diff options
| author | Peter Wemm <peter@FreeBSD.org> | 1997-08-19 14:29:42 +0000 |
|---|---|---|
| committer | Peter Wemm <peter@FreeBSD.org> | 1997-08-19 14:29:42 +0000 |
| commit | 78cf7258fdd4240ebba0801aed80655aa9035815 (patch) | |
| tree | 2f5d952dfccb7ab7bce7842ae3fe03ab44085c53 /usr.sbin/pppd | |
| parent | 93bdf68a3e7d44ef5a1ed644eb8d7c367c66d066 (diff) | |
| download | src-78cf7258fdd4240ebba0801aed80655aa9035815.tar.gz src-78cf7258fdd4240ebba0801aed80655aa9035815.zip | |
Import pppd-2.3.0 - this should not make much difference until it's merged
onto the mainline, although some new files will appear.
Notes
Notes:
svn path=/cvs2svn/branches/MACKERAS/; revision=28419
Diffstat (limited to 'usr.sbin/pppd')
| -rw-r--r-- | usr.sbin/pppd/Makefile | 12 | ||||
| -rw-r--r-- | usr.sbin/pppd/auth.c | 724 | ||||
| -rw-r--r-- | usr.sbin/pppd/ccp.c | 508 | ||||
| -rw-r--r-- | usr.sbin/pppd/ccp.h | 19 | ||||
| -rw-r--r-- | usr.sbin/pppd/chap.c | 133 | ||||
| -rw-r--r-- | usr.sbin/pppd/chap.h | 32 | ||||
| -rw-r--r-- | usr.sbin/pppd/fsm.c | 90 | ||||
| -rw-r--r-- | usr.sbin/pppd/fsm.h | 62 | ||||
| -rw-r--r-- | usr.sbin/pppd/ipcp.c | 496 | ||||
| -rw-r--r-- | usr.sbin/pppd/ipcp.h | 20 | ||||
| -rw-r--r-- | usr.sbin/pppd/lcp.c | 459 | ||||
| -rw-r--r-- | usr.sbin/pppd/lcp.h | 18 | ||||
| -rw-r--r-- | usr.sbin/pppd/magic.c | 7 | ||||
| -rw-r--r-- | usr.sbin/pppd/main.c | 997 | ||||
| -rw-r--r-- | usr.sbin/pppd/options.c | 1247 | ||||
| -rw-r--r-- | usr.sbin/pppd/patchlevel.h | 8 | ||||
| -rw-r--r-- | usr.sbin/pppd/pathnames.h | 10 | ||||
| -rw-r--r-- | usr.sbin/pppd/pppd.8 | 1411 | ||||
| -rw-r--r-- | usr.sbin/pppd/pppd.h | 267 | ||||
| -rw-r--r-- | usr.sbin/pppd/sys-bsd.c | 616 | ||||
| -rw-r--r-- | usr.sbin/pppd/upap.c | 100 | ||||
| -rw-r--r-- | usr.sbin/pppd/upap.h | 12 |
22 files changed, 5384 insertions, 1864 deletions
diff --git a/usr.sbin/pppd/Makefile b/usr.sbin/pppd/Makefile index ec15113e0d2b..a1f6b849d0d6 100644 --- a/usr.sbin/pppd/Makefile +++ b/usr.sbin/pppd/Makefile @@ -1,14 +1,16 @@ -# $Id: Makefile.bsd,v 1.7 1995/04/27 00:19:50 paulus Exp $ +# $Id: Makefile.bsd,v 1.13 1996/10/08 04:33:33 paulus Exp $ BINDIR?= /usr/sbin -CFLAGS+= -I.. -DHAVE_PATHS_H +# -D_BITYPES is for FreeBSD, which doesn't define anything to +# tell us that u_int32_t gets defined if <sys/types.h> is included. +# Remove for older *BSD systems for which this isn't true. +CFLAGS+= -g -I.. -DHAVE_PATHS_H -D_BITYPES PROG= pppd SRCS= main.c magic.c fsm.c lcp.c ipcp.c upap.c chap.c md5.c ccp.c \ - auth.c options.c sys-bsd.c -MAN8= pppd.0 -# The next line is for NetBSD-current systems. + demand.c auth.c options.c sys-bsd.c MAN= pppd.cat8 +MAN8= pppd.8 BINMODE=4555 BINOWN= root diff --git a/usr.sbin/pppd/auth.c b/usr.sbin/pppd/auth.c index dd9735b89efd..1532a7476249 100644 --- a/usr.sbin/pppd/auth.c +++ b/usr.sbin/pppd/auth.c @@ -33,25 +33,34 @@ */ #ifndef lint -static char rcsid[] = "$Id: auth.c,v 1.17 1995/08/16 01:37:22 paulus Exp $"; +static char rcsid[] = "$Id: auth.c,v 1.31 1997/04/30 05:50:16 paulus Exp $"; #endif #include <stdio.h> #include <stddef.h> #include <stdlib.h> +#include <unistd.h> #include <syslog.h> #include <pwd.h> #include <string.h> #include <sys/types.h> #include <sys/stat.h> +#include <sys/socket.h> #include <netdb.h> #include <netinet/in.h> #include <arpa/inet.h> +#ifdef USE_PAM +#include <security/pam_appl.h> +#include <security/pam_modules.h> +#endif + #ifdef HAS_SHADOW #include <shadow.h> +#ifndef SVR4 #include <shadow/pwauth.h> +#endif #ifndef PW_PPP #define PW_PPP PW_LOGIN #endif @@ -60,16 +69,14 @@ static char rcsid[] = "$Id: auth.c,v 1.17 1995/08/16 01:37:22 paulus Exp $"; #include "pppd.h" #include "fsm.h" #include "lcp.h" +#include "ipcp.h" #include "upap.h" #include "chap.h" -#include "ipcp.h" -#include "ccp.h" +#ifdef CBCP_SUPPORT +#include "cbcp.h" +#endif #include "pathnames.h" -#if defined(sun) && defined(sparc) -#include <alloca.h> -#endif /*sparc*/ - /* Used for storing a sequence of words. Usually malloced. */ struct wordlist { struct wordlist *next; @@ -85,32 +92,58 @@ struct wordlist { #define FALSE 0 #define TRUE 1 +/* The name by which the peer authenticated itself to us. */ +char peer_authname[MAXNAMELEN]; + /* Records which authentication operations haven't completed yet. */ static int auth_pending[NUM_PPP]; + +/* Set if we have successfully called login() */ static int logged_in; + +/* Set if we have run the /etc/ppp/auth-up script. */ +static int did_authup; + +/* List of addresses which the peer may use. */ static struct wordlist *addresses[NUM_PPP]; +/* Number of network protocols which we have opened. */ +static int num_np_open; + +/* Number of network protocols which have come up. */ +static int num_np_up; + +/* Set if we got the contents of passwd[] from the pap-secrets file. */ +static int passwd_from_file; + /* Bits in auth_pending[] */ -#define UPAP_WITHPEER 1 -#define UPAP_PEER 2 +#define PAP_WITHPEER 1 +#define PAP_PEER 2 #define CHAP_WITHPEER 4 #define CHAP_PEER 8 -/* Prototypes */ -void check_access __P((FILE *, char *)); +extern char *crypt __P((const char *, const char *)); + +/* Prototypes for procedures local to this file. */ static void network_phase __P((int)); +static void check_idle __P((void *)); +static void connect_time_expired __P((void *)); static int login __P((char *, char *, char **, int *)); static void logout __P((void)); static int null_login __P((int)); -static int get_upap_passwd __P((void)); -static int have_upap_secret __P((void)); -static int have_chap_secret __P((char *, char *)); -static int scan_authfile __P((FILE *, char *, char *, char *, - struct wordlist **, char *)); +static int get_pap_passwd __P((char *)); +static int have_pap_secret __P((void)); +static int have_chap_secret __P((char *, char *, u_int32_t)); +static int ip_addr_check __P((u_int32_t, struct wordlist *)); +static int scan_authfile __P((FILE *, char *, char *, u_int32_t, char *, + struct wordlist **, char *)); static void free_wordlist __P((struct wordlist *)); - -extern char *crypt __P((char *, char *)); +static void auth_script __P((char *)); +static void set_allowed_addrs __P((int, struct wordlist *)); +#ifdef CBCP_SUPPORT +static void callback_phase __P((int)); +#endif /* * An Open on LCP has requested a change from Dead to Establish phase. @@ -145,9 +178,25 @@ void link_down(unit) int unit; { - ipcp_close(0); - ccp_close(0); - phase = PHASE_TERMINATE; + int i; + struct protent *protp; + + if (did_authup) { + auth_script(_PATH_AUTHDOWN); + did_authup = 0; + } + for (i = 0; (protp = protocols[i]) != NULL; ++i) { + if (!protp->enabled_flag) + continue; + if (protp->protocol != PPP_LCP && protp->lowerdown != NULL) + (*protp->lowerdown)(unit); + if (protp->protocol < 0xC000 && protp->close != NULL) + (*protp->close)(unit, "LCP down"); + } + num_np_open = 0; + num_np_up = 0; + if (phase != PHASE_DEAD) + phase = PHASE_TERMINATE; } /* @@ -162,6 +211,16 @@ link_established(unit) lcp_options *wo = &lcp_wantoptions[unit]; lcp_options *go = &lcp_gotoptions[unit]; lcp_options *ho = &lcp_hisoptions[unit]; + int i; + struct protent *protp; + + /* + * Tell higher-level protocols that LCP is up. + */ + for (i = 0; (protp = protocols[i]) != NULL; ++i) + if (protp->protocol != PPP_LCP && protp->enabled_flag + && protp->lowerup != NULL) + (*protp->lowerup)(unit); if (auth_required && !(go->neg_chap || go->neg_upap)) { /* @@ -171,8 +230,7 @@ link_established(unit) */ if (!wo->neg_upap || !null_login(unit)) { syslog(LOG_WARNING, "peer refused to authenticate"); - lcp_close(unit); - phase = PHASE_TERMINATE; + lcp_close(unit, "peer refused to authenticate"); return; } } @@ -184,14 +242,19 @@ link_established(unit) auth |= CHAP_PEER; } else if (go->neg_upap) { upap_authpeer(unit); - auth |= UPAP_PEER; + auth |= PAP_PEER; } if (ho->neg_chap) { - ChapAuthWithPeer(unit, our_name, ho->chap_mdtype); + ChapAuthWithPeer(unit, user, ho->chap_mdtype); auth |= CHAP_WITHPEER; } else if (ho->neg_upap) { + if (passwd[0] == 0) { + passwd_from_file = 1; + if (!get_pap_passwd(passwd)) + syslog(LOG_ERR, "No secret found for PAP login"); + } upap_authwithpeer(unit, user, passwd); - auth |= UPAP_WITHPEER; + auth |= PAP_WITHPEER; } auth_pending[unit] = auth; @@ -206,9 +269,41 @@ static void network_phase(unit) int unit; { + int i; + struct protent *protp; + lcp_options *go = &lcp_gotoptions[unit]; + + /* + * If the peer had to authenticate, run the auth-up script now. + */ + if ((go->neg_chap || go->neg_upap) && !did_authup) { + auth_script(_PATH_AUTHUP); + did_authup = 1; + } + +#ifdef CBCP_SUPPORT + /* + * If we negotiated callback, do it now. + */ + if (go->neg_cbcp) { + phase = PHASE_CALLBACK; + (*cbcp_protent.open)(unit); + return; + } +#endif + phase = PHASE_NETWORK; - ipcp_open(unit); - ccp_open(unit); +#if 0 + if (!demand) + set_filters(&pass_filter, &active_filter); +#endif + for (i = 0; (protp = protocols[i]) != NULL; ++i) + if (protp->protocol < 0xC000 && protp->enabled_flag + && protp->open != NULL) { + (*protp->open)(unit); + if (protp->protocol != PPP_CCP) + ++num_np_open; + } } /* @@ -221,16 +316,17 @@ auth_peer_fail(unit, protocol) /* * Authentication failure: take the link down */ - lcp_close(unit); - phase = PHASE_TERMINATE; + lcp_close(unit, "Authentication failed"); } /* * The peer has been successfully authenticated using `protocol'. */ void -auth_peer_success(unit, protocol) +auth_peer_success(unit, protocol, name, namelen) int unit, protocol; + char *name; + int namelen; { int bit; @@ -239,7 +335,7 @@ auth_peer_success(unit, protocol) bit = CHAP_PEER; break; case PPP_PAP: - bit = UPAP_PEER; + bit = PAP_PEER; break; default: syslog(LOG_WARNING, "auth_peer_success: unknown protocol %x", @@ -248,14 +344,19 @@ auth_peer_success(unit, protocol) } /* + * Save the authenticated name of the peer for later. + */ + if (namelen > sizeof(peer_authname) - 1) + namelen = sizeof(peer_authname) - 1; + BCOPY(name, peer_authname, namelen); + peer_authname[namelen] = 0; + + /* * If there is no more authentication still to be done, - * proceed to the network phase. + * proceed to the network (or callback) phase. */ - if ((auth_pending[unit] &= ~bit) == 0) { - phase = PHASE_NETWORK; - ipcp_open(unit); - ccp_open(unit); - } + if ((auth_pending[unit] &= ~bit) == 0) + network_phase(unit); } /* @@ -265,6 +366,8 @@ void auth_withpeer_fail(unit, protocol) int unit, protocol; { + if (passwd_from_file) + BZERO(passwd, MAXSECRETLEN); /* * We've failed to authenticate ourselves to our peer. * He'll probably take the link down, and there's not much @@ -286,7 +389,9 @@ auth_withpeer_success(unit, protocol) bit = CHAP_WITHPEER; break; case PPP_PAP: - bit = UPAP_WITHPEER; + if (passwd_from_file) + BZERO(passwd, MAXSECRETLEN); + bit = PAP_WITHPEER; break; default: syslog(LOG_WARNING, "auth_peer_success: unknown protocol %x", @@ -296,7 +401,7 @@ auth_withpeer_success(unit, protocol) /* * If there is no more authentication still being done, - * proceed to the network phase. + * proceed to the network (or callback) phase. */ if ((auth_pending[unit] &= ~bit) == 0) network_phase(unit); @@ -304,13 +409,95 @@ auth_withpeer_success(unit, protocol) /* - * check_auth_options - called to check authentication options. + * np_up - a network protocol has come up. + */ +void +np_up(unit, proto) + int unit, proto; +{ + if (num_np_up == 0 && idle_time_limit > 0) { + TIMEOUT(check_idle, NULL, idle_time_limit); + + /* + * Set a timeout to close the connection once the maximum + * connect time has expired. + */ + if (maxconnect > 0) + TIMEOUT(connect_time_expired, 0, maxconnect); + } + ++num_np_up; +} + +/* + * np_down - a network protocol has gone down. + */ +void +np_down(unit, proto) + int unit, proto; +{ + if (--num_np_up == 0 && idle_time_limit > 0) { + UNTIMEOUT(check_idle, NULL); + } +} + +/* + * np_finished - a network protocol has finished using the link. + */ +void +np_finished(unit, proto) + int unit, proto; +{ + if (--num_np_open <= 0) { + /* no further use for the link: shut up shop. */ + lcp_close(0, "No network protocols running"); + } +} + +/* + * check_idle - check whether the link has been idle for long + * enough that we can shut it down. + */ +static void +check_idle(arg) + void *arg; +{ + struct ppp_idle idle; + time_t itime; + + if (!get_idle_time(0, &idle)) + return; + itime = MIN(idle.xmit_idle, idle.recv_idle); + if (itime >= idle_time_limit) { + /* link is idle: shut it down. */ + syslog(LOG_INFO, "Terminating connection due to lack of activity."); + need_holdoff = 0; + lcp_close(0, "Link inactive"); + } else { + TIMEOUT(check_idle, NULL, idle_time_limit - itime); + } +} + +/* + * connect_time_expired - log a message and close the connection. + */ +static void +connect_time_expired(arg) + void *arg; +{ + syslog(LOG_INFO, "Connect time expired"); + lcp_close(0, "Connect time expired"); /* Close connection */ +} + +/* + * auth_check_options - called to check authentication options. */ void -check_auth_options() +auth_check_options() { lcp_options *wo = &lcp_wantoptions[0]; - lcp_options *ao = &lcp_allowoptions[0]; + int can_auth; + ipcp_options *ipwo = &ipcp_wantoptions[0]; + u_int32_t remote; /* Default our_name to hostname, and user to our_name */ if (our_name[0] == 0 || usehostname) @@ -326,23 +513,69 @@ check_auth_options() /* * Check whether we have appropriate secrets to use - * to authenticate ourselves and/or the peer. + * to authenticate the peer. */ - if (ao->neg_upap && passwd[0] == 0 && !get_upap_passwd()) - ao->neg_upap = 0; - if (wo->neg_upap && !uselogin && !have_upap_secret()) - wo->neg_upap = 0; - if (ao->neg_chap && !have_chap_secret(our_name, remote_name)) - ao->neg_chap = 0; - if (wo->neg_chap && !have_chap_secret(remote_name, our_name)) - wo->neg_chap = 0; + can_auth = wo->neg_upap && (uselogin || have_pap_secret()); + if (!can_auth && wo->neg_chap) { + remote = ipwo->accept_remote? 0: ipwo->hisaddr; + can_auth = have_chap_secret(remote_name, our_name, remote); + } - if (auth_required && !wo->neg_chap && !wo->neg_upap) { - fprintf(stderr, "\ -pppd: peer authentication required but no authentication files accessible\n"); + if (auth_required && !can_auth) { + option_error("peer authentication required but no suitable secret(s) found\n"); + if (remote_name[0] == 0) + option_error("for authenticating any peer to us (%s)\n", our_name); + else + option_error("for authenticating peer %s to us (%s)\n", + remote_name, our_name); exit(1); } + /* + * Check whether the user tried to override certain values + * set by root. + */ + if (!auth_required && auth_req_info.priv > 0) { + if (!default_device && devnam_info.priv == 0) { + option_error("can't override device name when noauth option used"); + exit(1); + } + if ((connector != NULL && connector_info.priv == 0) + || (disconnector != NULL && disconnector_info.priv == 0) + || (welcomer != NULL && welcomer_info.priv == 0)) { + option_error("can't override connect, disconnect or welcome"); + option_error("option values when noauth option used"); + exit(1); + } + } +} + +/* + * auth_reset - called when LCP is starting negotiations to recheck + * authentication options, i.e. whether we have appropriate secrets + * to use for authenticating ourselves and/or the peer. + */ +void +auth_reset(unit) + int unit; +{ + lcp_options *go = &lcp_gotoptions[unit]; + lcp_options *ao = &lcp_allowoptions[0]; + ipcp_options *ipwo = &ipcp_wantoptions[0]; + u_int32_t remote; + + ao->neg_upap = !refuse_pap && (passwd[0] != 0 || get_pap_passwd(NULL)); + ao->neg_chap = !refuse_chap + && have_chap_secret(user, remote_name, (u_int32_t)0); + + if (go->neg_upap && !uselogin && !have_pap_secret()) + go->neg_upap = 0; + if (go->neg_chap) { + remote = ipwo->accept_remote? 0: ipwo->hisaddr; + if (!have_chap_secret(remote_name, our_name, remote)) + go->neg_chap = 0; + } + } @@ -370,6 +603,8 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen) char *filename; FILE *f; struct wordlist *addrs; + u_int32_t remote; + ipcp_options *ipwo = &ipcp_wantoptions[unit]; char passwd[256], user[256]; char secret[MAXWORDLEN]; static int attempts = 0; @@ -381,9 +616,10 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen) passwd[passwdlen] = '\0'; BCOPY(auser, user, userlen); user[userlen] = '\0'; + *msg = (char *) 0; /* - * Open the file of upap secrets and scan for a suitable secret + * Open the file of pap secrets and scan for a suitable secret * for authenticating this user. */ filename = _PATH_UPAPFILE; @@ -391,17 +627,17 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen) ret = UPAP_AUTHACK; f = fopen(filename, "r"); if (f == NULL) { - if (!uselogin) { - syslog(LOG_ERR, "Can't open upap password file %s: %m", filename); - ret = UPAP_AUTHNAK; - } + syslog(LOG_ERR, "Can't open PAP password file %s: %m", filename); + ret = UPAP_AUTHNAK; } else { check_access(f, filename); - if (scan_authfile(f, user, our_name, secret, &addrs, filename) < 0 + remote = ipwo->accept_remote? 0: ipwo->hisaddr; + if (scan_authfile(f, user, our_name, remote, + secret, &addrs, filename) < 0 || (secret[0] != 0 && (cryptpap || strcmp(passwd, secret) != 0) && strcmp(crypt(passwd, secret), secret) != 0)) { - syslog(LOG_WARNING, "upap authentication failure for %s", user); + syslog(LOG_WARNING, "PAP authentication failure for %s", user); ret = UPAP_AUTHNAK; } fclose(f); @@ -410,12 +646,13 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen) if (uselogin && ret == UPAP_AUTHACK) { ret = login(user, passwd, msg, msglen); if (ret == UPAP_AUTHNAK) { - syslog(LOG_WARNING, "upap login failure for %s", user); + syslog(LOG_WARNING, "PAP login failure for %s", user); } } if (ret == UPAP_AUTHNAK) { - *msg = "Login incorrect"; + if (*msg == (char *) 0) + *msg = "Login incorrect"; *msglen = strlen(*msg); /* * Frustrate passwd stealer programs. @@ -434,16 +671,30 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen) } else { attempts = 0; /* Reset count */ - *msg = "Login ok"; + if (*msg == (char *) 0) + *msg = "Login ok"; *msglen = strlen(*msg); - if (addresses[unit] != NULL) - free_wordlist(addresses[unit]); - addresses[unit] = addrs; + set_allowed_addrs(unit, addrs); } + BZERO(passwd, sizeof(passwd)); + BZERO(secret, sizeof(secret)); + return ret; } +/* + * This function is needed for PAM. However, it should not be called. + * If it is, return the error code. + */ + +#ifdef USE_PAM +static int pam_conv(int num_msg, const struct pam_message **msg, + struct pam_response **resp, void *appdata_ptr) +{ + return PAM_CONV_ERR; +} +#endif /* * login - Check the user name and password against the system @@ -454,6 +705,7 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen) * UPAP_AUTHACK: Login succeeded. * In either case, msg points to an appropriate message. */ + static int login(user, passwd, msg, msglen) char *user; @@ -461,46 +713,84 @@ login(user, passwd, msg, msglen) char **msg; int *msglen; { - struct passwd *pw; - char *epasswd; char *tty; +#ifdef USE_PAM + struct pam_conv pam_conversation; + pam_handle_t *pamh; + int pam_error; + char *pass; + char *dev; +/* + * Fill the pam_conversion structure + */ + memset (&pam_conversation, '\0', sizeof (struct pam_conv)); + pam_conversation.conv = &pam_conv; + + pam_error = pam_start ("ppp", user, &pam_conversation, &pamh); + if (pam_error != PAM_SUCCESS) { + *msg = (char *) pam_strerror (pam_error); + return UPAP_AUTHNAK; + } +/* + * Define the fields for the credintial validation + */ + (void) pam_set_item (pamh, PAM_AUTHTOK, passwd); + (void) pam_set_item (pamh, PAM_TTY, devnam); +/* + * Validate the user + */ + pam_error = pam_authenticate (pamh, PAM_SILENT); + if (pam_error == PAM_SUCCESS) + pam_error = pam_acct_mgmt (pamh, PAM_SILENT); + + *msg = (char *) pam_strerror (pam_error); +/* + * Clean up the mess + */ + (void) pam_end (pamh, pam_error); + + if (pam_error != PAM_SUCCESS) + return UPAP_AUTHNAK; +/* + * Use the non-PAM methods directly + */ +#else /* #ifdef USE_PAM */ + + struct passwd *pw; + #ifdef HAS_SHADOW struct spwd *spwd; struct spwd *getspnam(); + extern int isexpired (struct passwd *, struct spwd *); /* in libshadow.a */ #endif - if ((pw = getpwnam(user)) == NULL) { + pw = getpwnam(user); + if (pw == NULL) { return (UPAP_AUTHNAK); } #ifdef HAS_SHADOW - if ((spwd = getspnam(user)) == NULL) { - pw->pw_passwd = ""; - } else { + spwd = getspnam(user); + endspent(); + if (spwd) { + /* check the age of the password entry */ + if (isexpired(pw, spwd)) { + syslog(LOG_WARNING,"Expired password for %s",user); + return (UPAP_AUTHNAK); + } pw->pw_passwd = spwd->sp_pwdp; } #endif /* - * XXX If no passwd, let them login without one. + * If no passwd, don't let them login. */ - if (pw->pw_passwd == '\0') { - return (UPAP_AUTHACK); - } - -#ifdef HAS_SHADOW - if ((pw->pw_passwd && pw->pw_passwd[0] == '@' - && pw_auth (pw->pw_passwd+1, pw->pw_name, PW_PPP, NULL)) - || !valid (passwd, pw)) { - return (UPAP_AUTHNAK); - } -#else - epasswd = crypt(passwd, pw->pw_passwd); - if (strcmp(epasswd, pw->pw_passwd)) { + if (pw->pw_passwd == NULL || *pw->pw_passwd == '\0' + || strcmp(crypt(passwd, pw->pw_passwd), pw->pw_passwd) != 0) return (UPAP_AUTHNAK); - } -#endif + +#endif /* #ifdef USE_PAM */ syslog(LOG_INFO, "user %s logged in", user); @@ -510,7 +800,7 @@ login(user, passwd, msg, msglen) tty = devnam; if (strncmp(tty, "/dev/", 5) == 0) tty += 5; - logwtmp(tty, user, ""); /* Add wtmp login entry */ + logwtmp(tty, user, remote_name); /* Add wtmp login entry */ logged_in = TRUE; return (UPAP_AUTHACK); @@ -548,7 +838,7 @@ null_login(unit) char secret[MAXWORDLEN]; /* - * Open the file of upap secrets and scan for a suitable secret. + * Open the file of pap secrets and scan for a suitable secret. * We don't accept a wildcard client. */ filename = _PATH_UPAPFILE; @@ -558,14 +848,14 @@ null_login(unit) return 0; check_access(f, filename); - i = scan_authfile(f, "", our_name, secret, &addrs, filename); + i = scan_authfile(f, "", our_name, (u_int32_t)0, secret, &addrs, filename); ret = i >= 0 && (i & NONWILD_CLIENT) != 0 && secret[0] == 0; + BZERO(secret, sizeof(secret)); - if (ret) { - if (addresses[unit] != NULL) - free_wordlist(addresses[unit]); - addresses[unit] = addrs; - } + if (ret) + set_allowed_addrs(unit, addrs); + else + free_wordlist(addrs); fclose(f); return ret; @@ -573,12 +863,13 @@ null_login(unit) /* - * get_upap_passwd - get a password for authenticating ourselves with + * get_pap_passwd - get a password for authenticating ourselves with * our peer using PAP. Returns 1 on success, 0 if no suitable password * could be found. */ static int -get_upap_passwd() +get_pap_passwd(passwd) + char *passwd; { char *filename; FILE *f; @@ -591,31 +882,39 @@ get_upap_passwd() if (f == NULL) return 0; check_access(f, filename); - if (scan_authfile(f, user, remote_name, secret, NULL, filename) < 0) + if (scan_authfile(f, user, + remote_name[0]? remote_name: NULL, + (u_int32_t)0, secret, NULL, filename) < 0) return 0; - strncpy(passwd, secret, MAXSECRETLEN); - passwd[MAXSECRETLEN-1] = 0; + if (passwd != NULL) { + strncpy(passwd, secret, MAXSECRETLEN); + passwd[MAXSECRETLEN-1] = 0; + } + BZERO(secret, sizeof(secret)); return 1; } /* - * have_upap_secret - check whether we have a PAP file with any + * have_pap_secret - check whether we have a PAP file with any * secrets that we could possibly use for authenticating the peer. */ static int -have_upap_secret() +have_pap_secret() { FILE *f; int ret; char *filename; + ipcp_options *ipwo = &ipcp_wantoptions[0]; + u_int32_t remote; filename = _PATH_UPAPFILE; f = fopen(filename, "r"); if (f == NULL) return 0; - ret = scan_authfile(f, NULL, our_name, NULL, NULL, filename); + remote = ipwo->accept_remote? 0: ipwo->hisaddr; + ret = scan_authfile(f, NULL, our_name, remote, NULL, NULL, filename); fclose(f); if (ret < 0) return 0; @@ -631,9 +930,10 @@ have_upap_secret() * know the identity yet. */ static int -have_chap_secret(client, server) +have_chap_secret(client, server, remote) char *client; char *server; + u_int32_t remote; { FILE *f; int ret; @@ -649,7 +949,7 @@ have_chap_secret(client, server) else if (server[0] == 0) server = NULL; - ret = scan_authfile(f, client, server, NULL, NULL, filename); + ret = scan_authfile(f, client, server, remote, NULL, NULL, filename); fclose(f); if (ret < 0) return 0; @@ -689,16 +989,14 @@ get_secret(unit, client, server, secret, secret_len, save_addrs) } check_access(f, filename); - ret = scan_authfile(f, client, server, secbuf, &addrs, filename); + ret = scan_authfile(f, client, server, (u_int32_t)0, + secbuf, &addrs, filename); fclose(f); if (ret < 0) return 0; - if (save_addrs) { - if (addresses[unit] != NULL) - free_wordlist(addresses[unit]); - addresses[unit] = addrs; - } + if (save_addrs) + set_allowed_addrs(unit, addrs); len = strlen(secbuf); if (len > MAXSECRETLEN) { @@ -706,12 +1004,48 @@ get_secret(unit, client, server, secret, secret_len, save_addrs) len = MAXSECRETLEN; } BCOPY(secbuf, secret, len); + BZERO(secbuf, sizeof(secbuf)); *secret_len = len; return 1; } /* + * set_allowed_addrs() - set the list of allowed addresses. + */ +static void +set_allowed_addrs(unit, addrs) + int unit; + struct wordlist *addrs; +{ + if (addresses[unit] != NULL) + free_wordlist(addresses[unit]); + addresses[unit] = addrs; + + /* + * If there's only one authorized address we might as well + * ask our peer for that one right away + */ + if (addrs != NULL && addrs->next == NULL) { + char *p = addrs->word; + struct ipcp_options *wo = &ipcp_wantoptions[unit]; + u_int32_t a; + struct hostent *hp; + + if (wo->hisaddr == 0 && *p != '!' && *p != '-' + && strchr(p, '/') == NULL) { + hp = gethostbyname(p); + if (hp != NULL && hp->h_addrtype == AF_INET) + a = *(u_int32_t *)hp->h_addr; + else + a = inet_addr(p); + if (a != (u_int32_t) -1) + wo->hisaddr = a; + } + } +} + +/* * auth_ip_addr - check whether the peer is authorized to use * a given IP address. Returns 1 if authorized, 0 otherwise. */ @@ -720,31 +1054,91 @@ auth_ip_addr(unit, addr) int unit; u_int32_t addr; { - u_int32_t a; - struct hostent *hp; + return ip_addr_check(addr, addresses[unit]); +} + +static int +ip_addr_check(addr, addrs) + u_int32_t addr; struct wordlist *addrs; +{ + u_int32_t a, mask, ah; + int accept; + char *ptr_word, *ptr_mask; + struct hostent *hp; + struct netent *np; /* don't allow loopback or multicast address */ if (bad_ip_adrs(addr)) return 0; - if ((addrs = addresses[unit]) == NULL) - return 1; /* no restriction */ + if (addrs == NULL) + return !auth_required; /* no addresses authorized */ for (; addrs != NULL; addrs = addrs->next) { - /* "-" means no addresses authorized */ - if (strcmp(addrs->word, "-") == 0) + /* "-" means no addresses authorized, "*" means any address allowed */ + ptr_word = addrs->word; + if (strcmp(ptr_word, "-") == 0) break; - if ((a = inet_addr(addrs->word)) == -1) { - if ((hp = gethostbyname(addrs->word)) == NULL) { - syslog(LOG_WARNING, "unknown host %s in auth. address list", - addrs->word); + if (strcmp(ptr_word, "*") == 0) + return 1; + + accept = 1; + if (*ptr_word == '!') { + accept = 0; + ++ptr_word; + } + + mask = ~ (u_int32_t) 0; + ptr_mask = strchr (ptr_word, '/'); + if (ptr_mask != NULL) { + int bit_count; + + bit_count = (int) strtol (ptr_mask+1, (char **) 0, 10); + if (bit_count <= 0 || bit_count > 32) { + syslog (LOG_WARNING, + "invalid address length %s in auth. address list", + ptr_mask); continue; - } else - a = *(u_int32_t *)hp->h_addr; + } + *ptr_mask = '\0'; + mask <<= 32 - bit_count; } - if (addr == a) - return 1; + + hp = gethostbyname(ptr_word); + if (hp != NULL && hp->h_addrtype == AF_INET) { + a = *(u_int32_t *)hp->h_addr; + } else { + np = getnetbyname (ptr_word); + if (np != NULL && np->n_addrtype == AF_INET) { + a = htonl (*(u_int32_t *)np->n_net); + if (ptr_mask == NULL) { + /* calculate appropriate mask for net */ + ah = ntohl(a); + if (IN_CLASSA(ah)) + mask = IN_CLASSA_NET; + else if (IN_CLASSB(ah)) + mask = IN_CLASSB_NET; + else if (IN_CLASSC(ah)) + mask = IN_CLASSC_NET; + } + } else { + a = inet_addr (ptr_word); + } + } + + if (ptr_mask != NULL) + *ptr_mask = '/'; + + if (a == (u_int32_t)-1L) + syslog (LOG_WARNING, + "unknown host %s in auth. address list", + addrs->word); + else + /* Here a and addr are in network byte order, + and mask is in host order. */ + if (((addr ^ a) & htonl(mask)) == 0) + return accept; } return 0; /* not in list => can't have it */ } @@ -791,10 +1185,11 @@ check_access(f, filename) * info) are placed in a wordlist and returned in *addrs. */ static int -scan_authfile(f, client, server, secret, addrs, filename) +scan_authfile(f, client, server, ipaddr, secret, addrs, filename) FILE *f; char *client; char *server; + u_int32_t ipaddr; char *secret; struct wordlist **addrs; char *filename; @@ -802,9 +1197,10 @@ scan_authfile(f, client, server, secret, addrs, filename) int newline, xxx; int got_flag, best_flag; FILE *sf; - struct wordlist *ap, *addr_list, *addr_last; + struct wordlist *ap, *addr_list, *alist, *alast; char word[MAXWORDLEN]; char atfile[MAXWORDLEN]; + char lsecret[MAXWORDLEN]; if (addrs != NULL) *addrs = NULL; @@ -880,16 +1276,12 @@ scan_authfile(f, client, server, secret, addrs, filename) fclose(sf); } if (secret != NULL) - strcpy(secret, word); - - best_flag = got_flag; + strcpy(lsecret, word); /* * Now read address authorization info and make a wordlist. */ - if (addr_list) - free_wordlist(addr_list); - addr_list = addr_last = NULL; + alist = alast = NULL; for (;;) { if (!getword(f, word, &newline, filename) || newline) break; @@ -899,12 +1291,31 @@ scan_authfile(f, client, server, secret, addrs, filename) novm("authorized addresses"); ap->next = NULL; strcpy(ap->word, word); - if (addr_list == NULL) - addr_list = ap; + if (alist == NULL) + alist = ap; else - addr_last->next = ap; - addr_last = ap; + alast->next = ap; + alast = ap; } + + /* + * Check if the given IP address is allowed by the wordlist. + */ + if (ipaddr != 0 && !ip_addr_check(ipaddr, alist)) { + free_wordlist(alist); + continue; + } + + /* + * This is the best so far; remember it. + */ + best_flag = got_flag; + if (addr_list) + free_wordlist(addr_list); + addr_list = alist; + if (secret != NULL) + strcpy(secret, lsecret); + if (!newline) break; } @@ -932,3 +1343,36 @@ free_wordlist(wp) wp = next; } } + +/* + * auth_script - execute a script with arguments + * interface-name peer-name real-user tty speed + */ +static void +auth_script(script) + char *script; +{ + char strspeed[32]; + struct passwd *pw; + char struid[32]; + char *user_name; + char *argv[8]; + + if ((pw = getpwuid(getuid())) != NULL && pw->pw_name != NULL) + user_name = pw->pw_name; + else { + sprintf(struid, "%d", getuid()); + user_name = struid; + } + sprintf(strspeed, "%d", baud_rate); + + argv[0] = script; + argv[1] = ifname; + argv[2] = peer_authname; + argv[3] = user_name; + argv[4] = devnam; + argv[5] = strspeed; + argv[6] = NULL; + + run_program(script, argv, 0); +} diff --git a/usr.sbin/pppd/ccp.c b/usr.sbin/pppd/ccp.c index ae6795228c64..d4e3b3c4b093 100644 --- a/usr.sbin/pppd/ccp.c +++ b/usr.sbin/pppd/ccp.c @@ -26,17 +26,53 @@ */ #ifndef lint -static char rcsid[] = "$Id: ccp.c,v 1.11 1995/08/16 04:15:38 paulus Exp $"; +static char rcsid[] = "$Id: ccp.c,v 1.21 1997/05/22 06:45:59 paulus Exp $"; #endif +#include <string.h> #include <syslog.h> #include <sys/ioctl.h> +#include <sys/types.h> +#include <net/ppp_defs.h> #include <net/ppp-comp.h> #include "pppd.h" #include "fsm.h" #include "ccp.h" +/* + * Protocol entry points from main code. + */ +static void ccp_init __P((int unit)); +static void ccp_open __P((int unit)); +static void ccp_close __P((int unit, char *)); +static void ccp_lowerup __P((int unit)); +static void ccp_lowerdown __P((int)); +static void ccp_input __P((int unit, u_char *pkt, int len)); +static void ccp_protrej __P((int unit)); +static int ccp_printpkt __P((u_char *pkt, int len, + void (*printer) __P((void *, char *, ...)), + void *arg)); +static void ccp_datainput __P((int unit, u_char *pkt, int len)); + +struct protent ccp_protent = { + PPP_CCP, + ccp_init, + ccp_input, + ccp_protrej, + ccp_lowerup, + ccp_lowerdown, + ccp_open, + ccp_close, + ccp_printpkt, + ccp_datainput, + 1, + "CCP", + NULL, + NULL, + NULL +}; + fsm ccp_fsm[NUM_PPP]; ccp_options ccp_wantoptions[NUM_PPP]; /* what to request the peer to use */ ccp_options ccp_gotoptions[NUM_PPP]; /* what the peer agreed to do */ @@ -56,7 +92,8 @@ static int ccp_reqci __P((fsm *, u_char *, int *, int)); static void ccp_up __P((fsm *)); static void ccp_down __P((fsm *)); static int ccp_extcode __P((fsm *, int, int, u_char *, int)); -static void ccp_rack_timeout __P(()); +static void ccp_rack_timeout __P((void *)); +static char *method_name __P((ccp_options *, ccp_options *)); static fsm_callbacks ccp_callbacks = { ccp_resetci, @@ -79,10 +116,11 @@ static fsm_callbacks ccp_callbacks = { /* * Do we want / did we get any compression? */ -#define ANY_COMPRESS(opt) ((opt).bsd_compress) +#define ANY_COMPRESS(opt) ((opt).deflate || (opt).bsd_compress \ + || (opt).predictor_1 || (opt).predictor_2) /* - * Local state (mainly for handling reset-reqs and reset-acks + * Local state (mainly for handling reset-reqs and reset-acks). */ static int ccp_localstate[NUM_PPP]; #define RACK_PENDING 1 /* waiting for reset-ack */ @@ -90,10 +128,12 @@ static int ccp_localstate[NUM_PPP]; #define RACKTIMEOUT 1 /* second */ +static int all_rejected[NUM_PPP]; /* we rejected all peer's options */ + /* * ccp_init - initialize CCP. */ -void +static void ccp_init(unit) int unit; { @@ -109,17 +149,23 @@ ccp_init(unit) memset(&ccp_allowoptions[unit], 0, sizeof(ccp_options)); memset(&ccp_hisoptions[unit], 0, sizeof(ccp_options)); - ccp_wantoptions[0].bsd_compress = 1; - ccp_wantoptions[0].bsd_bits = 12; /* default value */ + ccp_wantoptions[0].deflate = 1; + ccp_wantoptions[0].deflate_size = DEFLATE_MAX_SIZE; + ccp_allowoptions[0].deflate = 1; + ccp_allowoptions[0].deflate_size = DEFLATE_MAX_SIZE; + ccp_wantoptions[0].bsd_compress = 1; + ccp_wantoptions[0].bsd_bits = BSD_MAX_BITS; ccp_allowoptions[0].bsd_compress = 1; ccp_allowoptions[0].bsd_bits = BSD_MAX_BITS; + + ccp_allowoptions[0].predictor_1 = 1; } /* * ccp_open - CCP is allowed to come up. */ -void +static void ccp_open(unit) int unit; { @@ -127,26 +173,34 @@ ccp_open(unit) if (f->state != OPENED) ccp_flags_set(unit, 1, 0); - if (!ANY_COMPRESS(ccp_wantoptions[unit])) + + /* + * Find out which compressors the kernel supports before + * deciding whether to open in silent mode. + */ + ccp_resetci(f); + if (!ANY_COMPRESS(ccp_gotoptions[unit])) f->flags |= OPT_SILENT; + fsm_open(f); } /* * ccp_close - Terminate CCP. */ -void -ccp_close(unit) +static void +ccp_close(unit, reason) int unit; + char *reason; { ccp_flags_set(unit, 0, 0); - fsm_close(&ccp_fsm[unit]); + fsm_close(&ccp_fsm[unit], reason); } /* * ccp_lowerup - we may now transmit CCP packets. */ -void +static void ccp_lowerup(unit) int unit; { @@ -156,7 +210,7 @@ ccp_lowerup(unit) /* * ccp_lowerdown - we may not transmit CCP packets. */ -void +static void ccp_lowerdown(unit) int unit; { @@ -166,7 +220,7 @@ ccp_lowerdown(unit) /* * ccp_input - process a received CCP packet. */ -void +static void ccp_input(unit, p, len) int unit; u_char *p; @@ -189,7 +243,7 @@ ccp_input(unit, p, len) */ if (oldstate == REQSENT && p[0] == TERMACK && !ANY_COMPRESS(ccp_gotoptions[unit])) - ccp_close(unit); + ccp_close(unit, "No compression negotiated"); } /* @@ -214,7 +268,7 @@ ccp_extcode(f, code, id, p, len) case CCP_RESETACK: if (ccp_localstate[f->unit] & RACK_PENDING && id == f->reqid) { ccp_localstate[f->unit] &= ~(RACK_PENDING | RREQ_REPEAT); - UNTIMEOUT(ccp_rack_timeout, (caddr_t) f); + UNTIMEOUT(ccp_rack_timeout, f); } break; @@ -228,7 +282,7 @@ ccp_extcode(f, code, id, p, len) /* * ccp_protrej - peer doesn't talk CCP. */ -void +static void ccp_protrej(unit) int unit; { @@ -247,13 +301,39 @@ ccp_resetci(f) u_char opt_buf[16]; *go = ccp_wantoptions[f->unit]; + all_rejected[f->unit] = 0; + + /* + * Check whether the kernel knows about the various + * compression methods we might request. + */ if (go->bsd_compress) { opt_buf[0] = CI_BSD_COMPRESS; opt_buf[1] = CILEN_BSD_COMPRESS; - opt_buf[2] = BSD_MAKE_OPT(BSD_CURRENT_VERSION, go->bsd_bits); - if (!ccp_test(f->unit, opt_buf, CILEN_BSD_COMPRESS, 0)) + opt_buf[2] = BSD_MAKE_OPT(BSD_CURRENT_VERSION, BSD_MIN_BITS); + if (ccp_test(f->unit, opt_buf, CILEN_BSD_COMPRESS, 0) <= 0) go->bsd_compress = 0; } + if (go->deflate) { + opt_buf[0] = CI_DEFLATE; + opt_buf[1] = CILEN_DEFLATE; + opt_buf[2] = DEFLATE_MAKE_OPT(DEFLATE_MIN_SIZE); + opt_buf[3] = DEFLATE_CHK_SEQUENCE; + if (ccp_test(f->unit, opt_buf, CILEN_DEFLATE, 0) <= 0) + go->deflate = 0; + } + if (go->predictor_1) { + opt_buf[0] = CI_PREDICTOR_1; + opt_buf[1] = CILEN_PREDICTOR_1; + if (ccp_test(f->unit, opt_buf, CILEN_PREDICTOR_1, 0) <= 0) + go->predictor_1 = 0; + } + if (go->predictor_2) { + opt_buf[0] = CI_PREDICTOR_2; + opt_buf[1] = CILEN_PREDICTOR_2; + if (ccp_test(f->unit, opt_buf, CILEN_PREDICTOR_2, 0) <= 0) + go->predictor_2 = 0; + } } /* @@ -265,7 +345,10 @@ ccp_cilen(f) { ccp_options *go = &ccp_gotoptions[f->unit]; - return (go->bsd_compress? CILEN_BSD_COMPRESS: 0); + return (go->bsd_compress? CILEN_BSD_COMPRESS: 0) + + (go->deflate? CILEN_DEFLATE: 0) + + (go->predictor_1? CILEN_PREDICTOR_1: 0) + + (go->predictor_2? CILEN_PREDICTOR_2: 0); } /* @@ -277,18 +360,78 @@ ccp_addci(f, p, lenp) u_char *p; int *lenp; { + int res; ccp_options *go = &ccp_gotoptions[f->unit]; u_char *p0 = p; + /* + * Add the compression types that we can receive, in decreasing + * preference order. Get the kernel to allocate the first one + * in case it gets Acked. + */ + if (go->deflate) { + p[0] = CI_DEFLATE; + p[1] = CILEN_DEFLATE; + p[2] = DEFLATE_MAKE_OPT(go->deflate_size); + p[3] = DEFLATE_CHK_SEQUENCE; + for (;;) { + res = ccp_test(f->unit, p, CILEN_DEFLATE, 0); + if (res > 0) { + p += CILEN_DEFLATE; + break; + } + if (res < 0 || go->deflate_size <= DEFLATE_MIN_SIZE) { + go->deflate = 0; + break; + } + --go->deflate_size; + p[2] = DEFLATE_MAKE_OPT(go->deflate_size); + } + } if (go->bsd_compress) { p[0] = CI_BSD_COMPRESS; p[1] = CILEN_BSD_COMPRESS; p[2] = BSD_MAKE_OPT(BSD_CURRENT_VERSION, go->bsd_bits); - if (ccp_test(f->unit, p, CILEN_BSD_COMPRESS, 0)) - p += CILEN_BSD_COMPRESS; - else - go->bsd_compress = 0; + if (p != p0) { + p += CILEN_BSD_COMPRESS; /* not the first option */ + } else { + for (;;) { + res = ccp_test(f->unit, p, CILEN_BSD_COMPRESS, 0); + if (res > 0) { + p += CILEN_BSD_COMPRESS; + break; + } + if (res < 0 || go->bsd_bits <= BSD_MIN_BITS) { + go->bsd_compress = 0; + break; + } + --go->bsd_bits; + p[2] = BSD_MAKE_OPT(BSD_CURRENT_VERSION, go->bsd_bits); + } + } + } + /* XXX Should Predictor 2 be preferable to Predictor 1? */ + if (go->predictor_1) { + p[0] = CI_PREDICTOR_1; + p[1] = CILEN_PREDICTOR_1; + if (p == p0 && ccp_test(f->unit, p, CILEN_PREDICTOR_1, 0) <= 0) { + go->predictor_1 = 0; + } else { + p += CILEN_PREDICTOR_1; + } } + if (go->predictor_2) { + p[0] = CI_PREDICTOR_2; + p[1] = CILEN_PREDICTOR_2; + if (p == p0 && ccp_test(f->unit, p, CILEN_PREDICTOR_2, 0) <= 0) { + go->predictor_2 = 0; + } else { + p += CILEN_PREDICTOR_2; + } + } + + go->method = (p > p0)? p0[0]: -1; + *lenp = p - p0; } @@ -303,7 +446,20 @@ ccp_ackci(f, p, len) int len; { ccp_options *go = &ccp_gotoptions[f->unit]; + u_char *p0 = p; + if (go->deflate) { + if (len < CILEN_DEFLATE + || p[0] != CI_DEFLATE || p[1] != CILEN_DEFLATE + || p[2] != DEFLATE_MAKE_OPT(go->deflate_size) + || p[3] != DEFLATE_CHK_SEQUENCE) + return 0; + p += CILEN_DEFLATE; + len -= CILEN_DEFLATE; + /* XXX Cope with first/fast ack */ + if (len == 0) + return 1; + } if (go->bsd_compress) { if (len < CILEN_BSD_COMPRESS || p[0] != CI_BSD_COMPRESS || p[1] != CILEN_BSD_COMPRESS @@ -311,7 +467,31 @@ ccp_ackci(f, p, len) return 0; p += CILEN_BSD_COMPRESS; len -= CILEN_BSD_COMPRESS; + /* XXX Cope with first/fast ack */ + if (p == p0 && len == 0) + return 1; + } + if (go->predictor_1) { + if (len < CILEN_PREDICTOR_1 + || p[0] != CI_PREDICTOR_1 || p[1] != CILEN_PREDICTOR_1) + return 0; + p += CILEN_PREDICTOR_1; + len -= CILEN_PREDICTOR_1; + /* XXX Cope with first/fast ack */ + if (p == p0 && len == 0) + return 1; } + if (go->predictor_2) { + if (len < CILEN_PREDICTOR_2 + || p[0] != CI_PREDICTOR_2 || p[1] != CILEN_PREDICTOR_2) + return 0; + p += CILEN_PREDICTOR_2; + len -= CILEN_PREDICTOR_2; + /* XXX Cope with first/fast ack */ + if (p == p0 && len == 0) + return 1; + } + if (len != 0) return 0; return 1; @@ -334,7 +514,24 @@ ccp_nakci(f, p, len) memset(&no, 0, sizeof(no)); try = *go; - if (go->bsd_compress && !no.bsd_compress && len >= CILEN_BSD_COMPRESS + if (go->deflate && len >= CILEN_DEFLATE + && p[0] == CI_DEFLATE && p[1] == CILEN_DEFLATE) { + no.deflate = 1; + /* + * Peer wants us to use a different code size or something. + * Stop asking for Deflate if we don't understand his suggestion. + */ + if (DEFLATE_METHOD(p[2]) != DEFLATE_METHOD_VAL + || DEFLATE_SIZE(p[2]) < DEFLATE_MIN_SIZE + || p[3] != DEFLATE_CHK_SEQUENCE) + try.deflate = 0; + else if (DEFLATE_SIZE(p[2]) < go->deflate_size) + try.deflate_size = DEFLATE_SIZE(p[2]); + p += CILEN_DEFLATE; + len -= CILEN_DEFLATE; + } + + if (go->bsd_compress && len >= CILEN_BSD_COMPRESS && p[0] == CI_BSD_COMPRESS && p[1] == CILEN_BSD_COMPRESS) { no.bsd_compress = 1; /* @@ -350,7 +547,9 @@ ccp_nakci(f, p, len) } /* - * Have a look at any remaining options...??? + * Predictor-1 and 2 have no options, so they can't be Naked. + * + * XXX What should we do with any remaining options? */ if (len != 0) @@ -375,6 +574,22 @@ ccp_rejci(f, p, len) try = *go; + /* + * Cope with empty configure-rejects by ceasing to send + * configure-requests. + */ + if (len == 0 && all_rejected[f->unit]) + return -1; + + if (go->deflate && len >= CILEN_DEFLATE + && p[0] == CI_DEFLATE && p[1] == CILEN_DEFLATE) { + if (p[2] != DEFLATE_MAKE_OPT(go->deflate_size) + || p[3] != DEFLATE_CHK_SEQUENCE) + return 0; /* Rej is bad */ + try.deflate = 0; + p += CILEN_DEFLATE; + len -= CILEN_DEFLATE; + } if (go->bsd_compress && len >= CILEN_BSD_COMPRESS && p[0] == CI_BSD_COMPRESS && p[1] == CILEN_BSD_COMPRESS) { if (p[2] != BSD_MAKE_OPT(BSD_CURRENT_VERSION, go->bsd_bits)) @@ -383,6 +598,18 @@ ccp_rejci(f, p, len) p += CILEN_BSD_COMPRESS; len -= CILEN_BSD_COMPRESS; } + if (go->predictor_1 && len >= CILEN_PREDICTOR_1 + && p[0] == CI_PREDICTOR_1 && p[1] == CILEN_PREDICTOR_1) { + try.predictor_1 = 0; + p += CILEN_PREDICTOR_1; + len -= CILEN_PREDICTOR_1; + } + if (go->predictor_2 && len >= CILEN_PREDICTOR_2 + && p[0] == CI_PREDICTOR_2 && p[1] == CILEN_PREDICTOR_2) { + try.predictor_2 = 0; + p += CILEN_PREDICTOR_2; + len -= CILEN_PREDICTOR_2; + } if (len != 0) return 0; @@ -405,7 +632,7 @@ ccp_reqci(f, p, lenp, dont_nak) int *lenp; int dont_nak; { - int ret, newret; + int ret, newret, res; u_char *p0, *retp; int len, clen, type, nb; ccp_options *ho = &ccp_hisoptions[f->unit]; @@ -416,6 +643,7 @@ ccp_reqci(f, p, lenp, dont_nak) len = *lenp; memset(ho, 0, sizeof(ccp_options)); + ho->method = (len > 0)? p[0]: -1; while (len > 0) { newret = CONFACK; @@ -429,6 +657,49 @@ ccp_reqci(f, p, lenp, dont_nak) clen = p[1]; switch (type) { + case CI_DEFLATE: + if (!ao->deflate || clen != CILEN_DEFLATE) { + newret = CONFREJ; + break; + } + + ho->deflate = 1; + ho->deflate_size = nb = DEFLATE_SIZE(p[2]); + if (DEFLATE_METHOD(p[2]) != DEFLATE_METHOD_VAL + || p[3] != DEFLATE_CHK_SEQUENCE + || nb > ao->deflate_size || nb < DEFLATE_MIN_SIZE) { + newret = CONFNAK; + if (!dont_nak) { + p[2] = DEFLATE_MAKE_OPT(ao->deflate_size); + p[3] = DEFLATE_CHK_SEQUENCE; + /* fall through to test this #bits below */ + } else + break; + } + + /* + * Check whether we can do Deflate with the window + * size they want. If the window is too big, reduce + * it until the kernel can cope and nak with that. + * We only check this for the first option. + */ + if (p == p0) { + for (;;) { + res = ccp_test(f->unit, p, CILEN_DEFLATE, 1); + if (res > 0) + break; /* it's OK now */ + if (res < 0 || nb == DEFLATE_MIN_SIZE || dont_nak) { + newret = CONFREJ; + p[2] = DEFLATE_MAKE_OPT(ho->deflate_size); + break; + } + newret = CONFNAK; + --nb; + p[2] = DEFLATE_MAKE_OPT(nb); + } + } + break; + case CI_BSD_COMPRESS: if (!ao->bsd_compress || clen != CILEN_BSD_COMPRESS) { newret = CONFREJ; @@ -438,22 +709,63 @@ ccp_reqci(f, p, lenp, dont_nak) ho->bsd_compress = 1; ho->bsd_bits = nb = BSD_NBITS(p[2]); if (BSD_VERSION(p[2]) != BSD_CURRENT_VERSION - || nb > ao->bsd_bits) { + || nb > ao->bsd_bits || nb < BSD_MIN_BITS) { newret = CONFNAK; - nb = ao->bsd_bits; - } else if (nb < BSD_MIN_BITS) { - newret = CONFREJ; - } else if (!ccp_test(f->unit, p, CILEN_BSD_COMPRESS, 1)) { - if (nb > BSD_MIN_BITS) { - --nb; - newret = CONFNAK; + if (!dont_nak) { + p[2] = BSD_MAKE_OPT(BSD_CURRENT_VERSION, ao->bsd_bits); + /* fall through to test this #bits below */ } else - newret = CONFREJ; + break; + } + + /* + * Check whether we can do BSD-Compress with the code + * size they want. If the code size is too big, reduce + * it until the kernel can cope and nak with that. + * We only check this for the first option. + */ + if (p == p0) { + for (;;) { + res = ccp_test(f->unit, p, CILEN_BSD_COMPRESS, 1); + if (res > 0) + break; + if (res < 0 || nb == BSD_MIN_BITS || dont_nak) { + newret = CONFREJ; + p[2] = BSD_MAKE_OPT(BSD_CURRENT_VERSION, + ho->bsd_bits); + break; + } + newret = CONFNAK; + --nb; + p[2] = BSD_MAKE_OPT(BSD_CURRENT_VERSION, nb); + } } - if (newret == CONFNAK && !dont_nak) { - p[2] = BSD_MAKE_OPT(BSD_CURRENT_VERSION, nb); + break; + + case CI_PREDICTOR_1: + if (!ao->predictor_1 || clen != CILEN_PREDICTOR_1) { + newret = CONFREJ; + break; } + ho->predictor_1 = 1; + if (p == p0 + && ccp_test(f->unit, p, CILEN_PREDICTOR_1, 1) <= 0) { + newret = CONFREJ; + } + break; + + case CI_PREDICTOR_2: + if (!ao->predictor_2 || clen != CILEN_PREDICTOR_2) { + newret = CONFREJ; + break; + } + + ho->predictor_2 = 1; + if (p == p0 + && ccp_test(f->unit, p, CILEN_PREDICTOR_2, 1) <= 0) { + newret = CONFREJ; + } break; default: @@ -463,7 +775,7 @@ ccp_reqci(f, p, lenp, dont_nak) if (newret == CONFNAK && dont_nak) newret = CONFREJ; - if (!(newret == CONFACK || newret == CONFNAK && ret == CONFREJ)) { + if (!(newret == CONFACK || (newret == CONFNAK && ret == CONFREJ))) { /* we're returning this option */ if (newret == CONFREJ && ret == CONFNAK) retp = p0; @@ -477,13 +789,53 @@ ccp_reqci(f, p, lenp, dont_nak) len -= clen; } - if (ret != CONFACK) - *lenp = retp - p0; + if (ret != CONFACK) { + if (ret == CONFREJ && *lenp == retp - p0) + all_rejected[f->unit] = 1; + else + *lenp = retp - p0; + } return ret; } /* - * CCP has come up - inform the kernel driver. + * Make a string name for a compression method (or 2). + */ +static char * +method_name(opt, opt2) + ccp_options *opt, *opt2; +{ + static char result[64]; + + if (!ANY_COMPRESS(*opt)) + return "(none)"; + switch (opt->method) { + case CI_DEFLATE: + if (opt2 != NULL && opt2->deflate_size != opt->deflate_size) + sprintf(result, "Deflate (%d/%d)", opt->deflate_size, + opt2->deflate_size); + else + sprintf(result, "Deflate (%d)", opt->deflate_size); + break; + case CI_BSD_COMPRESS: + if (opt2 != NULL && opt2->bsd_bits != opt->bsd_bits) + sprintf(result, "BSD-Compress (%d/%d)", opt->bsd_bits, + opt2->bsd_bits); + else + sprintf(result, "BSD-Compress (%d)", opt->bsd_bits); + break; + case CI_PREDICTOR_1: + return "Predictor 1"; + case CI_PREDICTOR_2: + return "Predictor 2"; + default: + sprintf(result, "Method %d", opt->method); + } + return result; +} + +/* + * CCP has come up - inform the kernel driver and log a message. */ static void ccp_up(f) @@ -491,12 +843,25 @@ ccp_up(f) { ccp_options *go = &ccp_gotoptions[f->unit]; ccp_options *ho = &ccp_hisoptions[f->unit]; + char method1[64]; ccp_flags_set(f->unit, 1, 1); - if (go->bsd_compress || ho->bsd_compress) - syslog(LOG_NOTICE, "%s enabled", - go->bsd_compress? ho->bsd_compress? "Compression": - "Receive compression": "Transmit compression"); + if (ANY_COMPRESS(*go)) { + if (ANY_COMPRESS(*ho)) { + if (go->method == ho->method) { + syslog(LOG_NOTICE, "%s compression enabled", + method_name(go, ho)); + } else { + strcpy(method1, method_name(go, NULL)); + syslog(LOG_NOTICE, "%s / %s compression enabled", + method1, method_name(ho, NULL)); + } + } else + syslog(LOG_NOTICE, "%s receive compression enabled", + method_name(go, NULL)); + } else if (ANY_COMPRESS(*ho)) + syslog(LOG_NOTICE, "%s transmit compression enabled", + method_name(ho, NULL)); } /* @@ -507,7 +872,7 @@ ccp_down(f) fsm *f; { if (ccp_localstate[f->unit] & RACK_PENDING) - UNTIMEOUT(ccp_rack_timeout, (caddr_t) f); + UNTIMEOUT(ccp_rack_timeout, f); ccp_localstate[f->unit] = 0; ccp_flags_set(f->unit, 1, 0); } @@ -515,14 +880,14 @@ ccp_down(f) /* * Print the contents of a CCP packet. */ -char *ccp_codenames[] = { +static char *ccp_codenames[] = { "ConfReq", "ConfAck", "ConfNak", "ConfRej", "TermReq", "TermAck", "CodeRej", NULL, NULL, NULL, NULL, NULL, NULL, "ResetReq", "ResetAck", }; -int +static int ccp_printpkt(p, plen, printer, arg) u_char *p; int plen; @@ -566,6 +931,16 @@ ccp_printpkt(p, plen, printer, arg) len -= optlen; optend = p + optlen; switch (code) { + case CI_DEFLATE: + if (optlen >= CILEN_DEFLATE) { + printer(arg, "deflate %d", DEFLATE_SIZE(p[2])); + if (DEFLATE_METHOD(p[2]) != DEFLATE_METHOD_VAL) + printer(arg, " method %d", DEFLATE_METHOD(p[2])); + if (p[3] != DEFLATE_CHK_SEQUENCE) + printer(arg, " check %d", p[3]); + p += CILEN_DEFLATE; + } + break; case CI_BSD_COMPRESS: if (optlen >= CILEN_BSD_COMPRESS) { printer(arg, "bsd v%d %d", BSD_VERSION(p[2]), @@ -573,12 +948,33 @@ ccp_printpkt(p, plen, printer, arg) p += CILEN_BSD_COMPRESS; } break; + case CI_PREDICTOR_1: + if (optlen >= CILEN_PREDICTOR_1) { + printer(arg, "predictor 1"); + p += CILEN_PREDICTOR_1; + } + break; + case CI_PREDICTOR_2: + if (optlen >= CILEN_PREDICTOR_2) { + printer(arg, "predictor 2"); + p += CILEN_PREDICTOR_2; + } + break; } while (p < optend) printer(arg, " %.2x", *p++); printer(arg, ">"); } break; + + case TERMACK: + case TERMREQ: + if (len > 0 && *p >= ' ' && *p < 0x7f) { + print_string(p, len, printer, arg); + p += len; + len = 0; + } + break; } /* dump out the rest of the packet in hex */ @@ -600,7 +996,7 @@ ccp_printpkt(p, plen, printer, arg) * decompression; if it was, we take CCP down, thus disabling * compression :-(, otherwise we issue the reset-request. */ -void +static void ccp_datainput(unit, pkt, len) int unit; u_char *pkt; @@ -615,7 +1011,7 @@ ccp_datainput(unit, pkt, len) * Disable compression by taking CCP down. */ syslog(LOG_ERR, "Lost compression sync: disabling compression"); - ccp_close(unit); + ccp_close(unit, "Lost compression sync"); } else { /* * Send a reset-request to reset the peer's compressor. @@ -624,7 +1020,7 @@ ccp_datainput(unit, pkt, len) */ if (!(ccp_localstate[f->unit] & RACK_PENDING)) { fsm_sdata(f, CCP_RESETREQ, f->reqid = ++f->id, NULL, 0); - TIMEOUT(ccp_rack_timeout, (caddr_t) f, RACKTIMEOUT); + TIMEOUT(ccp_rack_timeout, f, RACKTIMEOUT); ccp_localstate[f->unit] |= RACK_PENDING; } else ccp_localstate[f->unit] |= RREQ_REPEAT; @@ -637,13 +1033,13 @@ ccp_datainput(unit, pkt, len) */ static void ccp_rack_timeout(arg) - caddr_t arg; + void *arg; { - fsm *f = (fsm *) arg; + fsm *f = arg; if (f->state == OPENED && ccp_localstate[f->unit] & RREQ_REPEAT) { fsm_sdata(f, CCP_RESETREQ, f->reqid, NULL, 0); - TIMEOUT(ccp_rack_timeout, (caddr_t) f, RACKTIMEOUT); + TIMEOUT(ccp_rack_timeout, f, RACKTIMEOUT); ccp_localstate[f->unit] &= ~RREQ_REPEAT; } else ccp_localstate[f->unit] &= ~RACK_PENDING; diff --git a/usr.sbin/pppd/ccp.h b/usr.sbin/pppd/ccp.h index e403e56ee606..1f15345bc928 100644 --- a/usr.sbin/pppd/ccp.h +++ b/usr.sbin/pppd/ccp.h @@ -24,12 +24,17 @@ * OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, * OR MODIFICATIONS. * - * $Id: ccp.h,v 1.4 1995/04/24 06:00:54 paulus Exp $ + * $Id: ccp.h,v 1.7 1996/07/01 01:11:49 paulus Exp $ */ typedef struct ccp_options { u_int bsd_compress: 1; /* do BSD Compress? */ + u_int deflate: 1; /* do Deflate? */ + u_int predictor_1: 1; /* do Predictor-1? */ + u_int predictor_2: 1; /* do Predictor-2? */ u_short bsd_bits; /* # bits/code for BSD Compress */ + u_short deflate_size; /* lg(window size) for Deflate */ + short method; /* code for chosen compression method */ } ccp_options; extern fsm ccp_fsm[]; @@ -38,14 +43,4 @@ extern ccp_options ccp_gotoptions[]; extern ccp_options ccp_allowoptions[]; extern ccp_options ccp_hisoptions[]; -void ccp_init __P((int unit)); -void ccp_open __P((int unit)); -void ccp_close __P((int unit)); -void ccp_lowerup __P((int unit)); -void ccp_lowerdown __P((int)); -void ccp_input __P((int unit, u_char *pkt, int len)); -void ccp_protrej __P((int unit)); -int ccp_printpkt __P((u_char *pkt, int len, - void (*printer) __P((void *, char *, ...)), - void *arg)); -void ccp_datainput __P((int unit, u_char *pkt, int len)); +extern struct protent ccp_protent; diff --git a/usr.sbin/pppd/chap.c b/usr.sbin/pppd/chap.c index d72c36d4a989..b418f6f493f0 100644 --- a/usr.sbin/pppd/chap.c +++ b/usr.sbin/pppd/chap.c @@ -1,5 +1,20 @@ /* - * chap.c - Crytographic Handshake Authentication Protocol. + * chap.c - Challenge Handshake Authentication Protocol. + * + * Copyright (c) 1993 The Australian National University. + * All rights reserved. + * + * Redistribution and use in source and binary forms are permitted + * provided that the above copyright notice and this paragraph are + * duplicated in all such forms and that any documentation, + * advertising materials, and other materials related to such + * distribution and use acknowledge that the software was developed + * by the Australian National University. The name of the University + * may not be used to endorse or promote products derived from this + * software without specific prior written permission. + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * * Copyright (c) 1991 Gregory M. Christy. * All rights reserved. @@ -19,7 +34,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: chap.c,v 1.8 1995/07/04 12:32:26 paulus Exp $"; +static char rcsid[] = "$Id: chap.c,v 1.14 1997/04/30 05:51:08 paulus Exp $"; #endif /* @@ -35,12 +50,45 @@ static char rcsid[] = "$Id: chap.c,v 1.8 1995/07/04 12:32:26 paulus Exp $"; #include "pppd.h" #include "chap.h" #include "md5.h" +#ifdef CHAPMS +#include "chap_ms.h" +#endif + +/* + * Protocol entry points. + */ +static void ChapInit __P((int)); +static void ChapLowerUp __P((int)); +static void ChapLowerDown __P((int)); +static void ChapInput __P((int, u_char *, int)); +static void ChapProtocolReject __P((int)); +static int ChapPrintPkt __P((u_char *, int, + void (*) __P((void *, char *, ...)), void *)); + +struct protent chap_protent = { + PPP_CHAP, + ChapInit, + ChapInput, + ChapProtocolReject, + ChapLowerUp, + ChapLowerDown, + NULL, + NULL, + ChapPrintPkt, + NULL, + 1, + "CHAP", + NULL, + NULL, + NULL +}; chap_state chap[NUM_PPP]; /* CHAP state; one for each unit */ -static void ChapChallengeTimeout __P((caddr_t)); -static void ChapResponseTimeout __P((caddr_t)); +static void ChapChallengeTimeout __P((void *)); +static void ChapResponseTimeout __P((void *)); static void ChapReceiveChallenge __P((chap_state *, u_char *, int, int)); +static void ChapRechallenge __P((void *)); static void ChapReceiveResponse __P((chap_state *, u_char *, int, int)); static void ChapReceiveSuccess __P((chap_state *, u_char *, int, int)); static void ChapReceiveFailure __P((chap_state *, u_char *, int, int)); @@ -55,7 +103,7 @@ extern void srand48 __P((long)); /* * ChapInit - Initialize a CHAP unit. */ -void +static void ChapInit(unit) int unit; { @@ -134,7 +182,7 @@ ChapAuthPeer(unit, our_name, digest) */ static void ChapChallengeTimeout(arg) - caddr_t arg; + void *arg; { chap_state *cstate = (chap_state *) arg; @@ -161,7 +209,7 @@ ChapChallengeTimeout(arg) */ static void ChapResponseTimeout(arg) - caddr_t arg; + void *arg; { chap_state *cstate = (chap_state *) arg; @@ -178,7 +226,7 @@ ChapResponseTimeout(arg) */ static void ChapRechallenge(arg) - caddr_t arg; + void *arg; { chap_state *cstate = (chap_state *) arg; @@ -197,7 +245,7 @@ ChapRechallenge(arg) * * Start up if we have pending requests. */ -void +static void ChapLowerUp(unit) int unit; { @@ -223,7 +271,7 @@ ChapLowerUp(unit) * * Cancel all timeouts. */ -void +static void ChapLowerDown(unit) int unit; { @@ -232,12 +280,12 @@ ChapLowerDown(unit) /* Timeout(s) pending? Cancel if so. */ if (cstate->serverstate == CHAPSS_INITIAL_CHAL || cstate->serverstate == CHAPSS_RECHALLENGE) - UNTIMEOUT(ChapChallengeTimeout, (caddr_t) cstate); + UNTIMEOUT(ChapChallengeTimeout, cstate); else if (cstate->serverstate == CHAPSS_OPEN && cstate->chal_interval != 0) - UNTIMEOUT(ChapRechallenge, (caddr_t) cstate); + UNTIMEOUT(ChapRechallenge, cstate); if (cstate->clientstate == CHAPCS_RESPONSE) - UNTIMEOUT(ChapResponseTimeout, (caddr_t) cstate); + UNTIMEOUT(ChapResponseTimeout, cstate); cstate->clientstate = CHAPCS_INITIAL; cstate->serverstate = CHAPSS_INITIAL; @@ -247,7 +295,7 @@ ChapLowerDown(unit) /* * ChapProtocolReject - Peer doesn't grok CHAP. */ -void +static void ChapProtocolReject(unit) int unit; { @@ -266,7 +314,7 @@ ChapProtocolReject(unit) /* * ChapInput - Input CHAP packet. */ -void +static void ChapInput(unit, inpacket, packet_len) int unit; u_char *inpacket; @@ -342,6 +390,7 @@ ChapReceiveChallenge(cstate, inp, id, len) char secret[MAXSECRETLEN]; char rhostname[256]; MD5_CTX mdContext; + u_char hash[MD5_SIGNATURE_SIZE]; CHAPDEBUG((LOG_INFO, "ChapReceiveChallenge: Rcvd id %d.", id)); if (cstate->clientstate == CHAPCS_CLOSED || @@ -370,9 +419,17 @@ ChapReceiveChallenge(cstate, inp, id, len) BCOPY(inp, rhostname, len); rhostname[len] = '\000'; - CHAPDEBUG((LOG_INFO, "ChapReceiveChallenge: received name field: %s", + CHAPDEBUG((LOG_INFO, "ChapReceiveChallenge: received name field '%s'", rhostname)); + /* Microsoft doesn't send their name back in the PPP packet */ + if (remote_name[0] != 0 && (explicit_remote || rhostname[0] == 0)) { + strncpy(rhostname, remote_name, sizeof(rhostname)); + rhostname[sizeof(rhostname) - 1] = 0; + CHAPDEBUG((LOG_INFO, "ChapReceiveChallenge: using '%s' as remote name", + rhostname)); + } + /* get secret for authenticating ourselves with the specified host */ if (!get_secret(cstate->unit, cstate->resp_name, rhostname, secret, &secret_len, 0)) { @@ -383,7 +440,7 @@ ChapReceiveChallenge(cstate, inp, id, len) /* cancel response send timeout if necessary */ if (cstate->clientstate == CHAPCS_RESPONSE) - UNTIMEOUT(ChapResponseTimeout, (caddr_t) cstate); + UNTIMEOUT(ChapResponseTimeout, cstate); cstate->resp_id = id; cstate->resp_transmits = 0; @@ -391,21 +448,28 @@ ChapReceiveChallenge(cstate, inp, id, len) /* generate MD based on negotiated type */ switch (cstate->resp_type) { - case CHAP_DIGEST_MD5: /* only MD5 is defined for now */ + case CHAP_DIGEST_MD5: MD5Init(&mdContext); MD5Update(&mdContext, &cstate->resp_id, 1); MD5Update(&mdContext, secret, secret_len); MD5Update(&mdContext, rchallenge, rchallenge_len); - MD5Final(&mdContext); - BCOPY(mdContext.digest, cstate->response, MD5_SIGNATURE_SIZE); + MD5Final(hash, &mdContext); + BCOPY(hash, cstate->response, MD5_SIGNATURE_SIZE); cstate->resp_length = MD5_SIGNATURE_SIZE; break; +#ifdef CHAPMS + case CHAP_MICROSOFT: + ChapMS(cstate, rchallenge, rchallenge_len, secret, secret_len); + break; +#endif + default: CHAPDEBUG((LOG_INFO, "unknown digest type %d", cstate->resp_type)); return; } + BZERO(secret, sizeof(secret)); ChapSendResponse(cstate); } @@ -424,10 +488,9 @@ ChapReceiveResponse(cstate, inp, id, len) int secret_len, old_state; int code; char rhostname[256]; - u_char buf[256]; MD5_CTX mdContext; - u_char msg[256]; char secret[MAXSECRETLEN]; + u_char hash[MD5_SIGNATURE_SIZE]; CHAPDEBUG((LOG_INFO, "ChapReceiveResponse: Rcvd id %d.", id)); @@ -469,7 +532,7 @@ ChapReceiveResponse(cstate, inp, id, len) return; } - UNTIMEOUT(ChapChallengeTimeout, (caddr_t) cstate); + UNTIMEOUT(ChapChallengeTimeout, cstate); if (len >= sizeof(rhostname)) len = sizeof(rhostname) - 1; @@ -500,10 +563,10 @@ ChapReceiveResponse(cstate, inp, id, len) MD5Update(&mdContext, &cstate->chal_id, 1); MD5Update(&mdContext, secret, secret_len); MD5Update(&mdContext, cstate->challenge, cstate->chal_len); - MD5Final(&mdContext); + MD5Final(hash, &mdContext); /* compare local and remote MDs and send the appropriate status */ - if (memcmp (mdContext.digest, remmd, MD5_SIGNATURE_SIZE) == 0) + if (memcmp (hash, remmd, MD5_SIGNATURE_SIZE) == 0) code = CHAP_SUCCESS; /* they are the same! */ break; @@ -512,16 +575,17 @@ ChapReceiveResponse(cstate, inp, id, len) } } + BZERO(secret, sizeof(secret)); ChapSendStatus(cstate, code); if (code == CHAP_SUCCESS) { old_state = cstate->serverstate; cstate->serverstate = CHAPSS_OPEN; if (old_state == CHAPSS_INITIAL_CHAL) { - auth_peer_success(cstate->unit, PPP_CHAP); + auth_peer_success(cstate->unit, PPP_CHAP, rhostname, len); } if (cstate->chal_interval != 0) - TIMEOUT(ChapRechallenge, (caddr_t) cstate, cstate->chal_interval); + TIMEOUT(ChapRechallenge, cstate, cstate->chal_interval); } else { syslog(LOG_ERR, "CHAP peer authentication failed"); @@ -554,7 +618,7 @@ ChapReceiveSuccess(cstate, inp, id, len) return; } - UNTIMEOUT(ChapResponseTimeout, (caddr_t) cstate); + UNTIMEOUT(ChapResponseTimeout, cstate); /* * Print message. @@ -578,9 +642,6 @@ ChapReceiveFailure(cstate, inp, id, len) u_char id; int len; { - u_char msglen; - u_char *msg; - CHAPDEBUG((LOG_INFO, "ChapReceiveFailure: Rcvd id %d.", id)); if (cstate->clientstate != CHAPCS_RESPONSE) { @@ -590,7 +651,7 @@ ChapReceiveFailure(cstate, inp, id, len) return; } - UNTIMEOUT(ChapResponseTimeout, (caddr_t) cstate); + UNTIMEOUT(ChapResponseTimeout, cstate); /* * Print message. @@ -635,7 +696,7 @@ ChapSendChallenge(cstate) CHAPDEBUG((LOG_INFO, "ChapSendChallenge: Sent id %d.", cstate->chal_id)); - TIMEOUT(ChapChallengeTimeout, (caddr_t) cstate, cstate->timeouttime); + TIMEOUT(ChapChallengeTimeout, cstate, cstate->timeouttime); ++cstate->chal_transmits; } @@ -735,18 +796,18 @@ ChapSendResponse(cstate) output(cstate->unit, outpacket_buf, outlen + PPP_HDRLEN); cstate->clientstate = CHAPCS_RESPONSE; - TIMEOUT(ChapResponseTimeout, (caddr_t) cstate, cstate->timeouttime); + TIMEOUT(ChapResponseTimeout, cstate, cstate->timeouttime); ++cstate->resp_transmits; } /* * ChapPrintPkt - print the contents of a CHAP packet. */ -char *ChapCodenames[] = { +static char *ChapCodenames[] = { "Challenge", "Response", "Success", "Failure" }; -int +static int ChapPrintPkt(p, plen, printer, arg) u_char *p; int plen; diff --git a/usr.sbin/pppd/chap.h b/usr.sbin/pppd/chap.h index 44b08f2e205f..016cd83a9543 100644 --- a/usr.sbin/pppd/chap.h +++ b/usr.sbin/pppd/chap.h @@ -1,5 +1,20 @@ /* - * chap.h - Cryptographic Handshake Authentication Protocol definitions. + * chap.h - Challenge Handshake Authentication Protocol definitions. + * + * Copyright (c) 1993 The Australian National University. + * All rights reserved. + * + * Redistribution and use in source and binary forms are permitted + * provided that the above copyright notice and this paragraph are + * duplicated in all such forms and that any documentation, + * advertising materials, and other materials related to such + * distribution and use acknowledge that the software was developed + * by the Australian National University. The name of the University + * may not be used to endorse or promote products derived from this + * software without specific prior written permission. + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * * Copyright (c) 1991 Gregory M. Christy * All rights reserved. @@ -15,7 +30,7 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: chap.h,v 1.3 1994/09/21 06:47:37 paulus Exp $ + * $Id: chap.h,v 1.7 1996/10/08 06:43:27 paulus Exp $ */ #ifndef __CHAP_INCLUDE__ @@ -29,6 +44,8 @@ #define CHAP_DIGEST_MD5 5 /* use MD5 algorithm */ #define MD5_SIGNATURE_SIZE 16 /* 16 bytes in a MD5 message digest */ +#define CHAP_MICROSOFT 0x80 /* use Microsoft-compatible alg. */ +#define MS_CHAP_RESPONSE_LEN 49 /* Response length for MS-CHAP */ #define CHAP_CHALLENGE 1 #define CHAP_RESPONSE 2 @@ -40,7 +57,7 @@ */ #define MIN_CHALLENGE_LENGTH 32 #define MAX_CHALLENGE_LENGTH 64 -#define MAX_RESPONSE_LENGTH 16 /* sufficient for MD5 */ +#define MAX_RESPONSE_LENGTH 64 /* sufficient for MD5 or MS-CHAP */ /* * Each interface is described by a chap structure. @@ -98,15 +115,10 @@ typedef struct chap_state { extern chap_state chap[]; -void ChapInit __P((int)); void ChapAuthWithPeer __P((int, char *, int)); void ChapAuthPeer __P((int, char *, int)); -void ChapLowerUp __P((int)); -void ChapLowerDown __P((int)); -void ChapInput __P((int, u_char *, int)); -void ChapProtocolReject __P((int)); -int ChapPrintPkt __P((u_char *, int, - void (*) __P((void *, char *, ...)), void *)); + +extern struct protent chap_protent; #define __CHAP_INCLUDE__ #endif /* __CHAP_INCLUDE__ */ diff --git a/usr.sbin/pppd/fsm.c b/usr.sbin/pppd/fsm.c index 5d2eca6880ad..1cf073e39ca3 100644 --- a/usr.sbin/pppd/fsm.c +++ b/usr.sbin/pppd/fsm.c @@ -18,7 +18,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: fsm.c,v 1.8 1994/11/10 01:52:05 paulus Exp $"; +static char rcsid[] = "$Id: fsm.c,v 1.13 1997/04/30 05:52:17 paulus Exp $"; #endif /* @@ -35,13 +35,11 @@ static char rcsid[] = "$Id: fsm.c,v 1.8 1994/11/10 01:52:05 paulus Exp $"; #include "pppd.h" #include "fsm.h" -extern char *proto_name(); - -static void fsm_timeout __P((caddr_t)); +static void fsm_timeout __P((void *)); static void fsm_rconfreq __P((fsm *, int, u_char *, int)); static void fsm_rconfack __P((fsm *, int, u_char *, int)); static void fsm_rconfnakrej __P((fsm *, int, int, u_char *, int)); -static void fsm_rtermreq __P((fsm *, int)); +static void fsm_rtermreq __P((fsm *, int, u_char *, int)); static void fsm_rtermack __P((fsm *)); static void fsm_rcoderej __P((fsm *, u_char *, int)); static void fsm_sconfreq __P((fsm *, int)); @@ -67,6 +65,7 @@ fsm_init(f) f->maxconfreqtransmits = DEFMAXCONFREQS; f->maxtermtransmits = DEFMAXTERMREQS; f->maxnakloops = DEFMAXNAKLOOPS; + f->term_reason_len = 0; } @@ -121,7 +120,7 @@ fsm_lowerdown(f) case CLOSING: f->state = INITIAL; - UNTIMEOUT(fsm_timeout, (caddr_t) f); /* Cancel timeout */ + UNTIMEOUT(fsm_timeout, f); /* Cancel timeout */ break; case STOPPING: @@ -129,7 +128,7 @@ fsm_lowerdown(f) case ACKRCVD: case ACKSENT: f->state = STARTING; - UNTIMEOUT(fsm_timeout, (caddr_t) f); /* Cancel timeout */ + UNTIMEOUT(fsm_timeout, f); /* Cancel timeout */ break; case OPENED: @@ -190,9 +189,12 @@ fsm_open(f) * the CLOSED state. */ void -fsm_close(f) +fsm_close(f, reason) fsm *f; + char *reason; { + f->term_reason = reason; + f->term_reason_len = (reason == NULL? 0: strlen(reason)); switch( f->state ){ case STARTING: f->state = INITIAL; @@ -209,14 +211,15 @@ fsm_close(f) case ACKSENT: case OPENED: if( f->state != OPENED ) - UNTIMEOUT(fsm_timeout, (caddr_t) f); /* Cancel timeout */ + UNTIMEOUT(fsm_timeout, f); /* Cancel timeout */ else if( f->callbacks->down ) (*f->callbacks->down)(f); /* Inform upper layers we're down */ /* Init restart counter, send Terminate-Request */ f->retransmits = f->maxtermtransmits; - fsm_sdata(f, TERMREQ, f->reqid = ++f->id, NULL, 0); - TIMEOUT(fsm_timeout, (caddr_t) f, f->timeouttime); + fsm_sdata(f, TERMREQ, f->reqid = ++f->id, + (u_char *) f->term_reason, f->term_reason_len); + TIMEOUT(fsm_timeout, f, f->timeouttime); --f->retransmits; f->state = CLOSING; @@ -230,7 +233,7 @@ fsm_close(f) */ static void fsm_timeout(arg) - caddr_t arg; + void *arg; { fsm *f = (fsm *) arg; @@ -246,8 +249,9 @@ fsm_timeout(arg) (*f->callbacks->finished)(f); } else { /* Send Terminate-Request */ - fsm_sdata(f, TERMREQ, f->reqid = ++f->id, NULL, 0); - TIMEOUT(fsm_timeout, (caddr_t) f, f->timeouttime); + fsm_sdata(f, TERMREQ, f->reqid = ++f->id, + (u_char *) f->term_reason, f->term_reason_len); + TIMEOUT(fsm_timeout, f, f->timeouttime); --f->retransmits; } break; @@ -288,7 +292,7 @@ fsm_input(f, inpacket, l) u_char *inpacket; int l; { - u_char *inp, *outp; + u_char *inp; u_char code, id; int len; @@ -341,7 +345,7 @@ fsm_input(f, inpacket, l) break; case TERMREQ: - fsm_rtermreq(f, id); + fsm_rtermreq(f, id, inp, len); break; case TERMACK: @@ -371,7 +375,6 @@ fsm_rconfreq(f, id, inp, len) u_char *inp; int len; { - u_char *outp; int code, reject_if_disagree; FSMDEBUG((LOG_INFO, "fsm_rconfreq(%s): Rcvd id %d.", PROTO_NAME(f), id)); @@ -415,7 +418,7 @@ fsm_rconfreq(f, id, inp, len) if (code == CONFACK) { if (f->state == ACKRCVD) { - UNTIMEOUT(fsm_timeout, (caddr_t) f); /* Cancel timeout */ + UNTIMEOUT(fsm_timeout, f); /* Cancel timeout */ f->state = OPENED; if (f->callbacks->up) (*f->callbacks->up)(f); /* Inform upper layers */ @@ -451,6 +454,7 @@ fsm_rconfack(f, id, inp, len) if( !(f->callbacks->ackci? (*f->callbacks->ackci)(f, inp, len): (len == 0)) ){ /* Ack is bad - ignore it */ + log_packet(inp, len, "Received bad configure-ack: ", LOG_ERR); FSMDEBUG((LOG_INFO, "%s: received bad Ack (length %d)", PROTO_NAME(f), len)); return; @@ -470,13 +474,13 @@ fsm_rconfack(f, id, inp, len) case ACKRCVD: /* Huh? an extra valid Ack? oh well... */ - UNTIMEOUT(fsm_timeout, (caddr_t) f); /* Cancel timeout */ + UNTIMEOUT(fsm_timeout, f); /* Cancel timeout */ fsm_sconfreq(f, 0); f->state = REQSENT; break; case ACKSENT: - UNTIMEOUT(fsm_timeout, (caddr_t) f); /* Cancel timeout */ + UNTIMEOUT(fsm_timeout, f); /* Cancel timeout */ f->state = OPENED; f->retransmits = f->maxconfreqtransmits; if (f->callbacks->up) @@ -504,7 +508,8 @@ fsm_rconfnakrej(f, code, id, inp, len) u_char *inp; int len; { - int (*proc)(); + int (*proc) __P((fsm *, u_char *, int)); + int ret; FSMDEBUG((LOG_INFO, "fsm_rconfnakrej(%s): Rcvd id %d.", PROTO_NAME(f), id)); @@ -512,8 +517,9 @@ fsm_rconfnakrej(f, code, id, inp, len) if (id != f->reqid || f->seen_ack) /* Expected id? */ return; /* Nope, toss... */ proc = (code == CONFNAK)? f->callbacks->nakci: f->callbacks->rejci; - if (!proc || !proc(f, inp, len)) { + if (!proc || !(ret = proc(f, inp, len))) { /* Nak/reject is bad - ignore it */ + log_packet(inp, len, "Received bad configure-nak/rej: ", LOG_ERR); FSMDEBUG((LOG_INFO, "%s: received bad %s (length %d)", PROTO_NAME(f), (code==CONFNAK? "Nak": "reject"), len)); return; @@ -529,13 +535,16 @@ fsm_rconfnakrej(f, code, id, inp, len) case REQSENT: case ACKSENT: /* They didn't agree to what we wanted - try another request */ - UNTIMEOUT(fsm_timeout, (caddr_t) f); /* Cancel timeout */ - fsm_sconfreq(f, 0); /* Send Configure-Request */ + UNTIMEOUT(fsm_timeout, f); /* Cancel timeout */ + if (ret < 0) + f->state = STOPPED; /* kludge for stopping CCP */ + else + fsm_sconfreq(f, 0); /* Send Configure-Request */ break; case ACKRCVD: /* Got a Nak/reject when we had already had an Ack?? oh well... */ - UNTIMEOUT(fsm_timeout, (caddr_t) f); /* Cancel timeout */ + UNTIMEOUT(fsm_timeout, f); /* Cancel timeout */ fsm_sconfreq(f, 0); f->state = REQSENT; break; @@ -555,10 +564,14 @@ fsm_rconfnakrej(f, code, id, inp, len) * fsm_rtermreq - Receive Terminate-Req. */ static void -fsm_rtermreq(f, id) +fsm_rtermreq(f, id, p, len) fsm *f; int id; + u_char *p; + int len; { + char str[80]; + FSMDEBUG((LOG_INFO, "fsm_rtermreq(%s): Rcvd id %d.", PROTO_NAME(f), id)); @@ -569,12 +582,16 @@ fsm_rtermreq(f, id) break; case OPENED: - syslog(LOG_INFO, "%s terminated at peer's request", PROTO_NAME(f)); + if (len > 0) { + fmtmsg(str, sizeof(str), "%0.*v", len, p); + syslog(LOG_INFO, "%s terminated by peer (%s)", PROTO_NAME(f), str); + } else + syslog(LOG_INFO, "%s terminated by peer", PROTO_NAME(f)); if (f->callbacks->down) (*f->callbacks->down)(f); /* Inform upper layers */ f->retransmits = 0; f->state = STOPPING; - TIMEOUT(fsm_timeout, (caddr_t) f, f->timeouttime); + TIMEOUT(fsm_timeout, f, f->timeouttime); break; } @@ -593,13 +610,13 @@ fsm_rtermack(f) switch (f->state) { case CLOSING: - UNTIMEOUT(fsm_timeout, (caddr_t) f); + UNTIMEOUT(fsm_timeout, f); f->state = CLOSED; if( f->callbacks->finished ) (*f->callbacks->finished)(f); break; case STOPPING: - UNTIMEOUT(fsm_timeout, (caddr_t) f); + UNTIMEOUT(fsm_timeout, f); f->state = STOPPED; if( f->callbacks->finished ) (*f->callbacks->finished)(f); @@ -656,7 +673,7 @@ fsm_protreject(f) { switch( f->state ){ case CLOSING: - UNTIMEOUT(fsm_timeout, (caddr_t) f); /* Cancel timeout */ + UNTIMEOUT(fsm_timeout, f); /* Cancel timeout */ /* fall through */ case CLOSED: f->state = CLOSED; @@ -668,7 +685,7 @@ fsm_protreject(f) case REQSENT: case ACKRCVD: case ACKSENT: - UNTIMEOUT(fsm_timeout, (caddr_t) f); /* Cancel timeout */ + UNTIMEOUT(fsm_timeout, f); /* Cancel timeout */ /* fall through */ case STOPPED: f->state = STOPPED; @@ -682,8 +699,9 @@ fsm_protreject(f) /* Init restart counter, send Terminate-Request */ f->retransmits = f->maxtermtransmits; - fsm_sdata(f, TERMREQ, f->reqid = ++f->id, NULL, 0); - TIMEOUT(fsm_timeout, (caddr_t) f, f->timeouttime); + fsm_sdata(f, TERMREQ, f->reqid = ++f->id, + (u_char *) f->term_reason, f->term_reason_len); + TIMEOUT(fsm_timeout, f, f->timeouttime); --f->retransmits; f->state = STOPPING; @@ -705,7 +723,7 @@ fsm_sconfreq(f, retransmit) int retransmit; { u_char *outp; - int outlen, cilen; + int cilen; if( f->state != REQSENT && f->state != ACKRCVD && f->state != ACKSENT ){ /* Not currently negotiating - reset options */ @@ -740,7 +758,7 @@ fsm_sconfreq(f, retransmit) /* start the retransmit timer */ --f->retransmits; - TIMEOUT(fsm_timeout, (caddr_t) f, f->timeouttime); + TIMEOUT(fsm_timeout, f, f->timeouttime); FSMDEBUG((LOG_INFO, "%s: sending Configure-Request, id %d", PROTO_NAME(f), f->reqid)); diff --git a/usr.sbin/pppd/fsm.h b/usr.sbin/pppd/fsm.h index efe18bf92f00..1916342b6387 100644 --- a/usr.sbin/pppd/fsm.h +++ b/usr.sbin/pppd/fsm.h @@ -16,7 +16,7 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: fsm.h,v 1.5 1995/05/19 03:17:35 paulus Exp $ + * $Id: fsm.h,v 1.7 1997/04/30 05:52:37 paulus Exp $ */ /* @@ -38,27 +38,8 @@ /* - * Each FSM is described by a fsm_callbacks and a fsm structure. + * Each FSM is described by an fsm structure and fsm callbacks. */ -typedef struct fsm_callbacks { - void (*resetci)(); /* Reset our Configuration Information */ - int (*cilen)(); /* Length of our Configuration Information */ - void (*addci)(); /* Add our Configuration Information */ - int (*ackci)(); /* ACK our Configuration Information */ - int (*nakci)(); /* NAK our Configuration Information */ - int (*rejci)(); /* Reject our Configuration Information */ - int (*reqci)(); /* Request peer's Configuration Information */ - void (*up)(); /* Called when fsm reaches OPENED state */ - void (*down)(); /* Called when fsm leaves OPENED state */ - void (*starting)(); /* Called when we want the lower layer */ - void (*finished)(); /* Called when we don't want the lower layer */ - void (*protreject)(); /* Called when Protocol-Reject received */ - void (*retransmit)(); /* Retransmission is necessary */ - int (*extcode)(); /* Called when unknown code received */ - char *proto_name; /* String name for protocol (for messages) */ -} fsm_callbacks; - - typedef struct fsm { int unit; /* Interface unit number */ int protocol; /* Data Link Layer Protocol field value */ @@ -73,10 +54,45 @@ typedef struct fsm { int maxtermtransmits; /* Maximum Terminate-Request transmissions */ int nakloops; /* Number of nak loops since last ack */ int maxnakloops; /* Maximum number of nak loops tolerated */ - fsm_callbacks *callbacks; /* Callback routines */ + struct fsm_callbacks *callbacks; /* Callback routines */ + char *term_reason; /* Reason for closing protocol */ + int term_reason_len; /* Length of term_reason */ } fsm; +typedef struct fsm_callbacks { + void (*resetci) /* Reset our Configuration Information */ + __P((fsm *)); + int (*cilen) /* Length of our Configuration Information */ + __P((fsm *)); + void (*addci) /* Add our Configuration Information */ + __P((fsm *, u_char *, int *)); + int (*ackci) /* ACK our Configuration Information */ + __P((fsm *, u_char *, int)); + int (*nakci) /* NAK our Configuration Information */ + __P((fsm *, u_char *, int)); + int (*rejci) /* Reject our Configuration Information */ + __P((fsm *, u_char *, int)); + int (*reqci) /* Request peer's Configuration Information */ + __P((fsm *, u_char *, int *, int)); + void (*up) /* Called when fsm reaches OPENED state */ + __P((fsm *)); + void (*down) /* Called when fsm leaves OPENED state */ + __P((fsm *)); + void (*starting) /* Called when we want the lower layer */ + __P((fsm *)); + void (*finished) /* Called when we don't want the lower layer */ + __P((fsm *)); + void (*protreject) /* Called when Protocol-Reject received */ + __P((int)); + void (*retransmit) /* Retransmission is necessary */ + __P((fsm *)); + int (*extcode) /* Called when unknown code received */ + __P((fsm *, int, int, u_char *, int)); + char *proto_name; /* String name for protocol (for messages) */ +} fsm_callbacks; + + /* * Link states. */ @@ -116,7 +132,7 @@ void fsm_init __P((fsm *)); void fsm_lowerup __P((fsm *)); void fsm_lowerdown __P((fsm *)); void fsm_open __P((fsm *)); -void fsm_close __P((fsm *)); +void fsm_close __P((fsm *, char *)); void fsm_input __P((fsm *, u_char *, int)); void fsm_protreject __P((fsm *)); void fsm_sdata __P((fsm *, int, int, u_char *, int)); diff --git a/usr.sbin/pppd/ipcp.c b/usr.sbin/pppd/ipcp.c index 3d99235440b2..d7da0019681b 100644 --- a/usr.sbin/pppd/ipcp.c +++ b/usr.sbin/pppd/ipcp.c @@ -18,7 +18,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: ipcp.c,v 1.20 1995/08/10 06:51:04 paulus Exp $"; +static char rcsid[] = "$Id: ipcp.c,v 1.31 1997/04/30 05:52:48 paulus Exp $"; #endif /* @@ -28,6 +28,8 @@ static char rcsid[] = "$Id: ipcp.c,v 1.20 1995/08/10 06:51:04 paulus Exp $"; #include <stdio.h> #include <string.h> #include <syslog.h> +#include <netdb.h> +#include <sys/param.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> @@ -44,7 +46,9 @@ ipcp_options ipcp_allowoptions[NUM_PPP]; /* Options we allow peer to request */ ipcp_options ipcp_hisoptions[NUM_PPP]; /* Options that we ack'd */ /* local vars */ -static int cis_received[NUM_PPP]; /* # Conf-Reqs received */ +static int cis_received[NUM_PPP]; /* # Conf-Reqs received */ +static int default_route_set[NUM_PPP]; /* Have set up a default route */ +static int proxy_arp_set[NUM_PPP]; /* Have created proxy arp entry */ /* * Callbacks for fsm code. (CI = Configuration Information) @@ -59,6 +63,7 @@ static int ipcp_reqci __P((fsm *, u_char *, int *, int)); /* Rcv CI */ static void ipcp_up __P((fsm *)); /* We're UP */ static void ipcp_down __P((fsm *)); /* We're DOWN */ static void ipcp_script __P((fsm *, char *)); /* Run an up/down script */ +static void ipcp_finished __P((fsm *)); /* Don't need lower layer */ fsm ipcp_fsm[NUM_PPP]; /* IPCP fsm structure */ @@ -73,7 +78,7 @@ static fsm_callbacks ipcp_callbacks = { /* IPCP callback routines */ ipcp_up, /* Called when fsm reaches OPENED state */ ipcp_down, /* Called when fsm leaves OPENED state */ NULL, /* Called when we want the lower layer up */ - NULL, /* Called when we want the lower layer down */ + ipcp_finished, /* Called when we want the lower layer down */ NULL, /* Called when Protocol-Reject received */ NULL, /* Retransmission is necessary */ NULL, /* Called to handle protocol-specific codes */ @@ -81,6 +86,42 @@ static fsm_callbacks ipcp_callbacks = { /* IPCP callback routines */ }; /* + * Protocol entry points from main code. + */ +static void ipcp_init __P((int)); +static void ipcp_open __P((int)); +static void ipcp_close __P((int, char *)); +static void ipcp_lowerup __P((int)); +static void ipcp_lowerdown __P((int)); +static void ipcp_input __P((int, u_char *, int)); +static void ipcp_protrej __P((int)); +static int ipcp_printpkt __P((u_char *, int, + void (*) __P((void *, char *, ...)), void *)); +static void ip_check_options __P((void)); +static int ip_demand_conf __P((int)); +static int ip_active_pkt __P((u_char *, int)); + +struct protent ipcp_protent = { + PPP_IPCP, + ipcp_init, + ipcp_input, + ipcp_protrej, + ipcp_lowerup, + ipcp_lowerdown, + ipcp_open, + ipcp_close, + ipcp_printpkt, + NULL, + 1, + "IPCP", + ip_check_options, + ip_demand_conf, + ip_active_pkt +}; + +static void ipcp_clear_addrs __P((int)); + +/* * Lengths of configuration options. */ #define CILEN_VOID 2 @@ -117,7 +158,7 @@ u_int32_t ipaddr; /* * ipcp_init - Initialize IPCP. */ -void +static void ipcp_init(unit) int unit; { @@ -130,13 +171,11 @@ ipcp_init(unit) f->callbacks = &ipcp_callbacks; fsm_init(&ipcp_fsm[unit]); - wo->neg_addr = 1; - wo->old_addrs = 0; - wo->ouraddr = 0; - wo->hisaddr = 0; + memset(wo, 0, sizeof(*wo)); + memset(ao, 0, sizeof(*ao)); + wo->neg_addr = 1; wo->neg_vj = 1; - wo->old_vj = 0; wo->vj_protocol = IPCP_VJ_COMP; wo->maxslotindex = MAX_STATES - 1; /* really max index */ wo->cflag = 1; @@ -149,13 +188,20 @@ ipcp_init(unit) ao->neg_vj = 1; ao->maxslotindex = MAX_STATES - 1; ao->cflag = 1; + + /* + * XXX These control whether the user may use the proxyarp + * and defaultroute options. + */ + ao->proxy_arp = 1; + ao->default_route = 1; } /* * ipcp_open - IPCP is allowed to come up. */ -void +static void ipcp_open(unit) int unit; { @@ -166,18 +212,19 @@ ipcp_open(unit) /* * ipcp_close - Take IPCP down. */ -void -ipcp_close(unit) +static void +ipcp_close(unit, reason) int unit; + char *reason; { - fsm_close(&ipcp_fsm[unit]); + fsm_close(&ipcp_fsm[unit], reason); } /* * ipcp_lowerup - The lower layer is up. */ -void +static void ipcp_lowerup(unit) int unit; { @@ -188,7 +235,7 @@ ipcp_lowerup(unit) /* * ipcp_lowerdown - The lower layer is down. */ -void +static void ipcp_lowerdown(unit) int unit; { @@ -199,7 +246,7 @@ ipcp_lowerdown(unit) /* * ipcp_input - Input IPCP packet. */ -void +static void ipcp_input(unit, p, len) int unit; u_char *p; @@ -214,7 +261,7 @@ ipcp_input(unit, p, len) * * Pretend the lower layer went down, so we shut up. */ -void +static void ipcp_protrej(unit) int unit; { @@ -249,10 +296,36 @@ ipcp_cilen(f) fsm *f; { ipcp_options *go = &ipcp_gotoptions[f->unit]; + ipcp_options *wo = &ipcp_wantoptions[f->unit]; + ipcp_options *ho = &ipcp_hisoptions[f->unit]; #define LENCIVJ(neg, old) (neg ? (old? CILEN_COMPRESS : CILEN_VJ) : 0) #define LENCIADDR(neg, old) (neg ? (old? CILEN_ADDRS : CILEN_ADDR) : 0) + /* + * First see if we want to change our options to the old + * forms because we have received old forms from the peer. + */ + if (wo->neg_addr && !go->neg_addr && !go->old_addrs) { + /* use the old style of address negotiation */ + go->neg_addr = 1; + go->old_addrs = 1; + } + if (wo->neg_vj && !go->neg_vj && !go->old_vj) { + /* try an older style of VJ negotiation */ + if (cis_received[f->unit] == 0) { + /* keep trying the new style until we see some CI from the peer */ + go->neg_vj = 1; + } else { + /* use the old style only if the peer did */ + if (ho->neg_vj && ho->old_vj) { + go->neg_vj = 1; + go->old_vj = 1; + go->vj_protocol = ho->vj_protocol; + } + } + } + return (LENCIADDR(go->neg_addr, go->old_addrs) + LENCIVJ(go->neg_vj, go->old_vj)); } @@ -267,9 +340,7 @@ ipcp_addci(f, ucp, lenp) u_char *ucp; int *lenp; { - ipcp_options *wo = &ipcp_wantoptions[f->unit]; ipcp_options *go = &ipcp_gotoptions[f->unit]; - ipcp_options *ho = &ipcp_hisoptions[f->unit]; int len = *lenp; #define ADDCIVJ(opt, neg, val, old, maxslotindex, cflag) \ @@ -306,30 +377,6 @@ ipcp_addci(f, ucp, lenp) neg = 0; \ } - /* - * First see if we want to change our options to the old - * forms because we have received old forms from the peer. - */ - if (wo->neg_addr && !go->neg_addr && !go->old_addrs) { - /* use the old style of address negotiation */ - go->neg_addr = 1; - go->old_addrs = 1; - } - if (wo->neg_vj && !go->neg_vj && !go->old_vj) { - /* try an older style of VJ negotiation */ - if (cis_received[f->unit] == 0) { - /* keep trying the new style until we see some CI from the peer */ - go->neg_vj = 1; - } else { - /* use the old style only if the peer did */ - if (ho->neg_vj && ho->old_vj) { - go->neg_vj = 1; - go->old_vj = 1; - go->vj_protocol = ho->vj_protocol; - } - } - } - ADDCIADDR((go->old_addrs? CI_ADDRS: CI_ADDR), go->neg_addr, go->old_addrs, go->ouraddr, go->hisaddr); @@ -557,7 +604,7 @@ ipcp_nakci(f, p, len) no.neg_vj = 1; break; case CI_ADDRS: - if (go->neg_addr && go->old_addrs || no.old_addrs + if ((go->neg_addr && go->old_addrs) || no.old_addrs || cilen != CILEN_ADDRS) goto bad; try.neg_addr = 1; @@ -724,6 +771,9 @@ ipcp_reqci(f, inp, len, reject_if_disagree) u_char *ucp = inp; /* Pointer to current output char */ int l = *len; /* Length left */ u_char maxslotindex, cflag; + int d; + + cis_received[f->unit] = 1; /* * Reset all his options. @@ -850,6 +900,48 @@ ipcp_reqci(f, inp, len, reject_if_disagree) ho->neg_addr = 1; ho->hisaddr = ciaddr1; break; + + case CI_MS_DNS1: + case CI_MS_DNS2: + /* Microsoft primary or secondary DNS request */ + d = citype == CI_MS_DNS2; + IPCPDEBUG((LOG_INFO, "ipcp: received DNS%d Request ", d+1)); + + /* If we do not have a DNS address then we cannot send it */ + if (ao->dnsaddr[d] == 0 || + cilen != CILEN_ADDR) { /* Check CI length */ + orc = CONFREJ; /* Reject CI */ + break; + } + GETLONG(tl, p); + if (htonl(tl) != ao->dnsaddr[d]) { + DECPTR(sizeof(u_int32_t), p); + tl = ntohl(ao->dnsaddr[d]); + PUTLONG(tl, p); + orc = CONFNAK; + } + break; + + case CI_MS_WINS1: + case CI_MS_WINS2: + /* Microsoft primary or secondary WINS request */ + d = citype == CI_MS_WINS2; + IPCPDEBUG((LOG_INFO, "ipcp: received WINS%d Request ", d+1)); + + /* If we do not have a DNS address then we cannot send it */ + if (ao->winsaddr[d] == 0 || + cilen != CILEN_ADDR) { /* Check CI length */ + orc = CONFREJ; /* Reject CI */ + break; + } + GETLONG(tl, p); + if (htonl(tl) != ao->winsaddr[d]) { + DECPTR(sizeof(u_int32_t), p); + tl = ntohl(ao->winsaddr[d]); + PUTLONG(tl, p); + orc = CONFNAK; + } + break; case CI_COMPRESSTYPE: IPCPDEBUG((LOG_INFO, "ipcp: received COMPRESSTYPE ")); @@ -961,6 +1053,76 @@ endswitch: /* + * ip_check_options - check that any IP-related options are OK, + * and assign appropriate defaults. + */ +static void +ip_check_options() +{ + struct hostent *hp; + u_int32_t local; + ipcp_options *wo = &ipcp_wantoptions[0]; + + /* + * Default our local IP address based on our hostname. + * If local IP address already given, don't bother. + */ + if (wo->ouraddr == 0 && !disable_defaultip) { + /* + * Look up our hostname (possibly with domain name appended) + * and take the first IP address as our local IP address. + * If there isn't an IP address for our hostname, too bad. + */ + wo->accept_local = 1; /* don't insist on this default value */ + if ((hp = gethostbyname(hostname)) != NULL) { + local = *(u_int32_t *)hp->h_addr; + if (local != 0 && !bad_ip_adrs(local)) + wo->ouraddr = local; + } + } + + if (demand && wo->hisaddr == 0) { + option_error("remote IP address required for demand-dialling\n"); + exit(1); + } + if (demand && wo->accept_remote) { + option_error("ipcp-accept-remote is incompatible with demand\n"); + exit(1); + } +} + + +/* + * ip_demand_conf - configure the interface as though + * IPCP were up, for use with dial-on-demand. + */ +static int +ip_demand_conf(u) + int u; +{ + ipcp_options *wo = &ipcp_wantoptions[u]; + + if (!sifaddr(u, wo->ouraddr, wo->hisaddr, GetMask(wo->ouraddr))) + return 0; + if (!sifup(u)) + return 0; + if (!sifnpmode(u, PPP_IP, NPMODE_QUEUE)) + return 0; + if (wo->default_route) + if (sifdefaultroute(u, wo->ouraddr, wo->hisaddr)) + default_route_set[u] = 1; + if (wo->proxy_arp) + if (sifproxyarp(u, wo->hisaddr)) + proxy_arp_set[u] = 1; + + syslog(LOG_NOTICE, "local IP address %s", ip_ntoa(wo->ouraddr)); + syslog(LOG_NOTICE, "remote IP address %s", ip_ntoa(wo->hisaddr)); + + return 1; +} + + +/* * ipcp_up - IPCP has come UP. * * Configure the IP network interface appropriately and bring it up. @@ -972,25 +1134,25 @@ ipcp_up(f) u_int32_t mask; ipcp_options *ho = &ipcp_hisoptions[f->unit]; ipcp_options *go = &ipcp_gotoptions[f->unit]; + ipcp_options *wo = &ipcp_wantoptions[f->unit]; + np_up(f->unit, PPP_IP); IPCPDEBUG((LOG_INFO, "ipcp: up")); - go->default_route = 0; - go->proxy_arp = 0; /* * We must have a non-zero IP address for both ends of the link. */ if (!ho->neg_addr) - ho->hisaddr = ipcp_wantoptions[f->unit].hisaddr; + ho->hisaddr = wo->hisaddr; if (ho->hisaddr == 0) { syslog(LOG_ERR, "Could not determine remote IP address"); - ipcp_close(f->unit); + ipcp_close(f->unit, "Could not determine remote IP address"); return; } if (go->ouraddr == 0) { syslog(LOG_ERR, "Could not determine local IP address"); - ipcp_close(f->unit); + ipcp_close(f->unit, "Could not determine local IP address"); return; } @@ -1000,42 +1162,93 @@ ipcp_up(f) if (!auth_ip_addr(f->unit, ho->hisaddr)) { syslog(LOG_ERR, "Peer is not authorized to use remote address %s", ip_ntoa(ho->hisaddr)); - ipcp_close(f->unit); + ipcp_close(f->unit, "Unauthorized remote IP address"); return; } - syslog(LOG_NOTICE, "local IP address %s", ip_ntoa(go->ouraddr)); - syslog(LOG_NOTICE, "remote IP address %s", ip_ntoa(ho->hisaddr)); + /* set tcp compression */ + sifvjcomp(f->unit, ho->neg_vj, ho->cflag, ho->maxslotindex); /* - * Set IP addresses and (if specified) netmask. + * If we are doing dial-on-demand, the interface is already + * configured, so we put out any saved-up packets, then set the + * interface to pass IP packets. */ - mask = GetMask(go->ouraddr); - if (!sifaddr(f->unit, go->ouraddr, ho->hisaddr, mask)) { - IPCPDEBUG((LOG_WARNING, "sifaddr failed")); - ipcp_close(f->unit); - return; - } + if (demand) { + if (go->ouraddr != wo->ouraddr || ho->hisaddr != wo->hisaddr) { + if (go->ouraddr != wo->ouraddr) + syslog(LOG_WARNING, "Local IP address changed to %s", + ip_ntoa(go->ouraddr)); + if (ho->hisaddr != wo->hisaddr) + syslog(LOG_WARNING, "Remote IP address changed to %s", + ip_ntoa(ho->hisaddr)); + ipcp_clear_addrs(f->unit); + + /* Set the interface to the new addresses */ + mask = GetMask(go->ouraddr); + if (!sifaddr(f->unit, go->ouraddr, ho->hisaddr, mask)) { + IPCPDEBUG((LOG_WARNING, "sifaddr failed")); + ipcp_close(f->unit, "Interface configuration failed"); + return; + } - /* set tcp compression */ - sifvjcomp(f->unit, ho->neg_vj, ho->cflag, ho->maxslotindex); + /* assign a default route through the interface if required */ + if (ipcp_wantoptions[f->unit].default_route) + if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr)) + default_route_set[f->unit] = 1; - /* bring the interface up for IP */ - if (!sifup(f->unit)) { - IPCPDEBUG((LOG_WARNING, "sifup failed")); - ipcp_close(f->unit); - return; - } + /* Make a proxy ARP entry if requested. */ + if (ipcp_wantoptions[f->unit].proxy_arp) + if (sifproxyarp(f->unit, ho->hisaddr)) + proxy_arp_set[f->unit] = 1; - /* assign a default route through the interface if required */ - if (ipcp_wantoptions[f->unit].default_route) - if (sifdefaultroute(f->unit, ho->hisaddr)) - go->default_route = 1; + } + demand_rexmit(PPP_IP); + sifnpmode(f->unit, PPP_IP, NPMODE_PASS); + + } else { + /* + * Set IP addresses and (if specified) netmask. + */ + mask = GetMask(go->ouraddr); + +#if !(defined(SVR4) && (defined(SNI) || defined(__USLC__))) + if (!sifaddr(f->unit, go->ouraddr, ho->hisaddr, mask)) { + IPCPDEBUG((LOG_WARNING, "sifaddr failed")); + ipcp_close(f->unit, "Interface configuration failed"); + return; + } +#endif - /* Make a proxy ARP entry if requested. */ - if (ipcp_wantoptions[f->unit].proxy_arp) - if (sifproxyarp(f->unit, ho->hisaddr)) - go->proxy_arp = 1; + /* bring the interface up for IP */ + if (!sifup(f->unit)) { + IPCPDEBUG((LOG_WARNING, "sifup failed")); + ipcp_close(f->unit, "Interface configuration failed"); + return; + } + +#if (defined(SVR4) && (defined(SNI) || defined(__USLC__))) + if (!sifaddr(f->unit, go->ouraddr, ho->hisaddr, mask)) { + IPCPDEBUG((LOG_WARNING, "sifaddr failed")); + ipcp_close(f->unit, "Interface configuration failed"); + return; + } +#endif + sifnpmode(f->unit, PPP_IP, NPMODE_PASS); + + /* assign a default route through the interface if required */ + if (ipcp_wantoptions[f->unit].default_route) + if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr)) + default_route_set[f->unit] = 1; + + /* Make a proxy ARP entry if requested. */ + if (ipcp_wantoptions[f->unit].proxy_arp) + if (sifproxyarp(f->unit, ho->hisaddr)) + proxy_arp_set[f->unit] = 1; + + syslog(LOG_NOTICE, "local IP address %s", ip_ntoa(go->ouraddr)); + syslog(LOG_NOTICE, "remote IP address %s", ip_ntoa(ho->hisaddr)); + } /* * Execute the ip-up script, like this: @@ -1056,18 +1269,20 @@ static void ipcp_down(f) fsm *f; { - u_int32_t ouraddr, hisaddr; - IPCPDEBUG((LOG_INFO, "ipcp: down")); + np_down(f->unit, PPP_IP); + sifvjcomp(f->unit, 0, 0, 0); - ouraddr = ipcp_gotoptions[f->unit].ouraddr; - hisaddr = ipcp_hisoptions[f->unit].hisaddr; - if (ipcp_gotoptions[f->unit].proxy_arp) - cifproxyarp(f->unit, hisaddr); - if (ipcp_gotoptions[f->unit].default_route) - cifdefaultroute(f->unit, hisaddr); - sifdown(f->unit); - cifaddr(f->unit, ouraddr, hisaddr); + /* + * If we are doing dial-on-demand, set the interface + * to queue up outgoing packets (for now). + */ + if (demand) { + sifnpmode(f->unit, PPP_IP, NPMODE_QUEUE); + } else { + sifdown(f->unit); + ipcp_clear_addrs(f->unit); + } /* Execute the ip-down script */ ipcp_script(f, _PATH_IPDOWN); @@ -1075,6 +1290,41 @@ ipcp_down(f) /* + * ipcp_clear_addrs() - clear the interface addresses, routes, + * proxy arp entries, etc. + */ +static void +ipcp_clear_addrs(unit) + int unit; +{ + u_int32_t ouraddr, hisaddr; + + ouraddr = ipcp_gotoptions[unit].ouraddr; + hisaddr = ipcp_hisoptions[unit].hisaddr; + if (proxy_arp_set[unit]) { + cifproxyarp(unit, hisaddr); + proxy_arp_set[unit] = 0; + } + if (default_route_set[unit]) { + cifdefaultroute(unit, ouraddr, hisaddr); + default_route_set[unit] = 0; + } + cifaddr(unit, ouraddr, hisaddr); +} + + +/* + * ipcp_finished - possibly shut down the lower layers. + */ +static void +ipcp_finished(f) + fsm *f; +{ + np_finished(f->unit, PPP_IP); +} + + +/* * ipcp_script - Execute a script with arguments * interface-name tty-name speed local-IP remote-IP. */ @@ -1104,16 +1354,16 @@ ipcp_script(f, script) /* * ipcp_printpkt - print the contents of an IPCP packet. */ -char *ipcp_codenames[] = { +static char *ipcp_codenames[] = { "ConfReq", "ConfAck", "ConfNak", "ConfRej", "TermReq", "TermAck", "CodeRej" }; -int +static int ipcp_printpkt(p, plen, printer, arg) u_char *p; int plen; - void (*printer)(); + void (*printer) __P((void *, char *, ...)); void *arg; { int code, id, len, olen; @@ -1186,6 +1436,18 @@ ipcp_printpkt(p, plen, printer, arg) printer(arg, "addr %s", ip_ntoa(htonl(cilong))); } break; + case CI_MS_DNS1: + case CI_MS_DNS2: + p += 2; + GETLONG(cilong, p); + printer(arg, "dns-addr %s", ip_ntoa(htonl(cilong))); + break; + case CI_MS_WINS1: + case CI_MS_WINS2: + p += 2; + GETLONG(cilong, p); + printer(arg, "wins-addr %s", ip_ntoa(htonl(cilong))); + break; } while (p < optend) { GETCHAR(code, p); @@ -1194,6 +1456,16 @@ ipcp_printpkt(p, plen, printer, arg) printer(arg, ">"); } break; + + case TERMACK: + case TERMREQ: + if (len > 0 && *p >= ' ' && *p < 0x7f) { + printer(arg, " "); + print_string(p, len, printer, arg); + p += len; + len = 0; + } + break; } /* print the rest of the bytes in the packet */ @@ -1204,3 +1476,51 @@ ipcp_printpkt(p, plen, printer, arg) return p - pstart; } + +/* + * ip_active_pkt - see if this IP packet is worth bringing the link up for. + * We don't bring the link up for IP fragments or for TCP FIN packets + * with no data. + */ +#define IP_HDRLEN 20 /* bytes */ +#define IP_OFFMASK 0x1fff +#define IPPROTO_TCP 6 +#define TCP_HDRLEN 20 +#define TH_FIN 0x01 + +/* + * We use these macros because the IP header may be at an odd address, + * and some compilers might use word loads to get th_off or ip_hl. + */ + +#define net_short(x) (((x)[0] << 8) + (x)[1]) +#define get_iphl(x) (((unsigned char *)(x))[0] & 0xF) +#define get_ipoff(x) net_short((unsigned char *)(x) + 6) +#define get_ipproto(x) (((unsigned char *)(x))[9]) +#define get_tcpoff(x) (((unsigned char *)(x))[12] >> 4) +#define get_tcpflags(x) (((unsigned char *)(x))[13]) + +static int +ip_active_pkt(pkt, len) + u_char *pkt; + int len; +{ + u_char *tcp; + int hlen; + + len -= PPP_HDRLEN; + pkt += PPP_HDRLEN; + if (len < IP_HDRLEN) + return 0; + if ((get_ipoff(pkt) & IP_OFFMASK) != 0) + return 0; + if (get_ipproto(pkt) != IPPROTO_TCP) + return 1; + hlen = get_iphl(pkt) * 4; + if (len < hlen + TCP_HDRLEN) + return 0; + tcp = pkt + hlen; + if ((get_tcpflags(tcp) & TH_FIN) != 0 && len == hlen + get_tcpoff(tcp) * 4) + return 0; + return 1; +} diff --git a/usr.sbin/pppd/ipcp.h b/usr.sbin/pppd/ipcp.h index b1f9b4032fd9..470c9ef00685 100644 --- a/usr.sbin/pppd/ipcp.h +++ b/usr.sbin/pppd/ipcp.h @@ -16,7 +16,7 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: ipcp.h,v 1.5 1994/09/21 06:47:37 paulus Exp $ + * $Id: ipcp.h,v 1.10 1997/03/04 03:39:20 paulus Exp $ */ /* @@ -26,6 +26,11 @@ #define CI_COMPRESSTYPE 2 /* Compression Type */ #define CI_ADDR 3 +#define CI_MS_WINS1 128 /* Primary WINS value */ +#define CI_MS_DNS1 129 /* Primary DNS value */ +#define CI_MS_WINS2 130 /* Secondary WINS value */ +#define CI_MS_DNS2 131 /* Secondary DNS value */ + #define MAX_STATES 16 /* from slcompress.h */ #define IPCP_VJMODE_OLD 1 /* "old" mode (option # = 0x0037) */ @@ -50,6 +55,8 @@ typedef struct ipcp_options { u_short vj_protocol; /* protocol value to use in VJ option */ u_char maxslotindex, cflag; /* values for RFC1332 VJ compression neg. */ u_int32_t ouraddr, hisaddr; /* Addresses in NETWORK BYTE ORDER */ + u_int32_t dnsaddr[2]; /* Primary and secondary MS DNS entries */ + u_int32_t winsaddr[2]; /* Primary and secondary MS WINS entries */ } ipcp_options; extern fsm ipcp_fsm[]; @@ -58,11 +65,6 @@ extern ipcp_options ipcp_gotoptions[]; extern ipcp_options ipcp_allowoptions[]; extern ipcp_options ipcp_hisoptions[]; -void ipcp_init __P((int)); -void ipcp_open __P((int)); -void ipcp_close __P((int)); -void ipcp_lowerup __P((int)); -void ipcp_lowerdown __P((int)); -void ipcp_input __P((int, u_char *, int)); -void ipcp_protrej __P((int)); -int ipcp_printpkt __P((u_char *, int, void (*)(), void *)); +char *ip_ntoa __P((u_int32_t)); + +extern struct protent ipcp_protent; diff --git a/usr.sbin/pppd/lcp.c b/usr.sbin/pppd/lcp.c index f9d6c1cc9b9c..48c1b5168b64 100644 --- a/usr.sbin/pppd/lcp.c +++ b/usr.sbin/pppd/lcp.c @@ -18,7 +18,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: lcp.c,v 1.21 1995/08/10 06:51:06 paulus Exp $"; +static char rcsid[] = "$Id: lcp.c,v 1.30 1997/04/30 05:52:59 paulus Exp $"; #endif /* @@ -38,15 +38,8 @@ static char rcsid[] = "$Id: lcp.c,v 1.21 1995/08/10 06:51:06 paulus Exp $"; #include "pppd.h" #include "fsm.h" #include "lcp.h" -#include "magic.h" #include "chap.h" -#include "upap.h" -#include "ipcp.h" - -#ifdef _linux_ /* Needs ppp ioctls */ -#include <net/if.h> -#include <linux/if_ppp.h> -#endif +#include "magic.h" /* global vars */ fsm lcp_fsm[NUM_PPP]; /* LCP fsm structure (global)*/ @@ -62,11 +55,6 @@ static u_int32_t lcp_echo_timer_running = 0; /* TRUE if a timer is running */ static u_char nak_buffer[PPP_MRU]; /* where we construct a nak packet */ -#ifdef _linux_ -u_int32_t idle_timer_running = 0; -extern int idle_time_limit; -#endif - /* * Callbacks for fsm code. (CI = Configuration Information) */ @@ -90,10 +78,11 @@ static void lcp_rprotrej __P((fsm *, u_char *, int)); static void lcp_echo_lowerup __P((int)); static void lcp_echo_lowerdown __P((int)); -static void LcpEchoTimeout __P((caddr_t)); +static void LcpEchoTimeout __P((void *)); static void lcp_received_echo_reply __P((fsm *, int, u_char *, int)); static void LcpSendEchoRequest __P((fsm *)); static void LcpLinkFailure __P((fsm *)); +static void LcpEchoCheck __P((fsm *)); static fsm_callbacks lcp_callbacks = { /* LCP callback routines */ lcp_resetci, /* Reset our Configuration Information */ @@ -113,16 +102,47 @@ static fsm_callbacks lcp_callbacks = { /* LCP callback routines */ "LCP" /* String name of protocol */ }; +/* + * Protocol entry points. + * Some of these are called directly. + */ + +static void lcp_init __P((int)); +static void lcp_input __P((int, u_char *, int)); +static void lcp_protrej __P((int)); +static int lcp_printpkt __P((u_char *, int, + void (*) __P((void *, char *, ...)), void *)); + +struct protent lcp_protent = { + PPP_LCP, + lcp_init, + lcp_input, + lcp_protrej, + lcp_lowerup, + lcp_lowerdown, + lcp_open, + lcp_close, + lcp_printpkt, + NULL, + 1, + "LCP", + NULL, + NULL, + NULL +}; + int lcp_loopbackfail = DEFLOOPBACKFAIL; /* * Length of each type of configuration option (in octets) */ #define CILEN_VOID 2 +#define CILEN_CHAR 3 #define CILEN_SHORT 4 /* CILEN_VOID + sizeof(short) */ #define CILEN_CHAP 5 /* CILEN_VOID + sizeof(short) + 1 */ #define CILEN_LONG 6 /* CILEN_VOID + sizeof(long) */ #define CILEN_LQR 8 /* CILEN_VOID + sizeof(short) + sizeof(long) */ +#define CILEN_CBCP 3 #define CODENAME(x) ((x) == CONFACK ? "ACK" : \ (x) == CONFNAK ? "NAK" : "REJ") @@ -131,7 +151,7 @@ int lcp_loopbackfail = DEFLOOPBACKFAIL; /* * lcp_init - Initialize LCP. */ -void +static void lcp_init(unit) int unit; { @@ -160,6 +180,7 @@ lcp_init(unit) wo->neg_pcompression = 1; wo->neg_accompression = 1; wo->neg_lqr = 0; /* no LQR implementation yet */ + wo->neg_cbcp = 0; ao->neg_mru = 1; ao->mru = MAXMRU; @@ -172,6 +193,11 @@ lcp_init(unit) ao->neg_pcompression = 1; ao->neg_accompression = 1; ao->neg_lqr = 0; /* no LQR implementation yet */ +#ifdef CBCP_SUPPORT + ao->neg_cbcp = 1; +#else + ao->neg_cbcp = 0; +#endif memset(xmit_accm[unit], 0, sizeof(xmit_accm[0])); xmit_accm[unit][3] = 0x60000000; @@ -201,77 +227,28 @@ lcp_open(unit) * lcp_close - Take LCP down. */ void -lcp_close(unit) +lcp_close(unit, reason) int unit; + char *reason; { fsm *f = &lcp_fsm[unit]; + if (phase != PHASE_DEAD) + phase = PHASE_TERMINATE; if (f->state == STOPPED && f->flags & (OPT_PASSIVE|OPT_SILENT)) { /* * This action is not strictly according to the FSM in RFC1548, * but it does mean that the program terminates if you do a - * lcp_close(0) in passive/silent mode when a connection hasn't + * lcp_close() in passive/silent mode when a connection hasn't * been established. */ f->state = CLOSED; lcp_finished(f); } else - fsm_close(&lcp_fsm[unit]); -} - -#ifdef _linux_ -static void IdleTimeCheck __P((caddr_t)); - -/* - * Timer expired for the LCP echo requests from this process. - */ - -static void -RestartIdleTimer (f) - fsm *f; -{ - u_long delta; - struct ppp_idle ddinfo; -/* - * Read the time since the last packet was received. - */ - if (ioctl (fd, PPPIOCGIDLE, &ddinfo) < 0) { - syslog (LOG_ERR, "ioctl(PPPIOCGIDLE): %m"); - die (1); - } -/* - * Compute the time since the last packet was received. If the timer - * has expired then disconnect the line. - */ - delta = idle_time_limit - (u_long) ddinfo.recv_idle; - if (((int) delta <= 0L) && (f->state == OPENED)) { - syslog (LOG_NOTICE, "No IP frames received within idle time limit"); - lcp_close(f->unit); /* Reset connection */ - phase = PHASE_TERMINATE; /* Mark it down */ - } else { - if ((int) delta <= 0L) - delta = (u_long) idle_time_limit; - assert (idle_timer_running==0); - TIMEOUT (IdleTimeCheck, (caddr_t) f, delta); - idle_timer_running = 1; - } + fsm_close(&lcp_fsm[unit], reason); } -/* - * IdleTimeCheck - Timer expired on the IDLE detection for IP frames - */ - -static void -IdleTimeCheck (arg) - caddr_t arg; -{ - if (idle_timer_running != 0) { - idle_timer_running = 0; - RestartIdleTimer ((fsm *) arg); - } -} -#endif /* * lcp_lowerup - The lower layer is up. @@ -280,10 +257,17 @@ void lcp_lowerup(unit) int unit; { - sifdown(unit); + lcp_options *wo = &lcp_wantoptions[unit]; + + /* + * Don't use A/C or protocol compression on transmission, + * but accept A/C and protocol compressed packets + * if we are going to ask for A/C and protocol compression. + */ ppp_set_xaccm(unit, xmit_accm[unit]); ppp_send_config(unit, PPP_MRU, 0xffffffff, 0, 0); - ppp_recv_config(unit, PPP_MRU, 0x00000000, 0, 0); + ppp_recv_config(unit, PPP_MRU, 0x00000000, + wo->neg_pcompression, wo->neg_accompression); peer_mru[unit] = PPP_MRU; lcp_allowoptions[unit].asyncmap = xmit_accm[unit][0]; @@ -305,29 +289,15 @@ lcp_lowerdown(unit) /* * lcp_input - Input LCP packet. */ -void +static void lcp_input(unit, p, len) int unit; u_char *p; int len; { - int oldstate; fsm *f = &lcp_fsm[unit]; - lcp_options *go = &lcp_gotoptions[f->unit]; - oldstate = f->state; fsm_input(f, p, len); - if (oldstate == REQSENT && f->state == ACKSENT) { - /* - * The peer will probably send us an ack soon and then - * immediately start sending packets with the negotiated - * options. So as to be ready when that happens, we set - * our receive side to accept packets as negotiated now. - */ - ppp_recv_config(f->unit, PPP_MRU, - go->neg_asyncmap? go->asyncmap: 0x00000000, - go->neg_pcompression, go->neg_accompression); - } } @@ -382,6 +352,8 @@ lcp_rprotrej(f, inp, len) u_char *inp; int len; { + int i; + struct protent *protp; u_short prot; LCPDEBUG((LOG_INFO, "lcp_rprotrej.")); @@ -408,7 +380,17 @@ lcp_rprotrej(f, inp, len) return; } - DEMUXPROTREJ(f->unit, prot); /* Inform protocol */ + /* + * Upcall the proper Protocol-Reject routine. + */ + for (i = 0; (protp = protocols[i]) != NULL; ++i) + if (protp->protocol == prot && protp->enabled_flag) { + (*protp->protrej)(f->unit); + return; + } + + syslog(LOG_WARNING, "Protocol-Reject for unsupported protocol 0x%x", + prot); } @@ -416,7 +398,7 @@ lcp_rprotrej(f, inp, len) * lcp_protrej - A Protocol-Reject was received. */ /*ARGSUSED*/ -void +static void lcp_protrej(unit) int unit; { @@ -454,13 +436,14 @@ lcp_sprotrej(unit, p, len) * lcp_resetci - Reset our CI. */ static void - lcp_resetci(f) -fsm *f; +lcp_resetci(f) + fsm *f; { lcp_wantoptions[f->unit].magicnumber = magic(); lcp_wantoptions[f->unit].numloops = 0; lcp_gotoptions[f->unit] = lcp_wantoptions[f->unit]; peer_mru[f->unit] = PPP_MRU; + auth_reset(f->unit); } @@ -473,20 +456,22 @@ lcp_cilen(f) { lcp_options *go = &lcp_gotoptions[f->unit]; -#define LENCIVOID(neg) (neg ? CILEN_VOID : 0) -#define LENCICHAP(neg) (neg ? CILEN_CHAP : 0) -#define LENCISHORT(neg) (neg ? CILEN_SHORT : 0) -#define LENCILONG(neg) (neg ? CILEN_LONG : 0) -#define LENCILQR(neg) (neg ? CILEN_LQR: 0) +#define LENCIVOID(neg) ((neg) ? CILEN_VOID : 0) +#define LENCICHAP(neg) ((neg) ? CILEN_CHAP : 0) +#define LENCISHORT(neg) ((neg) ? CILEN_SHORT : 0) +#define LENCILONG(neg) ((neg) ? CILEN_LONG : 0) +#define LENCILQR(neg) ((neg) ? CILEN_LQR: 0) +#define LENCICBCP(neg) ((neg) ? CILEN_CBCP: 0) /* * NB: we only ask for one of CHAP and UPAP, even if we will * accept either. */ - return (LENCISHORT(go->neg_mru) + - LENCILONG(go->neg_asyncmap) + + return (LENCISHORT(go->neg_mru && go->mru != DEFMRU) + + LENCILONG(go->neg_asyncmap && go->asyncmap != 0xFFFFFFFF) + LENCICHAP(go->neg_chap) + LENCISHORT(!go->neg_chap && go->neg_upap) + LENCILQR(go->neg_lqr) + + LENCICBCP(go->neg_cbcp) + LENCILONG(go->neg_magicnumber) + LENCIVOID(go->neg_pcompression) + LENCIVOID(go->neg_accompression)); @@ -536,12 +521,20 @@ lcp_addci(f, ucp, lenp) PUTSHORT(PPP_LQR, ucp); \ PUTLONG(val, ucp); \ } +#define ADDCICHAR(opt, neg, val) \ + if (neg) { \ + PUTCHAR(opt, ucp); \ + PUTCHAR(CILEN_CHAR, ucp); \ + PUTCHAR(val, ucp); \ + } - ADDCISHORT(CI_MRU, go->neg_mru, go->mru); - ADDCILONG(CI_ASYNCMAP, go->neg_asyncmap, go->asyncmap); + ADDCISHORT(CI_MRU, go->neg_mru && go->mru != DEFMRU, go->mru); + ADDCILONG(CI_ASYNCMAP, go->neg_asyncmap && go->asyncmap != 0xFFFFFFFF, + go->asyncmap); ADDCICHAP(CI_AUTHTYPE, go->neg_chap, PPP_CHAP, go->chap_mdtype); ADDCISHORT(CI_AUTHTYPE, !go->neg_chap && go->neg_upap, PPP_PAP); ADDCILQR(CI_QUALITY, go->neg_lqr, go->lqr_period); + ADDCICHAR(CI_CALLBACK, go->neg_cbcp, CBCP_OPT); ADDCILONG(CI_MAGICNUMBER, go->neg_magicnumber, go->magicnumber); ADDCIVOID(CI_PCOMPRESSION, go->neg_pcompression); ADDCIVOID(CI_ACCOMPRESSION, go->neg_accompression); @@ -600,6 +593,19 @@ lcp_ackci(f, p, len) if (cishort != val) \ goto bad; \ } +#define ACKCICHAR(opt, neg, val) \ + if (neg) { \ + if ((len -= CILEN_CHAR) < 0) \ + goto bad; \ + GETCHAR(citype, p); \ + GETCHAR(cilen, p); \ + if (cilen != CILEN_CHAR || \ + citype != opt) \ + goto bad; \ + GETCHAR(cichar, p); \ + if (cichar != val) \ + goto bad; \ + } #define ACKCICHAP(opt, neg, val, digest) \ if (neg) { \ if ((len -= CILEN_CHAP) < 0) \ @@ -646,11 +652,13 @@ lcp_ackci(f, p, len) goto bad; \ } - ACKCISHORT(CI_MRU, go->neg_mru, go->mru); - ACKCILONG(CI_ASYNCMAP, go->neg_asyncmap, go->asyncmap); + ACKCISHORT(CI_MRU, go->neg_mru && go->mru != DEFMRU, go->mru); + ACKCILONG(CI_ASYNCMAP, go->neg_asyncmap && go->asyncmap != 0xFFFFFFFF, + go->asyncmap); ACKCICHAP(CI_AUTHTYPE, go->neg_chap, PPP_CHAP, go->chap_mdtype); ACKCISHORT(CI_AUTHTYPE, !go->neg_chap && go->neg_upap, PPP_PAP); ACKCILQR(CI_QUALITY, go->neg_lqr, go->lqr_period); + ACKCICHAR(CI_CALLBACK, go->neg_cbcp, CBCP_OPT); ACKCILONG(CI_MAGICNUMBER, go->neg_magicnumber, go->magicnumber); ACKCIVOID(CI_PCOMPRESSION, go->neg_pcompression); ACKCIVOID(CI_ACCOMPRESSION, go->neg_accompression); @@ -722,6 +730,17 @@ lcp_nakci(f, p, len) no.neg = 1; \ code \ } +#define NAKCICHAR(opt, neg, code) \ + if (go->neg && \ + len >= CILEN_CHAR && \ + p[1] == CILEN_CHAR && \ + p[0] == opt) { \ + len -= CILEN_CHAR; \ + INCPTR(2, p); \ + GETCHAR(cichar, p); \ + no.neg = 1; \ + code \ + } #define NAKCISHORT(opt, neg, code) \ if (go->neg && \ len >= CILEN_SHORT && \ @@ -764,17 +783,21 @@ lcp_nakci(f, p, len) * If they send us a bigger MRU than what we asked, accept it, up to * the limit of the default MRU we'd get if we didn't negotiate. */ - NAKCISHORT(CI_MRU, neg_mru, - if (cishort <= wo->mru || cishort < DEFMRU) - try.mru = cishort; - ); + if (go->neg_mru && go->mru != DEFMRU) { + NAKCISHORT(CI_MRU, neg_mru, + if (cishort <= wo->mru || cishort < DEFMRU) + try.mru = cishort; + ); + } /* * Add any characters they want to our (receive-side) asyncmap. */ - NAKCILONG(CI_ASYNCMAP, neg_asyncmap, - try.asyncmap = go->asyncmap | cilong; - ); + if (go->neg_asyncmap && go->asyncmap != 0xFFFFFFFF) { + NAKCILONG(CI_ASYNCMAP, neg_asyncmap, + try.asyncmap = go->asyncmap | cilong; + ); + } /* * If they've nak'd our authentication-protocol, check whether @@ -783,19 +806,22 @@ lcp_nakci(f, p, len) */ if ((go->neg_chap || go->neg_upap) && len >= CILEN_SHORT - && p[0] == CI_AUTHTYPE && p[1] >= CILEN_SHORT) { + && p[0] == CI_AUTHTYPE && p[1] >= CILEN_SHORT && p[1] <= len) { cilen = p[1]; + len -= cilen; + no.neg_chap = go->neg_chap; + no.neg_upap = go->neg_upap; INCPTR(2, p); GETSHORT(cishort, p); if (cishort == PPP_PAP && cilen == CILEN_SHORT) { /* - * If they are asking for PAP, then they don't want to do CHAP. + * If we were asking for CHAP, they obviously don't want to do it. * If we weren't asking for CHAP, then we were asking for PAP, * in which case this Nak is bad. */ if (!go->neg_chap) goto bad; - go->neg_chap = 0; + try.neg_chap = 0; } else if (cishort == PPP_CHAP && cilen == CILEN_CHAP) { GETCHAR(cichar, p); @@ -806,12 +832,12 @@ lcp_nakci(f, p, len) * asking for CHAP. */ if (cichar != go->chap_mdtype) - go->neg_chap = 0; + try.neg_chap = 0; } else { /* * Stop asking for PAP if we were asking for it. */ - go->neg_upap = 0; + try.neg_upap = 0; } } else { @@ -820,25 +846,14 @@ lcp_nakci(f, p, len) * Stop asking for what we were asking for. */ if (go->neg_chap) - go->neg_chap = 0; + try.neg_chap = 0; else - go->neg_upap = 0; + try.neg_upap = 0; p += cilen - CILEN_SHORT; } } /* - * Peer shouldn't send Nak for protocol compression or - * address/control compression requests; they should send - * a Reject instead. If they send a Nak, treat it as a Reject. - */ - if (!go->neg_chap ){ - NAKCISHORT(CI_AUTHTYPE, neg_upap, - try.neg_upap = 0; - ); - } - - /* * If they can't cope with our link quality protocol, we'll have * to stop asking for LQR. We haven't got any other protocol. * If they Nak the reporting period, take their value XXX ? @@ -851,6 +866,13 @@ lcp_nakci(f, p, len) ); /* + * Only implementing CBCP...not the rest of the callback options + */ + NAKCICHAR(CI_CALLBACK, neg_cbcp, + try.neg_cbcp = 0; + ); + + /* * Check for a looped-back line. */ NAKCILONG(CI_MAGICNUMBER, neg_magicnumber, @@ -858,6 +880,11 @@ lcp_nakci(f, p, len) looped_back = 1; ); + /* + * Peer shouldn't send Nak for protocol compression or + * address/control compression requests; they should send + * a Reject instead. If they send a Nak, treat it as a Reject. + */ NAKCIVOID(CI_PCOMPRESSION, neg_pcompression, try.neg_pcompression = 0; ); @@ -884,17 +911,22 @@ lcp_nakci(f, p, len) while (len > CILEN_VOID) { GETCHAR(citype, p); GETCHAR(cilen, p); - if ((len -= cilen) < 0) + if (cilen < CILEN_VOID || (len -= cilen) < 0) goto bad; next = p + cilen - 2; switch (citype) { case CI_MRU: - if (go->neg_mru || no.neg_mru || cilen != CILEN_SHORT) + if ((go->neg_mru && go->mru != DEFMRU) + || no.neg_mru || cilen != CILEN_SHORT) goto bad; + GETSHORT(cishort, p); + if (cishort < DEFMRU) + try.mru = cishort; break; case CI_ASYNCMAP: - if (go->neg_asyncmap || no.neg_asyncmap || cilen != CILEN_LONG) + if ((go->neg_asyncmap && go->asyncmap != 0xFFFFFFFF) + || no.neg_asyncmap || cilen != CILEN_LONG) goto bad; break; case CI_AUTHTYPE: @@ -935,7 +967,7 @@ lcp_nakci(f, p, len) if (looped_back) { if (++try.numloops >= lcp_loopbackfail) { syslog(LOG_NOTICE, "Serial line is looped back."); - lcp_close(f->unit); + lcp_close(f->unit, "Loopback detected"); } } else try.numloops = 0; @@ -969,8 +1001,6 @@ lcp_rejci(f, p, len) u_char cichar; u_short cishort; u_int32_t cilong; - u_char *start = p; - int plen = len; lcp_options try; /* options to request next time */ try = *go; @@ -1049,6 +1079,20 @@ lcp_rejci(f, p, len) try.neg = 0; \ LCPDEBUG((LOG_INFO,"lcp_rejci rejected LQR opt %d", opt)); \ } +#define REJCICBCP(opt, neg, val) \ + if (go->neg && \ + len >= CILEN_CBCP && \ + p[1] == CILEN_CBCP && \ + p[0] == opt) { \ + len -= CILEN_CBCP; \ + INCPTR(2, p); \ + GETCHAR(cichar, p); \ + /* Check rejected value. */ \ + if (cichar != val) \ + goto bad; \ + try.neg = 0; \ + LCPDEBUG((LOG_INFO,"lcp_rejci rejected Callback opt %d", opt)); \ + } REJCISHORT(CI_MRU, neg_mru, go->mru); REJCILONG(CI_ASYNCMAP, neg_asyncmap, go->asyncmap); @@ -1057,6 +1101,7 @@ lcp_rejci(f, p, len) REJCISHORT(CI_AUTHTYPE, neg_upap, PPP_PAP); } REJCILQR(CI_QUALITY, neg_lqr, go->lqr_period); + REJCICBCP(CI_CALLBACK, neg_cbcp, CBCP_OPT); REJCILONG(CI_MAGICNUMBER, neg_magicnumber, go->magicnumber); REJCIVOID(CI_PCOMPRESSION, neg_pcompression); REJCIVOID(CI_ACCOMPRESSION, neg_accompression); @@ -1075,8 +1120,6 @@ lcp_rejci(f, p, len) bad: LCPDEBUG((LOG_WARNING, "lcp_rejci: received bad Reject!")); - LCPDEBUG((LOG_WARNING, "lcp_rejci: plen %d len %d off %d", - plen, len, p - start)); return 0; } @@ -1099,7 +1142,7 @@ lcp_reqci(f, inp, lenp, reject_if_disagree) lcp_options *ho = &lcp_hisoptions[f->unit]; lcp_options *ao = &lcp_allowoptions[f->unit]; u_char *cip, *next; /* Pointer to current and next CIs */ - u_char cilen, citype, cichar;/* Parsed len, type, char value */ + int cilen, citype, cichar; /* Parsed len, type, char value */ u_short cishort; /* Parsed short value */ u_int32_t cilong; /* Parse long value */ int rc = CONFACK; /* Final packet return code */ @@ -1130,6 +1173,7 @@ lcp_reqci(f, inp, lenp, reject_if_disagree) orc = CONFREJ; /* Reject bad CI */ cilen = l; /* Reject till end of packet */ l = 0; /* Don't loop again */ + citype = 0; goto endswitch; } GETCHAR(citype, p); /* Parse CI type */ @@ -1248,7 +1292,11 @@ lcp_reqci(f, inp, lenp, reject_if_disagree) break; } GETCHAR(cichar, p); /* get digest type*/ - if (cichar != ao->chap_mdtype) { + if (cichar != CHAP_DIGEST_MD5 +#ifdef CHAPMS + && cichar != CHAP_MICROSOFT +#endif + ) { orc = CONFNAK; PUTCHAR(CI_AUTHTYPE, nakp); PUTCHAR(CILEN_CHAP, nakp); @@ -1412,8 +1460,6 @@ endswitch: /* * lcp_up - LCP has come UP. - * - * Start UPAP, IPCP, etc. */ static void lcp_up(f) @@ -1450,10 +1496,6 @@ lcp_up(f) if (ho->neg_mru) peer_mru[f->unit] = ho->mru; - ChapLowerUp(f->unit); /* Enable CHAP */ - upap_lowerup(f->unit); /* Enable UPAP */ - ipcp_lowerup(f->unit); /* Enable IPCP */ - ccp_lowerup(f->unit); /* Enable CCP */ lcp_echo_lowerup(f->unit); /* Enable echo messages */ link_established(f->unit); @@ -1469,18 +1511,17 @@ static void lcp_down(f) fsm *f; { + lcp_options *go = &lcp_gotoptions[f->unit]; + lcp_echo_lowerdown(f->unit); - ccp_lowerdown(f->unit); - ipcp_lowerdown(f->unit); - ChapLowerDown(f->unit); - upap_lowerdown(f->unit); - sifdown(f->unit); + link_down(f->unit); + ppp_send_config(f->unit, PPP_MRU, 0xffffffff, 0, 0); - ppp_recv_config(f->unit, PPP_MRU, 0x00000000, 0, 0); + ppp_recv_config(f->unit, PPP_MRU, + (go->neg_asyncmap? go->asyncmap: 0x00000000), + go->neg_pcompression, go->neg_accompression); peer_mru[f->unit] = PPP_MRU; - - link_down(f->unit); } @@ -1509,13 +1550,13 @@ lcp_finished(f) /* * lcp_printpkt - print the contents of an LCP packet. */ -char *lcp_codenames[] = { +static char *lcp_codenames[] = { "ConfReq", "ConfAck", "ConfNak", "ConfRej", "TermReq", "TermAck", "CodeRej", "ProtRej", "EchoReq", "EchoRep", "DiscReq" }; -int +static int lcp_printpkt(p, plen, printer, arg) u_char *p; int plen; @@ -1580,7 +1621,7 @@ lcp_printpkt(p, plen, printer, arg) GETSHORT(cishort, p); switch (cishort) { case PPP_PAP: - printer(arg, "upap"); + printer(arg, "pap"); break; case PPP_CHAP: printer(arg, "chap"); @@ -1604,6 +1645,20 @@ lcp_printpkt(p, plen, printer, arg) } } break; + case CI_CALLBACK: + if (olen >= CILEN_CHAR) { + p += 2; + printer(arg, "callback "); + GETSHORT(cishort, p); + switch (cishort) { + case CBCP_OPT: + printer(arg, "CBCP"); + break; + default: + printer(arg, "0x%x", cishort); + } + } + break; case CI_MAGICNUMBER: if (olen == CILEN_LONG) { p += 2; @@ -1631,6 +1686,27 @@ lcp_printpkt(p, plen, printer, arg) printer(arg, ">"); } break; + + case TERMACK: + case TERMREQ: + if (len > 0 && *p >= ' ' && *p < 0x7f) { + printer(arg, " "); + print_string(p, len, printer, arg); + p += len; + len = 0; + } + break; + + case ECHOREQ: + case ECHOREP: + case DISCREQ: + if (len >= 4) { + GETLONG(cilong, p); + printer(arg, " magic=0x%x", cilong); + p += 4; + len -= 4; + } + break; } /* print the rest of the bytes in the packet */ @@ -1651,8 +1727,9 @@ void LcpLinkFailure (f) fsm *f; { if (f->state == OPENED) { - syslog (LOG_NOTICE, "Excessive lack of response to LCP echo frames."); - lcp_close(f->unit); /* Reset connection */ + syslog(LOG_INFO, "No response to %d echo-requests", lcp_echos_pending); + syslog(LOG_NOTICE, "Serial link appears to be disconnected."); + lcp_close(f->unit, "Peer not responding"); } } @@ -1664,36 +1741,13 @@ static void LcpEchoCheck (f) fsm *f; { - long int delta; -#ifdef __linux__ - struct ppp_idle ddinfo; -/* - * Read the time since the last packet was received. - */ - if (ioctl (fd, PPPIOCGIDLE, &ddinfo) < 0) { - syslog (LOG_ERR, "ioctl(PPPIOCGIDLE): %m"); - die (1); - } -/* - * Compute the time since the last packet was received. If the timer - * has expired then send the echo request and reset the timer to maximum. - */ - delta = (long int) lcp_echo_interval - (long int) ddinfo.recv_idle; - if (delta < 0L) { - LcpSendEchoRequest (f); - delta = (int) lcp_echo_interval; - } - -#else /* Other implementations do not have ability to find delta */ LcpSendEchoRequest (f); - delta = (int) lcp_echo_interval; -#endif -/* - * Start the timer for the next interval. - */ + /* + * Start the timer for the next interval. + */ assert (lcp_echo_timer_running==0); - TIMEOUT (LcpEchoTimeout, (caddr_t) f, (u_int32_t) delta); + TIMEOUT (LcpEchoTimeout, f, lcp_echo_interval); lcp_echo_timer_running = 1; } @@ -1703,7 +1757,7 @@ LcpEchoCheck (f) static void LcpEchoTimeout (arg) - caddr_t arg; + void *arg; { if (lcp_echo_timer_running != 0) { lcp_echo_timer_running = 0; @@ -1749,27 +1803,24 @@ LcpSendEchoRequest (f) u_int32_t lcp_magic; u_char pkt[4], *pktp; -/* - * Detect the failure of the peer at this point. - */ + /* + * Detect the failure of the peer at this point. + */ if (lcp_echo_fails != 0) { if (lcp_echos_pending++ >= lcp_echo_fails) { LcpLinkFailure(f); lcp_echos_pending = 0; } } -/* - * Make and send the echo request frame. - */ + + /* + * Make and send the echo request frame. + */ if (f->state == OPENED) { - lcp_magic = lcp_gotoptions[f->unit].neg_magicnumber - ? lcp_gotoptions[f->unit].magicnumber - : 0L; + lcp_magic = lcp_gotoptions[f->unit].magicnumber; pktp = pkt; PUTLONG(lcp_magic, pktp); - - fsm_sdata(f, ECHOREQ, - lcp_echo_number++ & 0xFF, pkt, pktp - pkt); + fsm_sdata(f, ECHOREQ, lcp_echo_number++ & 0xFF, pkt, pktp - pkt); } } @@ -1791,11 +1842,6 @@ lcp_echo_lowerup (unit) /* If a timeout interval is specified then start the timer */ if (lcp_echo_interval != 0) LcpEchoCheck (f); -#ifdef _linux_ - /* If a idle time limit is given then start it */ - if (idle_time_limit != 0) - RestartIdleTimer (f); -#endif } /* @@ -1809,14 +1855,7 @@ lcp_echo_lowerdown (unit) fsm *f = &lcp_fsm[unit]; if (lcp_echo_timer_running != 0) { - UNTIMEOUT (LcpEchoTimeout, (caddr_t) f); + UNTIMEOUT (LcpEchoTimeout, f); lcp_echo_timer_running = 0; } -#ifdef _linux_ - /* If a idle time limit is running then stop it */ - if (idle_timer_running != 0) { - UNTIMEOUT (IdleTimeCheck, (caddr_t) f); - idle_timer_running = 0; - } -#endif } diff --git a/usr.sbin/pppd/lcp.h b/usr.sbin/pppd/lcp.h index 271ddc5ef3b6..ddb5c6bdd4a6 100644 --- a/usr.sbin/pppd/lcp.h +++ b/usr.sbin/pppd/lcp.h @@ -16,7 +16,7 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: lcp.h,v 1.8 1995/06/12 11:22:47 paulus Exp $ + * $Id: lcp.h,v 1.12 1996/10/08 04:35:02 paulus Exp $ */ /* @@ -29,6 +29,7 @@ #define CI_MAGICNUMBER 5 /* Magic Number */ #define CI_PCOMPRESSION 7 /* Protocol Field Compression */ #define CI_ACCOMPRESSION 8 /* Address/Control Field Compression */ +#define CI_CALLBACK 13 /* callback */ /* * LCP-specific packet types. @@ -37,6 +38,7 @@ #define ECHOREQ 9 /* Echo Request */ #define ECHOREP 10 /* Echo Reply */ #define DISCREQ 11 /* Discard Request */ +#define CBCP_OPT 6 /* Use callback control protocol */ /* * The state of options is described by an lcp_options structure. @@ -53,6 +55,7 @@ typedef struct lcp_options { int neg_pcompression : 1; /* HDLC Protocol Field Compression? */ int neg_accompression : 1; /* HDLC Address/Control Field Compression? */ int neg_lqr : 1; /* Negotiate use of Link Quality Reports */ + int neg_cbcp : 1; /* Negotiate use of CBCP */ u_short mru; /* Value of MRU */ u_char chap_mdtype; /* which MD type (hashing algorithm) */ u_int32_t asyncmap; /* Value of async map */ @@ -72,17 +75,14 @@ extern u_int32_t xmit_accm[][8]; #define MINMRU 128 /* No MRUs below this */ #define MAXMRU 16384 /* Normally limit MRU to this */ -void lcp_init __P((int)); void lcp_open __P((int)); -void lcp_close __P((int)); +void lcp_close __P((int, char *)); void lcp_lowerup __P((int)); void lcp_lowerdown __P((int)); -void lcp_input __P((int, u_char *, int)); -void lcp_protrej __P((int)); -void lcp_sprotrej __P((int, u_char *, int)); -int lcp_printpkt __P((u_char *, int, - void (*) __P((void *, char *, ...)), void *)); +void lcp_sprotrej __P((int, u_char *, int)); /* send protocol reject */ + +extern struct protent lcp_protent; /* Default number of times we receive our magic number from the peer before deciding the link is looped-back. */ -#define DEFLOOPBACKFAIL 5 +#define DEFLOOPBACKFAIL 10 diff --git a/usr.sbin/pppd/magic.c b/usr.sbin/pppd/magic.c index 4797f0b19fd6..9e9599495381 100644 --- a/usr.sbin/pppd/magic.c +++ b/usr.sbin/pppd/magic.c @@ -18,23 +18,20 @@ */ #ifndef lint -static char rcsid[] = "$Id: magic.c,v 1.5 1995/06/06 01:52:25 paulus Exp $"; +static char rcsid[] = "$Id: magic.c,v 1.6 1996/04/04 03:58:41 paulus Exp $"; #endif #include <stdio.h> +#include <unistd.h> #include <sys/types.h> #include <sys/time.h> #include "pppd.h" #include "magic.h" -static u_int32_t next; /* Next value to return */ - -extern int gethostid __P((void)); extern long mrand48 __P((void)); extern void srand48 __P((long)); - /* * magic_init - Initialize the magic number generator. * diff --git a/usr.sbin/pppd/main.c b/usr.sbin/pppd/main.c index f4913ff28e77..2f17a69ed0d6 100644 --- a/usr.sbin/pppd/main.c +++ b/usr.sbin/pppd/main.c @@ -18,12 +18,14 @@ */ #ifndef lint -static char rcsid[] = "$Id: main.c,v 1.27 1995/08/16 01:39:08 paulus Exp $"; +static char rcsid[] = "$Id: main.c,v 1.41 1997/04/30 05:54:52 paulus Exp $"; #endif #include <stdio.h> +#include <ctype.h> #include <stdlib.h> #include <string.h> +#include <unistd.h> #include <signal.h> #include <errno.h> #include <fcntl.h> @@ -51,12 +53,19 @@ static char rcsid[] = "$Id: main.c,v 1.27 1995/08/16 01:39:08 paulus Exp $"; #include "pathnames.h" #include "patchlevel.h" -/* - * If REQ_SYSOPTIONS is defined to 1, pppd will not run unless - * /etc/ppp/options exists. - */ -#ifndef REQ_SYSOPTIONS -#define REQ_SYSOPTIONS 1 +#ifdef CBCP_SUPPORT +#include "cbcp.h" +#endif + +#if defined(SUNOS4) +extern char *strerror(); +#endif + +#ifdef IPX_CHANGE +#include "ipxcp.h" +#endif /* IPX_CHANGE */ +#ifdef AT_CHANGE +#include "atcp.h" #endif /* interface vars */ @@ -67,134 +76,168 @@ char *progname; /* Name of this program */ char hostname[MAXNAMELEN]; /* Our hostname */ static char pidfilename[MAXPATHLEN]; /* name of pid file */ static char default_devnam[MAXPATHLEN]; /* name of default device */ -static pid_t pid; /* Our pid */ -static pid_t pgrpid; /* Process Group ID */ +static pid_t pid; /* Our pid */ static uid_t uid; /* Our real user-id */ +static int conn_running; /* we have a [dis]connector running */ -int fd = -1; /* Device file descriptor */ +int ttyfd = -1; /* Serial port file descriptor */ +mode_t tty_mode = -1; /* Original access permissions to tty */ +int baud_rate; /* Actual bits/second for serial device */ +int hungup; /* terminal has been hung up */ +int privileged; /* we're running as real uid root */ +int need_holdoff; /* need holdoff period before restarting */ int phase; /* where the link is at */ int kill_link; int open_ccp_flag; - -static int initfdflags = -1; /* Initial file descriptor flags */ +int redirect_stderr; /* Connector's stderr should go to file */ u_char outpacket_buf[PPP_MRU+PPP_HDRLEN]; /* buffer for outgoing packet */ -static u_char inpacket_buf[PPP_MRU+PPP_HDRLEN]; /* buffer for incoming packet */ +u_char inpacket_buf[PPP_MRU+PPP_HDRLEN]; /* buffer for incoming packet */ -int hungup; /* terminal has been hung up */ static int n_children; /* # child processes still running */ -int baud_rate; +static int locked; /* lock() has succeeded */ char *no_ppp_msg = "Sorry - this system lacks PPP kernel support\n"; -/* prototypes */ +/* Prototypes for procedures local to this file. */ + +static void cleanup __P((void)); +static void close_tty __P((void)); +static void get_input __P((void)); +static void calltimeout __P((void)); +static struct timeval *timeleft __P((struct timeval *)); +static void kill_my_pg __P((int)); static void hup __P((int)); static void term __P((int)); static void chld __P((int)); static void toggle_debug __P((int)); static void open_ccp __P((int)); static void bad_signal __P((int)); - -static void get_input __P((void)); -void establish_ppp __P((void)); -void calltimeout __P((void)); -struct timeval *timeleft __P((struct timeval *)); -void reap_kids __P((void)); -void cleanup __P((int, caddr_t)); -void close_fd __P((void)); -void die __P((int)); -void novm __P((char *)); - -void log_packet __P((u_char *, int, char *)); -void format_packet __P((u_char *, int, - void (*) (void *, char *, ...), void *)); -void pr_log __P((void *, char *, ...)); +static void holdoff_end __P((void *)); +static int device_script __P((char *, int, int)); +static void reap_kids __P((void)); +static void pr_log __P((void *, char *, ...)); extern char *ttyname __P((int)); extern char *getlogin __P((void)); +int main __P((int, char *[])); #ifdef ultrix #undef O_NONBLOCK #define O_NONBLOCK O_NDELAY #endif +#ifdef ULTRIX +#define setlogmask(x) +#endif + /* * PPP Data Link Layer "protocol" table. * One entry per supported protocol. + * The last entry must be NULL. */ -static struct protent { - u_short protocol; - void (*init)(); - void (*input)(); - void (*protrej)(); - int (*printpkt)(); - void (*datainput)(); - char *name; -} prottbl[] = { - { PPP_LCP, lcp_init, lcp_input, lcp_protrej, - lcp_printpkt, NULL, "LCP" }, - { PPP_IPCP, ipcp_init, ipcp_input, ipcp_protrej, - ipcp_printpkt, NULL, "IPCP" }, - { PPP_PAP, upap_init, upap_input, upap_protrej, - upap_printpkt, NULL, "PAP" }, - { PPP_CHAP, ChapInit, ChapInput, ChapProtocolReject, - ChapPrintPkt, NULL, "CHAP" }, - { PPP_CCP, ccp_init, ccp_input, ccp_protrej, - ccp_printpkt, ccp_datainput, "CCP" }, +struct protent *protocols[] = { + &lcp_protent, + &pap_protent, + &chap_protent, +#ifdef CBCP_SUPPORT + &cbcp_protent, +#endif + &ipcp_protent, + &ccp_protent, +#ifdef IPX_CHANGE + &ipxcp_protent, +#endif +#ifdef AT_CHANGE + &atcp_protent, +#endif + NULL }; -#define N_PROTO (sizeof(prottbl) / sizeof(prottbl[0])) - +int main(argc, argv) int argc; char *argv[]; { - int i, nonblock; + int i, nonblock, fdflags; struct sigaction sa; - struct cmd *cmdp; FILE *pidfile; char *p; struct passwd *pw; struct timeval timo; sigset_t mask; + struct protent *protp; + struct stat statbuf; + phase = PHASE_INITIALIZE; p = ttyname(0); if (p) strcpy(devnam, p); strcpy(default_devnam, devnam); + /* Initialize syslog facilities */ +#ifdef ULTRIX + openlog("pppd", LOG_PID); +#else + openlog("pppd", LOG_PID | LOG_NDELAY, LOG_PPP); + setlogmask(LOG_UPTO(LOG_INFO)); +#endif + if (gethostname(hostname, MAXNAMELEN) < 0 ) { - perror("couldn't get hostname"); + option_error("Couldn't get hostname: %m"); die(1); } hostname[MAXNAMELEN-1] = 0; uid = getuid(); - - if (!ppp_available()) { - fprintf(stderr, no_ppp_msg); - exit(1); - } + privileged = uid == 0; /* * Initialize to the standard option set, then parse, in order, - * the system options file, the user's options file, and the command - * line arguments. + * the system options file, the user's options file, + * the tty's options file, and the command line arguments. */ - for (i = 0; i < N_PROTO; i++) - (*prottbl[i].init)(0); + for (i = 0; (protp = protocols[i]) != NULL; ++i) + (*protp->init)(0); progname = *argv; - if (!options_from_file(_PATH_SYSOPTIONS, REQ_SYSOPTIONS, 0) || - !options_from_user() || - !parse_args(argc-1, argv+1) || - !options_for_tty()) + if (!options_from_file(_PATH_SYSOPTIONS, !privileged, 0, 1) + || !options_from_user()) + exit(1); + scan_args(argc-1, argv+1); /* look for tty name on command line */ + if (!options_for_tty() + || !parse_args(argc-1, argv+1)) + exit(1); + + /* + * Check that we are running as root. + */ + if (geteuid() != 0) { + option_error("must be root to run %s, since it is not setuid-root", + argv[0]); die(1); - check_auth_options(); - setipdefault(); + } + + if (!ppp_available()) { + option_error(no_ppp_msg); + exit(1); + } + + /* + * Check that the options given are valid and consistent. + */ + sys_check_options(); + auth_check_options(); + for (i = 0; (protp = protocols[i]) != NULL; ++i) + if (protp->check_options != NULL) + (*protp->check_options)(); + if (demand && connector == 0) { + option_error("connect script required for demand-dialling\n"); + exit(1); + } /* * If the user has specified the default device name explicitly, @@ -202,12 +245,15 @@ main(argc, argv) */ if (!default_device && strcmp(devnam, default_devnam) == 0) default_device = 1; + redirect_stderr = !nodetach || default_device; /* * Initialize system-dependent stuff and magic number package. */ sys_init(); magic_init(); + if (debug) + setlogmask(LOG_UPTO(LOG_DEBUG)); /* * Detach ourselves from the terminal, if required, @@ -226,8 +272,8 @@ main(argc, argv) else p = "(unknown)"; } - syslog(LOG_NOTICE, "pppd %s.%d started by %s, uid %d", - VERSION, PATCHLEVEL, p, uid); + syslog(LOG_NOTICE, "pppd %s.%d%s started by %s, uid %d", + VERSION, PATCHLEVEL, IMPLEMENTATION, p, uid); /* * Compute mask of all interesting signals and install signal handlers @@ -298,54 +344,129 @@ main(argc, argv) #endif /* - * Lock the device if we've been asked to. + * Apparently we can get a SIGPIPE when we call syslog, if + * syslogd has died and been restarted. Ignoring it seems + * be sufficient. */ - if (lockflag && !default_device) - if (lock(devnam) < 0) - die(1); + signal(SIGPIPE, SIG_IGN); + + /* + * If we're doing dial-on-demand, set up the interface now. + */ + if (demand) { + /* + * Open the loopback channel and set it up to be the ppp interface. + */ + open_ppp_loopback(); - do { + syslog(LOG_INFO, "Using interface ppp%d", ifunit); + (void) sprintf(ifname, "ppp%d", ifunit); + + /* write pid to file */ + (void) sprintf(pidfilename, "%s%s.pid", _PATH_VARRUN, ifname); + if ((pidfile = fopen(pidfilename, "w")) != NULL) { + fprintf(pidfile, "%d\n", pid); + (void) fclose(pidfile); + } else { + syslog(LOG_ERR, "Failed to create pid file %s: %m", pidfilename); + pidfilename[0] = 0; + } /* - * Open the serial device and set it up to be the ppp interface. - * If we're dialling out, or we don't want to use the modem lines, - * we open it in non-blocking mode, but then we need to clear - * the non-blocking I/O bit. + * Configure the interface and mark it up, etc. */ - nonblock = (connector || !modem)? O_NONBLOCK: 0; - if ((fd = open(devnam, nonblock | O_RDWR, 0)) < 0) { - syslog(LOG_ERR, "Failed to open %s: %m", devnam); - die(1); + demand_conf(); + } + + for (;;) { + + need_holdoff = 1; + + if (demand) { + /* + * Don't do anything until we see some activity. + */ + phase = PHASE_DORMANT; + kill_link = 0; + demand_unblock(); + for (;;) { + wait_loop_output(timeleft(&timo)); + calltimeout(); + if (kill_link) { + if (!persist) + die(0); + kill_link = 0; + } + if (get_loop_output()) + break; + reap_kids(); + } + + /* + * Now we want to bring up the link. + */ + demand_block(); + syslog(LOG_INFO, "Starting link"); } - if ((initfdflags = fcntl(fd, F_GETFL)) == -1) { - syslog(LOG_ERR, "Couldn't get device fd flags: %m"); - die(1); + + /* + * Lock the device if we've been asked to. + */ + if (lockflag && !default_device) { + if (lock(devnam) < 0) + goto fail; + locked = 1; } - if (nonblock) { - initfdflags &= ~O_NONBLOCK; - fcntl(fd, F_SETFL, initfdflags); + + /* + * Open the serial device and set it up to be the ppp interface. + * First we open it in non-blocking mode so we can set the + * various termios flags appropriately. If we aren't dialling + * out and we want to use the modem lines, we reopen it later + * in order to wait for the carrier detect signal from the modem. + */ + while ((ttyfd = open(devnam, O_NONBLOCK | O_RDWR, 0)) < 0) { + if (errno != EINTR) + syslog(LOG_ERR, "Failed to open %s: %m", devnam); + if (!persist || errno != EINTR) + goto fail; } + if ((fdflags = fcntl(ttyfd, F_GETFL)) == -1 + || fcntl(ttyfd, F_SETFL, fdflags & ~O_NONBLOCK) < 0) + syslog(LOG_WARNING, + "Couldn't reset non-blocking mode on device: %m"); + hungup = 0; kill_link = 0; + /* + * Do the equivalent of `mesg n' to stop broadcast messages. + */ + if (fstat(ttyfd, &statbuf) < 0 + || fchmod(ttyfd, statbuf.st_mode & ~(S_IWGRP | S_IWOTH)) < 0) { + syslog(LOG_WARNING, + "Couldn't restrict write permissions to %s: %m", devnam); + } else + tty_mode = statbuf.st_mode; + /* run connection script */ if (connector && connector[0]) { MAINDEBUG((LOG_INFO, "Connecting with <%s>", connector)); /* set line speed, flow control, etc.; set CLOCAL for now */ - set_up_tty(fd, 1); + set_up_tty(ttyfd, 1); /* drop dtr to hang up in case modem is off hook */ if (!default_device && modem) { - setdtr(fd, FALSE); + setdtr(ttyfd, FALSE); sleep(1); - setdtr(fd, TRUE); + setdtr(ttyfd, TRUE); } - if (device_script(connector, fd, fd) < 0) { + if (device_script(connector, ttyfd, ttyfd) < 0) { syslog(LOG_ERR, "Connect script failed"); - setdtr(fd, FALSE); - die(1); + setdtr(ttyfd, FALSE); + goto fail; } syslog(LOG_INFO, "Serial connection established."); @@ -353,34 +474,47 @@ main(argc, argv) } /* set line speed, flow control, etc.; clear CLOCAL if modem option */ - set_up_tty(fd, 0); - - /* set up the serial device as a ppp interface */ - establish_ppp(); - - syslog(LOG_INFO, "Using interface ppp%d", ifunit); - (void) sprintf(ifname, "ppp%d", ifunit); + set_up_tty(ttyfd, 0); + + /* reopen tty if necessary to wait for carrier */ + if (connector == NULL && modem) { + while ((i = open(devnam, O_RDWR)) < 0) { + if (errno != EINTR) + syslog(LOG_ERR, "Failed to reopen %s: %m", devnam); + if (!persist || errno != EINTR) + goto fail; + } + close(i); + } - /* write pid to file */ - (void) sprintf(pidfilename, "%s%s.pid", _PATH_VARRUN, ifname); - if ((pidfile = fopen(pidfilename, "w")) != NULL) { - fprintf(pidfile, "%d\n", pid); - (void) fclose(pidfile); - } else { - syslog(LOG_ERR, "Failed to create pid file %s: %m", pidfilename); - pidfilename[0] = 0; + /* run welcome script, if any */ + if (welcomer && welcomer[0]) { + if (device_script(welcomer, ttyfd, ttyfd) < 0) + syslog(LOG_WARNING, "Welcome script failed"); } - /* - * Set device for non-blocking reads. - */ - if (fcntl(fd, F_SETFL, initfdflags | O_NONBLOCK) == -1) { - syslog(LOG_ERR, "Couldn't set device to non-blocking mode: %m"); - die(1); + /* set up the serial device as a ppp interface */ + establish_ppp(ttyfd); + + if (!demand) { + + syslog(LOG_INFO, "Using interface ppp%d", ifunit); + (void) sprintf(ifname, "ppp%d", ifunit); + + /* write pid to file */ + (void) sprintf(pidfilename, "%s%s.pid", _PATH_VARRUN, ifname); + if ((pidfile = fopen(pidfilename, "w")) != NULL) { + fprintf(pidfile, "%d\n", pid); + (void) fclose(pidfile); + } else { + syslog(LOG_ERR, "Failed to create pid file %s: %m", + pidfilename); + pidfilename[0] = 0; + } } - + /* - * Block all signals, start opening the connection, and wait for + * Start opening the connection and wait for * incoming events (reply, timeout, etc.). */ syslog(LOG_NOTICE, "Connect: %s <--> %s", ifname, devnam); @@ -391,13 +525,13 @@ main(argc, argv) calltimeout(); get_input(); if (kill_link) { - lcp_close(0); + lcp_close(0, "User request"); kill_link = 0; } if (open_ccp_flag) { if (phase == PHASE_NETWORK) { ccp_fsm[0].flags = OPT_RESTART; /* clears OPT_SILENT */ - ccp_open(0); + (*ccp_protent.open)(0); } open_ccp_flag = 0; } @@ -405,32 +539,78 @@ main(argc, argv) } /* + * If we may want to bring the link up again, transfer + * the ppp unit back to the loopback. Set the + * real serial device back to its normal mode of operation. + */ + clean_check(); + if (demand) + restore_loop(); + disestablish_ppp(ttyfd); + + /* * Run disconnector script, if requested. - * First we need to reset non-blocking mode. * XXX we may not be able to do this if the line has hung up! */ - if (initfdflags != -1 && fcntl(fd, F_SETFL, initfdflags) >= 0) - initfdflags = -1; - disestablish_ppp(); - if (disconnector) { - set_up_tty(fd, 1); - if (device_script(disconnector, fd, fd) < 0) { + if (disconnector && !hungup) { + set_up_tty(ttyfd, 1); + if (device_script(disconnector, ttyfd, ttyfd) < 0) { syslog(LOG_WARNING, "disconnect script failed"); } else { syslog(LOG_INFO, "Serial link disconnected."); } } - close_fd(); - if (unlink(pidfilename) < 0 && errno != ENOENT) - syslog(LOG_WARNING, "unable to delete pid file: %m"); - pidfilename[0] = 0; + fail: + if (ttyfd >= 0) + close_tty(); + if (locked) { + unlock(); + locked = 0; + } - } while (persist); + if (!demand) { + if (pidfilename[0] != 0 + && unlink(pidfilename) < 0 && errno != ENOENT) + syslog(LOG_WARNING, "unable to delete pid file: %m"); + pidfilename[0] = 0; + } + + if (!persist) + break; + + if (demand) + demand_discard(); + if (holdoff > 0 && need_holdoff) { + phase = PHASE_HOLDOFF; + TIMEOUT(holdoff_end, NULL, holdoff); + do { + wait_time(timeleft(&timo)); + calltimeout(); + if (kill_link) { + if (!persist) + die(0); + kill_link = 0; + phase = PHASE_DORMANT; /* allow signal to end holdoff */ + } + reap_kids(); + } while (phase == PHASE_HOLDOFF); + } + } die(0); + return 0; } +/* + * holdoff_end - called via a timeout when the holdoff period ends. + */ +static void +holdoff_end(arg) + void *arg; +{ + phase = PHASE_DORMANT; +} /* * get_input - called when incoming data is available. @@ -441,6 +621,7 @@ get_input() int len, i; u_char *p; u_short protocol; + struct protent *protp; p = inpacket_buf; /* point to beginning of packet buffer */ @@ -452,12 +633,12 @@ get_input() syslog(LOG_NOTICE, "Modem hangup"); hungup = 1; lcp_lowerdown(0); /* serial link is no longer available */ - phase = PHASE_DEAD; + link_terminated(0); return; } if (debug /*&& (debugflags & DBG_INPACKET)*/) - log_packet(p, len, "rcvd "); + log_packet(p, len, "rcvd ", LOG_DEBUG); if (len < PPP_HDRLEN) { MAINDEBUG((LOG_INFO, "io(): Received short packet.")); @@ -473,68 +654,44 @@ get_input() */ if (protocol != PPP_LCP && lcp_fsm[0].state != OPENED) { MAINDEBUG((LOG_INFO, - "io(): Received non-LCP packet when LCP not open.")); + "get_input: Received non-LCP packet when LCP not open.")); + return; + } + + /* + * Until we get past the authentication phase, toss all packets + * except LCP, LQR and authentication packets. + */ + if (phase <= PHASE_AUTHENTICATE + && !(protocol == PPP_LCP || protocol == PPP_LQR + || protocol == PPP_PAP || protocol == PPP_CHAP)) { + MAINDEBUG((LOG_INFO, "get_input: discarding proto 0x%x in phase %d", + protocol, phase)); return; } /* * Upcall the proper protocol input routine. */ - for (i = 0; i < sizeof (prottbl) / sizeof (struct protent); i++) { - if (prottbl[i].protocol == protocol) { - (*prottbl[i].input)(0, p, len); + for (i = 0; (protp = protocols[i]) != NULL; ++i) { + if (protp->protocol == protocol && protp->enabled_flag) { + (*protp->input)(0, p, len); return; } - if (protocol == (prottbl[i].protocol & ~0x8000) - && prottbl[i].datainput != NULL) { - (*prottbl[i].datainput)(0, p, len); + if (protocol == (protp->protocol & ~0x8000) && protp->enabled_flag + && protp->datainput != NULL) { + (*protp->datainput)(0, p, len); return; } } if (debug) - syslog(LOG_WARNING, "Unknown protocol (0x%x) received", protocol); + syslog(LOG_WARNING, "Unsupported protocol (0x%x) received", protocol); lcp_sprotrej(0, p - PPP_HDRLEN, len + PPP_HDRLEN); } /* - * demuxprotrej - Demultiplex a Protocol-Reject. - */ -void -demuxprotrej(unit, protocol) - int unit; - u_short protocol; -{ - int i; - - /* - * Upcall the proper Protocol-Reject routine. - */ - for (i = 0; i < sizeof (prottbl) / sizeof (struct protent); i++) - if (prottbl[i].protocol == protocol) { - (*prottbl[i].protrej)(unit); - return; - } - - syslog(LOG_WARNING, - "demuxprotrej: Unrecognized Protocol-Reject for protocol 0x%x", - protocol); -} - - -/* - * bad_signal - We've caught a fatal signal. Clean up state and exit. - */ -static void -bad_signal(sig) - int sig; -{ - syslog(LOG_ERR, "Fatal signal %d", sig); - die(1); -} - -/* * quit - Clean up state and exit (with an error indication). */ void @@ -550,7 +707,7 @@ void die(status) int status; { - cleanup(0, NULL); + cleanup(); syslog(LOG_INFO, "Exit."); exit(status); } @@ -559,49 +716,54 @@ die(status) * cleanup - restore anything which needs to be restored before we exit */ /* ARGSUSED */ -void -cleanup(status, arg) - int status; - caddr_t arg; +static void +cleanup() { - if (fd >= 0) - close_fd(); + sys_cleanup(); + + if (ttyfd >= 0) + close_tty(); if (pidfilename[0] != 0 && unlink(pidfilename) < 0 && errno != ENOENT) syslog(LOG_WARNING, "unable to delete pid file: %m"); pidfilename[0] = 0; - if (lockflag && !default_device) + if (locked) unlock(); } /* - * close_fd - restore the terminal device and close it. + * close_tty - restore the terminal device and close it. */ -void -close_fd() +static void +close_tty() { - disestablish_ppp(); + disestablish_ppp(ttyfd); /* drop dtr to hang up */ - if (modem) - setdtr(fd, FALSE); + if (modem) { + setdtr(ttyfd, FALSE); + /* + * This sleep is in case the serial port has CLOCAL set by default, + * and consequently will reassert DTR when we close the device. + */ + sleep(1); + } - if (initfdflags != -1 && fcntl(fd, F_SETFL, initfdflags) < 0) - syslog(LOG_WARNING, "Couldn't restore device fd flags: %m"); - initfdflags = -1; + restore_tty(ttyfd); - restore_tty(); + if (tty_mode != (mode_t) -1) + chmod(devnam, tty_mode); - close(fd); - fd = -1; + close(ttyfd); + ttyfd = -1; } struct callout { struct timeval c_time; /* time at which to call routine */ - caddr_t c_arg; /* argument to routine */ - void (*c_func)(); /* routine */ + void *c_arg; /* argument to routine */ + void (*c_func) __P((void *)); /* routine */ struct callout *c_next; }; @@ -616,8 +778,8 @@ static struct timeval timenow; /* Current time */ */ void timeout(func, arg, time) - void (*func)(); - caddr_t arg; + void (*func) __P((void *)); + void *arg; int time; { struct callout *newp, *p, **pp; @@ -656,12 +818,10 @@ timeout(func, arg, time) */ void untimeout(func, arg) - void (*func)(); - caddr_t arg; + void (*func) __P((void *)); + void *arg; { - struct itimerval itv; struct callout **copp, *freep; - int reschedule = 0; MAINDEBUG((LOG_DEBUG, "Untimeout %lx:%lx.", (long) func, (long) arg)); @@ -680,7 +840,7 @@ untimeout(func, arg) /* * calltimeout - Call any timeout routines which are now due. */ -void +static void calltimeout() { struct callout *p; @@ -708,7 +868,7 @@ calltimeout() /* * timeleft - return the length of time until the next timeout is due. */ -struct timeval * +static struct timeval * timeleft(tvp) struct timeval *tvp; { @@ -727,7 +887,24 @@ timeleft(tvp) return tvp; } - + + +/* + * kill_my_pg - send a signal to our process group, and ignore it ourselves. + */ +static void +kill_my_pg(sig) + int sig; +{ + struct sigaction act, oldact; + + act.sa_handler = SIG_IGN; + act.sa_flags = 0; + kill(0, sig); + sigaction(sig, &act, &oldact); + sigaction(sig, &oldact, NULL); +} + /* * hup - Catch SIGHUP signal. @@ -742,6 +919,9 @@ hup(sig) { syslog(LOG_INFO, "Hangup (SIGHUP)"); kill_link = 1; + if (conn_running) + /* Send the signal to the [dis]connector process(es) also */ + kill_my_pg(sig); } @@ -758,6 +938,9 @@ term(sig) syslog(LOG_INFO, "Terminating on signal %d.", sig); persist = 0; /* don't try to restart */ kill_link = 1; + if (conn_running) + /* Send the signal to the [dis]connector process(es) also */ + kill_my_pg(sig); } @@ -784,7 +967,11 @@ toggle_debug(sig) int sig; { debug = !debug; - note_debug_level(); + if (debug) { + setlogmask(LOG_UPTO(LOG_DEBUG)); + } else { + setlogmask(LOG_UPTO(LOG_WARNING)); + } } @@ -803,10 +990,24 @@ open_ccp(sig) /* + * bad_signal - We've caught a fatal signal. Clean up state and exit. + */ +static void +bad_signal(sig) + int sig; +{ + syslog(LOG_ERR, "Fatal signal %d", sig); + if (conn_running) + kill_my_pg(SIGTERM); + die(1); +} + + +/* * device_script - run a program to connect or disconnect the * serial device. */ -int +static int device_script(program, in, out) char *program; int in, out; @@ -815,19 +1016,44 @@ device_script(program, in, out) int status; int errfd; + conn_running = 1; pid = fork(); if (pid < 0) { + conn_running = 0; syslog(LOG_ERR, "Failed to create child process: %m"); die(1); } if (pid == 0) { - dup2(in, 0); - dup2(out, 1); - errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0644); - if (errfd >= 0) - dup2(errfd, 2); + sys_close(); + closelog(); + if (in == out) { + if (in != 0) { + dup2(in, 0); + close(in); + } + dup2(0, 1); + } else { + if (out == 0) + out = dup(out); + if (in != 0) { + dup2(in, 0); + close(in); + } + if (out != 1) { + dup2(out, 1); + close(out); + } + } + if (redirect_stderr) { + close(2); + errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0644); + if (errfd >= 0 && errfd != 2) { + dup2(errfd, 2); + close(errfd); + } + } setuid(getuid()); setgid(getgid()); execl("/bin/sh", "sh", "-c", program, (char *)0); @@ -842,6 +1068,7 @@ device_script(program, in, out) syslog(LOG_ERR, "error waiting for (dis)connection process: %m"); die(1); } + conn_running = 0; return (status == 0 ? 0 : -1); } @@ -878,11 +1105,12 @@ run_program(prog, args, must_exist) setgid(getegid()); /* Ensure that nothing of our device environment is inherited. */ + sys_close(); + closelog(); close (0); close (1); close (2); - close (fd); /* tty interface to the ppp device */ - /* XXX should call sysdep cleanup procedure here */ + close (ttyfd); /* tty interface to the ppp device */ /* Don't pass handles to the PPP device, even by accident. */ new_fd = open (_PATH_DEVNULL, O_RDWR); @@ -920,7 +1148,7 @@ run_program(prog, args, must_exist) * reap_kids - get status from any dead child processes, * and log a message for abnormal terminations. */ -void +static void reap_kids() { int pid, status; @@ -950,16 +1178,17 @@ char line[256]; /* line to be logged accumulated here */ char *linep; void -log_packet(p, len, prefix) +log_packet(p, len, prefix, level) u_char *p; int len; char *prefix; + int level; { strcpy(line, prefix); linep = line + strlen(line); format_packet(p, len, pr_log, NULL); if (linep != line) - syslog(LOG_DEBUG, "%s", line); + syslog(level, "%s", line); } /* @@ -976,17 +1205,18 @@ format_packet(p, len, printer, arg) int i, n; u_short proto; u_char x; + struct protent *protp; if (len >= PPP_HDRLEN && p[0] == PPP_ALLSTATIONS && p[1] == PPP_UI) { p += 2; GETSHORT(proto, p); len -= PPP_HDRLEN; - for (i = 0; i < N_PROTO; ++i) - if (proto == prottbl[i].protocol) + for (i = 0; (protp = protocols[i]) != NULL; ++i) + if (proto == protp->protocol) break; - if (i < N_PROTO) { - printer(arg, "[%s", prottbl[i].name); - n = (*prottbl[i].printpkt)(p, len, printer, arg); + if (protp != NULL) { + printer(arg, "[%s", protp->name); + n = (*protp->printpkt)(p, len, printer, arg); printer(arg, "]"); p += n; len -= n; @@ -1001,43 +1231,23 @@ format_packet(p, len, printer, arg) } } -#ifdef __STDC__ -#include <stdarg.h> - -void -pr_log(void *arg, char *fmt, ...) +static void +pr_log __V((void *arg, char *fmt, ...)) { int n; va_list pvar; char buf[256]; +#if __STDC__ va_start(pvar, fmt); - vsprintf(buf, fmt, pvar); - va_end(pvar); - - n = strlen(buf); - if (linep + n + 1 > line + sizeof(line)) { - syslog(LOG_DEBUG, "%s", line); - linep = line; - } - strcpy(linep, buf); - linep += n; -} - -#else /* __STDC__ */ -#include <varargs.h> - -void -pr_log(arg, fmt, va_alist) -void *arg; -char *fmt; -va_dcl -{ - int n; - va_list pvar; - char buf[256]; - +#else + void *arg; + char *fmt; va_start(pvar); + arg = va_arg(pvar, void *); + fmt = va_arg(pvar, char *); +#endif + vsprintf(buf, fmt, pvar); va_end(pvar); @@ -1049,7 +1259,6 @@ va_dcl strcpy(linep, buf); linep += n; } -#endif /* * print_string - print a readable representation of a string using @@ -1067,10 +1276,25 @@ print_string(p, len, printer, arg) printer(arg, "\""); for (; len > 0; --len) { c = *p++; - if (' ' <= c && c <= '~') + if (' ' <= c && c <= '~') { + if (c == '\\' || c == '"') + printer(arg, "\\"); printer(arg, "%c", c); - else - printer(arg, "\\%.3o", c); + } else { + switch (c) { + case '\n': + printer(arg, "\\n"); + break; + case '\r': + printer(arg, "\\r"); + break; + case '\t': + printer(arg, "\\t"); + break; + default: + printer(arg, "\\%.3o", c); + } + } } printer(arg, "\""); } @@ -1085,3 +1309,252 @@ novm(msg) syslog(LOG_ERR, "Virtual memory exhausted allocating %s\n", msg); die(1); } + +/* + * fmtmsg - format a message into a buffer. Like sprintf except we + * also specify the length of the output buffer, and we handle + * %r (recursive format), %m (error message) and %I (IP address) formats. + * Doesn't do floating-point formats. + * Returns the number of chars put into buf. + */ +int +fmtmsg __V((char *buf, int buflen, char *fmt, ...)) +{ + va_list args; + int n; + +#if __STDC__ + va_start(args, fmt); +#else + char *buf; + int buflen; + char *fmt; + va_start(args); + buf = va_arg(args, char *); + buflen = va_arg(args, int); + fmt = va_arg(args, char *); +#endif + n = vfmtmsg(buf, buflen, fmt, args); + va_end(args); + return n; +} + +/* + * vfmtmsg - like fmtmsg, takes a va_list instead of a list of args. + */ +#define OUTCHAR(c) (buflen > 0? (--buflen, *buf++ = (c)): 0) + +int +vfmtmsg(buf, buflen, fmt, args) + char *buf; + int buflen; + char *fmt; + va_list args; +{ + int c, i, n; + int width, prec, fillch; + int base, len, neg, quoted; + unsigned long val = 0; + char *str, *f, *buf0; + unsigned char *p; + char num[32]; + time_t t; + static char hexchars[] = "0123456789abcdef"; + + buf0 = buf; + --buflen; + while (buflen > 0) { + for (f = fmt; *f != '%' && *f != 0; ++f) + ; + if (f > fmt) { + len = f - fmt; + if (len > buflen) + len = buflen; + memcpy(buf, fmt, len); + buf += len; + buflen -= len; + fmt = f; + } + if (*fmt == 0) + break; + c = *++fmt; + width = prec = 0; + fillch = ' '; + if (c == '0') { + fillch = '0'; + c = *++fmt; + } + if (c == '*') { + width = va_arg(args, int); + c = *++fmt; + } else { + while (isdigit(c)) { + width = width * 10 + c - '0'; + c = *++fmt; + } + } + if (c == '.') { + c = *++fmt; + if (c == '*') { + prec = va_arg(args, int); + c = *++fmt; + } else { + while (isdigit(c)) { + prec = prec * 10 + c - '0'; + c = *++fmt; + } + } + } + str = 0; + base = 0; + neg = 0; + ++fmt; + switch (c) { + case 'd': + i = va_arg(args, int); + if (i < 0) { + neg = 1; + val = -i; + } else + val = i; + base = 10; + break; + case 'o': + val = va_arg(args, unsigned int); + base = 8; + break; + case 'x': + val = va_arg(args, unsigned int); + base = 16; + break; + case 'p': + val = (unsigned long) va_arg(args, void *); + base = 16; + neg = 2; + break; + case 's': + str = va_arg(args, char *); + break; + case 'c': + num[0] = va_arg(args, int); + num[1] = 0; + str = num; + break; + case 'm': + str = strerror(errno); + break; + case 'I': + str = ip_ntoa(va_arg(args, u_int32_t)); + break; + case 'r': + f = va_arg(args, char *); +#ifndef __powerpc__ + n = vfmtmsg(buf, buflen + 1, f, va_arg(args, va_list)); +#else + /* On the powerpc, a va_list is an array of 1 structure */ + n = vfmtmsg(buf, buflen + 1, f, va_arg(args, void *)); +#endif + buf += n; + buflen -= n; + continue; + case 't': + time(&t); + str = ctime(&t); + str += 4; /* chop off the day name */ + str[15] = 0; /* chop off year and newline */ + break; + case 'v': /* "visible" string */ + case 'q': /* quoted string */ + quoted = c == 'q'; + p = va_arg(args, unsigned char *); + if (fillch == '0' && prec > 0) { + n = prec; + } else { + n = strlen((char *)p); + if (prec > 0 && prec < n) + n = prec; + } + while (n > 0 && buflen > 0) { + c = *p++; + --n; + if (!quoted && c >= 0x80) { + OUTCHAR('M'); + OUTCHAR('-'); + c -= 0x80; + } + if (quoted && (c == '"' || c == '\\')) + OUTCHAR('\\'); + if (c < 0x20 || (0x7f <= c && c < 0xa0)) { + if (quoted) { + OUTCHAR('\\'); + switch (c) { + case '\t': OUTCHAR('t'); break; + case '\n': OUTCHAR('n'); break; + case '\b': OUTCHAR('b'); break; + case '\f': OUTCHAR('f'); break; + default: + OUTCHAR('x'); + OUTCHAR(hexchars[c >> 4]); + OUTCHAR(hexchars[c & 0xf]); + } + } else { + if (c == '\t') + OUTCHAR(c); + else { + OUTCHAR('^'); + OUTCHAR(c ^ 0x40); + } + } + } else + OUTCHAR(c); + } + continue; + default: + *buf++ = '%'; + if (c != '%') + --fmt; /* so %z outputs %z etc. */ + --buflen; + continue; + } + if (base != 0) { + str = num + sizeof(num); + *--str = 0; + while (str > num + neg) { + *--str = hexchars[val % base]; + val = val / base; + if (--prec <= 0 && val == 0) + break; + } + switch (neg) { + case 1: + *--str = '-'; + break; + case 2: + *--str = 'x'; + *--str = '0'; + break; + } + len = num + sizeof(num) - 1 - str; + } else { + len = strlen(str); + if (prec > 0 && len > prec) + len = prec; + } + if (width > 0) { + if (width > buflen) + width = buflen; + if ((n = width - len) > 0) { + buflen -= n; + for (; n > 0; --n) + *buf++ = fillch; + } + } + if (len > buflen) + len = buflen; + memcpy(buf, str, len); + buf += len; + buflen -= len; + } + *buf = 0; + return buf - buf0; +} diff --git a/usr.sbin/pppd/options.c b/usr.sbin/pppd/options.c index d6f89e2ab097..db132afd0709 100644 --- a/usr.sbin/pppd/options.c +++ b/usr.sbin/pppd/options.c @@ -18,9 +18,10 @@ */ #ifndef lint -static char rcsid[] = "$Id: options.c,v 1.24 1995/08/16 01:39:35 paulus Exp $"; +static char rcsid[] = "$Id: options.c,v 1.38 1997/04/30 05:55:54 paulus Exp $"; #endif +#include <ctype.h> #include <stdio.h> #include <errno.h> #include <unistd.h> @@ -34,6 +35,11 @@ static char rcsid[] = "$Id: options.c,v 1.24 1995/08/16 01:39:35 paulus Exp $"; #include <sys/types.h> #include <sys/stat.h> #include <netinet/in.h> +#include <arpa/inet.h> +#ifdef PPP_FILTER +#include <pcap.h> +#include <pcap-int.h> /* XXX: To get struct pcap */ +#endif #include "pppd.h" #include "pathnames.h" @@ -44,6 +50,13 @@ static char rcsid[] = "$Id: options.c,v 1.24 1995/08/16 01:39:35 paulus Exp $"; #include "upap.h" #include "chap.h" #include "ccp.h" +#ifdef CBCP_SUPPORT +#include "cbcp.h" +#endif + +#ifdef IPX_CHANGE +#include "ipxcp.h" +#endif /* IPX_CHANGE */ #include <net/ppp-comp.h> @@ -61,6 +74,9 @@ char *strdup __P((char *)); /* * Option variables and default values. */ +#ifdef PPP_FILTER +int dflag = 0; /* Tell libpcap we want debugging */ +#endif int debug = 0; /* Debug flag */ int kdebugflag = 0; /* Tell kernel to print debug messages */ int default_device = 1; /* Using /dev/tty or equivalent */ @@ -73,6 +89,8 @@ int lockflag = 0; /* Create lock file to lock the serial dev */ int nodetach = 0; /* Don't detach from controlling tty */ char *connector = NULL; /* Script to establish physical link */ char *disconnector = NULL; /* Script to disestablish physical link */ +char *welcomer = NULL; /* Script to run after phys link estab. */ +int maxconnect = 0; /* Maximum connect time */ char user[MAXNAMELEN]; /* Username for PAP */ char passwd[MAXSECRETLEN]; /* Password for PAP */ int auth_required = 0; /* Peer is required to authenticate */ @@ -84,67 +102,96 @@ int lcp_echo_interval = 0; /* Interval between LCP echo-requests */ int lcp_echo_fails = 0; /* Tolerance to unanswered echo-requests */ char our_name[MAXNAMELEN]; /* Our name for authentication purposes */ char remote_name[MAXNAMELEN]; /* Peer's name for authentication */ +int explicit_remote = 0; /* User specified explicit remote name */ int usehostname = 0; /* Use hostname for our_name */ int disable_defaultip = 0; /* Don't use hostname for default IP adrs */ +int demand = 0; /* do dial-on-demand */ char *ipparam = NULL; /* Extra parameter for ip up/down scripts */ int cryptpap; /* Passwords in pap-secrets are encrypted */ +int idle_time_limit = 0; /* Disconnect if idle for this many seconds */ +int holdoff = 30; /* # seconds to pause before reconnecting */ +int refuse_pap = 0; /* Set to say we won't do PAP */ +int refuse_chap = 0; /* Set to say we won't do CHAP */ + +#ifdef MSLANMAN +int ms_lanman = 0; /* Nonzero if use LanMan password instead of NT */ + /* Has meaning only with MS-CHAP challenges */ +#endif -#ifdef _linux_ -int idle_time_limit = 0; -static int setidle __P((char **)); +struct option_info auth_req_info; +struct option_info connector_info; +struct option_info disconnector_info; +struct option_info welcomer_info; +struct option_info devnam_info; +#ifdef PPP_FILTER +struct bpf_program pass_filter;/* Filter program for packets to pass */ +struct bpf_program active_filter; /* Filter program for link-active pkts */ +pcap_t pc; /* Fake struct pcap so we can compile expr */ #endif /* * Prototypes */ -static int setdebug __P((void)); +static int setdevname __P((char *, int)); +static int setipaddr __P((char *)); +static int setspeed __P((char *)); +static int setdebug __P((char **)); static int setkdebug __P((char **)); -static int setpassive __P((void)); -static int setsilent __P((void)); -static int noopt __P((void)); -static int setnovj __P((void)); -static int setnovjccomp __P((void)); +static int setpassive __P((char **)); +static int setsilent __P((char **)); +static int noopt __P((char **)); +static int setnovj __P((char **)); +static int setnovjccomp __P((char **)); static int setvjslots __P((char **)); -static int reqpap __P((void)); -static int nopap __P((void)); +static int reqpap __P((char **)); +static int nopap __P((char **)); +#ifdef OLD_OPTIONS static int setupapfile __P((char **)); -static int nochap __P((void)); -static int reqchap __P((void)); -static int setspeed __P((char *)); -static int noaccomp __P((void)); -static int noasyncmap __P((void)); -static int noipaddr __P((void)); -static int nomagicnumber __P((void)); +#endif +static int nochap __P((char **)); +static int reqchap __P((char **)); +static int noaccomp __P((char **)); +static int noasyncmap __P((char **)); +static int noip __P((char **)); +static int nomagicnumber __P((char **)); static int setasyncmap __P((char **)); static int setescape __P((char **)); static int setmru __P((char **)); static int setmtu __P((char **)); -static int nomru __P((void)); -static int nopcomp __P((void)); +#ifdef CBCP_SUPPORT +static int setcbcp __P((char *)); +#endif +static int nomru __P((char **)); +static int nopcomp __P((char **)); static int setconnector __P((char **)); static int setdisconnector __P((char **)); +static int setwelcomer __P((char **)); +static int setmaxconnect __P((char **)); static int setdomain __P((char **)); static int setnetmask __P((char **)); -static int setcrtscts __P((void)); -static int setnocrtscts __P((void)); -static int setxonxoff __P((void)); -static int setnodetach __P((void)); -static int setmodem __P((void)); -static int setlocal __P((void)); -static int setlock __P((void)); +static int setcrtscts __P((char **)); +static int setnocrtscts __P((char **)); +static int setxonxoff __P((char **)); +static int setnodetach __P((char **)); +static int setmodem __P((char **)); +static int setlocal __P((char **)); +static int setlock __P((char **)); static int setname __P((char **)); static int setuser __P((char **)); static int setremote __P((char **)); -static int setauth __P((void)); +static int setauth __P((char **)); +static int setnoauth __P((char **)); static int readfile __P((char **)); -static int setdefaultroute __P((void)); -static int setnodefaultroute __P((void)); -static int setproxyarp __P((void)); -static int setnoproxyarp __P((void)); -static int setpersist __P((void)); -static int setdologin __P((void)); -static int setusehostname __P((void)); -static int setnoipdflt __P((void)); +static int callfile __P((char **)); +static int setdefaultroute __P((char **)); +static int setnodefaultroute __P((char **)); +static int setproxyarp __P((char **)); +static int setnoproxyarp __P((char **)); +static int setpersist __P((char **)); +static int setnopersist __P((char **)); +static int setdologin __P((char **)); +static int setusehostname __P((char **)); +static int setnoipdflt __P((char **)); static int setlcptimeout __P((char **)); static int setlcpterm __P((char **)); static int setlcpconf __P((char **)); @@ -159,52 +206,107 @@ static int setpapreqtime __P((char **)); static int setchaptimeout __P((char **)); static int setchapchal __P((char **)); static int setchapintv __P((char **)); -static int setipcpaccl __P((void)); -static int setipcpaccr __P((void)); +static int setipcpaccl __P((char **)); +static int setipcpaccr __P((char **)); static int setlcpechointv __P((char **)); static int setlcpechofails __P((char **)); +static int noccp __P((char **)); static int setbsdcomp __P((char **)); -static int setnobsdcomp __P((void)); +static int setnobsdcomp __P((char **)); +static int setdeflate __P((char **)); +static int setnodeflate __P((char **)); +static int setdemand __P((char **)); +static int setpred1comp __P((char **)); +static int setnopred1comp __P((char **)); static int setipparam __P((char **)); -static int setpapcrypt __P((void)); +static int setpapcrypt __P((char **)); +static int setidle __P((char **)); +static int setholdoff __P((char **)); +static int setdnsaddr __P((char **)); +static int resetipxproto __P((char **)); +static int setwinsaddr __P((char **)); +static int showversion __P((char **)); +static int showhelp __P((char **)); + +#ifdef PPP_FILTER +static int setpdebug __P((char **)); +static int setpassfilter __P((char **)); +static int setactivefilter __P((char **)); +#endif + +#ifdef IPX_CHANGE +static int setipxproto __P((char **)); +static int setipxanet __P((char **)); +static int setipxalcl __P((char **)); +static int setipxarmt __P((char **)); +static int setipxnetwork __P((char **)); +static int setipxnode __P((char **)); +static int setipxrouter __P((char **)); +static int setipxname __P((char **)); +static int setipxcptimeout __P((char **)); +static int setipxcpterm __P((char **)); +static int setipxcpconf __P((char **)); +static int setipxcpfails __P((char **)); +#endif /* IPX_CHANGE */ + +#ifdef MSLANMAN +static int setmslanman __P((void)); +#endif static int number_option __P((char *, u_int32_t *, int)); +static int int_option __P((char *, int *)); static int readable __P((int fd)); -void usage(); - /* * Valid arguments. */ static struct cmd { char *cmd_name; int num_args; - int (*cmd_func)(); + int (*cmd_func) __P((char **)); } cmds[] = { - {"-all", 0, noopt}, /* Don't request/allow any options */ + {"-all", 0, noopt}, /* Don't request/allow any options (useless) */ + {"noaccomp", 0, noaccomp}, /* Disable Address/Control compression */ {"-ac", 0, noaccomp}, /* Disable Address/Control compress */ + {"default-asyncmap", 0, noasyncmap}, /* Disable asyncmap negoatiation */ {"-am", 0, noasyncmap}, /* Disable asyncmap negotiation */ {"-as", 1, setasyncmap}, /* set the desired async map */ {"-d", 0, setdebug}, /* Increase debugging level */ + {"nodetach", 0, setnodetach}, /* Don't detach from controlling tty */ {"-detach", 0, setnodetach}, /* don't fork */ - {"-ip", 0, noipaddr}, /* Disable IP address negotiation */ + {"noip", 0, noip}, /* Disable IP and IPCP */ + {"-ip", 0, noip}, /* Disable IP and IPCP */ + {"nomagic", 0, nomagicnumber}, /* Disable magic number negotiation */ {"-mn", 0, nomagicnumber}, /* Disable magic number negotiation */ + {"default-mru", 0, nomru}, /* Disable MRU negotiation */ {"-mru", 0, nomru}, /* Disable mru negotiation */ {"-p", 0, setpassive}, /* Set passive mode */ + {"nopcomp", 0, nopcomp}, /* Disable protocol field compression */ {"-pc", 0, nopcomp}, /* Disable protocol field compress */ +#if OLD_OPTIONS {"+ua", 1, setupapfile}, /* Get PAP user and password from file */ +#endif + {"require-pap", 0, reqpap}, /* Require PAP authentication from peer */ {"+pap", 0, reqpap}, /* Require PAP auth from peer */ + {"refuse-pap", 0, nopap}, /* Don't agree to auth to peer with PAP */ {"-pap", 0, nopap}, /* Don't allow UPAP authentication with peer */ + {"require-chap", 0, reqchap}, /* Require CHAP authentication from peer */ {"+chap", 0, reqchap}, /* Require CHAP authentication from peer */ + {"refuse-chap", 0, nochap}, /* Don't agree to auth to peer with CHAP */ {"-chap", 0, nochap}, /* Don't allow CHAP authentication with peer */ + {"novj", 0, setnovj}, /* Disable VJ compression */ {"-vj", 0, setnovj}, /* disable VJ compression */ + {"novjccomp", 0, setnovjccomp}, /* disable VJ connection-ID compression */ {"-vjccomp", 0, setnovjccomp}, /* disable VJ connection-ID compression */ {"vj-max-slots", 1, setvjslots}, /* Set maximum VJ header slots */ {"asyncmap", 1, setasyncmap}, /* set the desired async map */ {"escape", 1, setescape}, /* set chars to escape on transmission */ {"connect", 1, setconnector}, /* A program to set up a connection */ {"disconnect", 1, setdisconnector}, /* program to disconnect serial dev. */ + {"welcome", 1, setwelcomer},/* Script to welcome client */ + {"maxconnect", 1, setmaxconnect}, /* specify a maximum connect time */ {"crtscts", 0, setcrtscts}, /* set h/w flow control */ + {"nocrtscts", 0, setnocrtscts}, /* clear h/w flow control */ {"-crtscts", 0, setnocrtscts}, /* clear h/w flow control */ {"xonxoff", 0, setxonxoff}, /* set s/w flow control */ {"debug", 0, setdebug}, /* Increase debugging level */ @@ -212,6 +314,9 @@ static struct cmd { {"domain", 1, setdomain}, /* Add given domain name to hostname*/ {"mru", 1, setmru}, /* Set MRU value for negotiation */ {"mtu", 1, setmtu}, /* Set our MTU */ +#ifdef CBCP_SUPPORT + {"callback", 1, setcbcp}, /* Ask for callback */ +#endif {"netmask", 1, setnetmask}, /* set netmask */ {"passive", 0, setpassive}, /* Set passive mode */ {"silent", 0, setsilent}, /* Set silent mode */ @@ -219,16 +324,22 @@ static struct cmd { {"local", 0, setlocal}, /* Don't use modem control lines */ {"lock", 0, setlock}, /* Lock serial device (with lock file) */ {"name", 1, setname}, /* Set local name for authentication */ - {"user", 1, setuser}, /* Set username for PAP auth with peer */ + {"user", 1, setuser}, /* Set name for auth with peer */ {"usehostname", 0, setusehostname}, /* Must use hostname for auth. */ {"remotename", 1, setremote}, /* Set remote name for authentication */ {"auth", 0, setauth}, /* Require authentication from peer */ + {"noauth", 0, setnoauth}, /* Don't require peer to authenticate */ {"file", 1, readfile}, /* Take options from a file */ + {"call", 1, callfile}, /* Take options from a privileged file */ {"defaultroute", 0, setdefaultroute}, /* Add default route */ + {"nodefaultroute", 0, setnodefaultroute}, /* disable defaultroute option */ {"-defaultroute", 0, setnodefaultroute}, /* disable defaultroute option */ {"proxyarp", 0, setproxyarp}, /* Add proxy ARP entry */ + {"noproxyarp", 0, setnoproxyarp}, /* disable proxyarp option */ {"-proxyarp", 0, setnoproxyarp}, /* disable proxyarp option */ {"persist", 0, setpersist}, /* Keep on reopening connection after close */ + {"nopersist", 0, setnopersist}, /* Turn off persist option */ + {"demand", 0, setdemand}, /* Dial on demand */ {"login", 0, setdologin}, /* Use system password database for UPAP */ {"noipdefault", 0, setnoipdflt}, /* Don't use name for default IP adrs */ {"lcp-echo-failure", 1, setlcpechofails}, /* consecutive echo failures */ @@ -249,13 +360,58 @@ static struct cmd { {"chap-interval", 1, setchapintv}, /* Set interval for rechallenge */ {"ipcp-accept-local", 0, setipcpaccl}, /* Accept peer's address for us */ {"ipcp-accept-remote", 0, setipcpaccr}, /* Accept peer's address for it */ + {"noccp", 0, noccp}, /* Disable CCP negotiation */ + {"-ccp", 0, noccp}, /* Disable CCP negotiation */ {"bsdcomp", 1, setbsdcomp}, /* request BSD-Compress */ + {"nobsdcomp", 0, setnobsdcomp}, /* don't allow BSD-Compress */ {"-bsdcomp", 0, setnobsdcomp}, /* don't allow BSD-Compress */ + {"deflate", 1, setdeflate}, /* request Deflate compression */ + {"nodeflate", 0, setnodeflate}, /* don't allow Deflate compression */ + {"-deflate", 0, setnodeflate}, /* don't allow Deflate compression */ + {"predictor1", 0, setpred1comp}, /* request Predictor-1 */ + {"nopredictor1", 0, setnopred1comp},/* don't allow Predictor-1 */ + {"-predictor1", 0, setnopred1comp}, /* don't allow Predictor-1 */ {"ipparam", 1, setipparam}, /* set ip script parameter */ {"papcrypt", 0, setpapcrypt}, /* PAP passwords encrypted */ -#ifdef _linux_ - {"idle-disconnect", 1, setidle}, /* seconds for disconnect of idle IP */ + {"idle", 1, setidle}, /* idle time limit (seconds) */ + {"holdoff", 1, setholdoff}, /* set holdoff time (seconds) */ + {"ms-dns", 1, setdnsaddr}, /* DNS address for the peer's use */ + {"ms-wins", 1, setwinsaddr}, /* Nameserver for SMB over TCP/IP for peer */ + {"noipx", 0, resetipxproto}, /* Disable IPXCP (and IPX) */ + {"-ipx", 0, resetipxproto}, /* Disable IPXCP (and IPX) */ + {"--version", 0, showversion}, /* Show version number */ + {"--help", 0, showhelp}, /* Show brief listing of options */ + {"-h", 0, showhelp}, /* ditto */ + +#ifdef PPP_FILTER + {"pdebug", 1, setpdebug}, /* libpcap debugging */ + {"pass-filter", 1, setpassfilter}, /* set filter for packets to pass */ + {"active-filter", 1, setactivefilter}, /* set filter for active pkts */ +#endif + +#ifdef IPX_CHANGE + {"ipx-network", 1, setipxnetwork}, /* IPX network number */ + {"ipxcp-accept-network", 0, setipxanet}, /* Accept peer netowrk */ + {"ipx-node", 1, setipxnode}, /* IPX node number */ + {"ipxcp-accept-local", 0, setipxalcl}, /* Accept our address */ + {"ipxcp-accept-remote", 0, setipxarmt}, /* Accept peer's address */ + {"ipx-routing", 1, setipxrouter}, /* IPX routing proto number */ + {"ipx-router-name", 1, setipxname}, /* IPX router name */ + {"ipxcp-restart", 1, setipxcptimeout}, /* Set timeout for IPXCP */ + {"ipxcp-max-terminate", 1, setipxcpterm}, /* max #xmits for term-reqs */ + {"ipxcp-max-configure", 1, setipxcpconf}, /* max #xmits for conf-reqs */ + {"ipxcp-max-failure", 1, setipxcpfails}, /* max #conf-naks for IPXCP */ +#if 0 + {"ipx-compression", 1, setipxcompression}, /* IPX compression number */ #endif + {"ipx", 0, setipxproto}, /* Enable IPXCP (and IPX) */ + {"+ipx", 0, setipxproto}, /* Enable IPXCP (and IPX) */ +#endif /* IPX_CHANGE */ + +#ifdef MSLANMAN + {"ms-lanman", 0, setmslanman}, /* Use LanMan psswd when using MS-CHAP */ +#endif + {NULL, 0, NULL} }; @@ -266,7 +422,7 @@ static struct cmd { static char *usage_string = "\ pppd version %s patch level %d%s\n\ -Usage: %s [ arguments ], where arguments are:\n\ +Usage: %s [ options ], where options are:\n\ <device> Communicate over the named device\n\ <speed> Set the baud rate to <speed>\n\ <loc>:<rem> Set the local and/or remote interface IP\n\ @@ -279,24 +435,27 @@ Usage: %s [ arguments ], where arguments are:\n\ file <f> Take options from file <f>\n\ modem Use modem control lines\n\ mru <n> Set MRU value to <n> for negotiation\n\ - netmask <n> Set interface netmask to <n>\n\ See pppd(8) for more options.\n\ "; +static char *current_option; /* the name of the option being parsed */ +static int privileged_option; /* set iff the current option came from root */ +static char *option_source; /* string saying where the option came from */ /* - * parse_args - parse a string of arguments, from the command - * line or from a file. + * parse_args - parse a string of arguments from the command line. */ int parse_args(argc, argv) int argc; char **argv; { - char *arg, *val; + char *arg; struct cmd *cmdp; int ret; + privileged_option = privileged; + option_source = "command line"; while (argc > 0) { arg = *argv++; --argc; @@ -310,9 +469,10 @@ parse_args(argc, argv) if (cmdp->cmd_name != NULL) { if (argc < cmdp->num_args) { - fprintf(stderr, "Too few parameters for command %s\n", arg); + option_error("too few parameters for option %s", arg); return 0; } + current_option = arg; if (!(*cmdp->cmd_func)(argv)) return 0; argc -= cmdp->num_args; @@ -322,10 +482,10 @@ parse_args(argc, argv) /* * Maybe a tty name, speed or IP address? */ - if ((ret = setdevname(arg)) == 0 + if ((ret = setdevname(arg, 0)) == 0 && (ret = setspeed(arg)) == 0 && (ret = setipaddr(arg)) == 0) { - fprintf(stderr, "%s: unrecognized command\n", arg); + option_error("unrecognized option '%s'", arg); usage(); return 0; } @@ -337,13 +497,75 @@ parse_args(argc, argv) } /* + * scan_args - scan the command line arguments to get the tty name, + * if specified. + */ +void +scan_args(argc, argv) + int argc; + char **argv; +{ + char *arg; + struct cmd *cmdp; + + while (argc > 0) { + arg = *argv++; + --argc; + + /* Skip options and their arguments */ + for (cmdp = cmds; cmdp->cmd_name; cmdp++) + if (!strcmp(arg, cmdp->cmd_name)) + break; + + if (cmdp->cmd_name != NULL) { + argc -= cmdp->num_args; + argv += cmdp->num_args; + continue; + } + + /* Check if it's a tty name and copy it if so */ + (void) setdevname(arg, 1); + } +} + +/* * usage - print out a message telling how to use the program. */ void usage() { - fprintf(stderr, usage_string, VERSION, PATCHLEVEL, IMPLEMENTATION, - progname); + if (phase == PHASE_INITIALIZE) + fprintf(stderr, usage_string, VERSION, PATCHLEVEL, IMPLEMENTATION, + progname); +} + +/* + * showhelp - print out usage message and exit. + */ +static int +showhelp(argv) + char **argv; +{ + if (phase == PHASE_INITIALIZE) { + usage(); + exit(0); + } + return 0; +} + +/* + * showversion - print out the version number and exit. + */ +static int +showversion(argv) + char **argv; +{ + if (phase == PHASE_INITIALIZE) { + fprintf(stderr, "pppd version %s patch level %d%s\n", + VERSION, PATCHLEVEL, IMPLEMENTATION); + exit(0); + } + return 0; } /* @@ -351,14 +573,16 @@ usage() * and interpret them. */ int -options_from_file(filename, must_exist, check_prot) +options_from_file(filename, must_exist, check_prot, priv) char *filename; int must_exist; int check_prot; + int priv; { FILE *f; int i, newline, ret; struct cmd *cmdp; + int oldpriv; char *argv[MAXARGS]; char args[MAXARGS][MAXWORDLEN]; char cmd[MAXWORDLEN]; @@ -366,15 +590,18 @@ options_from_file(filename, must_exist, check_prot) if ((f = fopen(filename, "r")) == NULL) { if (!must_exist && errno == ENOENT) return 1; - perror(filename); + option_error("Can't open options file %s: %m", filename); return 0; } if (check_prot && !readable(fileno(f))) { - fprintf(stderr, "%s: access denied\n", filename); + option_error("Can't open options file %s: access denied", filename); fclose(f); return 0; } + oldpriv = privileged_option; + privileged_option = priv; + ret = 0; while (getword(f, cmd, &newline, filename)) { /* * First see if it's a command. @@ -386,36 +613,38 @@ options_from_file(filename, must_exist, check_prot) if (cmdp->cmd_name != NULL) { for (i = 0; i < cmdp->num_args; ++i) { if (!getword(f, args[i], &newline, filename)) { - fprintf(stderr, - "In file %s: too few parameters for command %s\n", - filename, cmd); - fclose(f); - return 0; + option_error( + "In file %s: too few parameters for option '%s'", + filename, cmd); + goto err; } argv[i] = args[i]; } - if (!(*cmdp->cmd_func)(argv)) { - fclose(f); - return 0; - } + current_option = cmd; + if (!(*cmdp->cmd_func)(argv)) + goto err; } else { /* * Maybe a tty name, speed or IP address? */ - if ((ret = setdevname(cmd)) == 0 - && (ret = setspeed(cmd)) == 0 - && (ret = setipaddr(cmd)) == 0) { - fprintf(stderr, "In file %s: unrecognized command %s\n", - filename, cmd); - fclose(f); - return 0; + if ((i = setdevname(cmd, 0)) == 0 + && (i = setspeed(cmd)) == 0 + && (i = setipaddr(cmd)) == 0) { + option_error("In file %s: unrecognized option '%s'", + filename, cmd); + goto err; } - if (ret < 0) /* error */ - return 0; + if (i < 0) /* error */ + goto err; } } - return 1; + ret = 1; + +err: + fclose(f); + privileged_option = oldpriv; + return ret; } /* @@ -439,7 +668,7 @@ options_from_user() strcpy(path, user); strcat(path, "/"); strcat(path, file); - ret = options_from_file(path, 0, 1); + ret = options_from_file(path, 0, 1, privileged); free(path); return ret; } @@ -451,27 +680,53 @@ options_from_user() int options_for_tty() { - char *dev, *path; + char *dev, *path, *p; int ret; - dev = strrchr(devnam, '/'); - if (dev == NULL) - dev = devnam; - else - ++dev; + dev = devnam; + if (strncmp(dev, "/dev/", 5) == 0) + dev += 5; if (strcmp(dev, "tty") == 0) return 1; /* don't look for /etc/ppp/options.tty */ path = malloc(strlen(_PATH_TTYOPT) + strlen(dev) + 1); if (path == NULL) novm("tty init file name"); strcpy(path, _PATH_TTYOPT); - strcat(path, dev); - ret = options_from_file(path, 0, 0); + /* Turn slashes into dots, for Solaris case (e.g. /dev/term/a) */ + for (p = path + strlen(path); *dev != 0; ++dev) + *p++ = (*dev == '/'? '.': *dev); + *p = 0; + ret = options_from_file(path, 0, 0, 1); free(path); return ret; } /* + * option_error - print a message about an error in an option. + * The message is logged, and also sent to + * stderr if phase == PHASE_INITIALIZE. + */ +void +option_error __V((char *fmt, ...)) +{ + va_list args; + char buf[256]; + +#if __STDC__ + va_start(args, fmt); +#else + char *fmt; + va_start(args); + fmt = va_arg(args, char *); +#endif + vfmtmsg(buf, sizeof(buf), fmt, args); + va_end(args); + if (phase == PHASE_INITIALIZE) + fprintf(stderr, "%s: %s\n", progname, buf); + syslog(LOG_ERR, "%s", buf); +} + +/* * readable - check if a file is readable by the real user. */ static int @@ -505,7 +760,6 @@ readable(fd) * Quotes, white-space and \ may be escaped with \. * \<newline> is ignored. */ - int getword(f, word, newlinep, filename) FILE *f; @@ -719,7 +973,7 @@ getword(f, word, newlinep, filename) if (ferror(f)) { if (errno == 0) errno = EIO; - perror(filename); + option_error("Error reading %s: %m", filename); die(1); } /* @@ -734,8 +988,8 @@ getword(f, word, newlinep, filename) * Warn if the word was too long, and append a terminating null. */ if (len >= MAXWORDLEN) { - fprintf(stderr, "%s: warning: word in file %s too long (%.20s...)\n", - progname, filename, word); + option_error("warning: word in file %s too long (%.20s...)", + filename, word); len = MAXWORDLEN - 1; } word[len] = 0; @@ -759,7 +1013,8 @@ number_option(str, valp, base) *valp = strtoul(str, &ptr, base); if (ptr == str) { - fprintf(stderr, "%s: invalid number: %s\n", progname, str); + option_error("invalid numeric parameter '%s' for %s option", + str, current_option); return 0; } return 1; @@ -786,7 +1041,7 @@ int_option(str, valp) /* - * The following procedures execute commands. + * The following procedures parse options. */ /* @@ -796,14 +1051,60 @@ static int readfile(argv) char **argv; { - return options_from_file(*argv, 1, 1); + return options_from_file(*argv, 1, 1, privileged_option); } /* + * callfile - take commands from /etc/ppp/peers/<name>. + * Name may not contain /../, start with / or ../, or end in /.. + */ +static int +callfile(argv) + char **argv; +{ + char *fname, *arg, *p; + int l, ok; + + arg = *argv; + ok = 1; + if (arg[0] == '/' || arg[0] == 0) + ok = 0; + else { + for (p = arg; *p != 0; ) { + if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == 0)) { + ok = 0; + break; + } + while (*p != '/' && *p != 0) + ++p; + if (*p == '/') + ++p; + } + } + if (!ok) { + option_error("call option value may not contain .. or start with /"); + return 0; + } + + l = strlen(arg) + strlen(_PATH_PEERFILES) + 1; + if ((fname = (char *) malloc(l)) == NULL) + novm("call file name"); + strcpy(fname, _PATH_PEERFILES); + strcat(fname, arg); + + ok = options_from_file(fname, 1, 1, 1); + + free(fname); + return ok; +} + + +/* * setdebug - Set debug (command line argument). */ static int -setdebug() +setdebug(argv) + char **argv; { debug++; return (1); @@ -819,16 +1120,67 @@ setkdebug(argv) return int_option(*argv, &kdebugflag); } +#ifdef PPP_FILTER +/* + * setpdebug - Set libpcap debugging level. + */ +static int +setpdebug(argv) + char **argv; +{ + return int_option(*argv, &dflag); +} + +/* + * setpassfilter - Set the pass filter for packets + */ +static int +setpassfilter(argv) + char **argv; +{ + pc.linktype = DLT_PPP; + pc.snapshot = PPP_HDRLEN; + + if (pcap_compile(&pc, &pass_filter, *argv, 1, netmask) == 0) + return 1; + option_error("error in pass-filter expression: %s\n", pcap_geterr(&pc)); + return 0; +} + +/* + * setactivefilter - Set the active filter for packets + */ +static int +setactivefilter(argv) + char **argv; +{ + pc.linktype = DLT_PPP; + pc.snapshot = PPP_HDRLEN; + + if (pcap_compile(&pc, &active_filter, *argv, 1, netmask) == 0) + return 1; + option_error("error in active-filter expression: %s\n", pcap_geterr(&pc)); + return 0; +} +#endif + /* * noopt - Disable all options. */ static int -noopt() +noopt(argv) + char **argv; { BZERO((char *) &lcp_wantoptions[0], sizeof (struct lcp_options)); BZERO((char *) &lcp_allowoptions[0], sizeof (struct lcp_options)); BZERO((char *) &ipcp_wantoptions[0], sizeof (struct ipcp_options)); BZERO((char *) &ipcp_allowoptions[0], sizeof (struct ipcp_options)); + +#ifdef IPX_CHANGE + BZERO((char *) &ipxcp_wantoptions[0], sizeof (struct ipxcp_options)); + BZERO((char *) &ipxcp_allowoptions[0], sizeof (struct ipxcp_options)); +#endif /* IPX_CHANGE */ + return (1); } @@ -836,7 +1188,8 @@ noopt() * noaccomp - Disable Address/Control field compression negotiation. */ static int -noaccomp() +noaccomp(argv) + char **argv; { lcp_wantoptions[0].neg_accompression = 0; lcp_allowoptions[0].neg_accompression = 0; @@ -848,7 +1201,8 @@ noaccomp() * noasyncmap - Disable async map negotiation. */ static int -noasyncmap() +noasyncmap(argv) + char **argv; { lcp_wantoptions[0].neg_asyncmap = 0; lcp_allowoptions[0].neg_asyncmap = 0; @@ -857,13 +1211,13 @@ noasyncmap() /* - * noipaddr - Disable IP address negotiation. + * noip - Disable IP and IPCP. */ static int -noipaddr() +noip(argv) + char **argv; { - ipcp_wantoptions[0].neg_addr = 0; - ipcp_allowoptions[0].neg_addr = 0; + ipcp_protent.enabled_flag = 0; return (1); } @@ -872,7 +1226,8 @@ noipaddr() * nomagicnumber - Disable magic number negotiation. */ static int -nomagicnumber() +nomagicnumber(argv) + char **argv; { lcp_wantoptions[0].neg_magicnumber = 0; lcp_allowoptions[0].neg_magicnumber = 0; @@ -884,7 +1239,8 @@ nomagicnumber() * nomru - Disable mru negotiation. */ static int -nomru() +nomru(argv) + char **argv; { lcp_wantoptions[0].neg_mru = 0; lcp_allowoptions[0].neg_mru = 0; @@ -921,20 +1277,36 @@ setmtu(argv) if (!number_option(*argv, &mtu, 0)) return 0; if (mtu < MINMRU || mtu > MAXMRU) { - fprintf(stderr, "mtu option value of %ld is too %s\n", mtu, - (mtu < MINMRU? "small": "large")); + option_error("mtu option value of %u is too %s", mtu, + (mtu < MINMRU? "small": "large")); return 0; } lcp_allowoptions[0].mru = mtu; return (1); } +#ifdef CBCP_SUPPORT +static int +setcbcp(argv) + char **argv; +{ + lcp_wantoptions[0].neg_cbcp = 1; + cbcp_protent.enabled_flag = 1; + cbcp[0].us_number = strdup(*argv); + if (cbcp[0].us_number == 0) + novm("callback number"); + cbcp[0].us_type |= (1 << CB_CONF_USER); + cbcp[0].us_type |= (1 << CB_CONF_ADMIN); + return (1); +} +#endif /* * nopcomp - Disable Protocol field compression negotiation. */ static int -nopcomp() +nopcomp(argv) + char **argv; { lcp_wantoptions[0].neg_pcompression = 0; lcp_allowoptions[0].neg_pcompression = 0; @@ -947,7 +1319,8 @@ nopcomp() * LCP configure-requests). */ static int -setpassive() +setpassive(argv) + char **argv; { lcp_wantoptions[0].passive = 1; return (1); @@ -959,7 +1332,8 @@ setpassive() * until we get one from the peer). */ static int -setsilent() +setsilent(argv) + char **argv; { lcp_wantoptions[0].silent = 1; return 1; @@ -970,9 +1344,10 @@ setsilent() * nopap - Disable PAP authentication with peer. */ static int -nopap() +nopap(argv) + char **argv; { - lcp_allowoptions[0].neg_upap = 0; + refuse_pap = 1; return (1); } @@ -981,14 +1356,15 @@ nopap() * reqpap - Require PAP authentication from peer. */ static int -reqpap() +reqpap(argv) + char **argv; { lcp_wantoptions[0].neg_upap = 1; - auth_required = 1; + setauth(NULL); return 1; } - +#if OLD_OPTIONS /* * setupapfile - specifies UPAP info for authenticating with peer. */ @@ -1003,11 +1379,11 @@ setupapfile(argv) /* open user info file */ if ((ufile = fopen(*argv, "r")) == NULL) { - fprintf(stderr, "unable to open user login data file %s\n", *argv); + option_error("unable to open user login data file %s", *argv); return 0; } if (!readable(fileno(ufile))) { - fprintf(stderr, "%s: access denied\n", *argv); + option_error("%s: access denied", *argv); return 0; } check_access(ufile, *argv); @@ -1015,7 +1391,7 @@ setupapfile(argv) /* get username */ if (fgets(user, MAXNAMELEN - 1, ufile) == NULL || fgets(passwd, MAXSECRETLEN - 1, ufile) == NULL){ - fprintf(stderr, "Unable to read user login data file %s.\n", *argv); + option_error("unable to read user login data file %s", *argv); return 0; } fclose(ufile); @@ -1030,15 +1406,16 @@ setupapfile(argv) return (1); } - +#endif /* * nochap - Disable CHAP authentication with peer. */ static int -nochap() +nochap(argv) + char **argv; { - lcp_allowoptions[0].neg_chap = 0; + refuse_chap = 1; return (1); } @@ -1047,10 +1424,11 @@ nochap() * reqchap - Require CHAP authentication from peer. */ static int -reqchap() +reqchap(argv) + char **argv; { lcp_wantoptions[0].neg_chap = 1; - auth_required = 1; + setauth(NULL); return (1); } @@ -1059,7 +1437,8 @@ reqchap() * setnovj - disable vj compression */ static int -setnovj() +setnovj(argv) + char **argv; { ipcp_wantoptions[0].neg_vj = 0; ipcp_allowoptions[0].neg_vj = 0; @@ -1071,7 +1450,8 @@ setnovj() * setnovjccomp - disable VJ connection-ID compression */ static int -setnovjccomp() +setnovjccomp(argv) + char **argv; { ipcp_wantoptions[0].cflag = 0; ipcp_allowoptions[0].cflag = 0; @@ -1091,7 +1471,7 @@ setvjslots(argv) if (!int_option(*argv, &value)) return 0; if (value < 2 || value > 16) { - fprintf(stderr, "pppd: vj-max-slots value must be between 2 and 16\n"); + option_error("vj-max-slots value must be between 2 and 16"); return 0; } ipcp_wantoptions [0].maxslotindex = @@ -1109,8 +1489,10 @@ setconnector(argv) { connector = strdup(*argv); if (connector == NULL) - novm("connector string"); - + novm("connect script"); + connector_info.priv = privileged_option; + connector_info.source = option_source; + return (1); } @@ -1123,11 +1505,51 @@ setdisconnector(argv) { disconnector = strdup(*argv); if (disconnector == NULL) - novm("disconnector string"); + novm("disconnect script"); + disconnector_info.priv = privileged_option; + disconnector_info.source = option_source; return (1); } +/* + * setwelcomer - Set a program to welcome a client after connection + */ +static int +setwelcomer(argv) + char **argv; +{ + welcomer = strdup(*argv); + if (welcomer == NULL) + novm("welcome script"); + welcomer_info.priv = privileged_option; + welcomer_info.source = option_source; + + return (1); +} + +/* + * setmaxconnect - Set the maximum connect time + */ +static int +setmaxconnect(argv) + char **argv; +{ + int value; + + if (!int_option(*argv, &value)) + return 0; + if (value < 0) { + option_error("maxconnect time must be positive"); + return 0; + } + if (maxconnect > 0 && (value == 0 || value > maxconnect)) { + option_error("maxconnect time cannot be increased"); + return 0; + } + maxconnect = value; + return 1; +} /* * setdomain - Set domain name to append to hostname @@ -1136,6 +1558,10 @@ static int setdomain(argv) char **argv; { + if (!privileged_option) { + option_error("using the domain option requires root privilege"); + return 0; + } gethostname(hostname, MAXNAMELEN); if (**argv != 0) { if (**argv != '.') @@ -1179,12 +1605,13 @@ setescape(argv) while (*p) { n = strtol(p, &endp, 16); if (p == endp) { - fprintf(stderr, "%s: invalid hex number: %s\n", progname, p); + option_error("escape parameter contains invalid hex number '%s'", + p); return 0; } p = endp; - if (n < 0 || 0x20 <= n && n <= 0x3F || n == 0x5E || n > 0xFF) { - fprintf(stderr, "%s: can't escape character 0x%x\n", progname, n); + if (n < 0 || (0x20 <= n && n <= 0x3F) || n == 0x5E || n > 0xFF) { + option_error("can't escape character 0x%x", n); ret = 0; } else xmit_accm[0][n >> 5] |= 1 << (n & 0x1F); @@ -1216,14 +1643,17 @@ setspeed(arg) /* * setdevname - Set the device name. */ -int -setdevname(cp) +static int +setdevname(cp, quiet) char *cp; + int quiet; { struct stat statbuf; - char *tty, *ttyname(); char dev[MAXPATHLEN]; - + + if (*cp == 0) + return 0; + if (strncmp("/dev/", cp, 5) != 0) { strcpy(dev, "/dev/"); strncat(dev, cp, MAXPATHLEN - 5); @@ -1235,15 +1665,17 @@ setdevname(cp) * Check if there is a device by this name. */ if (stat(cp, &statbuf) < 0) { - if (errno == ENOENT) + if (errno == ENOENT || quiet) return 0; - syslog(LOG_ERR, cp); + option_error("Couldn't stat %s: %m", cp); return -1; } - + (void) strncpy(devnam, cp, MAXPATHLEN); devnam[MAXPATHLEN-1] = 0; default_device = FALSE; + devnam_info.priv = privileged_option; + devnam_info.source = option_source; return 1; } @@ -1252,7 +1684,7 @@ setdevname(cp) /* * setipaddr - Set the IP address */ -int +static int setipaddr(arg) char *arg; { @@ -1274,18 +1706,14 @@ setipaddr(arg) *colon = '\0'; if ((local = inet_addr(arg)) == -1) { if ((hp = gethostbyname(arg)) == NULL) { - fprintf(stderr, "unknown host: %s\n", arg); + option_error("unknown host: %s", arg); return -1; } else { local = *(u_int32_t *)hp->h_addr; - if (our_name[0] == 0) { - strncpy(our_name, arg, MAXNAMELEN); - our_name[MAXNAMELEN-1] = 0; - } } } if (bad_ip_adrs(local)) { - fprintf(stderr, "bad local IP address %s\n", ip_ntoa(local)); + option_error("bad local IP address %s", ip_ntoa(local)); return -1; } if (local != 0) @@ -1299,7 +1727,7 @@ setipaddr(arg) if (*++colon != '\0') { if ((remote = inet_addr(colon)) == -1) { if ((hp = gethostbyname(colon)) == NULL) { - fprintf(stderr, "unknown host: %s\n", colon); + option_error("unknown host: %s", colon); return -1; } else { remote = *(u_int32_t *)hp->h_addr; @@ -1310,7 +1738,7 @@ setipaddr(arg) } } if (bad_ip_adrs(remote)) { - fprintf(stderr, "bad remote IP address %s\n", ip_ntoa(remote)); + option_error("bad remote IP address %s", ip_ntoa(remote)); return -1; } if (remote != 0) @@ -1325,7 +1753,8 @@ setipaddr(arg) * setnoipdflt - disable setipdefault() */ static int -setnoipdflt() +setnoipdflt(argv) + char **argv; { disable_defaultip = 1; return 1; @@ -1336,7 +1765,8 @@ setnoipdflt() * setipcpaccl - accept peer's idea of our address */ static int -setipcpaccl() +setipcpaccl(argv) + char **argv; { ipcp_wantoptions[0].accept_local = 1; return 1; @@ -1347,7 +1777,8 @@ setipcpaccl() * setipcpaccr - accept peer's idea of its address */ static int -setipcpaccr() +setipcpaccr(argv) + char **argv; { ipcp_wantoptions[0].accept_remote = 1; return 1; @@ -1355,107 +1786,123 @@ setipcpaccr() /* - * setipdefault - default our local IP address based on our hostname. - */ -void -setipdefault() -{ - struct hostent *hp; - u_int32_t local; - ipcp_options *wo = &ipcp_wantoptions[0]; - - /* - * If local IP address already given, don't bother. - */ - if (wo->ouraddr != 0 || disable_defaultip) - return; - - /* - * Look up our hostname (possibly with domain name appended) - * and take the first IP address as our local IP address. - * If there isn't an IP address for our hostname, too bad. - */ - wo->accept_local = 1; /* don't insist on this default value */ - if ((hp = gethostbyname(hostname)) == NULL) - return; - local = *(u_int32_t *)hp->h_addr; - if (local != 0 && !bad_ip_adrs(local)) - wo->ouraddr = local; -} - - -/* * setnetmask - set the netmask to be used on the interface. */ static int setnetmask(argv) char **argv; { - u_int32_t mask; + u_int32_t mask, b; + int n, ok; + char *p, *endp; - if ((mask = inet_addr(*argv)) == -1 || (netmask & ~mask) != 0) { - fprintf(stderr, "Invalid netmask %s\n", *argv); + /* + * Unfortunately, if we use inet_addr, we can't tell whether + * a result of all 1s is an error or a valid 255.255.255.255. + */ + p = *argv; + ok = 0; + mask = 0; + for (n = 3;; --n) { + b = strtoul(p, &endp, 0); + if (endp == p) + break; + if (b < 0 || b > 255) { + if (n == 3) { + /* accept e.g. 0xffffff00 */ + p = endp; + mask = b; + } + break; + } + mask |= b << (n * 8); + p = endp; + if (*p != '.' || n == 0) + break; + ++p; + } + + mask = htonl(mask); + + if (*p != 0 || (netmask & ~mask) != 0) { + option_error("invalid netmask value '%s'", *argv); return 0; } - netmask = mask; return (1); } static int -setcrtscts() +setcrtscts(argv) + char **argv; { crtscts = 1; return (1); } static int -setnocrtscts() +setnocrtscts(argv) + char **argv; { crtscts = -1; return (1); } static int -setxonxoff() +setxonxoff(argv) + char **argv; { lcp_wantoptions[0].asyncmap |= 0x000A0000; /* escape ^S and ^Q */ lcp_wantoptions[0].neg_asyncmap = 1; - crtscts = 2; + crtscts = -2; return (1); } static int -setnodetach() +setnodetach(argv) + char **argv; { nodetach = 1; return (1); } static int -setmodem() +setdemand(argv) + char **argv; +{ + demand = 1; + persist = 1; + return 1; +} + +static int +setmodem(argv) + char **argv; { modem = 1; return 1; } static int -setlocal() +setlocal(argv) + char **argv; { modem = 0; return 1; } static int -setlock() +setlock(argv) + char **argv; { lockflag = 1; return 1; } static int -setusehostname() +setusehostname(argv) + char **argv; { usehostname = 1; return 1; @@ -1465,10 +1912,12 @@ static int setname(argv) char **argv; { - if (our_name[0] == 0) { - strncpy(our_name, argv[0], MAXNAMELEN); - our_name[MAXNAMELEN-1] = 0; + if (!privileged_option) { + option_error("using the name option requires root privilege"); + return 0; } + strncpy(our_name, argv[0], MAXNAMELEN); + our_name[MAXNAMELEN-1] = 0; return 1; } @@ -1491,17 +1940,36 @@ setremote(argv) } static int -setauth() +setauth(argv) + char **argv; { auth_required = 1; + if (privileged_option > auth_req_info.priv) { + auth_req_info.priv = privileged_option; + auth_req_info.source = option_source; + } return 1; } static int -setdefaultroute() +setnoauth(argv) + char **argv; +{ + if (auth_required && privileged_option < auth_req_info.priv) { + option_error("cannot override auth option set by %s", + auth_req_info.source); + return 0; + } + auth_required = 0; + return 1; +} + +static int +setdefaultroute(argv) + char **argv; { if (!ipcp_allowoptions[0].default_route) { - fprintf(stderr, "%s: defaultroute option is disabled\n", progname); + option_error("defaultroute option is disabled"); return 0; } ipcp_wantoptions[0].default_route = 1; @@ -1509,7 +1977,8 @@ setdefaultroute() } static int -setnodefaultroute() +setnodefaultroute(argv) + char **argv; { ipcp_allowoptions[0].default_route = 0; ipcp_wantoptions[0].default_route = 0; @@ -1517,10 +1986,11 @@ setnodefaultroute() } static int -setproxyarp() +setproxyarp(argv) + char **argv; { if (!ipcp_allowoptions[0].proxy_arp) { - fprintf(stderr, "%s: proxyarp option is disabled\n", progname); + option_error("proxyarp option is disabled"); return 0; } ipcp_wantoptions[0].proxy_arp = 1; @@ -1528,7 +1998,8 @@ setproxyarp() } static int -setnoproxyarp() +setnoproxyarp(argv) + char **argv; { ipcp_wantoptions[0].proxy_arp = 0; ipcp_allowoptions[0].proxy_arp = 0; @@ -1536,14 +2007,24 @@ setnoproxyarp() } static int -setpersist() +setpersist(argv) + char **argv; { persist = 1; return 1; } static int -setdologin() +setnopersist(argv) + char **argv; +{ + persist = 0; + return 1; +} + +static int +setdologin(argv) + char **argv; { uselogin = 1; return 1; @@ -1669,6 +2150,14 @@ setchapintv(argv) } static int +noccp(argv) + char **argv; +{ + ccp_protent.enabled_flag = 0; + return 1; +} + +static int setbsdcomp(argv) char **argv; { @@ -1682,14 +2171,13 @@ setbsdcomp(argv) abits = strtol(str, &endp, 0); } if (*endp != 0 || endp == str) { - fprintf(stderr, "%s: invalid argument format for bsdcomp option\n", - progname); + option_error("invalid parameter '%s' for bsdcomp option", *argv); return 0; } - if (rbits != 0 && (rbits < BSD_MIN_BITS || rbits > BSD_MAX_BITS) - || abits != 0 && (abits < BSD_MIN_BITS || abits > BSD_MAX_BITS)) { - fprintf(stderr, "%s: bsdcomp option values must be 0 or %d .. %d\n", - progname, BSD_MIN_BITS, BSD_MAX_BITS); + if ((rbits != 0 && (rbits < BSD_MIN_BITS || rbits > BSD_MAX_BITS)) + || (abits != 0 && (abits < BSD_MIN_BITS || abits > BSD_MAX_BITS))) { + option_error("bsdcomp option values must be 0 or %d .. %d", + BSD_MIN_BITS, BSD_MAX_BITS); return 0; } if (rbits > 0) { @@ -1706,7 +2194,8 @@ setbsdcomp(argv) } static int -setnobsdcomp() +setnobsdcomp(argv) + char **argv; { ccp_wantoptions[0].bsd_compress = 0; ccp_allowoptions[0].bsd_compress = 0; @@ -1714,6 +2203,70 @@ setnobsdcomp() } static int +setdeflate(argv) + char **argv; +{ + int rbits, abits; + char *str, *endp; + + str = *argv; + abits = rbits = strtol(str, &endp, 0); + if (endp != str && *endp == ',') { + str = endp + 1; + abits = strtol(str, &endp, 0); + } + if (*endp != 0 || endp == str) { + option_error("invalid parameter '%s' for deflate option", *argv); + return 0; + } + if ((rbits != 0 && (rbits < DEFLATE_MIN_SIZE || rbits > DEFLATE_MAX_SIZE)) + || (abits != 0 && (abits < DEFLATE_MIN_SIZE + || abits > DEFLATE_MAX_SIZE))) { + option_error("deflate option values must be 0 or %d .. %d", + DEFLATE_MIN_SIZE, DEFLATE_MAX_SIZE); + return 0; + } + if (rbits > 0) { + ccp_wantoptions[0].deflate = 1; + ccp_wantoptions[0].deflate_size = rbits; + } else + ccp_wantoptions[0].deflate = 0; + if (abits > 0) { + ccp_allowoptions[0].deflate = 1; + ccp_allowoptions[0].deflate_size = abits; + } else + ccp_allowoptions[0].deflate = 0; + return 1; +} + +static int +setnodeflate(argv) + char **argv; +{ + ccp_wantoptions[0].deflate = 0; + ccp_allowoptions[0].deflate = 0; + return 1; +} + +static int +setpred1comp(argv) + char **argv; +{ + ccp_wantoptions[0].predictor_1 = 1; + ccp_allowoptions[0].predictor_1 = 1; + return 1; +} + +static int +setnopred1comp(argv) + char **argv; +{ + ccp_wantoptions[0].predictor_1 = 0; + ccp_allowoptions[0].predictor_1 = 0; + return 1; +} + +static int setipparam(argv) char **argv; { @@ -1725,16 +2278,274 @@ setipparam(argv) } static int -setpapcrypt() +setpapcrypt(argv) + char **argv; { cryptpap = 1; return 1; } -#ifdef _linux_ -static int setidle (argv) +static int +setidle(argv) char **argv; { return int_option(*argv, &idle_time_limit); } + +static int +setholdoff(argv) + char **argv; +{ + return int_option(*argv, &holdoff); +} + +/* + * setdnsaddr - set the dns address(es) + */ +static int +setdnsaddr(argv) + char **argv; +{ + u_int32_t dns; + struct hostent *hp; + + dns = inet_addr(*argv); + if (dns == -1) { + if ((hp = gethostbyname(*argv)) == NULL) { + option_error("invalid address parameter '%s' for ms-dns option", + *argv); + return 0; + } + dns = *(u_int32_t *)hp->h_addr; + } + + if (ipcp_allowoptions[0].dnsaddr[0] == 0) { + ipcp_allowoptions[0].dnsaddr[0] = dns; + } else { + ipcp_allowoptions[0].dnsaddr[1] = dns; + } + + return (1); +} + +/* + * setwinsaddr - set the wins address(es) + * This is primrarly used with the Samba package under UNIX or for pointing + * the caller to the existing WINS server on a Windows NT platform. + */ +static int +setwinsaddr(argv) + char **argv; +{ + u_int32_t wins; + struct hostent *hp; + + wins = inet_addr(*argv); + if (wins == -1) { + if ((hp = gethostbyname(*argv)) == NULL) { + option_error("invalid address parameter '%s' for ms-wins option", + *argv); + return 0; + } + wins = *(u_int32_t *)hp->h_addr; + } + + if (ipcp_allowoptions[0].winsaddr[0] == 0) { + ipcp_allowoptions[0].winsaddr[0] = wins; + } else { + ipcp_allowoptions[0].winsaddr[1] = wins; + } + + return (1); +} + +#ifdef IPX_CHANGE +static int +setipxrouter (argv) + char **argv; +{ + ipxcp_wantoptions[0].neg_router = 1; + ipxcp_allowoptions[0].neg_router = 1; + return int_option(*argv, &ipxcp_wantoptions[0].router); +} + +static int +setipxname (argv) + char **argv; +{ + char *dest = ipxcp_wantoptions[0].name; + char *src = *argv; + int count; + char ch; + + ipxcp_wantoptions[0].neg_name = 1; + ipxcp_allowoptions[0].neg_name = 1; + memset (dest, '\0', sizeof (ipxcp_wantoptions[0].name)); + + count = 0; + while (*src) { + ch = *src++; + if (! isalnum (ch) && ch != '_') { + option_error("IPX router name must be alphanumeric or _"); + return 0; + } + + if (count >= sizeof (ipxcp_wantoptions[0].name)) { + option_error("IPX router name is limited to %d characters", + sizeof (ipxcp_wantoptions[0].name) - 1); + return 0; + } + + dest[count++] = toupper (ch); + } + + return 1; +} + +static int +setipxcptimeout (argv) + char **argv; +{ + return int_option(*argv, &ipxcp_fsm[0].timeouttime); +} + +static int +setipxcpterm (argv) + char **argv; +{ + return int_option(*argv, &ipxcp_fsm[0].maxtermtransmits); +} + +static int +setipxcpconf (argv) + char **argv; +{ + return int_option(*argv, &ipxcp_fsm[0].maxconfreqtransmits); +} + +static int +setipxcpfails (argv) + char **argv; +{ + return int_option(*argv, &ipxcp_fsm[0].maxnakloops); +} + +static int +setipxnetwork(argv) + char **argv; +{ + u_int32_t v; + + if (!number_option(*argv, &v, 16)) + return 0; + + ipxcp_wantoptions[0].our_network = (int) v; + ipxcp_wantoptions[0].neg_nn = 1; + return 1; +} + +static int +setipxanet(argv) + char **argv; +{ + ipxcp_wantoptions[0].accept_network = 1; + ipxcp_allowoptions[0].accept_network = 1; +} + +static int +setipxalcl(argv) + char **argv; +{ + ipxcp_wantoptions[0].accept_local = 1; + ipxcp_allowoptions[0].accept_local = 1; +} + +static int +setipxarmt(argv) + char **argv; +{ + ipxcp_wantoptions[0].accept_remote = 1; + ipxcp_allowoptions[0].accept_remote = 1; +} + +static u_char * +setipxnodevalue(src,dst) +u_char *src, *dst; +{ + int indx; + int item; + + for (;;) { + if (!isxdigit (*src)) + break; + + for (indx = 0; indx < 5; ++indx) { + dst[indx] <<= 4; + dst[indx] |= (dst[indx + 1] >> 4) & 0x0F; + } + + item = toupper (*src) - '0'; + if (item > 9) + item -= 7; + + dst[5] = (dst[5] << 4) | item; + ++src; + } + return src; +} + +static int +setipxnode(argv) + char **argv; +{ + char *end; + + memset (&ipxcp_wantoptions[0].our_node[0], 0, 6); + memset (&ipxcp_wantoptions[0].his_node[0], 0, 6); + + end = setipxnodevalue (*argv, &ipxcp_wantoptions[0].our_node[0]); + if (*end == ':') + end = setipxnodevalue (++end, &ipxcp_wantoptions[0].his_node[0]); + + if (*end == '\0') { + ipxcp_wantoptions[0].neg_node = 1; + return 1; + } + + option_error("invalid parameter '%s' for ipx-node option", *argv); + return 0; +} + +static int +setipxproto(argv) + char **argv; +{ + ipxcp_protent.enabled_flag = 1; + return 1; +} + +static int +resetipxproto(argv) + char **argv; +{ + ipxcp_protent.enabled_flag = 0; + return 1; +} +#else + +static int +resetipxproto(argv) + char **argv; +{ + return 1; +} +#endif /* IPX_CHANGE */ + +#ifdef MSLANMAN +static int +setmslanman() +{ + ms_lanman = 1; + return (1); +} #endif diff --git a/usr.sbin/pppd/patchlevel.h b/usr.sbin/pppd/patchlevel.h index c722443f029d..a566952c25a3 100644 --- a/usr.sbin/pppd/patchlevel.h +++ b/usr.sbin/pppd/patchlevel.h @@ -1,6 +1,6 @@ -/* $Id: patchlevel.h,v 1.16 1995/07/11 06:41:07 paulus Exp $ */ +/* $Id: patchlevel.h,v 1.28 1997/05/22 06:46:29 paulus Exp $ */ #define PATCHLEVEL 0 -#define VERSION "2.2" -#define IMPLEMENTATION "beta3" -#define DATE "11 July 95" +#define VERSION "2.3" +#define IMPLEMENTATION "" +#define DATE "22 May 97" diff --git a/usr.sbin/pppd/pathnames.h b/usr.sbin/pppd/pathnames.h index 4562a967017b..4bca84f508da 100644 --- a/usr.sbin/pppd/pathnames.h +++ b/usr.sbin/pppd/pathnames.h @@ -1,7 +1,7 @@ /* * define path names * - * $Id: pathnames.h,v 1.6 1995/06/12 11:22:53 paulus Exp $ + * $Id: pathnames.h,v 1.9 1996/08/28 06:41:46 paulus Exp $ */ #ifdef HAVE_PATHS_H @@ -17,6 +17,14 @@ #define _PATH_SYSOPTIONS "/etc/ppp/options" #define _PATH_IPUP "/etc/ppp/ip-up" #define _PATH_IPDOWN "/etc/ppp/ip-down" +#define _PATH_AUTHUP "/etc/ppp/auth-up" +#define _PATH_AUTHDOWN "/etc/ppp/auth-down" #define _PATH_TTYOPT "/etc/ppp/options." #define _PATH_CONNERRS "/etc/ppp/connect-errors" #define _PATH_USEROPT ".ppprc" +#define _PATH_PEERFILES "/etc/ppp/peers/" + +#ifdef IPX_CHANGE +#define _PATH_IPXUP "/etc/ppp/ipx-up" +#define _PATH_IPXDOWN "/etc/ppp/ipx-down" +#endif /* IPX_CHANGE */ diff --git a/usr.sbin/pppd/pppd.8 b/usr.sbin/pppd/pppd.8 index e1c7bbdd9886..6a891b9a217c 100644 --- a/usr.sbin/pppd/pppd.8 +++ b/usr.sbin/pppd/pppd.8 @@ -1,5 +1,5 @@ -.\" manual page [] for pppd 2.0 -.\" $Id: pppd.8,v 1.14 1995/08/16 01:39:53 paulus Exp $ +.\" manual page [] for pppd 2.3 +.\" $Id: pppd.8,v 1.26 1997/04/30 05:56:22 paulus Exp $ .\" SH section heading .\" SS subsection heading .\" LP paragraph @@ -11,11 +11,11 @@ pppd \- Point to Point Protocol daemon .SH SYNOPSIS .B pppd [ -.I options -] [ .I tty_name ] [ .I speed +] [ +.I options ] .SH DESCRIPTION .LP @@ -27,120 +27,126 @@ a family of Network Control Protocols (NCP) for establishing and configuring different network-layer protocols. .LP The encapsulation scheme is provided by driver code in the kernel. -.B pppd -provides the basic LCP, authentication support, and an -NCP for establishing and configuring the Internet Protocol (IP) -(called the IP Control Protocol, IPCP). +Pppd provides the basic LCP, authentication support, and an NCP for +establishing and configuring the Internet Protocol (IP) (called the IP +Control Protocol, IPCP). .SH FREQUENTLY USED OPTIONS .TP .I <tty_name> -Communicate over the named device. The string "/dev/" -is prepended if necessary. If no device name is given, -or if the name of the controlling terminal is given, -.I pppd -will use the controlling terminal, and will not fork to put itself in -the background. +Communicate over the named device. The string "/dev/" is prepended if +necessary. If no device name is given, or if the name of the terminal +connected to the standard input is given, pppd +will use that terminal, and will not fork to put itself in the +background. This option is privileged if the \fInoauth\fR option is +used. .TP .I <speed> -Set the baud rate to <speed>. On systems such as 4.4BSD and NetBSD, -any speed can be specified. Other systems (e.g. SunOS) allow only a -limited set of speeds. +Set the baud rate to <speed> (a decimal number). On systems such as +4.4BSD and NetBSD, any speed can be specified. Other systems +(e.g. SunOS) allow only a limited set of speeds. +.TP +.B active-filter \fIfilter-expression +Specifies a packet filter to be applied to data packets to determine +which packets are to be regarded as link activity, and therefore reset +the idle timer, or cause the link to be brought up in demand-dialling +mode. This option is useful in conjunction with the +\fBidle\fR option if there are packets being sent or received +regularly over the link (for example, routing information packets) +which would otherwise prevent the link from ever appearing to be idle. +The \fIfilter-expression\fR syntax is as described for tcpdump(1), +except that qualifiers which are inappropriate for a PPP link, such as +\fBether\fR and \fBarp\fR, are not permitted. Generally the filter +expression should be enclosed in single-quotes to prevent whitespace +in the expression from being interpreted by the shell. This option +is currently only available under NetBSD, and then only +if both the kernel and pppd were compiled with PPP_FILTER defined. .TP .B asyncmap \fI<map> -Set the async character map to <map>. -This map describes which control characters cannot be successfully -received over the serial line. -.I pppd -will ask the peer to send these characters as a 2-byte escape sequence. -The argument is a 32 bit hex number -with each bit representing a character to escape. -Bit 0 (00000001) represents the character 0x00; -bit 31 (80000000) represents the character 0x1f or ^_. -If multiple \fBasyncmap\fR options are -given, the values are ORed together. -If no \fBasyncmap\fR option is given, no async character map will be -negotiated for the receive direction; the peer should then escape -\fIall\fR control characters. +Set the async character map to <map>. This map describes which +control characters cannot be successfully received over the serial +line. Pppd will ask the peer to send these characters as a 2-byte +escape sequence. The argument is a 32 bit hex number with each bit +representing a character to escape. Bit 0 (00000001) represents the +character 0x00; bit 31 (80000000) represents the character 0x1f or ^_. +If multiple \fIasyncmap\fR options are given, the values are ORed +together. If no \fIasyncmap\fR option is given, no async character +map will be negotiated for the receive direction; the peer should then +escape \fIall\fR control characters. To escape transmitted +characters, use the \fIescape\fR option. .TP .B auth Require the peer to authenticate itself before allowing network packets to be sent or received. .TP -.B connect \fI<p> -Use the executable or shell command specified by \fI<p>\fR to set up the -serial line. This script would typically use the "chat" program to -dial the modem and start the remote ppp session. -.TP -.B crtscts -Use hardware flow control (i.e. RTS/CTS) to control the flow of data on -the serial port. +.B call \fIname +Read options from the file /etc/ppp/peers/\fIname\fR. This file may +contain privileged options, such as \fInoauth\fR, even if pppd +is not being run by root. The \fIname\fR string may not begin with / +or include .. as a pathname component. The format of the options file +is described below. .TP -.B -crtscts -Disable hardware flow control (i.e. RTS/CTS) on the serial port. If -neither the \fBcrtscts\fR nor the \fB\-crtscts\fR option is given, -the hardware flow control setting for the serial port is left -unchanged. +.B connect \fIscript +Use the executable or shell command specified by \fIscript\fR to set +up the serial line. This script would typically use the chat(8) +program to dial the modem and start the remote ppp session. This +option is privileged if the \fInoauth\fR option is used. .TP -.B xonxoff -Use software flow control (i.e. XON/XOFF) to control the flow of data on -the serial port. This option is only implemented on Linux systems -at present. +.B crtscts +Use hardware flow control (i.e. RTS/CTS) to control the flow of data +on the serial port. If neither the \fIcrtscts\fR nor the +\fInocrtscts\fR option is given, the hardware flow control setting +for the serial port is left unchanged. .TP .B defaultroute Add a default route to the system routing tables, using the peer as the gateway, when IPCP negotiation is successfully completed. -This entry is removed when the PPP connection is broken. +This entry is removed when the PPP connection is broken. This option +is privileged if the \fInodefaultroute\fR option has been specified. .TP -.B disconnect \fI<p> -Run the executable or shell command specified by \fI<p>\fR after -\fIpppd\fR has terminated the link. This script could, for example, -issue commands to the modem to cause it to hang up if hardware modem -control signals were not available. +.B disconnect \fIscript +Run the executable or shell command specified by \fIscript\fR after +pppd has terminated the link. This script could, for example, issue +commands to the modem to cause it to hang up if hardware modem control +signals were not available. The disconnect script is not run if the +modem has already hung up. This option is privileged if the +\fInoauth\fR option is used. .TP .B escape \fIxx,yy,... Specifies that certain characters should be escaped on transmission (regardless of whether the peer requests them to be escaped with its async control character map). The characters to be escaped are specified as a list of hex numbers separated by commas. Note that -almost any character can be specified for the \fBescape\fR option, -unlike the \fBasyncmap\fR option which only allows control characters +almost any character can be specified for the \fIescape\fR option, +unlike the \fIasyncmap\fR option which only allows control characters to be specified. The characters which may not be escaped are those with hex values 0x20 - 0x3f or 0x5e. .TP -.B file \fI<f> -Read options from file <f> (the format is described below). +.B file \fIname +Read options from file \fIname\fR (the format is described below). +The file must be readable by the user who has invoked pppd. .TP .B lock -Specifies that \fIpppd\fR should use a UUCP-style lock on the serial -device to ensure exclusive access to the device. -.TP -.B mru \fI<n> -Set the MRU [Maximum Receive Unit] value to <n> for negotiation. -.I pppd -will ask the peer to send packets of no more than <n> bytes. -The minimum MRU value is 128. -The default MRU value is 1500. A value of 296 is recommended for slow -links (40 bytes for TCP/IP header + 256 bytes of data). -.TP -.B netmask \fI<n> -Set the interface netmask to <n>, a 32 bit netmask in "decimal dot" notation -(e.g. 255.255.255.0). +Specifies that pppd should create a UUCP-style lock file for the +serial device to ensure exclusive access to the device. +.TP +.B mru \fIn +Set the MRU [Maximum Receive Unit] value to \fIn\fR. Pppd +will ask the peer to send packets of no more than \fIn\fR bytes. The +minimum MRU value is 128. The default MRU value is 1500. A value of +296 is recommended for slow links (40 bytes for TCP/IP header + 256 +bytes of data). +.TP +.B mtu \fIn +Set the MTU [Maximum Transmit Unit] value to \fIn\fR. Unless the +peer requests a smaller value via MRU negotiation, pppd will +request that the kernel networking code send data packets of no more +than \fIn\fR bytes through the PPP network interface. .TP .B passive -Enables the "passive" option in the LCP. With this option, -.I pppd -will attempt to initiate a connection; if no reply is received from -the peer, -.I pppd -will then just wait passively for a valid LCP packet from the peer -(instead of exiting, as it does without this option). -.TP -.B silent -With this option, -.I pppd -will not transmit LCP packets to initiate a connection until a valid -LCP packet is received from the peer (as for the `passive' option with -old versions of \fIpppd\fR). +Enables the "passive" option in the LCP. With this option, pppd will +attempt to initiate a connection; if no reply is received from the +peer, pppd will then just wait passively for a valid LCP packet from +the peer, instead of exiting, as it would without this option. .SH OPTIONS .TP .I <local_IP_address>\fB:\fI<remote_IP_address> @@ -148,89 +154,14 @@ Set the local and/or remote interface IP addresses. Either one may be omitted. The IP addresses can be specified with a host name or in decimal dot notation (e.g. 150.234.56.78). The default local address is the (first) IP address of the system (unless the -.B noipdefault +\fInoipdefault\fR option is given). The remote address will be obtained from the peer if not specified in any option. Thus, in simple cases, this option is -not required. -If a local and/or remote IP address is specified with this option, -.I pppd +not required. If a local and/or remote IP address is specified with +this option, pppd will not accept a different value from the peer in the IPCP -negotiation, unless the -.B ipcp-accept-local -and/or -.B ipcp-accept-remote -options are given, respectively. -.TP -.B -all -Don't request or allow negotiation of any options for LCP and IPCP (use -default values). -.TP -.B -ac -Disable Address/Control compression negotiation (use default, i.e. -address/control field disabled). -.TP -.B -am -Disable asyncmap negotiation (use the default asyncmap, i.e. escape -all control characters). -.TP -.B -as \fI<n> -Same as -.B asyncmap \fI<n> -.TP -.B -d -Increase debugging level (same as the \fBdebug\fR option). -.TP -.B -detach -Don't fork to become a background process (otherwise -.I pppd -will do so if a serial device is specified). -.TP -.B -ip -Disable IP address negotiation (with this option, the remote IP -address must be specified with an option on the command line or in an -options file). -.TP -.B -mn -Disable magic number negotiation. With this option, -.I pppd -cannot detect a looped-back line. -.TP -.B -mru -Disable MRU [Maximum Receive Unit] negotiation (use default, i.e. 1500). -.TP -.B -p -Same as the -.B passive -option. -.TP -.B -pc -Disable protocol field compression negotiation (use default, i.e. -protocol field compression disabled). -.TP -.B +ua \fI<p> -Agree to authenticate using PAP [Password Authentication Protocol] if -requested by the peer, and -use the data in file <p> for the user and password to send to the -peer. The file contains the remote user name, followed by a newline, -followed by the remote password, followed by a newline. This option -is obsolescent. -.TP -.B +pap -Require the peer to authenticate itself using PAP. -.TP -.B -pap -Don't agree to authenticate using PAP. -.TP -.B +chap -Require the peer to authenticate itself using CHAP [Cryptographic -Handshake Authentication Protocol] authentication. -.TP -.B -chap -Don't agree to authenticate using CHAP. -.TP -.B -vj -Disable negotiation of Van Jacobson style IP header compression (use -default, i.e. no compression). +negotiation, unless the \fIipcp-accept-local\fR and/or +\fIipcp-accept-remote\fR options are given, respectively. .TP .B bsdcomp \fInr,nt Request that the peer compress packets that it sends, using the @@ -241,109 +172,326 @@ given for \fInr\fR. Values in the range 9 to 15 may be used for \fInr\fR and \fInt\fR; larger values give better compression but consume more kernel memory for compression dictionaries. Alternatively, a value of 0 for \fInr\fR or \fInt\fR disables -compression in the corresponding direction. +compression in the corresponding direction. Use \fInobsdcomp\fR or +\fIbsdcomp 0\fR to disable BSD-Compress compression entirely. +.TP +.B chap-interval \fIn +If this option is given, pppd will rechallenge the peer every \fIn\fR +seconds. +.TP +.B chap-max-challenge \fIn +Set the maximum number of CHAP challenge transmissions to \fIn\fR +(default 10). .TP -.B \-bsdcomp -Disables compression; \fBpppd\fR will not request or agree to compress -packets using the BSD-Compress scheme. +.B chap-restart \fIn +Set the CHAP restart interval (retransmission timeout for challenges) +to \fIn\fR seconds (default 3). .TP .B debug -Increase debugging level (same as \fB\-d\fR). -If this -option is given, \fIpppd\fR will log the contents of all control -packets sent or received in a readable form. The packets are logged -through syslog with facility \fIdaemon\fR and level \fIdebug\fR. This -information can be directed to a file by setting up /etc/syslog.conf -appropriately (see syslog.conf(5)). -.TP -.B \-defaultroute -Disable the \fBdefaultroute\fR option. The system administrator who -wishes to prevent users from creating default routes with \fIpppd\fR -can do so by placing this option in the /etc/ppp/options file. +Enables connection debugging facilities. +If this option is given, pppd will log the contents of all +control packets sent or received in a readable form. The packets are +logged through syslog with facility \fIdaemon\fR and level +\fIdebug\fR. This information can be directed to a file by setting up +/etc/syslog.conf appropriately (see syslog.conf(5)). +.TP +.B default-asyncmap +Disable asyncmap negotiation, forcing all control characters to be +escaped for both the transmit and the receive direction. +.TP +.B default-mru +Disable MRU [Maximum Receive Unit] negotiation. With this option, +pppd will use the default MRU value of 1500 bytes for both the +transmit and receive direction. +.TP +.B deflate \fInr,nt +Request that the peer compress packets that it sends, using the +Deflate scheme, with a maximum window size of \fI2**nr\fR bytes, and +agree to compress packets sent to the peer with a maximum window size +of \fI2**nt\fR bytes. If \fInt\fR is not specified, it defaults to +the value given for \fInr\fR. Values in the range 8 to 15 may be used +for \fInr\fR and \fInt\fR; larger values give better compression but +consume more kernel memory for compression dictionaries. +Alternatively, a value of 0 for \fInr\fR or \fInt\fR disables +compression in the corresponding direction. Use \fInodeflate\fR or +\fIdeflate 0\fR to disable Deflate compression entirely. (Note: pppd +requests Deflate compression in preference to BSD-Compress if the peer +can do either.) +.TP +.B demand +Initiate the link only on demand, i.e. when data traffic is present. +With this option, the remote IP address must be specified by the user +on the command line or in an options file. Pppd will initially +configure the interface and enable it for IP traffic without +connecting to the peer. When traffic is available, pppd will +connect to the peer and perform negotiation, authentication, etc. +When this is completed, pppd will commence passing data packets +(i.e., IP packets) across the link. + +The \fIdemand\fR option implies the \fIpersist\fR option. If this +behaviour is not desired, use the \fInopersist\fR option after the +\fIdemand\fR option. The \fIidle\fR and \fIholdoff\fR +options are also useful in conjuction with the \fIdemand\fR option. +.TP +.B domain \fId +Append the domain name \fId\fR to the local host name for authentication +purposes. For example, if gethostname() returns the name porsche, but +the fully qualified domain name is porsche.Quotron.COM, you could +specify \fIdomain Quotron.COM\fR. Pppd would then use the name +\fIporsche.Quotron.COM\fR for looking up secrets in the secrets file, +and as the default name to send to the peer when authenticating itself +to the peer. This option is privileged. +.TP +.B holdoff \fIn +Specifies how many seconds to wait before re-initiating the link after +it terminates. This option only has any effect if the \fIpersist\fR +or \fIdemand\fR option is used. The holdoff period is not applied if +the link was terminated because it was idle. +.TP +.B idle \fIn +Specifies that pppd should disconnect if the link is idle for \fIn\fR +seconds. The link is idle when no data packets (i.e. IP packets) are +being sent or received. Note: it is not advisable to use this option +with the \fIpersist\fR option without the \fIdemand\fR option. +If the \fBactive-filter\fR +option is given, data packets which are rejected by the specified +activity filter also count as the link being idle. +.TP +.B ipcp-accept-local +With this option, pppd will accept the peer's idea of our local IP +address, even if the local IP address was specified in an option. .TP -.B domain \fI<d> -Append the domain name <d> to the local host name for authentication -purposes. For example, if gethostname() returns the name porsche, but the -fully qualified domain name is porsche.Quotron.COM, you would use the -domain option to set the domain name to Quotron.COM. +.B ipcp-accept-remote +With this option, pppd will accept the peer's idea of its (remote) IP +address, even if the remote IP address was specified in an option. +.TP +.B ipcp-max-configure \fIn +Set the maximum number of IPCP configure-request transmissions to +\fIn\fR (default 10). +.TP +.B ipcp-max-failure \fIn +Set the maximum number of IPCP configure-NAKs returned before starting +to send configure-Rejects instead to \fIn\fR (default 10). +.TP +.B ipcp-max-terminate \fIn +Set the maximum number of IPCP terminate-request transmissions to +\fIn\fR (default 3). +.TP +.B ipcp-restart \fIn +Set the IPCP restart interval (retransmission timeout) to \fIn\fR +seconds (default 3). .TP .B ipparam \fIstring Provides an extra parameter to the ip-up and ip-down scripts. If this option is given, the \fIstring\fR supplied is given as the 6th parameter to those scripts. .TP -.B modem -Use the modem control lines. This option is the default. With this -option, -.B pppd -will wait for the CD (Carrier Detect) signal from the modem to be asserted -when opening the serial device -(unless a connect script is specified), and it will drop the DTR (Data -Terminal Ready) signal briefly when the connection is terminated and before -executing the connect script. -On Ultrix, this option implies hardware -flow control, as for the \fBcrtscts\fR option. +.B ipx +Enable the IPXCP and IPX protocols. This option is presently only +supported under Linux, and only if your kernel has been configured to +include IPX support. +.TP +.B ipx-network \fIn +Set the IPX network number in the IPXCP configure request frame to +\fIn\fR, a hexadecimal number (without a leading 0x). There is no +valid default. If this option is not specified, the network number is +obtained from the peer. If the peer does not have the network number, +the IPX protocol will not be started. +.TP +.B ipx-node \fIn\fB:\fIm +Set the IPX node numbers. The two node numbers are separated from each +other with a colon character. The first number \fIn\fR is the local +node number. The second number \fIm\fR is the peer's node number. Each +node number is a hexadecimal number, at most 10 digits long. The node +numbers on the ipx-network must be unique. There is no valid +default. If this option is not specified then the node numbers are +obtained from the peer. +.TP +.B ipx-router-name \fI<string> +Set the name of the router. This is a string and is sent to the peer +as information data. +.TP +.B ipx-routing \fIn +Set the routing protocol to be received by this option. More than one +instance of \fIipx-routing\fR may be specified. The '\fInone\fR' +option (0) may be specified as the only instance of ipx-routing. The +values may be \fI0\fR for \fINONE\fR, \fI2\fR for \fIRIP/SAP\fR, and +\fI4\fR for \fINLSP\fR. +.TP +.B ipxcp-accept-local +Accept the peer's NAK for the node number specified in the ipx-node +option. If a node number was specified, and non-zero, the default is +to insist that the value be used. If you include this option then you +will permit the peer to override the entry of the node number. +.TP +.B ipxcp-accept-network +Accept the peer's NAK for the network number specified in the +ipx-network option. If a network number was specified, and non-zero, the +default is to insist that the value be used. If you include this +option then you will permit the peer to override the entry of the node +number. +.TP +.B ipxcp-accept-remote +Use the peer's network number specified in the configure request +frame. If a node number was specified for the peer and this option was +not specified, the peer will be forced to use the value which you have +specified. +.TP +.B ipxcp-max-configure \fIn +Set the maximum number of IPXCP configure request frames which the +system will send to \fIn\fR. The default is 10. +.TP +.B ipxcp-max-failure \fIn +Set the maximum number of IPXCP NAK frames which the local system will +send before it rejects the options. The default value is 3. +.TP +.B ipxcp-max-terminate \fIn +Set the maximum nuber of IPXCP terminate request frames before the +local system considers that the peer is not listening to them. The +default value is 3. .TP .B kdebug \fIn Enable debugging code in the kernel-level PPP driver. The argument \fIn\fR is a number which is the sum of the following values: 1 to enable general debug messages, 2 to request that the contents of received packets be printed, and 4 to request that the contents of -transmitted packets be printed. +transmitted packets be printed. On most systems, messages printed by +the kernel are logged by syslog(1) to a file as directed in the +/etc/syslog.conf configuration file. .TP -.B local -Don't use the modem control lines. With this option, -.B pppd -will ignore the state of the CD (Carrier Detect) signal from the modem and -will not change the state of the DTR (Data Terminal Ready) signal. +.B lcp-echo-failure \fIn +If this option is given, pppd will presume the peer to be dead +if \fIn\fR LCP echo-requests are sent without receiving a valid LCP +echo-reply. If this happens, pppd will terminate the +connection. Use of this option requires a non-zero value for the +\fIlcp-echo-interval\fR parameter. This option can be used to enable +pppd to terminate after the physical connection has been broken +(e.g., the modem has hung up) in situations where no hardware modem +control lines are available. .TP -.B mtu \fI<n> -Set the MTU [Maximum Transmit Unit] value to \fI<n>\fR. Unless the -peer requests a smaller value via MRU negotiation, \fIpppd\fR will -request that the kernel networking code send data packets of no more -than \fIn\fR bytes through the PPP network interface. +.B lcp-echo-interval \fIn +If this option is given, pppd will send an LCP echo-request frame to +the peer every \fIn\fR seconds. Normally the peer should respond to +the echo-request by sending an echo-reply. This option can be used +with the \fIlcp-echo-failure\fR option to detect that the peer is no +longer connected. .TP -.B name \fI<n> -Set the name of the local system for authentication purposes to <n>. +.B lcp-max-configure \fIn +Set the maximum number of LCP configure-request transmissions to +\fIn\fR (default 10). .TP -.B user \fI<u> -Set the user name to use for authenticating this machine with the peer -using PAP to <u>. +.B lcp-max-failure \fIn +Set the maximum number of LCP configure-NAKs returned before starting +to send configure-Rejects instead to \fIn\fR (default 10). .TP -.B usehostname -Enforce the use of the hostname as the name of the local system for -authentication purposes (overrides the -.B name -option). +.B lcp-max-terminate \fIn +Set the maximum number of LCP terminate-request transmissions to +\fIn\fR (default 3). .TP -.B remotename \fI<n> -Set the assumed name of the remote system for authentication purposes -to <n>. +.B lcp-restart \fIn +Set the LCP restart interval (retransmission timeout) to \fIn\fR +seconds (default 3). .TP -.B papcrypt -Indicates that all secrets in the /etc/ppp/pap-secrets file which -are used for checking the identity of the peer are encrypted, and thus -pppd should not accept a password which (before encryption) is -identical to the secret from the /etc/ppp/pap-secrets file. +.B local +Don't use the modem control lines. With this option, pppd will ignore +the state of the CD (Carrier Detect) signal from the modem and will +not change the state of the DTR (Data Terminal Ready) signal. .TP -.B proxyarp -Add an entry to this system's ARP [Address Resolution Protocol] table -with the IP address of the peer and the Ethernet address of this -system. +.B login +Use the system password database for authenticating the peer using +PAP, and record the user in the system wtmp file. Note that the peer +must have an entry in the /etc/ppp/pap-secrets file as well as the +system password database to be allowed access. .TP -.B \-proxyarp -Disable the \fBproxyarp\fR option. The system administrator who -wishes to prevent users from creating proxy ARP entries with -\fIpppd\fR can do so by placing this option in the /etc/ppp/options -file. +.B maxconnect \fIn +Terminate the connection when it has been available for network +traffic for \fIn\fR seconds (i.e. \fIn\fR seconds after the first +network control protocol comes up). .TP -.B persist -Do not exit after a connection is terminated; instead try to reopen -the connection. +.B modem +Use the modem control lines. This option is the default. With this +option, pppd will wait for the CD (Carrier Detect) signal from the +modem to be asserted when opening the serial device (unless a connect +script is specified), and it will drop the DTR (Data Terminal Ready) +signal briefly when the connection is terminated and before executing +the connect script. On Ultrix, this option implies hardware flow +control, as for the \fIcrtscts\fR option. +.TP +.B ms-dns \fI<addr> +If pppd is acting as a server for Microsoft Windows clients, this +option allows pppd to supply one or two DNS (Domain Name Server) +addresses to the clients. The first instance of this option specifies +the primary DNS address; the second instance (if given) specifies the +secondary DNS address. (This option was present in some older +versions of pppd under the name \fBdns-addr\fR.) +.TP +.B ms-wins \fI<addr> +If pppd is acting as a server for Microsoft Windows or "Samba" +clients, this option allows pppd to supply one or two WINS (Windows +Internet Name Services) server addresses to the clients. The first +instance of this option specifies the primary WINS address; the second +instance (if given) specifies the secondary WINS address. +.TP +.B name \fIname +Set the name of the local system for authentication purposes to +\fIname\fR. This is a privileged option. With this option, pppd will +use lines in the secrets files which have \fIname\fR as the second +field when looking for a secret to use in authenticating the peer. In +addition, unless overridden with the \fIuser\fR option, \fIname\fR +will be used as the name to send to the peer when authenticating the +local system to the peer. (Note that pppd does not append the domain +name to \fIname\fR.) +.TP +.B netmask \fIn +Set the interface netmask to \fIn\fR, a 32 bit netmask in "decimal dot" +notation (e.g. 255.255.255.0). If this option is given, the value +specified is ORed with the default netmask. The default netmask is +chosen based on the negotiated remote IP address; it is the +appropriate network mask for the class of the remote IP address, ORed +with the netmasks for any non point-to-point network interfaces in the +system which are on the same network. +.TP +.B noaccomp +Disable Address/Control compression in both directions (send and +receive). +.TP +.B noauth +Do not require the peer to authenticate itself. This option is +privileged if the \fIauth\fR option is specified in /etc/ppp/options. +.TP +.B nobsdcomp +Disables BSD-Compress compression; \fBpppd\fR will not request or +agree to compress packets using the BSD-Compress scheme. +.TP +.B noccp +Disable CCP (Compression Control Protocol) negotiation. This option +should only be required if the peer is buggy and gets confused by +requests from pppd for CCP negotiation. +.TP +.B nocrtscts +Disable hardware flow control (i.e. RTS/CTS) on the serial port. If +neither the \fIcrtscts\fR nor the \fInocrtscts\fR option is given, +the hardware flow control setting for the serial port is left +unchanged. .TP -.B login -Use the system password database for authenticating the peer using -PAP. +.B nodefaultroute +Disable the \fIdefaultroute\fR option. The system administrator who +wishes to prevent users from creating default routes with pppd +can do so by placing this option in the /etc/ppp/options file. +.TP +.B nodeflate +Disables Deflate compression; pppd will not request or agree to +compress packets using the Deflate scheme. +.TP +.B nodetach +Don't detach from the controlling terminal. Without this option, if a +serial device other than the terminal on the standard input is +specified, pppd will fork to become a background process. +.TP +.B noip +Disable IPCP negotiation and IP communication. This option should +only be required if the peer is buggy and gets confused by requests +from pppd for IPCP negotiation. .TP .B noipdefault Disables the default behaviour when no local IP address is specified, @@ -352,319 +500,477 @@ hostname. With this option, the peer will have to supply the local IP address during IPCP negotiation (unless it specified explicitly on the command line or in an options file). .TP -.B lcp-echo-interval \fI<n> -If this option is given, \fIpppd\fR will send an LCP echo-request -frame to the peer every \fIn\fR seconds. Under Linux, the -echo-request is sent when no packets have been received from the peer -for \fIn\fR seconds. Normally the peer should respond to the -echo-request by sending an echo-reply. This option can be used with -the \fIlcp-echo-failure\fR option to detect that the peer is no longer -connected. -.TP -.B lcp-echo-failure \fI<n> -If this option is given, \fIpppd\fR will presume the peer to be dead -if \fIn\fR LCP echo-requests are sent without receiving a valid LCP -echo-reply. If this happens, \fIpppd\fR will terminate the -connection. Use of this option requires a non-zero value for the -\fIlcp-echo-interval\fR parameter. This option can be used to enable -\fIpppd\fR to terminate after the physical connection has been broken -(e.g., the modem has hung up) in situations where no hardware modem -control lines are available. -.TP -.B lcp-restart \fI<n> -Set the LCP restart interval (retransmission timeout) to <n> seconds -(default 3). +.B noipx +Disable the IPXCP and IPX protocols. This option should only be +required if the peer is buggy and gets confused by requests from pppd +for IPXCP negotiation. .TP -.B lcp-max-terminate \fI<n> -Set the maximum number of LCP terminate-request transmissions to <n> -(default 3). +.B nomagic +Disable magic number negotiation. With this option, pppd cannot +detect a looped-back line. This option should only be needed if the +peer is buggy. .TP -.B lcp-max-configure \fI<n> -Set the maximum number of LCP configure-request transmissions to <n> -(default 10). +.B nopcomp +Disable protocol field compression negotiation in both the receive and +the transmit direction. .TP -.B lcp-max-failure \fI<n> -Set the maximum number of LCP configure-NAKs returned before starting -to send configure-Rejects instead to <n> (default 10). +.B nopersist +Exit once a connection has been made and terminated. This is the +default unless the \fIpersist\fR or \fIdemand\fR option has been +specified. .TP -.B ipcp-restart \fI<n> -Set the IPCP restart interval (retransmission timeout) to <n> seconds -(default 3). +.B nopredictor1 +Do not accept or agree to Predictor-1 comprssion. .TP -.B ipcp-max-terminate \fI<n> -Set the maximum number of IPCP terminate-request transmissions to <n> -(default 3). +.B noproxyarp +Disable the \fIproxyarp\fR option. The system administrator who +wishes to prevent users from creating proxy ARP entries with pppd can +do so by placing this option in the /etc/ppp/options file. .TP -.B ipcp-max-configure \fI<n> -Set the maximum number of IPCP configure-request transmissions to <n> -(default 10). +.B novj +Disable Van Jacobson style TCP/IP header compression in both the +transmit and the receive direction. .TP -.B ipcp-max-failure \fI<n> -Set the maximum number of IPCP configure-NAKs returned before starting -to send configure-Rejects instead to <n> (default 10). +.B novjccomp +Disable the connection-ID compression option in Van Jacobson style +TCP/IP header compression. With this option, pppd will not omit the +connection-ID byte from Van Jacobson compressed TCP/IP headers, nor +ask the peer to do so. .TP -.B pap-restart \fI<n> -Set the PAP restart interval (retransmission timeout) to <n> seconds -(default 3). +.B papcrypt +Indicates that all secrets in the /etc/ppp/pap-secrets file which are +used for checking the identity of the peer are encrypted, and thus +pppd should not accept a password which, before encryption, is +identical to the secret from the /etc/ppp/pap-secrets file. .TP -.B pap-max-authreq \fI<n> +.B pap-max-authreq \fIn Set the maximum number of PAP authenticate-request transmissions to -<n> (default 10). +\fIn\fR (default 10). +.TP +.B pap-restart \fIn +Set the PAP restart interval (retransmission timeout) to \fIn\fR +seconds (default 3). +.TP +.B pap-timeout \fIn +Set the maximum time that pppd will wait for the peer to authenticate +itself with PAP to \fIn\fR seconds (0 means no limit). +.TP +.B pass-filter \fIfilter-expression +Specifies a packet filter to applied to data packets being sent or +received to determine which packets should be allowed to pass. +Packets which are rejected by the filter are silently discarded. This +option can be used to prevent specific network daemons (such as +routed) using up link bandwidth, or to provide a basic firewall +capability. +The \fIfilter-expression\fR syntax is as described for tcpdump(1), +except that qualifiers which are inappropriate for a PPP link, such as +\fBether\fR and \fBarp\fR, are not permitted. Generally the filter +expression should be enclosed in single-quotes to prevent whitespace +in the expression from being interpreted by the shell. Note that it +is possible to apply different constraints to incoming and outgoing +packets using the \fBinbound\fR and \fBoutbound\fR qualifiers. This +option is currently only available under NetBSD, and then only if both +the kernel and pppd were compiled with PPP_FILTER defined. .TP -.B pap-timeout \fI<n> -Set the maximum time that -.I pppd -will wait for the peer to authenticate itself with PAP to -<n> seconds (0 means no limit). +.B persist +Do not exit after a connection is terminated; instead try to reopen +the connection. .TP -.B chap-restart \fI<n> -Set the CHAP restart interval (retransmission timeout for challenges) -to <n> seconds (default 3). +.B predictor1 +Request that the peer compress frames that it sends using Predictor-1 +compression, and agree to compress transmitted frames with Predictor-1 +if requested. This option has no effect unless the kernel driver +supports Predictor-1 compression. .TP -.B chap-max-challenge \fI<n> -Set the maximum number of CHAP challenge transmissions to <n> (default -10). +.B proxyarp +Add an entry to this system's ARP [Address Resolution Protocol] table +with the IP address of the peer and the Ethernet address of this +system. This will have the effect of making the peer appear to other +systems to be on the local ethernet. .TP -.B chap-interval \fI<n> -If this option is given, -.I pppd -will rechallenge the peer every <n> seconds. +.B remotename \fIname +Set the assumed name of the remote system for authentication purposes +to \fIname\fR. .TP -.B ipcp-accept-local -With this option, -.I pppd -will accept the peer's idea of our local IP address, even if the -local IP address was specified in an option. +.B refuse-chap +With this option, pppd will not agree to authenticate itself to the +peer using CHAP. .TP -.B ipcp-accept-remote -With this option, -.I pppd -will accept the peer's idea of its (remote) IP address, even if the -remote IP address was specified in an option. +.B refuse-pap +With this option, pppd will not agree to authenticate itself to the +peer using PAP. +.TP +.B require-chap +Require the peer to authenticate itself using CHAP [Challenge +Handshake Authentication Protocol] authentication. +.TP +.B require-pap +Require the peer to authenticate itself using PAP [Password +Authentication Protocol] authentication. +.TP +.B silent +With this option, pppd will not transmit LCP packets to initiate a +connection until a valid LCP packet is received from the peer (as for +the `passive' option with ancient versions of pppd). +.TP +.B usehostname +Enforce the use of the hostname (with domain name appended, if given) +as the name of the local system for authentication purposes (overrides +the \fIname\fR option). +.TP +.B user \fIname +Sets the name used for authenticating the local system to the peer to +\fIname\fR. +.TP +.B vj-max-slots \fIn +Sets the number of connection slots to be used by the Van Jacobson +TCP/IP header compression and decompression code to \fIn\fR, which +must be between 2 and 16 (inclusive). +.TP +.B welcome \fIscript +Run the executable or shell command specified by \fIscript\fR before +initiating PPP negotiation, after the connect script (if any) has +completed. This option is privileged if the \fInoauth\fR option is +used. +.TP +.B xonxoff +Use software flow control (i.e. XON/XOFF) to control the flow of data on +the serial port. .SH OPTIONS FILES -Options can be taken from files as well as the command line. -.I pppd -reads options from the files /etc/ppp/options and ~/.ppprc before -looking at the command line. An options file is parsed into a series -of words, delimited by whitespace. Whitespace can be included in a -word by enclosing the word in quotes ("). A backslash (\\) quotes the -following character. A hash (#) starts a comment, which continues -until the end of the line. -.SH AUTHENTICATION +Options can be taken from files as well as the command line. Pppd +reads options from the files /etc/ppp/options, ~/.ppprc and +/etc/ppp/options.\fIttyname\fR (in that order) before processing the +options on the command line. (In fact, the command-line options are +scanned to find the terminal name before the options.\fIttyname\fR +file is read.) In forming the name of the options.\fIttyname\fR file, +the initial /dev/ is removed from the terminal name, and any remaining +/ characters are replaced with dots. +.PP +An options file is parsed into a series of words, delimited by +whitespace. Whitespace can be included in a word by enclosing the +word in quotes ("). A backslash (\\) quotes the following character. +A hash (#) starts a comment, which continues until the end of the +line. There is no restriction on using the \fIfile\fR or \fIcall\fR +options within an options file. +.SH SECURITY .I pppd provides system administrators with sufficient access control that PPP access to a server machine can be provided to legitimate users without fear of compromising the security of the server or the network it's on. In part this is provided by the /etc/ppp/options file, where the -administrator can place options to require authentication whenever -.I pppd -is run, and in part by the PAP and CHAP secrets files, where the +administrator can place options to restrict the ways in which pppd can +be used, and in part by the PAP and CHAP secrets files, where the administrator can restrict the set of IP addresses which individual users may use. +.PP +The normal way that pppd should be set up is to have the \fIauth\fR +option in the /etc/ppp/options file. (This may become the default in +later releases.) If users wish to use pppd to dial out to a peer +which will refuse to authenticate itself (such as an internet service +provider), the system administrator should create an options file +under /etc/ppp/peers containing the \fInoauth\fR option, the name of +the serial port to use, and the \fIconnect\fR option (if required), +plus any other appropriate options. In this way, pppd can be set up +to allow non-privileged users to make unauthenticated connections only +to trusted peers. +.PP +As indicated above, some security-sensitive options are privileged, +which means that they may not be used by an ordinary non-privileged +user running a setuid-root pppd, either on the command line, in the +user's ~/.ppprc file, or in an options file read using the \fIfile\fR +option. Privileged options may be used in /etc/ppp/options file or in +an options file read using the \fIcall\fR option. If pppd is being +run by the root user, privileged options can be used without +restriction. +.SH AUTHENTICATION +Authentication is the process whereby one peer convinces the other of +its identity. This involves the first peer sending its name to the +other, together with some kind of secret information which could only +come from the genuine authorized user of that name. In such an +exchange, we will call the first peer the "client" and the other the +"server". The client has a name by which it identifies itself to the +server, and the server also has a name by which it identifies itself +to the client. Generally the genuine client shares some secret (or +password) with the server, and authenticates itself by proving that it +knows that secret. Very often, the names used for authentication +correspond to the internet hostnames of the peers, but this is not +essential. .LP -The default behaviour of -.I pppd -is to agree to authenticate if requested, and to not -require authentication from the peer. However, -.I pppd -will not agree to -authenticate itself with a particular protocol if it has no secrets -which could be used to do so. +At present, pppd supports two authentication protocols: the Password +Authentication Protocol (PAP) and the Challenge Handshake +Authentication Protocol (CHAP). PAP involves the client sending its +name and a cleartext password to the server to authenticate itself. +In contrast, the server initiates the CHAP authentication exchange by +sending a challenge to the client (the challenge packet includes the +server's name). The client must respond with a response which +includes its name plus a hash value derived from the shared secret and +the challenge, in order to prove that it knows the secret. .LP -Authentication is based on secrets, which are selected from secrets -files (/etc/ppp/pap-secrets for PAP, /etc/ppp/chap-secrets for CHAP). -Both secrets files have the same format, and both can store secrets -for several combinations of server (authenticating peer) and client -(peer being authenticated). Note that -.I pppd -can be both a server -and client, and that different protocols can be used in the two -directions if desired. +The PPP protocol, being symmetrical, allows both peers to require the +other to authenticate itself. In that case, two separate and +independent authentication exchanges will occur. The two exchanges +could use different authentication protocols, and in principle, +different names could be used in the two exchanges. .LP -A secrets file is parsed into words as for a options file. A secret -is specified by a line containing at least 3 words, in the order -client name, server name, secret. Any following words on the same line are -taken to be a list of acceptable IP addresses for that client. If -there are only 3 words on the line, it is assumed that any IP address -is OK; to disallow all IP addresses, use "-". If the secret starts -with an `@', what follows is assumed to be the name of a file from -which to read the secret. A "*" as the client or server name matches -any name. When selecting a secret, \fIpppd\fR takes the best match, i.e. -the match with the fewest wildcards. +The default behaviour of pppd is to agree to authenticate if +requested, and to not require authentication from the peer. However, +pppd will not agree to authenticate itself with a particular protocol +if it has no secrets which could be used to do so. .LP -Thus a secrets file contains both secrets for use in authenticating -other hosts, plus secrets which we use for authenticating ourselves to -others. Which secret to use is chosen based on the names of the host -(the `local name') and its peer (the `remote name'). The local name -is set as follows: -.TP 3 -if the \fBusehostname\fR option is given, -then the local name is the hostname of this machine -(with the domain appended, if given) -.TP 3 -else if the \fBname\fR option is given, -then use the argument of the first \fBname\fR option seen -.TP 3 -else if the local IP address is specified with a hostname, -then use that name -.TP 3 -else use the hostname of this machine (with the domain appended, if given) +Pppd stores secrets for use in authentication in secrets +files (/etc/ppp/pap-secrets for PAP, /etc/ppp/chap-secrets for CHAP). +Both secrets files have the same format. The secrets files can +contain secrets for pppd to use in authenticating itself to other +systems, as well as secrets for pppd to use when authenticating other +systems to itself. .LP -When authenticating ourselves using PAP, there is also a `username' -which is the local name by default, but can be set with the \fBuser\fR -option or the \fB+ua\fR option. +Each line in a secrets file contains one secret. A given secret is +specific to a particular combination of client and server - it can +only be used by that client to authenticate itself to that server. +Thus each line in a secrets file has at least 3 fields: the name of +the client, the name of the server, and the secret. These fields may +be followed by a list of the IP addresses that the specified client +may use when connecting to the specified server. .LP -The remote name is set as follows: -.TP 3 -if the \fBremotename\fR option is given, -then use the argument of the last \fBremotename\fR option seen -.TP 3 -else if the remote IP address is specified with a hostname, -then use that host name -.TP 3 -else the remote name is the null string "". +A secrets file is parsed into words as for a options file, so the +client name, server name and secrets fields must each be one word, +with any embedded spaces or other special characters quoted or +escaped. Any following words on the same line are taken to be a list +of acceptable IP addresses for that client. If there are only 3 words +on the line, or if the first word is "-", then all IP addresses are +disallowed. To allow any address, use "*". +A word starting with "!" indicates that the +specified address is \fInot\fR acceptable. An address may be followed +by "/" and a number \fIn\fR, to indicate a whole subnet, i.e. all +addresses which have the same value in the most significant \fIn\fR +bits. Note that case is significant in the client and server names +and in the secret. .LP -Secrets are selected from the PAP secrets file as follows: -.TP 2 -* -For authenticating the peer, look for a secret with client == -username specified in the PAP authenticate-request, and server == -local name. -.TP 2 -* -For authenticating ourselves to the peer, look for a secret with -client == our username, server == remote name. +If the secret starts with an `@', what follows is assumed to be the +name of a file from which to read the secret. A "*" as the client or +server name matches any name. When selecting a secret, pppd takes the +best match, i.e. the match with the fewest wildcards. .LP -When authenticating the peer with PAP, a secret of "" matches any -password supplied by the peer. If the password doesn't match the -secret, the password is encrypted using crypt() and checked against -the secret again; thus secrets for authenticating the peer can be -stored in encrypted form. If the \fBpapcrypt\fR option is given, the -first (unencrypted) comparison is omitted, for better security. +Thus a secrets file contains both secrets for use in authenticating +other hosts, plus secrets which we use for authenticating ourselves to +others. When pppd is authenticating the peer (checking the peer's +identity), it chooses a secret with the peer's name in the first +field and the name of the local system in the second field. The +name of the local system defaults to the hostname, with the domain +name appended if the \fIdomain\fR option is used. This default can be +overridden with the \fIname\fR option, except when the +\fIusehostname\fR option is used. .LP -If the \fBlogin\fR option was specified, the -username and password are also checked against the system password -database. Thus, the system administrator can set up the pap-secrets -file to allow PPP access only to certain users, and to restrict the -set of IP addresses that each user can use. Typically, when using the -\fBlogin\fR option, the secret in /etc/ppp/pap-secrets would be "", to -avoid the need to have the same secret in two places. +When pppd is choosing a secret to use in authenticating itself to the +peer, it first determines what name it is going to use to identify +itself to the peer. This name can be specified by the user with the +\fIuser\fR option. If this option is not used, the name defaults to +the name of the local system, determined as described in the previous +paragraph. Then pppd looks for a secret with this name in the first +field and the peer's name in the second field. Pppd will know the +name of the peer if CHAP authentication is being used, because the +peer will have sent it in the challenge packet. However, if PAP is being +used, pppd will have to determine the peer's name from the options +specified by the user. The user can specify the peer's name directly +with the \fIremotename\fR option. Otherwise, if the remote IP address +was specified by a name (rather than in numeric form), that name will +be used as the peer's name. Failing that, pppd will use the null +string as the peer's name. .LP -Secrets are selected from the CHAP secrets file as follows: -.TP 2 -* -For authenticating the peer, look for a secret with client == name -specified in the CHAP-Response message, and server == local name. -.TP 2 -* -For authenticating ourselves to the peer, look for a secret with -client == local name, and server == name specified in the -CHAP-Challenge message. +When authenticating the peer with PAP, the supplied password is first +compared with the secret from the secrets file. If the password +doesn't match the secret, the password is encrypted using crypt() and +checked against the secret again. Thus secrets for authenticating the +peer can be stored in encrypted form if desired. If the +\fIpapcrypt\fR option is given, the first (unencrypted) comparison is +omitted, for better security. +.LP +Furthermore, if the \fIlogin\fR option was specified, the username and +password are also checked against the system password database. Thus, +the system administrator can set up the pap-secrets file to allow PPP +access only to certain users, and to restrict the set of IP addresses +that each user can use. Typically, when using the \fIlogin\fR option, +the secret in /etc/ppp/pap-secrets would be "", which will match any +password supplied by the peer. This avoids the need to have the same +secret in two places. .LP Authentication must be satisfactorily completed before IPCP (or any -other Network Control Protocol) can be started. If authentication -fails, \fIpppd\fR will terminated the link (by closing LCP). If IPCP -negotiates an unacceptable IP address for the remote host, IPCP will -be closed. IP packets can only be sent or received when IPCP is open. +other Network Control Protocol) can be started. If the peer is +required to authenticate itself, and fails to do so, pppd will +terminated the link (by closing LCP). If IPCP negotiates an +unacceptable IP address for the remote host, IPCP will be closed. IP +packets can only be sent or received when IPCP is open. .LP In some cases it is desirable to allow some hosts which can't authenticate themselves to connect and use one of a restricted set of IP addresses, even when the local host generally requires authentication. If the peer refuses to authenticate itself when -requested, \fIpppd\fR takes that as equivalent to authenticating with -PAP using the empty string for the username and password. Thus, by -adding a line to the pap-secrets file which specifies the empty string -for the client and password, it is possible to allow restricted access -to hosts which refuse to authenticate themselves. +requested, pppd takes that as equivalent to authenticating with PAP +using the empty string for the username and password. Thus, by adding +a line to the pap-secrets file which specifies the empty string for +the client and password, it is possible to allow restricted access to +hosts which refuse to authenticate themselves. .SH ROUTING .LP -When IPCP negotiation is completed successfully, -.I pppd -will inform the kernel of the local and remote IP addresses for the -ppp interface. This is sufficient to create a -host route to the remote end of the link, which will enable the peers -to exchange IP packets. Communication with other machines generally -requires further modification to routing tables and/or ARP (Address -Resolution Protocol) tables. In some cases this will be done -automatically through the actions of the \fIrouted\fR or \fIgated\fR -daemons, but in most cases some further intervention is required. +When IPCP negotiation is completed successfully, pppd will inform the +kernel of the local and remote IP addresses for the ppp interface. +This is sufficient to create a host route to the remote end of the +link, which will enable the peers to exchange IP packets. +Communication with other machines generally requires further +modification to routing tables and/or ARP (Address Resolution +Protocol) tables. In most cases the \fIdefaultroute\fR and/or +\fIproxyarp\fR options are sufficient for this, but in some cases +further intervention is required. The /etc/ppp/ip-up script can be +used for this. .LP -Sometimes it is desirable -to add a default route through the remote host, as in the case of a -machine whose only connection to the Internet is through the ppp -interface. The \fBdefaultroute\fR option causes \fIpppd\fR to create such a -default route when IPCP comes up, and delete it when the link is -terminated. +Sometimes it is desirable to add a default route through the remote +host, as in the case of a machine whose only connection to the +Internet is through the ppp interface. The \fIdefaultroute\fR option +causes pppd to create such a default route when IPCP comes up, and +delete it when the link is terminated. .LP In some cases it is desirable to use proxy ARP, for example on a server machine connected to a LAN, in order to allow other hosts to -communicate with the remote host. The \fBproxyarp\fR option causes \fIpppd\fR -to look for a network interface on the same subnet as the remote host -(an interface supporting broadcast and ARP, which is up and not a -point-to-point or loopback interface). If found, \fIpppd\fR creates a +communicate with the remote host. The \fIproxyarp\fR option causes +pppd to look for a network interface on the same subnet as the remote +host (an interface supporting broadcast and ARP, which is up and not a +point-to-point or loopback interface). If found, pppd creates a permanent, published ARP entry with the IP address of the remote host and the hardware address of the network interface found. +.LP +When the \fIdemand\fR option is used, the interface IP addresses have +already been set at the point when IPCP comes up. If pppd has not +been able to negotiate the same addresses that it used to configure +the interface (for example when the peer is an ISP that uses dynamic +IP address assignment), pppd has to change the interface IP addresses +to the negotiated addresses. This may disrupt existing connections, +and the use of demand dialling with peers that do dynamic IP address +assignment is not recommended. .SH EXAMPLES .LP -In the simplest case, you can connect the serial ports of two machines -and issue a command like +The following examples assume that the /etc/ppp/options file contains +the \fIauth\fR option (as in the default /etc/ppp/options file in the +ppp distribution). +.LP +Probably the most common use of pppd is to dial out to an ISP. This +can be done with a command such as +.IP +pppd call isp +.LP +where the /etc/ppp/peers/isp file is set up by the system +administrator to contain something like this: .IP -pppd /dev/ttya 9600 passive +ttyS0 19200 crtscts +.br +connect '/usr/sbin/chat -v -f /etc/ppp/chat-isp' +.br +noauth .LP -to each machine, assuming there is no \fIgetty\fR running on the -serial ports. If one machine has a \fIgetty\fR running, you can use -\fIkermit\fR or \fItip\fR on the other machine to log in to the first -machine and issue a command like +In this example, we are using chat to dial the ISP's modem and go +through any logon sequence required. The /etc/ppp/chat-isp file +contains the script used by chat; it could for example contain +something like this: .IP -pppd passive +ABORT "NO CARRIER" +.br +ABORT "NO DIALTONE" +.br +ABORT "ERROR" +.br +ABORT "NO ANSWER" +.br +ABORT "BUSY" +.br +ABORT "Username/Password Incorrect" +.br +"" "at" +.br +OK "at&d0&c1" +.br +OK "atdt2468135" +.br +"name:" "^Umyuserid" +.br +"word:" "\\qmypassword" +.br +"ispts" "\\q^Uppp" +.br +"~-^Uppp-~" +.LP +See the chat(8) man page for details of chat scripts. .LP -Then exit from the communications program (making sure the connection -isn't dropped), and issue a command like +Pppd can also be used to provide a dial-in ppp service for users. If +the users already have login accounts, the simplest way to set up the +ppp service is to let the users log in to their accounts and run pppd +(installed setuid-root) with a command such as .IP -pppd /dev/ttya 9600 +pppd proxyarp .LP -The process of logging in to the other machine and starting \fIpppd\fR -can be automated by using the \fBconnect\fR option to run \fIchat\fR, -for example: +To allow a user to use the PPP facilities, you need to allocate an IP +address for that user's machine and create an entry in +/etc/ppp/pap-secrets or /etc/ppp/chap-secrets (depending on which +authentication method the PPP implementation on the user's machine +supports), so that the user's +machine can authenticate itself. For example, if Joe has a machine +called "joespc" which is to be allowed to dial in to the machine +called "server" and use the IP address joespc.my.net, you would add an +entry like this to /etc/ppp/pap-secrets or /etc/ppp/chap-secrets: .IP -pppd /dev/ttya 38400 connect 'chat "" "" "login:" "username" -"Password:" "password" "% " "exec pppd passive"' +joespc server "joe's secret" joespc.my.net .LP -(Note however that running chat like this will leave the password -visible in the parameter list of pppd and chat.) +Alternatively, you can create a username called (for example) "ppp", +whose login shell is pppd and whose home directory is /etc/ppp. +Options to be used when pppd is run this way can be put in +/etc/ppp/.ppprc. .LP If your serial connection is any more complicated than a piece of wire, you may need to arrange for some control characters to be escaped. In particular, it is often useful to escape XON (^Q) and -XOFF (^S), using \fBasyncmap a0000\fR. If the path includes a telnet, -you probably should escape ^] as well (\fBasyncmap 200a0000\fR). -If the path includes an rlogin, you will need to use the \fBescape -ff\fR option on the end which is running the rlogin client, since many -rlogin implementations are not -transparent; they will remove the sequence [0xff, 0xff, 0x73, 0x73, -followed by any 8 bytes] from the stream. +XOFF (^S), using \fIasyncmap a0000\fR. If the path includes a telnet, +you probably should escape ^] as well (\fIasyncmap 200a0000\fR). If +the path includes an rlogin, you will need to use the \fIescape ff\fR +option on the end which is running the rlogin client, since many +rlogin implementations are not transparent; they will remove the +sequence [0xff, 0xff, 0x73, 0x73, followed by any 8 bytes] from the +stream. .SH DIAGNOSTICS .LP Messages are sent to the syslog daemon using facility LOG_DAEMON. -(This can be overriden by recompiling \fIpppd\fR with the macro +(This can be overriden by recompiling pppd with the macro LOG_PPP defined as the desired facility.) In order to see the error and debug messages, you will need to edit your /etc/syslog.conf file to direct the messages to the desired output device or file. .LP -The \fBdebug\fR option causes the contents of all control packets sent +The \fIdebug\fR option causes the contents of all control packets sent or received to be logged, that is, all LCP, PAP, CHAP or IPCP packets. -This can be useful if the PPP negotiation does not succeed. -If debugging is enabled at compile time, the \fBdebug\fR option also +This can be useful if the PPP negotiation does not succeed or if +authentication fails. +If debugging is enabled at compile time, the \fIdebug\fR option also causes other debugging messages to be logged. .LP -Debugging can also be enabled or disabled by sending a -SIGUSR1 to the -.I pppd -process. This signal acts as a toggle. +Debugging can also be enabled or disabled by sending a SIGUSR1 signal +to the pppd process. This signal acts as a toggle. .SH FILES .TP .B /var/run/ppp\fIn\fB.pid \fR(BSD or Linux), \fB/etc/ppp/ppp\fIn\fB.pid \fR(others) -Process-ID for \fIpppd\fR process on ppp interface unit \fIn\fR. +Process-ID for pppd process on ppp interface unit \fIn\fR. +.TP +.B /etc/ppp/auth-up +A program or script which is executed after the remote system +successfully authenticates itself. It is executed with the parameters +.IP +\fIinterface-name peer-name user-name tty-device speed\fR +.IP +and with its standard input, output and error redirected to +/dev/null. This program or script is executed with the real and +effective user-IDs set to root, and with an empty environment. (Note +that this script is not executed if the peer doesn't authenticate +itself, for example when the \fInoauth\fR option is used.) +.TP +.B /etc/ppp/auth-down +A program or script which is executed when the link goes down, if +/etc/ppp/auth-up was previously executed. It is executed in the same +manner with the same parameters as /etc/ppp/auth-up. .TP .B /etc/ppp/ip-up A program or script which is executed when the link is available for @@ -672,104 +978,157 @@ sending and receiving IP packets (that is, IPCP has come up). It is executed with the parameters .IP \fIinterface-name tty-device speed local-IP-address -remote-IP-address\fR +remote-IP-address ipparam\fR .IP and with its standard input, -output and error streams redirected to \fB/dev/null\fR. +output and error streams redirected to /dev/null. +.IP +This program or script is executed with the real and effective +user-IDs set to root. This is so that it can be used to manipulate +routes, run privileged daemons (e.g. \fIsendmail\fR), etc. Be +careful that the contents of the /etc/ppp/ip-up and /etc/ppp/ip-down +scripts do not compromise your system's security. .IP -This program or script is executed with the same real and effective -user-ID as \fIpppd\fR, that is, at least the effective user-ID and -possibly the real user-ID will be \fBroot\fR. This is so that it can -be used to manipulate routes, run privileged daemons (e.g. -\fBsendmail\fR), etc. Be careful that the contents of the -/etc/ppp/ip-up and /etc/ppp/ip-down scripts do not compromise your -system's security. +This program or script is executed with an empty environment, so you +must either specify a PATH or use full pathnames. .TP .B /etc/ppp/ip-down A program or script which is executed when the link is no longer available for sending and receiving IP packets. This script can be used for undoing the effects of the /etc/ppp/ip-up script. It is -invoked with the same parameters as the ip-up script, and the same -security considerations apply, since it is executed with the same -effective and real user-IDs as \fIpppd\fR. +invoked in the same manner and with the same parameters as the ip-up +script, and the same security considerations apply. +.TP +.B /etc/ppp/ipx-up +A program or script which is executed when the link is available for +sending and receiving IPX packets (that is, IPXCP has come up). It is +executed with the parameters +.IP +\fIinterface-name tty-device speed network-number local-IPX-node-address +remote-IPX-node-address local-IPX-routing-protocol remote-IPX-routing-protocol +local-IPX-router-name remote-IPX-router-name ipparam pppd-pid\fR +.IP +and with its standard input, +output and error streams redirected to /dev/null. +.br +.IP +The local-IPX-routing-protocol and remote-IPX-routing-protocol field +may be one of the following: +.IP +NONE to indicate that there is no routing protocol +.br +RIP to indicate that RIP/SAP should be used +.br +NLSP to indicate that Novell NLSP should be used +.br +RIP NLSP to indicate that both RIP/SAP and NLSP should be used +.br +.IP +This program or script is executed with the real and effective +user-IDs set to root, and with an empty environment. This is so +that it can be used to manipulate routes, run privileged daemons (e.g. +\fIripd\fR), etc. Be careful that the contents of the /etc/ppp/ipx-up +and /etc/ppp/ipx-down scripts do not compromise your system's +security. +.TP +.B /etc/ppp/ipx-down +A program or script which is executed when the link is no longer +available for sending and receiving IPX packets. This script can be +used for undoing the effects of the /etc/ppp/ipx-up script. It is +invoked in the same manner and with the same parameters as the ipx-up +script, and the same security considerations apply. .TP .B /etc/ppp/pap-secrets -Usernames, passwords and IP addresses for PAP authentication. +Usernames, passwords and IP addresses for PAP authentication. This +file should be owned by root and not readable or writable by any other +user. Pppd will log a warning if this is not the case. .TP .B /etc/ppp/chap-secrets -Names, secrets and IP addresses for CHAP authentication. +Names, secrets and IP addresses for CHAP authentication. As for +/etc/ppp/pap-secrets, this file should be owned by root and not +readable or writable by any other user. Pppd will log a warning if +this is not the case. .TP .B /etc/ppp/options -System default options for -.I pppd, -read before user default options or command-line options. +System default options for pppd, read before user default options or +command-line options. .TP .B ~/.ppprc -User default options, read before command-line options. +User default options, read before /etc/ppp/options.\fIttyname\fR. .TP .B /etc/ppp/options.\fIttyname System default options for the serial port being used, read after -command-line options. +~/.ppprc. In forming the \fIttyname\fR part of this +filename, an initial /dev/ is stripped from the port name (if +present), and any slashes in the remaining part are converted to +dots. +.TP +.B /etc/ppp/peers +A directory containing options files which may contain privileged +options, even if pppd was invoked by a user other than root. The +system administrator can create options files in this directory to +permit non-privileged users to dial out without requiring the peer to +authenticate, but only to certain trusted peers. .SH SEE ALSO .TP .B RFC1144 Jacobson, V. -.I Compressing TCP/IP headers for low-speed serial links. -1990 February. +\fICompressing TCP/IP headers for low-speed serial links.\fR +February 1990. .TP .B RFC1321 Rivest, R. .I The MD5 Message-Digest Algorithm. -1992 April. +April 1992. .TP .B RFC1332 McGregor, G. .I PPP Internet Protocol Control Protocol (IPCP). -1992 May. +May 1992. .TP .B RFC1334 Lloyd, B.; Simpson, W.A. .I PPP authentication protocols. -1992 October. +October 1992. .TP -.B RFC1548 +.B RFC1661 Simpson, W.A. .I The Point\-to\-Point Protocol (PPP). -1993 December. +July 1994. .TP -.B RFC1549 +.B RFC1662 Simpson, W.A. -.I PPP in HDLC Framing. -1993 December +.I PPP in HDLC-like Framing. +July 1994. .SH NOTES -The following signals have the specified effect when sent to the -.I pppd -process. +The following signals have the specified effect when sent to pppd. .TP .B SIGINT, SIGTERM -These signals cause \fBpppd\fR to terminate the link (by closing LCP), +These signals cause pppd to terminate the link (by closing LCP), restore the serial device settings, and exit. .TP .B SIGHUP -This signal causes \fBpppd\fR to terminate the link, restore the -serial device settings, and close the serial device. If the -\fBpersist\fR option has been specified, \fBpppd\fR will try to reopen -the serial device and start another connection. Otherwise \fBpppd\fR -will exit. +This signal causes pppd to terminate the link, restore the serial +device settings, and close the serial device. If the \fIpersist\fR or +\fIdemand\fR option has been specified, pppd will try to reopen the +serial device and start another connection (after the holdoff period). +Otherwise pppd will exit. If this signal is received during the +holdoff period, it causes pppd to end the holdoff period immediately. +.TP +.B SIGUSR1 +This signal toggles the state of the \fIdebug\fR option. .TP .B SIGUSR2 -This signal causes -.B pppd -to renegotiate compression. This can be useful to re-enable -compression after it has been disabled as a result of a fatal -decompression error. With the BSD Compress scheme, fatal -decompression errors generally indicate a bug in one or other -implementation. +This signal causes pppd to renegotiate compression. This can be +useful to re-enable compression after it has been disabled as a result +of a fatal decompression error. (Fatal decompression errors generally +indicate a bug in one or other implementation.) .SH AUTHORS +Paul Mackerras (Paul.Mackerras@cs.anu.edu.au), based on earlier work by Drew Perkins, Brad Clements, Karl Fox, Greg Christy, -Brad Parker, -Paul Mackerras (paulus@cs.anu.edu.au). +and +Brad Parker. diff --git a/usr.sbin/pppd/pppd.h b/usr.sbin/pppd/pppd.h index 66b0107efca7..e164bb573a36 100644 --- a/usr.sbin/pppd/pppd.h +++ b/usr.sbin/pppd/pppd.h @@ -16,7 +16,7 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: pppd.h,v 1.8 1995/04/26 06:46:31 paulus Exp $ + * $Id: pppd.h,v 1.19 1997/04/30 05:56:55 paulus Exp $ */ /* @@ -26,16 +26,26 @@ #ifndef __PPPD_H__ #define __PPPD_H__ +#include <stdio.h> /* for FILE */ #include <sys/param.h> /* for MAXPATHLEN and BSD4_4, if defined */ #include <sys/types.h> /* for u_int32_t, if defined */ +#include <sys/time.h> /* for struct timeval */ #include <net/ppp_defs.h> -#define NUM_PPP 1 /* One PPP interface supported (per process) */ +#if __STDC__ +#include <stdarg.h> +#define __V(x) x +#else +#include <varargs.h> +#define __V(x) (va_alist) va_dcl +#define const +#endif /* * Limits. */ +#define NUM_PPP 1 /* One PPP interface supported (per process) */ #define MAXWORDLEN 1024 /* max length of word in file (incl null) */ #define MAXARGS 1 /* max # args to a command */ #define MAXNAMELEN 256 /* max length of hostname or name for auth */ @@ -48,12 +58,16 @@ extern int hungup; /* Physical layer has disconnected */ extern int ifunit; /* Interface unit number */ extern char ifname[]; /* Interface name */ -extern int fd; /* Serial device file descriptor */ +extern int ttyfd; /* Serial device file descriptor */ extern char hostname[]; /* Our hostname */ extern u_char outpacket_buf[]; /* Buffer for outgoing packets */ extern int phase; /* Current state of link - see values below */ extern int baud_rate; /* Current link speed in bits/sec */ extern char *progname; /* Name of this program */ +extern int redirect_stderr;/* Connector's stderr should go to file */ +extern char peer_authname[];/* Authenticated name of peer */ +extern int privileged; /* We were run by real-uid root */ +extern int need_holdoff; /* Need holdoff period after link terminates */ /* * Variables set by command-line options. @@ -71,7 +85,9 @@ extern int lockflag; /* Create lock file to lock the serial dev */ extern int nodetach; /* Don't detach from controlling tty */ extern char *connector; /* Script to establish physical link */ extern char *disconnector; /* Script to disestablish physical link */ -extern char user[]; /* Username for PAP */ +extern char *welcomer; /* Script to welcome client after connection */ +extern int maxconnect; /* Maximum connect time (seconds) */ +extern char user[]; /* Our name for authenticating ourselves */ extern char passwd[]; /* Password for PAP */ extern int auth_required; /* Peer is required to authenticate */ extern int proxyarp; /* Set up proxy ARP entry for peer */ @@ -81,38 +97,239 @@ extern int lcp_echo_interval; /* Interval between LCP echo-requests */ extern int lcp_echo_fails; /* Tolerance to unanswered echo-requests */ extern char our_name[]; /* Our name for authentication purposes */ extern char remote_name[]; /* Peer's name for authentication */ +extern int explicit_remote;/* remote_name specified with remotename opt */ extern int usehostname; /* Use hostname for our_name */ extern int disable_defaultip; /* Don't use hostname for default IP adrs */ +extern int demand; /* Do dial-on-demand */ extern char *ipparam; /* Extra parameter for ip up/down scripts */ extern int cryptpap; /* Others' PAP passwords are encrypted */ +extern int idle_time_limit;/* Shut down link if idle for this long */ +extern int holdoff; /* Dead time before restarting */ +extern int refuse_pap; /* Don't wanna auth. ourselves with PAP */ +extern int refuse_chap; /* Don't wanna auth. ourselves with CHAP */ +#ifdef PPP_FILTER +extern struct bpf_program pass_filter; /* Filter for pkts to pass */ +extern struct bpf_program active_filter; /* Filter for link-active pkts */ +#endif + + +#ifdef MSLANMAN +extern int ms_lanman; /* Nonzero if use LanMan password instead of NT */ + /* Has meaning only with MS-CHAP challenges */ +#endif /* * Values for phase. */ #define PHASE_DEAD 0 -#define PHASE_ESTABLISH 1 -#define PHASE_AUTHENTICATE 2 -#define PHASE_NETWORK 3 -#define PHASE_TERMINATE 4 +#define PHASE_INITIALIZE 1 +#define PHASE_DORMANT 2 +#define PHASE_ESTABLISH 3 +#define PHASE_AUTHENTICATE 4 +#define PHASE_CALLBACK 5 +#define PHASE_NETWORK 6 +#define PHASE_TERMINATE 7 +#define PHASE_HOLDOFF 8 + +/* + * The following struct gives the addresses of procedures to call + * for a particular protocol. + */ +struct protent { + u_short protocol; /* PPP protocol number */ + /* Initialization procedure */ + void (*init) __P((int unit)); + /* Process a received packet */ + void (*input) __P((int unit, u_char *pkt, int len)); + /* Process a received protocol-reject */ + void (*protrej) __P((int unit)); + /* Lower layer has come up */ + void (*lowerup) __P((int unit)); + /* Lower layer has gone down */ + void (*lowerdown) __P((int unit)); + /* Open the protocol */ + void (*open) __P((int unit)); + /* Close the protocol */ + void (*close) __P((int unit, char *reason)); + /* Print a packet in readable form */ + int (*printpkt) __P((u_char *pkt, int len, + void (*printer) __P((void *, char *, ...)), + void *arg)); + /* Process a received data packet */ + void (*datainput) __P((int unit, u_char *pkt, int len)); + int enabled_flag; /* 0 iff protocol is disabled */ + char *name; /* Text name of protocol */ + /* Check requested options, assign defaults */ + void (*check_options) __P((void)); + /* Configure interface for demand-dial */ + int (*demand_conf) __P((int unit)); + /* Say whether to bring up link for this pkt */ + int (*active_pkt) __P((u_char *pkt, int len)); +}; + +/* Table of pointers to supported protocols */ +extern struct protent *protocols[]; /* * Prototypes. */ -void quit __P((void)); /* Cleanup and exit */ -void timeout __P((void (*)(), caddr_t, int)); - /* Look-alike of kernel's timeout() */ -void untimeout __P((void (*)(), caddr_t)); - /* Look-alike of kernel's untimeout() */ -void output __P((int, u_char *, int)); - /* Output a PPP packet */ + +/* Procedures exported from main.c. */ +void die __P((int)); /* Cleanup and exit */ +void quit __P((void)); /* like die(1) */ +void novm __P((char *)); /* Say we ran out of memory, and die */ +void timeout __P((void (*func)(void *), void *arg, int t)); + /* Call func(arg) after t seconds */ +void untimeout __P((void (*func)(void *), void *arg)); + /* Cancel call to func(arg) */ +int run_program __P((char *prog, char **args, int must_exist)); + /* Run program prog with args in child */ void demuxprotrej __P((int, int)); /* Demultiplex a Protocol-Reject */ +void format_packet __P((u_char *, int, void (*) (void *, char *, ...), + void *)); /* Format a packet in human-readable form */ +void log_packet __P((u_char *, int, char *, int)); + /* Format a packet and log it with syslog */ +void print_string __P((char *, int, void (*) (void *, char *, ...), + void *)); /* Format a string for output */ +int fmtmsg __P((char *, int, char *, ...)); /* sprintf++ */ +int vfmtmsg __P((char *, int, char *, va_list)); /* vsprintf++ */ + +/* Procedures exported from auth.c */ +void link_required __P((int)); /* we are starting to use the link */ +void link_terminated __P((int)); /* we are finished with the link */ +void link_down __P((int)); /* the LCP layer has left the Opened state */ +void link_established __P((int)); /* the link is up; authenticate now */ +void np_up __P((int, int)); /* a network protocol has come up */ +void np_down __P((int, int)); /* a network protocol has gone down */ +void np_finished __P((int, int)); /* a network protocol no longer needs link */ +void auth_peer_fail __P((int, int)); + /* peer failed to authenticate itself */ +void auth_peer_success __P((int, int, char *, int)); + /* peer successfully authenticated itself */ +void auth_withpeer_fail __P((int, int)); + /* we failed to authenticate ourselves */ +void auth_withpeer_success __P((int, int)); + /* we successfully authenticated ourselves */ +void auth_check_options __P((void)); + /* check authentication options supplied */ +void auth_reset __P((int)); /* check what secrets we have */ int check_passwd __P((int, char *, int, char *, int, char **, int *)); /* Check peer-supplied username/password */ int get_secret __P((int, char *, char *, char *, int *, int)); /* get "secret" for chap */ -u_int32_t GetMask __P((u_int32_t)); /* get netmask for address */ -void die __P((int)); +int auth_ip_addr __P((int, u_int32_t)); + /* check if IP address is authorized */ +int bad_ip_adrs __P((u_int32_t)); + /* check if IP address is unreasonable */ +void check_access __P((FILE *, char *)); + /* check permissions on secrets file */ + +/* Procedures exported from demand.c */ +void demand_conf __P((void)); /* config interface(s) for demand-dial */ +void demand_block __P((void)); /* set all NPs to queue up packets */ +void demand_unblock __P((void)); /* set all NPs to pass packets */ +void demand_discard __P((void)); /* set all NPs to discard packets */ +void demand_rexmit __P((int)); /* retransmit saved frames for an NP */ +int loop_chars __P((unsigned char *, int)); /* process chars from loopback */ +int loop_frame __P((unsigned char *, int)); /* process frame from loopback */ + +/* Procedures exported from sys-*.c */ +void sys_init __P((void)); /* Do system-dependent initialization */ +void sys_cleanup __P((void)); /* Restore system state before exiting */ +void sys_check_options __P((void)); /* Check options specified */ +void sys_close __P((void)); /* Clean up in a child before execing */ +int ppp_available __P((void)); /* Test whether ppp kernel support exists */ +void open_ppp_loopback __P((void)); /* Open loopback for demand-dialling */ +void establish_ppp __P((int)); /* Turn serial port into a ppp interface */ +void restore_loop __P((void)); /* Transfer ppp unit back to loopback */ +void disestablish_ppp __P((int)); /* Restore port to normal operation */ +void clean_check __P((void)); /* Check if line was 8-bit clean */ +void set_up_tty __P((int, int)); /* Set up port's speed, parameters, etc. */ +void restore_tty __P((int)); /* Restore port's original parameters */ +void setdtr __P((int, int)); /* Raise or lower port's DTR line */ +void output __P((int, u_char *, int)); /* Output a PPP packet */ +void wait_input __P((struct timeval *)); + /* Wait for input, with timeout */ +void wait_loop_output __P((struct timeval *)); + /* Wait for pkt from loopback, with timeout */ +void wait_time __P((struct timeval *)); /* Wait for given length of time */ +int read_packet __P((u_char *)); /* Read PPP packet */ +int get_loop_output __P((void)); /* Read pkts from loopback */ +void ppp_send_config __P((int, int, u_int32_t, int, int)); + /* Configure i/f transmit parameters */ +void ppp_set_xaccm __P((int, ext_accm)); + /* Set extended transmit ACCM */ +void ppp_recv_config __P((int, int, u_int32_t, int, int)); + /* Configure i/f receive parameters */ +int ccp_test __P((int, u_char *, int, int)); + /* Test support for compression scheme */ +void ccp_flags_set __P((int, int, int)); + /* Set kernel CCP state */ +int ccp_fatal_error __P((int)); /* Test for fatal decomp error in kernel */ +int get_idle_time __P((int, struct ppp_idle *)); + /* Find out how long link has been idle */ +int sifvjcomp __P((int, int, int, int)); + /* Configure VJ TCP header compression */ +int sifup __P((int)); /* Configure i/f up (for IP) */ +int sifnpmode __P((int u, int proto, enum NPmode mode)); + /* Set mode for handling packets for proto */ +int sifdown __P((int)); /* Configure i/f down (for IP) */ +int sifaddr __P((int, u_int32_t, u_int32_t, u_int32_t)); + /* Configure IP addresses for i/f */ +int cifaddr __P((int, u_int32_t, u_int32_t)); + /* Reset i/f IP addresses */ +int sifdefaultroute __P((int, u_int32_t, u_int32_t)); + /* Create default route through i/f */ +int cifdefaultroute __P((int, u_int32_t, u_int32_t)); + /* Delete default route through i/f */ +int sifproxyarp __P((int, u_int32_t)); + /* Add proxy ARP entry for peer */ +int cifproxyarp __P((int, u_int32_t)); + /* Delete proxy ARP entry for peer */ +u_int32_t GetMask __P((u_int32_t)); /* Get appropriate netmask for address */ +int lock __P((char *)); /* Create lock file for device */ +void unlock __P((void)); /* Delete previously-created lock file */ +int daemon __P((int, int)); /* Detach us from terminal session */ +void logwtmp __P((const char *, const char *, const char *)); + /* Write entry to wtmp file */ +#ifdef PPP_FILTER +int set_filters __P((struct bpf_program *pass, struct bpf_program *active)); + /* Set filter programs in kernel */ +#endif + +/* Procedures exported from options.c */ +int parse_args __P((int argc, char **argv)); + /* Parse options from arguments given */ +void usage __P((void)); /* Print a usage message */ +int options_from_file __P((char *filename, int must_exist, int check_prot, + int privileged)); + /* Parse options from an options file */ +int options_from_user __P((void)); /* Parse options from user's .ppprc */ +int options_for_tty __P((void)); /* Parse options from /etc/ppp/options.tty */ +void scan_args __P((int argc, char **argv)); + /* Look for tty name in command-line args */ +int getword __P((FILE *f, char *word, int *newlinep, char *filename)); + /* Read a word from a file */ +void option_error __P((char *fmt, ...)); + /* Print an error message about an option */ + +/* + * This structure is used to store information about certain + * options, such as where the option value came from (/etc/ppp/options, + * command line, etc.) and whether it came from a privileged source. + */ + +struct option_info { + int priv; /* was value set by sysadmin? */ + char *source; /* where option came from */ +}; + +extern struct option_info auth_req_info; +extern struct option_info connector_info; +extern struct option_info disconnector_info; +extern struct option_info welcomer_info; +extern struct option_info devnam_info; /* * Inline versions of get/put char/short/long. @@ -192,9 +409,9 @@ void die __P((int)); #endif #ifndef LOG_PPP /* we use LOG_LOCAL2 for syslog by default */ -#if defined(DEBUGMAIN) || defined(DEBUGFSM) || defined(DEBUG) \ +#if defined(DEBUGMAIN) || defined(DEBUGFSM) || defined(DEBUGSYS) \ || defined(DEBUGLCP) || defined(DEBUGIPCP) || defined(DEBUGUPAP) \ - || defined(DEBUGCHAP) + || defined(DEBUGCHAP) || defined(DEBUG) #define LOG_PPP LOG_LOCAL2 #else #define LOG_PPP LOG_DAEMON @@ -207,6 +424,12 @@ void die __P((int)); #define MAINDEBUG(x) #endif +#ifdef DEBUGSYS +#define SYSDEBUG(x) if (debug) syslog x +#else +#define SYSDEBUG(x) +#endif + #ifdef DEBUGFSM #define FSMDEBUG(x) if (debug) syslog x #else @@ -237,6 +460,12 @@ void die __P((int)); #define CHAPDEBUG(x) #endif +#ifdef DEBUGIPXCP +#define IPXCPDEBUG(x) if (debug) syslog x +#else +#define IPXCPDEBUG(x) +#endif + #ifndef SIGTYPE #if defined(sun) || defined(SYSV) || defined(POSIX_SOURCE) #define SIGTYPE void diff --git a/usr.sbin/pppd/sys-bsd.c b/usr.sbin/pppd/sys-bsd.c index eea6125b3352..0aee267b6b65 100644 --- a/usr.sbin/pppd/sys-bsd.c +++ b/usr.sbin/pppd/sys-bsd.c @@ -3,6 +3,7 @@ * PPP interfaces on bsd-4.4-ish systems (including 386BSD, NetBSD, etc.) * * Copyright (c) 1989 Carnegie Mellon University. + * Copyright (c) 1995 The Australian National University. * All rights reserved. * * Redistribution and use in source and binary forms are permitted @@ -10,16 +11,17 @@ * duplicated in all such forms and that any documentation, * advertising materials, and other materials related to such * distribution and use acknowledge that the software was developed - * by Carnegie Mellon University. The name of the - * University may not be used to endorse or promote products derived - * from this software without specific prior written permission. + * by Carnegie Mellon University and The Australian National University. + * The names of the Universities may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ #ifndef lint -static char rcsid[] = "$Id: sys-bsd.c,v 1.21 1995/08/16 01:40:23 paulus Exp $"; +static char rcsid[] = "$Id: sys-bsd.c,v 1.28 1997/04/30 05:57:46 paulus Exp $"; #endif /* @@ -30,14 +32,23 @@ static char rcsid[] = "$Id: sys-bsd.c,v 1.21 1995/08/16 01:40:23 paulus Exp $"; #include <syslog.h> #include <string.h> #include <stdlib.h> +#include <unistd.h> #include <errno.h> #include <fcntl.h> #include <termios.h> +#include <signal.h> #include <sys/ioctl.h> #include <sys/types.h> #include <sys/socket.h> #include <sys/time.h> #include <sys/stat.h> +#include <sys/param.h> +#ifdef NetBSD1_2 +#include <util.h> +#endif +#ifdef PPP_FILTER +#include <net/bpf.h> +#endif #include <net/if.h> #include <net/ppp_defs.h> @@ -51,17 +62,37 @@ static char rcsid[] = "$Id: sys-bsd.c,v 1.21 1995/08/16 01:40:23 paulus Exp $"; #endif #include "pppd.h" +#include "fsm.h" +#include "ipcp.h" -static int initdisc = -1; /* Initial TTY discipline */ +static int initdisc = -1; /* Initial TTY discipline for ppp_fd */ +static int initfdflags = -1; /* Initial file descriptor flags for ppp_fd */ +static int ppp_fd = -1; /* fd which is set to PPP discipline */ static int rtm_seq; -static int restore_term; /* 1 => we've munged the terminal */ +static int restore_term; /* 1 => we've munged the terminal */ static struct termios inittermios; /* Initial TTY termios */ static struct winsize wsinfo; /* Initial window size info */ static char *lock_file; /* name of lock file created */ -int sockfd; /* socket for doing interface ioctls */ +static int loop_slave = -1; +static int loop_master; +static char loop_name[20]; + +static unsigned char inbuf[512]; /* buffer for chars read from loopback */ + +static int sockfd; /* socket for doing interface ioctls */ + +static int if_is_up; /* the interface is currently up */ +static u_int32_t ifaddrs[2]; /* local and remote addresses we set */ +static u_int32_t default_route_gateway; /* gateway addr for default route */ +static u_int32_t proxy_arp_addr; /* remote addr for proxy arp */ + +/* Prototypes for procedures local to this file. */ +static int dodefaultroute __P((u_int32_t, int)); +static int get_ether_addr __P((u_int32_t, struct sockaddr_dl *)); + /* * sys_init - System-dependent initialization. @@ -69,11 +100,6 @@ int sockfd; /* socket for doing interface ioctls */ void sys_init() { - openlog("pppd", LOG_PID | LOG_NDELAY, LOG_PPP); - setlogmask(LOG_UPTO(LOG_INFO)); - if (debug) - setlogmask(LOG_UPTO(LOG_DEBUG)); - /* Get an internet socket for doing socket ioctl's on. */ if ((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { syslog(LOG_ERR, "Couldn't create IP socket: %m"); @@ -82,17 +108,50 @@ sys_init() } /* - * note_debug_level - note a change in the debug level. + * sys_cleanup - restore any system state we modified before exiting: + * mark the interface down, delete default route and/or proxy arp entry. + * This should call die() because it's called from die(). */ void -note_debug_level() +sys_cleanup() { - if (debug) { - syslog(LOG_INFO, "Debug turned ON, Level %d", debug); - setlogmask(LOG_UPTO(LOG_DEBUG)); - } else { - setlogmask(LOG_UPTO(LOG_WARNING)); + struct ifreq ifr; + + if (if_is_up) { + strncpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); + if (ioctl(sockfd, SIOCGIFFLAGS, &ifr) >= 0 + && ((ifr.ifr_flags & IFF_UP) != 0)) { + ifr.ifr_flags &= ~IFF_UP; + ioctl(sockfd, SIOCSIFFLAGS, &ifr); + } } + if (ifaddrs[0] != 0) + cifaddr(0, ifaddrs[0], ifaddrs[1]); + if (default_route_gateway) + cifdefaultroute(0, 0, default_route_gateway); + if (proxy_arp_addr) + cifproxyarp(0, proxy_arp_addr); +} + +/* + * sys_close - Clean up in a child process before execing. + */ +void +sys_close() +{ + close(sockfd); + if (loop_slave >= 0) { + close(loop_slave); + close(loop_master); + } +} + +/* + * sys_check_options - check the options that the user specified + */ +void +sys_check_options() +{ } /* @@ -124,11 +183,25 @@ file in the ppp-2.2 distribution.\n"; * establish_ppp - Turn the serial port into a ppp interface. */ void -establish_ppp() +establish_ppp(fd) + int fd; { int pppdisc = PPPDISC; int x; + if (demand) { + /* + * Demand mode - prime the old ppp device to relinquish the unit. + */ + if (ioctl(ppp_fd, PPPIOCXFERUNIT, 0) < 0) { + syslog(LOG_ERR, "ioctl(transfer ppp unit): %m"); + die(1); + } + } + + /* + * Save the old line discipline of fd, and set it to PPP. + */ if (ioctl(fd, TIOCGETD, &initdisc) < 0) { syslog(LOG_ERR, "ioctl(TIOCGETD): %m"); die(1); @@ -138,14 +211,33 @@ establish_ppp() die(1); } - /* - * Find out which interface we were given. - */ - if (ioctl(fd, PPPIOCGUNIT, &ifunit) < 0) { - syslog(LOG_ERR, "ioctl(PPPIOCGUNIT): %m"); - die(1); + if (!demand) { + /* + * Find out which interface we were given. + */ + if (ioctl(fd, PPPIOCGUNIT, &ifunit) < 0) { + syslog(LOG_ERR, "ioctl(PPPIOCGUNIT): %m"); + die(1); + } + } else { + /* + * Check that we got the same unit again. + */ + if (ioctl(fd, PPPIOCGUNIT, &x) < 0) { + syslog(LOG_ERR, "ioctl(PPPIOCGUNIT): %m"); + die(1); + } + if (x != ifunit) { + syslog(LOG_ERR, "transfer_ppp failed: wanted unit %d, got %d", + ifunit, x); + die(1); + } + x = TTYDISC; + ioctl(loop_slave, TIOCSETD, &x); } + ppp_fd = fd; + /* * Enable debug in the driver if requested. */ @@ -158,6 +250,50 @@ establish_ppp() syslog(LOG_WARNING, "ioctl(PPPIOCSFLAGS): %m"); } } + + /* + * Set device for non-blocking reads. + */ + if ((initfdflags = fcntl(fd, F_GETFL)) == -1 + || fcntl(fd, F_SETFL, initfdflags | O_NONBLOCK) == -1) { + syslog(LOG_WARNING, "Couldn't set device to non-blocking mode: %m"); + } +} + +/* + * restore_loop - reattach the ppp unit to the loopback. + */ +void +restore_loop() +{ + int x; + + /* + * Transfer the ppp interface back to the loopback. + */ + if (ioctl(ppp_fd, PPPIOCXFERUNIT, 0) < 0) { + syslog(LOG_ERR, "ioctl(transfer ppp unit): %m"); + die(1); + } + x = PPPDISC; + if (ioctl(loop_slave, TIOCSETD, &x) < 0) { + syslog(LOG_ERR, "ioctl(TIOCSETD): %m"); + die(1); + } + + /* + * Check that we got the same unit again. + */ + if (ioctl(loop_slave, PPPIOCGUNIT, &x) < 0) { + syslog(LOG_ERR, "ioctl(PPPIOCGUNIT): %m"); + die(1); + } + if (x != ifunit) { + syslog(LOG_ERR, "transfer_ppp failed: wanted unit %d, got %d", + ifunit, x); + die(1); + } + ppp_fd = loop_slave; } @@ -166,42 +302,55 @@ establish_ppp() * This shouldn't call die() because it's called from die(). */ void -disestablish_ppp() +disestablish_ppp(fd) + int fd; +{ + /* Reset non-blocking mode on fd. */ + if (initfdflags != -1 && fcntl(fd, F_SETFL, initfdflags) < 0) + syslog(LOG_WARNING, "Couldn't restore device fd flags: %m"); + initfdflags = -1; + + /* Restore old line discipline. */ + if (initdisc >= 0 && ioctl(fd, TIOCSETD, &initdisc) < 0) + syslog(LOG_ERR, "ioctl(TIOCSETD): %m"); + initdisc = -1; + + if (fd == ppp_fd) + ppp_fd = -1; +} + +/* + * Check whether the link seems not to be 8-bit clean. + */ +void +clean_check() { int x; char *s; - if (initdisc >= 0) { - /* - * Check whether the link seems not to be 8-bit clean. - */ - if (ioctl(fd, PPPIOCGFLAGS, (caddr_t) &x) == 0) { - s = NULL; - switch (~x & (SC_RCV_B7_0|SC_RCV_B7_1|SC_RCV_EVNP|SC_RCV_ODDP)) { - case SC_RCV_B7_0: - s = "bit 7 set to 1"; - break; - case SC_RCV_B7_1: - s = "bit 7 set to 0"; - break; - case SC_RCV_EVNP: - s = "odd parity"; - break; - case SC_RCV_ODDP: - s = "even parity"; - break; - } - if (s != NULL) { - syslog(LOG_WARNING, "Serial link is not 8-bit clean:"); - syslog(LOG_WARNING, "All received characters had %s", s); - } + if (ioctl(ppp_fd, PPPIOCGFLAGS, (caddr_t) &x) == 0) { + s = NULL; + switch (~x & (SC_RCV_B7_0|SC_RCV_B7_1|SC_RCV_EVNP|SC_RCV_ODDP)) { + case SC_RCV_B7_0: + s = "bit 7 set to 1"; + break; + case SC_RCV_B7_1: + s = "bit 7 set to 0"; + break; + case SC_RCV_EVNP: + s = "odd parity"; + break; + case SC_RCV_ODDP: + s = "even parity"; + break; + } + if (s != NULL) { + syslog(LOG_WARNING, "Serial link is not 8-bit clean:"); + syslog(LOG_WARNING, "All received characters had %s", s); } - if (ioctl(fd, TIOCSETD, &initdisc) < 0) - syslog(LOG_ERR, "ioctl(TIOCSETD): %m"); } } - /* * set_up_tty: Set up the serial port on `fd' for 8 bits, no parity, * at the requested speed, etc. If `local' is true, set CLOCAL @@ -209,6 +358,7 @@ disestablish_ppp() * * For *BSD, we assume that speed_t values numerically equal bits/second. */ +void set_up_tty(fd, local) int fd, local; { @@ -225,7 +375,7 @@ set_up_tty(fd, local) } tios.c_cflag &= ~(CSIZE | CSTOPB | PARENB | CLOCAL); - if (crtscts > 0) + if (crtscts > 0 && !local) tios.c_cflag |= CRTSCTS; else if (crtscts < 0) tios.c_cflag &= ~CRTSCTS; @@ -239,8 +389,8 @@ set_up_tty(fd, local) tios.c_cc[VMIN] = 1; tios.c_cc[VTIME] = 0; - if (crtscts == 2) { - tios.c_iflag |= IXOFF; + if (crtscts == -2) { + tios.c_iflag |= IXON | IXOFF; tios.c_cc[VSTOP] = 0x13; /* DC3 = XOFF = ^S */ tios.c_cc[VSTART] = 0x11; /* DC1 = XON = ^Q */ } @@ -274,7 +424,8 @@ set_up_tty(fd, local) * restore_tty - restore the terminal to the saved settings. */ void -restore_tty() +restore_tty(fd) + int fd; { if (restore_term) { if (!default_device) { @@ -298,6 +449,7 @@ restore_tty() * setdtr - control the DTR line on the serial port. * This is called from die(), so it shouldn't call die(). */ +void setdtr(fd, on) int fd, on; { @@ -308,6 +460,68 @@ int fd, on; /* + * open_ppp_loopback - open the device we use for getting + * packets in demand mode, and connect it to a ppp interface. + * Here we use a pty. + */ +void +open_ppp_loopback() +{ + int flags; + struct termios tios; + int pppdisc = PPPDISC; + + if (openpty(&loop_master, &loop_slave, loop_name, NULL, NULL) < 0) { + syslog(LOG_ERR, "No free pty for loopback"); + die(1); + } + SYSDEBUG((LOG_DEBUG, "using %s for loopback", loop_name)); + + if (tcgetattr(loop_slave, &tios) == 0) { + tios.c_cflag &= ~(CSIZE | CSTOPB | PARENB); + tios.c_cflag |= CS8 | CREAD; + tios.c_iflag = IGNPAR; + tios.c_oflag = 0; + tios.c_lflag = 0; + if (tcsetattr(loop_slave, TCSAFLUSH, &tios) < 0) + syslog(LOG_WARNING, "couldn't set attributes on loopback: %m"); + } + + if ((flags = fcntl(loop_master, F_GETFL)) != -1) + if (fcntl(loop_master, F_SETFL, flags | O_NONBLOCK) == -1) + syslog(LOG_WARNING, "couldn't set loopback to nonblock: %m"); + + ppp_fd = loop_slave; + if (ioctl(ppp_fd, TIOCSETD, &pppdisc) < 0) { + syslog(LOG_ERR, "ioctl(TIOCSETD): %m"); + die(1); + } + + /* + * Find out which interface we were given. + */ + if (ioctl(ppp_fd, PPPIOCGUNIT, &ifunit) < 0) { + syslog(LOG_ERR, "ioctl(PPPIOCGUNIT): %m"); + die(1); + } + + /* + * Enable debug in the driver if requested. + */ + if (kdebugflag) { + if (ioctl(ppp_fd, PPPIOCGFLAGS, (caddr_t) &flags) < 0) { + syslog(LOG_WARNING, "ioctl (PPPIOCGFLAGS): %m"); + } else { + flags |= (kdebugflag & 0xFF) * SC_DEBUG; + if (ioctl(ppp_fd, PPPIOCSFLAGS, (caddr_t) &flags) < 0) + syslog(LOG_WARNING, "ioctl(PPPIOCSFLAGS): %m"); + } + } + +} + + +/* * output - Output PPP packet. */ void @@ -316,23 +530,22 @@ output(unit, p, len) u_char *p; int len; { - if (unit != 0) - MAINDEBUG((LOG_WARNING, "output: unit != 0!")); if (debug) - log_packet(p, len, "sent "); + log_packet(p, len, "sent ", LOG_DEBUG); - if (write(fd, p, len) < 0) { - syslog(LOG_ERR, "write: %m"); - die(1); + if (write(ttyfd, p, len) < 0) { + if (errno != EIO) + syslog(LOG_ERR, "write: %m"); } } /* - * wait_input - wait until there is data available on fd, + * wait_input - wait until there is data available on ttyfd, * for the length of time specified by *timo (indefinite * if timo is NULL). */ +void wait_input(timo) struct timeval *timo; { @@ -340,8 +553,48 @@ wait_input(timo) int n; FD_ZERO(&ready); - FD_SET(fd, &ready); - n = select(fd+1, &ready, NULL, &ready, timo); + FD_SET(ttyfd, &ready); + n = select(ttyfd+1, &ready, NULL, &ready, timo); + if (n < 0 && errno != EINTR) { + syslog(LOG_ERR, "select: %m"); + die(1); + } +} + + +/* + * wait_loop_output - wait until there is data available on the + * loopback, for the length of time specified by *timo (indefinite + * if timo is NULL). + */ +void +wait_loop_output(timo) + struct timeval *timo; +{ + fd_set ready; + int n; + + FD_ZERO(&ready); + FD_SET(loop_master, &ready); + n = select(loop_master + 1, &ready, NULL, &ready, timo); + if (n < 0 && errno != EINTR) { + syslog(LOG_ERR, "select: %m"); + die(1); + } +} + + +/* + * wait_time - wait for a given length of time or until a + * signal is received. + */ +void +wait_time(timo) + struct timeval *timo; +{ + int n; + + n = select(0, NULL, NULL, NULL, timo); if (n < 0 && errno != EINTR) { syslog(LOG_ERR, "select: %m"); die(1); @@ -358,10 +611,10 @@ read_packet(buf) { int len; - if ((len = read(fd, buf, PPP_MTU + PPP_HDRLEN)) < 0) { + if ((len = read(ttyfd, buf, PPP_MTU + PPP_HDRLEN)) < 0) { if (errno == EWOULDBLOCK || errno == EINTR) return -1; - syslog(LOG_ERR, "read(fd): %m"); + syslog(LOG_ERR, "read: %m"); die(1); } return len; @@ -369,6 +622,34 @@ read_packet(buf) /* + * get_loop_output - read characters from the loopback, form them + * into frames, and detect when we want to bring the real link up. + * Return value is 1 if we need to bring up the link, 0 otherwise. + */ +int +get_loop_output() +{ + int rv = 0; + int n; + + while ((n = read(loop_master, inbuf, sizeof(inbuf))) >= 0) { + if (loop_chars(inbuf, n)) + rv = 1; + } + + if (n == 0) { + syslog(LOG_ERR, "eof on loopback"); + die(1); + } else if (errno != EWOULDBLOCK){ + syslog(LOG_ERR, "read from loopback: %m"); + die(1); + } + + return rv; +} + + +/* * ppp_send_config - configure the transmit characteristics of * the ppp interface. */ @@ -388,18 +669,18 @@ ppp_send_config(unit, mtu, asyncmap, pcomp, accomp) quit(); } - if (ioctl(fd, PPPIOCSASYNCMAP, (caddr_t) &asyncmap) < 0) { + if (ioctl(ppp_fd, PPPIOCSASYNCMAP, (caddr_t) &asyncmap) < 0) { syslog(LOG_ERR, "ioctl(PPPIOCSASYNCMAP): %m"); quit(); } - if (ioctl(fd, PPPIOCGFLAGS, (caddr_t) &x) < 0) { + if (ioctl(ppp_fd, PPPIOCGFLAGS, (caddr_t) &x) < 0) { syslog(LOG_ERR, "ioctl (PPPIOCGFLAGS): %m"); quit(); } x = pcomp? x | SC_COMP_PROT: x &~ SC_COMP_PROT; x = accomp? x | SC_COMP_AC: x &~ SC_COMP_AC; - if (ioctl(fd, PPPIOCSFLAGS, (caddr_t) &x) < 0) { + if (ioctl(ppp_fd, PPPIOCSFLAGS, (caddr_t) &x) < 0) { syslog(LOG_ERR, "ioctl(PPPIOCSFLAGS): %m"); quit(); } @@ -414,7 +695,7 @@ ppp_set_xaccm(unit, accm) int unit; ext_accm accm; { - if (ioctl(fd, PPPIOCSXASYNCMAP, accm) < 0 && errno != ENOTTY) + if (ioctl(ppp_fd, PPPIOCSXASYNCMAP, accm) < 0 && errno != ENOTTY) syslog(LOG_WARNING, "ioctl(set extended ACCM): %m"); } @@ -431,20 +712,20 @@ ppp_recv_config(unit, mru, asyncmap, pcomp, accomp) { int x; - if (ioctl(fd, PPPIOCSMRU, (caddr_t) &mru) < 0) { + if (ioctl(ppp_fd, PPPIOCSMRU, (caddr_t) &mru) < 0) { syslog(LOG_ERR, "ioctl(PPPIOCSMRU): %m"); quit(); } - if (ioctl(fd, PPPIOCSRASYNCMAP, (caddr_t) &asyncmap) < 0) { + if (ioctl(ppp_fd, PPPIOCSRASYNCMAP, (caddr_t) &asyncmap) < 0) { syslog(LOG_ERR, "ioctl(PPPIOCSRASYNCMAP): %m"); quit(); } - if (ioctl(fd, PPPIOCGFLAGS, (caddr_t) &x) < 0) { + if (ioctl(ppp_fd, PPPIOCGFLAGS, (caddr_t) &x) < 0) { syslog(LOG_ERR, "ioctl (PPPIOCGFLAGS): %m"); quit(); } x = !accomp? x | SC_REJ_COMP_AC: x &~ SC_REJ_COMP_AC; - if (ioctl(fd, PPPIOCSFLAGS, (caddr_t) &x) < 0) { + if (ioctl(ppp_fd, PPPIOCSFLAGS, (caddr_t) &x) < 0) { syslog(LOG_ERR, "ioctl(PPPIOCSFLAGS): %m"); quit(); } @@ -452,8 +733,11 @@ ppp_recv_config(unit, mru, asyncmap, pcomp, accomp) /* * ccp_test - ask kernel whether a given compression method - * is acceptable for use. + * is acceptable for use. Returns 1 if the method and parameters + * are OK, 0 if the method is known but the parameters are not OK + * (e.g. code size should be reduced), or -1 if the method is unknown. */ +int ccp_test(unit, opt_ptr, opt_len, for_transmit) int unit, opt_len, for_transmit; u_char *opt_ptr; @@ -463,7 +747,9 @@ ccp_test(unit, opt_ptr, opt_len, for_transmit) data.ptr = opt_ptr; data.length = opt_len; data.transmit = for_transmit; - return ioctl(fd, PPPIOCSCOMPRESS, (caddr_t) &data) >= 0; + if (ioctl(ttyfd, PPPIOCSCOMPRESS, (caddr_t) &data) >= 0) + return 1; + return (errno == ENOBUFS)? 0: -1; } /* @@ -475,13 +761,13 @@ ccp_flags_set(unit, isopen, isup) { int x; - if (ioctl(fd, PPPIOCGFLAGS, (caddr_t) &x) < 0) { + if (ioctl(ppp_fd, PPPIOCGFLAGS, (caddr_t) &x) < 0) { syslog(LOG_ERR, "ioctl (PPPIOCGFLAGS): %m"); return; } x = isopen? x | SC_CCP_OPEN: x &~ SC_CCP_OPEN; x = isup? x | SC_CCP_UP: x &~ SC_CCP_UP; - if (ioctl(fd, PPPIOCSFLAGS, (caddr_t) &x) < 0) + if (ioctl(ppp_fd, PPPIOCSFLAGS, (caddr_t) &x) < 0) syslog(LOG_ERR, "ioctl(PPPIOCSFLAGS): %m"); } @@ -496,7 +782,7 @@ ccp_fatal_error(unit) { int x; - if (ioctl(fd, PPPIOCGFLAGS, (caddr_t) &x) < 0) { + if (ioctl(ppp_fd, PPPIOCGFLAGS, (caddr_t) &x) < 0) { syslog(LOG_ERR, "ioctl(PPPIOCGFLAGS): %m"); return 0; } @@ -504,6 +790,44 @@ ccp_fatal_error(unit) } /* + * get_idle_time - return how long the link has been idle. + */ +int +get_idle_time(u, ip) + int u; + struct ppp_idle *ip; +{ + return ioctl(ppp_fd, PPPIOCGIDLE, ip) >= 0; +} + + +#ifdef PPP_FILTER +/* + * set_filters - transfer the pass and active filters to the kernel. + */ +int +set_filters(pass, active) + struct bpf_program *pass, *active; +{ + int ret = 1; + + if (pass->bf_len > 0) { + if (ioctl(ppp_fd, PPPIOCSPASS, pass) < 0) { + syslog(LOG_ERR, "Couldn't set pass-filter in kernel: %m"); + ret = 0; + } + } + if (active->bf_len > 0) { + if (ioctl(ppp_fd, PPPIOCSACTIVE, active) < 0) { + syslog(LOG_ERR, "Couldn't set active-filter in kernel: %m"); + ret = 0; + } + } + return ret; +} +#endif + +/* * sifvjcomp - config tcp header compression */ int @@ -512,17 +836,17 @@ sifvjcomp(u, vjcomp, cidcomp, maxcid) { u_int x; - if (ioctl(fd, PPPIOCGFLAGS, (caddr_t) &x) < 0) { + if (ioctl(ppp_fd, PPPIOCGFLAGS, (caddr_t) &x) < 0) { syslog(LOG_ERR, "ioctl (PPPIOCGFLAGS): %m"); return 0; } x = vjcomp ? x | SC_COMP_TCP: x &~ SC_COMP_TCP; x = cidcomp? x & ~SC_NO_TCP_CCID: x | SC_NO_TCP_CCID; - if (ioctl(fd, PPPIOCSFLAGS, (caddr_t) &x) < 0) { + if (ioctl(ppp_fd, PPPIOCSFLAGS, (caddr_t) &x) < 0) { syslog(LOG_ERR, "ioctl(PPPIOCSFLAGS): %m"); return 0; } - if (ioctl(fd, PPPIOCSMAXCID, (caddr_t) &maxcid) < 0) { + if (vjcomp && ioctl(ppp_fd, PPPIOCSMAXCID, (caddr_t) &maxcid) < 0) { syslog(LOG_ERR, "ioctl(PPPIOCSFLAGS): %m"); return 0; } @@ -532,17 +856,11 @@ sifvjcomp(u, vjcomp, cidcomp, maxcid) /* * sifup - Config the interface up and enable IP packets to pass. */ -#ifndef SC_ENABLE_IP -#define SC_ENABLE_IP 0x100 /* compat for old versions of kernel code */ -#endif - int sifup(u) int u; { struct ifreq ifr; - u_int x; - struct npioctl npi; strncpy(ifr.ifr_name, ifname, sizeof (ifr.ifr_name)); if (ioctl(sockfd, SIOCGIFFLAGS, (caddr_t) &ifr) < 0) { @@ -554,23 +872,26 @@ sifup(u) syslog(LOG_ERR, "ioctl(SIOCSIFFLAGS): %m"); return 0; } - npi.protocol = PPP_IP; - npi.mode = NPMODE_PASS; - if (ioctl(fd, PPPIOCSNPMODE, &npi) < 0) { - if (errno != ENOTTY) { - syslog(LOG_ERR, "ioctl(PPPIOCSNPMODE): %m"); - return 0; - } - /* for backwards compatibility */ - if (ioctl(fd, PPPIOCGFLAGS, (caddr_t) &x) < 0) { - syslog(LOG_ERR, "ioctl (PPPIOCGFLAGS): %m"); - return 0; - } - x |= SC_ENABLE_IP; - if (ioctl(fd, PPPIOCSFLAGS, (caddr_t) &x) < 0) { - syslog(LOG_ERR, "ioctl(PPPIOCSFLAGS): %m"); - return 0; - } + if_is_up = 1; + return 1; +} + +/* + * sifnpmode - Set the mode for handling packets for a given NP. + */ +int +sifnpmode(u, proto, mode) + int u; + int proto; + enum NPmode mode; +{ + struct npioctl npi; + + npi.protocol = proto; + npi.mode = mode; + if (ioctl(ppp_fd, PPPIOCSNPMODE, &npi) < 0) { + syslog(LOG_ERR, "ioctl(set NP %d mode to %d): %m", proto, mode); + return 0; } return 1; } @@ -583,31 +904,14 @@ sifdown(u) int u; { struct ifreq ifr; - u_int x; int rv; struct npioctl npi; rv = 1; npi.protocol = PPP_IP; npi.mode = NPMODE_ERROR; - if (ioctl(fd, PPPIOCSNPMODE, (caddr_t) &npi) < 0) { - if (errno != ENOTTY) { - syslog(LOG_ERR, "ioctl(PPPIOCSNPMODE): %m"); - rv = 0; - } else { - /* backwards compatibility */ - if (ioctl(fd, PPPIOCGFLAGS, (caddr_t) &x) < 0) { - syslog(LOG_ERR, "ioctl (PPPIOCGFLAGS): %m"); - rv = 0; - } else { - x &= ~SC_ENABLE_IP; - if (ioctl(fd, PPPIOCSFLAGS, (caddr_t) &x) < 0) { - syslog(LOG_ERR, "ioctl(PPPIOCSFLAGS): %m"); - rv = 0; - } - } - } - } + ioctl(ppp_fd, PPPIOCSNPMODE, (caddr_t) &npi); + /* ignore errors, because ppp_fd might have been closed by now. */ strncpy(ifr.ifr_name, ifname, sizeof (ifr.ifr_name)); if (ioctl(sockfd, SIOCGIFFLAGS, (caddr_t) &ifr) < 0) { @@ -618,7 +922,8 @@ sifdown(u) if (ioctl(sockfd, SIOCSIFFLAGS, (caddr_t) &ifr) < 0) { syslog(LOG_ERR, "ioctl(SIOCSIFFLAGS): %m"); rv = 0; - } + } else + if_is_up = 0; } return rv; } @@ -654,11 +959,15 @@ sifaddr(u, o, h, m) BZERO(&ifra.ifra_mask, sizeof(ifra.ifra_mask)); if (ioctl(sockfd, SIOCAIFADDR, (caddr_t) &ifra) < 0) { if (errno != EEXIST) { - syslog(LOG_ERR, "ioctl(SIOCAIFADDR): %m"); + syslog(LOG_ERR, "Couldn't set interface address: %m"); return 0; } - syslog(LOG_WARNING, "ioctl(SIOCAIFADDR): Address already exists"); + syslog(LOG_WARNING, + "Couldn't set interface address: Address %s already exists", + ip_ntoa(o)); } + ifaddrs[0] = o; + ifaddrs[1] = h; return 1; } @@ -673,6 +982,7 @@ cifaddr(u, o, h) { struct ifaliasreq ifra; + ifaddrs[0] = 0; strncpy(ifra.ifra_name, ifname, sizeof(ifra.ifra_name)); SET_SA_FAMILY(ifra.ifra_addr, AF_INET); ((struct sockaddr_in *) &ifra.ifra_addr)->sin_addr.s_addr = o; @@ -680,7 +990,8 @@ cifaddr(u, o, h) ((struct sockaddr_in *) &ifra.ifra_broadaddr)->sin_addr.s_addr = h; BZERO(&ifra.ifra_mask, sizeof(ifra.ifra_mask)); if (ioctl(sockfd, SIOCDIFADDR, (caddr_t) &ifra) < 0) { - syslog(LOG_WARNING, "ioctl(SIOCDIFADDR): %m"); + if (errno != EADDRNOTAVAIL) + syslog(LOG_WARNING, "Couldn't delete interface address: %m"); return 0; } return 1; @@ -690,9 +1001,9 @@ cifaddr(u, o, h) * sifdefaultroute - assign a default route through the address given. */ int -sifdefaultroute(u, g) +sifdefaultroute(u, l, g) int u; - u_int32_t g; + u_int32_t l, g; { return dodefaultroute(g, 's'); } @@ -701,9 +1012,9 @@ sifdefaultroute(u, g) * cifdefaultroute - delete a default route through the address given. */ int -cifdefaultroute(u, g) +cifdefaultroute(u, l, g) int u; - u_int32_t g; + u_int32_t l, g; { return dodefaultroute(g, 'c'); } @@ -711,7 +1022,7 @@ cifdefaultroute(u, g) /* * dodefaultroute - talk to a routing socket to add/delete a default route. */ -int +static int dodefaultroute(g, cmd) u_int32_t g; int cmd; @@ -725,7 +1036,8 @@ dodefaultroute(g, cmd) } rtmsg; if ((routes = socket(PF_ROUTE, SOCK_RAW, AF_INET)) < 0) { - syslog(LOG_ERR, "%cifdefaultroute: opening routing socket: %m", cmd); + syslog(LOG_ERR, "Couldn't %s default route: socket: %m", + cmd=='s'? "add": "delete"); return 0; } @@ -745,12 +1057,14 @@ dodefaultroute(g, cmd) rtmsg.hdr.rtm_msglen = sizeof(rtmsg); if (write(routes, &rtmsg, sizeof(rtmsg)) < 0) { - syslog(LOG_ERR, "%s default route: %m", cmd=='s'? "add": "delete"); + syslog(LOG_ERR, "Couldn't %s default route: %m", + cmd=='s'? "add": "delete"); close(routes); return 0; } close(routes); + default_route_gateway = (cmd == 's')? g: 0; return 1; } @@ -774,7 +1088,6 @@ sifproxyarp(unit, hisaddr) u_int32_t hisaddr; { int routes; - int l; /* * Get the hardware address of an interface on the same subnet @@ -787,7 +1100,7 @@ sifproxyarp(unit, hisaddr) } if ((routes = socket(PF_ROUTE, SOCK_RAW, AF_INET)) < 0) { - syslog(LOG_ERR, "sifproxyarp: opening routing socket: %m"); + syslog(LOG_ERR, "Couldn't add proxy arp entry: socket: %m"); return 0; } @@ -805,13 +1118,14 @@ sifproxyarp(unit, hisaddr) arpmsg.hdr.rtm_msglen = (char *) &arpmsg.hwa - (char *) &arpmsg + arpmsg.hwa.sdl_len; if (write(routes, &arpmsg, arpmsg.hdr.rtm_msglen) < 0) { - syslog(LOG_ERR, "add proxy arp entry: %m"); + syslog(LOG_ERR, "Couldn't add proxy arp entry: %m"); close(routes); return 0; } close(routes); arpmsg_valid = 1; + proxy_arp_addr = hisaddr; return 1; } @@ -833,17 +1147,18 @@ cifproxyarp(unit, hisaddr) arpmsg.hdr.rtm_seq = ++rtm_seq; if ((routes = socket(PF_ROUTE, SOCK_RAW, AF_INET)) < 0) { - syslog(LOG_ERR, "sifproxyarp: opening routing socket: %m"); + syslog(LOG_ERR, "Couldn't delete proxy arp entry: socket: %m"); return 0; } if (write(routes, &arpmsg, arpmsg.hdr.rtm_msglen) < 0) { - syslog(LOG_ERR, "delete proxy arp entry: %m"); + syslog(LOG_ERR, "Couldn't delete proxy arp entry: %m"); close(routes); return 0; } close(routes); + proxy_arp_addr = 0; return 1; } @@ -881,10 +1196,11 @@ sifproxyarp(unit, hisaddr) ((struct sockaddr_in *) &arpreq.arp_pa)->sin_addr.s_addr = hisaddr; arpreq.arp_flags = ATF_PERM | ATF_PUBL; if (ioctl(sockfd, SIOCSARP, (caddr_t)&arpreq) < 0) { - syslog(LOG_ERR, "ioctl(SIOCSARP): %m"); + syslog(LOG_ERR, "Couldn't add proxy arp entry: %m"); return 0; } + proxy_arp_addr = hisaddr; return 1; } @@ -902,9 +1218,10 @@ cifproxyarp(unit, hisaddr) SET_SA_FAMILY(arpreq.arp_pa, AF_INET); ((struct sockaddr_in *) &arpreq.arp_pa)->sin_addr.s_addr = hisaddr; if (ioctl(sockfd, SIOCDARP, (caddr_t)&arpreq) < 0) { - syslog(LOG_WARNING, "ioctl(SIOCDARP): %m"); + syslog(LOG_WARNING, "Couldn't delete proxy arp entry: %m"); return 0; } + proxy_arp_addr = 0; return 1; } #endif /* RTM_VERSION */ @@ -916,7 +1233,7 @@ cifproxyarp(unit, hisaddr) */ #define MAX_IFS 32 -int +static int get_ether_addr(ipaddr, hwaddr) u_int32_t ipaddr; struct sockaddr_dl *hwaddr; @@ -1085,14 +1402,12 @@ lock(dev) && (fd = open(lock_file, O_RDONLY, 0)) >= 0) { /* Read the lock file to find out who has the device locked */ n = read(fd, hdb_lock_buffer, 11); - if (n > 0) { - hdb_lock_buffer[n] = 0; - pid = atoi(hdb_lock_buffer); - } if (n <= 0) { syslog(LOG_ERR, "Can't read pid from lock file %s", lock_file); close(fd); } else { + hdb_lock_buffer[n] = 0; + pid = atoi(hdb_lock_buffer); if (kill(pid, 0) == -1 && errno == ESRCH) { /* pid no longer exists - remove the lock file */ if (unlink(lock_file) == 0) { @@ -1125,6 +1440,7 @@ lock(dev) /* * unlock - remove our lockfile */ +void unlock() { if (lock_file) { diff --git a/usr.sbin/pppd/upap.c b/usr.sbin/pppd/upap.c index aed4a7b0e1a5..c4ffb401cedc 100644 --- a/usr.sbin/pppd/upap.c +++ b/usr.sbin/pppd/upap.c @@ -18,7 +18,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: upap.c,v 1.6 1995/06/12 12:02:24 paulus Exp $"; +static char rcsid[] = "$Id: upap.c,v 1.11 1997/04/30 05:59:56 paulus Exp $"; #endif /* @@ -34,12 +34,39 @@ static char rcsid[] = "$Id: upap.c,v 1.6 1995/06/12 12:02:24 paulus Exp $"; #include "pppd.h" #include "upap.h" +/* + * Protocol entry points. + */ +static void upap_init __P((int)); +static void upap_lowerup __P((int)); +static void upap_lowerdown __P((int)); +static void upap_input __P((int, u_char *, int)); +static void upap_protrej __P((int)); +static int upap_printpkt __P((u_char *, int, + void (*) __P((void *, char *, ...)), void *)); + +struct protent pap_protent = { + PPP_PAP, + upap_init, + upap_input, + upap_protrej, + upap_lowerup, + upap_lowerdown, + NULL, + NULL, + upap_printpkt, + NULL, + 1, + "PAP", + NULL, + NULL, + NULL +}; upap_state upap[NUM_PPP]; /* UPAP state; one for each unit */ - -static void upap_timeout __P((caddr_t)); -static void upap_reqtimeout __P((caddr_t)); +static void upap_timeout __P((void *)); +static void upap_reqtimeout __P((void *)); static void upap_rauthreq __P((upap_state *, u_char *, int, int)); static void upap_rauthack __P((upap_state *, u_char *, int, int)); static void upap_rauthnak __P((upap_state *, u_char *, int, int)); @@ -50,7 +77,7 @@ static void upap_sresp __P((upap_state *, int, int, char *, int)); /* * upap_init - Initialize a UPAP unit. */ -void +static void upap_init(unit) int unit; { @@ -120,7 +147,7 @@ upap_authpeer(unit) u->us_serverstate = UPAPSS_LISTEN; if (u->us_reqtimeout > 0) - TIMEOUT(upap_reqtimeout, (caddr_t) u, u->us_reqtimeout); + TIMEOUT(upap_reqtimeout, u, u->us_reqtimeout); } @@ -129,7 +156,7 @@ upap_authpeer(unit) */ static void upap_timeout(arg) - caddr_t arg; + void *arg; { upap_state *u = (upap_state *) arg; @@ -153,7 +180,7 @@ upap_timeout(arg) */ static void upap_reqtimeout(arg) - caddr_t arg; + void *arg; { upap_state *u = (upap_state *) arg; @@ -170,7 +197,7 @@ upap_reqtimeout(arg) * * Start authenticating if pending. */ -void +static void upap_lowerup(unit) int unit; { @@ -187,7 +214,7 @@ upap_lowerup(unit) else if (u->us_serverstate == UPAPSS_PENDING) { u->us_serverstate = UPAPSS_LISTEN; if (u->us_reqtimeout > 0) - TIMEOUT(upap_reqtimeout, (caddr_t) u, u->us_reqtimeout); + TIMEOUT(upap_reqtimeout, u, u->us_reqtimeout); } } @@ -197,16 +224,16 @@ upap_lowerup(unit) * * Cancel all timeouts. */ -void +static void upap_lowerdown(unit) int unit; { upap_state *u = &upap[unit]; if (u->us_clientstate == UPAPCS_AUTHREQ) /* Timeout pending? */ - UNTIMEOUT(upap_timeout, (caddr_t) u); /* Cancel timeout */ + UNTIMEOUT(upap_timeout, u); /* Cancel timeout */ if (u->us_serverstate == UPAPSS_LISTEN && u->us_reqtimeout > 0) - UNTIMEOUT(upap_reqtimeout, (caddr_t) u); + UNTIMEOUT(upap_reqtimeout, u); u->us_clientstate = UPAPCS_INITIAL; u->us_serverstate = UPAPSS_INITIAL; @@ -218,7 +245,7 @@ upap_lowerdown(unit) * * This shouldn't happen. In any case, pretend lower layer went down. */ -void +static void upap_protrej(unit) int unit; { @@ -239,7 +266,7 @@ upap_protrej(unit) /* * upap_input - Input UPAP packet. */ -void +static void upap_input(unit, inpacket, l) int unit; u_char *inpacket; @@ -256,18 +283,18 @@ upap_input(unit, inpacket, l) */ inp = inpacket; if (l < UPAP_HEADERLEN) { - UPAPDEBUG((LOG_INFO, "upap_input: rcvd short header.")); + UPAPDEBUG((LOG_INFO, "pap_input: rcvd short header.")); return; } GETCHAR(code, inp); GETCHAR(id, inp); GETSHORT(len, inp); if (len < UPAP_HEADERLEN) { - UPAPDEBUG((LOG_INFO, "upap_input: rcvd illegal length.")); + UPAPDEBUG((LOG_INFO, "pap_input: rcvd illegal length.")); return; } if (len > l) { - UPAPDEBUG((LOG_INFO, "upap_input: rcvd short packet.")); + UPAPDEBUG((LOG_INFO, "pap_input: rcvd short packet.")); return; } len -= UPAP_HEADERLEN; @@ -310,7 +337,7 @@ upap_rauthreq(u, inp, id, len) char *msg; int msglen; - UPAPDEBUG((LOG_INFO, "upap_rauth: Rcvd id %d.", id)); + UPAPDEBUG((LOG_INFO, "pap_rauth: Rcvd id %d.", id)); if (u->us_serverstate < UPAPSS_LISTEN) return; @@ -332,20 +359,20 @@ upap_rauthreq(u, inp, id, len) * Parse user/passwd. */ if (len < sizeof (u_char)) { - UPAPDEBUG((LOG_INFO, "upap_rauth: rcvd short packet.")); + UPAPDEBUG((LOG_INFO, "pap_rauth: rcvd short packet.")); return; } GETCHAR(ruserlen, inp); len -= sizeof (u_char) + ruserlen + sizeof (u_char); if (len < 0) { - UPAPDEBUG((LOG_INFO, "upap_rauth: rcvd short packet.")); + UPAPDEBUG((LOG_INFO, "pap_rauth: rcvd short packet.")); return; } ruser = (char *) inp; INCPTR(ruserlen, inp); GETCHAR(rpasswdlen, inp); if (len < rpasswdlen) { - UPAPDEBUG((LOG_INFO, "upap_rauth: rcvd short packet.")); + UPAPDEBUG((LOG_INFO, "pap_rauth: rcvd short packet.")); return; } rpasswd = (char *) inp; @@ -355,19 +382,20 @@ upap_rauthreq(u, inp, id, len) */ retcode = check_passwd(u->us_unit, ruser, ruserlen, rpasswd, rpasswdlen, &msg, &msglen); + BZERO(rpasswd, rpasswdlen); upap_sresp(u, retcode, id, msg, msglen); if (retcode == UPAP_AUTHACK) { u->us_serverstate = UPAPSS_OPEN; - auth_peer_success(u->us_unit, PPP_PAP); + auth_peer_success(u->us_unit, PPP_PAP, ruser, ruserlen); } else { u->us_serverstate = UPAPSS_BADAUTH; auth_peer_fail(u->us_unit, PPP_PAP); } if (u->us_reqtimeout > 0) - UNTIMEOUT(upap_reqtimeout, (caddr_t) u); + UNTIMEOUT(upap_reqtimeout, u); } @@ -384,7 +412,7 @@ upap_rauthack(u, inp, id, len) u_char msglen; char *msg; - UPAPDEBUG((LOG_INFO, "upap_rauthack: Rcvd id %d.", id)); + UPAPDEBUG((LOG_INFO, "pap_rauthack: Rcvd id %d.", id)); if (u->us_clientstate != UPAPCS_AUTHREQ) /* XXX */ return; @@ -392,13 +420,13 @@ upap_rauthack(u, inp, id, len) * Parse message. */ if (len < sizeof (u_char)) { - UPAPDEBUG((LOG_INFO, "upap_rauthack: rcvd short packet.")); + UPAPDEBUG((LOG_INFO, "pap_rauthack: rcvd short packet.")); return; } GETCHAR(msglen, inp); len -= sizeof (u_char); if (len < msglen) { - UPAPDEBUG((LOG_INFO, "upap_rauthack: rcvd short packet.")); + UPAPDEBUG((LOG_INFO, "pap_rauthack: rcvd short packet.")); return; } msg = (char *) inp; @@ -423,7 +451,7 @@ upap_rauthnak(u, inp, id, len) u_char msglen; char *msg; - UPAPDEBUG((LOG_INFO, "upap_rauthnak: Rcvd id %d.", id)); + UPAPDEBUG((LOG_INFO, "pap_rauthnak: Rcvd id %d.", id)); if (u->us_clientstate != UPAPCS_AUTHREQ) /* XXX */ return; @@ -431,13 +459,13 @@ upap_rauthnak(u, inp, id, len) * Parse message. */ if (len < sizeof (u_char)) { - UPAPDEBUG((LOG_INFO, "upap_rauthnak: rcvd short packet.")); + UPAPDEBUG((LOG_INFO, "pap_rauthnak: rcvd short packet.")); return; } GETCHAR(msglen, inp); len -= sizeof (u_char); if (len < msglen) { - UPAPDEBUG((LOG_INFO, "upap_rauthnak: rcvd short packet.")); + UPAPDEBUG((LOG_INFO, "pap_rauthnak: rcvd short packet.")); return; } msg = (char *) inp; @@ -477,9 +505,9 @@ upap_sauthreq(u) output(u->us_unit, outpacket_buf, outlen + PPP_HDRLEN); - UPAPDEBUG((LOG_INFO, "upap_sauth: Sent id %d.", u->us_id)); + UPAPDEBUG((LOG_INFO, "pap_sauth: Sent id %d.", u->us_id)); - TIMEOUT(upap_timeout, (caddr_t) u, u->us_timeouttime); + TIMEOUT(upap_timeout, u, u->us_timeouttime); ++u->us_transmits; u->us_clientstate = UPAPCS_AUTHREQ; } @@ -509,17 +537,17 @@ upap_sresp(u, code, id, msg, msglen) BCOPY(msg, outp, msglen); output(u->us_unit, outpacket_buf, outlen + PPP_HDRLEN); - UPAPDEBUG((LOG_INFO, "upap_sresp: Sent code %d, id %d.", code, id)); + UPAPDEBUG((LOG_INFO, "pap_sresp: Sent code %d, id %d.", code, id)); } /* * upap_printpkt - print the contents of a PAP packet. */ -char *upap_codenames[] = { +static char *upap_codenames[] = { "AuthReq", "AuthAck", "AuthNak" }; -int +static int upap_printpkt(p, plen, printer, arg) u_char *p; int plen; @@ -575,7 +603,7 @@ upap_printpkt(p, plen, printer, arg) msg = (char *) (p + 1); p += mlen + 1; len -= mlen + 1; - printer(arg, "msg="); + printer(arg, " "); print_string(msg, mlen, printer, arg); break; } diff --git a/usr.sbin/pppd/upap.h b/usr.sbin/pppd/upap.h index 8b1501964ad2..ba4e153cb330 100644 --- a/usr.sbin/pppd/upap.h +++ b/usr.sbin/pppd/upap.h @@ -16,7 +16,7 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: upap.h,v 1.4 1995/06/12 12:02:25 paulus Exp $ + * $Id: upap.h,v 1.6 1996/07/01 01:21:45 paulus Exp $ */ /* @@ -79,15 +79,9 @@ typedef struct upap_state { #define UPAP_DEFTIMEOUT 3 /* Timeout (seconds) for retransmitting req */ #define UPAP_DEFREQTIME 30 /* Time to wait for auth-req from peer */ - extern upap_state upap[]; -void upap_init __P((int)); void upap_authwithpeer __P((int, char *, char *)); void upap_authpeer __P((int)); -void upap_lowerup __P((int)); -void upap_lowerdown __P((int)); -void upap_input __P((int, u_char *, int)); -void upap_protrej __P((int)); -int upap_printpkt __P((u_char *, int, - void (*) __P((void *, char *, ...)), void *)); + +extern struct protent pap_protent; |