if_spppsubr.c revision 1.180.2.2
1 /* $NetBSD: if_spppsubr.c,v 1.180.2.2 2020/04/08 14:08:57 martin Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak (at) cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun (at) iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.180.2.2 2020/04/08 14:08:57 martin Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_modular.h" 49 #include "opt_compat_netbsd.h" 50 #include "opt_net_mpsafe.h" 51 #endif 52 53 54 #include <sys/param.h> 55 #include <sys/proc.h> 56 #include <sys/systm.h> 57 #include <sys/kernel.h> 58 #include <sys/sockio.h> 59 #include <sys/socket.h> 60 #include <sys/syslog.h> 61 #include <sys/malloc.h> 62 #include <sys/mbuf.h> 63 #include <sys/callout.h> 64 #include <sys/md5.h> 65 #include <sys/inttypes.h> 66 #include <sys/kauth.h> 67 #include <sys/cprng.h> 68 #include <sys/module.h> 69 #include <sys/workqueue.h> 70 #include <sys/atomic.h> 71 #include <sys/compat_stub.h> 72 73 #include <net/if.h> 74 #include <net/netisr.h> 75 #include <net/if_types.h> 76 #include <net/route.h> 77 #include <net/ppp_defs.h> 78 79 #include <netinet/in.h> 80 #include <netinet/in_systm.h> 81 #include <netinet/in_var.h> 82 #ifdef INET 83 #include <netinet/ip.h> 84 #include <netinet/tcp.h> 85 #endif 86 #include <net/ethertypes.h> 87 88 #ifdef INET6 89 #include <netinet6/scope6_var.h> 90 #endif 91 92 #include <net/if_sppp.h> 93 #include <net/if_spppvar.h> 94 95 #ifdef NET_MPSAFE 96 #define SPPPSUBR_MPSAFE 1 97 #endif 98 99 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 100 #define LOOPALIVECNT 3 /* loopback detection tries */ 101 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 102 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 103 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 104 105 /* 106 * Interface flags that can be set in an ifconfig command. 107 * 108 * Setting link0 will make the link passive, i.e. it will be marked 109 * as being administrative openable, but won't be opened to begin 110 * with. Incoming calls will be answered, or subsequent calls with 111 * -link1 will cause the administrative open of the LCP layer. 112 * 113 * Setting link1 will cause the link to auto-dial only as packets 114 * arrive to be sent. 115 * 116 * Setting IFF_DEBUG will syslog the option negotiation and state 117 * transitions at level kern.debug. Note: all logs consistently look 118 * like 119 * 120 * <if-name><unit>: <proto-name> <additional info...> 121 * 122 * with <if-name><unit> being something like "bppp0", and <proto-name> 123 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 124 */ 125 126 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 127 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 128 129 #define CONF_REQ 1 /* PPP configure request */ 130 #define CONF_ACK 2 /* PPP configure acknowledge */ 131 #define CONF_NAK 3 /* PPP configure negative ack */ 132 #define CONF_REJ 4 /* PPP configure reject */ 133 #define TERM_REQ 5 /* PPP terminate request */ 134 #define TERM_ACK 6 /* PPP terminate acknowledge */ 135 #define CODE_REJ 7 /* PPP code reject */ 136 #define PROTO_REJ 8 /* PPP protocol reject */ 137 #define ECHO_REQ 9 /* PPP echo request */ 138 #define ECHO_REPLY 10 /* PPP echo reply */ 139 #define DISC_REQ 11 /* PPP discard request */ 140 141 #define LCP_OPT_MRU 1 /* maximum receive unit */ 142 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 143 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 144 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 145 #define LCP_OPT_MAGIC 5 /* magic number */ 146 #define LCP_OPT_RESERVED 6 /* reserved */ 147 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 148 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 149 #define LCP_OPT_FCS_ALTS 9 /* FCS alternatives */ 150 #define LCP_OPT_SELF_DESC_PAD 10 /* self-describing padding */ 151 #define LCP_OPT_CALL_BACK 13 /* callback */ 152 #define LCP_OPT_COMPOUND_FRMS 15 /* compound frames */ 153 #define LCP_OPT_MP_MRRU 17 /* multilink MRRU */ 154 #define LCP_OPT_MP_SSNHF 18 /* multilink short seq. numbers */ 155 #define LCP_OPT_MP_EID 19 /* multilink endpoint discriminator */ 156 157 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 158 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 159 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 160 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 161 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 162 163 #define IPCP_UPDATE_LIMIT 8 /* limit of pending IP updating job */ 164 #define IPCP_SET_ADDRS 1 /* marker for IP address setting job */ 165 #define IPCP_CLEAR_ADDRS 2 /* marker for IP address clearing job */ 166 167 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 168 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 169 170 #define PAP_REQ 1 /* PAP name/password request */ 171 #define PAP_ACK 2 /* PAP acknowledge */ 172 #define PAP_NAK 3 /* PAP fail */ 173 174 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 175 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 176 #define CHAP_SUCCESS 3 /* CHAP response ok */ 177 #define CHAP_FAILURE 4 /* CHAP response failed */ 178 179 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 180 181 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 182 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 183 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 184 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 185 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 186 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 187 188 /* states are named and numbered according to RFC 1661 */ 189 #define STATE_INITIAL 0 190 #define STATE_STARTING 1 191 #define STATE_CLOSED 2 192 #define STATE_STOPPED 3 193 #define STATE_CLOSING 4 194 #define STATE_STOPPING 5 195 #define STATE_REQ_SENT 6 196 #define STATE_ACK_RCVD 7 197 #define STATE_ACK_SENT 8 198 #define STATE_OPENED 9 199 200 struct ppp_header { 201 uint8_t address; 202 uint8_t control; 203 uint16_t protocol; 204 } __packed; 205 #define PPP_HEADER_LEN sizeof (struct ppp_header) 206 207 struct lcp_header { 208 uint8_t type; 209 uint8_t ident; 210 uint16_t len; 211 } __packed; 212 #define LCP_HEADER_LEN sizeof (struct lcp_header) 213 214 struct cisco_packet { 215 uint32_t type; 216 uint32_t par1; 217 uint32_t par2; 218 uint16_t rel; 219 uint16_t time0; 220 uint16_t time1; 221 } __packed; 222 #define CISCO_PACKET_LEN 18 223 224 /* 225 * We follow the spelling and capitalization of RFC 1661 here, to make 226 * it easier comparing with the standard. Please refer to this RFC in 227 * case you can't make sense out of these abbreviation; it will also 228 * explain the semantics related to the various events and actions. 229 */ 230 struct cp { 231 u_short proto; /* PPP control protocol number */ 232 u_char protoidx; /* index into state table in struct sppp */ 233 u_char flags; 234 #define CP_LCP 0x01 /* this is the LCP */ 235 #define CP_AUTH 0x02 /* this is an authentication protocol */ 236 #define CP_NCP 0x04 /* this is a NCP */ 237 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 238 const char *name; /* name of this control protocol */ 239 /* event handlers */ 240 void (*Up)(struct sppp *sp); 241 void (*Down)(struct sppp *sp); 242 void (*Open)(struct sppp *sp); 243 void (*Close)(struct sppp *sp); 244 void (*TO)(void *sp); 245 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 246 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 247 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 248 /* actions */ 249 void (*tlu)(struct sppp *sp); 250 void (*tld)(struct sppp *sp); 251 void (*tls)(struct sppp *sp); 252 void (*tlf)(struct sppp *sp); 253 void (*scr)(struct sppp *sp); 254 }; 255 256 static struct sppp *spppq; 257 static kmutex_t *spppq_lock = NULL; 258 static callout_t keepalive_ch; 259 260 #define SPPPQ_LOCK() if (spppq_lock) \ 261 mutex_enter(spppq_lock); 262 #define SPPPQ_UNLOCK() if (spppq_lock) \ 263 mutex_exit(spppq_lock); 264 265 #define SPPP_LOCK(_sp, _op) rw_enter(&(_sp)->pp_lock, (_op)) 266 #define SPPP_UNLOCK(_sp) rw_exit(&(_sp)->pp_lock) 267 #define SPPP_WLOCKED(_sp) rw_write_held(&(_sp)->pp_lock) 268 #define SPPP_UPGRADE(_sp) do{ \ 269 SPPP_UNLOCK(_sp); \ 270 SPPP_LOCK(_sp, RW_WRITER); \ 271 }while (0) 272 #define SPPP_DOWNGRADE(_sp) rw_downgrade(&(_sp)->pp_lock) 273 274 #ifdef INET 275 #ifndef SPPPSUBR_MPSAFE 276 /* 277 * The following disgusting hack gets around the problem that IP TOS 278 * can't be set yet. We want to put "interactive" traffic on a high 279 * priority queue. To decide if traffic is interactive, we check that 280 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 281 * 282 * XXX is this really still necessary? - joerg - 283 */ 284 static u_short interactive_ports[8] = { 285 0, 513, 0, 0, 286 0, 21, 0, 23, 287 }; 288 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 289 #endif /* SPPPSUBR_MPSAFE */ 290 #endif 291 292 /* almost every function needs these */ 293 #define STDDCL \ 294 struct ifnet *ifp = &sp->pp_if; \ 295 int debug = ifp->if_flags & IFF_DEBUG 296 297 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 298 const struct sockaddr *dst, const struct rtentry *rt); 299 300 static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2); 301 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 302 303 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 304 struct mbuf *m); 305 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 306 u_char ident, u_short len, void *data); 307 /* static void sppp_cp_timeout(void *arg); */ 308 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 309 int newstate); 310 static void sppp_auth_send(const struct cp *cp, 311 struct sppp *sp, unsigned int type, unsigned int id, 312 ...); 313 314 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 315 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 316 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 317 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 318 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 319 320 static void sppp_null(struct sppp *sp); 321 322 static void sppp_lcp_init(struct sppp *sp); 323 static void sppp_lcp_up(struct sppp *sp); 324 static void sppp_lcp_down(struct sppp *sp); 325 static void sppp_lcp_open(struct sppp *sp); 326 static void sppp_lcp_close(struct sppp *sp); 327 static void sppp_lcp_TO(void *sp); 328 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 329 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 330 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 331 static void sppp_lcp_tlu(struct sppp *sp); 332 static void sppp_lcp_tld(struct sppp *sp); 333 static void sppp_lcp_tls(struct sppp *sp); 334 static void sppp_lcp_tlf(struct sppp *sp); 335 static void sppp_lcp_scr(struct sppp *sp); 336 static void sppp_lcp_check_and_close(struct sppp *sp); 337 static int sppp_ncp_check(struct sppp *sp); 338 339 static void sppp_ipcp_init(struct sppp *sp); 340 static void sppp_ipcp_up(struct sppp *sp); 341 static void sppp_ipcp_down(struct sppp *sp); 342 static void sppp_ipcp_open(struct sppp *sp); 343 static void sppp_ipcp_close(struct sppp *sp); 344 static void sppp_ipcp_TO(void *sp); 345 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 346 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 347 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 348 static void sppp_ipcp_tlu(struct sppp *sp); 349 static void sppp_ipcp_tld(struct sppp *sp); 350 static void sppp_ipcp_tls(struct sppp *sp); 351 static void sppp_ipcp_tlf(struct sppp *sp); 352 static void sppp_ipcp_scr(struct sppp *sp); 353 354 static void sppp_ipv6cp_init(struct sppp *sp); 355 static void sppp_ipv6cp_up(struct sppp *sp); 356 static void sppp_ipv6cp_down(struct sppp *sp); 357 static void sppp_ipv6cp_open(struct sppp *sp); 358 static void sppp_ipv6cp_close(struct sppp *sp); 359 static void sppp_ipv6cp_TO(void *sp); 360 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 361 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 362 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 363 static void sppp_ipv6cp_tlu(struct sppp *sp); 364 static void sppp_ipv6cp_tld(struct sppp *sp); 365 static void sppp_ipv6cp_tls(struct sppp *sp); 366 static void sppp_ipv6cp_tlf(struct sppp *sp); 367 static void sppp_ipv6cp_scr(struct sppp *sp); 368 369 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 370 static void sppp_pap_init(struct sppp *sp); 371 static void sppp_pap_open(struct sppp *sp); 372 static void sppp_pap_close(struct sppp *sp); 373 static void sppp_pap_TO(void *sp); 374 static void sppp_pap_my_TO(void *sp); 375 static void sppp_pap_tlu(struct sppp *sp); 376 static void sppp_pap_tld(struct sppp *sp); 377 static void sppp_pap_scr(struct sppp *sp); 378 379 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 380 static void sppp_chap_init(struct sppp *sp); 381 static void sppp_chap_open(struct sppp *sp); 382 static void sppp_chap_close(struct sppp *sp); 383 static void sppp_chap_TO(void *sp); 384 static void sppp_chap_tlu(struct sppp *sp); 385 static void sppp_chap_tld(struct sppp *sp); 386 static void sppp_chap_scr(struct sppp *sp); 387 388 static const char *sppp_auth_type_name(u_short proto, u_char type); 389 static const char *sppp_cp_type_name(u_char type); 390 static const char *sppp_dotted_quad(uint32_t addr); 391 static const char *sppp_ipcp_opt_name(u_char opt); 392 #ifdef INET6 393 static const char *sppp_ipv6cp_opt_name(u_char opt); 394 #endif 395 static const char *sppp_lcp_opt_name(u_char opt); 396 static const char *sppp_phase_name(int phase); 397 static const char *sppp_proto_name(u_short proto); 398 static const char *sppp_state_name(int state); 399 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 400 #ifdef INET 401 static void sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, 402 uint32_t *srcmask); 403 static void sppp_set_ip_addrs_work(struct work *wk, struct sppp *sp); 404 static void sppp_set_ip_addrs(struct sppp *sp); 405 static void sppp_clear_ip_addrs_work(struct work *wk, struct sppp *sp); 406 static void sppp_clear_ip_addrs(struct sppp *sp); 407 static void sppp_update_ip_addrs_work(struct work *wk, void *arg); 408 #endif 409 static void sppp_keepalive(void *dummy); 410 static void sppp_phase_network(struct sppp *sp); 411 static void sppp_print_bytes(const u_char *p, u_short len); 412 static void sppp_print_string(const char *p, u_short len); 413 #ifdef INET6 414 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 415 struct in6_addr *dst, struct in6_addr *srcmask); 416 #ifdef IPV6CP_MYIFID_DYN 417 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 418 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 419 #endif 420 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 421 #endif 422 423 static void sppp_notify_up(struct sppp *); 424 static void sppp_notify_down(struct sppp *); 425 static void sppp_notify_tls_wlocked(struct sppp *); 426 static void sppp_notify_tlf_wlocked(struct sppp *); 427 #ifdef INET6 428 static void sppp_notify_con_wlocked(struct sppp *); 429 #endif 430 static void sppp_notify_con(struct sppp *); 431 432 static void sppp_notify_chg_wlocked(struct sppp *); 433 434 435 /* our control protocol descriptors */ 436 static const struct cp lcp = { 437 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 438 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 439 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 440 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 441 sppp_lcp_scr 442 }; 443 444 static const struct cp ipcp = { 445 PPP_IPCP, IDX_IPCP, 446 #ifdef INET 447 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 448 #else 449 0, 450 #endif 451 "ipcp", 452 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 453 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 454 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 455 sppp_ipcp_scr 456 }; 457 458 static const struct cp ipv6cp = { 459 PPP_IPV6CP, IDX_IPV6CP, 460 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 461 CP_NCP, 462 #else 463 0, 464 #endif 465 "ipv6cp", 466 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 467 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 468 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 469 sppp_ipv6cp_scr 470 }; 471 472 static const struct cp pap = { 473 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 474 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 475 sppp_pap_TO, 0, 0, 0, 476 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 477 sppp_pap_scr 478 }; 479 480 static const struct cp chap = { 481 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 482 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 483 sppp_chap_TO, 0, 0, 0, 484 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 485 sppp_chap_scr 486 }; 487 488 static const struct cp *cps[IDX_COUNT] = { 489 &lcp, /* IDX_LCP */ 490 &ipcp, /* IDX_IPCP */ 491 &ipv6cp, /* IDX_IPV6CP */ 492 &pap, /* IDX_PAP */ 493 &chap, /* IDX_CHAP */ 494 }; 495 496 static void 497 sppp_change_phase(struct sppp *sp, int phase) 498 { 499 STDDCL; 500 501 KASSERT(SPPP_WLOCKED(sp)); 502 503 if (sp->pp_phase == phase) 504 return; 505 506 sp->pp_phase = phase; 507 508 if (phase == SPPP_PHASE_NETWORK) 509 if_link_state_change(ifp, LINK_STATE_UP); 510 else 511 if_link_state_change(ifp, LINK_STATE_DOWN); 512 513 if (debug) 514 { 515 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 516 sppp_phase_name(sp->pp_phase)); 517 } 518 } 519 520 /* 521 * Exported functions, comprising our interface to the lower layer. 522 */ 523 524 /* 525 * Process the received packet. 526 */ 527 void 528 sppp_input(struct ifnet *ifp, struct mbuf *m) 529 { 530 struct ppp_header *h = NULL; 531 pktqueue_t *pktq = NULL; 532 struct ifqueue *inq = NULL; 533 uint16_t protocol; 534 struct sppp *sp = (struct sppp *)ifp; 535 int debug = ifp->if_flags & IFF_DEBUG; 536 int isr = 0; 537 538 SPPP_LOCK(sp, RW_READER); 539 540 if (ifp->if_flags & IFF_UP) { 541 /* Count received bytes, add hardware framing */ 542 if_statadd(ifp, if_ibytes, m->m_pkthdr.len + sp->pp_framebytes); 543 /* Note time of last receive */ 544 sp->pp_last_receive = time_uptime; 545 } 546 547 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 548 /* Too small packet, drop it. */ 549 if (debug) 550 log(LOG_DEBUG, 551 "%s: input packet is too small, %d bytes\n", 552 ifp->if_xname, m->m_pkthdr.len); 553 drop: 554 if_statadd2(ifp, if_ierrors, 1, if_iqdrops, 1); 555 m_freem(m); 556 SPPP_UNLOCK(sp); 557 return; 558 } 559 560 if (sp->pp_flags & PP_NOFRAMING) { 561 memcpy(&protocol, mtod(m, void *), 2); 562 protocol = ntohs(protocol); 563 m_adj(m, 2); 564 } else { 565 566 /* Get PPP header. */ 567 h = mtod(m, struct ppp_header *); 568 m_adj(m, PPP_HEADER_LEN); 569 570 switch (h->address) { 571 case PPP_ALLSTATIONS: 572 if (h->control != PPP_UI) 573 goto invalid; 574 if (sp->pp_flags & PP_CISCO) { 575 if (debug) 576 log(LOG_DEBUG, 577 "%s: PPP packet in Cisco mode " 578 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 579 ifp->if_xname, 580 h->address, h->control, ntohs(h->protocol)); 581 goto drop; 582 } 583 break; 584 case CISCO_MULTICAST: 585 case CISCO_UNICAST: 586 /* Don't check the control field here (RFC 1547). */ 587 if (! (sp->pp_flags & PP_CISCO)) { 588 if (debug) 589 log(LOG_DEBUG, 590 "%s: Cisco packet in PPP mode " 591 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 592 ifp->if_xname, 593 h->address, h->control, ntohs(h->protocol)); 594 goto drop; 595 } 596 switch (ntohs(h->protocol)) { 597 default: 598 if_statinc(ifp, if_noproto); 599 goto invalid; 600 case CISCO_KEEPALIVE: 601 SPPP_UNLOCK(sp); 602 sppp_cisco_input((struct sppp *) ifp, m); 603 m_freem(m); 604 return; 605 #ifdef INET 606 case ETHERTYPE_IP: 607 pktq = ip_pktq; 608 break; 609 #endif 610 #ifdef INET6 611 case ETHERTYPE_IPV6: 612 pktq = ip6_pktq; 613 break; 614 #endif 615 } 616 goto queue_pkt; 617 default: /* Invalid PPP packet. */ 618 invalid: 619 if (debug) 620 log(LOG_DEBUG, 621 "%s: invalid input packet " 622 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 623 ifp->if_xname, 624 h->address, h->control, ntohs(h->protocol)); 625 goto drop; 626 } 627 protocol = ntohs(h->protocol); 628 } 629 630 switch (protocol) { 631 default: 632 if (sp->state[IDX_LCP] == STATE_OPENED) { 633 uint16_t prot = htons(protocol); 634 635 SPPP_UPGRADE(sp); 636 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 637 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 638 &prot); 639 SPPP_DOWNGRADE(sp); 640 } 641 if (debug) 642 log(LOG_DEBUG, 643 "%s: invalid input protocol " 644 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol)); 645 if_statinc(ifp, if_noproto); 646 goto drop; 647 case PPP_LCP: 648 SPPP_UNLOCK(sp); 649 sppp_cp_input(&lcp, sp, m); 650 m_freem(m); 651 return; 652 case PPP_PAP: 653 SPPP_UNLOCK(sp); 654 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 655 sppp_pap_input(sp, m); 656 } 657 m_freem(m); 658 return; 659 case PPP_CHAP: 660 SPPP_UNLOCK(sp); 661 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 662 sppp_chap_input(sp, m); 663 } 664 m_freem(m); 665 return; 666 #ifdef INET 667 case PPP_IPCP: 668 SPPP_UNLOCK(sp); 669 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 670 sppp_cp_input(&ipcp, sp, m); 671 } 672 m_freem(m); 673 return; 674 case PPP_IP: 675 if (sp->state[IDX_IPCP] == STATE_OPENED) { 676 sp->pp_last_activity = time_uptime; 677 pktq = ip_pktq; 678 } 679 break; 680 #endif 681 #ifdef INET6 682 case PPP_IPV6CP: 683 SPPP_UNLOCK(sp); 684 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 685 sppp_cp_input(&ipv6cp, sp, m); 686 } 687 m_freem(m); 688 return; 689 690 case PPP_IPV6: 691 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 692 sp->pp_last_activity = time_uptime; 693 pktq = ip6_pktq; 694 } 695 break; 696 #endif 697 } 698 699 queue_pkt: 700 if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) { 701 goto drop; 702 } 703 704 /* Check queue. */ 705 if (__predict_true(pktq)) { 706 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 707 goto drop; 708 } 709 SPPP_UNLOCK(sp); 710 return; 711 } 712 713 SPPP_UNLOCK(sp); 714 715 IFQ_LOCK(inq); 716 if (IF_QFULL(inq)) { 717 /* Queue overflow. */ 718 IF_DROP(inq); 719 IFQ_UNLOCK(inq); 720 if (debug) 721 log(LOG_DEBUG, "%s: protocol queue overflow\n", 722 ifp->if_xname); 723 724 SPPP_LOCK(sp, RW_READER); 725 goto drop; 726 } 727 IF_ENQUEUE(inq, m); 728 IFQ_UNLOCK(inq); 729 schednetisr(isr); 730 } 731 732 /* 733 * Enqueue transmit packet. 734 */ 735 static int 736 sppp_output(struct ifnet *ifp, struct mbuf *m, 737 const struct sockaddr *dst, const struct rtentry *rt) 738 { 739 struct sppp *sp = (struct sppp *) ifp; 740 struct ppp_header *h = NULL; 741 #ifndef SPPPSUBR_MPSAFE 742 struct ifqueue *ifq = NULL; /* XXX */ 743 #endif 744 int s, error = 0; 745 uint16_t protocol; 746 size_t pktlen; 747 748 s = splnet(); 749 SPPP_LOCK(sp, RW_READER); 750 751 sp->pp_last_activity = time_uptime; 752 753 if ((ifp->if_flags & IFF_UP) == 0 || 754 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 755 SPPP_UNLOCK(sp); 756 splx(s); 757 758 m_freem(m); 759 760 return (ENETDOWN); 761 } 762 763 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 764 /* 765 * Interface is not yet running, but auto-dial. Need 766 * to start LCP for it. 767 */ 768 ifp->if_flags |= IFF_RUNNING; 769 770 SPPP_UNLOCK(sp); 771 splx(s); 772 773 SPPP_LOCK(sp, RW_WRITER); 774 lcp.Open(sp); 775 SPPP_UNLOCK(sp); 776 777 s = splnet(); 778 SPPP_LOCK(sp, RW_READER); 779 } 780 781 /* 782 * If the queueing discipline needs packet classification, 783 * do it before prepending link headers. 784 */ 785 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family); 786 787 #ifdef INET 788 if (dst->sa_family == AF_INET) { 789 struct ip *ip = NULL; 790 #ifndef SPPPSUBR_MPSAFE 791 struct tcphdr *th = NULL; 792 #endif 793 794 if (m->m_len >= sizeof(struct ip)) { 795 ip = mtod(m, struct ip *); 796 #ifndef SPPPSUBR_MPSAFE 797 if (ip->ip_p == IPPROTO_TCP && 798 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 799 sizeof(struct tcphdr)) { 800 th = (struct tcphdr *) 801 ((char *)ip + (ip->ip_hl << 2)); 802 } 803 #endif 804 } else 805 ip = NULL; 806 807 /* 808 * When using dynamic local IP address assignment by using 809 * 0.0.0.0 as a local address, the first TCP session will 810 * not connect because the local TCP checksum is computed 811 * using 0.0.0.0 which will later become our real IP address 812 * so the TCP checksum computed at the remote end will 813 * become invalid. So we 814 * - don't let packets with src ip addr 0 thru 815 * - we flag TCP packets with src ip 0 as an error 816 */ 817 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 818 uint8_t proto = ip->ip_p; 819 820 SPPP_UNLOCK(sp); 821 splx(s); 822 823 m_freem(m); 824 if (proto == IPPROTO_TCP) 825 return (EADDRNOTAVAIL); 826 else 827 return (0); 828 } 829 830 #ifndef SPPPSUBR_MPSAFE 831 /* 832 * Put low delay, telnet, rlogin and ftp control packets 833 * in front of the queue. 834 */ 835 if (!IF_QFULL(&sp->pp_fastq) && 836 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 837 (th && (INTERACTIVE(ntohs(th->th_sport)) || 838 INTERACTIVE(ntohs(th->th_dport)))))) 839 ifq = &sp->pp_fastq; 840 #endif /* !SPPPSUBR_MPSAFE */ 841 } 842 #endif 843 844 #ifdef INET6 845 if (dst->sa_family == AF_INET6) { 846 /* XXX do something tricky here? */ 847 } 848 #endif 849 850 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 851 /* 852 * Prepend general data packet PPP header. For now, IP only. 853 */ 854 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 855 if (! m) { 856 if (ifp->if_flags & IFF_DEBUG) 857 log(LOG_DEBUG, "%s: no memory for transmit header\n", 858 ifp->if_xname); 859 if_statinc(ifp, if_oerrors); 860 SPPP_UNLOCK(sp); 861 splx(s); 862 return (ENOBUFS); 863 } 864 /* 865 * May want to check size of packet 866 * (albeit due to the implementation it's always enough) 867 */ 868 h = mtod(m, struct ppp_header *); 869 if (sp->pp_flags & PP_CISCO) { 870 h->address = CISCO_UNICAST; /* unicast address */ 871 h->control = 0; 872 } else { 873 h->address = PPP_ALLSTATIONS; /* broadcast address */ 874 h->control = PPP_UI; /* Unnumbered Info */ 875 } 876 } 877 878 switch (dst->sa_family) { 879 #ifdef INET 880 case AF_INET: /* Internet Protocol */ 881 if (sp->pp_flags & PP_CISCO) 882 protocol = htons(ETHERTYPE_IP); 883 else { 884 /* 885 * Don't choke with an ENETDOWN early. It's 886 * possible that we just started dialing out, 887 * so don't drop the packet immediately. If 888 * we notice that we run out of buffer space 889 * below, we will however remember that we are 890 * not ready to carry IP packets, and return 891 * ENETDOWN, as opposed to ENOBUFS. 892 */ 893 protocol = htons(PPP_IP); 894 if (sp->state[IDX_IPCP] != STATE_OPENED) 895 error = ENETDOWN; 896 } 897 break; 898 #endif 899 #ifdef INET6 900 case AF_INET6: /* Internet Protocol version 6 */ 901 if (sp->pp_flags & PP_CISCO) 902 protocol = htons(ETHERTYPE_IPV6); 903 else { 904 /* 905 * Don't choke with an ENETDOWN early. It's 906 * possible that we just started dialing out, 907 * so don't drop the packet immediately. If 908 * we notice that we run out of buffer space 909 * below, we will however remember that we are 910 * not ready to carry IP packets, and return 911 * ENETDOWN, as opposed to ENOBUFS. 912 */ 913 protocol = htons(PPP_IPV6); 914 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 915 error = ENETDOWN; 916 } 917 break; 918 #endif 919 default: 920 m_freem(m); 921 if_statinc(ifp, if_oerrors); 922 SPPP_UNLOCK(sp); 923 splx(s); 924 return (EAFNOSUPPORT); 925 } 926 927 if (sp->pp_flags & PP_NOFRAMING) { 928 M_PREPEND(m, 2, M_DONTWAIT); 929 if (m == NULL) { 930 if (ifp->if_flags & IFF_DEBUG) 931 log(LOG_DEBUG, "%s: no memory for transmit header\n", 932 ifp->if_xname); 933 if_statinc(ifp, if_oerrors); 934 SPPP_UNLOCK(sp); 935 splx(s); 936 return (ENOBUFS); 937 } 938 *mtod(m, uint16_t *) = protocol; 939 } else { 940 h->protocol = protocol; 941 } 942 943 pktlen = m->m_pkthdr.len; 944 #ifdef SPPPSUBR_MPSAFE 945 SPPP_UNLOCK(sp); 946 error = if_transmit_lock(ifp, m); 947 SPPP_LOCK(sp, RW_READER); 948 if (error == 0) 949 if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes); 950 #else /* !SPPPSUBR_MPSAFE */ 951 error = ifq_enqueue2(ifp, ifq, m); 952 953 if (error == 0) { 954 /* 955 * Count output packets and bytes. 956 * The packet length includes header + additional hardware 957 * framing according to RFC 1333. 958 */ 959 if (!(ifp->if_flags & IFF_OACTIVE)) { 960 SPPP_UNLOCK(sp); 961 if_start_lock(ifp); 962 SPPP_LOCK(sp, RW_READER); 963 } 964 if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes); 965 } 966 #endif /* !SPPPSUBR_MPSAFE */ 967 SPPP_UNLOCK(sp); 968 splx(s); 969 return error; 970 } 971 972 static int 973 sppp_mediachange(struct ifnet *ifp) 974 { 975 976 return (0); 977 } 978 979 static void 980 sppp_mediastatus(struct ifnet *ifp, struct ifmediareq *imr) 981 { 982 int link_state; 983 984 link_state = atomic_load_relaxed(&ifp->if_link_state); 985 switch (link_state) { 986 case LINK_STATE_UP: 987 imr->ifm_status = IFM_AVALID | IFM_ACTIVE; 988 break; 989 case LINK_STATE_DOWN: 990 imr->ifm_status = IFM_AVALID; 991 break; 992 default: 993 /* Should be impossible as we set link state down in attach. */ 994 imr->ifm_status = 0; 995 break; 996 } 997 } 998 999 void 1000 sppp_attach(struct ifnet *ifp) 1001 { 1002 struct sppp *sp = (struct sppp *) ifp; 1003 1004 /* Initialize keepalive handler. */ 1005 if (! spppq) { 1006 callout_init(&keepalive_ch, CALLOUT_MPSAFE); 1007 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 1008 } 1009 1010 if (! spppq_lock) 1011 spppq_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_SOFTNET); 1012 1013 /* Insert new entry into the keepalive list. */ 1014 sp->pp_next = spppq; 1015 spppq = sp; 1016 1017 sp->pp_if.if_type = IFT_PPP; 1018 sp->pp_if.if_output = sppp_output; 1019 sp->pp_fastq.ifq_maxlen = 32; 1020 sp->pp_cpq.ifq_maxlen = 20; 1021 sp->pp_loopcnt = 0; 1022 sp->pp_alivecnt = 0; 1023 sp->pp_last_activity = 0; 1024 sp->pp_last_receive = 0; 1025 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 1026 sp->pp_max_noreceive = DEFAULT_NORECV_TIME; 1027 sp->pp_idle_timeout = 0; 1028 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq)); 1029 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq)); 1030 sp->pp_auth_failures = 0; 1031 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 1032 sp->pp_phase = SPPP_PHASE_DEAD; 1033 sp->pp_up = sppp_notify_up; 1034 sp->pp_down = sppp_notify_down; 1035 rw_init(&sp->pp_lock); 1036 1037 if_alloc_sadl(ifp); 1038 1039 /* Lets not beat about the bush, we know we're down. */ 1040 ifp->if_link_state = LINK_STATE_DOWN; 1041 /* There is no media for PPP, but it's needed to report link status. */ 1042 ifmedia_init(&sp->pp_im, 0, sppp_mediachange, sppp_mediastatus); 1043 1044 memset(&sp->myauth, 0, sizeof sp->myauth); 1045 memset(&sp->hisauth, 0, sizeof sp->hisauth); 1046 SPPP_LOCK(sp, RW_WRITER); 1047 sppp_lcp_init(sp); 1048 sppp_ipcp_init(sp); 1049 sppp_ipv6cp_init(sp); 1050 sppp_pap_init(sp); 1051 sppp_chap_init(sp); 1052 SPPP_UNLOCK(sp); 1053 } 1054 1055 void 1056 sppp_detach(struct ifnet *ifp) 1057 { 1058 struct sppp **q, *p, *sp = (struct sppp *) ifp; 1059 1060 /* Remove the entry from the keepalive list. */ 1061 SPPPQ_LOCK(); 1062 for (q = &spppq; (p = *q); q = &p->pp_next) 1063 if (p == sp) { 1064 *q = p->pp_next; 1065 break; 1066 } 1067 SPPPQ_UNLOCK(); 1068 1069 if (! spppq) { 1070 /* Stop keepalive handler. */ 1071 callout_stop(&keepalive_ch); 1072 mutex_obj_free(spppq_lock); 1073 spppq_lock = NULL; 1074 } 1075 1076 SPPP_LOCK(sp, RW_WRITER); 1077 1078 /* to avoid workqueue enqueued */ 1079 atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1); 1080 workqueue_wait(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk); 1081 workqueue_destroy(sp->ipcp.update_addrs_wq); 1082 pcq_destroy(sp->ipcp.update_addrs_q); 1083 1084 callout_stop(&sp->ch[IDX_LCP]); 1085 callout_stop(&sp->ch[IDX_IPCP]); 1086 callout_stop(&sp->ch[IDX_PAP]); 1087 callout_stop(&sp->ch[IDX_CHAP]); 1088 #ifdef INET6 1089 callout_stop(&sp->ch[IDX_IPV6CP]); 1090 #endif 1091 callout_stop(&sp->pap_my_to_ch); 1092 1093 /* free authentication info */ 1094 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 1095 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 1096 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 1097 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 1098 SPPP_UNLOCK(sp); 1099 rw_destroy(&sp->pp_lock); 1100 1101 ifmedia_fini(&sp->pp_im); 1102 } 1103 1104 /* 1105 * Flush the interface output queue. 1106 */ 1107 void 1108 sppp_flush(struct ifnet *ifp) 1109 { 1110 struct sppp *sp = (struct sppp *) ifp; 1111 1112 SPPP_LOCK(sp, RW_WRITER); 1113 IFQ_PURGE(&sp->pp_if.if_snd); 1114 IF_PURGE(&sp->pp_fastq); 1115 IF_PURGE(&sp->pp_cpq); 1116 SPPP_UNLOCK(sp); 1117 } 1118 1119 /* 1120 * Check if the output queue is empty. 1121 */ 1122 int 1123 sppp_isempty(struct ifnet *ifp) 1124 { 1125 struct sppp *sp = (struct sppp *) ifp; 1126 int empty, s; 1127 1128 s = splnet(); 1129 SPPP_LOCK(sp, RW_READER); 1130 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 1131 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 1132 SPPP_UNLOCK(sp); 1133 splx(s); 1134 return (empty); 1135 } 1136 1137 /* 1138 * Get next packet to send. 1139 */ 1140 struct mbuf * 1141 sppp_dequeue(struct ifnet *ifp) 1142 { 1143 struct sppp *sp = (struct sppp *) ifp; 1144 struct mbuf *m; 1145 int s; 1146 1147 s = splnet(); 1148 SPPP_LOCK(sp, RW_WRITER); 1149 /* 1150 * Process only the control protocol queue until we have at 1151 * least one NCP open. 1152 * 1153 * Do always serve all three queues in Cisco mode. 1154 */ 1155 IF_DEQUEUE(&sp->pp_cpq, m); 1156 if (m == NULL && 1157 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) { 1158 IF_DEQUEUE(&sp->pp_fastq, m); 1159 if (m == NULL) 1160 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 1161 } 1162 SPPP_UNLOCK(sp); 1163 splx(s); 1164 return m; 1165 } 1166 1167 /* 1168 * Process an ioctl request. Called on low priority level. 1169 */ 1170 int 1171 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1172 { 1173 struct lwp *l = curlwp; /* XXX */ 1174 struct ifreq *ifr = (struct ifreq *) data; 1175 struct ifaddr *ifa = (struct ifaddr *) data; 1176 struct sppp *sp = (struct sppp *) ifp; 1177 int s, error=0, going_up, going_down, newmode; 1178 1179 s = splnet(); 1180 switch (cmd) { 1181 case SIOCINITIFADDR: 1182 ifa->ifa_rtrequest = p2p_rtrequest; 1183 break; 1184 1185 case SIOCSIFFLAGS: 1186 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1187 break; 1188 1189 SPPP_LOCK(sp, RW_WRITER); 1190 going_up = ifp->if_flags & IFF_UP && 1191 (ifp->if_flags & IFF_RUNNING) == 0; 1192 going_down = (ifp->if_flags & IFF_UP) == 0 && 1193 ifp->if_flags & IFF_RUNNING; 1194 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1195 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1196 /* sanity */ 1197 newmode = IFF_PASSIVE; 1198 ifp->if_flags &= ~IFF_AUTO; 1199 } 1200 1201 if (going_up || going_down) { 1202 lcp.Close(sp); 1203 } 1204 if (going_up && newmode == 0) { 1205 /* neither auto-dial nor passive */ 1206 ifp->if_flags |= IFF_RUNNING; 1207 if (!(sp->pp_flags & PP_CISCO)) 1208 lcp.Open(sp); 1209 } else if (going_down) { 1210 SPPP_UNLOCK(sp); 1211 sppp_flush(ifp); 1212 SPPP_LOCK(sp, RW_WRITER); 1213 1214 ifp->if_flags &= ~IFF_RUNNING; 1215 } 1216 SPPP_UNLOCK(sp); 1217 break; 1218 1219 case SIOCSIFMTU: 1220 if (ifr->ifr_mtu < PPP_MINMRU || 1221 ifr->ifr_mtu > sp->lcp.their_mru) { 1222 error = EINVAL; 1223 break; 1224 } 1225 /*FALLTHROUGH*/ 1226 case SIOCGIFMTU: 1227 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1228 error = 0; 1229 break; 1230 case SIOCADDMULTI: 1231 case SIOCDELMULTI: 1232 break; 1233 1234 case SPPPSETAUTHCFG: 1235 case SPPPSETLCPCFG: 1236 case SPPPSETIDLETO: 1237 case SPPPSETAUTHFAILURE: 1238 case SPPPSETDNSOPTS: 1239 case SPPPSETKEEPALIVE: 1240 #if defined(COMPAT_50) || defined(MODULAR) 1241 case __SPPPSETIDLETO50: 1242 case __SPPPSETKEEPALIVE50: 1243 #endif /* COMPAT_50 || MODULAR */ 1244 error = kauth_authorize_network(l->l_cred, 1245 KAUTH_NETWORK_INTERFACE, 1246 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1247 NULL); 1248 if (error) 1249 break; 1250 error = sppp_params(sp, cmd, data); 1251 break; 1252 1253 case SPPPGETAUTHCFG: 1254 case SPPPGETLCPCFG: 1255 case SPPPGETAUTHFAILURES: 1256 error = kauth_authorize_network(l->l_cred, 1257 KAUTH_NETWORK_INTERFACE, 1258 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1259 NULL); 1260 if (error) 1261 break; 1262 error = sppp_params(sp, cmd, data); 1263 break; 1264 1265 case SPPPGETSTATUS: 1266 case SPPPGETSTATUSNCP: 1267 case SPPPGETIDLETO: 1268 case SPPPGETDNSOPTS: 1269 case SPPPGETDNSADDRS: 1270 case SPPPGETKEEPALIVE: 1271 #if defined(COMPAT_50) || defined(MODULAR) 1272 case __SPPPGETIDLETO50: 1273 case __SPPPGETKEEPALIVE50: 1274 #endif /* COMPAT_50 || MODULAR */ 1275 error = sppp_params(sp, cmd, data); 1276 break; 1277 1278 case SIOCGIFMEDIA: 1279 error = ifmedia_ioctl(ifp, ifr, &sp->pp_im, cmd); 1280 break; 1281 1282 default: 1283 error = ifioctl_common(ifp, cmd, data); 1284 break; 1285 } 1286 splx(s); 1287 return (error); 1288 } 1289 1290 1291 /* 1292 * Cisco framing implementation. 1293 */ 1294 1295 /* 1296 * Handle incoming Cisco keepalive protocol packets. 1297 */ 1298 static void 1299 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1300 { 1301 STDDCL; 1302 struct cisco_packet *h; 1303 #ifdef INET 1304 uint32_t me, mymask = 0; /* XXX: GCC */ 1305 #endif 1306 1307 SPPP_LOCK(sp, RW_WRITER); 1308 1309 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1310 if (debug) 1311 log(LOG_DEBUG, 1312 "%s: cisco invalid packet length: %d bytes\n", 1313 ifp->if_xname, m->m_pkthdr.len); 1314 SPPP_UNLOCK(sp); 1315 return; 1316 } 1317 h = mtod(m, struct cisco_packet *); 1318 if (debug) 1319 log(LOG_DEBUG, 1320 "%s: cisco input: %d bytes " 1321 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1322 ifp->if_xname, m->m_pkthdr.len, 1323 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1324 (u_int)h->time0, (u_int)h->time1); 1325 switch (ntohl(h->type)) { 1326 default: 1327 if (debug) 1328 addlog("%s: cisco unknown packet type: 0x%x\n", 1329 ifp->if_xname, ntohl(h->type)); 1330 break; 1331 case CISCO_ADDR_REPLY: 1332 /* Reply on address request, ignore */ 1333 break; 1334 case CISCO_KEEPALIVE_REQ: 1335 sp->pp_alivecnt = 0; 1336 sp->pp_rseq[IDX_LCP] = ntohl(h->par1); 1337 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1338 /* Local and remote sequence numbers are equal. 1339 * Probably, the line is in loopback mode. */ 1340 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1341 printf ("%s: loopback\n", 1342 ifp->if_xname); 1343 sp->pp_loopcnt = 0; 1344 if (ifp->if_flags & IFF_UP) { 1345 SPPP_UNLOCK(sp); 1346 if_down(ifp); 1347 SPPP_LOCK(sp, RW_WRITER); 1348 1349 IF_PURGE(&sp->pp_cpq); 1350 } 1351 } 1352 ++sp->pp_loopcnt; 1353 1354 /* Generate new local sequence number */ 1355 sp->pp_seq[IDX_LCP] = cprng_fast32(); 1356 break; 1357 } 1358 sp->pp_loopcnt = 0; 1359 if (! (ifp->if_flags & IFF_UP) && 1360 (ifp->if_flags & IFF_RUNNING)) { 1361 SPPP_UNLOCK(sp); 1362 if_up(ifp); 1363 SPPP_LOCK(sp, RW_WRITER); 1364 } 1365 break; 1366 case CISCO_ADDR_REQ: 1367 #ifdef INET 1368 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1369 if (me != 0L) 1370 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1371 #endif 1372 break; 1373 } 1374 SPPP_UNLOCK(sp); 1375 } 1376 1377 /* 1378 * Send Cisco keepalive packet. 1379 */ 1380 static void 1381 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1382 { 1383 STDDCL; 1384 struct ppp_header *h; 1385 struct cisco_packet *ch; 1386 struct mbuf *m; 1387 uint32_t t; 1388 1389 KASSERT(SPPP_WLOCKED(sp)); 1390 1391 t = time_uptime * 1000; 1392 MGETHDR(m, M_DONTWAIT, MT_DATA); 1393 if (! m) 1394 return; 1395 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1396 m_reset_rcvif(m); 1397 1398 h = mtod(m, struct ppp_header *); 1399 h->address = CISCO_MULTICAST; 1400 h->control = 0; 1401 h->protocol = htons(CISCO_KEEPALIVE); 1402 1403 ch = (struct cisco_packet *)(h + 1); 1404 ch->type = htonl(type); 1405 ch->par1 = htonl(par1); 1406 ch->par2 = htonl(par2); 1407 ch->rel = -1; 1408 1409 ch->time0 = htons((u_short)(t >> 16)); 1410 ch->time1 = htons((u_short) t); 1411 1412 if (debug) 1413 log(LOG_DEBUG, 1414 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1415 ifp->if_xname, ntohl(ch->type), ch->par1, 1416 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1417 (u_int)ch->time1); 1418 1419 if (IF_QFULL(&sp->pp_cpq)) { 1420 IF_DROP(&sp->pp_fastq); 1421 IF_DROP(&ifp->if_snd); 1422 m_freem(m); 1423 if_statinc(ifp, if_oerrors); 1424 return; 1425 } 1426 1427 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 1428 IF_ENQUEUE(&sp->pp_cpq, m); 1429 1430 if (! (ifp->if_flags & IFF_OACTIVE)) { 1431 SPPP_UNLOCK(sp); 1432 if_start_lock(ifp); 1433 SPPP_LOCK(sp, RW_WRITER); 1434 } 1435 } 1436 1437 /* 1438 * PPP protocol implementation. 1439 */ 1440 1441 /* 1442 * Send PPP control protocol packet. 1443 */ 1444 static void 1445 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1446 u_char ident, u_short len, void *data) 1447 { 1448 STDDCL; 1449 struct lcp_header *lh; 1450 struct mbuf *m; 1451 size_t pkthdrlen; 1452 1453 KASSERT(SPPP_WLOCKED(sp)); 1454 1455 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1456 1457 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1458 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1459 MGETHDR(m, M_DONTWAIT, MT_DATA); 1460 if (! m) { 1461 return; 1462 } 1463 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1464 m_reset_rcvif(m); 1465 1466 if (sp->pp_flags & PP_NOFRAMING) { 1467 *mtod(m, uint16_t *) = htons(proto); 1468 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1469 } else { 1470 struct ppp_header *h; 1471 h = mtod(m, struct ppp_header *); 1472 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1473 h->control = PPP_UI; /* Unnumbered Info */ 1474 h->protocol = htons(proto); /* Link Control Protocol */ 1475 lh = (struct lcp_header *)(h + 1); 1476 } 1477 lh->type = type; 1478 lh->ident = ident; 1479 lh->len = htons(LCP_HEADER_LEN + len); 1480 if (len) 1481 memcpy(lh + 1, data, len); 1482 1483 if (debug) { 1484 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1485 ifp->if_xname, 1486 sppp_proto_name(proto), 1487 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len)); 1488 if (len) 1489 sppp_print_bytes((u_char *)(lh + 1), len); 1490 addlog(">\n"); 1491 } 1492 if (IF_QFULL(&sp->pp_cpq)) { 1493 IF_DROP(&sp->pp_fastq); 1494 IF_DROP(&ifp->if_snd); 1495 m_freem(m); 1496 if_statinc(ifp, if_oerrors); 1497 return; 1498 } 1499 1500 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 1501 IF_ENQUEUE(&sp->pp_cpq, m); 1502 1503 1504 if (! (ifp->if_flags & IFF_OACTIVE)) { 1505 SPPP_UNLOCK(sp); 1506 if_start_lock(ifp); 1507 SPPP_LOCK(sp, RW_WRITER); 1508 } 1509 } 1510 1511 /* 1512 * Handle incoming PPP control protocol packets. 1513 */ 1514 static void 1515 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1516 { 1517 STDDCL; 1518 struct lcp_header *h; 1519 int printlen, len = m->m_pkthdr.len; 1520 int rv; 1521 u_char *p; 1522 uint32_t u32; 1523 1524 SPPP_LOCK(sp, RW_WRITER); 1525 1526 if (len < 4) { 1527 if (debug) 1528 log(LOG_DEBUG, 1529 "%s: %s invalid packet length: %d bytes\n", 1530 ifp->if_xname, cp->name, len); 1531 SPPP_UNLOCK(sp); 1532 return; 1533 } 1534 h = mtod(m, struct lcp_header *); 1535 if (debug) { 1536 printlen = ntohs(h->len); 1537 log(LOG_DEBUG, 1538 "%s: %s input(%s): <%s id=0x%x len=%d", 1539 ifp->if_xname, cp->name, 1540 sppp_state_name(sp->state[cp->protoidx]), 1541 sppp_cp_type_name(h->type), h->ident, printlen); 1542 if (len < printlen) 1543 printlen = len; 1544 if (printlen > 4) 1545 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1546 addlog(">\n"); 1547 } 1548 if (len > ntohs(h->len)) 1549 len = ntohs(h->len); 1550 p = (u_char *)(h + 1); 1551 switch (h->type) { 1552 case CONF_REQ: 1553 if (len < 4) { 1554 if (debug) 1555 addlog("%s: %s invalid conf-req length %d\n", 1556 ifp->if_xname, cp->name, 1557 len); 1558 if_statinc(ifp, if_ierrors); 1559 break; 1560 } 1561 /* handle states where RCR doesn't get a SCA/SCN */ 1562 switch (sp->state[cp->protoidx]) { 1563 case STATE_CLOSING: 1564 case STATE_STOPPING: 1565 SPPP_UNLOCK(sp); 1566 return; 1567 case STATE_CLOSED: 1568 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1569 0, 0); 1570 SPPP_UNLOCK(sp); 1571 return; 1572 } 1573 rv = (cp->RCR)(sp, h, len); 1574 if (rv < 0) { 1575 /* fatal error, shut down */ 1576 (cp->tld)(sp); 1577 sppp_lcp_tlf(sp); 1578 SPPP_UNLOCK(sp); 1579 return; 1580 } 1581 switch (sp->state[cp->protoidx]) { 1582 case STATE_OPENED: 1583 (cp->tld)(sp); 1584 (cp->scr)(sp); 1585 /* fall through... */ 1586 case STATE_ACK_SENT: 1587 case STATE_REQ_SENT: 1588 sppp_cp_change_state(cp, sp, rv? 1589 STATE_ACK_SENT: STATE_REQ_SENT); 1590 break; 1591 case STATE_STOPPED: 1592 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1593 (cp->scr)(sp); 1594 sppp_cp_change_state(cp, sp, rv? 1595 STATE_ACK_SENT: STATE_REQ_SENT); 1596 break; 1597 case STATE_ACK_RCVD: 1598 if (rv) { 1599 sppp_cp_change_state(cp, sp, STATE_OPENED); 1600 if (debug) 1601 log(LOG_DEBUG, "%s: %s tlu\n", 1602 ifp->if_xname, 1603 cp->name); 1604 (cp->tlu)(sp); 1605 } else 1606 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1607 break; 1608 default: 1609 printf("%s: %s illegal %s in state %s\n", 1610 ifp->if_xname, cp->name, 1611 sppp_cp_type_name(h->type), 1612 sppp_state_name(sp->state[cp->protoidx])); 1613 if_statinc(ifp, if_ierrors); 1614 } 1615 break; 1616 case CONF_ACK: 1617 if (h->ident != sp->confid[cp->protoidx]) { 1618 if (debug) 1619 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1620 ifp->if_xname, cp->name, 1621 h->ident, sp->confid[cp->protoidx]); 1622 if_statinc(ifp, if_ierrors); 1623 break; 1624 } 1625 switch (sp->state[cp->protoidx]) { 1626 case STATE_CLOSED: 1627 case STATE_STOPPED: 1628 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1629 break; 1630 case STATE_CLOSING: 1631 case STATE_STOPPING: 1632 break; 1633 case STATE_REQ_SENT: 1634 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1635 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1636 break; 1637 case STATE_OPENED: 1638 (cp->tld)(sp); 1639 /* fall through */ 1640 case STATE_ACK_RCVD: 1641 (cp->scr)(sp); 1642 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1643 break; 1644 case STATE_ACK_SENT: 1645 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1646 sppp_cp_change_state(cp, sp, STATE_OPENED); 1647 if (debug) 1648 log(LOG_DEBUG, "%s: %s tlu\n", 1649 ifp->if_xname, cp->name); 1650 (cp->tlu)(sp); 1651 break; 1652 default: 1653 printf("%s: %s illegal %s in state %s\n", 1654 ifp->if_xname, cp->name, 1655 sppp_cp_type_name(h->type), 1656 sppp_state_name(sp->state[cp->protoidx])); 1657 if_statinc(ifp, if_ierrors); 1658 } 1659 break; 1660 case CONF_NAK: 1661 case CONF_REJ: 1662 if (h->ident != sp->confid[cp->protoidx]) { 1663 if (debug) 1664 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1665 ifp->if_xname, cp->name, 1666 h->ident, sp->confid[cp->protoidx]); 1667 if_statinc(ifp, if_ierrors); 1668 break; 1669 } 1670 if (h->type == CONF_NAK) 1671 (cp->RCN_nak)(sp, h, len); 1672 else /* CONF_REJ */ 1673 (cp->RCN_rej)(sp, h, len); 1674 1675 switch (sp->state[cp->protoidx]) { 1676 case STATE_CLOSED: 1677 case STATE_STOPPED: 1678 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1679 break; 1680 case STATE_REQ_SENT: 1681 case STATE_ACK_SENT: 1682 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1683 (cp->scr)(sp); 1684 break; 1685 case STATE_OPENED: 1686 (cp->tld)(sp); 1687 /* fall through */ 1688 case STATE_ACK_RCVD: 1689 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 1690 (cp->scr)(sp); 1691 break; 1692 case STATE_CLOSING: 1693 case STATE_STOPPING: 1694 break; 1695 default: 1696 printf("%s: %s illegal %s in state %s\n", 1697 ifp->if_xname, cp->name, 1698 sppp_cp_type_name(h->type), 1699 sppp_state_name(sp->state[cp->protoidx])); 1700 if_statinc(ifp, if_ierrors); 1701 } 1702 break; 1703 1704 case TERM_REQ: 1705 switch (sp->state[cp->protoidx]) { 1706 case STATE_ACK_RCVD: 1707 case STATE_ACK_SENT: 1708 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1709 /* fall through */ 1710 case STATE_CLOSED: 1711 case STATE_STOPPED: 1712 case STATE_CLOSING: 1713 case STATE_STOPPING: 1714 case STATE_REQ_SENT: 1715 sta: 1716 /* Send Terminate-Ack packet. */ 1717 if (debug) 1718 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 1719 ifp->if_xname, cp->name); 1720 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1721 break; 1722 case STATE_OPENED: 1723 (cp->tld)(sp); 1724 sp->rst_counter[cp->protoidx] = 0; 1725 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1726 goto sta; 1727 default: 1728 printf("%s: %s illegal %s in state %s\n", 1729 ifp->if_xname, cp->name, 1730 sppp_cp_type_name(h->type), 1731 sppp_state_name(sp->state[cp->protoidx])); 1732 if_statinc(ifp, if_ierrors); 1733 } 1734 break; 1735 case TERM_ACK: 1736 switch (sp->state[cp->protoidx]) { 1737 case STATE_CLOSED: 1738 case STATE_STOPPED: 1739 case STATE_REQ_SENT: 1740 case STATE_ACK_SENT: 1741 break; 1742 case STATE_CLOSING: 1743 (cp->tlf)(sp); 1744 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1745 sppp_lcp_check_and_close(sp); 1746 break; 1747 case STATE_STOPPING: 1748 (cp->tlf)(sp); 1749 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1750 sppp_lcp_check_and_close(sp); 1751 break; 1752 case STATE_ACK_RCVD: 1753 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1754 break; 1755 case STATE_OPENED: 1756 (cp->tld)(sp); 1757 (cp->scr)(sp); 1758 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1759 break; 1760 default: 1761 printf("%s: %s illegal %s in state %s\n", 1762 ifp->if_xname, cp->name, 1763 sppp_cp_type_name(h->type), 1764 sppp_state_name(sp->state[cp->protoidx])); 1765 if_statinc(ifp, if_ierrors); 1766 } 1767 break; 1768 case CODE_REJ: 1769 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1770 log(LOG_INFO, 1771 "%s: %s: ignoring RXJ (%s) for code ?, " 1772 "danger will robinson\n", 1773 ifp->if_xname, cp->name, 1774 sppp_cp_type_name(h->type)); 1775 switch (sp->state[cp->protoidx]) { 1776 case STATE_CLOSED: 1777 case STATE_STOPPED: 1778 case STATE_REQ_SENT: 1779 case STATE_ACK_SENT: 1780 case STATE_CLOSING: 1781 case STATE_STOPPING: 1782 case STATE_OPENED: 1783 break; 1784 case STATE_ACK_RCVD: 1785 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1786 break; 1787 default: 1788 printf("%s: %s illegal %s in state %s\n", 1789 ifp->if_xname, cp->name, 1790 sppp_cp_type_name(h->type), 1791 sppp_state_name(sp->state[cp->protoidx])); 1792 if_statinc(ifp, if_ierrors); 1793 } 1794 break; 1795 case PROTO_REJ: 1796 { 1797 int catastrophic; 1798 const struct cp *upper; 1799 int i; 1800 uint16_t proto; 1801 1802 catastrophic = 0; 1803 upper = NULL; 1804 proto = p[0] << 8 | p[1]; 1805 for (i = 0; i < IDX_COUNT; i++) { 1806 if (cps[i]->proto == proto) { 1807 upper = cps[i]; 1808 break; 1809 } 1810 } 1811 if (upper == NULL) 1812 catastrophic++; 1813 1814 if (debug) 1815 log(LOG_INFO, 1816 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1817 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1818 sppp_cp_type_name(h->type), proto, 1819 upper ? upper->name : "unknown", 1820 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1821 1822 /* 1823 * if we got RXJ+ against conf-req, the peer does not implement 1824 * this particular protocol type. terminate the protocol. 1825 */ 1826 if (upper && !catastrophic) { 1827 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1828 upper->Close(sp); 1829 break; 1830 } 1831 } 1832 1833 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1834 switch (sp->state[cp->protoidx]) { 1835 case STATE_CLOSED: 1836 case STATE_STOPPED: 1837 case STATE_REQ_SENT: 1838 case STATE_ACK_SENT: 1839 case STATE_CLOSING: 1840 case STATE_STOPPING: 1841 case STATE_OPENED: 1842 break; 1843 case STATE_ACK_RCVD: 1844 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1845 break; 1846 default: 1847 printf("%s: %s illegal %s in state %s\n", 1848 ifp->if_xname, cp->name, 1849 sppp_cp_type_name(h->type), 1850 sppp_state_name(sp->state[cp->protoidx])); 1851 if_statinc(ifp, if_ierrors); 1852 } 1853 break; 1854 } 1855 case DISC_REQ: 1856 if (cp->proto != PPP_LCP) 1857 goto illegal; 1858 /* Discard the packet. */ 1859 break; 1860 case ECHO_REQ: 1861 if (cp->proto != PPP_LCP) 1862 goto illegal; 1863 if (sp->state[cp->protoidx] != STATE_OPENED) { 1864 if (debug) 1865 addlog("%s: lcp echo req but lcp closed\n", 1866 ifp->if_xname); 1867 if_statinc(ifp, if_ierrors); 1868 break; 1869 } 1870 if (len < 8) { 1871 if (debug) 1872 addlog("%s: invalid lcp echo request " 1873 "packet length: %d bytes\n", 1874 ifp->if_xname, len); 1875 break; 1876 } 1877 memcpy(&u32, h + 1, sizeof u32); 1878 if (ntohl(u32) == sp->lcp.magic) { 1879 /* Line loopback mode detected. */ 1880 printf("%s: loopback\n", ifp->if_xname); 1881 SPPP_UNLOCK(sp); 1882 if_down(ifp); 1883 SPPP_LOCK(sp, RW_WRITER); 1884 1885 IF_PURGE(&sp->pp_cpq); 1886 1887 /* Shut down the PPP link. */ 1888 /* XXX */ 1889 lcp.Down(sp); 1890 lcp.Up(sp); 1891 break; 1892 } 1893 u32 = htonl(sp->lcp.magic); 1894 memcpy(h + 1, &u32, sizeof u32); 1895 if (debug) 1896 addlog("%s: got lcp echo req, sending echo rep\n", 1897 ifp->if_xname); 1898 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1899 h + 1); 1900 break; 1901 case ECHO_REPLY: 1902 if (cp->proto != PPP_LCP) 1903 goto illegal; 1904 if (h->ident != sp->lcp.echoid) { 1905 if_statinc(ifp, if_ierrors); 1906 break; 1907 } 1908 if (len < 8) { 1909 if (debug) 1910 addlog("%s: lcp invalid echo reply " 1911 "packet length: %d bytes\n", 1912 ifp->if_xname, len); 1913 break; 1914 } 1915 if (debug) 1916 addlog("%s: lcp got echo rep\n", 1917 ifp->if_xname); 1918 memcpy(&u32, h + 1, sizeof u32); 1919 if (ntohl(u32) != sp->lcp.magic) 1920 sp->pp_alivecnt = 0; 1921 break; 1922 default: 1923 /* Unknown packet type -- send Code-Reject packet. */ 1924 illegal: 1925 if (debug) 1926 addlog("%s: %s send code-rej for 0x%x\n", 1927 ifp->if_xname, cp->name, h->type); 1928 sppp_cp_send(sp, cp->proto, CODE_REJ, 1929 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 1930 if_statinc(ifp, if_ierrors); 1931 } 1932 1933 SPPP_UNLOCK(sp); 1934 } 1935 1936 1937 /* 1938 * The generic part of all Up/Down/Open/Close/TO event handlers. 1939 * Basically, the state transition handling in the automaton. 1940 */ 1941 static void 1942 sppp_up_event(const struct cp *cp, struct sppp *sp) 1943 { 1944 STDDCL; 1945 1946 KASSERT(SPPP_WLOCKED(sp)); 1947 1948 if (debug) 1949 log(LOG_DEBUG, "%s: %s up(%s)\n", 1950 ifp->if_xname, cp->name, 1951 sppp_state_name(sp->state[cp->protoidx])); 1952 1953 switch (sp->state[cp->protoidx]) { 1954 case STATE_INITIAL: 1955 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1956 break; 1957 case STATE_STARTING: 1958 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1959 (cp->scr)(sp); 1960 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1961 break; 1962 default: 1963 printf("%s: %s illegal up in state %s\n", 1964 ifp->if_xname, cp->name, 1965 sppp_state_name(sp->state[cp->protoidx])); 1966 } 1967 } 1968 1969 static void 1970 sppp_down_event(const struct cp *cp, struct sppp *sp) 1971 { 1972 STDDCL; 1973 1974 KASSERT(SPPP_WLOCKED(sp)); 1975 1976 if (debug) 1977 log(LOG_DEBUG, "%s: %s down(%s)\n", 1978 ifp->if_xname, cp->name, 1979 sppp_state_name(sp->state[cp->protoidx])); 1980 1981 switch (sp->state[cp->protoidx]) { 1982 case STATE_CLOSED: 1983 case STATE_CLOSING: 1984 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1985 break; 1986 case STATE_STOPPED: 1987 (cp->tls)(sp); 1988 /* fall through */ 1989 case STATE_STOPPING: 1990 case STATE_REQ_SENT: 1991 case STATE_ACK_RCVD: 1992 case STATE_ACK_SENT: 1993 sppp_cp_change_state(cp, sp, STATE_STARTING); 1994 break; 1995 case STATE_OPENED: 1996 (cp->tld)(sp); 1997 sppp_cp_change_state(cp, sp, STATE_STARTING); 1998 break; 1999 default: 2000 printf("%s: %s illegal down in state %s\n", 2001 ifp->if_xname, cp->name, 2002 sppp_state_name(sp->state[cp->protoidx])); 2003 } 2004 } 2005 2006 2007 static void 2008 sppp_open_event(const struct cp *cp, struct sppp *sp) 2009 { 2010 STDDCL; 2011 2012 KASSERT(SPPP_WLOCKED(sp)); 2013 2014 if (debug) 2015 log(LOG_DEBUG, "%s: %s open(%s)\n", 2016 ifp->if_xname, cp->name, 2017 sppp_state_name(sp->state[cp->protoidx])); 2018 2019 switch (sp->state[cp->protoidx]) { 2020 case STATE_INITIAL: 2021 sppp_cp_change_state(cp, sp, STATE_STARTING); 2022 (cp->tls)(sp); 2023 break; 2024 case STATE_STARTING: 2025 break; 2026 case STATE_CLOSED: 2027 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 2028 (cp->scr)(sp); 2029 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2030 break; 2031 case STATE_STOPPED: 2032 case STATE_STOPPING: 2033 case STATE_REQ_SENT: 2034 case STATE_ACK_RCVD: 2035 case STATE_ACK_SENT: 2036 case STATE_OPENED: 2037 break; 2038 case STATE_CLOSING: 2039 sppp_cp_change_state(cp, sp, STATE_STOPPING); 2040 break; 2041 } 2042 } 2043 2044 2045 static void 2046 sppp_close_event(const struct cp *cp, struct sppp *sp) 2047 { 2048 STDDCL; 2049 2050 KASSERT(SPPP_WLOCKED(sp)); 2051 2052 if (debug) 2053 log(LOG_DEBUG, "%s: %s close(%s)\n", 2054 ifp->if_xname, cp->name, 2055 sppp_state_name(sp->state[cp->protoidx])); 2056 2057 switch (sp->state[cp->protoidx]) { 2058 case STATE_INITIAL: 2059 case STATE_CLOSED: 2060 case STATE_CLOSING: 2061 break; 2062 case STATE_STARTING: 2063 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2064 (cp->tlf)(sp); 2065 break; 2066 case STATE_STOPPED: 2067 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2068 break; 2069 case STATE_STOPPING: 2070 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2071 break; 2072 case STATE_OPENED: 2073 (cp->tld)(sp); 2074 /* fall through */ 2075 case STATE_REQ_SENT: 2076 case STATE_ACK_RCVD: 2077 case STATE_ACK_SENT: 2078 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 2079 sppp_cp_send(sp, cp->proto, TERM_REQ, 2080 ++sp->pp_seq[cp->protoidx], 0, 0); 2081 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2082 break; 2083 } 2084 } 2085 2086 static void 2087 sppp_to_event(const struct cp *cp, struct sppp *sp) 2088 { 2089 STDDCL; 2090 int s; 2091 2092 KASSERT(SPPP_WLOCKED(sp)); 2093 2094 s = splnet(); 2095 2096 if (debug) 2097 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 2098 ifp->if_xname, cp->name, 2099 sppp_state_name(sp->state[cp->protoidx]), 2100 sp->rst_counter[cp->protoidx]); 2101 2102 if (--sp->rst_counter[cp->protoidx] < 0) 2103 /* TO- event */ 2104 switch (sp->state[cp->protoidx]) { 2105 case STATE_CLOSING: 2106 (cp->tlf)(sp); 2107 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2108 sppp_lcp_check_and_close(sp); 2109 break; 2110 case STATE_STOPPING: 2111 (cp->tlf)(sp); 2112 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2113 sppp_lcp_check_and_close(sp); 2114 break; 2115 case STATE_REQ_SENT: 2116 case STATE_ACK_RCVD: 2117 case STATE_ACK_SENT: 2118 (cp->tlf)(sp); 2119 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2120 sppp_lcp_check_and_close(sp); 2121 break; 2122 } 2123 else 2124 /* TO+ event */ 2125 switch (sp->state[cp->protoidx]) { 2126 case STATE_CLOSING: 2127 case STATE_STOPPING: 2128 sppp_cp_send(sp, cp->proto, TERM_REQ, 2129 ++sp->pp_seq[cp->protoidx], 0, 0); 2130 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2131 cp->TO, sp); 2132 break; 2133 case STATE_REQ_SENT: 2134 case STATE_ACK_RCVD: 2135 (cp->scr)(sp); 2136 /* sppp_cp_change_state() will restart the timer */ 2137 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2138 break; 2139 case STATE_ACK_SENT: 2140 (cp->scr)(sp); 2141 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2142 cp->TO, sp); 2143 break; 2144 } 2145 2146 splx(s); 2147 } 2148 2149 /* 2150 * Change the state of a control protocol in the state automaton. 2151 * Takes care of starting/stopping the restart timer. 2152 */ 2153 void 2154 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2155 { 2156 2157 KASSERT(SPPP_WLOCKED(sp)); 2158 2159 sp->state[cp->protoidx] = newstate; 2160 callout_stop(&sp->ch[cp->protoidx]); 2161 switch (newstate) { 2162 case STATE_INITIAL: 2163 case STATE_STARTING: 2164 case STATE_CLOSED: 2165 case STATE_STOPPED: 2166 case STATE_OPENED: 2167 break; 2168 case STATE_CLOSING: 2169 case STATE_STOPPING: 2170 case STATE_REQ_SENT: 2171 case STATE_ACK_RCVD: 2172 case STATE_ACK_SENT: 2173 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2174 cp->TO, sp); 2175 break; 2176 } 2177 } 2178 2179 /* 2180 *--------------------------------------------------------------------------* 2181 * * 2182 * The LCP implementation. * 2183 * * 2184 *--------------------------------------------------------------------------* 2185 */ 2186 static void 2187 sppp_lcp_init(struct sppp *sp) 2188 { 2189 2190 KASSERT(SPPP_WLOCKED(sp)); 2191 2192 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2193 sp->lcp.magic = 0; 2194 sp->state[IDX_LCP] = STATE_INITIAL; 2195 sp->fail_counter[IDX_LCP] = 0; 2196 sp->pp_seq[IDX_LCP] = 0; 2197 sp->pp_rseq[IDX_LCP] = 0; 2198 sp->lcp.protos = 0; 2199 2200 /* 2201 * Initialize counters and timeout values. Note that we don't 2202 * use the 3 seconds suggested in RFC 1661 since we are likely 2203 * running on a fast link. XXX We should probably implement 2204 * the exponential backoff option. Note that these values are 2205 * relevant for all control protocols, not just LCP only. 2206 */ 2207 sp->lcp.timeout = 1 * hz; 2208 sp->lcp.max_terminate = 2; 2209 sp->lcp.max_configure = 10; 2210 sp->lcp.max_failure = 10; 2211 callout_init(&sp->ch[IDX_LCP], CALLOUT_MPSAFE); 2212 } 2213 2214 static void 2215 sppp_lcp_up(struct sppp *sp) 2216 { 2217 STDDCL; 2218 2219 KASSERT(SPPP_WLOCKED(sp)); 2220 2221 /* Initialize activity timestamp: opening a connection is an activity */ 2222 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 2223 2224 /* 2225 * If this interface is passive or dial-on-demand, and we are 2226 * still in Initial state, it means we've got an incoming 2227 * call. Activate the interface. 2228 */ 2229 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2230 if (debug) 2231 log(LOG_DEBUG, 2232 "%s: Up event", ifp->if_xname); 2233 ifp->if_flags |= IFF_RUNNING; 2234 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2235 if (debug) 2236 addlog("(incoming call)\n"); 2237 sp->pp_flags |= PP_CALLIN; 2238 lcp.Open(sp); 2239 } else if (debug) 2240 addlog("\n"); 2241 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2242 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2243 ifp->if_flags |= IFF_RUNNING; 2244 lcp.Open(sp); 2245 } 2246 2247 sppp_up_event(&lcp, sp); 2248 } 2249 2250 static void 2251 sppp_lcp_down(struct sppp *sp) 2252 { 2253 STDDCL; 2254 2255 KASSERT(SPPP_WLOCKED(sp)); 2256 2257 sppp_down_event(&lcp, sp); 2258 2259 /* 2260 * If this is neither a dial-on-demand nor a passive 2261 * interface, simulate an ``ifconfig down'' action, so the 2262 * administrator can force a redial by another ``ifconfig 2263 * up''. XXX For leased line operation, should we immediately 2264 * try to reopen the connection here? 2265 */ 2266 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2267 if (debug) 2268 log(LOG_INFO, 2269 "%s: Down event (carrier loss), taking interface down.\n", 2270 ifp->if_xname); 2271 SPPP_UNLOCK(sp); 2272 if_down(ifp); 2273 SPPP_LOCK(sp, RW_WRITER); 2274 } else { 2275 if (debug) 2276 log(LOG_DEBUG, 2277 "%s: Down event (carrier loss)\n", 2278 ifp->if_xname); 2279 } 2280 sp->fail_counter[IDX_LCP] = 0; 2281 sp->pp_flags &= ~PP_CALLIN; 2282 if (sp->state[IDX_LCP] != STATE_INITIAL) 2283 lcp.Close(sp); 2284 ifp->if_flags &= ~IFF_RUNNING; 2285 } 2286 2287 static void 2288 sppp_lcp_open(struct sppp *sp) 2289 { 2290 2291 KASSERT(SPPP_WLOCKED(sp)); 2292 2293 if (sp->pp_if.if_mtu < PP_MTU) { 2294 sp->lcp.mru = sp->pp_if.if_mtu; 2295 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2296 } else 2297 sp->lcp.mru = PP_MTU; 2298 sp->lcp.their_mru = PP_MTU; 2299 2300 /* 2301 * If we are authenticator, negotiate LCP_AUTH 2302 */ 2303 if (sp->hisauth.proto != 0) 2304 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2305 else 2306 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2307 sp->pp_flags &= ~PP_NEEDAUTH; 2308 sppp_open_event(&lcp, sp); 2309 } 2310 2311 static void 2312 sppp_lcp_close(struct sppp *sp) 2313 { 2314 2315 KASSERT(SPPP_WLOCKED(sp)); 2316 sppp_close_event(&lcp, sp); 2317 } 2318 2319 static void 2320 sppp_lcp_TO(void *cookie) 2321 { 2322 struct sppp *sp = (struct sppp*)cookie; 2323 2324 SPPP_LOCK(sp, RW_WRITER); 2325 sppp_to_event(&lcp, sp); 2326 SPPP_UNLOCK(sp); 2327 } 2328 2329 /* 2330 * Analyze a configure request. Return true if it was agreeable, and 2331 * caused action sca, false if it has been rejected or nak'ed, and 2332 * caused action scn. (The return value is used to make the state 2333 * transition decision in the state automaton.) 2334 */ 2335 static int 2336 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2337 { 2338 STDDCL; 2339 u_char *buf, *r, *p, l, blen; 2340 int origlen, rlen; 2341 uint32_t nmagic; 2342 u_short authproto; 2343 2344 KASSERT(SPPP_WLOCKED(sp)); 2345 2346 len -= 4; 2347 origlen = len; 2348 buf = r = malloc (blen = len, M_TEMP, M_NOWAIT); 2349 if (! buf) 2350 return (0); 2351 2352 if (debug) 2353 log(LOG_DEBUG, "%s: lcp parse opts:", 2354 ifp->if_xname); 2355 2356 /* pass 1: check for things that need to be rejected */ 2357 p = (void *)(h + 1); 2358 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2359 /* Sanity check option length */ 2360 if (l > len) { 2361 /* 2362 * Malicious option - drop immediately. 2363 * XXX Maybe we should just RXJ it? 2364 */ 2365 addlog("%s: received malicious LCP option 0x%02x, " 2366 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2367 p[0], l, len); 2368 goto drop; 2369 } 2370 if (debug) 2371 addlog(" %s", sppp_lcp_opt_name(*p)); 2372 switch (*p) { 2373 case LCP_OPT_MAGIC: 2374 /* Magic number. */ 2375 /* fall through, both are same length */ 2376 case LCP_OPT_ASYNC_MAP: 2377 /* Async control character map. */ 2378 if (len >= 6 || l == 6) 2379 continue; 2380 if (debug) 2381 addlog(" [invalid]"); 2382 break; 2383 case LCP_OPT_MP_EID: 2384 if (len >= l && l >= 3) { 2385 switch (p[2]) { 2386 case 0: if (l==3+ 0) continue;break; 2387 case 2: if (l==3+ 4) continue;break; 2388 case 3: if (l==3+ 6) continue;break; 2389 case 6: if (l==3+16) continue;break; 2390 case 1: /* FALLTHROUGH */ 2391 case 4: if (l<=3+20) continue;break; 2392 case 5: if (l<=3+15) continue;break; 2393 /* XXX should it be default: continue;? */ 2394 } 2395 } 2396 if (debug) 2397 addlog(" [invalid class %d len %d]", p[2], l); 2398 break; 2399 case LCP_OPT_MP_SSNHF: 2400 if (len >= 2 && l == 2) { 2401 if (debug) 2402 addlog(" [rej]"); 2403 break; 2404 } 2405 if (debug) 2406 addlog(" [invalid]"); 2407 break; 2408 case LCP_OPT_MP_MRRU: 2409 /* Multilink maximum received reconstructed unit */ 2410 /* should be fall through, both are same length */ 2411 /* FALLTHROUGH */ 2412 case LCP_OPT_MRU: 2413 /* Maximum receive unit. */ 2414 if (len >= 4 && l == 4) 2415 continue; 2416 if (debug) 2417 addlog(" [invalid]"); 2418 break; 2419 case LCP_OPT_AUTH_PROTO: 2420 if (len < 4) { 2421 if (debug) 2422 addlog(" [invalid]"); 2423 break; 2424 } 2425 authproto = (p[2] << 8) + p[3]; 2426 if (authproto == PPP_CHAP && l != 5) { 2427 if (debug) 2428 addlog(" [invalid chap len]"); 2429 break; 2430 } 2431 if (sp->myauth.proto == 0) { 2432 /* we are not configured to do auth */ 2433 if (debug) 2434 addlog(" [not configured]"); 2435 break; 2436 } 2437 /* 2438 * Remote want us to authenticate, remember this, 2439 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2440 * up. 2441 */ 2442 sp->pp_flags |= PP_NEEDAUTH; 2443 continue; 2444 default: 2445 /* Others not supported. */ 2446 if (debug) 2447 addlog(" [rej]"); 2448 break; 2449 } 2450 if (rlen + l > blen) { 2451 if (debug) 2452 addlog(" [overflow]"); 2453 continue; 2454 } 2455 /* Add the option to rejected list. */ 2456 memcpy(r, p, l); 2457 r += l; 2458 rlen += l; 2459 } 2460 if (rlen) { 2461 if (debug) 2462 addlog(" send conf-rej\n"); 2463 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2464 goto end; 2465 } else if (debug) 2466 addlog("\n"); 2467 2468 /* 2469 * pass 2: check for option values that are unacceptable and 2470 * thus require to be nak'ed. 2471 */ 2472 if (debug) 2473 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2474 ifp->if_xname); 2475 2476 p = (void *)(h + 1); 2477 len = origlen; 2478 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2479 if (debug) 2480 addlog(" %s", sppp_lcp_opt_name(*p)); 2481 switch (*p) { 2482 case LCP_OPT_MAGIC: 2483 /* Magic number -- extract. */ 2484 nmagic = (uint32_t)p[2] << 24 | 2485 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2486 if (nmagic != sp->lcp.magic) { 2487 if (debug) 2488 addlog(" 0x%x", nmagic); 2489 continue; 2490 } 2491 /* 2492 * Local and remote magics equal -- loopback? 2493 */ 2494 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2495 printf ("%s: loopback\n", 2496 ifp->if_xname); 2497 sp->pp_loopcnt = 0; 2498 if (ifp->if_flags & IFF_UP) { 2499 SPPP_UNLOCK(sp); 2500 if_down(ifp); 2501 SPPP_LOCK(sp, RW_WRITER); 2502 2503 IF_PURGE(&sp->pp_cpq); 2504 /* XXX ? */ 2505 lcp.Down(sp); 2506 lcp.Up(sp); 2507 } 2508 } else if (debug) 2509 addlog(" [glitch]"); 2510 ++sp->pp_loopcnt; 2511 /* 2512 * We negate our magic here, and NAK it. If 2513 * we see it later in an NAK packet, we 2514 * suggest a new one. 2515 */ 2516 nmagic = ~sp->lcp.magic; 2517 /* Gonna NAK it. */ 2518 p[2] = nmagic >> 24; 2519 p[3] = nmagic >> 16; 2520 p[4] = nmagic >> 8; 2521 p[5] = nmagic; 2522 break; 2523 2524 case LCP_OPT_ASYNC_MAP: 2525 /* 2526 * Async control character map -- just ignore it. 2527 * 2528 * Quote from RFC 1662, chapter 6: 2529 * To enable this functionality, synchronous PPP 2530 * implementations MUST always respond to the 2531 * Async-Control-Character-Map Configuration 2532 * Option with the LCP Configure-Ack. However, 2533 * acceptance of the Configuration Option does 2534 * not imply that the synchronous implementation 2535 * will do any ACCM mapping. Instead, all such 2536 * octet mapping will be performed by the 2537 * asynchronous-to-synchronous converter. 2538 */ 2539 continue; 2540 2541 case LCP_OPT_MRU: 2542 /* 2543 * Maximum receive unit. Always agreeable, 2544 * but ignored by now. 2545 */ 2546 sp->lcp.their_mru = p[2] * 256 + p[3]; 2547 if (debug) 2548 addlog(" %ld", sp->lcp.their_mru); 2549 continue; 2550 2551 case LCP_OPT_AUTH_PROTO: 2552 authproto = (p[2] << 8) + p[3]; 2553 if (sp->myauth.proto != authproto) { 2554 /* not agreed, nak */ 2555 if (debug) 2556 addlog(" [mine %s != his %s]", 2557 sppp_proto_name(sp->myauth.proto), 2558 sppp_proto_name(authproto)); 2559 p[2] = sp->myauth.proto >> 8; 2560 p[3] = sp->myauth.proto; 2561 break; 2562 } 2563 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2564 if (debug) 2565 addlog(" [chap not MD5]"); 2566 p[4] = CHAP_MD5; 2567 break; 2568 } 2569 continue; 2570 case LCP_OPT_MP_EID: 2571 /* 2572 * Endpoint identification. 2573 * Always agreeable, 2574 * but ignored by now. 2575 */ 2576 if (debug) { 2577 addlog(" type %d", p[2]); 2578 sppp_print_bytes(p+3, p[1]-3); 2579 } 2580 continue; 2581 case LCP_OPT_MP_MRRU: 2582 /* 2583 * Maximum received reconstructed unit. 2584 * Always agreeable, 2585 * but ignored by now. 2586 */ 2587 sp->lcp.their_mrru = p[2] * 256 + p[3]; 2588 if (debug) 2589 addlog(" %ld", sp->lcp.their_mrru); 2590 continue; 2591 } 2592 if (rlen + l > blen) { 2593 if (debug) 2594 addlog(" [overflow]"); 2595 continue; 2596 } 2597 /* Add the option to nak'ed list. */ 2598 memcpy(r, p, l); 2599 r += l; 2600 rlen += l; 2601 } 2602 if (rlen) { 2603 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2604 if (debug) 2605 addlog(" max_failure (%d) exceeded, " 2606 "send conf-rej\n", 2607 sp->lcp.max_failure); 2608 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2609 } else { 2610 if (debug) 2611 addlog(" send conf-nak\n"); 2612 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2613 } 2614 goto end; 2615 } else { 2616 if (debug) 2617 addlog(" send conf-ack\n"); 2618 sp->fail_counter[IDX_LCP] = 0; 2619 sp->pp_loopcnt = 0; 2620 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1); 2621 } 2622 2623 end: 2624 free(buf, M_TEMP); 2625 return (rlen == 0); 2626 2627 drop: 2628 free(buf, M_TEMP); 2629 return -1; 2630 } 2631 2632 /* 2633 * Analyze the LCP Configure-Reject option list, and adjust our 2634 * negotiation. 2635 */ 2636 static void 2637 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2638 { 2639 STDDCL; 2640 u_char *buf, *p, l; 2641 2642 KASSERT(SPPP_WLOCKED(sp)); 2643 2644 len -= 4; 2645 buf = malloc (len, M_TEMP, M_NOWAIT); 2646 if (!buf) 2647 return; 2648 2649 if (debug) 2650 log(LOG_DEBUG, "%s: lcp rej opts:", 2651 ifp->if_xname); 2652 2653 p = (void *)(h + 1); 2654 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2655 /* Sanity check option length */ 2656 if (l > len) { 2657 /* 2658 * Malicious option - drop immediately. 2659 * XXX Maybe we should just RXJ it? 2660 */ 2661 addlog("%s: received malicious LCP option, " 2662 "dropping.\n", ifp->if_xname); 2663 goto drop; 2664 } 2665 if (debug) 2666 addlog(" %s", sppp_lcp_opt_name(*p)); 2667 switch (*p) { 2668 case LCP_OPT_MAGIC: 2669 /* Magic number -- can't use it, use 0 */ 2670 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2671 sp->lcp.magic = 0; 2672 break; 2673 case LCP_OPT_MRU: 2674 /* 2675 * We try to negotiate a lower MRU if the underlying 2676 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 2677 * peer rejects this lower rate, fallback to the 2678 * default. 2679 */ 2680 if (debug) { 2681 addlog("%s: warning: peer rejected our MRU of " 2682 "%ld bytes. Defaulting to %d bytes\n", 2683 ifp->if_xname, sp->lcp.mru, PP_MTU); 2684 } 2685 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2686 sp->lcp.mru = PP_MTU; 2687 break; 2688 case LCP_OPT_AUTH_PROTO: 2689 /* 2690 * Peer doesn't want to authenticate himself, 2691 * deny unless this is a dialout call, and 2692 * SPPP_AUTHFLAG_NOCALLOUT is set. 2693 */ 2694 if ((sp->pp_flags & PP_CALLIN) == 0 && 2695 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 2696 if (debug) 2697 addlog(" [don't insist on auth " 2698 "for callout]"); 2699 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2700 break; 2701 } 2702 if (debug) 2703 addlog("[access denied]\n"); 2704 lcp.Close(sp); 2705 break; 2706 } 2707 } 2708 if (debug) 2709 addlog("\n"); 2710 drop: 2711 free(buf, M_TEMP); 2712 return; 2713 } 2714 2715 /* 2716 * Analyze the LCP Configure-NAK option list, and adjust our 2717 * negotiation. 2718 */ 2719 static void 2720 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2721 { 2722 STDDCL; 2723 u_char *buf, *p, l, blen; 2724 uint32_t magic; 2725 2726 KASSERT(SPPP_WLOCKED(sp)); 2727 2728 len -= 4; 2729 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 2730 if (!buf) 2731 return; 2732 2733 if (debug) 2734 log(LOG_DEBUG, "%s: lcp nak opts:", 2735 ifp->if_xname); 2736 2737 p = (void *)(h + 1); 2738 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2739 /* Sanity check option length */ 2740 if (l > len) { 2741 /* 2742 * Malicious option - drop immediately. 2743 * XXX Maybe we should just RXJ it? 2744 */ 2745 addlog("%s: received malicious LCP option, " 2746 "dropping.\n", ifp->if_xname); 2747 goto drop; 2748 } 2749 if (debug) 2750 addlog(" %s", sppp_lcp_opt_name(*p)); 2751 switch (*p) { 2752 case LCP_OPT_MAGIC: 2753 /* Magic number -- renegotiate */ 2754 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2755 len >= 6 && l == 6) { 2756 magic = (uint32_t)p[2] << 24 | 2757 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2758 /* 2759 * If the remote magic is our negated one, 2760 * this looks like a loopback problem. 2761 * Suggest a new magic to make sure. 2762 */ 2763 if (magic == ~sp->lcp.magic) { 2764 if (debug) 2765 addlog(" magic glitch"); 2766 sp->lcp.magic = cprng_fast32(); 2767 } else { 2768 sp->lcp.magic = magic; 2769 if (debug) 2770 addlog(" %d", magic); 2771 } 2772 } 2773 break; 2774 case LCP_OPT_MRU: 2775 /* 2776 * Peer wants to advise us to negotiate an MRU. 2777 * Agree on it if it's reasonable, or use 2778 * default otherwise. 2779 */ 2780 if (len >= 4 && l == 4) { 2781 u_int mru = p[2] * 256 + p[3]; 2782 if (debug) 2783 addlog(" %d", mru); 2784 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 2785 mru = sp->pp_if.if_mtu; 2786 sp->lcp.mru = mru; 2787 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2788 } 2789 break; 2790 case LCP_OPT_AUTH_PROTO: 2791 /* 2792 * Peer doesn't like our authentication method, 2793 * deny. 2794 */ 2795 if (debug) 2796 addlog("[access denied]\n"); 2797 lcp.Close(sp); 2798 break; 2799 } 2800 } 2801 if (debug) 2802 addlog("\n"); 2803 drop: 2804 free(buf, M_TEMP); 2805 return; 2806 } 2807 2808 static void 2809 sppp_lcp_tlu(struct sppp *sp) 2810 { 2811 struct ifnet *ifp = &sp->pp_if; 2812 int i; 2813 uint32_t mask; 2814 2815 KASSERT(SPPP_WLOCKED(sp)); 2816 2817 /* XXX ? */ 2818 if (! (ifp->if_flags & IFF_UP) && 2819 (ifp->if_flags & IFF_RUNNING)) { 2820 /* Coming out of loopback mode. */ 2821 SPPP_UNLOCK(sp); 2822 if_up(ifp); 2823 SPPP_LOCK(sp, RW_WRITER); 2824 } 2825 2826 for (i = 0; i < IDX_COUNT; i++) 2827 if ((cps[i])->flags & CP_QUAL) 2828 (cps[i])->Open(sp); 2829 2830 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2831 (sp->pp_flags & PP_NEEDAUTH) != 0) 2832 sppp_change_phase(sp, SPPP_PHASE_AUTHENTICATE); 2833 else 2834 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 2835 2836 /* 2837 * Open all authentication protocols. This is even required 2838 * if we already proceeded to network phase, since it might be 2839 * that remote wants us to authenticate, so we might have to 2840 * send a PAP request. Undesired authentication protocols 2841 * don't do anything when they get an Open event. 2842 */ 2843 for (i = 0; i < IDX_COUNT; i++) 2844 if ((cps[i])->flags & CP_AUTH) 2845 (cps[i])->Open(sp); 2846 2847 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 2848 /* Notify all NCPs. */ 2849 for (i = 0; i < IDX_COUNT; i++) 2850 if ((cps[i])->flags & CP_NCP) 2851 (cps[i])->Open(sp); 2852 } 2853 2854 /* Send Up events to all started protos. */ 2855 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) { 2856 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2857 (cps[i])->Up(sp); 2858 } 2859 } 2860 2861 /* notify low-level driver of state change */ 2862 sppp_notify_chg_wlocked(sp); 2863 2864 if (sp->pp_phase == SPPP_PHASE_NETWORK) 2865 /* if no NCP is starting, close down */ 2866 sppp_lcp_check_and_close(sp); 2867 } 2868 2869 static void 2870 sppp_lcp_tld(struct sppp *sp) 2871 { 2872 int i; 2873 uint32_t mask; 2874 2875 KASSERT(SPPP_WLOCKED(sp)); 2876 2877 sppp_change_phase(sp, SPPP_PHASE_TERMINATE); 2878 2879 /* 2880 * Take upper layers down. We send the Down event first and 2881 * the Close second to prevent the upper layers from sending 2882 * ``a flurry of terminate-request packets'', as the RFC 2883 * describes it. 2884 */ 2885 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) { 2886 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2887 (cps[i])->Down(sp); 2888 (cps[i])->Close(sp); 2889 } 2890 } 2891 } 2892 2893 static void 2894 sppp_lcp_tls(struct sppp *sp) 2895 { 2896 2897 KASSERT(SPPP_WLOCKED(sp)); 2898 2899 2900 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 2901 printf("%s: authentication failed %d times, not retrying again\n", 2902 sp->pp_if.if_xname, sp->pp_auth_failures); 2903 2904 SPPP_UNLOCK(sp); 2905 if_down(&sp->pp_if); 2906 SPPP_LOCK(sp, RW_WRITER); 2907 return; 2908 } 2909 2910 sppp_change_phase(sp, SPPP_PHASE_ESTABLISH); 2911 2912 /* Notify lower layer if desired. */ 2913 sppp_notify_tls_wlocked(sp); 2914 } 2915 2916 static void 2917 sppp_lcp_tlf(struct sppp *sp) 2918 { 2919 2920 KASSERT(SPPP_WLOCKED(sp)); 2921 2922 sppp_change_phase(sp, SPPP_PHASE_DEAD); 2923 2924 /* Notify lower layer if desired. */ 2925 sppp_notify_tlf_wlocked(sp); 2926 } 2927 2928 static void 2929 sppp_lcp_scr(struct sppp *sp) 2930 { 2931 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 2932 int i = 0; 2933 u_short authproto; 2934 2935 KASSERT(SPPP_WLOCKED(sp)); 2936 2937 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 2938 if (! sp->lcp.magic) 2939 sp->lcp.magic = cprng_fast32(); 2940 opt[i++] = LCP_OPT_MAGIC; 2941 opt[i++] = 6; 2942 opt[i++] = sp->lcp.magic >> 24; 2943 opt[i++] = sp->lcp.magic >> 16; 2944 opt[i++] = sp->lcp.magic >> 8; 2945 opt[i++] = sp->lcp.magic; 2946 } 2947 2948 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 2949 opt[i++] = LCP_OPT_MRU; 2950 opt[i++] = 4; 2951 opt[i++] = sp->lcp.mru >> 8; 2952 opt[i++] = sp->lcp.mru; 2953 } 2954 2955 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 2956 authproto = sp->hisauth.proto; 2957 opt[i++] = LCP_OPT_AUTH_PROTO; 2958 opt[i++] = authproto == PPP_CHAP? 5: 4; 2959 opt[i++] = authproto >> 8; 2960 opt[i++] = authproto; 2961 if (authproto == PPP_CHAP) 2962 opt[i++] = CHAP_MD5; 2963 } 2964 2965 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 2966 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 2967 } 2968 2969 /* 2970 * Check the open NCPs, return true if at least one NCP is open. 2971 */ 2972 static int 2973 sppp_ncp_check(struct sppp *sp) 2974 { 2975 int i, mask; 2976 2977 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 2978 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 2979 return 1; 2980 return 0; 2981 } 2982 2983 /* 2984 * Re-check the open NCPs and see if we should terminate the link. 2985 * Called by the NCPs during their tlf action handling. 2986 */ 2987 static void 2988 sppp_lcp_check_and_close(struct sppp *sp) 2989 { 2990 2991 KASSERT(SPPP_WLOCKED(sp)); 2992 2993 if (sp->pp_phase < SPPP_PHASE_NETWORK) 2994 /* don't bother, we are already going down */ 2995 return; 2996 2997 if (sppp_ncp_check(sp)) 2998 return; 2999 lcp.Close(sp); 3000 } 3001 3002 3003 /* 3004 *--------------------------------------------------------------------------* 3005 * * 3006 * The IPCP implementation. * 3007 * * 3008 *--------------------------------------------------------------------------* 3009 */ 3010 3011 static void 3012 sppp_ipcp_init(struct sppp *sp) 3013 { 3014 int error; 3015 3016 KASSERT(SPPP_WLOCKED(sp)); 3017 3018 sp->ipcp.opts = 0; 3019 sp->ipcp.flags = 0; 3020 sp->state[IDX_IPCP] = STATE_INITIAL; 3021 sp->fail_counter[IDX_IPCP] = 0; 3022 sp->pp_seq[IDX_IPCP] = 0; 3023 sp->pp_rseq[IDX_IPCP] = 0; 3024 callout_init(&sp->ch[IDX_IPCP], CALLOUT_MPSAFE); 3025 3026 error = workqueue_create(&sp->ipcp.update_addrs_wq, "ipcp_addr", 3027 sppp_update_ip_addrs_work, sp, PRI_SOFTNET, IPL_NET, 0); 3028 if (error) 3029 panic("%s: update_addrs workqueue_create failed (%d)\n", 3030 __func__, error); 3031 sp->ipcp.update_addrs_q = pcq_create(IPCP_UPDATE_LIMIT, KM_SLEEP); 3032 3033 sp->ipcp.update_addrs_enqueued = 0; 3034 } 3035 3036 static void 3037 sppp_ipcp_up(struct sppp *sp) 3038 { 3039 KASSERT(SPPP_WLOCKED(sp)); 3040 sppp_up_event(&ipcp, sp); 3041 } 3042 3043 static void 3044 sppp_ipcp_down(struct sppp *sp) 3045 { 3046 KASSERT(SPPP_WLOCKED(sp)); 3047 sppp_down_event(&ipcp, sp); 3048 } 3049 3050 static void 3051 sppp_ipcp_open(struct sppp *sp) 3052 { 3053 STDDCL; 3054 uint32_t myaddr, hisaddr; 3055 3056 KASSERT(SPPP_WLOCKED(sp)); 3057 3058 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 3059 sp->ipcp.req_myaddr = 0; 3060 sp->ipcp.req_hisaddr = 0; 3061 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 3062 3063 #ifdef INET 3064 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3065 #else 3066 myaddr = hisaddr = 0; 3067 #endif 3068 /* 3069 * If we don't have his address, this probably means our 3070 * interface doesn't want to talk IP at all. (This could 3071 * be the case if somebody wants to speak only IPX, for 3072 * example.) Don't open IPCP in this case. 3073 */ 3074 if (hisaddr == 0) { 3075 /* XXX this message should go away */ 3076 if (debug) 3077 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 3078 ifp->if_xname); 3079 return; 3080 } 3081 3082 if (myaddr == 0) { 3083 /* 3084 * I don't have an assigned address, so i need to 3085 * negotiate my address. 3086 */ 3087 sp->ipcp.flags |= IPCP_MYADDR_DYN; 3088 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3089 } 3090 if (hisaddr == 1) { 3091 /* 3092 * XXX - remove this hack! 3093 * remote has no valid address, we need to get one assigned. 3094 */ 3095 sp->ipcp.flags |= IPCP_HISADDR_DYN; 3096 } 3097 sppp_open_event(&ipcp, sp); 3098 } 3099 3100 static void 3101 sppp_ipcp_close(struct sppp *sp) 3102 { 3103 3104 KASSERT(SPPP_WLOCKED(sp)); 3105 3106 sppp_close_event(&ipcp, sp); 3107 3108 #ifdef INET 3109 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) 3110 /* 3111 * Some address was dynamic, clear it again. 3112 */ 3113 sppp_clear_ip_addrs(sp); 3114 #endif 3115 } 3116 3117 static void 3118 sppp_ipcp_TO(void *cookie) 3119 { 3120 struct sppp *sp = cookie; 3121 3122 SPPP_LOCK(sp, RW_WRITER); 3123 sppp_to_event(&ipcp, sp); 3124 SPPP_UNLOCK(sp); 3125 } 3126 3127 /* 3128 * Analyze a configure request. Return true if it was agreeable, and 3129 * caused action sca, false if it has been rejected or nak'ed, and 3130 * caused action scn. (The return value is used to make the state 3131 * transition decision in the state automaton.) 3132 */ 3133 static int 3134 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3135 { 3136 u_char *buf, *r, *p, l, blen; 3137 struct ifnet *ifp = &sp->pp_if; 3138 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3139 uint32_t hisaddr, desiredaddr; 3140 3141 KASSERT(SPPP_WLOCKED(sp)); 3142 3143 len -= 4; 3144 origlen = len; 3145 /* 3146 * Make sure to allocate a buf that can at least hold a 3147 * conf-nak with an `address' option. We might need it below. 3148 */ 3149 blen = len < 6 ? 6 : len; 3150 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3151 if (! buf) 3152 return (0); 3153 3154 /* pass 1: see if we can recognize them */ 3155 if (debug) 3156 log(LOG_DEBUG, "%s: ipcp parse opts:", 3157 ifp->if_xname); 3158 p = (void *)(h + 1); 3159 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3160 /* Sanity check option length */ 3161 if (l > len) { 3162 /* XXX should we just RXJ? */ 3163 addlog("%s: malicious IPCP option received, dropping\n", 3164 ifp->if_xname); 3165 goto drop; 3166 } 3167 if (debug) 3168 addlog(" %s", sppp_ipcp_opt_name(*p)); 3169 switch (*p) { 3170 #ifdef notyet 3171 case IPCP_OPT_COMPRESSION: 3172 if (len >= 6 && l >= 6) { 3173 /* correctly formed compress option */ 3174 continue; 3175 } 3176 if (debug) 3177 addlog(" [invalid]"); 3178 break; 3179 #endif 3180 case IPCP_OPT_ADDRESS: 3181 if (len >= 6 && l == 6) { 3182 /* correctly formed address option */ 3183 continue; 3184 } 3185 if (debug) 3186 addlog(" [invalid]"); 3187 break; 3188 default: 3189 /* Others not supported. */ 3190 if (debug) 3191 addlog(" [rej]"); 3192 break; 3193 } 3194 /* Add the option to rejected list. */ 3195 if (rlen + l > blen) { 3196 if (debug) 3197 addlog(" [overflow]"); 3198 continue; 3199 } 3200 memcpy(r, p, l); 3201 r += l; 3202 rlen += l; 3203 } 3204 if (rlen) { 3205 if (debug) 3206 addlog(" send conf-rej\n"); 3207 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 3208 goto end; 3209 } else if (debug) 3210 addlog("\n"); 3211 3212 /* pass 2: parse option values */ 3213 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 3214 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 3215 else 3216 #ifdef INET 3217 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 3218 #else 3219 hisaddr = 0; 3220 #endif 3221 if (debug) 3222 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 3223 ifp->if_xname); 3224 p = (void *)(h + 1); 3225 len = origlen; 3226 for (rlen=0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3227 if (debug) 3228 addlog(" %s", sppp_ipcp_opt_name(*p)); 3229 switch (*p) { 3230 #ifdef notyet 3231 case IPCP_OPT_COMPRESSION: 3232 continue; 3233 #endif 3234 case IPCP_OPT_ADDRESS: 3235 desiredaddr = p[2] << 24 | p[3] << 16 | 3236 p[4] << 8 | p[5]; 3237 if (desiredaddr == hisaddr || 3238 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 3239 /* 3240 * Peer's address is same as our value, 3241 * this is agreeable. Gonna conf-ack 3242 * it. 3243 */ 3244 if (debug) 3245 addlog(" %s [ack]", 3246 sppp_dotted_quad(hisaddr)); 3247 /* record that we've seen it already */ 3248 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 3249 sp->ipcp.req_hisaddr = desiredaddr; 3250 hisaddr = desiredaddr; 3251 continue; 3252 } 3253 /* 3254 * The address wasn't agreeable. This is either 3255 * he sent us 0.0.0.0, asking to assign him an 3256 * address, or he send us another address not 3257 * matching our value. Either case, we gonna 3258 * conf-nak it with our value. 3259 */ 3260 if (debug) { 3261 if (desiredaddr == 0) 3262 addlog(" [addr requested]"); 3263 else 3264 addlog(" %s [not agreed]", 3265 sppp_dotted_quad(desiredaddr)); 3266 } 3267 3268 p[2] = hisaddr >> 24; 3269 p[3] = hisaddr >> 16; 3270 p[4] = hisaddr >> 8; 3271 p[5] = hisaddr; 3272 break; 3273 } 3274 if (rlen + l > blen) { 3275 if (debug) 3276 addlog(" [overflow]"); 3277 continue; 3278 } 3279 /* Add the option to nak'ed list. */ 3280 memcpy(r, p, l); 3281 r += l; 3282 rlen += l; 3283 } 3284 3285 /* 3286 * If we are about to conf-ack the request, but haven't seen 3287 * his address so far, gonna conf-nak it instead, with the 3288 * `address' option present and our idea of his address being 3289 * filled in there, to request negotiation of both addresses. 3290 * 3291 * XXX This can result in an endless req - nak loop if peer 3292 * doesn't want to send us his address. Q: What should we do 3293 * about it? XXX A: implement the max-failure counter. 3294 */ 3295 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) { 3296 buf[0] = IPCP_OPT_ADDRESS; 3297 buf[1] = 6; 3298 buf[2] = hisaddr >> 24; 3299 buf[3] = hisaddr >> 16; 3300 buf[4] = hisaddr >> 8; 3301 buf[5] = hisaddr; 3302 rlen = 6; 3303 if (debug) 3304 addlog(" still need hisaddr"); 3305 } 3306 3307 if (rlen) { 3308 if (debug) 3309 addlog(" send conf-nak\n"); 3310 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3311 } else { 3312 if (debug) 3313 addlog(" send conf-ack\n"); 3314 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1); 3315 } 3316 3317 end: 3318 free(buf, M_TEMP); 3319 return (rlen == 0); 3320 3321 drop: 3322 free(buf, M_TEMP); 3323 return -1; 3324 } 3325 3326 /* 3327 * Analyze the IPCP Configure-Reject option list, and adjust our 3328 * negotiation. 3329 */ 3330 static void 3331 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3332 { 3333 u_char *buf, *p, l, blen; 3334 struct ifnet *ifp = &sp->pp_if; 3335 int debug = ifp->if_flags & IFF_DEBUG; 3336 3337 KASSERT(SPPP_WLOCKED(sp)); 3338 3339 len -= 4; 3340 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3341 if (!buf) 3342 return; 3343 3344 if (debug) 3345 log(LOG_DEBUG, "%s: ipcp rej opts:", 3346 ifp->if_xname); 3347 3348 p = (void *)(h + 1); 3349 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3350 /* Sanity check option length */ 3351 if (l > len) { 3352 /* XXX should we just RXJ? */ 3353 addlog("%s: malicious IPCP option received, dropping\n", 3354 ifp->if_xname); 3355 goto drop; 3356 } 3357 if (debug) 3358 addlog(" %s", sppp_ipcp_opt_name(*p)); 3359 switch (*p) { 3360 case IPCP_OPT_ADDRESS: 3361 /* 3362 * Peer doesn't grok address option. This is 3363 * bad. XXX Should we better give up here? 3364 */ 3365 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3366 break; 3367 #ifdef notyet 3368 case IPCP_OPT_COMPRESS: 3369 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS); 3370 break; 3371 #endif 3372 } 3373 } 3374 if (debug) 3375 addlog("\n"); 3376 drop: 3377 free(buf, M_TEMP); 3378 return; 3379 } 3380 3381 /* 3382 * Analyze the IPCP Configure-NAK option list, and adjust our 3383 * negotiation. 3384 */ 3385 static void 3386 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3387 { 3388 u_char *p, l; 3389 struct ifnet *ifp = &sp->pp_if; 3390 int debug = ifp->if_flags & IFF_DEBUG; 3391 uint32_t wantaddr; 3392 3393 KASSERT(SPPP_WLOCKED(sp)); 3394 3395 len -= 4; 3396 3397 if (debug) 3398 log(LOG_DEBUG, "%s: ipcp nak opts:", 3399 ifp->if_xname); 3400 3401 p = (void *)(h + 1); 3402 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3403 /* Sanity check option length */ 3404 if (l > len) { 3405 /* XXX should we just RXJ? */ 3406 addlog("%s: malicious IPCP option received, dropping\n", 3407 ifp->if_xname); 3408 return; 3409 } 3410 if (debug) 3411 addlog(" %s", sppp_ipcp_opt_name(*p)); 3412 switch (*p) { 3413 case IPCP_OPT_ADDRESS: 3414 /* 3415 * Peer doesn't like our local IP address. See 3416 * if we can do something for him. We'll drop 3417 * him our address then. 3418 */ 3419 if (len >= 6 && l == 6) { 3420 wantaddr = p[2] << 24 | p[3] << 16 | 3421 p[4] << 8 | p[5]; 3422 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3423 if (debug) 3424 addlog(" [wantaddr %s]", 3425 sppp_dotted_quad(wantaddr)); 3426 /* 3427 * When doing dynamic address assignment, 3428 * we accept his offer. Otherwise, we 3429 * ignore it and thus continue to negotiate 3430 * our already existing value. 3431 */ 3432 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3433 if (debug) 3434 addlog(" [agree]"); 3435 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3436 sp->ipcp.req_myaddr = wantaddr; 3437 } 3438 } 3439 break; 3440 3441 case IPCP_OPT_PRIMDNS: 3442 if (len >= 6 && l == 6) { 3443 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 3444 p[4] << 8 | p[5]; 3445 } 3446 break; 3447 3448 case IPCP_OPT_SECDNS: 3449 if (len >= 6 && l == 6) { 3450 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 3451 p[4] << 8 | p[5]; 3452 } 3453 break; 3454 #ifdef notyet 3455 case IPCP_OPT_COMPRESS: 3456 /* 3457 * Peer wants different compression parameters. 3458 */ 3459 break; 3460 #endif 3461 } 3462 } 3463 if (debug) 3464 addlog("\n"); 3465 } 3466 3467 static void 3468 sppp_ipcp_tlu(struct sppp *sp) 3469 { 3470 #ifdef INET 3471 KASSERT(SPPP_WLOCKED(sp)); 3472 /* we are up. Set addresses and notify anyone interested */ 3473 sppp_set_ip_addrs(sp); 3474 #endif 3475 } 3476 3477 static void 3478 sppp_ipcp_tld(struct sppp *sp) 3479 { 3480 3481 KASSERT(SPPP_WLOCKED(sp)); 3482 } 3483 3484 static void 3485 sppp_ipcp_tls(struct sppp *sp) 3486 { 3487 3488 KASSERT(SPPP_WLOCKED(sp)); 3489 /* indicate to LCP that it must stay alive */ 3490 sp->lcp.protos |= (1 << IDX_IPCP); 3491 } 3492 3493 static void 3494 sppp_ipcp_tlf(struct sppp *sp) 3495 { 3496 3497 KASSERT(SPPP_WLOCKED(sp)); 3498 3499 /* we no longer need LCP */ 3500 sp->lcp.protos &= ~(1 << IDX_IPCP); 3501 } 3502 3503 static void 3504 sppp_ipcp_scr(struct sppp *sp) 3505 { 3506 uint8_t opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 3507 #ifdef INET 3508 uint32_t ouraddr; 3509 #endif 3510 int i = 0; 3511 3512 KASSERT(SPPP_WLOCKED(sp)); 3513 3514 #ifdef notyet 3515 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3516 opt[i++] = IPCP_OPT_COMPRESSION; 3517 opt[i++] = 6; 3518 opt[i++] = 0; /* VJ header compression */ 3519 opt[i++] = 0x2d; /* VJ header compression */ 3520 opt[i++] = max_slot_id; 3521 opt[i++] = comp_slot_id; 3522 } 3523 #endif 3524 3525 #ifdef INET 3526 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3527 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) 3528 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 3529 else 3530 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3531 opt[i++] = IPCP_OPT_ADDRESS; 3532 opt[i++] = 6; 3533 opt[i++] = ouraddr >> 24; 3534 opt[i++] = ouraddr >> 16; 3535 opt[i++] = ouraddr >> 8; 3536 opt[i++] = ouraddr; 3537 } 3538 #endif 3539 3540 if (sp->query_dns & 1) { 3541 opt[i++] = IPCP_OPT_PRIMDNS; 3542 opt[i++] = 6; 3543 opt[i++] = sp->dns_addrs[0] >> 24; 3544 opt[i++] = sp->dns_addrs[0] >> 16; 3545 opt[i++] = sp->dns_addrs[0] >> 8; 3546 opt[i++] = sp->dns_addrs[0]; 3547 } 3548 if (sp->query_dns & 2) { 3549 opt[i++] = IPCP_OPT_SECDNS; 3550 opt[i++] = 6; 3551 opt[i++] = sp->dns_addrs[1] >> 24; 3552 opt[i++] = sp->dns_addrs[1] >> 16; 3553 opt[i++] = sp->dns_addrs[1] >> 8; 3554 opt[i++] = sp->dns_addrs[1]; 3555 } 3556 3557 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3558 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3559 } 3560 3561 3562 /* 3563 *--------------------------------------------------------------------------* 3564 * * 3565 * The IPv6CP implementation. * 3566 * * 3567 *--------------------------------------------------------------------------* 3568 */ 3569 3570 #ifdef INET6 3571 static void 3572 sppp_ipv6cp_init(struct sppp *sp) 3573 { 3574 3575 KASSERT(SPPP_WLOCKED(sp)); 3576 3577 sp->ipv6cp.opts = 0; 3578 sp->ipv6cp.flags = 0; 3579 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3580 sp->fail_counter[IDX_IPV6CP] = 0; 3581 sp->pp_seq[IDX_IPV6CP] = 0; 3582 sp->pp_rseq[IDX_IPV6CP] = 0; 3583 callout_init(&sp->ch[IDX_IPV6CP], CALLOUT_MPSAFE); 3584 } 3585 3586 static void 3587 sppp_ipv6cp_up(struct sppp *sp) 3588 { 3589 3590 KASSERT(SPPP_WLOCKED(sp)); 3591 sppp_up_event(&ipv6cp, sp); 3592 } 3593 3594 static void 3595 sppp_ipv6cp_down(struct sppp *sp) 3596 { 3597 3598 KASSERT(SPPP_WLOCKED(sp)); 3599 sppp_down_event(&ipv6cp, sp); 3600 } 3601 3602 static void 3603 sppp_ipv6cp_open(struct sppp *sp) 3604 { 3605 STDDCL; 3606 struct in6_addr myaddr, hisaddr; 3607 3608 KASSERT(SPPP_WLOCKED(sp)); 3609 3610 #ifdef IPV6CP_MYIFID_DYN 3611 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3612 #else 3613 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3614 #endif 3615 3616 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3617 /* 3618 * If we don't have our address, this probably means our 3619 * interface doesn't want to talk IPv6 at all. (This could 3620 * be the case if somebody wants to speak only IPX, for 3621 * example.) Don't open IPv6CP in this case. 3622 */ 3623 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3624 /* XXX this message should go away */ 3625 if (debug) 3626 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 3627 ifp->if_xname); 3628 return; 3629 } 3630 3631 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3632 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3633 sppp_open_event(&ipv6cp, sp); 3634 } 3635 3636 static void 3637 sppp_ipv6cp_close(struct sppp *sp) 3638 { 3639 3640 KASSERT(SPPP_WLOCKED(sp)); 3641 sppp_close_event(&ipv6cp, sp); 3642 } 3643 3644 static void 3645 sppp_ipv6cp_TO(void *cookie) 3646 { 3647 struct sppp *sp = cookie; 3648 3649 SPPP_LOCK(sp, RW_WRITER); 3650 sppp_to_event(&ipv6cp, sp); 3651 SPPP_UNLOCK(sp); 3652 } 3653 3654 /* 3655 * Analyze a configure request. Return true if it was agreeable, and 3656 * caused action sca, false if it has been rejected or nak'ed, and 3657 * caused action scn. (The return value is used to make the state 3658 * transition decision in the state automaton.) 3659 */ 3660 static int 3661 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3662 { 3663 u_char *buf, *r, *p, l, blen; 3664 struct ifnet *ifp = &sp->pp_if; 3665 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3666 struct in6_addr myaddr, desiredaddr, suggestaddr; 3667 int ifidcount; 3668 int type; 3669 int collision, nohisaddr; 3670 char ip6buf[INET6_ADDRSTRLEN]; 3671 3672 KASSERT(SPPP_WLOCKED(sp)); 3673 3674 len -= 4; 3675 origlen = len; 3676 /* 3677 * Make sure to allocate a buf that can at least hold a 3678 * conf-nak with an `address' option. We might need it below. 3679 */ 3680 blen = len < 6 ? 6 : len; 3681 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3682 if (! buf) 3683 return (0); 3684 3685 /* pass 1: see if we can recognize them */ 3686 if (debug) 3687 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 3688 ifp->if_xname); 3689 p = (void *)(h + 1); 3690 ifidcount = 0; 3691 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3692 /* Sanity check option length */ 3693 if (l > len) { 3694 /* XXX just RXJ? */ 3695 addlog("%s: received malicious IPCPv6 option, " 3696 "dropping\n", ifp->if_xname); 3697 goto drop; 3698 } 3699 if (debug) 3700 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3701 switch (*p) { 3702 case IPV6CP_OPT_IFID: 3703 if (len >= 10 && l == 10 && ifidcount == 0) { 3704 /* correctly formed address option */ 3705 ifidcount++; 3706 continue; 3707 } 3708 if (debug) 3709 addlog(" [invalid]"); 3710 break; 3711 #ifdef notyet 3712 case IPV6CP_OPT_COMPRESSION: 3713 if (len >= 4 && l >= 4) { 3714 /* correctly formed compress option */ 3715 continue; 3716 } 3717 if (debug) 3718 addlog(" [invalid]"); 3719 break; 3720 #endif 3721 default: 3722 /* Others not supported. */ 3723 if (debug) 3724 addlog(" [rej]"); 3725 break; 3726 } 3727 if (rlen + l > blen) { 3728 if (debug) 3729 addlog(" [overflow]"); 3730 continue; 3731 } 3732 /* Add the option to rejected list. */ 3733 memcpy(r, p, l); 3734 r += l; 3735 rlen += l; 3736 } 3737 if (rlen) { 3738 if (debug) 3739 addlog(" send conf-rej\n"); 3740 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3741 goto end; 3742 } else if (debug) 3743 addlog("\n"); 3744 3745 /* pass 2: parse option values */ 3746 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3747 if (debug) 3748 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 3749 ifp->if_xname); 3750 p = (void *)(h + 1); 3751 len = origlen; 3752 type = CONF_ACK; 3753 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3754 if (debug) 3755 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3756 switch (*p) { 3757 #ifdef notyet 3758 case IPV6CP_OPT_COMPRESSION: 3759 continue; 3760 #endif 3761 case IPV6CP_OPT_IFID: 3762 memset(&desiredaddr, 0, sizeof(desiredaddr)); 3763 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 3764 collision = (memcmp(&desiredaddr.s6_addr[8], 3765 &myaddr.s6_addr[8], 8) == 0); 3766 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3767 3768 desiredaddr.s6_addr16[0] = htons(0xfe80); 3769 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 3770 3771 if (!collision && !nohisaddr) { 3772 /* no collision, hisaddr known - Conf-Ack */ 3773 type = CONF_ACK; 3774 3775 if (debug) { 3776 addlog(" %s [%s]", 3777 IN6_PRINT(ip6buf, &desiredaddr), 3778 sppp_cp_type_name(type)); 3779 } 3780 continue; 3781 } 3782 3783 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3784 if (collision && nohisaddr) { 3785 /* collision, hisaddr unknown - Conf-Rej */ 3786 type = CONF_REJ; 3787 memset(&p[2], 0, 8); 3788 } else { 3789 /* 3790 * - no collision, hisaddr unknown, or 3791 * - collision, hisaddr known 3792 * Conf-Nak, suggest hisaddr 3793 */ 3794 type = CONF_NAK; 3795 sppp_suggest_ip6_addr(sp, &suggestaddr); 3796 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 3797 } 3798 if (debug) 3799 addlog(" %s [%s]", IN6_PRINT(ip6buf, &desiredaddr), 3800 sppp_cp_type_name(type)); 3801 break; 3802 } 3803 if (rlen + l > blen) { 3804 if (debug) 3805 addlog(" [overflow]"); 3806 continue; 3807 } 3808 /* Add the option to nak'ed list. */ 3809 memcpy(r, p, l); 3810 r += l; 3811 rlen += l; 3812 } 3813 3814 if (rlen == 0 && type == CONF_ACK) { 3815 if (debug) 3816 addlog(" send %s\n", sppp_cp_type_name(type)); 3817 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1); 3818 } else { 3819 #ifdef notdef 3820 if (type == CONF_ACK) 3821 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3822 #endif 3823 3824 if (debug) { 3825 addlog(" send %s suggest %s\n", 3826 sppp_cp_type_name(type), IN6_PRINT(ip6buf, &suggestaddr)); 3827 } 3828 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3829 } 3830 3831 end: 3832 free(buf, M_TEMP); 3833 return (rlen == 0); 3834 3835 drop: 3836 free(buf, M_TEMP); 3837 return -1; 3838 } 3839 3840 /* 3841 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3842 * negotiation. 3843 */ 3844 static void 3845 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3846 { 3847 u_char *buf, *p, l, blen; 3848 struct ifnet *ifp = &sp->pp_if; 3849 int debug = ifp->if_flags & IFF_DEBUG; 3850 3851 KASSERT(SPPP_WLOCKED(sp)); 3852 3853 len -= 4; 3854 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3855 if (!buf) 3856 return; 3857 3858 if (debug) 3859 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 3860 ifp->if_xname); 3861 3862 p = (void *)(h + 1); 3863 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3864 if (l > len) { 3865 /* XXX just RXJ? */ 3866 addlog("%s: received malicious IPCPv6 option, " 3867 "dropping\n", ifp->if_xname); 3868 goto drop; 3869 } 3870 if (debug) 3871 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3872 switch (*p) { 3873 case IPV6CP_OPT_IFID: 3874 /* 3875 * Peer doesn't grok address option. This is 3876 * bad. XXX Should we better give up here? 3877 */ 3878 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 3879 break; 3880 #ifdef notyet 3881 case IPV6CP_OPT_COMPRESS: 3882 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 3883 break; 3884 #endif 3885 } 3886 } 3887 if (debug) 3888 addlog("\n"); 3889 drop: 3890 free(buf, M_TEMP); 3891 return; 3892 } 3893 3894 /* 3895 * Analyze the IPv6CP Configure-NAK option list, and adjust our 3896 * negotiation. 3897 */ 3898 static void 3899 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3900 { 3901 u_char *buf, *p, l, blen; 3902 struct ifnet *ifp = &sp->pp_if; 3903 int debug = ifp->if_flags & IFF_DEBUG; 3904 struct in6_addr suggestaddr; 3905 char ip6buf[INET6_ADDRSTRLEN]; 3906 3907 KASSERT(SPPP_WLOCKED(sp)); 3908 3909 len -= 4; 3910 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3911 if (!buf) 3912 return; 3913 3914 if (debug) 3915 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 3916 ifp->if_xname); 3917 3918 p = (void *)(h + 1); 3919 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3920 if (l > len) { 3921 /* XXX just RXJ? */ 3922 addlog("%s: received malicious IPCPv6 option, " 3923 "dropping\n", ifp->if_xname); 3924 goto drop; 3925 } 3926 if (debug) 3927 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3928 switch (*p) { 3929 case IPV6CP_OPT_IFID: 3930 /* 3931 * Peer doesn't like our local ifid. See 3932 * if we can do something for him. We'll drop 3933 * him our address then. 3934 */ 3935 if (len < 10 || l != 10) 3936 break; 3937 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3938 suggestaddr.s6_addr16[0] = htons(0xfe80); 3939 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 3940 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 3941 3942 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3943 if (debug) 3944 addlog(" [suggestaddr %s]", 3945 IN6_PRINT(ip6buf, &suggestaddr)); 3946 #ifdef IPV6CP_MYIFID_DYN 3947 /* 3948 * When doing dynamic address assignment, 3949 * we accept his offer. 3950 */ 3951 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 3952 struct in6_addr lastsuggest; 3953 /* 3954 * If <suggested myaddr from peer> equals to 3955 * <hisaddr we have suggested last time>, 3956 * we have a collision. generate new random 3957 * ifid. 3958 */ 3959 sppp_suggest_ip6_addr(&lastsuggest); 3960 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 3961 lastsuggest)) { 3962 if (debug) 3963 addlog(" [random]"); 3964 sppp_gen_ip6_addr(sp, &suggestaddr); 3965 } 3966 sppp_set_ip6_addr(sp, &suggestaddr, 0); 3967 if (debug) 3968 addlog(" [agree]"); 3969 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3970 } 3971 #else 3972 /* 3973 * Since we do not do dynamic address assignment, 3974 * we ignore it and thus continue to negotiate 3975 * our already existing value. This can possibly 3976 * go into infinite request-reject loop. 3977 * 3978 * This is not likely because we normally use 3979 * ifid based on MAC-address. 3980 * If you have no ethernet card on the node, too bad. 3981 * XXX should we use fail_counter? 3982 */ 3983 #endif 3984 break; 3985 #ifdef notyet 3986 case IPV6CP_OPT_COMPRESS: 3987 /* 3988 * Peer wants different compression parameters. 3989 */ 3990 break; 3991 #endif 3992 } 3993 } 3994 if (debug) 3995 addlog("\n"); 3996 drop: 3997 free(buf, M_TEMP); 3998 return; 3999 } 4000 4001 static void 4002 sppp_ipv6cp_tlu(struct sppp *sp) 4003 { 4004 4005 KASSERT(SPPP_WLOCKED(sp)); 4006 /* we are up - notify isdn daemon */ 4007 sppp_notify_con_wlocked(sp); 4008 } 4009 4010 static void 4011 sppp_ipv6cp_tld(struct sppp *sp) 4012 { 4013 4014 KASSERT(SPPP_WLOCKED(sp)); 4015 } 4016 4017 static void 4018 sppp_ipv6cp_tls(struct sppp *sp) 4019 { 4020 4021 KASSERT(SPPP_WLOCKED(sp)); 4022 /* indicate to LCP that it must stay alive */ 4023 sp->lcp.protos |= (1 << IDX_IPV6CP); 4024 } 4025 4026 static void 4027 sppp_ipv6cp_tlf(struct sppp *sp) 4028 { 4029 4030 KASSERT(SPPP_WLOCKED(sp)); 4031 /* we no longer need LCP */ 4032 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 4033 } 4034 4035 static void 4036 sppp_ipv6cp_scr(struct sppp *sp) 4037 { 4038 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 4039 struct in6_addr ouraddr; 4040 int i = 0; 4041 4042 KASSERT(SPPP_WLOCKED(sp)); 4043 4044 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 4045 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 4046 opt[i++] = IPV6CP_OPT_IFID; 4047 opt[i++] = 10; 4048 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 4049 i += 8; 4050 } 4051 4052 #ifdef notyet 4053 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 4054 opt[i++] = IPV6CP_OPT_COMPRESSION; 4055 opt[i++] = 4; 4056 opt[i++] = 0; /* TBD */ 4057 opt[i++] = 0; /* TBD */ 4058 /* variable length data may follow */ 4059 } 4060 #endif 4061 4062 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 4063 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 4064 } 4065 #else /*INET6*/ 4066 static void 4067 sppp_ipv6cp_init(struct sppp *sp) 4068 { 4069 4070 KASSERT(SPPP_WLOCKED(sp)); 4071 } 4072 4073 static void 4074 sppp_ipv6cp_up(struct sppp *sp) 4075 { 4076 4077 KASSERT(SPPP_WLOCKED(sp)); 4078 } 4079 4080 static void 4081 sppp_ipv6cp_down(struct sppp *sp) 4082 { 4083 4084 KASSERT(SPPP_WLOCKED(sp)); 4085 } 4086 4087 static void 4088 sppp_ipv6cp_open(struct sppp *sp) 4089 { 4090 4091 KASSERT(SPPP_WLOCKED(sp)); 4092 } 4093 4094 static void 4095 sppp_ipv6cp_close(struct sppp *sp) 4096 { 4097 4098 KASSERT(SPPP_WLOCKED(sp)); 4099 } 4100 4101 static void 4102 sppp_ipv6cp_TO(void *cookie) 4103 { 4104 struct sppp *sp __diagused = cookie; 4105 4106 KASSERT(SPPP_WLOCKED(sp)); 4107 } 4108 4109 static int 4110 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, 4111 int len) 4112 { 4113 4114 KASSERT(SPPP_WLOCKED(sp)); 4115 return 0; 4116 } 4117 4118 static void 4119 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, 4120 int len) 4121 { 4122 4123 KASSERT(SPPP_WLOCKED(sp)); 4124 } 4125 4126 static void 4127 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, 4128 int len) 4129 { 4130 4131 KASSERT(SPPP_WLOCKED(sp)); 4132 } 4133 4134 static void 4135 sppp_ipv6cp_tlu(struct sppp *sp) 4136 { 4137 4138 KASSERT(SPPP_WLOCKED(sp)); 4139 } 4140 4141 static void 4142 sppp_ipv6cp_tld(struct sppp *sp) 4143 { 4144 4145 KASSERT(SPPP_WLOCKED(sp)); 4146 } 4147 4148 static void 4149 sppp_ipv6cp_tls(struct sppp *sp) 4150 { 4151 4152 KASSERT(SPPP_WLOCKED(sp)); 4153 } 4154 4155 static void 4156 sppp_ipv6cp_tlf(struct sppp *sp) 4157 { 4158 4159 KASSERT(SPPP_WLOCKED(sp)); 4160 } 4161 4162 static void 4163 sppp_ipv6cp_scr(struct sppp *sp) 4164 { 4165 4166 KASSERT(SPPP_WLOCKED(sp)); 4167 } 4168 #endif /*INET6*/ 4169 4170 4171 /* 4172 *--------------------------------------------------------------------------* 4173 * * 4174 * The CHAP implementation. * 4175 * * 4176 *--------------------------------------------------------------------------* 4177 */ 4178 4179 /* 4180 * The authentication protocols don't employ a full-fledged state machine as 4181 * the control protocols do, since they do have Open and Close events, but 4182 * not Up and Down, nor are they explicitly terminated. Also, use of the 4183 * authentication protocols may be different in both directions (this makes 4184 * sense, think of a machine that never accepts incoming calls but only 4185 * calls out, it doesn't require the called party to authenticate itself). 4186 * 4187 * Our state machine for the local authentication protocol (we are requesting 4188 * the peer to authenticate) looks like: 4189 * 4190 * RCA- 4191 * +--------------------------------------------+ 4192 * V scn,tld| 4193 * +--------+ Close +---------+ RCA+ 4194 * | |<----------------------------------| |------+ 4195 * +--->| Closed | TO* | Opened | sca | 4196 * | | |-----+ +-------| |<-----+ 4197 * | +--------+ irc | | +---------+ 4198 * | ^ | | ^ 4199 * | | | | | 4200 * | | | | | 4201 * | TO-| | | | 4202 * | |tld TO+ V | | 4203 * | | +------->+ | | 4204 * | | | | | | 4205 * | +--------+ V | | 4206 * | | |<----+<--------------------+ | 4207 * | | Req- | scr | 4208 * | | Sent | | 4209 * | | | | 4210 * | +--------+ | 4211 * | RCA- | | RCA+ | 4212 * +------+ +------------------------------------------+ 4213 * scn,tld sca,irc,ict,tlu 4214 * 4215 * 4216 * with: 4217 * 4218 * Open: LCP reached authentication phase 4219 * Close: LCP reached terminate phase 4220 * 4221 * RCA+: received reply (pap-req, chap-response), acceptable 4222 * RCN: received reply (pap-req, chap-response), not acceptable 4223 * TO+: timeout with restart counter >= 0 4224 * TO-: timeout with restart counter < 0 4225 * TO*: reschedule timeout for CHAP 4226 * 4227 * scr: send request packet (none for PAP, chap-challenge) 4228 * sca: send ack packet (pap-ack, chap-success) 4229 * scn: send nak packet (pap-nak, chap-failure) 4230 * ict: initialize re-challenge timer (CHAP only) 4231 * 4232 * tlu: this-layer-up, LCP reaches network phase 4233 * tld: this-layer-down, LCP enters terminate phase 4234 * 4235 * Note that in CHAP mode, after sending a new challenge, while the state 4236 * automaton falls back into Req-Sent state, it doesn't signal a tld 4237 * event to LCP, so LCP remains in network phase. Only after not getting 4238 * any response (or after getting an unacceptable response), CHAP closes, 4239 * causing LCP to enter terminate phase. 4240 * 4241 * With PAP, there is no initial request that can be sent. The peer is 4242 * expected to send one based on the successful negotiation of PAP as 4243 * the authentication protocol during the LCP option negotiation. 4244 * 4245 * Incoming authentication protocol requests (remote requests 4246 * authentication, we are peer) don't employ a state machine at all, 4247 * they are simply answered. Some peers [Ascend P50 firmware rev 4248 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are 4249 * still in authentication phase (thereby violating the standard that 4250 * demands that these NCP packets are to be discarded), so we keep 4251 * track of the peer demanding us to authenticate, and only proceed to 4252 * phase network once we've seen a positive acknowledge for the 4253 * authentication. 4254 */ 4255 4256 /* 4257 * Handle incoming CHAP packets. 4258 */ 4259 void 4260 sppp_chap_input(struct sppp *sp, struct mbuf *m) 4261 { 4262 STDDCL; 4263 struct lcp_header *h; 4264 int len, x; 4265 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize; 4266 int value_len, name_len; 4267 MD5_CTX ctx; 4268 4269 len = m->m_pkthdr.len; 4270 if (len < 4) { 4271 if (debug) 4272 log(LOG_DEBUG, 4273 "%s: chap invalid packet length: %d bytes\n", 4274 ifp->if_xname, len); 4275 return; 4276 } 4277 h = mtod(m, struct lcp_header *); 4278 if (len > ntohs(h->len)) 4279 len = ntohs(h->len); 4280 4281 SPPP_LOCK(sp, RW_WRITER); 4282 4283 switch (h->type) { 4284 /* challenge, failure and success are his authproto */ 4285 case CHAP_CHALLENGE: 4286 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4287 /* can't do anything useful */ 4288 sp->pp_auth_failures++; 4289 printf("%s: chap input without my name and my secret being set\n", 4290 ifp->if_xname); 4291 break; 4292 } 4293 value = 1 + (u_char *)(h + 1); 4294 value_len = value[-1]; 4295 name = value + value_len; 4296 name_len = len - value_len - 5; 4297 if (name_len < 0) { 4298 if (debug) { 4299 log(LOG_DEBUG, 4300 "%s: chap corrupted challenge " 4301 "<%s id=0x%x len=%d", 4302 ifp->if_xname, 4303 sppp_auth_type_name(PPP_CHAP, h->type), 4304 h->ident, ntohs(h->len)); 4305 if (len > 4) 4306 sppp_print_bytes((u_char *)(h + 1), 4307 len - 4); 4308 addlog(">\n"); 4309 } 4310 break; 4311 } 4312 4313 if (debug) { 4314 log(LOG_DEBUG, 4315 "%s: chap input <%s id=0x%x len=%d name=", 4316 ifp->if_xname, 4317 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 4318 ntohs(h->len)); 4319 sppp_print_string((char *) name, name_len); 4320 addlog(" value-size=%d value=", value_len); 4321 sppp_print_bytes(value, value_len); 4322 addlog(">\n"); 4323 } 4324 4325 /* Compute reply value. */ 4326 MD5Init(&ctx); 4327 MD5Update(&ctx, &h->ident, 1); 4328 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 4329 MD5Update(&ctx, value, value_len); 4330 MD5Final(digest, &ctx); 4331 dsize = sizeof digest; 4332 4333 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 4334 sizeof dsize, (const char *)&dsize, 4335 sizeof digest, digest, 4336 sp->myauth.name_len, 4337 sp->myauth.name, 4338 0); 4339 break; 4340 4341 case CHAP_SUCCESS: 4342 if (debug) { 4343 log(LOG_DEBUG, "%s: chap success", 4344 ifp->if_xname); 4345 if (len > 4) { 4346 addlog(": "); 4347 sppp_print_string((char *)(h + 1), len - 4); 4348 } 4349 addlog("\n"); 4350 } 4351 x = splnet(); 4352 sp->pp_auth_failures = 0; 4353 sp->pp_flags &= ~PP_NEEDAUTH; 4354 if (sp->myauth.proto == PPP_CHAP && 4355 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4356 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 4357 /* 4358 * We are authenticator for CHAP but didn't 4359 * complete yet. Leave it to tlu to proceed 4360 * to network phase. 4361 */ 4362 splx(x); 4363 break; 4364 } 4365 splx(x); 4366 sppp_phase_network(sp); 4367 break; 4368 4369 case CHAP_FAILURE: 4370 x = splnet(); 4371 sp->pp_auth_failures++; 4372 splx(x); 4373 if (debug) { 4374 log(LOG_INFO, "%s: chap failure", 4375 ifp->if_xname); 4376 if (len > 4) { 4377 addlog(": "); 4378 sppp_print_string((char *)(h + 1), len - 4); 4379 } 4380 addlog("\n"); 4381 } else 4382 log(LOG_INFO, "%s: chap failure\n", 4383 ifp->if_xname); 4384 /* await LCP shutdown by authenticator */ 4385 break; 4386 4387 /* response is my authproto */ 4388 case CHAP_RESPONSE: 4389 if (sp->hisauth.secret == NULL) { 4390 /* can't do anything useful */ 4391 printf("%s: chap input without his secret being set\n", 4392 ifp->if_xname); 4393 break; 4394 } 4395 value = 1 + (u_char *)(h + 1); 4396 value_len = value[-1]; 4397 name = value + value_len; 4398 name_len = len - value_len - 5; 4399 if (name_len < 0) { 4400 if (debug) { 4401 log(LOG_DEBUG, 4402 "%s: chap corrupted response " 4403 "<%s id=0x%x len=%d", 4404 ifp->if_xname, 4405 sppp_auth_type_name(PPP_CHAP, h->type), 4406 h->ident, ntohs(h->len)); 4407 if (len > 4) 4408 sppp_print_bytes((u_char *)(h + 1), 4409 len - 4); 4410 addlog(">\n"); 4411 } 4412 break; 4413 } 4414 if (h->ident != sp->confid[IDX_CHAP]) { 4415 if (debug) 4416 log(LOG_DEBUG, 4417 "%s: chap dropping response for old ID " 4418 "(got %d, expected %d)\n", 4419 ifp->if_xname, 4420 h->ident, sp->confid[IDX_CHAP]); 4421 break; 4422 } 4423 if (sp->hisauth.name != NULL && 4424 (name_len != sp->hisauth.name_len 4425 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 4426 log(LOG_INFO, "%s: chap response, his name ", 4427 ifp->if_xname); 4428 sppp_print_string(name, name_len); 4429 addlog(" != expected "); 4430 sppp_print_string(sp->hisauth.name, 4431 sp->hisauth.name_len); 4432 addlog("\n"); 4433 goto chap_failure; 4434 } 4435 if (debug) { 4436 log(LOG_DEBUG, "%s: chap input(%s) " 4437 "<%s id=0x%x len=%d name=", 4438 ifp->if_xname, 4439 sppp_state_name(sp->state[IDX_CHAP]), 4440 sppp_auth_type_name(PPP_CHAP, h->type), 4441 h->ident, ntohs(h->len)); 4442 sppp_print_string((char *)name, name_len); 4443 addlog(" value-size=%d value=", value_len); 4444 sppp_print_bytes(value, value_len); 4445 addlog(">\n"); 4446 } 4447 if (value_len != sizeof(sp->hisauth.challenge)) { 4448 if (debug) 4449 log(LOG_DEBUG, 4450 "%s: chap bad hash value length: " 4451 "%d bytes, should be %zu\n", 4452 ifp->if_xname, value_len, 4453 sizeof(sp->hisauth.challenge)); 4454 goto chap_failure; 4455 } 4456 4457 MD5Init(&ctx); 4458 MD5Update(&ctx, &h->ident, 1); 4459 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 4460 MD5Update(&ctx, sp->hisauth.challenge, sizeof(sp->hisauth.challenge)); 4461 MD5Final(digest, &ctx); 4462 4463 #define FAILMSG "Failed..." 4464 #define SUCCMSG "Welcome!" 4465 4466 if (value_len != sizeof digest || 4467 memcmp(digest, value, value_len) != 0) { 4468 chap_failure: 4469 KASSERT(SPPP_WLOCKED(sp)); 4470 /* action scn, tld */ 4471 sp->pp_auth_failures++; 4472 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4473 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4474 0); 4475 chap.tld(sp); 4476 break; 4477 } 4478 sp->pp_auth_failures = 0; 4479 /* action sca, perhaps tlu */ 4480 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4481 sp->state[IDX_CHAP] == STATE_OPENED) 4482 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4483 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4484 0); 4485 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4486 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4487 chap.tlu(sp); 4488 } 4489 break; 4490 4491 default: 4492 /* Unknown CHAP packet type -- ignore. */ 4493 if (debug) { 4494 log(LOG_DEBUG, "%s: chap unknown input(%s) " 4495 "<0x%x id=0x%xh len=%d", 4496 ifp->if_xname, 4497 sppp_state_name(sp->state[IDX_CHAP]), 4498 h->type, h->ident, ntohs(h->len)); 4499 if (len > 4) 4500 sppp_print_bytes((u_char *)(h + 1), len - 4); 4501 addlog(">\n"); 4502 } 4503 break; 4504 4505 } 4506 4507 SPPP_UNLOCK(sp); 4508 } 4509 4510 static void 4511 sppp_chap_init(struct sppp *sp) 4512 { 4513 4514 KASSERT(SPPP_WLOCKED(sp)); 4515 4516 /* Chap doesn't have STATE_INITIAL at all. */ 4517 sp->state[IDX_CHAP] = STATE_CLOSED; 4518 sp->fail_counter[IDX_CHAP] = 0; 4519 sp->pp_seq[IDX_CHAP] = 0; 4520 sp->pp_rseq[IDX_CHAP] = 0; 4521 callout_init(&sp->ch[IDX_CHAP], CALLOUT_MPSAFE); 4522 } 4523 4524 static void 4525 sppp_chap_open(struct sppp *sp) 4526 { 4527 4528 KASSERT(SPPP_WLOCKED(sp)); 4529 if (sp->hisauth.proto == PPP_CHAP && 4530 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4531 /* we are authenticator for CHAP, start it */ 4532 chap.scr(sp); 4533 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4534 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4535 } 4536 /* nothing to be done if we are peer, await a challenge */ 4537 } 4538 4539 static void 4540 sppp_chap_close(struct sppp *sp) 4541 { 4542 4543 KASSERT(SPPP_WLOCKED(sp)); 4544 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4545 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4546 } 4547 4548 static void 4549 sppp_chap_TO(void *cookie) 4550 { 4551 struct sppp *sp = (struct sppp *)cookie; 4552 STDDCL; 4553 int s; 4554 4555 s = splnet(); 4556 4557 SPPP_LOCK(sp, RW_WRITER); 4558 4559 if (debug) 4560 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n", 4561 ifp->if_xname, 4562 sppp_state_name(sp->state[IDX_CHAP]), 4563 sp->rst_counter[IDX_CHAP]); 4564 4565 if (--sp->rst_counter[IDX_CHAP] < 0) 4566 /* TO- event */ 4567 switch (sp->state[IDX_CHAP]) { 4568 case STATE_REQ_SENT: 4569 chap.tld(sp); 4570 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4571 break; 4572 } 4573 else 4574 /* TO+ (or TO*) event */ 4575 switch (sp->state[IDX_CHAP]) { 4576 case STATE_OPENED: 4577 /* TO* event */ 4578 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4579 /* fall through */ 4580 case STATE_REQ_SENT: 4581 chap.scr(sp); 4582 /* sppp_cp_change_state() will restart the timer */ 4583 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4584 break; 4585 } 4586 4587 SPPP_UNLOCK(sp); 4588 splx(s); 4589 } 4590 4591 static void 4592 sppp_chap_tlu(struct sppp *sp) 4593 { 4594 STDDCL; 4595 int i, x; 4596 4597 KASSERT(SPPP_WLOCKED(sp)); 4598 4599 i = 0; 4600 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4601 4602 /* 4603 * Some broken CHAP implementations (Conware CoNet, firmware 4604 * 4.0.?) don't want to re-authenticate their CHAP once the 4605 * initial challenge-response exchange has taken place. 4606 * Provide for an option to avoid rechallenges. 4607 */ 4608 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 4609 /* 4610 * Compute the re-challenge timeout. This will yield 4611 * a number between 300 and 810 seconds. 4612 */ 4613 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7); 4614 4615 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp); 4616 } 4617 4618 if (debug) { 4619 log(LOG_DEBUG, 4620 "%s: chap %s, ", 4621 ifp->if_xname, 4622 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu"); 4623 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) 4624 addlog("next re-challenge in %d seconds\n", i); 4625 else 4626 addlog("re-challenging supressed\n"); 4627 } 4628 4629 x = splnet(); 4630 sp->pp_auth_failures = 0; 4631 /* indicate to LCP that we need to be closed down */ 4632 sp->lcp.protos |= (1 << IDX_CHAP); 4633 4634 if (sp->pp_flags & PP_NEEDAUTH) { 4635 /* 4636 * Remote is authenticator, but his auth proto didn't 4637 * complete yet. Defer the transition to network 4638 * phase. 4639 */ 4640 splx(x); 4641 return; 4642 } 4643 splx(x); 4644 4645 /* 4646 * If we are already in phase network, we are done here. This 4647 * is the case if this is a dummy tlu event after a re-challenge. 4648 */ 4649 if (sp->pp_phase != SPPP_PHASE_NETWORK) 4650 sppp_phase_network(sp); 4651 } 4652 4653 static void 4654 sppp_chap_tld(struct sppp *sp) 4655 { 4656 STDDCL; 4657 4658 KASSERT(SPPP_WLOCKED(sp)); 4659 4660 if (debug) 4661 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname); 4662 callout_stop(&sp->ch[IDX_CHAP]); 4663 sp->lcp.protos &= ~(1 << IDX_CHAP); 4664 4665 lcp.Close(sp); 4666 } 4667 4668 static void 4669 sppp_chap_scr(struct sppp *sp) 4670 { 4671 uint32_t *ch; 4672 u_char clen = 4 * sizeof(uint32_t); 4673 4674 KASSERT(SPPP_WLOCKED(sp)); 4675 4676 if (sp->hisauth.name == NULL) { 4677 /* can't do anything useful */ 4678 printf("%s: chap starting without his name being set\n", 4679 sp->pp_if.if_xname); 4680 return; 4681 } 4682 4683 /* Compute random challenge. */ 4684 ch = (uint32_t *)sp->hisauth.challenge; 4685 cprng_strong(kern_cprng, ch, clen, 0); 4686 4687 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4688 4689 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4690 sizeof clen, (const char *)&clen, 4691 sizeof(sp->hisauth.challenge), sp->hisauth.challenge, 4692 0); 4693 } 4694 4695 /* 4696 *--------------------------------------------------------------------------* 4697 * * 4698 * The PAP implementation. * 4699 * * 4700 *--------------------------------------------------------------------------* 4701 */ 4702 /* 4703 * For PAP, we need to keep a little state also if we are the peer, not the 4704 * authenticator. This is since we don't get a request to authenticate, but 4705 * have to repeatedly authenticate ourself until we got a response (or the 4706 * retry counter is expired). 4707 */ 4708 4709 /* 4710 * Handle incoming PAP packets. */ 4711 static void 4712 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4713 { 4714 STDDCL; 4715 struct lcp_header *h; 4716 int len, x; 4717 u_char mlen; 4718 char *name, *secret; 4719 int name_len, secret_len; 4720 4721 /* 4722 * Malicious input might leave this uninitialized, so 4723 * init to an impossible value. 4724 */ 4725 secret_len = -1; 4726 4727 len = m->m_pkthdr.len; 4728 if (len < 5) { 4729 if (debug) 4730 log(LOG_DEBUG, 4731 "%s: pap invalid packet length: %d bytes\n", 4732 ifp->if_xname, len); 4733 return; 4734 } 4735 h = mtod(m, struct lcp_header *); 4736 if (len > ntohs(h->len)) 4737 len = ntohs(h->len); 4738 4739 SPPP_LOCK(sp, RW_WRITER); 4740 4741 switch (h->type) { 4742 /* PAP request is my authproto */ 4743 case PAP_REQ: 4744 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4745 /* can't do anything useful */ 4746 printf("%s: " 4747 "pap request without his name and his secret being set\n", 4748 ifp->if_xname); 4749 break; 4750 } 4751 name = 1 + (u_char *)(h + 1); 4752 name_len = name[-1]; 4753 secret = name + name_len + 1; 4754 if (name_len > len - 6 || 4755 (secret_len = secret[-1]) > len - 6 - name_len) { 4756 if (debug) { 4757 log(LOG_DEBUG, "%s: pap corrupted input " 4758 "<%s id=0x%x len=%d", 4759 ifp->if_xname, 4760 sppp_auth_type_name(PPP_PAP, h->type), 4761 h->ident, ntohs(h->len)); 4762 if (len > 4) 4763 sppp_print_bytes((u_char *)(h + 1), 4764 len - 4); 4765 addlog(">\n"); 4766 } 4767 break; 4768 } 4769 if (debug) { 4770 log(LOG_DEBUG, "%s: pap input(%s) " 4771 "<%s id=0x%x len=%d name=", 4772 ifp->if_xname, 4773 sppp_state_name(sp->state[IDX_PAP]), 4774 sppp_auth_type_name(PPP_PAP, h->type), 4775 h->ident, ntohs(h->len)); 4776 sppp_print_string((char *)name, name_len); 4777 addlog(" secret="); 4778 sppp_print_string((char *)secret, secret_len); 4779 addlog(">\n"); 4780 } 4781 if (name_len != sp->hisauth.name_len || 4782 secret_len != sp->hisauth.secret_len || 4783 memcmp(name, sp->hisauth.name, name_len) != 0 || 4784 memcmp(secret, sp->hisauth.secret, secret_len) != 0) { 4785 /* action scn, tld */ 4786 sp->pp_auth_failures++; 4787 mlen = sizeof(FAILMSG) - 1; 4788 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4789 sizeof mlen, (const char *)&mlen, 4790 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4791 0); 4792 pap.tld(sp); 4793 break; 4794 } 4795 /* action sca, perhaps tlu */ 4796 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4797 sp->state[IDX_PAP] == STATE_OPENED) { 4798 mlen = sizeof(SUCCMSG) - 1; 4799 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4800 sizeof mlen, (const char *)&mlen, 4801 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4802 0); 4803 } 4804 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4805 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4806 pap.tlu(sp); 4807 } 4808 break; 4809 4810 /* ack and nak are his authproto */ 4811 case PAP_ACK: 4812 callout_stop(&sp->pap_my_to_ch); 4813 if (debug) { 4814 log(LOG_DEBUG, "%s: pap success", 4815 ifp->if_xname); 4816 name = 1 + (u_char *)(h + 1); 4817 name_len = name[-1]; 4818 if (len > 5 && name_len < len+4) { 4819 addlog(": "); 4820 sppp_print_string(name, name_len); 4821 } 4822 addlog("\n"); 4823 } 4824 x = splnet(); 4825 sp->pp_auth_failures = 0; 4826 sp->pp_flags &= ~PP_NEEDAUTH; 4827 if (sp->myauth.proto == PPP_PAP && 4828 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4829 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4830 /* 4831 * We are authenticator for PAP but didn't 4832 * complete yet. Leave it to tlu to proceed 4833 * to network phase. 4834 */ 4835 splx(x); 4836 break; 4837 } 4838 splx(x); 4839 sppp_phase_network(sp); 4840 break; 4841 4842 case PAP_NAK: 4843 callout_stop(&sp->pap_my_to_ch); 4844 sp->pp_auth_failures++; 4845 if (debug) { 4846 log(LOG_INFO, "%s: pap failure", 4847 ifp->if_xname); 4848 name = 1 + (u_char *)(h + 1); 4849 name_len = name[-1]; 4850 if (len > 5 && name_len < len+4) { 4851 addlog(": "); 4852 sppp_print_string(name, name_len); 4853 } 4854 addlog("\n"); 4855 } else 4856 log(LOG_INFO, "%s: pap failure\n", 4857 ifp->if_xname); 4858 /* await LCP shutdown by authenticator */ 4859 break; 4860 4861 default: 4862 /* Unknown PAP packet type -- ignore. */ 4863 if (debug) { 4864 log(LOG_DEBUG, "%s: pap corrupted input " 4865 "<0x%x id=0x%x len=%d", 4866 ifp->if_xname, 4867 h->type, h->ident, ntohs(h->len)); 4868 if (len > 4) 4869 sppp_print_bytes((u_char *)(h + 1), len - 4); 4870 addlog(">\n"); 4871 } 4872 break; 4873 } 4874 4875 SPPP_UNLOCK(sp); 4876 } 4877 4878 static void 4879 sppp_pap_init(struct sppp *sp) 4880 { 4881 4882 KASSERT(SPPP_WLOCKED(sp)); 4883 4884 /* PAP doesn't have STATE_INITIAL at all. */ 4885 sp->state[IDX_PAP] = STATE_CLOSED; 4886 sp->fail_counter[IDX_PAP] = 0; 4887 sp->pp_seq[IDX_PAP] = 0; 4888 sp->pp_rseq[IDX_PAP] = 0; 4889 callout_init(&sp->ch[IDX_PAP], CALLOUT_MPSAFE); 4890 callout_init(&sp->pap_my_to_ch, CALLOUT_MPSAFE); 4891 } 4892 4893 static void 4894 sppp_pap_open(struct sppp *sp) 4895 { 4896 4897 KASSERT(SPPP_WLOCKED(sp)); 4898 4899 if (sp->hisauth.proto == PPP_PAP && 4900 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4901 /* we are authenticator for PAP, start our timer */ 4902 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4903 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4904 } 4905 if (sp->myauth.proto == PPP_PAP) { 4906 /* we are peer, send a request, and start a timer */ 4907 pap.scr(sp); 4908 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout, 4909 sppp_pap_my_TO, sp); 4910 } 4911 } 4912 4913 static void 4914 sppp_pap_close(struct sppp *sp) 4915 { 4916 4917 KASSERT(SPPP_WLOCKED(sp)); 4918 4919 if (sp->state[IDX_PAP] != STATE_CLOSED) 4920 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4921 } 4922 4923 /* 4924 * That's the timeout routine if we are authenticator. Since the 4925 * authenticator is basically passive in PAP, we can't do much here. 4926 */ 4927 static void 4928 sppp_pap_TO(void *cookie) 4929 { 4930 struct sppp *sp = (struct sppp *)cookie; 4931 STDDCL; 4932 int s; 4933 4934 s = splnet(); 4935 SPPP_LOCK(sp, RW_WRITER); 4936 4937 if (debug) 4938 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n", 4939 ifp->if_xname, 4940 sppp_state_name(sp->state[IDX_PAP]), 4941 sp->rst_counter[IDX_PAP]); 4942 4943 if (--sp->rst_counter[IDX_PAP] < 0) 4944 /* TO- event */ 4945 switch (sp->state[IDX_PAP]) { 4946 case STATE_REQ_SENT: 4947 pap.tld(sp); 4948 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 4949 break; 4950 } 4951 else 4952 /* TO+ event, not very much we could do */ 4953 switch (sp->state[IDX_PAP]) { 4954 case STATE_REQ_SENT: 4955 /* sppp_cp_change_state() will restart the timer */ 4956 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 4957 break; 4958 } 4959 4960 SPPP_UNLOCK(sp); 4961 splx(s); 4962 } 4963 4964 /* 4965 * That's the timeout handler if we are peer. Since the peer is active, 4966 * we need to retransmit our PAP request since it is apparently lost. 4967 * XXX We should impose a max counter. 4968 */ 4969 static void 4970 sppp_pap_my_TO(void *cookie) 4971 { 4972 struct sppp *sp = (struct sppp *)cookie; 4973 STDDCL; 4974 4975 SPPP_LOCK(sp, RW_WRITER); 4976 if (debug) 4977 log(LOG_DEBUG, "%s: pap peer TO\n", 4978 ifp->if_xname); 4979 4980 pap.scr(sp); 4981 4982 SPPP_UNLOCK(sp); 4983 } 4984 4985 static void 4986 sppp_pap_tlu(struct sppp *sp) 4987 { 4988 STDDCL; 4989 int x; 4990 4991 KASSERT(SPPP_WLOCKED(sp)); 4992 4993 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 4994 4995 if (debug) 4996 log(LOG_DEBUG, "%s: %s tlu\n", 4997 ifp->if_xname, pap.name); 4998 4999 x = splnet(); 5000 sp->pp_auth_failures = 0; 5001 /* indicate to LCP that we need to be closed down */ 5002 sp->lcp.protos |= (1 << IDX_PAP); 5003 5004 if (sp->pp_flags & PP_NEEDAUTH) { 5005 /* 5006 * Remote is authenticator, but his auth proto didn't 5007 * complete yet. Defer the transition to network 5008 * phase. 5009 */ 5010 splx(x); 5011 return; 5012 } 5013 splx(x); 5014 sppp_phase_network(sp); 5015 } 5016 5017 static void 5018 sppp_pap_tld(struct sppp *sp) 5019 { 5020 STDDCL; 5021 5022 KASSERT(SPPP_WLOCKED(sp)); 5023 5024 if (debug) 5025 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname); 5026 callout_stop(&sp->ch[IDX_PAP]); 5027 callout_stop(&sp->pap_my_to_ch); 5028 sp->lcp.protos &= ~(1 << IDX_PAP); 5029 5030 lcp.Close(sp); 5031 } 5032 5033 static void 5034 sppp_pap_scr(struct sppp *sp) 5035 { 5036 u_char idlen, pwdlen; 5037 5038 KASSERT(SPPP_WLOCKED(sp)); 5039 5040 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 5041 /* can't do anything useful */ 5042 printf("%s: pap starting without my name and secret being set\n", 5043 sp->pp_if.if_xname); 5044 return; 5045 } 5046 5047 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 5048 pwdlen = sp->myauth.secret_len; 5049 idlen = sp->myauth.name_len; 5050 5051 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 5052 sizeof idlen, (const char *)&idlen, 5053 idlen, sp->myauth.name, 5054 sizeof pwdlen, (const char *)&pwdlen, 5055 pwdlen, sp->myauth.secret, 5056 0); 5057 } 5058 5059 /* 5060 * Random miscellaneous functions. 5061 */ 5062 5063 /* 5064 * Send a PAP or CHAP proto packet. 5065 * 5066 * Varadic function, each of the elements for the ellipsis is of type 5067 * ``size_t mlen, const u_char *msg''. Processing will stop iff 5068 * mlen == 0. 5069 * NOTE: never declare variadic functions with types subject to type 5070 * promotion (i.e. u_char). This is asking for big trouble depending 5071 * on the architecture you are on... 5072 */ 5073 5074 static void 5075 sppp_auth_send(const struct cp *cp, struct sppp *sp, 5076 unsigned int type, unsigned int id, 5077 ...) 5078 { 5079 STDDCL; 5080 struct lcp_header *lh; 5081 struct mbuf *m; 5082 u_char *p; 5083 int len; 5084 size_t pkthdrlen; 5085 unsigned int mlen; 5086 const char *msg; 5087 va_list ap; 5088 5089 KASSERT(SPPP_WLOCKED(sp)); 5090 5091 MGETHDR(m, M_DONTWAIT, MT_DATA); 5092 if (! m) 5093 return; 5094 m_reset_rcvif(m); 5095 5096 if (sp->pp_flags & PP_NOFRAMING) { 5097 *mtod(m, uint16_t *) = htons(cp->proto); 5098 pkthdrlen = 2; 5099 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 5100 } else { 5101 struct ppp_header *h; 5102 h = mtod(m, struct ppp_header *); 5103 h->address = PPP_ALLSTATIONS; /* broadcast address */ 5104 h->control = PPP_UI; /* Unnumbered Info */ 5105 h->protocol = htons(cp->proto); 5106 pkthdrlen = PPP_HEADER_LEN; 5107 5108 lh = (struct lcp_header *)(h + 1); 5109 } 5110 5111 lh->type = type; 5112 lh->ident = id; 5113 p = (u_char *)(lh + 1); 5114 5115 va_start(ap, id); 5116 len = 0; 5117 5118 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 5119 msg = va_arg(ap, const char *); 5120 len += mlen; 5121 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 5122 va_end(ap); 5123 m_freem(m); 5124 return; 5125 } 5126 5127 memcpy(p, msg, mlen); 5128 p += mlen; 5129 } 5130 va_end(ap); 5131 5132 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 5133 lh->len = htons(LCP_HEADER_LEN + len); 5134 5135 if (debug) { 5136 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 5137 ifp->if_xname, cp->name, 5138 sppp_auth_type_name(cp->proto, lh->type), 5139 lh->ident, ntohs(lh->len)); 5140 if (len) 5141 sppp_print_bytes((u_char *)(lh + 1), len); 5142 addlog(">\n"); 5143 } 5144 if (IF_QFULL(&sp->pp_cpq)) { 5145 IF_DROP(&sp->pp_fastq); 5146 IF_DROP(&ifp->if_snd); 5147 m_freem(m); 5148 if_statinc(ifp, if_oerrors); 5149 return; 5150 } 5151 5152 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 5153 IF_ENQUEUE(&sp->pp_cpq, m); 5154 5155 if (! (ifp->if_flags & IFF_OACTIVE)) { 5156 SPPP_UNLOCK(sp); 5157 if_start_lock(ifp); 5158 SPPP_LOCK(sp, RW_WRITER); 5159 } 5160 } 5161 5162 /* 5163 * Send keepalive packets, every 10 seconds. 5164 */ 5165 static void 5166 sppp_keepalive(void *dummy) 5167 { 5168 struct sppp *sp; 5169 int s; 5170 time_t now; 5171 5172 SPPPQ_LOCK(); 5173 5174 s = splnet(); 5175 now = time_uptime; 5176 for (sp=spppq; sp; sp=sp->pp_next) { 5177 struct ifnet *ifp = NULL; 5178 5179 SPPP_LOCK(sp, RW_WRITER); 5180 ifp = &sp->pp_if; 5181 5182 /* check idle timeout */ 5183 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 5184 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 5185 /* idle timeout is enabled for this interface */ 5186 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 5187 if (ifp->if_flags & IFF_DEBUG) 5188 printf("%s: no activity for %lu seconds\n", 5189 sp->pp_if.if_xname, 5190 (unsigned long)(now-sp->pp_last_activity)); 5191 lcp.Close(sp); 5192 SPPP_UNLOCK(sp); 5193 continue; 5194 } 5195 } 5196 5197 /* Keepalive mode disabled or channel down? */ 5198 if (! (sp->pp_flags & PP_KEEPALIVE) || 5199 ! (ifp->if_flags & IFF_RUNNING)) { 5200 SPPP_UNLOCK(sp); 5201 continue; 5202 } 5203 5204 5205 /* No keepalive in PPP mode if LCP not opened yet. */ 5206 if (! (sp->pp_flags & PP_CISCO) && 5207 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) { 5208 SPPP_UNLOCK(sp); 5209 continue; 5210 } 5211 5212 /* No echo reply, but maybe user data passed through? */ 5213 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) { 5214 sp->pp_alivecnt = 0; 5215 SPPP_UNLOCK(sp); 5216 continue; 5217 } 5218 5219 if (sp->pp_alivecnt >= sp->pp_maxalive) { 5220 /* No keepalive packets got. Stop the interface. */ 5221 SPPP_UNLOCK(sp); 5222 if_down (ifp); 5223 SPPP_LOCK(sp, RW_WRITER); 5224 5225 IF_PURGE(&sp->pp_cpq); 5226 5227 if (! (sp->pp_flags & PP_CISCO)) { 5228 printf("%s: LCP keepalive timed out, going to restart the connection\n", 5229 ifp->if_xname); 5230 sp->pp_alivecnt = 0; 5231 5232 /* we are down, close all open protocols */ 5233 lcp.Close(sp); 5234 5235 /* And now prepare LCP to reestablish the link, if configured to do so. */ 5236 sppp_cp_change_state(&lcp, sp, STATE_STOPPED); 5237 5238 /* Close connection immediately, completition of this 5239 * will summon the magic needed to reestablish it. */ 5240 sppp_notify_tlf_wlocked(sp); 5241 5242 SPPP_UNLOCK(sp); 5243 continue; 5244 } 5245 } 5246 if (sp->pp_alivecnt < sp->pp_maxalive) 5247 ++sp->pp_alivecnt; 5248 if (sp->pp_flags & PP_CISCO) 5249 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 5250 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 5251 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 5252 int32_t nmagic = htonl(sp->lcp.magic); 5253 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 5254 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 5255 sp->lcp.echoid, 4, &nmagic); 5256 } 5257 5258 SPPP_UNLOCK(sp); 5259 } 5260 splx(s); 5261 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 5262 5263 SPPPQ_UNLOCK(); 5264 } 5265 5266 #ifdef INET 5267 /* 5268 * Get both IP addresses. 5269 */ 5270 static void 5271 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 5272 { 5273 struct ifnet *ifp = &sp->pp_if; 5274 struct ifaddr *ifa; 5275 struct sockaddr_in *si, *sm; 5276 uint32_t ssrc, ddst; 5277 int s; 5278 struct psref psref; 5279 5280 sm = NULL; 5281 ssrc = ddst = 0; 5282 /* 5283 * Pick the first AF_INET address from the list, 5284 * aliases don't make any sense on a p2p link anyway. 5285 */ 5286 si = 0; 5287 s = pserialize_read_enter(); 5288 IFADDR_READER_FOREACH(ifa, ifp) { 5289 if (ifa->ifa_addr->sa_family == AF_INET) { 5290 si = (struct sockaddr_in *)ifa->ifa_addr; 5291 sm = (struct sockaddr_in *)ifa->ifa_netmask; 5292 if (si) { 5293 ifa_acquire(ifa, &psref); 5294 break; 5295 } 5296 } 5297 } 5298 pserialize_read_exit(s); 5299 if (ifa) { 5300 if (si && si->sin_addr.s_addr) { 5301 ssrc = si->sin_addr.s_addr; 5302 if (srcmask) 5303 *srcmask = ntohl(sm->sin_addr.s_addr); 5304 } 5305 5306 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 5307 if (si && si->sin_addr.s_addr) 5308 ddst = si->sin_addr.s_addr; 5309 ifa_release(ifa, &psref); 5310 } 5311 5312 if (dst) *dst = ntohl(ddst); 5313 if (src) *src = ntohl(ssrc); 5314 } 5315 5316 /* 5317 * Set IP addresses. Must be called at splnet. 5318 * If an address is 0, leave it the way it is. 5319 */ 5320 static void 5321 sppp_set_ip_addrs_work(struct work *wk, struct sppp *sp) 5322 { 5323 STDDCL; 5324 struct ifaddr *ifa; 5325 struct sockaddr_in *si, *dest; 5326 uint32_t myaddr = 0, hisaddr = 0; 5327 int s; 5328 5329 IFNET_LOCK(ifp); 5330 5331 /* 5332 * Pick the first AF_INET address from the list, 5333 * aliases don't make any sense on a p2p link anyway. 5334 */ 5335 si = dest = NULL; 5336 s = pserialize_read_enter(); 5337 IFADDR_READER_FOREACH(ifa, ifp) { 5338 if (ifa->ifa_addr->sa_family == AF_INET) { 5339 si = (struct sockaddr_in *)ifa->ifa_addr; 5340 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5341 break; 5342 } 5343 } 5344 pserialize_read_exit(s); 5345 5346 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 5347 myaddr = sp->ipcp.req_myaddr; 5348 else if (si != NULL) 5349 myaddr = ntohl(si->sin_addr.s_addr); 5350 5351 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 5352 hisaddr = sp->ipcp.req_hisaddr; 5353 else if (dest != NULL) 5354 hisaddr = ntohl(dest->sin_addr.s_addr); 5355 5356 if (si != NULL && dest != NULL) { 5357 int error; 5358 struct sockaddr_in new_sin = *si; 5359 struct sockaddr_in new_dst = *dest; 5360 5361 if (myaddr != 0) 5362 new_sin.sin_addr.s_addr = htonl(myaddr); 5363 if (hisaddr != 0) { 5364 new_dst.sin_addr.s_addr = htonl(hisaddr); 5365 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) 5366 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 5367 } 5368 5369 in_addrhash_remove(ifatoia(ifa)); 5370 5371 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5372 5373 in_addrhash_insert(ifatoia(ifa)); 5374 5375 if (debug && error) 5376 { 5377 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5378 ifp->if_xname, __func__, error); 5379 } 5380 if (!error) { 5381 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5382 } 5383 } 5384 5385 if (ifp->if_mtu > sp->lcp.their_mru) { 5386 sp->pp_saved_mtu = ifp->if_mtu; 5387 ifp->if_mtu = sp->lcp.their_mru; 5388 if (debug) 5389 log(LOG_DEBUG, 5390 "%s: setting MTU to %" PRIu64 " bytes\n", 5391 ifp->if_xname, ifp->if_mtu); 5392 } 5393 5394 IFNET_UNLOCK(ifp); 5395 5396 sppp_notify_con(sp); 5397 } 5398 5399 static void 5400 sppp_set_ip_addrs(struct sppp *sp) 5401 { 5402 struct ifnet *ifp = &sp->pp_if; 5403 5404 if (!pcq_put(sp->ipcp.update_addrs_q, (void *)IPCP_SET_ADDRS)) { 5405 log(LOG_WARNING, "%s: cannot enqueued, ignore sppp_clear_ip_addrs\n", 5406 ifp->if_xname); 5407 return; 5408 } 5409 5410 if (atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1) == 1) 5411 return; 5412 5413 workqueue_enqueue(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk, NULL); 5414 } 5415 5416 /* 5417 * Clear IP addresses. Must be called at splnet. 5418 */ 5419 static void 5420 sppp_clear_ip_addrs_work(struct work *wk, struct sppp *sp) 5421 { 5422 STDDCL; 5423 struct ifaddr *ifa; 5424 struct sockaddr_in *si, *dest; 5425 int s; 5426 5427 IFNET_LOCK(ifp); 5428 5429 /* 5430 * Pick the first AF_INET address from the list, 5431 * aliases don't make any sense on a p2p link anyway. 5432 */ 5433 si = dest = NULL; 5434 s = pserialize_read_enter(); 5435 IFADDR_READER_FOREACH(ifa, ifp) { 5436 if (ifa->ifa_addr->sa_family == AF_INET) { 5437 si = (struct sockaddr_in *)ifa->ifa_addr; 5438 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5439 break; 5440 } 5441 } 5442 pserialize_read_exit(s); 5443 5444 if (si != NULL) { 5445 struct sockaddr_in new_sin = *si; 5446 struct sockaddr_in new_dst = *dest; 5447 int error; 5448 5449 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 5450 new_sin.sin_addr.s_addr = 0; 5451 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 5452 new_dst.sin_addr.s_addr = sp->ipcp.saved_hisaddr; 5453 5454 in_addrhash_remove(ifatoia(ifa)); 5455 5456 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5457 5458 in_addrhash_insert(ifatoia(ifa)); 5459 5460 if (debug && error) 5461 { 5462 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5463 ifp->if_xname, __func__, error); 5464 } 5465 if (!error) { 5466 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5467 } 5468 } 5469 5470 if (sp->pp_saved_mtu > 0) { 5471 ifp->if_mtu = sp->pp_saved_mtu; 5472 sp->pp_saved_mtu = 0; 5473 if (debug) 5474 log(LOG_DEBUG, 5475 "%s: resetting MTU to %" PRIu64 " bytes\n", 5476 ifp->if_xname, ifp->if_mtu); 5477 } 5478 5479 IFNET_UNLOCK(ifp); 5480 } 5481 5482 static void 5483 sppp_clear_ip_addrs(struct sppp *sp) 5484 { 5485 struct ifnet *ifp = &sp->pp_if; 5486 5487 if (!pcq_put(sp->ipcp.update_addrs_q, (void *)IPCP_CLEAR_ADDRS)) { 5488 log(LOG_WARNING, "%s: cannot enqueued, ignore sppp_clear_ip_addrs\n", 5489 ifp->if_xname); 5490 return; 5491 } 5492 5493 if (atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1) == 1) 5494 return; 5495 5496 workqueue_enqueue(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk, NULL); 5497 } 5498 5499 static void 5500 sppp_update_ip_addrs_work(struct work *wk, void *arg) 5501 { 5502 struct sppp *sp = arg; 5503 void *work; 5504 5505 atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 0); 5506 5507 while ((work = pcq_get(sp->ipcp.update_addrs_q)) != NULL) { 5508 int update = (intptr_t)work; 5509 5510 if (update == IPCP_SET_ADDRS) 5511 sppp_set_ip_addrs_work(wk, sp); 5512 else if (update == IPCP_CLEAR_ADDRS) 5513 sppp_clear_ip_addrs_work(wk, sp); 5514 } 5515 } 5516 #endif 5517 5518 #ifdef INET6 5519 /* 5520 * Get both IPv6 addresses. 5521 */ 5522 static void 5523 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 5524 struct in6_addr *srcmask) 5525 { 5526 struct ifnet *ifp = &sp->pp_if; 5527 struct ifaddr *ifa; 5528 struct sockaddr_in6 *si, *sm; 5529 struct in6_addr ssrc, ddst; 5530 int s; 5531 struct psref psref; 5532 5533 sm = NULL; 5534 memset(&ssrc, 0, sizeof(ssrc)); 5535 memset(&ddst, 0, sizeof(ddst)); 5536 /* 5537 * Pick the first link-local AF_INET6 address from the list, 5538 * aliases don't make any sense on a p2p link anyway. 5539 */ 5540 si = 0; 5541 s = pserialize_read_enter(); 5542 IFADDR_READER_FOREACH(ifa, ifp) { 5543 if (ifa->ifa_addr->sa_family == AF_INET6) { 5544 si = (struct sockaddr_in6 *)ifa->ifa_addr; 5545 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 5546 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) { 5547 ifa_acquire(ifa, &psref); 5548 break; 5549 } 5550 } 5551 } 5552 pserialize_read_exit(s); 5553 5554 if (ifa) { 5555 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 5556 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 5557 if (srcmask) { 5558 memcpy(srcmask, &sm->sin6_addr, 5559 sizeof(*srcmask)); 5560 } 5561 } 5562 5563 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 5564 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 5565 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 5566 ifa_release(ifa, &psref); 5567 } 5568 5569 if (dst) 5570 memcpy(dst, &ddst, sizeof(*dst)); 5571 if (src) 5572 memcpy(src, &ssrc, sizeof(*src)); 5573 } 5574 5575 #ifdef IPV6CP_MYIFID_DYN 5576 /* 5577 * Generate random ifid. 5578 */ 5579 static void 5580 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5581 { 5582 /* TBD */ 5583 } 5584 5585 /* 5586 * Set my IPv6 address. Must be called at splnet. 5587 */ 5588 static void 5589 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5590 { 5591 STDDCL; 5592 struct ifaddr *ifa; 5593 struct sockaddr_in6 *sin6; 5594 int s; 5595 struct psref psref; 5596 5597 IFNET_LOCK(ifp); 5598 5599 /* 5600 * Pick the first link-local AF_INET6 address from the list, 5601 * aliases don't make any sense on a p2p link anyway. 5602 */ 5603 5604 sin6 = NULL; 5605 s = pserialize_read_enter(); 5606 IFADDR_READER_FOREACH(ifa, ifp) 5607 { 5608 if (ifa->ifa_addr->sa_family == AF_INET6) 5609 { 5610 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5611 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) { 5612 ifa_acquire(ifa, &psref); 5613 break; 5614 } 5615 } 5616 } 5617 pserialize_read_exit(s); 5618 5619 if (ifa && sin6) 5620 { 5621 int error; 5622 struct sockaddr_in6 new_sin6 = *sin6; 5623 5624 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 5625 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5626 if (debug && error) 5627 { 5628 log(LOG_DEBUG, "%s: %s: in6_ifinit failed, error=%d\n", 5629 ifp->if_xname, __func__, error); 5630 } 5631 if (!error) { 5632 pfil_run_addrhooks(if_pfil, SIOCAIFADDR_IN6, ifa); 5633 } 5634 ifa_release(ifa, &psref); 5635 } 5636 5637 IFNET_UNLOCK(ifp); 5638 } 5639 #endif 5640 5641 /* 5642 * Suggest a candidate address to be used by peer. 5643 */ 5644 static void 5645 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5646 { 5647 struct in6_addr myaddr; 5648 struct timeval tv; 5649 5650 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5651 5652 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5653 microtime(&tv); 5654 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5655 myaddr.s6_addr[14] ^= 0xff; 5656 myaddr.s6_addr[15] ^= 0xff; 5657 } else { 5658 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5659 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5660 } 5661 if (suggest) 5662 memcpy(suggest, &myaddr, sizeof(myaddr)); 5663 } 5664 #endif /*INET6*/ 5665 5666 /* 5667 * Process ioctl requests specific to the PPP interface. 5668 * Permissions have already been checked. 5669 */ 5670 static int 5671 sppp_params(struct sppp *sp, u_long cmd, void *data) 5672 { 5673 switch (cmd) { 5674 case SPPPGETAUTHCFG: 5675 { 5676 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5677 int error; 5678 size_t len; 5679 5680 SPPP_LOCK(sp, RW_READER); 5681 5682 cfg->myauthflags = sp->myauth.flags; 5683 cfg->hisauthflags = sp->hisauth.flags; 5684 strlcpy(cfg->ifname, sp->pp_if.if_xname, sizeof(cfg->ifname)); 5685 cfg->hisauth = 0; 5686 if (sp->hisauth.proto) 5687 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5688 cfg->myauth = 0; 5689 if (sp->myauth.proto) 5690 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5691 if (cfg->myname_length == 0) { 5692 if (sp->myauth.name != NULL) 5693 cfg->myname_length = sp->myauth.name_len + 1; 5694 } else { 5695 if (sp->myauth.name == NULL) { 5696 cfg->myname_length = 0; 5697 } else { 5698 len = sp->myauth.name_len + 1; 5699 5700 5701 if (cfg->myname_length < len) { 5702 SPPP_UNLOCK(sp); 5703 return (ENAMETOOLONG); 5704 } 5705 error = copyout(sp->myauth.name, cfg->myname, len); 5706 if (error) { 5707 SPPP_UNLOCK(sp); 5708 return error; 5709 } 5710 } 5711 } 5712 if (cfg->hisname_length == 0) { 5713 if (sp->hisauth.name != NULL) 5714 cfg->hisname_length = sp->hisauth.name_len + 1; 5715 } else { 5716 if (sp->hisauth.name == NULL) { 5717 cfg->hisname_length = 0; 5718 } else { 5719 len = sp->hisauth.name_len + 1; 5720 5721 if (cfg->hisname_length < len) { 5722 SPPP_UNLOCK(sp); 5723 return (ENAMETOOLONG); 5724 } 5725 error = copyout(sp->hisauth.name, cfg->hisname, len); 5726 if (error) { 5727 SPPP_UNLOCK(sp); 5728 return error; 5729 } 5730 } 5731 } 5732 SPPP_UNLOCK(sp); 5733 } 5734 break; 5735 case SPPPSETAUTHCFG: 5736 { 5737 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5738 int error; 5739 5740 SPPP_LOCK(sp, RW_WRITER); 5741 5742 if (sp->myauth.name) { 5743 free(sp->myauth.name, M_DEVBUF); 5744 sp->myauth.name = NULL; 5745 } 5746 if (sp->myauth.secret) { 5747 free(sp->myauth.secret, M_DEVBUF); 5748 sp->myauth.secret = NULL; 5749 } 5750 if (sp->hisauth.name) { 5751 free(sp->hisauth.name, M_DEVBUF); 5752 sp->hisauth.name = NULL; 5753 } 5754 if (sp->hisauth.secret) { 5755 free(sp->hisauth.secret, M_DEVBUF); 5756 sp->hisauth.secret = NULL; 5757 } 5758 5759 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 5760 if (cfg->hisname_length >= MCLBYTES) { 5761 SPPP_UNLOCK(sp); 5762 return (ENAMETOOLONG); 5763 } 5764 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 5765 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 5766 if (error) { 5767 free(sp->hisauth.name, M_DEVBUF); 5768 sp->hisauth.name = NULL; 5769 SPPP_UNLOCK(sp); 5770 return error; 5771 } 5772 sp->hisauth.name_len = cfg->hisname_length - 1; 5773 sp->hisauth.name[sp->hisauth.name_len] = 0; 5774 } 5775 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 5776 if (cfg->hissecret_length >= MCLBYTES) { 5777 SPPP_UNLOCK(sp); 5778 return (ENAMETOOLONG); 5779 } 5780 sp->hisauth.secret = malloc(cfg->hissecret_length, 5781 M_DEVBUF, M_WAITOK); 5782 error = copyin(cfg->hissecret, sp->hisauth.secret, 5783 cfg->hissecret_length); 5784 if (error) { 5785 free(sp->hisauth.secret, M_DEVBUF); 5786 sp->hisauth.secret = NULL; 5787 SPPP_UNLOCK(sp); 5788 return error; 5789 } 5790 sp->hisauth.secret_len = cfg->hissecret_length - 1; 5791 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 5792 } 5793 if (cfg->myname != NULL && cfg->myname_length > 0) { 5794 if (cfg->myname_length >= MCLBYTES) { 5795 SPPP_UNLOCK(sp); 5796 return (ENAMETOOLONG); 5797 } 5798 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 5799 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 5800 if (error) { 5801 free(sp->myauth.name, M_DEVBUF); 5802 sp->myauth.name = NULL; 5803 SPPP_UNLOCK(sp); 5804 return error; 5805 } 5806 sp->myauth.name_len = cfg->myname_length - 1; 5807 sp->myauth.name[sp->myauth.name_len] = 0; 5808 } 5809 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 5810 if (cfg->mysecret_length >= MCLBYTES) { 5811 SPPP_UNLOCK(sp); 5812 return (ENAMETOOLONG); 5813 } 5814 sp->myauth.secret = malloc(cfg->mysecret_length, 5815 M_DEVBUF, M_WAITOK); 5816 error = copyin(cfg->mysecret, sp->myauth.secret, 5817 cfg->mysecret_length); 5818 if (error) { 5819 free(sp->myauth.secret, M_DEVBUF); 5820 sp->myauth.secret = NULL; 5821 SPPP_UNLOCK(sp); 5822 return error; 5823 } 5824 sp->myauth.secret_len = cfg->mysecret_length - 1; 5825 sp->myauth.secret[sp->myauth.secret_len] = 0; 5826 } 5827 sp->myauth.flags = cfg->myauthflags; 5828 if (cfg->myauth) 5829 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5830 sp->hisauth.flags = cfg->hisauthflags; 5831 if (cfg->hisauth) 5832 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5833 sp->pp_auth_failures = 0; 5834 if (sp->hisauth.proto != 0) 5835 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 5836 else 5837 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 5838 5839 SPPP_UNLOCK(sp); 5840 } 5841 break; 5842 case SPPPGETLCPCFG: 5843 { 5844 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5845 5846 SPPP_LOCK(sp, RW_READER); 5847 lcpp->lcp_timeout = sp->lcp.timeout; 5848 SPPP_UNLOCK(sp); 5849 } 5850 break; 5851 case SPPPSETLCPCFG: 5852 { 5853 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5854 5855 SPPP_LOCK(sp, RW_WRITER); 5856 sp->lcp.timeout = lcpp->lcp_timeout; 5857 SPPP_UNLOCK(sp); 5858 } 5859 break; 5860 case SPPPGETSTATUS: 5861 { 5862 struct spppstatus *status = (struct spppstatus *)data; 5863 5864 SPPP_LOCK(sp, RW_READER); 5865 status->phase = sp->pp_phase; 5866 SPPP_UNLOCK(sp); 5867 } 5868 break; 5869 case SPPPGETSTATUSNCP: 5870 { 5871 struct spppstatusncp *status = (struct spppstatusncp *)data; 5872 5873 SPPP_LOCK(sp, RW_READER); 5874 status->phase = sp->pp_phase; 5875 status->ncpup = sppp_ncp_check(sp); 5876 SPPP_UNLOCK(sp); 5877 } 5878 break; 5879 case SPPPGETIDLETO: 5880 { 5881 struct spppidletimeout *to = (struct spppidletimeout *)data; 5882 5883 SPPP_LOCK(sp, RW_READER); 5884 to->idle_seconds = sp->pp_idle_timeout; 5885 SPPP_UNLOCK(sp); 5886 } 5887 break; 5888 case SPPPSETIDLETO: 5889 { 5890 struct spppidletimeout *to = (struct spppidletimeout *)data; 5891 5892 SPPP_LOCK(sp, RW_WRITER); 5893 sp->pp_idle_timeout = to->idle_seconds; 5894 SPPP_UNLOCK(sp); 5895 } 5896 break; 5897 case SPPPSETAUTHFAILURE: 5898 { 5899 struct spppauthfailuresettings *afsettings = 5900 (struct spppauthfailuresettings *)data; 5901 5902 SPPP_LOCK(sp, RW_WRITER); 5903 sp->pp_max_auth_fail = afsettings->max_failures; 5904 sp->pp_auth_failures = 0; 5905 SPPP_UNLOCK(sp); 5906 } 5907 break; 5908 case SPPPGETAUTHFAILURES: 5909 { 5910 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 5911 5912 SPPP_LOCK(sp, RW_READER); 5913 stats->auth_failures = sp->pp_auth_failures; 5914 stats->max_failures = sp->pp_max_auth_fail; 5915 SPPP_UNLOCK(sp); 5916 } 5917 break; 5918 case SPPPSETDNSOPTS: 5919 { 5920 struct spppdnssettings *req = (struct spppdnssettings *)data; 5921 5922 SPPP_LOCK(sp, RW_WRITER); 5923 sp->query_dns = req->query_dns & 3; 5924 SPPP_UNLOCK(sp); 5925 } 5926 break; 5927 case SPPPGETDNSOPTS: 5928 { 5929 struct spppdnssettings *req = (struct spppdnssettings *)data; 5930 5931 SPPP_LOCK(sp, RW_READER); 5932 req->query_dns = sp->query_dns; 5933 SPPP_UNLOCK(sp); 5934 } 5935 break; 5936 case SPPPGETDNSADDRS: 5937 { 5938 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 5939 5940 SPPP_LOCK(sp, RW_READER); 5941 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 5942 SPPP_UNLOCK(sp); 5943 } 5944 break; 5945 case SPPPGETKEEPALIVE: 5946 { 5947 struct spppkeepalivesettings *settings = 5948 (struct spppkeepalivesettings*)data; 5949 5950 SPPP_LOCK(sp, RW_READER); 5951 settings->maxalive = sp->pp_maxalive; 5952 settings->max_noreceive = sp->pp_max_noreceive; 5953 SPPP_UNLOCK(sp); 5954 } 5955 break; 5956 case SPPPSETKEEPALIVE: 5957 { 5958 struct spppkeepalivesettings *settings = 5959 (struct spppkeepalivesettings*)data; 5960 5961 SPPP_LOCK(sp, RW_WRITER); 5962 sp->pp_maxalive = settings->maxalive; 5963 sp->pp_max_noreceive = settings->max_noreceive; 5964 SPPP_UNLOCK(sp); 5965 } 5966 break; 5967 default: 5968 { 5969 int ret; 5970 5971 MODULE_HOOK_CALL(sppp_params_50_hook, (sp, cmd, data), 5972 enosys(), ret); 5973 if (ret != ENOSYS) 5974 return ret; 5975 return (EINVAL); 5976 } 5977 } 5978 return (0); 5979 } 5980 5981 static void 5982 sppp_phase_network(struct sppp *sp) 5983 { 5984 int i; 5985 uint32_t mask; 5986 5987 KASSERT(SPPP_WLOCKED(sp)); 5988 5989 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 5990 5991 /* Notify NCPs now. */ 5992 for (i = 0; i < IDX_COUNT; i++) 5993 if ((cps[i])->flags & CP_NCP) 5994 (cps[i])->Open(sp); 5995 5996 /* Send Up events to all NCPs. */ 5997 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 5998 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) { 5999 (cps[i])->Up(sp); 6000 } 6001 6002 /* if no NCP is starting, all this was in vain, close down */ 6003 sppp_lcp_check_and_close(sp); 6004 } 6005 6006 6007 static const char * 6008 sppp_cp_type_name(u_char type) 6009 { 6010 static char buf[12]; 6011 switch (type) { 6012 case CONF_REQ: return "conf-req"; 6013 case CONF_ACK: return "conf-ack"; 6014 case CONF_NAK: return "conf-nak"; 6015 case CONF_REJ: return "conf-rej"; 6016 case TERM_REQ: return "term-req"; 6017 case TERM_ACK: return "term-ack"; 6018 case CODE_REJ: return "code-rej"; 6019 case PROTO_REJ: return "proto-rej"; 6020 case ECHO_REQ: return "echo-req"; 6021 case ECHO_REPLY: return "echo-reply"; 6022 case DISC_REQ: return "discard-req"; 6023 } 6024 snprintf(buf, sizeof(buf), "0x%x", type); 6025 return buf; 6026 } 6027 6028 static const char * 6029 sppp_auth_type_name(u_short proto, u_char type) 6030 { 6031 static char buf[32]; 6032 const char *name; 6033 6034 switch (proto) { 6035 case PPP_CHAP: 6036 switch (type) { 6037 case CHAP_CHALLENGE: return "challenge"; 6038 case CHAP_RESPONSE: return "response"; 6039 case CHAP_SUCCESS: return "success"; 6040 case CHAP_FAILURE: return "failure"; 6041 default: name = "chap"; break; 6042 } 6043 break; 6044 6045 case PPP_PAP: 6046 switch (type) { 6047 case PAP_REQ: return "req"; 6048 case PAP_ACK: return "ack"; 6049 case PAP_NAK: return "nak"; 6050 default: name = "pap"; break; 6051 } 6052 break; 6053 6054 default: 6055 name = "bad"; 6056 break; 6057 } 6058 6059 snprintf(buf, sizeof(buf), "%s(%#x) %#x", name, proto, type); 6060 return buf; 6061 } 6062 6063 static const char * 6064 sppp_lcp_opt_name(u_char opt) 6065 { 6066 static char buf[12]; 6067 switch (opt) { 6068 case LCP_OPT_MRU: return "mru"; 6069 case LCP_OPT_ASYNC_MAP: return "async-map"; 6070 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 6071 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 6072 case LCP_OPT_MAGIC: return "magic"; 6073 case LCP_OPT_PROTO_COMP: return "proto-comp"; 6074 case LCP_OPT_ADDR_COMP: return "addr-comp"; 6075 case LCP_OPT_SELF_DESC_PAD: return "sdpad"; 6076 case LCP_OPT_CALL_BACK: return "callback"; 6077 case LCP_OPT_COMPOUND_FRMS: return "cmpd-frms"; 6078 case LCP_OPT_MP_MRRU: return "mrru"; 6079 case LCP_OPT_MP_SSNHF: return "mp-ssnhf"; 6080 case LCP_OPT_MP_EID: return "mp-eid"; 6081 } 6082 snprintf(buf, sizeof(buf), "0x%x", opt); 6083 return buf; 6084 } 6085 6086 static const char * 6087 sppp_ipcp_opt_name(u_char opt) 6088 { 6089 static char buf[12]; 6090 switch (opt) { 6091 case IPCP_OPT_ADDRESSES: return "addresses"; 6092 case IPCP_OPT_COMPRESSION: return "compression"; 6093 case IPCP_OPT_ADDRESS: return "address"; 6094 } 6095 snprintf(buf, sizeof(buf), "0x%x", opt); 6096 return buf; 6097 } 6098 6099 #ifdef INET6 6100 static const char * 6101 sppp_ipv6cp_opt_name(u_char opt) 6102 { 6103 static char buf[12]; 6104 switch (opt) { 6105 case IPV6CP_OPT_IFID: return "ifid"; 6106 case IPV6CP_OPT_COMPRESSION: return "compression"; 6107 } 6108 snprintf(buf, sizeof(buf), "0x%x", opt); 6109 return buf; 6110 } 6111 #endif 6112 6113 static const char * 6114 sppp_state_name(int state) 6115 { 6116 switch (state) { 6117 case STATE_INITIAL: return "initial"; 6118 case STATE_STARTING: return "starting"; 6119 case STATE_CLOSED: return "closed"; 6120 case STATE_STOPPED: return "stopped"; 6121 case STATE_CLOSING: return "closing"; 6122 case STATE_STOPPING: return "stopping"; 6123 case STATE_REQ_SENT: return "req-sent"; 6124 case STATE_ACK_RCVD: return "ack-rcvd"; 6125 case STATE_ACK_SENT: return "ack-sent"; 6126 case STATE_OPENED: return "opened"; 6127 } 6128 return "illegal"; 6129 } 6130 6131 static const char * 6132 sppp_phase_name(int phase) 6133 { 6134 switch (phase) { 6135 case SPPP_PHASE_DEAD: return "dead"; 6136 case SPPP_PHASE_ESTABLISH: return "establish"; 6137 case SPPP_PHASE_TERMINATE: return "terminate"; 6138 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 6139 case SPPP_PHASE_NETWORK: return "network"; 6140 } 6141 return "illegal"; 6142 } 6143 6144 static const char * 6145 sppp_proto_name(u_short proto) 6146 { 6147 static char buf[12]; 6148 switch (proto) { 6149 case PPP_LCP: return "lcp"; 6150 case PPP_IPCP: return "ipcp"; 6151 case PPP_PAP: return "pap"; 6152 case PPP_CHAP: return "chap"; 6153 case PPP_IPV6CP: return "ipv6cp"; 6154 } 6155 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto); 6156 return buf; 6157 } 6158 6159 static void 6160 sppp_print_bytes(const u_char *p, u_short len) 6161 { 6162 addlog(" %02x", *p++); 6163 while (--len > 0) 6164 addlog("-%02x", *p++); 6165 } 6166 6167 static void 6168 sppp_print_string(const char *p, u_short len) 6169 { 6170 u_char c; 6171 6172 while (len-- > 0) { 6173 c = *p++; 6174 /* 6175 * Print only ASCII chars directly. RFC 1994 recommends 6176 * using only them, but we don't rely on it. */ 6177 if (c < ' ' || c > '~') 6178 addlog("\\x%x", c); 6179 else 6180 addlog("%c", c); 6181 } 6182 } 6183 6184 static const char * 6185 sppp_dotted_quad(uint32_t addr) 6186 { 6187 static char s[16]; 6188 snprintf(s, sizeof(s), "%d.%d.%d.%d", 6189 (int)((addr >> 24) & 0xff), 6190 (int)((addr >> 16) & 0xff), 6191 (int)((addr >> 8) & 0xff), 6192 (int)(addr & 0xff)); 6193 return s; 6194 } 6195 6196 /* a dummy, used to drop uninteresting events */ 6197 static void 6198 sppp_null(struct sppp *unused) 6199 { 6200 /* do just nothing */ 6201 } 6202 /* 6203 * This file is large. Tell emacs to highlight it nevertheless. 6204 * 6205 * Local Variables: 6206 * hilit-auto-highlight-maxout: 120000 6207 * End: 6208 */ 6209 6210 /* 6211 * Module glue 6212 */ 6213 MODULE(MODULE_CLASS_MISC, sppp_subr, NULL); 6214 6215 static int 6216 sppp_subr_modcmd(modcmd_t cmd, void *arg) 6217 { 6218 switch (cmd) { 6219 case MODULE_CMD_INIT: 6220 case MODULE_CMD_FINI: 6221 return 0; 6222 case MODULE_CMD_STAT: 6223 case MODULE_CMD_AUTOUNLOAD: 6224 default: 6225 return ENOTTY; 6226 } 6227 } 6228 6229 static void 6230 sppp_notify_up(struct sppp *sp) 6231 { 6232 6233 SPPP_LOCK(sp, RW_WRITER); 6234 lcp.Up(sp); 6235 SPPP_UNLOCK(sp); 6236 } 6237 6238 static void 6239 sppp_notify_down(struct sppp *sp) 6240 { 6241 6242 SPPP_LOCK(sp, RW_WRITER); 6243 lcp.Down(sp); 6244 SPPP_UNLOCK(sp); 6245 } 6246 6247 static void 6248 sppp_notify_tls_wlocked(struct sppp *sp) 6249 { 6250 6251 KASSERT(SPPP_WLOCKED(sp)); 6252 6253 if (!sp->pp_tls) 6254 return; 6255 6256 SPPP_UNLOCK(sp); 6257 sp->pp_tls(sp); 6258 SPPP_LOCK(sp, RW_WRITER); 6259 } 6260 6261 static void 6262 sppp_notify_tlf_wlocked(struct sppp *sp) 6263 { 6264 6265 KASSERT(SPPP_WLOCKED(sp)); 6266 6267 if (!sp->pp_tlf) 6268 return; 6269 6270 SPPP_UNLOCK(sp); 6271 sp->pp_tlf(sp); 6272 SPPP_LOCK(sp, RW_WRITER); 6273 } 6274 6275 static void 6276 sppp_notify_con(struct sppp *sp) 6277 { 6278 6279 if (!sp->pp_con) 6280 return; 6281 6282 sp->pp_con(sp); 6283 } 6284 6285 #ifdef INET6 6286 static void 6287 sppp_notify_con_wlocked(struct sppp *sp) 6288 { 6289 6290 KASSERT(SPPP_WLOCKED(sp)); 6291 6292 SPPP_UNLOCK(sp); 6293 sppp_notify_con(sp); 6294 SPPP_LOCK(sp, RW_WRITER); 6295 6296 } 6297 #endif 6298 6299 static void 6300 sppp_notify_chg_wlocked(struct sppp *sp) 6301 { 6302 6303 KASSERT(SPPP_WLOCKED(sp)); 6304 6305 if (!sp->pp_chg) 6306 return; 6307 6308 SPPP_UNLOCK(sp); 6309 sp->pp_chg(sp, sp->pp_phase); 6310 SPPP_LOCK(sp, RW_WRITER); 6311 } 6312
Indexes created Thu Oct 16 14:10:15 GMT 2025