1 /* $NetBSD: if_spppsubr.c,v 1.189 2020/04/04 17:12:33 is Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak@cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun@iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.189 2020/04/04 17:12:33 is Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_modular.h" 49 #include "opt_compat_netbsd.h" 50 #include "opt_net_mpsafe.h" 51 #endif 52 53 54 #include <sys/param.h> 55 #include <sys/proc.h> 56 #include <sys/systm.h> 57 #include <sys/kernel.h> 58 #include <sys/sockio.h> 59 #include <sys/socket.h> 60 #include <sys/syslog.h> 61 #include <sys/malloc.h> 62 #include <sys/mbuf.h> 63 #include <sys/callout.h> 64 #include <sys/md5.h> 65 #include <sys/inttypes.h> 66 #include <sys/kauth.h> 67 #include <sys/cprng.h> 68 #include <sys/module.h> 69 #include <sys/workqueue.h> 70 #include <sys/atomic.h> 71 #include <sys/compat_stub.h> 72 73 #include <net/if.h> 74 #include <net/netisr.h> 75 #include <net/if_types.h> 76 #include <net/route.h> 77 #include <net/ppp_defs.h> 78 79 #include <netinet/in.h> 80 #include <netinet/in_systm.h> 81 #include <netinet/in_var.h> 82 #ifdef INET 83 #include <netinet/ip.h> 84 #include <netinet/tcp.h> 85 #endif 86 #include <net/ethertypes.h> 87 88 #ifdef INET6 89 #include <netinet6/scope6_var.h> 90 #endif 91 92 #include <net/if_sppp.h> 93 #include <net/if_spppvar.h> 94 95 #ifdef NET_MPSAFE 96 #define SPPPSUBR_MPSAFE 1 97 #endif 98 99 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 100 #define LOOPALIVECNT 3 /* loopback detection tries */ 101 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 102 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 103 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 104 105 /* 106 * Interface flags that can be set in an ifconfig command. 107 * 108 * Setting link0 will make the link passive, i.e. it will be marked 109 * as being administrative openable, but won't be opened to begin 110 * with. Incoming calls will be answered, or subsequent calls with 111 * -link1 will cause the administrative open of the LCP layer. 112 * 113 * Setting link1 will cause the link to auto-dial only as packets 114 * arrive to be sent. 115 * 116 * Setting IFF_DEBUG will syslog the option negotiation and state 117 * transitions at level kern.debug. Note: all logs consistently look 118 * like 119 * 120 * <if-name><unit>: <proto-name> <additional info...> 121 * 122 * with <if-name><unit> being something like "bppp0", and <proto-name> 123 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 124 */ 125 126 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 127 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 128 129 #define CONF_REQ 1 /* PPP configure request */ 130 #define CONF_ACK 2 /* PPP configure acknowledge */ 131 #define CONF_NAK 3 /* PPP configure negative ack */ 132 #define CONF_REJ 4 /* PPP configure reject */ 133 #define TERM_REQ 5 /* PPP terminate request */ 134 #define TERM_ACK 6 /* PPP terminate acknowledge */ 135 #define CODE_REJ 7 /* PPP code reject */ 136 #define PROTO_REJ 8 /* PPP protocol reject */ 137 #define ECHO_REQ 9 /* PPP echo request */ 138 #define ECHO_REPLY 10 /* PPP echo reply */ 139 #define DISC_REQ 11 /* PPP discard request */ 140 141 #define LCP_OPT_MRU 1 /* maximum receive unit */ 142 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 143 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 144 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 145 #define LCP_OPT_MAGIC 5 /* magic number */ 146 #define LCP_OPT_RESERVED 6 /* reserved */ 147 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 148 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 149 #define LCP_OPT_FCS_ALTS 9 /* FCS alternatives */ 150 #define LCP_OPT_SELF_DESC_PAD 10 /* self-describing padding */ 151 #define LCP_OPT_CALL_BACK 13 /* callback */ 152 #define LCP_OPT_COMPOUND_FRMS 15 /* compound frames */ 153 #define LCP_OPT_MP_MRRU 17 /* multilink MRRU */ 154 #define LCP_OPT_MP_SSNHF 18 /* multilink short seq. numbers */ 155 #define LCP_OPT_MP_EID 19 /* multilink endpoint discriminator */ 156 157 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 158 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 159 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 160 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 161 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 162 163 #define IPCP_UPDATE_LIMIT 8 /* limit of pending IP updating job */ 164 #define IPCP_SET_ADDRS 1 /* marker for IP address setting job */ 165 #define IPCP_CLEAR_ADDRS 2 /* marker for IP address clearing job */ 166 167 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 168 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 169 170 #define PAP_REQ 1 /* PAP name/password request */ 171 #define PAP_ACK 2 /* PAP acknowledge */ 172 #define PAP_NAK 3 /* PAP fail */ 173 174 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 175 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 176 #define CHAP_SUCCESS 3 /* CHAP response ok */ 177 #define CHAP_FAILURE 4 /* CHAP response failed */ 178 179 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 180 181 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 182 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 183 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 184 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 185 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 186 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 187 188 /* states are named and numbered according to RFC 1661 */ 189 #define STATE_INITIAL 0 190 #define STATE_STARTING 1 191 #define STATE_CLOSED 2 192 #define STATE_STOPPED 3 193 #define STATE_CLOSING 4 194 #define STATE_STOPPING 5 195 #define STATE_REQ_SENT 6 196 #define STATE_ACK_RCVD 7 197 #define STATE_ACK_SENT 8 198 #define STATE_OPENED 9 199 200 struct ppp_header { 201 uint8_t address; 202 uint8_t control; 203 uint16_t protocol; 204 } __packed; 205 #define PPP_HEADER_LEN sizeof (struct ppp_header) 206 207 struct lcp_header { 208 uint8_t type; 209 uint8_t ident; 210 uint16_t len; 211 } __packed; 212 #define LCP_HEADER_LEN sizeof (struct lcp_header) 213 214 struct cisco_packet { 215 uint32_t type; 216 uint32_t par1; 217 uint32_t par2; 218 uint16_t rel; 219 uint16_t time0; 220 uint16_t time1; 221 } __packed; 222 #define CISCO_PACKET_LEN 18 223 224 /* 225 * We follow the spelling and capitalization of RFC 1661 here, to make 226 * it easier comparing with the standard. Please refer to this RFC in 227 * case you can't make sense out of these abbreviation; it will also 228 * explain the semantics related to the various events and actions. 229 */ 230 struct cp { 231 u_short proto; /* PPP control protocol number */ 232 u_char protoidx; /* index into state table in struct sppp */ 233 u_char flags; 234 #define CP_LCP 0x01 /* this is the LCP */ 235 #define CP_AUTH 0x02 /* this is an authentication protocol */ 236 #define CP_NCP 0x04 /* this is a NCP */ 237 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 238 const char *name; /* name of this control protocol */ 239 /* event handlers */ 240 void (*Up)(struct sppp *sp); 241 void (*Down)(struct sppp *sp); 242 void (*Open)(struct sppp *sp); 243 void (*Close)(struct sppp *sp); 244 void (*TO)(void *sp); 245 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 246 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 247 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 248 /* actions */ 249 void (*tlu)(struct sppp *sp); 250 void (*tld)(struct sppp *sp); 251 void (*tls)(struct sppp *sp); 252 void (*tlf)(struct sppp *sp); 253 void (*scr)(struct sppp *sp); 254 }; 255 256 static struct sppp *spppq; 257 static kmutex_t *spppq_lock = NULL; 258 static callout_t keepalive_ch; 259 260 #define SPPPQ_LOCK() if (spppq_lock) \ 261 mutex_enter(spppq_lock); 262 #define SPPPQ_UNLOCK() if (spppq_lock) \ 263 mutex_exit(spppq_lock); 264 265 #define SPPP_LOCK(_sp, _op) rw_enter(&(_sp)->pp_lock, (_op)) 266 #define SPPP_UNLOCK(_sp) rw_exit(&(_sp)->pp_lock) 267 #define SPPP_WLOCKED(_sp) rw_write_held(&(_sp)->pp_lock) 268 #define SPPP_UPGRADE(_sp) do{ \ 269 SPPP_UNLOCK(_sp); \ 270 SPPP_LOCK(_sp, RW_WRITER); \ 271 }while (0) 272 #define SPPP_DOWNGRADE(_sp) rw_downgrade(&(_sp)->pp_lock) 273 274 #ifdef INET 275 #ifndef SPPPSUBR_MPSAFE 276 /* 277 * The following disgusting hack gets around the problem that IP TOS 278 * can't be set yet. We want to put "interactive" traffic on a high 279 * priority queue. To decide if traffic is interactive, we check that 280 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 281 * 282 * XXX is this really still necessary? - joerg - 283 */ 284 static u_short interactive_ports[8] = { 285 0, 513, 0, 0, 286 0, 21, 0, 23, 287 }; 288 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 289 #endif /* SPPPSUBR_MPSAFE */ 290 #endif 291 292 /* almost every function needs these */ 293 #define STDDCL \ 294 struct ifnet *ifp = &sp->pp_if; \ 295 int debug = ifp->if_flags & IFF_DEBUG 296 297 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 298 const struct sockaddr *dst, const struct rtentry *rt); 299 300 static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2); 301 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 302 303 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 304 struct mbuf *m); 305 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 306 u_char ident, u_short len, void *data); 307 /* static void sppp_cp_timeout(void *arg); */ 308 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 309 int newstate); 310 static void sppp_auth_send(const struct cp *cp, 311 struct sppp *sp, unsigned int type, unsigned int id, 312 ...); 313 314 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 315 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 316 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 317 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 318 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 319 320 static void sppp_null(struct sppp *sp); 321 322 static void sppp_lcp_init(struct sppp *sp); 323 static void sppp_lcp_up(struct sppp *sp); 324 static void sppp_lcp_down(struct sppp *sp); 325 static void sppp_lcp_open(struct sppp *sp); 326 static void sppp_lcp_close(struct sppp *sp); 327 static void sppp_lcp_TO(void *sp); 328 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 329 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 330 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 331 static void sppp_lcp_tlu(struct sppp *sp); 332 static void sppp_lcp_tld(struct sppp *sp); 333 static void sppp_lcp_tls(struct sppp *sp); 334 static void sppp_lcp_tlf(struct sppp *sp); 335 static void sppp_lcp_scr(struct sppp *sp); 336 static void sppp_lcp_check_and_close(struct sppp *sp); 337 static int sppp_ncp_check(struct sppp *sp); 338 339 static void sppp_ipcp_init(struct sppp *sp); 340 static void sppp_ipcp_up(struct sppp *sp); 341 static void sppp_ipcp_down(struct sppp *sp); 342 static void sppp_ipcp_open(struct sppp *sp); 343 static void sppp_ipcp_close(struct sppp *sp); 344 static void sppp_ipcp_TO(void *sp); 345 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 346 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 347 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 348 static void sppp_ipcp_tlu(struct sppp *sp); 349 static void sppp_ipcp_tld(struct sppp *sp); 350 static void sppp_ipcp_tls(struct sppp *sp); 351 static void sppp_ipcp_tlf(struct sppp *sp); 352 static void sppp_ipcp_scr(struct sppp *sp); 353 354 static void sppp_ipv6cp_init(struct sppp *sp); 355 static void sppp_ipv6cp_up(struct sppp *sp); 356 static void sppp_ipv6cp_down(struct sppp *sp); 357 static void sppp_ipv6cp_open(struct sppp *sp); 358 static void sppp_ipv6cp_close(struct sppp *sp); 359 static void sppp_ipv6cp_TO(void *sp); 360 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 361 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 362 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 363 static void sppp_ipv6cp_tlu(struct sppp *sp); 364 static void sppp_ipv6cp_tld(struct sppp *sp); 365 static void sppp_ipv6cp_tls(struct sppp *sp); 366 static void sppp_ipv6cp_tlf(struct sppp *sp); 367 static void sppp_ipv6cp_scr(struct sppp *sp); 368 369 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 370 static void sppp_pap_init(struct sppp *sp); 371 static void sppp_pap_open(struct sppp *sp); 372 static void sppp_pap_close(struct sppp *sp); 373 static void sppp_pap_TO(void *sp); 374 static void sppp_pap_my_TO(void *sp); 375 static void sppp_pap_tlu(struct sppp *sp); 376 static void sppp_pap_tld(struct sppp *sp); 377 static void sppp_pap_scr(struct sppp *sp); 378 379 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 380 static void sppp_chap_init(struct sppp *sp); 381 static void sppp_chap_open(struct sppp *sp); 382 static void sppp_chap_close(struct sppp *sp); 383 static void sppp_chap_TO(void *sp); 384 static void sppp_chap_tlu(struct sppp *sp); 385 static void sppp_chap_tld(struct sppp *sp); 386 static void sppp_chap_scr(struct sppp *sp); 387 388 static const char *sppp_auth_type_name(u_short proto, u_char type); 389 static const char *sppp_cp_type_name(u_char type); 390 static const char *sppp_dotted_quad(uint32_t addr); 391 static const char *sppp_ipcp_opt_name(u_char opt); 392 #ifdef INET6 393 static const char *sppp_ipv6cp_opt_name(u_char opt); 394 #endif 395 static const char *sppp_lcp_opt_name(u_char opt); 396 static const char *sppp_phase_name(int phase); 397 static const char *sppp_proto_name(u_short proto); 398 static const char *sppp_state_name(int state); 399 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 400 #ifdef INET 401 static void sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, 402 uint32_t *srcmask); 403 static void sppp_set_ip_addrs_work(struct work *wk, struct sppp *sp); 404 static void sppp_set_ip_addrs(struct sppp *sp); 405 static void sppp_clear_ip_addrs_work(struct work *wk, struct sppp *sp); 406 static void sppp_clear_ip_addrs(struct sppp *sp); 407 static void sppp_update_ip_addrs_work(struct work *wk, void *arg); 408 #endif 409 static void sppp_keepalive(void *dummy); 410 static void sppp_phase_network(struct sppp *sp); 411 static void sppp_print_bytes(const u_char *p, u_short len); 412 static void sppp_print_string(const char *p, u_short len); 413 #ifdef INET6 414 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 415 struct in6_addr *dst, struct in6_addr *srcmask); 416 #ifdef IPV6CP_MYIFID_DYN 417 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 418 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 419 #endif 420 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 421 #endif 422 423 static void sppp_notify_up(struct sppp *); 424 static void sppp_notify_down(struct sppp *); 425 static void sppp_notify_tls_wlocked(struct sppp *); 426 static void sppp_notify_tlf_wlocked(struct sppp *); 427 #ifdef INET6 428 static void sppp_notify_con_wlocked(struct sppp *); 429 #endif 430 static void sppp_notify_con(struct sppp *); 431 432 static void sppp_notify_chg_wlocked(struct sppp *); 433 434 435 /* our control protocol descriptors */ 436 static const struct cp lcp = { 437 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 438 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 439 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 440 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 441 sppp_lcp_scr 442 }; 443 444 static const struct cp ipcp = { 445 PPP_IPCP, IDX_IPCP, 446 #ifdef INET 447 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 448 #else 449 0, 450 #endif 451 "ipcp", 452 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 453 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 454 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 455 sppp_ipcp_scr 456 }; 457 458 static const struct cp ipv6cp = { 459 PPP_IPV6CP, IDX_IPV6CP, 460 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 461 CP_NCP, 462 #else 463 0, 464 #endif 465 "ipv6cp", 466 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 467 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 468 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 469 sppp_ipv6cp_scr 470 }; 471 472 static const struct cp pap = { 473 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 474 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 475 sppp_pap_TO, 0, 0, 0, 476 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 477 sppp_pap_scr 478 }; 479 480 static const struct cp chap = { 481 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 482 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 483 sppp_chap_TO, 0, 0, 0, 484 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 485 sppp_chap_scr 486 }; 487 488 static const struct cp *cps[IDX_COUNT] = { 489 &lcp, /* IDX_LCP */ 490 &ipcp, /* IDX_IPCP */ 491 &ipv6cp, /* IDX_IPV6CP */ 492 &pap, /* IDX_PAP */ 493 &chap, /* IDX_CHAP */ 494 }; 495 496 static void 497 sppp_change_phase(struct sppp *sp, int phase) 498 { 499 STDDCL; 500 501 KASSERT(SPPP_WLOCKED(sp)); 502 503 if (sp->pp_phase == phase) 504 return; 505 506 sp->pp_phase = phase; 507 508 if (phase == SPPP_PHASE_NETWORK) 509 if_link_state_change(ifp, LINK_STATE_UP); 510 else 511 if_link_state_change(ifp, LINK_STATE_DOWN); 512 513 if (debug) 514 { 515 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 516 sppp_phase_name(sp->pp_phase)); 517 } 518 } 519 520 /* 521 * Exported functions, comprising our interface to the lower layer. 522 */ 523 524 /* 525 * Process the received packet. 526 */ 527 void 528 sppp_input(struct ifnet *ifp, struct mbuf *m) 529 { 530 struct ppp_header *h = NULL; 531 pktqueue_t *pktq = NULL; 532 struct ifqueue *inq = NULL; 533 uint16_t protocol; 534 struct sppp *sp = (struct sppp *)ifp; 535 int debug = ifp->if_flags & IFF_DEBUG; 536 int isr = 0; 537 538 SPPP_LOCK(sp, RW_READER); 539 540 if (ifp->if_flags & IFF_UP) { 541 /* Count received bytes, add hardware framing */ 542 if_statadd(ifp, if_ibytes, m->m_pkthdr.len + sp->pp_framebytes); 543 /* Note time of last receive */ 544 sp->pp_last_receive = time_uptime; 545 } 546 547 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 548 /* Too small packet, drop it. */ 549 if (debug) 550 log(LOG_DEBUG, 551 "%s: input packet is too small, %d bytes\n", 552 ifp->if_xname, m->m_pkthdr.len); 553 drop: 554 if_statadd2(ifp, if_ierrors, 1, if_iqdrops, 1); 555 m_freem(m); 556 SPPP_UNLOCK(sp); 557 return; 558 } 559 560 if (sp->pp_flags & PP_NOFRAMING) { 561 memcpy(&protocol, mtod(m, void *), 2); 562 protocol = ntohs(protocol); 563 m_adj(m, 2); 564 } else { 565 566 /* Get PPP header. */ 567 h = mtod(m, struct ppp_header *); 568 m_adj(m, PPP_HEADER_LEN); 569 570 switch (h->address) { 571 case PPP_ALLSTATIONS: 572 if (h->control != PPP_UI) 573 goto invalid; 574 if (sp->pp_flags & PP_CISCO) { 575 if (debug) 576 log(LOG_DEBUG, 577 "%s: PPP packet in Cisco mode " 578 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 579 ifp->if_xname, 580 h->address, h->control, ntohs(h->protocol)); 581 goto drop; 582 } 583 break; 584 case CISCO_MULTICAST: 585 case CISCO_UNICAST: 586 /* Don't check the control field here (RFC 1547). */ 587 if (! (sp->pp_flags & PP_CISCO)) { 588 if (debug) 589 log(LOG_DEBUG, 590 "%s: Cisco packet in PPP mode " 591 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 592 ifp->if_xname, 593 h->address, h->control, ntohs(h->protocol)); 594 goto drop; 595 } 596 switch (ntohs(h->protocol)) { 597 default: 598 if_statinc(ifp, if_noproto); 599 goto invalid; 600 case CISCO_KEEPALIVE: 601 SPPP_UNLOCK(sp); 602 sppp_cisco_input((struct sppp *) ifp, m); 603 m_freem(m); 604 return; 605 #ifdef INET 606 case ETHERTYPE_IP: 607 pktq = ip_pktq; 608 break; 609 #endif 610 #ifdef INET6 611 case ETHERTYPE_IPV6: 612 pktq = ip6_pktq; 613 break; 614 #endif 615 } 616 goto queue_pkt; 617 default: /* Invalid PPP packet. */ 618 invalid: 619 if (debug) 620 log(LOG_DEBUG, 621 "%s: invalid input packet " 622 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 623 ifp->if_xname, 624 h->address, h->control, ntohs(h->protocol)); 625 goto drop; 626 } 627 protocol = ntohs(h->protocol); 628 } 629 630 switch (protocol) { 631 default: 632 if (sp->state[IDX_LCP] == STATE_OPENED) { 633 uint16_t prot = htons(protocol); 634 635 SPPP_UPGRADE(sp); 636 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 637 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 638 &prot); 639 SPPP_DOWNGRADE(sp); 640 } 641 if (debug) 642 log(LOG_DEBUG, 643 "%s: invalid input protocol " 644 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol)); 645 if_statinc(ifp, if_noproto); 646 goto drop; 647 case PPP_LCP: 648 SPPP_UNLOCK(sp); 649 sppp_cp_input(&lcp, sp, m); 650 m_freem(m); 651 return; 652 case PPP_PAP: 653 SPPP_UNLOCK(sp); 654 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 655 sppp_pap_input(sp, m); 656 } 657 m_freem(m); 658 return; 659 case PPP_CHAP: 660 SPPP_UNLOCK(sp); 661 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 662 sppp_chap_input(sp, m); 663 } 664 m_freem(m); 665 return; 666 #ifdef INET 667 case PPP_IPCP: 668 SPPP_UNLOCK(sp); 669 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 670 sppp_cp_input(&ipcp, sp, m); 671 } 672 m_freem(m); 673 return; 674 case PPP_IP: 675 if (sp->state[IDX_IPCP] == STATE_OPENED) { 676 sp->pp_last_activity = time_uptime; 677 pktq = ip_pktq; 678 } 679 break; 680 #endif 681 #ifdef INET6 682 case PPP_IPV6CP: 683 SPPP_UNLOCK(sp); 684 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 685 sppp_cp_input(&ipv6cp, sp, m); 686 } 687 m_freem(m); 688 return; 689 690 case PPP_IPV6: 691 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 692 sp->pp_last_activity = time_uptime; 693 pktq = ip6_pktq; 694 } 695 break; 696 #endif 697 } 698 699 queue_pkt: 700 if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) { 701 goto drop; 702 } 703 704 /* Check queue. */ 705 if (__predict_true(pktq)) { 706 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 707 goto drop; 708 } 709 SPPP_UNLOCK(sp); 710 return; 711 } 712 713 SPPP_UNLOCK(sp); 714 715 IFQ_LOCK(inq); 716 if (IF_QFULL(inq)) { 717 /* Queue overflow. */ 718 IF_DROP(inq); 719 IFQ_UNLOCK(inq); 720 if (debug) 721 log(LOG_DEBUG, "%s: protocol queue overflow\n", 722 ifp->if_xname); 723 724 SPPP_LOCK(sp, RW_READER); 725 goto drop; 726 } 727 IF_ENQUEUE(inq, m); 728 IFQ_UNLOCK(inq); 729 schednetisr(isr); 730 } 731 732 /* 733 * Enqueue transmit packet. 734 */ 735 static int 736 sppp_output(struct ifnet *ifp, struct mbuf *m, 737 const struct sockaddr *dst, const struct rtentry *rt) 738 { 739 struct sppp *sp = (struct sppp *) ifp; 740 struct ppp_header *h = NULL; 741 #ifndef SPPPSUBR_MPSAFE 742 struct ifqueue *ifq = NULL; /* XXX */ 743 #endif 744 int s, error = 0; 745 uint16_t protocol; 746 size_t pktlen; 747 748 s = splnet(); 749 SPPP_LOCK(sp, RW_READER); 750 751 sp->pp_last_activity = time_uptime; 752 753 if ((ifp->if_flags & IFF_UP) == 0 || 754 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 755 SPPP_UNLOCK(sp); 756 splx(s); 757 758 m_freem(m); 759 760 return (ENETDOWN); 761 } 762 763 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 764 /* 765 * Interface is not yet running, but auto-dial. Need 766 * to start LCP for it. 767 */ 768 ifp->if_flags |= IFF_RUNNING; 769 770 SPPP_UNLOCK(sp); 771 splx(s); 772 773 SPPP_LOCK(sp, RW_WRITER); 774 lcp.Open(sp); 775 SPPP_UNLOCK(sp); 776 777 s = splnet(); 778 SPPP_LOCK(sp, RW_READER); 779 } 780 781 /* 782 * If the queueing discipline needs packet classification, 783 * do it before prepending link headers. 784 */ 785 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family); 786 787 #ifdef INET 788 if (dst->sa_family == AF_INET) { 789 struct ip *ip = NULL; 790 #ifndef SPPPSUBR_MPSAFE 791 struct tcphdr *th = NULL; 792 #endif 793 794 if (m->m_len >= sizeof(struct ip)) { 795 ip = mtod(m, struct ip *); 796 #ifndef SPPPSUBR_MPSAFE 797 if (ip->ip_p == IPPROTO_TCP && 798 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 799 sizeof(struct tcphdr)) { 800 th = (struct tcphdr *) 801 ((char *)ip + (ip->ip_hl << 2)); 802 } 803 #endif 804 } else 805 ip = NULL; 806 807 /* 808 * When using dynamic local IP address assignment by using 809 * 0.0.0.0 as a local address, the first TCP session will 810 * not connect because the local TCP checksum is computed 811 * using 0.0.0.0 which will later become our real IP address 812 * so the TCP checksum computed at the remote end will 813 * become invalid. So we 814 * - don't let packets with src ip addr 0 thru 815 * - we flag TCP packets with src ip 0 as an error 816 */ 817 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 818 uint8_t proto = ip->ip_p; 819 820 SPPP_UNLOCK(sp); 821 splx(s); 822 823 m_freem(m); 824 if (proto == IPPROTO_TCP) 825 return (EADDRNOTAVAIL); 826 else 827 return (0); 828 } 829 830 #ifndef SPPPSUBR_MPSAFE 831 /* 832 * Put low delay, telnet, rlogin and ftp control packets 833 * in front of the queue. 834 */ 835 if (!IF_QFULL(&sp->pp_fastq) && 836 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 837 (th && (INTERACTIVE(ntohs(th->th_sport)) || 838 INTERACTIVE(ntohs(th->th_dport)))))) 839 ifq = &sp->pp_fastq; 840 #endif /* !SPPPSUBR_MPSAFE */ 841 } 842 #endif 843 844 #ifdef INET6 845 if (dst->sa_family == AF_INET6) { 846 /* XXX do something tricky here? */ 847 } 848 #endif 849 850 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 851 /* 852 * Prepend general data packet PPP header. For now, IP only. 853 */ 854 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 855 if (! m) { 856 if (ifp->if_flags & IFF_DEBUG) 857 log(LOG_DEBUG, "%s: no memory for transmit header\n", 858 ifp->if_xname); 859 if_statinc(ifp, if_oerrors); 860 SPPP_UNLOCK(sp); 861 splx(s); 862 return (ENOBUFS); 863 } 864 /* 865 * May want to check size of packet 866 * (albeit due to the implementation it's always enough) 867 */ 868 h = mtod(m, struct ppp_header *); 869 if (sp->pp_flags & PP_CISCO) { 870 h->address = CISCO_UNICAST; /* unicast address */ 871 h->control = 0; 872 } else { 873 h->address = PPP_ALLSTATIONS; /* broadcast address */ 874 h->control = PPP_UI; /* Unnumbered Info */ 875 } 876 } 877 878 switch (dst->sa_family) { 879 #ifdef INET 880 case AF_INET: /* Internet Protocol */ 881 if (sp->pp_flags & PP_CISCO) 882 protocol = htons(ETHERTYPE_IP); 883 else { 884 /* 885 * Don't choke with an ENETDOWN early. It's 886 * possible that we just started dialing out, 887 * so don't drop the packet immediately. If 888 * we notice that we run out of buffer space 889 * below, we will however remember that we are 890 * not ready to carry IP packets, and return 891 * ENETDOWN, as opposed to ENOBUFS. 892 */ 893 protocol = htons(PPP_IP); 894 if (sp->state[IDX_IPCP] != STATE_OPENED) 895 error = ENETDOWN; 896 } 897 break; 898 #endif 899 #ifdef INET6 900 case AF_INET6: /* Internet Protocol version 6 */ 901 if (sp->pp_flags & PP_CISCO) 902 protocol = htons(ETHERTYPE_IPV6); 903 else { 904 /* 905 * Don't choke with an ENETDOWN early. It's 906 * possible that we just started dialing out, 907 * so don't drop the packet immediately. If 908 * we notice that we run out of buffer space 909 * below, we will however remember that we are 910 * not ready to carry IP packets, and return 911 * ENETDOWN, as opposed to ENOBUFS. 912 */ 913 protocol = htons(PPP_IPV6); 914 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 915 error = ENETDOWN; 916 } 917 break; 918 #endif 919 default: 920 m_freem(m); 921 if_statinc(ifp, if_oerrors); 922 SPPP_UNLOCK(sp); 923 splx(s); 924 return (EAFNOSUPPORT); 925 } 926 927 if (sp->pp_flags & PP_NOFRAMING) { 928 M_PREPEND(m, 2, M_DONTWAIT); 929 if (m == NULL) { 930 if (ifp->if_flags & IFF_DEBUG) 931 log(LOG_DEBUG, "%s: no memory for transmit header\n", 932 ifp->if_xname); 933 if_statinc(ifp, if_oerrors); 934 SPPP_UNLOCK(sp); 935 splx(s); 936 return (ENOBUFS); 937 } 938 *mtod(m, uint16_t *) = protocol; 939 } else { 940 h->protocol = protocol; 941 } 942 943 pktlen = m->m_pkthdr.len; 944 #ifdef SPPPSUBR_MPSAFE 945 SPPP_UNLOCK(sp); 946 error = if_transmit_lock(ifp, m); 947 SPPP_LOCK(sp, RW_READER); 948 if (error == 0) 949 if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes); 950 #else /* !SPPPSUBR_MPSAFE */ 951 error = ifq_enqueue2(ifp, ifq, m); 952 953 if (error == 0) { 954 /* 955 * Count output packets and bytes. 956 * The packet length includes header + additional hardware 957 * framing according to RFC 1333. 958 */ 959 if (!(ifp->if_flags & IFF_OACTIVE)) { 960 SPPP_UNLOCK(sp); 961 if_start_lock(ifp); 962 SPPP_LOCK(sp, RW_READER); 963 } 964 if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes); 965 } 966 #endif /* !SPPPSUBR_MPSAFE */ 967 SPPP_UNLOCK(sp); 968 splx(s); 969 return error; 970 } 971 972 static int 973 sppp_mediachange(struct ifnet *ifp) 974 { 975 976 return (0); 977 } 978 979 static void 980 sppp_mediastatus(struct ifnet *ifp, struct ifmediareq *imr) 981 { 982 int link_state; 983 984 link_state = atomic_load_relaxed(&ifp->if_link_state); 985 switch (link_state) { 986 case LINK_STATE_UP: 987 imr->ifm_status = IFM_AVALID | IFM_ACTIVE; 988 break; 989 case LINK_STATE_DOWN: 990 imr->ifm_status = IFM_AVALID; 991 break; 992 default: 993 /* Should be impossible as we set link state down in attach. */ 994 imr->ifm_status = 0; 995 break; 996 } 997 } 998 999 void 1000 sppp_attach(struct ifnet *ifp) 1001 { 1002 struct sppp *sp = (struct sppp *) ifp; 1003 1004 /* Initialize keepalive handler. */ 1005 if (! spppq) { 1006 callout_init(&keepalive_ch, CALLOUT_MPSAFE); 1007 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 1008 } 1009 1010 if (! spppq_lock) 1011 spppq_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_SOFTNET); 1012 1013 /* Insert new entry into the keepalive list. */ 1014 sp->pp_next = spppq; 1015 spppq = sp; 1016 1017 sp->pp_if.if_type = IFT_PPP; 1018 sp->pp_if.if_output = sppp_output; 1019 sp->pp_fastq.ifq_maxlen = 32; 1020 sp->pp_cpq.ifq_maxlen = 20; 1021 sp->pp_loopcnt = 0; 1022 sp->pp_alivecnt = 0; 1023 sp->pp_last_activity = 0; 1024 sp->pp_last_receive = 0; 1025 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 1026 sp->pp_max_noreceive = DEFAULT_NORECV_TIME; 1027 sp->pp_idle_timeout = 0; 1028 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq)); 1029 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq)); 1030 sp->pp_auth_failures = 0; 1031 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 1032 sp->pp_phase = SPPP_PHASE_DEAD; 1033 sp->pp_up = sppp_notify_up; 1034 sp->pp_down = sppp_notify_down; 1035 rw_init(&sp->pp_lock); 1036 1037 if_alloc_sadl(ifp); 1038 1039 /* Lets not beat about the bush, we know we're down. */ 1040 ifp->if_link_state = LINK_STATE_DOWN; 1041 /* There is no media for PPP, but it's needed to report link status. */ 1042 ifmedia_init(&sp->pp_im, 0, sppp_mediachange, sppp_mediastatus); 1043 1044 memset(&sp->myauth, 0, sizeof sp->myauth); 1045 memset(&sp->hisauth, 0, sizeof sp->hisauth); 1046 SPPP_LOCK(sp, RW_WRITER); 1047 sppp_lcp_init(sp); 1048 sppp_ipcp_init(sp); 1049 sppp_ipv6cp_init(sp); 1050 sppp_pap_init(sp); 1051 sppp_chap_init(sp); 1052 SPPP_UNLOCK(sp); 1053 } 1054 1055 void 1056 sppp_detach(struct ifnet *ifp) 1057 { 1058 struct sppp **q, *p, *sp = (struct sppp *) ifp; 1059 1060 /* Remove the entry from the keepalive list. */ 1061 SPPPQ_LOCK(); 1062 for (q = &spppq; (p = *q); q = &p->pp_next) 1063 if (p == sp) { 1064 *q = p->pp_next; 1065 break; 1066 } 1067 SPPPQ_UNLOCK(); 1068 1069 if (! spppq) { 1070 /* Stop keepalive handler. */ 1071 callout_stop(&keepalive_ch); 1072 mutex_obj_free(spppq_lock); 1073 spppq_lock = NULL; 1074 } 1075 1076 SPPP_LOCK(sp, RW_WRITER); 1077 1078 /* to avoid workqueue enqueued */ 1079 atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1); 1080 workqueue_wait(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk); 1081 workqueue_destroy(sp->ipcp.update_addrs_wq); 1082 pcq_destroy(sp->ipcp.update_addrs_q); 1083 1084 callout_stop(&sp->ch[IDX_LCP]); 1085 callout_stop(&sp->ch[IDX_IPCP]); 1086 callout_stop(&sp->ch[IDX_PAP]); 1087 callout_stop(&sp->ch[IDX_CHAP]); 1088 #ifdef INET6 1089 callout_stop(&sp->ch[IDX_IPV6CP]); 1090 #endif 1091 callout_stop(&sp->pap_my_to_ch); 1092 1093 /* free authentication info */ 1094 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 1095 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 1096 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 1097 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 1098 SPPP_UNLOCK(sp); 1099 rw_destroy(&sp->pp_lock); 1100 1101 ifmedia_fini(&sp->pp_im); 1102 } 1103 1104 /* 1105 * Flush the interface output queue. 1106 */ 1107 void 1108 sppp_flush(struct ifnet *ifp) 1109 { 1110 struct sppp *sp = (struct sppp *) ifp; 1111 1112 SPPP_LOCK(sp, RW_WRITER); 1113 IFQ_PURGE(&sp->pp_if.if_snd); 1114 IF_PURGE(&sp->pp_fastq); 1115 IF_PURGE(&sp->pp_cpq); 1116 SPPP_UNLOCK(sp); 1117 } 1118 1119 /* 1120 * Check if the output queue is empty. 1121 */ 1122 int 1123 sppp_isempty(struct ifnet *ifp) 1124 { 1125 struct sppp *sp = (struct sppp *) ifp; 1126 int empty, s; 1127 1128 s = splnet(); 1129 SPPP_LOCK(sp, RW_READER); 1130 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 1131 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 1132 SPPP_UNLOCK(sp); 1133 splx(s); 1134 return (empty); 1135 } 1136 1137 /* 1138 * Get next packet to send. 1139 */ 1140 struct mbuf * 1141 sppp_dequeue(struct ifnet *ifp) 1142 { 1143 struct sppp *sp = (struct sppp *) ifp; 1144 struct mbuf *m; 1145 int s; 1146 1147 s = splnet(); 1148 SPPP_LOCK(sp, RW_WRITER); 1149 /* 1150 * Process only the control protocol queue until we have at 1151 * least one NCP open. 1152 * 1153 * Do always serve all three queues in Cisco mode. 1154 */ 1155 IF_DEQUEUE(&sp->pp_cpq, m); 1156 if (m == NULL && 1157 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) { 1158 IF_DEQUEUE(&sp->pp_fastq, m); 1159 if (m == NULL) 1160 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 1161 } 1162 SPPP_UNLOCK(sp); 1163 splx(s); 1164 return m; 1165 } 1166 1167 /* 1168 * Process an ioctl request. Called on low priority level. 1169 */ 1170 int 1171 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1172 { 1173 struct lwp *l = curlwp; /* XXX */ 1174 struct ifreq *ifr = (struct ifreq *) data; 1175 struct ifaddr *ifa = (struct ifaddr *) data; 1176 struct sppp *sp = (struct sppp *) ifp; 1177 int s, error=0, going_up, going_down; 1178 u_short newmode; 1179 1180 s = splnet(); 1181 switch (cmd) { 1182 case SIOCINITIFADDR: 1183 ifa->ifa_rtrequest = p2p_rtrequest; 1184 break; 1185 1186 case SIOCSIFFLAGS: 1187 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1188 break; 1189 1190 SPPP_LOCK(sp, RW_WRITER); 1191 going_up = ifp->if_flags & IFF_UP && 1192 (ifp->if_flags & IFF_RUNNING) == 0; 1193 going_down = (ifp->if_flags & IFF_UP) == 0 && 1194 ifp->if_flags & IFF_RUNNING; 1195 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1196 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1197 /* sanity */ 1198 newmode = IFF_PASSIVE; 1199 ifp->if_flags &= ~IFF_AUTO; 1200 } 1201 1202 if (going_up || going_down) { 1203 lcp.Close(sp); 1204 } 1205 if (going_up && newmode == 0) { 1206 /* neither auto-dial nor passive */ 1207 ifp->if_flags |= IFF_RUNNING; 1208 if (!(sp->pp_flags & PP_CISCO)) 1209 lcp.Open(sp); 1210 } else if (going_down) { 1211 SPPP_UNLOCK(sp); 1212 sppp_flush(ifp); 1213 SPPP_LOCK(sp, RW_WRITER); 1214 1215 ifp->if_flags &= ~IFF_RUNNING; 1216 } 1217 SPPP_UNLOCK(sp); 1218 break; 1219 1220 case SIOCSIFMTU: 1221 if (ifr->ifr_mtu < PPP_MINMRU || 1222 ifr->ifr_mtu > sp->lcp.their_mru) { 1223 error = EINVAL; 1224 break; 1225 } 1226 /*FALLTHROUGH*/ 1227 case SIOCGIFMTU: 1228 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1229 error = 0; 1230 break; 1231 case SIOCADDMULTI: 1232 case SIOCDELMULTI: 1233 break; 1234 1235 case SPPPSETAUTHCFG: 1236 case SPPPSETLCPCFG: 1237 case SPPPSETIDLETO: 1238 case SPPPSETAUTHFAILURE: 1239 case SPPPSETDNSOPTS: 1240 case SPPPSETKEEPALIVE: 1241 #if defined(COMPAT_50) || defined(MODULAR) 1242 case __SPPPSETIDLETO50: 1243 case __SPPPSETKEEPALIVE50: 1244 #endif /* COMPAT_50 || MODULAR */ 1245 error = kauth_authorize_network(l->l_cred, 1246 KAUTH_NETWORK_INTERFACE, 1247 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1248 NULL); 1249 if (error) 1250 break; 1251 error = sppp_params(sp, cmd, data); 1252 break; 1253 1254 case SPPPGETAUTHCFG: 1255 case SPPPGETLCPCFG: 1256 case SPPPGETAUTHFAILURES: 1257 error = kauth_authorize_network(l->l_cred, 1258 KAUTH_NETWORK_INTERFACE, 1259 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1260 NULL); 1261 if (error) 1262 break; 1263 error = sppp_params(sp, cmd, data); 1264 break; 1265 1266 case SPPPGETSTATUS: 1267 case SPPPGETSTATUSNCP: 1268 case SPPPGETIDLETO: 1269 case SPPPGETDNSOPTS: 1270 case SPPPGETDNSADDRS: 1271 case SPPPGETKEEPALIVE: 1272 #if defined(COMPAT_50) || defined(MODULAR) 1273 case __SPPPGETIDLETO50: 1274 case __SPPPGETKEEPALIVE50: 1275 #endif /* COMPAT_50 || MODULAR */ 1276 error = sppp_params(sp, cmd, data); 1277 break; 1278 1279 case SIOCGIFMEDIA: 1280 error = ifmedia_ioctl(ifp, ifr, &sp->pp_im, cmd); 1281 break; 1282 1283 default: 1284 error = ifioctl_common(ifp, cmd, data); 1285 break; 1286 } 1287 splx(s); 1288 return (error); 1289 } 1290 1291 1292 /* 1293 * Cisco framing implementation. 1294 */ 1295 1296 /* 1297 * Handle incoming Cisco keepalive protocol packets. 1298 */ 1299 static void 1300 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1301 { 1302 STDDCL; 1303 struct cisco_packet *h; 1304 #ifdef INET 1305 uint32_t me, mymask = 0; /* XXX: GCC */ 1306 #endif 1307 1308 SPPP_LOCK(sp, RW_WRITER); 1309 1310 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1311 if (debug) 1312 log(LOG_DEBUG, 1313 "%s: cisco invalid packet length: %d bytes\n", 1314 ifp->if_xname, m->m_pkthdr.len); 1315 SPPP_UNLOCK(sp); 1316 return; 1317 } 1318 h = mtod(m, struct cisco_packet *); 1319 if (debug) 1320 log(LOG_DEBUG, 1321 "%s: cisco input: %d bytes " 1322 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1323 ifp->if_xname, m->m_pkthdr.len, 1324 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1325 (u_int)h->time0, (u_int)h->time1); 1326 switch (ntohl(h->type)) { 1327 default: 1328 if (debug) 1329 addlog("%s: cisco unknown packet type: 0x%x\n", 1330 ifp->if_xname, ntohl(h->type)); 1331 break; 1332 case CISCO_ADDR_REPLY: 1333 /* Reply on address request, ignore */ 1334 break; 1335 case CISCO_KEEPALIVE_REQ: 1336 sp->pp_alivecnt = 0; 1337 sp->pp_rseq[IDX_LCP] = ntohl(h->par1); 1338 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1339 /* Local and remote sequence numbers are equal. 1340 * Probably, the line is in loopback mode. */ 1341 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1342 printf ("%s: loopback\n", 1343 ifp->if_xname); 1344 sp->pp_loopcnt = 0; 1345 if (ifp->if_flags & IFF_UP) { 1346 SPPP_UNLOCK(sp); 1347 if_down(ifp); 1348 SPPP_LOCK(sp, RW_WRITER); 1349 1350 IF_PURGE(&sp->pp_cpq); 1351 } 1352 } 1353 ++sp->pp_loopcnt; 1354 1355 /* Generate new local sequence number */ 1356 sp->pp_seq[IDX_LCP] = cprng_fast32(); 1357 break; 1358 } 1359 sp->pp_loopcnt = 0; 1360 if (! (ifp->if_flags & IFF_UP) && 1361 (ifp->if_flags & IFF_RUNNING)) { 1362 SPPP_UNLOCK(sp); 1363 if_up(ifp); 1364 SPPP_LOCK(sp, RW_WRITER); 1365 } 1366 break; 1367 case CISCO_ADDR_REQ: 1368 #ifdef INET 1369 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1370 if (me != 0L) 1371 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1372 #endif 1373 break; 1374 } 1375 SPPP_UNLOCK(sp); 1376 } 1377 1378 /* 1379 * Send Cisco keepalive packet. 1380 */ 1381 static void 1382 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1383 { 1384 STDDCL; 1385 struct ppp_header *h; 1386 struct cisco_packet *ch; 1387 struct mbuf *m; 1388 uint32_t t; 1389 1390 KASSERT(SPPP_WLOCKED(sp)); 1391 1392 t = time_uptime * 1000; 1393 MGETHDR(m, M_DONTWAIT, MT_DATA); 1394 if (! m) 1395 return; 1396 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1397 m_reset_rcvif(m); 1398 1399 h = mtod(m, struct ppp_header *); 1400 h->address = CISCO_MULTICAST; 1401 h->control = 0; 1402 h->protocol = htons(CISCO_KEEPALIVE); 1403 1404 ch = (struct cisco_packet *)(h + 1); 1405 ch->type = htonl(type); 1406 ch->par1 = htonl(par1); 1407 ch->par2 = htonl(par2); 1408 ch->rel = -1; 1409 1410 ch->time0 = htons((u_short)(t >> 16)); 1411 ch->time1 = htons((u_short) t); 1412 1413 if (debug) 1414 log(LOG_DEBUG, 1415 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1416 ifp->if_xname, ntohl(ch->type), ch->par1, 1417 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1418 (u_int)ch->time1); 1419 1420 if (IF_QFULL(&sp->pp_cpq)) { 1421 IF_DROP(&sp->pp_fastq); 1422 IF_DROP(&ifp->if_snd); 1423 m_freem(m); 1424 if_statinc(ifp, if_oerrors); 1425 return; 1426 } 1427 1428 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 1429 IF_ENQUEUE(&sp->pp_cpq, m); 1430 1431 if (! (ifp->if_flags & IFF_OACTIVE)) { 1432 SPPP_UNLOCK(sp); 1433 if_start_lock(ifp); 1434 SPPP_LOCK(sp, RW_WRITER); 1435 } 1436 } 1437 1438 /* 1439 * PPP protocol implementation. 1440 */ 1441 1442 /* 1443 * Send PPP control protocol packet. 1444 */ 1445 static void 1446 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1447 u_char ident, u_short len, void *data) 1448 { 1449 STDDCL; 1450 struct lcp_header *lh; 1451 struct mbuf *m; 1452 size_t pkthdrlen; 1453 1454 KASSERT(SPPP_WLOCKED(sp)); 1455 1456 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1457 1458 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1459 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1460 MGETHDR(m, M_DONTWAIT, MT_DATA); 1461 if (! m) { 1462 return; 1463 } 1464 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1465 m_reset_rcvif(m); 1466 1467 if (sp->pp_flags & PP_NOFRAMING) { 1468 *mtod(m, uint16_t *) = htons(proto); 1469 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1470 } else { 1471 struct ppp_header *h; 1472 h = mtod(m, struct ppp_header *); 1473 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1474 h->control = PPP_UI; /* Unnumbered Info */ 1475 h->protocol = htons(proto); /* Link Control Protocol */ 1476 lh = (struct lcp_header *)(h + 1); 1477 } 1478 lh->type = type; 1479 lh->ident = ident; 1480 lh->len = htons(LCP_HEADER_LEN + len); 1481 if (len) 1482 memcpy(lh + 1, data, len); 1483 1484 if (debug) { 1485 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1486 ifp->if_xname, 1487 sppp_proto_name(proto), 1488 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len)); 1489 if (len) 1490 sppp_print_bytes((u_char *)(lh + 1), len); 1491 addlog(">\n"); 1492 } 1493 if (IF_QFULL(&sp->pp_cpq)) { 1494 IF_DROP(&sp->pp_fastq); 1495 IF_DROP(&ifp->if_snd); 1496 m_freem(m); 1497 if_statinc(ifp, if_oerrors); 1498 return; 1499 } 1500 1501 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 1502 IF_ENQUEUE(&sp->pp_cpq, m); 1503 1504 1505 if (! (ifp->if_flags & IFF_OACTIVE)) { 1506 SPPP_UNLOCK(sp); 1507 if_start_lock(ifp); 1508 SPPP_LOCK(sp, RW_WRITER); 1509 } 1510 } 1511 1512 /* 1513 * Handle incoming PPP control protocol packets. 1514 */ 1515 static void 1516 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1517 { 1518 STDDCL; 1519 struct lcp_header *h; 1520 int printlen, len = m->m_pkthdr.len; 1521 int rv; 1522 u_char *p; 1523 uint32_t u32; 1524 1525 SPPP_LOCK(sp, RW_WRITER); 1526 1527 if (len < 4) { 1528 if (debug) 1529 log(LOG_DEBUG, 1530 "%s: %s invalid packet length: %d bytes\n", 1531 ifp->if_xname, cp->name, len); 1532 SPPP_UNLOCK(sp); 1533 return; 1534 } 1535 h = mtod(m, struct lcp_header *); 1536 if (debug) { 1537 printlen = ntohs(h->len); 1538 log(LOG_DEBUG, 1539 "%s: %s input(%s): <%s id=0x%x len=%d", 1540 ifp->if_xname, cp->name, 1541 sppp_state_name(sp->state[cp->protoidx]), 1542 sppp_cp_type_name(h->type), h->ident, printlen); 1543 if (len < printlen) 1544 printlen = len; 1545 if (printlen > 4) 1546 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1547 addlog(">\n"); 1548 } 1549 if (len > ntohs(h->len)) 1550 len = ntohs(h->len); 1551 p = (u_char *)(h + 1); 1552 switch (h->type) { 1553 case CONF_REQ: 1554 if (len < 4) { 1555 if (debug) 1556 addlog("%s: %s invalid conf-req length %d\n", 1557 ifp->if_xname, cp->name, 1558 len); 1559 if_statinc(ifp, if_ierrors); 1560 break; 1561 } 1562 /* handle states where RCR doesn't get a SCA/SCN */ 1563 switch (sp->state[cp->protoidx]) { 1564 case STATE_CLOSING: 1565 case STATE_STOPPING: 1566 SPPP_UNLOCK(sp); 1567 return; 1568 case STATE_CLOSED: 1569 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1570 0, 0); 1571 SPPP_UNLOCK(sp); 1572 return; 1573 } 1574 rv = (cp->RCR)(sp, h, len); 1575 if (rv < 0) { 1576 /* fatal error, shut down */ 1577 (cp->tld)(sp); 1578 sppp_lcp_tlf(sp); 1579 SPPP_UNLOCK(sp); 1580 return; 1581 } 1582 switch (sp->state[cp->protoidx]) { 1583 case STATE_OPENED: 1584 (cp->tld)(sp); 1585 (cp->scr)(sp); 1586 /* fall through... */ 1587 case STATE_ACK_SENT: 1588 case STATE_REQ_SENT: 1589 sppp_cp_change_state(cp, sp, rv? 1590 STATE_ACK_SENT: STATE_REQ_SENT); 1591 break; 1592 case STATE_STOPPED: 1593 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1594 (cp->scr)(sp); 1595 sppp_cp_change_state(cp, sp, rv? 1596 STATE_ACK_SENT: STATE_REQ_SENT); 1597 break; 1598 case STATE_ACK_RCVD: 1599 if (rv) { 1600 sppp_cp_change_state(cp, sp, STATE_OPENED); 1601 if (debug) 1602 log(LOG_DEBUG, "%s: %s tlu\n", 1603 ifp->if_xname, 1604 cp->name); 1605 (cp->tlu)(sp); 1606 } else 1607 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1608 break; 1609 default: 1610 printf("%s: %s illegal %s in state %s\n", 1611 ifp->if_xname, cp->name, 1612 sppp_cp_type_name(h->type), 1613 sppp_state_name(sp->state[cp->protoidx])); 1614 if_statinc(ifp, if_ierrors); 1615 } 1616 break; 1617 case CONF_ACK: 1618 if (h->ident != sp->confid[cp->protoidx]) { 1619 if (debug) 1620 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1621 ifp->if_xname, cp->name, 1622 h->ident, sp->confid[cp->protoidx]); 1623 if_statinc(ifp, if_ierrors); 1624 break; 1625 } 1626 switch (sp->state[cp->protoidx]) { 1627 case STATE_CLOSED: 1628 case STATE_STOPPED: 1629 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1630 break; 1631 case STATE_CLOSING: 1632 case STATE_STOPPING: 1633 break; 1634 case STATE_REQ_SENT: 1635 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1636 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1637 break; 1638 case STATE_OPENED: 1639 (cp->tld)(sp); 1640 /* fall through */ 1641 case STATE_ACK_RCVD: 1642 (cp->scr)(sp); 1643 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1644 break; 1645 case STATE_ACK_SENT: 1646 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1647 sppp_cp_change_state(cp, sp, STATE_OPENED); 1648 if (debug) 1649 log(LOG_DEBUG, "%s: %s tlu\n", 1650 ifp->if_xname, cp->name); 1651 (cp->tlu)(sp); 1652 break; 1653 default: 1654 printf("%s: %s illegal %s in state %s\n", 1655 ifp->if_xname, cp->name, 1656 sppp_cp_type_name(h->type), 1657 sppp_state_name(sp->state[cp->protoidx])); 1658 if_statinc(ifp, if_ierrors); 1659 } 1660 break; 1661 case CONF_NAK: 1662 case CONF_REJ: 1663 if (h->ident != sp->confid[cp->protoidx]) { 1664 if (debug) 1665 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1666 ifp->if_xname, cp->name, 1667 h->ident, sp->confid[cp->protoidx]); 1668 if_statinc(ifp, if_ierrors); 1669 break; 1670 } 1671 if (h->type == CONF_NAK) 1672 (cp->RCN_nak)(sp, h, len); 1673 else /* CONF_REJ */ 1674 (cp->RCN_rej)(sp, h, len); 1675 1676 switch (sp->state[cp->protoidx]) { 1677 case STATE_CLOSED: 1678 case STATE_STOPPED: 1679 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1680 break; 1681 case STATE_REQ_SENT: 1682 case STATE_ACK_SENT: 1683 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1684 (cp->scr)(sp); 1685 break; 1686 case STATE_OPENED: 1687 (cp->tld)(sp); 1688 /* fall through */ 1689 case STATE_ACK_RCVD: 1690 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 1691 (cp->scr)(sp); 1692 break; 1693 case STATE_CLOSING: 1694 case STATE_STOPPING: 1695 break; 1696 default: 1697 printf("%s: %s illegal %s in state %s\n", 1698 ifp->if_xname, cp->name, 1699 sppp_cp_type_name(h->type), 1700 sppp_state_name(sp->state[cp->protoidx])); 1701 if_statinc(ifp, if_ierrors); 1702 } 1703 break; 1704 1705 case TERM_REQ: 1706 switch (sp->state[cp->protoidx]) { 1707 case STATE_ACK_RCVD: 1708 case STATE_ACK_SENT: 1709 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1710 /* fall through */ 1711 case STATE_CLOSED: 1712 case STATE_STOPPED: 1713 case STATE_CLOSING: 1714 case STATE_STOPPING: 1715 case STATE_REQ_SENT: 1716 sta: 1717 /* Send Terminate-Ack packet. */ 1718 if (debug) 1719 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 1720 ifp->if_xname, cp->name); 1721 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1722 break; 1723 case STATE_OPENED: 1724 (cp->tld)(sp); 1725 sp->rst_counter[cp->protoidx] = 0; 1726 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1727 goto sta; 1728 default: 1729 printf("%s: %s illegal %s in state %s\n", 1730 ifp->if_xname, cp->name, 1731 sppp_cp_type_name(h->type), 1732 sppp_state_name(sp->state[cp->protoidx])); 1733 if_statinc(ifp, if_ierrors); 1734 } 1735 break; 1736 case TERM_ACK: 1737 switch (sp->state[cp->protoidx]) { 1738 case STATE_CLOSED: 1739 case STATE_STOPPED: 1740 case STATE_REQ_SENT: 1741 case STATE_ACK_SENT: 1742 break; 1743 case STATE_CLOSING: 1744 (cp->tlf)(sp); 1745 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1746 sppp_lcp_check_and_close(sp); 1747 break; 1748 case STATE_STOPPING: 1749 (cp->tlf)(sp); 1750 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1751 sppp_lcp_check_and_close(sp); 1752 break; 1753 case STATE_ACK_RCVD: 1754 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1755 break; 1756 case STATE_OPENED: 1757 (cp->tld)(sp); 1758 (cp->scr)(sp); 1759 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1760 break; 1761 default: 1762 printf("%s: %s illegal %s in state %s\n", 1763 ifp->if_xname, cp->name, 1764 sppp_cp_type_name(h->type), 1765 sppp_state_name(sp->state[cp->protoidx])); 1766 if_statinc(ifp, if_ierrors); 1767 } 1768 break; 1769 case CODE_REJ: 1770 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1771 log(LOG_INFO, 1772 "%s: %s: ignoring RXJ (%s) for code ?, " 1773 "danger will robinson\n", 1774 ifp->if_xname, cp->name, 1775 sppp_cp_type_name(h->type)); 1776 switch (sp->state[cp->protoidx]) { 1777 case STATE_CLOSED: 1778 case STATE_STOPPED: 1779 case STATE_REQ_SENT: 1780 case STATE_ACK_SENT: 1781 case STATE_CLOSING: 1782 case STATE_STOPPING: 1783 case STATE_OPENED: 1784 break; 1785 case STATE_ACK_RCVD: 1786 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1787 break; 1788 default: 1789 printf("%s: %s illegal %s in state %s\n", 1790 ifp->if_xname, cp->name, 1791 sppp_cp_type_name(h->type), 1792 sppp_state_name(sp->state[cp->protoidx])); 1793 if_statinc(ifp, if_ierrors); 1794 } 1795 break; 1796 case PROTO_REJ: 1797 { 1798 int catastrophic; 1799 const struct cp *upper; 1800 int i; 1801 uint16_t proto; 1802 1803 catastrophic = 0; 1804 upper = NULL; 1805 proto = p[0] << 8 | p[1]; 1806 for (i = 0; i < IDX_COUNT; i++) { 1807 if (cps[i]->proto == proto) { 1808 upper = cps[i]; 1809 break; 1810 } 1811 } 1812 if (upper == NULL) 1813 catastrophic++; 1814 1815 if (debug) 1816 log(LOG_INFO, 1817 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1818 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1819 sppp_cp_type_name(h->type), proto, 1820 upper ? upper->name : "unknown", 1821 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1822 1823 /* 1824 * if we got RXJ+ against conf-req, the peer does not implement 1825 * this particular protocol type. terminate the protocol. 1826 */ 1827 if (upper && !catastrophic) { 1828 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1829 upper->Close(sp); 1830 break; 1831 } 1832 } 1833 1834 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1835 switch (sp->state[cp->protoidx]) { 1836 case STATE_CLOSED: 1837 case STATE_STOPPED: 1838 case STATE_REQ_SENT: 1839 case STATE_ACK_SENT: 1840 case STATE_CLOSING: 1841 case STATE_STOPPING: 1842 case STATE_OPENED: 1843 break; 1844 case STATE_ACK_RCVD: 1845 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1846 break; 1847 default: 1848 printf("%s: %s illegal %s in state %s\n", 1849 ifp->if_xname, cp->name, 1850 sppp_cp_type_name(h->type), 1851 sppp_state_name(sp->state[cp->protoidx])); 1852 if_statinc(ifp, if_ierrors); 1853 } 1854 break; 1855 } 1856 case DISC_REQ: 1857 if (cp->proto != PPP_LCP) 1858 goto illegal; 1859 /* Discard the packet. */ 1860 break; 1861 case ECHO_REQ: 1862 if (cp->proto != PPP_LCP) 1863 goto illegal; 1864 if (sp->state[cp->protoidx] != STATE_OPENED) { 1865 if (debug) 1866 addlog("%s: lcp echo req but lcp closed\n", 1867 ifp->if_xname); 1868 if_statinc(ifp, if_ierrors); 1869 break; 1870 } 1871 if (len < 8) { 1872 if (debug) 1873 addlog("%s: invalid lcp echo request " 1874 "packet length: %d bytes\n", 1875 ifp->if_xname, len); 1876 break; 1877 } 1878 memcpy(&u32, h + 1, sizeof u32); 1879 if (ntohl(u32) == sp->lcp.magic) { 1880 /* Line loopback mode detected. */ 1881 printf("%s: loopback\n", ifp->if_xname); 1882 SPPP_UNLOCK(sp); 1883 if_down(ifp); 1884 SPPP_LOCK(sp, RW_WRITER); 1885 1886 IF_PURGE(&sp->pp_cpq); 1887 1888 /* Shut down the PPP link. */ 1889 /* XXX */ 1890 lcp.Down(sp); 1891 lcp.Up(sp); 1892 break; 1893 } 1894 u32 = htonl(sp->lcp.magic); 1895 memcpy(h + 1, &u32, sizeof u32); 1896 if (debug) 1897 addlog("%s: got lcp echo req, sending echo rep\n", 1898 ifp->if_xname); 1899 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1900 h + 1); 1901 break; 1902 case ECHO_REPLY: 1903 if (cp->proto != PPP_LCP) 1904 goto illegal; 1905 if (h->ident != sp->lcp.echoid) { 1906 if_statinc(ifp, if_ierrors); 1907 break; 1908 } 1909 if (len < 8) { 1910 if (debug) 1911 addlog("%s: lcp invalid echo reply " 1912 "packet length: %d bytes\n", 1913 ifp->if_xname, len); 1914 break; 1915 } 1916 if (debug) 1917 addlog("%s: lcp got echo rep\n", 1918 ifp->if_xname); 1919 memcpy(&u32, h + 1, sizeof u32); 1920 if (ntohl(u32) != sp->lcp.magic) 1921 sp->pp_alivecnt = 0; 1922 break; 1923 default: 1924 /* Unknown packet type -- send Code-Reject packet. */ 1925 illegal: 1926 if (debug) 1927 addlog("%s: %s send code-rej for 0x%x\n", 1928 ifp->if_xname, cp->name, h->type); 1929 sppp_cp_send(sp, cp->proto, CODE_REJ, 1930 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1931 if_statinc(ifp, if_ierrors); 1932 } 1933 1934 SPPP_UNLOCK(sp); 1935 } 1936 1937 1938 /* 1939 * The generic part of all Up/Down/Open/Close/TO event handlers. 1940 * Basically, the state transition handling in the automaton. 1941 */ 1942 static void 1943 sppp_up_event(const struct cp *cp, struct sppp *sp) 1944 { 1945 STDDCL; 1946 1947 KASSERT(SPPP_WLOCKED(sp)); 1948 1949 if (debug) 1950 log(LOG_DEBUG, "%s: %s up(%s)\n", 1951 ifp->if_xname, cp->name, 1952 sppp_state_name(sp->state[cp->protoidx])); 1953 1954 switch (sp->state[cp->protoidx]) { 1955 case STATE_INITIAL: 1956 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1957 break; 1958 case STATE_STARTING: 1959 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1960 (cp->scr)(sp); 1961 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1962 break; 1963 default: 1964 printf("%s: %s illegal up in state %s\n", 1965 ifp->if_xname, cp->name, 1966 sppp_state_name(sp->state[cp->protoidx])); 1967 } 1968 } 1969 1970 static void 1971 sppp_down_event(const struct cp *cp, struct sppp *sp) 1972 { 1973 STDDCL; 1974 1975 KASSERT(SPPP_WLOCKED(sp)); 1976 1977 if (debug) 1978 log(LOG_DEBUG, "%s: %s down(%s)\n", 1979 ifp->if_xname, cp->name, 1980 sppp_state_name(sp->state[cp->protoidx])); 1981 1982 switch (sp->state[cp->protoidx]) { 1983 case STATE_CLOSED: 1984 case STATE_CLOSING: 1985 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1986 break; 1987 case STATE_STOPPED: 1988 (cp->tls)(sp); 1989 /* fall through */ 1990 case STATE_STOPPING: 1991 case STATE_REQ_SENT: 1992 case STATE_ACK_RCVD: 1993 case STATE_ACK_SENT: 1994 sppp_cp_change_state(cp, sp, STATE_STARTING); 1995 break; 1996 case STATE_OPENED: 1997 (cp->tld)(sp); 1998 sppp_cp_change_state(cp, sp, STATE_STARTING); 1999 break; 2000 default: 2001 printf("%s: %s illegal down in state %s\n", 2002 ifp->if_xname, cp->name, 2003 sppp_state_name(sp->state[cp->protoidx])); 2004 } 2005 } 2006 2007 2008 static void 2009 sppp_open_event(const struct cp *cp, struct sppp *sp) 2010 { 2011 STDDCL; 2012 2013 KASSERT(SPPP_WLOCKED(sp)); 2014 2015 if (debug) 2016 log(LOG_DEBUG, "%s: %s open(%s)\n", 2017 ifp->if_xname, cp->name, 2018 sppp_state_name(sp->state[cp->protoidx])); 2019 2020 switch (sp->state[cp->protoidx]) { 2021 case STATE_INITIAL: 2022 sppp_cp_change_state(cp, sp, STATE_STARTING); 2023 (cp->tls)(sp); 2024 break; 2025 case STATE_STARTING: 2026 break; 2027 case STATE_CLOSED: 2028 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 2029 (cp->scr)(sp); 2030 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2031 break; 2032 case STATE_STOPPED: 2033 case STATE_STOPPING: 2034 case STATE_REQ_SENT: 2035 case STATE_ACK_RCVD: 2036 case STATE_ACK_SENT: 2037 case STATE_OPENED: 2038 break; 2039 case STATE_CLOSING: 2040 sppp_cp_change_state(cp, sp, STATE_STOPPING); 2041 break; 2042 } 2043 } 2044 2045 2046 static void 2047 sppp_close_event(const struct cp *cp, struct sppp *sp) 2048 { 2049 STDDCL; 2050 2051 KASSERT(SPPP_WLOCKED(sp)); 2052 2053 if (debug) 2054 log(LOG_DEBUG, "%s: %s close(%s)\n", 2055 ifp->if_xname, cp->name, 2056 sppp_state_name(sp->state[cp->protoidx])); 2057 2058 switch (sp->state[cp->protoidx]) { 2059 case STATE_INITIAL: 2060 case STATE_CLOSED: 2061 case STATE_CLOSING: 2062 break; 2063 case STATE_STARTING: 2064 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2065 (cp->tlf)(sp); 2066 break; 2067 case STATE_STOPPED: 2068 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2069 break; 2070 case STATE_STOPPING: 2071 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2072 break; 2073 case STATE_OPENED: 2074 (cp->tld)(sp); 2075 /* fall through */ 2076 case STATE_REQ_SENT: 2077 case STATE_ACK_RCVD: 2078 case STATE_ACK_SENT: 2079 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 2080 sppp_cp_send(sp, cp->proto, TERM_REQ, 2081 ++sp->pp_seq[cp->protoidx], 0, 0); 2082 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2083 break; 2084 } 2085 } 2086 2087 static void 2088 sppp_to_event(const struct cp *cp, struct sppp *sp) 2089 { 2090 STDDCL; 2091 int s; 2092 2093 KASSERT(SPPP_WLOCKED(sp)); 2094 2095 s = splnet(); 2096 2097 if (debug) 2098 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 2099 ifp->if_xname, cp->name, 2100 sppp_state_name(sp->state[cp->protoidx]), 2101 sp->rst_counter[cp->protoidx]); 2102 2103 if (--sp->rst_counter[cp->protoidx] < 0) 2104 /* TO- event */ 2105 switch (sp->state[cp->protoidx]) { 2106 case STATE_CLOSING: 2107 (cp->tlf)(sp); 2108 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2109 sppp_lcp_check_and_close(sp); 2110 break; 2111 case STATE_STOPPING: 2112 (cp->tlf)(sp); 2113 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2114 sppp_lcp_check_and_close(sp); 2115 break; 2116 case STATE_REQ_SENT: 2117 case STATE_ACK_RCVD: 2118 case STATE_ACK_SENT: 2119 (cp->tlf)(sp); 2120 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2121 sppp_lcp_check_and_close(sp); 2122 break; 2123 } 2124 else 2125 /* TO+ event */ 2126 switch (sp->state[cp->protoidx]) { 2127 case STATE_CLOSING: 2128 case STATE_STOPPING: 2129 sppp_cp_send(sp, cp->proto, TERM_REQ, 2130 ++sp->pp_seq[cp->protoidx], 0, 0); 2131 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2132 cp->TO, sp); 2133 break; 2134 case STATE_REQ_SENT: 2135 case STATE_ACK_RCVD: 2136 (cp->scr)(sp); 2137 /* sppp_cp_change_state() will restart the timer */ 2138 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2139 break; 2140 case STATE_ACK_SENT: 2141 (cp->scr)(sp); 2142 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2143 cp->TO, sp); 2144 break; 2145 } 2146 2147 splx(s); 2148 } 2149 2150 /* 2151 * Change the state of a control protocol in the state automaton. 2152 * Takes care of starting/stopping the restart timer. 2153 */ 2154 void 2155 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2156 { 2157 2158 KASSERT(SPPP_WLOCKED(sp)); 2159 2160 sp->state[cp->protoidx] = newstate; 2161 callout_stop(&sp->ch[cp->protoidx]); 2162 switch (newstate) { 2163 case STATE_INITIAL: 2164 case STATE_STARTING: 2165 case STATE_CLOSED: 2166 case STATE_STOPPED: 2167 case STATE_OPENED: 2168 break; 2169 case STATE_CLOSING: 2170 case STATE_STOPPING: 2171 case STATE_REQ_SENT: 2172 case STATE_ACK_RCVD: 2173 case STATE_ACK_SENT: 2174 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2175 cp->TO, sp); 2176 break; 2177 } 2178 } 2179 2180 /* 2181 *--------------------------------------------------------------------------* 2182 * * 2183 * The LCP implementation. * 2184 * * 2185 *--------------------------------------------------------------------------* 2186 */ 2187 static void 2188 sppp_lcp_init(struct sppp *sp) 2189 { 2190 2191 KASSERT(SPPP_WLOCKED(sp)); 2192 2193 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2194 sp->lcp.magic = 0; 2195 sp->state[IDX_LCP] = STATE_INITIAL; 2196 sp->fail_counter[IDX_LCP] = 0; 2197 sp->pp_seq[IDX_LCP] = 0; 2198 sp->pp_rseq[IDX_LCP] = 0; 2199 sp->lcp.protos = 0; 2200 2201 /* 2202 * Initialize counters and timeout values. Note that we don't 2203 * use the 3 seconds suggested in RFC 1661 since we are likely 2204 * running on a fast link. XXX We should probably implement 2205 * the exponential backoff option. Note that these values are 2206 * relevant for all control protocols, not just LCP only. 2207 */ 2208 sp->lcp.timeout = 1 * hz; 2209 sp->lcp.max_terminate = 2; 2210 sp->lcp.max_configure = 10; 2211 sp->lcp.max_failure = 10; 2212 callout_init(&sp->ch[IDX_LCP], CALLOUT_MPSAFE); 2213 } 2214 2215 static void 2216 sppp_lcp_up(struct sppp *sp) 2217 { 2218 STDDCL; 2219 2220 KASSERT(SPPP_WLOCKED(sp)); 2221 2222 /* Initialize activity timestamp: opening a connection is an activity */ 2223 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 2224 2225 /* 2226 * If this interface is passive or dial-on-demand, and we are 2227 * still in Initial state, it means we've got an incoming 2228 * call. Activate the interface. 2229 */ 2230 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2231 if (debug) 2232 log(LOG_DEBUG, 2233 "%s: Up event", ifp->if_xname); 2234 ifp->if_flags |= IFF_RUNNING; 2235 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2236 if (debug) 2237 addlog("(incoming call)\n"); 2238 sp->pp_flags |= PP_CALLIN; 2239 lcp.Open(sp); 2240 } else if (debug) 2241 addlog("\n"); 2242 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2243 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2244 ifp->if_flags |= IFF_RUNNING; 2245 lcp.Open(sp); 2246 } 2247 2248 sppp_up_event(&lcp, sp); 2249 } 2250 2251 static void 2252 sppp_lcp_down(struct sppp *sp) 2253 { 2254 STDDCL; 2255 2256 KASSERT(SPPP_WLOCKED(sp)); 2257 2258 sppp_down_event(&lcp, sp); 2259 2260 /* 2261 * If this is neither a dial-on-demand nor a passive 2262 * interface, simulate an ``ifconfig down'' action, so the 2263 * administrator can force a redial by another ``ifconfig 2264 * up''. XXX For leased line operation, should we immediately 2265 * try to reopen the connection here? 2266 */ 2267 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2268 if (debug) 2269 log(LOG_INFO, 2270 "%s: Down event (carrier loss), taking interface down.\n", 2271 ifp->if_xname); 2272 SPPP_UNLOCK(sp); 2273 if_down(ifp); 2274 SPPP_LOCK(sp, RW_WRITER); 2275 } else { 2276 if (debug) 2277 log(LOG_DEBUG, 2278 "%s: Down event (carrier loss)\n", 2279 ifp->if_xname); 2280 } 2281 sp->fail_counter[IDX_LCP] = 0; 2282 sp->pp_flags &= ~PP_CALLIN; 2283 if (sp->state[IDX_LCP] != STATE_INITIAL) 2284 lcp.Close(sp); 2285 ifp->if_flags &= ~IFF_RUNNING; 2286 } 2287 2288 static void 2289 sppp_lcp_open(struct sppp *sp) 2290 { 2291 2292 KASSERT(SPPP_WLOCKED(sp)); 2293 2294 if (sp->pp_if.if_mtu < PP_MTU) { 2295 sp->lcp.mru = sp->pp_if.if_mtu; 2296 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2297 } else 2298 sp->lcp.mru = PP_MTU; 2299 sp->lcp.their_mru = PP_MTU; 2300 2301 /* 2302 * If we are authenticator, negotiate LCP_AUTH 2303 */ 2304 if (sp->hisauth.proto != 0) 2305 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2306 else 2307 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2308 sp->pp_flags &= ~PP_NEEDAUTH; 2309 sppp_open_event(&lcp, sp); 2310 } 2311 2312 static void 2313 sppp_lcp_close(struct sppp *sp) 2314 { 2315 2316 KASSERT(SPPP_WLOCKED(sp)); 2317 sppp_close_event(&lcp, sp); 2318 } 2319 2320 static void 2321 sppp_lcp_TO(void *cookie) 2322 { 2323 struct sppp *sp = (struct sppp*)cookie; 2324 2325 SPPP_LOCK(sp, RW_WRITER); 2326 sppp_to_event(&lcp, sp); 2327 SPPP_UNLOCK(sp); 2328 } 2329 2330 /* 2331 * Analyze a configure request. Return true if it was agreeable, and 2332 * caused action sca, false if it has been rejected or nak'ed, and 2333 * caused action scn. (The return value is used to make the state 2334 * transition decision in the state automaton.) 2335 */ 2336 static int 2337 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2338 { 2339 STDDCL; 2340 u_char *buf, *r, *p, l, blen; 2341 int origlen, rlen; 2342 uint32_t nmagic; 2343 u_short authproto; 2344 2345 KASSERT(SPPP_WLOCKED(sp)); 2346 2347 len -= 4; 2348 origlen = len; 2349 buf = r = malloc (blen = len, M_TEMP, M_NOWAIT); 2350 if (! buf) 2351 return (0); 2352 2353 if (debug) 2354 log(LOG_DEBUG, "%s: lcp parse opts:", 2355 ifp->if_xname); 2356 2357 /* pass 1: check for things that need to be rejected */ 2358 p = (void *)(h + 1); 2359 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2360 /* Sanity check option length */ 2361 if (l > len) { 2362 /* 2363 * Malicious option - drop immediately. 2364 * XXX Maybe we should just RXJ it? 2365 */ 2366 addlog("%s: received malicious LCP option 0x%02x, " 2367 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2368 p[0], l, len); 2369 goto drop; 2370 } 2371 if (debug) 2372 addlog(" %s", sppp_lcp_opt_name(*p)); 2373 switch (*p) { 2374 case LCP_OPT_MAGIC: 2375 /* Magic number. */ 2376 /* fall through, both are same length */ 2377 case LCP_OPT_ASYNC_MAP: 2378 /* Async control character map. */ 2379 if (len >= 6 || l == 6) 2380 continue; 2381 if (debug) 2382 addlog(" [invalid]"); 2383 break; 2384 case LCP_OPT_MP_EID: 2385 if (len >= l && l >= 3) { 2386 switch (p[2]) { 2387 case 0: if (l==3+ 0) continue;break; 2388 case 2: if (l==3+ 4) continue;break; 2389 case 3: if (l==3+ 6) continue;break; 2390 case 6: if (l==3+16) continue;break; 2391 case 1: /* FALLTHROUGH */ 2392 case 4: if (l<=3+20) continue;break; 2393 case 5: if (l<=3+15) continue;break; 2394 /* XXX should it be default: continue;? */ 2395 } 2396 } 2397 if (debug) 2398 addlog(" [invalid class %d len %d]", p[2], l); 2399 break; 2400 case LCP_OPT_MP_SSNHF: 2401 if (len >= 2 && l == 2) { 2402 if (debug) 2403 addlog(" [rej]"); 2404 break; 2405 } 2406 if (debug) 2407 addlog(" [invalid]"); 2408 break; 2409 case LCP_OPT_MP_MRRU: 2410 /* Multilink maximum received reconstructed unit */ 2411 /* should be fall through, both are same length */ 2412 /* FALLTHROUGH */ 2413 case LCP_OPT_MRU: 2414 /* Maximum receive unit. */ 2415 if (len >= 4 && l == 4) 2416 continue; 2417 if (debug) 2418 addlog(" [invalid]"); 2419 break; 2420 case LCP_OPT_AUTH_PROTO: 2421 if (len < 4) { 2422 if (debug) 2423 addlog(" [invalid]"); 2424 break; 2425 } 2426 authproto = (p[2] << 8) + p[3]; 2427 if (authproto == PPP_CHAP && l != 5) { 2428 if (debug) 2429 addlog(" [invalid chap len]"); 2430 break; 2431 } 2432 if (sp->myauth.proto == 0) { 2433 /* we are not configured to do auth */ 2434 if (debug) 2435 addlog(" [not configured]"); 2436 break; 2437 } 2438 /* 2439 * Remote want us to authenticate, remember this, 2440 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2441 * up. 2442 */ 2443 sp->pp_flags |= PP_NEEDAUTH; 2444 continue; 2445 default: 2446 /* Others not supported. */ 2447 if (debug) 2448 addlog(" [rej]"); 2449 break; 2450 } 2451 if (rlen + l > blen) { 2452 if (debug) 2453 addlog(" [overflow]"); 2454 continue; 2455 } 2456 /* Add the option to rejected list. */ 2457 memcpy(r, p, l); 2458 r += l; 2459 rlen += l; 2460 } 2461 if (rlen) { 2462 if (debug) 2463 addlog(" send conf-rej\n"); 2464 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2465 goto end; 2466 } else if (debug) 2467 addlog("\n"); 2468 2469 /* 2470 * pass 2: check for option values that are unacceptable and 2471 * thus require to be nak'ed. 2472 */ 2473 if (debug) 2474 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2475 ifp->if_xname); 2476 2477 p = (void *)(h + 1); 2478 len = origlen; 2479 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2480 if (debug) 2481 addlog(" %s", sppp_lcp_opt_name(*p)); 2482 switch (*p) { 2483 case LCP_OPT_MAGIC: 2484 /* Magic number -- extract. */ 2485 nmagic = (uint32_t)p[2] << 24 | 2486 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2487 if (nmagic != sp->lcp.magic) { 2488 if (debug) 2489 addlog(" 0x%x", nmagic); 2490 continue; 2491 } 2492 /* 2493 * Local and remote magics equal -- loopback? 2494 */ 2495 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2496 printf ("%s: loopback\n", 2497 ifp->if_xname); 2498 sp->pp_loopcnt = 0; 2499 if (ifp->if_flags & IFF_UP) { 2500 SPPP_UNLOCK(sp); 2501 if_down(ifp); 2502 SPPP_LOCK(sp, RW_WRITER); 2503 2504 IF_PURGE(&sp->pp_cpq); 2505 /* XXX ? */ 2506 lcp.Down(sp); 2507 lcp.Up(sp); 2508 } 2509 } else if (debug) 2510 addlog(" [glitch]"); 2511 ++sp->pp_loopcnt; 2512 /* 2513 * We negate our magic here, and NAK it. If 2514 * we see it later in an NAK packet, we 2515 * suggest a new one. 2516 */ 2517 nmagic = ~sp->lcp.magic; 2518 /* Gonna NAK it. */ 2519 p[2] = nmagic >> 24; 2520 p[3] = nmagic >> 16; 2521 p[4] = nmagic >> 8; 2522 p[5] = nmagic; 2523 break; 2524 2525 case LCP_OPT_ASYNC_MAP: 2526 /* 2527 * Async control character map -- just ignore it. 2528 * 2529 * Quote from RFC 1662, chapter 6: 2530 * To enable this functionality, synchronous PPP 2531 * implementations MUST always respond to the 2532 * Async-Control-Character-Map Configuration 2533 * Option with the LCP Configure-Ack. However, 2534 * acceptance of the Configuration Option does 2535 * not imply that the synchronous implementation 2536 * will do any ACCM mapping. Instead, all such 2537 * octet mapping will be performed by the 2538 * asynchronous-to-synchronous converter. 2539 */ 2540 continue; 2541 2542 case LCP_OPT_MRU: 2543 /* 2544 * Maximum receive unit. Always agreeable, 2545 * but ignored by now. 2546 */ 2547 sp->lcp.their_mru = p[2] * 256 + p[3]; 2548 if (debug) 2549 addlog(" %ld", sp->lcp.their_mru); 2550 continue; 2551 2552 case LCP_OPT_AUTH_PROTO: 2553 authproto = (p[2] << 8) + p[3]; 2554 if (sp->myauth.proto != authproto) { 2555 /* not agreed, nak */ 2556 if (debug) 2557 addlog(" [mine %s != his %s]", 2558 sppp_proto_name(sp->myauth.proto), 2559 sppp_proto_name(authproto)); 2560 p[2] = sp->myauth.proto >> 8; 2561 p[3] = sp->myauth.proto; 2562 break; 2563 } 2564 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2565 if (debug) 2566 addlog(" [chap not MD5]"); 2567 p[4] = CHAP_MD5; 2568 break; 2569 } 2570 continue; 2571 case LCP_OPT_MP_EID: 2572 /* 2573 * Endpoint identification. 2574 * Always agreeable, 2575 * but ignored by now. 2576 */ 2577 if (debug) { 2578 addlog(" type %d", p[2]); 2579 sppp_print_bytes(p+3, p[1]-3); 2580 } 2581 continue; 2582 case LCP_OPT_MP_MRRU: 2583 /* 2584 * Maximum received reconstructed unit. 2585 * Always agreeable, 2586 * but ignored by now. 2587 */ 2588 sp->lcp.their_mrru = p[2] * 256 + p[3]; 2589 if (debug) 2590 addlog(" %ld", sp->lcp.their_mrru); 2591 continue; 2592 } 2593 if (rlen + l > blen) { 2594 if (debug) 2595 addlog(" [overflow]"); 2596 continue; 2597 } 2598 /* Add the option to nak'ed list. */ 2599 memcpy(r, p, l); 2600 r += l; 2601 rlen += l; 2602 } 2603 if (rlen) { 2604 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2605 if (debug) 2606 addlog(" max_failure (%d) exceeded, " 2607 "send conf-rej\n", 2608 sp->lcp.max_failure); 2609 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2610 } else { 2611 if (debug) 2612 addlog(" send conf-nak\n"); 2613 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2614 } 2615 goto end; 2616 } else { 2617 if (debug) 2618 addlog(" send conf-ack\n"); 2619 sp->fail_counter[IDX_LCP] = 0; 2620 sp->pp_loopcnt = 0; 2621 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1); 2622 } 2623 2624 end: 2625 free(buf, M_TEMP); 2626 return (rlen == 0); 2627 2628 drop: 2629 free(buf, M_TEMP); 2630 return -1; 2631 } 2632 2633 /* 2634 * Analyze the LCP Configure-Reject option list, and adjust our 2635 * negotiation. 2636 */ 2637 static void 2638 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2639 { 2640 STDDCL; 2641 u_char *buf, *p, l; 2642 2643 KASSERT(SPPP_WLOCKED(sp)); 2644 2645 len -= 4; 2646 buf = malloc (len, M_TEMP, M_NOWAIT); 2647 if (!buf) 2648 return; 2649 2650 if (debug) 2651 log(LOG_DEBUG, "%s: lcp rej opts:", 2652 ifp->if_xname); 2653 2654 p = (void *)(h + 1); 2655 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2656 /* Sanity check option length */ 2657 if (l > len) { 2658 /* 2659 * Malicious option - drop immediately. 2660 * XXX Maybe we should just RXJ it? 2661 */ 2662 addlog("%s: received malicious LCP option, " 2663 "dropping.\n", ifp->if_xname); 2664 goto drop; 2665 } 2666 if (debug) 2667 addlog(" %s", sppp_lcp_opt_name(*p)); 2668 switch (*p) { 2669 case LCP_OPT_MAGIC: 2670 /* Magic number -- can't use it, use 0 */ 2671 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2672 sp->lcp.magic = 0; 2673 break; 2674 case LCP_OPT_MRU: 2675 /* 2676 * We try to negotiate a lower MRU if the underlying 2677 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 2678 * peer rejects this lower rate, fallback to the 2679 * default. 2680 */ 2681 if (debug) { 2682 addlog("%s: warning: peer rejected our MRU of " 2683 "%ld bytes. Defaulting to %d bytes\n", 2684 ifp->if_xname, sp->lcp.mru, PP_MTU); 2685 } 2686 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2687 sp->lcp.mru = PP_MTU; 2688 break; 2689 case LCP_OPT_AUTH_PROTO: 2690 /* 2691 * Peer doesn't want to authenticate himself, 2692 * deny unless this is a dialout call, and 2693 * SPPP_AUTHFLAG_NOCALLOUT is set. 2694 */ 2695 if ((sp->pp_flags & PP_CALLIN) == 0 && 2696 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 2697 if (debug) 2698 addlog(" [don't insist on auth " 2699 "for callout]"); 2700 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2701 break; 2702 } 2703 if (debug) 2704 addlog("[access denied]\n"); 2705 lcp.Close(sp); 2706 break; 2707 } 2708 } 2709 if (debug) 2710 addlog("\n"); 2711 drop: 2712 free(buf, M_TEMP); 2713 return; 2714 } 2715 2716 /* 2717 * Analyze the LCP Configure-NAK option list, and adjust our 2718 * negotiation. 2719 */ 2720 static void 2721 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2722 { 2723 STDDCL; 2724 u_char *buf, *p, l, blen; 2725 uint32_t magic; 2726 2727 KASSERT(SPPP_WLOCKED(sp)); 2728 2729 len -= 4; 2730 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 2731 if (!buf) 2732 return; 2733 2734 if (debug) 2735 log(LOG_DEBUG, "%s: lcp nak opts:", 2736 ifp->if_xname); 2737 2738 p = (void *)(h + 1); 2739 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2740 /* Sanity check option length */ 2741 if (l > len) { 2742 /* 2743 * Malicious option - drop immediately. 2744 * XXX Maybe we should just RXJ it? 2745 */ 2746 addlog("%s: received malicious LCP option, " 2747 "dropping.\n", ifp->if_xname); 2748 goto drop; 2749 } 2750 if (debug) 2751 addlog(" %s", sppp_lcp_opt_name(*p)); 2752 switch (*p) { 2753 case LCP_OPT_MAGIC: 2754 /* Magic number -- renegotiate */ 2755 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2756 len >= 6 && l == 6) { 2757 magic = (uint32_t)p[2] << 24 | 2758 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2759 /* 2760 * If the remote magic is our negated one, 2761 * this looks like a loopback problem. 2762 * Suggest a new magic to make sure. 2763 */ 2764 if (magic == ~sp->lcp.magic) { 2765 if (debug) 2766 addlog(" magic glitch"); 2767 sp->lcp.magic = cprng_fast32(); 2768 } else { 2769 sp->lcp.magic = magic; 2770 if (debug) 2771 addlog(" %d", magic); 2772 } 2773 } 2774 break; 2775 case LCP_OPT_MRU: 2776 /* 2777 * Peer wants to advise us to negotiate an MRU. 2778 * Agree on it if it's reasonable, or use 2779 * default otherwise. 2780 */ 2781 if (len >= 4 && l == 4) { 2782 u_int mru = p[2] * 256 + p[3]; 2783 if (debug) 2784 addlog(" %d", mru); 2785 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 2786 mru = sp->pp_if.if_mtu; 2787 sp->lcp.mru = mru; 2788 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2789 } 2790 break; 2791 case LCP_OPT_AUTH_PROTO: 2792 /* 2793 * Peer doesn't like our authentication method, 2794 * deny. 2795 */ 2796 if (debug) 2797 addlog("[access denied]\n"); 2798 lcp.Close(sp); 2799 break; 2800 } 2801 } 2802 if (debug) 2803 addlog("\n"); 2804 drop: 2805 free(buf, M_TEMP); 2806 return; 2807 } 2808 2809 static void 2810 sppp_lcp_tlu(struct sppp *sp) 2811 { 2812 struct ifnet *ifp = &sp->pp_if; 2813 int i; 2814 uint32_t mask; 2815 2816 KASSERT(SPPP_WLOCKED(sp)); 2817 2818 /* XXX ? */ 2819 if (! (ifp->if_flags & IFF_UP) && 2820 (ifp->if_flags & IFF_RUNNING)) { 2821 /* Coming out of loopback mode. */ 2822 SPPP_UNLOCK(sp); 2823 if_up(ifp); 2824 SPPP_LOCK(sp, RW_WRITER); 2825 } 2826 2827 for (i = 0; i < IDX_COUNT; i++) 2828 if ((cps[i])->flags & CP_QUAL) 2829 (cps[i])->Open(sp); 2830 2831 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2832 (sp->pp_flags & PP_NEEDAUTH) != 0) 2833 sppp_change_phase(sp, SPPP_PHASE_AUTHENTICATE); 2834 else 2835 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 2836 2837 /* 2838 * Open all authentication protocols. This is even required 2839 * if we already proceeded to network phase, since it might be 2840 * that remote wants us to authenticate, so we might have to 2841 * send a PAP request. Undesired authentication protocols 2842 * don't do anything when they get an Open event. 2843 */ 2844 for (i = 0; i < IDX_COUNT; i++) 2845 if ((cps[i])->flags & CP_AUTH) 2846 (cps[i])->Open(sp); 2847 2848 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 2849 /* Notify all NCPs. */ 2850 for (i = 0; i < IDX_COUNT; i++) 2851 if ((cps[i])->flags & CP_NCP) 2852 (cps[i])->Open(sp); 2853 } 2854 2855 /* Send Up events to all started protos. */ 2856 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) { 2857 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2858 (cps[i])->Up(sp); 2859 } 2860 } 2861 2862 /* notify low-level driver of state change */ 2863 sppp_notify_chg_wlocked(sp); 2864 2865 if (sp->pp_phase == SPPP_PHASE_NETWORK) 2866 /* if no NCP is starting, close down */ 2867 sppp_lcp_check_and_close(sp); 2868 } 2869 2870 static void 2871 sppp_lcp_tld(struct sppp *sp) 2872 { 2873 int i; 2874 uint32_t mask; 2875 2876 KASSERT(SPPP_WLOCKED(sp)); 2877 2878 sppp_change_phase(sp, SPPP_PHASE_TERMINATE); 2879 2880 /* 2881 * Take upper layers down. We send the Down event first and 2882 * the Close second to prevent the upper layers from sending 2883 * ``a flurry of terminate-request packets'', as the RFC 2884 * describes it. 2885 */ 2886 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) { 2887 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2888 (cps[i])->Down(sp); 2889 (cps[i])->Close(sp); 2890 } 2891 } 2892 } 2893 2894 static void 2895 sppp_lcp_tls(struct sppp *sp) 2896 { 2897 2898 KASSERT(SPPP_WLOCKED(sp)); 2899 2900 2901 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 2902 printf("%s: authentication failed %d times, not retrying again\n", 2903 sp->pp_if.if_xname, sp->pp_auth_failures); 2904 2905 SPPP_UNLOCK(sp); 2906 if_down(&sp->pp_if); 2907 SPPP_LOCK(sp, RW_WRITER); 2908 return; 2909 } 2910 2911 sppp_change_phase(sp, SPPP_PHASE_ESTABLISH); 2912 2913 /* Notify lower layer if desired. */ 2914 sppp_notify_tls_wlocked(sp); 2915 } 2916 2917 static void 2918 sppp_lcp_tlf(struct sppp *sp) 2919 { 2920 2921 KASSERT(SPPP_WLOCKED(sp)); 2922 2923 sppp_change_phase(sp, SPPP_PHASE_DEAD); 2924 2925 /* Notify lower layer if desired. */ 2926 sppp_notify_tlf_wlocked(sp); 2927 } 2928 2929 static void 2930 sppp_lcp_scr(struct sppp *sp) 2931 { 2932 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2933 int i = 0; 2934 u_short authproto; 2935 2936 KASSERT(SPPP_WLOCKED(sp)); 2937 2938 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2939 if (! sp->lcp.magic) 2940 sp->lcp.magic = cprng_fast32(); 2941 opt[i++] = LCP_OPT_MAGIC; 2942 opt[i++] = 6; 2943 opt[i++] = sp->lcp.magic >> 24; 2944 opt[i++] = sp->lcp.magic >> 16; 2945 opt[i++] = sp->lcp.magic >> 8; 2946 opt[i++] = sp->lcp.magic; 2947 } 2948 2949 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2950 opt[i++] = LCP_OPT_MRU; 2951 opt[i++] = 4; 2952 opt[i++] = sp->lcp.mru >> 8; 2953 opt[i++] = sp->lcp.mru; 2954 } 2955 2956 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2957 authproto = sp->hisauth.proto; 2958 opt[i++] = LCP_OPT_AUTH_PROTO; 2959 opt[i++] = authproto == PPP_CHAP? 5: 4; 2960 opt[i++] = authproto >> 8; 2961 opt[i++] = authproto; 2962 if (authproto == PPP_CHAP) 2963 opt[i++] = CHAP_MD5; 2964 } 2965 2966 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2967 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2968 } 2969 2970 /* 2971 * Check the open NCPs, return true if at least one NCP is open. 2972 */ 2973 static int 2974 sppp_ncp_check(struct sppp *sp) 2975 { 2976 int i, mask; 2977 2978 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2979 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2980 return 1; 2981 return 0; 2982 } 2983 2984 /* 2985 * Re-check the open NCPs and see if we should terminate the link. 2986 * Called by the NCPs during their tlf action handling. 2987 */ 2988 static void 2989 sppp_lcp_check_and_close(struct sppp *sp) 2990 { 2991 2992 KASSERT(SPPP_WLOCKED(sp)); 2993 2994 if (sp->pp_phase < SPPP_PHASE_NETWORK) 2995 /* don't bother, we are already going down */ 2996 return; 2997 2998 if (sppp_ncp_check(sp)) 2999 return; 3000 lcp.Close(sp); 3001 } 3002 3003 3004 /* 3005 *--------------------------------------------------------------------------* 3006 * * 3007 * The IPCP implementation. * 3008 * * 3009 *--------------------------------------------------------------------------* 3010 */ 3011 3012 static void 3013 sppp_ipcp_init(struct sppp *sp) 3014 { 3015 int error; 3016 3017 KASSERT(SPPP_WLOCKED(sp)); 3018 3019 sp->ipcp.opts = 0; 3020 sp->ipcp.flags = 0; 3021 sp->state[IDX_IPCP] = STATE_INITIAL; 3022 sp->fail_counter[IDX_IPCP] = 0; 3023 sp->pp_seq[IDX_IPCP] = 0; 3024 sp->pp_rseq[IDX_IPCP] = 0; 3025 callout_init(&sp->ch[IDX_IPCP], CALLOUT_MPSAFE); 3026 3027 error = workqueue_create(&sp->ipcp.update_addrs_wq, "ipcp_addr", 3028 sppp_update_ip_addrs_work, sp, PRI_SOFTNET, IPL_NET, 0); 3029 if (error) 3030 panic("%s: update_addrs workqueue_create failed (%d)\n", 3031 __func__, error); 3032 sp->ipcp.update_addrs_q = pcq_create(IPCP_UPDATE_LIMIT, KM_SLEEP); 3033 3034 sp->ipcp.update_addrs_enqueued = 0; 3035 } 3036 3037 static void 3038 sppp_ipcp_up(struct sppp *sp) 3039 { 3040 KASSERT(SPPP_WLOCKED(sp)); 3041 sppp_up_event(&ipcp, sp); 3042 } 3043 3044 static void 3045 sppp_ipcp_down(struct sppp *sp) 3046 { 3047 KASSERT(SPPP_WLOCKED(sp)); 3048 sppp_down_event(&ipcp, sp); 3049 } 3050 3051 static void 3052 sppp_ipcp_open(struct sppp *sp) 3053 { 3054 STDDCL; 3055 uint32_t myaddr, hisaddr; 3056 3057 KASSERT(SPPP_WLOCKED(sp)); 3058 3059 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 3060 sp->ipcp.req_myaddr = 0; 3061 sp->ipcp.req_hisaddr = 0; 3062 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 3063 3064 #ifdef INET 3065 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3066 #else 3067 myaddr = hisaddr = 0; 3068 #endif 3069 /* 3070 * If we don't have his address, this probably means our 3071 * interface doesn't want to talk IP at all. (This could 3072 * be the case if somebody wants to speak only IPX, for 3073 * example.) Don't open IPCP in this case. 3074 */ 3075 if (hisaddr == 0) { 3076 /* XXX this message should go away */ 3077 if (debug) 3078 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 3079 ifp->if_xname); 3080 return; 3081 } 3082 3083 if (myaddr == 0) { 3084 /* 3085 * I don't have an assigned address, so i need to 3086 * negotiate my address. 3087 */ 3088 sp->ipcp.flags |= IPCP_MYADDR_DYN; 3089 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3090 } 3091 if (hisaddr == 1) { 3092 /* 3093 * XXX - remove this hack! 3094 * remote has no valid address, we need to get one assigned. 3095 */ 3096 sp->ipcp.flags |= IPCP_HISADDR_DYN; 3097 } 3098 sppp_open_event(&ipcp, sp); 3099 } 3100 3101 static void 3102 sppp_ipcp_close(struct sppp *sp) 3103 { 3104 3105 KASSERT(SPPP_WLOCKED(sp)); 3106 3107 sppp_close_event(&ipcp, sp); 3108 3109 #ifdef INET 3110 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) 3111 /* 3112 * Some address was dynamic, clear it again. 3113 */ 3114 sppp_clear_ip_addrs(sp); 3115 #endif 3116 } 3117 3118 static void 3119 sppp_ipcp_TO(void *cookie) 3120 { 3121 struct sppp *sp = cookie; 3122 3123 SPPP_LOCK(sp, RW_WRITER); 3124 sppp_to_event(&ipcp, sp); 3125 SPPP_UNLOCK(sp); 3126 } 3127 3128 /* 3129 * Analyze a configure request. Return true if it was agreeable, and 3130 * caused action sca, false if it has been rejected or nak'ed, and 3131 * caused action scn. (The return value is used to make the state 3132 * transition decision in the state automaton.) 3133 */ 3134 static int 3135 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3136 { 3137 u_char *buf, *r, *p, l, blen; 3138 struct ifnet *ifp = &sp->pp_if; 3139 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3140 uint32_t hisaddr, desiredaddr; 3141 3142 KASSERT(SPPP_WLOCKED(sp)); 3143 3144 len -= 4; 3145 origlen = len; 3146 /* 3147 * Make sure to allocate a buf that can at least hold a 3148 * conf-nak with an `address' option. We might need it below. 3149 */ 3150 blen = len < 6 ? 6 : len; 3151 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3152 if (! buf) 3153 return (0); 3154 3155 /* pass 1: see if we can recognize them */ 3156 if (debug) 3157 log(LOG_DEBUG, "%s: ipcp parse opts:", 3158 ifp->if_xname); 3159 p = (void *)(h + 1); 3160 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3161 /* Sanity check option length */ 3162 if (l > len) { 3163 /* XXX should we just RXJ? */ 3164 addlog("%s: malicious IPCP option received, dropping\n", 3165 ifp->if_xname); 3166 goto drop; 3167 } 3168 if (debug) 3169 addlog(" %s", sppp_ipcp_opt_name(*p)); 3170 switch (*p) { 3171 #ifdef notyet 3172 case IPCP_OPT_COMPRESSION: 3173 if (len >= 6 && l >= 6) { 3174 /* correctly formed compress option */ 3175 continue; 3176 } 3177 if (debug) 3178 addlog(" [invalid]"); 3179 break; 3180 #endif 3181 case IPCP_OPT_ADDRESS: 3182 if (len >= 6 && l == 6) { 3183 /* correctly formed address option */ 3184 continue; 3185 } 3186 if (debug) 3187 addlog(" [invalid]"); 3188 break; 3189 default: 3190 /* Others not supported. */ 3191 if (debug) 3192 addlog(" [rej]"); 3193 break; 3194 } 3195 /* Add the option to rejected list. */ 3196 if (rlen + l > blen) { 3197 if (debug) 3198 addlog(" [overflow]"); 3199 continue; 3200 } 3201 memcpy(r, p, l); 3202 r += l; 3203 rlen += l; 3204 } 3205 if (rlen) { 3206 if (debug) 3207 addlog(" send conf-rej\n"); 3208 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 3209 goto end; 3210 } else if (debug) 3211 addlog("\n"); 3212 3213 /* pass 2: parse option values */ 3214 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 3215 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 3216 else 3217 #ifdef INET 3218 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 3219 #else 3220 hisaddr = 0; 3221 #endif 3222 if (debug) 3223 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 3224 ifp->if_xname); 3225 p = (void *)(h + 1); 3226 len = origlen; 3227 for (rlen=0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3228 if (debug) 3229 addlog(" %s", sppp_ipcp_opt_name(*p)); 3230 switch (*p) { 3231 #ifdef notyet 3232 case IPCP_OPT_COMPRESSION: 3233 continue; 3234 #endif 3235 case IPCP_OPT_ADDRESS: 3236 desiredaddr = p[2] << 24 | p[3] << 16 | 3237 p[4] << 8 | p[5]; 3238 if (desiredaddr == hisaddr || 3239 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 3240 /* 3241 * Peer's address is same as our value, 3242 * this is agreeable. Gonna conf-ack 3243 * it. 3244 */ 3245 if (debug) 3246 addlog(" %s [ack]", 3247 sppp_dotted_quad(hisaddr)); 3248 /* record that we've seen it already */ 3249 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 3250 sp->ipcp.req_hisaddr = desiredaddr; 3251 hisaddr = desiredaddr; 3252 continue; 3253 } 3254 /* 3255 * The address wasn't agreeable. This is either 3256 * he sent us 0.0.0.0, asking to assign him an 3257 * address, or he send us another address not 3258 * matching our value. Either case, we gonna 3259 * conf-nak it with our value. 3260 */ 3261 if (debug) { 3262 if (desiredaddr == 0) 3263 addlog(" [addr requested]"); 3264 else 3265 addlog(" %s [not agreed]", 3266 sppp_dotted_quad(desiredaddr)); 3267 } 3268 3269 p[2] = hisaddr >> 24; 3270 p[3] = hisaddr >> 16; 3271 p[4] = hisaddr >> 8; 3272 p[5] = hisaddr; 3273 break; 3274 } 3275 if (rlen + l > blen) { 3276 if (debug) 3277 addlog(" [overflow]"); 3278 continue; 3279 } 3280 /* Add the option to nak'ed list. */ 3281 memcpy(r, p, l); 3282 r += l; 3283 rlen += l; 3284 } 3285 3286 /* 3287 * If we are about to conf-ack the request, but haven't seen 3288 * his address so far, gonna conf-nak it instead, with the 3289 * `address' option present and our idea of his address being 3290 * filled in there, to request negotiation of both addresses. 3291 * 3292 * XXX This can result in an endless req - nak loop if peer 3293 * doesn't want to send us his address. Q: What should we do 3294 * about it? XXX A: implement the max-failure counter. 3295 */ 3296 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) { 3297 buf[0] = IPCP_OPT_ADDRESS; 3298 buf[1] = 6; 3299 buf[2] = hisaddr >> 24; 3300 buf[3] = hisaddr >> 16; 3301 buf[4] = hisaddr >> 8; 3302 buf[5] = hisaddr; 3303 rlen = 6; 3304 if (debug) 3305 addlog(" still need hisaddr"); 3306 } 3307 3308 if (rlen) { 3309 if (debug) 3310 addlog(" send conf-nak\n"); 3311 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3312 } else { 3313 if (debug) 3314 addlog(" send conf-ack\n"); 3315 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1); 3316 } 3317 3318 end: 3319 free(buf, M_TEMP); 3320 return (rlen == 0); 3321 3322 drop: 3323 free(buf, M_TEMP); 3324 return -1; 3325 } 3326 3327 /* 3328 * Analyze the IPCP Configure-Reject option list, and adjust our 3329 * negotiation. 3330 */ 3331 static void 3332 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3333 { 3334 u_char *buf, *p, l, blen; 3335 struct ifnet *ifp = &sp->pp_if; 3336 int debug = ifp->if_flags & IFF_DEBUG; 3337 3338 KASSERT(SPPP_WLOCKED(sp)); 3339 3340 len -= 4; 3341 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3342 if (!buf) 3343 return; 3344 3345 if (debug) 3346 log(LOG_DEBUG, "%s: ipcp rej opts:", 3347 ifp->if_xname); 3348 3349 p = (void *)(h + 1); 3350 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3351 /* Sanity check option length */ 3352 if (l > len) { 3353 /* XXX should we just RXJ? */ 3354 addlog("%s: malicious IPCP option received, dropping\n", 3355 ifp->if_xname); 3356 goto drop; 3357 } 3358 if (debug) 3359 addlog(" %s", sppp_ipcp_opt_name(*p)); 3360 switch (*p) { 3361 case IPCP_OPT_ADDRESS: 3362 /* 3363 * Peer doesn't grok address option. This is 3364 * bad. XXX Should we better give up here? 3365 */ 3366 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3367 break; 3368 #ifdef notyet 3369 case IPCP_OPT_COMPRESS: 3370 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS); 3371 break; 3372 #endif 3373 } 3374 } 3375 if (debug) 3376 addlog("\n"); 3377 drop: 3378 free(buf, M_TEMP); 3379 return; 3380 } 3381 3382 /* 3383 * Analyze the IPCP Configure-NAK option list, and adjust our 3384 * negotiation. 3385 */ 3386 static void 3387 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3388 { 3389 u_char *p, l; 3390 struct ifnet *ifp = &sp->pp_if; 3391 int debug = ifp->if_flags & IFF_DEBUG; 3392 uint32_t wantaddr; 3393 3394 KASSERT(SPPP_WLOCKED(sp)); 3395 3396 len -= 4; 3397 3398 if (debug) 3399 log(LOG_DEBUG, "%s: ipcp nak opts:", 3400 ifp->if_xname); 3401 3402 p = (void *)(h + 1); 3403 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3404 /* Sanity check option length */ 3405 if (l > len) { 3406 /* XXX should we just RXJ? */ 3407 addlog("%s: malicious IPCP option received, dropping\n", 3408 ifp->if_xname); 3409 return; 3410 } 3411 if (debug) 3412 addlog(" %s", sppp_ipcp_opt_name(*p)); 3413 switch (*p) { 3414 case IPCP_OPT_ADDRESS: 3415 /* 3416 * Peer doesn't like our local IP address. See 3417 * if we can do something for him. We'll drop 3418 * him our address then. 3419 */ 3420 if (len >= 6 && l == 6) { 3421 wantaddr = p[2] << 24 | p[3] << 16 | 3422 p[4] << 8 | p[5]; 3423 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3424 if (debug) 3425 addlog(" [wantaddr %s]", 3426 sppp_dotted_quad(wantaddr)); 3427 /* 3428 * When doing dynamic address assignment, 3429 * we accept his offer. Otherwise, we 3430 * ignore it and thus continue to negotiate 3431 * our already existing value. 3432 */ 3433 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3434 if (debug) 3435 addlog(" [agree]"); 3436 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3437 sp->ipcp.req_myaddr = wantaddr; 3438 } 3439 } 3440 break; 3441 3442 case IPCP_OPT_PRIMDNS: 3443 if (len >= 6 && l == 6) { 3444 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 3445 p[4] << 8 | p[5]; 3446 } 3447 break; 3448 3449 case IPCP_OPT_SECDNS: 3450 if (len >= 6 && l == 6) { 3451 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 3452 p[4] << 8 | p[5]; 3453 } 3454 break; 3455 #ifdef notyet 3456 case IPCP_OPT_COMPRESS: 3457 /* 3458 * Peer wants different compression parameters. 3459 */ 3460 break; 3461 #endif 3462 } 3463 } 3464 if (debug) 3465 addlog("\n"); 3466 } 3467 3468 static void 3469 sppp_ipcp_tlu(struct sppp *sp) 3470 { 3471 #ifdef INET 3472 KASSERT(SPPP_WLOCKED(sp)); 3473 /* we are up. Set addresses and notify anyone interested */ 3474 sppp_set_ip_addrs(sp); 3475 #endif 3476 } 3477 3478 static void 3479 sppp_ipcp_tld(struct sppp *sp) 3480 { 3481 3482 KASSERT(SPPP_WLOCKED(sp)); 3483 } 3484 3485 static void 3486 sppp_ipcp_tls(struct sppp *sp) 3487 { 3488 3489 KASSERT(SPPP_WLOCKED(sp)); 3490 /* indicate to LCP that it must stay alive */ 3491 sp->lcp.protos |= (1 << IDX_IPCP); 3492 } 3493 3494 static void 3495 sppp_ipcp_tlf(struct sppp *sp) 3496 { 3497 3498 KASSERT(SPPP_WLOCKED(sp)); 3499 3500 /* we no longer need LCP */ 3501 sp->lcp.protos &= ~(1 << IDX_IPCP); 3502 } 3503 3504 static void 3505 sppp_ipcp_scr(struct sppp *sp) 3506 { 3507 uint8_t opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 3508 #ifdef INET 3509 uint32_t ouraddr; 3510 #endif 3511 int i = 0; 3512 3513 KASSERT(SPPP_WLOCKED(sp)); 3514 3515 #ifdef notyet 3516 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3517 opt[i++] = IPCP_OPT_COMPRESSION; 3518 opt[i++] = 6; 3519 opt[i++] = 0; /* VJ header compression */ 3520 opt[i++] = 0x2d; /* VJ header compression */ 3521 opt[i++] = max_slot_id; 3522 opt[i++] = comp_slot_id; 3523 } 3524 #endif 3525 3526 #ifdef INET 3527 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3528 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) 3529 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 3530 else 3531 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3532 opt[i++] = IPCP_OPT_ADDRESS; 3533 opt[i++] = 6; 3534 opt[i++] = ouraddr >> 24; 3535 opt[i++] = ouraddr >> 16; 3536 opt[i++] = ouraddr >> 8; 3537 opt[i++] = ouraddr; 3538 } 3539 #endif 3540 3541 if (sp->query_dns & 1) { 3542 opt[i++] = IPCP_OPT_PRIMDNS; 3543 opt[i++] = 6; 3544 opt[i++] = sp->dns_addrs[0] >> 24; 3545 opt[i++] = sp->dns_addrs[0] >> 16; 3546 opt[i++] = sp->dns_addrs[0] >> 8; 3547 opt[i++] = sp->dns_addrs[0]; 3548 } 3549 if (sp->query_dns & 2) { 3550 opt[i++] = IPCP_OPT_SECDNS; 3551 opt[i++] = 6; 3552 opt[i++] = sp->dns_addrs[1] >> 24; 3553 opt[i++] = sp->dns_addrs[1] >> 16; 3554 opt[i++] = sp->dns_addrs[1] >> 8; 3555 opt[i++] = sp->dns_addrs[1]; 3556 } 3557 3558 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3559 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3560 } 3561 3562 3563 /* 3564 *--------------------------------------------------------------------------* 3565 * * 3566 * The IPv6CP implementation. * 3567 * * 3568 *--------------------------------------------------------------------------* 3569 */ 3570 3571 #ifdef INET6 3572 static void 3573 sppp_ipv6cp_init(struct sppp *sp) 3574 { 3575 3576 KASSERT(SPPP_WLOCKED(sp)); 3577 3578 sp->ipv6cp.opts = 0; 3579 sp->ipv6cp.flags = 0; 3580 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3581 sp->fail_counter[IDX_IPV6CP] = 0; 3582 sp->pp_seq[IDX_IPV6CP] = 0; 3583 sp->pp_rseq[IDX_IPV6CP] = 0; 3584 callout_init(&sp->ch[IDX_IPV6CP], CALLOUT_MPSAFE); 3585 } 3586 3587 static void 3588 sppp_ipv6cp_up(struct sppp *sp) 3589 { 3590 3591 KASSERT(SPPP_WLOCKED(sp)); 3592 sppp_up_event(&ipv6cp, sp); 3593 } 3594 3595 static void 3596 sppp_ipv6cp_down(struct sppp *sp) 3597 { 3598 3599 KASSERT(SPPP_WLOCKED(sp)); 3600 sppp_down_event(&ipv6cp, sp); 3601 } 3602 3603 static void 3604 sppp_ipv6cp_open(struct sppp *sp) 3605 { 3606 STDDCL; 3607 struct in6_addr myaddr, hisaddr; 3608 3609 KASSERT(SPPP_WLOCKED(sp)); 3610 3611 #ifdef IPV6CP_MYIFID_DYN 3612 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3613 #else 3614 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3615 #endif 3616 3617 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3618 /* 3619 * If we don't have our address, this probably means our 3620 * interface doesn't want to talk IPv6 at all. (This could 3621 * be the case if somebody wants to speak only IPX, for 3622 * example.) Don't open IPv6CP in this case. 3623 */ 3624 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3625 /* XXX this message should go away */ 3626 if (debug) 3627 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 3628 ifp->if_xname); 3629 return; 3630 } 3631 3632 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3633 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3634 sppp_open_event(&ipv6cp, sp); 3635 } 3636 3637 static void 3638 sppp_ipv6cp_close(struct sppp *sp) 3639 { 3640 3641 KASSERT(SPPP_WLOCKED(sp)); 3642 sppp_close_event(&ipv6cp, sp); 3643 } 3644 3645 static void 3646 sppp_ipv6cp_TO(void *cookie) 3647 { 3648 struct sppp *sp = cookie; 3649 3650 SPPP_LOCK(sp, RW_WRITER); 3651 sppp_to_event(&ipv6cp, sp); 3652 SPPP_UNLOCK(sp); 3653 } 3654 3655 /* 3656 * Analyze a configure request. Return true if it was agreeable, and 3657 * caused action sca, false if it has been rejected or nak'ed, and 3658 * caused action scn. (The return value is used to make the state 3659 * transition decision in the state automaton.) 3660 */ 3661 static int 3662 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3663 { 3664 u_char *buf, *r, *p, l, blen; 3665 struct ifnet *ifp = &sp->pp_if; 3666 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3667 struct in6_addr myaddr, desiredaddr, suggestaddr; 3668 int ifidcount; 3669 int type; 3670 int collision, nohisaddr; 3671 char ip6buf[INET6_ADDRSTRLEN]; 3672 3673 KASSERT(SPPP_WLOCKED(sp)); 3674 3675 len -= 4; 3676 origlen = len; 3677 /* 3678 * Make sure to allocate a buf that can at least hold a 3679 * conf-nak with an `address' option. We might need it below. 3680 */ 3681 blen = len < 6 ? 6 : len; 3682 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3683 if (! buf) 3684 return (0); 3685 3686 /* pass 1: see if we can recognize them */ 3687 if (debug) 3688 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 3689 ifp->if_xname); 3690 p = (void *)(h + 1); 3691 ifidcount = 0; 3692 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3693 /* Sanity check option length */ 3694 if (l > len) { 3695 /* XXX just RXJ? */ 3696 addlog("%s: received malicious IPCPv6 option, " 3697 "dropping\n", ifp->if_xname); 3698 goto drop; 3699 } 3700 if (debug) 3701 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3702 switch (*p) { 3703 case IPV6CP_OPT_IFID: 3704 if (len >= 10 && l == 10 && ifidcount == 0) { 3705 /* correctly formed address option */ 3706 ifidcount++; 3707 continue; 3708 } 3709 if (debug) 3710 addlog(" [invalid]"); 3711 break; 3712 #ifdef notyet 3713 case IPV6CP_OPT_COMPRESSION: 3714 if (len >= 4 && l >= 4) { 3715 /* correctly formed compress option */ 3716 continue; 3717 } 3718 if (debug) 3719 addlog(" [invalid]"); 3720 break; 3721 #endif 3722 default: 3723 /* Others not supported. */ 3724 if (debug) 3725 addlog(" [rej]"); 3726 break; 3727 } 3728 if (rlen + l > blen) { 3729 if (debug) 3730 addlog(" [overflow]"); 3731 continue; 3732 } 3733 /* Add the option to rejected list. */ 3734 memcpy(r, p, l); 3735 r += l; 3736 rlen += l; 3737 } 3738 if (rlen) { 3739 if (debug) 3740 addlog(" send conf-rej\n"); 3741 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3742 goto end; 3743 } else if (debug) 3744 addlog("\n"); 3745 3746 /* pass 2: parse option values */ 3747 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3748 if (debug) 3749 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 3750 ifp->if_xname); 3751 p = (void *)(h + 1); 3752 len = origlen; 3753 type = CONF_ACK; 3754 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3755 if (debug) 3756 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3757 switch (*p) { 3758 #ifdef notyet 3759 case IPV6CP_OPT_COMPRESSION: 3760 continue; 3761 #endif 3762 case IPV6CP_OPT_IFID: 3763 memset(&desiredaddr, 0, sizeof(desiredaddr)); 3764 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 3765 collision = (memcmp(&desiredaddr.s6_addr[8], 3766 &myaddr.s6_addr[8], 8) == 0); 3767 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3768 3769 desiredaddr.s6_addr16[0] = htons(0xfe80); 3770 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 3771 3772 if (!collision && !nohisaddr) { 3773 /* no collision, hisaddr known - Conf-Ack */ 3774 type = CONF_ACK; 3775 3776 if (debug) { 3777 addlog(" %s [%s]", 3778 IN6_PRINT(ip6buf, &desiredaddr), 3779 sppp_cp_type_name(type)); 3780 } 3781 continue; 3782 } 3783 3784 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3785 if (collision && nohisaddr) { 3786 /* collision, hisaddr unknown - Conf-Rej */ 3787 type = CONF_REJ; 3788 memset(&p[2], 0, 8); 3789 } else { 3790 /* 3791 * - no collision, hisaddr unknown, or 3792 * - collision, hisaddr known 3793 * Conf-Nak, suggest hisaddr 3794 */ 3795 type = CONF_NAK; 3796 sppp_suggest_ip6_addr(sp, &suggestaddr); 3797 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 3798 } 3799 if (debug) 3800 addlog(" %s [%s]", IN6_PRINT(ip6buf, &desiredaddr), 3801 sppp_cp_type_name(type)); 3802 break; 3803 } 3804 if (rlen + l > blen) { 3805 if (debug) 3806 addlog(" [overflow]"); 3807 continue; 3808 } 3809 /* Add the option to nak'ed list. */ 3810 memcpy(r, p, l); 3811 r += l; 3812 rlen += l; 3813 } 3814 3815 if (rlen == 0 && type == CONF_ACK) { 3816 if (debug) 3817 addlog(" send %s\n", sppp_cp_type_name(type)); 3818 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1); 3819 } else { 3820 #ifdef notdef 3821 if (type == CONF_ACK) 3822 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3823 #endif 3824 3825 if (debug) { 3826 addlog(" send %s suggest %s\n", 3827 sppp_cp_type_name(type), IN6_PRINT(ip6buf, &suggestaddr)); 3828 } 3829 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3830 } 3831 3832 end: 3833 free(buf, M_TEMP); 3834 return (rlen == 0); 3835 3836 drop: 3837 free(buf, M_TEMP); 3838 return -1; 3839 } 3840 3841 /* 3842 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3843 * negotiation. 3844 */ 3845 static void 3846 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3847 { 3848 u_char *buf, *p, l, blen; 3849 struct ifnet *ifp = &sp->pp_if; 3850 int debug = ifp->if_flags & IFF_DEBUG; 3851 3852 KASSERT(SPPP_WLOCKED(sp)); 3853 3854 len -= 4; 3855 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3856 if (!buf) 3857 return; 3858 3859 if (debug) 3860 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 3861 ifp->if_xname); 3862 3863 p = (void *)(h + 1); 3864 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3865 if (l > len) { 3866 /* XXX just RXJ? */ 3867 addlog("%s: received malicious IPCPv6 option, " 3868 "dropping\n", ifp->if_xname); 3869 goto drop; 3870 } 3871 if (debug) 3872 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3873 switch (*p) { 3874 case IPV6CP_OPT_IFID: 3875 /* 3876 * Peer doesn't grok address option. This is 3877 * bad. XXX Should we better give up here? 3878 */ 3879 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3880 break; 3881 #ifdef notyet 3882 case IPV6CP_OPT_COMPRESS: 3883 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3884 break; 3885 #endif 3886 } 3887 } 3888 if (debug) 3889 addlog("\n"); 3890 drop: 3891 free(buf, M_TEMP); 3892 return; 3893 } 3894 3895 /* 3896 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3897 * negotiation. 3898 */ 3899 static void 3900 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3901 { 3902 u_char *buf, *p, l, blen; 3903 struct ifnet *ifp = &sp->pp_if; 3904 int debug = ifp->if_flags & IFF_DEBUG; 3905 struct in6_addr suggestaddr; 3906 char ip6buf[INET6_ADDRSTRLEN]; 3907 3908 KASSERT(SPPP_WLOCKED(sp)); 3909 3910 len -= 4; 3911 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3912 if (!buf) 3913 return; 3914 3915 if (debug) 3916 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 3917 ifp->if_xname); 3918 3919 p = (void *)(h + 1); 3920 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3921 if (l > len) { 3922 /* XXX just RXJ? */ 3923 addlog("%s: received malicious IPCPv6 option, " 3924 "dropping\n", ifp->if_xname); 3925 goto drop; 3926 } 3927 if (debug) 3928 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3929 switch (*p) { 3930 case IPV6CP_OPT_IFID: 3931 /* 3932 * Peer doesn't like our local ifid. See 3933 * if we can do something for him. We'll drop 3934 * him our address then. 3935 */ 3936 if (len < 10 || l != 10) 3937 break; 3938 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3939 suggestaddr.s6_addr16[0] = htons(0xfe80); 3940 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 3941 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 3942 3943 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3944 if (debug) 3945 addlog(" [suggestaddr %s]", 3946 IN6_PRINT(ip6buf, &suggestaddr)); 3947 #ifdef IPV6CP_MYIFID_DYN 3948 /* 3949 * When doing dynamic address assignment, 3950 * we accept his offer. 3951 */ 3952 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3953 struct in6_addr lastsuggest; 3954 /* 3955 * If <suggested myaddr from peer> equals to 3956 * <hisaddr we have suggested last time>, 3957 * we have a collision. generate new random 3958 * ifid. 3959 */ 3960 sppp_suggest_ip6_addr(&lastsuggest); 3961 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3962 lastsuggest)) { 3963 if (debug) 3964 addlog(" [random]"); 3965 sppp_gen_ip6_addr(sp, &suggestaddr); 3966 } 3967 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3968 if (debug) 3969 addlog(" [agree]"); 3970 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3971 } 3972 #else 3973 /* 3974 * Since we do not do dynamic address assignment, 3975 * we ignore it and thus continue to negotiate 3976 * our already existing value. This can possibly 3977 * go into infinite request-reject loop. 3978 * 3979 * This is not likely because we normally use 3980 * ifid based on MAC-address. 3981 * If you have no ethernet card on the node, too bad. 3982 * XXX should we use fail_counter? 3983 */ 3984 #endif 3985 break; 3986 #ifdef notyet 3987 case IPV6CP_OPT_COMPRESS: 3988 /* 3989 * Peer wants different compression parameters. 3990 */ 3991 break; 3992 #endif 3993 } 3994 } 3995 if (debug) 3996 addlog("\n"); 3997 drop: 3998 free(buf, M_TEMP); 3999 return; 4000 } 4001 4002 static void 4003 sppp_ipv6cp_tlu(struct sppp *sp) 4004 { 4005 4006 KASSERT(SPPP_WLOCKED(sp)); 4007 /* we are up - notify isdn daemon */ 4008 sppp_notify_con_wlocked(sp); 4009 } 4010 4011 static void 4012 sppp_ipv6cp_tld(struct sppp *sp) 4013 { 4014 4015 KASSERT(SPPP_WLOCKED(sp)); 4016 } 4017 4018 static void 4019 sppp_ipv6cp_tls(struct sppp *sp) 4020 { 4021 4022 KASSERT(SPPP_WLOCKED(sp)); 4023 /* indicate to LCP that it must stay alive */ 4024 sp->lcp.protos |= (1 << IDX_IPV6CP); 4025 } 4026 4027 static void 4028 sppp_ipv6cp_tlf(struct sppp *sp) 4029 { 4030 4031 KASSERT(SPPP_WLOCKED(sp)); 4032 /* we no longer need LCP */ 4033 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 4034 } 4035 4036 static void 4037 sppp_ipv6cp_scr(struct sppp *sp) 4038 { 4039 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 4040 struct in6_addr ouraddr; 4041 int i = 0; 4042 4043 KASSERT(SPPP_WLOCKED(sp)); 4044 4045 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 4046 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 4047 opt[i++] = IPV6CP_OPT_IFID; 4048 opt[i++] = 10; 4049 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 4050 i += 8; 4051 } 4052 4053 #ifdef notyet 4054 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 4055 opt[i++] = IPV6CP_OPT_COMPRESSION; 4056 opt[i++] = 4; 4057 opt[i++] = 0; /* TBD */ 4058 opt[i++] = 0; /* TBD */ 4059 /* variable length data may follow */ 4060 } 4061 #endif 4062 4063 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 4064 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 4065 } 4066 #else /*INET6*/ 4067 static void 4068 sppp_ipv6cp_init(struct sppp *sp) 4069 { 4070 4071 KASSERT(SPPP_WLOCKED(sp)); 4072 } 4073 4074 static void 4075 sppp_ipv6cp_up(struct sppp *sp) 4076 { 4077 4078 KASSERT(SPPP_WLOCKED(sp)); 4079 } 4080 4081 static void 4082 sppp_ipv6cp_down(struct sppp *sp) 4083 { 4084 4085 KASSERT(SPPP_WLOCKED(sp)); 4086 } 4087 4088 static void 4089 sppp_ipv6cp_open(struct sppp *sp) 4090 { 4091 4092 KASSERT(SPPP_WLOCKED(sp)); 4093 } 4094 4095 static void 4096 sppp_ipv6cp_close(struct sppp *sp) 4097 { 4098 4099 KASSERT(SPPP_WLOCKED(sp)); 4100 } 4101 4102 static void 4103 sppp_ipv6cp_TO(void *cookie) 4104 { 4105 struct sppp *sp __diagused = cookie; 4106 4107 KASSERT(SPPP_WLOCKED(sp)); 4108 } 4109 4110 static int 4111 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, 4112 int len) 4113 { 4114 4115 KASSERT(SPPP_WLOCKED(sp)); 4116 return 0; 4117 } 4118 4119 static void 4120 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, 4121 int len) 4122 { 4123 4124 KASSERT(SPPP_WLOCKED(sp)); 4125 } 4126 4127 static void 4128 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, 4129 int len) 4130 { 4131 4132 KASSERT(SPPP_WLOCKED(sp)); 4133 } 4134 4135 static void 4136 sppp_ipv6cp_tlu(struct sppp *sp) 4137 { 4138 4139 KASSERT(SPPP_WLOCKED(sp)); 4140 } 4141 4142 static void 4143 sppp_ipv6cp_tld(struct sppp *sp) 4144 { 4145 4146 KASSERT(SPPP_WLOCKED(sp)); 4147 } 4148 4149 static void 4150 sppp_ipv6cp_tls(struct sppp *sp) 4151 { 4152 4153 KASSERT(SPPP_WLOCKED(sp)); 4154 } 4155 4156 static void 4157 sppp_ipv6cp_tlf(struct sppp *sp) 4158 { 4159 4160 KASSERT(SPPP_WLOCKED(sp)); 4161 } 4162 4163 static void 4164 sppp_ipv6cp_scr(struct sppp *sp) 4165 { 4166 4167 KASSERT(SPPP_WLOCKED(sp)); 4168 } 4169 #endif /*INET6*/ 4170 4171 4172 /* 4173 *--------------------------------------------------------------------------* 4174 * * 4175 * The CHAP implementation. * 4176 * * 4177 *--------------------------------------------------------------------------* 4178 */ 4179 4180 /* 4181 * The authentication protocols don't employ a full-fledged state machine as 4182 * the control protocols do, since they do have Open and Close events, but 4183 * not Up and Down, nor are they explicitly terminated. Also, use of the 4184 * authentication protocols may be different in both directions (this makes 4185 * sense, think of a machine that never accepts incoming calls but only 4186 * calls out, it doesn't require the called party to authenticate itself). 4187 * 4188 * Our state machine for the local authentication protocol (we are requesting 4189 * the peer to authenticate) looks like: 4190 * 4191 * RCA- 4192 * +--------------------------------------------+ 4193 * V scn,tld| 4194 * +--------+ Close +---------+ RCA+ 4195 * | |<----------------------------------| |------+ 4196 * +--->| Closed | TO* | Opened | sca | 4197 * | | |-----+ +-------| |<-----+ 4198 * | +--------+ irc | | +---------+ 4199 * | ^ | | ^ 4200 * | | | | | 4201 * | | | | | 4202 * | TO-| | | | 4203 * | |tld TO+ V | | 4204 * | | +------->+ | | 4205 * | | | | | | 4206 * | +--------+ V | | 4207 * | | |<----+<--------------------+ | 4208 * | | Req- | scr | 4209 * | | Sent | | 4210 * | | | | 4211 * | +--------+ | 4212 * | RCA- | | RCA+ | 4213 * +------+ +------------------------------------------+ 4214 * scn,tld sca,irc,ict,tlu 4215 * 4216 * 4217 * with: 4218 * 4219 * Open: LCP reached authentication phase 4220 * Close: LCP reached terminate phase 4221 * 4222 * RCA+: received reply (pap-req, chap-response), acceptable 4223 * RCN: received reply (pap-req, chap-response), not acceptable 4224 * TO+: timeout with restart counter >= 0 4225 * TO-: timeout with restart counter < 0 4226 * TO*: reschedule timeout for CHAP 4227 * 4228 * scr: send request packet (none for PAP, chap-challenge) 4229 * sca: send ack packet (pap-ack, chap-success) 4230 * scn: send nak packet (pap-nak, chap-failure) 4231 * ict: initialize re-challenge timer (CHAP only) 4232 * 4233 * tlu: this-layer-up, LCP reaches network phase 4234 * tld: this-layer-down, LCP enters terminate phase 4235 * 4236 * Note that in CHAP mode, after sending a new challenge, while the state 4237 * automaton falls back into Req-Sent state, it doesn't signal a tld 4238 * event to LCP, so LCP remains in network phase. Only after not getting 4239 * any response (or after getting an unacceptable response), CHAP closes, 4240 * causing LCP to enter terminate phase. 4241 * 4242 * With PAP, there is no initial request that can be sent. The peer is 4243 * expected to send one based on the successful negotiation of PAP as 4244 * the authentication protocol during the LCP option negotiation. 4245 * 4246 * Incoming authentication protocol requests (remote requests 4247 * authentication, we are peer) don't employ a state machine at all, 4248 * they are simply answered. Some peers [Ascend P50 firmware rev 4249 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are 4250 * still in authentication phase (thereby violating the standard that 4251 * demands that these NCP packets are to be discarded), so we keep 4252 * track of the peer demanding us to authenticate, and only proceed to 4253 * phase network once we've seen a positive acknowledge for the 4254 * authentication. 4255 */ 4256 4257 /* 4258 * Handle incoming CHAP packets. 4259 */ 4260 void 4261 sppp_chap_input(struct sppp *sp, struct mbuf *m) 4262 { 4263 STDDCL; 4264 struct lcp_header *h; 4265 int len, x; 4266 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize; 4267 int value_len, name_len; 4268 MD5_CTX ctx; 4269 4270 len = m->m_pkthdr.len; 4271 if (len < 4) { 4272 if (debug) 4273 log(LOG_DEBUG, 4274 "%s: chap invalid packet length: %d bytes\n", 4275 ifp->if_xname, len); 4276 return; 4277 } 4278 h = mtod(m, struct lcp_header *); 4279 if (len > ntohs(h->len)) 4280 len = ntohs(h->len); 4281 4282 SPPP_LOCK(sp, RW_WRITER); 4283 4284 switch (h->type) { 4285 /* challenge, failure and success are his authproto */ 4286 case CHAP_CHALLENGE: 4287 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4288 /* can't do anything useful */ 4289 sp->pp_auth_failures++; 4290 printf("%s: chap input without my name and my secret being set\n", 4291 ifp->if_xname); 4292 break; 4293 } 4294 value = 1 + (u_char *)(h + 1); 4295 value_len = value[-1]; 4296 name = value + value_len; 4297 name_len = len - value_len - 5; 4298 if (name_len < 0) { 4299 if (debug) { 4300 log(LOG_DEBUG, 4301 "%s: chap corrupted challenge " 4302 "<%s id=0x%x len=%d", 4303 ifp->if_xname, 4304 sppp_auth_type_name(PPP_CHAP, h->type), 4305 h->ident, ntohs(h->len)); 4306 if (len > 4) 4307 sppp_print_bytes((u_char *)(h + 1), 4308 len - 4); 4309 addlog(">\n"); 4310 } 4311 break; 4312 } 4313 4314 if (debug) { 4315 log(LOG_DEBUG, 4316 "%s: chap input <%s id=0x%x len=%d name=", 4317 ifp->if_xname, 4318 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 4319 ntohs(h->len)); 4320 sppp_print_string((char *) name, name_len); 4321 addlog(" value-size=%d value=", value_len); 4322 sppp_print_bytes(value, value_len); 4323 addlog(">\n"); 4324 } 4325 4326 /* Compute reply value. */ 4327 MD5Init(&ctx); 4328 MD5Update(&ctx, &h->ident, 1); 4329 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 4330 MD5Update(&ctx, value, value_len); 4331 MD5Final(digest, &ctx); 4332 dsize = sizeof digest; 4333 4334 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 4335 sizeof dsize, (const char *)&dsize, 4336 sizeof digest, digest, 4337 sp->myauth.name_len, 4338 sp->myauth.name, 4339 0); 4340 break; 4341 4342 case CHAP_SUCCESS: 4343 if (debug) { 4344 log(LOG_DEBUG, "%s: chap success", 4345 ifp->if_xname); 4346 if (len > 4) { 4347 addlog(": "); 4348 sppp_print_string((char *)(h + 1), len - 4); 4349 } 4350 addlog("\n"); 4351 } 4352 x = splnet(); 4353 sp->pp_auth_failures = 0; 4354 sp->pp_flags &= ~PP_NEEDAUTH; 4355 if (sp->myauth.proto == PPP_CHAP && 4356 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4357 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 4358 /* 4359 * We are authenticator for CHAP but didn't 4360 * complete yet. Leave it to tlu to proceed 4361 * to network phase. 4362 */ 4363 splx(x); 4364 break; 4365 } 4366 splx(x); 4367 sppp_phase_network(sp); 4368 break; 4369 4370 case CHAP_FAILURE: 4371 x = splnet(); 4372 sp->pp_auth_failures++; 4373 splx(x); 4374 if (debug) { 4375 log(LOG_INFO, "%s: chap failure", 4376 ifp->if_xname); 4377 if (len > 4) { 4378 addlog(": "); 4379 sppp_print_string((char *)(h + 1), len - 4); 4380 } 4381 addlog("\n"); 4382 } else 4383 log(LOG_INFO, "%s: chap failure\n", 4384 ifp->if_xname); 4385 /* await LCP shutdown by authenticator */ 4386 break; 4387 4388 /* response is my authproto */ 4389 case CHAP_RESPONSE: 4390 if (sp->hisauth.secret == NULL) { 4391 /* can't do anything useful */ 4392 printf("%s: chap input without his secret being set\n", 4393 ifp->if_xname); 4394 break; 4395 } 4396 value = 1 + (u_char *)(h + 1); 4397 value_len = value[-1]; 4398 name = value + value_len; 4399 name_len = len - value_len - 5; 4400 if (name_len < 0) { 4401 if (debug) { 4402 log(LOG_DEBUG, 4403 "%s: chap corrupted response " 4404 "<%s id=0x%x len=%d", 4405 ifp->if_xname, 4406 sppp_auth_type_name(PPP_CHAP, h->type), 4407 h->ident, ntohs(h->len)); 4408 if (len > 4) 4409 sppp_print_bytes((u_char *)(h + 1), 4410 len - 4); 4411 addlog(">\n"); 4412 } 4413 break; 4414 } 4415 if (h->ident != sp->confid[IDX_CHAP]) { 4416 if (debug) 4417 log(LOG_DEBUG, 4418 "%s: chap dropping response for old ID " 4419 "(got %d, expected %d)\n", 4420 ifp->if_xname, 4421 h->ident, sp->confid[IDX_CHAP]); 4422 break; 4423 } 4424 if (sp->hisauth.name != NULL && 4425 (name_len != sp->hisauth.name_len 4426 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 4427 log(LOG_INFO, "%s: chap response, his name ", 4428 ifp->if_xname); 4429 sppp_print_string(name, name_len); 4430 addlog(" != expected "); 4431 sppp_print_string(sp->hisauth.name, 4432 sp->hisauth.name_len); 4433 addlog("\n"); 4434 goto chap_failure; 4435 } 4436 if (debug) { 4437 log(LOG_DEBUG, "%s: chap input(%s) " 4438 "<%s id=0x%x len=%d name=", 4439 ifp->if_xname, 4440 sppp_state_name(sp->state[IDX_CHAP]), 4441 sppp_auth_type_name(PPP_CHAP, h->type), 4442 h->ident, ntohs(h->len)); 4443 sppp_print_string((char *)name, name_len); 4444 addlog(" value-size=%d value=", value_len); 4445 sppp_print_bytes(value, value_len); 4446 addlog(">\n"); 4447 } 4448 if (value_len != sizeof(sp->hisauth.challenge)) { 4449 if (debug) 4450 log(LOG_DEBUG, 4451 "%s: chap bad hash value length: " 4452 "%d bytes, should be %zu\n", 4453 ifp->if_xname, value_len, 4454 sizeof(sp->hisauth.challenge)); 4455 goto chap_failure; 4456 } 4457 4458 MD5Init(&ctx); 4459 MD5Update(&ctx, &h->ident, 1); 4460 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 4461 MD5Update(&ctx, sp->hisauth.challenge, sizeof(sp->hisauth.challenge)); 4462 MD5Final(digest, &ctx); 4463 4464 #define FAILMSG "Failed..." 4465 #define SUCCMSG "Welcome!" 4466 4467 if (value_len != sizeof digest || 4468 memcmp(digest, value, value_len) != 0) { 4469 chap_failure: 4470 KASSERT(SPPP_WLOCKED(sp)); 4471 /* action scn, tld */ 4472 sp->pp_auth_failures++; 4473 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4474 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4475 0); 4476 chap.tld(sp); 4477 break; 4478 } 4479 sp->pp_auth_failures = 0; 4480 /* action sca, perhaps tlu */ 4481 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4482 sp->state[IDX_CHAP] == STATE_OPENED) 4483 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4484 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4485 0); 4486 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4487 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4488 chap.tlu(sp); 4489 } 4490 break; 4491 4492 default: 4493 /* Unknown CHAP packet type -- ignore. */ 4494 if (debug) { 4495 log(LOG_DEBUG, "%s: chap unknown input(%s) " 4496 "<0x%x id=0x%xh len=%d", 4497 ifp->if_xname, 4498 sppp_state_name(sp->state[IDX_CHAP]), 4499 h->type, h->ident, ntohs(h->len)); 4500 if (len > 4) 4501 sppp_print_bytes((u_char *)(h + 1), len - 4); 4502 addlog(">\n"); 4503 } 4504 break; 4505 4506 } 4507 4508 SPPP_UNLOCK(sp); 4509 } 4510 4511 static void 4512 sppp_chap_init(struct sppp *sp) 4513 { 4514 4515 KASSERT(SPPP_WLOCKED(sp)); 4516 4517 /* Chap doesn't have STATE_INITIAL at all. */ 4518 sp->state[IDX_CHAP] = STATE_CLOSED; 4519 sp->fail_counter[IDX_CHAP] = 0; 4520 sp->pp_seq[IDX_CHAP] = 0; 4521 sp->pp_rseq[IDX_CHAP] = 0; 4522 callout_init(&sp->ch[IDX_CHAP], CALLOUT_MPSAFE); 4523 } 4524 4525 static void 4526 sppp_chap_open(struct sppp *sp) 4527 { 4528 4529 KASSERT(SPPP_WLOCKED(sp)); 4530 if (sp->hisauth.proto == PPP_CHAP && 4531 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4532 /* we are authenticator for CHAP, start it */ 4533 chap.scr(sp); 4534 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4535 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4536 } 4537 /* nothing to be done if we are peer, await a challenge */ 4538 } 4539 4540 static void 4541 sppp_chap_close(struct sppp *sp) 4542 { 4543 4544 KASSERT(SPPP_WLOCKED(sp)); 4545 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4546 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4547 } 4548 4549 static void 4550 sppp_chap_TO(void *cookie) 4551 { 4552 struct sppp *sp = (struct sppp *)cookie; 4553 STDDCL; 4554 int s; 4555 4556 s = splnet(); 4557 4558 SPPP_LOCK(sp, RW_WRITER); 4559 4560 if (debug) 4561 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n", 4562 ifp->if_xname, 4563 sppp_state_name(sp->state[IDX_CHAP]), 4564 sp->rst_counter[IDX_CHAP]); 4565 4566 if (--sp->rst_counter[IDX_CHAP] < 0) 4567 /* TO- event */ 4568 switch (sp->state[IDX_CHAP]) { 4569 case STATE_REQ_SENT: 4570 chap.tld(sp); 4571 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4572 break; 4573 } 4574 else 4575 /* TO+ (or TO*) event */ 4576 switch (sp->state[IDX_CHAP]) { 4577 case STATE_OPENED: 4578 /* TO* event */ 4579 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4580 /* fall through */ 4581 case STATE_REQ_SENT: 4582 chap.scr(sp); 4583 /* sppp_cp_change_state() will restart the timer */ 4584 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4585 break; 4586 } 4587 4588 SPPP_UNLOCK(sp); 4589 splx(s); 4590 } 4591 4592 static void 4593 sppp_chap_tlu(struct sppp *sp) 4594 { 4595 STDDCL; 4596 int i, x; 4597 4598 KASSERT(SPPP_WLOCKED(sp)); 4599 4600 i = 0; 4601 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4602 4603 /* 4604 * Some broken CHAP implementations (Conware CoNet, firmware 4605 * 4.0.?) don't want to re-authenticate their CHAP once the 4606 * initial challenge-response exchange has taken place. 4607 * Provide for an option to avoid rechallenges. 4608 */ 4609 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 4610 /* 4611 * Compute the re-challenge timeout. This will yield 4612 * a number between 300 and 810 seconds. 4613 */ 4614 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7); 4615 4616 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp); 4617 } 4618 4619 if (debug) { 4620 log(LOG_DEBUG, 4621 "%s: chap %s, ", 4622 ifp->if_xname, 4623 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu"); 4624 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) 4625 addlog("next re-challenge in %d seconds\n", i); 4626 else 4627 addlog("re-challenging suppressed\n"); 4628 } 4629 4630 x = splnet(); 4631 sp->pp_auth_failures = 0; 4632 /* indicate to LCP that we need to be closed down */ 4633 sp->lcp.protos |= (1 << IDX_CHAP); 4634 4635 if (sp->pp_flags & PP_NEEDAUTH) { 4636 /* 4637 * Remote is authenticator, but his auth proto didn't 4638 * complete yet. Defer the transition to network 4639 * phase. 4640 */ 4641 splx(x); 4642 return; 4643 } 4644 splx(x); 4645 4646 /* 4647 * If we are already in phase network, we are done here. This 4648 * is the case if this is a dummy tlu event after a re-challenge. 4649 */ 4650 if (sp->pp_phase != SPPP_PHASE_NETWORK) 4651 sppp_phase_network(sp); 4652 } 4653 4654 static void 4655 sppp_chap_tld(struct sppp *sp) 4656 { 4657 STDDCL; 4658 4659 KASSERT(SPPP_WLOCKED(sp)); 4660 4661 if (debug) 4662 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname); 4663 callout_stop(&sp->ch[IDX_CHAP]); 4664 sp->lcp.protos &= ~(1 << IDX_CHAP); 4665 4666 lcp.Close(sp); 4667 } 4668 4669 static void 4670 sppp_chap_scr(struct sppp *sp) 4671 { 4672 uint32_t *ch; 4673 u_char clen = 4 * sizeof(uint32_t); 4674 4675 KASSERT(SPPP_WLOCKED(sp)); 4676 4677 if (sp->hisauth.name == NULL) { 4678 /* can't do anything useful */ 4679 printf("%s: chap starting without his name being set\n", 4680 sp->pp_if.if_xname); 4681 return; 4682 } 4683 4684 /* Compute random challenge. */ 4685 ch = (uint32_t *)sp->hisauth.challenge; 4686 cprng_strong(kern_cprng, ch, clen, 0); 4687 4688 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4689 4690 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4691 sizeof clen, (const char *)&clen, 4692 sizeof(sp->hisauth.challenge), sp->hisauth.challenge, 4693 0); 4694 } 4695 4696 /* 4697 *--------------------------------------------------------------------------* 4698 * * 4699 * The PAP implementation. * 4700 * * 4701 *--------------------------------------------------------------------------* 4702 */ 4703 /* 4704 * For PAP, we need to keep a little state also if we are the peer, not the 4705 * authenticator. This is since we don't get a request to authenticate, but 4706 * have to repeatedly authenticate ourself until we got a response (or the 4707 * retry counter is expired). 4708 */ 4709 4710 /* 4711 * Handle incoming PAP packets. */ 4712 static void 4713 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4714 { 4715 STDDCL; 4716 struct lcp_header *h; 4717 int len, x; 4718 u_char mlen; 4719 char *name, *secret; 4720 int name_len, secret_len; 4721 4722 /* 4723 * Malicious input might leave this uninitialized, so 4724 * init to an impossible value. 4725 */ 4726 secret_len = -1; 4727 4728 len = m->m_pkthdr.len; 4729 if (len < 5) { 4730 if (debug) 4731 log(LOG_DEBUG, 4732 "%s: pap invalid packet length: %d bytes\n", 4733 ifp->if_xname, len); 4734 return; 4735 } 4736 h = mtod(m, struct lcp_header *); 4737 if (len > ntohs(h->len)) 4738 len = ntohs(h->len); 4739 4740 SPPP_LOCK(sp, RW_WRITER); 4741 4742 switch (h->type) { 4743 /* PAP request is my authproto */ 4744 case PAP_REQ: 4745 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4746 /* can't do anything useful */ 4747 printf("%s: " 4748 "pap request without his name and his secret being set\n", 4749 ifp->if_xname); 4750 break; 4751 } 4752 name = 1 + (u_char *)(h + 1); 4753 name_len = name[-1]; 4754 secret = name + name_len + 1; 4755 if (name_len > len - 6 || 4756 (secret_len = secret[-1]) > len - 6 - name_len) { 4757 if (debug) { 4758 log(LOG_DEBUG, "%s: pap corrupted input " 4759 "<%s id=0x%x len=%d", 4760 ifp->if_xname, 4761 sppp_auth_type_name(PPP_PAP, h->type), 4762 h->ident, ntohs(h->len)); 4763 if (len > 4) 4764 sppp_print_bytes((u_char *)(h + 1), 4765 len - 4); 4766 addlog(">\n"); 4767 } 4768 break; 4769 } 4770 if (debug) { 4771 log(LOG_DEBUG, "%s: pap input(%s) " 4772 "<%s id=0x%x len=%d name=", 4773 ifp->if_xname, 4774 sppp_state_name(sp->state[IDX_PAP]), 4775 sppp_auth_type_name(PPP_PAP, h->type), 4776 h->ident, ntohs(h->len)); 4777 sppp_print_string((char *)name, name_len); 4778 addlog(" secret="); 4779 sppp_print_string((char *)secret, secret_len); 4780 addlog(">\n"); 4781 } 4782 if (name_len != sp->hisauth.name_len || 4783 secret_len != sp->hisauth.secret_len || 4784 memcmp(name, sp->hisauth.name, name_len) != 0 || 4785 memcmp(secret, sp->hisauth.secret, secret_len) != 0) { 4786 /* action scn, tld */ 4787 sp->pp_auth_failures++; 4788 mlen = sizeof(FAILMSG) - 1; 4789 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4790 sizeof mlen, (const char *)&mlen, 4791 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4792 0); 4793 pap.tld(sp); 4794 break; 4795 } 4796 /* action sca, perhaps tlu */ 4797 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4798 sp->state[IDX_PAP] == STATE_OPENED) { 4799 mlen = sizeof(SUCCMSG) - 1; 4800 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4801 sizeof mlen, (const char *)&mlen, 4802 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4803 0); 4804 } 4805 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4806 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4807 pap.tlu(sp); 4808 } 4809 break; 4810 4811 /* ack and nak are his authproto */ 4812 case PAP_ACK: 4813 callout_stop(&sp->pap_my_to_ch); 4814 if (debug) { 4815 log(LOG_DEBUG, "%s: pap success", 4816 ifp->if_xname); 4817 name = 1 + (u_char *)(h + 1); 4818 name_len = name[-1]; 4819 if (len > 5 && name_len < len+4) { 4820 addlog(": "); 4821 sppp_print_string(name, name_len); 4822 } 4823 addlog("\n"); 4824 } 4825 x = splnet(); 4826 sp->pp_auth_failures = 0; 4827 sp->pp_flags &= ~PP_NEEDAUTH; 4828 if (sp->myauth.proto == PPP_PAP && 4829 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4830 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4831 /* 4832 * We are authenticator for PAP but didn't 4833 * complete yet. Leave it to tlu to proceed 4834 * to network phase. 4835 */ 4836 splx(x); 4837 break; 4838 } 4839 splx(x); 4840 sppp_phase_network(sp); 4841 break; 4842 4843 case PAP_NAK: 4844 callout_stop(&sp->pap_my_to_ch); 4845 sp->pp_auth_failures++; 4846 if (debug) { 4847 log(LOG_INFO, "%s: pap failure", 4848 ifp->if_xname); 4849 name = 1 + (u_char *)(h + 1); 4850 name_len = name[-1]; 4851 if (len > 5 && name_len < len+4) { 4852 addlog(": "); 4853 sppp_print_string(name, name_len); 4854 } 4855 addlog("\n"); 4856 } else 4857 log(LOG_INFO, "%s: pap failure\n", 4858 ifp->if_xname); 4859 /* await LCP shutdown by authenticator */ 4860 break; 4861 4862 default: 4863 /* Unknown PAP packet type -- ignore. */ 4864 if (debug) { 4865 log(LOG_DEBUG, "%s: pap corrupted input " 4866 "<0x%x id=0x%x len=%d", 4867 ifp->if_xname, 4868 h->type, h->ident, ntohs(h->len)); 4869 if (len > 4) 4870 sppp_print_bytes((u_char *)(h + 1), len - 4); 4871 addlog(">\n"); 4872 } 4873 break; 4874 } 4875 4876 SPPP_UNLOCK(sp); 4877 } 4878 4879 static void 4880 sppp_pap_init(struct sppp *sp) 4881 { 4882 4883 KASSERT(SPPP_WLOCKED(sp)); 4884 4885 /* PAP doesn't have STATE_INITIAL at all. */ 4886 sp->state[IDX_PAP] = STATE_CLOSED; 4887 sp->fail_counter[IDX_PAP] = 0; 4888 sp->pp_seq[IDX_PAP] = 0; 4889 sp->pp_rseq[IDX_PAP] = 0; 4890 callout_init(&sp->ch[IDX_PAP], CALLOUT_MPSAFE); 4891 callout_init(&sp->pap_my_to_ch, CALLOUT_MPSAFE); 4892 } 4893 4894 static void 4895 sppp_pap_open(struct sppp *sp) 4896 { 4897 4898 KASSERT(SPPP_WLOCKED(sp)); 4899 4900 if (sp->hisauth.proto == PPP_PAP && 4901 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4902 /* we are authenticator for PAP, start our timer */ 4903 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4904 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4905 } 4906 if (sp->myauth.proto == PPP_PAP) { 4907 /* we are peer, send a request, and start a timer */ 4908 pap.scr(sp); 4909 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout, 4910 sppp_pap_my_TO, sp); 4911 } 4912 } 4913 4914 static void 4915 sppp_pap_close(struct sppp *sp) 4916 { 4917 4918 KASSERT(SPPP_WLOCKED(sp)); 4919 4920 if (sp->state[IDX_PAP] != STATE_CLOSED) 4921 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4922 } 4923 4924 /* 4925 * That's the timeout routine if we are authenticator. Since the 4926 * authenticator is basically passive in PAP, we can't do much here. 4927 */ 4928 static void 4929 sppp_pap_TO(void *cookie) 4930 { 4931 struct sppp *sp = (struct sppp *)cookie; 4932 STDDCL; 4933 int s; 4934 4935 s = splnet(); 4936 SPPP_LOCK(sp, RW_WRITER); 4937 4938 if (debug) 4939 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n", 4940 ifp->if_xname, 4941 sppp_state_name(sp->state[IDX_PAP]), 4942 sp->rst_counter[IDX_PAP]); 4943 4944 if (--sp->rst_counter[IDX_PAP] < 0) 4945 /* TO- event */ 4946 switch (sp->state[IDX_PAP]) { 4947 case STATE_REQ_SENT: 4948 pap.tld(sp); 4949 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4950 break; 4951 } 4952 else 4953 /* TO+ event, not very much we could do */ 4954 switch (sp->state[IDX_PAP]) { 4955 case STATE_REQ_SENT: 4956 /* sppp_cp_change_state() will restart the timer */ 4957 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4958 break; 4959 } 4960 4961 SPPP_UNLOCK(sp); 4962 splx(s); 4963 } 4964 4965 /* 4966 * That's the timeout handler if we are peer. Since the peer is active, 4967 * we need to retransmit our PAP request since it is apparently lost. 4968 * XXX We should impose a max counter. 4969 */ 4970 static void 4971 sppp_pap_my_TO(void *cookie) 4972 { 4973 struct sppp *sp = (struct sppp *)cookie; 4974 STDDCL; 4975 4976 SPPP_LOCK(sp, RW_WRITER); 4977 if (debug) 4978 log(LOG_DEBUG, "%s: pap peer TO\n", 4979 ifp->if_xname); 4980 4981 pap.scr(sp); 4982 4983 SPPP_UNLOCK(sp); 4984 } 4985 4986 static void 4987 sppp_pap_tlu(struct sppp *sp) 4988 { 4989 STDDCL; 4990 int x; 4991 4992 KASSERT(SPPP_WLOCKED(sp)); 4993 4994 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4995 4996 if (debug) 4997 log(LOG_DEBUG, "%s: %s tlu\n", 4998 ifp->if_xname, pap.name); 4999 5000 x = splnet(); 5001 sp->pp_auth_failures = 0; 5002 /* indicate to LCP that we need to be closed down */ 5003 sp->lcp.protos |= (1 << IDX_PAP); 5004 5005 if (sp->pp_flags & PP_NEEDAUTH) { 5006 /* 5007 * Remote is authenticator, but his auth proto didn't 5008 * complete yet. Defer the transition to network 5009 * phase. 5010 */ 5011 splx(x); 5012 return; 5013 } 5014 splx(x); 5015 sppp_phase_network(sp); 5016 } 5017 5018 static void 5019 sppp_pap_tld(struct sppp *sp) 5020 { 5021 STDDCL; 5022 5023 KASSERT(SPPP_WLOCKED(sp)); 5024 5025 if (debug) 5026 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname); 5027 callout_stop(&sp->ch[IDX_PAP]); 5028 callout_stop(&sp->pap_my_to_ch); 5029 sp->lcp.protos &= ~(1 << IDX_PAP); 5030 5031 lcp.Close(sp); 5032 } 5033 5034 static void 5035 sppp_pap_scr(struct sppp *sp) 5036 { 5037 u_char idlen, pwdlen; 5038 5039 KASSERT(SPPP_WLOCKED(sp)); 5040 5041 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 5042 /* can't do anything useful */ 5043 printf("%s: pap starting without my name and secret being set\n", 5044 sp->pp_if.if_xname); 5045 return; 5046 } 5047 5048 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 5049 pwdlen = sp->myauth.secret_len; 5050 idlen = sp->myauth.name_len; 5051 5052 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 5053 sizeof idlen, (const char *)&idlen, 5054 idlen, sp->myauth.name, 5055 sizeof pwdlen, (const char *)&pwdlen, 5056 pwdlen, sp->myauth.secret, 5057 0); 5058 } 5059 5060 /* 5061 * Random miscellaneous functions. 5062 */ 5063 5064 /* 5065 * Send a PAP or CHAP proto packet. 5066 * 5067 * Varadic function, each of the elements for the ellipsis is of type 5068 * ``size_t mlen, const u_char *msg''. Processing will stop iff 5069 * mlen == 0. 5070 * NOTE: never declare variadic functions with types subject to type 5071 * promotion (i.e. u_char). This is asking for big trouble depending 5072 * on the architecture you are on... 5073 */ 5074 5075 static void 5076 sppp_auth_send(const struct cp *cp, struct sppp *sp, 5077 unsigned int type, unsigned int id, 5078 ...) 5079 { 5080 STDDCL; 5081 struct lcp_header *lh; 5082 struct mbuf *m; 5083 u_char *p; 5084 int len; 5085 size_t pkthdrlen; 5086 unsigned int mlen; 5087 const char *msg; 5088 va_list ap; 5089 5090 KASSERT(SPPP_WLOCKED(sp)); 5091 5092 MGETHDR(m, M_DONTWAIT, MT_DATA); 5093 if (! m) 5094 return; 5095 m_reset_rcvif(m); 5096 5097 if (sp->pp_flags & PP_NOFRAMING) { 5098 *mtod(m, uint16_t *) = htons(cp->proto); 5099 pkthdrlen = 2; 5100 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 5101 } else { 5102 struct ppp_header *h; 5103 h = mtod(m, struct ppp_header *); 5104 h->address = PPP_ALLSTATIONS; /* broadcast address */ 5105 h->control = PPP_UI; /* Unnumbered Info */ 5106 h->protocol = htons(cp->proto); 5107 pkthdrlen = PPP_HEADER_LEN; 5108 5109 lh = (struct lcp_header *)(h + 1); 5110 } 5111 5112 lh->type = type; 5113 lh->ident = id; 5114 p = (u_char *)(lh + 1); 5115 5116 va_start(ap, id); 5117 len = 0; 5118 5119 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 5120 msg = va_arg(ap, const char *); 5121 len += mlen; 5122 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 5123 va_end(ap); 5124 m_freem(m); 5125 return; 5126 } 5127 5128 memcpy(p, msg, mlen); 5129 p += mlen; 5130 } 5131 va_end(ap); 5132 5133 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 5134 lh->len = htons(LCP_HEADER_LEN + len); 5135 5136 if (debug) { 5137 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 5138 ifp->if_xname, cp->name, 5139 sppp_auth_type_name(cp->proto, lh->type), 5140 lh->ident, ntohs(lh->len)); 5141 if (len) 5142 sppp_print_bytes((u_char *)(lh + 1), len); 5143 addlog(">\n"); 5144 } 5145 if (IF_QFULL(&sp->pp_cpq)) { 5146 IF_DROP(&sp->pp_fastq); 5147 IF_DROP(&ifp->if_snd); 5148 m_freem(m); 5149 if_statinc(ifp, if_oerrors); 5150 return; 5151 } 5152 5153 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 5154 IF_ENQUEUE(&sp->pp_cpq, m); 5155 5156 if (! (ifp->if_flags & IFF_OACTIVE)) { 5157 SPPP_UNLOCK(sp); 5158 if_start_lock(ifp); 5159 SPPP_LOCK(sp, RW_WRITER); 5160 } 5161 } 5162 5163 /* 5164 * Send keepalive packets, every 10 seconds. 5165 */ 5166 static void 5167 sppp_keepalive(void *dummy) 5168 { 5169 struct sppp *sp; 5170 int s; 5171 time_t now; 5172 5173 SPPPQ_LOCK(); 5174 5175 s = splnet(); 5176 now = time_uptime; 5177 for (sp=spppq; sp; sp=sp->pp_next) { 5178 struct ifnet *ifp = NULL; 5179 5180 SPPP_LOCK(sp, RW_WRITER); 5181 ifp = &sp->pp_if; 5182 5183 /* check idle timeout */ 5184 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 5185 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 5186 /* idle timeout is enabled for this interface */ 5187 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 5188 if (ifp->if_flags & IFF_DEBUG) 5189 printf("%s: no activity for %lu seconds\n", 5190 sp->pp_if.if_xname, 5191 (unsigned long)(now-sp->pp_last_activity)); 5192 lcp.Close(sp); 5193 SPPP_UNLOCK(sp); 5194 continue; 5195 } 5196 } 5197 5198 /* Keepalive mode disabled or channel down? */ 5199 if (! (sp->pp_flags & PP_KEEPALIVE) || 5200 ! (ifp->if_flags & IFF_RUNNING)) { 5201 SPPP_UNLOCK(sp); 5202 continue; 5203 } 5204 5205 5206 /* No keepalive in PPP mode if LCP not opened yet. */ 5207 if (! (sp->pp_flags & PP_CISCO) && 5208 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) { 5209 SPPP_UNLOCK(sp); 5210 continue; 5211 } 5212 5213 /* No echo reply, but maybe user data passed through? */ 5214 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) { 5215 sp->pp_alivecnt = 0; 5216 SPPP_UNLOCK(sp); 5217 continue; 5218 } 5219 5220 if (sp->pp_alivecnt >= sp->pp_maxalive) { 5221 /* No keepalive packets got. Stop the interface. */ 5222 SPPP_UNLOCK(sp); 5223 if_down (ifp); 5224 SPPP_LOCK(sp, RW_WRITER); 5225 5226 IF_PURGE(&sp->pp_cpq); 5227 5228 if (! (sp->pp_flags & PP_CISCO)) { 5229 printf("%s: LCP keepalive timed out, going to restart the connection\n", 5230 ifp->if_xname); 5231 sp->pp_alivecnt = 0; 5232 5233 /* we are down, close all open protocols */ 5234 lcp.Close(sp); 5235 5236 /* And now prepare LCP to reestablish the link, if configured to do so. */ 5237 sppp_cp_change_state(&lcp, sp, STATE_STOPPED); 5238 5239 /* Close connection immediately, completition of this 5240 * will summon the magic needed to reestablish it. */ 5241 sppp_notify_tlf_wlocked(sp); 5242 5243 SPPP_UNLOCK(sp); 5244 continue; 5245 } 5246 } 5247 if (sp->pp_alivecnt < sp->pp_maxalive) 5248 ++sp->pp_alivecnt; 5249 if (sp->pp_flags & PP_CISCO) 5250 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 5251 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 5252 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 5253 int32_t nmagic = htonl(sp->lcp.magic); 5254 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 5255 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 5256 sp->lcp.echoid, 4, &nmagic); 5257 } 5258 5259 SPPP_UNLOCK(sp); 5260 } 5261 splx(s); 5262 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 5263 5264 SPPPQ_UNLOCK(); 5265 } 5266 5267 #ifdef INET 5268 /* 5269 * Get both IP addresses. 5270 */ 5271 static void 5272 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 5273 { 5274 struct ifnet *ifp = &sp->pp_if; 5275 struct ifaddr *ifa; 5276 struct sockaddr_in *si, *sm; 5277 uint32_t ssrc, ddst; 5278 int s; 5279 struct psref psref; 5280 5281 sm = NULL; 5282 ssrc = ddst = 0; 5283 /* 5284 * Pick the first AF_INET address from the list, 5285 * aliases don't make any sense on a p2p link anyway. 5286 */ 5287 si = 0; 5288 s = pserialize_read_enter(); 5289 IFADDR_READER_FOREACH(ifa, ifp) { 5290 if (ifa->ifa_addr->sa_family == AF_INET) { 5291 si = (struct sockaddr_in *)ifa->ifa_addr; 5292 sm = (struct sockaddr_in *)ifa->ifa_netmask; 5293 if (si) { 5294 ifa_acquire(ifa, &psref); 5295 break; 5296 } 5297 } 5298 } 5299 pserialize_read_exit(s); 5300 if (ifa) { 5301 if (si && si->sin_addr.s_addr) { 5302 ssrc = si->sin_addr.s_addr; 5303 if (srcmask) 5304 *srcmask = ntohl(sm->sin_addr.s_addr); 5305 } 5306 5307 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 5308 if (si && si->sin_addr.s_addr) 5309 ddst = si->sin_addr.s_addr; 5310 ifa_release(ifa, &psref); 5311 } 5312 5313 if (dst) *dst = ntohl(ddst); 5314 if (src) *src = ntohl(ssrc); 5315 } 5316 5317 /* 5318 * Set IP addresses. Must be called at splnet. 5319 * If an address is 0, leave it the way it is. 5320 */ 5321 static void 5322 sppp_set_ip_addrs_work(struct work *wk, struct sppp *sp) 5323 { 5324 STDDCL; 5325 struct ifaddr *ifa; 5326 struct sockaddr_in *si, *dest; 5327 uint32_t myaddr = 0, hisaddr = 0; 5328 int s; 5329 5330 IFNET_LOCK(ifp); 5331 5332 /* 5333 * Pick the first AF_INET address from the list, 5334 * aliases don't make any sense on a p2p link anyway. 5335 */ 5336 si = dest = NULL; 5337 s = pserialize_read_enter(); 5338 IFADDR_READER_FOREACH(ifa, ifp) { 5339 if (ifa->ifa_addr->sa_family == AF_INET) { 5340 si = (struct sockaddr_in *)ifa->ifa_addr; 5341 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5342 break; 5343 } 5344 } 5345 pserialize_read_exit(s); 5346 5347 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 5348 myaddr = sp->ipcp.req_myaddr; 5349 else if (si != NULL) 5350 myaddr = ntohl(si->sin_addr.s_addr); 5351 5352 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 5353 hisaddr = sp->ipcp.req_hisaddr; 5354 else if (dest != NULL) 5355 hisaddr = ntohl(dest->sin_addr.s_addr); 5356 5357 if (si != NULL && dest != NULL) { 5358 int error; 5359 struct sockaddr_in new_sin = *si; 5360 struct sockaddr_in new_dst = *dest; 5361 5362 if (myaddr != 0) 5363 new_sin.sin_addr.s_addr = htonl(myaddr); 5364 if (hisaddr != 0) { 5365 new_dst.sin_addr.s_addr = htonl(hisaddr); 5366 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) 5367 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 5368 } 5369 5370 in_addrhash_remove(ifatoia(ifa)); 5371 5372 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5373 5374 in_addrhash_insert(ifatoia(ifa)); 5375 5376 if (debug && error) 5377 { 5378 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5379 ifp->if_xname, __func__, error); 5380 } 5381 if (!error) { 5382 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5383 } 5384 } 5385 5386 if (ifp->if_mtu > sp->lcp.their_mru) { 5387 sp->pp_saved_mtu = ifp->if_mtu; 5388 ifp->if_mtu = sp->lcp.their_mru; 5389 if (debug) 5390 log(LOG_DEBUG, 5391 "%s: setting MTU to %" PRIu64 " bytes\n", 5392 ifp->if_xname, ifp->if_mtu); 5393 } 5394 5395 IFNET_UNLOCK(ifp); 5396 5397 sppp_notify_con(sp); 5398 } 5399 5400 static void 5401 sppp_set_ip_addrs(struct sppp *sp) 5402 { 5403 struct ifnet *ifp = &sp->pp_if; 5404 5405 if (!pcq_put(sp->ipcp.update_addrs_q, (void *)IPCP_SET_ADDRS)) { 5406 log(LOG_WARNING, "%s: cannot enqueued, ignore sppp_clear_ip_addrs\n", 5407 ifp->if_xname); 5408 return; 5409 } 5410 5411 if (atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1) == 1) 5412 return; 5413 5414 workqueue_enqueue(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk, NULL); 5415 } 5416 5417 /* 5418 * Clear IP addresses. Must be called at splnet. 5419 */ 5420 static void 5421 sppp_clear_ip_addrs_work(struct work *wk, struct sppp *sp) 5422 { 5423 STDDCL; 5424 struct ifaddr *ifa; 5425 struct sockaddr_in *si, *dest; 5426 int s; 5427 5428 IFNET_LOCK(ifp); 5429 5430 /* 5431 * Pick the first AF_INET address from the list, 5432 * aliases don't make any sense on a p2p link anyway. 5433 */ 5434 si = dest = NULL; 5435 s = pserialize_read_enter(); 5436 IFADDR_READER_FOREACH(ifa, ifp) { 5437 if (ifa->ifa_addr->sa_family == AF_INET) { 5438 si = (struct sockaddr_in *)ifa->ifa_addr; 5439 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5440 break; 5441 } 5442 } 5443 pserialize_read_exit(s); 5444 5445 if (si != NULL) { 5446 struct sockaddr_in new_sin = *si; 5447 struct sockaddr_in new_dst = *dest; 5448 int error; 5449 5450 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 5451 new_sin.sin_addr.s_addr = 0; 5452 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 5453 new_dst.sin_addr.s_addr = sp->ipcp.saved_hisaddr; 5454 5455 in_addrhash_remove(ifatoia(ifa)); 5456 5457 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5458 5459 in_addrhash_insert(ifatoia(ifa)); 5460 5461 if (debug && error) 5462 { 5463 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5464 ifp->if_xname, __func__, error); 5465 } 5466 if (!error) { 5467 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5468 } 5469 } 5470 5471 if (sp->pp_saved_mtu > 0) { 5472 ifp->if_mtu = sp->pp_saved_mtu; 5473 sp->pp_saved_mtu = 0; 5474 if (debug) 5475 log(LOG_DEBUG, 5476 "%s: resetting MTU to %" PRIu64 " bytes\n", 5477 ifp->if_xname, ifp->if_mtu); 5478 } 5479 5480 IFNET_UNLOCK(ifp); 5481 } 5482 5483 static void 5484 sppp_clear_ip_addrs(struct sppp *sp) 5485 { 5486 struct ifnet *ifp = &sp->pp_if; 5487 5488 if (!pcq_put(sp->ipcp.update_addrs_q, (void *)IPCP_CLEAR_ADDRS)) { 5489 log(LOG_WARNING, "%s: cannot enqueued, ignore sppp_clear_ip_addrs\n", 5490 ifp->if_xname); 5491 return; 5492 } 5493 5494 if (atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1) == 1) 5495 return; 5496 5497 workqueue_enqueue(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk, NULL); 5498 } 5499 5500 static void 5501 sppp_update_ip_addrs_work(struct work *wk, void *arg) 5502 { 5503 struct sppp *sp = arg; 5504 void *work; 5505 5506 atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 0); 5507 5508 while ((work = pcq_get(sp->ipcp.update_addrs_q)) != NULL) { 5509 int update = (intptr_t)work; 5510 5511 if (update == IPCP_SET_ADDRS) 5512 sppp_set_ip_addrs_work(wk, sp); 5513 else if (update == IPCP_CLEAR_ADDRS) 5514 sppp_clear_ip_addrs_work(wk, sp); 5515 } 5516 } 5517 #endif 5518 5519 #ifdef INET6 5520 /* 5521 * Get both IPv6 addresses. 5522 */ 5523 static void 5524 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 5525 struct in6_addr *srcmask) 5526 { 5527 struct ifnet *ifp = &sp->pp_if; 5528 struct ifaddr *ifa; 5529 struct sockaddr_in6 *si, *sm; 5530 struct in6_addr ssrc, ddst; 5531 int s; 5532 struct psref psref; 5533 5534 sm = NULL; 5535 memset(&ssrc, 0, sizeof(ssrc)); 5536 memset(&ddst, 0, sizeof(ddst)); 5537 /* 5538 * Pick the first link-local AF_INET6 address from the list, 5539 * aliases don't make any sense on a p2p link anyway. 5540 */ 5541 si = 0; 5542 s = pserialize_read_enter(); 5543 IFADDR_READER_FOREACH(ifa, ifp) { 5544 if (ifa->ifa_addr->sa_family == AF_INET6) { 5545 si = (struct sockaddr_in6 *)ifa->ifa_addr; 5546 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 5547 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) { 5548 ifa_acquire(ifa, &psref); 5549 break; 5550 } 5551 } 5552 } 5553 pserialize_read_exit(s); 5554 5555 if (ifa) { 5556 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 5557 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 5558 if (srcmask) { 5559 memcpy(srcmask, &sm->sin6_addr, 5560 sizeof(*srcmask)); 5561 } 5562 } 5563 5564 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 5565 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 5566 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 5567 ifa_release(ifa, &psref); 5568 } 5569 5570 if (dst) 5571 memcpy(dst, &ddst, sizeof(*dst)); 5572 if (src) 5573 memcpy(src, &ssrc, sizeof(*src)); 5574 } 5575 5576 #ifdef IPV6CP_MYIFID_DYN 5577 /* 5578 * Generate random ifid. 5579 */ 5580 static void 5581 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5582 { 5583 /* TBD */ 5584 } 5585 5586 /* 5587 * Set my IPv6 address. Must be called at splnet. 5588 */ 5589 static void 5590 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5591 { 5592 STDDCL; 5593 struct ifaddr *ifa; 5594 struct sockaddr_in6 *sin6; 5595 int s; 5596 struct psref psref; 5597 5598 IFNET_LOCK(ifp); 5599 5600 /* 5601 * Pick the first link-local AF_INET6 address from the list, 5602 * aliases don't make any sense on a p2p link anyway. 5603 */ 5604 5605 sin6 = NULL; 5606 s = pserialize_read_enter(); 5607 IFADDR_READER_FOREACH(ifa, ifp) 5608 { 5609 if (ifa->ifa_addr->sa_family == AF_INET6) 5610 { 5611 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5612 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) { 5613 ifa_acquire(ifa, &psref); 5614 break; 5615 } 5616 } 5617 } 5618 pserialize_read_exit(s); 5619 5620 if (ifa && sin6) 5621 { 5622 int error; 5623 struct sockaddr_in6 new_sin6 = *sin6; 5624 5625 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 5626 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5627 if (debug && error) 5628 { 5629 log(LOG_DEBUG, "%s: %s: in6_ifinit failed, error=%d\n", 5630 ifp->if_xname, __func__, error); 5631 } 5632 if (!error) { 5633 pfil_run_addrhooks(if_pfil, SIOCAIFADDR_IN6, ifa); 5634 } 5635 ifa_release(ifa, &psref); 5636 } 5637 5638 IFNET_UNLOCK(ifp); 5639 } 5640 #endif 5641 5642 /* 5643 * Suggest a candidate address to be used by peer. 5644 */ 5645 static void 5646 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5647 { 5648 struct in6_addr myaddr; 5649 struct timeval tv; 5650 5651 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5652 5653 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5654 microtime(&tv); 5655 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5656 myaddr.s6_addr[14] ^= 0xff; 5657 myaddr.s6_addr[15] ^= 0xff; 5658 } else { 5659 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5660 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5661 } 5662 if (suggest) 5663 memcpy(suggest, &myaddr, sizeof(myaddr)); 5664 } 5665 #endif /*INET6*/ 5666 5667 /* 5668 * Process ioctl requests specific to the PPP interface. 5669 * Permissions have already been checked. 5670 */ 5671 static int 5672 sppp_params(struct sppp *sp, u_long cmd, void *data) 5673 { 5674 switch (cmd) { 5675 case SPPPGETAUTHCFG: 5676 { 5677 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5678 int error; 5679 size_t len; 5680 5681 SPPP_LOCK(sp, RW_READER); 5682 5683 cfg->myauthflags = sp->myauth.flags; 5684 cfg->hisauthflags = sp->hisauth.flags; 5685 strlcpy(cfg->ifname, sp->pp_if.if_xname, sizeof(cfg->ifname)); 5686 cfg->hisauth = 0; 5687 if (sp->hisauth.proto) 5688 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5689 cfg->myauth = 0; 5690 if (sp->myauth.proto) 5691 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5692 if (cfg->myname_length == 0) { 5693 if (sp->myauth.name != NULL) 5694 cfg->myname_length = sp->myauth.name_len + 1; 5695 } else { 5696 if (sp->myauth.name == NULL) { 5697 cfg->myname_length = 0; 5698 } else { 5699 len = sp->myauth.name_len + 1; 5700 5701 5702 if (cfg->myname_length < len) { 5703 SPPP_UNLOCK(sp); 5704 return (ENAMETOOLONG); 5705 } 5706 error = copyout(sp->myauth.name, cfg->myname, len); 5707 if (error) { 5708 SPPP_UNLOCK(sp); 5709 return error; 5710 } 5711 } 5712 } 5713 if (cfg->hisname_length == 0) { 5714 if (sp->hisauth.name != NULL) 5715 cfg->hisname_length = sp->hisauth.name_len + 1; 5716 } else { 5717 if (sp->hisauth.name == NULL) { 5718 cfg->hisname_length = 0; 5719 } else { 5720 len = sp->hisauth.name_len + 1; 5721 5722 if (cfg->hisname_length < len) { 5723 SPPP_UNLOCK(sp); 5724 return (ENAMETOOLONG); 5725 } 5726 error = copyout(sp->hisauth.name, cfg->hisname, len); 5727 if (error) { 5728 SPPP_UNLOCK(sp); 5729 return error; 5730 } 5731 } 5732 } 5733 SPPP_UNLOCK(sp); 5734 } 5735 break; 5736 case SPPPSETAUTHCFG: 5737 { 5738 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5739 int error; 5740 5741 SPPP_LOCK(sp, RW_WRITER); 5742 5743 if (sp->myauth.name) { 5744 free(sp->myauth.name, M_DEVBUF); 5745 sp->myauth.name = NULL; 5746 } 5747 if (sp->myauth.secret) { 5748 free(sp->myauth.secret, M_DEVBUF); 5749 sp->myauth.secret = NULL; 5750 } 5751 if (sp->hisauth.name) { 5752 free(sp->hisauth.name, M_DEVBUF); 5753 sp->hisauth.name = NULL; 5754 } 5755 if (sp->hisauth.secret) { 5756 free(sp->hisauth.secret, M_DEVBUF); 5757 sp->hisauth.secret = NULL; 5758 } 5759 5760 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 5761 if (cfg->hisname_length >= MCLBYTES) { 5762 SPPP_UNLOCK(sp); 5763 return (ENAMETOOLONG); 5764 } 5765 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 5766 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 5767 if (error) { 5768 free(sp->hisauth.name, M_DEVBUF); 5769 sp->hisauth.name = NULL; 5770 SPPP_UNLOCK(sp); 5771 return error; 5772 } 5773 sp->hisauth.name_len = cfg->hisname_length - 1; 5774 sp->hisauth.name[sp->hisauth.name_len] = 0; 5775 } 5776 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 5777 if (cfg->hissecret_length >= MCLBYTES) { 5778 SPPP_UNLOCK(sp); 5779 return (ENAMETOOLONG); 5780 } 5781 sp->hisauth.secret = malloc(cfg->hissecret_length, 5782 M_DEVBUF, M_WAITOK); 5783 error = copyin(cfg->hissecret, sp->hisauth.secret, 5784 cfg->hissecret_length); 5785 if (error) { 5786 free(sp->hisauth.secret, M_DEVBUF); 5787 sp->hisauth.secret = NULL; 5788 SPPP_UNLOCK(sp); 5789 return error; 5790 } 5791 sp->hisauth.secret_len = cfg->hissecret_length - 1; 5792 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 5793 } 5794 if (cfg->myname != NULL && cfg->myname_length > 0) { 5795 if (cfg->myname_length >= MCLBYTES) { 5796 SPPP_UNLOCK(sp); 5797 return (ENAMETOOLONG); 5798 } 5799 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 5800 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 5801 if (error) { 5802 free(sp->myauth.name, M_DEVBUF); 5803 sp->myauth.name = NULL; 5804 SPPP_UNLOCK(sp); 5805 return error; 5806 } 5807 sp->myauth.name_len = cfg->myname_length - 1; 5808 sp->myauth.name[sp->myauth.name_len] = 0; 5809 } 5810 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 5811 if (cfg->mysecret_length >= MCLBYTES) { 5812 SPPP_UNLOCK(sp); 5813 return (ENAMETOOLONG); 5814 } 5815 sp->myauth.secret = malloc(cfg->mysecret_length, 5816 M_DEVBUF, M_WAITOK); 5817 error = copyin(cfg->mysecret, sp->myauth.secret, 5818 cfg->mysecret_length); 5819 if (error) { 5820 free(sp->myauth.secret, M_DEVBUF); 5821 sp->myauth.secret = NULL; 5822 SPPP_UNLOCK(sp); 5823 return error; 5824 } 5825 sp->myauth.secret_len = cfg->mysecret_length - 1; 5826 sp->myauth.secret[sp->myauth.secret_len] = 0; 5827 } 5828 sp->myauth.flags = cfg->myauthflags; 5829 if (cfg->myauth) 5830 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5831 sp->hisauth.flags = cfg->hisauthflags; 5832 if (cfg->hisauth) 5833 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5834 sp->pp_auth_failures = 0; 5835 if (sp->hisauth.proto != 0) 5836 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 5837 else 5838 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 5839 5840 SPPP_UNLOCK(sp); 5841 } 5842 break; 5843 case SPPPGETLCPCFG: 5844 { 5845 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5846 5847 SPPP_LOCK(sp, RW_READER); 5848 lcpp->lcp_timeout = sp->lcp.timeout; 5849 SPPP_UNLOCK(sp); 5850 } 5851 break; 5852 case SPPPSETLCPCFG: 5853 { 5854 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5855 5856 SPPP_LOCK(sp, RW_WRITER); 5857 sp->lcp.timeout = lcpp->lcp_timeout; 5858 SPPP_UNLOCK(sp); 5859 } 5860 break; 5861 case SPPPGETSTATUS: 5862 { 5863 struct spppstatus *status = (struct spppstatus *)data; 5864 5865 SPPP_LOCK(sp, RW_READER); 5866 status->phase = sp->pp_phase; 5867 SPPP_UNLOCK(sp); 5868 } 5869 break; 5870 case SPPPGETSTATUSNCP: 5871 { 5872 struct spppstatusncp *status = (struct spppstatusncp *)data; 5873 5874 SPPP_LOCK(sp, RW_READER); 5875 status->phase = sp->pp_phase; 5876 status->ncpup = sppp_ncp_check(sp); 5877 SPPP_UNLOCK(sp); 5878 } 5879 break; 5880 case SPPPGETIDLETO: 5881 { 5882 struct spppidletimeout *to = (struct spppidletimeout *)data; 5883 5884 SPPP_LOCK(sp, RW_READER); 5885 to->idle_seconds = sp->pp_idle_timeout; 5886 SPPP_UNLOCK(sp); 5887 } 5888 break; 5889 case SPPPSETIDLETO: 5890 { 5891 struct spppidletimeout *to = (struct spppidletimeout *)data; 5892 5893 SPPP_LOCK(sp, RW_WRITER); 5894 sp->pp_idle_timeout = to->idle_seconds; 5895 SPPP_UNLOCK(sp); 5896 } 5897 break; 5898 case SPPPSETAUTHFAILURE: 5899 { 5900 struct spppauthfailuresettings *afsettings = 5901 (struct spppauthfailuresettings *)data; 5902 5903 SPPP_LOCK(sp, RW_WRITER); 5904 sp->pp_max_auth_fail = afsettings->max_failures; 5905 sp->pp_auth_failures = 0; 5906 SPPP_UNLOCK(sp); 5907 } 5908 break; 5909 case SPPPGETAUTHFAILURES: 5910 { 5911 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 5912 5913 SPPP_LOCK(sp, RW_READER); 5914 stats->auth_failures = sp->pp_auth_failures; 5915 stats->max_failures = sp->pp_max_auth_fail; 5916 SPPP_UNLOCK(sp); 5917 } 5918 break; 5919 case SPPPSETDNSOPTS: 5920 { 5921 struct spppdnssettings *req = (struct spppdnssettings *)data; 5922 5923 SPPP_LOCK(sp, RW_WRITER); 5924 sp->query_dns = req->query_dns & 3; 5925 SPPP_UNLOCK(sp); 5926 } 5927 break; 5928 case SPPPGETDNSOPTS: 5929 { 5930 struct spppdnssettings *req = (struct spppdnssettings *)data; 5931 5932 SPPP_LOCK(sp, RW_READER); 5933 req->query_dns = sp->query_dns; 5934 SPPP_UNLOCK(sp); 5935 } 5936 break; 5937 case SPPPGETDNSADDRS: 5938 { 5939 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 5940 5941 SPPP_LOCK(sp, RW_READER); 5942 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 5943 SPPP_UNLOCK(sp); 5944 } 5945 break; 5946 case SPPPGETKEEPALIVE: 5947 { 5948 struct spppkeepalivesettings *settings = 5949 (struct spppkeepalivesettings*)data; 5950 5951 SPPP_LOCK(sp, RW_READER); 5952 settings->maxalive = sp->pp_maxalive; 5953 settings->max_noreceive = sp->pp_max_noreceive; 5954 SPPP_UNLOCK(sp); 5955 } 5956 break; 5957 case SPPPSETKEEPALIVE: 5958 { 5959 struct spppkeepalivesettings *settings = 5960 (struct spppkeepalivesettings*)data; 5961 5962 SPPP_LOCK(sp, RW_WRITER); 5963 sp->pp_maxalive = settings->maxalive; 5964 sp->pp_max_noreceive = settings->max_noreceive; 5965 SPPP_UNLOCK(sp); 5966 } 5967 break; 5968 default: 5969 { 5970 int ret; 5971 5972 MODULE_HOOK_CALL(sppp_params_50_hook, (sp, cmd, data), 5973 enosys(), ret); 5974 if (ret != ENOSYS) 5975 return ret; 5976 return (EINVAL); 5977 } 5978 } 5979 return (0); 5980 } 5981 5982 static void 5983 sppp_phase_network(struct sppp *sp) 5984 { 5985 int i; 5986 uint32_t mask; 5987 5988 KASSERT(SPPP_WLOCKED(sp)); 5989 5990 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 5991 5992 /* Notify NCPs now. */ 5993 for (i = 0; i < IDX_COUNT; i++) 5994 if ((cps[i])->flags & CP_NCP) 5995 (cps[i])->Open(sp); 5996 5997 /* Send Up events to all NCPs. */ 5998 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5999 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) { 6000 (cps[i])->Up(sp); 6001 } 6002 6003 /* if no NCP is starting, all this was in vain, close down */ 6004 sppp_lcp_check_and_close(sp); 6005 } 6006 6007 6008 static const char * 6009 sppp_cp_type_name(u_char type) 6010 { 6011 static char buf[12]; 6012 switch (type) { 6013 case CONF_REQ: return "conf-req"; 6014 case CONF_ACK: return "conf-ack"; 6015 case CONF_NAK: return "conf-nak"; 6016 case CONF_REJ: return "conf-rej"; 6017 case TERM_REQ: return "term-req"; 6018 case TERM_ACK: return "term-ack"; 6019 case CODE_REJ: return "code-rej"; 6020 case PROTO_REJ: return "proto-rej"; 6021 case ECHO_REQ: return "echo-req"; 6022 case ECHO_REPLY: return "echo-reply"; 6023 case DISC_REQ: return "discard-req"; 6024 } 6025 snprintf(buf, sizeof(buf), "0x%x", type); 6026 return buf; 6027 } 6028 6029 static const char * 6030 sppp_auth_type_name(u_short proto, u_char type) 6031 { 6032 static char buf[32]; 6033 const char *name; 6034 6035 switch (proto) { 6036 case PPP_CHAP: 6037 switch (type) { 6038 case CHAP_CHALLENGE: return "challenge"; 6039 case CHAP_RESPONSE: return "response"; 6040 case CHAP_SUCCESS: return "success"; 6041 case CHAP_FAILURE: return "failure"; 6042 default: name = "chap"; break; 6043 } 6044 break; 6045 6046 case PPP_PAP: 6047 switch (type) { 6048 case PAP_REQ: return "req"; 6049 case PAP_ACK: return "ack"; 6050 case PAP_NAK: return "nak"; 6051 default: name = "pap"; break; 6052 } 6053 break; 6054 6055 default: 6056 name = "bad"; 6057 break; 6058 } 6059 6060 snprintf(buf, sizeof(buf), "%s(%#x) %#x", name, proto, type); 6061 return buf; 6062 } 6063 6064 static const char * 6065 sppp_lcp_opt_name(u_char opt) 6066 { 6067 static char buf[12]; 6068 switch (opt) { 6069 case LCP_OPT_MRU: return "mru"; 6070 case LCP_OPT_ASYNC_MAP: return "async-map"; 6071 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 6072 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 6073 case LCP_OPT_MAGIC: return "magic"; 6074 case LCP_OPT_PROTO_COMP: return "proto-comp"; 6075 case LCP_OPT_ADDR_COMP: return "addr-comp"; 6076 case LCP_OPT_SELF_DESC_PAD: return "sdpad"; 6077 case LCP_OPT_CALL_BACK: return "callback"; 6078 case LCP_OPT_COMPOUND_FRMS: return "cmpd-frms"; 6079 case LCP_OPT_MP_MRRU: return "mrru"; 6080 case LCP_OPT_MP_SSNHF: return "mp-ssnhf"; 6081 case LCP_OPT_MP_EID: return "mp-eid"; 6082 } 6083 snprintf(buf, sizeof(buf), "0x%x", opt); 6084 return buf; 6085 } 6086 6087 static const char * 6088 sppp_ipcp_opt_name(u_char opt) 6089 { 6090 static char buf[12]; 6091 switch (opt) { 6092 case IPCP_OPT_ADDRESSES: return "addresses"; 6093 case IPCP_OPT_COMPRESSION: return "compression"; 6094 case IPCP_OPT_ADDRESS: return "address"; 6095 } 6096 snprintf(buf, sizeof(buf), "0x%x", opt); 6097 return buf; 6098 } 6099 6100 #ifdef INET6 6101 static const char * 6102 sppp_ipv6cp_opt_name(u_char opt) 6103 { 6104 static char buf[12]; 6105 switch (opt) { 6106 case IPV6CP_OPT_IFID: return "ifid"; 6107 case IPV6CP_OPT_COMPRESSION: return "compression"; 6108 } 6109 snprintf(buf, sizeof(buf), "0x%x", opt); 6110 return buf; 6111 } 6112 #endif 6113 6114 static const char * 6115 sppp_state_name(int state) 6116 { 6117 switch (state) { 6118 case STATE_INITIAL: return "initial"; 6119 case STATE_STARTING: return "starting"; 6120 case STATE_CLOSED: return "closed"; 6121 case STATE_STOPPED: return "stopped"; 6122 case STATE_CLOSING: return "closing"; 6123 case STATE_STOPPING: return "stopping"; 6124 case STATE_REQ_SENT: return "req-sent"; 6125 case STATE_ACK_RCVD: return "ack-rcvd"; 6126 case STATE_ACK_SENT: return "ack-sent"; 6127 case STATE_OPENED: return "opened"; 6128 } 6129 return "illegal"; 6130 } 6131 6132 static const char * 6133 sppp_phase_name(int phase) 6134 { 6135 switch (phase) { 6136 case SPPP_PHASE_DEAD: return "dead"; 6137 case SPPP_PHASE_ESTABLISH: return "establish"; 6138 case SPPP_PHASE_TERMINATE: return "terminate"; 6139 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 6140 case SPPP_PHASE_NETWORK: return "network"; 6141 } 6142 return "illegal"; 6143 } 6144 6145 static const char * 6146 sppp_proto_name(u_short proto) 6147 { 6148 static char buf[12]; 6149 switch (proto) { 6150 case PPP_LCP: return "lcp"; 6151 case PPP_IPCP: return "ipcp"; 6152 case PPP_PAP: return "pap"; 6153 case PPP_CHAP: return "chap"; 6154 case PPP_IPV6CP: return "ipv6cp"; 6155 } 6156 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto); 6157 return buf; 6158 } 6159 6160 static void 6161 sppp_print_bytes(const u_char *p, u_short len) 6162 { 6163 addlog(" %02x", *p++); 6164 while (--len > 0) 6165 addlog("-%02x", *p++); 6166 } 6167 6168 static void 6169 sppp_print_string(const char *p, u_short len) 6170 { 6171 u_char c; 6172 6173 while (len-- > 0) { 6174 c = *p++; 6175 /* 6176 * Print only ASCII chars directly. RFC 1994 recommends 6177 * using only them, but we don't rely on it. */ 6178 if (c < ' ' || c > '~') 6179 addlog("\\x%x", c); 6180 else 6181 addlog("%c", c); 6182 } 6183 } 6184 6185 static const char * 6186 sppp_dotted_quad(uint32_t addr) 6187 { 6188 static char s[16]; 6189 snprintf(s, sizeof(s), "%d.%d.%d.%d", 6190 (int)((addr >> 24) & 0xff), 6191 (int)((addr >> 16) & 0xff), 6192 (int)((addr >> 8) & 0xff), 6193 (int)(addr & 0xff)); 6194 return s; 6195 } 6196 6197 /* a dummy, used to drop uninteresting events */ 6198 static void 6199 sppp_null(struct sppp *unused) 6200 { 6201 /* do just nothing */ 6202 } 6203 /* 6204 * This file is large. Tell emacs to highlight it nevertheless. 6205 * 6206 * Local Variables: 6207 * hilit-auto-highlight-maxout: 120000 6208 * End: 6209 */ 6210 6211 /* 6212 * Module glue 6213 */ 6214 MODULE(MODULE_CLASS_MISC, sppp_subr, NULL); 6215 6216 static int 6217 sppp_subr_modcmd(modcmd_t cmd, void *arg) 6218 { 6219 switch (cmd) { 6220 case MODULE_CMD_INIT: 6221 case MODULE_CMD_FINI: 6222 return 0; 6223 case MODULE_CMD_STAT: 6224 case MODULE_CMD_AUTOUNLOAD: 6225 default: 6226 return ENOTTY; 6227 } 6228 } 6229 6230 static void 6231 sppp_notify_up(struct sppp *sp) 6232 { 6233 6234 SPPP_LOCK(sp, RW_WRITER); 6235 lcp.Up(sp); 6236 SPPP_UNLOCK(sp); 6237 } 6238 6239 static void 6240 sppp_notify_down(struct sppp *sp) 6241 { 6242 6243 SPPP_LOCK(sp, RW_WRITER); 6244 lcp.Down(sp); 6245 SPPP_UNLOCK(sp); 6246 } 6247 6248 static void 6249 sppp_notify_tls_wlocked(struct sppp *sp) 6250 { 6251 6252 KASSERT(SPPP_WLOCKED(sp)); 6253 6254 if (!sp->pp_tls) 6255 return; 6256 6257 SPPP_UNLOCK(sp); 6258 sp->pp_tls(sp); 6259 SPPP_LOCK(sp, RW_WRITER); 6260 } 6261 6262 static void 6263 sppp_notify_tlf_wlocked(struct sppp *sp) 6264 { 6265 6266 KASSERT(SPPP_WLOCKED(sp)); 6267 6268 if (!sp->pp_tlf) 6269 return; 6270 6271 SPPP_UNLOCK(sp); 6272 sp->pp_tlf(sp); 6273 SPPP_LOCK(sp, RW_WRITER); 6274 } 6275 6276 static void 6277 sppp_notify_con(struct sppp *sp) 6278 { 6279 6280 if (!sp->pp_con) 6281 return; 6282 6283 sp->pp_con(sp); 6284 } 6285 6286 #ifdef INET6 6287 static void 6288 sppp_notify_con_wlocked(struct sppp *sp) 6289 { 6290 6291 KASSERT(SPPP_WLOCKED(sp)); 6292 6293 SPPP_UNLOCK(sp); 6294 sppp_notify_con(sp); 6295 SPPP_LOCK(sp, RW_WRITER); 6296 6297 } 6298 #endif 6299 6300 static void 6301 sppp_notify_chg_wlocked(struct sppp *sp) 6302 { 6303 6304 KASSERT(SPPP_WLOCKED(sp)); 6305 6306 if (!sp->pp_chg) 6307 return; 6308 6309 SPPP_UNLOCK(sp); 6310 sp->pp_chg(sp, sp->pp_phase); 6311 SPPP_LOCK(sp, RW_WRITER); 6312 } 6313