if_spppsubr.c revision 1.187.2.4
1 /* $NetBSD: if_spppsubr.c,v 1.187.2.4 2020/04/10 17:28:37 is Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak (at) cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun (at) iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.187.2.4 2020/04/10 17:28:37 is Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_modular.h" 49 #include "opt_compat_netbsd.h" 50 #include "opt_net_mpsafe.h" 51 #endif 52 53 54 #include <sys/param.h> 55 #include <sys/proc.h> 56 #include <sys/systm.h> 57 #include <sys/kernel.h> 58 #include <sys/sockio.h> 59 #include <sys/socket.h> 60 #include <sys/syslog.h> 61 #include <sys/malloc.h> 62 #include <sys/mbuf.h> 63 #include <sys/callout.h> 64 #include <sys/md5.h> 65 #include <sys/inttypes.h> 66 #include <sys/kauth.h> 67 #include <sys/cprng.h> 68 #include <sys/module.h> 69 #include <sys/workqueue.h> 70 #include <sys/atomic.h> 71 #include <sys/compat_stub.h> 72 73 #include <net/if.h> 74 #include <net/netisr.h> 75 #include <net/if_types.h> 76 #include <net/route.h> 77 #include <net/ppp_defs.h> 78 79 #include <netinet/in.h> 80 #include <netinet/in_systm.h> 81 #include <netinet/in_var.h> 82 #ifdef INET 83 #include <netinet/ip.h> 84 #include <netinet/tcp.h> 85 #endif 86 #include <net/ethertypes.h> 87 88 #ifdef INET6 89 #include <netinet6/scope6_var.h> 90 #endif 91 92 #include <net/if_sppp.h> 93 #include <net/if_spppvar.h> 94 95 #ifdef NET_MPSAFE 96 #define SPPPSUBR_MPSAFE 1 97 #endif 98 99 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 100 #define LOOPALIVECNT 3 /* loopback detection tries */ 101 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 102 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 103 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 104 105 /* 106 * Interface flags that can be set in an ifconfig command. 107 * 108 * Setting link0 will make the link passive, i.e. it will be marked 109 * as being administrative openable, but won't be opened to begin 110 * with. Incoming calls will be answered, or subsequent calls with 111 * -link1 will cause the administrative open of the LCP layer. 112 * 113 * Setting link1 will cause the link to auto-dial only as packets 114 * arrive to be sent. 115 * 116 * Setting IFF_DEBUG will syslog the option negotiation and state 117 * transitions at level kern.debug. Note: all logs consistently look 118 * like 119 * 120 * <if-name><unit>: <proto-name> <additional info...> 121 * 122 * with <if-name><unit> being something like "bppp0", and <proto-name> 123 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 124 */ 125 126 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 127 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 128 129 #define CONF_REQ 1 /* PPP configure request */ 130 #define CONF_ACK 2 /* PPP configure acknowledge */ 131 #define CONF_NAK 3 /* PPP configure negative ack */ 132 #define CONF_REJ 4 /* PPP configure reject */ 133 #define TERM_REQ 5 /* PPP terminate request */ 134 #define TERM_ACK 6 /* PPP terminate acknowledge */ 135 #define CODE_REJ 7 /* PPP code reject */ 136 #define PROTO_REJ 8 /* PPP protocol reject */ 137 #define ECHO_REQ 9 /* PPP echo request */ 138 #define ECHO_REPLY 10 /* PPP echo reply */ 139 #define DISC_REQ 11 /* PPP discard request */ 140 141 #define LCP_OPT_MRU 1 /* maximum receive unit */ 142 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 143 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 144 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 145 #define LCP_OPT_MAGIC 5 /* magic number */ 146 #define LCP_OPT_RESERVED 6 /* reserved */ 147 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 148 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 149 #define LCP_OPT_FCS_ALTS 9 /* FCS alternatives */ 150 #define LCP_OPT_SELF_DESC_PAD 10 /* self-describing padding */ 151 #define LCP_OPT_CALL_BACK 13 /* callback */ 152 #define LCP_OPT_COMPOUND_FRMS 15 /* compound frames */ 153 #define LCP_OPT_MP_MRRU 17 /* multilink MRRU */ 154 #define LCP_OPT_MP_SSNHF 18 /* multilink short seq. numbers */ 155 #define LCP_OPT_MP_EID 19 /* multilink endpoint discriminator */ 156 157 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 158 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 159 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 160 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 161 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 162 163 #define IPCP_UPDATE_LIMIT 8 /* limit of pending IP updating job */ 164 #define IPCP_SET_ADDRS 1 /* marker for IP address setting job */ 165 #define IPCP_CLEAR_ADDRS 2 /* marker for IP address clearing job */ 166 167 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 168 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 169 170 #define PAP_REQ 1 /* PAP name/password request */ 171 #define PAP_ACK 2 /* PAP acknowledge */ 172 #define PAP_NAK 3 /* PAP fail */ 173 174 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 175 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 176 #define CHAP_SUCCESS 3 /* CHAP response ok */ 177 #define CHAP_FAILURE 4 /* CHAP response failed */ 178 179 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 180 181 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 182 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 183 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 184 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 185 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 186 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 187 188 /* states are named and numbered according to RFC 1661 */ 189 #define STATE_INITIAL 0 190 #define STATE_STARTING 1 191 #define STATE_CLOSED 2 192 #define STATE_STOPPED 3 193 #define STATE_CLOSING 4 194 #define STATE_STOPPING 5 195 #define STATE_REQ_SENT 6 196 #define STATE_ACK_RCVD 7 197 #define STATE_ACK_SENT 8 198 #define STATE_OPENED 9 199 200 struct ppp_header { 201 uint8_t address; 202 uint8_t control; 203 uint16_t protocol; 204 } __packed; 205 #define PPP_HEADER_LEN sizeof (struct ppp_header) 206 207 struct lcp_header { 208 uint8_t type; 209 uint8_t ident; 210 uint16_t len; 211 } __packed; 212 #define LCP_HEADER_LEN sizeof (struct lcp_header) 213 214 struct cisco_packet { 215 uint32_t type; 216 uint32_t par1; 217 uint32_t par2; 218 uint16_t rel; 219 uint16_t time0; 220 uint16_t time1; 221 } __packed; 222 #define CISCO_PACKET_LEN 18 223 224 /* 225 * We follow the spelling and capitalization of RFC 1661 here, to make 226 * it easier comparing with the standard. Please refer to this RFC in 227 * case you can't make sense out of these abbreviation; it will also 228 * explain the semantics related to the various events and actions. 229 */ 230 struct cp { 231 u_short proto; /* PPP control protocol number */ 232 u_char protoidx; /* index into state table in struct sppp */ 233 u_char flags; 234 #define CP_LCP 0x01 /* this is the LCP */ 235 #define CP_AUTH 0x02 /* this is an authentication protocol */ 236 #define CP_NCP 0x04 /* this is a NCP */ 237 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 238 const char *name; /* name of this control protocol */ 239 /* event handlers */ 240 void (*Up)(struct sppp *sp); 241 void (*Down)(struct sppp *sp); 242 void (*Open)(struct sppp *sp); 243 void (*Close)(struct sppp *sp); 244 void (*TO)(void *sp); 245 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 246 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 247 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 248 /* actions */ 249 void (*tlu)(struct sppp *sp); 250 void (*tld)(struct sppp *sp); 251 void (*tls)(struct sppp *sp); 252 void (*tlf)(struct sppp *sp); 253 void (*scr)(struct sppp *sp); 254 }; 255 256 static struct sppp *spppq; 257 static kmutex_t *spppq_lock = NULL; 258 static callout_t keepalive_ch; 259 260 #define SPPPQ_LOCK() if (spppq_lock) \ 261 mutex_enter(spppq_lock); 262 #define SPPPQ_UNLOCK() if (spppq_lock) \ 263 mutex_exit(spppq_lock); 264 265 #define SPPP_LOCK(_sp, _op) rw_enter(&(_sp)->pp_lock, (_op)) 266 #define SPPP_UNLOCK(_sp) rw_exit(&(_sp)->pp_lock) 267 #define SPPP_WLOCKED(_sp) rw_write_held(&(_sp)->pp_lock) 268 #define SPPP_UPGRADE(_sp) do{ \ 269 SPPP_UNLOCK(_sp); \ 270 SPPP_LOCK(_sp, RW_WRITER); \ 271 }while (0) 272 #define SPPP_DOWNGRADE(_sp) rw_downgrade(&(_sp)->pp_lock) 273 274 #ifdef INET 275 #ifndef SPPPSUBR_MPSAFE 276 /* 277 * The following disgusting hack gets around the problem that IP TOS 278 * can't be set yet. We want to put "interactive" traffic on a high 279 * priority queue. To decide if traffic is interactive, we check that 280 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 281 * 282 * XXX is this really still necessary? - joerg - 283 */ 284 static u_short interactive_ports[8] = { 285 0, 513, 0, 0, 286 0, 21, 0, 23, 287 }; 288 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 289 #endif /* SPPPSUBR_MPSAFE */ 290 #endif 291 292 /* almost every function needs these */ 293 #define STDDCL \ 294 struct ifnet *ifp = &sp->pp_if; \ 295 int debug = ifp->if_flags & IFF_DEBUG 296 297 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 298 const struct sockaddr *dst, const struct rtentry *rt); 299 300 static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2); 301 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 302 303 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 304 struct mbuf *m); 305 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 306 u_char ident, u_short len, void *data); 307 /* static void sppp_cp_timeout(void *arg); */ 308 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 309 int newstate); 310 static void sppp_auth_send(const struct cp *cp, 311 struct sppp *sp, unsigned int type, unsigned int id, 312 ...); 313 314 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 315 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 316 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 317 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 318 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 319 320 static void sppp_null(struct sppp *sp); 321 322 static void sppp_lcp_init(struct sppp *sp); 323 static void sppp_lcp_up(struct sppp *sp); 324 static void sppp_lcp_down(struct sppp *sp); 325 static void sppp_lcp_open(struct sppp *sp); 326 static void sppp_lcp_close(struct sppp *sp); 327 static void sppp_lcp_TO(void *sp); 328 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 329 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 330 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 331 static void sppp_lcp_tlu(struct sppp *sp); 332 static void sppp_lcp_tld(struct sppp *sp); 333 static void sppp_lcp_tls(struct sppp *sp); 334 static void sppp_lcp_tlf(struct sppp *sp); 335 static void sppp_lcp_scr(struct sppp *sp); 336 static void sppp_lcp_check_and_close(struct sppp *sp); 337 static int sppp_ncp_check(struct sppp *sp); 338 339 static struct mbuf *sppp_ml_defrag(struct sppp *sp, struct mbuf *m, 340 u_int16_t *protocolp); 341 342 static void sppp_ipcp_init(struct sppp *sp); 343 static void sppp_ipcp_up(struct sppp *sp); 344 static void sppp_ipcp_down(struct sppp *sp); 345 static void sppp_ipcp_open(struct sppp *sp); 346 static void sppp_ipcp_close(struct sppp *sp); 347 static void sppp_ipcp_TO(void *sp); 348 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 349 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 350 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 351 static void sppp_ipcp_tlu(struct sppp *sp); 352 static void sppp_ipcp_tld(struct sppp *sp); 353 static void sppp_ipcp_tls(struct sppp *sp); 354 static void sppp_ipcp_tlf(struct sppp *sp); 355 static void sppp_ipcp_scr(struct sppp *sp); 356 357 static void sppp_ipv6cp_init(struct sppp *sp); 358 static void sppp_ipv6cp_up(struct sppp *sp); 359 static void sppp_ipv6cp_down(struct sppp *sp); 360 static void sppp_ipv6cp_open(struct sppp *sp); 361 static void sppp_ipv6cp_close(struct sppp *sp); 362 static void sppp_ipv6cp_TO(void *sp); 363 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 364 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 365 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 366 static void sppp_ipv6cp_tlu(struct sppp *sp); 367 static void sppp_ipv6cp_tld(struct sppp *sp); 368 static void sppp_ipv6cp_tls(struct sppp *sp); 369 static void sppp_ipv6cp_tlf(struct sppp *sp); 370 static void sppp_ipv6cp_scr(struct sppp *sp); 371 372 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 373 static void sppp_pap_init(struct sppp *sp); 374 static void sppp_pap_open(struct sppp *sp); 375 static void sppp_pap_close(struct sppp *sp); 376 static void sppp_pap_TO(void *sp); 377 static void sppp_pap_my_TO(void *sp); 378 static void sppp_pap_tlu(struct sppp *sp); 379 static void sppp_pap_tld(struct sppp *sp); 380 static void sppp_pap_scr(struct sppp *sp); 381 382 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 383 static void sppp_chap_init(struct sppp *sp); 384 static void sppp_chap_open(struct sppp *sp); 385 static void sppp_chap_close(struct sppp *sp); 386 static void sppp_chap_TO(void *sp); 387 static void sppp_chap_tlu(struct sppp *sp); 388 static void sppp_chap_tld(struct sppp *sp); 389 static void sppp_chap_scr(struct sppp *sp); 390 391 static const char *sppp_auth_type_name(u_short proto, u_char type); 392 static const char *sppp_cp_type_name(u_char type); 393 static const char *sppp_dotted_quad(uint32_t addr); 394 static const char *sppp_ipcp_opt_name(u_char opt); 395 #ifdef INET6 396 static const char *sppp_ipv6cp_opt_name(u_char opt); 397 #endif 398 static const char *sppp_lcp_opt_name(u_char opt); 399 static const char *sppp_phase_name(int phase); 400 static const char *sppp_proto_name(u_short proto); 401 static const char *sppp_state_name(int state); 402 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 403 #ifdef INET 404 static void sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, 405 uint32_t *srcmask); 406 static void sppp_set_ip_addrs_work(struct work *wk, struct sppp *sp); 407 static void sppp_set_ip_addrs(struct sppp *sp); 408 static void sppp_clear_ip_addrs_work(struct work *wk, struct sppp *sp); 409 static void sppp_clear_ip_addrs(struct sppp *sp); 410 static void sppp_update_ip_addrs_work(struct work *wk, void *arg); 411 #endif 412 static void sppp_keepalive(void *dummy); 413 static void sppp_phase_network(struct sppp *sp); 414 static void sppp_print_bytes(const u_char *p, u_short len); 415 static void sppp_print_string(const char *p, u_short len); 416 #ifdef INET6 417 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 418 struct in6_addr *dst, struct in6_addr *srcmask); 419 #ifdef IPV6CP_MYIFID_DYN 420 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 421 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 422 #endif 423 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 424 #endif 425 426 static void sppp_notify_up(struct sppp *); 427 static void sppp_notify_down(struct sppp *); 428 static void sppp_notify_tls_wlocked(struct sppp *); 429 static void sppp_notify_tlf_wlocked(struct sppp *); 430 #ifdef INET6 431 static void sppp_notify_con_wlocked(struct sppp *); 432 #endif 433 static void sppp_notify_con(struct sppp *); 434 435 static void sppp_notify_chg_wlocked(struct sppp *); 436 437 438 /* our control protocol descriptors */ 439 static const struct cp lcp = { 440 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 441 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 442 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 443 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 444 sppp_lcp_scr 445 }; 446 447 static const struct cp ipcp = { 448 PPP_IPCP, IDX_IPCP, 449 #ifdef INET 450 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 451 #else 452 0, 453 #endif 454 "ipcp", 455 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 456 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 457 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 458 sppp_ipcp_scr 459 }; 460 461 static const struct cp ipv6cp = { 462 PPP_IPV6CP, IDX_IPV6CP, 463 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 464 CP_NCP, 465 #else 466 0, 467 #endif 468 "ipv6cp", 469 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 470 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 471 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 472 sppp_ipv6cp_scr 473 }; 474 475 static const struct cp pap = { 476 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 477 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 478 sppp_pap_TO, 0, 0, 0, 479 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 480 sppp_pap_scr 481 }; 482 483 static const struct cp chap = { 484 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 485 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 486 sppp_chap_TO, 0, 0, 0, 487 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 488 sppp_chap_scr 489 }; 490 491 static const struct cp *cps[IDX_COUNT] = { 492 &lcp, /* IDX_LCP */ 493 &ipcp, /* IDX_IPCP */ 494 &ipv6cp, /* IDX_IPV6CP */ 495 &pap, /* IDX_PAP */ 496 &chap, /* IDX_CHAP */ 497 }; 498 499 static void 500 sppp_change_phase(struct sppp *sp, int phase) 501 { 502 STDDCL; 503 504 KASSERT(SPPP_WLOCKED(sp)); 505 506 if (sp->pp_phase == phase) 507 return; 508 509 sp->pp_phase = phase; 510 511 if (phase == SPPP_PHASE_NETWORK) 512 if_link_state_change(ifp, LINK_STATE_UP); 513 else 514 if_link_state_change(ifp, LINK_STATE_DOWN); 515 516 if (debug) 517 { 518 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 519 sppp_phase_name(sp->pp_phase)); 520 } 521 } 522 523 524 /* 525 * Defragment an MP packet. 526 * 527 * Returns NULL or an assembled packet or the original, 528 * and adjusts the passed protocol to the inner one. 529 * 530 * Called with and returns a packet without PPP header, 531 * but with MP fragment header. 532 * 533 * Called and returns with lock held. 534 */ 535 static struct mbuf * 536 sppp_ml_defrag(struct sppp *sp, struct mbuf *m, u_int16_t *protocolp) 537 { 538 u_int8_t *p; 539 u_int8_t flags; 540 u_int32_t seqid; 541 u_int16_t protocol; 542 u_int16_t *m_protop; 543 int newflen; 544 545 if (*protocolp != PPP_MP) 546 return m; /* not ours */ 547 548 if (sp->lcp.mrru == 0) 549 return m; /* 550 * ours, but we're not ready. 551 * sppp_input will arrange for rejection. 552 */ 553 554 if (m->m_len < 4) { 555 m = m_pullup(m, 4); 556 if (m == NULL) { 557 if_statadd2(ifp, if_ierrors, 1, if_iqdrops, 1); 558 return NULL; 559 } 560 } 561 p = mtod(m, u_int8_t *); 562 flags = *p; 563 seqid = (p[1]<<16) + (p[2]<<8) + p[3]; 564 565 m_adj(m, 4); 566 567 /* We're manipulating the defragmentation state below: */ 568 SPPP_UPGRADE(sp); 569 570 if (flags & 0x80) { 571 /* Beginning fragment. */ 572 sp->lcp.ml_seq_expected=seqid+1; /* next expected */ 573 574 /* TODO: if prefix, count dropped? */ 575 576 m_freem(sp->lcp.ml_prefix); 577 sp->lcp.ml_prefix = m; 578 579 } else if (seqid == sp->lcp.ml_seq_expected) { 580 sp->lcp.ml_seq_expected=seqid+1; /* next expected */ 581 if (sp->lcp.ml_prefix == 0) { 582 /* didn't see B frame. */ 583 /* TODO: count as dropped. */ 584 m_freem(m); 585 return NULL; 586 } 587 /* 588 * m_cat might free the first mbuf (with pkthdr) 589 * in 2nd chain; therefore: 590 */ 591 newflen = m->m_pkthdr.len; 592 m_cat(sp->lcp.ml_prefix, m); 593 lcp.ml_prefix->m_pkthdr.len += newflen; 594 595 } else { 596 /* 597 * sequence error. 598 * 599 * For now, only drop this fragment, and don't touch state- 600 * might be from the long past or future, and we could still 601 * finish our current prefix. 602 * 603 * TODO: count as dropped. 604 */ 605 m_freem(sp->lcp.ml_prefix); 606 return NULL; 607 } 608 /* Successfully got the Beginning or appended a non-B packet.*/ 609 if (flags & 0x40) { 610 /* B/next was E packet. Unwrap gift and deliver. */ 611 m = sp->lcp.ml_prefix; 612 sp->lcp.ml_prefix = NULL; 613 614 if (m->m_len < 2) { 615 m = m_pullup(m,2) 616 if (m == NULL) { 617 * TODO: count as dropped. 618 return NULL; 619 } 620 } 621 /* RFC 1990 2.: don't assume no protocol field compression */ 622 p = mtod(m, u_int8_t); 623 protocol = *p; 624 625 if (protocol & 1) { 626 m_adj(m, 1); 627 } else { 628 protocol = (protocol << 8) + p[1]; 629 m_adj(m, 2); 630 } 631 *protocolp = protocol; 632 633 return m; 634 } 635 636 return NULL; 637 } 638 639 640 /* 641 * Exported functions, comprising our interface to the lower layer. 642 */ 643 644 /* 645 * Process the received packet. 646 */ 647 void 648 sppp_input(struct ifnet *ifp, struct mbuf *m) 649 { 650 struct ppp_header *h = NULL; 651 pktqueue_t *pktq = NULL; 652 struct ifqueue *inq = NULL; 653 uint16_t protocol; 654 struct sppp *sp = (struct sppp *)ifp; 655 int debug = ifp->if_flags & IFF_DEBUG; 656 int isr = 0; 657 658 SPPP_LOCK(sp, RW_READER); 659 660 if (ifp->if_flags & IFF_UP) { 661 /* Count received bytes, add hardware framing */ 662 if_statadd(ifp, if_ibytes, m->m_pkthdr.len + sp->pp_framebytes); 663 /* Note time of last receive */ 664 sp->pp_last_receive = time_uptime; 665 } 666 667 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 668 /* Too small packet, drop it. */ 669 if (debug) 670 log(LOG_DEBUG, 671 "%s: input packet is too small, %d bytes\n", 672 ifp->if_xname, m->m_pkthdr.len); 673 drop: 674 if_statadd2(ifp, if_ierrors, 1, if_iqdrops, 1); 675 m_freem(m); 676 SPPP_UNLOCK(sp); 677 return; 678 } 679 680 if (sp->pp_flags & PP_NOFRAMING) { 681 memcpy(&protocol, mtod(m, void *), 2); 682 protocol = ntohs(protocol); 683 m_adj(m, 2); 684 } else { 685 686 /* Get PPP header. */ 687 h = mtod(m, struct ppp_header *); 688 m_adj(m, PPP_HEADER_LEN); 689 690 switch (h->address) { 691 case PPP_ALLSTATIONS: 692 if (h->control != PPP_UI) 693 goto invalid; 694 if (sp->pp_flags & PP_CISCO) { 695 if (debug) 696 log(LOG_DEBUG, 697 "%s: PPP packet in Cisco mode " 698 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 699 ifp->if_xname, 700 h->address, h->control, ntohs(h->protocol)); 701 goto drop; 702 } 703 break; 704 case CISCO_MULTICAST: 705 case CISCO_UNICAST: 706 /* Don't check the control field here (RFC 1547). */ 707 if (! (sp->pp_flags & PP_CISCO)) { 708 if (debug) 709 log(LOG_DEBUG, 710 "%s: Cisco packet in PPP mode " 711 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 712 ifp->if_xname, 713 h->address, h->control, ntohs(h->protocol)); 714 goto drop; 715 } 716 switch (ntohs(h->protocol)) { 717 default: 718 if_statinc(ifp, if_noproto); 719 goto invalid; 720 case CISCO_KEEPALIVE: 721 SPPP_UNLOCK(sp); 722 sppp_cisco_input((struct sppp *) ifp, m); 723 m_freem(m); 724 return; 725 #ifdef INET 726 case ETHERTYPE_IP: 727 pktq = ip_pktq; 728 break; 729 #endif 730 #ifdef INET6 731 case ETHERTYPE_IPV6: 732 pktq = ip6_pktq; 733 break; 734 #endif 735 } 736 goto queue_pkt; 737 default: /* Invalid PPP packet. */ 738 invalid: 739 if (debug) 740 log(LOG_DEBUG, 741 "%s: invalid input packet " 742 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 743 ifp->if_xname, 744 h->address, h->control, ntohs(h->protocol)); 745 goto drop; 746 } 747 protocol = ntohs(h->protocol); 748 } 749 750 m = sppp_ml_defrag(sp, m, &protocol); 751 if (m == 0) { 752 SPPP_UNLOCK(sp); 753 return; 754 } 755 756 switch (protocol) { 757 default: 758 if (sp->state[IDX_LCP] == STATE_OPENED) { 759 uint16_t prot = htons(protocol); 760 761 SPPP_UPGRADE(sp); 762 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 763 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 764 &prot); 765 SPPP_DOWNGRADE(sp); 766 } 767 if (debug) 768 log(LOG_DEBUG, 769 "%s: invalid input protocol " 770 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol)); 771 if_statinc(ifp, if_noproto); 772 goto drop; 773 case PPP_LCP: 774 SPPP_UNLOCK(sp); 775 sppp_cp_input(&lcp, sp, m); 776 m_freem(m); 777 return; 778 case PPP_PAP: 779 SPPP_UNLOCK(sp); 780 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 781 sppp_pap_input(sp, m); 782 } 783 m_freem(m); 784 return; 785 case PPP_CHAP: 786 SPPP_UNLOCK(sp); 787 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 788 sppp_chap_input(sp, m); 789 } 790 m_freem(m); 791 return; 792 #ifdef INET 793 case PPP_IPCP: 794 SPPP_UNLOCK(sp); 795 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 796 sppp_cp_input(&ipcp, sp, m); 797 } 798 m_freem(m); 799 return; 800 case PPP_IP: 801 if (sp->state[IDX_IPCP] == STATE_OPENED) { 802 sp->pp_last_activity = time_uptime; 803 pktq = ip_pktq; 804 } 805 break; 806 #endif 807 #ifdef INET6 808 case PPP_IPV6CP: 809 SPPP_UNLOCK(sp); 810 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 811 sppp_cp_input(&ipv6cp, sp, m); 812 } 813 m_freem(m); 814 return; 815 816 case PPP_IPV6: 817 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 818 sp->pp_last_activity = time_uptime; 819 pktq = ip6_pktq; 820 } 821 break; 822 #endif 823 } 824 825 queue_pkt: 826 if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) { 827 goto drop; 828 } 829 830 /* Check queue. */ 831 if (__predict_true(pktq)) { 832 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 833 goto drop; 834 } 835 SPPP_UNLOCK(sp); 836 return; 837 } 838 839 SPPP_UNLOCK(sp); 840 841 IFQ_LOCK(inq); 842 if (IF_QFULL(inq)) { 843 /* Queue overflow. */ 844 IF_DROP(inq); 845 IFQ_UNLOCK(inq); 846 if (debug) 847 log(LOG_DEBUG, "%s: protocol queue overflow\n", 848 ifp->if_xname); 849 850 SPPP_LOCK(sp, RW_READER); 851 goto drop; 852 } 853 IF_ENQUEUE(inq, m); 854 IFQ_UNLOCK(inq); 855 schednetisr(isr); 856 } 857 858 /* 859 * Enqueue transmit packet. 860 */ 861 static int 862 sppp_output(struct ifnet *ifp, struct mbuf *m, 863 const struct sockaddr *dst, const struct rtentry *rt) 864 { 865 struct sppp *sp = (struct sppp *) ifp; 866 struct ppp_header *h = NULL; 867 #ifndef SPPPSUBR_MPSAFE 868 struct ifqueue *ifq = NULL; /* XXX */ 869 #endif 870 int s, error = 0; 871 uint16_t protocol; 872 size_t pktlen; 873 874 s = splnet(); 875 SPPP_LOCK(sp, RW_READER); 876 877 sp->pp_last_activity = time_uptime; 878 879 if ((ifp->if_flags & IFF_UP) == 0 || 880 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 881 SPPP_UNLOCK(sp); 882 splx(s); 883 884 m_freem(m); 885 886 return (ENETDOWN); 887 } 888 889 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 890 /* 891 * Interface is not yet running, but auto-dial. Need 892 * to start LCP for it. 893 */ 894 ifp->if_flags |= IFF_RUNNING; 895 896 SPPP_UNLOCK(sp); 897 splx(s); 898 899 SPPP_LOCK(sp, RW_WRITER); 900 lcp.Open(sp); 901 SPPP_UNLOCK(sp); 902 903 s = splnet(); 904 SPPP_LOCK(sp, RW_READER); 905 } 906 907 /* 908 * If the queueing discipline needs packet classification, 909 * do it before prepending link headers. 910 */ 911 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family); 912 913 #ifdef INET 914 if (dst->sa_family == AF_INET) { 915 struct ip *ip = NULL; 916 #ifndef SPPPSUBR_MPSAFE 917 struct tcphdr *th = NULL; 918 #endif 919 920 if (m->m_len >= sizeof(struct ip)) { 921 ip = mtod(m, struct ip *); 922 #ifndef SPPPSUBR_MPSAFE 923 if (ip->ip_p == IPPROTO_TCP && 924 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 925 sizeof(struct tcphdr)) { 926 th = (struct tcphdr *) 927 ((char *)ip + (ip->ip_hl << 2)); 928 } 929 #endif 930 } else 931 ip = NULL; 932 933 /* 934 * When using dynamic local IP address assignment by using 935 * 0.0.0.0 as a local address, the first TCP session will 936 * not connect because the local TCP checksum is computed 937 * using 0.0.0.0 which will later become our real IP address 938 * so the TCP checksum computed at the remote end will 939 * become invalid. So we 940 * - don't let packets with src ip addr 0 thru 941 * - we flag TCP packets with src ip 0 as an error 942 */ 943 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 944 uint8_t proto = ip->ip_p; 945 946 SPPP_UNLOCK(sp); 947 splx(s); 948 949 m_freem(m); 950 if (proto == IPPROTO_TCP) 951 return (EADDRNOTAVAIL); 952 else 953 return (0); 954 } 955 956 #ifndef SPPPSUBR_MPSAFE 957 /* 958 * Put low delay, telnet, rlogin and ftp control packets 959 * in front of the queue. 960 */ 961 if (!IF_QFULL(&sp->pp_fastq) && 962 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 963 (th && (INTERACTIVE(ntohs(th->th_sport)) || 964 INTERACTIVE(ntohs(th->th_dport)))))) 965 ifq = &sp->pp_fastq; 966 #endif /* !SPPPSUBR_MPSAFE */ 967 } 968 #endif 969 970 #ifdef INET6 971 if (dst->sa_family == AF_INET6) { 972 /* XXX do something tricky here? */ 973 } 974 #endif 975 976 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 977 /* 978 * Prepend general data packet PPP header. For now, IP only. 979 */ 980 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 981 if (! m) { 982 if (ifp->if_flags & IFF_DEBUG) 983 log(LOG_DEBUG, "%s: no memory for transmit header\n", 984 ifp->if_xname); 985 if_statinc(ifp, if_oerrors); 986 SPPP_UNLOCK(sp); 987 splx(s); 988 return (ENOBUFS); 989 } 990 /* 991 * May want to check size of packet 992 * (albeit due to the implementation it's always enough) 993 */ 994 h = mtod(m, struct ppp_header *); 995 if (sp->pp_flags & PP_CISCO) { 996 h->address = CISCO_UNICAST; /* unicast address */ 997 h->control = 0; 998 } else { 999 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1000 h->control = PPP_UI; /* Unnumbered Info */ 1001 } 1002 } 1003 1004 switch (dst->sa_family) { 1005 #ifdef INET 1006 case AF_INET: /* Internet Protocol */ 1007 if (sp->pp_flags & PP_CISCO) 1008 protocol = htons(ETHERTYPE_IP); 1009 else { 1010 /* 1011 * Don't choke with an ENETDOWN early. It's 1012 * possible that we just started dialing out, 1013 * so don't drop the packet immediately. If 1014 * we notice that we run out of buffer space 1015 * below, we will however remember that we are 1016 * not ready to carry IP packets, and return 1017 * ENETDOWN, as opposed to ENOBUFS. 1018 */ 1019 protocol = htons(PPP_IP); 1020 if (sp->state[IDX_IPCP] != STATE_OPENED) 1021 error = ENETDOWN; 1022 } 1023 break; 1024 #endif 1025 #ifdef INET6 1026 case AF_INET6: /* Internet Protocol version 6 */ 1027 if (sp->pp_flags & PP_CISCO) 1028 protocol = htons(ETHERTYPE_IPV6); 1029 else { 1030 /* 1031 * Don't choke with an ENETDOWN early. It's 1032 * possible that we just started dialing out, 1033 * so don't drop the packet immediately. If 1034 * we notice that we run out of buffer space 1035 * below, we will however remember that we are 1036 * not ready to carry IP packets, and return 1037 * ENETDOWN, as opposed to ENOBUFS. 1038 */ 1039 protocol = htons(PPP_IPV6); 1040 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 1041 error = ENETDOWN; 1042 } 1043 break; 1044 #endif 1045 default: 1046 m_freem(m); 1047 if_statinc(ifp, if_oerrors); 1048 SPPP_UNLOCK(sp); 1049 splx(s); 1050 return (EAFNOSUPPORT); 1051 } 1052 1053 if (sp->pp_flags & PP_NOFRAMING) { 1054 M_PREPEND(m, 2, M_DONTWAIT); 1055 if (m == NULL) { 1056 if (ifp->if_flags & IFF_DEBUG) 1057 log(LOG_DEBUG, "%s: no memory for transmit header\n", 1058 ifp->if_xname); 1059 if_statinc(ifp, if_oerrors); 1060 SPPP_UNLOCK(sp); 1061 splx(s); 1062 return (ENOBUFS); 1063 } 1064 *mtod(m, uint16_t *) = protocol; 1065 } else { 1066 h->protocol = protocol; 1067 } 1068 1069 pktlen = m->m_pkthdr.len; 1070 #ifdef SPPPSUBR_MPSAFE 1071 SPPP_UNLOCK(sp); 1072 error = if_transmit_lock(ifp, m); 1073 SPPP_LOCK(sp, RW_READER); 1074 if (error == 0) 1075 if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes); 1076 #else /* !SPPPSUBR_MPSAFE */ 1077 error = ifq_enqueue2(ifp, ifq, m); 1078 1079 if (error == 0) { 1080 /* 1081 * Count output packets and bytes. 1082 * The packet length includes header + additional hardware 1083 * framing according to RFC 1333. 1084 */ 1085 if (!(ifp->if_flags & IFF_OACTIVE)) { 1086 SPPP_UNLOCK(sp); 1087 if_start_lock(ifp); 1088 SPPP_LOCK(sp, RW_READER); 1089 } 1090 if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes); 1091 } 1092 #endif /* !SPPPSUBR_MPSAFE */ 1093 SPPP_UNLOCK(sp); 1094 splx(s); 1095 return error; 1096 } 1097 1098 static int 1099 sppp_mediachange(struct ifnet *ifp) 1100 { 1101 1102 return (0); 1103 } 1104 1105 static void 1106 sppp_mediastatus(struct ifnet *ifp, struct ifmediareq *imr) 1107 { 1108 int link_state; 1109 1110 link_state = atomic_load_relaxed(&ifp->if_link_state); 1111 switch (link_state) { 1112 case LINK_STATE_UP: 1113 imr->ifm_status = IFM_AVALID | IFM_ACTIVE; 1114 break; 1115 case LINK_STATE_DOWN: 1116 imr->ifm_status = IFM_AVALID; 1117 break; 1118 default: 1119 /* Should be impossible as we set link state down in attach. */ 1120 imr->ifm_status = 0; 1121 break; 1122 } 1123 } 1124 1125 void 1126 sppp_attach(struct ifnet *ifp) 1127 { 1128 struct sppp *sp = (struct sppp *) ifp; 1129 1130 /* Initialize keepalive handler. */ 1131 if (! spppq) { 1132 callout_init(&keepalive_ch, CALLOUT_MPSAFE); 1133 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 1134 } 1135 1136 if (! spppq_lock) 1137 spppq_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_SOFTNET); 1138 1139 /* Insert new entry into the keepalive list. */ 1140 sp->pp_next = spppq; 1141 spppq = sp; 1142 1143 sp->pp_if.if_type = IFT_PPP; 1144 sp->pp_if.if_output = sppp_output; 1145 sp->pp_fastq.ifq_maxlen = 32; 1146 sp->pp_cpq.ifq_maxlen = 20; 1147 sp->pp_loopcnt = 0; 1148 sp->pp_alivecnt = 0; 1149 sp->pp_last_activity = 0; 1150 sp->pp_last_receive = 0; 1151 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 1152 sp->pp_max_noreceive = DEFAULT_NORECV_TIME; 1153 sp->pp_idle_timeout = 0; 1154 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq)); 1155 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq)); 1156 sp->pp_auth_failures = 0; 1157 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 1158 sp->pp_phase = SPPP_PHASE_DEAD; 1159 sp->pp_up = sppp_notify_up; 1160 sp->pp_down = sppp_notify_down; 1161 rw_init(&sp->pp_lock); 1162 1163 if_alloc_sadl(ifp); 1164 1165 /* Lets not beat about the bush, we know we're down. */ 1166 ifp->if_link_state = LINK_STATE_DOWN; 1167 /* There is no media for PPP, but it's needed to report link status. */ 1168 ifmedia_init(&sp->pp_im, 0, sppp_mediachange, sppp_mediastatus); 1169 1170 memset(&sp->myauth, 0, sizeof sp->myauth); 1171 memset(&sp->hisauth, 0, sizeof sp->hisauth); 1172 SPPP_LOCK(sp, RW_WRITER); 1173 sppp_lcp_init(sp); 1174 sppp_ipcp_init(sp); 1175 sppp_ipv6cp_init(sp); 1176 sppp_pap_init(sp); 1177 sppp_chap_init(sp); 1178 SPPP_UNLOCK(sp); 1179 } 1180 1181 void 1182 sppp_detach(struct ifnet *ifp) 1183 { 1184 struct sppp **q, *p, *sp = (struct sppp *) ifp; 1185 1186 /* Remove the entry from the keepalive list. */ 1187 SPPPQ_LOCK(); 1188 for (q = &spppq; (p = *q); q = &p->pp_next) 1189 if (p == sp) { 1190 *q = p->pp_next; 1191 break; 1192 } 1193 SPPPQ_UNLOCK(); 1194 1195 if (! spppq) { 1196 /* Stop keepalive handler. */ 1197 callout_stop(&keepalive_ch); 1198 mutex_obj_free(spppq_lock); 1199 spppq_lock = NULL; 1200 } 1201 1202 SPPP_LOCK(sp, RW_WRITER); 1203 1204 /* to avoid workqueue enqueued */ 1205 atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1); 1206 workqueue_wait(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk); 1207 workqueue_destroy(sp->ipcp.update_addrs_wq); 1208 pcq_destroy(sp->ipcp.update_addrs_q); 1209 1210 callout_stop(&sp->ch[IDX_LCP]); 1211 callout_stop(&sp->ch[IDX_IPCP]); 1212 callout_stop(&sp->ch[IDX_PAP]); 1213 callout_stop(&sp->ch[IDX_CHAP]); 1214 #ifdef INET6 1215 callout_stop(&sp->ch[IDX_IPV6CP]); 1216 #endif 1217 callout_stop(&sp->pap_my_to_ch); 1218 1219 /* free authentication info */ 1220 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 1221 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 1222 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 1223 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 1224 SPPP_UNLOCK(sp); 1225 rw_destroy(&sp->pp_lock); 1226 1227 ifmedia_fini(&sp->pp_im); 1228 } 1229 1230 /* 1231 * Flush the interface output queue. 1232 */ 1233 void 1234 sppp_flush(struct ifnet *ifp) 1235 { 1236 struct sppp *sp = (struct sppp *) ifp; 1237 1238 SPPP_LOCK(sp, RW_WRITER); 1239 IFQ_PURGE(&sp->pp_if.if_snd); 1240 IF_PURGE(&sp->pp_fastq); 1241 IF_PURGE(&sp->pp_cpq); 1242 SPPP_UNLOCK(sp); 1243 } 1244 1245 /* 1246 * Check if the output queue is empty. 1247 */ 1248 int 1249 sppp_isempty(struct ifnet *ifp) 1250 { 1251 struct sppp *sp = (struct sppp *) ifp; 1252 int empty, s; 1253 1254 s = splnet(); 1255 SPPP_LOCK(sp, RW_READER); 1256 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 1257 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 1258 SPPP_UNLOCK(sp); 1259 splx(s); 1260 return (empty); 1261 } 1262 1263 /* 1264 * Get next packet to send. 1265 */ 1266 struct mbuf * 1267 sppp_dequeue(struct ifnet *ifp) 1268 { 1269 struct sppp *sp = (struct sppp *) ifp; 1270 struct mbuf *m; 1271 int s; 1272 1273 s = splnet(); 1274 SPPP_LOCK(sp, RW_WRITER); 1275 /* 1276 * Process only the control protocol queue until we have at 1277 * least one NCP open. 1278 * 1279 * Do always serve all three queues in Cisco mode. 1280 */ 1281 IF_DEQUEUE(&sp->pp_cpq, m); 1282 if (m == NULL && 1283 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) { 1284 IF_DEQUEUE(&sp->pp_fastq, m); 1285 if (m == NULL) 1286 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 1287 } 1288 SPPP_UNLOCK(sp); 1289 splx(s); 1290 return m; 1291 } 1292 1293 /* 1294 * Process an ioctl request. Called on low priority level. 1295 */ 1296 int 1297 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1298 { 1299 struct lwp *l = curlwp; /* XXX */ 1300 struct ifreq *ifr = (struct ifreq *) data; 1301 struct ifaddr *ifa = (struct ifaddr *) data; 1302 struct sppp *sp = (struct sppp *) ifp; 1303 int s, error=0, going_up, going_down; 1304 u_short newmode; 1305 1306 s = splnet(); 1307 switch (cmd) { 1308 case SIOCINITIFADDR: 1309 ifa->ifa_rtrequest = p2p_rtrequest; 1310 break; 1311 1312 case SIOCSIFFLAGS: 1313 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1314 break; 1315 1316 SPPP_LOCK(sp, RW_WRITER); 1317 going_up = ifp->if_flags & IFF_UP && 1318 (ifp->if_flags & IFF_RUNNING) == 0; 1319 going_down = (ifp->if_flags & IFF_UP) == 0 && 1320 ifp->if_flags & IFF_RUNNING; 1321 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1322 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1323 /* sanity */ 1324 newmode = IFF_PASSIVE; 1325 ifp->if_flags &= ~IFF_AUTO; 1326 } 1327 1328 if (going_up || going_down) { 1329 lcp.Close(sp); 1330 } 1331 if (going_up && newmode == 0) { 1332 /* neither auto-dial nor passive */ 1333 ifp->if_flags |= IFF_RUNNING; 1334 if (!(sp->pp_flags & PP_CISCO)) 1335 lcp.Open(sp); 1336 } else if (going_down) { 1337 SPPP_UNLOCK(sp); 1338 sppp_flush(ifp); 1339 SPPP_LOCK(sp, RW_WRITER); 1340 1341 ifp->if_flags &= ~IFF_RUNNING; 1342 } 1343 SPPP_UNLOCK(sp); 1344 break; 1345 1346 case SIOCSIFMTU: 1347 if (ifr->ifr_mtu < PPP_MINMRU || 1348 ifr->ifr_mtu > sp->lcp.their_mru) { 1349 error = EINVAL; 1350 break; 1351 } 1352 /*FALLTHROUGH*/ 1353 case SIOCGIFMTU: 1354 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1355 error = 0; 1356 break; 1357 case SIOCADDMULTI: 1358 case SIOCDELMULTI: 1359 break; 1360 1361 case SPPPSETAUTHCFG: 1362 case SPPPSETLCPCFG: 1363 case SPPPSETIDLETO: 1364 case SPPPSETAUTHFAILURE: 1365 case SPPPSETDNSOPTS: 1366 case SPPPSETKEEPALIVE: 1367 #if defined(COMPAT_50) || defined(MODULAR) 1368 case __SPPPSETIDLETO50: 1369 case __SPPPSETKEEPALIVE50: 1370 #endif /* COMPAT_50 || MODULAR */ 1371 error = kauth_authorize_network(l->l_cred, 1372 KAUTH_NETWORK_INTERFACE, 1373 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1374 NULL); 1375 if (error) 1376 break; 1377 error = sppp_params(sp, cmd, data); 1378 break; 1379 1380 case SPPPGETAUTHCFG: 1381 case SPPPGETLCPCFG: 1382 case SPPPGETAUTHFAILURES: 1383 error = kauth_authorize_network(l->l_cred, 1384 KAUTH_NETWORK_INTERFACE, 1385 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1386 NULL); 1387 if (error) 1388 break; 1389 error = sppp_params(sp, cmd, data); 1390 break; 1391 1392 case SPPPGETSTATUS: 1393 case SPPPGETSTATUSNCP: 1394 case SPPPGETIDLETO: 1395 case SPPPGETDNSOPTS: 1396 case SPPPGETDNSADDRS: 1397 case SPPPGETKEEPALIVE: 1398 #if defined(COMPAT_50) || defined(MODULAR) 1399 case __SPPPGETIDLETO50: 1400 case __SPPPGETKEEPALIVE50: 1401 #endif /* COMPAT_50 || MODULAR */ 1402 error = sppp_params(sp, cmd, data); 1403 break; 1404 1405 case SIOCGIFMEDIA: 1406 error = ifmedia_ioctl(ifp, ifr, &sp->pp_im, cmd); 1407 break; 1408 1409 default: 1410 error = ifioctl_common(ifp, cmd, data); 1411 break; 1412 } 1413 splx(s); 1414 return (error); 1415 } 1416 1417 1418 /* 1419 * Cisco framing implementation. 1420 */ 1421 1422 /* 1423 * Handle incoming Cisco keepalive protocol packets. 1424 */ 1425 static void 1426 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1427 { 1428 STDDCL; 1429 struct cisco_packet *h; 1430 #ifdef INET 1431 uint32_t me, mymask = 0; /* XXX: GCC */ 1432 #endif 1433 1434 SPPP_LOCK(sp, RW_WRITER); 1435 1436 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1437 if (debug) 1438 log(LOG_DEBUG, 1439 "%s: cisco invalid packet length: %d bytes\n", 1440 ifp->if_xname, m->m_pkthdr.len); 1441 SPPP_UNLOCK(sp); 1442 return; 1443 } 1444 h = mtod(m, struct cisco_packet *); 1445 if (debug) 1446 log(LOG_DEBUG, 1447 "%s: cisco input: %d bytes " 1448 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1449 ifp->if_xname, m->m_pkthdr.len, 1450 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1451 (u_int)h->time0, (u_int)h->time1); 1452 switch (ntohl(h->type)) { 1453 default: 1454 if (debug) 1455 addlog("%s: cisco unknown packet type: 0x%x\n", 1456 ifp->if_xname, ntohl(h->type)); 1457 break; 1458 case CISCO_ADDR_REPLY: 1459 /* Reply on address request, ignore */ 1460 break; 1461 case CISCO_KEEPALIVE_REQ: 1462 sp->pp_alivecnt = 0; 1463 sp->pp_rseq[IDX_LCP] = ntohl(h->par1); 1464 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1465 /* Local and remote sequence numbers are equal. 1466 * Probably, the line is in loopback mode. */ 1467 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1468 printf ("%s: loopback\n", 1469 ifp->if_xname); 1470 sp->pp_loopcnt = 0; 1471 if (ifp->if_flags & IFF_UP) { 1472 SPPP_UNLOCK(sp); 1473 if_down(ifp); 1474 SPPP_LOCK(sp, RW_WRITER); 1475 1476 IF_PURGE(&sp->pp_cpq); 1477 } 1478 } 1479 ++sp->pp_loopcnt; 1480 1481 /* Generate new local sequence number */ 1482 sp->pp_seq[IDX_LCP] = cprng_fast32(); 1483 break; 1484 } 1485 sp->pp_loopcnt = 0; 1486 if (! (ifp->if_flags & IFF_UP) && 1487 (ifp->if_flags & IFF_RUNNING)) { 1488 SPPP_UNLOCK(sp); 1489 if_up(ifp); 1490 SPPP_LOCK(sp, RW_WRITER); 1491 } 1492 break; 1493 case CISCO_ADDR_REQ: 1494 #ifdef INET 1495 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1496 if (me != 0L) 1497 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1498 #endif 1499 break; 1500 } 1501 SPPP_UNLOCK(sp); 1502 } 1503 1504 /* 1505 * Send Cisco keepalive packet. 1506 */ 1507 static void 1508 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1509 { 1510 STDDCL; 1511 struct ppp_header *h; 1512 struct cisco_packet *ch; 1513 struct mbuf *m; 1514 uint32_t t; 1515 1516 KASSERT(SPPP_WLOCKED(sp)); 1517 1518 t = time_uptime * 1000; 1519 MGETHDR(m, M_DONTWAIT, MT_DATA); 1520 if (! m) 1521 return; 1522 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1523 m_reset_rcvif(m); 1524 1525 h = mtod(m, struct ppp_header *); 1526 h->address = CISCO_MULTICAST; 1527 h->control = 0; 1528 h->protocol = htons(CISCO_KEEPALIVE); 1529 1530 ch = (struct cisco_packet *)(h + 1); 1531 ch->type = htonl(type); 1532 ch->par1 = htonl(par1); 1533 ch->par2 = htonl(par2); 1534 ch->rel = -1; 1535 1536 ch->time0 = htons((u_short)(t >> 16)); 1537 ch->time1 = htons((u_short) t); 1538 1539 if (debug) 1540 log(LOG_DEBUG, 1541 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1542 ifp->if_xname, ntohl(ch->type), ch->par1, 1543 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1544 (u_int)ch->time1); 1545 1546 if (IF_QFULL(&sp->pp_cpq)) { 1547 IF_DROP(&sp->pp_fastq); 1548 IF_DROP(&ifp->if_snd); 1549 m_freem(m); 1550 if_statinc(ifp, if_oerrors); 1551 return; 1552 } 1553 1554 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 1555 IF_ENQUEUE(&sp->pp_cpq, m); 1556 1557 if (! (ifp->if_flags & IFF_OACTIVE)) { 1558 SPPP_UNLOCK(sp); 1559 if_start_lock(ifp); 1560 SPPP_LOCK(sp, RW_WRITER); 1561 } 1562 } 1563 1564 /* 1565 * PPP protocol implementation. 1566 */ 1567 1568 /* 1569 * Send PPP control protocol packet. 1570 */ 1571 static void 1572 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1573 u_char ident, u_short len, void *data) 1574 { 1575 STDDCL; 1576 struct lcp_header *lh; 1577 struct mbuf *m; 1578 size_t pkthdrlen; 1579 1580 KASSERT(SPPP_WLOCKED(sp)); 1581 1582 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1583 1584 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1585 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1586 MGETHDR(m, M_DONTWAIT, MT_DATA); 1587 if (! m) { 1588 return; 1589 } 1590 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1591 m_reset_rcvif(m); 1592 1593 if (sp->pp_flags & PP_NOFRAMING) { 1594 *mtod(m, uint16_t *) = htons(proto); 1595 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1596 } else { 1597 struct ppp_header *h; 1598 h = mtod(m, struct ppp_header *); 1599 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1600 h->control = PPP_UI; /* Unnumbered Info */ 1601 h->protocol = htons(proto); /* Link Control Protocol */ 1602 lh = (struct lcp_header *)(h + 1); 1603 } 1604 lh->type = type; 1605 lh->ident = ident; 1606 lh->len = htons(LCP_HEADER_LEN + len); 1607 if (len) 1608 memcpy(lh + 1, data, len); 1609 1610 if (debug) { 1611 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1612 ifp->if_xname, 1613 sppp_proto_name(proto), 1614 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len)); 1615 if (len) 1616 sppp_print_bytes((u_char *)(lh + 1), len); 1617 addlog(">\n"); 1618 } 1619 if (IF_QFULL(&sp->pp_cpq)) { 1620 IF_DROP(&sp->pp_fastq); 1621 IF_DROP(&ifp->if_snd); 1622 m_freem(m); 1623 if_statinc(ifp, if_oerrors); 1624 return; 1625 } 1626 1627 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 1628 IF_ENQUEUE(&sp->pp_cpq, m); 1629 1630 1631 if (! (ifp->if_flags & IFF_OACTIVE)) { 1632 SPPP_UNLOCK(sp); 1633 if_start_lock(ifp); 1634 SPPP_LOCK(sp, RW_WRITER); 1635 } 1636 } 1637 1638 /* 1639 * Handle incoming PPP control protocol packets. 1640 */ 1641 static void 1642 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1643 { 1644 STDDCL; 1645 struct lcp_header *h; 1646 int printlen, len = m->m_pkthdr.len; 1647 int rv; 1648 u_char *p; 1649 uint32_t u32; 1650 1651 SPPP_LOCK(sp, RW_WRITER); 1652 1653 if (len < 4) { 1654 if (debug) 1655 log(LOG_DEBUG, 1656 "%s: %s invalid packet length: %d bytes\n", 1657 ifp->if_xname, cp->name, len); 1658 SPPP_UNLOCK(sp); 1659 return; 1660 } 1661 h = mtod(m, struct lcp_header *); 1662 if (debug) { 1663 printlen = ntohs(h->len); 1664 log(LOG_DEBUG, 1665 "%s: %s input(%s): <%s id=0x%x len=%d", 1666 ifp->if_xname, cp->name, 1667 sppp_state_name(sp->state[cp->protoidx]), 1668 sppp_cp_type_name(h->type), h->ident, printlen); 1669 if (len < printlen) 1670 printlen = len; 1671 if (printlen > 4) 1672 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1673 addlog(">\n"); 1674 } 1675 if (len > ntohs(h->len)) 1676 len = ntohs(h->len); 1677 p = (u_char *)(h + 1); 1678 switch (h->type) { 1679 case CONF_REQ: 1680 if (len < 4) { 1681 if (debug) 1682 addlog("%s: %s invalid conf-req length %d\n", 1683 ifp->if_xname, cp->name, 1684 len); 1685 if_statinc(ifp, if_ierrors); 1686 break; 1687 } 1688 /* handle states where RCR doesn't get a SCA/SCN */ 1689 switch (sp->state[cp->protoidx]) { 1690 case STATE_CLOSING: 1691 case STATE_STOPPING: 1692 SPPP_UNLOCK(sp); 1693 return; 1694 case STATE_CLOSED: 1695 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1696 0, 0); 1697 SPPP_UNLOCK(sp); 1698 return; 1699 } 1700 rv = (cp->RCR)(sp, h, len); 1701 if (rv < 0) { 1702 /* fatal error, shut down */ 1703 (cp->tld)(sp); 1704 sppp_lcp_tlf(sp); 1705 SPPP_UNLOCK(sp); 1706 return; 1707 } 1708 switch (sp->state[cp->protoidx]) { 1709 case STATE_OPENED: 1710 (cp->tld)(sp); 1711 (cp->scr)(sp); 1712 /* fall through... */ 1713 case STATE_ACK_SENT: 1714 case STATE_REQ_SENT: 1715 sppp_cp_change_state(cp, sp, rv? 1716 STATE_ACK_SENT: STATE_REQ_SENT); 1717 break; 1718 case STATE_STOPPED: 1719 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1720 (cp->scr)(sp); 1721 sppp_cp_change_state(cp, sp, rv? 1722 STATE_ACK_SENT: STATE_REQ_SENT); 1723 break; 1724 case STATE_ACK_RCVD: 1725 if (rv) { 1726 sppp_cp_change_state(cp, sp, STATE_OPENED); 1727 if (debug) 1728 log(LOG_DEBUG, "%s: %s tlu\n", 1729 ifp->if_xname, 1730 cp->name); 1731 (cp->tlu)(sp); 1732 } else 1733 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1734 break; 1735 default: 1736 printf("%s: %s illegal %s in state %s\n", 1737 ifp->if_xname, cp->name, 1738 sppp_cp_type_name(h->type), 1739 sppp_state_name(sp->state[cp->protoidx])); 1740 if_statinc(ifp, if_ierrors); 1741 } 1742 break; 1743 case CONF_ACK: 1744 if (h->ident != sp->confid[cp->protoidx]) { 1745 if (debug) 1746 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1747 ifp->if_xname, cp->name, 1748 h->ident, sp->confid[cp->protoidx]); 1749 if_statinc(ifp, if_ierrors); 1750 break; 1751 } 1752 switch (sp->state[cp->protoidx]) { 1753 case STATE_CLOSED: 1754 case STATE_STOPPED: 1755 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1756 break; 1757 case STATE_CLOSING: 1758 case STATE_STOPPING: 1759 break; 1760 case STATE_REQ_SENT: 1761 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1762 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1763 break; 1764 case STATE_OPENED: 1765 (cp->tld)(sp); 1766 /* fall through */ 1767 case STATE_ACK_RCVD: 1768 (cp->scr)(sp); 1769 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1770 break; 1771 case STATE_ACK_SENT: 1772 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1773 sppp_cp_change_state(cp, sp, STATE_OPENED); 1774 if (debug) 1775 log(LOG_DEBUG, "%s: %s tlu\n", 1776 ifp->if_xname, cp->name); 1777 (cp->tlu)(sp); 1778 break; 1779 default: 1780 printf("%s: %s illegal %s in state %s\n", 1781 ifp->if_xname, cp->name, 1782 sppp_cp_type_name(h->type), 1783 sppp_state_name(sp->state[cp->protoidx])); 1784 if_statinc(ifp, if_ierrors); 1785 } 1786 break; 1787 case CONF_NAK: 1788 case CONF_REJ: 1789 if (h->ident != sp->confid[cp->protoidx]) { 1790 if (debug) 1791 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1792 ifp->if_xname, cp->name, 1793 h->ident, sp->confid[cp->protoidx]); 1794 if_statinc(ifp, if_ierrors); 1795 break; 1796 } 1797 if (h->type == CONF_NAK) 1798 (cp->RCN_nak)(sp, h, len); 1799 else /* CONF_REJ */ 1800 (cp->RCN_rej)(sp, h, len); 1801 1802 switch (sp->state[cp->protoidx]) { 1803 case STATE_CLOSED: 1804 case STATE_STOPPED: 1805 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1806 break; 1807 case STATE_REQ_SENT: 1808 case STATE_ACK_SENT: 1809 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1810 (cp->scr)(sp); 1811 break; 1812 case STATE_OPENED: 1813 (cp->tld)(sp); 1814 /* fall through */ 1815 case STATE_ACK_RCVD: 1816 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 1817 (cp->scr)(sp); 1818 break; 1819 case STATE_CLOSING: 1820 case STATE_STOPPING: 1821 break; 1822 default: 1823 printf("%s: %s illegal %s in state %s\n", 1824 ifp->if_xname, cp->name, 1825 sppp_cp_type_name(h->type), 1826 sppp_state_name(sp->state[cp->protoidx])); 1827 if_statinc(ifp, if_ierrors); 1828 } 1829 break; 1830 1831 case TERM_REQ: 1832 switch (sp->state[cp->protoidx]) { 1833 case STATE_ACK_RCVD: 1834 case STATE_ACK_SENT: 1835 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1836 /* fall through */ 1837 case STATE_CLOSED: 1838 case STATE_STOPPED: 1839 case STATE_CLOSING: 1840 case STATE_STOPPING: 1841 case STATE_REQ_SENT: 1842 sta: 1843 /* Send Terminate-Ack packet. */ 1844 if (debug) 1845 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 1846 ifp->if_xname, cp->name); 1847 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1848 break; 1849 case STATE_OPENED: 1850 (cp->tld)(sp); 1851 sp->rst_counter[cp->protoidx] = 0; 1852 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1853 goto sta; 1854 default: 1855 printf("%s: %s illegal %s in state %s\n", 1856 ifp->if_xname, cp->name, 1857 sppp_cp_type_name(h->type), 1858 sppp_state_name(sp->state[cp->protoidx])); 1859 if_statinc(ifp, if_ierrors); 1860 } 1861 break; 1862 case TERM_ACK: 1863 switch (sp->state[cp->protoidx]) { 1864 case STATE_CLOSED: 1865 case STATE_STOPPED: 1866 case STATE_REQ_SENT: 1867 case STATE_ACK_SENT: 1868 break; 1869 case STATE_CLOSING: 1870 (cp->tlf)(sp); 1871 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1872 sppp_lcp_check_and_close(sp); 1873 break; 1874 case STATE_STOPPING: 1875 (cp->tlf)(sp); 1876 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1877 sppp_lcp_check_and_close(sp); 1878 break; 1879 case STATE_ACK_RCVD: 1880 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1881 break; 1882 case STATE_OPENED: 1883 (cp->tld)(sp); 1884 (cp->scr)(sp); 1885 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1886 break; 1887 default: 1888 printf("%s: %s illegal %s in state %s\n", 1889 ifp->if_xname, cp->name, 1890 sppp_cp_type_name(h->type), 1891 sppp_state_name(sp->state[cp->protoidx])); 1892 if_statinc(ifp, if_ierrors); 1893 } 1894 break; 1895 case CODE_REJ: 1896 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1897 log(LOG_INFO, 1898 "%s: %s: ignoring RXJ (%s) for code ?, " 1899 "danger will robinson\n", 1900 ifp->if_xname, cp->name, 1901 sppp_cp_type_name(h->type)); 1902 switch (sp->state[cp->protoidx]) { 1903 case STATE_CLOSED: 1904 case STATE_STOPPED: 1905 case STATE_REQ_SENT: 1906 case STATE_ACK_SENT: 1907 case STATE_CLOSING: 1908 case STATE_STOPPING: 1909 case STATE_OPENED: 1910 break; 1911 case STATE_ACK_RCVD: 1912 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1913 break; 1914 default: 1915 printf("%s: %s illegal %s in state %s\n", 1916 ifp->if_xname, cp->name, 1917 sppp_cp_type_name(h->type), 1918 sppp_state_name(sp->state[cp->protoidx])); 1919 if_statinc(ifp, if_ierrors); 1920 } 1921 break; 1922 case PROTO_REJ: 1923 { 1924 int catastrophic; 1925 const struct cp *upper; 1926 int i; 1927 uint16_t proto; 1928 1929 catastrophic = 0; 1930 upper = NULL; 1931 proto = p[0] << 8 | p[1]; 1932 for (i = 0; i < IDX_COUNT; i++) { 1933 if (cps[i]->proto == proto) { 1934 upper = cps[i]; 1935 break; 1936 } 1937 } 1938 if (upper == NULL) 1939 catastrophic++; 1940 1941 if (debug) 1942 log(LOG_INFO, 1943 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1944 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1945 sppp_cp_type_name(h->type), proto, 1946 upper ? upper->name : "unknown", 1947 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1948 1949 /* 1950 * if we got RXJ+ against conf-req, the peer does not implement 1951 * this particular protocol type. terminate the protocol. 1952 */ 1953 if (upper && !catastrophic) { 1954 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1955 upper->Close(sp); 1956 break; 1957 } 1958 } 1959 1960 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1961 switch (sp->state[cp->protoidx]) { 1962 case STATE_CLOSED: 1963 case STATE_STOPPED: 1964 case STATE_REQ_SENT: 1965 case STATE_ACK_SENT: 1966 case STATE_CLOSING: 1967 case STATE_STOPPING: 1968 case STATE_OPENED: 1969 break; 1970 case STATE_ACK_RCVD: 1971 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1972 break; 1973 default: 1974 printf("%s: %s illegal %s in state %s\n", 1975 ifp->if_xname, cp->name, 1976 sppp_cp_type_name(h->type), 1977 sppp_state_name(sp->state[cp->protoidx])); 1978 if_statinc(ifp, if_ierrors); 1979 } 1980 break; 1981 } 1982 case DISC_REQ: 1983 if (cp->proto != PPP_LCP) 1984 goto illegal; 1985 /* Discard the packet. */ 1986 break; 1987 case ECHO_REQ: 1988 if (cp->proto != PPP_LCP) 1989 goto illegal; 1990 if (sp->state[cp->protoidx] != STATE_OPENED) { 1991 if (debug) 1992 addlog("%s: lcp echo req but lcp closed\n", 1993 ifp->if_xname); 1994 if_statinc(ifp, if_ierrors); 1995 break; 1996 } 1997 if (len < 8) { 1998 if (debug) 1999 addlog("%s: invalid lcp echo request " 2000 "packet length: %d bytes\n", 2001 ifp->if_xname, len); 2002 break; 2003 } 2004 memcpy(&u32, h + 1, sizeof u32); 2005 if (ntohl(u32) == sp->lcp.magic) { 2006 /* Line loopback mode detected. */ 2007 printf("%s: loopback\n", ifp->if_xname); 2008 SPPP_UNLOCK(sp); 2009 if_down(ifp); 2010 SPPP_LOCK(sp, RW_WRITER); 2011 2012 IF_PURGE(&sp->pp_cpq); 2013 2014 /* Shut down the PPP link. */ 2015 /* XXX */ 2016 lcp.Down(sp); 2017 lcp.Up(sp); 2018 break; 2019 } 2020 u32 = htonl(sp->lcp.magic); 2021 memcpy(h + 1, &u32, sizeof u32); 2022 if (debug) 2023 addlog("%s: got lcp echo req, sending echo rep\n", 2024 ifp->if_xname); 2025 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 2026 h + 1); 2027 break; 2028 case ECHO_REPLY: 2029 if (cp->proto != PPP_LCP) 2030 goto illegal; 2031 if (h->ident != sp->lcp.echoid) { 2032 if_statinc(ifp, if_ierrors); 2033 break; 2034 } 2035 if (len < 8) { 2036 if (debug) 2037 addlog("%s: lcp invalid echo reply " 2038 "packet length: %d bytes\n", 2039 ifp->if_xname, len); 2040 break; 2041 } 2042 if (debug) 2043 addlog("%s: lcp got echo rep\n", 2044 ifp->if_xname); 2045 memcpy(&u32, h + 1, sizeof u32); 2046 if (ntohl(u32) != sp->lcp.magic) 2047 sp->pp_alivecnt = 0; 2048 break; 2049 default: 2050 /* Unknown packet type -- send Code-Reject packet. */ 2051 illegal: 2052 if (debug) 2053 addlog("%s: %s send code-rej for 0x%x\n", 2054 ifp->if_xname, cp->name, h->type); 2055 sppp_cp_send(sp, cp->proto, CODE_REJ, 2056 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 2057 if_statinc(ifp, if_ierrors); 2058 } 2059 2060 SPPP_UNLOCK(sp); 2061 } 2062 2063 2064 /* 2065 * The generic part of all Up/Down/Open/Close/TO event handlers. 2066 * Basically, the state transition handling in the automaton. 2067 */ 2068 static void 2069 sppp_up_event(const struct cp *cp, struct sppp *sp) 2070 { 2071 STDDCL; 2072 2073 KASSERT(SPPP_WLOCKED(sp)); 2074 2075 if (debug) 2076 log(LOG_DEBUG, "%s: %s up(%s)\n", 2077 ifp->if_xname, cp->name, 2078 sppp_state_name(sp->state[cp->protoidx])); 2079 2080 switch (sp->state[cp->protoidx]) { 2081 case STATE_INITIAL: 2082 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2083 break; 2084 case STATE_STARTING: 2085 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 2086 (cp->scr)(sp); 2087 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2088 break; 2089 default: 2090 printf("%s: %s illegal up in state %s\n", 2091 ifp->if_xname, cp->name, 2092 sppp_state_name(sp->state[cp->protoidx])); 2093 } 2094 } 2095 2096 static void 2097 sppp_down_event(const struct cp *cp, struct sppp *sp) 2098 { 2099 STDDCL; 2100 2101 KASSERT(SPPP_WLOCKED(sp)); 2102 2103 if (debug) 2104 log(LOG_DEBUG, "%s: %s down(%s)\n", 2105 ifp->if_xname, cp->name, 2106 sppp_state_name(sp->state[cp->protoidx])); 2107 2108 switch (sp->state[cp->protoidx]) { 2109 case STATE_CLOSED: 2110 case STATE_CLOSING: 2111 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2112 break; 2113 case STATE_STOPPED: 2114 (cp->tls)(sp); 2115 /* fall through */ 2116 case STATE_STOPPING: 2117 case STATE_REQ_SENT: 2118 case STATE_ACK_RCVD: 2119 case STATE_ACK_SENT: 2120 sppp_cp_change_state(cp, sp, STATE_STARTING); 2121 break; 2122 case STATE_OPENED: 2123 (cp->tld)(sp); 2124 sppp_cp_change_state(cp, sp, STATE_STARTING); 2125 break; 2126 default: 2127 printf("%s: %s illegal down in state %s\n", 2128 ifp->if_xname, cp->name, 2129 sppp_state_name(sp->state[cp->protoidx])); 2130 } 2131 } 2132 2133 2134 static void 2135 sppp_open_event(const struct cp *cp, struct sppp *sp) 2136 { 2137 STDDCL; 2138 2139 KASSERT(SPPP_WLOCKED(sp)); 2140 2141 if (debug) 2142 log(LOG_DEBUG, "%s: %s open(%s)\n", 2143 ifp->if_xname, cp->name, 2144 sppp_state_name(sp->state[cp->protoidx])); 2145 2146 switch (sp->state[cp->protoidx]) { 2147 case STATE_INITIAL: 2148 sppp_cp_change_state(cp, sp, STATE_STARTING); 2149 (cp->tls)(sp); 2150 break; 2151 case STATE_STARTING: 2152 break; 2153 case STATE_CLOSED: 2154 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 2155 (cp->scr)(sp); 2156 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2157 break; 2158 case STATE_STOPPED: 2159 case STATE_STOPPING: 2160 case STATE_REQ_SENT: 2161 case STATE_ACK_RCVD: 2162 case STATE_ACK_SENT: 2163 case STATE_OPENED: 2164 break; 2165 case STATE_CLOSING: 2166 sppp_cp_change_state(cp, sp, STATE_STOPPING); 2167 break; 2168 } 2169 } 2170 2171 2172 static void 2173 sppp_close_event(const struct cp *cp, struct sppp *sp) 2174 { 2175 STDDCL; 2176 2177 KASSERT(SPPP_WLOCKED(sp)); 2178 2179 if (debug) 2180 log(LOG_DEBUG, "%s: %s close(%s)\n", 2181 ifp->if_xname, cp->name, 2182 sppp_state_name(sp->state[cp->protoidx])); 2183 2184 switch (sp->state[cp->protoidx]) { 2185 case STATE_INITIAL: 2186 case STATE_CLOSED: 2187 case STATE_CLOSING: 2188 break; 2189 case STATE_STARTING: 2190 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2191 (cp->tlf)(sp); 2192 break; 2193 case STATE_STOPPED: 2194 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2195 break; 2196 case STATE_STOPPING: 2197 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2198 break; 2199 case STATE_OPENED: 2200 (cp->tld)(sp); 2201 /* fall through */ 2202 case STATE_REQ_SENT: 2203 case STATE_ACK_RCVD: 2204 case STATE_ACK_SENT: 2205 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 2206 sppp_cp_send(sp, cp->proto, TERM_REQ, 2207 ++sp->pp_seq[cp->protoidx], 0, 0); 2208 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2209 break; 2210 } 2211 } 2212 2213 static void 2214 sppp_to_event(const struct cp *cp, struct sppp *sp) 2215 { 2216 STDDCL; 2217 int s; 2218 2219 KASSERT(SPPP_WLOCKED(sp)); 2220 2221 s = splnet(); 2222 2223 if (debug) 2224 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 2225 ifp->if_xname, cp->name, 2226 sppp_state_name(sp->state[cp->protoidx]), 2227 sp->rst_counter[cp->protoidx]); 2228 2229 if (--sp->rst_counter[cp->protoidx] < 0) 2230 /* TO- event */ 2231 switch (sp->state[cp->protoidx]) { 2232 case STATE_CLOSING: 2233 (cp->tlf)(sp); 2234 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2235 sppp_lcp_check_and_close(sp); 2236 break; 2237 case STATE_STOPPING: 2238 (cp->tlf)(sp); 2239 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2240 sppp_lcp_check_and_close(sp); 2241 break; 2242 case STATE_REQ_SENT: 2243 case STATE_ACK_RCVD: 2244 case STATE_ACK_SENT: 2245 (cp->tlf)(sp); 2246 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2247 sppp_lcp_check_and_close(sp); 2248 break; 2249 } 2250 else 2251 /* TO+ event */ 2252 switch (sp->state[cp->protoidx]) { 2253 case STATE_CLOSING: 2254 case STATE_STOPPING: 2255 sppp_cp_send(sp, cp->proto, TERM_REQ, 2256 ++sp->pp_seq[cp->protoidx], 0, 0); 2257 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2258 cp->TO, sp); 2259 break; 2260 case STATE_REQ_SENT: 2261 case STATE_ACK_RCVD: 2262 (cp->scr)(sp); 2263 /* sppp_cp_change_state() will restart the timer */ 2264 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2265 break; 2266 case STATE_ACK_SENT: 2267 (cp->scr)(sp); 2268 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2269 cp->TO, sp); 2270 break; 2271 } 2272 2273 splx(s); 2274 } 2275 2276 /* 2277 * Change the state of a control protocol in the state automaton. 2278 * Takes care of starting/stopping the restart timer. 2279 */ 2280 void 2281 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2282 { 2283 2284 KASSERT(SPPP_WLOCKED(sp)); 2285 2286 sp->state[cp->protoidx] = newstate; 2287 callout_stop(&sp->ch[cp->protoidx]); 2288 switch (newstate) { 2289 case STATE_INITIAL: 2290 case STATE_STARTING: 2291 case STATE_CLOSED: 2292 case STATE_STOPPED: 2293 case STATE_OPENED: 2294 break; 2295 case STATE_CLOSING: 2296 case STATE_STOPPING: 2297 case STATE_REQ_SENT: 2298 case STATE_ACK_RCVD: 2299 case STATE_ACK_SENT: 2300 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2301 cp->TO, sp); 2302 break; 2303 } 2304 } 2305 2306 /* 2307 *--------------------------------------------------------------------------* 2308 * * 2309 * The LCP implementation. * 2310 * * 2311 *--------------------------------------------------------------------------* 2312 */ 2313 static void 2314 sppp_lcp_init(struct sppp *sp) 2315 { 2316 2317 KASSERT(SPPP_WLOCKED(sp)); 2318 2319 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2320 sp->lcp.magic = 0; 2321 sp->state[IDX_LCP] = STATE_INITIAL; 2322 sp->fail_counter[IDX_LCP] = 0; 2323 sp->pp_seq[IDX_LCP] = 0; 2324 sp->pp_rseq[IDX_LCP] = 0; 2325 sp->lcp.protos = 0; 2326 2327 /* 2328 * Initialize counters and timeout values. Note that we don't 2329 * use the 3 seconds suggested in RFC 1661 since we are likely 2330 * running on a fast link. XXX We should probably implement 2331 * the exponential backoff option. Note that these values are 2332 * relevant for all control protocols, not just LCP only. 2333 */ 2334 sp->lcp.timeout = 1 * hz; 2335 sp->lcp.max_terminate = 2; 2336 sp->lcp.max_configure = 10; 2337 sp->lcp.max_failure = 10; 2338 callout_init(&sp->ch[IDX_LCP], CALLOUT_MPSAFE); 2339 } 2340 2341 static void 2342 sppp_lcp_up(struct sppp *sp) 2343 { 2344 STDDCL; 2345 2346 KASSERT(SPPP_WLOCKED(sp)); 2347 2348 /* Initialize activity timestamp: opening a connection is an activity */ 2349 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 2350 2351 /* Initialize mlppp state */ 2352 sp->lcp.mrru = sp->lcp.their_mrru = 0; 2353 sp->lcp.ml_prefix = NULL; 2354 sp->lcp.ml_seq_expected = 0; 2355 2356 /* 2357 * If this interface is passive or dial-on-demand, and we are 2358 * still in Initial state, it means we've got an incoming 2359 * call. Activate the interface. 2360 */ 2361 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2362 if (debug) 2363 log(LOG_DEBUG, 2364 "%s: Up event", ifp->if_xname); 2365 ifp->if_flags |= IFF_RUNNING; 2366 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2367 if (debug) 2368 addlog("(incoming call)\n"); 2369 sp->pp_flags |= PP_CALLIN; 2370 lcp.Open(sp); 2371 } else if (debug) 2372 addlog("\n"); 2373 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2374 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2375 ifp->if_flags |= IFF_RUNNING; 2376 lcp.Open(sp); 2377 } 2378 2379 sppp_up_event(&lcp, sp); 2380 } 2381 2382 static void 2383 sppp_lcp_down(struct sppp *sp) 2384 { 2385 STDDCL; 2386 2387 KASSERT(SPPP_WLOCKED(sp)); 2388 2389 sppp_down_event(&lcp, sp); 2390 2391 /* 2392 * If this is neither a dial-on-demand nor a passive 2393 * interface, simulate an ``ifconfig down'' action, so the 2394 * administrator can force a redial by another ``ifconfig 2395 * up''. XXX For leased line operation, should we immediately 2396 * try to reopen the connection here? 2397 */ 2398 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2399 if (debug) 2400 log(LOG_INFO, 2401 "%s: Down event (carrier loss), taking interface down.\n", 2402 ifp->if_xname); 2403 SPPP_UNLOCK(sp); 2404 if_down(ifp); 2405 SPPP_LOCK(sp, RW_WRITER); 2406 } else { 2407 if (debug) 2408 log(LOG_DEBUG, 2409 "%s: Down event (carrier loss)\n", 2410 ifp->if_xname); 2411 } 2412 sp->fail_counter[IDX_LCP] = 0; 2413 sp->pp_flags &= ~PP_CALLIN; 2414 if (sp->state[IDX_LCP] != STATE_INITIAL) 2415 lcp.Close(sp); 2416 ifp->if_flags &= ~IFF_RUNNING; 2417 } 2418 2419 static void 2420 sppp_lcp_open(struct sppp *sp) 2421 { 2422 2423 KASSERT(SPPP_WLOCKED(sp)); 2424 2425 if (sp->pp_if.if_mtu < PP_MTU) { 2426 sp->lcp.mru = sp->pp_if.if_mtu; 2427 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2428 } else 2429 sp->lcp.mru = PP_MTU; 2430 sp->lcp.their_mru = PP_MTU; 2431 2432 /* 2433 * If we are authenticator, negotiate LCP_AUTH 2434 */ 2435 if (sp->hisauth.proto != 0) 2436 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2437 else 2438 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2439 sp->pp_flags &= ~PP_NEEDAUTH; 2440 sppp_open_event(&lcp, sp); 2441 } 2442 2443 static void 2444 sppp_lcp_close(struct sppp *sp) 2445 { 2446 2447 KASSERT(SPPP_WLOCKED(sp)); 2448 sppp_close_event(&lcp, sp); 2449 } 2450 2451 static void 2452 sppp_lcp_TO(void *cookie) 2453 { 2454 struct sppp *sp = (struct sppp*)cookie; 2455 2456 SPPP_LOCK(sp, RW_WRITER); 2457 sppp_to_event(&lcp, sp); 2458 SPPP_UNLOCK(sp); 2459 } 2460 2461 /* 2462 * Analyze a configure request. Return true if it was agreeable, and 2463 * caused action sca, false if it has been rejected or nak'ed, and 2464 * caused action scn. (The return value is used to make the state 2465 * transition decision in the state automaton.) 2466 */ 2467 static int 2468 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2469 { 2470 STDDCL; 2471 u_char *buf, *r, *p, l, blen; 2472 int origlen, rlen; 2473 uint32_t nmagic; 2474 u_short authproto; 2475 2476 KASSERT(SPPP_WLOCKED(sp)); 2477 2478 len -= 4; 2479 origlen = len; 2480 buf = r = malloc (blen = len, M_TEMP, M_NOWAIT); 2481 if (! buf) 2482 return (0); 2483 2484 if (debug) 2485 log(LOG_DEBUG, "%s: lcp parse opts:", 2486 ifp->if_xname); 2487 2488 /* pass 1: check for things that need to be rejected */ 2489 p = (void *)(h + 1); 2490 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2491 /* Sanity check option length */ 2492 if (l > len) { 2493 /* 2494 * Malicious option - drop immediately. 2495 * XXX Maybe we should just RXJ it? 2496 */ 2497 addlog("%s: received malicious LCP option 0x%02x, " 2498 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2499 p[0], l, len); 2500 goto drop; 2501 } 2502 if (debug) 2503 addlog(" %s", sppp_lcp_opt_name(*p)); 2504 switch (*p) { 2505 case LCP_OPT_MAGIC: 2506 /* Magic number. */ 2507 /* fall through, both are same length */ 2508 case LCP_OPT_ASYNC_MAP: 2509 /* Async control character map. */ 2510 if (len >= 6 || l == 6) 2511 continue; 2512 if (debug) 2513 addlog(" [invalid]"); 2514 break; 2515 case LCP_OPT_MP_EID: 2516 if (len >= l && l >= 3) { 2517 switch (p[2]) { 2518 case 0: if (l==3+ 0) continue;break; 2519 case 2: if (l==3+ 4) continue;break; 2520 case 3: if (l==3+ 6) continue;break; 2521 case 6: if (l==3+16) continue;break; 2522 case 1: /* FALLTHROUGH */ 2523 case 4: if (l<=3+20) continue;break; 2524 case 5: if (l<=3+15) continue;break; 2525 /* XXX should it be default: continue;? */ 2526 } 2527 } 2528 if (debug) 2529 addlog(" [invalid class %d len %d]", p[2], l); 2530 break; 2531 case LCP_OPT_MP_SSNHF: 2532 if (len >= 2 && l == 2) { 2533 if (debug) 2534 addlog(" [rej]"); 2535 break; 2536 } 2537 if (debug) 2538 addlog(" [invalid]"); 2539 break; 2540 case LCP_OPT_MP_MRRU: 2541 /* Multilink maximum received reconstructed unit */ 2542 /* should be fall through, both are same length */ 2543 /* FALLTHROUGH */ 2544 case LCP_OPT_MRU: 2545 /* Maximum receive unit. */ 2546 if (len >= 4 && l == 4) 2547 continue; 2548 if (debug) 2549 addlog(" [invalid]"); 2550 break; 2551 case LCP_OPT_AUTH_PROTO: 2552 if (len < 4) { 2553 if (debug) 2554 addlog(" [invalid]"); 2555 break; 2556 } 2557 authproto = (p[2] << 8) + p[3]; 2558 if (authproto == PPP_CHAP && l != 5) { 2559 if (debug) 2560 addlog(" [invalid chap len]"); 2561 break; 2562 } 2563 if (sp->myauth.proto == 0) { 2564 /* we are not configured to do auth */ 2565 if (debug) 2566 addlog(" [not configured]"); 2567 break; 2568 } 2569 /* 2570 * Remote want us to authenticate, remember this, 2571 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2572 * up. 2573 */ 2574 sp->pp_flags |= PP_NEEDAUTH; 2575 continue; 2576 default: 2577 /* Others not supported. */ 2578 if (debug) 2579 addlog(" [rej]"); 2580 break; 2581 } 2582 if (rlen + l > blen) { 2583 if (debug) 2584 addlog(" [overflow]"); 2585 continue; 2586 } 2587 /* Add the option to rejected list. */ 2588 memcpy(r, p, l); 2589 r += l; 2590 rlen += l; 2591 } 2592 if (rlen) { 2593 if (debug) 2594 addlog(" send conf-rej\n"); 2595 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2596 goto end; 2597 } else if (debug) 2598 addlog("\n"); 2599 2600 /* 2601 * pass 2: check for option values that are unacceptable and 2602 * thus require to be nak'ed. 2603 */ 2604 if (debug) 2605 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2606 ifp->if_xname); 2607 2608 p = (void *)(h + 1); 2609 len = origlen; 2610 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2611 if (debug) 2612 addlog(" %s", sppp_lcp_opt_name(*p)); 2613 switch (*p) { 2614 case LCP_OPT_MAGIC: 2615 /* Magic number -- extract. */ 2616 nmagic = (uint32_t)p[2] << 24 | 2617 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2618 if (nmagic != sp->lcp.magic) { 2619 if (debug) 2620 addlog(" 0x%x", nmagic); 2621 continue; 2622 } 2623 /* 2624 * Local and remote magics equal -- loopback? 2625 */ 2626 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2627 printf ("%s: loopback\n", 2628 ifp->if_xname); 2629 sp->pp_loopcnt = 0; 2630 if (ifp->if_flags & IFF_UP) { 2631 SPPP_UNLOCK(sp); 2632 if_down(ifp); 2633 SPPP_LOCK(sp, RW_WRITER); 2634 2635 IF_PURGE(&sp->pp_cpq); 2636 /* XXX ? */ 2637 lcp.Down(sp); 2638 lcp.Up(sp); 2639 } 2640 } else if (debug) 2641 addlog(" [glitch]"); 2642 ++sp->pp_loopcnt; 2643 /* 2644 * We negate our magic here, and NAK it. If 2645 * we see it later in an NAK packet, we 2646 * suggest a new one. 2647 */ 2648 nmagic = ~sp->lcp.magic; 2649 /* Gonna NAK it. */ 2650 p[2] = nmagic >> 24; 2651 p[3] = nmagic >> 16; 2652 p[4] = nmagic >> 8; 2653 p[5] = nmagic; 2654 break; 2655 2656 case LCP_OPT_ASYNC_MAP: 2657 /* 2658 * Async control character map -- just ignore it. 2659 * 2660 * Quote from RFC 1662, chapter 6: 2661 * To enable this functionality, synchronous PPP 2662 * implementations MUST always respond to the 2663 * Async-Control-Character-Map Configuration 2664 * Option with the LCP Configure-Ack. However, 2665 * acceptance of the Configuration Option does 2666 * not imply that the synchronous implementation 2667 * will do any ACCM mapping. Instead, all such 2668 * octet mapping will be performed by the 2669 * asynchronous-to-synchronous converter. 2670 */ 2671 continue; 2672 2673 case LCP_OPT_MRU: 2674 /* 2675 * Maximum receive unit. Always agreeable, 2676 * but ignored by now. 2677 */ 2678 sp->lcp.their_mru = p[2] * 256 + p[3]; 2679 if (debug) 2680 addlog(" %ld", sp->lcp.their_mru); 2681 continue; 2682 2683 case LCP_OPT_AUTH_PROTO: 2684 authproto = (p[2] << 8) + p[3]; 2685 if (sp->myauth.proto != authproto) { 2686 /* not agreed, nak */ 2687 if (debug) 2688 addlog(" [mine %s != his %s]", 2689 sppp_proto_name(sp->myauth.proto), 2690 sppp_proto_name(authproto)); 2691 p[2] = sp->myauth.proto >> 8; 2692 p[3] = sp->myauth.proto; 2693 break; 2694 } 2695 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2696 if (debug) 2697 addlog(" [chap not MD5]"); 2698 p[4] = CHAP_MD5; 2699 break; 2700 } 2701 continue; 2702 case LCP_OPT_MP_EID: 2703 /* 2704 * Endpoint identification. 2705 * Always agreeable, 2706 * but ignored by now. 2707 */ 2708 if (debug) { 2709 addlog(" class %d", p[2]); 2710 sppp_print_bytes(p+3, p[1]-3); 2711 } 2712 continue; 2713 case LCP_OPT_MP_MRRU: 2714 /* 2715 * Maximum received reconstructed unit. 2716 * Always agreeable, 2717 * but ignored by now. 2718 */ 2719 sp->lcp.their_mrru = p[2] * 256 + p[3]; 2720 if (debug) 2721 addlog(" %ld", sp->lcp.their_mrru); 2722 continue; 2723 } 2724 if (rlen + l > blen) { 2725 if (debug) 2726 addlog(" [overflow]"); 2727 continue; 2728 } 2729 /* Add the option to nak'ed list. */ 2730 memcpy(r, p, l); 2731 r += l; 2732 rlen += l; 2733 } 2734 if (rlen) { 2735 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2736 if (debug) 2737 addlog(" max_failure (%d) exceeded, " 2738 "send conf-rej\n", 2739 sp->lcp.max_failure); 2740 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2741 } else { 2742 if (debug) 2743 addlog(" send conf-nak\n"); 2744 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2745 } 2746 goto end; 2747 } else { 2748 if (debug) 2749 addlog(" send conf-ack\n"); 2750 sp->fail_counter[IDX_LCP] = 0; 2751 sp->pp_loopcnt = 0; 2752 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1); 2753 } 2754 2755 end: 2756 free(buf, M_TEMP); 2757 return (rlen == 0); 2758 2759 drop: 2760 free(buf, M_TEMP); 2761 return -1; 2762 } 2763 2764 /* 2765 * Analyze the LCP Configure-Reject option list, and adjust our 2766 * negotiation. 2767 */ 2768 static void 2769 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2770 { 2771 STDDCL; 2772 u_char *buf, *p, l; 2773 2774 KASSERT(SPPP_WLOCKED(sp)); 2775 2776 len -= 4; 2777 buf = malloc (len, M_TEMP, M_NOWAIT); 2778 if (!buf) 2779 return; 2780 2781 if (debug) 2782 log(LOG_DEBUG, "%s: lcp rej opts:", 2783 ifp->if_xname); 2784 2785 p = (void *)(h + 1); 2786 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2787 /* Sanity check option length */ 2788 if (l > len) { 2789 /* 2790 * Malicious option - drop immediately. 2791 * XXX Maybe we should just RXJ it? 2792 */ 2793 addlog("%s: received malicious LCP option, " 2794 "dropping.\n", ifp->if_xname); 2795 goto drop; 2796 } 2797 if (debug) 2798 addlog(" %s", sppp_lcp_opt_name(*p)); 2799 switch (*p) { 2800 case LCP_OPT_MAGIC: 2801 /* Magic number -- can't use it, use 0 */ 2802 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2803 sp->lcp.magic = 0; 2804 break; 2805 case LCP_OPT_MRU: 2806 /* 2807 * We try to negotiate a lower MRU if the underlying 2808 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 2809 * peer rejects this lower rate, fallback to the 2810 * default. 2811 */ 2812 if (debug) { 2813 addlog("%s: warning: peer rejected our MRU of " 2814 "%ld bytes. Defaulting to %d bytes\n", 2815 ifp->if_xname, sp->lcp.mru, PP_MTU); 2816 } 2817 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2818 sp->lcp.mru = PP_MTU; 2819 break; 2820 case LCP_OPT_AUTH_PROTO: 2821 /* 2822 * Peer doesn't want to authenticate himself, 2823 * deny unless this is a dialout call, and 2824 * SPPP_AUTHFLAG_NOCALLOUT is set. 2825 */ 2826 if ((sp->pp_flags & PP_CALLIN) == 0 && 2827 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 2828 if (debug) 2829 addlog(" [don't insist on auth " 2830 "for callout]"); 2831 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2832 break; 2833 } 2834 if (debug) 2835 addlog("[access denied]\n"); 2836 lcp.Close(sp); 2837 break; 2838 } 2839 } 2840 if (debug) 2841 addlog("\n"); 2842 drop: 2843 free(buf, M_TEMP); 2844 return; 2845 } 2846 2847 /* 2848 * Analyze the LCP Configure-NAK option list, and adjust our 2849 * negotiation. 2850 */ 2851 static void 2852 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2853 { 2854 STDDCL; 2855 u_char *buf, *p, l, blen; 2856 uint32_t magic; 2857 2858 KASSERT(SPPP_WLOCKED(sp)); 2859 2860 len -= 4; 2861 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 2862 if (!buf) 2863 return; 2864 2865 if (debug) 2866 log(LOG_DEBUG, "%s: lcp nak opts:", 2867 ifp->if_xname); 2868 2869 p = (void *)(h + 1); 2870 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2871 /* Sanity check option length */ 2872 if (l > len) { 2873 /* 2874 * Malicious option - drop immediately. 2875 * XXX Maybe we should just RXJ it? 2876 */ 2877 addlog("%s: received malicious LCP option, " 2878 "dropping.\n", ifp->if_xname); 2879 goto drop; 2880 } 2881 if (debug) 2882 addlog(" %s", sppp_lcp_opt_name(*p)); 2883 switch (*p) { 2884 case LCP_OPT_MAGIC: 2885 /* Magic number -- renegotiate */ 2886 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2887 len >= 6 && l == 6) { 2888 magic = (uint32_t)p[2] << 24 | 2889 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2890 /* 2891 * If the remote magic is our negated one, 2892 * this looks like a loopback problem. 2893 * Suggest a new magic to make sure. 2894 */ 2895 if (magic == ~sp->lcp.magic) { 2896 if (debug) 2897 addlog(" magic glitch"); 2898 sp->lcp.magic = cprng_fast32(); 2899 } else { 2900 sp->lcp.magic = magic; 2901 if (debug) 2902 addlog(" %d", magic); 2903 } 2904 } 2905 break; 2906 case LCP_OPT_MRU: 2907 /* 2908 * Peer wants to advise us to negotiate an MRU. 2909 * Agree on it if it's reasonable, or use 2910 * default otherwise. 2911 */ 2912 if (len >= 4 && l == 4) { 2913 u_int mru = p[2] * 256 + p[3]; 2914 if (debug) 2915 addlog(" %d", mru); 2916 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 2917 mru = sp->pp_if.if_mtu; 2918 sp->lcp.mru = mru; 2919 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2920 } 2921 break; 2922 case LCP_OPT_AUTH_PROTO: 2923 /* 2924 * Peer doesn't like our authentication method, 2925 * deny. 2926 */ 2927 if (debug) 2928 addlog("[access denied]\n"); 2929 lcp.Close(sp); 2930 break; 2931 } 2932 } 2933 if (debug) 2934 addlog("\n"); 2935 drop: 2936 free(buf, M_TEMP); 2937 return; 2938 } 2939 2940 static void 2941 sppp_lcp_tlu(struct sppp *sp) 2942 { 2943 struct ifnet *ifp = &sp->pp_if; 2944 int i; 2945 uint32_t mask; 2946 2947 KASSERT(SPPP_WLOCKED(sp)); 2948 2949 /* XXX ? */ 2950 if (! (ifp->if_flags & IFF_UP) && 2951 (ifp->if_flags & IFF_RUNNING)) { 2952 /* Coming out of loopback mode. */ 2953 SPPP_UNLOCK(sp); 2954 if_up(ifp); 2955 SPPP_LOCK(sp, RW_WRITER); 2956 } 2957 2958 for (i = 0; i < IDX_COUNT; i++) 2959 if ((cps[i])->flags & CP_QUAL) 2960 (cps[i])->Open(sp); 2961 2962 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2963 (sp->pp_flags & PP_NEEDAUTH) != 0) 2964 sppp_change_phase(sp, SPPP_PHASE_AUTHENTICATE); 2965 else 2966 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 2967 2968 /* 2969 * Open all authentication protocols. This is even required 2970 * if we already proceeded to network phase, since it might be 2971 * that remote wants us to authenticate, so we might have to 2972 * send a PAP request. Undesired authentication protocols 2973 * don't do anything when they get an Open event. 2974 */ 2975 for (i = 0; i < IDX_COUNT; i++) 2976 if ((cps[i])->flags & CP_AUTH) 2977 (cps[i])->Open(sp); 2978 2979 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 2980 /* Notify all NCPs. */ 2981 for (i = 0; i < IDX_COUNT; i++) 2982 if ((cps[i])->flags & CP_NCP) 2983 (cps[i])->Open(sp); 2984 } 2985 2986 /* Send Up events to all started protos. */ 2987 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) { 2988 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2989 (cps[i])->Up(sp); 2990 } 2991 } 2992 2993 /* notify low-level driver of state change */ 2994 sppp_notify_chg_wlocked(sp); 2995 2996 if (sp->pp_phase == SPPP_PHASE_NETWORK) 2997 /* if no NCP is starting, close down */ 2998 sppp_lcp_check_and_close(sp); 2999 } 3000 3001 static void 3002 sppp_lcp_tld(struct sppp *sp) 3003 { 3004 int i; 3005 uint32_t mask; 3006 3007 KASSERT(SPPP_WLOCKED(sp)); 3008 3009 sppp_change_phase(sp, SPPP_PHASE_TERMINATE); 3010 3011 /* 3012 * Take upper layers down. We send the Down event first and 3013 * the Close second to prevent the upper layers from sending 3014 * ``a flurry of terminate-request packets'', as the RFC 3015 * describes it. 3016 */ 3017 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) { 3018 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 3019 (cps[i])->Down(sp); 3020 (cps[i])->Close(sp); 3021 } 3022 } 3023 } 3024 3025 static void 3026 sppp_lcp_tls(struct sppp *sp) 3027 { 3028 3029 KASSERT(SPPP_WLOCKED(sp)); 3030 3031 3032 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 3033 printf("%s: authentication failed %d times, not retrying again\n", 3034 sp->pp_if.if_xname, sp->pp_auth_failures); 3035 3036 SPPP_UNLOCK(sp); 3037 if_down(&sp->pp_if); 3038 SPPP_LOCK(sp, RW_WRITER); 3039 return; 3040 } 3041 3042 sppp_change_phase(sp, SPPP_PHASE_ESTABLISH); 3043 3044 /* Notify lower layer if desired. */ 3045 sppp_notify_tls_wlocked(sp); 3046 } 3047 3048 static void 3049 sppp_lcp_tlf(struct sppp *sp) 3050 { 3051 3052 KASSERT(SPPP_WLOCKED(sp)); 3053 3054 sppp_change_phase(sp, SPPP_PHASE_DEAD); 3055 3056 /* Notify lower layer if desired. */ 3057 sppp_notify_tlf_wlocked(sp); 3058 } 3059 3060 static void 3061 sppp_lcp_scr(struct sppp *sp) 3062 { 3063 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 3064 int i = 0; 3065 u_short authproto; 3066 3067 KASSERT(SPPP_WLOCKED(sp)); 3068 3069 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 3070 if (! sp->lcp.magic) 3071 sp->lcp.magic = cprng_fast32(); 3072 opt[i++] = LCP_OPT_MAGIC; 3073 opt[i++] = 6; 3074 opt[i++] = sp->lcp.magic >> 24; 3075 opt[i++] = sp->lcp.magic >> 16; 3076 opt[i++] = sp->lcp.magic >> 8; 3077 opt[i++] = sp->lcp.magic; 3078 } 3079 3080 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 3081 opt[i++] = LCP_OPT_MRU; 3082 opt[i++] = 4; 3083 opt[i++] = sp->lcp.mru >> 8; 3084 opt[i++] = sp->lcp.mru; 3085 } 3086 3087 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 3088 authproto = sp->hisauth.proto; 3089 opt[i++] = LCP_OPT_AUTH_PROTO; 3090 opt[i++] = authproto == PPP_CHAP? 5: 4; 3091 opt[i++] = authproto >> 8; 3092 opt[i++] = authproto; 3093 if (authproto == PPP_CHAP) 3094 opt[i++] = CHAP_MD5; 3095 } 3096 3097 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 3098 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 3099 } 3100 3101 /* 3102 * Check the open NCPs, return true if at least one NCP is open. 3103 */ 3104 static int 3105 sppp_ncp_check(struct sppp *sp) 3106 { 3107 int i, mask; 3108 3109 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 3110 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 3111 return 1; 3112 return 0; 3113 } 3114 3115 /* 3116 * Re-check the open NCPs and see if we should terminate the link. 3117 * Called by the NCPs during their tlf action handling. 3118 */ 3119 static void 3120 sppp_lcp_check_and_close(struct sppp *sp) 3121 { 3122 3123 KASSERT(SPPP_WLOCKED(sp)); 3124 3125 if (sp->pp_phase < SPPP_PHASE_NETWORK) 3126 /* don't bother, we are already going down */ 3127 return; 3128 3129 if (sppp_ncp_check(sp)) 3130 return; 3131 lcp.Close(sp); 3132 } 3133 3134 3135 /* 3136 *--------------------------------------------------------------------------* 3137 * * 3138 * The IPCP implementation. * 3139 * * 3140 *--------------------------------------------------------------------------* 3141 */ 3142 3143 static void 3144 sppp_ipcp_init(struct sppp *sp) 3145 { 3146 int error; 3147 3148 KASSERT(SPPP_WLOCKED(sp)); 3149 3150 sp->ipcp.opts = 0; 3151 sp->ipcp.flags = 0; 3152 sp->state[IDX_IPCP] = STATE_INITIAL; 3153 sp->fail_counter[IDX_IPCP] = 0; 3154 sp->pp_seq[IDX_IPCP] = 0; 3155 sp->pp_rseq[IDX_IPCP] = 0; 3156 callout_init(&sp->ch[IDX_IPCP], CALLOUT_MPSAFE); 3157 3158 error = workqueue_create(&sp->ipcp.update_addrs_wq, "ipcp_addr", 3159 sppp_update_ip_addrs_work, sp, PRI_SOFTNET, IPL_NET, 0); 3160 if (error) 3161 panic("%s: update_addrs workqueue_create failed (%d)\n", 3162 __func__, error); 3163 sp->ipcp.update_addrs_q = pcq_create(IPCP_UPDATE_LIMIT, KM_SLEEP); 3164 3165 sp->ipcp.update_addrs_enqueued = 0; 3166 } 3167 3168 static void 3169 sppp_ipcp_up(struct sppp *sp) 3170 { 3171 KASSERT(SPPP_WLOCKED(sp)); 3172 sppp_up_event(&ipcp, sp); 3173 } 3174 3175 static void 3176 sppp_ipcp_down(struct sppp *sp) 3177 { 3178 KASSERT(SPPP_WLOCKED(sp)); 3179 sppp_down_event(&ipcp, sp); 3180 } 3181 3182 static void 3183 sppp_ipcp_open(struct sppp *sp) 3184 { 3185 STDDCL; 3186 uint32_t myaddr, hisaddr; 3187 3188 KASSERT(SPPP_WLOCKED(sp)); 3189 3190 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 3191 sp->ipcp.req_myaddr = 0; 3192 sp->ipcp.req_hisaddr = 0; 3193 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 3194 3195 #ifdef INET 3196 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3197 #else 3198 myaddr = hisaddr = 0; 3199 #endif 3200 /* 3201 * If we don't have his address, this probably means our 3202 * interface doesn't want to talk IP at all. (This could 3203 * be the case if somebody wants to speak only IPX, for 3204 * example.) Don't open IPCP in this case. 3205 */ 3206 if (hisaddr == 0) { 3207 /* XXX this message should go away */ 3208 if (debug) 3209 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 3210 ifp->if_xname); 3211 return; 3212 } 3213 3214 if (myaddr == 0) { 3215 /* 3216 * I don't have an assigned address, so i need to 3217 * negotiate my address. 3218 */ 3219 sp->ipcp.flags |= IPCP_MYADDR_DYN; 3220 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3221 } 3222 if (hisaddr == 1) { 3223 /* 3224 * XXX - remove this hack! 3225 * remote has no valid address, we need to get one assigned. 3226 */ 3227 sp->ipcp.flags |= IPCP_HISADDR_DYN; 3228 } 3229 sppp_open_event(&ipcp, sp); 3230 } 3231 3232 static void 3233 sppp_ipcp_close(struct sppp *sp) 3234 { 3235 3236 KASSERT(SPPP_WLOCKED(sp)); 3237 3238 sppp_close_event(&ipcp, sp); 3239 3240 #ifdef INET 3241 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) 3242 /* 3243 * Some address was dynamic, clear it again. 3244 */ 3245 sppp_clear_ip_addrs(sp); 3246 #endif 3247 } 3248 3249 static void 3250 sppp_ipcp_TO(void *cookie) 3251 { 3252 struct sppp *sp = cookie; 3253 3254 SPPP_LOCK(sp, RW_WRITER); 3255 sppp_to_event(&ipcp, sp); 3256 SPPP_UNLOCK(sp); 3257 } 3258 3259 /* 3260 * Analyze a configure request. Return true if it was agreeable, and 3261 * caused action sca, false if it has been rejected or nak'ed, and 3262 * caused action scn. (The return value is used to make the state 3263 * transition decision in the state automaton.) 3264 */ 3265 static int 3266 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3267 { 3268 u_char *buf, *r, *p, l, blen; 3269 struct ifnet *ifp = &sp->pp_if; 3270 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3271 uint32_t hisaddr, desiredaddr; 3272 3273 KASSERT(SPPP_WLOCKED(sp)); 3274 3275 len -= 4; 3276 origlen = len; 3277 /* 3278 * Make sure to allocate a buf that can at least hold a 3279 * conf-nak with an `address' option. We might need it below. 3280 */ 3281 blen = len < 6 ? 6 : len; 3282 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3283 if (! buf) 3284 return (0); 3285 3286 /* pass 1: see if we can recognize them */ 3287 if (debug) 3288 log(LOG_DEBUG, "%s: ipcp parse opts:", 3289 ifp->if_xname); 3290 p = (void *)(h + 1); 3291 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3292 /* Sanity check option length */ 3293 if (l > len) { 3294 /* XXX should we just RXJ? */ 3295 addlog("%s: malicious IPCP option received, dropping\n", 3296 ifp->if_xname); 3297 goto drop; 3298 } 3299 if (debug) 3300 addlog(" %s", sppp_ipcp_opt_name(*p)); 3301 switch (*p) { 3302 #ifdef notyet 3303 case IPCP_OPT_COMPRESSION: 3304 if (len >= 6 && l >= 6) { 3305 /* correctly formed compress option */ 3306 continue; 3307 } 3308 if (debug) 3309 addlog(" [invalid]"); 3310 break; 3311 #endif 3312 case IPCP_OPT_ADDRESS: 3313 if (len >= 6 && l == 6) { 3314 /* correctly formed address option */ 3315 continue; 3316 } 3317 if (debug) 3318 addlog(" [invalid]"); 3319 break; 3320 default: 3321 /* Others not supported. */ 3322 if (debug) 3323 addlog(" [rej]"); 3324 break; 3325 } 3326 /* Add the option to rejected list. */ 3327 if (rlen + l > blen) { 3328 if (debug) 3329 addlog(" [overflow]"); 3330 continue; 3331 } 3332 memcpy(r, p, l); 3333 r += l; 3334 rlen += l; 3335 } 3336 if (rlen) { 3337 if (debug) 3338 addlog(" send conf-rej\n"); 3339 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 3340 goto end; 3341 } else if (debug) 3342 addlog("\n"); 3343 3344 /* pass 2: parse option values */ 3345 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 3346 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 3347 else 3348 #ifdef INET 3349 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 3350 #else 3351 hisaddr = 0; 3352 #endif 3353 if (debug) 3354 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 3355 ifp->if_xname); 3356 p = (void *)(h + 1); 3357 len = origlen; 3358 for (rlen=0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3359 if (debug) 3360 addlog(" %s", sppp_ipcp_opt_name(*p)); 3361 switch (*p) { 3362 #ifdef notyet 3363 case IPCP_OPT_COMPRESSION: 3364 continue; 3365 #endif 3366 case IPCP_OPT_ADDRESS: 3367 desiredaddr = p[2] << 24 | p[3] << 16 | 3368 p[4] << 8 | p[5]; 3369 if (desiredaddr == hisaddr || 3370 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 3371 /* 3372 * Peer's address is same as our value, 3373 * this is agreeable. Gonna conf-ack 3374 * it. 3375 */ 3376 if (debug) 3377 addlog(" %s [ack]", 3378 sppp_dotted_quad(hisaddr)); 3379 /* record that we've seen it already */ 3380 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 3381 sp->ipcp.req_hisaddr = desiredaddr; 3382 hisaddr = desiredaddr; 3383 continue; 3384 } 3385 /* 3386 * The address wasn't agreeable. This is either 3387 * he sent us 0.0.0.0, asking to assign him an 3388 * address, or he send us another address not 3389 * matching our value. Either case, we gonna 3390 * conf-nak it with our value. 3391 */ 3392 if (debug) { 3393 if (desiredaddr == 0) 3394 addlog(" [addr requested]"); 3395 else 3396 addlog(" %s [not agreed]", 3397 sppp_dotted_quad(desiredaddr)); 3398 } 3399 3400 p[2] = hisaddr >> 24; 3401 p[3] = hisaddr >> 16; 3402 p[4] = hisaddr >> 8; 3403 p[5] = hisaddr; 3404 break; 3405 } 3406 if (rlen + l > blen) { 3407 if (debug) 3408 addlog(" [overflow]"); 3409 continue; 3410 } 3411 /* Add the option to nak'ed list. */ 3412 memcpy(r, p, l); 3413 r += l; 3414 rlen += l; 3415 } 3416 3417 /* 3418 * If we are about to conf-ack the request, but haven't seen 3419 * his address so far, gonna conf-nak it instead, with the 3420 * `address' option present and our idea of his address being 3421 * filled in there, to request negotiation of both addresses. 3422 * 3423 * XXX This can result in an endless req - nak loop if peer 3424 * doesn't want to send us his address. Q: What should we do 3425 * about it? XXX A: implement the max-failure counter. 3426 */ 3427 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) { 3428 buf[0] = IPCP_OPT_ADDRESS; 3429 buf[1] = 6; 3430 buf[2] = hisaddr >> 24; 3431 buf[3] = hisaddr >> 16; 3432 buf[4] = hisaddr >> 8; 3433 buf[5] = hisaddr; 3434 rlen = 6; 3435 if (debug) 3436 addlog(" still need hisaddr"); 3437 } 3438 3439 if (rlen) { 3440 if (debug) 3441 addlog(" send conf-nak\n"); 3442 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3443 } else { 3444 if (debug) 3445 addlog(" send conf-ack\n"); 3446 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1); 3447 } 3448 3449 end: 3450 free(buf, M_TEMP); 3451 return (rlen == 0); 3452 3453 drop: 3454 free(buf, M_TEMP); 3455 return -1; 3456 } 3457 3458 /* 3459 * Analyze the IPCP Configure-Reject option list, and adjust our 3460 * negotiation. 3461 */ 3462 static void 3463 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3464 { 3465 u_char *buf, *p, l, blen; 3466 struct ifnet *ifp = &sp->pp_if; 3467 int debug = ifp->if_flags & IFF_DEBUG; 3468 3469 KASSERT(SPPP_WLOCKED(sp)); 3470 3471 len -= 4; 3472 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3473 if (!buf) 3474 return; 3475 3476 if (debug) 3477 log(LOG_DEBUG, "%s: ipcp rej opts:", 3478 ifp->if_xname); 3479 3480 p = (void *)(h + 1); 3481 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3482 /* Sanity check option length */ 3483 if (l > len) { 3484 /* XXX should we just RXJ? */ 3485 addlog("%s: malicious IPCP option received, dropping\n", 3486 ifp->if_xname); 3487 goto drop; 3488 } 3489 if (debug) 3490 addlog(" %s", sppp_ipcp_opt_name(*p)); 3491 switch (*p) { 3492 case IPCP_OPT_ADDRESS: 3493 /* 3494 * Peer doesn't grok address option. This is 3495 * bad. XXX Should we better give up here? 3496 */ 3497 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3498 break; 3499 #ifdef notyet 3500 case IPCP_OPT_COMPRESS: 3501 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS); 3502 break; 3503 #endif 3504 } 3505 } 3506 if (debug) 3507 addlog("\n"); 3508 drop: 3509 free(buf, M_TEMP); 3510 return; 3511 } 3512 3513 /* 3514 * Analyze the IPCP Configure-NAK option list, and adjust our 3515 * negotiation. 3516 */ 3517 static void 3518 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3519 { 3520 u_char *p, l; 3521 struct ifnet *ifp = &sp->pp_if; 3522 int debug = ifp->if_flags & IFF_DEBUG; 3523 uint32_t wantaddr; 3524 3525 KASSERT(SPPP_WLOCKED(sp)); 3526 3527 len -= 4; 3528 3529 if (debug) 3530 log(LOG_DEBUG, "%s: ipcp nak opts:", 3531 ifp->if_xname); 3532 3533 p = (void *)(h + 1); 3534 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3535 /* Sanity check option length */ 3536 if (l > len) { 3537 /* XXX should we just RXJ? */ 3538 addlog("%s: malicious IPCP option received, dropping\n", 3539 ifp->if_xname); 3540 return; 3541 } 3542 if (debug) 3543 addlog(" %s", sppp_ipcp_opt_name(*p)); 3544 switch (*p) { 3545 case IPCP_OPT_ADDRESS: 3546 /* 3547 * Peer doesn't like our local IP address. See 3548 * if we can do something for him. We'll drop 3549 * him our address then. 3550 */ 3551 if (len >= 6 && l == 6) { 3552 wantaddr = p[2] << 24 | p[3] << 16 | 3553 p[4] << 8 | p[5]; 3554 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3555 if (debug) 3556 addlog(" [wantaddr %s]", 3557 sppp_dotted_quad(wantaddr)); 3558 /* 3559 * When doing dynamic address assignment, 3560 * we accept his offer. Otherwise, we 3561 * ignore it and thus continue to negotiate 3562 * our already existing value. 3563 */ 3564 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3565 if (debug) 3566 addlog(" [agree]"); 3567 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3568 sp->ipcp.req_myaddr = wantaddr; 3569 } 3570 } 3571 break; 3572 3573 case IPCP_OPT_PRIMDNS: 3574 if (len >= 6 && l == 6) { 3575 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 3576 p[4] << 8 | p[5]; 3577 } 3578 break; 3579 3580 case IPCP_OPT_SECDNS: 3581 if (len >= 6 && l == 6) { 3582 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 3583 p[4] << 8 | p[5]; 3584 } 3585 break; 3586 #ifdef notyet 3587 case IPCP_OPT_COMPRESS: 3588 /* 3589 * Peer wants different compression parameters. 3590 */ 3591 break; 3592 #endif 3593 } 3594 } 3595 if (debug) 3596 addlog("\n"); 3597 } 3598 3599 static void 3600 sppp_ipcp_tlu(struct sppp *sp) 3601 { 3602 #ifdef INET 3603 KASSERT(SPPP_WLOCKED(sp)); 3604 /* we are up. Set addresses and notify anyone interested */ 3605 sppp_set_ip_addrs(sp); 3606 #endif 3607 } 3608 3609 static void 3610 sppp_ipcp_tld(struct sppp *sp) 3611 { 3612 3613 KASSERT(SPPP_WLOCKED(sp)); 3614 } 3615 3616 static void 3617 sppp_ipcp_tls(struct sppp *sp) 3618 { 3619 3620 KASSERT(SPPP_WLOCKED(sp)); 3621 /* indicate to LCP that it must stay alive */ 3622 sp->lcp.protos |= (1 << IDX_IPCP); 3623 } 3624 3625 static void 3626 sppp_ipcp_tlf(struct sppp *sp) 3627 { 3628 3629 KASSERT(SPPP_WLOCKED(sp)); 3630 3631 /* we no longer need LCP */ 3632 sp->lcp.protos &= ~(1 << IDX_IPCP); 3633 } 3634 3635 static void 3636 sppp_ipcp_scr(struct sppp *sp) 3637 { 3638 uint8_t opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 3639 #ifdef INET 3640 uint32_t ouraddr; 3641 #endif 3642 int i = 0; 3643 3644 KASSERT(SPPP_WLOCKED(sp)); 3645 3646 #ifdef notyet 3647 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3648 opt[i++] = IPCP_OPT_COMPRESSION; 3649 opt[i++] = 6; 3650 opt[i++] = 0; /* VJ header compression */ 3651 opt[i++] = 0x2d; /* VJ header compression */ 3652 opt[i++] = max_slot_id; 3653 opt[i++] = comp_slot_id; 3654 } 3655 #endif 3656 3657 #ifdef INET 3658 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3659 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) 3660 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 3661 else 3662 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3663 opt[i++] = IPCP_OPT_ADDRESS; 3664 opt[i++] = 6; 3665 opt[i++] = ouraddr >> 24; 3666 opt[i++] = ouraddr >> 16; 3667 opt[i++] = ouraddr >> 8; 3668 opt[i++] = ouraddr; 3669 } 3670 #endif 3671 3672 if (sp->query_dns & 1) { 3673 opt[i++] = IPCP_OPT_PRIMDNS; 3674 opt[i++] = 6; 3675 opt[i++] = sp->dns_addrs[0] >> 24; 3676 opt[i++] = sp->dns_addrs[0] >> 16; 3677 opt[i++] = sp->dns_addrs[0] >> 8; 3678 opt[i++] = sp->dns_addrs[0]; 3679 } 3680 if (sp->query_dns & 2) { 3681 opt[i++] = IPCP_OPT_SECDNS; 3682 opt[i++] = 6; 3683 opt[i++] = sp->dns_addrs[1] >> 24; 3684 opt[i++] = sp->dns_addrs[1] >> 16; 3685 opt[i++] = sp->dns_addrs[1] >> 8; 3686 opt[i++] = sp->dns_addrs[1]; 3687 } 3688 3689 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3690 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3691 } 3692 3693 3694 /* 3695 *--------------------------------------------------------------------------* 3696 * * 3697 * The IPv6CP implementation. * 3698 * * 3699 *--------------------------------------------------------------------------* 3700 */ 3701 3702 #ifdef INET6 3703 static void 3704 sppp_ipv6cp_init(struct sppp *sp) 3705 { 3706 3707 KASSERT(SPPP_WLOCKED(sp)); 3708 3709 sp->ipv6cp.opts = 0; 3710 sp->ipv6cp.flags = 0; 3711 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3712 sp->fail_counter[IDX_IPV6CP] = 0; 3713 sp->pp_seq[IDX_IPV6CP] = 0; 3714 sp->pp_rseq[IDX_IPV6CP] = 0; 3715 callout_init(&sp->ch[IDX_IPV6CP], CALLOUT_MPSAFE); 3716 } 3717 3718 static void 3719 sppp_ipv6cp_up(struct sppp *sp) 3720 { 3721 3722 KASSERT(SPPP_WLOCKED(sp)); 3723 sppp_up_event(&ipv6cp, sp); 3724 } 3725 3726 static void 3727 sppp_ipv6cp_down(struct sppp *sp) 3728 { 3729 3730 KASSERT(SPPP_WLOCKED(sp)); 3731 sppp_down_event(&ipv6cp, sp); 3732 } 3733 3734 static void 3735 sppp_ipv6cp_open(struct sppp *sp) 3736 { 3737 STDDCL; 3738 struct in6_addr myaddr, hisaddr; 3739 3740 KASSERT(SPPP_WLOCKED(sp)); 3741 3742 #ifdef IPV6CP_MYIFID_DYN 3743 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3744 #else 3745 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3746 #endif 3747 3748 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3749 /* 3750 * If we don't have our address, this probably means our 3751 * interface doesn't want to talk IPv6 at all. (This could 3752 * be the case if somebody wants to speak only IPX, for 3753 * example.) Don't open IPv6CP in this case. 3754 */ 3755 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3756 /* XXX this message should go away */ 3757 if (debug) 3758 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 3759 ifp->if_xname); 3760 return; 3761 } 3762 3763 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3764 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3765 sppp_open_event(&ipv6cp, sp); 3766 } 3767 3768 static void 3769 sppp_ipv6cp_close(struct sppp *sp) 3770 { 3771 3772 KASSERT(SPPP_WLOCKED(sp)); 3773 sppp_close_event(&ipv6cp, sp); 3774 } 3775 3776 static void 3777 sppp_ipv6cp_TO(void *cookie) 3778 { 3779 struct sppp *sp = cookie; 3780 3781 SPPP_LOCK(sp, RW_WRITER); 3782 sppp_to_event(&ipv6cp, sp); 3783 SPPP_UNLOCK(sp); 3784 } 3785 3786 /* 3787 * Analyze a configure request. Return true if it was agreeable, and 3788 * caused action sca, false if it has been rejected or nak'ed, and 3789 * caused action scn. (The return value is used to make the state 3790 * transition decision in the state automaton.) 3791 */ 3792 static int 3793 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3794 { 3795 u_char *buf, *r, *p, l, blen; 3796 struct ifnet *ifp = &sp->pp_if; 3797 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3798 struct in6_addr myaddr, desiredaddr, suggestaddr; 3799 int ifidcount; 3800 int type; 3801 int collision, nohisaddr; 3802 char ip6buf[INET6_ADDRSTRLEN]; 3803 3804 KASSERT(SPPP_WLOCKED(sp)); 3805 3806 len -= 4; 3807 origlen = len; 3808 /* 3809 * Make sure to allocate a buf that can at least hold a 3810 * conf-nak with an `address' option. We might need it below. 3811 */ 3812 blen = len < 6 ? 6 : len; 3813 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3814 if (! buf) 3815 return (0); 3816 3817 /* pass 1: see if we can recognize them */ 3818 if (debug) 3819 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 3820 ifp->if_xname); 3821 p = (void *)(h + 1); 3822 ifidcount = 0; 3823 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3824 /* Sanity check option length */ 3825 if (l > len) { 3826 /* XXX just RXJ? */ 3827 addlog("%s: received malicious IPCPv6 option, " 3828 "dropping\n", ifp->if_xname); 3829 goto drop; 3830 } 3831 if (debug) 3832 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3833 switch (*p) { 3834 case IPV6CP_OPT_IFID: 3835 if (len >= 10 && l == 10 && ifidcount == 0) { 3836 /* correctly formed address option */ 3837 ifidcount++; 3838 continue; 3839 } 3840 if (debug) 3841 addlog(" [invalid]"); 3842 break; 3843 #ifdef notyet 3844 case IPV6CP_OPT_COMPRESSION: 3845 if (len >= 4 && l >= 4) { 3846 /* correctly formed compress option */ 3847 continue; 3848 } 3849 if (debug) 3850 addlog(" [invalid]"); 3851 break; 3852 #endif 3853 default: 3854 /* Others not supported. */ 3855 if (debug) 3856 addlog(" [rej]"); 3857 break; 3858 } 3859 if (rlen + l > blen) { 3860 if (debug) 3861 addlog(" [overflow]"); 3862 continue; 3863 } 3864 /* Add the option to rejected list. */ 3865 memcpy(r, p, l); 3866 r += l; 3867 rlen += l; 3868 } 3869 if (rlen) { 3870 if (debug) 3871 addlog(" send conf-rej\n"); 3872 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3873 goto end; 3874 } else if (debug) 3875 addlog("\n"); 3876 3877 /* pass 2: parse option values */ 3878 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3879 if (debug) 3880 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 3881 ifp->if_xname); 3882 p = (void *)(h + 1); 3883 len = origlen; 3884 type = CONF_ACK; 3885 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3886 if (debug) 3887 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3888 switch (*p) { 3889 #ifdef notyet 3890 case IPV6CP_OPT_COMPRESSION: 3891 continue; 3892 #endif 3893 case IPV6CP_OPT_IFID: 3894 memset(&desiredaddr, 0, sizeof(desiredaddr)); 3895 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 3896 collision = (memcmp(&desiredaddr.s6_addr[8], 3897 &myaddr.s6_addr[8], 8) == 0); 3898 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3899 3900 desiredaddr.s6_addr16[0] = htons(0xfe80); 3901 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 3902 3903 if (!collision && !nohisaddr) { 3904 /* no collision, hisaddr known - Conf-Ack */ 3905 type = CONF_ACK; 3906 3907 if (debug) { 3908 addlog(" %s [%s]", 3909 IN6_PRINT(ip6buf, &desiredaddr), 3910 sppp_cp_type_name(type)); 3911 } 3912 continue; 3913 } 3914 3915 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3916 if (collision && nohisaddr) { 3917 /* collision, hisaddr unknown - Conf-Rej */ 3918 type = CONF_REJ; 3919 memset(&p[2], 0, 8); 3920 } else { 3921 /* 3922 * - no collision, hisaddr unknown, or 3923 * - collision, hisaddr known 3924 * Conf-Nak, suggest hisaddr 3925 */ 3926 type = CONF_NAK; 3927 sppp_suggest_ip6_addr(sp, &suggestaddr); 3928 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 3929 } 3930 if (debug) 3931 addlog(" %s [%s]", IN6_PRINT(ip6buf, &desiredaddr), 3932 sppp_cp_type_name(type)); 3933 break; 3934 } 3935 if (rlen + l > blen) { 3936 if (debug) 3937 addlog(" [overflow]"); 3938 continue; 3939 } 3940 /* Add the option to nak'ed list. */ 3941 memcpy(r, p, l); 3942 r += l; 3943 rlen += l; 3944 } 3945 3946 if (rlen == 0 && type == CONF_ACK) { 3947 if (debug) 3948 addlog(" send %s\n", sppp_cp_type_name(type)); 3949 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1); 3950 } else { 3951 #ifdef notdef 3952 if (type == CONF_ACK) 3953 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3954 #endif 3955 3956 if (debug) { 3957 addlog(" send %s suggest %s\n", 3958 sppp_cp_type_name(type), IN6_PRINT(ip6buf, &suggestaddr)); 3959 } 3960 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3961 } 3962 3963 end: 3964 free(buf, M_TEMP); 3965 return (rlen == 0); 3966 3967 drop: 3968 free(buf, M_TEMP); 3969 return -1; 3970 } 3971 3972 /* 3973 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3974 * negotiation. 3975 */ 3976 static void 3977 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3978 { 3979 u_char *buf, *p, l, blen; 3980 struct ifnet *ifp = &sp->pp_if; 3981 int debug = ifp->if_flags & IFF_DEBUG; 3982 3983 KASSERT(SPPP_WLOCKED(sp)); 3984 3985 len -= 4; 3986 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3987 if (!buf) 3988 return; 3989 3990 if (debug) 3991 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 3992 ifp->if_xname); 3993 3994 p = (void *)(h + 1); 3995 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3996 if (l > len) { 3997 /* XXX just RXJ? */ 3998 addlog("%s: received malicious IPCPv6 option, " 3999 "dropping\n", ifp->if_xname); 4000 goto drop; 4001 } 4002 if (debug) 4003 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 4004 switch (*p) { 4005 case IPV6CP_OPT_IFID: 4006 /* 4007 * Peer doesn't grok address option. This is 4008 * bad. XXX Should we better give up here? 4009 */ 4010 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 4011 break; 4012 #ifdef notyet 4013 case IPV6CP_OPT_COMPRESS: 4014 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 4015 break; 4016 #endif 4017 } 4018 } 4019 if (debug) 4020 addlog("\n"); 4021 drop: 4022 free(buf, M_TEMP); 4023 return; 4024 } 4025 4026 /* 4027 * Analyze the IPv6CP Configure-NAK option list, and adjust our 4028 * negotiation. 4029 */ 4030 static void 4031 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 4032 { 4033 u_char *buf, *p, l, blen; 4034 struct ifnet *ifp = &sp->pp_if; 4035 int debug = ifp->if_flags & IFF_DEBUG; 4036 struct in6_addr suggestaddr; 4037 char ip6buf[INET6_ADDRSTRLEN]; 4038 4039 KASSERT(SPPP_WLOCKED(sp)); 4040 4041 len -= 4; 4042 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 4043 if (!buf) 4044 return; 4045 4046 if (debug) 4047 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 4048 ifp->if_xname); 4049 4050 p = (void *)(h + 1); 4051 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 4052 if (l > len) { 4053 /* XXX just RXJ? */ 4054 addlog("%s: received malicious IPCPv6 option, " 4055 "dropping\n", ifp->if_xname); 4056 goto drop; 4057 } 4058 if (debug) 4059 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 4060 switch (*p) { 4061 case IPV6CP_OPT_IFID: 4062 /* 4063 * Peer doesn't like our local ifid. See 4064 * if we can do something for him. We'll drop 4065 * him our address then. 4066 */ 4067 if (len < 10 || l != 10) 4068 break; 4069 memset(&suggestaddr, 0, sizeof(suggestaddr)); 4070 suggestaddr.s6_addr16[0] = htons(0xfe80); 4071 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 4072 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 4073 4074 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 4075 if (debug) 4076 addlog(" [suggestaddr %s]", 4077 IN6_PRINT(ip6buf, &suggestaddr)); 4078 #ifdef IPV6CP_MYIFID_DYN 4079 /* 4080 * When doing dynamic address assignment, 4081 * we accept his offer. 4082 */ 4083 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 4084 struct in6_addr lastsuggest; 4085 /* 4086 * If <suggested myaddr from peer> equals to 4087 * <hisaddr we have suggested last time>, 4088 * we have a collision. generate new random 4089 * ifid. 4090 */ 4091 sppp_suggest_ip6_addr(&lastsuggest); 4092 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 4093 lastsuggest)) { 4094 if (debug) 4095 addlog(" [random]"); 4096 sppp_gen_ip6_addr(sp, &suggestaddr); 4097 } 4098 sppp_set_ip6_addr(sp, &suggestaddr, 0); 4099 if (debug) 4100 addlog(" [agree]"); 4101 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 4102 } 4103 #else 4104 /* 4105 * Since we do not do dynamic address assignment, 4106 * we ignore it and thus continue to negotiate 4107 * our already existing value. This can possibly 4108 * go into infinite request-reject loop. 4109 * 4110 * This is not likely because we normally use 4111 * ifid based on MAC-address. 4112 * If you have no ethernet card on the node, too bad. 4113 * XXX should we use fail_counter? 4114 */ 4115 #endif 4116 break; 4117 #ifdef notyet 4118 case IPV6CP_OPT_COMPRESS: 4119 /* 4120 * Peer wants different compression parameters. 4121 */ 4122 break; 4123 #endif 4124 } 4125 } 4126 if (debug) 4127 addlog("\n"); 4128 drop: 4129 free(buf, M_TEMP); 4130 return; 4131 } 4132 4133 static void 4134 sppp_ipv6cp_tlu(struct sppp *sp) 4135 { 4136 4137 KASSERT(SPPP_WLOCKED(sp)); 4138 /* we are up - notify isdn daemon */ 4139 sppp_notify_con_wlocked(sp); 4140 } 4141 4142 static void 4143 sppp_ipv6cp_tld(struct sppp *sp) 4144 { 4145 4146 KASSERT(SPPP_WLOCKED(sp)); 4147 } 4148 4149 static void 4150 sppp_ipv6cp_tls(struct sppp *sp) 4151 { 4152 4153 KASSERT(SPPP_WLOCKED(sp)); 4154 /* indicate to LCP that it must stay alive */ 4155 sp->lcp.protos |= (1 << IDX_IPV6CP); 4156 } 4157 4158 static void 4159 sppp_ipv6cp_tlf(struct sppp *sp) 4160 { 4161 4162 KASSERT(SPPP_WLOCKED(sp)); 4163 /* we no longer need LCP */ 4164 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 4165 } 4166 4167 static void 4168 sppp_ipv6cp_scr(struct sppp *sp) 4169 { 4170 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 4171 struct in6_addr ouraddr; 4172 int i = 0; 4173 4174 KASSERT(SPPP_WLOCKED(sp)); 4175 4176 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 4177 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 4178 opt[i++] = IPV6CP_OPT_IFID; 4179 opt[i++] = 10; 4180 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 4181 i += 8; 4182 } 4183 4184 #ifdef notyet 4185 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 4186 opt[i++] = IPV6CP_OPT_COMPRESSION; 4187 opt[i++] = 4; 4188 opt[i++] = 0; /* TBD */ 4189 opt[i++] = 0; /* TBD */ 4190 /* variable length data may follow */ 4191 } 4192 #endif 4193 4194 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 4195 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 4196 } 4197 #else /*INET6*/ 4198 static void 4199 sppp_ipv6cp_init(struct sppp *sp) 4200 { 4201 4202 KASSERT(SPPP_WLOCKED(sp)); 4203 } 4204 4205 static void 4206 sppp_ipv6cp_up(struct sppp *sp) 4207 { 4208 4209 KASSERT(SPPP_WLOCKED(sp)); 4210 } 4211 4212 static void 4213 sppp_ipv6cp_down(struct sppp *sp) 4214 { 4215 4216 KASSERT(SPPP_WLOCKED(sp)); 4217 } 4218 4219 static void 4220 sppp_ipv6cp_open(struct sppp *sp) 4221 { 4222 4223 KASSERT(SPPP_WLOCKED(sp)); 4224 } 4225 4226 static void 4227 sppp_ipv6cp_close(struct sppp *sp) 4228 { 4229 4230 KASSERT(SPPP_WLOCKED(sp)); 4231 } 4232 4233 static void 4234 sppp_ipv6cp_TO(void *cookie) 4235 { 4236 struct sppp *sp __diagused = cookie; 4237 4238 KASSERT(SPPP_WLOCKED(sp)); 4239 } 4240 4241 static int 4242 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, 4243 int len) 4244 { 4245 4246 KASSERT(SPPP_WLOCKED(sp)); 4247 return 0; 4248 } 4249 4250 static void 4251 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, 4252 int len) 4253 { 4254 4255 KASSERT(SPPP_WLOCKED(sp)); 4256 } 4257 4258 static void 4259 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, 4260 int len) 4261 { 4262 4263 KASSERT(SPPP_WLOCKED(sp)); 4264 } 4265 4266 static void 4267 sppp_ipv6cp_tlu(struct sppp *sp) 4268 { 4269 4270 KASSERT(SPPP_WLOCKED(sp)); 4271 } 4272 4273 static void 4274 sppp_ipv6cp_tld(struct sppp *sp) 4275 { 4276 4277 KASSERT(SPPP_WLOCKED(sp)); 4278 } 4279 4280 static void 4281 sppp_ipv6cp_tls(struct sppp *sp) 4282 { 4283 4284 KASSERT(SPPP_WLOCKED(sp)); 4285 } 4286 4287 static void 4288 sppp_ipv6cp_tlf(struct sppp *sp) 4289 { 4290 4291 KASSERT(SPPP_WLOCKED(sp)); 4292 } 4293 4294 static void 4295 sppp_ipv6cp_scr(struct sppp *sp) 4296 { 4297 4298 KASSERT(SPPP_WLOCKED(sp)); 4299 } 4300 #endif /*INET6*/ 4301 4302 4303 /* 4304 *--------------------------------------------------------------------------* 4305 * * 4306 * The CHAP implementation. * 4307 * * 4308 *--------------------------------------------------------------------------* 4309 */ 4310 4311 /* 4312 * The authentication protocols don't employ a full-fledged state machine as 4313 * the control protocols do, since they do have Open and Close events, but 4314 * not Up and Down, nor are they explicitly terminated. Also, use of the 4315 * authentication protocols may be different in both directions (this makes 4316 * sense, think of a machine that never accepts incoming calls but only 4317 * calls out, it doesn't require the called party to authenticate itself). 4318 * 4319 * Our state machine for the local authentication protocol (we are requesting 4320 * the peer to authenticate) looks like: 4321 * 4322 * RCA- 4323 * +--------------------------------------------+ 4324 * V scn,tld| 4325 * +--------+ Close +---------+ RCA+ 4326 * | |<----------------------------------| |------+ 4327 * +--->| Closed | TO* | Opened | sca | 4328 * | | |-----+ +-------| |<-----+ 4329 * | +--------+ irc | | +---------+ 4330 * | ^ | | ^ 4331 * | | | | | 4332 * | | | | | 4333 * | TO-| | | | 4334 * | |tld TO+ V | | 4335 * | | +------->+ | | 4336 * | | | | | | 4337 * | +--------+ V | | 4338 * | | |<----+<--------------------+ | 4339 * | | Req- | scr | 4340 * | | Sent | | 4341 * | | | | 4342 * | +--------+ | 4343 * | RCA- | | RCA+ | 4344 * +------+ +------------------------------------------+ 4345 * scn,tld sca,irc,ict,tlu 4346 * 4347 * 4348 * with: 4349 * 4350 * Open: LCP reached authentication phase 4351 * Close: LCP reached terminate phase 4352 * 4353 * RCA+: received reply (pap-req, chap-response), acceptable 4354 * RCN: received reply (pap-req, chap-response), not acceptable 4355 * TO+: timeout with restart counter >= 0 4356 * TO-: timeout with restart counter < 0 4357 * TO*: reschedule timeout for CHAP 4358 * 4359 * scr: send request packet (none for PAP, chap-challenge) 4360 * sca: send ack packet (pap-ack, chap-success) 4361 * scn: send nak packet (pap-nak, chap-failure) 4362 * ict: initialize re-challenge timer (CHAP only) 4363 * 4364 * tlu: this-layer-up, LCP reaches network phase 4365 * tld: this-layer-down, LCP enters terminate phase 4366 * 4367 * Note that in CHAP mode, after sending a new challenge, while the state 4368 * automaton falls back into Req-Sent state, it doesn't signal a tld 4369 * event to LCP, so LCP remains in network phase. Only after not getting 4370 * any response (or after getting an unacceptable response), CHAP closes, 4371 * causing LCP to enter terminate phase. 4372 * 4373 * With PAP, there is no initial request that can be sent. The peer is 4374 * expected to send one based on the successful negotiation of PAP as 4375 * the authentication protocol during the LCP option negotiation. 4376 * 4377 * Incoming authentication protocol requests (remote requests 4378 * authentication, we are peer) don't employ a state machine at all, 4379 * they are simply answered. Some peers [Ascend P50 firmware rev 4380 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are 4381 * still in authentication phase (thereby violating the standard that 4382 * demands that these NCP packets are to be discarded), so we keep 4383 * track of the peer demanding us to authenticate, and only proceed to 4384 * phase network once we've seen a positive acknowledge for the 4385 * authentication. 4386 */ 4387 4388 /* 4389 * Handle incoming CHAP packets. 4390 */ 4391 void 4392 sppp_chap_input(struct sppp *sp, struct mbuf *m) 4393 { 4394 STDDCL; 4395 struct lcp_header *h; 4396 int len, x; 4397 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize; 4398 int value_len, name_len; 4399 MD5_CTX ctx; 4400 4401 len = m->m_pkthdr.len; 4402 if (len < 4) { 4403 if (debug) 4404 log(LOG_DEBUG, 4405 "%s: chap invalid packet length: %d bytes\n", 4406 ifp->if_xname, len); 4407 return; 4408 } 4409 h = mtod(m, struct lcp_header *); 4410 if (len > ntohs(h->len)) 4411 len = ntohs(h->len); 4412 4413 SPPP_LOCK(sp, RW_WRITER); 4414 4415 switch (h->type) { 4416 /* challenge, failure and success are his authproto */ 4417 case CHAP_CHALLENGE: 4418 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4419 /* can't do anything useful */ 4420 sp->pp_auth_failures++; 4421 printf("%s: chap input without my name and my secret being set\n", 4422 ifp->if_xname); 4423 break; 4424 } 4425 value = 1 + (u_char *)(h + 1); 4426 value_len = value[-1]; 4427 name = value + value_len; 4428 name_len = len - value_len - 5; 4429 if (name_len < 0) { 4430 if (debug) { 4431 log(LOG_DEBUG, 4432 "%s: chap corrupted challenge " 4433 "<%s id=0x%x len=%d", 4434 ifp->if_xname, 4435 sppp_auth_type_name(PPP_CHAP, h->type), 4436 h->ident, ntohs(h->len)); 4437 if (len > 4) 4438 sppp_print_bytes((u_char *)(h + 1), 4439 len - 4); 4440 addlog(">\n"); 4441 } 4442 break; 4443 } 4444 4445 if (debug) { 4446 log(LOG_DEBUG, 4447 "%s: chap input <%s id=0x%x len=%d name=", 4448 ifp->if_xname, 4449 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 4450 ntohs(h->len)); 4451 sppp_print_string((char *) name, name_len); 4452 addlog(" value-size=%d value=", value_len); 4453 sppp_print_bytes(value, value_len); 4454 addlog(">\n"); 4455 } 4456 4457 /* Compute reply value. */ 4458 MD5Init(&ctx); 4459 MD5Update(&ctx, &h->ident, 1); 4460 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 4461 MD5Update(&ctx, value, value_len); 4462 MD5Final(digest, &ctx); 4463 dsize = sizeof digest; 4464 4465 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 4466 sizeof dsize, (const char *)&dsize, 4467 sizeof digest, digest, 4468 sp->myauth.name_len, 4469 sp->myauth.name, 4470 0); 4471 break; 4472 4473 case CHAP_SUCCESS: 4474 if (debug) { 4475 log(LOG_DEBUG, "%s: chap success", 4476 ifp->if_xname); 4477 if (len > 4) { 4478 addlog(": "); 4479 sppp_print_string((char *)(h + 1), len - 4); 4480 } 4481 addlog("\n"); 4482 } 4483 x = splnet(); 4484 sp->pp_auth_failures = 0; 4485 sp->pp_flags &= ~PP_NEEDAUTH; 4486 if (sp->myauth.proto == PPP_CHAP && 4487 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4488 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 4489 /* 4490 * We are authenticator for CHAP but didn't 4491 * complete yet. Leave it to tlu to proceed 4492 * to network phase. 4493 */ 4494 splx(x); 4495 break; 4496 } 4497 splx(x); 4498 sppp_phase_network(sp); 4499 break; 4500 4501 case CHAP_FAILURE: 4502 x = splnet(); 4503 sp->pp_auth_failures++; 4504 splx(x); 4505 if (debug) { 4506 log(LOG_INFO, "%s: chap failure", 4507 ifp->if_xname); 4508 if (len > 4) { 4509 addlog(": "); 4510 sppp_print_string((char *)(h + 1), len - 4); 4511 } 4512 addlog("\n"); 4513 } else 4514 log(LOG_INFO, "%s: chap failure\n", 4515 ifp->if_xname); 4516 /* await LCP shutdown by authenticator */ 4517 break; 4518 4519 /* response is my authproto */ 4520 case CHAP_RESPONSE: 4521 if (sp->hisauth.secret == NULL) { 4522 /* can't do anything useful */ 4523 printf("%s: chap input without his secret being set\n", 4524 ifp->if_xname); 4525 break; 4526 } 4527 value = 1 + (u_char *)(h + 1); 4528 value_len = value[-1]; 4529 name = value + value_len; 4530 name_len = len - value_len - 5; 4531 if (name_len < 0) { 4532 if (debug) { 4533 log(LOG_DEBUG, 4534 "%s: chap corrupted response " 4535 "<%s id=0x%x len=%d", 4536 ifp->if_xname, 4537 sppp_auth_type_name(PPP_CHAP, h->type), 4538 h->ident, ntohs(h->len)); 4539 if (len > 4) 4540 sppp_print_bytes((u_char *)(h + 1), 4541 len - 4); 4542 addlog(">\n"); 4543 } 4544 break; 4545 } 4546 if (h->ident != sp->confid[IDX_CHAP]) { 4547 if (debug) 4548 log(LOG_DEBUG, 4549 "%s: chap dropping response for old ID " 4550 "(got %d, expected %d)\n", 4551 ifp->if_xname, 4552 h->ident, sp->confid[IDX_CHAP]); 4553 break; 4554 } 4555 if (sp->hisauth.name != NULL && 4556 (name_len != sp->hisauth.name_len 4557 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 4558 log(LOG_INFO, "%s: chap response, his name ", 4559 ifp->if_xname); 4560 sppp_print_string(name, name_len); 4561 addlog(" != expected "); 4562 sppp_print_string(sp->hisauth.name, 4563 sp->hisauth.name_len); 4564 addlog("\n"); 4565 goto chap_failure; 4566 } 4567 if (debug) { 4568 log(LOG_DEBUG, "%s: chap input(%s) " 4569 "<%s id=0x%x len=%d name=", 4570 ifp->if_xname, 4571 sppp_state_name(sp->state[IDX_CHAP]), 4572 sppp_auth_type_name(PPP_CHAP, h->type), 4573 h->ident, ntohs(h->len)); 4574 sppp_print_string((char *)name, name_len); 4575 addlog(" value-size=%d value=", value_len); 4576 sppp_print_bytes(value, value_len); 4577 addlog(">\n"); 4578 } 4579 if (value_len != sizeof(sp->hisauth.challenge)) { 4580 if (debug) 4581 log(LOG_DEBUG, 4582 "%s: chap bad hash value length: " 4583 "%d bytes, should be %zu\n", 4584 ifp->if_xname, value_len, 4585 sizeof(sp->hisauth.challenge)); 4586 goto chap_failure; 4587 } 4588 4589 MD5Init(&ctx); 4590 MD5Update(&ctx, &h->ident, 1); 4591 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 4592 MD5Update(&ctx, sp->hisauth.challenge, sizeof(sp->hisauth.challenge)); 4593 MD5Final(digest, &ctx); 4594 4595 #define FAILMSG "Failed..." 4596 #define SUCCMSG "Welcome!" 4597 4598 if (value_len != sizeof digest || 4599 memcmp(digest, value, value_len) != 0) { 4600 chap_failure: 4601 KASSERT(SPPP_WLOCKED(sp)); 4602 /* action scn, tld */ 4603 sp->pp_auth_failures++; 4604 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4605 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4606 0); 4607 chap.tld(sp); 4608 break; 4609 } 4610 sp->pp_auth_failures = 0; 4611 /* action sca, perhaps tlu */ 4612 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4613 sp->state[IDX_CHAP] == STATE_OPENED) 4614 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4615 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4616 0); 4617 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4618 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4619 chap.tlu(sp); 4620 } 4621 break; 4622 4623 default: 4624 /* Unknown CHAP packet type -- ignore. */ 4625 if (debug) { 4626 log(LOG_DEBUG, "%s: chap unknown input(%s) " 4627 "<0x%x id=0x%xh len=%d", 4628 ifp->if_xname, 4629 sppp_state_name(sp->state[IDX_CHAP]), 4630 h->type, h->ident, ntohs(h->len)); 4631 if (len > 4) 4632 sppp_print_bytes((u_char *)(h + 1), len - 4); 4633 addlog(">\n"); 4634 } 4635 break; 4636 4637 } 4638 4639 SPPP_UNLOCK(sp); 4640 } 4641 4642 static void 4643 sppp_chap_init(struct sppp *sp) 4644 { 4645 4646 KASSERT(SPPP_WLOCKED(sp)); 4647 4648 /* Chap doesn't have STATE_INITIAL at all. */ 4649 sp->state[IDX_CHAP] = STATE_CLOSED; 4650 sp->fail_counter[IDX_CHAP] = 0; 4651 sp->pp_seq[IDX_CHAP] = 0; 4652 sp->pp_rseq[IDX_CHAP] = 0; 4653 callout_init(&sp->ch[IDX_CHAP], CALLOUT_MPSAFE); 4654 } 4655 4656 static void 4657 sppp_chap_open(struct sppp *sp) 4658 { 4659 4660 KASSERT(SPPP_WLOCKED(sp)); 4661 if (sp->hisauth.proto == PPP_CHAP && 4662 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4663 /* we are authenticator for CHAP, start it */ 4664 chap.scr(sp); 4665 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4666 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4667 } 4668 /* nothing to be done if we are peer, await a challenge */ 4669 } 4670 4671 static void 4672 sppp_chap_close(struct sppp *sp) 4673 { 4674 4675 KASSERT(SPPP_WLOCKED(sp)); 4676 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4677 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4678 } 4679 4680 static void 4681 sppp_chap_TO(void *cookie) 4682 { 4683 struct sppp *sp = (struct sppp *)cookie; 4684 STDDCL; 4685 int s; 4686 4687 s = splnet(); 4688 4689 SPPP_LOCK(sp, RW_WRITER); 4690 4691 if (debug) 4692 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n", 4693 ifp->if_xname, 4694 sppp_state_name(sp->state[IDX_CHAP]), 4695 sp->rst_counter[IDX_CHAP]); 4696 4697 if (--sp->rst_counter[IDX_CHAP] < 0) 4698 /* TO- event */ 4699 switch (sp->state[IDX_CHAP]) { 4700 case STATE_REQ_SENT: 4701 chap.tld(sp); 4702 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4703 break; 4704 } 4705 else 4706 /* TO+ (or TO*) event */ 4707 switch (sp->state[IDX_CHAP]) { 4708 case STATE_OPENED: 4709 /* TO* event */ 4710 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4711 /* fall through */ 4712 case STATE_REQ_SENT: 4713 chap.scr(sp); 4714 /* sppp_cp_change_state() will restart the timer */ 4715 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4716 break; 4717 } 4718 4719 SPPP_UNLOCK(sp); 4720 splx(s); 4721 } 4722 4723 static void 4724 sppp_chap_tlu(struct sppp *sp) 4725 { 4726 STDDCL; 4727 int i, x; 4728 4729 KASSERT(SPPP_WLOCKED(sp)); 4730 4731 i = 0; 4732 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4733 4734 /* 4735 * Some broken CHAP implementations (Conware CoNet, firmware 4736 * 4.0.?) don't want to re-authenticate their CHAP once the 4737 * initial challenge-response exchange has taken place. 4738 * Provide for an option to avoid rechallenges. 4739 */ 4740 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 4741 /* 4742 * Compute the re-challenge timeout. This will yield 4743 * a number between 300 and 810 seconds. 4744 */ 4745 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7); 4746 4747 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp); 4748 } 4749 4750 if (debug) { 4751 log(LOG_DEBUG, 4752 "%s: chap %s, ", 4753 ifp->if_xname, 4754 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu"); 4755 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) 4756 addlog("next re-challenge in %d seconds\n", i); 4757 else 4758 addlog("re-challenging suppressed\n"); 4759 } 4760 4761 x = splnet(); 4762 sp->pp_auth_failures = 0; 4763 /* indicate to LCP that we need to be closed down */ 4764 sp->lcp.protos |= (1 << IDX_CHAP); 4765 4766 if (sp->pp_flags & PP_NEEDAUTH) { 4767 /* 4768 * Remote is authenticator, but his auth proto didn't 4769 * complete yet. Defer the transition to network 4770 * phase. 4771 */ 4772 splx(x); 4773 return; 4774 } 4775 splx(x); 4776 4777 /* 4778 * If we are already in phase network, we are done here. This 4779 * is the case if this is a dummy tlu event after a re-challenge. 4780 */ 4781 if (sp->pp_phase != SPPP_PHASE_NETWORK) 4782 sppp_phase_network(sp); 4783 } 4784 4785 static void 4786 sppp_chap_tld(struct sppp *sp) 4787 { 4788 STDDCL; 4789 4790 KASSERT(SPPP_WLOCKED(sp)); 4791 4792 if (debug) 4793 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname); 4794 callout_stop(&sp->ch[IDX_CHAP]); 4795 sp->lcp.protos &= ~(1 << IDX_CHAP); 4796 4797 lcp.Close(sp); 4798 } 4799 4800 static void 4801 sppp_chap_scr(struct sppp *sp) 4802 { 4803 uint32_t *ch; 4804 u_char clen = 4 * sizeof(uint32_t); 4805 4806 KASSERT(SPPP_WLOCKED(sp)); 4807 4808 if (sp->hisauth.name == NULL) { 4809 /* can't do anything useful */ 4810 printf("%s: chap starting without his name being set\n", 4811 sp->pp_if.if_xname); 4812 return; 4813 } 4814 4815 /* Compute random challenge. */ 4816 ch = (uint32_t *)sp->hisauth.challenge; 4817 cprng_strong(kern_cprng, ch, clen, 0); 4818 4819 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4820 4821 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4822 sizeof clen, (const char *)&clen, 4823 sizeof(sp->hisauth.challenge), sp->hisauth.challenge, 4824 0); 4825 } 4826 4827 /* 4828 *--------------------------------------------------------------------------* 4829 * * 4830 * The PAP implementation. * 4831 * * 4832 *--------------------------------------------------------------------------* 4833 */ 4834 /* 4835 * For PAP, we need to keep a little state also if we are the peer, not the 4836 * authenticator. This is since we don't get a request to authenticate, but 4837 * have to repeatedly authenticate ourself until we got a response (or the 4838 * retry counter is expired). 4839 */ 4840 4841 /* 4842 * Handle incoming PAP packets. */ 4843 static void 4844 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4845 { 4846 STDDCL; 4847 struct lcp_header *h; 4848 int len, x; 4849 u_char mlen; 4850 char *name, *secret; 4851 int name_len, secret_len; 4852 4853 /* 4854 * Malicious input might leave this uninitialized, so 4855 * init to an impossible value. 4856 */ 4857 secret_len = -1; 4858 4859 len = m->m_pkthdr.len; 4860 if (len < 5) { 4861 if (debug) 4862 log(LOG_DEBUG, 4863 "%s: pap invalid packet length: %d bytes\n", 4864 ifp->if_xname, len); 4865 return; 4866 } 4867 h = mtod(m, struct lcp_header *); 4868 if (len > ntohs(h->len)) 4869 len = ntohs(h->len); 4870 4871 SPPP_LOCK(sp, RW_WRITER); 4872 4873 switch (h->type) { 4874 /* PAP request is my authproto */ 4875 case PAP_REQ: 4876 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4877 /* can't do anything useful */ 4878 printf("%s: " 4879 "pap request without his name and his secret being set\n", 4880 ifp->if_xname); 4881 break; 4882 } 4883 name = 1 + (u_char *)(h + 1); 4884 name_len = name[-1]; 4885 secret = name + name_len + 1; 4886 if (name_len > len - 6 || 4887 (secret_len = secret[-1]) > len - 6 - name_len) { 4888 if (debug) { 4889 log(LOG_DEBUG, "%s: pap corrupted input " 4890 "<%s id=0x%x len=%d", 4891 ifp->if_xname, 4892 sppp_auth_type_name(PPP_PAP, h->type), 4893 h->ident, ntohs(h->len)); 4894 if (len > 4) 4895 sppp_print_bytes((u_char *)(h + 1), 4896 len - 4); 4897 addlog(">\n"); 4898 } 4899 break; 4900 } 4901 if (debug) { 4902 log(LOG_DEBUG, "%s: pap input(%s) " 4903 "<%s id=0x%x len=%d name=", 4904 ifp->if_xname, 4905 sppp_state_name(sp->state[IDX_PAP]), 4906 sppp_auth_type_name(PPP_PAP, h->type), 4907 h->ident, ntohs(h->len)); 4908 sppp_print_string((char *)name, name_len); 4909 addlog(" secret="); 4910 sppp_print_string((char *)secret, secret_len); 4911 addlog(">\n"); 4912 } 4913 if (name_len != sp->hisauth.name_len || 4914 secret_len != sp->hisauth.secret_len || 4915 memcmp(name, sp->hisauth.name, name_len) != 0 || 4916 memcmp(secret, sp->hisauth.secret, secret_len) != 0) { 4917 /* action scn, tld */ 4918 sp->pp_auth_failures++; 4919 mlen = sizeof(FAILMSG) - 1; 4920 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4921 sizeof mlen, (const char *)&mlen, 4922 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4923 0); 4924 pap.tld(sp); 4925 break; 4926 } 4927 /* action sca, perhaps tlu */ 4928 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4929 sp->state[IDX_PAP] == STATE_OPENED) { 4930 mlen = sizeof(SUCCMSG) - 1; 4931 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4932 sizeof mlen, (const char *)&mlen, 4933 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4934 0); 4935 } 4936 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4937 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4938 pap.tlu(sp); 4939 } 4940 break; 4941 4942 /* ack and nak are his authproto */ 4943 case PAP_ACK: 4944 callout_stop(&sp->pap_my_to_ch); 4945 if (debug) { 4946 log(LOG_DEBUG, "%s: pap success", 4947 ifp->if_xname); 4948 name = 1 + (u_char *)(h + 1); 4949 name_len = name[-1]; 4950 if (len > 5 && name_len < len+4) { 4951 addlog(": "); 4952 sppp_print_string(name, name_len); 4953 } 4954 addlog("\n"); 4955 } 4956 x = splnet(); 4957 sp->pp_auth_failures = 0; 4958 sp->pp_flags &= ~PP_NEEDAUTH; 4959 if (sp->myauth.proto == PPP_PAP && 4960 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4961 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4962 /* 4963 * We are authenticator for PAP but didn't 4964 * complete yet. Leave it to tlu to proceed 4965 * to network phase. 4966 */ 4967 splx(x); 4968 break; 4969 } 4970 splx(x); 4971 sppp_phase_network(sp); 4972 break; 4973 4974 case PAP_NAK: 4975 callout_stop(&sp->pap_my_to_ch); 4976 sp->pp_auth_failures++; 4977 if (debug) { 4978 log(LOG_INFO, "%s: pap failure", 4979 ifp->if_xname); 4980 name = 1 + (u_char *)(h + 1); 4981 name_len = name[-1]; 4982 if (len > 5 && name_len < len+4) { 4983 addlog(": "); 4984 sppp_print_string(name, name_len); 4985 } 4986 addlog("\n"); 4987 } else 4988 log(LOG_INFO, "%s: pap failure\n", 4989 ifp->if_xname); 4990 /* await LCP shutdown by authenticator */ 4991 break; 4992 4993 default: 4994 /* Unknown PAP packet type -- ignore. */ 4995 if (debug) { 4996 log(LOG_DEBUG, "%s: pap corrupted input " 4997 "<0x%x id=0x%x len=%d", 4998 ifp->if_xname, 4999 h->type, h->ident, ntohs(h->len)); 5000 if (len > 4) 5001 sppp_print_bytes((u_char *)(h + 1), len - 4); 5002 addlog(">\n"); 5003 } 5004 break; 5005 } 5006 5007 SPPP_UNLOCK(sp); 5008 } 5009 5010 static void 5011 sppp_pap_init(struct sppp *sp) 5012 { 5013 5014 KASSERT(SPPP_WLOCKED(sp)); 5015 5016 /* PAP doesn't have STATE_INITIAL at all. */ 5017 sp->state[IDX_PAP] = STATE_CLOSED; 5018 sp->fail_counter[IDX_PAP] = 0; 5019 sp->pp_seq[IDX_PAP] = 0; 5020 sp->pp_rseq[IDX_PAP] = 0; 5021 callout_init(&sp->ch[IDX_PAP], CALLOUT_MPSAFE); 5022 callout_init(&sp->pap_my_to_ch, CALLOUT_MPSAFE); 5023 } 5024 5025 static void 5026 sppp_pap_open(struct sppp *sp) 5027 { 5028 5029 KASSERT(SPPP_WLOCKED(sp)); 5030 5031 if (sp->hisauth.proto == PPP_PAP && 5032 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 5033 /* we are authenticator for PAP, start our timer */ 5034 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 5035 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 5036 } 5037 if (sp->myauth.proto == PPP_PAP) { 5038 /* we are peer, send a request, and start a timer */ 5039 pap.scr(sp); 5040 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout, 5041 sppp_pap_my_TO, sp); 5042 } 5043 } 5044 5045 static void 5046 sppp_pap_close(struct sppp *sp) 5047 { 5048 5049 KASSERT(SPPP_WLOCKED(sp)); 5050 5051 if (sp->state[IDX_PAP] != STATE_CLOSED) 5052 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 5053 } 5054 5055 /* 5056 * That's the timeout routine if we are authenticator. Since the 5057 * authenticator is basically passive in PAP, we can't do much here. 5058 */ 5059 static void 5060 sppp_pap_TO(void *cookie) 5061 { 5062 struct sppp *sp = (struct sppp *)cookie; 5063 STDDCL; 5064 int s; 5065 5066 s = splnet(); 5067 SPPP_LOCK(sp, RW_WRITER); 5068 5069 if (debug) 5070 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n", 5071 ifp->if_xname, 5072 sppp_state_name(sp->state[IDX_PAP]), 5073 sp->rst_counter[IDX_PAP]); 5074 5075 if (--sp->rst_counter[IDX_PAP] < 0) 5076 /* TO- event */ 5077 switch (sp->state[IDX_PAP]) { 5078 case STATE_REQ_SENT: 5079 pap.tld(sp); 5080 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 5081 break; 5082 } 5083 else 5084 /* TO+ event, not very much we could do */ 5085 switch (sp->state[IDX_PAP]) { 5086 case STATE_REQ_SENT: 5087 /* sppp_cp_change_state() will restart the timer */ 5088 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 5089 break; 5090 } 5091 5092 SPPP_UNLOCK(sp); 5093 splx(s); 5094 } 5095 5096 /* 5097 * That's the timeout handler if we are peer. Since the peer is active, 5098 * we need to retransmit our PAP request since it is apparently lost. 5099 * XXX We should impose a max counter. 5100 */ 5101 static void 5102 sppp_pap_my_TO(void *cookie) 5103 { 5104 struct sppp *sp = (struct sppp *)cookie; 5105 STDDCL; 5106 5107 SPPP_LOCK(sp, RW_WRITER); 5108 if (debug) 5109 log(LOG_DEBUG, "%s: pap peer TO\n", 5110 ifp->if_xname); 5111 5112 pap.scr(sp); 5113 5114 SPPP_UNLOCK(sp); 5115 } 5116 5117 static void 5118 sppp_pap_tlu(struct sppp *sp) 5119 { 5120 STDDCL; 5121 int x; 5122 5123 KASSERT(SPPP_WLOCKED(sp)); 5124 5125 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 5126 5127 if (debug) 5128 log(LOG_DEBUG, "%s: %s tlu\n", 5129 ifp->if_xname, pap.name); 5130 5131 x = splnet(); 5132 sp->pp_auth_failures = 0; 5133 /* indicate to LCP that we need to be closed down */ 5134 sp->lcp.protos |= (1 << IDX_PAP); 5135 5136 if (sp->pp_flags & PP_NEEDAUTH) { 5137 /* 5138 * Remote is authenticator, but his auth proto didn't 5139 * complete yet. Defer the transition to network 5140 * phase. 5141 */ 5142 splx(x); 5143 return; 5144 } 5145 splx(x); 5146 sppp_phase_network(sp); 5147 } 5148 5149 static void 5150 sppp_pap_tld(struct sppp *sp) 5151 { 5152 STDDCL; 5153 5154 KASSERT(SPPP_WLOCKED(sp)); 5155 5156 if (debug) 5157 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname); 5158 callout_stop(&sp->ch[IDX_PAP]); 5159 callout_stop(&sp->pap_my_to_ch); 5160 sp->lcp.protos &= ~(1 << IDX_PAP); 5161 5162 lcp.Close(sp); 5163 } 5164 5165 static void 5166 sppp_pap_scr(struct sppp *sp) 5167 { 5168 u_char idlen, pwdlen; 5169 5170 KASSERT(SPPP_WLOCKED(sp)); 5171 5172 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 5173 /* can't do anything useful */ 5174 printf("%s: pap starting without my name and secret being set\n", 5175 sp->pp_if.if_xname); 5176 return; 5177 } 5178 5179 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 5180 pwdlen = sp->myauth.secret_len; 5181 idlen = sp->myauth.name_len; 5182 5183 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 5184 sizeof idlen, (const char *)&idlen, 5185 idlen, sp->myauth.name, 5186 sizeof pwdlen, (const char *)&pwdlen, 5187 pwdlen, sp->myauth.secret, 5188 0); 5189 } 5190 5191 /* 5192 * Random miscellaneous functions. 5193 */ 5194 5195 /* 5196 * Send a PAP or CHAP proto packet. 5197 * 5198 * Varadic function, each of the elements for the ellipsis is of type 5199 * ``size_t mlen, const u_char *msg''. Processing will stop iff 5200 * mlen == 0. 5201 * NOTE: never declare variadic functions with types subject to type 5202 * promotion (i.e. u_char). This is asking for big trouble depending 5203 * on the architecture you are on... 5204 */ 5205 5206 static void 5207 sppp_auth_send(const struct cp *cp, struct sppp *sp, 5208 unsigned int type, unsigned int id, 5209 ...) 5210 { 5211 STDDCL; 5212 struct lcp_header *lh; 5213 struct mbuf *m; 5214 u_char *p; 5215 int len; 5216 size_t pkthdrlen; 5217 unsigned int mlen; 5218 const char *msg; 5219 va_list ap; 5220 5221 KASSERT(SPPP_WLOCKED(sp)); 5222 5223 MGETHDR(m, M_DONTWAIT, MT_DATA); 5224 if (! m) 5225 return; 5226 m_reset_rcvif(m); 5227 5228 if (sp->pp_flags & PP_NOFRAMING) { 5229 *mtod(m, uint16_t *) = htons(cp->proto); 5230 pkthdrlen = 2; 5231 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 5232 } else { 5233 struct ppp_header *h; 5234 h = mtod(m, struct ppp_header *); 5235 h->address = PPP_ALLSTATIONS; /* broadcast address */ 5236 h->control = PPP_UI; /* Unnumbered Info */ 5237 h->protocol = htons(cp->proto); 5238 pkthdrlen = PPP_HEADER_LEN; 5239 5240 lh = (struct lcp_header *)(h + 1); 5241 } 5242 5243 lh->type = type; 5244 lh->ident = id; 5245 p = (u_char *)(lh + 1); 5246 5247 va_start(ap, id); 5248 len = 0; 5249 5250 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 5251 msg = va_arg(ap, const char *); 5252 len += mlen; 5253 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 5254 va_end(ap); 5255 m_freem(m); 5256 return; 5257 } 5258 5259 memcpy(p, msg, mlen); 5260 p += mlen; 5261 } 5262 va_end(ap); 5263 5264 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 5265 lh->len = htons(LCP_HEADER_LEN + len); 5266 5267 if (debug) { 5268 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 5269 ifp->if_xname, cp->name, 5270 sppp_auth_type_name(cp->proto, lh->type), 5271 lh->ident, ntohs(lh->len)); 5272 if (len) 5273 sppp_print_bytes((u_char *)(lh + 1), len); 5274 addlog(">\n"); 5275 } 5276 if (IF_QFULL(&sp->pp_cpq)) { 5277 IF_DROP(&sp->pp_fastq); 5278 IF_DROP(&ifp->if_snd); 5279 m_freem(m); 5280 if_statinc(ifp, if_oerrors); 5281 return; 5282 } 5283 5284 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 5285 IF_ENQUEUE(&sp->pp_cpq, m); 5286 5287 if (! (ifp->if_flags & IFF_OACTIVE)) { 5288 SPPP_UNLOCK(sp); 5289 if_start_lock(ifp); 5290 SPPP_LOCK(sp, RW_WRITER); 5291 } 5292 } 5293 5294 /* 5295 * Send keepalive packets, every 10 seconds. 5296 */ 5297 static void 5298 sppp_keepalive(void *dummy) 5299 { 5300 struct sppp *sp; 5301 int s; 5302 time_t now; 5303 5304 SPPPQ_LOCK(); 5305 5306 s = splnet(); 5307 now = time_uptime; 5308 for (sp=spppq; sp; sp=sp->pp_next) { 5309 struct ifnet *ifp = NULL; 5310 5311 SPPP_LOCK(sp, RW_WRITER); 5312 ifp = &sp->pp_if; 5313 5314 /* check idle timeout */ 5315 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 5316 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 5317 /* idle timeout is enabled for this interface */ 5318 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 5319 if (ifp->if_flags & IFF_DEBUG) 5320 printf("%s: no activity for %lu seconds\n", 5321 sp->pp_if.if_xname, 5322 (unsigned long)(now-sp->pp_last_activity)); 5323 lcp.Close(sp); 5324 SPPP_UNLOCK(sp); 5325 continue; 5326 } 5327 } 5328 5329 /* Keepalive mode disabled or channel down? */ 5330 if (! (sp->pp_flags & PP_KEEPALIVE) || 5331 ! (ifp->if_flags & IFF_RUNNING)) { 5332 SPPP_UNLOCK(sp); 5333 continue; 5334 } 5335 5336 5337 /* No keepalive in PPP mode if LCP not opened yet. */ 5338 if (! (sp->pp_flags & PP_CISCO) && 5339 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) { 5340 SPPP_UNLOCK(sp); 5341 continue; 5342 } 5343 5344 /* No echo reply, but maybe user data passed through? */ 5345 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) { 5346 sp->pp_alivecnt = 0; 5347 SPPP_UNLOCK(sp); 5348 continue; 5349 } 5350 5351 if (sp->pp_alivecnt >= sp->pp_maxalive) { 5352 /* No keepalive packets got. Stop the interface. */ 5353 SPPP_UNLOCK(sp); 5354 if_down (ifp); 5355 SPPP_LOCK(sp, RW_WRITER); 5356 5357 IF_PURGE(&sp->pp_cpq); 5358 5359 if (! (sp->pp_flags & PP_CISCO)) { 5360 printf("%s: LCP keepalive timed out, going to restart the connection\n", 5361 ifp->if_xname); 5362 sp->pp_alivecnt = 0; 5363 5364 /* we are down, close all open protocols */ 5365 lcp.Close(sp); 5366 5367 /* And now prepare LCP to reestablish the link, if configured to do so. */ 5368 sppp_cp_change_state(&lcp, sp, STATE_STOPPED); 5369 5370 /* Close connection immediately, completition of this 5371 * will summon the magic needed to reestablish it. */ 5372 sppp_notify_tlf_wlocked(sp); 5373 5374 SPPP_UNLOCK(sp); 5375 continue; 5376 } 5377 } 5378 if (sp->pp_alivecnt < sp->pp_maxalive) 5379 ++sp->pp_alivecnt; 5380 if (sp->pp_flags & PP_CISCO) 5381 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 5382 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 5383 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 5384 int32_t nmagic = htonl(sp->lcp.magic); 5385 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 5386 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 5387 sp->lcp.echoid, 4, &nmagic); 5388 } 5389 5390 SPPP_UNLOCK(sp); 5391 } 5392 splx(s); 5393 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 5394 5395 SPPPQ_UNLOCK(); 5396 } 5397 5398 #ifdef INET 5399 /* 5400 * Get both IP addresses. 5401 */ 5402 static void 5403 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 5404 { 5405 struct ifnet *ifp = &sp->pp_if; 5406 struct ifaddr *ifa; 5407 struct sockaddr_in *si, *sm; 5408 uint32_t ssrc, ddst; 5409 int s; 5410 struct psref psref; 5411 5412 sm = NULL; 5413 ssrc = ddst = 0; 5414 /* 5415 * Pick the first AF_INET address from the list, 5416 * aliases don't make any sense on a p2p link anyway. 5417 */ 5418 si = 0; 5419 s = pserialize_read_enter(); 5420 IFADDR_READER_FOREACH(ifa, ifp) { 5421 if (ifa->ifa_addr->sa_family == AF_INET) { 5422 si = (struct sockaddr_in *)ifa->ifa_addr; 5423 sm = (struct sockaddr_in *)ifa->ifa_netmask; 5424 if (si) { 5425 ifa_acquire(ifa, &psref); 5426 break; 5427 } 5428 } 5429 } 5430 pserialize_read_exit(s); 5431 if (ifa) { 5432 if (si && si->sin_addr.s_addr) { 5433 ssrc = si->sin_addr.s_addr; 5434 if (srcmask) 5435 *srcmask = ntohl(sm->sin_addr.s_addr); 5436 } 5437 5438 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 5439 if (si && si->sin_addr.s_addr) 5440 ddst = si->sin_addr.s_addr; 5441 ifa_release(ifa, &psref); 5442 } 5443 5444 if (dst) *dst = ntohl(ddst); 5445 if (src) *src = ntohl(ssrc); 5446 } 5447 5448 /* 5449 * Set IP addresses. Must be called at splnet. 5450 * If an address is 0, leave it the way it is. 5451 */ 5452 static void 5453 sppp_set_ip_addrs_work(struct work *wk, struct sppp *sp) 5454 { 5455 STDDCL; 5456 struct ifaddr *ifa; 5457 struct sockaddr_in *si, *dest; 5458 uint32_t myaddr = 0, hisaddr = 0; 5459 int s; 5460 5461 IFNET_LOCK(ifp); 5462 5463 /* 5464 * Pick the first AF_INET address from the list, 5465 * aliases don't make any sense on a p2p link anyway. 5466 */ 5467 si = dest = NULL; 5468 s = pserialize_read_enter(); 5469 IFADDR_READER_FOREACH(ifa, ifp) { 5470 if (ifa->ifa_addr->sa_family == AF_INET) { 5471 si = (struct sockaddr_in *)ifa->ifa_addr; 5472 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5473 break; 5474 } 5475 } 5476 pserialize_read_exit(s); 5477 5478 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 5479 myaddr = sp->ipcp.req_myaddr; 5480 else if (si != NULL) 5481 myaddr = ntohl(si->sin_addr.s_addr); 5482 5483 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 5484 hisaddr = sp->ipcp.req_hisaddr; 5485 else if (dest != NULL) 5486 hisaddr = ntohl(dest->sin_addr.s_addr); 5487 5488 if (si != NULL && dest != NULL) { 5489 int error; 5490 struct sockaddr_in new_sin = *si; 5491 struct sockaddr_in new_dst = *dest; 5492 5493 if (myaddr != 0) 5494 new_sin.sin_addr.s_addr = htonl(myaddr); 5495 if (hisaddr != 0) { 5496 new_dst.sin_addr.s_addr = htonl(hisaddr); 5497 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) 5498 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 5499 } 5500 5501 in_addrhash_remove(ifatoia(ifa)); 5502 5503 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5504 5505 in_addrhash_insert(ifatoia(ifa)); 5506 5507 if (debug && error) 5508 { 5509 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5510 ifp->if_xname, __func__, error); 5511 } 5512 if (!error) { 5513 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5514 } 5515 } 5516 5517 if (ifp->if_mtu > sp->lcp.their_mru) { 5518 sp->pp_saved_mtu = ifp->if_mtu; 5519 ifp->if_mtu = sp->lcp.their_mru; 5520 if (debug) 5521 log(LOG_DEBUG, 5522 "%s: setting MTU to %" PRIu64 " bytes\n", 5523 ifp->if_xname, ifp->if_mtu); 5524 } 5525 5526 IFNET_UNLOCK(ifp); 5527 5528 sppp_notify_con(sp); 5529 } 5530 5531 static void 5532 sppp_set_ip_addrs(struct sppp *sp) 5533 { 5534 struct ifnet *ifp = &sp->pp_if; 5535 5536 if (!pcq_put(sp->ipcp.update_addrs_q, (void *)IPCP_SET_ADDRS)) { 5537 log(LOG_WARNING, "%s: cannot enqueued, ignore sppp_clear_ip_addrs\n", 5538 ifp->if_xname); 5539 return; 5540 } 5541 5542 if (atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1) == 1) 5543 return; 5544 5545 workqueue_enqueue(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk, NULL); 5546 } 5547 5548 /* 5549 * Clear IP addresses. Must be called at splnet. 5550 */ 5551 static void 5552 sppp_clear_ip_addrs_work(struct work *wk, struct sppp *sp) 5553 { 5554 STDDCL; 5555 struct ifaddr *ifa; 5556 struct sockaddr_in *si, *dest; 5557 int s; 5558 5559 IFNET_LOCK(ifp); 5560 5561 /* 5562 * Pick the first AF_INET address from the list, 5563 * aliases don't make any sense on a p2p link anyway. 5564 */ 5565 si = dest = NULL; 5566 s = pserialize_read_enter(); 5567 IFADDR_READER_FOREACH(ifa, ifp) { 5568 if (ifa->ifa_addr->sa_family == AF_INET) { 5569 si = (struct sockaddr_in *)ifa->ifa_addr; 5570 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5571 break; 5572 } 5573 } 5574 pserialize_read_exit(s); 5575 5576 if (si != NULL) { 5577 struct sockaddr_in new_sin = *si; 5578 struct sockaddr_in new_dst = *dest; 5579 int error; 5580 5581 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 5582 new_sin.sin_addr.s_addr = 0; 5583 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 5584 new_dst.sin_addr.s_addr = sp->ipcp.saved_hisaddr; 5585 5586 in_addrhash_remove(ifatoia(ifa)); 5587 5588 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5589 5590 in_addrhash_insert(ifatoia(ifa)); 5591 5592 if (debug && error) 5593 { 5594 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5595 ifp->if_xname, __func__, error); 5596 } 5597 if (!error) { 5598 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5599 } 5600 } 5601 5602 if (sp->pp_saved_mtu > 0) { 5603 ifp->if_mtu = sp->pp_saved_mtu; 5604 sp->pp_saved_mtu = 0; 5605 if (debug) 5606 log(LOG_DEBUG, 5607 "%s: resetting MTU to %" PRIu64 " bytes\n", 5608 ifp->if_xname, ifp->if_mtu); 5609 } 5610 5611 IFNET_UNLOCK(ifp); 5612 } 5613 5614 static void 5615 sppp_clear_ip_addrs(struct sppp *sp) 5616 { 5617 struct ifnet *ifp = &sp->pp_if; 5618 5619 if (!pcq_put(sp->ipcp.update_addrs_q, (void *)IPCP_CLEAR_ADDRS)) { 5620 log(LOG_WARNING, "%s: cannot enqueued, ignore sppp_clear_ip_addrs\n", 5621 ifp->if_xname); 5622 return; 5623 } 5624 5625 if (atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1) == 1) 5626 return; 5627 5628 workqueue_enqueue(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk, NULL); 5629 } 5630 5631 static void 5632 sppp_update_ip_addrs_work(struct work *wk, void *arg) 5633 { 5634 struct sppp *sp = arg; 5635 void *work; 5636 5637 atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 0); 5638 5639 while ((work = pcq_get(sp->ipcp.update_addrs_q)) != NULL) { 5640 int update = (intptr_t)work; 5641 5642 if (update == IPCP_SET_ADDRS) 5643 sppp_set_ip_addrs_work(wk, sp); 5644 else if (update == IPCP_CLEAR_ADDRS) 5645 sppp_clear_ip_addrs_work(wk, sp); 5646 } 5647 } 5648 #endif 5649 5650 #ifdef INET6 5651 /* 5652 * Get both IPv6 addresses. 5653 */ 5654 static void 5655 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 5656 struct in6_addr *srcmask) 5657 { 5658 struct ifnet *ifp = &sp->pp_if; 5659 struct ifaddr *ifa; 5660 struct sockaddr_in6 *si, *sm; 5661 struct in6_addr ssrc, ddst; 5662 int s; 5663 struct psref psref; 5664 5665 sm = NULL; 5666 memset(&ssrc, 0, sizeof(ssrc)); 5667 memset(&ddst, 0, sizeof(ddst)); 5668 /* 5669 * Pick the first link-local AF_INET6 address from the list, 5670 * aliases don't make any sense on a p2p link anyway. 5671 */ 5672 si = 0; 5673 s = pserialize_read_enter(); 5674 IFADDR_READER_FOREACH(ifa, ifp) { 5675 if (ifa->ifa_addr->sa_family == AF_INET6) { 5676 si = (struct sockaddr_in6 *)ifa->ifa_addr; 5677 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 5678 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) { 5679 ifa_acquire(ifa, &psref); 5680 break; 5681 } 5682 } 5683 } 5684 pserialize_read_exit(s); 5685 5686 if (ifa) { 5687 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 5688 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 5689 if (srcmask) { 5690 memcpy(srcmask, &sm->sin6_addr, 5691 sizeof(*srcmask)); 5692 } 5693 } 5694 5695 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 5696 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 5697 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 5698 ifa_release(ifa, &psref); 5699 } 5700 5701 if (dst) 5702 memcpy(dst, &ddst, sizeof(*dst)); 5703 if (src) 5704 memcpy(src, &ssrc, sizeof(*src)); 5705 } 5706 5707 #ifdef IPV6CP_MYIFID_DYN 5708 /* 5709 * Generate random ifid. 5710 */ 5711 static void 5712 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5713 { 5714 /* TBD */ 5715 } 5716 5717 /* 5718 * Set my IPv6 address. Must be called at splnet. 5719 */ 5720 static void 5721 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5722 { 5723 STDDCL; 5724 struct ifaddr *ifa; 5725 struct sockaddr_in6 *sin6; 5726 int s; 5727 struct psref psref; 5728 5729 IFNET_LOCK(ifp); 5730 5731 /* 5732 * Pick the first link-local AF_INET6 address from the list, 5733 * aliases don't make any sense on a p2p link anyway. 5734 */ 5735 5736 sin6 = NULL; 5737 s = pserialize_read_enter(); 5738 IFADDR_READER_FOREACH(ifa, ifp) 5739 { 5740 if (ifa->ifa_addr->sa_family == AF_INET6) 5741 { 5742 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5743 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) { 5744 ifa_acquire(ifa, &psref); 5745 break; 5746 } 5747 } 5748 } 5749 pserialize_read_exit(s); 5750 5751 if (ifa && sin6) 5752 { 5753 int error; 5754 struct sockaddr_in6 new_sin6 = *sin6; 5755 5756 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 5757 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5758 if (debug && error) 5759 { 5760 log(LOG_DEBUG, "%s: %s: in6_ifinit failed, error=%d\n", 5761 ifp->if_xname, __func__, error); 5762 } 5763 if (!error) { 5764 pfil_run_addrhooks(if_pfil, SIOCAIFADDR_IN6, ifa); 5765 } 5766 ifa_release(ifa, &psref); 5767 } 5768 5769 IFNET_UNLOCK(ifp); 5770 } 5771 #endif 5772 5773 /* 5774 * Suggest a candidate address to be used by peer. 5775 */ 5776 static void 5777 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5778 { 5779 struct in6_addr myaddr; 5780 struct timeval tv; 5781 5782 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5783 5784 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5785 microtime(&tv); 5786 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5787 myaddr.s6_addr[14] ^= 0xff; 5788 myaddr.s6_addr[15] ^= 0xff; 5789 } else { 5790 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5791 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5792 } 5793 if (suggest) 5794 memcpy(suggest, &myaddr, sizeof(myaddr)); 5795 } 5796 #endif /*INET6*/ 5797 5798 /* 5799 * Process ioctl requests specific to the PPP interface. 5800 * Permissions have already been checked. 5801 */ 5802 static int 5803 sppp_params(struct sppp *sp, u_long cmd, void *data) 5804 { 5805 switch (cmd) { 5806 case SPPPGETAUTHCFG: 5807 { 5808 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5809 int error; 5810 size_t len; 5811 5812 SPPP_LOCK(sp, RW_READER); 5813 5814 cfg->myauthflags = sp->myauth.flags; 5815 cfg->hisauthflags = sp->hisauth.flags; 5816 strlcpy(cfg->ifname, sp->pp_if.if_xname, sizeof(cfg->ifname)); 5817 cfg->hisauth = 0; 5818 if (sp->hisauth.proto) 5819 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5820 cfg->myauth = 0; 5821 if (sp->myauth.proto) 5822 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5823 if (cfg->myname_length == 0) { 5824 if (sp->myauth.name != NULL) 5825 cfg->myname_length = sp->myauth.name_len + 1; 5826 } else { 5827 if (sp->myauth.name == NULL) { 5828 cfg->myname_length = 0; 5829 } else { 5830 len = sp->myauth.name_len + 1; 5831 5832 5833 if (cfg->myname_length < len) { 5834 SPPP_UNLOCK(sp); 5835 return (ENAMETOOLONG); 5836 } 5837 error = copyout(sp->myauth.name, cfg->myname, len); 5838 if (error) { 5839 SPPP_UNLOCK(sp); 5840 return error; 5841 } 5842 } 5843 } 5844 if (cfg->hisname_length == 0) { 5845 if (sp->hisauth.name != NULL) 5846 cfg->hisname_length = sp->hisauth.name_len + 1; 5847 } else { 5848 if (sp->hisauth.name == NULL) { 5849 cfg->hisname_length = 0; 5850 } else { 5851 len = sp->hisauth.name_len + 1; 5852 5853 if (cfg->hisname_length < len) { 5854 SPPP_UNLOCK(sp); 5855 return (ENAMETOOLONG); 5856 } 5857 error = copyout(sp->hisauth.name, cfg->hisname, len); 5858 if (error) { 5859 SPPP_UNLOCK(sp); 5860 return error; 5861 } 5862 } 5863 } 5864 SPPP_UNLOCK(sp); 5865 } 5866 break; 5867 case SPPPSETAUTHCFG: 5868 { 5869 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5870 int error; 5871 5872 SPPP_LOCK(sp, RW_WRITER); 5873 5874 if (sp->myauth.name) { 5875 free(sp->myauth.name, M_DEVBUF); 5876 sp->myauth.name = NULL; 5877 } 5878 if (sp->myauth.secret) { 5879 free(sp->myauth.secret, M_DEVBUF); 5880 sp->myauth.secret = NULL; 5881 } 5882 if (sp->hisauth.name) { 5883 free(sp->hisauth.name, M_DEVBUF); 5884 sp->hisauth.name = NULL; 5885 } 5886 if (sp->hisauth.secret) { 5887 free(sp->hisauth.secret, M_DEVBUF); 5888 sp->hisauth.secret = NULL; 5889 } 5890 5891 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 5892 if (cfg->hisname_length >= MCLBYTES) { 5893 SPPP_UNLOCK(sp); 5894 return (ENAMETOOLONG); 5895 } 5896 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 5897 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 5898 if (error) { 5899 free(sp->hisauth.name, M_DEVBUF); 5900 sp->hisauth.name = NULL; 5901 SPPP_UNLOCK(sp); 5902 return error; 5903 } 5904 sp->hisauth.name_len = cfg->hisname_length - 1; 5905 sp->hisauth.name[sp->hisauth.name_len] = 0; 5906 } 5907 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 5908 if (cfg->hissecret_length >= MCLBYTES) { 5909 SPPP_UNLOCK(sp); 5910 return (ENAMETOOLONG); 5911 } 5912 sp->hisauth.secret = malloc(cfg->hissecret_length, 5913 M_DEVBUF, M_WAITOK); 5914 error = copyin(cfg->hissecret, sp->hisauth.secret, 5915 cfg->hissecret_length); 5916 if (error) { 5917 free(sp->hisauth.secret, M_DEVBUF); 5918 sp->hisauth.secret = NULL; 5919 SPPP_UNLOCK(sp); 5920 return error; 5921 } 5922 sp->hisauth.secret_len = cfg->hissecret_length - 1; 5923 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 5924 } 5925 if (cfg->myname != NULL && cfg->myname_length > 0) { 5926 if (cfg->myname_length >= MCLBYTES) { 5927 SPPP_UNLOCK(sp); 5928 return (ENAMETOOLONG); 5929 } 5930 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 5931 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 5932 if (error) { 5933 free(sp->myauth.name, M_DEVBUF); 5934 sp->myauth.name = NULL; 5935 SPPP_UNLOCK(sp); 5936 return error; 5937 } 5938 sp->myauth.name_len = cfg->myname_length - 1; 5939 sp->myauth.name[sp->myauth.name_len] = 0; 5940 } 5941 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 5942 if (cfg->mysecret_length >= MCLBYTES) { 5943 SPPP_UNLOCK(sp); 5944 return (ENAMETOOLONG); 5945 } 5946 sp->myauth.secret = malloc(cfg->mysecret_length, 5947 M_DEVBUF, M_WAITOK); 5948 error = copyin(cfg->mysecret, sp->myauth.secret, 5949 cfg->mysecret_length); 5950 if (error) { 5951 free(sp->myauth.secret, M_DEVBUF); 5952 sp->myauth.secret = NULL; 5953 SPPP_UNLOCK(sp); 5954 return error; 5955 } 5956 sp->myauth.secret_len = cfg->mysecret_length - 1; 5957 sp->myauth.secret[sp->myauth.secret_len] = 0; 5958 } 5959 sp->myauth.flags = cfg->myauthflags; 5960 if (cfg->myauth) 5961 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5962 sp->hisauth.flags = cfg->hisauthflags; 5963 if (cfg->hisauth) 5964 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5965 sp->pp_auth_failures = 0; 5966 if (sp->hisauth.proto != 0) 5967 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 5968 else 5969 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 5970 5971 SPPP_UNLOCK(sp); 5972 } 5973 break; 5974 case SPPPGETLCPCFG: 5975 { 5976 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5977 5978 SPPP_LOCK(sp, RW_READER); 5979 lcpp->lcp_timeout = sp->lcp.timeout; 5980 SPPP_UNLOCK(sp); 5981 } 5982 break; 5983 case SPPPSETLCPCFG: 5984 { 5985 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5986 5987 SPPP_LOCK(sp, RW_WRITER); 5988 sp->lcp.timeout = lcpp->lcp_timeout; 5989 SPPP_UNLOCK(sp); 5990 } 5991 break; 5992 case SPPPGETSTATUS: 5993 { 5994 struct spppstatus *status = (struct spppstatus *)data; 5995 5996 SPPP_LOCK(sp, RW_READER); 5997 status->phase = sp->pp_phase; 5998 SPPP_UNLOCK(sp); 5999 } 6000 break; 6001 case SPPPGETSTATUSNCP: 6002 { 6003 struct spppstatusncp *status = (struct spppstatusncp *)data; 6004 6005 SPPP_LOCK(sp, RW_READER); 6006 status->phase = sp->pp_phase; 6007 status->ncpup = sppp_ncp_check(sp); 6008 SPPP_UNLOCK(sp); 6009 } 6010 break; 6011 case SPPPGETIDLETO: 6012 { 6013 struct spppidletimeout *to = (struct spppidletimeout *)data; 6014 6015 SPPP_LOCK(sp, RW_READER); 6016 to->idle_seconds = sp->pp_idle_timeout; 6017 SPPP_UNLOCK(sp); 6018 } 6019 break; 6020 case SPPPSETIDLETO: 6021 { 6022 struct spppidletimeout *to = (struct spppidletimeout *)data; 6023 6024 SPPP_LOCK(sp, RW_WRITER); 6025 sp->pp_idle_timeout = to->idle_seconds; 6026 SPPP_UNLOCK(sp); 6027 } 6028 break; 6029 case SPPPSETAUTHFAILURE: 6030 { 6031 struct spppauthfailuresettings *afsettings = 6032 (struct spppauthfailuresettings *)data; 6033 6034 SPPP_LOCK(sp, RW_WRITER); 6035 sp->pp_max_auth_fail = afsettings->max_failures; 6036 sp->pp_auth_failures = 0; 6037 SPPP_UNLOCK(sp); 6038 } 6039 break; 6040 case SPPPGETAUTHFAILURES: 6041 { 6042 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 6043 6044 SPPP_LOCK(sp, RW_READER); 6045 stats->auth_failures = sp->pp_auth_failures; 6046 stats->max_failures = sp->pp_max_auth_fail; 6047 SPPP_UNLOCK(sp); 6048 } 6049 break; 6050 case SPPPSETDNSOPTS: 6051 { 6052 struct spppdnssettings *req = (struct spppdnssettings *)data; 6053 6054 SPPP_LOCK(sp, RW_WRITER); 6055 sp->query_dns = req->query_dns & 3; 6056 SPPP_UNLOCK(sp); 6057 } 6058 break; 6059 case SPPPGETDNSOPTS: 6060 { 6061 struct spppdnssettings *req = (struct spppdnssettings *)data; 6062 6063 SPPP_LOCK(sp, RW_READER); 6064 req->query_dns = sp->query_dns; 6065 SPPP_UNLOCK(sp); 6066 } 6067 break; 6068 case SPPPGETDNSADDRS: 6069 { 6070 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 6071 6072 SPPP_LOCK(sp, RW_READER); 6073 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 6074 SPPP_UNLOCK(sp); 6075 } 6076 break; 6077 case SPPPGETKEEPALIVE: 6078 { 6079 struct spppkeepalivesettings *settings = 6080 (struct spppkeepalivesettings*)data; 6081 6082 SPPP_LOCK(sp, RW_READER); 6083 settings->maxalive = sp->pp_maxalive; 6084 settings->max_noreceive = sp->pp_max_noreceive; 6085 SPPP_UNLOCK(sp); 6086 } 6087 break; 6088 case SPPPSETKEEPALIVE: 6089 { 6090 struct spppkeepalivesettings *settings = 6091 (struct spppkeepalivesettings*)data; 6092 6093 SPPP_LOCK(sp, RW_WRITER); 6094 sp->pp_maxalive = settings->maxalive; 6095 sp->pp_max_noreceive = settings->max_noreceive; 6096 SPPP_UNLOCK(sp); 6097 } 6098 break; 6099 default: 6100 { 6101 int ret; 6102 6103 MODULE_HOOK_CALL(sppp_params_50_hook, (sp, cmd, data), 6104 enosys(), ret); 6105 if (ret != ENOSYS) 6106 return ret; 6107 return (EINVAL); 6108 } 6109 } 6110 return (0); 6111 } 6112 6113 static void 6114 sppp_phase_network(struct sppp *sp) 6115 { 6116 int i; 6117 uint32_t mask; 6118 6119 KASSERT(SPPP_WLOCKED(sp)); 6120 6121 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 6122 6123 /* Notify NCPs now. */ 6124 for (i = 0; i < IDX_COUNT; i++) 6125 if ((cps[i])->flags & CP_NCP) 6126 (cps[i])->Open(sp); 6127 6128 /* Send Up events to all NCPs. */ 6129 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 6130 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) { 6131 (cps[i])->Up(sp); 6132 } 6133 6134 /* if no NCP is starting, all this was in vain, close down */ 6135 sppp_lcp_check_and_close(sp); 6136 } 6137 6138 6139 static const char * 6140 sppp_cp_type_name(u_char type) 6141 { 6142 static char buf[12]; 6143 switch (type) { 6144 case CONF_REQ: return "conf-req"; 6145 case CONF_ACK: return "conf-ack"; 6146 case CONF_NAK: return "conf-nak"; 6147 case CONF_REJ: return "conf-rej"; 6148 case TERM_REQ: return "term-req"; 6149 case TERM_ACK: return "term-ack"; 6150 case CODE_REJ: return "code-rej"; 6151 case PROTO_REJ: return "proto-rej"; 6152 case ECHO_REQ: return "echo-req"; 6153 case ECHO_REPLY: return "echo-reply"; 6154 case DISC_REQ: return "discard-req"; 6155 } 6156 snprintf(buf, sizeof(buf), "0x%x", type); 6157 return buf; 6158 } 6159 6160 static const char * 6161 sppp_auth_type_name(u_short proto, u_char type) 6162 { 6163 static char buf[32]; 6164 const char *name; 6165 6166 switch (proto) { 6167 case PPP_CHAP: 6168 switch (type) { 6169 case CHAP_CHALLENGE: return "challenge"; 6170 case CHAP_RESPONSE: return "response"; 6171 case CHAP_SUCCESS: return "success"; 6172 case CHAP_FAILURE: return "failure"; 6173 default: name = "chap"; break; 6174 } 6175 break; 6176 6177 case PPP_PAP: 6178 switch (type) { 6179 case PAP_REQ: return "req"; 6180 case PAP_ACK: return "ack"; 6181 case PAP_NAK: return "nak"; 6182 default: name = "pap"; break; 6183 } 6184 break; 6185 6186 default: 6187 name = "bad"; 6188 break; 6189 } 6190 6191 snprintf(buf, sizeof(buf), "%s(%#x) %#x", name, proto, type); 6192 return buf; 6193 } 6194 6195 static const char * 6196 sppp_lcp_opt_name(u_char opt) 6197 { 6198 static char buf[12]; 6199 switch (opt) { 6200 case LCP_OPT_MRU: return "mru"; 6201 case LCP_OPT_ASYNC_MAP: return "async-map"; 6202 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 6203 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 6204 case LCP_OPT_MAGIC: return "magic"; 6205 case LCP_OPT_PROTO_COMP: return "proto-comp"; 6206 case LCP_OPT_ADDR_COMP: return "addr-comp"; 6207 case LCP_OPT_SELF_DESC_PAD: return "sdpad"; 6208 case LCP_OPT_CALL_BACK: return "callback"; 6209 case LCP_OPT_COMPOUND_FRMS: return "cmpd-frms"; 6210 case LCP_OPT_MP_MRRU: return "mrru"; 6211 case LCP_OPT_MP_SSNHF: return "mp-ssnhf"; 6212 case LCP_OPT_MP_EID: return "mp-eid"; 6213 } 6214 snprintf(buf, sizeof(buf), "0x%x", opt); 6215 return buf; 6216 } 6217 6218 static const char * 6219 sppp_ipcp_opt_name(u_char opt) 6220 { 6221 static char buf[12]; 6222 switch (opt) { 6223 case IPCP_OPT_ADDRESSES: return "addresses"; 6224 case IPCP_OPT_COMPRESSION: return "compression"; 6225 case IPCP_OPT_ADDRESS: return "address"; 6226 } 6227 snprintf(buf, sizeof(buf), "0x%x", opt); 6228 return buf; 6229 } 6230 6231 #ifdef INET6 6232 static const char * 6233 sppp_ipv6cp_opt_name(u_char opt) 6234 { 6235 static char buf[12]; 6236 switch (opt) { 6237 case IPV6CP_OPT_IFID: return "ifid"; 6238 case IPV6CP_OPT_COMPRESSION: return "compression"; 6239 } 6240 snprintf(buf, sizeof(buf), "0x%x", opt); 6241 return buf; 6242 } 6243 #endif 6244 6245 static const char * 6246 sppp_state_name(int state) 6247 { 6248 switch (state) { 6249 case STATE_INITIAL: return "initial"; 6250 case STATE_STARTING: return "starting"; 6251 case STATE_CLOSED: return "closed"; 6252 case STATE_STOPPED: return "stopped"; 6253 case STATE_CLOSING: return "closing"; 6254 case STATE_STOPPING: return "stopping"; 6255 case STATE_REQ_SENT: return "req-sent"; 6256 case STATE_ACK_RCVD: return "ack-rcvd"; 6257 case STATE_ACK_SENT: return "ack-sent"; 6258 case STATE_OPENED: return "opened"; 6259 } 6260 return "illegal"; 6261 } 6262 6263 static const char * 6264 sppp_phase_name(int phase) 6265 { 6266 switch (phase) { 6267 case SPPP_PHASE_DEAD: return "dead"; 6268 case SPPP_PHASE_ESTABLISH: return "establish"; 6269 case SPPP_PHASE_TERMINATE: return "terminate"; 6270 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 6271 case SPPP_PHASE_NETWORK: return "network"; 6272 } 6273 return "illegal"; 6274 } 6275 6276 static const char * 6277 sppp_proto_name(u_short proto) 6278 { 6279 static char buf[12]; 6280 switch (proto) { 6281 case PPP_LCP: return "lcp"; 6282 case PPP_IPCP: return "ipcp"; 6283 case PPP_PAP: return "pap"; 6284 case PPP_CHAP: return "chap"; 6285 case PPP_IPV6CP: return "ipv6cp"; 6286 } 6287 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto); 6288 return buf; 6289 } 6290 6291 static void 6292 sppp_print_bytes(const u_char *p, u_short len) 6293 { 6294 addlog(" %02x", *p++); 6295 while (--len > 0) 6296 addlog("-%02x", *p++); 6297 } 6298 6299 static void 6300 sppp_print_string(const char *p, u_short len) 6301 { 6302 u_char c; 6303 6304 while (len-- > 0) { 6305 c = *p++; 6306 /* 6307 * Print only ASCII chars directly. RFC 1994 recommends 6308 * using only them, but we don't rely on it. */ 6309 if (c < ' ' || c > '~') 6310 addlog("\\x%x", c); 6311 else 6312 addlog("%c", c); 6313 } 6314 } 6315 6316 static const char * 6317 sppp_dotted_quad(uint32_t addr) 6318 { 6319 static char s[16]; 6320 snprintf(s, sizeof(s), "%d.%d.%d.%d", 6321 (int)((addr >> 24) & 0xff), 6322 (int)((addr >> 16) & 0xff), 6323 (int)((addr >> 8) & 0xff), 6324 (int)(addr & 0xff)); 6325 return s; 6326 } 6327 6328 /* a dummy, used to drop uninteresting events */ 6329 static void 6330 sppp_null(struct sppp *unused) 6331 { 6332 /* do just nothing */ 6333 } 6334 /* 6335 * This file is large. Tell emacs to highlight it nevertheless. 6336 * 6337 * Local Variables: 6338 * hilit-auto-highlight-maxout: 120000 6339 * End: 6340 */ 6341 6342 /* 6343 * Module glue 6344 */ 6345 MODULE(MODULE_CLASS_MISC, sppp_subr, NULL); 6346 6347 static int 6348 sppp_subr_modcmd(modcmd_t cmd, void *arg) 6349 { 6350 switch (cmd) { 6351 case MODULE_CMD_INIT: 6352 case MODULE_CMD_FINI: 6353 return 0; 6354 case MODULE_CMD_STAT: 6355 case MODULE_CMD_AUTOUNLOAD: 6356 default: 6357 return ENOTTY; 6358 } 6359 } 6360 6361 static void 6362 sppp_notify_up(struct sppp *sp) 6363 { 6364 6365 SPPP_LOCK(sp, RW_WRITER); 6366 lcp.Up(sp); 6367 SPPP_UNLOCK(sp); 6368 } 6369 6370 static void 6371 sppp_notify_down(struct sppp *sp) 6372 { 6373 6374 SPPP_LOCK(sp, RW_WRITER); 6375 lcp.Down(sp); 6376 SPPP_UNLOCK(sp); 6377 } 6378 6379 static void 6380 sppp_notify_tls_wlocked(struct sppp *sp) 6381 { 6382 6383 KASSERT(SPPP_WLOCKED(sp)); 6384 6385 if (!sp->pp_tls) 6386 return; 6387 6388 SPPP_UNLOCK(sp); 6389 sp->pp_tls(sp); 6390 SPPP_LOCK(sp, RW_WRITER); 6391 } 6392 6393 static void 6394 sppp_notify_tlf_wlocked(struct sppp *sp) 6395 { 6396 6397 KASSERT(SPPP_WLOCKED(sp)); 6398 6399 if (!sp->pp_tlf) 6400 return; 6401 6402 SPPP_UNLOCK(sp); 6403 sp->pp_tlf(sp); 6404 SPPP_LOCK(sp, RW_WRITER); 6405 } 6406 6407 static void 6408 sppp_notify_con(struct sppp *sp) 6409 { 6410 6411 if (!sp->pp_con) 6412 return; 6413 6414 sp->pp_con(sp); 6415 } 6416 6417 #ifdef INET6 6418 static void 6419 sppp_notify_con_wlocked(struct sppp *sp) 6420 { 6421 6422 KASSERT(SPPP_WLOCKED(sp)); 6423 6424 SPPP_UNLOCK(sp); 6425 sppp_notify_con(sp); 6426 SPPP_LOCK(sp, RW_WRITER); 6427 6428 } 6429 #endif 6430 6431 static void 6432 sppp_notify_chg_wlocked(struct sppp *sp) 6433 { 6434 6435 KASSERT(SPPP_WLOCKED(sp)); 6436 6437 if (!sp->pp_chg) 6438 return; 6439 6440 SPPP_UNLOCK(sp); 6441 sp->pp_chg(sp, sp->pp_phase); 6442 SPPP_LOCK(sp, RW_WRITER); 6443 } 6444
Indexes created Wed Oct 15 16:09:53 GMT 2025