FreeBSD/Linux Kernel Cross Reference
sys/net/if_spppsubr.c
1 /* $NetBSD: if_spppsubr.c,v 1.114 2008/10/03 18:33:06 pooka Exp $ */
2
3 /*
4 * Synchronous PPP/Cisco link level subroutines.
5 * Keepalive protocol implemented in both Cisco and PPP modes.
6 *
7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd.
8 * Author: Serge Vakulenko, <vak@cronyx.ru>
9 *
10 * Heavily revamped to conform to RFC 1661.
11 * Copyright (C) 1997, Joerg Wunsch.
12 *
13 * RFC2472 IPv6CP support.
14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun@iijlab.net>.
15 *
16 * Redistribution and use in source and binary forms, with or without
17 * modification, are permitted provided that the following conditions are met:
18 * 1. Redistributions of source code must retain the above copyright notice,
19 * this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright notice,
21 * this list of conditions and the following disclaimer in the documentation
22 * and/or other materials provided with the distribution.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY
25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE
28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
34 * POSSIBILITY OF SUCH DAMAGE.
35 *
36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997
37 *
38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp
39 *
40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp
41 */
42
43 #include <sys/cdefs.h>
44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.114 2008/10/03 18:33:06 pooka Exp $");
45
46 #include "opt_inet.h"
47 #include "opt_ipx.h"
48 #include "opt_iso.h"
49 #include "opt_pfil_hooks.h"
50
51 #include <sys/param.h>
52 #include <sys/proc.h>
53 #include <sys/systm.h>
54 #include <sys/kernel.h>
55 #include <sys/sockio.h>
56 #include <sys/socket.h>
57 #include <sys/syslog.h>
58 #include <sys/malloc.h>
59 #include <sys/mbuf.h>
60 #include <sys/callout.h>
61 #include <sys/md5.h>
62 #include <sys/inttypes.h>
63 #include <sys/kauth.h>
64
65 #include <net/if.h>
66 #include <net/netisr.h>
67 #include <net/if_types.h>
68 #include <net/route.h>
69 #include <net/ppp_defs.h>
70
71 #include <machine/stdarg.h>
72
73 #include <netinet/in.h>
74 #include <netinet/in_systm.h>
75 #include <netinet/in_var.h>
76 #ifdef INET
77 #include <netinet/ip.h>
78 #include <netinet/tcp.h>
79 #endif
80 #include <net/ethertypes.h>
81
82 #ifdef INET6
83 #include <netinet6/scope6_var.h>
84 #endif
85
86 #ifdef IPX
87 #include <netipx/ipx.h>
88 #include <netipx/ipx_if.h>
89 #endif
90
91
92 #ifdef ISO
93 #include <netiso/argo_debug.h>
94 #include <netiso/iso.h>
95 #include <netiso/iso_var.h>
96 #include <netiso/iso_snpac.h>
97 #endif
98
99 #include <net/if_sppp.h>
100 #include <net/if_spppvar.h>
101
102 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */
103 #define LOOPALIVECNT 3 /* loopback detection tries */
104 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */
105 #define DEFAULT_NORECV_TIME 15 /* before we get worried */
106 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */
107
108 /*
109 * Interface flags that can be set in an ifconfig command.
110 *
111 * Setting link0 will make the link passive, i.e. it will be marked
112 * as being administrative openable, but won't be opened to begin
113 * with. Incoming calls will be answered, or subsequent calls with
114 * -link1 will cause the administrative open of the LCP layer.
115 *
116 * Setting link1 will cause the link to auto-dial only as packets
117 * arrive to be sent.
118 *
119 * Setting IFF_DEBUG will syslog the option negotiation and state
120 * transitions at level kern.debug. Note: all logs consistently look
121 * like
122 *
123 * <if-name><unit>: <proto-name> <additional info...>
124 *
125 * with <if-name><unit> being something like "bppp0", and <proto-name>
126 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc.
127 */
128
129 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */
130 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */
131
132 #define CONF_REQ 1 /* PPP configure request */
133 #define CONF_ACK 2 /* PPP configure acknowledge */
134 #define CONF_NAK 3 /* PPP configure negative ack */
135 #define CONF_REJ 4 /* PPP configure reject */
136 #define TERM_REQ 5 /* PPP terminate request */
137 #define TERM_ACK 6 /* PPP terminate acknowledge */
138 #define CODE_REJ 7 /* PPP code reject */
139 #define PROTO_REJ 8 /* PPP protocol reject */
140 #define ECHO_REQ 9 /* PPP echo request */
141 #define ECHO_REPLY 10 /* PPP echo reply */
142 #define DISC_REQ 11 /* PPP discard request */
143
144 #define LCP_OPT_MRU 1 /* maximum receive unit */
145 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */
146 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */
147 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */
148 #define LCP_OPT_MAGIC 5 /* magic number */
149 #define LCP_OPT_RESERVED 6 /* reserved */
150 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */
151 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */
152
153 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */
154 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */
155 #define IPCP_OPT_ADDRESS 3 /* local IP address */
156 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */
157 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */
158
159 #define IPV6CP_OPT_IFID 1 /* interface identifier */
160 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */
161
162 #define PAP_REQ 1 /* PAP name/password request */
163 #define PAP_ACK 2 /* PAP acknowledge */
164 #define PAP_NAK 3 /* PAP fail */
165
166 #define CHAP_CHALLENGE 1 /* CHAP challenge request */
167 #define CHAP_RESPONSE 2 /* CHAP challenge response */
168 #define CHAP_SUCCESS 3 /* CHAP response ok */
169 #define CHAP_FAILURE 4 /* CHAP response failed */
170
171 #define CHAP_MD5 5 /* hash algorithm - MD5 */
172
173 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */
174 #define CISCO_UNICAST 0x0f /* Cisco unicast address */
175 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */
176 #define CISCO_ADDR_REQ 0 /* Cisco address request */
177 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */
178 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */
179
180 /* states are named and numbered according to RFC 1661 */
181 #define STATE_INITIAL 0
182 #define STATE_STARTING 1
183 #define STATE_CLOSED 2
184 #define STATE_STOPPED 3
185 #define STATE_CLOSING 4
186 #define STATE_STOPPING 5
187 #define STATE_REQ_SENT 6
188 #define STATE_ACK_RCVD 7
189 #define STATE_ACK_SENT 8
190 #define STATE_OPENED 9
191
192 struct ppp_header {
193 uint8_t address;
194 uint8_t control;
195 uint16_t protocol;
196 } __packed;
197 #define PPP_HEADER_LEN sizeof (struct ppp_header)
198
199 struct lcp_header {
200 uint8_t type;
201 uint8_t ident;
202 uint16_t len;
203 } __packed;
204 #define LCP_HEADER_LEN sizeof (struct lcp_header)
205
206 struct cisco_packet {
207 uint32_t type;
208 uint32_t par1;
209 uint32_t par2;
210 uint16_t rel;
211 uint16_t time0;
212 uint16_t time1;
213 } __packed;
214 #define CISCO_PACKET_LEN 18
215
216 /*
217 * We follow the spelling and capitalization of RFC 1661 here, to make
218 * it easier comparing with the standard. Please refer to this RFC in
219 * case you can't make sense out of these abbreviation; it will also
220 * explain the semantics related to the various events and actions.
221 */
222 struct cp {
223 u_short proto; /* PPP control protocol number */
224 u_char protoidx; /* index into state table in struct sppp */
225 u_char flags;
226 #define CP_LCP 0x01 /* this is the LCP */
227 #define CP_AUTH 0x02 /* this is an authentication protocol */
228 #define CP_NCP 0x04 /* this is a NCP */
229 #define CP_QUAL 0x08 /* this is a quality reporting protocol */
230 const char *name; /* name of this control protocol */
231 /* event handlers */
232 void (*Up)(struct sppp *sp);
233 void (*Down)(struct sppp *sp);
234 void (*Open)(struct sppp *sp);
235 void (*Close)(struct sppp *sp);
236 void (*TO)(void *sp);
237 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len);
238 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len);
239 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len);
240 /* actions */
241 void (*tlu)(struct sppp *sp);
242 void (*tld)(struct sppp *sp);
243 void (*tls)(struct sppp *sp);
244 void (*tlf)(struct sppp *sp);
245 void (*scr)(struct sppp *sp);
246 };
247
248 static struct sppp *spppq;
249 static callout_t keepalive_ch;
250
251 #ifdef INET
252 /*
253 * The following disgusting hack gets around the problem that IP TOS
254 * can't be set yet. We want to put "interactive" traffic on a high
255 * priority queue. To decide if traffic is interactive, we check that
256 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control.
257 *
258 * XXX is this really still necessary? - joerg -
259 */
260 static u_short interactive_ports[8] = {
261 0, 513, 0, 0,
262 0, 21, 0, 23,
263 };
264 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p))
265 #endif
266
267 /* almost every function needs these */
268 #define STDDCL \
269 struct ifnet *ifp = &sp->pp_if; \
270 int debug = ifp->if_flags & IFF_DEBUG
271
272 static int sppp_output(struct ifnet *ifp, struct mbuf *m,
273 const struct sockaddr *dst, struct rtentry *rt);
274
275 static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2);
276 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m);
277
278 static void sppp_cp_input(const struct cp *cp, struct sppp *sp,
279 struct mbuf *m);
280 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type,
281 u_char ident, u_short len, void *data);
282 /* static void sppp_cp_timeout(void *arg); */
283 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp,
284 int newstate);
285 static void sppp_auth_send(const struct cp *cp,
286 struct sppp *sp, unsigned int type, unsigned int id,
287 ...);
288
289 static void sppp_up_event(const struct cp *cp, struct sppp *sp);
290 static void sppp_down_event(const struct cp *cp, struct sppp *sp);
291 static void sppp_open_event(const struct cp *cp, struct sppp *sp);
292 static void sppp_close_event(const struct cp *cp, struct sppp *sp);
293 static void sppp_to_event(const struct cp *cp, struct sppp *sp);
294
295 static void sppp_null(struct sppp *sp);
296
297 static void sppp_lcp_init(struct sppp *sp);
298 static void sppp_lcp_up(struct sppp *sp);
299 static void sppp_lcp_down(struct sppp *sp);
300 static void sppp_lcp_open(struct sppp *sp);
301 static void sppp_lcp_close(struct sppp *sp);
302 static void sppp_lcp_TO(void *sp);
303 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len);
304 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len);
305 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len);
306 static void sppp_lcp_tlu(struct sppp *sp);
307 static void sppp_lcp_tld(struct sppp *sp);
308 static void sppp_lcp_tls(struct sppp *sp);
309 static void sppp_lcp_tlf(struct sppp *sp);
310 static void sppp_lcp_scr(struct sppp *sp);
311 static void sppp_lcp_check_and_close(struct sppp *sp);
312 static int sppp_ncp_check(struct sppp *sp);
313
314 static void sppp_ipcp_init(struct sppp *sp);
315 static void sppp_ipcp_up(struct sppp *sp);
316 static void sppp_ipcp_down(struct sppp *sp);
317 static void sppp_ipcp_open(struct sppp *sp);
318 static void sppp_ipcp_close(struct sppp *sp);
319 static void sppp_ipcp_TO(void *sp);
320 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len);
321 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len);
322 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len);
323 static void sppp_ipcp_tlu(struct sppp *sp);
324 static void sppp_ipcp_tld(struct sppp *sp);
325 static void sppp_ipcp_tls(struct sppp *sp);
326 static void sppp_ipcp_tlf(struct sppp *sp);
327 static void sppp_ipcp_scr(struct sppp *sp);
328
329 static void sppp_ipv6cp_init(struct sppp *sp);
330 static void sppp_ipv6cp_up(struct sppp *sp);
331 static void sppp_ipv6cp_down(struct sppp *sp);
332 static void sppp_ipv6cp_open(struct sppp *sp);
333 static void sppp_ipv6cp_close(struct sppp *sp);
334 static void sppp_ipv6cp_TO(void *sp);
335 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len);
336 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len);
337 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len);
338 static void sppp_ipv6cp_tlu(struct sppp *sp);
339 static void sppp_ipv6cp_tld(struct sppp *sp);
340 static void sppp_ipv6cp_tls(struct sppp *sp);
341 static void sppp_ipv6cp_tlf(struct sppp *sp);
342 static void sppp_ipv6cp_scr(struct sppp *sp);
343
344 static void sppp_pap_input(struct sppp *sp, struct mbuf *m);
345 static void sppp_pap_init(struct sppp *sp);
346 static void sppp_pap_open(struct sppp *sp);
347 static void sppp_pap_close(struct sppp *sp);
348 static void sppp_pap_TO(void *sp);
349 static void sppp_pap_my_TO(void *sp);
350 static void sppp_pap_tlu(struct sppp *sp);
351 static void sppp_pap_tld(struct sppp *sp);
352 static void sppp_pap_scr(struct sppp *sp);
353
354 static void sppp_chap_input(struct sppp *sp, struct mbuf *m);
355 static void sppp_chap_init(struct sppp *sp);
356 static void sppp_chap_open(struct sppp *sp);
357 static void sppp_chap_close(struct sppp *sp);
358 static void sppp_chap_TO(void *sp);
359 static void sppp_chap_tlu(struct sppp *sp);
360 static void sppp_chap_tld(struct sppp *sp);
361 static void sppp_chap_scr(struct sppp *sp);
362
363 static const char *sppp_auth_type_name(u_short proto, u_char type);
364 static const char *sppp_cp_type_name(u_char type);
365 static const char *sppp_dotted_quad(uint32_t addr);
366 static const char *sppp_ipcp_opt_name(u_char opt);
367 #ifdef INET6
368 static const char *sppp_ipv6cp_opt_name(u_char opt);
369 #endif
370 static const char *sppp_lcp_opt_name(u_char opt);
371 static const char *sppp_phase_name(int phase);
372 static const char *sppp_proto_name(u_short proto);
373 static const char *sppp_state_name(int state);
374 static int sppp_params(struct sppp *sp, u_long cmd, void *data);
375 #ifdef INET
376 static void sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst,
377 uint32_t *srcmask);
378 static void sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr);
379 static void sppp_clear_ip_addrs(struct sppp *sp);
380 #endif
381 static void sppp_keepalive(void *dummy);
382 static void sppp_phase_network(struct sppp *sp);
383 static void sppp_print_bytes(const u_char *p, u_short len);
384 static void sppp_print_string(const char *p, u_short len);
385 #ifdef INET6
386 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src,
387 struct in6_addr *dst, struct in6_addr *srcmask);
388 #ifdef IPV6CP_MYIFID_DYN
389 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src);
390 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src);
391 #endif
392 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src);
393 #endif
394
395 /* our control protocol descriptors */
396 static const struct cp lcp = {
397 PPP_LCP, IDX_LCP, CP_LCP, "lcp",
398 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close,
399 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak,
400 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf,
401 sppp_lcp_scr
402 };
403
404 static const struct cp ipcp = {
405 PPP_IPCP, IDX_IPCP,
406 #ifdef INET
407 CP_NCP, /*don't run IPCP if there's no IPv4 support*/
408 #else
409 0,
410 #endif
411 "ipcp",
412 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close,
413 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak,
414 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf,
415 sppp_ipcp_scr
416 };
417
418 static const struct cp ipv6cp = {
419 PPP_IPV6CP, IDX_IPV6CP,
420 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/
421 CP_NCP,
422 #else
423 0,
424 #endif
425 "ipv6cp",
426 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close,
427 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak,
428 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf,
429 sppp_ipv6cp_scr
430 };
431
432 static const struct cp pap = {
433 PPP_PAP, IDX_PAP, CP_AUTH, "pap",
434 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close,
435 sppp_pap_TO, 0, 0, 0,
436 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null,
437 sppp_pap_scr
438 };
439
440 static const struct cp chap = {
441 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap",
442 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close,
443 sppp_chap_TO, 0, 0, 0,
444 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null,
445 sppp_chap_scr
446 };
447
448 static const struct cp *cps[IDX_COUNT] = {
449 &lcp, /* IDX_LCP */
450 &ipcp, /* IDX_IPCP */
451 &ipv6cp, /* IDX_IPV6CP */
452 &pap, /* IDX_PAP */
453 &chap, /* IDX_CHAP */
454 };
455
456
457 void spppattach(int);
458 void
459 /*ARGSUSED*/
460 spppattach(int count)
461 {
462 }
463
464 /*
465 * Exported functions, comprising our interface to the lower layer.
466 */
467
468 /*
469 * Process the received packet.
470 */
471 void
472 sppp_input(struct ifnet *ifp, struct mbuf *m)
473 {
474 struct ppp_header *h = NULL;
475 struct ifqueue *inq = 0;
476 uint16_t protocol;
477 int s;
478 struct sppp *sp = (struct sppp *)ifp;
479 int debug = ifp->if_flags & IFF_DEBUG;
480
481 if (ifp->if_flags & IFF_UP) {
482 /* Count received bytes, add hardware framing */
483 ifp->if_ibytes += m->m_pkthdr.len + sp->pp_framebytes;
484 /* Note time of last receive */
485 sp->pp_last_receive = time_uptime;
486 }
487
488 if (m->m_pkthdr.len <= PPP_HEADER_LEN) {
489 /* Too small packet, drop it. */
490 if (debug)
491 log(LOG_DEBUG,
492 "%s: input packet is too small, %d bytes\n",
493 ifp->if_xname, m->m_pkthdr.len);
494 drop:
495 ++ifp->if_ierrors;
496 ++ifp->if_iqdrops;
497 m_freem(m);
498 return;
499 }
500
501 if (sp->pp_flags & PP_NOFRAMING) {
502 memcpy(&protocol, mtod(m, void *), 2);
503 protocol = ntohs(protocol);
504 m_adj(m, 2);
505 } else {
506
507 /* Get PPP header. */
508 h = mtod(m, struct ppp_header *);
509 m_adj(m, PPP_HEADER_LEN);
510
511 switch (h->address) {
512 case PPP_ALLSTATIONS:
513 if (h->control != PPP_UI)
514 goto invalid;
515 if (sp->pp_flags & PP_CISCO) {
516 if (debug)
517 log(LOG_DEBUG,
518 "%s: PPP packet in Cisco mode "
519 "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
520 ifp->if_xname,
521 h->address, h->control, ntohs(h->protocol));
522 goto drop;
523 }
524 break;
525 case CISCO_MULTICAST:
526 case CISCO_UNICAST:
527 /* Don't check the control field here (RFC 1547). */
528 if (! (sp->pp_flags & PP_CISCO)) {
529 if (debug)
530 log(LOG_DEBUG,
531 "%s: Cisco packet in PPP mode "
532 "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
533 ifp->if_xname,
534 h->address, h->control, ntohs(h->protocol));
535 goto drop;
536 }
537 switch (ntohs(h->protocol)) {
538 default:
539 ++ifp->if_noproto;
540 goto invalid;
541 case CISCO_KEEPALIVE:
542 sppp_cisco_input((struct sppp *) ifp, m);
543 m_freem(m);
544 return;
545 #ifdef INET
546 case ETHERTYPE_IP:
547 schednetisr(NETISR_IP);
548 inq = &ipintrq;
549 break;
550 #endif
551 #ifdef INET6
552 case ETHERTYPE_IPV6:
553 schednetisr(NETISR_IPV6);
554 inq = &ip6intrq;
555 break;
556 #endif
557 #ifdef IPX
558 case ETHERTYPE_IPX:
559 schednetisr(NETISR_IPX);
560 inq = &ipxintrq;
561 break;
562 #endif
563 }
564 goto queue_pkt;
565 default: /* Invalid PPP packet. */
566 invalid:
567 if (debug)
568 log(LOG_DEBUG,
569 "%s: invalid input packet "
570 "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
571 ifp->if_xname,
572 h->address, h->control, ntohs(h->protocol));
573 goto drop;
574 }
575 protocol = ntohs(h->protocol);
576 }
577
578 switch (protocol) {
579 default:
580 if (sp->state[IDX_LCP] == STATE_OPENED) {
581 uint16_t prot = htons(protocol);
582 sppp_cp_send(sp, PPP_LCP, PROTO_REJ,
583 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2,
584 &prot);
585 }
586 if (debug)
587 log(LOG_DEBUG,
588 "%s: invalid input protocol "
589 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol));
590 ++ifp->if_noproto;
591 goto drop;
592 case PPP_LCP:
593 sppp_cp_input(&lcp, sp, m);
594 m_freem(m);
595 return;
596 case PPP_PAP:
597 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE)
598 sppp_pap_input(sp, m);
599 m_freem(m);
600 return;
601 case PPP_CHAP:
602 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE)
603 sppp_chap_input(sp, m);
604 m_freem(m);
605 return;
606 #ifdef INET
607 case PPP_IPCP:
608 if (sp->pp_phase == SPPP_PHASE_NETWORK)
609 sppp_cp_input(&ipcp, sp, m);
610 m_freem(m);
611 return;
612 case PPP_IP:
613 if (sp->state[IDX_IPCP] == STATE_OPENED) {
614 schednetisr(NETISR_IP);
615 inq = &ipintrq;
616 sp->pp_last_activity = time_uptime;
617 }
618 break;
619 #endif
620 #ifdef INET6
621 case PPP_IPV6CP:
622 if (sp->pp_phase == SPPP_PHASE_NETWORK)
623 sppp_cp_input(&ipv6cp, sp, m);
624 m_freem(m);
625 return;
626
627 case PPP_IPV6:
628 if (sp->state[IDX_IPV6CP] == STATE_OPENED) {
629 schednetisr(NETISR_IPV6);
630 inq = &ip6intrq;
631 sp->pp_last_activity = time_uptime;
632 }
633 break;
634 #endif
635 #ifdef IPX
636 case PPP_IPX:
637 /* IPX IPXCP not implemented yet */
638 if (sp->pp_phase == SPPP_PHASE_NETWORK) {
639 schednetisr(NETISR_IPX);
640 inq = &ipxintrq;
641 }
642 break;
643 #endif
644 #ifdef ISO
645 case PPP_ISO:
646 /* OSI NLCP not implemented yet */
647 if (sp->pp_phase == SPPP_PHASE_NETWORK) {
648 schednetisr(NETISR_ISO);
649 inq = &clnlintrq;
650 }
651 break;
652 #endif
653 }
654
655 queue_pkt:
656 if (! (ifp->if_flags & IFF_UP) || ! inq)
657 goto drop;
658
659 /* Check queue. */
660 s = splnet();
661 if (IF_QFULL(inq)) {
662 /* Queue overflow. */
663 IF_DROP(inq);
664 splx(s);
665 if (debug)
666 log(LOG_DEBUG, "%s: protocol queue overflow\n",
667 ifp->if_xname);
668 goto drop;
669 }
670 IF_ENQUEUE(inq, m);
671 splx(s);
672 }
673
674 /*
675 * Enqueue transmit packet.
676 */
677 static int
678 sppp_output(struct ifnet *ifp, struct mbuf *m,
679 const struct sockaddr *dst, struct rtentry *rt)
680 {
681 struct sppp *sp = (struct sppp *) ifp;
682 struct ppp_header *h = NULL;
683 struct ifqueue *ifq = NULL; /* XXX */
684 int s, error = 0;
685 uint16_t protocol;
686 ALTQ_DECL(struct altq_pktattr pktattr;)
687
688 s = splnet();
689
690 sp->pp_last_activity = time_uptime;
691
692 if ((ifp->if_flags & IFF_UP) == 0 ||
693 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) {
694 m_freem(m);
695 splx(s);
696 return (ENETDOWN);
697 }
698
699 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) {
700 /*
701 * Interface is not yet running, but auto-dial. Need
702 * to start LCP for it.
703 */
704 ifp->if_flags |= IFF_RUNNING;
705 splx(s);
706 lcp.Open(sp);
707 s = splnet();
708 }
709
710 /*
711 * If the queueing discipline needs packet classification,
712 * do it before prepending link headers.
713 */
714 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family, &pktattr);
715
716 #ifdef INET
717 if (dst->sa_family == AF_INET) {
718 struct ip *ip = NULL;
719 struct tcphdr *th = NULL;
720
721 if (m->m_len >= sizeof(struct ip)) {
722 ip = mtod(m, struct ip *);
723 if (ip->ip_p == IPPROTO_TCP &&
724 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) +
725 sizeof(struct tcphdr)) {
726 th = (struct tcphdr *)
727 ((char *)ip + (ip->ip_hl << 2));
728 }
729 } else
730 ip = NULL;
731
732 /*
733 * When using dynamic local IP address assignment by using
734 * 0.0.0.0 as a local address, the first TCP session will
735 * not connect because the local TCP checksum is computed
736 * using 0.0.0.0 which will later become our real IP address
737 * so the TCP checksum computed at the remote end will
738 * become invalid. So we
739 * - don't let packets with src ip addr 0 thru
740 * - we flag TCP packets with src ip 0 as an error
741 */
742 if (ip && ip->ip_src.s_addr == INADDR_ANY) {
743 uint8_t proto = ip->ip_p;
744
745 m_freem(m);
746 splx(s);
747 if (proto == IPPROTO_TCP)
748 return (EADDRNOTAVAIL);
749 else
750 return (0);
751 }
752
753 /*
754 * Put low delay, telnet, rlogin and ftp control packets
755 * in front of the queue.
756 */
757
758 if (!IF_QFULL(&sp->pp_fastq) &&
759 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) ||
760 (th && (INTERACTIVE(ntohs(th->th_sport)) ||
761 INTERACTIVE(ntohs(th->th_dport))))))
762 ifq = &sp->pp_fastq;
763 }
764 #endif
765
766 #ifdef INET6
767 if (dst->sa_family == AF_INET6) {
768 /* XXX do something tricky here? */
769 }
770 #endif
771
772 if ((sp->pp_flags & PP_NOFRAMING) == 0) {
773 /*
774 * Prepend general data packet PPP header. For now, IP only.
775 */
776 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT);
777 if (! m) {
778 if (ifp->if_flags & IFF_DEBUG)
779 log(LOG_DEBUG, "%s: no memory for transmit header\n",
780 ifp->if_xname);
781 ++ifp->if_oerrors;
782 splx(s);
783 return (ENOBUFS);
784 }
785 /*
786 * May want to check size of packet
787 * (albeit due to the implementation it's always enough)
788 */
789 h = mtod(m, struct ppp_header *);
790 if (sp->pp_flags & PP_CISCO) {
791 h->address = CISCO_UNICAST; /* unicast address */
792 h->control = 0;
793 } else {
794 h->address = PPP_ALLSTATIONS; /* broadcast address */
795 h->control = PPP_UI; /* Unnumbered Info */
796 }
797 }
798
799 switch (dst->sa_family) {
800 #ifdef INET
801 case AF_INET: /* Internet Protocol */
802 if (sp->pp_flags & PP_CISCO)
803 protocol = htons(ETHERTYPE_IP);
804 else {
805 /*
806 * Don't choke with an ENETDOWN early. It's
807 * possible that we just started dialing out,
808 * so don't drop the packet immediately. If
809 * we notice that we run out of buffer space
810 * below, we will however remember that we are
811 * not ready to carry IP packets, and return
812 * ENETDOWN, as opposed to ENOBUFS.
813 */
814 protocol = htons(PPP_IP);
815 if (sp->state[IDX_IPCP] != STATE_OPENED)
816 error = ENETDOWN;
817 }
818 break;
819 #endif
820 #ifdef INET6
821 case AF_INET6: /* Internet Protocol version 6 */
822 if (sp->pp_flags & PP_CISCO)
823 protocol = htons(ETHERTYPE_IPV6);
824 else {
825 /*
826 * Don't choke with an ENETDOWN early. It's
827 * possible that we just started dialing out,
828 * so don't drop the packet immediately. If
829 * we notice that we run out of buffer space
830 * below, we will however remember that we are
831 * not ready to carry IP packets, and return
832 * ENETDOWN, as opposed to ENOBUFS.
833 */
834 protocol = htons(PPP_IPV6);
835 if (sp->state[IDX_IPV6CP] != STATE_OPENED)
836 error = ENETDOWN;
837 }
838 break;
839 #endif
840 #ifdef IPX
841 case AF_IPX: /* Novell IPX Protocol */
842 protocol = htons((sp->pp_flags & PP_CISCO) ?
843 ETHERTYPE_IPX : PPP_IPX);
844 break;
845 #endif
846 #ifdef ISO
847 case AF_ISO: /* ISO OSI Protocol */
848 if (sp->pp_flags & PP_CISCO)
849 goto nosupport;
850 protocol = htons(PPP_ISO);
851 break;
852 nosupport:
853 #endif
854 default:
855 m_freem(m);
856 ++ifp->if_oerrors;
857 splx(s);
858 return (EAFNOSUPPORT);
859 }
860
861 if (sp->pp_flags & PP_NOFRAMING) {
862 M_PREPEND(m, 2, M_DONTWAIT);
863 if (m == NULL) {
864 if (ifp->if_flags & IFF_DEBUG)
865 log(LOG_DEBUG, "%s: no memory for transmit header\n",
866 ifp->if_xname);
867 ++ifp->if_oerrors;
868 splx(s);
869 return (ENOBUFS);
870 }
871 *mtod(m, uint16_t *) = protocol;
872 } else {
873 h->protocol = protocol;
874 }
875
876
877 error = ifq_enqueue2(ifp, ifq, m ALTQ_COMMA ALTQ_DECL(&pktattr));
878
879 if (error == 0) {
880 /*
881 * Count output packets and bytes.
882 * The packet length includes header + additional hardware
883 * framing according to RFC 1333.
884 */
885 if (!(ifp->if_flags & IFF_OACTIVE))
886 (*ifp->if_start)(ifp);
887 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes;
888 }
889 splx(s);
890 return error;
891 }
892
893 void
894 sppp_attach(struct ifnet *ifp)
895 {
896 struct sppp *sp = (struct sppp *) ifp;
897
898 /* Initialize keepalive handler. */
899 if (! spppq) {
900 callout_init(&keepalive_ch, 0);
901 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL);
902 }
903
904 /* Insert new entry into the keepalive list. */
905 sp->pp_next = spppq;
906 spppq = sp;
907
908 sp->pp_if.if_type = IFT_PPP;
909 sp->pp_if.if_output = sppp_output;
910 sp->pp_fastq.ifq_maxlen = 32;
911 sp->pp_cpq.ifq_maxlen = 20;
912 sp->pp_loopcnt = 0;
913 sp->pp_alivecnt = 0;
914 sp->pp_last_activity = 0;
915 sp->pp_last_receive = 0;
916 sp->pp_maxalive = DEFAULT_MAXALIVECNT;
917 sp->pp_max_noreceive = DEFAULT_NORECV_TIME;
918 sp->pp_idle_timeout = 0;
919 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq));
920 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq));
921 sp->pp_auth_failures = 0;
922 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES;
923 sp->pp_phase = SPPP_PHASE_DEAD;
924 sp->pp_up = lcp.Up;
925 sp->pp_down = lcp.Down;
926
927 if_alloc_sadl(ifp);
928
929 memset(&sp->myauth, 0, sizeof sp->myauth);
930 memset(&sp->hisauth, 0, sizeof sp->hisauth);
931 sppp_lcp_init(sp);
932 sppp_ipcp_init(sp);
933 sppp_ipv6cp_init(sp);
934 sppp_pap_init(sp);
935 sppp_chap_init(sp);
936 }
937
938 void
939 sppp_detach(struct ifnet *ifp)
940 {
941 struct sppp **q, *p, *sp = (struct sppp *) ifp;
942
943 /* Remove the entry from the keepalive list. */
944 for (q = &spppq; (p = *q); q = &p->pp_next)
945 if (p == sp) {
946 *q = p->pp_next;
947 break;
948 }
949
950 /* Stop keepalive handler. */
951 if (! spppq) {
952 callout_stop(&keepalive_ch);
953 }
954
955 callout_stop(&sp->ch[IDX_LCP]);
956 callout_stop(&sp->ch[IDX_IPCP]);
957 callout_stop(&sp->ch[IDX_PAP]);
958 callout_stop(&sp->ch[IDX_CHAP]);
959 #ifdef INET6
960 callout_stop(&sp->ch[IDX_IPV6CP]);
961 #endif
962 callout_stop(&sp->pap_my_to_ch);
963
964 /* free authentication info */
965 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF);
966 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF);
967 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF);
968 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF);
969
970 #if 0 /* done in if_detach() */
971 if_free_sadl(ifp);
972 #endif
973 }
974
975 /*
976 * Flush the interface output queue.
977 */
978 void
979 sppp_flush(struct ifnet *ifp)
980 {
981 struct sppp *sp = (struct sppp *) ifp;
982
983 IFQ_PURGE(&sp->pp_if.if_snd);
984 IF_PURGE(&sp->pp_fastq);
985 IF_PURGE(&sp->pp_cpq);
986 }
987
988 /*
989 * Check if the output queue is empty.
990 */
991 int
992 sppp_isempty(struct ifnet *ifp)
993 {
994 struct sppp *sp = (struct sppp *) ifp;
995 int empty, s;
996
997 s = splnet();
998 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) &&
999 IFQ_IS_EMPTY(&sp->pp_if.if_snd);
1000 splx(s);
1001 return (empty);
1002 }
1003
1004 /*
1005 * Get next packet to send.
1006 */
1007 struct mbuf *
1008 sppp_dequeue(struct ifnet *ifp)
1009 {
1010 struct sppp *sp = (struct sppp *) ifp;
1011 struct mbuf *m;
1012 int s;
1013
1014 s = splnet();
1015 /*
1016 * Process only the control protocol queue until we have at
1017 * least one NCP open.
1018 *
1019 * Do always serve all three queues in Cisco mode.
1020 */
1021 IF_DEQUEUE(&sp->pp_cpq, m);
1022 if (m == NULL &&
1023 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) {
1024 IF_DEQUEUE(&sp->pp_fastq, m);
1025 if (m == NULL)
1026 IFQ_DEQUEUE(&sp->pp_if.if_snd, m);
1027 }
1028 splx(s);
1029 return m;
1030 }
1031
1032 /*
1033 * Process an ioctl request. Called on low priority level.
1034 */
1035 int
1036 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data)
1037 {
1038 struct lwp *l = curlwp; /* XXX */
1039 struct ifreq *ifr = (struct ifreq *) data;
1040 struct sppp *sp = (struct sppp *) ifp;
1041 int s, error=0, going_up, going_down, newmode;
1042
1043 s = splnet();
1044 switch (cmd) {
1045 case SIOCAIFADDR:
1046 case SIOCSIFDSTADDR:
1047 case SIOCSIFADDR:
1048 break;
1049
1050 case SIOCSIFFLAGS:
1051 going_up = ifp->if_flags & IFF_UP &&
1052 (ifp->if_flags & IFF_RUNNING) == 0;
1053 going_down = (ifp->if_flags & IFF_UP) == 0 &&
1054 ifp->if_flags & IFF_RUNNING;
1055 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE);
1056 if (newmode == (IFF_AUTO | IFF_PASSIVE)) {
1057 /* sanity */
1058 newmode = IFF_PASSIVE;
1059 ifp->if_flags &= ~IFF_AUTO;
1060 }
1061
1062 if (going_up || going_down)
1063 lcp.Close(sp);
1064 if (going_up && newmode == 0) {
1065 /* neither auto-dial nor passive */
1066 ifp->if_flags |= IFF_RUNNING;
1067 if (!(sp->pp_flags & PP_CISCO))
1068 lcp.Open(sp);
1069 } else if (going_down) {
1070 sppp_flush(ifp);
1071 ifp->if_flags &= ~IFF_RUNNING;
1072 }
1073
1074 break;
1075
1076 case SIOCSIFMTU:
1077 if (ifr->ifr_mtu < PPP_MINMRU ||
1078 ifr->ifr_mtu > sp->lcp.their_mru) {
1079 error = EINVAL;
1080 break;
1081 }
1082 /*FALLTHROUGH*/
1083 case SIOCGIFMTU:
1084 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET)
1085 error = 0;
1086 break;
1087 case SIOCADDMULTI:
1088 case SIOCDELMULTI:
1089 break;
1090
1091 case SPPPSETAUTHCFG:
1092 case SPPPSETLCPCFG:
1093 case SPPPSETIDLETO:
1094 case SPPPSETAUTHFAILURE:
1095 case SPPPSETDNSOPTS:
1096 case SPPPSETKEEPALIVE:
1097 error = kauth_authorize_network(l->l_cred,
1098 KAUTH_NETWORK_INTERFACE,
1099 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd,
1100 NULL);
1101 if (error)
1102 break;
1103 error = sppp_params(sp, cmd, data);
1104 break;
1105
1106 case SPPPGETAUTHCFG:
1107 case SPPPGETLCPCFG:
1108 case SPPPGETAUTHFAILURES:
1109 error = kauth_authorize_network(l->l_cred,
1110 KAUTH_NETWORK_INTERFACE,
1111 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd,
1112 NULL);
1113 if (error)
1114 break;
1115 error = sppp_params(sp, cmd, data);
1116 break;
1117
1118 case SPPPGETSTATUS:
1119 case SPPPGETSTATUSNCP:
1120 case SPPPGETIDLETO:
1121 case SPPPGETDNSOPTS:
1122 case SPPPGETDNSADDRS:
1123 case SPPPGETKEEPALIVE:
1124 error = sppp_params(sp, cmd, data);
1125 break;
1126
1127 default:
1128 error = ENOTTY;
1129 }
1130 splx(s);
1131 return (error);
1132 }
1133
1134
1135 /*
1136 * Cisco framing implementation.
1137 */
1138
1139 /*
1140 * Handle incoming Cisco keepalive protocol packets.
1141 */
1142 static void
1143 sppp_cisco_input(struct sppp *sp, struct mbuf *m)
1144 {
1145 STDDCL;
1146 struct cisco_packet *h;
1147 #ifdef INET
1148 uint32_t me, mymask = 0; /* XXX: GCC */
1149 #endif
1150
1151 if (m->m_pkthdr.len < CISCO_PACKET_LEN) {
1152 if (debug)
1153 log(LOG_DEBUG,
1154 "%s: cisco invalid packet length: %d bytes\n",
1155 ifp->if_xname, m->m_pkthdr.len);
1156 return;
1157 }
1158 h = mtod(m, struct cisco_packet *);
1159 if (debug)
1160 log(LOG_DEBUG,
1161 "%s: cisco input: %d bytes "
1162 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n",
1163 ifp->if_xname, m->m_pkthdr.len,
1164 ntohl(h->type), h->par1, h->par2, (u_int)h->rel,
1165 (u_int)h->time0, (u_int)h->time1);
1166 switch (ntohl(h->type)) {
1167 default:
1168 if (debug)
1169 addlog("%s: cisco unknown packet type: 0x%x\n",
1170 ifp->if_xname, ntohl(h->type));
1171 break;
1172 case CISCO_ADDR_REPLY:
1173 /* Reply on address request, ignore */
1174 break;
1175 case CISCO_KEEPALIVE_REQ:
1176 sp->pp_alivecnt = 0;
1177 sp->pp_rseq[IDX_LCP] = ntohl(h->par1);
1178 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) {
1179 /* Local and remote sequence numbers are equal.
1180 * Probably, the line is in loopback mode. */
1181 if (sp->pp_loopcnt >= LOOPALIVECNT) {
1182 printf ("%s: loopback\n",
1183 ifp->if_xname);
1184 sp->pp_loopcnt = 0;
1185 if (ifp->if_flags & IFF_UP) {
1186 if_down(ifp);
1187 IF_PURGE(&sp->pp_cpq);
1188 }
1189 }
1190 ++sp->pp_loopcnt;
1191
1192 /* Generate new local sequence number */
1193 sp->pp_seq[IDX_LCP] = arc4random();
1194 break;
1195 }
1196 sp->pp_loopcnt = 0;
1197 if (! (ifp->if_flags & IFF_UP) &&
1198 (ifp->if_flags & IFF_RUNNING)) {
1199 if_up(ifp);
1200 }
1201 break;
1202 case CISCO_ADDR_REQ:
1203 #ifdef INET
1204 sppp_get_ip_addrs(sp, &me, 0, &mymask);
1205 if (me != 0L)
1206 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask);
1207 #endif
1208 break;
1209 }
1210 }
1211
1212 /*
1213 * Send Cisco keepalive packet.
1214 */
1215 static void
1216 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2)
1217 {
1218 STDDCL;
1219 struct ppp_header *h;
1220 struct cisco_packet *ch;
1221 struct mbuf *m;
1222 uint32_t t;
1223
1224 t = time_uptime * 1000;
1225 MGETHDR(m, M_DONTWAIT, MT_DATA);
1226 if (! m)
1227 return;
1228 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN;
1229 m->m_pkthdr.rcvif = 0;
1230
1231 h = mtod(m, struct ppp_header *);
1232 h->address = CISCO_MULTICAST;
1233 h->control = 0;
1234 h->protocol = htons(CISCO_KEEPALIVE);
1235
1236 ch = (struct cisco_packet *)(h + 1);
1237 ch->type = htonl(type);
1238 ch->par1 = htonl(par1);
1239 ch->par2 = htonl(par2);
1240 ch->rel = -1;
1241
1242 ch->time0 = htons((u_short)(t >> 16));
1243 ch->time1 = htons((u_short) t);
1244
1245 if (debug)
1246 log(LOG_DEBUG,
1247 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n",
1248 ifp->if_xname, ntohl(ch->type), ch->par1,
1249 ch->par2, (u_int)ch->rel, (u_int)ch->time0,
1250 (u_int)ch->time1);
1251
1252 if (IF_QFULL(&sp->pp_cpq)) {
1253 IF_DROP(&sp->pp_fastq);
1254 IF_DROP(&ifp->if_snd);
1255 m_freem(m);
1256 ++ifp->if_oerrors;
1257 return;
1258 } else
1259 IF_ENQUEUE(&sp->pp_cpq, m);
1260 if (! (ifp->if_flags & IFF_OACTIVE))
1261 (*ifp->if_start)(ifp);
1262 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes;
1263 }
1264
1265 /*
1266 * PPP protocol implementation.
1267 */
1268
1269 /*
1270 * Send PPP control protocol packet.
1271 */
1272 static void
1273 sppp_cp_send(struct sppp *sp, u_short proto, u_char type,
1274 u_char ident, u_short len, void *data)
1275 {
1276 STDDCL;
1277 struct lcp_header *lh;
1278 struct mbuf *m;
1279 size_t pkthdrlen;
1280
1281 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN;
1282
1283 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN)
1284 len = MHLEN - pkthdrlen - LCP_HEADER_LEN;
1285 MGETHDR(m, M_DONTWAIT, MT_DATA);
1286 if (! m)
1287 return;
1288 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len;
1289 m->m_pkthdr.rcvif = 0;
1290
1291 if (sp->pp_flags & PP_NOFRAMING) {
1292 *mtod(m, uint16_t *) = htons(proto);
1293 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2);
1294 } else {
1295 struct ppp_header *h;
1296 h = mtod(m, struct ppp_header *);
1297 h->address = PPP_ALLSTATIONS; /* broadcast address */
1298 h->control = PPP_UI; /* Unnumbered Info */
1299 h->protocol = htons(proto); /* Link Control Protocol */
1300 lh = (struct lcp_header *)(h + 1);
1301 }
1302 lh->type = type;
1303 lh->ident = ident;
1304 lh->len = htons(LCP_HEADER_LEN + len);
1305 if (len)
1306 bcopy (data, lh + 1, len);
1307
1308 if (debug) {
1309 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d",
1310 ifp->if_xname,
1311 sppp_proto_name(proto),
1312 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len));
1313 if (len)
1314 sppp_print_bytes((u_char *)(lh + 1), len);
1315 addlog(">\n");
1316 }
1317 if (IF_QFULL(&sp->pp_cpq)) {
1318 IF_DROP(&sp->pp_fastq);
1319 IF_DROP(&ifp->if_snd);
1320 m_freem(m);
1321 ++ifp->if_oerrors;
1322 return;
1323 } else
1324 IF_ENQUEUE(&sp->pp_cpq, m);
1325 if (! (ifp->if_flags & IFF_OACTIVE))
1326 (*ifp->if_start)(ifp);
1327 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes;
1328 }
1329
1330 /*
1331 * Handle incoming PPP control protocol packets.
1332 */
1333 static void
1334 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m)
1335 {
1336 STDDCL;
1337 struct lcp_header *h;
1338 int printlen, len = m->m_pkthdr.len;
1339 int rv;
1340 u_char *p;
1341 uint32_t u32;
1342
1343 if (len < 4) {
1344 if (debug)
1345 log(LOG_DEBUG,
1346 "%s: %s invalid packet length: %d bytes\n",
1347 ifp->if_xname, cp->name, len);
1348 return;
1349 }
1350 h = mtod(m, struct lcp_header *);
1351 if (debug) {
1352 printlen = ntohs(h->len);
1353 log(LOG_DEBUG,
1354 "%s: %s input(%s): <%s id=0x%x len=%d",
1355 ifp->if_xname, cp->name,
1356 sppp_state_name(sp->state[cp->protoidx]),
1357 sppp_cp_type_name(h->type), h->ident, printlen);
1358 if (len < printlen)
1359 printlen = len;
1360 if (printlen > 4)
1361 sppp_print_bytes((u_char *)(h + 1), printlen - 4);
1362 addlog(">\n");
1363 }
1364 if (len > ntohs(h->len))
1365 len = ntohs(h->len);
1366 p = (u_char *)(h + 1);
1367 switch (h->type) {
1368 case CONF_REQ:
1369 if (len < 4) {
1370 if (debug)
1371 addlog("%s: %s invalid conf-req length %d\n",
1372 ifp->if_xname, cp->name,
1373 len);
1374 ++ifp->if_ierrors;
1375 break;
1376 }
1377 /* handle states where RCR doesn't get a SCA/SCN */
1378 switch (sp->state[cp->protoidx]) {
1379 case STATE_CLOSING:
1380 case STATE_STOPPING:
1381 return;
1382 case STATE_CLOSED:
1383 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident,
1384 0, 0);
1385 return;
1386 }
1387 rv = (cp->RCR)(sp, h, len);
1388 if (rv < 0) {
1389 /* fatal error, shut down */
1390 (cp->tld)(sp);
1391 sppp_lcp_tlf(sp);
1392 return;
1393 }
1394 switch (sp->state[cp->protoidx]) {
1395 case STATE_OPENED:
1396 (cp->tld)(sp);
1397 (cp->scr)(sp);
1398 /* fall through... */
1399 case STATE_ACK_SENT:
1400 case STATE_REQ_SENT:
1401 sppp_cp_change_state(cp, sp, rv?
1402 STATE_ACK_SENT: STATE_REQ_SENT);
1403 break;
1404 case STATE_STOPPED:
1405 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
1406 (cp->scr)(sp);
1407 sppp_cp_change_state(cp, sp, rv?
1408 STATE_ACK_SENT: STATE_REQ_SENT);
1409 break;
1410 case STATE_ACK_RCVD:
1411 if (rv) {
1412 sppp_cp_change_state(cp, sp, STATE_OPENED);
1413 if (debug)
1414 log(LOG_DEBUG, "%s: %s tlu\n",
1415 ifp->if_xname,
1416 cp->name);
1417 (cp->tlu)(sp);
1418 } else
1419 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD);
1420 break;
1421 default:
1422 printf("%s: %s illegal %s in state %s\n",
1423 ifp->if_xname, cp->name,
1424 sppp_cp_type_name(h->type),
1425 sppp_state_name(sp->state[cp->protoidx]));
1426 ++ifp->if_ierrors;
1427 }
1428 break;
1429 case CONF_ACK:
1430 if (h->ident != sp->confid[cp->protoidx]) {
1431 if (debug)
1432 addlog("%s: %s id mismatch 0x%x != 0x%x\n",
1433 ifp->if_xname, cp->name,
1434 h->ident, sp->confid[cp->protoidx]);
1435 ++ifp->if_ierrors;
1436 break;
1437 }
1438 switch (sp->state[cp->protoidx]) {
1439 case STATE_CLOSED:
1440 case STATE_STOPPED:
1441 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0);
1442 break;
1443 case STATE_CLOSING:
1444 case STATE_STOPPING:
1445 break;
1446 case STATE_REQ_SENT:
1447 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
1448 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD);
1449 break;
1450 case STATE_OPENED:
1451 (cp->tld)(sp);
1452 /* fall through */
1453 case STATE_ACK_RCVD:
1454 (cp->scr)(sp);
1455 sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1456 break;
1457 case STATE_ACK_SENT:
1458 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
1459 sppp_cp_change_state(cp, sp, STATE_OPENED);
1460 if (debug)
1461 log(LOG_DEBUG, "%s: %s tlu\n",
1462 ifp->if_xname, cp->name);
1463 (cp->tlu)(sp);
1464 break;
1465 default:
1466 printf("%s: %s illegal %s in state %s\n",
1467 ifp->if_xname, cp->name,
1468 sppp_cp_type_name(h->type),
1469 sppp_state_name(sp->state[cp->protoidx]));
1470 ++ifp->if_ierrors;
1471 }
1472 break;
1473 case CONF_NAK:
1474 case CONF_REJ:
1475 if (h->ident != sp->confid[cp->protoidx]) {
1476 if (debug)
1477 addlog("%s: %s id mismatch 0x%x != 0x%x\n",
1478 ifp->if_xname, cp->name,
1479 h->ident, sp->confid[cp->protoidx]);
1480 ++ifp->if_ierrors;
1481 break;
1482 }
1483 if (h->type == CONF_NAK)
1484 (cp->RCN_nak)(sp, h, len);
1485 else /* CONF_REJ */
1486 (cp->RCN_rej)(sp, h, len);
1487
1488 switch (sp->state[cp->protoidx]) {
1489 case STATE_CLOSED:
1490 case STATE_STOPPED:
1491 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0);
1492 break;
1493 case STATE_REQ_SENT:
1494 case STATE_ACK_SENT:
1495 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
1496 (cp->scr)(sp);
1497 break;
1498 case STATE_OPENED:
1499 (cp->tld)(sp);
1500 /* fall through */
1501 case STATE_ACK_RCVD:
1502 sppp_cp_change_state(cp, sp, STATE_ACK_SENT);
1503 (cp->scr)(sp);
1504 break;
1505 case STATE_CLOSING:
1506 case STATE_STOPPING:
1507 break;
1508 default:
1509 printf("%s: %s illegal %s in state %s\n",
1510 ifp->if_xname, cp->name,
1511 sppp_cp_type_name(h->type),
1512 sppp_state_name(sp->state[cp->protoidx]));
1513 ++ifp->if_ierrors;
1514 }
1515 break;
1516
1517 case TERM_REQ:
1518 switch (sp->state[cp->protoidx]) {
1519 case STATE_ACK_RCVD:
1520 case STATE_ACK_SENT:
1521 sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1522 /* fall through */
1523 case STATE_CLOSED:
1524 case STATE_STOPPED:
1525 case STATE_CLOSING:
1526 case STATE_STOPPING:
1527 case STATE_REQ_SENT:
1528 sta:
1529 /* Send Terminate-Ack packet. */
1530 if (debug)
1531 log(LOG_DEBUG, "%s: %s send terminate-ack\n",
1532 ifp->if_xname, cp->name);
1533 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0);
1534 break;
1535 case STATE_OPENED:
1536 (cp->tld)(sp);
1537 sp->rst_counter[cp->protoidx] = 0;
1538 sppp_cp_change_state(cp, sp, STATE_STOPPING);
1539 goto sta;
1540 default:
1541 printf("%s: %s illegal %s in state %s\n",
1542 ifp->if_xname, cp->name,
1543 sppp_cp_type_name(h->type),
1544 sppp_state_name(sp->state[cp->protoidx]));
1545 ++ifp->if_ierrors;
1546 }
1547 break;
1548 case TERM_ACK:
1549 switch (sp->state[cp->protoidx]) {
1550 case STATE_CLOSED:
1551 case STATE_STOPPED:
1552 case STATE_REQ_SENT:
1553 case STATE_ACK_SENT:
1554 break;
1555 case STATE_CLOSING:
1556 (cp->tlf)(sp);
1557 sppp_cp_change_state(cp, sp, STATE_CLOSED);
1558 sppp_lcp_check_and_close(sp);
1559 break;
1560 case STATE_STOPPING:
1561 (cp->tlf)(sp);
1562 sppp_cp_change_state(cp, sp, STATE_STOPPED);
1563 sppp_lcp_check_and_close(sp);
1564 break;
1565 case STATE_ACK_RCVD:
1566 sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1567 break;
1568 case STATE_OPENED:
1569 (cp->tld)(sp);
1570 (cp->scr)(sp);
1571 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD);
1572 break;
1573 default:
1574 printf("%s: %s illegal %s in state %s\n",
1575 ifp->if_xname, cp->name,
1576 sppp_cp_type_name(h->type),
1577 sppp_state_name(sp->state[cp->protoidx]));
1578 ++ifp->if_ierrors;
1579 }
1580 break;
1581 case CODE_REJ:
1582 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */
1583 log(LOG_INFO,
1584 "%s: %s: ignoring RXJ (%s) for code ?, "
1585 "danger will robinson\n",
1586 ifp->if_xname, cp->name,
1587 sppp_cp_type_name(h->type));
1588 switch (sp->state[cp->protoidx]) {
1589 case STATE_CLOSED:
1590 case STATE_STOPPED:
1591 case STATE_REQ_SENT:
1592 case STATE_ACK_SENT:
1593 case STATE_CLOSING:
1594 case STATE_STOPPING:
1595 case STATE_OPENED:
1596 break;
1597 case STATE_ACK_RCVD:
1598 sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1599 break;
1600 default:
1601 printf("%s: %s illegal %s in state %s\n",
1602 ifp->if_xname, cp->name,
1603 sppp_cp_type_name(h->type),
1604 sppp_state_name(sp->state[cp->protoidx]));
1605 ++ifp->if_ierrors;
1606 }
1607 break;
1608 case PROTO_REJ:
1609 {
1610 int catastrophic;
1611 const struct cp *upper;
1612 int i;
1613 uint16_t proto;
1614
1615 catastrophic = 0;
1616 upper = NULL;
1617 proto = p[0] << 8 | p[1];
1618 for (i = 0; i < IDX_COUNT; i++) {
1619 if (cps[i]->proto == proto) {
1620 upper = cps[i];
1621 break;
1622 }
1623 }
1624 if (upper == NULL)
1625 catastrophic++;
1626
1627 if (debug)
1628 log(LOG_INFO,
1629 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n",
1630 ifp->if_xname, cp->name, catastrophic ? '-' : '+',
1631 sppp_cp_type_name(h->type), proto,
1632 upper ? upper->name : "unknown",
1633 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?");
1634
1635 /*
1636 * if we got RXJ+ against conf-req, the peer does not implement
1637 * this particular protocol type. terminate the protocol.
1638 */
1639 if (upper && !catastrophic) {
1640 if (sp->state[upper->protoidx] == STATE_REQ_SENT) {
1641 upper->Close(sp);
1642 break;
1643 }
1644 }
1645
1646 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */
1647 switch (sp->state[cp->protoidx]) {
1648 case STATE_CLOSED:
1649 case STATE_STOPPED:
1650 case STATE_REQ_SENT:
1651 case STATE_ACK_SENT:
1652 case STATE_CLOSING:
1653 case STATE_STOPPING:
1654 case STATE_OPENED:
1655 break;
1656 case STATE_ACK_RCVD:
1657 sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1658 break;
1659 default:
1660 printf("%s: %s illegal %s in state %s\n",
1661 ifp->if_xname, cp->name,
1662 sppp_cp_type_name(h->type),
1663 sppp_state_name(sp->state[cp->protoidx]));
1664 ++ifp->if_ierrors;
1665 }
1666 break;
1667 }
1668 case DISC_REQ:
1669 if (cp->proto != PPP_LCP)
1670 goto illegal;
1671 /* Discard the packet. */
1672 break;
1673 case ECHO_REQ:
1674 if (cp->proto != PPP_LCP)
1675 goto illegal;
1676 if (sp->state[cp->protoidx] != STATE_OPENED) {
1677 if (debug)
1678 addlog("%s: lcp echo req but lcp closed\n",
1679 ifp->if_xname);
1680 ++ifp->if_ierrors;
1681 break;
1682 }
1683 if (len < 8) {
1684 if (debug)
1685 addlog("%s: invalid lcp echo request "
1686 "packet length: %d bytes\n",
1687 ifp->if_xname, len);
1688 break;
1689 }
1690 memcpy(&u32, h + 1, sizeof u32);
1691 if (ntohl(u32) == sp->lcp.magic) {
1692 /* Line loopback mode detected. */
1693 printf("%s: loopback\n", ifp->if_xname);
1694 if_down(ifp);
1695 IF_PURGE(&sp->pp_cpq);
1696
1697 /* Shut down the PPP link. */
1698 /* XXX */
1699 lcp.Down(sp);
1700 lcp.Up(sp);
1701 break;
1702 }
1703 u32 = htonl(sp->lcp.magic);
1704 memcpy(h + 1, &u32, sizeof u32);
1705 if (debug)
1706 addlog("%s: got lcp echo req, sending echo rep\n",
1707 ifp->if_xname);
1708 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4,
1709 h + 1);
1710 break;
1711 case ECHO_REPLY:
1712 if (cp->proto != PPP_LCP)
1713 goto illegal;
1714 if (h->ident != sp->lcp.echoid) {
1715 ++ifp->if_ierrors;
1716 break;
1717 }
1718 if (len < 8) {
1719 if (debug)
1720 addlog("%s: lcp invalid echo reply "
1721 "packet length: %d bytes\n",
1722 ifp->if_xname, len);
1723 break;
1724 }
1725 if (debug)
1726 addlog("%s: lcp got echo rep\n",
1727 ifp->if_xname);
1728 memcpy(&u32, h + 1, sizeof u32);
1729 if (ntohl(u32) != sp->lcp.magic)
1730 sp->pp_alivecnt = 0;
1731 break;
1732 default:
1733 /* Unknown packet type -- send Code-Reject packet. */
1734 illegal:
1735 if (debug)
1736 addlog("%s: %s send code-rej for 0x%x\n",
1737 ifp->if_xname, cp->name, h->type);
1738 sppp_cp_send(sp, cp->proto, CODE_REJ,
1739 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h);
1740 ++ifp->if_ierrors;
1741 }
1742 }
1743
1744
1745 /*
1746 * The generic part of all Up/Down/Open/Close/TO event handlers.
1747 * Basically, the state transition handling in the automaton.
1748 */
1749 static void
1750 sppp_up_event(const struct cp *cp, struct sppp *sp)
1751 {
1752 STDDCL;
1753
1754 if (debug)
1755 log(LOG_DEBUG, "%s: %s up(%s)\n",
1756 ifp->if_xname, cp->name,
1757 sppp_state_name(sp->state[cp->protoidx]));
1758
1759 switch (sp->state[cp->protoidx]) {
1760 case STATE_INITIAL:
1761 sppp_cp_change_state(cp, sp, STATE_CLOSED);
1762 break;
1763 case STATE_STARTING:
1764 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
1765 (cp->scr)(sp);
1766 sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1767 break;
1768 default:
1769 printf("%s: %s illegal up in state %s\n",
1770 ifp->if_xname, cp->name,
1771 sppp_state_name(sp->state[cp->protoidx]));
1772 }
1773 }
1774
1775 static void
1776 sppp_down_event(const struct cp *cp, struct sppp *sp)
1777 {
1778 STDDCL;
1779
1780 if (debug)
1781 log(LOG_DEBUG, "%s: %s down(%s)\n",
1782 ifp->if_xname, cp->name,
1783 sppp_state_name(sp->state[cp->protoidx]));
1784
1785 switch (sp->state[cp->protoidx]) {
1786 case STATE_CLOSED:
1787 case STATE_CLOSING:
1788 sppp_cp_change_state(cp, sp, STATE_INITIAL);
1789 break;
1790 case STATE_STOPPED:
1791 (cp->tls)(sp);
1792 /* fall through */
1793 case STATE_STOPPING:
1794 case STATE_REQ_SENT:
1795 case STATE_ACK_RCVD:
1796 case STATE_ACK_SENT:
1797 sppp_cp_change_state(cp, sp, STATE_STARTING);
1798 break;
1799 case STATE_OPENED:
1800 (cp->tld)(sp);
1801 sppp_cp_change_state(cp, sp, STATE_STARTING);
1802 break;
1803 default:
1804 printf("%s: %s illegal down in state %s\n",
1805 ifp->if_xname, cp->name,
1806 sppp_state_name(sp->state[cp->protoidx]));
1807 }
1808 }
1809
1810
1811 static void
1812 sppp_open_event(const struct cp *cp, struct sppp *sp)
1813 {
1814 STDDCL;
1815
1816 if (debug)
1817 log(LOG_DEBUG, "%s: %s open(%s)\n",
1818 ifp->if_xname, cp->name,
1819 sppp_state_name(sp->state[cp->protoidx]));
1820
1821 switch (sp->state[cp->protoidx]) {
1822 case STATE_INITIAL:
1823 sppp_cp_change_state(cp, sp, STATE_STARTING);
1824 (cp->tls)(sp);
1825 break;
1826 case STATE_STARTING:
1827 break;
1828 case STATE_CLOSED:
1829 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
1830 (cp->scr)(sp);
1831 sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1832 break;
1833 case STATE_STOPPED:
1834 case STATE_STOPPING:
1835 case STATE_REQ_SENT:
1836 case STATE_ACK_RCVD:
1837 case STATE_ACK_SENT:
1838 case STATE_OPENED:
1839 break;
1840 case STATE_CLOSING:
1841 sppp_cp_change_state(cp, sp, STATE_STOPPING);
1842 break;
1843 }
1844 }
1845
1846
1847 static void
1848 sppp_close_event(const struct cp *cp, struct sppp *sp)
1849 {
1850 STDDCL;
1851
1852 if (debug)
1853 log(LOG_DEBUG, "%s: %s close(%s)\n",
1854 ifp->if_xname, cp->name,
1855 sppp_state_name(sp->state[cp->protoidx]));
1856
1857 switch (sp->state[cp->protoidx]) {
1858 case STATE_INITIAL:
1859 case STATE_CLOSED:
1860 case STATE_CLOSING:
1861 break;
1862 case STATE_STARTING:
1863 sppp_cp_change_state(cp, sp, STATE_INITIAL);
1864 (cp->tlf)(sp);
1865 break;
1866 case STATE_STOPPED:
1867 sppp_cp_change_state(cp, sp, STATE_CLOSED);
1868 break;
1869 case STATE_STOPPING:
1870 sppp_cp_change_state(cp, sp, STATE_CLOSING);
1871 break;
1872 case STATE_OPENED:
1873 (cp->tld)(sp);
1874 /* fall through */
1875 case STATE_REQ_SENT:
1876 case STATE_ACK_RCVD:
1877 case STATE_ACK_SENT:
1878 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate;
1879 sppp_cp_send(sp, cp->proto, TERM_REQ,
1880 ++sp->pp_seq[cp->protoidx], 0, 0);
1881 sppp_cp_change_state(cp, sp, STATE_CLOSING);
1882 break;
1883 }
1884 }
1885
1886 static void
1887 sppp_to_event(const struct cp *cp, struct sppp *sp)
1888 {
1889 STDDCL;
1890 int s;
1891
1892 s = splnet();
1893 if (debug)
1894 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n",
1895 ifp->if_xname, cp->name,
1896 sppp_state_name(sp->state[cp->protoidx]),
1897 sp->rst_counter[cp->protoidx]);
1898
1899 if (--sp->rst_counter[cp->protoidx] < 0)
1900 /* TO- event */
1901 switch (sp->state[cp->protoidx]) {
1902 case STATE_CLOSING:
1903 (cp->tlf)(sp);
1904 sppp_cp_change_state(cp, sp, STATE_CLOSED);
1905 sppp_lcp_check_and_close(sp);
1906 break;
1907 case STATE_STOPPING:
1908 (cp->tlf)(sp);
1909 sppp_cp_change_state(cp, sp, STATE_STOPPED);
1910 sppp_lcp_check_and_close(sp);
1911 break;
1912 case STATE_REQ_SENT:
1913 case STATE_ACK_RCVD:
1914 case STATE_ACK_SENT:
1915 (cp->tlf)(sp);
1916 sppp_cp_change_state(cp, sp, STATE_STOPPED);
1917 sppp_lcp_check_and_close(sp);
1918 break;
1919 }
1920 else
1921 /* TO+ event */
1922 switch (sp->state[cp->protoidx]) {
1923 case STATE_CLOSING:
1924 case STATE_STOPPING:
1925 sppp_cp_send(sp, cp->proto, TERM_REQ,
1926 ++sp->pp_seq[cp->protoidx], 0, 0);
1927 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout,
1928 cp->TO, sp);
1929 break;
1930 case STATE_REQ_SENT:
1931 case STATE_ACK_RCVD:
1932 (cp->scr)(sp);
1933 /* sppp_cp_change_state() will restart the timer */
1934 sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
1935 break;
1936 case STATE_ACK_SENT:
1937 (cp->scr)(sp);
1938 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout,
1939 cp->TO, sp);
1940 break;
1941 }
1942
1943 splx(s);
1944 }
1945
1946 /*
1947 * Change the state of a control protocol in the state automaton.
1948 * Takes care of starting/stopping the restart timer.
1949 */
1950 void
1951 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate)
1952 {
1953 sp->state[cp->protoidx] = newstate;
1954 callout_stop(&sp->ch[cp->protoidx]);
1955 switch (newstate) {
1956 case STATE_INITIAL:
1957 case STATE_STARTING:
1958 case STATE_CLOSED:
1959 case STATE_STOPPED:
1960 case STATE_OPENED:
1961 break;
1962 case STATE_CLOSING:
1963 case STATE_STOPPING:
1964 case STATE_REQ_SENT:
1965 case STATE_ACK_RCVD:
1966 case STATE_ACK_SENT:
1967 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout,
1968 cp->TO, sp);
1969 break;
1970 }
1971 }
1972
1973 /*
1974 *--------------------------------------------------------------------------*
1975 * *
1976 * The LCP implementation. *
1977 * *
1978 *--------------------------------------------------------------------------*
1979 */
1980 static void
1981 sppp_lcp_init(struct sppp *sp)
1982 {
1983 sp->lcp.opts = (1 << LCP_OPT_MAGIC);
1984 sp->lcp.magic = 0;
1985 sp->state[IDX_LCP] = STATE_INITIAL;
1986 sp->fail_counter[IDX_LCP] = 0;
1987 sp->pp_seq[IDX_LCP] = 0;
1988 sp->pp_rseq[IDX_LCP] = 0;
1989 sp->lcp.protos = 0;
1990 if (sp->pp_if.if_mtu < PP_MTU) {
1991 sp->lcp.mru = sp->pp_if.if_mtu;
1992 sp->lcp.opts |= (1 << LCP_OPT_MRU);
1993 } else
1994 sp->lcp.mru = PP_MTU;
1995 sp->lcp.their_mru = PP_MTU;
1996
1997 /*
1998 * Initialize counters and timeout values. Note that we don't
1999 * use the 3 seconds suggested in RFC 1661 since we are likely
2000 * running on a fast link. XXX We should probably implement
2001 * the exponential backoff option. Note that these values are
2002 * relevant for all control protocols, not just LCP only.
2003 */
2004 sp->lcp.timeout = 1 * hz;
2005 sp->lcp.max_terminate = 2;
2006 sp->lcp.max_configure = 10;
2007 sp->lcp.max_failure = 10;
2008 callout_init(&sp->ch[IDX_LCP], 0);
2009 }
2010
2011 static void
2012 sppp_lcp_up(struct sppp *sp)
2013 {
2014 STDDCL;
2015
2016 /* Initialize activity timestamp: opening a connection is an activity */
2017 sp->pp_last_receive = sp->pp_last_activity = time_uptime;
2018
2019 /*
2020 * If this interface is passive or dial-on-demand, and we are
2021 * still in Initial state, it means we've got an incoming
2022 * call. Activate the interface.
2023 */
2024 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) {
2025 if (debug)
2026 log(LOG_DEBUG,
2027 "%s: Up event", ifp->if_xname);
2028 ifp->if_flags |= IFF_RUNNING;
2029 if (sp->state[IDX_LCP] == STATE_INITIAL) {
2030 if (debug)
2031 addlog("(incoming call)\n");
2032 sp->pp_flags |= PP_CALLIN;
2033 lcp.Open(sp);
2034 } else if (debug)
2035 addlog("\n");
2036 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 &&
2037 (sp->state[IDX_LCP] == STATE_INITIAL)) {
2038 ifp->if_flags |= IFF_RUNNING;
2039 lcp.Open(sp);
2040 }
2041
2042 sppp_up_event(&lcp, sp);
2043 }
2044
2045 static void
2046 sppp_lcp_down(struct sppp *sp)
2047 {
2048 STDDCL;
2049
2050 sppp_down_event(&lcp, sp);
2051
2052 /*
2053 * If this is neither a dial-on-demand nor a passive
2054 * interface, simulate an ``ifconfig down'' action, so the
2055 * administrator can force a redial by another ``ifconfig
2056 * up''. XXX For leased line operation, should we immediately
2057 * try to reopen the connection here?
2058 */
2059 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) {
2060 if (debug)
2061 log(LOG_INFO,
2062 "%s: Down event (carrier loss), taking interface down.\n",
2063 ifp->if_xname);
2064 if_down(ifp);
2065 } else {
2066 if (debug)
2067 log(LOG_DEBUG,
2068 "%s: Down event (carrier loss)\n",
2069 ifp->if_xname);
2070 }
2071 sp->pp_flags &= ~PP_CALLIN;
2072 if (sp->state[IDX_LCP] != STATE_INITIAL)
2073 lcp.Close(sp);
2074 ifp->if_flags &= ~IFF_RUNNING;
2075 }
2076
2077 static void
2078 sppp_lcp_open(struct sppp *sp)
2079 {
2080 /*
2081 * If we are authenticator, negotiate LCP_AUTH
2082 */
2083 if (sp->hisauth.proto != 0)
2084 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO);
2085 else
2086 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO);
2087 sp->pp_flags &= ~PP_NEEDAUTH;
2088 sppp_open_event(&lcp, sp);
2089 }
2090
2091 static void
2092 sppp_lcp_close(struct sppp *sp)
2093 {
2094 sppp_close_event(&lcp, sp);
2095 }
2096
2097 static void
2098 sppp_lcp_TO(void *cookie)
2099 {
2100 sppp_to_event(&lcp, (struct sppp *)cookie);
2101 }
2102
2103 /*
2104 * Analyze a configure request. Return true if it was agreeable, and
2105 * caused action sca, false if it has been rejected or nak'ed, and
2106 * caused action scn. (The return value is used to make the state
2107 * transition decision in the state automaton.)
2108 */
2109 static int
2110 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len)
2111 {
2112 STDDCL;
2113 u_char *buf, *r, *p;
2114 int origlen, rlen;
2115 uint32_t nmagic;
2116 u_short authproto;
2117
2118 len -= 4;
2119 origlen = len;
2120 buf = r = malloc (len, M_TEMP, M_NOWAIT);
2121 if (! buf)
2122 return (0);
2123
2124 if (debug)
2125 log(LOG_DEBUG, "%s: lcp parse opts:",
2126 ifp->if_xname);
2127
2128 /* pass 1: check for things that need to be rejected */
2129 p = (void *)(h + 1);
2130 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
2131 /* Sanity check option length */
2132 if (p[1] > len) {
2133 /*
2134 * Malicious option - drop immediately.
2135 * XXX Maybe we should just RXJ it?
2136 */
2137 addlog("%s: received malicious LCP option 0x%02x, "
2138 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname,
2139 p[0], p[1], len);
2140 goto drop;
2141 }
2142 if (debug)
2143 addlog(" %s", sppp_lcp_opt_name(*p));
2144 switch (*p) {
2145 case LCP_OPT_MAGIC:
2146 /* Magic number. */
2147 /* fall through, both are same length */
2148 case LCP_OPT_ASYNC_MAP:
2149 /* Async control character map. */
2150 if (len >= 6 || p[1] == 6)
2151 continue;
2152 if (debug)
2153 addlog(" [invalid]");
2154 break;
2155 case LCP_OPT_MRU:
2156 /* Maximum receive unit. */
2157 if (len >= 4 && p[1] == 4)
2158 continue;
2159 if (debug)
2160 addlog(" [invalid]");
2161 break;
2162 case LCP_OPT_AUTH_PROTO:
2163 if (len < 4) {
2164 if (debug)
2165 addlog(" [invalid]");
2166 break;
2167 }
2168 authproto = (p[2] << 8) + p[3];
2169 if (authproto == PPP_CHAP && p[1] != 5) {
2170 if (debug)
2171 addlog(" [invalid chap len]");
2172 break;
2173 }
2174 if (sp->myauth.proto == 0) {
2175 /* we are not configured to do auth */
2176 if (debug)
2177 addlog(" [not configured]");
2178 break;
2179 }
2180 /*
2181 * Remote want us to authenticate, remember this,
2182 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got
2183 * up.
2184 */
2185 sp->pp_flags |= PP_NEEDAUTH;
2186 continue;
2187 default:
2188 /* Others not supported. */
2189 if (debug)
2190 addlog(" [rej]");
2191 break;
2192 }
2193 /* Add the option to rejected list. */
2194 bcopy (p, r, p[1]);
2195 r += p[1];
2196 rlen += p[1];
2197 }
2198 if (rlen) {
2199 if (debug)
2200 addlog(" send conf-rej\n");
2201 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf);
2202 goto end;
2203 } else if (debug)
2204 addlog("\n");
2205
2206 /*
2207 * pass 2: check for option values that are unacceptable and
2208 * thus require to be nak'ed.
2209 */
2210 if (debug)
2211 log(LOG_DEBUG, "%s: lcp parse opt values: ",
2212 ifp->if_xname);
2213
2214 p = (void *)(h + 1);
2215 len = origlen;
2216 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
2217 if (debug)
2218 addlog(" %s", sppp_lcp_opt_name(*p));
2219 switch (*p) {
2220 case LCP_OPT_MAGIC:
2221 /* Magic number -- extract. */
2222 nmagic = (uint32_t)p[2] << 24 |
2223 (uint32_t)p[3] << 16 | p[4] << 8 | p[5];
2224 if (nmagic != sp->lcp.magic) {
2225 if (debug)
2226 addlog(" 0x%x", nmagic);
2227 continue;
2228 }
2229 /*
2230 * Local and remote magics equal -- loopback?
2231 */
2232 if (sp->pp_loopcnt >= LOOPALIVECNT*5) {
2233 printf ("%s: loopback\n",
2234 ifp->if_xname);
2235 sp->pp_loopcnt = 0;
2236 if (ifp->if_flags & IFF_UP) {
2237 if_down(ifp);
2238 IF_PURGE(&sp->pp_cpq);
2239 /* XXX ? */
2240 lcp.Down(sp);
2241 lcp.Up(sp);
2242 }
2243 } else if (debug)
2244 addlog(" [glitch]");
2245 ++sp->pp_loopcnt;
2246 /*
2247 * We negate our magic here, and NAK it. If
2248 * we see it later in an NAK packet, we
2249 * suggest a new one.
2250 */
2251 nmagic = ~sp->lcp.magic;
2252 /* Gonna NAK it. */
2253 p[2] = nmagic >> 24;
2254 p[3] = nmagic >> 16;
2255 p[4] = nmagic >> 8;
2256 p[5] = nmagic;
2257 break;
2258
2259 case LCP_OPT_ASYNC_MAP:
2260 /*
2261 * Async control character map -- just ignore it.
2262 *
2263 * Quote from RFC 1662, chapter 6:
2264 * To enable this functionality, synchronous PPP
2265 * implementations MUST always respond to the
2266 * Async-Control-Character-Map Configuration
2267 * Option with the LCP Configure-Ack. However,
2268 * acceptance of the Configuration Option does
2269 * not imply that the synchronous implementation
2270 * will do any ACCM mapping. Instead, all such
2271 * octet mapping will be performed by the
2272 * asynchronous-to-synchronous converter.
2273 */
2274 continue;
2275
2276 case LCP_OPT_MRU:
2277 /*
2278 * Maximum receive unit. Always agreeable,
2279 * but ignored by now.
2280 */
2281 sp->lcp.their_mru = p[2] * 256 + p[3];
2282 if (debug)
2283 addlog(" %ld", sp->lcp.their_mru);
2284 continue;
2285
2286 case LCP_OPT_AUTH_PROTO:
2287 authproto = (p[2] << 8) + p[3];
2288 if (sp->myauth.proto != authproto) {
2289 /* not agreed, nak */
2290 if (debug)
2291 addlog(" [mine %s != his %s]",
2292 sppp_proto_name(sp->myauth.proto),
2293 sppp_proto_name(authproto));
2294 p[2] = sp->myauth.proto >> 8;
2295 p[3] = sp->myauth.proto;
2296 break;
2297 }
2298 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) {
2299 if (debug)
2300 addlog(" [chap not MD5]");
2301 p[4] = CHAP_MD5;
2302 break;
2303 }
2304 continue;
2305 }
2306 /* Add the option to nak'ed list. */
2307 bcopy (p, r, p[1]);
2308 r += p[1];
2309 rlen += p[1];
2310 }
2311 if (rlen) {
2312 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
2313 if (debug)
2314 addlog(" max_failure (%d) exceeded, "
2315 "send conf-rej\n",
2316 sp->lcp.max_failure);
2317 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf);
2318 } else {
2319 if (debug)
2320 addlog(" send conf-nak\n");
2321 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf);
2322 }
2323 goto end;
2324 } else {
2325 if (debug)
2326 addlog(" send conf-ack\n");
2327 sp->fail_counter[IDX_LCP] = 0;
2328 sp->pp_loopcnt = 0;
2329 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1);
2330 }
2331
2332 end:
2333 free(buf, M_TEMP);
2334 return (rlen == 0);
2335
2336 drop:
2337 free(buf, M_TEMP);
2338 return -1;
2339 }
2340
2341 /*
2342 * Analyze the LCP Configure-Reject option list, and adjust our
2343 * negotiation.
2344 */
2345 static void
2346 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
2347 {
2348 STDDCL;
2349 u_char *buf, *p;
2350
2351 len -= 4;
2352 buf = malloc (len, M_TEMP, M_NOWAIT);
2353 if (!buf)
2354 return;
2355
2356 if (debug)
2357 log(LOG_DEBUG, "%s: lcp rej opts:",
2358 ifp->if_xname);
2359
2360 p = (void *)(h + 1);
2361 for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
2362 /* Sanity check option length */
2363 if (p[1] > len) {
2364 /*
2365 * Malicious option - drop immediately.
2366 * XXX Maybe we should just RXJ it?
2367 */
2368 addlog("%s: received malicious LCP option, "
2369 "dropping.\n", ifp->if_xname);
2370 goto drop;
2371 }
2372 if (debug)
2373 addlog(" %s", sppp_lcp_opt_name(*p));
2374 switch (*p) {
2375 case LCP_OPT_MAGIC:
2376 /* Magic number -- can't use it, use 0 */
2377 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC);
2378 sp->lcp.magic = 0;
2379 break;
2380 case LCP_OPT_MRU:
2381 /*
2382 * We try to negotiate a lower MRU if the underlying
2383 * link's MTU is less than PP_MTU (e.g. PPPoE). If the
2384 * peer rejects this lower rate, fallback to the
2385 * default.
2386 */
2387 if (debug) {
2388 addlog("%s: warning: peer rejected our MRU of "
2389 "%ld bytes. Defaulting to %d bytes\n",
2390 ifp->if_xname, sp->lcp.mru, PP_MTU);
2391 }
2392 sp->lcp.opts &= ~(1 << LCP_OPT_MRU);
2393 sp->lcp.mru = PP_MTU;
2394 break;
2395 case LCP_OPT_AUTH_PROTO:
2396 /*
2397 * Peer doesn't want to authenticate himself,
2398 * deny unless this is a dialout call, and
2399 * SPPP_AUTHFLAG_NOCALLOUT is set.
2400 */
2401 if ((sp->pp_flags & PP_CALLIN) == 0 &&
2402 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) {
2403 if (debug)
2404 addlog(" [don't insist on auth "
2405 "for callout]");
2406 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO);
2407 break;
2408 }
2409 if (debug)
2410 addlog("[access denied]\n");
2411 lcp.Close(sp);
2412 break;
2413 }
2414 }
2415 if (debug)
2416 addlog("\n");
2417 drop:
2418 free(buf, M_TEMP);
2419 return;
2420 }
2421
2422 /*
2423 * Analyze the LCP Configure-NAK option list, and adjust our
2424 * negotiation.
2425 */
2426 static void
2427 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
2428 {
2429 STDDCL;
2430 u_char *buf, *p;
2431 uint32_t magic;
2432
2433 len -= 4;
2434 buf = malloc (len, M_TEMP, M_NOWAIT);
2435 if (!buf)
2436 return;
2437
2438 if (debug)
2439 log(LOG_DEBUG, "%s: lcp nak opts:",
2440 ifp->if_xname);
2441
2442 p = (void *)(h + 1);
2443 for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
2444 /* Sanity check option length */
2445 if (p[1] > len) {
2446 /*
2447 * Malicious option - drop immediately.
2448 * XXX Maybe we should just RXJ it?
2449 */
2450 addlog("%s: received malicious LCP option, "
2451 "dropping.\n", ifp->if_xname);
2452 goto drop;
2453 }
2454 if (debug)
2455 addlog(" %s", sppp_lcp_opt_name(*p));
2456 switch (*p) {
2457 case LCP_OPT_MAGIC:
2458 /* Magic number -- renegotiate */
2459 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) &&
2460 len >= 6 && p[1] == 6) {
2461 magic = (uint32_t)p[2] << 24 |
2462 (uint32_t)p[3] << 16 | p[4] << 8 | p[5];
2463 /*
2464 * If the remote magic is our negated one,
2465 * this looks like a loopback problem.
2466 * Suggest a new magic to make sure.
2467 */
2468 if (magic == ~sp->lcp.magic) {
2469 if (debug)
2470 addlog(" magic glitch");
2471 sp->lcp.magic = arc4random();
2472 } else {
2473 sp->lcp.magic = magic;
2474 if (debug)
2475 addlog(" %d", magic);
2476 }
2477 }
2478 break;
2479 case LCP_OPT_MRU:
2480 /*
2481 * Peer wants to advise us to negotiate an MRU.
2482 * Agree on it if it's reasonable, or use
2483 * default otherwise.
2484 */
2485 if (len >= 4 && p[1] == 4) {
2486 u_int mru = p[2] * 256 + p[3];
2487 if (debug)
2488 addlog(" %d", mru);
2489 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu)
2490 mru = sp->pp_if.if_mtu;
2491 sp->lcp.mru = mru;
2492 sp->lcp.opts |= (1 << LCP_OPT_MRU);
2493 }
2494 break;
2495 case LCP_OPT_AUTH_PROTO:
2496 /*
2497 * Peer doesn't like our authentication method,
2498 * deny.
2499 */
2500 if (debug)
2501 addlog("[access denied]\n");
2502 lcp.Close(sp);
2503 break;
2504 }
2505 }
2506 if (debug)
2507 addlog("\n");
2508 drop:
2509 free(buf, M_TEMP);
2510 return;
2511 }
2512
2513 static void
2514 sppp_lcp_tlu(struct sppp *sp)
2515 {
2516 STDDCL;
2517 int i;
2518 uint32_t mask;
2519
2520 /* XXX ? */
2521 if (! (ifp->if_flags & IFF_UP) &&
2522 (ifp->if_flags & IFF_RUNNING)) {
2523 /* Coming out of loopback mode. */
2524 if_up(ifp);
2525 }
2526
2527 for (i = 0; i < IDX_COUNT; i++)
2528 if ((cps[i])->flags & CP_QUAL)
2529 (cps[i])->Open(sp);
2530
2531 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 ||
2532 (sp->pp_flags & PP_NEEDAUTH) != 0)
2533 sp->pp_phase = SPPP_PHASE_AUTHENTICATE;
2534 else
2535 sp->pp_phase = SPPP_PHASE_NETWORK;
2536
2537 if (debug)
2538 {
2539 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname,
2540 sppp_phase_name(sp->pp_phase));
2541 }
2542
2543 /*
2544 * Open all authentication protocols. This is even required
2545 * if we already proceeded to network phase, since it might be
2546 * that remote wants us to authenticate, so we might have to
2547 * send a PAP request. Undesired authentication protocols
2548 * don't do anything when they get an Open event.
2549 */
2550 for (i = 0; i < IDX_COUNT; i++)
2551 if ((cps[i])->flags & CP_AUTH)
2552 (cps[i])->Open(sp);
2553
2554 if (sp->pp_phase == SPPP_PHASE_NETWORK) {
2555 /* Notify all NCPs. */
2556 for (i = 0; i < IDX_COUNT; i++)
2557 if ((cps[i])->flags & CP_NCP)
2558 (cps[i])->Open(sp);
2559 }
2560
2561 /* Send Up events to all started protos. */
2562 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1)
2563 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0)
2564 (cps[i])->Up(sp);
2565
2566 /* notify low-level driver of state change */
2567 if (sp->pp_chg)
2568 sp->pp_chg(sp, (int)sp->pp_phase);
2569
2570 if (sp->pp_phase == SPPP_PHASE_NETWORK)
2571 /* if no NCP is starting, close down */
2572 sppp_lcp_check_and_close(sp);
2573 }
2574
2575 static void
2576 sppp_lcp_tld(struct sppp *sp)
2577 {
2578 STDDCL;
2579 int i;
2580 uint32_t mask;
2581
2582 sp->pp_phase = SPPP_PHASE_TERMINATE;
2583
2584 if (debug)
2585 {
2586 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname,
2587 sppp_phase_name(sp->pp_phase));
2588 }
2589
2590 /*
2591 * Take upper layers down. We send the Down event first and
2592 * the Close second to prevent the upper layers from sending
2593 * ``a flurry of terminate-request packets'', as the RFC
2594 * describes it.
2595 */
2596 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1)
2597 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) {
2598 (cps[i])->Down(sp);
2599 (cps[i])->Close(sp);
2600 }
2601 }
2602
2603 static void
2604 sppp_lcp_tls(struct sppp *sp)
2605 {
2606 STDDCL;
2607
2608 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) {
2609 printf("%s: authentication failed %d times, not retrying again\n",
2610 sp->pp_if.if_xname, sp->pp_auth_failures);
2611 if_down(&sp->pp_if);
2612 return;
2613 }
2614
2615 sp->pp_phase = SPPP_PHASE_ESTABLISH;
2616
2617 if (debug)
2618 {
2619 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname,
2620 sppp_phase_name(sp->pp_phase));
2621 }
2622
2623 /* Notify lower layer if desired. */
2624 if (sp->pp_tls)
2625 (sp->pp_tls)(sp);
2626 }
2627
2628 static void
2629 sppp_lcp_tlf(struct sppp *sp)
2630 {
2631 STDDCL;
2632
2633 sp->pp_phase = SPPP_PHASE_DEAD;
2634
2635 if (debug)
2636 {
2637 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname,
2638 sppp_phase_name(sp->pp_phase));
2639 }
2640
2641 /* Notify lower layer if desired. */
2642 if (sp->pp_tlf)
2643 (sp->pp_tlf)(sp);
2644 }
2645
2646 static void
2647 sppp_lcp_scr(struct sppp *sp)
2648 {
2649 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */];
2650 int i = 0;
2651 u_short authproto;
2652
2653 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) {
2654 if (! sp->lcp.magic)
2655 sp->lcp.magic = arc4random();
2656 opt[i++] = LCP_OPT_MAGIC;
2657 opt[i++] = 6;
2658 opt[i++] = sp->lcp.magic >> 24;
2659 opt[i++] = sp->lcp.magic >> 16;
2660 opt[i++] = sp->lcp.magic >> 8;
2661 opt[i++] = sp->lcp.magic;
2662 }
2663
2664 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) {
2665 opt[i++] = LCP_OPT_MRU;
2666 opt[i++] = 4;
2667 opt[i++] = sp->lcp.mru >> 8;
2668 opt[i++] = sp->lcp.mru;
2669 }
2670
2671 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) {
2672 authproto = sp->hisauth.proto;
2673 opt[i++] = LCP_OPT_AUTH_PROTO;
2674 opt[i++] = authproto == PPP_CHAP? 5: 4;
2675 opt[i++] = authproto >> 8;
2676 opt[i++] = authproto;
2677 if (authproto == PPP_CHAP)
2678 opt[i++] = CHAP_MD5;
2679 }
2680
2681 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP];
2682 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt);
2683 }
2684
2685 /*
2686 * Check the open NCPs, return true if at least one NCP is open.
2687 */
2688 static int
2689 sppp_ncp_check(struct sppp *sp)
2690 {
2691 int i, mask;
2692
2693 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1)
2694 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP)
2695 return 1;
2696 return 0;
2697 }
2698
2699 /*
2700 * Re-check the open NCPs and see if we should terminate the link.
2701 * Called by the NCPs during their tlf action handling.
2702 */
2703 static void
2704 sppp_lcp_check_and_close(struct sppp *sp)
2705 {
2706
2707 if (sp->pp_phase < SPPP_PHASE_NETWORK)
2708 /* don't bother, we are already going down */
2709 return;
2710
2711 if (sppp_ncp_check(sp))
2712 return;
2713
2714 lcp.Close(sp);
2715 }
2716
2717
2718 /*
2719 *--------------------------------------------------------------------------*
2720 * *
2721 * The IPCP implementation. *
2722 * *
2723 *--------------------------------------------------------------------------*
2724 */
2725
2726 static void
2727 sppp_ipcp_init(struct sppp *sp)
2728 {
2729 sp->ipcp.opts = 0;
2730 sp->ipcp.flags = 0;
2731 sp->state[IDX_IPCP] = STATE_INITIAL;
2732 sp->fail_counter[IDX_IPCP] = 0;
2733 sp->pp_seq[IDX_IPCP] = 0;
2734 sp->pp_rseq[IDX_IPCP] = 0;
2735 callout_init(&sp->ch[IDX_IPCP], 0);
2736 }
2737
2738 static void
2739 sppp_ipcp_up(struct sppp *sp)
2740 {
2741 sppp_up_event(&ipcp, sp);
2742 }
2743
2744 static void
2745 sppp_ipcp_down(struct sppp *sp)
2746 {
2747 sppp_down_event(&ipcp, sp);
2748 }
2749
2750 static void
2751 sppp_ipcp_open(struct sppp *sp)
2752 {
2753 STDDCL;
2754 uint32_t myaddr, hisaddr;
2755
2756 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN);
2757 sp->ipcp.req_myaddr = 0;
2758 sp->ipcp.req_hisaddr = 0;
2759 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs);
2760
2761 #ifdef INET
2762 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0);
2763 #else
2764 myaddr = hisaddr = 0;
2765 #endif
2766 /*
2767 * If we don't have his address, this probably means our
2768 * interface doesn't want to talk IP at all. (This could
2769 * be the case if somebody wants to speak only IPX, for
2770 * example.) Don't open IPCP in this case.
2771 */
2772 if (hisaddr == 0) {
2773 /* XXX this message should go away */
2774 if (debug)
2775 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n",
2776 ifp->if_xname);
2777 return;
2778 }
2779
2780 if (myaddr == 0) {
2781 /*
2782 * I don't have an assigned address, so i need to
2783 * negotiate my address.
2784 */
2785 sp->ipcp.flags |= IPCP_MYADDR_DYN;
2786 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS);
2787 }
2788 if (hisaddr == 1) {
2789 /*
2790 * XXX - remove this hack!
2791 * remote has no valid address, we need to get one assigned.
2792 */
2793 sp->ipcp.flags |= IPCP_HISADDR_DYN;
2794 }
2795 sppp_open_event(&ipcp, sp);
2796 }
2797
2798 static void
2799 sppp_ipcp_close(struct sppp *sp)
2800 {
2801 STDDCL;
2802
2803 sppp_close_event(&ipcp, sp);
2804 #ifdef INET
2805 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN))
2806 /*
2807 * Some address was dynamic, clear it again.
2808 */
2809 sppp_clear_ip_addrs(sp);
2810 #endif
2811
2812 if (sp->pp_saved_mtu > 0) {
2813 ifp->if_mtu = sp->pp_saved_mtu;
2814 sp->pp_saved_mtu = 0;
2815 if (debug)
2816 log(LOG_DEBUG,
2817 "%s: resetting MTU to %" PRIu64 " bytes\n",
2818 ifp->if_xname, ifp->if_mtu);
2819 }
2820 }
2821
2822 static void
2823 sppp_ipcp_TO(void *cookie)
2824 {
2825 sppp_to_event(&ipcp, (struct sppp *)cookie);
2826 }
2827
2828 /*
2829 * Analyze a configure request. Return true if it was agreeable, and
2830 * caused action sca, false if it has been rejected or nak'ed, and
2831 * caused action scn. (The return value is used to make the state
2832 * transition decision in the state automaton.)
2833 */
2834 static int
2835 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len)
2836 {
2837 u_char *buf, *r, *p;
2838 struct ifnet *ifp = &sp->pp_if;
2839 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG;
2840 uint32_t hisaddr, desiredaddr;
2841
2842 len -= 4;
2843 origlen = len;
2844 /*
2845 * Make sure to allocate a buf that can at least hold a
2846 * conf-nak with an `address' option. We might need it below.
2847 */
2848 buf = r = malloc ((len < 6? 6: len), M_TEMP, M_NOWAIT);
2849 if (! buf)
2850 return (0);
2851
2852 /* pass 1: see if we can recognize them */
2853 if (debug)
2854 log(LOG_DEBUG, "%s: ipcp parse opts:",
2855 ifp->if_xname);
2856 p = (void *)(h + 1);
2857 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
2858 /* Sanity check option length */
2859 if (p[1] > len) {
2860 /* XXX should we just RXJ? */
2861 addlog("%s: malicious IPCP option received, dropping\n",
2862 ifp->if_xname);
2863 goto drop;
2864 }
2865 if (debug)
2866 addlog(" %s", sppp_ipcp_opt_name(*p));
2867 switch (*p) {
2868 #ifdef notyet
2869 case IPCP_OPT_COMPRESSION:
2870 if (len >= 6 && p[1] >= 6) {
2871 /* correctly formed compress option */
2872 continue;
2873 }
2874 if (debug)
2875 addlog(" [invalid]");
2876 break;
2877 #endif
2878 case IPCP_OPT_ADDRESS:
2879 if (len >= 6 && p[1] == 6) {
2880 /* correctly formed address option */
2881 continue;
2882 }
2883 if (debug)
2884 addlog(" [invalid]");
2885 break;
2886 default:
2887 /* Others not supported. */
2888 if (debug)
2889 addlog(" [rej]");
2890 break;
2891 }
2892 /* Add the option to rejected list. */
2893 bcopy (p, r, p[1]);
2894 r += p[1];
2895 rlen += p[1];
2896 }
2897 if (rlen) {
2898 if (debug)
2899 addlog(" send conf-rej\n");
2900 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf);
2901 goto end;
2902 } else if (debug)
2903 addlog("\n");
2904
2905 /* pass 2: parse option values */
2906 if (sp->ipcp.flags & IPCP_HISADDR_SEEN)
2907 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */
2908 else
2909 #ifdef INET
2910 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */
2911 #else
2912 hisaddr = 0;
2913 #endif
2914 if (debug)
2915 log(LOG_DEBUG, "%s: ipcp parse opt values: ",
2916 ifp->if_xname);
2917 p = (void *)(h + 1);
2918 len = origlen;
2919 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
2920 if (debug)
2921 addlog(" %s", sppp_ipcp_opt_name(*p));
2922 switch (*p) {
2923 #ifdef notyet
2924 case IPCP_OPT_COMPRESSION:
2925 continue;
2926 #endif
2927 case IPCP_OPT_ADDRESS:
2928 desiredaddr = p[2] << 24 | p[3] << 16 |
2929 p[4] << 8 | p[5];
2930 if (desiredaddr == hisaddr ||
2931 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) {
2932 /*
2933 * Peer's address is same as our value,
2934 * this is agreeable. Gonna conf-ack
2935 * it.
2936 */
2937 if (debug)
2938 addlog(" %s [ack]",
2939 sppp_dotted_quad(hisaddr));
2940 /* record that we've seen it already */
2941 sp->ipcp.flags |= IPCP_HISADDR_SEEN;
2942 sp->ipcp.req_hisaddr = desiredaddr;
2943 hisaddr = desiredaddr;
2944 continue;
2945 }
2946 /*
2947 * The address wasn't agreeable. This is either
2948 * he sent us 0.0.0.0, asking to assign him an
2949 * address, or he send us another address not
2950 * matching our value. Either case, we gonna
2951 * conf-nak it with our value.
2952 */
2953 if (debug) {
2954 if (desiredaddr == 0)
2955 addlog(" [addr requested]");
2956 else
2957 addlog(" %s [not agreed]",
2958 sppp_dotted_quad(desiredaddr));
2959 }
2960
2961 p[2] = hisaddr >> 24;
2962 p[3] = hisaddr >> 16;
2963 p[4] = hisaddr >> 8;
2964 p[5] = hisaddr;
2965 break;
2966 }
2967 /* Add the option to nak'ed list. */
2968 bcopy (p, r, p[1]);
2969 r += p[1];
2970 rlen += p[1];
2971 }
2972
2973 /*
2974 * If we are about to conf-ack the request, but haven't seen
2975 * his address so far, gonna conf-nak it instead, with the
2976 * `address' option present and our idea of his address being
2977 * filled in there, to request negotiation of both addresses.
2978 *
2979 * XXX This can result in an endless req - nak loop if peer
2980 * doesn't want to send us his address. Q: What should we do
2981 * about it? XXX A: implement the max-failure counter.
2982 */
2983 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) {
2984 buf[0] = IPCP_OPT_ADDRESS;
2985 buf[1] = 6;
2986 buf[2] = hisaddr >> 24;
2987 buf[3] = hisaddr >> 16;
2988 buf[4] = hisaddr >> 8;
2989 buf[5] = hisaddr;
2990 rlen = 6;
2991 if (debug)
2992 addlog(" still need hisaddr");
2993 }
2994
2995 if (rlen) {
2996 if (debug)
2997 addlog(" send conf-nak\n");
2998 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf);
2999 } else {
3000 if (debug)
3001 addlog(" send conf-ack\n");
3002 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1);
3003 }
3004
3005 end:
3006 free(buf, M_TEMP);
3007 return (rlen == 0);
3008
3009 drop:
3010 free(buf, M_TEMP);
3011 return -1;
3012 }
3013
3014 /*
3015 * Analyze the IPCP Configure-Reject option list, and adjust our
3016 * negotiation.
3017 */
3018 static void
3019 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
3020 {
3021 u_char *buf, *p;
3022 struct ifnet *ifp = &sp->pp_if;
3023 int debug = ifp->if_flags & IFF_DEBUG;
3024
3025 len -= 4;
3026 buf = malloc (len, M_TEMP, M_NOWAIT);
3027 if (!buf)
3028 return;
3029
3030 if (debug)
3031 log(LOG_DEBUG, "%s: ipcp rej opts:",
3032 ifp->if_xname);
3033
3034 p = (void *)(h + 1);
3035 for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
3036 /* Sanity check option length */
3037 if (p[1] > len) {
3038 /* XXX should we just RXJ? */
3039 addlog("%s: malicious IPCP option received, dropping\n",
3040 ifp->if_xname);
3041 goto drop;
3042 }
3043 if (debug)
3044 addlog(" %s", sppp_ipcp_opt_name(*p));
3045 switch (*p) {
3046 case IPCP_OPT_ADDRESS:
3047 /*
3048 * Peer doesn't grok address option. This is
3049 * bad. XXX Should we better give up here?
3050 */
3051 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS);
3052 break;
3053 #ifdef notyet
3054 case IPCP_OPT_COMPRESS:
3055 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS);
3056 break;
3057 #endif
3058 }
3059 }
3060 if (debug)
3061 addlog("\n");
3062 drop:
3063 free(buf, M_TEMP);
3064 return;
3065 }
3066
3067 /*
3068 * Analyze the IPCP Configure-NAK option list, and adjust our
3069 * negotiation.
3070 */
3071 static void
3072 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
3073 {
3074 u_char *p;
3075 struct ifnet *ifp = &sp->pp_if;
3076 int debug = ifp->if_flags & IFF_DEBUG;
3077 uint32_t wantaddr;
3078
3079 len -= 4;
3080
3081 if (debug)
3082 log(LOG_DEBUG, "%s: ipcp nak opts:",
3083 ifp->if_xname);
3084
3085 p = (void *)(h + 1);
3086 for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
3087 /* Sanity check option length */
3088 if (p[1] > len) {
3089 /* XXX should we just RXJ? */
3090 addlog("%s: malicious IPCP option received, dropping\n",
3091 ifp->if_xname);
3092 return;
3093 }
3094 if (debug)
3095 addlog(" %s", sppp_ipcp_opt_name(*p));
3096 switch (*p) {
3097 case IPCP_OPT_ADDRESS:
3098 /*
3099 * Peer doesn't like our local IP address. See
3100 * if we can do something for him. We'll drop
3101 * him our address then.
3102 */
3103 if (len >= 6 && p[1] == 6) {
3104 wantaddr = p[2] << 24 | p[3] << 16 |
3105 p[4] << 8 | p[5];
3106 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS);
3107 if (debug)
3108 addlog(" [wantaddr %s]",
3109 sppp_dotted_quad(wantaddr));
3110 /*
3111 * When doing dynamic address assignment,
3112 * we accept his offer. Otherwise, we
3113 * ignore it and thus continue to negotiate
3114 * our already existing value.
3115 */
3116 if (sp->ipcp.flags & IPCP_MYADDR_DYN) {
3117 if (debug)
3118 addlog(" [agree]");
3119 sp->ipcp.flags |= IPCP_MYADDR_SEEN;
3120 sp->ipcp.req_myaddr = wantaddr;
3121 }
3122 }
3123 break;
3124
3125 case IPCP_OPT_PRIMDNS:
3126 if (len >= 6 && p[1] == 6) {
3127 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 |
3128 p[4] << 8 | p[5];
3129 }
3130 break;
3131
3132 case IPCP_OPT_SECDNS:
3133 if (len >= 6 && p[1] == 6) {
3134 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 |
3135 p[4] << 8 | p[5];
3136 }
3137 break;
3138 #ifdef notyet
3139 case IPCP_OPT_COMPRESS:
3140 /*
3141 * Peer wants different compression parameters.
3142 */
3143 break;
3144 #endif
3145 }
3146 }
3147 if (debug)
3148 addlog("\n");
3149 }
3150
3151 static void
3152 sppp_ipcp_tlu(struct sppp *sp)
3153 {
3154 #ifdef INET
3155 /* we are up. Set addresses and notify anyone interested */
3156 STDDCL;
3157 uint32_t myaddr, hisaddr;
3158
3159 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0);
3160 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN))
3161 myaddr = sp->ipcp.req_myaddr;
3162 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN))
3163 hisaddr = sp->ipcp.req_hisaddr;
3164 sppp_set_ip_addrs(sp, myaddr, hisaddr);
3165
3166 if (ifp->if_mtu > sp->lcp.their_mru) {
3167 sp->pp_saved_mtu = ifp->if_mtu;
3168 ifp->if_mtu = sp->lcp.their_mru;
3169 if (debug)
3170 log(LOG_DEBUG,
3171 "%s: setting MTU to %" PRIu64 " bytes\n",
3172 ifp->if_xname, ifp->if_mtu);
3173 }
3174
3175 if (sp->pp_con)
3176 sp->pp_con(sp);
3177 #endif
3178 }
3179
3180 static void
3181 sppp_ipcp_tld(struct sppp *sp)
3182 {
3183 }
3184
3185 static void
3186 sppp_ipcp_tls(struct sppp *sp)
3187 {
3188 /* indicate to LCP that it must stay alive */
3189 sp->lcp.protos |= (1 << IDX_IPCP);
3190 }
3191
3192 static void
3193 sppp_ipcp_tlf(struct sppp *sp)
3194 {
3195 /* we no longer need LCP */
3196 sp->lcp.protos &= ~(1 << IDX_IPCP);
3197 }
3198
3199 static void
3200 sppp_ipcp_scr(struct sppp *sp)
3201 {
3202 char opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */];
3203 #ifdef INET
3204 uint32_t ouraddr;
3205 #endif
3206 int i = 0;
3207
3208 #ifdef notyet
3209 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) {
3210 opt[i++] = IPCP_OPT_COMPRESSION;
3211 opt[i++] = 6;
3212 opt[i++] = 0; /* VJ header compression */
3213 opt[i++] = 0x2d; /* VJ header compression */
3214 opt[i++] = max_slot_id;
3215 opt[i++] = comp_slot_id;
3216 }
3217 #endif
3218
3219 #ifdef INET
3220 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) {
3221 if (sp->ipcp.flags & IPCP_MYADDR_SEEN)
3222 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */
3223 else
3224 sppp_get_ip_addrs(sp, &ouraddr, 0, 0);
3225 opt[i++] = IPCP_OPT_ADDRESS;
3226 opt[i++] = 6;
3227 opt[i++] = ouraddr >> 24;
3228 opt[i++] = ouraddr >> 16;
3229 opt[i++] = ouraddr >> 8;
3230 opt[i++] = ouraddr;
3231 }
3232 #endif
3233
3234 if (sp->query_dns & 1) {
3235 opt[i++] = IPCP_OPT_PRIMDNS;
3236 opt[i++] = 6;
3237 opt[i++] = sp->dns_addrs[0] >> 24;
3238 opt[i++] = sp->dns_addrs[0] >> 16;
3239 opt[i++] = sp->dns_addrs[0] >> 8;
3240 opt[i++] = sp->dns_addrs[0];
3241 }
3242 if (sp->query_dns & 2) {
3243 opt[i++] = IPCP_OPT_SECDNS;
3244 opt[i++] = 6;
3245 opt[i++] = sp->dns_addrs[1] >> 24;
3246 opt[i++] = sp->dns_addrs[1] >> 16;
3247 opt[i++] = sp->dns_addrs[1] >> 8;
3248 opt[i++] = sp->dns_addrs[1];
3249 }
3250
3251 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP];
3252 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt);
3253 }
3254
3255
3256 /*
3257 *--------------------------------------------------------------------------*
3258 * *
3259 * The IPv6CP implementation. *
3260 * *
3261 *--------------------------------------------------------------------------*
3262 */
3263
3264 #ifdef INET6
3265 static void
3266 sppp_ipv6cp_init(struct sppp *sp)
3267 {
3268 sp->ipv6cp.opts = 0;
3269 sp->ipv6cp.flags = 0;
3270 sp->state[IDX_IPV6CP] = STATE_INITIAL;
3271 sp->fail_counter[IDX_IPV6CP] = 0;
3272 sp->pp_seq[IDX_IPV6CP] = 0;
3273 sp->pp_rseq[IDX_IPV6CP] = 0;
3274 callout_init(&sp->ch[IDX_IPV6CP], 0);
3275 }
3276
3277 static void
3278 sppp_ipv6cp_up(struct sppp *sp)
3279 {
3280 sppp_up_event(&ipv6cp, sp);
3281 }
3282
3283 static void
3284 sppp_ipv6cp_down(struct sppp *sp)
3285 {
3286 sppp_down_event(&ipv6cp, sp);
3287 }
3288
3289 static void
3290 sppp_ipv6cp_open(struct sppp *sp)
3291 {
3292 STDDCL;
3293 struct in6_addr myaddr, hisaddr;
3294
3295 #ifdef IPV6CP_MYIFID_DYN
3296 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN);
3297 #else
3298 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN;
3299 #endif
3300
3301 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0);
3302 /*
3303 * If we don't have our address, this probably means our
3304 * interface doesn't want to talk IPv6 at all. (This could
3305 * be the case if somebody wants to speak only IPX, for
3306 * example.) Don't open IPv6CP in this case.
3307 */
3308 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) {
3309 /* XXX this message should go away */
3310 if (debug)
3311 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n",
3312 ifp->if_xname);
3313 return;
3314 }
3315
3316 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN;
3317 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID);
3318 sppp_open_event(&ipv6cp, sp);
3319 }
3320
3321 static void
3322 sppp_ipv6cp_close(struct sppp *sp)
3323 {
3324 sppp_close_event(&ipv6cp, sp);
3325 }
3326
3327 static void
3328 sppp_ipv6cp_TO(void *cookie)
3329 {
3330 sppp_to_event(&ipv6cp, (struct sppp *)cookie);
3331 }
3332
3333 /*
3334 * Analyze a configure request. Return true if it was agreeable, and
3335 * caused action sca, false if it has been rejected or nak'ed, and
3336 * caused action scn. (The return value is used to make the state
3337 * transition decision in the state automaton.)
3338 */
3339 static int
3340 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len)
3341 {
3342 u_char *buf, *r, *p;
3343 struct ifnet *ifp = &sp->pp_if;
3344 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG;
3345 struct in6_addr myaddr, desiredaddr, suggestaddr;
3346 int ifidcount;
3347 int type;
3348 int collision, nohisaddr;
3349
3350 len -= 4;
3351 origlen = len;
3352 /*
3353 * Make sure to allocate a buf that can at least hold a
3354 * conf-nak with an `address' option. We might need it below.
3355 */
3356 buf = r = malloc ((len < 6? 6: len), M_TEMP, M_NOWAIT);
3357 if (! buf)
3358 return (0);
3359
3360 /* pass 1: see if we can recognize them */
3361 if (debug)
3362 log(LOG_DEBUG, "%s: ipv6cp parse opts:",
3363 ifp->if_xname);
3364 p = (void *)(h + 1);
3365 ifidcount = 0;
3366 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
3367 /* Sanity check option length */
3368 if (p[1] > len) {
3369 /* XXX just RXJ? */
3370 addlog("%s: received malicious IPCPv6 option, "
3371 "dropping\n", ifp->if_xname);
3372 goto drop;
3373 }
3374 if (debug)
3375 addlog(" %s", sppp_ipv6cp_opt_name(*p));
3376 switch (*p) {
3377 case IPV6CP_OPT_IFID:
3378 if (len >= 10 && p[1] == 10 && ifidcount == 0) {
3379 /* correctly formed address option */
3380 ifidcount++;
3381 continue;
3382 }
3383 if (debug)
3384 addlog(" [invalid]");
3385 break;
3386 #ifdef notyet
3387 case IPV6CP_OPT_COMPRESSION:
3388 if (len >= 4 && p[1] >= 4) {
3389 /* correctly formed compress option */
3390 continue;
3391 }
3392 if (debug)
3393 addlog(" [invalid]");
3394 break;
3395 #endif
3396 default:
3397 /* Others not supported. */
3398 if (debug)
3399 addlog(" [rej]");
3400 break;
3401 }
3402 /* Add the option to rejected list. */
3403 bcopy (p, r, p[1]);
3404 r += p[1];
3405 rlen += p[1];
3406 }
3407 if (rlen) {
3408 if (debug)
3409 addlog(" send conf-rej\n");
3410 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf);
3411 goto end;
3412 } else if (debug)
3413 addlog("\n");
3414
3415 /* pass 2: parse option values */
3416 sppp_get_ip6_addrs(sp, &myaddr, 0, 0);
3417 if (debug)
3418 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ",
3419 ifp->if_xname);
3420 p = (void *)(h + 1);
3421 len = origlen;
3422 type = CONF_ACK;
3423 for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
3424 if (debug)
3425 addlog(" %s", sppp_ipv6cp_opt_name(*p));
3426 switch (*p) {
3427 #ifdef notyet
3428 case IPV6CP_OPT_COMPRESSION:
3429 continue;
3430 #endif
3431 case IPV6CP_OPT_IFID:
3432 memset(&desiredaddr, 0, sizeof(desiredaddr));
3433 bcopy(&p[2], &desiredaddr.s6_addr[8], 8);
3434 collision = (memcmp(&desiredaddr.s6_addr[8],
3435 &myaddr.s6_addr[8], 8) == 0);
3436 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr);
3437
3438 desiredaddr.s6_addr16[0] = htons(0xfe80);
3439 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL);
3440
3441 if (!collision && !nohisaddr) {
3442 /* no collision, hisaddr known - Conf-Ack */
3443 type = CONF_ACK;
3444
3445 if (debug) {
3446 addlog(" %s [%s]",
3447 ip6_sprintf(&desiredaddr),
3448 sppp_cp_type_name(type));
3449 }
3450 continue;
3451 }
3452
3453 memset(&suggestaddr, 0, sizeof(suggestaddr));
3454 if (collision && nohisaddr) {
3455 /* collision, hisaddr unknown - Conf-Rej */
3456 type = CONF_REJ;
3457 memset(&p[2], 0, 8);
3458 } else {
3459 /*
3460 * - no collision, hisaddr unknown, or
3461 * - collision, hisaddr known
3462 * Conf-Nak, suggest hisaddr
3463 */
3464 type = CONF_NAK;
3465 sppp_suggest_ip6_addr(sp, &suggestaddr);
3466 bcopy(&suggestaddr.s6_addr[8], &p[2], 8);
3467 }
3468 if (debug)
3469 addlog(" %s [%s]", ip6_sprintf(&desiredaddr),
3470 sppp_cp_type_name(type));
3471 break;
3472 }
3473 /* Add the option to nak'ed list. */
3474 bcopy (p, r, p[1]);
3475 r += p[1];
3476 rlen += p[1];
3477 }
3478
3479 if (rlen == 0 && type == CONF_ACK) {
3480 if (debug)
3481 addlog(" send %s\n", sppp_cp_type_name(type));
3482 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1);
3483 } else {
3484 #ifdef notdef
3485 if (type == CONF_ACK)
3486 panic("IPv6CP RCR: CONF_ACK with non-zero rlen");
3487 #endif
3488
3489 if (debug) {
3490 addlog(" send %s suggest %s\n",
3491 sppp_cp_type_name(type), ip6_sprintf(&suggestaddr));
3492 }
3493 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf);
3494 }
3495
3496 end:
3497 free(buf, M_TEMP);
3498 return (rlen == 0);
3499
3500 drop:
3501 free(buf, M_TEMP);
3502 return -1;
3503 }
3504
3505 /*
3506 * Analyze the IPv6CP Configure-Reject option list, and adjust our
3507 * negotiation.
3508 */
3509 static void
3510 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
3511 {
3512 u_char *buf, *p;
3513 struct ifnet *ifp = &sp->pp_if;
3514 int debug = ifp->if_flags & IFF_DEBUG;
3515
3516 len -= 4;
3517 buf = malloc (len, M_TEMP, M_NOWAIT);
3518 if (!buf)
3519 return;
3520
3521 if (debug)
3522 log(LOG_DEBUG, "%s: ipv6cp rej opts:",
3523 ifp->if_xname);
3524
3525 p = (void *)(h + 1);
3526 for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
3527 if (p[1] > len) {
3528 /* XXX just RXJ? */
3529 addlog("%s: received malicious IPCPv6 option, "
3530 "dropping\n", ifp->if_xname);
3531 goto drop;
3532 }
3533 if (debug)
3534 addlog(" %s", sppp_ipv6cp_opt_name(*p));
3535 switch (*p) {
3536 case IPV6CP_OPT_IFID:
3537 /*
3538 * Peer doesn't grok address option. This is
3539 * bad. XXX Should we better give up here?
3540 */
3541 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID);
3542 break;
3543 #ifdef notyet
3544 case IPV6CP_OPT_COMPRESS:
3545 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS);
3546 break;
3547 #endif
3548 }
3549 }
3550 if (debug)
3551 addlog("\n");
3552 drop:
3553 free(buf, M_TEMP);
3554 return;
3555 }
3556
3557 /*
3558 * Analyze the IPv6CP Configure-NAK option list, and adjust our
3559 * negotiation.
3560 */
3561 static void
3562 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
3563 {
3564 u_char *buf, *p;
3565 struct ifnet *ifp = &sp->pp_if;
3566 int debug = ifp->if_flags & IFF_DEBUG;
3567 struct in6_addr suggestaddr;
3568
3569 len -= 4;
3570 buf = malloc (len, M_TEMP, M_NOWAIT);
3571 if (!buf)
3572 return;
3573
3574 if (debug)
3575 log(LOG_DEBUG, "%s: ipv6cp nak opts:",
3576 ifp->if_xname);
3577
3578 p = (void *)(h + 1);
3579 for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
3580 if (p[1] > len) {
3581 /* XXX just RXJ? */
3582 addlog("%s: received malicious IPCPv6 option, "
3583 "dropping\n", ifp->if_xname);
3584 goto drop;
3585 }
3586 if (debug)
3587 addlog(" %s", sppp_ipv6cp_opt_name(*p));
3588 switch (*p) {
3589 case IPV6CP_OPT_IFID:
3590 /*
3591 * Peer doesn't like our local ifid. See
3592 * if we can do something for him. We'll drop
3593 * him our address then.
3594 */
3595 if (len < 10 || p[1] != 10)
3596 break;
3597 memset(&suggestaddr, 0, sizeof(suggestaddr));
3598 suggestaddr.s6_addr16[0] = htons(0xfe80);
3599 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL);
3600 bcopy(&p[2], &suggestaddr.s6_addr[8], 8);
3601
3602 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID);
3603 if (debug)
3604 addlog(" [suggestaddr %s]",
3605 ip6_sprintf(&suggestaddr));
3606 #ifdef IPV6CP_MYIFID_DYN
3607 /*
3608 * When doing dynamic address assignment,
3609 * we accept his offer.
3610 */
3611 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) {
3612 struct in6_addr lastsuggest;
3613 /*
3614 * If <suggested myaddr from peer> equals to
3615 * <hisaddr we have suggested last time>,
3616 * we have a collision. generate new random
3617 * ifid.
3618 */
3619 sppp_suggest_ip6_addr(&lastsuggest);
3620 if (IN6_ARE_ADDR_EQUAL(&suggestaddr,
3621 lastsuggest)) {
3622 if (debug)
3623 addlog(" [random]");
3624 sppp_gen_ip6_addr(sp, &suggestaddr);
3625 }
3626 sppp_set_ip6_addr(sp, &suggestaddr, 0);
3627 if (debug)
3628 addlog(" [agree]");
3629 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN;
3630 }
3631 #else
3632 /*
3633 * Since we do not do dynamic address assignment,
3634 * we ignore it and thus continue to negotiate
3635 * our already existing value. This can possibly
3636 * go into infinite request-reject loop.
3637 *
3638 * This is not likely because we normally use
3639 * ifid based on MAC-address.
3640 * If you have no ethernet card on the node, too bad.
3641 * XXX should we use fail_counter?
3642 */
3643 #endif
3644 break;
3645 #ifdef notyet
3646 case IPV6CP_OPT_COMPRESS:
3647 /*
3648 * Peer wants different compression parameters.
3649 */
3650 break;
3651 #endif
3652 }
3653 }
3654 if (debug)
3655 addlog("\n");
3656 drop:
3657 free(buf, M_TEMP);
3658 return;
3659 }
3660
3661 static void
3662 sppp_ipv6cp_tlu(struct sppp *sp)
3663 {
3664 /* we are up - notify isdn daemon */
3665 if (sp->pp_con)
3666 sp->pp_con(sp);
3667 }
3668
3669 static void
3670 sppp_ipv6cp_tld(struct sppp *sp)
3671 {
3672 }
3673
3674 static void
3675 sppp_ipv6cp_tls(struct sppp *sp)
3676 {
3677 /* indicate to LCP that it must stay alive */
3678 sp->lcp.protos |= (1 << IDX_IPV6CP);
3679 }
3680
3681 static void
3682 sppp_ipv6cp_tlf(struct sppp *sp)
3683 {
3684 /* we no longer need LCP */
3685 sp->lcp.protos &= ~(1 << IDX_IPV6CP);
3686 }
3687
3688 static void
3689 sppp_ipv6cp_scr(struct sppp *sp)
3690 {
3691 char opt[10 /* ifid */ + 4 /* compression, minimum */];
3692 struct in6_addr ouraddr;
3693 int i = 0;
3694
3695 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) {
3696 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0);
3697 opt[i++] = IPV6CP_OPT_IFID;
3698 opt[i++] = 10;
3699 bcopy(&ouraddr.s6_addr[8], &opt[i], 8);
3700 i += 8;
3701 }
3702
3703 #ifdef notyet
3704 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) {
3705 opt[i++] = IPV6CP_OPT_COMPRESSION;
3706 opt[i++] = 4;
3707 opt[i++] = 0; /* TBD */
3708 opt[i++] = 0; /* TBD */
3709 /* variable length data may follow */
3710 }
3711 #endif
3712
3713 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP];
3714 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt);
3715 }
3716 #else /*INET6*/
3717 static void
3718 sppp_ipv6cp_init(struct sppp *sp)
3719 {
3720 }
3721
3722 static void
3723 sppp_ipv6cp_up(struct sppp *sp)
3724 {
3725 }
3726
3727 static void
3728 sppp_ipv6cp_down(struct sppp *sp)
3729 {
3730 }
3731
3732 static void
3733 sppp_ipv6cp_open(struct sppp *sp)
3734 {
3735 }
3736
3737 static void
3738 sppp_ipv6cp_close(struct sppp *sp)
3739 {
3740 }
3741
3742 static void
3743 sppp_ipv6cp_TO(void *sp)
3744 {
3745 }
3746
3747 static int
3748 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h,
3749 int len)
3750 {
3751 return 0;
3752 }
3753
3754 static void
3755 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h,
3756 int len)
3757 {
3758 }
3759
3760 static void
3761 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h,
3762 int len)
3763 {
3764 }
3765
3766 static void
3767 sppp_ipv6cp_tlu(struct sppp *sp)
3768 {
3769 }
3770
3771 static void
3772 sppp_ipv6cp_tld(struct sppp *sp)
3773 {
3774 }
3775
3776 static void
3777 sppp_ipv6cp_tls(struct sppp *sp)
3778 {
3779 }
3780
3781 static void
3782 sppp_ipv6cp_tlf(struct sppp *sp)
3783 {
3784 }
3785
3786 static void
3787 sppp_ipv6cp_scr(struct sppp *sp)
3788 {
3789 }
3790 #endif /*INET6*/
3791
3792
3793 /*
3794 *--------------------------------------------------------------------------*
3795 * *
3796 * The CHAP implementation. *
3797 * *
3798 *--------------------------------------------------------------------------*
3799 */
3800
3801 /*
3802 * The authentication protocols don't employ a full-fledged state machine as
3803 * the control protocols do, since they do have Open and Close events, but
3804 * not Up and Down, nor are they explicitly terminated. Also, use of the
3805 * authentication protocols may be different in both directions (this makes
3806 * sense, think of a machine that never accepts incoming calls but only
3807 * calls out, it doesn't require the called party to authenticate itself).
3808 *
3809 * Our state machine for the local authentication protocol (we are requesting
3810 * the peer to authenticate) looks like:
3811 *
3812 * RCA-
3813 * +--------------------------------------------+
3814 * V scn,tld|
3815 * +--------+ Close +---------+ RCA+
3816 * | |<----------------------------------| |------+
3817 * +--->| Closed | TO* | Opened | sca |
3818 * | | |-----+ +-------| |<-----+
3819 * | +--------+ irc | | +---------+
3820 * | ^ | | ^
3821 * | | | | |
3822 * | | | | |
3823 * | TO-| | | |
3824 * | |tld TO+ V | |
3825 * | | +------->+ | |
3826 * | | | | | |
3827 * | +--------+ V | |
3828 * | | |<----+<--------------------+ |
3829 * | | Req- | scr |
3830 * | | Sent | |
3831 * | | | |
3832 * | +--------+ |
3833 * | RCA- | | RCA+ |
3834 * +------+ +------------------------------------------+
3835 * scn,tld sca,irc,ict,tlu
3836 *
3837 *
3838 * with:
3839 *
3840 * Open: LCP reached authentication phase
3841 * Close: LCP reached terminate phase
3842 *
3843 * RCA+: received reply (pap-req, chap-response), acceptable
3844 * RCN: received reply (pap-req, chap-response), not acceptable
3845 * TO+: timeout with restart counter >= 0
3846 * TO-: timeout with restart counter < 0
3847 * TO*: reschedule timeout for CHAP
3848 *
3849 * scr: send request packet (none for PAP, chap-challenge)
3850 * sca: send ack packet (pap-ack, chap-success)
3851 * scn: send nak packet (pap-nak, chap-failure)
3852 * ict: initialize re-challenge timer (CHAP only)
3853 *
3854 * tlu: this-layer-up, LCP reaches network phase
3855 * tld: this-layer-down, LCP enters terminate phase
3856 *
3857 * Note that in CHAP mode, after sending a new challenge, while the state
3858 * automaton falls back into Req-Sent state, it doesn't signal a tld
3859 * event to LCP, so LCP remains in network phase. Only after not getting
3860 * any response (or after getting an unacceptable response), CHAP closes,
3861 * causing LCP to enter terminate phase.
3862 *
3863 * With PAP, there is no initial request that can be sent. The peer is
3864 * expected to send one based on the successful negotiation of PAP as
3865 * the authentication protocol during the LCP option negotiation.
3866 *
3867 * Incoming authentication protocol requests (remote requests
3868 * authentication, we are peer) don't employ a state machine at all,
3869 * they are simply answered. Some peers [Ascend P50 firmware rev
3870 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are
3871 * still in authentication phase (thereby violating the standard that
3872 * demands that these NCP packets are to be discarded), so we keep
3873 * track of the peer demanding us to authenticate, and only proceed to
3874 * phase network once we've seen a positive acknowledge for the
3875 * authentication.
3876 */
3877
3878 /*
3879 * Handle incoming CHAP packets.
3880 */
3881 void
3882 sppp_chap_input(struct sppp *sp, struct mbuf *m)
3883 {
3884 STDDCL;
3885 struct lcp_header *h;
3886 int len, x;
3887 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize;
3888 int value_len, name_len;
3889 MD5_CTX ctx;
3890
3891 len = m->m_pkthdr.len;
3892 if (len < 4) {
3893 if (debug)
3894 log(LOG_DEBUG,
3895 "%s: chap invalid packet length: %d bytes\n",
3896 ifp->if_xname, len);
3897 return;
3898 }
3899 h = mtod(m, struct lcp_header *);
3900 if (len > ntohs(h->len))
3901 len = ntohs(h->len);
3902
3903 switch (h->type) {
3904 /* challenge, failure and success are his authproto */
3905 case CHAP_CHALLENGE:
3906 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) {
3907 /* can't do anything usefull */
3908 sp->pp_auth_failures++;
3909 printf("%s: chap input without my name and my secret being set\n",
3910 ifp->if_xname);
3911 break;
3912 }
3913 value = 1 + (u_char *)(h + 1);
3914 value_len = value[-1];
3915 name = value + value_len;
3916 name_len = len - value_len - 5;
3917 if (name_len < 0) {
3918 if (debug) {
3919 log(LOG_DEBUG,
3920 "%s: chap corrupted challenge "
3921 "<%s id=0x%x len=%d",
3922 ifp->if_xname,
3923 sppp_auth_type_name(PPP_CHAP, h->type),
3924 h->ident, ntohs(h->len));
3925 if (len > 4)
3926 sppp_print_bytes((u_char *)(h + 1),
3927 len - 4);
3928 addlog(">\n");
3929 }
3930 break;
3931 }
3932
3933 if (debug) {
3934 log(LOG_DEBUG,
3935 "%s: chap input <%s id=0x%x len=%d name=",
3936 ifp->if_xname,
3937 sppp_auth_type_name(PPP_CHAP, h->type), h->ident,
3938 ntohs(h->len));
3939 sppp_print_string((char *) name, name_len);
3940 addlog(" value-size=%d value=", value_len);
3941 sppp_print_bytes(value, value_len);
3942 addlog(">\n");
3943 }
3944
3945 /* Compute reply value. */
3946 MD5Init(&ctx);
3947 MD5Update(&ctx, &h->ident, 1);
3948 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len);
3949 MD5Update(&ctx, value, value_len);
3950 MD5Final(digest, &ctx);
3951 dsize = sizeof digest;
3952
3953 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident,
3954 sizeof dsize, (const char *)&dsize,
3955 sizeof digest, digest,
3956 sp->myauth.name_len,
3957 sp->myauth.name,
3958 0);
3959 break;
3960
3961 case CHAP_SUCCESS:
3962 if (debug) {
3963 log(LOG_DEBUG, "%s: chap success",
3964 ifp->if_xname);
3965 if (len > 4) {
3966 addlog(": ");
3967 sppp_print_string((char *)(h + 1), len - 4);
3968 }
3969 addlog("\n");
3970 }
3971 x = splnet();
3972 sp->pp_auth_failures = 0;
3973 sp->pp_flags &= ~PP_NEEDAUTH;
3974 if (sp->myauth.proto == PPP_CHAP &&
3975 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) &&
3976 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) {
3977 /*
3978 * We are authenticator for CHAP but didn't
3979 * complete yet. Leave it to tlu to proceed
3980 * to network phase.
3981 */
3982 splx(x);
3983 break;
3984 }
3985 splx(x);
3986 sppp_phase_network(sp);
3987 break;
3988
3989 case CHAP_FAILURE:
3990 x = splnet();
3991 sp->pp_auth_failures++;
3992 splx(x);
3993 if (debug) {
3994 log(LOG_INFO, "%s: chap failure",
3995 ifp->if_xname);
3996 if (len > 4) {
3997 addlog(": ");
3998 sppp_print_string((char *)(h + 1), len - 4);
3999 }
4000 addlog("\n");
4001 } else
4002 log(LOG_INFO, "%s: chap failure\n",
4003 ifp->if_xname);
4004 /* await LCP shutdown by authenticator */
4005 break;
4006
4007 /* response is my authproto */
4008 case CHAP_RESPONSE:
4009 if (sp->hisauth.secret == NULL) {
4010 /* can't do anything usefull */
4011 printf("%s: chap input without his secret being set\n",
4012 ifp->if_xname);
4013 break;
4014 }
4015 value = 1 + (u_char *)(h + 1);
4016 value_len = value[-1];
4017 name = value + value_len;
4018 name_len = len - value_len - 5;
4019 if (name_len < 0) {
4020 if (debug) {
4021 log(LOG_DEBUG,
4022 "%s: chap corrupted response "
4023 "<%s id=0x%x len=%d",
4024 ifp->if_xname,
4025 sppp_auth_type_name(PPP_CHAP, h->type),
4026 h->ident, ntohs(h->len));
4027 if (len > 4)
4028 sppp_print_bytes((u_char *)(h + 1),
4029 len - 4);
4030 addlog(">\n");
4031 }
4032 break;
4033 }
4034 if (h->ident != sp->confid[IDX_CHAP]) {
4035 if (debug)
4036 log(LOG_DEBUG,
4037 "%s: chap dropping response for old ID "
4038 "(got %d, expected %d)\n",
4039 ifp->if_xname,
4040 h->ident, sp->confid[IDX_CHAP]);
4041 break;
4042 }
4043 if (sp->hisauth.name != NULL &&
4044 (name_len != sp->hisauth.name_len
4045 || memcmp(name, sp->hisauth.name, name_len) != 0)) {
4046 log(LOG_INFO, "%s: chap response, his name ",
4047 ifp->if_xname);
4048 sppp_print_string(name, name_len);
4049 addlog(" != expected ");
4050 sppp_print_string(sp->hisauth.name,
4051 sp->hisauth.name_len);
4052 addlog("\n");
4053 goto chap_failure;
4054 }
4055 if (debug) {
4056 log(LOG_DEBUG, "%s: chap input(%s) "
4057 "<%s id=0x%x len=%d name=",
4058 ifp->if_xname,
4059 sppp_state_name(sp->state[IDX_CHAP]),
4060 sppp_auth_type_name(PPP_CHAP, h->type),
4061 h->ident, ntohs(h->len));
4062 sppp_print_string((char *)name, name_len);
4063 addlog(" value-size=%d value=", value_len);
4064 sppp_print_bytes(value, value_len);
4065 addlog(">\n");
4066 }
4067 if (value_len != sizeof(sp->myauth.challenge)) {
4068 if (debug)
4069 log(LOG_DEBUG,
4070 "%s: chap bad hash value length: "
4071 "%d bytes, should be %ld\n",
4072 ifp->if_xname, value_len,
4073 (long) sizeof(sp->myauth.challenge));
4074 goto chap_failure;
4075 }
4076
4077 MD5Init(&ctx);
4078 MD5Update(&ctx, &h->ident, 1);
4079 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len);
4080 MD5Update(&ctx, sp->myauth.challenge, sizeof(sp->myauth.challenge));
4081 MD5Final(digest, &ctx);
4082
4083 #define FAILMSG "Failed..."
4084 #define SUCCMSG "Welcome!"
4085
4086 if (value_len != sizeof digest ||
4087 memcmp(digest, value, value_len) != 0) {
4088 chap_failure:
4089 /* action scn, tld */
4090 x = splnet();
4091 sp->pp_auth_failures++;
4092 splx(x);
4093 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident,
4094 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG,
4095 0);
4096 chap.tld(sp);
4097 break;
4098 }
4099 sp->pp_auth_failures = 0;
4100 /* action sca, perhaps tlu */
4101 if (sp->state[IDX_CHAP] == STATE_REQ_SENT ||
4102 sp->state[IDX_CHAP] == STATE_OPENED)
4103 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident,
4104 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG,
4105 0);
4106 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) {
4107 sppp_cp_change_state(&chap, sp, STATE_OPENED);
4108 chap.tlu(sp);
4109 }
4110 break;
4111
4112 default:
4113 /* Unknown CHAP packet type -- ignore. */
4114 if (debug) {
4115 log(LOG_DEBUG, "%s: chap unknown input(%s) "
4116 "<0x%x id=0x%xh len=%d",
4117 ifp->if_xname,
4118 sppp_state_name(sp->state[IDX_CHAP]),
4119 h->type, h->ident, ntohs(h->len));
4120 if (len > 4)
4121 sppp_print_bytes((u_char *)(h + 1), len - 4);
4122 addlog(">\n");
4123 }
4124 break;
4125
4126 }
4127 }
4128
4129 static void
4130 sppp_chap_init(struct sppp *sp)
4131 {
4132 /* Chap doesn't have STATE_INITIAL at all. */
4133 sp->state[IDX_CHAP] = STATE_CLOSED;
4134 sp->fail_counter[IDX_CHAP] = 0;
4135 sp->pp_seq[IDX_CHAP] = 0;
4136 sp->pp_rseq[IDX_CHAP] = 0;
4137 callout_init(&sp->ch[IDX_CHAP], 0);
4138 }
4139
4140 static void
4141 sppp_chap_open(struct sppp *sp)
4142 {
4143 if (sp->myauth.proto == PPP_CHAP &&
4144 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) {
4145 /* we are authenticator for CHAP, start it */
4146 chap.scr(sp);
4147 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure;
4148 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT);
4149 }
4150 /* nothing to be done if we are peer, await a challenge */
4151 }
4152
4153 static void
4154 sppp_chap_close(struct sppp *sp)
4155 {
4156 if (sp->state[IDX_CHAP] != STATE_CLOSED)
4157 sppp_cp_change_state(&chap, sp, STATE_CLOSED);
4158 }
4159
4160 static void
4161 sppp_chap_TO(void *cookie)
4162 {
4163 struct sppp *sp = (struct sppp *)cookie;
4164 STDDCL;
4165 int s;
4166
4167 s = splnet();
4168 if (debug)
4169 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n",
4170 ifp->if_xname,
4171 sppp_state_name(sp->state[IDX_CHAP]),
4172 sp->rst_counter[IDX_CHAP]);
4173
4174 if (--sp->rst_counter[IDX_CHAP] < 0)
4175 /* TO- event */
4176 switch (sp->state[IDX_CHAP]) {
4177 case STATE_REQ_SENT:
4178 chap.tld(sp);
4179 sppp_cp_change_state(&chap, sp, STATE_CLOSED);
4180 break;
4181 }
4182 else
4183 /* TO+ (or TO*) event */
4184 switch (sp->state[IDX_CHAP]) {
4185 case STATE_OPENED:
4186 /* TO* event */
4187 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure;
4188 /* fall through */
4189 case STATE_REQ_SENT:
4190 chap.scr(sp);
4191 /* sppp_cp_change_state() will restart the timer */
4192 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT);
4193 break;
4194 }
4195
4196 splx(s);
4197 }
4198
4199 static void
4200 sppp_chap_tlu(struct sppp *sp)
4201 {
4202 STDDCL;
4203 int i, x;
4204
4205 i = 0;
4206 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure;
4207
4208 /*
4209 * Some broken CHAP implementations (Conware CoNet, firmware
4210 * 4.0.?) don't want to re-authenticate their CHAP once the
4211 * initial challenge-response exchange has taken place.
4212 * Provide for an option to avoid rechallenges.
4213 */
4214 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) {
4215 /*
4216 * Compute the re-challenge timeout. This will yield
4217 * a number between 300 and 810 seconds.
4218 */
4219 i = 300 + ((unsigned)(arc4random() & 0xff00) >> 7);
4220
4221 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp);
4222 }
4223
4224 if (debug) {
4225 log(LOG_DEBUG,
4226 "%s: chap %s, ",
4227 ifp->if_xname,
4228 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu");
4229 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0)
4230 addlog("next re-challenge in %d seconds\n", i);
4231 else
4232 addlog("re-challenging supressed\n");
4233 }
4234
4235 x = splnet();
4236 sp->pp_auth_failures = 0;
4237 /* indicate to LCP that we need to be closed down */
4238 sp->lcp.protos |= (1 << IDX_CHAP);
4239
4240 if (sp->pp_flags & PP_NEEDAUTH) {
4241 /*
4242 * Remote is authenticator, but his auth proto didn't
4243 * complete yet. Defer the transition to network
4244 * phase.
4245 */
4246 splx(x);
4247 return;
4248 }
4249 splx(x);
4250
4251 /*
4252 * If we are already in phase network, we are done here. This
4253 * is the case if this is a dummy tlu event after a re-challenge.
4254 */
4255 if (sp->pp_phase != SPPP_PHASE_NETWORK)
4256 sppp_phase_network(sp);
4257 }
4258
4259 static void
4260 sppp_chap_tld(struct sppp *sp)
4261 {
4262 STDDCL;
4263
4264 if (debug)
4265 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname);
4266 callout_stop(&sp->ch[IDX_CHAP]);
4267 sp->lcp.protos &= ~(1 << IDX_CHAP);
4268
4269 lcp.Close(sp);
4270 }
4271
4272 static void
4273 sppp_chap_scr(struct sppp *sp)
4274 {
4275 uint32_t *ch;
4276 u_char clen;
4277
4278 if (sp->myauth.name == NULL) {
4279 /* can't do anything usefull */
4280 printf("%s: chap starting without my name being set\n",
4281 sp->pp_if.if_xname);
4282 return;
4283 }
4284
4285 /* Compute random challenge. */
4286 ch = (uint32_t *)sp->myauth.challenge;
4287 ch[0] = arc4random();
4288 ch[1] = arc4random();
4289 ch[2] = arc4random();
4290 ch[3] = arc4random();
4291 clen = 16; /* 4 * sizeof(uint32_t) */
4292
4293 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP];
4294
4295 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP],
4296 sizeof clen, (const char *)&clen,
4297 sizeof(sp->myauth.challenge), sp->myauth.challenge,
4298 sp->myauth.name_len,
4299 sp->myauth.name,
4300 0);
4301 }
4302
4303 /*
4304 *--------------------------------------------------------------------------*
4305 * *
4306 * The PAP implementation. *
4307 * *
4308 *--------------------------------------------------------------------------*
4309 */
4310 /*
4311 * For PAP, we need to keep a little state also if we are the peer, not the
4312 * authenticator. This is since we don't get a request to authenticate, but
4313 * have to repeatedly authenticate ourself until we got a response (or the
4314 * retry counter is expired).
4315 */
4316
4317 /*
4318 * Handle incoming PAP packets. */
4319 static void
4320 sppp_pap_input(struct sppp *sp, struct mbuf *m)
4321 {
4322 STDDCL;
4323 struct lcp_header *h;
4324 int len, x;
4325 u_char mlen;
4326 char *name, *secret;
4327 int name_len, secret_len;
4328
4329 /*
4330 * Malicious input might leave this uninitialized, so
4331 * init to an impossible value.
4332 */
4333 secret_len = -1;
4334
4335 len = m->m_pkthdr.len;
4336 if (len < 5) {
4337 if (debug)
4338 log(LOG_DEBUG,
4339 "%s: pap invalid packet length: %d bytes\n",
4340 ifp->if_xname, len);
4341 return;
4342 }
4343 h = mtod(m, struct lcp_header *);
4344 if (len > ntohs(h->len))
4345 len = ntohs(h->len);
4346 switch (h->type) {
4347 /* PAP request is my authproto */
4348 case PAP_REQ:
4349 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) {
4350 /* can't do anything usefull */
4351 printf("%s: pap request without his name and his secret being set\n",
4352 ifp->if_xname);
4353 break;
4354 }
4355 name = 1 + (u_char *)(h + 1);
4356 name_len = name[-1];
4357 secret = name + name_len + 1;
4358 if (name_len > len - 6 ||
4359 (secret_len = secret[-1]) > len - 6 - name_len) {
4360 if (debug) {
4361 log(LOG_DEBUG, "%s: pap corrupted input "
4362 "<%s id=0x%x len=%d",
4363 ifp->if_xname,
4364 sppp_auth_type_name(PPP_PAP, h->type),
4365 h->ident, ntohs(h->len));
4366 if (len > 4)
4367 sppp_print_bytes((u_char *)(h + 1),
4368 len - 4);
4369 addlog(">\n");
4370 }
4371 break;
4372 }
4373 if (debug) {
4374 log(LOG_DEBUG, "%s: pap input(%s) "
4375 "<%s id=0x%x len=%d name=",
4376 ifp->if_xname,
4377 sppp_state_name(sp->state[IDX_PAP]),
4378 sppp_auth_type_name(PPP_PAP, h->type),
4379 h->ident, ntohs(h->len));
4380 sppp_print_string((char *)name, name_len);
4381 addlog(" secret=");
4382 sppp_print_string((char *)secret, secret_len);
4383 addlog(">\n");
4384 }
4385 if (name_len != sp->hisauth.name_len ||
4386 secret_len != sp->hisauth.secret_len ||
4387 memcmp(name, sp->hisauth.name, name_len) != 0 ||
4388 memcmp(secret, sp->hisauth.secret, secret_len) != 0) {
4389 /* action scn, tld */
4390 sp->pp_auth_failures++;
4391 mlen = sizeof(FAILMSG) - 1;
4392 sppp_auth_send(&pap, sp, PAP_NAK, h->ident,
4393 sizeof mlen, (const char *)&mlen,
4394 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG,
4395 0);
4396 pap.tld(sp);
4397 break;
4398 }
4399 /* action sca, perhaps tlu */
4400 if (sp->state[IDX_PAP] == STATE_REQ_SENT ||
4401 sp->state[IDX_PAP] == STATE_OPENED) {
4402 mlen = sizeof(SUCCMSG) - 1;
4403 sppp_auth_send(&pap, sp, PAP_ACK, h->ident,
4404 sizeof mlen, (const char *)&mlen,
4405 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG,
4406 0);
4407 }
4408 if (sp->state[IDX_PAP] == STATE_REQ_SENT) {
4409 sppp_cp_change_state(&pap, sp, STATE_OPENED);
4410 pap.tlu(sp);
4411 }
4412 break;
4413
4414 /* ack and nak are his authproto */
4415 case PAP_ACK:
4416 callout_stop(&sp->pap_my_to_ch);
4417 if (debug) {
4418 log(LOG_DEBUG, "%s: pap success",
4419 ifp->if_xname);
4420 name = 1 + (u_char *)(h + 1);
4421 name_len = name[-1];
4422 if (len > 5 && name_len < len+4) {
4423 addlog(": ");
4424 sppp_print_string(name, name_len);
4425 }
4426 addlog("\n");
4427 }
4428 x = splnet();
4429 sp->pp_auth_failures = 0;
4430 sp->pp_flags &= ~PP_NEEDAUTH;
4431 if (sp->myauth.proto == PPP_PAP &&
4432 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) &&
4433 (sp->lcp.protos & (1 << IDX_PAP)) == 0) {
4434 /*
4435 * We are authenticator for PAP but didn't
4436 * complete yet. Leave it to tlu to proceed
4437 * to network phase.
4438 */
4439 splx(x);
4440 break;
4441 }
4442 splx(x);
4443 sppp_phase_network(sp);
4444 break;
4445
4446 case PAP_NAK:
4447 callout_stop(&sp->pap_my_to_ch);
4448 sp->pp_auth_failures++;
4449 if (debug) {
4450 log(LOG_INFO, "%s: pap failure",
4451 ifp->if_xname);
4452 name = 1 + (u_char *)(h + 1);
4453 name_len = name[-1];
4454 if (len > 5 && name_len < len+4) {
4455 addlog(": ");
4456 sppp_print_string(name, name_len);
4457 }
4458 addlog("\n");
4459 } else
4460 log(LOG_INFO, "%s: pap failure\n",
4461 ifp->if_xname);
4462 /* await LCP shutdown by authenticator */
4463 break;
4464
4465 default:
4466 /* Unknown PAP packet type -- ignore. */
4467 if (debug) {
4468 log(LOG_DEBUG, "%s: pap corrupted input "
4469 "<0x%x id=0x%x len=%d",
4470 ifp->if_xname,
4471 h->type, h->ident, ntohs(h->len));
4472 if (len > 4)
4473 sppp_print_bytes((u_char *)(h + 1), len - 4);
4474 addlog(">\n");
4475 }
4476 break;
4477
4478 }
4479 }
4480
4481 static void
4482 sppp_pap_init(struct sppp *sp)
4483 {
4484 /* PAP doesn't have STATE_INITIAL at all. */
4485 sp->state[IDX_PAP] = STATE_CLOSED;
4486 sp->fail_counter[IDX_PAP] = 0;
4487 sp->pp_seq[IDX_PAP] = 0;
4488 sp->pp_rseq[IDX_PAP] = 0;
4489 callout_init(&sp->ch[IDX_PAP], 0);
4490 callout_init(&sp->pap_my_to_ch, 0);
4491 }
4492
4493 static void
4494 sppp_pap_open(struct sppp *sp)
4495 {
4496 if (sp->hisauth.proto == PPP_PAP &&
4497 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) {
4498 /* we are authenticator for PAP, start our timer */
4499 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure;
4500 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT);
4501 }
4502 if (sp->myauth.proto == PPP_PAP) {
4503 /* we are peer, send a request, and start a timer */
4504 pap.scr(sp);
4505 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout,
4506 sppp_pap_my_TO, sp);
4507 }
4508 }
4509
4510 static void
4511 sppp_pap_close(struct sppp *sp)
4512 {
4513 if (sp->state[IDX_PAP] != STATE_CLOSED)
4514 sppp_cp_change_state(&pap, sp, STATE_CLOSED);
4515 }
4516
4517 /*
4518 * That's the timeout routine if we are authenticator. Since the
4519 * authenticator is basically passive in PAP, we can't do much here.
4520 */
4521 static void
4522 sppp_pap_TO(void *cookie)
4523 {
4524 struct sppp *sp = (struct sppp *)cookie;
4525 STDDCL;
4526 int s;
4527
4528 s = splnet();
4529 if (debug)
4530 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n",
4531 ifp->if_xname,
4532 sppp_state_name(sp->state[IDX_PAP]),
4533 sp->rst_counter[IDX_PAP]);
4534
4535 if (--sp->rst_counter[IDX_PAP] < 0)
4536 /* TO- event */
4537 switch (sp->state[IDX_PAP]) {
4538 case STATE_REQ_SENT:
4539 pap.tld(sp);
4540 sppp_cp_change_state(&pap, sp, STATE_CLOSED);
4541 break;
4542 }
4543 else
4544 /* TO+ event, not very much we could do */
4545 switch (sp->state[IDX_PAP]) {
4546 case STATE_REQ_SENT:
4547 /* sppp_cp_change_state() will restart the timer */
4548 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT);
4549 break;
4550 }
4551
4552 splx(s);
4553 }
4554
4555 /*
4556 * That's the timeout handler if we are peer. Since the peer is active,
4557 * we need to retransmit our PAP request since it is apparently lost.
4558 * XXX We should impose a max counter.
4559 */
4560 static void
4561 sppp_pap_my_TO(void *cookie)
4562 {
4563 struct sppp *sp = (struct sppp *)cookie;
4564 STDDCL;
4565
4566 if (debug)
4567 log(LOG_DEBUG, "%s: pap peer TO\n",
4568 ifp->if_xname);
4569
4570 pap.scr(sp);
4571 }
4572
4573 static void
4574 sppp_pap_tlu(struct sppp *sp)
4575 {
4576 STDDCL;
4577 int x;
4578
4579 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure;
4580
4581 if (debug)
4582 log(LOG_DEBUG, "%s: %s tlu\n",
4583 ifp->if_xname, pap.name);
4584
4585 x = splnet();
4586 sp->pp_auth_failures = 0;
4587 /* indicate to LCP that we need to be closed down */
4588 sp->lcp.protos |= (1 << IDX_PAP);
4589
4590 if (sp->pp_flags & PP_NEEDAUTH) {
4591 /*
4592 * Remote is authenticator, but his auth proto didn't
4593 * complete yet. Defer the transition to network
4594 * phase.
4595 */
4596 splx(x);
4597 return;
4598 }
4599 splx(x);
4600 sppp_phase_network(sp);
4601 }
4602
4603 static void
4604 sppp_pap_tld(struct sppp *sp)
4605 {
4606 STDDCL;
4607
4608 if (debug)
4609 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname);
4610 callout_stop(&sp->ch[IDX_PAP]);
4611 callout_stop(&sp->pap_my_to_ch);
4612 sp->lcp.protos &= ~(1 << IDX_PAP);
4613
4614 lcp.Close(sp);
4615 }
4616
4617 static void
4618 sppp_pap_scr(struct sppp *sp)
4619 {
4620 u_char idlen, pwdlen;
4621
4622 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) {
4623 /* can't do anything usefull */
4624 printf("%s: pap starting without my name and secret being set\n",
4625 sp->pp_if.if_xname);
4626 return;
4627 }
4628
4629 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP];
4630 pwdlen = sp->myauth.secret_len;
4631 idlen = sp->myauth.name_len;
4632
4633 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP],
4634 sizeof idlen, (const char *)&idlen,
4635 idlen, sp->myauth.name,
4636 sizeof pwdlen, (const char *)&pwdlen,
4637 pwdlen, sp->myauth.secret,
4638 0);
4639 }
4640
4641 /*
4642 * Random miscellaneous functions.
4643 */
4644
4645 /*
4646 * Send a PAP or CHAP proto packet.
4647 *
4648 * Varadic function, each of the elements for the ellipsis is of type
4649 * ``size_t mlen, const u_char *msg''. Processing will stop iff
4650 * mlen == 0.
4651 * NOTE: never declare variadic functions with types subject to type
4652 * promotion (i.e. u_char). This is asking for big trouble depending
4653 * on the architecture you are on...
4654 */
4655
4656 static void
4657 sppp_auth_send(const struct cp *cp, struct sppp *sp,
4658 unsigned int type, unsigned int id,
4659 ...)
4660 {
4661 STDDCL;
4662 struct lcp_header *lh;
4663 struct mbuf *m;
4664 u_char *p;
4665 int len;
4666 size_t pkthdrlen;
4667 unsigned int mlen;
4668 const char *msg;
4669 va_list ap;
4670
4671 MGETHDR(m, M_DONTWAIT, MT_DATA);
4672 if (! m)
4673 return;
4674 m->m_pkthdr.rcvif = 0;
4675
4676 if (sp->pp_flags & PP_NOFRAMING) {
4677 *mtod(m, uint16_t *) = htons(cp->proto);
4678 pkthdrlen = 2;
4679 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2);
4680 } else {
4681 struct ppp_header *h;
4682 h = mtod(m, struct ppp_header *);
4683 h->address = PPP_ALLSTATIONS; /* broadcast address */
4684 h->control = PPP_UI; /* Unnumbered Info */
4685 h->protocol = htons(cp->proto);
4686 pkthdrlen = PPP_HEADER_LEN;
4687
4688 lh = (struct lcp_header *)(h + 1);
4689 }
4690
4691 lh->type = type;
4692 lh->ident = id;
4693 p = (u_char *)(lh + 1);
4694
4695 va_start(ap, id);
4696 len = 0;
4697
4698 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) {
4699 msg = va_arg(ap, const char *);
4700 len += mlen;
4701 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) {
4702 va_end(ap);
4703 m_freem(m);
4704 return;
4705 }
4706
4707 bcopy(msg, p, mlen);
4708 p += mlen;
4709 }
4710 va_end(ap);
4711
4712 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len;
4713 lh->len = htons(LCP_HEADER_LEN + len);
4714
4715 if (debug) {
4716 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d",
4717 ifp->if_xname, cp->name,
4718 sppp_auth_type_name(cp->proto, lh->type),
4719 lh->ident, ntohs(lh->len));
4720 if (len)
4721 sppp_print_bytes((u_char *)(lh + 1), len);
4722 addlog(">\n");
4723 }
4724 if (IF_QFULL(&sp->pp_cpq)) {
4725 IF_DROP(&sp->pp_fastq);
4726 IF_DROP(&ifp->if_snd);
4727 m_freem(m);
4728 ++ifp->if_oerrors;
4729 return;
4730 } else
4731 IF_ENQUEUE(&sp->pp_cpq, m);
4732 if (! (ifp->if_flags & IFF_OACTIVE))
4733 (*ifp->if_start)(ifp);
4734 ifp->if_obytes += m->m_pkthdr.len + 3;
4735 }
4736
4737 /*
4738 * Send keepalive packets, every 10 seconds.
4739 */
4740 static void
4741 sppp_keepalive(void *dummy)
4742 {
4743 struct sppp *sp;
4744 int s;
4745 time_t now;
4746
4747 s = splnet();
4748 now = time_uptime;
4749 for (sp=spppq; sp; sp=sp->pp_next) {
4750 struct ifnet *ifp = &sp->pp_if;
4751
4752 /* check idle timeout */
4753 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING)
4754 && (sp->pp_phase == SPPP_PHASE_NETWORK)) {
4755 /* idle timeout is enabled for this interface */
4756 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) {
4757 if (ifp->if_flags & IFF_DEBUG)
4758 printf("%s: no activity for %lu seconds\n",
4759 sp->pp_if.if_xname,
4760 (unsigned long)(now-sp->pp_last_activity));
4761 lcp.Close(sp);
4762 continue;
4763 }
4764 }
4765
4766 /* Keepalive mode disabled or channel down? */
4767 if (! (sp->pp_flags & PP_KEEPALIVE) ||
4768 ! (ifp->if_flags & IFF_RUNNING))
4769 continue;
4770
4771 /* No keepalive in PPP mode if LCP not opened yet. */
4772 if (! (sp->pp_flags & PP_CISCO) &&
4773 sp->pp_phase < SPPP_PHASE_AUTHENTICATE)
4774 continue;
4775
4776 /* No echo reply, but maybe user data passed through? */
4777 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) {
4778 sp->pp_alivecnt = 0;
4779 continue;
4780 }
4781
4782 if (sp->pp_alivecnt >= sp->pp_maxalive) {
4783 /* No keepalive packets got. Stop the interface. */
4784 if_down (ifp);
4785 IF_PURGE(&sp->pp_cpq);
4786 if (! (sp->pp_flags & PP_CISCO)) {
4787 printf("%s: LCP keepalive timed out, going to restart the connection\n",
4788 ifp->if_xname);
4789 sp->pp_alivecnt = 0;
4790
4791 /* we are down, close all open protocols */
4792 lcp.Close(sp);
4793
4794 /* And now prepare LCP to reestablish the link, if configured to do so. */
4795 sppp_cp_change_state(&lcp, sp, STATE_STOPPED);
4796
4797 /* Close connection immediately, completition of this
4798 * will summon the magic needed to reestablish it. */
4799 if (sp->pp_tlf)
4800 sp->pp_tlf(sp);
4801 continue;
4802 }
4803 }
4804 if (sp->pp_alivecnt < sp->pp_maxalive)
4805 ++sp->pp_alivecnt;
4806 if (sp->pp_flags & PP_CISCO)
4807 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ,
4808 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]);
4809 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) {
4810 int32_t nmagic = htonl(sp->lcp.magic);
4811 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP];
4812 sppp_cp_send(sp, PPP_LCP, ECHO_REQ,
4813 sp->lcp.echoid, 4, &nmagic);
4814 }
4815 }
4816 splx(s);
4817 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL);
4818 }
4819
4820 #ifdef INET
4821 /*
4822 * Get both IP addresses.
4823 */
4824 static void
4825 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask)
4826 {
4827 struct ifnet *ifp = &sp->pp_if;
4828 struct ifaddr *ifa;
4829 struct sockaddr_in *si, *sm;
4830 uint32_t ssrc, ddst;
4831
4832 sm = NULL;
4833 ssrc = ddst = 0;
4834 /*
4835 * Pick the first AF_INET address from the list,
4836 * aliases don't make any sense on a p2p link anyway.
4837 */
4838 si = 0;
4839 IFADDR_FOREACH(ifa, ifp) {
4840 if (ifa->ifa_addr->sa_family == AF_INET) {
4841 si = (struct sockaddr_in *)ifa->ifa_addr;
4842 sm = (struct sockaddr_in *)ifa->ifa_netmask;
4843 if (si)
4844 break;
4845 }
4846 }
4847 if (ifa) {
4848 if (si && si->sin_addr.s_addr) {
4849 ssrc = si->sin_addr.s_addr;
4850 if (srcmask)
4851 *srcmask = ntohl(sm->sin_addr.s_addr);
4852 }
4853
4854 si = (struct sockaddr_in *)ifa->ifa_dstaddr;
4855 if (si && si->sin_addr.s_addr)
4856 ddst = si->sin_addr.s_addr;
4857 }
4858
4859 if (dst) *dst = ntohl(ddst);
4860 if (src) *src = ntohl(ssrc);
4861 }
4862
4863 /*
4864 * Set IP addresses. Must be called at splnet.
4865 * If an address is 0, leave it the way it is.
4866 */
4867 static void
4868 sppp_set_ip_addrs(struct sppp *sp, uint32_t myaddr, uint32_t hisaddr)
4869 {
4870 STDDCL;
4871 struct ifaddr *ifa;
4872 struct sockaddr_in *si, *dest;
4873
4874 /*
4875 * Pick the first AF_INET address from the list,
4876 * aliases don't make any sense on a p2p link anyway.
4877 */
4878
4879 IFADDR_FOREACH(ifa, ifp) {
4880 if (ifa->ifa_addr->sa_family == AF_INET) {
4881 si = (struct sockaddr_in *)ifa->ifa_addr;
4882 dest = (struct sockaddr_in *)ifa->ifa_dstaddr;
4883 goto found;
4884 }
4885 }
4886 return;
4887
4888 found:
4889 {
4890 int error;
4891 struct sockaddr_in new_sin = *si;
4892 struct sockaddr_in new_dst = *dest;
4893
4894 /*
4895 * Scrub old routes now instead of calling in_ifinit with
4896 * scrub=1, because we may change the dstaddr
4897 * before the call to in_ifinit.
4898 */
4899 in_ifscrub(ifp, ifatoia(ifa));
4900
4901 if (myaddr != 0)
4902 new_sin.sin_addr.s_addr = htonl(myaddr);
4903 if (hisaddr != 0) {
4904 new_dst.sin_addr.s_addr = htonl(hisaddr);
4905 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) {
4906 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr;
4907 *dest = new_dst; /* fix dstaddr in place */
4908 }
4909 }
4910 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, 0);
4911 if (debug && error)
4912 {
4913 log(LOG_DEBUG, "%s: sppp_set_ip_addrs: in_ifinit "
4914 " failed, error=%d\n", ifp->if_xname, error);
4915 }
4916 #ifdef PFIL_HOOKS
4917 if (!error)
4918 (void)pfil_run_hooks(&if_pfil,
4919 (struct mbuf **)SIOCAIFADDR, ifp, PFIL_IFADDR);
4920 #endif
4921 }
4922 }
4923
4924 /*
4925 * Clear IP addresses. Must be called at splnet.
4926 */
4927 static void
4928 sppp_clear_ip_addrs(struct sppp *sp)
4929 {
4930 struct ifnet *ifp = &sp->pp_if;
4931 struct ifaddr *ifa;
4932 struct sockaddr_in *si, *dest;
4933
4934 uint32_t remote;
4935 if (sp->ipcp.flags & IPCP_HISADDR_DYN)
4936 remote = sp->ipcp.saved_hisaddr;
4937 else
4938 sppp_get_ip_addrs(sp, 0, &remote, 0);
4939
4940 /*
4941 * Pick the first AF_INET address from the list,
4942 * aliases don't make any sense on a p2p link anyway.
4943 */
4944
4945 IFADDR_FOREACH(ifa, ifp) {
4946 if (ifa->ifa_addr->sa_family == AF_INET) {
4947 si = (struct sockaddr_in *)ifa->ifa_addr;
4948 dest = (struct sockaddr_in *)ifa->ifa_dstaddr;
4949 goto found;
4950 }
4951 }
4952 return;
4953
4954 found:
4955 {
4956 struct sockaddr_in new_sin = *si;
4957
4958 in_ifscrub(ifp, ifatoia(ifa));
4959 if (sp->ipcp.flags & IPCP_MYADDR_DYN)
4960 new_sin.sin_addr.s_addr = 0;
4961 if (sp->ipcp.flags & IPCP_HISADDR_DYN)
4962 /* replace peer addr in place */
4963 dest->sin_addr.s_addr = sp->ipcp.saved_hisaddr;
4964 in_ifinit(ifp, ifatoia(ifa), &new_sin, 0);
4965 #ifdef PFIL_HOOKS
4966 (void)pfil_run_hooks(&if_pfil,
4967 (struct mbuf **)SIOCDIFADDR, ifp, PFIL_IFADDR);
4968 #endif
4969 }
4970 }
4971 #endif
4972
4973 #ifdef INET6
4974 /*
4975 * Get both IPv6 addresses.
4976 */
4977 static void
4978 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst,
4979 struct in6_addr *srcmask)
4980 {
4981 struct ifnet *ifp = &sp->pp_if;
4982 struct ifaddr *ifa;
4983 struct sockaddr_in6 *si, *sm;
4984 struct in6_addr ssrc, ddst;
4985
4986 sm = NULL;
4987 memset(&ssrc, 0, sizeof(ssrc));
4988 memset(&ddst, 0, sizeof(ddst));
4989 /*
4990 * Pick the first link-local AF_INET6 address from the list,
4991 * aliases don't make any sense on a p2p link anyway.
4992 */
4993 si = 0;
4994 IFADDR_FOREACH(ifa, ifp)
4995 if (ifa->ifa_addr->sa_family == AF_INET6) {
4996 si = (struct sockaddr_in6 *)ifa->ifa_addr;
4997 sm = (struct sockaddr_in6 *)ifa->ifa_netmask;
4998 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr))
4999 break;
5000 }
5001 if (ifa) {
5002 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) {
5003 bcopy(&si->sin6_addr, &ssrc, sizeof(ssrc));
5004 if (srcmask) {
5005 bcopy(&sm->sin6_addr, srcmask,
5006 sizeof(*srcmask));
5007 }
5008 }
5009
5010 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr;
5011 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr))
5012 bcopy(&si->sin6_addr, &ddst, sizeof(ddst));
5013 }
5014
5015 if (dst)
5016 bcopy(&ddst, dst, sizeof(*dst));
5017 if (src)
5018 bcopy(&ssrc, src, sizeof(*src));
5019 }
5020
5021 #ifdef IPV6CP_MYIFID_DYN
5022 /*
5023 * Generate random ifid.
5024 */
5025 static void
5026 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr)
5027 {
5028 /* TBD */
5029 }
5030
5031 /*
5032 * Set my IPv6 address. Must be called at splnet.
5033 */
5034 static void
5035 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src)
5036 {
5037 STDDCL;
5038 struct ifaddr *ifa;
5039 struct sockaddr_in6 *sin6;
5040
5041 /*
5042 * Pick the first link-local AF_INET6 address from the list,
5043 * aliases don't make any sense on a p2p link anyway.
5044 */
5045
5046 sin6 = NULL;
5047 IFADDR_FOREACH(ifa, ifp)
5048 {
5049 if (ifa->ifa_addr->sa_family == AF_INET6)
5050 {
5051 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr;
5052 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
5053 break;
5054 }
5055 }
5056
5057 if (ifa && sin6)
5058 {
5059 int error;
5060 struct sockaddr_in6 new_sin6 = *sin6;
5061
5062 bcopy(src, &new_sin6.sin6_addr, sizeof(new_sin6.sin6_addr));
5063 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1);
5064 if (debug && error)
5065 {
5066 log(LOG_DEBUG, "%s: sppp_set_ip6_addr: in6_ifinit "
5067 " failed, error=%d\n", ifp->if_xname, error);
5068 }
5069 #ifdef PFIL_HOOKS
5070 if (!error)
5071 (void)pfil_run_hooks(&if_pfil,
5072 (struct mbuf **)SIOCAIFADDR_IN6, ifp, PFIL_IFADDR);
5073 #endif
5074 }
5075 }
5076 #endif
5077
5078 /*
5079 * Suggest a candidate address to be used by peer.
5080 */
5081 static void
5082 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest)
5083 {
5084 struct in6_addr myaddr;
5085 struct timeval tv;
5086
5087 sppp_get_ip6_addrs(sp, &myaddr, 0, 0);
5088
5089 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */
5090 microtime(&tv);
5091 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) {
5092 myaddr.s6_addr[14] ^= 0xff;
5093 myaddr.s6_addr[15] ^= 0xff;
5094 } else {
5095 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff);
5096 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff);
5097 }
5098 if (suggest)
5099 bcopy(&myaddr, suggest, sizeof(myaddr));
5100 }
5101 #endif /*INET6*/
5102
5103 /*
5104 * Process ioctl requests specific to the PPP interface.
5105 * Permissions have already been checked.
5106 */
5107 static int
5108 sppp_params(struct sppp *sp, u_long cmd, void *data)
5109 {
5110 switch (cmd) {
5111 case SPPPGETAUTHCFG:
5112 {
5113 struct spppauthcfg *cfg = (struct spppauthcfg *)data;
5114 int error;
5115 size_t len;
5116
5117 cfg->myauthflags = sp->myauth.flags;
5118 cfg->hisauthflags = sp->hisauth.flags;
5119 strncpy(cfg->ifname, sp->pp_if.if_xname, IFNAMSIZ);
5120 cfg->hisauth = 0;
5121 if (sp->hisauth.proto)
5122 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP;
5123 cfg->myauth = 0;
5124 if (sp->myauth.proto)
5125 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP;
5126 if (cfg->myname_length == 0) {
5127 if (sp->myauth.name != NULL)
5128 cfg->myname_length = sp->myauth.name_len + 1;
5129 } else {
5130 if (sp->myauth.name == NULL) {
5131 cfg->myname_length = 0;
5132 } else {
5133 len = sp->myauth.name_len + 1;
5134 if (cfg->myname_length < len)
5135 return (ENAMETOOLONG);
5136 error = copyout(sp->myauth.name, cfg->myname, len);
5137 if (error) return error;
5138 }
5139 }
5140 if (cfg->hisname_length == 0) {
5141 if (sp->hisauth.name != NULL)
5142 cfg->hisname_length = sp->hisauth.name_len + 1;
5143 } else {
5144 if (sp->hisauth.name == NULL) {
5145 cfg->hisname_length = 0;
5146 } else {
5147 len = sp->hisauth.name_len + 1;
5148 if (cfg->hisname_length < len)
5149 return (ENAMETOOLONG);
5150 error = copyout(sp->hisauth.name, cfg->hisname, len);
5151 if (error) return error;
5152 }
5153 }
5154 }
5155 break;
5156 case SPPPSETAUTHCFG:
5157 {
5158 struct spppauthcfg *cfg = (struct spppauthcfg *)data;
5159 int error;
5160
5161 if (sp->myauth.name) {
5162 free(sp->myauth.name, M_DEVBUF);
5163 sp->myauth.name = NULL;
5164 }
5165 if (sp->myauth.secret) {
5166 free(sp->myauth.secret, M_DEVBUF);
5167 sp->myauth.secret = NULL;
5168 }
5169 if (sp->hisauth.name) {
5170 free(sp->hisauth.name, M_DEVBUF);
5171 sp->hisauth.name = NULL;
5172 }
5173 if (sp->hisauth.secret) {
5174 free(sp->hisauth.secret, M_DEVBUF);
5175 sp->hisauth.secret = NULL;
5176 }
5177
5178 if (cfg->hisname != NULL && cfg->hisname_length > 0) {
5179 if (cfg->hisname_length >= MCLBYTES)
5180 return (ENAMETOOLONG);
5181 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK);
5182 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length);
5183 if (error) {
5184 free(sp->hisauth.name, M_DEVBUF);
5185 sp->hisauth.name = NULL;
5186 return error;
5187 }
5188 sp->hisauth.name_len = cfg->hisname_length - 1;
5189 sp->hisauth.name[sp->hisauth.name_len] = 0;
5190 }
5191 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) {
5192 if (cfg->hissecret_length >= MCLBYTES)
5193 return (ENAMETOOLONG);
5194 sp->hisauth.secret = malloc(cfg->hissecret_length, M_DEVBUF, M_WAITOK);
5195 error = copyin(cfg->hissecret, sp->hisauth.secret, cfg->hissecret_length);
5196 if (error) {
5197 free(sp->hisauth.secret, M_DEVBUF);
5198 sp->hisauth.secret = NULL;
5199 return error;
5200 }
5201 sp->hisauth.secret_len = cfg->hissecret_length - 1;
5202 sp->hisauth.secret[sp->hisauth.secret_len] = 0;
5203 }
5204 if (cfg->myname != NULL && cfg->myname_length > 0) {
5205 if (cfg->myname_length >= MCLBYTES)
5206 return (ENAMETOOLONG);
5207 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK);
5208 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length);
5209 if (error) {
5210 free(sp->myauth.name, M_DEVBUF);
5211 sp->myauth.name = NULL;
5212 return error;
5213 }
5214 sp->myauth.name_len = cfg->myname_length - 1;
5215 sp->myauth.name[sp->myauth.name_len] = 0;
5216 }
5217 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) {
5218 if (cfg->mysecret_length >= MCLBYTES)
5219 return (ENAMETOOLONG);
5220 sp->myauth.secret = malloc(cfg->mysecret_length, M_DEVBUF, M_WAITOK);
5221 error = copyin(cfg->mysecret, sp->myauth.secret, cfg->mysecret_length);
5222 if (error) {
5223 free(sp->myauth.secret, M_DEVBUF);
5224 sp->myauth.secret = NULL;
5225 return error;
5226 }
5227 sp->myauth.secret_len = cfg->mysecret_length - 1;
5228 sp->myauth.secret[sp->myauth.secret_len] = 0;
5229 }
5230 sp->myauth.flags = cfg->myauthflags;
5231 if (cfg->myauth)
5232 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP;
5233 sp->hisauth.flags = cfg->hisauthflags;
5234 if (cfg->hisauth)
5235 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP;
5236 sp->pp_auth_failures = 0;
5237 if (sp->hisauth.proto != 0)
5238 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO);
5239 else
5240 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO);
5241 }
5242 break;
5243 case SPPPGETLCPCFG:
5244 {
5245 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data;
5246 lcpp->lcp_timeout = sp->lcp.timeout;
5247 }
5248 break;
5249 case SPPPSETLCPCFG:
5250 {
5251 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data;
5252 sp->lcp.timeout = lcpp->lcp_timeout;
5253 }
5254 break;
5255 case SPPPGETSTATUS:
5256 {
5257 struct spppstatus *status = (struct spppstatus *)data;
5258 status->phase = sp->pp_phase;
5259 }
5260 break;
5261 case SPPPGETSTATUSNCP:
5262 {
5263 struct spppstatusncp *status = (struct spppstatusncp *)data;
5264 status->phase = sp->pp_phase;
5265 status->ncpup = sppp_ncp_check(sp);
5266 }
5267 break;
5268 case SPPPGETIDLETO:
5269 {
5270 struct spppidletimeout *to = (struct spppidletimeout *)data;
5271 to->idle_seconds = sp->pp_idle_timeout;
5272 }
5273 break;
5274 case SPPPSETIDLETO:
5275 {
5276 struct spppidletimeout *to = (struct spppidletimeout *)data;
5277 sp->pp_idle_timeout = to->idle_seconds;
5278 }
5279 break;
5280 case SPPPSETAUTHFAILURE:
5281 {
5282 struct spppauthfailuresettings *afsettings = (struct spppauthfailuresettings *)data;
5283 sp->pp_max_auth_fail = afsettings->max_failures;
5284 sp->pp_auth_failures = 0;
5285 }
5286 break;
5287 case SPPPGETAUTHFAILURES:
5288 {
5289 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data;
5290 stats->auth_failures = sp->pp_auth_failures;
5291 stats->max_failures = sp->pp_max_auth_fail;
5292 }
5293 break;
5294 case SPPPSETDNSOPTS:
5295 {
5296 struct spppdnssettings *req = (struct spppdnssettings *)data;
5297 sp->query_dns = req->query_dns & 3;
5298 }
5299 break;
5300 case SPPPGETDNSOPTS:
5301 {
5302 struct spppdnssettings *req = (struct spppdnssettings *)data;
5303 req->query_dns = sp->query_dns;
5304 }
5305 break;
5306 case SPPPGETDNSADDRS:
5307 {
5308 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data;
5309 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns);
5310 }
5311 break;
5312 case SPPPGETKEEPALIVE:
5313 {
5314 struct spppkeepalivesettings *settings =
5315 (struct spppkeepalivesettings*)data;
5316 settings->maxalive = sp->pp_maxalive;
5317 settings->max_noreceive = sp->pp_max_noreceive;
5318 }
5319 break;
5320 case SPPPSETKEEPALIVE:
5321 {
5322 struct spppkeepalivesettings *settings =
5323 (struct spppkeepalivesettings*)data;
5324 sp->pp_maxalive = settings->maxalive;
5325 sp->pp_max_noreceive = settings->max_noreceive;
5326 }
5327 break;
5328 default:
5329 return (EINVAL);
5330 }
5331
5332 return (0);
5333 }
5334
5335 static void
5336 sppp_phase_network(struct sppp *sp)
5337 {
5338 STDDCL;
5339 int i;
5340 uint32_t mask;
5341
5342 sp->pp_phase = SPPP_PHASE_NETWORK;
5343
5344 if (debug)
5345 {
5346 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname,
5347 sppp_phase_name(sp->pp_phase));
5348 }
5349
5350 /* Notify NCPs now. */
5351 for (i = 0; i < IDX_COUNT; i++)
5352 if ((cps[i])->flags & CP_NCP)
5353 (cps[i])->Open(sp);
5354
5355 /* Send Up events to all NCPs. */
5356 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1)
5357 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP))
5358 (cps[i])->Up(sp);
5359
5360 /* if no NCP is starting, all this was in vain, close down */
5361 sppp_lcp_check_and_close(sp);
5362 }
5363
5364
5365 static const char *
5366 sppp_cp_type_name(u_char type)
5367 {
5368 static char buf[12];
5369 switch (type) {
5370 case CONF_REQ: return "conf-req";
5371 case CONF_ACK: return "conf-ack";
5372 case CONF_NAK: return "conf-nak";
5373 case CONF_REJ: return "conf-rej";
5374 case TERM_REQ: return "term-req";
5375 case TERM_ACK: return "term-ack";
5376 case CODE_REJ: return "code-rej";
5377 case PROTO_REJ: return "proto-rej";
5378 case ECHO_REQ: return "echo-req";
5379 case ECHO_REPLY: return "echo-reply";
5380 case DISC_REQ: return "discard-req";
5381 }
5382 snprintf(buf, sizeof(buf), "0x%x", type);
5383 return buf;
5384 }
5385
5386 static const char *
5387 sppp_auth_type_name(u_short proto, u_char type)
5388 {
5389 static char buf[12];
5390 switch (proto) {
5391 case PPP_CHAP:
5392 switch (type) {
5393 case CHAP_CHALLENGE: return "challenge";
5394 case CHAP_RESPONSE: return "response";
5395 case CHAP_SUCCESS: return "success";
5396 case CHAP_FAILURE: return "failure";
5397 }
5398 case PPP_PAP:
5399 switch (type) {
5400 case PAP_REQ: return "req";
5401 case PAP_ACK: return "ack";
5402 case PAP_NAK: return "nak";
5403 }
5404 }
5405 snprintf(buf, sizeof(buf), "0x%x", type);
5406 return buf;
5407 }
5408
5409 static const char *
5410 sppp_lcp_opt_name(u_char opt)
5411 {
5412 static char buf[12];
5413 switch (opt) {
5414 case LCP_OPT_MRU: return "mru";
5415 case LCP_OPT_ASYNC_MAP: return "async-map";
5416 case LCP_OPT_AUTH_PROTO: return "auth-proto";
5417 case LCP_OPT_QUAL_PROTO: return "qual-proto";
5418 case LCP_OPT_MAGIC: return "magic";
5419 case LCP_OPT_PROTO_COMP: return "proto-comp";
5420 case LCP_OPT_ADDR_COMP: return "addr-comp";
5421 }
5422 snprintf(buf, sizeof(buf), "0x%x", opt);
5423 return buf;
5424 }
5425
5426 static const char *
5427 sppp_ipcp_opt_name(u_char opt)
5428 {
5429 static char buf[12];
5430 switch (opt) {
5431 case IPCP_OPT_ADDRESSES: return "addresses";
5432 case IPCP_OPT_COMPRESSION: return "compression";
5433 case IPCP_OPT_ADDRESS: return "address";
5434 }
5435 snprintf(buf, sizeof(buf), "0x%x", opt);
5436 return buf;
5437 }
5438
5439 #ifdef INET6
5440 static const char *
5441 sppp_ipv6cp_opt_name(u_char opt)
5442 {
5443 static char buf[12];
5444 switch (opt) {
5445 case IPV6CP_OPT_IFID: return "ifid";
5446 case IPV6CP_OPT_COMPRESSION: return "compression";
5447 }
5448 snprintf(buf, sizeof(buf), "0x%x", opt);
5449 return buf;
5450 }
5451 #endif
5452
5453 static const char *
5454 sppp_state_name(int state)
5455 {
5456 switch (state) {
5457 case STATE_INITIAL: return "initial";
5458 case STATE_STARTING: return "starting";
5459 case STATE_CLOSED: return "closed";
5460 case STATE_STOPPED: return "stopped";
5461 case STATE_CLOSING: return "closing";
5462 case STATE_STOPPING: return "stopping";
5463 case STATE_REQ_SENT: return "req-sent";
5464 case STATE_ACK_RCVD: return "ack-rcvd";
5465 case STATE_ACK_SENT: return "ack-sent";
5466 case STATE_OPENED: return "opened";
5467 }
5468 return "illegal";
5469 }
5470
5471 static const char *
5472 sppp_phase_name(int phase)
5473 {
5474 switch (phase) {
5475 case SPPP_PHASE_DEAD: return "dead";
5476 case SPPP_PHASE_ESTABLISH: return "establish";
5477 case SPPP_PHASE_TERMINATE: return "terminate";
5478 case SPPP_PHASE_AUTHENTICATE: return "authenticate";
5479 case SPPP_PHASE_NETWORK: return "network";
5480 }
5481 return "illegal";
5482 }
5483
5484 static const char *
5485 sppp_proto_name(u_short proto)
5486 {
5487 static char buf[12];
5488 switch (proto) {
5489 case PPP_LCP: return "lcp";
5490 case PPP_IPCP: return "ipcp";
5491 case PPP_PAP: return "pap";
5492 case PPP_CHAP: return "chap";
5493 case PPP_IPV6CP: return "ipv6cp";
5494 }
5495 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto);
5496 return buf;
5497 }
5498
5499 static void
5500 sppp_print_bytes(const u_char *p, u_short len)
5501 {
5502 addlog(" %02x", *p++);
5503 while (--len > 0)
5504 addlog("-%02x", *p++);
5505 }
5506
5507 static void
5508 sppp_print_string(const char *p, u_short len)
5509 {
5510 u_char c;
5511
5512 while (len-- > 0) {
5513 c = *p++;
5514 /*
5515 * Print only ASCII chars directly. RFC 1994 recommends
5516 * using only them, but we don't rely on it. */
5517 if (c < ' ' || c > '~')
5518 addlog("\\x%x", c);
5519 else
5520 addlog("%c", c);
5521 }
5522 }
5523
5524 static const char *
5525 sppp_dotted_quad(uint32_t addr)
5526 {
5527 static char s[16];
5528 snprintf(s, sizeof(s), "%d.%d.%d.%d",
5529 (int)((addr >> 24) & 0xff),
5530 (int)((addr >> 16) & 0xff),
5531 (int)((addr >> 8) & 0xff),
5532 (int)(addr & 0xff));
5533 return s;
5534 }
5535
5536 /* a dummy, used to drop uninteresting events */
5537 static void
5538 sppp_null(struct sppp *unused)
5539 {
5540 /* do just nothing */
5541 }
5542 /*
5543 * This file is large. Tell emacs to highlight it nevertheless.
5544 *
5545 * Local Variables:
5546 * hilit-auto-highlight-maxout: 120000
5547 * End:
5548 */
Cache object: b9a59baee6d54e4112f376665a3adc87
|