1 /*        $NetBSD: lcp.c,v 1.6 2025/01/08 19:59:39 christos Exp $     */
2 
3 /*
4  * lcp.c - PPP Link Control Protocol.
5  *
6  * Copyright (c) 1984-2000 Carnegie Mellon University. All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. The name "Carnegie Mellon University" must not be used to
21  *    endorse or promote products derived from this software without
22  *    prior written permission. For permission or any legal
23  *    details, please contact
24  *      Office of Technology Transfer
25  *      Carnegie Mellon University
26  *      5000 Forbes Avenue
27  *      Pittsburgh, PA  15213-3890
28  *      (412) 268-4387, fax: (412) 268-7395
29  *      tech-transfer@andrew.cmu.edu
30  *
31  * 4. Redistributions of any form whatsoever must retain the following
32  *    acknowledgment:
33  *    "This product includes software developed by Computing Services
34  *     at Carnegie Mellon University (http://www.cmu.edu/computing/)."
35  *
36  * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
37  * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
38  * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE
39  * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
40  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
41  * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
42  * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
43  */
44 
45 #include <sys/cdefs.h>
46 __RCSID("$NetBSD: lcp.c,v 1.6 2025/01/08 19:59:39 christos Exp $");
47 
48 #ifdef HAVE_CONFIG_H
49 #include "config.h"
50 #endif
51 
52 #include <stdio.h>
53 #include <string.h>
54 #include <stdlib.h>
55 #include <fcntl.h>
56 #include <string.h>
57 #include <time.h>
58 #include <arpa/inet.h>
59 #include <sys/mman.h>
60 
61 #include "pppd-private.h"
62 #include "options.h"
63 #include "fsm.h"
64 #include "lcp.h"
65 #include "eap.h"
66 #include "chap.h"
67 #include "magic.h"
68 #include "multilink.h"
69 
70 /*
71  * When the link comes up we want to be able to wait for a short while,
72  * or until seeing some input from the peer, before starting to send
73  * configure-requests.  We do this by delaying the fsm_lowerup call.
74  */
75 /* steal a bit in fsm flags word */
76 #define DELAYED_UP  0x100
77 
78 static void lcp_delayed_up(void *);
79 
80 /*
81  * These definitions relate to the measurement and logging of round-trip
82  * time (RTT) of LCP echo-requests implemented in lcp_rtt_update_buffer().
83  */
84 #define LCP_RTT_MAGIC 0x19450425
85 #define LCP_RTT_HEADER_LENGTH 4
86 #define LCP_RTT_FILE_SIZE 8192
87 #define LCP_RTT_ELEMENTS (LCP_RTT_FILE_SIZE / sizeof(u_int32_t) - LCP_RTT_HEADER_LENGTH) / 2
88 
89 /*
90  * LCP-related command-line options.
91  */
92 int       lcp_echo_interval = 0;        /* Interval between LCP echo-requests */
93 int       lcp_echo_fails = 0; /* Tolerance to unanswered echo-requests */
94 bool      lcp_echo_adaptive = 0;        /* request echo only if the link was idle */
95 char      *lcp_rtt_file = NULL;         /* measure the RTT of LCP echo-requests */
96 bool      lax_recv = 0;                 /* accept control chars in asyncmap */
97 bool      noendpoint = 0;               /* don't send/accept endpoint discriminator */
98 
99 static int noopt(char **);
100 
101 #ifdef PPP_WITH_MULTILINK
102 static int setendpoint(char **);
103 static void printendpoint(option_t *, void (*)(void *, char *, ...), void *);
104 #endif /* PPP_WITH_MULTILINK */
105 
106 static struct option lcp_option_list[] = {
107     /* LCP options */
108     { "-all", o_special_noarg, (void *)noopt,
109       "Don't request/allow any LCP options" },
110 
111     { "noaccomp", o_bool, &lcp_wantoptions[0].neg_accompression,
112       "Disable address/control compression",
113       OPT_A2CLR, &lcp_allowoptions[0].neg_accompression },
114     { "-ac", o_bool, &lcp_wantoptions[0].neg_accompression,
115       "Disable address/control compression",
116       OPT_ALIAS | OPT_A2CLR, &lcp_allowoptions[0].neg_accompression },
117 
118     { "asyncmap", o_uint32, &lcp_wantoptions[0].asyncmap,
119       "Set asyncmap (for received packets)",
120       OPT_OR, &lcp_wantoptions[0].neg_asyncmap },
121     { "-as", o_uint32, &lcp_wantoptions[0].asyncmap,
122       "Set asyncmap (for received packets)",
123       OPT_ALIAS | OPT_OR, &lcp_wantoptions[0].neg_asyncmap },
124     { "default-asyncmap", o_uint32, &lcp_wantoptions[0].asyncmap,
125       "Disable asyncmap negotiation",
126       OPT_OR | OPT_NOARG | OPT_VAL(~0U) | OPT_A2CLR,
127       &lcp_allowoptions[0].neg_asyncmap },
128     { "-am", o_uint32, &lcp_wantoptions[0].asyncmap,
129       "Disable asyncmap negotiation",
130       OPT_ALIAS | OPT_OR | OPT_NOARG | OPT_VAL(~0U) | OPT_A2CLR,
131       &lcp_allowoptions[0].neg_asyncmap },
132 
133     { "nomagic", o_bool, &lcp_wantoptions[0].neg_magicnumber,
134       "Disable magic number negotiation (looped-back line detection)",
135       OPT_A2CLR, &lcp_allowoptions[0].neg_magicnumber },
136     { "-mn", o_bool, &lcp_wantoptions[0].neg_magicnumber,
137       "Disable magic number negotiation (looped-back line detection)",
138       OPT_ALIAS | OPT_A2CLR, &lcp_allowoptions[0].neg_magicnumber },
139 
140     { "mru", o_int, &lcp_wantoptions[0].mru,
141       "Set MRU (maximum received packet size) for negotiation",
142       OPT_PRIO, &lcp_wantoptions[0].neg_mru },
143     { "default-mru", o_bool, &lcp_wantoptions[0].neg_mru,
144       "Disable MRU negotiation (use default 1500)",
145       OPT_PRIOSUB | OPT_A2CLR, &lcp_allowoptions[0].neg_mru },
146     { "-mru", o_bool, &lcp_wantoptions[0].neg_mru,
147       "Disable MRU negotiation (use default 1500)",
148       OPT_ALIAS | OPT_PRIOSUB | OPT_A2CLR, &lcp_allowoptions[0].neg_mru },
149 
150     { "mtu", o_int, &lcp_allowoptions[0].mru,
151       "Set our MTU", OPT_LIMITS, NULL, MAXMRU, MINMRU },
152 
153     { "nopcomp", o_bool, &lcp_wantoptions[0].neg_pcompression,
154       "Disable protocol field compression",
155       OPT_A2CLR, &lcp_allowoptions[0].neg_pcompression },
156     { "-pc", o_bool, &lcp_wantoptions[0].neg_pcompression,
157       "Disable protocol field compression",
158       OPT_ALIAS | OPT_A2CLR, &lcp_allowoptions[0].neg_pcompression },
159 
160     { "passive", o_bool, &lcp_wantoptions[0].passive,
161       "Set passive mode", 1 },
162     { "-p", o_bool, &lcp_wantoptions[0].passive,
163       "Set passive mode", OPT_ALIAS | 1 },
164 
165     { "silent", o_bool, &lcp_wantoptions[0].silent,
166       "Set silent mode", 1 },
167 
168     { "lcp-echo-failure", o_int, &lcp_echo_fails,
169       "Set number of consecutive echo failures to indicate link failure",
170       OPT_PRIO },
171     { "lcp-echo-interval", o_int, &lcp_echo_interval,
172       "Set time in seconds between LCP echo requests", OPT_PRIO },
173     { "lcp-echo-adaptive", o_bool, &lcp_echo_adaptive,
174       "Suppress LCP echo requests if traffic was received", 1 },
175     { "lcp-rtt-file", o_string, &lcp_rtt_file,
176       "Filename for logging the round-trip time of LCP echo requests",
177       OPT_PRIO | OPT_PRIV },
178     { "lcp-restart", o_int, &lcp_fsm[0].timeouttime,
179       "Set time in seconds between LCP retransmissions", OPT_PRIO },
180     { "lcp-max-terminate", o_int, &lcp_fsm[0].maxtermtransmits,
181       "Set maximum number of LCP terminate-request transmissions", OPT_PRIO },
182     { "lcp-max-configure", o_int, &lcp_fsm[0].maxconfreqtransmits,
183       "Set maximum number of LCP configure-request transmissions", OPT_PRIO },
184     { "lcp-max-failure", o_int, &lcp_fsm[0].maxnakloops,
185       "Set limit on number of LCP configure-naks", OPT_PRIO },
186 
187     { "receive-all", o_bool, &lax_recv,
188       "Accept all received control characters", 1 },
189 
190 #ifdef PPP_WITH_MULTILINK
191     { "mrru", o_int, &lcp_wantoptions[0].mrru,
192       "Maximum received packet size for multilink bundle",
193       OPT_PRIO, &lcp_wantoptions[0].neg_mrru },
194 
195     { "mpshortseq", o_bool, &lcp_wantoptions[0].neg_ssnhf,
196       "Use short sequence numbers in multilink headers",
197       OPT_PRIO | 1, &lcp_allowoptions[0].neg_ssnhf },
198     { "nompshortseq", o_bool, &lcp_wantoptions[0].neg_ssnhf,
199       "Don't use short sequence numbers in multilink headers",
200       OPT_PRIOSUB | OPT_A2CLR, &lcp_allowoptions[0].neg_ssnhf },
201 
202     { "endpoint", o_special, (void *) setendpoint,
203       "Endpoint discriminator for multilink",
204       OPT_PRIO | OPT_A2PRINTER, (void *) printendpoint },
205 #endif /* PPP_WITH_MULTILINK */
206 
207     { "noendpoint", o_bool, &noendpoint,
208       "Don't send or accept multilink endpoint discriminator", 1 },
209 
210     {NULL}
211 };
212 
213 /* global vars */
214 fsm lcp_fsm[NUM_PPP];                             /* LCP fsm structure (global)*/
215 lcp_options lcp_wantoptions[NUM_PPP];   /* Options that we want to request */
216 lcp_options lcp_gotoptions[NUM_PPP];    /* Options that peer ack'd */
217 lcp_options lcp_allowoptions[NUM_PPP];  /* Options we allow peer to request */
218 lcp_options lcp_hisoptions[NUM_PPP];    /* Options that we ack'd */
219 
220 static int lcp_echos_pending = 0;       /* Number of outstanding echo msgs */
221 static int lcp_echo_number   = 0;       /* ID number of next echo frame */
222 static int lcp_echo_timer_running = 0;  /* set if a timer is running */
223 static int lcp_rtt_file_fd = 0;                   /* fd for the opened LCP RTT file */
224 static u_int32_t *lcp_rtt_buffer = NULL; /* the mmap'ed LCP RTT file */
225 
226 static u_char nak_buffer[PPP_MRU];      /* where we construct a nak packet */
227 
228 /*
229  * Callbacks for fsm code.  (CI = Configuration Information)
230  */
231 static void lcp_resetci(fsm *);         /* Reset our CI */
232 static int  lcp_cilen(fsm *);           /* Return length of our CI */
233 static void lcp_addci(fsm *, u_char *, int *); /* Add our CI to pkt */
234 static int  lcp_ackci(fsm *, u_char *, int); /* Peer ack'd our CI */
235 static int  lcp_nakci(fsm *, u_char *, int, int); /* Peer nak'd our CI */
236 static int  lcp_rejci(fsm *, u_char *, int); /* Peer rej'd our CI */
237 static int  lcp_reqci(fsm *, u_char *, int *, int); /* Rcv peer CI */
238 static void lcp_up(fsm *);              /* We're UP */
239 static void lcp_down(fsm *);            /* We're DOWN */
240 static void lcp_starting(fsm *);        /* We need lower layer up */
241 static void lcp_finished(fsm *);        /* We need lower layer down */
242 static int  lcp_extcode(fsm *, int, int, u_char *, int);
243 static void lcp_rprotrej(fsm *, u_char *, int);
244 
245 /*
246  * routines to send LCP echos to peer
247  */
248 
249 static void lcp_echo_lowerup(int);
250 static void lcp_echo_lowerdown(int);
251 static void LcpEchoTimeout(void *);
252 static void lcp_received_echo_reply(fsm *, int, u_char *, int);
253 static void LcpSendEchoRequest(fsm *);
254 static void LcpLinkFailure(fsm *);
255 static void LcpEchoCheck(fsm *);
256 
257 static fsm_callbacks lcp_callbacks = {  /* LCP callback routines */
258     lcp_resetci,              /* Reset our Configuration Information */
259     lcp_cilen,                          /* Length of our Configuration Information */
260     lcp_addci,                          /* Add our Configuration Information */
261     lcp_ackci,                          /* ACK our Configuration Information */
262     lcp_nakci,                          /* NAK our Configuration Information */
263     lcp_rejci,                          /* Reject our Configuration Information */
264     lcp_reqci,                          /* Request peer's Configuration Information */
265     lcp_up,                             /* Called when fsm reaches OPENED state */
266     lcp_down,                           /* Called when fsm leaves OPENED state */
267     lcp_starting,             /* Called when we want the lower layer up */
268     lcp_finished,             /* Called when we want the lower layer down */
269     NULL,                     /* Called when Protocol-Reject received */
270     NULL,                     /* Retransmission is necessary */
271     lcp_extcode,              /* Called to handle LCP-specific codes */
272     "LCP"                     /* String name of protocol */
273 };
274 
275 /*
276  * Protocol entry points.
277  * Some of these are called directly.
278  */
279 
280 static void lcp_init(int);
281 static void lcp_input(int, u_char *, int);
282 static void lcp_protrej(int);
283 static int  lcp_printpkt(u_char *, int, void (*)(void *, char *, ...), void *);
284 
285 struct protent lcp_protent = {
286     PPP_LCP,
287     lcp_init,
288     lcp_input,
289     lcp_protrej,
290     lcp_lowerup,
291     lcp_lowerdown,
292     lcp_open,
293     lcp_close,
294     lcp_printpkt,
295     NULL,
296     1,
297     "LCP",
298     NULL,
299     lcp_option_list,
300     NULL,
301     NULL,
302     NULL
303 };
304 
305 int lcp_loopbackfail = DEFLOOPBACKFAIL;
306 
307 /*
308  * Length of each type of configuration option (in octets)
309  */
310 #define CILEN_VOID  2
311 #define CILEN_CHAR  3
312 #define CILEN_SHORT 4         /* CILEN_VOID + 2 */
313 #define CILEN_CHAP  5         /* CILEN_VOID + 2 + 1 */
314 #define CILEN_LONG  6         /* CILEN_VOID + 4 */
315 #define CILEN_LQR   8         /* CILEN_VOID + 2 + 4 */
316 #define CILEN_CBCP  3
317 
318 #define CODENAME(x) ((x) == CONFACK ? "ACK" : \
319                                (x) == CONFNAK ? "NAK" : "REJ")
320 
321 /*
322  * noopt - Disable all options (why?).
323  */
324 static int
noopt(char ** argv)325 noopt(char **argv)
326 {
327     BZERO((char *) &lcp_wantoptions[0], sizeof (struct lcp_options));
328     BZERO((char *) &lcp_allowoptions[0], sizeof (struct lcp_options));
329 
330     return (1);
331 }
332 
333 #ifdef PPP_WITH_MULTILINK
334 static int
setendpoint(char ** argv)335 setendpoint(char **argv)
336 {
337     if (str_to_epdisc(&lcp_wantoptions[0].endpoint, *argv)) {
338           lcp_wantoptions[0].neg_endpoint = 1;
339           return 1;
340     }
341     ppp_option_error("Can't parse '%s' as an endpoint discriminator", *argv);
342     return 0;
343 }
344 
345 static void
printendpoint(option_t * opt,void (* printer)(void *,char *,...),void * arg)346 printendpoint(option_t *opt, void (*printer)(void *, char *, ...), void *arg)
347 {
348           printer(arg, "%s", epdisc_to_str(&lcp_wantoptions[0].endpoint));
349 }
350 #endif /* PPP_WITH_MULTILINK */
351 
352 /*
353  * lcp_init - Initialize LCP.
354  */
355 static void
lcp_init(int unit)356 lcp_init(int unit)
357 {
358     fsm *f = &lcp_fsm[unit];
359     lcp_options *wo = &lcp_wantoptions[unit];
360     lcp_options *ao = &lcp_allowoptions[unit];
361 
362     f->unit = unit;
363     f->protocol = PPP_LCP;
364     f->callbacks = &lcp_callbacks;
365 
366     fsm_init(f);
367 
368     BZERO(wo, sizeof(*wo));
369     wo->neg_mru = 1;
370     wo->mru = DEFMRU;
371     wo->neg_asyncmap = 1;
372     wo->neg_magicnumber = 1;
373     wo->neg_pcompression = 1;
374     wo->neg_accompression = 1;
375 
376     BZERO(ao, sizeof(*ao));
377     ao->neg_mru = 1;
378     ao->mru = MAXMRU;
379     ao->neg_asyncmap = 1;
380     ao->neg_chap = 1;
381     ao->chap_mdtype = chap_mdtype_all;
382     ao->neg_upap = 1;
383     ao->neg_eap = 1;
384     ao->neg_magicnumber = 1;
385     ao->neg_pcompression = 1;
386     ao->neg_accompression = 1;
387     ao->neg_endpoint = 1;
388 }
389 
390 
391 /*
392  * lcp_open - LCP is allowed to come up.
393  */
394 void
lcp_open(int unit)395 lcp_open(int unit)
396 {
397     fsm *f = &lcp_fsm[unit];
398     lcp_options *wo = &lcp_wantoptions[unit];
399 
400     f->flags &= ~(OPT_PASSIVE | OPT_SILENT);
401     if (wo->passive)
402           f->flags |= OPT_PASSIVE;
403     if (wo->silent)
404           f->flags |= OPT_SILENT;
405     fsm_open(f);
406 }
407 
408 
409 /*
410  * lcp_close - Take LCP down.
411  */
412 void
lcp_close(int unit,char * reason)413 lcp_close(int unit, char *reason)
414 {
415     fsm *f = &lcp_fsm[unit];
416     int oldstate;
417 
418     if (!in_phase(PHASE_DEAD) && !in_phase(PHASE_MASTER))
419           new_phase(PHASE_TERMINATE);
420 
421     if (f->flags & DELAYED_UP) {
422           UNTIMEOUT(lcp_delayed_up, f);
423           f->state = STOPPED;
424     }
425     oldstate = f->state;
426 
427     fsm_close(f, reason);
428     if (oldstate == STOPPED && f->flags & (OPT_PASSIVE|OPT_SILENT|DELAYED_UP)) {
429           /*
430            * This action is not strictly according to the FSM in RFC1548,
431            * but it does mean that the program terminates if you do a
432            * lcp_close() when a connection hasn't been established
433            * because we are in passive/silent mode or because we have
434            * delayed the fsm_lowerup() call and it hasn't happened yet.
435            */
436           f->flags &= ~DELAYED_UP;
437           lcp_finished(f);
438     }
439 }
440 
441 
442 /*
443  * lcp_lowerup - The lower layer is up.
444  */
445 void
lcp_lowerup(int unit)446 lcp_lowerup(int unit)
447 {
448     lcp_options *wo = &lcp_wantoptions[unit];
449     fsm *f = &lcp_fsm[unit];
450 
451     /*
452      * Don't use A/C or protocol compression on transmission,
453      * but accept A/C and protocol compressed packets
454      * if we are going to ask for A/C and protocol compression.
455      */
456     if (ppp_send_config(unit, PPP_MRU, 0xffffffff, 0, 0) < 0
457           || ppp_recv_config(unit, PPP_MRU, (lax_recv? 0: 0xffffffff),
458                                  wo->neg_pcompression, wo->neg_accompression) < 0)
459               return;
460     peer_mru[unit] = PPP_MRU;
461 
462     if (listen_time != 0) {
463           f->flags |= DELAYED_UP;
464           ppp_timeout(lcp_delayed_up, f, 0, listen_time * 1000);
465     } else
466           fsm_lowerup(f);
467 }
468 
469 
470 /*
471  * lcp_lowerdown - The lower layer is down.
472  */
473 void
lcp_lowerdown(int unit)474 lcp_lowerdown(int unit)
475 {
476     fsm *f = &lcp_fsm[unit];
477 
478     if (f->flags & DELAYED_UP) {
479           f->flags &= ~DELAYED_UP;
480           UNTIMEOUT(lcp_delayed_up, f);
481     } else
482           fsm_lowerdown(&lcp_fsm[unit]);
483 }
484 
485 
486 /*
487  * lcp_delayed_up - Bring the lower layer up now.
488  */
489 static void
lcp_delayed_up(void * arg)490 lcp_delayed_up(void *arg)
491 {
492     fsm *f = arg;
493 
494     if (f->flags & DELAYED_UP) {
495           f->flags &= ~DELAYED_UP;
496           fsm_lowerup(f);
497     }
498 }
499 
500 
501 /*
502  * lcp_input - Input LCP packet.
503  */
504 static void
lcp_input(int unit,u_char * p,int len)505 lcp_input(int unit, u_char *p, int len)
506 {
507     fsm *f = &lcp_fsm[unit];
508 
509     if (f->flags & DELAYED_UP) {
510           f->flags &= ~DELAYED_UP;
511           UNTIMEOUT(lcp_delayed_up, f);
512           fsm_lowerup(f);
513     }
514     fsm_input(f, p, len);
515 }
516 
517 /*
518  * lcp_extcode - Handle a LCP-specific code.
519  */
520 static int
lcp_extcode(fsm * f,int code,int id,u_char * inp,int len)521 lcp_extcode(fsm *f, int code, int id, u_char *inp, int len)
522 {
523     u_char *magp;
524 
525     switch( code ){
526     case PROTREJ:
527           lcp_rprotrej(f, inp, len);
528           break;
529 
530     case ECHOREQ:
531           if (f->state != OPENED)
532               break;
533           magp = inp;
534           PUTLONG(lcp_gotoptions[f->unit].magicnumber, magp);
535           fsm_sdata(f, ECHOREP, id, inp, len);
536           break;
537 
538     case ECHOREP:
539           lcp_received_echo_reply(f, id, inp, len);
540           break;
541 
542     case DISCREQ:
543     case IDENTIF:
544     case TIMEREM:
545           break;
546 
547     default:
548           return 0;
549     }
550     return 1;
551 }
552 
553 
554 /*
555  * lcp_rprotrej - Receive an Protocol-Reject.
556  *
557  * Figure out which protocol is rejected and inform it.
558  */
559 static void
lcp_rprotrej(fsm * f,u_char * inp,int len)560 lcp_rprotrej(fsm *f, u_char *inp, int len)
561 {
562     int i;
563     struct protent *protp;
564     u_short prot;
565     const char *pname;
566 
567     if (len < 2) {
568           LCPDEBUG(("lcp_rprotrej: Rcvd short Protocol-Reject packet!"));
569           return;
570     }
571 
572     GETSHORT(prot, inp);
573 
574     /*
575      * Protocol-Reject packets received in any state other than the LCP
576      * OPENED state SHOULD be silently discarded.
577      */
578     if( f->state != OPENED ){
579           LCPDEBUG(("Protocol-Reject discarded: LCP in state %d", f->state));
580           return;
581     }
582 
583     pname = protocol_name(prot);
584 
585     /*
586      * Upcall the proper Protocol-Reject routine.
587      */
588     for (i = 0; (protp = protocols[i]) != NULL; ++i)
589           if (protp->protocol == prot && protp->enabled_flag) {
590               if (pname == NULL)
591                     dbglog("Protocol-Reject for 0x%x received", prot);
592               else
593                     dbglog("Protocol-Reject for '%s' (0x%x) received", pname,
594                            prot);
595               (*protp->protrej)(f->unit);
596               return;
597           }
598 
599     if (pname == NULL)
600           warn("Protocol-Reject for unsupported protocol 0x%x", prot);
601     else
602           warn("Protocol-Reject for unsupported protocol '%s' (0x%x)", pname,
603                prot);
604 }
605 
606 
607 /*
608  * lcp_protrej - A Protocol-Reject was received.
609  */
610 /*ARGSUSED*/
611 static void
lcp_protrej(int unit)612 lcp_protrej(int unit)
613 {
614     /*
615      * Can't reject LCP!
616      */
617     error("Received Protocol-Reject for LCP!");
618     fsm_protreject(&lcp_fsm[unit]);
619 }
620 
621 
622 /*
623  * lcp_sprotrej - Send a Protocol-Reject for some protocol.
624  */
625 void
lcp_sprotrej(int unit,u_char * p,int len)626 lcp_sprotrej(int unit, u_char *p, int len)
627 {
628     /*
629      * Send back the protocol and the information field of the
630      * rejected packet.  We only get here if LCP is in the OPENED state.
631      */
632     p += 2;
633     len -= 2;
634 
635     fsm_sdata(&lcp_fsm[unit], PROTREJ, ++lcp_fsm[unit].id,
636                 p, len);
637 }
638 
639 
640 /*
641  * lcp_resetci - Reset our CI.
642  */
643 static void
lcp_resetci(fsm * f)644 lcp_resetci(fsm *f)
645 {
646     lcp_options *wo = &lcp_wantoptions[f->unit];
647     lcp_options *go = &lcp_gotoptions[f->unit];
648     lcp_options *ao = &lcp_allowoptions[f->unit];
649 
650     wo->magicnumber = magic();
651     wo->numloops = 0;
652     *go = *wo;
653     if (!multilink) {
654           go->neg_mrru = 0;
655           go->neg_ssnhf = 0;
656           go->neg_endpoint = 0;
657     }
658     if (noendpoint)
659           ao->neg_endpoint = 0;
660     peer_mru[f->unit] = PPP_MRU;
661     auth_reset(f->unit);
662 }
663 
664 
665 /*
666  * lcp_cilen - Return length of our CI.
667  */
668 static int
lcp_cilen(fsm * f)669 lcp_cilen(fsm *f)
670 {
671     lcp_options *go = &lcp_gotoptions[f->unit];
672 
673 #define LENCIVOID(neg)        ((neg) ? CILEN_VOID : 0)
674 #define LENCICHAP(neg)        ((neg) ? CILEN_CHAP : 0)
675 #define LENCISHORT(neg)       ((neg) ? CILEN_SHORT : 0)
676 #define LENCILONG(neg)        ((neg) ? CILEN_LONG : 0)
677 #define LENCILQR(neg)         ((neg) ? CILEN_LQR: 0)
678 #define LENCICBCP(neg)        ((neg) ? CILEN_CBCP: 0)
679     /*
680      * NB: we only ask for one of CHAP, UPAP, or EAP, even if we will
681      * accept more than one.  We prefer EAP first, then CHAP, then
682      * PAP.
683      */
684     return (LENCISHORT(go->neg_mru && go->mru != DEFMRU) +
685               LENCILONG(go->neg_asyncmap && go->asyncmap != 0xFFFFFFFF) +
686               LENCISHORT(go->neg_eap) +
687               LENCICHAP(!go->neg_eap && go->neg_chap) +
688               LENCISHORT(!go->neg_eap && !go->neg_chap && go->neg_upap) +
689               LENCILQR(go->neg_lqr) +
690               LENCICBCP(go->neg_cbcp) +
691               LENCILONG(go->neg_magicnumber) +
692               LENCIVOID(go->neg_pcompression) +
693               LENCIVOID(go->neg_accompression) +
694               LENCISHORT(go->neg_mrru) +
695               LENCIVOID(go->neg_ssnhf) +
696               (go->neg_endpoint? CILEN_CHAR + go->endpoint.length: 0));
697 }
698 
699 
700 /*
701  * lcp_addci - Add our desired CIs to a packet.
702  */
703 static void
lcp_addci(fsm * f,u_char * ucp,int * lenp)704 lcp_addci(fsm *f, u_char *ucp, int *lenp)
705 {
706     lcp_options *go = &lcp_gotoptions[f->unit];
707     u_char *start_ucp = ucp;
708 
709 #define ADDCIVOID(opt, neg) \
710     if (neg) { \
711           PUTCHAR(opt, ucp); \
712           PUTCHAR(CILEN_VOID, ucp); \
713     }
714 #define ADDCISHORT(opt, neg, val) \
715     if (neg) { \
716           PUTCHAR(opt, ucp); \
717           PUTCHAR(CILEN_SHORT, ucp); \
718           PUTSHORT(val, ucp); \
719     }
720 #define ADDCICHAP(opt, neg, val) \
721     if (neg) { \
722           PUTCHAR((opt), ucp); \
723           PUTCHAR(CILEN_CHAP, ucp); \
724           PUTSHORT(PPP_CHAP, ucp); \
725           PUTCHAR((CHAP_DIGEST(val)), ucp); \
726     }
727 #define ADDCILONG(opt, neg, val) \
728     if (neg) { \
729           PUTCHAR(opt, ucp); \
730           PUTCHAR(CILEN_LONG, ucp); \
731           PUTLONG(val, ucp); \
732     }
733 #define ADDCILQR(opt, neg, val) \
734     if (neg) { \
735           PUTCHAR(opt, ucp); \
736           PUTCHAR(CILEN_LQR, ucp); \
737           PUTSHORT(PPP_LQR, ucp); \
738           PUTLONG(val, ucp); \
739     }
740 #define ADDCICHAR(opt, neg, val) \
741     if (neg) { \
742           PUTCHAR(opt, ucp); \
743           PUTCHAR(CILEN_CHAR, ucp); \
744           PUTCHAR(val, ucp); \
745     }
746 #define ADDCIENDP(opt, neg, class, val, len) \
747     if (neg) { \
748           int i; \
749           PUTCHAR(opt, ucp); \
750           PUTCHAR(CILEN_CHAR + len, ucp); \
751           PUTCHAR(class, ucp); \
752           for (i = 0; i < len; ++i) \
753               PUTCHAR(val[i], ucp); \
754     }
755 
756     ADDCISHORT(CI_MRU, go->neg_mru && go->mru != DEFMRU, go->mru);
757     ADDCILONG(CI_ASYNCMAP, go->neg_asyncmap && go->asyncmap != 0xFFFFFFFF,
758                 go->asyncmap);
759     ADDCISHORT(CI_AUTHTYPE, go->neg_eap, PPP_EAP);
760     ADDCICHAP(CI_AUTHTYPE, !go->neg_eap && go->neg_chap, go->chap_mdtype);
761     ADDCISHORT(CI_AUTHTYPE, !go->neg_eap && !go->neg_chap && go->neg_upap,
762                  PPP_PAP);
763     ADDCILQR(CI_QUALITY, go->neg_lqr, go->lqr_period);
764     ADDCICHAR(CI_CALLBACK, go->neg_cbcp, CBCP_OPT);
765     ADDCILONG(CI_MAGICNUMBER, go->neg_magicnumber, go->magicnumber);
766     ADDCIVOID(CI_PCOMPRESSION, go->neg_pcompression);
767     ADDCIVOID(CI_ACCOMPRESSION, go->neg_accompression);
768     ADDCISHORT(CI_MRRU, go->neg_mrru, go->mrru);
769     ADDCIVOID(CI_SSNHF, go->neg_ssnhf);
770     ADDCIENDP(CI_EPDISC, go->neg_endpoint, go->endpoint.class,
771                 go->endpoint.value, go->endpoint.length);
772 
773     if (ucp - start_ucp != *lenp) {
774           /* this should never happen, because peer_mtu should be 1500 */
775           error("Bug in lcp_addci: wrong length");
776     }
777 }
778 
779 
780 /*
781  * lcp_ackci - Ack our CIs.
782  * This should not modify any state if the Ack is bad.
783  *
784  * Returns:
785  *        0 - Ack was bad.
786  *        1 - Ack was good.
787  */
788 static int
lcp_ackci(fsm * f,u_char * p,int len)789 lcp_ackci(fsm *f, u_char *p, int len)
790 {
791     lcp_options *go = &lcp_gotoptions[f->unit];
792     u_char cilen, citype, cichar;
793     u_short cishort;
794     u_int32_t cilong;
795 
796     /*
797      * CIs must be in exactly the same order that we sent.
798      * Check packet length and CI length at each step.
799      * If we find any deviations, then this packet is bad.
800      */
801 #define ACKCIVOID(opt, neg) \
802     if (neg) { \
803           if ((len -= CILEN_VOID) < 0) \
804               goto bad; \
805           GETCHAR(citype, p); \
806           GETCHAR(cilen, p); \
807           if (cilen != CILEN_VOID || \
808               citype != opt) \
809               goto bad; \
810     }
811 #define ACKCISHORT(opt, neg, val) \
812     if (neg) { \
813           if ((len -= CILEN_SHORT) < 0) \
814               goto bad; \
815           GETCHAR(citype, p); \
816           GETCHAR(cilen, p); \
817           if (cilen != CILEN_SHORT || \
818               citype != opt) \
819               goto bad; \
820           GETSHORT(cishort, p); \
821           if (cishort != val) \
822               goto bad; \
823     }
824 #define ACKCICHAR(opt, neg, val) \
825     if (neg) { \
826           if ((len -= CILEN_CHAR) < 0) \
827               goto bad; \
828           GETCHAR(citype, p); \
829           GETCHAR(cilen, p); \
830           if (cilen != CILEN_CHAR || \
831               citype != opt) \
832               goto bad; \
833           GETCHAR(cichar, p); \
834           if (cichar != val) \
835               goto bad; \
836     }
837 #define ACKCICHAP(opt, neg, val) \
838     if (neg) { \
839           if ((len -= CILEN_CHAP) < 0) \
840               goto bad; \
841           GETCHAR(citype, p); \
842           GETCHAR(cilen, p); \
843           if (cilen != CILEN_CHAP || \
844               citype != (opt)) \
845               goto bad; \
846           GETSHORT(cishort, p); \
847           if (cishort != PPP_CHAP) \
848               goto bad; \
849           GETCHAR(cichar, p); \
850           if (cichar != (CHAP_DIGEST(val))) \
851             goto bad; \
852     }
853 #define ACKCILONG(opt, neg, val) \
854     if (neg) { \
855           if ((len -= CILEN_LONG) < 0) \
856               goto bad; \
857           GETCHAR(citype, p); \
858           GETCHAR(cilen, p); \
859           if (cilen != CILEN_LONG || \
860               citype != opt) \
861               goto bad; \
862           GETLONG(cilong, p); \
863           if (cilong != val) \
864               goto bad; \
865     }
866 #define ACKCILQR(opt, neg, val) \
867     if (neg) { \
868           if ((len -= CILEN_LQR) < 0) \
869               goto bad; \
870           GETCHAR(citype, p); \
871           GETCHAR(cilen, p); \
872           if (cilen != CILEN_LQR || \
873               citype != opt) \
874               goto bad; \
875           GETSHORT(cishort, p); \
876           if (cishort != PPP_LQR) \
877               goto bad; \
878           GETLONG(cilong, p); \
879           if (cilong != val) \
880             goto bad; \
881     }
882 #define ACKCIENDP(opt, neg, class, val, vlen) \
883     if (neg) { \
884           int i; \
885           if ((len -= CILEN_CHAR + vlen) < 0) \
886               goto bad; \
887           GETCHAR(citype, p); \
888           GETCHAR(cilen, p); \
889           if (cilen != CILEN_CHAR + vlen || \
890               citype != opt) \
891               goto bad; \
892           GETCHAR(cichar, p); \
893           if (cichar != class) \
894               goto bad; \
895           for (i = 0; i < vlen; ++i) { \
896               GETCHAR(cichar, p); \
897               if (cichar != val[i]) \
898                     goto bad; \
899           } \
900     }
901 
902     ACKCISHORT(CI_MRU, go->neg_mru && go->mru != DEFMRU, go->mru);
903     ACKCILONG(CI_ASYNCMAP, go->neg_asyncmap && go->asyncmap != 0xFFFFFFFF,
904                 go->asyncmap);
905     ACKCISHORT(CI_AUTHTYPE, go->neg_eap, PPP_EAP);
906     ACKCICHAP(CI_AUTHTYPE, !go->neg_eap && go->neg_chap, go->chap_mdtype);
907     ACKCISHORT(CI_AUTHTYPE, !go->neg_eap && !go->neg_chap && go->neg_upap,
908                  PPP_PAP);
909     ACKCILQR(CI_QUALITY, go->neg_lqr, go->lqr_period);
910     ACKCICHAR(CI_CALLBACK, go->neg_cbcp, CBCP_OPT);
911     ACKCILONG(CI_MAGICNUMBER, go->neg_magicnumber, go->magicnumber);
912     ACKCIVOID(CI_PCOMPRESSION, go->neg_pcompression);
913     ACKCIVOID(CI_ACCOMPRESSION, go->neg_accompression);
914     ACKCISHORT(CI_MRRU, go->neg_mrru, go->mrru);
915     ACKCIVOID(CI_SSNHF, go->neg_ssnhf);
916     ACKCIENDP(CI_EPDISC, go->neg_endpoint, go->endpoint.class,
917                 go->endpoint.value, go->endpoint.length);
918 
919     /*
920      * If there are any remaining CIs, then this packet is bad.
921      */
922     if (len != 0)
923           goto bad;
924     return (1);
925 bad:
926     LCPDEBUG(("lcp_acki: received bad Ack!"));
927     return (0);
928 }
929 
930 
931 /*
932  * lcp_nakci - Peer has sent a NAK for some of our CIs.
933  * This should not modify any state if the Nak is bad
934  * or if LCP is in the OPENED state.
935  *
936  * Returns:
937  *        0 - Nak was bad.
938  *        1 - Nak was good.
939  */
940 static int
lcp_nakci(fsm * f,u_char * p,int len,int treat_as_reject)941 lcp_nakci(fsm *f, u_char *p, int len, int treat_as_reject)
942 {
943     lcp_options *go = &lcp_gotoptions[f->unit];
944     lcp_options *wo = &lcp_wantoptions[f->unit];
945     u_char citype, cichar, *next;
946     u_short cishort;
947     u_int32_t cilong;
948     lcp_options no;           /* options we've seen Naks for */
949     lcp_options try;                    /* options to request next time */
950     int looped_back = 0;
951     int cilen;
952 
953     BZERO(&no, sizeof(no));
954     try = *go;
955 
956     /*
957      * Any Nak'd CIs must be in exactly the same order that we sent.
958      * Check packet length and CI length at each step.
959      * If we find any deviations, then this packet is bad.
960      */
961 #define NAKCIVOID(opt, neg) \
962     if (go->neg && \
963           len >= CILEN_VOID && \
964           p[1] == CILEN_VOID && \
965           p[0] == opt) { \
966           len -= CILEN_VOID; \
967           INCPTR(CILEN_VOID, p); \
968           no.neg = 1; \
969           try.neg = 0; \
970     }
971 #define NAKCICHAP(opt, neg, code) \
972     if (go->neg && \
973           len >= CILEN_CHAP && \
974           p[1] == CILEN_CHAP && \
975           p[0] == opt) { \
976           len -= CILEN_CHAP; \
977           INCPTR(2, p); \
978           GETSHORT(cishort, p); \
979           GETCHAR(cichar, p); \
980           no.neg = 1; \
981           code \
982     }
983 #define NAKCICHAR(opt, neg, code) \
984     if (go->neg && \
985           len >= CILEN_CHAR && \
986           p[1] == CILEN_CHAR && \
987           p[0] == opt) { \
988           len -= CILEN_CHAR; \
989           INCPTR(2, p); \
990           GETCHAR(cichar, p); \
991           no.neg = 1; \
992           code \
993     }
994 #define NAKCISHORT(opt, neg, code) \
995     if (go->neg && \
996           len >= CILEN_SHORT && \
997           p[1] == CILEN_SHORT && \
998           p[0] == opt) { \
999           len -= CILEN_SHORT; \
1000           INCPTR(2, p); \
1001           GETSHORT(cishort, p); \
1002           no.neg = 1; \
1003           code \
1004     }
1005 #define NAKCILONG(opt, neg, code) \
1006     if (go->neg && \
1007           len >= CILEN_LONG && \
1008           p[1] == CILEN_LONG && \
1009           p[0] == opt) { \
1010           len -= CILEN_LONG; \
1011           INCPTR(2, p); \
1012           GETLONG(cilong, p); \
1013           no.neg = 1; \
1014           code \
1015     }
1016 #define NAKCILQR(opt, neg, code) \
1017     if (go->neg && \
1018           len >= CILEN_LQR && \
1019           p[1] == CILEN_LQR && \
1020           p[0] == opt) { \
1021           len -= CILEN_LQR; \
1022           INCPTR(2, p); \
1023           GETSHORT(cishort, p); \
1024           GETLONG(cilong, p); \
1025           no.neg = 1; \
1026           code \
1027     }
1028 #define NAKCIENDP(opt, neg) \
1029     if (go->neg && \
1030           len >= CILEN_CHAR && \
1031           p[0] == opt && \
1032           p[1] >= CILEN_CHAR && \
1033           p[1] <= len) { \
1034           len -= p[1]; \
1035           INCPTR(p[1], p); \
1036           no.neg = 1; \
1037           try.neg = 0; \
1038     }
1039 
1040     /*
1041      * NOTE!  There must be no assignments to individual fields of *go in
1042      * the code below.  Any such assignment is a BUG!
1043      */
1044     /*
1045      * We don't care if they want to send us smaller packets than
1046      * we want.  Therefore, accept any MRU less than what we asked for,
1047      * but then ignore the new value when setting the MRU in the kernel.
1048      * If they send us a bigger MRU than what we asked, accept it, up to
1049      * the limit of the default MRU we'd get if we didn't negotiate.
1050      */
1051     if (go->neg_mru && go->mru != DEFMRU) {
1052           NAKCISHORT(CI_MRU, neg_mru,
1053                        if (cishort <= wo->mru || cishort <= DEFMRU)
1054                            try.mru = cishort;
1055                        );
1056     }
1057 
1058     /*
1059      * Add any characters they want to our (receive-side) asyncmap.
1060      */
1061     if (go->neg_asyncmap && go->asyncmap != 0xFFFFFFFF) {
1062           NAKCILONG(CI_ASYNCMAP, neg_asyncmap,
1063                       try.asyncmap = go->asyncmap | cilong;
1064                       );
1065     }
1066 
1067     /*
1068      * If they've nak'd our authentication-protocol, check whether
1069      * they are proposing a different protocol, or a different
1070      * hash algorithm for CHAP.
1071      */
1072     if ((go->neg_chap || go->neg_upap || go->neg_eap)
1073           && len >= CILEN_SHORT
1074           && p[0] == CI_AUTHTYPE && p[1] >= CILEN_SHORT && p[1] <= len) {
1075           cilen = p[1];
1076           len -= cilen;
1077           no.neg_chap = go->neg_chap;
1078           no.neg_upap = go->neg_upap;
1079           no.neg_eap = go->neg_eap;
1080           INCPTR(2, p);
1081           GETSHORT(cishort, p);
1082           if (cishort == PPP_PAP && cilen == CILEN_SHORT) {
1083               /* If we were asking for EAP, then we need to stop that. */
1084               if (go->neg_eap)
1085                     try.neg_eap = 0;
1086 
1087               /* If we were asking for CHAP, then we need to stop that. */
1088               else if (go->neg_chap)
1089                     try.neg_chap = 0;
1090               /*
1091                * If we weren't asking for CHAP or EAP, then we were asking for
1092                * PAP, in which case this Nak is bad.
1093                */
1094               else
1095                     goto bad;
1096 
1097           } else if (cishort == PPP_CHAP && cilen == CILEN_CHAP) {
1098               GETCHAR(cichar, p);
1099               /* Stop asking for EAP, if we were. */
1100               if (go->neg_eap) {
1101                     try.neg_eap = 0;
1102                     /* Try to set up to use their suggestion, if possible */
1103                     if (CHAP_CANDIGEST(go->chap_mdtype, cichar))
1104                         try.chap_mdtype = CHAP_MDTYPE_D(cichar);
1105               } else if (go->neg_chap) {
1106                     /*
1107                      * We were asking for our preferred algorithm, they must
1108                      * want something different.
1109                      */
1110                     if (cichar != CHAP_DIGEST(go->chap_mdtype)) {
1111                         if (CHAP_CANDIGEST(go->chap_mdtype, cichar)) {
1112                               /* Use their suggestion if we support it ... */
1113                               try.chap_mdtype = CHAP_MDTYPE_D(cichar);
1114                         } else {
1115                               /* ... otherwise, try our next-preferred algorithm. */
1116                               try.chap_mdtype &= ~(CHAP_MDTYPE(try.chap_mdtype));
1117                               if (try.chap_mdtype == MDTYPE_NONE) /* out of algos */
1118                                   try.neg_chap = 0;
1119                         }
1120                     } else {
1121                         /*
1122                          * Whoops, they Nak'd our algorithm of choice
1123                          * but then suggested it back to us.
1124                          */
1125                         goto bad;
1126                     }
1127               } else {
1128                     /*
1129                      * Stop asking for PAP if we were asking for it.
1130                      */
1131                     try.neg_upap = 0;
1132               }
1133 
1134           } else {
1135 
1136               /*
1137                * If we were asking for EAP, and they're Conf-Naking EAP,
1138                * well, that's just strange.  Nobody should do that.
1139                */
1140               if (cishort == PPP_EAP && cilen == CILEN_SHORT && go->neg_eap)
1141                     dbglog("Unexpected Conf-Nak for EAP");
1142 
1143               /*
1144                * We don't recognize what they're suggesting.
1145                * Stop asking for what we were asking for.
1146                */
1147               if (go->neg_eap)
1148                     try.neg_eap = 0;
1149               else if (go->neg_chap)
1150                     try.neg_chap = 0;
1151               else
1152                     try.neg_upap = 0;
1153               p += cilen - CILEN_SHORT;
1154           }
1155     }
1156 
1157     /*
1158      * If they can't cope with our link quality protocol, we'll have
1159      * to stop asking for LQR.  We haven't got any other protocol.
1160      * If they Nak the reporting period, take their value XXX ?
1161      */
1162     NAKCILQR(CI_QUALITY, neg_lqr,
1163                if (cishort != PPP_LQR)
1164                      try.neg_lqr = 0;
1165                else
1166                      try.lqr_period = cilong;
1167                );
1168 
1169     /*
1170      * Only implementing CBCP...not the rest of the callback options
1171      */
1172     NAKCICHAR(CI_CALLBACK, neg_cbcp,
1173               try.neg_cbcp = 0;
1174               );
1175 
1176     /*
1177      * Check for a looped-back line.
1178      */
1179     NAKCILONG(CI_MAGICNUMBER, neg_magicnumber,
1180                 try.magicnumber = magic();
1181                 looped_back = 1;
1182                 );
1183 
1184     /*
1185      * Peer shouldn't send Nak for protocol compression or
1186      * address/control compression requests; they should send
1187      * a Reject instead.  If they send a Nak, treat it as a Reject.
1188      */
1189     NAKCIVOID(CI_PCOMPRESSION, neg_pcompression);
1190     NAKCIVOID(CI_ACCOMPRESSION, neg_accompression);
1191 
1192     /*
1193      * Nak for MRRU option - accept their value if it is smaller
1194      * than the one we want.
1195      */
1196     if (go->neg_mrru) {
1197           NAKCISHORT(CI_MRRU, neg_mrru,
1198                        if (treat_as_reject)
1199                            try.neg_mrru = 0;
1200                        else if (cishort <= wo->mrru)
1201                            try.mrru = cishort;
1202                        );
1203     }
1204 
1205     /*
1206      * Nak for short sequence numbers shouldn't be sent, treat it
1207      * like a reject.
1208      */
1209     NAKCIVOID(CI_SSNHF, neg_ssnhf);
1210 
1211     /*
1212      * Nak of the endpoint discriminator option is not permitted,
1213      * treat it like a reject.
1214      */
1215     NAKCIENDP(CI_EPDISC, neg_endpoint);
1216 
1217     /*
1218      * There may be remaining CIs, if the peer is requesting negotiation
1219      * on an option that we didn't include in our request packet.
1220      * If we see an option that we requested, or one we've already seen
1221      * in this packet, then this packet is bad.
1222      * If we wanted to respond by starting to negotiate on the requested
1223      * option(s), we could, but we don't, because except for the
1224      * authentication type and quality protocol, if we are not negotiating
1225      * an option, it is because we were told not to.
1226      * For the authentication type, the Nak from the peer means
1227      * `let me authenticate myself with you' which is a bit pointless.
1228      * For the quality protocol, the Nak means `ask me to send you quality
1229      * reports', but if we didn't ask for them, we don't want them.
1230      * An option we don't recognize represents the peer asking to
1231      * negotiate some option we don't support, so ignore it.
1232      */
1233     while (len >= CILEN_VOID) {
1234           GETCHAR(citype, p);
1235           GETCHAR(cilen, p);
1236           if (cilen < CILEN_VOID || (len -= cilen) < 0)
1237               goto bad;
1238           next = p + cilen - 2;
1239 
1240           switch (citype) {
1241           case CI_MRU:
1242               if ((go->neg_mru && go->mru != DEFMRU)
1243                     || no.neg_mru || cilen != CILEN_SHORT)
1244                     goto bad;
1245               GETSHORT(cishort, p);
1246               if (cishort < DEFMRU) {
1247                     try.neg_mru = 1;
1248                     try.mru = cishort;
1249               }
1250               break;
1251           case CI_ASYNCMAP:
1252               if ((go->neg_asyncmap && go->asyncmap != 0xFFFFFFFF)
1253                     || no.neg_asyncmap || cilen != CILEN_LONG)
1254                     goto bad;
1255               break;
1256           case CI_AUTHTYPE:
1257               if (go->neg_chap || no.neg_chap || go->neg_upap || no.neg_upap ||
1258                     go->neg_eap || no.neg_eap)
1259                     goto bad;
1260               break;
1261           case CI_MAGICNUMBER:
1262               if (go->neg_magicnumber || no.neg_magicnumber ||
1263                     cilen != CILEN_LONG)
1264                     goto bad;
1265               break;
1266           case CI_PCOMPRESSION:
1267               if (go->neg_pcompression || no.neg_pcompression
1268                     || cilen != CILEN_VOID)
1269                     goto bad;
1270               break;
1271           case CI_ACCOMPRESSION:
1272               if (go->neg_accompression || no.neg_accompression
1273                     || cilen != CILEN_VOID)
1274                     goto bad;
1275               break;
1276           case CI_QUALITY:
1277               if (go->neg_lqr || no.neg_lqr || cilen != CILEN_LQR)
1278                     goto bad;
1279               break;
1280           case CI_MRRU:
1281               if (go->neg_mrru || no.neg_mrru || cilen != CILEN_SHORT)
1282                     goto bad;
1283               break;
1284           case CI_SSNHF:
1285               if (go->neg_ssnhf || no.neg_ssnhf || cilen != CILEN_VOID)
1286                     goto bad;
1287               try.neg_ssnhf = 1;
1288               break;
1289           case CI_EPDISC:
1290               if (go->neg_endpoint || no.neg_endpoint || cilen < CILEN_CHAR)
1291                     goto bad;
1292               break;
1293           }
1294           p = next;
1295     }
1296 
1297     /*
1298      * OK, the Nak is good.  Now we can update state.
1299      * If there are any options left we ignore them.
1300      */
1301     if (f->state != OPENED) {
1302           if (looped_back) {
1303               if (++try.numloops >= lcp_loopbackfail) {
1304                     notice("Serial line is looped back.");
1305                     ppp_set_status(EXIT_LOOPBACK);
1306                     lcp_close(f->unit, "Loopback detected");
1307               }
1308           } else
1309               try.numloops = 0;
1310           *go = try;
1311     }
1312 
1313     return 1;
1314 
1315 bad:
1316     LCPDEBUG(("lcp_nakci: received bad Nak!"));
1317     return 0;
1318 }
1319 
1320 
1321 /*
1322  * lcp_rejci - Peer has Rejected some of our CIs.
1323  * This should not modify any state if the Reject is bad
1324  * or if LCP is in the OPENED state.
1325  *
1326  * Returns:
1327  *        0 - Reject was bad.
1328  *        1 - Reject was good.
1329  */
1330 static int
lcp_rejci(fsm * f,u_char * p,int len)1331 lcp_rejci(fsm *f, u_char *p, int len)
1332 {
1333     lcp_options *go = &lcp_gotoptions[f->unit];
1334     u_char cichar;
1335     u_short cishort;
1336     u_int32_t cilong;
1337     lcp_options try;                    /* options to request next time */
1338 
1339     try = *go;
1340 
1341     /*
1342      * Any Rejected CIs must be in exactly the same order that we sent.
1343      * Check packet length and CI length at each step.
1344      * If we find any deviations, then this packet is bad.
1345      */
1346 #define REJCIVOID(opt, neg) \
1347     if (go->neg && \
1348           len >= CILEN_VOID && \
1349           p[1] == CILEN_VOID && \
1350           p[0] == opt) { \
1351           len -= CILEN_VOID; \
1352           INCPTR(CILEN_VOID, p); \
1353           try.neg = 0; \
1354     }
1355 #define REJCISHORT(opt, neg, val) \
1356     if (go->neg && \
1357           len >= CILEN_SHORT && \
1358           p[1] == CILEN_SHORT && \
1359           p[0] == opt) { \
1360           len -= CILEN_SHORT; \
1361           INCPTR(2, p); \
1362           GETSHORT(cishort, p); \
1363           /* Check rejected value. */ \
1364           if (cishort != val) \
1365               goto bad; \
1366           try.neg = 0; \
1367     }
1368 #define REJCICHAP(opt, neg, val) \
1369     if (go->neg && \
1370           len >= CILEN_CHAP && \
1371           p[1] == CILEN_CHAP && \
1372           p[0] == opt) { \
1373           len -= CILEN_CHAP; \
1374           INCPTR(2, p); \
1375           GETSHORT(cishort, p); \
1376           GETCHAR(cichar, p); \
1377           /* Check rejected value. */ \
1378           if ((cishort != PPP_CHAP) || (cichar != (CHAP_DIGEST(val)))) \
1379               goto bad; \
1380           try.neg = 0; \
1381           try.neg_eap = try.neg_upap = 0; \
1382     }
1383 #define REJCILONG(opt, neg, val) \
1384     if (go->neg && \
1385           len >= CILEN_LONG && \
1386           p[1] == CILEN_LONG && \
1387           p[0] == opt) { \
1388           len -= CILEN_LONG; \
1389           INCPTR(2, p); \
1390           GETLONG(cilong, p); \
1391           /* Check rejected value. */ \
1392           if (cilong != val) \
1393               goto bad; \
1394           try.neg = 0; \
1395     }
1396 #define REJCILQR(opt, neg, val) \
1397     if (go->neg && \
1398           len >= CILEN_LQR && \
1399           p[1] == CILEN_LQR && \
1400           p[0] == opt) { \
1401           len -= CILEN_LQR; \
1402           INCPTR(2, p); \
1403           GETSHORT(cishort, p); \
1404           GETLONG(cilong, p); \
1405           /* Check rejected value. */ \
1406           if (cishort != PPP_LQR || cilong != val) \
1407               goto bad; \
1408           try.neg = 0; \
1409     }
1410 #define REJCICBCP(opt, neg, val) \
1411     if (go->neg && \
1412           len >= CILEN_CBCP && \
1413           p[1] == CILEN_CBCP && \
1414           p[0] == opt) { \
1415           len -= CILEN_CBCP; \
1416           INCPTR(2, p); \
1417           GETCHAR(cichar, p); \
1418           /* Check rejected value. */ \
1419           if (cichar != val) \
1420               goto bad; \
1421           try.neg = 0; \
1422     }
1423 #define REJCIENDP(opt, neg, class, val, vlen) \
1424     if (go->neg && \
1425           len >= CILEN_CHAR + vlen && \
1426           p[0] == opt && \
1427           p[1] == CILEN_CHAR + vlen) { \
1428           int i; \
1429           len -= CILEN_CHAR + vlen; \
1430           INCPTR(2, p); \
1431           GETCHAR(cichar, p); \
1432           if (cichar != class) \
1433               goto bad; \
1434           for (i = 0; i < vlen; ++i) { \
1435               GETCHAR(cichar, p); \
1436               if (cichar != val[i]) \
1437                     goto bad; \
1438           } \
1439           try.neg = 0; \
1440     }
1441 
1442     REJCISHORT(CI_MRU, neg_mru, go->mru);
1443     REJCILONG(CI_ASYNCMAP, neg_asyncmap, go->asyncmap);
1444     REJCISHORT(CI_AUTHTYPE, neg_eap, PPP_EAP);
1445     if (!go->neg_eap) {
1446           REJCICHAP(CI_AUTHTYPE, neg_chap, go->chap_mdtype);
1447           if (!go->neg_chap) {
1448               REJCISHORT(CI_AUTHTYPE, neg_upap, PPP_PAP);
1449           }
1450     }
1451     REJCILQR(CI_QUALITY, neg_lqr, go->lqr_period);
1452     REJCICBCP(CI_CALLBACK, neg_cbcp, CBCP_OPT);
1453     REJCILONG(CI_MAGICNUMBER, neg_magicnumber, go->magicnumber);
1454     REJCIVOID(CI_PCOMPRESSION, neg_pcompression);
1455     REJCIVOID(CI_ACCOMPRESSION, neg_accompression);
1456     REJCISHORT(CI_MRRU, neg_mrru, go->mrru);
1457     REJCIVOID(CI_SSNHF, neg_ssnhf);
1458     REJCIENDP(CI_EPDISC, neg_endpoint, go->endpoint.class,
1459                 go->endpoint.value, go->endpoint.length);
1460 
1461     /*
1462      * If there are any remaining CIs, then this packet is bad.
1463      */
1464     if (len != 0)
1465           goto bad;
1466     /*
1467      * Now we can update state.
1468      */
1469     if (f->state != OPENED)
1470           *go = try;
1471     return 1;
1472 
1473 bad:
1474     LCPDEBUG(("lcp_rejci: received bad Reject!"));
1475     return 0;
1476 }
1477 
1478 
1479 /*
1480  * lcp_reqci - Check the peer's requested CIs and send appropriate response.
1481  *
1482  * Returns: CONFACK, CONFNAK or CONFREJ and input packet modified
1483  * appropriately.  If reject_if_disagree is non-zero, doesn't return
1484  * CONFNAK; returns CONFREJ if it can't return CONFACK.
1485  */
1486 static int
lcp_reqci(fsm * f,u_char * inp,int * lenp,int reject_if_disagree)1487 lcp_reqci(fsm *f, u_char *inp, int *lenp, int reject_if_disagree)
1488 {
1489     lcp_options *go = &lcp_gotoptions[f->unit];
1490     lcp_options *ho = &lcp_hisoptions[f->unit];
1491     lcp_options *ao = &lcp_allowoptions[f->unit];
1492     u_char *cip, *next;                 /* Pointer to current and next CIs */
1493     int cilen, citype, cichar;          /* Parsed len, type, char value */
1494     u_short cishort;                    /* Parsed short value */
1495     u_int32_t cilong;                   /* Parse long value */
1496     int rc = CONFACK;                   /* Final packet return code */
1497     int orc;                            /* Individual option return code */
1498     u_char *p;                          /* Pointer to next char to parse */
1499     u_char *rejp;             /* Pointer to next char in reject frame */
1500     u_char *nakp;             /* Pointer to next char in Nak frame */
1501     int l = *lenp;            /* Length left */
1502 
1503     /*
1504      * Reset all his options.
1505      */
1506     BZERO(ho, sizeof(*ho));
1507 
1508     /*
1509      * Process all his options.
1510      */
1511     next = inp;
1512     nakp = nak_buffer;
1513     rejp = inp;
1514     while (l) {
1515           orc = CONFACK;                          /* Assume success */
1516           cip = p = next;                         /* Remember begining of CI */
1517           if (l < 2 ||                            /* Not enough data for CI header or */
1518               p[1] < 2 ||                         /*  CI length too small or */
1519               p[1] > l) {                         /*  CI length too big? */
1520               LCPDEBUG(("lcp_reqci: bad CI length!"));
1521               orc = CONFREJ;            /* Reject bad CI */
1522               cilen = l;                          /* Reject till end of packet */
1523               l = 0;                              /* Don't loop again */
1524               citype = 0;
1525               goto endswitch;
1526           }
1527           GETCHAR(citype, p);           /* Parse CI type */
1528           GETCHAR(cilen, p);            /* Parse CI length */
1529           l -= cilen;                             /* Adjust remaining length */
1530           next += cilen;                          /* Step to next CI */
1531 
1532           switch (citype) {             /* Check CI type */
1533           case CI_MRU:
1534               if (!ao->neg_mru ||                 /* Allow option? */
1535                     cilen != CILEN_SHORT) {       /* Check CI length */
1536                     orc = CONFREJ;                /* Reject CI */
1537                     break;
1538               }
1539               GETSHORT(cishort, p);     /* Parse MRU */
1540 
1541               /*
1542                * He must be able to receive at least our minimum.
1543                * No need to check a maximum.  If he sends a large number,
1544                * we'll just ignore it.
1545                */
1546               if (cishort < MINMRU) {
1547                     orc = CONFNAK;                /* Nak CI */
1548                     PUTCHAR(CI_MRU, nakp);
1549                     PUTCHAR(CILEN_SHORT, nakp);
1550                     PUTSHORT(MINMRU, nakp);       /* Give him a hint */
1551                     break;
1552               }
1553               ho->neg_mru = 1;                    /* Remember he sent MRU */
1554               ho->mru = cishort;                  /* And remember value */
1555               break;
1556 
1557           case CI_ASYNCMAP:
1558               if (!ao->neg_asyncmap ||
1559                     cilen != CILEN_LONG) {
1560                     orc = CONFREJ;
1561                     break;
1562               }
1563               GETLONG(cilong, p);
1564 
1565               /*
1566                * Asyncmap must have set at least the bits
1567                * which are set in lcp_allowoptions[unit].asyncmap.
1568                */
1569               if ((ao->asyncmap & ~cilong) != 0) {
1570                     orc = CONFNAK;
1571                     PUTCHAR(CI_ASYNCMAP, nakp);
1572                     PUTCHAR(CILEN_LONG, nakp);
1573                     PUTLONG(ao->asyncmap | cilong, nakp);
1574                     break;
1575               }
1576               ho->neg_asyncmap = 1;
1577               ho->asyncmap = cilong;
1578               break;
1579 
1580           case CI_AUTHTYPE:
1581               if (cilen < CILEN_SHORT ||
1582                     !(ao->neg_upap || ao->neg_chap || ao->neg_eap)) {
1583                     /*
1584                      * Reject the option if we're not willing to authenticate.
1585                      */
1586                     dbglog("No auth is possible");
1587                     orc = CONFREJ;
1588                     break;
1589               }
1590               GETSHORT(cishort, p);
1591 
1592               /*
1593                * Authtype must be PAP, CHAP, or EAP.
1594                *
1595                * Note: if more than one of ao->neg_upap, ao->neg_chap, and
1596                * ao->neg_eap are set, and the peer sends a Configure-Request
1597                * with two or more authenticate-protocol requests, then we will
1598                * reject the second request.
1599                * Whether we end up doing CHAP, UPAP, or EAP depends then on
1600                * the ordering of the CIs in the peer's Configure-Request.
1601              */
1602 
1603               if (cishort == PPP_PAP) {
1604                     /* we've already accepted CHAP or EAP */
1605                     if (ho->neg_chap || ho->neg_eap ||
1606                         cilen != CILEN_SHORT) {
1607                         LCPDEBUG(("lcp_reqci: rcvd AUTHTYPE PAP, rejecting..."));
1608                         orc = CONFREJ;
1609                         break;
1610                     }
1611                     if (!ao->neg_upap) {          /* we don't want to do PAP */
1612                         orc = CONFNAK;  /* NAK it and suggest CHAP or EAP */
1613                         PUTCHAR(CI_AUTHTYPE, nakp);
1614                         if (ao->neg_eap) {
1615                               PUTCHAR(CILEN_SHORT, nakp);
1616                               PUTSHORT(PPP_EAP, nakp);
1617                         } else {
1618                               PUTCHAR(CILEN_CHAP, nakp);
1619                               PUTSHORT(PPP_CHAP, nakp);
1620                               PUTCHAR(CHAP_DIGEST(ao->chap_mdtype), nakp);
1621                         }
1622                         break;
1623                     }
1624                     ho->neg_upap = 1;
1625                     break;
1626               }
1627               if (cishort == PPP_CHAP) {
1628                     /* we've already accepted PAP or EAP */
1629                     if (ho->neg_upap || ho->neg_eap ||
1630                         cilen != CILEN_CHAP) {
1631                         LCPDEBUG(("lcp_reqci: rcvd AUTHTYPE CHAP, rejecting..."));
1632                         orc = CONFREJ;
1633                         break;
1634                     }
1635                     if (!ao->neg_chap) {          /* we don't want to do CHAP */
1636                         orc = CONFNAK;  /* NAK it and suggest EAP or PAP */
1637                         PUTCHAR(CI_AUTHTYPE, nakp);
1638                         PUTCHAR(CILEN_SHORT, nakp);
1639                         if (ao->neg_eap) {
1640                               PUTSHORT(PPP_EAP, nakp);
1641                         } else {
1642                               PUTSHORT(PPP_PAP, nakp);
1643                         }
1644                         break;
1645                     }
1646                     GETCHAR(cichar, p); /* get digest type */
1647                     if (!(CHAP_CANDIGEST(ao->chap_mdtype, cichar))) {
1648                         /*
1649                          * We can't/won't do the requested type,
1650                          * suggest something else.
1651                          */
1652                         orc = CONFNAK;
1653                         PUTCHAR(CI_AUTHTYPE, nakp);
1654                         PUTCHAR(CILEN_CHAP, nakp);
1655                         PUTSHORT(PPP_CHAP, nakp);
1656                         PUTCHAR(CHAP_DIGEST(ao->chap_mdtype), nakp);
1657                         break;
1658                     }
1659                     ho->chap_mdtype = CHAP_MDTYPE_D(cichar); /* save md type */
1660                     ho->neg_chap = 1;
1661                     break;
1662               }
1663               if (cishort == PPP_EAP) {
1664                     /* we've already accepted CHAP or PAP */
1665                     if (ho->neg_chap || ho->neg_upap || cilen != CILEN_SHORT) {
1666                         LCPDEBUG(("lcp_reqci: rcvd AUTHTYPE EAP, rejecting..."));
1667                         orc = CONFREJ;
1668                         break;
1669                     }
1670                     if (!ao->neg_eap) { /* we don't want to do EAP */
1671                         orc = CONFNAK;  /* NAK it and suggest CHAP or PAP */
1672                         PUTCHAR(CI_AUTHTYPE, nakp);
1673                         if (ao->neg_chap) {
1674                               PUTCHAR(CILEN_CHAP, nakp);
1675                               PUTSHORT(PPP_CHAP, nakp);
1676                               PUTCHAR(CHAP_DIGEST(ao->chap_mdtype), nakp);
1677                         } else {
1678                               PUTCHAR(CILEN_SHORT, nakp);
1679                               PUTSHORT(PPP_PAP, nakp);
1680                         }
1681                         break;
1682                     }
1683                     ho->neg_eap = 1;
1684                     break;
1685               }
1686 
1687               /*
1688                * We don't recognize the protocol they're asking for.
1689                * Nak it with something we're willing to do.
1690                * (At this point we know ao->neg_upap || ao->neg_chap ||
1691                * ao->neg_eap.)
1692                */
1693               orc = CONFNAK;
1694               PUTCHAR(CI_AUTHTYPE, nakp);
1695               if (ao->neg_eap) {
1696                     PUTCHAR(CILEN_SHORT, nakp);
1697                     PUTSHORT(PPP_EAP, nakp);
1698               } else if (ao->neg_chap) {
1699                     PUTCHAR(CILEN_CHAP, nakp);
1700                     PUTSHORT(PPP_CHAP, nakp);
1701                     PUTCHAR(CHAP_DIGEST(ao->chap_mdtype), nakp);
1702               } else {
1703                     PUTCHAR(CILEN_SHORT, nakp);
1704                     PUTSHORT(PPP_PAP, nakp);
1705               }
1706               break;
1707 
1708           case CI_QUALITY:
1709               if (!ao->neg_lqr ||
1710                     cilen != CILEN_LQR) {
1711                     orc = CONFREJ;
1712                     break;
1713               }
1714 
1715               GETSHORT(cishort, p);
1716               GETLONG(cilong, p);
1717 
1718               /*
1719                * Check the protocol and the reporting period.
1720                * XXX When should we Nak this, and what with?
1721                */
1722               if (cishort != PPP_LQR) {
1723                     orc = CONFNAK;
1724                     PUTCHAR(CI_QUALITY, nakp);
1725                     PUTCHAR(CILEN_LQR, nakp);
1726                     PUTSHORT(PPP_LQR, nakp);
1727                     PUTLONG(ao->lqr_period, nakp);
1728                     break;
1729               }
1730               break;
1731 
1732           case CI_MAGICNUMBER:
1733               if (!(ao->neg_magicnumber || go->neg_magicnumber) ||
1734                     cilen != CILEN_LONG) {
1735                     orc = CONFREJ;
1736                     break;
1737               }
1738               GETLONG(cilong, p);
1739 
1740               /*
1741                * He must have a different magic number.
1742                */
1743               if (go->neg_magicnumber &&
1744                     cilong == go->magicnumber) {
1745                     cilong = magic();   /* Don't put magic() inside macro! */
1746                     orc = CONFNAK;
1747                     PUTCHAR(CI_MAGICNUMBER, nakp);
1748                     PUTCHAR(CILEN_LONG, nakp);
1749                     PUTLONG(cilong, nakp);
1750                     break;
1751               }
1752               ho->neg_magicnumber = 1;
1753               ho->magicnumber = cilong;
1754               break;
1755 
1756 
1757           case CI_PCOMPRESSION:
1758               if (!ao->neg_pcompression ||
1759                     cilen != CILEN_VOID) {
1760                     orc = CONFREJ;
1761                     break;
1762               }
1763               ho->neg_pcompression = 1;
1764               break;
1765 
1766           case CI_ACCOMPRESSION:
1767               if (!ao->neg_accompression ||
1768                     cilen != CILEN_VOID) {
1769                     orc = CONFREJ;
1770                     break;
1771               }
1772               ho->neg_accompression = 1;
1773               break;
1774 
1775           case CI_MRRU:
1776               if (!ao->neg_mrru || !multilink ||
1777                     cilen != CILEN_SHORT) {
1778                     orc = CONFREJ;
1779                     break;
1780               }
1781 
1782               GETSHORT(cishort, p);
1783               /* possibly should insist on a minimum/maximum MRRU here */
1784               ho->neg_mrru = 1;
1785               ho->mrru = cishort;
1786               break;
1787 
1788           case CI_SSNHF:
1789               if (!ao->neg_ssnhf || !multilink ||
1790                     cilen != CILEN_VOID) {
1791                     orc = CONFREJ;
1792                     break;
1793               }
1794               ho->neg_ssnhf = 1;
1795               break;
1796 
1797           case CI_EPDISC:
1798               if (!ao->neg_endpoint ||
1799                     cilen < CILEN_CHAR ||
1800                     cilen > CILEN_CHAR + MAX_ENDP_LEN) {
1801                     orc = CONFREJ;
1802                     break;
1803               }
1804               GETCHAR(cichar, p);
1805               cilen -= CILEN_CHAR;
1806               ho->neg_endpoint = 1;
1807               ho->endpoint.class = cichar;
1808               ho->endpoint.length = cilen;
1809               BCOPY(p, ho->endpoint.value, cilen);
1810               INCPTR(cilen, p);
1811               break;
1812 
1813           default:
1814               LCPDEBUG(("lcp_reqci: rcvd unknown option %d", citype));
1815               orc = CONFREJ;
1816               break;
1817           }
1818 
1819 endswitch:
1820           if (orc == CONFACK &&                   /* Good CI */
1821               rc != CONFACK)            /*  but prior CI wasnt? */
1822               continue;                           /* Don't send this one */
1823 
1824           if (orc == CONFNAK) {                   /* Nak this CI? */
1825               if (reject_if_disagree    /* Getting fed up with sending NAKs? */
1826                     && citype != CI_MAGICNUMBER) {
1827                     orc = CONFREJ;                /* Get tough if so */
1828               } else {
1829                     if (rc == CONFREJ)  /* Rejecting prior CI? */
1830                         continue;                 /* Don't send this one */
1831                     rc = CONFNAK;
1832               }
1833           }
1834           if (orc == CONFREJ) {                   /* Reject this CI */
1835               rc = CONFREJ;
1836               if (cip != rejp)                    /* Need to move rejected CI? */
1837                     BCOPY(cip, rejp, cilen); /* Move it */
1838               INCPTR(cilen, rejp);      /* Update output pointer */
1839           }
1840     }
1841 
1842     /*
1843      * If we wanted to send additional NAKs (for unsent CIs), the
1844      * code would go here.  The extra NAKs would go at *nakp.
1845      * At present there are no cases where we want to ask the
1846      * peer to negotiate an option.
1847      */
1848 
1849     switch (rc) {
1850     case CONFACK:
1851           *lenp = next - inp;
1852           break;
1853     case CONFNAK:
1854           /*
1855            * Copy the Nak'd options from the nak_buffer to the caller's buffer.
1856            */
1857           *lenp = nakp - nak_buffer;
1858           BCOPY(nak_buffer, inp, *lenp);
1859           break;
1860     case CONFREJ:
1861           *lenp = rejp - inp;
1862           break;
1863     }
1864 
1865     LCPDEBUG(("lcp_reqci: returning CONF%s.", CODENAME(rc)));
1866     return (rc);                        /* Return final code */
1867 }
1868 
1869 
1870 /*
1871  * lcp_up - LCP has come UP.
1872  */
1873 static void
lcp_up(fsm * f)1874 lcp_up(fsm *f)
1875 {
1876     lcp_options *wo = &lcp_wantoptions[f->unit];
1877     lcp_options *ho = &lcp_hisoptions[f->unit];
1878     lcp_options *go = &lcp_gotoptions[f->unit];
1879     lcp_options *ao = &lcp_allowoptions[f->unit];
1880     int mtu, mru;
1881 
1882     if (!go->neg_magicnumber)
1883           go->magicnumber = 0;
1884     if (!ho->neg_magicnumber)
1885           ho->magicnumber = 0;
1886 
1887     /*
1888      * Set our MTU to the smaller of the MTU we wanted and
1889      * the MRU our peer wanted.  If we negotiated an MRU,
1890      * set our MRU to the larger of value we wanted and
1891      * the value we got in the negotiation.
1892      * Note on the MTU: the link MTU can be the MRU the peer wanted,
1893      * the interface MTU is set to the lowest of that, the
1894      * MTU we want to use, and our link MRU.
1895      */
1896     mtu = ho->neg_mru? ho->mru: PPP_MRU;
1897     mru = go->neg_mru? MAX(wo->mru, go->mru): PPP_MRU;
1898 #ifdef PPP_WITH_MULTILINK
1899     if (!(multilink && go->neg_mrru && ho->neg_mrru))
1900 #endif /* PPP_WITH_MULTILINK */
1901           ppp_set_mtu(f->unit, MIN(MIN(mtu, mru), ao->mru));
1902     ppp_send_config(f->unit, mtu,
1903                         (ho->neg_asyncmap? ho->asyncmap: 0xffffffff),
1904                         ho->neg_pcompression, ho->neg_accompression);
1905     ppp_recv_config(f->unit, mru,
1906                         (lax_recv? 0: go->neg_asyncmap? go->asyncmap: 0xffffffff),
1907                         go->neg_pcompression, go->neg_accompression);
1908 
1909     if (ho->neg_mru)
1910           peer_mru[f->unit] = ho->mru;
1911 
1912     lcp_echo_lowerup(f->unit);  /* Enable echo messages */
1913 
1914     link_established(f->unit);
1915 }
1916 
1917 
1918 /*
1919  * lcp_down - LCP has gone DOWN.
1920  *
1921  * Alert other protocols.
1922  */
1923 static void
lcp_down(fsm * f)1924 lcp_down(fsm *f)
1925 {
1926     lcp_options *go = &lcp_gotoptions[f->unit];
1927 
1928     lcp_echo_lowerdown(f->unit);
1929 
1930     link_down(f->unit);
1931 
1932     ppp_send_config(f->unit, PPP_MRU, 0xffffffff, 0, 0);
1933     ppp_recv_config(f->unit, PPP_MRU,
1934                         (go->neg_asyncmap? go->asyncmap: 0xffffffff),
1935                         go->neg_pcompression, go->neg_accompression);
1936     peer_mru[f->unit] = PPP_MRU;
1937 }
1938 
1939 
1940 /*
1941  * lcp_starting - LCP needs the lower layer up.
1942  */
1943 static void
lcp_starting(fsm * f)1944 lcp_starting(fsm *f)
1945 {
1946     link_required(f->unit);
1947 }
1948 
1949 
1950 /*
1951  * lcp_finished - LCP has finished with the lower layer.
1952  */
1953 static void
lcp_finished(fsm * f)1954 lcp_finished(fsm *f)
1955 {
1956     link_terminated(f->unit);
1957 }
1958 
1959 
1960 /*
1961  * lcp_printpkt - print the contents of an LCP packet.
1962  */
1963 static char *lcp_codenames[] = {
1964     "ConfReq", "ConfAck", "ConfNak", "ConfRej",
1965     "TermReq", "TermAck", "CodeRej", "ProtRej",
1966     "EchoReq", "EchoRep", "DiscReq", "Ident",
1967     "TimeRem"
1968 };
1969 
1970 static int
lcp_printpkt(u_char * p,int plen,void (* printer)(void *,char *,...),void * arg)1971 lcp_printpkt(u_char *p, int plen, void (*printer)(void *, char *, ...), void *arg)
1972 {
1973     int code, id, len, olen, i;
1974     u_char *pstart, *optend;
1975     u_short cishort;
1976     u_int32_t cilong;
1977 
1978     if (plen < HEADERLEN)
1979           return 0;
1980     pstart = p;
1981     GETCHAR(code, p);
1982     GETCHAR(id, p);
1983     GETSHORT(len, p);
1984     if (len < HEADERLEN || len > plen)
1985           return 0;
1986 
1987     if (code >= 1 && code <= sizeof(lcp_codenames) / sizeof(char *))
1988           printer(arg, " %s", lcp_codenames[code-1]);
1989     else
1990           printer(arg, " code=0x%x", code);
1991     printer(arg, " id=0x%x", id);
1992     len -= HEADERLEN;
1993     switch (code) {
1994     case CONFREQ:
1995     case CONFACK:
1996     case CONFNAK:
1997     case CONFREJ:
1998           /* print option list */
1999           while (len >= 2) {
2000               GETCHAR(code, p);
2001               GETCHAR(olen, p);
2002               p -= 2;
2003               if (olen < 2 || olen > len) {
2004                     break;
2005               }
2006               printer(arg, " <");
2007               len -= olen;
2008               optend = p + olen;
2009               switch (code) {
2010               case CI_MRU:
2011                     if (olen == CILEN_SHORT) {
2012                         p += 2;
2013                         GETSHORT(cishort, p);
2014                         printer(arg, "mru %d", cishort);
2015                     }
2016                     break;
2017               case CI_ASYNCMAP:
2018                     if (olen == CILEN_LONG) {
2019                         p += 2;
2020                         GETLONG(cilong, p);
2021                         printer(arg, "asyncmap 0x%x", cilong);
2022                     }
2023                     break;
2024               case CI_AUTHTYPE:
2025                     if (olen >= CILEN_SHORT) {
2026                         p += 2;
2027                         printer(arg, "auth ");
2028                         GETSHORT(cishort, p);
2029                         switch (cishort) {
2030                         case PPP_PAP:
2031                               printer(arg, "pap");
2032                               break;
2033                         case PPP_CHAP:
2034                               printer(arg, "chap");
2035                               if (p < optend) {
2036                                   switch (*p) {
2037                                   case CHAP_MD5:
2038                                         printer(arg, " MD5");
2039                                         ++p;
2040                                         break;
2041                                   case CHAP_MICROSOFT:
2042                                         printer(arg, " MS");
2043                                         ++p;
2044                                         break;
2045 
2046                                   case CHAP_MICROSOFT_V2:
2047                                         printer(arg, " MS-v2");
2048                                         ++p;
2049                                         break;
2050                                   }
2051                               }
2052                               break;
2053                         case PPP_EAP:
2054                               printer(arg, "eap");
2055                               break;
2056                         default:
2057                               printer(arg, "0x%x", cishort);
2058                         }
2059                     }
2060                     break;
2061               case CI_QUALITY:
2062                     if (olen >= CILEN_SHORT) {
2063                         p += 2;
2064                         printer(arg, "quality ");
2065                         GETSHORT(cishort, p);
2066                         switch (cishort) {
2067                         case PPP_LQR:
2068                               printer(arg, "lqr");
2069                               break;
2070                         default:
2071                               printer(arg, "0x%x", cishort);
2072                         }
2073                     }
2074                     break;
2075               case CI_CALLBACK:
2076                     if (olen >= CILEN_CHAR) {
2077                         p += 2;
2078                         printer(arg, "callback ");
2079                         GETCHAR(cishort, p);
2080                         switch (cishort) {
2081                         case CBCP_OPT:
2082                               printer(arg, "CBCP");
2083                               break;
2084                         default:
2085                               printer(arg, "0x%x", cishort);
2086                         }
2087                     }
2088                     break;
2089               case CI_MAGICNUMBER:
2090                     if (olen == CILEN_LONG) {
2091                         p += 2;
2092                         GETLONG(cilong, p);
2093                         printer(arg, "magic 0x%x", cilong);
2094                     }
2095                     break;
2096               case CI_PCOMPRESSION:
2097                     if (olen == CILEN_VOID) {
2098                         p += 2;
2099                         printer(arg, "pcomp");
2100                     }
2101                     break;
2102               case CI_ACCOMPRESSION:
2103                     if (olen == CILEN_VOID) {
2104                         p += 2;
2105                         printer(arg, "accomp");
2106                     }
2107                     break;
2108               case CI_MRRU:
2109                     if (olen == CILEN_SHORT) {
2110                         p += 2;
2111                         GETSHORT(cishort, p);
2112                         printer(arg, "mrru %d", cishort);
2113                     }
2114                     break;
2115               case CI_SSNHF:
2116                     if (olen == CILEN_VOID) {
2117                         p += 2;
2118                         printer(arg, "ssnhf");
2119                     }
2120                     break;
2121               case CI_EPDISC:
2122 #ifdef PPP_WITH_MULTILINK
2123                     if (olen >= CILEN_CHAR) {
2124                         struct epdisc epd;
2125                         p += 2;
2126                         GETCHAR(epd.class, p);
2127                         epd.length = olen - CILEN_CHAR;
2128                         if (epd.length > MAX_ENDP_LEN)
2129                               epd.length = MAX_ENDP_LEN;
2130                         if (epd.length > 0) {
2131                               BCOPY(p, epd.value, epd.length);
2132                               p += epd.length;
2133                         }
2134                         printer(arg, "endpoint [%s]", epdisc_to_str(&epd));
2135                     }
2136 #else
2137                     printer(arg, "endpoint");
2138 #endif
2139                     break;
2140               }
2141               while (p < optend) {
2142                     GETCHAR(code, p);
2143                     printer(arg, " %.2x", code);
2144               }
2145               printer(arg, ">");
2146           }
2147           break;
2148 
2149     case TERMACK:
2150     case TERMREQ:
2151           if (len > 0 && *p >= ' ' && *p < 0x7f) {
2152               printer(arg, " ");
2153               print_string((char *)p, len, printer, arg);
2154               p += len;
2155               len = 0;
2156           }
2157           break;
2158 
2159     case ECHOREQ:
2160     case ECHOREP:
2161     case DISCREQ:
2162           if (len >= 4) {
2163               GETLONG(cilong, p);
2164               printer(arg, " magic=0x%x", cilong);
2165               len -= 4;
2166           }
2167           break;
2168 
2169     case IDENTIF:
2170     case TIMEREM:
2171           if (len >= 4) {
2172               GETLONG(cilong, p);
2173               printer(arg, " magic=0x%x", cilong);
2174               len -= 4;
2175           }
2176           if (code == TIMEREM) {
2177               if (len < 4)
2178                     break;
2179               GETLONG(cilong, p);
2180               printer(arg, " seconds=%u", cilong);
2181               len -= 4;
2182           }
2183           if (len > 0) {
2184               printer(arg, " ");
2185               print_string((char *)p, len, printer, arg);
2186               p += len;
2187               len = 0;
2188           }
2189           break;
2190     }
2191 
2192     /* print the rest of the bytes in the packet */
2193     for (i = 0; i < len && i < 32; ++i) {
2194           GETCHAR(code, p);
2195           printer(arg, " %.2x", code);
2196     }
2197     if (i < len) {
2198           printer(arg, " ...");
2199           p += len - i;
2200     }
2201 
2202     return p - pstart;
2203 }
2204 
2205 /*
2206  * Time to shut down the link because there is nothing out there.
2207  */
2208 
2209 static
LcpLinkFailure(fsm * f)2210 void LcpLinkFailure (fsm *f)
2211 {
2212     if (f->state == OPENED) {
2213           info("No response to %d echo-requests", lcp_echos_pending);
2214         notice("Serial link appears to be disconnected.");
2215           ppp_set_status(EXIT_PEER_DEAD);
2216           lcp_close(f->unit, "Peer not responding");
2217     }
2218 }
2219 
2220 /*
2221  * Timer expired for the LCP echo requests from this process.
2222  */
2223 
2224 static void
LcpEchoCheck(fsm * f)2225 LcpEchoCheck (fsm *f)
2226 {
2227     LcpSendEchoRequest (f);
2228     if (f->state != OPENED)
2229           return;
2230 
2231     /*
2232      * Start the timer for the next interval.
2233      */
2234     if (lcp_echo_timer_running)
2235           warn("assertion lcp_echo_timer_running==0 failed");
2236     TIMEOUT (LcpEchoTimeout, f, lcp_echo_interval);
2237     lcp_echo_timer_running = 1;
2238 }
2239 
2240 /*
2241  * LcpEchoTimeout - Timer expired on the LCP echo
2242  */
2243 
2244 static void
LcpEchoTimeout(void * arg)2245 LcpEchoTimeout (void *arg)
2246 {
2247     if (lcp_echo_timer_running != 0) {
2248         lcp_echo_timer_running = 0;
2249         LcpEchoCheck ((fsm *) arg);
2250     }
2251 }
2252 
2253 /*
2254  * Log the round-trip time (RTT) of the received LCP echo-request.
2255  *
2256  * The header section at the beginning of lcp_rtt_file contains
2257  * LCP_RTT_HEADER_LENGTH fields, each a u_int32_t in network byte order:
2258  * [0] LCP_RTT_MAGIC
2259  * [1] status (1: the file is open and is being written)
2260  * [2] index of the most recently updated element
2261  * [3] the value of the lcp-echo-interval parameter
2262  *
2263  * The header is followed by a ring buffer of LCP_RTT_ELEMENTS elements, each
2264  * containing a pair of u_int32_t in network byte order with this content:
2265  * [0] UNIX timestamp
2266  * [1] bits 24-31: the number of lost LCP echo replies
2267  *     bits 0-23:  the measured RTT in microseconds
2268  *
2269  * The timestamp is unsigned to support storing dates beyond 2038.
2270  *
2271  * Consumers of lcp_rtt_file are expected to:
2272  * - read the complete file of arbitrary length
2273  * - check the magic number
2274  * - process the data elements starting at the index
2275  * - ignore any elements with a timestamp of 0
2276  */
2277 static void
lcp_rtt_update_buffer(unsigned long rtt)2278 lcp_rtt_update_buffer (unsigned long rtt)
2279 {
2280     volatile u_int32_t *const ring_header = lcp_rtt_buffer;
2281     volatile u_int32_t *const ring_buffer = lcp_rtt_buffer
2282           + LCP_RTT_HEADER_LENGTH;
2283     unsigned int next_entry, lost;
2284 
2285     /* choose the next entry where the data will be stored */
2286     if (ntohl(ring_header[2]) >= (LCP_RTT_ELEMENTS - 1) * 2)
2287           next_entry = 0;                                   /* go back to the beginning */
2288     else
2289           next_entry = ntohl(ring_header[2]) + 2; /* use the next one */
2290 
2291     /* update the data element */
2292     /* storing the timestamp in an *unsigned* long allows dates up to 2106 */
2293     ring_buffer[next_entry] = htonl((u_int32_t) time(NULL));
2294     lost = lcp_echos_pending - 1;
2295     if (lost > 0xFF)
2296           lost = 0xFF;                  /* truncate the lost packets count to 256 */
2297     if (rtt > 0xFFFFFF)
2298           rtt = 0xFFFFFF;               /* truncate the RTT to 16777216 */
2299     /* use bits 24-31 for the lost packets count and bits 0-23 for the RTT */
2300     ring_buffer[next_entry + 1] = htonl((u_int32_t) ((lost << 24) + rtt));
2301 
2302     /* update the pointer to the (just updated) most current data element */
2303     ring_header[2] = htonl(next_entry);
2304 
2305     /* In theory, CPUs implementing a weakly-consistent memory model do not
2306      * guarantee that these three memory store operations to the buffer will
2307      * be seen in the same order by the reader process.
2308      * This means that a process reading the file could see the index
2309      * having been updated before the element that the index points to had
2310      * been written.
2311      * But in practice we expect that the read(2) system call used by
2312      * consumers processes is atomic with respect to the following msync(2)
2313      * call, so we ignore the issue.
2314      */
2315 
2316     if (msync(lcp_rtt_buffer, LCP_RTT_FILE_SIZE, MS_ASYNC) < 0)
2317           error("msync() for %s failed: %m", lcp_rtt_file);
2318 }
2319 
2320 /*
2321  * LcpEchoReply - LCP has received a reply to the echo
2322  */
2323 
2324 static void
lcp_received_echo_reply(fsm * f,int id,u_char * inp,int len)2325 lcp_received_echo_reply (fsm *f, int id, u_char *inp, int len)
2326 {
2327     u_int32_t magic;
2328 
2329     /* Check the magic number - don't count replies from ourselves. */
2330     if (len < 4) {
2331           dbglog("lcp: received short Echo-Reply, length %d", len);
2332           return;
2333     }
2334     GETLONG(magic, inp);
2335     if (lcp_gotoptions[f->unit].neg_magicnumber
2336           && magic == lcp_gotoptions[f->unit].magicnumber) {
2337           warn("appear to have received our own echo-reply!");
2338           return;
2339     }
2340 
2341     if (lcp_rtt_file_fd && len >= 16) {
2342           long lcp_rtt_magic;
2343 
2344           /*
2345            * If the magic word is found at the beginning of the data section
2346            * of the frame then read the timestamp which follows and subtract
2347            * it from the current time to compute the round trip time.
2348            */
2349           GETLONG(lcp_rtt_magic, inp);
2350           if (lcp_rtt_magic == LCP_RTT_MAGIC) {
2351               struct timespec ts;
2352               unsigned long req_sec, req_nsec, rtt;
2353 
2354               clock_gettime(CLOCK_MONOTONIC, &ts);
2355               GETLONG(req_sec, inp);
2356               GETLONG(req_nsec, inp);
2357               /* compute the RTT in microseconds */
2358               rtt = (ts.tv_sec - req_sec) * 1000000
2359                     + (ts.tv_nsec / 1000 - req_nsec / 1000);
2360               /* log the RTT */
2361               lcp_rtt_update_buffer(rtt);
2362           }
2363     }
2364 
2365     /* Reset the number of outstanding echo frames */
2366     lcp_echos_pending = 0;
2367 }
2368 
2369 /*
2370  * LcpSendEchoRequest - Send an echo request frame to the peer
2371  */
2372 
2373 static void
LcpSendEchoRequest(fsm * f)2374 LcpSendEchoRequest (fsm *f)
2375 {
2376     u_int32_t lcp_magic;
2377     u_char pkt[16], *pktp;
2378 
2379     /*
2380      * Detect the failure of the peer at this point.
2381      */
2382     if (lcp_echo_fails != 0) {
2383         if (lcp_echos_pending >= lcp_echo_fails) {
2384             LcpLinkFailure(f);
2385               lcp_echos_pending = 0;
2386           }
2387     }
2388 
2389     /*
2390      * If adaptive echos have been enabled, only send the echo request if
2391      * no traffic was received since the last one.
2392      */
2393     if (lcp_echo_adaptive) {
2394           static unsigned int last_pkts_in = 0;
2395           struct pppd_stats cur_stats;
2396 
2397           if (get_ppp_stats(f->unit, &cur_stats) && cur_stats.pkts_in != last_pkts_in) {
2398               last_pkts_in = cur_stats.pkts_in;
2399               /* receipt of traffic indicates the link is working... */
2400               lcp_echos_pending = 0;
2401               return;
2402           }
2403     }
2404 
2405     /*
2406      * Make and send the echo request frame.
2407      */
2408     if (f->state == OPENED) {
2409         lcp_magic = lcp_gotoptions[f->unit].magicnumber;
2410           pktp = pkt;
2411           PUTLONG(lcp_magic, pktp);
2412 
2413           /* Put a timestamp in the data section of the frame */
2414           if (lcp_rtt_file_fd) {
2415               struct timespec ts;
2416 
2417               PUTLONG(LCP_RTT_MAGIC, pktp);
2418               clock_gettime(CLOCK_MONOTONIC, &ts);
2419               PUTLONG((u_int32_t)ts.tv_sec, pktp);
2420               PUTLONG((u_int32_t)ts.tv_nsec, pktp);
2421           }
2422 
2423         fsm_sdata(f, ECHOREQ, lcp_echo_number++ & 0xFF, pkt, pktp - pkt);
2424           ++lcp_echos_pending;
2425     }
2426 }
2427 
2428 static void
lcp_rtt_open_file(void)2429 lcp_rtt_open_file (void)
2430 {
2431     volatile u_int32_t *ring_header;
2432 
2433     if (!lcp_rtt_file)
2434           return;
2435 
2436     lcp_rtt_file_fd = open(lcp_rtt_file, O_RDWR | O_CREAT, 0644);
2437     if (lcp_rtt_file_fd < 0) {
2438           error("Can't open the RTT log file %s: %m", lcp_rtt_file);
2439           lcp_rtt_file_fd = 0;
2440           return;
2441     }
2442 
2443     if (ftruncate(lcp_rtt_file_fd, LCP_RTT_FILE_SIZE) < 0)
2444           fatal("ftruncate() of %s failed: %m", lcp_rtt_file);
2445     lcp_rtt_buffer = mmap(0, LCP_RTT_FILE_SIZE, PROT_READ | PROT_WRITE,
2446               MAP_SHARED, lcp_rtt_file_fd, 0);
2447     if (lcp_rtt_buffer == MAP_FAILED)
2448           fatal("mmap() of %s failed: %m", lcp_rtt_file);
2449     ring_header = lcp_rtt_buffer;
2450 
2451     /* initialize the ring buffer */
2452     if (ring_header[0] != htonl(LCP_RTT_MAGIC)) {
2453           memset(lcp_rtt_buffer, 0, LCP_RTT_FILE_SIZE);
2454           ring_header[0] = htonl(LCP_RTT_MAGIC);
2455     }
2456 
2457     ring_header[3] = htonl(lcp_echo_interval);
2458     ring_header[1] = htonl(1); /* status: LCP up, file opened */
2459 }
2460 
2461 static void
lcp_rtt_close_file(void)2462 lcp_rtt_close_file (void)
2463 {
2464     volatile u_int32_t *const ring_header = lcp_rtt_buffer;
2465 
2466     if (!lcp_rtt_file_fd)
2467           return;
2468 
2469     ring_header[1] = htonl(0); /* status: LCP down, file closed */
2470 
2471     if (munmap(lcp_rtt_buffer, LCP_RTT_FILE_SIZE) < 0)
2472           error("munmap() of %s failed: %m", lcp_rtt_file);
2473     if (close(lcp_rtt_file_fd) < 0)
2474           error("close() of %s failed: %m", lcp_rtt_file);
2475     lcp_rtt_buffer = NULL;
2476     lcp_rtt_file_fd = 0;
2477 }
2478 
2479 /*
2480  * lcp_echo_lowerup - Start the timer for the LCP frame
2481  */
2482 
2483 static void
lcp_echo_lowerup(int unit)2484 lcp_echo_lowerup (int unit)
2485 {
2486     fsm *f = &lcp_fsm[unit];
2487 
2488     /* Clear the parameters for generating echo frames */
2489     lcp_echos_pending      = 0;
2490     lcp_echo_number        = 0;
2491     lcp_echo_timer_running = 0;
2492 
2493     /* Open the file where the LCP RTT data will be logged */
2494     lcp_rtt_open_file();
2495 
2496     /* If a timeout interval is specified then start the timer */
2497     if (lcp_echo_interval != 0)
2498         LcpEchoCheck (f);
2499 }
2500 
2501 /*
2502  * lcp_echo_lowerdown - Stop the timer for the LCP frame
2503  */
2504 
2505 static void
lcp_echo_lowerdown(int unit)2506 lcp_echo_lowerdown (int unit)
2507 {
2508     fsm *f = &lcp_fsm[unit];
2509 
2510     if (lcp_echo_timer_running != 0) {
2511         UNTIMEOUT (LcpEchoTimeout, f);
2512         lcp_echo_timer_running = 0;
2513     }
2514 
2515     /* Close the file containing the LCP RTT data */
2516     lcp_rtt_close_file();
2517 }
2518