1 /* $NetBSD: if_spppsubr.c,v 1.246 2021/05/19 02:14:19 yamaguchi Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak@cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun@iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.246 2021/05/19 02:14:19 yamaguchi Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_modular.h" 49 #include "opt_compat_netbsd.h" 50 #include "opt_net_mpsafe.h" 51 #include "opt_sppp.h" 52 #endif 53 54 #include <sys/param.h> 55 #include <sys/proc.h> 56 #include <sys/systm.h> 57 #include <sys/kernel.h> 58 #include <sys/sockio.h> 59 #include <sys/socket.h> 60 #include <sys/syslog.h> 61 #include <sys/malloc.h> 62 #include <sys/mbuf.h> 63 #include <sys/callout.h> 64 #include <sys/md5.h> 65 #include <sys/inttypes.h> 66 #include <sys/kauth.h> 67 #include <sys/cprng.h> 68 #include <sys/module.h> 69 #include <sys/workqueue.h> 70 #include <sys/atomic.h> 71 #include <sys/compat_stub.h> 72 #include <sys/cpu.h> 73 74 #include <net/if.h> 75 #include <net/netisr.h> 76 #include <net/if_types.h> 77 #include <net/route.h> 78 #include <net/ppp_defs.h> 79 80 #include <netinet/in.h> 81 #include <netinet/in_systm.h> 82 #include <netinet/in_var.h> 83 #ifdef INET 84 #include <netinet/ip.h> 85 #include <netinet/tcp.h> 86 #endif 87 #include <net/ethertypes.h> 88 89 #ifdef INET6 90 #include <netinet6/scope6_var.h> 91 #endif 92 93 #include <net/if_sppp.h> 94 #include <net/if_spppvar.h> 95 96 #ifdef NET_MPSAFE 97 #define SPPPSUBR_MPSAFE 1 98 #endif 99 100 #define DEFAULT_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 101 #define DEFAULT_ALIVE_INTERVAL 1 /* count of sppp_keepalive */ 102 #define LOOPALIVECNT 3 /* loopback detection tries */ 103 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 104 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 105 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 106 107 #ifndef SPPP_KEEPALIVE_INTERVAL 108 #define SPPP_KEEPALIVE_INTERVAL DEFAULT_KEEPALIVE_INTERVAL 109 #endif 110 111 #ifndef SPPP_NORECV_TIME 112 #define SPPP_NORECV_TIME DEFAULT_NORECV_TIME 113 #endif 114 115 #ifndef SPPP_ALIVE_INTERVAL 116 #define SPPP_ALIVE_INTERVAL DEFAULT_ALIVE_INTERVAL 117 #endif 118 119 #define SPPP_CPTYPE_NAMELEN 5 /* buf size of cp type name */ 120 #define SPPP_AUTHTYPE_NAMELEN 32 /* buf size of auth type name */ 121 #define SPPP_LCPOPT_NAMELEN 5 /* buf size of lcp option name */ 122 #define SPPP_IPCPOPT_NAMELEN 5 /* buf size of ipcp option name */ 123 #define SPPP_IPV6CPOPT_NAMELEN 5 /* buf size of ipv6cp option name */ 124 #define SPPP_PROTO_NAMELEN 7 /* buf size of protocol name */ 125 #define SPPP_DOTQUAD_BUFLEN 16 /* length of "aa.bb.cc.dd" */ 126 127 /* 128 * Interface flags that can be set in an ifconfig command. 129 * 130 * Setting link0 will make the link passive, i.e. it will be marked 131 * as being administrative openable, but won't be opened to begin 132 * with. Incoming calls will be answered, or subsequent calls with 133 * -link1 will cause the administrative open of the LCP layer. 134 * 135 * Setting link1 will cause the link to auto-dial only as packets 136 * arrive to be sent. 137 * 138 * Setting IFF_DEBUG will syslog the option negotiation and state 139 * transitions at level kern.debug. Note: all logs consistently look 140 * like 141 * 142 * <if-name><unit>: <proto-name> <additional info...> 143 * 144 * with <if-name><unit> being something like "bppp0", and <proto-name> 145 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 146 */ 147 148 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 149 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 150 151 #define CONF_REQ 1 /* PPP configure request */ 152 #define CONF_ACK 2 /* PPP configure acknowledge */ 153 #define CONF_NAK 3 /* PPP configure negative ack */ 154 #define CONF_REJ 4 /* PPP configure reject */ 155 #define TERM_REQ 5 /* PPP terminate request */ 156 #define TERM_ACK 6 /* PPP terminate acknowledge */ 157 #define CODE_REJ 7 /* PPP code reject */ 158 #define PROTO_REJ 8 /* PPP protocol reject */ 159 #define ECHO_REQ 9 /* PPP echo request */ 160 #define ECHO_REPLY 10 /* PPP echo reply */ 161 #define DISC_REQ 11 /* PPP discard request */ 162 163 #define LCP_OPT_MRU 1 /* maximum receive unit */ 164 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 165 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 166 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 167 #define LCP_OPT_MAGIC 5 /* magic number */ 168 #define LCP_OPT_RESERVED 6 /* reserved */ 169 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 170 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 171 #define LCP_OPT_FCS_ALTS 9 /* FCS alternatives */ 172 #define LCP_OPT_SELF_DESC_PAD 10 /* self-describing padding */ 173 #define LCP_OPT_CALL_BACK 13 /* callback */ 174 #define LCP_OPT_COMPOUND_FRMS 15 /* compound frames */ 175 #define LCP_OPT_MP_MRRU 17 /* multilink MRRU */ 176 #define LCP_OPT_MP_SSNHF 18 /* multilink short seq. numbers */ 177 #define LCP_OPT_MP_EID 19 /* multilink endpoint discriminator */ 178 179 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 180 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 181 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 182 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 183 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 184 185 #define IPCP_UPDATE_LIMIT 8 /* limit of pending IP updating job */ 186 #define IPCP_SET_ADDRS 1 /* marker for IP address setting job */ 187 #define IPCP_CLEAR_ADDRS 2 /* marker for IP address clearing job */ 188 189 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 190 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 191 192 #define PAP_REQ 1 /* PAP name/password request */ 193 #define PAP_ACK 2 /* PAP acknowledge */ 194 #define PAP_NAK 3 /* PAP fail */ 195 196 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 197 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 198 #define CHAP_SUCCESS 3 /* CHAP response ok */ 199 #define CHAP_FAILURE 4 /* CHAP response failed */ 200 201 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 202 203 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 204 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 205 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 206 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 207 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 208 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 209 210 #define PPP_NOPROTO 0 /* no authentication protocol */ 211 212 enum { 213 STATE_INITIAL = SPPP_STATE_INITIAL, 214 STATE_STARTING = SPPP_STATE_STARTING, 215 STATE_CLOSED = SPPP_STATE_CLOSED, 216 STATE_STOPPED = SPPP_STATE_STOPPED, 217 STATE_CLOSING = SPPP_STATE_CLOSING, 218 STATE_STOPPING = SPPP_STATE_STOPPING, 219 STATE_REQ_SENT = SPPP_STATE_REQ_SENT, 220 STATE_ACK_RCVD = SPPP_STATE_ACK_RCVD, 221 STATE_ACK_SENT = SPPP_STATE_ACK_SENT, 222 STATE_OPENED = SPPP_STATE_OPENED, 223 }; 224 225 enum cp_rcr_type { 226 CP_RCR_NONE = 0, /* initial value */ 227 CP_RCR_ACK, /* RCR+ */ 228 CP_RCR_NAK, /* RCR- */ 229 CP_RCR_REJ, /* RCR- */ 230 CP_RCR_DROP, /* DROP message */ 231 CP_RCR_ERR, /* internal error */ 232 }; 233 234 struct ppp_header { 235 uint8_t address; 236 uint8_t control; 237 uint16_t protocol; 238 } __packed; 239 #define PPP_HEADER_LEN sizeof (struct ppp_header) 240 241 struct lcp_header { 242 uint8_t type; 243 uint8_t ident; 244 uint16_t len; 245 } __packed; 246 #define LCP_HEADER_LEN sizeof (struct lcp_header) 247 248 struct cisco_packet { 249 uint32_t type; 250 uint32_t par1; 251 uint32_t par2; 252 uint16_t rel; 253 uint16_t time0; 254 uint16_t time1; 255 } __packed; 256 #define CISCO_PACKET_LEN 18 257 258 /* 259 * We follow the spelling and capitalization of RFC 1661 here, to make 260 * it easier comparing with the standard. Please refer to this RFC in 261 * case you can't make sense out of these abbreviation; it will also 262 * explain the semantics related to the various events and actions. 263 */ 264 struct cp { 265 u_short proto; /* PPP control protocol number */ 266 u_char protoidx; /* index into state table in struct sppp */ 267 u_char flags; 268 #define CP_LCP 0x01 /* this is the LCP */ 269 #define CP_AUTH 0x02 /* this is an authentication protocol */ 270 #define CP_NCP 0x04 /* this is a NCP */ 271 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 272 const char *name; /* name of this control protocol */ 273 /* event handlers */ 274 void (*Up)(struct sppp *, void *); 275 void (*Down)(struct sppp *, void *); 276 void (*Open)(struct sppp *, void *); 277 void (*Close)(struct sppp *, void *); 278 void (*TO)(struct sppp *, void *); 279 /* actions */ 280 void (*tlu)(struct sppp *); 281 void (*tld)(struct sppp *); 282 void (*tls)(const struct cp *, struct sppp *); 283 void (*tlf)(const struct cp *, struct sppp *); 284 void (*scr)(struct sppp *); 285 void (*screply)(const struct cp *, struct sppp *, u_char, 286 uint8_t, size_t, void *); 287 288 /* message parser */ 289 enum cp_rcr_type 290 (*parse_confreq)(struct sppp *, struct lcp_header *, int, 291 uint8_t **, size_t *, size_t *); 292 void (*parse_confrej)(struct sppp *, struct lcp_header *, int); 293 void (*parse_confnak)(struct sppp *, struct lcp_header *, int); 294 }; 295 296 enum auth_role { 297 SPPP_AUTH_NOROLE = 0, 298 SPPP_AUTH_SERV = __BIT(0), 299 SPPP_AUTH_PEER = __BIT(1), 300 }; 301 302 static struct sppp *spppq; 303 static kmutex_t *spppq_lock = NULL; 304 static callout_t keepalive_ch; 305 static unsigned int sppp_keepalive_cnt = 0; 306 307 #define SPPPQ_LOCK() if (spppq_lock) \ 308 mutex_enter(spppq_lock); 309 #define SPPPQ_UNLOCK() if (spppq_lock) \ 310 mutex_exit(spppq_lock); 311 312 #define SPPP_LOCK(_sp, _op) rw_enter(&(_sp)->pp_lock, (_op)) 313 #define SPPP_UNLOCK(_sp) rw_exit(&(_sp)->pp_lock) 314 #define SPPP_WLOCKED(_sp) rw_write_held(&(_sp)->pp_lock) 315 #define SPPP_UPGRADE(_sp) do{ \ 316 SPPP_UNLOCK(_sp); \ 317 SPPP_LOCK(_sp, RW_WRITER); \ 318 }while (0) 319 #define SPPP_DOWNGRADE(_sp) rw_downgrade(&(_sp)->pp_lock) 320 #define SPPP_WQ_SET(_wk, _func, _arg) \ 321 sppp_wq_set((_wk), (_func), __UNCONST((_arg))) 322 323 #ifdef INET 324 #ifndef SPPPSUBR_MPSAFE 325 /* 326 * The following disgusting hack gets around the problem that IP TOS 327 * can't be set yet. We want to put "interactive" traffic on a high 328 * priority queue. To decide if traffic is interactive, we check that 329 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 330 * 331 * XXX is this really still necessary? - joerg - 332 */ 333 static u_short interactive_ports[8] = { 334 0, 513, 0, 0, 335 0, 21, 0, 23, 336 }; 337 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 338 #endif /* SPPPSUBR_MPSAFE */ 339 #endif 340 341 /* almost every function needs these */ 342 #define STDDCL \ 343 struct ifnet *ifp = &sp->pp_if; \ 344 int debug = ifp->if_flags & IFF_DEBUG 345 346 static int sppp_output(struct ifnet *, struct mbuf *, 347 const struct sockaddr *, const struct rtentry *); 348 349 static void sppp_cisco_send(struct sppp *, int, int32_t, int32_t); 350 static void sppp_cisco_input(struct sppp *, struct mbuf *); 351 352 static void sppp_cp_init(const struct cp *, struct sppp *); 353 static void sppp_cp_fini(const struct cp *, struct sppp *); 354 static void sppp_cp_input(const struct cp *, struct sppp *, 355 struct mbuf *); 356 static void sppp_cp_input(const struct cp *, struct sppp *, 357 struct mbuf *); 358 static void sppp_cp_send(struct sppp *, u_short, u_char, 359 u_char, u_short, void *); 360 /* static void sppp_cp_timeout(void *arg); */ 361 static void sppp_cp_change_state(const struct cp *, struct sppp *, int); 362 static struct workqueue * 363 sppp_wq_create(struct sppp *, const char *, pri_t, int, int); 364 static void sppp_wq_destroy(struct sppp *, struct workqueue *); 365 static void sppp_wq_set(struct sppp_work *, 366 void (*)(struct sppp *, void *), void *); 367 static void sppp_wq_add(struct workqueue *, struct sppp_work *); 368 static void sppp_wq_wait(struct workqueue *, struct sppp_work *); 369 static void sppp_cp_to_lcp(void *); 370 static void sppp_cp_to_ipcp(void *); 371 static void sppp_cp_to_ipv6cp(void *); 372 static void sppp_auth_send(const struct cp *, struct sppp *, 373 unsigned int, unsigned int, ...); 374 static int sppp_auth_role(const struct cp *, struct sppp *); 375 static void sppp_auth_to_event(struct sppp *, void *); 376 static void sppp_auth_screply(const struct cp *, struct sppp *, 377 u_char, uint8_t, size_t, void *); 378 static void sppp_up_event(struct sppp *, void *); 379 static void sppp_down_event(struct sppp *, void *); 380 static void sppp_open_event(struct sppp *, void *); 381 static void sppp_close_event(struct sppp *, void *); 382 static void sppp_to_event(struct sppp *, void *); 383 static void sppp_rcr_event(struct sppp *, void *); 384 static void sppp_rca_event(struct sppp *, void *); 385 static void sppp_rcn_event(struct sppp *, void *); 386 static void sppp_rtr_event(struct sppp *, void *); 387 static void sppp_rta_event(struct sppp *, void *); 388 static void sppp_rxj_event(struct sppp *, void *); 389 390 static void sppp_null(struct sppp *); 391 static void sppp_tls(const struct cp *, struct sppp *); 392 static void sppp_tlf(const struct cp *, struct sppp *); 393 static void sppp_screply(const struct cp *, struct sppp *, 394 u_char, uint8_t, size_t, void *); 395 static void sppp_ifdown(struct sppp *, void *); 396 397 static void sppp_lcp_init(struct sppp *); 398 static void sppp_lcp_up(struct sppp *, void *); 399 static void sppp_lcp_down(struct sppp *, void *); 400 static void sppp_lcp_open(struct sppp *, void *); 401 static enum cp_rcr_type 402 sppp_lcp_confreq(struct sppp *, struct lcp_header *, int, 403 uint8_t **, size_t *, size_t *); 404 static void sppp_lcp_confrej(struct sppp *, struct lcp_header *, int); 405 static void sppp_lcp_confnak(struct sppp *, struct lcp_header *, int); 406 static void sppp_lcp_tlu(struct sppp *); 407 static void sppp_lcp_tld(struct sppp *); 408 static void sppp_lcp_tls(const struct cp *, struct sppp *); 409 static void sppp_lcp_tlf(const struct cp *, struct sppp *); 410 static void sppp_lcp_scr(struct sppp *); 411 static void sppp_lcp_check_and_close(struct sppp *); 412 static int sppp_cp_check(struct sppp *, u_char); 413 414 static void sppp_ipcp_init(struct sppp *); 415 static void sppp_ipcp_open(struct sppp *, void *); 416 static void sppp_ipcp_close(struct sppp *, void *); 417 static enum cp_rcr_type 418 sppp_ipcp_confreq(struct sppp *, struct lcp_header *, int, 419 uint8_t **, size_t *, size_t *); 420 static void sppp_ipcp_confrej(struct sppp *, struct lcp_header *, int); 421 static void sppp_ipcp_confnak(struct sppp *, struct lcp_header *, int); 422 static void sppp_ipcp_tlu(struct sppp *); 423 static void sppp_ipcp_scr(struct sppp *); 424 425 static void sppp_ipv6cp_init(struct sppp *); 426 static void sppp_ipv6cp_open(struct sppp *, void *); 427 static enum cp_rcr_type 428 sppp_ipv6cp_confreq(struct sppp *, struct lcp_header *, int, 429 uint8_t **, size_t *, size_t *); 430 static void sppp_ipv6cp_confrej(struct sppp *, struct lcp_header *, int); 431 static void sppp_ipv6cp_confnak(struct sppp *, struct lcp_header *, int); 432 static void sppp_ipv6cp_tlu(struct sppp *); 433 static void sppp_ipv6cp_scr(struct sppp *); 434 435 static void sppp_pap_input(struct sppp *, struct mbuf *); 436 static void sppp_pap_init(struct sppp *); 437 static void sppp_pap_tlu(struct sppp *); 438 static void sppp_pap_scr(struct sppp *); 439 static void sppp_pap_scr(struct sppp *); 440 441 static void sppp_chap_input(struct sppp *, struct mbuf *); 442 static void sppp_chap_init(struct sppp *); 443 static void sppp_chap_open(struct sppp *, void *); 444 static void sppp_chap_tlu(struct sppp *); 445 static void sppp_chap_scr(struct sppp *); 446 static void sppp_chap_rcv_challenge_event(struct sppp *, void *); 447 448 static const char *sppp_auth_type_name(char *, size_t, u_short, u_char); 449 static const char *sppp_cp_type_name(char *, size_t, u_char); 450 static const char *sppp_dotted_quad(char *, size_t, uint32_t); 451 static const char *sppp_ipcp_opt_name(char *, size_t, u_char); 452 #ifdef INET6 453 static const char *sppp_ipv6cp_opt_name(char *, size_t, u_char); 454 #endif 455 static const char *sppp_lcp_opt_name(char *, size_t, u_char); 456 static const char *sppp_phase_name(int); 457 static const char *sppp_proto_name(char *, size_t, u_short); 458 static const char *sppp_state_name(int); 459 static int sppp_params(struct sppp *, u_long, void *); 460 #ifdef INET 461 static void sppp_get_ip_addrs(struct sppp *, uint32_t *, uint32_t *, uint32_t *); 462 static void sppp_set_ip_addrs(struct sppp *); 463 static void sppp_clear_ip_addrs(struct sppp *); 464 #endif 465 static void sppp_keepalive(void *); 466 static void sppp_phase_network(struct sppp *); 467 static void sppp_print_bytes(const u_char *, u_short); 468 static void sppp_print_string(const char *, u_short); 469 #ifdef INET6 470 static void sppp_get_ip6_addrs(struct sppp *, struct in6_addr *, 471 struct in6_addr *, struct in6_addr *); 472 #ifdef IPV6CP_MYIFID_DYN 473 static void sppp_set_ip6_addr(struct sppp *, const struct in6_addr *); 474 static void sppp_gen_ip6_addr(struct sppp *, const struct in6_addr *); 475 #endif 476 static void sppp_suggest_ip6_addr(struct sppp *, struct in6_addr *); 477 #endif 478 479 static void sppp_notify_up(struct sppp *); 480 static void sppp_notify_down(struct sppp *); 481 static void sppp_notify_tls_wlocked(struct sppp *); 482 static void sppp_notify_tlf_wlocked(struct sppp *); 483 #ifdef INET6 484 static void sppp_notify_con_wlocked(struct sppp *); 485 #endif 486 static void sppp_notify_con(struct sppp *); 487 488 static void sppp_notify_chg_wlocked(struct sppp *); 489 490 /* our control protocol descriptors */ 491 static const struct cp lcp = { 492 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 493 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, 494 sppp_close_event, sppp_to_event, 495 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, 496 sppp_lcp_tlf, sppp_lcp_scr, sppp_screply, 497 sppp_lcp_confreq, sppp_lcp_confrej, sppp_lcp_confnak 498 }; 499 500 static const struct cp ipcp = { 501 PPP_IPCP, IDX_IPCP, 502 #ifdef INET 503 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 504 #else 505 0, 506 #endif 507 "ipcp", 508 sppp_up_event, sppp_down_event, sppp_ipcp_open, 509 sppp_ipcp_close, sppp_to_event, 510 sppp_ipcp_tlu, sppp_null, sppp_tls, 511 sppp_tlf, sppp_ipcp_scr, sppp_screply, 512 sppp_ipcp_confreq, sppp_ipcp_confrej, sppp_ipcp_confnak, 513 }; 514 515 static const struct cp ipv6cp = { 516 PPP_IPV6CP, IDX_IPV6CP, 517 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 518 CP_NCP, 519 #else 520 0, 521 #endif 522 "ipv6cp", 523 sppp_up_event, sppp_down_event, sppp_ipv6cp_open, 524 sppp_close_event, sppp_to_event, 525 sppp_ipv6cp_tlu, sppp_null, sppp_tls, 526 sppp_tlf, sppp_ipv6cp_scr, sppp_screply, 527 sppp_ipv6cp_confreq, sppp_ipv6cp_confrej, sppp_ipv6cp_confnak, 528 }; 529 530 static const struct cp pap = { 531 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 532 sppp_up_event, sppp_down_event, sppp_open_event, 533 sppp_close_event, sppp_to_event, 534 sppp_pap_tlu, sppp_null, sppp_tls, sppp_tlf, 535 sppp_pap_scr, sppp_auth_screply, 536 NULL, NULL, NULL 537 }; 538 539 static const struct cp chap = { 540 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 541 sppp_up_event, sppp_down_event, sppp_chap_open, 542 sppp_close_event, sppp_auth_to_event, 543 sppp_chap_tlu, sppp_null, sppp_tls, sppp_tlf, 544 sppp_chap_scr, sppp_auth_screply, 545 NULL, NULL, NULL 546 }; 547 548 static const struct cp *cps[IDX_COUNT] = { 549 &lcp, /* IDX_LCP */ 550 &ipcp, /* IDX_IPCP */ 551 &ipv6cp, /* IDX_IPV6CP */ 552 &pap, /* IDX_PAP */ 553 &chap, /* IDX_CHAP */ 554 }; 555 556 static inline u_int 557 sppp_proto2authproto(u_short proto) 558 { 559 560 switch (proto) { 561 case PPP_PAP: 562 return SPPP_AUTHPROTO_PAP; 563 case PPP_CHAP: 564 return SPPP_AUTHPROTO_CHAP; 565 } 566 567 return SPPP_AUTHPROTO_NONE; 568 } 569 570 static inline u_short 571 sppp_authproto2proto(u_int authproto) 572 { 573 574 switch (authproto) { 575 case SPPP_AUTHPROTO_PAP: 576 return PPP_PAP; 577 case SPPP_AUTHPROTO_CHAP: 578 return PPP_CHAP; 579 } 580 581 return PPP_NOPROTO; 582 } 583 584 static void 585 sppp_change_phase(struct sppp *sp, int phase) 586 { 587 STDDCL; 588 589 KASSERT(SPPP_WLOCKED(sp)); 590 591 if (sp->pp_phase == phase) 592 return; 593 594 sp->pp_phase = phase; 595 596 if (phase == SPPP_PHASE_NETWORK) 597 if_link_state_change(ifp, LINK_STATE_UP); 598 else 599 if_link_state_change(ifp, LINK_STATE_DOWN); 600 601 if (debug) 602 { 603 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 604 sppp_phase_name(sp->pp_phase)); 605 } 606 } 607 608 /* 609 * Exported functions, comprising our interface to the lower layer. 610 */ 611 612 /* 613 * Process the received packet. 614 */ 615 void 616 sppp_input(struct ifnet *ifp, struct mbuf *m) 617 { 618 struct ppp_header *h = NULL; 619 pktqueue_t *pktq = NULL; 620 struct ifqueue *inq = NULL; 621 uint16_t protocol; 622 struct sppp *sp = (struct sppp *)ifp; 623 int debug = ifp->if_flags & IFF_DEBUG; 624 int isr = 0; 625 626 SPPP_LOCK(sp, RW_READER); 627 628 if (ifp->if_flags & IFF_UP) { 629 /* Count received bytes, add hardware framing */ 630 if_statadd(ifp, if_ibytes, m->m_pkthdr.len + sp->pp_framebytes); 631 /* Note time of last receive */ 632 sp->pp_last_receive = time_uptime; 633 } 634 635 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 636 /* Too small packet, drop it. */ 637 if (debug) 638 log(LOG_DEBUG, 639 "%s: input packet is too small, %d bytes\n", 640 ifp->if_xname, m->m_pkthdr.len); 641 goto drop; 642 } 643 644 if (sp->pp_flags & PP_NOFRAMING) { 645 memcpy(&protocol, mtod(m, void *), 2); 646 protocol = ntohs(protocol); 647 m_adj(m, 2); 648 } else { 649 650 /* Get PPP header. */ 651 h = mtod(m, struct ppp_header *); 652 m_adj(m, PPP_HEADER_LEN); 653 654 switch (h->address) { 655 case PPP_ALLSTATIONS: 656 if (h->control != PPP_UI) 657 goto invalid; 658 if (sp->pp_flags & PP_CISCO) { 659 if (debug) 660 log(LOG_DEBUG, 661 "%s: PPP packet in Cisco mode " 662 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 663 ifp->if_xname, 664 h->address, h->control, ntohs(h->protocol)); 665 goto drop; 666 } 667 break; 668 case CISCO_MULTICAST: 669 case CISCO_UNICAST: 670 /* Don't check the control field here (RFC 1547). */ 671 if (! (sp->pp_flags & PP_CISCO)) { 672 if (debug) 673 log(LOG_DEBUG, 674 "%s: Cisco packet in PPP mode " 675 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 676 ifp->if_xname, 677 h->address, h->control, ntohs(h->protocol)); 678 goto drop; 679 } 680 switch (ntohs(h->protocol)) { 681 default: 682 if_statinc(ifp, if_noproto); 683 goto invalid; 684 case CISCO_KEEPALIVE: 685 SPPP_UNLOCK(sp); 686 sppp_cisco_input((struct sppp *) ifp, m); 687 m_freem(m); 688 return; 689 #ifdef INET 690 case ETHERTYPE_IP: 691 pktq = ip_pktq; 692 break; 693 #endif 694 #ifdef INET6 695 case ETHERTYPE_IPV6: 696 pktq = ip6_pktq; 697 break; 698 #endif 699 } 700 goto queue_pkt; 701 default: /* Invalid PPP packet. */ 702 invalid: 703 if (debug) 704 log(LOG_DEBUG, 705 "%s: invalid input packet " 706 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 707 ifp->if_xname, 708 h->address, h->control, ntohs(h->protocol)); 709 goto drop; 710 } 711 protocol = ntohs(h->protocol); 712 } 713 714 switch (protocol) { 715 reject_protocol: 716 if (sp->scp[IDX_LCP].state == STATE_OPENED) { 717 uint16_t prot = htons(protocol); 718 719 SPPP_UPGRADE(sp); 720 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 721 ++sp->scp[IDX_LCP].seq, m->m_pkthdr.len + 2, 722 &prot); 723 SPPP_DOWNGRADE(sp); 724 } 725 if_statinc(ifp, if_noproto); 726 goto drop; 727 default: 728 if (debug) { 729 log(LOG_DEBUG, 730 "%s: invalid input protocol " 731 "<proto=0x%x>\n", ifp->if_xname, protocol); 732 } 733 goto reject_protocol; 734 case PPP_LCP: 735 SPPP_UNLOCK(sp); 736 sppp_cp_input(&lcp, sp, m); 737 /* already m_freem(m) */ 738 return; 739 case PPP_PAP: 740 SPPP_UNLOCK(sp); 741 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 742 sppp_pap_input(sp, m); 743 } 744 m_freem(m); 745 return; 746 case PPP_CHAP: 747 SPPP_UNLOCK(sp); 748 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 749 sppp_chap_input(sp, m); 750 } 751 m_freem(m); 752 return; 753 #ifdef INET 754 case PPP_IPCP: 755 if (!ISSET(sp->pp_ncpflags, SPPP_NCP_IPCP)) { 756 log(LOG_INFO, "%s: reject IPCP packet " 757 "because IPCP is disabled\n", 758 ifp->if_xname); 759 goto reject_protocol; 760 } 761 SPPP_UNLOCK(sp); 762 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 763 sppp_cp_input(&ipcp, sp, m); 764 /* already m_freem(m) */ 765 } else { 766 m_freem(m); 767 } 768 return; 769 case PPP_IP: 770 if (sp->scp[IDX_IPCP].state == STATE_OPENED) { 771 sp->pp_last_activity = time_uptime; 772 pktq = ip_pktq; 773 } 774 break; 775 #endif 776 #ifdef INET6 777 case PPP_IPV6CP: 778 if (!ISSET(sp->pp_ncpflags, SPPP_NCP_IPV6CP)) { 779 log(LOG_INFO, "%s: reject IPv6CP packet " 780 "because IPv6CP is disabled\n", 781 ifp->if_xname); 782 goto reject_protocol; 783 } 784 SPPP_UNLOCK(sp); 785 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 786 sppp_cp_input(&ipv6cp, sp, m); 787 /* already m_freem(m) */ 788 } else { 789 m_freem(m); 790 } 791 return; 792 793 case PPP_IPV6: 794 if (sp->scp[IDX_IPV6CP].state == STATE_OPENED) { 795 sp->pp_last_activity = time_uptime; 796 pktq = ip6_pktq; 797 } 798 break; 799 #endif 800 } 801 802 queue_pkt: 803 if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) { 804 goto drop; 805 } 806 807 /* Check queue. */ 808 if (__predict_true(pktq)) { 809 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 810 goto drop; 811 } 812 SPPP_UNLOCK(sp); 813 return; 814 } 815 816 SPPP_UNLOCK(sp); 817 818 IFQ_LOCK(inq); 819 if (IF_QFULL(inq)) { 820 /* Queue overflow. */ 821 IF_DROP(inq); 822 IFQ_UNLOCK(inq); 823 if (debug) 824 log(LOG_DEBUG, "%s: protocol queue overflow\n", 825 ifp->if_xname); 826 827 SPPP_LOCK(sp, RW_READER); 828 goto drop; 829 } 830 IF_ENQUEUE(inq, m); 831 IFQ_UNLOCK(inq); 832 schednetisr(isr); 833 return; 834 835 drop: 836 if_statadd2(ifp, if_ierrors, 1, if_iqdrops, 1); 837 m_freem(m); 838 SPPP_UNLOCK(sp); 839 return; 840 } 841 842 /* 843 * Enqueue transmit packet. 844 */ 845 static int 846 sppp_output(struct ifnet *ifp, struct mbuf *m, 847 const struct sockaddr *dst, const struct rtentry *rt) 848 { 849 struct sppp *sp = (struct sppp *) ifp; 850 struct ppp_header *h = NULL; 851 #ifndef SPPPSUBR_MPSAFE 852 struct ifqueue *ifq = NULL; /* XXX */ 853 #endif 854 int s, error = 0; 855 uint16_t protocol; 856 size_t pktlen; 857 858 s = splnet(); 859 SPPP_LOCK(sp, RW_READER); 860 861 sp->pp_last_activity = time_uptime; 862 863 if ((ifp->if_flags & IFF_UP) == 0 || 864 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 865 SPPP_UNLOCK(sp); 866 splx(s); 867 868 m_freem(m); 869 if_statinc(ifp, if_oerrors); 870 return (ENETDOWN); 871 } 872 873 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 874 /* ignore packets that have no enabled NCP */ 875 if ((dst->sa_family == AF_INET && 876 !ISSET(sp->pp_ncpflags, SPPP_NCP_IPCP)) || 877 (dst->sa_family == AF_INET6 && 878 !ISSET(sp->pp_ncpflags, SPPP_NCP_IPV6CP))) { 879 SPPP_UNLOCK(sp); 880 splx(s); 881 882 m_freem(m); 883 if_statinc(ifp, if_oerrors); 884 return (ENETDOWN); 885 } 886 /* 887 * Interface is not yet running, but auto-dial. Need 888 * to start LCP for it. 889 */ 890 ifp->if_flags |= IFF_RUNNING; 891 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open); 892 } 893 894 /* 895 * If the queueing discipline needs packet classification, 896 * do it before prepending link headers. 897 */ 898 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family); 899 900 #ifdef INET 901 if (dst->sa_family == AF_INET) { 902 struct ip *ip = NULL; 903 #ifndef SPPPSUBR_MPSAFE 904 struct tcphdr *th = NULL; 905 #endif 906 907 if (m->m_len >= sizeof(struct ip)) { 908 ip = mtod(m, struct ip *); 909 #ifndef SPPPSUBR_MPSAFE 910 if (ip->ip_p == IPPROTO_TCP && 911 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 912 sizeof(struct tcphdr)) { 913 th = (struct tcphdr *) 914 ((char *)ip + (ip->ip_hl << 2)); 915 } 916 #endif 917 } else 918 ip = NULL; 919 920 /* 921 * When using dynamic local IP address assignment by using 922 * 0.0.0.0 as a local address, the first TCP session will 923 * not connect because the local TCP checksum is computed 924 * using 0.0.0.0 which will later become our real IP address 925 * so the TCP checksum computed at the remote end will 926 * become invalid. So we 927 * - don't let packets with src ip addr 0 thru 928 * - we flag TCP packets with src ip 0 as an error 929 */ 930 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 931 uint8_t proto = ip->ip_p; 932 933 SPPP_UNLOCK(sp); 934 splx(s); 935 936 m_freem(m); 937 if (proto == IPPROTO_TCP) 938 return (EADDRNOTAVAIL); 939 else 940 return (0); 941 } 942 943 #ifndef SPPPSUBR_MPSAFE 944 /* 945 * Put low delay, telnet, rlogin and ftp control packets 946 * in front of the queue. 947 */ 948 if (!IF_QFULL(&sp->pp_fastq) && 949 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 950 (th && (INTERACTIVE(ntohs(th->th_sport)) || 951 INTERACTIVE(ntohs(th->th_dport)))))) 952 ifq = &sp->pp_fastq; 953 #endif /* !SPPPSUBR_MPSAFE */ 954 } 955 #endif 956 957 #ifdef INET6 958 if (dst->sa_family == AF_INET6) { 959 /* XXX do something tricky here? */ 960 } 961 #endif 962 963 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 964 /* 965 * Prepend general data packet PPP header. For now, IP only. 966 */ 967 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 968 if (! m) { 969 if (ifp->if_flags & IFF_DEBUG) 970 log(LOG_DEBUG, "%s: no memory for transmit header\n", 971 ifp->if_xname); 972 if_statinc(ifp, if_oerrors); 973 SPPP_UNLOCK(sp); 974 splx(s); 975 return (ENOBUFS); 976 } 977 /* 978 * May want to check size of packet 979 * (albeit due to the implementation it's always enough) 980 */ 981 h = mtod(m, struct ppp_header *); 982 if (sp->pp_flags & PP_CISCO) { 983 h->address = CISCO_UNICAST; /* unicast address */ 984 h->control = 0; 985 } else { 986 h->address = PPP_ALLSTATIONS; /* broadcast address */ 987 h->control = PPP_UI; /* Unnumbered Info */ 988 } 989 } 990 991 switch (dst->sa_family) { 992 #ifdef INET 993 case AF_INET: /* Internet Protocol */ 994 if (sp->pp_flags & PP_CISCO) 995 protocol = htons(ETHERTYPE_IP); 996 else { 997 /* 998 * Don't choke with an ENETDOWN early. It's 999 * possible that we just started dialing out, 1000 * so don't drop the packet immediately. If 1001 * we notice that we run out of buffer space 1002 * below, we will however remember that we are 1003 * not ready to carry IP packets, and return 1004 * ENETDOWN, as opposed to ENOBUFS. 1005 */ 1006 protocol = htons(PPP_IP); 1007 if (sp->scp[IDX_IPCP].state != STATE_OPENED) { 1008 if (ifp->if_flags & IFF_AUTO) { 1009 error = ENETDOWN; 1010 } else { 1011 IF_DROP(&ifp->if_snd); 1012 SPPP_UNLOCK(sp); 1013 splx(s); 1014 1015 m_freem(m); 1016 if_statinc(ifp, if_oerrors); 1017 return (ENETDOWN); 1018 } 1019 } 1020 } 1021 break; 1022 #endif 1023 #ifdef INET6 1024 case AF_INET6: /* Internet Protocol version 6 */ 1025 if (sp->pp_flags & PP_CISCO) 1026 protocol = htons(ETHERTYPE_IPV6); 1027 else { 1028 /* 1029 * Don't choke with an ENETDOWN early. It's 1030 * possible that we just started dialing out, 1031 * so don't drop the packet immediately. If 1032 * we notice that we run out of buffer space 1033 * below, we will however remember that we are 1034 * not ready to carry IP packets, and return 1035 * ENETDOWN, as opposed to ENOBUFS. 1036 */ 1037 protocol = htons(PPP_IPV6); 1038 if (sp->scp[IDX_IPV6CP].state != STATE_OPENED) { 1039 if (ifp->if_flags & IFF_AUTO) { 1040 error = ENETDOWN; 1041 } else { 1042 IF_DROP(&ifp->if_snd); 1043 SPPP_UNLOCK(sp); 1044 splx(s); 1045 1046 m_freem(m); 1047 if_statinc(ifp, if_oerrors); 1048 return (ENETDOWN); 1049 } 1050 } 1051 } 1052 break; 1053 #endif 1054 default: 1055 m_freem(m); 1056 if_statinc(ifp, if_oerrors); 1057 SPPP_UNLOCK(sp); 1058 splx(s); 1059 return (EAFNOSUPPORT); 1060 } 1061 1062 if (sp->pp_flags & PP_NOFRAMING) { 1063 M_PREPEND(m, 2, M_DONTWAIT); 1064 if (m == NULL) { 1065 if (ifp->if_flags & IFF_DEBUG) 1066 log(LOG_DEBUG, "%s: no memory for transmit header\n", 1067 ifp->if_xname); 1068 if_statinc(ifp, if_oerrors); 1069 SPPP_UNLOCK(sp); 1070 splx(s); 1071 return (ENOBUFS); 1072 } 1073 *mtod(m, uint16_t *) = protocol; 1074 } else { 1075 h->protocol = protocol; 1076 } 1077 1078 pktlen = m->m_pkthdr.len; 1079 #ifdef SPPPSUBR_MPSAFE 1080 SPPP_UNLOCK(sp); 1081 error = if_transmit_lock(ifp, m); 1082 SPPP_LOCK(sp, RW_READER); 1083 if (error == 0) 1084 if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes); 1085 #else /* !SPPPSUBR_MPSAFE */ 1086 error = ifq_enqueue2(ifp, ifq, m); 1087 1088 if (error == 0) { 1089 /* 1090 * Count output packets and bytes. 1091 * The packet length includes header + additional hardware 1092 * framing according to RFC 1333. 1093 */ 1094 if (!(ifp->if_flags & IFF_OACTIVE)) { 1095 SPPP_UNLOCK(sp); 1096 if_start_lock(ifp); 1097 SPPP_LOCK(sp, RW_READER); 1098 } 1099 if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes); 1100 } 1101 #endif /* !SPPPSUBR_MPSAFE */ 1102 SPPP_UNLOCK(sp); 1103 splx(s); 1104 return error; 1105 } 1106 1107 void 1108 sppp_attach(struct ifnet *ifp) 1109 { 1110 struct sppp *sp = (struct sppp *) ifp; 1111 char xnamebuf[MAXCOMLEN]; 1112 1113 /* Initialize keepalive handler. */ 1114 if (! spppq) { 1115 callout_init(&keepalive_ch, CALLOUT_MPSAFE); 1116 callout_reset(&keepalive_ch, hz * SPPP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 1117 } 1118 1119 if (! spppq_lock) 1120 spppq_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_SOFTNET); 1121 1122 sp->pp_if.if_type = IFT_PPP; 1123 sp->pp_if.if_output = sppp_output; 1124 sp->pp_fastq.ifq_maxlen = 32; 1125 sp->pp_cpq.ifq_maxlen = 20; 1126 sp->pp_loopcnt = 0; 1127 sp->pp_alivecnt = 0; 1128 sp->pp_alive_interval = SPPP_ALIVE_INTERVAL; 1129 sp->pp_last_activity = 0; 1130 sp->pp_last_receive = 0; 1131 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 1132 sp->pp_max_noreceive = SPPP_NORECV_TIME; 1133 sp->pp_idle_timeout = 0; 1134 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 1135 sp->pp_phase = SPPP_PHASE_DEAD; 1136 sp->pp_up = sppp_notify_up; 1137 sp->pp_down = sppp_notify_down; 1138 sp->pp_ncpflags = SPPP_NCP_IPCP | SPPP_NCP_IPV6CP; 1139 sppp_wq_set(&sp->work_ifdown, sppp_ifdown, NULL); 1140 memset(sp->scp, 0, sizeof(sp->scp)); 1141 rw_init(&sp->pp_lock); 1142 1143 if_alloc_sadl(ifp); 1144 1145 /* Lets not beat about the bush, we know we're down. */ 1146 ifp->if_link_state = LINK_STATE_DOWN; 1147 1148 snprintf(xnamebuf, sizeof(xnamebuf), "%s.wq_cp", ifp->if_xname); 1149 sp->wq_cp = sppp_wq_create(sp, xnamebuf, 1150 PRI_SOFTNET, IPL_SOFTNET, WQ_MPSAFE); 1151 1152 memset(&sp->myauth, 0, sizeof sp->myauth); 1153 memset(&sp->hisauth, 0, sizeof sp->hisauth); 1154 SPPP_LOCK(sp, RW_WRITER); 1155 sppp_lcp_init(sp); 1156 sppp_ipcp_init(sp); 1157 sppp_ipv6cp_init(sp); 1158 sppp_pap_init(sp); 1159 sppp_chap_init(sp); 1160 SPPP_UNLOCK(sp); 1161 1162 SPPPQ_LOCK(); 1163 /* Insert new entry into the keepalive list. */ 1164 sp->pp_next = spppq; 1165 spppq = sp; 1166 SPPPQ_UNLOCK(); 1167 } 1168 1169 void 1170 sppp_detach(struct ifnet *ifp) 1171 { 1172 struct sppp **q, *p, *sp = (struct sppp *) ifp; 1173 1174 /* Remove the entry from the keepalive list. */ 1175 SPPPQ_LOCK(); 1176 for (q = &spppq; (p = *q); q = &p->pp_next) 1177 if (p == sp) { 1178 *q = p->pp_next; 1179 break; 1180 } 1181 SPPPQ_UNLOCK(); 1182 1183 if (! spppq) { 1184 /* Stop keepalive handler. */ 1185 callout_stop(&keepalive_ch); 1186 mutex_obj_free(spppq_lock); 1187 spppq_lock = NULL; 1188 } 1189 1190 sppp_cp_fini(&lcp, sp); 1191 sppp_cp_fini(&ipcp, sp); 1192 sppp_cp_fini(&pap, sp); 1193 sppp_cp_fini(&chap, sp); 1194 #ifdef INET6 1195 sppp_cp_fini(&ipv6cp, sp); 1196 #endif 1197 sppp_wq_destroy(sp, sp->wq_cp); 1198 1199 /* free authentication info */ 1200 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 1201 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 1202 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 1203 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 1204 rw_destroy(&sp->pp_lock); 1205 } 1206 1207 /* 1208 * Flush the interface output queue. 1209 */ 1210 void 1211 sppp_flush(struct ifnet *ifp) 1212 { 1213 struct sppp *sp = (struct sppp *) ifp; 1214 1215 SPPP_LOCK(sp, RW_WRITER); 1216 IFQ_PURGE(&sp->pp_if.if_snd); 1217 IF_PURGE(&sp->pp_fastq); 1218 IF_PURGE(&sp->pp_cpq); 1219 SPPP_UNLOCK(sp); 1220 } 1221 1222 /* 1223 * Check if the output queue is empty. 1224 */ 1225 int 1226 sppp_isempty(struct ifnet *ifp) 1227 { 1228 struct sppp *sp = (struct sppp *) ifp; 1229 int empty, s; 1230 1231 s = splnet(); 1232 SPPP_LOCK(sp, RW_READER); 1233 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 1234 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 1235 SPPP_UNLOCK(sp); 1236 splx(s); 1237 return (empty); 1238 } 1239 1240 /* 1241 * Get next packet to send. 1242 */ 1243 struct mbuf * 1244 sppp_dequeue(struct ifnet *ifp) 1245 { 1246 struct sppp *sp = (struct sppp *) ifp; 1247 struct mbuf *m; 1248 int s; 1249 1250 s = splnet(); 1251 SPPP_LOCK(sp, RW_WRITER); 1252 /* 1253 * Process only the control protocol queue until we have at 1254 * least one NCP open. 1255 * 1256 * Do always serve all three queues in Cisco mode. 1257 */ 1258 IF_DEQUEUE(&sp->pp_cpq, m); 1259 if (m == NULL && 1260 (sppp_cp_check(sp, CP_NCP) || (sp->pp_flags & PP_CISCO) != 0)) { 1261 IF_DEQUEUE(&sp->pp_fastq, m); 1262 if (m == NULL) 1263 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 1264 } 1265 SPPP_UNLOCK(sp); 1266 splx(s); 1267 return m; 1268 } 1269 1270 /* 1271 * Process an ioctl request. Called on low priority level. 1272 */ 1273 int 1274 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1275 { 1276 struct lwp *l = curlwp; /* XXX */ 1277 struct ifreq *ifr = (struct ifreq *) data; 1278 struct ifaddr *ifa = (struct ifaddr *) data; 1279 struct sppp *sp = (struct sppp *) ifp; 1280 int s, error=0, going_up, going_down; 1281 u_short newmode; 1282 u_long lcp_mru; 1283 1284 s = splnet(); 1285 switch (cmd) { 1286 case SIOCINITIFADDR: 1287 ifa->ifa_rtrequest = p2p_rtrequest; 1288 break; 1289 1290 case SIOCSIFFLAGS: 1291 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1292 break; 1293 1294 SPPP_LOCK(sp, RW_WRITER); 1295 going_up = ifp->if_flags & IFF_UP && 1296 (ifp->if_flags & IFF_RUNNING) == 0; 1297 going_down = (ifp->if_flags & IFF_UP) == 0 && 1298 ifp->if_flags & IFF_RUNNING; 1299 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1300 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1301 /* sanity */ 1302 newmode = IFF_PASSIVE; 1303 ifp->if_flags &= ~IFF_AUTO; 1304 } 1305 1306 if (going_up || going_down) { 1307 sp->lcp.reestablish = false; 1308 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 1309 } 1310 if (going_up && newmode == 0) { 1311 /* neither auto-dial nor passive */ 1312 ifp->if_flags |= IFF_RUNNING; 1313 if (!(sp->pp_flags & PP_CISCO)) { 1314 sppp_wq_add(sp->wq_cp, 1315 &sp->scp[IDX_LCP].work_open); 1316 } 1317 } else if (going_down) { 1318 SPPP_UNLOCK(sp); 1319 sppp_flush(ifp); 1320 SPPP_LOCK(sp, RW_WRITER); 1321 1322 ifp->if_flags &= ~IFF_RUNNING; 1323 } 1324 SPPP_UNLOCK(sp); 1325 break; 1326 1327 case SIOCSIFMTU: 1328 if (ifr->ifr_mtu < PPP_MINMRU || 1329 ifr->ifr_mtu > PP_MTU) { 1330 error = EINVAL; 1331 break; 1332 } 1333 1334 error = ifioctl_common(ifp, cmd, data); 1335 if (error == ENETRESET) 1336 error = 0; 1337 1338 SPPP_LOCK(sp, RW_WRITER); 1339 lcp_mru = sp->lcp.mru; 1340 if (ifp->if_mtu < PP_MTU) { 1341 sp->lcp.mru = ifp->if_mtu; 1342 } else { 1343 sp->lcp.mru = PP_MTU; 1344 } 1345 if (lcp_mru != sp->lcp.mru) 1346 SET(sp->lcp.opts, SPPP_LCP_OPT_MRU); 1347 1348 if (sp->scp[IDX_LCP].state == STATE_OPENED && 1349 ifp->if_mtu > sp->lcp.their_mru) { 1350 sp->pp_saved_mtu = ifp->if_mtu; 1351 ifp->if_mtu = sp->lcp.their_mru; 1352 1353 if (ifp->if_flags & IFF_DEBUG) { 1354 log(LOG_DEBUG, 1355 "%s: setting MTU " 1356 "from %"PRIu64" bytes " 1357 "to %"PRIu64" bytes\n", 1358 ifp->if_xname, sp->pp_saved_mtu, 1359 ifp->if_mtu); 1360 } 1361 } 1362 SPPP_UNLOCK(sp); 1363 break; 1364 1365 case SIOCGIFMTU: 1366 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1367 error = 0; 1368 break; 1369 case SIOCADDMULTI: 1370 case SIOCDELMULTI: 1371 break; 1372 1373 case SPPPSETAUTHCFG: 1374 case SPPPSETLCPCFG: 1375 case SPPPSETNCPCFG: 1376 case SPPPSETIDLETO: 1377 case SPPPSETAUTHFAILURE: 1378 case SPPPSETDNSOPTS: 1379 case SPPPSETKEEPALIVE: 1380 #if defined(COMPAT_50) || defined(MODULAR) 1381 case __SPPPSETIDLETO50: 1382 case __SPPPSETKEEPALIVE50: 1383 #endif /* COMPAT_50 || MODULAR */ 1384 error = kauth_authorize_network(l->l_cred, 1385 KAUTH_NETWORK_INTERFACE, 1386 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1387 NULL); 1388 if (error) 1389 break; 1390 error = sppp_params(sp, cmd, data); 1391 break; 1392 1393 case SPPPGETAUTHCFG: 1394 case SPPPGETLCPCFG: 1395 case SPPPGETNCPCFG: 1396 case SPPPGETAUTHFAILURES: 1397 error = kauth_authorize_network(l->l_cred, 1398 KAUTH_NETWORK_INTERFACE, 1399 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1400 NULL); 1401 if (error) 1402 break; 1403 error = sppp_params(sp, cmd, data); 1404 break; 1405 1406 case SPPPGETSTATUS: 1407 case SPPPGETSTATUSNCP: 1408 case SPPPGETIDLETO: 1409 case SPPPGETDNSOPTS: 1410 case SPPPGETDNSADDRS: 1411 case SPPPGETKEEPALIVE: 1412 #if defined(COMPAT_50) || defined(MODULAR) 1413 case __SPPPGETIDLETO50: 1414 case __SPPPGETKEEPALIVE50: 1415 #endif /* COMPAT_50 || MODULAR */ 1416 case SPPPGETLCPSTATUS: 1417 case SPPPGETIPCPSTATUS: 1418 case SPPPGETIPV6CPSTATUS: 1419 error = sppp_params(sp, cmd, data); 1420 break; 1421 1422 default: 1423 error = ifioctl_common(ifp, cmd, data); 1424 break; 1425 } 1426 splx(s); 1427 return (error); 1428 } 1429 1430 /* 1431 * Cisco framing implementation. 1432 */ 1433 1434 /* 1435 * Handle incoming Cisco keepalive protocol packets. 1436 */ 1437 static void 1438 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1439 { 1440 STDDCL; 1441 struct cisco_packet *h; 1442 #ifdef INET 1443 uint32_t me, mymask = 0; /* XXX: GCC */ 1444 #endif 1445 1446 SPPP_LOCK(sp, RW_WRITER); 1447 1448 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1449 if (debug) 1450 log(LOG_DEBUG, 1451 "%s: cisco invalid packet length: %d bytes\n", 1452 ifp->if_xname, m->m_pkthdr.len); 1453 SPPP_UNLOCK(sp); 1454 return; 1455 } 1456 h = mtod(m, struct cisco_packet *); 1457 if (debug) 1458 log(LOG_DEBUG, 1459 "%s: cisco input: %d bytes " 1460 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1461 ifp->if_xname, m->m_pkthdr.len, 1462 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1463 (u_int)h->time0, (u_int)h->time1); 1464 switch (ntohl(h->type)) { 1465 default: 1466 if (debug) 1467 addlog("%s: cisco unknown packet type: 0x%x\n", 1468 ifp->if_xname, ntohl(h->type)); 1469 break; 1470 case CISCO_ADDR_REPLY: 1471 /* Reply on address request, ignore */ 1472 break; 1473 case CISCO_KEEPALIVE_REQ: 1474 sp->pp_alivecnt = 0; 1475 sp->scp[IDX_LCP].rseq = ntohl(h->par1); 1476 if (sp->scp[IDX_LCP].seq == sp->scp[IDX_LCP].rseq) { 1477 /* Local and remote sequence numbers are equal. 1478 * Probably, the line is in loopback mode. */ 1479 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1480 printf ("%s: loopback\n", 1481 ifp->if_xname); 1482 sp->pp_loopcnt = 0; 1483 if (ifp->if_flags & IFF_UP) { 1484 SPPP_UNLOCK(sp); 1485 if_down(ifp); 1486 SPPP_LOCK(sp, RW_WRITER); 1487 1488 IF_PURGE(&sp->pp_cpq); 1489 } 1490 } 1491 ++sp->pp_loopcnt; 1492 1493 /* Generate new local sequence number */ 1494 sp->scp[IDX_LCP].seq = cprng_fast32(); 1495 break; 1496 } 1497 sp->pp_loopcnt = 0; 1498 if (! (ifp->if_flags & IFF_UP) && 1499 (ifp->if_flags & IFF_RUNNING)) { 1500 SPPP_UNLOCK(sp); 1501 if_up(ifp); 1502 SPPP_LOCK(sp, RW_WRITER); 1503 } 1504 break; 1505 case CISCO_ADDR_REQ: 1506 #ifdef INET 1507 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1508 if (me != 0L) 1509 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1510 #endif 1511 break; 1512 } 1513 SPPP_UNLOCK(sp); 1514 } 1515 1516 /* 1517 * Send Cisco keepalive packet. 1518 */ 1519 static void 1520 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1521 { 1522 STDDCL; 1523 struct ppp_header *h; 1524 struct cisco_packet *ch; 1525 struct mbuf *m; 1526 uint32_t t; 1527 1528 KASSERT(SPPP_WLOCKED(sp)); 1529 1530 t = time_uptime * 1000; 1531 MGETHDR(m, M_DONTWAIT, MT_DATA); 1532 if (! m) 1533 return; 1534 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1535 m_reset_rcvif(m); 1536 1537 h = mtod(m, struct ppp_header *); 1538 h->address = CISCO_MULTICAST; 1539 h->control = 0; 1540 h->protocol = htons(CISCO_KEEPALIVE); 1541 1542 ch = (struct cisco_packet *)(h + 1); 1543 ch->type = htonl(type); 1544 ch->par1 = htonl(par1); 1545 ch->par2 = htonl(par2); 1546 ch->rel = -1; 1547 1548 ch->time0 = htons((u_short)(t >> 16)); 1549 ch->time1 = htons((u_short) t); 1550 1551 if (debug) 1552 log(LOG_DEBUG, 1553 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1554 ifp->if_xname, ntohl(ch->type), ch->par1, 1555 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1556 (u_int)ch->time1); 1557 1558 if (IF_QFULL(&sp->pp_cpq)) { 1559 IF_DROP(&sp->pp_fastq); 1560 IF_DROP(&ifp->if_snd); 1561 m_freem(m); 1562 if_statinc(ifp, if_oerrors); 1563 return; 1564 } 1565 1566 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 1567 IF_ENQUEUE(&sp->pp_cpq, m); 1568 1569 if (! (ifp->if_flags & IFF_OACTIVE)) { 1570 SPPP_UNLOCK(sp); 1571 if_start_lock(ifp); 1572 SPPP_LOCK(sp, RW_WRITER); 1573 } 1574 } 1575 1576 /* 1577 * PPP protocol implementation. 1578 */ 1579 1580 /* 1581 * Send PPP control protocol packet. 1582 */ 1583 static void 1584 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1585 u_char ident, u_short len, void *data) 1586 { 1587 STDDCL; 1588 struct lcp_header *lh; 1589 struct mbuf *m; 1590 size_t pkthdrlen; 1591 1592 KASSERT(SPPP_WLOCKED(sp)); 1593 1594 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1595 1596 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1597 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1598 MGETHDR(m, M_DONTWAIT, MT_DATA); 1599 if (! m) { 1600 return; 1601 } 1602 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1603 m_reset_rcvif(m); 1604 1605 if (sp->pp_flags & PP_NOFRAMING) { 1606 *mtod(m, uint16_t *) = htons(proto); 1607 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1608 } else { 1609 struct ppp_header *h; 1610 h = mtod(m, struct ppp_header *); 1611 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1612 h->control = PPP_UI; /* Unnumbered Info */ 1613 h->protocol = htons(proto); /* Link Control Protocol */ 1614 lh = (struct lcp_header *)(h + 1); 1615 } 1616 lh->type = type; 1617 lh->ident = ident; 1618 lh->len = htons(LCP_HEADER_LEN + len); 1619 if (len) 1620 memcpy(lh + 1, data, len); 1621 1622 if (debug) { 1623 char pbuf[SPPP_PROTO_NAMELEN]; 1624 char tbuf[SPPP_CPTYPE_NAMELEN]; 1625 const char *pname, *cpname; 1626 1627 pname = sppp_proto_name(pbuf, sizeof(pbuf), proto); 1628 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), lh->type); 1629 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1630 ifp->if_xname, pname, cpname, 1631 lh->ident, ntohs(lh->len)); 1632 if (len) 1633 sppp_print_bytes((u_char *)(lh + 1), len); 1634 addlog(">\n"); 1635 } 1636 if (IF_QFULL(&sp->pp_cpq)) { 1637 IF_DROP(&sp->pp_fastq); 1638 IF_DROP(&ifp->if_snd); 1639 m_freem(m); 1640 if_statinc(ifp, if_oerrors); 1641 return; 1642 } 1643 1644 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 1645 IF_ENQUEUE(&sp->pp_cpq, m); 1646 1647 if (! (ifp->if_flags & IFF_OACTIVE)) { 1648 SPPP_UNLOCK(sp); 1649 if_start_lock(ifp); 1650 SPPP_LOCK(sp, RW_WRITER); 1651 } 1652 } 1653 1654 static void 1655 sppp_cp_to_lcp(void *xsp) 1656 { 1657 struct sppp *sp = xsp; 1658 1659 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_to); 1660 } 1661 1662 static void 1663 sppp_cp_to_ipcp(void *xsp) 1664 { 1665 struct sppp *sp = xsp; 1666 1667 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_IPCP].work_to); 1668 } 1669 1670 static void 1671 sppp_cp_to_ipv6cp(void *xsp) 1672 { 1673 struct sppp *sp = xsp; 1674 1675 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_IPV6CP].work_to); 1676 } 1677 1678 static void 1679 sppp_cp_to_pap(void *xsp) 1680 { 1681 struct sppp *sp = xsp; 1682 1683 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_to); 1684 } 1685 1686 static void 1687 sppp_cp_to_chap(void *xsp) 1688 { 1689 struct sppp *sp = xsp; 1690 1691 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_to); 1692 } 1693 1694 static void 1695 sppp_cp_init(const struct cp *cp, struct sppp *sp) 1696 { 1697 struct sppp_cp *scp; 1698 typedef void (*sppp_co_cb_t)(void *); 1699 static const sppp_co_cb_t to_cb[IDX_COUNT] = { 1700 [IDX_LCP] = sppp_cp_to_lcp, 1701 [IDX_IPCP] = sppp_cp_to_ipcp, 1702 [IDX_IPV6CP] = sppp_cp_to_ipv6cp, 1703 [IDX_PAP] = sppp_cp_to_pap, 1704 [IDX_CHAP] = sppp_cp_to_chap, 1705 }; 1706 1707 scp = &sp->scp[cp->protoidx]; 1708 scp->state = STATE_INITIAL; 1709 scp->fail_counter = 0; 1710 scp->seq = 0; 1711 scp->rseq = 0; 1712 1713 SPPP_WQ_SET(&scp->work_up, cp->Up, cp); 1714 SPPP_WQ_SET(&scp->work_down, cp->Down, cp); 1715 SPPP_WQ_SET(&scp->work_open, cp->Open, cp); 1716 SPPP_WQ_SET(&scp->work_close, cp->Close, cp); 1717 SPPP_WQ_SET(&scp->work_to, cp->TO, cp); 1718 SPPP_WQ_SET(&scp->work_rcr, sppp_rcr_event, cp); 1719 SPPP_WQ_SET(&scp->work_rca, sppp_rca_event, cp); 1720 SPPP_WQ_SET(&scp->work_rcn, sppp_rcn_event, cp); 1721 SPPP_WQ_SET(&scp->work_rtr, sppp_rtr_event, cp); 1722 SPPP_WQ_SET(&scp->work_rta, sppp_rta_event, cp); 1723 SPPP_WQ_SET(&scp->work_rxj, sppp_rxj_event, cp); 1724 1725 callout_init(&scp->ch, CALLOUT_MPSAFE); 1726 callout_setfunc(&scp->ch, to_cb[cp->protoidx], sp); 1727 } 1728 1729 static void 1730 sppp_cp_fini(const struct cp *cp, struct sppp *sp) 1731 { 1732 struct sppp_cp *scp; 1733 scp = &sp->scp[cp->protoidx]; 1734 1735 sppp_wq_wait(sp->wq_cp, &scp->work_up); 1736 sppp_wq_wait(sp->wq_cp, &scp->work_down); 1737 sppp_wq_wait(sp->wq_cp, &scp->work_open); 1738 sppp_wq_wait(sp->wq_cp, &scp->work_close); 1739 sppp_wq_wait(sp->wq_cp, &scp->work_to); 1740 sppp_wq_wait(sp->wq_cp, &scp->work_rcr); 1741 sppp_wq_wait(sp->wq_cp, &scp->work_rca); 1742 sppp_wq_wait(sp->wq_cp, &scp->work_rcn); 1743 sppp_wq_wait(sp->wq_cp, &scp->work_rtr); 1744 sppp_wq_wait(sp->wq_cp, &scp->work_rta); 1745 sppp_wq_wait(sp->wq_cp, &scp->work_rxj); 1746 1747 callout_halt(&scp->ch, NULL); 1748 callout_destroy(&scp->ch); 1749 1750 if (scp->mbuf_confreq != NULL) { 1751 m_freem(scp->mbuf_confreq); 1752 scp->mbuf_confreq = NULL; 1753 } 1754 if (scp->mbuf_confnak != NULL) { 1755 m_freem(scp->mbuf_confnak); 1756 scp->mbuf_confnak = NULL; 1757 } 1758 } 1759 1760 /* 1761 * Handle incoming PPP control protocol packets. 1762 */ 1763 static void 1764 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1765 { 1766 STDDCL; 1767 struct lcp_header *h; 1768 struct sppp_cp *scp; 1769 int printlen, len = m->m_pkthdr.len; 1770 u_char *p; 1771 uint32_t u32; 1772 char tbuf[SPPP_CPTYPE_NAMELEN]; 1773 const char *cpname; 1774 1775 SPPP_LOCK(sp, RW_WRITER); 1776 1777 scp = &sp->scp[cp->protoidx]; 1778 1779 if (len < 4) { 1780 if (debug) 1781 log(LOG_DEBUG, 1782 "%s: %s invalid packet length: %d bytes\n", 1783 ifp->if_xname, cp->name, len); 1784 goto out; 1785 } 1786 h = mtod(m, struct lcp_header *); 1787 if (debug) { 1788 printlen = ntohs(h->len); 1789 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), h->type); 1790 log(LOG_DEBUG, 1791 "%s: %s input(%s): <%s id=0x%x len=%d", 1792 ifp->if_xname, cp->name, 1793 sppp_state_name(scp->state), 1794 cpname, h->ident, printlen); 1795 if (len < printlen) 1796 printlen = len; 1797 if (printlen > 4) 1798 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1799 addlog(">\n"); 1800 } 1801 if (len > ntohs(h->len)) 1802 len = ntohs(h->len); 1803 p = (u_char *)(h + 1); 1804 switch (h->type) { 1805 case CONF_REQ: 1806 if (len < 4) { 1807 if (debug) 1808 addlog("%s: %s invalid conf-req length %d\n", 1809 ifp->if_xname, cp->name, 1810 len); 1811 if_statinc(ifp, if_ierrors); 1812 break; 1813 } 1814 1815 scp->rcr_type = CP_RCR_NONE; 1816 scp->rconfid = h->ident; 1817 if (scp->mbuf_confreq != NULL) { 1818 m_freem(scp->mbuf_confreq); 1819 } 1820 scp->mbuf_confreq = m; 1821 m = NULL; 1822 sppp_wq_add(sp->wq_cp, &scp->work_rcr); 1823 break; 1824 case CONF_ACK: 1825 if (h->ident != scp->confid) { 1826 if (debug) 1827 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1828 ifp->if_xname, cp->name, 1829 h->ident, scp->confid); 1830 if_statinc(ifp, if_ierrors); 1831 break; 1832 } 1833 sppp_wq_add(sp->wq_cp, &scp->work_rca); 1834 break; 1835 case CONF_NAK: 1836 case CONF_REJ: 1837 if (h->ident != scp->confid) { 1838 if (debug) 1839 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1840 ifp->if_xname, cp->name, 1841 h->ident, scp->confid); 1842 if_statinc(ifp, if_ierrors); 1843 break; 1844 } 1845 1846 if (scp->mbuf_confnak) { 1847 m_freem(scp->mbuf_confnak); 1848 } 1849 scp->mbuf_confnak = m; 1850 m = NULL; 1851 sppp_wq_add(sp->wq_cp, &scp->work_rcn); 1852 break; 1853 case TERM_REQ: 1854 scp->rseq = h->ident; 1855 sppp_wq_add(sp->wq_cp, &scp->work_rtr); 1856 break; 1857 case TERM_ACK: 1858 if (h->ident != scp->confid && 1859 h->ident != scp->seq) { 1860 if (debug) 1861 addlog("%s: %s id mismatch " 1862 "0x%x != 0x%x and 0x%x != %0lx\n", 1863 ifp->if_xname, cp->name, 1864 h->ident, scp->confid, 1865 h->ident, scp->seq); 1866 if_statinc(ifp, if_ierrors); 1867 break; 1868 } 1869 1870 sppp_wq_add(sp->wq_cp, &scp->work_rta); 1871 break; 1872 case CODE_REJ: 1873 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1874 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), h->type); 1875 log(LOG_INFO, 1876 "%s: %s: ignoring RXJ (%s) for code ?, " 1877 "danger will robinson\n", 1878 ifp->if_xname, cp->name, cpname); 1879 sppp_wq_add(sp->wq_cp, &scp->work_rxj); 1880 break; 1881 case PROTO_REJ: 1882 { 1883 int catastrophic; 1884 const struct cp *upper; 1885 int i; 1886 uint16_t proto; 1887 1888 catastrophic = 0; 1889 upper = NULL; 1890 proto = p[0] << 8 | p[1]; 1891 for (i = 0; i < IDX_COUNT; i++) { 1892 if (cps[i]->proto == proto) { 1893 upper = cps[i]; 1894 break; 1895 } 1896 } 1897 if (upper == NULL) 1898 catastrophic++; 1899 1900 if (debug) { 1901 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), h->type); 1902 log(LOG_INFO, 1903 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1904 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1905 cpname, proto, upper ? upper->name : "unknown", 1906 upper ? sppp_state_name(sp->scp[upper->protoidx].state) : "?"); 1907 } 1908 1909 /* 1910 * if we got RXJ+ against conf-req, the peer does not implement 1911 * this particular protocol type. terminate the protocol. 1912 */ 1913 if (upper && !catastrophic) { 1914 if (sp->scp[upper->protoidx].state == STATE_REQ_SENT) { 1915 sppp_wq_add(sp->wq_cp, 1916 &sp->scp[upper->protoidx].work_close); 1917 break; 1918 } 1919 } 1920 sppp_wq_add(sp->wq_cp, &scp->work_rxj); 1921 break; 1922 } 1923 case DISC_REQ: 1924 if (cp->proto != PPP_LCP) 1925 goto illegal; 1926 /* Discard the packet. */ 1927 break; 1928 case ECHO_REQ: 1929 if (cp->proto != PPP_LCP) 1930 goto illegal; 1931 if (scp->state != STATE_OPENED) { 1932 if (debug) 1933 addlog("%s: lcp echo req but lcp closed\n", 1934 ifp->if_xname); 1935 if_statinc(ifp, if_ierrors); 1936 break; 1937 } 1938 if (len < 8) { 1939 if (debug) 1940 addlog("%s: invalid lcp echo request " 1941 "packet length: %d bytes\n", 1942 ifp->if_xname, len); 1943 break; 1944 } 1945 memcpy(&u32, h + 1, sizeof u32); 1946 if (ntohl(u32) == sp->lcp.magic) { 1947 /* Line loopback mode detected. */ 1948 printf("%s: loopback\n", ifp->if_xname); 1949 /* 1950 * There is no change for items of sp->scp[cp->protoidx] 1951 * while if_down() even without SPPP_LOCK 1952 */ 1953 SPPP_UNLOCK(sp); 1954 if_down(ifp); 1955 SPPP_LOCK(sp, RW_WRITER); 1956 1957 IF_PURGE(&sp->pp_cpq); 1958 1959 /* Shut down the PPP link. */ 1960 /* XXX */ 1961 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_down); 1962 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_up); 1963 break; 1964 } 1965 u32 = htonl(sp->lcp.magic); 1966 memcpy(h + 1, &u32, sizeof u32); 1967 if (debug) 1968 addlog("%s: got lcp echo req, sending echo rep\n", 1969 ifp->if_xname); 1970 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1971 h + 1); 1972 break; 1973 case ECHO_REPLY: 1974 if (cp->proto != PPP_LCP) 1975 goto illegal; 1976 if (h->ident != sp->lcp.echoid) { 1977 if_statinc(ifp, if_ierrors); 1978 break; 1979 } 1980 if (len < 8) { 1981 if (debug) 1982 addlog("%s: lcp invalid echo reply " 1983 "packet length: %d bytes\n", 1984 ifp->if_xname, len); 1985 break; 1986 } 1987 if (debug) 1988 addlog("%s: lcp got echo rep\n", 1989 ifp->if_xname); 1990 memcpy(&u32, h + 1, sizeof u32); 1991 if (ntohl(u32) != sp->lcp.magic) 1992 sp->pp_alivecnt = 0; 1993 break; 1994 default: 1995 /* Unknown packet type -- send Code-Reject packet. */ 1996 illegal: 1997 if (debug) 1998 addlog("%s: %s send code-rej for 0x%x\n", 1999 ifp->if_xname, cp->name, h->type); 2000 sppp_cp_send(sp, cp->proto, CODE_REJ, 2001 ++scp->seq, m->m_pkthdr.len, h); 2002 if_statinc(ifp, if_ierrors); 2003 } 2004 2005 out: 2006 SPPP_UNLOCK(sp); 2007 if (m != NULL) 2008 m_freem(m); 2009 } 2010 2011 /* 2012 * The generic part of all Up/Down/Open/Close/TO event handlers. 2013 * Basically, the state transition handling in the automaton. 2014 */ 2015 static void 2016 sppp_up_event(struct sppp *sp, void *xcp) 2017 { 2018 const struct cp *cp = xcp; 2019 STDDCL; 2020 2021 KASSERT(SPPP_WLOCKED(sp)); 2022 KASSERT(!cpu_softintr_p()); 2023 2024 if ((cp->flags & CP_AUTH) != 0 && 2025 sppp_auth_role(cp, sp) == SPPP_AUTH_NOROLE) 2026 return; 2027 2028 if (debug) 2029 log(LOG_DEBUG, "%s: %s up(%s)\n", 2030 ifp->if_xname, cp->name, 2031 sppp_state_name(sp->scp[cp->protoidx].state)); 2032 2033 switch (sp->scp[cp->protoidx].state) { 2034 case STATE_INITIAL: 2035 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2036 break; 2037 case STATE_STARTING: 2038 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure; 2039 (cp->scr)(sp); 2040 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2041 break; 2042 default: 2043 printf("%s: %s illegal up in state %s\n", 2044 ifp->if_xname, cp->name, 2045 sppp_state_name(sp->scp[cp->protoidx].state)); 2046 } 2047 } 2048 2049 static void 2050 sppp_down_event(struct sppp *sp, void *xcp) 2051 { 2052 const struct cp *cp = xcp; 2053 STDDCL; 2054 2055 KASSERT(SPPP_WLOCKED(sp)); 2056 KASSERT(!cpu_softintr_p()); 2057 2058 if ((cp->flags & CP_AUTH) != 0 && 2059 sppp_auth_role(cp, sp) == SPPP_AUTH_NOROLE) 2060 return; 2061 2062 if (debug) 2063 log(LOG_DEBUG, "%s: %s down(%s)\n", 2064 ifp->if_xname, cp->name, 2065 sppp_state_name(sp->scp[cp->protoidx].state)); 2066 2067 switch (sp->scp[cp->protoidx].state) { 2068 case STATE_CLOSED: 2069 case STATE_CLOSING: 2070 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2071 break; 2072 case STATE_STOPPED: 2073 (cp->tls)(cp, sp); 2074 /* fall through */ 2075 case STATE_STOPPING: 2076 case STATE_REQ_SENT: 2077 case STATE_ACK_RCVD: 2078 case STATE_ACK_SENT: 2079 sppp_cp_change_state(cp, sp, STATE_STARTING); 2080 break; 2081 case STATE_OPENED: 2082 (cp->tld)(sp); 2083 sppp_cp_change_state(cp, sp, STATE_STARTING); 2084 break; 2085 default: 2086 /* 2087 * a down event may be caused regardless 2088 * of state just in LCP case. 2089 */ 2090 if (cp->proto == PPP_LCP) 2091 break; 2092 2093 printf("%s: %s illegal down in state %s\n", 2094 ifp->if_xname, cp->name, 2095 sppp_state_name(sp->scp[cp->protoidx].state)); 2096 } 2097 } 2098 2099 static void 2100 sppp_open_event(struct sppp *sp, void *xcp) 2101 { 2102 const struct cp *cp = xcp; 2103 STDDCL; 2104 2105 KASSERT(SPPP_WLOCKED(sp)); 2106 KASSERT(!cpu_softintr_p()); 2107 2108 if ((cp->flags & CP_AUTH) != 0 && 2109 sppp_auth_role(cp, sp) == SPPP_AUTH_NOROLE) 2110 return; 2111 2112 if (debug) 2113 log(LOG_DEBUG, "%s: %s open(%s)\n", 2114 ifp->if_xname, cp->name, 2115 sppp_state_name(sp->scp[cp->protoidx].state)); 2116 2117 switch (sp->scp[cp->protoidx].state) { 2118 case STATE_INITIAL: 2119 sppp_cp_change_state(cp, sp, STATE_STARTING); 2120 (cp->tls)(cp, sp); 2121 break; 2122 case STATE_STARTING: 2123 break; 2124 case STATE_CLOSED: 2125 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure; 2126 (cp->scr)(sp); 2127 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2128 break; 2129 case STATE_STOPPED: 2130 case STATE_STOPPING: 2131 case STATE_REQ_SENT: 2132 case STATE_ACK_RCVD: 2133 case STATE_ACK_SENT: 2134 case STATE_OPENED: 2135 break; 2136 case STATE_CLOSING: 2137 sppp_cp_change_state(cp, sp, STATE_STOPPING); 2138 break; 2139 } 2140 } 2141 2142 static void 2143 sppp_close_event(struct sppp *sp, void *xcp) 2144 { 2145 const struct cp *cp = xcp; 2146 STDDCL; 2147 2148 KASSERT(SPPP_WLOCKED(sp)); 2149 KASSERT(!cpu_softintr_p()); 2150 2151 if ((cp->flags & CP_AUTH) != 0 && 2152 sppp_auth_role(cp, sp) == SPPP_AUTH_NOROLE) 2153 return; 2154 2155 if (debug) 2156 log(LOG_DEBUG, "%s: %s close(%s)\n", 2157 ifp->if_xname, cp->name, 2158 sppp_state_name(sp->scp[cp->protoidx].state)); 2159 2160 switch (sp->scp[cp->protoidx].state) { 2161 case STATE_INITIAL: 2162 case STATE_CLOSED: 2163 case STATE_CLOSING: 2164 break; 2165 case STATE_STARTING: 2166 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2167 (cp->tlf)(cp, sp); 2168 break; 2169 case STATE_STOPPED: 2170 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2171 break; 2172 case STATE_STOPPING: 2173 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2174 break; 2175 case STATE_OPENED: 2176 (cp->tld)(sp); 2177 /* fall through */ 2178 case STATE_REQ_SENT: 2179 case STATE_ACK_RCVD: 2180 case STATE_ACK_SENT: 2181 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_terminate; 2182 if ((cp->flags & CP_AUTH) == 0) { 2183 sppp_cp_send(sp, cp->proto, TERM_REQ, 2184 ++sp->scp[cp->protoidx].seq, 0, 0); 2185 } 2186 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2187 break; 2188 } 2189 } 2190 2191 static void 2192 sppp_to_event(struct sppp *sp, void *xcp) 2193 { 2194 const struct cp *cp = xcp; 2195 int s; 2196 STDDCL; 2197 2198 KASSERT(SPPP_WLOCKED(sp)); 2199 KASSERT(!cpu_softintr_p()); 2200 2201 s = splnet(); 2202 2203 if (debug) 2204 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 2205 ifp->if_xname, cp->name, 2206 sppp_state_name(sp->scp[cp->protoidx].state), 2207 sp->scp[cp->protoidx].rst_counter); 2208 2209 if (--sp->scp[cp->protoidx].rst_counter < 0) 2210 /* TO- event */ 2211 switch (sp->scp[cp->protoidx].state) { 2212 case STATE_CLOSING: 2213 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2214 (cp->tlf)(cp, sp); 2215 break; 2216 case STATE_STOPPING: 2217 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2218 (cp->tlf)(cp, sp); 2219 break; 2220 case STATE_REQ_SENT: 2221 case STATE_ACK_RCVD: 2222 case STATE_ACK_SENT: 2223 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2224 (cp->tlf)(cp, sp); 2225 break; 2226 } 2227 else 2228 /* TO+ event */ 2229 switch (sp->scp[cp->protoidx].state) { 2230 case STATE_CLOSING: 2231 case STATE_STOPPING: 2232 if ((cp->flags & CP_AUTH) == 0) { 2233 sppp_cp_send(sp, cp->proto, TERM_REQ, 2234 ++sp->scp[cp->protoidx].seq, 0, 0); 2235 } 2236 callout_schedule(&sp->scp[cp->protoidx].ch, sp->lcp.timeout); 2237 break; 2238 case STATE_REQ_SENT: 2239 case STATE_ACK_RCVD: 2240 (cp->scr)(sp); 2241 /* sppp_cp_change_state() will restart the timer */ 2242 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2243 break; 2244 case STATE_ACK_SENT: 2245 (cp->scr)(sp); 2246 callout_schedule(&sp->scp[cp->protoidx].ch, sp->lcp.timeout); 2247 break; 2248 } 2249 2250 splx(s); 2251 } 2252 static void 2253 sppp_rcr_update_state(const struct cp *cp, struct sppp *sp, 2254 enum cp_rcr_type type, uint8_t ident, size_t msglen, void *msg) 2255 { 2256 STDDCL; 2257 u_char ctype; 2258 2259 if (type == CP_RCR_ERR) { 2260 /* parse error, shut down */ 2261 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 2262 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open); 2263 } else if (type == CP_RCR_ACK) { 2264 /* RCR+ event */ 2265 ctype = CONF_ACK; 2266 switch (sp->scp[cp->protoidx].state) { 2267 case STATE_OPENED: 2268 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 2269 cp->tld(sp); 2270 cp->scr(sp); 2271 cp->screply(cp, sp, ctype, ident, msglen, msg); 2272 break; 2273 case STATE_REQ_SENT: 2274 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 2275 /* fall through */ 2276 case STATE_ACK_SENT: 2277 cp->screply(cp, sp, ctype, ident, msglen, msg); 2278 break; 2279 case STATE_STOPPED: 2280 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 2281 cp->scr(sp); 2282 cp->screply(cp, sp, ctype, ident, msglen, msg); 2283 break; 2284 case STATE_ACK_RCVD: 2285 sppp_cp_change_state(cp, sp, STATE_OPENED); 2286 if (debug) 2287 log(LOG_DEBUG, "%s: %s tlu\n", 2288 ifp->if_xname, 2289 cp->name); 2290 cp->tlu(sp); 2291 cp->screply(cp, sp, ctype, ident, msglen, msg); 2292 break; 2293 case STATE_CLOSING: 2294 case STATE_STOPPING: 2295 break; 2296 case STATE_CLOSED: 2297 if ((cp->flags & CP_AUTH) == 0) { 2298 sppp_cp_send(sp, cp->proto, TERM_ACK, 2299 ident, 0, 0); 2300 } 2301 break; 2302 default: 2303 printf("%s: %s illegal RCR+ in state %s\n", 2304 ifp->if_xname, cp->name, 2305 sppp_state_name(sp->scp[cp->protoidx].state)); 2306 if_statinc(ifp, if_ierrors); 2307 } 2308 } else if (type == CP_RCR_NAK || type == CP_RCR_REJ) { 2309 ctype = type == CP_RCR_NAK ? CONF_NAK : CONF_REJ; 2310 /* RCR- event */ 2311 switch (sp->scp[cp->protoidx].state) { 2312 case STATE_OPENED: 2313 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2314 cp->tld(sp); 2315 cp->scr(sp); 2316 cp->screply(cp, sp, ctype, ident, msglen, msg); 2317 break; 2318 case STATE_ACK_SENT: 2319 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2320 /* fall through */ 2321 case STATE_REQ_SENT: 2322 cp->screply(cp, sp, ctype, ident, msglen, msg); 2323 break; 2324 case STATE_STOPPED: 2325 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2326 cp->scr(sp); 2327 cp->screply(cp, sp, ctype, ident, msglen, msg); 2328 break; 2329 case STATE_ACK_RCVD: 2330 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 2331 cp->screply(cp, sp, ctype, ident, msglen, msg); 2332 break; 2333 case STATE_CLOSING: 2334 case STATE_STOPPING: 2335 break; 2336 case STATE_CLOSED: 2337 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2338 if ((cp->flags & CP_AUTH) == 0) { 2339 sppp_cp_send(sp, cp->proto, TERM_ACK, 2340 ident, 0, 0); 2341 } 2342 break; 2343 default: 2344 printf("%s: %s illegal RCR- in state %s\n", 2345 ifp->if_xname, cp->name, 2346 sppp_state_name(sp->scp[cp->protoidx].state)); 2347 if_statinc(ifp, if_ierrors); 2348 } 2349 } 2350 } 2351 2352 static void 2353 sppp_rcr_event(struct sppp *sp, void *xcp) 2354 { 2355 const struct cp *cp = xcp; 2356 struct sppp_cp *scp; 2357 struct lcp_header *h; 2358 struct mbuf *m; 2359 enum cp_rcr_type type; 2360 size_t len; 2361 uint8_t *buf; 2362 size_t blen, rlen; 2363 uint8_t ident; 2364 2365 KASSERT(!cpu_softintr_p()); 2366 2367 scp = &sp->scp[cp->protoidx]; 2368 2369 if (cp->parse_confreq != NULL) { 2370 m = scp->mbuf_confreq; 2371 if (m == NULL) 2372 return; 2373 scp->mbuf_confreq = NULL; 2374 2375 h = mtod(m, struct lcp_header *); 2376 if (h->type != CONF_REQ) { 2377 m_freem(m); 2378 return; 2379 } 2380 2381 ident = h->ident; 2382 len = MIN(m->m_pkthdr.len, ntohs(h->len)); 2383 2384 type = (cp->parse_confreq)(sp, h, len, 2385 &buf, &blen, &rlen); 2386 m_freem(m); 2387 } else { 2388 /* mbuf_cofreq is already parsed and freed */ 2389 type = scp->rcr_type; 2390 ident = scp->rconfid; 2391 buf = NULL; 2392 blen = rlen = 0; 2393 } 2394 2395 sppp_rcr_update_state(cp, sp, type, ident, rlen, (void *)buf); 2396 2397 if (buf != NULL) 2398 kmem_free(buf, blen); 2399 } 2400 2401 static void 2402 sppp_rca_event(struct sppp *sp, void *xcp) 2403 { 2404 const struct cp *cp = xcp; 2405 STDDCL; 2406 2407 KASSERT(!cpu_softintr_p()); 2408 2409 switch (sp->scp[cp->protoidx].state) { 2410 case STATE_CLOSED: 2411 case STATE_STOPPED: 2412 if ((cp->flags & CP_AUTH) == 0) { 2413 sppp_cp_send(sp, cp->proto, TERM_ACK, 2414 sp->scp[cp->protoidx].rconfid, 0, 0); 2415 } 2416 break; 2417 case STATE_CLOSING: 2418 case STATE_STOPPING: 2419 break; 2420 case STATE_REQ_SENT: 2421 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure; 2422 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 2423 break; 2424 case STATE_OPENED: 2425 (cp->tld)(sp); 2426 /* fall through */ 2427 case STATE_ACK_RCVD: 2428 (cp->scr)(sp); 2429 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2430 break; 2431 case STATE_ACK_SENT: 2432 sppp_cp_change_state(cp, sp, STATE_OPENED); 2433 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure; 2434 if (debug) 2435 log(LOG_DEBUG, "%s: %s tlu\n", 2436 ifp->if_xname, cp->name); 2437 (cp->tlu)(sp); 2438 break; 2439 default: 2440 printf("%s: %s illegal RCA in state %s\n", 2441 ifp->if_xname, cp->name, 2442 sppp_state_name(sp->scp[cp->protoidx].state)); 2443 if_statinc(ifp, if_ierrors); 2444 } 2445 } 2446 2447 static void 2448 sppp_rcn_event(struct sppp *sp, void *xcp) 2449 { 2450 const struct cp *cp = xcp; 2451 struct sppp_cp *scp; 2452 struct lcp_header *h; 2453 struct mbuf *m; 2454 struct ifnet *ifp = &sp->pp_if; 2455 size_t len; 2456 2457 KASSERT(!cpu_softintr_p()); 2458 2459 scp = &sp->scp[cp->protoidx]; 2460 m = scp->mbuf_confnak; 2461 if (m == NULL) 2462 return; 2463 scp->mbuf_confnak = NULL; 2464 2465 h = mtod(m, struct lcp_header *); 2466 len = MIN(m->m_pkthdr.len, ntohs(h->len)); 2467 2468 switch (h->type) { 2469 case CONF_NAK: 2470 (cp->parse_confnak)(sp, h, len); 2471 break; 2472 case CONF_REJ: 2473 (cp->parse_confrej)(sp, h, len); 2474 break; 2475 default: 2476 m_freem(m); 2477 return; 2478 } 2479 2480 m_freem(m); 2481 2482 switch (scp->state) { 2483 case STATE_CLOSED: 2484 case STATE_STOPPED: 2485 if ((cp->flags & CP_AUTH) == 0) { 2486 sppp_cp_send(sp, cp->proto, TERM_ACK, 2487 scp->rconfid, 0, 0); 2488 } 2489 break; 2490 case STATE_REQ_SENT: 2491 case STATE_ACK_SENT: 2492 scp->rst_counter = sp->lcp.max_configure; 2493 (cp->scr)(sp); 2494 break; 2495 case STATE_OPENED: 2496 (cp->tld)(sp); 2497 /* fall through */ 2498 case STATE_ACK_RCVD: 2499 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 2500 (cp->scr)(sp); 2501 break; 2502 case STATE_CLOSING: 2503 case STATE_STOPPING: 2504 break; 2505 default: 2506 printf("%s: %s illegal RCN in state %s\n", 2507 ifp->if_xname, cp->name, 2508 sppp_state_name(scp->state)); 2509 if_statinc(ifp, if_ierrors); 2510 } 2511 } 2512 2513 static void 2514 sppp_rtr_event(struct sppp *sp, void *xcp) 2515 { 2516 const struct cp *cp = xcp; 2517 STDDCL; 2518 2519 KASSERT(!cpu_softintr_p()); 2520 2521 switch (sp->scp[cp->protoidx].state) { 2522 case STATE_ACK_RCVD: 2523 case STATE_ACK_SENT: 2524 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2525 break; 2526 case STATE_CLOSED: 2527 case STATE_STOPPED: 2528 case STATE_CLOSING: 2529 case STATE_STOPPING: 2530 case STATE_REQ_SENT: 2531 break; 2532 case STATE_OPENED: 2533 (cp->tld)(sp); 2534 sp->scp[cp->protoidx].rst_counter = 0; 2535 sppp_cp_change_state(cp, sp, STATE_STOPPING); 2536 break; 2537 default: 2538 printf("%s: %s illegal RTR in state %s\n", 2539 ifp->if_xname, cp->name, 2540 sppp_state_name(sp->scp[cp->protoidx].state)); 2541 if_statinc(ifp, if_ierrors); 2542 return; 2543 } 2544 2545 /* Send Terminate-Ack packet. */ 2546 if (debug) 2547 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 2548 ifp->if_xname, cp->name); 2549 if ((cp->flags & CP_AUTH) == 0) { 2550 sppp_cp_send(sp, cp->proto, TERM_ACK, 2551 sp->scp[cp->protoidx].rseq, 0, 0); 2552 } 2553 } 2554 2555 static void 2556 sppp_rta_event(struct sppp *sp, void *xcp) 2557 { 2558 const struct cp *cp = xcp; 2559 struct ifnet *ifp = &sp->pp_if; 2560 2561 KASSERT(!cpu_softintr_p()); 2562 2563 switch (sp->scp[cp->protoidx].state) { 2564 case STATE_CLOSED: 2565 case STATE_STOPPED: 2566 case STATE_REQ_SENT: 2567 case STATE_ACK_SENT: 2568 break; 2569 case STATE_CLOSING: 2570 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2571 (cp->tlf)(cp, sp); 2572 break; 2573 case STATE_STOPPING: 2574 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2575 (cp->tlf)(cp, sp); 2576 break; 2577 case STATE_ACK_RCVD: 2578 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2579 break; 2580 case STATE_OPENED: 2581 (cp->tld)(sp); 2582 (cp->scr)(sp); 2583 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 2584 break; 2585 default: 2586 printf("%s: %s illegal RTA in state %s\n", 2587 ifp->if_xname, cp->name, 2588 sppp_state_name(sp->scp[cp->protoidx].state)); 2589 if_statinc(ifp, if_ierrors); 2590 } 2591 } 2592 2593 static void 2594 sppp_rxj_event(struct sppp *sp, void *xcp) 2595 { 2596 const struct cp *cp = xcp; 2597 struct ifnet *ifp = &sp->pp_if; 2598 2599 KASSERT(!cpu_softintr_p()); 2600 2601 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 2602 switch (sp->scp[cp->protoidx].state) { 2603 case STATE_CLOSED: 2604 case STATE_STOPPED: 2605 case STATE_REQ_SENT: 2606 case STATE_ACK_SENT: 2607 case STATE_CLOSING: 2608 case STATE_STOPPING: 2609 case STATE_OPENED: 2610 break; 2611 case STATE_ACK_RCVD: 2612 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2613 break; 2614 default: 2615 printf("%s: %s illegal RXJ- in state %s\n", 2616 ifp->if_xname, cp->name, 2617 sppp_state_name(sp->scp[cp->protoidx].state)); 2618 if_statinc(ifp, if_ierrors); 2619 } 2620 } 2621 2622 /* 2623 * Change the state of a control protocol in the state automaton. 2624 * Takes care of starting/stopping the restart timer. 2625 */ 2626 void 2627 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2628 { 2629 2630 KASSERT(SPPP_WLOCKED(sp)); 2631 2632 sp->scp[cp->protoidx].state = newstate; 2633 callout_stop(&sp->scp[cp->protoidx].ch); 2634 switch (newstate) { 2635 case STATE_INITIAL: 2636 case STATE_STARTING: 2637 case STATE_CLOSED: 2638 case STATE_STOPPED: 2639 case STATE_OPENED: 2640 break; 2641 case STATE_CLOSING: 2642 case STATE_STOPPING: 2643 case STATE_REQ_SENT: 2644 case STATE_ACK_RCVD: 2645 case STATE_ACK_SENT: 2646 callout_schedule(&sp->scp[cp->protoidx].ch, sp->lcp.timeout); 2647 break; 2648 } 2649 } 2650 2651 /* 2652 *--------------------------------------------------------------------------* 2653 * * 2654 * The LCP implementation. * 2655 * * 2656 *--------------------------------------------------------------------------* 2657 */ 2658 static void 2659 sppp_lcp_init(struct sppp *sp) 2660 { 2661 2662 KASSERT(SPPP_WLOCKED(sp)); 2663 2664 sppp_cp_init(&lcp, sp); 2665 2666 SET(sp->lcp.opts, SPPP_LCP_OPT_MAGIC); 2667 sp->lcp.magic = 0; 2668 sp->lcp.protos = 0; 2669 sp->lcp.max_terminate = 2; 2670 sp->lcp.max_configure = 10; 2671 sp->lcp.max_failure = 10; 2672 sp->lcp.tlf_sent = false; 2673 2674 /* 2675 * Initialize counters and timeout values. Note that we don't 2676 * use the 3 seconds suggested in RFC 1661 since we are likely 2677 * running on a fast link. XXX We should probably implement 2678 * the exponential backoff option. Note that these values are 2679 * relevant for all control protocols, not just LCP only. 2680 */ 2681 sp->lcp.timeout = 1 * hz; 2682 } 2683 2684 static void 2685 sppp_lcp_up(struct sppp *sp, void *xcp) 2686 { 2687 const struct cp *cp = xcp; 2688 int pidx; 2689 STDDCL; 2690 2691 KASSERT(SPPP_WLOCKED(sp)); 2692 2693 pidx = cp->protoidx; 2694 /* Initialize activity timestamp: opening a connection is an activity */ 2695 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 2696 2697 /* 2698 * If this interface is passive or dial-on-demand, and we are 2699 * still in Initial state, it means we've got an incoming 2700 * call. Activate the interface. 2701 */ 2702 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2703 if (debug) 2704 log(LOG_DEBUG, 2705 "%s: Up event", ifp->if_xname); 2706 ifp->if_flags |= IFF_RUNNING; 2707 if (sp->scp[pidx].state == STATE_INITIAL) { 2708 if (debug) 2709 addlog("(incoming call)\n"); 2710 sp->pp_flags |= PP_CALLIN; 2711 sppp_wq_add(sp->wq_cp, &sp->scp[pidx].work_open); 2712 } else if (debug) 2713 addlog("\n"); 2714 } 2715 2716 sppp_up_event(sp, xcp); 2717 } 2718 2719 static void 2720 sppp_lcp_down(struct sppp *sp, void *xcp) 2721 { 2722 const struct cp *cp = xcp; 2723 int pidx; 2724 STDDCL; 2725 2726 KASSERT(SPPP_WLOCKED(sp)); 2727 KASSERT(!cpu_softintr_p()); 2728 2729 pidx = cp->protoidx; 2730 sppp_down_event(sp, xcp); 2731 2732 /* 2733 * We need to do tls to restart when a down event is caused 2734 * by the last tlf. 2735 */ 2736 if (sp->scp[pidx].state == STATE_STARTING && 2737 sp->lcp.tlf_sent) { 2738 cp->tls(cp, sp); 2739 sp->lcp.tlf_sent = false; 2740 } 2741 2742 /* 2743 * If this is neither a dial-on-demand nor a passive 2744 * interface, simulate an ``ifconfig down'' action, so the 2745 * administrator can force a redial by another ``ifconfig 2746 * up''. XXX For leased line operation, should we immediately 2747 * try to reopen the connection here? 2748 */ 2749 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2750 if (debug) 2751 log(LOG_INFO, 2752 "%s: Down event (carrier loss), taking interface down.\n", 2753 ifp->if_xname); 2754 SPPP_UNLOCK(sp); 2755 if_down(ifp); 2756 SPPP_LOCK(sp, RW_WRITER); 2757 2758 if (sp->lcp.reestablish) 2759 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open); 2760 } else { 2761 if (debug) 2762 log(LOG_DEBUG, 2763 "%s: Down event (carrier loss)\n", 2764 ifp->if_xname); 2765 2766 sp->pp_flags &= ~PP_CALLIN; 2767 if (sp->scp[pidx].state != STATE_INITIAL) 2768 sppp_wq_add(sp->wq_cp, &sp->scp[pidx].work_close); 2769 ifp->if_flags &= ~IFF_RUNNING; 2770 } 2771 sp->scp[pidx].fail_counter = 0; 2772 } 2773 2774 static void 2775 sppp_lcp_open(struct sppp *sp, void *xcp) 2776 { 2777 2778 KASSERT(SPPP_WLOCKED(sp)); 2779 KASSERT(!cpu_softintr_p()); 2780 2781 sp->lcp.reestablish = false; 2782 sp->scp[IDX_LCP].fail_counter = 0; 2783 2784 if (sp->pp_if.if_mtu < PP_MTU) { 2785 sp->lcp.mru = sp->pp_if.if_mtu; 2786 SET(sp->lcp.opts, SPPP_LCP_OPT_MRU); 2787 } else { 2788 sp->lcp.mru = PP_MTU; 2789 } 2790 sp->lcp.their_mru = PP_MTU; 2791 2792 /* 2793 * If we are authenticator, negotiate LCP_AUTH 2794 */ 2795 if (sp->hisauth.proto != PPP_NOPROTO) 2796 SET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO); 2797 else 2798 CLR(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO); 2799 sp->pp_flags &= ~PP_NEEDAUTH; 2800 sppp_open_event(sp, xcp); 2801 } 2802 2803 2804 /* 2805 * Analyze a configure request. Return true if it was agreeable, and 2806 * caused action sca, false if it has been rejected or nak'ed, and 2807 * caused action scn. (The return value is used to make the state 2808 * transition decision in the state automaton.) 2809 */ 2810 static enum cp_rcr_type 2811 sppp_lcp_confreq(struct sppp *sp, struct lcp_header *h, int origlen, 2812 uint8_t **msgbuf, size_t *buflen, size_t *msglen) 2813 { 2814 STDDCL; 2815 u_char *buf, *r, *p, l, blen; 2816 enum cp_rcr_type type; 2817 int len, rlen; 2818 uint32_t nmagic; 2819 u_short authproto; 2820 char lbuf[SPPP_LCPOPT_NAMELEN]; 2821 2822 KASSERT(SPPP_WLOCKED(sp)); 2823 2824 if (origlen < sizeof(*h)) 2825 return CP_RCR_DROP; 2826 2827 origlen -= sizeof(*h); 2828 type = CP_RCR_NONE; 2829 type = 0; 2830 2831 if (origlen <= 0) 2832 return CP_RCR_DROP; 2833 else 2834 blen = origlen; 2835 2836 buf = kmem_intr_alloc(blen, KM_NOSLEEP); 2837 if (buf == NULL) 2838 return CP_RCR_DROP; 2839 2840 if (debug) 2841 log(LOG_DEBUG, "%s: lcp parse opts:", 2842 ifp->if_xname); 2843 2844 /* pass 1: check for things that need to be rejected */ 2845 p = (void *)(h + 1); 2846 r = buf; 2847 rlen = 0; 2848 for (len = origlen; len > 1; len-= l, p += l) { 2849 l = p[1]; 2850 if (l == 0) 2851 break; 2852 2853 /* Sanity check option length */ 2854 if (l > len) { 2855 /* 2856 * Malicious option - drop immediately. 2857 * XXX Maybe we should just RXJ it? 2858 */ 2859 addlog("%s: received malicious LCP option 0x%02x, " 2860 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2861 p[0], l, len); 2862 type = CP_RCR_ERR; 2863 goto end; 2864 } 2865 if (debug) 2866 addlog(" %s", sppp_lcp_opt_name(lbuf, sizeof(lbuf), *p)); 2867 switch (p[0]) { 2868 case LCP_OPT_MAGIC: 2869 /* Magic number. */ 2870 /* fall through, both are same length */ 2871 case LCP_OPT_ASYNC_MAP: 2872 /* Async control character map. */ 2873 if (len >= 6 || l == 6) 2874 continue; 2875 if (debug) 2876 addlog(" [invalid]"); 2877 break; 2878 case LCP_OPT_MP_EID: 2879 if (len >= l && l >= 3) { 2880 switch (p[2]) { 2881 case 0: if (l==3+ 0) continue;break; 2882 case 2: if (l==3+ 4) continue;break; 2883 case 3: if (l==3+ 6) continue;break; 2884 case 6: if (l==3+16) continue;break; 2885 case 1: /* FALLTHROUGH */ 2886 case 4: if (l<=3+20) continue;break; 2887 case 5: if (l<=3+15) continue;break; 2888 /* XXX should it be default: continue;? */ 2889 } 2890 } 2891 if (debug) 2892 addlog(" [invalid class %d len %d]", p[2], l); 2893 break; 2894 case LCP_OPT_MP_SSNHF: 2895 if (len >= 2 && l == 2) { 2896 if (debug) 2897 addlog(" [rej]"); 2898 break; 2899 } 2900 if (debug) 2901 addlog(" [invalid]"); 2902 break; 2903 case LCP_OPT_MP_MRRU: 2904 /* Multilink maximum received reconstructed unit */ 2905 /* should be fall through, both are same length */ 2906 /* FALLTHROUGH */ 2907 case LCP_OPT_MRU: 2908 /* Maximum receive unit. */ 2909 if (len >= 4 && l == 4) 2910 continue; 2911 if (debug) 2912 addlog(" [invalid]"); 2913 break; 2914 case LCP_OPT_AUTH_PROTO: 2915 if (len < 4) { 2916 if (debug) 2917 addlog(" [invalid]"); 2918 break; 2919 } 2920 authproto = (p[2] << 8) + p[3]; 2921 if (authproto == PPP_CHAP && l != 5) { 2922 if (debug) 2923 addlog(" [invalid chap len]"); 2924 break; 2925 } 2926 if (ISSET(sp->myauth.flags, SPPP_AUTHFLAG_PASSIVEAUTHPROTO)) { 2927 if (authproto == PPP_PAP || authproto == PPP_CHAP) 2928 sp->myauth.proto = authproto; 2929 } 2930 if (sp->myauth.proto == PPP_NOPROTO) { 2931 /* we are not configured to do auth */ 2932 if (debug) 2933 addlog(" [not configured]"); 2934 break; 2935 } 2936 /* 2937 * Remote want us to authenticate, remember this, 2938 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2939 * up. 2940 */ 2941 sp->pp_flags |= PP_NEEDAUTH; 2942 continue; 2943 default: 2944 /* Others not supported. */ 2945 if (debug) 2946 addlog(" [rej]"); 2947 break; 2948 } 2949 if (rlen + l > blen) { 2950 if (debug) 2951 addlog(" [overflow]"); 2952 continue; 2953 } 2954 /* Add the option to rejected list. */ 2955 memcpy(r, p, l); 2956 r += l; 2957 rlen += l; 2958 } 2959 2960 if (rlen > 0) { 2961 type = CP_RCR_REJ; 2962 goto end; 2963 } 2964 2965 if (debug) 2966 addlog("\n"); 2967 2968 /* 2969 * pass 2: check for option values that are unacceptable and 2970 * thus require to be nak'ed. 2971 */ 2972 if (debug) 2973 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2974 ifp->if_xname); 2975 2976 p = (void *)(h + 1); 2977 r = buf; 2978 rlen = 0; 2979 for (len = origlen; len > 0; len -= l, p += l) { 2980 l = p[1]; 2981 if (l == 0) 2982 break; 2983 2984 if (debug) 2985 addlog(" %s", sppp_lcp_opt_name(lbuf, sizeof(lbuf), *p)); 2986 switch (p[0]) { 2987 case LCP_OPT_MAGIC: 2988 /* Magic number -- extract. */ 2989 nmagic = (uint32_t)p[2] << 24 | 2990 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2991 if (nmagic != sp->lcp.magic) { 2992 if (debug) 2993 addlog(" 0x%x", nmagic); 2994 continue; 2995 } 2996 /* 2997 * Local and remote magics equal -- loopback? 2998 */ 2999 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 3000 printf ("%s: loopback\n", 3001 ifp->if_xname); 3002 sp->pp_loopcnt = 0; 3003 if (ifp->if_flags & IFF_UP) { 3004 SPPP_UNLOCK(sp); 3005 if_down(ifp); 3006 SPPP_LOCK(sp, RW_WRITER); 3007 3008 IF_PURGE(&sp->pp_cpq); 3009 /* XXX ? */ 3010 sppp_wq_add(sp->wq_cp, 3011 &sp->scp[IDX_LCP].work_down); 3012 sppp_wq_add(sp->wq_cp, 3013 &sp->scp[IDX_LCP].work_up); 3014 } 3015 } else if (debug) 3016 addlog(" [glitch]"); 3017 ++sp->pp_loopcnt; 3018 /* 3019 * We negate our magic here, and NAK it. If 3020 * we see it later in an NAK packet, we 3021 * suggest a new one. 3022 */ 3023 nmagic = ~sp->lcp.magic; 3024 /* Gonna NAK it. */ 3025 p[2] = nmagic >> 24; 3026 p[3] = nmagic >> 16; 3027 p[4] = nmagic >> 8; 3028 p[5] = nmagic; 3029 break; 3030 3031 case LCP_OPT_ASYNC_MAP: 3032 /* 3033 * Async control character map -- just ignore it. 3034 * 3035 * Quote from RFC 1662, chapter 6: 3036 * To enable this functionality, synchronous PPP 3037 * implementations MUST always respond to the 3038 * Async-Control-Character-Map Configuration 3039 * Option with the LCP Configure-Ack. However, 3040 * acceptance of the Configuration Option does 3041 * not imply that the synchronous implementation 3042 * will do any ACCM mapping. Instead, all such 3043 * octet mapping will be performed by the 3044 * asynchronous-to-synchronous converter. 3045 */ 3046 continue; 3047 3048 case LCP_OPT_MRU: 3049 /* 3050 * Maximum receive unit. Always agreeable, 3051 * but ignored by now. 3052 */ 3053 sp->lcp.their_mru = p[2] * 256 + p[3]; 3054 if (debug) 3055 addlog(" %ld", sp->lcp.their_mru); 3056 continue; 3057 3058 case LCP_OPT_AUTH_PROTO: 3059 authproto = (p[2] << 8) + p[3]; 3060 if (ISSET(sp->myauth.flags, SPPP_AUTHFLAG_PASSIVEAUTHPROTO)) { 3061 if (authproto == PPP_PAP || authproto == PPP_CHAP) 3062 sp->myauth.proto = authproto; 3063 } 3064 if (sp->myauth.proto == authproto) { 3065 if (authproto != PPP_CHAP || p[4] == CHAP_MD5) { 3066 continue; 3067 } 3068 if (debug) 3069 addlog(" [chap without MD5]"); 3070 } else { 3071 if (debug) { 3072 char pbuf1[SPPP_PROTO_NAMELEN]; 3073 char pbuf2[SPPP_PROTO_NAMELEN]; 3074 const char *pname1, *pname2; 3075 3076 pname1 = sppp_proto_name(pbuf1, 3077 sizeof(pbuf1), sp->myauth.proto); 3078 pname2 = sppp_proto_name(pbuf2, 3079 sizeof(pbuf2), authproto); 3080 addlog(" [mine %s != his %s]", 3081 pname1, pname2); 3082 } 3083 } 3084 /* not agreed, nak */ 3085 if (sp->myauth.proto == PPP_CHAP) { 3086 l = 5; 3087 } else { 3088 l = 4; 3089 } 3090 3091 if (rlen + l > blen) { 3092 if (debug) 3093 addlog(" [overflow]"); 3094 continue; 3095 } 3096 3097 r[0] = LCP_OPT_AUTH_PROTO; 3098 r[1] = l; 3099 r[2] = sp->myauth.proto >> 8; 3100 r[3] = sp->myauth.proto & 0xff; 3101 if (sp->myauth.proto == PPP_CHAP) 3102 r[4] = CHAP_MD5; 3103 rlen += l; 3104 r += l; 3105 continue; 3106 case LCP_OPT_MP_EID: 3107 /* 3108 * Endpoint identification. 3109 * Always agreeable, 3110 * but ignored by now. 3111 */ 3112 if (debug) { 3113 addlog(" type %d", p[2]); 3114 sppp_print_bytes(p+3, p[1]-3); 3115 } 3116 continue; 3117 case LCP_OPT_MP_MRRU: 3118 /* 3119 * Maximum received reconstructed unit. 3120 * Always agreeable, 3121 * but ignored by now. 3122 */ 3123 sp->lcp.their_mrru = p[2] * 256 + p[3]; 3124 if (debug) 3125 addlog(" %ld", sp->lcp.their_mrru); 3126 continue; 3127 } 3128 if (rlen + l > blen) { 3129 if (debug) 3130 addlog(" [overflow]"); 3131 continue; 3132 } 3133 /* Add the option to nak'ed list. */ 3134 memcpy(r, p, l); 3135 r += l; 3136 rlen += l; 3137 } 3138 3139 if (rlen > 0) { 3140 if (++sp->scp[IDX_LCP].fail_counter >= sp->lcp.max_failure) { 3141 if (debug) 3142 addlog(" max_failure (%d) exceeded, ", 3143 sp->lcp.max_failure); 3144 type = CP_RCR_REJ; 3145 } else { 3146 type = CP_RCR_NAK; 3147 } 3148 } else { 3149 type = CP_RCR_ACK; 3150 rlen = origlen; 3151 memcpy(r, h + 1, rlen); 3152 sp->scp[IDX_LCP].fail_counter = 0; 3153 sp->pp_loopcnt = 0; 3154 } 3155 3156 end: 3157 if (debug) 3158 addlog("\n"); 3159 3160 if (type == CP_RCR_ERR || type == CP_RCR_DROP) { 3161 if (buf != NULL) 3162 kmem_intr_free(buf, blen); 3163 } else { 3164 *msgbuf = buf; 3165 *buflen = blen; 3166 *msglen = rlen; 3167 } 3168 3169 return type; 3170 } 3171 3172 /* 3173 * Analyze the LCP Configure-Reject option list, and adjust our 3174 * negotiation. 3175 */ 3176 static void 3177 sppp_lcp_confrej(struct sppp *sp, struct lcp_header *h, int len) 3178 { 3179 STDDCL; 3180 u_char *p, l; 3181 3182 KASSERT(SPPP_WLOCKED(sp)); 3183 3184 if (len <= sizeof(*h)) 3185 return; 3186 3187 len -= sizeof(*h); 3188 3189 if (debug) 3190 log(LOG_DEBUG, "%s: lcp rej opts:", 3191 ifp->if_xname); 3192 3193 p = (void *)(h + 1); 3194 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3195 /* Sanity check option length */ 3196 if (l > len) { 3197 /* 3198 * Malicious option - drop immediately. 3199 * XXX Maybe we should just RXJ it? 3200 */ 3201 addlog("%s: received malicious LCP option, " 3202 "dropping.\n", ifp->if_xname); 3203 goto end; 3204 } 3205 if (debug) { 3206 char lbuf[SPPP_LCPOPT_NAMELEN]; 3207 addlog(" %s", sppp_lcp_opt_name(lbuf, sizeof(lbuf), *p)); 3208 } 3209 switch (p[0]) { 3210 case LCP_OPT_MAGIC: 3211 /* Magic number -- can't use it, use 0 */ 3212 CLR(sp->lcp.opts, SPPP_LCP_OPT_MAGIC); 3213 sp->lcp.magic = 0; 3214 break; 3215 case LCP_OPT_MRU: 3216 /* 3217 * We try to negotiate a lower MRU if the underlying 3218 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 3219 * peer rejects this lower rate, fallback to the 3220 * default. 3221 */ 3222 if (debug) { 3223 addlog("%s: warning: peer rejected our MRU of " 3224 "%ld bytes. Defaulting to %d bytes\n", 3225 ifp->if_xname, sp->lcp.mru, PP_MTU); 3226 } 3227 CLR(sp->lcp.opts, SPPP_LCP_OPT_MRU); 3228 sp->lcp.mru = PP_MTU; 3229 break; 3230 case LCP_OPT_AUTH_PROTO: 3231 /* 3232 * Peer doesn't want to authenticate himself, 3233 * deny unless this is a dialout call, and 3234 * SPPP_AUTHFLAG_NOCALLOUT is set. 3235 */ 3236 if ((sp->pp_flags & PP_CALLIN) == 0 && 3237 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 3238 if (debug) 3239 addlog(" [don't insist on auth " 3240 "for callout]"); 3241 CLR(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO); 3242 break; 3243 } 3244 if (debug) 3245 addlog("[access denied]\n"); 3246 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 3247 break; 3248 } 3249 } 3250 if (debug) 3251 addlog("\n"); 3252 end: 3253 return; 3254 } 3255 3256 /* 3257 * Analyze the LCP Configure-NAK option list, and adjust our 3258 * negotiation. 3259 */ 3260 static void 3261 sppp_lcp_confnak(struct sppp *sp, struct lcp_header *h, int len) 3262 { 3263 STDDCL; 3264 u_char *p, l; 3265 uint32_t magic; 3266 3267 KASSERT(SPPP_WLOCKED(sp)); 3268 3269 if (len <= sizeof(*h)) 3270 return; 3271 len -= sizeof(*h); 3272 3273 if (debug) 3274 log(LOG_DEBUG, "%s: lcp nak opts:", 3275 ifp->if_xname); 3276 3277 p = (void *)(h + 1); 3278 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3279 /* Sanity check option length */ 3280 if (l > len) { 3281 /* 3282 * Malicious option - drop immediately. 3283 * XXX Maybe we should just RXJ it? 3284 */ 3285 addlog("%s: received malicious LCP option, " 3286 "dropping.\n", ifp->if_xname); 3287 goto end; 3288 } 3289 if (debug) { 3290 char lbuf[SPPP_LCPOPT_NAMELEN]; 3291 addlog(" %s", sppp_lcp_opt_name(lbuf, sizeof(lbuf),*p)); 3292 } 3293 switch (p[0]) { 3294 case LCP_OPT_MAGIC: 3295 /* Magic number -- renegotiate */ 3296 if (ISSET(sp->lcp.opts, SPPP_LCP_OPT_MAGIC) && 3297 len >= 6 && l == 6) { 3298 magic = (uint32_t)p[2] << 24 | 3299 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 3300 /* 3301 * If the remote magic is our negated one, 3302 * this looks like a loopback problem. 3303 * Suggest a new magic to make sure. 3304 */ 3305 if (magic == ~sp->lcp.magic) { 3306 if (debug) 3307 addlog(" magic glitch"); 3308 sp->lcp.magic = cprng_fast32(); 3309 } else { 3310 sp->lcp.magic = magic; 3311 if (debug) 3312 addlog(" %d", magic); 3313 } 3314 } 3315 break; 3316 case LCP_OPT_MRU: 3317 /* 3318 * Peer wants to advise us to negotiate an MRU. 3319 * Agree on it if it's reasonable, or use 3320 * default otherwise. 3321 */ 3322 if (len >= 4 && l == 4) { 3323 u_int mru = p[2] * 256 + p[3]; 3324 if (debug) 3325 addlog(" %d", mru); 3326 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 3327 mru = sp->pp_if.if_mtu; 3328 sp->lcp.mru = mru; 3329 SET(sp->lcp.opts, SPPP_LCP_OPT_MRU); 3330 } 3331 break; 3332 case LCP_OPT_AUTH_PROTO: 3333 /* 3334 * Peer doesn't like our authentication method, 3335 * deny. 3336 */ 3337 if (debug) 3338 addlog("[access denied]\n"); 3339 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 3340 break; 3341 } 3342 } 3343 if (debug) 3344 addlog("\n"); 3345 end: 3346 return; 3347 } 3348 3349 static void 3350 sppp_lcp_tlu(struct sppp *sp) 3351 { 3352 STDDCL; 3353 int i; 3354 3355 KASSERT(SPPP_WLOCKED(sp)); 3356 3357 /* unlock for IFNET_LOCK and if_up() */ 3358 SPPP_UNLOCK(sp); 3359 3360 /* XXX ? */ 3361 if (! (ifp->if_flags & IFF_UP) && 3362 (ifp->if_flags & IFF_RUNNING)) { 3363 /* Coming out of loopback mode. */ 3364 if_up(ifp); 3365 } 3366 3367 IFNET_LOCK(ifp); 3368 SPPP_LOCK(sp, RW_WRITER); 3369 3370 if (ifp->if_mtu > sp->lcp.their_mru) { 3371 sp->pp_saved_mtu = ifp->if_mtu; 3372 ifp->if_mtu = sp->lcp.their_mru; 3373 if (debug) { 3374 log(LOG_DEBUG, 3375 "%s: setting MTU " 3376 "from %"PRIu64" bytes " 3377 "to %"PRIu64" bytes\n", 3378 ifp->if_xname, sp->pp_saved_mtu, 3379 ifp->if_mtu); 3380 } 3381 } 3382 IFNET_UNLOCK(ifp); 3383 3384 if (ISSET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO) || 3385 (sp->pp_flags & PP_NEEDAUTH) != 0) 3386 sppp_change_phase(sp, SPPP_PHASE_AUTHENTICATE); 3387 else 3388 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 3389 3390 /* 3391 * Open all authentication protocols. This is even required 3392 * if we already proceeded to network phase, since it might be 3393 * that remote wants us to authenticate, so we might have to 3394 * send a PAP request. Undesired authentication protocols 3395 * don't do anything when they get an Open event. 3396 */ 3397 for (i = 0; i < IDX_COUNT; i++) 3398 if ((cps[i])->flags & CP_AUTH) { 3399 sppp_wq_add(sp->wq_cp, 3400 &sp->scp[(cps[i])->protoidx].work_open); 3401 } 3402 3403 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 3404 /* Notify all NCPs. */ 3405 for (i = 0; i < IDX_COUNT; i++) 3406 if ((cps[i])->flags & CP_NCP) { 3407 sppp_wq_add(sp->wq_cp, 3408 &sp->scp[(cps[i])->protoidx].work_open); 3409 } 3410 } 3411 3412 /* notify low-level driver of state change */ 3413 sppp_notify_chg_wlocked(sp); 3414 } 3415 3416 static void 3417 sppp_lcp_tld(struct sppp *sp) 3418 { 3419 STDDCL; 3420 int i, pi, phase; 3421 3422 KASSERT(SPPP_WLOCKED(sp)); 3423 3424 phase = sp->pp_phase; 3425 3426 sppp_change_phase(sp, SPPP_PHASE_TERMINATE); 3427 3428 if (sp->pp_saved_mtu > 0) { 3429 SPPP_UNLOCK(sp); 3430 IFNET_LOCK(ifp); 3431 SPPP_LOCK(sp, RW_WRITER); 3432 3433 if (debug) { 3434 log(LOG_DEBUG, 3435 "%s: setting MTU " 3436 "from %"PRIu64" bytes " 3437 "to %"PRIu64" bytes\n", 3438 ifp->if_xname, ifp->if_mtu, 3439 sp->pp_saved_mtu); 3440 } 3441 3442 ifp->if_mtu = sp->pp_saved_mtu; 3443 sp->pp_saved_mtu = 0; 3444 IFNET_UNLOCK(ifp); 3445 } 3446 3447 /* 3448 * Take upper layers down. We send the Down event first and 3449 * the Close second to prevent the upper layers from sending 3450 * ``a flurry of terminate-request packets'', as the RFC 3451 * describes it. 3452 */ 3453 for (i = 0; i < IDX_COUNT; i++) { 3454 pi = (cps[i])->protoidx; 3455 if (((cps[i])->flags & CP_LCP) == 0) { 3456 /* skip if ncp was not started */ 3457 if (phase != SPPP_PHASE_NETWORK && 3458 ((cps[i])->flags & CP_NCP) != 0) 3459 continue; 3460 3461 sppp_wq_add(sp->wq_cp, &sp->scp[pi].work_down); 3462 sppp_wq_add(sp->wq_cp, &sp->scp[pi].work_close); 3463 } 3464 } 3465 } 3466 3467 static void 3468 sppp_lcp_tls(const struct cp *cp __unused, struct sppp *sp) 3469 { 3470 3471 KASSERT(SPPP_WLOCKED(sp)); 3472 3473 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 3474 printf("%s: authentication failed %d times, not retrying again\n", 3475 sp->pp_if.if_xname, sp->pp_auth_failures); 3476 3477 SPPP_UNLOCK(sp); 3478 if_down(&sp->pp_if); 3479 SPPP_LOCK(sp, RW_WRITER); 3480 return; 3481 } 3482 3483 sppp_change_phase(sp, SPPP_PHASE_ESTABLISH); 3484 3485 /* Notify lower layer if desired. */ 3486 sppp_notify_tls_wlocked(sp); 3487 sp->lcp.tlf_sent = false; 3488 } 3489 3490 static void 3491 sppp_lcp_tlf(const struct cp *cp __unused, struct sppp *sp) 3492 { 3493 3494 KASSERT(SPPP_WLOCKED(sp)); 3495 3496 sppp_change_phase(sp, SPPP_PHASE_DEAD); 3497 3498 /* Notify lower layer if desired. */ 3499 sppp_notify_tlf_wlocked(sp); 3500 3501 switch (sp->scp[IDX_LCP].state) { 3502 case STATE_CLOSED: 3503 case STATE_STOPPED: 3504 sp->lcp.tlf_sent = true; 3505 break; 3506 case STATE_INITIAL: 3507 default: 3508 /* just in case */ 3509 sp->lcp.tlf_sent = false; 3510 } 3511 } 3512 3513 static void 3514 sppp_lcp_scr(struct sppp *sp) 3515 { 3516 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 3517 int i = 0; 3518 u_short authproto; 3519 3520 KASSERT(SPPP_WLOCKED(sp)); 3521 3522 if (ISSET(sp->lcp.opts, SPPP_LCP_OPT_MAGIC)) { 3523 if (! sp->lcp.magic) 3524 sp->lcp.magic = cprng_fast32(); 3525 opt[i++] = LCP_OPT_MAGIC; 3526 opt[i++] = 6; 3527 opt[i++] = sp->lcp.magic >> 24; 3528 opt[i++] = sp->lcp.magic >> 16; 3529 opt[i++] = sp->lcp.magic >> 8; 3530 opt[i++] = sp->lcp.magic; 3531 } 3532 3533 if (ISSET(sp->lcp.opts,SPPP_LCP_OPT_MRU)) { 3534 opt[i++] = LCP_OPT_MRU; 3535 opt[i++] = 4; 3536 opt[i++] = sp->lcp.mru >> 8; 3537 opt[i++] = sp->lcp.mru; 3538 } 3539 3540 if (ISSET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO)) { 3541 authproto = sp->hisauth.proto; 3542 opt[i++] = LCP_OPT_AUTH_PROTO; 3543 opt[i++] = authproto == PPP_CHAP? 5: 4; 3544 opt[i++] = authproto >> 8; 3545 opt[i++] = authproto; 3546 if (authproto == PPP_CHAP) 3547 opt[i++] = CHAP_MD5; 3548 } 3549 3550 sp->scp[IDX_LCP].confid = ++sp->scp[IDX_LCP].seq; 3551 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->scp[IDX_LCP].confid, i, &opt); 3552 } 3553 3554 /* 3555 * Check the open NCPs, return true if at least one NCP is open. 3556 */ 3557 3558 static int 3559 sppp_cp_check(struct sppp *sp, u_char cp_flags) 3560 { 3561 int i, mask; 3562 3563 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 3564 if ((sp->lcp.protos & mask) && (cps[i])->flags & cp_flags) 3565 return 1; 3566 return 0; 3567 } 3568 3569 /* 3570 * Re-check the open NCPs and see if we should terminate the link. 3571 * Called by the NCPs during their tlf action handling. 3572 */ 3573 static void 3574 sppp_lcp_check_and_close(struct sppp *sp) 3575 { 3576 3577 KASSERT(SPPP_WLOCKED(sp)); 3578 3579 if (sp->pp_phase < SPPP_PHASE_AUTHENTICATE) { 3580 /* don't bother, we are already going down */ 3581 return; 3582 } 3583 3584 if (sp->pp_phase == SPPP_PHASE_AUTHENTICATE && 3585 sppp_cp_check(sp, CP_AUTH)) 3586 return; 3587 3588 if (sp->pp_phase >= SPPP_PHASE_NETWORK && 3589 sppp_cp_check(sp, CP_NCP)) 3590 return; 3591 3592 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 3593 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open); 3594 } 3595 3596 /* 3597 *--------------------------------------------------------------------------* 3598 * * 3599 * The IPCP implementation. * 3600 * * 3601 *--------------------------------------------------------------------------* 3602 */ 3603 3604 static void 3605 sppp_ipcp_init(struct sppp *sp) 3606 { 3607 3608 KASSERT(SPPP_WLOCKED(sp)); 3609 3610 sppp_cp_init(&ipcp, sp); 3611 3612 sp->ipcp.opts = 0; 3613 sp->ipcp.flags = 0; 3614 } 3615 3616 static void 3617 sppp_ipcp_open(struct sppp *sp, void *xcp) 3618 { 3619 STDDCL; 3620 uint32_t myaddr, hisaddr; 3621 3622 KASSERT(SPPP_WLOCKED(sp)); 3623 KASSERT(!cpu_softintr_p()); 3624 3625 if (!ISSET(sp->pp_ncpflags, SPPP_NCP_IPCP)) 3626 return; 3627 3628 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 3629 sp->ipcp.req_myaddr = 0; 3630 sp->ipcp.req_hisaddr = 0; 3631 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 3632 3633 #ifdef INET 3634 kpreempt_disable(); 3635 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3636 kpreempt_enable(); 3637 #else 3638 myaddr = hisaddr = 0; 3639 #endif 3640 /* 3641 * If we don't have his address, this probably means our 3642 * interface doesn't want to talk IP at all. (This could 3643 * be the case if somebody wants to speak only IPX, for 3644 * example.) Don't open IPCP in this case. 3645 */ 3646 if (hisaddr == 0) { 3647 /* XXX this message should go away */ 3648 if (debug) 3649 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 3650 ifp->if_xname); 3651 return; 3652 } 3653 3654 if (myaddr == 0) { 3655 /* 3656 * I don't have an assigned address, so i need to 3657 * negotiate my address. 3658 */ 3659 sp->ipcp.flags |= IPCP_MYADDR_DYN; 3660 SET(sp->ipcp.opts, SPPP_IPCP_OPT_ADDRESS); 3661 } 3662 if (hisaddr == 1) { 3663 /* 3664 * XXX - remove this hack! 3665 * remote has no valid address, we need to get one assigned. 3666 */ 3667 sp->ipcp.flags |= IPCP_HISADDR_DYN; 3668 sp->ipcp.saved_hisaddr = htonl(hisaddr); 3669 } 3670 3671 if (sp->query_dns & 1) { 3672 SET(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS); 3673 } else { 3674 CLR(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS); 3675 } 3676 3677 if (sp->query_dns & 2) { 3678 SET(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS); 3679 } else { 3680 CLR(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS); 3681 } 3682 sppp_open_event(sp, xcp); 3683 } 3684 3685 static void 3686 sppp_ipcp_close(struct sppp *sp, void *xcp) 3687 { 3688 3689 KASSERT(SPPP_WLOCKED(sp)); 3690 KASSERT(!cpu_softintr_p()); 3691 3692 sppp_close_event(sp, xcp); 3693 3694 #ifdef INET 3695 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) { 3696 /* 3697 * Some address was dynamic, clear it again. 3698 */ 3699 sppp_clear_ip_addrs(sp); 3700 } 3701 #endif 3702 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 3703 } 3704 3705 /* 3706 * Analyze a configure request. Return true if it was agreeable, and 3707 * caused action sca, false if it has been rejected or nak'ed, and 3708 * caused action scn. (The return value is used to make the state 3709 * transition decision in the state automaton.) 3710 */ 3711 static enum cp_rcr_type 3712 sppp_ipcp_confreq(struct sppp *sp, struct lcp_header *h, int origlen, 3713 uint8_t **msgbuf, size_t *buflen, size_t *msglen) 3714 { 3715 u_char *buf, *r, *p, l, blen; 3716 enum cp_rcr_type type; 3717 struct ifnet *ifp = &sp->pp_if; 3718 int rlen, len, debug = ifp->if_flags & IFF_DEBUG; 3719 uint32_t hisaddr, desiredaddr; 3720 char ipbuf[SPPP_IPCPOPT_NAMELEN]; 3721 char dqbuf[SPPP_DOTQUAD_BUFLEN]; 3722 const char *dq; 3723 3724 KASSERT(SPPP_WLOCKED(sp)); 3725 3726 type = CP_RCR_NONE; 3727 origlen -= sizeof(*h); 3728 3729 if (origlen < 0) 3730 return CP_RCR_DROP; 3731 3732 /* 3733 * Make sure to allocate a buf that can at least hold a 3734 * conf-nak with an `address' option. We might need it below. 3735 */ 3736 blen = MAX(6, origlen); 3737 3738 buf = kmem_intr_alloc(blen, KM_NOSLEEP); 3739 if (buf == NULL) 3740 return CP_RCR_DROP; 3741 3742 /* pass 1: see if we can recognize them */ 3743 if (debug) 3744 log(LOG_DEBUG, "%s: ipcp parse opts:", 3745 ifp->if_xname); 3746 p = (void *)(h + 1); 3747 r = buf; 3748 rlen = 0; 3749 for (len = origlen; len > 1; len -= l, p += l) { 3750 l = p[1]; 3751 if (l == 0) 3752 break; 3753 3754 /* Sanity check option length */ 3755 if (l > len) { 3756 /* XXX should we just RXJ? */ 3757 addlog("%s: malicious IPCP option received, dropping\n", 3758 ifp->if_xname); 3759 type = CP_RCR_ERR; 3760 goto end; 3761 } 3762 if (debug) { 3763 addlog(" %s", 3764 sppp_ipcp_opt_name(ipbuf, sizeof(ipbuf), *p)); 3765 } 3766 switch (p[0]) { 3767 #ifdef notyet 3768 case IPCP_OPT_COMPRESSION: 3769 if (len >= 6 && l >= 6) { 3770 /* correctly formed compress option */ 3771 continue; 3772 } 3773 if (debug) 3774 addlog(" [invalid]"); 3775 break; 3776 #endif 3777 case IPCP_OPT_ADDRESS: 3778 if (len >= 6 && l == 6) { 3779 /* correctly formed address option */ 3780 continue; 3781 } 3782 if (debug) 3783 addlog(" [invalid]"); 3784 break; 3785 default: 3786 /* Others not supported. */ 3787 if (debug) 3788 addlog(" [rej]"); 3789 break; 3790 } 3791 /* Add the option to rejected list. */ 3792 if (rlen + l > blen) { 3793 if (debug) 3794 addlog(" [overflow]"); 3795 continue; 3796 } 3797 memcpy(r, p, l); 3798 r += l; 3799 rlen += l; 3800 } 3801 3802 if (rlen > 0) { 3803 type = CP_RCR_REJ; 3804 goto end; 3805 } 3806 3807 if (debug) 3808 addlog("\n"); 3809 3810 /* pass 2: parse option values */ 3811 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 3812 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 3813 else 3814 #ifdef INET 3815 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 3816 #else 3817 hisaddr = 0; 3818 #endif 3819 if (debug) 3820 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 3821 ifp->if_xname); 3822 p = (void *)(h + 1); 3823 r = buf; 3824 rlen = 0; 3825 for (len = origlen; len > 1; len -= l, p += l) { 3826 l = p[1]; 3827 if (l == 0) 3828 break; 3829 3830 if (debug) { 3831 addlog(" %s", 3832 sppp_ipcp_opt_name(ipbuf, sizeof(ipbuf), *p)); 3833 } 3834 switch (p[0]) { 3835 #ifdef notyet 3836 case IPCP_OPT_COMPRESSION: 3837 continue; 3838 #endif 3839 case IPCP_OPT_ADDRESS: 3840 desiredaddr = p[2] << 24 | p[3] << 16 | 3841 p[4] << 8 | p[5]; 3842 if (desiredaddr == hisaddr || 3843 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 3844 /* 3845 * Peer's address is same as our value, 3846 * this is agreeable. Gonna conf-ack 3847 * it. 3848 */ 3849 if (debug) { 3850 dq = sppp_dotted_quad(dqbuf, 3851 sizeof(dqbuf), hisaddr); 3852 addlog(" %s [ack]", dq); 3853 } 3854 /* record that we've seen it already */ 3855 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 3856 sp->ipcp.req_hisaddr = desiredaddr; 3857 hisaddr = desiredaddr; 3858 continue; 3859 } 3860 /* 3861 * The address wasn't agreeable. This is either 3862 * he sent us 0.0.0.0, asking to assign him an 3863 * address, or he send us another address not 3864 * matching our value. Either case, we gonna 3865 * conf-nak it with our value. 3866 */ 3867 if (debug) { 3868 if (desiredaddr == 0) { 3869 addlog(" [addr requested]"); 3870 } else { 3871 dq = sppp_dotted_quad(dqbuf, 3872 sizeof(dqbuf), desiredaddr); 3873 addlog(" %s [not agreed]", dq); 3874 } 3875 } 3876 3877 p[2] = hisaddr >> 24; 3878 p[3] = hisaddr >> 16; 3879 p[4] = hisaddr >> 8; 3880 p[5] = hisaddr; 3881 break; 3882 } 3883 if (rlen + l > blen) { 3884 if (debug) 3885 addlog(" [overflow]"); 3886 continue; 3887 } 3888 /* Add the option to nak'ed list. */ 3889 memcpy(r, p, l); 3890 r += l; 3891 rlen += l; 3892 } 3893 3894 if (rlen > 0) { 3895 type = CP_RCR_NAK; 3896 } else { 3897 if ((sp->ipcp.flags & IPCP_HISADDR_SEEN) == 0) { 3898 /* 3899 * If we are about to conf-ack the request, but haven't seen 3900 * his address so far, gonna conf-nak it instead, with the 3901 * `address' option present and our idea of his address being 3902 * filled in there, to request negotiation of both addresses. 3903 * 3904 * XXX This can result in an endless req - nak loop if peer 3905 * doesn't want to send us his address. Q: What should we do 3906 * about it? XXX A: implement the max-failure counter. 3907 */ 3908 buf[0] = IPCP_OPT_ADDRESS; 3909 buf[1] = 6; 3910 buf[2] = hisaddr >> 24; 3911 buf[3] = hisaddr >> 16; 3912 buf[4] = hisaddr >> 8; 3913 buf[5] = hisaddr; 3914 rlen = 6; 3915 if (debug) 3916 addlog(" still need hisaddr"); 3917 type = CP_RCR_NAK; 3918 } else { 3919 type = CP_RCR_ACK; 3920 rlen = origlen; 3921 memcpy(r, h + 1, rlen); 3922 } 3923 } 3924 3925 end: 3926 if (debug) 3927 addlog("\n"); 3928 3929 if (type == CP_RCR_ERR || type == CP_RCR_DROP) { 3930 if (buf != NULL) 3931 kmem_intr_free(buf, blen); 3932 } else { 3933 *msgbuf = buf; 3934 *buflen = blen; 3935 *msglen = rlen; 3936 } 3937 3938 return type; 3939 } 3940 3941 /* 3942 * Analyze the IPCP Configure-Reject option list, and adjust our 3943 * negotiation. 3944 */ 3945 static void 3946 sppp_ipcp_confrej(struct sppp *sp, struct lcp_header *h, int len) 3947 { 3948 u_char *p, l; 3949 struct ifnet *ifp = &sp->pp_if; 3950 int debug = ifp->if_flags & IFF_DEBUG; 3951 3952 KASSERT(SPPP_WLOCKED(sp)); 3953 3954 if (len <= sizeof(*h)) 3955 return; 3956 3957 len -= sizeof(*h); 3958 3959 if (debug) 3960 log(LOG_DEBUG, "%s: ipcp rej opts:", 3961 ifp->if_xname); 3962 3963 p = (void *)(h + 1); 3964 for (; len > 1; len -= l, p += l) { 3965 l = p[1]; 3966 if (l == 0) 3967 break; 3968 3969 /* Sanity check option length */ 3970 if (l > len) { 3971 /* XXX should we just RXJ? */ 3972 addlog("%s: malicious IPCP option received, dropping\n", 3973 ifp->if_xname); 3974 goto end; 3975 } 3976 if (debug) { 3977 char ipbuf[SPPP_IPCPOPT_NAMELEN]; 3978 addlog(" %s", 3979 sppp_ipcp_opt_name(ipbuf, sizeof(ipbuf), *p)); 3980 } 3981 switch (p[0]) { 3982 case IPCP_OPT_ADDRESS: 3983 /* 3984 * Peer doesn't grok address option. This is 3985 * bad. XXX Should we better give up here? 3986 */ 3987 if (!debug) { 3988 log(LOG_ERR, "%s: " 3989 "IPCP address option rejected\n", 3990 ifp->if_xname); 3991 } 3992 CLR(sp->ipcp.opts, SPPP_IPCP_OPT_ADDRESS); 3993 break; 3994 #ifdef notyet 3995 case IPCP_OPT_COMPRESS: 3996 CLR(sp->ipcp.opts, SPPP_IPCP_OPT_COMPRESS); 3997 break; 3998 #endif 3999 case IPCP_OPT_PRIMDNS: 4000 CLR(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS); 4001 break; 4002 4003 case IPCP_OPT_SECDNS: 4004 CLR(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS); 4005 break; 4006 } 4007 } 4008 if (debug) 4009 addlog("\n"); 4010 end: 4011 return; 4012 } 4013 4014 /* 4015 * Analyze the IPCP Configure-NAK option list, and adjust our 4016 * negotiation. 4017 */ 4018 static void 4019 sppp_ipcp_confnak(struct sppp *sp, struct lcp_header *h, int len) 4020 { 4021 u_char *p, l; 4022 struct ifnet *ifp = &sp->pp_if; 4023 int debug = ifp->if_flags & IFF_DEBUG; 4024 uint32_t wantaddr; 4025 4026 KASSERT(SPPP_WLOCKED(sp)); 4027 4028 len -= sizeof(*h); 4029 4030 if (debug) 4031 log(LOG_DEBUG, "%s: ipcp nak opts:", 4032 ifp->if_xname); 4033 4034 p = (void *)(h + 1); 4035 for (; len > 1; len -= l, p += l) { 4036 l = p[1]; 4037 if (l == 0) 4038 break; 4039 4040 /* Sanity check option length */ 4041 if (l > len) { 4042 /* XXX should we just RXJ? */ 4043 addlog("%s: malicious IPCP option received, dropping\n", 4044 ifp->if_xname); 4045 return; 4046 } 4047 if (debug) { 4048 char ipbuf[SPPP_IPCPOPT_NAMELEN]; 4049 addlog(" %s", 4050 sppp_ipcp_opt_name(ipbuf, sizeof(ipbuf), *p)); 4051 } 4052 switch (*p) { 4053 case IPCP_OPT_ADDRESS: 4054 /* 4055 * Peer doesn't like our local IP address. See 4056 * if we can do something for him. We'll drop 4057 * him our address then. 4058 */ 4059 if (len >= 6 && l == 6) { 4060 wantaddr = p[2] << 24 | p[3] << 16 | 4061 p[4] << 8 | p[5]; 4062 SET(sp->ipcp.opts, SPPP_IPCP_OPT_ADDRESS); 4063 if (debug) { 4064 char dqbuf[SPPP_DOTQUAD_BUFLEN]; 4065 const char *dq; 4066 4067 dq = sppp_dotted_quad(dqbuf, 4068 sizeof(dqbuf), wantaddr); 4069 addlog(" [wantaddr %s]", dq); 4070 } 4071 /* 4072 * When doing dynamic address assignment, 4073 * we accept his offer. Otherwise, we 4074 * ignore it and thus continue to negotiate 4075 * our already existing value. 4076 */ 4077 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 4078 if (ntohl(wantaddr) != INADDR_ANY) { 4079 if (debug) 4080 addlog(" [agree]"); 4081 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 4082 sp->ipcp.req_myaddr = wantaddr; 4083 } else { 4084 if (debug) 4085 addlog(" [not agreed]"); 4086 } 4087 } 4088 } 4089 break; 4090 4091 case IPCP_OPT_PRIMDNS: 4092 if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS) && 4093 len >= 6 && l == 6) { 4094 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 4095 p[4] << 8 | p[5]; 4096 } 4097 break; 4098 4099 case IPCP_OPT_SECDNS: 4100 if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS) && 4101 len >= 6 && l == 6) { 4102 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 4103 p[4] << 8 | p[5]; 4104 } 4105 break; 4106 #ifdef notyet 4107 case IPCP_OPT_COMPRESS: 4108 /* 4109 * Peer wants different compression parameters. 4110 */ 4111 break; 4112 #endif 4113 } 4114 } 4115 if (debug) 4116 addlog("\n"); 4117 } 4118 4119 static void 4120 sppp_ipcp_tlu(struct sppp *sp) 4121 { 4122 #ifdef INET 4123 struct ifnet *ifp; 4124 4125 ifp = &sp->pp_if; 4126 KASSERT(SPPP_WLOCKED(sp)); 4127 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && 4128 ((sp->ipcp.flags & IPCP_MYADDR_SEEN) == 0)) { 4129 log(LOG_WARNING, "%s: no IP address, closing IPCP\n", 4130 ifp->if_xname); 4131 sppp_wq_add(sp->wq_cp, 4132 &sp->scp[IDX_IPCP].work_close); 4133 } else { 4134 /* we are up. Set addresses and notify anyone interested */ 4135 sppp_set_ip_addrs(sp); 4136 } 4137 #endif 4138 } 4139 4140 static void 4141 sppp_ipcp_scr(struct sppp *sp) 4142 { 4143 uint8_t opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 4144 #ifdef INET 4145 uint32_t ouraddr; 4146 #endif 4147 int i = 0; 4148 4149 KASSERT(SPPP_WLOCKED(sp)); 4150 4151 #ifdef notyet 4152 if (ISSET(sp->ipcp.opts,SPPP_IPCP_OPT_COMPRESSION)) { 4153 opt[i++] = IPCP_OPT_COMPRESSION; 4154 opt[i++] = 6; 4155 opt[i++] = 0; /* VJ header compression */ 4156 opt[i++] = 0x2d; /* VJ header compression */ 4157 opt[i++] = max_slot_id; 4158 opt[i++] = comp_slot_id; 4159 } 4160 #endif 4161 4162 #ifdef INET 4163 if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_ADDRESS)) { 4164 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) { 4165 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 4166 } else { 4167 kpreempt_disable(); 4168 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 4169 kpreempt_enable(); 4170 } 4171 opt[i++] = IPCP_OPT_ADDRESS; 4172 opt[i++] = 6; 4173 opt[i++] = ouraddr >> 24; 4174 opt[i++] = ouraddr >> 16; 4175 opt[i++] = ouraddr >> 8; 4176 opt[i++] = ouraddr; 4177 } 4178 #endif 4179 4180 if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS)) { 4181 opt[i++] = IPCP_OPT_PRIMDNS; 4182 opt[i++] = 6; 4183 opt[i++] = sp->dns_addrs[0] >> 24; 4184 opt[i++] = sp->dns_addrs[0] >> 16; 4185 opt[i++] = sp->dns_addrs[0] >> 8; 4186 opt[i++] = sp->dns_addrs[0]; 4187 } 4188 if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS)) { 4189 opt[i++] = IPCP_OPT_SECDNS; 4190 opt[i++] = 6; 4191 opt[i++] = sp->dns_addrs[1] >> 24; 4192 opt[i++] = sp->dns_addrs[1] >> 16; 4193 opt[i++] = sp->dns_addrs[1] >> 8; 4194 opt[i++] = sp->dns_addrs[1]; 4195 } 4196 4197 sp->scp[IDX_IPCP].confid = ++sp->scp[IDX_IPCP].seq; 4198 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->scp[IDX_IPCP].confid, i, &opt); 4199 } 4200 4201 /* 4202 *--------------------------------------------------------------------------* 4203 * * 4204 * The IPv6CP implementation. * 4205 * * 4206 *--------------------------------------------------------------------------* 4207 */ 4208 4209 #ifdef INET6 4210 static void 4211 sppp_ipv6cp_init(struct sppp *sp) 4212 { 4213 4214 KASSERT(SPPP_WLOCKED(sp)); 4215 4216 sppp_cp_init(&ipv6cp, sp); 4217 4218 sp->ipv6cp.opts = 0; 4219 sp->ipv6cp.flags = 0; 4220 } 4221 4222 static void 4223 sppp_ipv6cp_open(struct sppp *sp, void *xcp) 4224 { 4225 STDDCL; 4226 struct in6_addr myaddr, hisaddr; 4227 4228 KASSERT(SPPP_WLOCKED(sp)); 4229 KASSERT(!cpu_softintr_p()); 4230 4231 if (!ISSET(sp->pp_ncpflags, SPPP_NCP_IPV6CP)) 4232 return; 4233 4234 #ifdef IPV6CP_MYIFID_DYN 4235 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 4236 #else 4237 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 4238 #endif 4239 4240 kpreempt_disable(); 4241 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 4242 kpreempt_enable(); 4243 /* 4244 * If we don't have our address, this probably means our 4245 * interface doesn't want to talk IPv6 at all. (This could 4246 * be the case if somebody wants to speak only IPX, for 4247 * example.) Don't open IPv6CP in this case. 4248 */ 4249 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 4250 /* XXX this message should go away */ 4251 if (debug) 4252 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 4253 ifp->if_xname); 4254 return; 4255 } 4256 4257 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 4258 SET(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_IFID); 4259 sppp_open_event(sp, xcp); 4260 } 4261 4262 /* 4263 * Analyze a configure request. Return true if it was agreeable, and 4264 * caused action sca, false if it has been rejected or nak'ed, and 4265 * caused action scn. (The return value is used to make the state 4266 * transition decision in the state automaton.) 4267 */ 4268 static enum cp_rcr_type 4269 sppp_ipv6cp_confreq(struct sppp *sp, struct lcp_header *h, int origlen, 4270 uint8_t **msgbuf, size_t *buflen, size_t *msglen) 4271 { 4272 u_char *buf, *r, *p, l, blen; 4273 struct ifnet *ifp = &sp->pp_if; 4274 int rlen, len, debug = ifp->if_flags & IFF_DEBUG; 4275 struct in6_addr myaddr, desiredaddr, suggestaddr; 4276 enum cp_rcr_type type; 4277 int ifidcount; 4278 int collision, nohisaddr; 4279 char ip6buf[INET6_ADDRSTRLEN]; 4280 char tbuf[SPPP_CPTYPE_NAMELEN]; 4281 char ipv6buf[SPPP_IPV6CPOPT_NAMELEN]; 4282 const char *cpname; 4283 4284 KASSERT(SPPP_WLOCKED(sp)); 4285 4286 type = CP_RCR_NONE; 4287 origlen -= sizeof(*h); 4288 4289 if (origlen < 0) 4290 return CP_RCR_DROP; 4291 4292 /* 4293 * Make sure to allocate a buf that can at least hold a 4294 * conf-nak with an `address' option. We might need it below. 4295 */ 4296 blen = MAX(6, origlen); 4297 4298 buf = kmem_intr_alloc(blen, KM_NOSLEEP); 4299 if (buf == NULL) 4300 return CP_RCR_DROP; 4301 4302 /* pass 1: see if we can recognize them */ 4303 if (debug) 4304 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 4305 ifp->if_xname); 4306 p = (void *)(h + 1); 4307 r = buf; 4308 rlen = 0; 4309 ifidcount = 0; 4310 for (len = origlen; len > 1; len -= l, p += l) { 4311 l = p[1]; 4312 if (l == 0) 4313 break; 4314 4315 /* Sanity check option length */ 4316 if (l > len) { 4317 /* XXX just RXJ? */ 4318 addlog("%s: received malicious IPCPv6 option, " 4319 "dropping\n", ifp->if_xname); 4320 type = CP_RCR_ERR; 4321 goto end; 4322 } 4323 if (debug) { 4324 addlog(" %s", sppp_ipv6cp_opt_name(ipv6buf, 4325 sizeof(ipv6buf),*p)); 4326 } 4327 switch (p[0]) { 4328 case IPV6CP_OPT_IFID: 4329 if (len >= 10 && l == 10 && ifidcount == 0) { 4330 /* correctly formed address option */ 4331 ifidcount++; 4332 continue; 4333 } 4334 if (debug) 4335 addlog(" [invalid]"); 4336 break; 4337 #ifdef notyet 4338 case IPV6CP_OPT_COMPRESSION: 4339 if (len >= 4 && l >= 4) { 4340 /* correctly formed compress option */ 4341 continue; 4342 } 4343 if (debug) 4344 addlog(" [invalid]"); 4345 break; 4346 #endif 4347 default: 4348 /* Others not supported. */ 4349 if (debug) 4350 addlog(" [rej]"); 4351 break; 4352 } 4353 if (rlen + l > blen) { 4354 if (debug) 4355 addlog(" [overflow]"); 4356 continue; 4357 } 4358 /* Add the option to rejected list. */ 4359 memcpy(r, p, l); 4360 r += l; 4361 rlen += l; 4362 } 4363 4364 if (rlen > 0) { 4365 type = CP_RCR_REJ; 4366 goto end; 4367 } 4368 4369 if (debug) 4370 addlog("\n"); 4371 4372 /* pass 2: parse option values */ 4373 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 4374 if (debug) 4375 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 4376 ifp->if_xname); 4377 p = (void *)(h + 1); 4378 r = buf; 4379 rlen = 0; 4380 type = CP_RCR_ACK; 4381 for (len = origlen; len > 1; len -= l, p += l) { 4382 l = p[1]; 4383 if (l == 0) 4384 break; 4385 4386 if (debug) { 4387 addlog(" %s", sppp_ipv6cp_opt_name(ipv6buf, 4388 sizeof(ipv6buf), *p)); 4389 } 4390 switch (p[0]) { 4391 #ifdef notyet 4392 case IPV6CP_OPT_COMPRESSION: 4393 continue; 4394 #endif 4395 case IPV6CP_OPT_IFID: 4396 memset(&desiredaddr, 0, sizeof(desiredaddr)); 4397 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 4398 collision = (memcmp(&desiredaddr.s6_addr[8], 4399 &myaddr.s6_addr[8], 8) == 0); 4400 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 4401 4402 desiredaddr.s6_addr16[0] = htons(0xfe80); 4403 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 4404 4405 if (!collision && !nohisaddr) { 4406 /* no collision, hisaddr known - Conf-Ack */ 4407 type = CP_RCR_ACK; 4408 memcpy(sp->ipv6cp.my_ifid, &myaddr.s6_addr[8], 4409 sizeof(sp->ipv6cp.my_ifid)); 4410 memcpy(sp->ipv6cp.his_ifid, 4411 &desiredaddr.s6_addr[8], 4412 sizeof(sp->ipv6cp.my_ifid)); 4413 4414 if (debug) { 4415 cpname = sppp_cp_type_name(tbuf, 4416 sizeof(tbuf), CONF_ACK); 4417 addlog(" %s [%s]", 4418 IN6_PRINT(ip6buf, &desiredaddr), 4419 cpname); 4420 } 4421 continue; 4422 } 4423 4424 memset(&suggestaddr, 0, sizeof(suggestaddr)); 4425 if (collision && nohisaddr) { 4426 /* collision, hisaddr unknown - Conf-Rej */ 4427 type = CP_RCR_REJ; 4428 memset(&p[2], 0, 8); 4429 } else { 4430 /* 4431 * - no collision, hisaddr unknown, or 4432 * - collision, hisaddr known 4433 * Conf-Nak, suggest hisaddr 4434 */ 4435 type = CP_RCR_NAK; 4436 sppp_suggest_ip6_addr(sp, &suggestaddr); 4437 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 4438 } 4439 if (debug) { 4440 int ctype = type == CP_RCR_REJ ? CONF_REJ : CONF_NAK; 4441 4442 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), ctype); 4443 addlog(" %s [%s]", IN6_PRINT(ip6buf, &desiredaddr), 4444 cpname); 4445 } 4446 break; 4447 } 4448 if (rlen + l > blen) { 4449 if (debug) 4450 addlog(" [overflow]"); 4451 continue; 4452 } 4453 /* Add the option to nak'ed list. */ 4454 memcpy(r, p, l); 4455 r += l; 4456 rlen += l; 4457 } 4458 4459 if (rlen > 0) { 4460 if (type != CP_RCR_ACK) { 4461 if (debug) { 4462 int ctype ; 4463 ctype = type == CP_RCR_REJ ? 4464 CONF_REJ : CONF_NAK; 4465 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), ctype); 4466 addlog(" send %s suggest %s\n", 4467 cpname, IN6_PRINT(ip6buf, &suggestaddr)); 4468 } 4469 } 4470 #ifdef notdef 4471 if (type == CP_RCR_ACK) 4472 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 4473 #endif 4474 } else { 4475 if (type == CP_RCR_ACK) { 4476 rlen = origlen; 4477 memcpy(r, h + 1, rlen); 4478 } 4479 } 4480 end: 4481 if (debug) 4482 addlog("\n"); 4483 4484 if (type == CP_RCR_ERR || type == CP_RCR_DROP) { 4485 if (buf != NULL) 4486 kmem_intr_free(buf, blen); 4487 } else { 4488 *msgbuf = buf; 4489 *buflen = blen; 4490 *msglen = rlen; 4491 } 4492 4493 return type; 4494 } 4495 4496 /* 4497 * Analyze the IPv6CP Configure-Reject option list, and adjust our 4498 * negotiation. 4499 */ 4500 static void 4501 sppp_ipv6cp_confrej(struct sppp *sp, struct lcp_header *h, int len) 4502 { 4503 u_char *p, l; 4504 struct ifnet *ifp = &sp->pp_if; 4505 int debug = ifp->if_flags & IFF_DEBUG; 4506 4507 KASSERT(SPPP_WLOCKED(sp)); 4508 4509 if (len <= sizeof(*h)) 4510 return; 4511 4512 len -= sizeof(*h); 4513 4514 if (debug) 4515 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 4516 ifp->if_xname); 4517 4518 p = (void *)(h + 1); 4519 for (; len > 1; len -= l, p += l) { 4520 l = p[1]; 4521 if (l == 0) 4522 break; 4523 4524 if (l > len) { 4525 /* XXX just RXJ? */ 4526 addlog("%s: received malicious IPCPv6 option, " 4527 "dropping\n", ifp->if_xname); 4528 goto end; 4529 } 4530 if (debug) { 4531 char ipv6buf[SPPP_IPV6CPOPT_NAMELEN]; 4532 addlog(" %s", sppp_ipv6cp_opt_name(ipv6buf, 4533 sizeof(ipv6buf), *p)); 4534 } 4535 switch (p[0]) { 4536 case IPV6CP_OPT_IFID: 4537 /* 4538 * Peer doesn't grok address option. This is 4539 * bad. XXX Should we better give up here? 4540 */ 4541 CLR(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_IFID); 4542 break; 4543 #ifdef notyet 4544 case IPV6CP_OPT_COMPRESS: 4545 CLR(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_COMPRESS); 4546 break; 4547 #endif 4548 } 4549 } 4550 if (debug) 4551 addlog("\n"); 4552 end: 4553 return; 4554 } 4555 4556 /* 4557 * Analyze the IPv6CP Configure-NAK option list, and adjust our 4558 * negotiation. 4559 */ 4560 static void 4561 sppp_ipv6cp_confnak(struct sppp *sp, struct lcp_header *h, int len) 4562 { 4563 u_char *p, l; 4564 struct ifnet *ifp = &sp->pp_if; 4565 int debug = ifp->if_flags & IFF_DEBUG; 4566 struct in6_addr suggestaddr; 4567 char ip6buf[INET6_ADDRSTRLEN]; 4568 4569 KASSERT(SPPP_WLOCKED(sp)); 4570 4571 if (len <= sizeof(*h)) 4572 return; 4573 4574 len -= sizeof(*h); 4575 4576 if (debug) 4577 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 4578 ifp->if_xname); 4579 4580 p = (void *)(h + 1); 4581 for (; len > 1; len -= l, p += l) { 4582 l = p[1]; 4583 if (l == 0) 4584 break; 4585 4586 if (l > len) { 4587 /* XXX just RXJ? */ 4588 addlog("%s: received malicious IPCPv6 option, " 4589 "dropping\n", ifp->if_xname); 4590 goto end; 4591 } 4592 if (debug) { 4593 char ipv6buf[SPPP_IPV6CPOPT_NAMELEN]; 4594 addlog(" %s", sppp_ipv6cp_opt_name(ipv6buf, 4595 sizeof(ipv6buf), *p)); 4596 } 4597 switch (p[0]) { 4598 case IPV6CP_OPT_IFID: 4599 /* 4600 * Peer doesn't like our local ifid. See 4601 * if we can do something for him. We'll drop 4602 * him our address then. 4603 */ 4604 if (len < 10 || l != 10) 4605 break; 4606 memset(&suggestaddr, 0, sizeof(suggestaddr)); 4607 suggestaddr.s6_addr16[0] = htons(0xfe80); 4608 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 4609 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 4610 4611 SET(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_IFID); 4612 if (debug) 4613 addlog(" [suggestaddr %s]", 4614 IN6_PRINT(ip6buf, &suggestaddr)); 4615 #ifdef IPV6CP_MYIFID_DYN 4616 /* 4617 * When doing dynamic address assignment, 4618 * we accept his offer. 4619 */ 4620 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 4621 struct in6_addr lastsuggest; 4622 /* 4623 * If <suggested myaddr from peer> equals to 4624 * <hisaddr we have suggested last time>, 4625 * we have a collision. generate new random 4626 * ifid. 4627 */ 4628 sppp_suggest_ip6_addr(&lastsuggest); 4629 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 4630 lastsuggest)) { 4631 if (debug) 4632 addlog(" [random]"); 4633 sppp_gen_ip6_addr(sp, &suggestaddr); 4634 } 4635 sppp_set_ip6_addr(sp, &suggestaddr, 0); 4636 if (debug) 4637 addlog(" [agree]"); 4638 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 4639 } 4640 #else 4641 /* 4642 * Since we do not do dynamic address assignment, 4643 * we ignore it and thus continue to negotiate 4644 * our already existing value. This can possibly 4645 * go into infinite request-reject loop. 4646 * 4647 * This is not likely because we normally use 4648 * ifid based on MAC-address. 4649 * If you have no ethernet card on the node, too bad. 4650 * XXX should we use fail_counter? 4651 */ 4652 #endif 4653 break; 4654 #ifdef notyet 4655 case IPV6CP_OPT_COMPRESS: 4656 /* 4657 * Peer wants different compression parameters. 4658 */ 4659 break; 4660 #endif 4661 } 4662 } 4663 if (debug) 4664 addlog("\n"); 4665 end: 4666 return; 4667 } 4668 4669 static void 4670 sppp_ipv6cp_tlu(struct sppp *sp) 4671 { 4672 4673 KASSERT(SPPP_WLOCKED(sp)); 4674 /* we are up - notify isdn daemon */ 4675 sppp_notify_con_wlocked(sp); 4676 } 4677 4678 static void 4679 sppp_ipv6cp_scr(struct sppp *sp) 4680 { 4681 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 4682 struct in6_addr ouraddr; 4683 int i = 0; 4684 4685 KASSERT(SPPP_WLOCKED(sp)); 4686 4687 if (ISSET(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_IFID)) { 4688 kpreempt_disable(); 4689 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 4690 kpreempt_enable(); 4691 4692 opt[i++] = IPV6CP_OPT_IFID; 4693 opt[i++] = 10; 4694 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 4695 i += 8; 4696 } 4697 4698 #ifdef notyet 4699 if (ISSET(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_COMPRESSION)) { 4700 opt[i++] = IPV6CP_OPT_COMPRESSION; 4701 opt[i++] = 4; 4702 opt[i++] = 0; /* TBD */ 4703 opt[i++] = 0; /* TBD */ 4704 /* variable length data may follow */ 4705 } 4706 #endif 4707 4708 sp->scp[IDX_IPV6CP].confid = ++sp->scp[IDX_IPV6CP].seq; 4709 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->scp[IDX_IPV6CP].confid, i, &opt); 4710 } 4711 #else /*INET6*/ 4712 static void 4713 sppp_ipv6cp_init(struct sppp *sp) 4714 { 4715 4716 KASSERT(SPPP_WLOCKED(sp)); 4717 } 4718 4719 static void 4720 sppp_ipv6cp_open(struct sppp *sp, void *xcp) 4721 { 4722 4723 KASSERT(SPPP_WLOCKED(sp)); 4724 } 4725 4726 static enum cp_rcr_type 4727 sppp_ipv6cp_confreq(struct sppp *sp, struct lcp_header *h, 4728 int len, uint8_t **msgbuf, size_t *buflen, size_t *msglen) 4729 { 4730 4731 KASSERT(SPPP_WLOCKED(sp)); 4732 return 0; 4733 } 4734 4735 static void 4736 sppp_ipv6cp_confrej(struct sppp *sp, struct lcp_header *h, 4737 int len) 4738 { 4739 4740 KASSERT(SPPP_WLOCKED(sp)); 4741 } 4742 4743 static void 4744 sppp_ipv6cp_confnak(struct sppp *sp, struct lcp_header *h, 4745 int len) 4746 { 4747 4748 KASSERT(SPPP_WLOCKED(sp)); 4749 } 4750 4751 static void 4752 sppp_ipv6cp_tlu(struct sppp *sp) 4753 { 4754 4755 KASSERT(SPPP_WLOCKED(sp)); 4756 } 4757 4758 static void 4759 sppp_ipv6cp_scr(struct sppp *sp) 4760 { 4761 4762 KASSERT(SPPP_WLOCKED(sp)); 4763 } 4764 #endif /*INET6*/ 4765 4766 /* 4767 *--------------------------------------------------------------------------* 4768 * * 4769 * The CHAP implementation. * 4770 * * 4771 *--------------------------------------------------------------------------* 4772 */ 4773 /* 4774 * The authentication protocols is implemented on the state machine for 4775 * control protocols. And it uses following actions and events. 4776 * 4777 * Actions: 4778 * - scr: send CHAP_CHALLENGE and CHAP_RESPONSE 4779 * - sca: send CHAP_SUCCESS 4780 * - scn: send CHAP_FAILURE and shutdown lcp 4781 * Events: 4782 * - RCR+: receive CHAP_RESPONSE containing correct digest 4783 * - RCR-: receive CHAP_RESPONSE containing wrong digest 4784 * - RCA: receive CHAP_SUCCESS 4785 * - RCN: (this event is unused) 4786 * - TO+: re-send CHAP_CHALLENGE and CHAP_RESPONSE 4787 * - TO-: this layer finish 4788 */ 4789 4790 /* 4791 * Handle incoming CHAP packets. 4792 */ 4793 void 4794 sppp_chap_input(struct sppp *sp, struct mbuf *m) 4795 { 4796 STDDCL; 4797 struct lcp_header *h; 4798 int len, x; 4799 u_char *value, *name, digest[sizeof(sp->chap.challenge)]; 4800 int value_len, name_len; 4801 MD5_CTX ctx; 4802 char abuf[SPPP_AUTHTYPE_NAMELEN]; 4803 const char *authname; 4804 4805 len = m->m_pkthdr.len; 4806 if (len < 4) { 4807 if (debug) 4808 log(LOG_DEBUG, 4809 "%s: chap invalid packet length: %d bytes\n", 4810 ifp->if_xname, len); 4811 return; 4812 } 4813 h = mtod(m, struct lcp_header *); 4814 if (len > ntohs(h->len)) 4815 len = ntohs(h->len); 4816 4817 SPPP_LOCK(sp, RW_WRITER); 4818 4819 switch (h->type) { 4820 /* challenge, failure and success are his authproto */ 4821 case CHAP_CHALLENGE: 4822 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4823 /* can't do anything useful */ 4824 sp->pp_auth_failures++; 4825 printf("%s: chap input without my name and my secret being set\n", 4826 ifp->if_xname); 4827 break; 4828 } 4829 value = 1 + (u_char *)(h + 1); 4830 value_len = value[-1]; 4831 name = value + value_len; 4832 name_len = len - value_len - 5; 4833 if (name_len < 0) { 4834 if (debug) { 4835 authname = sppp_auth_type_name(abuf, 4836 sizeof(abuf), PPP_CHAP, h->type); 4837 log(LOG_DEBUG, 4838 "%s: chap corrupted challenge " 4839 "<%s id=0x%x len=%d", 4840 ifp->if_xname, authname, 4841 h->ident, ntohs(h->len)); 4842 if (len > 4) 4843 sppp_print_bytes((u_char *)(h + 1), 4844 len - 4); 4845 addlog(">\n"); 4846 } 4847 break; 4848 } 4849 4850 if (debug) { 4851 authname = sppp_auth_type_name(abuf, 4852 sizeof(abuf), PPP_CHAP, h->type); 4853 log(LOG_DEBUG, 4854 "%s: chap input <%s id=0x%x len=%d name=", 4855 ifp->if_xname, authname, h->ident, 4856 ntohs(h->len)); 4857 sppp_print_string((char *) name, name_len); 4858 addlog(" value-size=%d value=", value_len); 4859 sppp_print_bytes(value, value_len); 4860 addlog(">\n"); 4861 } 4862 4863 /* Compute reply value. */ 4864 MD5Init(&ctx); 4865 MD5Update(&ctx, &h->ident, 1); 4866 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 4867 MD5Update(&ctx, value, value_len); 4868 MD5Final(sp->chap.digest, &ctx); 4869 sp->chap.digest_len = sizeof(sp->chap.digest); 4870 sp->scp[IDX_CHAP].rconfid = h->ident; 4871 4872 sppp_wq_add(sp->wq_cp, &sp->chap.work_challenge_rcvd); 4873 break; 4874 4875 case CHAP_SUCCESS: 4876 if (debug) { 4877 log(LOG_DEBUG, "%s: chap success", 4878 ifp->if_xname); 4879 if (len > 4) { 4880 addlog(": "); 4881 sppp_print_string((char *)(h + 1), len - 4); 4882 } 4883 addlog("\n"); 4884 } 4885 4886 if (h->ident != sp->scp[IDX_CHAP].rconfid) { 4887 if (debug) { 4888 log(LOG_DEBUG, "%s: %s id mismatch 0x%x != 0x%x\n", 4889 ifp->if_xname, chap.name, 4890 h->ident, sp->scp[IDX_CHAP].rconfid); 4891 } 4892 if_statinc(ifp, if_ierrors); 4893 break; 4894 } 4895 4896 if (sp->chap.digest_len == 0) { 4897 if (debug) { 4898 log(LOG_DEBUG, 4899 "%s: receive CHAP success without challenge\n", 4900 ifp->if_xname); 4901 } 4902 if_statinc(ifp, if_ierrors); 4903 break; 4904 } 4905 4906 x = splnet(); 4907 sp->pp_auth_failures = 0; 4908 sp->pp_flags &= ~PP_NEEDAUTH; 4909 splx(x); 4910 memset(sp->chap.digest, 0, sizeof(sp->chap.digest)); 4911 sp->chap.digest_len = 0; 4912 4913 if (!ISSET(sppp_auth_role(&chap, sp), SPPP_AUTH_SERV)) { 4914 /* 4915 * we are not authenticator for CHAP, 4916 * generate a dummy RCR+ event without CHAP_RESPONSE 4917 */ 4918 sp->scp[IDX_CHAP].rcr_type = CP_RCR_ACK; 4919 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rcr); 4920 } 4921 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rca); 4922 break; 4923 4924 case CHAP_FAILURE: 4925 if (h->ident != sp->scp[IDX_CHAP].rconfid) { 4926 if (debug) { 4927 log(LOG_DEBUG, "%s: %s id mismatch 0x%x != 0x%x\n", 4928 ifp->if_xname, chap.name, 4929 h->ident, sp->scp[IDX_CHAP].rconfid); 4930 } 4931 if_statinc(ifp, if_ierrors); 4932 break; 4933 } 4934 4935 if (sp->chap.digest_len == 0) { 4936 if (debug) { 4937 log(LOG_DEBUG, 4938 "%s: receive CHAP failure without challenge\n", 4939 ifp->if_xname); 4940 } 4941 if_statinc(ifp, if_ierrors); 4942 break; 4943 } 4944 4945 x = splnet(); 4946 sp->pp_auth_failures++; 4947 splx(x); 4948 if (debug) { 4949 log(LOG_INFO, "%s: chap failure", 4950 ifp->if_xname); 4951 if (len > 4) { 4952 addlog(": "); 4953 sppp_print_string((char *)(h + 1), len - 4); 4954 } 4955 addlog("\n"); 4956 } else 4957 log(LOG_INFO, "%s: chap failure\n", 4958 ifp->if_xname); 4959 4960 memset(sp->chap.digest, 0, sizeof(sp->chap.digest)); 4961 sp->chap.digest_len = 0; 4962 /* 4963 * await LCP shutdown by authenticator, 4964 * so we don't have to enqueue sc->scp[IDX_CHAP].work_rcn 4965 */ 4966 break; 4967 4968 /* response is my authproto */ 4969 case CHAP_RESPONSE: 4970 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4971 /* can't do anything useful */ 4972 printf("%s: chap response" 4973 " without his name and his secret being set\n", 4974 ifp->if_xname); 4975 break; 4976 } 4977 value = 1 + (u_char *)(h + 1); 4978 value_len = value[-1]; 4979 name = value + value_len; 4980 name_len = len - value_len - 5; 4981 if (name_len < 0) { 4982 if (debug) { 4983 authname = sppp_auth_type_name(abuf, 4984 sizeof(abuf), PPP_CHAP, h->type); 4985 log(LOG_DEBUG, 4986 "%s: chap corrupted response " 4987 "<%s id=0x%x len=%d", 4988 ifp->if_xname, authname, 4989 h->ident, ntohs(h->len)); 4990 if (len > 4) 4991 sppp_print_bytes((u_char *)(h + 1), 4992 len - 4); 4993 addlog(">\n"); 4994 } 4995 break; 4996 } 4997 if (h->ident != sp->scp[IDX_CHAP].confid) { 4998 if (debug) 4999 log(LOG_DEBUG, 5000 "%s: chap dropping response for old ID " 5001 "(got %d, expected %d)\n", 5002 ifp->if_xname, 5003 h->ident, sp->scp[IDX_CHAP].confid); 5004 break; 5005 } else { 5006 sp->scp[IDX_CHAP].rconfid = h->ident; 5007 } 5008 5009 if (sp->hisauth.name != NULL && 5010 (name_len != sp->hisauth.name_len 5011 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 5012 log(LOG_INFO, "%s: chap response, his name ", 5013 ifp->if_xname); 5014 sppp_print_string(name, name_len); 5015 addlog(" != expected "); 5016 sppp_print_string(sp->hisauth.name, 5017 sp->hisauth.name_len); 5018 addlog("\n"); 5019 5020 /* generate RCR- event */ 5021 sp->scp[IDX_CHAP].rcr_type = CP_RCR_NAK; 5022 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rcr); 5023 break; 5024 } 5025 5026 if (debug) { 5027 authname = sppp_auth_type_name(abuf, 5028 sizeof(abuf), PPP_CHAP, h->type); 5029 log(LOG_DEBUG, "%s: chap input(%s) " 5030 "<%s id=0x%x len=%d name=", 5031 ifp->if_xname, 5032 sppp_state_name(sp->scp[IDX_CHAP].state), 5033 authname, h->ident, ntohs(h->len)); 5034 sppp_print_string((char *)name, name_len); 5035 addlog(" value-size=%d value=", value_len); 5036 sppp_print_bytes(value, value_len); 5037 addlog(">\n"); 5038 } 5039 5040 if (value_len == sizeof(sp->chap.challenge) && 5041 value_len == sizeof(sp->chap.digest)) { 5042 MD5Init(&ctx); 5043 MD5Update(&ctx, &h->ident, 1); 5044 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 5045 MD5Update(&ctx, sp->chap.challenge, sizeof(sp->chap.challenge)); 5046 MD5Final(digest, &ctx); 5047 5048 if (memcmp(digest, value, value_len) == 0) { 5049 sp->scp[IDX_CHAP].rcr_type = CP_RCR_ACK; 5050 } else { 5051 sp->scp[IDX_CHAP].rcr_type = CP_RCR_NAK; 5052 } 5053 } else { 5054 if (debug) 5055 log(LOG_DEBUG, 5056 "%s: chap bad hash value length: " 5057 "%d bytes, should be %zu\n", 5058 ifp->if_xname, value_len, 5059 sizeof(sp->chap.challenge)); 5060 5061 sp->scp[IDX_CHAP].rcr_type = CP_RCR_NAK; 5062 } 5063 5064 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rcr); 5065 5066 /* generate a dummy RCA event */ 5067 if (sp->scp[IDX_CHAP].rcr_type == CP_RCR_ACK && 5068 (!ISSET(sppp_auth_role(&chap, sp), SPPP_AUTH_PEER) || 5069 sp->chap.rechallenging)) { 5070 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rca); 5071 } 5072 break; 5073 5074 default: 5075 /* Unknown CHAP packet type -- ignore. */ 5076 if (debug) { 5077 log(LOG_DEBUG, "%s: chap unknown input(%s) " 5078 "<0x%x id=0x%xh len=%d", 5079 ifp->if_xname, 5080 sppp_state_name(sp->scp[IDX_CHAP].state), 5081 h->type, h->ident, ntohs(h->len)); 5082 if (len > 4) 5083 sppp_print_bytes((u_char *)(h + 1), len - 4); 5084 addlog(">\n"); 5085 } 5086 break; 5087 5088 } 5089 5090 SPPP_UNLOCK(sp); 5091 } 5092 5093 static void 5094 sppp_chap_init(struct sppp *sp) 5095 { 5096 5097 KASSERT(SPPP_WLOCKED(sp)); 5098 5099 sppp_cp_init(&chap, sp); 5100 5101 SPPP_WQ_SET(&sp->chap.work_challenge_rcvd, 5102 sppp_chap_rcv_challenge_event, &chap); 5103 } 5104 5105 static void 5106 sppp_chap_open(struct sppp *sp, void *xcp) 5107 { 5108 5109 KASSERT(SPPP_WLOCKED(sp)); 5110 5111 memset(sp->chap.digest, 0, sizeof(sp->chap.digest)); 5112 sp->chap.digest_len = 0; 5113 sp->chap.rechallenging = false; 5114 sp->chap.response_rcvd = false; 5115 sppp_open_event(sp, xcp); 5116 } 5117 5118 static void 5119 sppp_chap_tlu(struct sppp *sp) 5120 { 5121 STDDCL; 5122 int i, x; 5123 5124 KASSERT(SPPP_WLOCKED(sp)); 5125 5126 i = 0; 5127 sp->scp[IDX_CHAP].rst_counter = sp->lcp.max_configure; 5128 x = splnet(); 5129 sp->pp_auth_failures = 0; 5130 splx(x); 5131 5132 log(LOG_DEBUG, "%s: chap %s", ifp->if_xname, 5133 sp->pp_phase == SPPP_PHASE_NETWORK ? "reconfirmed" : "tlu"); 5134 5135 /* 5136 * Some broken CHAP implementations (Conware CoNet, firmware 5137 * 4.0.?) don't want to re-authenticate their CHAP once the 5138 * initial challenge-response exchange has taken place. 5139 * Provide for an option to avoid rechallenges. 5140 */ 5141 if (ISSET(sppp_auth_role(&chap, sp), SPPP_AUTH_SERV) && 5142 (sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 5143 /* 5144 * Compute the re-challenge timeout. This will yield 5145 * a number between 300 and 810 seconds. 5146 */ 5147 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7); 5148 callout_schedule(&sp->scp[IDX_CHAP].ch, i * hz); 5149 5150 if (debug) { 5151 addlog(", next rechallenge in %d seconds", i); 5152 } 5153 } 5154 5155 addlog("\n"); 5156 5157 /* 5158 * If we are already in phase network, we are done here. This 5159 * is the case if this is a dummy tlu event after a re-challenge. 5160 */ 5161 if (sp->pp_phase != SPPP_PHASE_NETWORK) 5162 sppp_phase_network(sp); 5163 } 5164 5165 static void 5166 sppp_chap_scr(struct sppp *sp) 5167 { 5168 uint32_t *ch; 5169 u_char clen, dsize; 5170 int role; 5171 5172 KASSERT(SPPP_WLOCKED(sp)); 5173 5174 role = sppp_auth_role(&chap, sp); 5175 5176 if (ISSET(role, SPPP_AUTH_SERV) && 5177 !sp->chap.response_rcvd) { 5178 /* we are authenticator for CHAP, send challenge */ 5179 ch = (uint32_t *)sp->chap.challenge; 5180 clen = sizeof(sp->chap.challenge); 5181 /* Compute random challenge. */ 5182 cprng_strong(kern_cprng, ch, clen, 0); 5183 5184 sp->scp[IDX_CHAP].confid = ++sp->scp[IDX_CHAP].seq; 5185 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->scp[IDX_CHAP].confid, 5186 sizeof(clen), (const char *)&clen, 5187 sizeof(sp->chap.challenge), sp->chap.challenge, 5188 0); 5189 } 5190 5191 if (ISSET(role, SPPP_AUTH_PEER) && 5192 sp->chap.digest_len > 0) { 5193 /* we are peer for CHAP, send response */ 5194 dsize = sp->chap.digest_len; 5195 5196 sppp_auth_send(&chap, sp, CHAP_RESPONSE, sp->scp[IDX_CHAP].rconfid, 5197 sizeof(dsize), (const char *)&dsize, 5198 sp->chap.digest_len, sp->chap.digest, 5199 sp->myauth.name_len, sp->myauth.name, 0); 5200 } 5201 } 5202 5203 static void 5204 sppp_chap_rcv_challenge_event(struct sppp *sp, void *xcp) 5205 { 5206 const struct cp *cp = xcp; 5207 5208 KASSERT(!cpu_softintr_p()); 5209 5210 sp->chap.rechallenging = false; 5211 5212 switch (sp->scp[IDX_CHAP].state) { 5213 case STATE_REQ_SENT: 5214 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 5215 cp->scr(sp); 5216 break; 5217 case STATE_OPENED: 5218 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 5219 cp->scr(sp); 5220 break; 5221 } 5222 } 5223 5224 /* 5225 *--------------------------------------------------------------------------* 5226 * * 5227 * The PAP implementation. * 5228 * * 5229 *--------------------------------------------------------------------------* 5230 */ 5231 /* 5232 * PAP uses following actions and events. 5233 * Actions: 5234 * - scr: send PAP_REQ 5235 * - sca: send PAP_ACK 5236 * - scn: send PAP_NAK 5237 * Events: 5238 * - RCR+: receive PAP_REQ containing correct username and password 5239 * - RCR-: receive PAP_REQ containing wrong username and password 5240 * - RCA: receive PAP_ACK 5241 * - RCN: (this event is unused) 5242 * - TO+: re-send PAP_REQ 5243 * - TO-: this layer finish 5244 */ 5245 5246 /* 5247 * Handle incoming PAP packets. */ 5248 static void 5249 sppp_pap_input(struct sppp *sp, struct mbuf *m) 5250 { 5251 STDDCL; 5252 struct lcp_header *h; 5253 int len, x; 5254 char *name, *secret; 5255 int name_len, secret_len; 5256 char abuf[SPPP_AUTHTYPE_NAMELEN]; 5257 const char *authname; 5258 5259 /* 5260 * Malicious input might leave this uninitialized, so 5261 * init to an impossible value. 5262 */ 5263 secret_len = -1; 5264 5265 len = m->m_pkthdr.len; 5266 if (len < 5) { 5267 if (debug) 5268 log(LOG_DEBUG, 5269 "%s: pap invalid packet length: %d bytes\n", 5270 ifp->if_xname, len); 5271 return; 5272 } 5273 h = mtod(m, struct lcp_header *); 5274 if (len > ntohs(h->len)) 5275 len = ntohs(h->len); 5276 5277 SPPP_LOCK(sp, RW_WRITER); 5278 5279 switch (h->type) { 5280 /* PAP request is my authproto */ 5281 case PAP_REQ: 5282 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 5283 /* can't do anything useful */ 5284 printf("%s: pap request" 5285 " without his name and his secret being set\n", 5286 ifp->if_xname); 5287 break; 5288 } 5289 name = 1 + (u_char *)(h + 1); 5290 name_len = name[-1]; 5291 secret = name + name_len + 1; 5292 if (name_len > len - 6 || 5293 (secret_len = secret[-1]) > len - 6 - name_len) { 5294 if (debug) { 5295 authname = sppp_auth_type_name(abuf, 5296 sizeof(abuf), PPP_PAP, h->type); 5297 log(LOG_DEBUG, "%s: pap corrupted input " 5298 "<%s id=0x%x len=%d", 5299 ifp->if_xname, authname, 5300 h->ident, ntohs(h->len)); 5301 if (len > 4) 5302 sppp_print_bytes((u_char *)(h + 1), 5303 len - 4); 5304 addlog(">\n"); 5305 } 5306 break; 5307 } 5308 if (debug) { 5309 authname = sppp_auth_type_name(abuf, 5310 sizeof(abuf), PPP_PAP, h->type); 5311 log(LOG_DEBUG, "%s: pap input(%s) " 5312 "<%s id=0x%x len=%d name=", 5313 ifp->if_xname, 5314 sppp_state_name(sp->scp[IDX_PAP].state), 5315 authname, h->ident, ntohs(h->len)); 5316 sppp_print_string((char *)name, name_len); 5317 addlog(" secret="); 5318 sppp_print_string((char *)secret, secret_len); 5319 addlog(">\n"); 5320 } 5321 5322 sp->scp[IDX_PAP].rconfid = h->ident; 5323 5324 if (name_len == sp->hisauth.name_len && 5325 memcmp(name, sp->hisauth.name, name_len) == 0 && 5326 secret_len == sp->hisauth.secret_len && 5327 memcmp(secret, sp->hisauth.secret, secret_len) == 0) { 5328 sp->scp[IDX_PAP].rcr_type = CP_RCR_ACK; 5329 } else { 5330 sp->scp[IDX_PAP].rcr_type = CP_RCR_NAK; 5331 } 5332 5333 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_rcr); 5334 5335 /* generate a dummy RCA event */ 5336 if (sp->scp[IDX_PAP].rcr_type == CP_RCR_ACK && 5337 !ISSET(sppp_auth_role(&pap, sp), SPPP_AUTH_PEER)) { 5338 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_rca); 5339 } 5340 break; 5341 5342 /* ack and nak are his authproto */ 5343 case PAP_ACK: 5344 if (debug) { 5345 log(LOG_DEBUG, "%s: pap success", 5346 ifp->if_xname); 5347 name = 1 + (u_char *)(h + 1); 5348 name_len = name[-1]; 5349 if (len > 5 && name_len < len+4) { 5350 addlog(": "); 5351 sppp_print_string(name, name_len); 5352 } 5353 addlog("\n"); 5354 } 5355 5356 if (h->ident != sp->scp[IDX_PAP].confid) { 5357 if (debug) { 5358 log(LOG_DEBUG, "%s: %s id mismatch 0x%x != 0x%x\n", 5359 ifp->if_xname, pap.name, 5360 h->ident, sp->scp[IDX_PAP].rconfid); 5361 } 5362 if_statinc(ifp, if_ierrors); 5363 break; 5364 } 5365 5366 x = splnet(); 5367 sp->pp_auth_failures = 0; 5368 sp->pp_flags &= ~PP_NEEDAUTH; 5369 splx(x); 5370 5371 /* we are not authenticator, generate a dummy RCR+ event */ 5372 if (!ISSET(sppp_auth_role(&pap, sp), SPPP_AUTH_SERV)) { 5373 sp->scp[IDX_PAP].rcr_type = CP_RCR_ACK; 5374 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_rcr); 5375 } 5376 5377 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_rca); 5378 break; 5379 5380 case PAP_NAK: 5381 if (debug) { 5382 log(LOG_INFO, "%s: pap failure", 5383 ifp->if_xname); 5384 name = 1 + (u_char *)(h + 1); 5385 name_len = name[-1]; 5386 if (len > 5 && name_len < len+4) { 5387 addlog(": "); 5388 sppp_print_string(name, name_len); 5389 } 5390 addlog("\n"); 5391 } else 5392 log(LOG_INFO, "%s: pap failure\n", 5393 ifp->if_xname); 5394 5395 if (h->ident != sp->scp[IDX_PAP].confid) { 5396 if (debug) { 5397 log(LOG_DEBUG, "%s: %s id mismatch 0x%x != 0x%x\n", 5398 ifp->if_xname, pap.name, 5399 h->ident, sp->scp[IDX_PAP].rconfid); 5400 } 5401 if_statinc(ifp, if_ierrors); 5402 break; 5403 } 5404 5405 sp->pp_auth_failures++; 5406 /* 5407 * await LCP shutdown by authenticator, 5408 * so we don't have to enqueue sc->scp[IDX_PAP].work_rcn 5409 */ 5410 break; 5411 5412 default: 5413 /* Unknown PAP packet type -- ignore. */ 5414 if (debug) { 5415 log(LOG_DEBUG, "%s: pap corrupted input " 5416 "<0x%x id=0x%x len=%d", 5417 ifp->if_xname, 5418 h->type, h->ident, ntohs(h->len)); 5419 if (len > 4) 5420 sppp_print_bytes((u_char *)(h + 1), len - 4); 5421 addlog(">\n"); 5422 } 5423 break; 5424 } 5425 5426 SPPP_UNLOCK(sp); 5427 } 5428 5429 static void 5430 sppp_pap_init(struct sppp *sp) 5431 { 5432 5433 KASSERT(SPPP_WLOCKED(sp)); 5434 sppp_cp_init(&pap, sp); 5435 } 5436 5437 static void 5438 sppp_pap_tlu(struct sppp *sp) 5439 { 5440 STDDCL; 5441 int x; 5442 5443 sp->scp[IDX_PAP].rst_counter = sp->lcp.max_configure; 5444 5445 if (debug) 5446 log(LOG_DEBUG, "%s: %s tlu\n", 5447 ifp->if_xname, pap.name); 5448 5449 x = splnet(); 5450 sp->pp_auth_failures = 0; 5451 splx(x); 5452 5453 if (sp->pp_phase < SPPP_PHASE_NETWORK) 5454 sppp_phase_network(sp); 5455 } 5456 5457 static void 5458 sppp_pap_scr(struct sppp *sp) 5459 { 5460 u_char idlen, pwdlen; 5461 5462 KASSERT(SPPP_WLOCKED(sp)); 5463 5464 if (ISSET(sppp_auth_role(&pap, sp), SPPP_AUTH_PEER) && 5465 sp->scp[IDX_PAP].state != STATE_ACK_RCVD) { 5466 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 5467 log(LOG_DEBUG, "%s: couldn't send PAP_REQ " 5468 "because of no name or no secret\n", 5469 sp->pp_if.if_xname); 5470 } else { 5471 sp->scp[IDX_PAP].confid = ++sp->scp[IDX_PAP].seq; 5472 pwdlen = sp->myauth.secret_len; 5473 idlen = sp->myauth.name_len; 5474 5475 sppp_auth_send(&pap, sp, PAP_REQ, sp->scp[IDX_PAP].confid, 5476 sizeof idlen, (const char *)&idlen, 5477 idlen, sp->myauth.name, 5478 sizeof pwdlen, (const char *)&pwdlen, 5479 pwdlen, sp->myauth.secret, 5480 0); 5481 } 5482 } 5483 } 5484 5485 /* 5486 * Random miscellaneous functions. 5487 */ 5488 5489 /* 5490 * Send a PAP or CHAP proto packet. 5491 * 5492 * Varadic function, each of the elements for the ellipsis is of type 5493 * ``size_t mlen, const u_char *msg''. Processing will stop iff 5494 * mlen == 0. 5495 * NOTE: never declare variadic functions with types subject to type 5496 * promotion (i.e. u_char). This is asking for big trouble depending 5497 * on the architecture you are on... 5498 */ 5499 5500 static void 5501 sppp_auth_send(const struct cp *cp, struct sppp *sp, 5502 unsigned int type, unsigned int id, 5503 ...) 5504 { 5505 STDDCL; 5506 struct lcp_header *lh; 5507 struct mbuf *m; 5508 u_char *p; 5509 int len; 5510 size_t pkthdrlen; 5511 unsigned int mlen; 5512 const char *msg; 5513 va_list ap; 5514 5515 KASSERT(SPPP_WLOCKED(sp)); 5516 5517 MGETHDR(m, M_DONTWAIT, MT_DATA); 5518 if (! m) 5519 return; 5520 m_reset_rcvif(m); 5521 5522 if (sp->pp_flags & PP_NOFRAMING) { 5523 *mtod(m, uint16_t *) = htons(cp->proto); 5524 pkthdrlen = 2; 5525 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 5526 } else { 5527 struct ppp_header *h; 5528 h = mtod(m, struct ppp_header *); 5529 h->address = PPP_ALLSTATIONS; /* broadcast address */ 5530 h->control = PPP_UI; /* Unnumbered Info */ 5531 h->protocol = htons(cp->proto); 5532 pkthdrlen = PPP_HEADER_LEN; 5533 5534 lh = (struct lcp_header *)(h + 1); 5535 } 5536 5537 lh->type = type; 5538 lh->ident = id; 5539 p = (u_char *)(lh + 1); 5540 5541 va_start(ap, id); 5542 len = 0; 5543 5544 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 5545 msg = va_arg(ap, const char *); 5546 len += mlen; 5547 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 5548 va_end(ap); 5549 m_freem(m); 5550 return; 5551 } 5552 5553 memcpy(p, msg, mlen); 5554 p += mlen; 5555 } 5556 va_end(ap); 5557 5558 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 5559 lh->len = htons(LCP_HEADER_LEN + len); 5560 5561 if (debug) { 5562 char abuf[SPPP_AUTHTYPE_NAMELEN]; 5563 const char *authname; 5564 5565 authname = sppp_auth_type_name(abuf, 5566 sizeof(abuf), cp->proto, lh->type); 5567 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 5568 ifp->if_xname, cp->name, authname, 5569 lh->ident, ntohs(lh->len)); 5570 if (len) 5571 sppp_print_bytes((u_char *)(lh + 1), len); 5572 addlog(">\n"); 5573 } 5574 if (IF_QFULL(&sp->pp_cpq)) { 5575 IF_DROP(&sp->pp_fastq); 5576 IF_DROP(&ifp->if_snd); 5577 m_freem(m); 5578 if_statinc(ifp, if_oerrors); 5579 return; 5580 } 5581 5582 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 5583 IF_ENQUEUE(&sp->pp_cpq, m); 5584 5585 if (! (ifp->if_flags & IFF_OACTIVE)) { 5586 SPPP_UNLOCK(sp); 5587 if_start_lock(ifp); 5588 SPPP_LOCK(sp, RW_WRITER); 5589 } 5590 } 5591 5592 static int 5593 sppp_auth_role(const struct cp *cp, struct sppp *sp) 5594 { 5595 int role; 5596 5597 role = SPPP_AUTH_NOROLE; 5598 5599 if (sp->hisauth.proto == cp->proto && 5600 ISSET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO)) 5601 SET(role, SPPP_AUTH_SERV); 5602 5603 if (sp->myauth.proto == cp->proto) 5604 SET(role, SPPP_AUTH_PEER); 5605 5606 return role; 5607 } 5608 5609 static void 5610 sppp_auth_to_event(struct sppp *sp, void *xcp) 5611 { 5612 const struct cp *cp = xcp; 5613 bool override; 5614 int state; 5615 STDDCL; 5616 5617 KASSERT(SPPP_WLOCKED(sp)); 5618 KASSERT(!cpu_softintr_p()); 5619 5620 override = false; 5621 state = sp->scp[cp->protoidx].state; 5622 5623 if (sp->scp[cp->protoidx].rst_counter > 0) { 5624 /* override TO+ event */ 5625 switch (state) { 5626 case STATE_OPENED: 5627 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 5628 override = true; 5629 sp->chap.rechallenging = true; 5630 sp->chap.response_rcvd = false; 5631 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 5632 cp->scr(sp); 5633 } 5634 break; 5635 5636 case STATE_ACK_RCVD: 5637 override = true; 5638 cp->scr(sp); 5639 callout_schedule(&sp->scp[cp->protoidx].ch, sp->lcp.timeout); 5640 break; 5641 } 5642 } 5643 5644 if (override) { 5645 if (debug) 5646 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 5647 ifp->if_xname, cp->name, 5648 sppp_state_name(state), 5649 sp->scp[cp->protoidx].rst_counter); 5650 sp->scp[cp->protoidx].rst_counter--; 5651 } else { 5652 sppp_to_event(sp, xcp); 5653 } 5654 } 5655 5656 static void 5657 sppp_auth_screply(const struct cp *cp, struct sppp *sp, u_char ctype, 5658 uint8_t ident, size_t _mlen __unused, void *_msg __unused) 5659 { 5660 static const char *succmsg = "Welcome!"; 5661 static const char *failmsg = "Failed..."; 5662 const char *msg; 5663 u_char type, mlen; 5664 5665 KASSERT(SPPP_WLOCKED(sp)); 5666 5667 if (!ISSET(sppp_auth_role(cp, sp), SPPP_AUTH_SERV)) 5668 return; 5669 5670 if (ctype == CONF_ACK) { 5671 type = cp->proto == PPP_CHAP ? CHAP_SUCCESS : PAP_ACK; 5672 msg = succmsg; 5673 mlen = sizeof(succmsg) - 1; 5674 5675 sp->pp_auth_failures = 0; 5676 } else { 5677 type = cp->proto == PPP_CHAP ? CHAP_FAILURE : PAP_NAK; 5678 msg = failmsg; 5679 mlen = sizeof(failmsg) - 1; 5680 5681 /* shutdown LCP if auth failed */ 5682 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 5683 sp->pp_auth_failures++; 5684 } 5685 5686 sppp_auth_send(cp, sp, type, ident, mlen, (const u_char *)msg, 0); 5687 } 5688 5689 /* 5690 * Send keepalive packets, every 10 seconds. 5691 */ 5692 static void 5693 sppp_keepalive(void *dummy) 5694 { 5695 struct sppp *sp; 5696 int s; 5697 time_t now; 5698 5699 SPPPQ_LOCK(); 5700 5701 s = splnet(); 5702 now = time_uptime; 5703 for (sp=spppq; sp; sp=sp->pp_next) { 5704 struct ifnet *ifp = NULL; 5705 5706 SPPP_LOCK(sp, RW_WRITER); 5707 ifp = &sp->pp_if; 5708 5709 /* check idle timeout */ 5710 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 5711 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 5712 /* idle timeout is enabled for this interface */ 5713 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 5714 if (ifp->if_flags & IFF_DEBUG) 5715 printf("%s: no activity for %lu seconds\n", 5716 sp->pp_if.if_xname, 5717 (unsigned long)(now-sp->pp_last_activity)); 5718 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 5719 SPPP_UNLOCK(sp); 5720 continue; 5721 } 5722 } 5723 5724 /* Keepalive mode disabled or channel down? */ 5725 if (! (sp->pp_flags & PP_KEEPALIVE) || 5726 ! (ifp->if_flags & IFF_RUNNING)) { 5727 SPPP_UNLOCK(sp); 5728 continue; 5729 } 5730 5731 /* No keepalive in PPP mode if LCP not opened yet. */ 5732 if (! (sp->pp_flags & PP_CISCO) && 5733 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) { 5734 SPPP_UNLOCK(sp); 5735 continue; 5736 } 5737 5738 /* No echo reply, but maybe user data passed through? */ 5739 if (sp->pp_max_noreceive != 0 && 5740 (now - sp->pp_last_receive) < sp->pp_max_noreceive) { 5741 sp->pp_alivecnt = 0; 5742 SPPP_UNLOCK(sp); 5743 continue; 5744 } 5745 5746 /* No echo request */ 5747 if (sp->pp_alive_interval == 0) { 5748 SPPP_UNLOCK(sp); 5749 continue; 5750 } 5751 5752 /* send a ECHO_REQ once in sp->pp_alive_interval times */ 5753 if ((sppp_keepalive_cnt % sp->pp_alive_interval) != 0) { 5754 SPPP_UNLOCK(sp); 5755 continue; 5756 } 5757 5758 if (sp->pp_alivecnt >= sp->pp_maxalive) { 5759 /* No keepalive packets got. Stop the interface. */ 5760 sppp_wq_add(sp->wq_cp, &sp->work_ifdown); 5761 5762 if (! (sp->pp_flags & PP_CISCO)) { 5763 printf("%s: LCP keepalive timed out, going to restart the connection\n", 5764 ifp->if_xname); 5765 sp->pp_alivecnt = 0; 5766 5767 /* we are down, close all open protocols */ 5768 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 5769 5770 /* And now prepare LCP to reestablish the link, if configured to do so. */ 5771 sp->lcp.reestablish = true; 5772 5773 SPPP_UNLOCK(sp); 5774 continue; 5775 } 5776 } 5777 if (sp->pp_alivecnt < sp->pp_maxalive) 5778 ++sp->pp_alivecnt; 5779 if (sp->pp_flags & PP_CISCO) 5780 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 5781 ++sp->scp[IDX_LCP].seq, sp->scp[IDX_LCP].rseq); 5782 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 5783 int32_t nmagic = htonl(sp->lcp.magic); 5784 sp->lcp.echoid = ++sp->scp[IDX_LCP].seq; 5785 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 5786 sp->lcp.echoid, 4, &nmagic); 5787 } 5788 5789 SPPP_UNLOCK(sp); 5790 } 5791 splx(s); 5792 sppp_keepalive_cnt++; 5793 callout_reset(&keepalive_ch, hz * SPPP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 5794 5795 SPPPQ_UNLOCK(); 5796 } 5797 5798 #ifdef INET 5799 /* 5800 * Get both IP addresses. 5801 */ 5802 static void 5803 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 5804 { 5805 struct ifnet *ifp = &sp->pp_if; 5806 struct ifaddr *ifa; 5807 struct sockaddr_in *si, *sm; 5808 uint32_t ssrc, ddst; 5809 int s; 5810 struct psref psref; 5811 5812 sm = NULL; 5813 ssrc = ddst = 0; 5814 /* 5815 * Pick the first AF_INET address from the list, 5816 * aliases don't make any sense on a p2p link anyway. 5817 */ 5818 si = 0; 5819 s = pserialize_read_enter(); 5820 IFADDR_READER_FOREACH(ifa, ifp) { 5821 if (ifa->ifa_addr->sa_family == AF_INET) { 5822 si = (struct sockaddr_in *)ifa->ifa_addr; 5823 sm = (struct sockaddr_in *)ifa->ifa_netmask; 5824 if (si) { 5825 ifa_acquire(ifa, &psref); 5826 break; 5827 } 5828 } 5829 } 5830 pserialize_read_exit(s); 5831 if (ifa) { 5832 if (si && si->sin_addr.s_addr) { 5833 ssrc = si->sin_addr.s_addr; 5834 if (srcmask) 5835 *srcmask = ntohl(sm->sin_addr.s_addr); 5836 } 5837 5838 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 5839 if (si && si->sin_addr.s_addr) 5840 ddst = si->sin_addr.s_addr; 5841 ifa_release(ifa, &psref); 5842 } 5843 5844 if (dst) *dst = ntohl(ddst); 5845 if (src) *src = ntohl(ssrc); 5846 } 5847 5848 /* 5849 * Set IP addresses. Must be called at splnet. 5850 * If an address is 0, leave it the way it is. 5851 */ 5852 static void 5853 sppp_set_ip_addrs(struct sppp *sp) 5854 { 5855 STDDCL; 5856 struct ifaddr *ifa; 5857 struct sockaddr_in *si, *dest; 5858 uint32_t myaddr = 0, hisaddr = 0; 5859 int s; 5860 5861 KASSERT(SPPP_WLOCKED(sp)); 5862 SPPP_UNLOCK(sp); 5863 IFNET_LOCK(ifp); 5864 SPPP_LOCK(sp, RW_WRITER); 5865 5866 /* 5867 * Pick the first AF_INET address from the list, 5868 * aliases don't make any sense on a p2p link anyway. 5869 */ 5870 si = dest = NULL; 5871 s = pserialize_read_enter(); 5872 IFADDR_READER_FOREACH(ifa, ifp) { 5873 if (ifa->ifa_addr->sa_family == AF_INET) { 5874 si = (struct sockaddr_in *)ifa->ifa_addr; 5875 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5876 break; 5877 } 5878 } 5879 pserialize_read_exit(s); 5880 5881 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 5882 myaddr = sp->ipcp.req_myaddr; 5883 else if (si != NULL) 5884 myaddr = ntohl(si->sin_addr.s_addr); 5885 5886 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 5887 hisaddr = sp->ipcp.req_hisaddr; 5888 else if (dest != NULL) 5889 hisaddr = ntohl(dest->sin_addr.s_addr); 5890 5891 if (si != NULL && dest != NULL) { 5892 int error; 5893 struct sockaddr_in new_sin = *si; 5894 struct sockaddr_in new_dst = *dest; 5895 5896 if (myaddr != 0) 5897 new_sin.sin_addr.s_addr = htonl(myaddr); 5898 if (hisaddr != 0) { 5899 new_dst.sin_addr.s_addr = htonl(hisaddr); 5900 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) 5901 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 5902 } 5903 5904 in_addrhash_remove(ifatoia(ifa)); 5905 5906 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5907 5908 in_addrhash_insert(ifatoia(ifa)); 5909 5910 if (debug && error) 5911 { 5912 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5913 ifp->if_xname, __func__, error); 5914 } 5915 if (!error) { 5916 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5917 } 5918 } 5919 5920 IFNET_UNLOCK(ifp); 5921 5922 sppp_notify_con(sp); 5923 } 5924 5925 /* 5926 * Clear IP addresses. Must be called at splnet. 5927 */ 5928 static void 5929 sppp_clear_ip_addrs(struct sppp *sp) 5930 { 5931 STDDCL; 5932 struct ifaddr *ifa; 5933 struct sockaddr_in *si, *dest; 5934 int s; 5935 5936 KASSERT(SPPP_WLOCKED(sp)); 5937 SPPP_UNLOCK(sp); 5938 IFNET_LOCK(ifp); 5939 SPPP_LOCK(sp, RW_WRITER); 5940 5941 /* 5942 * Pick the first AF_INET address from the list, 5943 * aliases don't make any sense on a p2p link anyway. 5944 */ 5945 si = dest = NULL; 5946 s = pserialize_read_enter(); 5947 IFADDR_READER_FOREACH(ifa, ifp) { 5948 if (ifa->ifa_addr->sa_family == AF_INET) { 5949 si = (struct sockaddr_in *)ifa->ifa_addr; 5950 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5951 break; 5952 } 5953 } 5954 pserialize_read_exit(s); 5955 5956 if (si != NULL) { 5957 struct sockaddr_in new_sin = *si; 5958 struct sockaddr_in new_dst = *dest; 5959 int error; 5960 5961 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 5962 new_sin.sin_addr.s_addr = 0; 5963 if (sp->ipcp.flags & IPCP_HISADDR_DYN && 5964 ntohl(sp->ipcp.saved_hisaddr) != 0) 5965 new_dst.sin_addr.s_addr = sp->ipcp.saved_hisaddr; 5966 5967 in_addrhash_remove(ifatoia(ifa)); 5968 5969 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5970 5971 in_addrhash_insert(ifatoia(ifa)); 5972 5973 if (debug && error) 5974 { 5975 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5976 ifp->if_xname, __func__, error); 5977 } 5978 if (!error) { 5979 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5980 } 5981 } 5982 5983 IFNET_UNLOCK(ifp); 5984 } 5985 #endif 5986 5987 #ifdef INET6 5988 /* 5989 * Get both IPv6 addresses. 5990 */ 5991 static void 5992 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 5993 struct in6_addr *srcmask) 5994 { 5995 struct ifnet *ifp = &sp->pp_if; 5996 struct ifaddr *ifa; 5997 struct sockaddr_in6 *si, *sm; 5998 struct in6_addr ssrc, ddst; 5999 int s; 6000 struct psref psref; 6001 6002 sm = NULL; 6003 memset(&ssrc, 0, sizeof(ssrc)); 6004 memset(&ddst, 0, sizeof(ddst)); 6005 /* 6006 * Pick the first link-local AF_INET6 address from the list, 6007 * aliases don't make any sense on a p2p link anyway. 6008 */ 6009 si = 0; 6010 s = pserialize_read_enter(); 6011 IFADDR_READER_FOREACH(ifa, ifp) { 6012 if (ifa->ifa_addr->sa_family == AF_INET6) { 6013 si = (struct sockaddr_in6 *)ifa->ifa_addr; 6014 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 6015 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) { 6016 ifa_acquire(ifa, &psref); 6017 break; 6018 } 6019 } 6020 } 6021 pserialize_read_exit(s); 6022 6023 if (ifa) { 6024 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 6025 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 6026 if (srcmask) { 6027 memcpy(srcmask, &sm->sin6_addr, 6028 sizeof(*srcmask)); 6029 } 6030 } 6031 6032 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 6033 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 6034 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 6035 ifa_release(ifa, &psref); 6036 } 6037 6038 if (dst) 6039 memcpy(dst, &ddst, sizeof(*dst)); 6040 if (src) 6041 memcpy(src, &ssrc, sizeof(*src)); 6042 } 6043 6044 #ifdef IPV6CP_MYIFID_DYN 6045 /* 6046 * Generate random ifid. 6047 */ 6048 static void 6049 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 6050 { 6051 /* TBD */ 6052 } 6053 6054 /* 6055 * Set my IPv6 address. Must be called at splnet. 6056 */ 6057 static void 6058 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 6059 { 6060 STDDCL; 6061 struct ifaddr *ifa; 6062 struct sockaddr_in6 *sin6; 6063 int s; 6064 struct psref psref; 6065 6066 KASSERT(SPPP_WLOCKED(sp)); 6067 SPPP_UNLOCK(sp); 6068 IFNET_LOCK(ifp); 6069 SPPP_LOCK(sp, RW_WRITER); 6070 6071 /* 6072 * Pick the first link-local AF_INET6 address from the list, 6073 * aliases don't make any sense on a p2p link anyway. 6074 */ 6075 6076 sin6 = NULL; 6077 s = pserialize_read_enter(); 6078 IFADDR_READER_FOREACH(ifa, ifp) 6079 { 6080 if (ifa->ifa_addr->sa_family == AF_INET6) 6081 { 6082 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 6083 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) { 6084 ifa_acquire(ifa, &psref); 6085 break; 6086 } 6087 } 6088 } 6089 pserialize_read_exit(s); 6090 6091 if (ifa && sin6) 6092 { 6093 int error; 6094 struct sockaddr_in6 new_sin6 = *sin6; 6095 6096 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 6097 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 6098 if (debug && error) 6099 { 6100 log(LOG_DEBUG, "%s: %s: in6_ifinit failed, error=%d\n", 6101 ifp->if_xname, __func__, error); 6102 } 6103 if (!error) { 6104 pfil_run_addrhooks(if_pfil, SIOCAIFADDR_IN6, ifa); 6105 } 6106 ifa_release(ifa, &psref); 6107 } 6108 6109 IFNET_UNLOCK(ifp); 6110 } 6111 #endif 6112 6113 /* 6114 * Suggest a candidate address to be used by peer. 6115 */ 6116 static void 6117 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 6118 { 6119 struct in6_addr myaddr; 6120 struct timeval tv; 6121 6122 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 6123 6124 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 6125 microtime(&tv); 6126 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 6127 myaddr.s6_addr[14] ^= 0xff; 6128 myaddr.s6_addr[15] ^= 0xff; 6129 } else { 6130 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 6131 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 6132 } 6133 if (suggest) 6134 memcpy(suggest, &myaddr, sizeof(myaddr)); 6135 } 6136 #endif /*INET6*/ 6137 6138 /* 6139 * Process ioctl requests specific to the PPP interface. 6140 * Permissions have already been checked. 6141 */ 6142 static int 6143 sppp_params(struct sppp *sp, u_long cmd, void *data) 6144 { 6145 switch (cmd) { 6146 case SPPPGETAUTHCFG: 6147 { 6148 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 6149 int error; 6150 size_t len; 6151 6152 SPPP_LOCK(sp, RW_READER); 6153 6154 cfg->myauthflags = sp->myauth.flags; 6155 cfg->hisauthflags = sp->hisauth.flags; 6156 strlcpy(cfg->ifname, sp->pp_if.if_xname, sizeof(cfg->ifname)); 6157 cfg->hisauth = sppp_proto2authproto(sp->hisauth.proto); 6158 cfg->myauth = sppp_proto2authproto(sp->myauth.proto); 6159 if (cfg->myname_length == 0) { 6160 if (sp->myauth.name != NULL) 6161 cfg->myname_length = sp->myauth.name_len + 1; 6162 } else { 6163 if (sp->myauth.name == NULL) { 6164 cfg->myname_length = 0; 6165 } else { 6166 len = sp->myauth.name_len + 1; 6167 6168 if (cfg->myname_length < len) { 6169 SPPP_UNLOCK(sp); 6170 return (ENAMETOOLONG); 6171 } 6172 error = copyout(sp->myauth.name, cfg->myname, len); 6173 if (error) { 6174 SPPP_UNLOCK(sp); 6175 return error; 6176 } 6177 } 6178 } 6179 if (cfg->hisname_length == 0) { 6180 if (sp->hisauth.name != NULL) 6181 cfg->hisname_length = sp->hisauth.name_len + 1; 6182 } else { 6183 if (sp->hisauth.name == NULL) { 6184 cfg->hisname_length = 0; 6185 } else { 6186 len = sp->hisauth.name_len + 1; 6187 6188 if (cfg->hisname_length < len) { 6189 SPPP_UNLOCK(sp); 6190 return (ENAMETOOLONG); 6191 } 6192 error = copyout(sp->hisauth.name, cfg->hisname, len); 6193 if (error) { 6194 SPPP_UNLOCK(sp); 6195 return error; 6196 } 6197 } 6198 } 6199 SPPP_UNLOCK(sp); 6200 } 6201 break; 6202 case SPPPSETAUTHCFG: 6203 { 6204 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 6205 int error; 6206 6207 SPPP_LOCK(sp, RW_WRITER); 6208 6209 if (sp->myauth.name) { 6210 free(sp->myauth.name, M_DEVBUF); 6211 sp->myauth.name = NULL; 6212 } 6213 if (sp->myauth.secret) { 6214 free(sp->myauth.secret, M_DEVBUF); 6215 sp->myauth.secret = NULL; 6216 } 6217 if (sp->hisauth.name) { 6218 free(sp->hisauth.name, M_DEVBUF); 6219 sp->hisauth.name = NULL; 6220 } 6221 if (sp->hisauth.secret) { 6222 free(sp->hisauth.secret, M_DEVBUF); 6223 sp->hisauth.secret = NULL; 6224 } 6225 6226 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 6227 if (cfg->hisname_length >= MCLBYTES) { 6228 SPPP_UNLOCK(sp); 6229 return (ENAMETOOLONG); 6230 } 6231 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 6232 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 6233 if (error) { 6234 free(sp->hisauth.name, M_DEVBUF); 6235 sp->hisauth.name = NULL; 6236 SPPP_UNLOCK(sp); 6237 return error; 6238 } 6239 sp->hisauth.name_len = cfg->hisname_length - 1; 6240 sp->hisauth.name[sp->hisauth.name_len] = 0; 6241 } 6242 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 6243 if (cfg->hissecret_length >= MCLBYTES) { 6244 SPPP_UNLOCK(sp); 6245 return (ENAMETOOLONG); 6246 } 6247 sp->hisauth.secret = malloc(cfg->hissecret_length, 6248 M_DEVBUF, M_WAITOK); 6249 error = copyin(cfg->hissecret, sp->hisauth.secret, 6250 cfg->hissecret_length); 6251 if (error) { 6252 free(sp->hisauth.secret, M_DEVBUF); 6253 sp->hisauth.secret = NULL; 6254 SPPP_UNLOCK(sp); 6255 return error; 6256 } 6257 sp->hisauth.secret_len = cfg->hissecret_length - 1; 6258 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 6259 } 6260 if (cfg->myname != NULL && cfg->myname_length > 0) { 6261 if (cfg->myname_length >= MCLBYTES) { 6262 SPPP_UNLOCK(sp); 6263 return (ENAMETOOLONG); 6264 } 6265 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 6266 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 6267 if (error) { 6268 free(sp->myauth.name, M_DEVBUF); 6269 sp->myauth.name = NULL; 6270 SPPP_UNLOCK(sp); 6271 return error; 6272 } 6273 sp->myauth.name_len = cfg->myname_length - 1; 6274 sp->myauth.name[sp->myauth.name_len] = 0; 6275 } 6276 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 6277 if (cfg->mysecret_length >= MCLBYTES) { 6278 SPPP_UNLOCK(sp); 6279 return (ENAMETOOLONG); 6280 } 6281 sp->myauth.secret = malloc(cfg->mysecret_length, 6282 M_DEVBUF, M_WAITOK); 6283 error = copyin(cfg->mysecret, sp->myauth.secret, 6284 cfg->mysecret_length); 6285 if (error) { 6286 free(sp->myauth.secret, M_DEVBUF); 6287 sp->myauth.secret = NULL; 6288 SPPP_UNLOCK(sp); 6289 return error; 6290 } 6291 sp->myauth.secret_len = cfg->mysecret_length - 1; 6292 sp->myauth.secret[sp->myauth.secret_len] = 0; 6293 } 6294 sp->myauth.flags = cfg->myauthflags; 6295 if (cfg->myauth != SPPP_AUTHPROTO_NOCHG) { 6296 sp->myauth.proto = sppp_authproto2proto(cfg->myauth); 6297 } 6298 sp->hisauth.flags = cfg->hisauthflags; 6299 if (cfg->hisauth != SPPP_AUTHPROTO_NOCHG) { 6300 sp->hisauth.proto = sppp_authproto2proto(cfg->hisauth); 6301 } 6302 sp->pp_auth_failures = 0; 6303 if (sp->hisauth.proto != PPP_NOPROTO) 6304 SET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO); 6305 else 6306 CLR(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO); 6307 6308 SPPP_UNLOCK(sp); 6309 } 6310 break; 6311 case SPPPGETLCPCFG: 6312 { 6313 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 6314 6315 SPPP_LOCK(sp, RW_READER); 6316 lcpp->lcp_timeout = sp->lcp.timeout; 6317 SPPP_UNLOCK(sp); 6318 } 6319 break; 6320 case SPPPSETLCPCFG: 6321 { 6322 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 6323 6324 SPPP_LOCK(sp, RW_WRITER); 6325 sp->lcp.timeout = lcpp->lcp_timeout; 6326 SPPP_UNLOCK(sp); 6327 } 6328 break; 6329 case SPPPGETNCPCFG: 6330 { 6331 struct spppncpcfg *ncpp = (struct spppncpcfg *) data; 6332 6333 SPPP_LOCK(sp, RW_READER); 6334 ncpp->ncp_flags = sp->pp_ncpflags; 6335 SPPP_UNLOCK(sp); 6336 } 6337 break; 6338 case SPPPSETNCPCFG: 6339 { 6340 struct spppncpcfg *ncpp = (struct spppncpcfg *) data; 6341 6342 SPPP_LOCK(sp, RW_WRITER); 6343 sp->pp_ncpflags = ncpp->ncp_flags; 6344 SPPP_UNLOCK(sp); 6345 } 6346 break; 6347 case SPPPGETSTATUS: 6348 { 6349 struct spppstatus *status = (struct spppstatus *)data; 6350 6351 SPPP_LOCK(sp, RW_READER); 6352 status->phase = sp->pp_phase; 6353 SPPP_UNLOCK(sp); 6354 } 6355 break; 6356 case SPPPGETSTATUSNCP: 6357 { 6358 struct spppstatusncp *status = (struct spppstatusncp *)data; 6359 6360 SPPP_LOCK(sp, RW_READER); 6361 status->phase = sp->pp_phase; 6362 status->ncpup = sppp_cp_check(sp, CP_NCP); 6363 SPPP_UNLOCK(sp); 6364 } 6365 break; 6366 case SPPPGETIDLETO: 6367 { 6368 struct spppidletimeout *to = (struct spppidletimeout *)data; 6369 6370 SPPP_LOCK(sp, RW_READER); 6371 to->idle_seconds = sp->pp_idle_timeout; 6372 SPPP_UNLOCK(sp); 6373 } 6374 break; 6375 case SPPPSETIDLETO: 6376 { 6377 struct spppidletimeout *to = (struct spppidletimeout *)data; 6378 6379 SPPP_LOCK(sp, RW_WRITER); 6380 sp->pp_idle_timeout = to->idle_seconds; 6381 SPPP_UNLOCK(sp); 6382 } 6383 break; 6384 case SPPPSETAUTHFAILURE: 6385 { 6386 struct spppauthfailuresettings *afsettings = 6387 (struct spppauthfailuresettings *)data; 6388 6389 SPPP_LOCK(sp, RW_WRITER); 6390 sp->pp_max_auth_fail = afsettings->max_failures; 6391 sp->pp_auth_failures = 0; 6392 SPPP_UNLOCK(sp); 6393 } 6394 break; 6395 case SPPPGETAUTHFAILURES: 6396 { 6397 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 6398 6399 SPPP_LOCK(sp, RW_READER); 6400 stats->auth_failures = sp->pp_auth_failures; 6401 stats->max_failures = sp->pp_max_auth_fail; 6402 SPPP_UNLOCK(sp); 6403 } 6404 break; 6405 case SPPPSETDNSOPTS: 6406 { 6407 struct spppdnssettings *req = (struct spppdnssettings *)data; 6408 6409 SPPP_LOCK(sp, RW_WRITER); 6410 sp->query_dns = req->query_dns & 3; 6411 SPPP_UNLOCK(sp); 6412 } 6413 break; 6414 case SPPPGETDNSOPTS: 6415 { 6416 struct spppdnssettings *req = (struct spppdnssettings *)data; 6417 6418 SPPP_LOCK(sp, RW_READER); 6419 req->query_dns = sp->query_dns; 6420 SPPP_UNLOCK(sp); 6421 } 6422 break; 6423 case SPPPGETDNSADDRS: 6424 { 6425 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 6426 6427 SPPP_LOCK(sp, RW_READER); 6428 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 6429 SPPP_UNLOCK(sp); 6430 } 6431 break; 6432 case SPPPGETKEEPALIVE: 6433 { 6434 struct spppkeepalivesettings *settings = 6435 (struct spppkeepalivesettings*)data; 6436 6437 SPPP_LOCK(sp, RW_READER); 6438 settings->maxalive = sp->pp_maxalive; 6439 settings->max_noreceive = sp->pp_max_noreceive; 6440 settings->alive_interval = sp->pp_alive_interval; 6441 SPPP_UNLOCK(sp); 6442 } 6443 break; 6444 case SPPPSETKEEPALIVE: 6445 { 6446 struct spppkeepalivesettings *settings = 6447 (struct spppkeepalivesettings*)data; 6448 6449 SPPP_LOCK(sp, RW_WRITER); 6450 sp->pp_maxalive = settings->maxalive; 6451 sp->pp_max_noreceive = settings->max_noreceive; 6452 sp->pp_alive_interval = settings->alive_interval; 6453 SPPP_UNLOCK(sp); 6454 } 6455 break; 6456 case SPPPGETLCPSTATUS: 6457 { 6458 struct sppplcpstatus *status = 6459 (struct sppplcpstatus *)data; 6460 6461 SPPP_LOCK(sp, RW_READER); 6462 status->state = sp->scp[IDX_LCP].state; 6463 status->opts = sp->lcp.opts; 6464 status->magic = sp->lcp.magic; 6465 status->mru = sp->lcp.mru; 6466 SPPP_UNLOCK(sp); 6467 } 6468 break; 6469 case SPPPGETIPCPSTATUS: 6470 { 6471 struct spppipcpstatus *status = 6472 (struct spppipcpstatus *)data; 6473 u_int32_t myaddr; 6474 6475 SPPP_LOCK(sp, RW_READER); 6476 status->state = sp->scp[IDX_IPCP].state; 6477 status->opts = sp->ipcp.opts; 6478 #ifdef INET 6479 kpreempt_disable(); 6480 sppp_get_ip_addrs(sp, &myaddr, 0, 0); 6481 kpreempt_enable(); 6482 #else 6483 myaddr = 0; 6484 #endif 6485 status->myaddr = ntohl(myaddr); 6486 SPPP_UNLOCK(sp); 6487 } 6488 break; 6489 case SPPPGETIPV6CPSTATUS: 6490 { 6491 struct spppipv6cpstatus *status = 6492 (struct spppipv6cpstatus *)data; 6493 6494 SPPP_LOCK(sp, RW_READER); 6495 status->state = sp->scp[IDX_IPV6CP].state; 6496 memcpy(status->my_ifid, sp->ipv6cp.my_ifid, 6497 sizeof(status->my_ifid)); 6498 memcpy(status->his_ifid, sp->ipv6cp.his_ifid, 6499 sizeof(status->his_ifid)); 6500 SPPP_UNLOCK(sp); 6501 } 6502 break; 6503 default: 6504 { 6505 int ret; 6506 6507 MODULE_HOOK_CALL(sppp_params_50_hook, (sp, cmd, data), 6508 enosys(), ret); 6509 if (ret != ENOSYS) 6510 return ret; 6511 return (EINVAL); 6512 } 6513 } 6514 return (0); 6515 } 6516 6517 static void 6518 sppp_phase_network(struct sppp *sp) 6519 { 6520 int i; 6521 6522 KASSERT(SPPP_WLOCKED(sp)); 6523 6524 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 6525 6526 /* Notify NCPs now. */ 6527 for (i = 0; i < IDX_COUNT; i++) 6528 if ((cps[i])->flags & CP_NCP) 6529 sppp_wq_add(sp->wq_cp, &sp->scp[i].work_open); 6530 } 6531 6532 static const char * 6533 sppp_cp_type_name(char *buf, size_t buflen, u_char type) 6534 { 6535 6536 switch (type) { 6537 case CONF_REQ: return "conf-req"; 6538 case CONF_ACK: return "conf-ack"; 6539 case CONF_NAK: return "conf-nak"; 6540 case CONF_REJ: return "conf-rej"; 6541 case TERM_REQ: return "term-req"; 6542 case TERM_ACK: return "term-ack"; 6543 case CODE_REJ: return "code-rej"; 6544 case PROTO_REJ: return "proto-rej"; 6545 case ECHO_REQ: return "echo-req"; 6546 case ECHO_REPLY: return "echo-reply"; 6547 case DISC_REQ: return "discard-req"; 6548 } 6549 if (buf != NULL) 6550 snprintf(buf, buflen, "0x%02x", type); 6551 return buf; 6552 } 6553 6554 static const char * 6555 sppp_auth_type_name(char *buf, size_t buflen, u_short proto, u_char type) 6556 { 6557 const char *name; 6558 6559 switch (proto) { 6560 case PPP_CHAP: 6561 switch (type) { 6562 case CHAP_CHALLENGE: return "challenge"; 6563 case CHAP_RESPONSE: return "response"; 6564 case CHAP_SUCCESS: return "success"; 6565 case CHAP_FAILURE: return "failure"; 6566 default: name = "chap"; break; 6567 } 6568 break; 6569 6570 case PPP_PAP: 6571 switch (type) { 6572 case PAP_REQ: return "req"; 6573 case PAP_ACK: return "ack"; 6574 case PAP_NAK: return "nak"; 6575 default: name = "pap"; break; 6576 } 6577 break; 6578 6579 default: 6580 name = "bad"; 6581 break; 6582 } 6583 6584 if (buf != NULL) 6585 snprintf(buf, buflen, "%s(%#x) 0x%02x", name, proto, type); 6586 return buf; 6587 } 6588 6589 static const char * 6590 sppp_lcp_opt_name(char *buf, size_t buflen, u_char opt) 6591 { 6592 6593 switch (opt) { 6594 case LCP_OPT_MRU: return "mru"; 6595 case LCP_OPT_ASYNC_MAP: return "async-map"; 6596 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 6597 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 6598 case LCP_OPT_MAGIC: return "magic"; 6599 case LCP_OPT_PROTO_COMP: return "proto-comp"; 6600 case LCP_OPT_ADDR_COMP: return "addr-comp"; 6601 case LCP_OPT_SELF_DESC_PAD: return "sdpad"; 6602 case LCP_OPT_CALL_BACK: return "callback"; 6603 case LCP_OPT_COMPOUND_FRMS: return "cmpd-frms"; 6604 case LCP_OPT_MP_MRRU: return "mrru"; 6605 case LCP_OPT_MP_SSNHF: return "mp-ssnhf"; 6606 case LCP_OPT_MP_EID: return "mp-eid"; 6607 } 6608 if (buf != NULL) 6609 snprintf(buf, buflen, "0x%02x", opt); 6610 return buf; 6611 } 6612 6613 static const char * 6614 sppp_ipcp_opt_name(char *buf, size_t buflen, u_char opt) 6615 { 6616 6617 switch (opt) { 6618 case IPCP_OPT_ADDRESSES: return "addresses"; 6619 case IPCP_OPT_COMPRESSION: return "compression"; 6620 case IPCP_OPT_ADDRESS: return "address"; 6621 case IPCP_OPT_PRIMDNS: return "primdns"; 6622 case IPCP_OPT_SECDNS: return "secdns"; 6623 } 6624 if (buf != NULL) 6625 snprintf(buf, buflen, "0x%02x", opt); 6626 return buf; 6627 } 6628 6629 #ifdef INET6 6630 static const char * 6631 sppp_ipv6cp_opt_name(char *buf, size_t buflen, u_char opt) 6632 { 6633 6634 switch (opt) { 6635 case IPV6CP_OPT_IFID: return "ifid"; 6636 case IPV6CP_OPT_COMPRESSION: return "compression"; 6637 } 6638 if (buf != NULL) 6639 snprintf(buf, buflen, "0x%02x", opt); 6640 return buf; 6641 } 6642 #endif 6643 6644 static const char * 6645 sppp_state_name(int state) 6646 { 6647 6648 switch (state) { 6649 case STATE_INITIAL: return "initial"; 6650 case STATE_STARTING: return "starting"; 6651 case STATE_CLOSED: return "closed"; 6652 case STATE_STOPPED: return "stopped"; 6653 case STATE_CLOSING: return "closing"; 6654 case STATE_STOPPING: return "stopping"; 6655 case STATE_REQ_SENT: return "req-sent"; 6656 case STATE_ACK_RCVD: return "ack-rcvd"; 6657 case STATE_ACK_SENT: return "ack-sent"; 6658 case STATE_OPENED: return "opened"; 6659 } 6660 return "illegal"; 6661 } 6662 6663 static const char * 6664 sppp_phase_name(int phase) 6665 { 6666 6667 switch (phase) { 6668 case SPPP_PHASE_DEAD: return "dead"; 6669 case SPPP_PHASE_ESTABLISH: return "establish"; 6670 case SPPP_PHASE_TERMINATE: return "terminate"; 6671 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 6672 case SPPP_PHASE_NETWORK: return "network"; 6673 } 6674 return "illegal"; 6675 } 6676 6677 static const char * 6678 sppp_proto_name(char *buf, size_t buflen, u_short proto) 6679 { 6680 6681 switch (proto) { 6682 case PPP_LCP: return "lcp"; 6683 case PPP_IPCP: return "ipcp"; 6684 case PPP_PAP: return "pap"; 6685 case PPP_CHAP: return "chap"; 6686 case PPP_IPV6CP: return "ipv6cp"; 6687 } 6688 if (buf != NULL) { 6689 snprintf(buf, sizeof(buf), "0x%04x", 6690 (unsigned)proto); 6691 } 6692 return buf; 6693 } 6694 6695 static void 6696 sppp_print_bytes(const u_char *p, u_short len) 6697 { 6698 addlog(" %02x", *p++); 6699 while (--len > 0) 6700 addlog("-%02x", *p++); 6701 } 6702 6703 static void 6704 sppp_print_string(const char *p, u_short len) 6705 { 6706 u_char c; 6707 6708 while (len-- > 0) { 6709 c = *p++; 6710 /* 6711 * Print only ASCII chars directly. RFC 1994 recommends 6712 * using only them, but we don't rely on it. */ 6713 if (c < ' ' || c > '~') 6714 addlog("\\x%x", c); 6715 else 6716 addlog("%c", c); 6717 } 6718 } 6719 6720 static const char * 6721 sppp_dotted_quad(char *buf, size_t buflen, uint32_t addr) 6722 { 6723 6724 if (buf != NULL) { 6725 snprintf(buf, buflen, "%u.%u.%u.%u", 6726 (unsigned int)((addr >> 24) & 0xff), 6727 (unsigned int)((addr >> 16) & 0xff), 6728 (unsigned int)((addr >> 8) & 0xff), 6729 (unsigned int)(addr & 0xff)); 6730 } 6731 return buf; 6732 } 6733 6734 /* a dummy, used to drop uninteresting events */ 6735 static void 6736 sppp_null(struct sppp *unused) 6737 { 6738 /* do just nothing */ 6739 } 6740 6741 static void 6742 sppp_tls(const struct cp *cp, struct sppp *sp) 6743 { 6744 6745 /* notify lcp that is lower layer */ 6746 sp->lcp.protos |= (1 << cp->protoidx); 6747 6748 if (sp->scp[IDX_LCP].state == STATE_OPENED) 6749 sppp_wq_add(sp->wq_cp, &sp->scp[cp->protoidx].work_up); 6750 } 6751 6752 static void 6753 sppp_tlf(const struct cp *cp, struct sppp *sp) 6754 { 6755 STDDCL; 6756 6757 if (debug) 6758 log(LOG_DEBUG, "%s: %s tlf\n", ifp->if_xname, cp->name); 6759 6760 /* notify lcp that is lower layer */ 6761 sp->lcp.protos &= ~(1 << cp->protoidx); 6762 6763 /* cleanup */ 6764 if (sp->scp[cp->protoidx].mbuf_confreq != NULL) { 6765 m_freem(sp->scp[cp->protoidx].mbuf_confreq); 6766 sp->scp[cp->protoidx].mbuf_confreq = NULL; 6767 } 6768 if (sp->scp[cp->protoidx].mbuf_confnak != NULL) { 6769 m_freem(sp->scp[cp->protoidx].mbuf_confnak); 6770 sp->scp[cp->protoidx].mbuf_confnak = NULL; 6771 } 6772 6773 sppp_lcp_check_and_close(sp); 6774 } 6775 6776 static void 6777 sppp_screply(const struct cp *cp, struct sppp *sp, u_char type, 6778 uint8_t ident, size_t msglen, void *msg) 6779 { 6780 STDDCL; 6781 6782 if (msglen == 0) 6783 return; 6784 6785 switch (type) { 6786 case CONF_ACK: 6787 case CONF_NAK: 6788 case CONF_REJ: 6789 break; 6790 default: 6791 return; 6792 } 6793 6794 if (debug) { 6795 char tbuf[SPPP_CPTYPE_NAMELEN]; 6796 const char *cpname; 6797 6798 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), type); 6799 log(LOG_DEBUG, "%s: send %s\n", ifp->if_xname, cpname); 6800 } 6801 6802 sppp_cp_send(sp, cp->proto, type, ident, msglen, msg); 6803 } 6804 6805 static void 6806 sppp_ifdown(struct sppp *sp, void *xcp __unused) 6807 { 6808 6809 SPPP_UNLOCK(sp); 6810 if_down(&sp->pp_if); 6811 IF_PURGE(&sp->pp_cpq); 6812 SPPP_LOCK(sp, RW_WRITER); 6813 } 6814 6815 static void 6816 sppp_notify_up(struct sppp *sp) 6817 { 6818 6819 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_up); 6820 } 6821 6822 static void 6823 sppp_notify_down(struct sppp *sp) 6824 { 6825 6826 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_down); 6827 } 6828 6829 static void 6830 sppp_notify_tls_wlocked(struct sppp *sp) 6831 { 6832 6833 KASSERT(SPPP_WLOCKED(sp)); 6834 6835 if (!sp->pp_tls) 6836 return; 6837 6838 SPPP_UNLOCK(sp); 6839 sp->pp_tls(sp); 6840 SPPP_LOCK(sp, RW_WRITER); 6841 } 6842 6843 static void 6844 sppp_notify_tlf_wlocked(struct sppp *sp) 6845 { 6846 6847 KASSERT(SPPP_WLOCKED(sp)); 6848 6849 if (!sp->pp_tlf) 6850 return; 6851 6852 SPPP_UNLOCK(sp); 6853 sp->pp_tlf(sp); 6854 SPPP_LOCK(sp, RW_WRITER); 6855 } 6856 6857 static void 6858 sppp_notify_con(struct sppp *sp) 6859 { 6860 6861 if (!sp->pp_con) 6862 return; 6863 6864 sp->pp_con(sp); 6865 } 6866 6867 #ifdef INET6 6868 static void 6869 sppp_notify_con_wlocked(struct sppp *sp) 6870 { 6871 6872 KASSERT(SPPP_WLOCKED(sp)); 6873 6874 SPPP_UNLOCK(sp); 6875 sppp_notify_con(sp); 6876 SPPP_LOCK(sp, RW_WRITER); 6877 6878 } 6879 #endif 6880 6881 static void 6882 sppp_notify_chg_wlocked(struct sppp *sp) 6883 { 6884 6885 KASSERT(SPPP_WLOCKED(sp)); 6886 6887 if (!sp->pp_chg) 6888 return; 6889 6890 SPPP_UNLOCK(sp); 6891 sp->pp_chg(sp, sp->pp_phase); 6892 SPPP_LOCK(sp, RW_WRITER); 6893 } 6894 6895 static void 6896 sppp_wq_work(struct work *wk, void *xsp) 6897 { 6898 struct sppp *sp; 6899 struct sppp_work *work; 6900 6901 sp = xsp; 6902 work = container_of(wk, struct sppp_work, work); 6903 atomic_cas_uint(&work->state, SPPP_WK_BUSY, SPPP_WK_FREE); 6904 6905 SPPP_LOCK(sp, RW_WRITER); 6906 work->func(sp, work->arg); 6907 SPPP_UNLOCK(sp); 6908 } 6909 6910 static struct workqueue * 6911 sppp_wq_create(struct sppp *sp, const char *xnamebuf, pri_t prio, int ipl, int flags) 6912 { 6913 struct workqueue *wq; 6914 int error; 6915 6916 error = workqueue_create(&wq, xnamebuf, sppp_wq_work, 6917 (void *)sp, prio, ipl, flags); 6918 if (error) { 6919 panic("%s: workqueue_create failed [%s, %d]\n", 6920 sp->pp_if.if_xname, xnamebuf, error); 6921 } 6922 6923 return wq; 6924 } 6925 6926 static void 6927 sppp_wq_destroy(struct sppp *sp __unused, struct workqueue *wq) 6928 { 6929 6930 workqueue_destroy(wq); 6931 } 6932 6933 static void 6934 sppp_wq_set(struct sppp_work *work, 6935 void (*func)(struct sppp *, void *), void *arg) 6936 { 6937 6938 work->func = func; 6939 work->arg = arg; 6940 } 6941 6942 static void 6943 sppp_wq_add(struct workqueue *wq, struct sppp_work *work) 6944 { 6945 6946 if (atomic_cas_uint(&work->state, SPPP_WK_FREE, SPPP_WK_BUSY) 6947 != SPPP_WK_FREE) 6948 return; 6949 6950 KASSERT(work->func != NULL); 6951 kpreempt_disable(); 6952 workqueue_enqueue(wq, &work->work, NULL); 6953 kpreempt_enable(); 6954 } 6955 static void 6956 sppp_wq_wait(struct workqueue *wq, struct sppp_work *work) 6957 { 6958 6959 atomic_swap_uint(&work->state, SPPP_WK_UNAVAIL); 6960 workqueue_wait(wq, &work->work); 6961 } 6962 6963 /* 6964 * This file is large. Tell emacs to highlight it nevertheless. 6965 * 6966 * Local Variables: 6967 * hilit-auto-highlight-maxout: 120000 6968 * End: 6969 */ 6970 6971 /* 6972 * Module glue 6973 */ 6974 MODULE(MODULE_CLASS_MISC, sppp_subr, NULL); 6975 6976 static int 6977 sppp_subr_modcmd(modcmd_t cmd, void *arg) 6978 { 6979 6980 switch (cmd) { 6981 case MODULE_CMD_INIT: 6982 case MODULE_CMD_FINI: 6983 return 0; 6984 case MODULE_CMD_STAT: 6985 case MODULE_CMD_AUTOUNLOAD: 6986 default: 6987 return ENOTTY; 6988 } 6989 } 6990