1 /* $NetBSD: if_spppsubr.c,v 1.183 2019/07/11 03:49:51 msaitoh Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak@cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun@iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.183 2019/07/11 03:49:51 msaitoh Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_modular.h" 49 #include "opt_compat_netbsd.h" 50 #include "opt_net_mpsafe.h" 51 #endif 52 53 54 #include <sys/param.h> 55 #include <sys/proc.h> 56 #include <sys/systm.h> 57 #include <sys/kernel.h> 58 #include <sys/sockio.h> 59 #include <sys/socket.h> 60 #include <sys/syslog.h> 61 #include <sys/malloc.h> 62 #include <sys/mbuf.h> 63 #include <sys/callout.h> 64 #include <sys/md5.h> 65 #include <sys/inttypes.h> 66 #include <sys/kauth.h> 67 #include <sys/cprng.h> 68 #include <sys/module.h> 69 #include <sys/workqueue.h> 70 #include <sys/atomic.h> 71 #include <sys/compat_stub.h> 72 73 #include <net/if.h> 74 #include <net/netisr.h> 75 #include <net/if_types.h> 76 #include <net/route.h> 77 #include <net/ppp_defs.h> 78 79 #include <netinet/in.h> 80 #include <netinet/in_systm.h> 81 #include <netinet/in_var.h> 82 #ifdef INET 83 #include <netinet/ip.h> 84 #include <netinet/tcp.h> 85 #endif 86 #include <net/ethertypes.h> 87 88 #ifdef INET6 89 #include <netinet6/scope6_var.h> 90 #endif 91 92 #include <net/if_sppp.h> 93 #include <net/if_spppvar.h> 94 95 #ifdef NET_MPSAFE 96 #define SPPPSUBR_MPSAFE 1 97 #endif 98 99 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 100 #define LOOPALIVECNT 3 /* loopback detection tries */ 101 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 102 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 103 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 104 105 /* 106 * Interface flags that can be set in an ifconfig command. 107 * 108 * Setting link0 will make the link passive, i.e. it will be marked 109 * as being administrative openable, but won't be opened to begin 110 * with. Incoming calls will be answered, or subsequent calls with 111 * -link1 will cause the administrative open of the LCP layer. 112 * 113 * Setting link1 will cause the link to auto-dial only as packets 114 * arrive to be sent. 115 * 116 * Setting IFF_DEBUG will syslog the option negotiation and state 117 * transitions at level kern.debug. Note: all logs consistently look 118 * like 119 * 120 * <if-name><unit>: <proto-name> <additional info...> 121 * 122 * with <if-name><unit> being something like "bppp0", and <proto-name> 123 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 124 */ 125 126 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 127 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 128 129 #define CONF_REQ 1 /* PPP configure request */ 130 #define CONF_ACK 2 /* PPP configure acknowledge */ 131 #define CONF_NAK 3 /* PPP configure negative ack */ 132 #define CONF_REJ 4 /* PPP configure reject */ 133 #define TERM_REQ 5 /* PPP terminate request */ 134 #define TERM_ACK 6 /* PPP terminate acknowledge */ 135 #define CODE_REJ 7 /* PPP code reject */ 136 #define PROTO_REJ 8 /* PPP protocol reject */ 137 #define ECHO_REQ 9 /* PPP echo request */ 138 #define ECHO_REPLY 10 /* PPP echo reply */ 139 #define DISC_REQ 11 /* PPP discard request */ 140 141 #define LCP_OPT_MRU 1 /* maximum receive unit */ 142 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 143 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 144 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 145 #define LCP_OPT_MAGIC 5 /* magic number */ 146 #define LCP_OPT_RESERVED 6 /* reserved */ 147 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 148 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 149 150 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 151 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 152 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 153 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 154 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 155 156 #define IPCP_UPDATE_LIMIT 8 /* limit of pending IP updating job */ 157 #define IPCP_SET_ADDRS 1 /* marker for IP address setting job */ 158 #define IPCP_CLEAR_ADDRS 2 /* marker for IP address clearing job */ 159 160 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 161 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 162 163 #define PAP_REQ 1 /* PAP name/password request */ 164 #define PAP_ACK 2 /* PAP acknowledge */ 165 #define PAP_NAK 3 /* PAP fail */ 166 167 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 168 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 169 #define CHAP_SUCCESS 3 /* CHAP response ok */ 170 #define CHAP_FAILURE 4 /* CHAP response failed */ 171 172 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 173 174 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 175 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 176 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 177 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 178 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 179 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 180 181 /* states are named and numbered according to RFC 1661 */ 182 #define STATE_INITIAL 0 183 #define STATE_STARTING 1 184 #define STATE_CLOSED 2 185 #define STATE_STOPPED 3 186 #define STATE_CLOSING 4 187 #define STATE_STOPPING 5 188 #define STATE_REQ_SENT 6 189 #define STATE_ACK_RCVD 7 190 #define STATE_ACK_SENT 8 191 #define STATE_OPENED 9 192 193 struct ppp_header { 194 uint8_t address; 195 uint8_t control; 196 uint16_t protocol; 197 } __packed; 198 #define PPP_HEADER_LEN sizeof (struct ppp_header) 199 200 struct lcp_header { 201 uint8_t type; 202 uint8_t ident; 203 uint16_t len; 204 } __packed; 205 #define LCP_HEADER_LEN sizeof (struct lcp_header) 206 207 struct cisco_packet { 208 uint32_t type; 209 uint32_t par1; 210 uint32_t par2; 211 uint16_t rel; 212 uint16_t time0; 213 uint16_t time1; 214 } __packed; 215 #define CISCO_PACKET_LEN 18 216 217 /* 218 * We follow the spelling and capitalization of RFC 1661 here, to make 219 * it easier comparing with the standard. Please refer to this RFC in 220 * case you can't make sense out of these abbreviation; it will also 221 * explain the semantics related to the various events and actions. 222 */ 223 struct cp { 224 u_short proto; /* PPP control protocol number */ 225 u_char protoidx; /* index into state table in struct sppp */ 226 u_char flags; 227 #define CP_LCP 0x01 /* this is the LCP */ 228 #define CP_AUTH 0x02 /* this is an authentication protocol */ 229 #define CP_NCP 0x04 /* this is a NCP */ 230 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 231 const char *name; /* name of this control protocol */ 232 /* event handlers */ 233 void (*Up)(struct sppp *sp); 234 void (*Down)(struct sppp *sp); 235 void (*Open)(struct sppp *sp); 236 void (*Close)(struct sppp *sp); 237 void (*TO)(void *sp); 238 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 239 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 240 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 241 /* actions */ 242 void (*tlu)(struct sppp *sp); 243 void (*tld)(struct sppp *sp); 244 void (*tls)(struct sppp *sp); 245 void (*tlf)(struct sppp *sp); 246 void (*scr)(struct sppp *sp); 247 }; 248 249 static struct sppp *spppq; 250 static kmutex_t *spppq_lock = NULL; 251 static callout_t keepalive_ch; 252 253 #define SPPPQ_LOCK() if (spppq_lock) \ 254 mutex_enter(spppq_lock); 255 #define SPPPQ_UNLOCK() if (spppq_lock) \ 256 mutex_exit(spppq_lock); 257 258 #define SPPP_LOCK(_sp, _op) rw_enter(&(_sp)->pp_lock, (_op)) 259 #define SPPP_UNLOCK(_sp) rw_exit(&(_sp)->pp_lock) 260 #define SPPP_WLOCKED(_sp) rw_write_held(&(_sp)->pp_lock) 261 #define SPPP_UPGRADE(_sp) do{ \ 262 SPPP_UNLOCK(_sp); \ 263 SPPP_LOCK(_sp, RW_WRITER); \ 264 }while (0) 265 #define SPPP_DOWNGRADE(_sp) rw_downgrade(&(_sp)->pp_lock) 266 267 #ifdef INET 268 #ifndef SPPPSUBR_MPSAFE 269 /* 270 * The following disgusting hack gets around the problem that IP TOS 271 * can't be set yet. We want to put "interactive" traffic on a high 272 * priority queue. To decide if traffic is interactive, we check that 273 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 274 * 275 * XXX is this really still necessary? - joerg - 276 */ 277 static u_short interactive_ports[8] = { 278 0, 513, 0, 0, 279 0, 21, 0, 23, 280 }; 281 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 282 #endif /* SPPPSUBR_MPSAFE */ 283 #endif 284 285 /* almost every function needs these */ 286 #define STDDCL \ 287 struct ifnet *ifp = &sp->pp_if; \ 288 int debug = ifp->if_flags & IFF_DEBUG 289 290 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 291 const struct sockaddr *dst, const struct rtentry *rt); 292 293 static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2); 294 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 295 296 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 297 struct mbuf *m); 298 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 299 u_char ident, u_short len, void *data); 300 /* static void sppp_cp_timeout(void *arg); */ 301 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 302 int newstate); 303 static void sppp_auth_send(const struct cp *cp, 304 struct sppp *sp, unsigned int type, unsigned int id, 305 ...); 306 307 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 308 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 309 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 310 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 311 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 312 313 static void sppp_null(struct sppp *sp); 314 315 static void sppp_lcp_init(struct sppp *sp); 316 static void sppp_lcp_up(struct sppp *sp); 317 static void sppp_lcp_down(struct sppp *sp); 318 static void sppp_lcp_open(struct sppp *sp); 319 static void sppp_lcp_close(struct sppp *sp); 320 static void sppp_lcp_TO(void *sp); 321 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 322 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 323 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 324 static void sppp_lcp_tlu(struct sppp *sp); 325 static void sppp_lcp_tld(struct sppp *sp); 326 static void sppp_lcp_tls(struct sppp *sp); 327 static void sppp_lcp_tlf(struct sppp *sp); 328 static void sppp_lcp_scr(struct sppp *sp); 329 static void sppp_lcp_check_and_close(struct sppp *sp); 330 static int sppp_ncp_check(struct sppp *sp); 331 332 static void sppp_ipcp_init(struct sppp *sp); 333 static void sppp_ipcp_up(struct sppp *sp); 334 static void sppp_ipcp_down(struct sppp *sp); 335 static void sppp_ipcp_open(struct sppp *sp); 336 static void sppp_ipcp_close(struct sppp *sp); 337 static void sppp_ipcp_TO(void *sp); 338 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 339 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 340 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 341 static void sppp_ipcp_tlu(struct sppp *sp); 342 static void sppp_ipcp_tld(struct sppp *sp); 343 static void sppp_ipcp_tls(struct sppp *sp); 344 static void sppp_ipcp_tlf(struct sppp *sp); 345 static void sppp_ipcp_scr(struct sppp *sp); 346 347 static void sppp_ipv6cp_init(struct sppp *sp); 348 static void sppp_ipv6cp_up(struct sppp *sp); 349 static void sppp_ipv6cp_down(struct sppp *sp); 350 static void sppp_ipv6cp_open(struct sppp *sp); 351 static void sppp_ipv6cp_close(struct sppp *sp); 352 static void sppp_ipv6cp_TO(void *sp); 353 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 354 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 355 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 356 static void sppp_ipv6cp_tlu(struct sppp *sp); 357 static void sppp_ipv6cp_tld(struct sppp *sp); 358 static void sppp_ipv6cp_tls(struct sppp *sp); 359 static void sppp_ipv6cp_tlf(struct sppp *sp); 360 static void sppp_ipv6cp_scr(struct sppp *sp); 361 362 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 363 static void sppp_pap_init(struct sppp *sp); 364 static void sppp_pap_open(struct sppp *sp); 365 static void sppp_pap_close(struct sppp *sp); 366 static void sppp_pap_TO(void *sp); 367 static void sppp_pap_my_TO(void *sp); 368 static void sppp_pap_tlu(struct sppp *sp); 369 static void sppp_pap_tld(struct sppp *sp); 370 static void sppp_pap_scr(struct sppp *sp); 371 372 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 373 static void sppp_chap_init(struct sppp *sp); 374 static void sppp_chap_open(struct sppp *sp); 375 static void sppp_chap_close(struct sppp *sp); 376 static void sppp_chap_TO(void *sp); 377 static void sppp_chap_tlu(struct sppp *sp); 378 static void sppp_chap_tld(struct sppp *sp); 379 static void sppp_chap_scr(struct sppp *sp); 380 381 static const char *sppp_auth_type_name(u_short proto, u_char type); 382 static const char *sppp_cp_type_name(u_char type); 383 static const char *sppp_dotted_quad(uint32_t addr); 384 static const char *sppp_ipcp_opt_name(u_char opt); 385 #ifdef INET6 386 static const char *sppp_ipv6cp_opt_name(u_char opt); 387 #endif 388 static const char *sppp_lcp_opt_name(u_char opt); 389 static const char *sppp_phase_name(int phase); 390 static const char *sppp_proto_name(u_short proto); 391 static const char *sppp_state_name(int state); 392 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 393 #ifdef INET 394 static void sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, 395 uint32_t *srcmask); 396 static void sppp_set_ip_addrs_work(struct work *wk, struct sppp *sp); 397 static void sppp_set_ip_addrs(struct sppp *sp); 398 static void sppp_clear_ip_addrs_work(struct work *wk, struct sppp *sp); 399 static void sppp_clear_ip_addrs(struct sppp *sp); 400 static void sppp_update_ip_addrs_work(struct work *wk, void *arg); 401 #endif 402 static void sppp_keepalive(void *dummy); 403 static void sppp_phase_network(struct sppp *sp); 404 static void sppp_print_bytes(const u_char *p, u_short len); 405 static void sppp_print_string(const char *p, u_short len); 406 #ifdef INET6 407 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 408 struct in6_addr *dst, struct in6_addr *srcmask); 409 #ifdef IPV6CP_MYIFID_DYN 410 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 411 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 412 #endif 413 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 414 #endif 415 416 static void sppp_notify_up(struct sppp *); 417 static void sppp_notify_down(struct sppp *); 418 static void sppp_notify_tls_wlocked(struct sppp *); 419 static void sppp_notify_tlf_wlocked(struct sppp *); 420 #ifdef INET6 421 static void sppp_notify_con_wlocked(struct sppp *); 422 #endif 423 static void sppp_notify_con(struct sppp *); 424 425 static void sppp_notify_chg_wlocked(struct sppp *); 426 427 428 /* our control protocol descriptors */ 429 static const struct cp lcp = { 430 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 431 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 432 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 433 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 434 sppp_lcp_scr 435 }; 436 437 static const struct cp ipcp = { 438 PPP_IPCP, IDX_IPCP, 439 #ifdef INET 440 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 441 #else 442 0, 443 #endif 444 "ipcp", 445 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 446 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 447 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 448 sppp_ipcp_scr 449 }; 450 451 static const struct cp ipv6cp = { 452 PPP_IPV6CP, IDX_IPV6CP, 453 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 454 CP_NCP, 455 #else 456 0, 457 #endif 458 "ipv6cp", 459 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 460 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 461 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 462 sppp_ipv6cp_scr 463 }; 464 465 static const struct cp pap = { 466 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 467 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 468 sppp_pap_TO, 0, 0, 0, 469 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 470 sppp_pap_scr 471 }; 472 473 static const struct cp chap = { 474 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 475 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 476 sppp_chap_TO, 0, 0, 0, 477 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 478 sppp_chap_scr 479 }; 480 481 static const struct cp *cps[IDX_COUNT] = { 482 &lcp, /* IDX_LCP */ 483 &ipcp, /* IDX_IPCP */ 484 &ipv6cp, /* IDX_IPV6CP */ 485 &pap, /* IDX_PAP */ 486 &chap, /* IDX_CHAP */ 487 }; 488 489 static void 490 sppp_change_phase(struct sppp *sp, int phase) 491 { 492 STDDCL; 493 494 KASSERT(SPPP_WLOCKED(sp)); 495 496 if (sp->pp_phase == phase) 497 return; 498 499 sp->pp_phase = phase; 500 501 if (phase == SPPP_PHASE_NETWORK) 502 if_link_state_change(ifp, LINK_STATE_UP); 503 else 504 if_link_state_change(ifp, LINK_STATE_DOWN); 505 506 if (debug) 507 { 508 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 509 sppp_phase_name(sp->pp_phase)); 510 } 511 } 512 513 /* 514 * Exported functions, comprising our interface to the lower layer. 515 */ 516 517 /* 518 * Process the received packet. 519 */ 520 void 521 sppp_input(struct ifnet *ifp, struct mbuf *m) 522 { 523 struct ppp_header *h = NULL; 524 pktqueue_t *pktq = NULL; 525 struct ifqueue *inq = NULL; 526 uint16_t protocol; 527 struct sppp *sp = (struct sppp *)ifp; 528 int debug = ifp->if_flags & IFF_DEBUG; 529 int isr = 0; 530 531 SPPP_LOCK(sp, RW_READER); 532 533 if (ifp->if_flags & IFF_UP) { 534 /* Count received bytes, add hardware framing */ 535 ifp->if_ibytes += m->m_pkthdr.len + sp->pp_framebytes; 536 /* Note time of last receive */ 537 sp->pp_last_receive = time_uptime; 538 } 539 540 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 541 /* Too small packet, drop it. */ 542 if (debug) 543 log(LOG_DEBUG, 544 "%s: input packet is too small, %d bytes\n", 545 ifp->if_xname, m->m_pkthdr.len); 546 drop: 547 ++ifp->if_ierrors; 548 ++ifp->if_iqdrops; 549 m_freem(m); 550 SPPP_UNLOCK(sp); 551 return; 552 } 553 554 if (sp->pp_flags & PP_NOFRAMING) { 555 memcpy(&protocol, mtod(m, void *), 2); 556 protocol = ntohs(protocol); 557 m_adj(m, 2); 558 } else { 559 560 /* Get PPP header. */ 561 h = mtod(m, struct ppp_header *); 562 m_adj(m, PPP_HEADER_LEN); 563 564 switch (h->address) { 565 case PPP_ALLSTATIONS: 566 if (h->control != PPP_UI) 567 goto invalid; 568 if (sp->pp_flags & PP_CISCO) { 569 if (debug) 570 log(LOG_DEBUG, 571 "%s: PPP packet in Cisco mode " 572 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 573 ifp->if_xname, 574 h->address, h->control, ntohs(h->protocol)); 575 goto drop; 576 } 577 break; 578 case CISCO_MULTICAST: 579 case CISCO_UNICAST: 580 /* Don't check the control field here (RFC 1547). */ 581 if (! (sp->pp_flags & PP_CISCO)) { 582 if (debug) 583 log(LOG_DEBUG, 584 "%s: Cisco packet in PPP mode " 585 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 586 ifp->if_xname, 587 h->address, h->control, ntohs(h->protocol)); 588 goto drop; 589 } 590 switch (ntohs(h->protocol)) { 591 default: 592 ++ifp->if_noproto; 593 goto invalid; 594 case CISCO_KEEPALIVE: 595 SPPP_UNLOCK(sp); 596 sppp_cisco_input((struct sppp *) ifp, m); 597 m_freem(m); 598 return; 599 #ifdef INET 600 case ETHERTYPE_IP: 601 pktq = ip_pktq; 602 break; 603 #endif 604 #ifdef INET6 605 case ETHERTYPE_IPV6: 606 pktq = ip6_pktq; 607 break; 608 #endif 609 } 610 goto queue_pkt; 611 default: /* Invalid PPP packet. */ 612 invalid: 613 if (debug) 614 log(LOG_DEBUG, 615 "%s: invalid input packet " 616 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 617 ifp->if_xname, 618 h->address, h->control, ntohs(h->protocol)); 619 goto drop; 620 } 621 protocol = ntohs(h->protocol); 622 } 623 624 switch (protocol) { 625 default: 626 if (sp->state[IDX_LCP] == STATE_OPENED) { 627 uint16_t prot = htons(protocol); 628 629 SPPP_UPGRADE(sp); 630 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 631 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 632 &prot); 633 SPPP_DOWNGRADE(sp); 634 } 635 if (debug) 636 log(LOG_DEBUG, 637 "%s: invalid input protocol " 638 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol)); 639 ++ifp->if_noproto; 640 goto drop; 641 case PPP_LCP: 642 SPPP_UNLOCK(sp); 643 sppp_cp_input(&lcp, sp, m); 644 m_freem(m); 645 return; 646 case PPP_PAP: 647 SPPP_UNLOCK(sp); 648 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 649 sppp_pap_input(sp, m); 650 } 651 m_freem(m); 652 return; 653 case PPP_CHAP: 654 SPPP_UNLOCK(sp); 655 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 656 sppp_chap_input(sp, m); 657 } 658 m_freem(m); 659 return; 660 #ifdef INET 661 case PPP_IPCP: 662 SPPP_UNLOCK(sp); 663 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 664 sppp_cp_input(&ipcp, sp, m); 665 } 666 m_freem(m); 667 return; 668 case PPP_IP: 669 if (sp->state[IDX_IPCP] == STATE_OPENED) { 670 sp->pp_last_activity = time_uptime; 671 pktq = ip_pktq; 672 } 673 break; 674 #endif 675 #ifdef INET6 676 case PPP_IPV6CP: 677 SPPP_UNLOCK(sp); 678 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 679 sppp_cp_input(&ipv6cp, sp, m); 680 } 681 m_freem(m); 682 return; 683 684 case PPP_IPV6: 685 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 686 sp->pp_last_activity = time_uptime; 687 pktq = ip6_pktq; 688 } 689 break; 690 #endif 691 } 692 693 queue_pkt: 694 if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) { 695 goto drop; 696 } 697 698 /* Check queue. */ 699 if (__predict_true(pktq)) { 700 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 701 goto drop; 702 } 703 SPPP_UNLOCK(sp); 704 return; 705 } 706 707 SPPP_UNLOCK(sp); 708 709 IFQ_LOCK(inq); 710 if (IF_QFULL(inq)) { 711 /* Queue overflow. */ 712 IF_DROP(inq); 713 IFQ_UNLOCK(inq); 714 if (debug) 715 log(LOG_DEBUG, "%s: protocol queue overflow\n", 716 ifp->if_xname); 717 718 SPPP_LOCK(sp, RW_READER); 719 goto drop; 720 } 721 IF_ENQUEUE(inq, m); 722 IFQ_UNLOCK(inq); 723 schednetisr(isr); 724 } 725 726 /* 727 * Enqueue transmit packet. 728 */ 729 static int 730 sppp_output(struct ifnet *ifp, struct mbuf *m, 731 const struct sockaddr *dst, const struct rtentry *rt) 732 { 733 struct sppp *sp = (struct sppp *) ifp; 734 struct ppp_header *h = NULL; 735 #ifndef SPPPSUBR_MPSAFE 736 struct ifqueue *ifq = NULL; /* XXX */ 737 #endif 738 int s, error = 0; 739 uint16_t protocol; 740 size_t pktlen; 741 742 s = splnet(); 743 SPPP_LOCK(sp, RW_READER); 744 745 sp->pp_last_activity = time_uptime; 746 747 if ((ifp->if_flags & IFF_UP) == 0 || 748 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 749 SPPP_UNLOCK(sp); 750 splx(s); 751 752 m_freem(m); 753 754 return (ENETDOWN); 755 } 756 757 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 758 /* 759 * Interface is not yet running, but auto-dial. Need 760 * to start LCP for it. 761 */ 762 ifp->if_flags |= IFF_RUNNING; 763 764 SPPP_UNLOCK(sp); 765 splx(s); 766 767 SPPP_LOCK(sp, RW_WRITER); 768 lcp.Open(sp); 769 SPPP_UNLOCK(sp); 770 771 s = splnet(); 772 SPPP_LOCK(sp, RW_READER); 773 } 774 775 /* 776 * If the queueing discipline needs packet classification, 777 * do it before prepending link headers. 778 */ 779 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family); 780 781 #ifdef INET 782 if (dst->sa_family == AF_INET) { 783 struct ip *ip = NULL; 784 #ifndef SPPPSUBR_MPSAFE 785 struct tcphdr *th = NULL; 786 #endif 787 788 if (m->m_len >= sizeof(struct ip)) { 789 ip = mtod(m, struct ip *); 790 #ifndef SPPPSUBR_MPSAFE 791 if (ip->ip_p == IPPROTO_TCP && 792 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 793 sizeof(struct tcphdr)) { 794 th = (struct tcphdr *) 795 ((char *)ip + (ip->ip_hl << 2)); 796 } 797 #endif 798 } else 799 ip = NULL; 800 801 /* 802 * When using dynamic local IP address assignment by using 803 * 0.0.0.0 as a local address, the first TCP session will 804 * not connect because the local TCP checksum is computed 805 * using 0.0.0.0 which will later become our real IP address 806 * so the TCP checksum computed at the remote end will 807 * become invalid. So we 808 * - don't let packets with src ip addr 0 thru 809 * - we flag TCP packets with src ip 0 as an error 810 */ 811 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 812 uint8_t proto = ip->ip_p; 813 814 SPPP_UNLOCK(sp); 815 splx(s); 816 817 m_freem(m); 818 if (proto == IPPROTO_TCP) 819 return (EADDRNOTAVAIL); 820 else 821 return (0); 822 } 823 824 #ifndef SPPPSUBR_MPSAFE 825 /* 826 * Put low delay, telnet, rlogin and ftp control packets 827 * in front of the queue. 828 */ 829 if (!IF_QFULL(&sp->pp_fastq) && 830 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 831 (th && (INTERACTIVE(ntohs(th->th_sport)) || 832 INTERACTIVE(ntohs(th->th_dport)))))) 833 ifq = &sp->pp_fastq; 834 #endif /* !SPPPSUBR_MPSAFE */ 835 } 836 #endif 837 838 #ifdef INET6 839 if (dst->sa_family == AF_INET6) { 840 /* XXX do something tricky here? */ 841 } 842 #endif 843 844 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 845 /* 846 * Prepend general data packet PPP header. For now, IP only. 847 */ 848 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 849 if (! m) { 850 if (ifp->if_flags & IFF_DEBUG) 851 log(LOG_DEBUG, "%s: no memory for transmit header\n", 852 ifp->if_xname); 853 ++ifp->if_oerrors; 854 SPPP_UNLOCK(sp); 855 splx(s); 856 return (ENOBUFS); 857 } 858 /* 859 * May want to check size of packet 860 * (albeit due to the implementation it's always enough) 861 */ 862 h = mtod(m, struct ppp_header *); 863 if (sp->pp_flags & PP_CISCO) { 864 h->address = CISCO_UNICAST; /* unicast address */ 865 h->control = 0; 866 } else { 867 h->address = PPP_ALLSTATIONS; /* broadcast address */ 868 h->control = PPP_UI; /* Unnumbered Info */ 869 } 870 } 871 872 switch (dst->sa_family) { 873 #ifdef INET 874 case AF_INET: /* Internet Protocol */ 875 if (sp->pp_flags & PP_CISCO) 876 protocol = htons(ETHERTYPE_IP); 877 else { 878 /* 879 * Don't choke with an ENETDOWN early. It's 880 * possible that we just started dialing out, 881 * so don't drop the packet immediately. If 882 * we notice that we run out of buffer space 883 * below, we will however remember that we are 884 * not ready to carry IP packets, and return 885 * ENETDOWN, as opposed to ENOBUFS. 886 */ 887 protocol = htons(PPP_IP); 888 if (sp->state[IDX_IPCP] != STATE_OPENED) 889 error = ENETDOWN; 890 } 891 break; 892 #endif 893 #ifdef INET6 894 case AF_INET6: /* Internet Protocol version 6 */ 895 if (sp->pp_flags & PP_CISCO) 896 protocol = htons(ETHERTYPE_IPV6); 897 else { 898 /* 899 * Don't choke with an ENETDOWN early. It's 900 * possible that we just started dialing out, 901 * so don't drop the packet immediately. If 902 * we notice that we run out of buffer space 903 * below, we will however remember that we are 904 * not ready to carry IP packets, and return 905 * ENETDOWN, as opposed to ENOBUFS. 906 */ 907 protocol = htons(PPP_IPV6); 908 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 909 error = ENETDOWN; 910 } 911 break; 912 #endif 913 default: 914 m_freem(m); 915 ++ifp->if_oerrors; 916 SPPP_UNLOCK(sp); 917 splx(s); 918 return (EAFNOSUPPORT); 919 } 920 921 if (sp->pp_flags & PP_NOFRAMING) { 922 M_PREPEND(m, 2, M_DONTWAIT); 923 if (m == NULL) { 924 if (ifp->if_flags & IFF_DEBUG) 925 log(LOG_DEBUG, "%s: no memory for transmit header\n", 926 ifp->if_xname); 927 ++ifp->if_oerrors; 928 SPPP_UNLOCK(sp); 929 splx(s); 930 return (ENOBUFS); 931 } 932 *mtod(m, uint16_t *) = protocol; 933 } else { 934 h->protocol = protocol; 935 } 936 937 pktlen = m->m_pkthdr.len; 938 #ifdef SPPPSUBR_MPSAFE 939 SPPP_UNLOCK(sp); 940 error = if_transmit_lock(ifp, m); 941 SPPP_LOCK(sp, RW_READER); 942 if (error == 0) 943 ifp->if_obytes += pktlen + sp->pp_framebytes; 944 #else /* !SPPPSUBR_MPSAFE */ 945 error = ifq_enqueue2(ifp, ifq, m); 946 947 if (error == 0) { 948 /* 949 * Count output packets and bytes. 950 * The packet length includes header + additional hardware 951 * framing according to RFC 1333. 952 */ 953 if (!(ifp->if_flags & IFF_OACTIVE)) { 954 SPPP_UNLOCK(sp); 955 if_start_lock(ifp); 956 SPPP_LOCK(sp, RW_READER); 957 } 958 ifp->if_obytes += pktlen + sp->pp_framebytes; 959 } 960 #endif /* !SPPPSUBR_MPSAFE */ 961 SPPP_UNLOCK(sp); 962 splx(s); 963 return error; 964 } 965 966 static int 967 sppp_mediachange(struct ifnet *ifp) 968 { 969 970 return (0); 971 } 972 973 static void 974 sppp_mediastatus(struct ifnet *ifp, struct ifmediareq *imr) 975 { 976 struct sppp *sp = (struct sppp *)ifp; 977 978 SPPP_LOCK(sp, RW_WRITER); 979 980 switch (ifp->if_link_state) { 981 case LINK_STATE_UP: 982 imr->ifm_status = IFM_AVALID | IFM_ACTIVE; 983 break; 984 case LINK_STATE_DOWN: 985 imr->ifm_status = IFM_AVALID; 986 break; 987 default: 988 /* Should be impossible as we set link state down in attach. */ 989 imr->ifm_status = 0; 990 break; 991 } 992 993 SPPP_UNLOCK(sp); 994 } 995 996 void 997 sppp_attach(struct ifnet *ifp) 998 { 999 struct sppp *sp = (struct sppp *) ifp; 1000 1001 /* Initialize keepalive handler. */ 1002 if (! spppq) { 1003 callout_init(&keepalive_ch, CALLOUT_MPSAFE); 1004 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 1005 } 1006 1007 if (! spppq_lock) 1008 spppq_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_SOFTNET); 1009 1010 /* Insert new entry into the keepalive list. */ 1011 sp->pp_next = spppq; 1012 spppq = sp; 1013 1014 sp->pp_if.if_type = IFT_PPP; 1015 sp->pp_if.if_output = sppp_output; 1016 sp->pp_fastq.ifq_maxlen = 32; 1017 sp->pp_cpq.ifq_maxlen = 20; 1018 sp->pp_loopcnt = 0; 1019 sp->pp_alivecnt = 0; 1020 sp->pp_last_activity = 0; 1021 sp->pp_last_receive = 0; 1022 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 1023 sp->pp_max_noreceive = DEFAULT_NORECV_TIME; 1024 sp->pp_idle_timeout = 0; 1025 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq)); 1026 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq)); 1027 sp->pp_auth_failures = 0; 1028 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 1029 sp->pp_phase = SPPP_PHASE_DEAD; 1030 sp->pp_up = sppp_notify_up; 1031 sp->pp_down = sppp_notify_down; 1032 rw_init(&sp->pp_lock); 1033 1034 if_alloc_sadl(ifp); 1035 1036 /* Lets not beat about the bush, we know we're down. */ 1037 ifp->if_link_state = LINK_STATE_DOWN; 1038 /* There is no media for PPP, but it's needed to report link status. */ 1039 ifmedia_init(&sp->pp_im, 0, sppp_mediachange, sppp_mediastatus); 1040 1041 memset(&sp->myauth, 0, sizeof sp->myauth); 1042 memset(&sp->hisauth, 0, sizeof sp->hisauth); 1043 SPPP_LOCK(sp, RW_WRITER); 1044 sppp_lcp_init(sp); 1045 sppp_ipcp_init(sp); 1046 sppp_ipv6cp_init(sp); 1047 sppp_pap_init(sp); 1048 sppp_chap_init(sp); 1049 SPPP_UNLOCK(sp); 1050 } 1051 1052 void 1053 sppp_detach(struct ifnet *ifp) 1054 { 1055 struct sppp **q, *p, *sp = (struct sppp *) ifp; 1056 1057 /* Remove the entry from the keepalive list. */ 1058 SPPPQ_LOCK(); 1059 for (q = &spppq; (p = *q); q = &p->pp_next) 1060 if (p == sp) { 1061 *q = p->pp_next; 1062 break; 1063 } 1064 SPPPQ_UNLOCK(); 1065 1066 if (! spppq) { 1067 /* Stop keepalive handler. */ 1068 callout_stop(&keepalive_ch); 1069 mutex_obj_free(spppq_lock); 1070 spppq_lock = NULL; 1071 } 1072 1073 SPPP_LOCK(sp, RW_WRITER); 1074 1075 /* to avoid workqueue enqueued */ 1076 atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1); 1077 workqueue_wait(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk); 1078 workqueue_destroy(sp->ipcp.update_addrs_wq); 1079 pcq_destroy(sp->ipcp.update_addrs_q); 1080 1081 callout_stop(&sp->ch[IDX_LCP]); 1082 callout_stop(&sp->ch[IDX_IPCP]); 1083 callout_stop(&sp->ch[IDX_PAP]); 1084 callout_stop(&sp->ch[IDX_CHAP]); 1085 #ifdef INET6 1086 callout_stop(&sp->ch[IDX_IPV6CP]); 1087 #endif 1088 callout_stop(&sp->pap_my_to_ch); 1089 1090 /* free authentication info */ 1091 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 1092 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 1093 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 1094 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 1095 SPPP_UNLOCK(sp); 1096 rw_destroy(&sp->pp_lock); 1097 1098 /* Safety - shouldn't be needed as there is no media to set. */ 1099 ifmedia_delete_instance(&sp->pp_im, IFM_INST_ANY); 1100 } 1101 1102 /* 1103 * Flush the interface output queue. 1104 */ 1105 void 1106 sppp_flush(struct ifnet *ifp) 1107 { 1108 struct sppp *sp = (struct sppp *) ifp; 1109 1110 SPPP_LOCK(sp, RW_WRITER); 1111 IFQ_PURGE(&sp->pp_if.if_snd); 1112 IF_PURGE(&sp->pp_fastq); 1113 IF_PURGE(&sp->pp_cpq); 1114 SPPP_UNLOCK(sp); 1115 } 1116 1117 /* 1118 * Check if the output queue is empty. 1119 */ 1120 int 1121 sppp_isempty(struct ifnet *ifp) 1122 { 1123 struct sppp *sp = (struct sppp *) ifp; 1124 int empty, s; 1125 1126 s = splnet(); 1127 SPPP_LOCK(sp, RW_READER); 1128 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 1129 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 1130 SPPP_UNLOCK(sp); 1131 splx(s); 1132 return (empty); 1133 } 1134 1135 /* 1136 * Get next packet to send. 1137 */ 1138 struct mbuf * 1139 sppp_dequeue(struct ifnet *ifp) 1140 { 1141 struct sppp *sp = (struct sppp *) ifp; 1142 struct mbuf *m; 1143 int s; 1144 1145 s = splnet(); 1146 SPPP_LOCK(sp, RW_WRITER); 1147 /* 1148 * Process only the control protocol queue until we have at 1149 * least one NCP open. 1150 * 1151 * Do always serve all three queues in Cisco mode. 1152 */ 1153 IF_DEQUEUE(&sp->pp_cpq, m); 1154 if (m == NULL && 1155 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) { 1156 IF_DEQUEUE(&sp->pp_fastq, m); 1157 if (m == NULL) 1158 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 1159 } 1160 SPPP_UNLOCK(sp); 1161 splx(s); 1162 return m; 1163 } 1164 1165 /* 1166 * Process an ioctl request. Called on low priority level. 1167 */ 1168 int 1169 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1170 { 1171 struct lwp *l = curlwp; /* XXX */ 1172 struct ifreq *ifr = (struct ifreq *) data; 1173 struct ifaddr *ifa = (struct ifaddr *) data; 1174 struct sppp *sp = (struct sppp *) ifp; 1175 int s, error=0, going_up, going_down, newmode; 1176 1177 s = splnet(); 1178 switch (cmd) { 1179 case SIOCINITIFADDR: 1180 ifa->ifa_rtrequest = p2p_rtrequest; 1181 break; 1182 1183 case SIOCSIFFLAGS: 1184 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1185 break; 1186 1187 SPPP_LOCK(sp, RW_WRITER); 1188 going_up = ifp->if_flags & IFF_UP && 1189 (ifp->if_flags & IFF_RUNNING) == 0; 1190 going_down = (ifp->if_flags & IFF_UP) == 0 && 1191 ifp->if_flags & IFF_RUNNING; 1192 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1193 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1194 /* sanity */ 1195 newmode = IFF_PASSIVE; 1196 ifp->if_flags &= ~IFF_AUTO; 1197 } 1198 1199 if (going_up || going_down) { 1200 lcp.Close(sp); 1201 } 1202 if (going_up && newmode == 0) { 1203 /* neither auto-dial nor passive */ 1204 ifp->if_flags |= IFF_RUNNING; 1205 if (!(sp->pp_flags & PP_CISCO)) 1206 lcp.Open(sp); 1207 } else if (going_down) { 1208 SPPP_UNLOCK(sp); 1209 sppp_flush(ifp); 1210 SPPP_LOCK(sp, RW_WRITER); 1211 1212 ifp->if_flags &= ~IFF_RUNNING; 1213 } 1214 SPPP_UNLOCK(sp); 1215 break; 1216 1217 case SIOCSIFMTU: 1218 if (ifr->ifr_mtu < PPP_MINMRU || 1219 ifr->ifr_mtu > sp->lcp.their_mru) { 1220 error = EINVAL; 1221 break; 1222 } 1223 /*FALLTHROUGH*/ 1224 case SIOCGIFMTU: 1225 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1226 error = 0; 1227 break; 1228 case SIOCADDMULTI: 1229 case SIOCDELMULTI: 1230 break; 1231 1232 case SPPPSETAUTHCFG: 1233 case SPPPSETLCPCFG: 1234 case SPPPSETIDLETO: 1235 case SPPPSETAUTHFAILURE: 1236 case SPPPSETDNSOPTS: 1237 case SPPPSETKEEPALIVE: 1238 #if defined(COMPAT_50) || defined(MODULAR) 1239 case __SPPPSETIDLETO50: 1240 case __SPPPSETKEEPALIVE50: 1241 #endif /* COMPAT_50 || MODULAR */ 1242 error = kauth_authorize_network(l->l_cred, 1243 KAUTH_NETWORK_INTERFACE, 1244 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1245 NULL); 1246 if (error) 1247 break; 1248 error = sppp_params(sp, cmd, data); 1249 break; 1250 1251 case SPPPGETAUTHCFG: 1252 case SPPPGETLCPCFG: 1253 case SPPPGETAUTHFAILURES: 1254 error = kauth_authorize_network(l->l_cred, 1255 KAUTH_NETWORK_INTERFACE, 1256 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1257 NULL); 1258 if (error) 1259 break; 1260 error = sppp_params(sp, cmd, data); 1261 break; 1262 1263 case SPPPGETSTATUS: 1264 case SPPPGETSTATUSNCP: 1265 case SPPPGETIDLETO: 1266 case SPPPGETDNSOPTS: 1267 case SPPPGETDNSADDRS: 1268 case SPPPGETKEEPALIVE: 1269 #if defined(COMPAT_50) || defined(MODULAR) 1270 case __SPPPGETIDLETO50: 1271 case __SPPPGETKEEPALIVE50: 1272 #endif /* COMPAT_50 || MODULAR */ 1273 error = sppp_params(sp, cmd, data); 1274 break; 1275 1276 case SIOCGIFMEDIA: 1277 error = ifmedia_ioctl(ifp, ifr, &sp->pp_im, cmd); 1278 break; 1279 1280 default: 1281 error = ifioctl_common(ifp, cmd, data); 1282 break; 1283 } 1284 splx(s); 1285 return (error); 1286 } 1287 1288 1289 /* 1290 * Cisco framing implementation. 1291 */ 1292 1293 /* 1294 * Handle incoming Cisco keepalive protocol packets. 1295 */ 1296 static void 1297 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1298 { 1299 STDDCL; 1300 struct cisco_packet *h; 1301 #ifdef INET 1302 uint32_t me, mymask = 0; /* XXX: GCC */ 1303 #endif 1304 1305 SPPP_LOCK(sp, RW_WRITER); 1306 1307 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1308 if (debug) 1309 log(LOG_DEBUG, 1310 "%s: cisco invalid packet length: %d bytes\n", 1311 ifp->if_xname, m->m_pkthdr.len); 1312 SPPP_UNLOCK(sp); 1313 return; 1314 } 1315 h = mtod(m, struct cisco_packet *); 1316 if (debug) 1317 log(LOG_DEBUG, 1318 "%s: cisco input: %d bytes " 1319 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1320 ifp->if_xname, m->m_pkthdr.len, 1321 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1322 (u_int)h->time0, (u_int)h->time1); 1323 switch (ntohl(h->type)) { 1324 default: 1325 if (debug) 1326 addlog("%s: cisco unknown packet type: 0x%x\n", 1327 ifp->if_xname, ntohl(h->type)); 1328 break; 1329 case CISCO_ADDR_REPLY: 1330 /* Reply on address request, ignore */ 1331 break; 1332 case CISCO_KEEPALIVE_REQ: 1333 sp->pp_alivecnt = 0; 1334 sp->pp_rseq[IDX_LCP] = ntohl(h->par1); 1335 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1336 /* Local and remote sequence numbers are equal. 1337 * Probably, the line is in loopback mode. */ 1338 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1339 printf ("%s: loopback\n", 1340 ifp->if_xname); 1341 sp->pp_loopcnt = 0; 1342 if (ifp->if_flags & IFF_UP) { 1343 SPPP_UNLOCK(sp); 1344 if_down(ifp); 1345 SPPP_LOCK(sp, RW_WRITER); 1346 1347 IF_PURGE(&sp->pp_cpq); 1348 } 1349 } 1350 ++sp->pp_loopcnt; 1351 1352 /* Generate new local sequence number */ 1353 sp->pp_seq[IDX_LCP] = cprng_fast32(); 1354 break; 1355 } 1356 sp->pp_loopcnt = 0; 1357 if (! (ifp->if_flags & IFF_UP) && 1358 (ifp->if_flags & IFF_RUNNING)) { 1359 SPPP_UNLOCK(sp); 1360 if_up(ifp); 1361 SPPP_LOCK(sp, RW_WRITER); 1362 } 1363 break; 1364 case CISCO_ADDR_REQ: 1365 #ifdef INET 1366 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1367 if (me != 0L) 1368 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1369 #endif 1370 break; 1371 } 1372 SPPP_UNLOCK(sp); 1373 } 1374 1375 /* 1376 * Send Cisco keepalive packet. 1377 */ 1378 static void 1379 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1380 { 1381 STDDCL; 1382 struct ppp_header *h; 1383 struct cisco_packet *ch; 1384 struct mbuf *m; 1385 uint32_t t; 1386 1387 KASSERT(SPPP_WLOCKED(sp)); 1388 1389 t = time_uptime * 1000; 1390 MGETHDR(m, M_DONTWAIT, MT_DATA); 1391 if (! m) 1392 return; 1393 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1394 m_reset_rcvif(m); 1395 1396 h = mtod(m, struct ppp_header *); 1397 h->address = CISCO_MULTICAST; 1398 h->control = 0; 1399 h->protocol = htons(CISCO_KEEPALIVE); 1400 1401 ch = (struct cisco_packet *)(h + 1); 1402 ch->type = htonl(type); 1403 ch->par1 = htonl(par1); 1404 ch->par2 = htonl(par2); 1405 ch->rel = -1; 1406 1407 ch->time0 = htons((u_short)(t >> 16)); 1408 ch->time1 = htons((u_short) t); 1409 1410 if (debug) 1411 log(LOG_DEBUG, 1412 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1413 ifp->if_xname, ntohl(ch->type), ch->par1, 1414 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1415 (u_int)ch->time1); 1416 1417 if (IF_QFULL(&sp->pp_cpq)) { 1418 IF_DROP(&sp->pp_fastq); 1419 IF_DROP(&ifp->if_snd); 1420 m_freem(m); 1421 ++ifp->if_oerrors; 1422 return; 1423 } 1424 1425 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1426 IF_ENQUEUE(&sp->pp_cpq, m); 1427 1428 if (! (ifp->if_flags & IFF_OACTIVE)) { 1429 SPPP_UNLOCK(sp); 1430 if_start_lock(ifp); 1431 SPPP_LOCK(sp, RW_WRITER); 1432 } 1433 } 1434 1435 /* 1436 * PPP protocol implementation. 1437 */ 1438 1439 /* 1440 * Send PPP control protocol packet. 1441 */ 1442 static void 1443 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1444 u_char ident, u_short len, void *data) 1445 { 1446 STDDCL; 1447 struct lcp_header *lh; 1448 struct mbuf *m; 1449 size_t pkthdrlen; 1450 1451 KASSERT(SPPP_WLOCKED(sp)); 1452 1453 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1454 1455 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1456 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1457 MGETHDR(m, M_DONTWAIT, MT_DATA); 1458 if (! m) { 1459 return; 1460 } 1461 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1462 m_reset_rcvif(m); 1463 1464 if (sp->pp_flags & PP_NOFRAMING) { 1465 *mtod(m, uint16_t *) = htons(proto); 1466 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1467 } else { 1468 struct ppp_header *h; 1469 h = mtod(m, struct ppp_header *); 1470 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1471 h->control = PPP_UI; /* Unnumbered Info */ 1472 h->protocol = htons(proto); /* Link Control Protocol */ 1473 lh = (struct lcp_header *)(h + 1); 1474 } 1475 lh->type = type; 1476 lh->ident = ident; 1477 lh->len = htons(LCP_HEADER_LEN + len); 1478 if (len) 1479 memcpy(lh + 1, data, len); 1480 1481 if (debug) { 1482 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1483 ifp->if_xname, 1484 sppp_proto_name(proto), 1485 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len)); 1486 if (len) 1487 sppp_print_bytes((u_char *)(lh + 1), len); 1488 addlog(">\n"); 1489 } 1490 if (IF_QFULL(&sp->pp_cpq)) { 1491 IF_DROP(&sp->pp_fastq); 1492 IF_DROP(&ifp->if_snd); 1493 m_freem(m); 1494 ++ifp->if_oerrors; 1495 return; 1496 } 1497 1498 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1499 IF_ENQUEUE(&sp->pp_cpq, m); 1500 1501 1502 if (! (ifp->if_flags & IFF_OACTIVE)) { 1503 SPPP_UNLOCK(sp); 1504 if_start_lock(ifp); 1505 SPPP_LOCK(sp, RW_WRITER); 1506 } 1507 } 1508 1509 /* 1510 * Handle incoming PPP control protocol packets. 1511 */ 1512 static void 1513 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1514 { 1515 STDDCL; 1516 struct lcp_header *h; 1517 int printlen, len = m->m_pkthdr.len; 1518 int rv; 1519 u_char *p; 1520 uint32_t u32; 1521 1522 SPPP_LOCK(sp, RW_WRITER); 1523 1524 if (len < 4) { 1525 if (debug) 1526 log(LOG_DEBUG, 1527 "%s: %s invalid packet length: %d bytes\n", 1528 ifp->if_xname, cp->name, len); 1529 SPPP_UNLOCK(sp); 1530 return; 1531 } 1532 h = mtod(m, struct lcp_header *); 1533 if (debug) { 1534 printlen = ntohs(h->len); 1535 log(LOG_DEBUG, 1536 "%s: %s input(%s): <%s id=0x%x len=%d", 1537 ifp->if_xname, cp->name, 1538 sppp_state_name(sp->state[cp->protoidx]), 1539 sppp_cp_type_name(h->type), h->ident, printlen); 1540 if (len < printlen) 1541 printlen = len; 1542 if (printlen > 4) 1543 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1544 addlog(">\n"); 1545 } 1546 if (len > ntohs(h->len)) 1547 len = ntohs(h->len); 1548 p = (u_char *)(h + 1); 1549 switch (h->type) { 1550 case CONF_REQ: 1551 if (len < 4) { 1552 if (debug) 1553 addlog("%s: %s invalid conf-req length %d\n", 1554 ifp->if_xname, cp->name, 1555 len); 1556 ++ifp->if_ierrors; 1557 break; 1558 } 1559 /* handle states where RCR doesn't get a SCA/SCN */ 1560 switch (sp->state[cp->protoidx]) { 1561 case STATE_CLOSING: 1562 case STATE_STOPPING: 1563 SPPP_UNLOCK(sp); 1564 return; 1565 case STATE_CLOSED: 1566 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1567 0, 0); 1568 SPPP_UNLOCK(sp); 1569 return; 1570 } 1571 rv = (cp->RCR)(sp, h, len); 1572 if (rv < 0) { 1573 /* fatal error, shut down */ 1574 (cp->tld)(sp); 1575 sppp_lcp_tlf(sp); 1576 SPPP_UNLOCK(sp); 1577 return; 1578 } 1579 switch (sp->state[cp->protoidx]) { 1580 case STATE_OPENED: 1581 (cp->tld)(sp); 1582 (cp->scr)(sp); 1583 /* fall through... */ 1584 case STATE_ACK_SENT: 1585 case STATE_REQ_SENT: 1586 sppp_cp_change_state(cp, sp, rv? 1587 STATE_ACK_SENT: STATE_REQ_SENT); 1588 break; 1589 case STATE_STOPPED: 1590 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1591 (cp->scr)(sp); 1592 sppp_cp_change_state(cp, sp, rv? 1593 STATE_ACK_SENT: STATE_REQ_SENT); 1594 break; 1595 case STATE_ACK_RCVD: 1596 if (rv) { 1597 sppp_cp_change_state(cp, sp, STATE_OPENED); 1598 if (debug) 1599 log(LOG_DEBUG, "%s: %s tlu\n", 1600 ifp->if_xname, 1601 cp->name); 1602 (cp->tlu)(sp); 1603 } else 1604 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1605 break; 1606 default: 1607 printf("%s: %s illegal %s in state %s\n", 1608 ifp->if_xname, cp->name, 1609 sppp_cp_type_name(h->type), 1610 sppp_state_name(sp->state[cp->protoidx])); 1611 ++ifp->if_ierrors; 1612 } 1613 break; 1614 case CONF_ACK: 1615 if (h->ident != sp->confid[cp->protoidx]) { 1616 if (debug) 1617 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1618 ifp->if_xname, cp->name, 1619 h->ident, sp->confid[cp->protoidx]); 1620 ++ifp->if_ierrors; 1621 break; 1622 } 1623 switch (sp->state[cp->protoidx]) { 1624 case STATE_CLOSED: 1625 case STATE_STOPPED: 1626 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1627 break; 1628 case STATE_CLOSING: 1629 case STATE_STOPPING: 1630 break; 1631 case STATE_REQ_SENT: 1632 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1633 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1634 break; 1635 case STATE_OPENED: 1636 (cp->tld)(sp); 1637 /* fall through */ 1638 case STATE_ACK_RCVD: 1639 (cp->scr)(sp); 1640 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1641 break; 1642 case STATE_ACK_SENT: 1643 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1644 sppp_cp_change_state(cp, sp, STATE_OPENED); 1645 if (debug) 1646 log(LOG_DEBUG, "%s: %s tlu\n", 1647 ifp->if_xname, cp->name); 1648 (cp->tlu)(sp); 1649 break; 1650 default: 1651 printf("%s: %s illegal %s in state %s\n", 1652 ifp->if_xname, cp->name, 1653 sppp_cp_type_name(h->type), 1654 sppp_state_name(sp->state[cp->protoidx])); 1655 ++ifp->if_ierrors; 1656 } 1657 break; 1658 case CONF_NAK: 1659 case CONF_REJ: 1660 if (h->ident != sp->confid[cp->protoidx]) { 1661 if (debug) 1662 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1663 ifp->if_xname, cp->name, 1664 h->ident, sp->confid[cp->protoidx]); 1665 ++ifp->if_ierrors; 1666 break; 1667 } 1668 if (h->type == CONF_NAK) 1669 (cp->RCN_nak)(sp, h, len); 1670 else /* CONF_REJ */ 1671 (cp->RCN_rej)(sp, h, len); 1672 1673 switch (sp->state[cp->protoidx]) { 1674 case STATE_CLOSED: 1675 case STATE_STOPPED: 1676 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1677 break; 1678 case STATE_REQ_SENT: 1679 case STATE_ACK_SENT: 1680 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1681 (cp->scr)(sp); 1682 break; 1683 case STATE_OPENED: 1684 (cp->tld)(sp); 1685 /* fall through */ 1686 case STATE_ACK_RCVD: 1687 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 1688 (cp->scr)(sp); 1689 break; 1690 case STATE_CLOSING: 1691 case STATE_STOPPING: 1692 break; 1693 default: 1694 printf("%s: %s illegal %s in state %s\n", 1695 ifp->if_xname, cp->name, 1696 sppp_cp_type_name(h->type), 1697 sppp_state_name(sp->state[cp->protoidx])); 1698 ++ifp->if_ierrors; 1699 } 1700 break; 1701 1702 case TERM_REQ: 1703 switch (sp->state[cp->protoidx]) { 1704 case STATE_ACK_RCVD: 1705 case STATE_ACK_SENT: 1706 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1707 /* fall through */ 1708 case STATE_CLOSED: 1709 case STATE_STOPPED: 1710 case STATE_CLOSING: 1711 case STATE_STOPPING: 1712 case STATE_REQ_SENT: 1713 sta: 1714 /* Send Terminate-Ack packet. */ 1715 if (debug) 1716 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 1717 ifp->if_xname, cp->name); 1718 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1719 break; 1720 case STATE_OPENED: 1721 (cp->tld)(sp); 1722 sp->rst_counter[cp->protoidx] = 0; 1723 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1724 goto sta; 1725 default: 1726 printf("%s: %s illegal %s in state %s\n", 1727 ifp->if_xname, cp->name, 1728 sppp_cp_type_name(h->type), 1729 sppp_state_name(sp->state[cp->protoidx])); 1730 ++ifp->if_ierrors; 1731 } 1732 break; 1733 case TERM_ACK: 1734 switch (sp->state[cp->protoidx]) { 1735 case STATE_CLOSED: 1736 case STATE_STOPPED: 1737 case STATE_REQ_SENT: 1738 case STATE_ACK_SENT: 1739 break; 1740 case STATE_CLOSING: 1741 (cp->tlf)(sp); 1742 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1743 sppp_lcp_check_and_close(sp); 1744 break; 1745 case STATE_STOPPING: 1746 (cp->tlf)(sp); 1747 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1748 sppp_lcp_check_and_close(sp); 1749 break; 1750 case STATE_ACK_RCVD: 1751 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1752 break; 1753 case STATE_OPENED: 1754 (cp->tld)(sp); 1755 (cp->scr)(sp); 1756 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1757 break; 1758 default: 1759 printf("%s: %s illegal %s in state %s\n", 1760 ifp->if_xname, cp->name, 1761 sppp_cp_type_name(h->type), 1762 sppp_state_name(sp->state[cp->protoidx])); 1763 ++ifp->if_ierrors; 1764 } 1765 break; 1766 case CODE_REJ: 1767 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1768 log(LOG_INFO, 1769 "%s: %s: ignoring RXJ (%s) for code ?, " 1770 "danger will robinson\n", 1771 ifp->if_xname, cp->name, 1772 sppp_cp_type_name(h->type)); 1773 switch (sp->state[cp->protoidx]) { 1774 case STATE_CLOSED: 1775 case STATE_STOPPED: 1776 case STATE_REQ_SENT: 1777 case STATE_ACK_SENT: 1778 case STATE_CLOSING: 1779 case STATE_STOPPING: 1780 case STATE_OPENED: 1781 break; 1782 case STATE_ACK_RCVD: 1783 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1784 break; 1785 default: 1786 printf("%s: %s illegal %s in state %s\n", 1787 ifp->if_xname, cp->name, 1788 sppp_cp_type_name(h->type), 1789 sppp_state_name(sp->state[cp->protoidx])); 1790 ++ifp->if_ierrors; 1791 } 1792 break; 1793 case PROTO_REJ: 1794 { 1795 int catastrophic; 1796 const struct cp *upper; 1797 int i; 1798 uint16_t proto; 1799 1800 catastrophic = 0; 1801 upper = NULL; 1802 proto = p[0] << 8 | p[1]; 1803 for (i = 0; i < IDX_COUNT; i++) { 1804 if (cps[i]->proto == proto) { 1805 upper = cps[i]; 1806 break; 1807 } 1808 } 1809 if (upper == NULL) 1810 catastrophic++; 1811 1812 if (debug) 1813 log(LOG_INFO, 1814 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1815 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1816 sppp_cp_type_name(h->type), proto, 1817 upper ? upper->name : "unknown", 1818 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1819 1820 /* 1821 * if we got RXJ+ against conf-req, the peer does not implement 1822 * this particular protocol type. terminate the protocol. 1823 */ 1824 if (upper && !catastrophic) { 1825 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1826 upper->Close(sp); 1827 break; 1828 } 1829 } 1830 1831 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1832 switch (sp->state[cp->protoidx]) { 1833 case STATE_CLOSED: 1834 case STATE_STOPPED: 1835 case STATE_REQ_SENT: 1836 case STATE_ACK_SENT: 1837 case STATE_CLOSING: 1838 case STATE_STOPPING: 1839 case STATE_OPENED: 1840 break; 1841 case STATE_ACK_RCVD: 1842 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1843 break; 1844 default: 1845 printf("%s: %s illegal %s in state %s\n", 1846 ifp->if_xname, cp->name, 1847 sppp_cp_type_name(h->type), 1848 sppp_state_name(sp->state[cp->protoidx])); 1849 ++ifp->if_ierrors; 1850 } 1851 break; 1852 } 1853 case DISC_REQ: 1854 if (cp->proto != PPP_LCP) 1855 goto illegal; 1856 /* Discard the packet. */ 1857 break; 1858 case ECHO_REQ: 1859 if (cp->proto != PPP_LCP) 1860 goto illegal; 1861 if (sp->state[cp->protoidx] != STATE_OPENED) { 1862 if (debug) 1863 addlog("%s: lcp echo req but lcp closed\n", 1864 ifp->if_xname); 1865 ++ifp->if_ierrors; 1866 break; 1867 } 1868 if (len < 8) { 1869 if (debug) 1870 addlog("%s: invalid lcp echo request " 1871 "packet length: %d bytes\n", 1872 ifp->if_xname, len); 1873 break; 1874 } 1875 memcpy(&u32, h + 1, sizeof u32); 1876 if (ntohl(u32) == sp->lcp.magic) { 1877 /* Line loopback mode detected. */ 1878 printf("%s: loopback\n", ifp->if_xname); 1879 SPPP_UNLOCK(sp); 1880 if_down(ifp); 1881 SPPP_LOCK(sp, RW_WRITER); 1882 1883 IF_PURGE(&sp->pp_cpq); 1884 1885 /* Shut down the PPP link. */ 1886 /* XXX */ 1887 lcp.Down(sp); 1888 lcp.Up(sp); 1889 break; 1890 } 1891 u32 = htonl(sp->lcp.magic); 1892 memcpy(h + 1, &u32, sizeof u32); 1893 if (debug) 1894 addlog("%s: got lcp echo req, sending echo rep\n", 1895 ifp->if_xname); 1896 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1897 h + 1); 1898 break; 1899 case ECHO_REPLY: 1900 if (cp->proto != PPP_LCP) 1901 goto illegal; 1902 if (h->ident != sp->lcp.echoid) { 1903 ++ifp->if_ierrors; 1904 break; 1905 } 1906 if (len < 8) { 1907 if (debug) 1908 addlog("%s: lcp invalid echo reply " 1909 "packet length: %d bytes\n", 1910 ifp->if_xname, len); 1911 break; 1912 } 1913 if (debug) 1914 addlog("%s: lcp got echo rep\n", 1915 ifp->if_xname); 1916 memcpy(&u32, h + 1, sizeof u32); 1917 if (ntohl(u32) != sp->lcp.magic) 1918 sp->pp_alivecnt = 0; 1919 break; 1920 default: 1921 /* Unknown packet type -- send Code-Reject packet. */ 1922 illegal: 1923 if (debug) 1924 addlog("%s: %s send code-rej for 0x%x\n", 1925 ifp->if_xname, cp->name, h->type); 1926 sppp_cp_send(sp, cp->proto, CODE_REJ, 1927 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1928 ++ifp->if_ierrors; 1929 } 1930 1931 SPPP_UNLOCK(sp); 1932 } 1933 1934 1935 /* 1936 * The generic part of all Up/Down/Open/Close/TO event handlers. 1937 * Basically, the state transition handling in the automaton. 1938 */ 1939 static void 1940 sppp_up_event(const struct cp *cp, struct sppp *sp) 1941 { 1942 STDDCL; 1943 1944 KASSERT(SPPP_WLOCKED(sp)); 1945 1946 if (debug) 1947 log(LOG_DEBUG, "%s: %s up(%s)\n", 1948 ifp->if_xname, cp->name, 1949 sppp_state_name(sp->state[cp->protoidx])); 1950 1951 switch (sp->state[cp->protoidx]) { 1952 case STATE_INITIAL: 1953 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1954 break; 1955 case STATE_STARTING: 1956 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1957 (cp->scr)(sp); 1958 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1959 break; 1960 default: 1961 printf("%s: %s illegal up in state %s\n", 1962 ifp->if_xname, cp->name, 1963 sppp_state_name(sp->state[cp->protoidx])); 1964 } 1965 } 1966 1967 static void 1968 sppp_down_event(const struct cp *cp, struct sppp *sp) 1969 { 1970 STDDCL; 1971 1972 KASSERT(SPPP_WLOCKED(sp)); 1973 1974 if (debug) 1975 log(LOG_DEBUG, "%s: %s down(%s)\n", 1976 ifp->if_xname, cp->name, 1977 sppp_state_name(sp->state[cp->protoidx])); 1978 1979 switch (sp->state[cp->protoidx]) { 1980 case STATE_CLOSED: 1981 case STATE_CLOSING: 1982 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1983 break; 1984 case STATE_STOPPED: 1985 (cp->tls)(sp); 1986 /* fall through */ 1987 case STATE_STOPPING: 1988 case STATE_REQ_SENT: 1989 case STATE_ACK_RCVD: 1990 case STATE_ACK_SENT: 1991 sppp_cp_change_state(cp, sp, STATE_STARTING); 1992 break; 1993 case STATE_OPENED: 1994 (cp->tld)(sp); 1995 sppp_cp_change_state(cp, sp, STATE_STARTING); 1996 break; 1997 default: 1998 printf("%s: %s illegal down in state %s\n", 1999 ifp->if_xname, cp->name, 2000 sppp_state_name(sp->state[cp->protoidx])); 2001 } 2002 } 2003 2004 2005 static void 2006 sppp_open_event(const struct cp *cp, struct sppp *sp) 2007 { 2008 STDDCL; 2009 2010 KASSERT(SPPP_WLOCKED(sp)); 2011 2012 if (debug) 2013 log(LOG_DEBUG, "%s: %s open(%s)\n", 2014 ifp->if_xname, cp->name, 2015 sppp_state_name(sp->state[cp->protoidx])); 2016 2017 switch (sp->state[cp->protoidx]) { 2018 case STATE_INITIAL: 2019 sppp_cp_change_state(cp, sp, STATE_STARTING); 2020 (cp->tls)(sp); 2021 break; 2022 case STATE_STARTING: 2023 break; 2024 case STATE_CLOSED: 2025 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 2026 (cp->scr)(sp); 2027 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2028 break; 2029 case STATE_STOPPED: 2030 case STATE_STOPPING: 2031 case STATE_REQ_SENT: 2032 case STATE_ACK_RCVD: 2033 case STATE_ACK_SENT: 2034 case STATE_OPENED: 2035 break; 2036 case STATE_CLOSING: 2037 sppp_cp_change_state(cp, sp, STATE_STOPPING); 2038 break; 2039 } 2040 } 2041 2042 2043 static void 2044 sppp_close_event(const struct cp *cp, struct sppp *sp) 2045 { 2046 STDDCL; 2047 2048 KASSERT(SPPP_WLOCKED(sp)); 2049 2050 if (debug) 2051 log(LOG_DEBUG, "%s: %s close(%s)\n", 2052 ifp->if_xname, cp->name, 2053 sppp_state_name(sp->state[cp->protoidx])); 2054 2055 switch (sp->state[cp->protoidx]) { 2056 case STATE_INITIAL: 2057 case STATE_CLOSED: 2058 case STATE_CLOSING: 2059 break; 2060 case STATE_STARTING: 2061 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2062 (cp->tlf)(sp); 2063 break; 2064 case STATE_STOPPED: 2065 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2066 break; 2067 case STATE_STOPPING: 2068 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2069 break; 2070 case STATE_OPENED: 2071 (cp->tld)(sp); 2072 /* fall through */ 2073 case STATE_REQ_SENT: 2074 case STATE_ACK_RCVD: 2075 case STATE_ACK_SENT: 2076 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 2077 sppp_cp_send(sp, cp->proto, TERM_REQ, 2078 ++sp->pp_seq[cp->protoidx], 0, 0); 2079 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2080 break; 2081 } 2082 } 2083 2084 static void 2085 sppp_to_event(const struct cp *cp, struct sppp *sp) 2086 { 2087 STDDCL; 2088 int s; 2089 2090 KASSERT(SPPP_WLOCKED(sp)); 2091 2092 s = splnet(); 2093 2094 if (debug) 2095 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 2096 ifp->if_xname, cp->name, 2097 sppp_state_name(sp->state[cp->protoidx]), 2098 sp->rst_counter[cp->protoidx]); 2099 2100 if (--sp->rst_counter[cp->protoidx] < 0) 2101 /* TO- event */ 2102 switch (sp->state[cp->protoidx]) { 2103 case STATE_CLOSING: 2104 (cp->tlf)(sp); 2105 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2106 sppp_lcp_check_and_close(sp); 2107 break; 2108 case STATE_STOPPING: 2109 (cp->tlf)(sp); 2110 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2111 sppp_lcp_check_and_close(sp); 2112 break; 2113 case STATE_REQ_SENT: 2114 case STATE_ACK_RCVD: 2115 case STATE_ACK_SENT: 2116 (cp->tlf)(sp); 2117 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2118 sppp_lcp_check_and_close(sp); 2119 break; 2120 } 2121 else 2122 /* TO+ event */ 2123 switch (sp->state[cp->protoidx]) { 2124 case STATE_CLOSING: 2125 case STATE_STOPPING: 2126 sppp_cp_send(sp, cp->proto, TERM_REQ, 2127 ++sp->pp_seq[cp->protoidx], 0, 0); 2128 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2129 cp->TO, sp); 2130 break; 2131 case STATE_REQ_SENT: 2132 case STATE_ACK_RCVD: 2133 (cp->scr)(sp); 2134 /* sppp_cp_change_state() will restart the timer */ 2135 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2136 break; 2137 case STATE_ACK_SENT: 2138 (cp->scr)(sp); 2139 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2140 cp->TO, sp); 2141 break; 2142 } 2143 2144 splx(s); 2145 } 2146 2147 /* 2148 * Change the state of a control protocol in the state automaton. 2149 * Takes care of starting/stopping the restart timer. 2150 */ 2151 void 2152 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2153 { 2154 2155 KASSERT(SPPP_WLOCKED(sp)); 2156 2157 sp->state[cp->protoidx] = newstate; 2158 callout_stop(&sp->ch[cp->protoidx]); 2159 switch (newstate) { 2160 case STATE_INITIAL: 2161 case STATE_STARTING: 2162 case STATE_CLOSED: 2163 case STATE_STOPPED: 2164 case STATE_OPENED: 2165 break; 2166 case STATE_CLOSING: 2167 case STATE_STOPPING: 2168 case STATE_REQ_SENT: 2169 case STATE_ACK_RCVD: 2170 case STATE_ACK_SENT: 2171 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2172 cp->TO, sp); 2173 break; 2174 } 2175 } 2176 2177 /* 2178 *--------------------------------------------------------------------------* 2179 * * 2180 * The LCP implementation. * 2181 * * 2182 *--------------------------------------------------------------------------* 2183 */ 2184 static void 2185 sppp_lcp_init(struct sppp *sp) 2186 { 2187 2188 KASSERT(SPPP_WLOCKED(sp)); 2189 2190 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2191 sp->lcp.magic = 0; 2192 sp->state[IDX_LCP] = STATE_INITIAL; 2193 sp->fail_counter[IDX_LCP] = 0; 2194 sp->pp_seq[IDX_LCP] = 0; 2195 sp->pp_rseq[IDX_LCP] = 0; 2196 sp->lcp.protos = 0; 2197 2198 /* 2199 * Initialize counters and timeout values. Note that we don't 2200 * use the 3 seconds suggested in RFC 1661 since we are likely 2201 * running on a fast link. XXX We should probably implement 2202 * the exponential backoff option. Note that these values are 2203 * relevant for all control protocols, not just LCP only. 2204 */ 2205 sp->lcp.timeout = 1 * hz; 2206 sp->lcp.max_terminate = 2; 2207 sp->lcp.max_configure = 10; 2208 sp->lcp.max_failure = 10; 2209 callout_init(&sp->ch[IDX_LCP], CALLOUT_MPSAFE); 2210 } 2211 2212 static void 2213 sppp_lcp_up(struct sppp *sp) 2214 { 2215 STDDCL; 2216 2217 KASSERT(SPPP_WLOCKED(sp)); 2218 2219 /* Initialize activity timestamp: opening a connection is an activity */ 2220 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 2221 2222 /* 2223 * If this interface is passive or dial-on-demand, and we are 2224 * still in Initial state, it means we've got an incoming 2225 * call. Activate the interface. 2226 */ 2227 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2228 if (debug) 2229 log(LOG_DEBUG, 2230 "%s: Up event", ifp->if_xname); 2231 ifp->if_flags |= IFF_RUNNING; 2232 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2233 if (debug) 2234 addlog("(incoming call)\n"); 2235 sp->pp_flags |= PP_CALLIN; 2236 lcp.Open(sp); 2237 } else if (debug) 2238 addlog("\n"); 2239 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2240 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2241 ifp->if_flags |= IFF_RUNNING; 2242 lcp.Open(sp); 2243 } 2244 2245 sppp_up_event(&lcp, sp); 2246 } 2247 2248 static void 2249 sppp_lcp_down(struct sppp *sp) 2250 { 2251 STDDCL; 2252 2253 KASSERT(SPPP_WLOCKED(sp)); 2254 2255 sppp_down_event(&lcp, sp); 2256 2257 /* 2258 * If this is neither a dial-on-demand nor a passive 2259 * interface, simulate an ``ifconfig down'' action, so the 2260 * administrator can force a redial by another ``ifconfig 2261 * up''. XXX For leased line operation, should we immediately 2262 * try to reopen the connection here? 2263 */ 2264 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2265 if (debug) 2266 log(LOG_INFO, 2267 "%s: Down event (carrier loss), taking interface down.\n", 2268 ifp->if_xname); 2269 SPPP_UNLOCK(sp); 2270 if_down(ifp); 2271 SPPP_LOCK(sp, RW_WRITER); 2272 } else { 2273 if (debug) 2274 log(LOG_DEBUG, 2275 "%s: Down event (carrier loss)\n", 2276 ifp->if_xname); 2277 } 2278 sp->fail_counter[IDX_LCP] = 0; 2279 sp->pp_flags &= ~PP_CALLIN; 2280 if (sp->state[IDX_LCP] != STATE_INITIAL) 2281 lcp.Close(sp); 2282 ifp->if_flags &= ~IFF_RUNNING; 2283 } 2284 2285 static void 2286 sppp_lcp_open(struct sppp *sp) 2287 { 2288 2289 KASSERT(SPPP_WLOCKED(sp)); 2290 2291 if (sp->pp_if.if_mtu < PP_MTU) { 2292 sp->lcp.mru = sp->pp_if.if_mtu; 2293 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2294 } else 2295 sp->lcp.mru = PP_MTU; 2296 sp->lcp.their_mru = PP_MTU; 2297 2298 /* 2299 * If we are authenticator, negotiate LCP_AUTH 2300 */ 2301 if (sp->hisauth.proto != 0) 2302 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2303 else 2304 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2305 sp->pp_flags &= ~PP_NEEDAUTH; 2306 sppp_open_event(&lcp, sp); 2307 } 2308 2309 static void 2310 sppp_lcp_close(struct sppp *sp) 2311 { 2312 2313 KASSERT(SPPP_WLOCKED(sp)); 2314 sppp_close_event(&lcp, sp); 2315 } 2316 2317 static void 2318 sppp_lcp_TO(void *cookie) 2319 { 2320 struct sppp *sp = (struct sppp*)cookie; 2321 2322 SPPP_LOCK(sp, RW_WRITER); 2323 sppp_to_event(&lcp, sp); 2324 SPPP_UNLOCK(sp); 2325 } 2326 2327 /* 2328 * Analyze a configure request. Return true if it was agreeable, and 2329 * caused action sca, false if it has been rejected or nak'ed, and 2330 * caused action scn. (The return value is used to make the state 2331 * transition decision in the state automaton.) 2332 */ 2333 static int 2334 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2335 { 2336 STDDCL; 2337 u_char *buf, *r, *p, l, blen; 2338 int origlen, rlen; 2339 uint32_t nmagic; 2340 u_short authproto; 2341 2342 KASSERT(SPPP_WLOCKED(sp)); 2343 2344 len -= 4; 2345 origlen = len; 2346 buf = r = malloc (blen = len, M_TEMP, M_NOWAIT); 2347 if (! buf) 2348 return (0); 2349 2350 if (debug) 2351 log(LOG_DEBUG, "%s: lcp parse opts:", 2352 ifp->if_xname); 2353 2354 /* pass 1: check for things that need to be rejected */ 2355 p = (void *)(h + 1); 2356 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2357 /* Sanity check option length */ 2358 if (l > len) { 2359 /* 2360 * Malicious option - drop immediately. 2361 * XXX Maybe we should just RXJ it? 2362 */ 2363 addlog("%s: received malicious LCP option 0x%02x, " 2364 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2365 p[0], l, len); 2366 goto drop; 2367 } 2368 if (debug) 2369 addlog(" %s", sppp_lcp_opt_name(*p)); 2370 switch (*p) { 2371 case LCP_OPT_MAGIC: 2372 /* Magic number. */ 2373 /* fall through, both are same length */ 2374 case LCP_OPT_ASYNC_MAP: 2375 /* Async control character map. */ 2376 if (len >= 6 || l == 6) 2377 continue; 2378 if (debug) 2379 addlog(" [invalid]"); 2380 break; 2381 case LCP_OPT_MRU: 2382 /* Maximum receive unit. */ 2383 if (len >= 4 && l == 4) 2384 continue; 2385 if (debug) 2386 addlog(" [invalid]"); 2387 break; 2388 case LCP_OPT_AUTH_PROTO: 2389 if (len < 4) { 2390 if (debug) 2391 addlog(" [invalid]"); 2392 break; 2393 } 2394 authproto = (p[2] << 8) + p[3]; 2395 if (authproto == PPP_CHAP && l != 5) { 2396 if (debug) 2397 addlog(" [invalid chap len]"); 2398 break; 2399 } 2400 if (sp->myauth.proto == 0) { 2401 /* we are not configured to do auth */ 2402 if (debug) 2403 addlog(" [not configured]"); 2404 break; 2405 } 2406 /* 2407 * Remote want us to authenticate, remember this, 2408 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2409 * up. 2410 */ 2411 sp->pp_flags |= PP_NEEDAUTH; 2412 continue; 2413 default: 2414 /* Others not supported. */ 2415 if (debug) 2416 addlog(" [rej]"); 2417 break; 2418 } 2419 if (rlen + l > blen) { 2420 if (debug) 2421 addlog(" [overflow]"); 2422 continue; 2423 } 2424 /* Add the option to rejected list. */ 2425 memcpy(r, p, l); 2426 r += l; 2427 rlen += l; 2428 } 2429 if (rlen) { 2430 if (debug) 2431 addlog(" send conf-rej\n"); 2432 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2433 goto end; 2434 } else if (debug) 2435 addlog("\n"); 2436 2437 /* 2438 * pass 2: check for option values that are unacceptable and 2439 * thus require to be nak'ed. 2440 */ 2441 if (debug) 2442 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2443 ifp->if_xname); 2444 2445 p = (void *)(h + 1); 2446 len = origlen; 2447 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2448 if (debug) 2449 addlog(" %s", sppp_lcp_opt_name(*p)); 2450 switch (*p) { 2451 case LCP_OPT_MAGIC: 2452 /* Magic number -- extract. */ 2453 nmagic = (uint32_t)p[2] << 24 | 2454 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2455 if (nmagic != sp->lcp.magic) { 2456 if (debug) 2457 addlog(" 0x%x", nmagic); 2458 continue; 2459 } 2460 /* 2461 * Local and remote magics equal -- loopback? 2462 */ 2463 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2464 printf ("%s: loopback\n", 2465 ifp->if_xname); 2466 sp->pp_loopcnt = 0; 2467 if (ifp->if_flags & IFF_UP) { 2468 SPPP_UNLOCK(sp); 2469 if_down(ifp); 2470 SPPP_LOCK(sp, RW_WRITER); 2471 2472 IF_PURGE(&sp->pp_cpq); 2473 /* XXX ? */ 2474 lcp.Down(sp); 2475 lcp.Up(sp); 2476 } 2477 } else if (debug) 2478 addlog(" [glitch]"); 2479 ++sp->pp_loopcnt; 2480 /* 2481 * We negate our magic here, and NAK it. If 2482 * we see it later in an NAK packet, we 2483 * suggest a new one. 2484 */ 2485 nmagic = ~sp->lcp.magic; 2486 /* Gonna NAK it. */ 2487 p[2] = nmagic >> 24; 2488 p[3] = nmagic >> 16; 2489 p[4] = nmagic >> 8; 2490 p[5] = nmagic; 2491 break; 2492 2493 case LCP_OPT_ASYNC_MAP: 2494 /* 2495 * Async control character map -- just ignore it. 2496 * 2497 * Quote from RFC 1662, chapter 6: 2498 * To enable this functionality, synchronous PPP 2499 * implementations MUST always respond to the 2500 * Async-Control-Character-Map Configuration 2501 * Option with the LCP Configure-Ack. However, 2502 * acceptance of the Configuration Option does 2503 * not imply that the synchronous implementation 2504 * will do any ACCM mapping. Instead, all such 2505 * octet mapping will be performed by the 2506 * asynchronous-to-synchronous converter. 2507 */ 2508 continue; 2509 2510 case LCP_OPT_MRU: 2511 /* 2512 * Maximum receive unit. Always agreeable, 2513 * but ignored by now. 2514 */ 2515 sp->lcp.their_mru = p[2] * 256 + p[3]; 2516 if (debug) 2517 addlog(" %ld", sp->lcp.their_mru); 2518 continue; 2519 2520 case LCP_OPT_AUTH_PROTO: 2521 authproto = (p[2] << 8) + p[3]; 2522 if (sp->myauth.proto != authproto) { 2523 /* not agreed, nak */ 2524 if (debug) 2525 addlog(" [mine %s != his %s]", 2526 sppp_proto_name(sp->myauth.proto), 2527 sppp_proto_name(authproto)); 2528 p[2] = sp->myauth.proto >> 8; 2529 p[3] = sp->myauth.proto; 2530 break; 2531 } 2532 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2533 if (debug) 2534 addlog(" [chap not MD5]"); 2535 p[4] = CHAP_MD5; 2536 break; 2537 } 2538 continue; 2539 } 2540 if (rlen + l > blen) { 2541 if (debug) 2542 addlog(" [overflow]"); 2543 continue; 2544 } 2545 /* Add the option to nak'ed list. */ 2546 memcpy(r, p, l); 2547 r += l; 2548 rlen += l; 2549 } 2550 if (rlen) { 2551 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2552 if (debug) 2553 addlog(" max_failure (%d) exceeded, " 2554 "send conf-rej\n", 2555 sp->lcp.max_failure); 2556 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2557 } else { 2558 if (debug) 2559 addlog(" send conf-nak\n"); 2560 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2561 } 2562 goto end; 2563 } else { 2564 if (debug) 2565 addlog(" send conf-ack\n"); 2566 sp->fail_counter[IDX_LCP] = 0; 2567 sp->pp_loopcnt = 0; 2568 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1); 2569 } 2570 2571 end: 2572 free(buf, M_TEMP); 2573 return (rlen == 0); 2574 2575 drop: 2576 free(buf, M_TEMP); 2577 return -1; 2578 } 2579 2580 /* 2581 * Analyze the LCP Configure-Reject option list, and adjust our 2582 * negotiation. 2583 */ 2584 static void 2585 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2586 { 2587 STDDCL; 2588 u_char *buf, *p, l; 2589 2590 KASSERT(SPPP_WLOCKED(sp)); 2591 2592 len -= 4; 2593 buf = malloc (len, M_TEMP, M_NOWAIT); 2594 if (!buf) 2595 return; 2596 2597 if (debug) 2598 log(LOG_DEBUG, "%s: lcp rej opts:", 2599 ifp->if_xname); 2600 2601 p = (void *)(h + 1); 2602 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2603 /* Sanity check option length */ 2604 if (l > len) { 2605 /* 2606 * Malicious option - drop immediately. 2607 * XXX Maybe we should just RXJ it? 2608 */ 2609 addlog("%s: received malicious LCP option, " 2610 "dropping.\n", ifp->if_xname); 2611 goto drop; 2612 } 2613 if (debug) 2614 addlog(" %s", sppp_lcp_opt_name(*p)); 2615 switch (*p) { 2616 case LCP_OPT_MAGIC: 2617 /* Magic number -- can't use it, use 0 */ 2618 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2619 sp->lcp.magic = 0; 2620 break; 2621 case LCP_OPT_MRU: 2622 /* 2623 * We try to negotiate a lower MRU if the underlying 2624 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 2625 * peer rejects this lower rate, fallback to the 2626 * default. 2627 */ 2628 if (debug) { 2629 addlog("%s: warning: peer rejected our MRU of " 2630 "%ld bytes. Defaulting to %d bytes\n", 2631 ifp->if_xname, sp->lcp.mru, PP_MTU); 2632 } 2633 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2634 sp->lcp.mru = PP_MTU; 2635 break; 2636 case LCP_OPT_AUTH_PROTO: 2637 /* 2638 * Peer doesn't want to authenticate himself, 2639 * deny unless this is a dialout call, and 2640 * SPPP_AUTHFLAG_NOCALLOUT is set. 2641 */ 2642 if ((sp->pp_flags & PP_CALLIN) == 0 && 2643 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 2644 if (debug) 2645 addlog(" [don't insist on auth " 2646 "for callout]"); 2647 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2648 break; 2649 } 2650 if (debug) 2651 addlog("[access denied]\n"); 2652 lcp.Close(sp); 2653 break; 2654 } 2655 } 2656 if (debug) 2657 addlog("\n"); 2658 drop: 2659 free(buf, M_TEMP); 2660 return; 2661 } 2662 2663 /* 2664 * Analyze the LCP Configure-NAK option list, and adjust our 2665 * negotiation. 2666 */ 2667 static void 2668 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2669 { 2670 STDDCL; 2671 u_char *buf, *p, l, blen; 2672 uint32_t magic; 2673 2674 KASSERT(SPPP_WLOCKED(sp)); 2675 2676 len -= 4; 2677 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 2678 if (!buf) 2679 return; 2680 2681 if (debug) 2682 log(LOG_DEBUG, "%s: lcp nak opts:", 2683 ifp->if_xname); 2684 2685 p = (void *)(h + 1); 2686 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2687 /* Sanity check option length */ 2688 if (l > len) { 2689 /* 2690 * Malicious option - drop immediately. 2691 * XXX Maybe we should just RXJ it? 2692 */ 2693 addlog("%s: received malicious LCP option, " 2694 "dropping.\n", ifp->if_xname); 2695 goto drop; 2696 } 2697 if (debug) 2698 addlog(" %s", sppp_lcp_opt_name(*p)); 2699 switch (*p) { 2700 case LCP_OPT_MAGIC: 2701 /* Magic number -- renegotiate */ 2702 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2703 len >= 6 && l == 6) { 2704 magic = (uint32_t)p[2] << 24 | 2705 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2706 /* 2707 * If the remote magic is our negated one, 2708 * this looks like a loopback problem. 2709 * Suggest a new magic to make sure. 2710 */ 2711 if (magic == ~sp->lcp.magic) { 2712 if (debug) 2713 addlog(" magic glitch"); 2714 sp->lcp.magic = cprng_fast32(); 2715 } else { 2716 sp->lcp.magic = magic; 2717 if (debug) 2718 addlog(" %d", magic); 2719 } 2720 } 2721 break; 2722 case LCP_OPT_MRU: 2723 /* 2724 * Peer wants to advise us to negotiate an MRU. 2725 * Agree on it if it's reasonable, or use 2726 * default otherwise. 2727 */ 2728 if (len >= 4 && l == 4) { 2729 u_int mru = p[2] * 256 + p[3]; 2730 if (debug) 2731 addlog(" %d", mru); 2732 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 2733 mru = sp->pp_if.if_mtu; 2734 sp->lcp.mru = mru; 2735 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2736 } 2737 break; 2738 case LCP_OPT_AUTH_PROTO: 2739 /* 2740 * Peer doesn't like our authentication method, 2741 * deny. 2742 */ 2743 if (debug) 2744 addlog("[access denied]\n"); 2745 lcp.Close(sp); 2746 break; 2747 } 2748 } 2749 if (debug) 2750 addlog("\n"); 2751 drop: 2752 free(buf, M_TEMP); 2753 return; 2754 } 2755 2756 static void 2757 sppp_lcp_tlu(struct sppp *sp) 2758 { 2759 struct ifnet *ifp = &sp->pp_if; 2760 int i; 2761 uint32_t mask; 2762 2763 KASSERT(SPPP_WLOCKED(sp)); 2764 2765 /* XXX ? */ 2766 if (! (ifp->if_flags & IFF_UP) && 2767 (ifp->if_flags & IFF_RUNNING)) { 2768 /* Coming out of loopback mode. */ 2769 SPPP_UNLOCK(sp); 2770 if_up(ifp); 2771 SPPP_LOCK(sp, RW_WRITER); 2772 } 2773 2774 for (i = 0; i < IDX_COUNT; i++) 2775 if ((cps[i])->flags & CP_QUAL) 2776 (cps[i])->Open(sp); 2777 2778 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2779 (sp->pp_flags & PP_NEEDAUTH) != 0) 2780 sppp_change_phase(sp, SPPP_PHASE_AUTHENTICATE); 2781 else 2782 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 2783 2784 /* 2785 * Open all authentication protocols. This is even required 2786 * if we already proceeded to network phase, since it might be 2787 * that remote wants us to authenticate, so we might have to 2788 * send a PAP request. Undesired authentication protocols 2789 * don't do anything when they get an Open event. 2790 */ 2791 for (i = 0; i < IDX_COUNT; i++) 2792 if ((cps[i])->flags & CP_AUTH) 2793 (cps[i])->Open(sp); 2794 2795 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 2796 /* Notify all NCPs. */ 2797 for (i = 0; i < IDX_COUNT; i++) 2798 if ((cps[i])->flags & CP_NCP) 2799 (cps[i])->Open(sp); 2800 } 2801 2802 /* Send Up events to all started protos. */ 2803 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) { 2804 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2805 (cps[i])->Up(sp); 2806 } 2807 } 2808 2809 /* notify low-level driver of state change */ 2810 sppp_notify_chg_wlocked(sp); 2811 2812 if (sp->pp_phase == SPPP_PHASE_NETWORK) 2813 /* if no NCP is starting, close down */ 2814 sppp_lcp_check_and_close(sp); 2815 } 2816 2817 static void 2818 sppp_lcp_tld(struct sppp *sp) 2819 { 2820 int i; 2821 uint32_t mask; 2822 2823 KASSERT(SPPP_WLOCKED(sp)); 2824 2825 sppp_change_phase(sp, SPPP_PHASE_TERMINATE); 2826 2827 /* 2828 * Take upper layers down. We send the Down event first and 2829 * the Close second to prevent the upper layers from sending 2830 * ``a flurry of terminate-request packets'', as the RFC 2831 * describes it. 2832 */ 2833 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) { 2834 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2835 (cps[i])->Down(sp); 2836 (cps[i])->Close(sp); 2837 } 2838 } 2839 } 2840 2841 static void 2842 sppp_lcp_tls(struct sppp *sp) 2843 { 2844 2845 KASSERT(SPPP_WLOCKED(sp)); 2846 2847 2848 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 2849 printf("%s: authentication failed %d times, not retrying again\n", 2850 sp->pp_if.if_xname, sp->pp_auth_failures); 2851 2852 SPPP_UNLOCK(sp); 2853 if_down(&sp->pp_if); 2854 SPPP_LOCK(sp, RW_WRITER); 2855 return; 2856 } 2857 2858 sppp_change_phase(sp, SPPP_PHASE_ESTABLISH); 2859 2860 /* Notify lower layer if desired. */ 2861 sppp_notify_tls_wlocked(sp); 2862 } 2863 2864 static void 2865 sppp_lcp_tlf(struct sppp *sp) 2866 { 2867 2868 KASSERT(SPPP_WLOCKED(sp)); 2869 2870 sppp_change_phase(sp, SPPP_PHASE_DEAD); 2871 2872 /* Notify lower layer if desired. */ 2873 sppp_notify_tlf_wlocked(sp); 2874 } 2875 2876 static void 2877 sppp_lcp_scr(struct sppp *sp) 2878 { 2879 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2880 int i = 0; 2881 u_short authproto; 2882 2883 KASSERT(SPPP_WLOCKED(sp)); 2884 2885 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2886 if (! sp->lcp.magic) 2887 sp->lcp.magic = cprng_fast32(); 2888 opt[i++] = LCP_OPT_MAGIC; 2889 opt[i++] = 6; 2890 opt[i++] = sp->lcp.magic >> 24; 2891 opt[i++] = sp->lcp.magic >> 16; 2892 opt[i++] = sp->lcp.magic >> 8; 2893 opt[i++] = sp->lcp.magic; 2894 } 2895 2896 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2897 opt[i++] = LCP_OPT_MRU; 2898 opt[i++] = 4; 2899 opt[i++] = sp->lcp.mru >> 8; 2900 opt[i++] = sp->lcp.mru; 2901 } 2902 2903 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2904 authproto = sp->hisauth.proto; 2905 opt[i++] = LCP_OPT_AUTH_PROTO; 2906 opt[i++] = authproto == PPP_CHAP? 5: 4; 2907 opt[i++] = authproto >> 8; 2908 opt[i++] = authproto; 2909 if (authproto == PPP_CHAP) 2910 opt[i++] = CHAP_MD5; 2911 } 2912 2913 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2914 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2915 } 2916 2917 /* 2918 * Check the open NCPs, return true if at least one NCP is open. 2919 */ 2920 static int 2921 sppp_ncp_check(struct sppp *sp) 2922 { 2923 int i, mask; 2924 2925 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2926 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2927 return 1; 2928 return 0; 2929 } 2930 2931 /* 2932 * Re-check the open NCPs and see if we should terminate the link. 2933 * Called by the NCPs during their tlf action handling. 2934 */ 2935 static void 2936 sppp_lcp_check_and_close(struct sppp *sp) 2937 { 2938 2939 KASSERT(SPPP_WLOCKED(sp)); 2940 2941 if (sp->pp_phase < SPPP_PHASE_NETWORK) 2942 /* don't bother, we are already going down */ 2943 return; 2944 2945 if (sppp_ncp_check(sp)) 2946 return; 2947 lcp.Close(sp); 2948 } 2949 2950 2951 /* 2952 *--------------------------------------------------------------------------* 2953 * * 2954 * The IPCP implementation. * 2955 * * 2956 *--------------------------------------------------------------------------* 2957 */ 2958 2959 static void 2960 sppp_ipcp_init(struct sppp *sp) 2961 { 2962 int error; 2963 2964 KASSERT(SPPP_WLOCKED(sp)); 2965 2966 sp->ipcp.opts = 0; 2967 sp->ipcp.flags = 0; 2968 sp->state[IDX_IPCP] = STATE_INITIAL; 2969 sp->fail_counter[IDX_IPCP] = 0; 2970 sp->pp_seq[IDX_IPCP] = 0; 2971 sp->pp_rseq[IDX_IPCP] = 0; 2972 callout_init(&sp->ch[IDX_IPCP], CALLOUT_MPSAFE); 2973 2974 error = workqueue_create(&sp->ipcp.update_addrs_wq, "ipcp_addr", 2975 sppp_update_ip_addrs_work, sp, PRI_SOFTNET, IPL_NET, 0); 2976 if (error) 2977 panic("%s: update_addrs workqueue_create failed (%d)\n", 2978 __func__, error); 2979 sp->ipcp.update_addrs_q = pcq_create(IPCP_UPDATE_LIMIT, KM_SLEEP); 2980 2981 sp->ipcp.update_addrs_enqueued = 0; 2982 } 2983 2984 static void 2985 sppp_ipcp_up(struct sppp *sp) 2986 { 2987 KASSERT(SPPP_WLOCKED(sp)); 2988 sppp_up_event(&ipcp, sp); 2989 } 2990 2991 static void 2992 sppp_ipcp_down(struct sppp *sp) 2993 { 2994 KASSERT(SPPP_WLOCKED(sp)); 2995 sppp_down_event(&ipcp, sp); 2996 } 2997 2998 static void 2999 sppp_ipcp_open(struct sppp *sp) 3000 { 3001 STDDCL; 3002 uint32_t myaddr, hisaddr; 3003 3004 KASSERT(SPPP_WLOCKED(sp)); 3005 3006 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 3007 sp->ipcp.req_myaddr = 0; 3008 sp->ipcp.req_hisaddr = 0; 3009 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 3010 3011 #ifdef INET 3012 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3013 #else 3014 myaddr = hisaddr = 0; 3015 #endif 3016 /* 3017 * If we don't have his address, this probably means our 3018 * interface doesn't want to talk IP at all. (This could 3019 * be the case if somebody wants to speak only IPX, for 3020 * example.) Don't open IPCP in this case. 3021 */ 3022 if (hisaddr == 0) { 3023 /* XXX this message should go away */ 3024 if (debug) 3025 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 3026 ifp->if_xname); 3027 return; 3028 } 3029 3030 if (myaddr == 0) { 3031 /* 3032 * I don't have an assigned address, so i need to 3033 * negotiate my address. 3034 */ 3035 sp->ipcp.flags |= IPCP_MYADDR_DYN; 3036 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3037 } 3038 if (hisaddr == 1) { 3039 /* 3040 * XXX - remove this hack! 3041 * remote has no valid address, we need to get one assigned. 3042 */ 3043 sp->ipcp.flags |= IPCP_HISADDR_DYN; 3044 } 3045 sppp_open_event(&ipcp, sp); 3046 } 3047 3048 static void 3049 sppp_ipcp_close(struct sppp *sp) 3050 { 3051 3052 KASSERT(SPPP_WLOCKED(sp)); 3053 3054 sppp_close_event(&ipcp, sp); 3055 3056 #ifdef INET 3057 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) 3058 /* 3059 * Some address was dynamic, clear it again. 3060 */ 3061 sppp_clear_ip_addrs(sp); 3062 #endif 3063 } 3064 3065 static void 3066 sppp_ipcp_TO(void *cookie) 3067 { 3068 struct sppp *sp = cookie; 3069 3070 SPPP_LOCK(sp, RW_WRITER); 3071 sppp_to_event(&ipcp, sp); 3072 SPPP_UNLOCK(sp); 3073 } 3074 3075 /* 3076 * Analyze a configure request. Return true if it was agreeable, and 3077 * caused action sca, false if it has been rejected or nak'ed, and 3078 * caused action scn. (The return value is used to make the state 3079 * transition decision in the state automaton.) 3080 */ 3081 static int 3082 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3083 { 3084 u_char *buf, *r, *p, l, blen; 3085 struct ifnet *ifp = &sp->pp_if; 3086 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3087 uint32_t hisaddr, desiredaddr; 3088 3089 KASSERT(SPPP_WLOCKED(sp)); 3090 3091 len -= 4; 3092 origlen = len; 3093 /* 3094 * Make sure to allocate a buf that can at least hold a 3095 * conf-nak with an `address' option. We might need it below. 3096 */ 3097 blen = len < 6 ? 6 : len; 3098 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3099 if (! buf) 3100 return (0); 3101 3102 /* pass 1: see if we can recognize them */ 3103 if (debug) 3104 log(LOG_DEBUG, "%s: ipcp parse opts:", 3105 ifp->if_xname); 3106 p = (void *)(h + 1); 3107 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3108 /* Sanity check option length */ 3109 if (l > len) { 3110 /* XXX should we just RXJ? */ 3111 addlog("%s: malicious IPCP option received, dropping\n", 3112 ifp->if_xname); 3113 goto drop; 3114 } 3115 if (debug) 3116 addlog(" %s", sppp_ipcp_opt_name(*p)); 3117 switch (*p) { 3118 #ifdef notyet 3119 case IPCP_OPT_COMPRESSION: 3120 if (len >= 6 && l >= 6) { 3121 /* correctly formed compress option */ 3122 continue; 3123 } 3124 if (debug) 3125 addlog(" [invalid]"); 3126 break; 3127 #endif 3128 case IPCP_OPT_ADDRESS: 3129 if (len >= 6 && l == 6) { 3130 /* correctly formed address option */ 3131 continue; 3132 } 3133 if (debug) 3134 addlog(" [invalid]"); 3135 break; 3136 default: 3137 /* Others not supported. */ 3138 if (debug) 3139 addlog(" [rej]"); 3140 break; 3141 } 3142 /* Add the option to rejected list. */ 3143 if (rlen + l > blen) { 3144 if (debug) 3145 addlog(" [overflow]"); 3146 continue; 3147 } 3148 memcpy(r, p, l); 3149 r += l; 3150 rlen += l; 3151 } 3152 if (rlen) { 3153 if (debug) 3154 addlog(" send conf-rej\n"); 3155 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 3156 goto end; 3157 } else if (debug) 3158 addlog("\n"); 3159 3160 /* pass 2: parse option values */ 3161 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 3162 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 3163 else 3164 #ifdef INET 3165 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 3166 #else 3167 hisaddr = 0; 3168 #endif 3169 if (debug) 3170 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 3171 ifp->if_xname); 3172 p = (void *)(h + 1); 3173 len = origlen; 3174 for (rlen=0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3175 if (debug) 3176 addlog(" %s", sppp_ipcp_opt_name(*p)); 3177 switch (*p) { 3178 #ifdef notyet 3179 case IPCP_OPT_COMPRESSION: 3180 continue; 3181 #endif 3182 case IPCP_OPT_ADDRESS: 3183 desiredaddr = p[2] << 24 | p[3] << 16 | 3184 p[4] << 8 | p[5]; 3185 if (desiredaddr == hisaddr || 3186 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 3187 /* 3188 * Peer's address is same as our value, 3189 * this is agreeable. Gonna conf-ack 3190 * it. 3191 */ 3192 if (debug) 3193 addlog(" %s [ack]", 3194 sppp_dotted_quad(hisaddr)); 3195 /* record that we've seen it already */ 3196 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 3197 sp->ipcp.req_hisaddr = desiredaddr; 3198 hisaddr = desiredaddr; 3199 continue; 3200 } 3201 /* 3202 * The address wasn't agreeable. This is either 3203 * he sent us 0.0.0.0, asking to assign him an 3204 * address, or he send us another address not 3205 * matching our value. Either case, we gonna 3206 * conf-nak it with our value. 3207 */ 3208 if (debug) { 3209 if (desiredaddr == 0) 3210 addlog(" [addr requested]"); 3211 else 3212 addlog(" %s [not agreed]", 3213 sppp_dotted_quad(desiredaddr)); 3214 } 3215 3216 p[2] = hisaddr >> 24; 3217 p[3] = hisaddr >> 16; 3218 p[4] = hisaddr >> 8; 3219 p[5] = hisaddr; 3220 break; 3221 } 3222 if (rlen + l > blen) { 3223 if (debug) 3224 addlog(" [overflow]"); 3225 continue; 3226 } 3227 /* Add the option to nak'ed list. */ 3228 memcpy(r, p, l); 3229 r += l; 3230 rlen += l; 3231 } 3232 3233 /* 3234 * If we are about to conf-ack the request, but haven't seen 3235 * his address so far, gonna conf-nak it instead, with the 3236 * `address' option present and our idea of his address being 3237 * filled in there, to request negotiation of both addresses. 3238 * 3239 * XXX This can result in an endless req - nak loop if peer 3240 * doesn't want to send us his address. Q: What should we do 3241 * about it? XXX A: implement the max-failure counter. 3242 */ 3243 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) { 3244 buf[0] = IPCP_OPT_ADDRESS; 3245 buf[1] = 6; 3246 buf[2] = hisaddr >> 24; 3247 buf[3] = hisaddr >> 16; 3248 buf[4] = hisaddr >> 8; 3249 buf[5] = hisaddr; 3250 rlen = 6; 3251 if (debug) 3252 addlog(" still need hisaddr"); 3253 } 3254 3255 if (rlen) { 3256 if (debug) 3257 addlog(" send conf-nak\n"); 3258 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3259 } else { 3260 if (debug) 3261 addlog(" send conf-ack\n"); 3262 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1); 3263 } 3264 3265 end: 3266 free(buf, M_TEMP); 3267 return (rlen == 0); 3268 3269 drop: 3270 free(buf, M_TEMP); 3271 return -1; 3272 } 3273 3274 /* 3275 * Analyze the IPCP Configure-Reject option list, and adjust our 3276 * negotiation. 3277 */ 3278 static void 3279 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3280 { 3281 u_char *buf, *p, l, blen; 3282 struct ifnet *ifp = &sp->pp_if; 3283 int debug = ifp->if_flags & IFF_DEBUG; 3284 3285 KASSERT(SPPP_WLOCKED(sp)); 3286 3287 len -= 4; 3288 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3289 if (!buf) 3290 return; 3291 3292 if (debug) 3293 log(LOG_DEBUG, "%s: ipcp rej opts:", 3294 ifp->if_xname); 3295 3296 p = (void *)(h + 1); 3297 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3298 /* Sanity check option length */ 3299 if (l > len) { 3300 /* XXX should we just RXJ? */ 3301 addlog("%s: malicious IPCP option received, dropping\n", 3302 ifp->if_xname); 3303 goto drop; 3304 } 3305 if (debug) 3306 addlog(" %s", sppp_ipcp_opt_name(*p)); 3307 switch (*p) { 3308 case IPCP_OPT_ADDRESS: 3309 /* 3310 * Peer doesn't grok address option. This is 3311 * bad. XXX Should we better give up here? 3312 */ 3313 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3314 break; 3315 #ifdef notyet 3316 case IPCP_OPT_COMPRESS: 3317 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS); 3318 break; 3319 #endif 3320 } 3321 } 3322 if (debug) 3323 addlog("\n"); 3324 drop: 3325 free(buf, M_TEMP); 3326 return; 3327 } 3328 3329 /* 3330 * Analyze the IPCP Configure-NAK option list, and adjust our 3331 * negotiation. 3332 */ 3333 static void 3334 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3335 { 3336 u_char *p, l; 3337 struct ifnet *ifp = &sp->pp_if; 3338 int debug = ifp->if_flags & IFF_DEBUG; 3339 uint32_t wantaddr; 3340 3341 KASSERT(SPPP_WLOCKED(sp)); 3342 3343 len -= 4; 3344 3345 if (debug) 3346 log(LOG_DEBUG, "%s: ipcp nak opts:", 3347 ifp->if_xname); 3348 3349 p = (void *)(h + 1); 3350 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3351 /* Sanity check option length */ 3352 if (l > len) { 3353 /* XXX should we just RXJ? */ 3354 addlog("%s: malicious IPCP option received, dropping\n", 3355 ifp->if_xname); 3356 return; 3357 } 3358 if (debug) 3359 addlog(" %s", sppp_ipcp_opt_name(*p)); 3360 switch (*p) { 3361 case IPCP_OPT_ADDRESS: 3362 /* 3363 * Peer doesn't like our local IP address. See 3364 * if we can do something for him. We'll drop 3365 * him our address then. 3366 */ 3367 if (len >= 6 && l == 6) { 3368 wantaddr = p[2] << 24 | p[3] << 16 | 3369 p[4] << 8 | p[5]; 3370 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3371 if (debug) 3372 addlog(" [wantaddr %s]", 3373 sppp_dotted_quad(wantaddr)); 3374 /* 3375 * When doing dynamic address assignment, 3376 * we accept his offer. Otherwise, we 3377 * ignore it and thus continue to negotiate 3378 * our already existing value. 3379 */ 3380 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3381 if (debug) 3382 addlog(" [agree]"); 3383 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3384 sp->ipcp.req_myaddr = wantaddr; 3385 } 3386 } 3387 break; 3388 3389 case IPCP_OPT_PRIMDNS: 3390 if (len >= 6 && l == 6) { 3391 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 3392 p[4] << 8 | p[5]; 3393 } 3394 break; 3395 3396 case IPCP_OPT_SECDNS: 3397 if (len >= 6 && l == 6) { 3398 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 3399 p[4] << 8 | p[5]; 3400 } 3401 break; 3402 #ifdef notyet 3403 case IPCP_OPT_COMPRESS: 3404 /* 3405 * Peer wants different compression parameters. 3406 */ 3407 break; 3408 #endif 3409 } 3410 } 3411 if (debug) 3412 addlog("\n"); 3413 } 3414 3415 static void 3416 sppp_ipcp_tlu(struct sppp *sp) 3417 { 3418 #ifdef INET 3419 KASSERT(SPPP_WLOCKED(sp)); 3420 /* we are up. Set addresses and notify anyone interested */ 3421 sppp_set_ip_addrs(sp); 3422 #endif 3423 } 3424 3425 static void 3426 sppp_ipcp_tld(struct sppp *sp) 3427 { 3428 3429 KASSERT(SPPP_WLOCKED(sp)); 3430 } 3431 3432 static void 3433 sppp_ipcp_tls(struct sppp *sp) 3434 { 3435 3436 KASSERT(SPPP_WLOCKED(sp)); 3437 /* indicate to LCP that it must stay alive */ 3438 sp->lcp.protos |= (1 << IDX_IPCP); 3439 } 3440 3441 static void 3442 sppp_ipcp_tlf(struct sppp *sp) 3443 { 3444 3445 KASSERT(SPPP_WLOCKED(sp)); 3446 3447 /* we no longer need LCP */ 3448 sp->lcp.protos &= ~(1 << IDX_IPCP); 3449 } 3450 3451 static void 3452 sppp_ipcp_scr(struct sppp *sp) 3453 { 3454 uint8_t opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 3455 #ifdef INET 3456 uint32_t ouraddr; 3457 #endif 3458 int i = 0; 3459 3460 KASSERT(SPPP_WLOCKED(sp)); 3461 3462 #ifdef notyet 3463 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3464 opt[i++] = IPCP_OPT_COMPRESSION; 3465 opt[i++] = 6; 3466 opt[i++] = 0; /* VJ header compression */ 3467 opt[i++] = 0x2d; /* VJ header compression */ 3468 opt[i++] = max_slot_id; 3469 opt[i++] = comp_slot_id; 3470 } 3471 #endif 3472 3473 #ifdef INET 3474 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3475 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) 3476 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 3477 else 3478 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3479 opt[i++] = IPCP_OPT_ADDRESS; 3480 opt[i++] = 6; 3481 opt[i++] = ouraddr >> 24; 3482 opt[i++] = ouraddr >> 16; 3483 opt[i++] = ouraddr >> 8; 3484 opt[i++] = ouraddr; 3485 } 3486 #endif 3487 3488 if (sp->query_dns & 1) { 3489 opt[i++] = IPCP_OPT_PRIMDNS; 3490 opt[i++] = 6; 3491 opt[i++] = sp->dns_addrs[0] >> 24; 3492 opt[i++] = sp->dns_addrs[0] >> 16; 3493 opt[i++] = sp->dns_addrs[0] >> 8; 3494 opt[i++] = sp->dns_addrs[0]; 3495 } 3496 if (sp->query_dns & 2) { 3497 opt[i++] = IPCP_OPT_SECDNS; 3498 opt[i++] = 6; 3499 opt[i++] = sp->dns_addrs[1] >> 24; 3500 opt[i++] = sp->dns_addrs[1] >> 16; 3501 opt[i++] = sp->dns_addrs[1] >> 8; 3502 opt[i++] = sp->dns_addrs[1]; 3503 } 3504 3505 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3506 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3507 } 3508 3509 3510 /* 3511 *--------------------------------------------------------------------------* 3512 * * 3513 * The IPv6CP implementation. * 3514 * * 3515 *--------------------------------------------------------------------------* 3516 */ 3517 3518 #ifdef INET6 3519 static void 3520 sppp_ipv6cp_init(struct sppp *sp) 3521 { 3522 3523 KASSERT(SPPP_WLOCKED(sp)); 3524 3525 sp->ipv6cp.opts = 0; 3526 sp->ipv6cp.flags = 0; 3527 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3528 sp->fail_counter[IDX_IPV6CP] = 0; 3529 sp->pp_seq[IDX_IPV6CP] = 0; 3530 sp->pp_rseq[IDX_IPV6CP] = 0; 3531 callout_init(&sp->ch[IDX_IPV6CP], CALLOUT_MPSAFE); 3532 } 3533 3534 static void 3535 sppp_ipv6cp_up(struct sppp *sp) 3536 { 3537 3538 KASSERT(SPPP_WLOCKED(sp)); 3539 sppp_up_event(&ipv6cp, sp); 3540 } 3541 3542 static void 3543 sppp_ipv6cp_down(struct sppp *sp) 3544 { 3545 3546 KASSERT(SPPP_WLOCKED(sp)); 3547 sppp_down_event(&ipv6cp, sp); 3548 } 3549 3550 static void 3551 sppp_ipv6cp_open(struct sppp *sp) 3552 { 3553 STDDCL; 3554 struct in6_addr myaddr, hisaddr; 3555 3556 KASSERT(SPPP_WLOCKED(sp)); 3557 3558 #ifdef IPV6CP_MYIFID_DYN 3559 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3560 #else 3561 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3562 #endif 3563 3564 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3565 /* 3566 * If we don't have our address, this probably means our 3567 * interface doesn't want to talk IPv6 at all. (This could 3568 * be the case if somebody wants to speak only IPX, for 3569 * example.) Don't open IPv6CP in this case. 3570 */ 3571 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3572 /* XXX this message should go away */ 3573 if (debug) 3574 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 3575 ifp->if_xname); 3576 return; 3577 } 3578 3579 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3580 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3581 sppp_open_event(&ipv6cp, sp); 3582 } 3583 3584 static void 3585 sppp_ipv6cp_close(struct sppp *sp) 3586 { 3587 3588 KASSERT(SPPP_WLOCKED(sp)); 3589 sppp_close_event(&ipv6cp, sp); 3590 } 3591 3592 static void 3593 sppp_ipv6cp_TO(void *cookie) 3594 { 3595 struct sppp *sp = cookie; 3596 3597 SPPP_LOCK(sp, RW_WRITER); 3598 sppp_to_event(&ipv6cp, sp); 3599 SPPP_UNLOCK(sp); 3600 } 3601 3602 /* 3603 * Analyze a configure request. Return true if it was agreeable, and 3604 * caused action sca, false if it has been rejected or nak'ed, and 3605 * caused action scn. (The return value is used to make the state 3606 * transition decision in the state automaton.) 3607 */ 3608 static int 3609 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3610 { 3611 u_char *buf, *r, *p, l, blen; 3612 struct ifnet *ifp = &sp->pp_if; 3613 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3614 struct in6_addr myaddr, desiredaddr, suggestaddr; 3615 int ifidcount; 3616 int type; 3617 int collision, nohisaddr; 3618 char ip6buf[INET6_ADDRSTRLEN]; 3619 3620 KASSERT(SPPP_WLOCKED(sp)); 3621 3622 len -= 4; 3623 origlen = len; 3624 /* 3625 * Make sure to allocate a buf that can at least hold a 3626 * conf-nak with an `address' option. We might need it below. 3627 */ 3628 blen = len < 6 ? 6 : len; 3629 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3630 if (! buf) 3631 return (0); 3632 3633 /* pass 1: see if we can recognize them */ 3634 if (debug) 3635 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 3636 ifp->if_xname); 3637 p = (void *)(h + 1); 3638 ifidcount = 0; 3639 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3640 /* Sanity check option length */ 3641 if (l > len) { 3642 /* XXX just RXJ? */ 3643 addlog("%s: received malicious IPCPv6 option, " 3644 "dropping\n", ifp->if_xname); 3645 goto drop; 3646 } 3647 if (debug) 3648 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3649 switch (*p) { 3650 case IPV6CP_OPT_IFID: 3651 if (len >= 10 && l == 10 && ifidcount == 0) { 3652 /* correctly formed address option */ 3653 ifidcount++; 3654 continue; 3655 } 3656 if (debug) 3657 addlog(" [invalid]"); 3658 break; 3659 #ifdef notyet 3660 case IPV6CP_OPT_COMPRESSION: 3661 if (len >= 4 && l >= 4) { 3662 /* correctly formed compress option */ 3663 continue; 3664 } 3665 if (debug) 3666 addlog(" [invalid]"); 3667 break; 3668 #endif 3669 default: 3670 /* Others not supported. */ 3671 if (debug) 3672 addlog(" [rej]"); 3673 break; 3674 } 3675 if (rlen + l > blen) { 3676 if (debug) 3677 addlog(" [overflow]"); 3678 continue; 3679 } 3680 /* Add the option to rejected list. */ 3681 memcpy(r, p, l); 3682 r += l; 3683 rlen += l; 3684 } 3685 if (rlen) { 3686 if (debug) 3687 addlog(" send conf-rej\n"); 3688 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3689 goto end; 3690 } else if (debug) 3691 addlog("\n"); 3692 3693 /* pass 2: parse option values */ 3694 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3695 if (debug) 3696 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 3697 ifp->if_xname); 3698 p = (void *)(h + 1); 3699 len = origlen; 3700 type = CONF_ACK; 3701 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3702 if (debug) 3703 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3704 switch (*p) { 3705 #ifdef notyet 3706 case IPV6CP_OPT_COMPRESSION: 3707 continue; 3708 #endif 3709 case IPV6CP_OPT_IFID: 3710 memset(&desiredaddr, 0, sizeof(desiredaddr)); 3711 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 3712 collision = (memcmp(&desiredaddr.s6_addr[8], 3713 &myaddr.s6_addr[8], 8) == 0); 3714 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3715 3716 desiredaddr.s6_addr16[0] = htons(0xfe80); 3717 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 3718 3719 if (!collision && !nohisaddr) { 3720 /* no collision, hisaddr known - Conf-Ack */ 3721 type = CONF_ACK; 3722 3723 if (debug) { 3724 addlog(" %s [%s]", 3725 IN6_PRINT(ip6buf, &desiredaddr), 3726 sppp_cp_type_name(type)); 3727 } 3728 continue; 3729 } 3730 3731 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3732 if (collision && nohisaddr) { 3733 /* collision, hisaddr unknown - Conf-Rej */ 3734 type = CONF_REJ; 3735 memset(&p[2], 0, 8); 3736 } else { 3737 /* 3738 * - no collision, hisaddr unknown, or 3739 * - collision, hisaddr known 3740 * Conf-Nak, suggest hisaddr 3741 */ 3742 type = CONF_NAK; 3743 sppp_suggest_ip6_addr(sp, &suggestaddr); 3744 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 3745 } 3746 if (debug) 3747 addlog(" %s [%s]", IN6_PRINT(ip6buf, &desiredaddr), 3748 sppp_cp_type_name(type)); 3749 break; 3750 } 3751 if (rlen + l > blen) { 3752 if (debug) 3753 addlog(" [overflow]"); 3754 continue; 3755 } 3756 /* Add the option to nak'ed list. */ 3757 memcpy(r, p, l); 3758 r += l; 3759 rlen += l; 3760 } 3761 3762 if (rlen == 0 && type == CONF_ACK) { 3763 if (debug) 3764 addlog(" send %s\n", sppp_cp_type_name(type)); 3765 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1); 3766 } else { 3767 #ifdef notdef 3768 if (type == CONF_ACK) 3769 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3770 #endif 3771 3772 if (debug) { 3773 addlog(" send %s suggest %s\n", 3774 sppp_cp_type_name(type), IN6_PRINT(ip6buf, &suggestaddr)); 3775 } 3776 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3777 } 3778 3779 end: 3780 free(buf, M_TEMP); 3781 return (rlen == 0); 3782 3783 drop: 3784 free(buf, M_TEMP); 3785 return -1; 3786 } 3787 3788 /* 3789 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3790 * negotiation. 3791 */ 3792 static void 3793 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3794 { 3795 u_char *buf, *p, l, blen; 3796 struct ifnet *ifp = &sp->pp_if; 3797 int debug = ifp->if_flags & IFF_DEBUG; 3798 3799 KASSERT(SPPP_WLOCKED(sp)); 3800 3801 len -= 4; 3802 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3803 if (!buf) 3804 return; 3805 3806 if (debug) 3807 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 3808 ifp->if_xname); 3809 3810 p = (void *)(h + 1); 3811 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3812 if (l > len) { 3813 /* XXX just RXJ? */ 3814 addlog("%s: received malicious IPCPv6 option, " 3815 "dropping\n", ifp->if_xname); 3816 goto drop; 3817 } 3818 if (debug) 3819 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3820 switch (*p) { 3821 case IPV6CP_OPT_IFID: 3822 /* 3823 * Peer doesn't grok address option. This is 3824 * bad. XXX Should we better give up here? 3825 */ 3826 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3827 break; 3828 #ifdef notyet 3829 case IPV6CP_OPT_COMPRESS: 3830 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3831 break; 3832 #endif 3833 } 3834 } 3835 if (debug) 3836 addlog("\n"); 3837 drop: 3838 free(buf, M_TEMP); 3839 return; 3840 } 3841 3842 /* 3843 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3844 * negotiation. 3845 */ 3846 static void 3847 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3848 { 3849 u_char *buf, *p, l, blen; 3850 struct ifnet *ifp = &sp->pp_if; 3851 int debug = ifp->if_flags & IFF_DEBUG; 3852 struct in6_addr suggestaddr; 3853 char ip6buf[INET6_ADDRSTRLEN]; 3854 3855 KASSERT(SPPP_WLOCKED(sp)); 3856 3857 len -= 4; 3858 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3859 if (!buf) 3860 return; 3861 3862 if (debug) 3863 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 3864 ifp->if_xname); 3865 3866 p = (void *)(h + 1); 3867 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3868 if (l > len) { 3869 /* XXX just RXJ? */ 3870 addlog("%s: received malicious IPCPv6 option, " 3871 "dropping\n", ifp->if_xname); 3872 goto drop; 3873 } 3874 if (debug) 3875 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3876 switch (*p) { 3877 case IPV6CP_OPT_IFID: 3878 /* 3879 * Peer doesn't like our local ifid. See 3880 * if we can do something for him. We'll drop 3881 * him our address then. 3882 */ 3883 if (len < 10 || l != 10) 3884 break; 3885 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3886 suggestaddr.s6_addr16[0] = htons(0xfe80); 3887 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 3888 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 3889 3890 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3891 if (debug) 3892 addlog(" [suggestaddr %s]", 3893 IN6_PRINT(ip6buf, &suggestaddr)); 3894 #ifdef IPV6CP_MYIFID_DYN 3895 /* 3896 * When doing dynamic address assignment, 3897 * we accept his offer. 3898 */ 3899 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3900 struct in6_addr lastsuggest; 3901 /* 3902 * If <suggested myaddr from peer> equals to 3903 * <hisaddr we have suggested last time>, 3904 * we have a collision. generate new random 3905 * ifid. 3906 */ 3907 sppp_suggest_ip6_addr(&lastsuggest); 3908 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3909 lastsuggest)) { 3910 if (debug) 3911 addlog(" [random]"); 3912 sppp_gen_ip6_addr(sp, &suggestaddr); 3913 } 3914 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3915 if (debug) 3916 addlog(" [agree]"); 3917 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3918 } 3919 #else 3920 /* 3921 * Since we do not do dynamic address assignment, 3922 * we ignore it and thus continue to negotiate 3923 * our already existing value. This can possibly 3924 * go into infinite request-reject loop. 3925 * 3926 * This is not likely because we normally use 3927 * ifid based on MAC-address. 3928 * If you have no ethernet card on the node, too bad. 3929 * XXX should we use fail_counter? 3930 */ 3931 #endif 3932 break; 3933 #ifdef notyet 3934 case IPV6CP_OPT_COMPRESS: 3935 /* 3936 * Peer wants different compression parameters. 3937 */ 3938 break; 3939 #endif 3940 } 3941 } 3942 if (debug) 3943 addlog("\n"); 3944 drop: 3945 free(buf, M_TEMP); 3946 return; 3947 } 3948 3949 static void 3950 sppp_ipv6cp_tlu(struct sppp *sp) 3951 { 3952 3953 KASSERT(SPPP_WLOCKED(sp)); 3954 /* we are up - notify isdn daemon */ 3955 sppp_notify_con_wlocked(sp); 3956 } 3957 3958 static void 3959 sppp_ipv6cp_tld(struct sppp *sp) 3960 { 3961 3962 KASSERT(SPPP_WLOCKED(sp)); 3963 } 3964 3965 static void 3966 sppp_ipv6cp_tls(struct sppp *sp) 3967 { 3968 3969 KASSERT(SPPP_WLOCKED(sp)); 3970 /* indicate to LCP that it must stay alive */ 3971 sp->lcp.protos |= (1 << IDX_IPV6CP); 3972 } 3973 3974 static void 3975 sppp_ipv6cp_tlf(struct sppp *sp) 3976 { 3977 3978 KASSERT(SPPP_WLOCKED(sp)); 3979 /* we no longer need LCP */ 3980 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3981 } 3982 3983 static void 3984 sppp_ipv6cp_scr(struct sppp *sp) 3985 { 3986 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3987 struct in6_addr ouraddr; 3988 int i = 0; 3989 3990 KASSERT(SPPP_WLOCKED(sp)); 3991 3992 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3993 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3994 opt[i++] = IPV6CP_OPT_IFID; 3995 opt[i++] = 10; 3996 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 3997 i += 8; 3998 } 3999 4000 #ifdef notyet 4001 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 4002 opt[i++] = IPV6CP_OPT_COMPRESSION; 4003 opt[i++] = 4; 4004 opt[i++] = 0; /* TBD */ 4005 opt[i++] = 0; /* TBD */ 4006 /* variable length data may follow */ 4007 } 4008 #endif 4009 4010 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 4011 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 4012 } 4013 #else /*INET6*/ 4014 static void 4015 sppp_ipv6cp_init(struct sppp *sp) 4016 { 4017 4018 KASSERT(SPPP_WLOCKED(sp)); 4019 } 4020 4021 static void 4022 sppp_ipv6cp_up(struct sppp *sp) 4023 { 4024 4025 KASSERT(SPPP_WLOCKED(sp)); 4026 } 4027 4028 static void 4029 sppp_ipv6cp_down(struct sppp *sp) 4030 { 4031 4032 KASSERT(SPPP_WLOCKED(sp)); 4033 } 4034 4035 static void 4036 sppp_ipv6cp_open(struct sppp *sp) 4037 { 4038 4039 KASSERT(SPPP_WLOCKED(sp)); 4040 } 4041 4042 static void 4043 sppp_ipv6cp_close(struct sppp *sp) 4044 { 4045 4046 KASSERT(SPPP_WLOCKED(sp)); 4047 } 4048 4049 static void 4050 sppp_ipv6cp_TO(void *cookie) 4051 { 4052 struct sppp *sp __diagused = cookie; 4053 4054 KASSERT(SPPP_WLOCKED(sp)); 4055 } 4056 4057 static int 4058 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, 4059 int len) 4060 { 4061 4062 KASSERT(SPPP_WLOCKED(sp)); 4063 return 0; 4064 } 4065 4066 static void 4067 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, 4068 int len) 4069 { 4070 4071 KASSERT(SPPP_WLOCKED(sp)); 4072 } 4073 4074 static void 4075 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, 4076 int len) 4077 { 4078 4079 KASSERT(SPPP_WLOCKED(sp)); 4080 } 4081 4082 static void 4083 sppp_ipv6cp_tlu(struct sppp *sp) 4084 { 4085 4086 KASSERT(SPPP_WLOCKED(sp)); 4087 } 4088 4089 static void 4090 sppp_ipv6cp_tld(struct sppp *sp) 4091 { 4092 4093 KASSERT(SPPP_WLOCKED(sp)); 4094 } 4095 4096 static void 4097 sppp_ipv6cp_tls(struct sppp *sp) 4098 { 4099 4100 KASSERT(SPPP_WLOCKED(sp)); 4101 } 4102 4103 static void 4104 sppp_ipv6cp_tlf(struct sppp *sp) 4105 { 4106 4107 KASSERT(SPPP_WLOCKED(sp)); 4108 } 4109 4110 static void 4111 sppp_ipv6cp_scr(struct sppp *sp) 4112 { 4113 4114 KASSERT(SPPP_WLOCKED(sp)); 4115 } 4116 #endif /*INET6*/ 4117 4118 4119 /* 4120 *--------------------------------------------------------------------------* 4121 * * 4122 * The CHAP implementation. * 4123 * * 4124 *--------------------------------------------------------------------------* 4125 */ 4126 4127 /* 4128 * The authentication protocols don't employ a full-fledged state machine as 4129 * the control protocols do, since they do have Open and Close events, but 4130 * not Up and Down, nor are they explicitly terminated. Also, use of the 4131 * authentication protocols may be different in both directions (this makes 4132 * sense, think of a machine that never accepts incoming calls but only 4133 * calls out, it doesn't require the called party to authenticate itself). 4134 * 4135 * Our state machine for the local authentication protocol (we are requesting 4136 * the peer to authenticate) looks like: 4137 * 4138 * RCA- 4139 * +--------------------------------------------+ 4140 * V scn,tld| 4141 * +--------+ Close +---------+ RCA+ 4142 * | |<----------------------------------| |------+ 4143 * +--->| Closed | TO* | Opened | sca | 4144 * | | |-----+ +-------| |<-----+ 4145 * | +--------+ irc | | +---------+ 4146 * | ^ | | ^ 4147 * | | | | | 4148 * | | | | | 4149 * | TO-| | | | 4150 * | |tld TO+ V | | 4151 * | | +------->+ | | 4152 * | | | | | | 4153 * | +--------+ V | | 4154 * | | |<----+<--------------------+ | 4155 * | | Req- | scr | 4156 * | | Sent | | 4157 * | | | | 4158 * | +--------+ | 4159 * | RCA- | | RCA+ | 4160 * +------+ +------------------------------------------+ 4161 * scn,tld sca,irc,ict,tlu 4162 * 4163 * 4164 * with: 4165 * 4166 * Open: LCP reached authentication phase 4167 * Close: LCP reached terminate phase 4168 * 4169 * RCA+: received reply (pap-req, chap-response), acceptable 4170 * RCN: received reply (pap-req, chap-response), not acceptable 4171 * TO+: timeout with restart counter >= 0 4172 * TO-: timeout with restart counter < 0 4173 * TO*: reschedule timeout for CHAP 4174 * 4175 * scr: send request packet (none for PAP, chap-challenge) 4176 * sca: send ack packet (pap-ack, chap-success) 4177 * scn: send nak packet (pap-nak, chap-failure) 4178 * ict: initialize re-challenge timer (CHAP only) 4179 * 4180 * tlu: this-layer-up, LCP reaches network phase 4181 * tld: this-layer-down, LCP enters terminate phase 4182 * 4183 * Note that in CHAP mode, after sending a new challenge, while the state 4184 * automaton falls back into Req-Sent state, it doesn't signal a tld 4185 * event to LCP, so LCP remains in network phase. Only after not getting 4186 * any response (or after getting an unacceptable response), CHAP closes, 4187 * causing LCP to enter terminate phase. 4188 * 4189 * With PAP, there is no initial request that can be sent. The peer is 4190 * expected to send one based on the successful negotiation of PAP as 4191 * the authentication protocol during the LCP option negotiation. 4192 * 4193 * Incoming authentication protocol requests (remote requests 4194 * authentication, we are peer) don't employ a state machine at all, 4195 * they are simply answered. Some peers [Ascend P50 firmware rev 4196 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are 4197 * still in authentication phase (thereby violating the standard that 4198 * demands that these NCP packets are to be discarded), so we keep 4199 * track of the peer demanding us to authenticate, and only proceed to 4200 * phase network once we've seen a positive acknowledge for the 4201 * authentication. 4202 */ 4203 4204 /* 4205 * Handle incoming CHAP packets. 4206 */ 4207 void 4208 sppp_chap_input(struct sppp *sp, struct mbuf *m) 4209 { 4210 STDDCL; 4211 struct lcp_header *h; 4212 int len, x; 4213 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize; 4214 int value_len, name_len; 4215 MD5_CTX ctx; 4216 4217 len = m->m_pkthdr.len; 4218 if (len < 4) { 4219 if (debug) 4220 log(LOG_DEBUG, 4221 "%s: chap invalid packet length: %d bytes\n", 4222 ifp->if_xname, len); 4223 return; 4224 } 4225 h = mtod(m, struct lcp_header *); 4226 if (len > ntohs(h->len)) 4227 len = ntohs(h->len); 4228 4229 SPPP_LOCK(sp, RW_WRITER); 4230 4231 switch (h->type) { 4232 /* challenge, failure and success are his authproto */ 4233 case CHAP_CHALLENGE: 4234 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4235 /* can't do anything useful */ 4236 sp->pp_auth_failures++; 4237 printf("%s: chap input without my name and my secret being set\n", 4238 ifp->if_xname); 4239 break; 4240 } 4241 value = 1 + (u_char *)(h + 1); 4242 value_len = value[-1]; 4243 name = value + value_len; 4244 name_len = len - value_len - 5; 4245 if (name_len < 0) { 4246 if (debug) { 4247 log(LOG_DEBUG, 4248 "%s: chap corrupted challenge " 4249 "<%s id=0x%x len=%d", 4250 ifp->if_xname, 4251 sppp_auth_type_name(PPP_CHAP, h->type), 4252 h->ident, ntohs(h->len)); 4253 if (len > 4) 4254 sppp_print_bytes((u_char *)(h + 1), 4255 len - 4); 4256 addlog(">\n"); 4257 } 4258 break; 4259 } 4260 4261 if (debug) { 4262 log(LOG_DEBUG, 4263 "%s: chap input <%s id=0x%x len=%d name=", 4264 ifp->if_xname, 4265 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 4266 ntohs(h->len)); 4267 sppp_print_string((char *) name, name_len); 4268 addlog(" value-size=%d value=", value_len); 4269 sppp_print_bytes(value, value_len); 4270 addlog(">\n"); 4271 } 4272 4273 /* Compute reply value. */ 4274 MD5Init(&ctx); 4275 MD5Update(&ctx, &h->ident, 1); 4276 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 4277 MD5Update(&ctx, value, value_len); 4278 MD5Final(digest, &ctx); 4279 dsize = sizeof digest; 4280 4281 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 4282 sizeof dsize, (const char *)&dsize, 4283 sizeof digest, digest, 4284 sp->myauth.name_len, 4285 sp->myauth.name, 4286 0); 4287 break; 4288 4289 case CHAP_SUCCESS: 4290 if (debug) { 4291 log(LOG_DEBUG, "%s: chap success", 4292 ifp->if_xname); 4293 if (len > 4) { 4294 addlog(": "); 4295 sppp_print_string((char *)(h + 1), len - 4); 4296 } 4297 addlog("\n"); 4298 } 4299 x = splnet(); 4300 sp->pp_auth_failures = 0; 4301 sp->pp_flags &= ~PP_NEEDAUTH; 4302 if (sp->myauth.proto == PPP_CHAP && 4303 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4304 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 4305 /* 4306 * We are authenticator for CHAP but didn't 4307 * complete yet. Leave it to tlu to proceed 4308 * to network phase. 4309 */ 4310 splx(x); 4311 break; 4312 } 4313 splx(x); 4314 sppp_phase_network(sp); 4315 break; 4316 4317 case CHAP_FAILURE: 4318 x = splnet(); 4319 sp->pp_auth_failures++; 4320 splx(x); 4321 if (debug) { 4322 log(LOG_INFO, "%s: chap failure", 4323 ifp->if_xname); 4324 if (len > 4) { 4325 addlog(": "); 4326 sppp_print_string((char *)(h + 1), len - 4); 4327 } 4328 addlog("\n"); 4329 } else 4330 log(LOG_INFO, "%s: chap failure\n", 4331 ifp->if_xname); 4332 /* await LCP shutdown by authenticator */ 4333 break; 4334 4335 /* response is my authproto */ 4336 case CHAP_RESPONSE: 4337 if (sp->hisauth.secret == NULL) { 4338 /* can't do anything useful */ 4339 printf("%s: chap input without his secret being set\n", 4340 ifp->if_xname); 4341 break; 4342 } 4343 value = 1 + (u_char *)(h + 1); 4344 value_len = value[-1]; 4345 name = value + value_len; 4346 name_len = len - value_len - 5; 4347 if (name_len < 0) { 4348 if (debug) { 4349 log(LOG_DEBUG, 4350 "%s: chap corrupted response " 4351 "<%s id=0x%x len=%d", 4352 ifp->if_xname, 4353 sppp_auth_type_name(PPP_CHAP, h->type), 4354 h->ident, ntohs(h->len)); 4355 if (len > 4) 4356 sppp_print_bytes((u_char *)(h + 1), 4357 len - 4); 4358 addlog(">\n"); 4359 } 4360 break; 4361 } 4362 if (h->ident != sp->confid[IDX_CHAP]) { 4363 if (debug) 4364 log(LOG_DEBUG, 4365 "%s: chap dropping response for old ID " 4366 "(got %d, expected %d)\n", 4367 ifp->if_xname, 4368 h->ident, sp->confid[IDX_CHAP]); 4369 break; 4370 } 4371 if (sp->hisauth.name != NULL && 4372 (name_len != sp->hisauth.name_len 4373 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 4374 log(LOG_INFO, "%s: chap response, his name ", 4375 ifp->if_xname); 4376 sppp_print_string(name, name_len); 4377 addlog(" != expected "); 4378 sppp_print_string(sp->hisauth.name, 4379 sp->hisauth.name_len); 4380 addlog("\n"); 4381 goto chap_failure; 4382 } 4383 if (debug) { 4384 log(LOG_DEBUG, "%s: chap input(%s) " 4385 "<%s id=0x%x len=%d name=", 4386 ifp->if_xname, 4387 sppp_state_name(sp->state[IDX_CHAP]), 4388 sppp_auth_type_name(PPP_CHAP, h->type), 4389 h->ident, ntohs(h->len)); 4390 sppp_print_string((char *)name, name_len); 4391 addlog(" value-size=%d value=", value_len); 4392 sppp_print_bytes(value, value_len); 4393 addlog(">\n"); 4394 } 4395 if (value_len != sizeof(sp->hisauth.challenge)) { 4396 if (debug) 4397 log(LOG_DEBUG, 4398 "%s: chap bad hash value length: " 4399 "%d bytes, should be %zu\n", 4400 ifp->if_xname, value_len, 4401 sizeof(sp->hisauth.challenge)); 4402 goto chap_failure; 4403 } 4404 4405 MD5Init(&ctx); 4406 MD5Update(&ctx, &h->ident, 1); 4407 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 4408 MD5Update(&ctx, sp->hisauth.challenge, sizeof(sp->hisauth.challenge)); 4409 MD5Final(digest, &ctx); 4410 4411 #define FAILMSG "Failed..." 4412 #define SUCCMSG "Welcome!" 4413 4414 if (value_len != sizeof digest || 4415 memcmp(digest, value, value_len) != 0) { 4416 chap_failure: 4417 KASSERT(SPPP_WLOCKED(sp)); 4418 /* action scn, tld */ 4419 sp->pp_auth_failures++; 4420 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4421 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4422 0); 4423 chap.tld(sp); 4424 break; 4425 } 4426 sp->pp_auth_failures = 0; 4427 /* action sca, perhaps tlu */ 4428 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4429 sp->state[IDX_CHAP] == STATE_OPENED) 4430 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4431 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4432 0); 4433 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4434 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4435 chap.tlu(sp); 4436 } 4437 break; 4438 4439 default: 4440 /* Unknown CHAP packet type -- ignore. */ 4441 if (debug) { 4442 log(LOG_DEBUG, "%s: chap unknown input(%s) " 4443 "<0x%x id=0x%xh len=%d", 4444 ifp->if_xname, 4445 sppp_state_name(sp->state[IDX_CHAP]), 4446 h->type, h->ident, ntohs(h->len)); 4447 if (len > 4) 4448 sppp_print_bytes((u_char *)(h + 1), len - 4); 4449 addlog(">\n"); 4450 } 4451 break; 4452 4453 } 4454 4455 SPPP_UNLOCK(sp); 4456 } 4457 4458 static void 4459 sppp_chap_init(struct sppp *sp) 4460 { 4461 4462 KASSERT(SPPP_WLOCKED(sp)); 4463 4464 /* Chap doesn't have STATE_INITIAL at all. */ 4465 sp->state[IDX_CHAP] = STATE_CLOSED; 4466 sp->fail_counter[IDX_CHAP] = 0; 4467 sp->pp_seq[IDX_CHAP] = 0; 4468 sp->pp_rseq[IDX_CHAP] = 0; 4469 callout_init(&sp->ch[IDX_CHAP], CALLOUT_MPSAFE); 4470 } 4471 4472 static void 4473 sppp_chap_open(struct sppp *sp) 4474 { 4475 4476 KASSERT(SPPP_WLOCKED(sp)); 4477 if (sp->hisauth.proto == PPP_CHAP && 4478 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4479 /* we are authenticator for CHAP, start it */ 4480 chap.scr(sp); 4481 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4482 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4483 } 4484 /* nothing to be done if we are peer, await a challenge */ 4485 } 4486 4487 static void 4488 sppp_chap_close(struct sppp *sp) 4489 { 4490 4491 KASSERT(SPPP_WLOCKED(sp)); 4492 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4493 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4494 } 4495 4496 static void 4497 sppp_chap_TO(void *cookie) 4498 { 4499 struct sppp *sp = (struct sppp *)cookie; 4500 STDDCL; 4501 int s; 4502 4503 s = splnet(); 4504 4505 SPPP_LOCK(sp, RW_WRITER); 4506 4507 if (debug) 4508 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n", 4509 ifp->if_xname, 4510 sppp_state_name(sp->state[IDX_CHAP]), 4511 sp->rst_counter[IDX_CHAP]); 4512 4513 if (--sp->rst_counter[IDX_CHAP] < 0) 4514 /* TO- event */ 4515 switch (sp->state[IDX_CHAP]) { 4516 case STATE_REQ_SENT: 4517 chap.tld(sp); 4518 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4519 break; 4520 } 4521 else 4522 /* TO+ (or TO*) event */ 4523 switch (sp->state[IDX_CHAP]) { 4524 case STATE_OPENED: 4525 /* TO* event */ 4526 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4527 /* fall through */ 4528 case STATE_REQ_SENT: 4529 chap.scr(sp); 4530 /* sppp_cp_change_state() will restart the timer */ 4531 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4532 break; 4533 } 4534 4535 SPPP_UNLOCK(sp); 4536 splx(s); 4537 } 4538 4539 static void 4540 sppp_chap_tlu(struct sppp *sp) 4541 { 4542 STDDCL; 4543 int i, x; 4544 4545 KASSERT(SPPP_WLOCKED(sp)); 4546 4547 i = 0; 4548 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4549 4550 /* 4551 * Some broken CHAP implementations (Conware CoNet, firmware 4552 * 4.0.?) don't want to re-authenticate their CHAP once the 4553 * initial challenge-response exchange has taken place. 4554 * Provide for an option to avoid rechallenges. 4555 */ 4556 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 4557 /* 4558 * Compute the re-challenge timeout. This will yield 4559 * a number between 300 and 810 seconds. 4560 */ 4561 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7); 4562 4563 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp); 4564 } 4565 4566 if (debug) { 4567 log(LOG_DEBUG, 4568 "%s: chap %s, ", 4569 ifp->if_xname, 4570 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu"); 4571 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) 4572 addlog("next re-challenge in %d seconds\n", i); 4573 else 4574 addlog("re-challenging suppressed\n"); 4575 } 4576 4577 x = splnet(); 4578 sp->pp_auth_failures = 0; 4579 /* indicate to LCP that we need to be closed down */ 4580 sp->lcp.protos |= (1 << IDX_CHAP); 4581 4582 if (sp->pp_flags & PP_NEEDAUTH) { 4583 /* 4584 * Remote is authenticator, but his auth proto didn't 4585 * complete yet. Defer the transition to network 4586 * phase. 4587 */ 4588 splx(x); 4589 return; 4590 } 4591 splx(x); 4592 4593 /* 4594 * If we are already in phase network, we are done here. This 4595 * is the case if this is a dummy tlu event after a re-challenge. 4596 */ 4597 if (sp->pp_phase != SPPP_PHASE_NETWORK) 4598 sppp_phase_network(sp); 4599 } 4600 4601 static void 4602 sppp_chap_tld(struct sppp *sp) 4603 { 4604 STDDCL; 4605 4606 KASSERT(SPPP_WLOCKED(sp)); 4607 4608 if (debug) 4609 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname); 4610 callout_stop(&sp->ch[IDX_CHAP]); 4611 sp->lcp.protos &= ~(1 << IDX_CHAP); 4612 4613 lcp.Close(sp); 4614 } 4615 4616 static void 4617 sppp_chap_scr(struct sppp *sp) 4618 { 4619 uint32_t *ch; 4620 u_char clen = 4 * sizeof(uint32_t); 4621 4622 KASSERT(SPPP_WLOCKED(sp)); 4623 4624 if (sp->hisauth.name == NULL) { 4625 /* can't do anything useful */ 4626 printf("%s: chap starting without his name being set\n", 4627 sp->pp_if.if_xname); 4628 return; 4629 } 4630 4631 /* Compute random challenge. */ 4632 ch = (uint32_t *)sp->hisauth.challenge; 4633 cprng_strong(kern_cprng, ch, clen, 0); 4634 4635 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4636 4637 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4638 sizeof clen, (const char *)&clen, 4639 sizeof(sp->hisauth.challenge), sp->hisauth.challenge, 4640 0); 4641 } 4642 4643 /* 4644 *--------------------------------------------------------------------------* 4645 * * 4646 * The PAP implementation. * 4647 * * 4648 *--------------------------------------------------------------------------* 4649 */ 4650 /* 4651 * For PAP, we need to keep a little state also if we are the peer, not the 4652 * authenticator. This is since we don't get a request to authenticate, but 4653 * have to repeatedly authenticate ourself until we got a response (or the 4654 * retry counter is expired). 4655 */ 4656 4657 /* 4658 * Handle incoming PAP packets. */ 4659 static void 4660 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4661 { 4662 STDDCL; 4663 struct lcp_header *h; 4664 int len, x; 4665 u_char mlen; 4666 char *name, *secret; 4667 int name_len, secret_len; 4668 4669 /* 4670 * Malicious input might leave this uninitialized, so 4671 * init to an impossible value. 4672 */ 4673 secret_len = -1; 4674 4675 len = m->m_pkthdr.len; 4676 if (len < 5) { 4677 if (debug) 4678 log(LOG_DEBUG, 4679 "%s: pap invalid packet length: %d bytes\n", 4680 ifp->if_xname, len); 4681 return; 4682 } 4683 h = mtod(m, struct lcp_header *); 4684 if (len > ntohs(h->len)) 4685 len = ntohs(h->len); 4686 4687 SPPP_LOCK(sp, RW_WRITER); 4688 4689 switch (h->type) { 4690 /* PAP request is my authproto */ 4691 case PAP_REQ: 4692 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4693 /* can't do anything useful */ 4694 printf("%s: " 4695 "pap request without his name and his secret being set\n", 4696 ifp->if_xname); 4697 break; 4698 } 4699 name = 1 + (u_char *)(h + 1); 4700 name_len = name[-1]; 4701 secret = name + name_len + 1; 4702 if (name_len > len - 6 || 4703 (secret_len = secret[-1]) > len - 6 - name_len) { 4704 if (debug) { 4705 log(LOG_DEBUG, "%s: pap corrupted input " 4706 "<%s id=0x%x len=%d", 4707 ifp->if_xname, 4708 sppp_auth_type_name(PPP_PAP, h->type), 4709 h->ident, ntohs(h->len)); 4710 if (len > 4) 4711 sppp_print_bytes((u_char *)(h + 1), 4712 len - 4); 4713 addlog(">\n"); 4714 } 4715 break; 4716 } 4717 if (debug) { 4718 log(LOG_DEBUG, "%s: pap input(%s) " 4719 "<%s id=0x%x len=%d name=", 4720 ifp->if_xname, 4721 sppp_state_name(sp->state[IDX_PAP]), 4722 sppp_auth_type_name(PPP_PAP, h->type), 4723 h->ident, ntohs(h->len)); 4724 sppp_print_string((char *)name, name_len); 4725 addlog(" secret="); 4726 sppp_print_string((char *)secret, secret_len); 4727 addlog(">\n"); 4728 } 4729 if (name_len != sp->hisauth.name_len || 4730 secret_len != sp->hisauth.secret_len || 4731 memcmp(name, sp->hisauth.name, name_len) != 0 || 4732 memcmp(secret, sp->hisauth.secret, secret_len) != 0) { 4733 /* action scn, tld */ 4734 sp->pp_auth_failures++; 4735 mlen = sizeof(FAILMSG) - 1; 4736 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4737 sizeof mlen, (const char *)&mlen, 4738 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4739 0); 4740 pap.tld(sp); 4741 break; 4742 } 4743 /* action sca, perhaps tlu */ 4744 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4745 sp->state[IDX_PAP] == STATE_OPENED) { 4746 mlen = sizeof(SUCCMSG) - 1; 4747 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4748 sizeof mlen, (const char *)&mlen, 4749 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4750 0); 4751 } 4752 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4753 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4754 pap.tlu(sp); 4755 } 4756 break; 4757 4758 /* ack and nak are his authproto */ 4759 case PAP_ACK: 4760 callout_stop(&sp->pap_my_to_ch); 4761 if (debug) { 4762 log(LOG_DEBUG, "%s: pap success", 4763 ifp->if_xname); 4764 name = 1 + (u_char *)(h + 1); 4765 name_len = name[-1]; 4766 if (len > 5 && name_len < len+4) { 4767 addlog(": "); 4768 sppp_print_string(name, name_len); 4769 } 4770 addlog("\n"); 4771 } 4772 x = splnet(); 4773 sp->pp_auth_failures = 0; 4774 sp->pp_flags &= ~PP_NEEDAUTH; 4775 if (sp->myauth.proto == PPP_PAP && 4776 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4777 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4778 /* 4779 * We are authenticator for PAP but didn't 4780 * complete yet. Leave it to tlu to proceed 4781 * to network phase. 4782 */ 4783 splx(x); 4784 break; 4785 } 4786 splx(x); 4787 sppp_phase_network(sp); 4788 break; 4789 4790 case PAP_NAK: 4791 callout_stop(&sp->pap_my_to_ch); 4792 sp->pp_auth_failures++; 4793 if (debug) { 4794 log(LOG_INFO, "%s: pap failure", 4795 ifp->if_xname); 4796 name = 1 + (u_char *)(h + 1); 4797 name_len = name[-1]; 4798 if (len > 5 && name_len < len+4) { 4799 addlog(": "); 4800 sppp_print_string(name, name_len); 4801 } 4802 addlog("\n"); 4803 } else 4804 log(LOG_INFO, "%s: pap failure\n", 4805 ifp->if_xname); 4806 /* await LCP shutdown by authenticator */ 4807 break; 4808 4809 default: 4810 /* Unknown PAP packet type -- ignore. */ 4811 if (debug) { 4812 log(LOG_DEBUG, "%s: pap corrupted input " 4813 "<0x%x id=0x%x len=%d", 4814 ifp->if_xname, 4815 h->type, h->ident, ntohs(h->len)); 4816 if (len > 4) 4817 sppp_print_bytes((u_char *)(h + 1), len - 4); 4818 addlog(">\n"); 4819 } 4820 break; 4821 } 4822 4823 SPPP_UNLOCK(sp); 4824 } 4825 4826 static void 4827 sppp_pap_init(struct sppp *sp) 4828 { 4829 4830 KASSERT(SPPP_WLOCKED(sp)); 4831 4832 /* PAP doesn't have STATE_INITIAL at all. */ 4833 sp->state[IDX_PAP] = STATE_CLOSED; 4834 sp->fail_counter[IDX_PAP] = 0; 4835 sp->pp_seq[IDX_PAP] = 0; 4836 sp->pp_rseq[IDX_PAP] = 0; 4837 callout_init(&sp->ch[IDX_PAP], CALLOUT_MPSAFE); 4838 callout_init(&sp->pap_my_to_ch, CALLOUT_MPSAFE); 4839 } 4840 4841 static void 4842 sppp_pap_open(struct sppp *sp) 4843 { 4844 4845 KASSERT(SPPP_WLOCKED(sp)); 4846 4847 if (sp->hisauth.proto == PPP_PAP && 4848 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4849 /* we are authenticator for PAP, start our timer */ 4850 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4851 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4852 } 4853 if (sp->myauth.proto == PPP_PAP) { 4854 /* we are peer, send a request, and start a timer */ 4855 pap.scr(sp); 4856 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout, 4857 sppp_pap_my_TO, sp); 4858 } 4859 } 4860 4861 static void 4862 sppp_pap_close(struct sppp *sp) 4863 { 4864 4865 KASSERT(SPPP_WLOCKED(sp)); 4866 4867 if (sp->state[IDX_PAP] != STATE_CLOSED) 4868 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4869 } 4870 4871 /* 4872 * That's the timeout routine if we are authenticator. Since the 4873 * authenticator is basically passive in PAP, we can't do much here. 4874 */ 4875 static void 4876 sppp_pap_TO(void *cookie) 4877 { 4878 struct sppp *sp = (struct sppp *)cookie; 4879 STDDCL; 4880 int s; 4881 4882 s = splnet(); 4883 SPPP_LOCK(sp, RW_WRITER); 4884 4885 if (debug) 4886 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n", 4887 ifp->if_xname, 4888 sppp_state_name(sp->state[IDX_PAP]), 4889 sp->rst_counter[IDX_PAP]); 4890 4891 if (--sp->rst_counter[IDX_PAP] < 0) 4892 /* TO- event */ 4893 switch (sp->state[IDX_PAP]) { 4894 case STATE_REQ_SENT: 4895 pap.tld(sp); 4896 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4897 break; 4898 } 4899 else 4900 /* TO+ event, not very much we could do */ 4901 switch (sp->state[IDX_PAP]) { 4902 case STATE_REQ_SENT: 4903 /* sppp_cp_change_state() will restart the timer */ 4904 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4905 break; 4906 } 4907 4908 SPPP_UNLOCK(sp); 4909 splx(s); 4910 } 4911 4912 /* 4913 * That's the timeout handler if we are peer. Since the peer is active, 4914 * we need to retransmit our PAP request since it is apparently lost. 4915 * XXX We should impose a max counter. 4916 */ 4917 static void 4918 sppp_pap_my_TO(void *cookie) 4919 { 4920 struct sppp *sp = (struct sppp *)cookie; 4921 STDDCL; 4922 4923 SPPP_LOCK(sp, RW_WRITER); 4924 if (debug) 4925 log(LOG_DEBUG, "%s: pap peer TO\n", 4926 ifp->if_xname); 4927 4928 pap.scr(sp); 4929 4930 SPPP_UNLOCK(sp); 4931 } 4932 4933 static void 4934 sppp_pap_tlu(struct sppp *sp) 4935 { 4936 STDDCL; 4937 int x; 4938 4939 KASSERT(SPPP_WLOCKED(sp)); 4940 4941 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4942 4943 if (debug) 4944 log(LOG_DEBUG, "%s: %s tlu\n", 4945 ifp->if_xname, pap.name); 4946 4947 x = splnet(); 4948 sp->pp_auth_failures = 0; 4949 /* indicate to LCP that we need to be closed down */ 4950 sp->lcp.protos |= (1 << IDX_PAP); 4951 4952 if (sp->pp_flags & PP_NEEDAUTH) { 4953 /* 4954 * Remote is authenticator, but his auth proto didn't 4955 * complete yet. Defer the transition to network 4956 * phase. 4957 */ 4958 splx(x); 4959 return; 4960 } 4961 splx(x); 4962 sppp_phase_network(sp); 4963 } 4964 4965 static void 4966 sppp_pap_tld(struct sppp *sp) 4967 { 4968 STDDCL; 4969 4970 KASSERT(SPPP_WLOCKED(sp)); 4971 4972 if (debug) 4973 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname); 4974 callout_stop(&sp->ch[IDX_PAP]); 4975 callout_stop(&sp->pap_my_to_ch); 4976 sp->lcp.protos &= ~(1 << IDX_PAP); 4977 4978 lcp.Close(sp); 4979 } 4980 4981 static void 4982 sppp_pap_scr(struct sppp *sp) 4983 { 4984 u_char idlen, pwdlen; 4985 4986 KASSERT(SPPP_WLOCKED(sp)); 4987 4988 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4989 /* can't do anything useful */ 4990 printf("%s: pap starting without my name and secret being set\n", 4991 sp->pp_if.if_xname); 4992 return; 4993 } 4994 4995 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4996 pwdlen = sp->myauth.secret_len; 4997 idlen = sp->myauth.name_len; 4998 4999 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 5000 sizeof idlen, (const char *)&idlen, 5001 idlen, sp->myauth.name, 5002 sizeof pwdlen, (const char *)&pwdlen, 5003 pwdlen, sp->myauth.secret, 5004 0); 5005 } 5006 5007 /* 5008 * Random miscellaneous functions. 5009 */ 5010 5011 /* 5012 * Send a PAP or CHAP proto packet. 5013 * 5014 * Varadic function, each of the elements for the ellipsis is of type 5015 * ``size_t mlen, const u_char *msg''. Processing will stop iff 5016 * mlen == 0. 5017 * NOTE: never declare variadic functions with types subject to type 5018 * promotion (i.e. u_char). This is asking for big trouble depending 5019 * on the architecture you are on... 5020 */ 5021 5022 static void 5023 sppp_auth_send(const struct cp *cp, struct sppp *sp, 5024 unsigned int type, unsigned int id, 5025 ...) 5026 { 5027 STDDCL; 5028 struct lcp_header *lh; 5029 struct mbuf *m; 5030 u_char *p; 5031 int len; 5032 size_t pkthdrlen; 5033 unsigned int mlen; 5034 const char *msg; 5035 va_list ap; 5036 5037 KASSERT(SPPP_WLOCKED(sp)); 5038 5039 MGETHDR(m, M_DONTWAIT, MT_DATA); 5040 if (! m) 5041 return; 5042 m_reset_rcvif(m); 5043 5044 if (sp->pp_flags & PP_NOFRAMING) { 5045 *mtod(m, uint16_t *) = htons(cp->proto); 5046 pkthdrlen = 2; 5047 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 5048 } else { 5049 struct ppp_header *h; 5050 h = mtod(m, struct ppp_header *); 5051 h->address = PPP_ALLSTATIONS; /* broadcast address */ 5052 h->control = PPP_UI; /* Unnumbered Info */ 5053 h->protocol = htons(cp->proto); 5054 pkthdrlen = PPP_HEADER_LEN; 5055 5056 lh = (struct lcp_header *)(h + 1); 5057 } 5058 5059 lh->type = type; 5060 lh->ident = id; 5061 p = (u_char *)(lh + 1); 5062 5063 va_start(ap, id); 5064 len = 0; 5065 5066 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 5067 msg = va_arg(ap, const char *); 5068 len += mlen; 5069 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 5070 va_end(ap); 5071 m_freem(m); 5072 return; 5073 } 5074 5075 memcpy(p, msg, mlen); 5076 p += mlen; 5077 } 5078 va_end(ap); 5079 5080 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 5081 lh->len = htons(LCP_HEADER_LEN + len); 5082 5083 if (debug) { 5084 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 5085 ifp->if_xname, cp->name, 5086 sppp_auth_type_name(cp->proto, lh->type), 5087 lh->ident, ntohs(lh->len)); 5088 if (len) 5089 sppp_print_bytes((u_char *)(lh + 1), len); 5090 addlog(">\n"); 5091 } 5092 if (IF_QFULL(&sp->pp_cpq)) { 5093 IF_DROP(&sp->pp_fastq); 5094 IF_DROP(&ifp->if_snd); 5095 m_freem(m); 5096 ++ifp->if_oerrors; 5097 return; 5098 } 5099 5100 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 5101 IF_ENQUEUE(&sp->pp_cpq, m); 5102 5103 if (! (ifp->if_flags & IFF_OACTIVE)) { 5104 SPPP_UNLOCK(sp); 5105 if_start_lock(ifp); 5106 SPPP_LOCK(sp, RW_WRITER); 5107 } 5108 } 5109 5110 /* 5111 * Send keepalive packets, every 10 seconds. 5112 */ 5113 static void 5114 sppp_keepalive(void *dummy) 5115 { 5116 struct sppp *sp; 5117 int s; 5118 time_t now; 5119 5120 SPPPQ_LOCK(); 5121 5122 s = splnet(); 5123 now = time_uptime; 5124 for (sp=spppq; sp; sp=sp->pp_next) { 5125 struct ifnet *ifp = NULL; 5126 5127 SPPP_LOCK(sp, RW_WRITER); 5128 ifp = &sp->pp_if; 5129 5130 /* check idle timeout */ 5131 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 5132 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 5133 /* idle timeout is enabled for this interface */ 5134 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 5135 if (ifp->if_flags & IFF_DEBUG) 5136 printf("%s: no activity for %lu seconds\n", 5137 sp->pp_if.if_xname, 5138 (unsigned long)(now-sp->pp_last_activity)); 5139 lcp.Close(sp); 5140 SPPP_UNLOCK(sp); 5141 continue; 5142 } 5143 } 5144 5145 /* Keepalive mode disabled or channel down? */ 5146 if (! (sp->pp_flags & PP_KEEPALIVE) || 5147 ! (ifp->if_flags & IFF_RUNNING)) { 5148 SPPP_UNLOCK(sp); 5149 continue; 5150 } 5151 5152 5153 /* No keepalive in PPP mode if LCP not opened yet. */ 5154 if (! (sp->pp_flags & PP_CISCO) && 5155 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) { 5156 SPPP_UNLOCK(sp); 5157 continue; 5158 } 5159 5160 /* No echo reply, but maybe user data passed through? */ 5161 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) { 5162 sp->pp_alivecnt = 0; 5163 SPPP_UNLOCK(sp); 5164 continue; 5165 } 5166 5167 if (sp->pp_alivecnt >= sp->pp_maxalive) { 5168 /* No keepalive packets got. Stop the interface. */ 5169 SPPP_UNLOCK(sp); 5170 if_down (ifp); 5171 SPPP_LOCK(sp, RW_WRITER); 5172 5173 IF_PURGE(&sp->pp_cpq); 5174 5175 if (! (sp->pp_flags & PP_CISCO)) { 5176 printf("%s: LCP keepalive timed out, going to restart the connection\n", 5177 ifp->if_xname); 5178 sp->pp_alivecnt = 0; 5179 5180 /* we are down, close all open protocols */ 5181 lcp.Close(sp); 5182 5183 /* And now prepare LCP to reestablish the link, if configured to do so. */ 5184 sppp_cp_change_state(&lcp, sp, STATE_STOPPED); 5185 5186 /* Close connection immediately, completition of this 5187 * will summon the magic needed to reestablish it. */ 5188 sppp_notify_tlf_wlocked(sp); 5189 5190 SPPP_UNLOCK(sp); 5191 continue; 5192 } 5193 } 5194 if (sp->pp_alivecnt < sp->pp_maxalive) 5195 ++sp->pp_alivecnt; 5196 if (sp->pp_flags & PP_CISCO) 5197 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 5198 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 5199 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 5200 int32_t nmagic = htonl(sp->lcp.magic); 5201 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 5202 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 5203 sp->lcp.echoid, 4, &nmagic); 5204 } 5205 5206 SPPP_UNLOCK(sp); 5207 } 5208 splx(s); 5209 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 5210 5211 SPPPQ_UNLOCK(); 5212 } 5213 5214 #ifdef INET 5215 /* 5216 * Get both IP addresses. 5217 */ 5218 static void 5219 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 5220 { 5221 struct ifnet *ifp = &sp->pp_if; 5222 struct ifaddr *ifa; 5223 struct sockaddr_in *si, *sm; 5224 uint32_t ssrc, ddst; 5225 int s; 5226 struct psref psref; 5227 5228 sm = NULL; 5229 ssrc = ddst = 0; 5230 /* 5231 * Pick the first AF_INET address from the list, 5232 * aliases don't make any sense on a p2p link anyway. 5233 */ 5234 si = 0; 5235 s = pserialize_read_enter(); 5236 IFADDR_READER_FOREACH(ifa, ifp) { 5237 if (ifa->ifa_addr->sa_family == AF_INET) { 5238 si = (struct sockaddr_in *)ifa->ifa_addr; 5239 sm = (struct sockaddr_in *)ifa->ifa_netmask; 5240 if (si) { 5241 ifa_acquire(ifa, &psref); 5242 break; 5243 } 5244 } 5245 } 5246 pserialize_read_exit(s); 5247 if (ifa) { 5248 if (si && si->sin_addr.s_addr) { 5249 ssrc = si->sin_addr.s_addr; 5250 if (srcmask) 5251 *srcmask = ntohl(sm->sin_addr.s_addr); 5252 } 5253 5254 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 5255 if (si && si->sin_addr.s_addr) 5256 ddst = si->sin_addr.s_addr; 5257 ifa_release(ifa, &psref); 5258 } 5259 5260 if (dst) *dst = ntohl(ddst); 5261 if (src) *src = ntohl(ssrc); 5262 } 5263 5264 /* 5265 * Set IP addresses. Must be called at splnet. 5266 * If an address is 0, leave it the way it is. 5267 */ 5268 static void 5269 sppp_set_ip_addrs_work(struct work *wk, struct sppp *sp) 5270 { 5271 STDDCL; 5272 struct ifaddr *ifa; 5273 struct sockaddr_in *si, *dest; 5274 uint32_t myaddr = 0, hisaddr = 0; 5275 int s; 5276 5277 IFNET_LOCK(ifp); 5278 5279 /* 5280 * Pick the first AF_INET address from the list, 5281 * aliases don't make any sense on a p2p link anyway. 5282 */ 5283 si = dest = NULL; 5284 s = pserialize_read_enter(); 5285 IFADDR_READER_FOREACH(ifa, ifp) { 5286 if (ifa->ifa_addr->sa_family == AF_INET) { 5287 si = (struct sockaddr_in *)ifa->ifa_addr; 5288 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5289 break; 5290 } 5291 } 5292 pserialize_read_exit(s); 5293 5294 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 5295 myaddr = sp->ipcp.req_myaddr; 5296 else if (si != NULL) 5297 myaddr = ntohl(si->sin_addr.s_addr); 5298 5299 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 5300 hisaddr = sp->ipcp.req_hisaddr; 5301 else if (dest != NULL) 5302 hisaddr = ntohl(dest->sin_addr.s_addr); 5303 5304 if (si != NULL && dest != NULL) { 5305 int error; 5306 struct sockaddr_in new_sin = *si; 5307 struct sockaddr_in new_dst = *dest; 5308 5309 if (myaddr != 0) 5310 new_sin.sin_addr.s_addr = htonl(myaddr); 5311 if (hisaddr != 0) { 5312 new_dst.sin_addr.s_addr = htonl(hisaddr); 5313 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) 5314 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 5315 } 5316 5317 in_addrhash_remove(ifatoia(ifa)); 5318 5319 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5320 5321 in_addrhash_insert(ifatoia(ifa)); 5322 5323 if (debug && error) 5324 { 5325 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5326 ifp->if_xname, __func__, error); 5327 } 5328 if (!error) { 5329 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5330 } 5331 } 5332 5333 if (ifp->if_mtu > sp->lcp.their_mru) { 5334 sp->pp_saved_mtu = ifp->if_mtu; 5335 ifp->if_mtu = sp->lcp.their_mru; 5336 if (debug) 5337 log(LOG_DEBUG, 5338 "%s: setting MTU to %" PRIu64 " bytes\n", 5339 ifp->if_xname, ifp->if_mtu); 5340 } 5341 5342 IFNET_UNLOCK(ifp); 5343 5344 sppp_notify_con(sp); 5345 } 5346 5347 static void 5348 sppp_set_ip_addrs(struct sppp *sp) 5349 { 5350 struct ifnet *ifp = &sp->pp_if; 5351 5352 if (!pcq_put(sp->ipcp.update_addrs_q, (void *)IPCP_SET_ADDRS)) { 5353 log(LOG_WARNING, "%s: cannot enqueued, ignore sppp_clear_ip_addrs\n", 5354 ifp->if_xname); 5355 return; 5356 } 5357 5358 if (atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1) == 1) 5359 return; 5360 5361 workqueue_enqueue(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk, NULL); 5362 } 5363 5364 /* 5365 * Clear IP addresses. Must be called at splnet. 5366 */ 5367 static void 5368 sppp_clear_ip_addrs_work(struct work *wk, struct sppp *sp) 5369 { 5370 STDDCL; 5371 struct ifaddr *ifa; 5372 struct sockaddr_in *si, *dest; 5373 int s; 5374 5375 IFNET_LOCK(ifp); 5376 5377 /* 5378 * Pick the first AF_INET address from the list, 5379 * aliases don't make any sense on a p2p link anyway. 5380 */ 5381 si = dest = NULL; 5382 s = pserialize_read_enter(); 5383 IFADDR_READER_FOREACH(ifa, ifp) { 5384 if (ifa->ifa_addr->sa_family == AF_INET) { 5385 si = (struct sockaddr_in *)ifa->ifa_addr; 5386 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5387 break; 5388 } 5389 } 5390 pserialize_read_exit(s); 5391 5392 if (si != NULL) { 5393 struct sockaddr_in new_sin = *si; 5394 struct sockaddr_in new_dst = *dest; 5395 int error; 5396 5397 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 5398 new_sin.sin_addr.s_addr = 0; 5399 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 5400 new_dst.sin_addr.s_addr = sp->ipcp.saved_hisaddr; 5401 5402 in_addrhash_remove(ifatoia(ifa)); 5403 5404 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5405 5406 in_addrhash_insert(ifatoia(ifa)); 5407 5408 if (debug && error) 5409 { 5410 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5411 ifp->if_xname, __func__, error); 5412 } 5413 if (!error) { 5414 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5415 } 5416 } 5417 5418 if (sp->pp_saved_mtu > 0) { 5419 ifp->if_mtu = sp->pp_saved_mtu; 5420 sp->pp_saved_mtu = 0; 5421 if (debug) 5422 log(LOG_DEBUG, 5423 "%s: resetting MTU to %" PRIu64 " bytes\n", 5424 ifp->if_xname, ifp->if_mtu); 5425 } 5426 5427 IFNET_UNLOCK(ifp); 5428 } 5429 5430 static void 5431 sppp_clear_ip_addrs(struct sppp *sp) 5432 { 5433 struct ifnet *ifp = &sp->pp_if; 5434 5435 if (!pcq_put(sp->ipcp.update_addrs_q, (void *)IPCP_CLEAR_ADDRS)) { 5436 log(LOG_WARNING, "%s: cannot enqueued, ignore sppp_clear_ip_addrs\n", 5437 ifp->if_xname); 5438 return; 5439 } 5440 5441 if (atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1) == 1) 5442 return; 5443 5444 workqueue_enqueue(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk, NULL); 5445 } 5446 5447 static void 5448 sppp_update_ip_addrs_work(struct work *wk, void *arg) 5449 { 5450 struct sppp *sp = arg; 5451 void *work; 5452 5453 atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 0); 5454 5455 while ((work = pcq_get(sp->ipcp.update_addrs_q)) != NULL) { 5456 int update = (intptr_t)work; 5457 5458 if (update == IPCP_SET_ADDRS) 5459 sppp_set_ip_addrs_work(wk, sp); 5460 else if (update == IPCP_CLEAR_ADDRS) 5461 sppp_clear_ip_addrs_work(wk, sp); 5462 } 5463 } 5464 #endif 5465 5466 #ifdef INET6 5467 /* 5468 * Get both IPv6 addresses. 5469 */ 5470 static void 5471 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 5472 struct in6_addr *srcmask) 5473 { 5474 struct ifnet *ifp = &sp->pp_if; 5475 struct ifaddr *ifa; 5476 struct sockaddr_in6 *si, *sm; 5477 struct in6_addr ssrc, ddst; 5478 int s; 5479 struct psref psref; 5480 5481 sm = NULL; 5482 memset(&ssrc, 0, sizeof(ssrc)); 5483 memset(&ddst, 0, sizeof(ddst)); 5484 /* 5485 * Pick the first link-local AF_INET6 address from the list, 5486 * aliases don't make any sense on a p2p link anyway. 5487 */ 5488 si = 0; 5489 s = pserialize_read_enter(); 5490 IFADDR_READER_FOREACH(ifa, ifp) { 5491 if (ifa->ifa_addr->sa_family == AF_INET6) { 5492 si = (struct sockaddr_in6 *)ifa->ifa_addr; 5493 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 5494 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) { 5495 ifa_acquire(ifa, &psref); 5496 break; 5497 } 5498 } 5499 } 5500 pserialize_read_exit(s); 5501 5502 if (ifa) { 5503 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 5504 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 5505 if (srcmask) { 5506 memcpy(srcmask, &sm->sin6_addr, 5507 sizeof(*srcmask)); 5508 } 5509 } 5510 5511 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 5512 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 5513 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 5514 ifa_release(ifa, &psref); 5515 } 5516 5517 if (dst) 5518 memcpy(dst, &ddst, sizeof(*dst)); 5519 if (src) 5520 memcpy(src, &ssrc, sizeof(*src)); 5521 } 5522 5523 #ifdef IPV6CP_MYIFID_DYN 5524 /* 5525 * Generate random ifid. 5526 */ 5527 static void 5528 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5529 { 5530 /* TBD */ 5531 } 5532 5533 /* 5534 * Set my IPv6 address. Must be called at splnet. 5535 */ 5536 static void 5537 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5538 { 5539 STDDCL; 5540 struct ifaddr *ifa; 5541 struct sockaddr_in6 *sin6; 5542 int s; 5543 struct psref psref; 5544 5545 IFNET_LOCK(ifp); 5546 5547 /* 5548 * Pick the first link-local AF_INET6 address from the list, 5549 * aliases don't make any sense on a p2p link anyway. 5550 */ 5551 5552 sin6 = NULL; 5553 s = pserialize_read_enter(); 5554 IFADDR_READER_FOREACH(ifa, ifp) 5555 { 5556 if (ifa->ifa_addr->sa_family == AF_INET6) 5557 { 5558 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5559 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) { 5560 ifa_acquire(ifa, &psref); 5561 break; 5562 } 5563 } 5564 } 5565 pserialize_read_exit(s); 5566 5567 if (ifa && sin6) 5568 { 5569 int error; 5570 struct sockaddr_in6 new_sin6 = *sin6; 5571 5572 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 5573 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5574 if (debug && error) 5575 { 5576 log(LOG_DEBUG, "%s: %s: in6_ifinit failed, error=%d\n", 5577 ifp->if_xname, __func__, error); 5578 } 5579 if (!error) { 5580 pfil_run_addrhooks(if_pfil, SIOCAIFADDR_IN6, ifa); 5581 } 5582 ifa_release(ifa, &psref); 5583 } 5584 5585 IFNET_UNLOCK(ifp); 5586 } 5587 #endif 5588 5589 /* 5590 * Suggest a candidate address to be used by peer. 5591 */ 5592 static void 5593 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5594 { 5595 struct in6_addr myaddr; 5596 struct timeval tv; 5597 5598 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5599 5600 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5601 microtime(&tv); 5602 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5603 myaddr.s6_addr[14] ^= 0xff; 5604 myaddr.s6_addr[15] ^= 0xff; 5605 } else { 5606 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5607 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5608 } 5609 if (suggest) 5610 memcpy(suggest, &myaddr, sizeof(myaddr)); 5611 } 5612 #endif /*INET6*/ 5613 5614 /* 5615 * Process ioctl requests specific to the PPP interface. 5616 * Permissions have already been checked. 5617 */ 5618 static int 5619 sppp_params(struct sppp *sp, u_long cmd, void *data) 5620 { 5621 switch (cmd) { 5622 case SPPPGETAUTHCFG: 5623 { 5624 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5625 int error; 5626 size_t len; 5627 5628 SPPP_LOCK(sp, RW_READER); 5629 5630 cfg->myauthflags = sp->myauth.flags; 5631 cfg->hisauthflags = sp->hisauth.flags; 5632 strlcpy(cfg->ifname, sp->pp_if.if_xname, sizeof(cfg->ifname)); 5633 cfg->hisauth = 0; 5634 if (sp->hisauth.proto) 5635 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5636 cfg->myauth = 0; 5637 if (sp->myauth.proto) 5638 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5639 if (cfg->myname_length == 0) { 5640 if (sp->myauth.name != NULL) 5641 cfg->myname_length = sp->myauth.name_len + 1; 5642 } else { 5643 if (sp->myauth.name == NULL) { 5644 cfg->myname_length = 0; 5645 } else { 5646 len = sp->myauth.name_len + 1; 5647 5648 5649 if (cfg->myname_length < len) { 5650 SPPP_UNLOCK(sp); 5651 return (ENAMETOOLONG); 5652 } 5653 error = copyout(sp->myauth.name, cfg->myname, len); 5654 if (error) { 5655 SPPP_UNLOCK(sp); 5656 return error; 5657 } 5658 } 5659 } 5660 if (cfg->hisname_length == 0) { 5661 if (sp->hisauth.name != NULL) 5662 cfg->hisname_length = sp->hisauth.name_len + 1; 5663 } else { 5664 if (sp->hisauth.name == NULL) { 5665 cfg->hisname_length = 0; 5666 } else { 5667 len = sp->hisauth.name_len + 1; 5668 5669 if (cfg->hisname_length < len) { 5670 SPPP_UNLOCK(sp); 5671 return (ENAMETOOLONG); 5672 } 5673 error = copyout(sp->hisauth.name, cfg->hisname, len); 5674 if (error) { 5675 SPPP_UNLOCK(sp); 5676 return error; 5677 } 5678 } 5679 } 5680 SPPP_UNLOCK(sp); 5681 } 5682 break; 5683 case SPPPSETAUTHCFG: 5684 { 5685 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5686 int error; 5687 5688 SPPP_LOCK(sp, RW_WRITER); 5689 5690 if (sp->myauth.name) { 5691 free(sp->myauth.name, M_DEVBUF); 5692 sp->myauth.name = NULL; 5693 } 5694 if (sp->myauth.secret) { 5695 free(sp->myauth.secret, M_DEVBUF); 5696 sp->myauth.secret = NULL; 5697 } 5698 if (sp->hisauth.name) { 5699 free(sp->hisauth.name, M_DEVBUF); 5700 sp->hisauth.name = NULL; 5701 } 5702 if (sp->hisauth.secret) { 5703 free(sp->hisauth.secret, M_DEVBUF); 5704 sp->hisauth.secret = NULL; 5705 } 5706 5707 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 5708 if (cfg->hisname_length >= MCLBYTES) { 5709 SPPP_UNLOCK(sp); 5710 return (ENAMETOOLONG); 5711 } 5712 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 5713 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 5714 if (error) { 5715 free(sp->hisauth.name, M_DEVBUF); 5716 sp->hisauth.name = NULL; 5717 SPPP_UNLOCK(sp); 5718 return error; 5719 } 5720 sp->hisauth.name_len = cfg->hisname_length - 1; 5721 sp->hisauth.name[sp->hisauth.name_len] = 0; 5722 } 5723 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 5724 if (cfg->hissecret_length >= MCLBYTES) { 5725 SPPP_UNLOCK(sp); 5726 return (ENAMETOOLONG); 5727 } 5728 sp->hisauth.secret = malloc(cfg->hissecret_length, 5729 M_DEVBUF, M_WAITOK); 5730 error = copyin(cfg->hissecret, sp->hisauth.secret, 5731 cfg->hissecret_length); 5732 if (error) { 5733 free(sp->hisauth.secret, M_DEVBUF); 5734 sp->hisauth.secret = NULL; 5735 SPPP_UNLOCK(sp); 5736 return error; 5737 } 5738 sp->hisauth.secret_len = cfg->hissecret_length - 1; 5739 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 5740 } 5741 if (cfg->myname != NULL && cfg->myname_length > 0) { 5742 if (cfg->myname_length >= MCLBYTES) { 5743 SPPP_UNLOCK(sp); 5744 return (ENAMETOOLONG); 5745 } 5746 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 5747 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 5748 if (error) { 5749 free(sp->myauth.name, M_DEVBUF); 5750 sp->myauth.name = NULL; 5751 SPPP_UNLOCK(sp); 5752 return error; 5753 } 5754 sp->myauth.name_len = cfg->myname_length - 1; 5755 sp->myauth.name[sp->myauth.name_len] = 0; 5756 } 5757 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 5758 if (cfg->mysecret_length >= MCLBYTES) { 5759 SPPP_UNLOCK(sp); 5760 return (ENAMETOOLONG); 5761 } 5762 sp->myauth.secret = malloc(cfg->mysecret_length, 5763 M_DEVBUF, M_WAITOK); 5764 error = copyin(cfg->mysecret, sp->myauth.secret, 5765 cfg->mysecret_length); 5766 if (error) { 5767 free(sp->myauth.secret, M_DEVBUF); 5768 sp->myauth.secret = NULL; 5769 SPPP_UNLOCK(sp); 5770 return error; 5771 } 5772 sp->myauth.secret_len = cfg->mysecret_length - 1; 5773 sp->myauth.secret[sp->myauth.secret_len] = 0; 5774 } 5775 sp->myauth.flags = cfg->myauthflags; 5776 if (cfg->myauth) 5777 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5778 sp->hisauth.flags = cfg->hisauthflags; 5779 if (cfg->hisauth) 5780 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5781 sp->pp_auth_failures = 0; 5782 if (sp->hisauth.proto != 0) 5783 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 5784 else 5785 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 5786 5787 SPPP_UNLOCK(sp); 5788 } 5789 break; 5790 case SPPPGETLCPCFG: 5791 { 5792 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5793 5794 SPPP_LOCK(sp, RW_READER); 5795 lcpp->lcp_timeout = sp->lcp.timeout; 5796 SPPP_UNLOCK(sp); 5797 } 5798 break; 5799 case SPPPSETLCPCFG: 5800 { 5801 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5802 5803 SPPP_LOCK(sp, RW_WRITER); 5804 sp->lcp.timeout = lcpp->lcp_timeout; 5805 SPPP_UNLOCK(sp); 5806 } 5807 break; 5808 case SPPPGETSTATUS: 5809 { 5810 struct spppstatus *status = (struct spppstatus *)data; 5811 5812 SPPP_LOCK(sp, RW_READER); 5813 status->phase = sp->pp_phase; 5814 SPPP_UNLOCK(sp); 5815 } 5816 break; 5817 case SPPPGETSTATUSNCP: 5818 { 5819 struct spppstatusncp *status = (struct spppstatusncp *)data; 5820 5821 SPPP_LOCK(sp, RW_READER); 5822 status->phase = sp->pp_phase; 5823 status->ncpup = sppp_ncp_check(sp); 5824 SPPP_UNLOCK(sp); 5825 } 5826 break; 5827 case SPPPGETIDLETO: 5828 { 5829 struct spppidletimeout *to = (struct spppidletimeout *)data; 5830 5831 SPPP_LOCK(sp, RW_READER); 5832 to->idle_seconds = sp->pp_idle_timeout; 5833 SPPP_UNLOCK(sp); 5834 } 5835 break; 5836 case SPPPSETIDLETO: 5837 { 5838 struct spppidletimeout *to = (struct spppidletimeout *)data; 5839 5840 SPPP_LOCK(sp, RW_WRITER); 5841 sp->pp_idle_timeout = to->idle_seconds; 5842 SPPP_UNLOCK(sp); 5843 } 5844 break; 5845 case SPPPSETAUTHFAILURE: 5846 { 5847 struct spppauthfailuresettings *afsettings = 5848 (struct spppauthfailuresettings *)data; 5849 5850 SPPP_LOCK(sp, RW_WRITER); 5851 sp->pp_max_auth_fail = afsettings->max_failures; 5852 sp->pp_auth_failures = 0; 5853 SPPP_UNLOCK(sp); 5854 } 5855 break; 5856 case SPPPGETAUTHFAILURES: 5857 { 5858 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 5859 5860 SPPP_LOCK(sp, RW_READER); 5861 stats->auth_failures = sp->pp_auth_failures; 5862 stats->max_failures = sp->pp_max_auth_fail; 5863 SPPP_UNLOCK(sp); 5864 } 5865 break; 5866 case SPPPSETDNSOPTS: 5867 { 5868 struct spppdnssettings *req = (struct spppdnssettings *)data; 5869 5870 SPPP_LOCK(sp, RW_WRITER); 5871 sp->query_dns = req->query_dns & 3; 5872 SPPP_UNLOCK(sp); 5873 } 5874 break; 5875 case SPPPGETDNSOPTS: 5876 { 5877 struct spppdnssettings *req = (struct spppdnssettings *)data; 5878 5879 SPPP_LOCK(sp, RW_READER); 5880 req->query_dns = sp->query_dns; 5881 SPPP_UNLOCK(sp); 5882 } 5883 break; 5884 case SPPPGETDNSADDRS: 5885 { 5886 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 5887 5888 SPPP_LOCK(sp, RW_READER); 5889 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 5890 SPPP_UNLOCK(sp); 5891 } 5892 break; 5893 case SPPPGETKEEPALIVE: 5894 { 5895 struct spppkeepalivesettings *settings = 5896 (struct spppkeepalivesettings*)data; 5897 5898 SPPP_LOCK(sp, RW_READER); 5899 settings->maxalive = sp->pp_maxalive; 5900 settings->max_noreceive = sp->pp_max_noreceive; 5901 SPPP_UNLOCK(sp); 5902 } 5903 break; 5904 case SPPPSETKEEPALIVE: 5905 { 5906 struct spppkeepalivesettings *settings = 5907 (struct spppkeepalivesettings*)data; 5908 5909 SPPP_LOCK(sp, RW_WRITER); 5910 sp->pp_maxalive = settings->maxalive; 5911 sp->pp_max_noreceive = settings->max_noreceive; 5912 SPPP_UNLOCK(sp); 5913 } 5914 break; 5915 default: 5916 { 5917 int ret; 5918 5919 MODULE_HOOK_CALL(sppp_params_50_hook, (sp, cmd, data), 5920 enosys(), ret); 5921 if (ret != ENOSYS) 5922 return ret; 5923 return (EINVAL); 5924 } 5925 } 5926 return (0); 5927 } 5928 5929 static void 5930 sppp_phase_network(struct sppp *sp) 5931 { 5932 int i; 5933 uint32_t mask; 5934 5935 KASSERT(SPPP_WLOCKED(sp)); 5936 5937 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 5938 5939 /* Notify NCPs now. */ 5940 for (i = 0; i < IDX_COUNT; i++) 5941 if ((cps[i])->flags & CP_NCP) 5942 (cps[i])->Open(sp); 5943 5944 /* Send Up events to all NCPs. */ 5945 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5946 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) { 5947 (cps[i])->Up(sp); 5948 } 5949 5950 /* if no NCP is starting, all this was in vain, close down */ 5951 sppp_lcp_check_and_close(sp); 5952 } 5953 5954 5955 static const char * 5956 sppp_cp_type_name(u_char type) 5957 { 5958 static char buf[12]; 5959 switch (type) { 5960 case CONF_REQ: return "conf-req"; 5961 case CONF_ACK: return "conf-ack"; 5962 case CONF_NAK: return "conf-nak"; 5963 case CONF_REJ: return "conf-rej"; 5964 case TERM_REQ: return "term-req"; 5965 case TERM_ACK: return "term-ack"; 5966 case CODE_REJ: return "code-rej"; 5967 case PROTO_REJ: return "proto-rej"; 5968 case ECHO_REQ: return "echo-req"; 5969 case ECHO_REPLY: return "echo-reply"; 5970 case DISC_REQ: return "discard-req"; 5971 } 5972 snprintf(buf, sizeof(buf), "0x%x", type); 5973 return buf; 5974 } 5975 5976 static const char * 5977 sppp_auth_type_name(u_short proto, u_char type) 5978 { 5979 static char buf[32]; 5980 const char *name; 5981 5982 switch (proto) { 5983 case PPP_CHAP: 5984 switch (type) { 5985 case CHAP_CHALLENGE: return "challenge"; 5986 case CHAP_RESPONSE: return "response"; 5987 case CHAP_SUCCESS: return "success"; 5988 case CHAP_FAILURE: return "failure"; 5989 default: name = "chap"; break; 5990 } 5991 break; 5992 5993 case PPP_PAP: 5994 switch (type) { 5995 case PAP_REQ: return "req"; 5996 case PAP_ACK: return "ack"; 5997 case PAP_NAK: return "nak"; 5998 default: name = "pap"; break; 5999 } 6000 break; 6001 6002 default: 6003 name = "bad"; 6004 break; 6005 } 6006 6007 snprintf(buf, sizeof(buf), "%s(%#x) %#x", name, proto, type); 6008 return buf; 6009 } 6010 6011 static const char * 6012 sppp_lcp_opt_name(u_char opt) 6013 { 6014 static char buf[12]; 6015 switch (opt) { 6016 case LCP_OPT_MRU: return "mru"; 6017 case LCP_OPT_ASYNC_MAP: return "async-map"; 6018 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 6019 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 6020 case LCP_OPT_MAGIC: return "magic"; 6021 case LCP_OPT_PROTO_COMP: return "proto-comp"; 6022 case LCP_OPT_ADDR_COMP: return "addr-comp"; 6023 } 6024 snprintf(buf, sizeof(buf), "0x%x", opt); 6025 return buf; 6026 } 6027 6028 static const char * 6029 sppp_ipcp_opt_name(u_char opt) 6030 { 6031 static char buf[12]; 6032 switch (opt) { 6033 case IPCP_OPT_ADDRESSES: return "addresses"; 6034 case IPCP_OPT_COMPRESSION: return "compression"; 6035 case IPCP_OPT_ADDRESS: return "address"; 6036 } 6037 snprintf(buf, sizeof(buf), "0x%x", opt); 6038 return buf; 6039 } 6040 6041 #ifdef INET6 6042 static const char * 6043 sppp_ipv6cp_opt_name(u_char opt) 6044 { 6045 static char buf[12]; 6046 switch (opt) { 6047 case IPV6CP_OPT_IFID: return "ifid"; 6048 case IPV6CP_OPT_COMPRESSION: return "compression"; 6049 } 6050 snprintf(buf, sizeof(buf), "0x%x", opt); 6051 return buf; 6052 } 6053 #endif 6054 6055 static const char * 6056 sppp_state_name(int state) 6057 { 6058 switch (state) { 6059 case STATE_INITIAL: return "initial"; 6060 case STATE_STARTING: return "starting"; 6061 case STATE_CLOSED: return "closed"; 6062 case STATE_STOPPED: return "stopped"; 6063 case STATE_CLOSING: return "closing"; 6064 case STATE_STOPPING: return "stopping"; 6065 case STATE_REQ_SENT: return "req-sent"; 6066 case STATE_ACK_RCVD: return "ack-rcvd"; 6067 case STATE_ACK_SENT: return "ack-sent"; 6068 case STATE_OPENED: return "opened"; 6069 } 6070 return "illegal"; 6071 } 6072 6073 static const char * 6074 sppp_phase_name(int phase) 6075 { 6076 switch (phase) { 6077 case SPPP_PHASE_DEAD: return "dead"; 6078 case SPPP_PHASE_ESTABLISH: return "establish"; 6079 case SPPP_PHASE_TERMINATE: return "terminate"; 6080 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 6081 case SPPP_PHASE_NETWORK: return "network"; 6082 } 6083 return "illegal"; 6084 } 6085 6086 static const char * 6087 sppp_proto_name(u_short proto) 6088 { 6089 static char buf[12]; 6090 switch (proto) { 6091 case PPP_LCP: return "lcp"; 6092 case PPP_IPCP: return "ipcp"; 6093 case PPP_PAP: return "pap"; 6094 case PPP_CHAP: return "chap"; 6095 case PPP_IPV6CP: return "ipv6cp"; 6096 } 6097 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto); 6098 return buf; 6099 } 6100 6101 static void 6102 sppp_print_bytes(const u_char *p, u_short len) 6103 { 6104 addlog(" %02x", *p++); 6105 while (--len > 0) 6106 addlog("-%02x", *p++); 6107 } 6108 6109 static void 6110 sppp_print_string(const char *p, u_short len) 6111 { 6112 u_char c; 6113 6114 while (len-- > 0) { 6115 c = *p++; 6116 /* 6117 * Print only ASCII chars directly. RFC 1994 recommends 6118 * using only them, but we don't rely on it. */ 6119 if (c < ' ' || c > '~') 6120 addlog("\\x%x", c); 6121 else 6122 addlog("%c", c); 6123 } 6124 } 6125 6126 static const char * 6127 sppp_dotted_quad(uint32_t addr) 6128 { 6129 static char s[16]; 6130 snprintf(s, sizeof(s), "%d.%d.%d.%d", 6131 (int)((addr >> 24) & 0xff), 6132 (int)((addr >> 16) & 0xff), 6133 (int)((addr >> 8) & 0xff), 6134 (int)(addr & 0xff)); 6135 return s; 6136 } 6137 6138 /* a dummy, used to drop uninteresting events */ 6139 static void 6140 sppp_null(struct sppp *unused) 6141 { 6142 /* do just nothing */ 6143 } 6144 /* 6145 * This file is large. Tell emacs to highlight it nevertheless. 6146 * 6147 * Local Variables: 6148 * hilit-auto-highlight-maxout: 120000 6149 * End: 6150 */ 6151 6152 /* 6153 * Module glue 6154 */ 6155 MODULE(MODULE_CLASS_MISC, sppp_subr, NULL); 6156 6157 static int 6158 sppp_subr_modcmd(modcmd_t cmd, void *arg) 6159 { 6160 switch (cmd) { 6161 case MODULE_CMD_INIT: 6162 case MODULE_CMD_FINI: 6163 return 0; 6164 case MODULE_CMD_STAT: 6165 case MODULE_CMD_AUTOUNLOAD: 6166 default: 6167 return ENOTTY; 6168 } 6169 } 6170 6171 static void 6172 sppp_notify_up(struct sppp *sp) 6173 { 6174 6175 SPPP_LOCK(sp, RW_WRITER); 6176 lcp.Up(sp); 6177 SPPP_UNLOCK(sp); 6178 } 6179 6180 static void 6181 sppp_notify_down(struct sppp *sp) 6182 { 6183 6184 SPPP_LOCK(sp, RW_WRITER); 6185 lcp.Down(sp); 6186 SPPP_UNLOCK(sp); 6187 } 6188 6189 static void 6190 sppp_notify_tls_wlocked(struct sppp *sp) 6191 { 6192 6193 KASSERT(SPPP_WLOCKED(sp)); 6194 6195 if (!sp->pp_tls) 6196 return; 6197 6198 SPPP_UNLOCK(sp); 6199 sp->pp_tls(sp); 6200 SPPP_LOCK(sp, RW_WRITER); 6201 } 6202 6203 static void 6204 sppp_notify_tlf_wlocked(struct sppp *sp) 6205 { 6206 6207 KASSERT(SPPP_WLOCKED(sp)); 6208 6209 if (!sp->pp_tlf) 6210 return; 6211 6212 SPPP_UNLOCK(sp); 6213 sp->pp_tlf(sp); 6214 SPPP_LOCK(sp, RW_WRITER); 6215 } 6216 6217 static void 6218 sppp_notify_con(struct sppp *sp) 6219 { 6220 6221 if (!sp->pp_con) 6222 return; 6223 6224 sp->pp_con(sp); 6225 } 6226 6227 #ifdef INET6 6228 static void 6229 sppp_notify_con_wlocked(struct sppp *sp) 6230 { 6231 6232 KASSERT(SPPP_WLOCKED(sp)); 6233 6234 SPPP_UNLOCK(sp); 6235 sppp_notify_con(sp); 6236 SPPP_LOCK(sp, RW_WRITER); 6237 6238 } 6239 #endif 6240 6241 static void 6242 sppp_notify_chg_wlocked(struct sppp *sp) 6243 { 6244 6245 KASSERT(SPPP_WLOCKED(sp)); 6246 6247 if (!sp->pp_chg) 6248 return; 6249 6250 SPPP_UNLOCK(sp); 6251 sp->pp_chg(sp, sp->pp_phase); 6252 SPPP_LOCK(sp, RW_WRITER); 6253 } 6254