1 /* $NetBSD: if_spppsubr.c,v 1.297 2026/06/24 15:30:45 riastradh Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak (at) cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun (at) iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 
35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.297 2026/06/24 15:30:45 riastradh Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_modular.h" 49 #include "opt_compat_netbsd.h" 50 #include "opt_net_mpsafe.h" 51 #include "opt_sppp.h" 52 #endif 53 54 #include <sys/param.h> 55 #include <sys/proc.h> 56 #include <sys/systm.h> 57 #include <sys/kernel.h> 58 #include <sys/sockio.h> 59 #include <sys/socket.h> 60 #include <sys/syslog.h> 61 #include <sys/malloc.h> 62 #include <sys/mbuf.h> 63 #include <sys/callout.h> 64 #include <sys/md5.h> 65 #include <sys/inttypes.h> 66 #include <sys/kauth.h> 67 #include <sys/cprng.h> 68 #include <sys/module.h> 69 #include <sys/workqueue.h> 70 #include <sys/atomic.h> 71 #include <sys/compat_stub.h> 72 #include <sys/cpu.h> 73 74 #include <net/if.h> 75 #include <net/if_types.h> 76 #include <net/route.h> 77 #include <net/ppp_defs.h> 78 79 #include <netinet/in.h> 80 #include <netinet/in_systm.h> 81 #include <netinet/in_var.h> 82 #ifdef INET 83 #include <netinet/ip.h> 84 #include <netinet/tcp.h> 85 #endif 86 #include <net/ethertypes.h> 87 88 #ifdef INET6 89 #include <netinet6/scope6_var.h> 90 #endif 91 92 #include <net/if_sppp.h> 93 #include <net/if_spppvar.h> 94 95 #ifdef NET_MPSAFE 96 #define SPPPSUBR_MPSAFE 1 97 #endif 98 99 #define DEFAULT_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 100 #define DEFAULT_ALIVE_INTERVAL 1 /* count of sppp_keepalive */ 101 #define LOOPALIVECNT 3 /* loopback detection tries */ 102 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 103 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 104 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. 
failures */ 105 106 #ifndef SPPP_KEEPALIVE_INTERVAL 107 #define SPPP_KEEPALIVE_INTERVAL DEFAULT_KEEPALIVE_INTERVAL 108 #endif 109 110 #ifndef SPPP_NORECV_TIME 111 #define SPPP_NORECV_TIME DEFAULT_NORECV_TIME 112 #endif 113 114 #ifndef SPPP_ALIVE_INTERVAL 115 #define SPPP_ALIVE_INTERVAL DEFAULT_ALIVE_INTERVAL 116 #endif 117 118 #define SPPP_CPTYPE_NAMELEN 5 /* buf size of cp type name */ 119 #define SPPP_AUTHTYPE_NAMELEN 32 /* buf size of auth type name */ 120 #define SPPP_LCPOPT_NAMELEN 5 /* buf size of lcp option name */ 121 #define SPPP_IPCPOPT_NAMELEN 5 /* buf size of ipcp option name */ 122 #define SPPP_IPV6CPOPT_NAMELEN 5 /* buf size of ipv6cp option name */ 123 #define SPPP_PROTO_NAMELEN 7 /* buf size of protocol name */ 124 #define SPPP_DOTQUAD_BUFLEN 16 /* length of "aa.bb.cc.dd" */ 125 126 /* 127 * Interface flags that can be set in an ifconfig command. 128 * 129 * Setting link0 will make the link passive, i.e. it will be marked 130 * as being administrative openable, but won't be opened to begin 131 * with. Incoming calls will be answered, or subsequent calls with 132 * -link1 will cause the administrative open of the LCP layer. 133 * 134 * Setting link1 will cause the link to auto-dial only as packets 135 * arrive to be sent. 136 * 137 * Setting IFF_DEBUG will syslog the option negotiation and state 138 * transitions at level kern.debug. Note: all logs consistently look 139 * like 140 * 141 * <if-name><unit>: <proto-name> <additional info...> 142 * 143 * with <if-name><unit> being something like "bppp0", and <proto-name> 144 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 
145 */ 146 147 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 148 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 149 150 #define CONF_REQ 1 /* PPP configure request */ 151 #define CONF_ACK 2 /* PPP configure acknowledge */ 152 #define CONF_NAK 3 /* PPP configure negative ack */ 153 #define CONF_REJ 4 /* PPP configure reject */ 154 #define TERM_REQ 5 /* PPP terminate request */ 155 #define TERM_ACK 6 /* PPP terminate acknowledge */ 156 #define CODE_REJ 7 /* PPP code reject */ 157 #define PROTO_REJ 8 /* PPP protocol reject */ 158 #define ECHO_REQ 9 /* PPP echo request */ 159 #define ECHO_REPLY 10 /* PPP echo reply */ 160 #define DISC_REQ 11 /* PPP discard request */ 161 162 #define LCP_OPT_MRU 1 /* maximum receive unit */ 163 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 164 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 165 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 166 #define LCP_OPT_MAGIC 5 /* magic number */ 167 #define LCP_OPT_RESERVED 6 /* reserved */ 168 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 169 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 170 #define LCP_OPT_FCS_ALTS 9 /* FCS alternatives */ 171 #define LCP_OPT_SELF_DESC_PAD 10 /* self-describing padding */ 172 #define LCP_OPT_CALL_BACK 13 /* callback */ 173 #define LCP_OPT_COMPOUND_FRMS 15 /* compound frames */ 174 #define LCP_OPT_MP_MRRU 17 /* multilink MRRU */ 175 #define LCP_OPT_MP_SSNHF 18 /* multilink short seq. 
numbers */ 176 #define LCP_OPT_MP_EID 19 /* multilink endpoint discriminator */ 177 178 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 179 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 180 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 181 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 182 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 183 184 #define IPCP_UPDATE_LIMIT 8 /* limit of pending IP updating job */ 185 #define IPCP_SET_ADDRS 1 /* marker for IP address setting job */ 186 #define IPCP_CLEAR_ADDRS 2 /* marker for IP address clearing job */ 187 188 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 189 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 190 191 #define PAP_REQ 1 /* PAP name/password request */ 192 #define PAP_ACK 2 /* PAP acknowledge */ 193 #define PAP_NAK 3 /* PAP fail */ 194 195 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 196 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 197 #define CHAP_SUCCESS 3 /* CHAP response ok */ 198 #define CHAP_FAILURE 4 /* CHAP response failed */ 199 200 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 201 202 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 203 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 204 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 205 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 206 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 207 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 208 209 #define PPP_NOPROTO 0 /* no authentication protocol */ 210 211 enum { 212 STATE_INITIAL = SPPP_STATE_INITIAL, 213 STATE_STARTING = SPPP_STATE_STARTING, 214 STATE_CLOSED = SPPP_STATE_CLOSED, 215 STATE_STOPPED = SPPP_STATE_STOPPED, 216 STATE_CLOSING = SPPP_STATE_CLOSING, 217 STATE_STOPPING = SPPP_STATE_STOPPING, 218 STATE_REQ_SENT = SPPP_STATE_REQ_SENT, 219 STATE_ACK_RCVD = SPPP_STATE_ACK_RCVD, 220 STATE_ACK_SENT = SPPP_STATE_ACK_SENT, 221 
STATE_OPENED = SPPP_STATE_OPENED, 222 }; 223 224 enum cp_rcr_type { 225 CP_RCR_NONE = 0, /* initial value */ 226 CP_RCR_ACK, /* RCR+ */ 227 CP_RCR_NAK, /* RCR- */ 228 CP_RCR_REJ, /* RCR- */ 229 CP_RCR_DROP, /* DROP message */ 230 CP_RCR_ERR, /* internal error */ 231 }; 232 233 struct ppp_header { 234 uint8_t address; 235 uint8_t control; 236 uint16_t protocol; 237 } __packed; 238 #define PPP_HEADER_LEN sizeof (struct ppp_header) 239 240 struct lcp_header { 241 uint8_t type; 242 uint8_t ident; 243 uint16_t len; 244 } __packed; 245 #define LCP_HEADER_LEN sizeof (struct lcp_header) 246 247 struct cisco_packet { 248 uint32_t type; 249 uint32_t par1; 250 uint32_t par2; 251 uint16_t rel; 252 uint16_t time0; 253 uint16_t time1; 254 } __packed; 255 #define CISCO_PACKET_LEN 18 256 257 /* 258 * We follow the spelling and capitalization of RFC 1661 here, to make 259 * it easier comparing with the standard. Please refer to this RFC in 260 * case you can't make sense out of these abbreviation; it will also 261 * explain the semantics related to the various events and actions. 
262 */ 263 struct cp { 264 u_short proto; /* PPP control protocol number */ 265 u_char protoidx; /* index into state table in struct sppp */ 266 u_char flags; 267 #define CP_LCP 0x01 /* this is the LCP */ 268 #define CP_AUTH 0x02 /* this is an authentication protocol */ 269 #define CP_NCP 0x04 /* this is a NCP */ 270 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 271 const char *name; /* name of this control protocol */ 272 /* event handlers */ 273 void (*Up)(struct sppp *, void *); 274 void (*Down)(struct sppp *, void *); 275 void (*Open)(struct sppp *, void *); 276 void (*Close)(struct sppp *, void *); 277 void (*TO)(struct sppp *, void *); 278 /* actions */ 279 void (*tlu)(struct sppp *); 280 void (*tld)(struct sppp *); 281 void (*tls)(const struct cp *, struct sppp *); 282 void (*tlf)(const struct cp *, struct sppp *); 283 void (*scr)(struct sppp *); 284 void (*screply)(const struct cp *, struct sppp *, u_char, 285 uint8_t, size_t, void *); 286 287 /* message parser */ 288 enum cp_rcr_type 289 (*parse_confreq)(struct sppp *, struct lcp_header *, int, 290 uint8_t **, size_t *, size_t *); 291 void (*parse_confrej)(struct sppp *, struct lcp_header *, int); 292 void (*parse_confnak)(struct sppp *, struct lcp_header *, int); 293 }; 294 295 enum auth_role { 296 SPPP_AUTH_NOROLE = 0, 297 SPPP_AUTH_SERV = __BIT(0), 298 SPPP_AUTH_PEER = __BIT(1), 299 }; 300 301 static struct sppp *spppq; 302 static kmutex_t *spppq_lock = NULL; 303 static callout_t keepalive_ch; 304 static unsigned int sppp_keepalive_cnt = 0; 305 unsigned int sppp_keepalive_interval = SPPP_KEEPALIVE_INTERVAL; 306 307 pktq_rps_hash_func_t sppp_pktq_rps_hash_p; 308 309 #define SPPPQ_LOCK() if (spppq_lock) \ 310 mutex_enter(spppq_lock); 311 #define SPPPQ_UNLOCK() if (spppq_lock) \ 312 mutex_exit(spppq_lock); 313 314 #define SPPP_LOCK(_sp, _op) rw_enter(&(_sp)->pp_lock, (_op)) 315 #define SPPP_UNLOCK(_sp) rw_exit(&(_sp)->pp_lock) 316 #define SPPP_WLOCKED(_sp) rw_write_held(&(_sp)->pp_lock) 
317 #define SPPP_WQ_SET(_wk, _func, _arg) \ 318 sppp_wq_set((_wk), (_func), __UNCONST((_arg))) 319 #define SPPP_LOG(_sp, _lvl, _fmt, _args...) do { \ 320 if (__predict_true((_sp) != NULL)) { \ 321 log((_lvl), "%s: ", (_sp)->pp_if.if_xname); \ 322 } \ 323 addlog((_fmt), ##_args); \ 324 } while (0) 325 #define SPPP_DLOG(_sp, _fmt, _args...) do { \ 326 if (!sppp_debug_enabled(_sp)) \ 327 break; \ 328 SPPP_LOG(_sp, LOG_DEBUG, _fmt, ##_args); \ 329 } while (0) 330 331 #ifdef INET 332 #ifndef SPPPSUBR_MPSAFE 333 /* 334 * The following disgusting hack gets around the problem that IP TOS 335 * can't be set yet. We want to put "interactive" traffic on a high 336 * priority queue. To decide if traffic is interactive, we check that 337 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 338 * 339 * XXX is this really still necessary? - joerg - 340 */ 341 static u_short interactive_ports[8] = { 342 0, 513, 0, 0, 343 0, 21, 0, 23, 344 }; 345 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 346 #endif /* SPPPSUBR_MPSAFE */ 347 #endif 348 349 /* almost every function needs these */ 350 351 static bool sppp_debug_enabled(struct sppp *sp); 352 static int sppp_output(struct ifnet *, struct mbuf *, 353 const struct sockaddr *, const struct rtentry *); 354 355 static void sppp_cp_init(const struct cp *, struct sppp *); 356 static void sppp_cp_fini(const struct cp *, struct sppp *); 357 static void sppp_cp_input(const struct cp *, struct sppp *, 358 struct mbuf *); 359 static void sppp_cp_input(const struct cp *, struct sppp *, 360 struct mbuf *); 361 static void sppp_cp_send(struct sppp *, u_short, u_char, 362 u_char, u_short, void *); 363 /* static void sppp_cp_timeout(void *arg); */ 364 static void sppp_cp_change_state(const struct cp *, struct sppp *, int); 365 static struct workqueue * 366 sppp_wq_create(struct sppp *, const char *, pri_t, int, int); 367 static void sppp_wq_destroy(struct sppp *, struct workqueue *); 368 static void 
sppp_wq_set(struct sppp_work *, 369 void (*)(struct sppp *, void *), void *); 370 static void sppp_wq_add(struct workqueue *, struct sppp_work *); 371 static void sppp_wq_wait(struct workqueue *, struct sppp_work *); 372 static void sppp_cp_to_lcp(void *); 373 static void sppp_cp_to_ipcp(void *); 374 static void sppp_cp_to_ipv6cp(void *); 375 static void sppp_auth_send(const struct cp *, struct sppp *, 376 unsigned int, unsigned int, ...); 377 static int sppp_auth_role(const struct cp *, struct sppp *); 378 static void sppp_auth_to_event(struct sppp *, void *); 379 static void sppp_auth_screply(const struct cp *, struct sppp *, 380 u_char, uint8_t, size_t, void *); 381 static void sppp_up_event(struct sppp *, void *); 382 static void sppp_down_event(struct sppp *, void *); 383 static void sppp_open_event(struct sppp *, void *); 384 static void sppp_close_event(struct sppp *, void *); 385 static void sppp_to_event(struct sppp *, void *); 386 static void sppp_rcr_event(struct sppp *, void *); 387 static void sppp_rca_event(struct sppp *, void *); 388 static void sppp_rcn_event(struct sppp *, void *); 389 static void sppp_rtr_event(struct sppp *, void *); 390 static void sppp_rta_event(struct sppp *, void *); 391 static void sppp_rxj_event(struct sppp *, void *); 392 393 static void sppp_null(struct sppp *); 394 static void sppp_tls(const struct cp *, struct sppp *); 395 static void sppp_tlf(const struct cp *, struct sppp *); 396 static void sppp_screply(const struct cp *, struct sppp *, 397 u_char, uint8_t, size_t, void *); 398 static void sppp_ifdown(struct sppp *, void *); 399 400 static void sppp_lcp_init(struct sppp *); 401 static void sppp_lcp_up(struct sppp *, void *); 402 static void sppp_lcp_down(struct sppp *, void *); 403 static void sppp_lcp_open(struct sppp *, void *); 404 static enum cp_rcr_type 405 sppp_lcp_confreq(struct sppp *, struct lcp_header *, int, 406 uint8_t **, size_t *, size_t *); 407 static void sppp_lcp_confrej(struct sppp *, struct 
lcp_header *, int); 408 static void sppp_lcp_confnak(struct sppp *, struct lcp_header *, int); 409 static void sppp_lcp_tlu(struct sppp *); 410 static void sppp_lcp_tld(struct sppp *); 411 static void sppp_lcp_tls(const struct cp *, struct sppp *); 412 static void sppp_lcp_tlf(const struct cp *, struct sppp *); 413 static void sppp_lcp_scr(struct sppp *); 414 static void sppp_lcp_check_and_close(struct sppp *); 415 static int sppp_cp_check(struct sppp *, u_char); 416 static bool sppp_is_ncp_opened(struct sppp *); 417 418 static void sppp_ipcp_init(struct sppp *); 419 static void sppp_ipcp_open(struct sppp *, void *); 420 static void sppp_ipcp_close(struct sppp *, void *); 421 static enum cp_rcr_type 422 sppp_ipcp_confreq(struct sppp *, struct lcp_header *, int, 423 uint8_t **, size_t *, size_t *); 424 static void sppp_ipcp_confrej(struct sppp *, struct lcp_header *, int); 425 static void sppp_ipcp_confnak(struct sppp *, struct lcp_header *, int); 426 static void sppp_ipcp_tlu(struct sppp *); 427 static void sppp_ipcp_tld(struct sppp *); 428 static void sppp_ipcp_scr(struct sppp *); 429 430 static void sppp_ipv6cp_init(struct sppp *); 431 static void sppp_ipv6cp_open(struct sppp *, void *); 432 static enum cp_rcr_type 433 sppp_ipv6cp_confreq(struct sppp *, struct lcp_header *, int, 434 uint8_t **, size_t *, size_t *); 435 static void sppp_ipv6cp_confrej(struct sppp *, struct lcp_header *, int); 436 static void sppp_ipv6cp_confnak(struct sppp *, struct lcp_header *, int); 437 static void sppp_ipv6cp_tlu(struct sppp *); 438 static void sppp_ipv6cp_tld(struct sppp *); 439 static void sppp_ipv6cp_scr(struct sppp *); 440 441 static void sppp_pap_input(struct sppp *, struct mbuf *); 442 static void sppp_pap_init(struct sppp *); 443 static void sppp_pap_tlu(struct sppp *); 444 static void sppp_pap_scr(struct sppp *); 445 446 static void sppp_chap_input(struct sppp *, struct mbuf *); 447 static void sppp_chap_init(struct sppp *); 448 static void sppp_chap_open(struct sppp 
*, void *); 449 static void sppp_chap_tlu(struct sppp *); 450 static void sppp_chap_scr(struct sppp *); 451 static void sppp_chap_rcv_challenge_event(struct sppp *, void *); 452 453 static const char *sppp_auth_type_name(char *, size_t, u_short, u_char); 454 static const char *sppp_cp_type_name(char *, size_t, u_char); 455 static const char *sppp_dotted_quad(char *, size_t, uint32_t); 456 static const char *sppp_ipcp_opt_name(char *, size_t, u_char); 457 #ifdef INET6 458 static const char *sppp_ipv6cp_opt_name(char *, size_t, u_char); 459 #endif 460 static const char *sppp_lcp_opt_name(char *, size_t, u_char); 461 static const char *sppp_phase_name(int); 462 static const char *sppp_proto_name(char *, size_t, u_short); 463 static const char *sppp_state_name(int); 464 static int sppp_params(struct sppp *, u_long, void *); 465 #ifdef INET 466 static void sppp_get_ip_addrs(struct sppp *, uint32_t *, uint32_t *, uint32_t *); 467 static void sppp_set_ip_addrs(struct sppp *); 468 static void sppp_clear_ip_addrs(struct sppp *); 469 #endif 470 static void sppp_keepalive(void *); 471 static void sppp_phase_network(struct sppp *); 472 static void sppp_print_bytes(const u_char *, u_short); 473 static void sppp_print_string(const char *, u_short); 474 #ifdef INET6 475 static void sppp_get_ip6_addrs(struct sppp *, struct in6_addr *, 476 struct in6_addr *, struct in6_addr *); 477 #ifdef IPV6CP_MYIFID_DYN 478 static void sppp_set_ip6_addr(struct sppp *, const struct in6_addr *); 479 static void sppp_gen_ip6_addr(struct sppp *, const struct in6_addr *); 480 #endif 481 static void sppp_suggest_ip6_addr(struct sppp *, struct in6_addr *); 482 #endif 483 484 static void sppp_notify_up(struct sppp *); 485 static void sppp_notify_down(struct sppp *); 486 static void sppp_notify_tls_wlocked(struct sppp *); 487 static void sppp_notify_tlf_wlocked(struct sppp *); 488 489 /* our control protocol descriptors */ 490 static const struct cp lcp = { 491 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 492 
sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, 493 sppp_close_event, sppp_to_event, 494 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, 495 sppp_lcp_tlf, sppp_lcp_scr, sppp_screply, 496 sppp_lcp_confreq, sppp_lcp_confrej, sppp_lcp_confnak 497 }; 498 499 static const struct cp ipcp = { 500 PPP_IPCP, IDX_IPCP, 501 #ifdef INET 502 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 503 #else 504 0, 505 #endif 506 "ipcp", 507 sppp_up_event, sppp_down_event, sppp_ipcp_open, 508 sppp_ipcp_close, sppp_to_event, 509 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_tls, 510 sppp_tlf, sppp_ipcp_scr, sppp_screply, 511 sppp_ipcp_confreq, sppp_ipcp_confrej, sppp_ipcp_confnak, 512 }; 513 514 static const struct cp ipv6cp = { 515 PPP_IPV6CP, IDX_IPV6CP, 516 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 517 CP_NCP, 518 #else 519 0, 520 #endif 521 "ipv6cp", 522 sppp_up_event, sppp_down_event, sppp_ipv6cp_open, 523 sppp_close_event, sppp_to_event, 524 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_tls, 525 sppp_tlf, sppp_ipv6cp_scr, sppp_screply, 526 sppp_ipv6cp_confreq, sppp_ipv6cp_confrej, sppp_ipv6cp_confnak, 527 }; 528 529 static const struct cp pap = { 530 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 531 sppp_up_event, sppp_down_event, sppp_open_event, 532 sppp_close_event, sppp_auth_to_event, 533 sppp_pap_tlu, sppp_null, sppp_tls, sppp_tlf, 534 sppp_pap_scr, sppp_auth_screply, 535 NULL, NULL, NULL 536 }; 537 538 static const struct cp chap = { 539 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 540 sppp_up_event, sppp_down_event, sppp_chap_open, 541 sppp_close_event, sppp_auth_to_event, 542 sppp_chap_tlu, sppp_null, sppp_tls, sppp_tlf, 543 sppp_chap_scr, sppp_auth_screply, 544 NULL, NULL, NULL 545 }; 546 547 static const struct cp *cps[IDX_COUNT] = { 548 &lcp, /* IDX_LCP */ 549 &ipcp, /* IDX_IPCP */ 550 &ipv6cp, /* IDX_IPV6CP */ 551 &pap, /* IDX_PAP */ 552 &chap, /* IDX_CHAP */ 553 }; 554 555 static inline u_int 556 sppp_proto2authproto(u_short proto) 557 { 558 559 switch (proto) { 560 case PPP_PAP: 561 return 
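SPPP_AUTHPROTO_PAP;
	case PPP_CHAP:
		return SPPP_AUTHPROTO_CHAP;
	}

	return SPPP_AUTHPROTO_NONE;
}

/*
 * Map an SPPP_AUTHPROTO_* selector to the PPP protocol number of the
 * matching authentication protocol.  Any other value yields PPP_NOPROTO.
 */
static inline u_short
sppp_authproto2proto(u_int authproto)
{

	switch (authproto) {
	case SPPP_AUTHPROTO_PAP:
		return PPP_PAP;
	case SPPP_AUTHPROTO_CHAP:
		return PPP_CHAP;
	}

	return PPP_NOPROTO;
}

/*
 * Report whether debug logging is enabled for sp.  Returns false for a
 * NULL sp or when IFF_DEBUG is clear in the interface flags.
 */
static inline bool
sppp_debug_enabled(struct sppp *sp)
{

	if (__predict_false(sp == NULL))
		return false;

	if ((sp->pp_if.if_flags & IFF_DEBUG) == 0)
		return false;

	return true;
}

/*
 * Start bringing the link up: mark the interface IFF_RUNNING, publish
 * pp_connecting = true and queue the LCP "open" work item on wq_cp.
 * The caller must hold pp_lock as writer (asserted).
 */
static inline void
sppp_connect(struct sppp *sp)
{
	KASSERT(SPPP_WLOCKED(sp));

	sp->pp_if.if_flags |= IFF_RUNNING;
	atomic_store_relaxed(&sp->pp_connecting, true);
	sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open);
}

/*
 * Counterpart of sppp_connect(): clear IFF_RUNNING, publish
 * pp_connecting = false and queue the LCP "close" work item on wq_cp.
 * The caller must hold pp_lock as writer (asserted).
 */
static inline void
sppp_disconnect(struct sppp *sp)
{
	KASSERT(SPPP_WLOCKED(sp));

	sp->pp_if.if_flags &= ~IFF_RUNNING;
	atomic_store_relaxed(&sp->pp_connecting, false);
	sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close);
}

/*
 * Record a new PPP phase and propagate it as link state: only
 * SPPP_PHASE_NETWORK reports LINK_STATE_UP, every other phase reports
 * LINK_STATE_DOWN.  A no-op when the phase is unchanged.  The caller
 * must hold pp_lock as writer (asserted).
 */
static void
sppp_change_phase(struct sppp *sp, int phase)
{
	struct ifnet *ifp = &sp->pp_if;

	KASSERT(SPPP_WLOCKED(sp));

	if (sp->pp_phase == phase)
		return;

	sp->pp_phase = phase;

	if (phase == SPPP_PHASE_NETWORK)
		if_link_state_change(ifp, LINK_STATE_UP);
	else
		if_link_state_change(ifp, LINK_STATE_DOWN);

	SPPP_DLOG(sp, "phase %s\n",
	    sppp_phase_name(sp->pp_phase));
}

/*
 * Exported functions, comprising our interface to the lower layer.
 */

/*
 * Process the received packet.
 *
 * Strips the link header (a bare 16-bit protocol field when
 * PP_DEVF_NOFRAMING is set, a struct ppp_header otherwise) and
 * dispatches on the protocol number.  Control and authentication
 * packets are processed under pp_lock; IP and IPv6 payloads are handed
 * to the matching packet queue, but only while the corresponding NCP
 * is in STATE_OPENED.  Every path either frees m or passes it on.
 *
 * Every header field read here comes from the peer.  The "reject"
 * path below asserts and then releases the write lock, so each jump to
 * it must be made with pp_lock write-held.
 */
void
sppp_input(struct ifnet *ifp, struct mbuf *m)
{
	struct ppp_header *h = NULL;
	pktqueue_t *pktq = NULL;
	uint16_t protocol;
	struct sppp *sp = (struct sppp *)ifp;

	/* No RPS for not-IP. */
	pktq_rps_hash_func_t rps_hash = NULL;

	if (ifp->if_flags & IFF_UP) {
		/* Count received bytes, add hardware framing */
		if_statadd(ifp, if_ibytes, m->m_pkthdr.len + sp->pp_framebytes);
		/* Note time of last receive */
		sp->pp_last_receive = time_uptime32;
	}

	if (m->m_pkthdr.len <= PPP_HEADER_LEN) {
		/* Too small packet, drop it. */
		SPPP_DLOG(sp, "input packet is too small, "
		    "%d bytes\n", m->m_pkthdr.len);
		goto drop;
	}

	/*
	 * NOTE(review): only the total packet length is checked above.
	 * The mtod() reads below assume the header bytes are contiguous
	 * in the first mbuf (m_len >= header size) -- confirm that the
	 * lower layer guarantees this, or pull the header up first.
	 */
	if (ISSET(sp->pp_dev_flags, PP_DEVF_NOFRAMING)) {
		/* memcpy: the 16-bit field may not be aligned in the mbuf. */
		memcpy(&protocol, mtod(m, void *), 2);
		protocol = ntohs(protocol);
		m_adj(m, 2);
	} else {

		/* Get PPP header. */
		h = mtod(m, struct ppp_header *);
		m_adj(m, PPP_HEADER_LEN);

		switch (h->address) {
		case PPP_ALLSTATIONS:
			if (h->control != PPP_UI)
				goto invalid;
			break;
		case CISCO_MULTICAST:
		case CISCO_UNICAST:
			/* Don't check the control field here (RFC 1547). */
			SPPP_DLOG(sp, "Cisco packet in PPP mode "
			    "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
			    h->address, h->control, ntohs(h->protocol));
			goto drop;
		default:	/* Invalid PPP packet. */
		  invalid:
			SPPP_DLOG(sp, "invalid input packet "
			    "<addr=0x%x ctrl=0x%x proto=0x%x>\n",
			    h->address, h->control, ntohs(h->protocol));
			goto drop;
		}
		protocol = ntohs(h->protocol);
	}

	switch (protocol) {
	reject_protocol:
		/*
		 * Reached only by goto, always with pp_lock write-held.
		 * Send an LCP Protocol-Reject if LCP is up, then drop.
		 */
		KASSERT(SPPP_WLOCKED(sp));

		if (sp->scp[IDX_LCP].state == STATE_OPENED) {
			uint16_t prot = htons(protocol);

			sppp_cp_send(sp, PPP_LCP, PROTO_REJ,
			    ++sp->scp[IDX_LCP].seq, sizeof(prot), &prot);
		}
		SPPP_UNLOCK(sp);
		if_statinc(ifp, if_noproto);
		goto drop;
	default:
		SPPP_DLOG(sp, "invalid input protocol "
		    "<proto=0x%x>\n", protocol);
		/*
		 * Take the write lock before jumping: reject_protocol
		 * asserts it and unlocks.  Without this, a peer sending
		 * any unknown protocol number would trip the KASSERT, or
		 * release a lock that is not held on non-DIAGNOSTIC
		 * kernels.
		 */
		SPPP_LOCK(sp, RW_WRITER);
		goto reject_protocol;
	case PPP_LCP:
		SPPP_LOCK(sp, RW_WRITER);
		sppp_cp_input(&lcp, sp, m);
		/* already m_freem(m) */
		SPPP_UNLOCK(sp);
		return;
	case PPP_PAP:
		SPPP_LOCK(sp, RW_WRITER);
		/* Authentication packets are ignored before that phase. */
		if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) {
			sppp_pap_input(sp, m);
		}
		SPPP_UNLOCK(sp);
		m_freem(m);
		return;
	case PPP_CHAP:
		SPPP_LOCK(sp, RW_WRITER);
		/* Authentication packets are ignored before that phase. */
		if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) {
			sppp_chap_input(sp, m);
		}
		SPPP_UNLOCK(sp);
		m_freem(m);
		return;
#ifdef INET
	case PPP_IPCP:
		SPPP_LOCK(sp, RW_WRITER);
		if (!ISSET(sp->pp_ncpflags, SPPP_NCP_IPCP)) {
			SPPP_LOG(sp, LOG_INFO, "reject IPCP packet "
			    "because IPCP is disabled\n");
			/* lock stays held; reject_protocol releases it */
			goto reject_protocol;
		}
		if (sp->pp_phase == SPPP_PHASE_NETWORK) {
			sppp_cp_input(&ipcp, sp, m);
			/* already m_freem(m) */
		} else {
			m_freem(m);
		}
		SPPP_UNLOCK(sp);
		return;
	case PPP_IP:
		SPPP_LOCK(sp, RW_READER);
		/* Accept IP payload only once IPCP has been negotiated. */
		if (sp->scp[IDX_IPCP].state == STATE_OPENED) {
			atomic_store_relaxed(&sp->pp_last_activity, time_uptime);
			pktq = ip_pktq;
			rps_hash = atomic_load_relaxed(&sppp_pktq_rps_hash_p);
		}
		SPPP_UNLOCK(sp);
		break;
#endif
#ifdef INET6
	case PPP_IPV6CP:
		SPPP_LOCK(sp, RW_WRITER);
		if (!ISSET(sp->pp_ncpflags, SPPP_NCP_IPV6CP)) {
			SPPP_LOG(sp, LOG_INFO, "reject IPv6CP packet "
			    "because IPv6CP is disabled\n");
			/* lock stays held; reject_protocol releases it */
			goto reject_protocol;
		}
		if (sp->pp_phase == SPPP_PHASE_NETWORK) {
			sppp_cp_input(&ipv6cp, sp, m);
			/* already m_freem(m) */
		} else {
			m_freem(m);
		}
		SPPP_UNLOCK(sp);
		return;

	case PPP_IPV6:
		/*
		 * NOTE(review): the PPP_IP case does the same state check
		 * under RW_READER; the writer lock here looks stronger
		 * than needed -- confirm before changing.
		 */
		SPPP_LOCK(sp, RW_WRITER);
		/* Accept IPv6 payload only once IPv6CP has been negotiated. */
		if (sp->scp[IDX_IPV6CP].state == STATE_OPENED) {
			atomic_store_relaxed(&sp->pp_last_activity, time_uptime);
			pktq = ip6_pktq;
			rps_hash = atomic_load_relaxed(&sppp_pktq_rps_hash_p);
		}
		SPPP_UNLOCK(sp);
		break;
#endif
	}

	/* pktq is still NULL when the NCP for this payload is not opened. */
	if ((ifp->if_flags & IFF_UP) == 0 || pktq == NULL) {
		goto drop;
	}

	/* Check queue. */
	const uint32_t hash = rps_hash ? pktq_rps_hash(&rps_hash, m) : 0;
	if (__predict_false(!pktq_enqueue(pktq, m, hash))) {
		goto drop;
	}
	return;

drop:
	if_statadd2(ifp, if_ierrors, 1, if_iqdrops, 1);
	m_freem(m);
	return;
}

/*
 * Enqueue transmit packet.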
814 */ 815 static int 816 sppp_output(struct ifnet *ifp, struct mbuf *m, 817 const struct sockaddr *dst, const struct rtentry *rt) 818 { 819 struct sppp *sp = (struct sppp *) ifp; 820 struct ppp_header *h = NULL; 821 #ifndef SPPPSUBR_MPSAFE 822 struct ifqueue *ifq = NULL; /* XXX */ 823 #endif 824 int error = 0; 825 uint16_t protocol; 826 size_t pktlen; 827 828 atomic_store_relaxed(&sp->pp_last_activity, time_uptime); 829 830 if ((ifp->if_flags & IFF_UP) == 0) { 831 m_freem(m); 832 if_statinc(ifp, if_oerrors); 833 return (ENETDOWN); 834 } 835 836 if (!sppp_is_connecting(ifp)) { 837 SPPP_LOCK(sp, RW_WRITER); 838 if (!sp->pp_ondemand) { 839 SPPP_UNLOCK(sp); 840 m_freem(m); 841 if_statinc(ifp, if_oerrors); 842 return (ENETDOWN); 843 } else { 844 /* ignore packets that have no enabled NCP */ 845 if ((dst->sa_family == AF_INET && 846 !ISSET(sp->pp_ncpflags, SPPP_NCP_IPCP)) || 847 (dst->sa_family == AF_INET6 && 848 !ISSET(sp->pp_ncpflags, SPPP_NCP_IPV6CP))) { 849 SPPP_UNLOCK(sp); 850 851 m_freem(m); 852 if_statinc(ifp, if_oerrors); 853 return (ENETDOWN); 854 } 855 /* 856 * Interface is not yet running, but auto-dial. Need 857 * to start LCP for it. 858 * Re-check sp->pp_connecting 859 * under lock (Double-Checked Locking) 860 */ 861 if (!sp->pp_connecting) 862 sppp_connect(sp); 863 } 864 SPPP_UNLOCK(sp); 865 } 866 867 /* 868 * If the queueing discipline needs packet classification, 869 * do it before prepending link headers. 
870 */ 871 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family); 872 873 #ifdef INET 874 if (dst->sa_family == AF_INET) { 875 struct ip *ip = NULL; 876 #ifndef SPPPSUBR_MPSAFE 877 struct tcphdr *th = NULL; 878 #endif 879 880 if (m->m_len >= sizeof(struct ip)) { 881 ip = mtod(m, struct ip *); 882 #ifndef SPPPSUBR_MPSAFE 883 if (ip->ip_p == IPPROTO_TCP && 884 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 885 sizeof(struct tcphdr)) { 886 th = (struct tcphdr *) 887 ((char *)ip + (ip->ip_hl << 2)); 888 } 889 #endif 890 } else 891 ip = NULL; 892 893 /* 894 * When using dynamic local IP address assignment by using 895 * 0.0.0.0 as a local address, the first TCP session will 896 * not connect because the local TCP checksum is computed 897 * using 0.0.0.0 which will later become our real IP address 898 * so the TCP checksum computed at the remote end will 899 * become invalid. So we 900 * - don't let packets with src ip addr 0 thru 901 * - we flag TCP packets with src ip 0 as an error 902 */ 903 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 904 uint8_t proto = ip->ip_p; 905 906 m_freem(m); 907 if (proto == IPPROTO_TCP) 908 return (EADDRNOTAVAIL); 909 else 910 return (0); 911 } 912 913 #ifndef SPPPSUBR_MPSAFE 914 /* 915 * Put low delay, telnet, rlogin and ftp control packets 916 * in front of the queue. 917 */ 918 if (!IF_QFULL(&sp->pp_fastq) && 919 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 920 (th && (INTERACTIVE(ntohs(th->th_sport)) || 921 INTERACTIVE(ntohs(th->th_dport)))))) 922 ifq = &sp->pp_fastq; 923 #endif /* !SPPPSUBR_MPSAFE */ 924 } 925 #endif 926 927 #ifdef INET6 928 if (dst->sa_family == AF_INET6) { 929 /* XXX do something tricky here? */ 930 } 931 #endif 932 933 if (!ISSET(sp->pp_dev_flags, PP_DEVF_NOFRAMING)) { 934 /* 935 * Prepend general data packet PPP header. For now, IP only. 936 */ 937 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 938 if (! 
m) { 939 SPPP_DLOG(sp, "no memory for transmit header\n"); 940 if_statinc(ifp, if_oerrors); 941 return (ENOBUFS); 942 } 943 /* 944 * May want to check size of packet 945 * (albeit due to the implementation it's always enough) 946 */ 947 h = mtod(m, struct ppp_header *); 948 h->address = PPP_ALLSTATIONS; /* broadcast address */ 949 h->control = PPP_UI; /* Unnumbered Info */ 950 } 951 952 switch (dst->sa_family) { 953 #ifdef INET 954 case AF_INET: /* Internet Protocol */ 955 /* 956 * Don't choke with an ENETDOWN early. It's 957 * possible that we just started dialing out, 958 * so don't drop the packet immediately. If 959 * we notice that we run out of buffer space 960 * below, we will however remember that we are 961 * not ready to carry IP packets, and return 962 * ENETDOWN, as opposed to ENOBUFS. 963 */ 964 protocol = htons(PPP_IP); 965 SPPP_LOCK(sp, RW_READER); 966 if (sp->scp[IDX_IPCP].state != STATE_OPENED) { 967 if (ifp->if_flags & IFF_AUTO) { 968 error = ENETDOWN; 969 } else { 970 SPPP_UNLOCK(sp); 971 972 m_freem(m); 973 if_statinc(ifp, if_oerrors); 974 return (ENETDOWN); 975 } 976 } 977 SPPP_UNLOCK(sp); 978 break; 979 #endif 980 #ifdef INET6 981 case AF_INET6: /* Internet Protocol version 6 */ 982 /* 983 * Don't choke with an ENETDOWN early. It's 984 * possible that we just started dialing out, 985 * so don't drop the packet immediately. If 986 * we notice that we run out of buffer space 987 * below, we will however remember that we are 988 * not ready to carry IP packets, and return 989 * ENETDOWN, as opposed to ENOBUFS. 
990 */ 991 protocol = htons(PPP_IPV6); 992 SPPP_LOCK(sp, RW_READER); 993 if (sp->scp[IDX_IPV6CP].state != STATE_OPENED) { 994 if (ifp->if_flags & IFF_AUTO) { 995 error = ENETDOWN; 996 } else { 997 SPPP_UNLOCK(sp); 998 999 m_freem(m); 1000 if_statinc(ifp, if_oerrors); 1001 return (ENETDOWN); 1002 } 1003 } 1004 SPPP_UNLOCK(sp); 1005 break; 1006 #endif 1007 default: 1008 m_freem(m); 1009 if_statinc(ifp, if_oerrors); 1010 return (EAFNOSUPPORT); 1011 } 1012 1013 if (error == ENETDOWN) { 1014 IF_DROP(&ifp->if_snd); 1015 m_freem(m); 1016 return error; 1017 } 1018 1019 if (ISSET(sp->pp_dev_flags, PP_DEVF_NOFRAMING)) { 1020 M_PREPEND(m, 2, M_DONTWAIT); 1021 if (m == NULL) { 1022 SPPP_DLOG(sp, "no memory for transmit header\n"); 1023 if_statinc(ifp, if_oerrors); 1024 return (ENOBUFS); 1025 } 1026 *mtod(m, uint16_t *) = protocol; 1027 } else { 1028 h->protocol = protocol; 1029 } 1030 1031 pktlen = m->m_pkthdr.len; 1032 #ifdef SPPPSUBR_MPSAFE 1033 error = if_transmit_lock(ifp, m); 1034 if (error == 0) 1035 if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes); 1036 #else /* !SPPPSUBR_MPSAFE */ 1037 error = ifq_enqueue2(ifp, ifq, m); 1038 1039 if (error == 0) { 1040 /* 1041 * Count output packets and bytes. 1042 * The packet length includes header + additional hardware 1043 * framing according to RFC 1333. 1044 */ 1045 if (!(ifp->if_flags & IFF_OACTIVE)) { 1046 if_start_lock(ifp); 1047 } 1048 if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes); 1049 } 1050 #endif /* !SPPPSUBR_MPSAFE */ 1051 return error; 1052 } 1053 1054 static int 1055 sppp_sysctl_flags(SYSCTLFN_ARGS) 1056 { 1057 struct sppp *sp = rnode->sysctl_data; 1058 const char *s = rnode->sysctl_name; 1059 struct sysctlnode node; 1060 int err, val; 1061 u_int flag; 1062 1063 if (strcmp(s, "ifdown") == 0) { 1064 flag = PP_IFDOWN; 1065 } else { 1066 return EINVAL; 1067 } 1068 1069 SPPP_LOCK(sp, RW_READER); 1070 val = (sp->pp_flags & flag) ? 
1 : 0;
	SPPP_UNLOCK(sp);

	node = *rnode;
	node.sysctl_data = &val;

	err = sysctl_lookup(SYSCTLFN_CALL(&node));
	if (err || newp == NULL)
		return err;

	SPPP_LOCK(sp, RW_WRITER);
	if (val == 1) {
		sp->pp_flags |= flag;
	} else {
		sp->pp_flags &= ~flag;
	}
	SPPP_UNLOCK(sp);

	return 0;
}

/*
 * Create the sysctl nodes for one interface: a "sppp" node under CTL_NET,
 * a child node named after the interface, and below that the read-write
 * integer "ifdown", which is served by sppp_sysctl_flags() with sp as its
 * data pointer.  A failure is only reported with printf(); the caller gets
 * no error indication.
 */
static void
sppp_sysctl_setup(struct sppp *sp)
{
	struct sysctllog **clog = &sp->pp_sysctl_log;
	const struct sysctlnode *rnode = NULL, *cnode = NULL;
	int err;

	err = sysctl_createv(clog, 0, NULL, &rnode,
	    CTLFLAG_PERMANENT,
	    CTLTYPE_NODE, "sppp",
	    SYSCTL_DESCR("Synchronous Point-to-Point Protocol controls"),
	    NULL, 0, NULL, 0,
	    CTL_NET, CTL_CREATE, CTL_EOL);

	if (err == 0) {
		err = sysctl_createv(clog, 0, &rnode, &rnode,
		    CTLFLAG_PERMANENT,
		    CTLTYPE_NODE, sp->pp_if.if_xname,
		    SYSCTL_DESCR("Interface controls"),
		    NULL, 0, NULL, 0,
		    CTL_CREATE, CTL_EOL);
	}

	if (err == 0) {
		err = sysctl_createv(clog, 0, &rnode, &cnode,
		    CTLFLAG_PERMANENT | CTLFLAG_READWRITE,
		    CTLTYPE_INT, "ifdown",
		    SYSCTL_DESCR("Down interface on no echo reply and loopback detected"),
		    sppp_sysctl_flags, 0, (void *)sp, 0,
		    CTL_CREATE, CTL_EOL);
	}

	if (err != 0) {
		printf("%s: could not attach sysctl nodes for sppp\n",
		    sp->pp_if.if_xname);
	}
}

/*
 * Attach the sppp layer to an interface.  The ifnet is treated as the
 * start of a struct sppp.  Starts the shared keepalive callout when the
 * list of sppp interfaces is still empty, sets the default parameters,
 * creates the control-protocol workqueue, initializes all control
 * protocols under the writer lock and links sp into the keepalive list.
 */
void
sppp_attach(struct ifnet *ifp)
{
	struct sppp *sp = (struct sppp *)ifp;
	char xnamebuf[MAXCOMLEN];

	/* The first interface starts the keepalive handler. */
	if (spppq == NULL) {
		callout_init(&keepalive_ch, CALLOUT_MPSAFE);
		callout_setfunc(&keepalive_ch, sppp_keepalive, NULL);
		callout_schedule(&keepalive_ch, hz * sppp_keepalive_interval);
	}

	if (spppq_lock == NULL)
		spppq_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_SOFTNET);

	sp->pp_if.if_type = IFT_PPP;
	sp->pp_if.if_output = sppp_output;
	IFQ_SET_MAXLEN(&sp->pp_fastq, 32);
	IFQ_LOCK_INIT(&sp->pp_fastq);
	IFQ_SET_MAXLEN(&sp->pp_cpq, 20);
	sp->pp_loopcnt = 0;
	sp->pp_alivecnt = 0;
	sp->pp_alive_interval = SPPP_ALIVE_INTERVAL;
	sp->pp_last_activity = 0;
	sp->pp_last_receive = 0;
	sp->pp_maxalive = DEFAULT_MAXALIVECNT;
	sp->pp_max_noreceive = SPPP_NORECV_TIME;
	sp->pp_idle_timeout = 0;
	sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES;
	sp->pp_phase = SPPP_PHASE_DEAD;
	sp->pp_up = sppp_notify_up;
	sp->pp_down = sppp_notify_down;
	sp->pp_ncpflags = SPPP_NCP_IPCP | SPPP_NCP_IPV6CP;
#ifdef SPPP_IFDOWN_RECONNECT
	sp->pp_flags |= PP_IFDOWN;
#endif
	sppp_wq_set(&sp->work_ifdown, sppp_ifdown, NULL);
	memset(sp->scp, 0, sizeof(sp->scp));
	rw_init(&sp->pp_lock);
	sppp_sysctl_setup(sp);

	if_alloc_sadl(ifp);

	/* Lets not beat about the bush, we know we're down. */
	if_link_state_change(ifp, LINK_STATE_DOWN);

	/* snprintf() bounds the workqueue name to the size of xnamebuf. */
	snprintf(xnamebuf, sizeof(xnamebuf), "%s.wq_cp", ifp->if_xname);
	sp->wq_cp = sppp_wq_create(sp, xnamebuf,
	    PRI_SOFTNET, IPL_SOFTNET, WQ_MPSAFE);

	/* Start without any authentication names or secrets. */
	memset(&sp->myauth, 0, sizeof(sp->myauth));
	memset(&sp->hisauth, 0, sizeof(sp->hisauth));

	SPPP_LOCK(sp, RW_WRITER);
	sppp_lcp_init(sp);
	sppp_ipcp_init(sp);
	sppp_ipv6cp_init(sp);
	sppp_pap_init(sp);
	sppp_chap_init(sp);
	SPPP_UNLOCK(sp);

	/* Insert new entry into the keepalive list. */
	SPPPQ_LOCK();
	sp->pp_next = spppq;
	spppq = sp;
	SPPPQ_UNLOCK();
}

/*
 * Undo sppp_attach(): unlink sp from the keepalive list, stop the
 * keepalive callout and free the list lock when the list became empty,
 * tear down the sysctl nodes, finish every control protocol, destroy the
 * workqueue and free the authentication names and secrets.
 */
void
sppp_detach(struct ifnet *ifp)
{
	struct sppp **link, *cur, *sp = (struct sppp *)ifp;

	/* Remove the entry from the keepalive list. */
	SPPPQ_LOCK();
	for (link = &spppq; (cur = *link) != NULL; link = &cur->pp_next) {
		if (cur == sp) {
			*link = cur->pp_next;
			break;
		}
	}
	SPPPQ_UNLOCK();

	if (spppq == NULL) {
		/* Stop keepalive handler. */
		callout_stop(&keepalive_ch);
		mutex_obj_free(spppq_lock);
		spppq_lock = NULL;
	}

	sysctl_teardown(&sp->pp_sysctl_log);
	sppp_cp_fini(&lcp, sp);
	sppp_cp_fini(&ipcp, sp);
	sppp_cp_fini(&pap, sp);
	sppp_cp_fini(&chap, sp);
#ifdef INET6
	sppp_cp_fini(&ipv6cp, sp);
#endif
	sppp_wq_destroy(sp, sp->wq_cp);

	/*
	 * Free authentication info.
	 * NOTE(review): the PAP/CHAP secrets are handed back to the
	 * allocator without being cleared first, so they can linger in
	 * freed kernel memory.  Wiping them before free() needs the buffer
	 * length, which is not visible in this function -- confirm where
	 * it is kept.
	 */
	if (sp->myauth.name != NULL)
		free(sp->myauth.name, M_DEVBUF);
	if (sp->myauth.secret != NULL)
		free(sp->myauth.secret, M_DEVBUF);
	if (sp->hisauth.name != NULL)
		free(sp->hisauth.name, M_DEVBUF);
	if (sp->hisauth.secret != NULL)
		free(sp->hisauth.secret, M_DEVBUF);

	IFQ_LOCK_DESTROY(&sp->pp_fastq);
	rw_destroy(&sp->pp_lock);
}

/*
 * Flush the interface output queue.  All three queues (if_snd, the fast
 * queue and the control protocol queue) are purged under the writer lock.
 */
void
sppp_flush(struct ifnet *ifp)
{
	struct sppp *sp = (struct sppp *)ifp;

	SPPP_LOCK(sp, RW_WRITER);
	IFQ_PURGE(&sp->pp_if.if_snd);
	IF_PURGE(&sp->pp_fastq);
	IF_PURGE(&sp->pp_cpq);
	SPPP_UNLOCK(sp);
}

/*
 * Check if the output queue is empty.  Returns non-zero only when the
 * fast queue, the control protocol queue and if_snd are all empty.
 */
int
sppp_isempty(struct ifnet *ifp)
{
	struct sppp *sp = (struct sppp *)ifp;
	int all_empty;

	SPPP_LOCK(sp, RW_READER);
	all_empty = IF_IS_EMPTY(&sp->pp_fastq) &&
	    IF_IS_EMPTY(&sp->pp_cpq) &&
	    IFQ_IS_EMPTY(&sp->pp_if.if_snd);
	SPPP_UNLOCK(sp);

	return all_empty;
}

/*
 * Get next packet to send.  Control protocol packets always go first;
 * the fast queue and then if_snd are consulted only once an NCP is open.
 * Returns NULL when there is nothing to send.
 */
struct mbuf *
sppp_dequeue(struct ifnet *ifp)
{
	struct sppp *sp = (struct sppp *)ifp;
	struct mbuf *pkt;

	SPPP_LOCK(sp, RW_WRITER);
	/*
	 * Process only the control protocol queue until we have at
	 * least one NCP opened.
	 */
	IF_DEQUEUE(&sp->pp_cpq, pkt);
	if (pkt == NULL && sppp_is_ncp_opened(sp)) {
		IF_DEQUEUE(&sp->pp_fastq, pkt);
		if (pkt == NULL)
			IFQ_DEQUEUE(&sp->pp_if.if_snd, pkt);
	}
	SPPP_UNLOCK(sp);

	return pkt;
}

/*
 * Abort a connection attempt.  An on-demand link is disconnected if it
 * is currently connecting; any other link gets an LCP close followed by
 * an LCP open queued on the control-protocol workqueue.
 */
void
sppp_abort_connect(struct ifnet *ifp)
{
	struct sppp *sp = (struct sppp *)ifp;

	SPPP_LOCK(sp, RW_WRITER);
	if (!sp->pp_ondemand) {
		sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close);
		sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open);
	} else if (sp->pp_connecting) {
		sppp_disconnect(sp);
	}
	SPPP_UNLOCK(sp);
}

/*
 * Process an ioctl request.  Called on low priority level.
 *
 * Privilege checks done here: every SPPPSET* request needs
 * KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, and the requests that return the
 * authentication, LCP and NCP configuration or the authentication failure
 * counters need KAUTH_REQ_NETWORK_INTERFACE_GETPRIV.  The remaining
 * SPPPGET* requests are passed to sppp_params() without a kauth check in
 * this function.  Anything unknown goes to ifioctl_common().
 *
 * Returns 0 or an errno value.
 */
int
sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data)
{
	struct lwp *l = curlwp;	/* XXX */
	struct ifreq *ifr = (struct ifreq *)data;
	struct ifaddr *ifa = (struct ifaddr *)data;
	struct sppp *sp = (struct sppp *)ifp;
	int error = 0, going_up, going_down;
	u_long lcp_mru;

	switch (cmd) {
	case SIOCINITIFADDR:
		ifa->ifa_rtrequest = p2p_rtrequest;
		break;

	case SIOCSIFFLAGS:
		if ((error = ifioctl_common(ifp, cmd, data)) != 0)
			break;

		SPPP_LOCK(sp, RW_WRITER);
		going_up =
		    (ifp->if_flags & IFF_UP) && !sp->pp_connecting;
		going_down =
		    ((ifp->if_flags & IFF_UP) == 0) && sp->pp_connecting;

		/* IFF_AUTO is dropped when IFF_PASSIVE is set as well. */
		if ((ifp->if_flags & IFF_AUTO) &&
		    (ifp->if_flags & IFF_PASSIVE)) {
			ifp->if_flags &= ~IFF_AUTO;
		}

		atomic_store_relaxed(&sp->pp_ondemand,
		    (ifp->if_flags & IFF_AUTO) ? true : false);

		if (going_up || going_down) {
			sppp_disconnect(sp);
		}
		if (going_up) {
			/* Always-on connection */
			if (!sp->pp_ondemand)
				sppp_connect(sp);
		} else if (going_down) {
			/* sppp_flush() takes the lock itself. */
			SPPP_UNLOCK(sp);
			sppp_flush(ifp);
			SPPP_LOCK(sp, RW_WRITER);
		}
		SPPP_UNLOCK(sp);
		break;

	case SIOCSIFMTU:
		/* Reject values outside PPP_MINMRU..PP_MTU up front. */
		if (ifr->ifr_mtu < PPP_MINMRU ||
		    ifr->ifr_mtu > PP_MTU) {
			error = EINVAL;
			break;
		}

		error = ifioctl_common(ifp, cmd, data);
		if (error == ENETRESET)
			error = 0;

		SPPP_LOCK(sp, RW_WRITER);
		lcp_mru = sp->lcp.mru;
		if (ifp->if_mtu < PP_MTU) {
			sp->lcp.mru = ifp->if_mtu;
		} else {
			sp->lcp.mru = PP_MTU;
		}
		if (lcp_mru != sp->lcp.mru)
			SET(sp->lcp.opts, SPPP_LCP_OPT_MRU);

		/*
		 * With LCP open the MTU in use may not exceed the peer's
		 * MRU; the requested value is kept in pp_saved_mtu.
		 */
		if (sp->scp[IDX_LCP].state == STATE_OPENED &&
		    ifp->if_mtu > sp->lcp.their_mru) {
			sp->pp_saved_mtu = ifp->if_mtu;
			ifp->if_mtu = sp->lcp.their_mru;

			SPPP_DLOG(sp, "setting MTU "
			    "from %"PRIu64" bytes to %"PRIu64" bytes\n",
			    sp->pp_saved_mtu, ifp->if_mtu);
		}
		SPPP_UNLOCK(sp);
		break;

	case SIOCGIFMTU:
		if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET)
			error = 0;
		break;
	case SIOCADDMULTI:
	case SIOCDELMULTI:
		break;

	case SPPPSETAUTHCFG:
	case SPPPSETLCPCFG:
	case SPPPSETNCPCFG:
	case SPPPSETIDLETO:
	case SPPPSETAUTHFAILURE:
	case SPPPSETDNSOPTS:
	case SPPPSETKEEPALIVE:
#if defined(COMPAT_50) || defined(MODULAR)
	case __SPPPSETIDLETO50:
	case __SPPPSETKEEPALIVE50:
#endif /* COMPAT_50 || MODULAR */
		/* Changing link parameters is a privileged operation. */
		error = kauth_authorize_network(l->l_cred,
		    KAUTH_NETWORK_INTERFACE,
		    KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd,
		    NULL);
		if (error)
			break;
		error = sppp_params(sp, cmd, data);
		break;

	case SPPPGETAUTHCFG:
	case SPPPGETLCPCFG:
	case SPPPGETNCPCFG:
	case SPPPGETAUTHFAILURES:
		/* Reading this configuration is privileged as well. */
		error = kauth_authorize_network(l->l_cred,
		    KAUTH_NETWORK_INTERFACE,
		    KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd,
		    NULL);
		if (error)
			break;
		error = sppp_params(sp, cmd, data);
		break;

	case SPPPGETSTATUS:
	case SPPPGETSTATUSNCP:
	case SPPPGETIDLETO:
	case SPPPGETDNSOPTS:
	case SPPPGETDNSADDRS:
	case SPPPGETKEEPALIVE:
#if defined(COMPAT_50) || defined(MODULAR)
	case __SPPPGETIDLETO50:
	case __SPPPGETKEEPALIVE50:
#endif /* COMPAT_50 || MODULAR */
	case SPPPGETLCPSTATUS:
	case SPPPGETIPCPSTATUS:
	case SPPPGETIPV6CPSTATUS:
		/* No kauth check is made here for these requests. */
		error = sppp_params(sp, cmd, data);
		break;

	default:
		error = ifioctl_common(ifp, cmd, data);
		break;
	}
	return error;
}

/*
 * PPP protocol implementation.
 */

/*
 * Send PPP control protocol packet.
 *
 * Builds one packet in a single header mbuf: the PPP header (or only the
 * 2-byte protocol field when PP_DEVF_NOFRAMING is set), the LCP-style
 * header and up to len bytes copied from data.  len is clamped so that
 * everything fits into MHLEN.  The packet is put on the control protocol
 * queue and transmission is kicked unless the interface is IFF_OACTIVE.
 *
 * The writer lock must be held; it is dropped and re-taken around
 * if_start_lock().  Nothing is reported to the caller when the mbuf
 * allocation fails or the queue is full.
 */
static void
sppp_cp_send(struct sppp *sp, u_short proto, u_char type,
    u_char ident, u_short len, void *data)
{
	struct ifnet *ifp = &sp->pp_if;
	struct lcp_header *lh;
	struct mbuf *m;
	size_t pkthdrlen;

	KASSERT(SPPP_WLOCKED(sp));

	pkthdrlen = ISSET(sp->pp_dev_flags, PP_DEVF_NOFRAMING) ?
	    2 : PPP_HEADER_LEN;

	/* Never build more than one header mbuf can hold. */
	if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN)
		len = MHLEN - pkthdrlen - LCP_HEADER_LEN;
	MGETHDR(m, M_DONTWAIT, MT_DATA);
	if (m == NULL) {
		return;
	}
	m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len;
	m_reset_rcvif(m);

	if (ISSET(sp->pp_dev_flags, PP_DEVF_NOFRAMING)) {
		*mtod(m, uint16_t *) = htons(proto);
		lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2);
	} else {
		struct ppp_header *h;

		h = mtod(m, struct ppp_header *);
		h->address = PPP_ALLSTATIONS;	/* broadcast address */
		h->control = PPP_UI;		/* Unnumbered Info */
		h->protocol = htons(proto);	/* Link Control Protocol */
		lh = (struct lcp_header *)(h + 1);
	}
	lh->type = type;
	lh->ident = ident;
	lh->len = htons(LCP_HEADER_LEN + len);
	/* data is only read when there is a payload to copy. */
	if (len)
		memcpy(lh + 1, data, len);

	if (sppp_debug_enabled(sp)) {
		char pbuf[SPPP_PROTO_NAMELEN];
		char tbuf[SPPP_CPTYPE_NAMELEN];
		const char *pname, *cpname;

		pname = sppp_proto_name(pbuf, sizeof(pbuf), proto);
		cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), lh->type);
		SPPP_LOG(sp, LOG_DEBUG, "%s output <%s id=0x%x len=%d",
		    pname, cpname, lh->ident, ntohs(lh->len));
		if (len)
			sppp_print_bytes((u_char *)(lh + 1), len);
		addlog(">\n");
	}

	if (IF_QFULL(&sp->pp_cpq)) {
		/*
		 * NOTE(review): the drop is counted on pp_fastq and
		 * if_snd, not on pp_cpq -- confirm this is intended.
		 */
		IF_DROP(&sp->pp_fastq);
		IF_DROP(&ifp->if_snd);
		m_freem(m);
		return;
	}

	if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes);
	IF_ENQUEUE(&sp->pp_cpq, m);

	if ((ifp->if_flags & IFF_OACTIVE) == 0) {
		SPPP_UNLOCK(sp);
		if_start_lock(ifp);
		SPPP_LOCK(sp, RW_WRITER);
	}
}

/*
 * Callout trampolines, one per control protocol.  Each one only queues
 * the timeout work item of its protocol on the control-protocol
 * workqueue.
 */
static void
sppp_cp_to_lcp(void *xsp)
{
	struct sppp *const sp = xsp;

	sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_to);
}

static void
sppp_cp_to_ipcp(void *xsp)
{
	struct sppp *const sp = xsp;

	sppp_wq_add(sp->wq_cp, &sp->scp[IDX_IPCP].work_to);
}

static void
sppp_cp_to_ipv6cp(void *xsp)
{
	struct sppp *const sp = xsp;

	sppp_wq_add(sp->wq_cp, &sp->scp[IDX_IPV6CP].work_to);
}

static void
sppp_cp_to_pap(void *xsp)
{
	struct sppp *const sp = xsp;

	sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_to);
}

static void
sppp_cp_to_chap(void *xsp)
{
	struct sppp *const sp = xsp;

	sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_to);
}

/*
 * Set up the per-interface state of one control protocol: state
 * STATE_INITIAL, counters zeroed, every work item bound to its handler
 * with cp as argument, and the timeout callout bound to the trampoline
 * that belongs to cp->protoidx.
 */
static void
sppp_cp_init(const struct cp *cp, struct sppp *sp)
{
	typedef void (*sppp_co_cb_t)(void *);
	static const sppp_co_cb_t to_cb[IDX_COUNT] = {
		[IDX_LCP] = sppp_cp_to_lcp,
		[IDX_IPCP] = sppp_cp_to_ipcp,
		[IDX_IPV6CP] = sppp_cp_to_ipv6cp,
		[IDX_PAP] = sppp_cp_to_pap,
		[IDX_CHAP] = sppp_cp_to_chap,
	};
	struct sppp_cp *scp = &sp->scp[cp->protoidx];

	scp->state = STATE_INITIAL;
	scp->fail_counter = 0;
	scp->seq = 0;
	scp->rseq = 0;

	/* Events that come from the protocol's own handler table. */
	SPPP_WQ_SET(&scp->work_up, cp->Up, cp);
	SPPP_WQ_SET(&scp->work_down, cp->Down, cp);
	SPPP_WQ_SET(&scp->work_open, cp->Open, cp);
	SPPP_WQ_SET(&scp->work_close, cp->Close, cp);
	SPPP_WQ_SET(&scp->work_to, cp->TO, cp);

	/* Receive events share one handler each across all protocols. */
	SPPP_WQ_SET(&scp->work_rcr, sppp_rcr_event, cp);
	SPPP_WQ_SET(&scp->work_rca, sppp_rca_event, cp);
	SPPP_WQ_SET(&scp->work_rcn, sppp_rcn_event, cp);
	SPPP_WQ_SET(&scp->work_rtr, sppp_rtr_event, cp);
	SPPP_WQ_SET(&scp->work_rta, sppp_rta_event, cp);
	SPPP_WQ_SET(&scp->work_rxj, sppp_rxj_event, cp);

	callout_init(&scp->ch, CALLOUT_MPSAFE);
	callout_setfunc(&scp->ch, to_cb[cp->protoidx], sp);
}

/*
 * Tear down the per-interface state of one control protocol: wait for
 * each of its work items, halt and destroy the timeout callout, and free
 * the saved Configure-Request and Configure-Nak/Reject mbufs.
 */
static void
sppp_cp_fini(const struct cp *cp, struct sppp *sp)
{
	struct sppp_cp *scp = &sp->scp[cp->protoidx];

	sppp_wq_wait(sp->wq_cp, &scp->work_up);
	sppp_wq_wait(sp->wq_cp, &scp->work_down);
	sppp_wq_wait(sp->wq_cp, &scp->work_open);
	sppp_wq_wait(sp->wq_cp, &scp->work_close);
	sppp_wq_wait(sp->wq_cp, &scp->work_to);
	sppp_wq_wait(sp->wq_cp, &scp->work_rcr);
	sppp_wq_wait(sp->wq_cp, &scp->work_rca);
	sppp_wq_wait(sp->wq_cp, &scp->work_rcn);
	sppp_wq_wait(sp->wq_cp, &scp->work_rtr);
	sppp_wq_wait(sp->wq_cp, &scp->work_rta);
	sppp_wq_wait(sp->wq_cp, &scp->work_rxj);

	callout_halt(&scp->ch, NULL);
	callout_destroy(&scp->ch);

	/* Clear the pointers so the freed mbufs cannot be reused. */
	m_freem(scp->mbuf_confreq);
	scp->mbuf_confreq = NULL;
	m_freem(scp->mbuf_confnak);
	scp->mbuf_confnak = NULL;
}

/*
 * Handle incoming PPP control protocol packets.
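*/
/*
 * Validates the header of one received control-protocol packet, then
 * either queues the matching event on the control-protocol workqueue or
 * answers directly (echo reply, code reject).  Configure-Request and
 * Configure-Nak/Reject packets are kept in scp for the work handler;
 * every other mbuf is freed before returning.  The writer lock must be
 * held.
 *
 * The length used below is the smaller of the mbuf packet length and the
 * length field in the packet header, which the peer controls, so every
 * case checks it before reading past the 4-byte header.
 *
 * NOTE(review): all accesses go through mtod() on the first mbuf; this
 * presumably relies on the caller delivering the data contiguously --
 * confirm against the input path.
 */
static void
sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m)
{
	const bool debug = sppp_debug_enabled(sp);
	struct ifnet *ifp = &sp->pp_if;
	struct sppp_cp *scp = &sp->scp[cp->protoidx];
	struct lcp_header *h;
	int printlen, len = m->m_pkthdr.len;
	u_char *p;
	uint32_t u32;
	char tbuf[SPPP_CPTYPE_NAMELEN];
	const char *cpname;

	KASSERT(SPPP_WLOCKED(sp));

	if (len < 4) {
		SPPP_DLOG(sp, "%s invalid packet length: %d bytes\n",
		    cp->name, len);
		goto out;
	}
	h = mtod(m, struct lcp_header *);
	if (debug) {
		printlen = ntohs(h->len);
		cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), h->type);
		SPPP_LOG(sp, LOG_DEBUG, "%s input(%s): <%s id=0x%x len=%d",
		    cp->name, sppp_state_name(scp->state),
		    cpname, h->ident, printlen);
		/* Never dump more than was actually received. */
		if (len < printlen)
			printlen = len;
		if (printlen > 4)
			sppp_print_bytes((u_char *)(h + 1), printlen - 4);
		addlog(">\n");
	}
	/* Ignore anything after the length the header announces. */
	if (len > ntohs(h->len))
		len = ntohs(h->len);
	p = (u_char *)(h + 1);
	switch (h->type) {
	case CONF_REQ:
		if (len < 4) {
			SPPP_DLOG(sp, "%s invalid conf-req length %d\n",
			    cp->name, len);
			if_statinc(ifp, if_ierrors);
			break;
		}

		/* Keep the packet for the RCR handler; it owns m now. */
		scp->rcr_type = CP_RCR_NONE;
		scp->rconfid = h->ident;
		m_freem(scp->mbuf_confreq);
		scp->mbuf_confreq = m;
		m = NULL;
		sppp_wq_add(sp->wq_cp, &scp->work_rcr);
		break;
	case CONF_ACK:
		if (h->ident != scp->confid) {
			SPPP_DLOG(sp, "%s id mismatch 0x%x != 0x%x\n",
			    cp->name, h->ident, scp->confid);
			if_statinc(ifp, if_ierrors);
			break;
		}
		sppp_wq_add(sp->wq_cp, &scp->work_rca);
		break;
	case CONF_NAK:
	case CONF_REJ:
		if (h->ident != scp->confid) {
			SPPP_DLOG(sp, "%s id mismatch 0x%x != 0x%x\n",
			    cp->name, h->ident, scp->confid);
			if_statinc(ifp, if_ierrors);
			break;
		}

		/* Keep the packet for the RCN handler; it owns m now. */
		m_freem(scp->mbuf_confnak);
		scp->mbuf_confnak = m;
		m = NULL;
		sppp_wq_add(sp->wq_cp, &scp->work_rcn);
		break;
	case TERM_REQ:
		scp->rseq = h->ident;
		sppp_wq_add(sp->wq_cp, &scp->work_rtr);
		break;
	case TERM_ACK:
		if (h->ident != scp->confid &&
		    h->ident != scp->seq) {
			SPPP_DLOG(sp, "%s id mismatch "
			    "0x%x != 0x%x and 0x%x != %0lx\n",
			    cp->name, h->ident, scp->confid,
			    h->ident, scp->seq);
			if_statinc(ifp, if_ierrors);
			break;
		}

		sppp_wq_add(sp->wq_cp, &scp->work_rta);
		break;
	case CODE_REJ:
		/* XXX catastrophic rejects (RXJ-) aren't handled yet. */
		cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), h->type);
		SPPP_LOG(sp, LOG_INFO, "%s: ignoring RXJ (%s) for code ?, "
		    "danger will robinson\n", cp->name, cpname);
		sppp_wq_add(sp->wq_cp, &scp->work_rxj);
		break;
	case PROTO_REJ:
	    {
		int catastrophic;
		const struct cp *upper;
		int i;
		uint16_t proto;

		/*
		 * The rejected protocol number is the two bytes right
		 * after the header.  Do not read it from a packet that
		 * is too short to carry it.
		 */
		if (len < 6) {
			SPPP_DLOG(sp, "%s invalid proto-rej length %d\n",
			    cp->name, len);
			if_statinc(ifp, if_ierrors);
			break;
		}

		catastrophic = 0;
		upper = NULL;
		proto = p[0] << 8 | p[1];
		for (i = 0; i < IDX_COUNT; i++) {
			if (cps[i]->proto == proto) {
				upper = cps[i];
				break;
			}
		}
		/* A reject for a protocol we do not run is an RXJ-. */
		if (upper == NULL)
			catastrophic++;

		if (debug) {
			cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), h->type);
			SPPP_LOG(sp, LOG_INFO,
			    "%s: RXJ%c (%s) for proto 0x%x (%s/%s)\n",
			    cp->name, catastrophic ? '-' : '+',
			    cpname, proto, upper ? upper->name : "unknown",
			    upper ? sppp_state_name(sp->scp[upper->protoidx].state) : "?");
		}

		/*
		 * if we got RXJ+ against conf-req, the peer does not implement
		 * this particular protocol type.  terminate the protocol.
		 */
		if (upper && !catastrophic) {
			if (sp->scp[upper->protoidx].state == STATE_REQ_SENT) {
				sppp_wq_add(sp->wq_cp,
				    &sp->scp[upper->protoidx].work_close);
				break;
			}
		}
		sppp_wq_add(sp->wq_cp, &scp->work_rxj);
		break;
	    }
	case DISC_REQ:
		if (cp->proto != PPP_LCP)
			goto illegal;
		/* Discard the packet. */
		break;
	case ECHO_REQ:
		if (cp->proto != PPP_LCP)
			goto illegal;
		if (scp->state != STATE_OPENED) {
			SPPP_DLOG(sp, "lcp echo req but lcp closed\n");
			if_statinc(ifp, if_ierrors);
			break;
		}
		/* Header plus the 4-byte magic number. */
		if (len < 8) {
			SPPP_DLOG(sp, "invalid lcp echo request "
			    "packet length: %d bytes\n", len);
			break;
		}
		memcpy(&u32, h + 1, sizeof u32);
		if (ntohl(u32) == sp->lcp.magic) {
			/* Line loopback mode detected. */
			SPPP_DLOG(sp, "loopback\n");

			/* Shut down the PPP link. */
			if (sp->pp_flags & PP_IFDOWN)
				sppp_wq_add(sp->wq_cp, &sp->work_ifdown);

			/* Reset the PPP link. */
			sppp_wq_add(sp->wq_cp,
			    &sp->scp[IDX_LCP].work_close);
			sppp_wq_add(sp->wq_cp,
			    &sp->scp[IDX_LCP].work_open);
			break;
		}
		/* Answer with our own magic number in place of the peer's. */
		u32 = htonl(sp->lcp.magic);
		memcpy(h + 1, &u32, sizeof u32);
		SPPP_DLOG(sp, "got lcp echo req, sending echo rep\n");
		sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4,
		    h + 1);
		break;
	case ECHO_REPLY:
		if (cp->proto != PPP_LCP)
			goto illegal;
		if (h->ident != sp->lcp.echoid) {
			if_statinc(ifp, if_ierrors);
			break;
		}
		if (len < 8) {
			SPPP_DLOG(sp, "lcp invalid echo reply "
			    "packet length: %d bytes\n", len);
			break;
		}
		SPPP_DLOG(sp, "lcp got echo rep\n");
		memcpy(&u32, h + 1, sizeof u32);
		/* A reply carrying our own magic does not count as alive. */
		if (ntohl(u32) != sp->lcp.magic)
			sp->pp_alivecnt = 0;
		break;
	default:
		/* Unknown packet type -- send Code-Reject packet. */
	  illegal:
		SPPP_DLOG(sp, "%s send code-rej for 0x%x\n",
		    cp->name, h->type);
		/*
		 * The rejected packet is passed with its full mbuf packet
		 * length; sppp_cp_send() clamps what it copies.
		 */
		sppp_cp_send(sp, cp->proto, CODE_REJ,
		    ++scp->seq, m->m_pkthdr.len, h);
		if_statinc(ifp, if_ierrors);
	}

  out:
	m_freem(m);
}

/*
 * The generic part of all Up/Down/Open/Close/TO event handlers.
 * Basically, the state transition handling in the automaton.
 *
 * Each handler takes the control protocol as xcp, requires the writer
 * lock and must not run in soft interrupt context.  The Up, Down, Open
 * and Close handlers do nothing for an authentication protocol that has
 * no role on this link.
 */

/* Up event: the layer below is ready to carry this protocol. */
static void
sppp_up_event(struct sppp *sp, void *xcp)
{
	const struct cp *cp = xcp;

	KASSERT(SPPP_WLOCKED(sp));
	KASSERT(!cpu_softintr_p());

	if ((cp->flags & CP_AUTH) != 0 &&
	    sppp_auth_role(cp, sp) == SPPP_AUTH_NOROLE)
		return;

	SPPP_DLOG(sp, "%s up(%s)\n", cp->name,
	    sppp_state_name(sp->scp[cp->protoidx].state));

	switch (sp->scp[cp->protoidx].state) {
	case STATE_INITIAL:
		sppp_cp_change_state(cp, sp, STATE_CLOSED);
		break;
	case STATE_STARTING:
		/* An open was already requested: start negotiating. */
		sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure;
		(cp->scr)(sp);
		sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
		break;
	default:
		SPPP_LOG(sp, LOG_DEBUG,
		    "%s illegal up in state %s\n", cp->name,
		    sppp_state_name(sp->scp[cp->protoidx].state));
	}
}

/* Down event: the layer below can no longer carry this protocol. */
static void
sppp_down_event(struct sppp *sp, void *xcp)
{
	const struct cp *cp = xcp;

	KASSERT(SPPP_WLOCKED(sp));
	KASSERT(!cpu_softintr_p());

	if ((cp->flags & CP_AUTH) != 0 &&
	    sppp_auth_role(cp, sp) == SPPP_AUTH_NOROLE)
		return;

	SPPP_DLOG(sp, "%s down(%s)\n", cp->name,
	    sppp_state_name(sp->scp[cp->protoidx].state));

	switch (sp->scp[cp->protoidx].state) {
	case STATE_CLOSED:
	case STATE_CLOSING:
		sppp_cp_change_state(cp, sp, STATE_INITIAL);
		break;
	case STATE_STOPPED:
		(cp->tls)(cp, sp);
		/* fall through */
	case STATE_STOPPING:
	case STATE_REQ_SENT:
	case STATE_ACK_RCVD:
	case STATE_ACK_SENT:
		sppp_cp_change_state(cp, sp, STATE_STARTING);
		break;
	case STATE_OPENED:
		(cp->tld)(sp);
		sppp_cp_change_state(cp, sp, STATE_STARTING);
		break;
	default:
		/*
		 * a down event may be caused regardless
		 * of state just in LCP case.
		 */
		if (cp->proto == PPP_LCP)
			break;

		SPPP_LOG(sp, LOG_DEBUG,
		    "%s illegal down in state %s\n", cp->name,
		    sppp_state_name(sp->scp[cp->protoidx].state));
	}
}

/* Open event: the protocol is administratively allowed to come up. */
static void
sppp_open_event(struct sppp *sp, void *xcp)
{
	const struct cp *cp = xcp;

	KASSERT(SPPP_WLOCKED(sp));
	KASSERT(!cpu_softintr_p());

	if ((cp->flags & CP_AUTH) != 0 &&
	    sppp_auth_role(cp, sp) == SPPP_AUTH_NOROLE)
		return;

	SPPP_DLOG(sp, "%s open(%s)\n", cp->name,
	    sppp_state_name(sp->scp[cp->protoidx].state));

	switch (sp->scp[cp->protoidx].state) {
	case STATE_INITIAL:
		sppp_cp_change_state(cp, sp, STATE_STARTING);
		(cp->tls)(cp, sp);
		break;
	case STATE_STARTING:
		break;
	case STATE_CLOSED:
		sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure;
		/* Record this protocol in the lcp.protos bit mask. */
		sp->lcp.protos |= (1 << cp->protoidx);
		(cp->scr)(sp);
		sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
		break;
	case STATE_STOPPED:
	case STATE_STOPPING:
	case STATE_REQ_SENT:
	case STATE_ACK_RCVD:
	case STATE_ACK_SENT:
	case STATE_OPENED:
		break;
	case STATE_CLOSING:
		sppp_cp_change_state(cp, sp, STATE_STOPPING);
		break;
	}
}

/*
 * Close event: the protocol is to be shut down.  A Terminate-Request is
 * sent only for protocols that are not authentication protocols.
 */
static void
sppp_close_event(struct sppp *sp, void *xcp)
{
	const struct cp *cp = xcp;

	KASSERT(SPPP_WLOCKED(sp));
	KASSERT(!cpu_softintr_p());

	if ((cp->flags & CP_AUTH) != 0 &&
	    sppp_auth_role(cp, sp) == SPPP_AUTH_NOROLE)
		return;

	SPPP_DLOG(sp, "%s close(%s)\n", cp->name,
	    sppp_state_name(sp->scp[cp->protoidx].state));

	switch (sp->scp[cp->protoidx].state) {
	case STATE_INITIAL:
	case STATE_CLOSED:
	case STATE_CLOSING:
		break;
	case STATE_STARTING:
		sppp_cp_change_state(cp, sp, STATE_INITIAL);
		(cp->tlf)(cp, sp);
		break;
	case STATE_STOPPED:
		sppp_cp_change_state(cp, sp, STATE_CLOSED);
		break;
	case STATE_STOPPING:
		sppp_cp_change_state(cp, sp, STATE_CLOSING);
		break;
	case STATE_OPENED:
		(cp->tld)(sp);
		/* fall through */
	case STATE_REQ_SENT:
	case STATE_ACK_RCVD:
	case STATE_ACK_SENT:
		sp->scp[cp->protoidx].rst_counter = sp->lcp.max_terminate;
		if ((cp->flags & CP_AUTH) == 0) {
			sppp_cp_send(sp, cp->proto, TERM_REQ,
			    ++sp->scp[cp->protoidx].seq, 0, 0);
		}
		sppp_cp_change_state(cp, sp, STATE_CLOSING);
		break;
	}
}

/*
 * Timeout event.  The restart counter is decremented first: once it has
 * dropped below zero this is a TO- event and the protocol gives up,
 * otherwise it is a TO+ event and the pending request is sent again.
 */
static void
sppp_to_event(struct sppp *sp, void *xcp)
{
	const struct cp *cp = xcp;

	KASSERT(SPPP_WLOCKED(sp));
	KASSERT(!cpu_softintr_p());

	SPPP_DLOG(sp, "%s TO(%s) rst_counter = %d\n", cp->name,
	    sppp_state_name(sp->scp[cp->protoidx].state),
	    sp->scp[cp->protoidx].rst_counter);

	if (--sp->scp[cp->protoidx].rst_counter < 0) {
		/* TO- event */
		switch (sp->scp[cp->protoidx].state) {
		case STATE_CLOSING:
			sppp_cp_change_state(cp, sp, STATE_CLOSED);
			(cp->tlf)(cp, sp);
			break;
		case STATE_STOPPING:
			sppp_cp_change_state(cp, sp, STATE_STOPPED);
			(cp->tlf)(cp, sp);
			break;
		case STATE_REQ_SENT:
		case STATE_ACK_RCVD:
		case STATE_ACK_SENT:
			sppp_cp_change_state(cp, sp, STATE_STOPPED);
			(cp->tlf)(cp, sp);
			break;
		}
	} else {
		/* TO+ event */
		switch (sp->scp[cp->protoidx].state) {
		case STATE_CLOSING:
		case STATE_STOPPING:
			if ((cp->flags & CP_AUTH) == 0) {
				sppp_cp_send(sp, cp->proto, TERM_REQ,
				    ++sp->scp[cp->protoidx].seq, 0, 0);
			}
			callout_schedule(&sp->scp[cp->protoidx].ch, sp->lcp.timeout);
			break;
		case STATE_REQ_SENT:
		case STATE_ACK_RCVD:
			(cp->scr)(sp);
			/* sppp_cp_change_state() will restart the timer */
			sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
			break;
		case STATE_ACK_SENT:
			(cp->scr)(sp);
			callout_schedule(&sp->scp[cp->protoidx].ch, sp->lcp.timeout);
			break;
		}
	}
}

/*
 * Apply the result of parsing a Configure-Request to the automaton.
 *
 * type says how the request was judged: CP_RCR_ACK is an RCR+ event and
 * is answered with Configure-Ack, CP_RCR_NAK and CP_RCR_REJ are RCR-
 * events answered with Configure-Nak or Configure-Reject, and CP_RCR_ERR
 * (parse error) restarts LCP by queuing a close followed by an open.
 * ident, msglen and msg are handed to cp->screply() for the answer.
 */
static void
sppp_rcr_update_state(const struct cp *cp, struct sppp *sp,
    enum cp_rcr_type type, uint8_t ident, size_t msglen, void *msg)
{
	struct ifnet *ifp = &sp->pp_if;
	u_char ctype;

	if (type == CP_RCR_ERR) {
		/* parse error, shut down */
		sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close);
		sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open);
	} else if (type == CP_RCR_ACK) {
		/* RCR+ event */
		ctype = CONF_ACK;
		switch (sp->scp[cp->protoidx].state) {
		case STATE_OPENED:
			sppp_cp_change_state(cp, sp, STATE_ACK_SENT);
			cp->tld(sp);
			cp->scr(sp);
			cp->screply(cp, sp, ctype, ident, msglen, msg);
			break;
		case STATE_REQ_SENT:
			sppp_cp_change_state(cp, sp, STATE_ACK_SENT);
			/* fall through */
		case STATE_ACK_SENT:
			cp->screply(cp, sp, ctype, ident, msglen, msg);
			break;
		case STATE_STOPPED:
			sppp_cp_change_state(cp, sp, STATE_ACK_SENT);
			cp->scr(sp);
			cp->screply(cp, sp, ctype, ident, msglen, msg);
			break;
		case STATE_ACK_RCVD:
			/* Both sides have agreed: the layer is up. */
			sppp_cp_change_state(cp, sp, STATE_OPENED);
			SPPP_DLOG(sp, "%s tlu\n", cp->name);
			cp->tlu(sp);
			cp->screply(cp, sp, ctype, ident, msglen, msg);
			break;
		case STATE_CLOSING:
		case STATE_STOPPING:
			break;
		case STATE_CLOSED:
			if ((cp->flags & CP_AUTH) == 0) {
				sppp_cp_send(sp, cp->proto, TERM_ACK,
				    ident, 0, 0);
			}
			break;
		default:
			SPPP_LOG(sp, LOG_DEBUG,
			    "%s illegal RCR+ in state %s\n", cp->name,
			    sppp_state_name(sp->scp[cp->protoidx].state));
			if_statinc(ifp, if_ierrors);
		}
	} else if (type == CP_RCR_NAK || type == CP_RCR_REJ) {
		ctype = type == CP_RCR_NAK ? CONF_NAK : CONF_REJ;
		/* RCR- event */
		switch (sp->scp[cp->protoidx].state) {
		case STATE_OPENED:
			sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
			cp->tld(sp);
			cp->scr(sp);
			cp->screply(cp, sp, ctype, ident, msglen, msg);
			break;
		case STATE_ACK_SENT:
			sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
			/* fall through */
		case STATE_REQ_SENT:
			cp->screply(cp, sp, ctype, ident, msglen, msg);
			break;
		case STATE_STOPPED:
			sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
			cp->scr(sp);
			cp->screply(cp, sp, ctype, ident, msglen, msg);
			break;
		case STATE_ACK_RCVD:
			sppp_cp_change_state(cp, sp, STATE_ACK_RCVD);
			cp->screply(cp, sp, ctype, ident, msglen, msg);
			break;
		case STATE_CLOSING:
		case STATE_STOPPING:
			break;
		case STATE_CLOSED:
			sppp_cp_change_state(cp, sp, STATE_CLOSED);
			if ((cp->flags & CP_AUTH) == 0) {
				sppp_cp_send(sp, cp->proto, TERM_ACK,
				    ident, 0, 0);
			}
			break;
		default:
			SPPP_LOG(sp, LOG_DEBUG,
			    "%s illegal RCR- in state %s\n", cp->name,
			    sppp_state_name(sp->scp[cp->protoidx].state));
			if_statinc(ifp, if_ierrors);
		}
	}
}

static void
sppp_rcr_event(struct sppp *sp, void *xcp)
{
	const struct cp *cp = xcp;
	struct sppp_cp *scp;
	struct lcp_header *h;
	struct mbuf *m;
	enum cp_rcr_type type;
	size_t len;
	uint8_t *buf;
	size_t blen, rlen;
	uint8_t ident;

	KASSERT(!cpu_softintr_p());

	scp = &sp->scp[cp->protoidx];

	if (cp->parse_confreq != NULL) {
		m = scp->mbuf_confreq;
		if (m == NULL)
			return;
		scp->mbuf_confreq = NULL;

		h = mtod(m, struct lcp_header *);
		if (h->type != CONF_REQ) {
			m_freem(m);
			return;
		}

		ident = h->ident;
		len = MIN(m->m_pkthdr.len, ntohs(h->len));

		type = (cp->parse_confreq)(sp, h, len,
		    &buf, &blen, &rlen);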
2206 m_freem(m); 2207 } else { 2208 /* mbuf_cofreq is already parsed and freed */ 2209 type = scp->rcr_type; 2210 ident = scp->rconfid; 2211 buf = NULL; 2212 blen = rlen = 0; 2213 } 2214 2215 sppp_rcr_update_state(cp, sp, type, ident, rlen, (void *)buf); 2216 2217 if (buf != NULL) 2218 kmem_free(buf, blen); 2219 } 2220 2221 static void 2222 sppp_rca_event(struct sppp *sp, void *xcp) 2223 { 2224 struct ifnet *ifp = &sp->pp_if; 2225 const struct cp *cp = xcp; 2226 2227 KASSERT(!cpu_softintr_p()); 2228 2229 switch (sp->scp[cp->protoidx].state) { 2230 case STATE_CLOSED: 2231 case STATE_STOPPED: 2232 if ((cp->flags & CP_AUTH) == 0) { 2233 sppp_cp_send(sp, cp->proto, TERM_ACK, 2234 sp->scp[cp->protoidx].rconfid, 0, 0); 2235 } 2236 break; 2237 case STATE_CLOSING: 2238 case STATE_STOPPING: 2239 break; 2240 case STATE_REQ_SENT: 2241 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure; 2242 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 2243 break; 2244 case STATE_OPENED: 2245 (cp->tld)(sp); 2246 /* fall through */ 2247 case STATE_ACK_RCVD: 2248 (cp->scr)(sp); 2249 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2250 break; 2251 case STATE_ACK_SENT: 2252 sppp_cp_change_state(cp, sp, STATE_OPENED); 2253 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure; 2254 SPPP_DLOG(sp, "%s tlu\n", cp->name); 2255 (cp->tlu)(sp); 2256 break; 2257 default: 2258 SPPP_LOG(sp, LOG_DEBUG, 2259 "%s illegal RCA in state %s\n", cp->name, 2260 sppp_state_name(sp->scp[cp->protoidx].state)); 2261 if_statinc(ifp, if_ierrors); 2262 } 2263 } 2264 2265 static void 2266 sppp_rcn_event(struct sppp *sp, void *xcp) 2267 { 2268 const struct cp *cp = xcp; 2269 struct sppp_cp *scp; 2270 struct lcp_header *h; 2271 struct mbuf *m; 2272 struct ifnet *ifp = &sp->pp_if; 2273 size_t len; 2274 2275 KASSERT(!cpu_softintr_p()); 2276 2277 scp = &sp->scp[cp->protoidx]; 2278 m = scp->mbuf_confnak; 2279 if (m == NULL) 2280 return; 2281 scp->mbuf_confnak = NULL; 2282 2283 h = mtod(m, struct lcp_header *); 2284 len = 
MIN(m->m_pkthdr.len, ntohs(h->len)); 2285 2286 switch (h->type) { 2287 case CONF_NAK: 2288 (cp->parse_confnak)(sp, h, len); 2289 break; 2290 case CONF_REJ: 2291 (cp->parse_confrej)(sp, h, len); 2292 break; 2293 default: 2294 m_freem(m); 2295 return; 2296 } 2297 2298 m_freem(m); 2299 2300 switch (scp->state) { 2301 case STATE_CLOSED: 2302 case STATE_STOPPED: 2303 if ((cp->flags & CP_AUTH) == 0) { 2304 sppp_cp_send(sp, cp->proto, TERM_ACK, 2305 scp->rconfid, 0, 0); 2306 } 2307 break; 2308 case STATE_REQ_SENT: 2309 case STATE_ACK_SENT: 2310 scp->rst_counter = sp->lcp.max_configure; 2311 (cp->scr)(sp); 2312 break; 2313 case STATE_OPENED: 2314 (cp->tld)(sp); 2315 /* fall through */ 2316 case STATE_ACK_RCVD: 2317 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 2318 (cp->scr)(sp); 2319 break; 2320 case STATE_CLOSING: 2321 case STATE_STOPPING: 2322 break; 2323 default: 2324 SPPP_LOG(sp, LOG_DEBUG, "%s illegal RCN in state %s\n", 2325 cp->name, sppp_state_name(scp->state)); 2326 if_statinc(ifp, if_ierrors); 2327 } 2328 } 2329 2330 static void 2331 sppp_rtr_event(struct sppp *sp, void *xcp) 2332 { 2333 struct ifnet *ifp = &sp->pp_if; 2334 const struct cp *cp = xcp; 2335 2336 KASSERT(!cpu_softintr_p()); 2337 2338 switch (sp->scp[cp->protoidx].state) { 2339 case STATE_ACK_RCVD: 2340 case STATE_ACK_SENT: 2341 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2342 break; 2343 case STATE_CLOSED: 2344 case STATE_STOPPED: 2345 case STATE_CLOSING: 2346 case STATE_STOPPING: 2347 case STATE_REQ_SENT: 2348 break; 2349 case STATE_OPENED: 2350 (cp->tld)(sp); 2351 sp->scp[cp->protoidx].rst_counter = 0; 2352 sppp_cp_change_state(cp, sp, STATE_STOPPING); 2353 break; 2354 default: 2355 SPPP_LOG(sp, LOG_DEBUG, "%s illegal RTR in state %s\n", 2356 cp->name, 2357 sppp_state_name(sp->scp[cp->protoidx].state)); 2358 if_statinc(ifp, if_ierrors); 2359 return; 2360 } 2361 2362 /* Send Terminate-Ack packet. 
*/ 2363 SPPP_DLOG(sp, "%s send terminate-ack\n", cp->name); 2364 if ((cp->flags & CP_AUTH) == 0) { 2365 sppp_cp_send(sp, cp->proto, TERM_ACK, 2366 sp->scp[cp->protoidx].rseq, 0, 0); 2367 } 2368 } 2369 2370 static void 2371 sppp_rta_event(struct sppp *sp, void *xcp) 2372 { 2373 const struct cp *cp = xcp; 2374 struct ifnet *ifp = &sp->pp_if; 2375 2376 KASSERT(!cpu_softintr_p()); 2377 2378 switch (sp->scp[cp->protoidx].state) { 2379 case STATE_CLOSED: 2380 case STATE_STOPPED: 2381 case STATE_REQ_SENT: 2382 case STATE_ACK_SENT: 2383 break; 2384 case STATE_CLOSING: 2385 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2386 (cp->tlf)(cp, sp); 2387 break; 2388 case STATE_STOPPING: 2389 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2390 (cp->tlf)(cp, sp); 2391 break; 2392 case STATE_ACK_RCVD: 2393 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2394 break; 2395 case STATE_OPENED: 2396 (cp->tld)(sp); 2397 (cp->scr)(sp); 2398 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 2399 break; 2400 default: 2401 SPPP_LOG(sp, LOG_DEBUG, "%s illegal RTA in state %s\n", 2402 cp->name, sppp_state_name(sp->scp[cp->protoidx].state)); 2403 if_statinc(ifp, if_ierrors); 2404 } 2405 } 2406 2407 static void 2408 sppp_rxj_event(struct sppp *sp, void *xcp) 2409 { 2410 const struct cp *cp = xcp; 2411 struct ifnet *ifp = &sp->pp_if; 2412 2413 KASSERT(!cpu_softintr_p()); 2414 2415 /* XXX catastrophic rejects (RXJ-) aren't handled yet. 
*/ 2416 switch (sp->scp[cp->protoidx].state) { 2417 case STATE_CLOSED: 2418 case STATE_STOPPED: 2419 case STATE_REQ_SENT: 2420 case STATE_ACK_SENT: 2421 case STATE_CLOSING: 2422 case STATE_STOPPING: 2423 case STATE_OPENED: 2424 break; 2425 case STATE_ACK_RCVD: 2426 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2427 break; 2428 default: 2429 SPPP_LOG(sp, LOG_DEBUG, "%s illegal RXJ- in state %s\n", 2430 cp->name, sppp_state_name(sp->scp[cp->protoidx].state)); 2431 if_statinc(ifp, if_ierrors); 2432 } 2433 } 2434 2435 /* 2436 * Change the state of a control protocol in the state automaton. 2437 * Takes care of starting/stopping the restart timer. 2438 */ 2439 void 2440 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2441 { 2442 2443 KASSERT(SPPP_WLOCKED(sp)); 2444 2445 sp->scp[cp->protoidx].state = newstate; 2446 callout_stop(&sp->scp[cp->protoidx].ch); 2447 switch (newstate) { 2448 case STATE_INITIAL: 2449 case STATE_STARTING: 2450 case STATE_CLOSED: 2451 case STATE_STOPPED: 2452 case STATE_OPENED: 2453 break; 2454 case STATE_CLOSING: 2455 case STATE_STOPPING: 2456 case STATE_REQ_SENT: 2457 case STATE_ACK_RCVD: 2458 case STATE_ACK_SENT: 2459 callout_schedule(&sp->scp[cp->protoidx].ch, sp->lcp.timeout); 2460 break; 2461 } 2462 } 2463 2464 /* 2465 *--------------------------------------------------------------------------* 2466 * * 2467 * The LCP implementation. * 2468 * * 2469 *--------------------------------------------------------------------------* 2470 */ 2471 static void 2472 sppp_lcp_init(struct sppp *sp) 2473 { 2474 2475 KASSERT(SPPP_WLOCKED(sp)); 2476 2477 sppp_cp_init(&lcp, sp); 2478 2479 SET(sp->lcp.opts, SPPP_LCP_OPT_MAGIC); 2480 sp->lcp.magic = 0; 2481 sp->lcp.protos = 0; 2482 sp->lcp.max_terminate = 2; 2483 sp->lcp.max_configure = 10; 2484 sp->lcp.max_failure = 10; 2485 sp->lcp.lower_running = false; 2486 2487 /* 2488 * Initialize counters and timeout values. 
Note that we don't 2489 * use the 3 seconds suggested in RFC 1661 since we are likely 2490 * running on a fast link. XXX We should probably implement 2491 * the exponential backoff option. Note that these values are 2492 * relevant for all control protocols, not just LCP only. 2493 */ 2494 sp->lcp.timeout = 1 * hz; 2495 } 2496 2497 static void 2498 sppp_lcp_up(struct sppp *sp, void *xcp) 2499 { 2500 2501 KASSERT(SPPP_WLOCKED(sp)); 2502 2503 /* Initialize activity timestamp: opening a connection is an activity */ 2504 atomic_store_relaxed(&sp->pp_last_receive, time_uptime32); 2505 atomic_store_relaxed(&sp->pp_last_activity, time_uptime32); 2506 2507 sppp_up_event(sp, xcp); 2508 } 2509 2510 static void 2511 sppp_lcp_down(struct sppp *sp, void *xcp) 2512 { 2513 const struct cp *cp = xcp; 2514 int pidx = cp->protoidx; 2515 2516 KASSERT(SPPP_WLOCKED(sp)); 2517 KASSERT(!cpu_softintr_p()); 2518 2519 sppp_down_event(sp, xcp); 2520 2521 switch (sp->scp[pidx].state) { 2522 case STATE_STARTING: 2523 /* 2524 * Req-Sent/Ack-Sent/Ack-Rcvd -> Starting: 2525 * This transition requires an extra TLS action. 2526 * * sequence of events/actions: 2527 * 1. Closing -> Closed : Triggers TLF action. 2528 * 2. Closed -> Req-Sent : Occurs on Open event. 2529 * 3. Req-Sent -> Ack-Sent...: (Optional state progression) 2530 * 4. Req-Sent/Ack-Sent/Ack-Rcvd -> Starting: 2531 * - Triggered by a Down event caused by the previous TLF action. 2532 * - This specific transition does NOT trigger another TLS action. 2533 */ 2534 cp->tls(cp, sp); 2535 break; 2536 case STATE_INITIAL: 2537 /* 2538 * Closing -> Initial: 2539 * A Down event in the Closing state triggers a transition to 2540 * Initial state without a TLF action. Since the lower layer 2541 * will attempt to reconnect, we explicitly stop it here. 
2542 */ 2543 cp->tlf(cp, sp); 2544 break; 2545 } 2546 2547 SPPP_DLOG(sp, "Down event (carrier loss)\n"); 2548 2549 sp->scp[pidx].fail_counter = 0; 2550 } 2551 2552 static void 2553 sppp_lcp_open(struct sppp *sp, void *xcp) 2554 { 2555 2556 KASSERT(SPPP_WLOCKED(sp)); 2557 KASSERT(!cpu_softintr_p()); 2558 2559 sp->scp[IDX_LCP].fail_counter = 0; 2560 2561 if (sp->pp_if.if_mtu < PP_MTU) { 2562 sp->lcp.mru = sp->pp_if.if_mtu; 2563 SET(sp->lcp.opts, SPPP_LCP_OPT_MRU); 2564 } else { 2565 sp->lcp.mru = PP_MTU; 2566 } 2567 sp->lcp.their_mru = PP_MTU; 2568 2569 /* 2570 * If we are authenticator, negotiate LCP_AUTH 2571 */ 2572 if (sp->hisauth.proto != PPP_NOPROTO) 2573 SET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO); 2574 else 2575 CLR(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO); 2576 sp->pp_flags &= ~PP_NEEDAUTH; 2577 sppp_open_event(sp, xcp); 2578 } 2579 2580 /* 2581 * Analyze a configure request. Return true if it was agreeable, and 2582 * caused action sca, false if it has been rejected or nak'ed, and 2583 * caused action scn. (The return value is used to make the state 2584 * transition decision in the state automaton.) 
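 */
/*
 * Contract as visible in this file:
 *  - h points at the LCP header and origlen is the header plus the
 *    option list; sppp_rcr_event() passes
 *    MIN(m->m_pkthdr.len, ntohs(h->len)), so the value is peer-controlled.
 *  - CP_RCR_DROP: request too short or no memory.  CP_RCR_ERR: an option
 *    claims more bytes than remain.  CP_RCR_REJ / CP_RCR_NAK / CP_RCR_ACK:
 *    a reply option list was built.
 *  - *msgbuf, *buflen and *msglen are written on every return path.  They
 *    are NULL/0 for DROP and ERR; otherwise the buffer belongs to the
 *    caller, which releases it with the size reported in *buflen.
 */
static enum cp_rcr_type
sppp_lcp_confreq(struct sppp *sp, struct lcp_header *h, int origlen,
    uint8_t **msgbuf, size_t *buflen, size_t *msglen)
{
	const bool debug = sppp_debug_enabled(sp);
	u_char *buf, *r, *p, l, naklen;
	size_t blen;
	enum cp_rcr_type type;
	int len, rlen;
	uint32_t nmagic;
	u_short authproto;
	char lbuf[SPPP_LCPOPT_NAMELEN];

	KASSERT(SPPP_WLOCKED(sp));

	/*
	 * sppp_rcr_event() declares its buf/blen/rlen without initializers
	 * and tests buf after this call, so the outputs must be defined
	 * even when the request is dropped.
	 */
	*msgbuf = NULL;
	*buflen = 0;
	*msglen = 0;

	/* Need the header plus at least one option byte. */
	if (origlen <= (int)sizeof(*h))
		return CP_RCR_DROP;

	origlen -= sizeof(*h);
	type = CP_RCR_NONE;

	/*
	 * The reply buffer is sized to the full option list.  Keeping the
	 * size in a u_char would truncate it for lists longer than 255
	 * bytes while the ACK path below copies origlen bytes into it.
	 */
	blen = (size_t)origlen;

	buf = kmem_intr_alloc(blen, KM_NOSLEEP);
	if (buf == NULL)
		return CP_RCR_DROP;

	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "lcp parse opts:");

	/* pass 1: check for things that need to be rejected */
	p = (void *)(h + 1);
	r = buf;
	rlen = 0;
	for (len = origlen; len > 1; len -= l, p += l) {
		l = p[1];
		if (l == 0)
			break;

		/* Sanity check option length */
		if (l > len) {
			/*
			 * Malicious option - drop immediately.
			 * XXX Maybe we should just RXJ it?
			 */
			if (debug)
				addlog("\n");

			SPPP_LOG(sp, LOG_DEBUG,
			    "received malicious LCP option 0x%02x, "
			    "length 0x%02x, (len: 0x%02x) dropping.\n",
			    p[0], l, len);
			type = CP_RCR_ERR;
			goto end;
		}
		if (debug)
			addlog(" %s", sppp_lcp_opt_name(lbuf, sizeof(lbuf), *p));
		switch (p[0]) {
		case LCP_OPT_MAGIC:
			/* Magic number. */
			/* fall through, both are same length */
		case LCP_OPT_ASYNC_MAP:
			/* Async control character map. */
			/*
			 * Both conditions must hold, as for the other
			 * fixed-size options: pass 2 reads p[2..5].
			 */
			if (len >= 6 && l == 6)
				continue;
			if (debug)
				addlog(" [invalid]");
			break;
		case LCP_OPT_MP_EID:
			if (len >= l && l >= 3) {
				switch (p[2]) {
				case 0: if (l==3+ 0) continue;break;
				case 2: if (l==3+ 4) continue;break;
				case 3: if (l==3+ 6) continue;break;
				case 6: if (l==3+16) continue;break;
				case 1: /* FALLTHROUGH */
				case 4: if (l<=3+20) continue;break;
				case 5: if (l<=3+15) continue;break;
				/* XXX should it be default: continue;? */
				}
			}
			if (debug)
				addlog(" [invalid class %d len %d]", p[2], l);
			break;
		case LCP_OPT_MP_SSNHF:
			if (len >= 2 && l == 2) {
				if (debug)
					addlog(" [rej]");
				break;
			}
			if (debug)
				addlog(" [invalid]");
			break;
		case LCP_OPT_MP_MRRU:
			/* Multilink maximum received reconstructed unit */
			/* should be fall through, both are same length */
			/* FALLTHROUGH */
		case LCP_OPT_MRU:
			/* Maximum receive unit. */
			if (len >= 4 && l == 4)
				continue;
			if (debug)
				addlog(" [invalid]");
			break;
		case LCP_OPT_AUTH_PROTO:
			/*
			 * The protocol field is read from p[2] and p[3], so
			 * the option itself has to be at least 4 bytes.
			 */
			if (len < 4 || l < 4) {
				if (debug)
					addlog(" [invalid]");
				break;
			}
			authproto = (p[2] << 8) + p[3];
			if (authproto == PPP_CHAP && l != 5) {
				if (debug)
					addlog(" [invalid chap len]");
				break;
			}
			if (ISSET(sp->myauth.flags, SPPP_AUTHFLAG_PASSIVEAUTHPROTO)) {
				if (authproto == PPP_PAP || authproto == PPP_CHAP)
					sp->myauth.proto = authproto;
			}
			if (sp->myauth.proto == PPP_NOPROTO) {
				/* we are not configured to do auth */
				if (debug)
					addlog(" [not configured]");
				break;
			}
			/*
			 * Remote want us to authenticate, remember this,
			 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got
			 * up.
			 */
			sp->pp_flags |= PP_NEEDAUTH;
			continue;
		default:
			/* Others not supported. */
			if (debug)
				addlog(" [rej]");
			break;
		}
		if ((size_t)rlen + l > blen) {
			if (debug)
				addlog(" [overflow]");
			continue;
		}
		/* Add the option to rejected list. */
		memcpy(r, p, l);
		r += l;
		rlen += l;
	}

	if (rlen > 0) {
		type = CP_RCR_REJ;
		goto end;
	}

	if (debug)
		addlog("\n");

	/*
	 * pass 2: check for option values that are unacceptable and
	 * thus require to be nak'ed.
	 *
	 * This pass does not re-check option lengths; it relies on pass 1
	 * having validated the same sequence.  That only holds while both
	 * loops stop at the same point and step by the received length,
	 * hence the `len > 1' bound (p[1] is read each round) and the
	 * separate naklen variable in the auth case.
	 */
	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "lcp parse opt values:");

	p = (void *)(h + 1);
	r = buf;
	rlen = 0;
	for (len = origlen; len > 1; len -= l, p += l) {
		l = p[1];
		if (l == 0)
			break;

		if (debug)
			addlog(" %s", sppp_lcp_opt_name(lbuf, sizeof(lbuf), *p));
		switch (p[0]) {
		case LCP_OPT_MAGIC:
			/* Magic number -- extract. */
			nmagic = (uint32_t)p[2] << 24 |
			    (uint32_t)p[3] << 16 | p[4] << 8 | p[5];
			if (nmagic != sp->lcp.magic) {
				if (debug)
					addlog(" 0x%x", nmagic);
				continue;
			}
			/*
			 * Local and remote magics equal -- loopback?
			 */
			if (sp->pp_loopcnt >= LOOPALIVECNT*5) {
				SPPP_DLOG(sp, "loopback\n");
				sp->pp_loopcnt = 0;

				if (sp->pp_flags & PP_IFDOWN)
					sppp_wq_add(sp->wq_cp, &sp->work_ifdown);
				sppp_wq_add(sp->wq_cp,
				    &sp->scp[IDX_LCP].work_close);
				sppp_wq_add(sp->wq_cp,
				    &sp->scp[IDX_LCP].work_open);
			} else {
				if (debug)
					addlog(" [glitch]");
				++sp->pp_loopcnt;
			}
			/*
			 * We negate our magic here, and NAK it.  If
			 * we see it later in an NAK packet, we
			 * suggest a new one.
			 */
			nmagic = ~sp->lcp.magic;
			/* Gonna NAK it. */
			p[2] = nmagic >> 24;
			p[3] = nmagic >> 16;
			p[4] = nmagic >> 8;
			p[5] = nmagic;
			break;

		case LCP_OPT_ASYNC_MAP:
			/*
			 * Async control character map -- just ignore it.
			 *
			 * Quote from RFC 1662, chapter 6:
			 * To enable this functionality, synchronous PPP
			 * implementations MUST always respond to the
			 * Async-Control-Character-Map Configuration
			 * Option with the LCP Configure-Ack.  However,
			 * acceptance of the Configuration Option does
			 * not imply that the synchronous implementation
			 * will do any ACCM mapping.  Instead, all such
			 * octet mapping will be performed by the
			 * asynchronous-to-synchronous converter.
			 */
			continue;

		case LCP_OPT_MRU:
			/*
			 * Maximum receive unit.  Always agreeable,
			 * but ignored by now.
			 */
			sp->lcp.their_mru = p[2] * 256 + p[3];
			if (debug)
				addlog(" %ld", sp->lcp.their_mru);
			continue;

		case LCP_OPT_AUTH_PROTO:
			authproto = (p[2] << 8) + p[3];
			if (ISSET(sp->myauth.flags, SPPP_AUTHFLAG_PASSIVEAUTHPROTO)) {
				if (authproto == PPP_PAP || authproto == PPP_CHAP)
					sp->myauth.proto = authproto;
			}
			if (sp->myauth.proto == authproto) {
				if (authproto != PPP_CHAP || p[4] == CHAP_MD5) {
					continue;
				}
				if (debug)
					addlog(" [chap without MD5]");
			} else {
				if (debug) {
					char pbuf1[SPPP_PROTO_NAMELEN];
					char pbuf2[SPPP_PROTO_NAMELEN];
					const char *pname1, *pname2;

					pname1 = sppp_proto_name(pbuf1,
					    sizeof(pbuf1), sp->myauth.proto);
					pname2 = sppp_proto_name(pbuf2,
					    sizeof(pbuf2), authproto);
					addlog(" [mine %s != his %s]",
					    pname1, pname2);
				}
			}
			/*
			 * not agreed, nak
			 *
			 * The length of the option we send back is kept in
			 * naklen.  Overwriting l here would make the loop
			 * step over the received option by the wrong amount
			 * and parse the following options misaligned.
			 */
			naklen = (sp->myauth.proto == PPP_CHAP) ? 5 : 4;

			/*
			 * NOTE(review): when the NAK does not fit, the option
			 * is skipped; if nothing else gets NAK'ed the request
			 * is then ACKed.  Confirm that is intended.
			 */
			if ((size_t)rlen + naklen > blen) {
				if (debug)
					addlog(" [overflow]");
				continue;
			}

			r[0] = LCP_OPT_AUTH_PROTO;
			r[1] = naklen;
			r[2] = sp->myauth.proto >> 8;
			r[3] = sp->myauth.proto & 0xff;
			if (sp->myauth.proto == PPP_CHAP)
				r[4] = CHAP_MD5;
			rlen += naklen;
			r += naklen;
			continue;
		case LCP_OPT_MP_EID:
			/*
			 * Endpoint identification.
			 * Always agreeable,
			 * but ignored by now.
			 */
			if (debug) {
				addlog(" type %d", p[2]);
				sppp_print_bytes(p+3, p[1]-3);
			}
			continue;
		case LCP_OPT_MP_MRRU:
			/*
			 * Maximum received reconstructed unit.
			 * Always agreeable,
			 * but ignored by now.
			 */
			sp->lcp.their_mrru = p[2] * 256 + p[3];
			if (debug)
				addlog(" %ld", sp->lcp.their_mrru);
			continue;
		}
		if ((size_t)rlen + l > blen) {
			if (debug)
				addlog(" [overflow]");
			continue;
		}
		/* Add the option to nak'ed list. */
		memcpy(r, p, l);
		r += l;
		rlen += l;
	}

	if (rlen > 0) {
		if (++sp->scp[IDX_LCP].fail_counter >= sp->lcp.max_failure) {
			if (debug)
				addlog(" max_failure (%d) exceeded, ",
				    sp->lcp.max_failure);
			type = CP_RCR_REJ;
		} else {
			type = CP_RCR_NAK;
		}
	} else {
		/*
		 * Everything was agreeable: echo the whole option list.
		 * Nothing was added to the reply, so r still equals buf,
		 * and blen == origlen bounds the copy.
		 */
		type = CP_RCR_ACK;
		rlen = origlen;
		memcpy(buf, h + 1, rlen);
		sp->scp[IDX_LCP].fail_counter = 0;
		sp->pp_loopcnt = 0;
	}

end:
	if (debug)
		addlog("\n");

	if (type == CP_RCR_ERR || type == CP_RCR_DROP) {
		/* Outputs stay NULL/0 as set on entry. */
		kmem_intr_free(buf, blen);
	} else {
		*msgbuf = buf;
		*buflen = blen;
		*msglen = rlen;
	}

	return type;
}

/*
 * Analyze the LCP Configure-Reject option list, and adjust our
 * negotiation.
 *
 * h points at the LCP header and len covers the header plus the options.
 * The option bytes come from the peer; each option's length is checked
 * against the remaining bytes before its type is acted on.
 */
static void
sppp_lcp_confrej(struct sppp *sp, struct lcp_header *h, int len)
{
	const bool debug = sppp_debug_enabled(sp);
	u_char *p, l;

	KASSERT(SPPP_WLOCKED(sp));

	if (len <= sizeof(*h))
		return;

	len -= sizeof(*h);

	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "lcp rej opts:");

	p = (void *)(h + 1);
	for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) {
		/* Sanity check option length */
		if (l > len) {
			/*
			 * Malicious option - drop immediately.
			 * XXX Maybe we should just RXJ it?
			 */
			if (debug)
				addlog("\n");

			SPPP_LOG(sp, LOG_DEBUG,
			    "received malicious LCP option, dropping.\n");
			goto end;
		}
		if (debug) {
			char lbuf[SPPP_LCPOPT_NAMELEN];
			addlog(" %s", sppp_lcp_opt_name(lbuf, sizeof(lbuf), *p));
		}
		switch (p[0]) {
		case LCP_OPT_MAGIC:
			/* Magic number -- can't use it, use 0 */
			CLR(sp->lcp.opts, SPPP_LCP_OPT_MAGIC);
			sp->lcp.magic = 0;
			break;
		case LCP_OPT_MRU:
			/*
			 * We try to negotiate a lower MRU if the underlying
			 * link's MTU is less than PP_MTU (e.g. PPPoE).  If the
			 * peer rejects this lower rate, fallback to the
			 * default.
			 */
			if (!debug) {
				SPPP_LOG(sp, LOG_INFO,
				    "peer rejected our MRU of "
				    "%ld bytes. Defaulting to %d bytes\n",
				    sp->lcp.mru, PP_MTU);
			}
			CLR(sp->lcp.opts, SPPP_LCP_OPT_MRU);
			sp->lcp.mru = PP_MTU;
			break;
		case LCP_OPT_AUTH_PROTO:
			/*
			 * Peer doesn't want to authenticate himself,
			 * deny unless SPPP_AUTHFLAG_NOCALLOUT is set.
			 *
			 * With that flag set, a Configure-Reject from the
			 * peer is enough to drop the authentication
			 * requirement for this negotiation.
			 */
			if ((sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) {
				if (debug) {
					addlog(" [don't insist on auth "
					    "for callout]");
				}
				CLR(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO);
				break;
			}
			if (debug)
				addlog("[access denied]\n");
			sppp_disconnect(sp);
			break;
		}
	}
	if (debug)
		addlog("\n");
end:
	return;
}

/*
 * Analyze the LCP Configure-NAK option list, and adjust our
 * negotiation.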
3035 */ 3036 static void 3037 sppp_lcp_confnak(struct sppp *sp, struct lcp_header *h, int len) 3038 { 3039 const bool debug = sppp_debug_enabled(sp); 3040 u_char *p, l; 3041 uint32_t magic; 3042 3043 KASSERT(SPPP_WLOCKED(sp)); 3044 3045 if (len <= sizeof(*h)) 3046 return; 3047 3048 len -= sizeof(*h); 3049 3050 if (debug) 3051 SPPP_LOG(sp, LOG_DEBUG, "lcp nak opts:"); 3052 3053 p = (void *)(h + 1); 3054 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3055 /* Sanity check option length */ 3056 if (l > len) { 3057 /* 3058 * Malicious option - drop immediately. 3059 * XXX Maybe we should just RXJ it? 3060 */ 3061 if (debug) 3062 addlog("\n"); 3063 3064 SPPP_LOG(sp, LOG_DEBUG, 3065 "received malicious LCP option, dropping.\n"); 3066 goto end; 3067 } 3068 if (debug) { 3069 char lbuf[SPPP_LCPOPT_NAMELEN]; 3070 addlog(" %s", sppp_lcp_opt_name(lbuf, sizeof(lbuf),*p)); 3071 } 3072 switch (p[0]) { 3073 case LCP_OPT_MAGIC: 3074 /* Magic number -- renegotiate */ 3075 if (ISSET(sp->lcp.opts, SPPP_LCP_OPT_MAGIC) && 3076 len >= 6 && l == 6) { 3077 magic = (uint32_t)p[2] << 24 | 3078 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 3079 /* 3080 * If the remote magic is our negated one, 3081 * this looks like a loopback problem. 3082 * Suggest a new magic to make sure. 3083 */ 3084 if (magic == ~sp->lcp.magic) { 3085 if (debug) 3086 addlog(" magic glitch"); 3087 sp->lcp.magic = cprng_fast32(); 3088 } else { 3089 sp->lcp.magic = magic; 3090 if (debug) 3091 addlog(" %d", magic); 3092 } 3093 } 3094 break; 3095 case LCP_OPT_MRU: 3096 /* 3097 * Peer wants to advise us to negotiate an MRU. 3098 * Agree on it if it's reasonable, or use 3099 * default otherwise. 
3100 */ 3101 if (len >= 4 && l == 4) { 3102 u_int mru = p[2] * 256 + p[3]; 3103 if (debug) 3104 addlog(" %d", mru); 3105 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 3106 mru = sp->pp_if.if_mtu; 3107 sp->lcp.mru = mru; 3108 SET(sp->lcp.opts, SPPP_LCP_OPT_MRU); 3109 } 3110 break; 3111 case LCP_OPT_AUTH_PROTO: 3112 /* 3113 * Peer doesn't like our authentication method, 3114 * deny. 3115 */ 3116 if (debug) 3117 addlog("[access denied]\n"); 3118 sppp_disconnect(sp); 3119 break; 3120 } 3121 } 3122 if (debug) 3123 addlog("\n"); 3124 end: 3125 return; 3126 } 3127 3128 static void 3129 sppp_lcp_tlu(struct sppp *sp) 3130 { 3131 struct ifnet *ifp = &sp->pp_if; 3132 struct sppp_cp *scp; 3133 int i; 3134 3135 KASSERT(SPPP_WLOCKED(sp)); 3136 3137 /* unlock for IFNET_LOCK */ 3138 SPPP_UNLOCK(sp); 3139 3140 /* the interface was down by PP_IFDOWN flag */ 3141 if ((ifp->if_flags & (IFF_UP | IFF_RUNNING)) == IFF_RUNNING) { 3142 SPPP_LOG(sp, LOG_DEBUG, "interface is going up\n"); 3143 if_up(ifp); 3144 } 3145 3146 IFNET_LOCK(ifp); 3147 SPPP_LOCK(sp, RW_WRITER); 3148 if (ifp->if_mtu > sp->lcp.their_mru) { 3149 sp->pp_saved_mtu = ifp->if_mtu; 3150 ifp->if_mtu = sp->lcp.their_mru; 3151 SPPP_DLOG(sp, "setting MTU " 3152 "from %"PRIu64" bytes to %"PRIu64" bytes\n", 3153 sp->pp_saved_mtu, ifp->if_mtu); 3154 } 3155 SPPP_UNLOCK(sp); 3156 IFNET_UNLOCK(ifp); 3157 3158 SPPP_LOCK(sp, RW_WRITER); 3159 3160 if (ISSET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO) || 3161 (sp->pp_flags & PP_NEEDAUTH) != 0) 3162 sppp_change_phase(sp, SPPP_PHASE_AUTHENTICATE); 3163 else 3164 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 3165 3166 for (i = 0; i < IDX_COUNT; i++) { 3167 scp = &sp->scp[(cps[i])->protoidx]; 3168 3169 if (((cps[i])->flags & CP_LCP) == 0) 3170 sppp_wq_add(sp->wq_cp, &scp->work_up); 3171 3172 /* 3173 * Open all authentication protocols. 
This is even required 3174 * if we already proceeded to network phase, since it might be 3175 * that remote wants us to authenticate, so we might have to 3176 * send a PAP request. Undesired authentication protocols 3177 * don't do anything when they get an Open event. 3178 */ 3179 if ((cps[i])->flags & CP_AUTH) 3180 sppp_wq_add(sp->wq_cp, &scp->work_open); 3181 3182 /* Open all NCPs. */ 3183 if (sp->pp_phase == SPPP_PHASE_NETWORK && 3184 ((cps[i])->flags & CP_NCP) != 0) { 3185 sppp_wq_add(sp->wq_cp, &scp->work_open); 3186 } 3187 } 3188 } 3189 3190 static void 3191 sppp_lcp_tld(struct sppp *sp) 3192 { 3193 struct ifnet *ifp; 3194 struct sppp_cp *scp; 3195 int i, phase; 3196 3197 KASSERT(SPPP_WLOCKED(sp)); 3198 3199 phase = sp->pp_phase; 3200 3201 sppp_change_phase(sp, SPPP_PHASE_TERMINATE); 3202 3203 if (sp->pp_saved_mtu > 0) { 3204 ifp = &sp->pp_if; 3205 3206 SPPP_UNLOCK(sp); 3207 IFNET_LOCK(ifp); 3208 SPPP_LOCK(sp, RW_WRITER); 3209 3210 SPPP_DLOG(sp, "setting MTU " 3211 "from %"PRIu64" bytes to %"PRIu64" bytes\n", 3212 ifp->if_mtu, sp->pp_saved_mtu); 3213 3214 ifp->if_mtu = sp->pp_saved_mtu; 3215 sp->pp_saved_mtu = 0; 3216 IFNET_UNLOCK(ifp); 3217 } 3218 3219 /* 3220 * Take upper layers down. We send the Down event first and 3221 * the Close second to prevent the upper layers from sending 3222 * ``a flurry of terminate-request packets'', as the RFC 3223 * describes it. 3224 */ 3225 for (i = 0; i < IDX_COUNT; i++) { 3226 scp = &sp->scp[(cps[i])->protoidx]; 3227 3228 if (((cps[i])->flags & CP_LCP) == 0) 3229 sppp_wq_add(sp->wq_cp, &scp->work_down); 3230 3231 if ((cps[i])->flags & CP_AUTH) { 3232 sppp_wq_add(sp->wq_cp, &scp->work_close); 3233 } 3234 3235 /* Close all NCPs. 
*/ 3236 if (phase == SPPP_PHASE_NETWORK && 3237 ((cps[i])->flags & CP_NCP) != 0) { 3238 sppp_wq_add(sp->wq_cp, &scp->work_close); 3239 } 3240 } 3241 } 3242 3243 static void 3244 sppp_lcp_tls(const struct cp *cp __unused, struct sppp *sp) 3245 { 3246 3247 KASSERT(SPPP_WLOCKED(sp)); 3248 3249 sppp_change_phase(sp, SPPP_PHASE_ESTABLISH); 3250 3251 /* Notify lower layer if desired. */ 3252 if (!sp->lcp.lower_running) { 3253 sp->lcp.lower_running = true; 3254 sppp_notify_tls_wlocked(sp); 3255 } 3256 } 3257 3258 static void 3259 sppp_lcp_tlf(const struct cp *cp __unused, struct sppp *sp) 3260 { 3261 3262 KASSERT(SPPP_WLOCKED(sp)); 3263 3264 sppp_change_phase(sp, SPPP_PHASE_DEAD); 3265 3266 /* Notify lower layer if desired. */ 3267 if (sp->lcp.lower_running) { 3268 sp->lcp.lower_running = false; 3269 sppp_notify_tlf_wlocked(sp); 3270 } 3271 } 3272 3273 static void 3274 sppp_lcp_scr(struct sppp *sp) 3275 { 3276 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 3277 int i = 0; 3278 u_short authproto; 3279 3280 KASSERT(SPPP_WLOCKED(sp)); 3281 3282 if (ISSET(sp->lcp.opts, SPPP_LCP_OPT_MAGIC)) { 3283 if (! sp->lcp.magic) 3284 sp->lcp.magic = cprng_fast32(); 3285 opt[i++] = LCP_OPT_MAGIC; 3286 opt[i++] = 6; 3287 opt[i++] = sp->lcp.magic >> 24; 3288 opt[i++] = sp->lcp.magic >> 16; 3289 opt[i++] = sp->lcp.magic >> 8; 3290 opt[i++] = sp->lcp.magic; 3291 } 3292 3293 if (ISSET(sp->lcp.opts,SPPP_LCP_OPT_MRU)) { 3294 opt[i++] = LCP_OPT_MRU; 3295 opt[i++] = 4; 3296 opt[i++] = sp->lcp.mru >> 8; 3297 opt[i++] = sp->lcp.mru; 3298 } 3299 3300 if (ISSET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO)) { 3301 authproto = sp->hisauth.proto; 3302 opt[i++] = LCP_OPT_AUTH_PROTO; 3303 opt[i++] = authproto == PPP_CHAP? 
5: 4; 3304 opt[i++] = authproto >> 8; 3305 opt[i++] = authproto; 3306 if (authproto == PPP_CHAP) 3307 opt[i++] = CHAP_MD5; 3308 } 3309 3310 sp->scp[IDX_LCP].confid = ++sp->scp[IDX_LCP].seq; 3311 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->scp[IDX_LCP].confid, i, &opt); 3312 } 3313 3314 /* 3315 * Check the open NCPs, return true if at least one NCP is open. 3316 */ 3317 3318 static int 3319 sppp_cp_check(struct sppp *sp, u_char cp_flags) 3320 { 3321 int i, mask; 3322 3323 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 3324 if ((sp->lcp.protos & mask) && (cps[i])->flags & cp_flags) 3325 return 1; 3326 return 0; 3327 } 3328 3329 /* 3330 * Check the opened NCPs, return true if at least one NCP is opened. 3331 */ 3332 static bool 3333 sppp_is_ncp_opened(struct sppp *sp) 3334 { 3335 int i, mask; 3336 3337 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 3338 if (((cps[i])->flags & CP_NCP) && (sp->scp[i].state == STATE_OPENED)) 3339 return true; 3340 return false; 3341 } 3342 3343 /* 3344 * Re-check the open NCPs and see if we should terminate the link. 3345 * Called by the NCPs during their tlf action handling. 
 */
static void
sppp_lcp_check_and_close(struct sppp *sp)
{
	bool give_up;

	KASSERT(SPPP_WLOCKED(sp));

	/* Below the authenticate phase the link is already going down. */
	if (sp->pp_phase < SPPP_PHASE_AUTHENTICATE)
		return;

	/* Keep the link while an authentication protocol is still open. */
	if (sp->pp_phase == SPPP_PHASE_AUTHENTICATE) {
		if (sppp_cp_check(sp, CP_AUTH))
			return;
	}

	/* Keep the link while at least one NCP is still open. */
	if (sp->pp_phase >= SPPP_PHASE_NETWORK) {
		if (sppp_cp_check(sp, CP_NCP))
			return;
	}

	/*
	 * Nothing is left open.  A pp_max_auth_fail of 0 disables the
	 * limit; otherwise stop retrying once the failure count reaches it.
	 */
	give_up = sp->pp_max_auth_fail != 0 &&
	    sp->pp_auth_failures >= sp->pp_max_auth_fail;

	if (!give_up) {
		/* Restart LCP: queue a close followed by an open. */
		sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close);
		sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open);
		return;
	}

	SPPP_LOG(sp, LOG_INFO, "authentication failed %d times, "
	    "not retrying again\n", sp->pp_auth_failures);

	sppp_wq_add(sp->wq_cp, &sp->work_ifdown);
	sppp_disconnect(sp);
}

/*
 *--------------------------------------------------------------------------*
 *                                                                          *
 *                        The IPCP implementation.
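*
 *                                                                          *
 *--------------------------------------------------------------------------*
 */

/*
 * Initialize the IPCP control protocol state for this interface and
 * clear the negotiated option and flag words.
 * The caller must hold the sppp write lock (asserted below).
 */
static void
sppp_ipcp_init(struct sppp *sp)
{

	KASSERT(SPPP_WLOCKED(sp));

	sppp_cp_init(&ipcp, sp);

	sp->ipcp.opts = 0;
	sp->ipcp.flags = 0;
}

/*
 * Open IPCP: reset the per-negotiation address and DNS state, decide
 * which options we are going to request, then raise the open event.
 * Does nothing when IPCP is not enabled in pp_ncpflags or when no peer
 * address is configured.
 * Must be called with the sppp write lock held and not from soft
 * interrupt context (both asserted below).
 */
static void
sppp_ipcp_open(struct sppp *sp, void *xcp)
{
	uint32_t myaddr, hisaddr;

	KASSERT(SPPP_WLOCKED(sp));
	KASSERT(!cpu_softintr_p());

	if (!ISSET(sp->pp_ncpflags, SPPP_NCP_IPCP))
		return;

	sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN);
	sp->ipcp.req_myaddr = 0;
	sp->ipcp.req_hisaddr = 0;
	memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs);

#ifdef INET
	sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0);
#else
	myaddr = hisaddr = 0;
#endif
	/*
	 * If we don't have his address, this probably means our
	 * interface doesn't want to talk IP at all.  (This could
	 * be the case if somebody wants to speak only IPX, for
	 * example.)  Don't open IPCP in this case.
	 */
	if (hisaddr == 0) {
		/* XXX this message should go away */
		SPPP_DLOG(sp, "ipcp_open(): no IP interface\n");
		return;
	}

	if (myaddr == 0) {
		/*
		 * I don't have an assigned address, so i need to
		 * negotiate my address.
		 */
		sp->ipcp.flags |= IPCP_MYADDR_DYN;
		SET(sp->ipcp.opts, SPPP_IPCP_OPT_ADDRESS);
	}
	if (hisaddr == 1) {
		/*
		 * XXX - remove this hack!
		 * remote has no valid address, we need to get one assigned.
		 */
		sp->ipcp.flags |= IPCP_HISADDR_DYN;
		sp->ipcp.saved_hisaddr = htonl(hisaddr);
	}

	/* Bit 0 of query_dns asks for the primary DNS server ... */
	if (sp->query_dns & 1) {
		SET(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS);
	} else {
		CLR(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS);
	}

	/* ... and bit 1 for the secondary one. */
	if (sp->query_dns & 2) {
		SET(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS);
	} else {
		CLR(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS);
	}
	sppp_open_event(sp, xcp);
}

/*
 * Close IPCP: raise the close event, drop addresses that were assigned
 * dynamically during negotiation and forget the learned DNS servers.
 * Same locking and context requirements as sppp_ipcp_open().
 */
static void
sppp_ipcp_close(struct sppp *sp, void *xcp)
{

	KASSERT(SPPP_WLOCKED(sp));
	KASSERT(!cpu_softintr_p());

	sppp_close_event(sp, xcp);

#ifdef INET
	if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) {
		/*
		 * Some address was dynamic, clear it again.
		 */
		sppp_clear_ip_addrs(sp);
	}
#endif
	memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs);
}

/*
 * Analyze an IPCP configure request received from the peer.
 *
 * h points at the control protocol header, origlen is the packet length
 * including that header; both come from the wire and are untrusted.
 *
 * Returns:
 *   CP_RCR_ACK   the request is agreeable; the reply holds a copy of
 *                the peer's options.
 *   CP_RCR_NAK   at least one value is not agreeable; the reply holds
 *                the options with our preferred values.
 *   CP_RCR_REJ   at least one option is unknown or malformed; the reply
 *                holds the rejected options.
 *   CP_RCR_ERR   an option length runs past the end of the packet.
 *   CP_RCR_DROP  the packet is shorter than the header, or no memory.
 *
 * For ACK/NAK/REJ the reply buffer is handed out through *msgbuf, with
 * its allocation size in *buflen and the used length in *msglen.  The
 * buffer is not freed here in that case (presumably the caller releases
 * it with kmem_intr_free(*msgbuf, *buflen) -- confirm against caller).
 * For ERR/DROP the out parameters are left untouched.
 */
static enum cp_rcr_type
sppp_ipcp_confreq(struct sppp *sp, struct lcp_header *h, int origlen,
    uint8_t **msgbuf, size_t *buflen, size_t *msglen)
{
	const bool debug = sppp_debug_enabled(sp);
	u_char *buf, *r, *p, l;
	/*
	 * The buffer size must be able to represent every possible
	 * origlen.  It used to be a u_char, so a request longer than
	 * 255 bytes got a truncated allocation while the conf-ack path
	 * below still copied origlen bytes into it, and the fixed
	 * six byte conf-nak could be written into a buffer of fewer
	 * than six bytes.
	 */
	size_t blen;
	enum cp_rcr_type type;
	int rlen, len;
	uint32_t hisaddr, desiredaddr;
	char ipbuf[SPPP_IPCPOPT_NAMELEN];
	char dqbuf[SPPP_DOTQUAD_BUFLEN];
	const char *dq;

	KASSERT(SPPP_WLOCKED(sp));

	type = CP_RCR_NONE;
	origlen -= sizeof(*h);

	if (origlen < 0)
		return CP_RCR_DROP;

	/*
	 * Make sure to allocate a buf that can at least hold a
	 * conf-nak with an `address' option.  We might need it below.
	 */
	blen = (size_t)MAX(6, origlen);

	buf = kmem_intr_alloc(blen, KM_NOSLEEP);
	if (buf == NULL)
		return CP_RCR_DROP;

	/* pass 1: see if we can recognize them */
	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "ipcp parse opts:");
	p = (void *)(h + 1);
	r = buf;
	rlen = 0;
	for (len = origlen; len > 1; len -= l, p += l) {
		l = p[1];
		if (l == 0)
			break;

		/*
		 * Sanity check option length
		 *
		 * NOTE(review): a length of 1 passes this check although
		 * a well-formed option is at least 2 bytes (type and
		 * length); the loop then advances by a single byte.
		 */
		if (l > len) {
			/* XXX should we just RXJ? */
			if (debug)
				addlog("\n");

			SPPP_LOG(sp, LOG_DEBUG,
			    " malicious IPCP option received, dropping\n");
			type = CP_RCR_ERR;
			goto end;
		}
		if (debug) {
			addlog(" %s",
			    sppp_ipcp_opt_name(ipbuf, sizeof(ipbuf), *p));
		}
		switch (p[0]) {
#ifdef notyet
		case IPCP_OPT_COMPRESSION:
			if (len >= 6 && l >= 6) {
				/* correctly formed compress option */
				continue;
			}
			if (debug)
				addlog(" [invalid]");
			break;
#endif
		case IPCP_OPT_ADDRESS:
			if (len >= 6 && l == 6) {
				/* correctly formed address option */
				continue;
			}
			if (debug)
				addlog(" [invalid]");
			break;
		default:
			/* Others not supported. */
			if (debug)
				addlog(" [rej]");
			break;
		}
		/* Add the option to rejected list. */
		if ((size_t)rlen + l > blen) {
			if (debug)
				addlog(" [overflow]");
			continue;
		}
		memcpy(r, p, l);
		r += l;
		rlen += l;
	}

	if (rlen > 0) {
		type = CP_RCR_REJ;
		goto end;
	}

	if (debug)
		addlog("\n");

	/* pass 2: parse option values */
	if (sp->ipcp.flags & IPCP_HISADDR_SEEN)
		hisaddr = sp->ipcp.req_hisaddr;	/* we already agreed on that */
	else
#ifdef INET
		sppp_get_ip_addrs(sp, 0, &hisaddr, 0);	/* user configuration */
#else
		hisaddr = 0;
#endif
	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "ipcp parse opt values:");
	p = (void *)(h + 1);
	r = buf;
	rlen = 0;
	for (len = origlen; len > 1; len -= l, p += l) {
		/*
		 * Option lengths were validated in pass 1; every address
		 * option that reaches this point is exactly 6 bytes.
		 */
		l = p[1];
		if (l == 0)
			break;

		if (debug) {
			addlog(" %s",
			    sppp_ipcp_opt_name(ipbuf, sizeof(ipbuf), *p));
		}
		switch (p[0]) {
#ifdef notyet
		case IPCP_OPT_COMPRESSION:
			continue;
#endif
		case IPCP_OPT_ADDRESS:
			/*
			 * Widen before shifting: a u_char promotes to
			 * int, and shifting a byte >= 0x80 left by 24
			 * overflows a signed int.
			 */
			desiredaddr = (uint32_t)p[2] << 24 |
			    (uint32_t)p[3] << 16 |
			    (uint32_t)p[4] << 8 | p[5];
			if (desiredaddr == hisaddr ||
			    ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) {
				/*
				 * Peer's address is same as our value,
				 * this is agreeable.  Gonna conf-ack
				 * it.
				 */
				if (debug) {
					dq = sppp_dotted_quad(dqbuf,
					    sizeof(dqbuf), hisaddr);
					addlog(" %s [ack]", dq);
				}
				/* record that we've seen it already */
				sp->ipcp.flags |= IPCP_HISADDR_SEEN;
				sp->ipcp.req_hisaddr = desiredaddr;
				hisaddr = desiredaddr;
				continue;
			}
			/*
			 * The address wasn't agreeable.  This is either
			 * he sent us 0.0.0.0, asking to assign him an
			 * address, or he send us another address not
			 * matching our value.  Either case, we gonna
			 * conf-nak it with our value.
			 */
			if (debug) {
				if (desiredaddr == 0) {
					addlog(" [addr requested]");
				} else {
					dq = sppp_dotted_quad(dqbuf,
					    sizeof(dqbuf), desiredaddr);
					addlog(" %s [not agreed]", dq);
				}
			}

			/* Rewrite the option in place with our value. */
			p[2] = hisaddr >> 24;
			p[3] = hisaddr >> 16;
			p[4] = hisaddr >> 8;
			p[5] = hisaddr;
			break;
		}
		if ((size_t)rlen + l > blen) {
			if (debug)
				addlog(" [overflow]");
			continue;
		}
		/* Add the option to nak'ed list. */
		memcpy(r, p, l);
		r += l;
		rlen += l;
	}

	if (rlen > 0) {
		type = CP_RCR_NAK;
	} else {
		if ((sp->ipcp.flags & IPCP_HISADDR_SEEN) == 0) {
			/*
			 * If we are about to conf-ack the request, but haven't seen
			 * his address so far, gonna conf-nak it instead, with the
			 * `address' option present and our idea of his address being
			 * filled in there, to request negotiation of both addresses.
			 *
			 * XXX This can result in an endless req - nak loop if peer
			 * doesn't want to send us his address.  Q: What should we do
			 * about it?  XXX  A: implement the max-failure counter.
			 */
			/* blen >= 6 is guaranteed by the MAX() above. */
			buf[0] = IPCP_OPT_ADDRESS;
			buf[1] = 6;
			buf[2] = hisaddr >> 24;
			buf[3] = hisaddr >> 16;
			buf[4] = hisaddr >> 8;
			buf[5] = hisaddr;
			rlen = 6;
			if (debug)
				addlog(" still need hisaddr");
			type = CP_RCR_NAK;
		} else {
			/* Echo the whole request; blen >= origlen. */
			type = CP_RCR_ACK;
			rlen = origlen;
			memcpy(r, h + 1, rlen);
		}
	}

end:
	if (debug)
		addlog("\n");

	if (type == CP_RCR_ERR || type == CP_RCR_DROP) {
		if (buf != NULL)
			kmem_intr_free(buf, blen);
	} else {
		*msgbuf = buf;
		*buflen = blen;
		*msglen = rlen;
	}

	return type;
}

/*
 * Analyze the IPCP Configure-Reject option list, and adjust our
 * negotiation.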
*/
/*
 * Every option the peer rejected is removed from the set of options we
 * request (sp->ipcp.opts).  Parsing stops at the first option whose
 * length field is zero or points past the end of the packet.
 * The caller must hold the sppp write lock (asserted below).
 */
static void
sppp_ipcp_confrej(struct sppp *sp, struct lcp_header *h, int len)
{
	const bool debug = sppp_debug_enabled(sp);
	u_char *opt, optlen;

	KASSERT(SPPP_WLOCKED(sp));

	/* Nothing to look at beyond the header. */
	if (len <= sizeof(*h))
		return;

	len -= sizeof(*h);

	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "ipcp rej opts:");

	opt = (void *)(h + 1);
	while (len > 1) {
		optlen = opt[1];
		if (optlen == 0)
			break;

		/* The length field is peer controlled; never trust it. */
		if (optlen > len) {
			/* XXX should we just RXJ? */
			if (debug)
				addlog("\n");
			SPPP_LOG(sp, LOG_DEBUG,
			    "malicious IPCP option received, dropping\n");
			return;
		}
		if (debug) {
			char ipbuf[SPPP_IPCPOPT_NAMELEN];
			addlog(" %s",
			    sppp_ipcp_opt_name(ipbuf, sizeof(ipbuf), *opt));
		}
		switch (opt[0]) {
		case IPCP_OPT_ADDRESS:
			/*
			 * Peer doesn't grok address option.  This is
			 * bad.  XXX  Should we better give up here?
			 */
			if (!debug) {
				SPPP_LOG(sp, LOG_ERR,
				    "IPCP address option rejected\n");
			}
			CLR(sp->ipcp.opts, SPPP_IPCP_OPT_ADDRESS);
			break;
#ifdef notyet
		case IPCP_OPT_COMPRESS:
			CLR(sp->ipcp.opts, SPPP_IPCP_OPT_COMPRESS);
			break;
#endif
		case IPCP_OPT_PRIMDNS:
			CLR(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS);
			break;

		case IPCP_OPT_SECDNS:
			CLR(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS);
			break;
		}

		len -= optlen;
		opt += optlen;
	}
	if (debug)
		addlog("\n");
}

/*
 * Analyze the IPCP Configure-NAK option list, and adjust our
 * negotiation.
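*/
/*
 * The peer's suggested values are taken over as follows:
 *  - address: accepted only while our own address is dynamic
 *    (IPCP_MYADDR_DYN) and the suggestion is not 0.0.0.0;
 *  - primary/secondary DNS: stored only if we asked for the option and
 *    the option is exactly 6 bytes long.
 * Parsing stops at the first option whose length field is zero or
 * points past the end of the packet.
 * The caller must hold the sppp write lock (asserted below).
 */
static void
sppp_ipcp_confnak(struct sppp *sp, struct lcp_header *h, int len)
{
	const bool debug = sppp_debug_enabled(sp);
	u_char *p, l;
	uint32_t wantaddr;

	KASSERT(SPPP_WLOCKED(sp));

	/*
	 * Same guard as the Configure-Reject handler: bail out before
	 * doing arithmetic on a length that does not even cover the
	 * header.
	 */
	if (len < 0 || (size_t)len <= sizeof(*h))
		return;

	len -= sizeof(*h);

	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "ipcp nak opts:");

	p = (void *)(h + 1);
	for (; len > 1; len -= l, p += l) {
		l = p[1];
		if (l == 0)
			break;

		/* Sanity check option length */
		if (l > len) {
			/* XXX should we just RXJ? */
			if (debug)
				addlog("\n");
			SPPP_LOG(sp, LOG_DEBUG,
			    "malicious IPCP option received, dropping\n");
			return;
		}
		if (debug) {
			char ipbuf[SPPP_IPCPOPT_NAMELEN];
			addlog(" %s",
			    sppp_ipcp_opt_name(ipbuf, sizeof(ipbuf), *p));
		}
		switch (*p) {
		case IPCP_OPT_ADDRESS:
			/*
			 * Peer doesn't like our local IP address.  See
			 * if we can do something for him.  We'll drop
			 * him our address then.
			 */
			if (len >= 6 && l == 6) {
				/*
				 * Widen before shifting: a u_char
				 * promotes to int, and shifting a byte
				 * >= 0x80 left by 24 overflows it.
				 */
				wantaddr = (uint32_t)p[2] << 24 |
				    (uint32_t)p[3] << 16 |
				    (uint32_t)p[4] << 8 | p[5];
				SET(sp->ipcp.opts, SPPP_IPCP_OPT_ADDRESS);
				if (debug) {
					char dqbuf[SPPP_DOTQUAD_BUFLEN];
					const char *dq;

					dq = sppp_dotted_quad(dqbuf,
					    sizeof(dqbuf), wantaddr);
					addlog(" [wantaddr %s]", dq);
				}
				/*
				 * When doing dynamic address assignment,
				 * we accept his offer.  Otherwise, we
				 * ignore it and thus continue to negotiate
				 * our already existing value.
				 */
				if (sp->ipcp.flags & IPCP_MYADDR_DYN) {
					if (ntohl(wantaddr) != INADDR_ANY) {
						if (debug)
							addlog(" [agree]");
						sp->ipcp.flags |= IPCP_MYADDR_SEEN;
						sp->ipcp.req_myaddr = wantaddr;
					} else {
						if (debug)
							addlog(" [not agreed]");
					}
				}
			}
			break;

		case IPCP_OPT_PRIMDNS:
			if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS) &&
			    len >= 6 && l == 6) {
				sp->dns_addrs[0] = (uint32_t)p[2] << 24 |
				    (uint32_t)p[3] << 16 |
				    (uint32_t)p[4] << 8 | p[5];
			}
			break;

		case IPCP_OPT_SECDNS:
			if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS) &&
			    len >= 6 && l == 6) {
				sp->dns_addrs[1] = (uint32_t)p[2] << 24 |
				    (uint32_t)p[3] << 16 |
				    (uint32_t)p[4] << 8 | p[5];
			}
			break;
#ifdef notyet
		case IPCP_OPT_COMPRESS:
			/*
			 * Peer wants different compression parameters.
			 */
			break;
#endif
		}
	}
	if (debug)
		addlog("\n");
}

/*
 * rt_ifmsg requires sppp to be unlocked as it will attempt to lock it again.
 * unlocking sppp is safe here because this logic runs in a single thread,
 * the workqueue, so concurrent state transitions are excluded on that basis;
 * other tlu functions already release and re-acquire the lock already,
 * which is only for coordination with threads _other_ than the workqueue
 * thread which doesn't change the state.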
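*/
static void
sppp_rt_ifmsg(struct sppp *sp)
{
	struct ifnet *ifp = &sp->pp_if;

	KASSERT(SPPP_WLOCKED(sp));

	/* Drop the lock around rt_ifmsg(), then take it back as writer. */
	SPPP_UNLOCK(sp);
	rt_ifmsg(ifp);
	SPPP_LOCK(sp, RW_WRITER);
}

/*
 * IPCP reached the "layer up" state: install the negotiated addresses
 * and announce the change, or close IPCP again when we needed a
 * dynamic address and the peer never supplied one.
 * Compiled to an empty function without INET.
 */
static void
sppp_ipcp_tlu(struct sppp *sp)
{
#ifdef INET

	KASSERT(SPPP_WLOCKED(sp));

	SPPP_LOG(sp, LOG_INFO, "IPCP layer up\n");
	if ((sp->ipcp.flags & IPCP_MYADDR_DYN) &&
	    ((sp->ipcp.flags & IPCP_MYADDR_SEEN) == 0)) {
		SPPP_LOG(sp, LOG_WARNING,
		    "no IP address, closing IPCP\n");
		sppp_wq_add(sp->wq_cp,
		    &sp->scp[IDX_IPCP].work_close);
	} else {
		/* we are up. Set addresses and notify anyone interested */
		sppp_set_ip_addrs(sp);
		sppp_rt_ifmsg(sp);
	}
#endif
}

/*
 * IPCP left the "layer up" state: log it and announce the change.
 * Compiled to an empty function without INET.
 */
static void
sppp_ipcp_tld(struct sppp *sp)
{
#ifdef INET

	SPPP_LOG(sp, LOG_INFO, "IPCP layer down\n");
	sppp_rt_ifmsg(sp);
#endif
}

/*
 * Build and send an IPCP configure request containing every option
 * currently enabled in sp->ipcp.opts.  Each option emitted here is six
 * bytes (type, length, four value bytes); opt[] is sized for all of
 * them together.
 * The caller must hold the sppp write lock (asserted below).
 */
static void
sppp_ipcp_scr(struct sppp *sp)
{
	uint8_t opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */];
#ifdef INET
	uint32_t ouraddr;
#endif
	int i = 0;

	KASSERT(SPPP_WLOCKED(sp));

#ifdef notyet
	if (ISSET(sp->ipcp.opts,SPPP_IPCP_OPT_COMPRESSION)) {
		opt[i++] = IPCP_OPT_COMPRESSION;
		opt[i++] = 6;
		opt[i++] = 0;	/* VJ header compression */
		opt[i++] = 0x2d; /* VJ header compression */
		opt[i++] = max_slot_id;
		opt[i++] = comp_slot_id;
	}
#endif

#ifdef INET
	if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_ADDRESS)) {
		if (sp->ipcp.flags & IPCP_MYADDR_SEEN) {
			ouraddr = sp->ipcp.req_myaddr;	/* not sure if this can ever happen */
		} else {
			sppp_get_ip_addrs(sp, &ouraddr, 0, 0);
		}
		opt[i++] = IPCP_OPT_ADDRESS;
		opt[i++] = 6;
		opt[i++] = ouraddr >> 24;
		opt[i++] = ouraddr >> 16;
		opt[i++] = ouraddr >> 8;
		opt[i++] = ouraddr;
	}
#endif

	if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS)) {
		opt[i++] = IPCP_OPT_PRIMDNS;
		opt[i++] = 6;
		opt[i++] = sp->dns_addrs[0] >> 24;
		opt[i++] = sp->dns_addrs[0] >> 16;
		opt[i++] = sp->dns_addrs[0] >> 8;
		opt[i++] = sp->dns_addrs[0];
	}
	if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS)) {
		opt[i++] = IPCP_OPT_SECDNS;
		opt[i++] = 6;
		opt[i++] = sp->dns_addrs[1] >> 24;
		opt[i++] = sp->dns_addrs[1] >> 16;
		opt[i++] = sp->dns_addrs[1] >> 8;
		opt[i++] = sp->dns_addrs[1];
	}

	/* A new request gets a fresh identifier. */
	sp->scp[IDX_IPCP].confid = ++sp->scp[IDX_IPCP].seq;
	sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->scp[IDX_IPCP].confid, i, &opt);
}

/*
 *--------------------------------------------------------------------------*
 *                                                                          *
 *                      The IPv6CP implementation.                          *
 *                                                                          *
 *--------------------------------------------------------------------------*
 */

#ifdef INET6
/*
 * Initialize the IPv6CP control protocol state for this interface and
 * clear the negotiated option and flag words.
 */
static void
sppp_ipv6cp_init(struct sppp *sp)
{

	KASSERT(SPPP_WLOCKED(sp));

	sppp_cp_init(&ipv6cp, sp);

	sp->ipv6cp.opts = 0;
	sp->ipv6cp.flags = 0;
}

/*
 * Open IPv6CP: reset the negotiation flags, request the interface
 * identifier option and raise the open event.  Does nothing when
 * IPv6CP is not enabled in pp_ncpflags or when the interface has no
 * IPv6 address.
 * Must be called with the sppp write lock held and not from soft
 * interrupt context (both asserted below).
 */
static void
sppp_ipv6cp_open(struct sppp *sp, void *xcp)
{
	struct in6_addr myaddr, hisaddr;

	KASSERT(SPPP_WLOCKED(sp));
	KASSERT(!cpu_softintr_p());

	if (!ISSET(sp->pp_ncpflags, SPPP_NCP_IPV6CP))
		return;

#ifdef IPV6CP_MYIFID_DYN
	sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN);
#else
	sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN;
#endif

	sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0);
	/*
	 * If we don't have our address, this probably means our
	 * interface doesn't want to talk IPv6 at all.  (This could
	 * be the case if somebody wants to speak only IPX, for
	 * example.)  Don't open IPv6CP in this case.
	 */
	if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) {
		/* XXX this message should go away */
		SPPP_DLOG(sp, "ipv6cp_open(): no IPv6 interface\n");
		return;
	}

	sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN;
	SET(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_IFID);
	sppp_open_event(sp, xcp);
}

/*
 * Analyze an IPv6CP configure request received from the peer.
 *
 * h points at the control protocol header, origlen is the packet length
 * including that header; both come from the wire and are untrusted.
 *
 * Returns CP_RCR_ACK, CP_RCR_NAK or CP_RCR_REJ together with a reply
 * buffer in *msgbuf (allocation size in *buflen, used length in
 * *msglen), CP_RCR_ERR when an option length runs past the end of the
 * packet, or CP_RCR_DROP when the packet is shorter than the header or
 * no memory is available.  The buffer is not freed here for
 * ACK/NAK/REJ (presumably the caller releases it with
 * kmem_intr_free(*msgbuf, *buflen) -- confirm against caller); for
 * ERR/DROP the out parameters are left untouched.
 */
static enum cp_rcr_type
sppp_ipv6cp_confreq(struct sppp *sp, struct lcp_header *h, int origlen,
    uint8_t **msgbuf, size_t *buflen, size_t *msglen)
{
	const bool debug = sppp_debug_enabled(sp);
	u_char *buf, *r, *p, l;
	/*
	 * The buffer size must be able to represent every possible
	 * origlen.  It used to be a u_char, so a request longer than
	 * 255 bytes got a truncated allocation while the conf-ack path
	 * below still copied origlen bytes into it.
	 */
	size_t blen;
	int rlen, len;
	struct in6_addr myaddr, desiredaddr, suggestaddr;
	enum cp_rcr_type type;
	int ifidcount;
	int collision, nohisaddr;
	char ip6buf[INET6_ADDRSTRLEN];
	char tbuf[SPPP_CPTYPE_NAMELEN];
	char ipv6buf[SPPP_IPV6CPOPT_NAMELEN];
	const char *cpname;

	KASSERT(SPPP_WLOCKED(sp));

	type = CP_RCR_NONE;
	origlen -= sizeof(*h);

	if (origlen < 0)
		return CP_RCR_DROP;

	/*
	 * Make sure to allocate a buf that can at least hold a
	 * conf-nak with an `address' option.  We might need it below.
	 */
	blen = (size_t)MAX(6, origlen);

	buf = kmem_intr_alloc(blen, KM_NOSLEEP);
	if (buf == NULL)
		return CP_RCR_DROP;

	/* pass 1: see if we can recognize them */
	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "ipv6cp parse opts:");
	p = (void *)(h + 1);
	r = buf;
	rlen = 0;
	ifidcount = 0;
	for (len = origlen; len > 1; len -= l, p += l) {
		l = p[1];
		if (l == 0)
			break;

		/* Sanity check option length */
		if (l > len) {
			/* XXX just RXJ? */
			if (debug)
				addlog("\n");
			SPPP_LOG(sp, LOG_DEBUG,
			    "received malicious IPCPv6 option, "
			    "dropping\n");
			type = CP_RCR_ERR;
			goto end;
		}
		if (debug) {
			addlog(" %s", sppp_ipv6cp_opt_name(ipv6buf,
			    sizeof(ipv6buf),*p));
		}
		switch (p[0]) {
		case IPV6CP_OPT_IFID:
			/* Only the first, exactly 10 byte ifid is accepted. */
			if (len >= 10 && l == 10 && ifidcount == 0) {
				/* correctly formed address option */
				ifidcount++;
				continue;
			}
			if (debug)
				addlog(" [invalid]");
			break;
#ifdef notyet
		case IPV6CP_OPT_COMPRESSION:
			if (len >= 4 && l >= 4) {
				/* correctly formed compress option */
				continue;
			}
			if (debug)
				addlog(" [invalid]");
			break;
#endif
		default:
			/* Others not supported. */
			if (debug)
				addlog(" [rej]");
			break;
		}
		if ((size_t)rlen + l > blen) {
			if (debug)
				addlog(" [overflow]");
			continue;
		}
		/* Add the option to rejected list. */
		memcpy(r, p, l);
		r += l;
		rlen += l;
	}

	if (rlen > 0) {
		type = CP_RCR_REJ;
		goto end;
	}

	if (debug)
		addlog("\n");

	/* pass 2: parse option values */
	sppp_get_ip6_addrs(sp, &myaddr, 0, 0);
	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "ipv6cp parse opt values:");
	p = (void *)(h + 1);
	r = buf;
	rlen = 0;
	type = CP_RCR_ACK;
	for (len = origlen; len > 1; len -= l, p += l) {
		/* Option lengths were validated in pass 1. */
		l = p[1];
		if (l == 0)
			break;

		if (debug) {
			addlog(" %s", sppp_ipv6cp_opt_name(ipv6buf,
			    sizeof(ipv6buf), *p));
		}
		switch (p[0]) {
#ifdef notyet
		case IPV6CP_OPT_COMPRESSION:
			continue;
#endif
		case IPV6CP_OPT_IFID:
			memset(&desiredaddr, 0, sizeof(desiredaddr));
			memcpy(&desiredaddr.s6_addr[8], &p[2], 8);
			collision = (memcmp(&desiredaddr.s6_addr[8],
			    &myaddr.s6_addr[8], 8) == 0);
			/* Checked before the prefix is filled in: all-zero ifid. */
			nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr);

			desiredaddr.s6_addr16[0] = htons(0xfe80);
			(void)in6_setscope(&desiredaddr, &sp->pp_if, NULL);

			if (!collision && !nohisaddr) {
				/* no collision, hisaddr known - Conf-Ack */
				type = CP_RCR_ACK;
				memcpy(sp->ipv6cp.my_ifid, &myaddr.s6_addr[8],
				    sizeof(sp->ipv6cp.my_ifid));
				/* Size the copy by its own destination. */
				memcpy(sp->ipv6cp.his_ifid,
				    &desiredaddr.s6_addr[8],
				    sizeof(sp->ipv6cp.his_ifid));

				if (debug) {
					cpname = sppp_cp_type_name(tbuf,
					    sizeof(tbuf), CONF_ACK);
					addlog(" %s [%s]",
					    IN6_PRINT(ip6buf, &desiredaddr),
					    cpname);
				}
				continue;
			}

			memset(&suggestaddr, 0, sizeof(suggestaddr));
			if (collision && nohisaddr) {
				/* collision, hisaddr unknown - Conf-Rej */
				type = CP_RCR_REJ;
				memset(&p[2], 0, 8);
			} else {
				/*
				 * - no collision, hisaddr unknown, or
				 * - collision, hisaddr known
				 * Conf-Nak, suggest hisaddr
				 */
				type = CP_RCR_NAK;
				sppp_suggest_ip6_addr(sp, &suggestaddr);
				memcpy(&p[2], &suggestaddr.s6_addr[8], 8);
			}
			if (debug) {
				int ctype = type == CP_RCR_REJ ? CONF_REJ : CONF_NAK;

				cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), ctype);
				addlog(" %s [%s]", IN6_PRINT(ip6buf, &desiredaddr),
				    cpname);
			}
			break;
		}
		if ((size_t)rlen + l > blen) {
			if (debug)
				addlog(" [overflow]");
			continue;
		}
		/* Add the option to nak'ed list. */
		memcpy(r, p, l);
		r += l;
		rlen += l;
	}

	if (rlen > 0) {
		if (type != CP_RCR_ACK) {
			if (debug) {
				int ctype ;
				ctype = type == CP_RCR_REJ ?
				    CONF_REJ : CONF_NAK;
				cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), ctype);
				addlog(" send %s suggest %s\n",
				    cpname, IN6_PRINT(ip6buf, &suggestaddr));
			}
		}
#ifdef notdef
		if (type == CP_RCR_ACK)
			panic("IPv6CP RCR: CONF_ACK with non-zero rlen");
#endif
	} else {
		if (type == CP_RCR_ACK) {
			/* Echo the whole request; blen >= origlen. */
			rlen = origlen;
			memcpy(r, h + 1, rlen);
		}
	}
end:
	if (debug)
		addlog("\n");

	if (type == CP_RCR_ERR || type == CP_RCR_DROP) {
		if (buf != NULL)
			kmem_intr_free(buf, blen);
	} else {
		*msgbuf = buf;
		*buflen = blen;
		*msglen = rlen;
	}

	return type;
}

/*
 * Analyze the IPv6CP Configure-Reject option list, and adjust our
 * negotiation.
 */
static void
sppp_ipv6cp_confrej(struct sppp *sp, struct lcp_header *h, int len)
{
	const bool debug = sppp_debug_enabled(sp);
	u_char *p, l;

	KASSERT(SPPP_WLOCKED(sp));

	if (len <= sizeof(*h))
		return;

	len -= sizeof(*h);

	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "ipv6cp rej opts:");

	p = (void *)(h + 1);
	for (; len > 1; len -= l, p += l) {
		l = p[1];
		if (l == 0)
			break;

		/* The length field is peer controlled; never trust it. */
		if (l > len) {
			/* XXX just RXJ? */
			if (debug)
				addlog("\n");
			SPPP_LOG(sp, LOG_DEBUG,
			    "received malicious IPCPv6 option, "
			    "dropping\n");
			goto end;
		}
		if (debug) {
			char ipv6buf[SPPP_IPV6CPOPT_NAMELEN];
			addlog(" %s", sppp_ipv6cp_opt_name(ipv6buf,
			    sizeof(ipv6buf), *p));
		}
		switch (p[0]) {
		case IPV6CP_OPT_IFID:
			/*
			 * Peer doesn't grok address option.  This is
			 * bad.  XXX  Should we better give up here?
			 */
			CLR(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_IFID);
			break;
#ifdef notyet
		case IPV6CP_OPT_COMPRESS:
			CLR(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_COMPRESS);
			break;
#endif
		}
	}
	if (debug)
		addlog("\n");
end:
	return;
}

/*
 * Analyze the IPv6CP Configure-NAK option list, and adjust our
 * negotiation.
 */
static void
sppp_ipv6cp_confnak(struct sppp *sp, struct lcp_header *h, int len)
{
	const bool debug = sppp_debug_enabled(sp);
	u_char *p, l;
	struct in6_addr suggestaddr;
	char ip6buf[INET6_ADDRSTRLEN];

	KASSERT(SPPP_WLOCKED(sp));

	if (len <= sizeof(*h))
		return;

	len -= sizeof(*h);

	if (debug)
		SPPP_LOG(sp, LOG_DEBUG, "ipv6cp nak opts:");

	p = (void *)(h + 1);
	for (; len > 1; len -= l, p += l) {
		l = p[1];
		if (l == 0)
			break;

		/* The length field is peer controlled; never trust it. */
		if (l > len) {
			/* XXX just RXJ? */
			if (debug)
				addlog("\n");
			SPPP_LOG(sp, LOG_DEBUG,
			    "received malicious IPCPv6 option, "
			    "dropping\n");
			goto end;
		}
		if (debug) {
			char ipv6buf[SPPP_IPV6CPOPT_NAMELEN];
			addlog(" %s", sppp_ipv6cp_opt_name(ipv6buf,
			    sizeof(ipv6buf), *p));
		}
		switch (p[0]) {
		case IPV6CP_OPT_IFID:
			/*
			 * Peer doesn't like our local ifid.  See
			 * if we can do something for him.  We'll drop
			 * him our address then.
			 */
			if (len < 10 || l != 10)
				break;
			memset(&suggestaddr, 0, sizeof(suggestaddr));
			suggestaddr.s6_addr16[0] = htons(0xfe80);
			(void)in6_setscope(&suggestaddr, &sp->pp_if, NULL);
			memcpy(&suggestaddr.s6_addr[8], &p[2], 8);

			SET(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_IFID);
			if (debug)
				addlog(" [suggestaddr %s]",
				    IN6_PRINT(ip6buf, &suggestaddr));
#ifdef IPV6CP_MYIFID_DYN
			/*
			 * When doing dynamic address assignment,
			 * we accept his offer.
			 */
			if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) {
				struct in6_addr lastsuggest;
				/*
				 * If <suggested myaddr from peer> equals to
				 * <hisaddr we have suggested last time>,
				 * we have a collision.  generate new random
				 * ifid.
				 */
				/*
				 * Call forms aligned with the other
				 * sppp_suggest_ip6_addr(sp, addr) caller
				 * in this file; the comparison takes two
				 * pointers.
				 */
				sppp_suggest_ip6_addr(sp, &lastsuggest);
				if (IN6_ARE_ADDR_EQUAL(&suggestaddr,
				    &lastsuggest)) {
					if (debug)
						addlog(" [random]");
					sppp_gen_ip6_addr(sp, &suggestaddr);
				}
				sppp_set_ip6_addr(sp, &suggestaddr, 0);
				if (debug)
					addlog(" [agree]");
				sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN;
			}
#else
			/*
			 * Since we do not do dynamic address assignment,
			 * we ignore it and thus continue to negotiate
			 * our already existing value.  This can possibly
			 * go into infinite request-reject loop.
			 *
			 * This is not likely because we normally use
			 * ifid based on MAC-address.
			 * If you have no ethernet card on the node, too bad.
			 * XXX should we use fail_counter?
			 */
#endif
			break;
#ifdef notyet
		case IPV6CP_OPT_COMPRESS:
			/*
			 * Peer wants different compression parameters.
			 */
			break;
#endif
		}
	}
	if (debug)
		addlog("\n");
end:
	return;
}

/* IPv6CP reached the "layer up" state: log it and announce the change. */
static void
sppp_ipv6cp_tlu(struct sppp *sp)
{

	SPPP_LOG(sp, LOG_INFO, "IPv6CP layer up\n");
	sppp_rt_ifmsg(sp);
}

/* IPv6CP left the "layer up" state: log it and announce the change. */
static void
sppp_ipv6cp_tld(struct sppp *sp)
{

	SPPP_LOG(sp, LOG_INFO, "IPv6CP layer down\n");
	sppp_rt_ifmsg(sp);
}

/*
 * Build and send an IPv6CP configure request.  The only option emitted
 * is the interface identifier: two header bytes followed by the low
 * eight bytes of our address.
 * The caller must hold the sppp write lock (asserted below).
 */
static void
sppp_ipv6cp_scr(struct sppp *sp)
{
	char opt[10 /* ifid */ + 4 /* compression, minimum */];
	struct in6_addr ouraddr;
	int i = 0;

	KASSERT(SPPP_WLOCKED(sp));

	if (ISSET(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_IFID)) {
		sppp_get_ip6_addrs(sp, &ouraddr, 0, 0);

		opt[i++] = IPV6CP_OPT_IFID;
		opt[i++] = 10;
		memcpy(&opt[i], &ouraddr.s6_addr[8], 8);
		i += 8;
	}

#ifdef notyet
	if (ISSET(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_COMPRESSION)) {
		opt[i++] = IPV6CP_OPT_COMPRESSION;
		opt[i++] = 4;
		opt[i++] = 0;	/* TBD */
		opt[i++] = 0;	/* TBD */
		/* variable length data may follow */
	}
#endif

	/* A new request gets a fresh identifier. */
	sp->scp[IDX_IPV6CP].confid = ++sp->scp[IDX_IPV6CP].seq;
	sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->scp[IDX_IPV6CP].confid, i, &opt);
}
#else /*INET6*/
/*
 * Without INET6 the IPv6CP entry points below are stubs that only
 * assert the locking contract.
 */
static void
sppp_ipv6cp_init(struct sppp *sp)
{

	KASSERT(SPPP_WLOCKED(sp));
}

static void
sppp_ipv6cp_open(struct sppp *sp, void *xcp)
{

	KASSERT(SPPP_WLOCKED(sp));
}

/* Stub: returns 0 and leaves msgbuf, buflen and msglen untouched. */
static enum cp_rcr_type
sppp_ipv6cp_confreq(struct sppp *sp, struct lcp_header *h,
    int len, uint8_t **msgbuf, size_t *buflen, size_t *msglen)
{

	KASSERT(SPPP_WLOCKED(sp));
	return 0;
}

static void
sppp_ipv6cp_confrej(struct sppp *sp, struct lcp_header *h,
    int len)
{

	KASSERT(SPPP_WLOCKED(sp));
}

static void
sppp_ipv6cp_confnak(struct sppp *sp, struct lcp_header *h,
    int len)
{

	KASSERT(SPPP_WLOCKED(sp));
}

static void
sppp_ipv6cp_tlu(struct sppp *sp)
{

	KASSERT(SPPP_WLOCKED(sp));
}

static void
sppp_ipv6cp_tld(struct sppp *sp)
{

	KASSERT(SPPP_WLOCKED(sp));
}

static void
sppp_ipv6cp_scr(struct sppp *sp)
{

	KASSERT(SPPP_WLOCKED(sp));
}
#endif /*INET6*/

/*
 *--------------------------------------------------------------------------*
 *                                                                          *
 *                        The CHAP implementation.                          *
 *                                                                          *
 *--------------------------------------------------------------------------*
 */
/*
 * The authentication protocols is implemented on the state machine for
 * control protocols. And it uses following actions and events.
 *
 * Actions:
 *    - scr: send CHAP_CHALLENGE and CHAP_RESPONSE
 *    - sca: send CHAP_SUCCESS
 *    - scn: send CHAP_FAILURE and shutdown lcp
 * Events:
 *    - RCR+: receive CHAP_RESPONSE containing correct digest
 *    - RCR-: receive CHAP_RESPONSE containing wrong digest
 *    - RCA: receive CHAP_SUCCESS
 *    - RCN: (this event is unused)
 *    - TO+: re-send CHAP_CHALLENGE and CHAP_RESPONSE
 *    - TO-: this layer finish
 */

/*
 * Handle incoming CHAP packets.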
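*/
/*
 * The packet is untrusted.  len is the smaller of the mbuf packet length
 * and the length field carried in the header; every offset taken from the
 * packet below has to be checked against it.  The verdict is recorded in
 * sp->scp[IDX_CHAP] and the matching event is queued on sp->wq_cp.
 *
 * NOTE(review): mtod() is used without a visible m_len check; presumably
 * the caller has made the header contiguous -- confirm.
 */
void
sppp_chap_input(struct sppp *sp, struct mbuf *m)
{
	const bool debug = sppp_debug_enabled(sp);
	struct ifnet *ifp = &sp->pp_if;
	struct lcp_header *h;
	int len = m->m_pkthdr.len;
	u_char *value, *name, digest[sizeof(sp->chap.challenge)];
	int value_len, name_len;
	MD5_CTX ctx;
	char abuf[SPPP_AUTHTYPE_NAMELEN];
	const char *authname;

	KASSERT(SPPP_WLOCKED(sp));

	if (len < 4) {
		SPPP_DLOG(sp, "chap invalid packet length: "
		    "%d bytes\n", len);
		return;
	}
	h = mtod(m, struct lcp_header *);
	/* Never trust more bytes than the header claims. */
	if (len > ntohs(h->len))
		len = ntohs(h->len);

	switch (h->type) {
	/* challenge, failure and success are his authproto */
	case CHAP_CHALLENGE:
		if (sp->myauth.secret == NULL || sp->myauth.name == NULL) {
			/* can't do anything useful */
			sp->pp_auth_failures++;
			SPPP_DLOG(sp, "chap input "
			    "without my name and my secret being set\n");
			break;
		}
		/*
		 * Read the Value-Size octet only if it lies inside the
		 * packet; a bare 4-byte header (or a header length field
		 * below 5) then takes the "corrupted" path through
		 * name_len < 0 instead of reading one byte past len.
		 */
		value = 1 + (u_char *)(h + 1);
		value_len = (len > 4) ? value[-1] : 0;
		name = value + value_len;
		name_len = len - value_len - 5;
		if (name_len < 0) {
			if (debug) {
				authname = sppp_auth_type_name(abuf,
				    sizeof(abuf), PPP_CHAP, h->type);
				SPPP_LOG(sp, LOG_DEBUG,
				    "chap corrupted challenge "
				    "<%s id=0x%x len=%d",
				    authname, h->ident, ntohs(h->len));
				if (len > 4)
					sppp_print_bytes((u_char *)(h + 1),
					    len - 4);
				addlog(">\n");
			}
			break;
		}

		if (debug) {
			authname = sppp_auth_type_name(abuf,
			    sizeof(abuf), PPP_CHAP, h->type);
			SPPP_LOG(sp, LOG_DEBUG,
			    "chap input <%s id=0x%x len=%d name=",
			    authname, h->ident, ntohs(h->len));
			sppp_print_string((char *) name, name_len);
			addlog(" value-size=%d value=", value_len);
			sppp_print_bytes(value, value_len);
			addlog(">\n");
		}

		/* Compute reply value: MD5(ident || my secret || challenge). */
		MD5Init(&ctx);
		MD5Update(&ctx, &h->ident, 1);
		MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len);
		MD5Update(&ctx, value, value_len);
		MD5Final(sp->chap.digest, &ctx);
		sp->chap.digest_len = sizeof(sp->chap.digest);
		sp->scp[IDX_CHAP].rconfid = h->ident;

		sppp_wq_add(sp->wq_cp, &sp->chap.work_challenge_rcvd);
		break;

	case CHAP_SUCCESS:
		if (debug) {
			SPPP_LOG(sp, LOG_DEBUG, "chap success");
			if (len > 4) {
				addlog(": ");
				sppp_print_string((char *)(h + 1), len - 4);
			}
			addlog("\n");
		}

		/* Accept only a reply to the challenge we answered. */
		if (h->ident != sp->scp[IDX_CHAP].rconfid) {
			SPPP_DLOG(sp, "%s id mismatch 0x%x != 0x%x\n",
			    chap.name, h->ident,
			    sp->scp[IDX_CHAP].rconfid);
			if_statinc(ifp, if_ierrors);
			break;
		}

		/* digest_len == 0 means no response of ours is pending. */
		if (sp->chap.digest_len == 0) {
			SPPP_DLOG(sp, "receive CHAP success"
			    " without challenge\n");
			if_statinc(ifp, if_ierrors);
			break;
		}

		sp->pp_auth_failures = 0;
		sp->pp_flags &= ~PP_NEEDAUTH;
		memset(sp->chap.digest, 0, sizeof(sp->chap.digest));
		sp->chap.digest_len = 0;

		if (!ISSET(sppp_auth_role(&chap, sp), SPPP_AUTH_SERV)) {
			/*
			 * we are not authenticator for CHAP,
			 * generate a dummy RCR+ event without CHAP_RESPONSE
			 */
			sp->scp[IDX_CHAP].rcr_type = CP_RCR_ACK;
			sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rcr);
		}
		sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rca);
		break;

	case CHAP_FAILURE:
		if (h->ident != sp->scp[IDX_CHAP].rconfid) {
			SPPP_DLOG(sp, "%s id mismatch 0x%x != 0x%x\n",
			    chap.name, h->ident, sp->scp[IDX_CHAP].rconfid);
			if_statinc(ifp, if_ierrors);
			break;
		}

		if (sp->chap.digest_len == 0) {
			SPPP_DLOG(sp, "receive CHAP failure "
			    "without challenge\n");
			if_statinc(ifp, if_ierrors);
			break;
		}

		sp->pp_auth_failures++;
		SPPP_LOG(sp, LOG_INFO, "chap failure");
		if (debug) {
			if (len > 4) {
				addlog(": ");
				sppp_print_string((char *)(h + 1), len - 4);
			}
		}
		addlog("\n");

		memset(sp->chap.digest, 0, sizeof(sp->chap.digest));
		sp->chap.digest_len = 0;
		/*
		 * await LCP shutdown by authenticator,
		 * so we don't have to enqueue sc->scp[IDX_CHAP].work_rcn
		 */
		break;

	/* response is my authproto */
	case CHAP_RESPONSE:
		if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) {
			/* can't do anything useful */
			SPPP_DLOG(sp, "chap response "
			    "without his name and his secret being set\n");
			break;
		}
		/* Same Value-Size guard as for CHAP_CHALLENGE above. */
		value = 1 + (u_char *)(h + 1);
		value_len = (len > 4) ? value[-1] : 0;
		name = value + value_len;
		name_len = len - value_len - 5;
		if (name_len < 0) {
			if (debug) {
				authname = sppp_auth_type_name(abuf,
				    sizeof(abuf), PPP_CHAP, h->type);
				SPPP_LOG(sp, LOG_DEBUG,
				    "chap corrupted response "
				    "<%s id=0x%x len=%d",
				    authname, h->ident, ntohs(h->len));
				if (len > 4)
					sppp_print_bytes((u_char *)(h + 1),
					    len - 4);
				addlog(">\n");
			}
			break;
		}
		if (h->ident != sp->scp[IDX_CHAP].confid) {
			SPPP_DLOG(sp, "chap dropping response for old ID "
			    "(got %d, expected %d)\n",
			    h->ident, sp->scp[IDX_CHAP].confid);
			break;
		} else {
			sp->scp[IDX_CHAP].rconfid = h->ident;
		}

		if (sp->hisauth.name != NULL &&
		    (name_len != sp->hisauth.name_len
		    || memcmp(name, sp->hisauth.name, name_len) != 0)) {
			SPPP_LOG(sp, LOG_INFO,
			    "chap response, his name ");
			sppp_print_string(name, name_len);
			addlog(" != expected ");
			sppp_print_string(sp->hisauth.name,
			    sp->hisauth.name_len);
			addlog("\n");

			/* generate RCR- event */
			sp->scp[IDX_CHAP].rcr_type = CP_RCR_NAK;
			sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rcr);
			break;
		}

		if (debug) {
			authname = sppp_auth_type_name(abuf,
			    sizeof(abuf), PPP_CHAP, h->type);
			SPPP_LOG(sp, LOG_DEBUG, "chap input(%s) "
			    "<%s id=0x%x len=%d name=",
			    sppp_state_name(sp->scp[IDX_CHAP].state),
			    authname, h->ident, ntohs(h->len));
			sppp_print_string((char *)name, name_len);
			addlog(" value-size=%d value=", value_len);
			sppp_print_bytes(value, value_len);
			addlog(">\n");
		}

		if (value_len == sizeof(sp->chap.challenge) &&
		    value_len == sizeof(sp->chap.digest)) {
			MD5Init(&ctx);
			MD5Update(&ctx, &h->ident, 1);
			MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len);
			MD5Update(&ctx, sp->chap.challenge, sizeof(sp->chap.challenge));
			MD5Final(digest, &ctx);

			/*
			 * Compare the peer's digest without an early exit,
			 * so the time taken does not depend on how many
			 * leading bytes match.
			 */
			if (consttime_memequal(digest, value, value_len)) {
				sp->scp[IDX_CHAP].rcr_type = CP_RCR_ACK;
			} else {
				sp->scp[IDX_CHAP].rcr_type = CP_RCR_NAK;
			}
		} else {
			if (debug) {
				SPPP_LOG(sp, LOG_DEBUG,
				    "chap bad hash value length: "
				    "%d bytes, should be %zu\n",
				    value_len, sizeof(sp->chap.challenge));
			}

			sp->scp[IDX_CHAP].rcr_type = CP_RCR_NAK;
		}

		sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rcr);

		/* generate a dummy RCA event */
		if (sp->scp[IDX_CHAP].rcr_type == CP_RCR_ACK &&
		    (!ISSET(sppp_auth_role(&chap, sp), SPPP_AUTH_PEER) ||
		    sp->chap.rechallenging)) {
			sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rca);
		}
		break;

	default:
		/* Unknown CHAP packet type -- ignore. */
		if (debug) {
			SPPP_LOG(sp, LOG_DEBUG, "chap unknown input(%s) "
			    "<0x%x id=0x%xh len=%d",
			    sppp_state_name(sp->scp[IDX_CHAP].state),
			    h->type, h->ident, ntohs(h->len));
			if (len > 4)
				sppp_print_bytes((u_char *)(h + 1), len - 4);
			addlog(">\n");
		}
		break;

	}
}

/*
 * Initialise the CHAP control protocol state and bind the
 * "challenge received" work item to its handler.
 */
static void
sppp_chap_init(struct sppp *sp)
{

	KASSERT(SPPP_WLOCKED(sp));

	sppp_cp_init(&chap, sp);

	SPPP_WQ_SET(&sp->chap.work_challenge_rcvd,
	    sppp_chap_rcv_challenge_event, &chap);
}

/*
 * Open event for CHAP: forget any digest left from an earlier exchange
 * and reset the rechallenge flags before running the generic open event.
 */
static void
sppp_chap_open(struct sppp *sp, void *xcp)
{

	KASSERT(SPPP_WLOCKED(sp));

	memset(sp->chap.digest, 0, sizeof(sp->chap.digest));
	sp->chap.digest_len = 0;
	sp->chap.rechallenging = false;
	sp->chap.response_rcvd = false;
	sppp_open_event(sp, xcp);
}

/*
 * This-layer-up for CHAP: reset the restart and failure counters,
 * schedule the next rechallenge when we are the authenticator, and
 * enter the network phase unless the link is already in it.
 */
static void
sppp_chap_tlu(struct sppp *sp)
{
	int i;

	KASSERT(SPPP_WLOCKED(sp));

	i = 0;
	sp->scp[IDX_CHAP].rst_counter = sp->lcp.max_configure;
	sp->pp_auth_failures = 0;

	SPPP_LOG(sp, LOG_DEBUG, "chap %s",
	    sp->pp_phase == SPPP_PHASE_NETWORK ? "reconfirmed" : "tlu");

	/*
	 * Some broken CHAP implementations (Conware CoNet, firmware
	 * 4.0.?) don't want to re-authenticate their CHAP once the
	 * initial challenge-response exchange has taken place.
	 * Provide for an option to avoid rechallenges.
	 */
	if (ISSET(sppp_auth_role(&chap, sp), SPPP_AUTH_SERV) &&
	    (sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) {
		/*
		 * Compute the re-challenge timeout.  This will yield
		 * a number between 300 and 810 seconds.
		 */
		i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7);
		callout_schedule(&sp->scp[IDX_CHAP].ch, i * hz);

		if (sppp_debug_enabled(sp)) {
			addlog(", next rechallenge in %d seconds", i);
		}
	}

	addlog("\n");

	/*
	 * If we are already in phase network, we are done here.  This
	 * is the case if this is a dummy tlu event after a re-challenge.
	 */
	if (sp->pp_phase != SPPP_PHASE_NETWORK)
		sppp_phase_network(sp);
}

/*
 * Send-configure-request for CHAP: as authenticator send a fresh random
 * challenge, as peer send the response digest computed by
 * sppp_chap_input().
 *
 * sppp_auth_send() fetches every length with va_arg(ap, size_t), so each
 * length argument and the terminating 0 are passed as size_t here.
 */
static void
sppp_chap_scr(struct sppp *sp)
{
	uint32_t *ch;
	u_char clen, dsize;
	int role;

	KASSERT(SPPP_WLOCKED(sp));

	role = sppp_auth_role(&chap, sp);

	if (ISSET(role, SPPP_AUTH_SERV) &&
	    !sp->chap.response_rcvd) {
		/* we are authenticator for CHAP, send challenge */
		ch = (uint32_t *)sp->chap.challenge;
		clen = sizeof(sp->chap.challenge);
		/* Compute random challenge. */
		cprng_strong(kern_cprng, ch, clen, 0);

		sp->scp[IDX_CHAP].confid = ++sp->scp[IDX_CHAP].seq;
		sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->scp[IDX_CHAP].confid,
		    sizeof(clen), (const char *)&clen,
		    sizeof(sp->chap.challenge), sp->chap.challenge,
		    (size_t)0);
	}

	if (ISSET(role, SPPP_AUTH_PEER) &&
	    sp->chap.digest_len > 0) {
		/* we are peer for CHAP, send response */
		dsize = sp->chap.digest_len;

		sppp_auth_send(&chap, sp, CHAP_RESPONSE, sp->scp[IDX_CHAP].rconfid,
		    sizeof(dsize), (const char *)&dsize,
		    (size_t)sp->chap.digest_len, sp->chap.digest,
		    (size_t)sp->myauth.name_len, sp->myauth.name, (size_t)0);
	}
}

/*
 * Work handler queued by sppp_chap_input() after a CHAP_CHALLENGE was
 * accepted: move the state machine on and send our response.
 */
static void
sppp_chap_rcv_challenge_event(struct sppp *sp, void *xcp)
{
	const struct cp *cp = xcp;

	KASSERT(!cpu_softintr_p());

	sp->chap.rechallenging = false;

	switch (sp->scp[IDX_CHAP].state) {
	case STATE_REQ_SENT:
		sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
		cp->scr(sp);
		break;
	case STATE_OPENED:
		sppp_cp_change_state(cp, sp, STATE_ACK_SENT);
		cp->scr(sp);
		break;
	}
}

/*
 *--------------------------------------------------------------------------*
 *                                                                          *
 *                        The PAP implementation.                           *
 *                                                                          *
 *--------------------------------------------------------------------------*
 */
/*
 * PAP uses following actions and events.
 * Actions:
 *    - scr: send PAP_REQ
 *    - sca: send PAP_ACK
 *    - scn: send PAP_NAK
 * Events:
 *    - RCR+: receive PAP_REQ containing correct username and password
 *    - RCR-: receive PAP_REQ containing wrong username and password
 *    - RCA: receive PAP_ACK
 *    - RCN: (this event is unused)
 *    - TO+: re-send PAP_REQ
 *    - TO-: this layer finish
 */

/*
 * Handle incoming PAP packets.
 *
 * The packet is untrusted.  The length octets are read through an
 * unsigned char cast: name and secret are plain char pointers, and
 * where plain char is signed an octet of 0x80 or above would otherwise
 * give a negative length that passes the bounds checks below.
 */
static void
sppp_pap_input(struct sppp *sp, struct mbuf *m)
{
	const bool debug = sppp_debug_enabled(sp);
	struct ifnet *ifp = &sp->pp_if;
	struct lcp_header *h;
	int len;
	char *name, *secret;
	int name_len, secret_len;
	char abuf[SPPP_AUTHTYPE_NAMELEN];
	const char *authname;

	KASSERT(SPPP_WLOCKED(sp));
	/*
	 * Malicious input might leave this uninitialized, so
	 * init to an impossible value.
	 */
	secret_len = -1;

	len = m->m_pkthdr.len;
	if (len < 5) {
		SPPP_DLOG(sp, "pap invalid packet length: "
		    "%d bytes\n", len);
		return;
	}
	h = mtod(m, struct lcp_header *);
	/* Never trust more bytes than the header claims. */
	if (len > ntohs(h->len))
		len = ntohs(h->len);

	switch (h->type) {
	/* PAP request is my authproto */
	case PAP_REQ:
		if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) {
			/* can't do anything useful */
			SPPP_DLOG(sp, "pap request"
			    " without his name and his secret being set\n");
			break;
		}
		name = 1 + (u_char *)(h + 1);
		name_len = (u_char)name[-1];
		secret = name + name_len + 1;
		/*
		 * Layout: 4 header + 1 name length + name + 1 secret
		 * length + secret.  The secret length octet is only read
		 * once the name is known to fit.
		 */
		if (name_len > len - 6 ||
		    (secret_len = (u_char)secret[-1]) > len - 6 - name_len) {
			if (debug) {
				authname = sppp_auth_type_name(abuf,
				    sizeof(abuf), PPP_PAP, h->type);
				SPPP_LOG(sp, LOG_DEBUG, "pap corrupted input "
				    "<%s id=0x%x len=%d",
				    authname, h->ident, ntohs(h->len));
				if (len > 4)
					sppp_print_bytes((u_char *)(h + 1),
					    len - 4);
				addlog(">\n");
			}
			break;
		}
		/*
		 * NOTE(review): with debugging enabled this writes the
		 * peer's cleartext PAP password to the log; consider
		 * logging only its length.
		 */
		if (debug) {
			authname = sppp_auth_type_name(abuf,
			    sizeof(abuf), PPP_PAP, h->type);
			SPPP_LOG(sp, LOG_DEBUG, "pap input(%s) "
			    "<%s id=0x%x len=%d name=",
			    sppp_state_name(sp->scp[IDX_PAP].state),
			    authname, h->ident, ntohs(h->len));
			sppp_print_string((char *)name, name_len);
			addlog(" secret=");
			sppp_print_string((char *)secret, secret_len);
			addlog(">\n");
		}

		sp->scp[IDX_PAP].rconfid = h->ident;

		/*
		 * The password is compared without an early exit so the
		 * time taken does not reveal how many leading bytes of a
		 * guess were right.
		 */
		if (name_len == sp->hisauth.name_len &&
		    memcmp(name, sp->hisauth.name, name_len) == 0 &&
		    secret_len == sp->hisauth.secret_len &&
		    consttime_memequal(secret, sp->hisauth.secret,
			secret_len)) {
			sp->scp[IDX_PAP].rcr_type = CP_RCR_ACK;
		} else {
			sp->scp[IDX_PAP].rcr_type = CP_RCR_NAK;
		}

		sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_rcr);

		/* generate a dummy RCA event */
		if (sp->scp[IDX_PAP].rcr_type == CP_RCR_ACK &&
		    !ISSET(sppp_auth_role(&pap, sp), SPPP_AUTH_PEER)) {
			sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_rca);
		}
		break;

	/* ack and nak are his authproto */
	case PAP_ACK:
		if (debug) {
			SPPP_LOG(sp, LOG_DEBUG, "pap success");
			name = 1 + (u_char *)(h + 1);
			name_len = (u_char)name[-1];
			/* Print the message only if all of it is in the packet. */
			if (len > 5 && name_len <= len - 5) {
				addlog(": ");
				sppp_print_string(name, name_len);
			}
			addlog("\n");
		}

		/* Accept only a reply to the request we sent. */
		if (h->ident != sp->scp[IDX_PAP].confid) {
			SPPP_DLOG(sp, "%s id mismatch 0x%x != 0x%x\n",
			    pap.name, h->ident, sp->scp[IDX_PAP].confid);
			if_statinc(ifp, if_ierrors);
			break;
		}

		sp->pp_auth_failures = 0;
		sp->pp_flags &= ~PP_NEEDAUTH;

		/* we are not authenticator, generate a dummy RCR+ event */
		if (!ISSET(sppp_auth_role(&pap, sp), SPPP_AUTH_SERV)) {
			sp->scp[IDX_PAP].rcr_type = CP_RCR_ACK;
			sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_rcr);
		}

		sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_rca);
		break;

	case PAP_NAK:
		if (debug) {
			SPPP_LOG(sp, LOG_INFO, "pap failure");
			name = 1 + (u_char *)(h + 1);
			name_len = (u_char)name[-1];
			/* Print the message only if all of it is in the packet. */
			if (len > 5 && name_len <= len - 5) {
				addlog(": ");
				sppp_print_string(name, name_len);
			}
			addlog("\n");
		} else {
			SPPP_LOG(sp, LOG_INFO, "pap failure\n");
		}

		if (h->ident != sp->scp[IDX_PAP].confid) {
			SPPP_DLOG(sp, "%s id mismatch 0x%x != 0x%x\n",
			    pap.name, h->ident, sp->scp[IDX_PAP].confid);
			if_statinc(ifp, if_ierrors);
			break;
		}

		sp->pp_auth_failures++;
		/*
		 * await LCP shutdown by authenticator,
		 * so we don't have to enqueue sc->scp[IDX_PAP].work_rcn
		 */
		break;

	default:
		/* Unknown PAP packet type -- ignore. */
		if (debug) {
			SPPP_LOG(sp, LOG_DEBUG, "pap corrupted input "
			    "<0x%x id=0x%x len=%d",
			    h->type, h->ident, ntohs(h->len));
			if (len > 4)
				sppp_print_bytes((u_char *)(h + 1), len - 4);
			addlog(">\n");
		}
		break;
	}
}

/* Initialise the PAP control protocol state. */
static void
sppp_pap_init(struct sppp *sp)
{

	KASSERT(SPPP_WLOCKED(sp));
	sppp_cp_init(&pap, sp);
}

/*
 * This-layer-up for PAP: reset the restart and failure counters and
 * enter the network phase if the link has not reached it yet.
 */
static void
sppp_pap_tlu(struct sppp *sp)
{

	SPPP_DLOG(sp, "%s tlu\n", pap.name);

	sp->scp[IDX_PAP].rst_counter = sp->lcp.max_configure;
	sp->pp_auth_failures = 0;

	if (sp->pp_phase < SPPP_PHASE_NETWORK)
		sppp_phase_network(sp);
}

/*
 * Send-configure-request for PAP: as peer, send PAP_REQ with our name
 * and secret unless an ack was already received.
 *
 * sppp_auth_send() fetches every length with va_arg(ap, size_t), so each
 * length argument and the terminating 0 are passed as size_t here.
 *
 * NOTE(review): idlen and pwdlen are u_char, so a configured name or
 * secret longer than 255 bytes is truncated modulo 256, and a resulting
 * 0 ends the argument list early -- confirm the limits set elsewhere.
 */
static void
sppp_pap_scr(struct sppp *sp)
{
	u_char idlen, pwdlen;

	KASSERT(SPPP_WLOCKED(sp));

	if (ISSET(sppp_auth_role(&pap, sp), SPPP_AUTH_PEER) &&
	    sp->scp[IDX_PAP].state != STATE_ACK_RCVD) {
		if (sp->myauth.secret == NULL ||
		    sp->myauth.name == NULL) {
			SPPP_LOG(sp, LOG_DEBUG,
			    "couldn't send PAP_REQ "
			    "because of no name or no secret\n");
		} else {
			sp->scp[IDX_PAP].confid = ++sp->scp[IDX_PAP].seq;
			pwdlen = sp->myauth.secret_len;
			idlen = sp->myauth.name_len;

			sppp_auth_send(&pap, sp, PAP_REQ, sp->scp[IDX_PAP].confid,
			    sizeof idlen, (const char *)&idlen,
			    (size_t)idlen, sp->myauth.name,
			    sizeof pwdlen, (const char *)&pwdlen,
			    (size_t)pwdlen, sp->myauth.secret,
			    (size_t)0);
		}
	}
}

/*
 * Random miscellaneous functions.
 */

/*
 * Send a PAP or CHAP proto packet.
 *
 * Variadic function, each of the elements for the ellipsis is of type
 * ``size_t mlen, const u_char *msg''.  Processing will stop iff
 * mlen == 0.
 * NOTE: never declare variadic functions with types subject to type
 * promotion (i.e. u_char). This is asking for big trouble depending
 * on the architecture you are on...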
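*/
/*
 * sppp_auth_send() builds the packet in a single header mbuf, so the
 * payload is limited to MHLEN minus the framing and LCP headers; a
 * longer argument list frees the mbuf and sends nothing.  Every length
 * is fetched with va_arg(ap, size_t): callers must pass size_t values,
 * including the terminating 0.
 */
static void
sppp_auth_send(const struct cp *cp, struct sppp *sp,
    unsigned int type, unsigned int id,
    ...)
{
	struct ifnet *ifp = &sp->pp_if;
	struct lcp_header *lh;
	struct mbuf *m;
	u_char *p;
	int len;
	size_t pkthdrlen;
	unsigned int mlen;
	const char *msg;
	va_list ap;

	KASSERT(SPPP_WLOCKED(sp));

	MGETHDR(m, M_DONTWAIT, MT_DATA);
	if (! m)
		return;
	m_reset_rcvif(m);

	if (ISSET(sp->pp_dev_flags, PP_DEVF_NOFRAMING)) {
		/* Only the 16-bit protocol number precedes the payload. */
		*mtod(m, uint16_t *) = htons(cp->proto);
		pkthdrlen = 2;
		lh = (struct lcp_header *)(mtod(m, uint8_t *)+2);
	} else {
		struct ppp_header *h;
		h = mtod(m, struct ppp_header *);
		h->address = PPP_ALLSTATIONS;		/* broadcast address */
		h->control = PPP_UI;			/* Unnumbered Info */
		h->protocol = htons(cp->proto);
		pkthdrlen = PPP_HEADER_LEN;

		lh = (struct lcp_header *)(h + 1);
	}

	lh->type = type;
	lh->ident = id;
	p = (u_char *)(lh + 1);

	va_start(ap, id);
	len = 0;

	while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) {
		msg = va_arg(ap, const char *);
		len += mlen;
		/* Check the running total before copying this element. */
		if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) {
			va_end(ap);
			m_freem(m);
			return;
		}

		memcpy(p, msg, mlen);
		p += mlen;
	}
	va_end(ap);

	m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len;
	lh->len = htons(LCP_HEADER_LEN + len);

	if (sppp_debug_enabled(sp)) {
		char abuf[SPPP_AUTHTYPE_NAMELEN];
		const char *authname;

		authname = sppp_auth_type_name(abuf,
		    sizeof(abuf), cp->proto, lh->type);
		SPPP_LOG(sp, LOG_DEBUG, "%s output <%s id=0x%x len=%d",
		    cp->name, authname,
		    lh->ident, ntohs(lh->len));
		if (len)
			sppp_print_bytes((u_char *)(lh + 1), len);
		addlog(">\n");
	}
	if (IF_QFULL(&sp->pp_cpq)) {
		IF_DROP(&sp->pp_fastq);
		IF_DROP(&ifp->if_snd);
		m_freem(m);
		return;
	}

	if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes);
	IF_ENQUEUE(&sp->pp_cpq, m);

	if (! (ifp->if_flags & IFF_OACTIVE)) {
		/* if_start_lock() is called with the sppp lock released. */
		SPPP_UNLOCK(sp);
		if_start_lock(ifp);
		SPPP_LOCK(sp, RW_WRITER);
	}
}

/*
 * Return the roles this end plays for the auth protocol cp:
 * SPPP_AUTH_SERV if the peer must authenticate to us with it and the
 * LCP auth-proto option is set, SPPP_AUTH_PEER if we authenticate to
 * the peer with it; both, or SPPP_AUTH_NOROLE, are possible.
 */
static int
sppp_auth_role(const struct cp *cp, struct sppp *sp)
{
	int role;

	role = SPPP_AUTH_NOROLE;

	if (sp->hisauth.proto == cp->proto &&
	    ISSET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO))
		SET(role, SPPP_AUTH_SERV);

	if (sp->myauth.proto == cp->proto)
		SET(role, SPPP_AUTH_PEER);

	return role;
}

/*
 * Timeout event for the auth protocols.  While restarts remain, a
 * timeout in STATE_OPENED starts a rechallenge (unless disabled by
 * SPPP_AUTHFLAG_NORECHALLENGE) and one in STATE_ACK_RCVD re-sends the
 * request; anything else goes to the generic sppp_to_event().
 */
static void
sppp_auth_to_event(struct sppp *sp, void *xcp)
{
	const struct cp *cp = xcp;
	bool override;
	int state;

	KASSERT(SPPP_WLOCKED(sp));
	KASSERT(!cpu_softintr_p());

	override = false;
	state = sp->scp[cp->protoidx].state;

	if (sp->scp[cp->protoidx].rst_counter > 0) {
		/* override TO+ event */
		switch (state) {
		case STATE_OPENED:
			if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) {
				override = true;
				sp->chap.rechallenging = true;
				sp->chap.response_rcvd = false;
				sppp_cp_change_state(cp, sp, STATE_REQ_SENT);
				cp->scr(sp);
			}
			break;

		case STATE_ACK_RCVD:
			override = true;
			cp->scr(sp);
			callout_schedule(&sp->scp[cp->protoidx].ch, sp->lcp.timeout);
			break;
		}
	}

	if (override) {
		SPPP_DLOG(sp, "%s TO(%s) rst_counter = %d\n",
		    cp->name, sppp_state_name(state),
		    sp->scp[cp->protoidx].rst_counter);
		sp->scp[cp->protoidx].rst_counter--;
	} else {
		sppp_to_event(sp, xcp);
	}
}

/*
 * Send the authenticator's verdict (CHAP_SUCCESS/PAP_ACK or
 * CHAP_FAILURE/PAP_NAK) with a short text message.  Does nothing when
 * we are not the authenticator for cp.  On failure LCP is closed and
 * reopened.
 *
 * The messages are arrays, not pointers, so that sizeof() yields the
 * string length rather than the size of a pointer.
 */
static void
sppp_auth_screply(const struct cp *cp, struct sppp *sp, u_char ctype,
    uint8_t ident, size_t _mlen __unused, void *_msg __unused)
{
	static const char succmsg[] = "Welcome!";
	static const char failmsg[] = "Failed...";
	const char *msg;
	u_char type, mlen;

	KASSERT(SPPP_WLOCKED(sp));

	if (!ISSET(sppp_auth_role(cp, sp), SPPP_AUTH_SERV))
		return;

	if (ctype == CONF_ACK) {
		type = cp->proto == PPP_CHAP ? CHAP_SUCCESS : PAP_ACK;
		msg = succmsg;
		mlen = sizeof(succmsg) - 1;

		sp->pp_auth_failures = 0;
	} else {
		type = cp->proto == PPP_CHAP ? CHAP_FAILURE : PAP_NAK;
		msg = failmsg;
		mlen = sizeof(failmsg) - 1;

		/* Reset LCP if auth failed */
		sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close);
		sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open);
		sp->pp_auth_failures++;
	}

	/* Lengths go through va_arg(ap, size_t) in sppp_auth_send(). */
	sppp_auth_send(cp, sp, type, ident, (size_t)mlen, msg, (size_t)0);
}

/*
 * Send keepalive packets, every 10 seconds.
 *
 * Callout handler: walks every interface on spppq under SPPPQ_LOCK,
 * enforces the idle timeout, restarts LCP after pp_maxalive unanswered
 * echo requests, otherwise sends an LCP ECHO_REQ, and reschedules
 * itself.
 */
static void
sppp_keepalive(void *dummy)
{
	struct sppp *sp;
	uint32_t now, last_activity;

	SPPPQ_LOCK();

	now = time_uptime32;
	for (sp=spppq; sp; sp=sp->pp_next) {
		SPPP_LOCK(sp, RW_WRITER);
		last_activity = atomic_load_relaxed(&sp->pp_last_activity);

		/* check idle timeout */
		if ((sp->pp_idle_timeout != 0) && sp->pp_connecting
		    && (sp->pp_phase == SPPP_PHASE_NETWORK)) {
			/* idle timeout is enabled for this interface */
			if ((now - last_activity) >= sp->pp_idle_timeout) {
				SPPP_DLOG(sp, "no activity for %lu seconds\n",
				    (unsigned long)(now - last_activity));
				sppp_disconnect(sp);
				SPPP_UNLOCK(sp);
				continue;
			}
		}

		/* Keepalive mode disabled or channel down? */
		if (! ISSET(sp->pp_dev_flags, PP_DEVF_KEEPALIVE) ||
		    ! sp->pp_connecting) {
			SPPP_UNLOCK(sp);
			continue;
		}

		/* No keepalive in PPP mode if LCP not opened yet. */
		if (sp->pp_phase < SPPP_PHASE_AUTHENTICATE) {
			SPPP_UNLOCK(sp);
			continue;
		}

		/* No echo reply, but maybe user data passed through? */
		if (sp->pp_max_noreceive != 0 &&
		    (now - sp->pp_last_receive) < sp->pp_max_noreceive) {
			sp->pp_alivecnt = 0;
			SPPP_UNLOCK(sp);
			continue;
		}

		/* No echo request */
		if (sp->pp_alive_interval == 0) {
			SPPP_UNLOCK(sp);
			continue;
		}

		/* send a ECHO_REQ once in sp->pp_alive_interval times */
		if ((sppp_keepalive_cnt % sp->pp_alive_interval) != 0) {
			SPPP_UNLOCK(sp);
			continue;
		}

		if (sp->pp_alivecnt >= sp->pp_maxalive) {
			/* No keepalive packets got.  Stop the interface. */
			SPPP_LOG(sp, LOG_INFO,"LCP keepalive timed out, "
			    "going to restart the connection\n");

			sp->pp_alivecnt = 0;

			if (sp->pp_flags & PP_IFDOWN)
				sppp_wq_add(sp->wq_cp, &sp->work_ifdown);
			sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close);
			sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open);

			SPPP_UNLOCK(sp);
			continue;
		}
		if (sp->pp_alivecnt < sp->pp_maxalive)
			++sp->pp_alivecnt;
		if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) {
			int32_t nmagic = htonl(sp->lcp.magic);
			sp->lcp.echoid = ++sp->scp[IDX_LCP].seq;
			sppp_cp_send(sp, PPP_LCP, ECHO_REQ,
			    sp->lcp.echoid, 4, &nmagic);
		}

		SPPP_UNLOCK(sp);
	}
	sppp_keepalive_cnt++;
	callout_schedule(&keepalive_ch, hz * sppp_keepalive_interval);

	SPPPQ_UNLOCK();
}

#ifdef INET
/*
 * Get both IP addresses.
 *
 * *src and *dst are returned in host byte order, 0 when unset.
 * *srcmask is written only when a non-zero local address was found,
 * so the caller has to initialise it.
 */
static void
sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask)
{
	struct ifnet *ifp = &sp->pp_if;
	struct ifaddr *ifa;
	uint32_t ssrc, ddst;
	int bound;
	struct psref psref;

	ssrc = ddst = 0;
	/*
	 * Pick the first AF_INET address from the list,
	 * aliases don't make any sense on a p2p link anyway.
	 */
	bound = curlwp_bind();
	ifa = if_first_addr_psref(ifp, AF_INET, &psref);
	if (ifa != NULL) {
		struct sockaddr_in *si = satosin(ifa->ifa_addr);
		struct sockaddr_in *sm = satosin(ifa->ifa_netmask);
		if (si->sin_addr.s_addr) {
			ssrc = si->sin_addr.s_addr;
			if (srcmask)
				*srcmask = ntohl(sm->sin_addr.s_addr);
		}

		si = satosin(ifa->ifa_dstaddr);
		if (si && si->sin_addr.s_addr)
			ddst = si->sin_addr.s_addr;
		ifa_release(ifa, &psref);
	}
	curlwp_bindx(bound);

	if (dst) *dst = ntohl(ddst);
	if (src) *src = ntohl(ssrc);
}

/*
 * Set IP addresses.
 * If an address is 0, leave it the way it is.
 *
 * The sppp lock is dropped and retaken on entry so that IFNET_LOCK is
 * taken first; the function returns with the sppp lock held.
 */
static void
sppp_set_ip_addrs(struct sppp *sp)
{
	struct ifnet *ifp = &sp->pp_if;
	struct ifaddr *ifa;
	struct sockaddr_in *si, *dest;
	uint32_t myaddr = 0, hisaddr = 0;
	int bound;
	struct psref psref;

	KASSERT(SPPP_WLOCKED(sp));

	SPPP_UNLOCK(sp);
	IFNET_LOCK(ifp);
	SPPP_LOCK(sp, RW_WRITER);

	/*
	 * Pick the first AF_INET address from the list,
	 * aliases don't make any sense on a p2p link anyway.
	 */
	si = dest = NULL;
	bound = curlwp_bind();
	ifa = if_first_addr_psref(ifp, AF_INET, &psref);
	if (ifa != NULL) {
		si = satosin(ifa->ifa_addr);
		dest = satosin(ifa->ifa_dstaddr);
	}

	/* A negotiated dynamic address wins over the configured one. */
	if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN))
		myaddr = sp->ipcp.req_myaddr;
	else if (si != NULL)
		myaddr = ntohl(si->sin_addr.s_addr);

	if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN))
		hisaddr = sp->ipcp.req_hisaddr;
	else if (dest != NULL)
		hisaddr = ntohl(dest->sin_addr.s_addr);

	if (si != NULL && dest != NULL) {
		int error;
		struct sockaddr_in new_sin = *si;
		struct sockaddr_in new_dst = *dest;

		if (myaddr != 0)
			new_sin.sin_addr.s_addr = htonl(myaddr);
		if (hisaddr != 0) {
			new_dst.sin_addr.s_addr = htonl(hisaddr);
			/* Remember the old peer address for the clear path. */
			if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr)
				sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr;
		}

		in_addrhash_remove(ifatoia(ifa));

		error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0);

		in_addrhash_insert(ifatoia(ifa));

		if (error) {
			SPPP_DLOG(sp, "%s: in_ifinit failed, error=%d\n",
			    __func__, error);
		} else {
			pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa);
		}
	}
	if (ifa != NULL)
		ifa_release(ifa, &psref);
	curlwp_bindx(bound);

	IFNET_UNLOCK(ifp);
}

/*
 * Clear IP addresses.
 *
 * Dynamic local addresses are reset to 0 and a dynamic peer address is
 * restored from ipcp.saved_hisaddr.  Locking is as in
 * sppp_set_ip_addrs().
 */
static void
sppp_clear_ip_addrs(struct sppp *sp)
{
	struct ifnet *ifp = &sp->pp_if;
	struct ifaddr *ifa;
	struct sockaddr_in *si, *dest;
	int bound;
	struct psref psref;

	KASSERT(SPPP_WLOCKED(sp));

	SPPP_UNLOCK(sp);
	IFNET_LOCK(ifp);
	SPPP_LOCK(sp, RW_WRITER);

	/*
	 * Pick the first AF_INET address from the list,
	 * aliases don't make any sense on a p2p link anyway.
	 */
	si = dest = NULL;
	bound = curlwp_bind();
	ifa = if_first_addr_psref(ifp, AF_INET, &psref);
	if (ifa != NULL) {
		si = satosin(ifa->ifa_addr);
		dest = satosin(ifa->ifa_dstaddr);
		/*
		 * ignore "0.0.0.0" which means ppp is not opened yet.
		 */
		if (si->sin_addr.s_addr == INADDR_ANY)
			si = NULL;
	}

	/*
	 * dest is copied below, so require it as sppp_set_ip_addrs()
	 * does; sppp_get_ip_addrs() also treats ifa_dstaddr as
	 * possibly NULL.
	 */
	if (si != NULL && dest != NULL) {
		struct sockaddr_in new_sin = *si;
		struct sockaddr_in new_dst = *dest;
		int error;

		if (sp->ipcp.flags & IPCP_MYADDR_DYN)
			new_sin.sin_addr.s_addr = 0;
		if (sp->ipcp.flags & IPCP_HISADDR_DYN &&
		    ntohl(sp->ipcp.saved_hisaddr) != 0)
			new_dst.sin_addr.s_addr = sp->ipcp.saved_hisaddr;

		in_addrhash_remove(ifatoia(ifa));

		error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0);

		in_addrhash_insert(ifatoia(ifa));

		if (error) {
			SPPP_DLOG(sp, "%s: in_ifinit failed, error=%d\n",
			    __func__, error);
		} else {
			pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa);
		}
	}
	if (ifa != NULL)
		ifa_release(ifa, &psref);
	curlwp_bindx(bound);

	IFNET_UNLOCK(ifp);
}
#endif

#ifdef INET6
/*
 * Get both IPv6 addresses.
 *
 * *src and *dst are zeroed when no address is set.  *srcmask is
 * written only when a local address was found, so the caller has to
 * initialise it.
 */
static void
sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst,
    struct in6_addr *srcmask)
{
	struct ifnet *ifp = &sp->pp_if;
	struct ifaddr *ifa;
	struct in6_addr ssrc, ddst;
	int bound;
	struct psref psref;

	memset(&ssrc, 0, sizeof(ssrc));
	memset(&ddst, 0, sizeof(ddst));
	/*
	 * Pick the first link-local AF_INET6 address from the list,
	 * aliases don't make any sense on a p2p link anyway.
	 */
	bound = curlwp_bind();
	ifa = in6ifa_first_lladdr_psref(ifp, &psref);
	if (ifa != NULL) {
		struct sockaddr_in6 *si = satosin6(ifa->ifa_addr);
		struct sockaddr_in6 *sm = satosin6(ifa->ifa_netmask);
		if (!IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) {
			memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc));
			if (srcmask) {
				memcpy(srcmask, &sm->sin6_addr,
				    sizeof(*srcmask));
			}
		}

		si = (struct sockaddr_in6 *)ifa->ifa_dstaddr;
		if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr))
			memcpy(&ddst, &si->sin6_addr, sizeof(ddst));
		ifa_release(ifa, &psref);
	}
	curlwp_bindx(bound);

	if (dst)
		memcpy(dst, &ddst, sizeof(*dst));
	if (src)
		memcpy(src, &ssrc, sizeof(*src));
}

#ifdef IPV6CP_MYIFID_DYN
/*
 * Generate random ifid.
 */
static void
sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr)
{
	/* TBD */
}

/*
 * Set my IPv6 address.
 *
 * Locking is as in sppp_set_ip_addrs(): the sppp lock is dropped and
 * retaken so that IFNET_LOCK is taken first.
 */
static void
sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src)
{
	struct ifnet *ifp = &sp->pp_if;
	struct ifaddr *ifa;
	int bound;
	struct psref psref;

	KASSERT(SPPP_WLOCKED(sp));

	SPPP_UNLOCK(sp);
	IFNET_LOCK(ifp);
	SPPP_LOCK(sp, RW_WRITER);

	/*
	 * Pick the first link-local AF_INET6 address from the list,
	 * aliases don't make any sense on a p2p link anyway.
	 */
	bound = curlwp_bind();
	ifa = in6ifa_first_lladdr_psref(ifp, &psref);
	if (ifa != NULL) {
		struct sockaddr_in6 *sin6 = satosin6(ifa->ifa_addr);
		struct sockaddr_in6 new_sin6 = *sin6;
		int error;

		memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr));
		error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1);
		if (error) {
			SPPP_DLOG(sp, "%s: in6_ifinit failed, error=%d\n",
			    __func__, error);
		} else {
			pfil_run_addrhooks(if_pfil, SIOCAIFADDR_IN6, ifa);
		}
		ifa_release(ifa, &psref);
	}
	curlwp_bindx(bound);

	IFNET_UNLOCK(ifp);
}
#endif

/*
 * Suggest a candidate address to be used by peer.
 *
 * The candidate is our own link-local address with the "u" bit cleared
 * and the last two bytes XORed with the low bytes of the current time
 * (or with 0xff when both are zero, so the result always differs from
 * our own address).  The value is time-derived, not random.
 */
static void
sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest)
{
	struct in6_addr myaddr;
	struct timeval tv;

	sppp_get_ip6_addrs(sp, &myaddr, 0, 0);

	myaddr.s6_addr[8] &= ~0x02;	/* u bit to "local" */
	microtime(&tv);
	if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) {
		myaddr.s6_addr[14] ^= 0xff;
		myaddr.s6_addr[15] ^= 0xff;
	} else {
		myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff);
		myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff);
	}
	if (suggest)
		memcpy(suggest, &myaddr, sizeof(myaddr));
}
#endif /*INET6*/

/*
 * Process ioctl requests specific to the PPP interface.
 * Permissions have already been checked.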
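*/
static int
sppp_params(struct sppp *sp, u_long cmd, void *data)
{
	/*
	 * Dispatch on cmd; data is cast to the request structure that
	 * belongs to each command.  Every case takes the sppp lock as
	 * reader (get) or writer (set) around its access to sp.
	 *
	 * Returns 0 on success, ENAMETOOLONG for an undersized (get) or
	 * oversized (set) string, the copyin()/copyout() error, or, for an
	 * unknown command, whatever the compat hook returns (EINVAL when
	 * the hook reports ENOSYS).
	 *
	 * NOTE(review): cfg is dereferenced directly while cfg->myname etc.
	 * go through copyin()/copyout(), so data is presumably the kernel
	 * copy of the ioctl argument and only the embedded pointers are
	 * user addresses -- confirm against the caller.
	 */
	switch (cmd) {
	case SPPPGETAUTHCFG:
	    {
		struct spppauthcfg *cfg = (struct spppauthcfg *)data;
		int error;
		size_t len;

		SPPP_LOCK(sp, RW_READER);

		cfg->myauthflags = sp->myauth.flags;
		cfg->hisauthflags = sp->hisauth.flags;
		strlcpy(cfg->ifname, sp->pp_if.if_xname, sizeof(cfg->ifname));
		cfg->hisauth = sppp_proto2authproto(sp->hisauth.proto);
		cfg->myauth = sppp_proto2authproto(sp->myauth.proto);
		/*
		 * A zero length from the caller is a size query: report
		 * the space needed (name plus terminating NUL) and copy
		 * nothing.  Only the names are exported here; the
		 * secrets are never copied out.
		 */
		if (cfg->myname_length == 0) {
			if (sp->myauth.name != NULL)
				cfg->myname_length = sp->myauth.name_len + 1;
		} else {
			if (sp->myauth.name == NULL) {
				cfg->myname_length = 0;
			} else {
				len = sp->myauth.name_len + 1;

				/* Never write past the caller's buffer. */
				if (cfg->myname_length < len) {
					SPPP_UNLOCK(sp);
					return (ENAMETOOLONG);
				}
				error = copyout(sp->myauth.name, cfg->myname, len);
				if (error) {
					SPPP_UNLOCK(sp);
					return error;
				}
			}
		}
		if (cfg->hisname_length == 0) {
			if (sp->hisauth.name != NULL)
				cfg->hisname_length = sp->hisauth.name_len + 1;
		} else {
			if (sp->hisauth.name == NULL) {
				cfg->hisname_length = 0;
			} else {
				len = sp->hisauth.name_len + 1;

				/* Never write past the caller's buffer. */
				if (cfg->hisname_length < len) {
					SPPP_UNLOCK(sp);
					return (ENAMETOOLONG);
				}
				error = copyout(sp->hisauth.name, cfg->hisname, len);
				if (error) {
					SPPP_UNLOCK(sp);
					return error;
				}
			}
		}
		SPPP_UNLOCK(sp);
	    }
	    break;
	case SPPPSETAUTHCFG:
	    {
		struct spppauthcfg *cfg = (struct spppauthcfg *)data;
		int error;

		SPPP_LOCK(sp, RW_WRITER);

		/*
		 * Drop the current credentials before installing new ones.
		 *
		 * NOTE(review): the old secrets are handed back to the
		 * allocator without being cleared; consider wiping them
		 * (e.g. explicit_memset() over secret_len bytes) before
		 * free().
		 * NOTE(review): every error return below happens after
		 * this point, so a rejected request leaves the interface
		 * with its previous credentials already discarded and any
		 * strings accepted so far installed.
		 */
		if (sp->myauth.name) {
			free(sp->myauth.name, M_DEVBUF);
			sp->myauth.name = NULL;
		}
		if (sp->myauth.secret) {
			free(sp->myauth.secret, M_DEVBUF);
			sp->myauth.secret = NULL;
		}
		if (sp->hisauth.name) {
			free(sp->hisauth.name, M_DEVBUF);
			sp->hisauth.name = NULL;
		}
		if (sp->hisauth.secret) {
			free(sp->hisauth.secret, M_DEVBUF);
			sp->hisauth.secret = NULL;
		}

		/*
		 * Each string below follows the same steps: the length is
		 * caller-controlled, so it is capped below MCLBYTES before
		 * it sizes the allocation; the last copied byte is then
		 * overwritten with NUL so the stored string is terminated
		 * whatever the caller supplied.
		 */
		if (cfg->hisname != NULL && cfg->hisname_length > 0) {
			if (cfg->hisname_length >= MCLBYTES) {
				SPPP_UNLOCK(sp);
				return (ENAMETOOLONG);
			}
			sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK);
			error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length);
			if (error) {
				free(sp->hisauth.name, M_DEVBUF);
				sp->hisauth.name = NULL;
				SPPP_UNLOCK(sp);
				return error;
			}
			sp->hisauth.name_len = cfg->hisname_length - 1;
			sp->hisauth.name[sp->hisauth.name_len] = 0;
		}
		if (cfg->hissecret != NULL && cfg->hissecret_length > 0) {
			if (cfg->hissecret_length >= MCLBYTES) {
				SPPP_UNLOCK(sp);
				return (ENAMETOOLONG);
			}
			sp->hisauth.secret = malloc(cfg->hissecret_length,
			    M_DEVBUF, M_WAITOK);
			error = copyin(cfg->hissecret, sp->hisauth.secret,
			    cfg->hissecret_length);
			if (error) {
				free(sp->hisauth.secret, M_DEVBUF);
				sp->hisauth.secret = NULL;
				SPPP_UNLOCK(sp);
				return error;
			}
			sp->hisauth.secret_len = cfg->hissecret_length - 1;
			sp->hisauth.secret[sp->hisauth.secret_len] = 0;
		}
		if (cfg->myname != NULL && cfg->myname_length > 0) {
			if (cfg->myname_length >= MCLBYTES) {
				SPPP_UNLOCK(sp);
				return (ENAMETOOLONG);
			}
			sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK);
			error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length);
			if (error) {
				free(sp->myauth.name, M_DEVBUF);
				sp->myauth.name = NULL;
				SPPP_UNLOCK(sp);
				return error;
			}
			sp->myauth.name_len = cfg->myname_length - 1;
			sp->myauth.name[sp->myauth.name_len] = 0;
		}
		if (cfg->mysecret != NULL && cfg->mysecret_length > 0) {
			if (cfg->mysecret_length >= MCLBYTES) {
				SPPP_UNLOCK(sp);
				return (ENAMETOOLONG);
			}
			sp->myauth.secret = malloc(cfg->mysecret_length,
			    M_DEVBUF, M_WAITOK);
			error = copyin(cfg->mysecret, sp->myauth.secret,
			    cfg->mysecret_length);
			if (error) {
				free(sp->myauth.secret, M_DEVBUF);
				sp->myauth.secret = NULL;
				SPPP_UNLOCK(sp);
				return error;
			}
			sp->myauth.secret_len = cfg->mysecret_length - 1;
			sp->myauth.secret[sp->myauth.secret_len] = 0;
		}
		sp->myauth.flags = cfg->myauthflags;
		/* SPPP_AUTHPROTO_NOCHG keeps the protocol already set. */
		if (cfg->myauth != SPPP_AUTHPROTO_NOCHG) {
			sp->myauth.proto = sppp_authproto2proto(cfg->myauth);
		}
		sp->hisauth.flags = cfg->hisauthflags;
		if (cfg->hisauth != SPPP_AUTHPROTO_NOCHG) {
			sp->hisauth.proto = sppp_authproto2proto(cfg->hisauth);
		}
		/* New credentials restart the failure count. */
		sp->pp_auth_failures = 0;
		/* The LCP auth-proto option tracks whether the peer must authenticate. */
		if (sp->hisauth.proto != PPP_NOPROTO)
			SET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO);
		else
			CLR(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO);

		SPPP_UNLOCK(sp);
	    }
	    break;
	case SPPPGETLCPCFG:
	    {
		struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data;

		SPPP_LOCK(sp, RW_READER);
		lcpp->lcp_timeout = sp->lcp.timeout;
		SPPP_UNLOCK(sp);
	    }
	    break;
	case SPPPSETLCPCFG:
	    {
		struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data;

		SPPP_LOCK(sp, RW_WRITER);
		sp->lcp.timeout = lcpp->lcp_timeout;
		SPPP_UNLOCK(sp);
	    }
	    break;
	case SPPPGETNCPCFG:
	    {
		struct spppncpcfg *ncpp = (struct spppncpcfg *) data;

		SPPP_LOCK(sp, RW_READER);
		ncpp->ncp_flags = sp->pp_ncpflags;
		SPPP_UNLOCK(sp);
	    }
	    break;
	case SPPPSETNCPCFG:
	    {
		struct spppncpcfg *ncpp = (struct spppncpcfg *) data;

		SPPP_LOCK(sp, RW_WRITER);
		sp->pp_ncpflags = ncpp->ncp_flags;
		SPPP_UNLOCK(sp);
	    }
	    break;
	case SPPPGETSTATUS:
	    {
		struct spppstatus *status = (struct spppstatus *)data;

		SPPP_LOCK(sp, RW_READER);
		status->phase = sp->pp_phase;
		SPPP_UNLOCK(sp);
	    }
	    break;
	case SPPPGETSTATUSNCP:
	    {
		struct spppstatusncp *status = (struct spppstatusncp *)data;

		SPPP_LOCK(sp, RW_READER);
		status->phase = sp->pp_phase;
		status->ncpup = sppp_cp_check(sp, CP_NCP);
		SPPP_UNLOCK(sp);
	    }
	    break;
	case SPPPGETIDLETO:
	    {
		struct spppidletimeout *to = (struct spppidletimeout *)data;

		SPPP_LOCK(sp, RW_READER);
		to->idle_seconds = sp->pp_idle_timeout;
		SPPP_UNLOCK(sp);
	    }
	    break;
	case SPPPSETIDLETO:
	    {
		struct spppidletimeout *to = (struct spppidletimeout *)data;

		SPPP_LOCK(sp, RW_WRITER);
		/*
		 * Clamp the caller's value; presumably this keeps later
		 * time arithmetic on it from overflowing -- confirm.
		 */
		sp->pp_idle_timeout = MIN(to->idle_seconds, INT32_MAX/2);
		SPPP_UNLOCK(sp);
	    }
	    break;
	case SPPPSETAUTHFAILURE:
	    {
		struct spppauthfailuresettings *afsettings =
		    (struct spppauthfailuresettings *)data;

		SPPP_LOCK(sp, RW_WRITER);
		sp->pp_max_auth_fail = afsettings->max_failures;
		sp->pp_auth_failures = 0;
		SPPP_UNLOCK(sp);
	    }
	    break;
	case SPPPGETAUTHFAILURES:
	    {
		struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data;

		SPPP_LOCK(sp, RW_READER);
		stats->auth_failures = sp->pp_auth_failures;
		stats->max_failures = sp->pp_max_auth_fail;
		SPPP_UNLOCK(sp);
	    }
	    break;
	case SPPPSETDNSOPTS:
	    {
		struct spppdnssettings *req = (struct spppdnssettings *)data;

		SPPP_LOCK(sp, RW_WRITER);
		/* Only the two low bits of the request are kept. */
		sp->query_dns = req->query_dns & 3;
		SPPP_UNLOCK(sp);
	    }
	    break;
	case SPPPGETDNSOPTS:
	    {
		struct spppdnssettings *req = (struct spppdnssettings *)data;

		SPPP_LOCK(sp, RW_READER);
		req->query_dns = sp->query_dns;
		SPPP_UNLOCK(sp);
	    }
	    break;
	case SPPPGETDNSADDRS:
	    {
		struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data;

		SPPP_LOCK(sp, RW_READER);
		memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns);
		SPPP_UNLOCK(sp);
	    }
	    break;
	case SPPPGETKEEPALIVE:
	    {
		struct spppkeepalivesettings *settings =
		     (struct spppkeepalivesettings*)data;

		SPPP_LOCK(sp, RW_READER);
		settings->maxalive = sp->pp_maxalive;
		settings->max_noreceive = sp->pp_max_noreceive;
		settings->alive_interval = sp->pp_alive_interval;
		SPPP_UNLOCK(sp);
	    }
	    break;
	case SPPPSETKEEPALIVE:
	    {
		struct spppkeepalivesettings *settings =
		     (struct spppkeepalivesettings*)data;

		SPPP_LOCK(sp, RW_WRITER);
		sp->pp_maxalive = settings->maxalive;
		/* Same clamp as the idle timeout above. */
		sp->pp_max_noreceive = MIN(settings->max_noreceive,
		    INT32_MAX/2);
		sp->pp_alive_interval = settings->alive_interval;
		SPPP_UNLOCK(sp);
	    }
	    break;
	case SPPPGETLCPSTATUS:
	    {
		struct sppplcpstatus *status =
		    (struct sppplcpstatus *)data;

		SPPP_LOCK(sp, RW_READER);
		status->state = sp->scp[IDX_LCP].state;
		status->opts = sp->lcp.opts;
		status->magic = sp->lcp.magic;
		status->mru = sp->lcp.mru;
		SPPP_UNLOCK(sp);
	    }
	    break;
	case SPPPGETIPCPSTATUS:
	    {
		struct spppipcpstatus *status =
		    (struct spppipcpstatus *)data;
		u_int32_t myaddr;

		SPPP_LOCK(sp, RW_READER);
		status->state = sp->scp[IDX_IPCP].state;
		status->opts = sp->ipcp.opts;
#ifdef INET
		sppp_get_ip_addrs(sp, &myaddr, 0, 0);
#else
		myaddr = 0;
#endif
		/* The address is passed through ntohl() before it is reported. */
		status->myaddr = ntohl(myaddr);
		SPPP_UNLOCK(sp);
	    }
	    break;
	case SPPPGETIPV6CPSTATUS:
	    {
		struct spppipv6cpstatus *status =
		    (struct spppipv6cpstatus *)data;

		SPPP_LOCK(sp, RW_READER);
		status->state = sp->scp[IDX_IPV6CP].state;
		memcpy(status->my_ifid, sp->ipv6cp.my_ifid,
		       sizeof(status->my_ifid));
		memcpy(status->his_ifid, sp->ipv6cp.his_ifid,
		       sizeof(status->his_ifid));
		SPPP_UNLOCK(sp);
	    }
	    break;
	default:
	    {
		int ret;

		/*
		 * Unknown here: offer the command to the compat hook,
		 * and fall back to EINVAL when it answers ENOSYS.
		 */
		MODULE_HOOK_CALL(sppp_params_50_hook, (sp, cmd, data),
		    enosys(), ret);
		if (ret != ENOSYS)
			return ret;
		return (EINVAL);
	    }
	}
	return (0);
}

/*
 * Enter the network phase and queue the "open" work of every control
 * protocol flagged CP_NCP.  The caller must hold the sppp lock as writer.
 */
static void
sppp_phase_network(struct sppp *sp)
{
	int i;

	KASSERT(SPPP_WLOCKED(sp));

	sppp_change_phase(sp, SPPP_PHASE_NETWORK);

	/* Notify NCPs now. */
	for (i = 0; i < IDX_COUNT; i++)
		if ((cps[i])->flags & CP_NCP)
			sppp_wq_add(sp->wq_cp, &sp->scp[i].work_open);
}

/*
 * Name of a control-protocol packet type.  Known codes return a string
 * literal; any other code is formatted as hex into buf (when buf is not
 * NULL) and buf is returned, so the result is NULL if buf was NULL.
 */
static const char *
sppp_cp_type_name(char *buf, size_t buflen, u_char type)
{

	switch (type) {
	case CONF_REQ:	return "conf-req";
	case CONF_ACK:	return "conf-ack";
	case CONF_NAK:	return "conf-nak";
	case CONF_REJ:	return "conf-rej";
	case TERM_REQ:	return "term-req";
	case TERM_ACK:	return "term-ack";
	case CODE_REJ:	return "code-rej";
	case PROTO_REJ:	return "proto-rej";
	case ECHO_REQ:	return "echo-req";
	case ECHO_REPLY: return "echo-reply";
	case DISC_REQ:	return "discard-req";
	}
	if (buf != NULL)
		snprintf(buf, buflen, "0x%02x", type);
	return buf;
}

/*
 * Name of a CHAP or PAP packet type.  Known types return a string
 * literal; otherwise "<proto-name>(<proto>) <type>" is formatted into buf
 * (when buf is not NULL) and buf is returned.
 */
static const char *
sppp_auth_type_name(char *buf, size_t buflen, u_short proto, u_char type)
{
	const char *name;

	switch (proto) {
	case PPP_CHAP:
		switch (type) {
		case CHAP_CHALLENGE:	return "challenge";
		case CHAP_RESPONSE:	return "response";
		case CHAP_SUCCESS:	return "success";
		case CHAP_FAILURE:	return "failure";
		default:		name = "chap"; break;
		}
		break;

	case PPP_PAP:
		switch (type) {
		case PAP_REQ:		return "req";
		case PAP_ACK:		return "ack";
		case PAP_NAK:		return "nak";
		default:		name = "pap"; break;
		}
		break;

	default:
		name = "bad";
		break;
	}

	if (buf != NULL)
		snprintf(buf, buflen, "%s(%#x) 0x%02x", name, proto, type);
	return buf;
}

/*
 * Name of an LCP option; unknown options are formatted as hex into buf
 * (when buf is not NULL) and buf is returned.
 */
static const char *
sppp_lcp_opt_name(char *buf, size_t buflen, u_char opt)
{

	switch (opt) {
	case LCP_OPT_MRU:		return "mru";
	case LCP_OPT_ASYNC_MAP:		return "async-map";
	case LCP_OPT_AUTH_PROTO:	return "auth-proto";
	case LCP_OPT_QUAL_PROTO:	return "qual-proto";
	case LCP_OPT_MAGIC:		return "magic";
	case LCP_OPT_PROTO_COMP:	return "proto-comp";
	case LCP_OPT_ADDR_COMP:		return "addr-comp";
	case LCP_OPT_SELF_DESC_PAD:	return "sdpad";
	case LCP_OPT_CALL_BACK:		return "callback";
	case LCP_OPT_COMPOUND_FRMS:	return "cmpd-frms";
	case LCP_OPT_MP_MRRU:		return "mrru";
	case LCP_OPT_MP_SSNHF:		return "mp-ssnhf";
	case LCP_OPT_MP_EID:		return "mp-eid";
	}
	if (buf != NULL)
		snprintf(buf, buflen, "0x%02x", opt);
	return buf;
}

/*
 * Name of an IPCP option; unknown options are formatted as hex into buf
 * (when buf is not NULL) and buf is returned.
 */
static const char *
sppp_ipcp_opt_name(char *buf, size_t buflen, u_char opt)
{

	switch (opt) {
	case IPCP_OPT_ADDRESSES:	return "addresses";
	case IPCP_OPT_COMPRESSION:	return "compression";
	case IPCP_OPT_ADDRESS:		return "address";
	case IPCP_OPT_PRIMDNS:		return "primdns";
	case IPCP_OPT_SECDNS:		return "secdns";
	}
	if (buf != NULL)
		snprintf(buf, buflen, "0x%02x", opt);
	return buf;
}

#ifdef INET6
/*
 * Name of an IPV6CP option; unknown options are formatted as hex into buf
 * (when buf is not NULL) and buf is returned.
 */
static const char *
sppp_ipv6cp_opt_name(char *buf, size_t buflen, u_char opt)
{

	switch (opt) {
	case IPV6CP_OPT_IFID:		return "ifid";
	case IPV6CP_OPT_COMPRESSION:	return "compression";
	}
	if (buf != NULL)
		snprintf(buf, buflen, "0x%02x", opt);
	return buf;
}
#endif

/* Name of a control-protocol state; "illegal" for any other value. */
static const char *
sppp_state_name(int state)
{

	switch (state) {
	case STATE_INITIAL:	return "initial";
	case STATE_STARTING:	return "starting";
	case STATE_CLOSED:	return "closed";
	case STATE_STOPPED:	return "stopped";
	case STATE_CLOSING:	return "closing";
	case STATE_STOPPING:	return "stopping";
	case STATE_REQ_SENT:	return "req-sent";
	case STATE_ACK_RCVD:	return "ack-rcvd";
	case STATE_ACK_SENT:	return "ack-sent";
	case STATE_OPENED:	return "opened";
	}
	return "illegal";
}

/* Name of a link phase; "illegal" for any other value. */
static const char *
sppp_phase_name(int phase)
{

	switch (phase) {
	case SPPP_PHASE_DEAD:		return "dead";
	case SPPP_PHASE_ESTABLISH:	return "establish";
	case SPPP_PHASE_TERMINATE:	return "terminate";
	case SPPP_PHASE_AUTHENTICATE:	return "authenticate";
	case SPPP_PHASE_NETWORK:	return "network";
	}
	return "illegal";
}

/*
 * Name of a PPP protocol number; unknown protocols are formatted as
 * four hex digits into buf (when buf is not NULL) and buf is returned.
 */
static const char *
sppp_proto_name(char *buf, size_t buflen, u_short proto)
{

	switch (proto) {
	case PPP_LCP:	return "lcp";
	case PPP_IPCP:	return "ipcp";
	case PPP_PAP:	return "pap";
	case PPP_CHAP:	return "chap";
	case PPP_IPV6CP: return "ipv6cp";
	}
	if (buf != NULL) {
		/*
		 * Bound the write by the caller's buflen, as the other
		 * name helpers do.  sizeof(buf) is the size of the
		 * pointer, not of the buffer it points to, so it would
		 * truncate the output where pointers are four bytes and
		 * overrun a buffer shorter than a pointer.
		 */
		snprintf(buf, buflen, "0x%04x",
		    (unsigned)proto);
	}
	return buf;
}

/*
 * Log len bytes from p as hex, the first preceded by a space and the
 * rest separated by '-'.
 */
static void
sppp_print_bytes(const u_char *p, u_short len)
{
	/*
	 * Nothing to print.  Without this check the first byte would be
	 * read regardless, and the unsigned --len below would wrap from
	 * 0 to 65535 and walk far past the end of the data.
	 */
	if (len == 0)
		return;

	addlog(" %02x", *p++);
	while (--len > 0)
		addlog("-%02x", *p++);
}

/*
 * Log len bytes from p as text.  Bytes outside the printable ASCII range
 * are escaped, so control characters in the string never reach the log
 * verbatim.
 */
static void
sppp_print_string(const char *p, u_short len)
{
	u_char c;

	while (len-- > 0) {
		c = *p++;
		/*
		 * Print only ASCII chars directly.  RFC 1994 recommends
		 * using only them, but we don't rely on it.
		 */
		if (c < ' ' || c > '~')
			addlog("\\x%x", c);
		else
			addlog("%c", c);
	}
}

/*
 * Format addr as a dotted quad into buf, most significant byte first.
 * Returns buf, which is left untouched (and may be NULL) when NULL was
 * passed in.
 */
static const char *
sppp_dotted_quad(char *buf, size_t buflen, uint32_t addr)
{

	if (buf != NULL) {
		snprintf(buf, buflen, "%u.%u.%u.%u",
			(unsigned int)((addr >> 24) & 0xff),
			(unsigned int)((addr >> 16) & 0xff),
			(unsigned int)((addr >> 8) & 0xff),
			(unsigned int)(addr & 0xff));
	}
	return buf;
}

/* a dummy, used to drop uninteresting events */
static void
sppp_null(struct sppp *unused)
{
	/* do just nothing */
}

/* "This layer started": record cp as active in the LCP protocol mask. */
static void
sppp_tls(const struct cp *cp, struct sppp *sp)
{

	SPPP_DLOG(sp, "%s tls\n", cp->name);

	/* notify lcp that is lower layer */
	sp->lcp.protos |= (1 << cp->protoidx);
}

/*
 * "This layer finished": clear cp from the LCP protocol mask, release its
 * saved conf-req/conf-nak mbufs and let LCP check whether to close.
 */
static void
sppp_tlf(const struct cp *cp, struct sppp *sp)
{

	SPPP_DLOG(sp, "%s tlf\n", cp->name);

	/* notify lcp that is lower layer */
	sp->lcp.protos &= ~(1 << cp->protoidx);

	/* cleanup */
	m_freem(sp->scp[cp->protoidx].mbuf_confreq);
	sp->scp[cp->protoidx].mbuf_confreq = NULL;
	m_freem(sp->scp[cp->protoidx].mbuf_confnak);
	sp->scp[cp->protoidx].mbuf_confnak = NULL;

	sppp_lcp_check_and_close(sp);
}

/*
 * Send a configure reply (conf-ack, conf-nak or conf-rej) for cp.  An
 * empty message or any other packet type is ignored.
 */
static void
sppp_screply(const struct cp *cp, struct sppp *sp, u_char type,
    uint8_t ident, size_t msglen, void *msg)
{

	if (msglen == 0)
		return;

	switch (type) {
	case CONF_ACK:
	case CONF_NAK:
	case CONF_REJ:
		break;
	default:
		return;
	}

	if (sppp_debug_enabled(sp)) {
		char tbuf[SPPP_CPTYPE_NAMELEN];
		const char *cpname;

		cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), type);
		SPPP_LOG(sp, LOG_DEBUG, "send %s\n", cpname);
	}

	sppp_cp_send(sp, cp->proto, type, ident, msglen, msg);
}

/*
 * Take the interface down and purge the control packet queue.  The sppp
 * lock is released around both calls and re-taken as writer before
 * returning, so the caller is expected to hold it on entry.
 */
static void
sppp_ifdown(struct sppp *sp, void *xcp __unused)
{

	SPPP_UNLOCK(sp);
	if_down(&sp->pp_if);
	IF_PURGE(&sp->pp_cpq);
	SPPP_LOCK(sp, RW_WRITER);
}

/* Queue the LCP "up" work. */
static void
sppp_notify_up(struct sppp *sp)
{

	sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_up);
}

/* Queue the LCP "down" work. */
static void
sppp_notify_down(struct sppp *sp)
{

	sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_down);
}

/*
 * Call the pp_tls callback, if one is set.  Entered and left with the
 * sppp lock held as writer; the lock is dropped around the callback, so
 * state read before the call may have changed afterwards.
 */
static void
sppp_notify_tls_wlocked(struct sppp *sp)
{

	KASSERT(SPPP_WLOCKED(sp));

	if (!sp->pp_tls)
		return;

	SPPP_UNLOCK(sp);
	sp->pp_tls(sp);
	SPPP_LOCK(sp, RW_WRITER);
}

/*
 * Call the pp_tlf callback, if one is set.  Entered and left with the
 * sppp lock held as writer; the lock is dropped around the callback, so
 * state read before the call may have changed afterwards.
 */
static void
sppp_notify_tlf_wlocked(struct sppp *sp)
{

	KASSERT(SPPP_WLOCKED(sp));

	if (!sp->pp_tlf)
		return;

	SPPP_UNLOCK(sp);
	sp->pp_tlf(sp);
	SPPP_LOCK(sp, RW_WRITER);
}

/*
 * Workqueue handler: run one queued sppp_work item with the sppp lock
 * held as writer.
 */
static void
sppp_wq_work(struct work *wk, void *xsp)
{
	struct sppp *sp;
	struct sppp_work *work;

	sp = xsp;
	work = container_of(wk, struct sppp_work, work);
	/*
	 * Mark the item free before running it so it can be queued again;
	 * an item that is no longer BUSY (see sppp_wq_wait) is left as is.
	 */
	atomic_cas_uint(&work->state, SPPP_WK_BUSY, SPPP_WK_FREE);

	SPPP_LOCK(sp, RW_WRITER);
	work->func(sp, work->arg);
	SPPP_UNLOCK(sp);
}

/*
 * Create a workqueue whose handler is sppp_wq_work with sp as its
 * argument.  Panics if the workqueue cannot be created.
 */
static struct workqueue *
sppp_wq_create(struct sppp *sp, const char *xnamebuf, pri_t prio, int ipl, int flags)
{
	struct workqueue *wq;
	int error;

	error = workqueue_create(&wq, xnamebuf, sppp_wq_work,
	    (void *)sp, prio, ipl, flags);
	if (error) {
		panic("%s: workqueue_create failed [%s, %d]\n",
		    sp->pp_if.if_xname, xnamebuf, error);
	}

	return wq;
}

/* Destroy a workqueue made by sppp_wq_create. */
static void
sppp_wq_destroy(struct sppp *sp __unused, struct workqueue *wq)
{

	workqueue_destroy(wq);
}

/* Set the function and argument that a work item runs. */
static void
sppp_wq_set(struct sppp_work *work,
    void (*func)(struct sppp *, void *), void *arg)
{

	work->func = func;
	work->arg = arg;
}

/*
 * Queue a work item unless it is already queued or has been made
 * unavailable: only an item in state SPPP_WK_FREE is enqueued.
 */
static void
sppp_wq_add(struct workqueue *wq, struct sppp_work *work)
{

	if (atomic_cas_uint(&work->state, SPPP_WK_FREE, SPPP_WK_BUSY)
	    != SPPP_WK_FREE)
		return;

	KASSERT(work->func != NULL);
	kpreempt_disable();
	workqueue_enqueue(wq, &work->work, NULL);
	kpreempt_enable();
}

/*
 * Mark a work item unavailable, so that later sppp_wq_add calls on it do
 * nothing, then wait for it on the workqueue.
 */
static void
sppp_wq_wait(struct workqueue *wq, struct sppp_work *work)
{

	atomic_swap_uint(&work->state, SPPP_WK_UNAVAIL);
	workqueue_wait(wq, &work->work);
}

/*
 * This file is large.  Tell emacs to highlight it nevertheless.
 *
 * Local Variables:
 * hilit-auto-highlight-maxout: 120000
 * End:
 */

/*
 * Module glue
 */
MODULE(MODULE_CLASS_MISC, sppp_subr, NULL);

/*
 * Module control: init and fini succeed without doing anything; every
 * other command is rejected with ENOTTY.
 */
static int
sppp_subr_modcmd(modcmd_t cmd, void *arg)
{

	switch (cmd) {
	case MODULE_CMD_INIT:
	case MODULE_CMD_FINI:
		return 0;
	case MODULE_CMD_STAT:
	case MODULE_CMD_AUTOUNLOAD:
	default:
		return ENOTTY;
	}
}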