if_spppsubr.c revision 1.187.2.6
1 /* $NetBSD: if_spppsubr.c,v 1.187.2.6 2020/04/11 07:28:06 is Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak (at) cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun (at) iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.187.2.6 2020/04/11 07:28:06 is Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_modular.h" 49 #include "opt_compat_netbsd.h" 50 #include "opt_net_mpsafe.h" 51 #endif 52 53 54 #include <sys/param.h> 55 #include <sys/proc.h> 56 #include <sys/systm.h> 57 #include <sys/kernel.h> 58 #include <sys/sockio.h> 59 #include <sys/socket.h> 60 #include <sys/syslog.h> 61 #include <sys/malloc.h> 62 #include <sys/mbuf.h> 63 #include <sys/callout.h> 64 #include <sys/md5.h> 65 #include <sys/inttypes.h> 66 #include <sys/kauth.h> 67 #include <sys/cprng.h> 68 #include <sys/module.h> 69 #include <sys/workqueue.h> 70 #include <sys/atomic.h> 71 #include <sys/compat_stub.h> 72 73 #include <net/if.h> 74 #include <net/netisr.h> 75 #include <net/if_types.h> 76 #include <net/route.h> 77 #include <net/ppp_defs.h> 78 79 #include <netinet/in.h> 80 #include <netinet/in_systm.h> 81 #include <netinet/in_var.h> 82 #ifdef INET 83 #include <netinet/ip.h> 84 #include <netinet/tcp.h> 85 #endif 86 #include <net/ethertypes.h> 87 88 #ifdef INET6 89 #include <netinet6/scope6_var.h> 90 #endif 91 92 #include <net/if_sppp.h> 93 #include <net/if_spppvar.h> 94 95 #ifndef _NET_IF_STATS_H_ 96 #define if_statadd (ifp,member,amount) do { (ifp)->(member)+=(amount); } while (0) 97 #define if_statadd2(ifp,m1,a1,m2,a2) do { if_statadd(ifp,m1,a1); if_statadd(ifp,m2,a2);} while(0) 98 #define if_statinc (ifp,member) if_statadd(ifp,member,1) 99 #endif 100 101 #ifdef NET_MPSAFE 102 #define SPPPSUBR_MPSAFE 1 103 #endif 104 105 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 106 #define LOOPALIVECNT 3 /* loopback detection tries */ 107 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 108 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 109 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 110 111 /* 112 * Interface flags that can be set in an ifconfig command. 113 * 114 * Setting link0 will make the link passive, i.e. it will be marked 115 * as being administrative openable, but won't be opened to begin 116 * with. Incoming calls will be answered, or subsequent calls with 117 * -link1 will cause the administrative open of the LCP layer. 118 * 119 * Setting link1 will cause the link to auto-dial only as packets 120 * arrive to be sent. 121 * 122 * Setting IFF_DEBUG will syslog the option negotiation and state 123 * transitions at level kern.debug. Note: all logs consistently look 124 * like 125 * 126 * <if-name><unit>: <proto-name> <additional info...> 127 * 128 * with <if-name><unit> being something like "bppp0", and <proto-name> 129 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 130 */ 131 132 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 133 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 134 135 #define CONF_REQ 1 /* PPP configure request */ 136 #define CONF_ACK 2 /* PPP configure acknowledge */ 137 #define CONF_NAK 3 /* PPP configure negative ack */ 138 #define CONF_REJ 4 /* PPP configure reject */ 139 #define TERM_REQ 5 /* PPP terminate request */ 140 #define TERM_ACK 6 /* PPP terminate acknowledge */ 141 #define CODE_REJ 7 /* PPP code reject */ 142 #define PROTO_REJ 8 /* PPP protocol reject */ 143 #define ECHO_REQ 9 /* PPP echo request */ 144 #define ECHO_REPLY 10 /* PPP echo reply */ 145 #define DISC_REQ 11 /* PPP discard request */ 146 147 #define LCP_OPT_MRU 1 /* maximum receive unit */ 148 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 149 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 150 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 151 #define LCP_OPT_MAGIC 5 /* magic number */ 152 #define LCP_OPT_RESERVED 6 /* reserved */ 153 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 154 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 155 #define LCP_OPT_FCS_ALTS 9 /* FCS alternatives */ 156 #define LCP_OPT_SELF_DESC_PAD 10 /* self-describing padding */ 157 #define LCP_OPT_CALL_BACK 13 /* callback */ 158 #define LCP_OPT_COMPOUND_FRMS 15 /* compound frames */ 159 #define LCP_OPT_MP_MRRU 17 /* multilink MRRU */ 160 #define LCP_OPT_MP_SSNHF 18 /* multilink short seq. numbers */ 161 #define LCP_OPT_MP_EID 19 /* multilink endpoint discriminator */ 162 163 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 164 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 165 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 166 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 167 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 168 169 #define IPCP_UPDATE_LIMIT 8 /* limit of pending IP updating job */ 170 #define IPCP_SET_ADDRS 1 /* marker for IP address setting job */ 171 #define IPCP_CLEAR_ADDRS 2 /* marker for IP address clearing job */ 172 173 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 174 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 175 176 #define PAP_REQ 1 /* PAP name/password request */ 177 #define PAP_ACK 2 /* PAP acknowledge */ 178 #define PAP_NAK 3 /* PAP fail */ 179 180 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 181 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 182 #define CHAP_SUCCESS 3 /* CHAP response ok */ 183 #define CHAP_FAILURE 4 /* CHAP response failed */ 184 185 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 186 187 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 188 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 189 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 190 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 191 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 192 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 193 194 /* states are named and numbered according to RFC 1661 */ 195 #define STATE_INITIAL 0 196 #define STATE_STARTING 1 197 #define STATE_CLOSED 2 198 #define STATE_STOPPED 3 199 #define STATE_CLOSING 4 200 #define STATE_STOPPING 5 201 #define STATE_REQ_SENT 6 202 #define STATE_ACK_RCVD 7 203 #define STATE_ACK_SENT 8 204 #define STATE_OPENED 9 205 206 struct ppp_header { 207 uint8_t address; 208 uint8_t control; 209 uint16_t protocol; 210 } __packed; 211 #define PPP_HEADER_LEN sizeof (struct ppp_header) 212 213 struct lcp_header { 214 uint8_t type; 215 uint8_t ident; 216 uint16_t len; 217 } __packed; 218 #define LCP_HEADER_LEN sizeof (struct lcp_header) 219 220 struct cisco_packet { 221 uint32_t type; 222 uint32_t par1; 223 uint32_t par2; 224 uint16_t rel; 225 uint16_t time0; 226 uint16_t time1; 227 } __packed; 228 #define CISCO_PACKET_LEN 18 229 230 /* 231 * We follow the spelling and capitalization of RFC 1661 here, to make 232 * it easier comparing with the standard. Please refer to this RFC in 233 * case you can't make sense out of these abbreviation; it will also 234 * explain the semantics related to the various events and actions. 235 */ 236 struct cp { 237 u_short proto; /* PPP control protocol number */ 238 u_char protoidx; /* index into state table in struct sppp */ 239 u_char flags; 240 #define CP_LCP 0x01 /* this is the LCP */ 241 #define CP_AUTH 0x02 /* this is an authentication protocol */ 242 #define CP_NCP 0x04 /* this is a NCP */ 243 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 244 const char *name; /* name of this control protocol */ 245 /* event handlers */ 246 void (*Up)(struct sppp *sp); 247 void (*Down)(struct sppp *sp); 248 void (*Open)(struct sppp *sp); 249 void (*Close)(struct sppp *sp); 250 void (*TO)(void *sp); 251 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 252 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 253 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 254 /* actions */ 255 void (*tlu)(struct sppp *sp); 256 void (*tld)(struct sppp *sp); 257 void (*tls)(struct sppp *sp); 258 void (*tlf)(struct sppp *sp); 259 void (*scr)(struct sppp *sp); 260 }; 261 262 static struct sppp *spppq; 263 static kmutex_t *spppq_lock = NULL; 264 static callout_t keepalive_ch; 265 266 #define SPPPQ_LOCK() if (spppq_lock) \ 267 mutex_enter(spppq_lock); 268 #define SPPPQ_UNLOCK() if (spppq_lock) \ 269 mutex_exit(spppq_lock); 270 271 #define SPPP_LOCK(_sp, _op) rw_enter(&(_sp)->pp_lock, (_op)) 272 #define SPPP_UNLOCK(_sp) rw_exit(&(_sp)->pp_lock) 273 #define SPPP_WLOCKED(_sp) rw_write_held(&(_sp)->pp_lock) 274 #define SPPP_UPGRADE(_sp) do{ \ 275 SPPP_UNLOCK(_sp); \ 276 SPPP_LOCK(_sp, RW_WRITER); \ 277 }while (0) 278 #define SPPP_DOWNGRADE(_sp) rw_downgrade(&(_sp)->pp_lock) 279 280 #ifdef INET 281 #ifndef SPPPSUBR_MPSAFE 282 /* 283 * The following disgusting hack gets around the problem that IP TOS 284 * can't be set yet. We want to put "interactive" traffic on a high 285 * priority queue. To decide if traffic is interactive, we check that 286 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 287 * 288 * XXX is this really still necessary? - joerg - 289 */ 290 static u_short interactive_ports[8] = { 291 0, 513, 0, 0, 292 0, 21, 0, 23, 293 }; 294 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 295 #endif /* SPPPSUBR_MPSAFE */ 296 #endif 297 298 /* almost every function needs these */ 299 #define STDDCL \ 300 struct ifnet *ifp = &sp->pp_if; \ 301 int debug = ifp->if_flags & IFF_DEBUG 302 303 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 304 const struct sockaddr *dst, const struct rtentry *rt); 305 306 static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2); 307 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 308 309 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 310 struct mbuf *m); 311 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 312 u_char ident, u_short len, void *data); 313 /* static void sppp_cp_timeout(void *arg); */ 314 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 315 int newstate); 316 static void sppp_auth_send(const struct cp *cp, 317 struct sppp *sp, unsigned int type, unsigned int id, 318 ...); 319 320 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 321 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 322 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 323 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 324 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 325 326 static void sppp_null(struct sppp *sp); 327 328 static void sppp_lcp_init(struct sppp *sp); 329 static void sppp_lcp_up(struct sppp *sp); 330 static void sppp_lcp_down(struct sppp *sp); 331 static void sppp_lcp_open(struct sppp *sp); 332 static void sppp_lcp_close(struct sppp *sp); 333 static void sppp_lcp_TO(void *sp); 334 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 335 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 336 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 337 static void sppp_lcp_tlu(struct sppp *sp); 338 static void sppp_lcp_tld(struct sppp *sp); 339 static void sppp_lcp_tls(struct sppp *sp); 340 static void sppp_lcp_tlf(struct sppp *sp); 341 static void sppp_lcp_scr(struct sppp *sp); 342 static void sppp_lcp_check_and_close(struct sppp *sp); 343 static int sppp_ncp_check(struct sppp *sp); 344 345 static struct mbuf *sppp_ml_defrag(struct sppp *sp, struct mbuf *m, 346 u_int16_t *protocolp); 347 348 static void sppp_ipcp_init(struct sppp *sp); 349 static void sppp_ipcp_up(struct sppp *sp); 350 static void sppp_ipcp_down(struct sppp *sp); 351 static void sppp_ipcp_open(struct sppp *sp); 352 static void sppp_ipcp_close(struct sppp *sp); 353 static void sppp_ipcp_TO(void *sp); 354 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 355 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 356 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 357 static void sppp_ipcp_tlu(struct sppp *sp); 358 static void sppp_ipcp_tld(struct sppp *sp); 359 static void sppp_ipcp_tls(struct sppp *sp); 360 static void sppp_ipcp_tlf(struct sppp *sp); 361 static void sppp_ipcp_scr(struct sppp *sp); 362 363 static void sppp_ipv6cp_init(struct sppp *sp); 364 static void sppp_ipv6cp_up(struct sppp *sp); 365 static void sppp_ipv6cp_down(struct sppp *sp); 366 static void sppp_ipv6cp_open(struct sppp *sp); 367 static void sppp_ipv6cp_close(struct sppp *sp); 368 static void sppp_ipv6cp_TO(void *sp); 369 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 370 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 371 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 372 static void sppp_ipv6cp_tlu(struct sppp *sp); 373 static void sppp_ipv6cp_tld(struct sppp *sp); 374 static void sppp_ipv6cp_tls(struct sppp *sp); 375 static void sppp_ipv6cp_tlf(struct sppp *sp); 376 static void sppp_ipv6cp_scr(struct sppp *sp); 377 378 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 379 static void sppp_pap_init(struct sppp *sp); 380 static void sppp_pap_open(struct sppp *sp); 381 static void sppp_pap_close(struct sppp *sp); 382 static void sppp_pap_TO(void *sp); 383 static void sppp_pap_my_TO(void *sp); 384 static void sppp_pap_tlu(struct sppp *sp); 385 static void sppp_pap_tld(struct sppp *sp); 386 static void sppp_pap_scr(struct sppp *sp); 387 388 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 389 static void sppp_chap_init(struct sppp *sp); 390 static void sppp_chap_open(struct sppp *sp); 391 static void sppp_chap_close(struct sppp *sp); 392 static void sppp_chap_TO(void *sp); 393 static void sppp_chap_tlu(struct sppp *sp); 394 static void sppp_chap_tld(struct sppp *sp); 395 static void sppp_chap_scr(struct sppp *sp); 396 397 static const char *sppp_auth_type_name(u_short proto, u_char type); 398 static const char *sppp_cp_type_name(u_char type); 399 static const char *sppp_dotted_quad(uint32_t addr); 400 static const char *sppp_ipcp_opt_name(u_char opt); 401 #ifdef INET6 402 static const char *sppp_ipv6cp_opt_name(u_char opt); 403 #endif 404 static const char *sppp_lcp_opt_name(u_char opt); 405 static const char *sppp_phase_name(int phase); 406 static const char *sppp_proto_name(u_short proto); 407 static const char *sppp_state_name(int state); 408 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 409 #ifdef INET 410 static void sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, 411 uint32_t *srcmask); 412 static void sppp_set_ip_addrs_work(struct work *wk, struct sppp *sp); 413 static void sppp_set_ip_addrs(struct sppp *sp); 414 static void sppp_clear_ip_addrs_work(struct work *wk, struct sppp *sp); 415 static void sppp_clear_ip_addrs(struct sppp *sp); 416 static void sppp_update_ip_addrs_work(struct work *wk, void *arg); 417 #endif 418 static void sppp_keepalive(void *dummy); 419 static void sppp_phase_network(struct sppp *sp); 420 static void sppp_print_bytes(const u_char *p, u_short len); 421 static void sppp_print_string(const char *p, u_short len); 422 #ifdef INET6 423 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 424 struct in6_addr *dst, struct in6_addr *srcmask); 425 #ifdef IPV6CP_MYIFID_DYN 426 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 427 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 428 #endif 429 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 430 #endif 431 432 static void sppp_notify_up(struct sppp *); 433 static void sppp_notify_down(struct sppp *); 434 static void sppp_notify_tls_wlocked(struct sppp *); 435 static void sppp_notify_tlf_wlocked(struct sppp *); 436 #ifdef INET6 437 static void sppp_notify_con_wlocked(struct sppp *); 438 #endif 439 static void sppp_notify_con(struct sppp *); 440 441 static void sppp_notify_chg_wlocked(struct sppp *); 442 443 444 /* our control protocol descriptors */ 445 static const struct cp lcp = { 446 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 447 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 448 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 449 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 450 sppp_lcp_scr 451 }; 452 453 static const struct cp ipcp = { 454 PPP_IPCP, IDX_IPCP, 455 #ifdef INET 456 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 457 #else 458 0, 459 #endif 460 "ipcp", 461 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 462 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 463 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 464 sppp_ipcp_scr 465 }; 466 467 static const struct cp ipv6cp = { 468 PPP_IPV6CP, IDX_IPV6CP, 469 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 470 CP_NCP, 471 #else 472 0, 473 #endif 474 "ipv6cp", 475 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 476 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 477 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 478 sppp_ipv6cp_scr 479 }; 480 481 static const struct cp pap = { 482 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 483 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 484 sppp_pap_TO, 0, 0, 0, 485 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 486 sppp_pap_scr 487 }; 488 489 static const struct cp chap = { 490 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 491 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 492 sppp_chap_TO, 0, 0, 0, 493 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 494 sppp_chap_scr 495 }; 496 497 static const struct cp *cps[IDX_COUNT] = { 498 &lcp, /* IDX_LCP */ 499 &ipcp, /* IDX_IPCP */ 500 &ipv6cp, /* IDX_IPV6CP */ 501 &pap, /* IDX_PAP */ 502 &chap, /* IDX_CHAP */ 503 }; 504 505 static void 506 sppp_change_phase(struct sppp *sp, int phase) 507 { 508 STDDCL; 509 510 KASSERT(SPPP_WLOCKED(sp)); 511 512 if (sp->pp_phase == phase) 513 return; 514 515 sp->pp_phase = phase; 516 517 if (phase == SPPP_PHASE_NETWORK) 518 if_link_state_change(ifp, LINK_STATE_UP); 519 else 520 if_link_state_change(ifp, LINK_STATE_DOWN); 521 522 if (debug) 523 { 524 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 525 sppp_phase_name(sp->pp_phase)); 526 } 527 } 528 529 530 /* 531 * Defragment an MP packet. 532 * 533 * Returns NULL or an assembled packet or the original, 534 * and adjusts the passed protocol to the inner one. 535 * 536 * Called with and returns a packet without PPP header, 537 * but with MP fragment header. 538 * 539 * Called and returns with lock held. 540 */ 541 static struct mbuf * 542 sppp_ml_defrag(struct sppp *sp, struct mbuf *m, u_int16_t *protocolp) 543 { 544 u_int8_t *p; 545 u_int8_t flags; 546 u_int32_t seqid; 547 u_int16_t protocol; 548 int newflen; 549 550 if (*protocolp != PPP_MP) 551 return m; /* not ours */ 552 553 if (sp->lcp.mrru == 0) 554 return m; /* 555 * ours, but we're not ready. 556 * sppp_input will arrange for rejection. 557 */ 558 559 if (m->m_len < 4) { 560 m = m_pullup(m, 4); 561 if (m == NULL) { 562 if_statadd2(&sp->pp_if, if_ierrors, 1, if_iqdrops, 1); 563 return NULL; 564 } 565 } 566 p = mtod(m, u_int8_t *); 567 flags = *p; 568 seqid = (p[1]<<16) + (p[2]<<8) + p[3]; 569 570 m_adj(m, 4); 571 572 /* We're manipulating the defragmentation state below: */ 573 SPPP_UPGRADE(sp); 574 575 if (flags & 0x80) { 576 /* Beginning fragment. */ 577 sp->lcp.ml_seq_xpctd=seqid+1; /* next expected */ 578 579 /* TODO: if prefix, count dropped? */ 580 581 m_freem(sp->lcp.ml_prefix); 582 sp->lcp.ml_prefix = m; 583 584 } else if (seqid == sp->lcp.ml_seq_xpctd) { 585 sp->lcp.ml_seq_xpctd=seqid+1; /* next expected */ 586 if (sp->lcp.ml_prefix == 0) { 587 /* didn't see B frame. */ 588 /* TODO: count as dropped. */ 589 m_freem(m); 590 return NULL; 591 } 592 /* 593 * m_cat might free the first mbuf (with pkthdr) 594 * in 2nd chain; therefore: 595 */ 596 newflen = m->m_pkthdr.len; 597 m_cat(sp->lcp.ml_prefix, m); 598 sp->lcp.ml_prefix->m_pkthdr.len += newflen; 599 600 } else { 601 /* 602 * sequence error. 603 * 604 * For now, only drop this fragment, and don't touch state- 605 * might be from the long past or future, and we could still 606 * finish our current prefix. 607 * 608 * TODO: count as dropped. 609 */ 610 m_freem(sp->lcp.ml_prefix); 611 return NULL; 612 } 613 /* Successfully got the Beginning or appended a non-B packet.*/ 614 if (flags & 0x40) { 615 /* B/next was E packet. Unwrap gift and deliver. */ 616 m = sp->lcp.ml_prefix; 617 sp->lcp.ml_prefix = NULL; 618 619 if (m->m_len < 2) { 620 m = m_pullup(m,2); 621 if (m == NULL) { 622 /* TODO: count as dropped. */ 623 return NULL; 624 } 625 } 626 /* RFC 1990 2.: don't assume no protocol field compression */ 627 p = mtod(m, u_int8_t *); 628 protocol = *p; 629 630 if (protocol & 1) { 631 m_adj(m, 1); 632 } else { 633 protocol = (protocol << 8) + p[1]; 634 m_adj(m, 2); 635 } 636 *protocolp = protocol; 637 638 return m; 639 } 640 641 return NULL; 642 } 643 644 645 /* 646 * Exported functions, comprising our interface to the lower layer. 647 */ 648 649 /* 650 * Process the received packet. 651 */ 652 void 653 sppp_input(struct ifnet *ifp, struct mbuf *m) 654 { 655 struct ppp_header *h = NULL; 656 pktqueue_t *pktq = NULL; 657 struct ifqueue *inq = NULL; 658 uint16_t protocol; 659 struct sppp *sp = (struct sppp *)ifp; 660 int debug = ifp->if_flags & IFF_DEBUG; 661 int isr = 0; 662 663 SPPP_LOCK(sp, RW_READER); 664 665 if (ifp->if_flags & IFF_UP) { 666 /* Count received bytes, add hardware framing */ 667 if_statadd(ifp, if_ibytes, m->m_pkthdr.len + sp->pp_framebytes); 668 /* Note time of last receive */ 669 sp->pp_last_receive = time_uptime; 670 } 671 672 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 673 /* Too small packet, drop it. */ 674 if (debug) 675 log(LOG_DEBUG, 676 "%s: input packet is too small, %d bytes\n", 677 ifp->if_xname, m->m_pkthdr.len); 678 drop: 679 if_statadd2(ifp, if_ierrors, 1, if_iqdrops, 1); 680 m_freem(m); 681 SPPP_UNLOCK(sp); 682 return; 683 } 684 685 if (sp->pp_flags & PP_NOFRAMING) { 686 memcpy(&protocol, mtod(m, void *), 2); 687 protocol = ntohs(protocol); 688 m_adj(m, 2); 689 } else { 690 691 /* Get PPP header. */ 692 h = mtod(m, struct ppp_header *); 693 m_adj(m, PPP_HEADER_LEN); 694 695 switch (h->address) { 696 case PPP_ALLSTATIONS: 697 if (h->control != PPP_UI) 698 goto invalid; 699 if (sp->pp_flags & PP_CISCO) { 700 if (debug) 701 log(LOG_DEBUG, 702 "%s: PPP packet in Cisco mode " 703 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 704 ifp->if_xname, 705 h->address, h->control, ntohs(h->protocol)); 706 goto drop; 707 } 708 break; 709 case CISCO_MULTICAST: 710 case CISCO_UNICAST: 711 /* Don't check the control field here (RFC 1547). */ 712 if (! (sp->pp_flags & PP_CISCO)) { 713 if (debug) 714 log(LOG_DEBUG, 715 "%s: Cisco packet in PPP mode " 716 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 717 ifp->if_xname, 718 h->address, h->control, ntohs(h->protocol)); 719 goto drop; 720 } 721 switch (ntohs(h->protocol)) { 722 default: 723 if_statinc(ifp, if_noproto); 724 goto invalid; 725 case CISCO_KEEPALIVE: 726 SPPP_UNLOCK(sp); 727 sppp_cisco_input((struct sppp *) ifp, m); 728 m_freem(m); 729 return; 730 #ifdef INET 731 case ETHERTYPE_IP: 732 pktq = ip_pktq; 733 break; 734 #endif 735 #ifdef INET6 736 case ETHERTYPE_IPV6: 737 pktq = ip6_pktq; 738 break; 739 #endif 740 } 741 goto queue_pkt; 742 default: /* Invalid PPP packet. */ 743 invalid: 744 if (debug) 745 log(LOG_DEBUG, 746 "%s: invalid input packet " 747 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 748 ifp->if_xname, 749 h->address, h->control, ntohs(h->protocol)); 750 goto drop; 751 } 752 protocol = ntohs(h->protocol); 753 } 754 755 m = sppp_ml_defrag(sp, m, &protocol); 756 if (m == 0) { 757 SPPP_UNLOCK(sp); 758 return; 759 } 760 761 switch (protocol) { 762 default: 763 if (sp->state[IDX_LCP] == STATE_OPENED) { 764 uint16_t prot = htons(protocol); 765 766 SPPP_UPGRADE(sp); 767 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 768 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 769 &prot); 770 SPPP_DOWNGRADE(sp); 771 } 772 if (debug) 773 log(LOG_DEBUG, 774 "%s: invalid input protocol " 775 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol)); 776 if_statinc(ifp, if_noproto); 777 goto drop; 778 case PPP_LCP: 779 SPPP_UNLOCK(sp); 780 sppp_cp_input(&lcp, sp, m); 781 m_freem(m); 782 return; 783 case PPP_PAP: 784 SPPP_UNLOCK(sp); 785 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 786 sppp_pap_input(sp, m); 787 } 788 m_freem(m); 789 return; 790 case PPP_CHAP: 791 SPPP_UNLOCK(sp); 792 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 793 sppp_chap_input(sp, m); 794 } 795 m_freem(m); 796 return; 797 #ifdef INET 798 case PPP_IPCP: 799 SPPP_UNLOCK(sp); 800 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 801 sppp_cp_input(&ipcp, sp, m); 802 } 803 m_freem(m); 804 return; 805 case PPP_IP: 806 if (sp->state[IDX_IPCP] == STATE_OPENED) { 807 sp->pp_last_activity = time_uptime; 808 pktq = ip_pktq; 809 } 810 break; 811 #endif 812 #ifdef INET6 813 case PPP_IPV6CP: 814 SPPP_UNLOCK(sp); 815 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 816 sppp_cp_input(&ipv6cp, sp, m); 817 } 818 m_freem(m); 819 return; 820 821 case PPP_IPV6: 822 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 823 sp->pp_last_activity = time_uptime; 824 pktq = ip6_pktq; 825 } 826 break; 827 #endif 828 } 829 830 queue_pkt: 831 if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) { 832 goto drop; 833 } 834 835 /* Check queue. */ 836 if (__predict_true(pktq)) { 837 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 838 goto drop; 839 } 840 SPPP_UNLOCK(sp); 841 return; 842 } 843 844 SPPP_UNLOCK(sp); 845 846 IFQ_LOCK(inq); 847 if (IF_QFULL(inq)) { 848 /* Queue overflow. */ 849 IF_DROP(inq); 850 IFQ_UNLOCK(inq); 851 if (debug) 852 log(LOG_DEBUG, "%s: protocol queue overflow\n", 853 ifp->if_xname); 854 855 SPPP_LOCK(sp, RW_READER); 856 goto drop; 857 } 858 IF_ENQUEUE(inq, m); 859 IFQ_UNLOCK(inq); 860 schednetisr(isr); 861 } 862 863 /* 864 * Enqueue transmit packet. 865 */ 866 static int 867 sppp_output(struct ifnet *ifp, struct mbuf *m, 868 const struct sockaddr *dst, const struct rtentry *rt) 869 { 870 struct sppp *sp = (struct sppp *) ifp; 871 struct ppp_header *h = NULL; 872 #ifndef SPPPSUBR_MPSAFE 873 struct ifqueue *ifq = NULL; /* XXX */ 874 #endif 875 int s, error = 0; 876 uint16_t protocol; 877 size_t pktlen; 878 879 s = splnet(); 880 SPPP_LOCK(sp, RW_READER); 881 882 sp->pp_last_activity = time_uptime; 883 884 if ((ifp->if_flags & IFF_UP) == 0 || 885 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 886 SPPP_UNLOCK(sp); 887 splx(s); 888 889 m_freem(m); 890 891 return (ENETDOWN); 892 } 893 894 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 895 /* 896 * Interface is not yet running, but auto-dial. Need 897 * to start LCP for it. 898 */ 899 ifp->if_flags |= IFF_RUNNING; 900 901 SPPP_UNLOCK(sp); 902 splx(s); 903 904 SPPP_LOCK(sp, RW_WRITER); 905 lcp.Open(sp); 906 SPPP_UNLOCK(sp); 907 908 s = splnet(); 909 SPPP_LOCK(sp, RW_READER); 910 } 911 912 /* 913 * If the queueing discipline needs packet classification, 914 * do it before prepending link headers. 915 */ 916 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family); 917 918 #ifdef INET 919 if (dst->sa_family == AF_INET) { 920 struct ip *ip = NULL; 921 #ifndef SPPPSUBR_MPSAFE 922 struct tcphdr *th = NULL; 923 #endif 924 925 if (m->m_len >= sizeof(struct ip)) { 926 ip = mtod(m, struct ip *); 927 #ifndef SPPPSUBR_MPSAFE 928 if (ip->ip_p == IPPROTO_TCP && 929 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 930 sizeof(struct tcphdr)) { 931 th = (struct tcphdr *) 932 ((char *)ip + (ip->ip_hl << 2)); 933 } 934 #endif 935 } else 936 ip = NULL; 937 938 /* 939 * When using dynamic local IP address assignment by using 940 * 0.0.0.0 as a local address, the first TCP session will 941 * not connect because the local TCP checksum is computed 942 * using 0.0.0.0 which will later become our real IP address 943 * so the TCP checksum computed at the remote end will 944 * become invalid. So we 945 * - don't let packets with src ip addr 0 thru 946 * - we flag TCP packets with src ip 0 as an error 947 */ 948 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 949 uint8_t proto = ip->ip_p; 950 951 SPPP_UNLOCK(sp); 952 splx(s); 953 954 m_freem(m); 955 if (proto == IPPROTO_TCP) 956 return (EADDRNOTAVAIL); 957 else 958 return (0); 959 } 960 961 #ifndef SPPPSUBR_MPSAFE 962 /* 963 * Put low delay, telnet, rlogin and ftp control packets 964 * in front of the queue. 965 */ 966 if (!IF_QFULL(&sp->pp_fastq) && 967 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 968 (th && (INTERACTIVE(ntohs(th->th_sport)) || 969 INTERACTIVE(ntohs(th->th_dport)))))) 970 ifq = &sp->pp_fastq; 971 #endif /* !SPPPSUBR_MPSAFE */ 972 } 973 #endif 974 975 #ifdef INET6 976 if (dst->sa_family == AF_INET6) { 977 /* XXX do something tricky here? */ 978 } 979 #endif 980 981 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 982 /* 983 * Prepend general data packet PPP header. For now, IP only. 984 */ 985 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 986 if (! m) { 987 if (ifp->if_flags & IFF_DEBUG) 988 log(LOG_DEBUG, "%s: no memory for transmit header\n", 989 ifp->if_xname); 990 if_statinc(ifp, if_oerrors); 991 SPPP_UNLOCK(sp); 992 splx(s); 993 return (ENOBUFS); 994 } 995 /* 996 * May want to check size of packet 997 * (albeit due to the implementation it's always enough) 998 */ 999 h = mtod(m, struct ppp_header *); 1000 if (sp->pp_flags & PP_CISCO) { 1001 h->address = CISCO_UNICAST; /* unicast address */ 1002 h->control = 0; 1003 } else { 1004 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1005 h->control = PPP_UI; /* Unnumbered Info */ 1006 } 1007 } 1008 1009 switch (dst->sa_family) { 1010 #ifdef INET 1011 case AF_INET: /* Internet Protocol */ 1012 if (sp->pp_flags & PP_CISCO) 1013 protocol = htons(ETHERTYPE_IP); 1014 else { 1015 /* 1016 * Don't choke with an ENETDOWN early. It's 1017 * possible that we just started dialing out, 1018 * so don't drop the packet immediately. If 1019 * we notice that we run out of buffer space 1020 * below, we will however remember that we are 1021 * not ready to carry IP packets, and return 1022 * ENETDOWN, as opposed to ENOBUFS. 1023 */ 1024 protocol = htons(PPP_IP); 1025 if (sp->state[IDX_IPCP] != STATE_OPENED) 1026 error = ENETDOWN; 1027 } 1028 break; 1029 #endif 1030 #ifdef INET6 1031 case AF_INET6: /* Internet Protocol version 6 */ 1032 if (sp->pp_flags & PP_CISCO) 1033 protocol = htons(ETHERTYPE_IPV6); 1034 else { 1035 /* 1036 * Don't choke with an ENETDOWN early. It's 1037 * possible that we just started dialing out, 1038 * so don't drop the packet immediately. If 1039 * we notice that we run out of buffer space 1040 * below, we will however remember that we are 1041 * not ready to carry IP packets, and return 1042 * ENETDOWN, as opposed to ENOBUFS. 1043 */ 1044 protocol = htons(PPP_IPV6); 1045 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 1046 error = ENETDOWN; 1047 } 1048 break; 1049 #endif 1050 default: 1051 m_freem(m); 1052 if_statinc(ifp, if_oerrors); 1053 SPPP_UNLOCK(sp); 1054 splx(s); 1055 return (EAFNOSUPPORT); 1056 } 1057 1058 if (sp->pp_flags & PP_NOFRAMING) { 1059 M_PREPEND(m, 2, M_DONTWAIT); 1060 if (m == NULL) { 1061 if (ifp->if_flags & IFF_DEBUG) 1062 log(LOG_DEBUG, "%s: no memory for transmit header\n", 1063 ifp->if_xname); 1064 if_statinc(ifp, if_oerrors); 1065 SPPP_UNLOCK(sp); 1066 splx(s); 1067 return (ENOBUFS); 1068 } 1069 *mtod(m, uint16_t *) = protocol; 1070 } else { 1071 h->protocol = protocol; 1072 } 1073 1074 pktlen = m->m_pkthdr.len; 1075 #ifdef SPPPSUBR_MPSAFE 1076 SPPP_UNLOCK(sp); 1077 error = if_transmit_lock(ifp, m); 1078 SPPP_LOCK(sp, RW_READER); 1079 if (error == 0) 1080 if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes); 1081 #else /* !SPPPSUBR_MPSAFE */ 1082 error = ifq_enqueue2(ifp, ifq, m); 1083 1084 if (error == 0) { 1085 /* 1086 * Count output packets and bytes. 1087 * The packet length includes header + additional hardware 1088 * framing according to RFC 1333. 1089 */ 1090 if (!(ifp->if_flags & IFF_OACTIVE)) { 1091 SPPP_UNLOCK(sp); 1092 if_start_lock(ifp); 1093 SPPP_LOCK(sp, RW_READER); 1094 } 1095 if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes); 1096 } 1097 #endif /* !SPPPSUBR_MPSAFE */ 1098 SPPP_UNLOCK(sp); 1099 splx(s); 1100 return error; 1101 } 1102 1103 static int 1104 sppp_mediachange(struct ifnet *ifp) 1105 { 1106 1107 return (0); 1108 } 1109 1110 static void 1111 sppp_mediastatus(struct ifnet *ifp, struct ifmediareq *imr) 1112 { 1113 int link_state; 1114 1115 link_state = atomic_load_relaxed(&ifp->if_link_state); 1116 switch (link_state) { 1117 case LINK_STATE_UP: 1118 imr->ifm_status = IFM_AVALID | IFM_ACTIVE; 1119 break; 1120 case LINK_STATE_DOWN: 1121 imr->ifm_status = IFM_AVALID; 1122 break; 1123 default: 1124 /* Should be impossible as we set link state down in attach. */ 1125 imr->ifm_status = 0; 1126 break; 1127 } 1128 } 1129 1130 void 1131 sppp_attach(struct ifnet *ifp) 1132 { 1133 struct sppp *sp = (struct sppp *) ifp; 1134 1135 /* Initialize keepalive handler. */ 1136 if (! spppq) { 1137 callout_init(&keepalive_ch, CALLOUT_MPSAFE); 1138 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 1139 } 1140 1141 if (! spppq_lock) 1142 spppq_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_SOFTNET); 1143 1144 /* Insert new entry into the keepalive list. */ 1145 sp->pp_next = spppq; 1146 spppq = sp; 1147 1148 sp->pp_if.if_type = IFT_PPP; 1149 sp->pp_if.if_output = sppp_output; 1150 sp->pp_fastq.ifq_maxlen = 32; 1151 sp->pp_cpq.ifq_maxlen = 20; 1152 sp->pp_loopcnt = 0; 1153 sp->pp_alivecnt = 0; 1154 sp->pp_last_activity = 0; 1155 sp->pp_last_receive = 0; 1156 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 1157 sp->pp_max_noreceive = DEFAULT_NORECV_TIME; 1158 sp->pp_idle_timeout = 0; 1159 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq)); 1160 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq)); 1161 sp->pp_auth_failures = 0; 1162 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 1163 sp->pp_phase = SPPP_PHASE_DEAD; 1164 sp->pp_up = sppp_notify_up; 1165 sp->pp_down = sppp_notify_down; 1166 rw_init(&sp->pp_lock); 1167 1168 if_alloc_sadl(ifp); 1169 1170 /* Lets not beat about the bush, we know we're down. */ 1171 ifp->if_link_state = LINK_STATE_DOWN; 1172 /* There is no media for PPP, but it's needed to report link status. */ 1173 ifmedia_init(&sp->pp_im, 0, sppp_mediachange, sppp_mediastatus); 1174 1175 memset(&sp->myauth, 0, sizeof sp->myauth); 1176 memset(&sp->hisauth, 0, sizeof sp->hisauth); 1177 SPPP_LOCK(sp, RW_WRITER); 1178 sppp_lcp_init(sp); 1179 sppp_ipcp_init(sp); 1180 sppp_ipv6cp_init(sp); 1181 sppp_pap_init(sp); 1182 sppp_chap_init(sp); 1183 SPPP_UNLOCK(sp); 1184 } 1185 1186 void 1187 sppp_detach(struct ifnet *ifp) 1188 { 1189 struct sppp **q, *p, *sp = (struct sppp *) ifp; 1190 1191 /* Remove the entry from the keepalive list. */ 1192 SPPPQ_LOCK(); 1193 for (q = &spppq; (p = *q); q = &p->pp_next) 1194 if (p == sp) { 1195 *q = p->pp_next; 1196 break; 1197 } 1198 SPPPQ_UNLOCK(); 1199 1200 if (! spppq) { 1201 /* Stop keepalive handler. */ 1202 callout_stop(&keepalive_ch); 1203 mutex_obj_free(spppq_lock); 1204 spppq_lock = NULL; 1205 } 1206 1207 SPPP_LOCK(sp, RW_WRITER); 1208 1209 /* to avoid workqueue enqueued */ 1210 atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1); 1211 workqueue_wait(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk); 1212 workqueue_destroy(sp->ipcp.update_addrs_wq); 1213 pcq_destroy(sp->ipcp.update_addrs_q); 1214 1215 callout_stop(&sp->ch[IDX_LCP]); 1216 callout_stop(&sp->ch[IDX_IPCP]); 1217 callout_stop(&sp->ch[IDX_PAP]); 1218 callout_stop(&sp->ch[IDX_CHAP]); 1219 #ifdef INET6 1220 callout_stop(&sp->ch[IDX_IPV6CP]); 1221 #endif 1222 callout_stop(&sp->pap_my_to_ch); 1223 1224 /* free authentication info */ 1225 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 1226 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 1227 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 1228 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 1229 SPPP_UNLOCK(sp); 1230 rw_destroy(&sp->pp_lock); 1231 1232 ifmedia_fini(&sp->pp_im); 1233 } 1234 1235 /* 1236 * Flush the interface output queue. 1237 */ 1238 void 1239 sppp_flush(struct ifnet *ifp) 1240 { 1241 struct sppp *sp = (struct sppp *) ifp; 1242 1243 SPPP_LOCK(sp, RW_WRITER); 1244 IFQ_PURGE(&sp->pp_if.if_snd); 1245 IF_PURGE(&sp->pp_fastq); 1246 IF_PURGE(&sp->pp_cpq); 1247 SPPP_UNLOCK(sp); 1248 } 1249 1250 /* 1251 * Check if the output queue is empty. 1252 */ 1253 int 1254 sppp_isempty(struct ifnet *ifp) 1255 { 1256 struct sppp *sp = (struct sppp *) ifp; 1257 int empty, s; 1258 1259 s = splnet(); 1260 SPPP_LOCK(sp, RW_READER); 1261 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 1262 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 1263 SPPP_UNLOCK(sp); 1264 splx(s); 1265 return (empty); 1266 } 1267 1268 /* 1269 * Get next packet to send. 1270 */ 1271 struct mbuf * 1272 sppp_dequeue(struct ifnet *ifp) 1273 { 1274 struct sppp *sp = (struct sppp *) ifp; 1275 struct mbuf *m; 1276 int s; 1277 1278 s = splnet(); 1279 SPPP_LOCK(sp, RW_WRITER); 1280 /* 1281 * Process only the control protocol queue until we have at 1282 * least one NCP open. 1283 * 1284 * Do always serve all three queues in Cisco mode. 1285 */ 1286 IF_DEQUEUE(&sp->pp_cpq, m); 1287 if (m == NULL && 1288 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) { 1289 IF_DEQUEUE(&sp->pp_fastq, m); 1290 if (m == NULL) 1291 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 1292 } 1293 SPPP_UNLOCK(sp); 1294 splx(s); 1295 return m; 1296 } 1297 1298 /* 1299 * Process an ioctl request. Called on low priority level. 1300 */ 1301 int 1302 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1303 { 1304 struct lwp *l = curlwp; /* XXX */ 1305 struct ifreq *ifr = (struct ifreq *) data; 1306 struct ifaddr *ifa = (struct ifaddr *) data; 1307 struct sppp *sp = (struct sppp *) ifp; 1308 int s, error=0, going_up, going_down; 1309 u_short newmode; 1310 1311 s = splnet(); 1312 switch (cmd) { 1313 case SIOCINITIFADDR: 1314 ifa->ifa_rtrequest = p2p_rtrequest; 1315 break; 1316 1317 case SIOCSIFFLAGS: 1318 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1319 break; 1320 1321 SPPP_LOCK(sp, RW_WRITER); 1322 going_up = ifp->if_flags & IFF_UP && 1323 (ifp->if_flags & IFF_RUNNING) == 0; 1324 going_down = (ifp->if_flags & IFF_UP) == 0 && 1325 ifp->if_flags & IFF_RUNNING; 1326 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1327 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1328 /* sanity */ 1329 newmode = IFF_PASSIVE; 1330 ifp->if_flags &= ~IFF_AUTO; 1331 } 1332 1333 if (going_up || going_down) { 1334 lcp.Close(sp); 1335 } 1336 if (going_up && newmode == 0) { 1337 /* neither auto-dial nor passive */ 1338 ifp->if_flags |= IFF_RUNNING; 1339 if (!(sp->pp_flags & PP_CISCO)) 1340 lcp.Open(sp); 1341 } else if (going_down) { 1342 SPPP_UNLOCK(sp); 1343 sppp_flush(ifp); 1344 SPPP_LOCK(sp, RW_WRITER); 1345 1346 ifp->if_flags &= ~IFF_RUNNING; 1347 } 1348 SPPP_UNLOCK(sp); 1349 break; 1350 1351 case SIOCSIFMTU: 1352 if (ifr->ifr_mtu < PPP_MINMRU || 1353 ifr->ifr_mtu > sp->lcp.their_mru) { 1354 error = EINVAL; 1355 break; 1356 } 1357 /*FALLTHROUGH*/ 1358 case SIOCGIFMTU: 1359 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1360 error = 0; 1361 break; 1362 case SIOCADDMULTI: 1363 case SIOCDELMULTI: 1364 break; 1365 1366 case SPPPSETAUTHCFG: 1367 case SPPPSETLCPCFG: 1368 case SPPPSETIDLETO: 1369 case SPPPSETAUTHFAILURE: 1370 case SPPPSETDNSOPTS: 1371 case SPPPSETKEEPALIVE: 1372 #if defined(COMPAT_50) || defined(MODULAR) 1373 case __SPPPSETIDLETO50: 1374 case __SPPPSETKEEPALIVE50: 1375 #endif /* COMPAT_50 || MODULAR */ 1376 error = kauth_authorize_network(l->l_cred, 1377 KAUTH_NETWORK_INTERFACE, 1378 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1379 NULL); 1380 if (error) 1381 break; 1382 error = sppp_params(sp, cmd, data); 1383 break; 1384 1385 case SPPPGETAUTHCFG: 1386 case SPPPGETLCPCFG: 1387 case SPPPGETAUTHFAILURES: 1388 error = kauth_authorize_network(l->l_cred, 1389 KAUTH_NETWORK_INTERFACE, 1390 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1391 NULL); 1392 if (error) 1393 break; 1394 error = sppp_params(sp, cmd, data); 1395 break; 1396 1397 case SPPPGETSTATUS: 1398 case SPPPGETSTATUSNCP: 1399 case SPPPGETIDLETO: 1400 case SPPPGETDNSOPTS: 1401 case SPPPGETDNSADDRS: 1402 case SPPPGETKEEPALIVE: 1403 #if defined(COMPAT_50) || defined(MODULAR) 1404 case __SPPPGETIDLETO50: 1405 case __SPPPGETKEEPALIVE50: 1406 #endif /* COMPAT_50 || MODULAR */ 1407 error = sppp_params(sp, cmd, data); 1408 break; 1409 1410 case SIOCGIFMEDIA: 1411 error = ifmedia_ioctl(ifp, ifr, &sp->pp_im, cmd); 1412 break; 1413 1414 default: 1415 error = ifioctl_common(ifp, cmd, data); 1416 break; 1417 } 1418 splx(s); 1419 return (error); 1420 } 1421 1422 1423 /* 1424 * Cisco framing implementation. 1425 */ 1426 1427 /* 1428 * Handle incoming Cisco keepalive protocol packets. 1429 */ 1430 static void 1431 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1432 { 1433 STDDCL; 1434 struct cisco_packet *h; 1435 #ifdef INET 1436 uint32_t me, mymask = 0; /* XXX: GCC */ 1437 #endif 1438 1439 SPPP_LOCK(sp, RW_WRITER); 1440 1441 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1442 if (debug) 1443 log(LOG_DEBUG, 1444 "%s: cisco invalid packet length: %d bytes\n", 1445 ifp->if_xname, m->m_pkthdr.len); 1446 SPPP_UNLOCK(sp); 1447 return; 1448 } 1449 h = mtod(m, struct cisco_packet *); 1450 if (debug) 1451 log(LOG_DEBUG, 1452 "%s: cisco input: %d bytes " 1453 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1454 ifp->if_xname, m->m_pkthdr.len, 1455 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1456 (u_int)h->time0, (u_int)h->time1); 1457 switch (ntohl(h->type)) { 1458 default: 1459 if (debug) 1460 addlog("%s: cisco unknown packet type: 0x%x\n", 1461 ifp->if_xname, ntohl(h->type)); 1462 break; 1463 case CISCO_ADDR_REPLY: 1464 /* Reply on address request, ignore */ 1465 break; 1466 case CISCO_KEEPALIVE_REQ: 1467 sp->pp_alivecnt = 0; 1468 sp->pp_rseq[IDX_LCP] = ntohl(h->par1); 1469 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1470 /* Local and remote sequence numbers are equal. 1471 * Probably, the line is in loopback mode. */ 1472 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1473 printf ("%s: loopback\n", 1474 ifp->if_xname); 1475 sp->pp_loopcnt = 0; 1476 if (ifp->if_flags & IFF_UP) { 1477 SPPP_UNLOCK(sp); 1478 if_down(ifp); 1479 SPPP_LOCK(sp, RW_WRITER); 1480 1481 IF_PURGE(&sp->pp_cpq); 1482 } 1483 } 1484 ++sp->pp_loopcnt; 1485 1486 /* Generate new local sequence number */ 1487 sp->pp_seq[IDX_LCP] = cprng_fast32(); 1488 break; 1489 } 1490 sp->pp_loopcnt = 0; 1491 if (! (ifp->if_flags & IFF_UP) && 1492 (ifp->if_flags & IFF_RUNNING)) { 1493 SPPP_UNLOCK(sp); 1494 if_up(ifp); 1495 SPPP_LOCK(sp, RW_WRITER); 1496 } 1497 break; 1498 case CISCO_ADDR_REQ: 1499 #ifdef INET 1500 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1501 if (me != 0L) 1502 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1503 #endif 1504 break; 1505 } 1506 SPPP_UNLOCK(sp); 1507 } 1508 1509 /* 1510 * Send Cisco keepalive packet. 1511 */ 1512 static void 1513 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1514 { 1515 STDDCL; 1516 struct ppp_header *h; 1517 struct cisco_packet *ch; 1518 struct mbuf *m; 1519 uint32_t t; 1520 1521 KASSERT(SPPP_WLOCKED(sp)); 1522 1523 t = time_uptime * 1000; 1524 MGETHDR(m, M_DONTWAIT, MT_DATA); 1525 if (! m) 1526 return; 1527 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1528 m_reset_rcvif(m); 1529 1530 h = mtod(m, struct ppp_header *); 1531 h->address = CISCO_MULTICAST; 1532 h->control = 0; 1533 h->protocol = htons(CISCO_KEEPALIVE); 1534 1535 ch = (struct cisco_packet *)(h + 1); 1536 ch->type = htonl(type); 1537 ch->par1 = htonl(par1); 1538 ch->par2 = htonl(par2); 1539 ch->rel = -1; 1540 1541 ch->time0 = htons((u_short)(t >> 16)); 1542 ch->time1 = htons((u_short) t); 1543 1544 if (debug) 1545 log(LOG_DEBUG, 1546 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1547 ifp->if_xname, ntohl(ch->type), ch->par1, 1548 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1549 (u_int)ch->time1); 1550 1551 if (IF_QFULL(&sp->pp_cpq)) { 1552 IF_DROP(&sp->pp_fastq); 1553 IF_DROP(&ifp->if_snd); 1554 m_freem(m); 1555 if_statinc(ifp, if_oerrors); 1556 return; 1557 } 1558 1559 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 1560 IF_ENQUEUE(&sp->pp_cpq, m); 1561 1562 if (! (ifp->if_flags & IFF_OACTIVE)) { 1563 SPPP_UNLOCK(sp); 1564 if_start_lock(ifp); 1565 SPPP_LOCK(sp, RW_WRITER); 1566 } 1567 } 1568 1569 /* 1570 * PPP protocol implementation. 1571 */ 1572 1573 /* 1574 * Send PPP control protocol packet. 1575 */ 1576 static void 1577 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1578 u_char ident, u_short len, void *data) 1579 { 1580 STDDCL; 1581 struct lcp_header *lh; 1582 struct mbuf *m; 1583 size_t pkthdrlen; 1584 1585 KASSERT(SPPP_WLOCKED(sp)); 1586 1587 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1588 1589 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1590 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1591 MGETHDR(m, M_DONTWAIT, MT_DATA); 1592 if (! m) { 1593 return; 1594 } 1595 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1596 m_reset_rcvif(m); 1597 1598 if (sp->pp_flags & PP_NOFRAMING) { 1599 *mtod(m, uint16_t *) = htons(proto); 1600 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1601 } else { 1602 struct ppp_header *h; 1603 h = mtod(m, struct ppp_header *); 1604 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1605 h->control = PPP_UI; /* Unnumbered Info */ 1606 h->protocol = htons(proto); /* Link Control Protocol */ 1607 lh = (struct lcp_header *)(h + 1); 1608 } 1609 lh->type = type; 1610 lh->ident = ident; 1611 lh->len = htons(LCP_HEADER_LEN + len); 1612 if (len) 1613 memcpy(lh + 1, data, len); 1614 1615 if (debug) { 1616 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1617 ifp->if_xname, 1618 sppp_proto_name(proto), 1619 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len)); 1620 if (len) 1621 sppp_print_bytes((u_char *)(lh + 1), len); 1622 addlog(">\n"); 1623 } 1624 if (IF_QFULL(&sp->pp_cpq)) { 1625 IF_DROP(&sp->pp_fastq); 1626 IF_DROP(&ifp->if_snd); 1627 m_freem(m); 1628 if_statinc(ifp, if_oerrors); 1629 return; 1630 } 1631 1632 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 1633 IF_ENQUEUE(&sp->pp_cpq, m); 1634 1635 1636 if (! (ifp->if_flags & IFF_OACTIVE)) { 1637 SPPP_UNLOCK(sp); 1638 if_start_lock(ifp); 1639 SPPP_LOCK(sp, RW_WRITER); 1640 } 1641 } 1642 1643 /* 1644 * Handle incoming PPP control protocol packets. 1645 */ 1646 static void 1647 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1648 { 1649 STDDCL; 1650 struct lcp_header *h; 1651 int printlen, len = m->m_pkthdr.len; 1652 int rv; 1653 u_char *p; 1654 uint32_t u32; 1655 1656 SPPP_LOCK(sp, RW_WRITER); 1657 1658 if (len < 4) { 1659 if (debug) 1660 log(LOG_DEBUG, 1661 "%s: %s invalid packet length: %d bytes\n", 1662 ifp->if_xname, cp->name, len); 1663 SPPP_UNLOCK(sp); 1664 return; 1665 } 1666 h = mtod(m, struct lcp_header *); 1667 if (debug) { 1668 printlen = ntohs(h->len); 1669 log(LOG_DEBUG, 1670 "%s: %s input(%s): <%s id=0x%x len=%d", 1671 ifp->if_xname, cp->name, 1672 sppp_state_name(sp->state[cp->protoidx]), 1673 sppp_cp_type_name(h->type), h->ident, printlen); 1674 if (len < printlen) 1675 printlen = len; 1676 if (printlen > 4) 1677 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1678 addlog(">\n"); 1679 } 1680 if (len > ntohs(h->len)) 1681 len = ntohs(h->len); 1682 p = (u_char *)(h + 1); 1683 switch (h->type) { 1684 case CONF_REQ: 1685 if (len < 4) { 1686 if (debug) 1687 addlog("%s: %s invalid conf-req length %d\n", 1688 ifp->if_xname, cp->name, 1689 len); 1690 if_statinc(ifp, if_ierrors); 1691 break; 1692 } 1693 /* handle states where RCR doesn't get a SCA/SCN */ 1694 switch (sp->state[cp->protoidx]) { 1695 case STATE_CLOSING: 1696 case STATE_STOPPING: 1697 SPPP_UNLOCK(sp); 1698 return; 1699 case STATE_CLOSED: 1700 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1701 0, 0); 1702 SPPP_UNLOCK(sp); 1703 return; 1704 } 1705 rv = (cp->RCR)(sp, h, len); 1706 if (rv < 0) { 1707 /* fatal error, shut down */ 1708 (cp->tld)(sp); 1709 sppp_lcp_tlf(sp); 1710 SPPP_UNLOCK(sp); 1711 return; 1712 } 1713 switch (sp->state[cp->protoidx]) { 1714 case STATE_OPENED: 1715 (cp->tld)(sp); 1716 (cp->scr)(sp); 1717 /* fall through... */ 1718 case STATE_ACK_SENT: 1719 case STATE_REQ_SENT: 1720 sppp_cp_change_state(cp, sp, rv? 1721 STATE_ACK_SENT: STATE_REQ_SENT); 1722 break; 1723 case STATE_STOPPED: 1724 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1725 (cp->scr)(sp); 1726 sppp_cp_change_state(cp, sp, rv? 1727 STATE_ACK_SENT: STATE_REQ_SENT); 1728 break; 1729 case STATE_ACK_RCVD: 1730 if (rv) { 1731 sppp_cp_change_state(cp, sp, STATE_OPENED); 1732 if (debug) 1733 log(LOG_DEBUG, "%s: %s tlu\n", 1734 ifp->if_xname, 1735 cp->name); 1736 (cp->tlu)(sp); 1737 } else 1738 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1739 break; 1740 default: 1741 printf("%s: %s illegal %s in state %s\n", 1742 ifp->if_xname, cp->name, 1743 sppp_cp_type_name(h->type), 1744 sppp_state_name(sp->state[cp->protoidx])); 1745 if_statinc(ifp, if_ierrors); 1746 } 1747 break; 1748 case CONF_ACK: 1749 if (h->ident != sp->confid[cp->protoidx]) { 1750 if (debug) 1751 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1752 ifp->if_xname, cp->name, 1753 h->ident, sp->confid[cp->protoidx]); 1754 if_statinc(ifp, if_ierrors); 1755 break; 1756 } 1757 switch (sp->state[cp->protoidx]) { 1758 case STATE_CLOSED: 1759 case STATE_STOPPED: 1760 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1761 break; 1762 case STATE_CLOSING: 1763 case STATE_STOPPING: 1764 break; 1765 case STATE_REQ_SENT: 1766 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1767 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1768 break; 1769 case STATE_OPENED: 1770 (cp->tld)(sp); 1771 /* fall through */ 1772 case STATE_ACK_RCVD: 1773 (cp->scr)(sp); 1774 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1775 break; 1776 case STATE_ACK_SENT: 1777 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1778 sppp_cp_change_state(cp, sp, STATE_OPENED); 1779 if (debug) 1780 log(LOG_DEBUG, "%s: %s tlu\n", 1781 ifp->if_xname, cp->name); 1782 (cp->tlu)(sp); 1783 break; 1784 default: 1785 printf("%s: %s illegal %s in state %s\n", 1786 ifp->if_xname, cp->name, 1787 sppp_cp_type_name(h->type), 1788 sppp_state_name(sp->state[cp->protoidx])); 1789 if_statinc(ifp, if_ierrors); 1790 } 1791 break; 1792 case CONF_NAK: 1793 case CONF_REJ: 1794 if (h->ident != sp->confid[cp->protoidx]) { 1795 if (debug) 1796 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1797 ifp->if_xname, cp->name, 1798 h->ident, sp->confid[cp->protoidx]); 1799 if_statinc(ifp, if_ierrors); 1800 break; 1801 } 1802 if (h->type == CONF_NAK) 1803 (cp->RCN_nak)(sp, h, len); 1804 else /* CONF_REJ */ 1805 (cp->RCN_rej)(sp, h, len); 1806 1807 switch (sp->state[cp->protoidx]) { 1808 case STATE_CLOSED: 1809 case STATE_STOPPED: 1810 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1811 break; 1812 case STATE_REQ_SENT: 1813 case STATE_ACK_SENT: 1814 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1815 (cp->scr)(sp); 1816 break; 1817 case STATE_OPENED: 1818 (cp->tld)(sp); 1819 /* fall through */ 1820 case STATE_ACK_RCVD: 1821 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 1822 (cp->scr)(sp); 1823 break; 1824 case STATE_CLOSING: 1825 case STATE_STOPPING: 1826 break; 1827 default: 1828 printf("%s: %s illegal %s in state %s\n", 1829 ifp->if_xname, cp->name, 1830 sppp_cp_type_name(h->type), 1831 sppp_state_name(sp->state[cp->protoidx])); 1832 if_statinc(ifp, if_ierrors); 1833 } 1834 break; 1835 1836 case TERM_REQ: 1837 switch (sp->state[cp->protoidx]) { 1838 case STATE_ACK_RCVD: 1839 case STATE_ACK_SENT: 1840 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1841 /* fall through */ 1842 case STATE_CLOSED: 1843 case STATE_STOPPED: 1844 case STATE_CLOSING: 1845 case STATE_STOPPING: 1846 case STATE_REQ_SENT: 1847 sta: 1848 /* Send Terminate-Ack packet. */ 1849 if (debug) 1850 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 1851 ifp->if_xname, cp->name); 1852 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1853 break; 1854 case STATE_OPENED: 1855 (cp->tld)(sp); 1856 sp->rst_counter[cp->protoidx] = 0; 1857 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1858 goto sta; 1859 default: 1860 printf("%s: %s illegal %s in state %s\n", 1861 ifp->if_xname, cp->name, 1862 sppp_cp_type_name(h->type), 1863 sppp_state_name(sp->state[cp->protoidx])); 1864 if_statinc(ifp, if_ierrors); 1865 } 1866 break; 1867 case TERM_ACK: 1868 switch (sp->state[cp->protoidx]) { 1869 case STATE_CLOSED: 1870 case STATE_STOPPED: 1871 case STATE_REQ_SENT: 1872 case STATE_ACK_SENT: 1873 break; 1874 case STATE_CLOSING: 1875 (cp->tlf)(sp); 1876 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1877 sppp_lcp_check_and_close(sp); 1878 break; 1879 case STATE_STOPPING: 1880 (cp->tlf)(sp); 1881 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1882 sppp_lcp_check_and_close(sp); 1883 break; 1884 case STATE_ACK_RCVD: 1885 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1886 break; 1887 case STATE_OPENED: 1888 (cp->tld)(sp); 1889 (cp->scr)(sp); 1890 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1891 break; 1892 default: 1893 printf("%s: %s illegal %s in state %s\n", 1894 ifp->if_xname, cp->name, 1895 sppp_cp_type_name(h->type), 1896 sppp_state_name(sp->state[cp->protoidx])); 1897 if_statinc(ifp, if_ierrors); 1898 } 1899 break; 1900 case CODE_REJ: 1901 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1902 log(LOG_INFO, 1903 "%s: %s: ignoring RXJ (%s) for code ?, " 1904 "danger will robinson\n", 1905 ifp->if_xname, cp->name, 1906 sppp_cp_type_name(h->type)); 1907 switch (sp->state[cp->protoidx]) { 1908 case STATE_CLOSED: 1909 case STATE_STOPPED: 1910 case STATE_REQ_SENT: 1911 case STATE_ACK_SENT: 1912 case STATE_CLOSING: 1913 case STATE_STOPPING: 1914 case STATE_OPENED: 1915 break; 1916 case STATE_ACK_RCVD: 1917 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1918 break; 1919 default: 1920 printf("%s: %s illegal %s in state %s\n", 1921 ifp->if_xname, cp->name, 1922 sppp_cp_type_name(h->type), 1923 sppp_state_name(sp->state[cp->protoidx])); 1924 if_statinc(ifp, if_ierrors); 1925 } 1926 break; 1927 case PROTO_REJ: 1928 { 1929 int catastrophic; 1930 const struct cp *upper; 1931 int i; 1932 uint16_t proto; 1933 1934 catastrophic = 0; 1935 upper = NULL; 1936 proto = p[0] << 8 | p[1]; 1937 for (i = 0; i < IDX_COUNT; i++) { 1938 if (cps[i]->proto == proto) { 1939 upper = cps[i]; 1940 break; 1941 } 1942 } 1943 if (upper == NULL) 1944 catastrophic++; 1945 1946 if (debug) 1947 log(LOG_INFO, 1948 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1949 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1950 sppp_cp_type_name(h->type), proto, 1951 upper ? upper->name : "unknown", 1952 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1953 1954 /* 1955 * if we got RXJ+ against conf-req, the peer does not implement 1956 * this particular protocol type. terminate the protocol. 1957 */ 1958 if (upper && !catastrophic) { 1959 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1960 upper->Close(sp); 1961 break; 1962 } 1963 } 1964 1965 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1966 switch (sp->state[cp->protoidx]) { 1967 case STATE_CLOSED: 1968 case STATE_STOPPED: 1969 case STATE_REQ_SENT: 1970 case STATE_ACK_SENT: 1971 case STATE_CLOSING: 1972 case STATE_STOPPING: 1973 case STATE_OPENED: 1974 break; 1975 case STATE_ACK_RCVD: 1976 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1977 break; 1978 default: 1979 printf("%s: %s illegal %s in state %s\n", 1980 ifp->if_xname, cp->name, 1981 sppp_cp_type_name(h->type), 1982 sppp_state_name(sp->state[cp->protoidx])); 1983 if_statinc(ifp, if_ierrors); 1984 } 1985 break; 1986 } 1987 case DISC_REQ: 1988 if (cp->proto != PPP_LCP) 1989 goto illegal; 1990 /* Discard the packet. */ 1991 break; 1992 case ECHO_REQ: 1993 if (cp->proto != PPP_LCP) 1994 goto illegal; 1995 if (sp->state[cp->protoidx] != STATE_OPENED) { 1996 if (debug) 1997 addlog("%s: lcp echo req but lcp closed\n", 1998 ifp->if_xname); 1999 if_statinc(ifp, if_ierrors); 2000 break; 2001 } 2002 if (len < 8) { 2003 if (debug) 2004 addlog("%s: invalid lcp echo request " 2005 "packet length: %d bytes\n", 2006 ifp->if_xname, len); 2007 break; 2008 } 2009 memcpy(&u32, h + 1, sizeof u32); 2010 if (ntohl(u32) == sp->lcp.magic) { 2011 /* Line loopback mode detected. */ 2012 printf("%s: loopback\n", ifp->if_xname); 2013 SPPP_UNLOCK(sp); 2014 if_down(ifp); 2015 SPPP_LOCK(sp, RW_WRITER); 2016 2017 IF_PURGE(&sp->pp_cpq); 2018 2019 /* Shut down the PPP link. */ 2020 /* XXX */ 2021 lcp.Down(sp); 2022 lcp.Up(sp); 2023 break; 2024 } 2025 u32 = htonl(sp->lcp.magic); 2026 memcpy(h + 1, &u32, sizeof u32); 2027 if (debug) 2028 addlog("%s: got lcp echo req, sending echo rep\n", 2029 ifp->if_xname); 2030 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 2031 h + 1); 2032 break; 2033 case ECHO_REPLY: 2034 if (cp->proto != PPP_LCP) 2035 goto illegal; 2036 if (h->ident != sp->lcp.echoid) { 2037 if_statinc(ifp, if_ierrors); 2038 break; 2039 } 2040 if (len < 8) { 2041 if (debug) 2042 addlog("%s: lcp invalid echo reply " 2043 "packet length: %d bytes\n", 2044 ifp->if_xname, len); 2045 break; 2046 } 2047 if (debug) 2048 addlog("%s: lcp got echo rep\n", 2049 ifp->if_xname); 2050 memcpy(&u32, h + 1, sizeof u32); 2051 if (ntohl(u32) != sp->lcp.magic) 2052 sp->pp_alivecnt = 0; 2053 break; 2054 default: 2055 /* Unknown packet type -- send Code-Reject packet. */ 2056 illegal: 2057 if (debug) 2058 addlog("%s: %s send code-rej for 0x%x\n", 2059 ifp->if_xname, cp->name, h->type); 2060 sppp_cp_send(sp, cp->proto, CODE_REJ, 2061 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 2062 if_statinc(ifp, if_ierrors); 2063 } 2064 2065 SPPP_UNLOCK(sp); 2066 } 2067 2068 2069 /* 2070 * The generic part of all Up/Down/Open/Close/TO event handlers. 2071 * Basically, the state transition handling in the automaton. 2072 */ 2073 static void 2074 sppp_up_event(const struct cp *cp, struct sppp *sp) 2075 { 2076 STDDCL; 2077 2078 KASSERT(SPPP_WLOCKED(sp)); 2079 2080 if (debug) 2081 log(LOG_DEBUG, "%s: %s up(%s)\n", 2082 ifp->if_xname, cp->name, 2083 sppp_state_name(sp->state[cp->protoidx])); 2084 2085 switch (sp->state[cp->protoidx]) { 2086 case STATE_INITIAL: 2087 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2088 break; 2089 case STATE_STARTING: 2090 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 2091 (cp->scr)(sp); 2092 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2093 break; 2094 default: 2095 printf("%s: %s illegal up in state %s\n", 2096 ifp->if_xname, cp->name, 2097 sppp_state_name(sp->state[cp->protoidx])); 2098 } 2099 } 2100 2101 static void 2102 sppp_down_event(const struct cp *cp, struct sppp *sp) 2103 { 2104 STDDCL; 2105 2106 KASSERT(SPPP_WLOCKED(sp)); 2107 2108 if (debug) 2109 log(LOG_DEBUG, "%s: %s down(%s)\n", 2110 ifp->if_xname, cp->name, 2111 sppp_state_name(sp->state[cp->protoidx])); 2112 2113 switch (sp->state[cp->protoidx]) { 2114 case STATE_CLOSED: 2115 case STATE_CLOSING: 2116 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2117 break; 2118 case STATE_STOPPED: 2119 (cp->tls)(sp); 2120 /* fall through */ 2121 case STATE_STOPPING: 2122 case STATE_REQ_SENT: 2123 case STATE_ACK_RCVD: 2124 case STATE_ACK_SENT: 2125 sppp_cp_change_state(cp, sp, STATE_STARTING); 2126 break; 2127 case STATE_OPENED: 2128 (cp->tld)(sp); 2129 sppp_cp_change_state(cp, sp, STATE_STARTING); 2130 break; 2131 default: 2132 printf("%s: %s illegal down in state %s\n", 2133 ifp->if_xname, cp->name, 2134 sppp_state_name(sp->state[cp->protoidx])); 2135 } 2136 } 2137 2138 2139 static void 2140 sppp_open_event(const struct cp *cp, struct sppp *sp) 2141 { 2142 STDDCL; 2143 2144 KASSERT(SPPP_WLOCKED(sp)); 2145 2146 if (debug) 2147 log(LOG_DEBUG, "%s: %s open(%s)\n", 2148 ifp->if_xname, cp->name, 2149 sppp_state_name(sp->state[cp->protoidx])); 2150 2151 switch (sp->state[cp->protoidx]) { 2152 case STATE_INITIAL: 2153 sppp_cp_change_state(cp, sp, STATE_STARTING); 2154 (cp->tls)(sp); 2155 break; 2156 case STATE_STARTING: 2157 break; 2158 case STATE_CLOSED: 2159 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 2160 (cp->scr)(sp); 2161 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2162 break; 2163 case STATE_STOPPED: 2164 case STATE_STOPPING: 2165 case STATE_REQ_SENT: 2166 case STATE_ACK_RCVD: 2167 case STATE_ACK_SENT: 2168 case STATE_OPENED: 2169 break; 2170 case STATE_CLOSING: 2171 sppp_cp_change_state(cp, sp, STATE_STOPPING); 2172 break; 2173 } 2174 } 2175 2176 2177 static void 2178 sppp_close_event(const struct cp *cp, struct sppp *sp) 2179 { 2180 STDDCL; 2181 2182 KASSERT(SPPP_WLOCKED(sp)); 2183 2184 if (debug) 2185 log(LOG_DEBUG, "%s: %s close(%s)\n", 2186 ifp->if_xname, cp->name, 2187 sppp_state_name(sp->state[cp->protoidx])); 2188 2189 switch (sp->state[cp->protoidx]) { 2190 case STATE_INITIAL: 2191 case STATE_CLOSED: 2192 case STATE_CLOSING: 2193 break; 2194 case STATE_STARTING: 2195 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2196 (cp->tlf)(sp); 2197 break; 2198 case STATE_STOPPED: 2199 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2200 break; 2201 case STATE_STOPPING: 2202 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2203 break; 2204 case STATE_OPENED: 2205 (cp->tld)(sp); 2206 /* fall through */ 2207 case STATE_REQ_SENT: 2208 case STATE_ACK_RCVD: 2209 case STATE_ACK_SENT: 2210 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 2211 sppp_cp_send(sp, cp->proto, TERM_REQ, 2212 ++sp->pp_seq[cp->protoidx], 0, 0); 2213 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2214 break; 2215 } 2216 } 2217 2218 static void 2219 sppp_to_event(const struct cp *cp, struct sppp *sp) 2220 { 2221 STDDCL; 2222 int s; 2223 2224 KASSERT(SPPP_WLOCKED(sp)); 2225 2226 s = splnet(); 2227 2228 if (debug) 2229 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 2230 ifp->if_xname, cp->name, 2231 sppp_state_name(sp->state[cp->protoidx]), 2232 sp->rst_counter[cp->protoidx]); 2233 2234 if (--sp->rst_counter[cp->protoidx] < 0) 2235 /* TO- event */ 2236 switch (sp->state[cp->protoidx]) { 2237 case STATE_CLOSING: 2238 (cp->tlf)(sp); 2239 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2240 sppp_lcp_check_and_close(sp); 2241 break; 2242 case STATE_STOPPING: 2243 (cp->tlf)(sp); 2244 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2245 sppp_lcp_check_and_close(sp); 2246 break; 2247 case STATE_REQ_SENT: 2248 case STATE_ACK_RCVD: 2249 case STATE_ACK_SENT: 2250 (cp->tlf)(sp); 2251 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2252 sppp_lcp_check_and_close(sp); 2253 break; 2254 } 2255 else 2256 /* TO+ event */ 2257 switch (sp->state[cp->protoidx]) { 2258 case STATE_CLOSING: 2259 case STATE_STOPPING: 2260 sppp_cp_send(sp, cp->proto, TERM_REQ, 2261 ++sp->pp_seq[cp->protoidx], 0, 0); 2262 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2263 cp->TO, sp); 2264 break; 2265 case STATE_REQ_SENT: 2266 case STATE_ACK_RCVD: 2267 (cp->scr)(sp); 2268 /* sppp_cp_change_state() will restart the timer */ 2269 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2270 break; 2271 case STATE_ACK_SENT: 2272 (cp->scr)(sp); 2273 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2274 cp->TO, sp); 2275 break; 2276 } 2277 2278 splx(s); 2279 } 2280 2281 /* 2282 * Change the state of a control protocol in the state automaton. 2283 * Takes care of starting/stopping the restart timer. 2284 */ 2285 void 2286 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2287 { 2288 2289 KASSERT(SPPP_WLOCKED(sp)); 2290 2291 sp->state[cp->protoidx] = newstate; 2292 callout_stop(&sp->ch[cp->protoidx]); 2293 switch (newstate) { 2294 case STATE_INITIAL: 2295 case STATE_STARTING: 2296 case STATE_CLOSED: 2297 case STATE_STOPPED: 2298 case STATE_OPENED: 2299 break; 2300 case STATE_CLOSING: 2301 case STATE_STOPPING: 2302 case STATE_REQ_SENT: 2303 case STATE_ACK_RCVD: 2304 case STATE_ACK_SENT: 2305 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2306 cp->TO, sp); 2307 break; 2308 } 2309 } 2310 2311 /* 2312 *--------------------------------------------------------------------------* 2313 * * 2314 * The LCP implementation. * 2315 * * 2316 *--------------------------------------------------------------------------* 2317 */ 2318 static void 2319 sppp_lcp_init(struct sppp *sp) 2320 { 2321 2322 KASSERT(SPPP_WLOCKED(sp)); 2323 2324 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2325 sp->lcp.magic = 0; 2326 sp->state[IDX_LCP] = STATE_INITIAL; 2327 sp->fail_counter[IDX_LCP] = 0; 2328 sp->pp_seq[IDX_LCP] = 0; 2329 sp->pp_rseq[IDX_LCP] = 0; 2330 sp->lcp.protos = 0; 2331 2332 /* 2333 * Initialize counters and timeout values. Note that we don't 2334 * use the 3 seconds suggested in RFC 1661 since we are likely 2335 * running on a fast link. XXX We should probably implement 2336 * the exponential backoff option. Note that these values are 2337 * relevant for all control protocols, not just LCP only. 2338 */ 2339 sp->lcp.timeout = 1 * hz; 2340 sp->lcp.max_terminate = 2; 2341 sp->lcp.max_configure = 10; 2342 sp->lcp.max_failure = 10; 2343 callout_init(&sp->ch[IDX_LCP], CALLOUT_MPSAFE); 2344 } 2345 2346 static void 2347 sppp_lcp_up(struct sppp *sp) 2348 { 2349 STDDCL; 2350 2351 KASSERT(SPPP_WLOCKED(sp)); 2352 2353 /* Initialize activity timestamp: opening a connection is an activity */ 2354 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 2355 2356 /* Initialize mlppp state */ 2357 sp->lcp.mrru = sp->lcp.their_mrru = 0; 2358 sp->lcp.ml_prefix = NULL; 2359 sp->lcp.ml_seq_xpctd = 0; 2360 2361 /* 2362 * If this interface is passive or dial-on-demand, and we are 2363 * still in Initial state, it means we've got an incoming 2364 * call. Activate the interface. 2365 */ 2366 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2367 if (debug) 2368 log(LOG_DEBUG, 2369 "%s: Up event", ifp->if_xname); 2370 ifp->if_flags |= IFF_RUNNING; 2371 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2372 if (debug) 2373 addlog("(incoming call)\n"); 2374 sp->pp_flags |= PP_CALLIN; 2375 lcp.Open(sp); 2376 } else if (debug) 2377 addlog("\n"); 2378 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2379 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2380 ifp->if_flags |= IFF_RUNNING; 2381 lcp.Open(sp); 2382 } 2383 2384 sppp_up_event(&lcp, sp); 2385 } 2386 2387 static void 2388 sppp_lcp_down(struct sppp *sp) 2389 { 2390 STDDCL; 2391 2392 KASSERT(SPPP_WLOCKED(sp)); 2393 2394 sppp_down_event(&lcp, sp); 2395 2396 /* 2397 * If this is neither a dial-on-demand nor a passive 2398 * interface, simulate an ``ifconfig down'' action, so the 2399 * administrator can force a redial by another ``ifconfig 2400 * up''. XXX For leased line operation, should we immediately 2401 * try to reopen the connection here? 2402 */ 2403 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2404 if (debug) 2405 log(LOG_INFO, 2406 "%s: Down event (carrier loss), taking interface down.\n", 2407 ifp->if_xname); 2408 SPPP_UNLOCK(sp); 2409 if_down(ifp); 2410 SPPP_LOCK(sp, RW_WRITER); 2411 } else { 2412 if (debug) 2413 log(LOG_DEBUG, 2414 "%s: Down event (carrier loss)\n", 2415 ifp->if_xname); 2416 } 2417 sp->fail_counter[IDX_LCP] = 0; 2418 sp->pp_flags &= ~PP_CALLIN; 2419 if (sp->state[IDX_LCP] != STATE_INITIAL) 2420 lcp.Close(sp); 2421 ifp->if_flags &= ~IFF_RUNNING; 2422 } 2423 2424 static void 2425 sppp_lcp_open(struct sppp *sp) 2426 { 2427 2428 KASSERT(SPPP_WLOCKED(sp)); 2429 2430 if (sp->pp_if.if_mtu < PP_MTU) { 2431 sp->lcp.mru = sp->pp_if.if_mtu; 2432 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2433 } else 2434 sp->lcp.mru = PP_MTU; 2435 sp->lcp.their_mru = PP_MTU; 2436 2437 /* 2438 * If we are authenticator, negotiate LCP_AUTH 2439 */ 2440 if (sp->hisauth.proto != 0) 2441 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2442 else 2443 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2444 sp->pp_flags &= ~PP_NEEDAUTH; 2445 sppp_open_event(&lcp, sp); 2446 } 2447 2448 static void 2449 sppp_lcp_close(struct sppp *sp) 2450 { 2451 2452 KASSERT(SPPP_WLOCKED(sp)); 2453 sppp_close_event(&lcp, sp); 2454 } 2455 2456 static void 2457 sppp_lcp_TO(void *cookie) 2458 { 2459 struct sppp *sp = (struct sppp*)cookie; 2460 2461 SPPP_LOCK(sp, RW_WRITER); 2462 sppp_to_event(&lcp, sp); 2463 SPPP_UNLOCK(sp); 2464 } 2465 2466 /* 2467 * Analyze a configure request. Return true if it was agreeable, and 2468 * caused action sca, false if it has been rejected or nak'ed, and 2469 * caused action scn. (The return value is used to make the state 2470 * transition decision in the state automaton.) 2471 */ 2472 static int 2473 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2474 { 2475 STDDCL; 2476 u_char *buf, *r, *p, l, blen; 2477 int origlen, rlen; 2478 uint32_t nmagic; 2479 u_short authproto; 2480 2481 KASSERT(SPPP_WLOCKED(sp)); 2482 2483 len -= 4; 2484 origlen = len; 2485 buf = r = malloc (blen = len, M_TEMP, M_NOWAIT); 2486 if (! buf) 2487 return (0); 2488 2489 if (debug) 2490 log(LOG_DEBUG, "%s: lcp parse opts:", 2491 ifp->if_xname); 2492 2493 /* pass 1: check for things that need to be rejected */ 2494 p = (void *)(h + 1); 2495 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2496 /* Sanity check option length */ 2497 if (l > len) { 2498 /* 2499 * Malicious option - drop immediately. 2500 * XXX Maybe we should just RXJ it? 2501 */ 2502 addlog("%s: received malicious LCP option 0x%02x, " 2503 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2504 p[0], l, len); 2505 goto drop; 2506 } 2507 if (debug) 2508 addlog(" %s", sppp_lcp_opt_name(*p)); 2509 switch (*p) { 2510 case LCP_OPT_MAGIC: 2511 /* Magic number. */ 2512 /* fall through, both are same length */ 2513 case LCP_OPT_ASYNC_MAP: 2514 /* Async control character map. */ 2515 if (len >= 6 || l == 6) 2516 continue; 2517 if (debug) 2518 addlog(" [invalid]"); 2519 break; 2520 case LCP_OPT_MP_EID: 2521 if (len >= l && l >= 3) { 2522 switch (p[2]) { 2523 case 0: if (l==3+ 0) continue;break; 2524 case 2: if (l==3+ 4) continue;break; 2525 case 3: if (l==3+ 6) continue;break; 2526 case 6: if (l==3+16) continue;break; 2527 case 1: /* FALLTHROUGH */ 2528 case 4: if (l<=3+20) continue;break; 2529 case 5: if (l<=3+15) continue;break; 2530 /* XXX should it be default: continue;? */ 2531 } 2532 } 2533 if (debug) 2534 addlog(" [invalid class %d len %d]", p[2], l); 2535 break; 2536 case LCP_OPT_MP_SSNHF: 2537 if (len >= 2 && l == 2) { 2538 if (debug) 2539 addlog(" [rej]"); 2540 break; 2541 } 2542 if (debug) 2543 addlog(" [invalid]"); 2544 break; 2545 case LCP_OPT_MP_MRRU: 2546 /* Multilink maximum received reconstructed unit */ 2547 /* should be fall through, both are same length */ 2548 /* FALLTHROUGH */ 2549 case LCP_OPT_MRU: 2550 /* Maximum receive unit. */ 2551 if (len >= 4 && l == 4) 2552 continue; 2553 if (debug) 2554 addlog(" [invalid]"); 2555 break; 2556 case LCP_OPT_AUTH_PROTO: 2557 if (len < 4) { 2558 if (debug) 2559 addlog(" [invalid]"); 2560 break; 2561 } 2562 authproto = (p[2] << 8) + p[3]; 2563 if (authproto == PPP_CHAP && l != 5) { 2564 if (debug) 2565 addlog(" [invalid chap len]"); 2566 break; 2567 } 2568 if (sp->myauth.proto == 0) { 2569 /* we are not configured to do auth */ 2570 if (debug) 2571 addlog(" [not configured]"); 2572 break; 2573 } 2574 /* 2575 * Remote want us to authenticate, remember this, 2576 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2577 * up. 2578 */ 2579 sp->pp_flags |= PP_NEEDAUTH; 2580 continue; 2581 default: 2582 /* Others not supported. */ 2583 if (debug) 2584 addlog(" [rej]"); 2585 break; 2586 } 2587 if (rlen + l > blen) { 2588 if (debug) 2589 addlog(" [overflow]"); 2590 continue; 2591 } 2592 /* Add the option to rejected list. */ 2593 memcpy(r, p, l); 2594 r += l; 2595 rlen += l; 2596 } 2597 if (rlen) { 2598 if (debug) 2599 addlog(" send conf-rej\n"); 2600 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2601 goto end; 2602 } else if (debug) 2603 addlog("\n"); 2604 2605 /* 2606 * pass 2: check for option values that are unacceptable and 2607 * thus require to be nak'ed. 2608 */ 2609 if (debug) 2610 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2611 ifp->if_xname); 2612 2613 p = (void *)(h + 1); 2614 len = origlen; 2615 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2616 if (debug) 2617 addlog(" %s", sppp_lcp_opt_name(*p)); 2618 switch (*p) { 2619 case LCP_OPT_MAGIC: 2620 /* Magic number -- extract. */ 2621 nmagic = (uint32_t)p[2] << 24 | 2622 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2623 if (nmagic != sp->lcp.magic) { 2624 if (debug) 2625 addlog(" 0x%x", nmagic); 2626 continue; 2627 } 2628 /* 2629 * Local and remote magics equal -- loopback? 2630 */ 2631 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2632 printf ("%s: loopback\n", 2633 ifp->if_xname); 2634 sp->pp_loopcnt = 0; 2635 if (ifp->if_flags & IFF_UP) { 2636 SPPP_UNLOCK(sp); 2637 if_down(ifp); 2638 SPPP_LOCK(sp, RW_WRITER); 2639 2640 IF_PURGE(&sp->pp_cpq); 2641 /* XXX ? */ 2642 lcp.Down(sp); 2643 lcp.Up(sp); 2644 } 2645 } else if (debug) 2646 addlog(" [glitch]"); 2647 ++sp->pp_loopcnt; 2648 /* 2649 * We negate our magic here, and NAK it. If 2650 * we see it later in an NAK packet, we 2651 * suggest a new one. 2652 */ 2653 nmagic = ~sp->lcp.magic; 2654 /* Gonna NAK it. */ 2655 p[2] = nmagic >> 24; 2656 p[3] = nmagic >> 16; 2657 p[4] = nmagic >> 8; 2658 p[5] = nmagic; 2659 break; 2660 2661 case LCP_OPT_ASYNC_MAP: 2662 /* 2663 * Async control character map -- just ignore it. 2664 * 2665 * Quote from RFC 1662, chapter 6: 2666 * To enable this functionality, synchronous PPP 2667 * implementations MUST always respond to the 2668 * Async-Control-Character-Map Configuration 2669 * Option with the LCP Configure-Ack. However, 2670 * acceptance of the Configuration Option does 2671 * not imply that the synchronous implementation 2672 * will do any ACCM mapping. Instead, all such 2673 * octet mapping will be performed by the 2674 * asynchronous-to-synchronous converter. 2675 */ 2676 continue; 2677 2678 case LCP_OPT_MRU: 2679 /* 2680 * Maximum receive unit. Always agreeable, 2681 * but ignored by now. 2682 */ 2683 sp->lcp.their_mru = p[2] * 256 + p[3]; 2684 if (debug) 2685 addlog(" %ld", sp->lcp.their_mru); 2686 continue; 2687 2688 case LCP_OPT_AUTH_PROTO: 2689 authproto = (p[2] << 8) + p[3]; 2690 if (sp->myauth.proto != authproto) { 2691 /* not agreed, nak */ 2692 if (debug) 2693 addlog(" [mine %s != his %s]", 2694 sppp_proto_name(sp->myauth.proto), 2695 sppp_proto_name(authproto)); 2696 p[2] = sp->myauth.proto >> 8; 2697 p[3] = sp->myauth.proto; 2698 break; 2699 } 2700 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2701 if (debug) 2702 addlog(" [chap not MD5]"); 2703 p[4] = CHAP_MD5; 2704 break; 2705 } 2706 continue; 2707 case LCP_OPT_MP_EID: 2708 /* 2709 * Endpoint identification. 2710 * Always agreeable, 2711 * but ignored by now. 2712 */ 2713 if (debug) { 2714 addlog(" class %d", p[2]); 2715 sppp_print_bytes(p+3, p[1]-3); 2716 } 2717 continue; 2718 case LCP_OPT_MP_MRRU: 2719 /* 2720 * Maximum received reconstructed unit. 2721 * Always agreeable, 2722 * but ignored by now. 2723 */ 2724 sp->lcp.their_mrru = p[2] * 256 + p[3]; 2725 if (debug) 2726 addlog(" %ld", sp->lcp.their_mrru); 2727 continue; 2728 } 2729 if (rlen + l > blen) { 2730 if (debug) 2731 addlog(" [overflow]"); 2732 continue; 2733 } 2734 /* Add the option to nak'ed list. */ 2735 memcpy(r, p, l); 2736 r += l; 2737 rlen += l; 2738 } 2739 if (rlen) { 2740 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2741 if (debug) 2742 addlog(" max_failure (%d) exceeded, " 2743 "send conf-rej\n", 2744 sp->lcp.max_failure); 2745 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2746 } else { 2747 if (debug) 2748 addlog(" send conf-nak\n"); 2749 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2750 } 2751 goto end; 2752 } else { 2753 if (debug) 2754 addlog(" send conf-ack\n"); 2755 sp->fail_counter[IDX_LCP] = 0; 2756 sp->pp_loopcnt = 0; 2757 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1); 2758 } 2759 2760 end: 2761 free(buf, M_TEMP); 2762 return (rlen == 0); 2763 2764 drop: 2765 free(buf, M_TEMP); 2766 return -1; 2767 } 2768 2769 /* 2770 * Analyze the LCP Configure-Reject option list, and adjust our 2771 * negotiation. 2772 */ 2773 static void 2774 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2775 { 2776 STDDCL; 2777 u_char *buf, *p, l; 2778 2779 KASSERT(SPPP_WLOCKED(sp)); 2780 2781 len -= 4; 2782 buf = malloc (len, M_TEMP, M_NOWAIT); 2783 if (!buf) 2784 return; 2785 2786 if (debug) 2787 log(LOG_DEBUG, "%s: lcp rej opts:", 2788 ifp->if_xname); 2789 2790 p = (void *)(h + 1); 2791 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2792 /* Sanity check option length */ 2793 if (l > len) { 2794 /* 2795 * Malicious option - drop immediately. 2796 * XXX Maybe we should just RXJ it? 2797 */ 2798 addlog("%s: received malicious LCP option, " 2799 "dropping.\n", ifp->if_xname); 2800 goto drop; 2801 } 2802 if (debug) 2803 addlog(" %s", sppp_lcp_opt_name(*p)); 2804 switch (*p) { 2805 case LCP_OPT_MAGIC: 2806 /* Magic number -- can't use it, use 0 */ 2807 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2808 sp->lcp.magic = 0; 2809 break; 2810 case LCP_OPT_MRU: 2811 /* 2812 * We try to negotiate a lower MRU if the underlying 2813 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 2814 * peer rejects this lower rate, fallback to the 2815 * default. 2816 */ 2817 if (debug) { 2818 addlog("%s: warning: peer rejected our MRU of " 2819 "%ld bytes. Defaulting to %d bytes\n", 2820 ifp->if_xname, sp->lcp.mru, PP_MTU); 2821 } 2822 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2823 sp->lcp.mru = PP_MTU; 2824 break; 2825 case LCP_OPT_AUTH_PROTO: 2826 /* 2827 * Peer doesn't want to authenticate himself, 2828 * deny unless this is a dialout call, and 2829 * SPPP_AUTHFLAG_NOCALLOUT is set. 2830 */ 2831 if ((sp->pp_flags & PP_CALLIN) == 0 && 2832 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 2833 if (debug) 2834 addlog(" [don't insist on auth " 2835 "for callout]"); 2836 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2837 break; 2838 } 2839 if (debug) 2840 addlog("[access denied]\n"); 2841 lcp.Close(sp); 2842 break; 2843 } 2844 } 2845 if (debug) 2846 addlog("\n"); 2847 drop: 2848 free(buf, M_TEMP); 2849 return; 2850 } 2851 2852 /* 2853 * Analyze the LCP Configure-NAK option list, and adjust our 2854 * negotiation. 2855 */ 2856 static void 2857 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2858 { 2859 STDDCL; 2860 u_char *buf, *p, l, blen; 2861 uint32_t magic; 2862 2863 KASSERT(SPPP_WLOCKED(sp)); 2864 2865 len -= 4; 2866 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 2867 if (!buf) 2868 return; 2869 2870 if (debug) 2871 log(LOG_DEBUG, "%s: lcp nak opts:", 2872 ifp->if_xname); 2873 2874 p = (void *)(h + 1); 2875 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2876 /* Sanity check option length */ 2877 if (l > len) { 2878 /* 2879 * Malicious option - drop immediately. 2880 * XXX Maybe we should just RXJ it? 2881 */ 2882 addlog("%s: received malicious LCP option, " 2883 "dropping.\n", ifp->if_xname); 2884 goto drop; 2885 } 2886 if (debug) 2887 addlog(" %s", sppp_lcp_opt_name(*p)); 2888 switch (*p) { 2889 case LCP_OPT_MAGIC: 2890 /* Magic number -- renegotiate */ 2891 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2892 len >= 6 && l == 6) { 2893 magic = (uint32_t)p[2] << 24 | 2894 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2895 /* 2896 * If the remote magic is our negated one, 2897 * this looks like a loopback problem. 2898 * Suggest a new magic to make sure. 2899 */ 2900 if (magic == ~sp->lcp.magic) { 2901 if (debug) 2902 addlog(" magic glitch"); 2903 sp->lcp.magic = cprng_fast32(); 2904 } else { 2905 sp->lcp.magic = magic; 2906 if (debug) 2907 addlog(" %d", magic); 2908 } 2909 } 2910 break; 2911 case LCP_OPT_MRU: 2912 /* 2913 * Peer wants to advise us to negotiate an MRU. 2914 * Agree on it if it's reasonable, or use 2915 * default otherwise. 2916 */ 2917 if (len >= 4 && l == 4) { 2918 u_int mru = p[2] * 256 + p[3]; 2919 if (debug) 2920 addlog(" %d", mru); 2921 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 2922 mru = sp->pp_if.if_mtu; 2923 sp->lcp.mru = mru; 2924 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2925 } 2926 break; 2927 case LCP_OPT_AUTH_PROTO: 2928 /* 2929 * Peer doesn't like our authentication method, 2930 * deny. 2931 */ 2932 if (debug) 2933 addlog("[access denied]\n"); 2934 lcp.Close(sp); 2935 break; 2936 } 2937 } 2938 if (debug) 2939 addlog("\n"); 2940 drop: 2941 free(buf, M_TEMP); 2942 return; 2943 } 2944 2945 static void 2946 sppp_lcp_tlu(struct sppp *sp) 2947 { 2948 struct ifnet *ifp = &sp->pp_if; 2949 int i; 2950 uint32_t mask; 2951 2952 KASSERT(SPPP_WLOCKED(sp)); 2953 2954 /* XXX ? */ 2955 if (! (ifp->if_flags & IFF_UP) && 2956 (ifp->if_flags & IFF_RUNNING)) { 2957 /* Coming out of loopback mode. */ 2958 SPPP_UNLOCK(sp); 2959 if_up(ifp); 2960 SPPP_LOCK(sp, RW_WRITER); 2961 } 2962 2963 for (i = 0; i < IDX_COUNT; i++) 2964 if ((cps[i])->flags & CP_QUAL) 2965 (cps[i])->Open(sp); 2966 2967 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2968 (sp->pp_flags & PP_NEEDAUTH) != 0) 2969 sppp_change_phase(sp, SPPP_PHASE_AUTHENTICATE); 2970 else 2971 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 2972 2973 /* 2974 * Open all authentication protocols. This is even required 2975 * if we already proceeded to network phase, since it might be 2976 * that remote wants us to authenticate, so we might have to 2977 * send a PAP request. Undesired authentication protocols 2978 * don't do anything when they get an Open event. 2979 */ 2980 for (i = 0; i < IDX_COUNT; i++) 2981 if ((cps[i])->flags & CP_AUTH) 2982 (cps[i])->Open(sp); 2983 2984 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 2985 /* Notify all NCPs. */ 2986 for (i = 0; i < IDX_COUNT; i++) 2987 if ((cps[i])->flags & CP_NCP) 2988 (cps[i])->Open(sp); 2989 } 2990 2991 /* Send Up events to all started protos. */ 2992 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) { 2993 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2994 (cps[i])->Up(sp); 2995 } 2996 } 2997 2998 /* notify low-level driver of state change */ 2999 sppp_notify_chg_wlocked(sp); 3000 3001 if (sp->pp_phase == SPPP_PHASE_NETWORK) 3002 /* if no NCP is starting, close down */ 3003 sppp_lcp_check_and_close(sp); 3004 } 3005 3006 static void 3007 sppp_lcp_tld(struct sppp *sp) 3008 { 3009 int i; 3010 uint32_t mask; 3011 3012 KASSERT(SPPP_WLOCKED(sp)); 3013 3014 sppp_change_phase(sp, SPPP_PHASE_TERMINATE); 3015 3016 /* 3017 * Take upper layers down. We send the Down event first and 3018 * the Close second to prevent the upper layers from sending 3019 * ``a flurry of terminate-request packets'', as the RFC 3020 * describes it. 3021 */ 3022 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) { 3023 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 3024 (cps[i])->Down(sp); 3025 (cps[i])->Close(sp); 3026 } 3027 } 3028 } 3029 3030 static void 3031 sppp_lcp_tls(struct sppp *sp) 3032 { 3033 3034 KASSERT(SPPP_WLOCKED(sp)); 3035 3036 3037 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 3038 printf("%s: authentication failed %d times, not retrying again\n", 3039 sp->pp_if.if_xname, sp->pp_auth_failures); 3040 3041 SPPP_UNLOCK(sp); 3042 if_down(&sp->pp_if); 3043 SPPP_LOCK(sp, RW_WRITER); 3044 return; 3045 } 3046 3047 sppp_change_phase(sp, SPPP_PHASE_ESTABLISH); 3048 3049 /* Notify lower layer if desired. */ 3050 sppp_notify_tls_wlocked(sp); 3051 } 3052 3053 static void 3054 sppp_lcp_tlf(struct sppp *sp) 3055 { 3056 3057 KASSERT(SPPP_WLOCKED(sp)); 3058 3059 sppp_change_phase(sp, SPPP_PHASE_DEAD); 3060 3061 /* Notify lower layer if desired. */ 3062 sppp_notify_tlf_wlocked(sp); 3063 } 3064 3065 static void 3066 sppp_lcp_scr(struct sppp *sp) 3067 { 3068 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 3069 int i = 0; 3070 u_short authproto; 3071 3072 KASSERT(SPPP_WLOCKED(sp)); 3073 3074 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 3075 if (! sp->lcp.magic) 3076 sp->lcp.magic = cprng_fast32(); 3077 opt[i++] = LCP_OPT_MAGIC; 3078 opt[i++] = 6; 3079 opt[i++] = sp->lcp.magic >> 24; 3080 opt[i++] = sp->lcp.magic >> 16; 3081 opt[i++] = sp->lcp.magic >> 8; 3082 opt[i++] = sp->lcp.magic; 3083 } 3084 3085 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 3086 opt[i++] = LCP_OPT_MRU; 3087 opt[i++] = 4; 3088 opt[i++] = sp->lcp.mru >> 8; 3089 opt[i++] = sp->lcp.mru; 3090 } 3091 3092 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 3093 authproto = sp->hisauth.proto; 3094 opt[i++] = LCP_OPT_AUTH_PROTO; 3095 opt[i++] = authproto == PPP_CHAP? 5: 4; 3096 opt[i++] = authproto >> 8; 3097 opt[i++] = authproto; 3098 if (authproto == PPP_CHAP) 3099 opt[i++] = CHAP_MD5; 3100 } 3101 3102 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 3103 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 3104 } 3105 3106 /* 3107 * Check the open NCPs, return true if at least one NCP is open. 3108 */ 3109 static int 3110 sppp_ncp_check(struct sppp *sp) 3111 { 3112 int i, mask; 3113 3114 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 3115 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 3116 return 1; 3117 return 0; 3118 } 3119 3120 /* 3121 * Re-check the open NCPs and see if we should terminate the link. 3122 * Called by the NCPs during their tlf action handling. 3123 */ 3124 static void 3125 sppp_lcp_check_and_close(struct sppp *sp) 3126 { 3127 3128 KASSERT(SPPP_WLOCKED(sp)); 3129 3130 if (sp->pp_phase < SPPP_PHASE_NETWORK) 3131 /* don't bother, we are already going down */ 3132 return; 3133 3134 if (sppp_ncp_check(sp)) 3135 return; 3136 lcp.Close(sp); 3137 } 3138 3139 3140 /* 3141 *--------------------------------------------------------------------------* 3142 * * 3143 * The IPCP implementation. * 3144 * * 3145 *--------------------------------------------------------------------------* 3146 */ 3147 3148 static void 3149 sppp_ipcp_init(struct sppp *sp) 3150 { 3151 int error; 3152 3153 KASSERT(SPPP_WLOCKED(sp)); 3154 3155 sp->ipcp.opts = 0; 3156 sp->ipcp.flags = 0; 3157 sp->state[IDX_IPCP] = STATE_INITIAL; 3158 sp->fail_counter[IDX_IPCP] = 0; 3159 sp->pp_seq[IDX_IPCP] = 0; 3160 sp->pp_rseq[IDX_IPCP] = 0; 3161 callout_init(&sp->ch[IDX_IPCP], CALLOUT_MPSAFE); 3162 3163 error = workqueue_create(&sp->ipcp.update_addrs_wq, "ipcp_addr", 3164 sppp_update_ip_addrs_work, sp, PRI_SOFTNET, IPL_NET, 0); 3165 if (error) 3166 panic("%s: update_addrs workqueue_create failed (%d)\n", 3167 __func__, error); 3168 sp->ipcp.update_addrs_q = pcq_create(IPCP_UPDATE_LIMIT, KM_SLEEP); 3169 3170 sp->ipcp.update_addrs_enqueued = 0; 3171 } 3172 3173 static void 3174 sppp_ipcp_up(struct sppp *sp) 3175 { 3176 KASSERT(SPPP_WLOCKED(sp)); 3177 sppp_up_event(&ipcp, sp); 3178 } 3179 3180 static void 3181 sppp_ipcp_down(struct sppp *sp) 3182 { 3183 KASSERT(SPPP_WLOCKED(sp)); 3184 sppp_down_event(&ipcp, sp); 3185 } 3186 3187 static void 3188 sppp_ipcp_open(struct sppp *sp) 3189 { 3190 STDDCL; 3191 uint32_t myaddr, hisaddr; 3192 3193 KASSERT(SPPP_WLOCKED(sp)); 3194 3195 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 3196 sp->ipcp.req_myaddr = 0; 3197 sp->ipcp.req_hisaddr = 0; 3198 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 3199 3200 #ifdef INET 3201 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3202 #else 3203 myaddr = hisaddr = 0; 3204 #endif 3205 /* 3206 * If we don't have his address, this probably means our 3207 * interface doesn't want to talk IP at all. (This could 3208 * be the case if somebody wants to speak only IPX, for 3209 * example.) Don't open IPCP in this case. 3210 */ 3211 if (hisaddr == 0) { 3212 /* XXX this message should go away */ 3213 if (debug) 3214 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 3215 ifp->if_xname); 3216 return; 3217 } 3218 3219 if (myaddr == 0) { 3220 /* 3221 * I don't have an assigned address, so i need to 3222 * negotiate my address. 3223 */ 3224 sp->ipcp.flags |= IPCP_MYADDR_DYN; 3225 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3226 } 3227 if (hisaddr == 1) { 3228 /* 3229 * XXX - remove this hack! 3230 * remote has no valid address, we need to get one assigned. 3231 */ 3232 sp->ipcp.flags |= IPCP_HISADDR_DYN; 3233 } 3234 sppp_open_event(&ipcp, sp); 3235 } 3236 3237 static void 3238 sppp_ipcp_close(struct sppp *sp) 3239 { 3240 3241 KASSERT(SPPP_WLOCKED(sp)); 3242 3243 sppp_close_event(&ipcp, sp); 3244 3245 #ifdef INET 3246 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) 3247 /* 3248 * Some address was dynamic, clear it again. 3249 */ 3250 sppp_clear_ip_addrs(sp); 3251 #endif 3252 } 3253 3254 static void 3255 sppp_ipcp_TO(void *cookie) 3256 { 3257 struct sppp *sp = cookie; 3258 3259 SPPP_LOCK(sp, RW_WRITER); 3260 sppp_to_event(&ipcp, sp); 3261 SPPP_UNLOCK(sp); 3262 } 3263 3264 /* 3265 * Analyze a configure request. Return true if it was agreeable, and 3266 * caused action sca, false if it has been rejected or nak'ed, and 3267 * caused action scn. (The return value is used to make the state 3268 * transition decision in the state automaton.) 3269 */ 3270 static int 3271 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3272 { 3273 u_char *buf, *r, *p, l, blen; 3274 struct ifnet *ifp = &sp->pp_if; 3275 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3276 uint32_t hisaddr, desiredaddr; 3277 3278 KASSERT(SPPP_WLOCKED(sp)); 3279 3280 len -= 4; 3281 origlen = len; 3282 /* 3283 * Make sure to allocate a buf that can at least hold a 3284 * conf-nak with an `address' option. We might need it below. 3285 */ 3286 blen = len < 6 ? 6 : len; 3287 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3288 if (! buf) 3289 return (0); 3290 3291 /* pass 1: see if we can recognize them */ 3292 if (debug) 3293 log(LOG_DEBUG, "%s: ipcp parse opts:", 3294 ifp->if_xname); 3295 p = (void *)(h + 1); 3296 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3297 /* Sanity check option length */ 3298 if (l > len) { 3299 /* XXX should we just RXJ? */ 3300 addlog("%s: malicious IPCP option received, dropping\n", 3301 ifp->if_xname); 3302 goto drop; 3303 } 3304 if (debug) 3305 addlog(" %s", sppp_ipcp_opt_name(*p)); 3306 switch (*p) { 3307 #ifdef notyet 3308 case IPCP_OPT_COMPRESSION: 3309 if (len >= 6 && l >= 6) { 3310 /* correctly formed compress option */ 3311 continue; 3312 } 3313 if (debug) 3314 addlog(" [invalid]"); 3315 break; 3316 #endif 3317 case IPCP_OPT_ADDRESS: 3318 if (len >= 6 && l == 6) { 3319 /* correctly formed address option */ 3320 continue; 3321 } 3322 if (debug) 3323 addlog(" [invalid]"); 3324 break; 3325 default: 3326 /* Others not supported. */ 3327 if (debug) 3328 addlog(" [rej]"); 3329 break; 3330 } 3331 /* Add the option to rejected list. */ 3332 if (rlen + l > blen) { 3333 if (debug) 3334 addlog(" [overflow]"); 3335 continue; 3336 } 3337 memcpy(r, p, l); 3338 r += l; 3339 rlen += l; 3340 } 3341 if (rlen) { 3342 if (debug) 3343 addlog(" send conf-rej\n"); 3344 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 3345 goto end; 3346 } else if (debug) 3347 addlog("\n"); 3348 3349 /* pass 2: parse option values */ 3350 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 3351 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 3352 else 3353 #ifdef INET 3354 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 3355 #else 3356 hisaddr = 0; 3357 #endif 3358 if (debug) 3359 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 3360 ifp->if_xname); 3361 p = (void *)(h + 1); 3362 len = origlen; 3363 for (rlen=0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3364 if (debug) 3365 addlog(" %s", sppp_ipcp_opt_name(*p)); 3366 switch (*p) { 3367 #ifdef notyet 3368 case IPCP_OPT_COMPRESSION: 3369 continue; 3370 #endif 3371 case IPCP_OPT_ADDRESS: 3372 desiredaddr = p[2] << 24 | p[3] << 16 | 3373 p[4] << 8 | p[5]; 3374 if (desiredaddr == hisaddr || 3375 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 3376 /* 3377 * Peer's address is same as our value, 3378 * this is agreeable. Gonna conf-ack 3379 * it. 3380 */ 3381 if (debug) 3382 addlog(" %s [ack]", 3383 sppp_dotted_quad(hisaddr)); 3384 /* record that we've seen it already */ 3385 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 3386 sp->ipcp.req_hisaddr = desiredaddr; 3387 hisaddr = desiredaddr; 3388 continue; 3389 } 3390 /* 3391 * The address wasn't agreeable. This is either 3392 * he sent us 0.0.0.0, asking to assign him an 3393 * address, or he send us another address not 3394 * matching our value. Either case, we gonna 3395 * conf-nak it with our value. 3396 */ 3397 if (debug) { 3398 if (desiredaddr == 0) 3399 addlog(" [addr requested]"); 3400 else 3401 addlog(" %s [not agreed]", 3402 sppp_dotted_quad(desiredaddr)); 3403 } 3404 3405 p[2] = hisaddr >> 24; 3406 p[3] = hisaddr >> 16; 3407 p[4] = hisaddr >> 8; 3408 p[5] = hisaddr; 3409 break; 3410 } 3411 if (rlen + l > blen) { 3412 if (debug) 3413 addlog(" [overflow]"); 3414 continue; 3415 } 3416 /* Add the option to nak'ed list. */ 3417 memcpy(r, p, l); 3418 r += l; 3419 rlen += l; 3420 } 3421 3422 /* 3423 * If we are about to conf-ack the request, but haven't seen 3424 * his address so far, gonna conf-nak it instead, with the 3425 * `address' option present and our idea of his address being 3426 * filled in there, to request negotiation of both addresses. 3427 * 3428 * XXX This can result in an endless req - nak loop if peer 3429 * doesn't want to send us his address. Q: What should we do 3430 * about it? XXX A: implement the max-failure counter. 3431 */ 3432 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) { 3433 buf[0] = IPCP_OPT_ADDRESS; 3434 buf[1] = 6; 3435 buf[2] = hisaddr >> 24; 3436 buf[3] = hisaddr >> 16; 3437 buf[4] = hisaddr >> 8; 3438 buf[5] = hisaddr; 3439 rlen = 6; 3440 if (debug) 3441 addlog(" still need hisaddr"); 3442 } 3443 3444 if (rlen) { 3445 if (debug) 3446 addlog(" send conf-nak\n"); 3447 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3448 } else { 3449 if (debug) 3450 addlog(" send conf-ack\n"); 3451 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1); 3452 } 3453 3454 end: 3455 free(buf, M_TEMP); 3456 return (rlen == 0); 3457 3458 drop: 3459 free(buf, M_TEMP); 3460 return -1; 3461 } 3462 3463 /* 3464 * Analyze the IPCP Configure-Reject option list, and adjust our 3465 * negotiation. 3466 */ 3467 static void 3468 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3469 { 3470 u_char *buf, *p, l, blen; 3471 struct ifnet *ifp = &sp->pp_if; 3472 int debug = ifp->if_flags & IFF_DEBUG; 3473 3474 KASSERT(SPPP_WLOCKED(sp)); 3475 3476 len -= 4; 3477 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3478 if (!buf) 3479 return; 3480 3481 if (debug) 3482 log(LOG_DEBUG, "%s: ipcp rej opts:", 3483 ifp->if_xname); 3484 3485 p = (void *)(h + 1); 3486 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3487 /* Sanity check option length */ 3488 if (l > len) { 3489 /* XXX should we just RXJ? */ 3490 addlog("%s: malicious IPCP option received, dropping\n", 3491 ifp->if_xname); 3492 goto drop; 3493 } 3494 if (debug) 3495 addlog(" %s", sppp_ipcp_opt_name(*p)); 3496 switch (*p) { 3497 case IPCP_OPT_ADDRESS: 3498 /* 3499 * Peer doesn't grok address option. This is 3500 * bad. XXX Should we better give up here? 3501 */ 3502 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3503 break; 3504 #ifdef notyet 3505 case IPCP_OPT_COMPRESS: 3506 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS); 3507 break; 3508 #endif 3509 } 3510 } 3511 if (debug) 3512 addlog("\n"); 3513 drop: 3514 free(buf, M_TEMP); 3515 return; 3516 } 3517 3518 /* 3519 * Analyze the IPCP Configure-NAK option list, and adjust our 3520 * negotiation. 3521 */ 3522 static void 3523 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3524 { 3525 u_char *p, l; 3526 struct ifnet *ifp = &sp->pp_if; 3527 int debug = ifp->if_flags & IFF_DEBUG; 3528 uint32_t wantaddr; 3529 3530 KASSERT(SPPP_WLOCKED(sp)); 3531 3532 len -= 4; 3533 3534 if (debug) 3535 log(LOG_DEBUG, "%s: ipcp nak opts:", 3536 ifp->if_xname); 3537 3538 p = (void *)(h + 1); 3539 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3540 /* Sanity check option length */ 3541 if (l > len) { 3542 /* XXX should we just RXJ? */ 3543 addlog("%s: malicious IPCP option received, dropping\n", 3544 ifp->if_xname); 3545 return; 3546 } 3547 if (debug) 3548 addlog(" %s", sppp_ipcp_opt_name(*p)); 3549 switch (*p) { 3550 case IPCP_OPT_ADDRESS: 3551 /* 3552 * Peer doesn't like our local IP address. See 3553 * if we can do something for him. We'll drop 3554 * him our address then. 3555 */ 3556 if (len >= 6 && l == 6) { 3557 wantaddr = p[2] << 24 | p[3] << 16 | 3558 p[4] << 8 | p[5]; 3559 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3560 if (debug) 3561 addlog(" [wantaddr %s]", 3562 sppp_dotted_quad(wantaddr)); 3563 /* 3564 * When doing dynamic address assignment, 3565 * we accept his offer. Otherwise, we 3566 * ignore it and thus continue to negotiate 3567 * our already existing value. 3568 */ 3569 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3570 if (debug) 3571 addlog(" [agree]"); 3572 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3573 sp->ipcp.req_myaddr = wantaddr; 3574 } 3575 } 3576 break; 3577 3578 case IPCP_OPT_PRIMDNS: 3579 if (len >= 6 && l == 6) { 3580 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 3581 p[4] << 8 | p[5]; 3582 } 3583 break; 3584 3585 case IPCP_OPT_SECDNS: 3586 if (len >= 6 && l == 6) { 3587 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 3588 p[4] << 8 | p[5]; 3589 } 3590 break; 3591 #ifdef notyet 3592 case IPCP_OPT_COMPRESS: 3593 /* 3594 * Peer wants different compression parameters. 3595 */ 3596 break; 3597 #endif 3598 } 3599 } 3600 if (debug) 3601 addlog("\n"); 3602 } 3603 3604 static void 3605 sppp_ipcp_tlu(struct sppp *sp) 3606 { 3607 #ifdef INET 3608 KASSERT(SPPP_WLOCKED(sp)); 3609 /* we are up. Set addresses and notify anyone interested */ 3610 sppp_set_ip_addrs(sp); 3611 #endif 3612 } 3613 3614 static void 3615 sppp_ipcp_tld(struct sppp *sp) 3616 { 3617 3618 KASSERT(SPPP_WLOCKED(sp)); 3619 } 3620 3621 static void 3622 sppp_ipcp_tls(struct sppp *sp) 3623 { 3624 3625 KASSERT(SPPP_WLOCKED(sp)); 3626 /* indicate to LCP that it must stay alive */ 3627 sp->lcp.protos |= (1 << IDX_IPCP); 3628 } 3629 3630 static void 3631 sppp_ipcp_tlf(struct sppp *sp) 3632 { 3633 3634 KASSERT(SPPP_WLOCKED(sp)); 3635 3636 /* we no longer need LCP */ 3637 sp->lcp.protos &= ~(1 << IDX_IPCP); 3638 } 3639 3640 static void 3641 sppp_ipcp_scr(struct sppp *sp) 3642 { 3643 uint8_t opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 3644 #ifdef INET 3645 uint32_t ouraddr; 3646 #endif 3647 int i = 0; 3648 3649 KASSERT(SPPP_WLOCKED(sp)); 3650 3651 #ifdef notyet 3652 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3653 opt[i++] = IPCP_OPT_COMPRESSION; 3654 opt[i++] = 6; 3655 opt[i++] = 0; /* VJ header compression */ 3656 opt[i++] = 0x2d; /* VJ header compression */ 3657 opt[i++] = max_slot_id; 3658 opt[i++] = comp_slot_id; 3659 } 3660 #endif 3661 3662 #ifdef INET 3663 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3664 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) 3665 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 3666 else 3667 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3668 opt[i++] = IPCP_OPT_ADDRESS; 3669 opt[i++] = 6; 3670 opt[i++] = ouraddr >> 24; 3671 opt[i++] = ouraddr >> 16; 3672 opt[i++] = ouraddr >> 8; 3673 opt[i++] = ouraddr; 3674 } 3675 #endif 3676 3677 if (sp->query_dns & 1) { 3678 opt[i++] = IPCP_OPT_PRIMDNS; 3679 opt[i++] = 6; 3680 opt[i++] = sp->dns_addrs[0] >> 24; 3681 opt[i++] = sp->dns_addrs[0] >> 16; 3682 opt[i++] = sp->dns_addrs[0] >> 8; 3683 opt[i++] = sp->dns_addrs[0]; 3684 } 3685 if (sp->query_dns & 2) { 3686 opt[i++] = IPCP_OPT_SECDNS; 3687 opt[i++] = 6; 3688 opt[i++] = sp->dns_addrs[1] >> 24; 3689 opt[i++] = sp->dns_addrs[1] >> 16; 3690 opt[i++] = sp->dns_addrs[1] >> 8; 3691 opt[i++] = sp->dns_addrs[1]; 3692 } 3693 3694 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3695 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3696 } 3697 3698 3699 /* 3700 *--------------------------------------------------------------------------* 3701 * * 3702 * The IPv6CP implementation. * 3703 * * 3704 *--------------------------------------------------------------------------* 3705 */ 3706 3707 #ifdef INET6 3708 static void 3709 sppp_ipv6cp_init(struct sppp *sp) 3710 { 3711 3712 KASSERT(SPPP_WLOCKED(sp)); 3713 3714 sp->ipv6cp.opts = 0; 3715 sp->ipv6cp.flags = 0; 3716 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3717 sp->fail_counter[IDX_IPV6CP] = 0; 3718 sp->pp_seq[IDX_IPV6CP] = 0; 3719 sp->pp_rseq[IDX_IPV6CP] = 0; 3720 callout_init(&sp->ch[IDX_IPV6CP], CALLOUT_MPSAFE); 3721 } 3722 3723 static void 3724 sppp_ipv6cp_up(struct sppp *sp) 3725 { 3726 3727 KASSERT(SPPP_WLOCKED(sp)); 3728 sppp_up_event(&ipv6cp, sp); 3729 } 3730 3731 static void 3732 sppp_ipv6cp_down(struct sppp *sp) 3733 { 3734 3735 KASSERT(SPPP_WLOCKED(sp)); 3736 sppp_down_event(&ipv6cp, sp); 3737 } 3738 3739 static void 3740 sppp_ipv6cp_open(struct sppp *sp) 3741 { 3742 STDDCL; 3743 struct in6_addr myaddr, hisaddr; 3744 3745 KASSERT(SPPP_WLOCKED(sp)); 3746 3747 #ifdef IPV6CP_MYIFID_DYN 3748 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3749 #else 3750 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3751 #endif 3752 3753 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3754 /* 3755 * If we don't have our address, this probably means our 3756 * interface doesn't want to talk IPv6 at all. (This could 3757 * be the case if somebody wants to speak only IPX, for 3758 * example.) Don't open IPv6CP in this case. 3759 */ 3760 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3761 /* XXX this message should go away */ 3762 if (debug) 3763 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 3764 ifp->if_xname); 3765 return; 3766 } 3767 3768 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3769 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3770 sppp_open_event(&ipv6cp, sp); 3771 } 3772 3773 static void 3774 sppp_ipv6cp_close(struct sppp *sp) 3775 { 3776 3777 KASSERT(SPPP_WLOCKED(sp)); 3778 sppp_close_event(&ipv6cp, sp); 3779 } 3780 3781 static void 3782 sppp_ipv6cp_TO(void *cookie) 3783 { 3784 struct sppp *sp = cookie; 3785 3786 SPPP_LOCK(sp, RW_WRITER); 3787 sppp_to_event(&ipv6cp, sp); 3788 SPPP_UNLOCK(sp); 3789 } 3790 3791 /* 3792 * Analyze a configure request. Return true if it was agreeable, and 3793 * caused action sca, false if it has been rejected or nak'ed, and 3794 * caused action scn. (The return value is used to make the state 3795 * transition decision in the state automaton.) 3796 */ 3797 static int 3798 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3799 { 3800 u_char *buf, *r, *p, l, blen; 3801 struct ifnet *ifp = &sp->pp_if; 3802 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3803 struct in6_addr myaddr, desiredaddr, suggestaddr; 3804 int ifidcount; 3805 int type; 3806 int collision, nohisaddr; 3807 char ip6buf[INET6_ADDRSTRLEN]; 3808 3809 KASSERT(SPPP_WLOCKED(sp)); 3810 3811 len -= 4; 3812 origlen = len; 3813 /* 3814 * Make sure to allocate a buf that can at least hold a 3815 * conf-nak with an `address' option. We might need it below. 3816 */ 3817 blen = len < 6 ? 6 : len; 3818 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3819 if (! buf) 3820 return (0); 3821 3822 /* pass 1: see if we can recognize them */ 3823 if (debug) 3824 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 3825 ifp->if_xname); 3826 p = (void *)(h + 1); 3827 ifidcount = 0; 3828 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3829 /* Sanity check option length */ 3830 if (l > len) { 3831 /* XXX just RXJ? */ 3832 addlog("%s: received malicious IPCPv6 option, " 3833 "dropping\n", ifp->if_xname); 3834 goto drop; 3835 } 3836 if (debug) 3837 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3838 switch (*p) { 3839 case IPV6CP_OPT_IFID: 3840 if (len >= 10 && l == 10 && ifidcount == 0) { 3841 /* correctly formed address option */ 3842 ifidcount++; 3843 continue; 3844 } 3845 if (debug) 3846 addlog(" [invalid]"); 3847 break; 3848 #ifdef notyet 3849 case IPV6CP_OPT_COMPRESSION: 3850 if (len >= 4 && l >= 4) { 3851 /* correctly formed compress option */ 3852 continue; 3853 } 3854 if (debug) 3855 addlog(" [invalid]"); 3856 break; 3857 #endif 3858 default: 3859 /* Others not supported. */ 3860 if (debug) 3861 addlog(" [rej]"); 3862 break; 3863 } 3864 if (rlen + l > blen) { 3865 if (debug) 3866 addlog(" [overflow]"); 3867 continue; 3868 } 3869 /* Add the option to rejected list. */ 3870 memcpy(r, p, l); 3871 r += l; 3872 rlen += l; 3873 } 3874 if (rlen) { 3875 if (debug) 3876 addlog(" send conf-rej\n"); 3877 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3878 goto end; 3879 } else if (debug) 3880 addlog("\n"); 3881 3882 /* pass 2: parse option values */ 3883 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3884 if (debug) 3885 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 3886 ifp->if_xname); 3887 p = (void *)(h + 1); 3888 len = origlen; 3889 type = CONF_ACK; 3890 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3891 if (debug) 3892 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3893 switch (*p) { 3894 #ifdef notyet 3895 case IPV6CP_OPT_COMPRESSION: 3896 continue; 3897 #endif 3898 case IPV6CP_OPT_IFID: 3899 memset(&desiredaddr, 0, sizeof(desiredaddr)); 3900 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 3901 collision = (memcmp(&desiredaddr.s6_addr[8], 3902 &myaddr.s6_addr[8], 8) == 0); 3903 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3904 3905 desiredaddr.s6_addr16[0] = htons(0xfe80); 3906 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 3907 3908 if (!collision && !nohisaddr) { 3909 /* no collision, hisaddr known - Conf-Ack */ 3910 type = CONF_ACK; 3911 3912 if (debug) { 3913 addlog(" %s [%s]", 3914 IN6_PRINT(ip6buf, &desiredaddr), 3915 sppp_cp_type_name(type)); 3916 } 3917 continue; 3918 } 3919 3920 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3921 if (collision && nohisaddr) { 3922 /* collision, hisaddr unknown - Conf-Rej */ 3923 type = CONF_REJ; 3924 memset(&p[2], 0, 8); 3925 } else { 3926 /* 3927 * - no collision, hisaddr unknown, or 3928 * - collision, hisaddr known 3929 * Conf-Nak, suggest hisaddr 3930 */ 3931 type = CONF_NAK; 3932 sppp_suggest_ip6_addr(sp, &suggestaddr); 3933 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 3934 } 3935 if (debug) 3936 addlog(" %s [%s]", IN6_PRINT(ip6buf, &desiredaddr), 3937 sppp_cp_type_name(type)); 3938 break; 3939 } 3940 if (rlen + l > blen) { 3941 if (debug) 3942 addlog(" [overflow]"); 3943 continue; 3944 } 3945 /* Add the option to nak'ed list. */ 3946 memcpy(r, p, l); 3947 r += l; 3948 rlen += l; 3949 } 3950 3951 if (rlen == 0 && type == CONF_ACK) { 3952 if (debug) 3953 addlog(" send %s\n", sppp_cp_type_name(type)); 3954 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1); 3955 } else { 3956 #ifdef notdef 3957 if (type == CONF_ACK) 3958 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3959 #endif 3960 3961 if (debug) { 3962 addlog(" send %s suggest %s\n", 3963 sppp_cp_type_name(type), IN6_PRINT(ip6buf, &suggestaddr)); 3964 } 3965 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf); 3966 } 3967 3968 end: 3969 free(buf, M_TEMP); 3970 return (rlen == 0); 3971 3972 drop: 3973 free(buf, M_TEMP); 3974 return -1; 3975 } 3976 3977 /* 3978 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3979 * negotiation. 3980 */ 3981 static void 3982 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3983 { 3984 u_char *buf, *p, l, blen; 3985 struct ifnet *ifp = &sp->pp_if; 3986 int debug = ifp->if_flags & IFF_DEBUG; 3987 3988 KASSERT(SPPP_WLOCKED(sp)); 3989 3990 len -= 4; 3991 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3992 if (!buf) 3993 return; 3994 3995 if (debug) 3996 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 3997 ifp->if_xname); 3998 3999 p = (void *)(h + 1); 4000 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 4001 if (l > len) { 4002 /* XXX just RXJ? */ 4003 addlog("%s: received malicious IPCPv6 option, " 4004 "dropping\n", ifp->if_xname); 4005 goto drop; 4006 } 4007 if (debug) 4008 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 4009 switch (*p) { 4010 case IPV6CP_OPT_IFID: 4011 /* 4012 * Peer doesn't grok address option. This is 4013 * bad. XXX Should we better give up here? 4014 */ 4015 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 4016 break; 4017 #ifdef notyet 4018 case IPV6CP_OPT_COMPRESS: 4019 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 4020 break; 4021 #endif 4022 } 4023 } 4024 if (debug) 4025 addlog("\n"); 4026 drop: 4027 free(buf, M_TEMP); 4028 return; 4029 } 4030 4031 /* 4032 * Analyze the IPv6CP Configure-NAK option list, and adjust our 4033 * negotiation. 4034 */ 4035 static void 4036 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 4037 { 4038 u_char *buf, *p, l, blen; 4039 struct ifnet *ifp = &sp->pp_if; 4040 int debug = ifp->if_flags & IFF_DEBUG; 4041 struct in6_addr suggestaddr; 4042 char ip6buf[INET6_ADDRSTRLEN]; 4043 4044 KASSERT(SPPP_WLOCKED(sp)); 4045 4046 len -= 4; 4047 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 4048 if (!buf) 4049 return; 4050 4051 if (debug) 4052 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 4053 ifp->if_xname); 4054 4055 p = (void *)(h + 1); 4056 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 4057 if (l > len) { 4058 /* XXX just RXJ? */ 4059 addlog("%s: received malicious IPCPv6 option, " 4060 "dropping\n", ifp->if_xname); 4061 goto drop; 4062 } 4063 if (debug) 4064 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 4065 switch (*p) { 4066 case IPV6CP_OPT_IFID: 4067 /* 4068 * Peer doesn't like our local ifid. See 4069 * if we can do something for him. We'll drop 4070 * him our address then. 4071 */ 4072 if (len < 10 || l != 10) 4073 break; 4074 memset(&suggestaddr, 0, sizeof(suggestaddr)); 4075 suggestaddr.s6_addr16[0] = htons(0xfe80); 4076 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 4077 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 4078 4079 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 4080 if (debug) 4081 addlog(" [suggestaddr %s]", 4082 IN6_PRINT(ip6buf, &suggestaddr)); 4083 #ifdef IPV6CP_MYIFID_DYN 4084 /* 4085 * When doing dynamic address assignment, 4086 * we accept his offer. 4087 */ 4088 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 4089 struct in6_addr lastsuggest; 4090 /* 4091 * If <suggested myaddr from peer> equals to 4092 * <hisaddr we have suggested last time>, 4093 * we have a collision. generate new random 4094 * ifid. 4095 */ 4096 sppp_suggest_ip6_addr(&lastsuggest); 4097 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 4098 lastsuggest)) { 4099 if (debug) 4100 addlog(" [random]"); 4101 sppp_gen_ip6_addr(sp, &suggestaddr); 4102 } 4103 sppp_set_ip6_addr(sp, &suggestaddr, 0); 4104 if (debug) 4105 addlog(" [agree]"); 4106 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 4107 } 4108 #else 4109 /* 4110 * Since we do not do dynamic address assignment, 4111 * we ignore it and thus continue to negotiate 4112 * our already existing value. This can possibly 4113 * go into infinite request-reject loop. 4114 * 4115 * This is not likely because we normally use 4116 * ifid based on MAC-address. 4117 * If you have no ethernet card on the node, too bad. 4118 * XXX should we use fail_counter? 4119 */ 4120 #endif 4121 break; 4122 #ifdef notyet 4123 case IPV6CP_OPT_COMPRESS: 4124 /* 4125 * Peer wants different compression parameters. 4126 */ 4127 break; 4128 #endif 4129 } 4130 } 4131 if (debug) 4132 addlog("\n"); 4133 drop: 4134 free(buf, M_TEMP); 4135 return; 4136 } 4137 4138 static void 4139 sppp_ipv6cp_tlu(struct sppp *sp) 4140 { 4141 4142 KASSERT(SPPP_WLOCKED(sp)); 4143 /* we are up - notify isdn daemon */ 4144 sppp_notify_con_wlocked(sp); 4145 } 4146 4147 static void 4148 sppp_ipv6cp_tld(struct sppp *sp) 4149 { 4150 4151 KASSERT(SPPP_WLOCKED(sp)); 4152 } 4153 4154 static void 4155 sppp_ipv6cp_tls(struct sppp *sp) 4156 { 4157 4158 KASSERT(SPPP_WLOCKED(sp)); 4159 /* indicate to LCP that it must stay alive */ 4160 sp->lcp.protos |= (1 << IDX_IPV6CP); 4161 } 4162 4163 static void 4164 sppp_ipv6cp_tlf(struct sppp *sp) 4165 { 4166 4167 KASSERT(SPPP_WLOCKED(sp)); 4168 /* we no longer need LCP */ 4169 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 4170 } 4171 4172 static void 4173 sppp_ipv6cp_scr(struct sppp *sp) 4174 { 4175 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 4176 struct in6_addr ouraddr; 4177 int i = 0; 4178 4179 KASSERT(SPPP_WLOCKED(sp)); 4180 4181 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 4182 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 4183 opt[i++] = IPV6CP_OPT_IFID; 4184 opt[i++] = 10; 4185 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 4186 i += 8; 4187 } 4188 4189 #ifdef notyet 4190 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 4191 opt[i++] = IPV6CP_OPT_COMPRESSION; 4192 opt[i++] = 4; 4193 opt[i++] = 0; /* TBD */ 4194 opt[i++] = 0; /* TBD */ 4195 /* variable length data may follow */ 4196 } 4197 #endif 4198 4199 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 4200 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 4201 } 4202 #else /*INET6*/ 4203 static void 4204 sppp_ipv6cp_init(struct sppp *sp) 4205 { 4206 4207 KASSERT(SPPP_WLOCKED(sp)); 4208 } 4209 4210 static void 4211 sppp_ipv6cp_up(struct sppp *sp) 4212 { 4213 4214 KASSERT(SPPP_WLOCKED(sp)); 4215 } 4216 4217 static void 4218 sppp_ipv6cp_down(struct sppp *sp) 4219 { 4220 4221 KASSERT(SPPP_WLOCKED(sp)); 4222 } 4223 4224 static void 4225 sppp_ipv6cp_open(struct sppp *sp) 4226 { 4227 4228 KASSERT(SPPP_WLOCKED(sp)); 4229 } 4230 4231 static void 4232 sppp_ipv6cp_close(struct sppp *sp) 4233 { 4234 4235 KASSERT(SPPP_WLOCKED(sp)); 4236 } 4237 4238 static void 4239 sppp_ipv6cp_TO(void *cookie) 4240 { 4241 struct sppp *sp __diagused = cookie; 4242 4243 KASSERT(SPPP_WLOCKED(sp)); 4244 } 4245 4246 static int 4247 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, 4248 int len) 4249 { 4250 4251 KASSERT(SPPP_WLOCKED(sp)); 4252 return 0; 4253 } 4254 4255 static void 4256 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, 4257 int len) 4258 { 4259 4260 KASSERT(SPPP_WLOCKED(sp)); 4261 } 4262 4263 static void 4264 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, 4265 int len) 4266 { 4267 4268 KASSERT(SPPP_WLOCKED(sp)); 4269 } 4270 4271 static void 4272 sppp_ipv6cp_tlu(struct sppp *sp) 4273 { 4274 4275 KASSERT(SPPP_WLOCKED(sp)); 4276 } 4277 4278 static void 4279 sppp_ipv6cp_tld(struct sppp *sp) 4280 { 4281 4282 KASSERT(SPPP_WLOCKED(sp)); 4283 } 4284 4285 static void 4286 sppp_ipv6cp_tls(struct sppp *sp) 4287 { 4288 4289 KASSERT(SPPP_WLOCKED(sp)); 4290 } 4291 4292 static void 4293 sppp_ipv6cp_tlf(struct sppp *sp) 4294 { 4295 4296 KASSERT(SPPP_WLOCKED(sp)); 4297 } 4298 4299 static void 4300 sppp_ipv6cp_scr(struct sppp *sp) 4301 { 4302 4303 KASSERT(SPPP_WLOCKED(sp)); 4304 } 4305 #endif /*INET6*/ 4306 4307 4308 /* 4309 *--------------------------------------------------------------------------* 4310 * * 4311 * The CHAP implementation. * 4312 * * 4313 *--------------------------------------------------------------------------* 4314 */ 4315 4316 /* 4317 * The authentication protocols don't employ a full-fledged state machine as 4318 * the control protocols do, since they do have Open and Close events, but 4319 * not Up and Down, nor are they explicitly terminated. Also, use of the 4320 * authentication protocols may be different in both directions (this makes 4321 * sense, think of a machine that never accepts incoming calls but only 4322 * calls out, it doesn't require the called party to authenticate itself). 4323 * 4324 * Our state machine for the local authentication protocol (we are requesting 4325 * the peer to authenticate) looks like: 4326 * 4327 * RCA- 4328 * +--------------------------------------------+ 4329 * V scn,tld| 4330 * +--------+ Close +---------+ RCA+ 4331 * | |<----------------------------------| |------+ 4332 * +--->| Closed | TO* | Opened | sca | 4333 * | | |-----+ +-------| |<-----+ 4334 * | +--------+ irc | | +---------+ 4335 * | ^ | | ^ 4336 * | | | | | 4337 * | | | | | 4338 * | TO-| | | | 4339 * | |tld TO+ V | | 4340 * | | +------->+ | | 4341 * | | | | | | 4342 * | +--------+ V | | 4343 * | | |<----+<--------------------+ | 4344 * | | Req- | scr | 4345 * | | Sent | | 4346 * | | | | 4347 * | +--------+ | 4348 * | RCA- | | RCA+ | 4349 * +------+ +------------------------------------------+ 4350 * scn,tld sca,irc,ict,tlu 4351 * 4352 * 4353 * with: 4354 * 4355 * Open: LCP reached authentication phase 4356 * Close: LCP reached terminate phase 4357 * 4358 * RCA+: received reply (pap-req, chap-response), acceptable 4359 * RCN: received reply (pap-req, chap-response), not acceptable 4360 * TO+: timeout with restart counter >= 0 4361 * TO-: timeout with restart counter < 0 4362 * TO*: reschedule timeout for CHAP 4363 * 4364 * scr: send request packet (none for PAP, chap-challenge) 4365 * sca: send ack packet (pap-ack, chap-success) 4366 * scn: send nak packet (pap-nak, chap-failure) 4367 * ict: initialize re-challenge timer (CHAP only) 4368 * 4369 * tlu: this-layer-up, LCP reaches network phase 4370 * tld: this-layer-down, LCP enters terminate phase 4371 * 4372 * Note that in CHAP mode, after sending a new challenge, while the state 4373 * automaton falls back into Req-Sent state, it doesn't signal a tld 4374 * event to LCP, so LCP remains in network phase. Only after not getting 4375 * any response (or after getting an unacceptable response), CHAP closes, 4376 * causing LCP to enter terminate phase. 4377 * 4378 * With PAP, there is no initial request that can be sent. The peer is 4379 * expected to send one based on the successful negotiation of PAP as 4380 * the authentication protocol during the LCP option negotiation. 4381 * 4382 * Incoming authentication protocol requests (remote requests 4383 * authentication, we are peer) don't employ a state machine at all, 4384 * they are simply answered. Some peers [Ascend P50 firmware rev 4385 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are 4386 * still in authentication phase (thereby violating the standard that 4387 * demands that these NCP packets are to be discarded), so we keep 4388 * track of the peer demanding us to authenticate, and only proceed to 4389 * phase network once we've seen a positive acknowledge for the 4390 * authentication. 4391 */ 4392 4393 /* 4394 * Handle incoming CHAP packets. 4395 */ 4396 void 4397 sppp_chap_input(struct sppp *sp, struct mbuf *m) 4398 { 4399 STDDCL; 4400 struct lcp_header *h; 4401 int len, x; 4402 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize; 4403 int value_len, name_len; 4404 MD5_CTX ctx; 4405 4406 len = m->m_pkthdr.len; 4407 if (len < 4) { 4408 if (debug) 4409 log(LOG_DEBUG, 4410 "%s: chap invalid packet length: %d bytes\n", 4411 ifp->if_xname, len); 4412 return; 4413 } 4414 h = mtod(m, struct lcp_header *); 4415 if (len > ntohs(h->len)) 4416 len = ntohs(h->len); 4417 4418 SPPP_LOCK(sp, RW_WRITER); 4419 4420 switch (h->type) { 4421 /* challenge, failure and success are his authproto */ 4422 case CHAP_CHALLENGE: 4423 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4424 /* can't do anything useful */ 4425 sp->pp_auth_failures++; 4426 printf("%s: chap input without my name and my secret being set\n", 4427 ifp->if_xname); 4428 break; 4429 } 4430 value = 1 + (u_char *)(h + 1); 4431 value_len = value[-1]; 4432 name = value + value_len; 4433 name_len = len - value_len - 5; 4434 if (name_len < 0) { 4435 if (debug) { 4436 log(LOG_DEBUG, 4437 "%s: chap corrupted challenge " 4438 "<%s id=0x%x len=%d", 4439 ifp->if_xname, 4440 sppp_auth_type_name(PPP_CHAP, h->type), 4441 h->ident, ntohs(h->len)); 4442 if (len > 4) 4443 sppp_print_bytes((u_char *)(h + 1), 4444 len - 4); 4445 addlog(">\n"); 4446 } 4447 break; 4448 } 4449 4450 if (debug) { 4451 log(LOG_DEBUG, 4452 "%s: chap input <%s id=0x%x len=%d name=", 4453 ifp->if_xname, 4454 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 4455 ntohs(h->len)); 4456 sppp_print_string((char *) name, name_len); 4457 addlog(" value-size=%d value=", value_len); 4458 sppp_print_bytes(value, value_len); 4459 addlog(">\n"); 4460 } 4461 4462 /* Compute reply value. */ 4463 MD5Init(&ctx); 4464 MD5Update(&ctx, &h->ident, 1); 4465 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 4466 MD5Update(&ctx, value, value_len); 4467 MD5Final(digest, &ctx); 4468 dsize = sizeof digest; 4469 4470 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 4471 sizeof dsize, (const char *)&dsize, 4472 sizeof digest, digest, 4473 sp->myauth.name_len, 4474 sp->myauth.name, 4475 0); 4476 break; 4477 4478 case CHAP_SUCCESS: 4479 if (debug) { 4480 log(LOG_DEBUG, "%s: chap success", 4481 ifp->if_xname); 4482 if (len > 4) { 4483 addlog(": "); 4484 sppp_print_string((char *)(h + 1), len - 4); 4485 } 4486 addlog("\n"); 4487 } 4488 x = splnet(); 4489 sp->pp_auth_failures = 0; 4490 sp->pp_flags &= ~PP_NEEDAUTH; 4491 if (sp->myauth.proto == PPP_CHAP && 4492 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4493 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 4494 /* 4495 * We are authenticator for CHAP but didn't 4496 * complete yet. Leave it to tlu to proceed 4497 * to network phase. 4498 */ 4499 splx(x); 4500 break; 4501 } 4502 splx(x); 4503 sppp_phase_network(sp); 4504 break; 4505 4506 case CHAP_FAILURE: 4507 x = splnet(); 4508 sp->pp_auth_failures++; 4509 splx(x); 4510 if (debug) { 4511 log(LOG_INFO, "%s: chap failure", 4512 ifp->if_xname); 4513 if (len > 4) { 4514 addlog(": "); 4515 sppp_print_string((char *)(h + 1), len - 4); 4516 } 4517 addlog("\n"); 4518 } else 4519 log(LOG_INFO, "%s: chap failure\n", 4520 ifp->if_xname); 4521 /* await LCP shutdown by authenticator */ 4522 break; 4523 4524 /* response is my authproto */ 4525 case CHAP_RESPONSE: 4526 if (sp->hisauth.secret == NULL) { 4527 /* can't do anything useful */ 4528 printf("%s: chap input without his secret being set\n", 4529 ifp->if_xname); 4530 break; 4531 } 4532 value = 1 + (u_char *)(h + 1); 4533 value_len = value[-1]; 4534 name = value + value_len; 4535 name_len = len - value_len - 5; 4536 if (name_len < 0) { 4537 if (debug) { 4538 log(LOG_DEBUG, 4539 "%s: chap corrupted response " 4540 "<%s id=0x%x len=%d", 4541 ifp->if_xname, 4542 sppp_auth_type_name(PPP_CHAP, h->type), 4543 h->ident, ntohs(h->len)); 4544 if (len > 4) 4545 sppp_print_bytes((u_char *)(h + 1), 4546 len - 4); 4547 addlog(">\n"); 4548 } 4549 break; 4550 } 4551 if (h->ident != sp->confid[IDX_CHAP]) { 4552 if (debug) 4553 log(LOG_DEBUG, 4554 "%s: chap dropping response for old ID " 4555 "(got %d, expected %d)\n", 4556 ifp->if_xname, 4557 h->ident, sp->confid[IDX_CHAP]); 4558 break; 4559 } 4560 if (sp->hisauth.name != NULL && 4561 (name_len != sp->hisauth.name_len 4562 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 4563 log(LOG_INFO, "%s: chap response, his name ", 4564 ifp->if_xname); 4565 sppp_print_string(name, name_len); 4566 addlog(" != expected "); 4567 sppp_print_string(sp->hisauth.name, 4568 sp->hisauth.name_len); 4569 addlog("\n"); 4570 goto chap_failure; 4571 } 4572 if (debug) { 4573 log(LOG_DEBUG, "%s: chap input(%s) " 4574 "<%s id=0x%x len=%d name=", 4575 ifp->if_xname, 4576 sppp_state_name(sp->state[IDX_CHAP]), 4577 sppp_auth_type_name(PPP_CHAP, h->type), 4578 h->ident, ntohs(h->len)); 4579 sppp_print_string((char *)name, name_len); 4580 addlog(" value-size=%d value=", value_len); 4581 sppp_print_bytes(value, value_len); 4582 addlog(">\n"); 4583 } 4584 if (value_len != sizeof(sp->hisauth.challenge)) { 4585 if (debug) 4586 log(LOG_DEBUG, 4587 "%s: chap bad hash value length: " 4588 "%d bytes, should be %zu\n", 4589 ifp->if_xname, value_len, 4590 sizeof(sp->hisauth.challenge)); 4591 goto chap_failure; 4592 } 4593 4594 MD5Init(&ctx); 4595 MD5Update(&ctx, &h->ident, 1); 4596 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 4597 MD5Update(&ctx, sp->hisauth.challenge, sizeof(sp->hisauth.challenge)); 4598 MD5Final(digest, &ctx); 4599 4600 #define FAILMSG "Failed..." 4601 #define SUCCMSG "Welcome!" 4602 4603 if (value_len != sizeof digest || 4604 memcmp(digest, value, value_len) != 0) { 4605 chap_failure: 4606 KASSERT(SPPP_WLOCKED(sp)); 4607 /* action scn, tld */ 4608 sp->pp_auth_failures++; 4609 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4610 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4611 0); 4612 chap.tld(sp); 4613 break; 4614 } 4615 sp->pp_auth_failures = 0; 4616 /* action sca, perhaps tlu */ 4617 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4618 sp->state[IDX_CHAP] == STATE_OPENED) 4619 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4620 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4621 0); 4622 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4623 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4624 chap.tlu(sp); 4625 } 4626 break; 4627 4628 default: 4629 /* Unknown CHAP packet type -- ignore. */ 4630 if (debug) { 4631 log(LOG_DEBUG, "%s: chap unknown input(%s) " 4632 "<0x%x id=0x%xh len=%d", 4633 ifp->if_xname, 4634 sppp_state_name(sp->state[IDX_CHAP]), 4635 h->type, h->ident, ntohs(h->len)); 4636 if (len > 4) 4637 sppp_print_bytes((u_char *)(h + 1), len - 4); 4638 addlog(">\n"); 4639 } 4640 break; 4641 4642 } 4643 4644 SPPP_UNLOCK(sp); 4645 } 4646 4647 static void 4648 sppp_chap_init(struct sppp *sp) 4649 { 4650 4651 KASSERT(SPPP_WLOCKED(sp)); 4652 4653 /* Chap doesn't have STATE_INITIAL at all. */ 4654 sp->state[IDX_CHAP] = STATE_CLOSED; 4655 sp->fail_counter[IDX_CHAP] = 0; 4656 sp->pp_seq[IDX_CHAP] = 0; 4657 sp->pp_rseq[IDX_CHAP] = 0; 4658 callout_init(&sp->ch[IDX_CHAP], CALLOUT_MPSAFE); 4659 } 4660 4661 static void 4662 sppp_chap_open(struct sppp *sp) 4663 { 4664 4665 KASSERT(SPPP_WLOCKED(sp)); 4666 if (sp->hisauth.proto == PPP_CHAP && 4667 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4668 /* we are authenticator for CHAP, start it */ 4669 chap.scr(sp); 4670 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4671 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4672 } 4673 /* nothing to be done if we are peer, await a challenge */ 4674 } 4675 4676 static void 4677 sppp_chap_close(struct sppp *sp) 4678 { 4679 4680 KASSERT(SPPP_WLOCKED(sp)); 4681 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4682 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4683 } 4684 4685 static void 4686 sppp_chap_TO(void *cookie) 4687 { 4688 struct sppp *sp = (struct sppp *)cookie; 4689 STDDCL; 4690 int s; 4691 4692 s = splnet(); 4693 4694 SPPP_LOCK(sp, RW_WRITER); 4695 4696 if (debug) 4697 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n", 4698 ifp->if_xname, 4699 sppp_state_name(sp->state[IDX_CHAP]), 4700 sp->rst_counter[IDX_CHAP]); 4701 4702 if (--sp->rst_counter[IDX_CHAP] < 0) 4703 /* TO- event */ 4704 switch (sp->state[IDX_CHAP]) { 4705 case STATE_REQ_SENT: 4706 chap.tld(sp); 4707 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4708 break; 4709 } 4710 else 4711 /* TO+ (or TO*) event */ 4712 switch (sp->state[IDX_CHAP]) { 4713 case STATE_OPENED: 4714 /* TO* event */ 4715 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4716 /* fall through */ 4717 case STATE_REQ_SENT: 4718 chap.scr(sp); 4719 /* sppp_cp_change_state() will restart the timer */ 4720 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4721 break; 4722 } 4723 4724 SPPP_UNLOCK(sp); 4725 splx(s); 4726 } 4727 4728 static void 4729 sppp_chap_tlu(struct sppp *sp) 4730 { 4731 STDDCL; 4732 int i, x; 4733 4734 KASSERT(SPPP_WLOCKED(sp)); 4735 4736 i = 0; 4737 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4738 4739 /* 4740 * Some broken CHAP implementations (Conware CoNet, firmware 4741 * 4.0.?) don't want to re-authenticate their CHAP once the 4742 * initial challenge-response exchange has taken place. 4743 * Provide for an option to avoid rechallenges. 4744 */ 4745 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 4746 /* 4747 * Compute the re-challenge timeout. This will yield 4748 * a number between 300 and 810 seconds. 4749 */ 4750 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7); 4751 4752 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp); 4753 } 4754 4755 if (debug) { 4756 log(LOG_DEBUG, 4757 "%s: chap %s, ", 4758 ifp->if_xname, 4759 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu"); 4760 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) 4761 addlog("next re-challenge in %d seconds\n", i); 4762 else 4763 addlog("re-challenging suppressed\n"); 4764 } 4765 4766 x = splnet(); 4767 sp->pp_auth_failures = 0; 4768 /* indicate to LCP that we need to be closed down */ 4769 sp->lcp.protos |= (1 << IDX_CHAP); 4770 4771 if (sp->pp_flags & PP_NEEDAUTH) { 4772 /* 4773 * Remote is authenticator, but his auth proto didn't 4774 * complete yet. Defer the transition to network 4775 * phase. 4776 */ 4777 splx(x); 4778 return; 4779 } 4780 splx(x); 4781 4782 /* 4783 * If we are already in phase network, we are done here. This 4784 * is the case if this is a dummy tlu event after a re-challenge. 4785 */ 4786 if (sp->pp_phase != SPPP_PHASE_NETWORK) 4787 sppp_phase_network(sp); 4788 } 4789 4790 static void 4791 sppp_chap_tld(struct sppp *sp) 4792 { 4793 STDDCL; 4794 4795 KASSERT(SPPP_WLOCKED(sp)); 4796 4797 if (debug) 4798 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname); 4799 callout_stop(&sp->ch[IDX_CHAP]); 4800 sp->lcp.protos &= ~(1 << IDX_CHAP); 4801 4802 lcp.Close(sp); 4803 } 4804 4805 static void 4806 sppp_chap_scr(struct sppp *sp) 4807 { 4808 uint32_t *ch; 4809 u_char clen = 4 * sizeof(uint32_t); 4810 4811 KASSERT(SPPP_WLOCKED(sp)); 4812 4813 if (sp->hisauth.name == NULL) { 4814 /* can't do anything useful */ 4815 printf("%s: chap starting without his name being set\n", 4816 sp->pp_if.if_xname); 4817 return; 4818 } 4819 4820 /* Compute random challenge. */ 4821 ch = (uint32_t *)sp->hisauth.challenge; 4822 cprng_strong(kern_cprng, ch, clen, 0); 4823 4824 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4825 4826 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4827 sizeof clen, (const char *)&clen, 4828 sizeof(sp->hisauth.challenge), sp->hisauth.challenge, 4829 0); 4830 } 4831 4832 /* 4833 *--------------------------------------------------------------------------* 4834 * * 4835 * The PAP implementation. * 4836 * * 4837 *--------------------------------------------------------------------------* 4838 */ 4839 /* 4840 * For PAP, we need to keep a little state also if we are the peer, not the 4841 * authenticator. This is since we don't get a request to authenticate, but 4842 * have to repeatedly authenticate ourself until we got a response (or the 4843 * retry counter is expired). 4844 */ 4845 4846 /* 4847 * Handle incoming PAP packets. */ 4848 static void 4849 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4850 { 4851 STDDCL; 4852 struct lcp_header *h; 4853 int len, x; 4854 u_char mlen; 4855 char *name, *secret; 4856 int name_len, secret_len; 4857 4858 /* 4859 * Malicious input might leave this uninitialized, so 4860 * init to an impossible value. 4861 */ 4862 secret_len = -1; 4863 4864 len = m->m_pkthdr.len; 4865 if (len < 5) { 4866 if (debug) 4867 log(LOG_DEBUG, 4868 "%s: pap invalid packet length: %d bytes\n", 4869 ifp->if_xname, len); 4870 return; 4871 } 4872 h = mtod(m, struct lcp_header *); 4873 if (len > ntohs(h->len)) 4874 len = ntohs(h->len); 4875 4876 SPPP_LOCK(sp, RW_WRITER); 4877 4878 switch (h->type) { 4879 /* PAP request is my authproto */ 4880 case PAP_REQ: 4881 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4882 /* can't do anything useful */ 4883 printf("%s: " 4884 "pap request without his name and his secret being set\n", 4885 ifp->if_xname); 4886 break; 4887 } 4888 name = 1 + (u_char *)(h + 1); 4889 name_len = name[-1]; 4890 secret = name + name_len + 1; 4891 if (name_len > len - 6 || 4892 (secret_len = secret[-1]) > len - 6 - name_len) { 4893 if (debug) { 4894 log(LOG_DEBUG, "%s: pap corrupted input " 4895 "<%s id=0x%x len=%d", 4896 ifp->if_xname, 4897 sppp_auth_type_name(PPP_PAP, h->type), 4898 h->ident, ntohs(h->len)); 4899 if (len > 4) 4900 sppp_print_bytes((u_char *)(h + 1), 4901 len - 4); 4902 addlog(">\n"); 4903 } 4904 break; 4905 } 4906 if (debug) { 4907 log(LOG_DEBUG, "%s: pap input(%s) " 4908 "<%s id=0x%x len=%d name=", 4909 ifp->if_xname, 4910 sppp_state_name(sp->state[IDX_PAP]), 4911 sppp_auth_type_name(PPP_PAP, h->type), 4912 h->ident, ntohs(h->len)); 4913 sppp_print_string((char *)name, name_len); 4914 addlog(" secret="); 4915 sppp_print_string((char *)secret, secret_len); 4916 addlog(">\n"); 4917 } 4918 if (name_len != sp->hisauth.name_len || 4919 secret_len != sp->hisauth.secret_len || 4920 memcmp(name, sp->hisauth.name, name_len) != 0 || 4921 memcmp(secret, sp->hisauth.secret, secret_len) != 0) { 4922 /* action scn, tld */ 4923 sp->pp_auth_failures++; 4924 mlen = sizeof(FAILMSG) - 1; 4925 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4926 sizeof mlen, (const char *)&mlen, 4927 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4928 0); 4929 pap.tld(sp); 4930 break; 4931 } 4932 /* action sca, perhaps tlu */ 4933 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4934 sp->state[IDX_PAP] == STATE_OPENED) { 4935 mlen = sizeof(SUCCMSG) - 1; 4936 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4937 sizeof mlen, (const char *)&mlen, 4938 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4939 0); 4940 } 4941 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4942 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4943 pap.tlu(sp); 4944 } 4945 break; 4946 4947 /* ack and nak are his authproto */ 4948 case PAP_ACK: 4949 callout_stop(&sp->pap_my_to_ch); 4950 if (debug) { 4951 log(LOG_DEBUG, "%s: pap success", 4952 ifp->if_xname); 4953 name = 1 + (u_char *)(h + 1); 4954 name_len = name[-1]; 4955 if (len > 5 && name_len < len+4) { 4956 addlog(": "); 4957 sppp_print_string(name, name_len); 4958 } 4959 addlog("\n"); 4960 } 4961 x = splnet(); 4962 sp->pp_auth_failures = 0; 4963 sp->pp_flags &= ~PP_NEEDAUTH; 4964 if (sp->myauth.proto == PPP_PAP && 4965 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4966 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4967 /* 4968 * We are authenticator for PAP but didn't 4969 * complete yet. Leave it to tlu to proceed 4970 * to network phase. 4971 */ 4972 splx(x); 4973 break; 4974 } 4975 splx(x); 4976 sppp_phase_network(sp); 4977 break; 4978 4979 case PAP_NAK: 4980 callout_stop(&sp->pap_my_to_ch); 4981 sp->pp_auth_failures++; 4982 if (debug) { 4983 log(LOG_INFO, "%s: pap failure", 4984 ifp->if_xname); 4985 name = 1 + (u_char *)(h + 1); 4986 name_len = name[-1]; 4987 if (len > 5 && name_len < len+4) { 4988 addlog(": "); 4989 sppp_print_string(name, name_len); 4990 } 4991 addlog("\n"); 4992 } else 4993 log(LOG_INFO, "%s: pap failure\n", 4994 ifp->if_xname); 4995 /* await LCP shutdown by authenticator */ 4996 break; 4997 4998 default: 4999 /* Unknown PAP packet type -- ignore. */ 5000 if (debug) { 5001 log(LOG_DEBUG, "%s: pap corrupted input " 5002 "<0x%x id=0x%x len=%d", 5003 ifp->if_xname, 5004 h->type, h->ident, ntohs(h->len)); 5005 if (len > 4) 5006 sppp_print_bytes((u_char *)(h + 1), len - 4); 5007 addlog(">\n"); 5008 } 5009 break; 5010 } 5011 5012 SPPP_UNLOCK(sp); 5013 } 5014 5015 static void 5016 sppp_pap_init(struct sppp *sp) 5017 { 5018 5019 KASSERT(SPPP_WLOCKED(sp)); 5020 5021 /* PAP doesn't have STATE_INITIAL at all. */ 5022 sp->state[IDX_PAP] = STATE_CLOSED; 5023 sp->fail_counter[IDX_PAP] = 0; 5024 sp->pp_seq[IDX_PAP] = 0; 5025 sp->pp_rseq[IDX_PAP] = 0; 5026 callout_init(&sp->ch[IDX_PAP], CALLOUT_MPSAFE); 5027 callout_init(&sp->pap_my_to_ch, CALLOUT_MPSAFE); 5028 } 5029 5030 static void 5031 sppp_pap_open(struct sppp *sp) 5032 { 5033 5034 KASSERT(SPPP_WLOCKED(sp)); 5035 5036 if (sp->hisauth.proto == PPP_PAP && 5037 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 5038 /* we are authenticator for PAP, start our timer */ 5039 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 5040 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 5041 } 5042 if (sp->myauth.proto == PPP_PAP) { 5043 /* we are peer, send a request, and start a timer */ 5044 pap.scr(sp); 5045 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout, 5046 sppp_pap_my_TO, sp); 5047 } 5048 } 5049 5050 static void 5051 sppp_pap_close(struct sppp *sp) 5052 { 5053 5054 KASSERT(SPPP_WLOCKED(sp)); 5055 5056 if (sp->state[IDX_PAP] != STATE_CLOSED) 5057 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 5058 } 5059 5060 /* 5061 * That's the timeout routine if we are authenticator. Since the 5062 * authenticator is basically passive in PAP, we can't do much here. 5063 */ 5064 static void 5065 sppp_pap_TO(void *cookie) 5066 { 5067 struct sppp *sp = (struct sppp *)cookie; 5068 STDDCL; 5069 int s; 5070 5071 s = splnet(); 5072 SPPP_LOCK(sp, RW_WRITER); 5073 5074 if (debug) 5075 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n", 5076 ifp->if_xname, 5077 sppp_state_name(sp->state[IDX_PAP]), 5078 sp->rst_counter[IDX_PAP]); 5079 5080 if (--sp->rst_counter[IDX_PAP] < 0) 5081 /* TO- event */ 5082 switch (sp->state[IDX_PAP]) { 5083 case STATE_REQ_SENT: 5084 pap.tld(sp); 5085 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 5086 break; 5087 } 5088 else 5089 /* TO+ event, not very much we could do */ 5090 switch (sp->state[IDX_PAP]) { 5091 case STATE_REQ_SENT: 5092 /* sppp_cp_change_state() will restart the timer */ 5093 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 5094 break; 5095 } 5096 5097 SPPP_UNLOCK(sp); 5098 splx(s); 5099 } 5100 5101 /* 5102 * That's the timeout handler if we are peer. Since the peer is active, 5103 * we need to retransmit our PAP request since it is apparently lost. 5104 * XXX We should impose a max counter. 5105 */ 5106 static void 5107 sppp_pap_my_TO(void *cookie) 5108 { 5109 struct sppp *sp = (struct sppp *)cookie; 5110 STDDCL; 5111 5112 SPPP_LOCK(sp, RW_WRITER); 5113 if (debug) 5114 log(LOG_DEBUG, "%s: pap peer TO\n", 5115 ifp->if_xname); 5116 5117 pap.scr(sp); 5118 5119 SPPP_UNLOCK(sp); 5120 } 5121 5122 static void 5123 sppp_pap_tlu(struct sppp *sp) 5124 { 5125 STDDCL; 5126 int x; 5127 5128 KASSERT(SPPP_WLOCKED(sp)); 5129 5130 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 5131 5132 if (debug) 5133 log(LOG_DEBUG, "%s: %s tlu\n", 5134 ifp->if_xname, pap.name); 5135 5136 x = splnet(); 5137 sp->pp_auth_failures = 0; 5138 /* indicate to LCP that we need to be closed down */ 5139 sp->lcp.protos |= (1 << IDX_PAP); 5140 5141 if (sp->pp_flags & PP_NEEDAUTH) { 5142 /* 5143 * Remote is authenticator, but his auth proto didn't 5144 * complete yet. Defer the transition to network 5145 * phase. 5146 */ 5147 splx(x); 5148 return; 5149 } 5150 splx(x); 5151 sppp_phase_network(sp); 5152 } 5153 5154 static void 5155 sppp_pap_tld(struct sppp *sp) 5156 { 5157 STDDCL; 5158 5159 KASSERT(SPPP_WLOCKED(sp)); 5160 5161 if (debug) 5162 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname); 5163 callout_stop(&sp->ch[IDX_PAP]); 5164 callout_stop(&sp->pap_my_to_ch); 5165 sp->lcp.protos &= ~(1 << IDX_PAP); 5166 5167 lcp.Close(sp); 5168 } 5169 5170 static void 5171 sppp_pap_scr(struct sppp *sp) 5172 { 5173 u_char idlen, pwdlen; 5174 5175 KASSERT(SPPP_WLOCKED(sp)); 5176 5177 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 5178 /* can't do anything useful */ 5179 printf("%s: pap starting without my name and secret being set\n", 5180 sp->pp_if.if_xname); 5181 return; 5182 } 5183 5184 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 5185 pwdlen = sp->myauth.secret_len; 5186 idlen = sp->myauth.name_len; 5187 5188 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 5189 sizeof idlen, (const char *)&idlen, 5190 idlen, sp->myauth.name, 5191 sizeof pwdlen, (const char *)&pwdlen, 5192 pwdlen, sp->myauth.secret, 5193 0); 5194 } 5195 5196 /* 5197 * Random miscellaneous functions. 5198 */ 5199 5200 /* 5201 * Send a PAP or CHAP proto packet. 5202 * 5203 * Varadic function, each of the elements for the ellipsis is of type 5204 * ``size_t mlen, const u_char *msg''. Processing will stop iff 5205 * mlen == 0. 5206 * NOTE: never declare variadic functions with types subject to type 5207 * promotion (i.e. u_char). This is asking for big trouble depending 5208 * on the architecture you are on... 5209 */ 5210 5211 static void 5212 sppp_auth_send(const struct cp *cp, struct sppp *sp, 5213 unsigned int type, unsigned int id, 5214 ...) 5215 { 5216 STDDCL; 5217 struct lcp_header *lh; 5218 struct mbuf *m; 5219 u_char *p; 5220 int len; 5221 size_t pkthdrlen; 5222 unsigned int mlen; 5223 const char *msg; 5224 va_list ap; 5225 5226 KASSERT(SPPP_WLOCKED(sp)); 5227 5228 MGETHDR(m, M_DONTWAIT, MT_DATA); 5229 if (! m) 5230 return; 5231 m_reset_rcvif(m); 5232 5233 if (sp->pp_flags & PP_NOFRAMING) { 5234 *mtod(m, uint16_t *) = htons(cp->proto); 5235 pkthdrlen = 2; 5236 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 5237 } else { 5238 struct ppp_header *h; 5239 h = mtod(m, struct ppp_header *); 5240 h->address = PPP_ALLSTATIONS; /* broadcast address */ 5241 h->control = PPP_UI; /* Unnumbered Info */ 5242 h->protocol = htons(cp->proto); 5243 pkthdrlen = PPP_HEADER_LEN; 5244 5245 lh = (struct lcp_header *)(h + 1); 5246 } 5247 5248 lh->type = type; 5249 lh->ident = id; 5250 p = (u_char *)(lh + 1); 5251 5252 va_start(ap, id); 5253 len = 0; 5254 5255 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 5256 msg = va_arg(ap, const char *); 5257 len += mlen; 5258 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 5259 va_end(ap); 5260 m_freem(m); 5261 return; 5262 } 5263 5264 memcpy(p, msg, mlen); 5265 p += mlen; 5266 } 5267 va_end(ap); 5268 5269 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 5270 lh->len = htons(LCP_HEADER_LEN + len); 5271 5272 if (debug) { 5273 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 5274 ifp->if_xname, cp->name, 5275 sppp_auth_type_name(cp->proto, lh->type), 5276 lh->ident, ntohs(lh->len)); 5277 if (len) 5278 sppp_print_bytes((u_char *)(lh + 1), len); 5279 addlog(">\n"); 5280 } 5281 if (IF_QFULL(&sp->pp_cpq)) { 5282 IF_DROP(&sp->pp_fastq); 5283 IF_DROP(&ifp->if_snd); 5284 m_freem(m); 5285 if_statinc(ifp, if_oerrors); 5286 return; 5287 } 5288 5289 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 5290 IF_ENQUEUE(&sp->pp_cpq, m); 5291 5292 if (! (ifp->if_flags & IFF_OACTIVE)) { 5293 SPPP_UNLOCK(sp); 5294 if_start_lock(ifp); 5295 SPPP_LOCK(sp, RW_WRITER); 5296 } 5297 } 5298 5299 /* 5300 * Send keepalive packets, every 10 seconds. 5301 */ 5302 static void 5303 sppp_keepalive(void *dummy) 5304 { 5305 struct sppp *sp; 5306 int s; 5307 time_t now; 5308 5309 SPPPQ_LOCK(); 5310 5311 s = splnet(); 5312 now = time_uptime; 5313 for (sp=spppq; sp; sp=sp->pp_next) { 5314 struct ifnet *ifp = NULL; 5315 5316 SPPP_LOCK(sp, RW_WRITER); 5317 ifp = &sp->pp_if; 5318 5319 /* check idle timeout */ 5320 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 5321 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 5322 /* idle timeout is enabled for this interface */ 5323 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 5324 if (ifp->if_flags & IFF_DEBUG) 5325 printf("%s: no activity for %lu seconds\n", 5326 sp->pp_if.if_xname, 5327 (unsigned long)(now-sp->pp_last_activity)); 5328 lcp.Close(sp); 5329 SPPP_UNLOCK(sp); 5330 continue; 5331 } 5332 } 5333 5334 /* Keepalive mode disabled or channel down? */ 5335 if (! (sp->pp_flags & PP_KEEPALIVE) || 5336 ! (ifp->if_flags & IFF_RUNNING)) { 5337 SPPP_UNLOCK(sp); 5338 continue; 5339 } 5340 5341 5342 /* No keepalive in PPP mode if LCP not opened yet. */ 5343 if (! (sp->pp_flags & PP_CISCO) && 5344 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) { 5345 SPPP_UNLOCK(sp); 5346 continue; 5347 } 5348 5349 /* No echo reply, but maybe user data passed through? */ 5350 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) { 5351 sp->pp_alivecnt = 0; 5352 SPPP_UNLOCK(sp); 5353 continue; 5354 } 5355 5356 if (sp->pp_alivecnt >= sp->pp_maxalive) { 5357 /* No keepalive packets got. Stop the interface. */ 5358 SPPP_UNLOCK(sp); 5359 if_down (ifp); 5360 SPPP_LOCK(sp, RW_WRITER); 5361 5362 IF_PURGE(&sp->pp_cpq); 5363 5364 if (! (sp->pp_flags & PP_CISCO)) { 5365 printf("%s: LCP keepalive timed out, going to restart the connection\n", 5366 ifp->if_xname); 5367 sp->pp_alivecnt = 0; 5368 5369 /* we are down, close all open protocols */ 5370 lcp.Close(sp); 5371 5372 /* And now prepare LCP to reestablish the link, if configured to do so. */ 5373 sppp_cp_change_state(&lcp, sp, STATE_STOPPED); 5374 5375 /* Close connection immediately, completition of this 5376 * will summon the magic needed to reestablish it. */ 5377 sppp_notify_tlf_wlocked(sp); 5378 5379 SPPP_UNLOCK(sp); 5380 continue; 5381 } 5382 } 5383 if (sp->pp_alivecnt < sp->pp_maxalive) 5384 ++sp->pp_alivecnt; 5385 if (sp->pp_flags & PP_CISCO) 5386 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 5387 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 5388 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 5389 int32_t nmagic = htonl(sp->lcp.magic); 5390 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 5391 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 5392 sp->lcp.echoid, 4, &nmagic); 5393 } 5394 5395 SPPP_UNLOCK(sp); 5396 } 5397 splx(s); 5398 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 5399 5400 SPPPQ_UNLOCK(); 5401 } 5402 5403 #ifdef INET 5404 /* 5405 * Get both IP addresses. 5406 */ 5407 static void 5408 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 5409 { 5410 struct ifnet *ifp = &sp->pp_if; 5411 struct ifaddr *ifa; 5412 struct sockaddr_in *si, *sm; 5413 uint32_t ssrc, ddst; 5414 int s; 5415 struct psref psref; 5416 5417 sm = NULL; 5418 ssrc = ddst = 0; 5419 /* 5420 * Pick the first AF_INET address from the list, 5421 * aliases don't make any sense on a p2p link anyway. 5422 */ 5423 si = 0; 5424 s = pserialize_read_enter(); 5425 IFADDR_READER_FOREACH(ifa, ifp) { 5426 if (ifa->ifa_addr->sa_family == AF_INET) { 5427 si = (struct sockaddr_in *)ifa->ifa_addr; 5428 sm = (struct sockaddr_in *)ifa->ifa_netmask; 5429 if (si) { 5430 ifa_acquire(ifa, &psref); 5431 break; 5432 } 5433 } 5434 } 5435 pserialize_read_exit(s); 5436 if (ifa) { 5437 if (si && si->sin_addr.s_addr) { 5438 ssrc = si->sin_addr.s_addr; 5439 if (srcmask) 5440 *srcmask = ntohl(sm->sin_addr.s_addr); 5441 } 5442 5443 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 5444 if (si && si->sin_addr.s_addr) 5445 ddst = si->sin_addr.s_addr; 5446 ifa_release(ifa, &psref); 5447 } 5448 5449 if (dst) *dst = ntohl(ddst); 5450 if (src) *src = ntohl(ssrc); 5451 } 5452 5453 /* 5454 * Set IP addresses. Must be called at splnet. 5455 * If an address is 0, leave it the way it is. 5456 */ 5457 static void 5458 sppp_set_ip_addrs_work(struct work *wk, struct sppp *sp) 5459 { 5460 STDDCL; 5461 struct ifaddr *ifa; 5462 struct sockaddr_in *si, *dest; 5463 uint32_t myaddr = 0, hisaddr = 0; 5464 int s; 5465 5466 IFNET_LOCK(ifp); 5467 5468 /* 5469 * Pick the first AF_INET address from the list, 5470 * aliases don't make any sense on a p2p link anyway. 5471 */ 5472 si = dest = NULL; 5473 s = pserialize_read_enter(); 5474 IFADDR_READER_FOREACH(ifa, ifp) { 5475 if (ifa->ifa_addr->sa_family == AF_INET) { 5476 si = (struct sockaddr_in *)ifa->ifa_addr; 5477 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5478 break; 5479 } 5480 } 5481 pserialize_read_exit(s); 5482 5483 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 5484 myaddr = sp->ipcp.req_myaddr; 5485 else if (si != NULL) 5486 myaddr = ntohl(si->sin_addr.s_addr); 5487 5488 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 5489 hisaddr = sp->ipcp.req_hisaddr; 5490 else if (dest != NULL) 5491 hisaddr = ntohl(dest->sin_addr.s_addr); 5492 5493 if (si != NULL && dest != NULL) { 5494 int error; 5495 struct sockaddr_in new_sin = *si; 5496 struct sockaddr_in new_dst = *dest; 5497 5498 if (myaddr != 0) 5499 new_sin.sin_addr.s_addr = htonl(myaddr); 5500 if (hisaddr != 0) { 5501 new_dst.sin_addr.s_addr = htonl(hisaddr); 5502 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) 5503 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 5504 } 5505 5506 in_addrhash_remove(ifatoia(ifa)); 5507 5508 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5509 5510 in_addrhash_insert(ifatoia(ifa)); 5511 5512 if (debug && error) 5513 { 5514 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5515 ifp->if_xname, __func__, error); 5516 } 5517 if (!error) { 5518 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5519 } 5520 } 5521 5522 if (ifp->if_mtu > sp->lcp.their_mru) { 5523 sp->pp_saved_mtu = ifp->if_mtu; 5524 ifp->if_mtu = sp->lcp.their_mru; 5525 if (debug) 5526 log(LOG_DEBUG, 5527 "%s: setting MTU to %" PRIu64 " bytes\n", 5528 ifp->if_xname, ifp->if_mtu); 5529 } 5530 5531 IFNET_UNLOCK(ifp); 5532 5533 sppp_notify_con(sp); 5534 } 5535 5536 static void 5537 sppp_set_ip_addrs(struct sppp *sp) 5538 { 5539 struct ifnet *ifp = &sp->pp_if; 5540 5541 if (!pcq_put(sp->ipcp.update_addrs_q, (void *)IPCP_SET_ADDRS)) { 5542 log(LOG_WARNING, "%s: cannot enqueued, ignore sppp_clear_ip_addrs\n", 5543 ifp->if_xname); 5544 return; 5545 } 5546 5547 if (atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1) == 1) 5548 return; 5549 5550 workqueue_enqueue(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk, NULL); 5551 } 5552 5553 /* 5554 * Clear IP addresses. Must be called at splnet. 5555 */ 5556 static void 5557 sppp_clear_ip_addrs_work(struct work *wk, struct sppp *sp) 5558 { 5559 STDDCL; 5560 struct ifaddr *ifa; 5561 struct sockaddr_in *si, *dest; 5562 int s; 5563 5564 IFNET_LOCK(ifp); 5565 5566 /* 5567 * Pick the first AF_INET address from the list, 5568 * aliases don't make any sense on a p2p link anyway. 5569 */ 5570 si = dest = NULL; 5571 s = pserialize_read_enter(); 5572 IFADDR_READER_FOREACH(ifa, ifp) { 5573 if (ifa->ifa_addr->sa_family == AF_INET) { 5574 si = (struct sockaddr_in *)ifa->ifa_addr; 5575 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5576 break; 5577 } 5578 } 5579 pserialize_read_exit(s); 5580 5581 if (si != NULL) { 5582 struct sockaddr_in new_sin = *si; 5583 struct sockaddr_in new_dst = *dest; 5584 int error; 5585 5586 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 5587 new_sin.sin_addr.s_addr = 0; 5588 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 5589 new_dst.sin_addr.s_addr = sp->ipcp.saved_hisaddr; 5590 5591 in_addrhash_remove(ifatoia(ifa)); 5592 5593 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5594 5595 in_addrhash_insert(ifatoia(ifa)); 5596 5597 if (debug && error) 5598 { 5599 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5600 ifp->if_xname, __func__, error); 5601 } 5602 if (!error) { 5603 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5604 } 5605 } 5606 5607 if (sp->pp_saved_mtu > 0) { 5608 ifp->if_mtu = sp->pp_saved_mtu; 5609 sp->pp_saved_mtu = 0; 5610 if (debug) 5611 log(LOG_DEBUG, 5612 "%s: resetting MTU to %" PRIu64 " bytes\n", 5613 ifp->if_xname, ifp->if_mtu); 5614 } 5615 5616 IFNET_UNLOCK(ifp); 5617 } 5618 5619 static void 5620 sppp_clear_ip_addrs(struct sppp *sp) 5621 { 5622 struct ifnet *ifp = &sp->pp_if; 5623 5624 if (!pcq_put(sp->ipcp.update_addrs_q, (void *)IPCP_CLEAR_ADDRS)) { 5625 log(LOG_WARNING, "%s: cannot enqueued, ignore sppp_clear_ip_addrs\n", 5626 ifp->if_xname); 5627 return; 5628 } 5629 5630 if (atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1) == 1) 5631 return; 5632 5633 workqueue_enqueue(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk, NULL); 5634 } 5635 5636 static void 5637 sppp_update_ip_addrs_work(struct work *wk, void *arg) 5638 { 5639 struct sppp *sp = arg; 5640 void *work; 5641 5642 atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 0); 5643 5644 while ((work = pcq_get(sp->ipcp.update_addrs_q)) != NULL) { 5645 int update = (intptr_t)work; 5646 5647 if (update == IPCP_SET_ADDRS) 5648 sppp_set_ip_addrs_work(wk, sp); 5649 else if (update == IPCP_CLEAR_ADDRS) 5650 sppp_clear_ip_addrs_work(wk, sp); 5651 } 5652 } 5653 #endif 5654 5655 #ifdef INET6 5656 /* 5657 * Get both IPv6 addresses. 5658 */ 5659 static void 5660 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 5661 struct in6_addr *srcmask) 5662 { 5663 struct ifnet *ifp = &sp->pp_if; 5664 struct ifaddr *ifa; 5665 struct sockaddr_in6 *si, *sm; 5666 struct in6_addr ssrc, ddst; 5667 int s; 5668 struct psref psref; 5669 5670 sm = NULL; 5671 memset(&ssrc, 0, sizeof(ssrc)); 5672 memset(&ddst, 0, sizeof(ddst)); 5673 /* 5674 * Pick the first link-local AF_INET6 address from the list, 5675 * aliases don't make any sense on a p2p link anyway. 5676 */ 5677 si = 0; 5678 s = pserialize_read_enter(); 5679 IFADDR_READER_FOREACH(ifa, ifp) { 5680 if (ifa->ifa_addr->sa_family == AF_INET6) { 5681 si = (struct sockaddr_in6 *)ifa->ifa_addr; 5682 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 5683 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) { 5684 ifa_acquire(ifa, &psref); 5685 break; 5686 } 5687 } 5688 } 5689 pserialize_read_exit(s); 5690 5691 if (ifa) { 5692 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 5693 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 5694 if (srcmask) { 5695 memcpy(srcmask, &sm->sin6_addr, 5696 sizeof(*srcmask)); 5697 } 5698 } 5699 5700 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 5701 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 5702 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 5703 ifa_release(ifa, &psref); 5704 } 5705 5706 if (dst) 5707 memcpy(dst, &ddst, sizeof(*dst)); 5708 if (src) 5709 memcpy(src, &ssrc, sizeof(*src)); 5710 } 5711 5712 #ifdef IPV6CP_MYIFID_DYN 5713 /* 5714 * Generate random ifid. 5715 */ 5716 static void 5717 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5718 { 5719 /* TBD */ 5720 } 5721 5722 /* 5723 * Set my IPv6 address. Must be called at splnet. 5724 */ 5725 static void 5726 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5727 { 5728 STDDCL; 5729 struct ifaddr *ifa; 5730 struct sockaddr_in6 *sin6; 5731 int s; 5732 struct psref psref; 5733 5734 IFNET_LOCK(ifp); 5735 5736 /* 5737 * Pick the first link-local AF_INET6 address from the list, 5738 * aliases don't make any sense on a p2p link anyway. 5739 */ 5740 5741 sin6 = NULL; 5742 s = pserialize_read_enter(); 5743 IFADDR_READER_FOREACH(ifa, ifp) 5744 { 5745 if (ifa->ifa_addr->sa_family == AF_INET6) 5746 { 5747 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5748 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) { 5749 ifa_acquire(ifa, &psref); 5750 break; 5751 } 5752 } 5753 } 5754 pserialize_read_exit(s); 5755 5756 if (ifa && sin6) 5757 { 5758 int error; 5759 struct sockaddr_in6 new_sin6 = *sin6; 5760 5761 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 5762 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5763 if (debug && error) 5764 { 5765 log(LOG_DEBUG, "%s: %s: in6_ifinit failed, error=%d\n", 5766 ifp->if_xname, __func__, error); 5767 } 5768 if (!error) { 5769 pfil_run_addrhooks(if_pfil, SIOCAIFADDR_IN6, ifa); 5770 } 5771 ifa_release(ifa, &psref); 5772 } 5773 5774 IFNET_UNLOCK(ifp); 5775 } 5776 #endif 5777 5778 /* 5779 * Suggest a candidate address to be used by peer. 5780 */ 5781 static void 5782 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5783 { 5784 struct in6_addr myaddr; 5785 struct timeval tv; 5786 5787 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5788 5789 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5790 microtime(&tv); 5791 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5792 myaddr.s6_addr[14] ^= 0xff; 5793 myaddr.s6_addr[15] ^= 0xff; 5794 } else { 5795 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5796 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5797 } 5798 if (suggest) 5799 memcpy(suggest, &myaddr, sizeof(myaddr)); 5800 } 5801 #endif /*INET6*/ 5802 5803 /* 5804 * Process ioctl requests specific to the PPP interface. 5805 * Permissions have already been checked. 5806 */ 5807 static int 5808 sppp_params(struct sppp *sp, u_long cmd, void *data) 5809 { 5810 switch (cmd) { 5811 case SPPPGETAUTHCFG: 5812 { 5813 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5814 int error; 5815 size_t len; 5816 5817 SPPP_LOCK(sp, RW_READER); 5818 5819 cfg->myauthflags = sp->myauth.flags; 5820 cfg->hisauthflags = sp->hisauth.flags; 5821 strlcpy(cfg->ifname, sp->pp_if.if_xname, sizeof(cfg->ifname)); 5822 cfg->hisauth = 0; 5823 if (sp->hisauth.proto) 5824 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5825 cfg->myauth = 0; 5826 if (sp->myauth.proto) 5827 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5828 if (cfg->myname_length == 0) { 5829 if (sp->myauth.name != NULL) 5830 cfg->myname_length = sp->myauth.name_len + 1; 5831 } else { 5832 if (sp->myauth.name == NULL) { 5833 cfg->myname_length = 0; 5834 } else { 5835 len = sp->myauth.name_len + 1; 5836 5837 5838 if (cfg->myname_length < len) { 5839 SPPP_UNLOCK(sp); 5840 return (ENAMETOOLONG); 5841 } 5842 error = copyout(sp->myauth.name, cfg->myname, len); 5843 if (error) { 5844 SPPP_UNLOCK(sp); 5845 return error; 5846 } 5847 } 5848 } 5849 if (cfg->hisname_length == 0) { 5850 if (sp->hisauth.name != NULL) 5851 cfg->hisname_length = sp->hisauth.name_len + 1; 5852 } else { 5853 if (sp->hisauth.name == NULL) { 5854 cfg->hisname_length = 0; 5855 } else { 5856 len = sp->hisauth.name_len + 1; 5857 5858 if (cfg->hisname_length < len) { 5859 SPPP_UNLOCK(sp); 5860 return (ENAMETOOLONG); 5861 } 5862 error = copyout(sp->hisauth.name, cfg->hisname, len); 5863 if (error) { 5864 SPPP_UNLOCK(sp); 5865 return error; 5866 } 5867 } 5868 } 5869 SPPP_UNLOCK(sp); 5870 } 5871 break; 5872 case SPPPSETAUTHCFG: 5873 { 5874 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5875 int error; 5876 5877 SPPP_LOCK(sp, RW_WRITER); 5878 5879 if (sp->myauth.name) { 5880 free(sp->myauth.name, M_DEVBUF); 5881 sp->myauth.name = NULL; 5882 } 5883 if (sp->myauth.secret) { 5884 free(sp->myauth.secret, M_DEVBUF); 5885 sp->myauth.secret = NULL; 5886 } 5887 if (sp->hisauth.name) { 5888 free(sp->hisauth.name, M_DEVBUF); 5889 sp->hisauth.name = NULL; 5890 } 5891 if (sp->hisauth.secret) { 5892 free(sp->hisauth.secret, M_DEVBUF); 5893 sp->hisauth.secret = NULL; 5894 } 5895 5896 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 5897 if (cfg->hisname_length >= MCLBYTES) { 5898 SPPP_UNLOCK(sp); 5899 return (ENAMETOOLONG); 5900 } 5901 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 5902 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 5903 if (error) { 5904 free(sp->hisauth.name, M_DEVBUF); 5905 sp->hisauth.name = NULL; 5906 SPPP_UNLOCK(sp); 5907 return error; 5908 } 5909 sp->hisauth.name_len = cfg->hisname_length - 1; 5910 sp->hisauth.name[sp->hisauth.name_len] = 0; 5911 } 5912 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 5913 if (cfg->hissecret_length >= MCLBYTES) { 5914 SPPP_UNLOCK(sp); 5915 return (ENAMETOOLONG); 5916 } 5917 sp->hisauth.secret = malloc(cfg->hissecret_length, 5918 M_DEVBUF, M_WAITOK); 5919 error = copyin(cfg->hissecret, sp->hisauth.secret, 5920 cfg->hissecret_length); 5921 if (error) { 5922 free(sp->hisauth.secret, M_DEVBUF); 5923 sp->hisauth.secret = NULL; 5924 SPPP_UNLOCK(sp); 5925 return error; 5926 } 5927 sp->hisauth.secret_len = cfg->hissecret_length - 1; 5928 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 5929 } 5930 if (cfg->myname != NULL && cfg->myname_length > 0) { 5931 if (cfg->myname_length >= MCLBYTES) { 5932 SPPP_UNLOCK(sp); 5933 return (ENAMETOOLONG); 5934 } 5935 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 5936 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 5937 if (error) { 5938 free(sp->myauth.name, M_DEVBUF); 5939 sp->myauth.name = NULL; 5940 SPPP_UNLOCK(sp); 5941 return error; 5942 } 5943 sp->myauth.name_len = cfg->myname_length - 1; 5944 sp->myauth.name[sp->myauth.name_len] = 0; 5945 } 5946 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 5947 if (cfg->mysecret_length >= MCLBYTES) { 5948 SPPP_UNLOCK(sp); 5949 return (ENAMETOOLONG); 5950 } 5951 sp->myauth.secret = malloc(cfg->mysecret_length, 5952 M_DEVBUF, M_WAITOK); 5953 error = copyin(cfg->mysecret, sp->myauth.secret, 5954 cfg->mysecret_length); 5955 if (error) { 5956 free(sp->myauth.secret, M_DEVBUF); 5957 sp->myauth.secret = NULL; 5958 SPPP_UNLOCK(sp); 5959 return error; 5960 } 5961 sp->myauth.secret_len = cfg->mysecret_length - 1; 5962 sp->myauth.secret[sp->myauth.secret_len] = 0; 5963 } 5964 sp->myauth.flags = cfg->myauthflags; 5965 if (cfg->myauth) 5966 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5967 sp->hisauth.flags = cfg->hisauthflags; 5968 if (cfg->hisauth) 5969 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5970 sp->pp_auth_failures = 0; 5971 if (sp->hisauth.proto != 0) 5972 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 5973 else 5974 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 5975 5976 SPPP_UNLOCK(sp); 5977 } 5978 break; 5979 case SPPPGETLCPCFG: 5980 { 5981 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5982 5983 SPPP_LOCK(sp, RW_READER); 5984 lcpp->lcp_timeout = sp->lcp.timeout; 5985 SPPP_UNLOCK(sp); 5986 } 5987 break; 5988 case SPPPSETLCPCFG: 5989 { 5990 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5991 5992 SPPP_LOCK(sp, RW_WRITER); 5993 sp->lcp.timeout = lcpp->lcp_timeout; 5994 SPPP_UNLOCK(sp); 5995 } 5996 break; 5997 case SPPPGETSTATUS: 5998 { 5999 struct spppstatus *status = (struct spppstatus *)data; 6000 6001 SPPP_LOCK(sp, RW_READER); 6002 status->phase = sp->pp_phase; 6003 SPPP_UNLOCK(sp); 6004 } 6005 break; 6006 case SPPPGETSTATUSNCP: 6007 { 6008 struct spppstatusncp *status = (struct spppstatusncp *)data; 6009 6010 SPPP_LOCK(sp, RW_READER); 6011 status->phase = sp->pp_phase; 6012 status->ncpup = sppp_ncp_check(sp); 6013 SPPP_UNLOCK(sp); 6014 } 6015 break; 6016 case SPPPGETIDLETO: 6017 { 6018 struct spppidletimeout *to = (struct spppidletimeout *)data; 6019 6020 SPPP_LOCK(sp, RW_READER); 6021 to->idle_seconds = sp->pp_idle_timeout; 6022 SPPP_UNLOCK(sp); 6023 } 6024 break; 6025 case SPPPSETIDLETO: 6026 { 6027 struct spppidletimeout *to = (struct spppidletimeout *)data; 6028 6029 SPPP_LOCK(sp, RW_WRITER); 6030 sp->pp_idle_timeout = to->idle_seconds; 6031 SPPP_UNLOCK(sp); 6032 } 6033 break; 6034 case SPPPSETAUTHFAILURE: 6035 { 6036 struct spppauthfailuresettings *afsettings = 6037 (struct spppauthfailuresettings *)data; 6038 6039 SPPP_LOCK(sp, RW_WRITER); 6040 sp->pp_max_auth_fail = afsettings->max_failures; 6041 sp->pp_auth_failures = 0; 6042 SPPP_UNLOCK(sp); 6043 } 6044 break; 6045 case SPPPGETAUTHFAILURES: 6046 { 6047 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 6048 6049 SPPP_LOCK(sp, RW_READER); 6050 stats->auth_failures = sp->pp_auth_failures; 6051 stats->max_failures = sp->pp_max_auth_fail; 6052 SPPP_UNLOCK(sp); 6053 } 6054 break; 6055 case SPPPSETDNSOPTS: 6056 { 6057 struct spppdnssettings *req = (struct spppdnssettings *)data; 6058 6059 SPPP_LOCK(sp, RW_WRITER); 6060 sp->query_dns = req->query_dns & 3; 6061 SPPP_UNLOCK(sp); 6062 } 6063 break; 6064 case SPPPGETDNSOPTS: 6065 { 6066 struct spppdnssettings *req = (struct spppdnssettings *)data; 6067 6068 SPPP_LOCK(sp, RW_READER); 6069 req->query_dns = sp->query_dns; 6070 SPPP_UNLOCK(sp); 6071 } 6072 break; 6073 case SPPPGETDNSADDRS: 6074 { 6075 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 6076 6077 SPPP_LOCK(sp, RW_READER); 6078 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 6079 SPPP_UNLOCK(sp); 6080 } 6081 break; 6082 case SPPPGETKEEPALIVE: 6083 { 6084 struct spppkeepalivesettings *settings = 6085 (struct spppkeepalivesettings*)data; 6086 6087 SPPP_LOCK(sp, RW_READER); 6088 settings->maxalive = sp->pp_maxalive; 6089 settings->max_noreceive = sp->pp_max_noreceive; 6090 SPPP_UNLOCK(sp); 6091 } 6092 break; 6093 case SPPPSETKEEPALIVE: 6094 { 6095 struct spppkeepalivesettings *settings = 6096 (struct spppkeepalivesettings*)data; 6097 6098 SPPP_LOCK(sp, RW_WRITER); 6099 sp->pp_maxalive = settings->maxalive; 6100 sp->pp_max_noreceive = settings->max_noreceive; 6101 SPPP_UNLOCK(sp); 6102 } 6103 break; 6104 default: 6105 { 6106 int ret; 6107 6108 MODULE_HOOK_CALL(sppp_params_50_hook, (sp, cmd, data), 6109 enosys(), ret); 6110 if (ret != ENOSYS) 6111 return ret; 6112 return (EINVAL); 6113 } 6114 } 6115 return (0); 6116 } 6117 6118 static void 6119 sppp_phase_network(struct sppp *sp) 6120 { 6121 int i; 6122 uint32_t mask; 6123 6124 KASSERT(SPPP_WLOCKED(sp)); 6125 6126 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 6127 6128 /* Notify NCPs now. */ 6129 for (i = 0; i < IDX_COUNT; i++) 6130 if ((cps[i])->flags & CP_NCP) 6131 (cps[i])->Open(sp); 6132 6133 /* Send Up events to all NCPs. */ 6134 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 6135 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) { 6136 (cps[i])->Up(sp); 6137 } 6138 6139 /* if no NCP is starting, all this was in vain, close down */ 6140 sppp_lcp_check_and_close(sp); 6141 } 6142 6143 6144 static const char * 6145 sppp_cp_type_name(u_char type) 6146 { 6147 static char buf[12]; 6148 switch (type) { 6149 case CONF_REQ: return "conf-req"; 6150 case CONF_ACK: return "conf-ack"; 6151 case CONF_NAK: return "conf-nak"; 6152 case CONF_REJ: return "conf-rej"; 6153 case TERM_REQ: return "term-req"; 6154 case TERM_ACK: return "term-ack"; 6155 case CODE_REJ: return "code-rej"; 6156 case PROTO_REJ: return "proto-rej"; 6157 case ECHO_REQ: return "echo-req"; 6158 case ECHO_REPLY: return "echo-reply"; 6159 case DISC_REQ: return "discard-req"; 6160 } 6161 snprintf(buf, sizeof(buf), "0x%x", type); 6162 return buf; 6163 } 6164 6165 static const char * 6166 sppp_auth_type_name(u_short proto, u_char type) 6167 { 6168 static char buf[32]; 6169 const char *name; 6170 6171 switch (proto) { 6172 case PPP_CHAP: 6173 switch (type) { 6174 case CHAP_CHALLENGE: return "challenge"; 6175 case CHAP_RESPONSE: return "response"; 6176 case CHAP_SUCCESS: return "success"; 6177 case CHAP_FAILURE: return "failure"; 6178 default: name = "chap"; break; 6179 } 6180 break; 6181 6182 case PPP_PAP: 6183 switch (type) { 6184 case PAP_REQ: return "req"; 6185 case PAP_ACK: return "ack"; 6186 case PAP_NAK: return "nak"; 6187 default: name = "pap"; break; 6188 } 6189 break; 6190 6191 default: 6192 name = "bad"; 6193 break; 6194 } 6195 6196 snprintf(buf, sizeof(buf), "%s(%#x) %#x", name, proto, type); 6197 return buf; 6198 } 6199 6200 static const char * 6201 sppp_lcp_opt_name(u_char opt) 6202 { 6203 static char buf[12]; 6204 switch (opt) { 6205 case LCP_OPT_MRU: return "mru"; 6206 case LCP_OPT_ASYNC_MAP: return "async-map"; 6207 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 6208 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 6209 case LCP_OPT_MAGIC: return "magic"; 6210 case LCP_OPT_PROTO_COMP: return "proto-comp"; 6211 case LCP_OPT_ADDR_COMP: return "addr-comp"; 6212 case LCP_OPT_SELF_DESC_PAD: return "sdpad"; 6213 case LCP_OPT_CALL_BACK: return "callback"; 6214 case LCP_OPT_COMPOUND_FRMS: return "cmpd-frms"; 6215 case LCP_OPT_MP_MRRU: return "mrru"; 6216 case LCP_OPT_MP_SSNHF: return "mp-ssnhf"; 6217 case LCP_OPT_MP_EID: return "mp-eid"; 6218 } 6219 snprintf(buf, sizeof(buf), "0x%x", opt); 6220 return buf; 6221 } 6222 6223 static const char * 6224 sppp_ipcp_opt_name(u_char opt) 6225 { 6226 static char buf[12]; 6227 switch (opt) { 6228 case IPCP_OPT_ADDRESSES: return "addresses"; 6229 case IPCP_OPT_COMPRESSION: return "compression"; 6230 case IPCP_OPT_ADDRESS: return "address"; 6231 } 6232 snprintf(buf, sizeof(buf), "0x%x", opt); 6233 return buf; 6234 } 6235 6236 #ifdef INET6 6237 static const char * 6238 sppp_ipv6cp_opt_name(u_char opt) 6239 { 6240 static char buf[12]; 6241 switch (opt) { 6242 case IPV6CP_OPT_IFID: return "ifid"; 6243 case IPV6CP_OPT_COMPRESSION: return "compression"; 6244 } 6245 snprintf(buf, sizeof(buf), "0x%x", opt); 6246 return buf; 6247 } 6248 #endif 6249 6250 static const char * 6251 sppp_state_name(int state) 6252 { 6253 switch (state) { 6254 case STATE_INITIAL: return "initial"; 6255 case STATE_STARTING: return "starting"; 6256 case STATE_CLOSED: return "closed"; 6257 case STATE_STOPPED: return "stopped"; 6258 case STATE_CLOSING: return "closing"; 6259 case STATE_STOPPING: return "stopping"; 6260 case STATE_REQ_SENT: return "req-sent"; 6261 case STATE_ACK_RCVD: return "ack-rcvd"; 6262 case STATE_ACK_SENT: return "ack-sent"; 6263 case STATE_OPENED: return "opened"; 6264 } 6265 return "illegal"; 6266 } 6267 6268 static const char * 6269 sppp_phase_name(int phase) 6270 { 6271 switch (phase) { 6272 case SPPP_PHASE_DEAD: return "dead"; 6273 case SPPP_PHASE_ESTABLISH: return "establish"; 6274 case SPPP_PHASE_TERMINATE: return "terminate"; 6275 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 6276 case SPPP_PHASE_NETWORK: return "network"; 6277 } 6278 return "illegal"; 6279 } 6280 6281 static const char * 6282 sppp_proto_name(u_short proto) 6283 { 6284 static char buf[12]; 6285 switch (proto) { 6286 case PPP_LCP: return "lcp"; 6287 case PPP_IPCP: return "ipcp"; 6288 case PPP_PAP: return "pap"; 6289 case PPP_CHAP: return "chap"; 6290 case PPP_IPV6CP: return "ipv6cp"; 6291 } 6292 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto); 6293 return buf; 6294 } 6295 6296 static void 6297 sppp_print_bytes(const u_char *p, u_short len) 6298 { 6299 addlog(" %02x", *p++); 6300 while (--len > 0) 6301 addlog("-%02x", *p++); 6302 } 6303 6304 static void 6305 sppp_print_string(const char *p, u_short len) 6306 { 6307 u_char c; 6308 6309 while (len-- > 0) { 6310 c = *p++; 6311 /* 6312 * Print only ASCII chars directly. RFC 1994 recommends 6313 * using only them, but we don't rely on it. */ 6314 if (c < ' ' || c > '~') 6315 addlog("\\x%x", c); 6316 else 6317 addlog("%c", c); 6318 } 6319 } 6320 6321 static const char * 6322 sppp_dotted_quad(uint32_t addr) 6323 { 6324 static char s[16]; 6325 snprintf(s, sizeof(s), "%d.%d.%d.%d", 6326 (int)((addr >> 24) & 0xff), 6327 (int)((addr >> 16) & 0xff), 6328 (int)((addr >> 8) & 0xff), 6329 (int)(addr & 0xff)); 6330 return s; 6331 } 6332 6333 /* a dummy, used to drop uninteresting events */ 6334 static void 6335 sppp_null(struct sppp *unused) 6336 { 6337 /* do just nothing */ 6338 } 6339 /* 6340 * This file is large. Tell emacs to highlight it nevertheless. 6341 * 6342 * Local Variables: 6343 * hilit-auto-highlight-maxout: 120000 6344 * End: 6345 */ 6346 6347 /* 6348 * Module glue 6349 */ 6350 MODULE(MODULE_CLASS_MISC, sppp_subr, NULL); 6351 6352 static int 6353 sppp_subr_modcmd(modcmd_t cmd, void *arg) 6354 { 6355 switch (cmd) { 6356 case MODULE_CMD_INIT: 6357 case MODULE_CMD_FINI: 6358 return 0; 6359 case MODULE_CMD_STAT: 6360 case MODULE_CMD_AUTOUNLOAD: 6361 default: 6362 return ENOTTY; 6363 } 6364 } 6365 6366 static void 6367 sppp_notify_up(struct sppp *sp) 6368 { 6369 6370 SPPP_LOCK(sp, RW_WRITER); 6371 lcp.Up(sp); 6372 SPPP_UNLOCK(sp); 6373 } 6374 6375 static void 6376 sppp_notify_down(struct sppp *sp) 6377 { 6378 6379 SPPP_LOCK(sp, RW_WRITER); 6380 lcp.Down(sp); 6381 SPPP_UNLOCK(sp); 6382 } 6383 6384 static void 6385 sppp_notify_tls_wlocked(struct sppp *sp) 6386 { 6387 6388 KASSERT(SPPP_WLOCKED(sp)); 6389 6390 if (!sp->pp_tls) 6391 return; 6392 6393 SPPP_UNLOCK(sp); 6394 sp->pp_tls(sp); 6395 SPPP_LOCK(sp, RW_WRITER); 6396 } 6397 6398 static void 6399 sppp_notify_tlf_wlocked(struct sppp *sp) 6400 { 6401 6402 KASSERT(SPPP_WLOCKED(sp)); 6403 6404 if (!sp->pp_tlf) 6405 return; 6406 6407 SPPP_UNLOCK(sp); 6408 sp->pp_tlf(sp); 6409 SPPP_LOCK(sp, RW_WRITER); 6410 } 6411 6412 static void 6413 sppp_notify_con(struct sppp *sp) 6414 { 6415 6416 if (!sp->pp_con) 6417 return; 6418 6419 sp->pp_con(sp); 6420 } 6421 6422 #ifdef INET6 6423 static void 6424 sppp_notify_con_wlocked(struct sppp *sp) 6425 { 6426 6427 KASSERT(SPPP_WLOCKED(sp)); 6428 6429 SPPP_UNLOCK(sp); 6430 sppp_notify_con(sp); 6431 SPPP_LOCK(sp, RW_WRITER); 6432 6433 } 6434 #endif 6435 6436 static void 6437 sppp_notify_chg_wlocked(struct sppp *sp) 6438 { 6439 6440 KASSERT(SPPP_WLOCKED(sp)); 6441 6442 if (!sp->pp_chg) 6443 return; 6444 6445 SPPP_UNLOCK(sp); 6446 sp->pp_chg(sp, sp->pp_phase); 6447 SPPP_LOCK(sp, RW_WRITER); 6448 } 6449
Indexes created Tue Oct 14 06:10:07 GMT 2025