1 /*
2  * Synchronous PPP/Cisco/Frame Relay link level subroutines.
3  * Keepalive protocol implemented in both Cisco and PPP modes.
4  */
5 /*-
6  * Copyright (C) 1994-2000 Cronyx Engineering.
7  * Author: Serge Vakulenko, <[email protected]>
8  *
9  * Heavily revamped to conform to RFC 1661.
10  * Copyright (C) 1997, 2001 Joerg Wunsch.
11  *
12  * This software is distributed with NO WARRANTIES, not even the implied
13  * warranties for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
14  *
15  * Authors grant any other persons or organisations permission to use
16  * or modify this software as long as this message is kept with the software,
17  * all derivative works or modified versions.
18  *
19  * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997
20  *
21  * $FreeBSD$
22  */
23 
24 #include <sys/param.h>
25 
26 #include "opt_inet.h"
27 #include "opt_inet6.h"
28 
29 #include <sys/systm.h>
30 #include <sys/kernel.h>
31 #include <sys/lock.h>
32 #include <sys/module.h>
33 #include <sys/rmlock.h>
34 #include <sys/sockio.h>
35 #include <sys/socket.h>
36 #include <sys/syslog.h>
37 #include <sys/random.h>
38 #include <sys/malloc.h>
39 #include <sys/mbuf.h>
40 
41 #include <sys/md5.h>
42 
43 #include <net/if.h>
44 #include <net/if_var.h>
45 #include <net/netisr.h>
46 #include <net/if_types.h>
47 #include <net/route.h>
48 #include <net/vnet.h>
49 #include <netinet/in.h>
50 #include <netinet/in_var.h>
51 #include <netinet/in_systm.h>
52 #include <netinet/ip.h>
53 #include <net/slcompress.h>
54 
55 #include <machine/stdarg.h>
56 
57 #include <netinet/in_var.h>
58 
59 #ifdef INET
60 #include <netinet/ip.h>
61 #include <netinet/tcp.h>
62 #endif
63 
64 #ifdef INET6
65 #include <netinet6/scope6_var.h>
66 #endif
67 
68 #include <netinet/if_ether.h>
69 
70 #include <net/if_sppp.h>
71 
72 #define IOCTL_CMD_T	u_long
73 #define MAXALIVECNT     3               /* max. alive packets */
74 
75 /*
76  * Interface flags that can be set in an ifconfig command.
77  *
78  * Setting link0 will make the link passive, i.e. it will be marked
79  * as being administrative openable, but won't be opened to begin
80  * with.  Incoming calls will be answered, or subsequent calls with
81  * -link1 will cause the administrative open of the LCP layer.
82  *
83  * Setting link1 will cause the link to auto-dial only as packets
84  * arrive to be sent.
85  *
86  * Setting IFF_DEBUG will syslog the option negotiation and state
87  * transitions at level kern.debug.  Note: all logs consistently look
88  * like
89  *
90  *   <if-name><unit>: <proto-name> <additional info...>
91  *
92  * with <if-name><unit> being something like "bppp0", and <proto-name>
93  * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc.
94  */
95 
96 #define IFF_PASSIVE	IFF_LINK0	/* wait passively for connection */
97 #define IFF_AUTO	IFF_LINK1	/* auto-dial on output */
98 #define IFF_CISCO	IFF_LINK2	/* auto-dial on output */
99 
100 #define PPP_ALLSTATIONS 0xff		/* All-Stations broadcast address */
101 #define PPP_UI		0x03		/* Unnumbered Information */
102 #define PPP_IP		0x0021		/* Internet Protocol */
103 #define PPP_ISO		0x0023		/* ISO OSI Protocol */
104 #define PPP_XNS		0x0025		/* Xerox NS Protocol */
105 #define PPP_IPX		0x002b		/* Novell IPX Protocol */
106 #define PPP_VJ_COMP	0x002d		/* VJ compressed TCP/IP */
107 #define PPP_VJ_UCOMP	0x002f		/* VJ uncompressed TCP/IP */
108 #define PPP_IPV6	0x0057		/* Internet Protocol Version 6 */
109 #define PPP_LCP		0xc021		/* Link Control Protocol */
110 #define PPP_PAP		0xc023		/* Password Authentication Protocol */
111 #define PPP_CHAP	0xc223		/* Challenge-Handshake Auth Protocol */
112 #define PPP_IPCP	0x8021		/* Internet Protocol Control Protocol */
113 #define PPP_IPV6CP	0x8057		/* IPv6 Control Protocol */
114 
115 #define CONF_REQ	1		/* PPP configure request */
116 #define CONF_ACK	2		/* PPP configure acknowledge */
117 #define CONF_NAK	3		/* PPP configure negative ack */
118 #define CONF_REJ	4		/* PPP configure reject */
119 #define TERM_REQ	5		/* PPP terminate request */
120 #define TERM_ACK	6		/* PPP terminate acknowledge */
121 #define CODE_REJ	7		/* PPP code reject */
122 #define PROTO_REJ	8		/* PPP protocol reject */
123 #define ECHO_REQ	9		/* PPP echo request */
124 #define ECHO_REPLY	10		/* PPP echo reply */
125 #define DISC_REQ	11		/* PPP discard request */
126 
127 #define LCP_OPT_MRU		1	/* maximum receive unit */
128 #define LCP_OPT_ASYNC_MAP	2	/* async control character map */
129 #define LCP_OPT_AUTH_PROTO	3	/* authentication protocol */
130 #define LCP_OPT_QUAL_PROTO	4	/* quality protocol */
131 #define LCP_OPT_MAGIC		5	/* magic number */
132 #define LCP_OPT_RESERVED	6	/* reserved */
133 #define LCP_OPT_PROTO_COMP	7	/* protocol field compression */
134 #define LCP_OPT_ADDR_COMP	8	/* address/control field compression */
135 
136 #define IPCP_OPT_ADDRESSES	1	/* both IP addresses; deprecated */
137 #define IPCP_OPT_COMPRESSION	2	/* IP compression protocol (VJ) */
138 #define IPCP_OPT_ADDRESS	3	/* local IP address */
139 
140 #define IPV6CP_OPT_IFID	1	/* interface identifier */
141 #define IPV6CP_OPT_COMPRESSION	2	/* IPv6 compression protocol */
142 
143 #define IPCP_COMP_VJ		0x2d	/* Code for VJ compression */
144 
145 #define PAP_REQ			1	/* PAP name/password request */
146 #define PAP_ACK			2	/* PAP acknowledge */
147 #define PAP_NAK			3	/* PAP fail */
148 
149 #define CHAP_CHALLENGE		1	/* CHAP challenge request */
150 #define CHAP_RESPONSE		2	/* CHAP challenge response */
151 #define CHAP_SUCCESS		3	/* CHAP response ok */
152 #define CHAP_FAILURE		4	/* CHAP response failed */
153 
154 #define CHAP_MD5		5	/* hash algorithm - MD5 */
155 
156 #define CISCO_MULTICAST		0x8f	/* Cisco multicast address */
157 #define CISCO_UNICAST		0x0f	/* Cisco unicast address */
158 #define CISCO_KEEPALIVE		0x8035	/* Cisco keepalive protocol */
159 #define CISCO_ADDR_REQ		0	/* Cisco address request */
160 #define CISCO_ADDR_REPLY	1	/* Cisco address reply */
161 #define CISCO_KEEPALIVE_REQ	2	/* Cisco keepalive request */
162 
163 /* states are named and numbered according to RFC 1661 */
164 #define STATE_INITIAL	0
165 #define STATE_STARTING	1
166 #define STATE_CLOSED	2
167 #define STATE_STOPPED	3
168 #define STATE_CLOSING	4
169 #define STATE_STOPPING	5
170 #define STATE_REQ_SENT	6
171 #define STATE_ACK_RCVD	7
172 #define STATE_ACK_SENT	8
173 #define STATE_OPENED	9
174 
175 static MALLOC_DEFINE(M_SPPP, "sppp", "synchronous PPP interface internals");
176 
/*
 * Link-level framing header in front of every PPP or Cisco-HDLC packet.
 * Read by sppp_input() (and stripped with m_adj()) and built by
 * sppp_output() in front of the network-layer payload.
 */
struct ppp_header {
	u_char address;		/* PPP_ALLSTATIONS, or CISCO_UNICAST/CISCO_MULTICAST in Cisco mode */
	u_char control;		/* PPP_UI in PPP mode; written as 0 and not checked in Cisco mode */
	u_short protocol;	/* network byte order: PPP_* or ETHERTYPE_* (Cisco) */
} __packed;
182 #define PPP_HEADER_LEN          sizeof (struct ppp_header)
183 
/*
 * Common header of the control-protocol packets handled through the
 * struct cp RCR/RCN handlers (RFC 1661 Code / Identifier / Length).
 */
struct lcp_header {
	u_char type;		/* code: CONF_REQ .. DISC_REQ, PAP_*, CHAP_* */
	u_char ident;		/* identifier (RFC 1661 section 5) */
	u_short len;		/* NOTE(review): presumably network byte order like ppp_header.protocol -- confirm in sppp_cp_input() */
} __packed;
189 #define LCP_HEADER_LEN          sizeof (struct lcp_header)
190 
/*
 * Payload of a CISCO_KEEPALIVE protocol packet in Cisco-HDLC mode.
 * NOTE(review): u_long fields make CISCO_PACKET_LEN depend on the
 * target's word size even though this is a wire format; confirm the
 * layout used by sppp_cisco_input()/sppp_cisco_send() on LP64 builds.
 */
struct cisco_packet {
	u_long type;		/* presumably CISCO_ADDR_REQ / CISCO_ADDR_REPLY / CISCO_KEEPALIVE_REQ */
	u_long par1;
	u_long par2;
	u_short rel;
	u_short time0;
	u_short time1;
} __packed;
199 #define CISCO_PACKET_LEN	sizeof (struct cisco_packet)
200 
201 /*
202  * We follow the spelling and capitalization of RFC 1661 here, to make
203  * it easier comparing with the standard.  Please refer to this RFC in
204  * case you can't make sense out of these abbreviation; it will also
205  * explain the semantics related to the various events and actions.
206  */
/*
 * Descriptor of one control protocol (LCP, the NCPs and the
 * authentication protocols).  Instances are the static tables lcp,
 * ipcp, ipv6cp, pap and chap below; the event and action members are
 * RFC 1661 state-machine hooks.  pap and chap leave RCR/RCN_rej/RCN_nak
 * NULL, so callers must not invoke those unconditionally.
 */
struct cp {
	u_short	proto;		/* PPP control protocol number */
	u_char protoidx;	/* index into state table in struct sppp */
	u_char flags;
#define CP_LCP		0x01	/* this is the LCP */
#define CP_AUTH		0x02	/* this is an authentication protocol */
#define CP_NCP		0x04	/* this is a NCP */
#define CP_QUAL		0x08	/* this is a quality reporting protocol */
	const char *name;	/* name of this control protocol */
	/* event handlers */
	void	(*Up)(struct sppp *sp);
	void	(*Down)(struct sppp *sp);
	void	(*Open)(struct sppp *sp);
	void	(*Close)(struct sppp *sp);
	void	(*TO)(void *sp);	/* timeout; void * presumably because it is a callout argument */
	int	(*RCR)(struct sppp *sp, struct lcp_header *h, int len);
	void	(*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len);
	void	(*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len);
	/* actions */
	void	(*tlu)(struct sppp *sp);	/* this-layer-up */
	void	(*tld)(struct sppp *sp);	/* this-layer-down */
	void	(*tls)(struct sppp *sp);	/* this-layer-started */
	void	(*tlf)(struct sppp *sp);	/* this-layer-finished */
	void	(*scr)(struct sppp *sp);	/* send-configure-request */
};
232 
233 #define	SPP_FMT		"%s: "
234 #define	SPP_ARGS(ifp)	(ifp)->if_xname
235 
236 #define SPPP_LOCK(sp)	mtx_lock (&(sp)->mtx)
237 #define SPPP_UNLOCK(sp)	mtx_unlock (&(sp)->mtx)
238 #define SPPP_LOCK_ASSERT(sp)	mtx_assert (&(sp)->mtx, MA_OWNED)
239 #define SPPP_LOCK_OWNED(sp)	mtx_owned (&(sp)->mtx)
240 
241 #ifdef INET
242 /*
243  * The following disgusting hack gets around the problem that IP TOS
244  * can't be set yet.  We want to put "interactive" traffic on a high
245  * priority queue.  To decide if traffic is interactive, we check that
246  * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control.
247  *
248  * XXX is this really still necessary?  - joerg -
249  */
/*
 * Lookup table for INTERACTIVE(): a port p is interactive when
 * interactive_ports[p & 7] == p, so every entry is stored at the
 * slot selected by its own low three bits (rlogin 513 -> 1,
 * ftp-control 21 -> 5, telnet 23 -> 7); all other slots stay 0.
 */
static const u_short interactive_ports[8] = {
	[513 & 7] = 513,
	[21 & 7] = 21,
	[23 & 7] = 23,
};
254 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p))
255 #endif
256 
257 /* almost every function needs these */
258 #define STDDCL							\
259 	struct ifnet *ifp = SP2IFP(sp);				\
260 	int debug = ifp->if_flags & IFF_DEBUG
261 
262 static int sppp_output(struct ifnet *ifp, struct mbuf *m,
263 	const struct sockaddr *dst, struct route *ro);
264 
265 static void sppp_cisco_send(struct sppp *sp, int type, long par1, long par2);
266 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m);
267 
268 static void sppp_cp_input(const struct cp *cp, struct sppp *sp,
269 			  struct mbuf *m);
270 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type,
271 			 u_char ident, u_short len, void *data);
272 /* static void sppp_cp_timeout(void *arg); */
273 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp,
274 				 int newstate);
275 static void sppp_auth_send(const struct cp *cp,
276 			   struct sppp *sp, unsigned int type, unsigned int id,
277 			   ...);
278 
279 static void sppp_up_event(const struct cp *cp, struct sppp *sp);
280 static void sppp_down_event(const struct cp *cp, struct sppp *sp);
281 static void sppp_open_event(const struct cp *cp, struct sppp *sp);
282 static void sppp_close_event(const struct cp *cp, struct sppp *sp);
283 static void sppp_to_event(const struct cp *cp, struct sppp *sp);
284 
285 static void sppp_null(struct sppp *sp);
286 
287 static void sppp_pp_up(struct sppp *sp);
288 static void sppp_pp_down(struct sppp *sp);
289 
290 static void sppp_lcp_init(struct sppp *sp);
291 static void sppp_lcp_up(struct sppp *sp);
292 static void sppp_lcp_down(struct sppp *sp);
293 static void sppp_lcp_open(struct sppp *sp);
294 static void sppp_lcp_close(struct sppp *sp);
295 static void sppp_lcp_TO(void *sp);
296 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len);
297 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len);
298 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len);
299 static void sppp_lcp_tlu(struct sppp *sp);
300 static void sppp_lcp_tld(struct sppp *sp);
301 static void sppp_lcp_tls(struct sppp *sp);
302 static void sppp_lcp_tlf(struct sppp *sp);
303 static void sppp_lcp_scr(struct sppp *sp);
304 static void sppp_lcp_check_and_close(struct sppp *sp);
305 static int sppp_ncp_check(struct sppp *sp);
306 
307 static void sppp_ipcp_init(struct sppp *sp);
308 static void sppp_ipcp_up(struct sppp *sp);
309 static void sppp_ipcp_down(struct sppp *sp);
310 static void sppp_ipcp_open(struct sppp *sp);
311 static void sppp_ipcp_close(struct sppp *sp);
312 static void sppp_ipcp_TO(void *sp);
313 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len);
314 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len);
315 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len);
316 static void sppp_ipcp_tlu(struct sppp *sp);
317 static void sppp_ipcp_tld(struct sppp *sp);
318 static void sppp_ipcp_tls(struct sppp *sp);
319 static void sppp_ipcp_tlf(struct sppp *sp);
320 static void sppp_ipcp_scr(struct sppp *sp);
321 
322 static void sppp_ipv6cp_init(struct sppp *sp);
323 static void sppp_ipv6cp_up(struct sppp *sp);
324 static void sppp_ipv6cp_down(struct sppp *sp);
325 static void sppp_ipv6cp_open(struct sppp *sp);
326 static void sppp_ipv6cp_close(struct sppp *sp);
327 static void sppp_ipv6cp_TO(void *sp);
328 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len);
329 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len);
330 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len);
331 static void sppp_ipv6cp_tlu(struct sppp *sp);
332 static void sppp_ipv6cp_tld(struct sppp *sp);
333 static void sppp_ipv6cp_tls(struct sppp *sp);
334 static void sppp_ipv6cp_tlf(struct sppp *sp);
335 static void sppp_ipv6cp_scr(struct sppp *sp);
336 
337 static void sppp_pap_input(struct sppp *sp, struct mbuf *m);
338 static void sppp_pap_init(struct sppp *sp);
339 static void sppp_pap_open(struct sppp *sp);
340 static void sppp_pap_close(struct sppp *sp);
341 static void sppp_pap_TO(void *sp);
342 static void sppp_pap_my_TO(void *sp);
343 static void sppp_pap_tlu(struct sppp *sp);
344 static void sppp_pap_tld(struct sppp *sp);
345 static void sppp_pap_scr(struct sppp *sp);
346 
347 static void sppp_chap_input(struct sppp *sp, struct mbuf *m);
348 static void sppp_chap_init(struct sppp *sp);
349 static void sppp_chap_open(struct sppp *sp);
350 static void sppp_chap_close(struct sppp *sp);
351 static void sppp_chap_TO(void *sp);
352 static void sppp_chap_tlu(struct sppp *sp);
353 static void sppp_chap_tld(struct sppp *sp);
354 static void sppp_chap_scr(struct sppp *sp);
355 
356 static const char *sppp_auth_type_name(u_short proto, u_char type);
357 static const char *sppp_cp_type_name(u_char type);
358 #ifdef INET
359 static const char *sppp_dotted_quad(u_long addr);
360 static const char *sppp_ipcp_opt_name(u_char opt);
361 #endif
362 #ifdef INET6
363 static const char *sppp_ipv6cp_opt_name(u_char opt);
364 #endif
365 static const char *sppp_lcp_opt_name(u_char opt);
366 static const char *sppp_phase_name(enum ppp_phase phase);
367 static const char *sppp_proto_name(u_short proto);
368 static const char *sppp_state_name(int state);
369 static int sppp_params(struct sppp *sp, u_long cmd, void *data);
370 static int sppp_strnlen(u_char *p, int max);
371 static void sppp_keepalive(void *dummy);
372 static void sppp_phase_network(struct sppp *sp);
373 static void sppp_print_bytes(const u_char *p, u_short len);
374 static void sppp_print_string(const char *p, u_short len);
375 static void sppp_qflush(struct ifqueue *ifq);
376 #ifdef INET
377 static void sppp_set_ip_addr(struct sppp *sp, u_long src);
378 #endif
379 #ifdef INET6
380 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src,
381 			       struct in6_addr *dst, struct in6_addr *srcmask);
382 #ifdef IPV6CP_MYIFID_DYN
383 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src);
384 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src);
385 #endif
386 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src);
387 #endif
388 
389 /* if_start () wrapper */
390 static void sppp_ifstart (struct ifnet *ifp);
391 
392 /* our control protocol descriptors */
/* Link Control Protocol descriptor. */
static const struct cp lcp = {
	.proto = PPP_LCP,
	.protoidx = IDX_LCP,
	.flags = CP_LCP,
	.name = "lcp",
	/* RFC 1661 events */
	.Up = sppp_lcp_up,
	.Down = sppp_lcp_down,
	.Open = sppp_lcp_open,
	.Close = sppp_lcp_close,
	.TO = sppp_lcp_TO,
	.RCR = sppp_lcp_RCR,
	.RCN_rej = sppp_lcp_RCN_rej,
	.RCN_nak = sppp_lcp_RCN_nak,
	/* RFC 1661 actions */
	.tlu = sppp_lcp_tlu,
	.tld = sppp_lcp_tld,
	.tls = sppp_lcp_tls,
	.tlf = sppp_lcp_tlf,
	.scr = sppp_lcp_scr
};
400 
/* IPv4 Control Protocol descriptor; flagged as an NCP only with INET. */
static const struct cp ipcp = {
	.proto = PPP_IPCP,
	.protoidx = IDX_IPCP,
#ifdef INET	/* don't run IPCP if there's no IPv4 support */
	.flags = CP_NCP,
#else
	.flags = 0,
#endif
	.name = "ipcp",
	/* RFC 1661 events */
	.Up = sppp_ipcp_up,
	.Down = sppp_ipcp_down,
	.Open = sppp_ipcp_open,
	.Close = sppp_ipcp_close,
	.TO = sppp_ipcp_TO,
	.RCR = sppp_ipcp_RCR,
	.RCN_rej = sppp_ipcp_RCN_rej,
	.RCN_nak = sppp_ipcp_RCN_nak,
	/* RFC 1661 actions */
	.tlu = sppp_ipcp_tlu,
	.tld = sppp_ipcp_tld,
	.tls = sppp_ipcp_tls,
	.tlf = sppp_ipcp_tlf,
	.scr = sppp_ipcp_scr
};
414 
/* IPv6 Control Protocol descriptor; flagged as an NCP only with INET6. */
static const struct cp ipv6cp = {
	.proto = PPP_IPV6CP,
	.protoidx = IDX_IPV6CP,
#ifdef INET6	/*don't run IPv6CP if there's no IPv6 support*/
	.flags = CP_NCP,
#else
	.flags = 0,
#endif
	.name = "ipv6cp",
	/* RFC 1661 events */
	.Up = sppp_ipv6cp_up,
	.Down = sppp_ipv6cp_down,
	.Open = sppp_ipv6cp_open,
	.Close = sppp_ipv6cp_close,
	.TO = sppp_ipv6cp_TO,
	.RCR = sppp_ipv6cp_RCR,
	.RCN_rej = sppp_ipv6cp_RCN_rej,
	.RCN_nak = sppp_ipv6cp_RCN_nak,
	/* RFC 1661 actions */
	.tlu = sppp_ipv6cp_tlu,
	.tld = sppp_ipv6cp_tld,
	.tls = sppp_ipv6cp_tls,
	.tlf = sppp_ipv6cp_tlf,
	.scr = sppp_ipv6cp_scr
};
428 
/*
 * PAP descriptor.  Up/Down and tls/tlf are no-ops (sppp_null) and the
 * RCR/RCN handlers are NULL: PAP packets come in through
 * sppp_pap_input() rather than the generic sppp_cp_input() path.
 */
static const struct cp pap = {
	.proto = PPP_PAP,
	.protoidx = IDX_PAP,
	.flags = CP_AUTH,
	.name = "pap",
	.Up = sppp_null,
	.Down = sppp_null,
	.Open = sppp_pap_open,
	.Close = sppp_pap_close,
	.TO = sppp_pap_TO,
	.RCR = NULL,
	.RCN_rej = NULL,
	.RCN_nak = NULL,
	.tlu = sppp_pap_tlu,
	.tld = sppp_pap_tld,
	.tls = sppp_null,
	.tlf = sppp_null,
	.scr = sppp_pap_scr
};
436 
/*
 * CHAP descriptor.  Same shape as pap: no Up/Down/tls/tlf work and no
 * RCR/RCN handlers, because CHAP packets arrive via sppp_chap_input().
 */
static const struct cp chap = {
	.proto = PPP_CHAP,
	.protoidx = IDX_CHAP,
	.flags = CP_AUTH,
	.name = "chap",
	.Up = sppp_null,
	.Down = sppp_null,
	.Open = sppp_chap_open,
	.Close = sppp_chap_close,
	.TO = sppp_chap_TO,
	.RCR = NULL,
	.RCN_rej = NULL,
	.RCN_nak = NULL,
	.tlu = sppp_chap_tlu,
	.tld = sppp_chap_tld,
	.tls = sppp_null,
	.tlf = sppp_null,
	.scr = sppp_chap_scr
};
444 
/*
 * Descriptor table, presumably indexed by cp.protoidx.  Designated
 * initializers tie each slot to its IDX_* constant instead of relying
 * on the declaration order matching the numbering.
 */
static const struct cp *cps[IDX_COUNT] = {
	[IDX_LCP] = &lcp,
	[IDX_IPCP] = &ipcp,
	[IDX_IPV6CP] = &ipv6cp,
	[IDX_PAP] = &pap,
	[IDX_CHAP] = &chap,
};
452 
/*
 * if_register_com_alloc() allocator: returns a zero-filled struct sppp
 * bound to `ifp`.  `type` is part of the callback signature and is not
 * used here.
 */
static void *
sppp_alloc(u_char type, struct ifnet *ifp)
{
	struct sppp *sp;

	sp = malloc(sizeof(*sp), M_SPPP, M_WAITOK | M_ZERO);
	sp->pp_ifp = ifp;
	return (sp);
}
463 
/*
 * if_register_com_alloc() deallocator, counterpart of sppp_alloc().
 * `type` is dictated by the callback signature and ignored.
 */
static void
sppp_free(void *com, u_char type)
{
	(void)type;
	free(com, M_SPPP);
}
470 
/*
 * Module event handler.  MOD_LOAD registers the per-interface
 * allocator for IFT_PPP interfaces; MOD_UNLOAD is refused with EACCES
 * (the if_deregister_com_alloc(IFT_PPP) call remains disabled), and
 * any other event reports EOPNOTSUPP.
 */
static int
sppp_modevent(module_t mod, int type, void *unused)
{
	int error = 0;

	switch (type) {
	case MOD_LOAD:
		/*
		 * XXX: should probably be IFT_SPPP, but it's fairly
		 * harmless to allocate struct sppp's for non-sppp
		 * interfaces.
		 */
		if_register_com_alloc(IFT_PPP, sppp_alloc, sppp_free);
		break;
	case MOD_UNLOAD:
		/* if_deregister_com_alloc(IFT_PPP); */
		error = EACCES;
		break;
	default:
		error = EOPNOTSUPP;
		break;
	}
	return (error);
}
/* Module registration: name, event handler, no private data. */
static moduledata_t spppmod = {
	.name = "sppp",
	.evhand = sppp_modevent,
	.priv = NULL
};
MODULE_VERSION(sppp, 1);
DECLARE_MODULE(sppp, spppmod, SI_SUB_DRIVERS, SI_ORDER_ANY);
499 
500 /*
501  * Exported functions, comprising our interface to the lower layer.
502  */
503 
/*
 * Process the received packet.
 *
 * Entry point from the lower layer; `m` is one complete received frame
 * and is consumed on every path: freed here, parsed by a control
 * protocol and then freed, handed to sppp_fr_input() (frame relay mode,
 * which is then responsible for it), or queued to netisr.
 *
 * SPPP_LOCK is taken on entry and released before every return.  The
 * `drop` label expects the lock held and `m` still owned; `drop2`
 * expects the lock already released and `m` already gone, and only
 * bumps the error counters.  The netisr hand-off and the final
 * timestamp update run without the lock.
 */
void
sppp_input(struct ifnet *ifp, struct mbuf *m)
{
	struct ppp_header *h;
	int isr = -1;			/* netisr to queue to; -1 means drop */
	struct sppp *sp = IFP2SP(ifp);
	int debug, do_account = 0;	/* do_account: network-layer data, not control traffic */
#ifdef INET
	int hlen, vjlen;
	u_char *iphdr;
#endif

	SPPP_LOCK(sp);
	debug = ifp->if_flags & IFF_DEBUG;

	if (ifp->if_flags & IFF_UP)
		/* Count received bytes, add FCS and one flag */
		if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len + 3);

	/*
	 * Anything not strictly longer than the framing header is
	 * rejected before the header is touched.  (int vs. size_t
	 * comparison: PPP_HEADER_LEN is a sizeof.)
	 */
	if (m->m_pkthdr.len <= PPP_HEADER_LEN) {
		/* Too small packet, drop it. */
		if (debug)
			log(LOG_DEBUG,
			    SPP_FMT "input packet is too small, %d bytes\n",
			    SPP_ARGS(ifp), m->m_pkthdr.len);
	  drop:		/* lock held, m still ours */
		m_freem (m);
		SPPP_UNLOCK(sp);
	  drop2:		/* unlocked, m already freed or consumed */
		if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
		if_inc_counter(ifp, IFCOUNTER_IQDROPS, 1);
		return;
	}

	if (sp->pp_mode == PP_FR) {
		/* Frame relay: the FR code takes over the mbuf. */
		sppp_fr_input (sp, m);
		SPPP_UNLOCK(sp);
		return;
	}

	/*
	 * Get PPP header.
	 * NOTE(review): assumes the first mbuf holds PPP_HEADER_LEN
	 * contiguous bytes (no m_pullup() here) -- confirm the lower
	 * layer guarantees that.  `h` is still dereferenced after
	 * m_adj() below (debug messages, PROTO_REJ payload), which
	 * presumably relies on m_adj() only moving m_data.
	 */
	h = mtod (m, struct ppp_header*);
	m_adj (m, PPP_HEADER_LEN);

	switch (h->address) {
	case PPP_ALLSTATIONS:
		if (h->control != PPP_UI)
			goto invalid;
		if (sp->pp_mode == IFF_CISCO) {
			if (debug)
				log(LOG_DEBUG,
				    SPP_FMT "PPP packet in Cisco mode "
				    "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
				    SPP_ARGS(ifp),
				    h->address, h->control, ntohs(h->protocol));
			goto drop;
		}
		switch (ntohs (h->protocol)) {
		default:
			/*
			 * Unknown protocol: send an LCP Protocol-Reject
			 * (RFC 1661) only while LCP is open, echoing the
			 * packet back starting at its protocol field.
			 */
			if (debug)
				log(LOG_DEBUG,
				    SPP_FMT "rejecting protocol "
				    "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
				    SPP_ARGS(ifp),
				    h->address, h->control, ntohs(h->protocol));
			if (sp->state[IDX_LCP] == STATE_OPENED)
				sppp_cp_send (sp, PPP_LCP, PROTO_REJ,
					++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2,
					&h->protocol);
			if_inc_counter(ifp, IFCOUNTER_NOPROTO, 1);
			goto drop;
		case PPP_LCP:
			sppp_cp_input(&lcp, sp, m);
			m_freem (m);
			SPPP_UNLOCK(sp);
			return;
		case PPP_PAP:
			/* Authentication packets are ignored before PHASE_AUTHENTICATE. */
			if (sp->pp_phase >= PHASE_AUTHENTICATE)
				sppp_pap_input(sp, m);
			m_freem (m);
			SPPP_UNLOCK(sp);
			return;
		case PPP_CHAP:
			if (sp->pp_phase >= PHASE_AUTHENTICATE)
				sppp_chap_input(sp, m);
			m_freem (m);
			SPPP_UNLOCK(sp);
			return;
#ifdef INET
		case PPP_IPCP:
			/* NCP packets are only parsed in the network phase. */
			if (sp->pp_phase == PHASE_NETWORK)
				sppp_cp_input(&ipcp, sp, m);
			m_freem (m);
			SPPP_UNLOCK(sp);
			return;
		case PPP_IP:
			/* Data is delivered only once IPCP is open; otherwise isr stays -1 and it is dropped below. */
			if (sp->state[IDX_IPCP] == STATE_OPENED) {
				isr = NETISR_IP;
			}
			do_account++;
			break;
		case PPP_VJ_COMP:
			if (sp->state[IDX_IPCP] == STATE_OPENED) {
				/*
				 * Only the first mbuf (m_len) is passed to the
				 * decompressor.  A result <= 0 is a failure;
				 * otherwise it is the VJ header length that
				 * m_adj() strips below.
				 */
				if ((vjlen =
				     sl_uncompress_tcp_core(mtod(m, u_char *),
							    m->m_len, m->m_len,
							    TYPE_COMPRESSED_TCP,
							    sp->pp_comp,
							    &iphdr, &hlen)) <= 0) {
					if (debug)
						log(LOG_INFO,
			    SPP_FMT "VJ uncompress failed on compressed packet\n",
						    SPP_ARGS(ifp));
					goto drop;
				}

				/*
				 * Trim the VJ header off the packet, and prepend
				 * the uncompressed IP header (which will usually
				 * end up in two chained mbufs since there's not
				 * enough leading space in the existing mbuf).
				 */
				m_adj(m, vjlen);
				M_PREPEND(m, hlen, M_NOWAIT);
				if (m == NULL) {
					/* m is gone, so drop2 (no m_freem) is the right target. */
					SPPP_UNLOCK(sp);
					goto drop2;
				}
				bcopy(iphdr, mtod(m, u_char *), hlen);
				isr = NETISR_IP;
			}
			do_account++;
			break;
		case PPP_VJ_UCOMP:
			if (sp->state[IDX_IPCP] == STATE_OPENED) {
				/* Uncompressed VJ: nothing to trim or prepend; non-zero means failure. */
				if (sl_uncompress_tcp_core(mtod(m, u_char *),
							   m->m_len, m->m_len,
							   TYPE_UNCOMPRESSED_TCP,
							   sp->pp_comp,
							   &iphdr, &hlen) != 0) {
					if (debug)
						log(LOG_INFO,
			    SPP_FMT "VJ uncompress failed on uncompressed packet\n",
						    SPP_ARGS(ifp));
					goto drop;
				}
				isr = NETISR_IP;
			}
			do_account++;
			break;
#endif
#ifdef INET6
		case PPP_IPV6CP:
			if (sp->pp_phase == PHASE_NETWORK)
			    sppp_cp_input(&ipv6cp, sp, m);
			m_freem (m);
			SPPP_UNLOCK(sp);
			return;

		case PPP_IPV6:
			if (sp->state[IDX_IPV6CP] == STATE_OPENED)
				isr = NETISR_IPV6;
			do_account++;
			break;
#endif
		}
		break;
	case CISCO_MULTICAST:
	case CISCO_UNICAST:
		/* Don't check the control field here (RFC 1547). */
		if (sp->pp_mode != IFF_CISCO) {
			if (debug)
				log(LOG_DEBUG,
				    SPP_FMT "Cisco packet in PPP mode "
				    "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
				    SPP_ARGS(ifp),
				    h->address, h->control, ntohs(h->protocol));
			goto drop;
		}
		/* Cisco mode carries Ethernet type codes in the protocol field. */
		switch (ntohs (h->protocol)) {
		default:
			if_inc_counter(ifp, IFCOUNTER_NOPROTO, 1);
			goto invalid;
		case CISCO_KEEPALIVE:
			sppp_cisco_input (sp, m);
			m_freem (m);
			SPPP_UNLOCK(sp);
			return;
#ifdef INET
		case ETHERTYPE_IP:
			isr = NETISR_IP;
			do_account++;
			break;
#endif
#ifdef INET6
		case ETHERTYPE_IPV6:
			isr = NETISR_IPV6;
			do_account++;
			break;
#endif
		}
		break;
	default:        /* Invalid PPP packet. */
	  invalid:
		if (debug)
			log(LOG_DEBUG,
			    SPP_FMT "invalid input packet "
			    "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
			    SPP_ARGS(ifp),
			    h->address, h->control, ntohs(h->protocol));
		goto drop;
	}

	/* Only data packets reach this point, and only while the interface is up. */
	if (! (ifp->if_flags & IFF_UP) || isr == -1)
		goto drop;

	/* The netisr hand-off is done without holding our lock. */
	SPPP_UNLOCK(sp);
	M_SETFIB(m, ifp->if_fib);
	/* Check queue. */
	if (netisr_queue(isr, m)) {	/* (0) on success. */
		/* drop2 does not free m; presumably netisr_queue() disposed of it -- confirm. */
		if (debug)
			log(LOG_DEBUG, SPP_FMT "protocol queue overflow\n",
				SPP_ARGS(ifp));
		goto drop2;
	}

	if (do_account)
		/*
		 * Do only account for network packets, not for control
		 * packets.  This is used by some subsystems to detect
		 * idle lines.
		 * NOTE(review): this store happens after SPPP_UNLOCK(),
		 * i.e. without the sppp lock.
		 */
		sp->pp_last_recv = time_uptime;
}
741 
/*
 * Callout body scheduled by sppp_ifstart(): runs the real if_start
 * handler for the sppp passed as the callout argument.
 */
static void
sppp_ifstart_sched(void *dummy)
{
	struct sppp *sp;

	sp = dummy;
	sp->if_start(SP2IFP(sp));
}
749 
/*
 * if_start() wrapper.  With the sppp lock not held the real if_start()
 * is called directly; with the lock held it is deferred to a one-tick
 * callout (sppp_ifstart_sched), unless such a callout is already
 * pending.
 */
static void
sppp_ifstart(struct ifnet *ifp)
{
	struct sppp *sp = IFP2SP(ifp);

	if (!SPPP_LOCK_OWNED(sp)) {
		sp->if_start(ifp);
		return;
	}
	/* Lock held: schedule instead of calling, at most one callout at a time. */
	if (!callout_pending(&sp->ifstart_callout))
		callout_reset(&sp->ifstart_callout, 1, sppp_ifstart_sched,
		    (void *)sp);
}
767 
/*
 * Enqueue transmit packet.
 *
 * if_output handler.  Determines the address family from `ro`/`dst`,
 * optionally VJ-compresses TCP/IPv4, selects the fast queue for
 * interactive traffic, prepends the PPP, Cisco or frame relay header
 * and hands the mbuf to the interface queue.  `m` is consumed on every
 * path (queued, or freed on error).
 *
 * Returns 0 on success; ENETDOWN when the link is down (and, instead
 * of ENOBUFS, when the queue is full while the NCP for `af` is not yet
 * open); EADDRNOTAVAIL for TCP with a 0.0.0.0 source (other protocols
 * with that source are dropped with 0); EINVAL on a VJ compression
 * failure; EAFNOSUPPORT for an unknown family; ENOBUFS otherwise.
 */
static int
sppp_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
	struct route *ro)
{
	struct sppp *sp = IFP2SP(ifp);
	struct ppp_header *h;
	struct ifqueue *ifq = NULL;	/* NULL: default if_snd; else the fast queue */
	int error, rv = 0;		/* rv: deferred ENETDOWN reported only on queue failure */
#ifdef INET
	int ipproto = PPP_IP;		/* PPP protocol number, changed by VJ compression */
#endif
	int debug = ifp->if_flags & IFF_DEBUG;
	int af = RO_GET_FAMILY(ro, dst);

	SPPP_LOCK(sp);

	/* Down, or not running and not auto-dial: nothing can be sent. */
	if (!(ifp->if_flags & IFF_UP) ||
	    (!(ifp->if_flags & IFF_AUTO) &&
	    !(ifp->if_drv_flags & IFF_DRV_RUNNING))) {
#ifdef INET6
	  drop:
#endif
		m_freem (m);
		SPPP_UNLOCK(sp);
		return (ENETDOWN);
	}

	if ((ifp->if_flags & IFF_AUTO) &&
	    !(ifp->if_drv_flags & IFF_DRV_RUNNING)) {
#ifdef INET6
		/*
		 * XXX
		 *
		 * Hack to prevent the initialization-time generated
		 * IPv6 multicast packet to erroneously cause a
		 * dialout event in case IPv6 has been
		 * administratively disabled on that interface.
		 */
		if (af == AF_INET6 &&
		    !(sp->confflags & CONF_ENABLE_IPV6))
			goto drop;
#endif
		/*
		 * Interface is not yet running, but auto-dial.  Need
		 * to start LCP for it.  The packet itself is still
		 * queued below (see the ENETDOWN deferral via rv).
		 */
		ifp->if_drv_flags |= IFF_DRV_RUNNING;
		lcp.Open(sp);
	}

#ifdef INET
	if (af == AF_INET) {
		/*
		 * XXX Check mbuf length here?
		 * NOTE(review): ip_src, ip_p and ip_tos are read below
		 * before the m_len test, and mtod() assumes the IPv4
		 * header is contiguous in the first mbuf -- presumably
		 * true for traffic coming from the IP layer, but nothing
		 * here verifies it.
		 */
		struct ip *ip = mtod (m, struct ip*);
		/*
		 * NOTE(review): ip_hl counts 32-bit words, but `long *`
		 * arithmetic advances sizeof(long) per unit, so on LP64
		 * targets `tcp` lands at twice the intended offset and
		 * the m_len guard below (sizeof *ip + sizeof *tcp) does
		 * not cover it.  Only the fast-queue port test is
		 * affected; `(char *)ip + (ip->ip_hl << 2)` would be the
		 * usual form.  Confirm on 64-bit builds.
		 */
		struct tcphdr *tcp = (struct tcphdr*) ((long*)ip + ip->ip_hl);

		/*
		 * When using dynamic local IP address assignment by using
		 * 0.0.0.0 as a local address, the first TCP session will
		 * not connect because the local TCP checksum is computed
		 * using 0.0.0.0 which will later become our real IP address
		 * so the TCP checksum computed at the remote end will
		 * become invalid. So we
		 * - don't let packets with src ip addr 0 thru
		 * - we flag TCP packets with src ip 0 as an error
		 * (non-TCP packets with source 0 are dropped silently,
		 * returning 0)
		 */

		if(ip->ip_src.s_addr == INADDR_ANY)	/* -hm */
		{
			m_freem(m);
			SPPP_UNLOCK(sp);
			if(ip->ip_p == IPPROTO_TCP)
				return(EADDRNOTAVAIL);
			else
				return(0);
		}

		/*
		 * Put low delay, telnet, rlogin and ftp control packets
		 * in front of the queue or let ALTQ take care.
		 * The empty branches leave ifq NULL (default queue):
		 * ALTQ active, fast queue full, mbuf too short for a
		 * TCP header, or not TCP.
		 */
		if (ALTQ_IS_ENABLED(&ifp->if_snd))
			;
		else if (_IF_QFULL(&sp->pp_fastq))
			;
		else if (ip->ip_tos & IPTOS_LOWDELAY)
			ifq = &sp->pp_fastq;
		else if (m->m_len < sizeof *ip + sizeof *tcp)
			;
		else if (ip->ip_p != IPPROTO_TCP)
			;
		else if (INTERACTIVE (ntohs (tcp->th_sport)))
			ifq = &sp->pp_fastq;
		else if (INTERACTIVE (ntohs (tcp->th_dport)))
			ifq = &sp->pp_fastq;

		/*
		 * Do IP Header compression
		 * Only in PPP mode with VJ negotiated by IPCP and only
		 * for TCP; the result picks the PPP protocol number used
		 * below, and any other result is treated as an error.
		 */
		if (sp->pp_mode != IFF_CISCO && sp->pp_mode != PP_FR &&
		    (sp->ipcp.flags & IPCP_VJ) && ip->ip_p == IPPROTO_TCP)
			switch (sl_compress_tcp(m, ip, sp->pp_comp,
						sp->ipcp.compress_cid)) {
			case TYPE_COMPRESSED_TCP:
				ipproto = PPP_VJ_COMP;
				break;
			case TYPE_UNCOMPRESSED_TCP:
				ipproto = PPP_VJ_UCOMP;
				break;
			case TYPE_IP:
				ipproto = PPP_IP;
				break;
			default:
				m_freem(m);
				SPPP_UNLOCK(sp);
				return (EINVAL);
			}
	}
#endif

#ifdef INET6
	if (af == AF_INET6) {
		/* XXX do something tricky here? */
	}
#endif

	if (sp->pp_mode == PP_FR) {
		/*
		 * Add frame relay header.  The FR code builds the whole
		 * header, so the PPP header construction is skipped.
		 */
		m = sppp_fr_header (sp, m, af);
		if (! m)
			goto nobufs;
		goto out;
	}

	/*
	 * Prepend general data packet PPP header. For now, IP only.
	 */
	M_PREPEND (m, PPP_HEADER_LEN, M_NOWAIT);
	if (! m) {
nobufs:		if (debug)	/* reached with m already NULL; nothing to free */
			log(LOG_DEBUG, SPP_FMT "no memory for transmit header\n",
				SPP_ARGS(ifp));
		if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
		SPPP_UNLOCK(sp);
		return (ENOBUFS);
	}
	/*
	 * May want to check size of packet
	 * (albeit due to the implementation it's always enough)
	 */
	h = mtod (m, struct ppp_header*);
	if (sp->pp_mode == IFF_CISCO) {
		h->address = CISCO_UNICAST;        /* unicast address */
		h->control = 0;
	} else {
		h->address = PPP_ALLSTATIONS;        /* broadcast address */
		h->control = PPP_UI;                 /* Unnumbered Info */
	}

	/* Protocol field: Ethernet type codes in Cisco mode, PPP numbers otherwise. */
	switch (af) {
#ifdef INET
	case AF_INET:   /* Internet Protocol */
		if (sp->pp_mode == IFF_CISCO)
			h->protocol = htons (ETHERTYPE_IP);
		else {
			/*
			 * Don't choke with an ENETDOWN early.  It's
			 * possible that we just started dialing out,
			 * so don't drop the packet immediately.  If
			 * we notice that we run out of buffer space
			 * below, we will however remember that we are
			 * not ready to carry IP packets, and return
			 * ENETDOWN, as opposed to ENOBUFS.
			 */
			h->protocol = htons(ipproto);
			if (sp->state[IDX_IPCP] != STATE_OPENED)
				rv = ENETDOWN;
		}
		break;
#endif
#ifdef INET6
	case AF_INET6:   /* Internet Protocol */
		if (sp->pp_mode == IFF_CISCO)
			h->protocol = htons (ETHERTYPE_IPV6);
		else {
			/*
			 * Don't choke with an ENETDOWN early.  It's
			 * possible that we just started dialing out,
			 * so don't drop the packet immediately.  If
			 * we notice that we run out of buffer space
			 * below, we will however remember that we are
			 * not ready to carry IP packets, and return
			 * ENETDOWN, as opposed to ENOBUFS.
			 */
			h->protocol = htons(PPP_IPV6);
			if (sp->state[IDX_IPV6CP] != STATE_OPENED)
				rv = ENETDOWN;
		}
		break;
#endif
	default:
		m_freem (m);
		if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
		SPPP_UNLOCK(sp);
		return (EAFNOSUPPORT);
	}

	/*
	 * Queue message on interface, and start output if interface
	 * not yet active.  The 3 presumably mirrors the "+3" (FCS and
	 * flag) byte accounting done in sppp_input().
	 */
out:
	if (ifq != NULL)
		error = !(IF_HANDOFF_ADJ(ifq, m, ifp, 3));
	else
		IFQ_HANDOFF_ADJ(ifp, m, 3, error);
	if (error) {
		/* No m_freem() here: the handoff macros presumably dispose of m on failure. */
		if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
		SPPP_UNLOCK(sp);
		return (rv? rv: ENOBUFS);
	}
	SPPP_UNLOCK(sp);
	/*
	 * Unlike in sppp_input(), we can always bump the timestamp
	 * here since sppp_output() is only called on behalf of
	 * network-layer traffic; control-layer traffic is handled
	 * by sppp_cp_send().
	 * NOTE(review): stored after SPPP_UNLOCK(), i.e. unlocked.
	 */
	sp->pp_last_sent = time_uptime;
	return (0);
}
1002 
/*
 * Attach the sppp machinery to a freshly created point-to-point interface.
 *
 * Sets up the locks, the three output queues, the callouts and the
 * per-protocol state kept in the driver's struct sppp, and hooks
 * sppp_output()/sppp_ifstart() into the ifnet (the driver's own if_start
 * is saved in sp->if_start and invoked through the wrapper).  Keepalives
 * are not enabled here: pp_flags is left untouched.  Pair with
 * sppp_detach().
 */
void
sppp_attach(struct ifnet *ifp)
{
	struct sppp *sp = IFP2SP(ifp);

	/* The sppp mutex protects everything else; create it first. */
	mtx_init(&sp->mtx, "sppp", MTX_NETWORK_LOCK, MTX_DEF | MTX_RECURSE);

	/* Periodic keepalive timer, first run ten seconds from now. */
	callout_init(&sp->keepalive_callout, 1);
	callout_reset(&sp->keepalive_callout, hz * 10, sppp_keepalive,
	    (void *)sp);

	/* ifnet side: MTU, link flags, output hook and wrapped start routine. */
	ifp->if_mtu = PP_MTU;
	ifp->if_flags = IFF_POINTOPOINT | IFF_MULTICAST;
	ifp->if_output = sppp_output;
	ifp->if_snd.ifq_maxlen = 32;
	callout_init(&sp->ifstart_callout, 1);
	sp->if_start = ifp->if_start;
	ifp->if_start = sppp_ifstart;

	/* sppp-private fast-path and control-protocol queues plus their locks. */
	sp->pp_fastq.ifq_maxlen = 32;
	sp->pp_cpq.ifq_maxlen = 20;
	if (!mtx_initialized(&sp->pp_cpq.ifq_mtx))
		mtx_init(&sp->pp_cpq.ifq_mtx, "sppp_cpq", NULL, MTX_DEF);
	if (!mtx_initialized(&sp->pp_fastq.ifq_mtx))
		mtx_init(&sp->pp_fastq.ifq_mtx, "sppp_fastq", NULL, MTX_DEF);

	/* Link bookkeeping: dead phase, sequence numbers and counters zeroed. */
	sp->pp_phase = PHASE_DEAD;
	sp->pp_loopcnt = 0;
	sp->pp_alivecnt = 0;
	bzero(&sp->pp_seq[0], sizeof(sp->pp_seq));
	bzero(&sp->pp_rseq[0], sizeof(sp->pp_rseq));
	sp->pp_last_recv = sp->pp_last_sent = time_uptime;
	sp->pp_up = sppp_pp_up;
	sp->pp_down = sppp_pp_down;

	/* Feature enables follow what is compiled into the kernel. */
	sp->confflags = 0;
#ifdef INET
	sp->confflags |= CONF_ENABLE_VJ;
#endif
#ifdef INET6
	sp->confflags |= CONF_ENABLE_IPV6;
#endif

	/* VJ header-compression state; M_WAITOK, so never NULL. */
	sp->pp_comp = malloc(sizeof(struct slcompress), M_TEMP, M_WAITOK);
	sl_compress_init(sp->pp_comp, -1);

	/* Finally the control protocols themselves. */
	sppp_lcp_init(sp);
	sppp_ipcp_init(sp);
	sppp_ipv6cp_init(sp);
	sppp_pap_init(sp);
	sppp_chap_init(sp);
}
1055 
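/*
 * Undo sppp_attach().
 *
 * Drains every callout the state machine owns so no handler can still be
 * running or fire later against the structure, releases the packets left
 * on the sppp-private queues and the slcompress state allocated by
 * sppp_attach(), then destroys the mutexes.  The ifnet's own if_snd queue
 * is left to the ifnet layer.  The struct must not be used afterwards.
 */
void
sppp_detach(struct ifnet *ifp)
{
	struct sppp *sp = IFP2SP(ifp);
	int i;

	KASSERT(mtx_initialized(&sp->mtx), ("sppp mutex is not initialized"));

	/*
	 * Stop (and wait for) the keepalive timer, the per-protocol restart
	 * timers, the PAP timeout and the ifstart_callout initialised in
	 * sppp_attach().  The last one was previously not drained here,
	 * leaving a window for it to run after the locks below are gone.
	 */
	callout_drain(&sp->keepalive_callout);
	for (i = 0; i < IDX_COUNT; i++)
		callout_drain(&sp->ch[i]);
	callout_drain(&sp->pap_my_to_ch);
	callout_drain(&sp->ifstart_callout);

	/*
	 * Anything still queued on the private queues would otherwise be
	 * lost with the structure; if_snd belongs to the ifnet layer.
	 */
	sppp_qflush(&sp->pp_fastq);
	sppp_qflush(&sp->pp_cpq);

	/* Allocated unconditionally in sppp_attach(); was never freed. */
	free(sp->pp_comp, M_TEMP);
	sp->pp_comp = NULL;

	mtx_destroy(&sp->pp_cpq.ifq_mtx);
	mtx_destroy(&sp->pp_fastq.ifq_mtx);
	mtx_destroy(&sp->mtx);
}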
1076 
/*
 * Discard everything waiting for transmission on this interface: the
 * ifnet's if_snd queue and sppp's private fast and control-protocol
 * queues.  The caller must hold the sppp lock.
 */
static void
sppp_flush_unlocked(struct ifnet *ifp)
{
	struct sppp *sp = IFP2SP(ifp);
	struct ifqueue *queues[] = {
		(struct ifqueue *)&SP2IFP(sp)->if_snd,
		&sp->pp_fastq,
		&sp->pp_cpq,
	};
	u_int i;

	for (i = 0; i < sizeof(queues) / sizeof(queues[0]); i++)
		sppp_qflush(queues[i]);
}
1089 
/*
 * Locked entry point for drivers: drop all pending output on the
 * interface.  See sppp_flush_unlocked() for what gets flushed.
 */
void
sppp_flush(struct ifnet *ifp)
{
	struct sppp *sp;

	sp = IFP2SP(ifp);
	SPPP_LOCK(sp);
	sppp_flush_unlocked(ifp);
	SPPP_UNLOCK(sp);
}
1099 
/*
 * Tell whether nothing is waiting on any of the three output queues
 * (control, fast path, if_snd).  Returns non-zero when all are empty.
 * Takes the sppp lock for the snapshot.
 */
int
sppp_isempty(struct ifnet *ifp)
{
	struct sppp *sp = IFP2SP(ifp);
	int pending;

	SPPP_LOCK(sp);
	pending = (sp->pp_fastq.ifq_head != NULL) ||
	    (sp->pp_cpq.ifq_head != NULL) ||
	    (SP2IFP(sp)->if_snd.ifq_head != NULL);
	SPPP_UNLOCK(sp);

	return (!pending);
}
1115 
/*
 * Remove and return the next packet to transmit, or NULL if nothing is
 * eligible.
 *
 * Control-protocol traffic (pp_cpq) is always served first.  The data
 * queues -- pp_fastq, then the ifnet's if_snd -- are only served once
 * sppp_ncp_check() reports a network control protocol open, or
 * unconditionally in Cisco HDLC and Frame Relay modes.
 */
struct mbuf *
sppp_dequeue(struct ifnet *ifp)
{
	struct sppp *sp = IFP2SP(ifp);
	struct mbuf *m = NULL;
	int data_ok;

	SPPP_LOCK(sp);
	IF_DEQUEUE(&sp->pp_cpq, m);
	if (m == NULL) {
		data_ok = sppp_ncp_check(sp) ||
		    sp->pp_mode == IFF_CISCO ||
		    sp->pp_mode == PP_FR;
		if (data_ok) {
			IF_DEQUEUE(&sp->pp_fastq, m);
			if (m == NULL)
				IF_DEQUEUE(&SP2IFP(sp)->if_snd, m);
		}
	}
	SPPP_UNLOCK(sp);

	return (m);
}
1143 
/*
 * Peek at the next eligible packet without removing it from its queue;
 * NULL if there is none.
 *
 * Same queue order as sppp_dequeue() (control, fast, if_snd), but note
 * the data queues are gated on pp_phase == PHASE_NETWORK here, whereas
 * sppp_dequeue() consults sppp_ncp_check(); Cisco and Frame Relay modes
 * are always eligible in both.
 */
struct mbuf *
sppp_pick(struct ifnet *ifp)
{
	struct sppp *sp = IFP2SP(ifp);
	struct mbuf *next;

	SPPP_LOCK(sp);
	next = sp->pp_cpq.ifq_head;
	if (next == NULL &&
	    (sp->pp_phase == PHASE_NETWORK ||
	     sp->pp_mode == IFF_CISCO || sp->pp_mode == PP_FR)) {
		next = sp->pp_fastq.ifq_head;
		if (next == NULL)
			next = SP2IFP(sp)->if_snd.ifq_head;
	}
	SPPP_UNLOCK(sp);

	return (next);
}
1165 
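/*
 * Process an ioctl request on behalf of the driver.  Called on low
 * priority level.
 *
 * Handles address and flag changes (bringing the link up or down and
 * switching between PPP, Cisco HDLC and Frame Relay modes), MTU get/set,
 * the multicast no-ops and the SIOC[GS]IFGENERIC parameter interface via
 * sppp_params().  Returns 0 on success, ENOTTY for unknown commands,
 * EINVAL for an out-of-range MTU, or whatever sppp_params() returns.
 * The sppp lock is held for the whole call and released on every path.
 */
int
sppp_ioctl(struct ifnet *ifp, IOCTL_CMD_T cmd, void *data)
{
	struct ifreq *ifr = (struct ifreq*) data;
	struct sppp *sp = IFP2SP(ifp);
	int rv, going_up, going_down, newmode;

	SPPP_LOCK(sp);
	rv = 0;
	switch (cmd) {
	case SIOCAIFADDR:
		break;

	case SIOCSIFADDR:
		/* set the interface "up" when assigning an IP address */
		ifp->if_flags |= IFF_UP;
		/* FALLTHROUGH */

	case SIOCSIFFLAGS:
		going_up = ifp->if_flags & IFF_UP &&
			(ifp->if_drv_flags & IFF_DRV_RUNNING) == 0;
		going_down = (ifp->if_flags & IFF_UP) == 0 &&
			ifp->if_drv_flags & IFF_DRV_RUNNING;

		/*
		 * At most one of PASSIVE/AUTO/CISCO stays set: the first one
		 * found wins and the others are cleared.  With none set, a
		 * previously configured Frame Relay mode is kept via pp_flags;
		 * zero means plain PPP.
		 */
		newmode = ifp->if_flags & IFF_PASSIVE;
		if (!newmode)
			newmode = ifp->if_flags & IFF_AUTO;
		if (!newmode)
			newmode = ifp->if_flags & IFF_CISCO;
		ifp->if_flags &= ~(IFF_PASSIVE | IFF_AUTO | IFF_CISCO);
		ifp->if_flags |= newmode;

		if (!newmode)
			newmode = sp->pp_flags & PP_FR;

		/* A mode switch forces a down/up cycle even if IFF_UP is unchanged. */
		if (newmode != sp->pp_mode) {
			going_down = 1;
			if (!going_up)
				going_up = ifp->if_drv_flags & IFF_DRV_RUNNING;
		}

		if (going_down) {
			if (sp->pp_mode != IFF_CISCO &&
			    sp->pp_mode != PP_FR)
				lcp.Close(sp);
			else if (sp->pp_tlf)
				(sp->pp_tlf)(sp);
			sppp_flush_unlocked(ifp);
			ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
			sp->pp_mode = newmode;
		}

		if (going_up) {
			if (sp->pp_mode != IFF_CISCO &&
			    sp->pp_mode != PP_FR)
				lcp.Close(sp);
			sp->pp_mode = newmode;
			if (sp->pp_mode == 0) {
				ifp->if_drv_flags |= IFF_DRV_RUNNING;
				lcp.Open(sp);
			}
			if ((sp->pp_mode == IFF_CISCO) ||
			    (sp->pp_mode == PP_FR)) {
				if (sp->pp_tls)
					(sp->pp_tls)(sp);
				ifp->if_drv_flags |= IFF_DRV_RUNNING;
			}
		}

		break;

#ifdef SIOCSIFMTU
#ifndef ifr_mtu
#define ifr_mtu ifr_metric
#endif
	case SIOCSIFMTU:
		/*
		 * Reject an MTU below 128 or above the peer's MRU
		 * (lcp.their_mru).  Fail through rv rather than returning:
		 * the early return used here before left SPPP_LOCK held.
		 */
		if (ifr->ifr_mtu < 128 || ifr->ifr_mtu > sp->lcp.their_mru) {
			rv = EINVAL;
			break;
		}
		ifp->if_mtu = ifr->ifr_mtu;
		break;
#endif
#ifdef SLIOCSETMTU
	case SLIOCSETMTU:
		/* SLIP-style variant: the argument is a bare short.  Same lock fix. */
		if (*(short*)data < 128 || *(short*)data > sp->lcp.their_mru) {
			rv = EINVAL;
			break;
		}
		ifp->if_mtu = *(short*)data;
		break;
#endif
#ifdef SIOCGIFMTU
	case SIOCGIFMTU:
		ifr->ifr_mtu = ifp->if_mtu;
		break;
#endif
#ifdef SLIOCGETMTU
	case SLIOCGETMTU:
		*(short*)data = ifp->if_mtu;
		break;
#endif
	case SIOCADDMULTI:
	case SIOCDELMULTI:
		/* Multicast membership is meaningless on a point-to-point link. */
		break;

	case SIOCGIFGENERIC:
	case SIOCSIFGENERIC:
		rv = sppp_params(sp, cmd, data);
		break;

	default:
		rv = ENOTTY;
	}
	SPPP_UNLOCK(sp);
	return rv;
}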
1282 
1283 /*
1284  * Cisco framing implementation.
1285  */
1286 
/*
 * Handle incoming Cisco keepalive protocol packets.
 *
 * m holds the Cisco keepalive payload with the framing header already
 * removed.  The peer is untrusted: only the overall packet length is
 * validated, and the payload is then read through mtod(), so the header
 * is assumed to be in the first mbuf -- NOTE(review): relies on the
 * caller delivering at least CISCO_PACKET_LEN contiguous bytes; confirm.
 *
 * Side effects on the interface: a keepalive request whose par1 equals
 * our own outgoing sequence number is treated as a looped line and, once
 * that has happened MAXALIVECNT times in a row, takes the interface down
 * (so a peer echoing our sequence numbers can drive this path); any other
 * request resets the alive counter and brings a running-but-down
 * interface up.  An address request is answered with the address and
 * mask from sppp_get_ip_addrs() when the address is non-zero.
 */
static void
sppp_cisco_input(struct sppp *sp, struct mbuf *m)
{
	STDDCL;
	struct cisco_packet *h;
	u_long me, mymask;

	/* Too short for a Cisco keepalive header: drop, log only when debugging. */
	if (m->m_pkthdr.len < CISCO_PACKET_LEN) {
		if (debug)
			log(LOG_DEBUG,
			    SPP_FMT "cisco invalid packet length: %d bytes\n",
			    SPP_ARGS(ifp), m->m_pkthdr.len);
		return;
	}
	h = mtod (m, struct cisco_packet*);
	/* Note: par1/par2 and the time fields are logged in network byte order. */
	if (debug)
		log(LOG_DEBUG,
		    SPP_FMT "cisco input: %d bytes "
		    "<0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n",
		    SPP_ARGS(ifp), m->m_pkthdr.len,
		    (u_long)ntohl (h->type), (u_long)h->par1, (u_long)h->par2, (u_int)h->rel,
		    (u_int)h->time0, (u_int)h->time1);
	switch (ntohl (h->type)) {
	default:
		if (debug)
			log(-1, SPP_FMT "cisco unknown packet type: 0x%lx\n",
			       SPP_ARGS(ifp), (u_long)ntohl (h->type));
		break;
	case CISCO_ADDR_REPLY:
		/* Reply on address request, ignore */
		break;
	case CISCO_KEEPALIVE_REQ:
		/* Any request from the peer proves the line is alive. */
		sp->pp_alivecnt = 0;
		/* par1 is the peer's sequence number; remember it for comparison. */
		sp->pp_rseq[IDX_LCP] = ntohl (h->par1);
		if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) {
			/* Local and remote sequence numbers are equal.
			 * Probably, the line is in loopback mode. */
			if (sp->pp_loopcnt >= MAXALIVECNT) {
				printf (SPP_FMT "loopback\n",
					SPP_ARGS(ifp));
				sp->pp_loopcnt = 0;
				if (ifp->if_flags & IFF_UP) {
					if_down (ifp);
					sppp_qflush (&sp->pp_cpq);
				}
			}
			++sp->pp_loopcnt;

			/* Generate new local sequence number */
			sp->pp_seq[IDX_LCP] = random();
			break;
		}
		/* Sequence numbers differ: not looped.  Bring the link up if needed. */
		sp->pp_loopcnt = 0;
		if (! (ifp->if_flags & IFF_UP) &&
		    (ifp->if_drv_flags & IFF_DRV_RUNNING)) {
			if_up(ifp);
			printf (SPP_FMT "up\n", SPP_ARGS(ifp));
		}
		break;
	case CISCO_ADDR_REQ:
		/* Only answer when we actually have an address to report. */
		sppp_get_ip_addrs(sp, &me, 0, &mymask);
		if (me != 0L)
			sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask);
		break;
	}
}
1356 
/*
 * Build one Cisco keepalive-protocol frame of the given type carrying
 * par1/par2 and hand it to the control-protocol queue.  The frame is a
 * single fixed-size mbuf: framing header followed by a cisco_packet with
 * all multi-byte fields in network order and the uptime split across
 * time0/time1.  Returns silently if no mbuf is available; a full queue
 * is counted as an output error.
 */
static void
sppp_cisco_send(struct sppp *sp, int type, long par1, long par2)
{
	STDDCL;
	struct mbuf *m;
	struct ppp_header *ph;
	struct cisco_packet *pkt;
	struct timeval now;

	getmicrouptime(&now);

	MGETHDR(m, M_NOWAIT, MT_DATA);
	if (m == NULL)
		return;
	m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN;
	m->m_pkthdr.rcvif = NULL;

	/* Framing: Cisco multicast address, control 0, keepalive protocol id. */
	ph = mtod(m, struct ppp_header *);
	ph->address = CISCO_MULTICAST;
	ph->control = 0;
	ph->protocol = htons(CISCO_KEEPALIVE);

	/* Payload immediately follows the framing header. */
	pkt = (struct cisco_packet *)(ph + 1);
	pkt->type = htonl(type);
	pkt->par1 = htonl(par1);
	pkt->par2 = htonl(par2);
	pkt->rel = -1;
	pkt->time0 = htons((u_short)(now.tv_sec >> 16));
	pkt->time1 = htons((u_short)now.tv_sec);

	if (debug)
		log(LOG_DEBUG,
		    SPP_FMT "cisco output: <0x%lx 0x%lx 0x%lx 0x%x 0x%x-0x%x>\n",
			SPP_ARGS(ifp), (u_long)ntohl(pkt->type), (u_long)pkt->par1,
			(u_long)pkt->par2, (u_int)pkt->rel, (u_int)pkt->time0,
			(u_int)pkt->time1);

	if (!IF_HANDOFF_ADJ(&sp->pp_cpq, m, ifp, 3))
		if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
}
1400 
1401 /*
1402  * PPP protocol implementation.
1403  */
1404 
/*
 * Build and queue one PPP control-protocol packet: PPP framing, an
 * LCP-style {type, ident, len} header, then up to len bytes from data.
 *
 * Everything must fit in one mbuf header, so the payload is clamped to
 * MHLEN minus the two headers; a longer request is silently truncated and
 * the length field on the wire describes what was actually copied.  This
 * clamp is what keeps the bcopy() below inside the mbuf.  Returns without
 * doing anything if no mbuf is available; a full queue counts as an
 * output error.
 */
static void
sppp_cp_send(struct sppp *sp, u_short proto, u_char type,
	     u_char ident, u_short len, void *data)
{
	STDDCL;
	const u_short maxdata = MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN;
	struct mbuf *m;
	struct ppp_header *ph;
	struct lcp_header *lh;

	if (len > maxdata)
		len = maxdata;

	MGETHDR(m, M_NOWAIT, MT_DATA);
	if (m == NULL)
		return;
	m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + LCP_HEADER_LEN + len;
	m->m_pkthdr.rcvif = NULL;

	ph = mtod(m, struct ppp_header *);
	ph->address = PPP_ALLSTATIONS;	/* broadcast address */
	ph->control = PPP_UI;		/* Unnumbered Info */
	ph->protocol = htons(proto);

	lh = (struct lcp_header *)(ph + 1);
	lh->type = type;
	lh->ident = ident;
	lh->len = htons(LCP_HEADER_LEN + len);
	if (len != 0)
		bcopy(data, lh + 1, len);

	if (debug) {
		log(LOG_DEBUG, SPP_FMT "%s output <%s id=0x%x len=%d",
		    SPP_ARGS(ifp),
		    sppp_proto_name(proto),
		    sppp_cp_type_name(lh->type), lh->ident,
		    ntohs(lh->len));
		sppp_print_bytes((u_char *)(lh + 1), len);
		log(-1, ">\n");
	}

	if (!IF_HANDOFF_ADJ(&sp->pp_cpq, m, ifp, 3))
		if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
}
1449 
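/*
 * Handle incoming PPP control protocol packets.
 *
 * Drives the RFC 1661 option-negotiation automaton of the control
 * protocol described by cp (LCP, IPCP, IPV6CP, ...) with one received
 * packet.  m starts at the {code, id, length} header; the PPP framing
 * has already been stripped.  Header and payload are accessed through
 * mtod(), so the packet is assumed to be contiguous in the first mbuf --
 * NOTE(review): this depends on how sppp_input() delivers it; confirm.
 *
 * The peer is untrusted.  The Length field is only trusted downwards
 * (len is clamped to it, never raised above m_pkthdr.len), a Length
 * smaller than the four-byte header is rejected, and every code that
 * reads payload bytes (Code-Reject, Protocol-Reject, Echo-Request/Reply)
 * checks they are present first.  Malformed input is dropped and counted
 * in IFCOUNTER_IERRORS.
 */
static void
sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m)
{
	STDDCL;
	struct lcp_header *h;
	int len = m->m_pkthdr.len;
	int rv;
	u_char *p;

	if (len < 4) {
		if (debug)
			log(LOG_DEBUG,
			    SPP_FMT "%s invalid packet length: %d bytes\n",
			    SPP_ARGS(ifp), cp->name, len);
		return;
	}
	h = mtod (m, struct lcp_header*);
	if (debug) {
		log(LOG_DEBUG,
		    SPP_FMT "%s input(%s): <%s id=0x%x len=%d",
		    SPP_ARGS(ifp), cp->name,
		    sppp_state_name(sp->state[cp->protoidx]),
		    sppp_cp_type_name (h->type), h->ident, ntohs (h->len));
		sppp_print_bytes ((u_char*) (h+1), len-4);
		log(-1, ">\n");
	}
	/*
	 * From here on len is the number of bytes that both arrived and are
	 * claimed by the header.  A Length below four cannot even hold the
	 * header (RFC 1661 section 5) and is rejected outright; this also
	 * covers the old per-code conf-req length check.
	 */
	if (len > ntohs (h->len))
		len = ntohs (h->len);
	if (len < 4) {
		if (debug)
			log(-1, SPP_FMT "%s invalid header length %d\n",
			       SPP_ARGS(ifp), cp->name, len);
		if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
		return;
	}
	p = (u_char *)(h + 1);
	switch (h->type) {
	case CONF_REQ:
		/* handle states where RCR doesn't get a SCA/SCN */
		switch (sp->state[cp->protoidx]) {
		case STATE_CLOSING:
		case STATE_STOPPING:
			return;
		case STATE_CLOSED:
			sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident,
				     0, 0);
			return;
		}
		/* RCR parses the options and replies; rv != 0 means we acked. */
		rv = (cp->RCR)(sp, h, len);
		switch (sp->state[cp->protoidx]) {
		case STATE_OPENED:
			(cp->tld)(sp);
			(cp->scr)(sp);
			/* FALLTHROUGH */
		case STATE_ACK_SENT:
		case STATE_REQ_SENT:
			/*
			 * sppp_cp_change_state() have the side effect of
			 * restarting the timeouts. We want to avoid that
			 * if the state don't change, otherwise we won't
			 * ever timeout and resend a configuration request
			 * that got lost.
			 */
			if (sp->state[cp->protoidx] == (rv ? STATE_ACK_SENT:
			    STATE_REQ_SENT))
				break;
			sppp_cp_change_state(cp, sp, rv?
					     STATE_ACK_SENT: STATE_REQ_SENT);
			break;
		case STATE_STOPPED:
			sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
			(cp->scr)(sp);
			sppp_cp_change_state(cp, sp, rv?
					     STATE_ACK_SENT: STATE_REQ_SENT);
			break;
		case STATE_ACK_RCVD:
			if (rv) {
				sppp_cp_change_state(cp, sp, STATE_OPENED);
				if (debug)
					log(LOG_DEBUG, SPP_FMT "%s tlu\n",
					    SPP_ARGS(ifp),
					    cp->name);
				(cp->tlu)(sp);
			} else
				sppp_cp_change_state(cp, sp, STATE_ACK_RCVD);
			break;
		default:
			printf(SPP_FMT "%s illegal %s in state %s\n",
			       SPP_ARGS(ifp), cp->name,
			       sppp_cp_type_name(h->type),
			       sppp_state_name(sp->state[cp->protoidx]));
			if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
		}
		break;
	case CONF_ACK:
		/* Only an ack for the request we last sent is meaningful. */
		if (h->ident != sp->confid[cp->protoidx]) {
			if (debug)
				log(-1, SPP_FMT "%s id mismatch 0x%x != 0x%x\n",
				       SPP_ARGS(ifp), cp->name,
				       h->ident, sp->confid[cp->protoidx]);
			if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
			break;
		}
		switch (sp->state[cp->protoidx]) {
		case STATE_CLOSED:
		case STATE_STOPPED:
			sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0);
			break;
		case STATE_CLOSING:
		case STATE_STOPPING:
			break;
		case STATE_REQ_SENT:
			sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
			sppp_cp_change_state(cp, sp, STATE_ACK_RCVD);
			break;
		case STATE_OPENED:
			(cp->tld)(sp);
			/* FALLTHROUGH */
		case STATE_ACK_RCVD:
			(cp->scr)(sp);
			sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
			break;
		case STATE_ACK_SENT:
			sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
			sppp_cp_change_state(cp, sp, STATE_OPENED);
			if (debug)
				log(LOG_DEBUG, SPP_FMT "%s tlu\n",
				       SPP_ARGS(ifp), cp->name);
			(cp->tlu)(sp);
			break;
		default:
			printf(SPP_FMT "%s illegal %s in state %s\n",
			       SPP_ARGS(ifp), cp->name,
			       sppp_cp_type_name(h->type),
			       sppp_state_name(sp->state[cp->protoidx]));
			if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
		}
		break;
	case CONF_NAK:
	case CONF_REJ:
		if (h->ident != sp->confid[cp->protoidx]) {
			if (debug)
				log(-1, SPP_FMT "%s id mismatch 0x%x != 0x%x\n",
				       SPP_ARGS(ifp), cp->name,
				       h->ident, sp->confid[cp->protoidx]);
			if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
			break;
		}
		/* Let the protocol adjust its next request from the nak/rej. */
		if (h->type == CONF_NAK)
			(cp->RCN_nak)(sp, h, len);
		else /* CONF_REJ */
			(cp->RCN_rej)(sp, h, len);

		switch (sp->state[cp->protoidx]) {
		case STATE_CLOSED:
		case STATE_STOPPED:
			sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0);
			break;
		case STATE_REQ_SENT:
		case STATE_ACK_SENT:
			sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
			/*
			 * Slow things down a bit if we think we might be
			 * in loopback. Depend on the timeout to send the
			 * next configuration request.
			 */
			if (sp->pp_loopcnt)
				break;
			(cp->scr)(sp);
			break;
		case STATE_OPENED:
			(cp->tld)(sp);
			/* FALLTHROUGH */
		case STATE_ACK_RCVD:
			sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
			(cp->scr)(sp);
			break;
		case STATE_CLOSING:
		case STATE_STOPPING:
			break;
		default:
			printf(SPP_FMT "%s illegal %s in state %s\n",
			       SPP_ARGS(ifp), cp->name,
			       sppp_cp_type_name(h->type),
			       sppp_state_name(sp->state[cp->protoidx]));
			if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
		}
		break;

	case TERM_REQ:
		switch (sp->state[cp->protoidx]) {
		case STATE_ACK_RCVD:
		case STATE_ACK_SENT:
			sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
			/* FALLTHROUGH */
		case STATE_CLOSED:
		case STATE_STOPPED:
		case STATE_CLOSING:
		case STATE_STOPPING:
		case STATE_REQ_SENT:
		  sta:
			/* Send Terminate-Ack packet. */
			if (debug)
				log(LOG_DEBUG, SPP_FMT "%s send terminate-ack\n",
				    SPP_ARGS(ifp), cp->name);
			sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0);
			break;
		case STATE_OPENED:
			/* Peer is closing: bring the layer down, then ack. */
			(cp->tld)(sp);
			sp->rst_counter[cp->protoidx] = 0;
			sppp_cp_change_state(cp, sp, STATE_STOPPING);
			goto sta;
		default:
			printf(SPP_FMT "%s illegal %s in state %s\n",
			       SPP_ARGS(ifp), cp->name,
			       sppp_cp_type_name(h->type),
			       sppp_state_name(sp->state[cp->protoidx]));
			if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
		}
		break;
	case TERM_ACK:
		switch (sp->state[cp->protoidx]) {
		case STATE_CLOSED:
		case STATE_STOPPED:
		case STATE_REQ_SENT:
		case STATE_ACK_SENT:
			break;
		case STATE_CLOSING:
			sppp_cp_change_state(cp, sp, STATE_CLOSED);
			(cp->tlf)(sp);
			break;
		case STATE_STOPPING:
			sppp_cp_change_state(cp, sp, STATE_STOPPED);
			(cp->tlf)(sp);
			break;
		case STATE_ACK_RCVD:
			sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
			break;
		case STATE_OPENED:
			(cp->tld)(sp);
			(cp->scr)(sp);
			sppp_cp_change_state(cp, sp, STATE_ACK_RCVD);
			break;
		default:
			printf(SPP_FMT "%s illegal %s in state %s\n",
			       SPP_ARGS(ifp), cp->name,
			       sppp_cp_type_name(h->type),
			       sppp_state_name(sp->state[cp->protoidx]));
			if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
		}
		break;
	case CODE_REJ:
		/*
		 * The log line below reads the first two payload bytes (the
		 * rejected packet's code and identifier, printed under the
		 * "proto" label); make sure they were actually received.
		 */
		if (len < 6) {
			if (debug)
				log(-1, SPP_FMT "%s invalid code-rej length %d\n",
				       SPP_ARGS(ifp), cp->name, len);
			if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
			break;
		}
		/* XXX catastrophic rejects (RXJ-) aren't handled yet. */
		log(LOG_INFO,
		    SPP_FMT "%s: ignoring RXJ (%s) for proto 0x%x, "
		    "danger will robinson\n",
		    SPP_ARGS(ifp), cp->name,
		    sppp_cp_type_name(h->type), ntohs(*((u_short *)p)));
		switch (sp->state[cp->protoidx]) {
		case STATE_CLOSED:
		case STATE_STOPPED:
		case STATE_REQ_SENT:
		case STATE_ACK_SENT:
		case STATE_CLOSING:
		case STATE_STOPPING:
		case STATE_OPENED:
			break;
		case STATE_ACK_RCVD:
			sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
			break;
		default:
			printf(SPP_FMT "%s illegal %s in state %s\n",
			       SPP_ARGS(ifp), cp->name,
			       sppp_cp_type_name(h->type),
			       sppp_state_name(sp->state[cp->protoidx]));
			if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
		}
		break;
	case PROTO_REJ:
	    {
		int catastrophic;
		const struct cp *upper;
		int i;
		u_int16_t proto;

		/* Rejected-Protocol is a two-byte field; do not read past the packet. */
		if (len < 6) {
			if (debug)
				log(-1, SPP_FMT "%s invalid proto-rej length %d\n",
				       SPP_ARGS(ifp), cp->name, len);
			if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
			break;
		}

		catastrophic = 0;
		upper = NULL;
		proto = ntohs(*((u_int16_t *)p));
		/* Map the rejected protocol number to one of our NCPs, if any. */
		for (i = 0; i < IDX_COUNT; i++) {
			if (cps[i]->proto == proto) {
				upper = cps[i];
				break;
			}
		}
		if (upper == NULL)
			catastrophic++;

		if (catastrophic || debug)
			log(catastrophic? LOG_INFO: LOG_DEBUG,
			    SPP_FMT "%s: RXJ%c (%s) for proto 0x%x (%s/%s)\n",
			    SPP_ARGS(ifp), cp->name, catastrophic ? '-' : '+',
			    sppp_cp_type_name(h->type), proto,
			    upper ? upper->name : "unknown",
			    upper ? sppp_state_name(sp->state[upper->protoidx]) : "?");

		/*
		 * if we got RXJ+ against conf-req, the peer does not implement
		 * this particular protocol type.  terminate the protocol.
		 */
		if (upper && !catastrophic) {
			if (sp->state[upper->protoidx] == STATE_REQ_SENT) {
				upper->Close(sp);
				break;
			}
		}

		/* XXX catastrophic rejects (RXJ-) aren't handled yet. */
		switch (sp->state[cp->protoidx]) {
		case STATE_CLOSED:
		case STATE_STOPPED:
		case STATE_REQ_SENT:
		case STATE_ACK_SENT:
		case STATE_CLOSING:
		case STATE_STOPPING:
		case STATE_OPENED:
			break;
		case STATE_ACK_RCVD:
			sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
			break;
		default:
			printf(SPP_FMT "%s illegal %s in state %s\n",
			       SPP_ARGS(ifp), cp->name,
			       sppp_cp_type_name(h->type),
			       sppp_state_name(sp->state[cp->protoidx]));
			if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
		}
		break;
	    }
	case DISC_REQ:
		if (cp->proto != PPP_LCP)
			goto illegal;
		/* Discard the packet. */
		break;
	case ECHO_REQ:
		if (cp->proto != PPP_LCP)
			goto illegal;
		if (sp->state[cp->protoidx] != STATE_OPENED) {
			if (debug)
				log(-1, SPP_FMT "lcp echo req but lcp closed\n",
				       SPP_ARGS(ifp));
			if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
			break;
		}
		/* Header plus the four-byte magic number is the minimum. */
		if (len < 8) {
			if (debug)
				log(-1, SPP_FMT "invalid lcp echo request "
				       "packet length: %d bytes\n",
				       SPP_ARGS(ifp), len);
			break;
		}
		/*
		 * The magic number is exactly four bytes and must be accessed
		 * as such.  The previous `long' casts read and wrote eight
		 * bytes on LP64: the store overwrote the echo data following
		 * the magic (and ran four bytes past the packet when len == 8),
		 * and the load picked the wrong half on big-endian machines.
		 */
		if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) &&
		    ntohl (*(uint32_t *)(h+1)) == sp->lcp.magic) {
			/* Our own magic came back: the line is looped. */
			printf(SPP_FMT "loopback\n", SPP_ARGS(ifp));
			sp->pp_loopcnt = MAXALIVECNT * 5;
			if_down (ifp);
			sppp_qflush (&sp->pp_cpq);

			/* Shut down the PPP link. */
			/* XXX */
			lcp.Down(sp);
			lcp.Up(sp);
			break;
		}
		/* Replace the peer's magic with ours and echo the data back. */
		*(uint32_t *)(h+1) = htonl (sp->lcp.magic);
		if (debug)
			log(-1, SPP_FMT "got lcp echo req, sending echo rep\n",
			       SPP_ARGS(ifp));
		sppp_cp_send (sp, PPP_LCP, ECHO_REPLY, h->ident, len-4, h+1);
		break;
	case ECHO_REPLY:
		if (cp->proto != PPP_LCP)
			goto illegal;
		if (h->ident != sp->lcp.echoid) {
			if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
			break;
		}
		if (len < 8) {
			if (debug)
				log(-1, SPP_FMT "lcp invalid echo reply "
				       "packet length: %d bytes\n",
				       SPP_ARGS(ifp), len);
			break;
		}
		if (debug)
			log(-1, SPP_FMT "lcp got echo rep\n",
			       SPP_ARGS(ifp));
		/*
		 * A reply that carries our own magic is just our request
		 * looped back and does not prove the peer is alive; anything
		 * else (or no magic negotiated) resets the keepalive counter.
		 */
		if (!(sp->lcp.opts & (1 << LCP_OPT_MAGIC)) ||
		    ntohl (*(uint32_t *)(h+1)) != sp->lcp.magic)
			sp->pp_alivecnt = 0;
		break;
	default:
		/* Unknown packet type -- send Code-Reject packet. */
	  illegal:
		if (debug)
			log(-1, SPP_FMT "%s send code-rej for 0x%x\n",
			       SPP_ARGS(ifp), cp->name, h->type);
		/*
		 * The offending packet is echoed back as the Rejected-Packet;
		 * sppp_cp_send() truncates it to what fits in one mbuf.
		 */
		sppp_cp_send(sp, cp->proto, CODE_REJ,
			     ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h);
		if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
	}
}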
1867 
/*
 * The generic part of all Up/Down/Open/Close/TO event handlers.
 * Basically, the state transition handling in the automaton.
 *
 * Up: the lower layer has become available.  Initial moves to Closed;
 * Starting sends a Configure-Request, arms max_configure retries and
 * moves to Req-Sent.  Any other state is a caller bug and is reported on
 * the console without changing state.
 */
static void
sppp_up_event(const struct cp *cp, struct sppp *sp)
{
	STDDCL;
	int state = sp->state[cp->protoidx];

	if (debug)
		log(LOG_DEBUG, SPP_FMT "%s up(%s)\n",
		    SPP_ARGS(ifp), cp->name, sppp_state_name(state));

	if (state == STATE_INITIAL) {
		sppp_cp_change_state(cp, sp, STATE_CLOSED);
	} else if (state == STATE_STARTING) {
		sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
		(cp->scr)(sp);
		sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
	} else {
		printf(SPP_FMT "%s illegal up in state %s\n",
		       SPP_ARGS(ifp), cp->name, sppp_state_name(state));
	}
}
1897 
/*
 * Down: the lower layer has gone away.  Closed/Closing fall back to
 * Initial; Stopped goes to Starting and signals This-Layer-Started; the
 * negotiation states and Stopping go to Starting; Opened additionally
 * runs This-Layer-Down first.  Anything else is reported on the console.
 */
static void
sppp_down_event(const struct cp *cp, struct sppp *sp)
{
	STDDCL;
	int state = sp->state[cp->protoidx];

	if (debug)
		log(LOG_DEBUG, SPP_FMT "%s down(%s)\n",
		    SPP_ARGS(ifp), cp->name, sppp_state_name(state));

	switch (state) {
	case STATE_CLOSED:
	case STATE_CLOSING:
		sppp_cp_change_state(cp, sp, STATE_INITIAL);
		break;
	case STATE_STOPPED:
		sppp_cp_change_state(cp, sp, STATE_STARTING);
		(cp->tls)(sp);
		break;
	case STATE_OPENED:
		(cp->tld)(sp);
		/* FALLTHROUGH */
	case STATE_STOPPING:
	case STATE_REQ_SENT:
	case STATE_ACK_RCVD:
	case STATE_ACK_SENT:
		sppp_cp_change_state(cp, sp, STATE_STARTING);
		break;
	default:
		printf(SPP_FMT "%s illegal down in state %s\n",
		       SPP_ARGS(ifp), cp->name, sppp_state_name(state));
	}
}
1933 
/*
 * Open: administrative request to bring the protocol up.  Initial (and,
 * see below, Stopped) move to Starting and signal This-Layer-Started;
 * Closed sends a Configure-Request with max_configure retries and enters
 * Req-Sent; Closing becomes Stopping.  In every other state an open is
 * already in progress or complete, so nothing happens.
 */
static void
sppp_open_event(const struct cp *cp, struct sppp *sp)
{
	STDDCL;
	int state = sp->state[cp->protoidx];

	if (debug)
		log(LOG_DEBUG, SPP_FMT "%s open(%s)\n",
		    SPP_ARGS(ifp), cp->name, sppp_state_name(state));

	switch (state) {
	case STATE_STARTING:
	case STATE_STOPPING:
	case STATE_REQ_SENT:
	case STATE_ACK_RCVD:
	case STATE_ACK_SENT:
	case STATE_OPENED:
		/* Already opening or open. */
		break;
	case STATE_INITIAL:
	case STATE_STOPPED:
		/*
		 * Stopped is handled like Initial on purpose.  Protocols,
		 * IPCP in particular, have been seen stuck in Stopped after
		 * an aborted negotiation, apparently having missed a Down
		 * event; forcing the Down transition here is a bandaid that
		 * amounts to (something like) the `restart' option in the
		 * RFC 1661 state transition table.
		 */
		sppp_cp_change_state(cp, sp, STATE_STARTING);
		(cp->tls)(sp);
		break;
	case STATE_CLOSED:
		sp->rst_counter[cp->protoidx] = sp->lcp.max_configure;
		(cp->scr)(sp);
		sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
		break;
	case STATE_CLOSING:
		sppp_cp_change_state(cp, sp, STATE_STOPPING);
		break;
	}
}
1982 
/*
 * Close: administrative request to take the protocol down.  From Opened
 * (after This-Layer-Down) and the three negotiation states a
 * Terminate-Request is sent with max_terminate retries and the protocol
 * enters Closing; Starting falls back to Initial and signals
 * This-Layer-Finished; Stopped becomes Closed and Stopping becomes
 * Closing.  Initial, Closed and Closing are unaffected.
 */
static void
sppp_close_event(const struct cp *cp, struct sppp *sp)
{
	STDDCL;
	int state = sp->state[cp->protoidx];

	if (debug)
		log(LOG_DEBUG, SPP_FMT "%s close(%s)\n",
		    SPP_ARGS(ifp), cp->name, sppp_state_name(state));

	switch (state) {
	case STATE_OPENED:
		(cp->tld)(sp);
		/* FALLTHROUGH */
	case STATE_REQ_SENT:
	case STATE_ACK_RCVD:
	case STATE_ACK_SENT:
		sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate;
		sppp_cp_send(sp, cp->proto, TERM_REQ,
		    ++sp->pp_seq[cp->protoidx], 0, 0);
		sppp_cp_change_state(cp, sp, STATE_CLOSING);
		break;
	case STATE_STARTING:
		sppp_cp_change_state(cp, sp, STATE_INITIAL);
		(cp->tlf)(sp);
		break;
	case STATE_STOPPED:
		sppp_cp_change_state(cp, sp, STATE_CLOSED);
		break;
	case STATE_STOPPING:
		sppp_cp_change_state(cp, sp, STATE_CLOSING);
		break;
	case STATE_INITIAL:
	case STATE_CLOSED:
	case STATE_CLOSING:
		/* Nothing to close. */
		break;
	}
}
2021 
/*
 * TO: the restart timer for protocol cp expired.  Runs from a callout,
 * so it takes the sppp lock itself.
 *
 * rst_counter is decremented first.  If it drops below zero (TO-) the
 * retries are exhausted: Closing ends in Closed, the negotiation states
 * and Stopping end in Stopped, both with This-Layer-Finished.  Otherwise
 * (TO+) the last message is repeated: a Terminate-Request in
 * Closing/Stopping, a Configure-Request in the negotiation states, and
 * the timer is re-armed (directly, or through sppp_cp_change_state()).
 */
static void
sppp_to_event(const struct cp *cp, struct sppp *sp)
{
	STDDCL;
	int state;

	SPPP_LOCK(sp);
	state = sp->state[cp->protoidx];
	if (debug)
		log(LOG_DEBUG, SPP_FMT "%s TO(%s) rst_counter = %d\n",
		    SPP_ARGS(ifp), cp->name, sppp_state_name(state),
		    sp->rst_counter[cp->protoidx]);

	if (--sp->rst_counter[cp->protoidx] < 0) {
		/* TO- event: give up. */
		switch (state) {
		case STATE_CLOSING:
			sppp_cp_change_state(cp, sp, STATE_CLOSED);
			(cp->tlf)(sp);
			break;
		case STATE_STOPPING:
		case STATE_REQ_SENT:
		case STATE_ACK_RCVD:
		case STATE_ACK_SENT:
			sppp_cp_change_state(cp, sp, STATE_STOPPED);
			(cp->tlf)(sp);
			break;
		}
	} else {
		/* TO+ event: retry. */
		switch (state) {
		case STATE_CLOSING:
		case STATE_STOPPING:
			sppp_cp_send(sp, cp->proto, TERM_REQ,
			    ++sp->pp_seq[cp->protoidx], 0, 0);
			callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout,
			    cp->TO, (void *)sp);
			break;
		case STATE_REQ_SENT:
		case STATE_ACK_RCVD:
			(cp->scr)(sp);
			/* sppp_cp_change_state() will restart the timer */
			sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
			break;
		case STATE_ACK_SENT:
			(cp->scr)(sp);
			callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout,
			    cp->TO, (void *)sp);
			break;
		}
	}

	SPPP_UNLOCK(sp);
}
2077 
/*
 * Move control protocol cp of sp into newstate and keep the restart
 * timer in step: the timer is always stopped first and re-armed
 * (period sp->lcp.timeout, handler cp->TO) only for the states in
 * which a request of ours is outstanding.
 */
static void
sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate)
{
	const int idx = cp->protoidx;

	sp->state[idx] = newstate;
	callout_stop(&sp->ch[idx]);

	switch (newstate) {
	case STATE_CLOSING:
	case STATE_STOPPING:
	case STATE_REQ_SENT:
	case STATE_ACK_RCVD:
	case STATE_ACK_SENT:
		/* A request is in flight: (re)start the restart timer. */
		callout_reset(&sp->ch[idx], sp->lcp.timeout,
			      cp->TO, (void *)sp);
		break;
	default:
		/* Initial, Starting, Closed, Stopped, Opened: timer stays off. */
		break;
	}
}
2106 
2107 /*
2108  *--------------------------------------------------------------------------*
2109  *                                                                          *
2110  *                         The LCP implementation.                          *
2111  *                                                                          *
2112  *--------------------------------------------------------------------------*
2113  */
/* Lower layer came up: hand LCP its Up event under the sppp lock. */
static void
sppp_pp_up(struct sppp *sp)
{
	const struct cp *cp = &lcp;

	SPPP_LOCK(sp);
	cp->Up(sp);
	SPPP_UNLOCK(sp);
}
2121 
/* Lower layer went down: hand LCP its Down event under the sppp lock. */
static void
sppp_pp_down(struct sppp *sp)
{
	const struct cp *cp = &lcp;

	SPPP_LOCK(sp);
	cp->Down(sp);
	SPPP_UNLOCK(sp);
}
2129 
/*
 * Reset the LCP instance of sp to its pristine state and initialise
 * its callout.  The timeout and max_* values set here live in
 * sp->lcp but are read by every control protocol on this sppp.
 */
static void
sppp_lcp_init(struct sppp *sp)
{
	sp->state[IDX_LCP] = STATE_INITIAL;
	sp->fail_counter[IDX_LCP] = 0;
	sp->pp_seq[IDX_LCP] = 0;
	sp->pp_rseq[IDX_LCP] = 0;

	/* Negotiate only the magic number by default; it is chosen lazily. */
	sp->lcp.opts = (1 << LCP_OPT_MAGIC);
	sp->lcp.magic = 0;
	sp->lcp.protos = 0;
	sp->lcp.their_mru = PP_MTU;
	sp->lcp.mru = PP_MTU;

	/* Automaton parameters shared by all control protocols. */
	sp->lcp.timeout = 3 * hz;
	sp->lcp.max_terminate = 2;
	sp->lcp.max_configure = 10;
	sp->lcp.max_failure = 10;

	callout_init(&sp->ch[IDX_LCP], 1);
}
2149 
/*
 * LCP "Up" action: the lower layer is available.  Resets the
 * negotiation state, decides whether we demand authentication
 * (we do when sp->hisauth.proto is set), and opens LCP if it is
 * still in Initial state -- for auto/passive interfaces that means
 * an incoming call (PP_CALLIN).  Finally feeds the Up event to the
 * LCP automaton.
 */
static void
sppp_lcp_up(struct sppp *sp)
{
	STDDCL;
	const int on_demand = (ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0;
	const int still_initial = sp->state[IDX_LCP] == STATE_INITIAL;

	sp->pp_alivecnt = 0;
	sp->lcp.magic = 0;
	sp->lcp.protos = 0;
	sp->lcp.their_mru = PP_MTU;
	sp->lcp.mru = PP_MTU;

	/* Offer a magic number, plus an auth protocol if we are the authenticator. */
	sp->lcp.opts = (1 << LCP_OPT_MAGIC);
	if (sp->hisauth.proto != 0)
		sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO);
	sp->pp_flags &= ~PP_NEEDAUTH;

	if (on_demand) {
		if (debug)
			log(LOG_DEBUG,
			    SPP_FMT "Up event", SPP_ARGS(ifp));
		ifp->if_drv_flags |= IFF_DRV_RUNNING;
		if (still_initial) {
			/* Nobody opened LCP yet, so the peer is calling us. */
			if (debug)
				log(-1, "(incoming call)\n");
			sp->pp_flags |= PP_CALLIN;
			lcp.Open(sp);
		} else if (debug) {
			log(-1, "\n");
		}
	} else if (still_initial) {
		/* Neither auto nor passive: open the link ourselves. */
		ifp->if_drv_flags |= IFF_DRV_RUNNING;
		lcp.Open(sp);
	}

	sppp_up_event(&lcp, sp);
}
2193 
/*
 * LCP "Down" action: the lower layer went away.  After feeding the
 * Down event to the automaton, a plain (non auto/passive) interface
 * is taken administratively down so that the operator can force a
 * redial with another ``ifconfig up''; an auto/passive interface
 * merely closes LCP and clears IFF_DRV_RUNNING.
 * XXX For leased line operation, should we immediately try to
 * reopen the connection here?
 */
static void
sppp_lcp_down(struct sppp *sp)
{
	STDDCL;
	int on_demand;

	sppp_down_event(&lcp, sp);

	on_demand = (ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0;
	if (!on_demand) {
		/* Simulate an ``ifconfig down''. */
		log(LOG_INFO,
		    SPP_FMT "Down event, taking interface down.\n",
		    SPP_ARGS(ifp));
		if_down(ifp);
		return;
	}

	if (debug)
		log(LOG_DEBUG,
		    SPP_FMT "Down event (carrier loss)\n",
		    SPP_ARGS(ifp));
	sp->pp_flags &= ~PP_CALLIN;
	if (sp->state[IDX_LCP] != STATE_INITIAL)
		lcp.Close(sp);
	ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
}
2224 
/* LCP "Open" action: forward to the generic automaton. */
static void
sppp_lcp_open(struct sppp *sp)
{
	const struct cp *cp = &lcp;

	sppp_open_event(cp, sp);
}
2230 
/* LCP "Close" action: forward to the generic automaton. */
static void
sppp_lcp_close(struct sppp *sp)
{
	const struct cp *cp = &lcp;

	sppp_close_event(cp, sp);
}
2236 
/* LCP restart-timer callout; cookie is the struct sppp of the link. */
static void
sppp_lcp_TO(void *cookie)
{
	struct sppp *sp = cookie;

	sppp_to_event(&lcp, sp);
}
2242 
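/*
 * Analyze an LCP Configure-Request.
 *
 * h points at the LCP header of the request and len is its total
 * length, header included.  Two passes are made over the option
 * list: pass 1 Configure-Rejects options we do not support or that
 * are malformed, pass 2 Configure-Naks option values we cannot
 * accept.  Pass 2 only runs if pass 1 rejected nothing, so every
 * option it reads at a fixed offset (p[2]..p[5]) has already had
 * its length validated.
 *
 * Return true if the request was agreeable and caused action sca
 * (a Configure-Ack was sent), false if it has been rejected or
 * nak'ed and caused action scn.  (The return value is used to make
 * the state transition decision in the state automaton.)  Also
 * returns false, without sending anything, when the scratch buffer
 * cannot be allocated.
 */
static int
sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len)
{
	STDDCL;
	u_char *buf, *r, *p;
	int origlen, rlen;
	u_long nmagic;
	u_short authproto;

	/* Strip the 4-byte header; assumes the caller validated len >= 4. */
	len -= 4;
	origlen = len;
	/*
	 * Scratch buffer for the rejected / nak'ed options.  Options are
	 * copied out of the request contiguously, so it never needs to
	 * be larger than the option list itself.
	 */
	buf = r = malloc (len, M_TEMP, M_NOWAIT);
	if (! buf)
		return (0);

	if (debug)
		log(LOG_DEBUG, SPP_FMT "lcp parse opts: ",
		    SPP_ARGS(ifp));

	/* pass 1: check for things that need to be rejected */
	p = (void*) (h+1);
	for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
	    len-=p[1], p+=p[1]) {
		if (debug)
			log(-1, " %s ", sppp_lcp_opt_name(*p));
		switch (*p) {
		case LCP_OPT_MAGIC:
			/* Magic number. */
			if (len >= 6 && p[1] == 6)
				continue;
			if (debug)
				log(-1, "[invalid] ");
			break;
		case LCP_OPT_ASYNC_MAP:
			/* Async control character map. */
			if (len >= 6 && p[1] == 6)
				continue;
			if (debug)
				log(-1, "[invalid] ");
			break;
		case LCP_OPT_MRU:
			/* Maximum receive unit. */
			if (len >= 4 && p[1] == 4)
				continue;
			if (debug)
				log(-1, "[invalid] ");
			break;
		case LCP_OPT_AUTH_PROTO:
			/*
			 * Only the remaining length, not p[1], is checked
			 * here, so a PAP option with an odd length is
			 * tolerated; the CHAP length is checked below.
			 */
			if (len < 4) {
				if (debug)
					log(-1, "[invalid] ");
				break;
			}
			authproto = (p[2] << 8) + p[3];
			if (authproto == PPP_CHAP && p[1] != 5) {
				if (debug)
					log(-1, "[invalid chap len] ");
				break;
			}
			if (sp->myauth.proto == 0) {
				/* we are not configured to do auth */
				if (debug)
					log(-1, "[not configured] ");
				break;
			}
			/*
			 * Remote want us to authenticate, remember this,
			 * so we stay in PHASE_AUTHENTICATE after LCP got
			 * up.
			 */
			sp->pp_flags |= PP_NEEDAUTH;
			continue;
		default:
			/* Others not supported. */
			if (debug)
				log(-1, "[rej] ");
			break;
		}
		/* Add the option to rejected list. */
		bcopy (p, r, p[1]);
		r += p[1];
		rlen += p[1];
	}
	if (rlen) {
		if (debug)
			log(-1, " send conf-rej\n");
		sppp_cp_send (sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf);
		/*
		 * rlen != 0, so the common exit returns 0 -- and, unlike
		 * a bare return here, releases buf.
		 */
		goto end;
	} else if (debug)
		log(-1, "\n");

	/*
	 * pass 2: check for option values that are unacceptable and
	 * thus require to be nak'ed.
	 */
	if (debug)
		log(LOG_DEBUG, SPP_FMT "lcp parse opt values: ",
		    SPP_ARGS(ifp));

	p = (void*) (h+1);
	len = origlen;
	for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
	    len-=p[1], p+=p[1]) {
		if (debug)
			log(-1, " %s ", sppp_lcp_opt_name(*p));
		switch (*p) {
		case LCP_OPT_MAGIC:
			/* Magic number -- extract (pass 1 guaranteed p[1] == 6). */
			nmagic = (u_long)p[2] << 24 |
				(u_long)p[3] << 16 | p[4] << 8 | p[5];
			if (nmagic != sp->lcp.magic) {
				sp->pp_loopcnt = 0;
				if (debug)
					log(-1, "0x%lx ", nmagic);
				continue;
			}
			if (debug && sp->pp_loopcnt < MAXALIVECNT*5)
				log(-1, "[glitch] ");
			++sp->pp_loopcnt;
			/*
			 * We negate our magic here, and NAK it.  If
			 * we see it later in an NAK packet, we
			 * suggest a new one.
			 */
			nmagic = ~sp->lcp.magic;
			/* Gonna NAK it. */
			p[2] = nmagic >> 24;
			p[3] = nmagic >> 16;
			p[4] = nmagic >> 8;
			p[5] = nmagic;
			break;

		case LCP_OPT_ASYNC_MAP:
			/*
			 * Async control character map -- just ignore it.
			 *
			 * Quote from RFC 1662, chapter 6:
			 * To enable this functionality, synchronous PPP
			 * implementations MUST always respond to the
			 * Async-Control-Character-Map Configuration
			 * Option with the LCP Configure-Ack.  However,
			 * acceptance of the Configuration Option does
			 * not imply that the synchronous implementation
			 * will do any ACCM mapping.  Instead, all such
			 * octet mapping will be performed by the
			 * asynchronous-to-synchronous converter.
			 */
			continue;

		case LCP_OPT_MRU:
			/*
			 * Maximum receive unit.  Always agreeable,
			 * but ignored by now.
			 */
			sp->lcp.their_mru = p[2] * 256 + p[3];
			if (debug)
				log(-1, "%lu ", sp->lcp.their_mru);
			continue;

		case LCP_OPT_AUTH_PROTO:
			authproto = (p[2] << 8) + p[3];
			if (sp->myauth.proto != authproto) {
				/*
				 * not agreed, nak.  "mine" is what we are
				 * compared against above, i.e. myauth.
				 */
				if (debug)
					log(-1, "[mine %s != his %s] ",
					       sppp_proto_name(sp->myauth.proto),
					       sppp_proto_name(authproto));
				p[2] = sp->myauth.proto >> 8;
				p[3] = sp->myauth.proto;
				break;
			}
			if (authproto == PPP_CHAP && p[4] != CHAP_MD5) {
				if (debug)
					log(-1, "[chap not MD5] ");
				p[4] = CHAP_MD5;
				break;
			}
			continue;
		}
		/* Add the option to nak'ed list. */
		bcopy (p, r, p[1]);
		r += p[1];
		rlen += p[1];
	}
	if (rlen) {
		/*
		 * Local and remote magics equal -- loopback?
		 */
		if (sp->pp_loopcnt >= MAXALIVECNT*5) {
			if (sp->pp_loopcnt == MAXALIVECNT*5)
				printf (SPP_FMT "loopback\n",
					SPP_ARGS(ifp));
			if (ifp->if_flags & IFF_UP) {
				if_down(ifp);
				sppp_qflush(&sp->pp_cpq);
				/* XXX ? */
				lcp.Down(sp);
				lcp.Up(sp);
			}
		} else if (!sp->pp_loopcnt &&
			   ++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
			/* Too many naks in a row: reject instead (RFC 1661 Max-Failure). */
			if (debug)
				log(-1, " max_failure (%d) exceeded, "
				       "send conf-rej\n",
				       sp->lcp.max_failure);
			sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf);
		} else {
			if (debug)
				log(-1, " send conf-nak\n");
			sppp_cp_send (sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf);
		}
	} else {
		if (debug)
			log(-1, " send conf-ack\n");
		sp->fail_counter[IDX_LCP] = 0;
		sp->pp_loopcnt = 0;
		sppp_cp_send (sp, PPP_LCP, CONF_ACK,
			      h->ident, origlen, h+1);
	}

end:
	free (buf, M_TEMP);
	return (rlen == 0);
}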
2472 
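/*
 * Analyze the LCP Configure-Reject option list, and adjust our
 * negotiation.  h is the packet's LCP header, len its total length
 * (header included).  Only the option types are looked at; options
 * other than magic, MRU and auth-proto are ignored.
 *
 * This routine only reads the option list, so it needs no scratch
 * buffer.  (An earlier version allocated one with M_NOWAIT and, when
 * that failed, returned without processing the reject at all.)
 */
static void
sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
{
	STDDCL;
	u_char *p;

	/* Strip the 4-byte header; assumes the caller validated len >= 4. */
	len -= 4;

	if (debug)
		log(LOG_DEBUG, SPP_FMT "lcp rej opts: ",
		    SPP_ARGS(ifp));

	p = (void*) (h+1);
	for (; len >= 2 && p[1] >= 2 && len >= p[1];
	    len -= p[1], p += p[1]) {
		if (debug)
			log(-1, " %s ", sppp_lcp_opt_name(*p));
		switch (*p) {
		case LCP_OPT_MAGIC:
			/* Magic number -- can't use it, use 0 */
			sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC);
			sp->lcp.magic = 0;
			break;
		case LCP_OPT_MRU:
			/*
			 * Should not be rejected anyway, since we only
			 * negotiate a MRU if explicitly requested by
			 * peer.
			 */
			sp->lcp.opts &= ~(1 << LCP_OPT_MRU);
			break;
		case LCP_OPT_AUTH_PROTO:
			/*
			 * Peer doesn't want to authenticate himself,
			 * deny unless this is a dialout call, and
			 * AUTHFLAG_NOCALLOUT is set.
			 */
			if ((sp->pp_flags & PP_CALLIN) == 0 &&
			    (sp->hisauth.flags & AUTHFLAG_NOCALLOUT) != 0) {
				if (debug)
					log(-1, "[don't insist on auth "
					       "for callout]");
				sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO);
				break;
			}
			/* We insist on authentication: tear the link down. */
			if (debug)
				log(-1, "[access denied]\n");
			lcp.Close(sp);
			break;
		}
	}
	if (debug)
		log(-1, "\n");
}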
2536 
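/*
 * Analyze the LCP Configure-NAK option list, and adjust our
 * negotiation.  h is the packet's LCP header, len its total length
 * (header included).  Every option value is checked against the
 * remaining length (and the option's own length byte) before it is
 * read; options other than magic, MRU and auth-proto are ignored.
 *
 * This routine only reads the option list, so it needs no scratch
 * buffer.  (An earlier version allocated one with M_NOWAIT and, when
 * that failed, returned without processing the nak at all.)
 */
static void
sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
{
	STDDCL;
	u_char *p;
	u_long magic;

	/* Strip the 4-byte header; assumes the caller validated len >= 4. */
	len -= 4;

	if (debug)
		log(LOG_DEBUG, SPP_FMT "lcp nak opts: ",
		    SPP_ARGS(ifp));

	p = (void*) (h+1);
	for (; len >= 2 && p[1] >= 2 && len >= p[1];
	    len -= p[1], p += p[1]) {
		if (debug)
			log(-1, " %s ", sppp_lcp_opt_name(*p));
		switch (*p) {
		case LCP_OPT_MAGIC:
			/* Magic number -- renegotiate */
			if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) &&
			    len >= 6 && p[1] == 6) {
				magic = (u_long)p[2] << 24 |
					(u_long)p[3] << 16 | p[4] << 8 | p[5];
				/*
				 * If the remote magic is our negated one,
				 * this looks like a loopback problem.
				 * Suggest a new magic to make sure.
				 */
				if (magic == ~sp->lcp.magic) {
					if (debug)
						log(-1, "magic glitch ");
					sp->lcp.magic = random();
				} else {
					sp->lcp.magic = magic;
					if (debug)
						log(-1, "%lu ", magic);
				}
			}
			break;
		case LCP_OPT_MRU:
			/*
			 * Peer wants to advise us to negotiate an MRU.
			 * Agree on it if it's reasonable, or use
			 * default otherwise.
			 */
			if (len >= 4 && p[1] == 4) {
				u_int mru = p[2] * 256 + p[3];
				if (debug)
					log(-1, "%d ", mru);
				/* Clamp the peer's suggestion into [PP_MTU, PP_MAX_MRU]. */
				if (mru < PP_MTU || mru > PP_MAX_MRU)
					mru = PP_MTU;
				sp->lcp.mru = mru;
				sp->lcp.opts |= (1 << LCP_OPT_MRU);
			}
			break;
		case LCP_OPT_AUTH_PROTO:
			/*
			 * Peer doesn't like our authentication method,
			 * deny.
			 */
			if (debug)
				log(-1, "[access denied]\n");
			lcp.Close(sp);
			break;
		}
	}
	if (debug)
		log(-1, "\n");
}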
2617 
/*
 * LCP "this-layer-up" action.  Opens the link-quality protocols,
 * picks the next phase (Authenticate if either side wants auth,
 * Network otherwise), opens the authentication protocols and -- in
 * network phase -- the NCPs, then sends Up to every protocol that
 * was already started (sp->lcp.protos) and tells the driver about
 * the phase change.  In network phase the link is closed again at
 * once if no NCP is starting.
 */
static void
sppp_lcp_tlu(struct sppp *sp)
{
	STDDCL;
	const struct cp *cp;
	int i, want_auth;

	/* XXX ? */
	if ((ifp->if_flags & IFF_UP) == 0 &&
	    (ifp->if_drv_flags & IFF_DRV_RUNNING) != 0) {
		/* Coming out of loopback mode. */
		if_up(ifp);
		printf (SPP_FMT "up\n", SPP_ARGS(ifp));
	}

	for (i = 0; i < IDX_COUNT; i++) {
		cp = cps[i];
		if (cp->flags & CP_QUAL)
			cp->Open(sp);
	}

	want_auth = (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 ||
	    (sp->pp_flags & PP_NEEDAUTH) != 0;
	sp->pp_phase = want_auth ? PHASE_AUTHENTICATE : PHASE_NETWORK;

	if (debug)
		log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp),
		    sppp_phase_name(sp->pp_phase));

	/*
	 * Open all authentication protocols.  This is even required
	 * if we already proceeded to network phase, since it might be
	 * that remote wants us to authenticate, so we might have to
	 * send a PAP request.  Undesired authentication protocols
	 * don't do anything when they get an Open event.
	 */
	for (i = 0; i < IDX_COUNT; i++) {
		cp = cps[i];
		if (cp->flags & CP_AUTH)
			cp->Open(sp);
	}

	if (sp->pp_phase == PHASE_NETWORK) {
		/* Notify all NCPs. */
		for (i = 0; i < IDX_COUNT; i++) {
			cp = cps[i];
			if ((cp->flags & CP_NCP) == 0)
				continue;
			/*
			 * XXX
			 * Hack to administratively disable IPv6 if
			 * not desired.  Perhaps we should have another
			 * flag for this, but right now, we can make
			 * all struct cp's read/only.
			 */
			if (cp == &ipv6cp &&
			    (sp->confflags & CONF_ENABLE_IPV6) == 0)
				continue;
			cp->Open(sp);
		}
	}

	/* Send Up events to all started protos. */
	for (i = 0; i < IDX_COUNT; i++) {
		cp = cps[i];
		if ((sp->lcp.protos & (1UL << i)) != 0 &&
		    (cp->flags & CP_LCP) == 0)
			cp->Up(sp);
	}

	/* notify low-level driver of state change */
	if (sp->pp_chg)
		sp->pp_chg(sp, (int)sp->pp_phase);

	/* if no NCP is starting, close down */
	if (sp->pp_phase == PHASE_NETWORK)
		sppp_lcp_check_and_close(sp);
}
2687 
/*
 * LCP "this-layer-down" action: enter Terminate phase and take every
 * started non-LCP protocol down.  We send the Down event first and
 * the Close second to prevent the upper layers from sending ``a
 * flurry of terminate-request packets'', as the RFC describes it.
 */
static void
sppp_lcp_tld(struct sppp *sp)
{
	STDDCL;
	const struct cp *cp;
	int i;

	sp->pp_phase = PHASE_TERMINATE;

	if (debug)
		log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp),
		    sppp_phase_name(sp->pp_phase));

	for (i = 0; i < IDX_COUNT; i++) {
		if ((sp->lcp.protos & (1UL << i)) == 0)
			continue;
		cp = cps[i];
		if (cp->flags & CP_LCP)
			continue;
		cp->Down(sp);
		cp->Close(sp);
	}
}
2713 
/*
 * LCP "this-layer-started" action: enter Establish phase and notify
 * the lower layer -- through sp->pp_tls if the driver installed one,
 * otherwise through sp->pp_up.
 */
static void
sppp_lcp_tls(struct sppp *sp)
{
	STDDCL;

	sp->pp_phase = PHASE_ESTABLISH;
	if (debug)
		log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp),
		    sppp_phase_name(sp->pp_phase));

	if (sp->pp_tls != NULL) {
		sp->pp_tls(sp);
		return;
	}
	sp->pp_up(sp);
}
2731 
/*
 * LCP "this-layer-finished" action: enter Dead phase and notify the
 * lower layer -- through sp->pp_tlf if the driver installed one,
 * otherwise through sp->pp_down.
 */
static void
sppp_lcp_tlf(struct sppp *sp)
{
	STDDCL;

	sp->pp_phase = PHASE_DEAD;
	if (debug)
		log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp),
		    sppp_phase_name(sp->pp_phase));

	if (sp->pp_tlf != NULL) {
		sp->pp_tlf(sp);
		return;
	}
	sp->pp_down(sp);
}
2748 
/*
 * LCP "send-configure-request" action.  Builds the option list from
 * sp->lcp.opts (magic number, MRU, authentication protocol we demand
 * from the peer) and sends it with a fresh identifier, which is also
 * remembered in sp->confid[IDX_LCP].  A zero magic number is
 * replaced by a random one the first time it is needed.
 */
static void
sppp_lcp_scr(struct sppp *sp)
{
	char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */];
	char *q = opt;
	u_short authproto;
	int optlen;

	if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) {
		if (sp->lcp.magic == 0)
			sp->lcp.magic = random();
		*q++ = LCP_OPT_MAGIC;
		*q++ = 6;
		*q++ = sp->lcp.magic >> 24;
		*q++ = sp->lcp.magic >> 16;
		*q++ = sp->lcp.magic >> 8;
		*q++ = sp->lcp.magic;
	}

	if (sp->lcp.opts & (1 << LCP_OPT_MRU)) {
		*q++ = LCP_OPT_MRU;
		*q++ = 4;
		*q++ = sp->lcp.mru >> 8;
		*q++ = sp->lcp.mru;
	}

	if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) {
		authproto = sp->hisauth.proto;
		*q++ = LCP_OPT_AUTH_PROTO;
		/* CHAP carries one extra byte for the algorithm. */
		*q++ = (authproto == PPP_CHAP) ? 5 : 4;
		*q++ = authproto >> 8;
		*q++ = authproto;
		if (authproto == PPP_CHAP)
			*q++ = CHAP_MD5;
	}

	optlen = (int)(q - opt);
	sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP];
	sppp_cp_send (sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], optlen, &opt);
}
2787 
/*
 * Check the started protocols: return true if at least one NCP
 * (CP_NCP in its flags) has its bit set in sp->lcp.protos.
 */
static int
sppp_ncp_check(struct sppp *sp)
{
	int i;

	for (i = 0; i < IDX_COUNT; i++) {
		if ((sp->lcp.protos & (1 << i)) == 0)
			continue;
		if (cps[i]->flags & CP_NCP)
			return 1;
	}
	return 0;
}
2801 
/*
 * Re-check the open NCPs and see if we should terminate the link.
 * Called by the NCPs during their tlf action handling.  Does nothing
 * before network phase (the link is already going down) or while at
 * least one NCP is still open; otherwise closes LCP.
 */
static void
sppp_lcp_check_and_close(struct sppp *sp)
{

	if (sp->pp_phase < PHASE_NETWORK)
		/* don't bother, we are already going down */
		return;

	if (sppp_ncp_check(sp) != 0)
		/* some NCP still holds the link up */
		return;

	lcp.Close(sp);
}
2819 
2820 /*
2821  *--------------------------------------------------------------------------*
2822  *                                                                          *
2823  *                        The IPCP implementation.                          *
2824  *                                                                          *
2825  *--------------------------------------------------------------------------*
2826  */
2827 
2828 #ifdef INET
/* Reset the IPCP instance of sp to its pristine state and initialise its callout. */
static void
sppp_ipcp_init(struct sppp *sp)
{
	sp->state[IDX_IPCP] = STATE_INITIAL;
	sp->fail_counter[IDX_IPCP] = 0;
	sp->pp_seq[IDX_IPCP] = 0;
	sp->pp_rseq[IDX_IPCP] = 0;

	sp->ipcp.opts = 0;
	sp->ipcp.flags = 0;

	callout_init(&sp->ch[IDX_IPCP], 1);
}
2840 
/* IPCP "Up" action: forward to the generic automaton. */
static void
sppp_ipcp_up(struct sppp *sp)
{
	const struct cp *cp = &ipcp;

	sppp_up_event(cp, sp);
}
2846 
/* IPCP "Down" action: forward to the generic automaton. */
static void
sppp_ipcp_down(struct sppp *sp)
{
	const struct cp *cp = &ipcp;

	sppp_down_event(cp, sp);
}
2852 
/*
 * IPCP "Open" action.  Resets the per-negotiation flags, then
 * decides what to negotiate from the interface's IP addresses: no
 * peer address configured means the interface does not want to talk
 * IP at all and IPCP is not opened; no local address means we must
 * ask the peer for one (IPCP_MYADDR_DYN).  VJ compression is offered
 * when CONF_ENABLE_VJ is set.
 */
static void
sppp_ipcp_open(struct sppp *sp)
{
	STDDCL;
	u_long myaddr, hisaddr;

	sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN | IPCP_MYADDR_SEEN |
			    IPCP_MYADDR_DYN | IPCP_VJ);
	sp->ipcp.opts = 0;

	sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0);
	if (hisaddr == 0L) {
		/*
		 * No peer address: e.g. an interface that only speaks
		 * IPX.  XXX this message should go away
		 */
		if (debug)
			log(LOG_DEBUG, SPP_FMT "ipcp_open(): no IP interface\n",
			    SPP_ARGS(ifp));
		return;
	}

	if (myaddr != 0L) {
		sp->ipcp.flags |= IPCP_MYADDR_SEEN;
	} else {
		/* No address assigned to us yet: negotiate one. */
		sp->ipcp.flags |= IPCP_MYADDR_DYN;
		sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS);
	}

	if (sp->confflags & CONF_ENABLE_VJ) {
		sp->ipcp.opts |= (1 << IPCP_OPT_COMPRESSION);
		sp->ipcp.max_state = MAX_STATES - 1;
		sp->ipcp.compress_cid = 1;
	}

	sppp_open_event(&ipcp, sp);
}
2893 
/*
 * IPCP "Close" action: forward to the generic automaton, then clear
 * our address again if it had been assigned dynamically.
 */
static void
sppp_ipcp_close(struct sppp *sp)
{
	sppp_close_event(&ipcp, sp);

	if ((sp->ipcp.flags & IPCP_MYADDR_DYN) == 0)
		return;
	/* My address was dynamic, clear it again. */
	sppp_set_ip_addr(sp, 0L);
}
2904 
/* IPCP restart-timer callout; cookie is the struct sppp of the link. */
static void
sppp_ipcp_TO(void *cookie)
{
	struct sppp *sp = cookie;

	sppp_to_event(&ipcp, sp);
}
2910 
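/*
 * Analyze an IPCP Configure-Request.
 *
 * h points at the IPCP header of the request and len is its total
 * length, header included.  Pass 1 Configure-Rejects unknown or
 * malformed options, pass 2 Configure-Naks values we cannot accept.
 * Pass 2 only runs if pass 1 rejected nothing, and both supported
 * options must have p[1] == 6 to survive pass 1, so the fixed-offset
 * reads (p[2]..p[5]) in pass 2 stay inside the option.
 *
 * Return true if the request was agreeable and caused action sca
 * (a Configure-Ack was sent), false if it has been rejected or
 * nak'ed and caused action scn.  (The return value is used to make
 * the state transition decision in the state automaton.)  Also
 * returns false, without sending anything, when the scratch buffer
 * cannot be allocated.
 */
static int
sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len)
{
	u_char *buf, *r, *p;
	struct ifnet *ifp = SP2IFP(sp);
	int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG;
	u_long hisaddr, desiredaddr;
	/* Never set in this function: the "still need hisaddr" test below is governed by IPCP_HISADDR_SEEN alone. */
	int gotmyaddr = 0;
	int desiredcomp;

	/* Strip the 4-byte header; assumes the caller validated len >= 4. */
	len -= 4;
	origlen = len;
	/*
	 * Make sure to allocate a buf that can at least hold a
	 * conf-nak with an `address' option.  We might need it below.
	 */
	buf = r = malloc ((len < 6? 6: len), M_TEMP, M_NOWAIT);
	if (! buf)
		return (0);

	/* pass 1: see if we can recognize them */
	if (debug)
		log(LOG_DEBUG, SPP_FMT "ipcp parse opts: ",
		    SPP_ARGS(ifp));
	p = (void*) (h+1);
	for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
	    len-=p[1], p+=p[1]) {
		if (debug)
			log(-1, " %s ", sppp_ipcp_opt_name(*p));
		switch (*p) {
		case IPCP_OPT_COMPRESSION:
			if (!(sp->confflags & CONF_ENABLE_VJ)) {
				/* VJ compression administratively disabled */
				if (debug)
					log(-1, "[locally disabled] ");
				break;
			}
			/*
			 * In theory, we should only conf-rej an
			 * option that is shorter than RFC 1618
			 * requires (i.e. < 4), and should conf-nak
			 * anything else that is not VJ.  However,
			 * since our algorithm always uses the
			 * original option to NAK it with new values,
			 * things would become more complicated.  In
			 * practice, the only commonly implemented IP
			 * compression option is VJ anyway, so the
			 * difference is negligible.
			 */
			if (len >= 6 && p[1] == 6) {
				/*
				 * correctly formed compression option
				 * that could be VJ compression
				 */
				continue;
			}
			if (debug)
				log(-1,
				    "optlen %d [invalid/unsupported] ",
				    p[1]);
			break;
		case IPCP_OPT_ADDRESS:
			if (len >= 6 && p[1] == 6) {
				/* correctly formed address option */
				continue;
			}
			if (debug)
				log(-1, "[invalid] ");
			break;
		default:
			/* Others not supported. */
			if (debug)
				log(-1, "[rej] ");
			break;
		}
		/* Add the option to rejected list. */
		bcopy (p, r, p[1]);
		r += p[1];
		rlen += p[1];
	}
	if (rlen) {
		if (debug)
			log(-1, " send conf-rej\n");
		sppp_cp_send (sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf);
		/*
		 * rlen != 0, so the common exit returns 0 -- and, unlike
		 * a bare return here, releases buf.
		 */
		goto end;
	} else if (debug)
		log(-1, "\n");

	/* pass 2: parse option values */
	sppp_get_ip_addrs(sp, 0, &hisaddr, 0);
	if (debug)
		log(LOG_DEBUG, SPP_FMT "ipcp parse opt values: ",
		       SPP_ARGS(ifp));
	p = (void*) (h+1);
	len = origlen;
	for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
	    len-=p[1], p+=p[1]) {
		if (debug)
			log(-1, " %s ", sppp_ipcp_opt_name(*p));
		switch (*p) {
		case IPCP_OPT_COMPRESSION:
			desiredcomp = p[2] << 8 | p[3];
			/*
			 * We only support VJ, and only with a Max-Slot-Id
			 * our own slot table can hold: the peer-supplied
			 * p[4] is stored as sp->ipcp.max_state and handed
			 * to sl_compress_init(), so bound it by MAX_STATES
			 * before either happens.  Anything else is nak'ed
			 * with our own VJ parameters.
			 */
			if (desiredcomp == IPCP_COMP_VJ && p[4] < MAX_STATES) {
				if (debug)
					log(-1, "VJ [ack] ");
				sp->ipcp.flags |= IPCP_VJ;
				sl_compress_init(sp->pp_comp, p[4]);
				sp->ipcp.max_state = p[4];
				sp->ipcp.compress_cid = p[5];
				continue;
			}
			if (debug) {
				if (desiredcomp != IPCP_COMP_VJ)
					log(-1,
					    "compproto %#04x [not supported] ",
					    desiredcomp);
				else
					log(-1,
					    "max-slot-id %d [too large] ",
					    p[4]);
			}
			p[2] = IPCP_COMP_VJ >> 8;
			p[3] = IPCP_COMP_VJ;
			p[4] = sp->ipcp.max_state;
			p[5] = sp->ipcp.compress_cid;
			break;
		case IPCP_OPT_ADDRESS:
			/*
			 * This is the address he wants in his end.
			 * Widen before shifting: p[2] << 24 on a plain int
			 * overflows for first octets >= 128 (matches the
			 * magic-number extraction in sppp_lcp_RCR).
			 */
			desiredaddr = (u_long)p[2] << 24 | (u_long)p[3] << 16 |
				p[4] << 8 | p[5];
			if (desiredaddr == hisaddr ||
			    (hisaddr >= 1 && hisaddr <= 254 && desiredaddr != 0)) {
				/*
				 * Peer's address is same as our value,
				 * or we have set it to 0.0.0.* to
				 * indicate that we do not really care,
				 * this is agreeable.  Gonna conf-ack
				 * it.
				 */
				if (debug)
					log(-1, "%s [ack] ",
						sppp_dotted_quad(hisaddr));
				/* record that we've seen it already */
				sp->ipcp.flags |= IPCP_HISADDR_SEEN;
				continue;
			}
			/*
			 * The address wasn't agreeable.  This is either
			 * he sent us 0.0.0.0, asking to assign him an
			 * address, or he send us another address not
			 * matching our value.  Either case, we gonna
			 * conf-nak it with our value.
			 * XXX: we should "rej" if hisaddr == 0
			 */
			if (debug) {
				if (desiredaddr == 0)
					log(-1, "[addr requested] ");
				else
					log(-1, "%s [not agreed] ",
						sppp_dotted_quad(desiredaddr));
			}
			p[2] = hisaddr >> 24;
			p[3] = hisaddr >> 16;
			p[4] = hisaddr >> 8;
			p[5] = hisaddr;
			break;
		}
		/* Add the option to nak'ed list. */
		bcopy (p, r, p[1]);
		r += p[1];
		rlen += p[1];
	}

	/*
	 * If we are about to conf-ack the request, but haven't seen
	 * his address so far, gonna conf-nak it instead, with the
	 * `address' option present and our idea of his address being
	 * filled in there, to request negotiation of both addresses.
	 *
	 * XXX This can result in an endless req - nak loop if peer
	 * doesn't want to send us his address.  Q: What should we do
	 * about it?  XXX  A: implement the max-failure counter.
	 */
	if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN) && !gotmyaddr) {
		/* buf was allocated with at least 6 bytes for exactly this case. */
		buf[0] = IPCP_OPT_ADDRESS;
		buf[1] = 6;
		buf[2] = hisaddr >> 24;
		buf[3] = hisaddr >> 16;
		buf[4] = hisaddr >> 8;
		buf[5] = hisaddr;
		rlen = 6;
		if (debug)
			log(-1, "still need hisaddr ");
	}

	if (rlen) {
		if (debug)
			log(-1, " send conf-nak\n");
		sppp_cp_send (sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf);
	} else {
		if (debug)
			log(-1, " send conf-ack\n");
		sppp_cp_send (sp, PPP_IPCP, CONF_ACK,
			      h->ident, origlen, h+1);
	}

end:
	free (buf, M_TEMP);
	return (rlen == 0);
}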
3121 
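/*
 * Analyze the IPCP Configure-Reject option list, and adjust our
 * negotiation.
 *
 * @param sp   link the Configure-Reject arrived on
 * @param h    CP header of the received packet; the option list follows it
 * @param len  total packet length in bytes, including the 4-byte header
 *
 * For the two options we negotiate (VJ compression and the address
 * option) a reject withdraws the option from our next Configure-Request
 * by clearing its bit in sp->ipcp.opts.  Other option types are ignored.
 * No packet is sent from here.
 */
static void
sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
{
	u_char *p;
	struct ifnet *ifp = SP2IFP(sp);
	int debug = ifp->if_flags & IFF_DEBUG;

	/*
	 * The options are only read in place.  The former scratch
	 * allocation was never touched, and its M_NOWAIT failure path made
	 * us silently drop the peer's Configure-Reject, so it is gone.
	 */
	len -= 4;		/* strip the CP header; options follow it */

	if (debug)
		log(LOG_DEBUG, SPP_FMT "ipcp rej opts: ",
		    SPP_ARGS(ifp));

	/*
	 * Walk the TLV list.  The loop condition bounds every access: a
	 * type/length pair must fit, the (self-inclusive) length must be at
	 * least 2, and the whole option must lie inside the remaining len.
	 */
	p = (void *)(h + 1);
	for (; len >= 2 && p[1] >= 2 && len >= p[1];
	    len -= p[1], p += p[1]) {
		if (debug)
			log(-1, " %s ", sppp_ipcp_opt_name(*p));
		switch (*p) {
		case IPCP_OPT_COMPRESSION:
			sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESSION);
			break;
		case IPCP_OPT_ADDRESS:
			/*
			 * Peer doesn't grok address option.  This is
			 * bad.  XXX  Should we better give up here?
			 * XXX We could try old "addresses" option...
			 */
			sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS);
			break;
		default:
			/* not an option we request; nothing to withdraw */
			break;
		}
	}
	if (debug)
		log(-1, "\n");
}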
3166 
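/*
 * Analyze the IPCP Configure-NAK option list, and adjust our
 * negotiation.
 *
 * @param sp   link the Configure-Nak arrived on
 * @param h    CP header of the received packet; the option list follows it
 * @param len  total packet length in bytes, including the 4-byte header
 *
 * A Nak carries the peer's preferred value for each option he did not
 * like.  For VJ compression we adopt his parameters; for the address
 * option we take his suggestion only while our own address is
 * dynamically assigned (IPCP_MYADDR_DYN), otherwise we keep our
 * configured value.  No packet is sent from here.
 */
static void
sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
{
	u_char *p;
	struct ifnet *ifp = SP2IFP(sp);
	int debug = ifp->if_flags & IFF_DEBUG;
	int desiredcomp;
	u_long wantaddr;

	/*
	 * The options are examined in place; the old scratch buffer was
	 * never used and its M_NOWAIT failure path silently discarded the Nak.
	 */
	len -= 4;		/* strip the CP header; options follow it */

	if (debug)
		log(LOG_DEBUG, SPP_FMT "ipcp nak opts: ",
		    SPP_ARGS(ifp));

	/* loop bound: type/length fit, length >= 2, option inside len */
	p = (void *)(h + 1);
	for (; len >= 2 && p[1] >= 2 && len >= p[1];
	    len -= p[1], p += p[1]) {
		if (debug)
			log(-1, " %s ", sppp_ipcp_opt_name(*p));
		switch (*p) {
		case IPCP_OPT_COMPRESSION:
			/* only a complete 6-byte option is meaningful */
			if (len >= 6 && p[1] == 6) {
				desiredcomp = p[2] << 8 | p[3];
				if (debug)
					log(-1, "[wantcomp %#04x] ",
						desiredcomp);
				if (desiredcomp == IPCP_COMP_VJ) {
					/*
					 * NOTE(review): p[4] (max slot id)
					 * and p[5] are taken verbatim from
					 * the peer.  sl_compress_init() is
					 * not visible here -- confirm it
					 * range-checks max_state against
					 * the size of its state tables
					 * before indexing them.
					 */
					sl_compress_init(sp->pp_comp, p[4]);
					sp->ipcp.max_state = p[4];
					sp->ipcp.compress_cid = p[5];
					if (debug)
						log(-1, "[agree] ");
				} else
					sp->ipcp.opts &=
						~(1 << IPCP_OPT_COMPRESSION);
			}
			break;
		case IPCP_OPT_ADDRESS:
			/*
			 * Peer doesn't like our local IP address.  See
			 * if we can do something for him.  We'll drop
			 * him our address then.
			 */
			if (len >= 6 && p[1] == 6) {
				/*
				 * Widen each octet before shifting: p[2]
				 * promotes to int, and an int shifted left
				 * by 24 overflows (undefined behaviour)
				 * for any first octet >= 128.
				 */
				wantaddr = (u_long)p[2] << 24 |
				    (u_long)p[3] << 16 |
				    (u_long)p[4] << 8 | p[5];
				sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS);
				if (debug)
					log(-1, "[wantaddr %s] ",
					       sppp_dotted_quad(wantaddr));
				/*
				 * When doing dynamic address assignment,
				 * we accept his offer.  Otherwise, we
				 * ignore it and thus continue to negotiate
				 * our already existing value.
				 * XXX: Bogus, if he said no once, he'll
				 * just say no again, might as well die.
				 */
				if (sp->ipcp.flags & IPCP_MYADDR_DYN) {
					sppp_set_ip_addr(sp, wantaddr);
					if (debug)
						log(-1, "[agree] ");
					sp->ipcp.flags |= IPCP_MYADDR_SEEN;
				}
			}
			break;
		default:
			/* not an option we request; nothing to adjust */
			break;
		}
	}
	if (debug)
		log(-1, "\n");
}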
3248 
static void
sppp_ipcp_tlu(struct sppp *sp)
{
	/*
	 * This-layer-up for IPCP: hand the event to the pp_con hook
	 * (the isdn daemon notification) when one is registered.
	 */
	if (sp->pp_con == NULL)
		return;
	sp->pp_con(sp);
}
3256 
static void
sppp_ipcp_tld(struct sppp *sp)
{
	/* This-layer-down for IPCP: no per-protocol teardown is needed. */
}
3261 
static void
sppp_ipcp_tls(struct sppp *sp)
{
	/*
	 * This-layer-started: register IPCP in LCP's set of live
	 * protocols so LCP keeps the link up on our behalf.
	 */
	sp->lcp.protos |= 1 << IDX_IPCP;
}
3268 
static void
sppp_ipcp_tlf(struct sppp *sp)
{
	/* This-layer-finished: IPCP no longer holds LCP open ... */
	sp->lcp.protos &= ~(1 << IDX_IPCP);
	/* ... and LCP now decides whether it can close. */
	sppp_lcp_check_and_close(sp);
}
3276 
static void
sppp_ipcp_scr(struct sppp *sp)
{
	char opt[6 /* compression */ + 6 /* address */];
	char *o = opt;
	u_long ouraddr;

	/*
	 * Send-configure-request: build the option list from the bits in
	 * sp->ipcp.opts.  Each option is type, length, then its value.
	 */
	if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) {
		/* VJ: protocol (2 bytes), max_state, compress_cid */
		*o++ = IPCP_OPT_COMPRESSION;
		*o++ = 6;
		*o++ = IPCP_COMP_VJ >> 8;
		*o++ = IPCP_COMP_VJ;
		*o++ = sp->ipcp.max_state;
		*o++ = sp->ipcp.compress_cid;
	}
	if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) {
		/* our address, most significant octet first */
		sppp_get_ip_addrs(sp, &ouraddr, 0, 0);
		*o++ = IPCP_OPT_ADDRESS;
		*o++ = 6;
		*o++ = ouraddr >> 24;
		*o++ = ouraddr >> 16;
		*o++ = ouraddr >> 8;
		*o++ = ouraddr;
	}

	/* fresh identifier for this request; remembered for the reply */
	sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP];
	sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP],
	    (int)(o - opt), &opt);
}
3305 #else /* !INET */
static void
sppp_ipcp_init(struct sppp *sp)
{
	/* INET not compiled in: IPCP has nothing to set up. */
}
3310 
static void
sppp_ipcp_up(struct sppp *sp)
{
	/* INET not compiled in: the Up event is ignored. */
}
3315 
static void
sppp_ipcp_down(struct sppp *sp)
{
	/* INET not compiled in: the Down event is ignored. */
}
3320 
static void
sppp_ipcp_open(struct sppp *sp)
{
	/* INET not compiled in: IPCP is never opened. */
}
3325 
static void
sppp_ipcp_close(struct sppp *sp)
{
	/* INET not compiled in: nothing to close. */
}
3330 
static void
sppp_ipcp_TO(void *cookie)
{
	/* INET not compiled in: no timeouts are ever armed for IPCP. */
}
3335 
static int
sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len)
{
	/*
	 * INET not compiled in: every Configure-Request is reported as
	 * not agreeable (0), the same value the real handler uses for
	 * a rejected or nak'ed request.
	 */
	return 0;
}
3341 
static void
sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
{
	/* INET not compiled in: Configure-Reject is ignored. */
}
3346 
static void
sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
{
	/* INET not compiled in: Configure-Nak is ignored. */
}
3351 
static void
sppp_ipcp_tlu(struct sppp *sp)
{
	/* INET not compiled in: no this-layer-up action. */
}
3356 
static void
sppp_ipcp_tld(struct sppp *sp)
{
	/* INET not compiled in: no this-layer-down action. */
}
3361 
static void
sppp_ipcp_tls(struct sppp *sp)
{
	/* INET not compiled in: no this-layer-started action. */
}
3366 
static void
sppp_ipcp_tlf(struct sppp *sp)
{
	/* INET not compiled in: no this-layer-finished action. */
}
3371 
static void
sppp_ipcp_scr(struct sppp *sp)
{
	/* INET not compiled in: no Configure-Request is ever sent. */
}
3376 #endif
3377 
3378 /*
3379  *--------------------------------------------------------------------------*
3380  *                                                                          *
3381  *                      The IPv6CP implementation.                          *
3382  *                                                                          *
3383  *--------------------------------------------------------------------------*
3384  */
3385 
3386 #ifdef INET6
static void
sppp_ipv6cp_init(struct sppp *sp)
{
	/* negotiation state: nothing requested, nothing learned yet */
	sp->ipv6cp.opts = 0;
	sp->ipv6cp.flags = 0;
	/* the automaton slot for this protocol: initial state, counters zeroed */
	sp->state[IDX_IPV6CP] = STATE_INITIAL;
	sp->fail_counter[IDX_IPV6CP] = 0;
	sp->pp_rseq[IDX_IPV6CP] = 0;
	sp->pp_seq[IDX_IPV6CP] = 0;
	/* timeout callout for this slot; second argument is callout_init's mpsafe flag */
	callout_init(&sp->ch[IDX_IPV6CP], 1);
}
3398 
static void
sppp_ipv6cp_up(struct sppp *sp)
{
	/* Up event: feed it to the shared CP automaton for IPv6CP. */
	sppp_up_event(&ipv6cp, sp);
}
3404 
static void
sppp_ipv6cp_down(struct sppp *sp)
{
	/* Down event: feed it to the shared CP automaton for IPv6CP. */
	sppp_down_event(&ipv6cp, sp);
}
3410 
static void
sppp_ipv6cp_open(struct sppp *sp)
{
	STDDCL;
	struct in6_addr myaddr, hisaddr;
	int clearflags = IPV6CP_MYIFID_SEEN;

#ifdef IPV6CP_MYIFID_DYN
	clearflags |= IPV6CP_MYIFID_DYN;
#endif
	/* start from a clean slate: forget what the last negotiation learned */
	sp->ipv6cp.flags &= ~clearflags;

	sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0);
	/*
	 * If we don't have our address, this probably means our
	 * interface doesn't want to talk IPv6 at all.  (This could
	 * be the case if somebody wants to speak only IPX, for
	 * example.)  Don't open IPv6CP in this case.
	 */
	if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) {
		/* XXX this message should go away */
		if (debug)
			log(LOG_DEBUG, SPP_FMT "ipv6cp_open(): no IPv6 interface\n",
			    SPP_ARGS(ifp));
		return;
	}

	/* we know our own ifid, so request the IFID option and open */
	sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN;
	sp->ipv6cp.opts |= 1 << IPV6CP_OPT_IFID;
	sppp_open_event(&ipv6cp, sp);
}
3442 
static void
sppp_ipv6cp_close(struct sppp *sp)
{
	/* Close event: feed it to the shared CP automaton for IPv6CP. */
	sppp_close_event(&ipv6cp, sp);
}
3448 
static void
sppp_ipv6cp_TO(void *cookie)
{
	struct sppp *sp = cookie;

	/* Timeout: the callout cookie is the link; run the automaton's TO. */
	sppp_to_event(&ipv6cp, sp);
}
3454 
/*
 * Analyze a configure request.  Return true if it was agreeable, and
 * caused action sca, false if it has been rejected or nak'ed, and
 * caused action scn.  (The return value is used to make the state
 * transition decision in the state automaton.)
 *
 * @param sp   link the Configure-Request arrived on
 * @param h    CP header of the received packet; the option list follows it
 * @param len  total packet length in bytes, including the 4-byte header
 * @return     1 when a Conf-Ack was sent, 0 when a Conf-Rej or Conf-Nak
 *             was sent or the reply buffer could not be allocated
 *
 * Two passes over the peer's option list: pass 1 rejects anything we do
 * not understand (or a malformed/duplicate IFID option), pass 2 checks
 * the value of the single IFID option against our own interface
 * identifier.  Pass 2 edits the request in place so that the copy it
 * makes into buf already carries our suggested value.
 */
static int
sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len)
{
	u_char *buf, *r, *p;
	struct ifnet *ifp = SP2IFP(sp);
	int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG;
	struct in6_addr myaddr, desiredaddr, suggestaddr;
	int ifidcount;
	int type;
	int collision, nohisaddr;
	char ip6buf[INET6_ADDRSTRLEN];

	len -= 4;		/* strip the CP header; options follow it */
	origlen = len;		/* pass 2 re-walks the list from the start */
	/*
	 * Make sure to allocate a buf that can at least hold a
	 * conf-nak with an `address' option.  We might need it below.
	 */
	/*
	 * Only options copied out of the request (which fit in len) are
	 * ever written to buf here, so the floor of 6 is a harmless
	 * leftover from the IPCP variant rather than a requirement.
	 */
	buf = r = malloc ((len < 6? 6: len), M_TEMP, M_NOWAIT);
	if (! buf)
		return (0);

	/* pass 1: see if we can recognize them */
	if (debug)
		log(LOG_DEBUG, SPP_FMT "ipv6cp parse opts:",
		    SPP_ARGS(ifp));
	p = (void*) (h+1);
	ifidcount = 0;
	/*
	 * Loop bound: a type/length pair must fit, the self-inclusive
	 * length must be >= 2, and the whole option must lie inside len.
	 * Every p[] access below relies on this.
	 */
	for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
	    len-=p[1], p+=p[1]) {
		if (debug)
			log(-1, " %s", sppp_ipv6cp_opt_name(*p));
		switch (*p) {
		case IPV6CP_OPT_IFID:
			/* exactly 10 bytes, and only the first occurrence */
			if (len >= 10 && p[1] == 10 && ifidcount == 0) {
				/* correctly formed address option */
				ifidcount++;
				continue;
			}
			if (debug)
				log(-1, " [invalid]");
			break;
#ifdef notyet
		case IPV6CP_OPT_COMPRESSION:
			if (len >= 4 && p[1] >= 4) {
				/* correctly formed compress option */
				continue;
			}
			if (debug)
				log(-1, " [invalid]");
			break;
#endif
		default:
			/* Others not supported. */
			if (debug)
				log(-1, " [rej]");
			break;
		}
		/* Add the option to rejected list. */
		bcopy (p, r, p[1]);
		r += p[1];
		rlen += p[1];
	}
	/* anything rejected means Conf-Rej now; pass 2 is skipped */
	if (rlen) {
		if (debug)
			log(-1, " send conf-rej\n");
		sppp_cp_send (sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf);
		goto end;
	} else if (debug)
		log(-1, "\n");

	/* pass 2: parse option values */
	sppp_get_ip6_addrs(sp, &myaddr, 0, 0);
	if (debug)
		log(LOG_DEBUG, SPP_FMT "ipv6cp parse opt values: ",
		    SPP_ARGS(ifp));
	p = (void*) (h+1);
	len = origlen;
	type = CONF_ACK;
	for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
	    len-=p[1], p+=p[1]) {
		if (debug)
			log(-1, " %s", sppp_ipv6cp_opt_name(*p));
		switch (*p) {
#ifdef notyet
		case IPV6CP_OPT_COMPRESSION:
			continue;
#endif
		case IPV6CP_OPT_IFID:
			/*
			 * The peer's 8 ifid octets are untrusted input;
			 * they are only compared against our own ifid and
			 * used to form a link-local address for logging.
			 */
			bzero(&desiredaddr, sizeof(desiredaddr));
			bcopy(&p[2], &desiredaddr.s6_addr[8], 8);
			/* collision: he asks for the same ifid we use */
			collision = (bcmp(&desiredaddr.s6_addr[8],
					  &myaddr.s6_addr[8], 8) == 0);
			/* nohisaddr: all-zero ifid, i.e. he wants one assigned */
			nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr);

			/* fe80::/64 + ifid, scoped to this interface (scope errors ignored) */
			desiredaddr.s6_addr16[0] = htons(0xfe80);
			(void)in6_setscope(&desiredaddr, SP2IFP(sp), NULL);

			if (!collision && !nohisaddr) {
				/* no collision, hisaddr known - Conf-Ack */
				type = CONF_ACK;

				if (debug) {
					log(-1, " %s [%s]",
					    ip6_sprintf(ip6buf, &desiredaddr),
					    sppp_cp_type_name(type));
				}
				/* acceptable: not copied into buf */
				continue;
			}

			bzero(&suggestaddr, sizeof(suggestaddr));
			if (collision && nohisaddr) {
				/* collision, hisaddr unknown - Conf-Rej */
				type = CONF_REJ;
				/* clear the value in the request before it is copied below */
				bzero(&p[2], 8);
			} else {
				/*
				 * - no collision, hisaddr unknown, or
				 * - collision, hisaddr known
				 * Conf-Nak, suggest hisaddr
				 */
				type = CONF_NAK;
				sppp_suggest_ip6_addr(sp, &suggestaddr);
				/* overwrite the request's value with our suggestion */
				bcopy(&suggestaddr.s6_addr[8], &p[2], 8);
			}
			if (debug)
				log(-1, " %s [%s]",
				    ip6_sprintf(ip6buf, &desiredaddr),
				    sppp_cp_type_name(type));
			break;
		}
		/* Add the option to nak'ed list. */
		bcopy (p, r, p[1]);
		r += p[1];
		rlen += p[1];
	}

	/* Conf-Ack echoes the (unmodified) request; Rej/Nak send buf */
	if (rlen == 0 && type == CONF_ACK) {
		if (debug)
			log(-1, " send %s\n", sppp_cp_type_name(type));
		sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, origlen, h+1);
	} else {
#ifdef DIAGNOSTIC
		/* rlen != 0 can only come from the Rej/Nak branches above */
		if (type == CONF_ACK)
			panic("IPv6CP RCR: CONF_ACK with non-zero rlen");
#endif

		if (debug) {
			log(-1, " send %s suggest %s\n",
			    sppp_cp_type_name(type),
			    ip6_sprintf(ip6buf, &suggestaddr));
		}
		sppp_cp_send (sp, PPP_IPV6CP, type, h->ident, rlen, buf);
	}

 end:
	free (buf, M_TEMP);
	return (rlen == 0);
}
3620 
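/*
 * Analyze the IPv6CP Configure-Reject option list, and adjust our
 * negotiation.
 *
 * @param sp   link the Configure-Reject arrived on
 * @param h    CP header of the received packet; the option list follows it
 * @param len  total packet length in bytes, including the 4-byte header
 *
 * A rejected interface-identifier option is withdrawn from our next
 * Configure-Request by clearing its bit in sp->ipv6cp.opts.  Other
 * option types are ignored.  No packet is sent from here.
 */
static void
sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
{
	u_char *p;
	struct ifnet *ifp = SP2IFP(sp);
	int debug = ifp->if_flags & IFF_DEBUG;

	/*
	 * The options are only read in place.  The former scratch
	 * allocation was never touched, and its M_NOWAIT failure path made
	 * us silently drop the peer's Configure-Reject, so it is gone.
	 */
	len -= 4;		/* strip the CP header; options follow it */

	if (debug)
		log(LOG_DEBUG, SPP_FMT "ipv6cp rej opts:",
		    SPP_ARGS(ifp));

	/* loop bound: type/length fit, length >= 2, option inside len */
	p = (void *)(h + 1);
	for (; len >= 2 && p[1] >= 2 && len >= p[1];
	    len -= p[1], p += p[1]) {
		if (debug)
			log(-1, " %s", sppp_ipv6cp_opt_name(*p));
		switch (*p) {
		case IPV6CP_OPT_IFID:
			/*
			 * Peer doesn't grok address option.  This is
			 * bad.  XXX  Should we better give up here?
			 */
			sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID);
			break;
#ifdef notyet
		/*
		 * Spelled as in sppp_ipv6cp_RCR() and sppp_ipv6cp_scr()
		 * (IPV6CP_OPT_COMPRESSION), which this block previously
		 * disagreed with.
		 */
		case IPV6CP_OPT_COMPRESSION:
			sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESSION);
			break;
#endif
		default:
			/* not an option we request; nothing to withdraw */
			break;
		}
	}
	if (debug)
		log(-1, "\n");
}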
3666 
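/*
 * Analyze the IPv6CP Configure-NAK option list, and adjust our
 * negotiation.
 *
 * @param sp   link the Configure-Nak arrived on
 * @param h    CP header of the received packet; the option list follows it
 * @param len  total packet length in bytes, including the 4-byte header
 *
 * Only the interface-identifier option is handled: the peer's suggested
 * ifid is logged and, when IPV6CP_MYIFID_DYN is compiled in and enabled
 * on the link, adopted as our own address.  Otherwise we keep
 * negotiating our existing value.  No packet is sent from here.
 */
static void
sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
{
	u_char *p;
	struct ifnet *ifp = SP2IFP(sp);
	int debug = ifp->if_flags & IFF_DEBUG;
	struct in6_addr suggestaddr;
	char ip6buf[INET6_ADDRSTRLEN];

	/*
	 * The options are examined in place; the old scratch buffer was
	 * never used and its M_NOWAIT failure path silently discarded the Nak.
	 */
	len -= 4;		/* strip the CP header; options follow it */

	if (debug)
		log(LOG_DEBUG, SPP_FMT "ipv6cp nak opts:",
		    SPP_ARGS(ifp));

	/* loop bound: type/length fit, length >= 2, option inside len */
	p = (void *)(h + 1);
	for (; len >= 2 && p[1] >= 2 && len >= p[1];
	    len -= p[1], p += p[1]) {
		if (debug)
			log(-1, " %s", sppp_ipv6cp_opt_name(*p));
		switch (*p) {
		case IPV6CP_OPT_IFID:
			/*
			 * Peer doesn't like our local ifid.  See
			 * if we can do something for him.  We'll drop
			 * him our address then.
			 */
			if (len < 10 || p[1] != 10)
				break;
			/* fe80::/64, scoped to this interface, + his 8 ifid octets */
			bzero(&suggestaddr, sizeof(suggestaddr));
			suggestaddr.s6_addr16[0] = htons(0xfe80);
			(void)in6_setscope(&suggestaddr, SP2IFP(sp), NULL);
			bcopy(&p[2], &suggestaddr.s6_addr[8], 8);

			sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID);
			if (debug)
				log(-1, " [suggestaddr %s]",
				       ip6_sprintf(ip6buf, &suggestaddr));
#ifdef IPV6CP_MYIFID_DYN
			/*
			 * When doing dynamic address assignment,
			 * we accept his offer.
			 */
			if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) {
				struct in6_addr lastsuggest;
				/*
				 * If <suggested myaddr from peer> equals to
				 * <hisaddr we have suggested last time>,
				 * we have a collision.  generate new random
				 * ifid.
				 *
				 * The two calls below now use the same
				 * forms as the rest of this file --
				 * sppp_suggest_ip6_addr(sp, &addr) and
				 * IN6_ARE_ADDR_EQUAL() on two pointers;
				 * the previous spelling could not compile.
				 */
				sppp_suggest_ip6_addr(sp, &lastsuggest);
				if (IN6_ARE_ADDR_EQUAL(&suggestaddr,
						       &lastsuggest)) {
					if (debug)
						log(-1, " [random]");
					sppp_gen_ip6_addr(sp, &suggestaddr);
				}
				sppp_set_ip6_addr(sp, &suggestaddr, 0);
				if (debug)
					log(-1, " [agree]");
				sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN;
			}
#else
			/*
			 * Since we do not do dynamic address assignment,
			 * we ignore it and thus continue to negotiate
			 * our already existing value.  This can possibly
			 * go into infinite request-reject loop.
			 *
			 * This is not likely because we normally use
			 * ifid based on MAC-address.
			 * If you have no ethernet card on the node, too bad.
			 * XXX should we use fail_counter?
			 */
#endif
			break;
#ifdef notyet
		/* spelled as in sppp_ipv6cp_RCR() / sppp_ipv6cp_scr() */
		case IPV6CP_OPT_COMPRESSION:
			/*
			 * Peer wants different compression parameters.
			 */
			break;
#endif
		default:
			/* not an option we request; nothing to adjust */
			break;
		}
	}
	if (debug)
		log(-1, "\n");
}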
static void
sppp_ipv6cp_tlu(struct sppp *sp)
{
	/*
	 * This-layer-up for IPv6CP: hand the event to the pp_con hook
	 * (the isdn daemon notification) when one is registered.
	 */
	if (sp->pp_con == NULL)
		return;
	sp->pp_con(sp);
}
3772 
static void
sppp_ipv6cp_tld(struct sppp *sp)
{
	/* This-layer-down for IPv6CP: no per-protocol teardown is needed. */
}
3777 
static void
sppp_ipv6cp_tls(struct sppp *sp)
{
	/*
	 * This-layer-started: register IPv6CP in LCP's set of live
	 * protocols so LCP keeps the link up on our behalf.
	 */
	sp->lcp.protos |= 1 << IDX_IPV6CP;
}
3784 
static void
sppp_ipv6cp_tlf(struct sppp *sp)
{
	/*
	 * This-layer-finished.  Unlike sppp_ipcp_tlf(), IPv6CP deliberately
	 * does NOT drop its LCP dependency here; the original author left
	 * the code disabled with the note below.
	 */
#if 0	/* need #if 0 to close IPv6CP properly */
	/* we no longer need LCP */
	sp->lcp.protos &= ~(1 << IDX_IPV6CP);
	sppp_lcp_check_and_close(sp);
#endif
}
3795 
static void
sppp_ipv6cp_scr(struct sppp *sp)
{
	char opt[10 /* ifid */ + 4 /* compression, minimum */];
	char *o = opt;
	struct in6_addr ouraddr;

	/*
	 * Send-configure-request: build the option list from the bits in
	 * sp->ipv6cp.opts.  Each option is type, length, then its value.
	 */
	if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) {
		/* Interface-Identifier: the low 8 octets of our address */
		sppp_get_ip6_addrs(sp, &ouraddr, 0, 0);
		*o++ = IPV6CP_OPT_IFID;
		*o++ = 10;
		bcopy(&ouraddr.s6_addr[8], o, 8);
		o += 8;
	}

#ifdef notyet
	if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) {
		*o++ = IPV6CP_OPT_COMPRESSION;
		*o++ = 4;
		*o++ = 0;   /* TBD */
		*o++ = 0;   /* TBD */
		/* variable length data may follow */
	}
#endif

	/* fresh identifier for this request; remembered for the reply */
	sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP];
	sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP],
	    (int)(o - opt), &opt);
}
3824 #else /*INET6*/
static void
sppp_ipv6cp_init(struct sppp *sp)
{
	/* INET6 not compiled in: IPv6CP has nothing to set up. */
}
3828 
static void
sppp_ipv6cp_up(struct sppp *sp)
{
	/* INET6 not compiled in: the Up event is ignored. */
}
3832 
static void
sppp_ipv6cp_down(struct sppp *sp)
{
	/* INET6 not compiled in: the Down event is ignored. */
}
3836 
static void
sppp_ipv6cp_open(struct sppp *sp)
{
	/* INET6 not compiled in: IPv6CP is never opened. */
}
3840 
static void
sppp_ipv6cp_close(struct sppp *sp)
{
	/* INET6 not compiled in: nothing to close. */
}
3844 
static void
sppp_ipv6cp_TO(void *sp)
{
	/* INET6 not compiled in: no timeouts are ever armed for IPv6CP. */
}
3848 
static int
sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len)
{
	/*
	 * INET6 not compiled in: every Configure-Request is reported as
	 * not agreeable (0), the value the real handler uses for a
	 * rejected or nak'ed request.
	 */
	return (0);
}
3853 
static void
sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
{
	/* INET6 not compiled in: Configure-Reject is ignored. */
}
3857 
static void
sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
{
	/* INET6 not compiled in: Configure-Nak is ignored. */
}
3861 
static void
sppp_ipv6cp_tlu(struct sppp *sp)
{
	/* INET6 not compiled in: no this-layer-up action. */
}
3865 
static void
sppp_ipv6cp_tld(struct sppp *sp)
{
	/* INET6 not compiled in: no this-layer-down action. */
}
3869 
static void
sppp_ipv6cp_tls(struct sppp *sp)
{
	/* INET6 not compiled in: no this-layer-started action. */
}
3873 
static void
sppp_ipv6cp_tlf(struct sppp *sp)
{
	/* INET6 not compiled in: no this-layer-finished action. */
}
3877 
static void
sppp_ipv6cp_scr(struct sppp *sp)
{
	/* INET6 not compiled in: no Configure-Request is ever sent. */
}
3881 #endif /*INET6*/
3882 
3883 /*
3884  *--------------------------------------------------------------------------*
3885  *                                                                          *
3886  *                        The CHAP implementation.                          *
3887  *                                                                          *
3888  *--------------------------------------------------------------------------*
3889  */
3890 
3891 /*
3892  * The authentication protocols don't employ a full-fledged state machine as
3893  * the control protocols do, since they do have Open and Close events, but
3894  * not Up and Down, nor are they explicitly terminated.  Also, use of the
3895  * authentication protocols may be different in both directions (this makes
3896  * sense, think of a machine that never accepts incoming calls but only
3897  * calls out, it doesn't require the called party to authenticate itself).
3898  *
3899  * Our state machine for the local authentication protocol (we are requesting
3900  * the peer to authenticate) looks like:
3901  *
3902  *						    RCA-
3903  *	      +--------------------------------------------+
3904  *	      V					    scn,tld|
3905  *	  +--------+			       Close   +---------+ RCA+
3906  *	  |	   |<----------------------------------|	 |------+
3907  *   +--->| Closed |				TO*    | Opened	 | sca	|
3908  *   |	  |	   |-----+		       +-------|	 |<-----+
3909  *   |	  +--------+ irc |		       |       +---------+
3910  *   |	    ^		 |		       |	   ^
3911  *   |	    |		 |		       |	   |
3912  *   |	    |		 |		       |	   |
3913  *   |	 TO-|		 |		       |	   |
3914  *   |	    |tld  TO+	 V		       |	   |
3915  *   |	    |	+------->+		       |	   |
3916  *   |	    |	|	 |		       |	   |
3917  *   |	  +--------+	 V		       |	   |
3918  *   |	  |	   |<----+<--------------------+	   |
3919  *   |	  | Req-   | scr				   |
3920  *   |	  | Sent   |					   |
3921  *   |	  |	   |					   |
3922  *   |	  +--------+					   |
3923  *   | RCA- |	| RCA+					   |
3924  *   +------+	+------------------------------------------+
3925  *   scn,tld	  sca,irc,ict,tlu
3926  *
3927  *
3928  *   with:
3929  *
3930  *	Open:	LCP reached authentication phase
3931  *	Close:	LCP reached terminate phase
3932  *
3933  *	RCA+:	received reply (pap-req, chap-response), acceptable
3934  *	RCN:	received reply (pap-req, chap-response), not acceptable
3935  *	TO+:	timeout with restart counter >= 0
3936  *	TO-:	timeout with restart counter < 0
3937  *	TO*:	reschedule timeout for CHAP
3938  *
3939  *	scr:	send request packet (none for PAP, chap-challenge)
3940  *	sca:	send ack packet (pap-ack, chap-success)
3941  *	scn:	send nak packet (pap-nak, chap-failure)
3942  *	ict:	initialize re-challenge timer (CHAP only)
3943  *
3944  *	tlu:	this-layer-up, LCP reaches network phase
3945  *	tld:	this-layer-down, LCP enters terminate phase
3946  *
3947  * Note that in CHAP mode, after sending a new challenge, while the state
3948  * automaton falls back into Req-Sent state, it doesn't signal a tld
3949  * event to LCP, so LCP remains in network phase.  Only after not getting
3950  * any response (or after getting an unacceptable response), CHAP closes,
3951  * causing LCP to enter terminate phase.
3952  *
3953  * With PAP, there is no initial request that can be sent.  The peer is
3954  * expected to send one based on the successful negotiation of PAP as
3955  * the authentication protocol during the LCP option negotiation.
3956  *
3957  * Incoming authentication protocol requests (remote requests
3958  * authentication, we are peer) don't employ a state machine at all,
3959  * they are simply answered.  Some peers [Ascend P50 firmware rev
3960  * 4.50] react badly when IPCP requests are sent to them while they are
3961  * still in authentication phase (thereby violating the standard that
3962  * demands that these NCP packets are to be discarded), so we keep
3963  * track of the peer demanding us to authenticate, and only proceed to
3964  * phase network once we've seen a positive acknowledge for the
3965  * authentication.
3966  */
3967 
/*
 * Handle incoming CHAP packets.
 *
 * @param sp  link the packet arrived on
 * @param m   mbuf holding the CHAP packet; m->m_pkthdr.len is its length
 *
 * Challenge, Success and Failure belong to the peer authenticating us
 * (we answer a challenge from sp->myauth); Response belongs to us
 * authenticating the peer (we verify against sp->hisauth and the
 * challenge we sent).  Anything else is logged and dropped.
 */
static void
sppp_chap_input(struct sppp *sp, struct mbuf *m)
{
	STDDCL;
	struct lcp_header *h;
	int len;
	/*
	 * NOTE(review): MD5Final() writes a 16-byte digest into `digest',
	 * so AUTHKEYLEN is assumed to be 16 -- confirm in if_sppp.h.
	 */
	u_char *value, *name, digest[AUTHKEYLEN], dsize;
	int value_len, name_len;
	MD5_CTX ctx;

	/* never trust the header's length field beyond the mbuf's */
	len = m->m_pkthdr.len;
	if (len < 4) {
		if (debug)
			log(LOG_DEBUG,
			    SPP_FMT "chap invalid packet length: %d bytes\n",
			    SPP_ARGS(ifp), len);
		return;
	}
	h = mtod (m, struct lcp_header*);
	if (len > ntohs (h->len))
		len = ntohs (h->len);

	switch (h->type) {
	/* challenge, failure and success are his authproto */
	case CHAP_CHALLENGE:
		/*
		 * Layout after the 4-byte header: Value-Size (1 byte),
		 * Value, Name.  name_len < 0 means the value does not fit.
		 * NOTE(review): value[-1] is read before the length check,
		 * so for len == 4 one byte past the header is examined --
		 * presumably covered by the caller's pullup; verify.
		 */
		value = 1 + (u_char*)(h+1);
		value_len = value[-1];
		name = value + value_len;
		name_len = len - value_len - 5;
		if (name_len < 0) {
			if (debug) {
				log(LOG_DEBUG,
				    SPP_FMT "chap corrupted challenge "
				    "<%s id=0x%x len=%d",
				    SPP_ARGS(ifp),
				    sppp_auth_type_name(PPP_CHAP, h->type),
				    h->ident, ntohs(h->len));
				sppp_print_bytes((u_char*) (h+1), len-4);
				log(-1, ">\n");
			}
			break;
		}

		if (debug) {
			log(LOG_DEBUG,
			    SPP_FMT "chap input <%s id=0x%x len=%d name=",
			    SPP_ARGS(ifp),
			    sppp_auth_type_name(PPP_CHAP, h->type), h->ident,
			    ntohs(h->len));
			sppp_print_string((char*) name, name_len);
			log(-1, " value-size=%d value=", value_len);
			sppp_print_bytes(value, value_len);
			log(-1, ">\n");
		}

		/* Compute reply value. */
		/* response = MD5(ident || our secret || his challenge value) */
		MD5Init(&ctx);
		MD5Update(&ctx, &h->ident, 1);
		MD5Update(&ctx, sp->myauth.secret,
			  sppp_strnlen(sp->myauth.secret, AUTHKEYLEN));
		MD5Update(&ctx, value, value_len);
		MD5Final(digest, &ctx);
		dsize = sizeof digest;

		/* Value-Size, Value, then our name; the 0 ends the list */
		sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident,
			       sizeof dsize, (const char *)&dsize,
			       sizeof digest, digest,
			       (size_t)sppp_strnlen(sp->myauth.name, AUTHNAMELEN),
			       sp->myauth.name,
			       0);
		break;

	case CHAP_SUCCESS:
		if (debug) {
			log(LOG_DEBUG, SPP_FMT "chap success",
			    SPP_ARGS(ifp));
			if (len > 4) {
				log(-1, ": ");
				sppp_print_string((char*)(h + 1), len - 4);
			}
			log(-1, "\n");
		}
		/* the only case in this function that takes the sppp lock */
		SPPP_LOCK(sp);
		sp->pp_flags &= ~PP_NEEDAUTH;
		if (sp->myauth.proto == PPP_CHAP &&
		    (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) &&
		    (sp->lcp.protos & (1 << IDX_CHAP)) == 0) {
			/*
			 * We are authenticator for CHAP but didn't
			 * complete yet.  Leave it to tlu to proceed
			 * to network phase.
			 */
			SPPP_UNLOCK(sp);
			break;
		}
		SPPP_UNLOCK(sp);
		sppp_phase_network(sp);
		break;

	case CHAP_FAILURE:
		/* always logged at LOG_INFO, with the peer's message if debugging */
		if (debug) {
			log(LOG_INFO, SPP_FMT "chap failure",
			    SPP_ARGS(ifp));
			if (len > 4) {
				log(-1, ": ");
				sppp_print_string((char*)(h + 1), len - 4);
			}
			log(-1, "\n");
		} else
			log(LOG_INFO, SPP_FMT "chap failure\n",
			    SPP_ARGS(ifp));
		/* await LCP shutdown by authenticator */
		break;

	/* response is my authproto */
	case CHAP_RESPONSE:
		/* same layout as the challenge: Value-Size, Value, Name */
		value = 1 + (u_char*)(h+1);
		value_len = value[-1];
		name = value + value_len;
		name_len = len - value_len - 5;
		if (name_len < 0) {
			if (debug) {
				log(LOG_DEBUG,
				    SPP_FMT "chap corrupted response "
				    "<%s id=0x%x len=%d",
				    SPP_ARGS(ifp),
				    sppp_auth_type_name(PPP_CHAP, h->type),
				    h->ident, ntohs(h->len));
				sppp_print_bytes((u_char*)(h+1), len-4);
				log(-1, ">\n");
			}
			break;
		}
		/*
		 * Only a response to the challenge we last sent counts;
		 * this discards stale or replayed responses.
		 */
		if (h->ident != sp->confid[IDX_CHAP]) {
			if (debug)
				log(LOG_DEBUG,
				    SPP_FMT "chap dropping response for old ID "
				    "(got %d, expected %d)\n",
				    SPP_ARGS(ifp),
				    h->ident, sp->confid[IDX_CHAP]);
			break;
		}
		/*
		 * A name mismatch is only logged, never rejected: the name
		 * is not part of the hash, so acceptance below rests solely
		 * on the shared secret.
		 */
		if (name_len != sppp_strnlen(sp->hisauth.name, AUTHNAMELEN)
		    || bcmp(name, sp->hisauth.name, name_len) != 0) {
			log(LOG_INFO, SPP_FMT "chap response, his name ",
			    SPP_ARGS(ifp));
			sppp_print_string(name, name_len);
			log(-1, " != expected ");
			sppp_print_string(sp->hisauth.name,
					  sppp_strnlen(sp->hisauth.name, AUTHNAMELEN));
			log(-1, "\n");
		}
		if (debug) {
			log(LOG_DEBUG, SPP_FMT "chap input(%s) "
			    "<%s id=0x%x len=%d name=",
			    SPP_ARGS(ifp),
			    sppp_state_name(sp->state[IDX_CHAP]),
			    sppp_auth_type_name(PPP_CHAP, h->type),
			    h->ident, ntohs (h->len));
			sppp_print_string((char*)name, name_len);
			log(-1, " value-size=%d value=", value_len);
			sppp_print_bytes(value, value_len);
			log(-1, ">\n");
		}
		/* the peer's hash must be exactly one digest long */
		if (value_len != AUTHKEYLEN) {
			if (debug)
				log(LOG_DEBUG,
				    SPP_FMT "chap bad hash value length: "
				    "%d bytes, should be %d\n",
				    SPP_ARGS(ifp), value_len,
				    AUTHKEYLEN);
			break;
		}

		/* expected = MD5(ident || his secret || the challenge we sent) */
		MD5Init(&ctx);
		MD5Update(&ctx, &h->ident, 1);
		MD5Update(&ctx, sp->hisauth.secret,
			  sppp_strnlen(sp->hisauth.secret, AUTHKEYLEN));
		MD5Update(&ctx, sp->myauth.challenge, AUTHKEYLEN);
		MD5Final(digest, &ctx);

#define FAILMSG "Failed..."
#define SUCCMSG "Welcome!"

		/*
		 * NOTE(review): bcmp() returns at the first differing byte,
		 * so this digest comparison is not constant-time; a
		 * timing-safe comparison would be preferable here.
		 */
		if (value_len != sizeof digest ||
		    bcmp(digest, value, value_len) != 0) {
			/* action scn, tld */
			sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident,
				       sizeof(FAILMSG) - 1, (u_char *)FAILMSG,
				       0);
			chap.tld(sp);
			break;
		}
		/* action sca, perhaps tlu */
		if (sp->state[IDX_CHAP] == STATE_REQ_SENT ||
		    sp->state[IDX_CHAP] == STATE_OPENED)
			sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident,
				       sizeof(SUCCMSG) - 1, (u_char *)SUCCMSG,
				       0);
		/* first successful response moves us Req-Sent -> Opened */
		if (sp->state[IDX_CHAP] == STATE_REQ_SENT) {
			sppp_cp_change_state(&chap, sp, STATE_OPENED);
			chap.tlu(sp);
		}
		break;

	default:
		/* Unknown CHAP packet type -- ignore. */
		if (debug) {
			log(LOG_DEBUG, SPP_FMT "chap unknown input(%s) "
			    "<0x%x id=0x%xh len=%d",
			    SPP_ARGS(ifp),
			    sppp_state_name(sp->state[IDX_CHAP]),
			    h->type, h->ident, ntohs(h->len));
			sppp_print_bytes((u_char*)(h+1), len-4);
			log(-1, ">\n");
		}
		break;
	}
}
4190 
/*
 * Reset the CHAP control-protocol slot of 'sp' for a fresh link.
 * CHAP has no STATE_INITIAL, so the state machine starts out in
 * STATE_CLOSED; counters and sequence numbers are zeroed and the
 * restart callout is initialised (1 == mpsafe).
 */
static void
sppp_chap_init(struct sppp *sp)
{
	const int idx = IDX_CHAP;

	sp->state[idx] = STATE_CLOSED;	/* no STATE_INITIAL in CHAP */
	sp->fail_counter[idx] = 0;
	sp->pp_seq[idx] = 0;
	sp->pp_rseq[idx] = 0;
	callout_init(&sp->ch[idx], 1);
}
4201 
/*
 * Open event for CHAP.  When we are the authenticator (our side
 * selected CHAP and LCP negotiated an authentication protocol) the
 * first challenge goes out and the restart counter is armed.  In the
 * peer role there is nothing to do but wait for a challenge.
 */
static void
sppp_chap_open(struct sppp *sp)
{
	int authenticator;

	authenticator = sp->myauth.proto == PPP_CHAP &&
	    (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0;
	if (!authenticator)
		return;		/* we are peer, await a challenge */

	/* we are authenticator for CHAP, start it */
	chap.scr(sp);
	sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure;
	sppp_cp_change_state(&chap, sp, STATE_REQ_SENT);
}
4214 
/*
 * Close event for CHAP: return to STATE_CLOSED unless already there.
 */
static void
sppp_chap_close(struct sppp *sp)
{
	if (sp->state[IDX_CHAP] == STATE_CLOSED)
		return;
	sppp_cp_change_state(&chap, sp, STATE_CLOSED);
}
4221 
/*
 * CHAP restart-timer expiry (callout; takes the sppp lock itself).
 *
 * The restart counter is decremented first.  Below zero (TO- event) a
 * still-pending challenge is abandoned and the protocol closed;
 * otherwise (TO+ or TO* event) the challenge is resent, with a fresh
 * retry budget if the link was already open (re-challenge case).
 * Other states are left alone.
 */
static void
sppp_chap_TO(void *cookie)
{
	struct sppp *sp = (struct sppp *)cookie;
	STDDCL;
	int state, expired;

	SPPP_LOCK(sp);
	state = sp->state[IDX_CHAP];
	if (debug)
		log(LOG_DEBUG, SPP_FMT "chap TO(%s) rst_counter = %d\n",
		    SPP_ARGS(ifp), sppp_state_name(state),
		    sp->rst_counter[IDX_CHAP]);

	expired = --sp->rst_counter[IDX_CHAP] < 0;
	if (expired) {
		/* TO- event: only a pending challenge needs action */
		if (state == STATE_REQ_SENT) {
			chap.tld(sp);
			sppp_cp_change_state(&chap, sp, STATE_CLOSED);
		}
	} else if (state == STATE_OPENED || state == STATE_REQ_SENT) {
		/* TO* event: a re-challenge starts with a full retry budget */
		if (state == STATE_OPENED)
			sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure;
		/* TO+ (or TO*) event: resend the challenge */
		chap.scr(sp);
		/* sppp_cp_change_state() will restart the timer */
		sppp_cp_change_state(&chap, sp, STATE_REQ_SENT);
	}

	SPPP_UNLOCK(sp);
}
4259 
/*
 * "This layer up" for CHAP: the peer authenticated successfully (or
 * re-authenticated after a re-challenge).
 *
 * Unless AUTHFLAG_NORECHALLENGE is set, a re-challenge is scheduled
 * 300..810 seconds from now.  random() only spreads that interval;
 * the challenge bytes themselves come from arc4random_buf() in
 * sppp_chap_scr().  The protocol is then registered with LCP and,
 * unless the remote side's authentication is still outstanding
 * (PP_NEEDAUTH), the link moves to network phase -- once only.
 */
static void
sppp_chap_tlu(struct sppp *sp)
{
	STDDCL;
	int rechallenge, secs = 0, deferred;

	sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure;

	/*
	 * Some broken CHAP implementations (Conware CoNet, firmware
	 * 4.0.?) don't want to re-authenticate their CHAP once the
	 * initial challenge-response exchange has taken place.
	 * Provide for an option to avoid rechallenges.
	 */
	rechallenge = (sp->hisauth.flags & AUTHFLAG_NORECHALLENGE) == 0;
	if (rechallenge) {
		/* 300 plus a 0..510 second jitter (bits 8..15 of random()) */
		secs = 300 + ((unsigned)(random() & 0xff00) >> 7);
		callout_reset(&sp->ch[IDX_CHAP], secs * hz, chap.TO, (void *)sp);
	}

	if (debug) {
		log(LOG_DEBUG,
		    SPP_FMT "chap %s, ",
		    SPP_ARGS(ifp),
		    sp->pp_phase == PHASE_NETWORK? "reconfirmed": "tlu");
		if (rechallenge)
			log(-1, "next re-challenge in %d seconds\n", secs);
		else
			log(-1, "re-challenging suppressed\n");
	}

	SPPP_LOCK(sp);
	/* indicate to LCP that we need to be closed down */
	sp->lcp.protos |= (1 << IDX_CHAP);
	/*
	 * Remote is authenticator, but his auth proto didn't complete
	 * yet: defer the transition to network phase.
	 */
	deferred = (sp->pp_flags & PP_NEEDAUTH) != 0;
	SPPP_UNLOCK(sp);
	if (deferred)
		return;

	/*
	 * Already in network phase means this is a dummy tlu event
	 * after a re-challenge; nothing more to do then.
	 */
	if (sp->pp_phase != PHASE_NETWORK)
		sppp_phase_network(sp);
}
4317 
/*
 * "This layer down" for CHAP: stop the (re-)challenge timer, withdraw
 * CHAP from LCP's set of protocols and close LCP -- the link cannot
 * stay up without authentication.
 */
static void
sppp_chap_tld(struct sppp *sp)
{
	STDDCL;
	const int bit = 1 << IDX_CHAP;

	if (debug)
		log(LOG_DEBUG, SPP_FMT "chap tld\n", SPP_ARGS(ifp));

	callout_stop(&sp->ch[IDX_CHAP]);
	sp->lcp.protos &= ~bit;
	lcp.Close(sp);
}
4330 
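/*
 * Send a CHAP challenge (scr event).
 *
 * Fills sp->myauth.challenge with fresh random bytes, bumps the CHAP
 * sequence number to obtain a new identifier, and transmits
 * <value-size, challenge, our name>.
 *
 * The challenge buffer is AUTHKEYLEN bytes: that is the length put on
 * the wire below, the length hashed when the response is verified in
 * sppp_chap_input() (where AUTHKEYLEN must match the MD5 digest size),
 * and the length cleared in sppp_params().  Fill exactly that many
 * bytes.  The previous code filled 4 * sizeof(u_long) through a u_long
 * pointer, which is 32 bytes on LP64 and therefore wrote past the end
 * of the challenge buffer into whatever follows it in struct sppp.
 */
static void
sppp_chap_scr(struct sppp *sp)
{
	u_char clen = AUTHKEYLEN;

	/* Fresh unpredictable challenge; never reuse the previous one. */
	arc4random_buf(sp->myauth.challenge, AUTHKEYLEN);

	sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP];

	sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP],
		       sizeof clen, (const char *)&clen,
		       (size_t)AUTHKEYLEN, sp->myauth.challenge,
		       (size_t)sppp_strnlen(sp->myauth.name, AUTHNAMELEN),
		       sp->myauth.name,
		       0);
}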
4351 
4352 /*
4353  *--------------------------------------------------------------------------*
4354  *                                                                          *
4355  *                        The PAP implementation.                           *
4356  *                                                                          *
4357  *--------------------------------------------------------------------------*
4358  */
4359 /*
4360  * For PAP, we need to keep a little state also if we are the peer, not the
4361  * authenticator.  This is since we don't get a request to authenticate, but
4362  * have to repeatedly authenticate ourself until we got a response (or the
4363  * retry counter is expired).
4364  */
4365 
4366 /*
4367  * Handle incoming PAP packets.  */
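static void sppp_pap_print_msg(struct lcp_header *h, int len);

/*
 * Handle incoming PAP packets.
 *
 * 'len' is the smaller of the mbuf packet length and the length field
 * in the header, so every offset below is checked against what was
 * actually received.  The header is read from the first mbuf only
 * (assumes the caller made it contiguous -- TODO confirm in sppp_input).
 *
 * PAP_REQ is handled when we are the authenticator: the peer's name
 * and password are compared against sp->hisauth and answered with
 * PAP_ACK or PAP_NAK.  PAP_ACK/PAP_NAK are handled when we are the
 * peer: they end our own request timer and, for an ack, may move the
 * link to network phase.  Unknown types are logged (debug) and ignored.
 */
static void
sppp_pap_input(struct sppp *sp, struct mbuf *m)
{
	STDDCL;
	struct lcp_header *h;
	int len;
	u_char *name, *passwd, mlen;
	int name_len, passwd_len;

	len = m->m_pkthdr.len;
	if (len < 5) {
		if (debug)
			log(LOG_DEBUG,
			    SPP_FMT "pap invalid packet length: %d bytes\n",
			    SPP_ARGS(ifp), len);
		return;
	}
	h = mtod (m, struct lcp_header*);
	/* never trust the header's length beyond what was received */
	if (len > ntohs (h->len))
		len = ntohs (h->len);
	switch (h->type) {
	/* PAP request is my authproto */
	case PAP_REQ:
		/*
		 * Layout after the 4-byte header:
		 * <name-len><name...><passwd-len><passwd...>.
		 * name-len lives at offset 4 (covered by len >= 5 above);
		 * the two range checks keep name, the passwd-len byte and
		 * passwd inside 'len'.
		 */
		name = 1 + (u_char*)(h+1);
		name_len = name[-1];
		passwd = name + name_len + 1;
		if (name_len > len - 6 ||
		    (passwd_len = passwd[-1]) > len - 6 - name_len) {
			if (debug) {
				log(LOG_DEBUG, SPP_FMT "pap corrupted input "
				    "<%s id=0x%x len=%d",
				    SPP_ARGS(ifp),
				    sppp_auth_type_name(PPP_PAP, h->type),
				    h->ident, ntohs(h->len));
				sppp_print_bytes((u_char*)(h+1), len-4);
				log(-1, ">\n");
			}
			break;
		}
		if (debug) {
			/* debug logging prints the received password in clear */
			log(LOG_DEBUG, SPP_FMT "pap input(%s) "
			    "<%s id=0x%x len=%d name=",
			    SPP_ARGS(ifp),
			    sppp_state_name(sp->state[IDX_PAP]),
			    sppp_auth_type_name(PPP_PAP, h->type),
			    h->ident, ntohs(h->len));
			sppp_print_string((char*)name, name_len);
			log(-1, " passwd=");
			sppp_print_string((char*)passwd, passwd_len);
			log(-1, ">\n");
		}
		/*
		 * Lengths are compared first so bcmp() never reads past
		 * either the packet or the configured strings.
		 * NOTE(review): bcmp() is not constant-time; the secret
		 * comparison leaks timing on the first mismatching byte.
		 */
		if (name_len != sppp_strnlen(sp->hisauth.name, AUTHNAMELEN) ||
		    passwd_len != sppp_strnlen(sp->hisauth.secret, AUTHKEYLEN) ||
		    bcmp(name, sp->hisauth.name, name_len) != 0 ||
		    bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) {
			/* action scn, tld */
			mlen = sizeof(FAILMSG) - 1;
			sppp_auth_send(&pap, sp, PAP_NAK, h->ident,
				       sizeof mlen, (const char *)&mlen,
				       sizeof(FAILMSG) - 1, (u_char *)FAILMSG,
				       0);
			pap.tld(sp);
			break;
		}
		/* action sca, perhaps tlu */
		if (sp->state[IDX_PAP] == STATE_REQ_SENT ||
		    sp->state[IDX_PAP] == STATE_OPENED) {
			mlen = sizeof(SUCCMSG) - 1;
			sppp_auth_send(&pap, sp, PAP_ACK, h->ident,
				       sizeof mlen, (const char *)&mlen,
				       sizeof(SUCCMSG) - 1, (u_char *)SUCCMSG,
				       0);
		}
		if (sp->state[IDX_PAP] == STATE_REQ_SENT) {
			sppp_cp_change_state(&pap, sp, STATE_OPENED);
			pap.tlu(sp);
		}
		break;

	/* ack and nak are his authproto */
	case PAP_ACK:
		callout_stop(&sp->pap_my_to_ch);
		if (debug) {
			log(LOG_DEBUG, SPP_FMT "pap success",
			    SPP_ARGS(ifp));
			sppp_pap_print_msg(h, len);
			log(-1, "\n");
		}
		SPPP_LOCK(sp);
		sp->pp_flags &= ~PP_NEEDAUTH;
		if (sp->myauth.proto == PPP_PAP &&
		    (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) &&
		    (sp->lcp.protos & (1 << IDX_PAP)) == 0) {
			/*
			 * We are authenticator for PAP but didn't
			 * complete yet.  Leave it to tlu to proceed
			 * to network phase.
			 */
			SPPP_UNLOCK(sp);
			break;
		}
		SPPP_UNLOCK(sp);
		sppp_phase_network(sp);
		break;

	case PAP_NAK:
		callout_stop (&sp->pap_my_to_ch);
		if (debug) {
			log(LOG_INFO, SPP_FMT "pap failure",
			    SPP_ARGS(ifp));
			sppp_pap_print_msg(h, len);
			log(-1, "\n");
		} else
			log(LOG_INFO, SPP_FMT "pap failure\n",
			    SPP_ARGS(ifp));
		/* await LCP shutdown by authenticator */
		break;

	default:
		/* Unknown PAP packet type -- ignore. */
		if (debug) {
			log(LOG_DEBUG, SPP_FMT "pap corrupted input "
			    "<0x%x id=0x%x len=%d",
			    SPP_ARGS(ifp),
			    h->type, h->ident, ntohs(h->len));
			sppp_print_bytes((u_char*)(h+1), len-4);
			log(-1, ">\n");
		}
		break;
	}
}

/*
 * Print the optional <msg-length><message> that follows the 4-byte
 * header of a PAP Ack/Nak -- the layout this file itself produces via
 * sppp_auth_send() in the PAP_REQ case above.  'len' is the usable
 * packet length.  Nothing is printed when the length byte is absent,
 * zero, or claims more bytes than the packet carries.
 *
 * The previous code took the message length from *(char *)h, i.e. the
 * header's type byte, and printed from the length byte onwards.
 */
static void
sppp_pap_print_msg(struct lcp_header *h, int len)
{
	int msg_len;

	if (len <= 4)
		return;		/* no msg-length byte present */
	msg_len = *((u_char *)(h + 1));
	if (msg_len > 0 && msg_len <= len - 5) {
		log(-1, ": ");
		sppp_print_string((char *)(h + 1) + 1, msg_len);
	}
}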
4507 
/*
 * Reset the PAP control-protocol slot of 'sp' for a fresh link.
 * PAP has no STATE_INITIAL, so it starts in STATE_CLOSED.  Two
 * callouts are initialised (1 == mpsafe): the authenticator-side
 * restart timer and our own request timer (pap_my_to_ch).
 */
static void
sppp_pap_init(struct sppp *sp)
{
	const int idx = IDX_PAP;

	sp->state[idx] = STATE_CLOSED;	/* no STATE_INITIAL in PAP */
	sp->fail_counter[idx] = 0;
	sp->pp_seq[idx] = 0;
	sp->pp_rseq[idx] = 0;
	callout_init(&sp->ch[idx], 1);
	callout_init(&sp->pap_my_to_ch, 1);
}
4519 
/*
 * Open event for PAP.  Both roles may apply on the same link: as the
 * authenticator we merely arm the restart counter and wait for the
 * peer's request; as the peer we send our request right away and start
 * the retransmit timer (see sppp_pap_my_TO()).
 */
static void
sppp_pap_open(struct sppp *sp)
{
	const int lcp_auth = (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0;

	if (sp->hisauth.proto == PPP_PAP && lcp_auth) {
		/* we are authenticator for PAP, start our timer */
		sp->rst_counter[IDX_PAP] = sp->lcp.max_configure;
		sppp_cp_change_state(&pap, sp, STATE_REQ_SENT);
	}
	if (sp->myauth.proto == PPP_PAP) {
		/* we are peer, send a request, and start a timer */
		pap.scr(sp);
		callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout,
			      sppp_pap_my_TO, (void *)sp);
	}
}
4536 
/*
 * Close event for PAP: return to STATE_CLOSED unless already there.
 */
static void
sppp_pap_close(struct sppp *sp)
{
	if (sp->state[IDX_PAP] == STATE_CLOSED)
		return;
	sppp_cp_change_state(&pap, sp, STATE_CLOSED);
}
4543 
4544 /*
4545  * That's the timeout routine if we are authenticator.  Since the
4546  * authenticator is basically passive in PAP, we can't do much here.
4547  */
/*
 * PAP restart-timer expiry when we are the authenticator (callout;
 * takes the sppp lock itself).  Only STATE_REQ_SENT is acted on: when
 * the restart counter runs out (TO- event) the protocol is torn down
 * and closed, otherwise (TO+ event) the state is re-entered, which
 * restarts the timer.
 */
static void
sppp_pap_TO(void *cookie)
{
	struct sppp *sp = (struct sppp *)cookie;
	STDDCL;
	int waiting;

	SPPP_LOCK(sp);
	if (debug)
		log(LOG_DEBUG, SPP_FMT "pap TO(%s) rst_counter = %d\n",
		    SPP_ARGS(ifp),
		    sppp_state_name(sp->state[IDX_PAP]),
		    sp->rst_counter[IDX_PAP]);

	waiting = sp->state[IDX_PAP] == STATE_REQ_SENT;
	if (--sp->rst_counter[IDX_PAP] < 0) {
		/* TO- event */
		if (waiting) {
			pap.tld(sp);
			sppp_cp_change_state(&pap, sp, STATE_CLOSED);
		}
	} else if (waiting) {
		/* TO+ event, not very much we could do */
		/* sppp_cp_change_state() will restart the timer */
		sppp_cp_change_state(&pap, sp, STATE_REQ_SENT);
	}

	SPPP_UNLOCK(sp);
}
4580 
4581 /*
4582  * That's the timeout handler if we are peer.  Since the peer is active,
4583  * we need to retransmit our PAP request since it is apparently lost.
4584  * XXX We should impose a max counter.
4585  */
/*
 * Retransmit timer when we are the PAP peer: our request apparently
 * got lost, so send it again (pap.scr re-arms nothing itself; the
 * caller of sppp_pap_open() started this timer).  Runs as a callout
 * and takes the sppp lock around the send.
 */
static void
sppp_pap_my_TO(void *cookie)
{
	struct sppp *sp = (struct sppp *)cookie;
	STDDCL;

	if (debug)
		log(LOG_DEBUG, SPP_FMT "pap peer TO\n",
		    SPP_ARGS(ifp));

	SPPP_LOCK(sp);
	pap.scr(sp);
	SPPP_UNLOCK(sp);
}
4600 
/*
 * "This layer up" for PAP: the peer authenticated successfully.
 * Registers PAP with LCP and, unless the remote side's authentication
 * of us is still outstanding (PP_NEEDAUTH), moves the link to
 * network phase.
 */
static void
sppp_pap_tlu(struct sppp *sp)
{
	STDDCL;
	int deferred;

	sp->rst_counter[IDX_PAP] = sp->lcp.max_configure;

	if (debug)
		log(LOG_DEBUG, SPP_FMT "%s tlu\n",
		    SPP_ARGS(ifp), pap.name);

	SPPP_LOCK(sp);
	/* indicate to LCP that we need to be closed down */
	sp->lcp.protos |= (1 << IDX_PAP);
	/*
	 * Remote is authenticator, but his auth proto didn't complete
	 * yet: defer the transition to network phase.
	 */
	deferred = (sp->pp_flags & PP_NEEDAUTH) != 0;
	SPPP_UNLOCK(sp);

	if (deferred)
		return;
	sppp_phase_network(sp);
}
4628 
/*
 * "This layer down" for PAP: stop both PAP timers (authenticator
 * restart timer and our own request timer), withdraw PAP from LCP's
 * protocol set and close LCP.
 */
static void
sppp_pap_tld(struct sppp *sp)
{
	STDDCL;
	const int bit = 1 << IDX_PAP;

	if (debug)
		log(LOG_DEBUG, SPP_FMT "pap tld\n", SPP_ARGS(ifp));

	callout_stop(&sp->ch[IDX_PAP]);
	callout_stop(&sp->pap_my_to_ch);
	sp->lcp.protos &= ~bit;
	lcp.Close(sp);
}
4642 
/*
 * Send our PAP Authenticate-Request (peer role):
 * <name-len, name, passwd-len, passwd> with a fresh identifier.
 * Note that PAP puts the secret on the wire in clear; this is inherent
 * to the protocol, not to this implementation.
 */
static void
sppp_pap_scr(struct sppp *sp)
{
	u_char idlen, pwdlen;

	idlen = sppp_strnlen(sp->myauth.name, AUTHNAMELEN);
	pwdlen = sppp_strnlen(sp->myauth.secret, AUTHKEYLEN);
	sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP];

	sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP],
		       sizeof idlen, (const char *)&idlen,
		       (size_t)idlen, sp->myauth.name,
		       sizeof pwdlen, (const char *)&pwdlen,
		       (size_t)pwdlen, sp->myauth.secret,
		       0);
}
4659 
4660 /*
4661  * Random miscellaneous functions.
4662  */
4663 
4664 /*
4665  * Send a PAP or CHAP proto packet.
4666  *
 * Variadic function, each of the elements for the ellipsis is of type
4668  * ``size_t mlen, const u_char *msg''.  Processing will stop iff
4669  * mlen == 0.
4670  * NOTE: never declare variadic functions with types subject to type
4671  * promotion (i.e. u_char). This is asking for big trouble depending
4672  * on the architecture you are on...
4673  */
4674 
/*
 * Build and queue one PAP/CHAP packet for control protocol 'cp'.
 *
 * The variadic tail is a list of (size_t mlen, const char *msg) pairs
 * terminated by mlen == 0; the pieces are concatenated behind the
 * PPP and LCP headers in a single header mbuf.  If the total would not
 * fit in MHLEN the packet is silently dropped (mbuf freed, nothing
 * sent, no counter bumped); an mbuf allocation failure is dropped the
 * same way.  The finished packet goes to the control queue; a handoff
 * failure is counted as an output error.
 */
static void
sppp_auth_send(const struct cp *cp, struct sppp *sp,
	       unsigned int type, unsigned int id,
	       ...)
{
	STDDCL;
	struct ppp_header *h;
	struct lcp_header *lh;
	struct mbuf *m;
	u_char *wp;
	int len = 0;
	const int room = MHLEN - PPP_HEADER_LEN - LCP_HEADER_LEN;
	unsigned int mlen;
	const char *msg;
	va_list ap;

	MGETHDR(m, M_NOWAIT, MT_DATA);
	if (m == NULL)
		return;
	m->m_pkthdr.rcvif = NULL;

	h = mtod(m, struct ppp_header *);
	h->address = PPP_ALLSTATIONS;		/* broadcast address */
	h->control = PPP_UI;			/* Unnumbered Info */
	h->protocol = htons(cp->proto);

	lh = (struct lcp_header *)(h + 1);
	lh->type = type;
	lh->ident = id;
	wp = (u_char *)(lh + 1);

	va_start(ap, id);
	for (;;) {
		mlen = (unsigned int)va_arg(ap, size_t);
		if (mlen == 0)
			break;
		msg = va_arg(ap, const char *);
		len += mlen;
		/* bound check before the copy, never after */
		if (len > room) {
			va_end(ap);
			m_freem(m);
			return;
		}
		bcopy(msg, wp, mlen);
		wp += mlen;
	}
	va_end(ap);

	m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + LCP_HEADER_LEN + len;
	lh->len = htons(LCP_HEADER_LEN + len);

	if (debug) {
		log(LOG_DEBUG, SPP_FMT "%s output <%s id=0x%x len=%d",
		    SPP_ARGS(ifp), cp->name,
		    sppp_auth_type_name(cp->proto, lh->type),
		    lh->ident, ntohs(lh->len));
		sppp_print_bytes((u_char *)(lh + 1), len);
		log(-1, ">\n");
	}
	if (!IF_HANDOFF_ADJ(&sp->pp_cpq, m, ifp, 3))
		if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
}
4736 
4737 /*
4738  * Flush interface queue.
4739  */
/*
 * Free every packet on 'ifq' and reset the queue to empty.
 * Takes no lock; the callers in this file hold the sppp lock.
 */
static void
sppp_qflush(struct ifqueue *ifq)
{
	struct mbuf *m = ifq->ifq_head;

	while (m != NULL) {
		struct mbuf *next = m->m_nextpkt;

		m_freem(m);
		m = next;
	}
	ifq->ifq_head = NULL;
	ifq->ifq_tail = NULL;
	ifq->ifq_len = 0;
}
4754 
4755 /*
4756  * Send keepalive packets, every 10 seconds.
4757  */
static void sppp_keepalive_locked(struct sppp *sp, struct ifnet *ifp);

/*
 * Periodic keepalive callout.  Re-arms itself every 10 seconds
 * unconditionally; the actual work only happens while keepalives are
 * enabled and the interface is running.
 */
static void
sppp_keepalive(void *dummy)
{
	struct sppp *sp = (struct sppp *)dummy;
	struct ifnet *ifp = SP2IFP(sp);
	int active;

	SPPP_LOCK(sp);
	/* Keepalive mode disabled or channel down? */
	active = (sp->pp_flags & PP_KEEPALIVE) != 0 &&
	    (ifp->if_drv_flags & IFF_DRV_RUNNING) != 0;
	if (active)
		sppp_keepalive_locked(sp, ifp);
	SPPP_UNLOCK(sp);

	callout_reset(&sp->keepalive_callout, hz * 10, sppp_keepalive,
	    (void *)sp);
}

/*
 * Keepalive work for an enabled, running link; sppp lock held.
 *
 * Frame relay has its own keepalive.  In PPP mode nothing is sent
 * before LCP reached at least the authenticate phase.  Once
 * MAXALIVECNT probes went unanswered the interface is taken down and
 * (PPP mode) LCP is bounced; the counter then parks at MAXALIVECNT + 1
 * so that path does not repeat every period (presumably it is reset
 * when a reply arrives -- handled elsewhere).  Finally one probe is
 * sent: a Cisco keepalive request or an LCP Echo-Request carrying our
 * magic number.
 */
static void
sppp_keepalive_locked(struct sppp *sp, struct ifnet *ifp)
{
	if (sp->pp_mode == PP_FR) {
		sppp_fr_keepalive(sp);
		return;
	}

	/* No keepalive in PPP mode if LCP not opened yet. */
	if (sp->pp_mode != IFF_CISCO && sp->pp_phase < PHASE_AUTHENTICATE)
		return;

	if (sp->pp_alivecnt == MAXALIVECNT) {
		/* No keepalive packets got.  Stop the interface. */
		printf(SPP_FMT "down\n", SPP_ARGS(ifp));
		if_down(ifp);
		sppp_qflush(&sp->pp_cpq);
		if (sp->pp_mode != IFF_CISCO) {
			/* XXX */
			/* Shut down the PPP link. */
			lcp.Down(sp);
			/* Initiate negotiation. XXX */
			lcp.Up(sp);
		}
	}
	if (sp->pp_alivecnt <= MAXALIVECNT)
		++sp->pp_alivecnt;

	if (sp->pp_mode == IFF_CISCO) {
		sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ,
		    ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]);
	} else if (sp->pp_phase >= PHASE_AUTHENTICATE) {
		uint32_t nmagic = htonl(sp->lcp.magic);

		sp->lcp.echoid = ++sp->pp_seq[IDX_LCP];
		sppp_cp_send(sp, PPP_LCP, ECHO_REQ,
		    sp->lcp.echoid, 4, &nmagic);
	}
}
4809 
4810 /*
4811  * Get both IP addresses.
4812  */
/*
 * Fetch the link's IPv4 addresses in host byte order.
 *
 * src / dst / srcmask may each be NULL to skip that value.  The first
 * AF_INET address on the interface is used (aliases make no sense on a
 * p2p link); src and dst come back as 0 when there is no such address
 * or the respective field is 0.0.0.0.  srcmask is only written when a
 * non-zero local address was found.
 * NOTE(review): the netmask pointer is dereferenced without a NULL
 * check -- relies on every AF_INET ifaddr carrying a netmask; confirm.
 */
void
sppp_get_ip_addrs(struct sppp *sp, u_long *src, u_long *dst, u_long *srcmask)
{
	struct epoch_tracker et;
	struct ifnet *ifp = SP2IFP(sp);
	struct ifaddr *ifa, *found = NULL;
	struct sockaddr_in *sin, *mask = NULL;
	u_long my = 0L, his = 0L;

	NET_EPOCH_ENTER(et);
	CK_STAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
		if (ifa->ifa_addr->sa_family != AF_INET)
			continue;
		found = ifa;
		mask = (struct sockaddr_in *)ifa->ifa_netmask;
		break;
	}
	if (found != NULL) {
		sin = (struct sockaddr_in *)found->ifa_addr;
		if (sin != NULL && sin->sin_addr.s_addr != 0) {
			my = sin->sin_addr.s_addr;
			if (srcmask != NULL)
				*srcmask = ntohl(mask->sin_addr.s_addr);
		}

		sin = (struct sockaddr_in *)found->ifa_dstaddr;
		if (sin != NULL && sin->sin_addr.s_addr != 0)
			his = sin->sin_addr.s_addr;
	}
	NET_EPOCH_EXIT(et);

	if (dst != NULL)
		*dst = ntohl(his);
	if (src != NULL)
		*src = ntohl(my);
}
4853 
4854 #ifdef INET
4855 /*
4856  * Set my IP address.
4857  */
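/*
 * Set my IPv4 address to 'src' (host byte order).
 *
 * Locates the interface's first AF_INET address (aliases make no sense
 * on a p2p link), withdraws its routing-socket announcement and route,
 * rewrites the address in place, re-links the in_ifaddr into the hash
 * chain for the new address, and re-adds announcement and route.
 * Route errors are only reported, and only in debug mode.  Does
 * nothing when the interface has no AF_INET address.
 */
static void
sppp_set_ip_addr(struct sppp *sp, u_long src)
{
	STDDCL;
	struct epoch_tracker et;
	struct ifaddr *ifa;
	struct sockaddr_in *si;
	struct in_ifaddr *ia;

	/*
	 * Pick the first AF_INET address from the list,
	 * aliases don't make any sense on a p2p link anyway.
	 */
	si = NULL;
	NET_EPOCH_ENTER(et);
	CK_STAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
		if (ifa->ifa_addr->sa_family == AF_INET) {
			si = (struct sockaddr_in *)ifa->ifa_addr;
			if (si != NULL) {
				/* keep ifa (and si) alive past the epoch */
				ifa_ref(ifa);
				break;
			}
		}
	}
	NET_EPOCH_EXIT(et);

	if (ifa != NULL) {
		int error;
		int fibnum = ifp->if_fib;

		rt_addrmsg(RTM_DELETE, ifa, fibnum);
		/* delete old route */
		ia = ifatoia(ifa);
		error = in_handle_ifaddr_route(RTM_DELETE, ia);
		if (debug && error) {
			log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: rtinit DEL failed, error=%d\n",
			    SPP_ARGS(ifp), error);
		}

		/* set new address; the hash chain is keyed by it, so re-link */
		si->sin_addr.s_addr = htonl(src);
		IN_IFADDR_WLOCK();
		LIST_REMOVE(ia, ia_hash);
		LIST_INSERT_HEAD(INADDR_HASH(si->sin_addr.s_addr), ia, ia_hash);
		IN_IFADDR_WUNLOCK();

		rt_addrmsg(RTM_ADD, ifa, fibnum);
		/* add new route */
		error = in_handle_ifaddr_route(RTM_ADD, ia);
		if (debug && error) {
			/* message used to lack the newline the DEL one has */
			log(LOG_DEBUG, SPP_FMT "sppp_set_ip_addr: rtinit ADD failed, error=%d\n",
			    SPP_ARGS(ifp), error);
		}
		ifa_free(ifa);
	}
}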
4914 #endif
4915 
4916 #ifdef INET6
4917 /*
4918  * Get both IPv6 addresses.
4919  */
/*
 * Fetch the link's IPv6 addresses.
 *
 * src / dst / srcmask may each be NULL to skip that value.  Only the
 * first link-local AF_INET6 address is considered (aliases make no
 * sense on a p2p link); src and dst are the unspecified address when
 * nothing suitable is found.  srcmask is only written when a specified
 * local address was found.
 */
static void
sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst,
		   struct in6_addr *srcmask)
{
	struct epoch_tracker et;
	struct ifnet *ifp = SP2IFP(sp);
	struct ifaddr *ifa, *found = NULL;
	struct sockaddr_in6 *sin6, *mask;
	struct in6_addr my, his;

	bzero(&my, sizeof(my));
	bzero(&his, sizeof(his));

	NET_EPOCH_ENTER(et);
	CK_STAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
		if (ifa->ifa_addr->sa_family != AF_INET6)
			continue;
		sin6 = (struct sockaddr_in6 *)ifa->ifa_addr;
		if (sin6 != NULL && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) {
			found = ifa;
			break;
		}
	}
	if (found != NULL) {
		sin6 = (struct sockaddr_in6 *)found->ifa_addr;
		mask = (struct sockaddr_in6 *)found->ifa_netmask;
		if (sin6 != NULL && !IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) {
			bcopy(&sin6->sin6_addr, &my, sizeof(my));
			if (srcmask != NULL)
				bcopy(&mask->sin6_addr, srcmask,
				      sizeof(*srcmask));
		}

		sin6 = (struct sockaddr_in6 *)found->ifa_dstaddr;
		if (sin6 != NULL && !IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr))
			bcopy(&sin6->sin6_addr, &his, sizeof(his));
	}
	NET_EPOCH_EXIT(et);

	/* copies are from locals, so the epoch need not cover them */
	if (dst != NULL)
		bcopy(&his, dst, sizeof(*dst));
	if (src != NULL)
		bcopy(&my, src, sizeof(*src));
}
4966 
4967 #ifdef IPV6CP_MYIFID_DYN
4968 /*
4969  * Generate random ifid.
4970  */
/*
 * Generate a random interface identifier for 'sp' into 'addr'.
 * Not implemented: 'addr' is left untouched and 'sp' is unused.
 * Only compiled when IPV6CP_MYIFID_DYN is defined (see the enclosing
 * #ifdef).
 */
static void
sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr)
{
	/* TBD */
}
4976 
4977 /*
4978  * Set my IPv6 address.
4979  */
/*
 * Set my IPv6 link-local address to 'src'.
 *
 * Finds the interface's first link-local AF_INET6 address (aliases
 * make no sense on a p2p link), takes a reference on it so it survives
 * leaving the epoch, and re-initialises it with the new address via
 * in6_ifinit().  Errors are only logged in debug mode.  Does nothing
 * when no link-local address exists.
 */
static void
sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src)
{
	STDDCL;
	struct epoch_tracker et;
	struct ifaddr *ifa, *found = NULL;
	struct sockaddr_in6 *sin6 = NULL;
	struct sockaddr_in6 new_sin6;
	int error;

	NET_EPOCH_ENTER(et);
	CK_STAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
		if (ifa->ifa_addr->sa_family != AF_INET6)
			continue;
		sin6 = (struct sockaddr_in6 *)ifa->ifa_addr;
		if (sin6 != NULL && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) {
			ifa_ref(ifa);	/* keep ifa and sin6 alive past the epoch */
			found = ifa;
			break;
		}
	}
	NET_EPOCH_EXIT(et);

	if (found == NULL)
		return;

	new_sin6 = *sin6;
	bcopy(src, &new_sin6.sin6_addr, sizeof(new_sin6.sin6_addr));
	error = in6_ifinit(ifp, ifatoia6(found), &new_sin6, 1);
	if (debug && error)
		log(LOG_DEBUG, SPP_FMT "sppp_set_ip6_addr: in6_ifinit  failed, error=%d\n",
		    SPP_ARGS(ifp), error);
	ifa_free(found);
}
5019 #endif
5020 
5021 /*
5022  * Suggest a candidate address to be used by peer.
5023  */
/*
 * Suggest a candidate link-local address for the peer, derived from
 * our own: the u/l bit is forced to "local" and the last two bytes are
 * XORed with the low bytes of the current time (0xff when both happen
 * to be zero, so the result always differs from ours).  'suggest' may
 * be NULL, in which case only the computation is done.
 */
static void
sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest)
{
	struct in6_addr cand;
	struct timeval now;
	u_char lo_usec, lo_sec;

	sppp_get_ip6_addrs(sp, &cand, NULL, NULL);

	cand.s6_addr[8] &= ~0x02;	/* u bit to "local" */
	microtime(&now);
	lo_usec = now.tv_usec & 0xff;
	lo_sec = now.tv_sec & 0xff;
	if (lo_usec == 0 && lo_sec == 0)
		lo_usec = lo_sec = 0xff;
	cand.s6_addr[14] ^= lo_usec;
	cand.s6_addr[15] ^= lo_sec;

	if (suggest != NULL)
		bcopy(&cand, suggest, sizeof(cand));
}
5044 #endif /*INET6*/
5045 
/*
 * SIOC[GS]IFGENERIC back end: read (SPPPIOGDEFS) or change
 * (SPPPIOSDEFS) the authentication and LCP parameters of 'sp'.
 *
 * 'data' is the ifreq; its data pointer must point to a struct
 * spppreq in user space whose first word is the sub-command.
 * Returns 0 or an errno: EAGAIN (no memory), EFAULT (bad user
 * pointer), EINVAL (sub-command/ioctl mismatch or bad proto), EBUSY
 * (SPPPIOSDEFS while LCP is past establish phase), or the copyout
 * error for SPPPIOGDEFS.
 * NOTE(review): no privilege check is made here; SPPPIOSDEFS relies
 * on the ioctl caller gating SIOCSIFGENERIC -- confirm in sppp_ioctl.
 */
static int
sppp_params(struct sppp *sp, u_long cmd, void *data)
{
	u_long subcmd;
	struct ifreq *ifr = (struct ifreq *)data;
	struct spppreq *spr;
	int rv = 0;

	if ((spr = malloc(sizeof(struct spppreq), M_TEMP, M_NOWAIT)) == NULL)
		return (EAGAIN);
	/*
	 * ifr_data_get_ptr(ifr) is supposed to point to a struct spppreq.
	 * Check the cmd word first before attempting to fetch all the
	 * data.
	 */
	/* fueword() yields -1 on fault, 0 on success; rv is 0 past here */
	rv = fueword(ifr_data_get_ptr(ifr), &subcmd);
	if (rv == -1) {
		rv = EFAULT;
		goto quit;
	}

	/*
	 * The dispatch below uses the word fetched above, not the copy
	 * in spr, so a concurrent rewrite of the user buffer between the
	 * two reads cannot change which case runs.
	 */
	if (copyin(ifr_data_get_ptr(ifr), spr, sizeof(struct spppreq)) != 0) {
		rv = EFAULT;
		goto quit;
	}

	switch (subcmd) {
	case (u_long)SPPPIOGDEFS:
		if (cmd != SIOCGIFGENERIC) {
			rv = EINVAL;
			break;
		}
		/*
		 * We copy over the entire current state, but clean
		 * out some of the stuff we don't wanna pass up.
		 * Remember, SIOCGIFGENERIC is unprotected, and can be
		 * called by any user.  No need to ever get PAP or
		 * CHAP secrets back to userland anyway.
		 */
		spr->defs.pp_phase = sp->pp_phase;
		spr->defs.enable_vj = (sp->confflags & CONF_ENABLE_VJ) != 0;
		spr->defs.enable_ipv6 = (sp->confflags & CONF_ENABLE_IPV6) != 0;
		spr->defs.lcp = sp->lcp;
		spr->defs.ipcp = sp->ipcp;
		spr->defs.ipv6cp = sp->ipv6cp;
		spr->defs.myauth = sp->myauth;
		spr->defs.hisauth = sp->hisauth;
		/*
		 * The struct copies above pulled the secrets and
		 * challenges into spr; these four bzero()s are what keeps
		 * them out of the copyout.  Keep them if fields are added.
		 */
		bzero(spr->defs.myauth.secret, AUTHKEYLEN);
		bzero(spr->defs.myauth.challenge, AUTHKEYLEN);
		bzero(spr->defs.hisauth.secret, AUTHKEYLEN);
		bzero(spr->defs.hisauth.challenge, AUTHKEYLEN);
		/*
		 * Fixup the LCP timeout value to milliseconds so
		 * spppcontrol doesn't need to bother about the value
		 * of "hz".  We do the reverse calculation below when
		 * setting it.
		 */
		spr->defs.lcp.timeout = sp->lcp.timeout * 1000 / hz;
		rv = copyout(spr, ifr_data_get_ptr(ifr),
		    sizeof(struct spppreq));
		break;

	case (u_long)SPPPIOSDEFS:
		if (cmd != SIOCSIFGENERIC) {
			rv = EINVAL;
			break;
		}
		/*
		 * We have a very specific idea of which fields we
		 * allow being passed back from userland, so to not
		 * clobber our current state.  For one, we only allow
		 * setting anything if LCP is in dead or establish
		 * phase.  Once the authentication negotiations
		 * started, the authentication settings must not be
		 * changed again.  (The administrator can force an
		 * ifconfig down in order to get LCP back into dead
		 * phase.)
		 *
		 * Also, we only allow for authentication parameters to be
		 * specified.
		 *
		 * XXX Should allow to set or clear pp_flags.
		 *
		 * Finally, if the respective authentication protocol to
		 * be used is set differently than 0, but the secret is
		 * passed as all zeros, we don't trash the existing secret.
		 * This allows an administrator to change the system name
		 * only without clobbering the secret (which he didn't get
		 * back in a previous SPPPIOGDEFS call).  However, the
		 * secrets are cleared if the authentication protocol is
		 * reset to 0.  */
		if (sp->pp_phase != PHASE_DEAD &&
		    sp->pp_phase != PHASE_ESTABLISH) {
			rv = EBUSY;
			break;
		}

		/* only 0 (off), PAP or CHAP are accepted for either side */
		if ((spr->defs.myauth.proto != 0 && spr->defs.myauth.proto != PPP_PAP &&
		     spr->defs.myauth.proto != PPP_CHAP) ||
		    (spr->defs.hisauth.proto != 0 && spr->defs.hisauth.proto != PPP_PAP &&
		     spr->defs.hisauth.proto != PPP_CHAP)) {
			rv = EINVAL;
			break;
		}

		/*
		 * Names and secrets are copied as fixed-size, possibly
		 * unterminated buffers; every reader in this file bounds
		 * them with sppp_strnlen(..., AUTHNAMELEN/AUTHKEYLEN).
		 */
		if (spr->defs.myauth.proto == 0)
			/* resetting myauth */
			bzero(&sp->myauth, sizeof sp->myauth);
		else {
			/* setting/changing myauth */
			sp->myauth.proto = spr->defs.myauth.proto;
			bcopy(spr->defs.myauth.name, sp->myauth.name, AUTHNAMELEN);
			if (spr->defs.myauth.secret[0] != '\0')
				bcopy(spr->defs.myauth.secret, sp->myauth.secret,
				      AUTHKEYLEN);
		}
		if (spr->defs.hisauth.proto == 0)
			/* resetting hisauth */
			bzero(&sp->hisauth, sizeof sp->hisauth);
		else {
			/* setting/changing hisauth */
			sp->hisauth.proto = spr->defs.hisauth.proto;
			sp->hisauth.flags = spr->defs.hisauth.flags;
			bcopy(spr->defs.hisauth.name, sp->hisauth.name, AUTHNAMELEN);
			if (spr->defs.hisauth.secret[0] != '\0')
				bcopy(spr->defs.hisauth.secret, sp->hisauth.secret,
				      AUTHKEYLEN);
		}
		/* set LCP restart timer timeout */
		/*
		 * NOTE(review): user-supplied milliseconds are multiplied
		 * by hz with no range check -- a very large value can
		 * overflow, a value below 1000/hz yields 0 ticks.
		 * Consider bounding it.
		 */
		if (spr->defs.lcp.timeout != 0)
			sp->lcp.timeout = spr->defs.lcp.timeout * hz / 1000;
		/* set VJ enable and IPv6 disable flags */
#ifdef INET
		if (spr->defs.enable_vj)
			sp->confflags |= CONF_ENABLE_VJ;
		else
			sp->confflags &= ~CONF_ENABLE_VJ;
#endif
#ifdef INET6
		if (spr->defs.enable_ipv6)
			sp->confflags |= CONF_ENABLE_IPV6;
		else
			sp->confflags &= ~CONF_ENABLE_IPV6;
#endif
		break;

	default:
		rv = EINVAL;
	}

 quit:
	free(spr, M_TEMP);

	return (rv);
}
5201 
static void
sppp_phase_network(struct sppp *sp)
{
	STDDCL;
	int idx;
	u_long bit;

	/*
	 * Enter the NETWORK phase: first Open() every control protocol
	 * flagged as an NCP, then deliver an Up event to those NCPs whose
	 * bit is set in sp->lcp.protos (bit idx belongs to cps[idx]).
	 */
	sp->pp_phase = PHASE_NETWORK;

	if (debug)
		log(LOG_DEBUG, SPP_FMT "phase %s\n", SPP_ARGS(ifp),
		    sppp_phase_name(sp->pp_phase));

	/* Pass 1: open every NCP. */
	for (idx = 0; idx < IDX_COUNT; idx++) {
		if (((cps[idx])->flags & CP_NCP) == 0)
			continue;
		(cps[idx])->Open(sp);
	}

	/* Pass 2: Up event for the NCPs LCP negotiated. */
	bit = 1;
	for (idx = 0; idx < IDX_COUNT; idx++) {
		if ((sp->lcp.protos & bit) != 0 &&
		    ((cps[idx])->flags & CP_NCP) != 0)
			(cps[idx])->Up(sp);
		bit <<= 1;
	}

	/*
	 * If no NCP is actually starting there is nothing to keep the link
	 * up for; let LCP decide whether to close (see
	 * sppp_lcp_check_and_close).
	 */
	sppp_lcp_check_and_close(sp);
}
5228 
static const char *
sppp_cp_type_name(u_char type)
{
	/*
	 * Scratch buffer for codes without a name.  It is static, so the
	 * string returned for an unknown code is overwritten by the next
	 * call that hits the default case; consume it before calling again.
	 */
	static char buf[12];
	const char *name;

	switch (type) {
	case CONF_REQ:   name = "conf-req";    break;
	case CONF_ACK:   name = "conf-ack";    break;
	case CONF_NAK:   name = "conf-nak";    break;
	case CONF_REJ:   name = "conf-rej";    break;
	case TERM_REQ:   name = "term-req";    break;
	case TERM_ACK:   name = "term-ack";    break;
	case CODE_REJ:   name = "code-rej";    break;
	case PROTO_REJ:  name = "proto-rej";   break;
	case ECHO_REQ:   name = "echo-req";    break;
	case ECHO_REPLY: name = "echo-reply";  break;
	case DISC_REQ:   name = "discard-req"; break;
	default:
		/* Unknown code: render it as "cp/0x<hex>". */
		snprintf(buf, sizeof(buf), "cp/0x%x", type);
		name = buf;
		break;
	}
	return (name);
}
5249 
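static const char *
sppp_auth_type_name(u_short proto, u_char type)
{
	/*
	 * Scratch buffer for codes without a name.  It is static, so the
	 * pointer returned for an unknown code is only valid until the next
	 * call that reaches the formatted case.
	 */
	static char buf[12];

	switch (proto) {
	case PPP_CHAP:
		switch (type) {
		case CHAP_CHALLENGE:	return "challenge";
		case CHAP_RESPONSE:	return "response";
		case CHAP_SUCCESS:	return "success";
		case CHAP_FAILURE:	return "failure";
		default:		break;
		}
		/*
		 * Do not fall through into the PAP table for an unknown CHAP
		 * code.  (With the standard RFC 1334/1994 code assignments
		 * every PAP code is also a CHAP code, so the old unmarked
		 * fall-through never changed the result, but the intent is
		 * now explicit.)
		 */
		break;
	case PPP_PAP:
		switch (type) {
		case PAP_REQ:		return "req";
		case PAP_ACK:		return "ack";
		case PAP_NAK:		return "nak";
		default:		break;
		}
		break;
	default:
		break;
	}
	/* Unknown protocol or code: render the raw code number. */
	snprintf(buf, sizeof(buf), "auth/0x%x", type);
	return buf;
}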
5272 
static const char *
sppp_lcp_opt_name(u_char opt)
{
	/*
	 * Static scratch buffer for unknown option numbers; the returned
	 * string is overwritten by the next call that formats one.
	 */
	static char buf[12];
	const char *name;

	switch (opt) {
	case LCP_OPT_MRU:		name = "mru";        break;
	case LCP_OPT_ASYNC_MAP:		name = "async-map";  break;
	case LCP_OPT_AUTH_PROTO:	name = "auth-proto"; break;
	case LCP_OPT_QUAL_PROTO:	name = "qual-proto"; break;
	case LCP_OPT_MAGIC:		name = "magic";      break;
	case LCP_OPT_PROTO_COMP:	name = "proto-comp"; break;
	case LCP_OPT_ADDR_COMP:		name = "addr-comp";  break;
	default:
		/* Unknown LCP option: "lcp/0x<hex>". */
		snprintf(buf, sizeof(buf), "lcp/0x%x", opt);
		name = buf;
		break;
	}
	return (name);
}
5289 
5290 #ifdef INET
static const char *
sppp_ipcp_opt_name(u_char opt)
{
	/*
	 * Static scratch buffer for unknown option numbers; the returned
	 * string is overwritten by the next call that formats one.
	 */
	static char buf[12];
	const char *name;

	switch (opt) {
	case IPCP_OPT_ADDRESSES:	name = "addresses";   break;
	case IPCP_OPT_COMPRESSION:	name = "compression"; break;
	case IPCP_OPT_ADDRESS:		name = "address";     break;
	default:
		/* Unknown IPCP option: "ipcp/0x<hex>". */
		snprintf(buf, sizeof(buf), "ipcp/0x%x", opt);
		name = buf;
		break;
	}
	return (name);
}
5303 #endif
5304 
5305 #ifdef INET6
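static const char *
sppp_ipv6cp_opt_name(u_char opt)
{
	/*
	 * Static scratch buffer for unknown option numbers; the returned
	 * string is overwritten by the next call that formats one.
	 */
	static char buf[12];

	switch (opt) {
	case IPV6CP_OPT_IFID:		return "ifid";
	case IPV6CP_OPT_COMPRESSION:	return "compression";
	default:			break;
	}
	/*
	 * Bounded write, like the other *_opt_name helpers.  The log text
	 * itself is kept as the bare "0x<hex>" this function always
	 * produced (the siblings prefix the protocol name).
	 */
	snprintf(buf, sizeof(buf), "0x%x", opt);
	return buf;
}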
5317 #endif
5318 
static const char *
sppp_state_name(int state)
{
	/* Human-readable name of an RFC 1661 automaton state, for logging. */
	const char *name = "illegal";

	switch (state) {
	case STATE_INITIAL:	name = "initial";  break;
	case STATE_STARTING:	name = "starting"; break;
	case STATE_CLOSED:	name = "closed";   break;
	case STATE_STOPPED:	name = "stopped";  break;
	case STATE_CLOSING:	name = "closing";  break;
	case STATE_STOPPING:	name = "stopping"; break;
	case STATE_REQ_SENT:	name = "req-sent"; break;
	case STATE_ACK_RCVD:	name = "ack-rcvd"; break;
	case STATE_ACK_SENT:	name = "ack-sent"; break;
	case STATE_OPENED:	name = "opened";   break;
	default:
		/* Not a known state: keep "illegal". */
		break;
	}
	return (name);
}
5336 
static const char *
sppp_phase_name(enum ppp_phase phase)
{
	/* Human-readable name of a PPP link phase, for logging. */
	const char *name = "illegal";

	switch (phase) {
	case PHASE_DEAD:		name = "dead";         break;
	case PHASE_ESTABLISH:		name = "establish";    break;
	case PHASE_TERMINATE:		name = "terminate";    break;
	case PHASE_AUTHENTICATE:	name = "authenticate"; break;
	case PHASE_NETWORK:		name = "network";      break;
	default:
		/* Out-of-range enum value: keep "illegal". */
		break;
	}
	return (name);
}
5349 
static const char *
sppp_proto_name(u_short proto)
{
	/*
	 * Static scratch buffer for unknown protocol numbers; the returned
	 * string is overwritten by the next call that formats one.
	 */
	static char buf[12];
	const char *name;

	switch (proto) {
	case PPP_LCP:		name = "lcp";    break;
	case PPP_IPCP:		name = "ipcp";   break;
	case PPP_PAP:		name = "pap";    break;
	case PPP_CHAP:		name = "chap";   break;
	case PPP_IPV6CP:	name = "ipv6cp"; break;
	default:
		/* Unknown PPP protocol number: "proto/0x<hex>". */
		snprintf(buf, sizeof(buf), "proto/0x%x", (unsigned)proto);
		name = buf;
		break;
	}
	return (name);
}
5364 
static void
sppp_print_bytes(const u_char *p, u_short len)
{
	/* Nothing to dump for an empty buffer. */
	if (len == 0)
		return;
	/* Kernel printf(9) %D: hex dump of len bytes from p, "-" separated. */
	log(-1, " %*D", len, p, "-");
}
5371 
static void
sppp_print_string(const char *p, u_short len)
{
	const char *end = p + len;

	/*
	 * Log len bytes of a (possibly non-NUL-terminated) peer-supplied
	 * string.  Printable ASCII goes out as-is; anything else is shown
	 * as a \x escape so control bytes never reach the log verbatim.
	 * RFC 1994 recommends plain ASCII, but we don't rely on it.
	 */
	while (p != end) {
		u_char c = (u_char)*p++;

		if (c >= ' ' && c <= '~')
			log(-1, "%c", c);
		else
			log(-1, "\\x%x", c);
	}
}
5388 
5389 #ifdef INET
5390 static const char *
sppp_dotted_quad(u_long addr)5391 sppp_dotted_quad(u_long addr)
5392 {
5393 	static char s[16];
5394 	sprintf(s, "%d.%d.%d.%d",
5395 		(int)((addr >> 24) & 0xff),
5396 		(int)((addr >> 16) & 0xff),
5397 		(int)((addr >> 8) & 0xff),
5398 		(int)(addr & 0xff));
5399 	return s;
5400 }
5401 #endif
5402 
static int
sppp_strnlen(u_char *p, int max)
{
	int n = 0;

	/*
	 * Length of p up to the first NUL, but never more than max bytes
	 * are examined (so an unterminated, fixed-size field is safe to
	 * measure).  A max <= 0 yields 0.
	 */
	while (n < max && p[n] != '\0')
		n++;
	return (n);
}
5412 
5413 /* a dummy, used to drop uninteresting events */
static void
sppp_null(struct sppp *unused)
{
	/* Intentionally empty: sink for events no state machine acts on. */
	(void)unused;
}
5419