log(LOG_DEBUG, SPP_FMT "no memory for transmit header\n",
  972                                 SPP_ARGS(ifp));
  973                 ++ifp->if_oerrors;
  974                 SPPP_UNLOCK(sp);
  975                 splx (s);
  976                 return (ENOBUFS);
  977         }
  978         /*
  979          * May want to check size of packet
  980          * (albeit due to the implementation it's always enough)
  981          */
  982         h = mtod (m, struct ppp_header*);
  983         if (sp->pp_mode == IFF_CISCO) {
  984                 h->address = CISCO_UNICAST;        /* unicast address */
  985                 h->control = 0;
  986         } else {
  987                 h->address = PPP_ALLSTATIONS;        /* broadcast address */
  988                 h->control = PPP_UI;                 /* Unnumbered Info */
  989         }
  990 
  991         switch (dst->sa_family) {
  992 #ifdef INET
  993         case AF_INET:   /* Internet Protocol */
  994                 if (sp->pp_mode == IFF_CISCO)
  995                         h->protocol = htons (ETHERTYPE_IP);
  996                 else {
  997                         /*
  998                          * Don't choke with an ENETDOWN early.  It's
  999                          * possible that we just started dialing out,
 1000                          * so don't drop the packet immediately.  If
 1001                          * we notice that we run out of buffer space
 1002                          * below, we will however remember that we are
 1003                          * not ready to carry IP packets, and return
 1004                          * ENETDOWN, as opposed to ENOBUFS.
 1005                          */
 1006                         h->protocol = htons(ipproto);
 1007                         if (sp->state[IDX_IPCP] != STATE_OPENED)
 1008                                 rv = ENETDOWN;
 1009                 }
 1010                 break;
 1011 #endif
 1012 #ifdef INET6
 1013         case AF_INET6:   /* Internet Protocol */
 1014                 if (sp->pp_mode == IFF_CISCO)
 1015                         h->protocol = htons (ETHERTYPE_IPV6);
 1016                 else {
 1017                         /*
 1018                          * Don't choke with an ENETDOWN early.  It's
 1019                          * possible that we just started dialing out,
 1020                          * so don't drop the packet immediately.  If
 1021                          * we notice that we run out of buffer space
 1022                          * below, we will however remember that we are
 1023                          * not ready to carry IP packets, and return
 1024                          * ENETDOWN, as opposed to ENOBUFS.
 1025                          */
 1026                         h->protocol = htons(PPP_IPV6);
 1027                         if (sp->state[IDX_IPV6CP] != STATE_OPENED)
 1028                                 rv = ENETDOWN;
 1029                 }
 1030                 break;
 1031 #endif
 1032 #ifdef IPX
 1033         case AF_IPX:     /* Novell IPX Protocol */
 1034                 h->protocol = htons (sp->pp_mode == IFF_CISCO ?
 1035                         ETHERTYPE_IPX : PPP_IPX);
 1036                 break;
 1037 #endif
 1038         default:
 1039                 m_freem (m);
 1040                 ++ifp->if_oerrors;
 1041                 SPPP_UNLOCK(sp);
 1042                 splx (s);
 1043                 return (EAFNOSUPPORT);
 1044         }
 1045 
 1046         /*
 1047          * Queue message on interface, and start output if interface
 1048          * not yet active.
 1049          */
 1050 out:
 1051         if (ifq != NULL)
 1052                 error = !(IF_HANDOFF_ADJ(ifq, m, ifp, 3));
 1053         else
 1054                 IFQ_HANDOFF_ADJ(ifp, m, 3, error);
 1055         if (error) {
 1056                 ++ifp->if_oerrors;
 1057                 SPPP_UNLOCK(sp);
 1058                 splx (s);
 1059                 return (rv? rv: ENOBUFS);
 1060         }
 1061         SPPP_UNLOCK(sp);
 1062         splx (s);
 1063         /*
 1064          * Unlike in sppp_input(), we can always bump the timestamp
 1065          * here since sppp_output() is only called on behalf of
 1066          * network-layer traffic; control-layer traffic is handled
 1067          * by sppp_cp_send().
 1068          */
 1069         sp->pp_last_sent = time_second;
 1070         return (0);
 1071 }
 1072 
 1073 void
 1074 sppp_attach(struct ifnet *ifp)
 1075 {
 1076         struct sppp *sp = IFP2SP(ifp);
 1077 
 1078         /* Initialize mtx lock */
 1079         mtx_init(&sp->mtx, "sppp", MTX_NETWORK_LOCK, MTX_DEF | MTX_RECURSE);
 1080         
 1081         /* Initialize keepalive handler. */
 1082         callout_init(&sp->keepalive_callout,
 1083                     (ifp->if_flags & IFF_NEEDSGIANT) ? 0 : CALLOUT_MPSAFE);
 1084         callout_reset(&sp->keepalive_callout, hz * 10, sppp_keepalive,
 1085                     (void *)sp); 
 1086 
 1087         ifp->if_mtu = PP_MTU;
 1088         ifp->if_flags = IFF_POINTOPOINT | IFF_MULTICAST;
 1089         ifp->if_output = sppp_output;
 1090 #if 0
 1091         sp->pp_flags = PP_KEEPALIVE;
 1092 #endif
 1093         ifp->if_snd.ifq_maxlen = 32;
 1094         sp->pp_fastq.ifq_maxlen = 32;
 1095         sp->pp_cpq.ifq_maxlen = 20;
 1096         sp->pp_loopcnt = 0;
 1097         sp->pp_alivecnt = 0;
 1098         bzero(&sp->pp_seq[0], sizeof(sp->pp_seq));
 1099         bzero(&sp->pp_rseq[0], sizeof(sp->pp_rseq));
 1100         sp->pp_phase = PHASE_DEAD;
 1101         sp->pp_up = sppp_pp_up;
 1102         sp->pp_down = sppp_pp_down;
 1103         if(!mtx_initialized(&sp->pp_cpq.ifq_mtx))
 1104                 mtx_init(&sp->pp_cpq.ifq_mtx, "sppp_cpq", NULL, MTX_DEF);
 1105         if(!mtx_initialized(&sp->pp_fastq.ifq_mtx))
 1106                 mtx_init(&sp->pp_fastq.ifq_mtx, "sppp_fastq", NULL, MTX_DEF);
 1107         sp->pp_last_recv = sp->pp_last_sent = time_second;
 1108         sp->confflags = 0;
 1109 #ifdef INET
 1110         sp->confflags |= CONF_ENABLE_VJ;
 1111 #endif
 1112 #ifdef INET6
 1113         sp->confflags |= CONF_ENABLE_IPV6;
 1114 #endif
 1115         callout_init(&sp->ifstart_callout,
 1116                     (ifp->if_flags & IFF_NEEDSGIANT) ? 0 : CALLOUT_MPSAFE);
 1117         sp->if_start = ifp->if_start;
 1118         ifp->if_start = sppp_ifstart;
 1119         sp->pp_comp = malloc(sizeof(struct slcompress), M_TEMP, M_WAITOK);
 1120         sl_compress_init(sp->pp_comp, -1);
 1121         sppp_lcp_init(sp);
 1122         sppp_ipcp_init(sp);
 1123         sppp_ipv6cp_init(sp);
 1124         sppp_pap_init(sp);
 1125         sppp_chap_init(sp);
 1126 }
 1127 
 1128 void
 1129 sppp_detach(struct ifnet *ifp)
 1130 {
 1131         struct sppp *sp = IFP2SP(ifp);
 1132         int i;
 1133 
 1134         KASSERT(mtx_initialized(&sp->mtx), ("sppp mutex is not initialized"));
 1135 
 1136         /* Stop keepalive handler. */
 1137         if (!callout_drain(&sp->keepalive_callout))
 1138                 callout_stop(&sp->keepalive_callout);
 1139 
 1140         for (i = 0; i < IDX_COUNT; i++) {
 1141                 if (!callout_drain(&sp->ch[i]))
 1142                         callout_stop(&sp->ch[i]);
 1143         }
 1144         if (!callout_drain(&sp->pap_my_to_ch))
 1145                 callout_stop(&sp->pap_my_to_ch);
 1146         mtx_destroy(&sp->pp_cpq.ifq_mtx);
 1147         mtx_destroy(&sp->pp_fastq.ifq_mtx);
 1148         mtx_destroy(&sp->mtx);
 1149 }
 1150 
 1151 /*
 1152  * Flush the interface output queue.
 1153  */
 1154 static void
 1155 sppp_flush_unlocked(struct ifnet *ifp)
 1156 {
 1157         struct sppp *sp = IFP2SP(ifp);
 1158 
 1159         sppp_qflush ((struct ifqueue *)&SP2IFP(sp)->if_snd);
 1160         sppp_qflush (&sp->pp_fastq);
 1161         sppp_qflush (&sp->pp_cpq);
 1162 }
 1163 
 1164 void
 1165 sppp_flush(struct ifnet *ifp)
 1166 {
 1167         struct sppp *sp = IFP2SP(ifp);
 1168 
 1169         SPPP_LOCK(sp);
 1170         sppp_flush_unlocked (ifp);
 1171         SPPP_UNLOCK(sp);
 1172 }
 1173 
 1174 /*
 1175  * Check if the output queue is empty.
 1176  */
 1177 int
 1178 sppp_isempty(struct ifnet *ifp)
 1179 {
 1180         struct sppp *sp = IFP2SP(ifp);
 1181         int empty, s;
 1182 
 1183         s = splimp();
 1184         SPPP_LOCK(sp);
 1185         empty = !sp->pp_fastq.ifq_head && !sp->pp_cpq.ifq_head &&
 1186                 !SP2IFP(sp)->if_snd.ifq_head;
 1187         SPPP_UNLOCK(sp);
 1188         splx(s);
 1189         return (empty);
 1190 }
 1191 
 1192 /*
 1193  * Get next packet to send.
 1194  */
 1195 struct mbuf *
 1196 sppp_dequeue(struct ifnet *ifp)
 1197 {
 1198         struct sppp *sp = IFP2SP(ifp);
 1199         struct mbuf *m;
 1200         int s;
 1201 
 1202         s = splimp();
 1203         SPPP_LOCK(sp);
 1204         /*
 1205          * Process only the control protocol queue until we have at
 1206          * least one NCP open.
 1207          *
 1208          * Do always serve all three queues in Cisco mode.
 1209          */
 1210         IF_DEQUEUE(&sp->pp_cpq, m);
 1211         if (m == NULL &&
 1212             (sppp_ncp_check(sp) || sp->pp_mode == IFF_CISCO ||
 1213              sp->pp_mode == PP_FR)) {
 1214                 IF_DEQUEUE(&sp->pp_fastq, m);
 1215                 if (m == NULL)
 1216                         IF_DEQUEUE (&SP2IFP(sp)->if_snd, m);
 1217         }
 1218         SPPP_UNLOCK(sp);
 1219         splx(s);
 1220         return m;
 1221 }
 1222 
 1223 /*
 1224  * Pick the next packet, do not remove it from the queue.
 1225  */
 1226 struct mbuf *
 1227 sppp_pick(struct ifnet *ifp)
 1228 {
 1229         struct sppp *sp = IFP2SP(ifp);
 1230         struct mbuf *m;
 1231         int s;
 1232 
 1233         s = splimp ();
 1234         SPPP_LOCK(sp);
 1235 
 1236         m = sp->pp_cpq.ifq_head;
 1237         if (m == NULL &&
 1238             (sp->pp_phase == PHASE_NETWORK ||
 1239              sp->pp_mode == IFF_CISCO ||
 1240              sp->pp_mode == PP_FR))
 1241                 if ((m = sp->pp_fastq.ifq_head) == NULL)
 1242                         m = SP2IFP(sp)->if_snd.ifq_head;
 1243         SPPP_UNLOCK(sp);
 1244         splx (s);
 1245         return (m);
 1246 }
 1247 
 1248 /*
 1249  * Process an ioctl request.  Called on low priority level.
 1250  */
 1251 int
 1252 sppp_ioctl(struct ifnet *ifp, IOCTL_CMD_T cmd, void *data)
 1253 {
 1254         struct ifreq *ifr = (struct ifreq*) data;
 1255         struct sppp *sp = IFP2SP(ifp);
 1256         int s, rv, going_up, going_down, newmode;
 1257 
 1258         s = splimp();
 1259         SPPP_LOCK(sp);
 1260         rv = 0;
 1261         switch (cmd) {
 1262         case SIOCAIFADDR:
 1263         case SIOCSIFDSTADDR:
 1264                 break;
 1265 
 1266         case SIOCSIFADDR:
 1267                 /* set the interface "up" when assigning an IP address */
 1268                 ifp->if_flags |= IFF_UP;
 1269                 /* FALLTHROUGH */
 1270 
 1271         case SIOCSIFFLAGS:
 1272                 going_up = ifp->if_flags & IFF_UP &&
 1273                         (ifp->if_drv_flags & IFF_DRV_RUNNING) == 0;
 1274                 going_down = (ifp->if_flags & IFF_UP) == 0 &&
 1275                         ifp->if_drv_flags & IFF_DRV_RUNNING;
 1276 
 1277                 newmode = ifp->if_flags & IFF_PASSIVE;
 1278                 if (!newmode)
 1279                         newmode = ifp->if_flags & IFF_AUTO;
 1280                 if (!newmode)
 1281                         newmode = ifp->if_flags & IFF_CISCO;
 1282                 ifp->if_flags &= ~(IFF_PASSIVE | IFF_AUTO | IFF_CISCO);
 1283                 ifp->if_flags |= newmode;
 1284 
 1285                 if (!newmode)
 1286                         newmode = sp->pp_flags & PP_FR;
 1287 
 1288                 if (newmode != sp->pp_mode) {
 1289                         going_down = 1;
 1290                         if (!going_up)
 1291                                 going_up = ifp->if_drv_flags & IFF_DRV_RUNNING;
 1292                 }
 1293 
 1294                 if (going_down) {
 1295                         if (sp->pp_mode != IFF_CISCO &&
 1296                             sp->pp_mode != PP_FR)
 1297                                 lcp.Close(sp);
 1298                         else if (sp->pp_tlf)
 1299                                 (sp->pp_tlf)(sp);
 1300                         sppp_flush_unlocked(ifp);
 1301                         ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
 1302                         sp->pp_mode = newmode;
 1303                 }
 1304 
 1305                 if (going_up) {
 1306                         if (sp->pp_mode != IFF_CISCO &&
 1307                             sp->pp_mode != PP_FR)
 1308                                 lcp.Close(sp);
 1309                         sp->pp_mode = newmode;
 1310                         if (sp->pp_mode == 0) {
 1311                                 ifp->if_drv_flags |= IFF_DRV_RUNNING;
 1312                                 lcp.Open(sp);
 1313                         }
 1314                         if ((sp->pp_mode == IFF_CISCO) ||
 1315                             (sp->pp_mode == PP_FR)) {
 1316                                 if (sp->pp_tls)
 1317                                         (sp->pp_tls)(sp);
 1318                                 ifp->if_drv_flags |= IFF_DRV_RUNNING;
 1319                         }
 1320                 }
 1321 
 1322                 break;
 1323 
 1324 #ifdef SIOCSIFMTU
 1325 #ifndef ifr_mtu
 1326 #define ifr_mtu ifr_metric
 1327 #endif
 1328         case SIOCSIFMTU:
 1329                 if (ifr->ifr_mtu < 128 || ifr->ifr_mtu > sp->lcp.their_mru)
 1330                         return (EINVAL);
 1331                 ifp->if_mtu = ifr->ifr_mtu;
 1332                 break;
 1333 #endif
 1334 #ifdef SLIOCSETMTU
 1335         case SLIOCSETMTU:
 1336                 if (*(short*)data < 128 || *(short*)data > sp->lcp.their_mru)
 1337                         return (EINVAL);
 1338                 ifp->if_mtu = *(short*)data;
 1339                 break;
 1340 #endif
 1341 #ifdef SIOCGIFMTU
 1342         case SIOCGIFMTU:
 1343                 ifr->ifr_mtu = ifp->if_mtu;
 1344                 break;
 1345 #endif
 1346 #ifdef SLIOCGETMTU
 1347         case SLIOCGETMTU:
 1348                 *(short*)data = ifp->if_mtu;
 1349                 break;
 1350 #endif
 1351         case SIOCADDMULTI:
 1352         case SIOCDELMULTI:
 1353                 break;
 1354 
 1355         case SIOCGIFGENERIC:
 1356         case SIOCSIFGENERIC:
 1357                 rv = sppp_params(sp, cmd, data);
 1358                 break;
 1359 
 1360         default:
 1361                 rv = ENOTTY;
 1362         }
 1363         SPPP_UNLOCK(sp);
 1364         splx(s);
 1365         return rv;
 1366 }
 1367 
 1368 /*
 1369  * Cisco framing implementation.
 1370  */
 1371 
 1372 /*
 1373  * Handle incoming Cisco keepalive protocol packets.
 1374  */
 1375 static void
 1376 sppp_cisco_input(struct sppp *sp, struct mbuf *m)
 1377 {
 1378         STDDCL;
 1379         struct cisco_packet *h;
 1380         u_long me, mymask;
 1381 
 1382         if (m->m_pkthdr.len < CISCO_PACKET_LEN) {
 1383                 if (debug)
 1384                         log(LOG_DEBUG,
 1385                             SPP_FMT "cisco invalid packet length: %d bytes\n",
 1386                             SPP_ARGS(ifp), m->m_pkthdr.len);
 1387                 return;
 1388         }
 1389         h = mtod (m, struct cisco_packet*);
 1390         if (debug)
 1391                 log(LOG_DEBUG,
 1392                     SPP_FMT "cisco input: %d bytes "
 1393                     "<0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n",
 1394                     SPP_ARGS(ifp), m->m_pkthdr.len,
 1395                     (u_long)ntohl (h->type), (u_long)h->par1, (u_long)h->par2, (u_int)h->rel,
 1396                     (u_int)h->time0, (u_int)h->time1);
 1397         switch (ntohl (h->type)) {
 1398         default:
 1399                 if (debug)
 1400                         log(-1, SPP_FMT "cisco unknown packet type: 0x%lx\n",
 1401                                SPP_ARGS(ifp), (u_long)ntohl (h->type));
 1402                 break;
 1403         case CISCO_ADDR_REPLY:
 1404                 /* Reply on address request, ignore */
 1405                 break;
 1406         case CISCO_KEEPALIVE_REQ:
 1407                 sp->pp_alivecnt = 0;
 1408                 sp->pp_rseq[IDX_LCP] = ntohl (h->par1);
 1409                 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) {
 1410                         /* Local and remote sequence numbers are equal.
 1411                          * Probably, the line is in loopback mode. */
 1412                         if (sp->pp_loopcnt >= MAXALIVECNT) {
 1413                                 printf (SPP_FMT "loopback\n",
 1414                                         SPP_ARGS(ifp));
 1415                                 sp->pp_loopcnt = 0;
 1416                                 if (ifp->if_flags & IFF_UP) {
 1417                                         if_down (ifp);
 1418                                         sppp_qflush (&sp->pp_cpq);
 1419                                 }
 1420                         }
 1421                         ++sp->pp_loopcnt;
 1422 
 1423                         /* Generate new local sequence number */
 1424 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
 1425                         sp->pp_seq[IDX_LCP] = random();
 1426 #else
 1427                         sp->pp_seq[IDX_LCP] ^= time.tv_sec ^ time.tv_usec;
 1428 #endif
 1429                         break;
 1430                 }
 1431                 sp->pp_loopcnt = 0;
 1432                 if (! (ifp->if_flags & IFF_UP) &&
 1433                     (ifp->if_drv_flags & IFF_DRV_RUNNING)) {
 1434                         if_up(ifp);
 1435                         printf (SPP_FMT "up\n", SPP_ARGS(ifp));
 1436                 }
 1437                 break;
 1438         case CISCO_ADDR_REQ:
 1439                 sppp_get_ip_addrs(sp, &me, 0, &mymask);
 1440                 if (me != 0L)
 1441                         sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask);
 1442                 break;
 1443         }
 1444 }
 1445 
 1446 /*
 1447  * Send Cisco keepalive packet.
 1448  */
 1449 static void
 1450 sppp_cisco_send(struct sppp *sp, int type, long par1, long par2)
 1451 {
 1452         STDDCL;
 1453         struct ppp_header *h;
 1454         struct cisco_packet *ch;
 1455         struct mbuf *m;
 1456         struct timeval tv;
 1457 
 1458         getmicrouptime(&tv);
 1459 
 1460         MGETHDR (m, M_DONTWAIT, MT_DATA);
 1461         if (! m)
 1462                 return;
 1463         m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN;
 1464         m->m_pkthdr.rcvif = 0;
 1465 
 1466         h = mtod (m, struct ppp_header*);
 1467         h->address = CISCO_MULTICAST;
 1468         h->control = 0;
 1469         h->protocol = htons (CISCO_KEEPALIVE);
 1470 
 1471         ch = (struct cisco_packet*) (h + 1);
 1472         ch->type = htonl (type);
 1473         ch->par1 = htonl (par1);
 1474         ch->par2 = htonl (par2);
 1475         ch->rel = -1;
 1476 
 1477         ch->time0 = htons ((u_short) (tv.tv_sec >> 16));
 1478         ch->time1 = htons ((u_short) tv.tv_sec);
 1479 
 1480         if (debug)
 1481                 log(LOG_DEBUG,
 1482                     SPP_FMT "cisco output: <0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n",
 1483                         SPP_ARGS(ifp), (u_long)ntohl (ch->type), (u_long)ch->par1,
 1484                         (u_long)ch->par2, (u_int)ch->rel, (u_int)ch->time0, (u_int)ch->time1);
 1485 
 1486         if (! IF_HANDOFF_ADJ(&sp->pp_cpq, m, ifp, 3))
 1487                 ifp->if_oerrors++;
 1488 }
 1489 
 1490 /*
 1491  * PPP protocol implementation.
 1492  */
 1493 
 1494 /*
 1495  * Send PPP control protocol packet.
 1496  */
 1497 static void
 1498 sppp_cp_send(struct sppp *sp, u_short proto, u_char type,
 1499              u_char ident, u_short len, void *data)
 1500 {
 1501         STDDCL;
 1502         struct ppp_header *h;
 1503         struct lcp_header *lh;
 1504         struct mbuf *m;
 1505 
 1506         if (len > MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN)
 1507                 len = MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN;
 1508         MGETHDR (m, M_DONTWAIT, MT_DATA);
 1509         if (! m)
 1510                 return;
 1511         m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + LCP_HEADER_LEN + len;
 1512         m->m_pkthdr.rcvif = 0;
 1513 
 1514         h = mtod (m, struct ppp_header*);
 1515         h->address = PPP_ALLSTATIONS;        /* broadcast address */
 1516         h->control = PPP_UI;                 /* Unnumbered Info */
 1517         h->protocol = htons (proto);         /* Link Control Protocol */
 1518 
 1519         lh = (struct lcp_header*) (h + 1);
 1520         lh->type = type;
 1521         lh->ident = ident;
 1522         lh->len = htons (LCP_HEADER_LEN + len);
 1523         if (len)
 1524                 bcopy (data, lh+1, len);
 1525 
 1526         if (debug) {
 1527                 log(LOG_DEBUG, SPP_FMT "%s output <%s id=0x%x len=%d",
 1528                     SPP_ARGS(ifp),
 1529                     sppp_proto_name(proto),
 1530                     sppp_cp_type_name (lh->type), lh->ident,
 1531                     ntohs (lh->len));
 1532                 sppp_print_bytes ((u_char*) (lh+1), len);
 1533                 log(-1, ">\n");
 1534         }
 1535         if (! IF_HANDOFF_ADJ(&sp->pp_cpq, m, ifp, 3))
 1536                 ifp->if_oerrors++;
 1537 }
 1538 
 1539 /*
 1540  * Handle incoming PPP control protocol packets.
 1541  */
 1542 static void
 1543 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m)
 1544 {
 1545         STDDCL;
 1546         struct lcp_header *h;
 1547         int len = m->m_pkthdr.len;
 1548         int rv;
 1549         u_char *p;
 1550 
 1551         if (len < 4) {
 1552                 if (debug)
 1553                         log(LOG_DEBUG,
 1554                             SPP_FMT "%s invalid packet length: %d bytes\n",
 1555                             SPP_ARGS(ifp), cp->name, len);
 1556                 return;
 1557         }
 1558         h = mtod (m, struct lcp_header*);
 1559         if (debug) {
 1560                 log(LOG_DEBUG,
 1561                     SPP_FMT "%s input(%s): <%s id=0x%x len=%d",
 1562                     SPP_ARGS(ifp), cp->name,
 1563                     sppp_state_name(sp->state[cp->protoidx]),
 1564                     sppp_cp_type_name (h->type), h->ident, ntohs (h->len));
 1565                 sppp_print_bytes ((u_char*) (h+1), len-4);
 1566                 log(-1, ">\n");
 1567         }
 1568         if (len > ntohs (h->len))
 1569                 len = ntohs (h->len);
 1570         p = (u_char *)(h + 1);
 1571         switch (h->type) {
 1572         case CONF_REQ:
 1573                 if (len < 4) {
 1574                         if (debug)
 1575                                 log(-1, SPP_FMT "%s invalid conf-req length %d\n",
 1576                                        SPP_ARGS(ifp), cp->name,
 1577                                        len);
 1578                         ++ifp->if_ierrors;
 1579                         break;
 1580                 }
 1581                 /* handle states where RCR doesn't get a SCA/SCN */
 1582                 switch (sp->state[cp->protoidx]) {
 1583                 case STATE_CLOSING:
 1584                 case STATE_STOPPING:
 1585                         return;
 1586                 case STATE_CLOSED:
 1587                         sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident,
 1588                                      0, 0);
 1589                         return;
 1590                 }
 1591                 rv = (cp->RCR)(sp, h, len);
 1592                 switch (sp->state[cp->protoidx]) {
 1593                 case STATE_OPENED:
 1594                         (cp->tld)(sp);
 1595                         (cp->scr)(sp);
 1596                         /* FALLTHROUGH */
 1597                 case STATE_ACK_SENT:
 1598                 case STATE_REQ_SENT:
 1599                         /*
 1600                          * sppp_cp_change_state() have the side effect of
 1601                          * restarting the timeouts. We want to avoid that
 1602                          * if the state don't change, otherwise we won't
 1603                          * ever timeout and resend a configuration request
 1604                          * that got lost.
 1605                          */
 1606                         if (sp->state[cp->protoidx] == (rv ? STATE_ACK_SENT:
 1607                             STATE_REQ_SENT))
 1608                                 break;
 1609                         sppp_cp_change_state(cp, sp, rv?
 1610                                              STATE_ACK_SENT: STATE_REQ_SENT);
 1611                         break;
 1612                 case STATE_STOPPED:
 1613                         sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
 1614                         (cp->scr)(sp);
 1615                         sppp_cp_change_state(cp, sp, rv?
 1616                                              STATE_ACK_SENT: STATE_REQ_SENT);
 1617                         break;
 1618                 case STATE_ACK_RCVD:
 1619                         if (rv) {
 1620                                 sppp_cp_change_state(cp, sp, STATE_OPENED);
 1621                                 if (debug)
 1622                                         log(LOG_DEBUG, SPP_FMT "%s tlu\n",
 1623                                             SPP_ARGS(ifp),
 1624                                             cp->name);
 1625                                 (cp->tlu)(sp);
 1626                         } else
 1627                                 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD);
 1628                         break;
 1629                 default:
 1630                         printf(SPP_FMT "%s illegal %s in state %s\n",
 1631                                SPP_ARGS(ifp), cp->name,
 1632                                sppp_cp_type_name(h->type),
 1633                                sppp_state_name(sp->state[cp->protoidx]));
 1634                         ++ifp->if_ierrors;
 1635                 }
 1636                 break;
 1637         case CONF_ACK:
 1638                 if (h->ident != sp->confid[cp->protoidx]) {
 1639                         if (debug)
 1640                                 log(-1, SPP_FMT "%s id mismatch 0x%x != 0x%x\n",
 1641                                        SPP_ARGS(ifp), cp->name,
 1642                                        h->ident, sp->confid[cp->protoidx]);
 1643                         ++ifp->if_ierrors;
 1644                         break;
 1645                 }
 1646                 switch (sp->state[cp->protoidx]) {
 1647                 case STATE_CLOSED:
 1648                 case STATE_STOPPED:
 1649                         sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0);
 1650                         break;
 1651                 case STATE_CLOSING:
 1652                 case STATE_STOPPING:
 1653                         break;
 1654                 case STATE_REQ_SENT:
 1655                         sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
 1656                         sppp_cp_change_state(cp, sp, STATE_ACK_RCVD);
 1657                         break;
 1658                 case STATE_OPENED:
 1659                         (cp->tld)(sp);
 1660                         /* FALLTHROUGH */
 1661                 case STATE_ACK_RCVD:
 1662                         (cp->scr)(sp);
 1663                         sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
 1664                         break;
 1665                 case STATE_ACK_SENT:
 1666                         sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
 1667                         sppp_cp_change_state(cp, sp, STATE_OPENED);
 1668                         if (debug)
 1669                                 log(LOG_DEBUG, SPP_FMT "%s tlu\n",
 1670                                        SPP_ARGS(ifp), cp->name);
 1671                         (cp->tlu)(sp);
 1672                         break;
 1673                 default:
 1674                         printf(SPP_FMT "%s illegal %s in state %s\n",
 1675                                SPP_ARGS(ifp), cp->name,
 1676                                sppp_cp_type_name(h->type),
 1677                                sppp_state_name(sp->state[cp->protoidx]));
 1678                         ++ifp->if_ierrors;
 1679                 }
 1680                 break;
 1681         case CONF_NAK:
 1682         case CONF_REJ:
 1683                 if (h->ident != sp->confid[cp->protoidx]) {
 1684                         if (debug)
 1685                                 log(-1, SPP_FMT "%s id mismatch 0x%x != 0x%x\n",
 1686                                        SPP_ARGS(ifp), cp->name,
 1687                                        h->ident, sp->confid[cp->protoidx]);
 1688                         ++ifp->if_ierrors;
 1689                         break;
 1690                 }
 1691                 if (h->type == CONF_NAK)
 1692                         (cp->RCN_nak)(sp, h, len);
 1693                 else /* CONF_REJ */
 1694                         (cp->RCN_rej)(sp, h, len);
 1695 
 1696                 switch (sp->state[cp->protoidx]) {
 1697                 case STATE_CLOSED:
 1698                 case STATE_STOPPED:
 1699                         sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0);
 1700                         break;
 1701                 case STATE_REQ_SENT:
 1702                 case STATE_ACK_SENT:
 1703                         sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
 1704                         /*
 1705                          * Slow things down a bit if we think we might be
 1706                          * in loopback. Depend on the timeout to send the
 1707                          * next configuration request.
 1708                          */
 1709                         if (sp->pp_loopcnt)
 1710                                 break;
 1711                         (cp->scr)(sp);
 1712                         break;
 1713                 case STATE_OPENED:
 1714                         (cp->tld)(sp);
 1715                         /* FALLTHROUGH */
 1716                 case STATE_ACK_RCVD:
 1717                         sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
 1718                         (cp->scr)(sp);
 1719                         break;
 1720                 case STATE_CLOSING:
 1721                 case STATE_STOPPING:
 1722                         break;
 1723                 default:
 1724                         printf(SPP_FMT "%s illegal %s in state %s\n",
 1725                                SPP_ARGS(ifp), cp->name,
 1726                                sppp_cp_type_name(h->type),
 1727                                sppp_state_name(sp->state[cp->protoidx]));
 1728                         ++ifp->if_ierrors;
 1729                 }
 1730                 break;
 1731 
 1732         case TERM_REQ:
 1733                 switch (sp->state[cp->protoidx]) {
 1734                 case STATE_ACK_RCVD:
 1735                 case STATE_ACK_SENT:
 1736                         sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
 1737                         /* FALLTHROUGH */
 1738                 case STATE_CLOSED:
 1739                 case STATE_STOPPED:
 1740                 case STATE_CLOSING:
 1741                 case STATE_STOPPING:
 1742                 case STATE_REQ_SENT:
 1743                   sta:
 1744                         /* Send Terminate-Ack packet. */
 1745                         if (debug)
 1746                                 log(LOG_DEBUG, SPP_FMT "%s send terminate-ack\n",
 1747                                     SPP_ARGS(ifp), cp->name);
 1748                         sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0);
 1749                         break;
 1750                 case STATE_OPENED:
 1751                         (cp->tld)(sp);
 1752                         sp->rst_counter[cp->protoidx] = 0;
 1753                         sppp_cp_change_state(cp, sp, STATE_STOPPING);
 1754                         goto sta;
 1755                         break;
 1756                 default:
 1757                         printf(SPP_FMT "%s illegal %s in state %s\n",
 1758                                SPP_ARGS(ifp), cp->name,
 1759                                sppp_cp_type_name(h->type),
 1760                                sppp_state_name(sp->state[cp->protoidx]));
 1761                         ++ifp->if_ierrors;
 1762                 }
 1763                 break;
 1764         case TERM_ACK:
 1765                 switch (sp->state[cp->protoidx]) {
 1766                 case STATE_CLOSED:
 1767                 case STATE_STOPPED:
 1768                 case STATE_REQ_SENT:
 1769                 case STATE_ACK_SENT:
 1770                         break;
 1771                 case STATE_CLOSING:
 1772                         sppp_cp_change_state(cp, sp, STATE_CLOSED);
 1773                         (cp->tlf)(sp);
 1774                         break;
 1775                 case STATE_STOPPING:
 1776                         sppp_cp_change_state(cp, sp, STATE_STOPPED);
 1777                         (cp->tlf)(sp);
 1778                         break;
 1779                 case STATE_ACK_RCVD:
 1780                         sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
 1781                         break;
 1782                 case STATE_OPENED:
 1783                         (cp->tld)(sp);
 1784                         (cp->scr)(sp);
 1785                         sppp_cp_change_state(cp, sp, STATE_ACK_RCVD);
 1786                         break;
 1787                 default:
 1788                         printf(SPP_FMT "%s illegal %s in state %s\n",
 1789                                SPP_ARGS(ifp), cp->name,
 1790                                sppp_cp_type_name(h->type),
 1791                                sppp_state_name(sp->state[cp->protoidx]));
 1792                         ++ifp->if_ierrors;
 1793                 }
 1794                 break;
 1795         case CODE_REJ:
 1796                 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */
 1797                 log(LOG_INFO,
 1798                     SPP_FMT "%s: ignoring RXJ (%s) for proto 0x%x, "
 1799                     "danger will robinson\n",
 1800                     SPP_ARGS(ifp), cp->name,
 1801                     sppp_cp_type_name(h->type), ntohs(*((u_short *)p)));
 1802                 switch (sp->state[cp->protoidx]) {
 1803                 case STATE_CLOSED:
 1804                 case STATE_STOPPED:
 1805                 case STATE_REQ_SENT:
 1806                 case STATE_ACK_SENT:
 1807                 case STATE_CLOSING:
 1808                 case STATE_STOPPING:
 1809                 case STATE_OPENED:
 1810                         break;
 1811                 case STATE_ACK_RCVD:
 1812                         sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
 1813                         break;
 1814                 default:
 1815                         printf(SPP_FMT "%s illegal %s in state %s\n",
 1816                                SPP_ARGS(ifp), cp->name,
 1817                                sppp_cp_type_name(h->type),
 1818                                sppp_state_name(sp->state[cp->protoidx]));
 1819                         ++ifp->if_ierrors;
 1820                 }
 1821                 break;
 1822         case PROTO_REJ:
 1823             {
 1824                 int catastrophic;
 1825                 const struct cp *upper;
 1826                 int i;
 1827                 u_int16_t proto;
 1828 
 1829                 catastrophic = 0;
 1830                 upper = NULL;
 1831                 proto = ntohs(*((u_int16_t *)p));
 1832                 for (i = 0; i < IDX_COUNT; i++) {
 1833                         if (cps[i]->proto == proto) {
 1834                                 upper = cps[i];
 1835                                 break;
 1836                         }
 1837                 }
 1838                 if (upper == NULL)
 1839                         catastrophic++;
 1840 
 1841                 if (catastrophic || debug)
 1842                         log(catastrophic? LOG_INFO: LOG_DEBUG,
 1843                             SPP_FMT "%s: RXJ%c (%s) for proto 0x%x (%s/%s)\n",
 1844                             SPP_ARGS(ifp), cp->name, catastrophic ? '-' : '+',
 1845                             sppp_cp_type_name(h->type), proto,
 1846                             upper ? upper->name : "unknown",
 1847                             upper ? sppp_state_name(sp->state[upper->protoidx]) : "?");
 1848 
 1849                 /*
 1850                  * if we got RXJ+ against conf-req, the peer does not implement
 1851                  * this particular protocol type.  terminate the protocol.
 1852                  */
 1853                 if (upper && !catastrophic) {
 1854                         if (sp->state[upper->protoidx] == STATE_REQ_SENT) {
 1855                                 upper->Close(sp);
 1856                                 break;
 1857                         }
 1858                 }
 1859 
 1860                 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */
 1861                 switch (sp->state[cp->protoidx]) {
 1862                 case STATE_CLOSED:
 1863                 case STATE_STOPPED:
 1864                 case STATE_REQ_SENT:
 1865                 case STATE_ACK_SENT:
 1866                 case STATE_CLOSING:
 1867                 case STATE_STOPPING:
 1868                 case STATE_OPENED:
 1869                         break;
 1870                 case STATE_ACK_RCVD:
 1871                         sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
 1872                         break;
 1873                 default:
 1874                         printf(SPP_FMT "%s illegal %s in state %s\n",
 1875                                SPP_ARGS(ifp), cp->name,
 1876                                sppp_cp_type_name(h->type),
 1877                                sppp_state_name(sp->state[cp->protoidx]));
 1878                         ++ifp->if_ierrors;
 1879                 }
 1880                 break;
 1881             }
 1882         case DISC_REQ:
 1883                 if (cp->proto != PPP_LCP)
 1884                         goto illegal;
 1885                 /* Discard the packet. */
 1886                 break;
 1887         case ECHO_REQ:
 1888                 if (cp->proto != PPP_LCP)
 1889                         goto illegal;
 1890                 if (sp->state[cp->protoidx] != STATE_OPENED) {
 1891                         if (debug)
 1892                                 log(-1, SPP_FMT "lcp echo req but lcp closed\n",
 1893                                        SPP_ARGS(ifp));
 1894                         ++ifp->if_ierrors;
 1895                         break;
 1896                 }
 1897                 if (len < 8) {
 1898                         if (debug)
 1899                                 log(-1, SPP_FMT "invalid lcp echo request "
 1900                                        "packet length: %d bytes\n",
 1901                                        SPP_ARGS(ifp), len);
 1902                         break;
 1903                 }
 1904                 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) &&
 1905                     ntohl (*(long*)(h+1)) == sp->lcp.magic) {
 1906                         /* Line loopback mode detected. */
 1907                         printf(SPP_FMT "loopback\n", SPP_ARGS(ifp));
 1908                         sp->pp_loopcnt = MAXALIVECNT * 5;
 1909                         if_down (ifp);
 1910                         sppp_qflush (&sp->pp_cpq);
 1911 
 1912                         /* Shut down the PPP link. */
 1913                         /* XXX */
 1914                         lcp.Down(sp);
 1915                         lcp.Up(sp);
 1916                         break;
 1917                 }
 1918                 *(long*)(h+1) = htonl (sp->lcp.magic);
 1919                 if (debug)
 1920                         log(-1, SPP_FMT "got lcp echo req, sending echo rep\n",
 1921                                SPP_ARGS(ifp));
 1922                 sppp_cp_send (sp, PPP_LCP, ECHO_REPLY, h->ident, len-4, h+1);
 1923                 break;
 1924         case ECHO_REPLY:
 1925                 if (cp->proto != PPP_LCP)
 1926                         goto illegal;
 1927                 if (h->ident != sp->lcp.echoid) {
 1928                         ++ifp->if_ierrors;
 1929                         break;
 1930                 }
 1931                 if (len < 8) {
 1932                         if (debug)
 1933                                 log(-1, SPP_FMT "lcp invalid echo reply "
 1934                                        "packet length: %d bytes\n",
 1935                                        SPP_ARGS(ifp), len);
 1936                         break;
 1937                 }
 1938                 if (debug)
 1939                         log(-1, SPP_FMT "lcp got echo rep\n",
 1940                                SPP_ARGS(ifp));
 1941                 if (!(sp->lcp.opts & (1 << LCP_OPT_MAGIC)) ||
 1942                     ntohl (*(long*)(h+1)) != sp->lcp.magic)
 1943                         sp->pp_alivecnt = 0;
 1944                 break;
 1945         default:
 1946                 /* Unknown packet type -- send Code-Reject packet. */
 1947           illegal:
 1948                 if (debug)
 1949                         log(-1, SPP_FMT "%s send code-rej for 0x%x\n",
 1950                                SPP_ARGS(ifp), cp->name, h->type);
 1951                 sppp_cp_send(sp, cp->proto, CODE_REJ,
 1952                              ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h);
 1953                 ++ifp->if_ierrors;
 1954         }
 1955 }
 1956 
 1957 
 1958 /*
 1959  * The generic part of all Up/Down/Open/Close/TO event handlers.
 1960  * Basically, the state transition handling in the automaton.
 1961  */
 1962 static void
 1963 sppp_up_event(const struct cp *cp, struct sppp *sp)
 1964 {
 1965         STDDCL;
 1966 
 1967         if (debug)
 1968                 log(LOG_DEBUG, SPP_FMT "%s up(%s)\n",
 1969                     SPP_ARGS(ifp), cp->name,
 1970                     sppp_state_name(sp->state[cp->protoidx]));
 1971 
 1972         switch (sp->state[cp->protoidx]) {
 1973         case STATE_INITIAL:
 1974                 sppp_cp_change_state(cp, sp, STATE_CLOSED);
 1975                 break;
 1976         case STATE_STARTING:
 1977                 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
 1978                 (cp->scr)(sp);
 1979                 sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
 1980                 break;
 1981         default:
 1982                 printf(SPP_FMT "%s illegal up in state %s\n",
 1983                        SPP_ARGS(ifp), cp->name,
 1984                        sppp_state_name(sp->state[cp->protoidx]));
 1985         }
 1986 }
 1987 
 1988 static void
 1989 sppp_down_event(const struct cp *cp, struct sppp *sp)
 1990 {
 1991         STDDCL;
 1992 
 1993         if (debug)
 1994                 log(LOG_DEBUG, SPP_FMT "%s down(%s)\n",
 1995                     SPP_ARGS(ifp), cp->name,
 1996                     sppp_state_name(sp->state[cp->protoidx]));
 1997 
 1998         switch (sp->state[cp->protoidx]) {
 1999         case STATE_CLOSED:
 2000         case STATE_CLOSING:
 2001                 sppp_cp_change_state(cp, sp, STATE_INITIAL);
 2002                 break;
 2003         case STATE_STOPPED:
 2004                 sppp_cp_change_state(cp, sp, STATE_STARTING);
 2005                 (cp->tls)(sp);
 2006                 break;
 2007         case STATE_STOPPING:
 2008         case STATE_REQ_SENT:
 2009         case STATE_ACK_RCVD:
 2010         case STATE_ACK_SENT:
 2011                 sppp_cp_change_state(cp, sp, STATE_STARTING);
 2012                 break;
 2013         case STATE_OPENED:
 2014                 (cp->tld)(sp);
 2015                 sppp_cp_change_state(cp, sp, STATE_STARTING);
 2016                 break;
 2017         default:
 2018                 printf(SPP_FMT "%s illegal down in state %s\n",
 2019                        SPP_ARGS(ifp), cp->name,
 2020                        sppp_state_name(sp->state[cp->protoidx]));
 2021         }
 2022 }
 2023 
 2024 
 2025 static void
 2026 sppp_open_event(const struct cp *cp, struct sppp *sp)
 2027 {
 2028         STDDCL;
 2029 
 2030         if (debug)
 2031                 log(LOG_DEBUG, SPP_FMT "%s open(%s)\n",
 2032                     SPP_ARGS(ifp), cp->name,
 2033                     sppp_state_name(sp->state[cp->protoidx]));
 2034 
 2035         switch (sp->state[cp->protoidx]) {
 2036         case STATE_INITIAL:
 2037                 sppp_cp_change_state(cp, sp, STATE_STARTING);
 2038                 (cp->tls)(sp);
 2039                 break;
 2040         case STATE_STARTING:
 2041                 break;
 2042         case STATE_CLOSED:
 2043                 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
 2044                 (cp->scr)(sp);
 2045                 sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
 2046                 break;
 2047         case STATE_STOPPED:
 2048                 /*
 2049                  * Try escaping stopped state.  This seems to bite
 2050                  * people occasionally, in particular for IPCP,
 2051                  * presumably following previous IPCP negotiation
 2052                  * aborts.  Somehow, we must have missed a Down event
 2053                  * which would have caused a transition into starting
 2054                  * state, so as a bandaid we force the Down event now.
 2055                  * This effectively implements (something like the)
 2056                  * `restart' option mentioned in the state transition
 2057                  * table of RFC 1661.
 2058                  */
 2059                 sppp_cp_change_state(cp, sp, STATE_STARTING);
 2060                 (cp->tls)(sp);
 2061                 break;
 2062         case STATE_STOPPING:
 2063         case STATE_REQ_SENT:
 2064         case STATE_ACK_RCVD:
 2065         case STATE_ACK_SENT:
 2066         case STATE_OPENED:
 2067                 break;
 2068         case STATE_CLOSING:
 2069                 sppp_cp_change_state(cp, sp, STATE_STOPPING);
 2070                 break;
 2071         }
 2072 }
 2073 
 2074 
 2075 static void
 2076 sppp_close_event(const struct cp *cp, struct sppp *sp)
 2077 {
 2078         STDDCL;
 2079 
 2080         if (debug)
 2081                 log(LOG_DEBUG, SPP_FMT "%s close(%s)\n",
 2082                     SPP_ARGS(ifp), cp->name,
 2083                     sppp_state_name(sp->state[cp->protoidx]));
 2084 
 2085         switch (sp->state[cp->protoidx]) {
 2086         case STATE_INITIAL:
 2087         case STATE_CLOSED:
 2088         case STATE_CLOSING:
 2089                 break;
 2090         case STATE_STARTING:
 2091                 sppp_cp_change_state(cp, sp, STATE_INITIAL);
 2092                 (cp->tlf)(sp);
 2093                 break;
 2094         case STATE_STOPPED:
 2095                 sppp_cp_change_state(cp, sp, STATE_CLOSED);
 2096                 break;
 2097         case STATE_STOPPING:
 2098                 sppp_cp_change_state(cp, sp, STATE_CLOSING);
 2099                 break;
 2100         case STATE_OPENED:
 2101                 (cp->tld)(sp);
 2102                 /* FALLTHROUGH */
 2103         case STATE_REQ_SENT:
 2104         case STATE_ACK_RCVD:
 2105         case STATE_ACK_SENT:
 2106                 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate;
 2107                 sppp_cp_send(sp, cp->proto, TERM_REQ,
 2108                              ++sp->pp_seq[cp->protoidx], 0, 0);
 2109                 sppp_cp_change_state(cp, sp, STATE_CLOSING);
 2110                 break;
 2111         }
 2112 }
 2113 
 2114 static void
 2115 sppp_to_event(const struct cp *cp, struct sppp *sp)
 2116 {
 2117         STDDCL;
 2118         int s;
 2119 
 2120         s = splimp();
 2121         SPPP_LOCK(sp);
 2122         if (debug)
 2123                 log(LOG_DEBUG, SPP_FMT "%s TO(%s) rst_counter = %d\n",
 2124                     SPP_ARGS(ifp), cp->name,
 2125                     sppp_state_name(sp->state[cp->protoidx]),
 2126                     sp->rst_counter[cp->protoidx]);
 2127 
 2128         if (--sp->rst_counter[cp->protoidx] < 0)
 2129                 /* TO- event */
 2130                 switch (sp->state[cp->protoidx]) {
 2131                 case STATE_CLOSING:
 2132                         sppp_cp_change_state(cp, sp, STATE_CLOSED);
 2133                         (cp->tlf)(sp);
 2134                         break;
 2135                 case STATE_STOPPING:
 2136                         sppp_cp_change_state(cp, sp, STATE_STOPPED);
 2137                         (cp->tlf)(sp);
 2138                         break;
 2139                 case STATE_REQ_SENT:
 2140                 case STATE_ACK_RCVD:
 2141                 case STATE_ACK_SENT:
 2142                         sppp_cp_change_state(cp, sp, STATE_STOPPED);
 2143                         (cp->tlf)(sp);
 2144                         break;
 2145                 }
 2146         else
 2147                 /* TO+ event */
 2148                 switch (sp->state[cp->protoidx]) {
 2149                 case STATE_CLOSING:
 2150                 case STATE_STOPPING:
 2151                         sppp_cp_send(sp, cp->proto, TERM_REQ,
 2152                                      ++sp->pp_seq[cp->protoidx], 0, 0);
 2153                         callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout,
 2154                                       cp->TO, (void *)sp);
 2155                         break;
 2156                 case STATE_REQ_SENT:
 2157                 case STATE_ACK_RCVD:
 2158                         (cp->scr)(sp);
 2159                         /* sppp_cp_change_state() will restart the timer */
 2160                         sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
 2161                         break;
 2162                 case STATE_ACK_SENT:
 2163                         (cp->scr)(sp);
 2164                         callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout,
 2165                                       cp->TO, (void *)sp);
 2166                         break;
 2167                 }
 2168 
 2169         SPPP_UNLOCK(sp);
 2170         splx(s);
 2171 }
 2172 
 2173 /*
 2174  * Change the state of a control protocol in the state automaton.
 2175  * Takes care of starting/stopping the restart timer.
 2176  */
 2177 static void
 2178 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate)
 2179 {
 2180         sp->state[cp->protoidx] = newstate;
 2181 
 2182         callout_stop (&sp->ch[cp->protoidx]);
 2183 
 2184         switch (newstate) {
 2185         case STATE_INITIAL:
 2186         case STATE_STARTING:
 2187         case STATE_CLOSED:
 2188         case STATE_STOPPED:
 2189         case STATE_OPENED:
 2190                 break;
 2191         case STATE_CLOSING:
 2192         case STATE_STOPPING:
 2193         case STATE_REQ_SENT:
 2194         case STATE_ACK_RCVD:
 2195         case STATE_ACK_SENT:
 2196                 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout,
 2197                               cp->TO, (void *)sp);
 2198                 break;
 2199         }
 2200 }
 2201 
 2202 /*
 2203  *--------------------------------------------------------------------------*
 2204  *                                                                          *
 2205  *                         The LCP implementation.                          *
 2206  *                                                                          *
 2207  *--------------------------------------------------------------------------*
 2208  */
 2209 static void
 2210 sppp_pp_up(struct sppp *sp)
 2211 {
 2212         SPPP_LOCK(sp);
 2213         lcp.Up(sp);
 2214         SPPP_UNLOCK(sp);
 2215 }
 2216 
 2217 static void
 2218 sppp_pp_down(struct sppp *sp)
 2219 {
 2220         SPPP_LOCK(sp);
 2221         lcp.Down(sp);
 2222         SPPP_UNLOCK(sp);
 2223 }
 2224 
 2225 static void
 2226 sppp_lcp_init(struct sppp *sp)
 2227 {
 2228         sp->lcp.opts = (1 << LCP_OPT_MAGIC);
 2229         sp->lcp.magic = 0;
 2230         sp->state[IDX_LCP] = STATE_INITIAL;
 2231         sp->fail_counter[IDX_LCP] = 0;
 2232         sp->pp_seq[IDX_LCP] = 0;
 2233         sp->pp_rseq[IDX_LCP] = 0;
 2234         sp->lcp.protos = 0;
 2235         sp->lcp.mru = sp->lcp.their_mru = PP_MTU;
 2236 
 2237         /* Note that these values are  relevant for all control protocols */
 2238         sp->lcp.timeout = 3 * hz;
 2239         sp->lcp.max_terminate = 2;
 2240         sp->lcp.max_configure = 10;
 2241         sp->lcp.max_failure = 10;
 2242         callout_init(&sp->ch[IDX_LCP],
 2243                     (SP2IFP(sp)->if_flags & IFF_NEEDSGIANT) ? 0 : CALLOUT_MPSAFE);
 2244 }
 2245 
 2246 static void
 2247 sppp_lcp_up(struct sppp *sp)
 2248 {
 2249         STDDCL;
 2250 
 2251         sp->pp_alivecnt = 0;
 2252         sp->lcp.opts = (1 << LCP_OPT_MAGIC);
 2253         sp->lcp.magic = 0;
 2254         sp->lcp.protos = 0;
 2255         sp->lcp.mru = sp->lcp.their_mru = PP_MTU;
 2256         /*
 2257          * If we are authenticator, negotiate LCP_AUTH
 2258          */
 2259         if (sp->hisauth.proto != 0)
 2260                 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO);
 2261         else
 2262                 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO);
 2263         sp->pp_flags &= ~PP_NEEDAUTH;
 2264         /*
 2265          * If this interface is passive or dial-on-demand, and we are
 2266          * still in Initial state, it means we've got an incoming
 2267          * call.  Activate the interface.
 2268          */
 2269         if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) {
 2270                 if (debug)
 2271                         log(LOG_DEBUG,
 2272                             SPP_FMT "Up event", SPP_ARGS(ifp));
 2273                 ifp->if_drv_flags |= IFF_DRV_RUNNING;
 2274                 if (sp->state[IDX_LCP] == STATE_INITIAL) {
 2275                         if (debug)
 2276                                 log(-1, "(incoming call)\n");
 2277                         sp->pp_flags |= PP_CALLIN;
 2278                         lcp.Open(sp);
 2279                 } else if (debug)
 2280                         log(-1, "\n");
 2281         } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 &&
 2282                    (sp->state[IDX_LCP] == STATE_INITIAL)) {
 2283                 ifp->if_drv_flags |= IFF_DRV_RUNNING;
 2284                 lcp.Open(sp);
 2285         }
 2286 
 2287         sppp_up_event(&lcp, sp);
 2288 }
 2289 
 2290 static void
 2291 sppp_lcp_down(struct sppp *sp)
 2292 {
 2293         STDDCL;
 2294 
 2295         sppp_down_event(&lcp, sp);
 2296 
 2297         /*
 2298          * If this is neither a dial-on-demand nor a passive
 2299          * interface, simulate an ``ifconfig down'' action, so the
 2300          * administrator can force a redial by another ``ifconfig
 2301          * up''.  XXX For leased line operation, should we immediately
 2302          * try to reopen the connection here?
 2303          */
 2304         if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) {
 2305                 log(LOG_INFO,
 2306                     SPP_FMT "Down event, taking interface down.\n",
 2307                     SPP_ARGS(ifp));
 2308                 if_down(ifp);
 2309         } else {
 2310                 if (debug)
 2311                         log(LOG_DEBUG,
 2312                             SPP_FMT "Down event (carrier loss)\n",
 2313                             SPP_ARGS(ifp));
 2314                 sp->pp_flags &= ~PP_CALLIN;
 2315                 if (sp->state[IDX_LCP] != STATE_INITIAL)
 2316                         lcp.Close(sp);
 2317                 ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
 2318         }
 2319 }
 2320 
 2321 static void
 2322 sppp_lcp_open(struct sppp *sp)
 2323 {
 2324         sppp_open_event(&lcp, sp);
 2325 }
 2326 
 2327 static void
 2328 sppp_lcp_close(struct sppp *sp)
 2329 {
 2330         sppp_close_event(&lcp, sp);
 2331 }
 2332 
 2333 static void
 2334 sppp_lcp_TO(void *cookie)
 2335 {
 2336         sppp_to_event(&lcp, (struct sppp *)cookie);
 2337 }
 2338 
 2339 /*
 2340  * Analyze a configure request.  Return true if it was agreeable, and
 2341  * caused action sca, false if it has been rejected or nak'ed, and
 2342  * caused action scn.  (The return value is used to make the state
 2343  * transition decision in the state automaton.)
 2344  */
 2345 static int
 2346 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len)
 2347 {
 2348         STDDCL;
 2349         u_char *buf, *r, *p;
 2350         int origlen, rlen;
 2351         u_long nmagic;
 2352         u_short authproto;
 2353 
 2354         len -= 4;
 2355         origlen = len;
 2356         buf = r = malloc (len, M_TEMP, M_NOWAIT);
 2357         if (! buf)
 2358                 return (0);
 2359 
 2360         if (debug)
 2361                 log(LOG_DEBUG, SPP_FMT "lcp parse opts: ",
 2362                     SPP_ARGS(ifp));
 2363 
 2364         /* pass 1: check for things that need to be rejected */
 2365         p = (void*) (h+1);
 2366         for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
 2367             len-=p[1], p+=p[1]) {
 2368                 if (debug)
 2369                         log(-1, " %s ", sppp_lcp_opt_name(*p));
 2370                 switch (*p) {
 2371                 case LCP_OPT_MAGIC:
 2372                         /* Magic number. */
 2373                         if (len >= 6 && p[1] == 6)
 2374                                 continue;
 2375                         if (debug)
 2376                                 log(-1, "[invalid] ");
 2377                         break;
 2378                 case LCP_OPT_ASYNC_MAP:
 2379                         /* Async control character map. */
 2380                         if (len >= 6 && p[1] == 6)
 2381                                 continue;
 2382                         if (debug)
 2383                                 log(-1, "[invalid] ");
 2384                         break;
 2385                 case LCP_OPT_MRU:
 2386                         /* Maximum receive unit. */
 2387                         if (len >= 4 && p[1] == 4)
 2388                                 continue;
 2389                         if (debug)
 2390                                 log(-1, "[invalid] ");
 2391                         break;
 2392                 case LCP_OPT_AUTH_PROTO:
 2393                         if (len < 4) {
 2394                                 if (debug)
 2395                                         log(-1, "[invalid] ");
 2396                                 break;
 2397                         }
 2398                         authproto = (p[2] << 8) + p[3];
 2399                         if (authproto == PPP_CHAP && p[1] != 5) {
 2400                                 if (debug)
 2401                                         log(-1, "[invalid chap len] ");
 2402                                 break;
 2403                         }
 2404                         if (sp->myauth.proto == 0) {
 2405                                 /* we are not configured to do auth */
 2406                                 if (debug)
 2407                                         log(-1, "[not configured] ");
 2408                                 break;
 2409                         }
 2410                         /*
 2411                          * Remote want us to authenticate, remember this,
 2412                          * so we stay in PHASE_AUTHENTICATE after LCP got
 2413                          * up.
 2414                          */
 2415                         sp->pp_flags |= PP_NEEDAUTH;
 2416                         continue;
 2417                 default:
 2418                         /* Others not supported. */
 2419                         if (debug)
 2420                                 log(-1, "[rej] ");
 2421                         break;
 2422                 }
 2423                 /* Add the option to rejected list. */
 2424                 bcopy (p, r, p[1]);
 2425                 r += p[1];
 2426                 rlen += p[1];
 2427         }
 2428         if (rlen) {
 2429                 if (debug)
 2430                         log(-1, " send conf-rej\n");
 2431                 sppp_cp_send (sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf);
 2432                 return 0;
 2433         } else if (debug)
 2434                 log(-1, "\n");
 2435 
 2436         /*
 2437          * pass 2: check for option values that are unacceptable and
 2438          * thus require to be nak'ed.
 2439          */
 2440         if (debug)
 2441                 log(LOG_DEBUG, SPP_FMT "lcp parse opt values: ",
 2442                     SPP_ARGS(ifp));
 2443 
 2444         p = (void*) (h+1);
 2445         len = origlen;
 2446         for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
 2447             len-=p[1], p+=p[1]) {
 2448                 if (debug)
 2449                         log(-1, " %s ", sppp_lcp_opt_name(*p));
 2450                 switch (*p) {
 2451                 case LCP_OPT_MAGIC:
 2452                         /* Magic number -- extract. */
 2453                         nmagic = (u_long)p[2] << 24 |
 2454                                 (u_long)p[3] << 16 | p[4] << 8 | p[5];
 2455                         if (nmagic != sp->lcp.magic) {
 2456                                 sp->pp_loopcnt = 0;
 2457                                 if (debug)
 2458                                         log(-1, "0x%lx ", nmagic);
 2459                                 continue;
 2460                         }
 2461                         if (debug && sp->pp_loopcnt < MAXALIVECNT*5)
 2462                                 log(-1, "[glitch] ");
 2463                         ++sp->pp_loopcnt;
 2464                         /*
 2465                          * We negate our magic here, and NAK it.  If
 2466                          * we see it later in an NAK packet, we
 2467                          * suggest a new one.
 2468                          */
 2469                         nmagic = ~sp->lcp.magic;
 2470                         /* Gonna NAK it. */
 2471                         p[2] = nmagic >> 24;
 2472                         p[3] = nmagic >> 16;
 2473                         p[4] = nmagic >> 8;
 2474                         p[5] = nmagic;
 2475                         break;
 2476 
 2477                 case LCP_OPT_ASYNC_MAP:
 2478                         /*
 2479                          * Async control character map -- just ignore it.
 2480                          *
 2481                          * Quote from RFC 1662, chapter 6:
 2482                          * To enable this functionality, synchronous PPP
 2483                          * implementations MUST always respond to the
 2484                          * Async-Control-Character-Map Configuration
 2485                          * Option with the LCP Configure-Ack.  However,
 2486                          * acceptance of the Configuration Option does
 2487                          * not imply that the synchronous implementation
 2488                          * will do any ACCM mapping.  Instead, all such
 2489                          * octet mapping will be performed by the
 2490                          * asynchronous-to-synchronous converter.
 2491                          */
 2492                         continue;
 2493 
 2494                 case LCP_OPT_MRU:
 2495                         /*
 2496                          * Maximum receive unit.  Always agreeable,
 2497                          * but ignored by now.
 2498                          */
 2499                         sp->lcp.their_mru = p[2] * 256 + p[3];
 2500                         if (debug)
 2501                                 log(-1, "%lu ", sp->lcp.their_mru);
 2502                         continue;
 2503 
 2504                 case LCP_OPT_AUTH_PROTO:
 2505                         authproto = (p[2] << 8) + p[3];
 2506                         if (sp->myauth.proto != authproto) {
 2507                                 /* not agreed, nak */
 2508                                 if (debug)
 2509                                         log(-1, "[mine %s != his %s] ",
 2510                                                sppp_proto_name(sp->hisauth.proto),
 2511                                                sppp_proto_name(authproto));
 2512                                 p[2] = sp->myauth.proto >> 8;
 2513                                 p[3] = sp->myauth.proto;
 2514                                 break;
 2515                         }
 2516                         if (authproto == PPP_CHAP && p[4] != CHAP_MD5) {
 2517                                 if (debug)
 2518                                         log(-1, "[chap not MD5] ");
 2519                                 p[4] = CHAP_MD5;
 2520                                 break;
 2521                         }
 2522                         continue;
 2523                 }
 2524                 /* Add the option to nak'ed list. */
 2525                 bcopy (p, r, p[1]);
 2526                 r += p[1];
 2527                 rlen += p[1];
 2528         }
 2529         if (rlen) {
 2530                 /*
 2531                  * Local and remote magics equal -- loopback?
 2532                  */
 2533                 if (sp->pp_loopcnt >= MAXALIVECNT*5) {
 2534                         if (sp->pp_loopcnt == MAXALIVECNT*5)
 2535                                 printf (SPP_FMT "loopback\n",
 2536                                         SPP_ARGS(ifp));
 2537                         if (ifp->if_flags & IFF_UP) {
 2538                                 if_down(ifp);
 2539                                 sppp_qflush(&sp->pp_cpq);
 2540                                 /* XXX ? */
 2541                                 lcp.Down(sp);
 2542                                 lcp.Up(sp);
 2543                         }
 2544                 } else if (!sp->pp_loopcnt &&
 2545                            ++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
 2546                         if (debug)
 2547                                 log(-1, " max_failure (%d) exceeded, "
 2548                                        "send conf-rej\n",
 2549                                        sp->lcp.max_failure);
 2550                         sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf);
 2551                 } else {
 2552                         if (debug)
 2553                                 log(-1, " send conf-nak\n");
 2554                         sppp_cp_send (sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf);
 2555                 }
 2556         } else {
 2557                 if (debug)
 2558                         log(-1, " send conf-ack\n");
 2559                 sp->fail_counter[IDX_LCP] = 0;
 2560                 sp->pp_loopcnt = 0;
 2561                 sppp_cp_send (sp, PPP_LCP, CONF_ACK,
 2562                               h->ident, origlen, h+1);
 2563         }
 2564 
 2565         free (buf, M_TEMP);
 2566         return (rlen == 0);
 2567 }
 2568 
 2569 /*
 2570  * Analyze the LCP Configure-Reject option list, and adjust our
 2571  * negotiation.
 2572  */
 2573 static void
 2574 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
 2575 {
 2576         STDDCL;
 2577         u_char *buf, *p;
 2578 
 2579         len -= 4;
 2580         buf = malloc (len, M_TEMP, M_NOWAIT);
 2581         if (!buf)
 2582                 return;
 2583 
 2584         if (debug)
 2585                 log(LOG_DEBUG, SPP_FMT "lcp rej opts: ",
 2586                     SPP_ARGS(ifp));
 2587 
 2588         p = (void*) (h+1);
 2589         for (; len >= 2 && p[1] >= 2 && len >= p[1];
 2590             len -= p[1], p += p[1]) {
 2591                 if (debug)
 2592                         log(-1, " %s ", sppp_lcp_opt_name(*p));
 2593                 switch (*p) {
 2594                 case LCP_OPT_MAGIC:
 2595                         /* Magic number -- can't use it, use 0 */
 2596                         sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC);
 2597                         sp->lcp.magic = 0;
 2598                         break;
 2599                 case LCP_OPT_MRU:
 2600                         /*
 2601                          * Should not be rejected anyway, since we only
 2602                          * negotiate a MRU if explicitly requested by
 2603                          * peer.
 2604                          */
 2605                         sp->lcp.opts &= ~(1 << LCP_OPT_MRU);
 2606                         break;
 2607                 case LCP_OPT_AUTH_PROTO:
 2608                         /*
 2609                          * Peer doesn't want to authenticate himself,
 2610                          * deny unless this is a dialout call, and
 2611                          * AUTHFLAG_NOCALLOUT is set.
 2612                          */
 2613                         if ((sp->pp_flags & PP_CALLIN) == 0 &&
 2614                             (sp->hisauth.flags & AUTHFLAG_NOCALLOUT) != 0) {
 2615                                 if (debug)
 2616                                         log(-1, "[don't insist on auth "
 2617                                                "for callout]");
 2618                                 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO);
 2619                                 break;
 2620                         }
 2621                         if (debug)
 2622                                 log(-1, "[access denied]\n");
 2623                         lcp.Close(sp);
 2624                         break;
 2625                 }
 2626         }
 2627         if (debug)
 2628                 log(-1, "\n");
 2629         free (buf, M_TEMP);
 2630         return;
 2631 }
 2632 
 2633 /*
 2634  * Analyze the LCP Configure-NAK option list, and adjust our
 2635  * negotiation.
 2636  */
 2637 static void
 2638 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
 2639 {
 2640         STDDCL;
 2641         u_char *buf, *p;
 2642         u_long magic;
 2643 
 2644         len -= 4;
 2645         buf = malloc (len, M_TEMP, M_NOWAIT);
 2646         if (!buf)
 2647                 return;
 2648 
 2649         if (debug)
 2650                 log(LOG_DEBUG, SPP_FMT "lcp nak opts: ",
 2651                     SPP_ARGS(ifp));
 2652 
 2653         p = (void*) (h+1);
 2654         for (; len >= 2 && p[1] >= 2 && len >= p[1];
 2655             len -= p[1], p += p[1]) {
 2656                 if (debug)
 2657                         log(-1, " %s ", sppp_lcp_opt_name(*p));
 2658                 switch (*p) {
 2659                 case LCP_OPT_MAGIC:
 2660                         /* Magic number -- renegotiate */
 2661                         if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) &&
 2662                             len >= 6 && p[1] == 6) {
 2663                                 magic = (u_long)p[2] << 24 |
 2664                                         (u_long)p[3] << 16 | p[4] << 8 | p[5];
 2665                                 /*
 2666                                  * If the remote magic is our negated one,
 2667                                  * this looks like a loopback problem.
 2668                                  * Suggest a new magic to make sure.
 2669                                  */
 2670                                 if (magic == ~sp->lcp.magic) {
 2671                                         if (debug)
 2672                                                 log(-1, "magic glitch ");
 2673 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
 2674                                         sp->lcp.magic = random();
 2675 #else
 2676                                         sp->lcp.magic = time.tv_sec + time.tv_usec;
 2677 #endif
 2678                                 } else {
 2679                                         sp->lcp.magic = magic;
 2680                                         if (debug)
 2681                                                 log(-1, "%lu ", magic);
 2682                                 }
 2683                         }
 2684                         break;
 2685                 case LCP_OPT_MRU:
 2686                         /*
 2687                          * Peer wants to advise us to negotiate an MRU.
 2688                          * Agree on it if it's reasonable, or use
 2689                          * default otherwise.
 2690                          */
 2691                         if (len >= 4 && p[1] == 4) {
 2692                                 u_int mru = p[2] * 256 + p[3];
 2693                                 if (debug)
 2694                                         log(-1, "%d ", mru);
 2695                                 if (mru < PP_MTU || mru > PP_MAX_MRU)
 2696                                         mru = PP_MTU;
 2697                                 sp->lcp.mru = mru;
 2698                                 sp->lcp.opts |= (1 << LCP_OPT_MRU);
 2699                         }
 2700                         break;
 2701                 case LCP_OPT_AUTH_PROTO:
 2702                         /*
 2703                          * Peer doesn't like our authentication method,
 2704                          * deny.
 2705                          */
 2706                         if (debug)
 2707                                 log(-1, "[access denied]\n");
 2708                         lcp.Close(sp);
 2709                         break;
 2710                 }
 2711         }
 2712         if (debug)
 2713                 log(-1, "\n");
 2714         free (buf, M_TEMP);
 2715         return;
 2716 }
 2717 
 2718 static void
 2719 sppp_lcp_tlu(struct sppp *sp)
 2720 {
 2721         STDDCL;
 2722         int i;
 2723         u_long mask;
 2724 
 2725         /* XXX ? */
 2726         if (! (ifp->if_flags & IFF_UP) &&
 2727             (ifp->if_drv_flags & IFF_DRV_RUNNING)) {
 2728                 /* Coming out of loopback mode. */
 2729                 if_up(ifp);
 2730                 printf (SPP_FMT "up\n", SPP_ARGS(ifp));
 2731         }
 2732 
 2733         for (i = 0; i < IDX_COUNT; i++)
 2734                 if ((cps[i])->flags & CP_QUAL)
 2735                         (cps[i])->Open(sp);
 2736 
 2737         if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 ||
 2738             (sp->pp_flags & PP_NEEDAUTH) != 0)
 2739                 sp->pp_phase = PHASE_AUTHENTICATE;
 2740         else
 2741                 sp->pp_phase = PHASE_NETWORK;
 2742 
 2743         if (debug)
 2744                 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp),
 2745                     sppp_phase_name(sp->pp_phase));
 2746 
 2747         /*
 2748          * Open all authentication protocols.  This is even required
 2749          * if we already proceeded to network phase, since it might be
 2750          * that remote wants us to authenticate, so we might have to
 2751          * send a PAP request.  Undesired authentication protocols
 2752          * don't do anything when they get an Open event.
 2753          */
 2754         for (i = 0; i < IDX_COUNT; i++)
 2755                 if ((cps[i])->flags & CP_AUTH)
 2756                         (cps[i])->Open(sp);
 2757 
 2758         if (sp->pp_phase == PHASE_NETWORK) {
 2759                 /* Notify all NCPs. */
 2760                 for (i = 0; i < IDX_COUNT; i++)
 2761                         if (((cps[i])->flags & CP_NCP) &&
 2762                             /*
 2763                              * XXX
 2764                              * Hack to administratively disable IPv6 if
 2765                              * not desired.  Perhaps we should have another
 2766                              * flag for this, but right now, we can make
 2767                              * all struct cp's read/only.
 2768                              */
 2769                             (cps[i] != &ipv6cp ||
 2770                              (sp->confflags & CONF_ENABLE_IPV6)))
 2771                                 (cps[i])->Open(sp);
 2772         }
 2773 
 2774         /* Send Up events to all started protos. */
 2775         for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1)
 2776                 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0)
 2777                         (cps[i])->Up(sp);
 2778 
 2779         /* notify low-level driver of state change */
 2780         if (sp->pp_chg)
 2781                 sp->pp_chg(sp, (int)sp->pp_phase);
 2782         
 2783         if (sp->pp_phase == PHASE_NETWORK)
 2784                 /* if no NCP is starting, close down */
 2785                 sppp_lcp_check_and_close(sp);
 2786 }
 2787 
 2788 static void
 2789 sppp_lcp_tld(struct sppp *sp)
 2790 {
 2791         STDDCL;
 2792         int i;
 2793         u_long mask;
 2794 
 2795         sp->pp_phase = PHASE_TERMINATE;
 2796 
 2797         if (debug)
 2798                 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp),
 2799                     sppp_phase_name(sp->pp_phase));
 2800 
 2801         /*
 2802          * Take upper layers down.  We send the Down event first and
 2803          * the Close second to prevent the upper layers from sending
 2804          * ``a flurry of terminate-request packets'', as the RFC
 2805          * describes it.
 2806          */
 2807         for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1)
 2808                 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) {
 2809                         (cps[i])->Down(sp);
 2810                         (cps[i])->Close(sp);
 2811                 }
 2812 }
 2813 
 2814 static void
 2815 sppp_lcp_tls(struct sppp *sp)
 2816 {
 2817         STDDCL;
 2818 
 2819         sp->pp_phase = PHASE_ESTABLISH;
 2820 
 2821         if (debug)
 2822                 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp),
 2823                     sppp_phase_name(sp->pp_phase));
 2824 
 2825         /* Notify lower layer if desired. */
 2826         if (sp->pp_tls)
 2827                 (sp->pp_tls)(sp);
 2828         else
 2829                 (sp->pp_up)(sp);
 2830 }
 2831 
 2832 static void
 2833 sppp_lcp_tlf(struct sppp *sp)
 2834 {
 2835         STDDCL;
 2836 
 2837         sp->pp_phase = PHASE_DEAD;
 2838         if (debug)
 2839                 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp),
 2840                     sppp_phase_name(sp->pp_phase));
 2841 
 2842         /* Notify lower layer if desired. */
 2843         if (sp->pp_tlf)
 2844                 (sp->pp_tlf)(sp);
 2845         else
 2846                 (sp->pp_down)(sp);
 2847 }
 2848 
 2849 static void
 2850 sppp_lcp_scr(struct sppp *sp)
 2851 {
 2852         char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */];
 2853         int i = 0;
 2854         u_short authproto;
 2855 
 2856         if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) {
 2857                 if (! sp->lcp.magic)
 2858 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
 2859                         sp->lcp.magic = random();
 2860 #else
 2861                         sp->lcp.magic = time.tv_sec + time.tv_usec;
 2862 #endif
 2863                 opt[i++] = LCP_OPT_MAGIC;
 2864                 opt[i++] = 6;
 2865                 opt[i++] = sp->lcp.magic >> 24;
 2866                 opt[i++] = sp->lcp.magic >> 16;
 2867                 opt[i++] = sp->lcp.magic >> 8;
 2868                 opt[i++] = sp->lcp.magic;
 2869         }
 2870 
 2871         if (sp->lcp.opts & (1 << LCP_OPT_MRU)) {
 2872                 opt[i++] = LCP_OPT_MRU;
 2873                 opt[i++] = 4;
 2874                 opt[i++] = sp->lcp.mru >> 8;
 2875                 opt[i++] = sp->lcp.mru;
 2876         }
 2877 
 2878         if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) {
 2879                 authproto = sp->hisauth.proto;
 2880                 opt[i++] = LCP_OPT_AUTH_PROTO;
 2881                 opt[i++] = authproto == PPP_CHAP? 5: 4;
 2882                 opt[i++] = authproto >> 8;
 2883                 opt[i++] = authproto;
 2884                 if (authproto == PPP_CHAP)
 2885                         opt[i++] = CHAP_MD5;
 2886         }
 2887 
 2888         sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP];
 2889         sppp_cp_send (sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt);
 2890 }
 2891 
 2892 /*
 2893  * Check the open NCPs, return true if at least one NCP is open.
 2894  */
 2895 static int
 2896 sppp_ncp_check(struct sppp *sp)
 2897 {
 2898         int i, mask;
 2899 
 2900         for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1)
 2901                 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP)
 2902                         return 1;
 2903         return 0;
 2904 }
 2905 
 2906 /*
 2907  * Re-check the open NCPs and see if we should terminate the link.
 2908  * Called by the NCPs during their tlf action handling.
 2909  */
 2910 static void
 2911 sppp_lcp_check_and_close(struct sppp *sp)
 2912 {
 2913 
 2914         if (sp->pp_phase < PHASE_NETWORK)
 2915                 /* don't bother, we are already going down */
 2916                 return;
 2917 
 2918         if (sppp_ncp_check(sp))
 2919                 return;
 2920 
 2921         lcp.Close(sp);
 2922 }
 2923 
 2924 /*
 2925  *--------------------------------------------------------------------------*
 2926  *                                                                          *
 2927  *                        The IPCP implementation.                          *
 2928  *                                                                          *
 2929  *--------------------------------------------------------------------------*
 2930  */
 2931 
 2932 static void
 2933 sppp_ipcp_init(struct sppp *sp)
 2934 {
 2935         sp->ipcp.opts = 0;
 2936         sp->ipcp.flags = 0;
 2937         sp->state[IDX_IPCP] = STATE_INITIAL;
 2938         sp->fail_counter[IDX_IPCP] = 0;
 2939         sp->pp_seq[IDX_IPCP] = 0;
 2940         sp->pp_rseq[IDX_IPCP] = 0;
 2941         callout_init(&sp->ch[IDX_IPCP],
 2942                     (SP2IFP(sp)->if_flags & IFF_NEEDSGIANT) ? 0 : CALLOUT_MPSAFE);
 2943 }
 2944 
 2945 static void
 2946 sppp_ipcp_up(struct sppp *sp)
 2947 {
 2948         sppp_up_event(&ipcp, sp);
 2949 }
 2950 
 2951 static void
 2952 sppp_ipcp_down(struct sppp *sp)
 2953 {
 2954         sppp_down_event(&ipcp, sp);
 2955 }
 2956 
 2957 static void
 2958 sppp_ipcp_open(struct sppp *sp)
 2959 {
 2960         STDDCL;
 2961         u_long myaddr, hisaddr;
 2962 
 2963         sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN | IPCP_MYADDR_SEEN |
 2964                             IPCP_MYADDR_DYN | IPCP_VJ);
 2965         sp->ipcp.opts = 0;
 2966 
 2967         sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0);
 2968         /*
 2969          * If we don't have his address, this probably means our
 2970          * interface doesn't want to talk IP at all.  (This could
 2971          * be the case if somebody wants to speak only IPX, for
 2972          * example.)  Don't open IPCP in this case.
 2973          */
 2974         if (hisaddr == 0L) {
 2975                 /* XXX this message should go away */
 2976                 if (debug)
 2977                         log(LOG_DEBUG, SPP_FMT "ipcp_open(): no IP interface\n",
 2978                             SPP_ARGS(ifp));
 2979                 return;
 2980         }
 2981         if (myaddr == 0L) {
 2982                 /*
 2983                  * I don't have an assigned address, so i need to
 2984                  * negotiate my address.
 2985                  */
 2986                 sp->ipcp.flags |= IPCP_MYADDR_DYN;
 2987                 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS);
 2988         } else
 2989                 sp->ipcp.flags |= IPCP_MYADDR_SEEN;
 2990         if (sp->confflags & CONF_ENABLE_VJ) {
 2991                 sp->ipcp.opts |= (1 << IPCP_OPT_COMPRESSION);
 2992                 sp->ipcp.max_state = MAX_STATES - 1;
 2993                 sp->ipcp.compress_cid = 1;
 2994         }
 2995         sppp_open_event(&ipcp, sp);
 2996 }
 2997 
 2998 static void
 2999 sppp_ipcp_close(struct sppp *sp)
 3000 {
 3001         sppp_close_event(&ipcp, sp);
 3002         if (sp->ipcp.flags & IPCP_MYADDR_DYN)
 3003                 /*
 3004                  * My address was dynamic, clear it again.
 3005                  */
 3006                 sppp_set_ip_addr(sp, 0L);
 3007 }
 3008 
 3009 static void
 3010 sppp_ipcp_TO(void *cookie)
 3011 {
 3012         sppp_to_event(&ipcp, (struct sppp *)cookie);
 3013 }
 3014 
 3015 /*
 3016  * Analyze a configure request.  Return true if it was agreeable, and
 3017  * caused action sca, false if it has been rejected or nak'ed, and
 3018  * caused action scn.  (The return value is used to make the state
 3019  * transition decision in the state automaton.)
 3020  */
 3021 static int
 3022 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len)
 3023 {
 3024         u_char *buf, *r, *p;
 3025         struct ifnet *ifp = SP2IFP(sp);
 3026         int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG;
 3027         u_long hisaddr, desiredaddr;
 3028         int gotmyaddr = 0;
 3029         int desiredcomp;
 3030 
 3031         len -= 4;
 3032         origlen = len;
 3033         /*
 3034          * Make sure to allocate a buf that can at least hold a
 3035          * conf-nak with an `address' option.  We might need it below.
 3036          */
 3037         buf = r = malloc ((len < 6? 6: len), M_TEMP, M_NOWAIT);
 3038         if (! buf)
 3039                 return (0);
 3040 
 3041         /* pass 1: see if we can recognize them */
 3042         if (debug)
 3043                 log(LOG_DEBUG, SPP_FMT "ipcp parse opts: ",
 3044                     SPP_ARGS(ifp));
 3045         p = (void*) (h+1);
 3046         for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
 3047             len-=p[1], p+=p[1]) {
 3048                 if (debug)
 3049                         log(-1, " %s ", sppp_ipcp_opt_name(*p));
 3050                 switch (*p) {
 3051                 case IPCP_OPT_COMPRESSION:
 3052                         if (!(sp->confflags & CONF_ENABLE_VJ)) {
 3053                                 /* VJ compression administratively disabled */
 3054                                 if (debug)
 3055                                         log(-1, "[locally disabled] ");
 3056                                 break;
 3057                         }
 3058                         /*
 3059                          * In theory, we should only conf-rej an
 3060                          * option that is shorter than RFC 1618
 3061                          * requires (i.e. < 4), and should conf-nak
 3062                          * anything else that is not VJ.  However,
 3063                          * since our algorithm always uses the
 3064                          * original option to NAK it with new values,
 3065                          * things would become more complicated.  In
 3066                          * pratice, the only commonly implemented IP
 3067                          * compression option is VJ anyway, so the
 3068                          * difference is negligible.
 3069                          */
 3070                         if (len >= 6 && p[1] == 6) {
 3071                                 /*
 3072                                  * correctly formed compression option
 3073                                  * that could be VJ compression
 3074                                  */
 3075                                 continue;
 3076                         }
 3077                         if (debug)
 3078                                 log(-1,
 3079                                     "optlen %d [invalid/unsupported] ",
 3080                                     p[1]);
 3081                         break;
 3082                 case IPCP_OPT_ADDRESS:
 3083                         if (len >= 6 && p[1] == 6) {
 3084                                 /* correctly formed address option */
 3085                                 continue;
 3086                         }
 3087                         if (debug)
 3088                                 log(-1, "[invalid] ");
 3089                         break;
 3090                 default:
 3091                         /* Others not supported. */
 3092                         if (debug)
 3093                                 log(-1, "[rej] ");
 3094                         break;
 3095                 }
 3096                 /* Add the option to rejected list. */
 3097                 bcopy (p, r, p[1]);
 3098                 r += p[1];
 3099                 rlen += p[1];
 3100         }
 3101         if (rlen) {
 3102                 if (debug)
 3103                         log(-1, " send conf-rej\n");
 3104                 sppp_cp_send (sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf);
 3105                 return 0;
 3106         } else if (debug)
 3107                 log(-1, "\n");
 3108 
 3109         /* pass 2: parse option values */
 3110         sppp_get_ip_addrs(sp, 0, &hisaddr, 0);
 3111         if (debug)
 3112                 log(LOG_DEBUG, SPP_FMT "ipcp parse opt values: ",
 3113                        SPP_ARGS(ifp));
 3114         p = (void*) (h+1);
 3115         len = origlen;
 3116         for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
 3117             len-=p[1], p+=p[1]) {
 3118                 if (debug)
 3119                         log(-1, " %s ", sppp_ipcp_opt_name(*p));
 3120                 switch (*p) {
 3121                 case IPCP_OPT_COMPRESSION:
 3122                         desiredcomp = p[2] << 8 | p[3];
 3123                         /* We only support VJ */
 3124                         if (desiredcomp == IPCP_COMP_VJ) {
 3125                                 if (debug)
 3126                                         log(-1, "VJ [ack] ");
 3127                                 sp->ipcp.flags |= IPCP_VJ;
 3128                                 sl_compress_init(sp->pp_comp, p[4]);
 3129                                 sp->ipcp.max_state = p[4];
 3130                                 sp->ipcp.compress_cid = p[5];
 3131                                 continue;
 3132                         }
 3133                         if (debug)
 3134                                 log(-1,
 3135                                     "compproto %#04x [not supported] ",
 3136                                     desiredcomp);
 3137                         p[2] = IPCP_COMP_VJ >> 8;
 3138                         p[3] = IPCP_COMP_VJ;
 3139                         p[4] = sp->ipcp.max_state;
 3140                         p[5] = sp->ipcp.compress_cid;
 3141                         break;
 3142                 case IPCP_OPT_ADDRESS:
 3143                         /* This is the address he wants in his end */
 3144                         desiredaddr = p[2] << 24 | p[3] << 16 |
 3145                                 p[4] << 8 | p[5];
 3146                         if (desiredaddr == hisaddr ||
 3147                             (hisaddr >= 1 && hisaddr <= 254 && desiredaddr != 0)) {
 3148                                 /*
 3149                                  * Peer's address is same as our value,
 3150                                  * or we have set it to 0.0.0.* to
 3151                                  * indicate that we do not really care,
 3152                                  * this is agreeable.  Gonna conf-ack
 3153                                  * it.
 3154                                  */
 3155                                 if (debug)
 3156                                         log(-1, "%s [ack] ",
 3157                                                 sppp_dotted_quad(hisaddr));
 3158                                 /* record that we've seen it already */
 3159                                 sp->ipcp.flags |= IPCP_HISADDR_SEEN;
 3160                                 continue;
 3161                         }
 3162                         /*
 3163                          * The address wasn't agreeable.  This is either
 3164                          * he sent us 0.0.0.0, asking to assign him an
 3165                          * address, or he send us another address not
 3166                          * matching our value.  Either case, we gonna
 3167                          * conf-nak it with our value.
 3168                          * XXX: we should "rej" if hisaddr == 0
 3169                          */
 3170                         if (debug) {
 3171                                 if (desiredaddr == 0)
 3172                                         log(-1, "[addr requested] ");
 3173                                 else
 3174                                         log(-1, "%s [not agreed] ",
 3175                                                 sppp_dotted_quad(desiredaddr));
 3176 
 3177                         }
 3178                         p[2] = hisaddr >> 24;
 3179                         p[3] = hisaddr >> 16;
 3180                         p[4] = hisaddr >> 8;
 3181                         p[5] = hisaddr;
 3182                         break;
 3183                 }
 3184                 /* Add the option to nak'ed list. */
 3185                 bcopy (p, r, p[1]);
 3186                 r += p[1];
 3187                 rlen += p[1];
 3188         }
 3189 
 3190         /*
 3191          * If we are about to conf-ack the request, but haven't seen
 3192          * his address so far, gonna conf-nak it instead, with the
 3193          * `address' option present and our idea of his address being
 3194          * filled in there, to request negotiation of both addresses.
 3195          *
 3196          * XXX This can result in an endless req - nak loop if peer
 3197          * doesn't want to send us his address.  Q: What should we do
 3198          * about it?  XXX  A: implement the max-failure counter.
 3199          */
 3200         if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN) && !gotmyaddr) {
 3201                 buf[0] = IPCP_OPT_ADDRESS;
 3202                 buf[1] = 6;
 3203                 buf[2] = hisaddr >> 24;
 3204                 buf[3] = hisaddr >> 16;
 3205                 buf[4] = hisaddr >> 8;
 3206                 buf[5] = hisaddr;
 3207                 rlen = 6;
 3208                 if (debug)
 3209                         log(-1, "still need hisaddr ");
 3210         }
 3211 
 3212         if (rlen) {
 3213                 if (debug)
 3214                         log(-1, " send conf-nak\n");
 3215                 sppp_cp_send (sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf);
 3216         } else {
 3217                 if (debug)
 3218                         log(-1, " send conf-ack\n");
 3219                 sppp_cp_send (sp, PPP_IPCP, CONF_ACK,
 3220                               h->ident, origlen, h+1);
 3221         }
 3222 
 3223         free (buf, M_TEMP);
 3224         return (rlen == 0);
 3225 }
 3226 
 3227 /*
 3228  * Analyze the IPCP Configure-Reject option list, and adjust our
 3229  * negotiation.
 3230  */
 3231 static void
 3232 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
 3233 {
 3234         u_char *buf, *p;
 3235         struct ifnet *ifp = SP2IFP(sp);
 3236         int debug = ifp->if_flags & IFF_DEBUG;
 3237 
 3238         len -= 4;
 3239         buf = malloc (len, M_TEMP, M_NOWAIT);
 3240         if (!buf)
 3241                 return;
 3242 
 3243         if (debug)
 3244                 log(LOG_DEBUG, SPP_FMT "ipcp rej opts: ",
 3245                     SPP_ARGS(ifp));
 3246 
 3247         p = (void*) (h+1);
 3248         for (; len >= 2 && p[1] >= 2 && len >= p[1];
 3249             len -= p[1], p += p[1]) {
 3250                 if (debug)
 3251                         log(-1, " %s ", sppp_ipcp_opt_name(*p));
 3252                 switch (*p) {
 3253                 case IPCP_OPT_COMPRESSION:
 3254                         sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESSION);
 3255                         break;
 3256                 case IPCP_OPT_ADDRESS:
 3257                         /*
 3258                          * Peer doesn't grok address option.  This is
 3259                          * bad.  XXX  Should we better give up here?
 3260                          * XXX We could try old "addresses" option...
 3261                          */
 3262                         sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS);
 3263                         break;
 3264                 }
 3265         }
 3266         if (debug)
 3267                 log(-1, "\n");
 3268         free (buf, M_TEMP);
 3269         return;
 3270 }
 3271 
 3272 /*
 3273  * Analyze the IPCP Configure-NAK option list, and adjust our
 3274  * negotiation.
 3275  */
 3276 static void
 3277 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
 3278 {
 3279         u_char *buf, *p;
 3280         struct ifnet *ifp = SP2IFP(sp);
 3281         int debug = ifp->if_flags & IFF_DEBUG;
 3282         int desiredcomp;
 3283         u_long wantaddr;
 3284 
 3285         len -= 4;
 3286         buf = malloc (len, M_TEMP, M_NOWAIT);
 3287         if (!buf)
 3288                 return;
 3289 
 3290         if (debug)
 3291                 log(LOG_DEBUG, SPP_FMT "ipcp nak opts: ",
 3292                     SPP_ARGS(ifp));
 3293 
 3294         p = (void*) (h+1);
 3295         for (; len >= 2 && p[1] >= 2 && len >= p[1];
 3296             len -= p[1], p += p[1]) {
 3297                 if (debug)
 3298                         log(-1, " %s ", sppp_ipcp_opt_name(*p));
 3299                 switch (*p) {
 3300                 case IPCP_OPT_COMPRESSION:
 3301                         if (len >= 6 && p[1] == 6) {
 3302                                 desiredcomp = p[2] << 8 | p[3];
 3303                                 if (debug)
 3304                                         log(-1, "[wantcomp %#04x] ",
 3305                                                 desiredcomp);
 3306                                 if (desiredcomp == IPCP_COMP_VJ) {
 3307                                         sl_compress_init(sp->pp_comp, p[4]);
 3308                                         sp->ipcp.max_state = p[4];
 3309                                         sp->ipcp.compress_cid = p[5];
 3310                                         if (debug)
 3311                                                 log(-1, "[agree] ");
 3312                                 } else
 3313                                         sp->ipcp.opts &=
 3314                                                 ~(1 << IPCP_OPT_COMPRESSION);
 3315                         }
 3316                         break;
 3317                 case IPCP_OPT_ADDRESS:
 3318                         /*
 3319                          * Peer doesn't like our local IP address.  See
 3320                          * if we can do something for him.  We'll drop
 3321                          * him our address then.
 3322                          */
 3323                         if (len >= 6 && p[1] == 6) {
 3324                                 wantaddr = p[2] << 24 | p[3] << 16 |
 3325                                         p[4] << 8 | p[5];
 3326                                 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS);
 3327                                 if (debug)
 3328                                         log(-1, "[wantaddr %s] ",
 3329                                                sppp_dotted_quad(wantaddr));
 3330                                 /*
 3331                                  * When doing dynamic address assignment,
 3332                                  * we accept his offer.  Otherwise, we
 3333                                  * ignore it and thus continue to negotiate
 3334                                  * our already existing value.
 3335                                  * XXX: Bogus, if he said no once, he'll
 3336                                  * just say no again, might as well die.
 3337                                  */
 3338                                 if (sp->ipcp.flags & IPCP_MYADDR_DYN) {
 3339                                         sppp_set_ip_addr(sp, wantaddr);
 3340                                         if (debug)
 3341                                                 log(-1, "[agree] ");
 3342                                         sp->ipcp.flags |= IPCP_MYADDR_SEEN;
 3343                                 }
 3344                         }
 3345                         break;
 3346                 }
 3347         }
 3348         if (debug)
 3349                 log(-1, "\n");
 3350         free (buf, M_TEMP);
 3351         return;
 3352 }
 3353 
 3354 static void
 3355 sppp_ipcp_tlu(struct sppp *sp)
 3356 {
 3357         /* we are up - notify isdn daemon */
 3358         if (sp->pp_con)
 3359                 sp->pp_con(sp);
 3360 }
 3361 
 3362 static void
 3363 sppp_ipcp_tld(struct sppp *sp)
 3364 {
 3365 }
 3366 
 3367 static void
 3368 sppp_ipcp_tls(struct sppp *sp)
 3369 {
 3370         /* indicate to LCP that it must stay alive */
 3371         sp->lcp.protos |= (1 << IDX_IPCP);
 3372 }
 3373 
 3374 static void
 3375 sppp_ipcp_tlf(struct sppp *sp)
 3376 {
 3377         /* we no longer need LCP */
 3378         sp->lcp.protos &= ~(1 << IDX_IPCP);
 3379         sppp_lcp_check_and_close(sp);
 3380 }
 3381 
 3382 static void
 3383 sppp_ipcp_scr(struct sppp *sp)
 3384 {
 3385         char opt[6 /* compression */ + 6 /* address */];
 3386         u_long ouraddr;
 3387         int i = 0;
 3388 
 3389         if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) {
 3390                 opt[i++] = IPCP_OPT_COMPRESSION;
 3391                 opt[i++] = 6;
 3392                 opt[i++] = IPCP_COMP_VJ >> 8;
 3393                 opt[i++] = IPCP_COMP_VJ;
 3394                 opt[i++] = sp->ipcp.max_state;
 3395                 opt[i++] = sp->ipcp.compress_cid;
 3396         }
 3397         if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) {
 3398                 sppp_get_ip_addrs(sp, &ouraddr, 0, 0);
 3399                 opt[i++] = IPCP_OPT_ADDRESS;
 3400                 opt[i++] = 6;
 3401                 opt[i++] = ouraddr >> 24;
 3402                 opt[i++] = ouraddr >> 16;
 3403                 opt[i++] = ouraddr >> 8;
 3404                 opt[i++] = ouraddr;
 3405         }
 3406 
 3407         sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP];
 3408         sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt);
 3409 }
 3410 
 3411 /*
 3412  *--------------------------------------------------------------------------*
 3413  *                                                                          *
 3414  *                      The IPv6CP implementation.                          *
 3415  *                                                                          *
 3416  *--------------------------------------------------------------------------*
 3417  */
 3418 
 3419 #ifdef INET6
 3420 static void
 3421 sppp_ipv6cp_init(struct sppp *sp)
 3422 {
 3423         sp->ipv6cp.opts = 0;
 3424         sp->ipv6cp.flags = 0;
 3425         sp->state[IDX_IPV6CP] = STATE_INITIAL;
 3426         sp->fail_counter[IDX_IPV6CP] = 0;
 3427         sp->pp_seq[IDX_IPV6CP] = 0;
 3428         sp->pp_rseq[IDX_IPV6CP] = 0;
 3429         callout_init(&sp->ch[IDX_IPV6CP],
 3430                     (SP2IFP(sp)->if_flags & IFF_NEEDSGIANT) ? 0 : CALLOUT_MPSAFE);
 3431 }
 3432 
 3433 static void
 3434 sppp_ipv6cp_up(struct sppp *sp)
 3435 {
 3436         sppp_up_event(&ipv6cp, sp);
 3437 }
 3438 
 3439 static void
 3440 sppp_ipv6cp_down(struct sppp *sp)
 3441 {
 3442         sppp_down_event(&ipv6cp, sp);
 3443 }
 3444 
 3445 static void
 3446 sppp_ipv6cp_open(struct sppp *sp)
 3447 {
 3448         STDDCL;
 3449         struct in6_addr myaddr, hisaddr;
 3450 
 3451 #ifdef IPV6CP_MYIFID_DYN
 3452         sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN);
 3453 #else
 3454         sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN;
 3455 #endif
 3456 
 3457         sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0);
 3458         /*
 3459          * If we don't have our address, this probably means our
 3460          * interface doesn't want to talk IPv6 at all.  (This could
 3461          * be the case if somebody wants to speak only IPX, for
 3462          * example.)  Don't open IPv6CP in this case.
 3463          */
 3464         if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) {
 3465                 /* XXX this message should go away */
 3466                 if (debug)
 3467                         log(LOG_DEBUG, SPP_FMT "ipv6cp_open(): no IPv6 interface\n",
 3468                             SPP_ARGS(ifp));
 3469                 return;
 3470         }
 3471 
 3472         sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN;
 3473         sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID);
 3474         sppp_open_event(&ipv6cp, sp);
 3475 }
 3476 
 3477 static void
 3478 sppp_ipv6cp_close(struct sppp *sp)
 3479 {
 3480         sppp_close_event(&ipv6cp, sp);
 3481 }
 3482 
 3483 static void
 3484 sppp_ipv6cp_TO(void *cookie)
 3485 {
 3486         sppp_to_event(&ipv6cp, (struct sppp *)cookie);
 3487 }
 3488 
 3489 /*
 3490  * Analyze a configure request.  Return true if it was agreeable, and
 3491  * caused action sca, false if it has been rejected or nak'ed, and
 3492  * caused action scn.  (The return value is used to make the state
 3493  * transition decision in the state automaton.)
 3494  */
 3495 static int
 3496 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len)
 3497 {
 3498         u_char *buf, *r, *p;
 3499         struct ifnet *ifp = SP2IFP(sp);
 3500         int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG;
 3501         struct in6_addr myaddr, desiredaddr, suggestaddr;
 3502         int ifidcount;
 3503         int type;
 3504         int collision, nohisaddr;
 3505 
 3506         len -= 4;
 3507         origlen = len;
 3508         /*
 3509          * Make sure to allocate a buf that can at least hold a
 3510          * conf-nak with an `address' option.  We might need it below.
 3511          */
 3512         buf = r = malloc ((len < 6? 6: len), M_TEMP, M_NOWAIT);
 3513         if (! buf)
 3514                 return (0);
 3515 
 3516         /* pass 1: see if we can recognize them */
 3517         if (debug)
 3518                 log(LOG_DEBUG, SPP_FMT "ipv6cp parse opts:",
 3519                     SPP_ARGS(ifp));
 3520         p = (void*) (h+1);
 3521         ifidcount = 0;
 3522         for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
 3523             len-=p[1], p+=p[1]) {
 3524                 if (debug)
 3525                         log(-1, " %s", sppp_ipv6cp_opt_name(*p));
 3526                 switch (*p) {
 3527                 case IPV6CP_OPT_IFID:
 3528                         if (len >= 10 && p[1] == 10 && ifidcount == 0) {
 3529                                 /* correctly formed address option */
 3530                                 ifidcount++;
 3531                                 continue;
 3532                         }
 3533                         if (debug)
 3534                                 log(-1, " [invalid]");
 3535                         break;
 3536 #ifdef notyet
 3537                 case IPV6CP_OPT_COMPRESSION:
 3538                         if (len >= 4 && p[1] >= 4) {
 3539                                 /* correctly formed compress option */
 3540                                 continue;
 3541                         }
 3542                         if (debug)
 3543                                 log(-1, " [invalid]");
 3544                         break;
 3545 #endif
 3546                 default:
 3547                         /* Others not supported. */
 3548                         if (debug)
 3549                                 log(-1, " [rej]");
 3550                         break;
 3551                 }
 3552                 /* Add the option to rejected list. */
 3553                 bcopy (p, r, p[1]);
 3554                 r += p[1];
 3555                 rlen += p[1];
 3556         }
 3557         if (rlen) {
 3558                 if (debug)
 3559                         log(-1, " send conf-rej\n");
 3560                 sppp_cp_send (sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf);
 3561                 goto end;
 3562         } else if (debug)
 3563                 log(-1, "\n");
 3564 
 3565         /* pass 2: parse option values */
 3566         sppp_get_ip6_addrs(sp, &myaddr, 0, 0);
 3567         if (debug)
 3568                 log(LOG_DEBUG, SPP_FMT "ipv6cp parse opt values: ",
 3569                     SPP_ARGS(ifp));
 3570         p = (void*) (h+1);
 3571         len = origlen;
 3572         type = CONF_ACK;
 3573         for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
 3574             len-=p[1], p+=p[1]) {
 3575                 if (debug)
 3576                         log(-1, " %s", sppp_ipv6cp_opt_name(*p));
 3577                 switch (*p) {
 3578 #ifdef notyet
 3579                 case IPV6CP_OPT_COMPRESSION:
 3580                         continue;
 3581 #endif
 3582                 case IPV6CP_OPT_IFID:
 3583                         bzero(&desiredaddr, sizeof(desiredaddr));
 3584                         bcopy(&p[2], &desiredaddr.s6_addr[8], 8);
 3585                         collision = (bcmp(&desiredaddr.s6_addr[8],
 3586                                           &myaddr.s6_addr[8], 8) == 0);
 3587                         nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr);
 3588 
 3589                         desiredaddr.s6_addr16[0] = htons(0xfe80);
 3590                         (void)in6_setscope(&desiredaddr, SP2IFP(sp), NULL);
 3591 
 3592                         if (!collision && !nohisaddr) {
 3593                                 /* no collision, hisaddr known - Conf-Ack */
 3594                                 type = CONF_ACK;
 3595 
 3596                                 if (debug) {
 3597                                         log(-1, " %s [%s]",
 3598                                                ip6_sprintf(&desiredaddr),
 3599                                                sppp_cp_type_name(type));
 3600                                 }
 3601                                 continue;
 3602                         }
 3603 
 3604                         bzero(&suggestaddr, sizeof(&suggestaddr));
 3605                         if (collision && nohisaddr) {
 3606                                 /* collision, hisaddr unknown - Conf-Rej */
 3607                                 type = CONF_REJ;
 3608                                 bzero(&p[2], 8);
 3609                         } else {
 3610                                 /*
 3611                                  * - no collision, hisaddr unknown, or
 3612                                  * - collision, hisaddr known
 3613                                  * Conf-Nak, suggest hisaddr
 3614                                  */
 3615                                 type = CONF_NAK;
 3616                                 sppp_suggest_ip6_addr(sp, &suggestaddr);
 3617                                 bcopy(&suggestaddr.s6_addr[8], &p[2], 8);
 3618                         }
 3619                         if (debug)
 3620                                 log(-1, " %s [%s]", ip6_sprintf(&desiredaddr),
 3621                                        sppp_cp_type_name(type));
 3622                         break;
 3623                 }
 3624                 /* Add the option to nak'ed list. */
 3625                 bcopy (p, r, p[1]);
 3626                 r += p[1];
 3627                 rlen += p[1];
 3628         }
 3629 
 3630         if (rlen == 0 && type == CONF_ACK) {
 3631                 if (debug)
 3632                         log(-1, " send %s\n", sppp_cp_type_name(type));
 3633                 sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, origlen, h+1);
 3634         } else {
 3635 #ifdef DIAGNOSTIC
 3636                 if (type == CONF_ACK)
 3637                         panic("IPv6CP RCR: CONF_ACK with non-zero rlen");
 3638 #endif
 3639 
 3640                 if (debug) {
 3641                         log(-1, " send %s suggest %s\n",
 3642                                sppp_cp_type_name(type), ip6_sprintf(&suggestaddr));
 3643                 }
 3644                 sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, rlen, buf);
 3645         }
 3646 
 3647  end:
 3648         free (buf, M_TEMP);
 3649         return (rlen == 0);
 3650 }
 3651 
 3652 /*
 3653  * Analyze the IPv6CP Configure-Reject option list, and adjust our
 3654  * negotiation.
 3655  */
 3656 static void
 3657 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
 3658 {
 3659         u_char *buf, *p;
 3660         struct ifnet *ifp = SP2IFP(sp);
 3661         int debug = ifp->if_flags & IFF_DEBUG;
 3662 
 3663         len -= 4;
 3664         buf = malloc (len, M_TEMP, M_NOWAIT);
 3665         if (!buf)
 3666                 return;
 3667 
 3668         if (debug)
 3669                 log(LOG_DEBUG, SPP_FMT "ipv6cp rej opts:",
 3670                     SPP_ARGS(ifp));
 3671 
 3672         p = (void*) (h+1);
 3673         for (; len >= 2 && p[1] >= 2 && len >= p[1];
 3674             len -= p[1], p += p[1]) {
 3675                 if (debug)
 3676                         log(-1, " %s", sppp_ipv6cp_opt_name(*p));
 3677                 switch (*p) {
 3678                 case IPV6CP_OPT_IFID:
 3679                         /*
 3680                          * Peer doesn't grok address option.  This is
 3681                          * bad.  XXX  Should we better give up here?
 3682                          */
 3683                         sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID);
 3684                         break;
 3685 #ifdef notyet
 3686                 case IPV6CP_OPT_COMPRESS:
 3687                         sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS);
 3688                         break;
 3689 #endif
 3690                 }
 3691         }
 3692         if (debug)
 3693                 log(-1, "\n");
 3694         free (buf, M_TEMP);
 3695         return;
 3696 }
 3697 
 3698 /*
 3699  * Analyze the IPv6CP Configure-NAK option list, and adjust our
 3700  * negotiation.
 3701  */
 3702 static void
 3703 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
 3704 {
 3705         u_char *buf, *p;
 3706         struct ifnet *ifp = SP2IFP(sp);
 3707         int debug = ifp->if_flags & IFF_DEBUG;
 3708         struct in6_addr suggestaddr;
 3709 
 3710         len -= 4;
 3711         buf = malloc (len, M_TEMP, M_NOWAIT);
 3712         if (!buf)
 3713                 return;
 3714 
 3715         if (debug)
 3716                 log(LOG_DEBUG, SPP_FMT "ipv6cp nak opts:",
 3717                     SPP_ARGS(ifp));
 3718 
 3719         p = (void*) (h+1);
 3720         for (; len >= 2 && p[1] >= 2 && len >= p[1];
 3721             len -= p[1], p += p[1]) {
 3722                 if (debug)
 3723                         log(-1, " %s", sppp_ipv6cp_opt_name(*p));
 3724                 switch (*p) {
 3725                 case IPV6CP_OPT_IFID:
 3726                         /*
 3727                          * Peer doesn't like our local ifid.  See
 3728                          * if we can do something for him.  We'll drop
 3729                          * him our address then.
 3730                          */
 3731                         if (len < 10 || p[1] != 10)
 3732                                 break;
 3733                         bzero(&suggestaddr, sizeof(suggestaddr));
 3734                         suggestaddr.s6_addr16[0] = htons(0xfe80);
 3735                         (void)in6_setscope(&suggestaddr, SP2IFP(sp), NULL);
 3736                         bcopy(&p[2], &suggestaddr.s6_addr[8], 8);
 3737 
 3738                         sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID);
 3739                         if (debug)
 3740                                 log(-1, " [suggestaddr %s]",
 3741                                        ip6_sprintf(&suggestaddr));
 3742 #ifdef IPV6CP_MYIFID_DYN
 3743                         /*
 3744                          * When doing dynamic address assignment,
 3745                          * we accept his offer.
 3746                          */
 3747                         if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) {
 3748                                 struct in6_addr lastsuggest;
 3749                                 /*
 3750                                  * If <suggested myaddr from peer> equals to
 3751                                  * <hisaddr we have suggested last time>,
 3752                                  * we have a collision.  generate new random
 3753                                  * ifid.
 3754                                  */
 3755                                 sppp_suggest_ip6_addr(&lastsuggest);
 3756                                 if (IN6_ARE_ADDR_EQUAL(&suggestaddr,
 3757                                                        lastsuggest)) {
 3758                                         if (debug)
 3759                                                 log(-1, " [random]");
 3760                                         sppp_gen_ip6_addr(sp, &suggestaddr);
 3761                                 }
 3762                                 sppp_set_ip6_addr(sp, &suggestaddr, 0);
 3763                                 if (debug)
 3764                                         log(-1, " [agree]");
 3765                                 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN;
 3766                         }
 3767 #else
 3768                         /*
 3769                          * Since we do not do dynamic address assignment,
 3770                          * we ignore it and thus continue to negotiate
 3771                          * our already existing value.  This can possibly
 3772                          * go into infinite request-reject loop.
 3773                          *
 3774                          * This is not likely because we normally use
 3775                          * ifid based on MAC-address.
 3776                          * If you have no ethernet card on the node, too bad.
 3777                          * XXX should we use fail_counter?
 3778                          */
 3779 #endif
 3780                         break;
 3781 #ifdef notyet
 3782                 case IPV6CP_OPT_COMPRESS:
 3783                         /*
 3784                          * Peer wants different compression parameters.
 3785                          */
 3786                         break;
 3787 #endif
 3788                 }
 3789         }
 3790         if (debug)
 3791                 log(-1, "\n");
 3792         free (buf, M_TEMP);
 3793         return;
 3794 }
 3795 static void
 3796 sppp_ipv6cp_tlu(struct sppp *sp)
 3797 {
 3798         /* we are up - notify isdn daemon */
 3799         if (sp->pp_con)
 3800                 sp->pp_con(sp);
 3801 }
 3802 
 3803 static void
 3804 sppp_ipv6cp_tld(struct sppp *sp)
 3805 {
 3806 }
 3807 
 3808 static void
 3809 sppp_ipv6cp_tls(struct sppp *sp)
 3810 {
 3811         /* indicate to LCP that it must stay alive */
 3812         sp->lcp.protos |= (1 << IDX_IPV6CP);
 3813 }
 3814 
 3815 static void
 3816 sppp_ipv6cp_tlf(struct sppp *sp)
 3817 {
 3818 
 3819 #if 0   /* need #if 0 to close IPv6CP properly */
 3820         /* we no longer need LCP */
 3821         sp->lcp.protos &= ~(1 << IDX_IPV6CP);
 3822         sppp_lcp_check_and_close(sp);
 3823 #endif
 3824 }
 3825 
 3826 static void
 3827 sppp_ipv6cp_scr(struct sppp *sp)
 3828 {
 3829         char opt[10 /* ifid */ + 4 /* compression, minimum */];
 3830         struct in6_addr ouraddr;
 3831         int i = 0;
 3832 
 3833         if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) {
 3834                 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0);
 3835                 opt[i++] = IPV6CP_OPT_IFID;
 3836                 opt[i++] = 10;
 3837                 bcopy(&ouraddr.s6_addr[8], &opt[i], 8);
 3838                 i += 8;
 3839         }
 3840 
 3841 #ifdef notyet
 3842         if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) {
 3843                 opt[i++] = IPV6CP_OPT_COMPRESSION;
 3844                 opt[i++] = 4;
 3845                 opt[i++] = 0;   /* TBD */
 3846                 opt[i++] = 0;   /* TBD */
 3847                 /* variable length data may follow */
 3848         }
 3849 #endif
 3850 
 3851         sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP];
 3852         sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt);
 3853 }
 3854 #else /*INET6*/
 3855 static void sppp_ipv6cp_init(struct sppp *sp)
 3856 {
 3857 }
 3858 
 3859 static void sppp_ipv6cp_up(struct sppp *sp)
 3860 {
 3861 }
 3862 
 3863 static void sppp_ipv6cp_down(struct sppp *sp)
 3864 {
 3865 }
 3866 
 3867 
 3868 static void sppp_ipv6cp_open(struct sppp *sp)
 3869 {
 3870 }
 3871 
 3872 static void sppp_ipv6cp_close(struct sppp *sp)
 3873 {
 3874 }
 3875 
 3876 static void sppp_ipv6cp_TO(void *sp)
 3877 {
 3878 }
 3879 
 3880 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len)
 3881 {
 3882         return 0;
 3883 }
 3884 
 3885 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
 3886 {
 3887 }
 3888 
 3889 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
 3890 {
 3891 }
 3892 
 3893 static void sppp_ipv6cp_tlu(struct sppp *sp)
 3894 {
 3895 }
 3896 
 3897 static void sppp_ipv6cp_tld(struct sppp *sp)
 3898 {
 3899 }
 3900 
 3901 static void sppp_ipv6cp_tls(struct sppp *sp)
 3902 {
 3903 }
 3904 
 3905 static void sppp_ipv6cp_tlf(struct sppp *sp)
 3906 {
 3907 }
 3908 
 3909 static void sppp_ipv6cp_scr(struct sppp *sp)
 3910 {
 3911 }
 3912 #endif /*INET6*/
 3913 
 3914 /*
 3915  *--------------------------------------------------------------------------*
 3916  *                                                                          *
 3917  *                        The CHAP implementation.                          *
 3918  *                                                                          *
 3919  *--------------------------------------------------------------------------*
 3920  */
 3921 
 3922 /*
 3923  * The authentication protocols don't employ a full-fledged state machine as
 3924  * the control protocols do, since they do have Open and Close events, but
 3925  * not Up and Down, nor are they explicitly terminated.  Also, use of the
 3926  * authentication protocols may be different in both directions (this makes
 3927  * sense, think of a machine that never accepts incoming calls but only
 3928  * calls out, it doesn't require the called party to authenticate itself).
 3929  *
 3930  * Our state machine for the local authentication protocol (we are requesting
 3931  * the peer to authenticate) looks like:
 3932  *
 3933  *                                                  RCA-
 3934  *            +--------------------------------------------+
 3935  *            V                                     scn,tld|
 3936  *        +--------+                           Close   +---------+ RCA+
 3937  *        |        |<----------------------------------|         |------+
 3938  *   +--->| Closed |                            TO*    | Opened  | sca  |
 3939  *   |    |        |-----+                     +-------|         |<-----+
 3940  *   |    +--------+ irc |                     |       +---------+
 3941  *   |      ^            |                     |           ^
 3942  *   |      |            |                     |           |
 3943  *   |      |            |                     |           |
 3944  *   |   TO-|            |                     |           |
 3945  *   |      |tld  TO+    V                     |           |
 3946  *   |      |   +------->+                     |           |
 3947  *   |      |   |        |                     |           |
 3948  *   |    +--------+     V                     |           |
 3949  *   |    |        |<----+<--------------------+           |
 3950  *   |    | Req-   | scr                                   |
 3951  *   |    | Sent   |                                       |
 3952  *   |    |        |                                       |
 3953  *   |    +--------+                                       |
 3954  *   | RCA- |   | RCA+                                     |
 3955  *   +------+   +------------------------------------------+
 3956  *   scn,tld      sca,irc,ict,tlu
 3957  *
 3958  *
 3959  *   with:
 3960  *
 3961  *      Open:   LCP reached authentication phase
 3962  *      Close:  LCP reached terminate phase
 3963  *
 3964  *      RCA+:   received reply (pap-req, chap-response), acceptable
 3965  *      RCN:    received reply (pap-req, chap-response), not acceptable
 3966  *      TO+:    timeout with restart counter >= 0
 3967  *      TO-:    timeout with restart counter < 0
 3968  *      TO*:    reschedule timeout for CHAP
 3969  *
 3970  *      scr:    send request packet (none for PAP, chap-challenge)
 3971  *      sca:    send ack packet (pap-ack, chap-success)
 3972  *      scn:    send nak packet (pap-nak, chap-failure)
 3973  *      ict:    initialize re-challenge timer (CHAP only)
 3974  *
 3975  *      tlu:    this-layer-up, LCP reaches network phase
 3976  *      tld:    this-layer-down, LCP enters terminate phase
 3977  *
 3978  * Note that in CHAP mode, after sending a new challenge, while the state
 3979  * automaton falls back into Req-Sent state, it doesn't signal a tld
 3980  * event to LCP, so LCP remains in network phase.  Only after not getting
 3981  * any response (or after getting an unacceptable response), CHAP closes,
 3982  * causing LCP to enter terminate phase.
 3983  *
 3984  * With PAP, there is no initial request that can be sent.  The peer is
 3985  * expected to send one based on the successful negotiation of PAP as
 3986  * the authentication protocol during the LCP option negotiation.
 3987  *
 3988  * Incoming authentication protocol requests (remote requests
 3989  * authentication, we are peer) don't employ a state machine at all,
 3990  * they are simply answered.  Some peers [Ascend P50 firmware rev
 3991  * 4.50] react allergically when sending IPCP requests while they are
 3992  * still in authentication phase (thereby violating the standard that
 3993  * demands that these NCP packets are to be discarded), so we keep
 3994  * track of the peer demanding us to authenticate, and only proceed to
 3995  * phase network once we've seen a positive acknowledge for the
 3996  * authentication.
 3997  */
 3998 
 3999 /*
 4000  * Handle incoming CHAP packets.
 4001  */
 4002 static void
 4003 sppp_chap_input(struct sppp *sp, struct mbuf *m)
 4004 {
 4005         STDDCL;
 4006         struct lcp_header *h;
 4007         int len, x;
 4008         u_char *value, *name, digest[AUTHKEYLEN], dsize;
 4009         int value_len, name_len;
 4010         MD5_CTX ctx;
 4011 
 4012         len = m->m_pkthdr.len;
 4013         if (len < 4) {
 4014                 if (debug)
 4015                         log(LOG_DEBUG,
 4016                             SPP_FMT "chap invalid packet length: %d bytes\n",
 4017                             SPP_ARGS(ifp), len);
 4018                 return;
 4019         }
 4020         h = mtod (m, struct lcp_header*);
 4021         if (len > ntohs (h->len))
 4022                 len = ntohs (h->len);
 4023 
 4024         switch (h->type) {
 4025         /* challenge, failure and success are his authproto */
 4026         case CHAP_CHALLENGE:
 4027                 value = 1 + (u_char*)(h+1);
 4028                 value_len = value[-1];
 4029                 name = value + value_len;
 4030                 name_len = len - value_len - 5;
 4031                 if (name_len < 0) {
 4032                         if (debug) {
 4033                                 log(LOG_DEBUG,
 4034                                     SPP_FMT "chap corrupted challenge "
 4035                                     "<%s id=0x%x len=%d",
 4036                                     SPP_ARGS(ifp),
 4037                                     sppp_auth_type_name(PPP_CHAP, h->type),
 4038                                     h->ident, ntohs(h->len));
 4039                                 sppp_print_bytes((u_char*) (h+1), len-4);
 4040                                 log(-1, ">\n");
 4041                         }
 4042                         break;
 4043                 }
 4044 
 4045                 if (debug) {
 4046                         log(LOG_DEBUG,
 4047                             SPP_FMT "chap input <%s id=0x%x len=%d name=",
 4048                             SPP_ARGS(ifp),
 4049                             sppp_auth_type_name(PPP_CHAP, h->type), h->ident,
 4050                             ntohs(h->len));
 4051                         sppp_print_string((char*) name, name_len);
 4052                         log(-1, " value-size=%d value=", value_len);
 4053                         sppp_print_bytes(value, value_len);
 4054                         log(-1, ">\n");
 4055                 }
 4056 
 4057                 /* Compute reply value. */
 4058                 MD5Init(&ctx);
 4059                 MD5Update(&ctx, &h->ident, 1);
 4060                 MD5Update(&ctx, sp->myauth.secret,
 4061                           sppp_strnlen(sp->myauth.secret, AUTHKEYLEN));
 4062                 MD5Update(&ctx, value, value_len);
 4063                 MD5Final(digest, &ctx);
 4064                 dsize = sizeof digest;
 4065 
 4066                 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident,
 4067                                sizeof dsize, (const char *)&dsize,
 4068                                sizeof digest, digest,
 4069                                (size_t)sppp_strnlen(sp->myauth.name, AUTHNAMELEN),
 4070                                sp->myauth.name,
 4071                                0);
 4072                 break;
 4073 
 4074         case CHAP_SUCCESS:
 4075                 if (debug) {
 4076                         log(LOG_DEBUG, SPP_FMT "chap success",
 4077                             SPP_ARGS(ifp));
 4078                         if (len > 4) {
 4079                                 log(-1, ": ");
 4080                                 sppp_print_string((char*)(h + 1), len - 4);
 4081                         }
 4082                         log(-1, "\n");
 4083                 }
 4084                 x = splimp();
 4085                 SPPP_LOCK(sp);
 4086                 sp->pp_flags &= ~PP_NEEDAUTH;
 4087                 if (sp->myauth.proto == PPP_CHAP &&
 4088                     (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) &&
 4089                     (sp->lcp.protos & (1 << IDX_CHAP)) == 0) {
 4090                         /*
 4091                          * We are authenticator for CHAP but didn't
 4092                          * complete yet.  Leave it to tlu to proceed
 4093                          * to network phase.
 4094                          */
 4095                         SPPP_UNLOCK(sp);
 4096                         splx(x);
 4097                         break;
 4098                 }
 4099                 SPPP_UNLOCK(sp);
 4100                 splx(x);
 4101                 sppp_phase_network(sp);
 4102                 break;
 4103 
 4104         case CHAP_FAILURE:
 4105                 if (debug) {
 4106                         log(LOG_INFO, SPP_FMT "chap failure",
 4107                             SPP_ARGS(ifp));
 4108                         if (len > 4) {
 4109                                 log(-1, ": ");
 4110                                 sppp_print_string((char*)(h + 1), len - 4);
 4111                         }
 4112                         log(-1, "\n");
 4113                 } else
 4114                         log(LOG_INFO, SPP_FMT "chap failure\n",
 4115                             SPP_ARGS(ifp));
 4116                 /* await LCP shutdown by authenticator */
 4117                 break;
 4118 
 4119         /* response is my authproto */
 4120         case CHAP_RESPONSE:
 4121                 value = 1 + (u_char*)(h+1);
 4122                 value_len = value[-1];
 4123                 name = value + value_len;
 4124                 name_len = len - value_len - 5;
 4125                 if (name_len < 0) {
 4126                         if (debug) {
 4127                                 log(LOG_DEBUG,
 4128                                     SPP_FMT "chap corrupted response "
 4129                                     "<%s id=0x%x len=%d",
 4130                                     SPP_ARGS(ifp),
 4131                                     sppp_auth_type_name(PPP_CHAP, h->type),
 4132                                     h->ident, ntohs(h->len));
 4133                                 sppp_print_bytes((u_char*)(h+1), len-4);
 4134                                 log(-1, ">\n");
 4135                         }
 4136                         break;
 4137                 }
 4138                 if (h->ident != sp->confid[IDX_CHAP]) {
 4139                         if (debug)
 4140                                 log(LOG_DEBUG,
 4141                                     SPP_FMT "chap dropping response for old ID "
 4142                                     "(got %d, expected %d)\n",
 4143                                     SPP_ARGS(ifp),
 4144                                     h->ident, sp->confid[IDX_CHAP]);
 4145                         break;
 4146                 }
 4147                 if (name_len != sppp_strnlen(sp->hisauth.name, AUTHNAMELEN)
 4148                     || bcmp(name, sp->hisauth.name, name_len) != 0) {
 4149                         log(LOG_INFO, SPP_FMT "chap response, his name ",
 4150                             SPP_ARGS(ifp));
 4151                         sppp_print_string(name, name_len);
 4152                         log(-1, " != expected ");
 4153                         sppp_print_string(sp->hisauth.name,
 4154                                           sppp_strnlen(sp->hisauth.name, AUTHNAMELEN));
 4155                         log(-1, "\n");
 4156                 }
 4157                 if (debug) {
 4158                         log(LOG_DEBUG, SPP_FMT "chap input(%s) "
 4159                             "<%s id=0x%x len=%d name=",
 4160                             SPP_ARGS(ifp),
 4161                             sppp_state_name(sp->state[IDX_CHAP]),
 4162                             sppp_auth_type_name(PPP_CHAP, h->type),
 4163                             h->ident, ntohs (h->len));
 4164                         sppp_print_string((char*)name, name_len);
 4165                         log(-1, " value-size=%d value=", value_len);
 4166                         sppp_print_bytes(value, value_len);
 4167                         log(-1, ">\n");
 4168                 }
 4169                 if (value_len != AUTHKEYLEN) {
 4170                         if (debug)
 4171                                 log(LOG_DEBUG,
 4172                                     SPP_FMT "chap bad hash value length: "
 4173                                     "%d bytes, should be %d\n",
 4174                                     SPP_ARGS(ifp), value_len,
 4175                                     AUTHKEYLEN);
 4176                         break;
 4177                 }
 4178 
 4179                 MD5Init(&ctx);
 4180                 MD5Update(&ctx, &h->ident, 1);
 4181                 MD5Update(&ctx, sp->hisauth.secret,
 4182                           sppp_strnlen(sp->hisauth.secret, AUTHKEYLEN));
 4183                 MD5Update(&ctx, sp->myauth.challenge, AUTHKEYLEN);
 4184                 MD5Final(digest, &ctx);
 4185 
 4186 #define FAILMSG "Failed..."
 4187 #define SUCCMSG "Welcome!"
 4188 
 4189                 if (value_len != sizeof digest ||
 4190                     bcmp(digest, value, value_len) != 0) {
 4191                         /* action scn, tld */
 4192                         sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident,
 4193                                        sizeof(FAILMSG) - 1, (u_char *)FAILMSG,
 4194                                        0);
 4195                         chap.tld(sp);
 4196                         break;
 4197                 }
 4198                 /* action sca, perhaps tlu */
 4199                 if (sp->state[IDX_CHAP] == STATE_REQ_SENT ||
 4200                     sp->state[IDX_CHAP] == STATE_OPENED)
 4201                         sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident,
 4202                                        sizeof(SUCCMSG) - 1, (u_char *)SUCCMSG,
 4203                                        0);
 4204                 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) {
 4205                         sppp_cp_change_state(&chap, sp, STATE_OPENED);
 4206                         chap.tlu(sp);
 4207                 }
 4208                 break;
 4209 
 4210         default:
 4211                 /* Unknown CHAP packet type -- ignore. */
 4212                 if (debug) {
 4213                         log(LOG_DEBUG, SPP_FMT "chap unknown input(%s) "
 4214                             "<0x%x id=0x%xh len=%d",
 4215                             SPP_ARGS(ifp),
 4216                             sppp_state_name(sp->state[IDX_CHAP]),
 4217                             h->type, h->ident, ntohs(h->len));
 4218                         sppp_print_bytes((u_char*)(h+1), len-4);
 4219                         log(-1, ">\n");
 4220                 }
 4221                 break;
 4222 
 4223         }
 4224 }
 4225 
 4226 static void
 4227 sppp_chap_init(struct sppp *sp)
 4228 {
 4229         /* Chap doesn't have STATE_INITIAL at all. */
 4230         sp->state[IDX_CHAP] = STATE_CLOSED;
 4231         sp->fail_counter[IDX_CHAP] = 0;
 4232         sp->pp_seq[IDX_CHAP] = 0;
 4233         sp->pp_rseq[IDX_CHAP] = 0;
 4234         callout_init(&sp->ch[IDX_CHAP],
 4235                     (SP2IFP(sp)->if_flags & IFF_NEEDSGIANT) ? 0 : CALLOUT_MPSAFE);
 4236 }
 4237 
 4238 static void
 4239 sppp_chap_open(struct sppp *sp)
 4240 {
 4241         if (sp->myauth.proto == PPP_CHAP &&
 4242             (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) {
 4243                 /* we are authenticator for CHAP, start it */
 4244                 chap.scr(sp);
 4245                 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure;
 4246                 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT);
 4247         }
 4248         /* nothing to be done if we are peer, await a challenge */
 4249 }
 4250 
 4251 static void
 4252 sppp_chap_close(struct sppp *sp)
 4253 {
 4254         if (sp->state[IDX_CHAP] != STATE_CLOSED)
 4255                 sppp_cp_change_state(&chap, sp, STATE_CLOSED);
 4256 }
 4257 
 4258 static void
 4259 sppp_chap_TO(void *cookie)
 4260 {
 4261         struct sppp *sp = (struct sppp *)cookie;
 4262         STDDCL;
 4263         int s;
 4264 
 4265         s = splimp();
 4266         SPPP_LOCK(sp);
 4267         if (debug)
 4268                 log(LOG_DEBUG, SPP_FMT "chap TO(%s) rst_counter = %d\n",
 4269                     SPP_ARGS(ifp),
 4270                     sppp_state_name(sp->state[IDX_CHAP]),
 4271                     sp->rst_counter[IDX_CHAP]);
 4272 
 4273         if (--sp->rst_counter[IDX_CHAP] < 0)
 4274                 /* TO- event */
 4275                 switch (sp->state[IDX_CHAP]) {
 4276                 case STATE_REQ_SENT:
 4277                         chap.tld(sp);
 4278                         sppp_cp_change_state(&chap, sp, STATE_CLOSED);
 4279                         break;
 4280                 }
 4281         else
 4282                 /* TO+ (or TO*) event */
 4283                 switch (sp->state[IDX_CHAP]) {
 4284                 case STATE_OPENED:
 4285                         /* TO* event */
 4286                         sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure;
 4287                         /* FALLTHROUGH */
 4288                 case STATE_REQ_SENT:
 4289                         chap.scr(sp);
 4290                         /* sppp_cp_change_state() will restart the timer */
 4291                         sppp_cp_change_state(&chap, sp, STATE_REQ_SENT);
 4292                         break;
 4293                 }
 4294 
 4295         SPPP_UNLOCK(sp);
 4296         splx(s);
 4297 }
 4298 
 4299 static void
 4300 sppp_chap_tlu(struct sppp *sp)
 4301 {
 4302         STDDCL;
 4303         int i, x;
 4304 
 4305         i = 0;
 4306         sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure;
 4307 
 4308         /*
 4309          * Some broken CHAP implementations (Conware CoNet, firmware
 4310          * 4.0.?) don't want to re-authenticate their CHAP once the
 4311          * initial challenge-response exchange has taken place.
 4312          * Provide for an option to avoid rechallenges.
 4313          */
 4314         if ((sp->hisauth.flags & AUTHFLAG_NORECHALLENGE) == 0) {
 4315                 /*
 4316                  * Compute the re-challenge timeout.  This will yield
 4317                  * a number between 300 and 810 seconds.
 4318                  */
 4319                 i = 300 + ((unsigned)(random() & 0xff00) >> 7);
 4320                 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, (void *)sp);
 4321         }
 4322 
 4323         if (debug) {
 4324                 log(LOG_DEBUG,
 4325                     SPP_FMT "chap %s, ",
 4326                     SPP_ARGS(ifp),
 4327                     sp->pp_phase == PHASE_NETWORK? "reconfirmed": "tlu");
 4328                 if ((sp->hisauth.flags & AUTHFLAG_NORECHALLENGE) == 0)
 4329                         log(-1, "next re-challenge in %d seconds\n", i);
 4330                 else
 4331                         log(-1, "re-challenging supressed\n");
 4332         }
 4333 
 4334         x = splimp();
 4335         SPPP_LOCK(sp);
 4336         /* indicate to LCP that we need to be closed down */
 4337         sp->lcp.protos |= (1 << IDX_CHAP);
 4338 
 4339         if (sp->pp_flags & PP_NEEDAUTH) {
 4340                 /*
 4341                  * Remote is authenticator, but his auth proto didn't
 4342                  * complete yet.  Defer the transition to network
 4343                  * phase.
 4344                  */
 4345                 SPPP_UNLOCK(sp);
 4346                 splx(x);
 4347                 return;
 4348         }
 4349         SPPP_UNLOCK(sp);
 4350         splx(x);
 4351 
 4352         /*
 4353          * If we are already in phase network, we are done here.  This
 4354          * is the case if this is a dummy tlu event after a re-challenge.
 4355          */
 4356         if (sp->pp_phase != PHASE_NETWORK)
 4357                 sppp_phase_network(sp);
 4358 }
 4359 
 4360 static void
 4361 sppp_chap_tld(struct sppp *sp)
 4362 {
 4363         STDDCL;
 4364 
 4365         if (debug)
 4366                 log(LOG_DEBUG, SPP_FMT "chap tld\n", SPP_ARGS(ifp));
 4367         callout_stop(&sp->ch[IDX_CHAP]);
 4368         sp->lcp.protos &= ~(1 << IDX_CHAP);
 4369 
 4370         lcp.Close(sp);
 4371 }
 4372 
 4373 static void
 4374 sppp_chap_scr(struct sppp *sp)
 4375 {
 4376         u_long *ch, seed;
 4377         u_char clen;
 4378 
 4379         /* Compute random challenge. */
 4380         ch = (u_long *)sp->myauth.challenge;
 4381 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
 4382         read_random(&seed, sizeof seed);
 4383 #else
 4384         {
 4385         struct timeval tv;
 4386         microtime(&tv);
 4387         seed = tv.tv_sec ^ tv.tv_usec;
 4388         }
 4389 #endif
 4390         ch[0] = seed ^ random();
 4391         ch[1] = seed ^ random();
 4392         ch[2] = seed ^ random();
 4393         ch[3] = seed ^ random();
 4394         clen = AUTHKEYLEN;
 4395 
 4396         sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP];
 4397 
 4398         sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP],
 4399                        sizeof clen, (const char *)&clen,
 4400                        (size_t)AUTHKEYLEN, sp->myauth.challenge,
 4401                        (size_t)sppp_strnlen(sp->myauth.name, AUTHNAMELEN),
 4402                        sp->myauth.name,
 4403                        0);
 4404 }
 4405 
 4406 /*
 4407  *--------------------------------------------------------------------------*
 4408  *                                                                          *
 4409  *                        The PAP implementation.                           *
 4410  *                                                                          *
 4411  *--------------------------------------------------------------------------*
 4412  */
 4413 /*
 4414  * For PAP, we need to keep a little state also if we are the peer, not the
 4415  * authenticator.  This is since we don't get a request to authenticate, but
 4416  * have to repeatedly authenticate ourself until we got a response (or the
 4417  * retry counter is expired).
 4418  */
 4419 
 4420 /*
 4421  * Handle incoming PAP packets.  */
 4422 static void
 4423 sppp_pap_input(struct sppp *sp, struct mbuf *m)
 4424 {
 4425         STDDCL;
 4426         struct lcp_header *h;
 4427         int len, x;
 4428         u_char *name, *passwd, mlen;
 4429         int name_len, passwd_len;
 4430 
 4431         len = m->m_pkthdr.len;
 4432         if (len < 5) {
 4433                 if (debug)
 4434                         log(LOG_DEBUG,
 4435                             SPP_FMT "pap invalid packet length: %d bytes\n",
 4436                             SPP_ARGS(ifp), len);
 4437                 return;
 4438         }
 4439         h = mtod (m, struct lcp_header*);
 4440         if (len > ntohs (h->len))
 4441                 len = ntohs (h->len);
 4442         switch (h->type) {
 4443         /* PAP request is my authproto */
 4444         case PAP_REQ:
 4445                 name = 1 + (u_char*)(h+1);
 4446                 name_len = name[-1];
 4447                 passwd = name + name_len + 1;
 4448                 if (name_len > len - 6 ||
 4449                     (passwd_len = passwd[-1]) > len - 6 - name_len) {
 4450                         if (debug) {
 4451                                 log(LOG_DEBUG, SPP_FMT "pap corrupted input "
 4452                                     "<%s id=0x%x len=%d",
 4453                                     SPP_ARGS(ifp),
 4454                                     sppp_auth_type_name(PPP_PAP, h->type),
 4455                                     h->ident, ntohs(h->len));
 4456                                 sppp_print_bytes((u_char*)(h+1), len-4);
 4457                                 log(-1, ">\n");
 4458                         }
 4459                         break;
 4460                 }
 4461                 if (debug) {
 4462                         log(LOG_DEBUG, SPP_FMT "pap input(%s) "
 4463                             "<%s id=0x%x len=%d name=",
 4464                             SPP_ARGS(ifp),
 4465                             sppp_state_name(sp->state[IDX_PAP]),
 4466                             sppp_auth_type_name(PPP_PAP, h->type),
 4467                             h->ident, ntohs(h->len));
 4468                         sppp_print_string((char*)name, name_len);
 4469                         log(-1, " passwd=");
 4470                         sppp_print_string((char*)passwd, passwd_len);
 4471                         log(-1, ">\n");
 4472                 }
 4473                 if (name_len != sppp_strnlen(sp->hisauth.name, AUTHNAMELEN) ||
 4474                     passwd_len != sppp_strnlen(sp->hisauth.secret, AUTHKEYLEN) ||
 4475                     bcmp(name, sp->hisauth.name, name_len) != 0 ||
 4476                     bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) {
 4477                         /* action scn, tld */
 4478                         mlen = sizeof(FAILMSG) - 1;
 4479                         sppp_auth_send(&pap, sp, PAP_NAK, h->ident,
 4480                                        sizeof mlen, (const char *)&mlen,
 4481                                        sizeof(FAILMSG) - 1, (u_char *)FAILMSG,
 4482                                        0);
 4483                         pap.tld(sp);
 4484                         break;
 4485                 }
 4486                 /* action sca, perhaps tlu */
 4487                 if (sp->state[IDX_PAP] == STATE_REQ_SENT ||
 4488                     sp->state[IDX_PAP] == STATE_OPENED) {
 4489                         mlen = sizeof(SUCCMSG) - 1;
 4490                         sppp_auth_send(&pap, sp, PAP_ACK, h->ident,
 4491                                        sizeof mlen, (const char *)&mlen,
 4492                                        sizeof(SUCCMSG) - 1, (u_char *)SUCCMSG,
 4493                                        0);
 4494                 }
 4495                 if (sp->state[IDX_PAP] == STATE_REQ_SENT) {
 4496                         sppp_cp_change_state(&pap, sp, STATE_OPENED);
 4497                         pap.tlu(sp);
 4498                 }
 4499                 break;
 4500 
 4501         /* ack and nak are his authproto */
 4502         case PAP_ACK:
 4503                 callout_stop(&sp->pap_my_to_ch);
 4504                 if (debug) {
 4505                         log(LOG_DEBUG, SPP_FMT "pap success",
 4506                             SPP_ARGS(ifp));
 4507                         name_len = *((char *)h);
 4508                         if (len > 5 && name_len) {
 4509                                 log(-1, ": ");
 4510                                 sppp_print_string((char*)(h+1), name_len);
 4511                         }
 4512                         log(-1, "\n");
 4513                 }
 4514                 x = splimp();
 4515                 SPPP_LOCK(sp);
 4516                 sp->pp_flags &= ~PP_NEEDAUTH;
 4517                 if (sp->myauth.proto == PPP_PAP &&
 4518                     (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) &&
 4519                     (sp->lcp.protos & (1 << IDX_PAP)) == 0) {
 4520                         /*
 4521                          * We are authenticator for PAP but didn't
 4522                          * complete yet.  Leave it to tlu to proceed
 4523                          * to network phase.
 4524                          */
 4525                         SPPP_UNLOCK(sp);
 4526                         splx(x);
 4527                         break;
 4528                 }
 4529                 SPPP_UNLOCK(sp);
 4530                 splx(x);
 4531                 sppp_phase_network(sp);
 4532                 break;
 4533 
 4534         case PAP_NAK:
 4535                 callout_stop (&sp->pap_my_to_ch);
 4536                 if (debug) {
 4537                         log(LOG_INFO, SPP_FMT "pap failure",
 4538                             SPP_ARGS(ifp));
 4539                         name_len = *((char *)h);
 4540                         if (len > 5 && name_len) {
 4541                                 log(-1, ": ");
 4542                                 sppp_print_string((char*)(h+1), name_len);
 4543                         }
 4544                         log(-1, "\n");
 4545                 } else
 4546                         log(LOG_INFO, SPP_FMT "pap failure\n",
 4547                             SPP_ARGS(ifp));
 4548                 /* await LCP shutdown by authenticator */
 4549                 break;
 4550 
 4551         default:
 4552                 /* Unknown PAP packet type -- ignore. */
 4553                 if (debug) {
 4554                         log(LOG_DEBUG, SPP_FMT "pap corrupted input "
 4555                             "<0x%x id=0x%x len=%d",
 4556                             SPP_ARGS(ifp),
 4557                             h->type, h->ident, ntohs(h->len));
 4558                         sppp_print_bytes((u_char*)(h+1), len-4);
 4559                         log(-1, ">\n");
 4560                 }
 4561                 break;
 4562 
 4563         }
 4564 }
 4565 
 4566 static void
 4567 sppp_pap_init(struct sppp *sp)
 4568 {
 4569         /* PAP doesn't have STATE_INITIAL at all. */
 4570         sp->state[IDX_PAP] = STATE_CLOSED;
 4571         sp->fail_counter[IDX_PAP] = 0;
 4572         sp->pp_seq[IDX_PAP] = 0;
 4573         sp->pp_rseq[IDX_PAP] = 0;
 4574         callout_init(&sp->ch[IDX_PAP],
 4575                     (SP2IFP(sp)->if_flags & IFF_NEEDSGIANT) ? 0 : CALLOUT_MPSAFE);
 4576         callout_init(&sp->pap_my_to_ch,
 4577                     (SP2IFP(sp)->if_flags & IFF_NEEDSGIANT) ? 0 : CALLOUT_MPSAFE);
 4578 }
 4579 
 4580 static void
 4581 sppp_pap_open(struct sppp *sp)
 4582 {
 4583         if (sp->hisauth.proto == PPP_PAP &&
 4584             (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) {
 4585                 /* we are authenticator for PAP, start our timer */
 4586                 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure;
 4587                 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT);
 4588         }
 4589         if (sp->myauth.proto == PPP_PAP) {
 4590                 /* we are peer, send a request, and start a timer */
 4591                 pap.scr(sp);
 4592                 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout,
 4593                               sppp_pap_my_TO, (void *)sp);
 4594         }
 4595 }
 4596 
 4597 static void
 4598 sppp_pap_close(struct sppp *sp)
 4599 {
 4600         if (sp->state[IDX_PAP] != STATE_CLOSED)
 4601                 sppp_cp_change_state(&pap, sp, STATE_CLOSED);
 4602 }
 4603 
 4604 /*
 4605  * That's the timeout routine if we are authenticator.  Since the
 4606  * authenticator is basically passive in PAP, we can't do much here.
 4607  */
 4608 static void
 4609 sppp_pap_TO(void *cookie)
 4610 {
 4611         struct sppp *sp = (struct sppp *)cookie;
 4612         STDDCL;
 4613         int s;
 4614 
 4615         s = splimp();
 4616         SPPP_LOCK(sp);
 4617         if (debug)
 4618                 log(LOG_DEBUG, SPP_FMT "pap TO(%s) rst_counter = %d\n",
 4619                     SPP_ARGS(ifp),
 4620                     sppp_state_name(sp->state[IDX_PAP]),
 4621                     sp->rst_counter[IDX_PAP]);
 4622 
 4623         if (--sp->rst_counter[IDX_PAP] < 0)
 4624                 /* TO- event */
 4625                 switch (sp->state[IDX_PAP]) {
 4626                 case STATE_REQ_SENT:
 4627                         pap.tld(sp);
 4628                         sppp_cp_change_state(&pap, sp, STATE_CLOSED);
 4629                         break;
 4630                 }
 4631         else
 4632                 /* TO+ event, not very much we could do */
 4633                 switch (sp->state[IDX_PAP]) {
 4634                 case STATE_REQ_SENT:
 4635                         /* sppp_cp_change_state() will restart the timer */
 4636                         sppp_cp_change_state(&pap, sp, STATE_REQ_SENT);
 4637                         break;
 4638                 }
 4639 
 4640         SPPP_UNLOCK(sp);
 4641         splx(s);
 4642 }
 4643 
 4644 /*
 4645  * That's the timeout handler if we are peer.  Since the peer is active,
 4646  * we need to retransmit our PAP request since it is apparently lost.
 4647  * XXX We should impose a max counter.
 4648  */
 4649 static void
 4650 sppp_pap_my_TO(void *cookie)
 4651 {
 4652         struct sppp *sp = (struct sppp *)cookie;
 4653         STDDCL;
 4654 
 4655         if (debug)
 4656                 log(LOG_DEBUG, SPP_FMT "pap peer TO\n",
 4657                     SPP_ARGS(ifp));
 4658 
 4659         SPPP_LOCK(sp);
 4660         pap.scr(sp);
 4661         SPPP_UNLOCK(sp);
 4662 }
 4663 
 4664 static void
 4665 sppp_pap_tlu(struct sppp *sp)
 4666 {
 4667         STDDCL;
 4668         int x;
 4669 
 4670         sp->rst_counter[IDX_PAP] = sp->lcp.max_configure;
 4671 
 4672         if (debug)
 4673                 log(LOG_DEBUG, SPP_FMT "%s tlu\n",
 4674                     SPP_ARGS(ifp), pap.name);
 4675 
 4676         x = splimp();
 4677         SPPP_LOCK(sp);
 4678         /* indicate to LCP that we need to be closed down */
 4679         sp->lcp.protos |= (1 << IDX_PAP);
 4680 
 4681         if (sp->pp_flags & PP_NEEDAUTH) {
 4682                 /*
 4683                  * Remote is authenticator, but his auth proto didn't
 4684                  * complete yet.  Defer the transition to network
 4685                  * phase.
 4686                  */
 4687                 SPPP_UNLOCK(sp);
 4688                 splx(x);
 4689                 return;
 4690         }
 4691         SPPP_UNLOCK(sp);
 4692         splx(x);
 4693         sppp_phase_network(sp);
 4694 }
 4695 
 4696 static void
 4697 sppp_pap_tld(struct sppp *sp)
 4698 {
 4699         STDDCL;
 4700 
 4701         if (debug)
 4702                 log(LOG_DEBUG, SPP_FMT "pap tld\n", SPP_ARGS(ifp));
 4703         callout_stop (&sp->ch[IDX_PAP]);
 4704         callout_stop (&sp->pap_my_to_ch);
 4705         sp->lcp.protos &= ~(1 << IDX_PAP);
 4706 
 4707         lcp.Close(sp);
 4708 }
 4709 
 4710 static void
 4711 sppp_pap_scr(struct sppp *sp)
 4712 {
 4713         u_char idlen, pwdlen;
 4714 
 4715         sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP];
 4716         pwdlen = sppp_strnlen(sp->myauth.secret, AUTHKEYLEN);
 4717         idlen = sppp_strnlen(sp->myauth.name, AUTHNAMELEN);
 4718 
 4719         sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP],
 4720                        sizeof idlen, (const char *)&idlen,
 4721                        (size_t)idlen, sp->myauth.name,
 4722                        sizeof pwdlen, (const char *)&pwdlen,
 4723                        (size_t)pwdlen, sp->myauth.secret,
 4724                        0);
 4725 }
 4726 
 4727 /*
 4728  * Random miscellaneous functions.
 4729  */
 4730 
 4731 /*
 4732  * Send a PAP or CHAP proto packet.
 4733  *
 4734  * Varadic function, each of the elements for the ellipsis is of type
 4735  * ``size_t mlen, const u_char *msg''.  Processing will stop iff
 4736  * mlen == 0.
 4737  * NOTE: never declare variadic functions with types subject to type
 4738  * promotion (i.e. u_char). This is asking for big trouble depending
 4739  * on the architecture you are on...
 4740  */
 4741 
 4742 static void
 4743 sppp_auth_send(const struct cp *cp, struct sppp *sp,
 4744                unsigned int type, unsigned int id,
 4745                ...)
 4746 {
 4747         STDDCL;
 4748         struct ppp_header *h;
 4749         struct lcp_header *lh;
 4750         struct mbuf *m;
 4751         u_char *p;
 4752         int len;
 4753         unsigned int mlen;
 4754         const char *msg;
 4755         va_list ap;
 4756 
 4757         MGETHDR (m, M_DONTWAIT, MT_DATA);
 4758         if (! m)
 4759                 return;
 4760         m->m_pkthdr.rcvif = 0;
 4761 
 4762         h = mtod (m, struct ppp_header*);
 4763         h->address = PPP_ALLSTATIONS;           /* broadcast address */
 4764         h->control = PPP_UI;                    /* Unnumbered Info */
 4765         h->protocol = htons(cp->proto);
 4766 
 4767         lh = (struct lcp_header*)(h + 1);
 4768         lh->type = type;
 4769         lh->ident = id;
 4770         p = (u_char*) (lh+1);
 4771 
 4772         va_start(ap, id);
 4773         len = 0;
 4774 
 4775         while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) {
 4776                 msg = va_arg(ap, const char *);
 4777                 len += mlen;
 4778                 if (len > MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN) {
 4779                         va_end(ap);
 4780                         m_freem(m);
 4781                         return;
 4782                 }
 4783 
 4784                 bcopy(msg, p, mlen);
 4785                 p += mlen;
 4786         }
 4787         va_end(ap);
 4788 
 4789         m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + LCP_HEADER_LEN + len;
 4790         lh->len = htons (LCP_HEADER_LEN + len);
 4791 
 4792         if (debug) {
 4793                 log(LOG_DEBUG, SPP_FMT "%s output <%s id=0x%x len=%d",
 4794                     SPP_ARGS(ifp), cp->name,
 4795                     sppp_auth_type_name(cp->proto, lh->type),
 4796                     lh->ident, ntohs(lh->len));
 4797                 sppp_print_bytes((u_char*) (lh+1), len);
 4798                 log(-1, ">\n");
 4799         }
 4800         if (! IF_HANDOFF_ADJ(&sp->pp_cpq, m, ifp, 3))
 4801                 ifp->if_oerrors++;
 4802 }
 4803 
 4804 /*
 4805  * Flush interface queue.
 4806  */
 4807 static void
 4808 sppp_qflush(struct ifqueue *ifq)
 4809 {
 4810         struct mbuf *m, *n;
 4811 
 4812         n = ifq->ifq_head;
 4813         while ((m = n)) {
 4814                 n = m->m_act;
 4815                 m_freem (m);
 4816         }
 4817         ifq->ifq_head = 0;
 4818         ifq->ifq_tail = 0;
 4819         ifq->ifq_len = 0;
 4820 }
 4821 
 4822 /*
 4823  * Send keepalive packets, every 10 seconds.
 4824  */
 4825 static void
 4826 sppp_keepalive(void *dummy)
 4827 {
 4828         struct sppp *sp = (struct sppp*)dummy;
 4829         struct ifnet *ifp = SP2IFP(sp);
 4830         int s;
 4831 
 4832         s = splimp();
 4833         SPPP_LOCK(sp);
 4834         /* Keepalive mode disabled or channel down? */
 4835         if (! (sp->pp_flags & PP_KEEPALIVE) ||
 4836             ! (ifp->if_drv_flags & IFF_DRV_RUNNING))
 4837                 goto out;
 4838 
 4839         if (sp->pp_mode == PP_FR) {
 4840                 sppp_fr_keepalive (sp);
 4841                 goto out;
 4842         }
 4843 
 4844         /* No keepalive in PPP mode if LCP not opened yet. */
 4845         if (sp->pp_mode != IFF_CISCO &&
 4846             sp->pp_phase < PHASE_AUTHENTICATE)
 4847                 goto out;
 4848 
 4849         if (sp->pp_alivecnt == MAXALIVECNT) {
 4850                 /* No keepalive packets got.  Stop the interface. */
 4851                 printf (SPP_FMT "down\n", SPP_ARGS(ifp));
 4852                 if_down (ifp);
 4853                 sppp_qflush (&sp->pp_cpq);
 4854                 if (sp->pp_mode != IFF_CISCO) {
 4855                         /* XXX */
 4856                         /* Shut down the PPP link. */
 4857                         lcp.Down(sp);
 4858                         /* Initiate negotiation. XXX */
 4859                         lcp.Up(sp);
 4860                 }
 4861         }
 4862         if (sp->pp_alivecnt <= MAXALIVECNT)
 4863                 ++sp->pp_alivecnt;
 4864         if (sp->pp_mode == IFF_CISCO)
 4865                 sppp_cisco_send (sp, CISCO_KEEPALIVE_REQ,
 4866                          ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]);
 4867         else if (sp->pp_phase >= PHASE_AUTHENTICATE) {
 4868                 long nmagic = htonl (sp->lcp.magic);
 4869                 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP];
 4870                 sppp_cp_send (sp, PPP_LCP, ECHO_REQ,
 4871                         sp->lcp.echoid, 4, &nmagic);
 4872         }
 4873 out:
 4874         SPPP_UNLOCK(sp);
 4875         splx(s);
 4876         callout_reset(&sp->keepalive_callout, hz * 10, sppp_keepalive,
 4877                       (void *)sp);
 4878 }
 4879 
 4880 /*
 4881  * Get both IP addresses.
 4882  */
 4883 void
 4884 sppp_get_ip_addrs(struct sppp *sp, u_long *src, u_long *dst, u_long *srcmask)
 4885 {
 4886         struct ifnet *ifp = SP2IFP(sp);
 4887         struct ifaddr *ifa;
 4888         struct sockaddr_in *si, *sm;
 4889         u_long ssrc, ddst;
 4890 
 4891         sm = NULL;
 4892         ssrc = ddst = 0L;
 4893         /*
 4894          * Pick the first AF_INET address from the list,
 4895          * aliases don't make any sense on a p2p link anyway.
 4896          */
 4897         si = 0;
 4898 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
 4899         TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link)
 4900 #elif defined(__NetBSD__) || defined (__OpenBSD__)
 4901         for (ifa = TAILQ_FIRST(&ifp->if_addrlist);
 4902              ifa;
 4903              ifa = TAILQ_NEXT(ifa, ifa_list))
 4904 #else
 4905         for (ifa = ifp->if_addrlist;
 4906              ifa;
 4907              ifa = ifa->ifa_next)
 4908 #endif
 4909                 if (ifa->ifa_addr->sa_family == AF_INET) {
 4910                         si = (struct sockaddr_in *)ifa->ifa_addr;
 4911                         sm = (struct sockaddr_in *)ifa->ifa_netmask;
 4912                         if (si)
 4913                                 break;
 4914                 }
 4915         if (ifa) {
 4916                 if (si && si->sin_addr.s_addr) {
 4917                         ssrc = si->sin_addr.s_addr;
 4918                         if (srcmask)
 4919                                 *srcmask = ntohl(sm->sin_addr.s_addr);
 4920                 }
 4921 
 4922                 si = (struct sockaddr_in *)ifa->ifa_dstaddr;
 4923                 if (si && si->sin_addr.s_addr)
 4924                         ddst = si->sin_addr.s_addr;
 4925         }
 4926 
 4927         if (dst) *dst = ntohl(ddst);
 4928         if (src) *src = ntohl(ssrc);
 4929 }
 4930 
 4931 /*
 4932  * Set my IP address.  Must be called at splimp.
 4933  */
 4934 static void
 4935 sppp_set_ip_addr(struct sppp *sp, u_long src)
 4936 {
 4937         STDDCL;
 4938         struct ifaddr *ifa;
 4939         struct sockaddr_in *si;
 4940         struct in_ifaddr *ia;
 4941 
 4942         /*
 4943          * Pick the first AF_INET address from the list,
 4944          * aliases don't make any sense on a p2p link anyway.
 4945          */
 4946         si = 0;
 4947 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
 4948         TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link)
 4949 #elif defined(__NetBSD__) || defined (__OpenBSD__)
 4950         for (ifa = TAILQ_FIRST(&ifp->if_addrlist);
 4951              ifa;
 4952              ifa = TAILQ_NEXT(ifa, ifa_list))
 4953 #else
 4954         for (ifa = ifp->if_addrlist;
 4955              ifa;
 4956              ifa = ifa->ifa_next)
 4957 #endif
 4958         {
 4959                 if (ifa->ifa_addr->sa_family == AF_INET)
 4960                 {
 4961                         si = (struct sockaddr_in *)ifa->ifa_addr;
 4962                         if (si)
 4963                                 break;
 4964                 }
 4965         }
 4966 
 4967         if (ifa && si)
 4968         {
 4969                 int error;
 4970 #if __NetBSD_Version__ >= 103080000
 4971                 struct sockaddr_in new_sin = *si;
 4972 
 4973                 new_sin.sin_addr.s_addr = htonl(src);
 4974                 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, 1);
 4975                 if(debug && error)
 4976                 {
 4977                         log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: in_ifinit "
 4978                         " failed, error=%d\n", SPP_ARGS(ifp), error);
 4979                 }
 4980 #else
 4981                 /* delete old route */
 4982                 error = rtinit(ifa, (int)RTM_DELETE, RTF_HOST);
 4983                 if(debug && error)
 4984                 {
 4985                         log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: rtinit DEL failed, error=%d\n",
 4986                                 SPP_ARGS(ifp), error);
 4987                 }
 4988 
 4989                 /* set new address */
 4990                 si->sin_addr.s_addr = htonl(src);
 4991                 ia = ifatoia(ifa);
 4992                 LIST_REMOVE(ia, ia_hash);
 4993                 LIST_INSERT_HEAD(INADDR_HASH(si->sin_addr.s_addr), ia, ia_hash);
 4994 
 4995                 /* add new route */
 4996                 error = rtinit(ifa, (int)RTM_ADD, RTF_HOST);
 4997                 if (debug && error)
 4998                 {
 4999                         log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: rtinit ADD failed, error=%d",
 5000                                 SPP_ARGS(ifp), error);
 5001                 }
 5002 #endif
 5003         }
 5004 }
 5005 
 5006 #ifdef INET6
 5007 /*
 5008  * Get both IPv6 addresses.
 5009  */
 5010 static void
 5011 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst,
 5012                    struct in6_addr *srcmask)
 5013 {
 5014         struct ifnet *ifp = SP2IFP(sp);
 5015         struct ifaddr *ifa;
 5016         struct sockaddr_in6 *si, *sm;
 5017         struct in6_addr ssrc, ddst;
 5018 
 5019         sm = NULL;
 5020         bzero(&ssrc, sizeof(ssrc));
 5021         bzero(&ddst, sizeof(ddst));
 5022         /*
 5023          * Pick the first link-local AF_INET6 address from the list,
 5024          * aliases don't make any sense on a p2p link anyway.
 5025          */
 5026 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
 5027         for (ifa = ifp->if_addrhead.tqh_first, si = 0;
 5028              ifa;
 5029              ifa = ifa->ifa_link.tqe_next)
 5030 #elif defined(__NetBSD__) || defined (__OpenBSD__)
 5031         for (ifa = ifp->if_addrlist.tqh_first, si = 0;
 5032              ifa;
 5033              ifa = ifa->ifa_list.tqe_next)
 5034 #else
 5035         for (ifa = ifp->if_addrlist, si = 0;
 5036              ifa;
 5037              ifa = ifa->ifa_next)
 5038 #endif
 5039                 if (ifa->ifa_addr->sa_family == AF_INET6) {
 5040                         si = (struct sockaddr_in6 *)ifa->ifa_addr;
 5041                         sm = (struct sockaddr_in6 *)ifa->ifa_netmask;
 5042                         if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr))
 5043                                 break;
 5044                 }
 5045         if (ifa) {
 5046                 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) {
 5047                         bcopy(&si->sin6_addr, &ssrc, sizeof(ssrc));
 5048                         if (srcmask) {
 5049                                 bcopy(&sm->sin6_addr, srcmask,
 5050                                       sizeof(*srcmask));
 5051                         }
 5052                 }
 5053 
 5054                 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr;
 5055                 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr))
 5056                         bcopy(&si->sin6_addr, &ddst, sizeof(ddst));
 5057         }
 5058 
 5059         if (dst)
 5060                 bcopy(&ddst, dst, sizeof(*dst));
 5061         if (src)
 5062                 bcopy(&ssrc, src, sizeof(*src));
 5063 }
 5064 
 5065 #ifdef IPV6CP_MYIFID_DYN
 5066 /*
 5067  * Generate random ifid.
 5068  */
 5069 static void
 5070 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr)
 5071 {
 5072         /* TBD */
 5073 }
 5074 
 5075 /*
 5076  * Set my IPv6 address.  Must be called at splimp.
 5077  */
 5078 static void
 5079 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src)
 5080 {
 5081         STDDCL;
 5082         struct ifaddr *ifa;
 5083         struct sockaddr_in6 *sin6;
 5084 
 5085         /*
 5086          * Pick the first link-local AF_INET6 address from the list,
 5087          * aliases don't make any sense on a p2p link anyway.
 5088          */
 5089 
 5090         sin6 = NULL;
 5091 #if defined(__FreeBSD__) && __FreeBSD__ >= 3
 5092         for (ifa = ifp->if_addrhead.tqh_first;
 5093              ifa;
 5094              ifa = ifa->ifa_link.tqe_next)
 5095 #elif defined(__NetBSD__) || defined (__OpenBSD__)
 5096         for (ifa = ifp->if_addrlist.tqh_first;
 5097              ifa;
 5098              ifa = ifa->ifa_list.tqe_next)
 5099 #else
 5100         for (ifa = ifp->if_addrlist; ifa; ifa = ifa->ifa_next)
 5101 #endif
 5102         {
 5103                 if (ifa->ifa_addr->sa_family == AF_INET6)
 5104                 {
 5105                         sin6 = (struct sockaddr_in6 *)ifa->ifa_addr;
 5106                         if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
 5107                                 break;
 5108                 }
 5109         }
 5110 
 5111         if (ifa && sin6)
 5112         {
 5113                 int error;
 5114                 struct sockaddr_in6 new_sin6 = *sin6;
 5115 
 5116                 bcopy(src, &new_sin6.sin6_addr, sizeof(new_sin6.sin6_addr));
 5117                 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1);
 5118                 if (debug && error)
 5119                 {
 5120                         log(LOG_DEBUG, SPP_FMT "sppp_set_ip6_addr: in6_ifinit "
 5121                             " failed, error=%d\n", SPP_ARGS(ifp), error);
 5122                 }
 5123         }
 5124 }
 5125 #endif
 5126 
 5127 /*
 5128  * Suggest a candidate address to be used by peer.
 5129  */
 5130 static void
 5131 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest)
 5132 {
 5133         struct in6_addr myaddr;
 5134         struct timeval tv;
 5135 
 5136         sppp_get_ip6_addrs(sp, &myaddr, 0, 0);
 5137 
 5138         myaddr.s6_addr[8] &= ~0x02;     /* u bit to "local" */
 5139         microtime(&tv);
 5140         if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) {
 5141                 myaddr.s6_addr[14] ^= 0xff;
 5142                 myaddr.s6_addr[15] ^= 0xff;
 5143         } else {
 5144                 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff);
 5145                 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff);
 5146         }
 5147         if (suggest)
 5148                 bcopy(&myaddr, suggest, sizeof(myaddr));
 5149 }
 5150 #endif /*INET6*/
 5151 
 5152 static int
 5153 sppp_params(struct sppp *sp, u_long cmd, void *data)
 5154 {
 5155         u_long subcmd;
 5156         struct ifreq *ifr = (struct ifreq *)data;
 5157         struct spppreq *spr;
 5158         int rv = 0;
 5159 
 5160         if ((spr = malloc(sizeof(struct spppreq), M_TEMP, M_NOWAIT)) == 0)
 5161                 return (EAGAIN);
 5162         /*
 5163          * ifr->ifr_data is supposed to point to a struct spppreq.
 5164          * Check the cmd word first before attempting to fetch all the
 5165          * data.
 5166          */
 5167         if ((subcmd = fuword(ifr->ifr_data)) == -1) {
 5168                 rv = EFAULT;
 5169                 goto quit;
 5170         }
 5171 
 5172         if (copyin((caddr_t)ifr->ifr_data, spr, sizeof(struct spppreq)) != 0) {
 5173                 rv = EFAULT;
 5174                 goto quit;
 5175         }
 5176 
 5177         switch (subcmd) {
 5178         case (int)SPPPIOGDEFS:
 5179                 if (cmd != SIOCGIFGENERIC) {
 5180                         rv = EINVAL;
 5181                         break;
 5182                 }
 5183                 /*
 5184                  * We copy over the entire current state, but clean
 5185                  * out some of the stuff we don't wanna pass up.
 5186                  * Remember, SIOCGIFGENERIC is unprotected, and can be
 5187                  * called by any user.  No need to ever get PAP or
 5188                  * CHAP secrets back to userland anyway.
 5189                  */
 5190                 spr->defs.pp_phase = sp->pp_phase;
 5191                 spr->defs.enable_vj = (sp->confflags & CONF_ENABLE_VJ) != 0;
 5192                 spr->defs.enable_ipv6 = (sp->confflags & CONF_ENABLE_IPV6) != 0;
 5193                 spr->defs.lcp = sp->lcp;
 5194                 spr->defs.ipcp = sp->ipcp;
 5195                 spr->defs.ipv6cp = sp->ipv6cp;
 5196                 spr->defs.myauth = sp->myauth;
 5197                 spr->defs.hisauth = sp->hisauth;
 5198                 bzero(spr->defs.myauth.secret, AUTHKEYLEN);
 5199                 bzero(spr->defs.myauth.challenge, AUTHKEYLEN);
 5200                 bzero(spr->defs.hisauth.secret, AUTHKEYLEN);
 5201                 bzero(spr->defs.hisauth.challenge, AUTHKEYLEN);
 5202                 /*
 5203                  * Fixup the LCP timeout value to milliseconds so
 5204                  * spppcontrol doesn't need to bother about the value
 5205                  * of "hz".  We do the reverse calculation below when
 5206                  * setting it.
 5207                  */
 5208                 spr->defs.lcp.timeout = sp->lcp.timeout * 1000 / hz;
 5209                 rv = copyout(spr, (caddr_t)ifr->ifr_data,
 5210                              sizeof(struct spppreq));
 5211                 break;
 5212 
 5213         case (int)SPPPIOSDEFS:
 5214                 if (cmd != SIOCSIFGENERIC) {
 5215                         rv = EINVAL;
 5216                         break;
 5217                 }
 5218                 /*
 5219                  * We have a very specific idea of which fields we
 5220                  * allow being passed back from userland, so to not
 5221                  * clobber our current state.  For one, we only allow
 5222                  * setting anything if LCP is in dead or establish
 5223                  * phase.  Once the authentication negotiations
 5224                  * started, the authentication settings must not be
 5225                  * changed again.  (The administrator can force an
 5226                  * ifconfig down in order to get LCP back into dead
 5227                  * phase.)
 5228                  *
 5229                  * Also, we only allow for authentication parameters to be
 5230                  * specified.
 5231                  *
 5232                  * XXX Should allow to set or clear pp_flags.
 5233                  *
 5234                  * Finally, if the respective authentication protocol to
 5235                  * be used is set differently than 0, but the secret is
 5236                  * passed as all zeros, we don't trash the existing secret.
 5237                  * This allows an administrator to change the system name
 5238                  * only without clobbering the secret (which he didn't get
 5239                  * back in a previous SPPPIOGDEFS call).  However, the
 5240                  * secrets are cleared if the authentication protocol is
 5241                  * reset to 0.  */
 5242                 if (sp->pp_phase != PHASE_DEAD &&
 5243                     sp->pp_phase != PHASE_ESTABLISH) {
 5244                         rv = EBUSY;
 5245                         break;
 5246                 }
 5247 
 5248                 if ((spr->defs.myauth.proto != 0 && spr->defs.myauth.proto != PPP_PAP &&
 5249                      spr->defs.myauth.proto != PPP_CHAP) ||
 5250                     (spr->defs.hisauth.proto != 0 && spr->defs.hisauth.proto != PPP_PAP &&
 5251                      spr->defs.hisauth.proto != PPP_CHAP)) {
 5252                         rv = EINVAL;
 5253                         break;
 5254                 }
 5255 
 5256                 if (spr->defs.myauth.proto == 0)
 5257                         /* resetting myauth */
 5258                         bzero(&sp->myauth, sizeof sp->myauth);
 5259                 else {
 5260                         /* setting/changing myauth */
 5261                         sp->myauth.proto = spr->defs.myauth.proto;
 5262                         bcopy(spr->defs.myauth.name, sp->myauth.name, AUTHNAMELEN);
 5263                         if (spr->defs.myauth.secret[0] != '\0')
 5264                                 bcopy(spr->defs.myauth.secret, sp->myauth.secret,
 5265                                       AUTHKEYLEN);
 5266                 }
 5267                 if (spr->defs.hisauth.proto == 0)
 5268                         /* resetting hisauth */
 5269                         bzero(&sp->hisauth, sizeof sp->hisauth);
 5270                 else {
 5271                         /* setting/changing hisauth */
 5272                         sp->hisauth.proto = spr->defs.hisauth.proto;
 5273                         sp->hisauth.flags = spr->defs.hisauth.flags;
 5274                         bcopy(spr->defs.hisauth.name, sp->hisauth.name, AUTHNAMELEN);
 5275                         if (spr->defs.hisauth.secret[0] != '\0')
 5276                                 bcopy(spr->defs.hisauth.secret, sp->hisauth.secret,
 5277                                       AUTHKEYLEN);
 5278                 }
 5279                 /* set LCP restart timer timeout */
 5280                 if (spr->defs.lcp.timeout != 0)
 5281                         sp->lcp.timeout = spr->defs.lcp.timeout * hz / 1000;
 5282                 /* set VJ enable and IPv6 disable flags */
 5283 #ifdef INET
 5284                 if (spr->defs.enable_vj)
 5285                         sp->confflags |= CONF_ENABLE_VJ;
 5286                 else
 5287                         sp->confflags &= ~CONF_ENABLE_VJ;
 5288 #endif
 5289 #ifdef INET6
 5290                 if (spr->defs.enable_ipv6)
 5291                         sp->confflags |= CONF_ENABLE_IPV6;
 5292                 else
 5293                         sp->confflags &= ~CONF_ENABLE_IPV6;
 5294 #endif
 5295                 break;
 5296 
 5297         default:
 5298                 rv = EINVAL;
 5299         }
 5300 
 5301  quit:
 5302         free(spr, M_TEMP);
 5303 
 5304         return (rv);
 5305 }
 5306 
 5307 static void
 5308 sppp_phase_network(struct sppp *sp)
 5309 {
 5310         STDDCL;
 5311         int i;
 5312         u_long mask;
 5313 
 5314         sp->pp_phase = PHASE_NETWORK;
 5315 
 5316         if (debug)
 5317                 log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp),
 5318                     sppp_phase_name(sp->pp_phase));
 5319 
 5320         /* Notify NCPs now. */
 5321         for (i = 0; i < IDX_COUNT; i++)
 5322                 if ((cps[i])->flags & CP_NCP)
 5323                         (cps[i])->Open(sp);
 5324 
 5325         /* Send Up events to all NCPs. */
 5326         for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1)
 5327                 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP))
 5328                         (cps[i])->Up(sp);
 5329 
 5330         /* if no NCP is starting, all this was in vain, close down */
 5331         sppp_lcp_check_and_close(sp);
 5332 }
 5333 
 5334 
 5335 static const char *
 5336 sppp_cp_type_name(u_char type)
 5337 {
 5338         static char buf[12];
 5339         switch (type) {
 5340         case CONF_REQ:   return "conf-req";
 5341         case CONF_ACK:   return "conf-ack";
 5342         case CONF_NAK:   return "conf-nak";
 5343         case CONF_REJ:   return "conf-rej";
 5344         case TERM_REQ:   return "term-req";
 5345         case TERM_ACK:   return "term-ack";
 5346         case CODE_REJ:   return "code-rej";
 5347         case PROTO_REJ:  return "proto-rej";
 5348         case ECHO_REQ:   return "echo-req";
 5349         case ECHO_REPLY: return "echo-reply";
 5350         case DISC_REQ:   return "discard-req";
 5351         }
 5352         snprintf (buf, sizeof(buf), "cp/0x%x", type);
 5353         return buf;
 5354 }
 5355 
 5356 static const char *
 5357 sppp_auth_type_name(u_short proto, u_char type)
 5358 {
 5359         static char buf[12];
 5360         switch (proto) {
 5361         case PPP_CHAP:
 5362                 switch (type) {
 5363                 case CHAP_CHALLENGE:    return "challenge";
 5364                 case CHAP_RESPONSE:     return "response";
 5365                 case CHAP_SUCCESS:      return "success";
 5366                 case CHAP_FAILURE:      return "failure";
 5367                 }
 5368         case PPP_PAP:
 5369                 switch (type) {
 5370                 case PAP_REQ:           return "req";
 5371                 case PAP_ACK:           return "ack";
 5372                 case PAP_NAK:           return "nak";
 5373                 }
 5374         }
 5375         snprintf (buf, sizeof(buf), "auth/0x%x", type);
 5376         return buf;
 5377 }
 5378 
 5379 static const char *
 5380 sppp_lcp_opt_name(u_char opt)
 5381 {
 5382         static char buf[12];
 5383         switch (opt) {
 5384         case LCP_OPT_MRU:               return "mru";
 5385         case LCP_OPT_ASYNC_MAP:         return "async-map";
 5386         case LCP_OPT_AUTH_PROTO:        return "auth-proto";
 5387         case LCP_OPT_QUAL_PROTO:        return "qual-proto";
 5388         case LCP_OPT_MAGIC:             return "magic";
 5389         case LCP_OPT_PROTO_COMP:        return "proto-comp";
 5390         case LCP_OPT_ADDR_COMP:         return "addr-comp";
 5391         }
 5392         snprintf (buf, sizeof(buf), "lcp/0x%x", opt);
 5393         return buf;
 5394 }
 5395 
 5396 static const char *
 5397 sppp_ipcp_opt_name(u_char opt)
 5398 {
 5399         static char buf[12];
 5400         switch (opt) {
 5401         case IPCP_OPT_ADDRESSES:        return "addresses";
 5402         case IPCP_OPT_COMPRESSION:      return "compression";
 5403         case IPCP_OPT_ADDRESS:          return "address";
 5404         }
 5405         snprintf (buf, sizeof(buf), "ipcp/0x%x", opt);
 5406         return buf;
 5407 }
 5408 
 5409 #ifdef INET6
 5410 static const char *
 5411 sppp_ipv6cp_opt_name(u_char opt)
 5412 {
 5413         static char buf[12];
 5414         switch (opt) {
 5415         case IPV6CP_OPT_IFID:           return "ifid";
 5416         case IPV6CP_OPT_COMPRESSION:    return "compression";
 5417         }
 5418         sprintf (buf, "0x%x", opt);
 5419         return buf;
 5420 }
 5421 #endif
 5422 
 5423 static const char *
 5424 sppp_state_name(int state)
 5425 {
 5426         switch (state) {
 5427         case STATE_INITIAL:     return "initial";
 5428         case STATE_STARTING:    return "starting";
 5429         case STATE_CLOSED:      return "closed";
 5430         case STATE_STOPPED:     return "stopped";
 5431         case STATE_CLOSING:     return "closing";
 5432         case STATE_STOPPING:    return "stopping";
 5433         case STATE_REQ_SENT:    return "req-sent";
 5434         case STATE_ACK_RCVD:    return "ack-rcvd";
 5435         case STATE_ACK_SENT:    return "ack-sent";
 5436         case STATE_OPENED:      return "opened";
 5437         }
 5438         return "illegal";
 5439 }
 5440 
 5441 static const char *
 5442 sppp_phase_name(enum ppp_phase phase)
 5443 {
 5444         switch (phase) {
 5445         case PHASE_DEAD:        return "dead";
 5446         case PHASE_ESTABLISH:   return "establish";
 5447         case PHASE_TERMINATE:   return "terminate";
 5448         case PHASE_AUTHENTICATE: return "authenticate";
 5449         case PHASE_NETWORK:     return "network";
 5450         }
 5451         return "illegal";
 5452 }
 5453 
 5454 static const char *
 5455 sppp_proto_name(u_short proto)
 5456 {
 5457         static char buf[12];
 5458         switch (proto) {
 5459         case PPP_LCP:   return "lcp";
 5460         case PPP_IPCP:  return "ipcp";
 5461         case PPP_PAP:   return "pap";
 5462         case PPP_CHAP:  return "chap";
 5463         case PPP_IPV6CP: return "ipv6cp";
 5464         }
 5465         snprintf(buf, sizeof(buf), "proto/0x%x", (unsigned)proto);
 5466         return buf;
 5467 }
 5468 
 5469 static void
 5470 sppp_print_bytes(const u_char *p, u_short len)
 5471 {
 5472         if (len)
 5473                 log(-1, " %*D", len, p, "-");
 5474 }
 5475 
 5476 static void
 5477 sppp_print_string(const char *p, u_short len)
 5478 {
 5479         u_char c;
 5480 
 5481         while (len-- > 0) {
 5482                 c = *p++;
 5483                 /*
 5484                  * Print only ASCII chars directly.  RFC 1994 recommends
 5485                  * using only them, but we don't rely on it.  */
 5486                 if (c < ' ' || c > '~')
 5487                         log(-1, "\\x%x", c);
 5488                 else
 5489                         log(-1, "%c", c);
 5490         }
 5491 }
 5492 
 5493 static const char *
 5494 sppp_dotted_quad(u_long addr)
 5495 {
 5496         static char s[16];
 5497         sprintf(s, "%d.%d.%d.%d",
 5498                 (int)((addr >> 24) & 0xff),
 5499                 (int)((addr >> 16) & 0xff),
 5500                 (int)((addr >> 8) & 0xff),
 5501                 (int)(addr & 0xff));
 5502         return s;
 5503 }
 5504 
 5505 static int
 5506 sppp_strnlen(u_char *p, int max)
 5507 {
 5508         int len;
 5509 
 5510         for (len = 0; len < max && *p; ++p)
 5511                 ++len;
 5512         return len;
 5513 }
 5514 
 5515 /* a dummy, used to drop uninteresting events */
 5516 static void
 5517 sppp_null(struct sppp *unused)
 5518 {
 5519         /* do just nothing */
 5520 }

Cache object: 1598f1ca6e7ab67eed82a610f1fd5036


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.