1 /* $NetBSD: if_spppsubr.c,v 1.175 2017/11/22 17:11:51 christos Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak@cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun@iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.175 2017/11/22 17:11:51 christos Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_modular.h" 49 #include "opt_compat_netbsd.h" 50 #include "opt_net_mpsafe.h" 51 #endif 52 53 54 #include <sys/param.h> 55 #include <sys/proc.h> 56 #include <sys/systm.h> 57 #include <sys/kernel.h> 58 #include <sys/sockio.h> 59 #include <sys/socket.h> 60 #include <sys/syslog.h> 61 #include <sys/malloc.h> 62 #include <sys/mbuf.h> 63 #include <sys/callout.h> 64 #include <sys/md5.h> 65 #include <sys/inttypes.h> 66 #include <sys/kauth.h> 67 #include <sys/cprng.h> 68 #include <sys/module.h> 69 #include <sys/workqueue.h> 70 #include <sys/atomic.h> 71 72 #include <net/if.h> 73 #include <net/netisr.h> 74 #include <net/if_types.h> 75 #include <net/route.h> 76 #include <net/ppp_defs.h> 77 78 #include <netinet/in.h> 79 #include <netinet/in_systm.h> 80 #include <netinet/in_var.h> 81 #ifdef INET 82 #include <netinet/ip.h> 83 #include <netinet/tcp.h> 84 #endif 85 #include <net/ethertypes.h> 86 87 #ifdef INET6 88 #include <netinet6/scope6_var.h> 89 #endif 90 91 #include <net/if_sppp.h> 92 #include <net/if_spppvar.h> 93 94 #ifdef NET_MPSAFE 95 #define SPPPSUBR_MPSAFE 1 96 #endif 97 98 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 99 #define LOOPALIVECNT 3 /* loopback detection tries */ 100 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 101 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 102 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 103 104 /* 105 * Interface flags that can be set in an ifconfig command. 106 * 107 * Setting link0 will make the link passive, i.e. it will be marked 108 * as being administrative openable, but won't be opened to begin 109 * with. Incoming calls will be answered, or subsequent calls with 110 * -link1 will cause the administrative open of the LCP layer. 111 * 112 * Setting link1 will cause the link to auto-dial only as packets 113 * arrive to be sent. 114 * 115 * Setting IFF_DEBUG will syslog the option negotiation and state 116 * transitions at level kern.debug. Note: all logs consistently look 117 * like 118 * 119 * <if-name><unit>: <proto-name> <additional info...> 120 * 121 * with <if-name><unit> being something like "bppp0", and <proto-name> 122 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 123 */ 124 125 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 126 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 127 128 #define CONF_REQ 1 /* PPP configure request */ 129 #define CONF_ACK 2 /* PPP configure acknowledge */ 130 #define CONF_NAK 3 /* PPP configure negative ack */ 131 #define CONF_REJ 4 /* PPP configure reject */ 132 #define TERM_REQ 5 /* PPP terminate request */ 133 #define TERM_ACK 6 /* PPP terminate acknowledge */ 134 #define CODE_REJ 7 /* PPP code reject */ 135 #define PROTO_REJ 8 /* PPP protocol reject */ 136 #define ECHO_REQ 9 /* PPP echo request */ 137 #define ECHO_REPLY 10 /* PPP echo reply */ 138 #define DISC_REQ 11 /* PPP discard request */ 139 140 #define LCP_OPT_MRU 1 /* maximum receive unit */ 141 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 142 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 143 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 144 #define LCP_OPT_MAGIC 5 /* magic number */ 145 #define LCP_OPT_RESERVED 6 /* reserved */ 146 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 147 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 148 149 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 150 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 151 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 152 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 153 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 154 155 #define IPCP_UPDATE_LIMIT 8 /* limit of pending IP updating job */ 156 #define IPCP_SET_ADDRS 1 /* marker for IP address setting job */ 157 #define IPCP_CLEAR_ADDRS 2 /* marker for IP address clearing job */ 158 159 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 160 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 161 162 #define PAP_REQ 1 /* PAP name/password request */ 163 #define PAP_ACK 2 /* PAP acknowledge */ 164 #define PAP_NAK 3 /* PAP fail */ 165 166 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 167 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 168 #define CHAP_SUCCESS 3 /* CHAP response ok */ 169 #define CHAP_FAILURE 4 /* CHAP response failed */ 170 171 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 172 173 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 174 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 175 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 176 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 177 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 178 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 179 180 /* states are named and numbered according to RFC 1661 */ 181 #define STATE_INITIAL 0 182 #define STATE_STARTING 1 183 #define STATE_CLOSED 2 184 #define STATE_STOPPED 3 185 #define STATE_CLOSING 4 186 #define STATE_STOPPING 5 187 #define STATE_REQ_SENT 6 188 #define STATE_ACK_RCVD 7 189 #define STATE_ACK_SENT 8 190 #define STATE_OPENED 9 191 192 struct ppp_header { 193 uint8_t address; 194 uint8_t control; 195 uint16_t protocol; 196 } __packed; 197 #define PPP_HEADER_LEN sizeof (struct ppp_header) 198 199 struct lcp_header { 200 uint8_t type; 201 uint8_t ident; 202 uint16_t len; 203 } __packed; 204 #define LCP_HEADER_LEN sizeof (struct lcp_header) 205 206 struct cisco_packet { 207 uint32_t type; 208 uint32_t par1; 209 uint32_t par2; 210 uint16_t rel; 211 uint16_t time0; 212 uint16_t time1; 213 } __packed; 214 #define CISCO_PACKET_LEN 18 215 216 /* 217 * We follow the spelling and capitalization of RFC 1661 here, to make 218 * it easier comparing with the standard. Please refer to this RFC in 219 * case you can't make sense out of these abbreviation; it will also 220 * explain the semantics related to the various events and actions. 221 */ 222 struct cp { 223 u_short proto; /* PPP control protocol number */ 224 u_char protoidx; /* index into state table in struct sppp */ 225 u_char flags; 226 #define CP_LCP 0x01 /* this is the LCP */ 227 #define CP_AUTH 0x02 /* this is an authentication protocol */ 228 #define CP_NCP 0x04 /* this is a NCP */ 229 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 230 const char *name; /* name of this control protocol */ 231 /* event handlers */ 232 void (*Up)(struct sppp *sp); 233 void (*Down)(struct sppp *sp); 234 void (*Open)(struct sppp *sp); 235 void (*Close)(struct sppp *sp); 236 void (*TO)(void *sp); 237 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 238 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 239 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 240 /* actions */ 241 void (*tlu)(struct sppp *sp); 242 void (*tld)(struct sppp *sp); 243 void (*tls)(struct sppp *sp); 244 void (*tlf)(struct sppp *sp); 245 void (*scr)(struct sppp *sp); 246 }; 247 248 static struct sppp *spppq; 249 static kmutex_t *spppq_lock = NULL; 250 static callout_t keepalive_ch; 251 252 #define SPPPQ_LOCK() if (spppq_lock) \ 253 mutex_enter(spppq_lock); 254 #define SPPPQ_UNLOCK() if (spppq_lock) \ 255 mutex_exit(spppq_lock); 256 257 #define SPPP_LOCK(_sp, _op) rw_enter(&(_sp)->pp_lock, (_op)) 258 #define SPPP_UNLOCK(_sp) rw_exit(&(_sp)->pp_lock) 259 #define SPPP_WLOCKED(_sp) rw_write_held(&(_sp)->pp_lock) 260 #define SPPP_UPGRADE(_sp) do{ \ 261 SPPP_UNLOCK(_sp); \ 262 SPPP_LOCK(_sp, RW_WRITER); \ 263 }while (0) 264 #define SPPP_DOWNGRADE(_sp) rw_downgrade(&(_sp)->pp_lock) 265 266 #ifdef INET 267 #ifndef SPPPSUBR_MPSAFE 268 /* 269 * The following disgusting hack gets around the problem that IP TOS 270 * can't be set yet. We want to put "interactive" traffic on a high 271 * priority queue. To decide if traffic is interactive, we check that 272 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 273 * 274 * XXX is this really still necessary? - joerg - 275 */ 276 static u_short interactive_ports[8] = { 277 0, 513, 0, 0, 278 0, 21, 0, 23, 279 }; 280 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 281 #endif /* SPPPSUBR_MPSAFE */ 282 #endif 283 284 /* almost every function needs these */ 285 #define STDDCL \ 286 struct ifnet *ifp = &sp->pp_if; \ 287 int debug = ifp->if_flags & IFF_DEBUG 288 289 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 290 const struct sockaddr *dst, const struct rtentry *rt); 291 292 static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2); 293 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 294 295 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 296 struct mbuf *m); 297 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 298 u_char ident, u_short len, void *data); 299 /* static void sppp_cp_timeout(void *arg); */ 300 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 301 int newstate); 302 static void sppp_auth_send(const struct cp *cp, 303 struct sppp *sp, unsigned int type, unsigned int id, 304 ...); 305 306 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 307 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 308 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 309 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 310 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 311 312 static void sppp_null(struct sppp *sp); 313 314 static void sppp_lcp_init(struct sppp *sp); 315 static void sppp_lcp_up(struct sppp *sp); 316 static void sppp_lcp_down(struct sppp *sp); 317 static void sppp_lcp_open(struct sppp *sp); 318 static void sppp_lcp_close(struct sppp *sp); 319 static void sppp_lcp_TO(void *sp); 320 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 321 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 322 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 323 static void sppp_lcp_tlu(struct sppp *sp); 324 static void sppp_lcp_tld(struct sppp *sp); 325 static void sppp_lcp_tls(struct sppp *sp); 326 static void sppp_lcp_tlf(struct sppp *sp); 327 static void sppp_lcp_scr(struct sppp *sp); 328 static void sppp_lcp_check_and_close(struct sppp *sp); 329 static int sppp_ncp_check(struct sppp *sp); 330 331 static void sppp_ipcp_init(struct sppp *sp); 332 static void sppp_ipcp_up(struct sppp *sp); 333 static void sppp_ipcp_down(struct sppp *sp); 334 static void sppp_ipcp_open(struct sppp *sp); 335 static void sppp_ipcp_close(struct sppp *sp); 336 static void sppp_ipcp_TO(void *sp); 337 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 338 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 339 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 340 static void sppp_ipcp_tlu(struct sppp *sp); 341 static void sppp_ipcp_tld(struct sppp *sp); 342 static void sppp_ipcp_tls(struct sppp *sp); 343 static void sppp_ipcp_tlf(struct sppp *sp); 344 static void sppp_ipcp_scr(struct sppp *sp); 345 346 static void sppp_ipv6cp_init(struct sppp *sp); 347 static void sppp_ipv6cp_up(struct sppp *sp); 348 static void sppp_ipv6cp_down(struct sppp *sp); 349 static void sppp_ipv6cp_open(struct sppp *sp); 350 static void sppp_ipv6cp_close(struct sppp *sp); 351 static void sppp_ipv6cp_TO(void *sp); 352 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 353 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 354 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 355 static void sppp_ipv6cp_tlu(struct sppp *sp); 356 static void sppp_ipv6cp_tld(struct sppp *sp); 357 static void sppp_ipv6cp_tls(struct sppp *sp); 358 static void sppp_ipv6cp_tlf(struct sppp *sp); 359 static void sppp_ipv6cp_scr(struct sppp *sp); 360 361 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 362 static void sppp_pap_init(struct sppp *sp); 363 static void sppp_pap_open(struct sppp *sp); 364 static void sppp_pap_close(struct sppp *sp); 365 static void sppp_pap_TO(void *sp); 366 static void sppp_pap_my_TO(void *sp); 367 static void sppp_pap_tlu(struct sppp *sp); 368 static void sppp_pap_tld(struct sppp *sp); 369 static void sppp_pap_scr(struct sppp *sp); 370 371 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 372 static void sppp_chap_init(struct sppp *sp); 373 static void sppp_chap_open(struct sppp *sp); 374 static void sppp_chap_close(struct sppp *sp); 375 static void sppp_chap_TO(void *sp); 376 static void sppp_chap_tlu(struct sppp *sp); 377 static void sppp_chap_tld(struct sppp *sp); 378 static void sppp_chap_scr(struct sppp *sp); 379 380 static const char *sppp_auth_type_name(u_short proto, u_char type); 381 static const char *sppp_cp_type_name(u_char type); 382 static const char *sppp_dotted_quad(uint32_t addr); 383 static const char *sppp_ipcp_opt_name(u_char opt); 384 #ifdef INET6 385 static const char *sppp_ipv6cp_opt_name(u_char opt); 386 #endif 387 static const char *sppp_lcp_opt_name(u_char opt); 388 static const char *sppp_phase_name(int phase); 389 static const char *sppp_proto_name(u_short proto); 390 static const char *sppp_state_name(int state); 391 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 392 #ifdef INET 393 static void sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, 394 uint32_t *srcmask); 395 static void sppp_set_ip_addrs_work(struct work *wk, struct sppp *sp); 396 static void sppp_set_ip_addrs(struct sppp *sp); 397 static void sppp_clear_ip_addrs_work(struct work *wk, struct sppp *sp); 398 static void sppp_clear_ip_addrs(struct sppp *sp); 399 static void sppp_update_ip_addrs_work(struct work *wk, void *arg); 400 #endif 401 static void sppp_keepalive(void *dummy); 402 static void sppp_phase_network(struct sppp *sp); 403 static void sppp_print_bytes(const u_char *p, u_short len); 404 static void sppp_print_string(const char *p, u_short len); 405 #ifdef INET6 406 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 407 struct in6_addr *dst, struct in6_addr *srcmask); 408 #ifdef IPV6CP_MYIFID_DYN 409 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 410 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 411 #endif 412 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 413 #endif 414 415 static void sppp_notify_up(struct sppp *); 416 static void sppp_notify_down(struct sppp *); 417 static void sppp_notify_tls_wlocked(struct sppp *); 418 static void sppp_notify_tlf_wlocked(struct sppp *); 419 #ifdef INET6 420 static void sppp_notify_con_wlocked(struct sppp *); 421 #endif 422 static void sppp_notify_con(struct sppp *); 423 424 static void sppp_notify_chg_wlocked(struct sppp *); 425 426 427 /* our control protocol descriptors */ 428 static const struct cp lcp = { 429 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 430 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 431 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 432 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 433 sppp_lcp_scr 434 }; 435 436 static const struct cp ipcp = { 437 PPP_IPCP, IDX_IPCP, 438 #ifdef INET 439 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 440 #else 441 0, 442 #endif 443 "ipcp", 444 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 445 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 446 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 447 sppp_ipcp_scr 448 }; 449 450 static const struct cp ipv6cp = { 451 PPP_IPV6CP, IDX_IPV6CP, 452 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 453 CP_NCP, 454 #else 455 0, 456 #endif 457 "ipv6cp", 458 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 459 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 460 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 461 sppp_ipv6cp_scr 462 }; 463 464 static const struct cp pap = { 465 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 466 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 467 sppp_pap_TO, 0, 0, 0, 468 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 469 sppp_pap_scr 470 }; 471 472 static const struct cp chap = { 473 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 474 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 475 sppp_chap_TO, 0, 0, 0, 476 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 477 sppp_chap_scr 478 }; 479 480 static const struct cp *cps[IDX_COUNT] = { 481 &lcp, /* IDX_LCP */ 482 &ipcp, /* IDX_IPCP */ 483 &ipv6cp, /* IDX_IPV6CP */ 484 &pap, /* IDX_PAP */ 485 &chap, /* IDX_CHAP */ 486 }; 487 488 static void 489 sppp_change_phase(struct sppp *sp, int phase) 490 { 491 STDDCL; 492 493 KASSERT(SPPP_WLOCKED(sp)); 494 495 if (sp->pp_phase == phase) 496 return; 497 498 sp->pp_phase = phase; 499 500 if (phase == SPPP_PHASE_NETWORK) 501 if_link_state_change(ifp, LINK_STATE_UP); 502 else 503 if_link_state_change(ifp, LINK_STATE_DOWN); 504 505 if (debug) 506 { 507 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 508 sppp_phase_name(sp->pp_phase)); 509 } 510 } 511 512 /* 513 * Exported functions, comprising our interface to the lower layer. 514 */ 515 516 /* 517 * Process the received packet. 518 */ 519 void 520 sppp_input(struct ifnet *ifp, struct mbuf *m) 521 { 522 struct ppp_header *h = NULL; 523 pktqueue_t *pktq = NULL; 524 struct ifqueue *inq = NULL; 525 uint16_t protocol; 526 struct sppp *sp = (struct sppp *)ifp; 527 int debug = ifp->if_flags & IFF_DEBUG; 528 int isr = 0; 529 530 SPPP_LOCK(sp, RW_READER); 531 532 if (ifp->if_flags & IFF_UP) { 533 /* Count received bytes, add hardware framing */ 534 ifp->if_ibytes += m->m_pkthdr.len + sp->pp_framebytes; 535 /* Note time of last receive */ 536 sp->pp_last_receive = time_uptime; 537 } 538 539 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 540 /* Too small packet, drop it. */ 541 if (debug) 542 log(LOG_DEBUG, 543 "%s: input packet is too small, %d bytes\n", 544 ifp->if_xname, m->m_pkthdr.len); 545 drop: 546 ++ifp->if_ierrors; 547 ++ifp->if_iqdrops; 548 m_freem(m); 549 SPPP_UNLOCK(sp); 550 return; 551 } 552 553 if (sp->pp_flags & PP_NOFRAMING) { 554 memcpy(&protocol, mtod(m, void *), 2); 555 protocol = ntohs(protocol); 556 m_adj(m, 2); 557 } else { 558 559 /* Get PPP header. */ 560 h = mtod(m, struct ppp_header *); 561 m_adj(m, PPP_HEADER_LEN); 562 563 switch (h->address) { 564 case PPP_ALLSTATIONS: 565 if (h->control != PPP_UI) 566 goto invalid; 567 if (sp->pp_flags & PP_CISCO) { 568 if (debug) 569 log(LOG_DEBUG, 570 "%s: PPP packet in Cisco mode " 571 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 572 ifp->if_xname, 573 h->address, h->control, ntohs(h->protocol)); 574 goto drop; 575 } 576 break; 577 case CISCO_MULTICAST: 578 case CISCO_UNICAST: 579 /* Don't check the control field here (RFC 1547). */ 580 if (! (sp->pp_flags & PP_CISCO)) { 581 if (debug) 582 log(LOG_DEBUG, 583 "%s: Cisco packet in PPP mode " 584 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 585 ifp->if_xname, 586 h->address, h->control, ntohs(h->protocol)); 587 goto drop; 588 } 589 switch (ntohs(h->protocol)) { 590 default: 591 ++ifp->if_noproto; 592 goto invalid; 593 case CISCO_KEEPALIVE: 594 SPPP_UNLOCK(sp); 595 sppp_cisco_input((struct sppp *) ifp, m); 596 m_freem(m); 597 return; 598 #ifdef INET 599 case ETHERTYPE_IP: 600 pktq = ip_pktq; 601 break; 602 #endif 603 #ifdef INET6 604 case ETHERTYPE_IPV6: 605 pktq = ip6_pktq; 606 break; 607 #endif 608 } 609 goto queue_pkt; 610 default: /* Invalid PPP packet. */ 611 invalid: 612 if (debug) 613 log(LOG_DEBUG, 614 "%s: invalid input packet " 615 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 616 ifp->if_xname, 617 h->address, h->control, ntohs(h->protocol)); 618 goto drop; 619 } 620 protocol = ntohs(h->protocol); 621 } 622 623 switch (protocol) { 624 default: 625 if (sp->state[IDX_LCP] == STATE_OPENED) { 626 uint16_t prot = htons(protocol); 627 628 SPPP_UPGRADE(sp); 629 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 630 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 631 &prot); 632 SPPP_DOWNGRADE(sp); 633 } 634 if (debug) 635 log(LOG_DEBUG, 636 "%s: invalid input protocol " 637 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol)); 638 ++ifp->if_noproto; 639 goto drop; 640 case PPP_LCP: 641 SPPP_UNLOCK(sp); 642 sppp_cp_input(&lcp, sp, m); 643 m_freem(m); 644 return; 645 case PPP_PAP: 646 SPPP_UNLOCK(sp); 647 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 648 sppp_pap_input(sp, m); 649 } 650 m_freem(m); 651 return; 652 case PPP_CHAP: 653 SPPP_UNLOCK(sp); 654 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 655 sppp_chap_input(sp, m); 656 } 657 m_freem(m); 658 return; 659 #ifdef INET 660 case PPP_IPCP: 661 SPPP_UNLOCK(sp); 662 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 663 sppp_cp_input(&ipcp, sp, m); 664 } 665 m_freem(m); 666 return; 667 case PPP_IP: 668 if (sp->state[IDX_IPCP] == STATE_OPENED) { 669 sp->pp_last_activity = time_uptime; 670 pktq = ip_pktq; 671 } 672 break; 673 #endif 674 #ifdef INET6 675 case PPP_IPV6CP: 676 SPPP_UNLOCK(sp); 677 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 678 sppp_cp_input(&ipv6cp, sp, m); 679 } 680 m_freem(m); 681 return; 682 683 case PPP_IPV6: 684 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 685 sp->pp_last_activity = time_uptime; 686 pktq = ip6_pktq; 687 } 688 break; 689 #endif 690 } 691 692 queue_pkt: 693 if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) { 694 goto drop; 695 } 696 697 /* Check queue. */ 698 if (__predict_true(pktq)) { 699 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 700 goto drop; 701 } 702 SPPP_UNLOCK(sp); 703 return; 704 } 705 706 SPPP_UNLOCK(sp); 707 708 IFQ_LOCK(inq); 709 if (IF_QFULL(inq)) { 710 /* Queue overflow. */ 711 IF_DROP(inq); 712 IFQ_UNLOCK(inq); 713 if (debug) 714 log(LOG_DEBUG, "%s: protocol queue overflow\n", 715 ifp->if_xname); 716 717 SPPP_LOCK(sp, RW_READER); 718 goto drop; 719 } 720 IF_ENQUEUE(inq, m); 721 IFQ_UNLOCK(inq); 722 schednetisr(isr); 723 } 724 725 /* 726 * Enqueue transmit packet. 727 */ 728 static int 729 sppp_output(struct ifnet *ifp, struct mbuf *m, 730 const struct sockaddr *dst, const struct rtentry *rt) 731 { 732 struct sppp *sp = (struct sppp *) ifp; 733 struct ppp_header *h = NULL; 734 #ifndef SPPPSUBR_MPSAFE 735 struct ifqueue *ifq = NULL; /* XXX */ 736 #endif 737 int s, error = 0; 738 uint16_t protocol; 739 size_t pktlen; 740 741 s = splnet(); 742 SPPP_LOCK(sp, RW_READER); 743 744 sp->pp_last_activity = time_uptime; 745 746 if ((ifp->if_flags & IFF_UP) == 0 || 747 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 748 SPPP_UNLOCK(sp); 749 splx(s); 750 751 m_freem(m); 752 753 return (ENETDOWN); 754 } 755 756 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 757 /* 758 * Interface is not yet running, but auto-dial. Need 759 * to start LCP for it. 760 */ 761 ifp->if_flags |= IFF_RUNNING; 762 763 SPPP_UNLOCK(sp); 764 splx(s); 765 766 SPPP_LOCK(sp, RW_WRITER); 767 lcp.Open(sp); 768 SPPP_UNLOCK(sp); 769 770 s = splnet(); 771 SPPP_LOCK(sp, RW_READER); 772 } 773 774 /* 775 * If the queueing discipline needs packet classification, 776 * do it before prepending link headers. 777 */ 778 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family); 779 780 #ifdef INET 781 if (dst->sa_family == AF_INET) { 782 struct ip *ip = NULL; 783 #ifndef SPPPSUBR_MPSAFE 784 struct tcphdr *th = NULL; 785 #endif 786 787 if (m->m_len >= sizeof(struct ip)) { 788 ip = mtod(m, struct ip *); 789 #ifndef SPPPSUBR_MPSAFE 790 if (ip->ip_p == IPPROTO_TCP && 791 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 792 sizeof(struct tcphdr)) { 793 th = (struct tcphdr *) 794 ((char *)ip + (ip->ip_hl << 2)); 795 } 796 #endif 797 } else 798 ip = NULL; 799 800 /* 801 * When using dynamic local IP address assignment by using 802 * 0.0.0.0 as a local address, the first TCP session will 803 * not connect because the local TCP checksum is computed 804 * using 0.0.0.0 which will later become our real IP address 805 * so the TCP checksum computed at the remote end will 806 * become invalid. So we 807 * - don't let packets with src ip addr 0 thru 808 * - we flag TCP packets with src ip 0 as an error 809 */ 810 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 811 uint8_t proto = ip->ip_p; 812 813 SPPP_UNLOCK(sp); 814 splx(s); 815 816 m_freem(m); 817 if (proto == IPPROTO_TCP) 818 return (EADDRNOTAVAIL); 819 else 820 return (0); 821 } 822 823 #ifndef SPPPSUBR_MPSAFE 824 /* 825 * Put low delay, telnet, rlogin and ftp control packets 826 * in front of the queue. 827 */ 828 if (!IF_QFULL(&sp->pp_fastq) && 829 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 830 (th && (INTERACTIVE(ntohs(th->th_sport)) || 831 INTERACTIVE(ntohs(th->th_dport)))))) 832 ifq = &sp->pp_fastq; 833 #endif /* !SPPPSUBR_MPSAFE */ 834 } 835 #endif 836 837 #ifdef INET6 838 if (dst->sa_family == AF_INET6) { 839 /* XXX do something tricky here? */ 840 } 841 #endif 842 843 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 844 /* 845 * Prepend general data packet PPP header. For now, IP only. 846 */ 847 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 848 if (! m) { 849 if (ifp->if_flags & IFF_DEBUG) 850 log(LOG_DEBUG, "%s: no memory for transmit header\n", 851 ifp->if_xname); 852 ++ifp->if_oerrors; 853 SPPP_UNLOCK(sp); 854 splx(s); 855 return (ENOBUFS); 856 } 857 /* 858 * May want to check size of packet 859 * (albeit due to the implementation it's always enough) 860 */ 861 h = mtod(m, struct ppp_header *); 862 if (sp->pp_flags & PP_CISCO) { 863 h->address = CISCO_UNICAST; /* unicast address */ 864 h->control = 0; 865 } else { 866 h->address = PPP_ALLSTATIONS; /* broadcast address */ 867 h->control = PPP_UI; /* Unnumbered Info */ 868 } 869 } 870 871 switch (dst->sa_family) { 872 #ifdef INET 873 case AF_INET: /* Internet Protocol */ 874 if (sp->pp_flags & PP_CISCO) 875 protocol = htons(ETHERTYPE_IP); 876 else { 877 /* 878 * Don't choke with an ENETDOWN early. It's 879 * possible that we just started dialing out, 880 * so don't drop the packet immediately. If 881 * we notice that we run out of buffer space 882 * below, we will however remember that we are 883 * not ready to carry IP packets, and return 884 * ENETDOWN, as opposed to ENOBUFS. 885 */ 886 protocol = htons(PPP_IP); 887 if (sp->state[IDX_IPCP] != STATE_OPENED) 888 error = ENETDOWN; 889 } 890 break; 891 #endif 892 #ifdef INET6 893 case AF_INET6: /* Internet Protocol version 6 */ 894 if (sp->pp_flags & PP_CISCO) 895 protocol = htons(ETHERTYPE_IPV6); 896 else { 897 /* 898 * Don't choke with an ENETDOWN early. It's 899 * possible that we just started dialing out, 900 * so don't drop the packet immediately. If 901 * we notice that we run out of buffer space 902 * below, we will however remember that we are 903 * not ready to carry IP packets, and return 904 * ENETDOWN, as opposed to ENOBUFS. 905 */ 906 protocol = htons(PPP_IPV6); 907 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 908 error = ENETDOWN; 909 } 910 break; 911 #endif 912 default: 913 m_freem(m); 914 ++ifp->if_oerrors; 915 SPPP_UNLOCK(sp); 916 splx(s); 917 return (EAFNOSUPPORT); 918 } 919 920 if (sp->pp_flags & PP_NOFRAMING) { 921 M_PREPEND(m, 2, M_DONTWAIT); 922 if (m == NULL) { 923 if (ifp->if_flags & IFF_DEBUG) 924 log(LOG_DEBUG, "%s: no memory for transmit header\n", 925 ifp->if_xname); 926 ++ifp->if_oerrors; 927 SPPP_UNLOCK(sp); 928 splx(s); 929 return (ENOBUFS); 930 } 931 *mtod(m, uint16_t *) = protocol; 932 } else { 933 h->protocol = protocol; 934 } 935 936 pktlen = m->m_pkthdr.len; 937 #ifdef SPPPSUBR_MPSAFE 938 SPPP_UNLOCK(sp); 939 error = if_transmit_lock(ifp, m); 940 SPPP_LOCK(sp, RW_READER); 941 if (error == 0) 942 ifp->if_obytes += pktlen + sp->pp_framebytes; 943 #else /* !SPPPSUBR_MPSAFE */ 944 error = ifq_enqueue2(ifp, ifq, m); 945 946 if (error == 0) { 947 /* 948 * Count output packets and bytes. 949 * The packet length includes header + additional hardware 950 * framing according to RFC 1333. 951 */ 952 if (!(ifp->if_flags & IFF_OACTIVE)) { 953 SPPP_UNLOCK(sp); 954 if_start_lock(ifp); 955 SPPP_LOCK(sp, RW_READER); 956 } 957 ifp->if_obytes += pktlen + sp->pp_framebytes; 958 } 959 #endif /* !SPPPSUBR_MPSAFE */ 960 SPPP_UNLOCK(sp); 961 splx(s); 962 return error; 963 } 964 965 static int 966 sppp_mediachange(struct ifnet *ifp) 967 { 968 969 return (0); 970 } 971 972 static void 973 sppp_mediastatus(struct ifnet *ifp, struct ifmediareq *imr) 974 { 975 struct sppp *sp = (struct sppp *)ifp; 976 977 SPPP_LOCK(sp, RW_WRITER); 978 979 switch (ifp->if_link_state) { 980 case LINK_STATE_UP: 981 imr->ifm_status = IFM_AVALID | IFM_ACTIVE; 982 break; 983 case LINK_STATE_DOWN: 984 imr->ifm_status = IFM_AVALID; 985 break; 986 default: 987 /* Should be impossible as we set link state down in attach. */ 988 imr->ifm_status = 0; 989 break; 990 } 991 992 SPPP_UNLOCK(sp); 993 } 994 995 void 996 sppp_attach(struct ifnet *ifp) 997 { 998 struct sppp *sp = (struct sppp *) ifp; 999 1000 /* Initialize keepalive handler. */ 1001 if (! spppq) { 1002 callout_init(&keepalive_ch, CALLOUT_MPSAFE); 1003 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 1004 } 1005 1006 if (! spppq_lock) 1007 spppq_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_SOFTNET); 1008 1009 /* Insert new entry into the keepalive list. */ 1010 sp->pp_next = spppq; 1011 spppq = sp; 1012 1013 sp->pp_if.if_type = IFT_PPP; 1014 sp->pp_if.if_output = sppp_output; 1015 sp->pp_fastq.ifq_maxlen = 32; 1016 sp->pp_cpq.ifq_maxlen = 20; 1017 sp->pp_loopcnt = 0; 1018 sp->pp_alivecnt = 0; 1019 sp->pp_last_activity = 0; 1020 sp->pp_last_receive = 0; 1021 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 1022 sp->pp_max_noreceive = DEFAULT_NORECV_TIME; 1023 sp->pp_idle_timeout = 0; 1024 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq)); 1025 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq)); 1026 sp->pp_auth_failures = 0; 1027 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 1028 sp->pp_phase = SPPP_PHASE_DEAD; 1029 sp->pp_up = sppp_notify_up; 1030 sp->pp_down = sppp_notify_down; 1031 rw_init(&sp->pp_lock); 1032 1033 if_alloc_sadl(ifp); 1034 1035 /* Lets not beat about the bush, we know we're down. */ 1036 ifp->if_link_state = LINK_STATE_DOWN; 1037 /* There is no media for PPP, but it's needed to report link status. */ 1038 ifmedia_init(&sp->pp_im, 0, sppp_mediachange, sppp_mediastatus); 1039 1040 memset(&sp->myauth, 0, sizeof sp->myauth); 1041 memset(&sp->hisauth, 0, sizeof sp->hisauth); 1042 SPPP_LOCK(sp, RW_WRITER); 1043 sppp_lcp_init(sp); 1044 sppp_ipcp_init(sp); 1045 sppp_ipv6cp_init(sp); 1046 sppp_pap_init(sp); 1047 sppp_chap_init(sp); 1048 SPPP_UNLOCK(sp); 1049 } 1050 1051 void 1052 sppp_detach(struct ifnet *ifp) 1053 { 1054 struct sppp **q, *p, *sp = (struct sppp *) ifp; 1055 1056 /* Remove the entry from the keepalive list. */ 1057 SPPPQ_LOCK(); 1058 for (q = &spppq; (p = *q); q = &p->pp_next) 1059 if (p == sp) { 1060 *q = p->pp_next; 1061 break; 1062 } 1063 SPPPQ_UNLOCK(); 1064 1065 if (! spppq) { 1066 /* Stop keepalive handler. */ 1067 callout_stop(&keepalive_ch); 1068 mutex_obj_free(spppq_lock); 1069 spppq_lock = NULL; 1070 } 1071 1072 SPPP_LOCK(sp, RW_WRITER); 1073 1074 /* to avoid workqueue enqueued */ 1075 atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1); 1076 workqueue_destroy(sp->ipcp.update_addrs_wq); 1077 pcq_destroy(sp->ipcp.update_addrs_q); 1078 1079 callout_stop(&sp->ch[IDX_LCP]); 1080 callout_stop(&sp->ch[IDX_IPCP]); 1081 callout_stop(&sp->ch[IDX_PAP]); 1082 callout_stop(&sp->ch[IDX_CHAP]); 1083 #ifdef INET6 1084 callout_stop(&sp->ch[IDX_IPV6CP]); 1085 #endif 1086 callout_stop(&sp->pap_my_to_ch); 1087 1088 /* free authentication info */ 1089 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 1090 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 1091 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 1092 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 1093 SPPP_UNLOCK(sp); 1094 rw_destroy(&sp->pp_lock); 1095 1096 /* Safety - shouldn't be needed as there is no media to set. */ 1097 ifmedia_delete_instance(&sp->pp_im, IFM_INST_ANY); 1098 } 1099 1100 /* 1101 * Flush the interface output queue. 1102 */ 1103 void 1104 sppp_flush(struct ifnet *ifp) 1105 { 1106 struct sppp *sp = (struct sppp *) ifp; 1107 1108 SPPP_LOCK(sp, RW_WRITER); 1109 IFQ_PURGE(&sp->pp_if.if_snd); 1110 IF_PURGE(&sp->pp_fastq); 1111 IF_PURGE(&sp->pp_cpq); 1112 SPPP_UNLOCK(sp); 1113 } 1114 1115 /* 1116 * Check if the output queue is empty. 1117 */ 1118 int 1119 sppp_isempty(struct ifnet *ifp) 1120 { 1121 struct sppp *sp = (struct sppp *) ifp; 1122 int empty, s; 1123 1124 s = splnet(); 1125 SPPP_LOCK(sp, RW_READER); 1126 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 1127 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 1128 SPPP_UNLOCK(sp); 1129 splx(s); 1130 return (empty); 1131 } 1132 1133 /* 1134 * Get next packet to send. 1135 */ 1136 struct mbuf * 1137 sppp_dequeue(struct ifnet *ifp) 1138 { 1139 struct sppp *sp = (struct sppp *) ifp; 1140 struct mbuf *m; 1141 int s; 1142 1143 s = splnet(); 1144 SPPP_LOCK(sp, RW_WRITER); 1145 /* 1146 * Process only the control protocol queue until we have at 1147 * least one NCP open. 1148 * 1149 * Do always serve all three queues in Cisco mode. 1150 */ 1151 IF_DEQUEUE(&sp->pp_cpq, m); 1152 if (m == NULL && 1153 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) { 1154 IF_DEQUEUE(&sp->pp_fastq, m); 1155 if (m == NULL) 1156 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 1157 } 1158 SPPP_UNLOCK(sp); 1159 splx(s); 1160 return m; 1161 } 1162 1163 /* 1164 * Process an ioctl request. Called on low priority level. 1165 */ 1166 int 1167 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1168 { 1169 struct lwp *l = curlwp; /* XXX */ 1170 struct ifreq *ifr = (struct ifreq *) data; 1171 struct ifaddr *ifa = (struct ifaddr *) data; 1172 struct sppp *sp = (struct sppp *) ifp; 1173 int s, error=0, going_up, going_down, newmode; 1174 1175 s = splnet(); 1176 switch (cmd) { 1177 case SIOCINITIFADDR: 1178 ifa->ifa_rtrequest = p2p_rtrequest; 1179 break; 1180 1181 case SIOCSIFFLAGS: 1182 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1183 break; 1184 1185 SPPP_LOCK(sp, RW_WRITER); 1186 going_up = ifp->if_flags & IFF_UP && 1187 (ifp->if_flags & IFF_RUNNING) == 0; 1188 going_down = (ifp->if_flags & IFF_UP) == 0 && 1189 ifp->if_flags & IFF_RUNNING; 1190 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1191 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1192 /* sanity */ 1193 newmode = IFF_PASSIVE; 1194 ifp->if_flags &= ~IFF_AUTO; 1195 } 1196 1197 if (going_up || going_down) { 1198 lcp.Close(sp); 1199 } 1200 if (going_up && newmode == 0) { 1201 /* neither auto-dial nor passive */ 1202 ifp->if_flags |= IFF_RUNNING; 1203 if (!(sp->pp_flags & PP_CISCO)) 1204 lcp.Open(sp); 1205 } else if (going_down) { 1206 SPPP_UNLOCK(sp); 1207 sppp_flush(ifp); 1208 SPPP_LOCK(sp, RW_WRITER); 1209 1210 ifp->if_flags &= ~IFF_RUNNING; 1211 } 1212 SPPP_UNLOCK(sp); 1213 break; 1214 1215 case SIOCSIFMTU: 1216 if (ifr->ifr_mtu < PPP_MINMRU || 1217 ifr->ifr_mtu > sp->lcp.their_mru) { 1218 error = EINVAL; 1219 break; 1220 } 1221 /*FALLTHROUGH*/ 1222 case SIOCGIFMTU: 1223 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1224 error = 0; 1225 break; 1226 case SIOCADDMULTI: 1227 case SIOCDELMULTI: 1228 break; 1229 1230 case SPPPSETAUTHCFG: 1231 case SPPPSETLCPCFG: 1232 case SPPPSETIDLETO: 1233 case SPPPSETAUTHFAILURE: 1234 case SPPPSETDNSOPTS: 1235 case SPPPSETKEEPALIVE: 1236 #if defined(COMPAT_50) || defined(MODULAR) 1237 case __SPPPSETIDLETO50: 1238 case __SPPPSETKEEPALIVE50: 1239 #endif /* COMPAT_50 || MODULAR */ 1240 error = kauth_authorize_network(l->l_cred, 1241 KAUTH_NETWORK_INTERFACE, 1242 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1243 NULL); 1244 if (error) 1245 break; 1246 error = sppp_params(sp, cmd, data); 1247 break; 1248 1249 case SPPPGETAUTHCFG: 1250 case SPPPGETLCPCFG: 1251 case SPPPGETAUTHFAILURES: 1252 error = kauth_authorize_network(l->l_cred, 1253 KAUTH_NETWORK_INTERFACE, 1254 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1255 NULL); 1256 if (error) 1257 break; 1258 error = sppp_params(sp, cmd, data); 1259 break; 1260 1261 case SPPPGETSTATUS: 1262 case SPPPGETSTATUSNCP: 1263 case SPPPGETIDLETO: 1264 case SPPPGETDNSOPTS: 1265 case SPPPGETDNSADDRS: 1266 case SPPPGETKEEPALIVE: 1267 #if defined(COMPAT_50) || defined(MODULAR) 1268 case __SPPPGETIDLETO50: 1269 case __SPPPGETKEEPALIVE50: 1270 #endif /* COMPAT_50 || MODULAR */ 1271 error = sppp_params(sp, cmd, data); 1272 break; 1273 1274 case SIOCGIFMEDIA: 1275 error = ifmedia_ioctl(ifp, ifr, &sp->pp_im, cmd); 1276 break; 1277 1278 default: 1279 error = ifioctl_common(ifp, cmd, data); 1280 break; 1281 } 1282 splx(s); 1283 return (error); 1284 } 1285 1286 1287 /* 1288 * Cisco framing implementation. 1289 */ 1290 1291 /* 1292 * Handle incoming Cisco keepalive protocol packets. 1293 */ 1294 static void 1295 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1296 { 1297 STDDCL; 1298 struct cisco_packet *h; 1299 #ifdef INET 1300 uint32_t me, mymask = 0; /* XXX: GCC */ 1301 #endif 1302 1303 SPPP_LOCK(sp, RW_WRITER); 1304 1305 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1306 if (debug) 1307 log(LOG_DEBUG, 1308 "%s: cisco invalid packet length: %d bytes\n", 1309 ifp->if_xname, m->m_pkthdr.len); 1310 SPPP_UNLOCK(sp); 1311 return; 1312 } 1313 h = mtod(m, struct cisco_packet *); 1314 if (debug) 1315 log(LOG_DEBUG, 1316 "%s: cisco input: %d bytes " 1317 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1318 ifp->if_xname, m->m_pkthdr.len, 1319 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1320 (u_int)h->time0, (u_int)h->time1); 1321 switch (ntohl(h->type)) { 1322 default: 1323 if (debug) 1324 addlog("%s: cisco unknown packet type: 0x%x\n", 1325 ifp->if_xname, ntohl(h->type)); 1326 break; 1327 case CISCO_ADDR_REPLY: 1328 /* Reply on address request, ignore */ 1329 break; 1330 case CISCO_KEEPALIVE_REQ: 1331 sp->pp_alivecnt = 0; 1332 sp->pp_rseq[IDX_LCP] = ntohl(h->par1); 1333 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1334 /* Local and remote sequence numbers are equal. 1335 * Probably, the line is in loopback mode. */ 1336 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1337 printf ("%s: loopback\n", 1338 ifp->if_xname); 1339 sp->pp_loopcnt = 0; 1340 if (ifp->if_flags & IFF_UP) { 1341 SPPP_UNLOCK(sp); 1342 if_down(ifp); 1343 SPPP_LOCK(sp, RW_WRITER); 1344 1345 IF_PURGE(&sp->pp_cpq); 1346 } 1347 } 1348 ++sp->pp_loopcnt; 1349 1350 /* Generate new local sequence number */ 1351 sp->pp_seq[IDX_LCP] = cprng_fast32(); 1352 break; 1353 } 1354 sp->pp_loopcnt = 0; 1355 if (! (ifp->if_flags & IFF_UP) && 1356 (ifp->if_flags & IFF_RUNNING)) { 1357 SPPP_UNLOCK(sp); 1358 if_up(ifp); 1359 SPPP_LOCK(sp, RW_WRITER); 1360 } 1361 break; 1362 case CISCO_ADDR_REQ: 1363 #ifdef INET 1364 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1365 if (me != 0L) 1366 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1367 #endif 1368 break; 1369 } 1370 SPPP_UNLOCK(sp); 1371 } 1372 1373 /* 1374 * Send Cisco keepalive packet. 1375 */ 1376 static void 1377 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1378 { 1379 STDDCL; 1380 struct ppp_header *h; 1381 struct cisco_packet *ch; 1382 struct mbuf *m; 1383 uint32_t t; 1384 1385 KASSERT(SPPP_WLOCKED(sp)); 1386 1387 t = time_uptime * 1000; 1388 MGETHDR(m, M_DONTWAIT, MT_DATA); 1389 if (! m) 1390 return; 1391 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1392 m_reset_rcvif(m); 1393 1394 h = mtod(m, struct ppp_header *); 1395 h->address = CISCO_MULTICAST; 1396 h->control = 0; 1397 h->protocol = htons(CISCO_KEEPALIVE); 1398 1399 ch = (struct cisco_packet *)(h + 1); 1400 ch->type = htonl(type); 1401 ch->par1 = htonl(par1); 1402 ch->par2 = htonl(par2); 1403 ch->rel = -1; 1404 1405 ch->time0 = htons((u_short)(t >> 16)); 1406 ch->time1 = htons((u_short) t); 1407 1408 if (debug) 1409 log(LOG_DEBUG, 1410 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1411 ifp->if_xname, ntohl(ch->type), ch->par1, 1412 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1413 (u_int)ch->time1); 1414 1415 if (IF_QFULL(&sp->pp_cpq)) { 1416 IF_DROP(&sp->pp_fastq); 1417 IF_DROP(&ifp->if_snd); 1418 m_freem(m); 1419 ++ifp->if_oerrors; 1420 return; 1421 } 1422 1423 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1424 IF_ENQUEUE(&sp->pp_cpq, m); 1425 1426 if (! (ifp->if_flags & IFF_OACTIVE)) { 1427 SPPP_UNLOCK(sp); 1428 if_start_lock(ifp); 1429 SPPP_LOCK(sp, RW_WRITER); 1430 } 1431 } 1432 1433 /* 1434 * PPP protocol implementation. 1435 */ 1436 1437 /* 1438 * Send PPP control protocol packet. 1439 */ 1440 static void 1441 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1442 u_char ident, u_short len, void *data) 1443 { 1444 STDDCL; 1445 struct lcp_header *lh; 1446 struct mbuf *m; 1447 size_t pkthdrlen; 1448 1449 KASSERT(SPPP_WLOCKED(sp)); 1450 1451 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1452 1453 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1454 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1455 MGETHDR(m, M_DONTWAIT, MT_DATA); 1456 if (! m) { 1457 return; 1458 } 1459 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1460 m_reset_rcvif(m); 1461 1462 if (sp->pp_flags & PP_NOFRAMING) { 1463 *mtod(m, uint16_t *) = htons(proto); 1464 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1465 } else { 1466 struct ppp_header *h; 1467 h = mtod(m, struct ppp_header *); 1468 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1469 h->control = PPP_UI; /* Unnumbered Info */ 1470 h->protocol = htons(proto); /* Link Control Protocol */ 1471 lh = (struct lcp_header *)(h + 1); 1472 } 1473 lh->type = type; 1474 lh->ident = ident; 1475 lh->len = htons(LCP_HEADER_LEN + len); 1476 if (len) 1477 memcpy(lh + 1, data, len); 1478 1479 if (debug) { 1480 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1481 ifp->if_xname, 1482 sppp_proto_name(proto), 1483 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len)); 1484 if (len) 1485 sppp_print_bytes((u_char *)(lh + 1), len); 1486 addlog(">\n"); 1487 } 1488 if (IF_QFULL(&sp->pp_cpq)) { 1489 IF_DROP(&sp->pp_fastq); 1490 IF_DROP(&ifp->if_snd); 1491 m_freem(m); 1492 ++ifp->if_oerrors; 1493 return; 1494 } 1495 1496 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1497 IF_ENQUEUE(&sp->pp_cpq, m); 1498 1499 1500 if (! (ifp->if_flags & IFF_OACTIVE)) { 1501 SPPP_UNLOCK(sp); 1502 if_start_lock(ifp); 1503 SPPP_LOCK(sp, RW_WRITER); 1504 } 1505 } 1506 1507 /* 1508 * Handle incoming PPP control protocol packets. 1509 */ 1510 static void 1511 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1512 { 1513 STDDCL; 1514 struct lcp_header *h; 1515 int printlen, len = m->m_pkthdr.len; 1516 int rv; 1517 u_char *p; 1518 uint32_t u32; 1519 1520 SPPP_LOCK(sp, RW_WRITER); 1521 1522 if (len < 4) { 1523 if (debug) 1524 log(LOG_DEBUG, 1525 "%s: %s invalid packet length: %d bytes\n", 1526 ifp->if_xname, cp->name, len); 1527 SPPP_UNLOCK(sp); 1528 return; 1529 } 1530 h = mtod(m, struct lcp_header *); 1531 if (debug) { 1532 printlen = ntohs(h->len); 1533 log(LOG_DEBUG, 1534 "%s: %s input(%s): <%s id=0x%x len=%d", 1535 ifp->if_xname, cp->name, 1536 sppp_state_name(sp->state[cp->protoidx]), 1537 sppp_cp_type_name(h->type), h->ident, printlen); 1538 if (len < printlen) 1539 printlen = len; 1540 if (printlen > 4) 1541 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1542 addlog(">\n"); 1543 } 1544 if (len > ntohs(h->len)) 1545 len = ntohs(h->len); 1546 p = (u_char *)(h + 1); 1547 switch (h->type) { 1548 case CONF_REQ: 1549 if (len < 4) { 1550 if (debug) 1551 addlog("%s: %s invalid conf-req length %d\n", 1552 ifp->if_xname, cp->name, 1553 len); 1554 ++ifp->if_ierrors; 1555 break; 1556 } 1557 /* handle states where RCR doesn't get a SCA/SCN */ 1558 switch (sp->state[cp->protoidx]) { 1559 case STATE_CLOSING: 1560 case STATE_STOPPING: 1561 SPPP_UNLOCK(sp); 1562 return; 1563 case STATE_CLOSED: 1564 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1565 0, 0); 1566 SPPP_UNLOCK(sp); 1567 return; 1568 } 1569 rv = (cp->RCR)(sp, h, len); 1570 if (rv < 0) { 1571 /* fatal error, shut down */ 1572 (cp->tld)(sp); 1573 sppp_lcp_tlf(sp); 1574 SPPP_UNLOCK(sp); 1575 return; 1576 } 1577 switch (sp->state[cp->protoidx]) { 1578 case STATE_OPENED: 1579 (cp->tld)(sp); 1580 (cp->scr)(sp); 1581 /* fall through... */ 1582 case STATE_ACK_SENT: 1583 case STATE_REQ_SENT: 1584 sppp_cp_change_state(cp, sp, rv? 1585 STATE_ACK_SENT: STATE_REQ_SENT); 1586 break; 1587 case STATE_STOPPED: 1588 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1589 (cp->scr)(sp); 1590 sppp_cp_change_state(cp, sp, rv? 1591 STATE_ACK_SENT: STATE_REQ_SENT); 1592 break; 1593 case STATE_ACK_RCVD: 1594 if (rv) { 1595 sppp_cp_change_state(cp, sp, STATE_OPENED); 1596 if (debug) 1597 log(LOG_DEBUG, "%s: %s tlu\n", 1598 ifp->if_xname, 1599 cp->name); 1600 (cp->tlu)(sp); 1601 } else 1602 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1603 break; 1604 default: 1605 printf("%s: %s illegal %s in state %s\n", 1606 ifp->if_xname, cp->name, 1607 sppp_cp_type_name(h->type), 1608 sppp_state_name(sp->state[cp->protoidx])); 1609 ++ifp->if_ierrors; 1610 } 1611 break; 1612 case CONF_ACK: 1613 if (h->ident != sp->confid[cp->protoidx]) { 1614 if (debug) 1615 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1616 ifp->if_xname, cp->name, 1617 h->ident, sp->confid[cp->protoidx]); 1618 ++ifp->if_ierrors; 1619 break; 1620 } 1621 switch (sp->state[cp->protoidx]) { 1622 case STATE_CLOSED: 1623 case STATE_STOPPED: 1624 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1625 break; 1626 case STATE_CLOSING: 1627 case STATE_STOPPING: 1628 break; 1629 case STATE_REQ_SENT: 1630 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1631 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1632 break; 1633 case STATE_OPENED: 1634 (cp->tld)(sp); 1635 /* fall through */ 1636 case STATE_ACK_RCVD: 1637 (cp->scr)(sp); 1638 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1639 break; 1640 case STATE_ACK_SENT: 1641 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1642 sppp_cp_change_state(cp, sp, STATE_OPENED); 1643 if (debug) 1644 log(LOG_DEBUG, "%s: %s tlu\n", 1645 ifp->if_xname, cp->name); 1646 (cp->tlu)(sp); 1647 break; 1648 default: 1649 printf("%s: %s illegal %s in state %s\n", 1650 ifp->if_xname, cp->name, 1651 sppp_cp_type_name(h->type), 1652 sppp_state_name(sp->state[cp->protoidx])); 1653 ++ifp->if_ierrors; 1654 } 1655 break; 1656 case CONF_NAK: 1657 case CONF_REJ: 1658 if (h->ident != sp->confid[cp->protoidx]) { 1659 if (debug) 1660 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1661 ifp->if_xname, cp->name, 1662 h->ident, sp->confid[cp->protoidx]); 1663 ++ifp->if_ierrors; 1664 break; 1665 } 1666 if (h->type == CONF_NAK) 1667 (cp->RCN_nak)(sp, h, len); 1668 else /* CONF_REJ */ 1669 (cp->RCN_rej)(sp, h, len); 1670 1671 switch (sp->state[cp->protoidx]) { 1672 case STATE_CLOSED: 1673 case STATE_STOPPED: 1674 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1675 break; 1676 case STATE_REQ_SENT: 1677 case STATE_ACK_SENT: 1678 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1679 (cp->scr)(sp); 1680 break; 1681 case STATE_OPENED: 1682 (cp->tld)(sp); 1683 /* fall through */ 1684 case STATE_ACK_RCVD: 1685 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 1686 (cp->scr)(sp); 1687 break; 1688 case STATE_CLOSING: 1689 case STATE_STOPPING: 1690 break; 1691 default: 1692 printf("%s: %s illegal %s in state %s\n", 1693 ifp->if_xname, cp->name, 1694 sppp_cp_type_name(h->type), 1695 sppp_state_name(sp->state[cp->protoidx])); 1696 ++ifp->if_ierrors; 1697 } 1698 break; 1699 1700 case TERM_REQ: 1701 switch (sp->state[cp->protoidx]) { 1702 case STATE_ACK_RCVD: 1703 case STATE_ACK_SENT: 1704 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1705 /* fall through */ 1706 case STATE_CLOSED: 1707 case STATE_STOPPED: 1708 case STATE_CLOSING: 1709 case STATE_STOPPING: 1710 case STATE_REQ_SENT: 1711 sta: 1712 /* Send Terminate-Ack packet. */ 1713 if (debug) 1714 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 1715 ifp->if_xname, cp->name); 1716 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1717 break; 1718 case STATE_OPENED: 1719 (cp->tld)(sp); 1720 sp->rst_counter[cp->protoidx] = 0; 1721 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1722 goto sta; 1723 default: 1724 printf("%s: %s illegal %s in state %s\n", 1725 ifp->if_xname, cp->name, 1726 sppp_cp_type_name(h->type), 1727 sppp_state_name(sp->state[cp->protoidx])); 1728 ++ifp->if_ierrors; 1729 } 1730 break; 1731 case TERM_ACK: 1732 switch (sp->state[cp->protoidx]) { 1733 case STATE_CLOSED: 1734 case STATE_STOPPED: 1735 case STATE_REQ_SENT: 1736 case STATE_ACK_SENT: 1737 break; 1738 case STATE_CLOSING: 1739 (cp->tlf)(sp); 1740 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1741 sppp_lcp_check_and_close(sp); 1742 break; 1743 case STATE_STOPPING: 1744 (cp->tlf)(sp); 1745 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1746 sppp_lcp_check_and_close(sp); 1747 break; 1748 case STATE_ACK_RCVD: 1749 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1750 break; 1751 case STATE_OPENED: 1752 (cp->tld)(sp); 1753 (cp->scr)(sp); 1754 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1755 break; 1756 default: 1757 printf("%s: %s illegal %s in state %s\n", 1758 ifp->if_xname, cp->name, 1759 sppp_cp_type_name(h->type), 1760 sppp_state_name(sp->state[cp->protoidx])); 1761 ++ifp->if_ierrors; 1762 } 1763 break; 1764 case CODE_REJ: 1765 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1766 log(LOG_INFO, 1767 "%s: %s: ignoring RXJ (%s) for code ?, " 1768 "danger will robinson\n", 1769 ifp->if_xname, cp->name, 1770 sppp_cp_type_name(h->type)); 1771 switch (sp->state[cp->protoidx]) { 1772 case STATE_CLOSED: 1773 case STATE_STOPPED: 1774 case STATE_REQ_SENT: 1775 case STATE_ACK_SENT: 1776 case STATE_CLOSING: 1777 case STATE_STOPPING: 1778 case STATE_OPENED: 1779 break; 1780 case STATE_ACK_RCVD: 1781 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1782 break; 1783 default: 1784 printf("%s: %s illegal %s in state %s\n", 1785 ifp->if_xname, cp->name, 1786 sppp_cp_type_name(h->type), 1787 sppp_state_name(sp->state[cp->protoidx])); 1788 ++ifp->if_ierrors; 1789 } 1790 break; 1791 case PROTO_REJ: 1792 { 1793 int catastrophic; 1794 const struct cp *upper; 1795 int i; 1796 uint16_t proto; 1797 1798 catastrophic = 0; 1799 upper = NULL; 1800 proto = p[0] << 8 | p[1]; 1801 for (i = 0; i < IDX_COUNT; i++) { 1802 if (cps[i]->proto == proto) { 1803 upper = cps[i]; 1804 break; 1805 } 1806 } 1807 if (upper == NULL) 1808 catastrophic++; 1809 1810 if (debug) 1811 log(LOG_INFO, 1812 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1813 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1814 sppp_cp_type_name(h->type), proto, 1815 upper ? upper->name : "unknown", 1816 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1817 1818 /* 1819 * if we got RXJ+ against conf-req, the peer does not implement 1820 * this particular protocol type. terminate the protocol. 1821 */ 1822 if (upper && !catastrophic) { 1823 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1824 upper->Close(sp); 1825 break; 1826 } 1827 } 1828 1829 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1830 switch (sp->state[cp->protoidx]) { 1831 case STATE_CLOSED: 1832 case STATE_STOPPED: 1833 case STATE_REQ_SENT: 1834 case STATE_ACK_SENT: 1835 case STATE_CLOSING: 1836 case STATE_STOPPING: 1837 case STATE_OPENED: 1838 break; 1839 case STATE_ACK_RCVD: 1840 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1841 break; 1842 default: 1843 printf("%s: %s illegal %s in state %s\n", 1844 ifp->if_xname, cp->name, 1845 sppp_cp_type_name(h->type), 1846 sppp_state_name(sp->state[cp->protoidx])); 1847 ++ifp->if_ierrors; 1848 } 1849 break; 1850 } 1851 case DISC_REQ: 1852 if (cp->proto != PPP_LCP) 1853 goto illegal; 1854 /* Discard the packet. */ 1855 break; 1856 case ECHO_REQ: 1857 if (cp->proto != PPP_LCP) 1858 goto illegal; 1859 if (sp->state[cp->protoidx] != STATE_OPENED) { 1860 if (debug) 1861 addlog("%s: lcp echo req but lcp closed\n", 1862 ifp->if_xname); 1863 ++ifp->if_ierrors; 1864 break; 1865 } 1866 if (len < 8) { 1867 if (debug) 1868 addlog("%s: invalid lcp echo request " 1869 "packet length: %d bytes\n", 1870 ifp->if_xname, len); 1871 break; 1872 } 1873 memcpy(&u32, h + 1, sizeof u32); 1874 if (ntohl(u32) == sp->lcp.magic) { 1875 /* Line loopback mode detected. */ 1876 printf("%s: loopback\n", ifp->if_xname); 1877 SPPP_UNLOCK(sp); 1878 if_down(ifp); 1879 SPPP_LOCK(sp, RW_WRITER); 1880 1881 IF_PURGE(&sp->pp_cpq); 1882 1883 /* Shut down the PPP link. */ 1884 /* XXX */ 1885 lcp.Down(sp); 1886 lcp.Up(sp); 1887 break; 1888 } 1889 u32 = htonl(sp->lcp.magic); 1890 memcpy(h + 1, &u32, sizeof u32); 1891 if (debug) 1892 addlog("%s: got lcp echo req, sending echo rep\n", 1893 ifp->if_xname); 1894 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1895 h + 1); 1896 break; 1897 case ECHO_REPLY: 1898 if (cp->proto != PPP_LCP) 1899 goto illegal; 1900 if (h->ident != sp->lcp.echoid) { 1901 ++ifp->if_ierrors; 1902 break; 1903 } 1904 if (len < 8) { 1905 if (debug) 1906 addlog("%s: lcp invalid echo reply " 1907 "packet length: %d bytes\n", 1908 ifp->if_xname, len); 1909 break; 1910 } 1911 if (debug) 1912 addlog("%s: lcp got echo rep\n", 1913 ifp->if_xname); 1914 memcpy(&u32, h + 1, sizeof u32); 1915 if (ntohl(u32) != sp->lcp.magic) 1916 sp->pp_alivecnt = 0; 1917 break; 1918 default: 1919 /* Unknown packet type -- send Code-Reject packet. */ 1920 illegal: 1921 if (debug) 1922 addlog("%s: %s send code-rej for 0x%x\n", 1923 ifp->if_xname, cp->name, h->type); 1924 sppp_cp_send(sp, cp->proto, CODE_REJ, 1925 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1926 ++ifp->if_ierrors; 1927 } 1928 1929 SPPP_UNLOCK(sp); 1930 } 1931 1932 1933 /* 1934 * The generic part of all Up/Down/Open/Close/TO event handlers. 1935 * Basically, the state transition handling in the automaton. 1936 */ 1937 static void 1938 sppp_up_event(const struct cp *cp, struct sppp *sp) 1939 { 1940 STDDCL; 1941 1942 KASSERT(SPPP_WLOCKED(sp)); 1943 1944 if (debug) 1945 log(LOG_DEBUG, "%s: %s up(%s)\n", 1946 ifp->if_xname, cp->name, 1947 sppp_state_name(sp->state[cp->protoidx])); 1948 1949 switch (sp->state[cp->protoidx]) { 1950 case STATE_INITIAL: 1951 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1952 break; 1953 case STATE_STARTING: 1954 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1955 (cp->scr)(sp); 1956 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1957 break; 1958 default: 1959 printf("%s: %s illegal up in state %s\n", 1960 ifp->if_xname, cp->name, 1961 sppp_state_name(sp->state[cp->protoidx])); 1962 } 1963 } 1964 1965 static void 1966 sppp_down_event(const struct cp *cp, struct sppp *sp) 1967 { 1968 STDDCL; 1969 1970 KASSERT(SPPP_WLOCKED(sp)); 1971 1972 if (debug) 1973 log(LOG_DEBUG, "%s: %s down(%s)\n", 1974 ifp->if_xname, cp->name, 1975 sppp_state_name(sp->state[cp->protoidx])); 1976 1977 switch (sp->state[cp->protoidx]) { 1978 case STATE_CLOSED: 1979 case STATE_CLOSING: 1980 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1981 break; 1982 case STATE_STOPPED: 1983 (cp->tls)(sp); 1984 /* fall through */ 1985 case STATE_STOPPING: 1986 case STATE_REQ_SENT: 1987 case STATE_ACK_RCVD: 1988 case STATE_ACK_SENT: 1989 sppp_cp_change_state(cp, sp, STATE_STARTING); 1990 break; 1991 case STATE_OPENED: 1992 (cp->tld)(sp); 1993 sppp_cp_change_state(cp, sp, STATE_STARTING); 1994 break; 1995 default: 1996 printf("%s: %s illegal down in state %s\n", 1997 ifp->if_xname, cp->name, 1998 sppp_state_name(sp->state[cp->protoidx])); 1999 } 2000 } 2001 2002 2003 static void 2004 sppp_open_event(const struct cp *cp, struct sppp *sp) 2005 { 2006 STDDCL; 2007 2008 KASSERT(SPPP_WLOCKED(sp)); 2009 2010 if (debug) 2011 log(LOG_DEBUG, "%s: %s open(%s)\n", 2012 ifp->if_xname, cp->name, 2013 sppp_state_name(sp->state[cp->protoidx])); 2014 2015 switch (sp->state[cp->protoidx]) { 2016 case STATE_INITIAL: 2017 sppp_cp_change_state(cp, sp, STATE_STARTING); 2018 (cp->tls)(sp); 2019 break; 2020 case STATE_STARTING: 2021 break; 2022 case STATE_CLOSED: 2023 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 2024 (cp->scr)(sp); 2025 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2026 break; 2027 case STATE_STOPPED: 2028 case STATE_STOPPING: 2029 case STATE_REQ_SENT: 2030 case STATE_ACK_RCVD: 2031 case STATE_ACK_SENT: 2032 case STATE_OPENED: 2033 break; 2034 case STATE_CLOSING: 2035 sppp_cp_change_state(cp, sp, STATE_STOPPING); 2036 break; 2037 } 2038 } 2039 2040 2041 static void 2042 sppp_close_event(const struct cp *cp, struct sppp *sp) 2043 { 2044 STDDCL; 2045 2046 KASSERT(SPPP_WLOCKED(sp)); 2047 2048 if (debug) 2049 log(LOG_DEBUG, "%s: %s close(%s)\n", 2050 ifp->if_xname, cp->name, 2051 sppp_state_name(sp->state[cp->protoidx])); 2052 2053 switch (sp->state[cp->protoidx]) { 2054 case STATE_INITIAL: 2055 case STATE_CLOSED: 2056 case STATE_CLOSING: 2057 break; 2058 case STATE_STARTING: 2059 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2060 (cp->tlf)(sp); 2061 break; 2062 case STATE_STOPPED: 2063 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2064 break; 2065 case STATE_STOPPING: 2066 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2067 break; 2068 case STATE_OPENED: 2069 (cp->tld)(sp); 2070 /* fall through */ 2071 case STATE_REQ_SENT: 2072 case STATE_ACK_RCVD: 2073 case STATE_ACK_SENT: 2074 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 2075 sppp_cp_send(sp, cp->proto, TERM_REQ, 2076 ++sp->pp_seq[cp->protoidx], 0, 0); 2077 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2078 break; 2079 } 2080 } 2081 2082 static void 2083 sppp_to_event(const struct cp *cp, struct sppp *sp) 2084 { 2085 STDDCL; 2086 int s; 2087 2088 KASSERT(SPPP_WLOCKED(sp)); 2089 2090 s = splnet(); 2091 2092 if (debug) 2093 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 2094 ifp->if_xname, cp->name, 2095 sppp_state_name(sp->state[cp->protoidx]), 2096 sp->rst_counter[cp->protoidx]); 2097 2098 if (--sp->rst_counter[cp->protoidx] < 0) 2099 /* TO- event */ 2100 switch (sp->state[cp->protoidx]) { 2101 case STATE_CLOSING: 2102 (cp->tlf)(sp); 2103 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2104 sppp_lcp_check_and_close(sp); 2105 break; 2106 case STATE_STOPPING: 2107 (cp->tlf)(sp); 2108 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2109 sppp_lcp_check_and_close(sp); 2110 break; 2111 case STATE_REQ_SENT: 2112 case STATE_ACK_RCVD: 2113 case STATE_ACK_SENT: 2114 (cp->tlf)(sp); 2115 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2116 sppp_lcp_check_and_close(sp); 2117 break; 2118 } 2119 else 2120 /* TO+ event */ 2121 switch (sp->state[cp->protoidx]) { 2122 case STATE_CLOSING: 2123 case STATE_STOPPING: 2124 sppp_cp_send(sp, cp->proto, TERM_REQ, 2125 ++sp->pp_seq[cp->protoidx], 0, 0); 2126 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2127 cp->TO, sp); 2128 break; 2129 case STATE_REQ_SENT: 2130 case STATE_ACK_RCVD: 2131 (cp->scr)(sp); 2132 /* sppp_cp_change_state() will restart the timer */ 2133 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2134 break; 2135 case STATE_ACK_SENT: 2136 (cp->scr)(sp); 2137 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2138 cp->TO, sp); 2139 break; 2140 } 2141 2142 splx(s); 2143 } 2144 2145 /* 2146 * Change the state of a control protocol in the state automaton. 2147 * Takes care of starting/stopping the restart timer. 2148 */ 2149 void 2150 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2151 { 2152 2153 KASSERT(SPPP_WLOCKED(sp)); 2154 2155 sp->state[cp->protoidx] = newstate; 2156 callout_stop(&sp->ch[cp->protoidx]); 2157 switch (newstate) { 2158 case STATE_INITIAL: 2159 case STATE_STARTING: 2160 case STATE_CLOSED: 2161 case STATE_STOPPED: 2162 case STATE_OPENED: 2163 break; 2164 case STATE_CLOSING: 2165 case STATE_STOPPING: 2166 case STATE_REQ_SENT: 2167 case STATE_ACK_RCVD: 2168 case STATE_ACK_SENT: 2169 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2170 cp->TO, sp); 2171 break; 2172 } 2173 } 2174 2175 /* 2176 *--------------------------------------------------------------------------* 2177 * * 2178 * The LCP implementation. * 2179 * * 2180 *--------------------------------------------------------------------------* 2181 */ 2182 static void 2183 sppp_lcp_init(struct sppp *sp) 2184 { 2185 2186 KASSERT(SPPP_WLOCKED(sp)); 2187 2188 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2189 sp->lcp.magic = 0; 2190 sp->state[IDX_LCP] = STATE_INITIAL; 2191 sp->fail_counter[IDX_LCP] = 0; 2192 sp->pp_seq[IDX_LCP] = 0; 2193 sp->pp_rseq[IDX_LCP] = 0; 2194 sp->lcp.protos = 0; 2195 2196 /* 2197 * Initialize counters and timeout values. Note that we don't 2198 * use the 3 seconds suggested in RFC 1661 since we are likely 2199 * running on a fast link. XXX We should probably implement 2200 * the exponential backoff option. Note that these values are 2201 * relevant for all control protocols, not just LCP only. 2202 */ 2203 sp->lcp.timeout = 1 * hz; 2204 sp->lcp.max_terminate = 2; 2205 sp->lcp.max_configure = 10; 2206 sp->lcp.max_failure = 10; 2207 callout_init(&sp->ch[IDX_LCP], CALLOUT_MPSAFE); 2208 } 2209 2210 static void 2211 sppp_lcp_up(struct sppp *sp) 2212 { 2213 STDDCL; 2214 2215 KASSERT(SPPP_WLOCKED(sp)); 2216 2217 /* Initialize activity timestamp: opening a connection is an activity */ 2218 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 2219 2220 /* 2221 * If this interface is passive or dial-on-demand, and we are 2222 * still in Initial state, it means we've got an incoming 2223 * call. Activate the interface. 2224 */ 2225 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2226 if (debug) 2227 log(LOG_DEBUG, 2228 "%s: Up event", ifp->if_xname); 2229 ifp->if_flags |= IFF_RUNNING; 2230 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2231 if (debug) 2232 addlog("(incoming call)\n"); 2233 sp->pp_flags |= PP_CALLIN; 2234 lcp.Open(sp); 2235 } else if (debug) 2236 addlog("\n"); 2237 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2238 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2239 ifp->if_flags |= IFF_RUNNING; 2240 lcp.Open(sp); 2241 } 2242 2243 sppp_up_event(&lcp, sp); 2244 } 2245 2246 static void 2247 sppp_lcp_down(struct sppp *sp) 2248 { 2249 STDDCL; 2250 2251 KASSERT(SPPP_WLOCKED(sp)); 2252 2253 sppp_down_event(&lcp, sp); 2254 2255 /* 2256 * If this is neither a dial-on-demand nor a passive 2257 * interface, simulate an ``ifconfig down'' action, so the 2258 * administrator can force a redial by another ``ifconfig 2259 * up''. XXX For leased line operation, should we immediately 2260 * try to reopen the connection here? 2261 */ 2262 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2263 if (debug) 2264 log(LOG_INFO, 2265 "%s: Down event (carrier loss), taking interface down.\n", 2266 ifp->if_xname); 2267 SPPP_UNLOCK(sp); 2268 if_down(ifp); 2269 SPPP_LOCK(sp, RW_WRITER); 2270 } else { 2271 if (debug) 2272 log(LOG_DEBUG, 2273 "%s: Down event (carrier loss)\n", 2274 ifp->if_xname); 2275 } 2276 sp->pp_flags &= ~PP_CALLIN; 2277 if (sp->state[IDX_LCP] != STATE_INITIAL) 2278 lcp.Close(sp); 2279 ifp->if_flags &= ~IFF_RUNNING; 2280 } 2281 2282 static void 2283 sppp_lcp_open(struct sppp *sp) 2284 { 2285 2286 KASSERT(SPPP_WLOCKED(sp)); 2287 2288 if (sp->pp_if.if_mtu < PP_MTU) { 2289 sp->lcp.mru = sp->pp_if.if_mtu; 2290 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2291 } else 2292 sp->lcp.mru = PP_MTU; 2293 sp->lcp.their_mru = PP_MTU; 2294 2295 /* 2296 * If we are authenticator, negotiate LCP_AUTH 2297 */ 2298 if (sp->hisauth.proto != 0) 2299 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2300 else 2301 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2302 sp->pp_flags &= ~PP_NEEDAUTH; 2303 sppp_open_event(&lcp, sp); 2304 } 2305 2306 static void 2307 sppp_lcp_close(struct sppp *sp) 2308 { 2309 2310 KASSERT(SPPP_WLOCKED(sp)); 2311 sppp_close_event(&lcp, sp); 2312 } 2313 2314 static void 2315 sppp_lcp_TO(void *cookie) 2316 { 2317 struct sppp *sp = (struct sppp*)cookie; 2318 2319 SPPP_LOCK(sp, RW_WRITER); 2320 sppp_to_event(&lcp, sp); 2321 SPPP_UNLOCK(sp); 2322 } 2323 2324 /* 2325 * Analyze a configure request. Return true if it was agreeable, and 2326 * caused action sca, false if it has been rejected or nak'ed, and 2327 * caused action scn. (The return value is used to make the state 2328 * transition decision in the state automaton.) 2329 */ 2330 static int 2331 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2332 { 2333 STDDCL; 2334 u_char *buf, *r, *p, l, blen; 2335 int origlen, rlen; 2336 uint32_t nmagic; 2337 u_short authproto; 2338 2339 KASSERT(SPPP_WLOCKED(sp)); 2340 2341 len -= 4; 2342 origlen = len; 2343 buf = r = malloc (blen = len, M_TEMP, M_NOWAIT); 2344 if (! buf) 2345 return (0); 2346 2347 if (debug) 2348 log(LOG_DEBUG, "%s: lcp parse opts:", 2349 ifp->if_xname); 2350 2351 /* pass 1: check for things that need to be rejected */ 2352 p = (void *)(h + 1); 2353 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2354 /* Sanity check option length */ 2355 if (l > len) { 2356 /* 2357 * Malicious option - drop immediately. 2358 * XXX Maybe we should just RXJ it? 2359 */ 2360 addlog("%s: received malicious LCP option 0x%02x, " 2361 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2362 p[0], l, len); 2363 goto drop; 2364 } 2365 if (debug) 2366 addlog(" %s", sppp_lcp_opt_name(*p)); 2367 switch (*p) { 2368 case LCP_OPT_MAGIC: 2369 /* Magic number. */ 2370 /* fall through, both are same length */ 2371 case LCP_OPT_ASYNC_MAP: 2372 /* Async control character map. */ 2373 if (len >= 6 || l == 6) 2374 continue; 2375 if (debug) 2376 addlog(" [invalid]"); 2377 break; 2378 case LCP_OPT_MRU: 2379 /* Maximum receive unit. */ 2380 if (len >= 4 && l == 4) 2381 continue; 2382 if (debug) 2383 addlog(" [invalid]"); 2384 break; 2385 case LCP_OPT_AUTH_PROTO: 2386 if (len < 4) { 2387 if (debug) 2388 addlog(" [invalid]"); 2389 break; 2390 } 2391 authproto = (p[2] << 8) + p[3]; 2392 if (authproto == PPP_CHAP && l != 5) { 2393 if (debug) 2394 addlog(" [invalid chap len]"); 2395 break; 2396 } 2397 if (sp->myauth.proto == 0) { 2398 /* we are not configured to do auth */ 2399 if (debug) 2400 addlog(" [not configured]"); 2401 break; 2402 } 2403 /* 2404 * Remote want us to authenticate, remember this, 2405 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2406 * up. 2407 */ 2408 sp->pp_flags |= PP_NEEDAUTH; 2409 continue; 2410 default: 2411 /* Others not supported. */ 2412 if (debug) 2413 addlog(" [rej]"); 2414 break; 2415 } 2416 if (rlen + l > blen) { 2417 if (debug) 2418 addlog(" [overflow]"); 2419 continue; 2420 } 2421 /* Add the option to rejected list. */ 2422 memcpy(r, p, l); 2423 r += l; 2424 rlen += l; 2425 } 2426 if (rlen) { 2427 if (debug) 2428 addlog(" send conf-rej\n"); 2429 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2430 goto end; 2431 } else if (debug) 2432 addlog("\n"); 2433 2434 /* 2435 * pass 2: check for option values that are unacceptable and 2436 * thus require to be nak'ed. 2437 */ 2438 if (debug) 2439 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2440 ifp->if_xname); 2441 2442 p = (void *)(h + 1); 2443 len = origlen; 2444 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2445 if (debug) 2446 addlog(" %s", sppp_lcp_opt_name(*p)); 2447 switch (*p) { 2448 case LCP_OPT_MAGIC: 2449 /* Magic number -- extract. */ 2450 nmagic = (uint32_t)p[2] << 24 | 2451 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2452 if (nmagic != sp->lcp.magic) { 2453 if (debug) 2454 addlog(" 0x%x", nmagic); 2455 continue; 2456 } 2457 /* 2458 * Local and remote magics equal -- loopback? 2459 */ 2460 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2461 printf ("%s: loopback\n", 2462 ifp->if_xname); 2463 sp->pp_loopcnt = 0; 2464 if (ifp->if_flags & IFF_UP) { 2465 SPPP_UNLOCK(sp); 2466 if_down(ifp); 2467 SPPP_LOCK(sp, RW_WRITER); 2468 2469 IF_PURGE(&sp->pp_cpq); 2470 /* XXX ? */ 2471 lcp.Down(sp); 2472 lcp.Up(sp); 2473 } 2474 } else if (debug) 2475 addlog(" [glitch]"); 2476 ++sp->pp_loopcnt; 2477 /* 2478 * We negate our magic here, and NAK it. If 2479 * we see it later in an NAK packet, we 2480 * suggest a new one. 2481 */ 2482 nmagic = ~sp->lcp.magic; 2483 /* Gonna NAK it. */ 2484 p[2] = nmagic >> 24; 2485 p[3] = nmagic >> 16; 2486 p[4] = nmagic >> 8; 2487 p[5] = nmagic; 2488 break; 2489 2490 case LCP_OPT_ASYNC_MAP: 2491 /* 2492 * Async control character map -- just ignore it. 2493 * 2494 * Quote from RFC 1662, chapter 6: 2495 * To enable this functionality, synchronous PPP 2496 * implementations MUST always respond to the 2497 * Async-Control-Character-Map Configuration 2498 * Option with the LCP Configure-Ack. However, 2499 * acceptance of the Configuration Option does 2500 * not imply that the synchronous implementation 2501 * will do any ACCM mapping. Instead, all such 2502 * octet mapping will be performed by the 2503 * asynchronous-to-synchronous converter. 2504 */ 2505 continue; 2506 2507 case LCP_OPT_MRU: 2508 /* 2509 * Maximum receive unit. Always agreeable, 2510 * but ignored by now. 2511 */ 2512 sp->lcp.their_mru = p[2] * 256 + p[3]; 2513 if (debug) 2514 addlog(" %ld", sp->lcp.their_mru); 2515 continue; 2516 2517 case LCP_OPT_AUTH_PROTO: 2518 authproto = (p[2] << 8) + p[3]; 2519 if (sp->myauth.proto != authproto) { 2520 /* not agreed, nak */ 2521 if (debug) 2522 addlog(" [mine %s != his %s]", 2523 sppp_proto_name(sp->myauth.proto), 2524 sppp_proto_name(authproto)); 2525 p[2] = sp->myauth.proto >> 8; 2526 p[3] = sp->myauth.proto; 2527 break; 2528 } 2529 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2530 if (debug) 2531 addlog(" [chap not MD5]"); 2532 p[4] = CHAP_MD5; 2533 break; 2534 } 2535 continue; 2536 } 2537 if (rlen + l > blen) { 2538 if (debug) 2539 addlog(" [overflow]"); 2540 continue; 2541 } 2542 /* Add the option to nak'ed list. */ 2543 memcpy(r, p, l); 2544 r += l; 2545 rlen += l; 2546 } 2547 if (rlen) { 2548 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2549 if (debug) 2550 addlog(" max_failure (%d) exceeded, " 2551 "send conf-rej\n", 2552 sp->lcp.max_failure); 2553 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2554 } else { 2555 if (debug) 2556 addlog(" send conf-nak\n"); 2557 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2558 } 2559 goto end; 2560 } else { 2561 if (debug) 2562 addlog(" send conf-ack\n"); 2563 sp->fail_counter[IDX_LCP] = 0; 2564 sp->pp_loopcnt = 0; 2565 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1); 2566 } 2567 2568 end: 2569 free(buf, M_TEMP); 2570 return (rlen == 0); 2571 2572 drop: 2573 free(buf, M_TEMP); 2574 return -1; 2575 } 2576 2577 /* 2578 * Analyze the LCP Configure-Reject option list, and adjust our 2579 * negotiation. 2580 */ 2581 static void 2582 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2583 { 2584 STDDCL; 2585 u_char *buf, *p, l; 2586 2587 KASSERT(SPPP_WLOCKED(sp)); 2588 2589 len -= 4; 2590 buf = malloc (len, M_TEMP, M_NOWAIT); 2591 if (!buf) 2592 return; 2593 2594 if (debug) 2595 log(LOG_DEBUG, "%s: lcp rej opts:", 2596 ifp->if_xname); 2597 2598 p = (void *)(h + 1); 2599 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2600 /* Sanity check option length */ 2601 if (l > len) { 2602 /* 2603 * Malicious option - drop immediately. 2604 * XXX Maybe we should just RXJ it? 2605 */ 2606 addlog("%s: received malicious LCP option, " 2607 "dropping.\n", ifp->if_xname); 2608 goto drop; 2609 } 2610 if (debug) 2611 addlog(" %s", sppp_lcp_opt_name(*p)); 2612 switch (*p) { 2613 case LCP_OPT_MAGIC: 2614 /* Magic number -- can't use it, use 0 */ 2615 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2616 sp->lcp.magic = 0; 2617 break; 2618 case LCP_OPT_MRU: 2619 /* 2620 * We try to negotiate a lower MRU if the underlying 2621 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 2622 * peer rejects this lower rate, fallback to the 2623 * default. 2624 */ 2625 if (debug) { 2626 addlog("%s: warning: peer rejected our MRU of " 2627 "%ld bytes. Defaulting to %d bytes\n", 2628 ifp->if_xname, sp->lcp.mru, PP_MTU); 2629 } 2630 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2631 sp->lcp.mru = PP_MTU; 2632 break; 2633 case LCP_OPT_AUTH_PROTO: 2634 /* 2635 * Peer doesn't want to authenticate himself, 2636 * deny unless this is a dialout call, and 2637 * SPPP_AUTHFLAG_NOCALLOUT is set. 2638 */ 2639 if ((sp->pp_flags & PP_CALLIN) == 0 && 2640 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 2641 if (debug) 2642 addlog(" [don't insist on auth " 2643 "for callout]"); 2644 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2645 break; 2646 } 2647 if (debug) 2648 addlog("[access denied]\n"); 2649 lcp.Close(sp); 2650 break; 2651 } 2652 } 2653 if (debug) 2654 addlog("\n"); 2655 drop: 2656 free(buf, M_TEMP); 2657 return; 2658 } 2659 2660 /* 2661 * Analyze the LCP Configure-NAK option list, and adjust our 2662 * negotiation. 2663 */ 2664 static void 2665 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2666 { 2667 STDDCL; 2668 u_char *buf, *p, l, blen; 2669 uint32_t magic; 2670 2671 KASSERT(SPPP_WLOCKED(sp)); 2672 2673 len -= 4; 2674 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 2675 if (!buf) 2676 return; 2677 2678 if (debug) 2679 log(LOG_DEBUG, "%s: lcp nak opts:", 2680 ifp->if_xname); 2681 2682 p = (void *)(h + 1); 2683 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2684 /* Sanity check option length */ 2685 if (l > len) { 2686 /* 2687 * Malicious option - drop immediately. 2688 * XXX Maybe we should just RXJ it? 2689 */ 2690 addlog("%s: received malicious LCP option, " 2691 "dropping.\n", ifp->if_xname); 2692 goto drop; 2693 } 2694 if (debug) 2695 addlog(" %s", sppp_lcp_opt_name(*p)); 2696 switch (*p) { 2697 case LCP_OPT_MAGIC: 2698 /* Magic number -- renegotiate */ 2699 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2700 len >= 6 && l == 6) { 2701 magic = (uint32_t)p[2] << 24 | 2702 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2703 /* 2704 * If the remote magic is our negated one, 2705 * this looks like a loopback problem. 2706 * Suggest a new magic to make sure. 2707 */ 2708 if (magic == ~sp->lcp.magic) { 2709 if (debug) 2710 addlog(" magic glitch"); 2711 sp->lcp.magic = cprng_fast32(); 2712 } else { 2713 sp->lcp.magic = magic; 2714 if (debug) 2715 addlog(" %d", magic); 2716 } 2717 } 2718 break; 2719 case LCP_OPT_MRU: 2720 /* 2721 * Peer wants to advise us to negotiate an MRU. 2722 * Agree on it if it's reasonable, or use 2723 * default otherwise. 2724 */ 2725 if (len >= 4 && l == 4) { 2726 u_int mru = p[2] * 256 + p[3]; 2727 if (debug) 2728 addlog(" %d", mru); 2729 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 2730 mru = sp->pp_if.if_mtu; 2731 sp->lcp.mru = mru; 2732 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2733 } 2734 break; 2735 case LCP_OPT_AUTH_PROTO: 2736 /* 2737 * Peer doesn't like our authentication method, 2738 * deny. 2739 */ 2740 if (debug) 2741 addlog("[access denied]\n"); 2742 lcp.Close(sp); 2743 break; 2744 } 2745 } 2746 if (debug) 2747 addlog("\n"); 2748 drop: 2749 free(buf, M_TEMP); 2750 return; 2751 } 2752 2753 static void 2754 sppp_lcp_tlu(struct sppp *sp) 2755 { 2756 struct ifnet *ifp = &sp->pp_if; 2757 int i; 2758 uint32_t mask; 2759 2760 KASSERT(SPPP_WLOCKED(sp)); 2761 2762 /* XXX ? */ 2763 if (! (ifp->if_flags & IFF_UP) && 2764 (ifp->if_flags & IFF_RUNNING)) { 2765 /* Coming out of loopback mode. */ 2766 SPPP_UNLOCK(sp); 2767 if_up(ifp); 2768 SPPP_LOCK(sp, RW_WRITER); 2769 } 2770 2771 for (i = 0; i < IDX_COUNT; i++) 2772 if ((cps[i])->flags & CP_QUAL) 2773 (cps[i])->Open(sp); 2774 2775 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2776 (sp->pp_flags & PP_NEEDAUTH) != 0) 2777 sppp_change_phase(sp, SPPP_PHASE_AUTHENTICATE); 2778 else 2779 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 2780 2781 /* 2782 * Open all authentication protocols. This is even required 2783 * if we already proceeded to network phase, since it might be 2784 * that remote wants us to authenticate, so we might have to 2785 * send a PAP request. Undesired authentication protocols 2786 * don't do anything when they get an Open event. 2787 */ 2788 for (i = 0; i < IDX_COUNT; i++) 2789 if ((cps[i])->flags & CP_AUTH) 2790 (cps[i])->Open(sp); 2791 2792 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 2793 /* Notify all NCPs. */ 2794 for (i = 0; i < IDX_COUNT; i++) 2795 if ((cps[i])->flags & CP_NCP) 2796 (cps[i])->Open(sp); 2797 } 2798 2799 /* Send Up events to all started protos. */ 2800 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) { 2801 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2802 (cps[i])->Up(sp); 2803 } 2804 } 2805 2806 /* notify low-level driver of state change */ 2807 sppp_notify_chg_wlocked(sp); 2808 2809 if (sp->pp_phase == SPPP_PHASE_NETWORK) 2810 /* if no NCP is starting, close down */ 2811 sppp_lcp_check_and_close(sp); 2812 } 2813 2814 static void 2815 sppp_lcp_tld(struct sppp *sp) 2816 { 2817 int i; 2818 uint32_t mask; 2819 2820 KASSERT(SPPP_WLOCKED(sp)); 2821 2822 sppp_change_phase(sp, SPPP_PHASE_TERMINATE); 2823 2824 /* 2825 * Take upper layers down. We send the Down event first and 2826 * the Close second to prevent the upper layers from sending 2827 * ``a flurry of terminate-request packets'', as the RFC 2828 * describes it. 2829 */ 2830 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) { 2831 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2832 (cps[i])->Down(sp); 2833 (cps[i])->Close(sp); 2834 } 2835 } 2836 } 2837 2838 static void 2839 sppp_lcp_tls(struct sppp *sp) 2840 { 2841 2842 KASSERT(SPPP_WLOCKED(sp)); 2843 2844 2845 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 2846 printf("%s: authentication failed %d times, not retrying again\n", 2847 sp->pp_if.if_xname, sp->pp_auth_failures); 2848 2849 SPPP_UNLOCK(sp); 2850 if_down(&sp->pp_if); 2851 SPPP_LOCK(sp, RW_WRITER); 2852 return; 2853 } 2854 2855 sppp_change_phase(sp, SPPP_PHASE_ESTABLISH); 2856 2857 /* Notify lower layer if desired. */ 2858 sppp_notify_tls_wlocked(sp); 2859 } 2860 2861 static void 2862 sppp_lcp_tlf(struct sppp *sp) 2863 { 2864 2865 KASSERT(SPPP_WLOCKED(sp)); 2866 2867 sppp_change_phase(sp, SPPP_PHASE_DEAD); 2868 2869 /* Notify lower layer if desired. */ 2870 sppp_notify_tlf_wlocked(sp); 2871 } 2872 2873 static void 2874 sppp_lcp_scr(struct sppp *sp) 2875 { 2876 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2877 int i = 0; 2878 u_short authproto; 2879 2880 KASSERT(SPPP_WLOCKED(sp)); 2881 2882 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2883 if (! sp->lcp.magic) 2884 sp->lcp.magic = cprng_fast32(); 2885 opt[i++] = LCP_OPT_MAGIC; 2886 opt[i++] = 6; 2887 opt[i++] = sp->lcp.magic >> 24; 2888 opt[i++] = sp->lcp.magic >> 16; 2889 opt[i++] = sp->lcp.magic >> 8; 2890 opt[i++] = sp->lcp.magic; 2891 } 2892 2893 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2894 opt[i++] = LCP_OPT_MRU; 2895 opt[i++] = 4; 2896 opt[i++] = sp->lcp.mru >> 8; 2897 opt[i++] = sp->lcp.mru; 2898 } 2899 2900 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2901 authproto = sp->hisauth.proto; 2902 opt[i++] = LCP_OPT_AUTH_PROTO; 2903 opt[i++] = authproto == PPP_CHAP? 5: 4; 2904 opt[i++] = authproto >> 8; 2905 opt[i++] = authproto; 2906 if (authproto == PPP_CHAP) 2907 opt[i++] = CHAP_MD5; 2908 } 2909 2910 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2911 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2912 } 2913 2914 /* 2915 * Check the open NCPs, return true if at least one NCP is open. 2916 */ 2917 static int 2918 sppp_ncp_check(struct sppp *sp) 2919 { 2920 int i, mask; 2921 2922 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2923 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2924 return 1; 2925 return 0; 2926 } 2927 2928 /* 2929 * Re-check the open NCPs and see if we should terminate the link. 2930 * Called by the NCPs during their tlf action handling. 2931 */ 2932 static void 2933 sppp_lcp_check_and_close(struct sppp *sp) 2934 { 2935 2936 KASSERT(SPPP_WLOCKED(sp)); 2937 2938 if (sp->pp_phase < SPPP_PHASE_NETWORK) 2939 /* don't bother, we are already going down */ 2940 return; 2941 2942 if (sppp_ncp_check(sp)) 2943 return; 2944 lcp.Close(sp); 2945 } 2946 2947 2948 /* 2949 *--------------------------------------------------------------------------* 2950 * * 2951 * The IPCP implementation. * 2952 * * 2953 *--------------------------------------------------------------------------* 2954 */ 2955 2956 static void 2957 sppp_ipcp_init(struct sppp *sp) 2958 { 2959 int error; 2960 2961 KASSERT(SPPP_WLOCKED(sp)); 2962 2963 sp->ipcp.opts = 0; 2964 sp->ipcp.flags = 0; 2965 sp->state[IDX_IPCP] = STATE_INITIAL; 2966 sp->fail_counter[IDX_IPCP] = 0; 2967 sp->pp_seq[IDX_IPCP] = 0; 2968 sp->pp_rseq[IDX_IPCP] = 0; 2969 callout_init(&sp->ch[IDX_IPCP], CALLOUT_MPSAFE); 2970 2971 error = workqueue_create(&sp->ipcp.update_addrs_wq, "ipcp_update_addrs", 2972 sppp_update_ip_addrs_work, sp, PRI_SOFTNET, IPL_NET, 0); 2973 if (error) 2974 panic("%s: update_addrs workqueue_create failed (%d)\n", 2975 __func__, error); 2976 sp->ipcp.update_addrs_q = pcq_create(IPCP_UPDATE_LIMIT, KM_SLEEP); 2977 2978 sp->ipcp.update_addrs_enqueued = 0; 2979 } 2980 2981 static void 2982 sppp_ipcp_up(struct sppp *sp) 2983 { 2984 KASSERT(SPPP_WLOCKED(sp)); 2985 sppp_up_event(&ipcp, sp); 2986 } 2987 2988 static void 2989 sppp_ipcp_down(struct sppp *sp) 2990 { 2991 KASSERT(SPPP_WLOCKED(sp)); 2992 sppp_down_event(&ipcp, sp); 2993 } 2994 2995 static void 2996 sppp_ipcp_open(struct sppp *sp) 2997 { 2998 STDDCL; 2999 uint32_t myaddr, hisaddr; 3000 3001 KASSERT(SPPP_WLOCKED(sp)); 3002 3003 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 3004 sp->ipcp.req_myaddr = 0; 3005 sp->ipcp.req_hisaddr = 0; 3006 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 3007 3008 #ifdef INET 3009 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3010 #else 3011 myaddr = hisaddr = 0; 3012 #endif 3013 /* 3014 * If we don't have his address, this probably means our 3015 * interface doesn't want to talk IP at all. (This could 3016 * be the case if somebody wants to speak only IPX, for 3017 * example.) Don't open IPCP in this case. 3018 */ 3019 if (hisaddr == 0) { 3020 /* XXX this message should go away */ 3021 if (debug) 3022 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 3023 ifp->if_xname); 3024 return; 3025 } 3026 3027 if (myaddr == 0) { 3028 /* 3029 * I don't have an assigned address, so i need to 3030 * negotiate my address. 3031 */ 3032 sp->ipcp.flags |= IPCP_MYADDR_DYN; 3033 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3034 } 3035 if (hisaddr == 1) { 3036 /* 3037 * XXX - remove this hack! 3038 * remote has no valid address, we need to get one assigned. 3039 */ 3040 sp->ipcp.flags |= IPCP_HISADDR_DYN; 3041 } 3042 sppp_open_event(&ipcp, sp); 3043 } 3044 3045 static void 3046 sppp_ipcp_close(struct sppp *sp) 3047 { 3048 3049 KASSERT(SPPP_WLOCKED(sp)); 3050 3051 sppp_close_event(&ipcp, sp); 3052 3053 #ifdef INET 3054 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) 3055 /* 3056 * Some address was dynamic, clear it again. 3057 */ 3058 sppp_clear_ip_addrs(sp); 3059 #endif 3060 } 3061 3062 static void 3063 sppp_ipcp_TO(void *cookie) 3064 { 3065 struct sppp *sp = cookie; 3066 3067 SPPP_LOCK(sp, RW_WRITER); 3068 sppp_to_event(&ipcp, sp); 3069 SPPP_UNLOCK(sp); 3070 } 3071 3072 /* 3073 * Analyze a configure request. Return true if it was agreeable, and 3074 * caused action sca, false if it has been rejected or nak'ed, and 3075 * caused action scn. (The return value is used to make the state 3076 * transition decision in the state automaton.) 3077 */ 3078 static int 3079 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3080 { 3081 u_char *buf, *r, *p, l, blen; 3082 struct ifnet *ifp = &sp->pp_if; 3083 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3084 uint32_t hisaddr, desiredaddr; 3085 3086 KASSERT(SPPP_WLOCKED(sp)); 3087 3088 len -= 4; 3089 origlen = len; 3090 /* 3091 * Make sure to allocate a buf that can at least hold a 3092 * conf-nak with an `address' option. We might need it below. 3093 */ 3094 blen = len < 6 ? 6 : len; 3095 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3096 if (! buf) 3097 return (0); 3098 3099 /* pass 1: see if we can recognize them */ 3100 if (debug) 3101 log(LOG_DEBUG, "%s: ipcp parse opts:", 3102 ifp->if_xname); 3103 p = (void *)(h + 1); 3104 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3105 /* Sanity check option length */ 3106 if (l > len) { 3107 /* XXX should we just RXJ? */ 3108 addlog("%s: malicious IPCP option received, dropping\n", 3109 ifp->if_xname); 3110 goto drop; 3111 } 3112 if (debug) 3113 addlog(" %s", sppp_ipcp_opt_name(*p)); 3114 switch (*p) { 3115 #ifdef notyet 3116 case IPCP_OPT_COMPRESSION: 3117 if (len >= 6 && l >= 6) { 3118 /* correctly formed compress option */ 3119 continue; 3120 } 3121 if (debug) 3122 addlog(" [invalid]"); 3123 break; 3124 #endif 3125 case IPCP_OPT_ADDRESS: 3126 if (len >= 6 && l == 6) { 3127 /* correctly formed address option */ 3128 continue; 3129 } 3130 if (debug) 3131 addlog(" [invalid]"); 3132 break; 3133 default: 3134 /* Others not supported. */ 3135 if (debug) 3136 addlog(" [rej]"); 3137 break; 3138 } 3139 /* Add the option to rejected list. */ 3140 if (rlen + l > blen) { 3141 if (debug) 3142 addlog(" [overflow]"); 3143 continue; 3144 } 3145 memcpy(r, p, l); 3146 r += l; 3147 rlen += l; 3148 } 3149 if (rlen) { 3150 if (debug) 3151 addlog(" send conf-rej\n"); 3152 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 3153 goto end; 3154 } else if (debug) 3155 addlog("\n"); 3156 3157 /* pass 2: parse option values */ 3158 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 3159 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 3160 else 3161 #ifdef INET 3162 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 3163 #else 3164 hisaddr = 0; 3165 #endif 3166 if (debug) 3167 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 3168 ifp->if_xname); 3169 p = (void *)(h + 1); 3170 len = origlen; 3171 for (rlen=0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3172 if (debug) 3173 addlog(" %s", sppp_ipcp_opt_name(*p)); 3174 switch (*p) { 3175 #ifdef notyet 3176 case IPCP_OPT_COMPRESSION: 3177 continue; 3178 #endif 3179 case IPCP_OPT_ADDRESS: 3180 desiredaddr = p[2] << 24 | p[3] << 16 | 3181 p[4] << 8 | p[5]; 3182 if (desiredaddr == hisaddr || 3183 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 3184 /* 3185 * Peer's address is same as our value, 3186 * this is agreeable. Gonna conf-ack 3187 * it. 3188 */ 3189 if (debug) 3190 addlog(" %s [ack]", 3191 sppp_dotted_quad(hisaddr)); 3192 /* record that we've seen it already */ 3193 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 3194 sp->ipcp.req_hisaddr = desiredaddr; 3195 hisaddr = desiredaddr; 3196 continue; 3197 } 3198 /* 3199 * The address wasn't agreeable. This is either 3200 * he sent us 0.0.0.0, asking to assign him an 3201 * address, or he send us another address not 3202 * matching our value. Either case, we gonna 3203 * conf-nak it with our value. 3204 */ 3205 if (debug) { 3206 if (desiredaddr == 0) 3207 addlog(" [addr requested]"); 3208 else 3209 addlog(" %s [not agreed]", 3210 sppp_dotted_quad(desiredaddr)); 3211 } 3212 3213 p[2] = hisaddr >> 24; 3214 p[3] = hisaddr >> 16; 3215 p[4] = hisaddr >> 8; 3216 p[5] = hisaddr; 3217 break; 3218 } 3219 if (rlen + l > blen) { 3220 if (debug) 3221 addlog(" [overflow]"); 3222 continue; 3223 } 3224 /* Add the option to nak'ed list. */ 3225 memcpy(r, p, l); 3226 r += l; 3227 rlen += l; 3228 } 3229 3230 /* 3231 * If we are about to conf-ack the request, but haven't seen 3232 * his address so far, gonna conf-nak it instead, with the 3233 * `address' option present and our idea of his address being 3234 * filled in there, to request negotiation of both addresses. 3235 * 3236 * XXX This can result in an endless req - nak loop if peer 3237 * doesn't want to send us his address. Q: What should we do 3238 * about it? XXX A: implement the max-failure counter. 3239 */ 3240 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) { 3241 buf[0] = IPCP_OPT_ADDRESS; 3242 buf[1] = 6; 3243 buf[2] = hisaddr >> 24; 3244 buf[3] = hisaddr >> 16; 3245 buf[4] = hisaddr >> 8; 3246 buf[5] = hisaddr; 3247 rlen = 6; 3248 if (debug) 3249 addlog(" still need hisaddr"); 3250 } 3251 3252 if (rlen) { 3253 if (debug) 3254 addlog(" send conf-nak\n"); 3255 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3256 } else { 3257 if (debug) 3258 addlog(" send conf-ack\n"); 3259 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1); 3260 } 3261 3262 end: 3263 free(buf, M_TEMP); 3264 return (rlen == 0); 3265 3266 drop: 3267 free(buf, M_TEMP); 3268 return -1; 3269 } 3270 3271 /* 3272 * Analyze the IPCP Configure-Reject option list, and adjust our 3273 * negotiation. 3274 */ 3275 static void 3276 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3277 { 3278 u_char *buf, *p, l, blen; 3279 struct ifnet *ifp = &sp->pp_if; 3280 int debug = ifp->if_flags & IFF_DEBUG; 3281 3282 KASSERT(SPPP_WLOCKED(sp)); 3283 3284 len -= 4; 3285 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3286 if (!buf) 3287 return; 3288 3289 if (debug) 3290 log(LOG_DEBUG, "%s: ipcp rej opts:", 3291 ifp->if_xname); 3292 3293 p = (void *)(h + 1); 3294 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3295 /* Sanity check option length */ 3296 if (l > len) { 3297 /* XXX should we just RXJ? */ 3298 addlog("%s: malicious IPCP option received, dropping\n", 3299 ifp->if_xname); 3300 goto drop; 3301 } 3302 if (debug) 3303 addlog(" %s", sppp_ipcp_opt_name(*p)); 3304 switch (*p) { 3305 case IPCP_OPT_ADDRESS: 3306 /* 3307 * Peer doesn't grok address option. This is 3308 * bad. XXX Should we better give up here? 3309 */ 3310 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3311 break; 3312 #ifdef notyet 3313 case IPCP_OPT_COMPRESS: 3314 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS); 3315 break; 3316 #endif 3317 } 3318 } 3319 if (debug) 3320 addlog("\n"); 3321 drop: 3322 free(buf, M_TEMP); 3323 return; 3324 } 3325 3326 /* 3327 * Analyze the IPCP Configure-NAK option list, and adjust our 3328 * negotiation. 3329 */ 3330 static void 3331 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3332 { 3333 u_char *p, l; 3334 struct ifnet *ifp = &sp->pp_if; 3335 int debug = ifp->if_flags & IFF_DEBUG; 3336 uint32_t wantaddr; 3337 3338 KASSERT(SPPP_WLOCKED(sp)); 3339 3340 len -= 4; 3341 3342 if (debug) 3343 log(LOG_DEBUG, "%s: ipcp nak opts:", 3344 ifp->if_xname); 3345 3346 p = (void *)(h + 1); 3347 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3348 /* Sanity check option length */ 3349 if (l > len) { 3350 /* XXX should we just RXJ? */ 3351 addlog("%s: malicious IPCP option received, dropping\n", 3352 ifp->if_xname); 3353 return; 3354 } 3355 if (debug) 3356 addlog(" %s", sppp_ipcp_opt_name(*p)); 3357 switch (*p) { 3358 case IPCP_OPT_ADDRESS: 3359 /* 3360 * Peer doesn't like our local IP address. See 3361 * if we can do something for him. We'll drop 3362 * him our address then. 3363 */ 3364 if (len >= 6 && l == 6) { 3365 wantaddr = p[2] << 24 | p[3] << 16 | 3366 p[4] << 8 | p[5]; 3367 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3368 if (debug) 3369 addlog(" [wantaddr %s]", 3370 sppp_dotted_quad(wantaddr)); 3371 /* 3372 * When doing dynamic address assignment, 3373 * we accept his offer. Otherwise, we 3374 * ignore it and thus continue to negotiate 3375 * our already existing value. 3376 */ 3377 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3378 if (debug) 3379 addlog(" [agree]"); 3380 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3381 sp->ipcp.req_myaddr = wantaddr; 3382 } 3383 } 3384 break; 3385 3386 case IPCP_OPT_PRIMDNS: 3387 if (len >= 6 && l == 6) { 3388 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 3389 p[4] << 8 | p[5]; 3390 } 3391 break; 3392 3393 case IPCP_OPT_SECDNS: 3394 if (len >= 6 && l == 6) { 3395 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 3396 p[4] << 8 | p[5]; 3397 } 3398 break; 3399 #ifdef notyet 3400 case IPCP_OPT_COMPRESS: 3401 /* 3402 * Peer wants different compression parameters. 3403 */ 3404 break; 3405 #endif 3406 } 3407 } 3408 if (debug) 3409 addlog("\n"); 3410 } 3411 3412 static void 3413 sppp_ipcp_tlu(struct sppp *sp) 3414 { 3415 #ifdef INET 3416 KASSERT(SPPP_WLOCKED(sp)); 3417 /* we are up. Set addresses and notify anyone interested */ 3418 sppp_set_ip_addrs(sp); 3419 #endif 3420 } 3421 3422 static void 3423 sppp_ipcp_tld(struct sppp *sp) 3424 { 3425 3426 KASSERT(SPPP_WLOCKED(sp)); 3427 } 3428 3429 static void 3430 sppp_ipcp_tls(struct sppp *sp) 3431 { 3432 3433 KASSERT(SPPP_WLOCKED(sp)); 3434 /* indicate to LCP that it must stay alive */ 3435 sp->lcp.protos |= (1 << IDX_IPCP); 3436 } 3437 3438 static void 3439 sppp_ipcp_tlf(struct sppp *sp) 3440 { 3441 3442 KASSERT(SPPP_WLOCKED(sp)); 3443 3444 /* we no longer need LCP */ 3445 sp->lcp.protos &= ~(1 << IDX_IPCP); 3446 } 3447 3448 static void 3449 sppp_ipcp_scr(struct sppp *sp) 3450 { 3451 uint8_t opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 3452 #ifdef INET 3453 uint32_t ouraddr; 3454 #endif 3455 int i = 0; 3456 3457 KASSERT(SPPP_WLOCKED(sp)); 3458 3459 #ifdef notyet 3460 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3461 opt[i++] = IPCP_OPT_COMPRESSION; 3462 opt[i++] = 6; 3463 opt[i++] = 0; /* VJ header compression */ 3464 opt[i++] = 0x2d; /* VJ header compression */ 3465 opt[i++] = max_slot_id; 3466 opt[i++] = comp_slot_id; 3467 } 3468 #endif 3469 3470 #ifdef INET 3471 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3472 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) 3473 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 3474 else 3475 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3476 opt[i++] = IPCP_OPT_ADDRESS; 3477 opt[i++] = 6; 3478 opt[i++] = ouraddr >> 24; 3479 opt[i++] = ouraddr >> 16; 3480 opt[i++] = ouraddr >> 8; 3481 opt[i++] = ouraddr; 3482 } 3483 #endif 3484 3485 if (sp->query_dns & 1) { 3486 opt[i++] = IPCP_OPT_PRIMDNS; 3487 opt[i++] = 6; 3488 opt[i++] = sp->dns_addrs[0] >> 24; 3489 opt[i++] = sp->dns_addrs[0] >> 16; 3490 opt[i++] = sp->dns_addrs[0] >> 8; 3491 opt[i++] = sp->dns_addrs[0]; 3492 } 3493 if (sp->query_dns & 2) { 3494 opt[i++] = IPCP_OPT_SECDNS; 3495 opt[i++] = 6; 3496 opt[i++] = sp->dns_addrs[1] >> 24; 3497 opt[i++] = sp->dns_addrs[1] >> 16; 3498 opt[i++] = sp->dns_addrs[1] >> 8; 3499 opt[i++] = sp->dns_addrs[1]; 3500 } 3501 3502 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3503 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3504 } 3505 3506 3507 /* 3508 *--------------------------------------------------------------------------* 3509 * * 3510 * The IPv6CP implementation. * 3511 * * 3512 *--------------------------------------------------------------------------* 3513 */ 3514 3515 #ifdef INET6 3516 static void 3517 sppp_ipv6cp_init(struct sppp *sp) 3518 { 3519 3520 KASSERT(SPPP_WLOCKED(sp)); 3521 3522 sp->ipv6cp.opts = 0; 3523 sp->ipv6cp.flags = 0; 3524 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3525 sp->fail_counter[IDX_IPV6CP] = 0; 3526 sp->pp_seq[IDX_IPV6CP] = 0; 3527 sp->pp_rseq[IDX_IPV6CP] = 0; 3528 callout_init(&sp->ch[IDX_IPV6CP], CALLOUT_MPSAFE); 3529 } 3530 3531 static void 3532 sppp_ipv6cp_up(struct sppp *sp) 3533 { 3534 3535 KASSERT(SPPP_WLOCKED(sp)); 3536 sppp_up_event(&ipv6cp, sp); 3537 } 3538 3539 static void 3540 sppp_ipv6cp_down(struct sppp *sp) 3541 { 3542 3543 KASSERT(SPPP_WLOCKED(sp)); 3544 sppp_down_event(&ipv6cp, sp); 3545 } 3546 3547 static void 3548 sppp_ipv6cp_open(struct sppp *sp) 3549 { 3550 STDDCL; 3551 struct in6_addr myaddr, hisaddr; 3552 3553 KASSERT(SPPP_WLOCKED(sp)); 3554 3555 #ifdef IPV6CP_MYIFID_DYN 3556 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3557 #else 3558 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3559 #endif 3560 3561 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3562 /* 3563 * If we don't have our address, this probably means our 3564 * interface doesn't want to talk IPv6 at all. (This could 3565 * be the case if somebody wants to speak only IPX, for 3566 * example.) Don't open IPv6CP in this case. 3567 */ 3568 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3569 /* XXX this message should go away */ 3570 if (debug) 3571 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 3572 ifp->if_xname); 3573 return; 3574 } 3575 3576 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3577 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3578 sppp_open_event(&ipv6cp, sp); 3579 } 3580 3581 static void 3582 sppp_ipv6cp_close(struct sppp *sp) 3583 { 3584 3585 KASSERT(SPPP_WLOCKED(sp)); 3586 sppp_close_event(&ipv6cp, sp); 3587 } 3588 3589 static void 3590 sppp_ipv6cp_TO(void *cookie) 3591 { 3592 struct sppp *sp = cookie; 3593 3594 SPPP_LOCK(sp, RW_WRITER); 3595 sppp_to_event(&ipv6cp, sp); 3596 SPPP_UNLOCK(sp); 3597 } 3598 3599 /* 3600 * Analyze a configure request. Return true if it was agreeable, and 3601 * caused action sca, false if it has been rejected or nak'ed, and 3602 * caused action scn. (The return value is used to make the state 3603 * transition decision in the state automaton.) 3604 */ 3605 static int 3606 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3607 { 3608 u_char *buf, *r, *p, l, blen; 3609 struct ifnet *ifp = &sp->pp_if; 3610 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3611 struct in6_addr myaddr, desiredaddr, suggestaddr; 3612 int ifidcount; 3613 int type; 3614 int collision, nohisaddr; 3615 char ip6buf[INET6_ADDRSTRLEN]; 3616 3617 KASSERT(SPPP_WLOCKED(sp)); 3618 3619 len -= 4; 3620 origlen = len; 3621 /* 3622 * Make sure to allocate a buf that can at least hold a 3623 * conf-nak with an `address' option. We might need it below. 3624 */ 3625 blen = len < 6 ? 6 : len; 3626 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3627 if (! buf) 3628 return (0); 3629 3630 /* pass 1: see if we can recognize them */ 3631 if (debug) 3632 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 3633 ifp->if_xname); 3634 p = (void *)(h + 1); 3635 ifidcount = 0; 3636 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3637 /* Sanity check option length */ 3638 if (l > len) { 3639 /* XXX just RXJ? */ 3640 addlog("%s: received malicious IPCPv6 option, " 3641 "dropping\n", ifp->if_xname); 3642 goto drop; 3643 } 3644 if (debug) 3645 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3646 switch (*p) { 3647 case IPV6CP_OPT_IFID: 3648 if (len >= 10 && l == 10 && ifidcount == 0) { 3649 /* correctly formed address option */ 3650 ifidcount++; 3651 continue; 3652 } 3653 if (debug) 3654 addlog(" [invalid]"); 3655 break; 3656 #ifdef notyet 3657 case IPV6CP_OPT_COMPRESSION: 3658 if (len >= 4 && l >= 4) { 3659 /* correctly formed compress option */ 3660 continue; 3661 } 3662 if (debug) 3663 addlog(" [invalid]"); 3664 break; 3665 #endif 3666 default: 3667 /* Others not supported. */ 3668 if (debug) 3669 addlog(" [rej]"); 3670 break; 3671 } 3672 if (rlen + l > blen) { 3673 if (debug) 3674 addlog(" [overflow]"); 3675 continue; 3676 } 3677 /* Add the option to rejected list. */ 3678 memcpy(r, p, l); 3679 r += l; 3680 rlen += l; 3681 } 3682 if (rlen) { 3683 if (debug) 3684 addlog(" send conf-rej\n"); 3685 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3686 goto end; 3687 } else if (debug) 3688 addlog("\n"); 3689 3690 /* pass 2: parse option values */ 3691 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3692 if (debug) 3693 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 3694 ifp->if_xname); 3695 p = (void *)(h + 1); 3696 len = origlen; 3697 type = CONF_ACK; 3698 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3699 if (debug) 3700 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3701 switch (*p) { 3702 #ifdef notyet 3703 case IPV6CP_OPT_COMPRESSION: 3704 continue; 3705 #endif 3706 case IPV6CP_OPT_IFID: 3707 memset(&desiredaddr, 0, sizeof(desiredaddr)); 3708 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 3709 collision = (memcmp(&desiredaddr.s6_addr[8], 3710 &myaddr.s6_addr[8], 8) == 0); 3711 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3712 3713 desiredaddr.s6_addr16[0] = htons(0xfe80); 3714 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 3715 3716 if (!collision && !nohisaddr) { 3717 /* no collision, hisaddr known - Conf-Ack */ 3718 type = CONF_ACK; 3719 3720 if (debug) { 3721 addlog(" %s [%s]", 3722 IN6_PRINT(ip6buf, &desiredaddr), 3723 sppp_cp_type_name(type)); 3724 } 3725 continue; 3726 } 3727 3728 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3729 if (collision && nohisaddr) { 3730 /* collision, hisaddr unknown - Conf-Rej */ 3731 type = CONF_REJ; 3732 memset(&p[2], 0, 8); 3733 } else { 3734 /* 3735 * - no collision, hisaddr unknown, or 3736 * - collision, hisaddr known 3737 * Conf-Nak, suggest hisaddr 3738 */ 3739 type = CONF_NAK; 3740 sppp_suggest_ip6_addr(sp, &suggestaddr); 3741 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 3742 } 3743 if (debug) 3744 addlog(" %s [%s]", IN6_PRINT(ip6buf, &desiredaddr), 3745 sppp_cp_type_name(type)); 3746 break; 3747 } 3748 if (rlen + l > blen) { 3749 if (debug) 3750 addlog(" [overflow]"); 3751 continue; 3752 } 3753 /* Add the option to nak'ed list. */ 3754 memcpy(r, p, l); 3755 r += l; 3756 rlen += l; 3757 } 3758 3759 if (rlen == 0 && type == CONF_ACK) { 3760 if (debug) 3761 addlog(" send %s\n", sppp_cp_type_name(type)); 3762 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1); 3763 } else { 3764 #ifdef notdef 3765 if (type == CONF_ACK) 3766 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3767 #endif 3768 3769 if (debug) { 3770 addlog(" send %s suggest %s\n", 3771 sppp_cp_type_name(type), IN6_PRINT(ip6buf, &suggestaddr)); 3772 } 3773 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3774 } 3775 3776 end: 3777 free(buf, M_TEMP); 3778 return (rlen == 0); 3779 3780 drop: 3781 free(buf, M_TEMP); 3782 return -1; 3783 } 3784 3785 /* 3786 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3787 * negotiation. 3788 */ 3789 static void 3790 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3791 { 3792 u_char *buf, *p, l, blen; 3793 struct ifnet *ifp = &sp->pp_if; 3794 int debug = ifp->if_flags & IFF_DEBUG; 3795 3796 KASSERT(SPPP_WLOCKED(sp)); 3797 3798 len -= 4; 3799 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3800 if (!buf) 3801 return; 3802 3803 if (debug) 3804 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 3805 ifp->if_xname); 3806 3807 p = (void *)(h + 1); 3808 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3809 if (l > len) { 3810 /* XXX just RXJ? */ 3811 addlog("%s: received malicious IPCPv6 option, " 3812 "dropping\n", ifp->if_xname); 3813 goto drop; 3814 } 3815 if (debug) 3816 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3817 switch (*p) { 3818 case IPV6CP_OPT_IFID: 3819 /* 3820 * Peer doesn't grok address option. This is 3821 * bad. XXX Should we better give up here? 3822 */ 3823 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3824 break; 3825 #ifdef notyet 3826 case IPV6CP_OPT_COMPRESS: 3827 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3828 break; 3829 #endif 3830 } 3831 } 3832 if (debug) 3833 addlog("\n"); 3834 drop: 3835 free(buf, M_TEMP); 3836 return; 3837 } 3838 3839 /* 3840 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3841 * negotiation. 3842 */ 3843 static void 3844 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3845 { 3846 u_char *buf, *p, l, blen; 3847 struct ifnet *ifp = &sp->pp_if; 3848 int debug = ifp->if_flags & IFF_DEBUG; 3849 struct in6_addr suggestaddr; 3850 char ip6buf[INET6_ADDRSTRLEN]; 3851 3852 KASSERT(SPPP_WLOCKED(sp)); 3853 3854 len -= 4; 3855 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3856 if (!buf) 3857 return; 3858 3859 if (debug) 3860 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 3861 ifp->if_xname); 3862 3863 p = (void *)(h + 1); 3864 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3865 if (l > len) { 3866 /* XXX just RXJ? */ 3867 addlog("%s: received malicious IPCPv6 option, " 3868 "dropping\n", ifp->if_xname); 3869 goto drop; 3870 } 3871 if (debug) 3872 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3873 switch (*p) { 3874 case IPV6CP_OPT_IFID: 3875 /* 3876 * Peer doesn't like our local ifid. See 3877 * if we can do something for him. We'll drop 3878 * him our address then. 3879 */ 3880 if (len < 10 || l != 10) 3881 break; 3882 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3883 suggestaddr.s6_addr16[0] = htons(0xfe80); 3884 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 3885 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 3886 3887 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3888 if (debug) 3889 addlog(" [suggestaddr %s]", 3890 IN6_PRINT(ip6buf, &suggestaddr)); 3891 #ifdef IPV6CP_MYIFID_DYN 3892 /* 3893 * When doing dynamic address assignment, 3894 * we accept his offer. 3895 */ 3896 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3897 struct in6_addr lastsuggest; 3898 /* 3899 * If <suggested myaddr from peer> equals to 3900 * <hisaddr we have suggested last time>, 3901 * we have a collision. generate new random 3902 * ifid. 3903 */ 3904 sppp_suggest_ip6_addr(&lastsuggest); 3905 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3906 lastsuggest)) { 3907 if (debug) 3908 addlog(" [random]"); 3909 sppp_gen_ip6_addr(sp, &suggestaddr); 3910 } 3911 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3912 if (debug) 3913 addlog(" [agree]"); 3914 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3915 } 3916 #else 3917 /* 3918 * Since we do not do dynamic address assignment, 3919 * we ignore it and thus continue to negotiate 3920 * our already existing value. This can possibly 3921 * go into infinite request-reject loop. 3922 * 3923 * This is not likely because we normally use 3924 * ifid based on MAC-address. 3925 * If you have no ethernet card on the node, too bad. 3926 * XXX should we use fail_counter? 3927 */ 3928 #endif 3929 break; 3930 #ifdef notyet 3931 case IPV6CP_OPT_COMPRESS: 3932 /* 3933 * Peer wants different compression parameters. 3934 */ 3935 break; 3936 #endif 3937 } 3938 } 3939 if (debug) 3940 addlog("\n"); 3941 drop: 3942 free(buf, M_TEMP); 3943 return; 3944 } 3945 3946 static void 3947 sppp_ipv6cp_tlu(struct sppp *sp) 3948 { 3949 3950 KASSERT(SPPP_WLOCKED(sp)); 3951 /* we are up - notify isdn daemon */ 3952 sppp_notify_con_wlocked(sp); 3953 } 3954 3955 static void 3956 sppp_ipv6cp_tld(struct sppp *sp) 3957 { 3958 3959 KASSERT(SPPP_WLOCKED(sp)); 3960 } 3961 3962 static void 3963 sppp_ipv6cp_tls(struct sppp *sp) 3964 { 3965 3966 KASSERT(SPPP_WLOCKED(sp)); 3967 /* indicate to LCP that it must stay alive */ 3968 sp->lcp.protos |= (1 << IDX_IPV6CP); 3969 } 3970 3971 static void 3972 sppp_ipv6cp_tlf(struct sppp *sp) 3973 { 3974 3975 KASSERT(SPPP_WLOCKED(sp)); 3976 /* we no longer need LCP */ 3977 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3978 } 3979 3980 static void 3981 sppp_ipv6cp_scr(struct sppp *sp) 3982 { 3983 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3984 struct in6_addr ouraddr; 3985 int i = 0; 3986 3987 KASSERT(SPPP_WLOCKED(sp)); 3988 3989 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3990 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3991 opt[i++] = IPV6CP_OPT_IFID; 3992 opt[i++] = 10; 3993 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 3994 i += 8; 3995 } 3996 3997 #ifdef notyet 3998 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 3999 opt[i++] = IPV6CP_OPT_COMPRESSION; 4000 opt[i++] = 4; 4001 opt[i++] = 0; /* TBD */ 4002 opt[i++] = 0; /* TBD */ 4003 /* variable length data may follow */ 4004 } 4005 #endif 4006 4007 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 4008 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 4009 } 4010 #else /*INET6*/ 4011 static void 4012 sppp_ipv6cp_init(struct sppp *sp) 4013 { 4014 4015 KASSERT(SPPP_WLOCKED(sp)); 4016 } 4017 4018 static void 4019 sppp_ipv6cp_up(struct sppp *sp) 4020 { 4021 4022 KASSERT(SPPP_WLOCKED(sp)); 4023 } 4024 4025 static void 4026 sppp_ipv6cp_down(struct sppp *sp) 4027 { 4028 4029 KASSERT(SPPP_WLOCKED(sp)); 4030 } 4031 4032 static void 4033 sppp_ipv6cp_open(struct sppp *sp) 4034 { 4035 4036 KASSERT(SPPP_WLOCKED(sp)); 4037 } 4038 4039 static void 4040 sppp_ipv6cp_close(struct sppp *sp) 4041 { 4042 4043 KASSERT(SPPP_WLOCKED(sp)); 4044 } 4045 4046 static void 4047 sppp_ipv6cp_TO(void *cookie) 4048 { 4049 struct sppp *sp __diagused = cookie; 4050 4051 KASSERT(SPPP_WLOCKED(sp)); 4052 } 4053 4054 static int 4055 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, 4056 int len) 4057 { 4058 4059 KASSERT(SPPP_WLOCKED(sp)); 4060 return 0; 4061 } 4062 4063 static void 4064 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, 4065 int len) 4066 { 4067 4068 KASSERT(SPPP_WLOCKED(sp)); 4069 } 4070 4071 static void 4072 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, 4073 int len) 4074 { 4075 4076 KASSERT(SPPP_WLOCKED(sp)); 4077 } 4078 4079 static void 4080 sppp_ipv6cp_tlu(struct sppp *sp) 4081 { 4082 4083 KASSERT(SPPP_WLOCKED(sp)); 4084 } 4085 4086 static void 4087 sppp_ipv6cp_tld(struct sppp *sp) 4088 { 4089 4090 KASSERT(SPPP_WLOCKED(sp)); 4091 } 4092 4093 static void 4094 sppp_ipv6cp_tls(struct sppp *sp) 4095 { 4096 4097 KASSERT(SPPP_WLOCKED(sp)); 4098 } 4099 4100 static void 4101 sppp_ipv6cp_tlf(struct sppp *sp) 4102 { 4103 4104 KASSERT(SPPP_WLOCKED(sp)); 4105 } 4106 4107 static void 4108 sppp_ipv6cp_scr(struct sppp *sp) 4109 { 4110 4111 KASSERT(SPPP_WLOCKED(sp)); 4112 } 4113 #endif /*INET6*/ 4114 4115 4116 /* 4117 *--------------------------------------------------------------------------* 4118 * * 4119 * The CHAP implementation. * 4120 * * 4121 *--------------------------------------------------------------------------* 4122 */ 4123 4124 /* 4125 * The authentication protocols don't employ a full-fledged state machine as 4126 * the control protocols do, since they do have Open and Close events, but 4127 * not Up and Down, nor are they explicitly terminated. Also, use of the 4128 * authentication protocols may be different in both directions (this makes 4129 * sense, think of a machine that never accepts incoming calls but only 4130 * calls out, it doesn't require the called party to authenticate itself). 4131 * 4132 * Our state machine for the local authentication protocol (we are requesting 4133 * the peer to authenticate) looks like: 4134 * 4135 * RCA- 4136 * +--------------------------------------------+ 4137 * V scn,tld| 4138 * +--------+ Close +---------+ RCA+ 4139 * | |<----------------------------------| |------+ 4140 * +--->| Closed | TO* | Opened | sca | 4141 * | | |-----+ +-------| |<-----+ 4142 * | +--------+ irc | | +---------+ 4143 * | ^ | | ^ 4144 * | | | | | 4145 * | | | | | 4146 * | TO-| | | | 4147 * | |tld TO+ V | | 4148 * | | +------->+ | | 4149 * | | | | | | 4150 * | +--------+ V | | 4151 * | | |<----+<--------------------+ | 4152 * | | Req- | scr | 4153 * | | Sent | | 4154 * | | | | 4155 * | +--------+ | 4156 * | RCA- | | RCA+ | 4157 * +------+ +------------------------------------------+ 4158 * scn,tld sca,irc,ict,tlu 4159 * 4160 * 4161 * with: 4162 * 4163 * Open: LCP reached authentication phase 4164 * Close: LCP reached terminate phase 4165 * 4166 * RCA+: received reply (pap-req, chap-response), acceptable 4167 * RCN: received reply (pap-req, chap-response), not acceptable 4168 * TO+: timeout with restart counter >= 0 4169 * TO-: timeout with restart counter < 0 4170 * TO*: reschedule timeout for CHAP 4171 * 4172 * scr: send request packet (none for PAP, chap-challenge) 4173 * sca: send ack packet (pap-ack, chap-success) 4174 * scn: send nak packet (pap-nak, chap-failure) 4175 * ict: initialize re-challenge timer (CHAP only) 4176 * 4177 * tlu: this-layer-up, LCP reaches network phase 4178 * tld: this-layer-down, LCP enters terminate phase 4179 * 4180 * Note that in CHAP mode, after sending a new challenge, while the state 4181 * automaton falls back into Req-Sent state, it doesn't signal a tld 4182 * event to LCP, so LCP remains in network phase. Only after not getting 4183 * any response (or after getting an unacceptable response), CHAP closes, 4184 * causing LCP to enter terminate phase. 4185 * 4186 * With PAP, there is no initial request that can be sent. The peer is 4187 * expected to send one based on the successful negotiation of PAP as 4188 * the authentication protocol during the LCP option negotiation. 4189 * 4190 * Incoming authentication protocol requests (remote requests 4191 * authentication, we are peer) don't employ a state machine at all, 4192 * they are simply answered. Some peers [Ascend P50 firmware rev 4193 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are 4194 * still in authentication phase (thereby violating the standard that 4195 * demands that these NCP packets are to be discarded), so we keep 4196 * track of the peer demanding us to authenticate, and only proceed to 4197 * phase network once we've seen a positive acknowledge for the 4198 * authentication. 4199 */ 4200 4201 /* 4202 * Handle incoming CHAP packets. 4203 */ 4204 void 4205 sppp_chap_input(struct sppp *sp, struct mbuf *m) 4206 { 4207 STDDCL; 4208 struct lcp_header *h; 4209 int len, x; 4210 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize; 4211 int value_len, name_len; 4212 MD5_CTX ctx; 4213 4214 len = m->m_pkthdr.len; 4215 if (len < 4) { 4216 if (debug) 4217 log(LOG_DEBUG, 4218 "%s: chap invalid packet length: %d bytes\n", 4219 ifp->if_xname, len); 4220 return; 4221 } 4222 h = mtod(m, struct lcp_header *); 4223 if (len > ntohs(h->len)) 4224 len = ntohs(h->len); 4225 4226 SPPP_LOCK(sp, RW_WRITER); 4227 4228 switch (h->type) { 4229 /* challenge, failure and success are his authproto */ 4230 case CHAP_CHALLENGE: 4231 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4232 /* can't do anything useful */ 4233 sp->pp_auth_failures++; 4234 printf("%s: chap input without my name and my secret being set\n", 4235 ifp->if_xname); 4236 break; 4237 } 4238 value = 1 + (u_char *)(h + 1); 4239 value_len = value[-1]; 4240 name = value + value_len; 4241 name_len = len - value_len - 5; 4242 if (name_len < 0) { 4243 if (debug) { 4244 log(LOG_DEBUG, 4245 "%s: chap corrupted challenge " 4246 "<%s id=0x%x len=%d", 4247 ifp->if_xname, 4248 sppp_auth_type_name(PPP_CHAP, h->type), 4249 h->ident, ntohs(h->len)); 4250 if (len > 4) 4251 sppp_print_bytes((u_char *)(h + 1), 4252 len - 4); 4253 addlog(">\n"); 4254 } 4255 break; 4256 } 4257 4258 if (debug) { 4259 log(LOG_DEBUG, 4260 "%s: chap input <%s id=0x%x len=%d name=", 4261 ifp->if_xname, 4262 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 4263 ntohs(h->len)); 4264 sppp_print_string((char *) name, name_len); 4265 addlog(" value-size=%d value=", value_len); 4266 sppp_print_bytes(value, value_len); 4267 addlog(">\n"); 4268 } 4269 4270 /* Compute reply value. */ 4271 MD5Init(&ctx); 4272 MD5Update(&ctx, &h->ident, 1); 4273 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 4274 MD5Update(&ctx, value, value_len); 4275 MD5Final(digest, &ctx); 4276 dsize = sizeof digest; 4277 4278 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 4279 sizeof dsize, (const char *)&dsize, 4280 sizeof digest, digest, 4281 sp->myauth.name_len, 4282 sp->myauth.name, 4283 0); 4284 break; 4285 4286 case CHAP_SUCCESS: 4287 if (debug) { 4288 log(LOG_DEBUG, "%s: chap success", 4289 ifp->if_xname); 4290 if (len > 4) { 4291 addlog(": "); 4292 sppp_print_string((char *)(h + 1), len - 4); 4293 } 4294 addlog("\n"); 4295 } 4296 x = splnet(); 4297 sp->pp_auth_failures = 0; 4298 sp->pp_flags &= ~PP_NEEDAUTH; 4299 if (sp->myauth.proto == PPP_CHAP && 4300 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4301 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 4302 /* 4303 * We are authenticator for CHAP but didn't 4304 * complete yet. Leave it to tlu to proceed 4305 * to network phase. 4306 */ 4307 splx(x); 4308 break; 4309 } 4310 splx(x); 4311 sppp_phase_network(sp); 4312 break; 4313 4314 case CHAP_FAILURE: 4315 x = splnet(); 4316 sp->pp_auth_failures++; 4317 splx(x); 4318 if (debug) { 4319 log(LOG_INFO, "%s: chap failure", 4320 ifp->if_xname); 4321 if (len > 4) { 4322 addlog(": "); 4323 sppp_print_string((char *)(h + 1), len - 4); 4324 } 4325 addlog("\n"); 4326 } else 4327 log(LOG_INFO, "%s: chap failure\n", 4328 ifp->if_xname); 4329 /* await LCP shutdown by authenticator */ 4330 break; 4331 4332 /* response is my authproto */ 4333 case CHAP_RESPONSE: 4334 if (sp->hisauth.secret == NULL) { 4335 /* can't do anything useful */ 4336 printf("%s: chap input without his secret being set\n", 4337 ifp->if_xname); 4338 break; 4339 } 4340 value = 1 + (u_char *)(h + 1); 4341 value_len = value[-1]; 4342 name = value + value_len; 4343 name_len = len - value_len - 5; 4344 if (name_len < 0) { 4345 if (debug) { 4346 log(LOG_DEBUG, 4347 "%s: chap corrupted response " 4348 "<%s id=0x%x len=%d", 4349 ifp->if_xname, 4350 sppp_auth_type_name(PPP_CHAP, h->type), 4351 h->ident, ntohs(h->len)); 4352 if (len > 4) 4353 sppp_print_bytes((u_char *)(h + 1), 4354 len - 4); 4355 addlog(">\n"); 4356 } 4357 break; 4358 } 4359 if (h->ident != sp->confid[IDX_CHAP]) { 4360 if (debug) 4361 log(LOG_DEBUG, 4362 "%s: chap dropping response for old ID " 4363 "(got %d, expected %d)\n", 4364 ifp->if_xname, 4365 h->ident, sp->confid[IDX_CHAP]); 4366 break; 4367 } 4368 if (sp->hisauth.name != NULL && 4369 (name_len != sp->hisauth.name_len 4370 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 4371 log(LOG_INFO, "%s: chap response, his name ", 4372 ifp->if_xname); 4373 sppp_print_string(name, name_len); 4374 addlog(" != expected "); 4375 sppp_print_string(sp->hisauth.name, 4376 sp->hisauth.name_len); 4377 addlog("\n"); 4378 goto chap_failure; 4379 } 4380 if (debug) { 4381 log(LOG_DEBUG, "%s: chap input(%s) " 4382 "<%s id=0x%x len=%d name=", 4383 ifp->if_xname, 4384 sppp_state_name(sp->state[IDX_CHAP]), 4385 sppp_auth_type_name(PPP_CHAP, h->type), 4386 h->ident, ntohs(h->len)); 4387 sppp_print_string((char *)name, name_len); 4388 addlog(" value-size=%d value=", value_len); 4389 sppp_print_bytes(value, value_len); 4390 addlog(">\n"); 4391 } 4392 if (value_len != sizeof(sp->hisauth.challenge)) { 4393 if (debug) 4394 log(LOG_DEBUG, 4395 "%s: chap bad hash value length: " 4396 "%d bytes, should be %zu\n", 4397 ifp->if_xname, value_len, 4398 sizeof(sp->hisauth.challenge)); 4399 goto chap_failure; 4400 } 4401 4402 MD5Init(&ctx); 4403 MD5Update(&ctx, &h->ident, 1); 4404 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 4405 MD5Update(&ctx, sp->hisauth.challenge, sizeof(sp->hisauth.challenge)); 4406 MD5Final(digest, &ctx); 4407 4408 #define FAILMSG "Failed..." 4409 #define SUCCMSG "Welcome!" 4410 4411 if (value_len != sizeof digest || 4412 memcmp(digest, value, value_len) != 0) { 4413 chap_failure: 4414 KASSERT(SPPP_WLOCKED(sp)); 4415 /* action scn, tld */ 4416 sp->pp_auth_failures++; 4417 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4418 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4419 0); 4420 chap.tld(sp); 4421 break; 4422 } 4423 sp->pp_auth_failures = 0; 4424 /* action sca, perhaps tlu */ 4425 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4426 sp->state[IDX_CHAP] == STATE_OPENED) 4427 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4428 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4429 0); 4430 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4431 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4432 chap.tlu(sp); 4433 } 4434 break; 4435 4436 default: 4437 /* Unknown CHAP packet type -- ignore. */ 4438 if (debug) { 4439 log(LOG_DEBUG, "%s: chap unknown input(%s) " 4440 "<0x%x id=0x%xh len=%d", 4441 ifp->if_xname, 4442 sppp_state_name(sp->state[IDX_CHAP]), 4443 h->type, h->ident, ntohs(h->len)); 4444 if (len > 4) 4445 sppp_print_bytes((u_char *)(h + 1), len - 4); 4446 addlog(">\n"); 4447 } 4448 break; 4449 4450 } 4451 4452 SPPP_UNLOCK(sp); 4453 } 4454 4455 static void 4456 sppp_chap_init(struct sppp *sp) 4457 { 4458 4459 KASSERT(SPPP_WLOCKED(sp)); 4460 4461 /* Chap doesn't have STATE_INITIAL at all. */ 4462 sp->state[IDX_CHAP] = STATE_CLOSED; 4463 sp->fail_counter[IDX_CHAP] = 0; 4464 sp->pp_seq[IDX_CHAP] = 0; 4465 sp->pp_rseq[IDX_CHAP] = 0; 4466 callout_init(&sp->ch[IDX_CHAP], CALLOUT_MPSAFE); 4467 } 4468 4469 static void 4470 sppp_chap_open(struct sppp *sp) 4471 { 4472 4473 KASSERT(SPPP_WLOCKED(sp)); 4474 if (sp->hisauth.proto == PPP_CHAP && 4475 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4476 /* we are authenticator for CHAP, start it */ 4477 chap.scr(sp); 4478 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4479 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4480 } 4481 /* nothing to be done if we are peer, await a challenge */ 4482 } 4483 4484 static void 4485 sppp_chap_close(struct sppp *sp) 4486 { 4487 4488 KASSERT(SPPP_WLOCKED(sp)); 4489 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4490 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4491 } 4492 4493 static void 4494 sppp_chap_TO(void *cookie) 4495 { 4496 struct sppp *sp = (struct sppp *)cookie; 4497 STDDCL; 4498 int s; 4499 4500 s = splnet(); 4501 4502 SPPP_LOCK(sp, RW_WRITER); 4503 4504 if (debug) 4505 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n", 4506 ifp->if_xname, 4507 sppp_state_name(sp->state[IDX_CHAP]), 4508 sp->rst_counter[IDX_CHAP]); 4509 4510 if (--sp->rst_counter[IDX_CHAP] < 0) 4511 /* TO- event */ 4512 switch (sp->state[IDX_CHAP]) { 4513 case STATE_REQ_SENT: 4514 chap.tld(sp); 4515 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4516 break; 4517 } 4518 else 4519 /* TO+ (or TO*) event */ 4520 switch (sp->state[IDX_CHAP]) { 4521 case STATE_OPENED: 4522 /* TO* event */ 4523 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4524 /* fall through */ 4525 case STATE_REQ_SENT: 4526 chap.scr(sp); 4527 /* sppp_cp_change_state() will restart the timer */ 4528 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4529 break; 4530 } 4531 4532 SPPP_UNLOCK(sp); 4533 splx(s); 4534 } 4535 4536 static void 4537 sppp_chap_tlu(struct sppp *sp) 4538 { 4539 STDDCL; 4540 int i, x; 4541 4542 KASSERT(SPPP_WLOCKED(sp)); 4543 4544 i = 0; 4545 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4546 4547 /* 4548 * Some broken CHAP implementations (Conware CoNet, firmware 4549 * 4.0.?) don't want to re-authenticate their CHAP once the 4550 * initial challenge-response exchange has taken place. 4551 * Provide for an option to avoid rechallenges. 4552 */ 4553 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 4554 /* 4555 * Compute the re-challenge timeout. This will yield 4556 * a number between 300 and 810 seconds. 4557 */ 4558 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7); 4559 4560 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp); 4561 } 4562 4563 if (debug) { 4564 log(LOG_DEBUG, 4565 "%s: chap %s, ", 4566 ifp->if_xname, 4567 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu"); 4568 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) 4569 addlog("next re-challenge in %d seconds\n", i); 4570 else 4571 addlog("re-challenging supressed\n"); 4572 } 4573 4574 x = splnet(); 4575 sp->pp_auth_failures = 0; 4576 /* indicate to LCP that we need to be closed down */ 4577 sp->lcp.protos |= (1 << IDX_CHAP); 4578 4579 if (sp->pp_flags & PP_NEEDAUTH) { 4580 /* 4581 * Remote is authenticator, but his auth proto didn't 4582 * complete yet. Defer the transition to network 4583 * phase. 4584 */ 4585 splx(x); 4586 return; 4587 } 4588 splx(x); 4589 4590 /* 4591 * If we are already in phase network, we are done here. This 4592 * is the case if this is a dummy tlu event after a re-challenge. 4593 */ 4594 if (sp->pp_phase != SPPP_PHASE_NETWORK) 4595 sppp_phase_network(sp); 4596 } 4597 4598 static void 4599 sppp_chap_tld(struct sppp *sp) 4600 { 4601 STDDCL; 4602 4603 KASSERT(SPPP_WLOCKED(sp)); 4604 4605 if (debug) 4606 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname); 4607 callout_stop(&sp->ch[IDX_CHAP]); 4608 sp->lcp.protos &= ~(1 << IDX_CHAP); 4609 4610 lcp.Close(sp); 4611 } 4612 4613 static void 4614 sppp_chap_scr(struct sppp *sp) 4615 { 4616 uint32_t *ch; 4617 u_char clen = 4 * sizeof(uint32_t); 4618 4619 KASSERT(SPPP_WLOCKED(sp)); 4620 4621 if (sp->hisauth.name == NULL) { 4622 /* can't do anything useful */ 4623 printf("%s: chap starting without his name being set\n", 4624 sp->pp_if.if_xname); 4625 return; 4626 } 4627 4628 /* Compute random challenge. */ 4629 ch = (uint32_t *)sp->hisauth.challenge; 4630 cprng_strong(kern_cprng, ch, clen, 0); 4631 4632 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4633 4634 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4635 sizeof clen, (const char *)&clen, 4636 sizeof(sp->hisauth.challenge), sp->hisauth.challenge, 4637 0); 4638 } 4639 4640 /* 4641 *--------------------------------------------------------------------------* 4642 * * 4643 * The PAP implementation. * 4644 * * 4645 *--------------------------------------------------------------------------* 4646 */ 4647 /* 4648 * For PAP, we need to keep a little state also if we are the peer, not the 4649 * authenticator. This is since we don't get a request to authenticate, but 4650 * have to repeatedly authenticate ourself until we got a response (or the 4651 * retry counter is expired). 4652 */ 4653 4654 /* 4655 * Handle incoming PAP packets. */ 4656 static void 4657 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4658 { 4659 STDDCL; 4660 struct lcp_header *h; 4661 int len, x; 4662 u_char mlen; 4663 char *name, *secret; 4664 int name_len, secret_len; 4665 4666 /* 4667 * Malicious input might leave this uninitialized, so 4668 * init to an impossible value. 4669 */ 4670 secret_len = -1; 4671 4672 len = m->m_pkthdr.len; 4673 if (len < 5) { 4674 if (debug) 4675 log(LOG_DEBUG, 4676 "%s: pap invalid packet length: %d bytes\n", 4677 ifp->if_xname, len); 4678 return; 4679 } 4680 h = mtod(m, struct lcp_header *); 4681 if (len > ntohs(h->len)) 4682 len = ntohs(h->len); 4683 4684 SPPP_LOCK(sp, RW_WRITER); 4685 4686 switch (h->type) { 4687 /* PAP request is my authproto */ 4688 case PAP_REQ: 4689 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4690 /* can't do anything useful */ 4691 printf("%s: " 4692 "pap request without his name and his secret being set\n", 4693 ifp->if_xname); 4694 break; 4695 } 4696 name = 1 + (u_char *)(h + 1); 4697 name_len = name[-1]; 4698 secret = name + name_len + 1; 4699 if (name_len > len - 6 || 4700 (secret_len = secret[-1]) > len - 6 - name_len) { 4701 if (debug) { 4702 log(LOG_DEBUG, "%s: pap corrupted input " 4703 "<%s id=0x%x len=%d", 4704 ifp->if_xname, 4705 sppp_auth_type_name(PPP_PAP, h->type), 4706 h->ident, ntohs(h->len)); 4707 if (len > 4) 4708 sppp_print_bytes((u_char *)(h + 1), 4709 len - 4); 4710 addlog(">\n"); 4711 } 4712 break; 4713 } 4714 if (debug) { 4715 log(LOG_DEBUG, "%s: pap input(%s) " 4716 "<%s id=0x%x len=%d name=", 4717 ifp->if_xname, 4718 sppp_state_name(sp->state[IDX_PAP]), 4719 sppp_auth_type_name(PPP_PAP, h->type), 4720 h->ident, ntohs(h->len)); 4721 sppp_print_string((char *)name, name_len); 4722 addlog(" secret="); 4723 sppp_print_string((char *)secret, secret_len); 4724 addlog(">\n"); 4725 } 4726 if (name_len != sp->hisauth.name_len || 4727 secret_len != sp->hisauth.secret_len || 4728 memcmp(name, sp->hisauth.name, name_len) != 0 || 4729 memcmp(secret, sp->hisauth.secret, secret_len) != 0) { 4730 /* action scn, tld */ 4731 sp->pp_auth_failures++; 4732 mlen = sizeof(FAILMSG) - 1; 4733 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4734 sizeof mlen, (const char *)&mlen, 4735 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4736 0); 4737 pap.tld(sp); 4738 break; 4739 } 4740 /* action sca, perhaps tlu */ 4741 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4742 sp->state[IDX_PAP] == STATE_OPENED) { 4743 mlen = sizeof(SUCCMSG) - 1; 4744 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4745 sizeof mlen, (const char *)&mlen, 4746 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4747 0); 4748 } 4749 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4750 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4751 pap.tlu(sp); 4752 } 4753 break; 4754 4755 /* ack and nak are his authproto */ 4756 case PAP_ACK: 4757 callout_stop(&sp->pap_my_to_ch); 4758 if (debug) { 4759 log(LOG_DEBUG, "%s: pap success", 4760 ifp->if_xname); 4761 name = 1 + (u_char *)(h + 1); 4762 name_len = name[-1]; 4763 if (len > 5 && name_len < len+4) { 4764 addlog(": "); 4765 sppp_print_string(name, name_len); 4766 } 4767 addlog("\n"); 4768 } 4769 x = splnet(); 4770 sp->pp_auth_failures = 0; 4771 sp->pp_flags &= ~PP_NEEDAUTH; 4772 if (sp->myauth.proto == PPP_PAP && 4773 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4774 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4775 /* 4776 * We are authenticator for PAP but didn't 4777 * complete yet. Leave it to tlu to proceed 4778 * to network phase. 4779 */ 4780 splx(x); 4781 break; 4782 } 4783 splx(x); 4784 sppp_phase_network(sp); 4785 break; 4786 4787 case PAP_NAK: 4788 callout_stop(&sp->pap_my_to_ch); 4789 sp->pp_auth_failures++; 4790 if (debug) { 4791 log(LOG_INFO, "%s: pap failure", 4792 ifp->if_xname); 4793 name = 1 + (u_char *)(h + 1); 4794 name_len = name[-1]; 4795 if (len > 5 && name_len < len+4) { 4796 addlog(": "); 4797 sppp_print_string(name, name_len); 4798 } 4799 addlog("\n"); 4800 } else 4801 log(LOG_INFO, "%s: pap failure\n", 4802 ifp->if_xname); 4803 /* await LCP shutdown by authenticator */ 4804 break; 4805 4806 default: 4807 /* Unknown PAP packet type -- ignore. */ 4808 if (debug) { 4809 log(LOG_DEBUG, "%s: pap corrupted input " 4810 "<0x%x id=0x%x len=%d", 4811 ifp->if_xname, 4812 h->type, h->ident, ntohs(h->len)); 4813 if (len > 4) 4814 sppp_print_bytes((u_char *)(h + 1), len - 4); 4815 addlog(">\n"); 4816 } 4817 break; 4818 } 4819 4820 SPPP_UNLOCK(sp); 4821 } 4822 4823 static void 4824 sppp_pap_init(struct sppp *sp) 4825 { 4826 4827 KASSERT(SPPP_WLOCKED(sp)); 4828 4829 /* PAP doesn't have STATE_INITIAL at all. */ 4830 sp->state[IDX_PAP] = STATE_CLOSED; 4831 sp->fail_counter[IDX_PAP] = 0; 4832 sp->pp_seq[IDX_PAP] = 0; 4833 sp->pp_rseq[IDX_PAP] = 0; 4834 callout_init(&sp->ch[IDX_PAP], CALLOUT_MPSAFE); 4835 callout_init(&sp->pap_my_to_ch, CALLOUT_MPSAFE); 4836 } 4837 4838 static void 4839 sppp_pap_open(struct sppp *sp) 4840 { 4841 4842 KASSERT(SPPP_WLOCKED(sp)); 4843 4844 if (sp->hisauth.proto == PPP_PAP && 4845 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4846 /* we are authenticator for PAP, start our timer */ 4847 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4848 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4849 } 4850 if (sp->myauth.proto == PPP_PAP) { 4851 /* we are peer, send a request, and start a timer */ 4852 pap.scr(sp); 4853 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout, 4854 sppp_pap_my_TO, sp); 4855 } 4856 } 4857 4858 static void 4859 sppp_pap_close(struct sppp *sp) 4860 { 4861 4862 KASSERT(SPPP_WLOCKED(sp)); 4863 4864 if (sp->state[IDX_PAP] != STATE_CLOSED) 4865 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4866 } 4867 4868 /* 4869 * That's the timeout routine if we are authenticator. Since the 4870 * authenticator is basically passive in PAP, we can't do much here. 4871 */ 4872 static void 4873 sppp_pap_TO(void *cookie) 4874 { 4875 struct sppp *sp = (struct sppp *)cookie; 4876 STDDCL; 4877 int s; 4878 4879 s = splnet(); 4880 SPPP_LOCK(sp, RW_WRITER); 4881 4882 if (debug) 4883 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n", 4884 ifp->if_xname, 4885 sppp_state_name(sp->state[IDX_PAP]), 4886 sp->rst_counter[IDX_PAP]); 4887 4888 if (--sp->rst_counter[IDX_PAP] < 0) 4889 /* TO- event */ 4890 switch (sp->state[IDX_PAP]) { 4891 case STATE_REQ_SENT: 4892 pap.tld(sp); 4893 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4894 break; 4895 } 4896 else 4897 /* TO+ event, not very much we could do */ 4898 switch (sp->state[IDX_PAP]) { 4899 case STATE_REQ_SENT: 4900 /* sppp_cp_change_state() will restart the timer */ 4901 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4902 break; 4903 } 4904 4905 SPPP_UNLOCK(sp); 4906 splx(s); 4907 } 4908 4909 /* 4910 * That's the timeout handler if we are peer. Since the peer is active, 4911 * we need to retransmit our PAP request since it is apparently lost. 4912 * XXX We should impose a max counter. 4913 */ 4914 static void 4915 sppp_pap_my_TO(void *cookie) 4916 { 4917 struct sppp *sp = (struct sppp *)cookie; 4918 STDDCL; 4919 4920 SPPP_LOCK(sp, RW_WRITER); 4921 if (debug) 4922 log(LOG_DEBUG, "%s: pap peer TO\n", 4923 ifp->if_xname); 4924 4925 pap.scr(sp); 4926 4927 SPPP_UNLOCK(sp); 4928 } 4929 4930 static void 4931 sppp_pap_tlu(struct sppp *sp) 4932 { 4933 STDDCL; 4934 int x; 4935 4936 KASSERT(SPPP_WLOCKED(sp)); 4937 4938 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4939 4940 if (debug) 4941 log(LOG_DEBUG, "%s: %s tlu\n", 4942 ifp->if_xname, pap.name); 4943 4944 x = splnet(); 4945 sp->pp_auth_failures = 0; 4946 /* indicate to LCP that we need to be closed down */ 4947 sp->lcp.protos |= (1 << IDX_PAP); 4948 4949 if (sp->pp_flags & PP_NEEDAUTH) { 4950 /* 4951 * Remote is authenticator, but his auth proto didn't 4952 * complete yet. Defer the transition to network 4953 * phase. 4954 */ 4955 splx(x); 4956 return; 4957 } 4958 splx(x); 4959 sppp_phase_network(sp); 4960 } 4961 4962 static void 4963 sppp_pap_tld(struct sppp *sp) 4964 { 4965 STDDCL; 4966 4967 KASSERT(SPPP_WLOCKED(sp)); 4968 4969 if (debug) 4970 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname); 4971 callout_stop(&sp->ch[IDX_PAP]); 4972 callout_stop(&sp->pap_my_to_ch); 4973 sp->lcp.protos &= ~(1 << IDX_PAP); 4974 4975 lcp.Close(sp); 4976 } 4977 4978 static void 4979 sppp_pap_scr(struct sppp *sp) 4980 { 4981 u_char idlen, pwdlen; 4982 4983 KASSERT(SPPP_WLOCKED(sp)); 4984 4985 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4986 /* can't do anything useful */ 4987 printf("%s: pap starting without my name and secret being set\n", 4988 sp->pp_if.if_xname); 4989 return; 4990 } 4991 4992 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4993 pwdlen = sp->myauth.secret_len; 4994 idlen = sp->myauth.name_len; 4995 4996 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 4997 sizeof idlen, (const char *)&idlen, 4998 idlen, sp->myauth.name, 4999 sizeof pwdlen, (const char *)&pwdlen, 5000 pwdlen, sp->myauth.secret, 5001 0); 5002 } 5003 5004 /* 5005 * Random miscellaneous functions. 5006 */ 5007 5008 /* 5009 * Send a PAP or CHAP proto packet. 5010 * 5011 * Varadic function, each of the elements for the ellipsis is of type 5012 * ``size_t mlen, const u_char *msg''. Processing will stop iff 5013 * mlen == 0. 5014 * NOTE: never declare variadic functions with types subject to type 5015 * promotion (i.e. u_char). This is asking for big trouble depending 5016 * on the architecture you are on... 5017 */ 5018 5019 static void 5020 sppp_auth_send(const struct cp *cp, struct sppp *sp, 5021 unsigned int type, unsigned int id, 5022 ...) 5023 { 5024 STDDCL; 5025 struct lcp_header *lh; 5026 struct mbuf *m; 5027 u_char *p; 5028 int len; 5029 size_t pkthdrlen; 5030 unsigned int mlen; 5031 const char *msg; 5032 va_list ap; 5033 5034 KASSERT(SPPP_WLOCKED(sp)); 5035 5036 MGETHDR(m, M_DONTWAIT, MT_DATA); 5037 if (! m) 5038 return; 5039 m_reset_rcvif(m); 5040 5041 if (sp->pp_flags & PP_NOFRAMING) { 5042 *mtod(m, uint16_t *) = htons(cp->proto); 5043 pkthdrlen = 2; 5044 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 5045 } else { 5046 struct ppp_header *h; 5047 h = mtod(m, struct ppp_header *); 5048 h->address = PPP_ALLSTATIONS; /* broadcast address */ 5049 h->control = PPP_UI; /* Unnumbered Info */ 5050 h->protocol = htons(cp->proto); 5051 pkthdrlen = PPP_HEADER_LEN; 5052 5053 lh = (struct lcp_header *)(h + 1); 5054 } 5055 5056 lh->type = type; 5057 lh->ident = id; 5058 p = (u_char *)(lh + 1); 5059 5060 va_start(ap, id); 5061 len = 0; 5062 5063 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 5064 msg = va_arg(ap, const char *); 5065 len += mlen; 5066 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 5067 va_end(ap); 5068 m_freem(m); 5069 return; 5070 } 5071 5072 memcpy(p, msg, mlen); 5073 p += mlen; 5074 } 5075 va_end(ap); 5076 5077 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 5078 lh->len = htons(LCP_HEADER_LEN + len); 5079 5080 if (debug) { 5081 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 5082 ifp->if_xname, cp->name, 5083 sppp_auth_type_name(cp->proto, lh->type), 5084 lh->ident, ntohs(lh->len)); 5085 if (len) 5086 sppp_print_bytes((u_char *)(lh + 1), len); 5087 addlog(">\n"); 5088 } 5089 if (IF_QFULL(&sp->pp_cpq)) { 5090 IF_DROP(&sp->pp_fastq); 5091 IF_DROP(&ifp->if_snd); 5092 m_freem(m); 5093 ++ifp->if_oerrors; 5094 return; 5095 } 5096 5097 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 5098 IF_ENQUEUE(&sp->pp_cpq, m); 5099 5100 if (! (ifp->if_flags & IFF_OACTIVE)) { 5101 SPPP_UNLOCK(sp); 5102 if_start_lock(ifp); 5103 SPPP_LOCK(sp, RW_WRITER); 5104 } 5105 } 5106 5107 /* 5108 * Send keepalive packets, every 10 seconds. 5109 */ 5110 static void 5111 sppp_keepalive(void *dummy) 5112 { 5113 struct sppp *sp; 5114 int s; 5115 time_t now; 5116 5117 SPPPQ_LOCK(); 5118 5119 s = splnet(); 5120 now = time_uptime; 5121 for (sp=spppq; sp; sp=sp->pp_next) { 5122 struct ifnet *ifp = NULL; 5123 5124 SPPP_LOCK(sp, RW_WRITER); 5125 ifp = &sp->pp_if; 5126 5127 /* check idle timeout */ 5128 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 5129 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 5130 /* idle timeout is enabled for this interface */ 5131 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 5132 if (ifp->if_flags & IFF_DEBUG) 5133 printf("%s: no activity for %lu seconds\n", 5134 sp->pp_if.if_xname, 5135 (unsigned long)(now-sp->pp_last_activity)); 5136 lcp.Close(sp); 5137 SPPP_UNLOCK(sp); 5138 continue; 5139 } 5140 } 5141 5142 /* Keepalive mode disabled or channel down? */ 5143 if (! (sp->pp_flags & PP_KEEPALIVE) || 5144 ! (ifp->if_flags & IFF_RUNNING)) { 5145 SPPP_UNLOCK(sp); 5146 continue; 5147 } 5148 5149 5150 /* No keepalive in PPP mode if LCP not opened yet. */ 5151 if (! (sp->pp_flags & PP_CISCO) && 5152 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) { 5153 SPPP_UNLOCK(sp); 5154 continue; 5155 } 5156 5157 /* No echo reply, but maybe user data passed through? */ 5158 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) { 5159 sp->pp_alivecnt = 0; 5160 SPPP_UNLOCK(sp); 5161 continue; 5162 } 5163 5164 if (sp->pp_alivecnt >= sp->pp_maxalive) { 5165 /* No keepalive packets got. Stop the interface. */ 5166 SPPP_UNLOCK(sp); 5167 if_down (ifp); 5168 SPPP_LOCK(sp, RW_WRITER); 5169 5170 IF_PURGE(&sp->pp_cpq); 5171 5172 if (! (sp->pp_flags & PP_CISCO)) { 5173 printf("%s: LCP keepalive timed out, going to restart the connection\n", 5174 ifp->if_xname); 5175 sp->pp_alivecnt = 0; 5176 5177 /* we are down, close all open protocols */ 5178 lcp.Close(sp); 5179 5180 /* And now prepare LCP to reestablish the link, if configured to do so. */ 5181 sppp_cp_change_state(&lcp, sp, STATE_STOPPED); 5182 5183 /* Close connection immediately, completition of this 5184 * will summon the magic needed to reestablish it. */ 5185 sppp_notify_tlf_wlocked(sp); 5186 5187 SPPP_UNLOCK(sp); 5188 continue; 5189 } 5190 } 5191 if (sp->pp_alivecnt < sp->pp_maxalive) 5192 ++sp->pp_alivecnt; 5193 if (sp->pp_flags & PP_CISCO) 5194 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 5195 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 5196 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 5197 int32_t nmagic = htonl(sp->lcp.magic); 5198 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 5199 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 5200 sp->lcp.echoid, 4, &nmagic); 5201 } 5202 5203 SPPP_UNLOCK(sp); 5204 } 5205 splx(s); 5206 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 5207 5208 SPPPQ_UNLOCK(); 5209 } 5210 5211 #ifdef INET 5212 /* 5213 * Get both IP addresses. 5214 */ 5215 static void 5216 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 5217 { 5218 struct ifnet *ifp = &sp->pp_if; 5219 struct ifaddr *ifa; 5220 struct sockaddr_in *si, *sm; 5221 uint32_t ssrc, ddst; 5222 int s; 5223 struct psref psref; 5224 5225 sm = NULL; 5226 ssrc = ddst = 0; 5227 /* 5228 * Pick the first AF_INET address from the list, 5229 * aliases don't make any sense on a p2p link anyway. 5230 */ 5231 si = 0; 5232 s = pserialize_read_enter(); 5233 IFADDR_READER_FOREACH(ifa, ifp) { 5234 if (ifa->ifa_addr->sa_family == AF_INET) { 5235 si = (struct sockaddr_in *)ifa->ifa_addr; 5236 sm = (struct sockaddr_in *)ifa->ifa_netmask; 5237 if (si) { 5238 ifa_acquire(ifa, &psref); 5239 break; 5240 } 5241 } 5242 } 5243 pserialize_read_exit(s); 5244 if (ifa) { 5245 if (si && si->sin_addr.s_addr) { 5246 ssrc = si->sin_addr.s_addr; 5247 if (srcmask) 5248 *srcmask = ntohl(sm->sin_addr.s_addr); 5249 } 5250 5251 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 5252 if (si && si->sin_addr.s_addr) 5253 ddst = si->sin_addr.s_addr; 5254 ifa_release(ifa, &psref); 5255 } 5256 5257 if (dst) *dst = ntohl(ddst); 5258 if (src) *src = ntohl(ssrc); 5259 } 5260 5261 /* 5262 * Set IP addresses. Must be called at splnet. 5263 * If an address is 0, leave it the way it is. 5264 */ 5265 static void 5266 sppp_set_ip_addrs_work(struct work *wk, struct sppp *sp) 5267 { 5268 STDDCL; 5269 struct ifaddr *ifa; 5270 struct sockaddr_in *si, *dest; 5271 uint32_t myaddr = 0, hisaddr = 0; 5272 int s; 5273 5274 /* 5275 * Pick the first AF_INET address from the list, 5276 * aliases don't make any sense on a p2p link anyway. 5277 */ 5278 si = dest = NULL; 5279 s = pserialize_read_enter(); 5280 IFADDR_READER_FOREACH(ifa, ifp) { 5281 if (ifa->ifa_addr->sa_family == AF_INET) { 5282 si = (struct sockaddr_in *)ifa->ifa_addr; 5283 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5284 break; 5285 } 5286 } 5287 pserialize_read_exit(s); 5288 5289 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 5290 myaddr = sp->ipcp.req_myaddr; 5291 else if (si != NULL) 5292 myaddr = ntohl(si->sin_addr.s_addr); 5293 5294 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 5295 hisaddr = sp->ipcp.req_hisaddr; 5296 else if (dest != NULL) 5297 hisaddr = ntohl(dest->sin_addr.s_addr); 5298 5299 if (si != NULL && dest != NULL) { 5300 int error; 5301 struct sockaddr_in new_sin = *si; 5302 struct sockaddr_in new_dst = *dest; 5303 5304 if (myaddr != 0) 5305 new_sin.sin_addr.s_addr = htonl(myaddr); 5306 if (hisaddr != 0) { 5307 new_dst.sin_addr.s_addr = htonl(hisaddr); 5308 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) 5309 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 5310 } 5311 5312 in_addrhash_remove(ifatoia(ifa)); 5313 5314 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5315 5316 in_addrhash_insert(ifatoia(ifa)); 5317 5318 if (debug && error) 5319 { 5320 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5321 ifp->if_xname, __func__, error); 5322 } 5323 if (!error) { 5324 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5325 } 5326 } 5327 5328 if (ifp->if_mtu > sp->lcp.their_mru) { 5329 sp->pp_saved_mtu = ifp->if_mtu; 5330 ifp->if_mtu = sp->lcp.their_mru; 5331 if (debug) 5332 log(LOG_DEBUG, 5333 "%s: setting MTU to %" PRIu64 " bytes\n", 5334 ifp->if_xname, ifp->if_mtu); 5335 } 5336 5337 sppp_notify_con(sp); 5338 } 5339 5340 static void 5341 sppp_set_ip_addrs(struct sppp *sp) 5342 { 5343 struct ifnet *ifp = &sp->pp_if; 5344 5345 if (!pcq_put(sp->ipcp.update_addrs_q, (void *)IPCP_SET_ADDRS)) { 5346 log(LOG_WARNING, "%s: cannot enqueued, ignore sppp_clear_ip_addrs\n", 5347 ifp->if_xname); 5348 return; 5349 } 5350 5351 if (atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1) == 1) 5352 return; 5353 5354 workqueue_enqueue(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk, NULL); 5355 } 5356 5357 /* 5358 * Clear IP addresses. Must be called at splnet. 5359 */ 5360 static void 5361 sppp_clear_ip_addrs_work(struct work *wk, struct sppp *sp) 5362 { 5363 STDDCL; 5364 struct ifaddr *ifa; 5365 struct sockaddr_in *si, *dest; 5366 int s; 5367 5368 /* 5369 * Pick the first AF_INET address from the list, 5370 * aliases don't make any sense on a p2p link anyway. 5371 */ 5372 si = dest = NULL; 5373 s = pserialize_read_enter(); 5374 IFADDR_READER_FOREACH(ifa, ifp) { 5375 if (ifa->ifa_addr->sa_family == AF_INET) { 5376 si = (struct sockaddr_in *)ifa->ifa_addr; 5377 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5378 break; 5379 } 5380 } 5381 pserialize_read_exit(s); 5382 5383 if (si != NULL) { 5384 struct sockaddr_in new_sin = *si; 5385 struct sockaddr_in new_dst = *dest; 5386 int error; 5387 5388 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 5389 new_sin.sin_addr.s_addr = 0; 5390 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 5391 new_dst.sin_addr.s_addr = sp->ipcp.saved_hisaddr; 5392 5393 in_addrhash_remove(ifatoia(ifa)); 5394 5395 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5396 5397 in_addrhash_insert(ifatoia(ifa)); 5398 5399 if (debug && error) 5400 { 5401 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5402 ifp->if_xname, __func__, error); 5403 } 5404 if (!error) { 5405 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5406 } 5407 } 5408 5409 if (sp->pp_saved_mtu > 0) { 5410 ifp->if_mtu = sp->pp_saved_mtu; 5411 sp->pp_saved_mtu = 0; 5412 if (debug) 5413 log(LOG_DEBUG, 5414 "%s: resetting MTU to %" PRIu64 " bytes\n", 5415 ifp->if_xname, ifp->if_mtu); 5416 } 5417 } 5418 5419 static void 5420 sppp_clear_ip_addrs(struct sppp *sp) 5421 { 5422 struct ifnet *ifp = &sp->pp_if; 5423 5424 if (!pcq_put(sp->ipcp.update_addrs_q, (void *)IPCP_CLEAR_ADDRS)) { 5425 log(LOG_WARNING, "%s: cannot enqueued, ignore sppp_clear_ip_addrs\n", 5426 ifp->if_xname); 5427 return; 5428 } 5429 5430 if (atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1) == 1) 5431 return; 5432 5433 workqueue_enqueue(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk, NULL); 5434 } 5435 5436 static void 5437 sppp_update_ip_addrs_work(struct work *wk, void *arg) 5438 { 5439 struct sppp *sp = arg; 5440 void *work; 5441 5442 atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 0); 5443 5444 while ((work = pcq_get(sp->ipcp.update_addrs_q)) != NULL) { 5445 int update = (intptr_t)work; 5446 5447 if (update == IPCP_SET_ADDRS) 5448 sppp_set_ip_addrs_work(wk, sp); 5449 else if (update == IPCP_CLEAR_ADDRS) 5450 sppp_clear_ip_addrs_work(wk, sp); 5451 } 5452 } 5453 #endif 5454 5455 #ifdef INET6 5456 /* 5457 * Get both IPv6 addresses. 5458 */ 5459 static void 5460 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 5461 struct in6_addr *srcmask) 5462 { 5463 struct ifnet *ifp = &sp->pp_if; 5464 struct ifaddr *ifa; 5465 struct sockaddr_in6 *si, *sm; 5466 struct in6_addr ssrc, ddst; 5467 int s; 5468 struct psref psref; 5469 5470 sm = NULL; 5471 memset(&ssrc, 0, sizeof(ssrc)); 5472 memset(&ddst, 0, sizeof(ddst)); 5473 /* 5474 * Pick the first link-local AF_INET6 address from the list, 5475 * aliases don't make any sense on a p2p link anyway. 5476 */ 5477 si = 0; 5478 s = pserialize_read_enter(); 5479 IFADDR_READER_FOREACH(ifa, ifp) { 5480 if (ifa->ifa_addr->sa_family == AF_INET6) { 5481 si = (struct sockaddr_in6 *)ifa->ifa_addr; 5482 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 5483 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) { 5484 ifa_acquire(ifa, &psref); 5485 break; 5486 } 5487 } 5488 } 5489 pserialize_read_exit(s); 5490 5491 if (ifa) { 5492 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 5493 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 5494 if (srcmask) { 5495 memcpy(srcmask, &sm->sin6_addr, 5496 sizeof(*srcmask)); 5497 } 5498 } 5499 5500 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 5501 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 5502 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 5503 ifa_release(ifa, &psref); 5504 } 5505 5506 if (dst) 5507 memcpy(dst, &ddst, sizeof(*dst)); 5508 if (src) 5509 memcpy(src, &ssrc, sizeof(*src)); 5510 } 5511 5512 #ifdef IPV6CP_MYIFID_DYN 5513 /* 5514 * Generate random ifid. 5515 */ 5516 static void 5517 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5518 { 5519 /* TBD */ 5520 } 5521 5522 /* 5523 * Set my IPv6 address. Must be called at splnet. 5524 */ 5525 static void 5526 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5527 { 5528 STDDCL; 5529 struct ifaddr *ifa; 5530 struct sockaddr_in6 *sin6; 5531 int s; 5532 struct psref psref; 5533 5534 /* 5535 * Pick the first link-local AF_INET6 address from the list, 5536 * aliases don't make any sense on a p2p link anyway. 5537 */ 5538 5539 sin6 = NULL; 5540 s = pserialize_read_enter(); 5541 IFADDR_READER_FOREACH(ifa, ifp) 5542 { 5543 if (ifa->ifa_addr->sa_family == AF_INET6) 5544 { 5545 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5546 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) { 5547 ifa_acquire(ifa, &psref); 5548 break; 5549 } 5550 } 5551 } 5552 pserialize_read_exit(s); 5553 5554 if (ifa && sin6) 5555 { 5556 int error; 5557 struct sockaddr_in6 new_sin6 = *sin6; 5558 5559 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 5560 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5561 if (debug && error) 5562 { 5563 log(LOG_DEBUG, "%s: %s: in6_ifinit failed, error=%d\n", 5564 ifp->if_xname, __func__, error); 5565 } 5566 if (!error) { 5567 pfil_run_addrhooks(if_pfil, SIOCAIFADDR_IN6, ifa); 5568 } 5569 ifa_release(ifa, &psref); 5570 } 5571 } 5572 #endif 5573 5574 /* 5575 * Suggest a candidate address to be used by peer. 5576 */ 5577 static void 5578 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5579 { 5580 struct in6_addr myaddr; 5581 struct timeval tv; 5582 5583 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5584 5585 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5586 microtime(&tv); 5587 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5588 myaddr.s6_addr[14] ^= 0xff; 5589 myaddr.s6_addr[15] ^= 0xff; 5590 } else { 5591 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5592 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5593 } 5594 if (suggest) 5595 memcpy(suggest, &myaddr, sizeof(myaddr)); 5596 } 5597 #endif /*INET6*/ 5598 5599 /* 5600 * Process ioctl requests specific to the PPP interface. 5601 * Permissions have already been checked. 5602 */ 5603 static int 5604 sppp_params(struct sppp *sp, u_long cmd, void *data) 5605 { 5606 switch (cmd) { 5607 case SPPPGETAUTHCFG: 5608 { 5609 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5610 int error; 5611 size_t len; 5612 5613 SPPP_LOCK(sp, RW_READER); 5614 5615 cfg->myauthflags = sp->myauth.flags; 5616 cfg->hisauthflags = sp->hisauth.flags; 5617 strlcpy(cfg->ifname, sp->pp_if.if_xname, sizeof(cfg->ifname)); 5618 cfg->hisauth = 0; 5619 if (sp->hisauth.proto) 5620 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5621 cfg->myauth = 0; 5622 if (sp->myauth.proto) 5623 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5624 if (cfg->myname_length == 0) { 5625 if (sp->myauth.name != NULL) 5626 cfg->myname_length = sp->myauth.name_len + 1; 5627 } else { 5628 if (sp->myauth.name == NULL) { 5629 cfg->myname_length = 0; 5630 } else { 5631 len = sp->myauth.name_len + 1; 5632 5633 5634 if (cfg->myname_length < len) { 5635 SPPP_UNLOCK(sp); 5636 return (ENAMETOOLONG); 5637 } 5638 error = copyout(sp->myauth.name, cfg->myname, len); 5639 if (error) { 5640 SPPP_UNLOCK(sp); 5641 return error; 5642 } 5643 } 5644 } 5645 if (cfg->hisname_length == 0) { 5646 if (sp->hisauth.name != NULL) 5647 cfg->hisname_length = sp->hisauth.name_len + 1; 5648 } else { 5649 if (sp->hisauth.name == NULL) { 5650 cfg->hisname_length = 0; 5651 } else { 5652 len = sp->hisauth.name_len + 1; 5653 5654 if (cfg->hisname_length < len) { 5655 SPPP_UNLOCK(sp); 5656 return (ENAMETOOLONG); 5657 } 5658 error = copyout(sp->hisauth.name, cfg->hisname, len); 5659 if (error) { 5660 SPPP_UNLOCK(sp); 5661 return error; 5662 } 5663 } 5664 } 5665 SPPP_UNLOCK(sp); 5666 } 5667 break; 5668 case SPPPSETAUTHCFG: 5669 { 5670 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5671 int error; 5672 5673 SPPP_LOCK(sp, RW_WRITER); 5674 5675 if (sp->myauth.name) { 5676 free(sp->myauth.name, M_DEVBUF); 5677 sp->myauth.name = NULL; 5678 } 5679 if (sp->myauth.secret) { 5680 free(sp->myauth.secret, M_DEVBUF); 5681 sp->myauth.secret = NULL; 5682 } 5683 if (sp->hisauth.name) { 5684 free(sp->hisauth.name, M_DEVBUF); 5685 sp->hisauth.name = NULL; 5686 } 5687 if (sp->hisauth.secret) { 5688 free(sp->hisauth.secret, M_DEVBUF); 5689 sp->hisauth.secret = NULL; 5690 } 5691 5692 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 5693 if (cfg->hisname_length >= MCLBYTES) { 5694 SPPP_UNLOCK(sp); 5695 return (ENAMETOOLONG); 5696 } 5697 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 5698 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 5699 if (error) { 5700 free(sp->hisauth.name, M_DEVBUF); 5701 sp->hisauth.name = NULL; 5702 SPPP_UNLOCK(sp); 5703 return error; 5704 } 5705 sp->hisauth.name_len = cfg->hisname_length - 1; 5706 sp->hisauth.name[sp->hisauth.name_len] = 0; 5707 } 5708 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 5709 if (cfg->hissecret_length >= MCLBYTES) { 5710 SPPP_UNLOCK(sp); 5711 return (ENAMETOOLONG); 5712 } 5713 sp->hisauth.secret = malloc(cfg->hissecret_length, 5714 M_DEVBUF, M_WAITOK); 5715 error = copyin(cfg->hissecret, sp->hisauth.secret, 5716 cfg->hissecret_length); 5717 if (error) { 5718 free(sp->hisauth.secret, M_DEVBUF); 5719 sp->hisauth.secret = NULL; 5720 SPPP_UNLOCK(sp); 5721 return error; 5722 } 5723 sp->hisauth.secret_len = cfg->hissecret_length - 1; 5724 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 5725 } 5726 if (cfg->myname != NULL && cfg->myname_length > 0) { 5727 if (cfg->myname_length >= MCLBYTES) { 5728 SPPP_UNLOCK(sp); 5729 return (ENAMETOOLONG); 5730 } 5731 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 5732 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 5733 if (error) { 5734 free(sp->myauth.name, M_DEVBUF); 5735 sp->myauth.name = NULL; 5736 SPPP_UNLOCK(sp); 5737 return error; 5738 } 5739 sp->myauth.name_len = cfg->myname_length - 1; 5740 sp->myauth.name[sp->myauth.name_len] = 0; 5741 } 5742 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 5743 if (cfg->mysecret_length >= MCLBYTES) { 5744 SPPP_UNLOCK(sp); 5745 return (ENAMETOOLONG); 5746 } 5747 sp->myauth.secret = malloc(cfg->mysecret_length, 5748 M_DEVBUF, M_WAITOK); 5749 error = copyin(cfg->mysecret, sp->myauth.secret, 5750 cfg->mysecret_length); 5751 if (error) { 5752 free(sp->myauth.secret, M_DEVBUF); 5753 sp->myauth.secret = NULL; 5754 SPPP_UNLOCK(sp); 5755 return error; 5756 } 5757 sp->myauth.secret_len = cfg->mysecret_length - 1; 5758 sp->myauth.secret[sp->myauth.secret_len] = 0; 5759 } 5760 sp->myauth.flags = cfg->myauthflags; 5761 if (cfg->myauth) 5762 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5763 sp->hisauth.flags = cfg->hisauthflags; 5764 if (cfg->hisauth) 5765 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5766 sp->pp_auth_failures = 0; 5767 if (sp->hisauth.proto != 0) 5768 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 5769 else 5770 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 5771 5772 SPPP_UNLOCK(sp); 5773 } 5774 break; 5775 case SPPPGETLCPCFG: 5776 { 5777 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5778 5779 SPPP_LOCK(sp, RW_READER); 5780 lcpp->lcp_timeout = sp->lcp.timeout; 5781 SPPP_UNLOCK(sp); 5782 } 5783 break; 5784 case SPPPSETLCPCFG: 5785 { 5786 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5787 5788 SPPP_LOCK(sp, RW_WRITER); 5789 sp->lcp.timeout = lcpp->lcp_timeout; 5790 SPPP_UNLOCK(sp); 5791 } 5792 break; 5793 case SPPPGETSTATUS: 5794 { 5795 struct spppstatus *status = (struct spppstatus *)data; 5796 5797 SPPP_LOCK(sp, RW_READER); 5798 status->phase = sp->pp_phase; 5799 SPPP_UNLOCK(sp); 5800 } 5801 break; 5802 case SPPPGETSTATUSNCP: 5803 { 5804 struct spppstatusncp *status = (struct spppstatusncp *)data; 5805 5806 SPPP_LOCK(sp, RW_READER); 5807 status->phase = sp->pp_phase; 5808 status->ncpup = sppp_ncp_check(sp); 5809 SPPP_UNLOCK(sp); 5810 } 5811 break; 5812 case SPPPGETIDLETO: 5813 { 5814 struct spppidletimeout *to = (struct spppidletimeout *)data; 5815 5816 SPPP_LOCK(sp, RW_READER); 5817 to->idle_seconds = sp->pp_idle_timeout; 5818 SPPP_UNLOCK(sp); 5819 } 5820 break; 5821 case SPPPSETIDLETO: 5822 { 5823 struct spppidletimeout *to = (struct spppidletimeout *)data; 5824 5825 SPPP_LOCK(sp, RW_WRITER); 5826 sp->pp_idle_timeout = to->idle_seconds; 5827 SPPP_UNLOCK(sp); 5828 } 5829 break; 5830 case SPPPSETAUTHFAILURE: 5831 { 5832 struct spppauthfailuresettings *afsettings = 5833 (struct spppauthfailuresettings *)data; 5834 5835 SPPP_LOCK(sp, RW_WRITER); 5836 sp->pp_max_auth_fail = afsettings->max_failures; 5837 sp->pp_auth_failures = 0; 5838 SPPP_UNLOCK(sp); 5839 } 5840 break; 5841 case SPPPGETAUTHFAILURES: 5842 { 5843 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 5844 5845 SPPP_LOCK(sp, RW_READER); 5846 stats->auth_failures = sp->pp_auth_failures; 5847 stats->max_failures = sp->pp_max_auth_fail; 5848 SPPP_UNLOCK(sp); 5849 } 5850 break; 5851 case SPPPSETDNSOPTS: 5852 { 5853 struct spppdnssettings *req = (struct spppdnssettings *)data; 5854 5855 SPPP_LOCK(sp, RW_WRITER); 5856 sp->query_dns = req->query_dns & 3; 5857 SPPP_UNLOCK(sp); 5858 } 5859 break; 5860 case SPPPGETDNSOPTS: 5861 { 5862 struct spppdnssettings *req = (struct spppdnssettings *)data; 5863 5864 SPPP_LOCK(sp, RW_READER); 5865 req->query_dns = sp->query_dns; 5866 SPPP_UNLOCK(sp); 5867 } 5868 break; 5869 case SPPPGETDNSADDRS: 5870 { 5871 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 5872 5873 SPPP_LOCK(sp, RW_READER); 5874 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 5875 SPPP_UNLOCK(sp); 5876 } 5877 break; 5878 case SPPPGETKEEPALIVE: 5879 { 5880 struct spppkeepalivesettings *settings = 5881 (struct spppkeepalivesettings*)data; 5882 5883 SPPP_LOCK(sp, RW_READER); 5884 settings->maxalive = sp->pp_maxalive; 5885 settings->max_noreceive = sp->pp_max_noreceive; 5886 SPPP_UNLOCK(sp); 5887 } 5888 break; 5889 case SPPPSETKEEPALIVE: 5890 { 5891 struct spppkeepalivesettings *settings = 5892 (struct spppkeepalivesettings*)data; 5893 5894 SPPP_LOCK(sp, RW_WRITER); 5895 sp->pp_maxalive = settings->maxalive; 5896 sp->pp_max_noreceive = settings->max_noreceive; 5897 SPPP_UNLOCK(sp); 5898 } 5899 break; 5900 #if defined(COMPAT_50) || defined(MODULAR) 5901 case __SPPPGETIDLETO50: 5902 { 5903 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5904 5905 SPPP_LOCK(sp, RW_READER); 5906 to->idle_seconds = (uint32_t)sp->pp_idle_timeout; 5907 SPPP_UNLOCK(sp); 5908 } 5909 break; 5910 case __SPPPSETIDLETO50: 5911 { 5912 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5913 5914 SPPP_LOCK(sp, RW_WRITER); 5915 sp->pp_idle_timeout = (time_t)to->idle_seconds; 5916 SPPP_UNLOCK(sp); 5917 } 5918 break; 5919 case __SPPPGETKEEPALIVE50: 5920 { 5921 struct spppkeepalivesettings50 *settings = 5922 (struct spppkeepalivesettings50*)data; 5923 5924 SPPP_LOCK(sp, RW_READER); 5925 settings->maxalive = sp->pp_maxalive; 5926 settings->max_noreceive = (uint32_t)sp->pp_max_noreceive; 5927 SPPP_UNLOCK(sp); 5928 } 5929 break; 5930 case __SPPPSETKEEPALIVE50: 5931 { 5932 struct spppkeepalivesettings50 *settings = 5933 (struct spppkeepalivesettings50*)data; 5934 5935 SPPP_LOCK(sp, RW_WRITER); 5936 sp->pp_maxalive = settings->maxalive; 5937 sp->pp_max_noreceive = (time_t)settings->max_noreceive; 5938 SPPP_UNLOCK(sp); 5939 } 5940 break; 5941 #endif /* COMPAT_50 || MODULAR */ 5942 default: 5943 return (EINVAL); 5944 } 5945 5946 return (0); 5947 } 5948 5949 static void 5950 sppp_phase_network(struct sppp *sp) 5951 { 5952 int i; 5953 uint32_t mask; 5954 5955 KASSERT(SPPP_WLOCKED(sp)); 5956 5957 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 5958 5959 /* Notify NCPs now. */ 5960 for (i = 0; i < IDX_COUNT; i++) 5961 if ((cps[i])->flags & CP_NCP) 5962 (cps[i])->Open(sp); 5963 5964 /* Send Up events to all NCPs. */ 5965 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5966 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) { 5967 (cps[i])->Up(sp); 5968 } 5969 5970 /* if no NCP is starting, all this was in vain, close down */ 5971 sppp_lcp_check_and_close(sp); 5972 } 5973 5974 5975 static const char * 5976 sppp_cp_type_name(u_char type) 5977 { 5978 static char buf[12]; 5979 switch (type) { 5980 case CONF_REQ: return "conf-req"; 5981 case CONF_ACK: return "conf-ack"; 5982 case CONF_NAK: return "conf-nak"; 5983 case CONF_REJ: return "conf-rej"; 5984 case TERM_REQ: return "term-req"; 5985 case TERM_ACK: return "term-ack"; 5986 case CODE_REJ: return "code-rej"; 5987 case PROTO_REJ: return "proto-rej"; 5988 case ECHO_REQ: return "echo-req"; 5989 case ECHO_REPLY: return "echo-reply"; 5990 case DISC_REQ: return "discard-req"; 5991 } 5992 snprintf(buf, sizeof(buf), "0x%x", type); 5993 return buf; 5994 } 5995 5996 static const char * 5997 sppp_auth_type_name(u_short proto, u_char type) 5998 { 5999 static char buf[32]; 6000 const char *name; 6001 6002 switch (proto) { 6003 case PPP_CHAP: 6004 switch (type) { 6005 case CHAP_CHALLENGE: return "challenge"; 6006 case CHAP_RESPONSE: return "response"; 6007 case CHAP_SUCCESS: return "success"; 6008 case CHAP_FAILURE: return "failure"; 6009 default: name = "chap"; break; 6010 } 6011 break; 6012 6013 case PPP_PAP: 6014 switch (type) { 6015 case PAP_REQ: return "req"; 6016 case PAP_ACK: return "ack"; 6017 case PAP_NAK: return "nak"; 6018 default: name = "pap"; break; 6019 } 6020 break; 6021 6022 default: 6023 name = "bad"; 6024 break; 6025 } 6026 6027 snprintf(buf, sizeof(buf), "%s(%#x) %#x", name, proto, type); 6028 return buf; 6029 } 6030 6031 static const char * 6032 sppp_lcp_opt_name(u_char opt) 6033 { 6034 static char buf[12]; 6035 switch (opt) { 6036 case LCP_OPT_MRU: return "mru"; 6037 case LCP_OPT_ASYNC_MAP: return "async-map"; 6038 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 6039 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 6040 case LCP_OPT_MAGIC: return "magic"; 6041 case LCP_OPT_PROTO_COMP: return "proto-comp"; 6042 case LCP_OPT_ADDR_COMP: return "addr-comp"; 6043 } 6044 snprintf(buf, sizeof(buf), "0x%x", opt); 6045 return buf; 6046 } 6047 6048 static const char * 6049 sppp_ipcp_opt_name(u_char opt) 6050 { 6051 static char buf[12]; 6052 switch (opt) { 6053 case IPCP_OPT_ADDRESSES: return "addresses"; 6054 case IPCP_OPT_COMPRESSION: return "compression"; 6055 case IPCP_OPT_ADDRESS: return "address"; 6056 } 6057 snprintf(buf, sizeof(buf), "0x%x", opt); 6058 return buf; 6059 } 6060 6061 #ifdef INET6 6062 static const char * 6063 sppp_ipv6cp_opt_name(u_char opt) 6064 { 6065 static char buf[12]; 6066 switch (opt) { 6067 case IPV6CP_OPT_IFID: return "ifid"; 6068 case IPV6CP_OPT_COMPRESSION: return "compression"; 6069 } 6070 snprintf(buf, sizeof(buf), "0x%x", opt); 6071 return buf; 6072 } 6073 #endif 6074 6075 static const char * 6076 sppp_state_name(int state) 6077 { 6078 switch (state) { 6079 case STATE_INITIAL: return "initial"; 6080 case STATE_STARTING: return "starting"; 6081 case STATE_CLOSED: return "closed"; 6082 case STATE_STOPPED: return "stopped"; 6083 case STATE_CLOSING: return "closing"; 6084 case STATE_STOPPING: return "stopping"; 6085 case STATE_REQ_SENT: return "req-sent"; 6086 case STATE_ACK_RCVD: return "ack-rcvd"; 6087 case STATE_ACK_SENT: return "ack-sent"; 6088 case STATE_OPENED: return "opened"; 6089 } 6090 return "illegal"; 6091 } 6092 6093 static const char * 6094 sppp_phase_name(int phase) 6095 { 6096 switch (phase) { 6097 case SPPP_PHASE_DEAD: return "dead"; 6098 case SPPP_PHASE_ESTABLISH: return "establish"; 6099 case SPPP_PHASE_TERMINATE: return "terminate"; 6100 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 6101 case SPPP_PHASE_NETWORK: return "network"; 6102 } 6103 return "illegal"; 6104 } 6105 6106 static const char * 6107 sppp_proto_name(u_short proto) 6108 { 6109 static char buf[12]; 6110 switch (proto) { 6111 case PPP_LCP: return "lcp"; 6112 case PPP_IPCP: return "ipcp"; 6113 case PPP_PAP: return "pap"; 6114 case PPP_CHAP: return "chap"; 6115 case PPP_IPV6CP: return "ipv6cp"; 6116 } 6117 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto); 6118 return buf; 6119 } 6120 6121 static void 6122 sppp_print_bytes(const u_char *p, u_short len) 6123 { 6124 addlog(" %02x", *p++); 6125 while (--len > 0) 6126 addlog("-%02x", *p++); 6127 } 6128 6129 static void 6130 sppp_print_string(const char *p, u_short len) 6131 { 6132 u_char c; 6133 6134 while (len-- > 0) { 6135 c = *p++; 6136 /* 6137 * Print only ASCII chars directly. RFC 1994 recommends 6138 * using only them, but we don't rely on it. */ 6139 if (c < ' ' || c > '~') 6140 addlog("\\x%x", c); 6141 else 6142 addlog("%c", c); 6143 } 6144 } 6145 6146 static const char * 6147 sppp_dotted_quad(uint32_t addr) 6148 { 6149 static char s[16]; 6150 snprintf(s, sizeof(s), "%d.%d.%d.%d", 6151 (int)((addr >> 24) & 0xff), 6152 (int)((addr >> 16) & 0xff), 6153 (int)((addr >> 8) & 0xff), 6154 (int)(addr & 0xff)); 6155 return s; 6156 } 6157 6158 /* a dummy, used to drop uninteresting events */ 6159 static void 6160 sppp_null(struct sppp *unused) 6161 { 6162 /* do just nothing */ 6163 } 6164 /* 6165 * This file is large. Tell emacs to highlight it nevertheless. 6166 * 6167 * Local Variables: 6168 * hilit-auto-highlight-maxout: 120000 6169 * End: 6170 */ 6171 6172 /* 6173 * Module glue 6174 */ 6175 MODULE(MODULE_CLASS_MISC, sppp_subr, NULL); 6176 6177 static int 6178 sppp_subr_modcmd(modcmd_t cmd, void *arg) 6179 { 6180 switch (cmd) { 6181 case MODULE_CMD_INIT: 6182 case MODULE_CMD_FINI: 6183 return 0; 6184 case MODULE_CMD_STAT: 6185 case MODULE_CMD_AUTOUNLOAD: 6186 default: 6187 return ENOTTY; 6188 } 6189 } 6190 6191 static void 6192 sppp_notify_up(struct sppp *sp) 6193 { 6194 6195 SPPP_LOCK(sp, RW_WRITER); 6196 lcp.Up(sp); 6197 SPPP_UNLOCK(sp); 6198 } 6199 6200 static void 6201 sppp_notify_down(struct sppp *sp) 6202 { 6203 6204 SPPP_LOCK(sp, RW_WRITER); 6205 lcp.Down(sp); 6206 SPPP_UNLOCK(sp); 6207 } 6208 6209 static void 6210 sppp_notify_tls_wlocked(struct sppp *sp) 6211 { 6212 6213 KASSERT(SPPP_WLOCKED(sp)); 6214 6215 if (!sp->pp_tls) 6216 return; 6217 6218 SPPP_UNLOCK(sp); 6219 sp->pp_tls(sp); 6220 SPPP_LOCK(sp, RW_WRITER); 6221 } 6222 6223 static void 6224 sppp_notify_tlf_wlocked(struct sppp *sp) 6225 { 6226 6227 KASSERT(SPPP_WLOCKED(sp)); 6228 6229 if (!sp->pp_tlf) 6230 return; 6231 6232 SPPP_UNLOCK(sp); 6233 sp->pp_tlf(sp); 6234 SPPP_LOCK(sp, RW_WRITER); 6235 } 6236 6237 static void 6238 sppp_notify_con(struct sppp *sp) 6239 { 6240 6241 if (!sp->pp_con) 6242 return; 6243 6244 sp->pp_con(sp); 6245 } 6246 6247 #ifdef INET6 6248 static void 6249 sppp_notify_con_wlocked(struct sppp *sp) 6250 { 6251 6252 KASSERT(SPPP_WLOCKED(sp)); 6253 6254 SPPP_UNLOCK(sp); 6255 sppp_notify_con(sp); 6256 SPPP_LOCK(sp, RW_WRITER); 6257 6258 } 6259 #endif 6260 6261 static void 6262 sppp_notify_chg_wlocked(struct sppp *sp) 6263 { 6264 6265 KASSERT(SPPP_WLOCKED(sp)); 6266 6267 if (!sp->pp_chg) 6268 return; 6269 6270 SPPP_UNLOCK(sp); 6271 sp->pp_chg(sp, sp->pp_phase); 6272 SPPP_LOCK(sp, RW_WRITER); 6273 } 6274