1 /* $NetBSD: if_spppsubr.c,v 1.184 2019/09/13 07:55:07 msaitoh Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak@cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun@iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.184 2019/09/13 07:55:07 msaitoh Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_modular.h" 49 #include "opt_compat_netbsd.h" 50 #include "opt_net_mpsafe.h" 51 #endif 52 53 54 #include <sys/param.h> 55 #include <sys/proc.h> 56 #include <sys/systm.h> 57 #include <sys/kernel.h> 58 #include <sys/sockio.h> 59 #include <sys/socket.h> 60 #include <sys/syslog.h> 61 #include <sys/malloc.h> 62 #include <sys/mbuf.h> 63 #include <sys/callout.h> 64 #include <sys/md5.h> 65 #include <sys/inttypes.h> 66 #include <sys/kauth.h> 67 #include <sys/cprng.h> 68 #include <sys/module.h> 69 #include <sys/workqueue.h> 70 #include <sys/atomic.h> 71 #include <sys/compat_stub.h> 72 73 #include <net/if.h> 74 #include <net/netisr.h> 75 #include <net/if_types.h> 76 #include <net/route.h> 77 #include <net/ppp_defs.h> 78 79 #include <netinet/in.h> 80 #include <netinet/in_systm.h> 81 #include <netinet/in_var.h> 82 #ifdef INET 83 #include <netinet/ip.h> 84 #include <netinet/tcp.h> 85 #endif 86 #include <net/ethertypes.h> 87 88 #ifdef INET6 89 #include <netinet6/scope6_var.h> 90 #endif 91 92 #include <net/if_sppp.h> 93 #include <net/if_spppvar.h> 94 95 #ifdef NET_MPSAFE 96 #define SPPPSUBR_MPSAFE 1 97 #endif 98 99 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 100 #define LOOPALIVECNT 3 /* loopback detection tries */ 101 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 102 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 103 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 104 105 /* 106 * Interface flags that can be set in an ifconfig command. 107 * 108 * Setting link0 will make the link passive, i.e. it will be marked 109 * as being administrative openable, but won't be opened to begin 110 * with. Incoming calls will be answered, or subsequent calls with 111 * -link1 will cause the administrative open of the LCP layer. 112 * 113 * Setting link1 will cause the link to auto-dial only as packets 114 * arrive to be sent. 115 * 116 * Setting IFF_DEBUG will syslog the option negotiation and state 117 * transitions at level kern.debug. Note: all logs consistently look 118 * like 119 * 120 * <if-name><unit>: <proto-name> <additional info...> 121 * 122 * with <if-name><unit> being something like "bppp0", and <proto-name> 123 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 124 */ 125 126 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 127 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 128 129 #define CONF_REQ 1 /* PPP configure request */ 130 #define CONF_ACK 2 /* PPP configure acknowledge */ 131 #define CONF_NAK 3 /* PPP configure negative ack */ 132 #define CONF_REJ 4 /* PPP configure reject */ 133 #define TERM_REQ 5 /* PPP terminate request */ 134 #define TERM_ACK 6 /* PPP terminate acknowledge */ 135 #define CODE_REJ 7 /* PPP code reject */ 136 #define PROTO_REJ 8 /* PPP protocol reject */ 137 #define ECHO_REQ 9 /* PPP echo request */ 138 #define ECHO_REPLY 10 /* PPP echo reply */ 139 #define DISC_REQ 11 /* PPP discard request */ 140 141 #define LCP_OPT_MRU 1 /* maximum receive unit */ 142 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 143 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 144 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 145 #define LCP_OPT_MAGIC 5 /* magic number */ 146 #define LCP_OPT_RESERVED 6 /* reserved */ 147 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 148 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 149 150 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 151 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 152 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 153 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 154 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 155 156 #define IPCP_UPDATE_LIMIT 8 /* limit of pending IP updating job */ 157 #define IPCP_SET_ADDRS 1 /* marker for IP address setting job */ 158 #define IPCP_CLEAR_ADDRS 2 /* marker for IP address clearing job */ 159 160 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 161 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 162 163 #define PAP_REQ 1 /* PAP name/password request */ 164 #define PAP_ACK 2 /* PAP acknowledge */ 165 #define PAP_NAK 3 /* PAP fail */ 166 167 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 168 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 169 #define CHAP_SUCCESS 3 /* CHAP response ok */ 170 #define CHAP_FAILURE 4 /* CHAP response failed */ 171 172 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 173 174 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 175 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 176 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 177 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 178 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 179 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 180 181 /* states are named and numbered according to RFC 1661 */ 182 #define STATE_INITIAL 0 183 #define STATE_STARTING 1 184 #define STATE_CLOSED 2 185 #define STATE_STOPPED 3 186 #define STATE_CLOSING 4 187 #define STATE_STOPPING 5 188 #define STATE_REQ_SENT 6 189 #define STATE_ACK_RCVD 7 190 #define STATE_ACK_SENT 8 191 #define STATE_OPENED 9 192 193 struct ppp_header { 194 uint8_t address; 195 uint8_t control; 196 uint16_t protocol; 197 } __packed; 198 #define PPP_HEADER_LEN sizeof (struct ppp_header) 199 200 struct lcp_header { 201 uint8_t type; 202 uint8_t ident; 203 uint16_t len; 204 } __packed; 205 #define LCP_HEADER_LEN sizeof (struct lcp_header) 206 207 struct cisco_packet { 208 uint32_t type; 209 uint32_t par1; 210 uint32_t par2; 211 uint16_t rel; 212 uint16_t time0; 213 uint16_t time1; 214 } __packed; 215 #define CISCO_PACKET_LEN 18 216 217 /* 218 * We follow the spelling and capitalization of RFC 1661 here, to make 219 * it easier comparing with the standard. Please refer to this RFC in 220 * case you can't make sense out of these abbreviation; it will also 221 * explain the semantics related to the various events and actions. 222 */ 223 struct cp { 224 u_short proto; /* PPP control protocol number */ 225 u_char protoidx; /* index into state table in struct sppp */ 226 u_char flags; 227 #define CP_LCP 0x01 /* this is the LCP */ 228 #define CP_AUTH 0x02 /* this is an authentication protocol */ 229 #define CP_NCP 0x04 /* this is a NCP */ 230 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 231 const char *name; /* name of this control protocol */ 232 /* event handlers */ 233 void (*Up)(struct sppp *sp); 234 void (*Down)(struct sppp *sp); 235 void (*Open)(struct sppp *sp); 236 void (*Close)(struct sppp *sp); 237 void (*TO)(void *sp); 238 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 239 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 240 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 241 /* actions */ 242 void (*tlu)(struct sppp *sp); 243 void (*tld)(struct sppp *sp); 244 void (*tls)(struct sppp *sp); 245 void (*tlf)(struct sppp *sp); 246 void (*scr)(struct sppp *sp); 247 }; 248 249 static struct sppp *spppq; 250 static kmutex_t *spppq_lock = NULL; 251 static callout_t keepalive_ch; 252 253 #define SPPPQ_LOCK() if (spppq_lock) \ 254 mutex_enter(spppq_lock); 255 #define SPPPQ_UNLOCK() if (spppq_lock) \ 256 mutex_exit(spppq_lock); 257 258 #define SPPP_LOCK(_sp, _op) rw_enter(&(_sp)->pp_lock, (_op)) 259 #define SPPP_UNLOCK(_sp) rw_exit(&(_sp)->pp_lock) 260 #define SPPP_WLOCKED(_sp) rw_write_held(&(_sp)->pp_lock) 261 #define SPPP_UPGRADE(_sp) do{ \ 262 SPPP_UNLOCK(_sp); \ 263 SPPP_LOCK(_sp, RW_WRITER); \ 264 }while (0) 265 #define SPPP_DOWNGRADE(_sp) rw_downgrade(&(_sp)->pp_lock) 266 267 #ifdef INET 268 #ifndef SPPPSUBR_MPSAFE 269 /* 270 * The following disgusting hack gets around the problem that IP TOS 271 * can't be set yet. We want to put "interactive" traffic on a high 272 * priority queue. To decide if traffic is interactive, we check that 273 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 274 * 275 * XXX is this really still necessary? - joerg - 276 */ 277 static u_short interactive_ports[8] = { 278 0, 513, 0, 0, 279 0, 21, 0, 23, 280 }; 281 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 282 #endif /* SPPPSUBR_MPSAFE */ 283 #endif 284 285 /* almost every function needs these */ 286 #define STDDCL \ 287 struct ifnet *ifp = &sp->pp_if; \ 288 int debug = ifp->if_flags & IFF_DEBUG 289 290 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 291 const struct sockaddr *dst, const struct rtentry *rt); 292 293 static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2); 294 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 295 296 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 297 struct mbuf *m); 298 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 299 u_char ident, u_short len, void *data); 300 /* static void sppp_cp_timeout(void *arg); */ 301 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 302 int newstate); 303 static void sppp_auth_send(const struct cp *cp, 304 struct sppp *sp, unsigned int type, unsigned int id, 305 ...); 306 307 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 308 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 309 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 310 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 311 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 312 313 static void sppp_null(struct sppp *sp); 314 315 static void sppp_lcp_init(struct sppp *sp); 316 static void sppp_lcp_up(struct sppp *sp); 317 static void sppp_lcp_down(struct sppp *sp); 318 static void sppp_lcp_open(struct sppp *sp); 319 static void sppp_lcp_close(struct sppp *sp); 320 static void sppp_lcp_TO(void *sp); 321 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 322 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 323 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 324 static void sppp_lcp_tlu(struct sppp *sp); 325 static void sppp_lcp_tld(struct sppp *sp); 326 static void sppp_lcp_tls(struct sppp *sp); 327 static void sppp_lcp_tlf(struct sppp *sp); 328 static void sppp_lcp_scr(struct sppp *sp); 329 static void sppp_lcp_check_and_close(struct sppp *sp); 330 static int sppp_ncp_check(struct sppp *sp); 331 332 static void sppp_ipcp_init(struct sppp *sp); 333 static void sppp_ipcp_up(struct sppp *sp); 334 static void sppp_ipcp_down(struct sppp *sp); 335 static void sppp_ipcp_open(struct sppp *sp); 336 static void sppp_ipcp_close(struct sppp *sp); 337 static void sppp_ipcp_TO(void *sp); 338 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 339 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 340 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 341 static void sppp_ipcp_tlu(struct sppp *sp); 342 static void sppp_ipcp_tld(struct sppp *sp); 343 static void sppp_ipcp_tls(struct sppp *sp); 344 static void sppp_ipcp_tlf(struct sppp *sp); 345 static void sppp_ipcp_scr(struct sppp *sp); 346 347 static void sppp_ipv6cp_init(struct sppp *sp); 348 static void sppp_ipv6cp_up(struct sppp *sp); 349 static void sppp_ipv6cp_down(struct sppp *sp); 350 static void sppp_ipv6cp_open(struct sppp *sp); 351 static void sppp_ipv6cp_close(struct sppp *sp); 352 static void sppp_ipv6cp_TO(void *sp); 353 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 354 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 355 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 356 static void sppp_ipv6cp_tlu(struct sppp *sp); 357 static void sppp_ipv6cp_tld(struct sppp *sp); 358 static void sppp_ipv6cp_tls(struct sppp *sp); 359 static void sppp_ipv6cp_tlf(struct sppp *sp); 360 static void sppp_ipv6cp_scr(struct sppp *sp); 361 362 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 363 static void sppp_pap_init(struct sppp *sp); 364 static void sppp_pap_open(struct sppp *sp); 365 static void sppp_pap_close(struct sppp *sp); 366 static void sppp_pap_TO(void *sp); 367 static void sppp_pap_my_TO(void *sp); 368 static void sppp_pap_tlu(struct sppp *sp); 369 static void sppp_pap_tld(struct sppp *sp); 370 static void sppp_pap_scr(struct sppp *sp); 371 372 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 373 static void sppp_chap_init(struct sppp *sp); 374 static void sppp_chap_open(struct sppp *sp); 375 static void sppp_chap_close(struct sppp *sp); 376 static void sppp_chap_TO(void *sp); 377 static void sppp_chap_tlu(struct sppp *sp); 378 static void sppp_chap_tld(struct sppp *sp); 379 static void sppp_chap_scr(struct sppp *sp); 380 381 static const char *sppp_auth_type_name(u_short proto, u_char type); 382 static const char *sppp_cp_type_name(u_char type); 383 static const char *sppp_dotted_quad(uint32_t addr); 384 static const char *sppp_ipcp_opt_name(u_char opt); 385 #ifdef INET6 386 static const char *sppp_ipv6cp_opt_name(u_char opt); 387 #endif 388 static const char *sppp_lcp_opt_name(u_char opt); 389 static const char *sppp_phase_name(int phase); 390 static const char *sppp_proto_name(u_short proto); 391 static const char *sppp_state_name(int state); 392 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 393 #ifdef INET 394 static void sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, 395 uint32_t *srcmask); 396 static void sppp_set_ip_addrs_work(struct work *wk, struct sppp *sp); 397 static void sppp_set_ip_addrs(struct sppp *sp); 398 static void sppp_clear_ip_addrs_work(struct work *wk, struct sppp *sp); 399 static void sppp_clear_ip_addrs(struct sppp *sp); 400 static void sppp_update_ip_addrs_work(struct work *wk, void *arg); 401 #endif 402 static void sppp_keepalive(void *dummy); 403 static void sppp_phase_network(struct sppp *sp); 404 static void sppp_print_bytes(const u_char *p, u_short len); 405 static void sppp_print_string(const char *p, u_short len); 406 #ifdef INET6 407 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 408 struct in6_addr *dst, struct in6_addr *srcmask); 409 #ifdef IPV6CP_MYIFID_DYN 410 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 411 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 412 #endif 413 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 414 #endif 415 416 static void sppp_notify_up(struct sppp *); 417 static void sppp_notify_down(struct sppp *); 418 static void sppp_notify_tls_wlocked(struct sppp *); 419 static void sppp_notify_tlf_wlocked(struct sppp *); 420 #ifdef INET6 421 static void sppp_notify_con_wlocked(struct sppp *); 422 #endif 423 static void sppp_notify_con(struct sppp *); 424 425 static void sppp_notify_chg_wlocked(struct sppp *); 426 427 428 /* our control protocol descriptors */ 429 static const struct cp lcp = { 430 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 431 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 432 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 433 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 434 sppp_lcp_scr 435 }; 436 437 static const struct cp ipcp = { 438 PPP_IPCP, IDX_IPCP, 439 #ifdef INET 440 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 441 #else 442 0, 443 #endif 444 "ipcp", 445 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 446 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 447 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 448 sppp_ipcp_scr 449 }; 450 451 static const struct cp ipv6cp = { 452 PPP_IPV6CP, IDX_IPV6CP, 453 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 454 CP_NCP, 455 #else 456 0, 457 #endif 458 "ipv6cp", 459 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 460 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 461 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 462 sppp_ipv6cp_scr 463 }; 464 465 static const struct cp pap = { 466 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 467 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 468 sppp_pap_TO, 0, 0, 0, 469 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 470 sppp_pap_scr 471 }; 472 473 static const struct cp chap = { 474 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 475 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 476 sppp_chap_TO, 0, 0, 0, 477 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 478 sppp_chap_scr 479 }; 480 481 static const struct cp *cps[IDX_COUNT] = { 482 &lcp, /* IDX_LCP */ 483 &ipcp, /* IDX_IPCP */ 484 &ipv6cp, /* IDX_IPV6CP */ 485 &pap, /* IDX_PAP */ 486 &chap, /* IDX_CHAP */ 487 }; 488 489 static void 490 sppp_change_phase(struct sppp *sp, int phase) 491 { 492 STDDCL; 493 494 KASSERT(SPPP_WLOCKED(sp)); 495 496 if (sp->pp_phase == phase) 497 return; 498 499 sp->pp_phase = phase; 500 501 if (phase == SPPP_PHASE_NETWORK) 502 if_link_state_change(ifp, LINK_STATE_UP); 503 else 504 if_link_state_change(ifp, LINK_STATE_DOWN); 505 506 if (debug) 507 { 508 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 509 sppp_phase_name(sp->pp_phase)); 510 } 511 } 512 513 /* 514 * Exported functions, comprising our interface to the lower layer. 515 */ 516 517 /* 518 * Process the received packet. 519 */ 520 void 521 sppp_input(struct ifnet *ifp, struct mbuf *m) 522 { 523 struct ppp_header *h = NULL; 524 pktqueue_t *pktq = NULL; 525 struct ifqueue *inq = NULL; 526 uint16_t protocol; 527 struct sppp *sp = (struct sppp *)ifp; 528 int debug = ifp->if_flags & IFF_DEBUG; 529 int isr = 0; 530 531 SPPP_LOCK(sp, RW_READER); 532 533 if (ifp->if_flags & IFF_UP) { 534 /* Count received bytes, add hardware framing */ 535 ifp->if_ibytes += m->m_pkthdr.len + sp->pp_framebytes; 536 /* Note time of last receive */ 537 sp->pp_last_receive = time_uptime; 538 } 539 540 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 541 /* Too small packet, drop it. */ 542 if (debug) 543 log(LOG_DEBUG, 544 "%s: input packet is too small, %d bytes\n", 545 ifp->if_xname, m->m_pkthdr.len); 546 drop: 547 ++ifp->if_ierrors; 548 ++ifp->if_iqdrops; 549 m_freem(m); 550 SPPP_UNLOCK(sp); 551 return; 552 } 553 554 if (sp->pp_flags & PP_NOFRAMING) { 555 memcpy(&protocol, mtod(m, void *), 2); 556 protocol = ntohs(protocol); 557 m_adj(m, 2); 558 } else { 559 560 /* Get PPP header. */ 561 h = mtod(m, struct ppp_header *); 562 m_adj(m, PPP_HEADER_LEN); 563 564 switch (h->address) { 565 case PPP_ALLSTATIONS: 566 if (h->control != PPP_UI) 567 goto invalid; 568 if (sp->pp_flags & PP_CISCO) { 569 if (debug) 570 log(LOG_DEBUG, 571 "%s: PPP packet in Cisco mode " 572 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 573 ifp->if_xname, 574 h->address, h->control, ntohs(h->protocol)); 575 goto drop; 576 } 577 break; 578 case CISCO_MULTICAST: 579 case CISCO_UNICAST: 580 /* Don't check the control field here (RFC 1547). */ 581 if (! (sp->pp_flags & PP_CISCO)) { 582 if (debug) 583 log(LOG_DEBUG, 584 "%s: Cisco packet in PPP mode " 585 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 586 ifp->if_xname, 587 h->address, h->control, ntohs(h->protocol)); 588 goto drop; 589 } 590 switch (ntohs(h->protocol)) { 591 default: 592 ++ifp->if_noproto; 593 goto invalid; 594 case CISCO_KEEPALIVE: 595 SPPP_UNLOCK(sp); 596 sppp_cisco_input((struct sppp *) ifp, m); 597 m_freem(m); 598 return; 599 #ifdef INET 600 case ETHERTYPE_IP: 601 pktq = ip_pktq; 602 break; 603 #endif 604 #ifdef INET6 605 case ETHERTYPE_IPV6: 606 pktq = ip6_pktq; 607 break; 608 #endif 609 } 610 goto queue_pkt; 611 default: /* Invalid PPP packet. */ 612 invalid: 613 if (debug) 614 log(LOG_DEBUG, 615 "%s: invalid input packet " 616 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 617 ifp->if_xname, 618 h->address, h->control, ntohs(h->protocol)); 619 goto drop; 620 } 621 protocol = ntohs(h->protocol); 622 } 623 624 switch (protocol) { 625 default: 626 if (sp->state[IDX_LCP] == STATE_OPENED) { 627 uint16_t prot = htons(protocol); 628 629 SPPP_UPGRADE(sp); 630 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 631 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 632 &prot); 633 SPPP_DOWNGRADE(sp); 634 } 635 if (debug) 636 log(LOG_DEBUG, 637 "%s: invalid input protocol " 638 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol)); 639 ++ifp->if_noproto; 640 goto drop; 641 case PPP_LCP: 642 SPPP_UNLOCK(sp); 643 sppp_cp_input(&lcp, sp, m); 644 m_freem(m); 645 return; 646 case PPP_PAP: 647 SPPP_UNLOCK(sp); 648 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 649 sppp_pap_input(sp, m); 650 } 651 m_freem(m); 652 return; 653 case PPP_CHAP: 654 SPPP_UNLOCK(sp); 655 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 656 sppp_chap_input(sp, m); 657 } 658 m_freem(m); 659 return; 660 #ifdef INET 661 case PPP_IPCP: 662 SPPP_UNLOCK(sp); 663 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 664 sppp_cp_input(&ipcp, sp, m); 665 } 666 m_freem(m); 667 return; 668 case PPP_IP: 669 if (sp->state[IDX_IPCP] == STATE_OPENED) { 670 sp->pp_last_activity = time_uptime; 671 pktq = ip_pktq; 672 } 673 break; 674 #endif 675 #ifdef INET6 676 case PPP_IPV6CP: 677 SPPP_UNLOCK(sp); 678 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 679 sppp_cp_input(&ipv6cp, sp, m); 680 } 681 m_freem(m); 682 return; 683 684 case PPP_IPV6: 685 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 686 sp->pp_last_activity = time_uptime; 687 pktq = ip6_pktq; 688 } 689 break; 690 #endif 691 } 692 693 queue_pkt: 694 if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) { 695 goto drop; 696 } 697 698 /* Check queue. */ 699 if (__predict_true(pktq)) { 700 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 701 goto drop; 702 } 703 SPPP_UNLOCK(sp); 704 return; 705 } 706 707 SPPP_UNLOCK(sp); 708 709 IFQ_LOCK(inq); 710 if (IF_QFULL(inq)) { 711 /* Queue overflow. */ 712 IF_DROP(inq); 713 IFQ_UNLOCK(inq); 714 if (debug) 715 log(LOG_DEBUG, "%s: protocol queue overflow\n", 716 ifp->if_xname); 717 718 SPPP_LOCK(sp, RW_READER); 719 goto drop; 720 } 721 IF_ENQUEUE(inq, m); 722 IFQ_UNLOCK(inq); 723 schednetisr(isr); 724 } 725 726 /* 727 * Enqueue transmit packet. 728 */ 729 static int 730 sppp_output(struct ifnet *ifp, struct mbuf *m, 731 const struct sockaddr *dst, const struct rtentry *rt) 732 { 733 struct sppp *sp = (struct sppp *) ifp; 734 struct ppp_header *h = NULL; 735 #ifndef SPPPSUBR_MPSAFE 736 struct ifqueue *ifq = NULL; /* XXX */ 737 #endif 738 int s, error = 0; 739 uint16_t protocol; 740 size_t pktlen; 741 742 s = splnet(); 743 SPPP_LOCK(sp, RW_READER); 744 745 sp->pp_last_activity = time_uptime; 746 747 if ((ifp->if_flags & IFF_UP) == 0 || 748 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 749 SPPP_UNLOCK(sp); 750 splx(s); 751 752 m_freem(m); 753 754 return (ENETDOWN); 755 } 756 757 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 758 /* 759 * Interface is not yet running, but auto-dial. Need 760 * to start LCP for it. 761 */ 762 ifp->if_flags |= IFF_RUNNING; 763 764 SPPP_UNLOCK(sp); 765 splx(s); 766 767 SPPP_LOCK(sp, RW_WRITER); 768 lcp.Open(sp); 769 SPPP_UNLOCK(sp); 770 771 s = splnet(); 772 SPPP_LOCK(sp, RW_READER); 773 } 774 775 /* 776 * If the queueing discipline needs packet classification, 777 * do it before prepending link headers. 778 */ 779 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family); 780 781 #ifdef INET 782 if (dst->sa_family == AF_INET) { 783 struct ip *ip = NULL; 784 #ifndef SPPPSUBR_MPSAFE 785 struct tcphdr *th = NULL; 786 #endif 787 788 if (m->m_len >= sizeof(struct ip)) { 789 ip = mtod(m, struct ip *); 790 #ifndef SPPPSUBR_MPSAFE 791 if (ip->ip_p == IPPROTO_TCP && 792 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 793 sizeof(struct tcphdr)) { 794 th = (struct tcphdr *) 795 ((char *)ip + (ip->ip_hl << 2)); 796 } 797 #endif 798 } else 799 ip = NULL; 800 801 /* 802 * When using dynamic local IP address assignment by using 803 * 0.0.0.0 as a local address, the first TCP session will 804 * not connect because the local TCP checksum is computed 805 * using 0.0.0.0 which will later become our real IP address 806 * so the TCP checksum computed at the remote end will 807 * become invalid. So we 808 * - don't let packets with src ip addr 0 thru 809 * - we flag TCP packets with src ip 0 as an error 810 */ 811 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 812 uint8_t proto = ip->ip_p; 813 814 SPPP_UNLOCK(sp); 815 splx(s); 816 817 m_freem(m); 818 if (proto == IPPROTO_TCP) 819 return (EADDRNOTAVAIL); 820 else 821 return (0); 822 } 823 824 #ifndef SPPPSUBR_MPSAFE 825 /* 826 * Put low delay, telnet, rlogin and ftp control packets 827 * in front of the queue. 828 */ 829 if (!IF_QFULL(&sp->pp_fastq) && 830 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 831 (th && (INTERACTIVE(ntohs(th->th_sport)) || 832 INTERACTIVE(ntohs(th->th_dport)))))) 833 ifq = &sp->pp_fastq; 834 #endif /* !SPPPSUBR_MPSAFE */ 835 } 836 #endif 837 838 #ifdef INET6 839 if (dst->sa_family == AF_INET6) { 840 /* XXX do something tricky here? */ 841 } 842 #endif 843 844 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 845 /* 846 * Prepend general data packet PPP header. For now, IP only. 847 */ 848 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 849 if (! m) { 850 if (ifp->if_flags & IFF_DEBUG) 851 log(LOG_DEBUG, "%s: no memory for transmit header\n", 852 ifp->if_xname); 853 ++ifp->if_oerrors; 854 SPPP_UNLOCK(sp); 855 splx(s); 856 return (ENOBUFS); 857 } 858 /* 859 * May want to check size of packet 860 * (albeit due to the implementation it's always enough) 861 */ 862 h = mtod(m, struct ppp_header *); 863 if (sp->pp_flags & PP_CISCO) { 864 h->address = CISCO_UNICAST; /* unicast address */ 865 h->control = 0; 866 } else { 867 h->address = PPP_ALLSTATIONS; /* broadcast address */ 868 h->control = PPP_UI; /* Unnumbered Info */ 869 } 870 } 871 872 switch (dst->sa_family) { 873 #ifdef INET 874 case AF_INET: /* Internet Protocol */ 875 if (sp->pp_flags & PP_CISCO) 876 protocol = htons(ETHERTYPE_IP); 877 else { 878 /* 879 * Don't choke with an ENETDOWN early. It's 880 * possible that we just started dialing out, 881 * so don't drop the packet immediately. If 882 * we notice that we run out of buffer space 883 * below, we will however remember that we are 884 * not ready to carry IP packets, and return 885 * ENETDOWN, as opposed to ENOBUFS. 886 */ 887 protocol = htons(PPP_IP); 888 if (sp->state[IDX_IPCP] != STATE_OPENED) 889 error = ENETDOWN; 890 } 891 break; 892 #endif 893 #ifdef INET6 894 case AF_INET6: /* Internet Protocol version 6 */ 895 if (sp->pp_flags & PP_CISCO) 896 protocol = htons(ETHERTYPE_IPV6); 897 else { 898 /* 899 * Don't choke with an ENETDOWN early. It's 900 * possible that we just started dialing out, 901 * so don't drop the packet immediately. If 902 * we notice that we run out of buffer space 903 * below, we will however remember that we are 904 * not ready to carry IP packets, and return 905 * ENETDOWN, as opposed to ENOBUFS. 906 */ 907 protocol = htons(PPP_IPV6); 908 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 909 error = ENETDOWN; 910 } 911 break; 912 #endif 913 default: 914 m_freem(m); 915 ++ifp->if_oerrors; 916 SPPP_UNLOCK(sp); 917 splx(s); 918 return (EAFNOSUPPORT); 919 } 920 921 if (sp->pp_flags & PP_NOFRAMING) { 922 M_PREPEND(m, 2, M_DONTWAIT); 923 if (m == NULL) { 924 if (ifp->if_flags & IFF_DEBUG) 925 log(LOG_DEBUG, "%s: no memory for transmit header\n", 926 ifp->if_xname); 927 ++ifp->if_oerrors; 928 SPPP_UNLOCK(sp); 929 splx(s); 930 return (ENOBUFS); 931 } 932 *mtod(m, uint16_t *) = protocol; 933 } else { 934 h->protocol = protocol; 935 } 936 937 pktlen = m->m_pkthdr.len; 938 #ifdef SPPPSUBR_MPSAFE 939 SPPP_UNLOCK(sp); 940 error = if_transmit_lock(ifp, m); 941 SPPP_LOCK(sp, RW_READER); 942 if (error == 0) 943 ifp->if_obytes += pktlen + sp->pp_framebytes; 944 #else /* !SPPPSUBR_MPSAFE */ 945 error = ifq_enqueue2(ifp, ifq, m); 946 947 if (error == 0) { 948 /* 949 * Count output packets and bytes. 950 * The packet length includes header + additional hardware 951 * framing according to RFC 1333. 952 */ 953 if (!(ifp->if_flags & IFF_OACTIVE)) { 954 SPPP_UNLOCK(sp); 955 if_start_lock(ifp); 956 SPPP_LOCK(sp, RW_READER); 957 } 958 ifp->if_obytes += pktlen + sp->pp_framebytes; 959 } 960 #endif /* !SPPPSUBR_MPSAFE */ 961 SPPP_UNLOCK(sp); 962 splx(s); 963 return error; 964 } 965 966 static int 967 sppp_mediachange(struct ifnet *ifp) 968 { 969 970 return (0); 971 } 972 973 static void 974 sppp_mediastatus(struct ifnet *ifp, struct ifmediareq *imr) 975 { 976 struct sppp *sp = (struct sppp *)ifp; 977 978 SPPP_LOCK(sp, RW_WRITER); 979 980 switch (ifp->if_link_state) { 981 case LINK_STATE_UP: 982 imr->ifm_status = IFM_AVALID | IFM_ACTIVE; 983 break; 984 case LINK_STATE_DOWN: 985 imr->ifm_status = IFM_AVALID; 986 break; 987 default: 988 /* Should be impossible as we set link state down in attach. */ 989 imr->ifm_status = 0; 990 break; 991 } 992 993 SPPP_UNLOCK(sp); 994 } 995 996 void 997 sppp_attach(struct ifnet *ifp) 998 { 999 struct sppp *sp = (struct sppp *) ifp; 1000 1001 /* Initialize keepalive handler. */ 1002 if (! spppq) { 1003 callout_init(&keepalive_ch, CALLOUT_MPSAFE); 1004 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 1005 } 1006 1007 if (! spppq_lock) 1008 spppq_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_SOFTNET); 1009 1010 /* Insert new entry into the keepalive list. */ 1011 sp->pp_next = spppq; 1012 spppq = sp; 1013 1014 sp->pp_if.if_type = IFT_PPP; 1015 sp->pp_if.if_output = sppp_output; 1016 sp->pp_fastq.ifq_maxlen = 32; 1017 sp->pp_cpq.ifq_maxlen = 20; 1018 sp->pp_loopcnt = 0; 1019 sp->pp_alivecnt = 0; 1020 sp->pp_last_activity = 0; 1021 sp->pp_last_receive = 0; 1022 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 1023 sp->pp_max_noreceive = DEFAULT_NORECV_TIME; 1024 sp->pp_idle_timeout = 0; 1025 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq)); 1026 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq)); 1027 sp->pp_auth_failures = 0; 1028 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 1029 sp->pp_phase = SPPP_PHASE_DEAD; 1030 sp->pp_up = sppp_notify_up; 1031 sp->pp_down = sppp_notify_down; 1032 rw_init(&sp->pp_lock); 1033 1034 if_alloc_sadl(ifp); 1035 1036 /* Lets not beat about the bush, we know we're down. */ 1037 ifp->if_link_state = LINK_STATE_DOWN; 1038 /* There is no media for PPP, but it's needed to report link status. */ 1039 ifmedia_init(&sp->pp_im, 0, sppp_mediachange, sppp_mediastatus); 1040 1041 memset(&sp->myauth, 0, sizeof sp->myauth); 1042 memset(&sp->hisauth, 0, sizeof sp->hisauth); 1043 SPPP_LOCK(sp, RW_WRITER); 1044 sppp_lcp_init(sp); 1045 sppp_ipcp_init(sp); 1046 sppp_ipv6cp_init(sp); 1047 sppp_pap_init(sp); 1048 sppp_chap_init(sp); 1049 SPPP_UNLOCK(sp); 1050 } 1051 1052 void 1053 sppp_detach(struct ifnet *ifp) 1054 { 1055 struct sppp **q, *p, *sp = (struct sppp *) ifp; 1056 1057 /* Remove the entry from the keepalive list. */ 1058 SPPPQ_LOCK(); 1059 for (q = &spppq; (p = *q); q = &p->pp_next) 1060 if (p == sp) { 1061 *q = p->pp_next; 1062 break; 1063 } 1064 SPPPQ_UNLOCK(); 1065 1066 if (! spppq) { 1067 /* Stop keepalive handler. */ 1068 callout_stop(&keepalive_ch); 1069 mutex_obj_free(spppq_lock); 1070 spppq_lock = NULL; 1071 } 1072 1073 SPPP_LOCK(sp, RW_WRITER); 1074 1075 /* to avoid workqueue enqueued */ 1076 atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1); 1077 workqueue_wait(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk); 1078 workqueue_destroy(sp->ipcp.update_addrs_wq); 1079 pcq_destroy(sp->ipcp.update_addrs_q); 1080 1081 callout_stop(&sp->ch[IDX_LCP]); 1082 callout_stop(&sp->ch[IDX_IPCP]); 1083 callout_stop(&sp->ch[IDX_PAP]); 1084 callout_stop(&sp->ch[IDX_CHAP]); 1085 #ifdef INET6 1086 callout_stop(&sp->ch[IDX_IPV6CP]); 1087 #endif 1088 callout_stop(&sp->pap_my_to_ch); 1089 1090 /* free authentication info */ 1091 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 1092 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 1093 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 1094 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 1095 SPPP_UNLOCK(sp); 1096 rw_destroy(&sp->pp_lock); 1097 1098 /* Safety - shouldn't be needed as there is no media to set. */ 1099 ifmedia_delete_instance(&sp->pp_im, IFM_INST_ANY); 1100 } 1101 1102 /* 1103 * Flush the interface output queue. 1104 */ 1105 void 1106 sppp_flush(struct ifnet *ifp) 1107 { 1108 struct sppp *sp = (struct sppp *) ifp; 1109 1110 SPPP_LOCK(sp, RW_WRITER); 1111 IFQ_PURGE(&sp->pp_if.if_snd); 1112 IF_PURGE(&sp->pp_fastq); 1113 IF_PURGE(&sp->pp_cpq); 1114 SPPP_UNLOCK(sp); 1115 } 1116 1117 /* 1118 * Check if the output queue is empty. 1119 */ 1120 int 1121 sppp_isempty(struct ifnet *ifp) 1122 { 1123 struct sppp *sp = (struct sppp *) ifp; 1124 int empty, s; 1125 1126 s = splnet(); 1127 SPPP_LOCK(sp, RW_READER); 1128 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 1129 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 1130 SPPP_UNLOCK(sp); 1131 splx(s); 1132 return (empty); 1133 } 1134 1135 /* 1136 * Get next packet to send. 1137 */ 1138 struct mbuf * 1139 sppp_dequeue(struct ifnet *ifp) 1140 { 1141 struct sppp *sp = (struct sppp *) ifp; 1142 struct mbuf *m; 1143 int s; 1144 1145 s = splnet(); 1146 SPPP_LOCK(sp, RW_WRITER); 1147 /* 1148 * Process only the control protocol queue until we have at 1149 * least one NCP open. 1150 * 1151 * Do always serve all three queues in Cisco mode. 1152 */ 1153 IF_DEQUEUE(&sp->pp_cpq, m); 1154 if (m == NULL && 1155 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) { 1156 IF_DEQUEUE(&sp->pp_fastq, m); 1157 if (m == NULL) 1158 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 1159 } 1160 SPPP_UNLOCK(sp); 1161 splx(s); 1162 return m; 1163 } 1164 1165 /* 1166 * Process an ioctl request. Called on low priority level. 1167 */ 1168 int 1169 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1170 { 1171 struct lwp *l = curlwp; /* XXX */ 1172 struct ifreq *ifr = (struct ifreq *) data; 1173 struct ifaddr *ifa = (struct ifaddr *) data; 1174 struct sppp *sp = (struct sppp *) ifp; 1175 int s, error=0, going_up, going_down; 1176 u_short newmode; 1177 1178 s = splnet(); 1179 switch (cmd) { 1180 case SIOCINITIFADDR: 1181 ifa->ifa_rtrequest = p2p_rtrequest; 1182 break; 1183 1184 case SIOCSIFFLAGS: 1185 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1186 break; 1187 1188 SPPP_LOCK(sp, RW_WRITER); 1189 going_up = ifp->if_flags & IFF_UP && 1190 (ifp->if_flags & IFF_RUNNING) == 0; 1191 going_down = (ifp->if_flags & IFF_UP) == 0 && 1192 ifp->if_flags & IFF_RUNNING; 1193 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1194 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1195 /* sanity */ 1196 newmode = IFF_PASSIVE; 1197 ifp->if_flags &= ~IFF_AUTO; 1198 } 1199 1200 if (going_up || going_down) { 1201 lcp.Close(sp); 1202 } 1203 if (going_up && newmode == 0) { 1204 /* neither auto-dial nor passive */ 1205 ifp->if_flags |= IFF_RUNNING; 1206 if (!(sp->pp_flags & PP_CISCO)) 1207 lcp.Open(sp); 1208 } else if (going_down) { 1209 SPPP_UNLOCK(sp); 1210 sppp_flush(ifp); 1211 SPPP_LOCK(sp, RW_WRITER); 1212 1213 ifp->if_flags &= ~IFF_RUNNING; 1214 } 1215 SPPP_UNLOCK(sp); 1216 break; 1217 1218 case SIOCSIFMTU: 1219 if (ifr->ifr_mtu < PPP_MINMRU || 1220 ifr->ifr_mtu > sp->lcp.their_mru) { 1221 error = EINVAL; 1222 break; 1223 } 1224 /*FALLTHROUGH*/ 1225 case SIOCGIFMTU: 1226 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1227 error = 0; 1228 break; 1229 case SIOCADDMULTI: 1230 case SIOCDELMULTI: 1231 break; 1232 1233 case SPPPSETAUTHCFG: 1234 case SPPPSETLCPCFG: 1235 case SPPPSETIDLETO: 1236 case SPPPSETAUTHFAILURE: 1237 case SPPPSETDNSOPTS: 1238 case SPPPSETKEEPALIVE: 1239 #if defined(COMPAT_50) || defined(MODULAR) 1240 case __SPPPSETIDLETO50: 1241 case __SPPPSETKEEPALIVE50: 1242 #endif /* COMPAT_50 || MODULAR */ 1243 error = kauth_authorize_network(l->l_cred, 1244 KAUTH_NETWORK_INTERFACE, 1245 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1246 NULL); 1247 if (error) 1248 break; 1249 error = sppp_params(sp, cmd, data); 1250 break; 1251 1252 case SPPPGETAUTHCFG: 1253 case SPPPGETLCPCFG: 1254 case SPPPGETAUTHFAILURES: 1255 error = kauth_authorize_network(l->l_cred, 1256 KAUTH_NETWORK_INTERFACE, 1257 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1258 NULL); 1259 if (error) 1260 break; 1261 error = sppp_params(sp, cmd, data); 1262 break; 1263 1264 case SPPPGETSTATUS: 1265 case SPPPGETSTATUSNCP: 1266 case SPPPGETIDLETO: 1267 case SPPPGETDNSOPTS: 1268 case SPPPGETDNSADDRS: 1269 case SPPPGETKEEPALIVE: 1270 #if defined(COMPAT_50) || defined(MODULAR) 1271 case __SPPPGETIDLETO50: 1272 case __SPPPGETKEEPALIVE50: 1273 #endif /* COMPAT_50 || MODULAR */ 1274 error = sppp_params(sp, cmd, data); 1275 break; 1276 1277 case SIOCGIFMEDIA: 1278 error = ifmedia_ioctl(ifp, ifr, &sp->pp_im, cmd); 1279 break; 1280 1281 default: 1282 error = ifioctl_common(ifp, cmd, data); 1283 break; 1284 } 1285 splx(s); 1286 return (error); 1287 } 1288 1289 1290 /* 1291 * Cisco framing implementation. 1292 */ 1293 1294 /* 1295 * Handle incoming Cisco keepalive protocol packets. 1296 */ 1297 static void 1298 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1299 { 1300 STDDCL; 1301 struct cisco_packet *h; 1302 #ifdef INET 1303 uint32_t me, mymask = 0; /* XXX: GCC */ 1304 #endif 1305 1306 SPPP_LOCK(sp, RW_WRITER); 1307 1308 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1309 if (debug) 1310 log(LOG_DEBUG, 1311 "%s: cisco invalid packet length: %d bytes\n", 1312 ifp->if_xname, m->m_pkthdr.len); 1313 SPPP_UNLOCK(sp); 1314 return; 1315 } 1316 h = mtod(m, struct cisco_packet *); 1317 if (debug) 1318 log(LOG_DEBUG, 1319 "%s: cisco input: %d bytes " 1320 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1321 ifp->if_xname, m->m_pkthdr.len, 1322 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1323 (u_int)h->time0, (u_int)h->time1); 1324 switch (ntohl(h->type)) { 1325 default: 1326 if (debug) 1327 addlog("%s: cisco unknown packet type: 0x%x\n", 1328 ifp->if_xname, ntohl(h->type)); 1329 break; 1330 case CISCO_ADDR_REPLY: 1331 /* Reply on address request, ignore */ 1332 break; 1333 case CISCO_KEEPALIVE_REQ: 1334 sp->pp_alivecnt = 0; 1335 sp->pp_rseq[IDX_LCP] = ntohl(h->par1); 1336 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1337 /* Local and remote sequence numbers are equal. 1338 * Probably, the line is in loopback mode. */ 1339 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1340 printf ("%s: loopback\n", 1341 ifp->if_xname); 1342 sp->pp_loopcnt = 0; 1343 if (ifp->if_flags & IFF_UP) { 1344 SPPP_UNLOCK(sp); 1345 if_down(ifp); 1346 SPPP_LOCK(sp, RW_WRITER); 1347 1348 IF_PURGE(&sp->pp_cpq); 1349 } 1350 } 1351 ++sp->pp_loopcnt; 1352 1353 /* Generate new local sequence number */ 1354 sp->pp_seq[IDX_LCP] = cprng_fast32(); 1355 break; 1356 } 1357 sp->pp_loopcnt = 0; 1358 if (! (ifp->if_flags & IFF_UP) && 1359 (ifp->if_flags & IFF_RUNNING)) { 1360 SPPP_UNLOCK(sp); 1361 if_up(ifp); 1362 SPPP_LOCK(sp, RW_WRITER); 1363 } 1364 break; 1365 case CISCO_ADDR_REQ: 1366 #ifdef INET 1367 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1368 if (me != 0L) 1369 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1370 #endif 1371 break; 1372 } 1373 SPPP_UNLOCK(sp); 1374 } 1375 1376 /* 1377 * Send Cisco keepalive packet. 1378 */ 1379 static void 1380 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1381 { 1382 STDDCL; 1383 struct ppp_header *h; 1384 struct cisco_packet *ch; 1385 struct mbuf *m; 1386 uint32_t t; 1387 1388 KASSERT(SPPP_WLOCKED(sp)); 1389 1390 t = time_uptime * 1000; 1391 MGETHDR(m, M_DONTWAIT, MT_DATA); 1392 if (! m) 1393 return; 1394 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1395 m_reset_rcvif(m); 1396 1397 h = mtod(m, struct ppp_header *); 1398 h->address = CISCO_MULTICAST; 1399 h->control = 0; 1400 h->protocol = htons(CISCO_KEEPALIVE); 1401 1402 ch = (struct cisco_packet *)(h + 1); 1403 ch->type = htonl(type); 1404 ch->par1 = htonl(par1); 1405 ch->par2 = htonl(par2); 1406 ch->rel = -1; 1407 1408 ch->time0 = htons((u_short)(t >> 16)); 1409 ch->time1 = htons((u_short) t); 1410 1411 if (debug) 1412 log(LOG_DEBUG, 1413 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1414 ifp->if_xname, ntohl(ch->type), ch->par1, 1415 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1416 (u_int)ch->time1); 1417 1418 if (IF_QFULL(&sp->pp_cpq)) { 1419 IF_DROP(&sp->pp_fastq); 1420 IF_DROP(&ifp->if_snd); 1421 m_freem(m); 1422 ++ifp->if_oerrors; 1423 return; 1424 } 1425 1426 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1427 IF_ENQUEUE(&sp->pp_cpq, m); 1428 1429 if (! (ifp->if_flags & IFF_OACTIVE)) { 1430 SPPP_UNLOCK(sp); 1431 if_start_lock(ifp); 1432 SPPP_LOCK(sp, RW_WRITER); 1433 } 1434 } 1435 1436 /* 1437 * PPP protocol implementation. 1438 */ 1439 1440 /* 1441 * Send PPP control protocol packet. 1442 */ 1443 static void 1444 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1445 u_char ident, u_short len, void *data) 1446 { 1447 STDDCL; 1448 struct lcp_header *lh; 1449 struct mbuf *m; 1450 size_t pkthdrlen; 1451 1452 KASSERT(SPPP_WLOCKED(sp)); 1453 1454 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1455 1456 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1457 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1458 MGETHDR(m, M_DONTWAIT, MT_DATA); 1459 if (! m) { 1460 return; 1461 } 1462 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1463 m_reset_rcvif(m); 1464 1465 if (sp->pp_flags & PP_NOFRAMING) { 1466 *mtod(m, uint16_t *) = htons(proto); 1467 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1468 } else { 1469 struct ppp_header *h; 1470 h = mtod(m, struct ppp_header *); 1471 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1472 h->control = PPP_UI; /* Unnumbered Info */ 1473 h->protocol = htons(proto); /* Link Control Protocol */ 1474 lh = (struct lcp_header *)(h + 1); 1475 } 1476 lh->type = type; 1477 lh->ident = ident; 1478 lh->len = htons(LCP_HEADER_LEN + len); 1479 if (len) 1480 memcpy(lh + 1, data, len); 1481 1482 if (debug) { 1483 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1484 ifp->if_xname, 1485 sppp_proto_name(proto), 1486 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len)); 1487 if (len) 1488 sppp_print_bytes((u_char *)(lh + 1), len); 1489 addlog(">\n"); 1490 } 1491 if (IF_QFULL(&sp->pp_cpq)) { 1492 IF_DROP(&sp->pp_fastq); 1493 IF_DROP(&ifp->if_snd); 1494 m_freem(m); 1495 ++ifp->if_oerrors; 1496 return; 1497 } 1498 1499 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1500 IF_ENQUEUE(&sp->pp_cpq, m); 1501 1502 1503 if (! (ifp->if_flags & IFF_OACTIVE)) { 1504 SPPP_UNLOCK(sp); 1505 if_start_lock(ifp); 1506 SPPP_LOCK(sp, RW_WRITER); 1507 } 1508 } 1509 1510 /* 1511 * Handle incoming PPP control protocol packets. 1512 */ 1513 static void 1514 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1515 { 1516 STDDCL; 1517 struct lcp_header *h; 1518 int printlen, len = m->m_pkthdr.len; 1519 int rv; 1520 u_char *p; 1521 uint32_t u32; 1522 1523 SPPP_LOCK(sp, RW_WRITER); 1524 1525 if (len < 4) { 1526 if (debug) 1527 log(LOG_DEBUG, 1528 "%s: %s invalid packet length: %d bytes\n", 1529 ifp->if_xname, cp->name, len); 1530 SPPP_UNLOCK(sp); 1531 return; 1532 } 1533 h = mtod(m, struct lcp_header *); 1534 if (debug) { 1535 printlen = ntohs(h->len); 1536 log(LOG_DEBUG, 1537 "%s: %s input(%s): <%s id=0x%x len=%d", 1538 ifp->if_xname, cp->name, 1539 sppp_state_name(sp->state[cp->protoidx]), 1540 sppp_cp_type_name(h->type), h->ident, printlen); 1541 if (len < printlen) 1542 printlen = len; 1543 if (printlen > 4) 1544 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1545 addlog(">\n"); 1546 } 1547 if (len > ntohs(h->len)) 1548 len = ntohs(h->len); 1549 p = (u_char *)(h + 1); 1550 switch (h->type) { 1551 case CONF_REQ: 1552 if (len < 4) { 1553 if (debug) 1554 addlog("%s: %s invalid conf-req length %d\n", 1555 ifp->if_xname, cp->name, 1556 len); 1557 ++ifp->if_ierrors; 1558 break; 1559 } 1560 /* handle states where RCR doesn't get a SCA/SCN */ 1561 switch (sp->state[cp->protoidx]) { 1562 case STATE_CLOSING: 1563 case STATE_STOPPING: 1564 SPPP_UNLOCK(sp); 1565 return; 1566 case STATE_CLOSED: 1567 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1568 0, 0); 1569 SPPP_UNLOCK(sp); 1570 return; 1571 } 1572 rv = (cp->RCR)(sp, h, len); 1573 if (rv < 0) { 1574 /* fatal error, shut down */ 1575 (cp->tld)(sp); 1576 sppp_lcp_tlf(sp); 1577 SPPP_UNLOCK(sp); 1578 return; 1579 } 1580 switch (sp->state[cp->protoidx]) { 1581 case STATE_OPENED: 1582 (cp->tld)(sp); 1583 (cp->scr)(sp); 1584 /* fall through... */ 1585 case STATE_ACK_SENT: 1586 case STATE_REQ_SENT: 1587 sppp_cp_change_state(cp, sp, rv? 1588 STATE_ACK_SENT: STATE_REQ_SENT); 1589 break; 1590 case STATE_STOPPED: 1591 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1592 (cp->scr)(sp); 1593 sppp_cp_change_state(cp, sp, rv? 1594 STATE_ACK_SENT: STATE_REQ_SENT); 1595 break; 1596 case STATE_ACK_RCVD: 1597 if (rv) { 1598 sppp_cp_change_state(cp, sp, STATE_OPENED); 1599 if (debug) 1600 log(LOG_DEBUG, "%s: %s tlu\n", 1601 ifp->if_xname, 1602 cp->name); 1603 (cp->tlu)(sp); 1604 } else 1605 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1606 break; 1607 default: 1608 printf("%s: %s illegal %s in state %s\n", 1609 ifp->if_xname, cp->name, 1610 sppp_cp_type_name(h->type), 1611 sppp_state_name(sp->state[cp->protoidx])); 1612 ++ifp->if_ierrors; 1613 } 1614 break; 1615 case CONF_ACK: 1616 if (h->ident != sp->confid[cp->protoidx]) { 1617 if (debug) 1618 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1619 ifp->if_xname, cp->name, 1620 h->ident, sp->confid[cp->protoidx]); 1621 ++ifp->if_ierrors; 1622 break; 1623 } 1624 switch (sp->state[cp->protoidx]) { 1625 case STATE_CLOSED: 1626 case STATE_STOPPED: 1627 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1628 break; 1629 case STATE_CLOSING: 1630 case STATE_STOPPING: 1631 break; 1632 case STATE_REQ_SENT: 1633 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1634 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1635 break; 1636 case STATE_OPENED: 1637 (cp->tld)(sp); 1638 /* fall through */ 1639 case STATE_ACK_RCVD: 1640 (cp->scr)(sp); 1641 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1642 break; 1643 case STATE_ACK_SENT: 1644 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1645 sppp_cp_change_state(cp, sp, STATE_OPENED); 1646 if (debug) 1647 log(LOG_DEBUG, "%s: %s tlu\n", 1648 ifp->if_xname, cp->name); 1649 (cp->tlu)(sp); 1650 break; 1651 default: 1652 printf("%s: %s illegal %s in state %s\n", 1653 ifp->if_xname, cp->name, 1654 sppp_cp_type_name(h->type), 1655 sppp_state_name(sp->state[cp->protoidx])); 1656 ++ifp->if_ierrors; 1657 } 1658 break; 1659 case CONF_NAK: 1660 case CONF_REJ: 1661 if (h->ident != sp->confid[cp->protoidx]) { 1662 if (debug) 1663 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1664 ifp->if_xname, cp->name, 1665 h->ident, sp->confid[cp->protoidx]); 1666 ++ifp->if_ierrors; 1667 break; 1668 } 1669 if (h->type == CONF_NAK) 1670 (cp->RCN_nak)(sp, h, len); 1671 else /* CONF_REJ */ 1672 (cp->RCN_rej)(sp, h, len); 1673 1674 switch (sp->state[cp->protoidx]) { 1675 case STATE_CLOSED: 1676 case STATE_STOPPED: 1677 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1678 break; 1679 case STATE_REQ_SENT: 1680 case STATE_ACK_SENT: 1681 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1682 (cp->scr)(sp); 1683 break; 1684 case STATE_OPENED: 1685 (cp->tld)(sp); 1686 /* fall through */ 1687 case STATE_ACK_RCVD: 1688 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 1689 (cp->scr)(sp); 1690 break; 1691 case STATE_CLOSING: 1692 case STATE_STOPPING: 1693 break; 1694 default: 1695 printf("%s: %s illegal %s in state %s\n", 1696 ifp->if_xname, cp->name, 1697 sppp_cp_type_name(h->type), 1698 sppp_state_name(sp->state[cp->protoidx])); 1699 ++ifp->if_ierrors; 1700 } 1701 break; 1702 1703 case TERM_REQ: 1704 switch (sp->state[cp->protoidx]) { 1705 case STATE_ACK_RCVD: 1706 case STATE_ACK_SENT: 1707 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1708 /* fall through */ 1709 case STATE_CLOSED: 1710 case STATE_STOPPED: 1711 case STATE_CLOSING: 1712 case STATE_STOPPING: 1713 case STATE_REQ_SENT: 1714 sta: 1715 /* Send Terminate-Ack packet. */ 1716 if (debug) 1717 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 1718 ifp->if_xname, cp->name); 1719 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1720 break; 1721 case STATE_OPENED: 1722 (cp->tld)(sp); 1723 sp->rst_counter[cp->protoidx] = 0; 1724 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1725 goto sta; 1726 default: 1727 printf("%s: %s illegal %s in state %s\n", 1728 ifp->if_xname, cp->name, 1729 sppp_cp_type_name(h->type), 1730 sppp_state_name(sp->state[cp->protoidx])); 1731 ++ifp->if_ierrors; 1732 } 1733 break; 1734 case TERM_ACK: 1735 switch (sp->state[cp->protoidx]) { 1736 case STATE_CLOSED: 1737 case STATE_STOPPED: 1738 case STATE_REQ_SENT: 1739 case STATE_ACK_SENT: 1740 break; 1741 case STATE_CLOSING: 1742 (cp->tlf)(sp); 1743 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1744 sppp_lcp_check_and_close(sp); 1745 break; 1746 case STATE_STOPPING: 1747 (cp->tlf)(sp); 1748 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1749 sppp_lcp_check_and_close(sp); 1750 break; 1751 case STATE_ACK_RCVD: 1752 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1753 break; 1754 case STATE_OPENED: 1755 (cp->tld)(sp); 1756 (cp->scr)(sp); 1757 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1758 break; 1759 default: 1760 printf("%s: %s illegal %s in state %s\n", 1761 ifp->if_xname, cp->name, 1762 sppp_cp_type_name(h->type), 1763 sppp_state_name(sp->state[cp->protoidx])); 1764 ++ifp->if_ierrors; 1765 } 1766 break; 1767 case CODE_REJ: 1768 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1769 log(LOG_INFO, 1770 "%s: %s: ignoring RXJ (%s) for code ?, " 1771 "danger will robinson\n", 1772 ifp->if_xname, cp->name, 1773 sppp_cp_type_name(h->type)); 1774 switch (sp->state[cp->protoidx]) { 1775 case STATE_CLOSED: 1776 case STATE_STOPPED: 1777 case STATE_REQ_SENT: 1778 case STATE_ACK_SENT: 1779 case STATE_CLOSING: 1780 case STATE_STOPPING: 1781 case STATE_OPENED: 1782 break; 1783 case STATE_ACK_RCVD: 1784 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1785 break; 1786 default: 1787 printf("%s: %s illegal %s in state %s\n", 1788 ifp->if_xname, cp->name, 1789 sppp_cp_type_name(h->type), 1790 sppp_state_name(sp->state[cp->protoidx])); 1791 ++ifp->if_ierrors; 1792 } 1793 break; 1794 case PROTO_REJ: 1795 { 1796 int catastrophic; 1797 const struct cp *upper; 1798 int i; 1799 uint16_t proto; 1800 1801 catastrophic = 0; 1802 upper = NULL; 1803 proto = p[0] << 8 | p[1]; 1804 for (i = 0; i < IDX_COUNT; i++) { 1805 if (cps[i]->proto == proto) { 1806 upper = cps[i]; 1807 break; 1808 } 1809 } 1810 if (upper == NULL) 1811 catastrophic++; 1812 1813 if (debug) 1814 log(LOG_INFO, 1815 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1816 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1817 sppp_cp_type_name(h->type), proto, 1818 upper ? upper->name : "unknown", 1819 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1820 1821 /* 1822 * if we got RXJ+ against conf-req, the peer does not implement 1823 * this particular protocol type. terminate the protocol. 1824 */ 1825 if (upper && !catastrophic) { 1826 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1827 upper->Close(sp); 1828 break; 1829 } 1830 } 1831 1832 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1833 switch (sp->state[cp->protoidx]) { 1834 case STATE_CLOSED: 1835 case STATE_STOPPED: 1836 case STATE_REQ_SENT: 1837 case STATE_ACK_SENT: 1838 case STATE_CLOSING: 1839 case STATE_STOPPING: 1840 case STATE_OPENED: 1841 break; 1842 case STATE_ACK_RCVD: 1843 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1844 break; 1845 default: 1846 printf("%s: %s illegal %s in state %s\n", 1847 ifp->if_xname, cp->name, 1848 sppp_cp_type_name(h->type), 1849 sppp_state_name(sp->state[cp->protoidx])); 1850 ++ifp->if_ierrors; 1851 } 1852 break; 1853 } 1854 case DISC_REQ: 1855 if (cp->proto != PPP_LCP) 1856 goto illegal; 1857 /* Discard the packet. */ 1858 break; 1859 case ECHO_REQ: 1860 if (cp->proto != PPP_LCP) 1861 goto illegal; 1862 if (sp->state[cp->protoidx] != STATE_OPENED) { 1863 if (debug) 1864 addlog("%s: lcp echo req but lcp closed\n", 1865 ifp->if_xname); 1866 ++ifp->if_ierrors; 1867 break; 1868 } 1869 if (len < 8) { 1870 if (debug) 1871 addlog("%s: invalid lcp echo request " 1872 "packet length: %d bytes\n", 1873 ifp->if_xname, len); 1874 break; 1875 } 1876 memcpy(&u32, h + 1, sizeof u32); 1877 if (ntohl(u32) == sp->lcp.magic) { 1878 /* Line loopback mode detected. */ 1879 printf("%s: loopback\n", ifp->if_xname); 1880 SPPP_UNLOCK(sp); 1881 if_down(ifp); 1882 SPPP_LOCK(sp, RW_WRITER); 1883 1884 IF_PURGE(&sp->pp_cpq); 1885 1886 /* Shut down the PPP link. */ 1887 /* XXX */ 1888 lcp.Down(sp); 1889 lcp.Up(sp); 1890 break; 1891 } 1892 u32 = htonl(sp->lcp.magic); 1893 memcpy(h + 1, &u32, sizeof u32); 1894 if (debug) 1895 addlog("%s: got lcp echo req, sending echo rep\n", 1896 ifp->if_xname); 1897 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1898 h + 1); 1899 break; 1900 case ECHO_REPLY: 1901 if (cp->proto != PPP_LCP) 1902 goto illegal; 1903 if (h->ident != sp->lcp.echoid) { 1904 ++ifp->if_ierrors; 1905 break; 1906 } 1907 if (len < 8) { 1908 if (debug) 1909 addlog("%s: lcp invalid echo reply " 1910 "packet length: %d bytes\n", 1911 ifp->if_xname, len); 1912 break; 1913 } 1914 if (debug) 1915 addlog("%s: lcp got echo rep\n", 1916 ifp->if_xname); 1917 memcpy(&u32, h + 1, sizeof u32); 1918 if (ntohl(u32) != sp->lcp.magic) 1919 sp->pp_alivecnt = 0; 1920 break; 1921 default: 1922 /* Unknown packet type -- send Code-Reject packet. */ 1923 illegal: 1924 if (debug) 1925 addlog("%s: %s send code-rej for 0x%x\n", 1926 ifp->if_xname, cp->name, h->type); 1927 sppp_cp_send(sp, cp->proto, CODE_REJ, 1928 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1929 ++ifp->if_ierrors; 1930 } 1931 1932 SPPP_UNLOCK(sp); 1933 } 1934 1935 1936 /* 1937 * The generic part of all Up/Down/Open/Close/TO event handlers. 1938 * Basically, the state transition handling in the automaton. 1939 */ 1940 static void 1941 sppp_up_event(const struct cp *cp, struct sppp *sp) 1942 { 1943 STDDCL; 1944 1945 KASSERT(SPPP_WLOCKED(sp)); 1946 1947 if (debug) 1948 log(LOG_DEBUG, "%s: %s up(%s)\n", 1949 ifp->if_xname, cp->name, 1950 sppp_state_name(sp->state[cp->protoidx])); 1951 1952 switch (sp->state[cp->protoidx]) { 1953 case STATE_INITIAL: 1954 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1955 break; 1956 case STATE_STARTING: 1957 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1958 (cp->scr)(sp); 1959 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1960 break; 1961 default: 1962 printf("%s: %s illegal up in state %s\n", 1963 ifp->if_xname, cp->name, 1964 sppp_state_name(sp->state[cp->protoidx])); 1965 } 1966 } 1967 1968 static void 1969 sppp_down_event(const struct cp *cp, struct sppp *sp) 1970 { 1971 STDDCL; 1972 1973 KASSERT(SPPP_WLOCKED(sp)); 1974 1975 if (debug) 1976 log(LOG_DEBUG, "%s: %s down(%s)\n", 1977 ifp->if_xname, cp->name, 1978 sppp_state_name(sp->state[cp->protoidx])); 1979 1980 switch (sp->state[cp->protoidx]) { 1981 case STATE_CLOSED: 1982 case STATE_CLOSING: 1983 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1984 break; 1985 case STATE_STOPPED: 1986 (cp->tls)(sp); 1987 /* fall through */ 1988 case STATE_STOPPING: 1989 case STATE_REQ_SENT: 1990 case STATE_ACK_RCVD: 1991 case STATE_ACK_SENT: 1992 sppp_cp_change_state(cp, sp, STATE_STARTING); 1993 break; 1994 case STATE_OPENED: 1995 (cp->tld)(sp); 1996 sppp_cp_change_state(cp, sp, STATE_STARTING); 1997 break; 1998 default: 1999 printf("%s: %s illegal down in state %s\n", 2000 ifp->if_xname, cp->name, 2001 sppp_state_name(sp->state[cp->protoidx])); 2002 } 2003 } 2004 2005 2006 static void 2007 sppp_open_event(const struct cp *cp, struct sppp *sp) 2008 { 2009 STDDCL; 2010 2011 KASSERT(SPPP_WLOCKED(sp)); 2012 2013 if (debug) 2014 log(LOG_DEBUG, "%s: %s open(%s)\n", 2015 ifp->if_xname, cp->name, 2016 sppp_state_name(sp->state[cp->protoidx])); 2017 2018 switch (sp->state[cp->protoidx]) { 2019 case STATE_INITIAL: 2020 sppp_cp_change_state(cp, sp, STATE_STARTING); 2021 (cp->tls)(sp); 2022 break; 2023 case STATE_STARTING: 2024 break; 2025 case STATE_CLOSED: 2026 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 2027 (cp->scr)(sp); 2028 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2029 break; 2030 case STATE_STOPPED: 2031 case STATE_STOPPING: 2032 case STATE_REQ_SENT: 2033 case STATE_ACK_RCVD: 2034 case STATE_ACK_SENT: 2035 case STATE_OPENED: 2036 break; 2037 case STATE_CLOSING: 2038 sppp_cp_change_state(cp, sp, STATE_STOPPING); 2039 break; 2040 } 2041 } 2042 2043 2044 static void 2045 sppp_close_event(const struct cp *cp, struct sppp *sp) 2046 { 2047 STDDCL; 2048 2049 KASSERT(SPPP_WLOCKED(sp)); 2050 2051 if (debug) 2052 log(LOG_DEBUG, "%s: %s close(%s)\n", 2053 ifp->if_xname, cp->name, 2054 sppp_state_name(sp->state[cp->protoidx])); 2055 2056 switch (sp->state[cp->protoidx]) { 2057 case STATE_INITIAL: 2058 case STATE_CLOSED: 2059 case STATE_CLOSING: 2060 break; 2061 case STATE_STARTING: 2062 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2063 (cp->tlf)(sp); 2064 break; 2065 case STATE_STOPPED: 2066 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2067 break; 2068 case STATE_STOPPING: 2069 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2070 break; 2071 case STATE_OPENED: 2072 (cp->tld)(sp); 2073 /* fall through */ 2074 case STATE_REQ_SENT: 2075 case STATE_ACK_RCVD: 2076 case STATE_ACK_SENT: 2077 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 2078 sppp_cp_send(sp, cp->proto, TERM_REQ, 2079 ++sp->pp_seq[cp->protoidx], 0, 0); 2080 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2081 break; 2082 } 2083 } 2084 2085 static void 2086 sppp_to_event(const struct cp *cp, struct sppp *sp) 2087 { 2088 STDDCL; 2089 int s; 2090 2091 KASSERT(SPPP_WLOCKED(sp)); 2092 2093 s = splnet(); 2094 2095 if (debug) 2096 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 2097 ifp->if_xname, cp->name, 2098 sppp_state_name(sp->state[cp->protoidx]), 2099 sp->rst_counter[cp->protoidx]); 2100 2101 if (--sp->rst_counter[cp->protoidx] < 0) 2102 /* TO- event */ 2103 switch (sp->state[cp->protoidx]) { 2104 case STATE_CLOSING: 2105 (cp->tlf)(sp); 2106 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2107 sppp_lcp_check_and_close(sp); 2108 break; 2109 case STATE_STOPPING: 2110 (cp->tlf)(sp); 2111 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2112 sppp_lcp_check_and_close(sp); 2113 break; 2114 case STATE_REQ_SENT: 2115 case STATE_ACK_RCVD: 2116 case STATE_ACK_SENT: 2117 (cp->tlf)(sp); 2118 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2119 sppp_lcp_check_and_close(sp); 2120 break; 2121 } 2122 else 2123 /* TO+ event */ 2124 switch (sp->state[cp->protoidx]) { 2125 case STATE_CLOSING: 2126 case STATE_STOPPING: 2127 sppp_cp_send(sp, cp->proto, TERM_REQ, 2128 ++sp->pp_seq[cp->protoidx], 0, 0); 2129 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2130 cp->TO, sp); 2131 break; 2132 case STATE_REQ_SENT: 2133 case STATE_ACK_RCVD: 2134 (cp->scr)(sp); 2135 /* sppp_cp_change_state() will restart the timer */ 2136 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2137 break; 2138 case STATE_ACK_SENT: 2139 (cp->scr)(sp); 2140 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2141 cp->TO, sp); 2142 break; 2143 } 2144 2145 splx(s); 2146 } 2147 2148 /* 2149 * Change the state of a control protocol in the state automaton. 2150 * Takes care of starting/stopping the restart timer. 2151 */ 2152 void 2153 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2154 { 2155 2156 KASSERT(SPPP_WLOCKED(sp)); 2157 2158 sp->state[cp->protoidx] = newstate; 2159 callout_stop(&sp->ch[cp->protoidx]); 2160 switch (newstate) { 2161 case STATE_INITIAL: 2162 case STATE_STARTING: 2163 case STATE_CLOSED: 2164 case STATE_STOPPED: 2165 case STATE_OPENED: 2166 break; 2167 case STATE_CLOSING: 2168 case STATE_STOPPING: 2169 case STATE_REQ_SENT: 2170 case STATE_ACK_RCVD: 2171 case STATE_ACK_SENT: 2172 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2173 cp->TO, sp); 2174 break; 2175 } 2176 } 2177 2178 /* 2179 *--------------------------------------------------------------------------* 2180 * * 2181 * The LCP implementation. * 2182 * * 2183 *--------------------------------------------------------------------------* 2184 */ 2185 static void 2186 sppp_lcp_init(struct sppp *sp) 2187 { 2188 2189 KASSERT(SPPP_WLOCKED(sp)); 2190 2191 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2192 sp->lcp.magic = 0; 2193 sp->state[IDX_LCP] = STATE_INITIAL; 2194 sp->fail_counter[IDX_LCP] = 0; 2195 sp->pp_seq[IDX_LCP] = 0; 2196 sp->pp_rseq[IDX_LCP] = 0; 2197 sp->lcp.protos = 0; 2198 2199 /* 2200 * Initialize counters and timeout values. Note that we don't 2201 * use the 3 seconds suggested in RFC 1661 since we are likely 2202 * running on a fast link. XXX We should probably implement 2203 * the exponential backoff option. Note that these values are 2204 * relevant for all control protocols, not just LCP only. 2205 */ 2206 sp->lcp.timeout = 1 * hz; 2207 sp->lcp.max_terminate = 2; 2208 sp->lcp.max_configure = 10; 2209 sp->lcp.max_failure = 10; 2210 callout_init(&sp->ch[IDX_LCP], CALLOUT_MPSAFE); 2211 } 2212 2213 static void 2214 sppp_lcp_up(struct sppp *sp) 2215 { 2216 STDDCL; 2217 2218 KASSERT(SPPP_WLOCKED(sp)); 2219 2220 /* Initialize activity timestamp: opening a connection is an activity */ 2221 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 2222 2223 /* 2224 * If this interface is passive or dial-on-demand, and we are 2225 * still in Initial state, it means we've got an incoming 2226 * call. Activate the interface. 2227 */ 2228 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2229 if (debug) 2230 log(LOG_DEBUG, 2231 "%s: Up event", ifp->if_xname); 2232 ifp->if_flags |= IFF_RUNNING; 2233 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2234 if (debug) 2235 addlog("(incoming call)\n"); 2236 sp->pp_flags |= PP_CALLIN; 2237 lcp.Open(sp); 2238 } else if (debug) 2239 addlog("\n"); 2240 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2241 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2242 ifp->if_flags |= IFF_RUNNING; 2243 lcp.Open(sp); 2244 } 2245 2246 sppp_up_event(&lcp, sp); 2247 } 2248 2249 static void 2250 sppp_lcp_down(struct sppp *sp) 2251 { 2252 STDDCL; 2253 2254 KASSERT(SPPP_WLOCKED(sp)); 2255 2256 sppp_down_event(&lcp, sp); 2257 2258 /* 2259 * If this is neither a dial-on-demand nor a passive 2260 * interface, simulate an ``ifconfig down'' action, so the 2261 * administrator can force a redial by another ``ifconfig 2262 * up''. XXX For leased line operation, should we immediately 2263 * try to reopen the connection here? 2264 */ 2265 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2266 if (debug) 2267 log(LOG_INFO, 2268 "%s: Down event (carrier loss), taking interface down.\n", 2269 ifp->if_xname); 2270 SPPP_UNLOCK(sp); 2271 if_down(ifp); 2272 SPPP_LOCK(sp, RW_WRITER); 2273 } else { 2274 if (debug) 2275 log(LOG_DEBUG, 2276 "%s: Down event (carrier loss)\n", 2277 ifp->if_xname); 2278 } 2279 sp->fail_counter[IDX_LCP] = 0; 2280 sp->pp_flags &= ~PP_CALLIN; 2281 if (sp->state[IDX_LCP] != STATE_INITIAL) 2282 lcp.Close(sp); 2283 ifp->if_flags &= ~IFF_RUNNING; 2284 } 2285 2286 static void 2287 sppp_lcp_open(struct sppp *sp) 2288 { 2289 2290 KASSERT(SPPP_WLOCKED(sp)); 2291 2292 if (sp->pp_if.if_mtu < PP_MTU) { 2293 sp->lcp.mru = sp->pp_if.if_mtu; 2294 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2295 } else 2296 sp->lcp.mru = PP_MTU; 2297 sp->lcp.their_mru = PP_MTU; 2298 2299 /* 2300 * If we are authenticator, negotiate LCP_AUTH 2301 */ 2302 if (sp->hisauth.proto != 0) 2303 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2304 else 2305 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2306 sp->pp_flags &= ~PP_NEEDAUTH; 2307 sppp_open_event(&lcp, sp); 2308 } 2309 2310 static void 2311 sppp_lcp_close(struct sppp *sp) 2312 { 2313 2314 KASSERT(SPPP_WLOCKED(sp)); 2315 sppp_close_event(&lcp, sp); 2316 } 2317 2318 static void 2319 sppp_lcp_TO(void *cookie) 2320 { 2321 struct sppp *sp = (struct sppp*)cookie; 2322 2323 SPPP_LOCK(sp, RW_WRITER); 2324 sppp_to_event(&lcp, sp); 2325 SPPP_UNLOCK(sp); 2326 } 2327 2328 /* 2329 * Analyze a configure request. Return true if it was agreeable, and 2330 * caused action sca, false if it has been rejected or nak'ed, and 2331 * caused action scn. (The return value is used to make the state 2332 * transition decision in the state automaton.) 2333 */ 2334 static int 2335 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2336 { 2337 STDDCL; 2338 u_char *buf, *r, *p, l, blen; 2339 int origlen, rlen; 2340 uint32_t nmagic; 2341 u_short authproto; 2342 2343 KASSERT(SPPP_WLOCKED(sp)); 2344 2345 len -= 4; 2346 origlen = len; 2347 buf = r = malloc (blen = len, M_TEMP, M_NOWAIT); 2348 if (! buf) 2349 return (0); 2350 2351 if (debug) 2352 log(LOG_DEBUG, "%s: lcp parse opts:", 2353 ifp->if_xname); 2354 2355 /* pass 1: check for things that need to be rejected */ 2356 p = (void *)(h + 1); 2357 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2358 /* Sanity check option length */ 2359 if (l > len) { 2360 /* 2361 * Malicious option - drop immediately. 2362 * XXX Maybe we should just RXJ it? 2363 */ 2364 addlog("%s: received malicious LCP option 0x%02x, " 2365 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2366 p[0], l, len); 2367 goto drop; 2368 } 2369 if (debug) 2370 addlog(" %s", sppp_lcp_opt_name(*p)); 2371 switch (*p) { 2372 case LCP_OPT_MAGIC: 2373 /* Magic number. */ 2374 /* fall through, both are same length */ 2375 case LCP_OPT_ASYNC_MAP: 2376 /* Async control character map. */ 2377 if (len >= 6 || l == 6) 2378 continue; 2379 if (debug) 2380 addlog(" [invalid]"); 2381 break; 2382 case LCP_OPT_MRU: 2383 /* Maximum receive unit. */ 2384 if (len >= 4 && l == 4) 2385 continue; 2386 if (debug) 2387 addlog(" [invalid]"); 2388 break; 2389 case LCP_OPT_AUTH_PROTO: 2390 if (len < 4) { 2391 if (debug) 2392 addlog(" [invalid]"); 2393 break; 2394 } 2395 authproto = (p[2] << 8) + p[3]; 2396 if (authproto == PPP_CHAP && l != 5) { 2397 if (debug) 2398 addlog(" [invalid chap len]"); 2399 break; 2400 } 2401 if (sp->myauth.proto == 0) { 2402 /* we are not configured to do auth */ 2403 if (debug) 2404 addlog(" [not configured]"); 2405 break; 2406 } 2407 /* 2408 * Remote want us to authenticate, remember this, 2409 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2410 * up. 2411 */ 2412 sp->pp_flags |= PP_NEEDAUTH; 2413 continue; 2414 default: 2415 /* Others not supported. */ 2416 if (debug) 2417 addlog(" [rej]"); 2418 break; 2419 } 2420 if (rlen + l > blen) { 2421 if (debug) 2422 addlog(" [overflow]"); 2423 continue; 2424 } 2425 /* Add the option to rejected list. */ 2426 memcpy(r, p, l); 2427 r += l; 2428 rlen += l; 2429 } 2430 if (rlen) { 2431 if (debug) 2432 addlog(" send conf-rej\n"); 2433 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2434 goto end; 2435 } else if (debug) 2436 addlog("\n"); 2437 2438 /* 2439 * pass 2: check for option values that are unacceptable and 2440 * thus require to be nak'ed. 2441 */ 2442 if (debug) 2443 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2444 ifp->if_xname); 2445 2446 p = (void *)(h + 1); 2447 len = origlen; 2448 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2449 if (debug) 2450 addlog(" %s", sppp_lcp_opt_name(*p)); 2451 switch (*p) { 2452 case LCP_OPT_MAGIC: 2453 /* Magic number -- extract. */ 2454 nmagic = (uint32_t)p[2] << 24 | 2455 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2456 if (nmagic != sp->lcp.magic) { 2457 if (debug) 2458 addlog(" 0x%x", nmagic); 2459 continue; 2460 } 2461 /* 2462 * Local and remote magics equal -- loopback? 2463 */ 2464 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2465 printf ("%s: loopback\n", 2466 ifp->if_xname); 2467 sp->pp_loopcnt = 0; 2468 if (ifp->if_flags & IFF_UP) { 2469 SPPP_UNLOCK(sp); 2470 if_down(ifp); 2471 SPPP_LOCK(sp, RW_WRITER); 2472 2473 IF_PURGE(&sp->pp_cpq); 2474 /* XXX ? */ 2475 lcp.Down(sp); 2476 lcp.Up(sp); 2477 } 2478 } else if (debug) 2479 addlog(" [glitch]"); 2480 ++sp->pp_loopcnt; 2481 /* 2482 * We negate our magic here, and NAK it. If 2483 * we see it later in an NAK packet, we 2484 * suggest a new one. 2485 */ 2486 nmagic = ~sp->lcp.magic; 2487 /* Gonna NAK it. */ 2488 p[2] = nmagic >> 24; 2489 p[3] = nmagic >> 16; 2490 p[4] = nmagic >> 8; 2491 p[5] = nmagic; 2492 break; 2493 2494 case LCP_OPT_ASYNC_MAP: 2495 /* 2496 * Async control character map -- just ignore it. 2497 * 2498 * Quote from RFC 1662, chapter 6: 2499 * To enable this functionality, synchronous PPP 2500 * implementations MUST always respond to the 2501 * Async-Control-Character-Map Configuration 2502 * Option with the LCP Configure-Ack. However, 2503 * acceptance of the Configuration Option does 2504 * not imply that the synchronous implementation 2505 * will do any ACCM mapping. Instead, all such 2506 * octet mapping will be performed by the 2507 * asynchronous-to-synchronous converter. 2508 */ 2509 continue; 2510 2511 case LCP_OPT_MRU: 2512 /* 2513 * Maximum receive unit. Always agreeable, 2514 * but ignored by now. 2515 */ 2516 sp->lcp.their_mru = p[2] * 256 + p[3]; 2517 if (debug) 2518 addlog(" %ld", sp->lcp.their_mru); 2519 continue; 2520 2521 case LCP_OPT_AUTH_PROTO: 2522 authproto = (p[2] << 8) + p[3]; 2523 if (sp->myauth.proto != authproto) { 2524 /* not agreed, nak */ 2525 if (debug) 2526 addlog(" [mine %s != his %s]", 2527 sppp_proto_name(sp->myauth.proto), 2528 sppp_proto_name(authproto)); 2529 p[2] = sp->myauth.proto >> 8; 2530 p[3] = sp->myauth.proto; 2531 break; 2532 } 2533 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2534 if (debug) 2535 addlog(" [chap not MD5]"); 2536 p[4] = CHAP_MD5; 2537 break; 2538 } 2539 continue; 2540 } 2541 if (rlen + l > blen) { 2542 if (debug) 2543 addlog(" [overflow]"); 2544 continue; 2545 } 2546 /* Add the option to nak'ed list. */ 2547 memcpy(r, p, l); 2548 r += l; 2549 rlen += l; 2550 } 2551 if (rlen) { 2552 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2553 if (debug) 2554 addlog(" max_failure (%d) exceeded, " 2555 "send conf-rej\n", 2556 sp->lcp.max_failure); 2557 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2558 } else { 2559 if (debug) 2560 addlog(" send conf-nak\n"); 2561 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2562 } 2563 goto end; 2564 } else { 2565 if (debug) 2566 addlog(" send conf-ack\n"); 2567 sp->fail_counter[IDX_LCP] = 0; 2568 sp->pp_loopcnt = 0; 2569 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1); 2570 } 2571 2572 end: 2573 free(buf, M_TEMP); 2574 return (rlen == 0); 2575 2576 drop: 2577 free(buf, M_TEMP); 2578 return -1; 2579 } 2580 2581 /* 2582 * Analyze the LCP Configure-Reject option list, and adjust our 2583 * negotiation. 2584 */ 2585 static void 2586 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2587 { 2588 STDDCL; 2589 u_char *buf, *p, l; 2590 2591 KASSERT(SPPP_WLOCKED(sp)); 2592 2593 len -= 4; 2594 buf = malloc (len, M_TEMP, M_NOWAIT); 2595 if (!buf) 2596 return; 2597 2598 if (debug) 2599 log(LOG_DEBUG, "%s: lcp rej opts:", 2600 ifp->if_xname); 2601 2602 p = (void *)(h + 1); 2603 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2604 /* Sanity check option length */ 2605 if (l > len) { 2606 /* 2607 * Malicious option - drop immediately. 2608 * XXX Maybe we should just RXJ it? 2609 */ 2610 addlog("%s: received malicious LCP option, " 2611 "dropping.\n", ifp->if_xname); 2612 goto drop; 2613 } 2614 if (debug) 2615 addlog(" %s", sppp_lcp_opt_name(*p)); 2616 switch (*p) { 2617 case LCP_OPT_MAGIC: 2618 /* Magic number -- can't use it, use 0 */ 2619 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2620 sp->lcp.magic = 0; 2621 break; 2622 case LCP_OPT_MRU: 2623 /* 2624 * We try to negotiate a lower MRU if the underlying 2625 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 2626 * peer rejects this lower rate, fallback to the 2627 * default. 2628 */ 2629 if (debug) { 2630 addlog("%s: warning: peer rejected our MRU of " 2631 "%ld bytes. Defaulting to %d bytes\n", 2632 ifp->if_xname, sp->lcp.mru, PP_MTU); 2633 } 2634 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2635 sp->lcp.mru = PP_MTU; 2636 break; 2637 case LCP_OPT_AUTH_PROTO: 2638 /* 2639 * Peer doesn't want to authenticate himself, 2640 * deny unless this is a dialout call, and 2641 * SPPP_AUTHFLAG_NOCALLOUT is set. 2642 */ 2643 if ((sp->pp_flags & PP_CALLIN) == 0 && 2644 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 2645 if (debug) 2646 addlog(" [don't insist on auth " 2647 "for callout]"); 2648 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2649 break; 2650 } 2651 if (debug) 2652 addlog("[access denied]\n"); 2653 lcp.Close(sp); 2654 break; 2655 } 2656 } 2657 if (debug) 2658 addlog("\n"); 2659 drop: 2660 free(buf, M_TEMP); 2661 return; 2662 } 2663 2664 /* 2665 * Analyze the LCP Configure-NAK option list, and adjust our 2666 * negotiation. 2667 */ 2668 static void 2669 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2670 { 2671 STDDCL; 2672 u_char *buf, *p, l, blen; 2673 uint32_t magic; 2674 2675 KASSERT(SPPP_WLOCKED(sp)); 2676 2677 len -= 4; 2678 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 2679 if (!buf) 2680 return; 2681 2682 if (debug) 2683 log(LOG_DEBUG, "%s: lcp nak opts:", 2684 ifp->if_xname); 2685 2686 p = (void *)(h + 1); 2687 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2688 /* Sanity check option length */ 2689 if (l > len) { 2690 /* 2691 * Malicious option - drop immediately. 2692 * XXX Maybe we should just RXJ it? 2693 */ 2694 addlog("%s: received malicious LCP option, " 2695 "dropping.\n", ifp->if_xname); 2696 goto drop; 2697 } 2698 if (debug) 2699 addlog(" %s", sppp_lcp_opt_name(*p)); 2700 switch (*p) { 2701 case LCP_OPT_MAGIC: 2702 /* Magic number -- renegotiate */ 2703 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2704 len >= 6 && l == 6) { 2705 magic = (uint32_t)p[2] << 24 | 2706 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2707 /* 2708 * If the remote magic is our negated one, 2709 * this looks like a loopback problem. 2710 * Suggest a new magic to make sure. 2711 */ 2712 if (magic == ~sp->lcp.magic) { 2713 if (debug) 2714 addlog(" magic glitch"); 2715 sp->lcp.magic = cprng_fast32(); 2716 } else { 2717 sp->lcp.magic = magic; 2718 if (debug) 2719 addlog(" %d", magic); 2720 } 2721 } 2722 break; 2723 case LCP_OPT_MRU: 2724 /* 2725 * Peer wants to advise us to negotiate an MRU. 2726 * Agree on it if it's reasonable, or use 2727 * default otherwise. 2728 */ 2729 if (len >= 4 && l == 4) { 2730 u_int mru = p[2] * 256 + p[3]; 2731 if (debug) 2732 addlog(" %d", mru); 2733 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 2734 mru = sp->pp_if.if_mtu; 2735 sp->lcp.mru = mru; 2736 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2737 } 2738 break; 2739 case LCP_OPT_AUTH_PROTO: 2740 /* 2741 * Peer doesn't like our authentication method, 2742 * deny. 2743 */ 2744 if (debug) 2745 addlog("[access denied]\n"); 2746 lcp.Close(sp); 2747 break; 2748 } 2749 } 2750 if (debug) 2751 addlog("\n"); 2752 drop: 2753 free(buf, M_TEMP); 2754 return; 2755 } 2756 2757 static void 2758 sppp_lcp_tlu(struct sppp *sp) 2759 { 2760 struct ifnet *ifp = &sp->pp_if; 2761 int i; 2762 uint32_t mask; 2763 2764 KASSERT(SPPP_WLOCKED(sp)); 2765 2766 /* XXX ? */ 2767 if (! (ifp->if_flags & IFF_UP) && 2768 (ifp->if_flags & IFF_RUNNING)) { 2769 /* Coming out of loopback mode. */ 2770 SPPP_UNLOCK(sp); 2771 if_up(ifp); 2772 SPPP_LOCK(sp, RW_WRITER); 2773 } 2774 2775 for (i = 0; i < IDX_COUNT; i++) 2776 if ((cps[i])->flags & CP_QUAL) 2777 (cps[i])->Open(sp); 2778 2779 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2780 (sp->pp_flags & PP_NEEDAUTH) != 0) 2781 sppp_change_phase(sp, SPPP_PHASE_AUTHENTICATE); 2782 else 2783 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 2784 2785 /* 2786 * Open all authentication protocols. This is even required 2787 * if we already proceeded to network phase, since it might be 2788 * that remote wants us to authenticate, so we might have to 2789 * send a PAP request. Undesired authentication protocols 2790 * don't do anything when they get an Open event. 2791 */ 2792 for (i = 0; i < IDX_COUNT; i++) 2793 if ((cps[i])->flags & CP_AUTH) 2794 (cps[i])->Open(sp); 2795 2796 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 2797 /* Notify all NCPs. */ 2798 for (i = 0; i < IDX_COUNT; i++) 2799 if ((cps[i])->flags & CP_NCP) 2800 (cps[i])->Open(sp); 2801 } 2802 2803 /* Send Up events to all started protos. */ 2804 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) { 2805 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2806 (cps[i])->Up(sp); 2807 } 2808 } 2809 2810 /* notify low-level driver of state change */ 2811 sppp_notify_chg_wlocked(sp); 2812 2813 if (sp->pp_phase == SPPP_PHASE_NETWORK) 2814 /* if no NCP is starting, close down */ 2815 sppp_lcp_check_and_close(sp); 2816 } 2817 2818 static void 2819 sppp_lcp_tld(struct sppp *sp) 2820 { 2821 int i; 2822 uint32_t mask; 2823 2824 KASSERT(SPPP_WLOCKED(sp)); 2825 2826 sppp_change_phase(sp, SPPP_PHASE_TERMINATE); 2827 2828 /* 2829 * Take upper layers down. We send the Down event first and 2830 * the Close second to prevent the upper layers from sending 2831 * ``a flurry of terminate-request packets'', as the RFC 2832 * describes it. 2833 */ 2834 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) { 2835 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2836 (cps[i])->Down(sp); 2837 (cps[i])->Close(sp); 2838 } 2839 } 2840 } 2841 2842 static void 2843 sppp_lcp_tls(struct sppp *sp) 2844 { 2845 2846 KASSERT(SPPP_WLOCKED(sp)); 2847 2848 2849 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 2850 printf("%s: authentication failed %d times, not retrying again\n", 2851 sp->pp_if.if_xname, sp->pp_auth_failures); 2852 2853 SPPP_UNLOCK(sp); 2854 if_down(&sp->pp_if); 2855 SPPP_LOCK(sp, RW_WRITER); 2856 return; 2857 } 2858 2859 sppp_change_phase(sp, SPPP_PHASE_ESTABLISH); 2860 2861 /* Notify lower layer if desired. */ 2862 sppp_notify_tls_wlocked(sp); 2863 } 2864 2865 static void 2866 sppp_lcp_tlf(struct sppp *sp) 2867 { 2868 2869 KASSERT(SPPP_WLOCKED(sp)); 2870 2871 sppp_change_phase(sp, SPPP_PHASE_DEAD); 2872 2873 /* Notify lower layer if desired. */ 2874 sppp_notify_tlf_wlocked(sp); 2875 } 2876 2877 static void 2878 sppp_lcp_scr(struct sppp *sp) 2879 { 2880 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2881 int i = 0; 2882 u_short authproto; 2883 2884 KASSERT(SPPP_WLOCKED(sp)); 2885 2886 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2887 if (! sp->lcp.magic) 2888 sp->lcp.magic = cprng_fast32(); 2889 opt[i++] = LCP_OPT_MAGIC; 2890 opt[i++] = 6; 2891 opt[i++] = sp->lcp.magic >> 24; 2892 opt[i++] = sp->lcp.magic >> 16; 2893 opt[i++] = sp->lcp.magic >> 8; 2894 opt[i++] = sp->lcp.magic; 2895 } 2896 2897 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2898 opt[i++] = LCP_OPT_MRU; 2899 opt[i++] = 4; 2900 opt[i++] = sp->lcp.mru >> 8; 2901 opt[i++] = sp->lcp.mru; 2902 } 2903 2904 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2905 authproto = sp->hisauth.proto; 2906 opt[i++] = LCP_OPT_AUTH_PROTO; 2907 opt[i++] = authproto == PPP_CHAP? 5: 4; 2908 opt[i++] = authproto >> 8; 2909 opt[i++] = authproto; 2910 if (authproto == PPP_CHAP) 2911 opt[i++] = CHAP_MD5; 2912 } 2913 2914 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2915 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2916 } 2917 2918 /* 2919 * Check the open NCPs, return true if at least one NCP is open. 2920 */ 2921 static int 2922 sppp_ncp_check(struct sppp *sp) 2923 { 2924 int i, mask; 2925 2926 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2927 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2928 return 1; 2929 return 0; 2930 } 2931 2932 /* 2933 * Re-check the open NCPs and see if we should terminate the link. 2934 * Called by the NCPs during their tlf action handling. 2935 */ 2936 static void 2937 sppp_lcp_check_and_close(struct sppp *sp) 2938 { 2939 2940 KASSERT(SPPP_WLOCKED(sp)); 2941 2942 if (sp->pp_phase < SPPP_PHASE_NETWORK) 2943 /* don't bother, we are already going down */ 2944 return; 2945 2946 if (sppp_ncp_check(sp)) 2947 return; 2948 lcp.Close(sp); 2949 } 2950 2951 2952 /* 2953 *--------------------------------------------------------------------------* 2954 * * 2955 * The IPCP implementation. * 2956 * * 2957 *--------------------------------------------------------------------------* 2958 */ 2959 2960 static void 2961 sppp_ipcp_init(struct sppp *sp) 2962 { 2963 int error; 2964 2965 KASSERT(SPPP_WLOCKED(sp)); 2966 2967 sp->ipcp.opts = 0; 2968 sp->ipcp.flags = 0; 2969 sp->state[IDX_IPCP] = STATE_INITIAL; 2970 sp->fail_counter[IDX_IPCP] = 0; 2971 sp->pp_seq[IDX_IPCP] = 0; 2972 sp->pp_rseq[IDX_IPCP] = 0; 2973 callout_init(&sp->ch[IDX_IPCP], CALLOUT_MPSAFE); 2974 2975 error = workqueue_create(&sp->ipcp.update_addrs_wq, "ipcp_addr", 2976 sppp_update_ip_addrs_work, sp, PRI_SOFTNET, IPL_NET, 0); 2977 if (error) 2978 panic("%s: update_addrs workqueue_create failed (%d)\n", 2979 __func__, error); 2980 sp->ipcp.update_addrs_q = pcq_create(IPCP_UPDATE_LIMIT, KM_SLEEP); 2981 2982 sp->ipcp.update_addrs_enqueued = 0; 2983 } 2984 2985 static void 2986 sppp_ipcp_up(struct sppp *sp) 2987 { 2988 KASSERT(SPPP_WLOCKED(sp)); 2989 sppp_up_event(&ipcp, sp); 2990 } 2991 2992 static void 2993 sppp_ipcp_down(struct sppp *sp) 2994 { 2995 KASSERT(SPPP_WLOCKED(sp)); 2996 sppp_down_event(&ipcp, sp); 2997 } 2998 2999 static void 3000 sppp_ipcp_open(struct sppp *sp) 3001 { 3002 STDDCL; 3003 uint32_t myaddr, hisaddr; 3004 3005 KASSERT(SPPP_WLOCKED(sp)); 3006 3007 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 3008 sp->ipcp.req_myaddr = 0; 3009 sp->ipcp.req_hisaddr = 0; 3010 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 3011 3012 #ifdef INET 3013 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3014 #else 3015 myaddr = hisaddr = 0; 3016 #endif 3017 /* 3018 * If we don't have his address, this probably means our 3019 * interface doesn't want to talk IP at all. (This could 3020 * be the case if somebody wants to speak only IPX, for 3021 * example.) Don't open IPCP in this case. 3022 */ 3023 if (hisaddr == 0) { 3024 /* XXX this message should go away */ 3025 if (debug) 3026 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 3027 ifp->if_xname); 3028 return; 3029 } 3030 3031 if (myaddr == 0) { 3032 /* 3033 * I don't have an assigned address, so i need to 3034 * negotiate my address. 3035 */ 3036 sp->ipcp.flags |= IPCP_MYADDR_DYN; 3037 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3038 } 3039 if (hisaddr == 1) { 3040 /* 3041 * XXX - remove this hack! 3042 * remote has no valid address, we need to get one assigned. 3043 */ 3044 sp->ipcp.flags |= IPCP_HISADDR_DYN; 3045 } 3046 sppp_open_event(&ipcp, sp); 3047 } 3048 3049 static void 3050 sppp_ipcp_close(struct sppp *sp) 3051 { 3052 3053 KASSERT(SPPP_WLOCKED(sp)); 3054 3055 sppp_close_event(&ipcp, sp); 3056 3057 #ifdef INET 3058 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) 3059 /* 3060 * Some address was dynamic, clear it again. 3061 */ 3062 sppp_clear_ip_addrs(sp); 3063 #endif 3064 } 3065 3066 static void 3067 sppp_ipcp_TO(void *cookie) 3068 { 3069 struct sppp *sp = cookie; 3070 3071 SPPP_LOCK(sp, RW_WRITER); 3072 sppp_to_event(&ipcp, sp); 3073 SPPP_UNLOCK(sp); 3074 } 3075 3076 /* 3077 * Analyze a configure request. Return true if it was agreeable, and 3078 * caused action sca, false if it has been rejected or nak'ed, and 3079 * caused action scn. (The return value is used to make the state 3080 * transition decision in the state automaton.) 3081 */ 3082 static int 3083 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3084 { 3085 u_char *buf, *r, *p, l, blen; 3086 struct ifnet *ifp = &sp->pp_if; 3087 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3088 uint32_t hisaddr, desiredaddr; 3089 3090 KASSERT(SPPP_WLOCKED(sp)); 3091 3092 len -= 4; 3093 origlen = len; 3094 /* 3095 * Make sure to allocate a buf that can at least hold a 3096 * conf-nak with an `address' option. We might need it below. 3097 */ 3098 blen = len < 6 ? 6 : len; 3099 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3100 if (! buf) 3101 return (0); 3102 3103 /* pass 1: see if we can recognize them */ 3104 if (debug) 3105 log(LOG_DEBUG, "%s: ipcp parse opts:", 3106 ifp->if_xname); 3107 p = (void *)(h + 1); 3108 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3109 /* Sanity check option length */ 3110 if (l > len) { 3111 /* XXX should we just RXJ? */ 3112 addlog("%s: malicious IPCP option received, dropping\n", 3113 ifp->if_xname); 3114 goto drop; 3115 } 3116 if (debug) 3117 addlog(" %s", sppp_ipcp_opt_name(*p)); 3118 switch (*p) { 3119 #ifdef notyet 3120 case IPCP_OPT_COMPRESSION: 3121 if (len >= 6 && l >= 6) { 3122 /* correctly formed compress option */ 3123 continue; 3124 } 3125 if (debug) 3126 addlog(" [invalid]"); 3127 break; 3128 #endif 3129 case IPCP_OPT_ADDRESS: 3130 if (len >= 6 && l == 6) { 3131 /* correctly formed address option */ 3132 continue; 3133 } 3134 if (debug) 3135 addlog(" [invalid]"); 3136 break; 3137 default: 3138 /* Others not supported. */ 3139 if (debug) 3140 addlog(" [rej]"); 3141 break; 3142 } 3143 /* Add the option to rejected list. */ 3144 if (rlen + l > blen) { 3145 if (debug) 3146 addlog(" [overflow]"); 3147 continue; 3148 } 3149 memcpy(r, p, l); 3150 r += l; 3151 rlen += l; 3152 } 3153 if (rlen) { 3154 if (debug) 3155 addlog(" send conf-rej\n"); 3156 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 3157 goto end; 3158 } else if (debug) 3159 addlog("\n"); 3160 3161 /* pass 2: parse option values */ 3162 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 3163 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 3164 else 3165 #ifdef INET 3166 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 3167 #else 3168 hisaddr = 0; 3169 #endif 3170 if (debug) 3171 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 3172 ifp->if_xname); 3173 p = (void *)(h + 1); 3174 len = origlen; 3175 for (rlen=0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3176 if (debug) 3177 addlog(" %s", sppp_ipcp_opt_name(*p)); 3178 switch (*p) { 3179 #ifdef notyet 3180 case IPCP_OPT_COMPRESSION: 3181 continue; 3182 #endif 3183 case IPCP_OPT_ADDRESS: 3184 desiredaddr = p[2] << 24 | p[3] << 16 | 3185 p[4] << 8 | p[5]; 3186 if (desiredaddr == hisaddr || 3187 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 3188 /* 3189 * Peer's address is same as our value, 3190 * this is agreeable. Gonna conf-ack 3191 * it. 3192 */ 3193 if (debug) 3194 addlog(" %s [ack]", 3195 sppp_dotted_quad(hisaddr)); 3196 /* record that we've seen it already */ 3197 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 3198 sp->ipcp.req_hisaddr = desiredaddr; 3199 hisaddr = desiredaddr; 3200 continue; 3201 } 3202 /* 3203 * The address wasn't agreeable. This is either 3204 * he sent us 0.0.0.0, asking to assign him an 3205 * address, or he send us another address not 3206 * matching our value. Either case, we gonna 3207 * conf-nak it with our value. 3208 */ 3209 if (debug) { 3210 if (desiredaddr == 0) 3211 addlog(" [addr requested]"); 3212 else 3213 addlog(" %s [not agreed]", 3214 sppp_dotted_quad(desiredaddr)); 3215 } 3216 3217 p[2] = hisaddr >> 24; 3218 p[3] = hisaddr >> 16; 3219 p[4] = hisaddr >> 8; 3220 p[5] = hisaddr; 3221 break; 3222 } 3223 if (rlen + l > blen) { 3224 if (debug) 3225 addlog(" [overflow]"); 3226 continue; 3227 } 3228 /* Add the option to nak'ed list. */ 3229 memcpy(r, p, l); 3230 r += l; 3231 rlen += l; 3232 } 3233 3234 /* 3235 * If we are about to conf-ack the request, but haven't seen 3236 * his address so far, gonna conf-nak it instead, with the 3237 * `address' option present and our idea of his address being 3238 * filled in there, to request negotiation of both addresses. 3239 * 3240 * XXX This can result in an endless req - nak loop if peer 3241 * doesn't want to send us his address. Q: What should we do 3242 * about it? XXX A: implement the max-failure counter. 3243 */ 3244 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) { 3245 buf[0] = IPCP_OPT_ADDRESS; 3246 buf[1] = 6; 3247 buf[2] = hisaddr >> 24; 3248 buf[3] = hisaddr >> 16; 3249 buf[4] = hisaddr >> 8; 3250 buf[5] = hisaddr; 3251 rlen = 6; 3252 if (debug) 3253 addlog(" still need hisaddr"); 3254 } 3255 3256 if (rlen) { 3257 if (debug) 3258 addlog(" send conf-nak\n"); 3259 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3260 } else { 3261 if (debug) 3262 addlog(" send conf-ack\n"); 3263 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1); 3264 } 3265 3266 end: 3267 free(buf, M_TEMP); 3268 return (rlen == 0); 3269 3270 drop: 3271 free(buf, M_TEMP); 3272 return -1; 3273 } 3274 3275 /* 3276 * Analyze the IPCP Configure-Reject option list, and adjust our 3277 * negotiation. 3278 */ 3279 static void 3280 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3281 { 3282 u_char *buf, *p, l, blen; 3283 struct ifnet *ifp = &sp->pp_if; 3284 int debug = ifp->if_flags & IFF_DEBUG; 3285 3286 KASSERT(SPPP_WLOCKED(sp)); 3287 3288 len -= 4; 3289 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3290 if (!buf) 3291 return; 3292 3293 if (debug) 3294 log(LOG_DEBUG, "%s: ipcp rej opts:", 3295 ifp->if_xname); 3296 3297 p = (void *)(h + 1); 3298 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3299 /* Sanity check option length */ 3300 if (l > len) { 3301 /* XXX should we just RXJ? */ 3302 addlog("%s: malicious IPCP option received, dropping\n", 3303 ifp->if_xname); 3304 goto drop; 3305 } 3306 if (debug) 3307 addlog(" %s", sppp_ipcp_opt_name(*p)); 3308 switch (*p) { 3309 case IPCP_OPT_ADDRESS: 3310 /* 3311 * Peer doesn't grok address option. This is 3312 * bad. XXX Should we better give up here? 3313 */ 3314 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3315 break; 3316 #ifdef notyet 3317 case IPCP_OPT_COMPRESS: 3318 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS); 3319 break; 3320 #endif 3321 } 3322 } 3323 if (debug) 3324 addlog("\n"); 3325 drop: 3326 free(buf, M_TEMP); 3327 return; 3328 } 3329 3330 /* 3331 * Analyze the IPCP Configure-NAK option list, and adjust our 3332 * negotiation. 3333 */ 3334 static void 3335 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3336 { 3337 u_char *p, l; 3338 struct ifnet *ifp = &sp->pp_if; 3339 int debug = ifp->if_flags & IFF_DEBUG; 3340 uint32_t wantaddr; 3341 3342 KASSERT(SPPP_WLOCKED(sp)); 3343 3344 len -= 4; 3345 3346 if (debug) 3347 log(LOG_DEBUG, "%s: ipcp nak opts:", 3348 ifp->if_xname); 3349 3350 p = (void *)(h + 1); 3351 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3352 /* Sanity check option length */ 3353 if (l > len) { 3354 /* XXX should we just RXJ? */ 3355 addlog("%s: malicious IPCP option received, dropping\n", 3356 ifp->if_xname); 3357 return; 3358 } 3359 if (debug) 3360 addlog(" %s", sppp_ipcp_opt_name(*p)); 3361 switch (*p) { 3362 case IPCP_OPT_ADDRESS: 3363 /* 3364 * Peer doesn't like our local IP address. See 3365 * if we can do something for him. We'll drop 3366 * him our address then. 3367 */ 3368 if (len >= 6 && l == 6) { 3369 wantaddr = p[2] << 24 | p[3] << 16 | 3370 p[4] << 8 | p[5]; 3371 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3372 if (debug) 3373 addlog(" [wantaddr %s]", 3374 sppp_dotted_quad(wantaddr)); 3375 /* 3376 * When doing dynamic address assignment, 3377 * we accept his offer. Otherwise, we 3378 * ignore it and thus continue to negotiate 3379 * our already existing value. 3380 */ 3381 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3382 if (debug) 3383 addlog(" [agree]"); 3384 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3385 sp->ipcp.req_myaddr = wantaddr; 3386 } 3387 } 3388 break; 3389 3390 case IPCP_OPT_PRIMDNS: 3391 if (len >= 6 && l == 6) { 3392 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 3393 p[4] << 8 | p[5]; 3394 } 3395 break; 3396 3397 case IPCP_OPT_SECDNS: 3398 if (len >= 6 && l == 6) { 3399 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 3400 p[4] << 8 | p[5]; 3401 } 3402 break; 3403 #ifdef notyet 3404 case IPCP_OPT_COMPRESS: 3405 /* 3406 * Peer wants different compression parameters. 3407 */ 3408 break; 3409 #endif 3410 } 3411 } 3412 if (debug) 3413 addlog("\n"); 3414 } 3415 3416 static void 3417 sppp_ipcp_tlu(struct sppp *sp) 3418 { 3419 #ifdef INET 3420 KASSERT(SPPP_WLOCKED(sp)); 3421 /* we are up. Set addresses and notify anyone interested */ 3422 sppp_set_ip_addrs(sp); 3423 #endif 3424 } 3425 3426 static void 3427 sppp_ipcp_tld(struct sppp *sp) 3428 { 3429 3430 KASSERT(SPPP_WLOCKED(sp)); 3431 } 3432 3433 static void 3434 sppp_ipcp_tls(struct sppp *sp) 3435 { 3436 3437 KASSERT(SPPP_WLOCKED(sp)); 3438 /* indicate to LCP that it must stay alive */ 3439 sp->lcp.protos |= (1 << IDX_IPCP); 3440 } 3441 3442 static void 3443 sppp_ipcp_tlf(struct sppp *sp) 3444 { 3445 3446 KASSERT(SPPP_WLOCKED(sp)); 3447 3448 /* we no longer need LCP */ 3449 sp->lcp.protos &= ~(1 << IDX_IPCP); 3450 } 3451 3452 static void 3453 sppp_ipcp_scr(struct sppp *sp) 3454 { 3455 uint8_t opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 3456 #ifdef INET 3457 uint32_t ouraddr; 3458 #endif 3459 int i = 0; 3460 3461 KASSERT(SPPP_WLOCKED(sp)); 3462 3463 #ifdef notyet 3464 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3465 opt[i++] = IPCP_OPT_COMPRESSION; 3466 opt[i++] = 6; 3467 opt[i++] = 0; /* VJ header compression */ 3468 opt[i++] = 0x2d; /* VJ header compression */ 3469 opt[i++] = max_slot_id; 3470 opt[i++] = comp_slot_id; 3471 } 3472 #endif 3473 3474 #ifdef INET 3475 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3476 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) 3477 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 3478 else 3479 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3480 opt[i++] = IPCP_OPT_ADDRESS; 3481 opt[i++] = 6; 3482 opt[i++] = ouraddr >> 24; 3483 opt[i++] = ouraddr >> 16; 3484 opt[i++] = ouraddr >> 8; 3485 opt[i++] = ouraddr; 3486 } 3487 #endif 3488 3489 if (sp->query_dns & 1) { 3490 opt[i++] = IPCP_OPT_PRIMDNS; 3491 opt[i++] = 6; 3492 opt[i++] = sp->dns_addrs[0] >> 24; 3493 opt[i++] = sp->dns_addrs[0] >> 16; 3494 opt[i++] = sp->dns_addrs[0] >> 8; 3495 opt[i++] = sp->dns_addrs[0]; 3496 } 3497 if (sp->query_dns & 2) { 3498 opt[i++] = IPCP_OPT_SECDNS; 3499 opt[i++] = 6; 3500 opt[i++] = sp->dns_addrs[1] >> 24; 3501 opt[i++] = sp->dns_addrs[1] >> 16; 3502 opt[i++] = sp->dns_addrs[1] >> 8; 3503 opt[i++] = sp->dns_addrs[1]; 3504 } 3505 3506 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3507 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3508 } 3509 3510 3511 /* 3512 *--------------------------------------------------------------------------* 3513 * * 3514 * The IPv6CP implementation. * 3515 * * 3516 *--------------------------------------------------------------------------* 3517 */ 3518 3519 #ifdef INET6 3520 static void 3521 sppp_ipv6cp_init(struct sppp *sp) 3522 { 3523 3524 KASSERT(SPPP_WLOCKED(sp)); 3525 3526 sp->ipv6cp.opts = 0; 3527 sp->ipv6cp.flags = 0; 3528 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3529 sp->fail_counter[IDX_IPV6CP] = 0; 3530 sp->pp_seq[IDX_IPV6CP] = 0; 3531 sp->pp_rseq[IDX_IPV6CP] = 0; 3532 callout_init(&sp->ch[IDX_IPV6CP], CALLOUT_MPSAFE); 3533 } 3534 3535 static void 3536 sppp_ipv6cp_up(struct sppp *sp) 3537 { 3538 3539 KASSERT(SPPP_WLOCKED(sp)); 3540 sppp_up_event(&ipv6cp, sp); 3541 } 3542 3543 static void 3544 sppp_ipv6cp_down(struct sppp *sp) 3545 { 3546 3547 KASSERT(SPPP_WLOCKED(sp)); 3548 sppp_down_event(&ipv6cp, sp); 3549 } 3550 3551 static void 3552 sppp_ipv6cp_open(struct sppp *sp) 3553 { 3554 STDDCL; 3555 struct in6_addr myaddr, hisaddr; 3556 3557 KASSERT(SPPP_WLOCKED(sp)); 3558 3559 #ifdef IPV6CP_MYIFID_DYN 3560 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3561 #else 3562 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3563 #endif 3564 3565 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3566 /* 3567 * If we don't have our address, this probably means our 3568 * interface doesn't want to talk IPv6 at all. (This could 3569 * be the case if somebody wants to speak only IPX, for 3570 * example.) Don't open IPv6CP in this case. 3571 */ 3572 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3573 /* XXX this message should go away */ 3574 if (debug) 3575 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 3576 ifp->if_xname); 3577 return; 3578 } 3579 3580 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3581 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3582 sppp_open_event(&ipv6cp, sp); 3583 } 3584 3585 static void 3586 sppp_ipv6cp_close(struct sppp *sp) 3587 { 3588 3589 KASSERT(SPPP_WLOCKED(sp)); 3590 sppp_close_event(&ipv6cp, sp); 3591 } 3592 3593 static void 3594 sppp_ipv6cp_TO(void *cookie) 3595 { 3596 struct sppp *sp = cookie; 3597 3598 SPPP_LOCK(sp, RW_WRITER); 3599 sppp_to_event(&ipv6cp, sp); 3600 SPPP_UNLOCK(sp); 3601 } 3602 3603 /* 3604 * Analyze a configure request. Return true if it was agreeable, and 3605 * caused action sca, false if it has been rejected or nak'ed, and 3606 * caused action scn. (The return value is used to make the state 3607 * transition decision in the state automaton.) 3608 */ 3609 static int 3610 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3611 { 3612 u_char *buf, *r, *p, l, blen; 3613 struct ifnet *ifp = &sp->pp_if; 3614 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3615 struct in6_addr myaddr, desiredaddr, suggestaddr; 3616 int ifidcount; 3617 int type; 3618 int collision, nohisaddr; 3619 char ip6buf[INET6_ADDRSTRLEN]; 3620 3621 KASSERT(SPPP_WLOCKED(sp)); 3622 3623 len -= 4; 3624 origlen = len; 3625 /* 3626 * Make sure to allocate a buf that can at least hold a 3627 * conf-nak with an `address' option. We might need it below. 3628 */ 3629 blen = len < 6 ? 6 : len; 3630 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3631 if (! buf) 3632 return (0); 3633 3634 /* pass 1: see if we can recognize them */ 3635 if (debug) 3636 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 3637 ifp->if_xname); 3638 p = (void *)(h + 1); 3639 ifidcount = 0; 3640 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3641 /* Sanity check option length */ 3642 if (l > len) { 3643 /* XXX just RXJ? */ 3644 addlog("%s: received malicious IPCPv6 option, " 3645 "dropping\n", ifp->if_xname); 3646 goto drop; 3647 } 3648 if (debug) 3649 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3650 switch (*p) { 3651 case IPV6CP_OPT_IFID: 3652 if (len >= 10 && l == 10 && ifidcount == 0) { 3653 /* correctly formed address option */ 3654 ifidcount++; 3655 continue; 3656 } 3657 if (debug) 3658 addlog(" [invalid]"); 3659 break; 3660 #ifdef notyet 3661 case IPV6CP_OPT_COMPRESSION: 3662 if (len >= 4 && l >= 4) { 3663 /* correctly formed compress option */ 3664 continue; 3665 } 3666 if (debug) 3667 addlog(" [invalid]"); 3668 break; 3669 #endif 3670 default: 3671 /* Others not supported. */ 3672 if (debug) 3673 addlog(" [rej]"); 3674 break; 3675 } 3676 if (rlen + l > blen) { 3677 if (debug) 3678 addlog(" [overflow]"); 3679 continue; 3680 } 3681 /* Add the option to rejected list. */ 3682 memcpy(r, p, l); 3683 r += l; 3684 rlen += l; 3685 } 3686 if (rlen) { 3687 if (debug) 3688 addlog(" send conf-rej\n"); 3689 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3690 goto end; 3691 } else if (debug) 3692 addlog("\n"); 3693 3694 /* pass 2: parse option values */ 3695 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3696 if (debug) 3697 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 3698 ifp->if_xname); 3699 p = (void *)(h + 1); 3700 len = origlen; 3701 type = CONF_ACK; 3702 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3703 if (debug) 3704 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3705 switch (*p) { 3706 #ifdef notyet 3707 case IPV6CP_OPT_COMPRESSION: 3708 continue; 3709 #endif 3710 case IPV6CP_OPT_IFID: 3711 memset(&desiredaddr, 0, sizeof(desiredaddr)); 3712 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 3713 collision = (memcmp(&desiredaddr.s6_addr[8], 3714 &myaddr.s6_addr[8], 8) == 0); 3715 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3716 3717 desiredaddr.s6_addr16[0] = htons(0xfe80); 3718 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 3719 3720 if (!collision && !nohisaddr) { 3721 /* no collision, hisaddr known - Conf-Ack */ 3722 type = CONF_ACK; 3723 3724 if (debug) { 3725 addlog(" %s [%s]", 3726 IN6_PRINT(ip6buf, &desiredaddr), 3727 sppp_cp_type_name(type)); 3728 } 3729 continue; 3730 } 3731 3732 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3733 if (collision && nohisaddr) { 3734 /* collision, hisaddr unknown - Conf-Rej */ 3735 type = CONF_REJ; 3736 memset(&p[2], 0, 8); 3737 } else { 3738 /* 3739 * - no collision, hisaddr unknown, or 3740 * - collision, hisaddr known 3741 * Conf-Nak, suggest hisaddr 3742 */ 3743 type = CONF_NAK; 3744 sppp_suggest_ip6_addr(sp, &suggestaddr); 3745 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 3746 } 3747 if (debug) 3748 addlog(" %s [%s]", IN6_PRINT(ip6buf, &desiredaddr), 3749 sppp_cp_type_name(type)); 3750 break; 3751 } 3752 if (rlen + l > blen) { 3753 if (debug) 3754 addlog(" [overflow]"); 3755 continue; 3756 } 3757 /* Add the option to nak'ed list. */ 3758 memcpy(r, p, l); 3759 r += l; 3760 rlen += l; 3761 } 3762 3763 if (rlen == 0 && type == CONF_ACK) { 3764 if (debug) 3765 addlog(" send %s\n", sppp_cp_type_name(type)); 3766 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1); 3767 } else { 3768 #ifdef notdef 3769 if (type == CONF_ACK) 3770 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3771 #endif 3772 3773 if (debug) { 3774 addlog(" send %s suggest %s\n", 3775 sppp_cp_type_name(type), IN6_PRINT(ip6buf, &suggestaddr)); 3776 } 3777 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3778 } 3779 3780 end: 3781 free(buf, M_TEMP); 3782 return (rlen == 0); 3783 3784 drop: 3785 free(buf, M_TEMP); 3786 return -1; 3787 } 3788 3789 /* 3790 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3791 * negotiation. 3792 */ 3793 static void 3794 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3795 { 3796 u_char *buf, *p, l, blen; 3797 struct ifnet *ifp = &sp->pp_if; 3798 int debug = ifp->if_flags & IFF_DEBUG; 3799 3800 KASSERT(SPPP_WLOCKED(sp)); 3801 3802 len -= 4; 3803 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3804 if (!buf) 3805 return; 3806 3807 if (debug) 3808 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 3809 ifp->if_xname); 3810 3811 p = (void *)(h + 1); 3812 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3813 if (l > len) { 3814 /* XXX just RXJ? */ 3815 addlog("%s: received malicious IPCPv6 option, " 3816 "dropping\n", ifp->if_xname); 3817 goto drop; 3818 } 3819 if (debug) 3820 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3821 switch (*p) { 3822 case IPV6CP_OPT_IFID: 3823 /* 3824 * Peer doesn't grok address option. This is 3825 * bad. XXX Should we better give up here? 3826 */ 3827 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3828 break; 3829 #ifdef notyet 3830 case IPV6CP_OPT_COMPRESS: 3831 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3832 break; 3833 #endif 3834 } 3835 } 3836 if (debug) 3837 addlog("\n"); 3838 drop: 3839 free(buf, M_TEMP); 3840 return; 3841 } 3842 3843 /* 3844 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3845 * negotiation. 3846 */ 3847 static void 3848 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3849 { 3850 u_char *buf, *p, l, blen; 3851 struct ifnet *ifp = &sp->pp_if; 3852 int debug = ifp->if_flags & IFF_DEBUG; 3853 struct in6_addr suggestaddr; 3854 char ip6buf[INET6_ADDRSTRLEN]; 3855 3856 KASSERT(SPPP_WLOCKED(sp)); 3857 3858 len -= 4; 3859 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3860 if (!buf) 3861 return; 3862 3863 if (debug) 3864 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 3865 ifp->if_xname); 3866 3867 p = (void *)(h + 1); 3868 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3869 if (l > len) { 3870 /* XXX just RXJ? */ 3871 addlog("%s: received malicious IPCPv6 option, " 3872 "dropping\n", ifp->if_xname); 3873 goto drop; 3874 } 3875 if (debug) 3876 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3877 switch (*p) { 3878 case IPV6CP_OPT_IFID: 3879 /* 3880 * Peer doesn't like our local ifid. See 3881 * if we can do something for him. We'll drop 3882 * him our address then. 3883 */ 3884 if (len < 10 || l != 10) 3885 break; 3886 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3887 suggestaddr.s6_addr16[0] = htons(0xfe80); 3888 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 3889 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 3890 3891 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3892 if (debug) 3893 addlog(" [suggestaddr %s]", 3894 IN6_PRINT(ip6buf, &suggestaddr)); 3895 #ifdef IPV6CP_MYIFID_DYN 3896 /* 3897 * When doing dynamic address assignment, 3898 * we accept his offer. 3899 */ 3900 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3901 struct in6_addr lastsuggest; 3902 /* 3903 * If <suggested myaddr from peer> equals to 3904 * <hisaddr we have suggested last time>, 3905 * we have a collision. generate new random 3906 * ifid. 3907 */ 3908 sppp_suggest_ip6_addr(&lastsuggest); 3909 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3910 lastsuggest)) { 3911 if (debug) 3912 addlog(" [random]"); 3913 sppp_gen_ip6_addr(sp, &suggestaddr); 3914 } 3915 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3916 if (debug) 3917 addlog(" [agree]"); 3918 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3919 } 3920 #else 3921 /* 3922 * Since we do not do dynamic address assignment, 3923 * we ignore it and thus continue to negotiate 3924 * our already existing value. This can possibly 3925 * go into infinite request-reject loop. 3926 * 3927 * This is not likely because we normally use 3928 * ifid based on MAC-address. 3929 * If you have no ethernet card on the node, too bad. 3930 * XXX should we use fail_counter? 3931 */ 3932 #endif 3933 break; 3934 #ifdef notyet 3935 case IPV6CP_OPT_COMPRESS: 3936 /* 3937 * Peer wants different compression parameters. 3938 */ 3939 break; 3940 #endif 3941 } 3942 } 3943 if (debug) 3944 addlog("\n"); 3945 drop: 3946 free(buf, M_TEMP); 3947 return; 3948 } 3949 3950 static void 3951 sppp_ipv6cp_tlu(struct sppp *sp) 3952 { 3953 3954 KASSERT(SPPP_WLOCKED(sp)); 3955 /* we are up - notify isdn daemon */ 3956 sppp_notify_con_wlocked(sp); 3957 } 3958 3959 static void 3960 sppp_ipv6cp_tld(struct sppp *sp) 3961 { 3962 3963 KASSERT(SPPP_WLOCKED(sp)); 3964 } 3965 3966 static void 3967 sppp_ipv6cp_tls(struct sppp *sp) 3968 { 3969 3970 KASSERT(SPPP_WLOCKED(sp)); 3971 /* indicate to LCP that it must stay alive */ 3972 sp->lcp.protos |= (1 << IDX_IPV6CP); 3973 } 3974 3975 static void 3976 sppp_ipv6cp_tlf(struct sppp *sp) 3977 { 3978 3979 KASSERT(SPPP_WLOCKED(sp)); 3980 /* we no longer need LCP */ 3981 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3982 } 3983 3984 static void 3985 sppp_ipv6cp_scr(struct sppp *sp) 3986 { 3987 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3988 struct in6_addr ouraddr; 3989 int i = 0; 3990 3991 KASSERT(SPPP_WLOCKED(sp)); 3992 3993 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3994 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3995 opt[i++] = IPV6CP_OPT_IFID; 3996 opt[i++] = 10; 3997 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 3998 i += 8; 3999 } 4000 4001 #ifdef notyet 4002 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 4003 opt[i++] = IPV6CP_OPT_COMPRESSION; 4004 opt[i++] = 4; 4005 opt[i++] = 0; /* TBD */ 4006 opt[i++] = 0; /* TBD */ 4007 /* variable length data may follow */ 4008 } 4009 #endif 4010 4011 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 4012 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 4013 } 4014 #else /*INET6*/ 4015 static void 4016 sppp_ipv6cp_init(struct sppp *sp) 4017 { 4018 4019 KASSERT(SPPP_WLOCKED(sp)); 4020 } 4021 4022 static void 4023 sppp_ipv6cp_up(struct sppp *sp) 4024 { 4025 4026 KASSERT(SPPP_WLOCKED(sp)); 4027 } 4028 4029 static void 4030 sppp_ipv6cp_down(struct sppp *sp) 4031 { 4032 4033 KASSERT(SPPP_WLOCKED(sp)); 4034 } 4035 4036 static void 4037 sppp_ipv6cp_open(struct sppp *sp) 4038 { 4039 4040 KASSERT(SPPP_WLOCKED(sp)); 4041 } 4042 4043 static void 4044 sppp_ipv6cp_close(struct sppp *sp) 4045 { 4046 4047 KASSERT(SPPP_WLOCKED(sp)); 4048 } 4049 4050 static void 4051 sppp_ipv6cp_TO(void *cookie) 4052 { 4053 struct sppp *sp __diagused = cookie; 4054 4055 KASSERT(SPPP_WLOCKED(sp)); 4056 } 4057 4058 static int 4059 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, 4060 int len) 4061 { 4062 4063 KASSERT(SPPP_WLOCKED(sp)); 4064 return 0; 4065 } 4066 4067 static void 4068 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, 4069 int len) 4070 { 4071 4072 KASSERT(SPPP_WLOCKED(sp)); 4073 } 4074 4075 static void 4076 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, 4077 int len) 4078 { 4079 4080 KASSERT(SPPP_WLOCKED(sp)); 4081 } 4082 4083 static void 4084 sppp_ipv6cp_tlu(struct sppp *sp) 4085 { 4086 4087 KASSERT(SPPP_WLOCKED(sp)); 4088 } 4089 4090 static void 4091 sppp_ipv6cp_tld(struct sppp *sp) 4092 { 4093 4094 KASSERT(SPPP_WLOCKED(sp)); 4095 } 4096 4097 static void 4098 sppp_ipv6cp_tls(struct sppp *sp) 4099 { 4100 4101 KASSERT(SPPP_WLOCKED(sp)); 4102 } 4103 4104 static void 4105 sppp_ipv6cp_tlf(struct sppp *sp) 4106 { 4107 4108 KASSERT(SPPP_WLOCKED(sp)); 4109 } 4110 4111 static void 4112 sppp_ipv6cp_scr(struct sppp *sp) 4113 { 4114 4115 KASSERT(SPPP_WLOCKED(sp)); 4116 } 4117 #endif /*INET6*/ 4118 4119 4120 /* 4121 *--------------------------------------------------------------------------* 4122 * * 4123 * The CHAP implementation. * 4124 * * 4125 *--------------------------------------------------------------------------* 4126 */ 4127 4128 /* 4129 * The authentication protocols don't employ a full-fledged state machine as 4130 * the control protocols do, since they do have Open and Close events, but 4131 * not Up and Down, nor are they explicitly terminated. Also, use of the 4132 * authentication protocols may be different in both directions (this makes 4133 * sense, think of a machine that never accepts incoming calls but only 4134 * calls out, it doesn't require the called party to authenticate itself). 4135 * 4136 * Our state machine for the local authentication protocol (we are requesting 4137 * the peer to authenticate) looks like: 4138 * 4139 * RCA- 4140 * +--------------------------------------------+ 4141 * V scn,tld| 4142 * +--------+ Close +---------+ RCA+ 4143 * | |<----------------------------------| |------+ 4144 * +--->| Closed | TO* | Opened | sca | 4145 * | | |-----+ +-------| |<-----+ 4146 * | +--------+ irc | | +---------+ 4147 * | ^ | | ^ 4148 * | | | | | 4149 * | | | | | 4150 * | TO-| | | | 4151 * | |tld TO+ V | | 4152 * | | +------->+ | | 4153 * | | | | | | 4154 * | +--------+ V | | 4155 * | | |<----+<--------------------+ | 4156 * | | Req- | scr | 4157 * | | Sent | | 4158 * | | | | 4159 * | +--------+ | 4160 * | RCA- | | RCA+ | 4161 * +------+ +------------------------------------------+ 4162 * scn,tld sca,irc,ict,tlu 4163 * 4164 * 4165 * with: 4166 * 4167 * Open: LCP reached authentication phase 4168 * Close: LCP reached terminate phase 4169 * 4170 * RCA+: received reply (pap-req, chap-response), acceptable 4171 * RCN: received reply (pap-req, chap-response), not acceptable 4172 * TO+: timeout with restart counter >= 0 4173 * TO-: timeout with restart counter < 0 4174 * TO*: reschedule timeout for CHAP 4175 * 4176 * scr: send request packet (none for PAP, chap-challenge) 4177 * sca: send ack packet (pap-ack, chap-success) 4178 * scn: send nak packet (pap-nak, chap-failure) 4179 * ict: initialize re-challenge timer (CHAP only) 4180 * 4181 * tlu: this-layer-up, LCP reaches network phase 4182 * tld: this-layer-down, LCP enters terminate phase 4183 * 4184 * Note that in CHAP mode, after sending a new challenge, while the state 4185 * automaton falls back into Req-Sent state, it doesn't signal a tld 4186 * event to LCP, so LCP remains in network phase. Only after not getting 4187 * any response (or after getting an unacceptable response), CHAP closes, 4188 * causing LCP to enter terminate phase. 4189 * 4190 * With PAP, there is no initial request that can be sent. The peer is 4191 * expected to send one based on the successful negotiation of PAP as 4192 * the authentication protocol during the LCP option negotiation. 4193 * 4194 * Incoming authentication protocol requests (remote requests 4195 * authentication, we are peer) don't employ a state machine at all, 4196 * they are simply answered. Some peers [Ascend P50 firmware rev 4197 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are 4198 * still in authentication phase (thereby violating the standard that 4199 * demands that these NCP packets are to be discarded), so we keep 4200 * track of the peer demanding us to authenticate, and only proceed to 4201 * phase network once we've seen a positive acknowledge for the 4202 * authentication. 4203 */ 4204 4205 /* 4206 * Handle incoming CHAP packets. 4207 */ 4208 void 4209 sppp_chap_input(struct sppp *sp, struct mbuf *m) 4210 { 4211 STDDCL; 4212 struct lcp_header *h; 4213 int len, x; 4214 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize; 4215 int value_len, name_len; 4216 MD5_CTX ctx; 4217 4218 len = m->m_pkthdr.len; 4219 if (len < 4) { 4220 if (debug) 4221 log(LOG_DEBUG, 4222 "%s: chap invalid packet length: %d bytes\n", 4223 ifp->if_xname, len); 4224 return; 4225 } 4226 h = mtod(m, struct lcp_header *); 4227 if (len > ntohs(h->len)) 4228 len = ntohs(h->len); 4229 4230 SPPP_LOCK(sp, RW_WRITER); 4231 4232 switch (h->type) { 4233 /* challenge, failure and success are his authproto */ 4234 case CHAP_CHALLENGE: 4235 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4236 /* can't do anything useful */ 4237 sp->pp_auth_failures++; 4238 printf("%s: chap input without my name and my secret being set\n", 4239 ifp->if_xname); 4240 break; 4241 } 4242 value = 1 + (u_char *)(h + 1); 4243 value_len = value[-1]; 4244 name = value + value_len; 4245 name_len = len - value_len - 5; 4246 if (name_len < 0) { 4247 if (debug) { 4248 log(LOG_DEBUG, 4249 "%s: chap corrupted challenge " 4250 "<%s id=0x%x len=%d", 4251 ifp->if_xname, 4252 sppp_auth_type_name(PPP_CHAP, h->type), 4253 h->ident, ntohs(h->len)); 4254 if (len > 4) 4255 sppp_print_bytes((u_char *)(h + 1), 4256 len - 4); 4257 addlog(">\n"); 4258 } 4259 break; 4260 } 4261 4262 if (debug) { 4263 log(LOG_DEBUG, 4264 "%s: chap input <%s id=0x%x len=%d name=", 4265 ifp->if_xname, 4266 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 4267 ntohs(h->len)); 4268 sppp_print_string((char *) name, name_len); 4269 addlog(" value-size=%d value=", value_len); 4270 sppp_print_bytes(value, value_len); 4271 addlog(">\n"); 4272 } 4273 4274 /* Compute reply value. */ 4275 MD5Init(&ctx); 4276 MD5Update(&ctx, &h->ident, 1); 4277 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 4278 MD5Update(&ctx, value, value_len); 4279 MD5Final(digest, &ctx); 4280 dsize = sizeof digest; 4281 4282 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 4283 sizeof dsize, (const char *)&dsize, 4284 sizeof digest, digest, 4285 sp->myauth.name_len, 4286 sp->myauth.name, 4287 0); 4288 break; 4289 4290 case CHAP_SUCCESS: 4291 if (debug) { 4292 log(LOG_DEBUG, "%s: chap success", 4293 ifp->if_xname); 4294 if (len > 4) { 4295 addlog(": "); 4296 sppp_print_string((char *)(h + 1), len - 4); 4297 } 4298 addlog("\n"); 4299 } 4300 x = splnet(); 4301 sp->pp_auth_failures = 0; 4302 sp->pp_flags &= ~PP_NEEDAUTH; 4303 if (sp->myauth.proto == PPP_CHAP && 4304 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4305 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 4306 /* 4307 * We are authenticator for CHAP but didn't 4308 * complete yet. Leave it to tlu to proceed 4309 * to network phase. 4310 */ 4311 splx(x); 4312 break; 4313 } 4314 splx(x); 4315 sppp_phase_network(sp); 4316 break; 4317 4318 case CHAP_FAILURE: 4319 x = splnet(); 4320 sp->pp_auth_failures++; 4321 splx(x); 4322 if (debug) { 4323 log(LOG_INFO, "%s: chap failure", 4324 ifp->if_xname); 4325 if (len > 4) { 4326 addlog(": "); 4327 sppp_print_string((char *)(h + 1), len - 4); 4328 } 4329 addlog("\n"); 4330 } else 4331 log(LOG_INFO, "%s: chap failure\n", 4332 ifp->if_xname); 4333 /* await LCP shutdown by authenticator */ 4334 break; 4335 4336 /* response is my authproto */ 4337 case CHAP_RESPONSE: 4338 if (sp->hisauth.secret == NULL) { 4339 /* can't do anything useful */ 4340 printf("%s: chap input without his secret being set\n", 4341 ifp->if_xname); 4342 break; 4343 } 4344 value = 1 + (u_char *)(h + 1); 4345 value_len = value[-1]; 4346 name = value + value_len; 4347 name_len = len - value_len - 5; 4348 if (name_len < 0) { 4349 if (debug) { 4350 log(LOG_DEBUG, 4351 "%s: chap corrupted response " 4352 "<%s id=0x%x len=%d", 4353 ifp->if_xname, 4354 sppp_auth_type_name(PPP_CHAP, h->type), 4355 h->ident, ntohs(h->len)); 4356 if (len > 4) 4357 sppp_print_bytes((u_char *)(h + 1), 4358 len - 4); 4359 addlog(">\n"); 4360 } 4361 break; 4362 } 4363 if (h->ident != sp->confid[IDX_CHAP]) { 4364 if (debug) 4365 log(LOG_DEBUG, 4366 "%s: chap dropping response for old ID " 4367 "(got %d, expected %d)\n", 4368 ifp->if_xname, 4369 h->ident, sp->confid[IDX_CHAP]); 4370 break; 4371 } 4372 if (sp->hisauth.name != NULL && 4373 (name_len != sp->hisauth.name_len 4374 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 4375 log(LOG_INFO, "%s: chap response, his name ", 4376 ifp->if_xname); 4377 sppp_print_string(name, name_len); 4378 addlog(" != expected "); 4379 sppp_print_string(sp->hisauth.name, 4380 sp->hisauth.name_len); 4381 addlog("\n"); 4382 goto chap_failure; 4383 } 4384 if (debug) { 4385 log(LOG_DEBUG, "%s: chap input(%s) " 4386 "<%s id=0x%x len=%d name=", 4387 ifp->if_xname, 4388 sppp_state_name(sp->state[IDX_CHAP]), 4389 sppp_auth_type_name(PPP_CHAP, h->type), 4390 h->ident, ntohs(h->len)); 4391 sppp_print_string((char *)name, name_len); 4392 addlog(" value-size=%d value=", value_len); 4393 sppp_print_bytes(value, value_len); 4394 addlog(">\n"); 4395 } 4396 if (value_len != sizeof(sp->hisauth.challenge)) { 4397 if (debug) 4398 log(LOG_DEBUG, 4399 "%s: chap bad hash value length: " 4400 "%d bytes, should be %zu\n", 4401 ifp->if_xname, value_len, 4402 sizeof(sp->hisauth.challenge)); 4403 goto chap_failure; 4404 } 4405 4406 MD5Init(&ctx); 4407 MD5Update(&ctx, &h->ident, 1); 4408 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 4409 MD5Update(&ctx, sp->hisauth.challenge, sizeof(sp->hisauth.challenge)); 4410 MD5Final(digest, &ctx); 4411 4412 #define FAILMSG "Failed..." 4413 #define SUCCMSG "Welcome!" 4414 4415 if (value_len != sizeof digest || 4416 memcmp(digest, value, value_len) != 0) { 4417 chap_failure: 4418 KASSERT(SPPP_WLOCKED(sp)); 4419 /* action scn, tld */ 4420 sp->pp_auth_failures++; 4421 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4422 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4423 0); 4424 chap.tld(sp); 4425 break; 4426 } 4427 sp->pp_auth_failures = 0; 4428 /* action sca, perhaps tlu */ 4429 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4430 sp->state[IDX_CHAP] == STATE_OPENED) 4431 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4432 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4433 0); 4434 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4435 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4436 chap.tlu(sp); 4437 } 4438 break; 4439 4440 default: 4441 /* Unknown CHAP packet type -- ignore. */ 4442 if (debug) { 4443 log(LOG_DEBUG, "%s: chap unknown input(%s) " 4444 "<0x%x id=0x%xh len=%d", 4445 ifp->if_xname, 4446 sppp_state_name(sp->state[IDX_CHAP]), 4447 h->type, h->ident, ntohs(h->len)); 4448 if (len > 4) 4449 sppp_print_bytes((u_char *)(h + 1), len - 4); 4450 addlog(">\n"); 4451 } 4452 break; 4453 4454 } 4455 4456 SPPP_UNLOCK(sp); 4457 } 4458 4459 static void 4460 sppp_chap_init(struct sppp *sp) 4461 { 4462 4463 KASSERT(SPPP_WLOCKED(sp)); 4464 4465 /* Chap doesn't have STATE_INITIAL at all. */ 4466 sp->state[IDX_CHAP] = STATE_CLOSED; 4467 sp->fail_counter[IDX_CHAP] = 0; 4468 sp->pp_seq[IDX_CHAP] = 0; 4469 sp->pp_rseq[IDX_CHAP] = 0; 4470 callout_init(&sp->ch[IDX_CHAP], CALLOUT_MPSAFE); 4471 } 4472 4473 static void 4474 sppp_chap_open(struct sppp *sp) 4475 { 4476 4477 KASSERT(SPPP_WLOCKED(sp)); 4478 if (sp->hisauth.proto == PPP_CHAP && 4479 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4480 /* we are authenticator for CHAP, start it */ 4481 chap.scr(sp); 4482 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4483 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4484 } 4485 /* nothing to be done if we are peer, await a challenge */ 4486 } 4487 4488 static void 4489 sppp_chap_close(struct sppp *sp) 4490 { 4491 4492 KASSERT(SPPP_WLOCKED(sp)); 4493 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4494 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4495 } 4496 4497 static void 4498 sppp_chap_TO(void *cookie) 4499 { 4500 struct sppp *sp = (struct sppp *)cookie; 4501 STDDCL; 4502 int s; 4503 4504 s = splnet(); 4505 4506 SPPP_LOCK(sp, RW_WRITER); 4507 4508 if (debug) 4509 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n", 4510 ifp->if_xname, 4511 sppp_state_name(sp->state[IDX_CHAP]), 4512 sp->rst_counter[IDX_CHAP]); 4513 4514 if (--sp->rst_counter[IDX_CHAP] < 0) 4515 /* TO- event */ 4516 switch (sp->state[IDX_CHAP]) { 4517 case STATE_REQ_SENT: 4518 chap.tld(sp); 4519 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4520 break; 4521 } 4522 else 4523 /* TO+ (or TO*) event */ 4524 switch (sp->state[IDX_CHAP]) { 4525 case STATE_OPENED: 4526 /* TO* event */ 4527 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4528 /* fall through */ 4529 case STATE_REQ_SENT: 4530 chap.scr(sp); 4531 /* sppp_cp_change_state() will restart the timer */ 4532 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4533 break; 4534 } 4535 4536 SPPP_UNLOCK(sp); 4537 splx(s); 4538 } 4539 4540 static void 4541 sppp_chap_tlu(struct sppp *sp) 4542 { 4543 STDDCL; 4544 int i, x; 4545 4546 KASSERT(SPPP_WLOCKED(sp)); 4547 4548 i = 0; 4549 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4550 4551 /* 4552 * Some broken CHAP implementations (Conware CoNet, firmware 4553 * 4.0.?) don't want to re-authenticate their CHAP once the 4554 * initial challenge-response exchange has taken place. 4555 * Provide for an option to avoid rechallenges. 4556 */ 4557 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 4558 /* 4559 * Compute the re-challenge timeout. This will yield 4560 * a number between 300 and 810 seconds. 4561 */ 4562 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7); 4563 4564 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp); 4565 } 4566 4567 if (debug) { 4568 log(LOG_DEBUG, 4569 "%s: chap %s, ", 4570 ifp->if_xname, 4571 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu"); 4572 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) 4573 addlog("next re-challenge in %d seconds\n", i); 4574 else 4575 addlog("re-challenging suppressed\n"); 4576 } 4577 4578 x = splnet(); 4579 sp->pp_auth_failures = 0; 4580 /* indicate to LCP that we need to be closed down */ 4581 sp->lcp.protos |= (1 << IDX_CHAP); 4582 4583 if (sp->pp_flags & PP_NEEDAUTH) { 4584 /* 4585 * Remote is authenticator, but his auth proto didn't 4586 * complete yet. Defer the transition to network 4587 * phase. 4588 */ 4589 splx(x); 4590 return; 4591 } 4592 splx(x); 4593 4594 /* 4595 * If we are already in phase network, we are done here. This 4596 * is the case if this is a dummy tlu event after a re-challenge. 4597 */ 4598 if (sp->pp_phase != SPPP_PHASE_NETWORK) 4599 sppp_phase_network(sp); 4600 } 4601 4602 static void 4603 sppp_chap_tld(struct sppp *sp) 4604 { 4605 STDDCL; 4606 4607 KASSERT(SPPP_WLOCKED(sp)); 4608 4609 if (debug) 4610 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname); 4611 callout_stop(&sp->ch[IDX_CHAP]); 4612 sp->lcp.protos &= ~(1 << IDX_CHAP); 4613 4614 lcp.Close(sp); 4615 } 4616 4617 static void 4618 sppp_chap_scr(struct sppp *sp) 4619 { 4620 uint32_t *ch; 4621 u_char clen = 4 * sizeof(uint32_t); 4622 4623 KASSERT(SPPP_WLOCKED(sp)); 4624 4625 if (sp->hisauth.name == NULL) { 4626 /* can't do anything useful */ 4627 printf("%s: chap starting without his name being set\n", 4628 sp->pp_if.if_xname); 4629 return; 4630 } 4631 4632 /* Compute random challenge. */ 4633 ch = (uint32_t *)sp->hisauth.challenge; 4634 cprng_strong(kern_cprng, ch, clen, 0); 4635 4636 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4637 4638 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4639 sizeof clen, (const char *)&clen, 4640 sizeof(sp->hisauth.challenge), sp->hisauth.challenge, 4641 0); 4642 } 4643 4644 /* 4645 *--------------------------------------------------------------------------* 4646 * * 4647 * The PAP implementation. * 4648 * * 4649 *--------------------------------------------------------------------------* 4650 */ 4651 /* 4652 * For PAP, we need to keep a little state also if we are the peer, not the 4653 * authenticator. This is since we don't get a request to authenticate, but 4654 * have to repeatedly authenticate ourself until we got a response (or the 4655 * retry counter is expired). 4656 */ 4657 4658 /* 4659 * Handle incoming PAP packets. */ 4660 static void 4661 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4662 { 4663 STDDCL; 4664 struct lcp_header *h; 4665 int len, x; 4666 u_char mlen; 4667 char *name, *secret; 4668 int name_len, secret_len; 4669 4670 /* 4671 * Malicious input might leave this uninitialized, so 4672 * init to an impossible value. 4673 */ 4674 secret_len = -1; 4675 4676 len = m->m_pkthdr.len; 4677 if (len < 5) { 4678 if (debug) 4679 log(LOG_DEBUG, 4680 "%s: pap invalid packet length: %d bytes\n", 4681 ifp->if_xname, len); 4682 return; 4683 } 4684 h = mtod(m, struct lcp_header *); 4685 if (len > ntohs(h->len)) 4686 len = ntohs(h->len); 4687 4688 SPPP_LOCK(sp, RW_WRITER); 4689 4690 switch (h->type) { 4691 /* PAP request is my authproto */ 4692 case PAP_REQ: 4693 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4694 /* can't do anything useful */ 4695 printf("%s: " 4696 "pap request without his name and his secret being set\n", 4697 ifp->if_xname); 4698 break; 4699 } 4700 name = 1 + (u_char *)(h + 1); 4701 name_len = name[-1]; 4702 secret = name + name_len + 1; 4703 if (name_len > len - 6 || 4704 (secret_len = secret[-1]) > len - 6 - name_len) { 4705 if (debug) { 4706 log(LOG_DEBUG, "%s: pap corrupted input " 4707 "<%s id=0x%x len=%d", 4708 ifp->if_xname, 4709 sppp_auth_type_name(PPP_PAP, h->type), 4710 h->ident, ntohs(h->len)); 4711 if (len > 4) 4712 sppp_print_bytes((u_char *)(h + 1), 4713 len - 4); 4714 addlog(">\n"); 4715 } 4716 break; 4717 } 4718 if (debug) { 4719 log(LOG_DEBUG, "%s: pap input(%s) " 4720 "<%s id=0x%x len=%d name=", 4721 ifp->if_xname, 4722 sppp_state_name(sp->state[IDX_PAP]), 4723 sppp_auth_type_name(PPP_PAP, h->type), 4724 h->ident, ntohs(h->len)); 4725 sppp_print_string((char *)name, name_len); 4726 addlog(" secret="); 4727 sppp_print_string((char *)secret, secret_len); 4728 addlog(">\n"); 4729 } 4730 if (name_len != sp->hisauth.name_len || 4731 secret_len != sp->hisauth.secret_len || 4732 memcmp(name, sp->hisauth.name, name_len) != 0 || 4733 memcmp(secret, sp->hisauth.secret, secret_len) != 0) { 4734 /* action scn, tld */ 4735 sp->pp_auth_failures++; 4736 mlen = sizeof(FAILMSG) - 1; 4737 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4738 sizeof mlen, (const char *)&mlen, 4739 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4740 0); 4741 pap.tld(sp); 4742 break; 4743 } 4744 /* action sca, perhaps tlu */ 4745 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4746 sp->state[IDX_PAP] == STATE_OPENED) { 4747 mlen = sizeof(SUCCMSG) - 1; 4748 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4749 sizeof mlen, (const char *)&mlen, 4750 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4751 0); 4752 } 4753 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4754 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4755 pap.tlu(sp); 4756 } 4757 break; 4758 4759 /* ack and nak are his authproto */ 4760 case PAP_ACK: 4761 callout_stop(&sp->pap_my_to_ch); 4762 if (debug) { 4763 log(LOG_DEBUG, "%s: pap success", 4764 ifp->if_xname); 4765 name = 1 + (u_char *)(h + 1); 4766 name_len = name[-1]; 4767 if (len > 5 && name_len < len+4) { 4768 addlog(": "); 4769 sppp_print_string(name, name_len); 4770 } 4771 addlog("\n"); 4772 } 4773 x = splnet(); 4774 sp->pp_auth_failures = 0; 4775 sp->pp_flags &= ~PP_NEEDAUTH; 4776 if (sp->myauth.proto == PPP_PAP && 4777 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4778 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4779 /* 4780 * We are authenticator for PAP but didn't 4781 * complete yet. Leave it to tlu to proceed 4782 * to network phase. 4783 */ 4784 splx(x); 4785 break; 4786 } 4787 splx(x); 4788 sppp_phase_network(sp); 4789 break; 4790 4791 case PAP_NAK: 4792 callout_stop(&sp->pap_my_to_ch); 4793 sp->pp_auth_failures++; 4794 if (debug) { 4795 log(LOG_INFO, "%s: pap failure", 4796 ifp->if_xname); 4797 name = 1 + (u_char *)(h + 1); 4798 name_len = name[-1]; 4799 if (len > 5 && name_len < len+4) { 4800 addlog(": "); 4801 sppp_print_string(name, name_len); 4802 } 4803 addlog("\n"); 4804 } else 4805 log(LOG_INFO, "%s: pap failure\n", 4806 ifp->if_xname); 4807 /* await LCP shutdown by authenticator */ 4808 break; 4809 4810 default: 4811 /* Unknown PAP packet type -- ignore. */ 4812 if (debug) { 4813 log(LOG_DEBUG, "%s: pap corrupted input " 4814 "<0x%x id=0x%x len=%d", 4815 ifp->if_xname, 4816 h->type, h->ident, ntohs(h->len)); 4817 if (len > 4) 4818 sppp_print_bytes((u_char *)(h + 1), len - 4); 4819 addlog(">\n"); 4820 } 4821 break; 4822 } 4823 4824 SPPP_UNLOCK(sp); 4825 } 4826 4827 static void 4828 sppp_pap_init(struct sppp *sp) 4829 { 4830 4831 KASSERT(SPPP_WLOCKED(sp)); 4832 4833 /* PAP doesn't have STATE_INITIAL at all. */ 4834 sp->state[IDX_PAP] = STATE_CLOSED; 4835 sp->fail_counter[IDX_PAP] = 0; 4836 sp->pp_seq[IDX_PAP] = 0; 4837 sp->pp_rseq[IDX_PAP] = 0; 4838 callout_init(&sp->ch[IDX_PAP], CALLOUT_MPSAFE); 4839 callout_init(&sp->pap_my_to_ch, CALLOUT_MPSAFE); 4840 } 4841 4842 static void 4843 sppp_pap_open(struct sppp *sp) 4844 { 4845 4846 KASSERT(SPPP_WLOCKED(sp)); 4847 4848 if (sp->hisauth.proto == PPP_PAP && 4849 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4850 /* we are authenticator for PAP, start our timer */ 4851 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4852 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4853 } 4854 if (sp->myauth.proto == PPP_PAP) { 4855 /* we are peer, send a request, and start a timer */ 4856 pap.scr(sp); 4857 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout, 4858 sppp_pap_my_TO, sp); 4859 } 4860 } 4861 4862 static void 4863 sppp_pap_close(struct sppp *sp) 4864 { 4865 4866 KASSERT(SPPP_WLOCKED(sp)); 4867 4868 if (sp->state[IDX_PAP] != STATE_CLOSED) 4869 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4870 } 4871 4872 /* 4873 * That's the timeout routine if we are authenticator. Since the 4874 * authenticator is basically passive in PAP, we can't do much here. 4875 */ 4876 static void 4877 sppp_pap_TO(void *cookie) 4878 { 4879 struct sppp *sp = (struct sppp *)cookie; 4880 STDDCL; 4881 int s; 4882 4883 s = splnet(); 4884 SPPP_LOCK(sp, RW_WRITER); 4885 4886 if (debug) 4887 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n", 4888 ifp->if_xname, 4889 sppp_state_name(sp->state[IDX_PAP]), 4890 sp->rst_counter[IDX_PAP]); 4891 4892 if (--sp->rst_counter[IDX_PAP] < 0) 4893 /* TO- event */ 4894 switch (sp->state[IDX_PAP]) { 4895 case STATE_REQ_SENT: 4896 pap.tld(sp); 4897 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4898 break; 4899 } 4900 else 4901 /* TO+ event, not very much we could do */ 4902 switch (sp->state[IDX_PAP]) { 4903 case STATE_REQ_SENT: 4904 /* sppp_cp_change_state() will restart the timer */ 4905 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4906 break; 4907 } 4908 4909 SPPP_UNLOCK(sp); 4910 splx(s); 4911 } 4912 4913 /* 4914 * That's the timeout handler if we are peer. Since the peer is active, 4915 * we need to retransmit our PAP request since it is apparently lost. 4916 * XXX We should impose a max counter. 4917 */ 4918 static void 4919 sppp_pap_my_TO(void *cookie) 4920 { 4921 struct sppp *sp = (struct sppp *)cookie; 4922 STDDCL; 4923 4924 SPPP_LOCK(sp, RW_WRITER); 4925 if (debug) 4926 log(LOG_DEBUG, "%s: pap peer TO\n", 4927 ifp->if_xname); 4928 4929 pap.scr(sp); 4930 4931 SPPP_UNLOCK(sp); 4932 } 4933 4934 static void 4935 sppp_pap_tlu(struct sppp *sp) 4936 { 4937 STDDCL; 4938 int x; 4939 4940 KASSERT(SPPP_WLOCKED(sp)); 4941 4942 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4943 4944 if (debug) 4945 log(LOG_DEBUG, "%s: %s tlu\n", 4946 ifp->if_xname, pap.name); 4947 4948 x = splnet(); 4949 sp->pp_auth_failures = 0; 4950 /* indicate to LCP that we need to be closed down */ 4951 sp->lcp.protos |= (1 << IDX_PAP); 4952 4953 if (sp->pp_flags & PP_NEEDAUTH) { 4954 /* 4955 * Remote is authenticator, but his auth proto didn't 4956 * complete yet. Defer the transition to network 4957 * phase. 4958 */ 4959 splx(x); 4960 return; 4961 } 4962 splx(x); 4963 sppp_phase_network(sp); 4964 } 4965 4966 static void 4967 sppp_pap_tld(struct sppp *sp) 4968 { 4969 STDDCL; 4970 4971 KASSERT(SPPP_WLOCKED(sp)); 4972 4973 if (debug) 4974 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname); 4975 callout_stop(&sp->ch[IDX_PAP]); 4976 callout_stop(&sp->pap_my_to_ch); 4977 sp->lcp.protos &= ~(1 << IDX_PAP); 4978 4979 lcp.Close(sp); 4980 } 4981 4982 static void 4983 sppp_pap_scr(struct sppp *sp) 4984 { 4985 u_char idlen, pwdlen; 4986 4987 KASSERT(SPPP_WLOCKED(sp)); 4988 4989 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4990 /* can't do anything useful */ 4991 printf("%s: pap starting without my name and secret being set\n", 4992 sp->pp_if.if_xname); 4993 return; 4994 } 4995 4996 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4997 pwdlen = sp->myauth.secret_len; 4998 idlen = sp->myauth.name_len; 4999 5000 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 5001 sizeof idlen, (const char *)&idlen, 5002 idlen, sp->myauth.name, 5003 sizeof pwdlen, (const char *)&pwdlen, 5004 pwdlen, sp->myauth.secret, 5005 0); 5006 } 5007 5008 /* 5009 * Random miscellaneous functions. 5010 */ 5011 5012 /* 5013 * Send a PAP or CHAP proto packet. 5014 * 5015 * Varadic function, each of the elements for the ellipsis is of type 5016 * ``size_t mlen, const u_char *msg''. Processing will stop iff 5017 * mlen == 0. 5018 * NOTE: never declare variadic functions with types subject to type 5019 * promotion (i.e. u_char). This is asking for big trouble depending 5020 * on the architecture you are on... 5021 */ 5022 5023 static void 5024 sppp_auth_send(const struct cp *cp, struct sppp *sp, 5025 unsigned int type, unsigned int id, 5026 ...) 5027 { 5028 STDDCL; 5029 struct lcp_header *lh; 5030 struct mbuf *m; 5031 u_char *p; 5032 int len; 5033 size_t pkthdrlen; 5034 unsigned int mlen; 5035 const char *msg; 5036 va_list ap; 5037 5038 KASSERT(SPPP_WLOCKED(sp)); 5039 5040 MGETHDR(m, M_DONTWAIT, MT_DATA); 5041 if (! m) 5042 return; 5043 m_reset_rcvif(m); 5044 5045 if (sp->pp_flags & PP_NOFRAMING) { 5046 *mtod(m, uint16_t *) = htons(cp->proto); 5047 pkthdrlen = 2; 5048 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 5049 } else { 5050 struct ppp_header *h; 5051 h = mtod(m, struct ppp_header *); 5052 h->address = PPP_ALLSTATIONS; /* broadcast address */ 5053 h->control = PPP_UI; /* Unnumbered Info */ 5054 h->protocol = htons(cp->proto); 5055 pkthdrlen = PPP_HEADER_LEN; 5056 5057 lh = (struct lcp_header *)(h + 1); 5058 } 5059 5060 lh->type = type; 5061 lh->ident = id; 5062 p = (u_char *)(lh + 1); 5063 5064 va_start(ap, id); 5065 len = 0; 5066 5067 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 5068 msg = va_arg(ap, const char *); 5069 len += mlen; 5070 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 5071 va_end(ap); 5072 m_freem(m); 5073 return; 5074 } 5075 5076 memcpy(p, msg, mlen); 5077 p += mlen; 5078 } 5079 va_end(ap); 5080 5081 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 5082 lh->len = htons(LCP_HEADER_LEN + len); 5083 5084 if (debug) { 5085 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 5086 ifp->if_xname, cp->name, 5087 sppp_auth_type_name(cp->proto, lh->type), 5088 lh->ident, ntohs(lh->len)); 5089 if (len) 5090 sppp_print_bytes((u_char *)(lh + 1), len); 5091 addlog(">\n"); 5092 } 5093 if (IF_QFULL(&sp->pp_cpq)) { 5094 IF_DROP(&sp->pp_fastq); 5095 IF_DROP(&ifp->if_snd); 5096 m_freem(m); 5097 ++ifp->if_oerrors; 5098 return; 5099 } 5100 5101 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 5102 IF_ENQUEUE(&sp->pp_cpq, m); 5103 5104 if (! (ifp->if_flags & IFF_OACTIVE)) { 5105 SPPP_UNLOCK(sp); 5106 if_start_lock(ifp); 5107 SPPP_LOCK(sp, RW_WRITER); 5108 } 5109 } 5110 5111 /* 5112 * Send keepalive packets, every 10 seconds. 5113 */ 5114 static void 5115 sppp_keepalive(void *dummy) 5116 { 5117 struct sppp *sp; 5118 int s; 5119 time_t now; 5120 5121 SPPPQ_LOCK(); 5122 5123 s = splnet(); 5124 now = time_uptime; 5125 for (sp=spppq; sp; sp=sp->pp_next) { 5126 struct ifnet *ifp = NULL; 5127 5128 SPPP_LOCK(sp, RW_WRITER); 5129 ifp = &sp->pp_if; 5130 5131 /* check idle timeout */ 5132 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 5133 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 5134 /* idle timeout is enabled for this interface */ 5135 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 5136 if (ifp->if_flags & IFF_DEBUG) 5137 printf("%s: no activity for %lu seconds\n", 5138 sp->pp_if.if_xname, 5139 (unsigned long)(now-sp->pp_last_activity)); 5140 lcp.Close(sp); 5141 SPPP_UNLOCK(sp); 5142 continue; 5143 } 5144 } 5145 5146 /* Keepalive mode disabled or channel down? */ 5147 if (! (sp->pp_flags & PP_KEEPALIVE) || 5148 ! (ifp->if_flags & IFF_RUNNING)) { 5149 SPPP_UNLOCK(sp); 5150 continue; 5151 } 5152 5153 5154 /* No keepalive in PPP mode if LCP not opened yet. */ 5155 if (! (sp->pp_flags & PP_CISCO) && 5156 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) { 5157 SPPP_UNLOCK(sp); 5158 continue; 5159 } 5160 5161 /* No echo reply, but maybe user data passed through? */ 5162 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) { 5163 sp->pp_alivecnt = 0; 5164 SPPP_UNLOCK(sp); 5165 continue; 5166 } 5167 5168 if (sp->pp_alivecnt >= sp->pp_maxalive) { 5169 /* No keepalive packets got. Stop the interface. */ 5170 SPPP_UNLOCK(sp); 5171 if_down (ifp); 5172 SPPP_LOCK(sp, RW_WRITER); 5173 5174 IF_PURGE(&sp->pp_cpq); 5175 5176 if (! (sp->pp_flags & PP_CISCO)) { 5177 printf("%s: LCP keepalive timed out, going to restart the connection\n", 5178 ifp->if_xname); 5179 sp->pp_alivecnt = 0; 5180 5181 /* we are down, close all open protocols */ 5182 lcp.Close(sp); 5183 5184 /* And now prepare LCP to reestablish the link, if configured to do so. */ 5185 sppp_cp_change_state(&lcp, sp, STATE_STOPPED); 5186 5187 /* Close connection immediately, completition of this 5188 * will summon the magic needed to reestablish it. */ 5189 sppp_notify_tlf_wlocked(sp); 5190 5191 SPPP_UNLOCK(sp); 5192 continue; 5193 } 5194 } 5195 if (sp->pp_alivecnt < sp->pp_maxalive) 5196 ++sp->pp_alivecnt; 5197 if (sp->pp_flags & PP_CISCO) 5198 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 5199 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 5200 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 5201 int32_t nmagic = htonl(sp->lcp.magic); 5202 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 5203 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 5204 sp->lcp.echoid, 4, &nmagic); 5205 } 5206 5207 SPPP_UNLOCK(sp); 5208 } 5209 splx(s); 5210 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 5211 5212 SPPPQ_UNLOCK(); 5213 } 5214 5215 #ifdef INET 5216 /* 5217 * Get both IP addresses. 5218 */ 5219 static void 5220 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 5221 { 5222 struct ifnet *ifp = &sp->pp_if; 5223 struct ifaddr *ifa; 5224 struct sockaddr_in *si, *sm; 5225 uint32_t ssrc, ddst; 5226 int s; 5227 struct psref psref; 5228 5229 sm = NULL; 5230 ssrc = ddst = 0; 5231 /* 5232 * Pick the first AF_INET address from the list, 5233 * aliases don't make any sense on a p2p link anyway. 5234 */ 5235 si = 0; 5236 s = pserialize_read_enter(); 5237 IFADDR_READER_FOREACH(ifa, ifp) { 5238 if (ifa->ifa_addr->sa_family == AF_INET) { 5239 si = (struct sockaddr_in *)ifa->ifa_addr; 5240 sm = (struct sockaddr_in *)ifa->ifa_netmask; 5241 if (si) { 5242 ifa_acquire(ifa, &psref); 5243 break; 5244 } 5245 } 5246 } 5247 pserialize_read_exit(s); 5248 if (ifa) { 5249 if (si && si->sin_addr.s_addr) { 5250 ssrc = si->sin_addr.s_addr; 5251 if (srcmask) 5252 *srcmask = ntohl(sm->sin_addr.s_addr); 5253 } 5254 5255 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 5256 if (si && si->sin_addr.s_addr) 5257 ddst = si->sin_addr.s_addr; 5258 ifa_release(ifa, &psref); 5259 } 5260 5261 if (dst) *dst = ntohl(ddst); 5262 if (src) *src = ntohl(ssrc); 5263 } 5264 5265 /* 5266 * Set IP addresses. Must be called at splnet. 5267 * If an address is 0, leave it the way it is. 5268 */ 5269 static void 5270 sppp_set_ip_addrs_work(struct work *wk, struct sppp *sp) 5271 { 5272 STDDCL; 5273 struct ifaddr *ifa; 5274 struct sockaddr_in *si, *dest; 5275 uint32_t myaddr = 0, hisaddr = 0; 5276 int s; 5277 5278 IFNET_LOCK(ifp); 5279 5280 /* 5281 * Pick the first AF_INET address from the list, 5282 * aliases don't make any sense on a p2p link anyway. 5283 */ 5284 si = dest = NULL; 5285 s = pserialize_read_enter(); 5286 IFADDR_READER_FOREACH(ifa, ifp) { 5287 if (ifa->ifa_addr->sa_family == AF_INET) { 5288 si = (struct sockaddr_in *)ifa->ifa_addr; 5289 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5290 break; 5291 } 5292 } 5293 pserialize_read_exit(s); 5294 5295 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 5296 myaddr = sp->ipcp.req_myaddr; 5297 else if (si != NULL) 5298 myaddr = ntohl(si->sin_addr.s_addr); 5299 5300 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 5301 hisaddr = sp->ipcp.req_hisaddr; 5302 else if (dest != NULL) 5303 hisaddr = ntohl(dest->sin_addr.s_addr); 5304 5305 if (si != NULL && dest != NULL) { 5306 int error; 5307 struct sockaddr_in new_sin = *si; 5308 struct sockaddr_in new_dst = *dest; 5309 5310 if (myaddr != 0) 5311 new_sin.sin_addr.s_addr = htonl(myaddr); 5312 if (hisaddr != 0) { 5313 new_dst.sin_addr.s_addr = htonl(hisaddr); 5314 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) 5315 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 5316 } 5317 5318 in_addrhash_remove(ifatoia(ifa)); 5319 5320 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5321 5322 in_addrhash_insert(ifatoia(ifa)); 5323 5324 if (debug && error) 5325 { 5326 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5327 ifp->if_xname, __func__, error); 5328 } 5329 if (!error) { 5330 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5331 } 5332 } 5333 5334 if (ifp->if_mtu > sp->lcp.their_mru) { 5335 sp->pp_saved_mtu = ifp->if_mtu; 5336 ifp->if_mtu = sp->lcp.their_mru; 5337 if (debug) 5338 log(LOG_DEBUG, 5339 "%s: setting MTU to %" PRIu64 " bytes\n", 5340 ifp->if_xname, ifp->if_mtu); 5341 } 5342 5343 IFNET_UNLOCK(ifp); 5344 5345 sppp_notify_con(sp); 5346 } 5347 5348 static void 5349 sppp_set_ip_addrs(struct sppp *sp) 5350 { 5351 struct ifnet *ifp = &sp->pp_if; 5352 5353 if (!pcq_put(sp->ipcp.update_addrs_q, (void *)IPCP_SET_ADDRS)) { 5354 log(LOG_WARNING, "%s: cannot enqueued, ignore sppp_clear_ip_addrs\n", 5355 ifp->if_xname); 5356 return; 5357 } 5358 5359 if (atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1) == 1) 5360 return; 5361 5362 workqueue_enqueue(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk, NULL); 5363 } 5364 5365 /* 5366 * Clear IP addresses. Must be called at splnet. 5367 */ 5368 static void 5369 sppp_clear_ip_addrs_work(struct work *wk, struct sppp *sp) 5370 { 5371 STDDCL; 5372 struct ifaddr *ifa; 5373 struct sockaddr_in *si, *dest; 5374 int s; 5375 5376 IFNET_LOCK(ifp); 5377 5378 /* 5379 * Pick the first AF_INET address from the list, 5380 * aliases don't make any sense on a p2p link anyway. 5381 */ 5382 si = dest = NULL; 5383 s = pserialize_read_enter(); 5384 IFADDR_READER_FOREACH(ifa, ifp) { 5385 if (ifa->ifa_addr->sa_family == AF_INET) { 5386 si = (struct sockaddr_in *)ifa->ifa_addr; 5387 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5388 break; 5389 } 5390 } 5391 pserialize_read_exit(s); 5392 5393 if (si != NULL) { 5394 struct sockaddr_in new_sin = *si; 5395 struct sockaddr_in new_dst = *dest; 5396 int error; 5397 5398 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 5399 new_sin.sin_addr.s_addr = 0; 5400 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 5401 new_dst.sin_addr.s_addr = sp->ipcp.saved_hisaddr; 5402 5403 in_addrhash_remove(ifatoia(ifa)); 5404 5405 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5406 5407 in_addrhash_insert(ifatoia(ifa)); 5408 5409 if (debug && error) 5410 { 5411 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5412 ifp->if_xname, __func__, error); 5413 } 5414 if (!error) { 5415 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5416 } 5417 } 5418 5419 if (sp->pp_saved_mtu > 0) { 5420 ifp->if_mtu = sp->pp_saved_mtu; 5421 sp->pp_saved_mtu = 0; 5422 if (debug) 5423 log(LOG_DEBUG, 5424 "%s: resetting MTU to %" PRIu64 " bytes\n", 5425 ifp->if_xname, ifp->if_mtu); 5426 } 5427 5428 IFNET_UNLOCK(ifp); 5429 } 5430 5431 static void 5432 sppp_clear_ip_addrs(struct sppp *sp) 5433 { 5434 struct ifnet *ifp = &sp->pp_if; 5435 5436 if (!pcq_put(sp->ipcp.update_addrs_q, (void *)IPCP_CLEAR_ADDRS)) { 5437 log(LOG_WARNING, "%s: cannot enqueued, ignore sppp_clear_ip_addrs\n", 5438 ifp->if_xname); 5439 return; 5440 } 5441 5442 if (atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1) == 1) 5443 return; 5444 5445 workqueue_enqueue(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk, NULL); 5446 } 5447 5448 static void 5449 sppp_update_ip_addrs_work(struct work *wk, void *arg) 5450 { 5451 struct sppp *sp = arg; 5452 void *work; 5453 5454 atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 0); 5455 5456 while ((work = pcq_get(sp->ipcp.update_addrs_q)) != NULL) { 5457 int update = (intptr_t)work; 5458 5459 if (update == IPCP_SET_ADDRS) 5460 sppp_set_ip_addrs_work(wk, sp); 5461 else if (update == IPCP_CLEAR_ADDRS) 5462 sppp_clear_ip_addrs_work(wk, sp); 5463 } 5464 } 5465 #endif 5466 5467 #ifdef INET6 5468 /* 5469 * Get both IPv6 addresses. 5470 */ 5471 static void 5472 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 5473 struct in6_addr *srcmask) 5474 { 5475 struct ifnet *ifp = &sp->pp_if; 5476 struct ifaddr *ifa; 5477 struct sockaddr_in6 *si, *sm; 5478 struct in6_addr ssrc, ddst; 5479 int s; 5480 struct psref psref; 5481 5482 sm = NULL; 5483 memset(&ssrc, 0, sizeof(ssrc)); 5484 memset(&ddst, 0, sizeof(ddst)); 5485 /* 5486 * Pick the first link-local AF_INET6 address from the list, 5487 * aliases don't make any sense on a p2p link anyway. 5488 */ 5489 si = 0; 5490 s = pserialize_read_enter(); 5491 IFADDR_READER_FOREACH(ifa, ifp) { 5492 if (ifa->ifa_addr->sa_family == AF_INET6) { 5493 si = (struct sockaddr_in6 *)ifa->ifa_addr; 5494 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 5495 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) { 5496 ifa_acquire(ifa, &psref); 5497 break; 5498 } 5499 } 5500 } 5501 pserialize_read_exit(s); 5502 5503 if (ifa) { 5504 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 5505 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 5506 if (srcmask) { 5507 memcpy(srcmask, &sm->sin6_addr, 5508 sizeof(*srcmask)); 5509 } 5510 } 5511 5512 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 5513 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 5514 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 5515 ifa_release(ifa, &psref); 5516 } 5517 5518 if (dst) 5519 memcpy(dst, &ddst, sizeof(*dst)); 5520 if (src) 5521 memcpy(src, &ssrc, sizeof(*src)); 5522 } 5523 5524 #ifdef IPV6CP_MYIFID_DYN 5525 /* 5526 * Generate random ifid. 5527 */ 5528 static void 5529 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5530 { 5531 /* TBD */ 5532 } 5533 5534 /* 5535 * Set my IPv6 address. Must be called at splnet. 5536 */ 5537 static void 5538 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5539 { 5540 STDDCL; 5541 struct ifaddr *ifa; 5542 struct sockaddr_in6 *sin6; 5543 int s; 5544 struct psref psref; 5545 5546 IFNET_LOCK(ifp); 5547 5548 /* 5549 * Pick the first link-local AF_INET6 address from the list, 5550 * aliases don't make any sense on a p2p link anyway. 5551 */ 5552 5553 sin6 = NULL; 5554 s = pserialize_read_enter(); 5555 IFADDR_READER_FOREACH(ifa, ifp) 5556 { 5557 if (ifa->ifa_addr->sa_family == AF_INET6) 5558 { 5559 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5560 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) { 5561 ifa_acquire(ifa, &psref); 5562 break; 5563 } 5564 } 5565 } 5566 pserialize_read_exit(s); 5567 5568 if (ifa && sin6) 5569 { 5570 int error; 5571 struct sockaddr_in6 new_sin6 = *sin6; 5572 5573 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 5574 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5575 if (debug && error) 5576 { 5577 log(LOG_DEBUG, "%s: %s: in6_ifinit failed, error=%d\n", 5578 ifp->if_xname, __func__, error); 5579 } 5580 if (!error) { 5581 pfil_run_addrhooks(if_pfil, SIOCAIFADDR_IN6, ifa); 5582 } 5583 ifa_release(ifa, &psref); 5584 } 5585 5586 IFNET_UNLOCK(ifp); 5587 } 5588 #endif 5589 5590 /* 5591 * Suggest a candidate address to be used by peer. 5592 */ 5593 static void 5594 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5595 { 5596 struct in6_addr myaddr; 5597 struct timeval tv; 5598 5599 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5600 5601 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5602 microtime(&tv); 5603 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5604 myaddr.s6_addr[14] ^= 0xff; 5605 myaddr.s6_addr[15] ^= 0xff; 5606 } else { 5607 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5608 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5609 } 5610 if (suggest) 5611 memcpy(suggest, &myaddr, sizeof(myaddr)); 5612 } 5613 #endif /*INET6*/ 5614 5615 /* 5616 * Process ioctl requests specific to the PPP interface. 5617 * Permissions have already been checked. 5618 */ 5619 static int 5620 sppp_params(struct sppp *sp, u_long cmd, void *data) 5621 { 5622 switch (cmd) { 5623 case SPPPGETAUTHCFG: 5624 { 5625 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5626 int error; 5627 size_t len; 5628 5629 SPPP_LOCK(sp, RW_READER); 5630 5631 cfg->myauthflags = sp->myauth.flags; 5632 cfg->hisauthflags = sp->hisauth.flags; 5633 strlcpy(cfg->ifname, sp->pp_if.if_xname, sizeof(cfg->ifname)); 5634 cfg->hisauth = 0; 5635 if (sp->hisauth.proto) 5636 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5637 cfg->myauth = 0; 5638 if (sp->myauth.proto) 5639 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5640 if (cfg->myname_length == 0) { 5641 if (sp->myauth.name != NULL) 5642 cfg->myname_length = sp->myauth.name_len + 1; 5643 } else { 5644 if (sp->myauth.name == NULL) { 5645 cfg->myname_length = 0; 5646 } else { 5647 len = sp->myauth.name_len + 1; 5648 5649 5650 if (cfg->myname_length < len) { 5651 SPPP_UNLOCK(sp); 5652 return (ENAMETOOLONG); 5653 } 5654 error = copyout(sp->myauth.name, cfg->myname, len); 5655 if (error) { 5656 SPPP_UNLOCK(sp); 5657 return error; 5658 } 5659 } 5660 } 5661 if (cfg->hisname_length == 0) { 5662 if (sp->hisauth.name != NULL) 5663 cfg->hisname_length = sp->hisauth.name_len + 1; 5664 } else { 5665 if (sp->hisauth.name == NULL) { 5666 cfg->hisname_length = 0; 5667 } else { 5668 len = sp->hisauth.name_len + 1; 5669 5670 if (cfg->hisname_length < len) { 5671 SPPP_UNLOCK(sp); 5672 return (ENAMETOOLONG); 5673 } 5674 error = copyout(sp->hisauth.name, cfg->hisname, len); 5675 if (error) { 5676 SPPP_UNLOCK(sp); 5677 return error; 5678 } 5679 } 5680 } 5681 SPPP_UNLOCK(sp); 5682 } 5683 break; 5684 case SPPPSETAUTHCFG: 5685 { 5686 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5687 int error; 5688 5689 SPPP_LOCK(sp, RW_WRITER); 5690 5691 if (sp->myauth.name) { 5692 free(sp->myauth.name, M_DEVBUF); 5693 sp->myauth.name = NULL; 5694 } 5695 if (sp->myauth.secret) { 5696 free(sp->myauth.secret, M_DEVBUF); 5697 sp->myauth.secret = NULL; 5698 } 5699 if (sp->hisauth.name) { 5700 free(sp->hisauth.name, M_DEVBUF); 5701 sp->hisauth.name = NULL; 5702 } 5703 if (sp->hisauth.secret) { 5704 free(sp->hisauth.secret, M_DEVBUF); 5705 sp->hisauth.secret = NULL; 5706 } 5707 5708 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 5709 if (cfg->hisname_length >= MCLBYTES) { 5710 SPPP_UNLOCK(sp); 5711 return (ENAMETOOLONG); 5712 } 5713 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 5714 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 5715 if (error) { 5716 free(sp->hisauth.name, M_DEVBUF); 5717 sp->hisauth.name = NULL; 5718 SPPP_UNLOCK(sp); 5719 return error; 5720 } 5721 sp->hisauth.name_len = cfg->hisname_length - 1; 5722 sp->hisauth.name[sp->hisauth.name_len] = 0; 5723 } 5724 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 5725 if (cfg->hissecret_length >= MCLBYTES) { 5726 SPPP_UNLOCK(sp); 5727 return (ENAMETOOLONG); 5728 } 5729 sp->hisauth.secret = malloc(cfg->hissecret_length, 5730 M_DEVBUF, M_WAITOK); 5731 error = copyin(cfg->hissecret, sp->hisauth.secret, 5732 cfg->hissecret_length); 5733 if (error) { 5734 free(sp->hisauth.secret, M_DEVBUF); 5735 sp->hisauth.secret = NULL; 5736 SPPP_UNLOCK(sp); 5737 return error; 5738 } 5739 sp->hisauth.secret_len = cfg->hissecret_length - 1; 5740 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 5741 } 5742 if (cfg->myname != NULL && cfg->myname_length > 0) { 5743 if (cfg->myname_length >= MCLBYTES) { 5744 SPPP_UNLOCK(sp); 5745 return (ENAMETOOLONG); 5746 } 5747 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 5748 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 5749 if (error) { 5750 free(sp->myauth.name, M_DEVBUF); 5751 sp->myauth.name = NULL; 5752 SPPP_UNLOCK(sp); 5753 return error; 5754 } 5755 sp->myauth.name_len = cfg->myname_length - 1; 5756 sp->myauth.name[sp->myauth.name_len] = 0; 5757 } 5758 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 5759 if (cfg->mysecret_length >= MCLBYTES) { 5760 SPPP_UNLOCK(sp); 5761 return (ENAMETOOLONG); 5762 } 5763 sp->myauth.secret = malloc(cfg->mysecret_length, 5764 M_DEVBUF, M_WAITOK); 5765 error = copyin(cfg->mysecret, sp->myauth.secret, 5766 cfg->mysecret_length); 5767 if (error) { 5768 free(sp->myauth.secret, M_DEVBUF); 5769 sp->myauth.secret = NULL; 5770 SPPP_UNLOCK(sp); 5771 return error; 5772 } 5773 sp->myauth.secret_len = cfg->mysecret_length - 1; 5774 sp->myauth.secret[sp->myauth.secret_len] = 0; 5775 } 5776 sp->myauth.flags = cfg->myauthflags; 5777 if (cfg->myauth) 5778 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5779 sp->hisauth.flags = cfg->hisauthflags; 5780 if (cfg->hisauth) 5781 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5782 sp->pp_auth_failures = 0; 5783 if (sp->hisauth.proto != 0) 5784 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 5785 else 5786 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 5787 5788 SPPP_UNLOCK(sp); 5789 } 5790 break; 5791 case SPPPGETLCPCFG: 5792 { 5793 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5794 5795 SPPP_LOCK(sp, RW_READER); 5796 lcpp->lcp_timeout = sp->lcp.timeout; 5797 SPPP_UNLOCK(sp); 5798 } 5799 break; 5800 case SPPPSETLCPCFG: 5801 { 5802 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5803 5804 SPPP_LOCK(sp, RW_WRITER); 5805 sp->lcp.timeout = lcpp->lcp_timeout; 5806 SPPP_UNLOCK(sp); 5807 } 5808 break; 5809 case SPPPGETSTATUS: 5810 { 5811 struct spppstatus *status = (struct spppstatus *)data; 5812 5813 SPPP_LOCK(sp, RW_READER); 5814 status->phase = sp->pp_phase; 5815 SPPP_UNLOCK(sp); 5816 } 5817 break; 5818 case SPPPGETSTATUSNCP: 5819 { 5820 struct spppstatusncp *status = (struct spppstatusncp *)data; 5821 5822 SPPP_LOCK(sp, RW_READER); 5823 status->phase = sp->pp_phase; 5824 status->ncpup = sppp_ncp_check(sp); 5825 SPPP_UNLOCK(sp); 5826 } 5827 break; 5828 case SPPPGETIDLETO: 5829 { 5830 struct spppidletimeout *to = (struct spppidletimeout *)data; 5831 5832 SPPP_LOCK(sp, RW_READER); 5833 to->idle_seconds = sp->pp_idle_timeout; 5834 SPPP_UNLOCK(sp); 5835 } 5836 break; 5837 case SPPPSETIDLETO: 5838 { 5839 struct spppidletimeout *to = (struct spppidletimeout *)data; 5840 5841 SPPP_LOCK(sp, RW_WRITER); 5842 sp->pp_idle_timeout = to->idle_seconds; 5843 SPPP_UNLOCK(sp); 5844 } 5845 break; 5846 case SPPPSETAUTHFAILURE: 5847 { 5848 struct spppauthfailuresettings *afsettings = 5849 (struct spppauthfailuresettings *)data; 5850 5851 SPPP_LOCK(sp, RW_WRITER); 5852 sp->pp_max_auth_fail = afsettings->max_failures; 5853 sp->pp_auth_failures = 0; 5854 SPPP_UNLOCK(sp); 5855 } 5856 break; 5857 case SPPPGETAUTHFAILURES: 5858 { 5859 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 5860 5861 SPPP_LOCK(sp, RW_READER); 5862 stats->auth_failures = sp->pp_auth_failures; 5863 stats->max_failures = sp->pp_max_auth_fail; 5864 SPPP_UNLOCK(sp); 5865 } 5866 break; 5867 case SPPPSETDNSOPTS: 5868 { 5869 struct spppdnssettings *req = (struct spppdnssettings *)data; 5870 5871 SPPP_LOCK(sp, RW_WRITER); 5872 sp->query_dns = req->query_dns & 3; 5873 SPPP_UNLOCK(sp); 5874 } 5875 break; 5876 case SPPPGETDNSOPTS: 5877 { 5878 struct spppdnssettings *req = (struct spppdnssettings *)data; 5879 5880 SPPP_LOCK(sp, RW_READER); 5881 req->query_dns = sp->query_dns; 5882 SPPP_UNLOCK(sp); 5883 } 5884 break; 5885 case SPPPGETDNSADDRS: 5886 { 5887 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 5888 5889 SPPP_LOCK(sp, RW_READER); 5890 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 5891 SPPP_UNLOCK(sp); 5892 } 5893 break; 5894 case SPPPGETKEEPALIVE: 5895 { 5896 struct spppkeepalivesettings *settings = 5897 (struct spppkeepalivesettings*)data; 5898 5899 SPPP_LOCK(sp, RW_READER); 5900 settings->maxalive = sp->pp_maxalive; 5901 settings->max_noreceive = sp->pp_max_noreceive; 5902 SPPP_UNLOCK(sp); 5903 } 5904 break; 5905 case SPPPSETKEEPALIVE: 5906 { 5907 struct spppkeepalivesettings *settings = 5908 (struct spppkeepalivesettings*)data; 5909 5910 SPPP_LOCK(sp, RW_WRITER); 5911 sp->pp_maxalive = settings->maxalive; 5912 sp->pp_max_noreceive = settings->max_noreceive; 5913 SPPP_UNLOCK(sp); 5914 } 5915 break; 5916 default: 5917 { 5918 int ret; 5919 5920 MODULE_HOOK_CALL(sppp_params_50_hook, (sp, cmd, data), 5921 enosys(), ret); 5922 if (ret != ENOSYS) 5923 return ret; 5924 return (EINVAL); 5925 } 5926 } 5927 return (0); 5928 } 5929 5930 static void 5931 sppp_phase_network(struct sppp *sp) 5932 { 5933 int i; 5934 uint32_t mask; 5935 5936 KASSERT(SPPP_WLOCKED(sp)); 5937 5938 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 5939 5940 /* Notify NCPs now. */ 5941 for (i = 0; i < IDX_COUNT; i++) 5942 if ((cps[i])->flags & CP_NCP) 5943 (cps[i])->Open(sp); 5944 5945 /* Send Up events to all NCPs. */ 5946 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5947 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) { 5948 (cps[i])->Up(sp); 5949 } 5950 5951 /* if no NCP is starting, all this was in vain, close down */ 5952 sppp_lcp_check_and_close(sp); 5953 } 5954 5955 5956 static const char * 5957 sppp_cp_type_name(u_char type) 5958 { 5959 static char buf[12]; 5960 switch (type) { 5961 case CONF_REQ: return "conf-req"; 5962 case CONF_ACK: return "conf-ack"; 5963 case CONF_NAK: return "conf-nak"; 5964 case CONF_REJ: return "conf-rej"; 5965 case TERM_REQ: return "term-req"; 5966 case TERM_ACK: return "term-ack"; 5967 case CODE_REJ: return "code-rej"; 5968 case PROTO_REJ: return "proto-rej"; 5969 case ECHO_REQ: return "echo-req"; 5970 case ECHO_REPLY: return "echo-reply"; 5971 case DISC_REQ: return "discard-req"; 5972 } 5973 snprintf(buf, sizeof(buf), "0x%x", type); 5974 return buf; 5975 } 5976 5977 static const char * 5978 sppp_auth_type_name(u_short proto, u_char type) 5979 { 5980 static char buf[32]; 5981 const char *name; 5982 5983 switch (proto) { 5984 case PPP_CHAP: 5985 switch (type) { 5986 case CHAP_CHALLENGE: return "challenge"; 5987 case CHAP_RESPONSE: return "response"; 5988 case CHAP_SUCCESS: return "success"; 5989 case CHAP_FAILURE: return "failure"; 5990 default: name = "chap"; break; 5991 } 5992 break; 5993 5994 case PPP_PAP: 5995 switch (type) { 5996 case PAP_REQ: return "req"; 5997 case PAP_ACK: return "ack"; 5998 case PAP_NAK: return "nak"; 5999 default: name = "pap"; break; 6000 } 6001 break; 6002 6003 default: 6004 name = "bad"; 6005 break; 6006 } 6007 6008 snprintf(buf, sizeof(buf), "%s(%#x) %#x", name, proto, type); 6009 return buf; 6010 } 6011 6012 static const char * 6013 sppp_lcp_opt_name(u_char opt) 6014 { 6015 static char buf[12]; 6016 switch (opt) { 6017 case LCP_OPT_MRU: return "mru"; 6018 case LCP_OPT_ASYNC_MAP: return "async-map"; 6019 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 6020 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 6021 case LCP_OPT_MAGIC: return "magic"; 6022 case LCP_OPT_PROTO_COMP: return "proto-comp"; 6023 case LCP_OPT_ADDR_COMP: return "addr-comp"; 6024 } 6025 snprintf(buf, sizeof(buf), "0x%x", opt); 6026 return buf; 6027 } 6028 6029 static const char * 6030 sppp_ipcp_opt_name(u_char opt) 6031 { 6032 static char buf[12]; 6033 switch (opt) { 6034 case IPCP_OPT_ADDRESSES: return "addresses"; 6035 case IPCP_OPT_COMPRESSION: return "compression"; 6036 case IPCP_OPT_ADDRESS: return "address"; 6037 } 6038 snprintf(buf, sizeof(buf), "0x%x", opt); 6039 return buf; 6040 } 6041 6042 #ifdef INET6 6043 static const char * 6044 sppp_ipv6cp_opt_name(u_char opt) 6045 { 6046 static char buf[12]; 6047 switch (opt) { 6048 case IPV6CP_OPT_IFID: return "ifid"; 6049 case IPV6CP_OPT_COMPRESSION: return "compression"; 6050 } 6051 snprintf(buf, sizeof(buf), "0x%x", opt); 6052 return buf; 6053 } 6054 #endif 6055 6056 static const char * 6057 sppp_state_name(int state) 6058 { 6059 switch (state) { 6060 case STATE_INITIAL: return "initial"; 6061 case STATE_STARTING: return "starting"; 6062 case STATE_CLOSED: return "closed"; 6063 case STATE_STOPPED: return "stopped"; 6064 case STATE_CLOSING: return "closing"; 6065 case STATE_STOPPING: return "stopping"; 6066 case STATE_REQ_SENT: return "req-sent"; 6067 case STATE_ACK_RCVD: return "ack-rcvd"; 6068 case STATE_ACK_SENT: return "ack-sent"; 6069 case STATE_OPENED: return "opened"; 6070 } 6071 return "illegal"; 6072 } 6073 6074 static const char * 6075 sppp_phase_name(int phase) 6076 { 6077 switch (phase) { 6078 case SPPP_PHASE_DEAD: return "dead"; 6079 case SPPP_PHASE_ESTABLISH: return "establish"; 6080 case SPPP_PHASE_TERMINATE: return "terminate"; 6081 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 6082 case SPPP_PHASE_NETWORK: return "network"; 6083 } 6084 return "illegal"; 6085 } 6086 6087 static const char * 6088 sppp_proto_name(u_short proto) 6089 { 6090 static char buf[12]; 6091 switch (proto) { 6092 case PPP_LCP: return "lcp"; 6093 case PPP_IPCP: return "ipcp"; 6094 case PPP_PAP: return "pap"; 6095 case PPP_CHAP: return "chap"; 6096 case PPP_IPV6CP: return "ipv6cp"; 6097 } 6098 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto); 6099 return buf; 6100 } 6101 6102 static void 6103 sppp_print_bytes(const u_char *p, u_short len) 6104 { 6105 addlog(" %02x", *p++); 6106 while (--len > 0) 6107 addlog("-%02x", *p++); 6108 } 6109 6110 static void 6111 sppp_print_string(const char *p, u_short len) 6112 { 6113 u_char c; 6114 6115 while (len-- > 0) { 6116 c = *p++; 6117 /* 6118 * Print only ASCII chars directly. RFC 1994 recommends 6119 * using only them, but we don't rely on it. */ 6120 if (c < ' ' || c > '~') 6121 addlog("\\x%x", c); 6122 else 6123 addlog("%c", c); 6124 } 6125 } 6126 6127 static const char * 6128 sppp_dotted_quad(uint32_t addr) 6129 { 6130 static char s[16]; 6131 snprintf(s, sizeof(s), "%d.%d.%d.%d", 6132 (int)((addr >> 24) & 0xff), 6133 (int)((addr >> 16) & 0xff), 6134 (int)((addr >> 8) & 0xff), 6135 (int)(addr & 0xff)); 6136 return s; 6137 } 6138 6139 /* a dummy, used to drop uninteresting events */ 6140 static void 6141 sppp_null(struct sppp *unused) 6142 { 6143 /* do just nothing */ 6144 } 6145 /* 6146 * This file is large. Tell emacs to highlight it nevertheless. 6147 * 6148 * Local Variables: 6149 * hilit-auto-highlight-maxout: 120000 6150 * End: 6151 */ 6152 6153 /* 6154 * Module glue 6155 */ 6156 MODULE(MODULE_CLASS_MISC, sppp_subr, NULL); 6157 6158 static int 6159 sppp_subr_modcmd(modcmd_t cmd, void *arg) 6160 { 6161 switch (cmd) { 6162 case MODULE_CMD_INIT: 6163 case MODULE_CMD_FINI: 6164 return 0; 6165 case MODULE_CMD_STAT: 6166 case MODULE_CMD_AUTOUNLOAD: 6167 default: 6168 return ENOTTY; 6169 } 6170 } 6171 6172 static void 6173 sppp_notify_up(struct sppp *sp) 6174 { 6175 6176 SPPP_LOCK(sp, RW_WRITER); 6177 lcp.Up(sp); 6178 SPPP_UNLOCK(sp); 6179 } 6180 6181 static void 6182 sppp_notify_down(struct sppp *sp) 6183 { 6184 6185 SPPP_LOCK(sp, RW_WRITER); 6186 lcp.Down(sp); 6187 SPPP_UNLOCK(sp); 6188 } 6189 6190 static void 6191 sppp_notify_tls_wlocked(struct sppp *sp) 6192 { 6193 6194 KASSERT(SPPP_WLOCKED(sp)); 6195 6196 if (!sp->pp_tls) 6197 return; 6198 6199 SPPP_UNLOCK(sp); 6200 sp->pp_tls(sp); 6201 SPPP_LOCK(sp, RW_WRITER); 6202 } 6203 6204 static void 6205 sppp_notify_tlf_wlocked(struct sppp *sp) 6206 { 6207 6208 KASSERT(SPPP_WLOCKED(sp)); 6209 6210 if (!sp->pp_tlf) 6211 return; 6212 6213 SPPP_UNLOCK(sp); 6214 sp->pp_tlf(sp); 6215 SPPP_LOCK(sp, RW_WRITER); 6216 } 6217 6218 static void 6219 sppp_notify_con(struct sppp *sp) 6220 { 6221 6222 if (!sp->pp_con) 6223 return; 6224 6225 sp->pp_con(sp); 6226 } 6227 6228 #ifdef INET6 6229 static void 6230 sppp_notify_con_wlocked(struct sppp *sp) 6231 { 6232 6233 KASSERT(SPPP_WLOCKED(sp)); 6234 6235 SPPP_UNLOCK(sp); 6236 sppp_notify_con(sp); 6237 SPPP_LOCK(sp, RW_WRITER); 6238 6239 } 6240 #endif 6241 6242 static void 6243 sppp_notify_chg_wlocked(struct sppp *sp) 6244 { 6245 6246 KASSERT(SPPP_WLOCKED(sp)); 6247 6248 if (!sp->pp_chg) 6249 return; 6250 6251 SPPP_UNLOCK(sp); 6252 sp->pp_chg(sp, sp->pp_phase); 6253 SPPP_LOCK(sp, RW_WRITER); 6254 } 6255