1 /* $NetBSD: if_spppsubr.c,v 1.292 2026/06/22 04:03:50 yamaguchi Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak (at) cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun (at) iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 
35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.292 2026/06/22 04:03:50 yamaguchi Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_modular.h" 49 #include "opt_compat_netbsd.h" 50 #include "opt_net_mpsafe.h" 51 #include "opt_sppp.h" 52 #endif 53 54 #include <sys/param.h> 55 #include <sys/proc.h> 56 #include <sys/systm.h> 57 #include <sys/kernel.h> 58 #include <sys/sockio.h> 59 #include <sys/socket.h> 60 #include <sys/syslog.h> 61 #include <sys/malloc.h> 62 #include <sys/mbuf.h> 63 #include <sys/callout.h> 64 #include <sys/md5.h> 65 #include <sys/inttypes.h> 66 #include <sys/kauth.h> 67 #include <sys/cprng.h> 68 #include <sys/module.h> 69 #include <sys/workqueue.h> 70 #include <sys/atomic.h> 71 #include <sys/compat_stub.h> 72 #include <sys/cpu.h> 73 74 #include <net/if.h> 75 #include <net/if_types.h> 76 #include <net/route.h> 77 #include <net/ppp_defs.h> 78 79 #include <netinet/in.h> 80 #include <netinet/in_systm.h> 81 #include <netinet/in_var.h> 82 #ifdef INET 83 #include <netinet/ip.h> 84 #include <netinet/tcp.h> 85 #endif 86 #include <net/ethertypes.h> 87 88 #ifdef INET6 89 #include <netinet6/scope6_var.h> 90 #endif 91 92 #include <net/if_sppp.h> 93 #include <net/if_spppvar.h> 94 95 #ifdef NET_MPSAFE 96 #define SPPPSUBR_MPSAFE 1 97 #endif 98 99 #define DEFAULT_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 100 #define DEFAULT_ALIVE_INTERVAL 1 /* count of sppp_keepalive */ 101 #define LOOPALIVECNT 3 /* loopback detection tries */ 102 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 103 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 104 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. 
failures */ 105 106 #ifndef SPPP_KEEPALIVE_INTERVAL 107 #define SPPP_KEEPALIVE_INTERVAL DEFAULT_KEEPALIVE_INTERVAL 108 #endif 109 110 #ifndef SPPP_NORECV_TIME 111 #define SPPP_NORECV_TIME DEFAULT_NORECV_TIME 112 #endif 113 114 #ifndef SPPP_ALIVE_INTERVAL 115 #define SPPP_ALIVE_INTERVAL DEFAULT_ALIVE_INTERVAL 116 #endif 117 118 #define SPPP_CPTYPE_NAMELEN 5 /* buf size of cp type name */ 119 #define SPPP_AUTHTYPE_NAMELEN 32 /* buf size of auth type name */ 120 #define SPPP_LCPOPT_NAMELEN 5 /* buf size of lcp option name */ 121 #define SPPP_IPCPOPT_NAMELEN 5 /* buf size of ipcp option name */ 122 #define SPPP_IPV6CPOPT_NAMELEN 5 /* buf size of ipv6cp option name */ 123 #define SPPP_PROTO_NAMELEN 7 /* buf size of protocol name */ 124 #define SPPP_DOTQUAD_BUFLEN 16 /* length of "aa.bb.cc.dd" */ 125 126 /* 127 * Interface flags that can be set in an ifconfig command. 128 * 129 * Setting link0 will make the link passive, i.e. it will be marked 130 * as being administrative openable, but won't be opened to begin 131 * with. Incoming calls will be answered, or subsequent calls with 132 * -link1 will cause the administrative open of the LCP layer. 133 * 134 * Setting link1 will cause the link to auto-dial only as packets 135 * arrive to be sent. 136 * 137 * Setting IFF_DEBUG will syslog the option negotiation and state 138 * transitions at level kern.debug. Note: all logs consistently look 139 * like 140 * 141 * <if-name><unit>: <proto-name> <additional info...> 142 * 143 * with <if-name><unit> being something like "bppp0", and <proto-name> 144 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 
145 */ 146 147 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 148 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 149 150 #define CONF_REQ 1 /* PPP configure request */ 151 #define CONF_ACK 2 /* PPP configure acknowledge */ 152 #define CONF_NAK 3 /* PPP configure negative ack */ 153 #define CONF_REJ 4 /* PPP configure reject */ 154 #define TERM_REQ 5 /* PPP terminate request */ 155 #define TERM_ACK 6 /* PPP terminate acknowledge */ 156 #define CODE_REJ 7 /* PPP code reject */ 157 #define PROTO_REJ 8 /* PPP protocol reject */ 158 #define ECHO_REQ 9 /* PPP echo request */ 159 #define ECHO_REPLY 10 /* PPP echo reply */ 160 #define DISC_REQ 11 /* PPP discard request */ 161 162 #define LCP_OPT_MRU 1 /* maximum receive unit */ 163 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 164 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 165 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 166 #define LCP_OPT_MAGIC 5 /* magic number */ 167 #define LCP_OPT_RESERVED 6 /* reserved */ 168 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 169 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 170 #define LCP_OPT_FCS_ALTS 9 /* FCS alternatives */ 171 #define LCP_OPT_SELF_DESC_PAD 10 /* self-describing padding */ 172 #define LCP_OPT_CALL_BACK 13 /* callback */ 173 #define LCP_OPT_COMPOUND_FRMS 15 /* compound frames */ 174 #define LCP_OPT_MP_MRRU 17 /* multilink MRRU */ 175 #define LCP_OPT_MP_SSNHF 18 /* multilink short seq. 
numbers */ 176 #define LCP_OPT_MP_EID 19 /* multilink endpoint discriminator */ 177 178 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 179 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 180 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 181 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 182 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 183 184 #define IPCP_UPDATE_LIMIT 8 /* limit of pending IP updating job */ 185 #define IPCP_SET_ADDRS 1 /* marker for IP address setting job */ 186 #define IPCP_CLEAR_ADDRS 2 /* marker for IP address clearing job */ 187 188 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 189 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 190 191 #define PAP_REQ 1 /* PAP name/password request */ 192 #define PAP_ACK 2 /* PAP acknowledge */ 193 #define PAP_NAK 3 /* PAP fail */ 194 195 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 196 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 197 #define CHAP_SUCCESS 3 /* CHAP response ok */ 198 #define CHAP_FAILURE 4 /* CHAP response failed */ 199 200 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 201 202 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 203 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 204 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 205 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 206 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 207 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 208 209 #define PPP_NOPROTO 0 /* no authentication protocol */ 210 211 enum { 212 STATE_INITIAL = SPPP_STATE_INITIAL, 213 STATE_STARTING = SPPP_STATE_STARTING, 214 STATE_CLOSED = SPPP_STATE_CLOSED, 215 STATE_STOPPED = SPPP_STATE_STOPPED, 216 STATE_CLOSING = SPPP_STATE_CLOSING, 217 STATE_STOPPING = SPPP_STATE_STOPPING, 218 STATE_REQ_SENT = SPPP_STATE_REQ_SENT, 219 STATE_ACK_RCVD = SPPP_STATE_ACK_RCVD, 220 STATE_ACK_SENT = SPPP_STATE_ACK_SENT, 221 
STATE_OPENED = SPPP_STATE_OPENED, 222 }; 223 224 enum cp_rcr_type { 225 CP_RCR_NONE = 0, /* initial value */ 226 CP_RCR_ACK, /* RCR+ */ 227 CP_RCR_NAK, /* RCR- */ 228 CP_RCR_REJ, /* RCR- */ 229 CP_RCR_DROP, /* DROP message */ 230 CP_RCR_ERR, /* internal error */ 231 }; 232 233 struct ppp_header { 234 uint8_t address; 235 uint8_t control; 236 uint16_t protocol; 237 } __packed; 238 #define PPP_HEADER_LEN sizeof (struct ppp_header) 239 240 struct lcp_header { 241 uint8_t type; 242 uint8_t ident; 243 uint16_t len; 244 } __packed; 245 #define LCP_HEADER_LEN sizeof (struct lcp_header) 246 247 struct cisco_packet { 248 uint32_t type; 249 uint32_t par1; 250 uint32_t par2; 251 uint16_t rel; 252 uint16_t time0; 253 uint16_t time1; 254 } __packed; 255 #define CISCO_PACKET_LEN 18 256 257 /* 258 * We follow the spelling and capitalization of RFC 1661 here, to make 259 * it easier comparing with the standard. Please refer to this RFC in 260 * case you can't make sense out of these abbreviation; it will also 261 * explain the semantics related to the various events and actions. 
262 */ 263 struct cp { 264 u_short proto; /* PPP control protocol number */ 265 u_char protoidx; /* index into state table in struct sppp */ 266 u_char flags; 267 #define CP_LCP 0x01 /* this is the LCP */ 268 #define CP_AUTH 0x02 /* this is an authentication protocol */ 269 #define CP_NCP 0x04 /* this is a NCP */ 270 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 271 const char *name; /* name of this control protocol */ 272 /* event handlers */ 273 void (*Up)(struct sppp *, void *); 274 void (*Down)(struct sppp *, void *); 275 void (*Open)(struct sppp *, void *); 276 void (*Close)(struct sppp *, void *); 277 void (*TO)(struct sppp *, void *); 278 /* actions */ 279 void (*tlu)(struct sppp *); 280 void (*tld)(struct sppp *); 281 void (*tls)(const struct cp *, struct sppp *); 282 void (*tlf)(const struct cp *, struct sppp *); 283 void (*scr)(struct sppp *); 284 void (*screply)(const struct cp *, struct sppp *, u_char, 285 uint8_t, size_t, void *); 286 287 /* message parser */ 288 enum cp_rcr_type 289 (*parse_confreq)(struct sppp *, struct lcp_header *, int, 290 uint8_t **, size_t *, size_t *); 291 void (*parse_confrej)(struct sppp *, struct lcp_header *, int); 292 void (*parse_confnak)(struct sppp *, struct lcp_header *, int); 293 }; 294 295 enum auth_role { 296 SPPP_AUTH_NOROLE = 0, 297 SPPP_AUTH_SERV = __BIT(0), 298 SPPP_AUTH_PEER = __BIT(1), 299 }; 300 301 static struct sppp *spppq; 302 static kmutex_t *spppq_lock = NULL; 303 static callout_t keepalive_ch; 304 static unsigned int sppp_keepalive_cnt = 0; 305 unsigned int sppp_keepalive_interval = SPPP_KEEPALIVE_INTERVAL; 306 307 pktq_rps_hash_func_t sppp_pktq_rps_hash_p; 308 309 #define SPPPQ_LOCK() if (spppq_lock) \ 310 mutex_enter(spppq_lock); 311 #define SPPPQ_UNLOCK() if (spppq_lock) \ 312 mutex_exit(spppq_lock); 313 314 #define SPPP_LOCK(_sp, _op) rw_enter(&(_sp)->pp_lock, (_op)) 315 #define SPPP_UNLOCK(_sp) rw_exit(&(_sp)->pp_lock) 316 #define SPPP_WLOCKED(_sp) rw_write_held(&(_sp)->pp_lock) 
317 #define SPPP_WQ_SET(_wk, _func, _arg) \ 318 sppp_wq_set((_wk), (_func), __UNCONST((_arg))) 319 #define SPPP_LOG(_sp, _lvl, _fmt, _args...) do { \ 320 if (__predict_true((_sp) != NULL)) { \ 321 log((_lvl), "%s: ", (_sp)->pp_if.if_xname); \ 322 } \ 323 addlog((_fmt), ##_args); \ 324 } while (0) 325 #define SPPP_DLOG(_sp, _fmt, _args...) do { \ 326 if (!sppp_debug_enabled(_sp)) \ 327 break; \ 328 SPPP_LOG(_sp, LOG_DEBUG, _fmt, ##_args); \ 329 } while (0) 330 331 #ifdef INET 332 #ifndef SPPPSUBR_MPSAFE 333 /* 334 * The following disgusting hack gets around the problem that IP TOS 335 * can't be set yet. We want to put "interactive" traffic on a high 336 * priority queue. To decide if traffic is interactive, we check that 337 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 338 * 339 * XXX is this really still necessary? - joerg - 340 */ 341 static u_short interactive_ports[8] = { 342 0, 513, 0, 0, 343 0, 21, 0, 23, 344 }; 345 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 346 #endif /* SPPPSUBR_MPSAFE */ 347 #endif 348 349 /* almost every function needs these */ 350 351 static bool sppp_debug_enabled(struct sppp *sp); 352 static int sppp_output(struct ifnet *, struct mbuf *, 353 const struct sockaddr *, const struct rtentry *); 354 355 static void sppp_cp_init(const struct cp *, struct sppp *); 356 static void sppp_cp_fini(const struct cp *, struct sppp *); 357 static void sppp_cp_input(const struct cp *, struct sppp *, 358 struct mbuf *); 359 static void sppp_cp_input(const struct cp *, struct sppp *, 360 struct mbuf *); 361 static void sppp_cp_send(struct sppp *, u_short, u_char, 362 u_char, u_short, void *); 363 /* static void sppp_cp_timeout(void *arg); */ 364 static void sppp_cp_change_state(const struct cp *, struct sppp *, int); 365 static struct workqueue * 366 sppp_wq_create(struct sppp *, const char *, pri_t, int, int); 367 static void sppp_wq_destroy(struct sppp *, struct workqueue *); 368 static void 
sppp_wq_set(struct sppp_work *, 369 void (*)(struct sppp *, void *), void *); 370 static void sppp_wq_add(struct workqueue *, struct sppp_work *); 371 static void sppp_wq_wait(struct workqueue *, struct sppp_work *); 372 static void sppp_cp_to_lcp(void *); 373 static void sppp_cp_to_ipcp(void *); 374 static void sppp_cp_to_ipv6cp(void *); 375 static void sppp_auth_send(const struct cp *, struct sppp *, 376 unsigned int, unsigned int, ...); 377 static int sppp_auth_role(const struct cp *, struct sppp *); 378 static void sppp_auth_to_event(struct sppp *, void *); 379 static void sppp_auth_screply(const struct cp *, struct sppp *, 380 u_char, uint8_t, size_t, void *); 381 static void sppp_up_event(struct sppp *, void *); 382 static void sppp_down_event(struct sppp *, void *); 383 static void sppp_open_event(struct sppp *, void *); 384 static void sppp_close_event(struct sppp *, void *); 385 static void sppp_to_event(struct sppp *, void *); 386 static void sppp_rcr_event(struct sppp *, void *); 387 static void sppp_rca_event(struct sppp *, void *); 388 static void sppp_rcn_event(struct sppp *, void *); 389 static void sppp_rtr_event(struct sppp *, void *); 390 static void sppp_rta_event(struct sppp *, void *); 391 static void sppp_rxj_event(struct sppp *, void *); 392 393 static void sppp_null(struct sppp *); 394 static void sppp_tls(const struct cp *, struct sppp *); 395 static void sppp_tlf(const struct cp *, struct sppp *); 396 static void sppp_screply(const struct cp *, struct sppp *, 397 u_char, uint8_t, size_t, void *); 398 static void sppp_ifdown(struct sppp *, void *); 399 400 static void sppp_lcp_init(struct sppp *); 401 static void sppp_lcp_up(struct sppp *, void *); 402 static void sppp_lcp_down(struct sppp *, void *); 403 static void sppp_lcp_open(struct sppp *, void *); 404 static enum cp_rcr_type 405 sppp_lcp_confreq(struct sppp *, struct lcp_header *, int, 406 uint8_t **, size_t *, size_t *); 407 static void sppp_lcp_confrej(struct sppp *, struct 
lcp_header *, int); 408 static void sppp_lcp_confnak(struct sppp *, struct lcp_header *, int); 409 static void sppp_lcp_tlu(struct sppp *); 410 static void sppp_lcp_tld(struct sppp *); 411 static void sppp_lcp_tls(const struct cp *, struct sppp *); 412 static void sppp_lcp_tlf(const struct cp *, struct sppp *); 413 static void sppp_lcp_scr(struct sppp *); 414 static void sppp_lcp_check_and_close(struct sppp *); 415 static int sppp_cp_check(struct sppp *, u_char); 416 static bool sppp_is_ncp_opened(struct sppp *); 417 418 static void sppp_ipcp_init(struct sppp *); 419 static void sppp_ipcp_open(struct sppp *, void *); 420 static void sppp_ipcp_close(struct sppp *, void *); 421 static enum cp_rcr_type 422 sppp_ipcp_confreq(struct sppp *, struct lcp_header *, int, 423 uint8_t **, size_t *, size_t *); 424 static void sppp_ipcp_confrej(struct sppp *, struct lcp_header *, int); 425 static void sppp_ipcp_confnak(struct sppp *, struct lcp_header *, int); 426 static void sppp_ipcp_tlu(struct sppp *); 427 static void sppp_ipcp_tld(struct sppp *); 428 static void sppp_ipcp_scr(struct sppp *); 429 430 static void sppp_ipv6cp_init(struct sppp *); 431 static void sppp_ipv6cp_open(struct sppp *, void *); 432 static enum cp_rcr_type 433 sppp_ipv6cp_confreq(struct sppp *, struct lcp_header *, int, 434 uint8_t **, size_t *, size_t *); 435 static void sppp_ipv6cp_confrej(struct sppp *, struct lcp_header *, int); 436 static void sppp_ipv6cp_confnak(struct sppp *, struct lcp_header *, int); 437 static void sppp_ipv6cp_tlu(struct sppp *); 438 static void sppp_ipv6cp_tld(struct sppp *); 439 static void sppp_ipv6cp_scr(struct sppp *); 440 441 static void sppp_pap_input(struct sppp *, struct mbuf *); 442 static void sppp_pap_init(struct sppp *); 443 static void sppp_pap_tlu(struct sppp *); 444 static void sppp_pap_scr(struct sppp *); 445 446 static void sppp_chap_input(struct sppp *, struct mbuf *); 447 static void sppp_chap_init(struct sppp *); 448 static void sppp_chap_open(struct sppp 
*, void *); 449 static void sppp_chap_tlu(struct sppp *); 450 static void sppp_chap_scr(struct sppp *); 451 static void sppp_chap_rcv_challenge_event(struct sppp *, void *); 452 453 static const char *sppp_auth_type_name(char *, size_t, u_short, u_char); 454 static const char *sppp_cp_type_name(char *, size_t, u_char); 455 static const char *sppp_dotted_quad(char *, size_t, uint32_t); 456 static const char *sppp_ipcp_opt_name(char *, size_t, u_char); 457 #ifdef INET6 458 static const char *sppp_ipv6cp_opt_name(char *, size_t, u_char); 459 #endif 460 static const char *sppp_lcp_opt_name(char *, size_t, u_char); 461 static const char *sppp_phase_name(int); 462 static const char *sppp_proto_name(char *, size_t, u_short); 463 static const char *sppp_state_name(int); 464 static int sppp_params(struct sppp *, u_long, void *); 465 #ifdef INET 466 static void sppp_get_ip_addrs(struct sppp *, uint32_t *, uint32_t *, uint32_t *); 467 static void sppp_set_ip_addrs(struct sppp *); 468 static void sppp_clear_ip_addrs(struct sppp *); 469 #endif 470 static void sppp_keepalive(void *); 471 static void sppp_phase_network(struct sppp *); 472 static void sppp_print_bytes(const u_char *, u_short); 473 static void sppp_print_string(const char *, u_short); 474 #ifdef INET6 475 static void sppp_get_ip6_addrs(struct sppp *, struct in6_addr *, 476 struct in6_addr *, struct in6_addr *); 477 #ifdef IPV6CP_MYIFID_DYN 478 static void sppp_set_ip6_addr(struct sppp *, const struct in6_addr *); 479 static void sppp_gen_ip6_addr(struct sppp *, const struct in6_addr *); 480 #endif 481 static void sppp_suggest_ip6_addr(struct sppp *, struct in6_addr *); 482 #endif 483 484 static void sppp_notify_up(struct sppp *); 485 static void sppp_notify_down(struct sppp *); 486 static void sppp_notify_tls_wlocked(struct sppp *); 487 static void sppp_notify_tlf_wlocked(struct sppp *); 488 489 /* our control protocol descriptors */ 490 static const struct cp lcp = { 491 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 492 
sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, 493 sppp_close_event, sppp_to_event, 494 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, 495 sppp_lcp_tlf, sppp_lcp_scr, sppp_screply, 496 sppp_lcp_confreq, sppp_lcp_confrej, sppp_lcp_confnak 497 }; 498 499 static const struct cp ipcp = { 500 PPP_IPCP, IDX_IPCP, 501 #ifdef INET 502 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 503 #else 504 0, 505 #endif 506 "ipcp", 507 sppp_up_event, sppp_down_event, sppp_ipcp_open, 508 sppp_ipcp_close, sppp_to_event, 509 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_tls, 510 sppp_tlf, sppp_ipcp_scr, sppp_screply, 511 sppp_ipcp_confreq, sppp_ipcp_confrej, sppp_ipcp_confnak, 512 }; 513 514 static const struct cp ipv6cp = { 515 PPP_IPV6CP, IDX_IPV6CP, 516 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 517 CP_NCP, 518 #else 519 0, 520 #endif 521 "ipv6cp", 522 sppp_up_event, sppp_down_event, sppp_ipv6cp_open, 523 sppp_close_event, sppp_to_event, 524 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_tls, 525 sppp_tlf, sppp_ipv6cp_scr, sppp_screply, 526 sppp_ipv6cp_confreq, sppp_ipv6cp_confrej, sppp_ipv6cp_confnak, 527 }; 528 529 static const struct cp pap = { 530 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 531 sppp_up_event, sppp_down_event, sppp_open_event, 532 sppp_close_event, sppp_auth_to_event, 533 sppp_pap_tlu, sppp_null, sppp_tls, sppp_tlf, 534 sppp_pap_scr, sppp_auth_screply, 535 NULL, NULL, NULL 536 }; 537 538 static const struct cp chap = { 539 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 540 sppp_up_event, sppp_down_event, sppp_chap_open, 541 sppp_close_event, sppp_auth_to_event, 542 sppp_chap_tlu, sppp_null, sppp_tls, sppp_tlf, 543 sppp_chap_scr, sppp_auth_screply, 544 NULL, NULL, NULL 545 }; 546 547 static const struct cp *cps[IDX_COUNT] = { 548 &lcp, /* IDX_LCP */ 549 &ipcp, /* IDX_IPCP */ 550 &ipv6cp, /* IDX_IPV6CP */ 551 &pap, /* IDX_PAP */ 552 &chap, /* IDX_CHAP */ 553 }; 554 555 static inline u_int 556 sppp_proto2authproto(u_short proto) 557 { 558 559 switch (proto) { 560 case PPP_PAP: 561 return 
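SPPP_AUTHPROTO_PAP;
	case PPP_CHAP:
		return SPPP_AUTHPROTO_CHAP;
	}

	return SPPP_AUTHPROTO_NONE;
}

/*
 * Map an SPPP_AUTHPROTO_* value to the PPP protocol number of the
 * matching authentication protocol.  Any other value yields PPP_NOPROTO.
 */
static inline u_short
sppp_authproto2proto(u_int authproto)
{

	switch (authproto) {
	case SPPP_AUTHPROTO_PAP:
		return PPP_PAP;
	case SPPP_AUTHPROTO_CHAP:
		return PPP_CHAP;
	}

	return PPP_NOPROTO;
}

/*
 * Return true only when sp is non-NULL and its interface has IFF_DEBUG set.
 */
static inline bool
sppp_debug_enabled(struct sppp *sp)
{

	if (__predict_false(sp == NULL))
		return false;

	if ((sp->pp_if.if_flags & IFF_DEBUG) == 0)
		return false;

	return true;
}

/*
 * Record a new PPP phase.  The caller must hold the sppp lock as writer.
 * Nothing happens when the phase is unchanged; otherwise the link state
 * is reported up for SPPP_PHASE_NETWORK and down for every other phase,
 * and the new phase is logged when debugging is enabled.
 */
static void
sppp_change_phase(struct sppp *sp, int phase)
{
	struct ifnet *ifp = &sp->pp_if;

	KASSERT(SPPP_WLOCKED(sp));

	if (sp->pp_phase == phase)
		return;

	sp->pp_phase = phase;

	if (phase == SPPP_PHASE_NETWORK)
		if_link_state_change(ifp, LINK_STATE_UP);
	else
		if_link_state_change(ifp, LINK_STATE_DOWN);

	SPPP_DLOG(sp, "phase %s\n",
	    sppp_phase_name(sp->pp_phase));
}

/*
 * Exported functions, comprising our interface to the lower layer.
 */

/*
 * Process the received packet.
 *
 * The link header is stripped (the full PPP header, or only the 2-byte
 * protocol field when PP_DEVF_NOFRAMING is set) and the packet is
 * dispatched on its protocol number: LCP, PAP, CHAP, IPCP and IPv6CP go
 * to their input routines under the write lock, IP and IPv6 are enqueued
 * on the matching packet queue when the corresponding NCP is opened.
 * Unknown or disabled protocols are answered with an LCP Protocol-Reject
 * while LCP is opened.
 *
 * The mbuf is consumed on every path visible here: it is freed, handed to
 * a control-protocol input routine, or enqueued.
 */
void
sppp_input(struct ifnet *ifp, struct mbuf *m)
{
	struct ppp_header *h = NULL;
	pktqueue_t *pktq = NULL;
	uint16_t protocol;
	struct sppp *sp = (struct sppp *)ifp;

	/* No RPS for not-IP. */
	pktq_rps_hash_func_t rps_hash = NULL;

	if (ifp->if_flags & IFF_UP) {
		/* Count received bytes, add hardware framing */
		if_statadd(ifp, if_ibytes, m->m_pkthdr.len + sp->pp_framebytes);
		/* Note time of last receive */
		sp->pp_last_receive = time_uptime;
	}

	/*
	 * NOTE(review): this test is on m_pkthdr.len (the whole chain),
	 * while the mtod() reads below look only at the first mbuf.  That
	 * presumably relies on the driver handing up the header
	 * contiguously -- confirm, or m_pullup() before parsing.
	 */
	if (m->m_pkthdr.len <= PPP_HEADER_LEN) {
		/* Too small packet, drop it. */
		SPPP_DLOG(sp, "input packet is too small, "
		    "%d bytes\n", m->m_pkthdr.len);
		goto drop;
	}

	if (ISSET(sp->pp_dev_flags, PP_DEVF_NOFRAMING)) {
		/* Only the protocol field precedes the payload. */
		memcpy(&protocol, mtod(m, void *), 2);
		protocol = ntohs(protocol);
		m_adj(m, 2);
	} else {

		/* Get PPP header. */
		h = mtod(m, struct ppp_header *);
		m_adj(m, PPP_HEADER_LEN);

		switch (h->address) {
		case PPP_ALLSTATIONS:
			if (h->control != PPP_UI)
				goto invalid;
			break;
		case CISCO_MULTICAST:
		case CISCO_UNICAST:
			/* Don't check the control field here (RFC 1547). */
			SPPP_DLOG(sp, "Cisco packet in PPP mode "
			    "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
			    h->address, h->control, ntohs(h->protocol));
			goto drop;
		default:	/* Invalid PPP packet. */
		  invalid:
			SPPP_DLOG(sp, "invalid input packet "
			    "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
			    h->address, h->control, ntohs(h->protocol));
			goto drop;
		}
		protocol = ntohs(h->protocol);
	}

	switch (protocol) {
	reject_protocol:
		/* Entered by goto only; every jump here holds the write lock. */
		KASSERT(SPPP_WLOCKED(sp));

		if (sp->scp[IDX_LCP].state == STATE_OPENED) {
			uint16_t prot = htons(protocol);

			sppp_cp_send(sp, PPP_LCP, PROTO_REJ,
			    ++sp->scp[IDX_LCP].seq, sizeof(prot), &prot);
		}
		SPPP_UNLOCK(sp);
		if_statinc(ifp, if_noproto);
		goto drop;
	default:
		SPPP_DLOG(sp, "invalid input protocol "
		    "<proto=0x%x>\n", protocol);
		/*
		 * reject_protocol asserts the write lock and releases it.
		 * A peer chooses the protocol number, so this path is
		 * reachable from the wire; take the lock here just as the
		 * IPCP and IPv6CP cases do before jumping there, otherwise
		 * the assertion fails and an unheld lock is released.
		 */
		SPPP_LOCK(sp, RW_WRITER);
		goto reject_protocol;
	case PPP_LCP:
		SPPP_LOCK(sp, RW_WRITER);
		sppp_cp_input(&lcp, sp, m);
		/* already m_freem(m) */
		SPPP_UNLOCK(sp);
		return;
	case PPP_PAP:
		/* Authentication packets before that phase are discarded. */
		SPPP_LOCK(sp, RW_WRITER);
		if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) {
			sppp_pap_input(sp, m);
		}
		SPPP_UNLOCK(sp);
		m_freem(m);
		return;
	case PPP_CHAP:
		SPPP_LOCK(sp, RW_WRITER);
		if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) {
			sppp_chap_input(sp, m);
		}
		SPPP_UNLOCK(sp);
		m_freem(m);
		return;
#ifdef INET
	case PPP_IPCP:
		SPPP_LOCK(sp, RW_WRITER);
		if (!ISSET(sp->pp_ncpflags, SPPP_NCP_IPCP)) {
			SPPP_LOG(sp, LOG_INFO, "reject IPCP packet "
			    "because IPCP is disabled\n");
			goto reject_protocol;
		}
		if (sp->pp_phase == SPPP_PHASE_NETWORK) {
			sppp_cp_input(&ipcp, sp, m);
			/* already m_freem(m) */
		} else {
			m_freem(m);
		}
		SPPP_UNLOCK(sp);
		return;
	case PPP_IP:
		/*
		 * NOTE(review): this case takes the lock as reader while
		 * PPP_IPV6 below takes it as writer for the same work,
		 * including the pp_last_activity store -- confirm which is
		 * intended.
		 */
		SPPP_LOCK(sp, RW_READER);
		if (sp->scp[IDX_IPCP].state == STATE_OPENED) {
			sp->pp_last_activity = time_uptime;
			pktq = ip_pktq;
			rps_hash = atomic_load_relaxed(&sppp_pktq_rps_hash_p);
		}
		SPPP_UNLOCK(sp);
		break;
#endif
#ifdef INET6
	case PPP_IPV6CP:
		SPPP_LOCK(sp, RW_WRITER);
		if (!ISSET(sp->pp_ncpflags, SPPP_NCP_IPV6CP)) {
			SPPP_LOG(sp, LOG_INFO, "reject IPv6CP packet "
			    "because IPv6CP is disabled\n");
			goto reject_protocol;
		}
		if (sp->pp_phase == SPPP_PHASE_NETWORK) {
			sppp_cp_input(&ipv6cp, sp, m);
			/* already m_freem(m) */
		} else {
			m_freem(m);
		}
		SPPP_UNLOCK(sp);
		return;

	case PPP_IPV6:
		SPPP_LOCK(sp, RW_WRITER);
		if (sp->scp[IDX_IPV6CP].state == STATE_OPENED) {
			sp->pp_last_activity = time_uptime;
			pktq = ip6_pktq;
			rps_hash = atomic_load_relaxed(&sppp_pktq_rps_hash_p);
		}
		SPPP_UNLOCK(sp);
		break;
#endif
	}

	/* pktq stays NULL when the matching NCP is not opened. */
	if ((ifp->if_flags & IFF_UP) == 0 || pktq == NULL) {
		goto drop;
	}

	/* Check queue. */
	const uint32_t hash = rps_hash ? pktq_rps_hash(&rps_hash, m) : 0;
	if (__predict_false(!pktq_enqueue(pktq, m, hash))) {
		goto drop;
	}
	return;

drop:
	if_statadd2(ifp, if_ierrors, 1, if_iqdrops, 1);
	m_freem(m);
	return;
}

/*
 * Enqueue transmit packet.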
*/
/*
 * sppp_output checks the interface state and the destination address
 * family, prepends the link header (PPP_HEADER_LEN bytes, or only the
 * 2-byte protocol field when PP_DEVF_NOFRAMING is set) and passes the
 * packet to the transmit path.
 *
 * Returns 0 or an errno value.  Every early-return path visible here
 * frees the mbuf first; after a failed M_PREPEND m is NULL (presumably
 * the macro released the chain itself -- confirm).  rt is not referenced
 * in this function.
 *
 * NOTE(review): pp_dev_flags is tested twice without the sppp lock.  `h'
 * is set only by the first test and dereferenced in the else-branch of
 * the second, so this assumes PP_DEVF_NOFRAMING cannot change during the
 * call -- confirm.
 */
static int
sppp_output(struct ifnet *ifp, struct mbuf *m,
    const struct sockaddr *dst, const struct rtentry *rt)
{
	struct sppp *sp = (struct sppp *) ifp;
	struct ppp_header *h = NULL;
#ifndef SPPPSUBR_MPSAFE
	struct ifqueue *ifq = NULL;	/* XXX */
#endif
	int error = 0;
	uint16_t protocol;
	size_t pktlen;

	sp->pp_last_activity = time_uptime;

	/* Interface down, or neither running nor set to auto-dial. */
	if ((ifp->if_flags & IFF_UP) == 0 ||
	    (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) {
		m_freem(m);
		if_statinc(ifp, if_oerrors);
		return (ENETDOWN);
	}

	if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) {
		/* ignore packets that have no enabled NCP */
		SPPP_LOCK(sp, RW_READER);
		if ((dst->sa_family == AF_INET &&
		    !ISSET(sp->pp_ncpflags, SPPP_NCP_IPCP)) ||
		    (dst->sa_family == AF_INET6 &&
		    !ISSET(sp->pp_ncpflags, SPPP_NCP_IPV6CP))) {
			SPPP_UNLOCK(sp);

			m_freem(m);
			if_statinc(ifp, if_oerrors);
			return (ENETDOWN);
		}
		SPPP_UNLOCK(sp);
		/*
		 * Interface is not yet running, but auto-dial.  Need
		 * to start LCP for it.
		 *
		 * NOTE(review): if_flags is modified after SPPP_UNLOCK;
		 * whether another lock covers it is not visible here.
		 */
		ifp->if_flags |= IFF_RUNNING;
		sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open);
	}

	/*
	 * If the queueing discipline needs packet classification,
	 * do it before prepending link headers.
	 */
	IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family);

#ifdef INET
	if (dst->sa_family == AF_INET) {
		struct ip *ip = NULL;
#ifndef SPPPSUBR_MPSAFE
		struct tcphdr *th = NULL;
#endif

		/* Only look at the IP header when the first mbuf holds it. */
		if (m->m_len >= sizeof(struct ip)) {
			ip = mtod(m, struct ip *);
#ifndef SPPPSUBR_MPSAFE
			/*
			 * NOTE(review): ip_hl << 2 already covers the IP
			 * header, so adding sizeof(struct ip) makes this
			 * bound stricter than the read of th needs.  It
			 * errs on the safe side, at the cost of leaving
			 * some short TCP segments unclassified.
			 */
			if (ip->ip_p == IPPROTO_TCP &&
			    m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) +
			    sizeof(struct tcphdr)) {
				th = (struct tcphdr *)
				    ((char *)ip + (ip->ip_hl << 2));
			}
#endif
		} else
			ip = NULL;

		/*
		 * When using dynamic local IP address assignment by using
		 * 0.0.0.0 as a local address, the first TCP session will
		 * not connect because the local TCP checksum is computed
		 * using 0.0.0.0 which will later become our real IP address
		 * so the TCP checksum computed at the remote end will
		 * become invalid. So we
		 * - don't let packets with src ip addr 0 thru
		 * - we flag TCP packets with src ip 0 as an error
		 */
		if (ip && ip->ip_src.s_addr == INADDR_ANY) {
			/* Read ip_p before the mbuf that holds it is freed. */
			uint8_t proto = ip->ip_p;

			m_freem(m);
			if (proto == IPPROTO_TCP)
				return (EADDRNOTAVAIL);
			else
				return (0);
		}

#ifndef SPPPSUBR_MPSAFE
		/*
		 * Put low delay, telnet, rlogin and ftp control packets
		 * in front of the queue.
		 */
		if (!IF_QFULL(&sp->pp_fastq) &&
		    ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) ||
		    (th && (INTERACTIVE(ntohs(th->th_sport)) ||
		    INTERACTIVE(ntohs(th->th_dport))))))
			ifq = &sp->pp_fastq;
#endif /* !SPPPSUBR_MPSAFE */
	}
#endif

#ifdef INET6
	if (dst->sa_family == AF_INET6) {
		/* XXX do something tricky here? */
	}
#endif

	if (!ISSET(sp->pp_dev_flags, PP_DEVF_NOFRAMING)) {
		/*
		 * Prepend general data packet PPP header. For now, IP only.
		 */
		M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT);
		if (! m) {
			SPPP_DLOG(sp, "no memory for transmit header\n");
			if_statinc(ifp, if_oerrors);
			return (ENOBUFS);
		}
		/*
		 * May want to check size of packet
		 * (albeit due to the implementation it's always enough)
		 */
		h = mtod(m, struct ppp_header *);
		h->address = PPP_ALLSTATIONS;	/* broadcast address */
		h->control = PPP_UI;		/* Unnumbered Info */
		/* h->protocol is filled in once the family is known. */
	}

	switch (dst->sa_family) {
#ifdef INET
	case AF_INET:	/* Internet Protocol */
		/*
		 * Don't choke with an ENETDOWN early.  It's
		 * possible that we just started dialing out,
		 * so don't drop the packet immediately.  If
		 * we notice that we run out of buffer space
		 * below, we will however remember that we are
		 * not ready to carry IP packets, and return
		 * ENETDOWN, as opposed to ENOBUFS.
		 */
		protocol = htons(PPP_IP);
		SPPP_LOCK(sp, RW_READER);
		if (sp->scp[IDX_IPCP].state != STATE_OPENED) {
			if (ifp->if_flags & IFF_AUTO) {
				/* The packet is dropped after the switch. */
				error = ENETDOWN;
			} else {
				SPPP_UNLOCK(sp);

				m_freem(m);
				if_statinc(ifp, if_oerrors);
				return (ENETDOWN);
			}
		}
		SPPP_UNLOCK(sp);
		break;
#endif
#ifdef INET6
	case AF_INET6:	/* Internet Protocol version 6 */
		/*
		 * Don't choke with an ENETDOWN early.  It's
		 * possible that we just started dialing out,
		 * so don't drop the packet immediately.  If
		 * we notice that we run out of buffer space
		 * below, we will however remember that we are
		 * not ready to carry IP packets, and return
		 * ENETDOWN, as opposed to ENOBUFS.
		 */
		protocol = htons(PPP_IPV6);
		SPPP_LOCK(sp, RW_READER);
		if (sp->scp[IDX_IPV6CP].state != STATE_OPENED) {
			if (ifp->if_flags & IFF_AUTO) {
				/* The packet is dropped after the switch. */
				error = ENETDOWN;
			} else {
				SPPP_UNLOCK(sp);

				m_freem(m);
				if_statinc(ifp, if_oerrors);
				return (ENETDOWN);
			}
		}
		SPPP_UNLOCK(sp);
		break;
#endif
	default:
		m_freem(m);
		if_statinc(ifp, if_oerrors);
		return (EAFNOSUPPORT);
	}

	/* NCP not opened on an auto-dial interface: count a queue drop. */
	if (error == ENETDOWN) {
		IF_DROP(&ifp->if_snd);
		m_freem(m);
		return error;
	}

	if (ISSET(sp->pp_dev_flags, PP_DEVF_NOFRAMING)) {
		M_PREPEND(m, 2, M_DONTWAIT);
		if (m == NULL) {
			SPPP_DLOG(sp, "no memory for transmit header\n");
			if_statinc(ifp, if_oerrors);
			return (ENOBUFS);
		}
		/*
		 * NOTE(review): direct 16-bit store, whereas sppp_input
		 * reads the same field with memcpy.  This assumes the
		 * data pointer is suitably aligned after M_PREPEND --
		 * confirm for strict-alignment ports.
		 */
		*mtod(m, uint16_t *) = protocol;
	} else {
		h->protocol = protocol;
	}

	/* Sample the length before the transmit path takes the mbuf. */
	pktlen = m->m_pkthdr.len;
#ifdef SPPPSUBR_MPSAFE
	error = if_transmit_lock(ifp, m);
	if (error == 0)
		if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes);
#else /* !SPPPSUBR_MPSAFE */
	error = ifq_enqueue2(ifp, ifq, m);

	if (error == 0) {
		/*
		 * Count output packets and bytes.
		 * The packet length includes header + additional hardware
		 * framing according to RFC 1333.
		 */
		if (!(ifp->if_flags & IFF_OACTIVE)) {
			if_start_lock(ifp);
		}
		if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes);
	}
#endif /* !SPPPSUBR_MPSAFE */
	return error;
}

/*
 * sysctl handler for the per-interface flag nodes.  The node name selects
 * the pp_flags bit; only "ifdown" (PP_IFDOWN) is recognised, any other
 * name returns EINVAL.  The current bit is reported as 0 or 1.
 */
static int
sppp_sysctl_flags(SYSCTLFN_ARGS)
{
	struct sppp *sp = rnode->sysctl_data;
	const char *s = rnode->sysctl_name;
	struct sysctlnode node;
	int err, val;
	u_int flag;

	if (strcmp(s, "ifdown") == 0) {
		flag = PP_IFDOWN;
	} else {
		return EINVAL;
	}

	SPPP_LOCK(sp, RW_READER);
	val = (sp->pp_flags & flag) ?
1 : 0; 1043 SPPP_UNLOCK(sp); 1044 1045 node = *rnode; 1046 node.sysctl_data = &val; 1047 1048 err = sysctl_lookup(SYSCTLFN_CALL(&node)); 1049 if (err || newp == NULL) 1050 return err; 1051 1052 SPPP_LOCK(sp, RW_WRITER); 1053 if (val == 1) { 1054 sp->pp_flags |= flag; 1055 } else { 1056 sp->pp_flags &= ~flag; 1057 } 1058 SPPP_UNLOCK(sp); 1059 1060 return 0; 1061 } 1062 1063 static void 1064 sppp_sysctl_setup(struct sppp *sp) 1065 { 1066 struct sysctllog **clog = &sp->pp_sysctl_log; 1067 const struct sysctlnode *rnode = NULL, *cnode = NULL; 1068 int err; 1069 1070 err = sysctl_createv(clog, 0, NULL, &rnode, 1071 CTLFLAG_PERMANENT, 1072 CTLTYPE_NODE, "sppp", 1073 SYSCTL_DESCR("Synchronous Point-to-Point Protocol controls"), 1074 NULL, 0, NULL, 0, 1075 CTL_NET, CTL_CREATE, CTL_EOL); 1076 if (err != 0) 1077 goto bad; 1078 1079 err = sysctl_createv(clog, 0, &rnode, &rnode, 1080 CTLFLAG_PERMANENT, 1081 CTLTYPE_NODE, sp->pp_if.if_xname, 1082 SYSCTL_DESCR("Interface controls"), 1083 NULL, 0, NULL, 0, 1084 CTL_CREATE, CTL_EOL); 1085 if (err != 0) 1086 goto bad; 1087 1088 err = sysctl_createv(clog, 0, &rnode, &cnode, 1089 CTLFLAG_PERMANENT | CTLFLAG_READWRITE, 1090 CTLTYPE_INT, "ifdown", 1091 SYSCTL_DESCR("Down interface on no echo reply and loopback detected"), 1092 sppp_sysctl_flags, 0, (void *)sp, 0, 1093 CTL_CREATE, CTL_EOL); 1094 if (err != 0) 1095 goto bad; 1096 1097 return; 1098 bad: 1099 printf("%s: could not attach sysctl nodes for sppp\n", 1100 sp->pp_if.if_xname); 1101 return; 1102 } 1103 1104 void 1105 sppp_attach(struct ifnet *ifp) 1106 { 1107 struct sppp *sp = (struct sppp *) ifp; 1108 char xnamebuf[MAXCOMLEN]; 1109 1110 /* Initialize keepalive handler. */ 1111 if (! spppq) { 1112 callout_init(&keepalive_ch, CALLOUT_MPSAFE); 1113 callout_setfunc(&keepalive_ch, sppp_keepalive, NULL); 1114 callout_schedule(&keepalive_ch, hz * sppp_keepalive_interval); 1115 } 1116 1117 if (! 
spppq_lock) 1118 spppq_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_SOFTNET); 1119 1120 sp->pp_if.if_type = IFT_PPP; 1121 sp->pp_if.if_output = sppp_output; 1122 IFQ_SET_MAXLEN(&sp->pp_fastq, 32); 1123 IFQ_LOCK_INIT(&sp->pp_fastq); 1124 IFQ_SET_MAXLEN(&sp->pp_cpq, 20); 1125 sp->pp_loopcnt = 0; 1126 sp->pp_alivecnt = 0; 1127 sp->pp_alive_interval = SPPP_ALIVE_INTERVAL; 1128 sp->pp_last_activity = 0; 1129 sp->pp_last_receive = 0; 1130 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 1131 sp->pp_max_noreceive = SPPP_NORECV_TIME; 1132 sp->pp_idle_timeout = 0; 1133 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 1134 sp->pp_phase = SPPP_PHASE_DEAD; 1135 sp->pp_up = sppp_notify_up; 1136 sp->pp_down = sppp_notify_down; 1137 sp->pp_ncpflags = SPPP_NCP_IPCP | SPPP_NCP_IPV6CP; 1138 #ifdef SPPP_IFDOWN_RECONNECT 1139 sp->pp_flags |= PP_IFDOWN; 1140 #endif 1141 sppp_wq_set(&sp->work_ifdown, sppp_ifdown, NULL); 1142 memset(sp->scp, 0, sizeof(sp->scp)); 1143 rw_init(&sp->pp_lock); 1144 sppp_sysctl_setup(sp); 1145 1146 if_alloc_sadl(ifp); 1147 1148 /* Lets not beat about the bush, we know we're down. */ 1149 if_link_state_change(ifp, LINK_STATE_DOWN); 1150 1151 snprintf(xnamebuf, sizeof(xnamebuf), "%s.wq_cp", ifp->if_xname); 1152 sp->wq_cp = sppp_wq_create(sp, xnamebuf, 1153 PRI_SOFTNET, IPL_SOFTNET, WQ_MPSAFE); 1154 1155 memset(&sp->myauth, 0, sizeof sp->myauth); 1156 memset(&sp->hisauth, 0, sizeof sp->hisauth); 1157 SPPP_LOCK(sp, RW_WRITER); 1158 sppp_lcp_init(sp); 1159 sppp_ipcp_init(sp); 1160 sppp_ipv6cp_init(sp); 1161 sppp_pap_init(sp); 1162 sppp_chap_init(sp); 1163 SPPP_UNLOCK(sp); 1164 1165 SPPPQ_LOCK(); 1166 /* Insert new entry into the keepalive list. */ 1167 sp->pp_next = spppq; 1168 spppq = sp; 1169 SPPPQ_UNLOCK(); 1170 } 1171 1172 void 1173 sppp_detach(struct ifnet *ifp) 1174 { 1175 struct sppp **q, *p, *sp = (struct sppp *) ifp; 1176 1177 /* Remove the entry from the keepalive list. 
*/ 1178 SPPPQ_LOCK(); 1179 for (q = &spppq; (p = *q); q = &p->pp_next) 1180 if (p == sp) { 1181 *q = p->pp_next; 1182 break; 1183 } 1184 SPPPQ_UNLOCK(); 1185 1186 if (! spppq) { 1187 /* Stop keepalive handler. */ 1188 callout_stop(&keepalive_ch); 1189 mutex_obj_free(spppq_lock); 1190 spppq_lock = NULL; 1191 } 1192 1193 sysctl_teardown(&sp->pp_sysctl_log); 1194 sppp_cp_fini(&lcp, sp); 1195 sppp_cp_fini(&ipcp, sp); 1196 sppp_cp_fini(&pap, sp); 1197 sppp_cp_fini(&chap, sp); 1198 #ifdef INET6 1199 sppp_cp_fini(&ipv6cp, sp); 1200 #endif 1201 sppp_wq_destroy(sp, sp->wq_cp); 1202 1203 /* free authentication info */ 1204 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 1205 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 1206 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 1207 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 1208 1209 IFQ_LOCK_DESTROY(&sp->pp_fastq); 1210 rw_destroy(&sp->pp_lock); 1211 } 1212 1213 /* 1214 * Flush the interface output queue. 1215 */ 1216 void 1217 sppp_flush(struct ifnet *ifp) 1218 { 1219 struct sppp *sp = (struct sppp *) ifp; 1220 1221 SPPP_LOCK(sp, RW_WRITER); 1222 IFQ_PURGE(&sp->pp_if.if_snd); 1223 IF_PURGE(&sp->pp_fastq); 1224 IF_PURGE(&sp->pp_cpq); 1225 SPPP_UNLOCK(sp); 1226 } 1227 1228 /* 1229 * Check if the output queue is empty. 1230 */ 1231 int 1232 sppp_isempty(struct ifnet *ifp) 1233 { 1234 struct sppp *sp = (struct sppp *) ifp; 1235 int empty; 1236 1237 SPPP_LOCK(sp, RW_READER); 1238 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 1239 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 1240 SPPP_UNLOCK(sp); 1241 return (empty); 1242 } 1243 1244 /* 1245 * Get next packet to send. 1246 */ 1247 struct mbuf * 1248 sppp_dequeue(struct ifnet *ifp) 1249 { 1250 struct sppp *sp = (struct sppp *) ifp; 1251 struct mbuf *m; 1252 1253 SPPP_LOCK(sp, RW_WRITER); 1254 /* 1255 * Process only the control protocol queue until we have at 1256 * least one NCP opened. 
1257 */ 1258 IF_DEQUEUE(&sp->pp_cpq, m); 1259 if (m == NULL && sppp_is_ncp_opened(sp)) { 1260 IF_DEQUEUE(&sp->pp_fastq, m); 1261 if (m == NULL) 1262 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 1263 } 1264 SPPP_UNLOCK(sp); 1265 return m; 1266 } 1267 1268 /* 1269 * Process an ioctl request. Called on low priority level. 1270 */ 1271 int 1272 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1273 { 1274 struct lwp *l = curlwp; /* XXX */ 1275 struct ifreq *ifr = (struct ifreq *) data; 1276 struct ifaddr *ifa = (struct ifaddr *) data; 1277 struct sppp *sp = (struct sppp *) ifp; 1278 int error=0, going_up, going_down; 1279 u_short newmode; 1280 u_long lcp_mru; 1281 1282 switch (cmd) { 1283 case SIOCINITIFADDR: 1284 ifa->ifa_rtrequest = p2p_rtrequest; 1285 break; 1286 1287 case SIOCSIFFLAGS: 1288 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1289 break; 1290 1291 SPPP_LOCK(sp, RW_WRITER); 1292 going_up = ifp->if_flags & IFF_UP && 1293 (ifp->if_flags & IFF_RUNNING) == 0; 1294 going_down = (ifp->if_flags & IFF_UP) == 0 && 1295 ifp->if_flags & IFF_RUNNING; 1296 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1297 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1298 /* sanity */ 1299 newmode = IFF_PASSIVE; 1300 ifp->if_flags &= ~IFF_AUTO; 1301 } 1302 1303 if (going_up || going_down) { 1304 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 1305 } 1306 if (going_up) { 1307 /* Always-on connection */ 1308 if (newmode != IFF_AUTO) { 1309 ifp->if_flags |= IFF_RUNNING; 1310 sppp_wq_add(sp->wq_cp, 1311 &sp->scp[IDX_LCP].work_open); 1312 } 1313 } else if (going_down) { 1314 SPPP_UNLOCK(sp); 1315 sppp_flush(ifp); 1316 SPPP_LOCK(sp, RW_WRITER); 1317 1318 ifp->if_flags &= ~IFF_RUNNING; 1319 } 1320 SPPP_UNLOCK(sp); 1321 break; 1322 1323 case SIOCSIFMTU: 1324 if (ifr->ifr_mtu < PPP_MINMRU || 1325 ifr->ifr_mtu > PP_MTU) { 1326 error = EINVAL; 1327 break; 1328 } 1329 1330 error = ifioctl_common(ifp, cmd, data); 1331 if (error == ENETRESET) 1332 error = 0; 1333 1334 SPPP_LOCK(sp, 
RW_WRITER); 1335 lcp_mru = sp->lcp.mru; 1336 if (ifp->if_mtu < PP_MTU) { 1337 sp->lcp.mru = ifp->if_mtu; 1338 } else { 1339 sp->lcp.mru = PP_MTU; 1340 } 1341 if (lcp_mru != sp->lcp.mru) 1342 SET(sp->lcp.opts, SPPP_LCP_OPT_MRU); 1343 1344 if (sp->scp[IDX_LCP].state == STATE_OPENED && 1345 ifp->if_mtu > sp->lcp.their_mru) { 1346 sp->pp_saved_mtu = ifp->if_mtu; 1347 ifp->if_mtu = sp->lcp.their_mru; 1348 1349 SPPP_DLOG(sp, "setting MTU " 1350 "from %"PRIu64" bytes to %"PRIu64" bytes\n", 1351 sp->pp_saved_mtu, ifp->if_mtu); 1352 } 1353 SPPP_UNLOCK(sp); 1354 break; 1355 1356 case SIOCGIFMTU: 1357 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1358 error = 0; 1359 break; 1360 case SIOCADDMULTI: 1361 case SIOCDELMULTI: 1362 break; 1363 1364 case SPPPSETAUTHCFG: 1365 case SPPPSETLCPCFG: 1366 case SPPPSETNCPCFG: 1367 case SPPPSETIDLETO: 1368 case SPPPSETAUTHFAILURE: 1369 case SPPPSETDNSOPTS: 1370 case SPPPSETKEEPALIVE: 1371 #if defined(COMPAT_50) || defined(MODULAR) 1372 case __SPPPSETIDLETO50: 1373 case __SPPPSETKEEPALIVE50: 1374 #endif /* COMPAT_50 || MODULAR */ 1375 error = kauth_authorize_network(l->l_cred, 1376 KAUTH_NETWORK_INTERFACE, 1377 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1378 NULL); 1379 if (error) 1380 break; 1381 error = sppp_params(sp, cmd, data); 1382 break; 1383 1384 case SPPPGETAUTHCFG: 1385 case SPPPGETLCPCFG: 1386 case SPPPGETNCPCFG: 1387 case SPPPGETAUTHFAILURES: 1388 error = kauth_authorize_network(l->l_cred, 1389 KAUTH_NETWORK_INTERFACE, 1390 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1391 NULL); 1392 if (error) 1393 break; 1394 error = sppp_params(sp, cmd, data); 1395 break; 1396 1397 case SPPPGETSTATUS: 1398 case SPPPGETSTATUSNCP: 1399 case SPPPGETIDLETO: 1400 case SPPPGETDNSOPTS: 1401 case SPPPGETDNSADDRS: 1402 case SPPPGETKEEPALIVE: 1403 #if defined(COMPAT_50) || defined(MODULAR) 1404 case __SPPPGETIDLETO50: 1405 case __SPPPGETKEEPALIVE50: 1406 #endif /* COMPAT_50 || MODULAR */ 1407 case SPPPGETLCPSTATUS: 
1408 case SPPPGETIPCPSTATUS: 1409 case SPPPGETIPV6CPSTATUS: 1410 error = sppp_params(sp, cmd, data); 1411 break; 1412 1413 default: 1414 error = ifioctl_common(ifp, cmd, data); 1415 break; 1416 } 1417 return (error); 1418 } 1419 1420 /* 1421 * PPP protocol implementation. 1422 */ 1423 1424 /* 1425 * Send PPP control protocol packet. 1426 */ 1427 static void 1428 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1429 u_char ident, u_short len, void *data) 1430 { 1431 struct ifnet *ifp = &sp->pp_if; 1432 struct lcp_header *lh; 1433 struct mbuf *m; 1434 size_t pkthdrlen; 1435 1436 KASSERT(SPPP_WLOCKED(sp)); 1437 1438 pkthdrlen = ISSET(sp->pp_dev_flags, PP_DEVF_NOFRAMING) ? 1439 2 : PPP_HEADER_LEN; 1440 1441 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1442 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1443 MGETHDR(m, M_DONTWAIT, MT_DATA); 1444 if (! m) { 1445 return; 1446 } 1447 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1448 m_reset_rcvif(m); 1449 1450 if (ISSET(sp->pp_dev_flags, PP_DEVF_NOFRAMING)) { 1451 *mtod(m, uint16_t *) = htons(proto); 1452 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1453 } else { 1454 struct ppp_header *h; 1455 h = mtod(m, struct ppp_header *); 1456 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1457 h->control = PPP_UI; /* Unnumbered Info */ 1458 h->protocol = htons(proto); /* Link Control Protocol */ 1459 lh = (struct lcp_header *)(h + 1); 1460 } 1461 lh->type = type; 1462 lh->ident = ident; 1463 lh->len = htons(LCP_HEADER_LEN + len); 1464 if (len) 1465 memcpy(lh + 1, data, len); 1466 1467 if (sppp_debug_enabled(sp)) { 1468 char pbuf[SPPP_PROTO_NAMELEN]; 1469 char tbuf[SPPP_CPTYPE_NAMELEN]; 1470 const char *pname, *cpname; 1471 1472 pname = sppp_proto_name(pbuf, sizeof(pbuf), proto); 1473 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), lh->type); 1474 SPPP_LOG(sp, LOG_DEBUG, "%s output <%s id=0x%x len=%d", 1475 pname, cpname, lh->ident, ntohs(lh->len)); 1476 if (len) 1477 sppp_print_bytes((u_char *)(lh 
+ 1), len); 1478 addlog(">\n"); 1479 } 1480 if (IF_QFULL(&sp->pp_cpq)) { 1481 IF_DROP(&sp->pp_fastq); 1482 IF_DROP(&ifp->if_snd); 1483 m_freem(m); 1484 return; 1485 } 1486 1487 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 1488 IF_ENQUEUE(&sp->pp_cpq, m); 1489 1490 if (! (ifp->if_flags & IFF_OACTIVE)) { 1491 SPPP_UNLOCK(sp); 1492 if_start_lock(ifp); 1493 SPPP_LOCK(sp, RW_WRITER); 1494 } 1495 } 1496 1497 static void 1498 sppp_cp_to_lcp(void *xsp) 1499 { 1500 struct sppp *sp = xsp; 1501 1502 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_to); 1503 } 1504 1505 static void 1506 sppp_cp_to_ipcp(void *xsp) 1507 { 1508 struct sppp *sp = xsp; 1509 1510 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_IPCP].work_to); 1511 } 1512 1513 static void 1514 sppp_cp_to_ipv6cp(void *xsp) 1515 { 1516 struct sppp *sp = xsp; 1517 1518 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_IPV6CP].work_to); 1519 } 1520 1521 static void 1522 sppp_cp_to_pap(void *xsp) 1523 { 1524 struct sppp *sp = xsp; 1525 1526 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_to); 1527 } 1528 1529 static void 1530 sppp_cp_to_chap(void *xsp) 1531 { 1532 struct sppp *sp = xsp; 1533 1534 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_to); 1535 } 1536 1537 static void 1538 sppp_cp_init(const struct cp *cp, struct sppp *sp) 1539 { 1540 struct sppp_cp *scp; 1541 typedef void (*sppp_co_cb_t)(void *); 1542 static const sppp_co_cb_t to_cb[IDX_COUNT] = { 1543 [IDX_LCP] = sppp_cp_to_lcp, 1544 [IDX_IPCP] = sppp_cp_to_ipcp, 1545 [IDX_IPV6CP] = sppp_cp_to_ipv6cp, 1546 [IDX_PAP] = sppp_cp_to_pap, 1547 [IDX_CHAP] = sppp_cp_to_chap, 1548 }; 1549 1550 scp = &sp->scp[cp->protoidx]; 1551 scp->state = STATE_INITIAL; 1552 scp->fail_counter = 0; 1553 scp->seq = 0; 1554 scp->rseq = 0; 1555 1556 SPPP_WQ_SET(&scp->work_up, cp->Up, cp); 1557 SPPP_WQ_SET(&scp->work_down, cp->Down, cp); 1558 SPPP_WQ_SET(&scp->work_open, cp->Open, cp); 1559 SPPP_WQ_SET(&scp->work_close, cp->Close, cp); 1560 SPPP_WQ_SET(&scp->work_to, cp->TO, cp); 1561 
SPPP_WQ_SET(&scp->work_rcr, sppp_rcr_event, cp); 1562 SPPP_WQ_SET(&scp->work_rca, sppp_rca_event, cp); 1563 SPPP_WQ_SET(&scp->work_rcn, sppp_rcn_event, cp); 1564 SPPP_WQ_SET(&scp->work_rtr, sppp_rtr_event, cp); 1565 SPPP_WQ_SET(&scp->work_rta, sppp_rta_event, cp); 1566 SPPP_WQ_SET(&scp->work_rxj, sppp_rxj_event, cp); 1567 1568 callout_init(&scp->ch, CALLOUT_MPSAFE); 1569 callout_setfunc(&scp->ch, to_cb[cp->protoidx], sp); 1570 } 1571 1572 static void 1573 sppp_cp_fini(const struct cp *cp, struct sppp *sp) 1574 { 1575 struct sppp_cp *scp; 1576 scp = &sp->scp[cp->protoidx]; 1577 1578 sppp_wq_wait(sp->wq_cp, &scp->work_up); 1579 sppp_wq_wait(sp->wq_cp, &scp->work_down); 1580 sppp_wq_wait(sp->wq_cp, &scp->work_open); 1581 sppp_wq_wait(sp->wq_cp, &scp->work_close); 1582 sppp_wq_wait(sp->wq_cp, &scp->work_to); 1583 sppp_wq_wait(sp->wq_cp, &scp->work_rcr); 1584 sppp_wq_wait(sp->wq_cp, &scp->work_rca); 1585 sppp_wq_wait(sp->wq_cp, &scp->work_rcn); 1586 sppp_wq_wait(sp->wq_cp, &scp->work_rtr); 1587 sppp_wq_wait(sp->wq_cp, &scp->work_rta); 1588 sppp_wq_wait(sp->wq_cp, &scp->work_rxj); 1589 1590 callout_halt(&scp->ch, NULL); 1591 callout_destroy(&scp->ch); 1592 1593 m_freem(scp->mbuf_confreq); 1594 scp->mbuf_confreq = NULL; 1595 m_freem(scp->mbuf_confnak); 1596 scp->mbuf_confnak = NULL; 1597 } 1598 1599 /* 1600 * Handle incoming PPP control protocol packets. 
1601 */ 1602 static void 1603 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1604 { 1605 const bool debug = sppp_debug_enabled(sp); 1606 struct ifnet *ifp = &sp->pp_if; 1607 struct sppp_cp *scp = &sp->scp[cp->protoidx]; 1608 struct lcp_header *h; 1609 int printlen, len = m->m_pkthdr.len; 1610 u_char *p; 1611 uint32_t u32; 1612 char tbuf[SPPP_CPTYPE_NAMELEN]; 1613 const char *cpname; 1614 1615 KASSERT(SPPP_WLOCKED(sp)); 1616 1617 if (len < 4) { 1618 SPPP_DLOG(sp, "%s invalid packet length: %d bytes\n", 1619 cp->name, len); 1620 goto out; 1621 } 1622 h = mtod(m, struct lcp_header *); 1623 if (debug) { 1624 printlen = ntohs(h->len); 1625 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), h->type); 1626 SPPP_LOG(sp, LOG_DEBUG, "%s input(%s): <%s id=0x%x len=%d", 1627 cp->name, sppp_state_name(scp->state), 1628 cpname, h->ident, printlen); 1629 if (len < printlen) 1630 printlen = len; 1631 if (printlen > 4) 1632 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1633 addlog(">\n"); 1634 } 1635 if (len > ntohs(h->len)) 1636 len = ntohs(h->len); 1637 p = (u_char *)(h + 1); 1638 switch (h->type) { 1639 case CONF_REQ: 1640 if (len < 4) { 1641 SPPP_DLOG(sp,"%s invalid conf-req length %d\n", 1642 cp->name, len); 1643 if_statinc(ifp, if_ierrors); 1644 break; 1645 } 1646 1647 scp->rcr_type = CP_RCR_NONE; 1648 scp->rconfid = h->ident; 1649 m_freem(scp->mbuf_confreq); 1650 scp->mbuf_confreq = m; 1651 m = NULL; 1652 sppp_wq_add(sp->wq_cp, &scp->work_rcr); 1653 break; 1654 case CONF_ACK: 1655 if (h->ident != scp->confid) { 1656 SPPP_DLOG(sp, "%s id mismatch 0x%x != 0x%x\n", 1657 cp->name, h->ident, scp->confid); 1658 if_statinc(ifp, if_ierrors); 1659 break; 1660 } 1661 sppp_wq_add(sp->wq_cp, &scp->work_rca); 1662 break; 1663 case CONF_NAK: 1664 case CONF_REJ: 1665 if (h->ident != scp->confid) { 1666 SPPP_DLOG(sp, "%s id mismatch 0x%x != 0x%x\n", 1667 cp->name, h->ident, scp->confid); 1668 if_statinc(ifp, if_ierrors); 1669 break; 1670 } 1671 1672 
m_freem(scp->mbuf_confnak); 1673 scp->mbuf_confnak = m; 1674 m = NULL; 1675 sppp_wq_add(sp->wq_cp, &scp->work_rcn); 1676 break; 1677 case TERM_REQ: 1678 scp->rseq = h->ident; 1679 sppp_wq_add(sp->wq_cp, &scp->work_rtr); 1680 break; 1681 case TERM_ACK: 1682 if (h->ident != scp->confid && 1683 h->ident != scp->seq) { 1684 SPPP_DLOG(sp, "%s id mismatch " 1685 "0x%x != 0x%x and 0x%x != %0lx\n", 1686 cp->name, h->ident, scp->confid, 1687 h->ident, scp->seq); 1688 if_statinc(ifp, if_ierrors); 1689 break; 1690 } 1691 1692 sppp_wq_add(sp->wq_cp, &scp->work_rta); 1693 break; 1694 case CODE_REJ: 1695 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1696 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), h->type); 1697 SPPP_LOG(sp, LOG_INFO, "%s: ignoring RXJ (%s) for code ?, " 1698 "danger will robinson\n", cp->name, cpname); 1699 sppp_wq_add(sp->wq_cp, &scp->work_rxj); 1700 break; 1701 case PROTO_REJ: 1702 { 1703 int catastrophic; 1704 const struct cp *upper; 1705 int i; 1706 uint16_t proto; 1707 1708 catastrophic = 0; 1709 upper = NULL; 1710 proto = p[0] << 8 | p[1]; 1711 for (i = 0; i < IDX_COUNT; i++) { 1712 if (cps[i]->proto == proto) { 1713 upper = cps[i]; 1714 break; 1715 } 1716 } 1717 if (upper == NULL) 1718 catastrophic++; 1719 1720 if (debug) { 1721 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), h->type); 1722 SPPP_LOG(sp, LOG_INFO, 1723 "%s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1724 cp->name, catastrophic ? '-' : '+', 1725 cpname, proto, upper ? upper->name : "unknown", 1726 upper ? sppp_state_name(sp->scp[upper->protoidx].state) : "?"); 1727 } 1728 1729 /* 1730 * if we got RXJ+ against conf-req, the peer does not implement 1731 * this particular protocol type. terminate the protocol. 
1732 */ 1733 if (upper && !catastrophic) { 1734 if (sp->scp[upper->protoidx].state == STATE_REQ_SENT) { 1735 sppp_wq_add(sp->wq_cp, 1736 &sp->scp[upper->protoidx].work_close); 1737 break; 1738 } 1739 } 1740 sppp_wq_add(sp->wq_cp, &scp->work_rxj); 1741 break; 1742 } 1743 case DISC_REQ: 1744 if (cp->proto != PPP_LCP) 1745 goto illegal; 1746 /* Discard the packet. */ 1747 break; 1748 case ECHO_REQ: 1749 if (cp->proto != PPP_LCP) 1750 goto illegal; 1751 if (scp->state != STATE_OPENED) { 1752 SPPP_DLOG(sp, "lcp echo req but lcp closed\n"); 1753 if_statinc(ifp, if_ierrors); 1754 break; 1755 } 1756 if (len < 8) { 1757 SPPP_DLOG(sp, "invalid lcp echo request " 1758 "packet length: %d bytes\n", len); 1759 break; 1760 } 1761 memcpy(&u32, h + 1, sizeof u32); 1762 if (ntohl(u32) == sp->lcp.magic) { 1763 /* Line loopback mode detected. */ 1764 SPPP_DLOG(sp, "loopback\n"); 1765 1766 /* Shut down the PPP link. */ 1767 if (sp->pp_flags & PP_IFDOWN) 1768 sppp_wq_add(sp->wq_cp, &sp->work_ifdown); 1769 1770 /* Reset the PPP link. */ 1771 sppp_wq_add(sp->wq_cp, 1772 &sp->scp[IDX_LCP].work_close); 1773 sppp_wq_add(sp->wq_cp, 1774 &sp->scp[IDX_LCP].work_open); 1775 break; 1776 } 1777 u32 = htonl(sp->lcp.magic); 1778 memcpy(h + 1, &u32, sizeof u32); 1779 SPPP_DLOG(sp, "got lcp echo req, sending echo rep\n"); 1780 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1781 h + 1); 1782 break; 1783 case ECHO_REPLY: 1784 if (cp->proto != PPP_LCP) 1785 goto illegal; 1786 if (h->ident != sp->lcp.echoid) { 1787 if_statinc(ifp, if_ierrors); 1788 break; 1789 } 1790 if (len < 8) { 1791 SPPP_DLOG(sp, "lcp invalid echo reply " 1792 "packet length: %d bytes\n", len); 1793 break; 1794 } 1795 SPPP_DLOG(sp, "lcp got echo rep\n"); 1796 memcpy(&u32, h + 1, sizeof u32); 1797 if (ntohl(u32) != sp->lcp.magic) 1798 sp->pp_alivecnt = 0; 1799 break; 1800 default: 1801 /* Unknown packet type -- send Code-Reject packet. 
*/ 1802 illegal: 1803 SPPP_DLOG(sp, "%s send code-rej for 0x%x\n", 1804 cp->name, h->type); 1805 sppp_cp_send(sp, cp->proto, CODE_REJ, 1806 ++scp->seq, m->m_pkthdr.len, h); 1807 if_statinc(ifp, if_ierrors); 1808 } 1809 1810 out: 1811 m_freem(m); 1812 } 1813 1814 /* 1815 * The generic part of all Up/Down/Open/Close/TO event handlers. 1816 * Basically, the state transition handling in the automaton. 1817 */ 1818 static void 1819 sppp_up_event(struct sppp *sp, void *xcp) 1820 { 1821 const struct cp *cp = xcp; 1822 1823 KASSERT(SPPP_WLOCKED(sp)); 1824 KASSERT(!cpu_softintr_p()); 1825 1826 if ((cp->flags & CP_AUTH) != 0 && 1827 sppp_auth_role(cp, sp) == SPPP_AUTH_NOROLE) 1828 return; 1829 1830 SPPP_DLOG(sp, "%s up(%s)\n", cp->name, 1831 sppp_state_name(sp->scp[cp->protoidx].state)); 1832 1833 switch (sp->scp[cp->protoidx].state) { 1834 case STATE_INITIAL: 1835 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1836 break; 1837 case STATE_STARTING: 1838 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure; 1839 (cp->scr)(sp); 1840 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1841 break; 1842 default: 1843 SPPP_LOG(sp, LOG_DEBUG, 1844 "%s illegal up in state %s\n", cp->name, 1845 sppp_state_name(sp->scp[cp->protoidx].state)); 1846 } 1847 } 1848 1849 static void 1850 sppp_down_event(struct sppp *sp, void *xcp) 1851 { 1852 const struct cp *cp = xcp; 1853 1854 KASSERT(SPPP_WLOCKED(sp)); 1855 KASSERT(!cpu_softintr_p()); 1856 1857 if ((cp->flags & CP_AUTH) != 0 && 1858 sppp_auth_role(cp, sp) == SPPP_AUTH_NOROLE) 1859 return; 1860 1861 SPPP_DLOG(sp, "%s down(%s)\n", cp->name, 1862 sppp_state_name(sp->scp[cp->protoidx].state)); 1863 1864 switch (sp->scp[cp->protoidx].state) { 1865 case STATE_CLOSED: 1866 case STATE_CLOSING: 1867 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1868 break; 1869 case STATE_STOPPED: 1870 (cp->tls)(cp, sp); 1871 /* fall through */ 1872 case STATE_STOPPING: 1873 case STATE_REQ_SENT: 1874 case STATE_ACK_RCVD: 1875 case STATE_ACK_SENT: 1876 
sppp_cp_change_state(cp, sp, STATE_STARTING); 1877 break; 1878 case STATE_OPENED: 1879 (cp->tld)(sp); 1880 sppp_cp_change_state(cp, sp, STATE_STARTING); 1881 break; 1882 default: 1883 /* 1884 * a down event may be caused regardless 1885 * of state just in LCP case. 1886 */ 1887 if (cp->proto == PPP_LCP) 1888 break; 1889 1890 SPPP_LOG(sp, LOG_DEBUG, 1891 "%s illegal down in state %s\n", cp->name, 1892 sppp_state_name(sp->scp[cp->protoidx].state)); 1893 } 1894 } 1895 1896 static void 1897 sppp_open_event(struct sppp *sp, void *xcp) 1898 { 1899 const struct cp *cp = xcp; 1900 1901 KASSERT(SPPP_WLOCKED(sp)); 1902 KASSERT(!cpu_softintr_p()); 1903 1904 if ((cp->flags & CP_AUTH) != 0 && 1905 sppp_auth_role(cp, sp) == SPPP_AUTH_NOROLE) 1906 return; 1907 1908 SPPP_DLOG(sp, "%s open(%s)\n", cp->name, 1909 sppp_state_name(sp->scp[cp->protoidx].state)); 1910 1911 switch (sp->scp[cp->protoidx].state) { 1912 case STATE_INITIAL: 1913 sppp_cp_change_state(cp, sp, STATE_STARTING); 1914 (cp->tls)(cp, sp); 1915 break; 1916 case STATE_STARTING: 1917 break; 1918 case STATE_CLOSED: 1919 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure; 1920 sp->lcp.protos |= (1 << cp->protoidx); 1921 (cp->scr)(sp); 1922 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1923 break; 1924 case STATE_STOPPED: 1925 case STATE_STOPPING: 1926 case STATE_REQ_SENT: 1927 case STATE_ACK_RCVD: 1928 case STATE_ACK_SENT: 1929 case STATE_OPENED: 1930 break; 1931 case STATE_CLOSING: 1932 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1933 break; 1934 } 1935 } 1936 1937 static void 1938 sppp_close_event(struct sppp *sp, void *xcp) 1939 { 1940 const struct cp *cp = xcp; 1941 1942 KASSERT(SPPP_WLOCKED(sp)); 1943 KASSERT(!cpu_softintr_p()); 1944 1945 if ((cp->flags & CP_AUTH) != 0 && 1946 sppp_auth_role(cp, sp) == SPPP_AUTH_NOROLE) 1947 return; 1948 1949 SPPP_DLOG(sp, "%s close(%s)\n", cp->name, 1950 sppp_state_name(sp->scp[cp->protoidx].state)); 1951 1952 switch (sp->scp[cp->protoidx].state) { 1953 case STATE_INITIAL: 
1954 case STATE_CLOSED: 1955 case STATE_CLOSING: 1956 break; 1957 case STATE_STARTING: 1958 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1959 (cp->tlf)(cp, sp); 1960 break; 1961 case STATE_STOPPED: 1962 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1963 break; 1964 case STATE_STOPPING: 1965 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1966 break; 1967 case STATE_OPENED: 1968 (cp->tld)(sp); 1969 /* fall through */ 1970 case STATE_REQ_SENT: 1971 case STATE_ACK_RCVD: 1972 case STATE_ACK_SENT: 1973 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_terminate; 1974 if ((cp->flags & CP_AUTH) == 0) { 1975 sppp_cp_send(sp, cp->proto, TERM_REQ, 1976 ++sp->scp[cp->protoidx].seq, 0, 0); 1977 } 1978 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1979 break; 1980 } 1981 } 1982 1983 static void 1984 sppp_to_event(struct sppp *sp, void *xcp) 1985 { 1986 const struct cp *cp = xcp; 1987 1988 KASSERT(SPPP_WLOCKED(sp)); 1989 KASSERT(!cpu_softintr_p()); 1990 1991 SPPP_DLOG(sp, "%s TO(%s) rst_counter = %d\n", cp->name, 1992 sppp_state_name(sp->scp[cp->protoidx].state), 1993 sp->scp[cp->protoidx].rst_counter); 1994 1995 if (--sp->scp[cp->protoidx].rst_counter < 0) 1996 /* TO- event */ 1997 switch (sp->scp[cp->protoidx].state) { 1998 case STATE_CLOSING: 1999 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2000 (cp->tlf)(cp, sp); 2001 break; 2002 case STATE_STOPPING: 2003 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2004 (cp->tlf)(cp, sp); 2005 break; 2006 case STATE_REQ_SENT: 2007 case STATE_ACK_RCVD: 2008 case STATE_ACK_SENT: 2009 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2010 (cp->tlf)(cp, sp); 2011 break; 2012 } 2013 else 2014 /* TO+ event */ 2015 switch (sp->scp[cp->protoidx].state) { 2016 case STATE_CLOSING: 2017 case STATE_STOPPING: 2018 if ((cp->flags & CP_AUTH) == 0) { 2019 sppp_cp_send(sp, cp->proto, TERM_REQ, 2020 ++sp->scp[cp->protoidx].seq, 0, 0); 2021 } 2022 callout_schedule(&sp->scp[cp->protoidx].ch, sp->lcp.timeout); 2023 break; 2024 case STATE_REQ_SENT: 2025 case STATE_ACK_RCVD: 
2026 (cp->scr)(sp); 2027 /* sppp_cp_change_state() will restart the timer */ 2028 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2029 break; 2030 case STATE_ACK_SENT: 2031 (cp->scr)(sp); 2032 callout_schedule(&sp->scp[cp->protoidx].ch, sp->lcp.timeout); 2033 break; 2034 } 2035 } 2036 static void 2037 sppp_rcr_update_state(const struct cp *cp, struct sppp *sp, 2038 enum cp_rcr_type type, uint8_t ident, size_t msglen, void *msg) 2039 { 2040 struct ifnet *ifp = &sp->pp_if; 2041 u_char ctype; 2042 2043 if (type == CP_RCR_ERR) { 2044 /* parse error, shut down */ 2045 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 2046 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open); 2047 } else if (type == CP_RCR_ACK) { 2048 /* RCR+ event */ 2049 ctype = CONF_ACK; 2050 switch (sp->scp[cp->protoidx].state) { 2051 case STATE_OPENED: 2052 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 2053 cp->tld(sp); 2054 cp->scr(sp); 2055 cp->screply(cp, sp, ctype, ident, msglen, msg); 2056 break; 2057 case STATE_REQ_SENT: 2058 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 2059 /* fall through */ 2060 case STATE_ACK_SENT: 2061 cp->screply(cp, sp, ctype, ident, msglen, msg); 2062 break; 2063 case STATE_STOPPED: 2064 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 2065 cp->scr(sp); 2066 cp->screply(cp, sp, ctype, ident, msglen, msg); 2067 break; 2068 case STATE_ACK_RCVD: 2069 sppp_cp_change_state(cp, sp, STATE_OPENED); 2070 SPPP_DLOG(sp, "%s tlu\n", cp->name); 2071 cp->tlu(sp); 2072 cp->screply(cp, sp, ctype, ident, msglen, msg); 2073 break; 2074 case STATE_CLOSING: 2075 case STATE_STOPPING: 2076 break; 2077 case STATE_CLOSED: 2078 if ((cp->flags & CP_AUTH) == 0) { 2079 sppp_cp_send(sp, cp->proto, TERM_ACK, 2080 ident, 0, 0); 2081 } 2082 break; 2083 default: 2084 SPPP_LOG(sp, LOG_DEBUG, 2085 "%s illegal RCR+ in state %s\n", cp->name, 2086 sppp_state_name(sp->scp[cp->protoidx].state)); 2087 if_statinc(ifp, if_ierrors); 2088 } 2089 } else if (type == CP_RCR_NAK || type == CP_RCR_REJ) { 2090 ctype = 
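type == CP_RCR_NAK ? CONF_NAK : CONF_REJ;
		/* RCR- event */
		switch (sp->scp[cp->protoidx].state) {
		case STATE_OPENED:
			sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
			cp->tld(sp);
			cp->scr(sp);
			cp->screply(cp, sp, ctype, ident, msglen, msg);
			break;
		case STATE_ACK_SENT:
			sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
			/* fall through */
		case STATE_REQ_SENT:
			cp->screply(cp, sp, ctype, ident, msglen, msg);
			break;
		case STATE_STOPPED:
			sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
			cp->scr(sp);
			cp->screply(cp, sp, ctype, ident, msglen, msg);
			break;
		case STATE_ACK_RCVD:
			sppp_cp_change_state(cp, sp, STATE_ACK_RCVD);
			cp->screply(cp, sp, ctype, ident, msglen, msg);
			break;
		case STATE_CLOSING:
		case STATE_STOPPING:
			break;
		case STATE_CLOSED:
			sppp_cp_change_state(cp, sp, STATE_CLOSED);
			if ((cp->flags & CP_AUTH) == 0) {
				sppp_cp_send(sp, cp->proto, TERM_ACK,
				    ident, 0, 0);
			}
			break;
		default:
			SPPP_LOG(sp, LOG_DEBUG,
			    "%s illegal RCR- in state %s\n", cp->name,
			    sppp_state_name(sp->scp[cp->protoidx].state));
			if_statinc(ifp, if_ierrors);
		}
	}
}

/*
 * Receive-Configure-Request event.
 *
 * For protocols with a parse_confreq hook, take the queued request
 * mbuf, let the hook classify it, and feed the result to
 * sppp_rcr_update_state().  For protocols without the hook, use the
 * result already stored in scp->rcr_type / scp->rconfid.
 *
 * The reply buffer returned by the hook is owned by this function and
 * released with kmem_free() once the state machine has consumed it.
 */
static void
sppp_rcr_event(struct sppp *sp, void *xcp)
{
	const struct cp *cp = xcp;
	struct sppp_cp *scp;
	struct lcp_header *h;
	struct mbuf *m;
	enum cp_rcr_type type;
	size_t len;
	/*
	 * Start from "no reply buffer".  The hook may return without
	 * storing through its output pointers (sppp_lcp_confreq() does so
	 * for CP_RCR_DROP and CP_RCR_ERR); without these initializers the
	 * kmem_free() below would act on an indeterminate pointer and size.
	 */
	uint8_t *buf = NULL;
	size_t blen = 0, rlen = 0;
	uint8_t ident;

	KASSERT(!cpu_softintr_p());

	scp = &sp->scp[cp->protoidx];

	if (cp->parse_confreq != NULL) {
		m = scp->mbuf_confreq;
		if (m == NULL)
			return;
		/* Detach first so the mbuf is consumed exactly once. */
		scp->mbuf_confreq = NULL;

		/*
		 * NOTE(review): this assumes the queued mbuf holds the
		 * header and all options contiguously; len is capped by
		 * m_pkthdr.len, not by the first mbuf's m_len -- confirm
		 * at the enqueue site.
		 */
		h = mtod(m, struct lcp_header *);
		if (h->type != CONF_REQ) {
			m_freem(m);
			return;
		}

		ident = h->ident;
		/* Never trust the peer's length beyond what was received. */
		len = MIN(m->m_pkthdr.len, ntohs(h->len));

		type = (cp->parse_confreq)(sp, h, len,
		    &buf, &blen, &rlen);
		m_freem(m);
	} else {
		/* mbuf_confreq is already parsed and freed */
		type = scp->rcr_type;
		ident = scp->rconfid;
	}

	sppp_rcr_update_state(cp, sp, type, ident, rlen, (void *)buf);

	if (buf != NULL)
		kmem_free(buf, blen);
}

/*
 * Receive-Configure-Ack event: advance the automaton of the control
 * protocol passed in xcp according to its current state.
 */
static void
sppp_rca_event(struct sppp *sp, void *xcp)
{
	struct ifnet *ifp = &sp->pp_if;
	const struct cp *cp = xcp;

	KASSERT(!cpu_softintr_p());

	switch (sp->scp[cp->protoidx].state) {
	case STATE_CLOSED:
	case STATE_STOPPED:
		/* Not negotiating: answer with Terminate-Ack (non-auth CPs). */
		if ((cp->flags & CP_AUTH) == 0) {
			sppp_cp_send(sp, cp->proto, TERM_ACK,
			    sp->scp[cp->protoidx].rconfid, 0, 0);
		}
		break;
	case STATE_CLOSING:
	case STATE_STOPPING:
		break;
	case STATE_REQ_SENT:
		sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure;
		sppp_cp_change_state(cp, sp, STATE_ACK_RCVD);
		break;
	case STATE_OPENED:
		(cp->tld)(sp);
		/* fall through */
	case STATE_ACK_RCVD:
		(cp->scr)(sp);
		sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
		break;
	case STATE_ACK_SENT:
		sppp_cp_change_state(cp, sp, STATE_OPENED);
		sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure;
		SPPP_DLOG(sp, "%s tlu\n", cp->name);
		(cp->tlu)(sp);
		break;
	default:
		SPPP_LOG(sp, LOG_DEBUG,
		    "%s illegal RCA in state %s\n", cp->name,
		    sppp_state_name(sp->scp[cp->protoidx].state));
		if_statinc(ifp, if_ierrors);
	}
}

static void
sppp_rcn_event(struct sppp *sp, void *xcp)
{
	const struct cp *cp = xcp;
	struct sppp_cp *scp;
	struct lcp_header *h;
	struct mbuf *m;
	struct ifnet *ifp = &sp->pp_if;
	size_t len;

	KASSERT(!cpu_softintr_p());

	scp = &sp->scp[cp->protoidx];
	m = scp->mbuf_confnak;
	if (m == NULL)
		return;
	scp->mbuf_confnak = NULL;

	h = mtod(m, struct lcp_header *);
	len =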
MIN(m->m_pkthdr.len, ntohs(h->len)); 2246 2247 switch (h->type) { 2248 case CONF_NAK: 2249 (cp->parse_confnak)(sp, h, len); 2250 break; 2251 case CONF_REJ: 2252 (cp->parse_confrej)(sp, h, len); 2253 break; 2254 default: 2255 m_freem(m); 2256 return; 2257 } 2258 2259 m_freem(m); 2260 2261 switch (scp->state) { 2262 case STATE_CLOSED: 2263 case STATE_STOPPED: 2264 if ((cp->flags & CP_AUTH) == 0) { 2265 sppp_cp_send(sp, cp->proto, TERM_ACK, 2266 scp->rconfid, 0, 0); 2267 } 2268 break; 2269 case STATE_REQ_SENT: 2270 case STATE_ACK_SENT: 2271 scp->rst_counter = sp->lcp.max_configure; 2272 (cp->scr)(sp); 2273 break; 2274 case STATE_OPENED: 2275 (cp->tld)(sp); 2276 /* fall through */ 2277 case STATE_ACK_RCVD: 2278 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 2279 (cp->scr)(sp); 2280 break; 2281 case STATE_CLOSING: 2282 case STATE_STOPPING: 2283 break; 2284 default: 2285 SPPP_LOG(sp, LOG_DEBUG, "%s illegal RCN in state %s\n", 2286 cp->name, sppp_state_name(scp->state)); 2287 if_statinc(ifp, if_ierrors); 2288 } 2289 } 2290 2291 static void 2292 sppp_rtr_event(struct sppp *sp, void *xcp) 2293 { 2294 struct ifnet *ifp = &sp->pp_if; 2295 const struct cp *cp = xcp; 2296 2297 KASSERT(!cpu_softintr_p()); 2298 2299 switch (sp->scp[cp->protoidx].state) { 2300 case STATE_ACK_RCVD: 2301 case STATE_ACK_SENT: 2302 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2303 break; 2304 case STATE_CLOSED: 2305 case STATE_STOPPED: 2306 case STATE_CLOSING: 2307 case STATE_STOPPING: 2308 case STATE_REQ_SENT: 2309 break; 2310 case STATE_OPENED: 2311 (cp->tld)(sp); 2312 sp->scp[cp->protoidx].rst_counter = 0; 2313 sppp_cp_change_state(cp, sp, STATE_STOPPING); 2314 break; 2315 default: 2316 SPPP_LOG(sp, LOG_DEBUG, "%s illegal RTR in state %s\n", 2317 cp->name, 2318 sppp_state_name(sp->scp[cp->protoidx].state)); 2319 if_statinc(ifp, if_ierrors); 2320 return; 2321 } 2322 2323 /* Send Terminate-Ack packet. 
*/ 2324 SPPP_DLOG(sp, "%s send terminate-ack\n", cp->name); 2325 if ((cp->flags & CP_AUTH) == 0) { 2326 sppp_cp_send(sp, cp->proto, TERM_ACK, 2327 sp->scp[cp->protoidx].rseq, 0, 0); 2328 } 2329 } 2330 2331 static void 2332 sppp_rta_event(struct sppp *sp, void *xcp) 2333 { 2334 const struct cp *cp = xcp; 2335 struct ifnet *ifp = &sp->pp_if; 2336 2337 KASSERT(!cpu_softintr_p()); 2338 2339 switch (sp->scp[cp->protoidx].state) { 2340 case STATE_CLOSED: 2341 case STATE_STOPPED: 2342 case STATE_REQ_SENT: 2343 case STATE_ACK_SENT: 2344 break; 2345 case STATE_CLOSING: 2346 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2347 (cp->tlf)(cp, sp); 2348 break; 2349 case STATE_STOPPING: 2350 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2351 (cp->tlf)(cp, sp); 2352 break; 2353 case STATE_ACK_RCVD: 2354 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2355 break; 2356 case STATE_OPENED: 2357 (cp->tld)(sp); 2358 (cp->scr)(sp); 2359 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 2360 break; 2361 default: 2362 SPPP_LOG(sp, LOG_DEBUG, "%s illegal RTA in state %s\n", 2363 cp->name, sppp_state_name(sp->scp[cp->protoidx].state)); 2364 if_statinc(ifp, if_ierrors); 2365 } 2366 } 2367 2368 static void 2369 sppp_rxj_event(struct sppp *sp, void *xcp) 2370 { 2371 const struct cp *cp = xcp; 2372 struct ifnet *ifp = &sp->pp_if; 2373 2374 KASSERT(!cpu_softintr_p()); 2375 2376 /* XXX catastrophic rejects (RXJ-) aren't handled yet. 
*/ 2377 switch (sp->scp[cp->protoidx].state) { 2378 case STATE_CLOSED: 2379 case STATE_STOPPED: 2380 case STATE_REQ_SENT: 2381 case STATE_ACK_SENT: 2382 case STATE_CLOSING: 2383 case STATE_STOPPING: 2384 case STATE_OPENED: 2385 break; 2386 case STATE_ACK_RCVD: 2387 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2388 break; 2389 default: 2390 SPPP_LOG(sp, LOG_DEBUG, "%s illegal RXJ- in state %s\n", 2391 cp->name, sppp_state_name(sp->scp[cp->protoidx].state)); 2392 if_statinc(ifp, if_ierrors); 2393 } 2394 } 2395 2396 /* 2397 * Change the state of a control protocol in the state automaton. 2398 * Takes care of starting/stopping the restart timer. 2399 */ 2400 void 2401 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2402 { 2403 2404 KASSERT(SPPP_WLOCKED(sp)); 2405 2406 sp->scp[cp->protoidx].state = newstate; 2407 callout_stop(&sp->scp[cp->protoidx].ch); 2408 switch (newstate) { 2409 case STATE_INITIAL: 2410 case STATE_STARTING: 2411 case STATE_CLOSED: 2412 case STATE_STOPPED: 2413 case STATE_OPENED: 2414 break; 2415 case STATE_CLOSING: 2416 case STATE_STOPPING: 2417 case STATE_REQ_SENT: 2418 case STATE_ACK_RCVD: 2419 case STATE_ACK_SENT: 2420 callout_schedule(&sp->scp[cp->protoidx].ch, sp->lcp.timeout); 2421 break; 2422 } 2423 } 2424 2425 /* 2426 *--------------------------------------------------------------------------* 2427 * * 2428 * The LCP implementation. * 2429 * * 2430 *--------------------------------------------------------------------------* 2431 */ 2432 static void 2433 sppp_lcp_init(struct sppp *sp) 2434 { 2435 2436 KASSERT(SPPP_WLOCKED(sp)); 2437 2438 sppp_cp_init(&lcp, sp); 2439 2440 SET(sp->lcp.opts, SPPP_LCP_OPT_MAGIC); 2441 sp->lcp.magic = 0; 2442 sp->lcp.protos = 0; 2443 sp->lcp.max_terminate = 2; 2444 sp->lcp.max_configure = 10; 2445 sp->lcp.max_failure = 10; 2446 sp->lcp.lower_running = false; 2447 2448 /* 2449 * Initialize counters and timeout values. 
Note that we don't 2450 * use the 3 seconds suggested in RFC 1661 since we are likely 2451 * running on a fast link. XXX We should probably implement 2452 * the exponential backoff option. Note that these values are 2453 * relevant for all control protocols, not just LCP only. 2454 */ 2455 sp->lcp.timeout = 1 * hz; 2456 } 2457 2458 static void 2459 sppp_lcp_up(struct sppp *sp, void *xcp) 2460 { 2461 struct ifnet *ifp = &sp->pp_if; 2462 const struct cp *cp = xcp; 2463 int pidx; 2464 2465 KASSERT(SPPP_WLOCKED(sp)); 2466 2467 pidx = cp->protoidx; 2468 /* Initialize activity timestamp: opening a connection is an activity */ 2469 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 2470 2471 /* 2472 * If this interface is passive or dial-on-demand, and we are 2473 * still in Initial state, it means we've got an incoming 2474 * call. Activate the interface. 2475 */ 2476 if (ifp->if_flags & IFF_AUTO) { 2477 ifp->if_flags |= IFF_RUNNING; 2478 if (sp->scp[pidx].state == STATE_INITIAL) { 2479 SPPP_DLOG(sp, "Up event (incoming call)\n"); 2480 sp->pp_flags |= PP_CALLIN; 2481 sppp_wq_add(sp->wq_cp, &sp->scp[pidx].work_open); 2482 } else { 2483 SPPP_DLOG(sp, "Up event\n"); 2484 } 2485 } 2486 2487 sppp_up_event(sp, xcp); 2488 } 2489 2490 static void 2491 sppp_lcp_down(struct sppp *sp, void *xcp) 2492 { 2493 const struct cp *cp = xcp; 2494 struct ifnet *ifp = &sp->pp_if; 2495 int pidx = cp->protoidx; 2496 2497 KASSERT(SPPP_WLOCKED(sp)); 2498 KASSERT(!cpu_softintr_p()); 2499 2500 sppp_down_event(sp, xcp); 2501 2502 switch (sp->scp[pidx].state) { 2503 case STATE_STARTING: 2504 /* 2505 * Req-Sent/Ack-Sent/Ack-Rcvd -> Starting: 2506 * This transition requires an extra TLS action. 2507 * * sequence of events/actions: 2508 * 1. Closing -> Closed : Triggers TLF action. 2509 * 2. Closed -> Req-Sent : Occurs on Open event. 2510 * 3. Req-Sent -> Ack-Sent...: (Optional state progression) 2511 * 4. 
Req-Sent/Ack-Sent/Ack-Rcvd -> Starting: 2512 * - Triggered by a Down event caused by the previous TLF action. 2513 * - This specific transition does NOT trigger another TLS action. 2514 */ 2515 cp->tls(cp, sp); 2516 break; 2517 case STATE_INITIAL: 2518 /* 2519 * Closing -> Initial: 2520 * A Down event in the Closing state triggers a transition to 2521 * Initial state without a TLF action. Since the lower layer 2522 * will attempt to reconnect, we explicitly stop it here. 2523 */ 2524 cp->tlf(cp, sp); 2525 break; 2526 } 2527 2528 SPPP_DLOG(sp, "Down event (carrier loss)\n"); 2529 2530 if (ifp->if_flags & IFF_AUTO) { 2531 sp->pp_flags &= ~PP_CALLIN; 2532 if (sp->scp[pidx].state != STATE_INITIAL) 2533 sppp_wq_add(sp->wq_cp, &sp->scp[pidx].work_close); 2534 ifp->if_flags &= ~IFF_RUNNING; 2535 } 2536 2537 sp->scp[pidx].fail_counter = 0; 2538 } 2539 2540 static void 2541 sppp_lcp_open(struct sppp *sp, void *xcp) 2542 { 2543 2544 KASSERT(SPPP_WLOCKED(sp)); 2545 KASSERT(!cpu_softintr_p()); 2546 2547 sp->scp[IDX_LCP].fail_counter = 0; 2548 2549 if (sp->pp_if.if_mtu < PP_MTU) { 2550 sp->lcp.mru = sp->pp_if.if_mtu; 2551 SET(sp->lcp.opts, SPPP_LCP_OPT_MRU); 2552 } else { 2553 sp->lcp.mru = PP_MTU; 2554 } 2555 sp->lcp.their_mru = PP_MTU; 2556 2557 /* 2558 * If we are authenticator, negotiate LCP_AUTH 2559 */ 2560 if (sp->hisauth.proto != PPP_NOPROTO) 2561 SET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO); 2562 else 2563 CLR(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO); 2564 sp->pp_flags &= ~PP_NEEDAUTH; 2565 sppp_open_event(sp, xcp); 2566 } 2567 2568 /* 2569 * Analyze a configure request. Return true if it was agreeable, and 2570 * caused action sca, false if it has been rejected or nak'ed, and 2571 * caused action scn. (The return value is used to make the state 2572 * transition decision in the state automaton.) 
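*/
/*
 * Contract as implemented below:
 *
 *  - h points at a peer-supplied Configure-Request and origlen is its
 *    length including the LCP header.  Everything after the header is
 *    untrusted input.
 *  - Returns CP_RCR_DROP when the request is too short or no memory is
 *    available, CP_RCR_ERR on a malformed option list, CP_RCR_REJ /
 *    CP_RCR_NAK when options are rejected or nak'ed, CP_RCR_ACK
 *    otherwise.
 *  - On ACK/NAK/REJ, *msgbuf is a kmem_intr_alloc() buffer of *buflen
 *    bytes holding *msglen bytes of reply options; the caller frees it.
 *    On DROP/ERR nothing is handed out and *msgbuf is NULL.
 */
static enum cp_rcr_type
sppp_lcp_confreq(struct sppp *sp, struct lcp_header *h, int origlen,
    uint8_t **msgbuf, size_t *buflen, size_t *msglen)
{
	const bool debug = sppp_debug_enabled(sp);
	u_char *buf, *r, *p, l, naklen;
	/*
	 * Size of the reply buffer.  This must be able to hold origlen:
	 * a u_char here would truncate option areas longer than 255 bytes
	 * and make the allocation smaller than the ACK copy below.
	 */
	size_t blen;
	enum cp_rcr_type type;
	int len, rlen;
	uint32_t nmagic;
	u_short authproto;
	char lbuf[SPPP_LCPOPT_NAMELEN];

	KASSERT(SPPP_WLOCKED(sp));

	/* Leave the outputs defined on every return path. */
	*msgbuf = NULL;
	*buflen = 0;
	*msglen = 0;

	/* Need the header plus at least one byte of options. */
	if (origlen < 0 || (size_t)origlen <= sizeof(*h))
		return CP_RCR_DROP;

	origlen -= (int)sizeof(*h);
	type = CP_RCR_NONE;
	blen = (size_t)origlen;

	buf = kmem_intr_alloc(blen, KM_NOSLEEP);
	if (buf == NULL)
		return CP_RCR_DROP;

	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "lcp parse opts:");

	/* pass 1: check for things that need to be rejected */
	p = (void *)(h + 1);
	r = buf;
	rlen = 0;
	for (len = origlen; len > 1; len-= l, p += l) {
		l = p[1];
		if (l == 0)
			break;

		/* Sanity check option length */
		if (l > len) {
			/*
			 * Malicious option - drop immediately.
			 * XXX Maybe we should just RXJ it?
			 */
			if (debug)
				addlog("\n");

			SPPP_LOG(sp, LOG_DEBUG,
			    "received malicious LCP option 0x%02x, "
			    "length 0x%02x, (len: 0x%02x) dropping.\n",
			    p[0], l, len);
			type = CP_RCR_ERR;
			goto end;
		}
		if (debug)
			addlog(" %s", sppp_lcp_opt_name(lbuf, sizeof(lbuf), *p));
		switch (p[0]) {
		case LCP_OPT_MAGIC:
			/* Magic number. */
			/* fall through, both are same length */
		case LCP_OPT_ASYNC_MAP:
			/* Async control character map. */
			/*
			 * Require the exact option size, as the other
			 * fixed-size options and sppp_lcp_confnak() do.
			 * Pass 2 reads and rewrites p[2..5]; with a shorter
			 * length byte that would touch the following option.
			 */
			if (len >= 6 && l == 6)
				continue;
			if (debug)
				addlog(" [invalid]");
			break;
		case LCP_OPT_MP_EID:
			if (len >= l && l >= 3) {
				switch (p[2]) {
				case 0: if (l==3+ 0) continue;break;
				case 2: if (l==3+ 4) continue;break;
				case 3: if (l==3+ 6) continue;break;
				case 6: if (l==3+16) continue;break;
				case 1: /* FALLTHROUGH */
				case 4: if (l<=3+20) continue;break;
				case 5: if (l<=3+15) continue;break;
				/* XXX should it be default: continue;? */
				}
			}
			/* Only read the class byte if it was received. */
			if (debug)
				addlog(" [invalid class %d len %d]",
				    len >= 3 ? p[2] : -1, l);
			break;
		case LCP_OPT_MP_SSNHF:
			if (len >= 2 && l == 2) {
				if (debug)
					addlog(" [rej]");
				break;
			}
			if (debug)
				addlog(" [invalid]");
			break;
		case LCP_OPT_MP_MRRU:
			/* Multilink maximum received reconstructed unit */
			/* should be fall through, both are same length */
			/* FALLTHROUGH */
		case LCP_OPT_MRU:
			/* Maximum receive unit. */
			if (len >= 4 && l == 4)
				continue;
			if (debug)
				addlog(" [invalid]");
			break;
		case LCP_OPT_AUTH_PROTO:
			/* The protocol field must lie inside this option. */
			if (len < 4 || l < 4) {
				if (debug)
					addlog(" [invalid]");
				break;
			}
			authproto = (p[2] << 8) + p[3];
			if (authproto == PPP_CHAP && l != 5) {
				if (debug)
					addlog(" [invalid chap len]");
				break;
			}
			/*
			 * With SPPP_AUTHFLAG_PASSIVEAUTHPROTO the peer
			 * chooses between PAP and CHAP for us.  PAP hands
			 * the secret to the peer in cleartext, so this flag
			 * lets the remote side pick the weaker method.
			 */
			if (ISSET(sp->myauth.flags, SPPP_AUTHFLAG_PASSIVEAUTHPROTO)) {
				if (authproto == PPP_PAP || authproto == PPP_CHAP)
					sp->myauth.proto = authproto;
			}
			if (sp->myauth.proto == PPP_NOPROTO) {
				/* we are not configured to do auth */
				if (debug)
					addlog(" [not configured]");
				break;
			}
			/*
			 * Remote want us to authenticate, remember this,
			 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got
			 * up.
			 */
			sp->pp_flags |= PP_NEEDAUTH;
			continue;
		default:
			/* Others not supported. */
			if (debug)
				addlog(" [rej]");
			break;
		}
		if ((size_t)rlen + l > blen) {
			if (debug)
				addlog(" [overflow]");
			continue;
		}
		/* Add the option to rejected list. */
		memcpy(r, p, l);
		r += l;
		rlen += l;
	}

	if (rlen > 0) {
		type = CP_RCR_REJ;
		goto end;
	}

	if (debug)
		addlog("\n");

	/*
	 * pass 2: check for option values that are unacceptable and
	 * thus require to be nak'ed.
	 */
	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "lcp parse opt values:");

	p = (void *)(h + 1);
	r = buf;
	rlen = 0;
	/*
	 * Same bound as pass 1 (len > 1): p[1] is only read while at
	 * least two bytes of option data remain.
	 */
	for (len = origlen; len > 1; len -= l, p += l) {
		l = p[1];
		if (l == 0)
			break;

		/*
		 * Pass 1 already vetted every length; re-check so a later
		 * change to either pass cannot turn into an out-of-bounds
		 * read here.
		 */
		if (l > len) {
			type = CP_RCR_ERR;
			goto end;
		}

		if (debug)
			addlog(" %s", sppp_lcp_opt_name(lbuf, sizeof(lbuf), *p));
		switch (p[0]) {
		case LCP_OPT_MAGIC:
			/* Magic number -- extract. */
			nmagic = (uint32_t)p[2] << 24 |
			    (uint32_t)p[3] << 16 | p[4] << 8 | p[5];
			if (nmagic != sp->lcp.magic) {
				if (debug)
					addlog(" 0x%x", nmagic);
				continue;
			}
			/*
			 * Local and remote magics equal -- loopback?
			 */
			if (sp->pp_loopcnt >= LOOPALIVECNT*5) {
				SPPP_DLOG(sp, "loopback\n");
				sp->pp_loopcnt = 0;

				if (sp->pp_flags & PP_IFDOWN)
					sppp_wq_add(sp->wq_cp, &sp->work_ifdown);
				sppp_wq_add(sp->wq_cp,
				    &sp->scp[IDX_LCP].work_close);
				sppp_wq_add(sp->wq_cp,
				    &sp->scp[IDX_LCP].work_open);
			} else {
				if (debug)
					addlog(" [glitch]");
				++sp->pp_loopcnt;
			}
			/*
			 * We negate our magic here, and NAK it.  If
			 * we see it later in an NAK packet, we
			 * suggest a new one.
			 */
			nmagic = ~sp->lcp.magic;
			/* Gonna NAK it. */
			p[2] = nmagic >> 24;
			p[3] = nmagic >> 16;
			p[4] = nmagic >> 8;
			p[5] = nmagic;
			break;

		case LCP_OPT_ASYNC_MAP:
			/*
			 * Async control character map -- just ignore it.
			 *
			 * Quote from RFC 1662, chapter 6:
			 * To enable this functionality, synchronous PPP
			 * implementations MUST always respond to the
			 * Async-Control-Character-Map Configuration
			 * Option with the LCP Configure-Ack.  However,
			 * acceptance of the Configuration Option does
			 * not imply that the synchronous implementation
			 * will do any ACCM mapping.  Instead, all such
			 * octet mapping will be performed by the
			 * asynchronous-to-synchronous converter.
			 */
			continue;

		case LCP_OPT_MRU:
			/*
			 * Maximum receive unit.  Always agreeable,
			 * but ignored by now.
			 *
			 * NOTE(review): the peer's value is stored without
			 * a lower bound, unlike the PPP_MINMRU check in
			 * sppp_lcp_confnak() -- confirm every consumer of
			 * their_mru tolerates very small values.
			 */
			sp->lcp.their_mru = p[2] * 256 + p[3];
			if (debug)
				addlog(" %ld", sp->lcp.their_mru);
			continue;

		case LCP_OPT_AUTH_PROTO:
			authproto = (p[2] << 8) + p[3];
			if (ISSET(sp->myauth.flags, SPPP_AUTHFLAG_PASSIVEAUTHPROTO)) {
				if (authproto == PPP_PAP || authproto == PPP_CHAP)
					sp->myauth.proto = authproto;
			}
			if (sp->myauth.proto == authproto) {
				if (authproto != PPP_CHAP || p[4] == CHAP_MD5) {
					continue;
				}
				if (debug)
					addlog(" [chap without MD5]");
			} else {
				if (debug) {
					char pbuf1[SPPP_PROTO_NAMELEN];
					char pbuf2[SPPP_PROTO_NAMELEN];
					const char *pname1, *pname2;

					pname1 = sppp_proto_name(pbuf1,
					    sizeof(pbuf1), sp->myauth.proto);
					pname2 = sppp_proto_name(pbuf2,
					    sizeof(pbuf2), authproto);
					addlog(" [mine %s != his %s]",
					    pname1, pname2);
				}
			}
			/*
			 * not agreed, nak
			 *
			 * The length of the option we send back is kept in
			 * its own variable: l must stay the length of the
			 * received option, because the loop header uses it
			 * to step to the next one.
			 */
			if (sp->myauth.proto == PPP_CHAP) {
				naklen = 5;
			} else {
				naklen = 4;
			}

			if ((size_t)rlen + naklen > blen) {
				if (debug)
					addlog(" [overflow]");
				continue;
			}

			r[0] = LCP_OPT_AUTH_PROTO;
			r[1] = naklen;
			r[2] = sp->myauth.proto >> 8;
			r[3] = sp->myauth.proto & 0xff;
			if (sp->myauth.proto == PPP_CHAP)
				r[4] = CHAP_MD5;
			rlen += naklen;
			r += naklen;
			continue;
		case LCP_OPT_MP_EID:
			/*
			 * Endpoint identification.
			 * Always agreeable,
			 * but ignored by now.
			 */
			if (debug) {
				addlog(" type %d", p[2]);
				sppp_print_bytes(p+3, p[1]-3);
			}
			continue;
		case LCP_OPT_MP_MRRU:
			/*
			 * Maximum received reconstructed unit.
			 * Always agreeable,
			 * but ignored by now.
			 */
			sp->lcp.their_mrru = p[2] * 256 + p[3];
			if (debug)
				addlog(" %ld", sp->lcp.their_mrru);
			continue;
		}
		if ((size_t)rlen + l > blen) {
			if (debug)
				addlog(" [overflow]");
			continue;
		}
		/* Add the option to nak'ed list. */
		memcpy(r, p, l);
		r += l;
		rlen += l;
	}

	if (rlen > 0) {
		if (++sp->scp[IDX_LCP].fail_counter >= sp->lcp.max_failure) {
			if (debug)
				addlog(" max_failure (%d) exceeded, ",
				    sp->lcp.max_failure);
			type = CP_RCR_REJ;
		} else {
			type = CP_RCR_NAK;
		}
	} else {
		type = CP_RCR_ACK;
		/*
		 * Echo the whole option area back.  r still equals buf
		 * here, and buf holds blen == origlen bytes.
		 */
		rlen = origlen;
		memcpy(r, h + 1, rlen);
		sp->scp[IDX_LCP].fail_counter = 0;
		sp->pp_loopcnt = 0;
	}

end:
	if (debug)
		addlog("\n");

	if (type == CP_RCR_ERR || type == CP_RCR_DROP) {
		/* Nothing is handed to the caller; release the buffer. */
		if (buf != NULL)
			kmem_intr_free(buf, blen);
	} else {
		*msgbuf = buf;
		*buflen = blen;
		*msglen = rlen;
	}

	return type;
}

/*
 * Analyze the LCP Configure-Reject option list, and adjust our
 * negotiation.
 */
static void
sppp_lcp_confrej(struct sppp *sp, struct lcp_header *h, int len)
{
	const bool debug = sppp_debug_enabled(sp);
	u_char *p, l;

	KASSERT(SPPP_WLOCKED(sp));

	if (len <= sizeof(*h))
		return;

	len -= sizeof(*h);

	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "lcp rej opts:");

	p = (void *)(h + 1);
	for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) {
		/* Sanity check option length */
		if (l > len) {
			/*
			 * Malicious option - drop immediately.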
2960 * XXX Maybe we should just RXJ it? 2961 */ 2962 if (debug) 2963 addlog("\n"); 2964 2965 SPPP_LOG(sp, LOG_DEBUG, 2966 "received malicious LCP option, dropping.\n"); 2967 goto end; 2968 } 2969 if (debug) { 2970 char lbuf[SPPP_LCPOPT_NAMELEN]; 2971 addlog(" %s", sppp_lcp_opt_name(lbuf, sizeof(lbuf), *p)); 2972 } 2973 switch (p[0]) { 2974 case LCP_OPT_MAGIC: 2975 /* Magic number -- can't use it, use 0 */ 2976 CLR(sp->lcp.opts, SPPP_LCP_OPT_MAGIC); 2977 sp->lcp.magic = 0; 2978 break; 2979 case LCP_OPT_MRU: 2980 /* 2981 * We try to negotiate a lower MRU if the underlying 2982 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 2983 * peer rejects this lower rate, fallback to the 2984 * default. 2985 */ 2986 if (!debug) { 2987 SPPP_LOG(sp, LOG_INFO, 2988 "peer rejected our MRU of " 2989 "%ld bytes. Defaulting to %d bytes\n", 2990 sp->lcp.mru, PP_MTU); 2991 } 2992 CLR(sp->lcp.opts, SPPP_LCP_OPT_MRU); 2993 sp->lcp.mru = PP_MTU; 2994 break; 2995 case LCP_OPT_AUTH_PROTO: 2996 /* 2997 * Peer doesn't want to authenticate himself, 2998 * deny unless this is a dialout call, and 2999 * SPPP_AUTHFLAG_NOCALLOUT is set. 3000 */ 3001 if ((sp->pp_flags & PP_CALLIN) == 0 && 3002 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 3003 if (debug) { 3004 addlog(" [don't insist on auth " 3005 "for callout]"); 3006 } 3007 CLR(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO); 3008 break; 3009 } 3010 if (debug) 3011 addlog("[access denied]\n"); 3012 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 3013 break; 3014 } 3015 } 3016 if (debug) 3017 addlog("\n"); 3018 end: 3019 return; 3020 } 3021 3022 /* 3023 * Analyze the LCP Configure-NAK option list, and adjust our 3024 * negotiation. 
3025 */ 3026 static void 3027 sppp_lcp_confnak(struct sppp *sp, struct lcp_header *h, int len) 3028 { 3029 const bool debug = sppp_debug_enabled(sp); 3030 u_char *p, l; 3031 uint32_t magic; 3032 3033 KASSERT(SPPP_WLOCKED(sp)); 3034 3035 if (len <= sizeof(*h)) 3036 return; 3037 3038 len -= sizeof(*h); 3039 3040 if (debug) 3041 SPPP_LOG(sp, LOG_DEBUG, "lcp nak opts:"); 3042 3043 p = (void *)(h + 1); 3044 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3045 /* Sanity check option length */ 3046 if (l > len) { 3047 /* 3048 * Malicious option - drop immediately. 3049 * XXX Maybe we should just RXJ it? 3050 */ 3051 if (debug) 3052 addlog("\n"); 3053 3054 SPPP_LOG(sp, LOG_DEBUG, 3055 "received malicious LCP option, dropping.\n"); 3056 goto end; 3057 } 3058 if (debug) { 3059 char lbuf[SPPP_LCPOPT_NAMELEN]; 3060 addlog(" %s", sppp_lcp_opt_name(lbuf, sizeof(lbuf),*p)); 3061 } 3062 switch (p[0]) { 3063 case LCP_OPT_MAGIC: 3064 /* Magic number -- renegotiate */ 3065 if (ISSET(sp->lcp.opts, SPPP_LCP_OPT_MAGIC) && 3066 len >= 6 && l == 6) { 3067 magic = (uint32_t)p[2] << 24 | 3068 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 3069 /* 3070 * If the remote magic is our negated one, 3071 * this looks like a loopback problem. 3072 * Suggest a new magic to make sure. 3073 */ 3074 if (magic == ~sp->lcp.magic) { 3075 if (debug) 3076 addlog(" magic glitch"); 3077 sp->lcp.magic = cprng_fast32(); 3078 } else { 3079 sp->lcp.magic = magic; 3080 if (debug) 3081 addlog(" %d", magic); 3082 } 3083 } 3084 break; 3085 case LCP_OPT_MRU: 3086 /* 3087 * Peer wants to advise us to negotiate an MRU. 3088 * Agree on it if it's reasonable, or use 3089 * default otherwise. 
3090 */ 3091 if (len >= 4 && l == 4) { 3092 u_int mru = p[2] * 256 + p[3]; 3093 if (debug) 3094 addlog(" %d", mru); 3095 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 3096 mru = sp->pp_if.if_mtu; 3097 sp->lcp.mru = mru; 3098 SET(sp->lcp.opts, SPPP_LCP_OPT_MRU); 3099 } 3100 break; 3101 case LCP_OPT_AUTH_PROTO: 3102 /* 3103 * Peer doesn't like our authentication method, 3104 * deny. 3105 */ 3106 if (debug) 3107 addlog("[access denied]\n"); 3108 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 3109 break; 3110 } 3111 } 3112 if (debug) 3113 addlog("\n"); 3114 end: 3115 return; 3116 } 3117 3118 static void 3119 sppp_lcp_tlu(struct sppp *sp) 3120 { 3121 struct ifnet *ifp = &sp->pp_if; 3122 struct sppp_cp *scp; 3123 int i; 3124 3125 KASSERT(SPPP_WLOCKED(sp)); 3126 3127 /* unlock for IFNET_LOCK */ 3128 SPPP_UNLOCK(sp); 3129 3130 /* the interface was down by PP_IFDOWN flag */ 3131 if ((ifp->if_flags & (IFF_UP | IFF_RUNNING)) == IFF_RUNNING) { 3132 SPPP_LOG(sp, LOG_DEBUG, "interface is going up\n"); 3133 if_up(ifp); 3134 } 3135 3136 IFNET_LOCK(ifp); 3137 SPPP_LOCK(sp, RW_WRITER); 3138 if (ifp->if_mtu > sp->lcp.their_mru) { 3139 sp->pp_saved_mtu = ifp->if_mtu; 3140 ifp->if_mtu = sp->lcp.their_mru; 3141 SPPP_DLOG(sp, "setting MTU " 3142 "from %"PRIu64" bytes to %"PRIu64" bytes\n", 3143 sp->pp_saved_mtu, ifp->if_mtu); 3144 } 3145 SPPP_UNLOCK(sp); 3146 IFNET_UNLOCK(ifp); 3147 3148 SPPP_LOCK(sp, RW_WRITER); 3149 3150 if (ISSET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO) || 3151 (sp->pp_flags & PP_NEEDAUTH) != 0) 3152 sppp_change_phase(sp, SPPP_PHASE_AUTHENTICATE); 3153 else 3154 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 3155 3156 for (i = 0; i < IDX_COUNT; i++) { 3157 scp = &sp->scp[(cps[i])->protoidx]; 3158 3159 if (((cps[i])->flags & CP_LCP) == 0) 3160 sppp_wq_add(sp->wq_cp, &scp->work_up); 3161 3162 /* 3163 * Open all authentication protocols. 
This is even required 3164 * if we already proceeded to network phase, since it might be 3165 * that remote wants us to authenticate, so we might have to 3166 * send a PAP request. Undesired authentication protocols 3167 * don't do anything when they get an Open event. 3168 */ 3169 if ((cps[i])->flags & CP_AUTH) 3170 sppp_wq_add(sp->wq_cp, &scp->work_open); 3171 3172 /* Open all NCPs. */ 3173 if (sp->pp_phase == SPPP_PHASE_NETWORK && 3174 ((cps[i])->flags & CP_NCP) != 0) { 3175 sppp_wq_add(sp->wq_cp, &scp->work_open); 3176 } 3177 } 3178 } 3179 3180 static void 3181 sppp_lcp_tld(struct sppp *sp) 3182 { 3183 struct ifnet *ifp; 3184 struct sppp_cp *scp; 3185 int i, phase; 3186 3187 KASSERT(SPPP_WLOCKED(sp)); 3188 3189 phase = sp->pp_phase; 3190 3191 sppp_change_phase(sp, SPPP_PHASE_TERMINATE); 3192 3193 if (sp->pp_saved_mtu > 0) { 3194 ifp = &sp->pp_if; 3195 3196 SPPP_UNLOCK(sp); 3197 IFNET_LOCK(ifp); 3198 SPPP_LOCK(sp, RW_WRITER); 3199 3200 SPPP_DLOG(sp, "setting MTU " 3201 "from %"PRIu64" bytes to %"PRIu64" bytes\n", 3202 ifp->if_mtu, sp->pp_saved_mtu); 3203 3204 ifp->if_mtu = sp->pp_saved_mtu; 3205 sp->pp_saved_mtu = 0; 3206 IFNET_UNLOCK(ifp); 3207 } 3208 3209 /* 3210 * Take upper layers down. We send the Down event first and 3211 * the Close second to prevent the upper layers from sending 3212 * ``a flurry of terminate-request packets'', as the RFC 3213 * describes it. 3214 */ 3215 for (i = 0; i < IDX_COUNT; i++) { 3216 scp = &sp->scp[(cps[i])->protoidx]; 3217 3218 if (((cps[i])->flags & CP_LCP) == 0) 3219 sppp_wq_add(sp->wq_cp, &scp->work_down); 3220 3221 if ((cps[i])->flags & CP_AUTH) { 3222 sppp_wq_add(sp->wq_cp, &scp->work_close); 3223 } 3224 3225 /* Close all NCPs. 
*/ 3226 if (phase == SPPP_PHASE_NETWORK && 3227 ((cps[i])->flags & CP_NCP) != 0) { 3228 sppp_wq_add(sp->wq_cp, &scp->work_close); 3229 } 3230 } 3231 } 3232 3233 static void 3234 sppp_lcp_tls(const struct cp *cp __unused, struct sppp *sp) 3235 { 3236 3237 KASSERT(SPPP_WLOCKED(sp)); 3238 3239 sppp_change_phase(sp, SPPP_PHASE_ESTABLISH); 3240 3241 /* Notify lower layer if desired. */ 3242 if (!sp->lcp.lower_running) { 3243 sp->lcp.lower_running = true; 3244 sppp_notify_tls_wlocked(sp); 3245 } 3246 } 3247 3248 static void 3249 sppp_lcp_tlf(const struct cp *cp __unused, struct sppp *sp) 3250 { 3251 3252 KASSERT(SPPP_WLOCKED(sp)); 3253 3254 sppp_change_phase(sp, SPPP_PHASE_DEAD); 3255 3256 /* Notify lower layer if desired. */ 3257 if (sp->lcp.lower_running) { 3258 sp->lcp.lower_running = false; 3259 sppp_notify_tlf_wlocked(sp); 3260 } 3261 } 3262 3263 static void 3264 sppp_lcp_scr(struct sppp *sp) 3265 { 3266 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 3267 int i = 0; 3268 u_short authproto; 3269 3270 KASSERT(SPPP_WLOCKED(sp)); 3271 3272 if (ISSET(sp->lcp.opts, SPPP_LCP_OPT_MAGIC)) { 3273 if (! sp->lcp.magic) 3274 sp->lcp.magic = cprng_fast32(); 3275 opt[i++] = LCP_OPT_MAGIC; 3276 opt[i++] = 6; 3277 opt[i++] = sp->lcp.magic >> 24; 3278 opt[i++] = sp->lcp.magic >> 16; 3279 opt[i++] = sp->lcp.magic >> 8; 3280 opt[i++] = sp->lcp.magic; 3281 } 3282 3283 if (ISSET(sp->lcp.opts,SPPP_LCP_OPT_MRU)) { 3284 opt[i++] = LCP_OPT_MRU; 3285 opt[i++] = 4; 3286 opt[i++] = sp->lcp.mru >> 8; 3287 opt[i++] = sp->lcp.mru; 3288 } 3289 3290 if (ISSET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO)) { 3291 authproto = sp->hisauth.proto; 3292 opt[i++] = LCP_OPT_AUTH_PROTO; 3293 opt[i++] = authproto == PPP_CHAP? 
5: 4; 3294 opt[i++] = authproto >> 8; 3295 opt[i++] = authproto; 3296 if (authproto == PPP_CHAP) 3297 opt[i++] = CHAP_MD5; 3298 } 3299 3300 sp->scp[IDX_LCP].confid = ++sp->scp[IDX_LCP].seq; 3301 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->scp[IDX_LCP].confid, i, &opt); 3302 } 3303 3304 /* 3305 * Check the open NCPs, return true if at least one NCP is open. 3306 */ 3307 3308 static int 3309 sppp_cp_check(struct sppp *sp, u_char cp_flags) 3310 { 3311 int i, mask; 3312 3313 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 3314 if ((sp->lcp.protos & mask) && (cps[i])->flags & cp_flags) 3315 return 1; 3316 return 0; 3317 } 3318 3319 /* 3320 * Check the opened NCPs, return true if at least one NCP is opened. 3321 */ 3322 static bool 3323 sppp_is_ncp_opened(struct sppp *sp) 3324 { 3325 int i, mask; 3326 3327 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 3328 if (((cps[i])->flags & CP_NCP) && (sp->scp[i].state == STATE_OPENED)) 3329 return true; 3330 return false; 3331 } 3332 3333 /* 3334 * Re-check the open NCPs and see if we should terminate the link. 3335 * Called by the NCPs during their tlf action handling. 
 */
static void
sppp_lcp_check_and_close(struct sppp *sp)
{
	bool auth_exhausted;

	KASSERT(SPPP_WLOCKED(sp));

	/* Below the authenticate phase the link is already going down. */
	if (sp->pp_phase < SPPP_PHASE_AUTHENTICATE)
		return;

	/* Leave LCP alone while a protocol of the current phase is in use. */
	if (sp->pp_phase == SPPP_PHASE_AUTHENTICATE) {
		if (sppp_cp_check(sp, CP_AUTH))
			return;
	}
	if (sp->pp_phase >= SPPP_PHASE_NETWORK) {
		if (sppp_cp_check(sp, CP_NCP))
			return;
	}

	sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close);

	/*
	 * A limit of 0 disables the check.  Once the limit is reached the
	 * ifdown work is queued instead of another LCP open.
	 */
	auth_exhausted = sp->pp_max_auth_fail != 0 &&
	    sp->pp_auth_failures >= sp->pp_max_auth_fail;
	if (!auth_exhausted) {
		sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open);
		return;
	}

	SPPP_LOG(sp, LOG_INFO, "authentication failed %d times, "
	    "not retrying again\n", sp->pp_auth_failures);
	sppp_wq_add(sp->wq_cp, &sp->work_ifdown);
}

/*
 *--------------------------------------------------------------------------*
 *                                                                          *
 *                         The IPCP implementation.                         *
 *                                                                          *
 *--------------------------------------------------------------------------*
 */

/*
 * Initialise the IPCP control protocol state and start with no options
 * and no flags.  Caller holds the sppp write lock.
 */
static void
sppp_ipcp_init(struct sppp *sp)
{

	KASSERT(SPPP_WLOCKED(sp));

	sppp_cp_init(&ipcp, sp);

	sp->ipcp.flags = 0;
	sp->ipcp.opts = 0;
}

/*
 * Prepare IPCP negotiation and raise the open event.
 *
 * Does nothing unless SPPP_NCP_IPCP is set in pp_ncpflags.  Negotiation
 * state left over from an earlier session (address flags, requested
 * addresses, DNS addresses) is cleared first.  Caller holds the sppp
 * write lock and must not be in soft interrupt context.
 */
static void
sppp_ipcp_open(struct sppp *sp, void *xcp)
{
	uint32_t local_ip, peer_ip;

	KASSERT(SPPP_WLOCKED(sp));
	KASSERT(!cpu_softintr_p());

	if (!ISSET(sp->pp_ncpflags, SPPP_NCP_IPCP))
		return;

	CLR(sp->ipcp.flags,
	    IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN);
	sp->ipcp.req_myaddr = 0;
	sp->ipcp.req_hisaddr = 0;
	memset(&sp->dns_addrs, 0, sizeof(sp->dns_addrs));

#ifdef INET
	sppp_get_ip_addrs(sp, &local_ip, &peer_ip, 0);
#else
	local_ip = 0;
	peer_ip = 0;
#endif
	/*
	 * Without a peer address the interface most likely is not meant
	 * to talk IP at all (somebody may want to speak only IPX, for
	 * example), so IPCP is not opened.
	 */
	if (peer_ip == 0) {
		/* XXX this message should go away */
		SPPP_DLOG(sp, "ipcp_open(): no IP interface\n");
		return;
	}

	/* No local address assigned: it has to be negotiated. */
	if (local_ip == 0) {
		SET(sp->ipcp.flags, IPCP_MYADDR_DYN);
		SET(sp->ipcp.opts, SPPP_IPCP_OPT_ADDRESS);
	}

	/*
	 * XXX - remove this hack!
	 * A peer address of 1 marks "no valid address yet"; the remote
	 * side needs to get one assigned.
	 */
	if (peer_ip == 1) {
		SET(sp->ipcp.flags, IPCP_HISADDR_DYN);
		sp->ipcp.saved_hisaddr = htonl(peer_ip);
	}

	/* Bit 0 of query_dns asks for the primary DNS, bit 1 the secondary. */
	if ((sp->query_dns & 1) != 0)
		SET(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS);
	else
		CLR(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS);

	if ((sp->query_dns & 2) != 0)
		SET(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS);
	else
		CLR(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS);

	sppp_open_event(sp, xcp);
}

/*
 * Raise the close event for IPCP and drop negotiated state: addresses
 * that were dynamic are cleared again (INET only) and the DNS addresses
 * are zeroed.  Caller holds the sppp write lock and must not be in soft
 * interrupt context.
 */
static void
sppp_ipcp_close(struct sppp *sp, void *xcp)
{
	KASSERT(SPPP_WLOCKED(sp));
	KASSERT(!cpu_softintr_p());

	sppp_close_event(sp, xcp);

#ifdef INET
	/* Some address was dynamic, clear it again. */
	if ((sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) != 0)
		sppp_clear_ip_addrs(sp);
#endif
	memset(&sp->dns_addrs, 0, sizeof(sp->dns_addrs));
}

/*
 * Analyze a configure request.  Return true if it was agreeable, and
 * caused action sca, false if it has been rejected or nak'ed, and
 * caused action scn.  (The return value is used to make the state
 * transition decision in the state automaton.)
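 */
/*
 * NOTE: the description above predates the enum return type.  As the
 * code below shows, the result is:
 *   CP_RCR_ACK  - every option was agreeable; the request is echoed back
 *   CP_RCR_NAK  - at least one value was not agreeable, or the peer's
 *                 address has not been seen yet
 *   CP_RCR_REJ  - at least one option was unknown or malformed
 *   CP_RCR_ERR  - an option length ran past the end of the packet
 *   CP_RCR_DROP - the packet was shorter than its header, or no memory
 *
 * For ACK/NAK/REJ the reply options are handed back through *msgbuf
 * (allocated size in *buflen, bytes used in *msglen); for ERR/DROP the
 * buffer is released here and the out parameters are left untouched.
 * Presumably the caller frees *msgbuf with kmem_intr_free(); that code
 * is not in this part of the file.
 *
 * origlen is the length of the whole packet including the lcp_header.
 * The option bytes come from the peer and are untrusted; pass 2 also
 * rewrites address values in place inside the received packet.
 */
static enum cp_rcr_type
sppp_ipcp_confreq(struct sppp *sp, struct lcp_header *h, int origlen,
    uint8_t **msgbuf, size_t *buflen, size_t *msglen)
{
	const bool debug = sppp_debug_enabled(sp);
	u_char *buf, *r, *p, l;
	/*
	 * blen is a size_t, not a u_char: an 8-bit length wraps for option
	 * lists longer than 255 bytes, which would leave the reply buffer
	 * smaller than the origlen bytes copied on the conf-ack path and
	 * smaller than the 6 bytes written on the "still need hisaddr" path.
	 */
	size_t blen;
	enum cp_rcr_type type;
	int rlen, len;
	uint32_t hisaddr, desiredaddr;
	char ipbuf[SPPP_IPCPOPT_NAMELEN];
	char dqbuf[SPPP_DOTQUAD_BUFLEN];
	const char *dq;

	KASSERT(SPPP_WLOCKED(sp));

	type = CP_RCR_NONE;
	origlen -= sizeof(*h);

	if (origlen < 0)
		return CP_RCR_DROP;

	/*
	 * Make sure to allocate a buf that can at least hold a
	 * conf-nak with an `address' option.  We might need it below.
	 */
	blen = (size_t)MAX(6, origlen);

	buf = kmem_intr_alloc(blen, KM_NOSLEEP);
	if (buf == NULL)
		return CP_RCR_DROP;

	/* pass 1: see if we can recognize them */
	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "ipcp parse opts:");
	p = (void *)(h + 1);
	r = buf;
	rlen = 0;
	for (len = origlen; len > 1; len -= l, p += l) {
		l = p[1];
		if (l == 0)
			break;

		/* Sanity check option length */
		if (l > len) {
			/* XXX should we just RXJ? */
			if (debug)
				addlog("\n");

			SPPP_LOG(sp, LOG_DEBUG,
			    " malicious IPCP option received, dropping\n");
			type = CP_RCR_ERR;
			goto end;
		}
		if (debug) {
			addlog(" %s",
			    sppp_ipcp_opt_name(ipbuf, sizeof(ipbuf), *p));
		}
		switch (p[0]) {
#ifdef notyet
		case IPCP_OPT_COMPRESSION:
			if (len >= 6 && l >= 6) {
				/* correctly formed compress option */
				continue;
			}
			if (debug)
				addlog(" [invalid]");
			break;
#endif
		case IPCP_OPT_ADDRESS:
			if (len >= 6 && l == 6) {
				/* correctly formed address option */
				continue;
			}
			if (debug)
				addlog(" [invalid]");
			break;
		default:
			/* Others not supported. */
			if (debug)
				addlog(" [rej]");
			break;
		}
		/*
		 * Add the option to rejected list.  The options copied here
		 * never add up to more than origlen, so with blen >= origlen
		 * this bound is a second line of defence only.  It matters:
		 * an option skipped here is not rejected and would reach
		 * pass 2, which trusts the lengths checked above.
		 */
		if ((size_t)rlen + l > blen) {
			if (debug)
				addlog(" [overflow]");
			continue;
		}
		memcpy(r, p, l);
		r += l;
		rlen += l;
	}

	if (rlen > 0) {
		type = CP_RCR_REJ;
		goto end;
	}

	if (debug)
		addlog("\n");

	/* pass 2: parse option values */
	if (sp->ipcp.flags & IPCP_HISADDR_SEEN)
		hisaddr = sp->ipcp.req_hisaddr;	/* we already agreed on that */
	else
#ifdef INET
		sppp_get_ip_addrs(sp, 0, &hisaddr, 0);	/* user configuration */
#else
		hisaddr = 0;
#endif
	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "ipcp parse opt values:");
	p = (void *)(h + 1);
	r = buf;
	rlen = 0;
	for (len = origlen; len > 1; len -= l, p += l) {
		l = p[1];
		if (l == 0)
			break;

		if (debug) {
			addlog(" %s",
			    sppp_ipcp_opt_name(ipbuf, sizeof(ipbuf), *p));
		}
		switch (p[0]) {
#ifdef notyet
		case IPCP_OPT_COMPRESSION:
			continue;
#endif
		case IPCP_OPT_ADDRESS:
			/*
			 * Pass 1 only lets a 6-byte address option through,
			 * so p[2..5] are inside the packet.  The casts keep
			 * the shifts unsigned; shifting a promoted u_char
			 * >= 0x80 left by 24 as an int is undefined.
			 */
			desiredaddr = (uint32_t)p[2] << 24 |
			    (uint32_t)p[3] << 16 |
			    (uint32_t)p[4] << 8 | p[5];
			if (desiredaddr == hisaddr ||
			    ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) {
				/*
				 * Peer's address is same as our value,
				 * this is agreeable.  Gonna conf-ack
				 * it.
				 */
				if (debug) {
					dq = sppp_dotted_quad(dqbuf,
					    sizeof(dqbuf), hisaddr);
					addlog(" %s [ack]", dq);
				}
				/* record that we've seen it already */
				sp->ipcp.flags |= IPCP_HISADDR_SEEN;
				sp->ipcp.req_hisaddr = desiredaddr;
				hisaddr = desiredaddr;
				continue;
			}
			/*
			 * The address wasn't agreeable.  This is either
			 * he sent us 0.0.0.0, asking to assign him an
			 * address, or he send us another address not
			 * matching our value.  Either case, we gonna
			 * conf-nak it with our value.
			 */
			if (debug) {
				if (desiredaddr == 0) {
					addlog(" [addr requested]");
				} else {
					dq = sppp_dotted_quad(dqbuf,
					    sizeof(dqbuf), desiredaddr);
					addlog(" %s [not agreed]", dq);
				}
			}

			/* Overwrite the value in the received option. */
			p[2] = hisaddr >> 24;
			p[3] = hisaddr >> 16;
			p[4] = hisaddr >> 8;
			p[5] = hisaddr;
			break;
		}
		if ((size_t)rlen + l > blen) {
			if (debug)
				addlog(" [overflow]");
			continue;
		}
		/* Add the option to nak'ed list. */
		memcpy(r, p, l);
		r += l;
		rlen += l;
	}

	if (rlen > 0) {
		type = CP_RCR_NAK;
	} else {
		if ((sp->ipcp.flags & IPCP_HISADDR_SEEN) == 0) {
			/*
			 * If we are about to conf-ack the request, but haven't seen
			 * his address so far, gonna conf-nak it instead, with the
			 * `address' option present and our idea of his address being
			 * filled in there, to request negotiation of both addresses.
			 *
			 * XXX This can result in an endless req - nak loop if peer
			 * doesn't want to send us his address.  Q: What should we do
			 * about it?  XXX  A: implement the max-failure counter.
			 */
			buf[0] = IPCP_OPT_ADDRESS;
			buf[1] = 6;
			buf[2] = hisaddr >> 24;
			buf[3] = hisaddr >> 16;
			buf[4] = hisaddr >> 8;
			buf[5] = hisaddr;
			rlen = 6;
			if (debug)
				addlog(" still need hisaddr");
			type = CP_RCR_NAK;
		} else {
			/* Echo the whole option list; origlen <= blen. */
			type = CP_RCR_ACK;
			rlen = origlen;
			memcpy(r, h + 1, rlen);
		}
	}

end:
	if (debug)
		addlog("\n");

	if (type == CP_RCR_ERR || type == CP_RCR_DROP) {
		if (buf != NULL)
			kmem_intr_free(buf, blen);
	} else {
		*msgbuf = buf;
		*buflen = blen;
		*msglen = rlen;
	}

	return type;
}

/*
 * Analyze the IPCP Configure-Reject option list, and adjust our
 * negotiation.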
 */
/*
 * Each option the peer rejected is removed from sp->ipcp.opts.  len is
 * the packet length including the lcp_header; parsing stops at a zero
 * length byte or at an option that claims more bytes than remain.
 * Caller holds the sppp write lock.
 */
static void
sppp_ipcp_confrej(struct sppp *sp, struct lcp_header *h, int len)
{
	const bool debug = sppp_debug_enabled(sp);
	u_char *opt, optlen;

	KASSERT(SPPP_WLOCKED(sp));

	/*
	 * NOTE(review): len is an int and sizeof is a size_t, so a negative
	 * len compares as a large unsigned value and passes this guard; the
	 * loop condition below then stops it.
	 */
	if (len <= sizeof(*h))
		return;

	len -= sizeof(*h);

	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "ipcp rej opts:");

	opt = (void *)(h + 1);
	while (len > 1) {
		optlen = opt[1];
		if (optlen == 0)
			break;

		/* Sanity check option length */
		if (optlen > len) {
			/* XXX should we just RXJ? */
			if (debug)
				addlog("\n");
			SPPP_LOG(sp, LOG_DEBUG,
			    "malicious IPCP option received, dropping\n");
			return;
		}
		if (debug) {
			char ipbuf[SPPP_IPCPOPT_NAMELEN];

			addlog(" %s",
			    sppp_ipcp_opt_name(ipbuf, sizeof(ipbuf), opt[0]));
		}
		switch (opt[0]) {
		case IPCP_OPT_ADDRESS:
			/*
			 * Peer doesn't grok address option.  This is
			 * bad.  XXX  Should we better give up here?
			 */
			if (!debug) {
				SPPP_LOG(sp, LOG_ERR,
				    "IPCP address option rejected\n");
			}
			CLR(sp->ipcp.opts, SPPP_IPCP_OPT_ADDRESS);
			break;
#ifdef notyet
		case IPCP_OPT_COMPRESS:
			CLR(sp->ipcp.opts, SPPP_IPCP_OPT_COMPRESS);
			break;
#endif
		case IPCP_OPT_PRIMDNS:
			CLR(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS);
			break;

		case IPCP_OPT_SECDNS:
			CLR(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS);
			break;
		}

		/* Step to the next option. */
		len -= optlen;
		opt += optlen;
	}
	if (debug)
		addlog("\n");
}

/*
 * Analyze the IPCP Configure-NAK option list, and adjust our
 * negotiation.
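 */
/*
 * len is the packet length including the lcp_header.  The option bytes
 * come from the peer: an address is accepted only while our own address
 * is being negotiated dynamically (IPCP_MYADDR_DYN), and a DNS address
 * only if the matching option was requested by this end.  Parsing stops
 * at a zero length byte or at an option that claims more bytes than
 * remain.  Caller holds the sppp write lock.
 */
static void
sppp_ipcp_confnak(struct sppp *sp, struct lcp_header *h, int len)
{
	const bool debug = sppp_debug_enabled(sp);
	u_char *p, l;
	uint32_t wantaddr;

	KASSERT(SPPP_WLOCKED(sp));

	/*
	 * Nothing to parse without at least one byte after the header.
	 * The Configure-Reject handler has the same guard; the cast keeps
	 * the comparison signed so that a negative len is caught as well.
	 */
	if (len <= (int)sizeof(*h))
		return;

	len -= sizeof(*h);

	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "ipcp nak opts:");

	p = (void *)(h + 1);
	for (; len > 1; len -= l, p += l) {
		l = p[1];
		if (l == 0)
			break;

		/* Sanity check option length */
		if (l > len) {
			/* XXX should we just RXJ? */
			if (debug)
				addlog("\n");
			SPPP_LOG(sp, LOG_DEBUG,
			    "malicious IPCP option received, dropping\n");
			return;
		}
		if (debug) {
			char ipbuf[SPPP_IPCPOPT_NAMELEN];
			addlog(" %s",
			    sppp_ipcp_opt_name(ipbuf, sizeof(ipbuf), *p));
		}
		switch (*p) {
		case IPCP_OPT_ADDRESS:
			/*
			 * Peer doesn't like our local IP address.  See
			 * if we can do something for him.  We'll drop
			 * him our address then.
			 */
			if (len >= 6 && l == 6) {
				/*
				 * Unsigned shifts: a promoted u_char >= 0x80
				 * shifted left by 24 as an int is undefined.
				 */
				wantaddr = (uint32_t)p[2] << 24 |
				    (uint32_t)p[3] << 16 |
				    (uint32_t)p[4] << 8 | p[5];
				SET(sp->ipcp.opts, SPPP_IPCP_OPT_ADDRESS);
				if (debug) {
					char dqbuf[SPPP_DOTQUAD_BUFLEN];
					const char *dq;

					dq = sppp_dotted_quad(dqbuf,
					    sizeof(dqbuf), wantaddr);
					addlog(" [wantaddr %s]", dq);
				}
				/*
				 * When doing dynamic address assignment,
				 * we accept his offer.  Otherwise, we
				 * ignore it and thus continue to negotiate
				 * our already existing value.
				 */
				if (sp->ipcp.flags & IPCP_MYADDR_DYN) {
					if (ntohl(wantaddr) != INADDR_ANY) {
						if (debug)
							addlog(" [agree]");
						sp->ipcp.flags |= IPCP_MYADDR_SEEN;
						sp->ipcp.req_myaddr = wantaddr;
					} else {
						if (debug)
							addlog(" [not agreed]");
					}
				}
			}
			break;

		case IPCP_OPT_PRIMDNS:
			/* Taken only if we asked for it and it is 6 bytes. */
			if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS) &&
			    len >= 6 && l == 6) {
				sp->dns_addrs[0] = (uint32_t)p[2] << 24 |
				    (uint32_t)p[3] << 16 |
				    (uint32_t)p[4] << 8 | p[5];
			}
			break;

		case IPCP_OPT_SECDNS:
			/* Taken only if we asked for it and it is 6 bytes. */
			if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS) &&
			    len >= 6 && l == 6) {
				sp->dns_addrs[1] = (uint32_t)p[2] << 24 |
				    (uint32_t)p[3] << 16 |
				    (uint32_t)p[4] << 8 | p[5];
			}
			break;
#ifdef notyet
		case IPCP_OPT_COMPRESS:
			/*
			 * Peer wants different compression parameters.
			 */
			break;
#endif
		}
	}
	if (debug)
		addlog("\n");
}

/*
 * rt_ifmsg requires sppp to be unlocked as it will attempt to lock it again.
 * unlocking sppp is safe here because this logic runs in a single thread,
 * the workqueue, so concurrent state transitions are excluded on that basis;
 * other tlu functions already release and re-acquire the lock already,
 * which is only for coordination with threads _other_ than the workqueue
 * thread which doesn't change the state.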
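 */
static void
sppp_rt_ifmsg(struct sppp *sp)
{
	struct ifnet *ifp = &sp->pp_if;

	KASSERT(SPPP_WLOCKED(sp));

	/* Drop the write lock around rt_ifmsg(), then take it again. */
	SPPP_UNLOCK(sp);
	rt_ifmsg(ifp);
	SPPP_LOCK(sp, RW_WRITER);
}

/*
 * IPCP "this layer up".  With INET: if our address was to be negotiated
 * but none was agreed, IPCP is closed again; otherwise the addresses are
 * set and a routing message is sent.  Without INET this is a no-op.
 */
static void
sppp_ipcp_tlu(struct sppp *sp)
{
#ifdef INET

	KASSERT(SPPP_WLOCKED(sp));

	SPPP_LOG(sp, LOG_INFO, "IPCP layer up\n");
	if ((sp->ipcp.flags & IPCP_MYADDR_DYN) &&
	    ((sp->ipcp.flags & IPCP_MYADDR_SEEN) == 0)) {
		SPPP_LOG(sp, LOG_WARNING,
		    "no IP address, closing IPCP\n");
		sppp_wq_add(sp->wq_cp,
		    &sp->scp[IDX_IPCP].work_close);
	} else {
		/* we are up. Set addresses and notify anyone interested */
		sppp_set_ip_addrs(sp);
		sppp_rt_ifmsg(sp);
	}
#endif
}

/*
 * IPCP "this layer down": log it and send a routing message (INET only).
 * sppp_rt_ifmsg() asserts that the write lock is held.
 */
static void
sppp_ipcp_tld(struct sppp *sp)
{
#ifdef INET

	SPPP_LOG(sp, LOG_INFO, "IPCP layer down\n");
	sppp_rt_ifmsg(sp);
#endif
}

/*
 * Build and send an IPCP Configure-Request carrying the options that are
 * currently set in sp->ipcp.opts.  The opt array is sized for every
 * option this function can emit.
 */
static void
sppp_ipcp_scr(struct sppp *sp)
{
	uint8_t opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */];
#ifdef INET
	uint32_t ouraddr;
#endif
	int i = 0;

	KASSERT(SPPP_WLOCKED(sp));

#ifdef notyet
	if (ISSET(sp->ipcp.opts,SPPP_IPCP_OPT_COMPRESSION)) {
		opt[i++] = IPCP_OPT_COMPRESSION;
		opt[i++] = 6;
		opt[i++] = 0;	/* VJ header compression */
		opt[i++] = 0x2d; /* VJ header compression */
		opt[i++] = max_slot_id;
		opt[i++] = comp_slot_id;
	}
#endif

#ifdef INET
	if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_ADDRESS)) {
		if (sp->ipcp.flags & IPCP_MYADDR_SEEN) {
			ouraddr = sp->ipcp.req_myaddr;	/* not sure if this can ever happen */
		} else {
			sppp_get_ip_addrs(sp, &ouraddr, 0, 0);
		}
		opt[i++] = IPCP_OPT_ADDRESS;
		opt[i++] = 6;
		opt[i++] = ouraddr >> 24;
		opt[i++] = ouraddr >> 16;
		opt[i++] = ouraddr >> 8;
		opt[i++] = ouraddr;
	}
#endif

	if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS)) {
		opt[i++] = IPCP_OPT_PRIMDNS;
		opt[i++] = 6;
		opt[i++] = sp->dns_addrs[0] >> 24;
		opt[i++] = sp->dns_addrs[0] >> 16;
		opt[i++] = sp->dns_addrs[0] >> 8;
		opt[i++] = sp->dns_addrs[0];
	}
	if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS)) {
		opt[i++] = IPCP_OPT_SECDNS;
		opt[i++] = 6;
		opt[i++] = sp->dns_addrs[1] >> 24;
		opt[i++] = sp->dns_addrs[1] >> 16;
		opt[i++] = sp->dns_addrs[1] >> 8;
		opt[i++] = sp->dns_addrs[1];
	}

	/* A fresh sequence number becomes the id of this request. */
	sp->scp[IDX_IPCP].confid = ++sp->scp[IDX_IPCP].seq;
	sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->scp[IDX_IPCP].confid, i, &opt);
}

/*
 *--------------------------------------------------------------------------*
 *                                                                          *
 *                        The IPv6CP implementation.                        *
 *                                                                          *
 *--------------------------------------------------------------------------*
 */

#ifdef INET6
/*
 * Initialise the IPv6CP control protocol state and start with no options
 * and no flags.  Caller holds the sppp write lock.
 */
static void
sppp_ipv6cp_init(struct sppp *sp)
{

	KASSERT(SPPP_WLOCKED(sp));

	sppp_cp_init(&ipv6cp, sp);

	sp->ipv6cp.opts = 0;
	sp->ipv6cp.flags = 0;
}

/*
 * Prepare IPv6CP negotiation and raise the open event.  Does nothing
 * unless SPPP_NCP_IPV6CP is set in pp_ncpflags, or when the interface
 * has no IPv6 address.  Caller holds the sppp write lock and must not
 * be in soft interrupt context.
 */
static void
sppp_ipv6cp_open(struct sppp *sp, void *xcp)
{
	struct in6_addr myaddr, hisaddr;

	KASSERT(SPPP_WLOCKED(sp));
	KASSERT(!cpu_softintr_p());

	if (!ISSET(sp->pp_ncpflags, SPPP_NCP_IPV6CP))
		return;

#ifdef IPV6CP_MYIFID_DYN
	sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN);
#else
	sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN;
#endif

	sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0);
	/*
	 * If we don't have our address, this probably means our
	 * interface doesn't want to talk IPv6 at all.  (This could
	 * be the case if somebody wants to speak only IPX, for
	 * example.)  Don't open IPv6CP in this case.
	 */
	if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) {
		/* XXX this message should go away */
		SPPP_DLOG(sp, "ipv6cp_open(): no IPv6 interface\n");
		return;
	}

	sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN;
	SET(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_IFID);
	sppp_open_event(sp, xcp);
}

/*
 * Analyze an IPv6CP configure request from the peer.
 *
 * Returns CP_RCR_ACK when the request is agreeable, CP_RCR_NAK or
 * CP_RCR_REJ when an option is answered with a suggestion or refused,
 * CP_RCR_ERR when an option length runs past the end of the packet and
 * CP_RCR_DROP when the packet is shorter than its header or no memory
 * is available.  (The return value is used to make the state transition
 * decision in the state automaton.)
 *
 * For ACK/NAK/REJ the reply options are handed back through *msgbuf
 * (allocated size in *buflen, bytes used in *msglen); for ERR/DROP the
 * buffer is released here and the out parameters are left untouched.
 *
 * origlen is the length of the whole packet including the lcp_header.
 * The option bytes come from the peer and are untrusted; pass 2 also
 * rewrites interface identifiers in place inside the received packet.
 */
static enum cp_rcr_type
sppp_ipv6cp_confreq(struct sppp *sp, struct lcp_header *h, int origlen,
    uint8_t **msgbuf, size_t *buflen, size_t *msglen)
{
	const bool debug = sppp_debug_enabled(sp);
	u_char *buf, *r, *p, l;
	/*
	 * blen is a size_t, not a u_char: an 8-bit length wraps for option
	 * lists longer than 255 bytes, which would leave the reply buffer
	 * smaller than the origlen bytes copied on the conf-ack path.
	 */
	size_t blen;
	int rlen, len;
	struct in6_addr myaddr, desiredaddr, suggestaddr;
	enum cp_rcr_type type;
	int ifidcount;
	int collision, nohisaddr;
	char ip6buf[INET6_ADDRSTRLEN];
	char tbuf[SPPP_CPTYPE_NAMELEN];
	char ipv6buf[SPPP_IPV6CPOPT_NAMELEN];
	const char *cpname;

	KASSERT(SPPP_WLOCKED(sp));

	type = CP_RCR_NONE;
	origlen -= sizeof(*h);

	if (origlen < 0)
		return CP_RCR_DROP;

	/*
	 * Make sure to allocate a buf that can at least hold a
	 * conf-nak with an `address' option.  We might need it below.
	 */
	blen = (size_t)MAX(6, origlen);

	buf = kmem_intr_alloc(blen, KM_NOSLEEP);
	if (buf == NULL)
		return CP_RCR_DROP;

	/* pass 1: see if we can recognize them */
	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "ipv6cp parse opts:");
	p = (void *)(h + 1);
	r = buf;
	rlen = 0;
	ifidcount = 0;
	for (len = origlen; len > 1; len -= l, p += l) {
		l = p[1];
		if (l == 0)
			break;

		/* Sanity check option length */
		if (l > len) {
			/* XXX just RXJ? */
			if (debug)
				addlog("\n");
			SPPP_LOG(sp, LOG_DEBUG,
			    "received malicious IPCPv6 option, "
			    "dropping\n");
			type = CP_RCR_ERR;
			goto end;
		}
		if (debug) {
			addlog(" %s", sppp_ipv6cp_opt_name(ipv6buf,
			    sizeof(ipv6buf),*p));
		}
		switch (p[0]) {
		case IPV6CP_OPT_IFID:
			/* Only the first well-formed IFID option is taken. */
			if (len >= 10 && l == 10 && ifidcount == 0) {
				/* correctly formed address option */
				ifidcount++;
				continue;
			}
			if (debug)
				addlog(" [invalid]");
			break;
#ifdef notyet
		case IPV6CP_OPT_COMPRESSION:
			if (len >= 4 && l >= 4) {
				/* correctly formed compress option */
				continue;
			}
			if (debug)
				addlog(" [invalid]");
			break;
#endif
		default:
			/* Others not supported. */
			if (debug)
				addlog(" [rej]");
			break;
		}
		/*
		 * The options copied here never add up to more than origlen,
		 * so with blen >= origlen this bound is a second line of
		 * defence only.  It matters: an option skipped here is not
		 * rejected and would reach pass 2, which trusts the lengths
		 * checked above.
		 */
		if ((size_t)rlen + l > blen) {
			if (debug)
				addlog(" [overflow]");
			continue;
		}
		/* Add the option to rejected list. */
		memcpy(r, p, l);
		r += l;
		rlen += l;
	}

	if (rlen > 0) {
		type = CP_RCR_REJ;
		goto end;
	}

	if (debug)
		addlog("\n");

	/* pass 2: parse option values */
	sppp_get_ip6_addrs(sp, &myaddr, 0, 0);
	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "ipv6cp parse opt values:");
	p = (void *)(h + 1);
	r = buf;
	rlen = 0;
	type = CP_RCR_ACK;
	for (len = origlen; len > 1; len -= l, p += l) {
		l = p[1];
		if (l == 0)
			break;

		if (debug) {
			addlog(" %s", sppp_ipv6cp_opt_name(ipv6buf,
			    sizeof(ipv6buf), *p));
		}
		switch (p[0]) {
#ifdef notyet
		case IPV6CP_OPT_COMPRESSION:
			continue;
#endif
		case IPV6CP_OPT_IFID:
			/*
			 * Pass 1 only lets a 10-byte IFID option through,
			 * so p[2..9] are inside the packet.
			 */
			memset(&desiredaddr, 0, sizeof(desiredaddr));
			memcpy(&desiredaddr.s6_addr[8], &p[2], 8);
			collision = (memcmp(&desiredaddr.s6_addr[8],
			    &myaddr.s6_addr[8], 8) == 0);
			nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr);

			desiredaddr.s6_addr16[0] = htons(0xfe80);
			(void)in6_setscope(&desiredaddr, &sp->pp_if, NULL);

			if (!collision && !nohisaddr) {
				/* no collision, hisaddr known - Conf-Ack */
				type = CP_RCR_ACK;
				memcpy(sp->ipv6cp.my_ifid, &myaddr.s6_addr[8],
				    sizeof(sp->ipv6cp.my_ifid));
				/*
				 * NOTE(review): the size comes from my_ifid
				 * although the destination is his_ifid;
				 * confirm both fields have the same size.
				 */
				memcpy(sp->ipv6cp.his_ifid,
				    &desiredaddr.s6_addr[8],
				    sizeof(sp->ipv6cp.my_ifid));

				if (debug) {
					cpname = sppp_cp_type_name(tbuf,
					    sizeof(tbuf), CONF_ACK);
					addlog(" %s [%s]",
					    IN6_PRINT(ip6buf, &desiredaddr),
					    cpname);
				}
				continue;
			}

			memset(&suggestaddr, 0, sizeof(suggestaddr));
			if (collision && nohisaddr) {
				/* collision, hisaddr unknown - Conf-Rej */
				type = CP_RCR_REJ;
				memset(&p[2], 0, 8);
			} else {
				/*
				 * - no collision, hisaddr unknown, or
				 * - collision, hisaddr known
				 * Conf-Nak, suggest hisaddr
				 */
				type = CP_RCR_NAK;
				sppp_suggest_ip6_addr(sp, &suggestaddr);
				memcpy(&p[2], &suggestaddr.s6_addr[8], 8);
			}
			if (debug) {
				int ctype = type == CP_RCR_REJ ? CONF_REJ : CONF_NAK;

				cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), ctype);
				addlog(" %s [%s]", IN6_PRINT(ip6buf, &desiredaddr),
				    cpname);
			}
			break;
		}
		if ((size_t)rlen + l > blen) {
			if (debug)
				addlog(" [overflow]");
			continue;
		}
		/* Add the option to nak'ed list. */
		memcpy(r, p, l);
		r += l;
		rlen += l;
	}

	if (rlen > 0) {
		if (type != CP_RCR_ACK) {
			if (debug) {
				int ctype ;
				ctype = type == CP_RCR_REJ ?
				    CONF_REJ : CONF_NAK;
				cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), ctype);
				addlog(" send %s suggest %s\n",
				    cpname, IN6_PRINT(ip6buf, &suggestaddr));
			}
		}
#ifdef notdef
		if (type == CP_RCR_ACK)
			panic("IPv6CP RCR: CONF_ACK with non-zero rlen");
#endif
	} else {
		if (type == CP_RCR_ACK) {
			/* Echo the whole option list; origlen <= blen. */
			rlen = origlen;
			memcpy(r, h + 1, rlen);
		}
	}
end:
	if (debug)
		addlog("\n");

	if (type == CP_RCR_ERR || type == CP_RCR_DROP) {
		if (buf != NULL)
			kmem_intr_free(buf, blen);
	} else {
		*msgbuf = buf;
		*buflen = blen;
		*msglen = rlen;
	}

	return type;
}

/*
 * Analyze the IPv6CP Configure-Reject option list, and adjust our
 * negotiation.  len is the packet length including the lcp_header.
 */
static void
sppp_ipv6cp_confrej(struct sppp *sp, struct lcp_header *h, int len)
{
	const bool debug = sppp_debug_enabled(sp);
	u_char *p, l;

	KASSERT(SPPP_WLOCKED(sp));

	if (len <= sizeof(*h))
		return;

	len -= sizeof(*h);

	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "ipv6cp rej opts:");

	p = (void *)(h + 1);
	for (; len > 1; len -= l, p += l) {
		l = p[1];
		if (l == 0)
			break;

		/* Stop at an option that claims more bytes than remain. */
		if (l > len) {
			/* XXX just RXJ? */
			if (debug)
				addlog("\n");
			SPPP_LOG(sp, LOG_DEBUG,
			    "received malicious IPCPv6 option, "
			    "dropping\n");
			goto end;
		}
		if (debug) {
			char ipv6buf[SPPP_IPV6CPOPT_NAMELEN];
			addlog(" %s", sppp_ipv6cp_opt_name(ipv6buf,
			    sizeof(ipv6buf), *p));
		}
		switch (p[0]) {
		case IPV6CP_OPT_IFID:
			/*
			 * Peer doesn't grok address option.  This is
			 * bad.  XXX  Should we better give up here?
			 */
			CLR(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_IFID);
			break;
#ifdef notyet
		case IPV6CP_OPT_COMPRESS:
			CLR(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_COMPRESS);
			break;
#endif
		}
	}
	if (debug)
		addlog("\n");
end:
	return;
}

/*
 * Analyze the IPv6CP Configure-NAK option list, and adjust our
 * negotiation.  len is the packet length including the lcp_header.
 */
static void
sppp_ipv6cp_confnak(struct sppp *sp, struct lcp_header *h, int len)
{
	const bool debug = sppp_debug_enabled(sp);
	u_char *p, l;
	struct in6_addr suggestaddr;
	char ip6buf[INET6_ADDRSTRLEN];

	KASSERT(SPPP_WLOCKED(sp));

	if (len <= sizeof(*h))
		return;

	len -= sizeof(*h);

	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "ipv6cp nak opts:");

	p = (void *)(h + 1);
	for (; len > 1; len -= l, p += l) {
		l = p[1];
		if (l == 0)
			break;

		/* Stop at an option that claims more bytes than remain. */
		if (l > len) {
			/* XXX just RXJ? */
			if (debug)
				addlog("\n");
			SPPP_LOG(sp, LOG_DEBUG,
			    "received malicious IPCPv6 option, "
			    "dropping\n");
			goto end;
		}
		if (debug) {
			char ipv6buf[SPPP_IPV6CPOPT_NAMELEN];
			addlog(" %s", sppp_ipv6cp_opt_name(ipv6buf,
			    sizeof(ipv6buf), *p));
		}
		switch (p[0]) {
		case IPV6CP_OPT_IFID:
			/*
			 * Peer doesn't like our local ifid.  See
			 * if we can do something for him.  We'll drop
			 * him our address then.
			 */
			if (len < 10 || l != 10)
				break;
			memset(&suggestaddr, 0, sizeof(suggestaddr));
			suggestaddr.s6_addr16[0] = htons(0xfe80);
			(void)in6_setscope(&suggestaddr, &sp->pp_if, NULL);
			memcpy(&suggestaddr.s6_addr[8], &p[2], 8);

			SET(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_IFID);
			if (debug)
				addlog(" [suggestaddr %s]",
				    IN6_PRINT(ip6buf, &suggestaddr));
#ifdef IPV6CP_MYIFID_DYN
			/*
			 * NOTE(review): this branch is compiled only when
			 * IPV6CP_MYIFID_DYN is defined.  It calls
			 * sppp_suggest_ip6_addr() with one argument while
			 * the configure-request handler passes (sp, &addr),
			 * and hands lastsuggest to IN6_ARE_ADDR_EQUAL
			 * without taking its address; check it before
			 * enabling the option.
			 */
			/*
			 * When doing dynamic address assignment,
			 * we accept his offer.
			 */
			if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) {
				struct in6_addr lastsuggest;
				/*
				 * If <suggested myaddr from peer> equals to
				 * <hisaddr we have suggested last time>,
				 * we have a collision.  generate new random
				 * ifid.
				 */
				sppp_suggest_ip6_addr(&lastsuggest);
				if (IN6_ARE_ADDR_EQUAL(&suggestaddr,
						 lastsuggest)) {
					if (debug)
						addlog(" [random]");
					sppp_gen_ip6_addr(sp, &suggestaddr);
				}
				sppp_set_ip6_addr(sp, &suggestaddr, 0);
				if (debug)
					addlog(" [agree]");
				sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN;
			}
#else
			/*
			 * Since we do not do dynamic address assignment,
			 * we ignore it and thus continue to negotiate
			 * our already existing value.  This can possibly
			 * go into infinite request-reject loop.
			 *
			 * This is not likely because we normally use
			 * ifid based on MAC-address.
			 * If you have no ethernet card on the node, too bad.
			 * XXX should we use fail_counter?
			 */
#endif
			break;
#ifdef notyet
		case IPV6CP_OPT_COMPRESS:
			/*
			 * Peer wants different compression parameters.
			 */
			break;
#endif
		}
	}
	if (debug)
		addlog("\n");
end:
	return;
}

/* IPv6CP "this layer up": log it and send a routing message. */
static void
sppp_ipv6cp_tlu(struct sppp *sp)
{

	SPPP_LOG(sp, LOG_INFO, "IPv6CP layer up\n");
	sppp_rt_ifmsg(sp);
}

/* IPv6CP "this layer down": log it and send a routing message. */
static void
sppp_ipv6cp_tld(struct sppp *sp)
{

	SPPP_LOG(sp, LOG_INFO, "IPv6CP layer down\n");
	sppp_rt_ifmsg(sp);
}

/*
 * Build and send an IPv6CP Configure-Request.  When the IFID option is
 * set, the low 8 bytes of our address are sent as the identifier.
 */
static void
sppp_ipv6cp_scr(struct sppp *sp)
{
	char opt[10 /* ifid */ + 4 /* compression, minimum */];
	struct in6_addr ouraddr;
	int i = 0;

	KASSERT(SPPP_WLOCKED(sp));

	if (ISSET(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_IFID)) {
		sppp_get_ip6_addrs(sp, &ouraddr, 0, 0);

		opt[i++] = IPV6CP_OPT_IFID;
		opt[i++] = 10;
		memcpy(&opt[i], &ouraddr.s6_addr[8], 8);
		i += 8;
	}

#ifdef notyet
	if (ISSET(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_COMPRESSION)) {
		opt[i++] = IPV6CP_OPT_COMPRESSION;
		opt[i++] = 4;
		opt[i++] = 0;	/* TBD */
		opt[i++] = 0;	/* TBD */
		/* variable length data may follow */
	}
#endif

	/* A fresh sequence number becomes the id of this request. */
	sp->scp[IDX_IPV6CP].confid = ++sp->scp[IDX_IPV6CP].seq;
	sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->scp[IDX_IPV6CP].confid, i, &opt);
}
#else /*INET6*/
/*
 * Without INET6 the IPv6CP entry points are stubs that only assert the
 * write lock.
 */
static void
sppp_ipv6cp_init(struct sppp *sp)
{

	KASSERT(SPPP_WLOCKED(sp));
}

static void
sppp_ipv6cp_open(struct sppp *sp, void *xcp)
{

	KASSERT(SPPP_WLOCKED(sp));
}

static enum cp_rcr_type
sppp_ipv6cp_confreq(struct sppp *sp, struct lcp_header *h,
    int len, uint8_t **msgbuf, size_t *buflen, size_t *msglen)
{

	KASSERT(SPPP_WLOCKED(sp));
	return 0;
}

static void
sppp_ipv6cp_confrej(struct sppp *sp, struct lcp_header *h,
    int len)
{

	KASSERT(SPPP_WLOCKED(sp));
}

static void
sppp_ipv6cp_confnak(struct sppp *sp, struct lcp_header *h,
    int len)
{

	KASSERT(SPPP_WLOCKED(sp));
}

static void
sppp_ipv6cp_tlu(struct sppp *sp)
{

	KASSERT(SPPP_WLOCKED(sp));
}

static void
sppp_ipv6cp_tld(struct sppp *sp)
{

	KASSERT(SPPP_WLOCKED(sp));
}

static void
sppp_ipv6cp_scr(struct sppp *sp)
{

	KASSERT(SPPP_WLOCKED(sp));
}
#endif /*INET6*/

/*
 *--------------------------------------------------------------------------*
 *                                                                          *
 *                         The CHAP implementation.                         *
 *                                                                          *
 *--------------------------------------------------------------------------*
 */
/*
 * The authentication protocol is implemented on the state machine for
 * control protocols, and it uses the following actions and events.
 *
 * Actions:
 *    - scr: send CHAP_CHALLENGE and CHAP_RESPONSE
 *    - sca: send CHAP_SUCCESS
 *    - scn: send CHAP_FAILURE and shutdown lcp
 * Events:
 *    - RCR+: receive CHAP_RESPONSE containing correct digest
 *    - RCR-: receive CHAP_RESPONSE containing wrong digest
 *    - RCA: receive CHAP_SUCCESS
 *    - RCN: (this event is unused)
 *    - TO+: re-send CHAP_CHALLENGE and CHAP_RESPONSE
 *    - TO-: this layer finish
 */

/*
 * Handle incoming CHAP packets.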
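*/
/*
 * Dispatch one received CHAP packet by its code.
 *
 * The packet contents are supplied by the peer and are untrusted.  The
 * usable length is the smaller of the mbuf packet length and the length
 * field of the CHAP header; every access past the 4-byte header has to
 * stay inside that length.  The header is read through mtod(), so the
 * data is assumed to be contiguous in the first mbuf -- TODO confirm
 * against the caller.
 *
 * NOTE(review): a Challenge with a zero-length Value is not rejected
 * here; the reply digest is then computed over the id and secret only.
 * NOTE(review): the received digest is compared with memcmp(), which is
 * not constant-time.
 */
void
sppp_chap_input(struct sppp *sp, struct mbuf *m)
{
	const bool debug = sppp_debug_enabled(sp);
	struct ifnet *ifp = &sp->pp_if;
	struct lcp_header *h;
	int len = m->m_pkthdr.len;
	u_char *value, *name, digest[sizeof(sp->chap.challenge)];
	int value_len, name_len;
	MD5_CTX ctx;
	char abuf[SPPP_AUTHTYPE_NAMELEN];
	const char *authname;

	KASSERT(SPPP_WLOCKED(sp));

	if (len < 4) {
		SPPP_DLOG(sp, "chap invalid packet length: "
		    "%d bytes\n", len);
		return;
	}
	h = mtod(m, struct lcp_header *);
	/* Never trust more bytes than the header claims. */
	if (len > ntohs(h->len))
		len = ntohs(h->len);

	switch (h->type) {
	/* challenge, failure and success are his authproto */
	case CHAP_CHALLENGE:
		if (sp->myauth.secret == NULL || sp->myauth.name == NULL) {
			/* can't do anything useful */
			sp->pp_auth_failures++;
			SPPP_DLOG(sp, "chap input "
			    "without my name and my secret being set\n");
			break;
		}
		value = 1 + (u_char *)(h + 1);
		/*
		 * The Value-Size octet only exists when the packet is at
		 * least 5 bytes long; do not read it otherwise.  A shorter
		 * packet still ends up in the "corrupted" branch below
		 * because name_len becomes negative.
		 */
		value_len = (len >= 5) ? value[-1] : 0;
		name = value + value_len;
		name_len = len - value_len - 5;
		if (name_len < 0) {
			if (debug) {
				authname = sppp_auth_type_name(abuf,
				    sizeof(abuf), PPP_CHAP, h->type);
				SPPP_LOG(sp, LOG_DEBUG,
				    "chap corrupted challenge "
				    "<%s id=0x%x len=%d",
				    authname, h->ident, ntohs(h->len));
				if (len > 4)
					sppp_print_bytes((u_char *)(h + 1),
					    len - 4);
				addlog(">\n");
			}
			break;
		}

		if (debug) {
			authname = sppp_auth_type_name(abuf,
			    sizeof(abuf), PPP_CHAP, h->type);
			SPPP_LOG(sp, LOG_DEBUG,
			    "chap input <%s id=0x%x len=%d name=",
			    authname, h->ident, ntohs(h->len));
			sppp_print_string((char *) name, name_len);
			addlog(" value-size=%d value=", value_len);
			sppp_print_bytes(value, value_len);
			addlog(">\n");
		}

		/* Compute reply value: MD5(id || my secret || challenge). */
		MD5Init(&ctx);
		MD5Update(&ctx, &h->ident, 1);
		MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len);
		MD5Update(&ctx, value, value_len);
		MD5Final(sp->chap.digest, &ctx);
		sp->chap.digest_len = sizeof(sp->chap.digest);
		/* Remember the id so Success/Failure can be matched to it. */
		sp->scp[IDX_CHAP].rconfid = h->ident;

		sppp_wq_add(sp->wq_cp, &sp->chap.work_challenge_rcvd);
		break;

	case CHAP_SUCCESS:
		if (debug) {
			SPPP_LOG(sp, LOG_DEBUG, "chap success");
			if (len > 4) {
				addlog(": ");
				sppp_print_string((char *)(h + 1), len - 4);
			}
			addlog("\n");
		}

		/* Only accept a Success that answers our last response. */
		if (h->ident != sp->scp[IDX_CHAP].rconfid) {
			SPPP_DLOG(sp, "%s id mismatch 0x%x != 0x%x\n",
			    chap.name, h->ident,
			    sp->scp[IDX_CHAP].rconfid);
			if_statinc(ifp, if_ierrors);
			break;
		}

		/* digest_len == 0 means no challenge is outstanding. */
		if (sp->chap.digest_len == 0) {
			SPPP_DLOG(sp, "receive CHAP success"
			    " without challenge\n");
			if_statinc(ifp, if_ierrors);
			break;
		}

		sp->pp_auth_failures = 0;
		sp->pp_flags &= ~PP_NEEDAUTH;
		/* The digest is single-use; wipe it once it was accepted. */
		memset(sp->chap.digest, 0, sizeof(sp->chap.digest));
		sp->chap.digest_len = 0;

		if (!ISSET(sppp_auth_role(&chap, sp), SPPP_AUTH_SERV)) {
			/*
			 * we are not authenticator for CHAP,
			 * generate a dummy RCR+ event without CHAP_RESPONSE
			 */
			sp->scp[IDX_CHAP].rcr_type = CP_RCR_ACK;
			sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rcr);
		}
		sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rca);
		break;

	case CHAP_FAILURE:
		if (h->ident != sp->scp[IDX_CHAP].rconfid) {
			SPPP_DLOG(sp, "%s id mismatch 0x%x != 0x%x\n",
			    chap.name, h->ident, sp->scp[IDX_CHAP].rconfid);
			if_statinc(ifp, if_ierrors);
			break;
		}

		if (sp->chap.digest_len == 0) {
			SPPP_DLOG(sp, "receive CHAP failure "
			    "without challenge\n");
			if_statinc(ifp, if_ierrors);
			break;
		}

		sp->pp_auth_failures++;
		SPPP_LOG(sp, LOG_INFO, "chap failure");
		if (debug) {
			if (len > 4) {
				addlog(": ");
				sppp_print_string((char *)(h + 1), len - 4);
			}
		}
		addlog("\n");

		memset(sp->chap.digest, 0, sizeof(sp->chap.digest));
		sp->chap.digest_len = 0;
		/*
		 * await LCP shutdown by authenticator,
		 * so we don't have to enqueue sc->scp[IDX_CHAP].work_rcn
		 */
		break;

	/* response is my authproto */
	case CHAP_RESPONSE:
		if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) {
			/* can't do anything useful */
			SPPP_DLOG(sp, "chap response "
			    "without his name and his secret being set\n");
			break;
		}
		value = 1 + (u_char *)(h + 1);
		/* Same guard as for the challenge: no octet, no read. */
		value_len = (len >= 5) ? value[-1] : 0;
		name = value + value_len;
		name_len = len - value_len - 5;
		if (name_len < 0) {
			if (debug) {
				authname = sppp_auth_type_name(abuf,
				    sizeof(abuf), PPP_CHAP, h->type);
				SPPP_LOG(sp, LOG_DEBUG,
				    "chap corrupted response "
				    "<%s id=0x%x len=%d",
				    authname, h->ident, ntohs(h->len));
				if (len > 4)
					sppp_print_bytes((u_char *)(h + 1),
					    len - 4);
				addlog(">\n");
			}
			break;
		}
		/* The response must carry the id of our latest challenge. */
		if (h->ident != sp->scp[IDX_CHAP].confid) {
			SPPP_DLOG(sp, "chap dropping response for old ID "
			    "(got %d, expected %d)\n",
			    h->ident, sp->scp[IDX_CHAP].confid);
			break;
		} else {
			sp->scp[IDX_CHAP].rconfid = h->ident;
		}

		if (sp->hisauth.name != NULL &&
		    (name_len != sp->hisauth.name_len
		    || memcmp(name, sp->hisauth.name, name_len) != 0)) {
			SPPP_LOG(sp, LOG_INFO,
			    "chap response, his name ");
			sppp_print_string(name, name_len);
			addlog(" != expected ");
			sppp_print_string(sp->hisauth.name,
			    sp->hisauth.name_len);
			addlog("\n");

			/* generate RCR- event */
			sp->scp[IDX_CHAP].rcr_type = CP_RCR_NAK;
			sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rcr);
			break;
		}

		if (debug) {
			authname = sppp_auth_type_name(abuf,
			    sizeof(abuf), PPP_CHAP, h->type);
			SPPP_LOG(sp, LOG_DEBUG, "chap input(%s) "
			    "<%s id=0x%x len=%d name=",
			    sppp_state_name(sp->scp[IDX_CHAP].state),
			    authname, h->ident, ntohs(h->len));
			sppp_print_string((char *)name, name_len);
			addlog(" value-size=%d value=", value_len);
			sppp_print_bytes(value, value_len);
			addlog(">\n");
		}

		/*
		 * The length test also guarantees that the memcmp() below
		 * reads exactly sizeof(digest) bytes of both buffers.
		 */
		if (value_len == sizeof(sp->chap.challenge) &&
		    value_len == sizeof(sp->chap.digest)) {
			MD5Init(&ctx);
			MD5Update(&ctx, &h->ident, 1);
			MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len);
			MD5Update(&ctx, sp->chap.challenge, sizeof(sp->chap.challenge));
			MD5Final(digest, &ctx);

			if (memcmp(digest, value, value_len) == 0) {
				sp->scp[IDX_CHAP].rcr_type = CP_RCR_ACK;
			} else {
				sp->scp[IDX_CHAP].rcr_type = CP_RCR_NAK;
			}
		} else {
			if (debug) {
				SPPP_LOG(sp, LOG_DEBUG,
				    "chap bad hash value length: "
				    "%d bytes, should be %zu\n",
				    value_len, sizeof(sp->chap.challenge));
			}

			sp->scp[IDX_CHAP].rcr_type = CP_RCR_NAK;
		}

		sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rcr);

		/* generate a dummy RCA event */
		if (sp->scp[IDX_CHAP].rcr_type == CP_RCR_ACK &&
		    (!ISSET(sppp_auth_role(&chap, sp), SPPP_AUTH_PEER) ||
		    sp->chap.rechallenging)) {
			sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rca);
		}
		break;

	default:
		/* Unknown CHAP packet type -- ignore. */
		if (debug) {
			SPPP_LOG(sp, LOG_DEBUG, "chap unknown input(%s) "
			    "<0x%x id=0x%xh len=%d",
			    sppp_state_name(sp->scp[IDX_CHAP].state),
			    h->type, h->ident, ntohs(h->len));
			if (len > 4)
				sppp_print_bytes((u_char *)(h + 1), len - 4);
			addlog(">\n");
		}
		break;

	}
}

/*
 * Initialise the CHAP control-protocol state and bind the
 * "challenge received" work item to its handler.
 */
static void
sppp_chap_init(struct sppp *sp)
{

	KASSERT(SPPP_WLOCKED(sp));

	sppp_cp_init(&chap, sp);

	SPPP_WQ_SET(&sp->chap.work_challenge_rcvd,
	    sppp_chap_rcv_challenge_event, &chap);
}

/*
 * Open event for CHAP: discard any digest left over from an earlier
 * exchange, clear the rechallenge flags, then run the generic open event.
 */
static void
sppp_chap_open(struct sppp *sp, void *xcp)
{

	KASSERT(SPPP_WLOCKED(sp));

	memset(sp->chap.digest, 0, sizeof(sp->chap.digest));
	sp->chap.digest_len = 0;
	sp->chap.rechallenging = false;
	sp->chap.response_rcvd = false;
	sppp_open_event(sp, xcp);
}

/*
 * This-layer-up for CHAP: reset the restart counter and the failure
 * count, schedule the next re-challenge when we are the authenticator,
 * and enter the network phase unless we are already in it.
 */
static void
sppp_chap_tlu(struct sppp *sp)
{
	int i;

	KASSERT(SPPP_WLOCKED(sp));

	i = 0;
	sp->scp[IDX_CHAP].rst_counter = sp->lcp.max_configure;
	sp->pp_auth_failures = 0;

	SPPP_LOG(sp, LOG_DEBUG, "chap %s",
	    sp->pp_phase == SPPP_PHASE_NETWORK ? "reconfirmed" : "tlu");

	/*
	 * Some broken CHAP implementations (Conware CoNet, firmware
	 * 4.0.?) don't want to re-authenticate their CHAP once the
	 * initial challenge-response exchange has taken place.
	 * Provide for an option to avoid rechallenges.
	 */
	if (ISSET(sppp_auth_role(&chap, sp), SPPP_AUTH_SERV) &&
	    (sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) {
		/*
		 * Compute the re-challenge timeout.  This will yield
		 * a number between 300 and 810 seconds.
		 */
		i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7);
		callout_schedule(&sp->scp[IDX_CHAP].ch, i * hz);

		if (sppp_debug_enabled(sp)) {
			addlog(", next rechallenge in %d seconds", i);
		}
	}

	addlog("\n");

	/*
	 * If we are already in phase network, we are done here.  This
	 * is the case if this is a dummy tlu event after a re-challenge.
	 */
	if (sp->pp_phase != SPPP_PHASE_NETWORK)
		sppp_phase_network(sp);
}

/*
 * Send-configure-request action for CHAP.
 *
 * As authenticator: draw a fresh random challenge and send it under a
 * new id.  As peer: send the digest computed in sppp_chap_input()
 * together with our name.
 *
 * The variadic arguments of sppp_auth_send() are fetched as size_t, so
 * every length and the terminating 0 are passed as size_t explicitly.
 */
static void
sppp_chap_scr(struct sppp *sp)
{
	uint32_t *ch;
	u_char clen, dsize;
	int role;

	KASSERT(SPPP_WLOCKED(sp));

	role = sppp_auth_role(&chap, sp);

	if (ISSET(role, SPPP_AUTH_SERV) &&
	    !sp->chap.response_rcvd) {
		/* we are authenticator for CHAP, send challenge */
		ch = (uint32_t *)sp->chap.challenge;
		clen = sizeof(sp->chap.challenge);
		/* Compute random challenge. */
		cprng_strong(kern_cprng, ch, clen, 0);

		sp->scp[IDX_CHAP].confid = ++sp->scp[IDX_CHAP].seq;
		sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->scp[IDX_CHAP].confid,
		    sizeof(clen), (const char *)&clen,
		    sizeof(sp->chap.challenge), sp->chap.challenge,
		    (size_t)0);
	}

	if (ISSET(role, SPPP_AUTH_PEER) &&
	    sp->chap.digest_len > 0) {
		/* we are peer for CHAP, send response */
		dsize = sp->chap.digest_len;

		sppp_auth_send(&chap, sp, CHAP_RESPONSE, sp->scp[IDX_CHAP].rconfid,
		    sizeof(dsize), (const char *)&dsize,
		    (size_t)sp->chap.digest_len, sp->chap.digest,
		    (size_t)sp->myauth.name_len, sp->myauth.name, (size_t)0);
	}
}

/*
 * Work-queue handler run after a CHAP challenge was received: answer it
 * through the scr action.  Only the REQ_SENT and OPENED states react;
 * any other state ignores the event.
 */
static void
sppp_chap_rcv_challenge_event(struct sppp *sp, void *xcp)
{
	const struct cp *cp = xcp;

	KASSERT(!cpu_softintr_p());

	sp->chap.rechallenging = false;

	switch (sp->scp[IDX_CHAP].state) {
	case STATE_REQ_SENT:
		sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
		cp->scr(sp);
		break;
	case STATE_OPENED:
		sppp_cp_change_state(cp, sp, STATE_ACK_SENT);
		cp->scr(sp);
		break;
	}
}

/*
 *--------------------------------------------------------------------------*
 *                                                                          *
 *                        The PAP implementation.                           *
 *                                                                          *
 *--------------------------------------------------------------------------*
 */
/*
 * PAP uses following actions and events.
 * Actions:
 *    - scr: send PAP_REQ
 *    - sca: send PAP_ACK
 *    - scn: send PAP_NAK
 * Events:
 *    - RCR+: receive PAP_REQ containing correct username and password
 *    - RCR-: receive PAP_REQ containing wrong username and password
 *    - RCA: receive PAP_ACK
 *    - RCN: (this event is unused)
 *    - TO+: re-send PAP_REQ
 *    - TO-: this layer finish
 */

/*
 * Handle incoming PAP packets.
 *
 * The packet is untrusted.  All length octets are read as unsigned
 * values: `name' and `secret' are plain char pointers, and where char
 * is signed a length octet of 0x80 or more would otherwise become a
 * negative length that slips past the bounds checks below.
 *
 * NOTE(review): with debugging enabled the PAP_REQ branch writes the
 * peer's cleartext password to the kernel log.
 * NOTE(review): name and password are compared with memcmp(), which is
 * not constant-time.
 */
static void
sppp_pap_input(struct sppp *sp, struct mbuf *m)
{
	const bool debug = sppp_debug_enabled(sp);
	struct ifnet *ifp = &sp->pp_if;
	struct lcp_header *h;
	int len;
	char *name, *secret;
	int name_len, secret_len;
	char abuf[SPPP_AUTHTYPE_NAMELEN];
	const char *authname;

	KASSERT(SPPP_WLOCKED(sp));
	/*
	 * Malicious input might leave this uninitialized, so
	 * init to an impossible value.
	 */
	secret_len = -1;

	len = m->m_pkthdr.len;
	if (len < 5) {
		SPPP_DLOG(sp, "pap invalid packet length: "
		    "%d bytes\n", len);
		return;
	}
	h = mtod(m, struct lcp_header *);
	/* Never trust more bytes than the header claims. */
	if (len > ntohs(h->len))
		len = ntohs(h->len);

	switch (h->type) {
	/* PAP request is my authproto */
	case PAP_REQ:
		if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) {
			/* can't do anything useful */
			SPPP_DLOG(sp, "pap request"
			    " without his name and his secret being set\n");
			break;
		}
		name = 1 + (u_char *)(h + 1);
		name_len = (u_char)name[-1];
		secret = name + name_len + 1;
		/*
		 * 6 = 4 header bytes + the two length octets.  The
		 * password length octet is only read once the name is
		 * known to fit.
		 */
		if (name_len > len - 6 ||
		    (secret_len = (u_char)secret[-1]) > len - 6 - name_len) {
			if (debug) {
				authname = sppp_auth_type_name(abuf,
				    sizeof(abuf), PPP_PAP, h->type);
				SPPP_LOG(sp, LOG_DEBUG, "pap corrupted input "
				    "<%s id=0x%x len=%d",
				    authname, h->ident, ntohs(h->len));
				if (len > 4)
					sppp_print_bytes((u_char *)(h + 1),
					    len - 4);
				addlog(">\n");
			}
			break;
		}
		if (debug) {
			authname = sppp_auth_type_name(abuf,
			    sizeof(abuf), PPP_PAP, h->type);
			SPPP_LOG(sp, LOG_DEBUG, "pap input(%s) "
			    "<%s id=0x%x len=%d name=",
			    sppp_state_name(sp->scp[IDX_PAP].state),
			    authname, h->ident, ntohs(h->len));
			sppp_print_string((char *)name, name_len);
			addlog(" secret=");
			sppp_print_string((char *)secret, secret_len);
			addlog(">\n");
		}

		sp->scp[IDX_PAP].rconfid = h->ident;

		if (name_len == sp->hisauth.name_len &&
		    memcmp(name, sp->hisauth.name, name_len) == 0 &&
		    secret_len == sp->hisauth.secret_len &&
		    memcmp(secret, sp->hisauth.secret, secret_len) == 0) {
			sp->scp[IDX_PAP].rcr_type = CP_RCR_ACK;
		} else {
			sp->scp[IDX_PAP].rcr_type = CP_RCR_NAK;
		}

		sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_rcr);

		/* generate a dummy RCA event */
		if (sp->scp[IDX_PAP].rcr_type == CP_RCR_ACK &&
		    !ISSET(sppp_auth_role(&pap, sp), SPPP_AUTH_PEER)) {
			sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_rca);
		}
		break;

	/* ack and nak are his authproto */
	case PAP_ACK:
		if (debug) {
			SPPP_LOG(sp, LOG_DEBUG, "pap success");
			name = 1 + (u_char *)(h + 1);
			name_len = (u_char)name[-1];
			/*
			 * Print the message only when it fits in the
			 * packet: 5 = 4 header bytes + the length octet.
			 */
			if (len > 5 && name_len <= len - 5) {
				addlog(": ");
				sppp_print_string(name, name_len);
			}
			addlog("\n");
		}

		/* The Ack must answer the request we sent (confid). */
		if (h->ident != sp->scp[IDX_PAP].confid) {
			SPPP_DLOG(sp, "%s id mismatch 0x%x != 0x%x\n",
			    pap.name, h->ident, sp->scp[IDX_PAP].confid);
			if_statinc(ifp, if_ierrors);
			break;
		}

		sp->pp_auth_failures = 0;
		sp->pp_flags &= ~PP_NEEDAUTH;

		/* we are not authenticator, generate a dummy RCR+ event */
		if (!ISSET(sppp_auth_role(&pap, sp), SPPP_AUTH_SERV)) {
			sp->scp[IDX_PAP].rcr_type = CP_RCR_ACK;
			sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_rcr);
		}

		sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_rca);
		break;

	case PAP_NAK:
		if (debug) {
			SPPP_LOG(sp, LOG_INFO, "pap failure");
			name = 1 + (u_char *)(h + 1);
			name_len = (u_char)name[-1];
			/* Same bound as for PAP_ACK. */
			if (len > 5 && name_len <= len - 5) {
				addlog(": ");
				sppp_print_string(name, name_len);
			}
			addlog("\n");
		} else {
			SPPP_LOG(sp, LOG_INFO, "pap failure\n");
		}

		if (h->ident != sp->scp[IDX_PAP].confid) {
			SPPP_DLOG(sp, "%s id mismatch 0x%x != 0x%x\n",
			    pap.name, h->ident, sp->scp[IDX_PAP].confid);
			if_statinc(ifp, if_ierrors);
			break;
		}

		sp->pp_auth_failures++;
		/*
		 * await LCP shutdown by authenticator,
		 * so we don't have to enqueue sc->scp[IDX_PAP].work_rcn
		 */
		break;

	default:
		/* Unknown PAP packet type -- ignore. */
		if (debug) {
			SPPP_LOG(sp, LOG_DEBUG, "pap corrupted input "
			    "<0x%x id=0x%x len=%d",
			    h->type, h->ident, ntohs(h->len));
			if (len > 4)
				sppp_print_bytes((u_char *)(h + 1), len - 4);
			addlog(">\n");
		}
		break;
	}
}

/* Initialise the PAP control-protocol state. */
static void
sppp_pap_init(struct sppp *sp)
{

	KASSERT(SPPP_WLOCKED(sp));
	sppp_cp_init(&pap, sp);
}

/*
 * This-layer-up for PAP: reset the restart counter and the failure
 * count, and enter the network phase if it was not reached yet.
 */
static void
sppp_pap_tlu(struct sppp *sp)
{

	SPPP_DLOG(sp, "%s tlu\n", pap.name);

	sp->scp[IDX_PAP].rst_counter = sp->lcp.max_configure;
	sp->pp_auth_failures = 0;

	if (sp->pp_phase < SPPP_PHASE_NETWORK)
		sppp_phase_network(sp);
}

/*
 * Send-configure-request action for PAP: as peer, send PAP_REQ with our
 * name and secret under a new id.  Nothing is sent without both values.
 *
 * The variadic arguments of sppp_auth_send() are fetched as size_t, so
 * the u_char lengths and the terminating 0 are cast explicitly.
 */
static void
sppp_pap_scr(struct sppp *sp)
{
	u_char idlen, pwdlen;

	KASSERT(SPPP_WLOCKED(sp));

	if (ISSET(sppp_auth_role(&pap, sp), SPPP_AUTH_PEER) &&
	    sp->scp[IDX_PAP].state != STATE_ACK_RCVD) {
		if (sp->myauth.secret == NULL ||
		    sp->myauth.name == NULL) {
			SPPP_LOG(sp, LOG_DEBUG,
			    "couldn't send PAP_REQ "
			    "because of no name or no secret\n");
		} else {
			sp->scp[IDX_PAP].confid = ++sp->scp[IDX_PAP].seq;
			pwdlen = sp->myauth.secret_len;
			idlen = sp->myauth.name_len;

			sppp_auth_send(&pap, sp, PAP_REQ, sp->scp[IDX_PAP].confid,
			    sizeof idlen, (const char *)&idlen,
			    (size_t)idlen, sp->myauth.name,
			    sizeof pwdlen, (const char *)&pwdlen,
			    (size_t)pwdlen, sp->myauth.secret,
			    (size_t)0);
		}
	}
}

/*
 * Random miscellaneous functions.
 */

/*
 * Send a PAP or CHAP proto packet.
 *
 * Variadic function, each of the elements for the ellipsis is of type
 * ``size_t mlen, const u_char *msg''.  Processing will stop iff
 * mlen == 0.
 * NOTE: never declare variadic functions with types subject to type
 * promotion (i.e. u_char). This is asking for big trouble depending
 * on the architecture you are on...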
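*/
/*
 * Review notes on sppp_auth_send():
 *  - The packet is built in a single header mbuf; the running payload
 *    length is checked against MHLEN before each copy and the packet is
 *    dropped when it would not fit.
 *  - With debugging enabled the whole payload is dumped to the log.  For
 *    a PAP_REQ built by sppp_pap_scr() that payload includes our own
 *    cleartext secret.
 *  - The sppp lock is released and re-taken around if_start_lock(), so
 *    callers must not rely on sppp state being unchanged across the call.
 */
static void
sppp_auth_send(const struct cp *cp, struct sppp *sp,
    unsigned int type, unsigned int id,
    ...)
{
	struct ifnet *ifp = &sp->pp_if;
	struct lcp_header *lh;
	struct mbuf *m;
	u_char *p;
	int len;
	size_t pkthdrlen;
	unsigned int mlen;
	const char *msg;
	va_list ap;

	KASSERT(SPPP_WLOCKED(sp));

	MGETHDR(m, M_DONTWAIT, MT_DATA);
	if (! m)
		return;
	m_reset_rcvif(m);

	if (ISSET(sp->pp_dev_flags, PP_DEVF_NOFRAMING)) {
		/* No PPP framing: only the 2-byte protocol number. */
		*mtod(m, uint16_t *) = htons(cp->proto);
		pkthdrlen = 2;
		lh = (struct lcp_header *)(mtod(m, uint8_t *)+2);
	} else {
		struct ppp_header *h;
		h = mtod(m, struct ppp_header *);
		h->address = PPP_ALLSTATIONS;		/* broadcast address */
		h->control = PPP_UI;			/* Unnumbered Info */
		h->protocol = htons(cp->proto);
		pkthdrlen = PPP_HEADER_LEN;

		lh = (struct lcp_header *)(h + 1);
	}

	lh->type = type;
	lh->ident = id;
	p = (u_char *)(lh + 1);

	va_start(ap, id);
	len = 0;

	/* Append (length, pointer) pairs until a zero length is seen. */
	while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) {
		msg = va_arg(ap, const char *);
		len += mlen;
		/* Check before copying so the mbuf is never overrun. */
		if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) {
			va_end(ap);
			m_freem(m);
			return;
		}

		memcpy(p, msg, mlen);
		p += mlen;
	}
	va_end(ap);

	m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len;
	lh->len = htons(LCP_HEADER_LEN + len);

	if (sppp_debug_enabled(sp)) {
		char abuf[SPPP_AUTHTYPE_NAMELEN];
		const char *authname;

		authname = sppp_auth_type_name(abuf,
		    sizeof(abuf), cp->proto, lh->type);
		SPPP_LOG(sp, LOG_DEBUG, "%s output <%s id=0x%x len=%d",
		    cp->name, authname,
		    lh->ident, ntohs(lh->len));
		if (len)
			sppp_print_bytes((u_char *)(lh + 1), len);
		addlog(">\n");
	}
	if (IF_QFULL(&sp->pp_cpq)) {
		IF_DROP(&sp->pp_fastq);
		IF_DROP(&ifp->if_snd);
		m_freem(m);
		return;
	}

	if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes);
	IF_ENQUEUE(&sp->pp_cpq, m);

	if (! (ifp->if_flags & IFF_OACTIVE)) {
		SPPP_UNLOCK(sp);
		if_start_lock(ifp);
		SPPP_LOCK(sp, RW_WRITER);
	}
}

/*
 * Return the role(s) this end plays for the authentication protocol
 * `cp' as a bit set: SPPP_AUTH_SERV when we require the peer to use it
 * and the LCP auth option is set, SPPP_AUTH_PEER when we authenticate
 * ourselves with it, SPPP_AUTH_NOROLE when neither applies.
 */
static int
sppp_auth_role(const struct cp *cp, struct sppp *sp)
{
	int role;

	role = SPPP_AUTH_NOROLE;

	if (sp->hisauth.proto == cp->proto &&
	    ISSET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO))
		SET(role, SPPP_AUTH_SERV);

	if (sp->myauth.proto == cp->proto)
		SET(role, SPPP_AUTH_PEER);

	return role;
}

/*
 * Timeout event for the authentication protocols.
 *
 * While restart attempts remain, a timeout in OPENED starts a
 * re-challenge (unless the peer is flagged NORECHALLENGE) and a timeout
 * in ACK_RCVD re-sends the request; both consume one restart attempt.
 * Every other case is handed to the generic sppp_to_event().
 */
static void
sppp_auth_to_event(struct sppp *sp, void *xcp)
{
	const struct cp *cp = xcp;
	bool override;
	int state;

	KASSERT(SPPP_WLOCKED(sp));
	KASSERT(!cpu_softintr_p());

	override = false;
	state = sp->scp[cp->protoidx].state;

	if (sp->scp[cp->protoidx].rst_counter > 0) {
		/* override TO+ event */
		switch (state) {
		case STATE_OPENED:
			if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) {
				override = true;
				sp->chap.rechallenging = true;
				sp->chap.response_rcvd = false;
				sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
				cp->scr(sp);
			}
			break;

		case STATE_ACK_RCVD:
			override = true;
			cp->scr(sp);
			callout_schedule(&sp->scp[cp->protoidx].ch, sp->lcp.timeout);
			break;
		}
	}

	if (override) {
		SPPP_DLOG(sp, "%s TO(%s) rst_counter = %d\n",
		    cp->name, sppp_state_name(state),
		    sp->scp[cp->protoidx].rst_counter);
		sp->scp[cp->protoidx].rst_counter--;
	} else {
		sppp_to_event(sp, xcp);
	}
}

/*
 * Send the authenticator's verdict (CHAP_SUCCESS/CHAP_FAILURE or
 * PAP_ACK/PAP_NAK) with a short text message.  Does nothing unless we
 * are the authenticator for `cp'.  On failure LCP is closed and
 * reopened and the failure counter is incremented.
 *
 * The messages are arrays, not pointers, so that sizeof() yields the
 * string length; with a pointer it yields the pointer size and the
 * message is sent truncated.
 */
static void
sppp_auth_screply(const struct cp *cp, struct sppp *sp, u_char ctype,
    uint8_t ident, size_t _mlen __unused, void *_msg __unused)
{
	static const char succmsg[] = "Welcome!";
	static const char failmsg[] = "Failed...";
	const char *msg;
	u_char type, mlen;

	KASSERT(SPPP_WLOCKED(sp));

	if (!ISSET(sppp_auth_role(cp, sp), SPPP_AUTH_SERV))
		return;

	if (ctype == CONF_ACK) {
		type = cp->proto == PPP_CHAP ? CHAP_SUCCESS : PAP_ACK;
		msg = succmsg;
		mlen = sizeof(succmsg) - 1;

		sp->pp_auth_failures = 0;
	} else {
		type = cp->proto == PPP_CHAP ? CHAP_FAILURE : PAP_NAK;
		msg = failmsg;
		mlen = sizeof(failmsg) - 1;

		/* Reset LCP if auth failed */
		sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close);
		sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open);
		sp->pp_auth_failures++;
	}

	/* sppp_auth_send() fetches lengths as size_t; pass them as such. */
	sppp_auth_send(cp, sp, type, ident, (size_t)mlen, msg, (size_t)0);
}

/*
 * Send keepalive packets, every 10 seconds.
 *
 * Callout handler: walks every sppp interface under the queue lock,
 * enforces the idle timeout, restarts LCP when too many echo requests
 * went unanswered, otherwise sends an LCP echo request, and finally
 * re-arms itself.
 */
static void
sppp_keepalive(void *dummy)
{
	struct sppp *sp;
	time_t now;

	SPPPQ_LOCK();

	now = time_uptime;
	for (sp=spppq; sp; sp=sp->pp_next) {
		struct ifnet *ifp = NULL;

		SPPP_LOCK(sp, RW_WRITER);
		ifp = &sp->pp_if;

		/* check idle timeout */
		if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING)
		    && (sp->pp_phase == SPPP_PHASE_NETWORK)) {
			/* idle timeout is enabled for this interface */
			if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) {
				SPPP_DLOG(sp, "no activity for %lu seconds\n",
				    (unsigned long)(now-sp->pp_last_activity));
				sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close);
				SPPP_UNLOCK(sp);
				continue;
			}
		}

		/* Keepalive mode disabled or channel down? */
		if (! ISSET(sp->pp_dev_flags, PP_DEVF_KEEPALIVE) ||
		    ! (ifp->if_flags & IFF_RUNNING)) {
			SPPP_UNLOCK(sp);
			continue;
		}

		/* No keepalive in PPP mode if LCP not opened yet. */
		if (sp->pp_phase < SPPP_PHASE_AUTHENTICATE) {
			SPPP_UNLOCK(sp);
			continue;
		}

		/* No echo reply, but maybe user data passed through? */
		if (sp->pp_max_noreceive != 0 &&
		    (now - sp->pp_last_receive) < sp->pp_max_noreceive) {
			sp->pp_alivecnt = 0;
			SPPP_UNLOCK(sp);
			continue;
		}

		/* No echo request */
		if (sp->pp_alive_interval == 0) {
			SPPP_UNLOCK(sp);
			continue;
		}

		/* send a ECHO_REQ once in sp->pp_alive_interval times */
		if ((sppp_keepalive_cnt % sp->pp_alive_interval) != 0) {
			SPPP_UNLOCK(sp);
			continue;
		}

		if (sp->pp_alivecnt >= sp->pp_maxalive) {
			/* No keepalive packets got.  Stop the interface. */
			SPPP_LOG(sp, LOG_INFO,"LCP keepalive timed out, "
			    "going to restart the connection\n");

			sp->pp_alivecnt = 0;

			if (sp->pp_flags & PP_IFDOWN)
				sppp_wq_add(sp->wq_cp, &sp->work_ifdown);
			sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close);
			sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open);

			SPPP_UNLOCK(sp);
			continue;
		}
		if (sp->pp_alivecnt < sp->pp_maxalive)
			++sp->pp_alivecnt;
		if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) {
			int32_t nmagic = htonl(sp->lcp.magic);
			sp->lcp.echoid = ++sp->scp[IDX_LCP].seq;
			sppp_cp_send(sp, PPP_LCP, ECHO_REQ,
			    sp->lcp.echoid, 4, &nmagic);
		}

		SPPP_UNLOCK(sp);
	}
	sppp_keepalive_cnt++;
	callout_schedule(&keepalive_ch, hz * sppp_keepalive_interval);

	SPPPQ_UNLOCK();
}

#ifdef INET
/*
 * Get both IP addresses.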
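*/
/*
 * Each of src, dst and srcmask may be NULL.  src and dst are returned
 * in host byte order and are 0 when no address is set.  *srcmask is
 * only written when a non-zero local address exists.
 */
static void
sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask)
{
	struct ifnet *ifp = &sp->pp_if;
	struct ifaddr *ifa;
	uint32_t ssrc, ddst;
	int bound;
	struct psref psref;

	ssrc = ddst = 0;
	/*
	 * Pick the first AF_INET address from the list,
	 * aliases don't make any sense on a p2p link anyway.
	 */
	bound = curlwp_bind();
	ifa = if_first_addr_psref(ifp, AF_INET, &psref);
	if (ifa != NULL) {
		struct sockaddr_in *si = satosin(ifa->ifa_addr);
		struct sockaddr_in *sm = satosin(ifa->ifa_netmask);
		if (si->sin_addr.s_addr) {
			ssrc = si->sin_addr.s_addr;
			if (srcmask)
				*srcmask = ntohl(sm->sin_addr.s_addr);
		}

		si = satosin(ifa->ifa_dstaddr);
		if (si && si->sin_addr.s_addr)
			ddst = si->sin_addr.s_addr;
		ifa_release(ifa, &psref);
	}
	curlwp_bindx(bound);

	if (dst) *dst = ntohl(ddst);
	if (src) *src = ntohl(ssrc);
}

/*
 * Set IP addresses.
 * If an address is 0, leave it the way it is.
 *
 * The sppp lock is dropped and re-taken so that the ifnet lock can be
 * acquired first; sppp state may change across that window.
 */
static void
sppp_set_ip_addrs(struct sppp *sp)
{
	struct ifnet *ifp = &sp->pp_if;
	struct ifaddr *ifa;
	struct sockaddr_in *si, *dest;
	uint32_t myaddr = 0, hisaddr = 0;
	int bound;
	struct psref psref;

	KASSERT(SPPP_WLOCKED(sp));

	SPPP_UNLOCK(sp);
	IFNET_LOCK(ifp);
	SPPP_LOCK(sp, RW_WRITER);

	/*
	 * Pick the first AF_INET address from the list,
	 * aliases don't make any sense on a p2p link anyway.
	 */
	si = dest = NULL;
	bound = curlwp_bind();
	ifa = if_first_addr_psref(ifp, AF_INET, &psref);
	if (ifa != NULL) {
		si = satosin(ifa->ifa_addr);
		dest = satosin(ifa->ifa_dstaddr);
	}

	/* Prefer a negotiated address over the configured one. */
	if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN))
		myaddr = sp->ipcp.req_myaddr;
	else if (si != NULL)
		myaddr = ntohl(si->sin_addr.s_addr);

	if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN))
		hisaddr = sp->ipcp.req_hisaddr;
	else if (dest != NULL)
		hisaddr = ntohl(dest->sin_addr.s_addr);

	if (si != NULL && dest != NULL) {
		int error;
		struct sockaddr_in new_sin = *si;
		struct sockaddr_in new_dst = *dest;

		if (myaddr != 0)
			new_sin.sin_addr.s_addr = htonl(myaddr);
		if (hisaddr != 0) {
			new_dst.sin_addr.s_addr = htonl(hisaddr);
			/* Keep the old peer address for sppp_clear_ip_addrs(). */
			if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr)
				sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr;
		}

		in_addrhash_remove(ifatoia(ifa));

		error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0);

		in_addrhash_insert(ifatoia(ifa));

		if (error) {
			SPPP_DLOG(sp, "%s: in_ifinit failed, error=%d\n",
			    __func__, error);
		} else {
			pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa);
		}
	}
	if (ifa != NULL)
		ifa_release(ifa, &psref);
	curlwp_bindx(bound);

	IFNET_UNLOCK(ifp);
}

/*
 * Clear IP addresses.
 *
 * A dynamic local address is reset to 0 and a dynamic peer address is
 * restored from saved_hisaddr when one was saved.  Nothing is changed
 * when the interface has no destination address; the other address
 * helpers in this file treat ifa_dstaddr as possibly NULL as well.
 */
static void
sppp_clear_ip_addrs(struct sppp *sp)
{
	struct ifnet *ifp = &sp->pp_if;
	struct ifaddr *ifa;
	struct sockaddr_in *si, *dest;
	int bound;
	struct psref psref;

	KASSERT(SPPP_WLOCKED(sp));

	SPPP_UNLOCK(sp);
	IFNET_LOCK(ifp);
	SPPP_LOCK(sp, RW_WRITER);

	/*
	 * Pick the first AF_INET address from the list,
	 * aliases don't make any sense on a p2p link anyway.
	 */
	si = dest = NULL;
	bound = curlwp_bind();
	ifa = if_first_addr_psref(ifp, AF_INET, &psref);
	if (ifa != NULL) {
		si = satosin(ifa->ifa_addr);
		dest = satosin(ifa->ifa_dstaddr);
		/*
		 * ignore "0.0.0.0" which means ppp is not opened yet.
		 */
		if (si->sin_addr.s_addr == INADDR_ANY)
			si = NULL;
	}

	/* dest is copied below, so it must be checked as well. */
	if (si != NULL && dest != NULL) {
		struct sockaddr_in new_sin = *si;
		struct sockaddr_in new_dst = *dest;
		int error;

		if (sp->ipcp.flags & IPCP_MYADDR_DYN)
			new_sin.sin_addr.s_addr = 0;
		if (sp->ipcp.flags & IPCP_HISADDR_DYN &&
		    ntohl(sp->ipcp.saved_hisaddr) != 0)
			new_dst.sin_addr.s_addr = sp->ipcp.saved_hisaddr;

		in_addrhash_remove(ifatoia(ifa));

		error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0);

		in_addrhash_insert(ifatoia(ifa));

		if (error) {
			SPPP_DLOG(sp, "%s: in_ifinit failed, error=%d\n",
			    __func__, error);
		} else {
			pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa);
		}
	}
	if (ifa != NULL)
		ifa_release(ifa, &psref);
	curlwp_bindx(bound);

	IFNET_UNLOCK(ifp);
}
#endif

#ifdef INET6
/*
 * Get both IPv6 addresses.
 *
 * Each of src, dst and srcmask may be NULL.  src and dst are zeroed
 * when no address is set; *srcmask is only written when a specified
 * local address exists.
 */
static void
sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst,
		   struct in6_addr *srcmask)
{
	struct ifnet *ifp = &sp->pp_if;
	struct ifaddr *ifa;
	struct in6_addr ssrc, ddst;
	int bound;
	struct psref psref;

	memset(&ssrc, 0, sizeof(ssrc));
	memset(&ddst, 0, sizeof(ddst));
	/*
	 * Pick the first link-local AF_INET6 address from the list,
	 * aliases don't make any sense on a p2p link anyway.
	 */
	bound = curlwp_bind();
	ifa = in6ifa_first_lladdr_psref(ifp, &psref);
	if (ifa != NULL) {
		struct sockaddr_in6 *si = satosin6(ifa->ifa_addr);
		struct sockaddr_in6 *sm = satosin6(ifa->ifa_netmask);
		if (!IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) {
			memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc));
			if (srcmask) {
				memcpy(srcmask, &sm->sin6_addr,
				    sizeof(*srcmask));
			}
		}

		si = (struct sockaddr_in6 *)ifa->ifa_dstaddr;
		if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr))
			memcpy(&ddst, &si->sin6_addr, sizeof(ddst));
		ifa_release(ifa, &psref);
	}
	curlwp_bindx(bound);

	if (dst)
		memcpy(dst, &ddst, sizeof(*dst));
	if (src)
		memcpy(src, &ssrc, sizeof(*src));
}

#ifdef IPV6CP_MYIFID_DYN
/*
 * Generate random ifid.
 */
static void
sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr)
{
	/* TBD */
}

/*
 * Set my IPv6 address.
 *
 * Replaces the address of the first link-local entry with *src.  The
 * sppp lock is dropped and re-taken so that the ifnet lock can be
 * acquired first.
 */
static void
sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src)
{
	struct ifnet *ifp = &sp->pp_if;
	struct ifaddr *ifa;
	int bound;
	struct psref psref;

	KASSERT(SPPP_WLOCKED(sp));

	SPPP_UNLOCK(sp);
	IFNET_LOCK(ifp);
	SPPP_LOCK(sp, RW_WRITER);

	/*
	 * Pick the first link-local AF_INET6 address from the list,
	 * aliases don't make any sense on a p2p link anyway.
	 */
	bound = curlwp_bind();
	ifa = in6ifa_first_lladdr_psref(ifp, &psref);
	if (ifa != NULL) {
		struct sockaddr_in6 *sin6 = satosin6(ifa->ifa_addr);
		struct sockaddr_in6 new_sin6 = *sin6;
		int error;

		memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr));
		error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1);
		if (error) {
			SPPP_DLOG(sp, "%s: in6_ifinit failed, error=%d\n",
			    __func__, error);
		} else {
			pfil_run_addrhooks(if_pfil, SIOCAIFADDR_IN6, ifa);
		}
		ifa_release(ifa, &psref);
	}
	curlwp_bindx(bound);

	IFNET_UNLOCK(ifp);
}
#endif

/*
 * Suggest a candidate address to be used by peer.
 *
 * The candidate is our own link-local address with the "u" bit cleared
 * and the last two bytes XORed with the low bits of the current time,
 * so that it differs from ours.  The time is not a random source; the
 * result is only meant to be different, not unpredictable.
 */
static void
sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest)
{
	struct in6_addr myaddr;
	struct timeval tv;

	sppp_get_ip6_addrs(sp, &myaddr, 0, 0);

	myaddr.s6_addr[8] &= ~0x02;	/* u bit to "local" */
	microtime(&tv);
	/* XOR with 0 would hand back our own address; force a change. */
	if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) {
		myaddr.s6_addr[14] ^= 0xff;
		myaddr.s6_addr[15] ^= 0xff;
	} else {
		myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff);
		myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff);
	}
	if (suggest)
		memcpy(suggest, &myaddr, sizeof(myaddr));
}
#endif /*INET6*/

/*
 * Process ioctl requests specific to the PPP interface.
 * Permissions have already been checked.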
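*/
static int
sppp_params(struct sppp *sp, u_long cmd, void *data)
{
	/*
	 * Dispatch one SPPP get/set request on `sp`.  `data` is cast to the
	 * request structure matching `cmd`.  Each case takes the sppp lock
	 * itself (reader for queries, writer for updates) and drops it on
	 * every return path.  Returns 0 on success, otherwise an errno value.
	 *
	 * NOTE(review): no privilege check is visible in this function;
	 * presumably the caller authorizes the SET requests -- confirm.
	 */
	switch (cmd) {
	case SPPPGETAUTHCFG: {
		struct spppauthcfg *cfg = (struct spppauthcfg *)data;
		int error;
		size_t len;

		SPPP_LOCK(sp, RW_READER);

		cfg->myauthflags = sp->myauth.flags;
		cfg->hisauthflags = sp->hisauth.flags;
		strlcpy(cfg->ifname, sp->pp_if.if_xname, sizeof(cfg->ifname));
		cfg->hisauth = sppp_proto2authproto(sp->hisauth.proto);
		cfg->myauth = sppp_proto2authproto(sp->myauth.proto);

		/*
		 * Only the names are copied out; this request never returns
		 * the secrets.  A zero length from the caller is a size
		 * query: report the needed size (name plus NUL) instead of
		 * copying.
		 */
		if (cfg->myname_length == 0) {
			if (sp->myauth.name != NULL)
				cfg->myname_length = sp->myauth.name_len + 1;
		} else {
			if (sp->myauth.name == NULL) {
				cfg->myname_length = 0;
			} else {
				len = sp->myauth.name_len + 1;

				/* The caller's buffer must hold name + NUL. */
				if (cfg->myname_length < len) {
					SPPP_UNLOCK(sp);
					return (ENAMETOOLONG);
				}
				error = copyout(sp->myauth.name, cfg->myname, len);
				if (error) {
					SPPP_UNLOCK(sp);
					return error;
				}
			}
		}
		if (cfg->hisname_length == 0) {
			if (sp->hisauth.name != NULL)
				cfg->hisname_length = sp->hisauth.name_len + 1;
		} else {
			if (sp->hisauth.name == NULL) {
				cfg->hisname_length = 0;
			} else {
				len = sp->hisauth.name_len + 1;

				if (cfg->hisname_length < len) {
					SPPP_UNLOCK(sp);
					return (ENAMETOOLONG);
				}
				error = copyout(sp->hisauth.name, cfg->hisname, len);
				if (error) {
					SPPP_UNLOCK(sp);
					return error;
				}
			}
		}
		SPPP_UNLOCK(sp);
		break;
	}
	case SPPPSETAUTHCFG: {
		struct spppauthcfg *cfg = (struct spppauthcfg *)data;
		int error;

		SPPP_LOCK(sp, RW_WRITER);

		/*
		 * All four stored strings are released before the request is
		 * validated, so a failure further down (ENAMETOOLONG or a
		 * copyin() error) returns with the previous credentials gone
		 * and only the fields processed so far installed.
		 *
		 * NOTE(review): the old secrets are handed to free() without
		 * being overwritten first; consider wiping them (for example
		 * with explicit_memset()) if secret_len is reliable here.
		 */
		if (sp->myauth.name) {
			free(sp->myauth.name, M_DEVBUF);
			sp->myauth.name = NULL;
		}
		if (sp->myauth.secret) {
			free(sp->myauth.secret, M_DEVBUF);
			sp->myauth.secret = NULL;
		}
		if (sp->hisauth.name) {
			free(sp->hisauth.name, M_DEVBUF);
			sp->hisauth.name = NULL;
		}
		if (sp->hisauth.secret) {
			free(sp->hisauth.secret, M_DEVBUF);
			sp->hisauth.secret = NULL;
		}

		/*
		 * For each string: the user-supplied length must be below
		 * MCLBYTES, exactly that many bytes are copied in, and the
		 * last byte is forced to NUL whatever user space supplied.
		 * The stored *_len therefore excludes the terminator.
		 */
		if (cfg->hisname != NULL && cfg->hisname_length > 0) {
			if (cfg->hisname_length >= MCLBYTES) {
				SPPP_UNLOCK(sp);
				return (ENAMETOOLONG);
			}
			sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK);
			error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length);
			if (error) {
				free(sp->hisauth.name, M_DEVBUF);
				sp->hisauth.name = NULL;
				SPPP_UNLOCK(sp);
				return error;
			}
			sp->hisauth.name_len = cfg->hisname_length - 1;
			sp->hisauth.name[sp->hisauth.name_len] = 0;
		}
		if (cfg->hissecret != NULL && cfg->hissecret_length > 0) {
			if (cfg->hissecret_length >= MCLBYTES) {
				SPPP_UNLOCK(sp);
				return (ENAMETOOLONG);
			}
			sp->hisauth.secret = malloc(cfg->hissecret_length,
			    M_DEVBUF, M_WAITOK);
			error = copyin(cfg->hissecret, sp->hisauth.secret,
			    cfg->hissecret_length);
			if (error) {
				free(sp->hisauth.secret, M_DEVBUF);
				sp->hisauth.secret = NULL;
				SPPP_UNLOCK(sp);
				return error;
			}
			sp->hisauth.secret_len = cfg->hissecret_length - 1;
			sp->hisauth.secret[sp->hisauth.secret_len] = 0;
		}
		if (cfg->myname != NULL && cfg->myname_length > 0) {
			if (cfg->myname_length >= MCLBYTES) {
				SPPP_UNLOCK(sp);
				return (ENAMETOOLONG);
			}
			sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK);
			error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length);
			if (error) {
				free(sp->myauth.name, M_DEVBUF);
				sp->myauth.name = NULL;
				SPPP_UNLOCK(sp);
				return error;
			}
			sp->myauth.name_len = cfg->myname_length - 1;
			sp->myauth.name[sp->myauth.name_len] = 0;
		}
		if (cfg->mysecret != NULL && cfg->mysecret_length > 0) {
			if (cfg->mysecret_length >= MCLBYTES) {
				SPPP_UNLOCK(sp);
				return (ENAMETOOLONG);
			}
			sp->myauth.secret = malloc(cfg->mysecret_length,
			    M_DEVBUF, M_WAITOK);
			error = copyin(cfg->mysecret, sp->myauth.secret,
			    cfg->mysecret_length);
			if (error) {
				free(sp->myauth.secret, M_DEVBUF);
				sp->myauth.secret = NULL;
				SPPP_UNLOCK(sp);
				return error;
			}
			sp->myauth.secret_len = cfg->mysecret_length - 1;
			sp->myauth.secret[sp->myauth.secret_len] = 0;
		}

		/* SPPP_AUTHPROTO_NOCHG keeps the currently configured protocol. */
		sp->myauth.flags = cfg->myauthflags;
		if (cfg->myauth != SPPP_AUTHPROTO_NOCHG) {
			sp->myauth.proto = sppp_authproto2proto(cfg->myauth);
		}
		sp->hisauth.flags = cfg->hisauthflags;
		if (cfg->hisauth != SPPP_AUTHPROTO_NOCHG) {
			sp->hisauth.proto = sppp_authproto2proto(cfg->hisauth);
		}

		/* New credentials restart the authentication failure count. */
		sp->pp_auth_failures = 0;

		/* The LCP auth-proto option follows whether a peer protocol is set. */
		if (sp->hisauth.proto != PPP_NOPROTO)
			SET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO);
		else
			CLR(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO);

		SPPP_UNLOCK(sp);
		break;
	}
	case SPPPGETLCPCFG: {
		struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data;

		SPPP_LOCK(sp, RW_READER);
		lcpp->lcp_timeout = sp->lcp.timeout;
		SPPP_UNLOCK(sp);
		break;
	}
	case SPPPSETLCPCFG: {
		struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data;

		/* The value is stored as given; no range check is applied here. */
		SPPP_LOCK(sp, RW_WRITER);
		sp->lcp.timeout = lcpp->lcp_timeout;
		SPPP_UNLOCK(sp);
		break;
	}
	case SPPPGETNCPCFG: {
		struct spppncpcfg *ncpp = (struct spppncpcfg *) data;

		SPPP_LOCK(sp, RW_READER);
		ncpp->ncp_flags = sp->pp_ncpflags;
		SPPP_UNLOCK(sp);
		break;
	}
	case SPPPSETNCPCFG: {
		struct spppncpcfg *ncpp = (struct spppncpcfg *) data;

		SPPP_LOCK(sp, RW_WRITER);
		sp->pp_ncpflags = ncpp->ncp_flags;
		SPPP_UNLOCK(sp);
		break;
	}
	case SPPPGETSTATUS: {
		struct spppstatus *status = (struct spppstatus *)data;

		SPPP_LOCK(sp, RW_READER);
		status->phase = sp->pp_phase;
		SPPP_UNLOCK(sp);
		break;
	}
	case SPPPGETSTATUSNCP: {
		struct spppstatusncp *status = (struct spppstatusncp *)data;

		SPPP_LOCK(sp, RW_READER);
		status->phase = sp->pp_phase;
		status->ncpup = sppp_cp_check(sp, CP_NCP);
		SPPP_UNLOCK(sp);
		break;
	}
	case SPPPGETIDLETO: {
		struct spppidletimeout *to = (struct spppidletimeout *)data;

		SPPP_LOCK(sp, RW_READER);
		to->idle_seconds = sp->pp_idle_timeout;
		SPPP_UNLOCK(sp);
		break;
	}
	case SPPPSETIDLETO: {
		struct spppidletimeout *to = (struct spppidletimeout *)data;

		SPPP_LOCK(sp, RW_WRITER);
		sp->pp_idle_timeout = to->idle_seconds;
		SPPP_UNLOCK(sp);
		break;
	}
	case SPPPSETAUTHFAILURE: {
		struct spppauthfailuresettings *afsettings =
		    (struct spppauthfailuresettings *)data;

		/* Changing the limit also clears the current failure count. */
		SPPP_LOCK(sp, RW_WRITER);
		sp->pp_max_auth_fail = afsettings->max_failures;
		sp->pp_auth_failures = 0;
		SPPP_UNLOCK(sp);
		break;
	}
	case SPPPGETAUTHFAILURES: {
		struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data;

		SPPP_LOCK(sp, RW_READER);
		stats->auth_failures = sp->pp_auth_failures;
		stats->max_failures = sp->pp_max_auth_fail;
		SPPP_UNLOCK(sp);
		break;
	}
	case SPPPSETDNSOPTS: {
		struct spppdnssettings *req = (struct spppdnssettings *)data;

		/* Only the two low bits of the request are kept. */
		SPPP_LOCK(sp, RW_WRITER);
		sp->query_dns = req->query_dns & 3;
		SPPP_UNLOCK(sp);
		break;
	}
	case SPPPGETDNSOPTS: {
		struct spppdnssettings *req = (struct spppdnssettings *)data;

		SPPP_LOCK(sp, RW_READER);
		req->query_dns = sp->query_dns;
		SPPP_UNLOCK(sp);
		break;
	}
	case SPPPGETDNSADDRS: {
		struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data;

		/* The copy is bounded by the size of the destination field. */
		SPPP_LOCK(sp, RW_READER);
		memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns);
		SPPP_UNLOCK(sp);
		break;
	}
	case SPPPGETKEEPALIVE: {
		struct spppkeepalivesettings *settings =
		    (struct spppkeepalivesettings*)data;

		SPPP_LOCK(sp, RW_READER);
		settings->maxalive = sp->pp_maxalive;
		settings->max_noreceive = sp->pp_max_noreceive;
		settings->alive_interval = sp->pp_alive_interval;
		SPPP_UNLOCK(sp);
		break;
	}
	case SPPPSETKEEPALIVE: {
		struct spppkeepalivesettings *settings =
		    (struct spppkeepalivesettings*)data;

		/* The values are stored as given; no range check is applied here. */
		SPPP_LOCK(sp, RW_WRITER);
		sp->pp_maxalive = settings->maxalive;
		sp->pp_max_noreceive = settings->max_noreceive;
		sp->pp_alive_interval = settings->alive_interval;
		SPPP_UNLOCK(sp);
		break;
	}
	case SPPPGETLCPSTATUS: {
		struct sppplcpstatus *status =
		    (struct sppplcpstatus *)data;

		SPPP_LOCK(sp, RW_READER);
		status->state = sp->scp[IDX_LCP].state;
		status->opts = sp->lcp.opts;
		status->magic = sp->lcp.magic;
		status->mru = sp->lcp.mru;
		SPPP_UNLOCK(sp);
		break;
	}
	case SPPPGETIPCPSTATUS: {
		struct spppipcpstatus *status =
		    (struct spppipcpstatus *)data;
		u_int32_t myaddr;

		SPPP_LOCK(sp, RW_READER);
		status->state = sp->scp[IDX_IPCP].state;
		status->opts = sp->ipcp.opts;
#ifdef INET
		sppp_get_ip_addrs(sp, &myaddr, 0, 0);
#else
		myaddr = 0;
#endif
		status->myaddr = ntohl(myaddr);
		SPPP_UNLOCK(sp);
		break;
	}
	case SPPPGETIPV6CPSTATUS: {
		struct spppipv6cpstatus *status =
		    (struct spppipv6cpstatus *)data;

		/* Both copies are bounded by the destination array sizes. */
		SPPP_LOCK(sp, RW_READER);
		status->state = sp->scp[IDX_IPV6CP].state;
		memcpy(status->my_ifid, sp->ipv6cp.my_ifid,
		    sizeof(status->my_ifid));
		memcpy(status->his_ifid, sp->ipv6cp.his_ifid,
		    sizeof(status->his_ifid));
		SPPP_UNLOCK(sp);
		break;
	}
	default: {
		int ret;

		/*
		 * Unknown commands are offered to the sppp_params_50_hook
		 * module hook; if it answers ENOSYS the request is rejected
		 * with EINVAL.
		 */
		MODULE_HOOK_CALL(sppp_params_50_hook, (sp, cmd, data),
		    enosys(), ret);
		if (ret != ENOSYS)
			return ret;
		return (EINVAL);
	}
	}
	return (0);
}

/*
 * Enter the network phase and queue the open work item of every control
 * protocol flagged CP_NCP.  The sppp lock must be held as writer.
 */
static void
sppp_phase_network(struct sppp *sp)
{
	int i;

	KASSERT(SPPP_WLOCKED(sp));

	sppp_change_phase(sp, SPPP_PHASE_NETWORK);

	/* Notify NCPs now. */
	for (i = 0; i < IDX_COUNT; i++)
		if ((cps[i])->flags & CP_NCP)
			sppp_wq_add(sp->wq_cp, &sp->scp[i].work_open);
}

/*
 * Return a printable name for a control-protocol packet type.  Known types
 * yield a string literal; any other value is formatted as hex into buf
 * (at most buflen bytes) and buf is returned, which is NULL when the caller
 * passed NULL.
 */
static const char *
sppp_cp_type_name(char *buf, size_t buflen, u_char type)
{

	switch (type) {
	case CONF_REQ:		return "conf-req";
	case CONF_ACK:		return "conf-ack";
	case CONF_NAK:		return "conf-nak";
	case CONF_REJ:		return "conf-rej";
	case TERM_REQ:		return "term-req";
	case TERM_ACK:		return "term-ack";
	case CODE_REJ:		return "code-rej";
	case PROTO_REJ:		return "proto-rej";
	case ECHO_REQ:		return "echo-req";
	case ECHO_REPLY:	return "echo-reply";
	case DISC_REQ:		return "discard-req";
	}
	if (buf != NULL)
		snprintf(buf, buflen, "0x%02x", type);
	return buf;
}

/*
 * Return a printable name for an authentication packet type of protocol
 * proto (PPP_CHAP or PPP_PAP).  Unknown types, and unknown protocols, are
 * formatted into buf as "<name>(<proto>) 0x<type>"; the result is then buf,
 * which may be NULL.
 */
static const char *
sppp_auth_type_name(char *buf, size_t buflen, u_short proto, u_char type)
{
	const char *name;

	switch (proto) {
	case PPP_CHAP:
		switch (type) {
		case CHAP_CHALLENGE:	return "challenge";
		case CHAP_RESPONSE:	return "response";
		case CHAP_SUCCESS:	return "success";
		case CHAP_FAILURE:	return "failure";
		default:		name = "chap"; break;
		}
		break;

	case PPP_PAP:
		switch (type) {
		case PAP_REQ:		return "req";
		case PAP_ACK:		return "ack";
		case PAP_NAK:		return "nak";
		default:		name = "pap"; break;
		}
		break;

	default:
		name = "bad";
		break;
	}

	if (buf != NULL)
		snprintf(buf, buflen, "%s(%#x) 0x%02x", name, proto, type);
	return buf;
}

/*
 * Return a printable name for an LCP option number; unknown options are
 * formatted as hex into buf (may be NULL, in which case NULL is returned).
 */
static const char *
sppp_lcp_opt_name(char *buf, size_t buflen, u_char opt)
{

	switch (opt) {
	case LCP_OPT_MRU:		return "mru";
	case LCP_OPT_ASYNC_MAP:		return "async-map";
	case LCP_OPT_AUTH_PROTO:	return "auth-proto";
	case LCP_OPT_QUAL_PROTO:	return "qual-proto";
	case LCP_OPT_MAGIC:		return "magic";
	case LCP_OPT_PROTO_COMP:	return "proto-comp";
	case LCP_OPT_ADDR_COMP:		return "addr-comp";
	case LCP_OPT_SELF_DESC_PAD:	return "sdpad";
	case LCP_OPT_CALL_BACK:		return "callback";
	case LCP_OPT_COMPOUND_FRMS:	return "cmpd-frms";
	case LCP_OPT_MP_MRRU:		return "mrru";
	case LCP_OPT_MP_SSNHF:		return "mp-ssnhf";
	case LCP_OPT_MP_EID:		return "mp-eid";
	}
	if (buf != NULL)
		snprintf(buf, buflen, "0x%02x", opt);
	return buf;
}

/*
 * Return a printable name for an IPCP option number; unknown options are
 * formatted as hex into buf (may be NULL, in which case NULL is returned).
 */
static const char *
sppp_ipcp_opt_name(char *buf, size_t buflen, u_char opt)
{

	switch (opt) {
	case IPCP_OPT_ADDRESSES:	return "addresses";
	case IPCP_OPT_COMPRESSION:	return "compression";
	case IPCP_OPT_ADDRESS:		return "address";
	case IPCP_OPT_PRIMDNS:		return "primdns";
	case IPCP_OPT_SECDNS:		return "secdns";
	}
	if (buf != NULL)
		snprintf(buf, buflen, "0x%02x", opt);
	return buf;
}

#ifdef INET6
/*
 * Return a printable name for an IPv6CP option number; unknown options are
 * formatted as hex into buf (may be NULL, in which case NULL is returned).
 */
static const char *
sppp_ipv6cp_opt_name(char *buf, size_t buflen, u_char opt)
{

	switch (opt) {
	case IPV6CP_OPT_IFID:		return "ifid";
	case IPV6CP_OPT_COMPRESSION:	return "compression";
	}
	if (buf != NULL)
		snprintf(buf, buflen, "0x%02x", opt);
	return buf;
}
#endif

/* Return a printable name for a control-protocol state, or "illegal". */
static const char *
sppp_state_name(int state)
{

	switch (state) {
	case STATE_INITIAL:	return "initial";
	case STATE_STARTING:	return "starting";
	case STATE_CLOSED:	return "closed";
	case STATE_STOPPED:	return "stopped";
	case STATE_CLOSING:	return "closing";
	case STATE_STOPPING:	return "stopping";
	case STATE_REQ_SENT:	return "req-sent";
	case STATE_ACK_RCVD:	return "ack-rcvd";
	case STATE_ACK_SENT:	return "ack-sent";
	case STATE_OPENED:	return "opened";
	}
	return "illegal";
}

/* Return a printable name for a link phase, or "illegal". */
static const char *
sppp_phase_name(int phase)
{

	switch (phase) {
	case SPPP_PHASE_DEAD:		return "dead";
	case SPPP_PHASE_ESTABLISH:	return "establish";
	case SPPP_PHASE_TERMINATE:	return "terminate";
	case SPPP_PHASE_AUTHENTICATE:	return "authenticate";
	case SPPP_PHASE_NETWORK:	return "network";
	}
	return "illegal";
}

/*
 * Return a printable name for a PPP protocol number; unknown protocols are
 * formatted as hex into buf (may be NULL, in which case NULL is returned).
 */
static const char *
sppp_proto_name(char *buf, size_t buflen, u_short proto)
{

	switch (proto) {
	case PPP_LCP:		return "lcp";
	case PPP_IPCP:		return "ipcp";
	case PPP_PAP:		return "pap";
	case PPP_CHAP:		return "chap";
	case PPP_IPV6CP:	return "ipv6cp";
	}
	if (buf != NULL) {
		/*
		 * The bound must be the caller's buflen.  sizeof(buf) is the
		 * size of the pointer, which truncates the text where
		 * pointers are 4 bytes and overruns any buffer shorter than
		 * a pointer.
		 */
		snprintf(buf, buflen, "0x%04x",
		    (unsigned)proto);
	}
	return buf;
}

/*
 * Log len bytes starting at p as hex, separated by '-' and preceded by a
 * space.  Nothing is logged for len == 0; without that guard the first byte
 * would be read anyway and the pre-decrement of the unsigned length would
 * wrap, reading far past the buffer.
 */
static void
sppp_print_bytes(const u_char *p, u_short len)
{
	if (len == 0)
		return;

	addlog(" %02x", *p++);
	while (--len > 0)
		addlog("-%02x", *p++);
}

/*
 * Log len bytes of the (not necessarily NUL-terminated) string p.  Bytes
 * outside ' '..'~' are written as \x escapes, so control characters from
 * the peer never reach the log verbatim.
 */
static void
sppp_print_string(const char *p, u_short len)
{
	u_char c;

	while (len-- > 0) {
		c = *p++;
		/*
		 * Print only ASCII chars directly.  RFC 1994 recommends
		 * using only them, but we don't rely on it.
		 */
		if (c < ' ' || c > '~')
			addlog("\\x%x", c);
		else
			addlog("%c", c);
	}
}

/*
 * Format addr as a dotted quad into buf, most significant byte first.
 * Returns buf; nothing is written when buf is NULL.
 */
static const char *
sppp_dotted_quad(char *buf, size_t buflen, uint32_t addr)
{

	if (buf != NULL) {
		snprintf(buf, buflen, "%u.%u.%u.%u",
		    (unsigned int)((addr >> 24) & 0xff),
		    (unsigned int)((addr >> 16) & 0xff),
		    (unsigned int)((addr >> 8) & 0xff),
		    (unsigned int)(addr & 0xff));
	}
	return buf;
}

/* a dummy, used to drop uninteresting events */
static void
sppp_null(struct sppp *unused)
{
	/* do just nothing */
}

/* This-layer-started: record cp in the set of protocols that need LCP. */
static void
sppp_tls(const struct cp *cp, struct sppp *sp)
{

	SPPP_DLOG(sp, "%s tls\n", cp->name);

	/* notify lcp that is lower layer */
	sp->lcp.protos |= (1 << cp->protoidx);
}

/*
 * This-layer-finished: remove cp from the set of protocols that need LCP,
 * release its saved conf-req/conf-nak mbufs and let LCP decide whether to
 * close.
 */
static void
sppp_tlf(const struct cp *cp, struct sppp *sp)
{

	SPPP_DLOG(sp, "%s tlf\n", cp->name);

	/* notify lcp that is lower layer */
	sp->lcp.protos &= ~(1 << cp->protoidx);

	/* cleanup; the pointers are cleared so the mbufs cannot be reused */
	m_freem(sp->scp[cp->protoidx].mbuf_confreq);
	sp->scp[cp->protoidx].mbuf_confreq = NULL;
	m_freem(sp->scp[cp->protoidx].mbuf_confnak);
	sp->scp[cp->protoidx].mbuf_confnak = NULL;

	sppp_lcp_check_and_close(sp);
}

/*
 * Send a configure reply (CONF_ACK, CONF_NAK or CONF_REJ) for cp.  Empty
 * messages and any other packet type are silently ignored.
 */
static void
sppp_screply(const struct cp *cp, struct sppp *sp, u_char type,
    uint8_t ident, size_t msglen, void *msg)
{

	if (msglen == 0)
		return;

	switch (type) {
	case CONF_ACK:
	case CONF_NAK:
	case CONF_REJ:
		break;
	default:
		return;
	}

	if (sppp_debug_enabled(sp)) {
		char tbuf[SPPP_CPTYPE_NAMELEN];
		const char *cpname;

		cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), type);
		SPPP_LOG(sp, LOG_DEBUG, "send %s\n", cpname);
	}

	sppp_cp_send(sp, cp->proto, type, ident, msglen, msg);
}

/*
 * Take the interface down and purge the control-packet queue.  The sppp
 * lock is dropped for the duration and re-taken as writer before returning,
 * so state read before the call may be stale afterwards.
 */
static void
sppp_ifdown(struct sppp *sp, void *xcp __unused)
{

	SPPP_UNLOCK(sp);
	if_down(&sp->pp_if);
	IF_PURGE(&sp->pp_cpq);
	SPPP_LOCK(sp, RW_WRITER);
}

/* Queue the LCP "up" work item. */
static void
sppp_notify_up(struct sppp *sp)
{

	sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_up);
}

/* Queue the LCP "down" work item. */
static void
sppp_notify_down(struct sppp *sp)
{

	sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_down);
}

/*
 * Invoke the pp_tls callback, if one is set.  Entered with the sppp lock
 * held as writer; the lock is released around the callback and re-taken
 * afterwards, so sp may have changed by the time this returns.
 */
static void
sppp_notify_tls_wlocked(struct sppp *sp)
{

	KASSERT(SPPP_WLOCKED(sp));

	if (!sp->pp_tls)
		return;

	SPPP_UNLOCK(sp);
	sp->pp_tls(sp);
	SPPP_LOCK(sp, RW_WRITER);
}

/*
 * Invoke the pp_tlf callback, if one is set.  Entered with the sppp lock
 * held as writer; the lock is released around the callback and re-taken
 * afterwards, so sp may have changed by the time this returns.
 */
static void
sppp_notify_tlf_wlocked(struct sppp *sp)
{

	KASSERT(SPPP_WLOCKED(sp));

	if (!sp->pp_tlf)
		return;

	SPPP_UNLOCK(sp);
	sp->pp_tlf(sp);
	SPPP_LOCK(sp, RW_WRITER);
}

/*
 * Workqueue handler: recover the sppp_work from wk, flip its state from
 * SPPP_WK_BUSY back to SPPP_WK_FREE, then run its function with the sppp
 * lock held as writer.  The state is released before the function runs, so
 * the same item can be queued again while it executes.
 */
static void
sppp_wq_work(struct work *wk, void *xsp)
{
	struct sppp *sp;
	struct sppp_work *work;

	sp = xsp;
	work = container_of(wk, struct sppp_work, work);
	atomic_cas_uint(&work->state, SPPP_WK_BUSY, SPPP_WK_FREE);

	SPPP_LOCK(sp, RW_WRITER);
	work->func(sp, work->arg);
	SPPP_UNLOCK(sp);
}

/*
 * Create a workqueue whose handler is sppp_wq_work() with sp as its
 * argument.  Panics if workqueue_create() fails, so the result is never
 * NULL.
 */
static struct workqueue *
sppp_wq_create(struct sppp *sp, const char *xnamebuf, pri_t prio, int ipl, int flags)
{
	struct workqueue *wq;
	int error;

	error = workqueue_create(&wq, xnamebuf, sppp_wq_work,
	    (void *)sp, prio, ipl, flags);
	if (error) {
		panic("%s: workqueue_create failed [%s, %d]\n",
		    sp->pp_if.if_xname, xnamebuf, error);
	}

	return wq;
}

/* Destroy a workqueue made by sppp_wq_create(); sp is unused. */
static void
sppp_wq_destroy(struct sppp *sp __unused, struct workqueue *wq)
{

	workqueue_destroy(wq);
}

/* Set the function and argument that a work item runs. */
static void
sppp_wq_set(struct sppp_work *work,
    void (*func)(struct sppp *, void *), void *arg)
{

	work->func = func;
	work->arg = arg;
}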
/*
 * Queue a work item unless it is already pending.  The item is claimed by
 * moving its state from SPPP_WK_FREE to SPPP_WK_BUSY; any other current
 * state (already queued, or marked SPPP_WK_UNAVAIL by sppp_wq_wait()) makes
 * this a no-op.
 */
static void
sppp_wq_add(struct workqueue *wq, struct sppp_work *work)
{
	unsigned int prev;

	prev = atomic_cas_uint(&work->state, SPPP_WK_FREE, SPPP_WK_BUSY);
	if (prev != SPPP_WK_FREE)
		return;

	KASSERT(work->func != NULL);

	/* Preemption stays off for the duration of the enqueue call. */
	kpreempt_disable();
	workqueue_enqueue(wq, &work->work, NULL);
	kpreempt_enable();
}

/*
 * Retire a work item: mark it SPPP_WK_UNAVAIL, which makes every later
 * sppp_wq_add() on it fail its state check, then wait on the workqueue for
 * the item.
 */
static void
sppp_wq_wait(struct workqueue *wq, struct sppp_work *work)
{

	(void)atomic_swap_uint(&work->state, SPPP_WK_UNAVAIL);
	workqueue_wait(wq, &work->work);
}

/*
 * This file is large.  Tell emacs to highlight it nevertheless.
 *
 * Local Variables:
 * hilit-auto-highlight-maxout: 120000
 * End:
 */

/*
 * Module glue
 */
MODULE(MODULE_CLASS_MISC, sppp_subr, NULL);

/*
 * Module command handler.  Init and fini need no work and succeed; every
 * other command is answered with ENOTTY.  arg is not used.
 */
static int
sppp_subr_modcmd(modcmd_t cmd, void *arg)
{

	if (cmd == MODULE_CMD_INIT || cmd == MODULE_CMD_FINI)
		return 0;

	/* MODULE_CMD_STAT, MODULE_CMD_AUTOUNLOAD and anything else. */
	return ENOTTY;
}