1 /* $NetBSD: if_spppsubr.c,v 1.180 2018/03/30 13:29:19 mlelstv Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak@cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun@iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.180 2018/03/30 13:29:19 mlelstv Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_modular.h" 49 #include "opt_compat_netbsd.h" 50 #include "opt_net_mpsafe.h" 51 #endif 52 53 54 #include <sys/param.h> 55 #include <sys/proc.h> 56 #include <sys/systm.h> 57 #include <sys/kernel.h> 58 #include <sys/sockio.h> 59 #include <sys/socket.h> 60 #include <sys/syslog.h> 61 #include <sys/malloc.h> 62 #include <sys/mbuf.h> 63 #include <sys/callout.h> 64 #include <sys/md5.h> 65 #include <sys/inttypes.h> 66 #include <sys/kauth.h> 67 #include <sys/cprng.h> 68 #include <sys/module.h> 69 #include <sys/workqueue.h> 70 #include <sys/atomic.h> 71 72 #include <net/if.h> 73 #include <net/netisr.h> 74 #include <net/if_types.h> 75 #include <net/route.h> 76 #include <net/ppp_defs.h> 77 78 #include <netinet/in.h> 79 #include <netinet/in_systm.h> 80 #include <netinet/in_var.h> 81 #ifdef INET 82 #include <netinet/ip.h> 83 #include <netinet/tcp.h> 84 #endif 85 #include <net/ethertypes.h> 86 87 #ifdef INET6 88 #include <netinet6/scope6_var.h> 89 #endif 90 91 #include <net/if_sppp.h> 92 #include <net/if_spppvar.h> 93 94 #ifdef NET_MPSAFE 95 #define SPPPSUBR_MPSAFE 1 96 #endif 97 98 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 99 #define LOOPALIVECNT 3 /* loopback detection tries */ 100 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 101 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 102 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 103 104 /* 105 * Interface flags that can be set in an ifconfig command. 106 * 107 * Setting link0 will make the link passive, i.e. it will be marked 108 * as being administrative openable, but won't be opened to begin 109 * with. Incoming calls will be answered, or subsequent calls with 110 * -link1 will cause the administrative open of the LCP layer. 111 * 112 * Setting link1 will cause the link to auto-dial only as packets 113 * arrive to be sent. 114 * 115 * Setting IFF_DEBUG will syslog the option negotiation and state 116 * transitions at level kern.debug. Note: all logs consistently look 117 * like 118 * 119 * <if-name><unit>: <proto-name> <additional info...> 120 * 121 * with <if-name><unit> being something like "bppp0", and <proto-name> 122 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 123 */ 124 125 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 126 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 127 128 #define CONF_REQ 1 /* PPP configure request */ 129 #define CONF_ACK 2 /* PPP configure acknowledge */ 130 #define CONF_NAK 3 /* PPP configure negative ack */ 131 #define CONF_REJ 4 /* PPP configure reject */ 132 #define TERM_REQ 5 /* PPP terminate request */ 133 #define TERM_ACK 6 /* PPP terminate acknowledge */ 134 #define CODE_REJ 7 /* PPP code reject */ 135 #define PROTO_REJ 8 /* PPP protocol reject */ 136 #define ECHO_REQ 9 /* PPP echo request */ 137 #define ECHO_REPLY 10 /* PPP echo reply */ 138 #define DISC_REQ 11 /* PPP discard request */ 139 140 #define LCP_OPT_MRU 1 /* maximum receive unit */ 141 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 142 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 143 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 144 #define LCP_OPT_MAGIC 5 /* magic number */ 145 #define LCP_OPT_RESERVED 6 /* reserved */ 146 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 147 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 148 149 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 150 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 151 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 152 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 153 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 154 155 #define IPCP_UPDATE_LIMIT 8 /* limit of pending IP updating job */ 156 #define IPCP_SET_ADDRS 1 /* marker for IP address setting job */ 157 #define IPCP_CLEAR_ADDRS 2 /* marker for IP address clearing job */ 158 159 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 160 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 161 162 #define PAP_REQ 1 /* PAP name/password request */ 163 #define PAP_ACK 2 /* PAP acknowledge */ 164 #define PAP_NAK 3 /* PAP fail */ 165 166 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 167 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 168 #define CHAP_SUCCESS 3 /* CHAP response ok */ 169 #define CHAP_FAILURE 4 /* CHAP response failed */ 170 171 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 172 173 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 174 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 175 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 176 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 177 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 178 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 179 180 /* states are named and numbered according to RFC 1661 */ 181 #define STATE_INITIAL 0 182 #define STATE_STARTING 1 183 #define STATE_CLOSED 2 184 #define STATE_STOPPED 3 185 #define STATE_CLOSING 4 186 #define STATE_STOPPING 5 187 #define STATE_REQ_SENT 6 188 #define STATE_ACK_RCVD 7 189 #define STATE_ACK_SENT 8 190 #define STATE_OPENED 9 191 192 struct ppp_header { 193 uint8_t address; 194 uint8_t control; 195 uint16_t protocol; 196 } __packed; 197 #define PPP_HEADER_LEN sizeof (struct ppp_header) 198 199 struct lcp_header { 200 uint8_t type; 201 uint8_t ident; 202 uint16_t len; 203 } __packed; 204 #define LCP_HEADER_LEN sizeof (struct lcp_header) 205 206 struct cisco_packet { 207 uint32_t type; 208 uint32_t par1; 209 uint32_t par2; 210 uint16_t rel; 211 uint16_t time0; 212 uint16_t time1; 213 } __packed; 214 #define CISCO_PACKET_LEN 18 215 216 /* 217 * We follow the spelling and capitalization of RFC 1661 here, to make 218 * it easier comparing with the standard. Please refer to this RFC in 219 * case you can't make sense out of these abbreviation; it will also 220 * explain the semantics related to the various events and actions. 221 */ 222 struct cp { 223 u_short proto; /* PPP control protocol number */ 224 u_char protoidx; /* index into state table in struct sppp */ 225 u_char flags; 226 #define CP_LCP 0x01 /* this is the LCP */ 227 #define CP_AUTH 0x02 /* this is an authentication protocol */ 228 #define CP_NCP 0x04 /* this is a NCP */ 229 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 230 const char *name; /* name of this control protocol */ 231 /* event handlers */ 232 void (*Up)(struct sppp *sp); 233 void (*Down)(struct sppp *sp); 234 void (*Open)(struct sppp *sp); 235 void (*Close)(struct sppp *sp); 236 void (*TO)(void *sp); 237 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 238 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 239 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 240 /* actions */ 241 void (*tlu)(struct sppp *sp); 242 void (*tld)(struct sppp *sp); 243 void (*tls)(struct sppp *sp); 244 void (*tlf)(struct sppp *sp); 245 void (*scr)(struct sppp *sp); 246 }; 247 248 static struct sppp *spppq; 249 static kmutex_t *spppq_lock = NULL; 250 static callout_t keepalive_ch; 251 252 #define SPPPQ_LOCK() if (spppq_lock) \ 253 mutex_enter(spppq_lock); 254 #define SPPPQ_UNLOCK() if (spppq_lock) \ 255 mutex_exit(spppq_lock); 256 257 #define SPPP_LOCK(_sp, _op) rw_enter(&(_sp)->pp_lock, (_op)) 258 #define SPPP_UNLOCK(_sp) rw_exit(&(_sp)->pp_lock) 259 #define SPPP_WLOCKED(_sp) rw_write_held(&(_sp)->pp_lock) 260 #define SPPP_UPGRADE(_sp) do{ \ 261 SPPP_UNLOCK(_sp); \ 262 SPPP_LOCK(_sp, RW_WRITER); \ 263 }while (0) 264 #define SPPP_DOWNGRADE(_sp) rw_downgrade(&(_sp)->pp_lock) 265 266 #ifdef INET 267 #ifndef SPPPSUBR_MPSAFE 268 /* 269 * The following disgusting hack gets around the problem that IP TOS 270 * can't be set yet. We want to put "interactive" traffic on a high 271 * priority queue. To decide if traffic is interactive, we check that 272 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 273 * 274 * XXX is this really still necessary? - joerg - 275 */ 276 static u_short interactive_ports[8] = { 277 0, 513, 0, 0, 278 0, 21, 0, 23, 279 }; 280 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 281 #endif /* SPPPSUBR_MPSAFE */ 282 #endif 283 284 /* almost every function needs these */ 285 #define STDDCL \ 286 struct ifnet *ifp = &sp->pp_if; \ 287 int debug = ifp->if_flags & IFF_DEBUG 288 289 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 290 const struct sockaddr *dst, const struct rtentry *rt); 291 292 static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2); 293 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 294 295 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 296 struct mbuf *m); 297 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 298 u_char ident, u_short len, void *data); 299 /* static void sppp_cp_timeout(void *arg); */ 300 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 301 int newstate); 302 static void sppp_auth_send(const struct cp *cp, 303 struct sppp *sp, unsigned int type, unsigned int id, 304 ...); 305 306 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 307 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 308 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 309 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 310 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 311 312 static void sppp_null(struct sppp *sp); 313 314 static void sppp_lcp_init(struct sppp *sp); 315 static void sppp_lcp_up(struct sppp *sp); 316 static void sppp_lcp_down(struct sppp *sp); 317 static void sppp_lcp_open(struct sppp *sp); 318 static void sppp_lcp_close(struct sppp *sp); 319 static void sppp_lcp_TO(void *sp); 320 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 321 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 322 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 323 static void sppp_lcp_tlu(struct sppp *sp); 324 static void sppp_lcp_tld(struct sppp *sp); 325 static void sppp_lcp_tls(struct sppp *sp); 326 static void sppp_lcp_tlf(struct sppp *sp); 327 static void sppp_lcp_scr(struct sppp *sp); 328 static void sppp_lcp_check_and_close(struct sppp *sp); 329 static int sppp_ncp_check(struct sppp *sp); 330 331 static void sppp_ipcp_init(struct sppp *sp); 332 static void sppp_ipcp_up(struct sppp *sp); 333 static void sppp_ipcp_down(struct sppp *sp); 334 static void sppp_ipcp_open(struct sppp *sp); 335 static void sppp_ipcp_close(struct sppp *sp); 336 static void sppp_ipcp_TO(void *sp); 337 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 338 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 339 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 340 static void sppp_ipcp_tlu(struct sppp *sp); 341 static void sppp_ipcp_tld(struct sppp *sp); 342 static void sppp_ipcp_tls(struct sppp *sp); 343 static void sppp_ipcp_tlf(struct sppp *sp); 344 static void sppp_ipcp_scr(struct sppp *sp); 345 346 static void sppp_ipv6cp_init(struct sppp *sp); 347 static void sppp_ipv6cp_up(struct sppp *sp); 348 static void sppp_ipv6cp_down(struct sppp *sp); 349 static void sppp_ipv6cp_open(struct sppp *sp); 350 static void sppp_ipv6cp_close(struct sppp *sp); 351 static void sppp_ipv6cp_TO(void *sp); 352 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 353 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 354 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 355 static void sppp_ipv6cp_tlu(struct sppp *sp); 356 static void sppp_ipv6cp_tld(struct sppp *sp); 357 static void sppp_ipv6cp_tls(struct sppp *sp); 358 static void sppp_ipv6cp_tlf(struct sppp *sp); 359 static void sppp_ipv6cp_scr(struct sppp *sp); 360 361 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 362 static void sppp_pap_init(struct sppp *sp); 363 static void sppp_pap_open(struct sppp *sp); 364 static void sppp_pap_close(struct sppp *sp); 365 static void sppp_pap_TO(void *sp); 366 static void sppp_pap_my_TO(void *sp); 367 static void sppp_pap_tlu(struct sppp *sp); 368 static void sppp_pap_tld(struct sppp *sp); 369 static void sppp_pap_scr(struct sppp *sp); 370 371 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 372 static void sppp_chap_init(struct sppp *sp); 373 static void sppp_chap_open(struct sppp *sp); 374 static void sppp_chap_close(struct sppp *sp); 375 static void sppp_chap_TO(void *sp); 376 static void sppp_chap_tlu(struct sppp *sp); 377 static void sppp_chap_tld(struct sppp *sp); 378 static void sppp_chap_scr(struct sppp *sp); 379 380 static const char *sppp_auth_type_name(u_short proto, u_char type); 381 static const char *sppp_cp_type_name(u_char type); 382 static const char *sppp_dotted_quad(uint32_t addr); 383 static const char *sppp_ipcp_opt_name(u_char opt); 384 #ifdef INET6 385 static const char *sppp_ipv6cp_opt_name(u_char opt); 386 #endif 387 static const char *sppp_lcp_opt_name(u_char opt); 388 static const char *sppp_phase_name(int phase); 389 static const char *sppp_proto_name(u_short proto); 390 static const char *sppp_state_name(int state); 391 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 392 #ifdef INET 393 static void sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, 394 uint32_t *srcmask); 395 static void sppp_set_ip_addrs_work(struct work *wk, struct sppp *sp); 396 static void sppp_set_ip_addrs(struct sppp *sp); 397 static void sppp_clear_ip_addrs_work(struct work *wk, struct sppp *sp); 398 static void sppp_clear_ip_addrs(struct sppp *sp); 399 static void sppp_update_ip_addrs_work(struct work *wk, void *arg); 400 #endif 401 static void sppp_keepalive(void *dummy); 402 static void sppp_phase_network(struct sppp *sp); 403 static void sppp_print_bytes(const u_char *p, u_short len); 404 static void sppp_print_string(const char *p, u_short len); 405 #ifdef INET6 406 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 407 struct in6_addr *dst, struct in6_addr *srcmask); 408 #ifdef IPV6CP_MYIFID_DYN 409 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 410 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 411 #endif 412 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 413 #endif 414 415 static void sppp_notify_up(struct sppp *); 416 static void sppp_notify_down(struct sppp *); 417 static void sppp_notify_tls_wlocked(struct sppp *); 418 static void sppp_notify_tlf_wlocked(struct sppp *); 419 #ifdef INET6 420 static void sppp_notify_con_wlocked(struct sppp *); 421 #endif 422 static void sppp_notify_con(struct sppp *); 423 424 static void sppp_notify_chg_wlocked(struct sppp *); 425 426 427 /* our control protocol descriptors */ 428 static const struct cp lcp = { 429 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 430 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 431 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 432 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 433 sppp_lcp_scr 434 }; 435 436 static const struct cp ipcp = { 437 PPP_IPCP, IDX_IPCP, 438 #ifdef INET 439 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 440 #else 441 0, 442 #endif 443 "ipcp", 444 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 445 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 446 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 447 sppp_ipcp_scr 448 }; 449 450 static const struct cp ipv6cp = { 451 PPP_IPV6CP, IDX_IPV6CP, 452 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 453 CP_NCP, 454 #else 455 0, 456 #endif 457 "ipv6cp", 458 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 459 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 460 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 461 sppp_ipv6cp_scr 462 }; 463 464 static const struct cp pap = { 465 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 466 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 467 sppp_pap_TO, 0, 0, 0, 468 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 469 sppp_pap_scr 470 }; 471 472 static const struct cp chap = { 473 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 474 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 475 sppp_chap_TO, 0, 0, 0, 476 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 477 sppp_chap_scr 478 }; 479 480 static const struct cp *cps[IDX_COUNT] = { 481 &lcp, /* IDX_LCP */ 482 &ipcp, /* IDX_IPCP */ 483 &ipv6cp, /* IDX_IPV6CP */ 484 &pap, /* IDX_PAP */ 485 &chap, /* IDX_CHAP */ 486 }; 487 488 static void 489 sppp_change_phase(struct sppp *sp, int phase) 490 { 491 STDDCL; 492 493 KASSERT(SPPP_WLOCKED(sp)); 494 495 if (sp->pp_phase == phase) 496 return; 497 498 sp->pp_phase = phase; 499 500 if (phase == SPPP_PHASE_NETWORK) 501 if_link_state_change(ifp, LINK_STATE_UP); 502 else 503 if_link_state_change(ifp, LINK_STATE_DOWN); 504 505 if (debug) 506 { 507 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 508 sppp_phase_name(sp->pp_phase)); 509 } 510 } 511 512 /* 513 * Exported functions, comprising our interface to the lower layer. 514 */ 515 516 /* 517 * Process the received packet. 518 */ 519 void 520 sppp_input(struct ifnet *ifp, struct mbuf *m) 521 { 522 struct ppp_header *h = NULL; 523 pktqueue_t *pktq = NULL; 524 struct ifqueue *inq = NULL; 525 uint16_t protocol; 526 struct sppp *sp = (struct sppp *)ifp; 527 int debug = ifp->if_flags & IFF_DEBUG; 528 int isr = 0; 529 530 SPPP_LOCK(sp, RW_READER); 531 532 if (ifp->if_flags & IFF_UP) { 533 /* Count received bytes, add hardware framing */ 534 ifp->if_ibytes += m->m_pkthdr.len + sp->pp_framebytes; 535 /* Note time of last receive */ 536 sp->pp_last_receive = time_uptime; 537 } 538 539 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 540 /* Too small packet, drop it. */ 541 if (debug) 542 log(LOG_DEBUG, 543 "%s: input packet is too small, %d bytes\n", 544 ifp->if_xname, m->m_pkthdr.len); 545 drop: 546 ++ifp->if_ierrors; 547 ++ifp->if_iqdrops; 548 m_freem(m); 549 SPPP_UNLOCK(sp); 550 return; 551 } 552 553 if (sp->pp_flags & PP_NOFRAMING) { 554 memcpy(&protocol, mtod(m, void *), 2); 555 protocol = ntohs(protocol); 556 m_adj(m, 2); 557 } else { 558 559 /* Get PPP header. */ 560 h = mtod(m, struct ppp_header *); 561 m_adj(m, PPP_HEADER_LEN); 562 563 switch (h->address) { 564 case PPP_ALLSTATIONS: 565 if (h->control != PPP_UI) 566 goto invalid; 567 if (sp->pp_flags & PP_CISCO) { 568 if (debug) 569 log(LOG_DEBUG, 570 "%s: PPP packet in Cisco mode " 571 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 572 ifp->if_xname, 573 h->address, h->control, ntohs(h->protocol)); 574 goto drop; 575 } 576 break; 577 case CISCO_MULTICAST: 578 case CISCO_UNICAST: 579 /* Don't check the control field here (RFC 1547). */ 580 if (! (sp->pp_flags & PP_CISCO)) { 581 if (debug) 582 log(LOG_DEBUG, 583 "%s: Cisco packet in PPP mode " 584 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 585 ifp->if_xname, 586 h->address, h->control, ntohs(h->protocol)); 587 goto drop; 588 } 589 switch (ntohs(h->protocol)) { 590 default: 591 ++ifp->if_noproto; 592 goto invalid; 593 case CISCO_KEEPALIVE: 594 SPPP_UNLOCK(sp); 595 sppp_cisco_input((struct sppp *) ifp, m); 596 m_freem(m); 597 return; 598 #ifdef INET 599 case ETHERTYPE_IP: 600 pktq = ip_pktq; 601 break; 602 #endif 603 #ifdef INET6 604 case ETHERTYPE_IPV6: 605 pktq = ip6_pktq; 606 break; 607 #endif 608 } 609 goto queue_pkt; 610 default: /* Invalid PPP packet. */ 611 invalid: 612 if (debug) 613 log(LOG_DEBUG, 614 "%s: invalid input packet " 615 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 616 ifp->if_xname, 617 h->address, h->control, ntohs(h->protocol)); 618 goto drop; 619 } 620 protocol = ntohs(h->protocol); 621 } 622 623 switch (protocol) { 624 default: 625 if (sp->state[IDX_LCP] == STATE_OPENED) { 626 uint16_t prot = htons(protocol); 627 628 SPPP_UPGRADE(sp); 629 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 630 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 631 &prot); 632 SPPP_DOWNGRADE(sp); 633 } 634 if (debug) 635 log(LOG_DEBUG, 636 "%s: invalid input protocol " 637 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol)); 638 ++ifp->if_noproto; 639 goto drop; 640 case PPP_LCP: 641 SPPP_UNLOCK(sp); 642 sppp_cp_input(&lcp, sp, m); 643 m_freem(m); 644 return; 645 case PPP_PAP: 646 SPPP_UNLOCK(sp); 647 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 648 sppp_pap_input(sp, m); 649 } 650 m_freem(m); 651 return; 652 case PPP_CHAP: 653 SPPP_UNLOCK(sp); 654 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 655 sppp_chap_input(sp, m); 656 } 657 m_freem(m); 658 return; 659 #ifdef INET 660 case PPP_IPCP: 661 SPPP_UNLOCK(sp); 662 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 663 sppp_cp_input(&ipcp, sp, m); 664 } 665 m_freem(m); 666 return; 667 case PPP_IP: 668 if (sp->state[IDX_IPCP] == STATE_OPENED) { 669 sp->pp_last_activity = time_uptime; 670 pktq = ip_pktq; 671 } 672 break; 673 #endif 674 #ifdef INET6 675 case PPP_IPV6CP: 676 SPPP_UNLOCK(sp); 677 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 678 sppp_cp_input(&ipv6cp, sp, m); 679 } 680 m_freem(m); 681 return; 682 683 case PPP_IPV6: 684 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 685 sp->pp_last_activity = time_uptime; 686 pktq = ip6_pktq; 687 } 688 break; 689 #endif 690 } 691 692 queue_pkt: 693 if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) { 694 goto drop; 695 } 696 697 /* Check queue. */ 698 if (__predict_true(pktq)) { 699 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 700 goto drop; 701 } 702 SPPP_UNLOCK(sp); 703 return; 704 } 705 706 SPPP_UNLOCK(sp); 707 708 IFQ_LOCK(inq); 709 if (IF_QFULL(inq)) { 710 /* Queue overflow. */ 711 IF_DROP(inq); 712 IFQ_UNLOCK(inq); 713 if (debug) 714 log(LOG_DEBUG, "%s: protocol queue overflow\n", 715 ifp->if_xname); 716 717 SPPP_LOCK(sp, RW_READER); 718 goto drop; 719 } 720 IF_ENQUEUE(inq, m); 721 IFQ_UNLOCK(inq); 722 schednetisr(isr); 723 } 724 725 /* 726 * Enqueue transmit packet. 727 */ 728 static int 729 sppp_output(struct ifnet *ifp, struct mbuf *m, 730 const struct sockaddr *dst, const struct rtentry *rt) 731 { 732 struct sppp *sp = (struct sppp *) ifp; 733 struct ppp_header *h = NULL; 734 #ifndef SPPPSUBR_MPSAFE 735 struct ifqueue *ifq = NULL; /* XXX */ 736 #endif 737 int s, error = 0; 738 uint16_t protocol; 739 size_t pktlen; 740 741 s = splnet(); 742 SPPP_LOCK(sp, RW_READER); 743 744 sp->pp_last_activity = time_uptime; 745 746 if ((ifp->if_flags & IFF_UP) == 0 || 747 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 748 SPPP_UNLOCK(sp); 749 splx(s); 750 751 m_freem(m); 752 753 return (ENETDOWN); 754 } 755 756 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 757 /* 758 * Interface is not yet running, but auto-dial. Need 759 * to start LCP for it. 760 */ 761 ifp->if_flags |= IFF_RUNNING; 762 763 SPPP_UNLOCK(sp); 764 splx(s); 765 766 SPPP_LOCK(sp, RW_WRITER); 767 lcp.Open(sp); 768 SPPP_UNLOCK(sp); 769 770 s = splnet(); 771 SPPP_LOCK(sp, RW_READER); 772 } 773 774 /* 775 * If the queueing discipline needs packet classification, 776 * do it before prepending link headers. 777 */ 778 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family); 779 780 #ifdef INET 781 if (dst->sa_family == AF_INET) { 782 struct ip *ip = NULL; 783 #ifndef SPPPSUBR_MPSAFE 784 struct tcphdr *th = NULL; 785 #endif 786 787 if (m->m_len >= sizeof(struct ip)) { 788 ip = mtod(m, struct ip *); 789 #ifndef SPPPSUBR_MPSAFE 790 if (ip->ip_p == IPPROTO_TCP && 791 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 792 sizeof(struct tcphdr)) { 793 th = (struct tcphdr *) 794 ((char *)ip + (ip->ip_hl << 2)); 795 } 796 #endif 797 } else 798 ip = NULL; 799 800 /* 801 * When using dynamic local IP address assignment by using 802 * 0.0.0.0 as a local address, the first TCP session will 803 * not connect because the local TCP checksum is computed 804 * using 0.0.0.0 which will later become our real IP address 805 * so the TCP checksum computed at the remote end will 806 * become invalid. So we 807 * - don't let packets with src ip addr 0 thru 808 * - we flag TCP packets with src ip 0 as an error 809 */ 810 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 811 uint8_t proto = ip->ip_p; 812 813 SPPP_UNLOCK(sp); 814 splx(s); 815 816 m_freem(m); 817 if (proto == IPPROTO_TCP) 818 return (EADDRNOTAVAIL); 819 else 820 return (0); 821 } 822 823 #ifndef SPPPSUBR_MPSAFE 824 /* 825 * Put low delay, telnet, rlogin and ftp control packets 826 * in front of the queue. 827 */ 828 if (!IF_QFULL(&sp->pp_fastq) && 829 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 830 (th && (INTERACTIVE(ntohs(th->th_sport)) || 831 INTERACTIVE(ntohs(th->th_dport)))))) 832 ifq = &sp->pp_fastq; 833 #endif /* !SPPPSUBR_MPSAFE */ 834 } 835 #endif 836 837 #ifdef INET6 838 if (dst->sa_family == AF_INET6) { 839 /* XXX do something tricky here? */ 840 } 841 #endif 842 843 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 844 /* 845 * Prepend general data packet PPP header. For now, IP only. 846 */ 847 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 848 if (! m) { 849 if (ifp->if_flags & IFF_DEBUG) 850 log(LOG_DEBUG, "%s: no memory for transmit header\n", 851 ifp->if_xname); 852 ++ifp->if_oerrors; 853 SPPP_UNLOCK(sp); 854 splx(s); 855 return (ENOBUFS); 856 } 857 /* 858 * May want to check size of packet 859 * (albeit due to the implementation it's always enough) 860 */ 861 h = mtod(m, struct ppp_header *); 862 if (sp->pp_flags & PP_CISCO) { 863 h->address = CISCO_UNICAST; /* unicast address */ 864 h->control = 0; 865 } else { 866 h->address = PPP_ALLSTATIONS; /* broadcast address */ 867 h->control = PPP_UI; /* Unnumbered Info */ 868 } 869 } 870 871 switch (dst->sa_family) { 872 #ifdef INET 873 case AF_INET: /* Internet Protocol */ 874 if (sp->pp_flags & PP_CISCO) 875 protocol = htons(ETHERTYPE_IP); 876 else { 877 /* 878 * Don't choke with an ENETDOWN early. It's 879 * possible that we just started dialing out, 880 * so don't drop the packet immediately. If 881 * we notice that we run out of buffer space 882 * below, we will however remember that we are 883 * not ready to carry IP packets, and return 884 * ENETDOWN, as opposed to ENOBUFS. 885 */ 886 protocol = htons(PPP_IP); 887 if (sp->state[IDX_IPCP] != STATE_OPENED) 888 error = ENETDOWN; 889 } 890 break; 891 #endif 892 #ifdef INET6 893 case AF_INET6: /* Internet Protocol version 6 */ 894 if (sp->pp_flags & PP_CISCO) 895 protocol = htons(ETHERTYPE_IPV6); 896 else { 897 /* 898 * Don't choke with an ENETDOWN early. It's 899 * possible that we just started dialing out, 900 * so don't drop the packet immediately. If 901 * we notice that we run out of buffer space 902 * below, we will however remember that we are 903 * not ready to carry IP packets, and return 904 * ENETDOWN, as opposed to ENOBUFS. 905 */ 906 protocol = htons(PPP_IPV6); 907 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 908 error = ENETDOWN; 909 } 910 break; 911 #endif 912 default: 913 m_freem(m); 914 ++ifp->if_oerrors; 915 SPPP_UNLOCK(sp); 916 splx(s); 917 return (EAFNOSUPPORT); 918 } 919 920 if (sp->pp_flags & PP_NOFRAMING) { 921 M_PREPEND(m, 2, M_DONTWAIT); 922 if (m == NULL) { 923 if (ifp->if_flags & IFF_DEBUG) 924 log(LOG_DEBUG, "%s: no memory for transmit header\n", 925 ifp->if_xname); 926 ++ifp->if_oerrors; 927 SPPP_UNLOCK(sp); 928 splx(s); 929 return (ENOBUFS); 930 } 931 *mtod(m, uint16_t *) = protocol; 932 } else { 933 h->protocol = protocol; 934 } 935 936 pktlen = m->m_pkthdr.len; 937 #ifdef SPPPSUBR_MPSAFE 938 SPPP_UNLOCK(sp); 939 error = if_transmit_lock(ifp, m); 940 SPPP_LOCK(sp, RW_READER); 941 if (error == 0) 942 ifp->if_obytes += pktlen + sp->pp_framebytes; 943 #else /* !SPPPSUBR_MPSAFE */ 944 error = ifq_enqueue2(ifp, ifq, m); 945 946 if (error == 0) { 947 /* 948 * Count output packets and bytes. 949 * The packet length includes header + additional hardware 950 * framing according to RFC 1333. 951 */ 952 if (!(ifp->if_flags & IFF_OACTIVE)) { 953 SPPP_UNLOCK(sp); 954 if_start_lock(ifp); 955 SPPP_LOCK(sp, RW_READER); 956 } 957 ifp->if_obytes += pktlen + sp->pp_framebytes; 958 } 959 #endif /* !SPPPSUBR_MPSAFE */ 960 SPPP_UNLOCK(sp); 961 splx(s); 962 return error; 963 } 964 965 static int 966 sppp_mediachange(struct ifnet *ifp) 967 { 968 969 return (0); 970 } 971 972 static void 973 sppp_mediastatus(struct ifnet *ifp, struct ifmediareq *imr) 974 { 975 struct sppp *sp = (struct sppp *)ifp; 976 977 SPPP_LOCK(sp, RW_WRITER); 978 979 switch (ifp->if_link_state) { 980 case LINK_STATE_UP: 981 imr->ifm_status = IFM_AVALID | IFM_ACTIVE; 982 break; 983 case LINK_STATE_DOWN: 984 imr->ifm_status = IFM_AVALID; 985 break; 986 default: 987 /* Should be impossible as we set link state down in attach. */ 988 imr->ifm_status = 0; 989 break; 990 } 991 992 SPPP_UNLOCK(sp); 993 } 994 995 void 996 sppp_attach(struct ifnet *ifp) 997 { 998 struct sppp *sp = (struct sppp *) ifp; 999 1000 /* Initialize keepalive handler. */ 1001 if (! spppq) { 1002 callout_init(&keepalive_ch, CALLOUT_MPSAFE); 1003 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 1004 } 1005 1006 if (! spppq_lock) 1007 spppq_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_SOFTNET); 1008 1009 /* Insert new entry into the keepalive list. */ 1010 sp->pp_next = spppq; 1011 spppq = sp; 1012 1013 sp->pp_if.if_type = IFT_PPP; 1014 sp->pp_if.if_output = sppp_output; 1015 sp->pp_fastq.ifq_maxlen = 32; 1016 sp->pp_cpq.ifq_maxlen = 20; 1017 sp->pp_loopcnt = 0; 1018 sp->pp_alivecnt = 0; 1019 sp->pp_last_activity = 0; 1020 sp->pp_last_receive = 0; 1021 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 1022 sp->pp_max_noreceive = DEFAULT_NORECV_TIME; 1023 sp->pp_idle_timeout = 0; 1024 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq)); 1025 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq)); 1026 sp->pp_auth_failures = 0; 1027 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 1028 sp->pp_phase = SPPP_PHASE_DEAD; 1029 sp->pp_up = sppp_notify_up; 1030 sp->pp_down = sppp_notify_down; 1031 rw_init(&sp->pp_lock); 1032 1033 if_alloc_sadl(ifp); 1034 1035 /* Lets not beat about the bush, we know we're down. */ 1036 ifp->if_link_state = LINK_STATE_DOWN; 1037 /* There is no media for PPP, but it's needed to report link status. */ 1038 ifmedia_init(&sp->pp_im, 0, sppp_mediachange, sppp_mediastatus); 1039 1040 memset(&sp->myauth, 0, sizeof sp->myauth); 1041 memset(&sp->hisauth, 0, sizeof sp->hisauth); 1042 SPPP_LOCK(sp, RW_WRITER); 1043 sppp_lcp_init(sp); 1044 sppp_ipcp_init(sp); 1045 sppp_ipv6cp_init(sp); 1046 sppp_pap_init(sp); 1047 sppp_chap_init(sp); 1048 SPPP_UNLOCK(sp); 1049 } 1050 1051 void 1052 sppp_detach(struct ifnet *ifp) 1053 { 1054 struct sppp **q, *p, *sp = (struct sppp *) ifp; 1055 1056 /* Remove the entry from the keepalive list. */ 1057 SPPPQ_LOCK(); 1058 for (q = &spppq; (p = *q); q = &p->pp_next) 1059 if (p == sp) { 1060 *q = p->pp_next; 1061 break; 1062 } 1063 SPPPQ_UNLOCK(); 1064 1065 if (! spppq) { 1066 /* Stop keepalive handler. */ 1067 callout_stop(&keepalive_ch); 1068 mutex_obj_free(spppq_lock); 1069 spppq_lock = NULL; 1070 } 1071 1072 SPPP_LOCK(sp, RW_WRITER); 1073 1074 /* to avoid workqueue enqueued */ 1075 atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1); 1076 workqueue_wait(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk); 1077 workqueue_destroy(sp->ipcp.update_addrs_wq); 1078 pcq_destroy(sp->ipcp.update_addrs_q); 1079 1080 callout_stop(&sp->ch[IDX_LCP]); 1081 callout_stop(&sp->ch[IDX_IPCP]); 1082 callout_stop(&sp->ch[IDX_PAP]); 1083 callout_stop(&sp->ch[IDX_CHAP]); 1084 #ifdef INET6 1085 callout_stop(&sp->ch[IDX_IPV6CP]); 1086 #endif 1087 callout_stop(&sp->pap_my_to_ch); 1088 1089 /* free authentication info */ 1090 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 1091 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 1092 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 1093 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 1094 SPPP_UNLOCK(sp); 1095 rw_destroy(&sp->pp_lock); 1096 1097 /* Safety - shouldn't be needed as there is no media to set. */ 1098 ifmedia_delete_instance(&sp->pp_im, IFM_INST_ANY); 1099 } 1100 1101 /* 1102 * Flush the interface output queue. 1103 */ 1104 void 1105 sppp_flush(struct ifnet *ifp) 1106 { 1107 struct sppp *sp = (struct sppp *) ifp; 1108 1109 SPPP_LOCK(sp, RW_WRITER); 1110 IFQ_PURGE(&sp->pp_if.if_snd); 1111 IF_PURGE(&sp->pp_fastq); 1112 IF_PURGE(&sp->pp_cpq); 1113 SPPP_UNLOCK(sp); 1114 } 1115 1116 /* 1117 * Check if the output queue is empty. 1118 */ 1119 int 1120 sppp_isempty(struct ifnet *ifp) 1121 { 1122 struct sppp *sp = (struct sppp *) ifp; 1123 int empty, s; 1124 1125 s = splnet(); 1126 SPPP_LOCK(sp, RW_READER); 1127 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 1128 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 1129 SPPP_UNLOCK(sp); 1130 splx(s); 1131 return (empty); 1132 } 1133 1134 /* 1135 * Get next packet to send. 1136 */ 1137 struct mbuf * 1138 sppp_dequeue(struct ifnet *ifp) 1139 { 1140 struct sppp *sp = (struct sppp *) ifp; 1141 struct mbuf *m; 1142 int s; 1143 1144 s = splnet(); 1145 SPPP_LOCK(sp, RW_WRITER); 1146 /* 1147 * Process only the control protocol queue until we have at 1148 * least one NCP open. 1149 * 1150 * Do always serve all three queues in Cisco mode. 1151 */ 1152 IF_DEQUEUE(&sp->pp_cpq, m); 1153 if (m == NULL && 1154 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) { 1155 IF_DEQUEUE(&sp->pp_fastq, m); 1156 if (m == NULL) 1157 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 1158 } 1159 SPPP_UNLOCK(sp); 1160 splx(s); 1161 return m; 1162 } 1163 1164 /* 1165 * Process an ioctl request. Called on low priority level. 1166 */ 1167 int 1168 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1169 { 1170 struct lwp *l = curlwp; /* XXX */ 1171 struct ifreq *ifr = (struct ifreq *) data; 1172 struct ifaddr *ifa = (struct ifaddr *) data; 1173 struct sppp *sp = (struct sppp *) ifp; 1174 int s, error=0, going_up, going_down, newmode; 1175 1176 s = splnet(); 1177 switch (cmd) { 1178 case SIOCINITIFADDR: 1179 ifa->ifa_rtrequest = p2p_rtrequest; 1180 break; 1181 1182 case SIOCSIFFLAGS: 1183 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1184 break; 1185 1186 SPPP_LOCK(sp, RW_WRITER); 1187 going_up = ifp->if_flags & IFF_UP && 1188 (ifp->if_flags & IFF_RUNNING) == 0; 1189 going_down = (ifp->if_flags & IFF_UP) == 0 && 1190 ifp->if_flags & IFF_RUNNING; 1191 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1192 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1193 /* sanity */ 1194 newmode = IFF_PASSIVE; 1195 ifp->if_flags &= ~IFF_AUTO; 1196 } 1197 1198 if (going_up || going_down) { 1199 lcp.Close(sp); 1200 } 1201 if (going_up && newmode == 0) { 1202 /* neither auto-dial nor passive */ 1203 ifp->if_flags |= IFF_RUNNING; 1204 if (!(sp->pp_flags & PP_CISCO)) 1205 lcp.Open(sp); 1206 } else if (going_down) { 1207 SPPP_UNLOCK(sp); 1208 sppp_flush(ifp); 1209 SPPP_LOCK(sp, RW_WRITER); 1210 1211 ifp->if_flags &= ~IFF_RUNNING; 1212 } 1213 SPPP_UNLOCK(sp); 1214 break; 1215 1216 case SIOCSIFMTU: 1217 if (ifr->ifr_mtu < PPP_MINMRU || 1218 ifr->ifr_mtu > sp->lcp.their_mru) { 1219 error = EINVAL; 1220 break; 1221 } 1222 /*FALLTHROUGH*/ 1223 case SIOCGIFMTU: 1224 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1225 error = 0; 1226 break; 1227 case SIOCADDMULTI: 1228 case SIOCDELMULTI: 1229 break; 1230 1231 case SPPPSETAUTHCFG: 1232 case SPPPSETLCPCFG: 1233 case SPPPSETIDLETO: 1234 case SPPPSETAUTHFAILURE: 1235 case SPPPSETDNSOPTS: 1236 case SPPPSETKEEPALIVE: 1237 #if defined(COMPAT_50) || defined(MODULAR) 1238 case __SPPPSETIDLETO50: 1239 case __SPPPSETKEEPALIVE50: 1240 #endif /* COMPAT_50 || MODULAR */ 1241 error = kauth_authorize_network(l->l_cred, 1242 KAUTH_NETWORK_INTERFACE, 1243 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1244 NULL); 1245 if (error) 1246 break; 1247 error = sppp_params(sp, cmd, data); 1248 break; 1249 1250 case SPPPGETAUTHCFG: 1251 case SPPPGETLCPCFG: 1252 case SPPPGETAUTHFAILURES: 1253 error = kauth_authorize_network(l->l_cred, 1254 KAUTH_NETWORK_INTERFACE, 1255 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1256 NULL); 1257 if (error) 1258 break; 1259 error = sppp_params(sp, cmd, data); 1260 break; 1261 1262 case SPPPGETSTATUS: 1263 case SPPPGETSTATUSNCP: 1264 case SPPPGETIDLETO: 1265 case SPPPGETDNSOPTS: 1266 case SPPPGETDNSADDRS: 1267 case SPPPGETKEEPALIVE: 1268 #if defined(COMPAT_50) || defined(MODULAR) 1269 case __SPPPGETIDLETO50: 1270 case __SPPPGETKEEPALIVE50: 1271 #endif /* COMPAT_50 || MODULAR */ 1272 error = sppp_params(sp, cmd, data); 1273 break; 1274 1275 case SIOCGIFMEDIA: 1276 error = ifmedia_ioctl(ifp, ifr, &sp->pp_im, cmd); 1277 break; 1278 1279 default: 1280 error = ifioctl_common(ifp, cmd, data); 1281 break; 1282 } 1283 splx(s); 1284 return (error); 1285 } 1286 1287 1288 /* 1289 * Cisco framing implementation. 1290 */ 1291 1292 /* 1293 * Handle incoming Cisco keepalive protocol packets. 1294 */ 1295 static void 1296 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1297 { 1298 STDDCL; 1299 struct cisco_packet *h; 1300 #ifdef INET 1301 uint32_t me, mymask = 0; /* XXX: GCC */ 1302 #endif 1303 1304 SPPP_LOCK(sp, RW_WRITER); 1305 1306 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1307 if (debug) 1308 log(LOG_DEBUG, 1309 "%s: cisco invalid packet length: %d bytes\n", 1310 ifp->if_xname, m->m_pkthdr.len); 1311 SPPP_UNLOCK(sp); 1312 return; 1313 } 1314 h = mtod(m, struct cisco_packet *); 1315 if (debug) 1316 log(LOG_DEBUG, 1317 "%s: cisco input: %d bytes " 1318 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1319 ifp->if_xname, m->m_pkthdr.len, 1320 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1321 (u_int)h->time0, (u_int)h->time1); 1322 switch (ntohl(h->type)) { 1323 default: 1324 if (debug) 1325 addlog("%s: cisco unknown packet type: 0x%x\n", 1326 ifp->if_xname, ntohl(h->type)); 1327 break; 1328 case CISCO_ADDR_REPLY: 1329 /* Reply on address request, ignore */ 1330 break; 1331 case CISCO_KEEPALIVE_REQ: 1332 sp->pp_alivecnt = 0; 1333 sp->pp_rseq[IDX_LCP] = ntohl(h->par1); 1334 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1335 /* Local and remote sequence numbers are equal. 1336 * Probably, the line is in loopback mode. */ 1337 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1338 printf ("%s: loopback\n", 1339 ifp->if_xname); 1340 sp->pp_loopcnt = 0; 1341 if (ifp->if_flags & IFF_UP) { 1342 SPPP_UNLOCK(sp); 1343 if_down(ifp); 1344 SPPP_LOCK(sp, RW_WRITER); 1345 1346 IF_PURGE(&sp->pp_cpq); 1347 } 1348 } 1349 ++sp->pp_loopcnt; 1350 1351 /* Generate new local sequence number */ 1352 sp->pp_seq[IDX_LCP] = cprng_fast32(); 1353 break; 1354 } 1355 sp->pp_loopcnt = 0; 1356 if (! (ifp->if_flags & IFF_UP) && 1357 (ifp->if_flags & IFF_RUNNING)) { 1358 SPPP_UNLOCK(sp); 1359 if_up(ifp); 1360 SPPP_LOCK(sp, RW_WRITER); 1361 } 1362 break; 1363 case CISCO_ADDR_REQ: 1364 #ifdef INET 1365 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1366 if (me != 0L) 1367 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1368 #endif 1369 break; 1370 } 1371 SPPP_UNLOCK(sp); 1372 } 1373 1374 /* 1375 * Send Cisco keepalive packet. 1376 */ 1377 static void 1378 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1379 { 1380 STDDCL; 1381 struct ppp_header *h; 1382 struct cisco_packet *ch; 1383 struct mbuf *m; 1384 uint32_t t; 1385 1386 KASSERT(SPPP_WLOCKED(sp)); 1387 1388 t = time_uptime * 1000; 1389 MGETHDR(m, M_DONTWAIT, MT_DATA); 1390 if (! m) 1391 return; 1392 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1393 m_reset_rcvif(m); 1394 1395 h = mtod(m, struct ppp_header *); 1396 h->address = CISCO_MULTICAST; 1397 h->control = 0; 1398 h->protocol = htons(CISCO_KEEPALIVE); 1399 1400 ch = (struct cisco_packet *)(h + 1); 1401 ch->type = htonl(type); 1402 ch->par1 = htonl(par1); 1403 ch->par2 = htonl(par2); 1404 ch->rel = -1; 1405 1406 ch->time0 = htons((u_short)(t >> 16)); 1407 ch->time1 = htons((u_short) t); 1408 1409 if (debug) 1410 log(LOG_DEBUG, 1411 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1412 ifp->if_xname, ntohl(ch->type), ch->par1, 1413 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1414 (u_int)ch->time1); 1415 1416 if (IF_QFULL(&sp->pp_cpq)) { 1417 IF_DROP(&sp->pp_fastq); 1418 IF_DROP(&ifp->if_snd); 1419 m_freem(m); 1420 ++ifp->if_oerrors; 1421 return; 1422 } 1423 1424 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1425 IF_ENQUEUE(&sp->pp_cpq, m); 1426 1427 if (! (ifp->if_flags & IFF_OACTIVE)) { 1428 SPPP_UNLOCK(sp); 1429 if_start_lock(ifp); 1430 SPPP_LOCK(sp, RW_WRITER); 1431 } 1432 } 1433 1434 /* 1435 * PPP protocol implementation. 1436 */ 1437 1438 /* 1439 * Send PPP control protocol packet. 1440 */ 1441 static void 1442 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1443 u_char ident, u_short len, void *data) 1444 { 1445 STDDCL; 1446 struct lcp_header *lh; 1447 struct mbuf *m; 1448 size_t pkthdrlen; 1449 1450 KASSERT(SPPP_WLOCKED(sp)); 1451 1452 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1453 1454 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1455 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1456 MGETHDR(m, M_DONTWAIT, MT_DATA); 1457 if (! m) { 1458 return; 1459 } 1460 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1461 m_reset_rcvif(m); 1462 1463 if (sp->pp_flags & PP_NOFRAMING) { 1464 *mtod(m, uint16_t *) = htons(proto); 1465 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1466 } else { 1467 struct ppp_header *h; 1468 h = mtod(m, struct ppp_header *); 1469 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1470 h->control = PPP_UI; /* Unnumbered Info */ 1471 h->protocol = htons(proto); /* Link Control Protocol */ 1472 lh = (struct lcp_header *)(h + 1); 1473 } 1474 lh->type = type; 1475 lh->ident = ident; 1476 lh->len = htons(LCP_HEADER_LEN + len); 1477 if (len) 1478 memcpy(lh + 1, data, len); 1479 1480 if (debug) { 1481 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1482 ifp->if_xname, 1483 sppp_proto_name(proto), 1484 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len)); 1485 if (len) 1486 sppp_print_bytes((u_char *)(lh + 1), len); 1487 addlog(">\n"); 1488 } 1489 if (IF_QFULL(&sp->pp_cpq)) { 1490 IF_DROP(&sp->pp_fastq); 1491 IF_DROP(&ifp->if_snd); 1492 m_freem(m); 1493 ++ifp->if_oerrors; 1494 return; 1495 } 1496 1497 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 1498 IF_ENQUEUE(&sp->pp_cpq, m); 1499 1500 1501 if (! (ifp->if_flags & IFF_OACTIVE)) { 1502 SPPP_UNLOCK(sp); 1503 if_start_lock(ifp); 1504 SPPP_LOCK(sp, RW_WRITER); 1505 } 1506 } 1507 1508 /* 1509 * Handle incoming PPP control protocol packets. 1510 */ 1511 static void 1512 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1513 { 1514 STDDCL; 1515 struct lcp_header *h; 1516 int printlen, len = m->m_pkthdr.len; 1517 int rv; 1518 u_char *p; 1519 uint32_t u32; 1520 1521 SPPP_LOCK(sp, RW_WRITER); 1522 1523 if (len < 4) { 1524 if (debug) 1525 log(LOG_DEBUG, 1526 "%s: %s invalid packet length: %d bytes\n", 1527 ifp->if_xname, cp->name, len); 1528 SPPP_UNLOCK(sp); 1529 return; 1530 } 1531 h = mtod(m, struct lcp_header *); 1532 if (debug) { 1533 printlen = ntohs(h->len); 1534 log(LOG_DEBUG, 1535 "%s: %s input(%s): <%s id=0x%x len=%d", 1536 ifp->if_xname, cp->name, 1537 sppp_state_name(sp->state[cp->protoidx]), 1538 sppp_cp_type_name(h->type), h->ident, printlen); 1539 if (len < printlen) 1540 printlen = len; 1541 if (printlen > 4) 1542 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1543 addlog(">\n"); 1544 } 1545 if (len > ntohs(h->len)) 1546 len = ntohs(h->len); 1547 p = (u_char *)(h + 1); 1548 switch (h->type) { 1549 case CONF_REQ: 1550 if (len < 4) { 1551 if (debug) 1552 addlog("%s: %s invalid conf-req length %d\n", 1553 ifp->if_xname, cp->name, 1554 len); 1555 ++ifp->if_ierrors; 1556 break; 1557 } 1558 /* handle states where RCR doesn't get a SCA/SCN */ 1559 switch (sp->state[cp->protoidx]) { 1560 case STATE_CLOSING: 1561 case STATE_STOPPING: 1562 SPPP_UNLOCK(sp); 1563 return; 1564 case STATE_CLOSED: 1565 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1566 0, 0); 1567 SPPP_UNLOCK(sp); 1568 return; 1569 } 1570 rv = (cp->RCR)(sp, h, len); 1571 if (rv < 0) { 1572 /* fatal error, shut down */ 1573 (cp->tld)(sp); 1574 sppp_lcp_tlf(sp); 1575 SPPP_UNLOCK(sp); 1576 return; 1577 } 1578 switch (sp->state[cp->protoidx]) { 1579 case STATE_OPENED: 1580 (cp->tld)(sp); 1581 (cp->scr)(sp); 1582 /* fall through... */ 1583 case STATE_ACK_SENT: 1584 case STATE_REQ_SENT: 1585 sppp_cp_change_state(cp, sp, rv? 1586 STATE_ACK_SENT: STATE_REQ_SENT); 1587 break; 1588 case STATE_STOPPED: 1589 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1590 (cp->scr)(sp); 1591 sppp_cp_change_state(cp, sp, rv? 1592 STATE_ACK_SENT: STATE_REQ_SENT); 1593 break; 1594 case STATE_ACK_RCVD: 1595 if (rv) { 1596 sppp_cp_change_state(cp, sp, STATE_OPENED); 1597 if (debug) 1598 log(LOG_DEBUG, "%s: %s tlu\n", 1599 ifp->if_xname, 1600 cp->name); 1601 (cp->tlu)(sp); 1602 } else 1603 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1604 break; 1605 default: 1606 printf("%s: %s illegal %s in state %s\n", 1607 ifp->if_xname, cp->name, 1608 sppp_cp_type_name(h->type), 1609 sppp_state_name(sp->state[cp->protoidx])); 1610 ++ifp->if_ierrors; 1611 } 1612 break; 1613 case CONF_ACK: 1614 if (h->ident != sp->confid[cp->protoidx]) { 1615 if (debug) 1616 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1617 ifp->if_xname, cp->name, 1618 h->ident, sp->confid[cp->protoidx]); 1619 ++ifp->if_ierrors; 1620 break; 1621 } 1622 switch (sp->state[cp->protoidx]) { 1623 case STATE_CLOSED: 1624 case STATE_STOPPED: 1625 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1626 break; 1627 case STATE_CLOSING: 1628 case STATE_STOPPING: 1629 break; 1630 case STATE_REQ_SENT: 1631 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1632 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1633 break; 1634 case STATE_OPENED: 1635 (cp->tld)(sp); 1636 /* fall through */ 1637 case STATE_ACK_RCVD: 1638 (cp->scr)(sp); 1639 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1640 break; 1641 case STATE_ACK_SENT: 1642 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1643 sppp_cp_change_state(cp, sp, STATE_OPENED); 1644 if (debug) 1645 log(LOG_DEBUG, "%s: %s tlu\n", 1646 ifp->if_xname, cp->name); 1647 (cp->tlu)(sp); 1648 break; 1649 default: 1650 printf("%s: %s illegal %s in state %s\n", 1651 ifp->if_xname, cp->name, 1652 sppp_cp_type_name(h->type), 1653 sppp_state_name(sp->state[cp->protoidx])); 1654 ++ifp->if_ierrors; 1655 } 1656 break; 1657 case CONF_NAK: 1658 case CONF_REJ: 1659 if (h->ident != sp->confid[cp->protoidx]) { 1660 if (debug) 1661 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1662 ifp->if_xname, cp->name, 1663 h->ident, sp->confid[cp->protoidx]); 1664 ++ifp->if_ierrors; 1665 break; 1666 } 1667 if (h->type == CONF_NAK) 1668 (cp->RCN_nak)(sp, h, len); 1669 else /* CONF_REJ */ 1670 (cp->RCN_rej)(sp, h, len); 1671 1672 switch (sp->state[cp->protoidx]) { 1673 case STATE_CLOSED: 1674 case STATE_STOPPED: 1675 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1676 break; 1677 case STATE_REQ_SENT: 1678 case STATE_ACK_SENT: 1679 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1680 (cp->scr)(sp); 1681 break; 1682 case STATE_OPENED: 1683 (cp->tld)(sp); 1684 /* fall through */ 1685 case STATE_ACK_RCVD: 1686 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 1687 (cp->scr)(sp); 1688 break; 1689 case STATE_CLOSING: 1690 case STATE_STOPPING: 1691 break; 1692 default: 1693 printf("%s: %s illegal %s in state %s\n", 1694 ifp->if_xname, cp->name, 1695 sppp_cp_type_name(h->type), 1696 sppp_state_name(sp->state[cp->protoidx])); 1697 ++ifp->if_ierrors; 1698 } 1699 break; 1700 1701 case TERM_REQ: 1702 switch (sp->state[cp->protoidx]) { 1703 case STATE_ACK_RCVD: 1704 case STATE_ACK_SENT: 1705 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1706 /* fall through */ 1707 case STATE_CLOSED: 1708 case STATE_STOPPED: 1709 case STATE_CLOSING: 1710 case STATE_STOPPING: 1711 case STATE_REQ_SENT: 1712 sta: 1713 /* Send Terminate-Ack packet. */ 1714 if (debug) 1715 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 1716 ifp->if_xname, cp->name); 1717 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1718 break; 1719 case STATE_OPENED: 1720 (cp->tld)(sp); 1721 sp->rst_counter[cp->protoidx] = 0; 1722 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1723 goto sta; 1724 default: 1725 printf("%s: %s illegal %s in state %s\n", 1726 ifp->if_xname, cp->name, 1727 sppp_cp_type_name(h->type), 1728 sppp_state_name(sp->state[cp->protoidx])); 1729 ++ifp->if_ierrors; 1730 } 1731 break; 1732 case TERM_ACK: 1733 switch (sp->state[cp->protoidx]) { 1734 case STATE_CLOSED: 1735 case STATE_STOPPED: 1736 case STATE_REQ_SENT: 1737 case STATE_ACK_SENT: 1738 break; 1739 case STATE_CLOSING: 1740 (cp->tlf)(sp); 1741 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1742 sppp_lcp_check_and_close(sp); 1743 break; 1744 case STATE_STOPPING: 1745 (cp->tlf)(sp); 1746 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1747 sppp_lcp_check_and_close(sp); 1748 break; 1749 case STATE_ACK_RCVD: 1750 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1751 break; 1752 case STATE_OPENED: 1753 (cp->tld)(sp); 1754 (cp->scr)(sp); 1755 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1756 break; 1757 default: 1758 printf("%s: %s illegal %s in state %s\n", 1759 ifp->if_xname, cp->name, 1760 sppp_cp_type_name(h->type), 1761 sppp_state_name(sp->state[cp->protoidx])); 1762 ++ifp->if_ierrors; 1763 } 1764 break; 1765 case CODE_REJ: 1766 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1767 log(LOG_INFO, 1768 "%s: %s: ignoring RXJ (%s) for code ?, " 1769 "danger will robinson\n", 1770 ifp->if_xname, cp->name, 1771 sppp_cp_type_name(h->type)); 1772 switch (sp->state[cp->protoidx]) { 1773 case STATE_CLOSED: 1774 case STATE_STOPPED: 1775 case STATE_REQ_SENT: 1776 case STATE_ACK_SENT: 1777 case STATE_CLOSING: 1778 case STATE_STOPPING: 1779 case STATE_OPENED: 1780 break; 1781 case STATE_ACK_RCVD: 1782 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1783 break; 1784 default: 1785 printf("%s: %s illegal %s in state %s\n", 1786 ifp->if_xname, cp->name, 1787 sppp_cp_type_name(h->type), 1788 sppp_state_name(sp->state[cp->protoidx])); 1789 ++ifp->if_ierrors; 1790 } 1791 break; 1792 case PROTO_REJ: 1793 { 1794 int catastrophic; 1795 const struct cp *upper; 1796 int i; 1797 uint16_t proto; 1798 1799 catastrophic = 0; 1800 upper = NULL; 1801 proto = p[0] << 8 | p[1]; 1802 for (i = 0; i < IDX_COUNT; i++) { 1803 if (cps[i]->proto == proto) { 1804 upper = cps[i]; 1805 break; 1806 } 1807 } 1808 if (upper == NULL) 1809 catastrophic++; 1810 1811 if (debug) 1812 log(LOG_INFO, 1813 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1814 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1815 sppp_cp_type_name(h->type), proto, 1816 upper ? upper->name : "unknown", 1817 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1818 1819 /* 1820 * if we got RXJ+ against conf-req, the peer does not implement 1821 * this particular protocol type. terminate the protocol. 1822 */ 1823 if (upper && !catastrophic) { 1824 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1825 upper->Close(sp); 1826 break; 1827 } 1828 } 1829 1830 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1831 switch (sp->state[cp->protoidx]) { 1832 case STATE_CLOSED: 1833 case STATE_STOPPED: 1834 case STATE_REQ_SENT: 1835 case STATE_ACK_SENT: 1836 case STATE_CLOSING: 1837 case STATE_STOPPING: 1838 case STATE_OPENED: 1839 break; 1840 case STATE_ACK_RCVD: 1841 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1842 break; 1843 default: 1844 printf("%s: %s illegal %s in state %s\n", 1845 ifp->if_xname, cp->name, 1846 sppp_cp_type_name(h->type), 1847 sppp_state_name(sp->state[cp->protoidx])); 1848 ++ifp->if_ierrors; 1849 } 1850 break; 1851 } 1852 case DISC_REQ: 1853 if (cp->proto != PPP_LCP) 1854 goto illegal; 1855 /* Discard the packet. */ 1856 break; 1857 case ECHO_REQ: 1858 if (cp->proto != PPP_LCP) 1859 goto illegal; 1860 if (sp->state[cp->protoidx] != STATE_OPENED) { 1861 if (debug) 1862 addlog("%s: lcp echo req but lcp closed\n", 1863 ifp->if_xname); 1864 ++ifp->if_ierrors; 1865 break; 1866 } 1867 if (len < 8) { 1868 if (debug) 1869 addlog("%s: invalid lcp echo request " 1870 "packet length: %d bytes\n", 1871 ifp->if_xname, len); 1872 break; 1873 } 1874 memcpy(&u32, h + 1, sizeof u32); 1875 if (ntohl(u32) == sp->lcp.magic) { 1876 /* Line loopback mode detected. */ 1877 printf("%s: loopback\n", ifp->if_xname); 1878 SPPP_UNLOCK(sp); 1879 if_down(ifp); 1880 SPPP_LOCK(sp, RW_WRITER); 1881 1882 IF_PURGE(&sp->pp_cpq); 1883 1884 /* Shut down the PPP link. */ 1885 /* XXX */ 1886 lcp.Down(sp); 1887 lcp.Up(sp); 1888 break; 1889 } 1890 u32 = htonl(sp->lcp.magic); 1891 memcpy(h + 1, &u32, sizeof u32); 1892 if (debug) 1893 addlog("%s: got lcp echo req, sending echo rep\n", 1894 ifp->if_xname); 1895 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1896 h + 1); 1897 break; 1898 case ECHO_REPLY: 1899 if (cp->proto != PPP_LCP) 1900 goto illegal; 1901 if (h->ident != sp->lcp.echoid) { 1902 ++ifp->if_ierrors; 1903 break; 1904 } 1905 if (len < 8) { 1906 if (debug) 1907 addlog("%s: lcp invalid echo reply " 1908 "packet length: %d bytes\n", 1909 ifp->if_xname, len); 1910 break; 1911 } 1912 if (debug) 1913 addlog("%s: lcp got echo rep\n", 1914 ifp->if_xname); 1915 memcpy(&u32, h + 1, sizeof u32); 1916 if (ntohl(u32) != sp->lcp.magic) 1917 sp->pp_alivecnt = 0; 1918 break; 1919 default: 1920 /* Unknown packet type -- send Code-Reject packet. */ 1921 illegal: 1922 if (debug) 1923 addlog("%s: %s send code-rej for 0x%x\n", 1924 ifp->if_xname, cp->name, h->type); 1925 sppp_cp_send(sp, cp->proto, CODE_REJ, 1926 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1927 ++ifp->if_ierrors; 1928 } 1929 1930 SPPP_UNLOCK(sp); 1931 } 1932 1933 1934 /* 1935 * The generic part of all Up/Down/Open/Close/TO event handlers. 1936 * Basically, the state transition handling in the automaton. 1937 */ 1938 static void 1939 sppp_up_event(const struct cp *cp, struct sppp *sp) 1940 { 1941 STDDCL; 1942 1943 KASSERT(SPPP_WLOCKED(sp)); 1944 1945 if (debug) 1946 log(LOG_DEBUG, "%s: %s up(%s)\n", 1947 ifp->if_xname, cp->name, 1948 sppp_state_name(sp->state[cp->protoidx])); 1949 1950 switch (sp->state[cp->protoidx]) { 1951 case STATE_INITIAL: 1952 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1953 break; 1954 case STATE_STARTING: 1955 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1956 (cp->scr)(sp); 1957 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1958 break; 1959 default: 1960 printf("%s: %s illegal up in state %s\n", 1961 ifp->if_xname, cp->name, 1962 sppp_state_name(sp->state[cp->protoidx])); 1963 } 1964 } 1965 1966 static void 1967 sppp_down_event(const struct cp *cp, struct sppp *sp) 1968 { 1969 STDDCL; 1970 1971 KASSERT(SPPP_WLOCKED(sp)); 1972 1973 if (debug) 1974 log(LOG_DEBUG, "%s: %s down(%s)\n", 1975 ifp->if_xname, cp->name, 1976 sppp_state_name(sp->state[cp->protoidx])); 1977 1978 switch (sp->state[cp->protoidx]) { 1979 case STATE_CLOSED: 1980 case STATE_CLOSING: 1981 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1982 break; 1983 case STATE_STOPPED: 1984 (cp->tls)(sp); 1985 /* fall through */ 1986 case STATE_STOPPING: 1987 case STATE_REQ_SENT: 1988 case STATE_ACK_RCVD: 1989 case STATE_ACK_SENT: 1990 sppp_cp_change_state(cp, sp, STATE_STARTING); 1991 break; 1992 case STATE_OPENED: 1993 (cp->tld)(sp); 1994 sppp_cp_change_state(cp, sp, STATE_STARTING); 1995 break; 1996 default: 1997 printf("%s: %s illegal down in state %s\n", 1998 ifp->if_xname, cp->name, 1999 sppp_state_name(sp->state[cp->protoidx])); 2000 } 2001 } 2002 2003 2004 static void 2005 sppp_open_event(const struct cp *cp, struct sppp *sp) 2006 { 2007 STDDCL; 2008 2009 KASSERT(SPPP_WLOCKED(sp)); 2010 2011 if (debug) 2012 log(LOG_DEBUG, "%s: %s open(%s)\n", 2013 ifp->if_xname, cp->name, 2014 sppp_state_name(sp->state[cp->protoidx])); 2015 2016 switch (sp->state[cp->protoidx]) { 2017 case STATE_INITIAL: 2018 sppp_cp_change_state(cp, sp, STATE_STARTING); 2019 (cp->tls)(sp); 2020 break; 2021 case STATE_STARTING: 2022 break; 2023 case STATE_CLOSED: 2024 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 2025 (cp->scr)(sp); 2026 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2027 break; 2028 case STATE_STOPPED: 2029 case STATE_STOPPING: 2030 case STATE_REQ_SENT: 2031 case STATE_ACK_RCVD: 2032 case STATE_ACK_SENT: 2033 case STATE_OPENED: 2034 break; 2035 case STATE_CLOSING: 2036 sppp_cp_change_state(cp, sp, STATE_STOPPING); 2037 break; 2038 } 2039 } 2040 2041 2042 static void 2043 sppp_close_event(const struct cp *cp, struct sppp *sp) 2044 { 2045 STDDCL; 2046 2047 KASSERT(SPPP_WLOCKED(sp)); 2048 2049 if (debug) 2050 log(LOG_DEBUG, "%s: %s close(%s)\n", 2051 ifp->if_xname, cp->name, 2052 sppp_state_name(sp->state[cp->protoidx])); 2053 2054 switch (sp->state[cp->protoidx]) { 2055 case STATE_INITIAL: 2056 case STATE_CLOSED: 2057 case STATE_CLOSING: 2058 break; 2059 case STATE_STARTING: 2060 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2061 (cp->tlf)(sp); 2062 break; 2063 case STATE_STOPPED: 2064 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2065 break; 2066 case STATE_STOPPING: 2067 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2068 break; 2069 case STATE_OPENED: 2070 (cp->tld)(sp); 2071 /* fall through */ 2072 case STATE_REQ_SENT: 2073 case STATE_ACK_RCVD: 2074 case STATE_ACK_SENT: 2075 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 2076 sppp_cp_send(sp, cp->proto, TERM_REQ, 2077 ++sp->pp_seq[cp->protoidx], 0, 0); 2078 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2079 break; 2080 } 2081 } 2082 2083 static void 2084 sppp_to_event(const struct cp *cp, struct sppp *sp) 2085 { 2086 STDDCL; 2087 int s; 2088 2089 KASSERT(SPPP_WLOCKED(sp)); 2090 2091 s = splnet(); 2092 2093 if (debug) 2094 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 2095 ifp->if_xname, cp->name, 2096 sppp_state_name(sp->state[cp->protoidx]), 2097 sp->rst_counter[cp->protoidx]); 2098 2099 if (--sp->rst_counter[cp->protoidx] < 0) 2100 /* TO- event */ 2101 switch (sp->state[cp->protoidx]) { 2102 case STATE_CLOSING: 2103 (cp->tlf)(sp); 2104 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2105 sppp_lcp_check_and_close(sp); 2106 break; 2107 case STATE_STOPPING: 2108 (cp->tlf)(sp); 2109 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2110 sppp_lcp_check_and_close(sp); 2111 break; 2112 case STATE_REQ_SENT: 2113 case STATE_ACK_RCVD: 2114 case STATE_ACK_SENT: 2115 (cp->tlf)(sp); 2116 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2117 sppp_lcp_check_and_close(sp); 2118 break; 2119 } 2120 else 2121 /* TO+ event */ 2122 switch (sp->state[cp->protoidx]) { 2123 case STATE_CLOSING: 2124 case STATE_STOPPING: 2125 sppp_cp_send(sp, cp->proto, TERM_REQ, 2126 ++sp->pp_seq[cp->protoidx], 0, 0); 2127 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2128 cp->TO, sp); 2129 break; 2130 case STATE_REQ_SENT: 2131 case STATE_ACK_RCVD: 2132 (cp->scr)(sp); 2133 /* sppp_cp_change_state() will restart the timer */ 2134 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2135 break; 2136 case STATE_ACK_SENT: 2137 (cp->scr)(sp); 2138 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2139 cp->TO, sp); 2140 break; 2141 } 2142 2143 splx(s); 2144 } 2145 2146 /* 2147 * Change the state of a control protocol in the state automaton. 2148 * Takes care of starting/stopping the restart timer. 2149 */ 2150 void 2151 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2152 { 2153 2154 KASSERT(SPPP_WLOCKED(sp)); 2155 2156 sp->state[cp->protoidx] = newstate; 2157 callout_stop(&sp->ch[cp->protoidx]); 2158 switch (newstate) { 2159 case STATE_INITIAL: 2160 case STATE_STARTING: 2161 case STATE_CLOSED: 2162 case STATE_STOPPED: 2163 case STATE_OPENED: 2164 break; 2165 case STATE_CLOSING: 2166 case STATE_STOPPING: 2167 case STATE_REQ_SENT: 2168 case STATE_ACK_RCVD: 2169 case STATE_ACK_SENT: 2170 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2171 cp->TO, sp); 2172 break; 2173 } 2174 } 2175 2176 /* 2177 *--------------------------------------------------------------------------* 2178 * * 2179 * The LCP implementation. * 2180 * * 2181 *--------------------------------------------------------------------------* 2182 */ 2183 static void 2184 sppp_lcp_init(struct sppp *sp) 2185 { 2186 2187 KASSERT(SPPP_WLOCKED(sp)); 2188 2189 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2190 sp->lcp.magic = 0; 2191 sp->state[IDX_LCP] = STATE_INITIAL; 2192 sp->fail_counter[IDX_LCP] = 0; 2193 sp->pp_seq[IDX_LCP] = 0; 2194 sp->pp_rseq[IDX_LCP] = 0; 2195 sp->lcp.protos = 0; 2196 2197 /* 2198 * Initialize counters and timeout values. Note that we don't 2199 * use the 3 seconds suggested in RFC 1661 since we are likely 2200 * running on a fast link. XXX We should probably implement 2201 * the exponential backoff option. Note that these values are 2202 * relevant for all control protocols, not just LCP only. 2203 */ 2204 sp->lcp.timeout = 1 * hz; 2205 sp->lcp.max_terminate = 2; 2206 sp->lcp.max_configure = 10; 2207 sp->lcp.max_failure = 10; 2208 callout_init(&sp->ch[IDX_LCP], CALLOUT_MPSAFE); 2209 } 2210 2211 static void 2212 sppp_lcp_up(struct sppp *sp) 2213 { 2214 STDDCL; 2215 2216 KASSERT(SPPP_WLOCKED(sp)); 2217 2218 /* Initialize activity timestamp: opening a connection is an activity */ 2219 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 2220 2221 /* 2222 * If this interface is passive or dial-on-demand, and we are 2223 * still in Initial state, it means we've got an incoming 2224 * call. Activate the interface. 2225 */ 2226 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2227 if (debug) 2228 log(LOG_DEBUG, 2229 "%s: Up event", ifp->if_xname); 2230 ifp->if_flags |= IFF_RUNNING; 2231 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2232 if (debug) 2233 addlog("(incoming call)\n"); 2234 sp->pp_flags |= PP_CALLIN; 2235 lcp.Open(sp); 2236 } else if (debug) 2237 addlog("\n"); 2238 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2239 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2240 ifp->if_flags |= IFF_RUNNING; 2241 lcp.Open(sp); 2242 } 2243 2244 sppp_up_event(&lcp, sp); 2245 } 2246 2247 static void 2248 sppp_lcp_down(struct sppp *sp) 2249 { 2250 STDDCL; 2251 2252 KASSERT(SPPP_WLOCKED(sp)); 2253 2254 sppp_down_event(&lcp, sp); 2255 2256 /* 2257 * If this is neither a dial-on-demand nor a passive 2258 * interface, simulate an ``ifconfig down'' action, so the 2259 * administrator can force a redial by another ``ifconfig 2260 * up''. XXX For leased line operation, should we immediately 2261 * try to reopen the connection here? 2262 */ 2263 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2264 if (debug) 2265 log(LOG_INFO, 2266 "%s: Down event (carrier loss), taking interface down.\n", 2267 ifp->if_xname); 2268 SPPP_UNLOCK(sp); 2269 if_down(ifp); 2270 SPPP_LOCK(sp, RW_WRITER); 2271 } else { 2272 if (debug) 2273 log(LOG_DEBUG, 2274 "%s: Down event (carrier loss)\n", 2275 ifp->if_xname); 2276 } 2277 sp->fail_counter[IDX_LCP] = 0; 2278 sp->pp_flags &= ~PP_CALLIN; 2279 if (sp->state[IDX_LCP] != STATE_INITIAL) 2280 lcp.Close(sp); 2281 ifp->if_flags &= ~IFF_RUNNING; 2282 } 2283 2284 static void 2285 sppp_lcp_open(struct sppp *sp) 2286 { 2287 2288 KASSERT(SPPP_WLOCKED(sp)); 2289 2290 if (sp->pp_if.if_mtu < PP_MTU) { 2291 sp->lcp.mru = sp->pp_if.if_mtu; 2292 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2293 } else 2294 sp->lcp.mru = PP_MTU; 2295 sp->lcp.their_mru = PP_MTU; 2296 2297 /* 2298 * If we are authenticator, negotiate LCP_AUTH 2299 */ 2300 if (sp->hisauth.proto != 0) 2301 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2302 else 2303 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2304 sp->pp_flags &= ~PP_NEEDAUTH; 2305 sppp_open_event(&lcp, sp); 2306 } 2307 2308 static void 2309 sppp_lcp_close(struct sppp *sp) 2310 { 2311 2312 KASSERT(SPPP_WLOCKED(sp)); 2313 sppp_close_event(&lcp, sp); 2314 } 2315 2316 static void 2317 sppp_lcp_TO(void *cookie) 2318 { 2319 struct sppp *sp = (struct sppp*)cookie; 2320 2321 SPPP_LOCK(sp, RW_WRITER); 2322 sppp_to_event(&lcp, sp); 2323 SPPP_UNLOCK(sp); 2324 } 2325 2326 /* 2327 * Analyze a configure request. Return true if it was agreeable, and 2328 * caused action sca, false if it has been rejected or nak'ed, and 2329 * caused action scn. (The return value is used to make the state 2330 * transition decision in the state automaton.) 2331 */ 2332 static int 2333 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2334 { 2335 STDDCL; 2336 u_char *buf, *r, *p, l, blen; 2337 int origlen, rlen; 2338 uint32_t nmagic; 2339 u_short authproto; 2340 2341 KASSERT(SPPP_WLOCKED(sp)); 2342 2343 len -= 4; 2344 origlen = len; 2345 buf = r = malloc (blen = len, M_TEMP, M_NOWAIT); 2346 if (! buf) 2347 return (0); 2348 2349 if (debug) 2350 log(LOG_DEBUG, "%s: lcp parse opts:", 2351 ifp->if_xname); 2352 2353 /* pass 1: check for things that need to be rejected */ 2354 p = (void *)(h + 1); 2355 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2356 /* Sanity check option length */ 2357 if (l > len) { 2358 /* 2359 * Malicious option - drop immediately. 2360 * XXX Maybe we should just RXJ it? 2361 */ 2362 addlog("%s: received malicious LCP option 0x%02x, " 2363 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2364 p[0], l, len); 2365 goto drop; 2366 } 2367 if (debug) 2368 addlog(" %s", sppp_lcp_opt_name(*p)); 2369 switch (*p) { 2370 case LCP_OPT_MAGIC: 2371 /* Magic number. */ 2372 /* fall through, both are same length */ 2373 case LCP_OPT_ASYNC_MAP: 2374 /* Async control character map. */ 2375 if (len >= 6 || l == 6) 2376 continue; 2377 if (debug) 2378 addlog(" [invalid]"); 2379 break; 2380 case LCP_OPT_MRU: 2381 /* Maximum receive unit. */ 2382 if (len >= 4 && l == 4) 2383 continue; 2384 if (debug) 2385 addlog(" [invalid]"); 2386 break; 2387 case LCP_OPT_AUTH_PROTO: 2388 if (len < 4) { 2389 if (debug) 2390 addlog(" [invalid]"); 2391 break; 2392 } 2393 authproto = (p[2] << 8) + p[3]; 2394 if (authproto == PPP_CHAP && l != 5) { 2395 if (debug) 2396 addlog(" [invalid chap len]"); 2397 break; 2398 } 2399 if (sp->myauth.proto == 0) { 2400 /* we are not configured to do auth */ 2401 if (debug) 2402 addlog(" [not configured]"); 2403 break; 2404 } 2405 /* 2406 * Remote want us to authenticate, remember this, 2407 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2408 * up. 2409 */ 2410 sp->pp_flags |= PP_NEEDAUTH; 2411 continue; 2412 default: 2413 /* Others not supported. */ 2414 if (debug) 2415 addlog(" [rej]"); 2416 break; 2417 } 2418 if (rlen + l > blen) { 2419 if (debug) 2420 addlog(" [overflow]"); 2421 continue; 2422 } 2423 /* Add the option to rejected list. */ 2424 memcpy(r, p, l); 2425 r += l; 2426 rlen += l; 2427 } 2428 if (rlen) { 2429 if (debug) 2430 addlog(" send conf-rej\n"); 2431 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2432 goto end; 2433 } else if (debug) 2434 addlog("\n"); 2435 2436 /* 2437 * pass 2: check for option values that are unacceptable and 2438 * thus require to be nak'ed. 2439 */ 2440 if (debug) 2441 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2442 ifp->if_xname); 2443 2444 p = (void *)(h + 1); 2445 len = origlen; 2446 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2447 if (debug) 2448 addlog(" %s", sppp_lcp_opt_name(*p)); 2449 switch (*p) { 2450 case LCP_OPT_MAGIC: 2451 /* Magic number -- extract. */ 2452 nmagic = (uint32_t)p[2] << 24 | 2453 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2454 if (nmagic != sp->lcp.magic) { 2455 if (debug) 2456 addlog(" 0x%x", nmagic); 2457 continue; 2458 } 2459 /* 2460 * Local and remote magics equal -- loopback? 2461 */ 2462 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2463 printf ("%s: loopback\n", 2464 ifp->if_xname); 2465 sp->pp_loopcnt = 0; 2466 if (ifp->if_flags & IFF_UP) { 2467 SPPP_UNLOCK(sp); 2468 if_down(ifp); 2469 SPPP_LOCK(sp, RW_WRITER); 2470 2471 IF_PURGE(&sp->pp_cpq); 2472 /* XXX ? */ 2473 lcp.Down(sp); 2474 lcp.Up(sp); 2475 } 2476 } else if (debug) 2477 addlog(" [glitch]"); 2478 ++sp->pp_loopcnt; 2479 /* 2480 * We negate our magic here, and NAK it. If 2481 * we see it later in an NAK packet, we 2482 * suggest a new one. 2483 */ 2484 nmagic = ~sp->lcp.magic; 2485 /* Gonna NAK it. */ 2486 p[2] = nmagic >> 24; 2487 p[3] = nmagic >> 16; 2488 p[4] = nmagic >> 8; 2489 p[5] = nmagic; 2490 break; 2491 2492 case LCP_OPT_ASYNC_MAP: 2493 /* 2494 * Async control character map -- just ignore it. 2495 * 2496 * Quote from RFC 1662, chapter 6: 2497 * To enable this functionality, synchronous PPP 2498 * implementations MUST always respond to the 2499 * Async-Control-Character-Map Configuration 2500 * Option with the LCP Configure-Ack. However, 2501 * acceptance of the Configuration Option does 2502 * not imply that the synchronous implementation 2503 * will do any ACCM mapping. Instead, all such 2504 * octet mapping will be performed by the 2505 * asynchronous-to-synchronous converter. 2506 */ 2507 continue; 2508 2509 case LCP_OPT_MRU: 2510 /* 2511 * Maximum receive unit. Always agreeable, 2512 * but ignored by now. 2513 */ 2514 sp->lcp.their_mru = p[2] * 256 + p[3]; 2515 if (debug) 2516 addlog(" %ld", sp->lcp.their_mru); 2517 continue; 2518 2519 case LCP_OPT_AUTH_PROTO: 2520 authproto = (p[2] << 8) + p[3]; 2521 if (sp->myauth.proto != authproto) { 2522 /* not agreed, nak */ 2523 if (debug) 2524 addlog(" [mine %s != his %s]", 2525 sppp_proto_name(sp->myauth.proto), 2526 sppp_proto_name(authproto)); 2527 p[2] = sp->myauth.proto >> 8; 2528 p[3] = sp->myauth.proto; 2529 break; 2530 } 2531 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2532 if (debug) 2533 addlog(" [chap not MD5]"); 2534 p[4] = CHAP_MD5; 2535 break; 2536 } 2537 continue; 2538 } 2539 if (rlen + l > blen) { 2540 if (debug) 2541 addlog(" [overflow]"); 2542 continue; 2543 } 2544 /* Add the option to nak'ed list. */ 2545 memcpy(r, p, l); 2546 r += l; 2547 rlen += l; 2548 } 2549 if (rlen) { 2550 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2551 if (debug) 2552 addlog(" max_failure (%d) exceeded, " 2553 "send conf-rej\n", 2554 sp->lcp.max_failure); 2555 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2556 } else { 2557 if (debug) 2558 addlog(" send conf-nak\n"); 2559 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2560 } 2561 goto end; 2562 } else { 2563 if (debug) 2564 addlog(" send conf-ack\n"); 2565 sp->fail_counter[IDX_LCP] = 0; 2566 sp->pp_loopcnt = 0; 2567 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1); 2568 } 2569 2570 end: 2571 free(buf, M_TEMP); 2572 return (rlen == 0); 2573 2574 drop: 2575 free(buf, M_TEMP); 2576 return -1; 2577 } 2578 2579 /* 2580 * Analyze the LCP Configure-Reject option list, and adjust our 2581 * negotiation. 2582 */ 2583 static void 2584 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2585 { 2586 STDDCL; 2587 u_char *buf, *p, l; 2588 2589 KASSERT(SPPP_WLOCKED(sp)); 2590 2591 len -= 4; 2592 buf = malloc (len, M_TEMP, M_NOWAIT); 2593 if (!buf) 2594 return; 2595 2596 if (debug) 2597 log(LOG_DEBUG, "%s: lcp rej opts:", 2598 ifp->if_xname); 2599 2600 p = (void *)(h + 1); 2601 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2602 /* Sanity check option length */ 2603 if (l > len) { 2604 /* 2605 * Malicious option - drop immediately. 2606 * XXX Maybe we should just RXJ it? 2607 */ 2608 addlog("%s: received malicious LCP option, " 2609 "dropping.\n", ifp->if_xname); 2610 goto drop; 2611 } 2612 if (debug) 2613 addlog(" %s", sppp_lcp_opt_name(*p)); 2614 switch (*p) { 2615 case LCP_OPT_MAGIC: 2616 /* Magic number -- can't use it, use 0 */ 2617 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2618 sp->lcp.magic = 0; 2619 break; 2620 case LCP_OPT_MRU: 2621 /* 2622 * We try to negotiate a lower MRU if the underlying 2623 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 2624 * peer rejects this lower rate, fallback to the 2625 * default. 2626 */ 2627 if (debug) { 2628 addlog("%s: warning: peer rejected our MRU of " 2629 "%ld bytes. Defaulting to %d bytes\n", 2630 ifp->if_xname, sp->lcp.mru, PP_MTU); 2631 } 2632 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2633 sp->lcp.mru = PP_MTU; 2634 break; 2635 case LCP_OPT_AUTH_PROTO: 2636 /* 2637 * Peer doesn't want to authenticate himself, 2638 * deny unless this is a dialout call, and 2639 * SPPP_AUTHFLAG_NOCALLOUT is set. 2640 */ 2641 if ((sp->pp_flags & PP_CALLIN) == 0 && 2642 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 2643 if (debug) 2644 addlog(" [don't insist on auth " 2645 "for callout]"); 2646 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2647 break; 2648 } 2649 if (debug) 2650 addlog("[access denied]\n"); 2651 lcp.Close(sp); 2652 break; 2653 } 2654 } 2655 if (debug) 2656 addlog("\n"); 2657 drop: 2658 free(buf, M_TEMP); 2659 return; 2660 } 2661 2662 /* 2663 * Analyze the LCP Configure-NAK option list, and adjust our 2664 * negotiation. 2665 */ 2666 static void 2667 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2668 { 2669 STDDCL; 2670 u_char *buf, *p, l, blen; 2671 uint32_t magic; 2672 2673 KASSERT(SPPP_WLOCKED(sp)); 2674 2675 len -= 4; 2676 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 2677 if (!buf) 2678 return; 2679 2680 if (debug) 2681 log(LOG_DEBUG, "%s: lcp nak opts:", 2682 ifp->if_xname); 2683 2684 p = (void *)(h + 1); 2685 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2686 /* Sanity check option length */ 2687 if (l > len) { 2688 /* 2689 * Malicious option - drop immediately. 2690 * XXX Maybe we should just RXJ it? 2691 */ 2692 addlog("%s: received malicious LCP option, " 2693 "dropping.\n", ifp->if_xname); 2694 goto drop; 2695 } 2696 if (debug) 2697 addlog(" %s", sppp_lcp_opt_name(*p)); 2698 switch (*p) { 2699 case LCP_OPT_MAGIC: 2700 /* Magic number -- renegotiate */ 2701 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2702 len >= 6 && l == 6) { 2703 magic = (uint32_t)p[2] << 24 | 2704 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2705 /* 2706 * If the remote magic is our negated one, 2707 * this looks like a loopback problem. 2708 * Suggest a new magic to make sure. 2709 */ 2710 if (magic == ~sp->lcp.magic) { 2711 if (debug) 2712 addlog(" magic glitch"); 2713 sp->lcp.magic = cprng_fast32(); 2714 } else { 2715 sp->lcp.magic = magic; 2716 if (debug) 2717 addlog(" %d", magic); 2718 } 2719 } 2720 break; 2721 case LCP_OPT_MRU: 2722 /* 2723 * Peer wants to advise us to negotiate an MRU. 2724 * Agree on it if it's reasonable, or use 2725 * default otherwise. 2726 */ 2727 if (len >= 4 && l == 4) { 2728 u_int mru = p[2] * 256 + p[3]; 2729 if (debug) 2730 addlog(" %d", mru); 2731 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 2732 mru = sp->pp_if.if_mtu; 2733 sp->lcp.mru = mru; 2734 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2735 } 2736 break; 2737 case LCP_OPT_AUTH_PROTO: 2738 /* 2739 * Peer doesn't like our authentication method, 2740 * deny. 2741 */ 2742 if (debug) 2743 addlog("[access denied]\n"); 2744 lcp.Close(sp); 2745 break; 2746 } 2747 } 2748 if (debug) 2749 addlog("\n"); 2750 drop: 2751 free(buf, M_TEMP); 2752 return; 2753 } 2754 2755 static void 2756 sppp_lcp_tlu(struct sppp *sp) 2757 { 2758 struct ifnet *ifp = &sp->pp_if; 2759 int i; 2760 uint32_t mask; 2761 2762 KASSERT(SPPP_WLOCKED(sp)); 2763 2764 /* XXX ? */ 2765 if (! (ifp->if_flags & IFF_UP) && 2766 (ifp->if_flags & IFF_RUNNING)) { 2767 /* Coming out of loopback mode. */ 2768 SPPP_UNLOCK(sp); 2769 if_up(ifp); 2770 SPPP_LOCK(sp, RW_WRITER); 2771 } 2772 2773 for (i = 0; i < IDX_COUNT; i++) 2774 if ((cps[i])->flags & CP_QUAL) 2775 (cps[i])->Open(sp); 2776 2777 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2778 (sp->pp_flags & PP_NEEDAUTH) != 0) 2779 sppp_change_phase(sp, SPPP_PHASE_AUTHENTICATE); 2780 else 2781 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 2782 2783 /* 2784 * Open all authentication protocols. This is even required 2785 * if we already proceeded to network phase, since it might be 2786 * that remote wants us to authenticate, so we might have to 2787 * send a PAP request. Undesired authentication protocols 2788 * don't do anything when they get an Open event. 2789 */ 2790 for (i = 0; i < IDX_COUNT; i++) 2791 if ((cps[i])->flags & CP_AUTH) 2792 (cps[i])->Open(sp); 2793 2794 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 2795 /* Notify all NCPs. */ 2796 for (i = 0; i < IDX_COUNT; i++) 2797 if ((cps[i])->flags & CP_NCP) 2798 (cps[i])->Open(sp); 2799 } 2800 2801 /* Send Up events to all started protos. */ 2802 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) { 2803 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2804 (cps[i])->Up(sp); 2805 } 2806 } 2807 2808 /* notify low-level driver of state change */ 2809 sppp_notify_chg_wlocked(sp); 2810 2811 if (sp->pp_phase == SPPP_PHASE_NETWORK) 2812 /* if no NCP is starting, close down */ 2813 sppp_lcp_check_and_close(sp); 2814 } 2815 2816 static void 2817 sppp_lcp_tld(struct sppp *sp) 2818 { 2819 int i; 2820 uint32_t mask; 2821 2822 KASSERT(SPPP_WLOCKED(sp)); 2823 2824 sppp_change_phase(sp, SPPP_PHASE_TERMINATE); 2825 2826 /* 2827 * Take upper layers down. We send the Down event first and 2828 * the Close second to prevent the upper layers from sending 2829 * ``a flurry of terminate-request packets'', as the RFC 2830 * describes it. 2831 */ 2832 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) { 2833 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2834 (cps[i])->Down(sp); 2835 (cps[i])->Close(sp); 2836 } 2837 } 2838 } 2839 2840 static void 2841 sppp_lcp_tls(struct sppp *sp) 2842 { 2843 2844 KASSERT(SPPP_WLOCKED(sp)); 2845 2846 2847 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 2848 printf("%s: authentication failed %d times, not retrying again\n", 2849 sp->pp_if.if_xname, sp->pp_auth_failures); 2850 2851 SPPP_UNLOCK(sp); 2852 if_down(&sp->pp_if); 2853 SPPP_LOCK(sp, RW_WRITER); 2854 return; 2855 } 2856 2857 sppp_change_phase(sp, SPPP_PHASE_ESTABLISH); 2858 2859 /* Notify lower layer if desired. */ 2860 sppp_notify_tls_wlocked(sp); 2861 } 2862 2863 static void 2864 sppp_lcp_tlf(struct sppp *sp) 2865 { 2866 2867 KASSERT(SPPP_WLOCKED(sp)); 2868 2869 sppp_change_phase(sp, SPPP_PHASE_DEAD); 2870 2871 /* Notify lower layer if desired. */ 2872 sppp_notify_tlf_wlocked(sp); 2873 } 2874 2875 static void 2876 sppp_lcp_scr(struct sppp *sp) 2877 { 2878 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2879 int i = 0; 2880 u_short authproto; 2881 2882 KASSERT(SPPP_WLOCKED(sp)); 2883 2884 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2885 if (! sp->lcp.magic) 2886 sp->lcp.magic = cprng_fast32(); 2887 opt[i++] = LCP_OPT_MAGIC; 2888 opt[i++] = 6; 2889 opt[i++] = sp->lcp.magic >> 24; 2890 opt[i++] = sp->lcp.magic >> 16; 2891 opt[i++] = sp->lcp.magic >> 8; 2892 opt[i++] = sp->lcp.magic; 2893 } 2894 2895 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2896 opt[i++] = LCP_OPT_MRU; 2897 opt[i++] = 4; 2898 opt[i++] = sp->lcp.mru >> 8; 2899 opt[i++] = sp->lcp.mru; 2900 } 2901 2902 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2903 authproto = sp->hisauth.proto; 2904 opt[i++] = LCP_OPT_AUTH_PROTO; 2905 opt[i++] = authproto == PPP_CHAP? 5: 4; 2906 opt[i++] = authproto >> 8; 2907 opt[i++] = authproto; 2908 if (authproto == PPP_CHAP) 2909 opt[i++] = CHAP_MD5; 2910 } 2911 2912 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2913 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2914 } 2915 2916 /* 2917 * Check the open NCPs, return true if at least one NCP is open. 2918 */ 2919 static int 2920 sppp_ncp_check(struct sppp *sp) 2921 { 2922 int i, mask; 2923 2924 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2925 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2926 return 1; 2927 return 0; 2928 } 2929 2930 /* 2931 * Re-check the open NCPs and see if we should terminate the link. 2932 * Called by the NCPs during their tlf action handling. 2933 */ 2934 static void 2935 sppp_lcp_check_and_close(struct sppp *sp) 2936 { 2937 2938 KASSERT(SPPP_WLOCKED(sp)); 2939 2940 if (sp->pp_phase < SPPP_PHASE_NETWORK) 2941 /* don't bother, we are already going down */ 2942 return; 2943 2944 if (sppp_ncp_check(sp)) 2945 return; 2946 lcp.Close(sp); 2947 } 2948 2949 2950 /* 2951 *--------------------------------------------------------------------------* 2952 * * 2953 * The IPCP implementation. * 2954 * * 2955 *--------------------------------------------------------------------------* 2956 */ 2957 2958 static void 2959 sppp_ipcp_init(struct sppp *sp) 2960 { 2961 int error; 2962 2963 KASSERT(SPPP_WLOCKED(sp)); 2964 2965 sp->ipcp.opts = 0; 2966 sp->ipcp.flags = 0; 2967 sp->state[IDX_IPCP] = STATE_INITIAL; 2968 sp->fail_counter[IDX_IPCP] = 0; 2969 sp->pp_seq[IDX_IPCP] = 0; 2970 sp->pp_rseq[IDX_IPCP] = 0; 2971 callout_init(&sp->ch[IDX_IPCP], CALLOUT_MPSAFE); 2972 2973 error = workqueue_create(&sp->ipcp.update_addrs_wq, "ipcp_addr", 2974 sppp_update_ip_addrs_work, sp, PRI_SOFTNET, IPL_NET, 0); 2975 if (error) 2976 panic("%s: update_addrs workqueue_create failed (%d)\n", 2977 __func__, error); 2978 sp->ipcp.update_addrs_q = pcq_create(IPCP_UPDATE_LIMIT, KM_SLEEP); 2979 2980 sp->ipcp.update_addrs_enqueued = 0; 2981 } 2982 2983 static void 2984 sppp_ipcp_up(struct sppp *sp) 2985 { 2986 KASSERT(SPPP_WLOCKED(sp)); 2987 sppp_up_event(&ipcp, sp); 2988 } 2989 2990 static void 2991 sppp_ipcp_down(struct sppp *sp) 2992 { 2993 KASSERT(SPPP_WLOCKED(sp)); 2994 sppp_down_event(&ipcp, sp); 2995 } 2996 2997 static void 2998 sppp_ipcp_open(struct sppp *sp) 2999 { 3000 STDDCL; 3001 uint32_t myaddr, hisaddr; 3002 3003 KASSERT(SPPP_WLOCKED(sp)); 3004 3005 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 3006 sp->ipcp.req_myaddr = 0; 3007 sp->ipcp.req_hisaddr = 0; 3008 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 3009 3010 #ifdef INET 3011 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3012 #else 3013 myaddr = hisaddr = 0; 3014 #endif 3015 /* 3016 * If we don't have his address, this probably means our 3017 * interface doesn't want to talk IP at all. (This could 3018 * be the case if somebody wants to speak only IPX, for 3019 * example.) Don't open IPCP in this case. 3020 */ 3021 if (hisaddr == 0) { 3022 /* XXX this message should go away */ 3023 if (debug) 3024 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 3025 ifp->if_xname); 3026 return; 3027 } 3028 3029 if (myaddr == 0) { 3030 /* 3031 * I don't have an assigned address, so i need to 3032 * negotiate my address. 3033 */ 3034 sp->ipcp.flags |= IPCP_MYADDR_DYN; 3035 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3036 } 3037 if (hisaddr == 1) { 3038 /* 3039 * XXX - remove this hack! 3040 * remote has no valid address, we need to get one assigned. 3041 */ 3042 sp->ipcp.flags |= IPCP_HISADDR_DYN; 3043 } 3044 sppp_open_event(&ipcp, sp); 3045 } 3046 3047 static void 3048 sppp_ipcp_close(struct sppp *sp) 3049 { 3050 3051 KASSERT(SPPP_WLOCKED(sp)); 3052 3053 sppp_close_event(&ipcp, sp); 3054 3055 #ifdef INET 3056 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) 3057 /* 3058 * Some address was dynamic, clear it again. 3059 */ 3060 sppp_clear_ip_addrs(sp); 3061 #endif 3062 } 3063 3064 static void 3065 sppp_ipcp_TO(void *cookie) 3066 { 3067 struct sppp *sp = cookie; 3068 3069 SPPP_LOCK(sp, RW_WRITER); 3070 sppp_to_event(&ipcp, sp); 3071 SPPP_UNLOCK(sp); 3072 } 3073 3074 /* 3075 * Analyze a configure request. Return true if it was agreeable, and 3076 * caused action sca, false if it has been rejected or nak'ed, and 3077 * caused action scn. (The return value is used to make the state 3078 * transition decision in the state automaton.) 3079 */ 3080 static int 3081 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3082 { 3083 u_char *buf, *r, *p, l, blen; 3084 struct ifnet *ifp = &sp->pp_if; 3085 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3086 uint32_t hisaddr, desiredaddr; 3087 3088 KASSERT(SPPP_WLOCKED(sp)); 3089 3090 len -= 4; 3091 origlen = len; 3092 /* 3093 * Make sure to allocate a buf that can at least hold a 3094 * conf-nak with an `address' option. We might need it below. 3095 */ 3096 blen = len < 6 ? 6 : len; 3097 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3098 if (! buf) 3099 return (0); 3100 3101 /* pass 1: see if we can recognize them */ 3102 if (debug) 3103 log(LOG_DEBUG, "%s: ipcp parse opts:", 3104 ifp->if_xname); 3105 p = (void *)(h + 1); 3106 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3107 /* Sanity check option length */ 3108 if (l > len) { 3109 /* XXX should we just RXJ? */ 3110 addlog("%s: malicious IPCP option received, dropping\n", 3111 ifp->if_xname); 3112 goto drop; 3113 } 3114 if (debug) 3115 addlog(" %s", sppp_ipcp_opt_name(*p)); 3116 switch (*p) { 3117 #ifdef notyet 3118 case IPCP_OPT_COMPRESSION: 3119 if (len >= 6 && l >= 6) { 3120 /* correctly formed compress option */ 3121 continue; 3122 } 3123 if (debug) 3124 addlog(" [invalid]"); 3125 break; 3126 #endif 3127 case IPCP_OPT_ADDRESS: 3128 if (len >= 6 && l == 6) { 3129 /* correctly formed address option */ 3130 continue; 3131 } 3132 if (debug) 3133 addlog(" [invalid]"); 3134 break; 3135 default: 3136 /* Others not supported. */ 3137 if (debug) 3138 addlog(" [rej]"); 3139 break; 3140 } 3141 /* Add the option to rejected list. */ 3142 if (rlen + l > blen) { 3143 if (debug) 3144 addlog(" [overflow]"); 3145 continue; 3146 } 3147 memcpy(r, p, l); 3148 r += l; 3149 rlen += l; 3150 } 3151 if (rlen) { 3152 if (debug) 3153 addlog(" send conf-rej\n"); 3154 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 3155 goto end; 3156 } else if (debug) 3157 addlog("\n"); 3158 3159 /* pass 2: parse option values */ 3160 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 3161 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 3162 else 3163 #ifdef INET 3164 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 3165 #else 3166 hisaddr = 0; 3167 #endif 3168 if (debug) 3169 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 3170 ifp->if_xname); 3171 p = (void *)(h + 1); 3172 len = origlen; 3173 for (rlen=0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3174 if (debug) 3175 addlog(" %s", sppp_ipcp_opt_name(*p)); 3176 switch (*p) { 3177 #ifdef notyet 3178 case IPCP_OPT_COMPRESSION: 3179 continue; 3180 #endif 3181 case IPCP_OPT_ADDRESS: 3182 desiredaddr = p[2] << 24 | p[3] << 16 | 3183 p[4] << 8 | p[5]; 3184 if (desiredaddr == hisaddr || 3185 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 3186 /* 3187 * Peer's address is same as our value, 3188 * this is agreeable. Gonna conf-ack 3189 * it. 3190 */ 3191 if (debug) 3192 addlog(" %s [ack]", 3193 sppp_dotted_quad(hisaddr)); 3194 /* record that we've seen it already */ 3195 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 3196 sp->ipcp.req_hisaddr = desiredaddr; 3197 hisaddr = desiredaddr; 3198 continue; 3199 } 3200 /* 3201 * The address wasn't agreeable. This is either 3202 * he sent us 0.0.0.0, asking to assign him an 3203 * address, or he send us another address not 3204 * matching our value. Either case, we gonna 3205 * conf-nak it with our value. 3206 */ 3207 if (debug) { 3208 if (desiredaddr == 0) 3209 addlog(" [addr requested]"); 3210 else 3211 addlog(" %s [not agreed]", 3212 sppp_dotted_quad(desiredaddr)); 3213 } 3214 3215 p[2] = hisaddr >> 24; 3216 p[3] = hisaddr >> 16; 3217 p[4] = hisaddr >> 8; 3218 p[5] = hisaddr; 3219 break; 3220 } 3221 if (rlen + l > blen) { 3222 if (debug) 3223 addlog(" [overflow]"); 3224 continue; 3225 } 3226 /* Add the option to nak'ed list. */ 3227 memcpy(r, p, l); 3228 r += l; 3229 rlen += l; 3230 } 3231 3232 /* 3233 * If we are about to conf-ack the request, but haven't seen 3234 * his address so far, gonna conf-nak it instead, with the 3235 * `address' option present and our idea of his address being 3236 * filled in there, to request negotiation of both addresses. 3237 * 3238 * XXX This can result in an endless req - nak loop if peer 3239 * doesn't want to send us his address. Q: What should we do 3240 * about it? XXX A: implement the max-failure counter. 3241 */ 3242 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) { 3243 buf[0] = IPCP_OPT_ADDRESS; 3244 buf[1] = 6; 3245 buf[2] = hisaddr >> 24; 3246 buf[3] = hisaddr >> 16; 3247 buf[4] = hisaddr >> 8; 3248 buf[5] = hisaddr; 3249 rlen = 6; 3250 if (debug) 3251 addlog(" still need hisaddr"); 3252 } 3253 3254 if (rlen) { 3255 if (debug) 3256 addlog(" send conf-nak\n"); 3257 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3258 } else { 3259 if (debug) 3260 addlog(" send conf-ack\n"); 3261 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1); 3262 } 3263 3264 end: 3265 free(buf, M_TEMP); 3266 return (rlen == 0); 3267 3268 drop: 3269 free(buf, M_TEMP); 3270 return -1; 3271 } 3272 3273 /* 3274 * Analyze the IPCP Configure-Reject option list, and adjust our 3275 * negotiation. 3276 */ 3277 static void 3278 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3279 { 3280 u_char *buf, *p, l, blen; 3281 struct ifnet *ifp = &sp->pp_if; 3282 int debug = ifp->if_flags & IFF_DEBUG; 3283 3284 KASSERT(SPPP_WLOCKED(sp)); 3285 3286 len -= 4; 3287 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3288 if (!buf) 3289 return; 3290 3291 if (debug) 3292 log(LOG_DEBUG, "%s: ipcp rej opts:", 3293 ifp->if_xname); 3294 3295 p = (void *)(h + 1); 3296 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3297 /* Sanity check option length */ 3298 if (l > len) { 3299 /* XXX should we just RXJ? */ 3300 addlog("%s: malicious IPCP option received, dropping\n", 3301 ifp->if_xname); 3302 goto drop; 3303 } 3304 if (debug) 3305 addlog(" %s", sppp_ipcp_opt_name(*p)); 3306 switch (*p) { 3307 case IPCP_OPT_ADDRESS: 3308 /* 3309 * Peer doesn't grok address option. This is 3310 * bad. XXX Should we better give up here? 3311 */ 3312 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3313 break; 3314 #ifdef notyet 3315 case IPCP_OPT_COMPRESS: 3316 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS); 3317 break; 3318 #endif 3319 } 3320 } 3321 if (debug) 3322 addlog("\n"); 3323 drop: 3324 free(buf, M_TEMP); 3325 return; 3326 } 3327 3328 /* 3329 * Analyze the IPCP Configure-NAK option list, and adjust our 3330 * negotiation. 3331 */ 3332 static void 3333 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3334 { 3335 u_char *p, l; 3336 struct ifnet *ifp = &sp->pp_if; 3337 int debug = ifp->if_flags & IFF_DEBUG; 3338 uint32_t wantaddr; 3339 3340 KASSERT(SPPP_WLOCKED(sp)); 3341 3342 len -= 4; 3343 3344 if (debug) 3345 log(LOG_DEBUG, "%s: ipcp nak opts:", 3346 ifp->if_xname); 3347 3348 p = (void *)(h + 1); 3349 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3350 /* Sanity check option length */ 3351 if (l > len) { 3352 /* XXX should we just RXJ? */ 3353 addlog("%s: malicious IPCP option received, dropping\n", 3354 ifp->if_xname); 3355 return; 3356 } 3357 if (debug) 3358 addlog(" %s", sppp_ipcp_opt_name(*p)); 3359 switch (*p) { 3360 case IPCP_OPT_ADDRESS: 3361 /* 3362 * Peer doesn't like our local IP address. See 3363 * if we can do something for him. We'll drop 3364 * him our address then. 3365 */ 3366 if (len >= 6 && l == 6) { 3367 wantaddr = p[2] << 24 | p[3] << 16 | 3368 p[4] << 8 | p[5]; 3369 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3370 if (debug) 3371 addlog(" [wantaddr %s]", 3372 sppp_dotted_quad(wantaddr)); 3373 /* 3374 * When doing dynamic address assignment, 3375 * we accept his offer. Otherwise, we 3376 * ignore it and thus continue to negotiate 3377 * our already existing value. 3378 */ 3379 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3380 if (debug) 3381 addlog(" [agree]"); 3382 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3383 sp->ipcp.req_myaddr = wantaddr; 3384 } 3385 } 3386 break; 3387 3388 case IPCP_OPT_PRIMDNS: 3389 if (len >= 6 && l == 6) { 3390 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 3391 p[4] << 8 | p[5]; 3392 } 3393 break; 3394 3395 case IPCP_OPT_SECDNS: 3396 if (len >= 6 && l == 6) { 3397 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 3398 p[4] << 8 | p[5]; 3399 } 3400 break; 3401 #ifdef notyet 3402 case IPCP_OPT_COMPRESS: 3403 /* 3404 * Peer wants different compression parameters. 3405 */ 3406 break; 3407 #endif 3408 } 3409 } 3410 if (debug) 3411 addlog("\n"); 3412 } 3413 3414 static void 3415 sppp_ipcp_tlu(struct sppp *sp) 3416 { 3417 #ifdef INET 3418 KASSERT(SPPP_WLOCKED(sp)); 3419 /* we are up. Set addresses and notify anyone interested */ 3420 sppp_set_ip_addrs(sp); 3421 #endif 3422 } 3423 3424 static void 3425 sppp_ipcp_tld(struct sppp *sp) 3426 { 3427 3428 KASSERT(SPPP_WLOCKED(sp)); 3429 } 3430 3431 static void 3432 sppp_ipcp_tls(struct sppp *sp) 3433 { 3434 3435 KASSERT(SPPP_WLOCKED(sp)); 3436 /* indicate to LCP that it must stay alive */ 3437 sp->lcp.protos |= (1 << IDX_IPCP); 3438 } 3439 3440 static void 3441 sppp_ipcp_tlf(struct sppp *sp) 3442 { 3443 3444 KASSERT(SPPP_WLOCKED(sp)); 3445 3446 /* we no longer need LCP */ 3447 sp->lcp.protos &= ~(1 << IDX_IPCP); 3448 } 3449 3450 static void 3451 sppp_ipcp_scr(struct sppp *sp) 3452 { 3453 uint8_t opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 3454 #ifdef INET 3455 uint32_t ouraddr; 3456 #endif 3457 int i = 0; 3458 3459 KASSERT(SPPP_WLOCKED(sp)); 3460 3461 #ifdef notyet 3462 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3463 opt[i++] = IPCP_OPT_COMPRESSION; 3464 opt[i++] = 6; 3465 opt[i++] = 0; /* VJ header compression */ 3466 opt[i++] = 0x2d; /* VJ header compression */ 3467 opt[i++] = max_slot_id; 3468 opt[i++] = comp_slot_id; 3469 } 3470 #endif 3471 3472 #ifdef INET 3473 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3474 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) 3475 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 3476 else 3477 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3478 opt[i++] = IPCP_OPT_ADDRESS; 3479 opt[i++] = 6; 3480 opt[i++] = ouraddr >> 24; 3481 opt[i++] = ouraddr >> 16; 3482 opt[i++] = ouraddr >> 8; 3483 opt[i++] = ouraddr; 3484 } 3485 #endif 3486 3487 if (sp->query_dns & 1) { 3488 opt[i++] = IPCP_OPT_PRIMDNS; 3489 opt[i++] = 6; 3490 opt[i++] = sp->dns_addrs[0] >> 24; 3491 opt[i++] = sp->dns_addrs[0] >> 16; 3492 opt[i++] = sp->dns_addrs[0] >> 8; 3493 opt[i++] = sp->dns_addrs[0]; 3494 } 3495 if (sp->query_dns & 2) { 3496 opt[i++] = IPCP_OPT_SECDNS; 3497 opt[i++] = 6; 3498 opt[i++] = sp->dns_addrs[1] >> 24; 3499 opt[i++] = sp->dns_addrs[1] >> 16; 3500 opt[i++] = sp->dns_addrs[1] >> 8; 3501 opt[i++] = sp->dns_addrs[1]; 3502 } 3503 3504 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3505 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3506 } 3507 3508 3509 /* 3510 *--------------------------------------------------------------------------* 3511 * * 3512 * The IPv6CP implementation. * 3513 * * 3514 *--------------------------------------------------------------------------* 3515 */ 3516 3517 #ifdef INET6 3518 static void 3519 sppp_ipv6cp_init(struct sppp *sp) 3520 { 3521 3522 KASSERT(SPPP_WLOCKED(sp)); 3523 3524 sp->ipv6cp.opts = 0; 3525 sp->ipv6cp.flags = 0; 3526 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3527 sp->fail_counter[IDX_IPV6CP] = 0; 3528 sp->pp_seq[IDX_IPV6CP] = 0; 3529 sp->pp_rseq[IDX_IPV6CP] = 0; 3530 callout_init(&sp->ch[IDX_IPV6CP], CALLOUT_MPSAFE); 3531 } 3532 3533 static void 3534 sppp_ipv6cp_up(struct sppp *sp) 3535 { 3536 3537 KASSERT(SPPP_WLOCKED(sp)); 3538 sppp_up_event(&ipv6cp, sp); 3539 } 3540 3541 static void 3542 sppp_ipv6cp_down(struct sppp *sp) 3543 { 3544 3545 KASSERT(SPPP_WLOCKED(sp)); 3546 sppp_down_event(&ipv6cp, sp); 3547 } 3548 3549 static void 3550 sppp_ipv6cp_open(struct sppp *sp) 3551 { 3552 STDDCL; 3553 struct in6_addr myaddr, hisaddr; 3554 3555 KASSERT(SPPP_WLOCKED(sp)); 3556 3557 #ifdef IPV6CP_MYIFID_DYN 3558 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3559 #else 3560 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3561 #endif 3562 3563 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3564 /* 3565 * If we don't have our address, this probably means our 3566 * interface doesn't want to talk IPv6 at all. (This could 3567 * be the case if somebody wants to speak only IPX, for 3568 * example.) Don't open IPv6CP in this case. 3569 */ 3570 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3571 /* XXX this message should go away */ 3572 if (debug) 3573 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 3574 ifp->if_xname); 3575 return; 3576 } 3577 3578 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3579 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3580 sppp_open_event(&ipv6cp, sp); 3581 } 3582 3583 static void 3584 sppp_ipv6cp_close(struct sppp *sp) 3585 { 3586 3587 KASSERT(SPPP_WLOCKED(sp)); 3588 sppp_close_event(&ipv6cp, sp); 3589 } 3590 3591 static void 3592 sppp_ipv6cp_TO(void *cookie) 3593 { 3594 struct sppp *sp = cookie; 3595 3596 SPPP_LOCK(sp, RW_WRITER); 3597 sppp_to_event(&ipv6cp, sp); 3598 SPPP_UNLOCK(sp); 3599 } 3600 3601 /* 3602 * Analyze a configure request. Return true if it was agreeable, and 3603 * caused action sca, false if it has been rejected or nak'ed, and 3604 * caused action scn. (The return value is used to make the state 3605 * transition decision in the state automaton.) 3606 */ 3607 static int 3608 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3609 { 3610 u_char *buf, *r, *p, l, blen; 3611 struct ifnet *ifp = &sp->pp_if; 3612 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3613 struct in6_addr myaddr, desiredaddr, suggestaddr; 3614 int ifidcount; 3615 int type; 3616 int collision, nohisaddr; 3617 char ip6buf[INET6_ADDRSTRLEN]; 3618 3619 KASSERT(SPPP_WLOCKED(sp)); 3620 3621 len -= 4; 3622 origlen = len; 3623 /* 3624 * Make sure to allocate a buf that can at least hold a 3625 * conf-nak with an `address' option. We might need it below. 3626 */ 3627 blen = len < 6 ? 6 : len; 3628 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3629 if (! buf) 3630 return (0); 3631 3632 /* pass 1: see if we can recognize them */ 3633 if (debug) 3634 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 3635 ifp->if_xname); 3636 p = (void *)(h + 1); 3637 ifidcount = 0; 3638 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3639 /* Sanity check option length */ 3640 if (l > len) { 3641 /* XXX just RXJ? */ 3642 addlog("%s: received malicious IPCPv6 option, " 3643 "dropping\n", ifp->if_xname); 3644 goto drop; 3645 } 3646 if (debug) 3647 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3648 switch (*p) { 3649 case IPV6CP_OPT_IFID: 3650 if (len >= 10 && l == 10 && ifidcount == 0) { 3651 /* correctly formed address option */ 3652 ifidcount++; 3653 continue; 3654 } 3655 if (debug) 3656 addlog(" [invalid]"); 3657 break; 3658 #ifdef notyet 3659 case IPV6CP_OPT_COMPRESSION: 3660 if (len >= 4 && l >= 4) { 3661 /* correctly formed compress option */ 3662 continue; 3663 } 3664 if (debug) 3665 addlog(" [invalid]"); 3666 break; 3667 #endif 3668 default: 3669 /* Others not supported. */ 3670 if (debug) 3671 addlog(" [rej]"); 3672 break; 3673 } 3674 if (rlen + l > blen) { 3675 if (debug) 3676 addlog(" [overflow]"); 3677 continue; 3678 } 3679 /* Add the option to rejected list. */ 3680 memcpy(r, p, l); 3681 r += l; 3682 rlen += l; 3683 } 3684 if (rlen) { 3685 if (debug) 3686 addlog(" send conf-rej\n"); 3687 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3688 goto end; 3689 } else if (debug) 3690 addlog("\n"); 3691 3692 /* pass 2: parse option values */ 3693 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3694 if (debug) 3695 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 3696 ifp->if_xname); 3697 p = (void *)(h + 1); 3698 len = origlen; 3699 type = CONF_ACK; 3700 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3701 if (debug) 3702 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3703 switch (*p) { 3704 #ifdef notyet 3705 case IPV6CP_OPT_COMPRESSION: 3706 continue; 3707 #endif 3708 case IPV6CP_OPT_IFID: 3709 memset(&desiredaddr, 0, sizeof(desiredaddr)); 3710 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 3711 collision = (memcmp(&desiredaddr.s6_addr[8], 3712 &myaddr.s6_addr[8], 8) == 0); 3713 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3714 3715 desiredaddr.s6_addr16[0] = htons(0xfe80); 3716 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 3717 3718 if (!collision && !nohisaddr) { 3719 /* no collision, hisaddr known - Conf-Ack */ 3720 type = CONF_ACK; 3721 3722 if (debug) { 3723 addlog(" %s [%s]", 3724 IN6_PRINT(ip6buf, &desiredaddr), 3725 sppp_cp_type_name(type)); 3726 } 3727 continue; 3728 } 3729 3730 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3731 if (collision && nohisaddr) { 3732 /* collision, hisaddr unknown - Conf-Rej */ 3733 type = CONF_REJ; 3734 memset(&p[2], 0, 8); 3735 } else { 3736 /* 3737 * - no collision, hisaddr unknown, or 3738 * - collision, hisaddr known 3739 * Conf-Nak, suggest hisaddr 3740 */ 3741 type = CONF_NAK; 3742 sppp_suggest_ip6_addr(sp, &suggestaddr); 3743 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 3744 } 3745 if (debug) 3746 addlog(" %s [%s]", IN6_PRINT(ip6buf, &desiredaddr), 3747 sppp_cp_type_name(type)); 3748 break; 3749 } 3750 if (rlen + l > blen) { 3751 if (debug) 3752 addlog(" [overflow]"); 3753 continue; 3754 } 3755 /* Add the option to nak'ed list. */ 3756 memcpy(r, p, l); 3757 r += l; 3758 rlen += l; 3759 } 3760 3761 if (rlen == 0 && type == CONF_ACK) { 3762 if (debug) 3763 addlog(" send %s\n", sppp_cp_type_name(type)); 3764 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1); 3765 } else { 3766 #ifdef notdef 3767 if (type == CONF_ACK) 3768 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3769 #endif 3770 3771 if (debug) { 3772 addlog(" send %s suggest %s\n", 3773 sppp_cp_type_name(type), IN6_PRINT(ip6buf, &suggestaddr)); 3774 } 3775 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3776 } 3777 3778 end: 3779 free(buf, M_TEMP); 3780 return (rlen == 0); 3781 3782 drop: 3783 free(buf, M_TEMP); 3784 return -1; 3785 } 3786 3787 /* 3788 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3789 * negotiation. 3790 */ 3791 static void 3792 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3793 { 3794 u_char *buf, *p, l, blen; 3795 struct ifnet *ifp = &sp->pp_if; 3796 int debug = ifp->if_flags & IFF_DEBUG; 3797 3798 KASSERT(SPPP_WLOCKED(sp)); 3799 3800 len -= 4; 3801 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3802 if (!buf) 3803 return; 3804 3805 if (debug) 3806 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 3807 ifp->if_xname); 3808 3809 p = (void *)(h + 1); 3810 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3811 if (l > len) { 3812 /* XXX just RXJ? */ 3813 addlog("%s: received malicious IPCPv6 option, " 3814 "dropping\n", ifp->if_xname); 3815 goto drop; 3816 } 3817 if (debug) 3818 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3819 switch (*p) { 3820 case IPV6CP_OPT_IFID: 3821 /* 3822 * Peer doesn't grok address option. This is 3823 * bad. XXX Should we better give up here? 3824 */ 3825 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3826 break; 3827 #ifdef notyet 3828 case IPV6CP_OPT_COMPRESS: 3829 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3830 break; 3831 #endif 3832 } 3833 } 3834 if (debug) 3835 addlog("\n"); 3836 drop: 3837 free(buf, M_TEMP); 3838 return; 3839 } 3840 3841 /* 3842 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3843 * negotiation. 3844 */ 3845 static void 3846 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3847 { 3848 u_char *buf, *p, l, blen; 3849 struct ifnet *ifp = &sp->pp_if; 3850 int debug = ifp->if_flags & IFF_DEBUG; 3851 struct in6_addr suggestaddr; 3852 char ip6buf[INET6_ADDRSTRLEN]; 3853 3854 KASSERT(SPPP_WLOCKED(sp)); 3855 3856 len -= 4; 3857 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3858 if (!buf) 3859 return; 3860 3861 if (debug) 3862 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 3863 ifp->if_xname); 3864 3865 p = (void *)(h + 1); 3866 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3867 if (l > len) { 3868 /* XXX just RXJ? */ 3869 addlog("%s: received malicious IPCPv6 option, " 3870 "dropping\n", ifp->if_xname); 3871 goto drop; 3872 } 3873 if (debug) 3874 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3875 switch (*p) { 3876 case IPV6CP_OPT_IFID: 3877 /* 3878 * Peer doesn't like our local ifid. See 3879 * if we can do something for him. We'll drop 3880 * him our address then. 3881 */ 3882 if (len < 10 || l != 10) 3883 break; 3884 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3885 suggestaddr.s6_addr16[0] = htons(0xfe80); 3886 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 3887 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 3888 3889 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3890 if (debug) 3891 addlog(" [suggestaddr %s]", 3892 IN6_PRINT(ip6buf, &suggestaddr)); 3893 #ifdef IPV6CP_MYIFID_DYN 3894 /* 3895 * When doing dynamic address assignment, 3896 * we accept his offer. 3897 */ 3898 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3899 struct in6_addr lastsuggest; 3900 /* 3901 * If <suggested myaddr from peer> equals to 3902 * <hisaddr we have suggested last time>, 3903 * we have a collision. generate new random 3904 * ifid. 3905 */ 3906 sppp_suggest_ip6_addr(&lastsuggest); 3907 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3908 lastsuggest)) { 3909 if (debug) 3910 addlog(" [random]"); 3911 sppp_gen_ip6_addr(sp, &suggestaddr); 3912 } 3913 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3914 if (debug) 3915 addlog(" [agree]"); 3916 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3917 } 3918 #else 3919 /* 3920 * Since we do not do dynamic address assignment, 3921 * we ignore it and thus continue to negotiate 3922 * our already existing value. This can possibly 3923 * go into infinite request-reject loop. 3924 * 3925 * This is not likely because we normally use 3926 * ifid based on MAC-address. 3927 * If you have no ethernet card on the node, too bad. 3928 * XXX should we use fail_counter? 3929 */ 3930 #endif 3931 break; 3932 #ifdef notyet 3933 case IPV6CP_OPT_COMPRESS: 3934 /* 3935 * Peer wants different compression parameters. 3936 */ 3937 break; 3938 #endif 3939 } 3940 } 3941 if (debug) 3942 addlog("\n"); 3943 drop: 3944 free(buf, M_TEMP); 3945 return; 3946 } 3947 3948 static void 3949 sppp_ipv6cp_tlu(struct sppp *sp) 3950 { 3951 3952 KASSERT(SPPP_WLOCKED(sp)); 3953 /* we are up - notify isdn daemon */ 3954 sppp_notify_con_wlocked(sp); 3955 } 3956 3957 static void 3958 sppp_ipv6cp_tld(struct sppp *sp) 3959 { 3960 3961 KASSERT(SPPP_WLOCKED(sp)); 3962 } 3963 3964 static void 3965 sppp_ipv6cp_tls(struct sppp *sp) 3966 { 3967 3968 KASSERT(SPPP_WLOCKED(sp)); 3969 /* indicate to LCP that it must stay alive */ 3970 sp->lcp.protos |= (1 << IDX_IPV6CP); 3971 } 3972 3973 static void 3974 sppp_ipv6cp_tlf(struct sppp *sp) 3975 { 3976 3977 KASSERT(SPPP_WLOCKED(sp)); 3978 /* we no longer need LCP */ 3979 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 3980 } 3981 3982 static void 3983 sppp_ipv6cp_scr(struct sppp *sp) 3984 { 3985 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 3986 struct in6_addr ouraddr; 3987 int i = 0; 3988 3989 KASSERT(SPPP_WLOCKED(sp)); 3990 3991 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 3992 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 3993 opt[i++] = IPV6CP_OPT_IFID; 3994 opt[i++] = 10; 3995 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 3996 i += 8; 3997 } 3998 3999 #ifdef notyet 4000 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 4001 opt[i++] = IPV6CP_OPT_COMPRESSION; 4002 opt[i++] = 4; 4003 opt[i++] = 0; /* TBD */ 4004 opt[i++] = 0; /* TBD */ 4005 /* variable length data may follow */ 4006 } 4007 #endif 4008 4009 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 4010 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 4011 } 4012 #else /*INET6*/ 4013 static void 4014 sppp_ipv6cp_init(struct sppp *sp) 4015 { 4016 4017 KASSERT(SPPP_WLOCKED(sp)); 4018 } 4019 4020 static void 4021 sppp_ipv6cp_up(struct sppp *sp) 4022 { 4023 4024 KASSERT(SPPP_WLOCKED(sp)); 4025 } 4026 4027 static void 4028 sppp_ipv6cp_down(struct sppp *sp) 4029 { 4030 4031 KASSERT(SPPP_WLOCKED(sp)); 4032 } 4033 4034 static void 4035 sppp_ipv6cp_open(struct sppp *sp) 4036 { 4037 4038 KASSERT(SPPP_WLOCKED(sp)); 4039 } 4040 4041 static void 4042 sppp_ipv6cp_close(struct sppp *sp) 4043 { 4044 4045 KASSERT(SPPP_WLOCKED(sp)); 4046 } 4047 4048 static void 4049 sppp_ipv6cp_TO(void *cookie) 4050 { 4051 struct sppp *sp __diagused = cookie; 4052 4053 KASSERT(SPPP_WLOCKED(sp)); 4054 } 4055 4056 static int 4057 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, 4058 int len) 4059 { 4060 4061 KASSERT(SPPP_WLOCKED(sp)); 4062 return 0; 4063 } 4064 4065 static void 4066 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, 4067 int len) 4068 { 4069 4070 KASSERT(SPPP_WLOCKED(sp)); 4071 } 4072 4073 static void 4074 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, 4075 int len) 4076 { 4077 4078 KASSERT(SPPP_WLOCKED(sp)); 4079 } 4080 4081 static void 4082 sppp_ipv6cp_tlu(struct sppp *sp) 4083 { 4084 4085 KASSERT(SPPP_WLOCKED(sp)); 4086 } 4087 4088 static void 4089 sppp_ipv6cp_tld(struct sppp *sp) 4090 { 4091 4092 KASSERT(SPPP_WLOCKED(sp)); 4093 } 4094 4095 static void 4096 sppp_ipv6cp_tls(struct sppp *sp) 4097 { 4098 4099 KASSERT(SPPP_WLOCKED(sp)); 4100 } 4101 4102 static void 4103 sppp_ipv6cp_tlf(struct sppp *sp) 4104 { 4105 4106 KASSERT(SPPP_WLOCKED(sp)); 4107 } 4108 4109 static void 4110 sppp_ipv6cp_scr(struct sppp *sp) 4111 { 4112 4113 KASSERT(SPPP_WLOCKED(sp)); 4114 } 4115 #endif /*INET6*/ 4116 4117 4118 /* 4119 *--------------------------------------------------------------------------* 4120 * * 4121 * The CHAP implementation. * 4122 * * 4123 *--------------------------------------------------------------------------* 4124 */ 4125 4126 /* 4127 * The authentication protocols don't employ a full-fledged state machine as 4128 * the control protocols do, since they do have Open and Close events, but 4129 * not Up and Down, nor are they explicitly terminated. Also, use of the 4130 * authentication protocols may be different in both directions (this makes 4131 * sense, think of a machine that never accepts incoming calls but only 4132 * calls out, it doesn't require the called party to authenticate itself). 4133 * 4134 * Our state machine for the local authentication protocol (we are requesting 4135 * the peer to authenticate) looks like: 4136 * 4137 * RCA- 4138 * +--------------------------------------------+ 4139 * V scn,tld| 4140 * +--------+ Close +---------+ RCA+ 4141 * | |<----------------------------------| |------+ 4142 * +--->| Closed | TO* | Opened | sca | 4143 * | | |-----+ +-------| |<-----+ 4144 * | +--------+ irc | | +---------+ 4145 * | ^ | | ^ 4146 * | | | | | 4147 * | | | | | 4148 * | TO-| | | | 4149 * | |tld TO+ V | | 4150 * | | +------->+ | | 4151 * | | | | | | 4152 * | +--------+ V | | 4153 * | | |<----+<--------------------+ | 4154 * | | Req- | scr | 4155 * | | Sent | | 4156 * | | | | 4157 * | +--------+ | 4158 * | RCA- | | RCA+ | 4159 * +------+ +------------------------------------------+ 4160 * scn,tld sca,irc,ict,tlu 4161 * 4162 * 4163 * with: 4164 * 4165 * Open: LCP reached authentication phase 4166 * Close: LCP reached terminate phase 4167 * 4168 * RCA+: received reply (pap-req, chap-response), acceptable 4169 * RCN: received reply (pap-req, chap-response), not acceptable 4170 * TO+: timeout with restart counter >= 0 4171 * TO-: timeout with restart counter < 0 4172 * TO*: reschedule timeout for CHAP 4173 * 4174 * scr: send request packet (none for PAP, chap-challenge) 4175 * sca: send ack packet (pap-ack, chap-success) 4176 * scn: send nak packet (pap-nak, chap-failure) 4177 * ict: initialize re-challenge timer (CHAP only) 4178 * 4179 * tlu: this-layer-up, LCP reaches network phase 4180 * tld: this-layer-down, LCP enters terminate phase 4181 * 4182 * Note that in CHAP mode, after sending a new challenge, while the state 4183 * automaton falls back into Req-Sent state, it doesn't signal a tld 4184 * event to LCP, so LCP remains in network phase. Only after not getting 4185 * any response (or after getting an unacceptable response), CHAP closes, 4186 * causing LCP to enter terminate phase. 4187 * 4188 * With PAP, there is no initial request that can be sent. The peer is 4189 * expected to send one based on the successful negotiation of PAP as 4190 * the authentication protocol during the LCP option negotiation. 4191 * 4192 * Incoming authentication protocol requests (remote requests 4193 * authentication, we are peer) don't employ a state machine at all, 4194 * they are simply answered. Some peers [Ascend P50 firmware rev 4195 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are 4196 * still in authentication phase (thereby violating the standard that 4197 * demands that these NCP packets are to be discarded), so we keep 4198 * track of the peer demanding us to authenticate, and only proceed to 4199 * phase network once we've seen a positive acknowledge for the 4200 * authentication. 4201 */ 4202 4203 /* 4204 * Handle incoming CHAP packets. 4205 */ 4206 void 4207 sppp_chap_input(struct sppp *sp, struct mbuf *m) 4208 { 4209 STDDCL; 4210 struct lcp_header *h; 4211 int len, x; 4212 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize; 4213 int value_len, name_len; 4214 MD5_CTX ctx; 4215 4216 len = m->m_pkthdr.len; 4217 if (len < 4) { 4218 if (debug) 4219 log(LOG_DEBUG, 4220 "%s: chap invalid packet length: %d bytes\n", 4221 ifp->if_xname, len); 4222 return; 4223 } 4224 h = mtod(m, struct lcp_header *); 4225 if (len > ntohs(h->len)) 4226 len = ntohs(h->len); 4227 4228 SPPP_LOCK(sp, RW_WRITER); 4229 4230 switch (h->type) { 4231 /* challenge, failure and success are his authproto */ 4232 case CHAP_CHALLENGE: 4233 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4234 /* can't do anything useful */ 4235 sp->pp_auth_failures++; 4236 printf("%s: chap input without my name and my secret being set\n", 4237 ifp->if_xname); 4238 break; 4239 } 4240 value = 1 + (u_char *)(h + 1); 4241 value_len = value[-1]; 4242 name = value + value_len; 4243 name_len = len - value_len - 5; 4244 if (name_len < 0) { 4245 if (debug) { 4246 log(LOG_DEBUG, 4247 "%s: chap corrupted challenge " 4248 "<%s id=0x%x len=%d", 4249 ifp->if_xname, 4250 sppp_auth_type_name(PPP_CHAP, h->type), 4251 h->ident, ntohs(h->len)); 4252 if (len > 4) 4253 sppp_print_bytes((u_char *)(h + 1), 4254 len - 4); 4255 addlog(">\n"); 4256 } 4257 break; 4258 } 4259 4260 if (debug) { 4261 log(LOG_DEBUG, 4262 "%s: chap input <%s id=0x%x len=%d name=", 4263 ifp->if_xname, 4264 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 4265 ntohs(h->len)); 4266 sppp_print_string((char *) name, name_len); 4267 addlog(" value-size=%d value=", value_len); 4268 sppp_print_bytes(value, value_len); 4269 addlog(">\n"); 4270 } 4271 4272 /* Compute reply value. */ 4273 MD5Init(&ctx); 4274 MD5Update(&ctx, &h->ident, 1); 4275 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 4276 MD5Update(&ctx, value, value_len); 4277 MD5Final(digest, &ctx); 4278 dsize = sizeof digest; 4279 4280 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 4281 sizeof dsize, (const char *)&dsize, 4282 sizeof digest, digest, 4283 sp->myauth.name_len, 4284 sp->myauth.name, 4285 0); 4286 break; 4287 4288 case CHAP_SUCCESS: 4289 if (debug) { 4290 log(LOG_DEBUG, "%s: chap success", 4291 ifp->if_xname); 4292 if (len > 4) { 4293 addlog(": "); 4294 sppp_print_string((char *)(h + 1), len - 4); 4295 } 4296 addlog("\n"); 4297 } 4298 x = splnet(); 4299 sp->pp_auth_failures = 0; 4300 sp->pp_flags &= ~PP_NEEDAUTH; 4301 if (sp->myauth.proto == PPP_CHAP && 4302 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4303 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 4304 /* 4305 * We are authenticator for CHAP but didn't 4306 * complete yet. Leave it to tlu to proceed 4307 * to network phase. 4308 */ 4309 splx(x); 4310 break; 4311 } 4312 splx(x); 4313 sppp_phase_network(sp); 4314 break; 4315 4316 case CHAP_FAILURE: 4317 x = splnet(); 4318 sp->pp_auth_failures++; 4319 splx(x); 4320 if (debug) { 4321 log(LOG_INFO, "%s: chap failure", 4322 ifp->if_xname); 4323 if (len > 4) { 4324 addlog(": "); 4325 sppp_print_string((char *)(h + 1), len - 4); 4326 } 4327 addlog("\n"); 4328 } else 4329 log(LOG_INFO, "%s: chap failure\n", 4330 ifp->if_xname); 4331 /* await LCP shutdown by authenticator */ 4332 break; 4333 4334 /* response is my authproto */ 4335 case CHAP_RESPONSE: 4336 if (sp->hisauth.secret == NULL) { 4337 /* can't do anything useful */ 4338 printf("%s: chap input without his secret being set\n", 4339 ifp->if_xname); 4340 break; 4341 } 4342 value = 1 + (u_char *)(h + 1); 4343 value_len = value[-1]; 4344 name = value + value_len; 4345 name_len = len - value_len - 5; 4346 if (name_len < 0) { 4347 if (debug) { 4348 log(LOG_DEBUG, 4349 "%s: chap corrupted response " 4350 "<%s id=0x%x len=%d", 4351 ifp->if_xname, 4352 sppp_auth_type_name(PPP_CHAP, h->type), 4353 h->ident, ntohs(h->len)); 4354 if (len > 4) 4355 sppp_print_bytes((u_char *)(h + 1), 4356 len - 4); 4357 addlog(">\n"); 4358 } 4359 break; 4360 } 4361 if (h->ident != sp->confid[IDX_CHAP]) { 4362 if (debug) 4363 log(LOG_DEBUG, 4364 "%s: chap dropping response for old ID " 4365 "(got %d, expected %d)\n", 4366 ifp->if_xname, 4367 h->ident, sp->confid[IDX_CHAP]); 4368 break; 4369 } 4370 if (sp->hisauth.name != NULL && 4371 (name_len != sp->hisauth.name_len 4372 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 4373 log(LOG_INFO, "%s: chap response, his name ", 4374 ifp->if_xname); 4375 sppp_print_string(name, name_len); 4376 addlog(" != expected "); 4377 sppp_print_string(sp->hisauth.name, 4378 sp->hisauth.name_len); 4379 addlog("\n"); 4380 goto chap_failure; 4381 } 4382 if (debug) { 4383 log(LOG_DEBUG, "%s: chap input(%s) " 4384 "<%s id=0x%x len=%d name=", 4385 ifp->if_xname, 4386 sppp_state_name(sp->state[IDX_CHAP]), 4387 sppp_auth_type_name(PPP_CHAP, h->type), 4388 h->ident, ntohs(h->len)); 4389 sppp_print_string((char *)name, name_len); 4390 addlog(" value-size=%d value=", value_len); 4391 sppp_print_bytes(value, value_len); 4392 addlog(">\n"); 4393 } 4394 if (value_len != sizeof(sp->hisauth.challenge)) { 4395 if (debug) 4396 log(LOG_DEBUG, 4397 "%s: chap bad hash value length: " 4398 "%d bytes, should be %zu\n", 4399 ifp->if_xname, value_len, 4400 sizeof(sp->hisauth.challenge)); 4401 goto chap_failure; 4402 } 4403 4404 MD5Init(&ctx); 4405 MD5Update(&ctx, &h->ident, 1); 4406 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 4407 MD5Update(&ctx, sp->hisauth.challenge, sizeof(sp->hisauth.challenge)); 4408 MD5Final(digest, &ctx); 4409 4410 #define FAILMSG "Failed..." 4411 #define SUCCMSG "Welcome!" 4412 4413 if (value_len != sizeof digest || 4414 memcmp(digest, value, value_len) != 0) { 4415 chap_failure: 4416 KASSERT(SPPP_WLOCKED(sp)); 4417 /* action scn, tld */ 4418 sp->pp_auth_failures++; 4419 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4420 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4421 0); 4422 chap.tld(sp); 4423 break; 4424 } 4425 sp->pp_auth_failures = 0; 4426 /* action sca, perhaps tlu */ 4427 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4428 sp->state[IDX_CHAP] == STATE_OPENED) 4429 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4430 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4431 0); 4432 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4433 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4434 chap.tlu(sp); 4435 } 4436 break; 4437 4438 default: 4439 /* Unknown CHAP packet type -- ignore. */ 4440 if (debug) { 4441 log(LOG_DEBUG, "%s: chap unknown input(%s) " 4442 "<0x%x id=0x%xh len=%d", 4443 ifp->if_xname, 4444 sppp_state_name(sp->state[IDX_CHAP]), 4445 h->type, h->ident, ntohs(h->len)); 4446 if (len > 4) 4447 sppp_print_bytes((u_char *)(h + 1), len - 4); 4448 addlog(">\n"); 4449 } 4450 break; 4451 4452 } 4453 4454 SPPP_UNLOCK(sp); 4455 } 4456 4457 static void 4458 sppp_chap_init(struct sppp *sp) 4459 { 4460 4461 KASSERT(SPPP_WLOCKED(sp)); 4462 4463 /* Chap doesn't have STATE_INITIAL at all. */ 4464 sp->state[IDX_CHAP] = STATE_CLOSED; 4465 sp->fail_counter[IDX_CHAP] = 0; 4466 sp->pp_seq[IDX_CHAP] = 0; 4467 sp->pp_rseq[IDX_CHAP] = 0; 4468 callout_init(&sp->ch[IDX_CHAP], CALLOUT_MPSAFE); 4469 } 4470 4471 static void 4472 sppp_chap_open(struct sppp *sp) 4473 { 4474 4475 KASSERT(SPPP_WLOCKED(sp)); 4476 if (sp->hisauth.proto == PPP_CHAP && 4477 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4478 /* we are authenticator for CHAP, start it */ 4479 chap.scr(sp); 4480 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4481 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4482 } 4483 /* nothing to be done if we are peer, await a challenge */ 4484 } 4485 4486 static void 4487 sppp_chap_close(struct sppp *sp) 4488 { 4489 4490 KASSERT(SPPP_WLOCKED(sp)); 4491 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4492 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4493 } 4494 4495 static void 4496 sppp_chap_TO(void *cookie) 4497 { 4498 struct sppp *sp = (struct sppp *)cookie; 4499 STDDCL; 4500 int s; 4501 4502 s = splnet(); 4503 4504 SPPP_LOCK(sp, RW_WRITER); 4505 4506 if (debug) 4507 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n", 4508 ifp->if_xname, 4509 sppp_state_name(sp->state[IDX_CHAP]), 4510 sp->rst_counter[IDX_CHAP]); 4511 4512 if (--sp->rst_counter[IDX_CHAP] < 0) 4513 /* TO- event */ 4514 switch (sp->state[IDX_CHAP]) { 4515 case STATE_REQ_SENT: 4516 chap.tld(sp); 4517 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4518 break; 4519 } 4520 else 4521 /* TO+ (or TO*) event */ 4522 switch (sp->state[IDX_CHAP]) { 4523 case STATE_OPENED: 4524 /* TO* event */ 4525 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4526 /* fall through */ 4527 case STATE_REQ_SENT: 4528 chap.scr(sp); 4529 /* sppp_cp_change_state() will restart the timer */ 4530 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4531 break; 4532 } 4533 4534 SPPP_UNLOCK(sp); 4535 splx(s); 4536 } 4537 4538 static void 4539 sppp_chap_tlu(struct sppp *sp) 4540 { 4541 STDDCL; 4542 int i, x; 4543 4544 KASSERT(SPPP_WLOCKED(sp)); 4545 4546 i = 0; 4547 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4548 4549 /* 4550 * Some broken CHAP implementations (Conware CoNet, firmware 4551 * 4.0.?) don't want to re-authenticate their CHAP once the 4552 * initial challenge-response exchange has taken place. 4553 * Provide for an option to avoid rechallenges. 4554 */ 4555 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 4556 /* 4557 * Compute the re-challenge timeout. This will yield 4558 * a number between 300 and 810 seconds. 4559 */ 4560 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7); 4561 4562 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp); 4563 } 4564 4565 if (debug) { 4566 log(LOG_DEBUG, 4567 "%s: chap %s, ", 4568 ifp->if_xname, 4569 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu"); 4570 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) 4571 addlog("next re-challenge in %d seconds\n", i); 4572 else 4573 addlog("re-challenging supressed\n"); 4574 } 4575 4576 x = splnet(); 4577 sp->pp_auth_failures = 0; 4578 /* indicate to LCP that we need to be closed down */ 4579 sp->lcp.protos |= (1 << IDX_CHAP); 4580 4581 if (sp->pp_flags & PP_NEEDAUTH) { 4582 /* 4583 * Remote is authenticator, but his auth proto didn't 4584 * complete yet. Defer the transition to network 4585 * phase. 4586 */ 4587 splx(x); 4588 return; 4589 } 4590 splx(x); 4591 4592 /* 4593 * If we are already in phase network, we are done here. This 4594 * is the case if this is a dummy tlu event after a re-challenge. 4595 */ 4596 if (sp->pp_phase != SPPP_PHASE_NETWORK) 4597 sppp_phase_network(sp); 4598 } 4599 4600 static void 4601 sppp_chap_tld(struct sppp *sp) 4602 { 4603 STDDCL; 4604 4605 KASSERT(SPPP_WLOCKED(sp)); 4606 4607 if (debug) 4608 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname); 4609 callout_stop(&sp->ch[IDX_CHAP]); 4610 sp->lcp.protos &= ~(1 << IDX_CHAP); 4611 4612 lcp.Close(sp); 4613 } 4614 4615 static void 4616 sppp_chap_scr(struct sppp *sp) 4617 { 4618 uint32_t *ch; 4619 u_char clen = 4 * sizeof(uint32_t); 4620 4621 KASSERT(SPPP_WLOCKED(sp)); 4622 4623 if (sp->hisauth.name == NULL) { 4624 /* can't do anything useful */ 4625 printf("%s: chap starting without his name being set\n", 4626 sp->pp_if.if_xname); 4627 return; 4628 } 4629 4630 /* Compute random challenge. */ 4631 ch = (uint32_t *)sp->hisauth.challenge; 4632 cprng_strong(kern_cprng, ch, clen, 0); 4633 4634 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4635 4636 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4637 sizeof clen, (const char *)&clen, 4638 sizeof(sp->hisauth.challenge), sp->hisauth.challenge, 4639 0); 4640 } 4641 4642 /* 4643 *--------------------------------------------------------------------------* 4644 * * 4645 * The PAP implementation. * 4646 * * 4647 *--------------------------------------------------------------------------* 4648 */ 4649 /* 4650 * For PAP, we need to keep a little state also if we are the peer, not the 4651 * authenticator. This is since we don't get a request to authenticate, but 4652 * have to repeatedly authenticate ourself until we got a response (or the 4653 * retry counter is expired). 4654 */ 4655 4656 /* 4657 * Handle incoming PAP packets. */ 4658 static void 4659 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4660 { 4661 STDDCL; 4662 struct lcp_header *h; 4663 int len, x; 4664 u_char mlen; 4665 char *name, *secret; 4666 int name_len, secret_len; 4667 4668 /* 4669 * Malicious input might leave this uninitialized, so 4670 * init to an impossible value. 4671 */ 4672 secret_len = -1; 4673 4674 len = m->m_pkthdr.len; 4675 if (len < 5) { 4676 if (debug) 4677 log(LOG_DEBUG, 4678 "%s: pap invalid packet length: %d bytes\n", 4679 ifp->if_xname, len); 4680 return; 4681 } 4682 h = mtod(m, struct lcp_header *); 4683 if (len > ntohs(h->len)) 4684 len = ntohs(h->len); 4685 4686 SPPP_LOCK(sp, RW_WRITER); 4687 4688 switch (h->type) { 4689 /* PAP request is my authproto */ 4690 case PAP_REQ: 4691 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4692 /* can't do anything useful */ 4693 printf("%s: " 4694 "pap request without his name and his secret being set\n", 4695 ifp->if_xname); 4696 break; 4697 } 4698 name = 1 + (u_char *)(h + 1); 4699 name_len = name[-1]; 4700 secret = name + name_len + 1; 4701 if (name_len > len - 6 || 4702 (secret_len = secret[-1]) > len - 6 - name_len) { 4703 if (debug) { 4704 log(LOG_DEBUG, "%s: pap corrupted input " 4705 "<%s id=0x%x len=%d", 4706 ifp->if_xname, 4707 sppp_auth_type_name(PPP_PAP, h->type), 4708 h->ident, ntohs(h->len)); 4709 if (len > 4) 4710 sppp_print_bytes((u_char *)(h + 1), 4711 len - 4); 4712 addlog(">\n"); 4713 } 4714 break; 4715 } 4716 if (debug) { 4717 log(LOG_DEBUG, "%s: pap input(%s) " 4718 "<%s id=0x%x len=%d name=", 4719 ifp->if_xname, 4720 sppp_state_name(sp->state[IDX_PAP]), 4721 sppp_auth_type_name(PPP_PAP, h->type), 4722 h->ident, ntohs(h->len)); 4723 sppp_print_string((char *)name, name_len); 4724 addlog(" secret="); 4725 sppp_print_string((char *)secret, secret_len); 4726 addlog(">\n"); 4727 } 4728 if (name_len != sp->hisauth.name_len || 4729 secret_len != sp->hisauth.secret_len || 4730 memcmp(name, sp->hisauth.name, name_len) != 0 || 4731 memcmp(secret, sp->hisauth.secret, secret_len) != 0) { 4732 /* action scn, tld */ 4733 sp->pp_auth_failures++; 4734 mlen = sizeof(FAILMSG) - 1; 4735 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4736 sizeof mlen, (const char *)&mlen, 4737 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4738 0); 4739 pap.tld(sp); 4740 break; 4741 } 4742 /* action sca, perhaps tlu */ 4743 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4744 sp->state[IDX_PAP] == STATE_OPENED) { 4745 mlen = sizeof(SUCCMSG) - 1; 4746 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4747 sizeof mlen, (const char *)&mlen, 4748 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4749 0); 4750 } 4751 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4752 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4753 pap.tlu(sp); 4754 } 4755 break; 4756 4757 /* ack and nak are his authproto */ 4758 case PAP_ACK: 4759 callout_stop(&sp->pap_my_to_ch); 4760 if (debug) { 4761 log(LOG_DEBUG, "%s: pap success", 4762 ifp->if_xname); 4763 name = 1 + (u_char *)(h + 1); 4764 name_len = name[-1]; 4765 if (len > 5 && name_len < len+4) { 4766 addlog(": "); 4767 sppp_print_string(name, name_len); 4768 } 4769 addlog("\n"); 4770 } 4771 x = splnet(); 4772 sp->pp_auth_failures = 0; 4773 sp->pp_flags &= ~PP_NEEDAUTH; 4774 if (sp->myauth.proto == PPP_PAP && 4775 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4776 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4777 /* 4778 * We are authenticator for PAP but didn't 4779 * complete yet. Leave it to tlu to proceed 4780 * to network phase. 4781 */ 4782 splx(x); 4783 break; 4784 } 4785 splx(x); 4786 sppp_phase_network(sp); 4787 break; 4788 4789 case PAP_NAK: 4790 callout_stop(&sp->pap_my_to_ch); 4791 sp->pp_auth_failures++; 4792 if (debug) { 4793 log(LOG_INFO, "%s: pap failure", 4794 ifp->if_xname); 4795 name = 1 + (u_char *)(h + 1); 4796 name_len = name[-1]; 4797 if (len > 5 && name_len < len+4) { 4798 addlog(": "); 4799 sppp_print_string(name, name_len); 4800 } 4801 addlog("\n"); 4802 } else 4803 log(LOG_INFO, "%s: pap failure\n", 4804 ifp->if_xname); 4805 /* await LCP shutdown by authenticator */ 4806 break; 4807 4808 default: 4809 /* Unknown PAP packet type -- ignore. */ 4810 if (debug) { 4811 log(LOG_DEBUG, "%s: pap corrupted input " 4812 "<0x%x id=0x%x len=%d", 4813 ifp->if_xname, 4814 h->type, h->ident, ntohs(h->len)); 4815 if (len > 4) 4816 sppp_print_bytes((u_char *)(h + 1), len - 4); 4817 addlog(">\n"); 4818 } 4819 break; 4820 } 4821 4822 SPPP_UNLOCK(sp); 4823 } 4824 4825 static void 4826 sppp_pap_init(struct sppp *sp) 4827 { 4828 4829 KASSERT(SPPP_WLOCKED(sp)); 4830 4831 /* PAP doesn't have STATE_INITIAL at all. */ 4832 sp->state[IDX_PAP] = STATE_CLOSED; 4833 sp->fail_counter[IDX_PAP] = 0; 4834 sp->pp_seq[IDX_PAP] = 0; 4835 sp->pp_rseq[IDX_PAP] = 0; 4836 callout_init(&sp->ch[IDX_PAP], CALLOUT_MPSAFE); 4837 callout_init(&sp->pap_my_to_ch, CALLOUT_MPSAFE); 4838 } 4839 4840 static void 4841 sppp_pap_open(struct sppp *sp) 4842 { 4843 4844 KASSERT(SPPP_WLOCKED(sp)); 4845 4846 if (sp->hisauth.proto == PPP_PAP && 4847 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4848 /* we are authenticator for PAP, start our timer */ 4849 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4850 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4851 } 4852 if (sp->myauth.proto == PPP_PAP) { 4853 /* we are peer, send a request, and start a timer */ 4854 pap.scr(sp); 4855 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout, 4856 sppp_pap_my_TO, sp); 4857 } 4858 } 4859 4860 static void 4861 sppp_pap_close(struct sppp *sp) 4862 { 4863 4864 KASSERT(SPPP_WLOCKED(sp)); 4865 4866 if (sp->state[IDX_PAP] != STATE_CLOSED) 4867 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4868 } 4869 4870 /* 4871 * That's the timeout routine if we are authenticator. Since the 4872 * authenticator is basically passive in PAP, we can't do much here. 4873 */ 4874 static void 4875 sppp_pap_TO(void *cookie) 4876 { 4877 struct sppp *sp = (struct sppp *)cookie; 4878 STDDCL; 4879 int s; 4880 4881 s = splnet(); 4882 SPPP_LOCK(sp, RW_WRITER); 4883 4884 if (debug) 4885 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n", 4886 ifp->if_xname, 4887 sppp_state_name(sp->state[IDX_PAP]), 4888 sp->rst_counter[IDX_PAP]); 4889 4890 if (--sp->rst_counter[IDX_PAP] < 0) 4891 /* TO- event */ 4892 switch (sp->state[IDX_PAP]) { 4893 case STATE_REQ_SENT: 4894 pap.tld(sp); 4895 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4896 break; 4897 } 4898 else 4899 /* TO+ event, not very much we could do */ 4900 switch (sp->state[IDX_PAP]) { 4901 case STATE_REQ_SENT: 4902 /* sppp_cp_change_state() will restart the timer */ 4903 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4904 break; 4905 } 4906 4907 SPPP_UNLOCK(sp); 4908 splx(s); 4909 } 4910 4911 /* 4912 * That's the timeout handler if we are peer. Since the peer is active, 4913 * we need to retransmit our PAP request since it is apparently lost. 4914 * XXX We should impose a max counter. 4915 */ 4916 static void 4917 sppp_pap_my_TO(void *cookie) 4918 { 4919 struct sppp *sp = (struct sppp *)cookie; 4920 STDDCL; 4921 4922 SPPP_LOCK(sp, RW_WRITER); 4923 if (debug) 4924 log(LOG_DEBUG, "%s: pap peer TO\n", 4925 ifp->if_xname); 4926 4927 pap.scr(sp); 4928 4929 SPPP_UNLOCK(sp); 4930 } 4931 4932 static void 4933 sppp_pap_tlu(struct sppp *sp) 4934 { 4935 STDDCL; 4936 int x; 4937 4938 KASSERT(SPPP_WLOCKED(sp)); 4939 4940 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4941 4942 if (debug) 4943 log(LOG_DEBUG, "%s: %s tlu\n", 4944 ifp->if_xname, pap.name); 4945 4946 x = splnet(); 4947 sp->pp_auth_failures = 0; 4948 /* indicate to LCP that we need to be closed down */ 4949 sp->lcp.protos |= (1 << IDX_PAP); 4950 4951 if (sp->pp_flags & PP_NEEDAUTH) { 4952 /* 4953 * Remote is authenticator, but his auth proto didn't 4954 * complete yet. Defer the transition to network 4955 * phase. 4956 */ 4957 splx(x); 4958 return; 4959 } 4960 splx(x); 4961 sppp_phase_network(sp); 4962 } 4963 4964 static void 4965 sppp_pap_tld(struct sppp *sp) 4966 { 4967 STDDCL; 4968 4969 KASSERT(SPPP_WLOCKED(sp)); 4970 4971 if (debug) 4972 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname); 4973 callout_stop(&sp->ch[IDX_PAP]); 4974 callout_stop(&sp->pap_my_to_ch); 4975 sp->lcp.protos &= ~(1 << IDX_PAP); 4976 4977 lcp.Close(sp); 4978 } 4979 4980 static void 4981 sppp_pap_scr(struct sppp *sp) 4982 { 4983 u_char idlen, pwdlen; 4984 4985 KASSERT(SPPP_WLOCKED(sp)); 4986 4987 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4988 /* can't do anything useful */ 4989 printf("%s: pap starting without my name and secret being set\n", 4990 sp->pp_if.if_xname); 4991 return; 4992 } 4993 4994 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 4995 pwdlen = sp->myauth.secret_len; 4996 idlen = sp->myauth.name_len; 4997 4998 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 4999 sizeof idlen, (const char *)&idlen, 5000 idlen, sp->myauth.name, 5001 sizeof pwdlen, (const char *)&pwdlen, 5002 pwdlen, sp->myauth.secret, 5003 0); 5004 } 5005 5006 /* 5007 * Random miscellaneous functions. 5008 */ 5009 5010 /* 5011 * Send a PAP or CHAP proto packet. 5012 * 5013 * Varadic function, each of the elements for the ellipsis is of type 5014 * ``size_t mlen, const u_char *msg''. Processing will stop iff 5015 * mlen == 0. 5016 * NOTE: never declare variadic functions with types subject to type 5017 * promotion (i.e. u_char). This is asking for big trouble depending 5018 * on the architecture you are on... 5019 */ 5020 5021 static void 5022 sppp_auth_send(const struct cp *cp, struct sppp *sp, 5023 unsigned int type, unsigned int id, 5024 ...) 5025 { 5026 STDDCL; 5027 struct lcp_header *lh; 5028 struct mbuf *m; 5029 u_char *p; 5030 int len; 5031 size_t pkthdrlen; 5032 unsigned int mlen; 5033 const char *msg; 5034 va_list ap; 5035 5036 KASSERT(SPPP_WLOCKED(sp)); 5037 5038 MGETHDR(m, M_DONTWAIT, MT_DATA); 5039 if (! m) 5040 return; 5041 m_reset_rcvif(m); 5042 5043 if (sp->pp_flags & PP_NOFRAMING) { 5044 *mtod(m, uint16_t *) = htons(cp->proto); 5045 pkthdrlen = 2; 5046 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 5047 } else { 5048 struct ppp_header *h; 5049 h = mtod(m, struct ppp_header *); 5050 h->address = PPP_ALLSTATIONS; /* broadcast address */ 5051 h->control = PPP_UI; /* Unnumbered Info */ 5052 h->protocol = htons(cp->proto); 5053 pkthdrlen = PPP_HEADER_LEN; 5054 5055 lh = (struct lcp_header *)(h + 1); 5056 } 5057 5058 lh->type = type; 5059 lh->ident = id; 5060 p = (u_char *)(lh + 1); 5061 5062 va_start(ap, id); 5063 len = 0; 5064 5065 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 5066 msg = va_arg(ap, const char *); 5067 len += mlen; 5068 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 5069 va_end(ap); 5070 m_freem(m); 5071 return; 5072 } 5073 5074 memcpy(p, msg, mlen); 5075 p += mlen; 5076 } 5077 va_end(ap); 5078 5079 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 5080 lh->len = htons(LCP_HEADER_LEN + len); 5081 5082 if (debug) { 5083 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 5084 ifp->if_xname, cp->name, 5085 sppp_auth_type_name(cp->proto, lh->type), 5086 lh->ident, ntohs(lh->len)); 5087 if (len) 5088 sppp_print_bytes((u_char *)(lh + 1), len); 5089 addlog(">\n"); 5090 } 5091 if (IF_QFULL(&sp->pp_cpq)) { 5092 IF_DROP(&sp->pp_fastq); 5093 IF_DROP(&ifp->if_snd); 5094 m_freem(m); 5095 ++ifp->if_oerrors; 5096 return; 5097 } 5098 5099 ifp->if_obytes += m->m_pkthdr.len + sp->pp_framebytes; 5100 IF_ENQUEUE(&sp->pp_cpq, m); 5101 5102 if (! (ifp->if_flags & IFF_OACTIVE)) { 5103 SPPP_UNLOCK(sp); 5104 if_start_lock(ifp); 5105 SPPP_LOCK(sp, RW_WRITER); 5106 } 5107 } 5108 5109 /* 5110 * Send keepalive packets, every 10 seconds. 5111 */ 5112 static void 5113 sppp_keepalive(void *dummy) 5114 { 5115 struct sppp *sp; 5116 int s; 5117 time_t now; 5118 5119 SPPPQ_LOCK(); 5120 5121 s = splnet(); 5122 now = time_uptime; 5123 for (sp=spppq; sp; sp=sp->pp_next) { 5124 struct ifnet *ifp = NULL; 5125 5126 SPPP_LOCK(sp, RW_WRITER); 5127 ifp = &sp->pp_if; 5128 5129 /* check idle timeout */ 5130 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 5131 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 5132 /* idle timeout is enabled for this interface */ 5133 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 5134 if (ifp->if_flags & IFF_DEBUG) 5135 printf("%s: no activity for %lu seconds\n", 5136 sp->pp_if.if_xname, 5137 (unsigned long)(now-sp->pp_last_activity)); 5138 lcp.Close(sp); 5139 SPPP_UNLOCK(sp); 5140 continue; 5141 } 5142 } 5143 5144 /* Keepalive mode disabled or channel down? */ 5145 if (! (sp->pp_flags & PP_KEEPALIVE) || 5146 ! (ifp->if_flags & IFF_RUNNING)) { 5147 SPPP_UNLOCK(sp); 5148 continue; 5149 } 5150 5151 5152 /* No keepalive in PPP mode if LCP not opened yet. */ 5153 if (! (sp->pp_flags & PP_CISCO) && 5154 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) { 5155 SPPP_UNLOCK(sp); 5156 continue; 5157 } 5158 5159 /* No echo reply, but maybe user data passed through? */ 5160 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) { 5161 sp->pp_alivecnt = 0; 5162 SPPP_UNLOCK(sp); 5163 continue; 5164 } 5165 5166 if (sp->pp_alivecnt >= sp->pp_maxalive) { 5167 /* No keepalive packets got. Stop the interface. */ 5168 SPPP_UNLOCK(sp); 5169 if_down (ifp); 5170 SPPP_LOCK(sp, RW_WRITER); 5171 5172 IF_PURGE(&sp->pp_cpq); 5173 5174 if (! (sp->pp_flags & PP_CISCO)) { 5175 printf("%s: LCP keepalive timed out, going to restart the connection\n", 5176 ifp->if_xname); 5177 sp->pp_alivecnt = 0; 5178 5179 /* we are down, close all open protocols */ 5180 lcp.Close(sp); 5181 5182 /* And now prepare LCP to reestablish the link, if configured to do so. */ 5183 sppp_cp_change_state(&lcp, sp, STATE_STOPPED); 5184 5185 /* Close connection immediately, completition of this 5186 * will summon the magic needed to reestablish it. */ 5187 sppp_notify_tlf_wlocked(sp); 5188 5189 SPPP_UNLOCK(sp); 5190 continue; 5191 } 5192 } 5193 if (sp->pp_alivecnt < sp->pp_maxalive) 5194 ++sp->pp_alivecnt; 5195 if (sp->pp_flags & PP_CISCO) 5196 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 5197 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 5198 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 5199 int32_t nmagic = htonl(sp->lcp.magic); 5200 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 5201 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 5202 sp->lcp.echoid, 4, &nmagic); 5203 } 5204 5205 SPPP_UNLOCK(sp); 5206 } 5207 splx(s); 5208 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 5209 5210 SPPPQ_UNLOCK(); 5211 } 5212 5213 #ifdef INET 5214 /* 5215 * Get both IP addresses. 5216 */ 5217 static void 5218 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 5219 { 5220 struct ifnet *ifp = &sp->pp_if; 5221 struct ifaddr *ifa; 5222 struct sockaddr_in *si, *sm; 5223 uint32_t ssrc, ddst; 5224 int s; 5225 struct psref psref; 5226 5227 sm = NULL; 5228 ssrc = ddst = 0; 5229 /* 5230 * Pick the first AF_INET address from the list, 5231 * aliases don't make any sense on a p2p link anyway. 5232 */ 5233 si = 0; 5234 s = pserialize_read_enter(); 5235 IFADDR_READER_FOREACH(ifa, ifp) { 5236 if (ifa->ifa_addr->sa_family == AF_INET) { 5237 si = (struct sockaddr_in *)ifa->ifa_addr; 5238 sm = (struct sockaddr_in *)ifa->ifa_netmask; 5239 if (si) { 5240 ifa_acquire(ifa, &psref); 5241 break; 5242 } 5243 } 5244 } 5245 pserialize_read_exit(s); 5246 if (ifa) { 5247 if (si && si->sin_addr.s_addr) { 5248 ssrc = si->sin_addr.s_addr; 5249 if (srcmask) 5250 *srcmask = ntohl(sm->sin_addr.s_addr); 5251 } 5252 5253 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 5254 if (si && si->sin_addr.s_addr) 5255 ddst = si->sin_addr.s_addr; 5256 ifa_release(ifa, &psref); 5257 } 5258 5259 if (dst) *dst = ntohl(ddst); 5260 if (src) *src = ntohl(ssrc); 5261 } 5262 5263 /* 5264 * Set IP addresses. Must be called at splnet. 5265 * If an address is 0, leave it the way it is. 5266 */ 5267 static void 5268 sppp_set_ip_addrs_work(struct work *wk, struct sppp *sp) 5269 { 5270 STDDCL; 5271 struct ifaddr *ifa; 5272 struct sockaddr_in *si, *dest; 5273 uint32_t myaddr = 0, hisaddr = 0; 5274 int s; 5275 5276 IFNET_LOCK(ifp); 5277 5278 /* 5279 * Pick the first AF_INET address from the list, 5280 * aliases don't make any sense on a p2p link anyway. 5281 */ 5282 si = dest = NULL; 5283 s = pserialize_read_enter(); 5284 IFADDR_READER_FOREACH(ifa, ifp) { 5285 if (ifa->ifa_addr->sa_family == AF_INET) { 5286 si = (struct sockaddr_in *)ifa->ifa_addr; 5287 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5288 break; 5289 } 5290 } 5291 pserialize_read_exit(s); 5292 5293 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 5294 myaddr = sp->ipcp.req_myaddr; 5295 else if (si != NULL) 5296 myaddr = ntohl(si->sin_addr.s_addr); 5297 5298 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 5299 hisaddr = sp->ipcp.req_hisaddr; 5300 else if (dest != NULL) 5301 hisaddr = ntohl(dest->sin_addr.s_addr); 5302 5303 if (si != NULL && dest != NULL) { 5304 int error; 5305 struct sockaddr_in new_sin = *si; 5306 struct sockaddr_in new_dst = *dest; 5307 5308 if (myaddr != 0) 5309 new_sin.sin_addr.s_addr = htonl(myaddr); 5310 if (hisaddr != 0) { 5311 new_dst.sin_addr.s_addr = htonl(hisaddr); 5312 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) 5313 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 5314 } 5315 5316 in_addrhash_remove(ifatoia(ifa)); 5317 5318 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5319 5320 in_addrhash_insert(ifatoia(ifa)); 5321 5322 if (debug && error) 5323 { 5324 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5325 ifp->if_xname, __func__, error); 5326 } 5327 if (!error) { 5328 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5329 } 5330 } 5331 5332 if (ifp->if_mtu > sp->lcp.their_mru) { 5333 sp->pp_saved_mtu = ifp->if_mtu; 5334 ifp->if_mtu = sp->lcp.their_mru; 5335 if (debug) 5336 log(LOG_DEBUG, 5337 "%s: setting MTU to %" PRIu64 " bytes\n", 5338 ifp->if_xname, ifp->if_mtu); 5339 } 5340 5341 IFNET_UNLOCK(ifp); 5342 5343 sppp_notify_con(sp); 5344 } 5345 5346 static void 5347 sppp_set_ip_addrs(struct sppp *sp) 5348 { 5349 struct ifnet *ifp = &sp->pp_if; 5350 5351 if (!pcq_put(sp->ipcp.update_addrs_q, (void *)IPCP_SET_ADDRS)) { 5352 log(LOG_WARNING, "%s: cannot enqueued, ignore sppp_clear_ip_addrs\n", 5353 ifp->if_xname); 5354 return; 5355 } 5356 5357 if (atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1) == 1) 5358 return; 5359 5360 workqueue_enqueue(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk, NULL); 5361 } 5362 5363 /* 5364 * Clear IP addresses. Must be called at splnet. 5365 */ 5366 static void 5367 sppp_clear_ip_addrs_work(struct work *wk, struct sppp *sp) 5368 { 5369 STDDCL; 5370 struct ifaddr *ifa; 5371 struct sockaddr_in *si, *dest; 5372 int s; 5373 5374 IFNET_LOCK(ifp); 5375 5376 /* 5377 * Pick the first AF_INET address from the list, 5378 * aliases don't make any sense on a p2p link anyway. 5379 */ 5380 si = dest = NULL; 5381 s = pserialize_read_enter(); 5382 IFADDR_READER_FOREACH(ifa, ifp) { 5383 if (ifa->ifa_addr->sa_family == AF_INET) { 5384 si = (struct sockaddr_in *)ifa->ifa_addr; 5385 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5386 break; 5387 } 5388 } 5389 pserialize_read_exit(s); 5390 5391 if (si != NULL) { 5392 struct sockaddr_in new_sin = *si; 5393 struct sockaddr_in new_dst = *dest; 5394 int error; 5395 5396 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 5397 new_sin.sin_addr.s_addr = 0; 5398 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 5399 new_dst.sin_addr.s_addr = sp->ipcp.saved_hisaddr; 5400 5401 in_addrhash_remove(ifatoia(ifa)); 5402 5403 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5404 5405 in_addrhash_insert(ifatoia(ifa)); 5406 5407 if (debug && error) 5408 { 5409 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5410 ifp->if_xname, __func__, error); 5411 } 5412 if (!error) { 5413 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5414 } 5415 } 5416 5417 if (sp->pp_saved_mtu > 0) { 5418 ifp->if_mtu = sp->pp_saved_mtu; 5419 sp->pp_saved_mtu = 0; 5420 if (debug) 5421 log(LOG_DEBUG, 5422 "%s: resetting MTU to %" PRIu64 " bytes\n", 5423 ifp->if_xname, ifp->if_mtu); 5424 } 5425 5426 IFNET_UNLOCK(ifp); 5427 } 5428 5429 static void 5430 sppp_clear_ip_addrs(struct sppp *sp) 5431 { 5432 struct ifnet *ifp = &sp->pp_if; 5433 5434 if (!pcq_put(sp->ipcp.update_addrs_q, (void *)IPCP_CLEAR_ADDRS)) { 5435 log(LOG_WARNING, "%s: cannot enqueued, ignore sppp_clear_ip_addrs\n", 5436 ifp->if_xname); 5437 return; 5438 } 5439 5440 if (atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1) == 1) 5441 return; 5442 5443 workqueue_enqueue(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk, NULL); 5444 } 5445 5446 static void 5447 sppp_update_ip_addrs_work(struct work *wk, void *arg) 5448 { 5449 struct sppp *sp = arg; 5450 void *work; 5451 5452 atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 0); 5453 5454 while ((work = pcq_get(sp->ipcp.update_addrs_q)) != NULL) { 5455 int update = (intptr_t)work; 5456 5457 if (update == IPCP_SET_ADDRS) 5458 sppp_set_ip_addrs_work(wk, sp); 5459 else if (update == IPCP_CLEAR_ADDRS) 5460 sppp_clear_ip_addrs_work(wk, sp); 5461 } 5462 } 5463 #endif 5464 5465 #ifdef INET6 5466 /* 5467 * Get both IPv6 addresses. 5468 */ 5469 static void 5470 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 5471 struct in6_addr *srcmask) 5472 { 5473 struct ifnet *ifp = &sp->pp_if; 5474 struct ifaddr *ifa; 5475 struct sockaddr_in6 *si, *sm; 5476 struct in6_addr ssrc, ddst; 5477 int s; 5478 struct psref psref; 5479 5480 sm = NULL; 5481 memset(&ssrc, 0, sizeof(ssrc)); 5482 memset(&ddst, 0, sizeof(ddst)); 5483 /* 5484 * Pick the first link-local AF_INET6 address from the list, 5485 * aliases don't make any sense on a p2p link anyway. 5486 */ 5487 si = 0; 5488 s = pserialize_read_enter(); 5489 IFADDR_READER_FOREACH(ifa, ifp) { 5490 if (ifa->ifa_addr->sa_family == AF_INET6) { 5491 si = (struct sockaddr_in6 *)ifa->ifa_addr; 5492 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 5493 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) { 5494 ifa_acquire(ifa, &psref); 5495 break; 5496 } 5497 } 5498 } 5499 pserialize_read_exit(s); 5500 5501 if (ifa) { 5502 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 5503 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 5504 if (srcmask) { 5505 memcpy(srcmask, &sm->sin6_addr, 5506 sizeof(*srcmask)); 5507 } 5508 } 5509 5510 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 5511 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 5512 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 5513 ifa_release(ifa, &psref); 5514 } 5515 5516 if (dst) 5517 memcpy(dst, &ddst, sizeof(*dst)); 5518 if (src) 5519 memcpy(src, &ssrc, sizeof(*src)); 5520 } 5521 5522 #ifdef IPV6CP_MYIFID_DYN 5523 /* 5524 * Generate random ifid. 5525 */ 5526 static void 5527 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5528 { 5529 /* TBD */ 5530 } 5531 5532 /* 5533 * Set my IPv6 address. Must be called at splnet. 5534 */ 5535 static void 5536 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5537 { 5538 STDDCL; 5539 struct ifaddr *ifa; 5540 struct sockaddr_in6 *sin6; 5541 int s; 5542 struct psref psref; 5543 5544 IFNET_LOCK(ifp); 5545 5546 /* 5547 * Pick the first link-local AF_INET6 address from the list, 5548 * aliases don't make any sense on a p2p link anyway. 5549 */ 5550 5551 sin6 = NULL; 5552 s = pserialize_read_enter(); 5553 IFADDR_READER_FOREACH(ifa, ifp) 5554 { 5555 if (ifa->ifa_addr->sa_family == AF_INET6) 5556 { 5557 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5558 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) { 5559 ifa_acquire(ifa, &psref); 5560 break; 5561 } 5562 } 5563 } 5564 pserialize_read_exit(s); 5565 5566 if (ifa && sin6) 5567 { 5568 int error; 5569 struct sockaddr_in6 new_sin6 = *sin6; 5570 5571 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 5572 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5573 if (debug && error) 5574 { 5575 log(LOG_DEBUG, "%s: %s: in6_ifinit failed, error=%d\n", 5576 ifp->if_xname, __func__, error); 5577 } 5578 if (!error) { 5579 pfil_run_addrhooks(if_pfil, SIOCAIFADDR_IN6, ifa); 5580 } 5581 ifa_release(ifa, &psref); 5582 } 5583 5584 IFNET_UNLOCK(ifp); 5585 } 5586 #endif 5587 5588 /* 5589 * Suggest a candidate address to be used by peer. 5590 */ 5591 static void 5592 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5593 { 5594 struct in6_addr myaddr; 5595 struct timeval tv; 5596 5597 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5598 5599 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5600 microtime(&tv); 5601 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5602 myaddr.s6_addr[14] ^= 0xff; 5603 myaddr.s6_addr[15] ^= 0xff; 5604 } else { 5605 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5606 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5607 } 5608 if (suggest) 5609 memcpy(suggest, &myaddr, sizeof(myaddr)); 5610 } 5611 #endif /*INET6*/ 5612 5613 /* 5614 * Process ioctl requests specific to the PPP interface. 5615 * Permissions have already been checked. 5616 */ 5617 static int 5618 sppp_params(struct sppp *sp, u_long cmd, void *data) 5619 { 5620 switch (cmd) { 5621 case SPPPGETAUTHCFG: 5622 { 5623 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5624 int error; 5625 size_t len; 5626 5627 SPPP_LOCK(sp, RW_READER); 5628 5629 cfg->myauthflags = sp->myauth.flags; 5630 cfg->hisauthflags = sp->hisauth.flags; 5631 strlcpy(cfg->ifname, sp->pp_if.if_xname, sizeof(cfg->ifname)); 5632 cfg->hisauth = 0; 5633 if (sp->hisauth.proto) 5634 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5635 cfg->myauth = 0; 5636 if (sp->myauth.proto) 5637 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5638 if (cfg->myname_length == 0) { 5639 if (sp->myauth.name != NULL) 5640 cfg->myname_length = sp->myauth.name_len + 1; 5641 } else { 5642 if (sp->myauth.name == NULL) { 5643 cfg->myname_length = 0; 5644 } else { 5645 len = sp->myauth.name_len + 1; 5646 5647 5648 if (cfg->myname_length < len) { 5649 SPPP_UNLOCK(sp); 5650 return (ENAMETOOLONG); 5651 } 5652 error = copyout(sp->myauth.name, cfg->myname, len); 5653 if (error) { 5654 SPPP_UNLOCK(sp); 5655 return error; 5656 } 5657 } 5658 } 5659 if (cfg->hisname_length == 0) { 5660 if (sp->hisauth.name != NULL) 5661 cfg->hisname_length = sp->hisauth.name_len + 1; 5662 } else { 5663 if (sp->hisauth.name == NULL) { 5664 cfg->hisname_length = 0; 5665 } else { 5666 len = sp->hisauth.name_len + 1; 5667 5668 if (cfg->hisname_length < len) { 5669 SPPP_UNLOCK(sp); 5670 return (ENAMETOOLONG); 5671 } 5672 error = copyout(sp->hisauth.name, cfg->hisname, len); 5673 if (error) { 5674 SPPP_UNLOCK(sp); 5675 return error; 5676 } 5677 } 5678 } 5679 SPPP_UNLOCK(sp); 5680 } 5681 break; 5682 case SPPPSETAUTHCFG: 5683 { 5684 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5685 int error; 5686 5687 SPPP_LOCK(sp, RW_WRITER); 5688 5689 if (sp->myauth.name) { 5690 free(sp->myauth.name, M_DEVBUF); 5691 sp->myauth.name = NULL; 5692 } 5693 if (sp->myauth.secret) { 5694 free(sp->myauth.secret, M_DEVBUF); 5695 sp->myauth.secret = NULL; 5696 } 5697 if (sp->hisauth.name) { 5698 free(sp->hisauth.name, M_DEVBUF); 5699 sp->hisauth.name = NULL; 5700 } 5701 if (sp->hisauth.secret) { 5702 free(sp->hisauth.secret, M_DEVBUF); 5703 sp->hisauth.secret = NULL; 5704 } 5705 5706 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 5707 if (cfg->hisname_length >= MCLBYTES) { 5708 SPPP_UNLOCK(sp); 5709 return (ENAMETOOLONG); 5710 } 5711 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 5712 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 5713 if (error) { 5714 free(sp->hisauth.name, M_DEVBUF); 5715 sp->hisauth.name = NULL; 5716 SPPP_UNLOCK(sp); 5717 return error; 5718 } 5719 sp->hisauth.name_len = cfg->hisname_length - 1; 5720 sp->hisauth.name[sp->hisauth.name_len] = 0; 5721 } 5722 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 5723 if (cfg->hissecret_length >= MCLBYTES) { 5724 SPPP_UNLOCK(sp); 5725 return (ENAMETOOLONG); 5726 } 5727 sp->hisauth.secret = malloc(cfg->hissecret_length, 5728 M_DEVBUF, M_WAITOK); 5729 error = copyin(cfg->hissecret, sp->hisauth.secret, 5730 cfg->hissecret_length); 5731 if (error) { 5732 free(sp->hisauth.secret, M_DEVBUF); 5733 sp->hisauth.secret = NULL; 5734 SPPP_UNLOCK(sp); 5735 return error; 5736 } 5737 sp->hisauth.secret_len = cfg->hissecret_length - 1; 5738 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 5739 } 5740 if (cfg->myname != NULL && cfg->myname_length > 0) { 5741 if (cfg->myname_length >= MCLBYTES) { 5742 SPPP_UNLOCK(sp); 5743 return (ENAMETOOLONG); 5744 } 5745 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 5746 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 5747 if (error) { 5748 free(sp->myauth.name, M_DEVBUF); 5749 sp->myauth.name = NULL; 5750 SPPP_UNLOCK(sp); 5751 return error; 5752 } 5753 sp->myauth.name_len = cfg->myname_length - 1; 5754 sp->myauth.name[sp->myauth.name_len] = 0; 5755 } 5756 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 5757 if (cfg->mysecret_length >= MCLBYTES) { 5758 SPPP_UNLOCK(sp); 5759 return (ENAMETOOLONG); 5760 } 5761 sp->myauth.secret = malloc(cfg->mysecret_length, 5762 M_DEVBUF, M_WAITOK); 5763 error = copyin(cfg->mysecret, sp->myauth.secret, 5764 cfg->mysecret_length); 5765 if (error) { 5766 free(sp->myauth.secret, M_DEVBUF); 5767 sp->myauth.secret = NULL; 5768 SPPP_UNLOCK(sp); 5769 return error; 5770 } 5771 sp->myauth.secret_len = cfg->mysecret_length - 1; 5772 sp->myauth.secret[sp->myauth.secret_len] = 0; 5773 } 5774 sp->myauth.flags = cfg->myauthflags; 5775 if (cfg->myauth) 5776 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5777 sp->hisauth.flags = cfg->hisauthflags; 5778 if (cfg->hisauth) 5779 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5780 sp->pp_auth_failures = 0; 5781 if (sp->hisauth.proto != 0) 5782 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 5783 else 5784 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 5785 5786 SPPP_UNLOCK(sp); 5787 } 5788 break; 5789 case SPPPGETLCPCFG: 5790 { 5791 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5792 5793 SPPP_LOCK(sp, RW_READER); 5794 lcpp->lcp_timeout = sp->lcp.timeout; 5795 SPPP_UNLOCK(sp); 5796 } 5797 break; 5798 case SPPPSETLCPCFG: 5799 { 5800 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5801 5802 SPPP_LOCK(sp, RW_WRITER); 5803 sp->lcp.timeout = lcpp->lcp_timeout; 5804 SPPP_UNLOCK(sp); 5805 } 5806 break; 5807 case SPPPGETSTATUS: 5808 { 5809 struct spppstatus *status = (struct spppstatus *)data; 5810 5811 SPPP_LOCK(sp, RW_READER); 5812 status->phase = sp->pp_phase; 5813 SPPP_UNLOCK(sp); 5814 } 5815 break; 5816 case SPPPGETSTATUSNCP: 5817 { 5818 struct spppstatusncp *status = (struct spppstatusncp *)data; 5819 5820 SPPP_LOCK(sp, RW_READER); 5821 status->phase = sp->pp_phase; 5822 status->ncpup = sppp_ncp_check(sp); 5823 SPPP_UNLOCK(sp); 5824 } 5825 break; 5826 case SPPPGETIDLETO: 5827 { 5828 struct spppidletimeout *to = (struct spppidletimeout *)data; 5829 5830 SPPP_LOCK(sp, RW_READER); 5831 to->idle_seconds = sp->pp_idle_timeout; 5832 SPPP_UNLOCK(sp); 5833 } 5834 break; 5835 case SPPPSETIDLETO: 5836 { 5837 struct spppidletimeout *to = (struct spppidletimeout *)data; 5838 5839 SPPP_LOCK(sp, RW_WRITER); 5840 sp->pp_idle_timeout = to->idle_seconds; 5841 SPPP_UNLOCK(sp); 5842 } 5843 break; 5844 case SPPPSETAUTHFAILURE: 5845 { 5846 struct spppauthfailuresettings *afsettings = 5847 (struct spppauthfailuresettings *)data; 5848 5849 SPPP_LOCK(sp, RW_WRITER); 5850 sp->pp_max_auth_fail = afsettings->max_failures; 5851 sp->pp_auth_failures = 0; 5852 SPPP_UNLOCK(sp); 5853 } 5854 break; 5855 case SPPPGETAUTHFAILURES: 5856 { 5857 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 5858 5859 SPPP_LOCK(sp, RW_READER); 5860 stats->auth_failures = sp->pp_auth_failures; 5861 stats->max_failures = sp->pp_max_auth_fail; 5862 SPPP_UNLOCK(sp); 5863 } 5864 break; 5865 case SPPPSETDNSOPTS: 5866 { 5867 struct spppdnssettings *req = (struct spppdnssettings *)data; 5868 5869 SPPP_LOCK(sp, RW_WRITER); 5870 sp->query_dns = req->query_dns & 3; 5871 SPPP_UNLOCK(sp); 5872 } 5873 break; 5874 case SPPPGETDNSOPTS: 5875 { 5876 struct spppdnssettings *req = (struct spppdnssettings *)data; 5877 5878 SPPP_LOCK(sp, RW_READER); 5879 req->query_dns = sp->query_dns; 5880 SPPP_UNLOCK(sp); 5881 } 5882 break; 5883 case SPPPGETDNSADDRS: 5884 { 5885 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 5886 5887 SPPP_LOCK(sp, RW_READER); 5888 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 5889 SPPP_UNLOCK(sp); 5890 } 5891 break; 5892 case SPPPGETKEEPALIVE: 5893 { 5894 struct spppkeepalivesettings *settings = 5895 (struct spppkeepalivesettings*)data; 5896 5897 SPPP_LOCK(sp, RW_READER); 5898 settings->maxalive = sp->pp_maxalive; 5899 settings->max_noreceive = sp->pp_max_noreceive; 5900 SPPP_UNLOCK(sp); 5901 } 5902 break; 5903 case SPPPSETKEEPALIVE: 5904 { 5905 struct spppkeepalivesettings *settings = 5906 (struct spppkeepalivesettings*)data; 5907 5908 SPPP_LOCK(sp, RW_WRITER); 5909 sp->pp_maxalive = settings->maxalive; 5910 sp->pp_max_noreceive = settings->max_noreceive; 5911 SPPP_UNLOCK(sp); 5912 } 5913 break; 5914 #if defined(COMPAT_50) || defined(MODULAR) 5915 case __SPPPGETIDLETO50: 5916 { 5917 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5918 5919 SPPP_LOCK(sp, RW_READER); 5920 to->idle_seconds = (uint32_t)sp->pp_idle_timeout; 5921 SPPP_UNLOCK(sp); 5922 } 5923 break; 5924 case __SPPPSETIDLETO50: 5925 { 5926 struct spppidletimeout50 *to = (struct spppidletimeout50 *)data; 5927 5928 SPPP_LOCK(sp, RW_WRITER); 5929 sp->pp_idle_timeout = (time_t)to->idle_seconds; 5930 SPPP_UNLOCK(sp); 5931 } 5932 break; 5933 case __SPPPGETKEEPALIVE50: 5934 { 5935 struct spppkeepalivesettings50 *settings = 5936 (struct spppkeepalivesettings50*)data; 5937 5938 SPPP_LOCK(sp, RW_READER); 5939 settings->maxalive = sp->pp_maxalive; 5940 settings->max_noreceive = (uint32_t)sp->pp_max_noreceive; 5941 SPPP_UNLOCK(sp); 5942 } 5943 break; 5944 case __SPPPSETKEEPALIVE50: 5945 { 5946 struct spppkeepalivesettings50 *settings = 5947 (struct spppkeepalivesettings50*)data; 5948 5949 SPPP_LOCK(sp, RW_WRITER); 5950 sp->pp_maxalive = settings->maxalive; 5951 sp->pp_max_noreceive = (time_t)settings->max_noreceive; 5952 SPPP_UNLOCK(sp); 5953 } 5954 break; 5955 #endif /* COMPAT_50 || MODULAR */ 5956 default: 5957 return (EINVAL); 5958 } 5959 5960 return (0); 5961 } 5962 5963 static void 5964 sppp_phase_network(struct sppp *sp) 5965 { 5966 int i; 5967 uint32_t mask; 5968 5969 KASSERT(SPPP_WLOCKED(sp)); 5970 5971 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 5972 5973 /* Notify NCPs now. */ 5974 for (i = 0; i < IDX_COUNT; i++) 5975 if ((cps[i])->flags & CP_NCP) 5976 (cps[i])->Open(sp); 5977 5978 /* Send Up events to all NCPs. */ 5979 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5980 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) { 5981 (cps[i])->Up(sp); 5982 } 5983 5984 /* if no NCP is starting, all this was in vain, close down */ 5985 sppp_lcp_check_and_close(sp); 5986 } 5987 5988 5989 static const char * 5990 sppp_cp_type_name(u_char type) 5991 { 5992 static char buf[12]; 5993 switch (type) { 5994 case CONF_REQ: return "conf-req"; 5995 case CONF_ACK: return "conf-ack"; 5996 case CONF_NAK: return "conf-nak"; 5997 case CONF_REJ: return "conf-rej"; 5998 case TERM_REQ: return "term-req"; 5999 case TERM_ACK: return "term-ack"; 6000 case CODE_REJ: return "code-rej"; 6001 case PROTO_REJ: return "proto-rej"; 6002 case ECHO_REQ: return "echo-req"; 6003 case ECHO_REPLY: return "echo-reply"; 6004 case DISC_REQ: return "discard-req"; 6005 } 6006 snprintf(buf, sizeof(buf), "0x%x", type); 6007 return buf; 6008 } 6009 6010 static const char * 6011 sppp_auth_type_name(u_short proto, u_char type) 6012 { 6013 static char buf[32]; 6014 const char *name; 6015 6016 switch (proto) { 6017 case PPP_CHAP: 6018 switch (type) { 6019 case CHAP_CHALLENGE: return "challenge"; 6020 case CHAP_RESPONSE: return "response"; 6021 case CHAP_SUCCESS: return "success"; 6022 case CHAP_FAILURE: return "failure"; 6023 default: name = "chap"; break; 6024 } 6025 break; 6026 6027 case PPP_PAP: 6028 switch (type) { 6029 case PAP_REQ: return "req"; 6030 case PAP_ACK: return "ack"; 6031 case PAP_NAK: return "nak"; 6032 default: name = "pap"; break; 6033 } 6034 break; 6035 6036 default: 6037 name = "bad"; 6038 break; 6039 } 6040 6041 snprintf(buf, sizeof(buf), "%s(%#x) %#x", name, proto, type); 6042 return buf; 6043 } 6044 6045 static const char * 6046 sppp_lcp_opt_name(u_char opt) 6047 { 6048 static char buf[12]; 6049 switch (opt) { 6050 case LCP_OPT_MRU: return "mru"; 6051 case LCP_OPT_ASYNC_MAP: return "async-map"; 6052 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 6053 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 6054 case LCP_OPT_MAGIC: return "magic"; 6055 case LCP_OPT_PROTO_COMP: return "proto-comp"; 6056 case LCP_OPT_ADDR_COMP: return "addr-comp"; 6057 } 6058 snprintf(buf, sizeof(buf), "0x%x", opt); 6059 return buf; 6060 } 6061 6062 static const char * 6063 sppp_ipcp_opt_name(u_char opt) 6064 { 6065 static char buf[12]; 6066 switch (opt) { 6067 case IPCP_OPT_ADDRESSES: return "addresses"; 6068 case IPCP_OPT_COMPRESSION: return "compression"; 6069 case IPCP_OPT_ADDRESS: return "address"; 6070 } 6071 snprintf(buf, sizeof(buf), "0x%x", opt); 6072 return buf; 6073 } 6074 6075 #ifdef INET6 6076 static const char * 6077 sppp_ipv6cp_opt_name(u_char opt) 6078 { 6079 static char buf[12]; 6080 switch (opt) { 6081 case IPV6CP_OPT_IFID: return "ifid"; 6082 case IPV6CP_OPT_COMPRESSION: return "compression"; 6083 } 6084 snprintf(buf, sizeof(buf), "0x%x", opt); 6085 return buf; 6086 } 6087 #endif 6088 6089 static const char * 6090 sppp_state_name(int state) 6091 { 6092 switch (state) { 6093 case STATE_INITIAL: return "initial"; 6094 case STATE_STARTING: return "starting"; 6095 case STATE_CLOSED: return "closed"; 6096 case STATE_STOPPED: return "stopped"; 6097 case STATE_CLOSING: return "closing"; 6098 case STATE_STOPPING: return "stopping"; 6099 case STATE_REQ_SENT: return "req-sent"; 6100 case STATE_ACK_RCVD: return "ack-rcvd"; 6101 case STATE_ACK_SENT: return "ack-sent"; 6102 case STATE_OPENED: return "opened"; 6103 } 6104 return "illegal"; 6105 } 6106 6107 static const char * 6108 sppp_phase_name(int phase) 6109 { 6110 switch (phase) { 6111 case SPPP_PHASE_DEAD: return "dead"; 6112 case SPPP_PHASE_ESTABLISH: return "establish"; 6113 case SPPP_PHASE_TERMINATE: return "terminate"; 6114 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 6115 case SPPP_PHASE_NETWORK: return "network"; 6116 } 6117 return "illegal"; 6118 } 6119 6120 static const char * 6121 sppp_proto_name(u_short proto) 6122 { 6123 static char buf[12]; 6124 switch (proto) { 6125 case PPP_LCP: return "lcp"; 6126 case PPP_IPCP: return "ipcp"; 6127 case PPP_PAP: return "pap"; 6128 case PPP_CHAP: return "chap"; 6129 case PPP_IPV6CP: return "ipv6cp"; 6130 } 6131 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto); 6132 return buf; 6133 } 6134 6135 static void 6136 sppp_print_bytes(const u_char *p, u_short len) 6137 { 6138 addlog(" %02x", *p++); 6139 while (--len > 0) 6140 addlog("-%02x", *p++); 6141 } 6142 6143 static void 6144 sppp_print_string(const char *p, u_short len) 6145 { 6146 u_char c; 6147 6148 while (len-- > 0) { 6149 c = *p++; 6150 /* 6151 * Print only ASCII chars directly. RFC 1994 recommends 6152 * using only them, but we don't rely on it. */ 6153 if (c < ' ' || c > '~') 6154 addlog("\\x%x", c); 6155 else 6156 addlog("%c", c); 6157 } 6158 } 6159 6160 static const char * 6161 sppp_dotted_quad(uint32_t addr) 6162 { 6163 static char s[16]; 6164 snprintf(s, sizeof(s), "%d.%d.%d.%d", 6165 (int)((addr >> 24) & 0xff), 6166 (int)((addr >> 16) & 0xff), 6167 (int)((addr >> 8) & 0xff), 6168 (int)(addr & 0xff)); 6169 return s; 6170 } 6171 6172 /* a dummy, used to drop uninteresting events */ 6173 static void 6174 sppp_null(struct sppp *unused) 6175 { 6176 /* do just nothing */ 6177 } 6178 /* 6179 * This file is large. Tell emacs to highlight it nevertheless. 6180 * 6181 * Local Variables: 6182 * hilit-auto-highlight-maxout: 120000 6183 * End: 6184 */ 6185 6186 /* 6187 * Module glue 6188 */ 6189 MODULE(MODULE_CLASS_MISC, sppp_subr, NULL); 6190 6191 static int 6192 sppp_subr_modcmd(modcmd_t cmd, void *arg) 6193 { 6194 switch (cmd) { 6195 case MODULE_CMD_INIT: 6196 case MODULE_CMD_FINI: 6197 return 0; 6198 case MODULE_CMD_STAT: 6199 case MODULE_CMD_AUTOUNLOAD: 6200 default: 6201 return ENOTTY; 6202 } 6203 } 6204 6205 static void 6206 sppp_notify_up(struct sppp *sp) 6207 { 6208 6209 SPPP_LOCK(sp, RW_WRITER); 6210 lcp.Up(sp); 6211 SPPP_UNLOCK(sp); 6212 } 6213 6214 static void 6215 sppp_notify_down(struct sppp *sp) 6216 { 6217 6218 SPPP_LOCK(sp, RW_WRITER); 6219 lcp.Down(sp); 6220 SPPP_UNLOCK(sp); 6221 } 6222 6223 static void 6224 sppp_notify_tls_wlocked(struct sppp *sp) 6225 { 6226 6227 KASSERT(SPPP_WLOCKED(sp)); 6228 6229 if (!sp->pp_tls) 6230 return; 6231 6232 SPPP_UNLOCK(sp); 6233 sp->pp_tls(sp); 6234 SPPP_LOCK(sp, RW_WRITER); 6235 } 6236 6237 static void 6238 sppp_notify_tlf_wlocked(struct sppp *sp) 6239 { 6240 6241 KASSERT(SPPP_WLOCKED(sp)); 6242 6243 if (!sp->pp_tlf) 6244 return; 6245 6246 SPPP_UNLOCK(sp); 6247 sp->pp_tlf(sp); 6248 SPPP_LOCK(sp, RW_WRITER); 6249 } 6250 6251 static void 6252 sppp_notify_con(struct sppp *sp) 6253 { 6254 6255 if (!sp->pp_con) 6256 return; 6257 6258 sp->pp_con(sp); 6259 } 6260 6261 #ifdef INET6 6262 static void 6263 sppp_notify_con_wlocked(struct sppp *sp) 6264 { 6265 6266 KASSERT(SPPP_WLOCKED(sp)); 6267 6268 SPPP_UNLOCK(sp); 6269 sppp_notify_con(sp); 6270 SPPP_LOCK(sp, RW_WRITER); 6271 6272 } 6273 #endif 6274 6275 static void 6276 sppp_notify_chg_wlocked(struct sppp *sp) 6277 { 6278 6279 KASSERT(SPPP_WLOCKED(sp)); 6280 6281 if (!sp->pp_chg) 6282 return; 6283 6284 SPPP_UNLOCK(sp); 6285 sp->pp_chg(sp, sp->pp_phase); 6286 SPPP_LOCK(sp, RW_WRITER); 6287 } 6288