if_spppsubr.c revision 1.187.2.9
1 /* $NetBSD: if_spppsubr.c,v 1.187.2.9 2020/04/11 09:40:02 is Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak (at) cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun (at) iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.187.2.9 2020/04/11 09:40:02 is Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_modular.h" 49 #include "opt_compat_netbsd.h" 50 #include "opt_net_mpsafe.h" 51 #endif 52 53 54 #include <sys/param.h> 55 #include <sys/proc.h> 56 #include <sys/systm.h> 57 #include <sys/kernel.h> 58 #include <sys/sockio.h> 59 #include <sys/socket.h> 60 #include <sys/syslog.h> 61 #include <sys/malloc.h> 62 #include <sys/mbuf.h> 63 #include <sys/callout.h> 64 #include <sys/md5.h> 65 #include <sys/inttypes.h> 66 #include <sys/kauth.h> 67 #include <sys/cprng.h> 68 #include <sys/module.h> 69 #include <sys/workqueue.h> 70 #include <sys/atomic.h> 71 #include <sys/compat_stub.h> 72 73 #include <net/if.h> 74 #include <net/netisr.h> 75 #include <net/if_types.h> 76 #include <net/route.h> 77 #include <net/ppp_defs.h> 78 79 #include <netinet/in.h> 80 #include <netinet/in_systm.h> 81 #include <netinet/in_var.h> 82 #ifdef INET 83 #include <netinet/ip.h> 84 #include <netinet/tcp.h> 85 #endif 86 #include <net/ethertypes.h> 87 88 #ifdef INET6 89 #include <netinet6/scope6_var.h> 90 #endif 91 92 #include <net/if_sppp.h> 93 #include <net/if_spppvar.h> 94 95 #ifndef _NET_IF_STATS_H_ 96 #define if_statadd(ifp,member,amount) do { (ifp)->member+=(amount); } while (0) 97 #define if_statadd2(ifp,m1,a1,m2,a2) do { if_statadd(ifp,m1,a1); if_statadd(ifp,m2,a2);} while(0) 98 #define if_statinc(ifp,member) if_statadd(ifp,member,1) 99 #endif 100 101 #ifdef NET_MPSAFE 102 #define SPPPSUBR_MPSAFE 1 103 #endif 104 105 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 106 #define LOOPALIVECNT 3 /* loopback detection tries */ 107 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 108 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 109 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 110 111 /* 112 * Interface flags that can be set in an ifconfig command. 113 * 114 * Setting link0 will make the link passive, i.e. it will be marked 115 * as being administrative openable, but won't be opened to begin 116 * with. Incoming calls will be answered, or subsequent calls with 117 * -link1 will cause the administrative open of the LCP layer. 118 * 119 * Setting link1 will cause the link to auto-dial only as packets 120 * arrive to be sent. 121 * 122 * Setting IFF_DEBUG will syslog the option negotiation and state 123 * transitions at level kern.debug. Note: all logs consistently look 124 * like 125 * 126 * <if-name><unit>: <proto-name> <additional info...> 127 * 128 * with <if-name><unit> being something like "bppp0", and <proto-name> 129 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 130 */ 131 132 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 133 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 134 135 #define CONF_REQ 1 /* PPP configure request */ 136 #define CONF_ACK 2 /* PPP configure acknowledge */ 137 #define CONF_NAK 3 /* PPP configure negative ack */ 138 #define CONF_REJ 4 /* PPP configure reject */ 139 #define TERM_REQ 5 /* PPP terminate request */ 140 #define TERM_ACK 6 /* PPP terminate acknowledge */ 141 #define CODE_REJ 7 /* PPP code reject */ 142 #define PROTO_REJ 8 /* PPP protocol reject */ 143 #define ECHO_REQ 9 /* PPP echo request */ 144 #define ECHO_REPLY 10 /* PPP echo reply */ 145 #define DISC_REQ 11 /* PPP discard request */ 146 147 #define LCP_OPT_MRU 1 /* maximum receive unit */ 148 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 149 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 150 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 151 #define LCP_OPT_MAGIC 5 /* magic number */ 152 #define LCP_OPT_RESERVED 6 /* reserved */ 153 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 154 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 155 #define LCP_OPT_FCS_ALTS 9 /* FCS alternatives */ 156 #define LCP_OPT_SELF_DESC_PAD 10 /* self-describing padding */ 157 #define LCP_OPT_CALL_BACK 13 /* callback */ 158 #define LCP_OPT_COMPOUND_FRMS 15 /* compound frames */ 159 #define LCP_OPT_MP_MRRU 17 /* multilink MRRU */ 160 #define LCP_OPT_MP_SSNHF 18 /* multilink short seq. numbers */ 161 #define LCP_OPT_MP_EID 19 /* multilink endpoint discriminator */ 162 163 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 164 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 165 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 166 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 167 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 168 169 #define IPCP_UPDATE_LIMIT 8 /* limit of pending IP updating job */ 170 #define IPCP_SET_ADDRS 1 /* marker for IP address setting job */ 171 #define IPCP_CLEAR_ADDRS 2 /* marker for IP address clearing job */ 172 173 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 174 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 175 176 #define PAP_REQ 1 /* PAP name/password request */ 177 #define PAP_ACK 2 /* PAP acknowledge */ 178 #define PAP_NAK 3 /* PAP fail */ 179 180 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 181 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 182 #define CHAP_SUCCESS 3 /* CHAP response ok */ 183 #define CHAP_FAILURE 4 /* CHAP response failed */ 184 185 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 186 187 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 188 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 189 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 190 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 191 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 192 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 193 194 /* states are named and numbered according to RFC 1661 */ 195 #define STATE_INITIAL 0 196 #define STATE_STARTING 1 197 #define STATE_CLOSED 2 198 #define STATE_STOPPED 3 199 #define STATE_CLOSING 4 200 #define STATE_STOPPING 5 201 #define STATE_REQ_SENT 6 202 #define STATE_ACK_RCVD 7 203 #define STATE_ACK_SENT 8 204 #define STATE_OPENED 9 205 206 struct ppp_header { 207 uint8_t address; 208 uint8_t control; 209 uint16_t protocol; 210 } __packed; 211 #define PPP_HEADER_LEN sizeof (struct ppp_header) 212 213 struct lcp_header { 214 uint8_t type; 215 uint8_t ident; 216 uint16_t len; 217 } __packed; 218 #define LCP_HEADER_LEN sizeof (struct lcp_header) 219 220 struct cisco_packet { 221 uint32_t type; 222 uint32_t par1; 223 uint32_t par2; 224 uint16_t rel; 225 uint16_t time0; 226 uint16_t time1; 227 } __packed; 228 #define CISCO_PACKET_LEN 18 229 230 /* 231 * We follow the spelling and capitalization of RFC 1661 here, to make 232 * it easier comparing with the standard. Please refer to this RFC in 233 * case you can't make sense out of these abbreviation; it will also 234 * explain the semantics related to the various events and actions. 235 */ 236 struct cp { 237 u_short proto; /* PPP control protocol number */ 238 u_char protoidx; /* index into state table in struct sppp */ 239 u_char flags; 240 #define CP_LCP 0x01 /* this is the LCP */ 241 #define CP_AUTH 0x02 /* this is an authentication protocol */ 242 #define CP_NCP 0x04 /* this is a NCP */ 243 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 244 const char *name; /* name of this control protocol */ 245 /* event handlers */ 246 void (*Up)(struct sppp *sp); 247 void (*Down)(struct sppp *sp); 248 void (*Open)(struct sppp *sp); 249 void (*Close)(struct sppp *sp); 250 void (*TO)(void *sp); 251 int (*RCR)(struct sppp *sp, struct lcp_header *h, int len); 252 void (*RCN_rej)(struct sppp *sp, struct lcp_header *h, int len); 253 void (*RCN_nak)(struct sppp *sp, struct lcp_header *h, int len); 254 /* actions */ 255 void (*tlu)(struct sppp *sp); 256 void (*tld)(struct sppp *sp); 257 void (*tls)(struct sppp *sp); 258 void (*tlf)(struct sppp *sp); 259 void (*scr)(struct sppp *sp); 260 }; 261 262 static struct sppp *spppq; 263 static kmutex_t *spppq_lock = NULL; 264 static callout_t keepalive_ch; 265 266 #define SPPPQ_LOCK() if (spppq_lock) \ 267 mutex_enter(spppq_lock); 268 #define SPPPQ_UNLOCK() if (spppq_lock) \ 269 mutex_exit(spppq_lock); 270 271 #define SPPP_LOCK(_sp, _op) rw_enter(&(_sp)->pp_lock, (_op)) 272 #define SPPP_UNLOCK(_sp) rw_exit(&(_sp)->pp_lock) 273 #define SPPP_WLOCKED(_sp) rw_write_held(&(_sp)->pp_lock) 274 #define SPPP_UPGRADE(_sp) do{ \ 275 SPPP_UNLOCK(_sp); \ 276 SPPP_LOCK(_sp, RW_WRITER); \ 277 }while (0) 278 #define SPPP_DOWNGRADE(_sp) rw_downgrade(&(_sp)->pp_lock) 279 280 #ifdef INET 281 #ifndef SPPPSUBR_MPSAFE 282 /* 283 * The following disgusting hack gets around the problem that IP TOS 284 * can't be set yet. We want to put "interactive" traffic on a high 285 * priority queue. To decide if traffic is interactive, we check that 286 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 287 * 288 * XXX is this really still necessary? - joerg - 289 */ 290 static u_short interactive_ports[8] = { 291 0, 513, 0, 0, 292 0, 21, 0, 23, 293 }; 294 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 295 #endif /* SPPPSUBR_MPSAFE */ 296 #endif 297 298 /* almost every function needs these */ 299 #define STDDCL \ 300 struct ifnet *ifp = &sp->pp_if; \ 301 int debug = ifp->if_flags & IFF_DEBUG 302 303 static int sppp_output(struct ifnet *ifp, struct mbuf *m, 304 const struct sockaddr *dst, const struct rtentry *rt); 305 306 static void sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2); 307 static void sppp_cisco_input(struct sppp *sp, struct mbuf *m); 308 309 static void sppp_cp_input(const struct cp *cp, struct sppp *sp, 310 struct mbuf *m); 311 static void sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 312 u_char ident, u_short len, void *data); 313 /* static void sppp_cp_timeout(void *arg); */ 314 static void sppp_cp_change_state(const struct cp *cp, struct sppp *sp, 315 int newstate); 316 static void sppp_auth_send(const struct cp *cp, 317 struct sppp *sp, unsigned int type, unsigned int id, 318 ...); 319 320 static void sppp_up_event(const struct cp *cp, struct sppp *sp); 321 static void sppp_down_event(const struct cp *cp, struct sppp *sp); 322 static void sppp_open_event(const struct cp *cp, struct sppp *sp); 323 static void sppp_close_event(const struct cp *cp, struct sppp *sp); 324 static void sppp_to_event(const struct cp *cp, struct sppp *sp); 325 326 static void sppp_null(struct sppp *sp); 327 328 static void sppp_lcp_init(struct sppp *sp); 329 static void sppp_lcp_up(struct sppp *sp); 330 static void sppp_lcp_down(struct sppp *sp); 331 static void sppp_lcp_open(struct sppp *sp); 332 static void sppp_lcp_close(struct sppp *sp); 333 static void sppp_lcp_TO(void *sp); 334 static int sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 335 static void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 336 static void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 337 static void sppp_lcp_tlu(struct sppp *sp); 338 static void sppp_lcp_tld(struct sppp *sp); 339 static void sppp_lcp_tls(struct sppp *sp); 340 static void sppp_lcp_tlf(struct sppp *sp); 341 static void sppp_lcp_scr(struct sppp *sp); 342 static void sppp_lcp_check_and_close(struct sppp *sp); 343 static int sppp_ncp_check(struct sppp *sp); 344 345 static struct mbuf *sppp_ml_defrag(struct sppp *sp, struct mbuf *m, 346 u_int16_t *protocolp); 347 348 static void sppp_ipcp_init(struct sppp *sp); 349 static void sppp_ipcp_up(struct sppp *sp); 350 static void sppp_ipcp_down(struct sppp *sp); 351 static void sppp_ipcp_open(struct sppp *sp); 352 static void sppp_ipcp_close(struct sppp *sp); 353 static void sppp_ipcp_TO(void *sp); 354 static int sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len); 355 static void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 356 static void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 357 static void sppp_ipcp_tlu(struct sppp *sp); 358 static void sppp_ipcp_tld(struct sppp *sp); 359 static void sppp_ipcp_tls(struct sppp *sp); 360 static void sppp_ipcp_tlf(struct sppp *sp); 361 static void sppp_ipcp_scr(struct sppp *sp); 362 363 static void sppp_ipv6cp_init(struct sppp *sp); 364 static void sppp_ipv6cp_up(struct sppp *sp); 365 static void sppp_ipv6cp_down(struct sppp *sp); 366 static void sppp_ipv6cp_open(struct sppp *sp); 367 static void sppp_ipv6cp_close(struct sppp *sp); 368 static void sppp_ipv6cp_TO(void *sp); 369 static int sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len); 370 static void sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len); 371 static void sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len); 372 static void sppp_ipv6cp_tlu(struct sppp *sp); 373 static void sppp_ipv6cp_tld(struct sppp *sp); 374 static void sppp_ipv6cp_tls(struct sppp *sp); 375 static void sppp_ipv6cp_tlf(struct sppp *sp); 376 static void sppp_ipv6cp_scr(struct sppp *sp); 377 378 static void sppp_pap_input(struct sppp *sp, struct mbuf *m); 379 static void sppp_pap_init(struct sppp *sp); 380 static void sppp_pap_open(struct sppp *sp); 381 static void sppp_pap_close(struct sppp *sp); 382 static void sppp_pap_TO(void *sp); 383 static void sppp_pap_my_TO(void *sp); 384 static void sppp_pap_tlu(struct sppp *sp); 385 static void sppp_pap_tld(struct sppp *sp); 386 static void sppp_pap_scr(struct sppp *sp); 387 388 static void sppp_chap_input(struct sppp *sp, struct mbuf *m); 389 static void sppp_chap_init(struct sppp *sp); 390 static void sppp_chap_open(struct sppp *sp); 391 static void sppp_chap_close(struct sppp *sp); 392 static void sppp_chap_TO(void *sp); 393 static void sppp_chap_tlu(struct sppp *sp); 394 static void sppp_chap_tld(struct sppp *sp); 395 static void sppp_chap_scr(struct sppp *sp); 396 397 static const char *sppp_auth_type_name(u_short proto, u_char type); 398 static const char *sppp_cp_type_name(u_char type); 399 static const char *sppp_dotted_quad(uint32_t addr); 400 static const char *sppp_ipcp_opt_name(u_char opt); 401 #ifdef INET6 402 static const char *sppp_ipv6cp_opt_name(u_char opt); 403 #endif 404 static const char *sppp_lcp_opt_name(u_char opt); 405 static const char *sppp_phase_name(int phase); 406 static const char *sppp_proto_name(u_short proto); 407 static const char *sppp_state_name(int state); 408 static int sppp_params(struct sppp *sp, u_long cmd, void *data); 409 #ifdef INET 410 static void sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, 411 uint32_t *srcmask); 412 static void sppp_set_ip_addrs_work(struct work *wk, struct sppp *sp); 413 static void sppp_set_ip_addrs(struct sppp *sp); 414 static void sppp_clear_ip_addrs_work(struct work *wk, struct sppp *sp); 415 static void sppp_clear_ip_addrs(struct sppp *sp); 416 static void sppp_update_ip_addrs_work(struct work *wk, void *arg); 417 #endif 418 static void sppp_keepalive(void *dummy); 419 static void sppp_phase_network(struct sppp *sp); 420 static void sppp_print_bytes(const u_char *p, u_short len); 421 static void sppp_print_string(const char *p, u_short len); 422 #ifdef INET6 423 static void sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, 424 struct in6_addr *dst, struct in6_addr *srcmask); 425 #ifdef IPV6CP_MYIFID_DYN 426 static void sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src); 427 static void sppp_gen_ip6_addr(struct sppp *sp, const struct in6_addr *src); 428 #endif 429 static void sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *src); 430 #endif 431 432 static void sppp_notify_up(struct sppp *); 433 static void sppp_notify_down(struct sppp *); 434 static void sppp_notify_tls_wlocked(struct sppp *); 435 static void sppp_notify_tlf_wlocked(struct sppp *); 436 #ifdef INET6 437 static void sppp_notify_con_wlocked(struct sppp *); 438 #endif 439 static void sppp_notify_con(struct sppp *); 440 441 static void sppp_notify_chg_wlocked(struct sppp *); 442 443 444 /* our control protocol descriptors */ 445 static const struct cp lcp = { 446 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 447 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 448 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 449 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 450 sppp_lcp_scr 451 }; 452 453 static const struct cp ipcp = { 454 PPP_IPCP, IDX_IPCP, 455 #ifdef INET 456 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 457 #else 458 0, 459 #endif 460 "ipcp", 461 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 462 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 463 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 464 sppp_ipcp_scr 465 }; 466 467 static const struct cp ipv6cp = { 468 PPP_IPV6CP, IDX_IPV6CP, 469 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 470 CP_NCP, 471 #else 472 0, 473 #endif 474 "ipv6cp", 475 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 476 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 477 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 478 sppp_ipv6cp_scr 479 }; 480 481 static const struct cp pap = { 482 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 483 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 484 sppp_pap_TO, 0, 0, 0, 485 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 486 sppp_pap_scr 487 }; 488 489 static const struct cp chap = { 490 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 491 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 492 sppp_chap_TO, 0, 0, 0, 493 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 494 sppp_chap_scr 495 }; 496 497 static const struct cp *cps[IDX_COUNT] = { 498 &lcp, /* IDX_LCP */ 499 &ipcp, /* IDX_IPCP */ 500 &ipv6cp, /* IDX_IPV6CP */ 501 &pap, /* IDX_PAP */ 502 &chap, /* IDX_CHAP */ 503 }; 504 505 static void 506 sppp_change_phase(struct sppp *sp, int phase) 507 { 508 STDDCL; 509 510 KASSERT(SPPP_WLOCKED(sp)); 511 512 if (sp->pp_phase == phase) 513 return; 514 515 sp->pp_phase = phase; 516 517 if (phase == SPPP_PHASE_NETWORK) 518 if_link_state_change(ifp, LINK_STATE_UP); 519 else 520 if_link_state_change(ifp, LINK_STATE_DOWN); 521 522 if (debug) 523 { 524 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 525 sppp_phase_name(sp->pp_phase)); 526 } 527 } 528 529 530 /* 531 * Defragment an MP packet. 532 * 533 * Returns NULL or an assembled packet or the original, 534 * and adjusts the passed protocol to the inner one. 535 * 536 * Called with and returns a packet without PPP header, 537 * but with MP fragment header. 538 * 539 * Called and returns with lock held. 540 */ 541 static struct mbuf * 542 sppp_ml_defrag(struct sppp *sp, struct mbuf *m, u_int16_t *protocolp) 543 { 544 u_int8_t *p; 545 u_int8_t flags; 546 u_int32_t seqid; 547 u_int16_t protocol; 548 int newflen; 549 550 if (*protocolp != PPP_MP) 551 return m; /* not ours */ 552 553 if (sp->lcp.mrru == 0) 554 return m; /* 555 * ours, but we're not ready. 556 * sppp_input will arrange for rejection. 557 */ 558 559 if (m->m_len < 4) { 560 m = m_pullup(m, 4); 561 if (m == NULL) { 562 if_statadd2(&sp->pp_if, if_ierrors, 1, if_iqdrops, 1); 563 return NULL; 564 } 565 } 566 p = mtod(m, u_int8_t *); 567 flags = *p; 568 seqid = (p[1]<<16) + (p[2]<<8) + p[3]; 569 570 m_adj(m, 4); 571 572 /* We're manipulating the defragmentation state below: */ 573 SPPP_UPGRADE(sp); 574 575 if (flags & 0x80) { 576 /* Beginning fragment. */ 577 sp->lcp.ml_seq_xpctd=seqid+1; /* next expected */ 578 579 /* TODO: if prefix, count dropped? */ 580 581 m_freem(sp->lcp.ml_prefix); 582 sp->lcp.ml_prefix = m; 583 584 } else if (seqid == sp->lcp.ml_seq_xpctd) { 585 sp->lcp.ml_seq_xpctd=seqid+1; /* next expected */ 586 if (sp->lcp.ml_prefix == 0) { 587 /* didn't see B frame. */ 588 /* TODO: count as dropped. */ 589 m_freem(m); 590 return NULL; 591 } 592 /* 593 * m_cat might free the first mbuf (with pkthdr) 594 * in 2nd chain; therefore: 595 */ 596 newflen = m->m_pkthdr.len; 597 m_cat(sp->lcp.ml_prefix, m); 598 sp->lcp.ml_prefix->m_pkthdr.len += newflen; 599 600 } else { 601 /* 602 * sequence error. 603 * 604 * For now, only drop this fragment, and don't touch state- 605 * might be from the long past or future, and we could still 606 * finish our current prefix. 607 * 608 * TODO: count as dropped. 609 */ 610 m_freem(sp->lcp.ml_prefix); 611 return NULL; 612 } 613 /* Successfully got the Beginning or appended a non-B packet.*/ 614 if (flags & 0x40) { 615 /* B/next was E packet. Unwrap gift and deliver. */ 616 m = sp->lcp.ml_prefix; 617 sp->lcp.ml_prefix = NULL; 618 619 if (m->m_len < 2) { 620 m = m_pullup(m,2); 621 if (m == NULL) { 622 /* TODO: count as dropped. */ 623 return NULL; 624 } 625 } 626 /* RFC 1990 2.: don't assume no protocol field compression */ 627 p = mtod(m, u_int8_t *); 628 protocol = *p; 629 630 if (protocol & 1) { 631 m_adj(m, 1); 632 } else { 633 protocol = (protocol << 8) + p[1]; 634 m_adj(m, 2); 635 } 636 *protocolp = protocol; 637 638 return m; 639 } 640 641 return NULL; 642 } 643 644 645 /* 646 * Exported functions, comprising our interface to the lower layer. 647 */ 648 649 /* 650 * Process the received packet. 651 */ 652 void 653 sppp_input(struct ifnet *ifp, struct mbuf *m) 654 { 655 struct ppp_header *h = NULL; 656 pktqueue_t *pktq = NULL; 657 struct ifqueue *inq = NULL; 658 uint16_t protocol; 659 struct sppp *sp = (struct sppp *)ifp; 660 int debug = ifp->if_flags & IFF_DEBUG; 661 int isr = 0; 662 663 SPPP_LOCK(sp, RW_READER); 664 665 if (ifp->if_flags & IFF_UP) { 666 /* Count received bytes, add hardware framing */ 667 if_statadd(ifp, if_ibytes, m->m_pkthdr.len + sp->pp_framebytes); 668 /* Note time of last receive */ 669 sp->pp_last_receive = time_uptime; 670 } 671 672 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 673 /* Too small packet, drop it. */ 674 if (debug) 675 log(LOG_DEBUG, 676 "%s: input packet is too small, %d bytes\n", 677 ifp->if_xname, m->m_pkthdr.len); 678 drop: 679 if_statadd2(ifp, if_ierrors, 1, if_iqdrops, 1); 680 m_freem(m); 681 SPPP_UNLOCK(sp); 682 return; 683 } 684 685 if (sp->pp_flags & PP_NOFRAMING) { 686 memcpy(&protocol, mtod(m, void *), 2); 687 protocol = ntohs(protocol); 688 m_adj(m, 2); 689 } else { 690 691 /* Get PPP header. */ 692 h = mtod(m, struct ppp_header *); 693 m_adj(m, PPP_HEADER_LEN); 694 695 switch (h->address) { 696 case PPP_ALLSTATIONS: 697 if (h->control != PPP_UI) 698 goto invalid; 699 if (sp->pp_flags & PP_CISCO) { 700 if (debug) 701 log(LOG_DEBUG, 702 "%s: PPP packet in Cisco mode " 703 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 704 ifp->if_xname, 705 h->address, h->control, ntohs(h->protocol)); 706 goto drop; 707 } 708 break; 709 case CISCO_MULTICAST: 710 case CISCO_UNICAST: 711 /* Don't check the control field here (RFC 1547). */ 712 if (! (sp->pp_flags & PP_CISCO)) { 713 if (debug) 714 log(LOG_DEBUG, 715 "%s: Cisco packet in PPP mode " 716 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 717 ifp->if_xname, 718 h->address, h->control, ntohs(h->protocol)); 719 goto drop; 720 } 721 switch (ntohs(h->protocol)) { 722 default: 723 if_statinc(ifp, if_noproto); 724 goto invalid; 725 case CISCO_KEEPALIVE: 726 SPPP_UNLOCK(sp); 727 sppp_cisco_input((struct sppp *) ifp, m); 728 m_freem(m); 729 return; 730 #ifdef INET 731 case ETHERTYPE_IP: 732 pktq = ip_pktq; 733 break; 734 #endif 735 #ifdef INET6 736 case ETHERTYPE_IPV6: 737 pktq = ip6_pktq; 738 break; 739 #endif 740 } 741 goto queue_pkt; 742 default: /* Invalid PPP packet. */ 743 invalid: 744 if (debug) 745 log(LOG_DEBUG, 746 "%s: invalid input packet " 747 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 748 ifp->if_xname, 749 h->address, h->control, ntohs(h->protocol)); 750 goto drop; 751 } 752 protocol = ntohs(h->protocol); 753 } 754 755 m = sppp_ml_defrag(sp, m, &protocol); 756 if (m == 0) { 757 SPPP_UNLOCK(sp); 758 return; 759 } 760 761 switch (protocol) { 762 default: 763 if (sp->state[IDX_LCP] == STATE_OPENED) { 764 uint16_t prot = htons(protocol); 765 766 SPPP_UPGRADE(sp); 767 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 768 ++sp->pp_seq[IDX_LCP], m->m_pkthdr.len + 2, 769 &prot); 770 SPPP_DOWNGRADE(sp); 771 } 772 if (debug) 773 log(LOG_DEBUG, 774 "%s: invalid input protocol " 775 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol)); 776 if_statinc(ifp, if_noproto); 777 goto drop; 778 case PPP_LCP: 779 SPPP_UNLOCK(sp); 780 sppp_cp_input(&lcp, sp, m); 781 m_freem(m); 782 return; 783 case PPP_PAP: 784 SPPP_UNLOCK(sp); 785 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 786 sppp_pap_input(sp, m); 787 } 788 m_freem(m); 789 return; 790 case PPP_CHAP: 791 SPPP_UNLOCK(sp); 792 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 793 sppp_chap_input(sp, m); 794 } 795 m_freem(m); 796 return; 797 #ifdef INET 798 case PPP_IPCP: 799 SPPP_UNLOCK(sp); 800 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 801 sppp_cp_input(&ipcp, sp, m); 802 } 803 m_freem(m); 804 return; 805 case PPP_IP: 806 if (sp->state[IDX_IPCP] == STATE_OPENED) { 807 sp->pp_last_activity = time_uptime; 808 pktq = ip_pktq; 809 } 810 break; 811 #endif 812 #ifdef INET6 813 case PPP_IPV6CP: 814 SPPP_UNLOCK(sp); 815 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 816 sppp_cp_input(&ipv6cp, sp, m); 817 } 818 m_freem(m); 819 return; 820 821 case PPP_IPV6: 822 if (sp->state[IDX_IPV6CP] == STATE_OPENED) { 823 sp->pp_last_activity = time_uptime; 824 pktq = ip6_pktq; 825 } 826 break; 827 #endif 828 } 829 830 queue_pkt: 831 if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) { 832 goto drop; 833 } 834 835 /* Check queue. */ 836 if (__predict_true(pktq)) { 837 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 838 goto drop; 839 } 840 SPPP_UNLOCK(sp); 841 return; 842 } 843 844 SPPP_UNLOCK(sp); 845 846 IFQ_LOCK(inq); 847 if (IF_QFULL(inq)) { 848 /* Queue overflow. */ 849 IF_DROP(inq); 850 IFQ_UNLOCK(inq); 851 if (debug) 852 log(LOG_DEBUG, "%s: protocol queue overflow\n", 853 ifp->if_xname); 854 855 SPPP_LOCK(sp, RW_READER); 856 goto drop; 857 } 858 IF_ENQUEUE(inq, m); 859 IFQ_UNLOCK(inq); 860 schednetisr(isr); 861 } 862 863 /* 864 * Enqueue transmit packet. 865 */ 866 static int 867 sppp_output(struct ifnet *ifp, struct mbuf *m, 868 const struct sockaddr *dst, const struct rtentry *rt) 869 { 870 struct sppp *sp = (struct sppp *) ifp; 871 struct ppp_header *h = NULL; 872 #ifndef SPPPSUBR_MPSAFE 873 struct ifqueue *ifq = NULL; /* XXX */ 874 #endif 875 int s, error = 0; 876 uint16_t protocol; 877 size_t pktlen; 878 879 s = splnet(); 880 SPPP_LOCK(sp, RW_READER); 881 882 sp->pp_last_activity = time_uptime; 883 884 if ((ifp->if_flags & IFF_UP) == 0 || 885 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 886 SPPP_UNLOCK(sp); 887 splx(s); 888 889 m_freem(m); 890 891 return (ENETDOWN); 892 } 893 894 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 895 /* 896 * Interface is not yet running, but auto-dial. Need 897 * to start LCP for it. 898 */ 899 ifp->if_flags |= IFF_RUNNING; 900 901 SPPP_UNLOCK(sp); 902 splx(s); 903 904 SPPP_LOCK(sp, RW_WRITER); 905 lcp.Open(sp); 906 SPPP_UNLOCK(sp); 907 908 s = splnet(); 909 SPPP_LOCK(sp, RW_READER); 910 } 911 912 /* 913 * If the queueing discipline needs packet classification, 914 * do it before prepending link headers. 915 */ 916 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family); 917 918 #ifdef INET 919 if (dst->sa_family == AF_INET) { 920 struct ip *ip = NULL; 921 #ifndef SPPPSUBR_MPSAFE 922 struct tcphdr *th = NULL; 923 #endif 924 925 if (m->m_len >= sizeof(struct ip)) { 926 ip = mtod(m, struct ip *); 927 #ifndef SPPPSUBR_MPSAFE 928 if (ip->ip_p == IPPROTO_TCP && 929 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 930 sizeof(struct tcphdr)) { 931 th = (struct tcphdr *) 932 ((char *)ip + (ip->ip_hl << 2)); 933 } 934 #endif 935 } else 936 ip = NULL; 937 938 /* 939 * When using dynamic local IP address assignment by using 940 * 0.0.0.0 as a local address, the first TCP session will 941 * not connect because the local TCP checksum is computed 942 * using 0.0.0.0 which will later become our real IP address 943 * so the TCP checksum computed at the remote end will 944 * become invalid. So we 945 * - don't let packets with src ip addr 0 thru 946 * - we flag TCP packets with src ip 0 as an error 947 */ 948 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 949 uint8_t proto = ip->ip_p; 950 951 SPPP_UNLOCK(sp); 952 splx(s); 953 954 m_freem(m); 955 if (proto == IPPROTO_TCP) 956 return (EADDRNOTAVAIL); 957 else 958 return (0); 959 } 960 961 #ifndef SPPPSUBR_MPSAFE 962 /* 963 * Put low delay, telnet, rlogin and ftp control packets 964 * in front of the queue. 965 */ 966 if (!IF_QFULL(&sp->pp_fastq) && 967 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 968 (th && (INTERACTIVE(ntohs(th->th_sport)) || 969 INTERACTIVE(ntohs(th->th_dport)))))) 970 ifq = &sp->pp_fastq; 971 #endif /* !SPPPSUBR_MPSAFE */ 972 } 973 #endif 974 975 #ifdef INET6 976 if (dst->sa_family == AF_INET6) { 977 /* XXX do something tricky here? */ 978 } 979 #endif 980 981 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 982 /* 983 * Prepend general data packet PPP header. For now, IP only. 984 */ 985 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 986 if (! m) { 987 if (ifp->if_flags & IFF_DEBUG) 988 log(LOG_DEBUG, "%s: no memory for transmit header\n", 989 ifp->if_xname); 990 if_statinc(ifp, if_oerrors); 991 SPPP_UNLOCK(sp); 992 splx(s); 993 return (ENOBUFS); 994 } 995 /* 996 * May want to check size of packet 997 * (albeit due to the implementation it's always enough) 998 */ 999 h = mtod(m, struct ppp_header *); 1000 if (sp->pp_flags & PP_CISCO) { 1001 h->address = CISCO_UNICAST; /* unicast address */ 1002 h->control = 0; 1003 } else { 1004 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1005 h->control = PPP_UI; /* Unnumbered Info */ 1006 } 1007 } 1008 1009 switch (dst->sa_family) { 1010 #ifdef INET 1011 case AF_INET: /* Internet Protocol */ 1012 if (sp->pp_flags & PP_CISCO) 1013 protocol = htons(ETHERTYPE_IP); 1014 else { 1015 /* 1016 * Don't choke with an ENETDOWN early. It's 1017 * possible that we just started dialing out, 1018 * so don't drop the packet immediately. If 1019 * we notice that we run out of buffer space 1020 * below, we will however remember that we are 1021 * not ready to carry IP packets, and return 1022 * ENETDOWN, as opposed to ENOBUFS. 1023 */ 1024 protocol = htons(PPP_IP); 1025 if (sp->state[IDX_IPCP] != STATE_OPENED) 1026 error = ENETDOWN; 1027 } 1028 break; 1029 #endif 1030 #ifdef INET6 1031 case AF_INET6: /* Internet Protocol version 6 */ 1032 if (sp->pp_flags & PP_CISCO) 1033 protocol = htons(ETHERTYPE_IPV6); 1034 else { 1035 /* 1036 * Don't choke with an ENETDOWN early. It's 1037 * possible that we just started dialing out, 1038 * so don't drop the packet immediately. If 1039 * we notice that we run out of buffer space 1040 * below, we will however remember that we are 1041 * not ready to carry IP packets, and return 1042 * ENETDOWN, as opposed to ENOBUFS. 1043 */ 1044 protocol = htons(PPP_IPV6); 1045 if (sp->state[IDX_IPV6CP] != STATE_OPENED) 1046 error = ENETDOWN; 1047 } 1048 break; 1049 #endif 1050 default: 1051 m_freem(m); 1052 if_statinc(ifp, if_oerrors); 1053 SPPP_UNLOCK(sp); 1054 splx(s); 1055 return (EAFNOSUPPORT); 1056 } 1057 1058 if (sp->pp_flags & PP_NOFRAMING) { 1059 M_PREPEND(m, 2, M_DONTWAIT); 1060 if (m == NULL) { 1061 if (ifp->if_flags & IFF_DEBUG) 1062 log(LOG_DEBUG, "%s: no memory for transmit header\n", 1063 ifp->if_xname); 1064 if_statinc(ifp, if_oerrors); 1065 SPPP_UNLOCK(sp); 1066 splx(s); 1067 return (ENOBUFS); 1068 } 1069 *mtod(m, uint16_t *) = protocol; 1070 } else { 1071 h->protocol = protocol; 1072 } 1073 1074 pktlen = m->m_pkthdr.len; 1075 #ifdef SPPPSUBR_MPSAFE 1076 SPPP_UNLOCK(sp); 1077 error = if_transmit_lock(ifp, m); 1078 SPPP_LOCK(sp, RW_READER); 1079 if (error == 0) 1080 if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes); 1081 #else /* !SPPPSUBR_MPSAFE */ 1082 error = ifq_enqueue2(ifp, ifq, m); 1083 1084 if (error == 0) { 1085 /* 1086 * Count output packets and bytes. 1087 * The packet length includes header + additional hardware 1088 * framing according to RFC 1333. 1089 */ 1090 if (!(ifp->if_flags & IFF_OACTIVE)) { 1091 SPPP_UNLOCK(sp); 1092 if_start_lock(ifp); 1093 SPPP_LOCK(sp, RW_READER); 1094 } 1095 if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes); 1096 } 1097 #endif /* !SPPPSUBR_MPSAFE */ 1098 SPPP_UNLOCK(sp); 1099 splx(s); 1100 return error; 1101 } 1102 1103 static int 1104 sppp_mediachange(struct ifnet *ifp) 1105 { 1106 1107 return (0); 1108 } 1109 1110 static void 1111 sppp_mediastatus(struct ifnet *ifp, struct ifmediareq *imr) 1112 { 1113 int link_state; 1114 1115 link_state = atomic_load_relaxed(&ifp->if_link_state); 1116 switch (link_state) { 1117 case LINK_STATE_UP: 1118 imr->ifm_status = IFM_AVALID | IFM_ACTIVE; 1119 break; 1120 case LINK_STATE_DOWN: 1121 imr->ifm_status = IFM_AVALID; 1122 break; 1123 default: 1124 /* Should be impossible as we set link state down in attach. */ 1125 imr->ifm_status = 0; 1126 break; 1127 } 1128 } 1129 1130 void 1131 sppp_attach(struct ifnet *ifp) 1132 { 1133 struct sppp *sp = (struct sppp *) ifp; 1134 1135 /* Initialize keepalive handler. */ 1136 if (! spppq) { 1137 callout_init(&keepalive_ch, CALLOUT_MPSAFE); 1138 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 1139 } 1140 1141 if (! spppq_lock) 1142 spppq_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_SOFTNET); 1143 1144 /* Insert new entry into the keepalive list. */ 1145 sp->pp_next = spppq; 1146 spppq = sp; 1147 1148 sp->pp_if.if_type = IFT_PPP; 1149 sp->pp_if.if_output = sppp_output; 1150 sp->pp_fastq.ifq_maxlen = 32; 1151 sp->pp_cpq.ifq_maxlen = 20; 1152 sp->pp_loopcnt = 0; 1153 sp->pp_alivecnt = 0; 1154 sp->pp_last_activity = 0; 1155 sp->pp_last_receive = 0; 1156 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 1157 sp->pp_max_noreceive = DEFAULT_NORECV_TIME; 1158 sp->pp_idle_timeout = 0; 1159 memset(&sp->pp_seq[0], 0, sizeof(sp->pp_seq)); 1160 memset(&sp->pp_rseq[0], 0, sizeof(sp->pp_rseq)); 1161 sp->pp_auth_failures = 0; 1162 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 1163 sp->pp_phase = SPPP_PHASE_DEAD; 1164 sp->pp_up = sppp_notify_up; 1165 sp->pp_down = sppp_notify_down; 1166 rw_init(&sp->pp_lock); 1167 1168 if_alloc_sadl(ifp); 1169 1170 /* Lets not beat about the bush, we know we're down. */ 1171 ifp->if_link_state = LINK_STATE_DOWN; 1172 /* There is no media for PPP, but it's needed to report link status. */ 1173 ifmedia_init(&sp->pp_im, 0, sppp_mediachange, sppp_mediastatus); 1174 1175 memset(&sp->myauth, 0, sizeof sp->myauth); 1176 memset(&sp->hisauth, 0, sizeof sp->hisauth); 1177 SPPP_LOCK(sp, RW_WRITER); 1178 sppp_lcp_init(sp); 1179 sppp_ipcp_init(sp); 1180 sppp_ipv6cp_init(sp); 1181 sppp_pap_init(sp); 1182 sppp_chap_init(sp); 1183 SPPP_UNLOCK(sp); 1184 } 1185 1186 void 1187 sppp_detach(struct ifnet *ifp) 1188 { 1189 struct sppp **q, *p, *sp = (struct sppp *) ifp; 1190 1191 /* Remove the entry from the keepalive list. */ 1192 SPPPQ_LOCK(); 1193 for (q = &spppq; (p = *q); q = &p->pp_next) 1194 if (p == sp) { 1195 *q = p->pp_next; 1196 break; 1197 } 1198 SPPPQ_UNLOCK(); 1199 1200 if (! spppq) { 1201 /* Stop keepalive handler. */ 1202 callout_stop(&keepalive_ch); 1203 mutex_obj_free(spppq_lock); 1204 spppq_lock = NULL; 1205 } 1206 1207 SPPP_LOCK(sp, RW_WRITER); 1208 1209 /* to avoid workqueue enqueued */ 1210 atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1); 1211 workqueue_wait(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk); 1212 workqueue_destroy(sp->ipcp.update_addrs_wq); 1213 pcq_destroy(sp->ipcp.update_addrs_q); 1214 1215 callout_stop(&sp->ch[IDX_LCP]); 1216 callout_stop(&sp->ch[IDX_IPCP]); 1217 callout_stop(&sp->ch[IDX_PAP]); 1218 callout_stop(&sp->ch[IDX_CHAP]); 1219 #ifdef INET6 1220 callout_stop(&sp->ch[IDX_IPV6CP]); 1221 #endif 1222 callout_stop(&sp->pap_my_to_ch); 1223 1224 /* free authentication info */ 1225 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 1226 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 1227 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 1228 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 1229 SPPP_UNLOCK(sp); 1230 rw_destroy(&sp->pp_lock); 1231 1232 ifmedia_fini(&sp->pp_im); 1233 } 1234 1235 /* 1236 * Flush the interface output queue. 1237 */ 1238 void 1239 sppp_flush(struct ifnet *ifp) 1240 { 1241 struct sppp *sp = (struct sppp *) ifp; 1242 1243 SPPP_LOCK(sp, RW_WRITER); 1244 IFQ_PURGE(&sp->pp_if.if_snd); 1245 IF_PURGE(&sp->pp_fastq); 1246 IF_PURGE(&sp->pp_cpq); 1247 SPPP_UNLOCK(sp); 1248 } 1249 1250 /* 1251 * Check if the output queue is empty. 1252 */ 1253 int 1254 sppp_isempty(struct ifnet *ifp) 1255 { 1256 struct sppp *sp = (struct sppp *) ifp; 1257 int empty, s; 1258 1259 s = splnet(); 1260 SPPP_LOCK(sp, RW_READER); 1261 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 1262 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 1263 SPPP_UNLOCK(sp); 1264 splx(s); 1265 return (empty); 1266 } 1267 1268 /* 1269 * Get next packet to send. 1270 */ 1271 struct mbuf * 1272 sppp_dequeue(struct ifnet *ifp) 1273 { 1274 struct sppp *sp = (struct sppp *) ifp; 1275 struct mbuf *m; 1276 int s; 1277 1278 s = splnet(); 1279 SPPP_LOCK(sp, RW_WRITER); 1280 /* 1281 * Process only the control protocol queue until we have at 1282 * least one NCP open. 1283 * 1284 * Do always serve all three queues in Cisco mode. 1285 */ 1286 IF_DEQUEUE(&sp->pp_cpq, m); 1287 if (m == NULL && 1288 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) { 1289 IF_DEQUEUE(&sp->pp_fastq, m); 1290 if (m == NULL) 1291 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 1292 } 1293 SPPP_UNLOCK(sp); 1294 splx(s); 1295 return m; 1296 } 1297 1298 /* 1299 * Process an ioctl request. Called on low priority level. 1300 */ 1301 int 1302 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1303 { 1304 struct lwp *l = curlwp; /* XXX */ 1305 struct ifreq *ifr = (struct ifreq *) data; 1306 struct ifaddr *ifa = (struct ifaddr *) data; 1307 struct sppp *sp = (struct sppp *) ifp; 1308 int s, error=0, going_up, going_down; 1309 u_short newmode; 1310 1311 s = splnet(); 1312 switch (cmd) { 1313 case SIOCINITIFADDR: 1314 ifa->ifa_rtrequest = p2p_rtrequest; 1315 break; 1316 1317 case SIOCSIFFLAGS: 1318 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1319 break; 1320 1321 SPPP_LOCK(sp, RW_WRITER); 1322 going_up = ifp->if_flags & IFF_UP && 1323 (ifp->if_flags & IFF_RUNNING) == 0; 1324 going_down = (ifp->if_flags & IFF_UP) == 0 && 1325 ifp->if_flags & IFF_RUNNING; 1326 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1327 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1328 /* sanity */ 1329 newmode = IFF_PASSIVE; 1330 ifp->if_flags &= ~IFF_AUTO; 1331 } 1332 1333 if (going_up || going_down) { 1334 lcp.Close(sp); 1335 } 1336 if (going_up && newmode == 0) { 1337 /* neither auto-dial nor passive */ 1338 ifp->if_flags |= IFF_RUNNING; 1339 if (!(sp->pp_flags & PP_CISCO)) 1340 lcp.Open(sp); 1341 } else if (going_down) { 1342 SPPP_UNLOCK(sp); 1343 sppp_flush(ifp); 1344 SPPP_LOCK(sp, RW_WRITER); 1345 1346 ifp->if_flags &= ~IFF_RUNNING; 1347 } 1348 SPPP_UNLOCK(sp); 1349 break; 1350 1351 case SIOCSIFMTU: 1352 if (ifr->ifr_mtu < PPP_MINMRU || 1353 ifr->ifr_mtu > sp->lcp.their_mru) { 1354 error = EINVAL; 1355 break; 1356 } 1357 /*FALLTHROUGH*/ 1358 case SIOCGIFMTU: 1359 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1360 error = 0; 1361 break; 1362 case SIOCADDMULTI: 1363 case SIOCDELMULTI: 1364 break; 1365 1366 case SPPPSETAUTHCFG: 1367 case SPPPSETLCPCFG: 1368 case SPPPSETIDLETO: 1369 case SPPPSETAUTHFAILURE: 1370 case SPPPSETDNSOPTS: 1371 case SPPPSETKEEPALIVE: 1372 #if defined(COMPAT_50) || defined(MODULAR) 1373 case __SPPPSETIDLETO50: 1374 case __SPPPSETKEEPALIVE50: 1375 #endif /* COMPAT_50 || MODULAR */ 1376 error = kauth_authorize_network(l->l_cred, 1377 KAUTH_NETWORK_INTERFACE, 1378 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1379 NULL); 1380 if (error) 1381 break; 1382 error = sppp_params(sp, cmd, data); 1383 break; 1384 1385 case SPPPGETAUTHCFG: 1386 case SPPPGETLCPCFG: 1387 case SPPPGETAUTHFAILURES: 1388 error = kauth_authorize_network(l->l_cred, 1389 KAUTH_NETWORK_INTERFACE, 1390 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1391 NULL); 1392 if (error) 1393 break; 1394 error = sppp_params(sp, cmd, data); 1395 break; 1396 1397 case SPPPGETSTATUS: 1398 case SPPPGETSTATUSNCP: 1399 case SPPPGETIDLETO: 1400 case SPPPGETDNSOPTS: 1401 case SPPPGETDNSADDRS: 1402 case SPPPGETKEEPALIVE: 1403 #if defined(COMPAT_50) || defined(MODULAR) 1404 case __SPPPGETIDLETO50: 1405 case __SPPPGETKEEPALIVE50: 1406 #endif /* COMPAT_50 || MODULAR */ 1407 error = sppp_params(sp, cmd, data); 1408 break; 1409 1410 case SIOCGIFMEDIA: 1411 error = ifmedia_ioctl(ifp, ifr, &sp->pp_im, cmd); 1412 break; 1413 1414 default: 1415 error = ifioctl_common(ifp, cmd, data); 1416 break; 1417 } 1418 splx(s); 1419 return (error); 1420 } 1421 1422 1423 /* 1424 * Cisco framing implementation. 1425 */ 1426 1427 /* 1428 * Handle incoming Cisco keepalive protocol packets. 1429 */ 1430 static void 1431 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1432 { 1433 STDDCL; 1434 struct cisco_packet *h; 1435 #ifdef INET 1436 uint32_t me, mymask = 0; /* XXX: GCC */ 1437 #endif 1438 1439 SPPP_LOCK(sp, RW_WRITER); 1440 1441 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1442 if (debug) 1443 log(LOG_DEBUG, 1444 "%s: cisco invalid packet length: %d bytes\n", 1445 ifp->if_xname, m->m_pkthdr.len); 1446 SPPP_UNLOCK(sp); 1447 return; 1448 } 1449 h = mtod(m, struct cisco_packet *); 1450 if (debug) 1451 log(LOG_DEBUG, 1452 "%s: cisco input: %d bytes " 1453 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1454 ifp->if_xname, m->m_pkthdr.len, 1455 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1456 (u_int)h->time0, (u_int)h->time1); 1457 switch (ntohl(h->type)) { 1458 default: 1459 if (debug) 1460 addlog("%s: cisco unknown packet type: 0x%x\n", 1461 ifp->if_xname, ntohl(h->type)); 1462 break; 1463 case CISCO_ADDR_REPLY: 1464 /* Reply on address request, ignore */ 1465 break; 1466 case CISCO_KEEPALIVE_REQ: 1467 sp->pp_alivecnt = 0; 1468 sp->pp_rseq[IDX_LCP] = ntohl(h->par1); 1469 if (sp->pp_seq[IDX_LCP] == sp->pp_rseq[IDX_LCP]) { 1470 /* Local and remote sequence numbers are equal. 1471 * Probably, the line is in loopback mode. */ 1472 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1473 printf ("%s: loopback\n", 1474 ifp->if_xname); 1475 sp->pp_loopcnt = 0; 1476 if (ifp->if_flags & IFF_UP) { 1477 SPPP_UNLOCK(sp); 1478 if_down(ifp); 1479 SPPP_LOCK(sp, RW_WRITER); 1480 1481 IF_PURGE(&sp->pp_cpq); 1482 } 1483 } 1484 ++sp->pp_loopcnt; 1485 1486 /* Generate new local sequence number */ 1487 sp->pp_seq[IDX_LCP] = cprng_fast32(); 1488 break; 1489 } 1490 sp->pp_loopcnt = 0; 1491 if (! (ifp->if_flags & IFF_UP) && 1492 (ifp->if_flags & IFF_RUNNING)) { 1493 SPPP_UNLOCK(sp); 1494 if_up(ifp); 1495 SPPP_LOCK(sp, RW_WRITER); 1496 } 1497 break; 1498 case CISCO_ADDR_REQ: 1499 #ifdef INET 1500 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1501 if (me != 0L) 1502 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1503 #endif 1504 break; 1505 } 1506 SPPP_UNLOCK(sp); 1507 } 1508 1509 /* 1510 * Send Cisco keepalive packet. 1511 */ 1512 static void 1513 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1514 { 1515 STDDCL; 1516 struct ppp_header *h; 1517 struct cisco_packet *ch; 1518 struct mbuf *m; 1519 uint32_t t; 1520 1521 KASSERT(SPPP_WLOCKED(sp)); 1522 1523 t = time_uptime * 1000; 1524 MGETHDR(m, M_DONTWAIT, MT_DATA); 1525 if (! m) 1526 return; 1527 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1528 m_reset_rcvif(m); 1529 1530 h = mtod(m, struct ppp_header *); 1531 h->address = CISCO_MULTICAST; 1532 h->control = 0; 1533 h->protocol = htons(CISCO_KEEPALIVE); 1534 1535 ch = (struct cisco_packet *)(h + 1); 1536 ch->type = htonl(type); 1537 ch->par1 = htonl(par1); 1538 ch->par2 = htonl(par2); 1539 ch->rel = -1; 1540 1541 ch->time0 = htons((u_short)(t >> 16)); 1542 ch->time1 = htons((u_short) t); 1543 1544 if (debug) 1545 log(LOG_DEBUG, 1546 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1547 ifp->if_xname, ntohl(ch->type), ch->par1, 1548 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1549 (u_int)ch->time1); 1550 1551 if (IF_QFULL(&sp->pp_cpq)) { 1552 IF_DROP(&sp->pp_fastq); 1553 IF_DROP(&ifp->if_snd); 1554 m_freem(m); 1555 if_statinc(ifp, if_oerrors); 1556 return; 1557 } 1558 1559 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 1560 IF_ENQUEUE(&sp->pp_cpq, m); 1561 1562 if (! (ifp->if_flags & IFF_OACTIVE)) { 1563 SPPP_UNLOCK(sp); 1564 if_start_lock(ifp); 1565 SPPP_LOCK(sp, RW_WRITER); 1566 } 1567 } 1568 1569 /* 1570 * PPP protocol implementation. 1571 */ 1572 1573 /* 1574 * Send PPP control protocol packet. 1575 */ 1576 static void 1577 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1578 u_char ident, u_short len, void *data) 1579 { 1580 STDDCL; 1581 struct lcp_header *lh; 1582 struct mbuf *m; 1583 size_t pkthdrlen; 1584 1585 KASSERT(SPPP_WLOCKED(sp)); 1586 1587 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1588 1589 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1590 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1591 MGETHDR(m, M_DONTWAIT, MT_DATA); 1592 if (! m) { 1593 return; 1594 } 1595 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1596 m_reset_rcvif(m); 1597 1598 if (sp->pp_flags & PP_NOFRAMING) { 1599 *mtod(m, uint16_t *) = htons(proto); 1600 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1601 } else { 1602 struct ppp_header *h; 1603 h = mtod(m, struct ppp_header *); 1604 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1605 h->control = PPP_UI; /* Unnumbered Info */ 1606 h->protocol = htons(proto); /* Link Control Protocol */ 1607 lh = (struct lcp_header *)(h + 1); 1608 } 1609 lh->type = type; 1610 lh->ident = ident; 1611 lh->len = htons(LCP_HEADER_LEN + len); 1612 if (len) 1613 memcpy(lh + 1, data, len); 1614 1615 if (debug) { 1616 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1617 ifp->if_xname, 1618 sppp_proto_name(proto), 1619 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len)); 1620 if (len) 1621 sppp_print_bytes((u_char *)(lh + 1), len); 1622 addlog(">\n"); 1623 } 1624 if (IF_QFULL(&sp->pp_cpq)) { 1625 IF_DROP(&sp->pp_fastq); 1626 IF_DROP(&ifp->if_snd); 1627 m_freem(m); 1628 if_statinc(ifp, if_oerrors); 1629 return; 1630 } 1631 1632 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 1633 IF_ENQUEUE(&sp->pp_cpq, m); 1634 1635 1636 if (! (ifp->if_flags & IFF_OACTIVE)) { 1637 SPPP_UNLOCK(sp); 1638 if_start_lock(ifp); 1639 SPPP_LOCK(sp, RW_WRITER); 1640 } 1641 } 1642 1643 /* 1644 * Handle incoming PPP control protocol packets. 1645 */ 1646 static void 1647 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1648 { 1649 STDDCL; 1650 struct lcp_header *h; 1651 int printlen, len = m->m_pkthdr.len; 1652 int rv; 1653 u_char *p; 1654 uint32_t u32; 1655 1656 SPPP_LOCK(sp, RW_WRITER); 1657 1658 if (len < 4) { 1659 if (debug) 1660 log(LOG_DEBUG, 1661 "%s: %s invalid packet length: %d bytes\n", 1662 ifp->if_xname, cp->name, len); 1663 SPPP_UNLOCK(sp); 1664 return; 1665 } 1666 h = mtod(m, struct lcp_header *); 1667 if (debug) { 1668 printlen = ntohs(h->len); 1669 log(LOG_DEBUG, 1670 "%s: %s input(%s): <%s id=0x%x len=%d", 1671 ifp->if_xname, cp->name, 1672 sppp_state_name(sp->state[cp->protoidx]), 1673 sppp_cp_type_name(h->type), h->ident, printlen); 1674 if (len < printlen) 1675 printlen = len; 1676 if (printlen > 4) 1677 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1678 addlog(">\n"); 1679 } 1680 if (len > ntohs(h->len)) 1681 len = ntohs(h->len); 1682 p = (u_char *)(h + 1); 1683 switch (h->type) { 1684 case CONF_REQ: 1685 if (len < 4) { 1686 if (debug) 1687 addlog("%s: %s invalid conf-req length %d\n", 1688 ifp->if_xname, cp->name, 1689 len); 1690 if_statinc(ifp, if_ierrors); 1691 break; 1692 } 1693 /* handle states where RCR doesn't get a SCA/SCN */ 1694 switch (sp->state[cp->protoidx]) { 1695 case STATE_CLOSING: 1696 case STATE_STOPPING: 1697 SPPP_UNLOCK(sp); 1698 return; 1699 case STATE_CLOSED: 1700 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 1701 0, 0); 1702 SPPP_UNLOCK(sp); 1703 return; 1704 } 1705 rv = (cp->RCR)(sp, h, len); 1706 if (rv < 0) { 1707 /* fatal error, shut down */ 1708 (cp->tld)(sp); 1709 sppp_lcp_tlf(sp); 1710 SPPP_UNLOCK(sp); 1711 return; 1712 } 1713 switch (sp->state[cp->protoidx]) { 1714 case STATE_OPENED: 1715 (cp->tld)(sp); 1716 (cp->scr)(sp); 1717 /* fall through... */ 1718 case STATE_ACK_SENT: 1719 case STATE_REQ_SENT: 1720 sppp_cp_change_state(cp, sp, rv? 1721 STATE_ACK_SENT: STATE_REQ_SENT); 1722 break; 1723 case STATE_STOPPED: 1724 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1725 (cp->scr)(sp); 1726 sppp_cp_change_state(cp, sp, rv? 1727 STATE_ACK_SENT: STATE_REQ_SENT); 1728 break; 1729 case STATE_ACK_RCVD: 1730 if (rv) { 1731 sppp_cp_change_state(cp, sp, STATE_OPENED); 1732 if (debug) 1733 log(LOG_DEBUG, "%s: %s tlu\n", 1734 ifp->if_xname, 1735 cp->name); 1736 (cp->tlu)(sp); 1737 } else 1738 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1739 break; 1740 default: 1741 printf("%s: %s illegal %s in state %s\n", 1742 ifp->if_xname, cp->name, 1743 sppp_cp_type_name(h->type), 1744 sppp_state_name(sp->state[cp->protoidx])); 1745 if_statinc(ifp, if_ierrors); 1746 } 1747 break; 1748 case CONF_ACK: 1749 if (h->ident != sp->confid[cp->protoidx]) { 1750 if (debug) 1751 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1752 ifp->if_xname, cp->name, 1753 h->ident, sp->confid[cp->protoidx]); 1754 if_statinc(ifp, if_ierrors); 1755 break; 1756 } 1757 switch (sp->state[cp->protoidx]) { 1758 case STATE_CLOSED: 1759 case STATE_STOPPED: 1760 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1761 break; 1762 case STATE_CLOSING: 1763 case STATE_STOPPING: 1764 break; 1765 case STATE_REQ_SENT: 1766 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1767 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1768 break; 1769 case STATE_OPENED: 1770 (cp->tld)(sp); 1771 /* fall through */ 1772 case STATE_ACK_RCVD: 1773 (cp->scr)(sp); 1774 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1775 break; 1776 case STATE_ACK_SENT: 1777 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1778 sppp_cp_change_state(cp, sp, STATE_OPENED); 1779 if (debug) 1780 log(LOG_DEBUG, "%s: %s tlu\n", 1781 ifp->if_xname, cp->name); 1782 (cp->tlu)(sp); 1783 break; 1784 default: 1785 printf("%s: %s illegal %s in state %s\n", 1786 ifp->if_xname, cp->name, 1787 sppp_cp_type_name(h->type), 1788 sppp_state_name(sp->state[cp->protoidx])); 1789 if_statinc(ifp, if_ierrors); 1790 } 1791 break; 1792 case CONF_NAK: 1793 case CONF_REJ: 1794 if (h->ident != sp->confid[cp->protoidx]) { 1795 if (debug) 1796 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1797 ifp->if_xname, cp->name, 1798 h->ident, sp->confid[cp->protoidx]); 1799 if_statinc(ifp, if_ierrors); 1800 break; 1801 } 1802 if (h->type == CONF_NAK) 1803 (cp->RCN_nak)(sp, h, len); 1804 else /* CONF_REJ */ 1805 (cp->RCN_rej)(sp, h, len); 1806 1807 switch (sp->state[cp->protoidx]) { 1808 case STATE_CLOSED: 1809 case STATE_STOPPED: 1810 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1811 break; 1812 case STATE_REQ_SENT: 1813 case STATE_ACK_SENT: 1814 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 1815 (cp->scr)(sp); 1816 break; 1817 case STATE_OPENED: 1818 (cp->tld)(sp); 1819 /* fall through */ 1820 case STATE_ACK_RCVD: 1821 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 1822 (cp->scr)(sp); 1823 break; 1824 case STATE_CLOSING: 1825 case STATE_STOPPING: 1826 break; 1827 default: 1828 printf("%s: %s illegal %s in state %s\n", 1829 ifp->if_xname, cp->name, 1830 sppp_cp_type_name(h->type), 1831 sppp_state_name(sp->state[cp->protoidx])); 1832 if_statinc(ifp, if_ierrors); 1833 } 1834 break; 1835 1836 case TERM_REQ: 1837 switch (sp->state[cp->protoidx]) { 1838 case STATE_ACK_RCVD: 1839 case STATE_ACK_SENT: 1840 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1841 /* fall through */ 1842 case STATE_CLOSED: 1843 case STATE_STOPPED: 1844 case STATE_CLOSING: 1845 case STATE_STOPPING: 1846 case STATE_REQ_SENT: 1847 sta: 1848 /* Send Terminate-Ack packet. */ 1849 if (debug) 1850 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 1851 ifp->if_xname, cp->name); 1852 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1853 break; 1854 case STATE_OPENED: 1855 (cp->tld)(sp); 1856 sp->rst_counter[cp->protoidx] = 0; 1857 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1858 goto sta; 1859 default: 1860 printf("%s: %s illegal %s in state %s\n", 1861 ifp->if_xname, cp->name, 1862 sppp_cp_type_name(h->type), 1863 sppp_state_name(sp->state[cp->protoidx])); 1864 if_statinc(ifp, if_ierrors); 1865 } 1866 break; 1867 case TERM_ACK: 1868 switch (sp->state[cp->protoidx]) { 1869 case STATE_CLOSED: 1870 case STATE_STOPPED: 1871 case STATE_REQ_SENT: 1872 case STATE_ACK_SENT: 1873 break; 1874 case STATE_CLOSING: 1875 (cp->tlf)(sp); 1876 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1877 sppp_lcp_check_and_close(sp); 1878 break; 1879 case STATE_STOPPING: 1880 (cp->tlf)(sp); 1881 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1882 sppp_lcp_check_and_close(sp); 1883 break; 1884 case STATE_ACK_RCVD: 1885 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1886 break; 1887 case STATE_OPENED: 1888 (cp->tld)(sp); 1889 (cp->scr)(sp); 1890 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1891 break; 1892 default: 1893 printf("%s: %s illegal %s in state %s\n", 1894 ifp->if_xname, cp->name, 1895 sppp_cp_type_name(h->type), 1896 sppp_state_name(sp->state[cp->protoidx])); 1897 if_statinc(ifp, if_ierrors); 1898 } 1899 break; 1900 case CODE_REJ: 1901 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1902 log(LOG_INFO, 1903 "%s: %s: ignoring RXJ (%s) for code ?, " 1904 "danger will robinson\n", 1905 ifp->if_xname, cp->name, 1906 sppp_cp_type_name(h->type)); 1907 switch (sp->state[cp->protoidx]) { 1908 case STATE_CLOSED: 1909 case STATE_STOPPED: 1910 case STATE_REQ_SENT: 1911 case STATE_ACK_SENT: 1912 case STATE_CLOSING: 1913 case STATE_STOPPING: 1914 case STATE_OPENED: 1915 break; 1916 case STATE_ACK_RCVD: 1917 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1918 break; 1919 default: 1920 printf("%s: %s illegal %s in state %s\n", 1921 ifp->if_xname, cp->name, 1922 sppp_cp_type_name(h->type), 1923 sppp_state_name(sp->state[cp->protoidx])); 1924 if_statinc(ifp, if_ierrors); 1925 } 1926 break; 1927 case PROTO_REJ: 1928 { 1929 int catastrophic; 1930 const struct cp *upper; 1931 int i; 1932 uint16_t proto; 1933 1934 catastrophic = 0; 1935 upper = NULL; 1936 proto = p[0] << 8 | p[1]; 1937 for (i = 0; i < IDX_COUNT; i++) { 1938 if (cps[i]->proto == proto) { 1939 upper = cps[i]; 1940 break; 1941 } 1942 } 1943 if (upper == NULL) 1944 catastrophic++; 1945 1946 if (debug) 1947 log(LOG_INFO, 1948 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1949 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1950 sppp_cp_type_name(h->type), proto, 1951 upper ? upper->name : "unknown", 1952 upper ? sppp_state_name(sp->state[upper->protoidx]) : "?"); 1953 1954 /* 1955 * if we got RXJ+ against conf-req, the peer does not implement 1956 * this particular protocol type. terminate the protocol. 1957 */ 1958 if (upper && !catastrophic) { 1959 if (sp->state[upper->protoidx] == STATE_REQ_SENT) { 1960 upper->Close(sp); 1961 break; 1962 } 1963 } 1964 1965 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1966 switch (sp->state[cp->protoidx]) { 1967 case STATE_CLOSED: 1968 case STATE_STOPPED: 1969 case STATE_REQ_SENT: 1970 case STATE_ACK_SENT: 1971 case STATE_CLOSING: 1972 case STATE_STOPPING: 1973 case STATE_OPENED: 1974 break; 1975 case STATE_ACK_RCVD: 1976 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1977 break; 1978 default: 1979 printf("%s: %s illegal %s in state %s\n", 1980 ifp->if_xname, cp->name, 1981 sppp_cp_type_name(h->type), 1982 sppp_state_name(sp->state[cp->protoidx])); 1983 if_statinc(ifp, if_ierrors); 1984 } 1985 break; 1986 } 1987 case DISC_REQ: 1988 if (cp->proto != PPP_LCP) 1989 goto illegal; 1990 /* Discard the packet. */ 1991 break; 1992 case ECHO_REQ: 1993 if (cp->proto != PPP_LCP) 1994 goto illegal; 1995 if (sp->state[cp->protoidx] != STATE_OPENED) { 1996 if (debug) 1997 addlog("%s: lcp echo req but lcp closed\n", 1998 ifp->if_xname); 1999 if_statinc(ifp, if_ierrors); 2000 break; 2001 } 2002 if (len < 8) { 2003 if (debug) 2004 addlog("%s: invalid lcp echo request " 2005 "packet length: %d bytes\n", 2006 ifp->if_xname, len); 2007 break; 2008 } 2009 memcpy(&u32, h + 1, sizeof u32); 2010 if (ntohl(u32) == sp->lcp.magic) { 2011 /* Line loopback mode detected. */ 2012 printf("%s: loopback\n", ifp->if_xname); 2013 SPPP_UNLOCK(sp); 2014 if_down(ifp); 2015 SPPP_LOCK(sp, RW_WRITER); 2016 2017 IF_PURGE(&sp->pp_cpq); 2018 2019 /* Shut down the PPP link. */ 2020 /* XXX */ 2021 lcp.Down(sp); 2022 lcp.Up(sp); 2023 break; 2024 } 2025 u32 = htonl(sp->lcp.magic); 2026 memcpy(h + 1, &u32, sizeof u32); 2027 if (debug) 2028 addlog("%s: got lcp echo req, sending echo rep\n", 2029 ifp->if_xname); 2030 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 2031 h + 1); 2032 break; 2033 case ECHO_REPLY: 2034 if (cp->proto != PPP_LCP) 2035 goto illegal; 2036 if (h->ident != sp->lcp.echoid) { 2037 if_statinc(ifp, if_ierrors); 2038 break; 2039 } 2040 if (len < 8) { 2041 if (debug) 2042 addlog("%s: lcp invalid echo reply " 2043 "packet length: %d bytes\n", 2044 ifp->if_xname, len); 2045 break; 2046 } 2047 if (debug) 2048 addlog("%s: lcp got echo rep\n", 2049 ifp->if_xname); 2050 memcpy(&u32, h + 1, sizeof u32); 2051 if (ntohl(u32) != sp->lcp.magic) 2052 sp->pp_alivecnt = 0; 2053 break; 2054 default: 2055 /* Unknown packet type -- send Code-Reject packet. */ 2056 illegal: 2057 if (debug) 2058 addlog("%s: %s send code-rej for 0x%x\n", 2059 ifp->if_xname, cp->name, h->type); 2060 sppp_cp_send(sp, cp->proto, CODE_REJ, 2061 ++sp->pp_seq[cp->protoidx], m->m_pkthdr.len, h); 2062 if_statinc(ifp, if_ierrors); 2063 } 2064 2065 SPPP_UNLOCK(sp); 2066 } 2067 2068 2069 /* 2070 * The generic part of all Up/Down/Open/Close/TO event handlers. 2071 * Basically, the state transition handling in the automaton. 2072 */ 2073 static void 2074 sppp_up_event(const struct cp *cp, struct sppp *sp) 2075 { 2076 STDDCL; 2077 2078 KASSERT(SPPP_WLOCKED(sp)); 2079 2080 if (debug) 2081 log(LOG_DEBUG, "%s: %s up(%s)\n", 2082 ifp->if_xname, cp->name, 2083 sppp_state_name(sp->state[cp->protoidx])); 2084 2085 switch (sp->state[cp->protoidx]) { 2086 case STATE_INITIAL: 2087 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2088 break; 2089 case STATE_STARTING: 2090 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 2091 (cp->scr)(sp); 2092 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2093 break; 2094 default: 2095 printf("%s: %s illegal up in state %s\n", 2096 ifp->if_xname, cp->name, 2097 sppp_state_name(sp->state[cp->protoidx])); 2098 } 2099 } 2100 2101 static void 2102 sppp_down_event(const struct cp *cp, struct sppp *sp) 2103 { 2104 STDDCL; 2105 2106 KASSERT(SPPP_WLOCKED(sp)); 2107 2108 if (debug) 2109 log(LOG_DEBUG, "%s: %s down(%s)\n", 2110 ifp->if_xname, cp->name, 2111 sppp_state_name(sp->state[cp->protoidx])); 2112 2113 switch (sp->state[cp->protoidx]) { 2114 case STATE_CLOSED: 2115 case STATE_CLOSING: 2116 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2117 break; 2118 case STATE_STOPPED: 2119 (cp->tls)(sp); 2120 /* fall through */ 2121 case STATE_STOPPING: 2122 case STATE_REQ_SENT: 2123 case STATE_ACK_RCVD: 2124 case STATE_ACK_SENT: 2125 sppp_cp_change_state(cp, sp, STATE_STARTING); 2126 break; 2127 case STATE_OPENED: 2128 (cp->tld)(sp); 2129 sppp_cp_change_state(cp, sp, STATE_STARTING); 2130 break; 2131 default: 2132 printf("%s: %s illegal down in state %s\n", 2133 ifp->if_xname, cp->name, 2134 sppp_state_name(sp->state[cp->protoidx])); 2135 } 2136 } 2137 2138 2139 static void 2140 sppp_open_event(const struct cp *cp, struct sppp *sp) 2141 { 2142 STDDCL; 2143 2144 KASSERT(SPPP_WLOCKED(sp)); 2145 2146 if (debug) 2147 log(LOG_DEBUG, "%s: %s open(%s)\n", 2148 ifp->if_xname, cp->name, 2149 sppp_state_name(sp->state[cp->protoidx])); 2150 2151 switch (sp->state[cp->protoidx]) { 2152 case STATE_INITIAL: 2153 sppp_cp_change_state(cp, sp, STATE_STARTING); 2154 (cp->tls)(sp); 2155 break; 2156 case STATE_STARTING: 2157 break; 2158 case STATE_CLOSED: 2159 sp->rst_counter[cp->protoidx] = sp->lcp.max_configure; 2160 (cp->scr)(sp); 2161 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2162 break; 2163 case STATE_STOPPED: 2164 case STATE_STOPPING: 2165 case STATE_REQ_SENT: 2166 case STATE_ACK_RCVD: 2167 case STATE_ACK_SENT: 2168 case STATE_OPENED: 2169 break; 2170 case STATE_CLOSING: 2171 sppp_cp_change_state(cp, sp, STATE_STOPPING); 2172 break; 2173 } 2174 } 2175 2176 2177 static void 2178 sppp_close_event(const struct cp *cp, struct sppp *sp) 2179 { 2180 STDDCL; 2181 2182 KASSERT(SPPP_WLOCKED(sp)); 2183 2184 if (debug) 2185 log(LOG_DEBUG, "%s: %s close(%s)\n", 2186 ifp->if_xname, cp->name, 2187 sppp_state_name(sp->state[cp->protoidx])); 2188 2189 switch (sp->state[cp->protoidx]) { 2190 case STATE_INITIAL: 2191 case STATE_CLOSED: 2192 case STATE_CLOSING: 2193 break; 2194 case STATE_STARTING: 2195 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2196 (cp->tlf)(sp); 2197 break; 2198 case STATE_STOPPED: 2199 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2200 break; 2201 case STATE_STOPPING: 2202 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2203 break; 2204 case STATE_OPENED: 2205 (cp->tld)(sp); 2206 /* fall through */ 2207 case STATE_REQ_SENT: 2208 case STATE_ACK_RCVD: 2209 case STATE_ACK_SENT: 2210 sp->rst_counter[cp->protoidx] = sp->lcp.max_terminate; 2211 sppp_cp_send(sp, cp->proto, TERM_REQ, 2212 ++sp->pp_seq[cp->protoidx], 0, 0); 2213 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2214 break; 2215 } 2216 } 2217 2218 static void 2219 sppp_to_event(const struct cp *cp, struct sppp *sp) 2220 { 2221 STDDCL; 2222 int s; 2223 2224 KASSERT(SPPP_WLOCKED(sp)); 2225 2226 s = splnet(); 2227 2228 if (debug) 2229 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 2230 ifp->if_xname, cp->name, 2231 sppp_state_name(sp->state[cp->protoidx]), 2232 sp->rst_counter[cp->protoidx]); 2233 2234 if (--sp->rst_counter[cp->protoidx] < 0) 2235 /* TO- event */ 2236 switch (sp->state[cp->protoidx]) { 2237 case STATE_CLOSING: 2238 (cp->tlf)(sp); 2239 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2240 sppp_lcp_check_and_close(sp); 2241 break; 2242 case STATE_STOPPING: 2243 (cp->tlf)(sp); 2244 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2245 sppp_lcp_check_and_close(sp); 2246 break; 2247 case STATE_REQ_SENT: 2248 case STATE_ACK_RCVD: 2249 case STATE_ACK_SENT: 2250 (cp->tlf)(sp); 2251 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2252 sppp_lcp_check_and_close(sp); 2253 break; 2254 } 2255 else 2256 /* TO+ event */ 2257 switch (sp->state[cp->protoidx]) { 2258 case STATE_CLOSING: 2259 case STATE_STOPPING: 2260 sppp_cp_send(sp, cp->proto, TERM_REQ, 2261 ++sp->pp_seq[cp->protoidx], 0, 0); 2262 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2263 cp->TO, sp); 2264 break; 2265 case STATE_REQ_SENT: 2266 case STATE_ACK_RCVD: 2267 (cp->scr)(sp); 2268 /* sppp_cp_change_state() will restart the timer */ 2269 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2270 break; 2271 case STATE_ACK_SENT: 2272 (cp->scr)(sp); 2273 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2274 cp->TO, sp); 2275 break; 2276 } 2277 2278 splx(s); 2279 } 2280 2281 /* 2282 * Change the state of a control protocol in the state automaton. 2283 * Takes care of starting/stopping the restart timer. 2284 */ 2285 void 2286 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2287 { 2288 2289 KASSERT(SPPP_WLOCKED(sp)); 2290 2291 sp->state[cp->protoidx] = newstate; 2292 callout_stop(&sp->ch[cp->protoidx]); 2293 switch (newstate) { 2294 case STATE_INITIAL: 2295 case STATE_STARTING: 2296 case STATE_CLOSED: 2297 case STATE_STOPPED: 2298 case STATE_OPENED: 2299 break; 2300 case STATE_CLOSING: 2301 case STATE_STOPPING: 2302 case STATE_REQ_SENT: 2303 case STATE_ACK_RCVD: 2304 case STATE_ACK_SENT: 2305 callout_reset(&sp->ch[cp->protoidx], sp->lcp.timeout, 2306 cp->TO, sp); 2307 break; 2308 } 2309 } 2310 2311 /* 2312 *--------------------------------------------------------------------------* 2313 * * 2314 * The LCP implementation. * 2315 * * 2316 *--------------------------------------------------------------------------* 2317 */ 2318 static void 2319 sppp_lcp_init(struct sppp *sp) 2320 { 2321 2322 KASSERT(SPPP_WLOCKED(sp)); 2323 2324 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2325 sp->lcp.magic = 0; 2326 sp->state[IDX_LCP] = STATE_INITIAL; 2327 sp->fail_counter[IDX_LCP] = 0; 2328 sp->pp_seq[IDX_LCP] = 0; 2329 sp->pp_rseq[IDX_LCP] = 0; 2330 sp->lcp.protos = 0; 2331 2332 /* 2333 * Initialize counters and timeout values. Note that we don't 2334 * use the 3 seconds suggested in RFC 1661 since we are likely 2335 * running on a fast link. XXX We should probably implement 2336 * the exponential backoff option. Note that these values are 2337 * relevant for all control protocols, not just LCP only. 2338 */ 2339 sp->lcp.timeout = 1 * hz; 2340 sp->lcp.max_terminate = 2; 2341 sp->lcp.max_configure = 10; 2342 sp->lcp.max_failure = 10; 2343 callout_init(&sp->ch[IDX_LCP], CALLOUT_MPSAFE); 2344 } 2345 2346 static void 2347 sppp_lcp_up(struct sppp *sp) 2348 { 2349 STDDCL; 2350 2351 KASSERT(SPPP_WLOCKED(sp)); 2352 2353 /* Initialize activity timestamp: opening a connection is an activity */ 2354 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 2355 2356 /* Initialize mlppp state */ 2357 sp->lcp.ml_prefix = NULL; 2358 sp->lcp.ml_seq_xpctd = 0; 2359 2360 /* 2361 * If this interface is passive or dial-on-demand, and we are 2362 * still in Initial state, it means we've got an incoming 2363 * call. Activate the interface. 2364 */ 2365 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2366 if (debug) 2367 log(LOG_DEBUG, 2368 "%s: Up event", ifp->if_xname); 2369 ifp->if_flags |= IFF_RUNNING; 2370 if (sp->state[IDX_LCP] == STATE_INITIAL) { 2371 if (debug) 2372 addlog("(incoming call)\n"); 2373 sp->pp_flags |= PP_CALLIN; 2374 lcp.Open(sp); 2375 } else if (debug) 2376 addlog("\n"); 2377 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2378 (sp->state[IDX_LCP] == STATE_INITIAL)) { 2379 ifp->if_flags |= IFF_RUNNING; 2380 lcp.Open(sp); 2381 } 2382 2383 sppp_up_event(&lcp, sp); 2384 } 2385 2386 static void 2387 sppp_lcp_down(struct sppp *sp) 2388 { 2389 STDDCL; 2390 2391 KASSERT(SPPP_WLOCKED(sp)); 2392 2393 sppp_down_event(&lcp, sp); 2394 2395 /* 2396 * If this is neither a dial-on-demand nor a passive 2397 * interface, simulate an ``ifconfig down'' action, so the 2398 * administrator can force a redial by another ``ifconfig 2399 * up''. XXX For leased line operation, should we immediately 2400 * try to reopen the connection here? 2401 */ 2402 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2403 if (debug) 2404 log(LOG_INFO, 2405 "%s: Down event (carrier loss), taking interface down.\n", 2406 ifp->if_xname); 2407 SPPP_UNLOCK(sp); 2408 if_down(ifp); 2409 SPPP_LOCK(sp, RW_WRITER); 2410 } else { 2411 if (debug) 2412 log(LOG_DEBUG, 2413 "%s: Down event (carrier loss)\n", 2414 ifp->if_xname); 2415 } 2416 sp->fail_counter[IDX_LCP] = 0; 2417 sp->pp_flags &= ~PP_CALLIN; 2418 if (sp->state[IDX_LCP] != STATE_INITIAL) 2419 lcp.Close(sp); 2420 ifp->if_flags &= ~IFF_RUNNING; 2421 } 2422 2423 static void 2424 sppp_lcp_open(struct sppp *sp) 2425 { 2426 2427 KASSERT(SPPP_WLOCKED(sp)); 2428 2429 if (sp->pp_if.if_mtu < PP_MTU) { 2430 sp->lcp.mru = sp->pp_if.if_mtu; 2431 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2432 } else 2433 sp->lcp.mru = PP_MTU; 2434 sp->lcp.their_mru = PP_MTU; 2435 2436 sp->lcp.mrru = sp->pp_if.if_mtu; 2437 sp->lcp.opts |= (1 << LCP_OPT_MP_MRRU); 2438 sp->lcp.their_mrru = 0; 2439 2440 /* 2441 * If we are authenticator, negotiate LCP_AUTH 2442 */ 2443 if (sp->hisauth.proto != 0) 2444 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2445 else 2446 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2447 sp->pp_flags &= ~PP_NEEDAUTH; 2448 sppp_open_event(&lcp, sp); 2449 } 2450 2451 static void 2452 sppp_lcp_close(struct sppp *sp) 2453 { 2454 2455 KASSERT(SPPP_WLOCKED(sp)); 2456 sppp_close_event(&lcp, sp); 2457 } 2458 2459 static void 2460 sppp_lcp_TO(void *cookie) 2461 { 2462 struct sppp *sp = (struct sppp*)cookie; 2463 2464 SPPP_LOCK(sp, RW_WRITER); 2465 sppp_to_event(&lcp, sp); 2466 SPPP_UNLOCK(sp); 2467 } 2468 2469 /* 2470 * Analyze a configure request. Return true if it was agreeable, and 2471 * caused action sca, false if it has been rejected or nak'ed, and 2472 * caused action scn. (The return value is used to make the state 2473 * transition decision in the state automaton.) 2474 */ 2475 static int 2476 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 2477 { 2478 STDDCL; 2479 u_char *buf, *r, *p, l, blen; 2480 int origlen, rlen; 2481 uint32_t nmagic; 2482 u_short authproto; 2483 2484 KASSERT(SPPP_WLOCKED(sp)); 2485 2486 len -= 4; 2487 origlen = len; 2488 buf = r = malloc (blen = len, M_TEMP, M_NOWAIT); 2489 if (! buf) 2490 return (0); 2491 2492 if (debug) 2493 log(LOG_DEBUG, "%s: lcp parse opts:", 2494 ifp->if_xname); 2495 2496 /* pass 1: check for things that need to be rejected */ 2497 p = (void *)(h + 1); 2498 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2499 /* Sanity check option length */ 2500 if (l > len) { 2501 /* 2502 * Malicious option - drop immediately. 2503 * XXX Maybe we should just RXJ it? 2504 */ 2505 addlog("%s: received malicious LCP option 0x%02x, " 2506 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2507 p[0], l, len); 2508 goto drop; 2509 } 2510 if (debug) 2511 addlog(" %s", sppp_lcp_opt_name(*p)); 2512 switch (*p) { 2513 case LCP_OPT_MAGIC: 2514 /* Magic number. */ 2515 /* fall through, both are same length */ 2516 case LCP_OPT_ASYNC_MAP: 2517 /* Async control character map. */ 2518 if (len >= 6 || l == 6) 2519 continue; 2520 if (debug) 2521 addlog(" [invalid]"); 2522 break; 2523 case LCP_OPT_MP_EID: 2524 if (len >= l && l >= 3) { 2525 switch (p[2]) { 2526 case 0: if (l==3+ 0) continue;break; 2527 case 2: if (l==3+ 4) continue;break; 2528 case 3: if (l==3+ 6) continue;break; 2529 case 6: if (l==3+16) continue;break; 2530 case 1: /* FALLTHROUGH */ 2531 case 4: if (l<=3+20) continue;break; 2532 case 5: if (l<=3+15) continue;break; 2533 /* XXX should it be default: continue;? */ 2534 } 2535 } 2536 if (debug) 2537 addlog(" [invalid class %d len %d]", p[2], l); 2538 break; 2539 case LCP_OPT_MP_SSNHF: 2540 if (len >= 2 && l == 2) { 2541 if (debug) 2542 addlog(" [rej]"); 2543 break; 2544 } 2545 if (debug) 2546 addlog(" [invalid]"); 2547 break; 2548 case LCP_OPT_MP_MRRU: 2549 /* Multilink maximum received reconstructed unit */ 2550 /* should be fall through, both are same length */ 2551 /* FALLTHROUGH */ 2552 case LCP_OPT_MRU: 2553 /* Maximum receive unit. */ 2554 if (len >= 4 && l == 4) 2555 continue; 2556 if (debug) 2557 addlog(" [invalid]"); 2558 break; 2559 case LCP_OPT_AUTH_PROTO: 2560 if (len < 4) { 2561 if (debug) 2562 addlog(" [invalid]"); 2563 break; 2564 } 2565 authproto = (p[2] << 8) + p[3]; 2566 if (authproto == PPP_CHAP && l != 5) { 2567 if (debug) 2568 addlog(" [invalid chap len]"); 2569 break; 2570 } 2571 if (sp->myauth.proto == 0) { 2572 /* we are not configured to do auth */ 2573 if (debug) 2574 addlog(" [not configured]"); 2575 break; 2576 } 2577 /* 2578 * Remote want us to authenticate, remember this, 2579 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2580 * up. 2581 */ 2582 sp->pp_flags |= PP_NEEDAUTH; 2583 continue; 2584 default: 2585 /* Others not supported. */ 2586 if (debug) 2587 addlog(" [rej]"); 2588 break; 2589 } 2590 if (rlen + l > blen) { 2591 if (debug) 2592 addlog(" [overflow]"); 2593 continue; 2594 } 2595 /* Add the option to rejected list. */ 2596 memcpy(r, p, l); 2597 r += l; 2598 rlen += l; 2599 } 2600 if (rlen) { 2601 if (debug) 2602 addlog(" send conf-rej\n"); 2603 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2604 goto end; 2605 } else if (debug) 2606 addlog("\n"); 2607 2608 /* 2609 * pass 2: check for option values that are unacceptable and 2610 * thus require to be nak'ed. 2611 */ 2612 if (debug) 2613 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2614 ifp->if_xname); 2615 2616 p = (void *)(h + 1); 2617 len = origlen; 2618 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2619 if (debug) 2620 addlog(" %s", sppp_lcp_opt_name(*p)); 2621 switch (*p) { 2622 case LCP_OPT_MAGIC: 2623 /* Magic number -- extract. */ 2624 nmagic = (uint32_t)p[2] << 24 | 2625 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2626 if (nmagic != sp->lcp.magic) { 2627 if (debug) 2628 addlog(" 0x%x", nmagic); 2629 continue; 2630 } 2631 /* 2632 * Local and remote magics equal -- loopback? 2633 */ 2634 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2635 printf ("%s: loopback\n", 2636 ifp->if_xname); 2637 sp->pp_loopcnt = 0; 2638 if (ifp->if_flags & IFF_UP) { 2639 SPPP_UNLOCK(sp); 2640 if_down(ifp); 2641 SPPP_LOCK(sp, RW_WRITER); 2642 2643 IF_PURGE(&sp->pp_cpq); 2644 /* XXX ? */ 2645 lcp.Down(sp); 2646 lcp.Up(sp); 2647 } 2648 } else if (debug) 2649 addlog(" [glitch]"); 2650 ++sp->pp_loopcnt; 2651 /* 2652 * We negate our magic here, and NAK it. If 2653 * we see it later in an NAK packet, we 2654 * suggest a new one. 2655 */ 2656 nmagic = ~sp->lcp.magic; 2657 /* Gonna NAK it. */ 2658 p[2] = nmagic >> 24; 2659 p[3] = nmagic >> 16; 2660 p[4] = nmagic >> 8; 2661 p[5] = nmagic; 2662 break; 2663 2664 case LCP_OPT_ASYNC_MAP: 2665 /* 2666 * Async control character map -- just ignore it. 2667 * 2668 * Quote from RFC 1662, chapter 6: 2669 * To enable this functionality, synchronous PPP 2670 * implementations MUST always respond to the 2671 * Async-Control-Character-Map Configuration 2672 * Option with the LCP Configure-Ack. However, 2673 * acceptance of the Configuration Option does 2674 * not imply that the synchronous implementation 2675 * will do any ACCM mapping. Instead, all such 2676 * octet mapping will be performed by the 2677 * asynchronous-to-synchronous converter. 2678 */ 2679 continue; 2680 2681 case LCP_OPT_MRU: 2682 /* 2683 * Maximum receive unit. Always agreeable, 2684 * but ignored by now. 2685 */ 2686 sp->lcp.their_mru = p[2] * 256 + p[3]; 2687 if (debug) 2688 addlog(" %ld", sp->lcp.their_mru); 2689 continue; 2690 2691 case LCP_OPT_AUTH_PROTO: 2692 authproto = (p[2] << 8) + p[3]; 2693 if (sp->myauth.proto != authproto) { 2694 /* not agreed, nak */ 2695 if (debug) 2696 addlog(" [mine %s != his %s]", 2697 sppp_proto_name(sp->myauth.proto), 2698 sppp_proto_name(authproto)); 2699 p[2] = sp->myauth.proto >> 8; 2700 p[3] = sp->myauth.proto; 2701 break; 2702 } 2703 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2704 if (debug) 2705 addlog(" [chap not MD5]"); 2706 p[4] = CHAP_MD5; 2707 break; 2708 } 2709 continue; 2710 case LCP_OPT_MP_EID: 2711 /* 2712 * Endpoint identification. 2713 * Always agreeable, 2714 * but ignored by now. 2715 */ 2716 if (debug) { 2717 addlog(" class %d", p[2]); 2718 sppp_print_bytes(p+3, p[1]-3); 2719 } 2720 continue; 2721 case LCP_OPT_MP_MRRU: 2722 /* 2723 * Maximum received reconstructed unit. 2724 * Always agreeable, 2725 * but ignored by now. 2726 */ 2727 sp->lcp.their_mrru = p[2] * 256 + p[3]; 2728 if (debug) 2729 addlog(" %ld", sp->lcp.their_mrru); 2730 continue; 2731 } 2732 if (rlen + l > blen) { 2733 if (debug) 2734 addlog(" [overflow]"); 2735 continue; 2736 } 2737 /* Add the option to nak'ed list. */ 2738 memcpy(r, p, l); 2739 r += l; 2740 rlen += l; 2741 } 2742 if (rlen) { 2743 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) { 2744 if (debug) 2745 addlog(" max_failure (%d) exceeded, " 2746 "send conf-rej\n", 2747 sp->lcp.max_failure); 2748 sppp_cp_send(sp, PPP_LCP, CONF_REJ, h->ident, rlen, buf); 2749 } else { 2750 if (debug) 2751 addlog(" send conf-nak\n"); 2752 sppp_cp_send(sp, PPP_LCP, CONF_NAK, h->ident, rlen, buf); 2753 } 2754 goto end; 2755 } else { 2756 if (debug) 2757 addlog(" send conf-ack\n"); 2758 sp->fail_counter[IDX_LCP] = 0; 2759 sp->pp_loopcnt = 0; 2760 sppp_cp_send(sp, PPP_LCP, CONF_ACK, h->ident, origlen, h + 1); 2761 } 2762 2763 end: 2764 free(buf, M_TEMP); 2765 return (rlen == 0); 2766 2767 drop: 2768 free(buf, M_TEMP); 2769 return -1; 2770 } 2771 2772 /* 2773 * Analyze the LCP Configure-Reject option list, and adjust our 2774 * negotiation. 2775 */ 2776 static void 2777 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2778 { 2779 STDDCL; 2780 u_char *buf, *p, l; 2781 2782 KASSERT(SPPP_WLOCKED(sp)); 2783 2784 len -= 4; 2785 buf = malloc (len, M_TEMP, M_NOWAIT); 2786 if (!buf) 2787 return; 2788 2789 if (debug) 2790 log(LOG_DEBUG, "%s: lcp rej opts:", 2791 ifp->if_xname); 2792 2793 p = (void *)(h + 1); 2794 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2795 /* Sanity check option length */ 2796 if (l > len) { 2797 /* 2798 * Malicious option - drop immediately. 2799 * XXX Maybe we should just RXJ it? 2800 */ 2801 addlog("%s: received malicious LCP option, " 2802 "dropping.\n", ifp->if_xname); 2803 goto drop; 2804 } 2805 if (debug) 2806 addlog(" %s", sppp_lcp_opt_name(*p)); 2807 switch (*p) { 2808 case LCP_OPT_MAGIC: 2809 /* Magic number -- can't use it, use 0 */ 2810 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2811 sp->lcp.magic = 0; 2812 break; 2813 case LCP_OPT_MRU: 2814 /* 2815 * We try to negotiate a lower MRU if the underlying 2816 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 2817 * peer rejects this lower rate, fallback to the 2818 * default. 2819 */ 2820 if (debug) { 2821 addlog("%s: warning: peer rejected our MRU of " 2822 "%ld bytes. Defaulting to %d bytes\n", 2823 ifp->if_xname, sp->lcp.mru, PP_MTU); 2824 } 2825 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2826 sp->lcp.mru = PP_MTU; 2827 break; 2828 case LCP_OPT_MP_MRRU: 2829 /* 2830 * the peer is rejecting a multilink MRRU. 2831 * give up on MP in the incoming direction. 2832 */ 2833 if (debug) { 2834 addlog("%s: warning: peer rejected our MRRU of " 2835 "%ld bytes. Defaulting to no MLPPP\n", 2836 ifp->if_xname, sp->lcp.mrru); 2837 } 2838 sp->lcp.opts &= ~(1 << LCP_OPT_MP_MRRU); 2839 sp->lcp.mrru = 0; 2840 break; 2841 case LCP_OPT_AUTH_PROTO: 2842 /* 2843 * Peer doesn't want to authenticate himself, 2844 * deny unless this is a dialout call, and 2845 * SPPP_AUTHFLAG_NOCALLOUT is set. 2846 */ 2847 if ((sp->pp_flags & PP_CALLIN) == 0 && 2848 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 2849 if (debug) 2850 addlog(" [don't insist on auth " 2851 "for callout]"); 2852 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2853 break; 2854 } 2855 if (debug) 2856 addlog("[access denied]\n"); 2857 lcp.Close(sp); 2858 break; 2859 } 2860 } 2861 if (debug) 2862 addlog("\n"); 2863 drop: 2864 free(buf, M_TEMP); 2865 return; 2866 } 2867 2868 /* 2869 * Analyze the LCP Configure-NAK option list, and adjust our 2870 * negotiation. 2871 */ 2872 static void 2873 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2874 { 2875 STDDCL; 2876 u_char *buf, *p, l, blen; 2877 uint32_t magic; 2878 2879 KASSERT(SPPP_WLOCKED(sp)); 2880 2881 len -= 4; 2882 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 2883 if (!buf) 2884 return; 2885 2886 if (debug) 2887 log(LOG_DEBUG, "%s: lcp nak opts:", 2888 ifp->if_xname); 2889 2890 p = (void *)(h + 1); 2891 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2892 /* Sanity check option length */ 2893 if (l > len) { 2894 /* 2895 * Malicious option - drop immediately. 2896 * XXX Maybe we should just RXJ it? 2897 */ 2898 addlog("%s: received malicious LCP option, " 2899 "dropping.\n", ifp->if_xname); 2900 goto drop; 2901 } 2902 if (debug) 2903 addlog(" %s", sppp_lcp_opt_name(*p)); 2904 switch (*p) { 2905 case LCP_OPT_MAGIC: 2906 /* Magic number -- renegotiate */ 2907 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2908 len >= 6 && l == 6) { 2909 magic = (uint32_t)p[2] << 24 | 2910 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2911 /* 2912 * If the remote magic is our negated one, 2913 * this looks like a loopback problem. 2914 * Suggest a new magic to make sure. 2915 */ 2916 if (magic == ~sp->lcp.magic) { 2917 if (debug) 2918 addlog(" magic glitch"); 2919 sp->lcp.magic = cprng_fast32(); 2920 } else { 2921 sp->lcp.magic = magic; 2922 if (debug) 2923 addlog(" %d", magic); 2924 } 2925 } 2926 break; 2927 case LCP_OPT_MRU: 2928 /* 2929 * Peer wants to advise us to negotiate an MRU. 2930 * Agree on it if it's reasonable, or use 2931 * default otherwise. 2932 */ 2933 if (len >= 4 && l == 4) { 2934 u_int mru = p[2] * 256 + p[3]; 2935 if (debug) 2936 addlog(" %d", mru); 2937 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 2938 mru = sp->pp_if.if_mtu; 2939 sp->lcp.mru = mru; 2940 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2941 } 2942 break; 2943 case LCP_OPT_MP_MRRU: 2944 /* 2945 * Peer wants to advise us to negotiate an multilink MRRU. 2946 * Agree on it if it's reasonable, or use 2947 * default otherwise. 2948 */ 2949 if (len >= 4 && l == 4) { 2950 u_int mrru = p[2] * 256 + p[3]; 2951 if (debug) 2952 addlog(" %d", mrru); 2953 if (mrru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 2954 mru = sp->pp_if.if_mtu; 2955 sp->lcp.mrru = mrru; 2956 sp->lcp.opts |= (1 << LCP_OPT_MP_MRRU); 2957 } 2958 break; 2959 case LCP_OPT_AUTH_PROTO: 2960 /* 2961 * Peer doesn't like our authentication method, 2962 * deny. 2963 */ 2964 if (debug) 2965 addlog("[access denied]\n"); 2966 lcp.Close(sp); 2967 break; 2968 } 2969 } 2970 if (debug) 2971 addlog("\n"); 2972 drop: 2973 free(buf, M_TEMP); 2974 return; 2975 } 2976 2977 static void 2978 sppp_lcp_tlu(struct sppp *sp) 2979 { 2980 struct ifnet *ifp = &sp->pp_if; 2981 int i; 2982 uint32_t mask; 2983 2984 KASSERT(SPPP_WLOCKED(sp)); 2985 2986 /* XXX ? */ 2987 if (! (ifp->if_flags & IFF_UP) && 2988 (ifp->if_flags & IFF_RUNNING)) { 2989 /* Coming out of loopback mode. */ 2990 SPPP_UNLOCK(sp); 2991 if_up(ifp); 2992 SPPP_LOCK(sp, RW_WRITER); 2993 } 2994 2995 for (i = 0; i < IDX_COUNT; i++) 2996 if ((cps[i])->flags & CP_QUAL) 2997 (cps[i])->Open(sp); 2998 2999 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 3000 (sp->pp_flags & PP_NEEDAUTH) != 0) 3001 sppp_change_phase(sp, SPPP_PHASE_AUTHENTICATE); 3002 else 3003 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 3004 3005 /* 3006 * Open all authentication protocols. This is even required 3007 * if we already proceeded to network phase, since it might be 3008 * that remote wants us to authenticate, so we might have to 3009 * send a PAP request. Undesired authentication protocols 3010 * don't do anything when they get an Open event. 3011 */ 3012 for (i = 0; i < IDX_COUNT; i++) 3013 if ((cps[i])->flags & CP_AUTH) 3014 (cps[i])->Open(sp); 3015 3016 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 3017 /* Notify all NCPs. */ 3018 for (i = 0; i < IDX_COUNT; i++) 3019 if ((cps[i])->flags & CP_NCP) 3020 (cps[i])->Open(sp); 3021 } 3022 3023 /* Send Up events to all started protos. */ 3024 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) { 3025 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 3026 (cps[i])->Up(sp); 3027 } 3028 } 3029 3030 /* notify low-level driver of state change */ 3031 sppp_notify_chg_wlocked(sp); 3032 3033 if (sp->pp_phase == SPPP_PHASE_NETWORK) 3034 /* if no NCP is starting, close down */ 3035 sppp_lcp_check_and_close(sp); 3036 } 3037 3038 static void 3039 sppp_lcp_tld(struct sppp *sp) 3040 { 3041 int i; 3042 uint32_t mask; 3043 3044 KASSERT(SPPP_WLOCKED(sp)); 3045 3046 sppp_change_phase(sp, SPPP_PHASE_TERMINATE); 3047 3048 /* 3049 * Take upper layers down. We send the Down event first and 3050 * the Close second to prevent the upper layers from sending 3051 * ``a flurry of terminate-request packets'', as the RFC 3052 * describes it. 3053 */ 3054 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) { 3055 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 3056 (cps[i])->Down(sp); 3057 (cps[i])->Close(sp); 3058 } 3059 } 3060 } 3061 3062 static void 3063 sppp_lcp_tls(struct sppp *sp) 3064 { 3065 3066 KASSERT(SPPP_WLOCKED(sp)); 3067 3068 3069 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 3070 printf("%s: authentication failed %d times, not retrying again\n", 3071 sp->pp_if.if_xname, sp->pp_auth_failures); 3072 3073 SPPP_UNLOCK(sp); 3074 if_down(&sp->pp_if); 3075 SPPP_LOCK(sp, RW_WRITER); 3076 return; 3077 } 3078 3079 sppp_change_phase(sp, SPPP_PHASE_ESTABLISH); 3080 3081 /* Notify lower layer if desired. */ 3082 sppp_notify_tls_wlocked(sp); 3083 } 3084 3085 static void 3086 sppp_lcp_tlf(struct sppp *sp) 3087 { 3088 3089 KASSERT(SPPP_WLOCKED(sp)); 3090 3091 sppp_change_phase(sp, SPPP_PHASE_DEAD); 3092 3093 /* Notify lower layer if desired. */ 3094 sppp_notify_tlf_wlocked(sp); 3095 } 3096 3097 static void 3098 sppp_lcp_scr(struct sppp *sp) 3099 { 3100 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 3101 int i = 0; 3102 u_short authproto; 3103 3104 KASSERT(SPPP_WLOCKED(sp)); 3105 3106 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 3107 if (! sp->lcp.magic) 3108 sp->lcp.magic = cprng_fast32(); 3109 opt[i++] = LCP_OPT_MAGIC; 3110 opt[i++] = 6; 3111 opt[i++] = sp->lcp.magic >> 24; 3112 opt[i++] = sp->lcp.magic >> 16; 3113 opt[i++] = sp->lcp.magic >> 8; 3114 opt[i++] = sp->lcp.magic; 3115 } 3116 3117 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 3118 opt[i++] = LCP_OPT_MRU; 3119 opt[i++] = 4; 3120 opt[i++] = sp->lcp.mru >> 8; 3121 opt[i++] = sp->lcp.mru; 3122 } 3123 3124 if (sp->lcp.opts & (1 << LCP_OPT_MP_MRRU)) { 3125 opt[i++] = LCP_OPT_MP_MRRU; 3126 opt[i++] = 4; 3127 opt[i++] = sp->lcp.mrru >> 8; 3128 opt[i++] = sp->lcp.mrru; 3129 } 3130 3131 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 3132 authproto = sp->hisauth.proto; 3133 opt[i++] = LCP_OPT_AUTH_PROTO; 3134 opt[i++] = authproto == PPP_CHAP? 5: 4; 3135 opt[i++] = authproto >> 8; 3136 opt[i++] = authproto; 3137 if (authproto == PPP_CHAP) 3138 opt[i++] = CHAP_MD5; 3139 } 3140 3141 sp->confid[IDX_LCP] = ++sp->pp_seq[IDX_LCP]; 3142 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->confid[IDX_LCP], i, &opt); 3143 } 3144 3145 /* 3146 * Check the open NCPs, return true if at least one NCP is open. 3147 */ 3148 static int 3149 sppp_ncp_check(struct sppp *sp) 3150 { 3151 int i, mask; 3152 3153 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 3154 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 3155 return 1; 3156 return 0; 3157 } 3158 3159 /* 3160 * Re-check the open NCPs and see if we should terminate the link. 3161 * Called by the NCPs during their tlf action handling. 3162 */ 3163 static void 3164 sppp_lcp_check_and_close(struct sppp *sp) 3165 { 3166 3167 KASSERT(SPPP_WLOCKED(sp)); 3168 3169 if (sp->pp_phase < SPPP_PHASE_NETWORK) 3170 /* don't bother, we are already going down */ 3171 return; 3172 3173 if (sppp_ncp_check(sp)) 3174 return; 3175 lcp.Close(sp); 3176 } 3177 3178 3179 /* 3180 *--------------------------------------------------------------------------* 3181 * * 3182 * The IPCP implementation. * 3183 * * 3184 *--------------------------------------------------------------------------* 3185 */ 3186 3187 static void 3188 sppp_ipcp_init(struct sppp *sp) 3189 { 3190 int error; 3191 3192 KASSERT(SPPP_WLOCKED(sp)); 3193 3194 sp->ipcp.opts = 0; 3195 sp->ipcp.flags = 0; 3196 sp->state[IDX_IPCP] = STATE_INITIAL; 3197 sp->fail_counter[IDX_IPCP] = 0; 3198 sp->pp_seq[IDX_IPCP] = 0; 3199 sp->pp_rseq[IDX_IPCP] = 0; 3200 callout_init(&sp->ch[IDX_IPCP], CALLOUT_MPSAFE); 3201 3202 error = workqueue_create(&sp->ipcp.update_addrs_wq, "ipcp_addr", 3203 sppp_update_ip_addrs_work, sp, PRI_SOFTNET, IPL_NET, 0); 3204 if (error) 3205 panic("%s: update_addrs workqueue_create failed (%d)\n", 3206 __func__, error); 3207 sp->ipcp.update_addrs_q = pcq_create(IPCP_UPDATE_LIMIT, KM_SLEEP); 3208 3209 sp->ipcp.update_addrs_enqueued = 0; 3210 } 3211 3212 static void 3213 sppp_ipcp_up(struct sppp *sp) 3214 { 3215 KASSERT(SPPP_WLOCKED(sp)); 3216 sppp_up_event(&ipcp, sp); 3217 } 3218 3219 static void 3220 sppp_ipcp_down(struct sppp *sp) 3221 { 3222 KASSERT(SPPP_WLOCKED(sp)); 3223 sppp_down_event(&ipcp, sp); 3224 } 3225 3226 static void 3227 sppp_ipcp_open(struct sppp *sp) 3228 { 3229 STDDCL; 3230 uint32_t myaddr, hisaddr; 3231 3232 KASSERT(SPPP_WLOCKED(sp)); 3233 3234 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 3235 sp->ipcp.req_myaddr = 0; 3236 sp->ipcp.req_hisaddr = 0; 3237 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 3238 3239 #ifdef INET 3240 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3241 #else 3242 myaddr = hisaddr = 0; 3243 #endif 3244 /* 3245 * If we don't have his address, this probably means our 3246 * interface doesn't want to talk IP at all. (This could 3247 * be the case if somebody wants to speak only IPX, for 3248 * example.) Don't open IPCP in this case. 3249 */ 3250 if (hisaddr == 0) { 3251 /* XXX this message should go away */ 3252 if (debug) 3253 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 3254 ifp->if_xname); 3255 return; 3256 } 3257 3258 if (myaddr == 0) { 3259 /* 3260 * I don't have an assigned address, so i need to 3261 * negotiate my address. 3262 */ 3263 sp->ipcp.flags |= IPCP_MYADDR_DYN; 3264 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3265 } 3266 if (hisaddr == 1) { 3267 /* 3268 * XXX - remove this hack! 3269 * remote has no valid address, we need to get one assigned. 3270 */ 3271 sp->ipcp.flags |= IPCP_HISADDR_DYN; 3272 } 3273 sppp_open_event(&ipcp, sp); 3274 } 3275 3276 static void 3277 sppp_ipcp_close(struct sppp *sp) 3278 { 3279 3280 KASSERT(SPPP_WLOCKED(sp)); 3281 3282 sppp_close_event(&ipcp, sp); 3283 3284 #ifdef INET 3285 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) 3286 /* 3287 * Some address was dynamic, clear it again. 3288 */ 3289 sppp_clear_ip_addrs(sp); 3290 #endif 3291 } 3292 3293 static void 3294 sppp_ipcp_TO(void *cookie) 3295 { 3296 struct sppp *sp = cookie; 3297 3298 SPPP_LOCK(sp, RW_WRITER); 3299 sppp_to_event(&ipcp, sp); 3300 SPPP_UNLOCK(sp); 3301 } 3302 3303 /* 3304 * Analyze a configure request. Return true if it was agreeable, and 3305 * caused action sca, false if it has been rejected or nak'ed, and 3306 * caused action scn. (The return value is used to make the state 3307 * transition decision in the state automaton.) 3308 */ 3309 static int 3310 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3311 { 3312 u_char *buf, *r, *p, l, blen; 3313 struct ifnet *ifp = &sp->pp_if; 3314 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3315 uint32_t hisaddr, desiredaddr; 3316 3317 KASSERT(SPPP_WLOCKED(sp)); 3318 3319 len -= 4; 3320 origlen = len; 3321 /* 3322 * Make sure to allocate a buf that can at least hold a 3323 * conf-nak with an `address' option. We might need it below. 3324 */ 3325 blen = len < 6 ? 6 : len; 3326 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3327 if (! buf) 3328 return (0); 3329 3330 /* pass 1: see if we can recognize them */ 3331 if (debug) 3332 log(LOG_DEBUG, "%s: ipcp parse opts:", 3333 ifp->if_xname); 3334 p = (void *)(h + 1); 3335 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3336 /* Sanity check option length */ 3337 if (l > len) { 3338 /* XXX should we just RXJ? */ 3339 addlog("%s: malicious IPCP option received, dropping\n", 3340 ifp->if_xname); 3341 goto drop; 3342 } 3343 if (debug) 3344 addlog(" %s", sppp_ipcp_opt_name(*p)); 3345 switch (*p) { 3346 #ifdef notyet 3347 case IPCP_OPT_COMPRESSION: 3348 if (len >= 6 && l >= 6) { 3349 /* correctly formed compress option */ 3350 continue; 3351 } 3352 if (debug) 3353 addlog(" [invalid]"); 3354 break; 3355 #endif 3356 case IPCP_OPT_ADDRESS: 3357 if (len >= 6 && l == 6) { 3358 /* correctly formed address option */ 3359 continue; 3360 } 3361 if (debug) 3362 addlog(" [invalid]"); 3363 break; 3364 default: 3365 /* Others not supported. */ 3366 if (debug) 3367 addlog(" [rej]"); 3368 break; 3369 } 3370 /* Add the option to rejected list. */ 3371 if (rlen + l > blen) { 3372 if (debug) 3373 addlog(" [overflow]"); 3374 continue; 3375 } 3376 memcpy(r, p, l); 3377 r += l; 3378 rlen += l; 3379 } 3380 if (rlen) { 3381 if (debug) 3382 addlog(" send conf-rej\n"); 3383 sppp_cp_send(sp, PPP_IPCP, CONF_REJ, h->ident, rlen, buf); 3384 goto end; 3385 } else if (debug) 3386 addlog("\n"); 3387 3388 /* pass 2: parse option values */ 3389 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 3390 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 3391 else 3392 #ifdef INET 3393 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 3394 #else 3395 hisaddr = 0; 3396 #endif 3397 if (debug) 3398 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 3399 ifp->if_xname); 3400 p = (void *)(h + 1); 3401 len = origlen; 3402 for (rlen=0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3403 if (debug) 3404 addlog(" %s", sppp_ipcp_opt_name(*p)); 3405 switch (*p) { 3406 #ifdef notyet 3407 case IPCP_OPT_COMPRESSION: 3408 continue; 3409 #endif 3410 case IPCP_OPT_ADDRESS: 3411 desiredaddr = p[2] << 24 | p[3] << 16 | 3412 p[4] << 8 | p[5]; 3413 if (desiredaddr == hisaddr || 3414 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 3415 /* 3416 * Peer's address is same as our value, 3417 * this is agreeable. Gonna conf-ack 3418 * it. 3419 */ 3420 if (debug) 3421 addlog(" %s [ack]", 3422 sppp_dotted_quad(hisaddr)); 3423 /* record that we've seen it already */ 3424 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 3425 sp->ipcp.req_hisaddr = desiredaddr; 3426 hisaddr = desiredaddr; 3427 continue; 3428 } 3429 /* 3430 * The address wasn't agreeable. This is either 3431 * he sent us 0.0.0.0, asking to assign him an 3432 * address, or he send us another address not 3433 * matching our value. Either case, we gonna 3434 * conf-nak it with our value. 3435 */ 3436 if (debug) { 3437 if (desiredaddr == 0) 3438 addlog(" [addr requested]"); 3439 else 3440 addlog(" %s [not agreed]", 3441 sppp_dotted_quad(desiredaddr)); 3442 } 3443 3444 p[2] = hisaddr >> 24; 3445 p[3] = hisaddr >> 16; 3446 p[4] = hisaddr >> 8; 3447 p[5] = hisaddr; 3448 break; 3449 } 3450 if (rlen + l > blen) { 3451 if (debug) 3452 addlog(" [overflow]"); 3453 continue; 3454 } 3455 /* Add the option to nak'ed list. */ 3456 memcpy(r, p, l); 3457 r += l; 3458 rlen += l; 3459 } 3460 3461 /* 3462 * If we are about to conf-ack the request, but haven't seen 3463 * his address so far, gonna conf-nak it instead, with the 3464 * `address' option present and our idea of his address being 3465 * filled in there, to request negotiation of both addresses. 3466 * 3467 * XXX This can result in an endless req - nak loop if peer 3468 * doesn't want to send us his address. Q: What should we do 3469 * about it? XXX A: implement the max-failure counter. 3470 */ 3471 if (rlen == 0 && !(sp->ipcp.flags & IPCP_HISADDR_SEEN)) { 3472 buf[0] = IPCP_OPT_ADDRESS; 3473 buf[1] = 6; 3474 buf[2] = hisaddr >> 24; 3475 buf[3] = hisaddr >> 16; 3476 buf[4] = hisaddr >> 8; 3477 buf[5] = hisaddr; 3478 rlen = 6; 3479 if (debug) 3480 addlog(" still need hisaddr"); 3481 } 3482 3483 if (rlen) { 3484 if (debug) 3485 addlog(" send conf-nak\n"); 3486 sppp_cp_send(sp, PPP_IPCP, CONF_NAK, h->ident, rlen, buf); 3487 } else { 3488 if (debug) 3489 addlog(" send conf-ack\n"); 3490 sppp_cp_send(sp, PPP_IPCP, CONF_ACK, h->ident, origlen, h + 1); 3491 } 3492 3493 end: 3494 free(buf, M_TEMP); 3495 return (rlen == 0); 3496 3497 drop: 3498 free(buf, M_TEMP); 3499 return -1; 3500 } 3501 3502 /* 3503 * Analyze the IPCP Configure-Reject option list, and adjust our 3504 * negotiation. 3505 */ 3506 static void 3507 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3508 { 3509 u_char *buf, *p, l, blen; 3510 struct ifnet *ifp = &sp->pp_if; 3511 int debug = ifp->if_flags & IFF_DEBUG; 3512 3513 KASSERT(SPPP_WLOCKED(sp)); 3514 3515 len -= 4; 3516 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 3517 if (!buf) 3518 return; 3519 3520 if (debug) 3521 log(LOG_DEBUG, "%s: ipcp rej opts:", 3522 ifp->if_xname); 3523 3524 p = (void *)(h + 1); 3525 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3526 /* Sanity check option length */ 3527 if (l > len) { 3528 /* XXX should we just RXJ? */ 3529 addlog("%s: malicious IPCP option received, dropping\n", 3530 ifp->if_xname); 3531 goto drop; 3532 } 3533 if (debug) 3534 addlog(" %s", sppp_ipcp_opt_name(*p)); 3535 switch (*p) { 3536 case IPCP_OPT_ADDRESS: 3537 /* 3538 * Peer doesn't grok address option. This is 3539 * bad. XXX Should we better give up here? 3540 */ 3541 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3542 break; 3543 #ifdef notyet 3544 case IPCP_OPT_COMPRESS: 3545 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS); 3546 break; 3547 #endif 3548 } 3549 } 3550 if (debug) 3551 addlog("\n"); 3552 drop: 3553 free(buf, M_TEMP); 3554 return; 3555 } 3556 3557 /* 3558 * Analyze the IPCP Configure-NAK option list, and adjust our 3559 * negotiation. 3560 */ 3561 static void 3562 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3563 { 3564 u_char *p, l; 3565 struct ifnet *ifp = &sp->pp_if; 3566 int debug = ifp->if_flags & IFF_DEBUG; 3567 uint32_t wantaddr; 3568 3569 KASSERT(SPPP_WLOCKED(sp)); 3570 3571 len -= 4; 3572 3573 if (debug) 3574 log(LOG_DEBUG, "%s: ipcp nak opts:", 3575 ifp->if_xname); 3576 3577 p = (void *)(h + 1); 3578 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3579 /* Sanity check option length */ 3580 if (l > len) { 3581 /* XXX should we just RXJ? */ 3582 addlog("%s: malicious IPCP option received, dropping\n", 3583 ifp->if_xname); 3584 return; 3585 } 3586 if (debug) 3587 addlog(" %s", sppp_ipcp_opt_name(*p)); 3588 switch (*p) { 3589 case IPCP_OPT_ADDRESS: 3590 /* 3591 * Peer doesn't like our local IP address. See 3592 * if we can do something for him. We'll drop 3593 * him our address then. 3594 */ 3595 if (len >= 6 && l == 6) { 3596 wantaddr = p[2] << 24 | p[3] << 16 | 3597 p[4] << 8 | p[5]; 3598 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3599 if (debug) 3600 addlog(" [wantaddr %s]", 3601 sppp_dotted_quad(wantaddr)); 3602 /* 3603 * When doing dynamic address assignment, 3604 * we accept his offer. Otherwise, we 3605 * ignore it and thus continue to negotiate 3606 * our already existing value. 3607 */ 3608 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3609 if (debug) 3610 addlog(" [agree]"); 3611 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3612 sp->ipcp.req_myaddr = wantaddr; 3613 } 3614 } 3615 break; 3616 3617 case IPCP_OPT_PRIMDNS: 3618 if (len >= 6 && l == 6) { 3619 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 3620 p[4] << 8 | p[5]; 3621 } 3622 break; 3623 3624 case IPCP_OPT_SECDNS: 3625 if (len >= 6 && l == 6) { 3626 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 3627 p[4] << 8 | p[5]; 3628 } 3629 break; 3630 #ifdef notyet 3631 case IPCP_OPT_COMPRESS: 3632 /* 3633 * Peer wants different compression parameters. 3634 */ 3635 break; 3636 #endif 3637 } 3638 } 3639 if (debug) 3640 addlog("\n"); 3641 } 3642 3643 static void 3644 sppp_ipcp_tlu(struct sppp *sp) 3645 { 3646 #ifdef INET 3647 KASSERT(SPPP_WLOCKED(sp)); 3648 /* we are up. Set addresses and notify anyone interested */ 3649 sppp_set_ip_addrs(sp); 3650 #endif 3651 } 3652 3653 static void 3654 sppp_ipcp_tld(struct sppp *sp) 3655 { 3656 3657 KASSERT(SPPP_WLOCKED(sp)); 3658 } 3659 3660 static void 3661 sppp_ipcp_tls(struct sppp *sp) 3662 { 3663 3664 KASSERT(SPPP_WLOCKED(sp)); 3665 /* indicate to LCP that it must stay alive */ 3666 sp->lcp.protos |= (1 << IDX_IPCP); 3667 } 3668 3669 static void 3670 sppp_ipcp_tlf(struct sppp *sp) 3671 { 3672 3673 KASSERT(SPPP_WLOCKED(sp)); 3674 3675 /* we no longer need LCP */ 3676 sp->lcp.protos &= ~(1 << IDX_IPCP); 3677 } 3678 3679 static void 3680 sppp_ipcp_scr(struct sppp *sp) 3681 { 3682 uint8_t opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 3683 #ifdef INET 3684 uint32_t ouraddr; 3685 #endif 3686 int i = 0; 3687 3688 KASSERT(SPPP_WLOCKED(sp)); 3689 3690 #ifdef notyet 3691 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3692 opt[i++] = IPCP_OPT_COMPRESSION; 3693 opt[i++] = 6; 3694 opt[i++] = 0; /* VJ header compression */ 3695 opt[i++] = 0x2d; /* VJ header compression */ 3696 opt[i++] = max_slot_id; 3697 opt[i++] = comp_slot_id; 3698 } 3699 #endif 3700 3701 #ifdef INET 3702 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3703 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) 3704 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 3705 else 3706 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3707 opt[i++] = IPCP_OPT_ADDRESS; 3708 opt[i++] = 6; 3709 opt[i++] = ouraddr >> 24; 3710 opt[i++] = ouraddr >> 16; 3711 opt[i++] = ouraddr >> 8; 3712 opt[i++] = ouraddr; 3713 } 3714 #endif 3715 3716 if (sp->query_dns & 1) { 3717 opt[i++] = IPCP_OPT_PRIMDNS; 3718 opt[i++] = 6; 3719 opt[i++] = sp->dns_addrs[0] >> 24; 3720 opt[i++] = sp->dns_addrs[0] >> 16; 3721 opt[i++] = sp->dns_addrs[0] >> 8; 3722 opt[i++] = sp->dns_addrs[0]; 3723 } 3724 if (sp->query_dns & 2) { 3725 opt[i++] = IPCP_OPT_SECDNS; 3726 opt[i++] = 6; 3727 opt[i++] = sp->dns_addrs[1] >> 24; 3728 opt[i++] = sp->dns_addrs[1] >> 16; 3729 opt[i++] = sp->dns_addrs[1] >> 8; 3730 opt[i++] = sp->dns_addrs[1]; 3731 } 3732 3733 sp->confid[IDX_IPCP] = ++sp->pp_seq[IDX_IPCP]; 3734 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->confid[IDX_IPCP], i, &opt); 3735 } 3736 3737 3738 /* 3739 *--------------------------------------------------------------------------* 3740 * * 3741 * The IPv6CP implementation. * 3742 * * 3743 *--------------------------------------------------------------------------* 3744 */ 3745 3746 #ifdef INET6 3747 static void 3748 sppp_ipv6cp_init(struct sppp *sp) 3749 { 3750 3751 KASSERT(SPPP_WLOCKED(sp)); 3752 3753 sp->ipv6cp.opts = 0; 3754 sp->ipv6cp.flags = 0; 3755 sp->state[IDX_IPV6CP] = STATE_INITIAL; 3756 sp->fail_counter[IDX_IPV6CP] = 0; 3757 sp->pp_seq[IDX_IPV6CP] = 0; 3758 sp->pp_rseq[IDX_IPV6CP] = 0; 3759 callout_init(&sp->ch[IDX_IPV6CP], CALLOUT_MPSAFE); 3760 } 3761 3762 static void 3763 sppp_ipv6cp_up(struct sppp *sp) 3764 { 3765 3766 KASSERT(SPPP_WLOCKED(sp)); 3767 sppp_up_event(&ipv6cp, sp); 3768 } 3769 3770 static void 3771 sppp_ipv6cp_down(struct sppp *sp) 3772 { 3773 3774 KASSERT(SPPP_WLOCKED(sp)); 3775 sppp_down_event(&ipv6cp, sp); 3776 } 3777 3778 static void 3779 sppp_ipv6cp_open(struct sppp *sp) 3780 { 3781 STDDCL; 3782 struct in6_addr myaddr, hisaddr; 3783 3784 KASSERT(SPPP_WLOCKED(sp)); 3785 3786 #ifdef IPV6CP_MYIFID_DYN 3787 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3788 #else 3789 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3790 #endif 3791 3792 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3793 /* 3794 * If we don't have our address, this probably means our 3795 * interface doesn't want to talk IPv6 at all. (This could 3796 * be the case if somebody wants to speak only IPX, for 3797 * example.) Don't open IPv6CP in this case. 3798 */ 3799 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3800 /* XXX this message should go away */ 3801 if (debug) 3802 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 3803 ifp->if_xname); 3804 return; 3805 } 3806 3807 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3808 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3809 sppp_open_event(&ipv6cp, sp); 3810 } 3811 3812 static void 3813 sppp_ipv6cp_close(struct sppp *sp) 3814 { 3815 3816 KASSERT(SPPP_WLOCKED(sp)); 3817 sppp_close_event(&ipv6cp, sp); 3818 } 3819 3820 static void 3821 sppp_ipv6cp_TO(void *cookie) 3822 { 3823 struct sppp *sp = cookie; 3824 3825 SPPP_LOCK(sp, RW_WRITER); 3826 sppp_to_event(&ipv6cp, sp); 3827 SPPP_UNLOCK(sp); 3828 } 3829 3830 /* 3831 * Analyze a configure request. Return true if it was agreeable, and 3832 * caused action sca, false if it has been rejected or nak'ed, and 3833 * caused action scn. (The return value is used to make the state 3834 * transition decision in the state automaton.) 3835 */ 3836 static int 3837 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len) 3838 { 3839 u_char *buf, *r, *p, l, blen; 3840 struct ifnet *ifp = &sp->pp_if; 3841 int rlen, origlen, debug = ifp->if_flags & IFF_DEBUG; 3842 struct in6_addr myaddr, desiredaddr, suggestaddr; 3843 int ifidcount; 3844 int type; 3845 int collision, nohisaddr; 3846 char ip6buf[INET6_ADDRSTRLEN]; 3847 3848 KASSERT(SPPP_WLOCKED(sp)); 3849 3850 len -= 4; 3851 origlen = len; 3852 /* 3853 * Make sure to allocate a buf that can at least hold a 3854 * conf-nak with an `address' option. We might need it below. 3855 */ 3856 blen = len < 6 ? 6 : len; 3857 buf = r = malloc (blen, M_TEMP, M_NOWAIT); 3858 if (! buf) 3859 return (0); 3860 3861 /* pass 1: see if we can recognize them */ 3862 if (debug) 3863 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 3864 ifp->if_xname); 3865 p = (void *)(h + 1); 3866 ifidcount = 0; 3867 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3868 /* Sanity check option length */ 3869 if (l > len) { 3870 /* XXX just RXJ? */ 3871 addlog("%s: received malicious IPCPv6 option, " 3872 "dropping\n", ifp->if_xname); 3873 goto drop; 3874 } 3875 if (debug) 3876 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3877 switch (*p) { 3878 case IPV6CP_OPT_IFID: 3879 if (len >= 10 && l == 10 && ifidcount == 0) { 3880 /* correctly formed address option */ 3881 ifidcount++; 3882 continue; 3883 } 3884 if (debug) 3885 addlog(" [invalid]"); 3886 break; 3887 #ifdef notyet 3888 case IPV6CP_OPT_COMPRESSION: 3889 if (len >= 4 && l >= 4) { 3890 /* correctly formed compress option */ 3891 continue; 3892 } 3893 if (debug) 3894 addlog(" [invalid]"); 3895 break; 3896 #endif 3897 default: 3898 /* Others not supported. */ 3899 if (debug) 3900 addlog(" [rej]"); 3901 break; 3902 } 3903 if (rlen + l > blen) { 3904 if (debug) 3905 addlog(" [overflow]"); 3906 continue; 3907 } 3908 /* Add the option to rejected list. */ 3909 memcpy(r, p, l); 3910 r += l; 3911 rlen += l; 3912 } 3913 if (rlen) { 3914 if (debug) 3915 addlog(" send conf-rej\n"); 3916 sppp_cp_send(sp, PPP_IPV6CP, CONF_REJ, h->ident, rlen, buf); 3917 goto end; 3918 } else if (debug) 3919 addlog("\n"); 3920 3921 /* pass 2: parse option values */ 3922 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3923 if (debug) 3924 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 3925 ifp->if_xname); 3926 p = (void *)(h + 1); 3927 len = origlen; 3928 type = CONF_ACK; 3929 for (rlen = 0; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3930 if (debug) 3931 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3932 switch (*p) { 3933 #ifdef notyet 3934 case IPV6CP_OPT_COMPRESSION: 3935 continue; 3936 #endif 3937 case IPV6CP_OPT_IFID: 3938 memset(&desiredaddr, 0, sizeof(desiredaddr)); 3939 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 3940 collision = (memcmp(&desiredaddr.s6_addr[8], 3941 &myaddr.s6_addr[8], 8) == 0); 3942 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3943 3944 desiredaddr.s6_addr16[0] = htons(0xfe80); 3945 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 3946 3947 if (!collision && !nohisaddr) { 3948 /* no collision, hisaddr known - Conf-Ack */ 3949 type = CONF_ACK; 3950 3951 if (debug) { 3952 addlog(" %s [%s]", 3953 IN6_PRINT(ip6buf, &desiredaddr), 3954 sppp_cp_type_name(type)); 3955 } 3956 continue; 3957 } 3958 3959 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3960 if (collision && nohisaddr) { 3961 /* collision, hisaddr unknown - Conf-Rej */ 3962 type = CONF_REJ; 3963 memset(&p[2], 0, 8); 3964 } else { 3965 /* 3966 * - no collision, hisaddr unknown, or 3967 * - collision, hisaddr known 3968 * Conf-Nak, suggest hisaddr 3969 */ 3970 type = CONF_NAK; 3971 sppp_suggest_ip6_addr(sp, &suggestaddr); 3972 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 3973 } 3974 if (debug) 3975 addlog(" %s [%s]", IN6_PRINT(ip6buf, &desiredaddr), 3976 sppp_cp_type_name(type)); 3977 break; 3978 } 3979 if (rlen + l > blen) { 3980 if (debug) 3981 addlog(" [overflow]"); 3982 continue; 3983 } 3984 /* Add the option to nak'ed list. */ 3985 memcpy(r, p, l); 3986 r += l; 3987 rlen += l; 3988 } 3989 3990 if (rlen == 0 && type == CONF_ACK) { 3991 if (debug) 3992 addlog(" send %s\n", sppp_cp_type_name(type)); 3993 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, origlen, h + 1); 3994 } else { 3995 #ifdef notdef 3996 if (type == CONF_ACK) 3997 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3998 #endif 3999 4000 if (debug) { 4001 addlog(" send %s suggest %s\n", 4002 sppp_cp_type_name(type), IN6_PRINT(ip6buf, &suggestaddr)); 4003 } 4004 sppp_cp_send(sp, PPP_IPV6CP, type, h->ident, rlen, buf); 4005 } 4006 4007 end: 4008 free(buf, M_TEMP); 4009 return (rlen == 0); 4010 4011 drop: 4012 free(buf, M_TEMP); 4013 return -1; 4014 } 4015 4016 /* 4017 * Analyze the IPv6CP Configure-Reject option list, and adjust our 4018 * negotiation. 4019 */ 4020 static void 4021 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 4022 { 4023 u_char *buf, *p, l, blen; 4024 struct ifnet *ifp = &sp->pp_if; 4025 int debug = ifp->if_flags & IFF_DEBUG; 4026 4027 KASSERT(SPPP_WLOCKED(sp)); 4028 4029 len -= 4; 4030 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 4031 if (!buf) 4032 return; 4033 4034 if (debug) 4035 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 4036 ifp->if_xname); 4037 4038 p = (void *)(h + 1); 4039 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 4040 if (l > len) { 4041 /* XXX just RXJ? */ 4042 addlog("%s: received malicious IPCPv6 option, " 4043 "dropping\n", ifp->if_xname); 4044 goto drop; 4045 } 4046 if (debug) 4047 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 4048 switch (*p) { 4049 case IPV6CP_OPT_IFID: 4050 /* 4051 * Peer doesn't grok address option. This is 4052 * bad. XXX Should we better give up here? 4053 */ 4054 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 4055 break; 4056 #ifdef notyet 4057 case IPV6CP_OPT_COMPRESS: 4058 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 4059 break; 4060 #endif 4061 } 4062 } 4063 if (debug) 4064 addlog("\n"); 4065 drop: 4066 free(buf, M_TEMP); 4067 return; 4068 } 4069 4070 /* 4071 * Analyze the IPv6CP Configure-NAK option list, and adjust our 4072 * negotiation. 4073 */ 4074 static void 4075 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 4076 { 4077 u_char *buf, *p, l, blen; 4078 struct ifnet *ifp = &sp->pp_if; 4079 int debug = ifp->if_flags & IFF_DEBUG; 4080 struct in6_addr suggestaddr; 4081 char ip6buf[INET6_ADDRSTRLEN]; 4082 4083 KASSERT(SPPP_WLOCKED(sp)); 4084 4085 len -= 4; 4086 buf = malloc (blen = len, M_TEMP, M_NOWAIT); 4087 if (!buf) 4088 return; 4089 4090 if (debug) 4091 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 4092 ifp->if_xname); 4093 4094 p = (void *)(h + 1); 4095 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 4096 if (l > len) { 4097 /* XXX just RXJ? */ 4098 addlog("%s: received malicious IPCPv6 option, " 4099 "dropping\n", ifp->if_xname); 4100 goto drop; 4101 } 4102 if (debug) 4103 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 4104 switch (*p) { 4105 case IPV6CP_OPT_IFID: 4106 /* 4107 * Peer doesn't like our local ifid. See 4108 * if we can do something for him. We'll drop 4109 * him our address then. 4110 */ 4111 if (len < 10 || l != 10) 4112 break; 4113 memset(&suggestaddr, 0, sizeof(suggestaddr)); 4114 suggestaddr.s6_addr16[0] = htons(0xfe80); 4115 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 4116 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 4117 4118 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 4119 if (debug) 4120 addlog(" [suggestaddr %s]", 4121 IN6_PRINT(ip6buf, &suggestaddr)); 4122 #ifdef IPV6CP_MYIFID_DYN 4123 /* 4124 * When doing dynamic address assignment, 4125 * we accept his offer. 4126 */ 4127 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 4128 struct in6_addr lastsuggest; 4129 /* 4130 * If <suggested myaddr from peer> equals to 4131 * <hisaddr we have suggested last time>, 4132 * we have a collision. generate new random 4133 * ifid. 4134 */ 4135 sppp_suggest_ip6_addr(&lastsuggest); 4136 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 4137 lastsuggest)) { 4138 if (debug) 4139 addlog(" [random]"); 4140 sppp_gen_ip6_addr(sp, &suggestaddr); 4141 } 4142 sppp_set_ip6_addr(sp, &suggestaddr, 0); 4143 if (debug) 4144 addlog(" [agree]"); 4145 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 4146 } 4147 #else 4148 /* 4149 * Since we do not do dynamic address assignment, 4150 * we ignore it and thus continue to negotiate 4151 * our already existing value. This can possibly 4152 * go into infinite request-reject loop. 4153 * 4154 * This is not likely because we normally use 4155 * ifid based on MAC-address. 4156 * If you have no ethernet card on the node, too bad. 4157 * XXX should we use fail_counter? 4158 */ 4159 #endif 4160 break; 4161 #ifdef notyet 4162 case IPV6CP_OPT_COMPRESS: 4163 /* 4164 * Peer wants different compression parameters. 4165 */ 4166 break; 4167 #endif 4168 } 4169 } 4170 if (debug) 4171 addlog("\n"); 4172 drop: 4173 free(buf, M_TEMP); 4174 return; 4175 } 4176 4177 static void 4178 sppp_ipv6cp_tlu(struct sppp *sp) 4179 { 4180 4181 KASSERT(SPPP_WLOCKED(sp)); 4182 /* we are up - notify isdn daemon */ 4183 sppp_notify_con_wlocked(sp); 4184 } 4185 4186 static void 4187 sppp_ipv6cp_tld(struct sppp *sp) 4188 { 4189 4190 KASSERT(SPPP_WLOCKED(sp)); 4191 } 4192 4193 static void 4194 sppp_ipv6cp_tls(struct sppp *sp) 4195 { 4196 4197 KASSERT(SPPP_WLOCKED(sp)); 4198 /* indicate to LCP that it must stay alive */ 4199 sp->lcp.protos |= (1 << IDX_IPV6CP); 4200 } 4201 4202 static void 4203 sppp_ipv6cp_tlf(struct sppp *sp) 4204 { 4205 4206 KASSERT(SPPP_WLOCKED(sp)); 4207 /* we no longer need LCP */ 4208 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 4209 } 4210 4211 static void 4212 sppp_ipv6cp_scr(struct sppp *sp) 4213 { 4214 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 4215 struct in6_addr ouraddr; 4216 int i = 0; 4217 4218 KASSERT(SPPP_WLOCKED(sp)); 4219 4220 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 4221 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 4222 opt[i++] = IPV6CP_OPT_IFID; 4223 opt[i++] = 10; 4224 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 4225 i += 8; 4226 } 4227 4228 #ifdef notyet 4229 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 4230 opt[i++] = IPV6CP_OPT_COMPRESSION; 4231 opt[i++] = 4; 4232 opt[i++] = 0; /* TBD */ 4233 opt[i++] = 0; /* TBD */ 4234 /* variable length data may follow */ 4235 } 4236 #endif 4237 4238 sp->confid[IDX_IPV6CP] = ++sp->pp_seq[IDX_IPV6CP]; 4239 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->confid[IDX_IPV6CP], i, &opt); 4240 } 4241 #else /*INET6*/ 4242 static void 4243 sppp_ipv6cp_init(struct sppp *sp) 4244 { 4245 4246 KASSERT(SPPP_WLOCKED(sp)); 4247 } 4248 4249 static void 4250 sppp_ipv6cp_up(struct sppp *sp) 4251 { 4252 4253 KASSERT(SPPP_WLOCKED(sp)); 4254 } 4255 4256 static void 4257 sppp_ipv6cp_down(struct sppp *sp) 4258 { 4259 4260 KASSERT(SPPP_WLOCKED(sp)); 4261 } 4262 4263 static void 4264 sppp_ipv6cp_open(struct sppp *sp) 4265 { 4266 4267 KASSERT(SPPP_WLOCKED(sp)); 4268 } 4269 4270 static void 4271 sppp_ipv6cp_close(struct sppp *sp) 4272 { 4273 4274 KASSERT(SPPP_WLOCKED(sp)); 4275 } 4276 4277 static void 4278 sppp_ipv6cp_TO(void *cookie) 4279 { 4280 struct sppp *sp __diagused = cookie; 4281 4282 KASSERT(SPPP_WLOCKED(sp)); 4283 } 4284 4285 static int 4286 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, 4287 int len) 4288 { 4289 4290 KASSERT(SPPP_WLOCKED(sp)); 4291 return 0; 4292 } 4293 4294 static void 4295 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, 4296 int len) 4297 { 4298 4299 KASSERT(SPPP_WLOCKED(sp)); 4300 } 4301 4302 static void 4303 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, 4304 int len) 4305 { 4306 4307 KASSERT(SPPP_WLOCKED(sp)); 4308 } 4309 4310 static void 4311 sppp_ipv6cp_tlu(struct sppp *sp) 4312 { 4313 4314 KASSERT(SPPP_WLOCKED(sp)); 4315 } 4316 4317 static void 4318 sppp_ipv6cp_tld(struct sppp *sp) 4319 { 4320 4321 KASSERT(SPPP_WLOCKED(sp)); 4322 } 4323 4324 static void 4325 sppp_ipv6cp_tls(struct sppp *sp) 4326 { 4327 4328 KASSERT(SPPP_WLOCKED(sp)); 4329 } 4330 4331 static void 4332 sppp_ipv6cp_tlf(struct sppp *sp) 4333 { 4334 4335 KASSERT(SPPP_WLOCKED(sp)); 4336 } 4337 4338 static void 4339 sppp_ipv6cp_scr(struct sppp *sp) 4340 { 4341 4342 KASSERT(SPPP_WLOCKED(sp)); 4343 } 4344 #endif /*INET6*/ 4345 4346 4347 /* 4348 *--------------------------------------------------------------------------* 4349 * * 4350 * The CHAP implementation. * 4351 * * 4352 *--------------------------------------------------------------------------* 4353 */ 4354 4355 /* 4356 * The authentication protocols don't employ a full-fledged state machine as 4357 * the control protocols do, since they do have Open and Close events, but 4358 * not Up and Down, nor are they explicitly terminated. Also, use of the 4359 * authentication protocols may be different in both directions (this makes 4360 * sense, think of a machine that never accepts incoming calls but only 4361 * calls out, it doesn't require the called party to authenticate itself). 4362 * 4363 * Our state machine for the local authentication protocol (we are requesting 4364 * the peer to authenticate) looks like: 4365 * 4366 * RCA- 4367 * +--------------------------------------------+ 4368 * V scn,tld| 4369 * +--------+ Close +---------+ RCA+ 4370 * | |<----------------------------------| |------+ 4371 * +--->| Closed | TO* | Opened | sca | 4372 * | | |-----+ +-------| |<-----+ 4373 * | +--------+ irc | | +---------+ 4374 * | ^ | | ^ 4375 * | | | | | 4376 * | | | | | 4377 * | TO-| | | | 4378 * | |tld TO+ V | | 4379 * | | +------->+ | | 4380 * | | | | | | 4381 * | +--------+ V | | 4382 * | | |<----+<--------------------+ | 4383 * | | Req- | scr | 4384 * | | Sent | | 4385 * | | | | 4386 * | +--------+ | 4387 * | RCA- | | RCA+ | 4388 * +------+ +------------------------------------------+ 4389 * scn,tld sca,irc,ict,tlu 4390 * 4391 * 4392 * with: 4393 * 4394 * Open: LCP reached authentication phase 4395 * Close: LCP reached terminate phase 4396 * 4397 * RCA+: received reply (pap-req, chap-response), acceptable 4398 * RCN: received reply (pap-req, chap-response), not acceptable 4399 * TO+: timeout with restart counter >= 0 4400 * TO-: timeout with restart counter < 0 4401 * TO*: reschedule timeout for CHAP 4402 * 4403 * scr: send request packet (none for PAP, chap-challenge) 4404 * sca: send ack packet (pap-ack, chap-success) 4405 * scn: send nak packet (pap-nak, chap-failure) 4406 * ict: initialize re-challenge timer (CHAP only) 4407 * 4408 * tlu: this-layer-up, LCP reaches network phase 4409 * tld: this-layer-down, LCP enters terminate phase 4410 * 4411 * Note that in CHAP mode, after sending a new challenge, while the state 4412 * automaton falls back into Req-Sent state, it doesn't signal a tld 4413 * event to LCP, so LCP remains in network phase. Only after not getting 4414 * any response (or after getting an unacceptable response), CHAP closes, 4415 * causing LCP to enter terminate phase. 4416 * 4417 * With PAP, there is no initial request that can be sent. The peer is 4418 * expected to send one based on the successful negotiation of PAP as 4419 * the authentication protocol during the LCP option negotiation. 4420 * 4421 * Incoming authentication protocol requests (remote requests 4422 * authentication, we are peer) don't employ a state machine at all, 4423 * they are simply answered. Some peers [Ascend P50 firmware rev 4424 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are 4425 * still in authentication phase (thereby violating the standard that 4426 * demands that these NCP packets are to be discarded), so we keep 4427 * track of the peer demanding us to authenticate, and only proceed to 4428 * phase network once we've seen a positive acknowledge for the 4429 * authentication. 4430 */ 4431 4432 /* 4433 * Handle incoming CHAP packets. 4434 */ 4435 void 4436 sppp_chap_input(struct sppp *sp, struct mbuf *m) 4437 { 4438 STDDCL; 4439 struct lcp_header *h; 4440 int len, x; 4441 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize; 4442 int value_len, name_len; 4443 MD5_CTX ctx; 4444 4445 len = m->m_pkthdr.len; 4446 if (len < 4) { 4447 if (debug) 4448 log(LOG_DEBUG, 4449 "%s: chap invalid packet length: %d bytes\n", 4450 ifp->if_xname, len); 4451 return; 4452 } 4453 h = mtod(m, struct lcp_header *); 4454 if (len > ntohs(h->len)) 4455 len = ntohs(h->len); 4456 4457 SPPP_LOCK(sp, RW_WRITER); 4458 4459 switch (h->type) { 4460 /* challenge, failure and success are his authproto */ 4461 case CHAP_CHALLENGE: 4462 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4463 /* can't do anything useful */ 4464 sp->pp_auth_failures++; 4465 printf("%s: chap input without my name and my secret being set\n", 4466 ifp->if_xname); 4467 break; 4468 } 4469 value = 1 + (u_char *)(h + 1); 4470 value_len = value[-1]; 4471 name = value + value_len; 4472 name_len = len - value_len - 5; 4473 if (name_len < 0) { 4474 if (debug) { 4475 log(LOG_DEBUG, 4476 "%s: chap corrupted challenge " 4477 "<%s id=0x%x len=%d", 4478 ifp->if_xname, 4479 sppp_auth_type_name(PPP_CHAP, h->type), 4480 h->ident, ntohs(h->len)); 4481 if (len > 4) 4482 sppp_print_bytes((u_char *)(h + 1), 4483 len - 4); 4484 addlog(">\n"); 4485 } 4486 break; 4487 } 4488 4489 if (debug) { 4490 log(LOG_DEBUG, 4491 "%s: chap input <%s id=0x%x len=%d name=", 4492 ifp->if_xname, 4493 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 4494 ntohs(h->len)); 4495 sppp_print_string((char *) name, name_len); 4496 addlog(" value-size=%d value=", value_len); 4497 sppp_print_bytes(value, value_len); 4498 addlog(">\n"); 4499 } 4500 4501 /* Compute reply value. */ 4502 MD5Init(&ctx); 4503 MD5Update(&ctx, &h->ident, 1); 4504 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 4505 MD5Update(&ctx, value, value_len); 4506 MD5Final(digest, &ctx); 4507 dsize = sizeof digest; 4508 4509 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 4510 sizeof dsize, (const char *)&dsize, 4511 sizeof digest, digest, 4512 sp->myauth.name_len, 4513 sp->myauth.name, 4514 0); 4515 break; 4516 4517 case CHAP_SUCCESS: 4518 if (debug) { 4519 log(LOG_DEBUG, "%s: chap success", 4520 ifp->if_xname); 4521 if (len > 4) { 4522 addlog(": "); 4523 sppp_print_string((char *)(h + 1), len - 4); 4524 } 4525 addlog("\n"); 4526 } 4527 x = splnet(); 4528 sp->pp_auth_failures = 0; 4529 sp->pp_flags &= ~PP_NEEDAUTH; 4530 if (sp->myauth.proto == PPP_CHAP && 4531 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4532 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 4533 /* 4534 * We are authenticator for CHAP but didn't 4535 * complete yet. Leave it to tlu to proceed 4536 * to network phase. 4537 */ 4538 splx(x); 4539 break; 4540 } 4541 splx(x); 4542 sppp_phase_network(sp); 4543 break; 4544 4545 case CHAP_FAILURE: 4546 x = splnet(); 4547 sp->pp_auth_failures++; 4548 splx(x); 4549 if (debug) { 4550 log(LOG_INFO, "%s: chap failure", 4551 ifp->if_xname); 4552 if (len > 4) { 4553 addlog(": "); 4554 sppp_print_string((char *)(h + 1), len - 4); 4555 } 4556 addlog("\n"); 4557 } else 4558 log(LOG_INFO, "%s: chap failure\n", 4559 ifp->if_xname); 4560 /* await LCP shutdown by authenticator */ 4561 break; 4562 4563 /* response is my authproto */ 4564 case CHAP_RESPONSE: 4565 if (sp->hisauth.secret == NULL) { 4566 /* can't do anything useful */ 4567 printf("%s: chap input without his secret being set\n", 4568 ifp->if_xname); 4569 break; 4570 } 4571 value = 1 + (u_char *)(h + 1); 4572 value_len = value[-1]; 4573 name = value + value_len; 4574 name_len = len - value_len - 5; 4575 if (name_len < 0) { 4576 if (debug) { 4577 log(LOG_DEBUG, 4578 "%s: chap corrupted response " 4579 "<%s id=0x%x len=%d", 4580 ifp->if_xname, 4581 sppp_auth_type_name(PPP_CHAP, h->type), 4582 h->ident, ntohs(h->len)); 4583 if (len > 4) 4584 sppp_print_bytes((u_char *)(h + 1), 4585 len - 4); 4586 addlog(">\n"); 4587 } 4588 break; 4589 } 4590 if (h->ident != sp->confid[IDX_CHAP]) { 4591 if (debug) 4592 log(LOG_DEBUG, 4593 "%s: chap dropping response for old ID " 4594 "(got %d, expected %d)\n", 4595 ifp->if_xname, 4596 h->ident, sp->confid[IDX_CHAP]); 4597 break; 4598 } 4599 if (sp->hisauth.name != NULL && 4600 (name_len != sp->hisauth.name_len 4601 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 4602 log(LOG_INFO, "%s: chap response, his name ", 4603 ifp->if_xname); 4604 sppp_print_string(name, name_len); 4605 addlog(" != expected "); 4606 sppp_print_string(sp->hisauth.name, 4607 sp->hisauth.name_len); 4608 addlog("\n"); 4609 goto chap_failure; 4610 } 4611 if (debug) { 4612 log(LOG_DEBUG, "%s: chap input(%s) " 4613 "<%s id=0x%x len=%d name=", 4614 ifp->if_xname, 4615 sppp_state_name(sp->state[IDX_CHAP]), 4616 sppp_auth_type_name(PPP_CHAP, h->type), 4617 h->ident, ntohs(h->len)); 4618 sppp_print_string((char *)name, name_len); 4619 addlog(" value-size=%d value=", value_len); 4620 sppp_print_bytes(value, value_len); 4621 addlog(">\n"); 4622 } 4623 if (value_len != sizeof(sp->hisauth.challenge)) { 4624 if (debug) 4625 log(LOG_DEBUG, 4626 "%s: chap bad hash value length: " 4627 "%d bytes, should be %zu\n", 4628 ifp->if_xname, value_len, 4629 sizeof(sp->hisauth.challenge)); 4630 goto chap_failure; 4631 } 4632 4633 MD5Init(&ctx); 4634 MD5Update(&ctx, &h->ident, 1); 4635 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 4636 MD5Update(&ctx, sp->hisauth.challenge, sizeof(sp->hisauth.challenge)); 4637 MD5Final(digest, &ctx); 4638 4639 #define FAILMSG "Failed..." 4640 #define SUCCMSG "Welcome!" 4641 4642 if (value_len != sizeof digest || 4643 memcmp(digest, value, value_len) != 0) { 4644 chap_failure: 4645 KASSERT(SPPP_WLOCKED(sp)); 4646 /* action scn, tld */ 4647 sp->pp_auth_failures++; 4648 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4649 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4650 0); 4651 chap.tld(sp); 4652 break; 4653 } 4654 sp->pp_auth_failures = 0; 4655 /* action sca, perhaps tlu */ 4656 if (sp->state[IDX_CHAP] == STATE_REQ_SENT || 4657 sp->state[IDX_CHAP] == STATE_OPENED) 4658 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4659 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4660 0); 4661 if (sp->state[IDX_CHAP] == STATE_REQ_SENT) { 4662 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4663 chap.tlu(sp); 4664 } 4665 break; 4666 4667 default: 4668 /* Unknown CHAP packet type -- ignore. */ 4669 if (debug) { 4670 log(LOG_DEBUG, "%s: chap unknown input(%s) " 4671 "<0x%x id=0x%xh len=%d", 4672 ifp->if_xname, 4673 sppp_state_name(sp->state[IDX_CHAP]), 4674 h->type, h->ident, ntohs(h->len)); 4675 if (len > 4) 4676 sppp_print_bytes((u_char *)(h + 1), len - 4); 4677 addlog(">\n"); 4678 } 4679 break; 4680 4681 } 4682 4683 SPPP_UNLOCK(sp); 4684 } 4685 4686 static void 4687 sppp_chap_init(struct sppp *sp) 4688 { 4689 4690 KASSERT(SPPP_WLOCKED(sp)); 4691 4692 /* Chap doesn't have STATE_INITIAL at all. */ 4693 sp->state[IDX_CHAP] = STATE_CLOSED; 4694 sp->fail_counter[IDX_CHAP] = 0; 4695 sp->pp_seq[IDX_CHAP] = 0; 4696 sp->pp_rseq[IDX_CHAP] = 0; 4697 callout_init(&sp->ch[IDX_CHAP], CALLOUT_MPSAFE); 4698 } 4699 4700 static void 4701 sppp_chap_open(struct sppp *sp) 4702 { 4703 4704 KASSERT(SPPP_WLOCKED(sp)); 4705 if (sp->hisauth.proto == PPP_CHAP && 4706 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4707 /* we are authenticator for CHAP, start it */ 4708 chap.scr(sp); 4709 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4710 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4711 } 4712 /* nothing to be done if we are peer, await a challenge */ 4713 } 4714 4715 static void 4716 sppp_chap_close(struct sppp *sp) 4717 { 4718 4719 KASSERT(SPPP_WLOCKED(sp)); 4720 if (sp->state[IDX_CHAP] != STATE_CLOSED) 4721 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4722 } 4723 4724 static void 4725 sppp_chap_TO(void *cookie) 4726 { 4727 struct sppp *sp = (struct sppp *)cookie; 4728 STDDCL; 4729 int s; 4730 4731 s = splnet(); 4732 4733 SPPP_LOCK(sp, RW_WRITER); 4734 4735 if (debug) 4736 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n", 4737 ifp->if_xname, 4738 sppp_state_name(sp->state[IDX_CHAP]), 4739 sp->rst_counter[IDX_CHAP]); 4740 4741 if (--sp->rst_counter[IDX_CHAP] < 0) 4742 /* TO- event */ 4743 switch (sp->state[IDX_CHAP]) { 4744 case STATE_REQ_SENT: 4745 chap.tld(sp); 4746 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4747 break; 4748 } 4749 else 4750 /* TO+ (or TO*) event */ 4751 switch (sp->state[IDX_CHAP]) { 4752 case STATE_OPENED: 4753 /* TO* event */ 4754 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4755 /* fall through */ 4756 case STATE_REQ_SENT: 4757 chap.scr(sp); 4758 /* sppp_cp_change_state() will restart the timer */ 4759 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4760 break; 4761 } 4762 4763 SPPP_UNLOCK(sp); 4764 splx(s); 4765 } 4766 4767 static void 4768 sppp_chap_tlu(struct sppp *sp) 4769 { 4770 STDDCL; 4771 int i, x; 4772 4773 KASSERT(SPPP_WLOCKED(sp)); 4774 4775 i = 0; 4776 sp->rst_counter[IDX_CHAP] = sp->lcp.max_configure; 4777 4778 /* 4779 * Some broken CHAP implementations (Conware CoNet, firmware 4780 * 4.0.?) don't want to re-authenticate their CHAP once the 4781 * initial challenge-response exchange has taken place. 4782 * Provide for an option to avoid rechallenges. 4783 */ 4784 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 4785 /* 4786 * Compute the re-challenge timeout. This will yield 4787 * a number between 300 and 810 seconds. 4788 */ 4789 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7); 4790 4791 callout_reset(&sp->ch[IDX_CHAP], i * hz, chap.TO, sp); 4792 } 4793 4794 if (debug) { 4795 log(LOG_DEBUG, 4796 "%s: chap %s, ", 4797 ifp->if_xname, 4798 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu"); 4799 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) 4800 addlog("next re-challenge in %d seconds\n", i); 4801 else 4802 addlog("re-challenging suppressed\n"); 4803 } 4804 4805 x = splnet(); 4806 sp->pp_auth_failures = 0; 4807 /* indicate to LCP that we need to be closed down */ 4808 sp->lcp.protos |= (1 << IDX_CHAP); 4809 4810 if (sp->pp_flags & PP_NEEDAUTH) { 4811 /* 4812 * Remote is authenticator, but his auth proto didn't 4813 * complete yet. Defer the transition to network 4814 * phase. 4815 */ 4816 splx(x); 4817 return; 4818 } 4819 splx(x); 4820 4821 /* 4822 * If we are already in phase network, we are done here. This 4823 * is the case if this is a dummy tlu event after a re-challenge. 4824 */ 4825 if (sp->pp_phase != SPPP_PHASE_NETWORK) 4826 sppp_phase_network(sp); 4827 } 4828 4829 static void 4830 sppp_chap_tld(struct sppp *sp) 4831 { 4832 STDDCL; 4833 4834 KASSERT(SPPP_WLOCKED(sp)); 4835 4836 if (debug) 4837 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname); 4838 callout_stop(&sp->ch[IDX_CHAP]); 4839 sp->lcp.protos &= ~(1 << IDX_CHAP); 4840 4841 lcp.Close(sp); 4842 } 4843 4844 static void 4845 sppp_chap_scr(struct sppp *sp) 4846 { 4847 uint32_t *ch; 4848 u_char clen = 4 * sizeof(uint32_t); 4849 4850 KASSERT(SPPP_WLOCKED(sp)); 4851 4852 if (sp->hisauth.name == NULL) { 4853 /* can't do anything useful */ 4854 printf("%s: chap starting without his name being set\n", 4855 sp->pp_if.if_xname); 4856 return; 4857 } 4858 4859 /* Compute random challenge. */ 4860 ch = (uint32_t *)sp->hisauth.challenge; 4861 cprng_strong(kern_cprng, ch, clen, 0); 4862 4863 sp->confid[IDX_CHAP] = ++sp->pp_seq[IDX_CHAP]; 4864 4865 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->confid[IDX_CHAP], 4866 sizeof clen, (const char *)&clen, 4867 sizeof(sp->hisauth.challenge), sp->hisauth.challenge, 4868 0); 4869 } 4870 4871 /* 4872 *--------------------------------------------------------------------------* 4873 * * 4874 * The PAP implementation. * 4875 * * 4876 *--------------------------------------------------------------------------* 4877 */ 4878 /* 4879 * For PAP, we need to keep a little state also if we are the peer, not the 4880 * authenticator. This is since we don't get a request to authenticate, but 4881 * have to repeatedly authenticate ourself until we got a response (or the 4882 * retry counter is expired). 4883 */ 4884 4885 /* 4886 * Handle incoming PAP packets. */ 4887 static void 4888 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4889 { 4890 STDDCL; 4891 struct lcp_header *h; 4892 int len, x; 4893 u_char mlen; 4894 char *name, *secret; 4895 int name_len, secret_len; 4896 4897 /* 4898 * Malicious input might leave this uninitialized, so 4899 * init to an impossible value. 4900 */ 4901 secret_len = -1; 4902 4903 len = m->m_pkthdr.len; 4904 if (len < 5) { 4905 if (debug) 4906 log(LOG_DEBUG, 4907 "%s: pap invalid packet length: %d bytes\n", 4908 ifp->if_xname, len); 4909 return; 4910 } 4911 h = mtod(m, struct lcp_header *); 4912 if (len > ntohs(h->len)) 4913 len = ntohs(h->len); 4914 4915 SPPP_LOCK(sp, RW_WRITER); 4916 4917 switch (h->type) { 4918 /* PAP request is my authproto */ 4919 case PAP_REQ: 4920 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4921 /* can't do anything useful */ 4922 printf("%s: " 4923 "pap request without his name and his secret being set\n", 4924 ifp->if_xname); 4925 break; 4926 } 4927 name = 1 + (u_char *)(h + 1); 4928 name_len = name[-1]; 4929 secret = name + name_len + 1; 4930 if (name_len > len - 6 || 4931 (secret_len = secret[-1]) > len - 6 - name_len) { 4932 if (debug) { 4933 log(LOG_DEBUG, "%s: pap corrupted input " 4934 "<%s id=0x%x len=%d", 4935 ifp->if_xname, 4936 sppp_auth_type_name(PPP_PAP, h->type), 4937 h->ident, ntohs(h->len)); 4938 if (len > 4) 4939 sppp_print_bytes((u_char *)(h + 1), 4940 len - 4); 4941 addlog(">\n"); 4942 } 4943 break; 4944 } 4945 if (debug) { 4946 log(LOG_DEBUG, "%s: pap input(%s) " 4947 "<%s id=0x%x len=%d name=", 4948 ifp->if_xname, 4949 sppp_state_name(sp->state[IDX_PAP]), 4950 sppp_auth_type_name(PPP_PAP, h->type), 4951 h->ident, ntohs(h->len)); 4952 sppp_print_string((char *)name, name_len); 4953 addlog(" secret="); 4954 sppp_print_string((char *)secret, secret_len); 4955 addlog(">\n"); 4956 } 4957 if (name_len != sp->hisauth.name_len || 4958 secret_len != sp->hisauth.secret_len || 4959 memcmp(name, sp->hisauth.name, name_len) != 0 || 4960 memcmp(secret, sp->hisauth.secret, secret_len) != 0) { 4961 /* action scn, tld */ 4962 sp->pp_auth_failures++; 4963 mlen = sizeof(FAILMSG) - 1; 4964 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4965 sizeof mlen, (const char *)&mlen, 4966 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4967 0); 4968 pap.tld(sp); 4969 break; 4970 } 4971 /* action sca, perhaps tlu */ 4972 if (sp->state[IDX_PAP] == STATE_REQ_SENT || 4973 sp->state[IDX_PAP] == STATE_OPENED) { 4974 mlen = sizeof(SUCCMSG) - 1; 4975 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4976 sizeof mlen, (const char *)&mlen, 4977 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4978 0); 4979 } 4980 if (sp->state[IDX_PAP] == STATE_REQ_SENT) { 4981 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4982 pap.tlu(sp); 4983 } 4984 break; 4985 4986 /* ack and nak are his authproto */ 4987 case PAP_ACK: 4988 callout_stop(&sp->pap_my_to_ch); 4989 if (debug) { 4990 log(LOG_DEBUG, "%s: pap success", 4991 ifp->if_xname); 4992 name = 1 + (u_char *)(h + 1); 4993 name_len = name[-1]; 4994 if (len > 5 && name_len < len+4) { 4995 addlog(": "); 4996 sppp_print_string(name, name_len); 4997 } 4998 addlog("\n"); 4999 } 5000 x = splnet(); 5001 sp->pp_auth_failures = 0; 5002 sp->pp_flags &= ~PP_NEEDAUTH; 5003 if (sp->myauth.proto == PPP_PAP && 5004 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 5005 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 5006 /* 5007 * We are authenticator for PAP but didn't 5008 * complete yet. Leave it to tlu to proceed 5009 * to network phase. 5010 */ 5011 splx(x); 5012 break; 5013 } 5014 splx(x); 5015 sppp_phase_network(sp); 5016 break; 5017 5018 case PAP_NAK: 5019 callout_stop(&sp->pap_my_to_ch); 5020 sp->pp_auth_failures++; 5021 if (debug) { 5022 log(LOG_INFO, "%s: pap failure", 5023 ifp->if_xname); 5024 name = 1 + (u_char *)(h + 1); 5025 name_len = name[-1]; 5026 if (len > 5 && name_len < len+4) { 5027 addlog(": "); 5028 sppp_print_string(name, name_len); 5029 } 5030 addlog("\n"); 5031 } else 5032 log(LOG_INFO, "%s: pap failure\n", 5033 ifp->if_xname); 5034 /* await LCP shutdown by authenticator */ 5035 break; 5036 5037 default: 5038 /* Unknown PAP packet type -- ignore. */ 5039 if (debug) { 5040 log(LOG_DEBUG, "%s: pap corrupted input " 5041 "<0x%x id=0x%x len=%d", 5042 ifp->if_xname, 5043 h->type, h->ident, ntohs(h->len)); 5044 if (len > 4) 5045 sppp_print_bytes((u_char *)(h + 1), len - 4); 5046 addlog(">\n"); 5047 } 5048 break; 5049 } 5050 5051 SPPP_UNLOCK(sp); 5052 } 5053 5054 static void 5055 sppp_pap_init(struct sppp *sp) 5056 { 5057 5058 KASSERT(SPPP_WLOCKED(sp)); 5059 5060 /* PAP doesn't have STATE_INITIAL at all. */ 5061 sp->state[IDX_PAP] = STATE_CLOSED; 5062 sp->fail_counter[IDX_PAP] = 0; 5063 sp->pp_seq[IDX_PAP] = 0; 5064 sp->pp_rseq[IDX_PAP] = 0; 5065 callout_init(&sp->ch[IDX_PAP], CALLOUT_MPSAFE); 5066 callout_init(&sp->pap_my_to_ch, CALLOUT_MPSAFE); 5067 } 5068 5069 static void 5070 sppp_pap_open(struct sppp *sp) 5071 { 5072 5073 KASSERT(SPPP_WLOCKED(sp)); 5074 5075 if (sp->hisauth.proto == PPP_PAP && 5076 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 5077 /* we are authenticator for PAP, start our timer */ 5078 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 5079 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 5080 } 5081 if (sp->myauth.proto == PPP_PAP) { 5082 /* we are peer, send a request, and start a timer */ 5083 pap.scr(sp); 5084 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout, 5085 sppp_pap_my_TO, sp); 5086 } 5087 } 5088 5089 static void 5090 sppp_pap_close(struct sppp *sp) 5091 { 5092 5093 KASSERT(SPPP_WLOCKED(sp)); 5094 5095 if (sp->state[IDX_PAP] != STATE_CLOSED) 5096 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 5097 } 5098 5099 /* 5100 * That's the timeout routine if we are authenticator. Since the 5101 * authenticator is basically passive in PAP, we can't do much here. 5102 */ 5103 static void 5104 sppp_pap_TO(void *cookie) 5105 { 5106 struct sppp *sp = (struct sppp *)cookie; 5107 STDDCL; 5108 int s; 5109 5110 s = splnet(); 5111 SPPP_LOCK(sp, RW_WRITER); 5112 5113 if (debug) 5114 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n", 5115 ifp->if_xname, 5116 sppp_state_name(sp->state[IDX_PAP]), 5117 sp->rst_counter[IDX_PAP]); 5118 5119 if (--sp->rst_counter[IDX_PAP] < 0) 5120 /* TO- event */ 5121 switch (sp->state[IDX_PAP]) { 5122 case STATE_REQ_SENT: 5123 pap.tld(sp); 5124 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 5125 break; 5126 } 5127 else 5128 /* TO+ event, not very much we could do */ 5129 switch (sp->state[IDX_PAP]) { 5130 case STATE_REQ_SENT: 5131 /* sppp_cp_change_state() will restart the timer */ 5132 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 5133 break; 5134 } 5135 5136 SPPP_UNLOCK(sp); 5137 splx(s); 5138 } 5139 5140 /* 5141 * That's the timeout handler if we are peer. Since the peer is active, 5142 * we need to retransmit our PAP request since it is apparently lost. 5143 * XXX We should impose a max counter. 5144 */ 5145 static void 5146 sppp_pap_my_TO(void *cookie) 5147 { 5148 struct sppp *sp = (struct sppp *)cookie; 5149 STDDCL; 5150 5151 SPPP_LOCK(sp, RW_WRITER); 5152 if (debug) 5153 log(LOG_DEBUG, "%s: pap peer TO\n", 5154 ifp->if_xname); 5155 5156 pap.scr(sp); 5157 5158 SPPP_UNLOCK(sp); 5159 } 5160 5161 static void 5162 sppp_pap_tlu(struct sppp *sp) 5163 { 5164 STDDCL; 5165 int x; 5166 5167 KASSERT(SPPP_WLOCKED(sp)); 5168 5169 sp->rst_counter[IDX_PAP] = sp->lcp.max_configure; 5170 5171 if (debug) 5172 log(LOG_DEBUG, "%s: %s tlu\n", 5173 ifp->if_xname, pap.name); 5174 5175 x = splnet(); 5176 sp->pp_auth_failures = 0; 5177 /* indicate to LCP that we need to be closed down */ 5178 sp->lcp.protos |= (1 << IDX_PAP); 5179 5180 if (sp->pp_flags & PP_NEEDAUTH) { 5181 /* 5182 * Remote is authenticator, but his auth proto didn't 5183 * complete yet. Defer the transition to network 5184 * phase. 5185 */ 5186 splx(x); 5187 return; 5188 } 5189 splx(x); 5190 sppp_phase_network(sp); 5191 } 5192 5193 static void 5194 sppp_pap_tld(struct sppp *sp) 5195 { 5196 STDDCL; 5197 5198 KASSERT(SPPP_WLOCKED(sp)); 5199 5200 if (debug) 5201 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname); 5202 callout_stop(&sp->ch[IDX_PAP]); 5203 callout_stop(&sp->pap_my_to_ch); 5204 sp->lcp.protos &= ~(1 << IDX_PAP); 5205 5206 lcp.Close(sp); 5207 } 5208 5209 static void 5210 sppp_pap_scr(struct sppp *sp) 5211 { 5212 u_char idlen, pwdlen; 5213 5214 KASSERT(SPPP_WLOCKED(sp)); 5215 5216 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 5217 /* can't do anything useful */ 5218 printf("%s: pap starting without my name and secret being set\n", 5219 sp->pp_if.if_xname); 5220 return; 5221 } 5222 5223 sp->confid[IDX_PAP] = ++sp->pp_seq[IDX_PAP]; 5224 pwdlen = sp->myauth.secret_len; 5225 idlen = sp->myauth.name_len; 5226 5227 sppp_auth_send(&pap, sp, PAP_REQ, sp->confid[IDX_PAP], 5228 sizeof idlen, (const char *)&idlen, 5229 idlen, sp->myauth.name, 5230 sizeof pwdlen, (const char *)&pwdlen, 5231 pwdlen, sp->myauth.secret, 5232 0); 5233 } 5234 5235 /* 5236 * Random miscellaneous functions. 5237 */ 5238 5239 /* 5240 * Send a PAP or CHAP proto packet. 5241 * 5242 * Varadic function, each of the elements for the ellipsis is of type 5243 * ``size_t mlen, const u_char *msg''. Processing will stop iff 5244 * mlen == 0. 5245 * NOTE: never declare variadic functions with types subject to type 5246 * promotion (i.e. u_char). This is asking for big trouble depending 5247 * on the architecture you are on... 5248 */ 5249 5250 static void 5251 sppp_auth_send(const struct cp *cp, struct sppp *sp, 5252 unsigned int type, unsigned int id, 5253 ...) 5254 { 5255 STDDCL; 5256 struct lcp_header *lh; 5257 struct mbuf *m; 5258 u_char *p; 5259 int len; 5260 size_t pkthdrlen; 5261 unsigned int mlen; 5262 const char *msg; 5263 va_list ap; 5264 5265 KASSERT(SPPP_WLOCKED(sp)); 5266 5267 MGETHDR(m, M_DONTWAIT, MT_DATA); 5268 if (! m) 5269 return; 5270 m_reset_rcvif(m); 5271 5272 if (sp->pp_flags & PP_NOFRAMING) { 5273 *mtod(m, uint16_t *) = htons(cp->proto); 5274 pkthdrlen = 2; 5275 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 5276 } else { 5277 struct ppp_header *h; 5278 h = mtod(m, struct ppp_header *); 5279 h->address = PPP_ALLSTATIONS; /* broadcast address */ 5280 h->control = PPP_UI; /* Unnumbered Info */ 5281 h->protocol = htons(cp->proto); 5282 pkthdrlen = PPP_HEADER_LEN; 5283 5284 lh = (struct lcp_header *)(h + 1); 5285 } 5286 5287 lh->type = type; 5288 lh->ident = id; 5289 p = (u_char *)(lh + 1); 5290 5291 va_start(ap, id); 5292 len = 0; 5293 5294 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 5295 msg = va_arg(ap, const char *); 5296 len += mlen; 5297 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 5298 va_end(ap); 5299 m_freem(m); 5300 return; 5301 } 5302 5303 memcpy(p, msg, mlen); 5304 p += mlen; 5305 } 5306 va_end(ap); 5307 5308 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 5309 lh->len = htons(LCP_HEADER_LEN + len); 5310 5311 if (debug) { 5312 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 5313 ifp->if_xname, cp->name, 5314 sppp_auth_type_name(cp->proto, lh->type), 5315 lh->ident, ntohs(lh->len)); 5316 if (len) 5317 sppp_print_bytes((u_char *)(lh + 1), len); 5318 addlog(">\n"); 5319 } 5320 if (IF_QFULL(&sp->pp_cpq)) { 5321 IF_DROP(&sp->pp_fastq); 5322 IF_DROP(&ifp->if_snd); 5323 m_freem(m); 5324 if_statinc(ifp, if_oerrors); 5325 return; 5326 } 5327 5328 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 5329 IF_ENQUEUE(&sp->pp_cpq, m); 5330 5331 if (! (ifp->if_flags & IFF_OACTIVE)) { 5332 SPPP_UNLOCK(sp); 5333 if_start_lock(ifp); 5334 SPPP_LOCK(sp, RW_WRITER); 5335 } 5336 } 5337 5338 /* 5339 * Send keepalive packets, every 10 seconds. 5340 */ 5341 static void 5342 sppp_keepalive(void *dummy) 5343 { 5344 struct sppp *sp; 5345 int s; 5346 time_t now; 5347 5348 SPPPQ_LOCK(); 5349 5350 s = splnet(); 5351 now = time_uptime; 5352 for (sp=spppq; sp; sp=sp->pp_next) { 5353 struct ifnet *ifp = NULL; 5354 5355 SPPP_LOCK(sp, RW_WRITER); 5356 ifp = &sp->pp_if; 5357 5358 /* check idle timeout */ 5359 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 5360 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 5361 /* idle timeout is enabled for this interface */ 5362 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 5363 if (ifp->if_flags & IFF_DEBUG) 5364 printf("%s: no activity for %lu seconds\n", 5365 sp->pp_if.if_xname, 5366 (unsigned long)(now-sp->pp_last_activity)); 5367 lcp.Close(sp); 5368 SPPP_UNLOCK(sp); 5369 continue; 5370 } 5371 } 5372 5373 /* Keepalive mode disabled or channel down? */ 5374 if (! (sp->pp_flags & PP_KEEPALIVE) || 5375 ! (ifp->if_flags & IFF_RUNNING)) { 5376 SPPP_UNLOCK(sp); 5377 continue; 5378 } 5379 5380 5381 /* No keepalive in PPP mode if LCP not opened yet. */ 5382 if (! (sp->pp_flags & PP_CISCO) && 5383 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) { 5384 SPPP_UNLOCK(sp); 5385 continue; 5386 } 5387 5388 /* No echo reply, but maybe user data passed through? */ 5389 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) { 5390 sp->pp_alivecnt = 0; 5391 SPPP_UNLOCK(sp); 5392 continue; 5393 } 5394 5395 if (sp->pp_alivecnt >= sp->pp_maxalive) { 5396 /* No keepalive packets got. Stop the interface. */ 5397 SPPP_UNLOCK(sp); 5398 if_down (ifp); 5399 SPPP_LOCK(sp, RW_WRITER); 5400 5401 IF_PURGE(&sp->pp_cpq); 5402 5403 if (! (sp->pp_flags & PP_CISCO)) { 5404 printf("%s: LCP keepalive timed out, going to restart the connection\n", 5405 ifp->if_xname); 5406 sp->pp_alivecnt = 0; 5407 5408 /* we are down, close all open protocols */ 5409 lcp.Close(sp); 5410 5411 /* And now prepare LCP to reestablish the link, if configured to do so. */ 5412 sppp_cp_change_state(&lcp, sp, STATE_STOPPED); 5413 5414 /* Close connection immediately, completition of this 5415 * will summon the magic needed to reestablish it. */ 5416 sppp_notify_tlf_wlocked(sp); 5417 5418 SPPP_UNLOCK(sp); 5419 continue; 5420 } 5421 } 5422 if (sp->pp_alivecnt < sp->pp_maxalive) 5423 ++sp->pp_alivecnt; 5424 if (sp->pp_flags & PP_CISCO) 5425 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 5426 ++sp->pp_seq[IDX_LCP], sp->pp_rseq[IDX_LCP]); 5427 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 5428 int32_t nmagic = htonl(sp->lcp.magic); 5429 sp->lcp.echoid = ++sp->pp_seq[IDX_LCP]; 5430 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 5431 sp->lcp.echoid, 4, &nmagic); 5432 } 5433 5434 SPPP_UNLOCK(sp); 5435 } 5436 splx(s); 5437 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 5438 5439 SPPPQ_UNLOCK(); 5440 } 5441 5442 #ifdef INET 5443 /* 5444 * Get both IP addresses. 5445 */ 5446 static void 5447 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 5448 { 5449 struct ifnet *ifp = &sp->pp_if; 5450 struct ifaddr *ifa; 5451 struct sockaddr_in *si, *sm; 5452 uint32_t ssrc, ddst; 5453 int s; 5454 struct psref psref; 5455 5456 sm = NULL; 5457 ssrc = ddst = 0; 5458 /* 5459 * Pick the first AF_INET address from the list, 5460 * aliases don't make any sense on a p2p link anyway. 5461 */ 5462 si = 0; 5463 s = pserialize_read_enter(); 5464 IFADDR_READER_FOREACH(ifa, ifp) { 5465 if (ifa->ifa_addr->sa_family == AF_INET) { 5466 si = (struct sockaddr_in *)ifa->ifa_addr; 5467 sm = (struct sockaddr_in *)ifa->ifa_netmask; 5468 if (si) { 5469 ifa_acquire(ifa, &psref); 5470 break; 5471 } 5472 } 5473 } 5474 pserialize_read_exit(s); 5475 if (ifa) { 5476 if (si && si->sin_addr.s_addr) { 5477 ssrc = si->sin_addr.s_addr; 5478 if (srcmask) 5479 *srcmask = ntohl(sm->sin_addr.s_addr); 5480 } 5481 5482 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 5483 if (si && si->sin_addr.s_addr) 5484 ddst = si->sin_addr.s_addr; 5485 ifa_release(ifa, &psref); 5486 } 5487 5488 if (dst) *dst = ntohl(ddst); 5489 if (src) *src = ntohl(ssrc); 5490 } 5491 5492 /* 5493 * Set IP addresses. Must be called at splnet. 5494 * If an address is 0, leave it the way it is. 5495 */ 5496 static void 5497 sppp_set_ip_addrs_work(struct work *wk, struct sppp *sp) 5498 { 5499 STDDCL; 5500 struct ifaddr *ifa; 5501 struct sockaddr_in *si, *dest; 5502 uint32_t myaddr = 0, hisaddr = 0; 5503 int s; 5504 5505 IFNET_LOCK(ifp); 5506 5507 /* 5508 * Pick the first AF_INET address from the list, 5509 * aliases don't make any sense on a p2p link anyway. 5510 */ 5511 si = dest = NULL; 5512 s = pserialize_read_enter(); 5513 IFADDR_READER_FOREACH(ifa, ifp) { 5514 if (ifa->ifa_addr->sa_family == AF_INET) { 5515 si = (struct sockaddr_in *)ifa->ifa_addr; 5516 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5517 break; 5518 } 5519 } 5520 pserialize_read_exit(s); 5521 5522 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 5523 myaddr = sp->ipcp.req_myaddr; 5524 else if (si != NULL) 5525 myaddr = ntohl(si->sin_addr.s_addr); 5526 5527 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 5528 hisaddr = sp->ipcp.req_hisaddr; 5529 else if (dest != NULL) 5530 hisaddr = ntohl(dest->sin_addr.s_addr); 5531 5532 if (si != NULL && dest != NULL) { 5533 int error; 5534 struct sockaddr_in new_sin = *si; 5535 struct sockaddr_in new_dst = *dest; 5536 5537 if (myaddr != 0) 5538 new_sin.sin_addr.s_addr = htonl(myaddr); 5539 if (hisaddr != 0) { 5540 new_dst.sin_addr.s_addr = htonl(hisaddr); 5541 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) 5542 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 5543 } 5544 5545 in_addrhash_remove(ifatoia(ifa)); 5546 5547 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5548 5549 in_addrhash_insert(ifatoia(ifa)); 5550 5551 if (debug && error) 5552 { 5553 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5554 ifp->if_xname, __func__, error); 5555 } 5556 if (!error) { 5557 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5558 } 5559 } 5560 5561 if (ifp->if_mtu > sp->lcp.their_mru) { 5562 sp->pp_saved_mtu = ifp->if_mtu; 5563 ifp->if_mtu = sp->lcp.their_mru; 5564 if (debug) 5565 log(LOG_DEBUG, 5566 "%s: setting MTU to %" PRIu64 " bytes\n", 5567 ifp->if_xname, ifp->if_mtu); 5568 } 5569 5570 IFNET_UNLOCK(ifp); 5571 5572 sppp_notify_con(sp); 5573 } 5574 5575 static void 5576 sppp_set_ip_addrs(struct sppp *sp) 5577 { 5578 struct ifnet *ifp = &sp->pp_if; 5579 5580 if (!pcq_put(sp->ipcp.update_addrs_q, (void *)IPCP_SET_ADDRS)) { 5581 log(LOG_WARNING, "%s: cannot enqueued, ignore sppp_clear_ip_addrs\n", 5582 ifp->if_xname); 5583 return; 5584 } 5585 5586 if (atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1) == 1) 5587 return; 5588 5589 workqueue_enqueue(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk, NULL); 5590 } 5591 5592 /* 5593 * Clear IP addresses. Must be called at splnet. 5594 */ 5595 static void 5596 sppp_clear_ip_addrs_work(struct work *wk, struct sppp *sp) 5597 { 5598 STDDCL; 5599 struct ifaddr *ifa; 5600 struct sockaddr_in *si, *dest; 5601 int s; 5602 5603 IFNET_LOCK(ifp); 5604 5605 /* 5606 * Pick the first AF_INET address from the list, 5607 * aliases don't make any sense on a p2p link anyway. 5608 */ 5609 si = dest = NULL; 5610 s = pserialize_read_enter(); 5611 IFADDR_READER_FOREACH(ifa, ifp) { 5612 if (ifa->ifa_addr->sa_family == AF_INET) { 5613 si = (struct sockaddr_in *)ifa->ifa_addr; 5614 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5615 break; 5616 } 5617 } 5618 pserialize_read_exit(s); 5619 5620 if (si != NULL) { 5621 struct sockaddr_in new_sin = *si; 5622 struct sockaddr_in new_dst = *dest; 5623 int error; 5624 5625 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 5626 new_sin.sin_addr.s_addr = 0; 5627 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 5628 new_dst.sin_addr.s_addr = sp->ipcp.saved_hisaddr; 5629 5630 in_addrhash_remove(ifatoia(ifa)); 5631 5632 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5633 5634 in_addrhash_insert(ifatoia(ifa)); 5635 5636 if (debug && error) 5637 { 5638 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5639 ifp->if_xname, __func__, error); 5640 } 5641 if (!error) { 5642 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5643 } 5644 } 5645 5646 if (sp->pp_saved_mtu > 0) { 5647 ifp->if_mtu = sp->pp_saved_mtu; 5648 sp->pp_saved_mtu = 0; 5649 if (debug) 5650 log(LOG_DEBUG, 5651 "%s: resetting MTU to %" PRIu64 " bytes\n", 5652 ifp->if_xname, ifp->if_mtu); 5653 } 5654 5655 IFNET_UNLOCK(ifp); 5656 } 5657 5658 static void 5659 sppp_clear_ip_addrs(struct sppp *sp) 5660 { 5661 struct ifnet *ifp = &sp->pp_if; 5662 5663 if (!pcq_put(sp->ipcp.update_addrs_q, (void *)IPCP_CLEAR_ADDRS)) { 5664 log(LOG_WARNING, "%s: cannot enqueued, ignore sppp_clear_ip_addrs\n", 5665 ifp->if_xname); 5666 return; 5667 } 5668 5669 if (atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1) == 1) 5670 return; 5671 5672 workqueue_enqueue(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk, NULL); 5673 } 5674 5675 static void 5676 sppp_update_ip_addrs_work(struct work *wk, void *arg) 5677 { 5678 struct sppp *sp = arg; 5679 void *work; 5680 5681 atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 0); 5682 5683 while ((work = pcq_get(sp->ipcp.update_addrs_q)) != NULL) { 5684 int update = (intptr_t)work; 5685 5686 if (update == IPCP_SET_ADDRS) 5687 sppp_set_ip_addrs_work(wk, sp); 5688 else if (update == IPCP_CLEAR_ADDRS) 5689 sppp_clear_ip_addrs_work(wk, sp); 5690 } 5691 } 5692 #endif 5693 5694 #ifdef INET6 5695 /* 5696 * Get both IPv6 addresses. 5697 */ 5698 static void 5699 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 5700 struct in6_addr *srcmask) 5701 { 5702 struct ifnet *ifp = &sp->pp_if; 5703 struct ifaddr *ifa; 5704 struct sockaddr_in6 *si, *sm; 5705 struct in6_addr ssrc, ddst; 5706 int s; 5707 struct psref psref; 5708 5709 sm = NULL; 5710 memset(&ssrc, 0, sizeof(ssrc)); 5711 memset(&ddst, 0, sizeof(ddst)); 5712 /* 5713 * Pick the first link-local AF_INET6 address from the list, 5714 * aliases don't make any sense on a p2p link anyway. 5715 */ 5716 si = 0; 5717 s = pserialize_read_enter(); 5718 IFADDR_READER_FOREACH(ifa, ifp) { 5719 if (ifa->ifa_addr->sa_family == AF_INET6) { 5720 si = (struct sockaddr_in6 *)ifa->ifa_addr; 5721 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 5722 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) { 5723 ifa_acquire(ifa, &psref); 5724 break; 5725 } 5726 } 5727 } 5728 pserialize_read_exit(s); 5729 5730 if (ifa) { 5731 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 5732 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 5733 if (srcmask) { 5734 memcpy(srcmask, &sm->sin6_addr, 5735 sizeof(*srcmask)); 5736 } 5737 } 5738 5739 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 5740 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 5741 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 5742 ifa_release(ifa, &psref); 5743 } 5744 5745 if (dst) 5746 memcpy(dst, &ddst, sizeof(*dst)); 5747 if (src) 5748 memcpy(src, &ssrc, sizeof(*src)); 5749 } 5750 5751 #ifdef IPV6CP_MYIFID_DYN 5752 /* 5753 * Generate random ifid. 5754 */ 5755 static void 5756 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5757 { 5758 /* TBD */ 5759 } 5760 5761 /* 5762 * Set my IPv6 address. Must be called at splnet. 5763 */ 5764 static void 5765 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5766 { 5767 STDDCL; 5768 struct ifaddr *ifa; 5769 struct sockaddr_in6 *sin6; 5770 int s; 5771 struct psref psref; 5772 5773 IFNET_LOCK(ifp); 5774 5775 /* 5776 * Pick the first link-local AF_INET6 address from the list, 5777 * aliases don't make any sense on a p2p link anyway. 5778 */ 5779 5780 sin6 = NULL; 5781 s = pserialize_read_enter(); 5782 IFADDR_READER_FOREACH(ifa, ifp) 5783 { 5784 if (ifa->ifa_addr->sa_family == AF_INET6) 5785 { 5786 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5787 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) { 5788 ifa_acquire(ifa, &psref); 5789 break; 5790 } 5791 } 5792 } 5793 pserialize_read_exit(s); 5794 5795 if (ifa && sin6) 5796 { 5797 int error; 5798 struct sockaddr_in6 new_sin6 = *sin6; 5799 5800 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 5801 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5802 if (debug && error) 5803 { 5804 log(LOG_DEBUG, "%s: %s: in6_ifinit failed, error=%d\n", 5805 ifp->if_xname, __func__, error); 5806 } 5807 if (!error) { 5808 pfil_run_addrhooks(if_pfil, SIOCAIFADDR_IN6, ifa); 5809 } 5810 ifa_release(ifa, &psref); 5811 } 5812 5813 IFNET_UNLOCK(ifp); 5814 } 5815 #endif 5816 5817 /* 5818 * Suggest a candidate address to be used by peer. 5819 */ 5820 static void 5821 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5822 { 5823 struct in6_addr myaddr; 5824 struct timeval tv; 5825 5826 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5827 5828 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5829 microtime(&tv); 5830 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5831 myaddr.s6_addr[14] ^= 0xff; 5832 myaddr.s6_addr[15] ^= 0xff; 5833 } else { 5834 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5835 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5836 } 5837 if (suggest) 5838 memcpy(suggest, &myaddr, sizeof(myaddr)); 5839 } 5840 #endif /*INET6*/ 5841 5842 /* 5843 * Process ioctl requests specific to the PPP interface. 5844 * Permissions have already been checked. 5845 */ 5846 static int 5847 sppp_params(struct sppp *sp, u_long cmd, void *data) 5848 { 5849 switch (cmd) { 5850 case SPPPGETAUTHCFG: 5851 { 5852 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5853 int error; 5854 size_t len; 5855 5856 SPPP_LOCK(sp, RW_READER); 5857 5858 cfg->myauthflags = sp->myauth.flags; 5859 cfg->hisauthflags = sp->hisauth.flags; 5860 strlcpy(cfg->ifname, sp->pp_if.if_xname, sizeof(cfg->ifname)); 5861 cfg->hisauth = 0; 5862 if (sp->hisauth.proto) 5863 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5864 cfg->myauth = 0; 5865 if (sp->myauth.proto) 5866 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5867 if (cfg->myname_length == 0) { 5868 if (sp->myauth.name != NULL) 5869 cfg->myname_length = sp->myauth.name_len + 1; 5870 } else { 5871 if (sp->myauth.name == NULL) { 5872 cfg->myname_length = 0; 5873 } else { 5874 len = sp->myauth.name_len + 1; 5875 5876 5877 if (cfg->myname_length < len) { 5878 SPPP_UNLOCK(sp); 5879 return (ENAMETOOLONG); 5880 } 5881 error = copyout(sp->myauth.name, cfg->myname, len); 5882 if (error) { 5883 SPPP_UNLOCK(sp); 5884 return error; 5885 } 5886 } 5887 } 5888 if (cfg->hisname_length == 0) { 5889 if (sp->hisauth.name != NULL) 5890 cfg->hisname_length = sp->hisauth.name_len + 1; 5891 } else { 5892 if (sp->hisauth.name == NULL) { 5893 cfg->hisname_length = 0; 5894 } else { 5895 len = sp->hisauth.name_len + 1; 5896 5897 if (cfg->hisname_length < len) { 5898 SPPP_UNLOCK(sp); 5899 return (ENAMETOOLONG); 5900 } 5901 error = copyout(sp->hisauth.name, cfg->hisname, len); 5902 if (error) { 5903 SPPP_UNLOCK(sp); 5904 return error; 5905 } 5906 } 5907 } 5908 SPPP_UNLOCK(sp); 5909 } 5910 break; 5911 case SPPPSETAUTHCFG: 5912 { 5913 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5914 int error; 5915 5916 SPPP_LOCK(sp, RW_WRITER); 5917 5918 if (sp->myauth.name) { 5919 free(sp->myauth.name, M_DEVBUF); 5920 sp->myauth.name = NULL; 5921 } 5922 if (sp->myauth.secret) { 5923 free(sp->myauth.secret, M_DEVBUF); 5924 sp->myauth.secret = NULL; 5925 } 5926 if (sp->hisauth.name) { 5927 free(sp->hisauth.name, M_DEVBUF); 5928 sp->hisauth.name = NULL; 5929 } 5930 if (sp->hisauth.secret) { 5931 free(sp->hisauth.secret, M_DEVBUF); 5932 sp->hisauth.secret = NULL; 5933 } 5934 5935 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 5936 if (cfg->hisname_length >= MCLBYTES) { 5937 SPPP_UNLOCK(sp); 5938 return (ENAMETOOLONG); 5939 } 5940 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 5941 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 5942 if (error) { 5943 free(sp->hisauth.name, M_DEVBUF); 5944 sp->hisauth.name = NULL; 5945 SPPP_UNLOCK(sp); 5946 return error; 5947 } 5948 sp->hisauth.name_len = cfg->hisname_length - 1; 5949 sp->hisauth.name[sp->hisauth.name_len] = 0; 5950 } 5951 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 5952 if (cfg->hissecret_length >= MCLBYTES) { 5953 SPPP_UNLOCK(sp); 5954 return (ENAMETOOLONG); 5955 } 5956 sp->hisauth.secret = malloc(cfg->hissecret_length, 5957 M_DEVBUF, M_WAITOK); 5958 error = copyin(cfg->hissecret, sp->hisauth.secret, 5959 cfg->hissecret_length); 5960 if (error) { 5961 free(sp->hisauth.secret, M_DEVBUF); 5962 sp->hisauth.secret = NULL; 5963 SPPP_UNLOCK(sp); 5964 return error; 5965 } 5966 sp->hisauth.secret_len = cfg->hissecret_length - 1; 5967 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 5968 } 5969 if (cfg->myname != NULL && cfg->myname_length > 0) { 5970 if (cfg->myname_length >= MCLBYTES) { 5971 SPPP_UNLOCK(sp); 5972 return (ENAMETOOLONG); 5973 } 5974 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 5975 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 5976 if (error) { 5977 free(sp->myauth.name, M_DEVBUF); 5978 sp->myauth.name = NULL; 5979 SPPP_UNLOCK(sp); 5980 return error; 5981 } 5982 sp->myauth.name_len = cfg->myname_length - 1; 5983 sp->myauth.name[sp->myauth.name_len] = 0; 5984 } 5985 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 5986 if (cfg->mysecret_length >= MCLBYTES) { 5987 SPPP_UNLOCK(sp); 5988 return (ENAMETOOLONG); 5989 } 5990 sp->myauth.secret = malloc(cfg->mysecret_length, 5991 M_DEVBUF, M_WAITOK); 5992 error = copyin(cfg->mysecret, sp->myauth.secret, 5993 cfg->mysecret_length); 5994 if (error) { 5995 free(sp->myauth.secret, M_DEVBUF); 5996 sp->myauth.secret = NULL; 5997 SPPP_UNLOCK(sp); 5998 return error; 5999 } 6000 sp->myauth.secret_len = cfg->mysecret_length - 1; 6001 sp->myauth.secret[sp->myauth.secret_len] = 0; 6002 } 6003 sp->myauth.flags = cfg->myauthflags; 6004 if (cfg->myauth) 6005 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 6006 sp->hisauth.flags = cfg->hisauthflags; 6007 if (cfg->hisauth) 6008 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 6009 sp->pp_auth_failures = 0; 6010 if (sp->hisauth.proto != 0) 6011 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 6012 else 6013 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 6014 6015 SPPP_UNLOCK(sp); 6016 } 6017 break; 6018 case SPPPGETLCPCFG: 6019 { 6020 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 6021 6022 SPPP_LOCK(sp, RW_READER); 6023 lcpp->lcp_timeout = sp->lcp.timeout; 6024 SPPP_UNLOCK(sp); 6025 } 6026 break; 6027 case SPPPSETLCPCFG: 6028 { 6029 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 6030 6031 SPPP_LOCK(sp, RW_WRITER); 6032 sp->lcp.timeout = lcpp->lcp_timeout; 6033 SPPP_UNLOCK(sp); 6034 } 6035 break; 6036 case SPPPGETSTATUS: 6037 { 6038 struct spppstatus *status = (struct spppstatus *)data; 6039 6040 SPPP_LOCK(sp, RW_READER); 6041 status->phase = sp->pp_phase; 6042 SPPP_UNLOCK(sp); 6043 } 6044 break; 6045 case SPPPGETSTATUSNCP: 6046 { 6047 struct spppstatusncp *status = (struct spppstatusncp *)data; 6048 6049 SPPP_LOCK(sp, RW_READER); 6050 status->phase = sp->pp_phase; 6051 status->ncpup = sppp_ncp_check(sp); 6052 SPPP_UNLOCK(sp); 6053 } 6054 break; 6055 case SPPPGETIDLETO: 6056 { 6057 struct spppidletimeout *to = (struct spppidletimeout *)data; 6058 6059 SPPP_LOCK(sp, RW_READER); 6060 to->idle_seconds = sp->pp_idle_timeout; 6061 SPPP_UNLOCK(sp); 6062 } 6063 break; 6064 case SPPPSETIDLETO: 6065 { 6066 struct spppidletimeout *to = (struct spppidletimeout *)data; 6067 6068 SPPP_LOCK(sp, RW_WRITER); 6069 sp->pp_idle_timeout = to->idle_seconds; 6070 SPPP_UNLOCK(sp); 6071 } 6072 break; 6073 case SPPPSETAUTHFAILURE: 6074 { 6075 struct spppauthfailuresettings *afsettings = 6076 (struct spppauthfailuresettings *)data; 6077 6078 SPPP_LOCK(sp, RW_WRITER); 6079 sp->pp_max_auth_fail = afsettings->max_failures; 6080 sp->pp_auth_failures = 0; 6081 SPPP_UNLOCK(sp); 6082 } 6083 break; 6084 case SPPPGETAUTHFAILURES: 6085 { 6086 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 6087 6088 SPPP_LOCK(sp, RW_READER); 6089 stats->auth_failures = sp->pp_auth_failures; 6090 stats->max_failures = sp->pp_max_auth_fail; 6091 SPPP_UNLOCK(sp); 6092 } 6093 break; 6094 case SPPPSETDNSOPTS: 6095 { 6096 struct spppdnssettings *req = (struct spppdnssettings *)data; 6097 6098 SPPP_LOCK(sp, RW_WRITER); 6099 sp->query_dns = req->query_dns & 3; 6100 SPPP_UNLOCK(sp); 6101 } 6102 break; 6103 case SPPPGETDNSOPTS: 6104 { 6105 struct spppdnssettings *req = (struct spppdnssettings *)data; 6106 6107 SPPP_LOCK(sp, RW_READER); 6108 req->query_dns = sp->query_dns; 6109 SPPP_UNLOCK(sp); 6110 } 6111 break; 6112 case SPPPGETDNSADDRS: 6113 { 6114 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 6115 6116 SPPP_LOCK(sp, RW_READER); 6117 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 6118 SPPP_UNLOCK(sp); 6119 } 6120 break; 6121 case SPPPGETKEEPALIVE: 6122 { 6123 struct spppkeepalivesettings *settings = 6124 (struct spppkeepalivesettings*)data; 6125 6126 SPPP_LOCK(sp, RW_READER); 6127 settings->maxalive = sp->pp_maxalive; 6128 settings->max_noreceive = sp->pp_max_noreceive; 6129 SPPP_UNLOCK(sp); 6130 } 6131 break; 6132 case SPPPSETKEEPALIVE: 6133 { 6134 struct spppkeepalivesettings *settings = 6135 (struct spppkeepalivesettings*)data; 6136 6137 SPPP_LOCK(sp, RW_WRITER); 6138 sp->pp_maxalive = settings->maxalive; 6139 sp->pp_max_noreceive = settings->max_noreceive; 6140 SPPP_UNLOCK(sp); 6141 } 6142 break; 6143 default: 6144 { 6145 int ret; 6146 6147 MODULE_HOOK_CALL(sppp_params_50_hook, (sp, cmd, data), 6148 enosys(), ret); 6149 if (ret != ENOSYS) 6150 return ret; 6151 return (EINVAL); 6152 } 6153 } 6154 return (0); 6155 } 6156 6157 static void 6158 sppp_phase_network(struct sppp *sp) 6159 { 6160 int i; 6161 uint32_t mask; 6162 6163 KASSERT(SPPP_WLOCKED(sp)); 6164 6165 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 6166 6167 /* Notify NCPs now. */ 6168 for (i = 0; i < IDX_COUNT; i++) 6169 if ((cps[i])->flags & CP_NCP) 6170 (cps[i])->Open(sp); 6171 6172 /* Send Up events to all NCPs. */ 6173 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 6174 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) { 6175 (cps[i])->Up(sp); 6176 } 6177 6178 /* if no NCP is starting, all this was in vain, close down */ 6179 sppp_lcp_check_and_close(sp); 6180 } 6181 6182 6183 static const char * 6184 sppp_cp_type_name(u_char type) 6185 { 6186 static char buf[12]; 6187 switch (type) { 6188 case CONF_REQ: return "conf-req"; 6189 case CONF_ACK: return "conf-ack"; 6190 case CONF_NAK: return "conf-nak"; 6191 case CONF_REJ: return "conf-rej"; 6192 case TERM_REQ: return "term-req"; 6193 case TERM_ACK: return "term-ack"; 6194 case CODE_REJ: return "code-rej"; 6195 case PROTO_REJ: return "proto-rej"; 6196 case ECHO_REQ: return "echo-req"; 6197 case ECHO_REPLY: return "echo-reply"; 6198 case DISC_REQ: return "discard-req"; 6199 } 6200 snprintf(buf, sizeof(buf), "0x%x", type); 6201 return buf; 6202 } 6203 6204 static const char * 6205 sppp_auth_type_name(u_short proto, u_char type) 6206 { 6207 static char buf[32]; 6208 const char *name; 6209 6210 switch (proto) { 6211 case PPP_CHAP: 6212 switch (type) { 6213 case CHAP_CHALLENGE: return "challenge"; 6214 case CHAP_RESPONSE: return "response"; 6215 case CHAP_SUCCESS: return "success"; 6216 case CHAP_FAILURE: return "failure"; 6217 default: name = "chap"; break; 6218 } 6219 break; 6220 6221 case PPP_PAP: 6222 switch (type) { 6223 case PAP_REQ: return "req"; 6224 case PAP_ACK: return "ack"; 6225 case PAP_NAK: return "nak"; 6226 default: name = "pap"; break; 6227 } 6228 break; 6229 6230 default: 6231 name = "bad"; 6232 break; 6233 } 6234 6235 snprintf(buf, sizeof(buf), "%s(%#x) %#x", name, proto, type); 6236 return buf; 6237 } 6238 6239 static const char * 6240 sppp_lcp_opt_name(u_char opt) 6241 { 6242 static char buf[12]; 6243 switch (opt) { 6244 case LCP_OPT_MRU: return "mru"; 6245 case LCP_OPT_ASYNC_MAP: return "async-map"; 6246 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 6247 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 6248 case LCP_OPT_MAGIC: return "magic"; 6249 case LCP_OPT_PROTO_COMP: return "proto-comp"; 6250 case LCP_OPT_ADDR_COMP: return "addr-comp"; 6251 case LCP_OPT_SELF_DESC_PAD: return "sdpad"; 6252 case LCP_OPT_CALL_BACK: return "callback"; 6253 case LCP_OPT_COMPOUND_FRMS: return "cmpd-frms"; 6254 case LCP_OPT_MP_MRRU: return "mrru"; 6255 case LCP_OPT_MP_SSNHF: return "mp-ssnhf"; 6256 case LCP_OPT_MP_EID: return "mp-eid"; 6257 } 6258 snprintf(buf, sizeof(buf), "0x%x", opt); 6259 return buf; 6260 } 6261 6262 static const char * 6263 sppp_ipcp_opt_name(u_char opt) 6264 { 6265 static char buf[12]; 6266 switch (opt) { 6267 case IPCP_OPT_ADDRESSES: return "addresses"; 6268 case IPCP_OPT_COMPRESSION: return "compression"; 6269 case IPCP_OPT_ADDRESS: return "address"; 6270 } 6271 snprintf(buf, sizeof(buf), "0x%x", opt); 6272 return buf; 6273 } 6274 6275 #ifdef INET6 6276 static const char * 6277 sppp_ipv6cp_opt_name(u_char opt) 6278 { 6279 static char buf[12]; 6280 switch (opt) { 6281 case IPV6CP_OPT_IFID: return "ifid"; 6282 case IPV6CP_OPT_COMPRESSION: return "compression"; 6283 } 6284 snprintf(buf, sizeof(buf), "0x%x", opt); 6285 return buf; 6286 } 6287 #endif 6288 6289 static const char * 6290 sppp_state_name(int state) 6291 { 6292 switch (state) { 6293 case STATE_INITIAL: return "initial"; 6294 case STATE_STARTING: return "starting"; 6295 case STATE_CLOSED: return "closed"; 6296 case STATE_STOPPED: return "stopped"; 6297 case STATE_CLOSING: return "closing"; 6298 case STATE_STOPPING: return "stopping"; 6299 case STATE_REQ_SENT: return "req-sent"; 6300 case STATE_ACK_RCVD: return "ack-rcvd"; 6301 case STATE_ACK_SENT: return "ack-sent"; 6302 case STATE_OPENED: return "opened"; 6303 } 6304 return "illegal"; 6305 } 6306 6307 static const char * 6308 sppp_phase_name(int phase) 6309 { 6310 switch (phase) { 6311 case SPPP_PHASE_DEAD: return "dead"; 6312 case SPPP_PHASE_ESTABLISH: return "establish"; 6313 case SPPP_PHASE_TERMINATE: return "terminate"; 6314 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 6315 case SPPP_PHASE_NETWORK: return "network"; 6316 } 6317 return "illegal"; 6318 } 6319 6320 static const char * 6321 sppp_proto_name(u_short proto) 6322 { 6323 static char buf[12]; 6324 switch (proto) { 6325 case PPP_LCP: return "lcp"; 6326 case PPP_IPCP: return "ipcp"; 6327 case PPP_PAP: return "pap"; 6328 case PPP_CHAP: return "chap"; 6329 case PPP_IPV6CP: return "ipv6cp"; 6330 } 6331 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto); 6332 return buf; 6333 } 6334 6335 static void 6336 sppp_print_bytes(const u_char *p, u_short len) 6337 { 6338 addlog(" %02x", *p++); 6339 while (--len > 0) 6340 addlog("-%02x", *p++); 6341 } 6342 6343 static void 6344 sppp_print_string(const char *p, u_short len) 6345 { 6346 u_char c; 6347 6348 while (len-- > 0) { 6349 c = *p++; 6350 /* 6351 * Print only ASCII chars directly. RFC 1994 recommends 6352 * using only them, but we don't rely on it. */ 6353 if (c < ' ' || c > '~') 6354 addlog("\\x%x", c); 6355 else 6356 addlog("%c", c); 6357 } 6358 } 6359 6360 static const char * 6361 sppp_dotted_quad(uint32_t addr) 6362 { 6363 static char s[16]; 6364 snprintf(s, sizeof(s), "%d.%d.%d.%d", 6365 (int)((addr >> 24) & 0xff), 6366 (int)((addr >> 16) & 0xff), 6367 (int)((addr >> 8) & 0xff), 6368 (int)(addr & 0xff)); 6369 return s; 6370 } 6371 6372 /* a dummy, used to drop uninteresting events */ 6373 static void 6374 sppp_null(struct sppp *unused) 6375 { 6376 /* do just nothing */ 6377 } 6378 /* 6379 * This file is large. Tell emacs to highlight it nevertheless. 6380 * 6381 * Local Variables: 6382 * hilit-auto-highlight-maxout: 120000 6383 * End: 6384 */ 6385 6386 /* 6387 * Module glue 6388 */ 6389 MODULE(MODULE_CLASS_MISC, sppp_subr, NULL); 6390 6391 static int 6392 sppp_subr_modcmd(modcmd_t cmd, void *arg) 6393 { 6394 switch (cmd) { 6395 case MODULE_CMD_INIT: 6396 case MODULE_CMD_FINI: 6397 return 0; 6398 case MODULE_CMD_STAT: 6399 case MODULE_CMD_AUTOUNLOAD: 6400 default: 6401 return ENOTTY; 6402 } 6403 } 6404 6405 static void 6406 sppp_notify_up(struct sppp *sp) 6407 { 6408 6409 SPPP_LOCK(sp, RW_WRITER); 6410 lcp.Up(sp); 6411 SPPP_UNLOCK(sp); 6412 } 6413 6414 static void 6415 sppp_notify_down(struct sppp *sp) 6416 { 6417 6418 SPPP_LOCK(sp, RW_WRITER); 6419 lcp.Down(sp); 6420 SPPP_UNLOCK(sp); 6421 } 6422 6423 static void 6424 sppp_notify_tls_wlocked(struct sppp *sp) 6425 { 6426 6427 KASSERT(SPPP_WLOCKED(sp)); 6428 6429 if (!sp->pp_tls) 6430 return; 6431 6432 SPPP_UNLOCK(sp); 6433 sp->pp_tls(sp); 6434 SPPP_LOCK(sp, RW_WRITER); 6435 } 6436 6437 static void 6438 sppp_notify_tlf_wlocked(struct sppp *sp) 6439 { 6440 6441 KASSERT(SPPP_WLOCKED(sp)); 6442 6443 if (!sp->pp_tlf) 6444 return; 6445 6446 SPPP_UNLOCK(sp); 6447 sp->pp_tlf(sp); 6448 SPPP_LOCK(sp, RW_WRITER); 6449 } 6450 6451 static void 6452 sppp_notify_con(struct sppp *sp) 6453 { 6454 6455 if (!sp->pp_con) 6456 return; 6457 6458 sp->pp_con(sp); 6459 } 6460 6461 #ifdef INET6 6462 static void 6463 sppp_notify_con_wlocked(struct sppp *sp) 6464 { 6465 6466 KASSERT(SPPP_WLOCKED(sp)); 6467 6468 SPPP_UNLOCK(sp); 6469 sppp_notify_con(sp); 6470 SPPP_LOCK(sp, RW_WRITER); 6471 6472 } 6473 #endif 6474 6475 static void 6476 sppp_notify_chg_wlocked(struct sppp *sp) 6477 { 6478 6479 KASSERT(SPPP_WLOCKED(sp)); 6480 6481 if (!sp->pp_chg) 6482 return; 6483 6484 SPPP_UNLOCK(sp); 6485 sp->pp_chg(sp, sp->pp_phase); 6486 SPPP_LOCK(sp, RW_WRITER); 6487 } 6488
Indexes created Tue Oct 14 11:09:46 GMT 2025