if_spppsubr.c revision 1.195
1 /* $NetBSD: if_spppsubr.c,v 1.195 2020/11/25 09:21:53 yamaguchi Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak (at) cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun (at) iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.195 2020/11/25 09:21:53 yamaguchi Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_modular.h" 49 #include "opt_compat_netbsd.h" 50 #include "opt_net_mpsafe.h" 51 #endif 52 53 54 #include <sys/param.h> 55 #include <sys/proc.h> 56 #include <sys/systm.h> 57 #include <sys/kernel.h> 58 #include <sys/sockio.h> 59 #include <sys/socket.h> 60 #include <sys/syslog.h> 61 #include <sys/malloc.h> 62 #include <sys/mbuf.h> 63 #include <sys/callout.h> 64 #include <sys/md5.h> 65 #include <sys/inttypes.h> 66 #include <sys/kauth.h> 67 #include <sys/cprng.h> 68 #include <sys/module.h> 69 #include <sys/workqueue.h> 70 #include <sys/atomic.h> 71 #include <sys/compat_stub.h> 72 73 #include <net/if.h> 74 #include <net/netisr.h> 75 #include <net/if_types.h> 76 #include <net/route.h> 77 #include <net/ppp_defs.h> 78 79 #include <netinet/in.h> 80 #include <netinet/in_systm.h> 81 #include <netinet/in_var.h> 82 #ifdef INET 83 #include <netinet/ip.h> 84 #include <netinet/tcp.h> 85 #endif 86 #include <net/ethertypes.h> 87 88 #ifdef INET6 89 #include <netinet6/scope6_var.h> 90 #endif 91 92 #include <net/if_sppp.h> 93 #include <net/if_spppvar.h> 94 95 #ifdef NET_MPSAFE 96 #define SPPPSUBR_MPSAFE 1 97 #endif 98 99 #define LCP_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 100 #define LOOPALIVECNT 3 /* loopback detection tries */ 101 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 102 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 103 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 104 105 /* 106 * Interface flags that can be set in an ifconfig command. 107 * 108 * Setting link0 will make the link passive, i.e. it will be marked 109 * as being administrative openable, but won't be opened to begin 110 * with. Incoming calls will be answered, or subsequent calls with 111 * -link1 will cause the administrative open of the LCP layer. 112 * 113 * Setting link1 will cause the link to auto-dial only as packets 114 * arrive to be sent. 115 * 116 * Setting IFF_DEBUG will syslog the option negotiation and state 117 * transitions at level kern.debug. Note: all logs consistently look 118 * like 119 * 120 * <if-name><unit>: <proto-name> <additional info...> 121 * 122 * with <if-name><unit> being something like "bppp0", and <proto-name> 123 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 124 */ 125 126 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 127 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 128 129 #define CONF_REQ 1 /* PPP configure request */ 130 #define CONF_ACK 2 /* PPP configure acknowledge */ 131 #define CONF_NAK 3 /* PPP configure negative ack */ 132 #define CONF_REJ 4 /* PPP configure reject */ 133 #define TERM_REQ 5 /* PPP terminate request */ 134 #define TERM_ACK 6 /* PPP terminate acknowledge */ 135 #define CODE_REJ 7 /* PPP code reject */ 136 #define PROTO_REJ 8 /* PPP protocol reject */ 137 #define ECHO_REQ 9 /* PPP echo request */ 138 #define ECHO_REPLY 10 /* PPP echo reply */ 139 #define DISC_REQ 11 /* PPP discard request */ 140 141 #define LCP_OPT_MRU 1 /* maximum receive unit */ 142 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 143 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 144 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 145 #define LCP_OPT_MAGIC 5 /* magic number */ 146 #define LCP_OPT_RESERVED 6 /* reserved */ 147 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 148 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 149 #define LCP_OPT_FCS_ALTS 9 /* FCS alternatives */ 150 #define LCP_OPT_SELF_DESC_PAD 10 /* self-describing padding */ 151 #define LCP_OPT_CALL_BACK 13 /* callback */ 152 #define LCP_OPT_COMPOUND_FRMS 15 /* compound frames */ 153 #define LCP_OPT_MP_MRRU 17 /* multilink MRRU */ 154 #define LCP_OPT_MP_SSNHF 18 /* multilink short seq. numbers */ 155 #define LCP_OPT_MP_EID 19 /* multilink endpoint discriminator */ 156 157 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 158 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 159 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 160 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 161 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 162 163 #define IPCP_UPDATE_LIMIT 8 /* limit of pending IP updating job */ 164 #define IPCP_SET_ADDRS 1 /* marker for IP address setting job */ 165 #define IPCP_CLEAR_ADDRS 2 /* marker for IP address clearing job */ 166 167 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 168 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 169 170 #define PAP_REQ 1 /* PAP name/password request */ 171 #define PAP_ACK 2 /* PAP acknowledge */ 172 #define PAP_NAK 3 /* PAP fail */ 173 174 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 175 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 176 #define CHAP_SUCCESS 3 /* CHAP response ok */ 177 #define CHAP_FAILURE 4 /* CHAP response failed */ 178 179 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 180 181 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 182 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 183 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 184 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 185 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 186 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 187 188 /* states are named and numbered according to RFC 1661 */ 189 #define STATE_INITIAL 0 190 #define STATE_STARTING 1 191 #define STATE_CLOSED 2 192 #define STATE_STOPPED 3 193 #define STATE_CLOSING 4 194 #define STATE_STOPPING 5 195 #define STATE_REQ_SENT 6 196 #define STATE_ACK_RCVD 7 197 #define STATE_ACK_SENT 8 198 #define STATE_OPENED 9 199 200 struct ppp_header { 201 uint8_t address; 202 uint8_t control; 203 uint16_t protocol; 204 } __packed; 205 #define PPP_HEADER_LEN sizeof (struct ppp_header) 206 207 struct lcp_header { 208 uint8_t type; 209 uint8_t ident; 210 uint16_t len; 211 } __packed; 212 #define LCP_HEADER_LEN sizeof (struct lcp_header) 213 214 struct cisco_packet { 215 uint32_t type; 216 uint32_t par1; 217 uint32_t par2; 218 uint16_t rel; 219 uint16_t time0; 220 uint16_t time1; 221 } __packed; 222 #define CISCO_PACKET_LEN 18 223 224 /* 225 * We follow the spelling and capitalization of RFC 1661 here, to make 226 * it easier comparing with the standard. Please refer to this RFC in 227 * case you can't make sense out of these abbreviation; it will also 228 * explain the semantics related to the various events and actions. 229 */ 230 struct cp { 231 u_short proto; /* PPP control protocol number */ 232 u_char protoidx; /* index into state table in struct sppp */ 233 u_char flags; 234 #define CP_LCP 0x01 /* this is the LCP */ 235 #define CP_AUTH 0x02 /* this is an authentication protocol */ 236 #define CP_NCP 0x04 /* this is a NCP */ 237 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 238 const char *name; /* name of this control protocol */ 239 /* event handlers */ 240 void (*Up)(struct sppp *); 241 void (*Down)(struct sppp *); 242 void (*Open)(struct sppp *); 243 void (*Close)(struct sppp *); 244 void (*TO)(void *); 245 int (*RCR)(struct sppp *, struct lcp_header *, int); 246 void (*RCN_rej)(struct sppp *, struct lcp_header *, int); 247 void (*RCN_nak)(struct sppp *, struct lcp_header *, int); 248 /* actions */ 249 void (*tlu)(struct sppp *sp); 250 void (*tld)(struct sppp *sp); 251 void (*tls)(struct sppp *sp); 252 void (*tlf)(struct sppp *sp); 253 void (*scr)(struct sppp *sp); 254 void (*scan)(const struct cp *, struct sppp *); 255 }; 256 257 static struct sppp *spppq; 258 static kmutex_t *spppq_lock = NULL; 259 static callout_t keepalive_ch; 260 261 #define SPPPQ_LOCK() if (spppq_lock) \ 262 mutex_enter(spppq_lock); 263 #define SPPPQ_UNLOCK() if (spppq_lock) \ 264 mutex_exit(spppq_lock); 265 266 #define SPPP_LOCK(_sp, _op) rw_enter(&(_sp)->pp_lock, (_op)) 267 #define SPPP_UNLOCK(_sp) rw_exit(&(_sp)->pp_lock) 268 #define SPPP_WLOCKED(_sp) rw_write_held(&(_sp)->pp_lock) 269 #define SPPP_UPGRADE(_sp) do{ \ 270 SPPP_UNLOCK(_sp); \ 271 SPPP_LOCK(_sp, RW_WRITER); \ 272 }while (0) 273 #define SPPP_DOWNGRADE(_sp) rw_downgrade(&(_sp)->pp_lock) 274 275 #ifdef INET 276 #ifndef SPPPSUBR_MPSAFE 277 /* 278 * The following disgusting hack gets around the problem that IP TOS 279 * can't be set yet. We want to put "interactive" traffic on a high 280 * priority queue. To decide if traffic is interactive, we check that 281 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 282 * 283 * XXX is this really still necessary? - joerg - 284 */ 285 static u_short interactive_ports[8] = { 286 0, 513, 0, 0, 287 0, 21, 0, 23, 288 }; 289 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 290 #endif /* SPPPSUBR_MPSAFE */ 291 #endif 292 293 /* almost every function needs these */ 294 #define STDDCL \ 295 struct ifnet *ifp = &sp->pp_if; \ 296 int debug = ifp->if_flags & IFF_DEBUG 297 298 static int sppp_output(struct ifnet *, struct mbuf *, 299 const struct sockaddr *, const struct rtentry *); 300 301 static void sppp_cisco_send(struct sppp *, int, int32_t, int32_t); 302 static void sppp_cisco_input(struct sppp *, struct mbuf *); 303 304 static void sppp_cp_input(const struct cp *, struct sppp *, 305 struct mbuf *); 306 static void sppp_cp_send(struct sppp *, u_short, u_char, 307 u_char, u_short, void *); 308 /* static void sppp_cp_timeout(void *arg); */ 309 static void sppp_cp_change_state(const struct cp *, struct sppp *, int); 310 static void sppp_auth_send(const struct cp *, struct sppp *, 311 unsigned int, unsigned int, ...); 312 313 static void sppp_up_event(const struct cp *, struct sppp *); 314 static void sppp_down_event(const struct cp *, struct sppp *); 315 static void sppp_open_event(const struct cp *, struct sppp *); 316 static void sppp_close_event(const struct cp *, struct sppp *); 317 static void sppp_to_event(const struct cp *, struct sppp *); 318 static void sppp_rcr_event(const struct cp *, struct sppp *); 319 static void sppp_rca_event(const struct cp *, struct sppp *); 320 static void sppp_rcn_event(const struct cp *, struct sppp *); 321 322 static void sppp_null(struct sppp *); 323 static void sppp_sca_scn(const struct cp *, struct sppp *); 324 325 static void sppp_lcp_init(struct sppp *); 326 static void sppp_lcp_up(struct sppp *); 327 static void sppp_lcp_down(struct sppp *); 328 static void sppp_lcp_open(struct sppp *); 329 static void sppp_lcp_close(struct sppp *); 330 static void sppp_lcp_TO(void *); 331 static int sppp_lcp_RCR(struct sppp *, struct lcp_header *, int); 332 static void sppp_lcp_RCN_rej(struct sppp *, struct lcp_header *, int); 333 static void sppp_lcp_RCN_nak(struct sppp *, struct lcp_header *, int); 334 static void sppp_lcp_tlu(struct sppp *); 335 static void sppp_lcp_tld(struct sppp *); 336 static void sppp_lcp_tls(struct sppp *); 337 static void sppp_lcp_tlf(struct sppp *); 338 static void sppp_lcp_scr(struct sppp *); 339 static void sppp_lcp_check_and_close(struct sppp *); 340 static int sppp_ncp_check(struct sppp *); 341 342 static void sppp_ipcp_init(struct sppp *); 343 static void sppp_ipcp_up(struct sppp *); 344 static void sppp_ipcp_down(struct sppp *); 345 static void sppp_ipcp_open(struct sppp *); 346 static void sppp_ipcp_close(struct sppp *); 347 static void sppp_ipcp_TO(void *); 348 static int sppp_ipcp_RCR(struct sppp *, struct lcp_header *, int); 349 static void sppp_ipcp_RCN_rej(struct sppp *, struct lcp_header *, int); 350 static void sppp_ipcp_RCN_nak(struct sppp *, struct lcp_header *, int); 351 static void sppp_ipcp_tlu(struct sppp *); 352 static void sppp_ipcp_tld(struct sppp *); 353 static void sppp_ipcp_tls(struct sppp *); 354 static void sppp_ipcp_tlf(struct sppp *); 355 static void sppp_ipcp_scr(struct sppp *); 356 357 static void sppp_ipv6cp_init(struct sppp *); 358 static void sppp_ipv6cp_up(struct sppp *); 359 static void sppp_ipv6cp_down(struct sppp *); 360 static void sppp_ipv6cp_open(struct sppp *); 361 static void sppp_ipv6cp_close(struct sppp *); 362 static void sppp_ipv6cp_TO(void *); 363 static int sppp_ipv6cp_RCR(struct sppp *, struct lcp_header *, int); 364 static void sppp_ipv6cp_RCN_rej(struct sppp *, struct lcp_header *, int); 365 static void sppp_ipv6cp_RCN_nak(struct sppp *, struct lcp_header *, int); 366 static void sppp_ipv6cp_tlu(struct sppp *); 367 static void sppp_ipv6cp_tld(struct sppp *); 368 static void sppp_ipv6cp_tls(struct sppp *); 369 static void sppp_ipv6cp_tlf(struct sppp *); 370 static void sppp_ipv6cp_scr(struct sppp *); 371 372 static void sppp_pap_input(struct sppp *, struct mbuf *); 373 static void sppp_pap_init(struct sppp *); 374 static void sppp_pap_open(struct sppp *); 375 static void sppp_pap_close(struct sppp *); 376 static void sppp_pap_TO(void *); 377 static void sppp_pap_my_TO(void *); 378 static void sppp_pap_tlu(struct sppp *); 379 static void sppp_pap_tld(struct sppp *); 380 static void sppp_pap_scr(struct sppp *); 381 382 static void sppp_chap_input(struct sppp *, struct mbuf *); 383 static void sppp_chap_init(struct sppp *); 384 static void sppp_chap_open(struct sppp *); 385 static void sppp_chap_close(struct sppp *); 386 static void sppp_chap_TO(void *); 387 static void sppp_chap_tlu(struct sppp *); 388 static void sppp_chap_tld(struct sppp *); 389 static void sppp_chap_scr(struct sppp *); 390 391 static const char *sppp_auth_type_name(u_short, u_char); 392 static const char *sppp_cp_type_name(u_char); 393 static const char *sppp_dotted_quad(uint32_t); 394 static const char *sppp_ipcp_opt_name(u_char); 395 #ifdef INET6 396 static const char *sppp_ipv6cp_opt_name(u_char); 397 #endif 398 static const char *sppp_lcp_opt_name(u_char); 399 static const char *sppp_phase_name(int); 400 static const char *sppp_proto_name(u_short); 401 static const char *sppp_state_name(int); 402 static int sppp_params(struct sppp *, u_long, void *); 403 #ifdef INET 404 static void sppp_get_ip_addrs(struct sppp *, uint32_t *, uint32_t *, uint32_t *); 405 static void sppp_set_ip_addrs_work(struct work *, struct sppp *); 406 static void sppp_set_ip_addrs(struct sppp *); 407 static void sppp_clear_ip_addrs_work(struct work *, struct sppp *); 408 static void sppp_clear_ip_addrs(struct sppp *); 409 static void sppp_update_ip_addrs_work(struct work *, void *); 410 #endif 411 static void sppp_keepalive(void *); 412 static void sppp_phase_network(struct sppp *); 413 static void sppp_print_bytes(const u_char *, u_short); 414 static void sppp_print_string(const char *, u_short); 415 #ifdef INET6 416 static void sppp_get_ip6_addrs(struct sppp *, struct in6_addr *, 417 struct in6_addr *, struct in6_addr *); 418 #ifdef IPV6CP_MYIFID_DYN 419 static void sppp_set_ip6_addr(struct sppp *, const struct in6_addr *); 420 static void sppp_gen_ip6_addr(struct sppp *, const struct in6_addr *); 421 #endif 422 static void sppp_suggest_ip6_addr(struct sppp *, struct in6_addr *); 423 #endif 424 425 static void sppp_notify_up(struct sppp *); 426 static void sppp_notify_down(struct sppp *); 427 static void sppp_notify_tls_wlocked(struct sppp *); 428 static void sppp_notify_tlf_wlocked(struct sppp *); 429 #ifdef INET6 430 static void sppp_notify_con_wlocked(struct sppp *); 431 #endif 432 static void sppp_notify_con(struct sppp *); 433 434 static void sppp_notify_chg_wlocked(struct sppp *); 435 436 437 /* our control protocol descriptors */ 438 static const struct cp lcp = { 439 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 440 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, sppp_lcp_close, 441 sppp_lcp_TO, sppp_lcp_RCR, sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, 442 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, sppp_lcp_tlf, 443 sppp_lcp_scr, sppp_sca_scn 444 }; 445 446 static const struct cp ipcp = { 447 PPP_IPCP, IDX_IPCP, 448 #ifdef INET 449 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 450 #else 451 0, 452 #endif 453 "ipcp", 454 sppp_ipcp_up, sppp_ipcp_down, sppp_ipcp_open, sppp_ipcp_close, 455 sppp_ipcp_TO, sppp_ipcp_RCR, sppp_ipcp_RCN_rej, sppp_ipcp_RCN_nak, 456 sppp_ipcp_tlu, sppp_ipcp_tld, sppp_ipcp_tls, sppp_ipcp_tlf, 457 sppp_ipcp_scr, sppp_sca_scn 458 }; 459 460 static const struct cp ipv6cp = { 461 PPP_IPV6CP, IDX_IPV6CP, 462 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 463 CP_NCP, 464 #else 465 0, 466 #endif 467 "ipv6cp", 468 sppp_ipv6cp_up, sppp_ipv6cp_down, sppp_ipv6cp_open, sppp_ipv6cp_close, 469 sppp_ipv6cp_TO, sppp_ipv6cp_RCR, sppp_ipv6cp_RCN_rej, sppp_ipv6cp_RCN_nak, 470 sppp_ipv6cp_tlu, sppp_ipv6cp_tld, sppp_ipv6cp_tls, sppp_ipv6cp_tlf, 471 sppp_ipv6cp_scr, sppp_sca_scn 472 }; 473 474 static const struct cp pap = { 475 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 476 sppp_null, sppp_null, sppp_pap_open, sppp_pap_close, 477 sppp_pap_TO, 0, 0, 0, 478 sppp_pap_tlu, sppp_pap_tld, sppp_null, sppp_null, 479 sppp_pap_scr, 0 480 }; 481 482 static const struct cp chap = { 483 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 484 sppp_null, sppp_null, sppp_chap_open, sppp_chap_close, 485 sppp_chap_TO, 0, 0, 0, 486 sppp_chap_tlu, sppp_chap_tld, sppp_null, sppp_null, 487 sppp_chap_scr, 0 488 }; 489 490 static const struct cp *cps[IDX_COUNT] = { 491 &lcp, /* IDX_LCP */ 492 &ipcp, /* IDX_IPCP */ 493 &ipv6cp, /* IDX_IPV6CP */ 494 &pap, /* IDX_PAP */ 495 &chap, /* IDX_CHAP */ 496 }; 497 498 static void 499 sppp_change_phase(struct sppp *sp, int phase) 500 { 501 STDDCL; 502 503 KASSERT(SPPP_WLOCKED(sp)); 504 505 if (sp->pp_phase == phase) 506 return; 507 508 sp->pp_phase = phase; 509 510 if (phase == SPPP_PHASE_NETWORK) 511 if_link_state_change(ifp, LINK_STATE_UP); 512 else 513 if_link_state_change(ifp, LINK_STATE_DOWN); 514 515 if (debug) 516 { 517 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 518 sppp_phase_name(sp->pp_phase)); 519 } 520 } 521 522 /* 523 * Exported functions, comprising our interface to the lower layer. 524 */ 525 526 /* 527 * Process the received packet. 528 */ 529 void 530 sppp_input(struct ifnet *ifp, struct mbuf *m) 531 { 532 struct ppp_header *h = NULL; 533 pktqueue_t *pktq = NULL; 534 struct ifqueue *inq = NULL; 535 uint16_t protocol; 536 struct sppp *sp = (struct sppp *)ifp; 537 int debug = ifp->if_flags & IFF_DEBUG; 538 int isr = 0; 539 540 SPPP_LOCK(sp, RW_READER); 541 542 if (ifp->if_flags & IFF_UP) { 543 /* Count received bytes, add hardware framing */ 544 if_statadd(ifp, if_ibytes, m->m_pkthdr.len + sp->pp_framebytes); 545 /* Note time of last receive */ 546 sp->pp_last_receive = time_uptime; 547 } 548 549 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 550 /* Too small packet, drop it. */ 551 if (debug) 552 log(LOG_DEBUG, 553 "%s: input packet is too small, %d bytes\n", 554 ifp->if_xname, m->m_pkthdr.len); 555 drop: 556 if_statadd2(ifp, if_ierrors, 1, if_iqdrops, 1); 557 m_freem(m); 558 SPPP_UNLOCK(sp); 559 return; 560 } 561 562 if (sp->pp_flags & PP_NOFRAMING) { 563 memcpy(&protocol, mtod(m, void *), 2); 564 protocol = ntohs(protocol); 565 m_adj(m, 2); 566 } else { 567 568 /* Get PPP header. */ 569 h = mtod(m, struct ppp_header *); 570 m_adj(m, PPP_HEADER_LEN); 571 572 switch (h->address) { 573 case PPP_ALLSTATIONS: 574 if (h->control != PPP_UI) 575 goto invalid; 576 if (sp->pp_flags & PP_CISCO) { 577 if (debug) 578 log(LOG_DEBUG, 579 "%s: PPP packet in Cisco mode " 580 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 581 ifp->if_xname, 582 h->address, h->control, ntohs(h->protocol)); 583 goto drop; 584 } 585 break; 586 case CISCO_MULTICAST: 587 case CISCO_UNICAST: 588 /* Don't check the control field here (RFC 1547). */ 589 if (! (sp->pp_flags & PP_CISCO)) { 590 if (debug) 591 log(LOG_DEBUG, 592 "%s: Cisco packet in PPP mode " 593 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 594 ifp->if_xname, 595 h->address, h->control, ntohs(h->protocol)); 596 goto drop; 597 } 598 switch (ntohs(h->protocol)) { 599 default: 600 if_statinc(ifp, if_noproto); 601 goto invalid; 602 case CISCO_KEEPALIVE: 603 SPPP_UNLOCK(sp); 604 sppp_cisco_input((struct sppp *) ifp, m); 605 m_freem(m); 606 return; 607 #ifdef INET 608 case ETHERTYPE_IP: 609 pktq = ip_pktq; 610 break; 611 #endif 612 #ifdef INET6 613 case ETHERTYPE_IPV6: 614 pktq = ip6_pktq; 615 break; 616 #endif 617 } 618 goto queue_pkt; 619 default: /* Invalid PPP packet. */ 620 invalid: 621 if (debug) 622 log(LOG_DEBUG, 623 "%s: invalid input packet " 624 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 625 ifp->if_xname, 626 h->address, h->control, ntohs(h->protocol)); 627 goto drop; 628 } 629 protocol = ntohs(h->protocol); 630 } 631 632 switch (protocol) { 633 default: 634 if (sp->scp[IDX_LCP].state == STATE_OPENED) { 635 uint16_t prot = htons(protocol); 636 637 SPPP_UPGRADE(sp); 638 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 639 ++sp->scp[IDX_LCP].seq, m->m_pkthdr.len + 2, 640 &prot); 641 SPPP_DOWNGRADE(sp); 642 } 643 if (debug) 644 log(LOG_DEBUG, 645 "%s: invalid input protocol " 646 "<proto=0x%x>\n", ifp->if_xname, ntohs(protocol)); 647 if_statinc(ifp, if_noproto); 648 goto drop; 649 case PPP_LCP: 650 SPPP_UNLOCK(sp); 651 sppp_cp_input(&lcp, sp, m); 652 m_freem(m); 653 return; 654 case PPP_PAP: 655 SPPP_UNLOCK(sp); 656 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 657 sppp_pap_input(sp, m); 658 } 659 m_freem(m); 660 return; 661 case PPP_CHAP: 662 SPPP_UNLOCK(sp); 663 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 664 sppp_chap_input(sp, m); 665 } 666 m_freem(m); 667 return; 668 #ifdef INET 669 case PPP_IPCP: 670 SPPP_UNLOCK(sp); 671 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 672 sppp_cp_input(&ipcp, sp, m); 673 } 674 m_freem(m); 675 return; 676 case PPP_IP: 677 if (sp->scp[IDX_IPCP].state == STATE_OPENED) { 678 sp->pp_last_activity = time_uptime; 679 pktq = ip_pktq; 680 } 681 break; 682 #endif 683 #ifdef INET6 684 case PPP_IPV6CP: 685 SPPP_UNLOCK(sp); 686 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 687 sppp_cp_input(&ipv6cp, sp, m); 688 } 689 m_freem(m); 690 return; 691 692 case PPP_IPV6: 693 if (sp->scp[IDX_IPV6CP].state == STATE_OPENED) { 694 sp->pp_last_activity = time_uptime; 695 pktq = ip6_pktq; 696 } 697 break; 698 #endif 699 } 700 701 queue_pkt: 702 if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) { 703 goto drop; 704 } 705 706 /* Check queue. */ 707 if (__predict_true(pktq)) { 708 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 709 goto drop; 710 } 711 SPPP_UNLOCK(sp); 712 return; 713 } 714 715 SPPP_UNLOCK(sp); 716 717 IFQ_LOCK(inq); 718 if (IF_QFULL(inq)) { 719 /* Queue overflow. */ 720 IF_DROP(inq); 721 IFQ_UNLOCK(inq); 722 if (debug) 723 log(LOG_DEBUG, "%s: protocol queue overflow\n", 724 ifp->if_xname); 725 726 SPPP_LOCK(sp, RW_READER); 727 goto drop; 728 } 729 IF_ENQUEUE(inq, m); 730 IFQ_UNLOCK(inq); 731 schednetisr(isr); 732 } 733 734 /* 735 * Enqueue transmit packet. 736 */ 737 static int 738 sppp_output(struct ifnet *ifp, struct mbuf *m, 739 const struct sockaddr *dst, const struct rtentry *rt) 740 { 741 struct sppp *sp = (struct sppp *) ifp; 742 struct ppp_header *h = NULL; 743 #ifndef SPPPSUBR_MPSAFE 744 struct ifqueue *ifq = NULL; /* XXX */ 745 #endif 746 int s, error = 0; 747 uint16_t protocol; 748 size_t pktlen; 749 750 s = splnet(); 751 SPPP_LOCK(sp, RW_READER); 752 753 sp->pp_last_activity = time_uptime; 754 755 if ((ifp->if_flags & IFF_UP) == 0 || 756 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 757 SPPP_UNLOCK(sp); 758 splx(s); 759 760 m_freem(m); 761 762 return (ENETDOWN); 763 } 764 765 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 766 /* 767 * Interface is not yet running, but auto-dial. Need 768 * to start LCP for it. 769 */ 770 ifp->if_flags |= IFF_RUNNING; 771 772 SPPP_UNLOCK(sp); 773 splx(s); 774 775 SPPP_LOCK(sp, RW_WRITER); 776 lcp.Open(sp); 777 SPPP_UNLOCK(sp); 778 779 s = splnet(); 780 SPPP_LOCK(sp, RW_READER); 781 } 782 783 /* 784 * If the queueing discipline needs packet classification, 785 * do it before prepending link headers. 786 */ 787 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family); 788 789 #ifdef INET 790 if (dst->sa_family == AF_INET) { 791 struct ip *ip = NULL; 792 #ifndef SPPPSUBR_MPSAFE 793 struct tcphdr *th = NULL; 794 #endif 795 796 if (m->m_len >= sizeof(struct ip)) { 797 ip = mtod(m, struct ip *); 798 #ifndef SPPPSUBR_MPSAFE 799 if (ip->ip_p == IPPROTO_TCP && 800 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 801 sizeof(struct tcphdr)) { 802 th = (struct tcphdr *) 803 ((char *)ip + (ip->ip_hl << 2)); 804 } 805 #endif 806 } else 807 ip = NULL; 808 809 /* 810 * When using dynamic local IP address assignment by using 811 * 0.0.0.0 as a local address, the first TCP session will 812 * not connect because the local TCP checksum is computed 813 * using 0.0.0.0 which will later become our real IP address 814 * so the TCP checksum computed at the remote end will 815 * become invalid. So we 816 * - don't let packets with src ip addr 0 thru 817 * - we flag TCP packets with src ip 0 as an error 818 */ 819 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 820 uint8_t proto = ip->ip_p; 821 822 SPPP_UNLOCK(sp); 823 splx(s); 824 825 m_freem(m); 826 if (proto == IPPROTO_TCP) 827 return (EADDRNOTAVAIL); 828 else 829 return (0); 830 } 831 832 #ifndef SPPPSUBR_MPSAFE 833 /* 834 * Put low delay, telnet, rlogin and ftp control packets 835 * in front of the queue. 836 */ 837 if (!IF_QFULL(&sp->pp_fastq) && 838 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 839 (th && (INTERACTIVE(ntohs(th->th_sport)) || 840 INTERACTIVE(ntohs(th->th_dport)))))) 841 ifq = &sp->pp_fastq; 842 #endif /* !SPPPSUBR_MPSAFE */ 843 } 844 #endif 845 846 #ifdef INET6 847 if (dst->sa_family == AF_INET6) { 848 /* XXX do something tricky here? */ 849 } 850 #endif 851 852 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 853 /* 854 * Prepend general data packet PPP header. For now, IP only. 855 */ 856 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 857 if (! m) { 858 if (ifp->if_flags & IFF_DEBUG) 859 log(LOG_DEBUG, "%s: no memory for transmit header\n", 860 ifp->if_xname); 861 if_statinc(ifp, if_oerrors); 862 SPPP_UNLOCK(sp); 863 splx(s); 864 return (ENOBUFS); 865 } 866 /* 867 * May want to check size of packet 868 * (albeit due to the implementation it's always enough) 869 */ 870 h = mtod(m, struct ppp_header *); 871 if (sp->pp_flags & PP_CISCO) { 872 h->address = CISCO_UNICAST; /* unicast address */ 873 h->control = 0; 874 } else { 875 h->address = PPP_ALLSTATIONS; /* broadcast address */ 876 h->control = PPP_UI; /* Unnumbered Info */ 877 } 878 } 879 880 switch (dst->sa_family) { 881 #ifdef INET 882 case AF_INET: /* Internet Protocol */ 883 if (sp->pp_flags & PP_CISCO) 884 protocol = htons(ETHERTYPE_IP); 885 else { 886 /* 887 * Don't choke with an ENETDOWN early. It's 888 * possible that we just started dialing out, 889 * so don't drop the packet immediately. If 890 * we notice that we run out of buffer space 891 * below, we will however remember that we are 892 * not ready to carry IP packets, and return 893 * ENETDOWN, as opposed to ENOBUFS. 894 */ 895 protocol = htons(PPP_IP); 896 if (sp->scp[IDX_IPCP].state != STATE_OPENED) 897 error = ENETDOWN; 898 } 899 break; 900 #endif 901 #ifdef INET6 902 case AF_INET6: /* Internet Protocol version 6 */ 903 if (sp->pp_flags & PP_CISCO) 904 protocol = htons(ETHERTYPE_IPV6); 905 else { 906 /* 907 * Don't choke with an ENETDOWN early. It's 908 * possible that we just started dialing out, 909 * so don't drop the packet immediately. If 910 * we notice that we run out of buffer space 911 * below, we will however remember that we are 912 * not ready to carry IP packets, and return 913 * ENETDOWN, as opposed to ENOBUFS. 914 */ 915 protocol = htons(PPP_IPV6); 916 if (sp->scp[IDX_IPV6CP].state != STATE_OPENED) 917 error = ENETDOWN; 918 } 919 break; 920 #endif 921 default: 922 m_freem(m); 923 if_statinc(ifp, if_oerrors); 924 SPPP_UNLOCK(sp); 925 splx(s); 926 return (EAFNOSUPPORT); 927 } 928 929 if (sp->pp_flags & PP_NOFRAMING) { 930 M_PREPEND(m, 2, M_DONTWAIT); 931 if (m == NULL) { 932 if (ifp->if_flags & IFF_DEBUG) 933 log(LOG_DEBUG, "%s: no memory for transmit header\n", 934 ifp->if_xname); 935 if_statinc(ifp, if_oerrors); 936 SPPP_UNLOCK(sp); 937 splx(s); 938 return (ENOBUFS); 939 } 940 *mtod(m, uint16_t *) = protocol; 941 } else { 942 h->protocol = protocol; 943 } 944 945 pktlen = m->m_pkthdr.len; 946 #ifdef SPPPSUBR_MPSAFE 947 SPPP_UNLOCK(sp); 948 error = if_transmit_lock(ifp, m); 949 SPPP_LOCK(sp, RW_READER); 950 if (error == 0) 951 if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes); 952 #else /* !SPPPSUBR_MPSAFE */ 953 error = ifq_enqueue2(ifp, ifq, m); 954 955 if (error == 0) { 956 /* 957 * Count output packets and bytes. 958 * The packet length includes header + additional hardware 959 * framing according to RFC 1333. 960 */ 961 if (!(ifp->if_flags & IFF_OACTIVE)) { 962 SPPP_UNLOCK(sp); 963 if_start_lock(ifp); 964 SPPP_LOCK(sp, RW_READER); 965 } 966 if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes); 967 } 968 #endif /* !SPPPSUBR_MPSAFE */ 969 SPPP_UNLOCK(sp); 970 splx(s); 971 return error; 972 } 973 974 void 975 sppp_attach(struct ifnet *ifp) 976 { 977 struct sppp *sp = (struct sppp *) ifp; 978 979 /* Initialize keepalive handler. */ 980 if (! spppq) { 981 callout_init(&keepalive_ch, CALLOUT_MPSAFE); 982 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 983 } 984 985 if (! spppq_lock) 986 spppq_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_SOFTNET); 987 988 /* Insert new entry into the keepalive list. */ 989 sp->pp_next = spppq; 990 spppq = sp; 991 992 sp->pp_if.if_type = IFT_PPP; 993 sp->pp_if.if_output = sppp_output; 994 sp->pp_fastq.ifq_maxlen = 32; 995 sp->pp_cpq.ifq_maxlen = 20; 996 sp->pp_loopcnt = 0; 997 sp->pp_alivecnt = 0; 998 sp->pp_last_activity = 0; 999 sp->pp_last_receive = 0; 1000 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 1001 sp->pp_max_noreceive = DEFAULT_NORECV_TIME; 1002 sp->pp_idle_timeout = 0; 1003 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 1004 sp->pp_phase = SPPP_PHASE_DEAD; 1005 sp->pp_up = sppp_notify_up; 1006 sp->pp_down = sppp_notify_down; 1007 memset(sp->scp, 0, sizeof(sp->scp)); 1008 rw_init(&sp->pp_lock); 1009 1010 if_alloc_sadl(ifp); 1011 1012 /* Lets not beat about the bush, we know we're down. */ 1013 ifp->if_link_state = LINK_STATE_DOWN; 1014 1015 memset(&sp->myauth, 0, sizeof sp->myauth); 1016 memset(&sp->hisauth, 0, sizeof sp->hisauth); 1017 SPPP_LOCK(sp, RW_WRITER); 1018 sppp_lcp_init(sp); 1019 sppp_ipcp_init(sp); 1020 sppp_ipv6cp_init(sp); 1021 sppp_pap_init(sp); 1022 sppp_chap_init(sp); 1023 SPPP_UNLOCK(sp); 1024 } 1025 1026 void 1027 sppp_detach(struct ifnet *ifp) 1028 { 1029 struct sppp **q, *p, *sp = (struct sppp *) ifp; 1030 1031 /* Remove the entry from the keepalive list. */ 1032 SPPPQ_LOCK(); 1033 for (q = &spppq; (p = *q); q = &p->pp_next) 1034 if (p == sp) { 1035 *q = p->pp_next; 1036 break; 1037 } 1038 SPPPQ_UNLOCK(); 1039 1040 if (! spppq) { 1041 /* Stop keepalive handler. */ 1042 callout_stop(&keepalive_ch); 1043 mutex_obj_free(spppq_lock); 1044 spppq_lock = NULL; 1045 } 1046 1047 SPPP_LOCK(sp, RW_WRITER); 1048 1049 /* to avoid workqueue enqueued */ 1050 atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1); 1051 workqueue_wait(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk); 1052 workqueue_destroy(sp->ipcp.update_addrs_wq); 1053 pcq_destroy(sp->ipcp.update_addrs_q); 1054 1055 callout_stop(&sp->scp[IDX_LCP].ch); 1056 callout_stop(&sp->scp[IDX_IPCP].ch); 1057 callout_stop(&sp->scp[IDX_PAP].ch); 1058 callout_stop(&sp->scp[IDX_CHAP].ch); 1059 #ifdef INET6 1060 callout_stop(&sp->scp[IDX_IPV6CP].ch); 1061 #endif 1062 callout_stop(&sp->pap_my_to_ch); 1063 1064 /* free authentication info */ 1065 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 1066 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 1067 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 1068 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 1069 SPPP_UNLOCK(sp); 1070 rw_destroy(&sp->pp_lock); 1071 } 1072 1073 /* 1074 * Flush the interface output queue. 1075 */ 1076 void 1077 sppp_flush(struct ifnet *ifp) 1078 { 1079 struct sppp *sp = (struct sppp *) ifp; 1080 1081 SPPP_LOCK(sp, RW_WRITER); 1082 IFQ_PURGE(&sp->pp_if.if_snd); 1083 IF_PURGE(&sp->pp_fastq); 1084 IF_PURGE(&sp->pp_cpq); 1085 SPPP_UNLOCK(sp); 1086 } 1087 1088 /* 1089 * Check if the output queue is empty. 1090 */ 1091 int 1092 sppp_isempty(struct ifnet *ifp) 1093 { 1094 struct sppp *sp = (struct sppp *) ifp; 1095 int empty, s; 1096 1097 s = splnet(); 1098 SPPP_LOCK(sp, RW_READER); 1099 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 1100 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 1101 SPPP_UNLOCK(sp); 1102 splx(s); 1103 return (empty); 1104 } 1105 1106 /* 1107 * Get next packet to send. 1108 */ 1109 struct mbuf * 1110 sppp_dequeue(struct ifnet *ifp) 1111 { 1112 struct sppp *sp = (struct sppp *) ifp; 1113 struct mbuf *m; 1114 int s; 1115 1116 s = splnet(); 1117 SPPP_LOCK(sp, RW_WRITER); 1118 /* 1119 * Process only the control protocol queue until we have at 1120 * least one NCP open. 1121 * 1122 * Do always serve all three queues in Cisco mode. 1123 */ 1124 IF_DEQUEUE(&sp->pp_cpq, m); 1125 if (m == NULL && 1126 (sppp_ncp_check(sp) || (sp->pp_flags & PP_CISCO) != 0)) { 1127 IF_DEQUEUE(&sp->pp_fastq, m); 1128 if (m == NULL) 1129 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 1130 } 1131 SPPP_UNLOCK(sp); 1132 splx(s); 1133 return m; 1134 } 1135 1136 /* 1137 * Process an ioctl request. Called on low priority level. 1138 */ 1139 int 1140 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1141 { 1142 struct lwp *l = curlwp; /* XXX */ 1143 struct ifreq *ifr = (struct ifreq *) data; 1144 struct ifaddr *ifa = (struct ifaddr *) data; 1145 struct sppp *sp = (struct sppp *) ifp; 1146 int s, error=0, going_up, going_down; 1147 u_short newmode; 1148 1149 s = splnet(); 1150 switch (cmd) { 1151 case SIOCINITIFADDR: 1152 ifa->ifa_rtrequest = p2p_rtrequest; 1153 break; 1154 1155 case SIOCSIFFLAGS: 1156 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1157 break; 1158 1159 SPPP_LOCK(sp, RW_WRITER); 1160 going_up = ifp->if_flags & IFF_UP && 1161 (ifp->if_flags & IFF_RUNNING) == 0; 1162 going_down = (ifp->if_flags & IFF_UP) == 0 && 1163 ifp->if_flags & IFF_RUNNING; 1164 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1165 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1166 /* sanity */ 1167 newmode = IFF_PASSIVE; 1168 ifp->if_flags &= ~IFF_AUTO; 1169 } 1170 1171 if (going_up || going_down) { 1172 lcp.Close(sp); 1173 } 1174 if (going_up && newmode == 0) { 1175 /* neither auto-dial nor passive */ 1176 ifp->if_flags |= IFF_RUNNING; 1177 if (!(sp->pp_flags & PP_CISCO)) 1178 lcp.Open(sp); 1179 } else if (going_down) { 1180 SPPP_UNLOCK(sp); 1181 sppp_flush(ifp); 1182 SPPP_LOCK(sp, RW_WRITER); 1183 1184 ifp->if_flags &= ~IFF_RUNNING; 1185 } 1186 SPPP_UNLOCK(sp); 1187 break; 1188 1189 case SIOCSIFMTU: 1190 if (ifr->ifr_mtu < PPP_MINMRU || 1191 ifr->ifr_mtu > sp->lcp.their_mru) { 1192 error = EINVAL; 1193 break; 1194 } 1195 /*FALLTHROUGH*/ 1196 case SIOCGIFMTU: 1197 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1198 error = 0; 1199 break; 1200 case SIOCADDMULTI: 1201 case SIOCDELMULTI: 1202 break; 1203 1204 case SPPPSETAUTHCFG: 1205 case SPPPSETLCPCFG: 1206 case SPPPSETIDLETO: 1207 case SPPPSETAUTHFAILURE: 1208 case SPPPSETDNSOPTS: 1209 case SPPPSETKEEPALIVE: 1210 #if defined(COMPAT_50) || defined(MODULAR) 1211 case __SPPPSETIDLETO50: 1212 case __SPPPSETKEEPALIVE50: 1213 #endif /* COMPAT_50 || MODULAR */ 1214 error = kauth_authorize_network(l->l_cred, 1215 KAUTH_NETWORK_INTERFACE, 1216 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1217 NULL); 1218 if (error) 1219 break; 1220 error = sppp_params(sp, cmd, data); 1221 break; 1222 1223 case SPPPGETAUTHCFG: 1224 case SPPPGETLCPCFG: 1225 case SPPPGETAUTHFAILURES: 1226 error = kauth_authorize_network(l->l_cred, 1227 KAUTH_NETWORK_INTERFACE, 1228 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1229 NULL); 1230 if (error) 1231 break; 1232 error = sppp_params(sp, cmd, data); 1233 break; 1234 1235 case SPPPGETSTATUS: 1236 case SPPPGETSTATUSNCP: 1237 case SPPPGETIDLETO: 1238 case SPPPGETDNSOPTS: 1239 case SPPPGETDNSADDRS: 1240 case SPPPGETKEEPALIVE: 1241 #if defined(COMPAT_50) || defined(MODULAR) 1242 case __SPPPGETIDLETO50: 1243 case __SPPPGETKEEPALIVE50: 1244 #endif /* COMPAT_50 || MODULAR */ 1245 error = sppp_params(sp, cmd, data); 1246 break; 1247 1248 default: 1249 error = ifioctl_common(ifp, cmd, data); 1250 break; 1251 } 1252 splx(s); 1253 return (error); 1254 } 1255 1256 1257 /* 1258 * Cisco framing implementation. 1259 */ 1260 1261 /* 1262 * Handle incoming Cisco keepalive protocol packets. 1263 */ 1264 static void 1265 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1266 { 1267 STDDCL; 1268 struct cisco_packet *h; 1269 #ifdef INET 1270 uint32_t me, mymask = 0; /* XXX: GCC */ 1271 #endif 1272 1273 SPPP_LOCK(sp, RW_WRITER); 1274 1275 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1276 if (debug) 1277 log(LOG_DEBUG, 1278 "%s: cisco invalid packet length: %d bytes\n", 1279 ifp->if_xname, m->m_pkthdr.len); 1280 SPPP_UNLOCK(sp); 1281 return; 1282 } 1283 h = mtod(m, struct cisco_packet *); 1284 if (debug) 1285 log(LOG_DEBUG, 1286 "%s: cisco input: %d bytes " 1287 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1288 ifp->if_xname, m->m_pkthdr.len, 1289 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1290 (u_int)h->time0, (u_int)h->time1); 1291 switch (ntohl(h->type)) { 1292 default: 1293 if (debug) 1294 addlog("%s: cisco unknown packet type: 0x%x\n", 1295 ifp->if_xname, ntohl(h->type)); 1296 break; 1297 case CISCO_ADDR_REPLY: 1298 /* Reply on address request, ignore */ 1299 break; 1300 case CISCO_KEEPALIVE_REQ: 1301 sp->pp_alivecnt = 0; 1302 sp->scp[IDX_LCP].rseq = ntohl(h->par1); 1303 if (sp->scp[IDX_LCP].seq == sp->scp[IDX_LCP].rseq) { 1304 /* Local and remote sequence numbers are equal. 1305 * Probably, the line is in loopback mode. */ 1306 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1307 printf ("%s: loopback\n", 1308 ifp->if_xname); 1309 sp->pp_loopcnt = 0; 1310 if (ifp->if_flags & IFF_UP) { 1311 SPPP_UNLOCK(sp); 1312 if_down(ifp); 1313 SPPP_LOCK(sp, RW_WRITER); 1314 1315 IF_PURGE(&sp->pp_cpq); 1316 } 1317 } 1318 ++sp->pp_loopcnt; 1319 1320 /* Generate new local sequence number */ 1321 sp->scp[IDX_LCP].seq = cprng_fast32(); 1322 break; 1323 } 1324 sp->pp_loopcnt = 0; 1325 if (! (ifp->if_flags & IFF_UP) && 1326 (ifp->if_flags & IFF_RUNNING)) { 1327 SPPP_UNLOCK(sp); 1328 if_up(ifp); 1329 SPPP_LOCK(sp, RW_WRITER); 1330 } 1331 break; 1332 case CISCO_ADDR_REQ: 1333 #ifdef INET 1334 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1335 if (me != 0L) 1336 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1337 #endif 1338 break; 1339 } 1340 SPPP_UNLOCK(sp); 1341 } 1342 1343 /* 1344 * Send Cisco keepalive packet. 1345 */ 1346 static void 1347 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1348 { 1349 STDDCL; 1350 struct ppp_header *h; 1351 struct cisco_packet *ch; 1352 struct mbuf *m; 1353 uint32_t t; 1354 1355 KASSERT(SPPP_WLOCKED(sp)); 1356 1357 t = time_uptime * 1000; 1358 MGETHDR(m, M_DONTWAIT, MT_DATA); 1359 if (! m) 1360 return; 1361 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1362 m_reset_rcvif(m); 1363 1364 h = mtod(m, struct ppp_header *); 1365 h->address = CISCO_MULTICAST; 1366 h->control = 0; 1367 h->protocol = htons(CISCO_KEEPALIVE); 1368 1369 ch = (struct cisco_packet *)(h + 1); 1370 ch->type = htonl(type); 1371 ch->par1 = htonl(par1); 1372 ch->par2 = htonl(par2); 1373 ch->rel = -1; 1374 1375 ch->time0 = htons((u_short)(t >> 16)); 1376 ch->time1 = htons((u_short) t); 1377 1378 if (debug) 1379 log(LOG_DEBUG, 1380 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1381 ifp->if_xname, ntohl(ch->type), ch->par1, 1382 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1383 (u_int)ch->time1); 1384 1385 if (IF_QFULL(&sp->pp_cpq)) { 1386 IF_DROP(&sp->pp_fastq); 1387 IF_DROP(&ifp->if_snd); 1388 m_freem(m); 1389 if_statinc(ifp, if_oerrors); 1390 return; 1391 } 1392 1393 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 1394 IF_ENQUEUE(&sp->pp_cpq, m); 1395 1396 if (! (ifp->if_flags & IFF_OACTIVE)) { 1397 SPPP_UNLOCK(sp); 1398 if_start_lock(ifp); 1399 SPPP_LOCK(sp, RW_WRITER); 1400 } 1401 } 1402 1403 /* 1404 * PPP protocol implementation. 1405 */ 1406 1407 /* 1408 * Send PPP control protocol packet. 1409 */ 1410 static void 1411 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1412 u_char ident, u_short len, void *data) 1413 { 1414 STDDCL; 1415 struct lcp_header *lh; 1416 struct mbuf *m; 1417 size_t pkthdrlen; 1418 1419 KASSERT(SPPP_WLOCKED(sp)); 1420 1421 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1422 1423 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1424 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1425 MGETHDR(m, M_DONTWAIT, MT_DATA); 1426 if (! m) { 1427 return; 1428 } 1429 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1430 m_reset_rcvif(m); 1431 1432 if (sp->pp_flags & PP_NOFRAMING) { 1433 *mtod(m, uint16_t *) = htons(proto); 1434 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1435 } else { 1436 struct ppp_header *h; 1437 h = mtod(m, struct ppp_header *); 1438 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1439 h->control = PPP_UI; /* Unnumbered Info */ 1440 h->protocol = htons(proto); /* Link Control Protocol */ 1441 lh = (struct lcp_header *)(h + 1); 1442 } 1443 lh->type = type; 1444 lh->ident = ident; 1445 lh->len = htons(LCP_HEADER_LEN + len); 1446 if (len) 1447 memcpy(lh + 1, data, len); 1448 1449 if (debug) { 1450 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1451 ifp->if_xname, 1452 sppp_proto_name(proto), 1453 sppp_cp_type_name(lh->type), lh->ident, ntohs(lh->len)); 1454 if (len) 1455 sppp_print_bytes((u_char *)(lh + 1), len); 1456 addlog(">\n"); 1457 } 1458 if (IF_QFULL(&sp->pp_cpq)) { 1459 IF_DROP(&sp->pp_fastq); 1460 IF_DROP(&ifp->if_snd); 1461 m_freem(m); 1462 if_statinc(ifp, if_oerrors); 1463 return; 1464 } 1465 1466 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 1467 IF_ENQUEUE(&sp->pp_cpq, m); 1468 1469 1470 if (! (ifp->if_flags & IFF_OACTIVE)) { 1471 SPPP_UNLOCK(sp); 1472 if_start_lock(ifp); 1473 SPPP_LOCK(sp, RW_WRITER); 1474 } 1475 } 1476 1477 /* 1478 * Handle incoming PPP control protocol packets. 1479 */ 1480 static void 1481 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1482 { 1483 STDDCL; 1484 struct lcp_header *h; 1485 int printlen, len = m->m_pkthdr.len; 1486 int rv; 1487 u_char *p; 1488 uint32_t u32; 1489 1490 SPPP_LOCK(sp, RW_WRITER); 1491 1492 if (len < 4) { 1493 if (debug) 1494 log(LOG_DEBUG, 1495 "%s: %s invalid packet length: %d bytes\n", 1496 ifp->if_xname, cp->name, len); 1497 SPPP_UNLOCK(sp); 1498 return; 1499 } 1500 h = mtod(m, struct lcp_header *); 1501 if (debug) { 1502 printlen = ntohs(h->len); 1503 log(LOG_DEBUG, 1504 "%s: %s input(%s): <%s id=0x%x len=%d", 1505 ifp->if_xname, cp->name, 1506 sppp_state_name(sp->scp[cp->protoidx].state), 1507 sppp_cp_type_name(h->type), h->ident, printlen); 1508 if (len < printlen) 1509 printlen = len; 1510 if (printlen > 4) 1511 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1512 addlog(">\n"); 1513 } 1514 if (len > ntohs(h->len)) 1515 len = ntohs(h->len); 1516 p = (u_char *)(h + 1); 1517 switch (h->type) { 1518 case CONF_REQ: 1519 if (len < 4) { 1520 if (debug) 1521 addlog("%s: %s invalid conf-req length %d\n", 1522 ifp->if_xname, cp->name, 1523 len); 1524 if_statinc(ifp, if_ierrors); 1525 break; 1526 } 1527 rv = (cp->RCR)(sp, h, len); 1528 if (rv < 0) { 1529 /* fatal error, shut down */ 1530 (cp->tld)(sp); 1531 sppp_lcp_tlf(sp); 1532 SPPP_UNLOCK(sp); 1533 return; 1534 } 1535 sp->scp[cp->protoidx].rconfid = h->ident; 1536 sppp_rcr_event(cp, sp); 1537 break; 1538 case CONF_ACK: 1539 if (h->ident != sp->scp[cp->protoidx].confid) { 1540 if (debug) 1541 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1542 ifp->if_xname, cp->name, 1543 h->ident, sp->scp[cp->protoidx].confid); 1544 if_statinc(ifp, if_ierrors); 1545 break; 1546 } 1547 sppp_rca_event(cp, sp); 1548 break; 1549 case CONF_NAK: 1550 case CONF_REJ: 1551 if (h->ident != sp->scp[cp->protoidx].confid) { 1552 if (debug) 1553 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1554 ifp->if_xname, cp->name, 1555 h->ident, sp->scp[cp->protoidx].confid); 1556 if_statinc(ifp, if_ierrors); 1557 break; 1558 } 1559 if (h->type == CONF_NAK) 1560 (cp->RCN_nak)(sp, h, len); 1561 else /* CONF_REJ */ 1562 (cp->RCN_rej)(sp, h, len); 1563 1564 sppp_rcn_event(cp, sp); 1565 break; 1566 1567 case TERM_REQ: 1568 switch (sp->scp[cp->protoidx].state) { 1569 case STATE_ACK_RCVD: 1570 case STATE_ACK_SENT: 1571 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1572 /* fall through */ 1573 case STATE_CLOSED: 1574 case STATE_STOPPED: 1575 case STATE_CLOSING: 1576 case STATE_STOPPING: 1577 case STATE_REQ_SENT: 1578 sta: 1579 /* Send Terminate-Ack packet. */ 1580 if (debug) 1581 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 1582 ifp->if_xname, cp->name); 1583 sppp_cp_send(sp, cp->proto, TERM_ACK, h->ident, 0, 0); 1584 break; 1585 case STATE_OPENED: 1586 (cp->tld)(sp); 1587 sp->scp[cp->protoidx].rst_counter = 0; 1588 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1589 goto sta; 1590 default: 1591 printf("%s: %s illegal %s in state %s\n", 1592 ifp->if_xname, cp->name, 1593 sppp_cp_type_name(h->type), 1594 sppp_state_name(sp->scp[cp->protoidx].state)); 1595 if_statinc(ifp, if_ierrors); 1596 } 1597 break; 1598 case TERM_ACK: 1599 switch (sp->scp[cp->protoidx].state) { 1600 case STATE_CLOSED: 1601 case STATE_STOPPED: 1602 case STATE_REQ_SENT: 1603 case STATE_ACK_SENT: 1604 break; 1605 case STATE_CLOSING: 1606 (cp->tlf)(sp); 1607 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1608 sppp_lcp_check_and_close(sp); 1609 break; 1610 case STATE_STOPPING: 1611 (cp->tlf)(sp); 1612 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1613 sppp_lcp_check_and_close(sp); 1614 break; 1615 case STATE_ACK_RCVD: 1616 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1617 break; 1618 case STATE_OPENED: 1619 (cp->tld)(sp); 1620 (cp->scr)(sp); 1621 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 1622 break; 1623 default: 1624 printf("%s: %s illegal %s in state %s\n", 1625 ifp->if_xname, cp->name, 1626 sppp_cp_type_name(h->type), 1627 sppp_state_name(sp->scp[cp->protoidx].state)); 1628 if_statinc(ifp, if_ierrors); 1629 } 1630 break; 1631 case CODE_REJ: 1632 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1633 log(LOG_INFO, 1634 "%s: %s: ignoring RXJ (%s) for code ?, " 1635 "danger will robinson\n", 1636 ifp->if_xname, cp->name, 1637 sppp_cp_type_name(h->type)); 1638 switch (sp->scp[cp->protoidx].state) { 1639 case STATE_CLOSED: 1640 case STATE_STOPPED: 1641 case STATE_REQ_SENT: 1642 case STATE_ACK_SENT: 1643 case STATE_CLOSING: 1644 case STATE_STOPPING: 1645 case STATE_OPENED: 1646 break; 1647 case STATE_ACK_RCVD: 1648 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1649 break; 1650 default: 1651 printf("%s: %s illegal %s in state %s\n", 1652 ifp->if_xname, cp->name, 1653 sppp_cp_type_name(h->type), 1654 sppp_state_name(sp->scp[cp->protoidx].state)); 1655 if_statinc(ifp, if_ierrors); 1656 } 1657 break; 1658 case PROTO_REJ: 1659 { 1660 int catastrophic; 1661 const struct cp *upper; 1662 int i; 1663 uint16_t proto; 1664 1665 catastrophic = 0; 1666 upper = NULL; 1667 proto = p[0] << 8 | p[1]; 1668 for (i = 0; i < IDX_COUNT; i++) { 1669 if (cps[i]->proto == proto) { 1670 upper = cps[i]; 1671 break; 1672 } 1673 } 1674 if (upper == NULL) 1675 catastrophic++; 1676 1677 if (debug) 1678 log(LOG_INFO, 1679 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1680 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1681 sppp_cp_type_name(h->type), proto, 1682 upper ? upper->name : "unknown", 1683 upper ? sppp_state_name(sp->scp[upper->protoidx].state) : "?"); 1684 1685 /* 1686 * if we got RXJ+ against conf-req, the peer does not implement 1687 * this particular protocol type. terminate the protocol. 1688 */ 1689 if (upper && !catastrophic) { 1690 if (sp->scp[upper->protoidx].state == STATE_REQ_SENT) { 1691 upper->Close(sp); 1692 break; 1693 } 1694 } 1695 1696 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1697 switch (sp->scp[cp->protoidx].state) { 1698 case STATE_CLOSED: 1699 case STATE_STOPPED: 1700 case STATE_REQ_SENT: 1701 case STATE_ACK_SENT: 1702 case STATE_CLOSING: 1703 case STATE_STOPPING: 1704 case STATE_OPENED: 1705 break; 1706 case STATE_ACK_RCVD: 1707 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1708 break; 1709 default: 1710 printf("%s: %s illegal %s in state %s\n", 1711 ifp->if_xname, cp->name, 1712 sppp_cp_type_name(h->type), 1713 sppp_state_name(sp->scp[cp->protoidx].state)); 1714 if_statinc(ifp, if_ierrors); 1715 } 1716 break; 1717 } 1718 case DISC_REQ: 1719 if (cp->proto != PPP_LCP) 1720 goto illegal; 1721 /* Discard the packet. */ 1722 break; 1723 case ECHO_REQ: 1724 if (cp->proto != PPP_LCP) 1725 goto illegal; 1726 if (sp->scp[cp->protoidx].state != STATE_OPENED) { 1727 if (debug) 1728 addlog("%s: lcp echo req but lcp closed\n", 1729 ifp->if_xname); 1730 if_statinc(ifp, if_ierrors); 1731 break; 1732 } 1733 if (len < 8) { 1734 if (debug) 1735 addlog("%s: invalid lcp echo request " 1736 "packet length: %d bytes\n", 1737 ifp->if_xname, len); 1738 break; 1739 } 1740 memcpy(&u32, h + 1, sizeof u32); 1741 if (ntohl(u32) == sp->lcp.magic) { 1742 /* Line loopback mode detected. */ 1743 printf("%s: loopback\n", ifp->if_xname); 1744 SPPP_UNLOCK(sp); 1745 if_down(ifp); 1746 SPPP_LOCK(sp, RW_WRITER); 1747 1748 IF_PURGE(&sp->pp_cpq); 1749 1750 /* Shut down the PPP link. */ 1751 /* XXX */ 1752 lcp.Down(sp); 1753 lcp.Up(sp); 1754 break; 1755 } 1756 u32 = htonl(sp->lcp.magic); 1757 memcpy(h + 1, &u32, sizeof u32); 1758 if (debug) 1759 addlog("%s: got lcp echo req, sending echo rep\n", 1760 ifp->if_xname); 1761 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1762 h + 1); 1763 break; 1764 case ECHO_REPLY: 1765 if (cp->proto != PPP_LCP) 1766 goto illegal; 1767 if (h->ident != sp->lcp.echoid) { 1768 if_statinc(ifp, if_ierrors); 1769 break; 1770 } 1771 if (len < 8) { 1772 if (debug) 1773 addlog("%s: lcp invalid echo reply " 1774 "packet length: %d bytes\n", 1775 ifp->if_xname, len); 1776 break; 1777 } 1778 if (debug) 1779 addlog("%s: lcp got echo rep\n", 1780 ifp->if_xname); 1781 memcpy(&u32, h + 1, sizeof u32); 1782 if (ntohl(u32) != sp->lcp.magic) 1783 sp->pp_alivecnt = 0; 1784 break; 1785 default: 1786 /* Unknown packet type -- send Code-Reject packet. */ 1787 illegal: 1788 if (debug) 1789 addlog("%s: %s send code-rej for 0x%x\n", 1790 ifp->if_xname, cp->name, h->type); 1791 sppp_cp_send(sp, cp->proto, CODE_REJ, 1792 ++sp->scp[cp->protoidx].seq, m->m_pkthdr.len, h); 1793 if_statinc(ifp, if_ierrors); 1794 } 1795 1796 SPPP_UNLOCK(sp); 1797 } 1798 1799 1800 /* 1801 * The generic part of all Up/Down/Open/Close/TO event handlers. 1802 * Basically, the state transition handling in the automaton. 1803 */ 1804 static void 1805 sppp_up_event(const struct cp *cp, struct sppp *sp) 1806 { 1807 STDDCL; 1808 1809 KASSERT(SPPP_WLOCKED(sp)); 1810 1811 if (debug) 1812 log(LOG_DEBUG, "%s: %s up(%s)\n", 1813 ifp->if_xname, cp->name, 1814 sppp_state_name(sp->scp[cp->protoidx].state)); 1815 1816 switch (sp->scp[cp->protoidx].state) { 1817 case STATE_INITIAL: 1818 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1819 break; 1820 case STATE_STARTING: 1821 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure; 1822 (cp->scr)(sp); 1823 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1824 break; 1825 default: 1826 printf("%s: %s illegal up in state %s\n", 1827 ifp->if_xname, cp->name, 1828 sppp_state_name(sp->scp[cp->protoidx].state)); 1829 } 1830 } 1831 1832 static void 1833 sppp_down_event(const struct cp *cp, struct sppp *sp) 1834 { 1835 STDDCL; 1836 1837 KASSERT(SPPP_WLOCKED(sp)); 1838 1839 if (debug) 1840 log(LOG_DEBUG, "%s: %s down(%s)\n", 1841 ifp->if_xname, cp->name, 1842 sppp_state_name(sp->scp[cp->protoidx].state)); 1843 1844 switch (sp->scp[cp->protoidx].state) { 1845 case STATE_CLOSED: 1846 case STATE_CLOSING: 1847 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1848 break; 1849 case STATE_STOPPED: 1850 (cp->tls)(sp); 1851 /* fall through */ 1852 case STATE_STOPPING: 1853 case STATE_REQ_SENT: 1854 case STATE_ACK_RCVD: 1855 case STATE_ACK_SENT: 1856 sppp_cp_change_state(cp, sp, STATE_STARTING); 1857 break; 1858 case STATE_OPENED: 1859 (cp->tld)(sp); 1860 sppp_cp_change_state(cp, sp, STATE_STARTING); 1861 break; 1862 default: 1863 printf("%s: %s illegal down in state %s\n", 1864 ifp->if_xname, cp->name, 1865 sppp_state_name(sp->scp[cp->protoidx].state)); 1866 } 1867 } 1868 1869 1870 static void 1871 sppp_open_event(const struct cp *cp, struct sppp *sp) 1872 { 1873 STDDCL; 1874 1875 KASSERT(SPPP_WLOCKED(sp)); 1876 1877 if (debug) 1878 log(LOG_DEBUG, "%s: %s open(%s)\n", 1879 ifp->if_xname, cp->name, 1880 sppp_state_name(sp->scp[cp->protoidx].state)); 1881 1882 switch (sp->scp[cp->protoidx].state) { 1883 case STATE_INITIAL: 1884 sppp_cp_change_state(cp, sp, STATE_STARTING); 1885 (cp->tls)(sp); 1886 break; 1887 case STATE_STARTING: 1888 break; 1889 case STATE_CLOSED: 1890 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure; 1891 (cp->scr)(sp); 1892 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 1893 break; 1894 case STATE_STOPPED: 1895 case STATE_STOPPING: 1896 case STATE_REQ_SENT: 1897 case STATE_ACK_RCVD: 1898 case STATE_ACK_SENT: 1899 case STATE_OPENED: 1900 break; 1901 case STATE_CLOSING: 1902 sppp_cp_change_state(cp, sp, STATE_STOPPING); 1903 break; 1904 } 1905 } 1906 1907 1908 static void 1909 sppp_close_event(const struct cp *cp, struct sppp *sp) 1910 { 1911 STDDCL; 1912 1913 KASSERT(SPPP_WLOCKED(sp)); 1914 1915 if (debug) 1916 log(LOG_DEBUG, "%s: %s close(%s)\n", 1917 ifp->if_xname, cp->name, 1918 sppp_state_name(sp->scp[cp->protoidx].state)); 1919 1920 switch (sp->scp[cp->protoidx].state) { 1921 case STATE_INITIAL: 1922 case STATE_CLOSED: 1923 case STATE_CLOSING: 1924 break; 1925 case STATE_STARTING: 1926 sppp_cp_change_state(cp, sp, STATE_INITIAL); 1927 (cp->tlf)(sp); 1928 break; 1929 case STATE_STOPPED: 1930 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1931 break; 1932 case STATE_STOPPING: 1933 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1934 break; 1935 case STATE_OPENED: 1936 (cp->tld)(sp); 1937 /* fall through */ 1938 case STATE_REQ_SENT: 1939 case STATE_ACK_RCVD: 1940 case STATE_ACK_SENT: 1941 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_terminate; 1942 sppp_cp_send(sp, cp->proto, TERM_REQ, 1943 ++sp->scp[cp->protoidx].seq, 0, 0); 1944 sppp_cp_change_state(cp, sp, STATE_CLOSING); 1945 break; 1946 } 1947 } 1948 1949 static void 1950 sppp_to_event(const struct cp *cp, struct sppp *sp) 1951 { 1952 STDDCL; 1953 int s; 1954 1955 KASSERT(SPPP_WLOCKED(sp)); 1956 1957 s = splnet(); 1958 1959 if (debug) 1960 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 1961 ifp->if_xname, cp->name, 1962 sppp_state_name(sp->scp[cp->protoidx].state), 1963 sp->scp[cp->protoidx].rst_counter); 1964 1965 if (--sp->scp[cp->protoidx].rst_counter < 0) 1966 /* TO- event */ 1967 switch (sp->scp[cp->protoidx].state) { 1968 case STATE_CLOSING: 1969 (cp->tlf)(sp); 1970 sppp_cp_change_state(cp, sp, STATE_CLOSED); 1971 sppp_lcp_check_and_close(sp); 1972 break; 1973 case STATE_STOPPING: 1974 (cp->tlf)(sp); 1975 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1976 sppp_lcp_check_and_close(sp); 1977 break; 1978 case STATE_REQ_SENT: 1979 case STATE_ACK_RCVD: 1980 case STATE_ACK_SENT: 1981 (cp->tlf)(sp); 1982 sppp_cp_change_state(cp, sp, STATE_STOPPED); 1983 sppp_lcp_check_and_close(sp); 1984 break; 1985 } 1986 else 1987 /* TO+ event */ 1988 switch (sp->scp[cp->protoidx].state) { 1989 case STATE_CLOSING: 1990 case STATE_STOPPING: 1991 sppp_cp_send(sp, cp->proto, TERM_REQ, 1992 ++sp->scp[cp->protoidx].seq, 0, 0); 1993 callout_reset(&sp->scp[cp->protoidx].ch, sp->lcp.timeout, 1994 cp->TO, sp); 1995 break; 1996 case STATE_REQ_SENT: 1997 case STATE_ACK_RCVD: 1998 (cp->scr)(sp); 1999 /* sppp_cp_change_state() will restart the timer */ 2000 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2001 break; 2002 case STATE_ACK_SENT: 2003 (cp->scr)(sp); 2004 callout_reset(&sp->scp[cp->protoidx].ch, sp->lcp.timeout, 2005 cp->TO, sp); 2006 break; 2007 } 2008 2009 splx(s); 2010 } 2011 2012 static void 2013 sppp_rcr_event(const struct cp *cp, struct sppp *sp) 2014 { 2015 STDDCL; 2016 u_char type; 2017 void *buf; 2018 size_t blen; 2019 2020 type = sp->scp[cp->protoidx].rcr_type; 2021 buf = sp->scp[cp->protoidx].rcr_buf; 2022 blen = sp->scp[cp->protoidx].rcr_blen; 2023 2024 if (type == CONF_ACK) { 2025 /* RCR+ event */ 2026 switch (sp->scp[cp->protoidx].state) { 2027 case STATE_OPENED: 2028 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 2029 cp->tld(sp); 2030 cp->scr(sp); 2031 cp->scan(cp, sp); 2032 break; 2033 case STATE_ACK_SENT: 2034 case STATE_REQ_SENT: 2035 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 2036 cp->scan(cp, sp); 2037 break; 2038 case STATE_STOPPED: 2039 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 2040 cp->scr(sp); 2041 cp->scan(cp, sp); 2042 break; 2043 case STATE_ACK_RCVD: 2044 sppp_cp_change_state(cp, sp, STATE_OPENED); 2045 if (debug) 2046 log(LOG_DEBUG, "%s: %s tlu\n", 2047 ifp->if_xname, 2048 cp->name); 2049 cp->tlu(sp); 2050 cp->scan(cp, sp); 2051 break; 2052 case STATE_CLOSING: 2053 case STATE_STOPPING: 2054 if (buf != NULL) { 2055 sp->scp[cp->protoidx].rcr_buf = NULL; 2056 sp->scp[cp->protoidx].rcr_blen = 0; 2057 kmem_free(buf, blen); 2058 } 2059 break; 2060 case STATE_CLOSED: 2061 sppp_cp_send(sp, cp->proto, TERM_ACK, 2062 sp->scp[cp->protoidx].rconfid, 0, 0); 2063 break; 2064 default: 2065 printf("%s: %s illegal RCR+ in state %s\n", 2066 ifp->if_xname, cp->name, 2067 sppp_state_name(sp->scp[cp->protoidx].state)); 2068 if_statinc(ifp, if_ierrors); 2069 } 2070 } else { 2071 /* RCR- event */ 2072 switch (sp->scp[cp->protoidx].state) { 2073 case STATE_OPENED: 2074 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2075 cp->tld(sp); 2076 cp->scr(sp); 2077 cp->scan(cp, sp); 2078 break; 2079 case STATE_ACK_SENT: 2080 case STATE_REQ_SENT: 2081 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2082 cp->scan(cp, sp); 2083 break; 2084 case STATE_STOPPED: 2085 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2086 cp->scr(sp); 2087 cp->scan(cp, sp); 2088 break; 2089 case STATE_ACK_RCVD: 2090 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 2091 cp->scan(cp, sp); 2092 break; 2093 case STATE_CLOSING: 2094 case STATE_STOPPING: 2095 if (buf != NULL) { 2096 sp->scp[cp->protoidx].rcr_buf = NULL; 2097 sp->scp[cp->protoidx].rcr_blen = 0; 2098 kmem_free(buf, blen); 2099 } 2100 break; 2101 case STATE_CLOSED: 2102 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2103 sppp_cp_send(sp, cp->proto, TERM_ACK, 2104 sp->scp[cp->protoidx].rconfid, 0, 0); 2105 break; 2106 default: 2107 printf("%s: %s illegal RCR- in state %s\n", 2108 ifp->if_xname, cp->name, 2109 sppp_state_name(sp->scp[cp->protoidx].state)); 2110 if_statinc(ifp, if_ierrors); 2111 } 2112 } 2113 } 2114 2115 static void 2116 sppp_rca_event(const struct cp *cp, struct sppp *sp) 2117 { 2118 STDDCL; 2119 2120 switch (sp->scp[cp->protoidx].state) { 2121 case STATE_CLOSED: 2122 case STATE_STOPPED: 2123 sppp_cp_send(sp, cp->proto, TERM_ACK, 2124 sp->scp[cp->protoidx].rconfid, 0, 0); 2125 break; 2126 case STATE_CLOSING: 2127 case STATE_STOPPING: 2128 break; 2129 case STATE_REQ_SENT: 2130 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure; 2131 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 2132 break; 2133 case STATE_OPENED: 2134 (cp->tld)(sp); 2135 /* fall through */ 2136 case STATE_ACK_RCVD: 2137 (cp->scr)(sp); 2138 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2139 break; 2140 case STATE_ACK_SENT: 2141 sppp_cp_change_state(cp, sp, STATE_OPENED); 2142 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure; 2143 if (debug) 2144 log(LOG_DEBUG, "%s: %s tlu\n", 2145 ifp->if_xname, cp->name); 2146 (cp->tlu)(sp); 2147 break; 2148 default: 2149 printf("%s: %s illegal RCA in state %s\n", 2150 ifp->if_xname, cp->name, 2151 sppp_state_name(sp->scp[cp->protoidx].state)); 2152 if_statinc(ifp, if_ierrors); 2153 } 2154 } 2155 2156 static void 2157 sppp_rcn_event(const struct cp *cp, struct sppp *sp) 2158 { 2159 struct ifnet *ifp = &sp->pp_if; 2160 2161 switch (sp->scp[cp->protoidx].state) { 2162 case STATE_CLOSED: 2163 case STATE_STOPPED: 2164 sppp_cp_send(sp, cp->proto, TERM_ACK, 2165 sp->scp[cp->protoidx].rconfid, 0, 0); 2166 break; 2167 case STATE_REQ_SENT: 2168 case STATE_ACK_SENT: 2169 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure; 2170 (cp->scr)(sp); 2171 break; 2172 case STATE_OPENED: 2173 (cp->tld)(sp); 2174 /* fall through */ 2175 case STATE_ACK_RCVD: 2176 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 2177 (cp->scr)(sp); 2178 break; 2179 case STATE_CLOSING: 2180 case STATE_STOPPING: 2181 break; 2182 default: 2183 printf("%s: %s illegal RCN in state %s\n", 2184 ifp->if_xname, cp->name, 2185 sppp_state_name(sp->scp[cp->protoidx].state)); 2186 if_statinc(ifp, if_ierrors); 2187 } 2188 } 2189 2190 /* 2191 * Change the state of a control protocol in the state automaton. 2192 * Takes care of starting/stopping the restart timer. 2193 */ 2194 void 2195 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2196 { 2197 2198 KASSERT(SPPP_WLOCKED(sp)); 2199 2200 sp->scp[cp->protoidx].state = newstate; 2201 callout_stop(&sp->scp[cp->protoidx].ch); 2202 switch (newstate) { 2203 case STATE_INITIAL: 2204 case STATE_STARTING: 2205 case STATE_CLOSED: 2206 case STATE_STOPPED: 2207 case STATE_OPENED: 2208 break; 2209 case STATE_CLOSING: 2210 case STATE_STOPPING: 2211 case STATE_REQ_SENT: 2212 case STATE_ACK_RCVD: 2213 case STATE_ACK_SENT: 2214 callout_reset(&sp->scp[cp->protoidx].ch, sp->lcp.timeout, 2215 cp->TO, sp); 2216 break; 2217 } 2218 } 2219 2220 /* 2221 *--------------------------------------------------------------------------* 2222 * * 2223 * The LCP implementation. * 2224 * * 2225 *--------------------------------------------------------------------------* 2226 */ 2227 static void 2228 sppp_lcp_init(struct sppp *sp) 2229 { 2230 2231 KASSERT(SPPP_WLOCKED(sp)); 2232 2233 sp->lcp.opts = (1 << LCP_OPT_MAGIC); 2234 sp->lcp.magic = 0; 2235 sp->scp[IDX_LCP].state = STATE_INITIAL; 2236 sp->scp[IDX_LCP].fail_counter = 0; 2237 sp->scp[IDX_LCP].seq = 0; 2238 sp->scp[IDX_LCP].rseq = 0; 2239 sp->lcp.protos = 0; 2240 2241 /* 2242 * Initialize counters and timeout values. Note that we don't 2243 * use the 3 seconds suggested in RFC 1661 since we are likely 2244 * running on a fast link. XXX We should probably implement 2245 * the exponential backoff option. Note that these values are 2246 * relevant for all control protocols, not just LCP only. 2247 */ 2248 sp->lcp.timeout = 1 * hz; 2249 sp->lcp.max_terminate = 2; 2250 sp->lcp.max_configure = 10; 2251 sp->lcp.max_failure = 10; 2252 callout_init(&sp->scp[IDX_LCP].ch, CALLOUT_MPSAFE); 2253 } 2254 2255 static void 2256 sppp_lcp_up(struct sppp *sp) 2257 { 2258 STDDCL; 2259 2260 KASSERT(SPPP_WLOCKED(sp)); 2261 2262 /* Initialize activity timestamp: opening a connection is an activity */ 2263 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 2264 2265 /* 2266 * If this interface is passive or dial-on-demand, and we are 2267 * still in Initial state, it means we've got an incoming 2268 * call. Activate the interface. 2269 */ 2270 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2271 if (debug) 2272 log(LOG_DEBUG, 2273 "%s: Up event", ifp->if_xname); 2274 ifp->if_flags |= IFF_RUNNING; 2275 if (sp->scp[IDX_LCP].state == STATE_INITIAL) { 2276 if (debug) 2277 addlog("(incoming call)\n"); 2278 sp->pp_flags |= PP_CALLIN; 2279 lcp.Open(sp); 2280 } else if (debug) 2281 addlog("\n"); 2282 } else if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0 && 2283 (sp->scp[IDX_LCP].state == STATE_INITIAL)) { 2284 ifp->if_flags |= IFF_RUNNING; 2285 lcp.Open(sp); 2286 } 2287 2288 sppp_up_event(&lcp, sp); 2289 } 2290 2291 static void 2292 sppp_lcp_down(struct sppp *sp) 2293 { 2294 STDDCL; 2295 2296 KASSERT(SPPP_WLOCKED(sp)); 2297 2298 sppp_down_event(&lcp, sp); 2299 2300 /* 2301 * If this is neither a dial-on-demand nor a passive 2302 * interface, simulate an ``ifconfig down'' action, so the 2303 * administrator can force a redial by another ``ifconfig 2304 * up''. XXX For leased line operation, should we immediately 2305 * try to reopen the connection here? 2306 */ 2307 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2308 if (debug) 2309 log(LOG_INFO, 2310 "%s: Down event (carrier loss), taking interface down.\n", 2311 ifp->if_xname); 2312 SPPP_UNLOCK(sp); 2313 if_down(ifp); 2314 SPPP_LOCK(sp, RW_WRITER); 2315 } else { 2316 if (debug) 2317 log(LOG_DEBUG, 2318 "%s: Down event (carrier loss)\n", 2319 ifp->if_xname); 2320 } 2321 sp->scp[IDX_LCP].fail_counter = 0; 2322 sp->pp_flags &= ~PP_CALLIN; 2323 if (sp->scp[IDX_LCP].state != STATE_INITIAL) 2324 lcp.Close(sp); 2325 ifp->if_flags &= ~IFF_RUNNING; 2326 } 2327 2328 static void 2329 sppp_lcp_open(struct sppp *sp) 2330 { 2331 2332 KASSERT(SPPP_WLOCKED(sp)); 2333 2334 if (sp->pp_if.if_mtu < PP_MTU) { 2335 sp->lcp.mru = sp->pp_if.if_mtu; 2336 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2337 } else 2338 sp->lcp.mru = PP_MTU; 2339 sp->lcp.their_mru = PP_MTU; 2340 2341 /* 2342 * If we are authenticator, negotiate LCP_AUTH 2343 */ 2344 if (sp->hisauth.proto != 0) 2345 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 2346 else 2347 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2348 sp->pp_flags &= ~PP_NEEDAUTH; 2349 sppp_open_event(&lcp, sp); 2350 } 2351 2352 static void 2353 sppp_lcp_close(struct sppp *sp) 2354 { 2355 2356 KASSERT(SPPP_WLOCKED(sp)); 2357 sppp_close_event(&lcp, sp); 2358 } 2359 2360 static void 2361 sppp_lcp_TO(void *cookie) 2362 { 2363 struct sppp *sp = (struct sppp*)cookie; 2364 2365 SPPP_LOCK(sp, RW_WRITER); 2366 sppp_to_event(&lcp, sp); 2367 SPPP_UNLOCK(sp); 2368 } 2369 2370 /* 2371 * Analyze a configure request. Return true if it was agreeable, and 2372 * caused action sca, false if it has been rejected or nak'ed, and 2373 * caused action scn. (The return value is used to make the state 2374 * transition decision in the state automaton.) 2375 */ 2376 static int 2377 sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int origlen) 2378 { 2379 STDDCL; 2380 u_char *buf, *r, *p, l, blen, type; 2381 int len, rlen; 2382 uint32_t nmagic; 2383 u_short authproto; 2384 2385 KASSERT(SPPP_WLOCKED(sp)); 2386 2387 if (origlen < sizeof(*h)) 2388 return 0; 2389 2390 origlen -= sizeof(*h); 2391 type = 0; 2392 2393 if (origlen <= 0) 2394 return 0; 2395 else 2396 blen = origlen; 2397 2398 buf = kmem_intr_alloc(blen, KM_NOSLEEP); 2399 if (buf == NULL) 2400 return 0; 2401 2402 if (debug) 2403 log(LOG_DEBUG, "%s: lcp parse opts:", 2404 ifp->if_xname); 2405 2406 /* pass 1: check for things that need to be rejected */ 2407 p = (void *)(h + 1); 2408 r = buf; 2409 rlen = 0; 2410 for (len = origlen; len > 1; len-= l, p += l) { 2411 l = p[1]; 2412 if (l == 0) 2413 break; 2414 2415 /* Sanity check option length */ 2416 if (l > len) { 2417 /* 2418 * Malicious option - drop immediately. 2419 * XXX Maybe we should just RXJ it? 2420 */ 2421 addlog("%s: received malicious LCP option 0x%02x, " 2422 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2423 p[0], l, len); 2424 rlen = -1; 2425 goto end; 2426 } 2427 if (debug) 2428 addlog(" %s", sppp_lcp_opt_name(*p)); 2429 switch (p[0]) { 2430 case LCP_OPT_MAGIC: 2431 /* Magic number. */ 2432 /* fall through, both are same length */ 2433 case LCP_OPT_ASYNC_MAP: 2434 /* Async control character map. */ 2435 if (len >= 6 || l == 6) 2436 continue; 2437 if (debug) 2438 addlog(" [invalid]"); 2439 break; 2440 case LCP_OPT_MP_EID: 2441 if (len >= l && l >= 3) { 2442 switch (p[2]) { 2443 case 0: if (l==3+ 0) continue;break; 2444 case 2: if (l==3+ 4) continue;break; 2445 case 3: if (l==3+ 6) continue;break; 2446 case 6: if (l==3+16) continue;break; 2447 case 1: /* FALLTHROUGH */ 2448 case 4: if (l<=3+20) continue;break; 2449 case 5: if (l<=3+15) continue;break; 2450 /* XXX should it be default: continue;? */ 2451 } 2452 } 2453 if (debug) 2454 addlog(" [invalid class %d len %d]", p[2], l); 2455 break; 2456 case LCP_OPT_MP_SSNHF: 2457 if (len >= 2 && l == 2) { 2458 if (debug) 2459 addlog(" [rej]"); 2460 break; 2461 } 2462 if (debug) 2463 addlog(" [invalid]"); 2464 break; 2465 case LCP_OPT_MP_MRRU: 2466 /* Multilink maximum received reconstructed unit */ 2467 /* should be fall through, both are same length */ 2468 /* FALLTHROUGH */ 2469 case LCP_OPT_MRU: 2470 /* Maximum receive unit. */ 2471 if (len >= 4 && l == 4) 2472 continue; 2473 if (debug) 2474 addlog(" [invalid]"); 2475 break; 2476 case LCP_OPT_AUTH_PROTO: 2477 if (len < 4) { 2478 if (debug) 2479 addlog(" [invalid]"); 2480 break; 2481 } 2482 authproto = (p[2] << 8) + p[3]; 2483 if (authproto == PPP_CHAP && l != 5) { 2484 if (debug) 2485 addlog(" [invalid chap len]"); 2486 break; 2487 } 2488 if (sp->myauth.proto == 0) { 2489 /* we are not configured to do auth */ 2490 if (debug) 2491 addlog(" [not configured]"); 2492 break; 2493 } 2494 /* 2495 * Remote want us to authenticate, remember this, 2496 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2497 * up. 2498 */ 2499 sp->pp_flags |= PP_NEEDAUTH; 2500 continue; 2501 default: 2502 /* Others not supported. */ 2503 if (debug) 2504 addlog(" [rej]"); 2505 break; 2506 } 2507 if (rlen + l > blen) { 2508 if (debug) 2509 addlog(" [overflow]"); 2510 continue; 2511 } 2512 /* Add the option to rejected list. */ 2513 memcpy(r, p, l); 2514 r += l; 2515 rlen += l; 2516 } 2517 2518 if (rlen > 0) { 2519 type = CONF_REJ; 2520 goto end; 2521 } 2522 2523 if (debug) 2524 addlog("\n"); 2525 2526 /* 2527 * pass 2: check for option values that are unacceptable and 2528 * thus require to be nak'ed. 2529 */ 2530 if (debug) 2531 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2532 ifp->if_xname); 2533 2534 p = (void *)(h + 1); 2535 r = buf; 2536 rlen = 0; 2537 for (len = origlen; len > 0; len -= l, p += l) { 2538 l = p[1]; 2539 if (l == 0) 2540 break; 2541 2542 if (debug) 2543 addlog(" %s", sppp_lcp_opt_name(*p)); 2544 switch (p[0]) { 2545 case LCP_OPT_MAGIC: 2546 /* Magic number -- extract. */ 2547 nmagic = (uint32_t)p[2] << 24 | 2548 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2549 if (nmagic != sp->lcp.magic) { 2550 if (debug) 2551 addlog(" 0x%x", nmagic); 2552 continue; 2553 } 2554 /* 2555 * Local and remote magics equal -- loopback? 2556 */ 2557 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2558 printf ("%s: loopback\n", 2559 ifp->if_xname); 2560 sp->pp_loopcnt = 0; 2561 if (ifp->if_flags & IFF_UP) { 2562 SPPP_UNLOCK(sp); 2563 if_down(ifp); 2564 SPPP_LOCK(sp, RW_WRITER); 2565 2566 IF_PURGE(&sp->pp_cpq); 2567 /* XXX ? */ 2568 lcp.Down(sp); 2569 lcp.Up(sp); 2570 } 2571 } else if (debug) 2572 addlog(" [glitch]"); 2573 ++sp->pp_loopcnt; 2574 /* 2575 * We negate our magic here, and NAK it. If 2576 * we see it later in an NAK packet, we 2577 * suggest a new one. 2578 */ 2579 nmagic = ~sp->lcp.magic; 2580 /* Gonna NAK it. */ 2581 p[2] = nmagic >> 24; 2582 p[3] = nmagic >> 16; 2583 p[4] = nmagic >> 8; 2584 p[5] = nmagic; 2585 break; 2586 2587 case LCP_OPT_ASYNC_MAP: 2588 /* 2589 * Async control character map -- just ignore it. 2590 * 2591 * Quote from RFC 1662, chapter 6: 2592 * To enable this functionality, synchronous PPP 2593 * implementations MUST always respond to the 2594 * Async-Control-Character-Map Configuration 2595 * Option with the LCP Configure-Ack. However, 2596 * acceptance of the Configuration Option does 2597 * not imply that the synchronous implementation 2598 * will do any ACCM mapping. Instead, all such 2599 * octet mapping will be performed by the 2600 * asynchronous-to-synchronous converter. 2601 */ 2602 continue; 2603 2604 case LCP_OPT_MRU: 2605 /* 2606 * Maximum receive unit. Always agreeable, 2607 * but ignored by now. 2608 */ 2609 sp->lcp.their_mru = p[2] * 256 + p[3]; 2610 if (debug) 2611 addlog(" %ld", sp->lcp.their_mru); 2612 continue; 2613 2614 case LCP_OPT_AUTH_PROTO: 2615 authproto = (p[2] << 8) + p[3]; 2616 if (sp->myauth.proto != authproto) { 2617 /* not agreed, nak */ 2618 if (debug) 2619 addlog(" [mine %s != his %s]", 2620 sppp_proto_name(sp->myauth.proto), 2621 sppp_proto_name(authproto)); 2622 p[2] = sp->myauth.proto >> 8; 2623 p[3] = sp->myauth.proto; 2624 break; 2625 } 2626 if (authproto == PPP_CHAP && p[4] != CHAP_MD5) { 2627 if (debug) 2628 addlog(" [chap not MD5]"); 2629 p[4] = CHAP_MD5; 2630 break; 2631 } 2632 continue; 2633 case LCP_OPT_MP_EID: 2634 /* 2635 * Endpoint identification. 2636 * Always agreeable, 2637 * but ignored by now. 2638 */ 2639 if (debug) { 2640 addlog(" type %d", p[2]); 2641 sppp_print_bytes(p+3, p[1]-3); 2642 } 2643 continue; 2644 case LCP_OPT_MP_MRRU: 2645 /* 2646 * Maximum received reconstructed unit. 2647 * Always agreeable, 2648 * but ignored by now. 2649 */ 2650 sp->lcp.their_mrru = p[2] * 256 + p[3]; 2651 if (debug) 2652 addlog(" %ld", sp->lcp.their_mrru); 2653 continue; 2654 } 2655 if (rlen + l > blen) { 2656 if (debug) 2657 addlog(" [overflow]"); 2658 continue; 2659 } 2660 /* Add the option to nak'ed list. */ 2661 memcpy(r, p, l); 2662 r += l; 2663 rlen += l; 2664 } 2665 2666 if (rlen > 0) { 2667 if (++sp->scp[IDX_LCP].fail_counter >= sp->lcp.max_failure) { 2668 if (debug) 2669 addlog(" max_failure (%d) exceeded, ", 2670 sp->lcp.max_failure); 2671 type = CONF_REJ; 2672 } else { 2673 type = CONF_NAK; 2674 } 2675 } else { 2676 type = CONF_ACK; 2677 rlen = origlen; 2678 memcpy(r, h + 1, rlen); 2679 sp->scp[IDX_LCP].fail_counter = 0; 2680 sp->pp_loopcnt = 0; 2681 } 2682 2683 end: 2684 if (debug) 2685 addlog("\n"); 2686 2687 if (sp->scp[IDX_LCP].rcr_buf != NULL) { 2688 kmem_intr_free(sp->scp[IDX_LCP].rcr_buf, 2689 sp->scp[IDX_LCP].rcr_blen); 2690 } 2691 2692 if (rlen < 0) { 2693 kmem_intr_free(buf, blen); 2694 sp->scp[IDX_IPCP].rcr_buf = NULL; 2695 sp->scp[IDX_IPCP].rcr_rlen = 0; 2696 return -1; 2697 } 2698 2699 sp->scp[IDX_LCP].rcr_type = type; 2700 sp->scp[IDX_LCP].rcr_buf = buf; 2701 sp->scp[IDX_LCP].rcr_blen = blen; 2702 sp->scp[IDX_LCP].rcr_rlen = rlen; 2703 2704 if (type != CONF_ACK) 2705 return 0; 2706 return 1; 2707 } 2708 2709 /* 2710 * Analyze the LCP Configure-Reject option list, and adjust our 2711 * negotiation. 2712 */ 2713 static void 2714 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 2715 { 2716 STDDCL; 2717 u_char *p, l; 2718 2719 KASSERT(SPPP_WLOCKED(sp)); 2720 2721 if (len <= sizeof(*h)) 2722 return; 2723 2724 len -= sizeof(*h); 2725 2726 if (debug) 2727 log(LOG_DEBUG, "%s: lcp rej opts:", 2728 ifp->if_xname); 2729 2730 p = (void *)(h + 1); 2731 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2732 /* Sanity check option length */ 2733 if (l > len) { 2734 /* 2735 * Malicious option - drop immediately. 2736 * XXX Maybe we should just RXJ it? 2737 */ 2738 addlog("%s: received malicious LCP option, " 2739 "dropping.\n", ifp->if_xname); 2740 goto end; 2741 } 2742 if (debug) 2743 addlog(" %s", sppp_lcp_opt_name(*p)); 2744 switch (p[0]) { 2745 case LCP_OPT_MAGIC: 2746 /* Magic number -- can't use it, use 0 */ 2747 sp->lcp.opts &= ~(1 << LCP_OPT_MAGIC); 2748 sp->lcp.magic = 0; 2749 break; 2750 case LCP_OPT_MRU: 2751 /* 2752 * We try to negotiate a lower MRU if the underlying 2753 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 2754 * peer rejects this lower rate, fallback to the 2755 * default. 2756 */ 2757 if (debug) { 2758 addlog("%s: warning: peer rejected our MRU of " 2759 "%ld bytes. Defaulting to %d bytes\n", 2760 ifp->if_xname, sp->lcp.mru, PP_MTU); 2761 } 2762 sp->lcp.opts &= ~(1 << LCP_OPT_MRU); 2763 sp->lcp.mru = PP_MTU; 2764 break; 2765 case LCP_OPT_AUTH_PROTO: 2766 /* 2767 * Peer doesn't want to authenticate himself, 2768 * deny unless this is a dialout call, and 2769 * SPPP_AUTHFLAG_NOCALLOUT is set. 2770 */ 2771 if ((sp->pp_flags & PP_CALLIN) == 0 && 2772 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 2773 if (debug) 2774 addlog(" [don't insist on auth " 2775 "for callout]"); 2776 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 2777 break; 2778 } 2779 if (debug) 2780 addlog("[access denied]\n"); 2781 lcp.Close(sp); 2782 break; 2783 } 2784 } 2785 if (debug) 2786 addlog("\n"); 2787 end: 2788 return; 2789 } 2790 2791 /* 2792 * Analyze the LCP Configure-NAK option list, and adjust our 2793 * negotiation. 2794 */ 2795 static void 2796 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 2797 { 2798 STDDCL; 2799 u_char *p, l; 2800 uint32_t magic; 2801 2802 KASSERT(SPPP_WLOCKED(sp)); 2803 2804 if (len <= sizeof(*h)) 2805 return; 2806 len -= sizeof(*h); 2807 2808 if (debug) 2809 log(LOG_DEBUG, "%s: lcp nak opts:", 2810 ifp->if_xname); 2811 2812 p = (void *)(h + 1); 2813 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 2814 /* Sanity check option length */ 2815 if (l > len) { 2816 /* 2817 * Malicious option - drop immediately. 2818 * XXX Maybe we should just RXJ it? 2819 */ 2820 addlog("%s: received malicious LCP option, " 2821 "dropping.\n", ifp->if_xname); 2822 goto end; 2823 } 2824 if (debug) 2825 addlog(" %s", sppp_lcp_opt_name(*p)); 2826 switch (p[0]) { 2827 case LCP_OPT_MAGIC: 2828 /* Magic number -- renegotiate */ 2829 if ((sp->lcp.opts & (1 << LCP_OPT_MAGIC)) && 2830 len >= 6 && l == 6) { 2831 magic = (uint32_t)p[2] << 24 | 2832 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2833 /* 2834 * If the remote magic is our negated one, 2835 * this looks like a loopback problem. 2836 * Suggest a new magic to make sure. 2837 */ 2838 if (magic == ~sp->lcp.magic) { 2839 if (debug) 2840 addlog(" magic glitch"); 2841 sp->lcp.magic = cprng_fast32(); 2842 } else { 2843 sp->lcp.magic = magic; 2844 if (debug) 2845 addlog(" %d", magic); 2846 } 2847 } 2848 break; 2849 case LCP_OPT_MRU: 2850 /* 2851 * Peer wants to advise us to negotiate an MRU. 2852 * Agree on it if it's reasonable, or use 2853 * default otherwise. 2854 */ 2855 if (len >= 4 && l == 4) { 2856 u_int mru = p[2] * 256 + p[3]; 2857 if (debug) 2858 addlog(" %d", mru); 2859 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 2860 mru = sp->pp_if.if_mtu; 2861 sp->lcp.mru = mru; 2862 sp->lcp.opts |= (1 << LCP_OPT_MRU); 2863 } 2864 break; 2865 case LCP_OPT_AUTH_PROTO: 2866 /* 2867 * Peer doesn't like our authentication method, 2868 * deny. 2869 */ 2870 if (debug) 2871 addlog("[access denied]\n"); 2872 lcp.Close(sp); 2873 break; 2874 } 2875 } 2876 if (debug) 2877 addlog("\n"); 2878 end: 2879 return; 2880 } 2881 2882 static void 2883 sppp_lcp_tlu(struct sppp *sp) 2884 { 2885 struct ifnet *ifp = &sp->pp_if; 2886 int i; 2887 uint32_t mask; 2888 2889 KASSERT(SPPP_WLOCKED(sp)); 2890 2891 /* XXX ? */ 2892 if (! (ifp->if_flags & IFF_UP) && 2893 (ifp->if_flags & IFF_RUNNING)) { 2894 /* Coming out of loopback mode. */ 2895 SPPP_UNLOCK(sp); 2896 if_up(ifp); 2897 SPPP_LOCK(sp, RW_WRITER); 2898 } 2899 2900 for (i = 0; i < IDX_COUNT; i++) 2901 if ((cps[i])->flags & CP_QUAL) 2902 (cps[i])->Open(sp); 2903 2904 if ((sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0 || 2905 (sp->pp_flags & PP_NEEDAUTH) != 0) 2906 sppp_change_phase(sp, SPPP_PHASE_AUTHENTICATE); 2907 else 2908 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 2909 2910 /* 2911 * Open all authentication protocols. This is even required 2912 * if we already proceeded to network phase, since it might be 2913 * that remote wants us to authenticate, so we might have to 2914 * send a PAP request. Undesired authentication protocols 2915 * don't do anything when they get an Open event. 2916 */ 2917 for (i = 0; i < IDX_COUNT; i++) 2918 if ((cps[i])->flags & CP_AUTH) 2919 (cps[i])->Open(sp); 2920 2921 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 2922 /* Notify all NCPs. */ 2923 for (i = 0; i < IDX_COUNT; i++) 2924 if ((cps[i])->flags & CP_NCP) 2925 (cps[i])->Open(sp); 2926 } 2927 2928 /* Send Up events to all started protos. */ 2929 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) { 2930 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2931 (cps[i])->Up(sp); 2932 } 2933 } 2934 2935 /* notify low-level driver of state change */ 2936 sppp_notify_chg_wlocked(sp); 2937 2938 if (sp->pp_phase == SPPP_PHASE_NETWORK) 2939 /* if no NCP is starting, close down */ 2940 sppp_lcp_check_and_close(sp); 2941 } 2942 2943 static void 2944 sppp_lcp_tld(struct sppp *sp) 2945 { 2946 int i; 2947 uint32_t mask; 2948 2949 KASSERT(SPPP_WLOCKED(sp)); 2950 2951 sppp_change_phase(sp, SPPP_PHASE_TERMINATE); 2952 2953 /* 2954 * Take upper layers down. We send the Down event first and 2955 * the Close second to prevent the upper layers from sending 2956 * ``a flurry of terminate-request packets'', as the RFC 2957 * describes it. 2958 */ 2959 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) { 2960 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_LCP) == 0) { 2961 (cps[i])->Down(sp); 2962 (cps[i])->Close(sp); 2963 } 2964 } 2965 } 2966 2967 static void 2968 sppp_lcp_tls(struct sppp *sp) 2969 { 2970 2971 KASSERT(SPPP_WLOCKED(sp)); 2972 2973 2974 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 2975 printf("%s: authentication failed %d times, not retrying again\n", 2976 sp->pp_if.if_xname, sp->pp_auth_failures); 2977 2978 SPPP_UNLOCK(sp); 2979 if_down(&sp->pp_if); 2980 SPPP_LOCK(sp, RW_WRITER); 2981 return; 2982 } 2983 2984 sppp_change_phase(sp, SPPP_PHASE_ESTABLISH); 2985 2986 /* Notify lower layer if desired. */ 2987 sppp_notify_tls_wlocked(sp); 2988 } 2989 2990 static void 2991 sppp_lcp_tlf(struct sppp *sp) 2992 { 2993 2994 KASSERT(SPPP_WLOCKED(sp)); 2995 2996 sppp_change_phase(sp, SPPP_PHASE_DEAD); 2997 2998 /* Notify lower layer if desired. */ 2999 sppp_notify_tlf_wlocked(sp); 3000 } 3001 3002 static void 3003 sppp_lcp_scr(struct sppp *sp) 3004 { 3005 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 3006 int i = 0; 3007 u_short authproto; 3008 3009 KASSERT(SPPP_WLOCKED(sp)); 3010 3011 if (sp->lcp.opts & (1 << LCP_OPT_MAGIC)) { 3012 if (! sp->lcp.magic) 3013 sp->lcp.magic = cprng_fast32(); 3014 opt[i++] = LCP_OPT_MAGIC; 3015 opt[i++] = 6; 3016 opt[i++] = sp->lcp.magic >> 24; 3017 opt[i++] = sp->lcp.magic >> 16; 3018 opt[i++] = sp->lcp.magic >> 8; 3019 opt[i++] = sp->lcp.magic; 3020 } 3021 3022 if (sp->lcp.opts & (1 << LCP_OPT_MRU)) { 3023 opt[i++] = LCP_OPT_MRU; 3024 opt[i++] = 4; 3025 opt[i++] = sp->lcp.mru >> 8; 3026 opt[i++] = sp->lcp.mru; 3027 } 3028 3029 if (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) { 3030 authproto = sp->hisauth.proto; 3031 opt[i++] = LCP_OPT_AUTH_PROTO; 3032 opt[i++] = authproto == PPP_CHAP? 5: 4; 3033 opt[i++] = authproto >> 8; 3034 opt[i++] = authproto; 3035 if (authproto == PPP_CHAP) 3036 opt[i++] = CHAP_MD5; 3037 } 3038 3039 sp->scp[IDX_LCP].confid = ++sp->scp[IDX_LCP].seq; 3040 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->scp[IDX_LCP].confid, i, &opt); 3041 } 3042 3043 /* 3044 * Check the open NCPs, return true if at least one NCP is open. 3045 */ 3046 static int 3047 sppp_ncp_check(struct sppp *sp) 3048 { 3049 int i, mask; 3050 3051 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 3052 if ((sp->lcp.protos & mask) && (cps[i])->flags & CP_NCP) 3053 return 1; 3054 return 0; 3055 } 3056 3057 /* 3058 * Re-check the open NCPs and see if we should terminate the link. 3059 * Called by the NCPs during their tlf action handling. 3060 */ 3061 static void 3062 sppp_lcp_check_and_close(struct sppp *sp) 3063 { 3064 3065 KASSERT(SPPP_WLOCKED(sp)); 3066 3067 if (sp->pp_phase < SPPP_PHASE_NETWORK) 3068 /* don't bother, we are already going down */ 3069 return; 3070 3071 if (sppp_ncp_check(sp)) 3072 return; 3073 lcp.Close(sp); 3074 } 3075 3076 3077 /* 3078 *--------------------------------------------------------------------------* 3079 * * 3080 * The IPCP implementation. * 3081 * * 3082 *--------------------------------------------------------------------------* 3083 */ 3084 3085 static void 3086 sppp_ipcp_init(struct sppp *sp) 3087 { 3088 int error; 3089 3090 KASSERT(SPPP_WLOCKED(sp)); 3091 3092 sp->ipcp.opts = 0; 3093 sp->ipcp.flags = 0; 3094 sp->scp[IDX_IPCP].state = STATE_INITIAL; 3095 sp->scp[IDX_IPCP].fail_counter = 0; 3096 sp->scp[IDX_IPCP].seq = 0; 3097 sp->scp[IDX_IPCP].rseq = 0; 3098 callout_init(&sp->scp[IDX_IPCP].ch, CALLOUT_MPSAFE); 3099 3100 error = workqueue_create(&sp->ipcp.update_addrs_wq, "ipcp_addr", 3101 sppp_update_ip_addrs_work, sp, PRI_SOFTNET, IPL_NET, 0); 3102 if (error) 3103 panic("%s: update_addrs workqueue_create failed (%d)\n", 3104 __func__, error); 3105 sp->ipcp.update_addrs_q = pcq_create(IPCP_UPDATE_LIMIT, KM_SLEEP); 3106 3107 sp->ipcp.update_addrs_enqueued = 0; 3108 } 3109 3110 static void 3111 sppp_ipcp_up(struct sppp *sp) 3112 { 3113 KASSERT(SPPP_WLOCKED(sp)); 3114 sppp_up_event(&ipcp, sp); 3115 } 3116 3117 static void 3118 sppp_ipcp_down(struct sppp *sp) 3119 { 3120 KASSERT(SPPP_WLOCKED(sp)); 3121 sppp_down_event(&ipcp, sp); 3122 } 3123 3124 static void 3125 sppp_ipcp_open(struct sppp *sp) 3126 { 3127 STDDCL; 3128 uint32_t myaddr, hisaddr; 3129 3130 KASSERT(SPPP_WLOCKED(sp)); 3131 3132 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 3133 sp->ipcp.req_myaddr = 0; 3134 sp->ipcp.req_hisaddr = 0; 3135 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 3136 3137 #ifdef INET 3138 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3139 #else 3140 myaddr = hisaddr = 0; 3141 #endif 3142 /* 3143 * If we don't have his address, this probably means our 3144 * interface doesn't want to talk IP at all. (This could 3145 * be the case if somebody wants to speak only IPX, for 3146 * example.) Don't open IPCP in this case. 3147 */ 3148 if (hisaddr == 0) { 3149 /* XXX this message should go away */ 3150 if (debug) 3151 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 3152 ifp->if_xname); 3153 return; 3154 } 3155 3156 if (myaddr == 0) { 3157 /* 3158 * I don't have an assigned address, so i need to 3159 * negotiate my address. 3160 */ 3161 sp->ipcp.flags |= IPCP_MYADDR_DYN; 3162 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3163 } 3164 if (hisaddr == 1) { 3165 /* 3166 * XXX - remove this hack! 3167 * remote has no valid address, we need to get one assigned. 3168 */ 3169 sp->ipcp.flags |= IPCP_HISADDR_DYN; 3170 } 3171 sppp_open_event(&ipcp, sp); 3172 } 3173 3174 static void 3175 sppp_ipcp_close(struct sppp *sp) 3176 { 3177 3178 KASSERT(SPPP_WLOCKED(sp)); 3179 3180 sppp_close_event(&ipcp, sp); 3181 3182 #ifdef INET 3183 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) 3184 /* 3185 * Some address was dynamic, clear it again. 3186 */ 3187 sppp_clear_ip_addrs(sp); 3188 #endif 3189 } 3190 3191 static void 3192 sppp_ipcp_TO(void *cookie) 3193 { 3194 struct sppp *sp = cookie; 3195 3196 SPPP_LOCK(sp, RW_WRITER); 3197 sppp_to_event(&ipcp, sp); 3198 SPPP_UNLOCK(sp); 3199 } 3200 3201 /* 3202 * Analyze a configure request. Return true if it was agreeable, and 3203 * caused action sca, false if it has been rejected or nak'ed, and 3204 * caused action scn. (The return value is used to make the state 3205 * transition decision in the state automaton.) 3206 */ 3207 static int 3208 sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int origlen) 3209 { 3210 u_char *buf, *r, *p, l, blen, type; 3211 struct ifnet *ifp = &sp->pp_if; 3212 int rlen, len, debug = ifp->if_flags & IFF_DEBUG; 3213 uint32_t hisaddr, desiredaddr; 3214 3215 KASSERT(SPPP_WLOCKED(sp)); 3216 3217 if (origlen < sizeof(*h)) 3218 return 0; 3219 3220 origlen -= sizeof(*h); 3221 type = 0; 3222 3223 /* 3224 * Make sure to allocate a buf that can at least hold a 3225 * conf-nak with an `address' option. We might need it below. 3226 */ 3227 blen = MAX(6, origlen); 3228 3229 buf = kmem_intr_alloc(blen, KM_NOSLEEP); 3230 if (buf == NULL) 3231 return 0; 3232 3233 /* pass 1: see if we can recognize them */ 3234 if (debug) 3235 log(LOG_DEBUG, "%s: ipcp parse opts:", 3236 ifp->if_xname); 3237 p = (void *)(h + 1); 3238 r = buf; 3239 rlen = 0; 3240 for (len = origlen; len > 1; len -= l, p += l) { 3241 l = p[1]; 3242 if (l == 0) 3243 break; 3244 3245 /* Sanity check option length */ 3246 if (l > len) { 3247 /* XXX should we just RXJ? */ 3248 addlog("%s: malicious IPCP option received, dropping\n", 3249 ifp->if_xname); 3250 rlen = -1; 3251 goto end; 3252 } 3253 if (debug) 3254 addlog(" %s", sppp_ipcp_opt_name(*p)); 3255 switch (p[0]) { 3256 #ifdef notyet 3257 case IPCP_OPT_COMPRESSION: 3258 if (len >= 6 && l >= 6) { 3259 /* correctly formed compress option */ 3260 continue; 3261 } 3262 if (debug) 3263 addlog(" [invalid]"); 3264 break; 3265 #endif 3266 case IPCP_OPT_ADDRESS: 3267 if (len >= 6 && l == 6) { 3268 /* correctly formed address option */ 3269 continue; 3270 } 3271 if (debug) 3272 addlog(" [invalid]"); 3273 break; 3274 default: 3275 /* Others not supported. */ 3276 if (debug) 3277 addlog(" [rej]"); 3278 break; 3279 } 3280 /* Add the option to rejected list. */ 3281 if (rlen + l > blen) { 3282 if (debug) 3283 addlog(" [overflow]"); 3284 continue; 3285 } 3286 memcpy(r, p, l); 3287 r += l; 3288 rlen += l; 3289 } 3290 3291 if (rlen > 0) { 3292 type = CONF_REJ; 3293 goto end; 3294 } 3295 3296 if (debug) 3297 addlog("\n"); 3298 3299 /* pass 2: parse option values */ 3300 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 3301 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 3302 else 3303 #ifdef INET 3304 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 3305 #else 3306 hisaddr = 0; 3307 #endif 3308 if (debug) 3309 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 3310 ifp->if_xname); 3311 p = (void *)(h + 1); 3312 r = buf; 3313 rlen = 0; 3314 for (len = origlen; len > 1; len -= l, p += l) { 3315 l = p[1]; 3316 if (l == 0) 3317 break; 3318 3319 if (debug) 3320 addlog(" %s", sppp_ipcp_opt_name(*p)); 3321 switch (p[0]) { 3322 #ifdef notyet 3323 case IPCP_OPT_COMPRESSION: 3324 continue; 3325 #endif 3326 case IPCP_OPT_ADDRESS: 3327 desiredaddr = p[2] << 24 | p[3] << 16 | 3328 p[4] << 8 | p[5]; 3329 if (desiredaddr == hisaddr || 3330 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 3331 /* 3332 * Peer's address is same as our value, 3333 * this is agreeable. Gonna conf-ack 3334 * it. 3335 */ 3336 if (debug) 3337 addlog(" %s [ack]", 3338 sppp_dotted_quad(hisaddr)); 3339 /* record that we've seen it already */ 3340 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 3341 sp->ipcp.req_hisaddr = desiredaddr; 3342 hisaddr = desiredaddr; 3343 continue; 3344 } 3345 /* 3346 * The address wasn't agreeable. This is either 3347 * he sent us 0.0.0.0, asking to assign him an 3348 * address, or he send us another address not 3349 * matching our value. Either case, we gonna 3350 * conf-nak it with our value. 3351 */ 3352 if (debug) { 3353 if (desiredaddr == 0) 3354 addlog(" [addr requested]"); 3355 else 3356 addlog(" %s [not agreed]", 3357 sppp_dotted_quad(desiredaddr)); 3358 } 3359 3360 p[2] = hisaddr >> 24; 3361 p[3] = hisaddr >> 16; 3362 p[4] = hisaddr >> 8; 3363 p[5] = hisaddr; 3364 break; 3365 } 3366 if (rlen + l > blen) { 3367 if (debug) 3368 addlog(" [overflow]"); 3369 continue; 3370 } 3371 /* Add the option to nak'ed list. */ 3372 memcpy(r, p, l); 3373 r += l; 3374 rlen += l; 3375 } 3376 3377 if (rlen > 0) { 3378 type = CONF_NAK; 3379 } else { 3380 if ((sp->ipcp.flags & IPCP_HISADDR_SEEN) == 0) { 3381 /* 3382 * If we are about to conf-ack the request, but haven't seen 3383 * his address so far, gonna conf-nak it instead, with the 3384 * `address' option present and our idea of his address being 3385 * filled in there, to request negotiation of both addresses. 3386 * 3387 * XXX This can result in an endless req - nak loop if peer 3388 * doesn't want to send us his address. Q: What should we do 3389 * about it? XXX A: implement the max-failure counter. 3390 */ 3391 buf[0] = IPCP_OPT_ADDRESS; 3392 buf[1] = 6; 3393 buf[2] = hisaddr >> 24; 3394 buf[3] = hisaddr >> 16; 3395 buf[4] = hisaddr >> 8; 3396 buf[5] = hisaddr; 3397 rlen = 6; 3398 if (debug) 3399 addlog(" still need hisaddr"); 3400 type = CONF_NAK; 3401 } else { 3402 type = CONF_ACK; 3403 rlen = origlen; 3404 memcpy(r, h + 1, rlen); 3405 } 3406 } 3407 3408 end: 3409 if (debug) 3410 addlog("\n"); 3411 3412 if (rlen < 0) { 3413 kmem_intr_free(buf, blen); 3414 return -1; 3415 } 3416 3417 if (sp->scp[IDX_IPCP].rcr_buf != NULL) { 3418 kmem_intr_free(sp->scp[IDX_IPCP].rcr_buf, 3419 sp->scp[IDX_IPCP].rcr_blen); 3420 } 3421 3422 sp->scp[IDX_IPCP].rcr_type = type; 3423 sp->scp[IDX_IPCP].rcr_buf = buf; 3424 sp->scp[IDX_IPCP].rcr_blen = blen; 3425 sp->scp[IDX_IPCP].rcr_rlen = rlen; 3426 3427 if (type != CONF_ACK) 3428 return 0; 3429 return 1; 3430 } 3431 3432 /* 3433 * Analyze the IPCP Configure-Reject option list, and adjust our 3434 * negotiation. 3435 */ 3436 static void 3437 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3438 { 3439 u_char *p, l; 3440 struct ifnet *ifp = &sp->pp_if; 3441 int debug = ifp->if_flags & IFF_DEBUG; 3442 3443 KASSERT(SPPP_WLOCKED(sp)); 3444 3445 if (len <= sizeof(*h)) 3446 return; 3447 3448 len -= sizeof(*h); 3449 3450 if (debug) 3451 log(LOG_DEBUG, "%s: ipcp rej opts:", 3452 ifp->if_xname); 3453 3454 p = (void *)(h + 1); 3455 for (; len > 1; len -= l, p += l) { 3456 l = p[1]; 3457 if (l == 0) 3458 break; 3459 3460 /* Sanity check option length */ 3461 if (l > len) { 3462 /* XXX should we just RXJ? */ 3463 addlog("%s: malicious IPCP option received, dropping\n", 3464 ifp->if_xname); 3465 goto end; 3466 } 3467 if (debug) 3468 addlog(" %s", sppp_ipcp_opt_name(*p)); 3469 switch (p[0]) { 3470 case IPCP_OPT_ADDRESS: 3471 /* 3472 * Peer doesn't grok address option. This is 3473 * bad. XXX Should we better give up here? 3474 */ 3475 sp->ipcp.opts &= ~(1 << IPCP_OPT_ADDRESS); 3476 break; 3477 #ifdef notyet 3478 case IPCP_OPT_COMPRESS: 3479 sp->ipcp.opts &= ~(1 << IPCP_OPT_COMPRESS); 3480 break; 3481 #endif 3482 } 3483 } 3484 if (debug) 3485 addlog("\n"); 3486 end: 3487 return; 3488 } 3489 3490 /* 3491 * Analyze the IPCP Configure-NAK option list, and adjust our 3492 * negotiation. 3493 */ 3494 static void 3495 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 3496 { 3497 u_char *p, l; 3498 struct ifnet *ifp = &sp->pp_if; 3499 int debug = ifp->if_flags & IFF_DEBUG; 3500 uint32_t wantaddr; 3501 3502 KASSERT(SPPP_WLOCKED(sp)); 3503 3504 len -= sizeof(*h); 3505 3506 if (debug) 3507 log(LOG_DEBUG, "%s: ipcp nak opts:", 3508 ifp->if_xname); 3509 3510 p = (void *)(h + 1); 3511 for (; len > 1; len -= l, p += l) { 3512 l = p[1]; 3513 if (l == 0) 3514 break; 3515 3516 /* Sanity check option length */ 3517 if (l > len) { 3518 /* XXX should we just RXJ? */ 3519 addlog("%s: malicious IPCP option received, dropping\n", 3520 ifp->if_xname); 3521 return; 3522 } 3523 if (debug) 3524 addlog(" %s", sppp_ipcp_opt_name(*p)); 3525 switch (*p) { 3526 case IPCP_OPT_ADDRESS: 3527 /* 3528 * Peer doesn't like our local IP address. See 3529 * if we can do something for him. We'll drop 3530 * him our address then. 3531 */ 3532 if (len >= 6 && l == 6) { 3533 wantaddr = p[2] << 24 | p[3] << 16 | 3534 p[4] << 8 | p[5]; 3535 sp->ipcp.opts |= (1 << IPCP_OPT_ADDRESS); 3536 if (debug) 3537 addlog(" [wantaddr %s]", 3538 sppp_dotted_quad(wantaddr)); 3539 /* 3540 * When doing dynamic address assignment, 3541 * we accept his offer. Otherwise, we 3542 * ignore it and thus continue to negotiate 3543 * our already existing value. 3544 */ 3545 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 3546 if (debug) 3547 addlog(" [agree]"); 3548 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 3549 sp->ipcp.req_myaddr = wantaddr; 3550 } 3551 } 3552 break; 3553 3554 case IPCP_OPT_PRIMDNS: 3555 if (len >= 6 && l == 6) { 3556 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 3557 p[4] << 8 | p[5]; 3558 } 3559 break; 3560 3561 case IPCP_OPT_SECDNS: 3562 if (len >= 6 && l == 6) { 3563 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 3564 p[4] << 8 | p[5]; 3565 } 3566 break; 3567 #ifdef notyet 3568 case IPCP_OPT_COMPRESS: 3569 /* 3570 * Peer wants different compression parameters. 3571 */ 3572 break; 3573 #endif 3574 } 3575 } 3576 if (debug) 3577 addlog("\n"); 3578 } 3579 3580 static void 3581 sppp_ipcp_tlu(struct sppp *sp) 3582 { 3583 #ifdef INET 3584 KASSERT(SPPP_WLOCKED(sp)); 3585 /* we are up. Set addresses and notify anyone interested */ 3586 sppp_set_ip_addrs(sp); 3587 #endif 3588 } 3589 3590 static void 3591 sppp_ipcp_tld(struct sppp *sp) 3592 { 3593 3594 KASSERT(SPPP_WLOCKED(sp)); 3595 } 3596 3597 static void 3598 sppp_ipcp_tls(struct sppp *sp) 3599 { 3600 3601 KASSERT(SPPP_WLOCKED(sp)); 3602 /* indicate to LCP that it must stay alive */ 3603 sp->lcp.protos |= (1 << IDX_IPCP); 3604 } 3605 3606 static void 3607 sppp_ipcp_tlf(struct sppp *sp) 3608 { 3609 3610 KASSERT(SPPP_WLOCKED(sp)); 3611 3612 /* we no longer need LCP */ 3613 sp->lcp.protos &= ~(1 << IDX_IPCP); 3614 } 3615 3616 static void 3617 sppp_ipcp_scr(struct sppp *sp) 3618 { 3619 uint8_t opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 3620 #ifdef INET 3621 uint32_t ouraddr; 3622 #endif 3623 int i = 0; 3624 3625 KASSERT(SPPP_WLOCKED(sp)); 3626 3627 #ifdef notyet 3628 if (sp->ipcp.opts & (1 << IPCP_OPT_COMPRESSION)) { 3629 opt[i++] = IPCP_OPT_COMPRESSION; 3630 opt[i++] = 6; 3631 opt[i++] = 0; /* VJ header compression */ 3632 opt[i++] = 0x2d; /* VJ header compression */ 3633 opt[i++] = max_slot_id; 3634 opt[i++] = comp_slot_id; 3635 } 3636 #endif 3637 3638 #ifdef INET 3639 if (sp->ipcp.opts & (1 << IPCP_OPT_ADDRESS)) { 3640 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) 3641 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 3642 else 3643 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 3644 opt[i++] = IPCP_OPT_ADDRESS; 3645 opt[i++] = 6; 3646 opt[i++] = ouraddr >> 24; 3647 opt[i++] = ouraddr >> 16; 3648 opt[i++] = ouraddr >> 8; 3649 opt[i++] = ouraddr; 3650 } 3651 #endif 3652 3653 if (sp->query_dns & 1) { 3654 opt[i++] = IPCP_OPT_PRIMDNS; 3655 opt[i++] = 6; 3656 opt[i++] = sp->dns_addrs[0] >> 24; 3657 opt[i++] = sp->dns_addrs[0] >> 16; 3658 opt[i++] = sp->dns_addrs[0] >> 8; 3659 opt[i++] = sp->dns_addrs[0]; 3660 } 3661 if (sp->query_dns & 2) { 3662 opt[i++] = IPCP_OPT_SECDNS; 3663 opt[i++] = 6; 3664 opt[i++] = sp->dns_addrs[1] >> 24; 3665 opt[i++] = sp->dns_addrs[1] >> 16; 3666 opt[i++] = sp->dns_addrs[1] >> 8; 3667 opt[i++] = sp->dns_addrs[1]; 3668 } 3669 3670 sp->scp[IDX_IPCP].confid = ++sp->scp[IDX_IPCP].seq; 3671 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->scp[IDX_IPCP].confid, i, &opt); 3672 } 3673 3674 3675 /* 3676 *--------------------------------------------------------------------------* 3677 * * 3678 * The IPv6CP implementation. * 3679 * * 3680 *--------------------------------------------------------------------------* 3681 */ 3682 3683 #ifdef INET6 3684 static void 3685 sppp_ipv6cp_init(struct sppp *sp) 3686 { 3687 3688 KASSERT(SPPP_WLOCKED(sp)); 3689 3690 sp->ipv6cp.opts = 0; 3691 sp->ipv6cp.flags = 0; 3692 sp->scp[IDX_IPV6CP].state = STATE_INITIAL; 3693 sp->scp[IDX_IPV6CP].fail_counter = 0; 3694 sp->scp[IDX_IPV6CP].seq = 0; 3695 sp->scp[IDX_IPV6CP].rseq = 0; 3696 callout_init(&sp->scp[IDX_IPV6CP].ch, CALLOUT_MPSAFE); 3697 } 3698 3699 static void 3700 sppp_ipv6cp_up(struct sppp *sp) 3701 { 3702 3703 KASSERT(SPPP_WLOCKED(sp)); 3704 sppp_up_event(&ipv6cp, sp); 3705 } 3706 3707 static void 3708 sppp_ipv6cp_down(struct sppp *sp) 3709 { 3710 3711 KASSERT(SPPP_WLOCKED(sp)); 3712 sppp_down_event(&ipv6cp, sp); 3713 } 3714 3715 static void 3716 sppp_ipv6cp_open(struct sppp *sp) 3717 { 3718 STDDCL; 3719 struct in6_addr myaddr, hisaddr; 3720 3721 KASSERT(SPPP_WLOCKED(sp)); 3722 3723 #ifdef IPV6CP_MYIFID_DYN 3724 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 3725 #else 3726 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 3727 #endif 3728 3729 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 3730 /* 3731 * If we don't have our address, this probably means our 3732 * interface doesn't want to talk IPv6 at all. (This could 3733 * be the case if somebody wants to speak only IPX, for 3734 * example.) Don't open IPv6CP in this case. 3735 */ 3736 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 3737 /* XXX this message should go away */ 3738 if (debug) 3739 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 3740 ifp->if_xname); 3741 return; 3742 } 3743 3744 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 3745 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 3746 sppp_open_event(&ipv6cp, sp); 3747 } 3748 3749 static void 3750 sppp_ipv6cp_close(struct sppp *sp) 3751 { 3752 3753 KASSERT(SPPP_WLOCKED(sp)); 3754 sppp_close_event(&ipv6cp, sp); 3755 } 3756 3757 static void 3758 sppp_ipv6cp_TO(void *cookie) 3759 { 3760 struct sppp *sp = cookie; 3761 3762 SPPP_LOCK(sp, RW_WRITER); 3763 sppp_to_event(&ipv6cp, sp); 3764 SPPP_UNLOCK(sp); 3765 } 3766 3767 /* 3768 * Analyze a configure request. Return true if it was agreeable, and 3769 * caused action sca, false if it has been rejected or nak'ed, and 3770 * caused action scn. (The return value is used to make the state 3771 * transition decision in the state automaton.) 3772 */ 3773 static int 3774 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int origlen) 3775 { 3776 u_char *buf, *r, *p, l, blen; 3777 struct ifnet *ifp = &sp->pp_if; 3778 int rlen, len, debug = ifp->if_flags & IFF_DEBUG; 3779 struct in6_addr myaddr, desiredaddr, suggestaddr; 3780 int ifidcount; 3781 int type; 3782 int collision, nohisaddr; 3783 char ip6buf[INET6_ADDRSTRLEN]; 3784 3785 KASSERT(SPPP_WLOCKED(sp)); 3786 3787 if (origlen < sizeof(*h)) 3788 return 0; 3789 3790 origlen -= sizeof(*h); 3791 type = 0; 3792 3793 /* 3794 * Make sure to allocate a buf that can at least hold a 3795 * conf-nak with an `address' option. We might need it below. 3796 */ 3797 blen = MAX(6, origlen); 3798 3799 buf = kmem_intr_alloc(blen, KM_NOSLEEP); 3800 if (buf == NULL) 3801 return 0; 3802 3803 /* pass 1: see if we can recognize them */ 3804 if (debug) 3805 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 3806 ifp->if_xname); 3807 p = (void *)(h + 1); 3808 r = buf; 3809 rlen = 0; 3810 ifidcount = 0; 3811 for (len = origlen; len > 1; len -= l, p += l) { 3812 l = p[1]; 3813 if (l == 0) 3814 break; 3815 3816 /* Sanity check option length */ 3817 if (l > len) { 3818 /* XXX just RXJ? */ 3819 addlog("%s: received malicious IPCPv6 option, " 3820 "dropping\n", ifp->if_xname); 3821 rlen = -1; 3822 goto end; 3823 } 3824 if (debug) 3825 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3826 switch (p[0]) { 3827 case IPV6CP_OPT_IFID: 3828 if (len >= 10 && l == 10 && ifidcount == 0) { 3829 /* correctly formed address option */ 3830 ifidcount++; 3831 continue; 3832 } 3833 if (debug) 3834 addlog(" [invalid]"); 3835 break; 3836 #ifdef notyet 3837 case IPV6CP_OPT_COMPRESSION: 3838 if (len >= 4 && l >= 4) { 3839 /* correctly formed compress option */ 3840 continue; 3841 } 3842 if (debug) 3843 addlog(" [invalid]"); 3844 break; 3845 #endif 3846 default: 3847 /* Others not supported. */ 3848 if (debug) 3849 addlog(" [rej]"); 3850 break; 3851 } 3852 if (rlen + l > blen) { 3853 if (debug) 3854 addlog(" [overflow]"); 3855 continue; 3856 } 3857 /* Add the option to rejected list. */ 3858 memcpy(r, p, l); 3859 r += l; 3860 rlen += l; 3861 } 3862 3863 if (rlen > 0) { 3864 type = CONF_REJ; 3865 goto end; 3866 } 3867 3868 if (debug) 3869 addlog("\n"); 3870 3871 /* pass 2: parse option values */ 3872 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 3873 if (debug) 3874 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 3875 ifp->if_xname); 3876 p = (void *)(h + 1); 3877 r = buf; 3878 rlen = 0; 3879 type = CONF_ACK; 3880 for (len = origlen; len > 1; len -= l, p += l) { 3881 l = p[1]; 3882 if (l == 0) 3883 break; 3884 3885 if (debug) 3886 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 3887 switch (p[0]) { 3888 #ifdef notyet 3889 case IPV6CP_OPT_COMPRESSION: 3890 continue; 3891 #endif 3892 case IPV6CP_OPT_IFID: 3893 memset(&desiredaddr, 0, sizeof(desiredaddr)); 3894 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 3895 collision = (memcmp(&desiredaddr.s6_addr[8], 3896 &myaddr.s6_addr[8], 8) == 0); 3897 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 3898 3899 desiredaddr.s6_addr16[0] = htons(0xfe80); 3900 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 3901 3902 if (!collision && !nohisaddr) { 3903 /* no collision, hisaddr known - Conf-Ack */ 3904 type = CONF_ACK; 3905 3906 if (debug) { 3907 addlog(" %s [%s]", 3908 IN6_PRINT(ip6buf, &desiredaddr), 3909 sppp_cp_type_name(type)); 3910 } 3911 continue; 3912 } 3913 3914 memset(&suggestaddr, 0, sizeof(suggestaddr)); 3915 if (collision && nohisaddr) { 3916 /* collision, hisaddr unknown - Conf-Rej */ 3917 type = CONF_REJ; 3918 memset(&p[2], 0, 8); 3919 } else { 3920 /* 3921 * - no collision, hisaddr unknown, or 3922 * - collision, hisaddr known 3923 * Conf-Nak, suggest hisaddr 3924 */ 3925 type = CONF_NAK; 3926 sppp_suggest_ip6_addr(sp, &suggestaddr); 3927 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 3928 } 3929 if (debug) 3930 addlog(" %s [%s]", IN6_PRINT(ip6buf, &desiredaddr), 3931 sppp_cp_type_name(type)); 3932 break; 3933 } 3934 if (rlen + l > blen) { 3935 if (debug) 3936 addlog(" [overflow]"); 3937 continue; 3938 } 3939 /* Add the option to nak'ed list. */ 3940 memcpy(r, p, l); 3941 r += l; 3942 rlen += l; 3943 } 3944 3945 if (rlen > 0) { 3946 if (type != CONF_ACK) { 3947 if (debug) { 3948 addlog(" send %s suggest %s\n", 3949 sppp_cp_type_name(type), 3950 IN6_PRINT(ip6buf, &suggestaddr)); 3951 } 3952 } 3953 #ifdef notdef 3954 if (type == CONF_ACK) 3955 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 3956 #endif 3957 } else { 3958 if (type == CONF_ACK) { 3959 rlen = origlen; 3960 memcpy(r, h + 1, rlen); 3961 } 3962 } 3963 end: 3964 if (debug) 3965 addlog("\n"); 3966 3967 if (rlen < 0) { 3968 kmem_intr_free(buf, blen); 3969 return -1; 3970 } 3971 3972 if (sp->scp[IDX_IPV6CP].rcr_buf != NULL) { 3973 kmem_intr_free(sp->scp[IDX_IPV6CP].rcr_buf, 3974 sp->scp[IDX_IPV6CP].rcr_blen); 3975 } 3976 3977 sp->scp[IDX_IPV6CP].rcr_type = type; 3978 sp->scp[IDX_IPV6CP].rcr_buf = buf; 3979 sp->scp[IDX_IPV6CP].rcr_blen = blen; 3980 sp->scp[IDX_IPV6CP].rcr_rlen = rlen; 3981 3982 if (type != CONF_ACK) 3983 return 0; 3984 return 0; 3985 } 3986 3987 /* 3988 * Analyze the IPv6CP Configure-Reject option list, and adjust our 3989 * negotiation. 3990 */ 3991 static void 3992 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) 3993 { 3994 u_char *p, l; 3995 struct ifnet *ifp = &sp->pp_if; 3996 int debug = ifp->if_flags & IFF_DEBUG; 3997 3998 KASSERT(SPPP_WLOCKED(sp)); 3999 4000 if (len <= sizeof(*h)) 4001 return; 4002 4003 len -= sizeof(*h); 4004 4005 if (debug) 4006 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 4007 ifp->if_xname); 4008 4009 p = (void *)(h + 1); 4010 for (; len > 1; len -= l, p += l) { 4011 l = p[1]; 4012 if (l == 0) 4013 break; 4014 4015 if (l > len) { 4016 /* XXX just RXJ? */ 4017 addlog("%s: received malicious IPCPv6 option, " 4018 "dropping\n", ifp->if_xname); 4019 goto end; 4020 } 4021 if (debug) 4022 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 4023 switch (p[0]) { 4024 case IPV6CP_OPT_IFID: 4025 /* 4026 * Peer doesn't grok address option. This is 4027 * bad. XXX Should we better give up here? 4028 */ 4029 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_IFID); 4030 break; 4031 #ifdef notyet 4032 case IPV6CP_OPT_COMPRESS: 4033 sp->ipv6cp.opts &= ~(1 << IPV6CP_OPT_COMPRESS); 4034 break; 4035 #endif 4036 } 4037 } 4038 if (debug) 4039 addlog("\n"); 4040 end: 4041 return; 4042 } 4043 4044 /* 4045 * Analyze the IPv6CP Configure-NAK option list, and adjust our 4046 * negotiation. 4047 */ 4048 static void 4049 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) 4050 { 4051 u_char *p, l; 4052 struct ifnet *ifp = &sp->pp_if; 4053 int debug = ifp->if_flags & IFF_DEBUG; 4054 struct in6_addr suggestaddr; 4055 char ip6buf[INET6_ADDRSTRLEN]; 4056 4057 KASSERT(SPPP_WLOCKED(sp)); 4058 4059 if (len <= sizeof(*h)) 4060 return; 4061 4062 len -= sizeof(*h); 4063 4064 if (debug) 4065 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 4066 ifp->if_xname); 4067 4068 p = (void *)(h + 1); 4069 for (; len > 1; len -= l, p += l) { 4070 l = p[1]; 4071 if (l == 0) 4072 break; 4073 4074 if (l > len) { 4075 /* XXX just RXJ? */ 4076 addlog("%s: received malicious IPCPv6 option, " 4077 "dropping\n", ifp->if_xname); 4078 goto end; 4079 } 4080 if (debug) 4081 addlog(" %s", sppp_ipv6cp_opt_name(*p)); 4082 switch (p[0]) { 4083 case IPV6CP_OPT_IFID: 4084 /* 4085 * Peer doesn't like our local ifid. See 4086 * if we can do something for him. We'll drop 4087 * him our address then. 4088 */ 4089 if (len < 10 || l != 10) 4090 break; 4091 memset(&suggestaddr, 0, sizeof(suggestaddr)); 4092 suggestaddr.s6_addr16[0] = htons(0xfe80); 4093 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 4094 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 4095 4096 sp->ipv6cp.opts |= (1 << IPV6CP_OPT_IFID); 4097 if (debug) 4098 addlog(" [suggestaddr %s]", 4099 IN6_PRINT(ip6buf, &suggestaddr)); 4100 #ifdef IPV6CP_MYIFID_DYN 4101 /* 4102 * When doing dynamic address assignment, 4103 * we accept his offer. 4104 */ 4105 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 4106 struct in6_addr lastsuggest; 4107 /* 4108 * If <suggested myaddr from peer> equals to 4109 * <hisaddr we have suggested last time>, 4110 * we have a collision. generate new random 4111 * ifid. 4112 */ 4113 sppp_suggest_ip6_addr(&lastsuggest); 4114 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 4115 lastsuggest)) { 4116 if (debug) 4117 addlog(" [random]"); 4118 sppp_gen_ip6_addr(sp, &suggestaddr); 4119 } 4120 sppp_set_ip6_addr(sp, &suggestaddr, 0); 4121 if (debug) 4122 addlog(" [agree]"); 4123 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 4124 } 4125 #else 4126 /* 4127 * Since we do not do dynamic address assignment, 4128 * we ignore it and thus continue to negotiate 4129 * our already existing value. This can possibly 4130 * go into infinite request-reject loop. 4131 * 4132 * This is not likely because we normally use 4133 * ifid based on MAC-address. 4134 * If you have no ethernet card on the node, too bad. 4135 * XXX should we use fail_counter? 4136 */ 4137 #endif 4138 break; 4139 #ifdef notyet 4140 case IPV6CP_OPT_COMPRESS: 4141 /* 4142 * Peer wants different compression parameters. 4143 */ 4144 break; 4145 #endif 4146 } 4147 } 4148 if (debug) 4149 addlog("\n"); 4150 end: 4151 return; 4152 } 4153 4154 static void 4155 sppp_ipv6cp_tlu(struct sppp *sp) 4156 { 4157 4158 KASSERT(SPPP_WLOCKED(sp)); 4159 /* we are up - notify isdn daemon */ 4160 sppp_notify_con_wlocked(sp); 4161 } 4162 4163 static void 4164 sppp_ipv6cp_tld(struct sppp *sp) 4165 { 4166 4167 KASSERT(SPPP_WLOCKED(sp)); 4168 } 4169 4170 static void 4171 sppp_ipv6cp_tls(struct sppp *sp) 4172 { 4173 4174 KASSERT(SPPP_WLOCKED(sp)); 4175 /* indicate to LCP that it must stay alive */ 4176 sp->lcp.protos |= (1 << IDX_IPV6CP); 4177 } 4178 4179 static void 4180 sppp_ipv6cp_tlf(struct sppp *sp) 4181 { 4182 4183 KASSERT(SPPP_WLOCKED(sp)); 4184 /* we no longer need LCP */ 4185 sp->lcp.protos &= ~(1 << IDX_IPV6CP); 4186 } 4187 4188 static void 4189 sppp_ipv6cp_scr(struct sppp *sp) 4190 { 4191 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 4192 struct in6_addr ouraddr; 4193 int i = 0; 4194 4195 KASSERT(SPPP_WLOCKED(sp)); 4196 4197 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_IFID)) { 4198 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 4199 opt[i++] = IPV6CP_OPT_IFID; 4200 opt[i++] = 10; 4201 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 4202 i += 8; 4203 } 4204 4205 #ifdef notyet 4206 if (sp->ipv6cp.opts & (1 << IPV6CP_OPT_COMPRESSION)) { 4207 opt[i++] = IPV6CP_OPT_COMPRESSION; 4208 opt[i++] = 4; 4209 opt[i++] = 0; /* TBD */ 4210 opt[i++] = 0; /* TBD */ 4211 /* variable length data may follow */ 4212 } 4213 #endif 4214 4215 sp->scp[IDX_IPV6CP].confid = ++sp->scp[IDX_IPV6CP].seq; 4216 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->scp[IDX_IPV6CP].confid, i, &opt); 4217 } 4218 #else /*INET6*/ 4219 static void 4220 sppp_ipv6cp_init(struct sppp *sp) 4221 { 4222 4223 KASSERT(SPPP_WLOCKED(sp)); 4224 } 4225 4226 static void 4227 sppp_ipv6cp_up(struct sppp *sp) 4228 { 4229 4230 KASSERT(SPPP_WLOCKED(sp)); 4231 } 4232 4233 static void 4234 sppp_ipv6cp_down(struct sppp *sp) 4235 { 4236 4237 KASSERT(SPPP_WLOCKED(sp)); 4238 } 4239 4240 static void 4241 sppp_ipv6cp_open(struct sppp *sp) 4242 { 4243 4244 KASSERT(SPPP_WLOCKED(sp)); 4245 } 4246 4247 static void 4248 sppp_ipv6cp_close(struct sppp *sp) 4249 { 4250 4251 KASSERT(SPPP_WLOCKED(sp)); 4252 } 4253 4254 static void 4255 sppp_ipv6cp_TO(void *cookie) 4256 { 4257 struct sppp *sp __diagused = cookie; 4258 4259 KASSERT(SPPP_WLOCKED(sp)); 4260 } 4261 4262 static int 4263 sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, 4264 int len) 4265 { 4266 4267 KASSERT(SPPP_WLOCKED(sp)); 4268 return 0; 4269 } 4270 4271 static void 4272 sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, 4273 int len) 4274 { 4275 4276 KASSERT(SPPP_WLOCKED(sp)); 4277 } 4278 4279 static void 4280 sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, 4281 int len) 4282 { 4283 4284 KASSERT(SPPP_WLOCKED(sp)); 4285 } 4286 4287 static void 4288 sppp_ipv6cp_tlu(struct sppp *sp) 4289 { 4290 4291 KASSERT(SPPP_WLOCKED(sp)); 4292 } 4293 4294 static void 4295 sppp_ipv6cp_tld(struct sppp *sp) 4296 { 4297 4298 KASSERT(SPPP_WLOCKED(sp)); 4299 } 4300 4301 static void 4302 sppp_ipv6cp_tls(struct sppp *sp) 4303 { 4304 4305 KASSERT(SPPP_WLOCKED(sp)); 4306 } 4307 4308 static void 4309 sppp_ipv6cp_tlf(struct sppp *sp) 4310 { 4311 4312 KASSERT(SPPP_WLOCKED(sp)); 4313 } 4314 4315 static void 4316 sppp_ipv6cp_scr(struct sppp *sp) 4317 { 4318 4319 KASSERT(SPPP_WLOCKED(sp)); 4320 } 4321 #endif /*INET6*/ 4322 4323 4324 /* 4325 *--------------------------------------------------------------------------* 4326 * * 4327 * The CHAP implementation. * 4328 * * 4329 *--------------------------------------------------------------------------* 4330 */ 4331 4332 /* 4333 * The authentication protocols don't employ a full-fledged state machine as 4334 * the control protocols do, since they do have Open and Close events, but 4335 * not Up and Down, nor are they explicitly terminated. Also, use of the 4336 * authentication protocols may be different in both directions (this makes 4337 * sense, think of a machine that never accepts incoming calls but only 4338 * calls out, it doesn't require the called party to authenticate itself). 4339 * 4340 * Our state machine for the local authentication protocol (we are requesting 4341 * the peer to authenticate) looks like: 4342 * 4343 * RCA- 4344 * +--------------------------------------------+ 4345 * V scn,tld| 4346 * +--------+ Close +---------+ RCA+ 4347 * | |<----------------------------------| |------+ 4348 * +--->| Closed | TO* | Opened | sca | 4349 * | | |-----+ +-------| |<-----+ 4350 * | +--------+ irc | | +---------+ 4351 * | ^ | | ^ 4352 * | | | | | 4353 * | | | | | 4354 * | TO-| | | | 4355 * | |tld TO+ V | | 4356 * | | +------->+ | | 4357 * | | | | | | 4358 * | +--------+ V | | 4359 * | | |<----+<--------------------+ | 4360 * | | Req- | scr | 4361 * | | Sent | | 4362 * | | | | 4363 * | +--------+ | 4364 * | RCA- | | RCA+ | 4365 * +------+ +------------------------------------------+ 4366 * scn,tld sca,irc,ict,tlu 4367 * 4368 * 4369 * with: 4370 * 4371 * Open: LCP reached authentication phase 4372 * Close: LCP reached terminate phase 4373 * 4374 * RCA+: received reply (pap-req, chap-response), acceptable 4375 * RCN: received reply (pap-req, chap-response), not acceptable 4376 * TO+: timeout with restart counter >= 0 4377 * TO-: timeout with restart counter < 0 4378 * TO*: reschedule timeout for CHAP 4379 * 4380 * scr: send request packet (none for PAP, chap-challenge) 4381 * sca: send ack packet (pap-ack, chap-success) 4382 * scn: send nak packet (pap-nak, chap-failure) 4383 * ict: initialize re-challenge timer (CHAP only) 4384 * 4385 * tlu: this-layer-up, LCP reaches network phase 4386 * tld: this-layer-down, LCP enters terminate phase 4387 * 4388 * Note that in CHAP mode, after sending a new challenge, while the state 4389 * automaton falls back into Req-Sent state, it doesn't signal a tld 4390 * event to LCP, so LCP remains in network phase. Only after not getting 4391 * any response (or after getting an unacceptable response), CHAP closes, 4392 * causing LCP to enter terminate phase. 4393 * 4394 * With PAP, there is no initial request that can be sent. The peer is 4395 * expected to send one based on the successful negotiation of PAP as 4396 * the authentication protocol during the LCP option negotiation. 4397 * 4398 * Incoming authentication protocol requests (remote requests 4399 * authentication, we are peer) don't employ a state machine at all, 4400 * they are simply answered. Some peers [Ascend P50 firmware rev 4401 * 4.50] react allergically when sending IPCP/IPv6CP requests while they are 4402 * still in authentication phase (thereby violating the standard that 4403 * demands that these NCP packets are to be discarded), so we keep 4404 * track of the peer demanding us to authenticate, and only proceed to 4405 * phase network once we've seen a positive acknowledge for the 4406 * authentication. 4407 */ 4408 4409 /* 4410 * Handle incoming CHAP packets. 4411 */ 4412 void 4413 sppp_chap_input(struct sppp *sp, struct mbuf *m) 4414 { 4415 STDDCL; 4416 struct lcp_header *h; 4417 int len, x; 4418 u_char *value, *name, digest[sizeof(sp->myauth.challenge)], dsize; 4419 int value_len, name_len; 4420 MD5_CTX ctx; 4421 4422 len = m->m_pkthdr.len; 4423 if (len < 4) { 4424 if (debug) 4425 log(LOG_DEBUG, 4426 "%s: chap invalid packet length: %d bytes\n", 4427 ifp->if_xname, len); 4428 return; 4429 } 4430 h = mtod(m, struct lcp_header *); 4431 if (len > ntohs(h->len)) 4432 len = ntohs(h->len); 4433 4434 SPPP_LOCK(sp, RW_WRITER); 4435 4436 switch (h->type) { 4437 /* challenge, failure and success are his authproto */ 4438 case CHAP_CHALLENGE: 4439 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4440 /* can't do anything useful */ 4441 sp->pp_auth_failures++; 4442 printf("%s: chap input without my name and my secret being set\n", 4443 ifp->if_xname); 4444 break; 4445 } 4446 value = 1 + (u_char *)(h + 1); 4447 value_len = value[-1]; 4448 name = value + value_len; 4449 name_len = len - value_len - 5; 4450 if (name_len < 0) { 4451 if (debug) { 4452 log(LOG_DEBUG, 4453 "%s: chap corrupted challenge " 4454 "<%s id=0x%x len=%d", 4455 ifp->if_xname, 4456 sppp_auth_type_name(PPP_CHAP, h->type), 4457 h->ident, ntohs(h->len)); 4458 if (len > 4) 4459 sppp_print_bytes((u_char *)(h + 1), 4460 len - 4); 4461 addlog(">\n"); 4462 } 4463 break; 4464 } 4465 4466 if (debug) { 4467 log(LOG_DEBUG, 4468 "%s: chap input <%s id=0x%x len=%d name=", 4469 ifp->if_xname, 4470 sppp_auth_type_name(PPP_CHAP, h->type), h->ident, 4471 ntohs(h->len)); 4472 sppp_print_string((char *) name, name_len); 4473 addlog(" value-size=%d value=", value_len); 4474 sppp_print_bytes(value, value_len); 4475 addlog(">\n"); 4476 } 4477 4478 /* Compute reply value. */ 4479 MD5Init(&ctx); 4480 MD5Update(&ctx, &h->ident, 1); 4481 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 4482 MD5Update(&ctx, value, value_len); 4483 MD5Final(digest, &ctx); 4484 dsize = sizeof digest; 4485 4486 sppp_auth_send(&chap, sp, CHAP_RESPONSE, h->ident, 4487 sizeof dsize, (const char *)&dsize, 4488 sizeof digest, digest, 4489 sp->myauth.name_len, 4490 sp->myauth.name, 4491 0); 4492 break; 4493 4494 case CHAP_SUCCESS: 4495 if (debug) { 4496 log(LOG_DEBUG, "%s: chap success", 4497 ifp->if_xname); 4498 if (len > 4) { 4499 addlog(": "); 4500 sppp_print_string((char *)(h + 1), len - 4); 4501 } 4502 addlog("\n"); 4503 } 4504 x = splnet(); 4505 sp->pp_auth_failures = 0; 4506 sp->pp_flags &= ~PP_NEEDAUTH; 4507 if (sp->myauth.proto == PPP_CHAP && 4508 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4509 (sp->lcp.protos & (1 << IDX_CHAP)) == 0) { 4510 /* 4511 * We are authenticator for CHAP but didn't 4512 * complete yet. Leave it to tlu to proceed 4513 * to network phase. 4514 */ 4515 splx(x); 4516 break; 4517 } 4518 splx(x); 4519 sppp_phase_network(sp); 4520 break; 4521 4522 case CHAP_FAILURE: 4523 x = splnet(); 4524 sp->pp_auth_failures++; 4525 splx(x); 4526 if (debug) { 4527 log(LOG_INFO, "%s: chap failure", 4528 ifp->if_xname); 4529 if (len > 4) { 4530 addlog(": "); 4531 sppp_print_string((char *)(h + 1), len - 4); 4532 } 4533 addlog("\n"); 4534 } else 4535 log(LOG_INFO, "%s: chap failure\n", 4536 ifp->if_xname); 4537 /* await LCP shutdown by authenticator */ 4538 break; 4539 4540 /* response is my authproto */ 4541 case CHAP_RESPONSE: 4542 if (sp->hisauth.secret == NULL) { 4543 /* can't do anything useful */ 4544 printf("%s: chap input without his secret being set\n", 4545 ifp->if_xname); 4546 break; 4547 } 4548 value = 1 + (u_char *)(h + 1); 4549 value_len = value[-1]; 4550 name = value + value_len; 4551 name_len = len - value_len - 5; 4552 if (name_len < 0) { 4553 if (debug) { 4554 log(LOG_DEBUG, 4555 "%s: chap corrupted response " 4556 "<%s id=0x%x len=%d", 4557 ifp->if_xname, 4558 sppp_auth_type_name(PPP_CHAP, h->type), 4559 h->ident, ntohs(h->len)); 4560 if (len > 4) 4561 sppp_print_bytes((u_char *)(h + 1), 4562 len - 4); 4563 addlog(">\n"); 4564 } 4565 break; 4566 } 4567 if (h->ident != sp->scp[IDX_CHAP].confid) { 4568 if (debug) 4569 log(LOG_DEBUG, 4570 "%s: chap dropping response for old ID " 4571 "(got %d, expected %d)\n", 4572 ifp->if_xname, 4573 h->ident, sp->scp[IDX_CHAP].confid); 4574 break; 4575 } 4576 if (sp->hisauth.name != NULL && 4577 (name_len != sp->hisauth.name_len 4578 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 4579 log(LOG_INFO, "%s: chap response, his name ", 4580 ifp->if_xname); 4581 sppp_print_string(name, name_len); 4582 addlog(" != expected "); 4583 sppp_print_string(sp->hisauth.name, 4584 sp->hisauth.name_len); 4585 addlog("\n"); 4586 goto chap_failure; 4587 } 4588 if (debug) { 4589 log(LOG_DEBUG, "%s: chap input(%s) " 4590 "<%s id=0x%x len=%d name=", 4591 ifp->if_xname, 4592 sppp_state_name(sp->scp[IDX_CHAP].state), 4593 sppp_auth_type_name(PPP_CHAP, h->type), 4594 h->ident, ntohs(h->len)); 4595 sppp_print_string((char *)name, name_len); 4596 addlog(" value-size=%d value=", value_len); 4597 sppp_print_bytes(value, value_len); 4598 addlog(">\n"); 4599 } 4600 if (value_len != sizeof(sp->hisauth.challenge)) { 4601 if (debug) 4602 log(LOG_DEBUG, 4603 "%s: chap bad hash value length: " 4604 "%d bytes, should be %zu\n", 4605 ifp->if_xname, value_len, 4606 sizeof(sp->hisauth.challenge)); 4607 goto chap_failure; 4608 } 4609 4610 MD5Init(&ctx); 4611 MD5Update(&ctx, &h->ident, 1); 4612 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 4613 MD5Update(&ctx, sp->hisauth.challenge, sizeof(sp->hisauth.challenge)); 4614 MD5Final(digest, &ctx); 4615 4616 #define FAILMSG "Failed..." 4617 #define SUCCMSG "Welcome!" 4618 4619 if (value_len != sizeof digest || 4620 memcmp(digest, value, value_len) != 0) { 4621 chap_failure: 4622 KASSERT(SPPP_WLOCKED(sp)); 4623 /* action scn, tld */ 4624 sp->pp_auth_failures++; 4625 sppp_auth_send(&chap, sp, CHAP_FAILURE, h->ident, 4626 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4627 0); 4628 chap.tld(sp); 4629 break; 4630 } 4631 sp->pp_auth_failures = 0; 4632 /* action sca, perhaps tlu */ 4633 if (sp->scp[IDX_CHAP].state == STATE_REQ_SENT || 4634 sp->scp[IDX_CHAP].state == STATE_OPENED) 4635 sppp_auth_send(&chap, sp, CHAP_SUCCESS, h->ident, 4636 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4637 0); 4638 if (sp->scp[IDX_CHAP].state == STATE_REQ_SENT) { 4639 sppp_cp_change_state(&chap, sp, STATE_OPENED); 4640 chap.tlu(sp); 4641 } 4642 break; 4643 4644 default: 4645 /* Unknown CHAP packet type -- ignore. */ 4646 if (debug) { 4647 log(LOG_DEBUG, "%s: chap unknown input(%s) " 4648 "<0x%x id=0x%xh len=%d", 4649 ifp->if_xname, 4650 sppp_state_name(sp->scp[IDX_CHAP].state), 4651 h->type, h->ident, ntohs(h->len)); 4652 if (len > 4) 4653 sppp_print_bytes((u_char *)(h + 1), len - 4); 4654 addlog(">\n"); 4655 } 4656 break; 4657 4658 } 4659 4660 SPPP_UNLOCK(sp); 4661 } 4662 4663 static void 4664 sppp_chap_init(struct sppp *sp) 4665 { 4666 4667 KASSERT(SPPP_WLOCKED(sp)); 4668 4669 /* Chap doesn't have STATE_INITIAL at all. */ 4670 sp->scp[IDX_CHAP].state = STATE_CLOSED; 4671 sp->scp[IDX_CHAP].fail_counter = 0; 4672 sp->scp[IDX_CHAP].seq = 0; 4673 sp->scp[IDX_CHAP].rseq = 0; 4674 callout_init(&sp->scp[IDX_CHAP].ch, CALLOUT_MPSAFE); 4675 } 4676 4677 static void 4678 sppp_chap_open(struct sppp *sp) 4679 { 4680 4681 KASSERT(SPPP_WLOCKED(sp)); 4682 if (sp->hisauth.proto == PPP_CHAP && 4683 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 4684 /* we are authenticator for CHAP, start it */ 4685 chap.scr(sp); 4686 sp->scp[IDX_CHAP].rst_counter = sp->lcp.max_configure; 4687 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4688 } 4689 /* nothing to be done if we are peer, await a challenge */ 4690 } 4691 4692 static void 4693 sppp_chap_close(struct sppp *sp) 4694 { 4695 4696 KASSERT(SPPP_WLOCKED(sp)); 4697 if (sp->scp[IDX_CHAP].state != STATE_CLOSED) 4698 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4699 } 4700 4701 static void 4702 sppp_chap_TO(void *cookie) 4703 { 4704 struct sppp *sp = (struct sppp *)cookie; 4705 STDDCL; 4706 int s; 4707 4708 s = splnet(); 4709 4710 SPPP_LOCK(sp, RW_WRITER); 4711 4712 if (debug) 4713 log(LOG_DEBUG, "%s: chap TO(%s) rst_counter = %d\n", 4714 ifp->if_xname, 4715 sppp_state_name(sp->scp[IDX_CHAP].state), 4716 sp->scp[IDX_CHAP].rst_counter); 4717 4718 if (--sp->scp[IDX_CHAP].rst_counter < 0) 4719 /* TO- event */ 4720 switch (sp->scp[IDX_CHAP].state) { 4721 case STATE_REQ_SENT: 4722 chap.tld(sp); 4723 sppp_cp_change_state(&chap, sp, STATE_CLOSED); 4724 break; 4725 } 4726 else 4727 /* TO+ (or TO*) event */ 4728 switch (sp->scp[IDX_CHAP].state) { 4729 case STATE_OPENED: 4730 /* TO* event */ 4731 sp->scp[IDX_CHAP].rst_counter = sp->lcp.max_configure; 4732 /* fall through */ 4733 case STATE_REQ_SENT: 4734 chap.scr(sp); 4735 /* sppp_cp_change_state() will restart the timer */ 4736 sppp_cp_change_state(&chap, sp, STATE_REQ_SENT); 4737 break; 4738 } 4739 4740 SPPP_UNLOCK(sp); 4741 splx(s); 4742 } 4743 4744 static void 4745 sppp_chap_tlu(struct sppp *sp) 4746 { 4747 STDDCL; 4748 int i, x; 4749 4750 KASSERT(SPPP_WLOCKED(sp)); 4751 4752 i = 0; 4753 sp->scp[IDX_CHAP].rst_counter = sp->lcp.max_configure; 4754 4755 /* 4756 * Some broken CHAP implementations (Conware CoNet, firmware 4757 * 4.0.?) don't want to re-authenticate their CHAP once the 4758 * initial challenge-response exchange has taken place. 4759 * Provide for an option to avoid rechallenges. 4760 */ 4761 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 4762 /* 4763 * Compute the re-challenge timeout. This will yield 4764 * a number between 300 and 810 seconds. 4765 */ 4766 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7); 4767 4768 callout_reset(&sp->scp[IDX_CHAP].ch, i * hz, chap.TO, sp); 4769 } 4770 4771 if (debug) { 4772 log(LOG_DEBUG, 4773 "%s: chap %s, ", 4774 ifp->if_xname, 4775 sp->pp_phase == SPPP_PHASE_NETWORK? "reconfirmed": "tlu"); 4776 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) 4777 addlog("next re-challenge in %d seconds\n", i); 4778 else 4779 addlog("re-challenging suppressed\n"); 4780 } 4781 4782 x = splnet(); 4783 sp->pp_auth_failures = 0; 4784 /* indicate to LCP that we need to be closed down */ 4785 sp->lcp.protos |= (1 << IDX_CHAP); 4786 4787 if (sp->pp_flags & PP_NEEDAUTH) { 4788 /* 4789 * Remote is authenticator, but his auth proto didn't 4790 * complete yet. Defer the transition to network 4791 * phase. 4792 */ 4793 splx(x); 4794 return; 4795 } 4796 splx(x); 4797 4798 /* 4799 * If we are already in phase network, we are done here. This 4800 * is the case if this is a dummy tlu event after a re-challenge. 4801 */ 4802 if (sp->pp_phase != SPPP_PHASE_NETWORK) 4803 sppp_phase_network(sp); 4804 } 4805 4806 static void 4807 sppp_chap_tld(struct sppp *sp) 4808 { 4809 STDDCL; 4810 4811 KASSERT(SPPP_WLOCKED(sp)); 4812 4813 if (debug) 4814 log(LOG_DEBUG, "%s: chap tld\n", ifp->if_xname); 4815 callout_stop(&sp->scp[IDX_CHAP].ch); 4816 sp->lcp.protos &= ~(1 << IDX_CHAP); 4817 4818 lcp.Close(sp); 4819 } 4820 4821 static void 4822 sppp_chap_scr(struct sppp *sp) 4823 { 4824 uint32_t *ch; 4825 u_char clen = 4 * sizeof(uint32_t); 4826 4827 KASSERT(SPPP_WLOCKED(sp)); 4828 4829 if (sp->hisauth.name == NULL) { 4830 /* can't do anything useful */ 4831 printf("%s: chap starting without his name being set\n", 4832 sp->pp_if.if_xname); 4833 return; 4834 } 4835 4836 /* Compute random challenge. */ 4837 ch = (uint32_t *)sp->hisauth.challenge; 4838 cprng_strong(kern_cprng, ch, clen, 0); 4839 4840 sp->scp[IDX_CHAP].confid = ++sp->scp[IDX_CHAP].seq; 4841 4842 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->scp[IDX_CHAP].confid, 4843 sizeof clen, (const char *)&clen, 4844 sizeof(sp->hisauth.challenge), sp->hisauth.challenge, 4845 0); 4846 } 4847 4848 /* 4849 *--------------------------------------------------------------------------* 4850 * * 4851 * The PAP implementation. * 4852 * * 4853 *--------------------------------------------------------------------------* 4854 */ 4855 /* 4856 * For PAP, we need to keep a little state also if we are the peer, not the 4857 * authenticator. This is since we don't get a request to authenticate, but 4858 * have to repeatedly authenticate ourself until we got a response (or the 4859 * retry counter is expired). 4860 */ 4861 4862 /* 4863 * Handle incoming PAP packets. */ 4864 static void 4865 sppp_pap_input(struct sppp *sp, struct mbuf *m) 4866 { 4867 STDDCL; 4868 struct lcp_header *h; 4869 int len, x; 4870 u_char mlen; 4871 char *name, *secret; 4872 int name_len, secret_len; 4873 4874 /* 4875 * Malicious input might leave this uninitialized, so 4876 * init to an impossible value. 4877 */ 4878 secret_len = -1; 4879 4880 len = m->m_pkthdr.len; 4881 if (len < 5) { 4882 if (debug) 4883 log(LOG_DEBUG, 4884 "%s: pap invalid packet length: %d bytes\n", 4885 ifp->if_xname, len); 4886 return; 4887 } 4888 h = mtod(m, struct lcp_header *); 4889 if (len > ntohs(h->len)) 4890 len = ntohs(h->len); 4891 4892 SPPP_LOCK(sp, RW_WRITER); 4893 4894 switch (h->type) { 4895 /* PAP request is my authproto */ 4896 case PAP_REQ: 4897 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4898 /* can't do anything useful */ 4899 printf("%s: " 4900 "pap request without his name and his secret being set\n", 4901 ifp->if_xname); 4902 break; 4903 } 4904 name = 1 + (u_char *)(h + 1); 4905 name_len = name[-1]; 4906 secret = name + name_len + 1; 4907 if (name_len > len - 6 || 4908 (secret_len = secret[-1]) > len - 6 - name_len) { 4909 if (debug) { 4910 log(LOG_DEBUG, "%s: pap corrupted input " 4911 "<%s id=0x%x len=%d", 4912 ifp->if_xname, 4913 sppp_auth_type_name(PPP_PAP, h->type), 4914 h->ident, ntohs(h->len)); 4915 if (len > 4) 4916 sppp_print_bytes((u_char *)(h + 1), 4917 len - 4); 4918 addlog(">\n"); 4919 } 4920 break; 4921 } 4922 if (debug) { 4923 log(LOG_DEBUG, "%s: pap input(%s) " 4924 "<%s id=0x%x len=%d name=", 4925 ifp->if_xname, 4926 sppp_state_name(sp->scp[IDX_PAP].state), 4927 sppp_auth_type_name(PPP_PAP, h->type), 4928 h->ident, ntohs(h->len)); 4929 sppp_print_string((char *)name, name_len); 4930 addlog(" secret="); 4931 sppp_print_string((char *)secret, secret_len); 4932 addlog(">\n"); 4933 } 4934 if (name_len != sp->hisauth.name_len || 4935 secret_len != sp->hisauth.secret_len || 4936 memcmp(name, sp->hisauth.name, name_len) != 0 || 4937 memcmp(secret, sp->hisauth.secret, secret_len) != 0) { 4938 /* action scn, tld */ 4939 sp->pp_auth_failures++; 4940 mlen = sizeof(FAILMSG) - 1; 4941 sppp_auth_send(&pap, sp, PAP_NAK, h->ident, 4942 sizeof mlen, (const char *)&mlen, 4943 sizeof(FAILMSG) - 1, (const u_char *)FAILMSG, 4944 0); 4945 pap.tld(sp); 4946 break; 4947 } 4948 /* action sca, perhaps tlu */ 4949 if (sp->scp[IDX_PAP].state == STATE_REQ_SENT || 4950 sp->scp[IDX_PAP].state == STATE_OPENED) { 4951 mlen = sizeof(SUCCMSG) - 1; 4952 sppp_auth_send(&pap, sp, PAP_ACK, h->ident, 4953 sizeof mlen, (const char *)&mlen, 4954 sizeof(SUCCMSG) - 1, (const u_char *)SUCCMSG, 4955 0); 4956 } 4957 if (sp->scp[IDX_PAP].state == STATE_REQ_SENT) { 4958 sppp_cp_change_state(&pap, sp, STATE_OPENED); 4959 pap.tlu(sp); 4960 } 4961 break; 4962 4963 /* ack and nak are his authproto */ 4964 case PAP_ACK: 4965 callout_stop(&sp->pap_my_to_ch); 4966 if (debug) { 4967 log(LOG_DEBUG, "%s: pap success", 4968 ifp->if_xname); 4969 name = 1 + (u_char *)(h + 1); 4970 name_len = name[-1]; 4971 if (len > 5 && name_len < len+4) { 4972 addlog(": "); 4973 sppp_print_string(name, name_len); 4974 } 4975 addlog("\n"); 4976 } 4977 x = splnet(); 4978 sp->pp_auth_failures = 0; 4979 sp->pp_flags &= ~PP_NEEDAUTH; 4980 if (sp->myauth.proto == PPP_PAP && 4981 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) && 4982 (sp->lcp.protos & (1 << IDX_PAP)) == 0) { 4983 /* 4984 * We are authenticator for PAP but didn't 4985 * complete yet. Leave it to tlu to proceed 4986 * to network phase. 4987 */ 4988 splx(x); 4989 break; 4990 } 4991 splx(x); 4992 sppp_phase_network(sp); 4993 break; 4994 4995 case PAP_NAK: 4996 callout_stop(&sp->pap_my_to_ch); 4997 sp->pp_auth_failures++; 4998 if (debug) { 4999 log(LOG_INFO, "%s: pap failure", 5000 ifp->if_xname); 5001 name = 1 + (u_char *)(h + 1); 5002 name_len = name[-1]; 5003 if (len > 5 && name_len < len+4) { 5004 addlog(": "); 5005 sppp_print_string(name, name_len); 5006 } 5007 addlog("\n"); 5008 } else 5009 log(LOG_INFO, "%s: pap failure\n", 5010 ifp->if_xname); 5011 /* await LCP shutdown by authenticator */ 5012 break; 5013 5014 default: 5015 /* Unknown PAP packet type -- ignore. */ 5016 if (debug) { 5017 log(LOG_DEBUG, "%s: pap corrupted input " 5018 "<0x%x id=0x%x len=%d", 5019 ifp->if_xname, 5020 h->type, h->ident, ntohs(h->len)); 5021 if (len > 4) 5022 sppp_print_bytes((u_char *)(h + 1), len - 4); 5023 addlog(">\n"); 5024 } 5025 break; 5026 } 5027 5028 SPPP_UNLOCK(sp); 5029 } 5030 5031 static void 5032 sppp_pap_init(struct sppp *sp) 5033 { 5034 5035 KASSERT(SPPP_WLOCKED(sp)); 5036 5037 /* PAP doesn't have STATE_INITIAL at all. */ 5038 sp->scp[IDX_PAP].state = STATE_CLOSED; 5039 sp->scp[IDX_PAP].fail_counter = 0; 5040 sp->scp[IDX_PAP].seq = 0; 5041 sp->scp[IDX_PAP].rseq = 0; 5042 callout_init(&sp->scp[IDX_PAP].ch, CALLOUT_MPSAFE); 5043 callout_init(&sp->pap_my_to_ch, CALLOUT_MPSAFE); 5044 } 5045 5046 static void 5047 sppp_pap_open(struct sppp *sp) 5048 { 5049 5050 KASSERT(SPPP_WLOCKED(sp)); 5051 5052 if (sp->hisauth.proto == PPP_PAP && 5053 (sp->lcp.opts & (1 << LCP_OPT_AUTH_PROTO)) != 0) { 5054 /* we are authenticator for PAP, start our timer */ 5055 sp->scp[IDX_PAP].rst_counter = sp->lcp.max_configure; 5056 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 5057 } 5058 if (sp->myauth.proto == PPP_PAP) { 5059 /* we are peer, send a request, and start a timer */ 5060 pap.scr(sp); 5061 callout_reset(&sp->pap_my_to_ch, sp->lcp.timeout, 5062 sppp_pap_my_TO, sp); 5063 } 5064 } 5065 5066 static void 5067 sppp_pap_close(struct sppp *sp) 5068 { 5069 5070 KASSERT(SPPP_WLOCKED(sp)); 5071 5072 if (sp->scp[IDX_PAP].state != STATE_CLOSED) 5073 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 5074 } 5075 5076 /* 5077 * That's the timeout routine if we are authenticator. Since the 5078 * authenticator is basically passive in PAP, we can't do much here. 5079 */ 5080 static void 5081 sppp_pap_TO(void *cookie) 5082 { 5083 struct sppp *sp = (struct sppp *)cookie; 5084 STDDCL; 5085 int s; 5086 5087 s = splnet(); 5088 SPPP_LOCK(sp, RW_WRITER); 5089 5090 if (debug) 5091 log(LOG_DEBUG, "%s: pap TO(%s) rst_counter = %d\n", 5092 ifp->if_xname, 5093 sppp_state_name(sp->scp[IDX_PAP].state), 5094 sp->scp[IDX_PAP].rst_counter); 5095 5096 if (--sp->scp[IDX_PAP].rst_counter < 0) 5097 /* TO- event */ 5098 switch (sp->scp[IDX_PAP].state) { 5099 case STATE_REQ_SENT: 5100 pap.tld(sp); 5101 sppp_cp_change_state(&pap, sp, STATE_CLOSED); 5102 break; 5103 } 5104 else 5105 /* TO+ event, not very much we could do */ 5106 switch (sp->scp[IDX_PAP].state) { 5107 case STATE_REQ_SENT: 5108 /* sppp_cp_change_state() will restart the timer */ 5109 sppp_cp_change_state(&pap, sp, STATE_REQ_SENT); 5110 break; 5111 } 5112 5113 SPPP_UNLOCK(sp); 5114 splx(s); 5115 } 5116 5117 /* 5118 * That's the timeout handler if we are peer. Since the peer is active, 5119 * we need to retransmit our PAP request since it is apparently lost. 5120 * XXX We should impose a max counter. 5121 */ 5122 static void 5123 sppp_pap_my_TO(void *cookie) 5124 { 5125 struct sppp *sp = (struct sppp *)cookie; 5126 STDDCL; 5127 5128 SPPP_LOCK(sp, RW_WRITER); 5129 if (debug) 5130 log(LOG_DEBUG, "%s: pap peer TO\n", 5131 ifp->if_xname); 5132 5133 pap.scr(sp); 5134 5135 SPPP_UNLOCK(sp); 5136 } 5137 5138 static void 5139 sppp_pap_tlu(struct sppp *sp) 5140 { 5141 STDDCL; 5142 int x; 5143 5144 KASSERT(SPPP_WLOCKED(sp)); 5145 5146 sp->scp[IDX_PAP].rst_counter = sp->lcp.max_configure; 5147 5148 if (debug) 5149 log(LOG_DEBUG, "%s: %s tlu\n", 5150 ifp->if_xname, pap.name); 5151 5152 x = splnet(); 5153 sp->pp_auth_failures = 0; 5154 /* indicate to LCP that we need to be closed down */ 5155 sp->lcp.protos |= (1 << IDX_PAP); 5156 5157 if (sp->pp_flags & PP_NEEDAUTH) { 5158 /* 5159 * Remote is authenticator, but his auth proto didn't 5160 * complete yet. Defer the transition to network 5161 * phase. 5162 */ 5163 splx(x); 5164 return; 5165 } 5166 splx(x); 5167 sppp_phase_network(sp); 5168 } 5169 5170 static void 5171 sppp_pap_tld(struct sppp *sp) 5172 { 5173 STDDCL; 5174 5175 KASSERT(SPPP_WLOCKED(sp)); 5176 5177 if (debug) 5178 log(LOG_DEBUG, "%s: pap tld\n", ifp->if_xname); 5179 callout_stop(&sp->scp[IDX_PAP].ch); 5180 callout_stop(&sp->pap_my_to_ch); 5181 sp->lcp.protos &= ~(1 << IDX_PAP); 5182 5183 lcp.Close(sp); 5184 } 5185 5186 static void 5187 sppp_pap_scr(struct sppp *sp) 5188 { 5189 u_char idlen, pwdlen; 5190 5191 KASSERT(SPPP_WLOCKED(sp)); 5192 5193 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 5194 /* can't do anything useful */ 5195 printf("%s: pap starting without my name and secret being set\n", 5196 sp->pp_if.if_xname); 5197 return; 5198 } 5199 5200 sp->scp[IDX_PAP].confid = ++sp->scp[IDX_PAP].seq; 5201 pwdlen = sp->myauth.secret_len; 5202 idlen = sp->myauth.name_len; 5203 5204 sppp_auth_send(&pap, sp, PAP_REQ, sp->scp[IDX_PAP].confid, 5205 sizeof idlen, (const char *)&idlen, 5206 idlen, sp->myauth.name, 5207 sizeof pwdlen, (const char *)&pwdlen, 5208 pwdlen, sp->myauth.secret, 5209 0); 5210 } 5211 5212 /* 5213 * Random miscellaneous functions. 5214 */ 5215 5216 /* 5217 * Send a PAP or CHAP proto packet. 5218 * 5219 * Varadic function, each of the elements for the ellipsis is of type 5220 * ``size_t mlen, const u_char *msg''. Processing will stop iff 5221 * mlen == 0. 5222 * NOTE: never declare variadic functions with types subject to type 5223 * promotion (i.e. u_char). This is asking for big trouble depending 5224 * on the architecture you are on... 5225 */ 5226 5227 static void 5228 sppp_auth_send(const struct cp *cp, struct sppp *sp, 5229 unsigned int type, unsigned int id, 5230 ...) 5231 { 5232 STDDCL; 5233 struct lcp_header *lh; 5234 struct mbuf *m; 5235 u_char *p; 5236 int len; 5237 size_t pkthdrlen; 5238 unsigned int mlen; 5239 const char *msg; 5240 va_list ap; 5241 5242 KASSERT(SPPP_WLOCKED(sp)); 5243 5244 MGETHDR(m, M_DONTWAIT, MT_DATA); 5245 if (! m) 5246 return; 5247 m_reset_rcvif(m); 5248 5249 if (sp->pp_flags & PP_NOFRAMING) { 5250 *mtod(m, uint16_t *) = htons(cp->proto); 5251 pkthdrlen = 2; 5252 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 5253 } else { 5254 struct ppp_header *h; 5255 h = mtod(m, struct ppp_header *); 5256 h->address = PPP_ALLSTATIONS; /* broadcast address */ 5257 h->control = PPP_UI; /* Unnumbered Info */ 5258 h->protocol = htons(cp->proto); 5259 pkthdrlen = PPP_HEADER_LEN; 5260 5261 lh = (struct lcp_header *)(h + 1); 5262 } 5263 5264 lh->type = type; 5265 lh->ident = id; 5266 p = (u_char *)(lh + 1); 5267 5268 va_start(ap, id); 5269 len = 0; 5270 5271 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 5272 msg = va_arg(ap, const char *); 5273 len += mlen; 5274 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 5275 va_end(ap); 5276 m_freem(m); 5277 return; 5278 } 5279 5280 memcpy(p, msg, mlen); 5281 p += mlen; 5282 } 5283 va_end(ap); 5284 5285 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 5286 lh->len = htons(LCP_HEADER_LEN + len); 5287 5288 if (debug) { 5289 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 5290 ifp->if_xname, cp->name, 5291 sppp_auth_type_name(cp->proto, lh->type), 5292 lh->ident, ntohs(lh->len)); 5293 if (len) 5294 sppp_print_bytes((u_char *)(lh + 1), len); 5295 addlog(">\n"); 5296 } 5297 if (IF_QFULL(&sp->pp_cpq)) { 5298 IF_DROP(&sp->pp_fastq); 5299 IF_DROP(&ifp->if_snd); 5300 m_freem(m); 5301 if_statinc(ifp, if_oerrors); 5302 return; 5303 } 5304 5305 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 5306 IF_ENQUEUE(&sp->pp_cpq, m); 5307 5308 if (! (ifp->if_flags & IFF_OACTIVE)) { 5309 SPPP_UNLOCK(sp); 5310 if_start_lock(ifp); 5311 SPPP_LOCK(sp, RW_WRITER); 5312 } 5313 } 5314 5315 /* 5316 * Send keepalive packets, every 10 seconds. 5317 */ 5318 static void 5319 sppp_keepalive(void *dummy) 5320 { 5321 struct sppp *sp; 5322 int s; 5323 time_t now; 5324 5325 SPPPQ_LOCK(); 5326 5327 s = splnet(); 5328 now = time_uptime; 5329 for (sp=spppq; sp; sp=sp->pp_next) { 5330 struct ifnet *ifp = NULL; 5331 5332 SPPP_LOCK(sp, RW_WRITER); 5333 ifp = &sp->pp_if; 5334 5335 /* check idle timeout */ 5336 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 5337 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 5338 /* idle timeout is enabled for this interface */ 5339 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 5340 if (ifp->if_flags & IFF_DEBUG) 5341 printf("%s: no activity for %lu seconds\n", 5342 sp->pp_if.if_xname, 5343 (unsigned long)(now-sp->pp_last_activity)); 5344 lcp.Close(sp); 5345 SPPP_UNLOCK(sp); 5346 continue; 5347 } 5348 } 5349 5350 /* Keepalive mode disabled or channel down? */ 5351 if (! (sp->pp_flags & PP_KEEPALIVE) || 5352 ! (ifp->if_flags & IFF_RUNNING)) { 5353 SPPP_UNLOCK(sp); 5354 continue; 5355 } 5356 5357 5358 /* No keepalive in PPP mode if LCP not opened yet. */ 5359 if (! (sp->pp_flags & PP_CISCO) && 5360 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) { 5361 SPPP_UNLOCK(sp); 5362 continue; 5363 } 5364 5365 /* No echo reply, but maybe user data passed through? */ 5366 if ((now - sp->pp_last_receive) < sp->pp_max_noreceive) { 5367 sp->pp_alivecnt = 0; 5368 SPPP_UNLOCK(sp); 5369 continue; 5370 } 5371 5372 if (sp->pp_alivecnt >= sp->pp_maxalive) { 5373 /* No keepalive packets got. Stop the interface. */ 5374 SPPP_UNLOCK(sp); 5375 if_down (ifp); 5376 SPPP_LOCK(sp, RW_WRITER); 5377 5378 IF_PURGE(&sp->pp_cpq); 5379 5380 if (! (sp->pp_flags & PP_CISCO)) { 5381 printf("%s: LCP keepalive timed out, going to restart the connection\n", 5382 ifp->if_xname); 5383 sp->pp_alivecnt = 0; 5384 5385 /* we are down, close all open protocols */ 5386 lcp.Close(sp); 5387 5388 /* And now prepare LCP to reestablish the link, if configured to do so. */ 5389 sppp_cp_change_state(&lcp, sp, STATE_STOPPED); 5390 5391 /* Close connection immediately, completition of this 5392 * will summon the magic needed to reestablish it. */ 5393 sppp_notify_tlf_wlocked(sp); 5394 5395 SPPP_UNLOCK(sp); 5396 continue; 5397 } 5398 } 5399 if (sp->pp_alivecnt < sp->pp_maxalive) 5400 ++sp->pp_alivecnt; 5401 if (sp->pp_flags & PP_CISCO) 5402 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 5403 ++sp->scp[IDX_LCP].seq, sp->scp[IDX_LCP].rseq); 5404 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 5405 int32_t nmagic = htonl(sp->lcp.magic); 5406 sp->lcp.echoid = ++sp->scp[IDX_LCP].seq; 5407 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 5408 sp->lcp.echoid, 4, &nmagic); 5409 } 5410 5411 SPPP_UNLOCK(sp); 5412 } 5413 splx(s); 5414 callout_reset(&keepalive_ch, hz * LCP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 5415 5416 SPPPQ_UNLOCK(); 5417 } 5418 5419 #ifdef INET 5420 /* 5421 * Get both IP addresses. 5422 */ 5423 static void 5424 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 5425 { 5426 struct ifnet *ifp = &sp->pp_if; 5427 struct ifaddr *ifa; 5428 struct sockaddr_in *si, *sm; 5429 uint32_t ssrc, ddst; 5430 int s; 5431 struct psref psref; 5432 5433 sm = NULL; 5434 ssrc = ddst = 0; 5435 /* 5436 * Pick the first AF_INET address from the list, 5437 * aliases don't make any sense on a p2p link anyway. 5438 */ 5439 si = 0; 5440 s = pserialize_read_enter(); 5441 IFADDR_READER_FOREACH(ifa, ifp) { 5442 if (ifa->ifa_addr->sa_family == AF_INET) { 5443 si = (struct sockaddr_in *)ifa->ifa_addr; 5444 sm = (struct sockaddr_in *)ifa->ifa_netmask; 5445 if (si) { 5446 ifa_acquire(ifa, &psref); 5447 break; 5448 } 5449 } 5450 } 5451 pserialize_read_exit(s); 5452 if (ifa) { 5453 if (si && si->sin_addr.s_addr) { 5454 ssrc = si->sin_addr.s_addr; 5455 if (srcmask) 5456 *srcmask = ntohl(sm->sin_addr.s_addr); 5457 } 5458 5459 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 5460 if (si && si->sin_addr.s_addr) 5461 ddst = si->sin_addr.s_addr; 5462 ifa_release(ifa, &psref); 5463 } 5464 5465 if (dst) *dst = ntohl(ddst); 5466 if (src) *src = ntohl(ssrc); 5467 } 5468 5469 /* 5470 * Set IP addresses. Must be called at splnet. 5471 * If an address is 0, leave it the way it is. 5472 */ 5473 static void 5474 sppp_set_ip_addrs_work(struct work *wk, struct sppp *sp) 5475 { 5476 STDDCL; 5477 struct ifaddr *ifa; 5478 struct sockaddr_in *si, *dest; 5479 uint32_t myaddr = 0, hisaddr = 0; 5480 int s; 5481 5482 IFNET_LOCK(ifp); 5483 5484 /* 5485 * Pick the first AF_INET address from the list, 5486 * aliases don't make any sense on a p2p link anyway. 5487 */ 5488 si = dest = NULL; 5489 s = pserialize_read_enter(); 5490 IFADDR_READER_FOREACH(ifa, ifp) { 5491 if (ifa->ifa_addr->sa_family == AF_INET) { 5492 si = (struct sockaddr_in *)ifa->ifa_addr; 5493 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5494 break; 5495 } 5496 } 5497 pserialize_read_exit(s); 5498 5499 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 5500 myaddr = sp->ipcp.req_myaddr; 5501 else if (si != NULL) 5502 myaddr = ntohl(si->sin_addr.s_addr); 5503 5504 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 5505 hisaddr = sp->ipcp.req_hisaddr; 5506 else if (dest != NULL) 5507 hisaddr = ntohl(dest->sin_addr.s_addr); 5508 5509 if (si != NULL && dest != NULL) { 5510 int error; 5511 struct sockaddr_in new_sin = *si; 5512 struct sockaddr_in new_dst = *dest; 5513 5514 if (myaddr != 0) 5515 new_sin.sin_addr.s_addr = htonl(myaddr); 5516 if (hisaddr != 0) { 5517 new_dst.sin_addr.s_addr = htonl(hisaddr); 5518 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) 5519 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 5520 } 5521 5522 in_addrhash_remove(ifatoia(ifa)); 5523 5524 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5525 5526 in_addrhash_insert(ifatoia(ifa)); 5527 5528 if (debug && error) 5529 { 5530 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5531 ifp->if_xname, __func__, error); 5532 } 5533 if (!error) { 5534 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5535 } 5536 } 5537 5538 if (ifp->if_mtu > sp->lcp.their_mru) { 5539 sp->pp_saved_mtu = ifp->if_mtu; 5540 ifp->if_mtu = sp->lcp.their_mru; 5541 if (debug) 5542 log(LOG_DEBUG, 5543 "%s: setting MTU to %" PRIu64 " bytes\n", 5544 ifp->if_xname, ifp->if_mtu); 5545 } 5546 5547 IFNET_UNLOCK(ifp); 5548 5549 sppp_notify_con(sp); 5550 } 5551 5552 static void 5553 sppp_set_ip_addrs(struct sppp *sp) 5554 { 5555 struct ifnet *ifp = &sp->pp_if; 5556 5557 if (!pcq_put(sp->ipcp.update_addrs_q, (void *)IPCP_SET_ADDRS)) { 5558 log(LOG_WARNING, "%s: cannot enqueued, ignore sppp_clear_ip_addrs\n", 5559 ifp->if_xname); 5560 return; 5561 } 5562 5563 if (atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1) == 1) 5564 return; 5565 5566 workqueue_enqueue(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk, NULL); 5567 } 5568 5569 /* 5570 * Clear IP addresses. Must be called at splnet. 5571 */ 5572 static void 5573 sppp_clear_ip_addrs_work(struct work *wk, struct sppp *sp) 5574 { 5575 STDDCL; 5576 struct ifaddr *ifa; 5577 struct sockaddr_in *si, *dest; 5578 int s; 5579 5580 IFNET_LOCK(ifp); 5581 5582 /* 5583 * Pick the first AF_INET address from the list, 5584 * aliases don't make any sense on a p2p link anyway. 5585 */ 5586 si = dest = NULL; 5587 s = pserialize_read_enter(); 5588 IFADDR_READER_FOREACH(ifa, ifp) { 5589 if (ifa->ifa_addr->sa_family == AF_INET) { 5590 si = (struct sockaddr_in *)ifa->ifa_addr; 5591 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5592 break; 5593 } 5594 } 5595 pserialize_read_exit(s); 5596 5597 if (si != NULL) { 5598 struct sockaddr_in new_sin = *si; 5599 struct sockaddr_in new_dst = *dest; 5600 int error; 5601 5602 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 5603 new_sin.sin_addr.s_addr = 0; 5604 if (sp->ipcp.flags & IPCP_HISADDR_DYN) 5605 new_dst.sin_addr.s_addr = sp->ipcp.saved_hisaddr; 5606 5607 in_addrhash_remove(ifatoia(ifa)); 5608 5609 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5610 5611 in_addrhash_insert(ifatoia(ifa)); 5612 5613 if (debug && error) 5614 { 5615 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5616 ifp->if_xname, __func__, error); 5617 } 5618 if (!error) { 5619 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5620 } 5621 } 5622 5623 if (sp->pp_saved_mtu > 0) { 5624 ifp->if_mtu = sp->pp_saved_mtu; 5625 sp->pp_saved_mtu = 0; 5626 if (debug) 5627 log(LOG_DEBUG, 5628 "%s: resetting MTU to %" PRIu64 " bytes\n", 5629 ifp->if_xname, ifp->if_mtu); 5630 } 5631 5632 IFNET_UNLOCK(ifp); 5633 } 5634 5635 static void 5636 sppp_clear_ip_addrs(struct sppp *sp) 5637 { 5638 struct ifnet *ifp = &sp->pp_if; 5639 5640 if (!pcq_put(sp->ipcp.update_addrs_q, (void *)IPCP_CLEAR_ADDRS)) { 5641 log(LOG_WARNING, "%s: cannot enqueued, ignore sppp_clear_ip_addrs\n", 5642 ifp->if_xname); 5643 return; 5644 } 5645 5646 if (atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 1) == 1) 5647 return; 5648 5649 workqueue_enqueue(sp->ipcp.update_addrs_wq, &sp->ipcp.update_addrs_wk, NULL); 5650 } 5651 5652 static void 5653 sppp_update_ip_addrs_work(struct work *wk, void *arg) 5654 { 5655 struct sppp *sp = arg; 5656 void *work; 5657 5658 atomic_swap_uint(&sp->ipcp.update_addrs_enqueued, 0); 5659 5660 while ((work = pcq_get(sp->ipcp.update_addrs_q)) != NULL) { 5661 int update = (intptr_t)work; 5662 5663 if (update == IPCP_SET_ADDRS) 5664 sppp_set_ip_addrs_work(wk, sp); 5665 else if (update == IPCP_CLEAR_ADDRS) 5666 sppp_clear_ip_addrs_work(wk, sp); 5667 } 5668 } 5669 #endif 5670 5671 #ifdef INET6 5672 /* 5673 * Get both IPv6 addresses. 5674 */ 5675 static void 5676 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 5677 struct in6_addr *srcmask) 5678 { 5679 struct ifnet *ifp = &sp->pp_if; 5680 struct ifaddr *ifa; 5681 struct sockaddr_in6 *si, *sm; 5682 struct in6_addr ssrc, ddst; 5683 int s; 5684 struct psref psref; 5685 5686 sm = NULL; 5687 memset(&ssrc, 0, sizeof(ssrc)); 5688 memset(&ddst, 0, sizeof(ddst)); 5689 /* 5690 * Pick the first link-local AF_INET6 address from the list, 5691 * aliases don't make any sense on a p2p link anyway. 5692 */ 5693 si = 0; 5694 s = pserialize_read_enter(); 5695 IFADDR_READER_FOREACH(ifa, ifp) { 5696 if (ifa->ifa_addr->sa_family == AF_INET6) { 5697 si = (struct sockaddr_in6 *)ifa->ifa_addr; 5698 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 5699 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) { 5700 ifa_acquire(ifa, &psref); 5701 break; 5702 } 5703 } 5704 } 5705 pserialize_read_exit(s); 5706 5707 if (ifa) { 5708 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 5709 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 5710 if (srcmask) { 5711 memcpy(srcmask, &sm->sin6_addr, 5712 sizeof(*srcmask)); 5713 } 5714 } 5715 5716 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 5717 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 5718 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 5719 ifa_release(ifa, &psref); 5720 } 5721 5722 if (dst) 5723 memcpy(dst, &ddst, sizeof(*dst)); 5724 if (src) 5725 memcpy(src, &ssrc, sizeof(*src)); 5726 } 5727 5728 #ifdef IPV6CP_MYIFID_DYN 5729 /* 5730 * Generate random ifid. 5731 */ 5732 static void 5733 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 5734 { 5735 /* TBD */ 5736 } 5737 5738 /* 5739 * Set my IPv6 address. Must be called at splnet. 5740 */ 5741 static void 5742 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 5743 { 5744 STDDCL; 5745 struct ifaddr *ifa; 5746 struct sockaddr_in6 *sin6; 5747 int s; 5748 struct psref psref; 5749 5750 IFNET_LOCK(ifp); 5751 5752 /* 5753 * Pick the first link-local AF_INET6 address from the list, 5754 * aliases don't make any sense on a p2p link anyway. 5755 */ 5756 5757 sin6 = NULL; 5758 s = pserialize_read_enter(); 5759 IFADDR_READER_FOREACH(ifa, ifp) 5760 { 5761 if (ifa->ifa_addr->sa_family == AF_INET6) 5762 { 5763 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 5764 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) { 5765 ifa_acquire(ifa, &psref); 5766 break; 5767 } 5768 } 5769 } 5770 pserialize_read_exit(s); 5771 5772 if (ifa && sin6) 5773 { 5774 int error; 5775 struct sockaddr_in6 new_sin6 = *sin6; 5776 5777 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 5778 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 5779 if (debug && error) 5780 { 5781 log(LOG_DEBUG, "%s: %s: in6_ifinit failed, error=%d\n", 5782 ifp->if_xname, __func__, error); 5783 } 5784 if (!error) { 5785 pfil_run_addrhooks(if_pfil, SIOCAIFADDR_IN6, ifa); 5786 } 5787 ifa_release(ifa, &psref); 5788 } 5789 5790 IFNET_UNLOCK(ifp); 5791 } 5792 #endif 5793 5794 /* 5795 * Suggest a candidate address to be used by peer. 5796 */ 5797 static void 5798 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 5799 { 5800 struct in6_addr myaddr; 5801 struct timeval tv; 5802 5803 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 5804 5805 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 5806 microtime(&tv); 5807 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 5808 myaddr.s6_addr[14] ^= 0xff; 5809 myaddr.s6_addr[15] ^= 0xff; 5810 } else { 5811 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 5812 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 5813 } 5814 if (suggest) 5815 memcpy(suggest, &myaddr, sizeof(myaddr)); 5816 } 5817 #endif /*INET6*/ 5818 5819 /* 5820 * Process ioctl requests specific to the PPP interface. 5821 * Permissions have already been checked. 5822 */ 5823 static int 5824 sppp_params(struct sppp *sp, u_long cmd, void *data) 5825 { 5826 switch (cmd) { 5827 case SPPPGETAUTHCFG: 5828 { 5829 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5830 int error; 5831 size_t len; 5832 5833 SPPP_LOCK(sp, RW_READER); 5834 5835 cfg->myauthflags = sp->myauth.flags; 5836 cfg->hisauthflags = sp->hisauth.flags; 5837 strlcpy(cfg->ifname, sp->pp_if.if_xname, sizeof(cfg->ifname)); 5838 cfg->hisauth = 0; 5839 if (sp->hisauth.proto) 5840 cfg->hisauth = (sp->hisauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5841 cfg->myauth = 0; 5842 if (sp->myauth.proto) 5843 cfg->myauth = (sp->myauth.proto == PPP_PAP) ? SPPP_AUTHPROTO_PAP : SPPP_AUTHPROTO_CHAP; 5844 if (cfg->myname_length == 0) { 5845 if (sp->myauth.name != NULL) 5846 cfg->myname_length = sp->myauth.name_len + 1; 5847 } else { 5848 if (sp->myauth.name == NULL) { 5849 cfg->myname_length = 0; 5850 } else { 5851 len = sp->myauth.name_len + 1; 5852 5853 5854 if (cfg->myname_length < len) { 5855 SPPP_UNLOCK(sp); 5856 return (ENAMETOOLONG); 5857 } 5858 error = copyout(sp->myauth.name, cfg->myname, len); 5859 if (error) { 5860 SPPP_UNLOCK(sp); 5861 return error; 5862 } 5863 } 5864 } 5865 if (cfg->hisname_length == 0) { 5866 if (sp->hisauth.name != NULL) 5867 cfg->hisname_length = sp->hisauth.name_len + 1; 5868 } else { 5869 if (sp->hisauth.name == NULL) { 5870 cfg->hisname_length = 0; 5871 } else { 5872 len = sp->hisauth.name_len + 1; 5873 5874 if (cfg->hisname_length < len) { 5875 SPPP_UNLOCK(sp); 5876 return (ENAMETOOLONG); 5877 } 5878 error = copyout(sp->hisauth.name, cfg->hisname, len); 5879 if (error) { 5880 SPPP_UNLOCK(sp); 5881 return error; 5882 } 5883 } 5884 } 5885 SPPP_UNLOCK(sp); 5886 } 5887 break; 5888 case SPPPSETAUTHCFG: 5889 { 5890 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 5891 int error; 5892 5893 SPPP_LOCK(sp, RW_WRITER); 5894 5895 if (sp->myauth.name) { 5896 free(sp->myauth.name, M_DEVBUF); 5897 sp->myauth.name = NULL; 5898 } 5899 if (sp->myauth.secret) { 5900 free(sp->myauth.secret, M_DEVBUF); 5901 sp->myauth.secret = NULL; 5902 } 5903 if (sp->hisauth.name) { 5904 free(sp->hisauth.name, M_DEVBUF); 5905 sp->hisauth.name = NULL; 5906 } 5907 if (sp->hisauth.secret) { 5908 free(sp->hisauth.secret, M_DEVBUF); 5909 sp->hisauth.secret = NULL; 5910 } 5911 5912 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 5913 if (cfg->hisname_length >= MCLBYTES) { 5914 SPPP_UNLOCK(sp); 5915 return (ENAMETOOLONG); 5916 } 5917 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 5918 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 5919 if (error) { 5920 free(sp->hisauth.name, M_DEVBUF); 5921 sp->hisauth.name = NULL; 5922 SPPP_UNLOCK(sp); 5923 return error; 5924 } 5925 sp->hisauth.name_len = cfg->hisname_length - 1; 5926 sp->hisauth.name[sp->hisauth.name_len] = 0; 5927 } 5928 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 5929 if (cfg->hissecret_length >= MCLBYTES) { 5930 SPPP_UNLOCK(sp); 5931 return (ENAMETOOLONG); 5932 } 5933 sp->hisauth.secret = malloc(cfg->hissecret_length, 5934 M_DEVBUF, M_WAITOK); 5935 error = copyin(cfg->hissecret, sp->hisauth.secret, 5936 cfg->hissecret_length); 5937 if (error) { 5938 free(sp->hisauth.secret, M_DEVBUF); 5939 sp->hisauth.secret = NULL; 5940 SPPP_UNLOCK(sp); 5941 return error; 5942 } 5943 sp->hisauth.secret_len = cfg->hissecret_length - 1; 5944 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 5945 } 5946 if (cfg->myname != NULL && cfg->myname_length > 0) { 5947 if (cfg->myname_length >= MCLBYTES) { 5948 SPPP_UNLOCK(sp); 5949 return (ENAMETOOLONG); 5950 } 5951 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 5952 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 5953 if (error) { 5954 free(sp->myauth.name, M_DEVBUF); 5955 sp->myauth.name = NULL; 5956 SPPP_UNLOCK(sp); 5957 return error; 5958 } 5959 sp->myauth.name_len = cfg->myname_length - 1; 5960 sp->myauth.name[sp->myauth.name_len] = 0; 5961 } 5962 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 5963 if (cfg->mysecret_length >= MCLBYTES) { 5964 SPPP_UNLOCK(sp); 5965 return (ENAMETOOLONG); 5966 } 5967 sp->myauth.secret = malloc(cfg->mysecret_length, 5968 M_DEVBUF, M_WAITOK); 5969 error = copyin(cfg->mysecret, sp->myauth.secret, 5970 cfg->mysecret_length); 5971 if (error) { 5972 free(sp->myauth.secret, M_DEVBUF); 5973 sp->myauth.secret = NULL; 5974 SPPP_UNLOCK(sp); 5975 return error; 5976 } 5977 sp->myauth.secret_len = cfg->mysecret_length - 1; 5978 sp->myauth.secret[sp->myauth.secret_len] = 0; 5979 } 5980 sp->myauth.flags = cfg->myauthflags; 5981 if (cfg->myauth) 5982 sp->myauth.proto = (cfg->myauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5983 sp->hisauth.flags = cfg->hisauthflags; 5984 if (cfg->hisauth) 5985 sp->hisauth.proto = (cfg->hisauth == SPPP_AUTHPROTO_PAP) ? PPP_PAP : PPP_CHAP; 5986 sp->pp_auth_failures = 0; 5987 if (sp->hisauth.proto != 0) 5988 sp->lcp.opts |= (1 << LCP_OPT_AUTH_PROTO); 5989 else 5990 sp->lcp.opts &= ~(1 << LCP_OPT_AUTH_PROTO); 5991 5992 SPPP_UNLOCK(sp); 5993 } 5994 break; 5995 case SPPPGETLCPCFG: 5996 { 5997 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 5998 5999 SPPP_LOCK(sp, RW_READER); 6000 lcpp->lcp_timeout = sp->lcp.timeout; 6001 SPPP_UNLOCK(sp); 6002 } 6003 break; 6004 case SPPPSETLCPCFG: 6005 { 6006 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 6007 6008 SPPP_LOCK(sp, RW_WRITER); 6009 sp->lcp.timeout = lcpp->lcp_timeout; 6010 SPPP_UNLOCK(sp); 6011 } 6012 break; 6013 case SPPPGETSTATUS: 6014 { 6015 struct spppstatus *status = (struct spppstatus *)data; 6016 6017 SPPP_LOCK(sp, RW_READER); 6018 status->phase = sp->pp_phase; 6019 SPPP_UNLOCK(sp); 6020 } 6021 break; 6022 case SPPPGETSTATUSNCP: 6023 { 6024 struct spppstatusncp *status = (struct spppstatusncp *)data; 6025 6026 SPPP_LOCK(sp, RW_READER); 6027 status->phase = sp->pp_phase; 6028 status->ncpup = sppp_ncp_check(sp); 6029 SPPP_UNLOCK(sp); 6030 } 6031 break; 6032 case SPPPGETIDLETO: 6033 { 6034 struct spppidletimeout *to = (struct spppidletimeout *)data; 6035 6036 SPPP_LOCK(sp, RW_READER); 6037 to->idle_seconds = sp->pp_idle_timeout; 6038 SPPP_UNLOCK(sp); 6039 } 6040 break; 6041 case SPPPSETIDLETO: 6042 { 6043 struct spppidletimeout *to = (struct spppidletimeout *)data; 6044 6045 SPPP_LOCK(sp, RW_WRITER); 6046 sp->pp_idle_timeout = to->idle_seconds; 6047 SPPP_UNLOCK(sp); 6048 } 6049 break; 6050 case SPPPSETAUTHFAILURE: 6051 { 6052 struct spppauthfailuresettings *afsettings = 6053 (struct spppauthfailuresettings *)data; 6054 6055 SPPP_LOCK(sp, RW_WRITER); 6056 sp->pp_max_auth_fail = afsettings->max_failures; 6057 sp->pp_auth_failures = 0; 6058 SPPP_UNLOCK(sp); 6059 } 6060 break; 6061 case SPPPGETAUTHFAILURES: 6062 { 6063 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 6064 6065 SPPP_LOCK(sp, RW_READER); 6066 stats->auth_failures = sp->pp_auth_failures; 6067 stats->max_failures = sp->pp_max_auth_fail; 6068 SPPP_UNLOCK(sp); 6069 } 6070 break; 6071 case SPPPSETDNSOPTS: 6072 { 6073 struct spppdnssettings *req = (struct spppdnssettings *)data; 6074 6075 SPPP_LOCK(sp, RW_WRITER); 6076 sp->query_dns = req->query_dns & 3; 6077 SPPP_UNLOCK(sp); 6078 } 6079 break; 6080 case SPPPGETDNSOPTS: 6081 { 6082 struct spppdnssettings *req = (struct spppdnssettings *)data; 6083 6084 SPPP_LOCK(sp, RW_READER); 6085 req->query_dns = sp->query_dns; 6086 SPPP_UNLOCK(sp); 6087 } 6088 break; 6089 case SPPPGETDNSADDRS: 6090 { 6091 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 6092 6093 SPPP_LOCK(sp, RW_READER); 6094 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 6095 SPPP_UNLOCK(sp); 6096 } 6097 break; 6098 case SPPPGETKEEPALIVE: 6099 { 6100 struct spppkeepalivesettings *settings = 6101 (struct spppkeepalivesettings*)data; 6102 6103 SPPP_LOCK(sp, RW_READER); 6104 settings->maxalive = sp->pp_maxalive; 6105 settings->max_noreceive = sp->pp_max_noreceive; 6106 SPPP_UNLOCK(sp); 6107 } 6108 break; 6109 case SPPPSETKEEPALIVE: 6110 { 6111 struct spppkeepalivesettings *settings = 6112 (struct spppkeepalivesettings*)data; 6113 6114 SPPP_LOCK(sp, RW_WRITER); 6115 sp->pp_maxalive = settings->maxalive; 6116 sp->pp_max_noreceive = settings->max_noreceive; 6117 SPPP_UNLOCK(sp); 6118 } 6119 break; 6120 default: 6121 { 6122 int ret; 6123 6124 MODULE_HOOK_CALL(sppp_params_50_hook, (sp, cmd, data), 6125 enosys(), ret); 6126 if (ret != ENOSYS) 6127 return ret; 6128 return (EINVAL); 6129 } 6130 } 6131 return (0); 6132 } 6133 6134 static void 6135 sppp_phase_network(struct sppp *sp) 6136 { 6137 int i; 6138 uint32_t mask; 6139 6140 KASSERT(SPPP_WLOCKED(sp)); 6141 6142 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 6143 6144 /* Notify NCPs now. */ 6145 for (i = 0; i < IDX_COUNT; i++) 6146 if ((cps[i])->flags & CP_NCP) 6147 (cps[i])->Open(sp); 6148 6149 /* Send Up events to all NCPs. */ 6150 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 6151 if ((sp->lcp.protos & mask) && ((cps[i])->flags & CP_NCP)) { 6152 (cps[i])->Up(sp); 6153 } 6154 6155 /* if no NCP is starting, all this was in vain, close down */ 6156 sppp_lcp_check_and_close(sp); 6157 } 6158 6159 6160 static const char * 6161 sppp_cp_type_name(u_char type) 6162 { 6163 static char buf[12]; 6164 switch (type) { 6165 case CONF_REQ: return "conf-req"; 6166 case CONF_ACK: return "conf-ack"; 6167 case CONF_NAK: return "conf-nak"; 6168 case CONF_REJ: return "conf-rej"; 6169 case TERM_REQ: return "term-req"; 6170 case TERM_ACK: return "term-ack"; 6171 case CODE_REJ: return "code-rej"; 6172 case PROTO_REJ: return "proto-rej"; 6173 case ECHO_REQ: return "echo-req"; 6174 case ECHO_REPLY: return "echo-reply"; 6175 case DISC_REQ: return "discard-req"; 6176 } 6177 snprintf(buf, sizeof(buf), "0x%x", type); 6178 return buf; 6179 } 6180 6181 static const char * 6182 sppp_auth_type_name(u_short proto, u_char type) 6183 { 6184 static char buf[32]; 6185 const char *name; 6186 6187 switch (proto) { 6188 case PPP_CHAP: 6189 switch (type) { 6190 case CHAP_CHALLENGE: return "challenge"; 6191 case CHAP_RESPONSE: return "response"; 6192 case CHAP_SUCCESS: return "success"; 6193 case CHAP_FAILURE: return "failure"; 6194 default: name = "chap"; break; 6195 } 6196 break; 6197 6198 case PPP_PAP: 6199 switch (type) { 6200 case PAP_REQ: return "req"; 6201 case PAP_ACK: return "ack"; 6202 case PAP_NAK: return "nak"; 6203 default: name = "pap"; break; 6204 } 6205 break; 6206 6207 default: 6208 name = "bad"; 6209 break; 6210 } 6211 6212 snprintf(buf, sizeof(buf), "%s(%#x) %#x", name, proto, type); 6213 return buf; 6214 } 6215 6216 static const char * 6217 sppp_lcp_opt_name(u_char opt) 6218 { 6219 static char buf[12]; 6220 switch (opt) { 6221 case LCP_OPT_MRU: return "mru"; 6222 case LCP_OPT_ASYNC_MAP: return "async-map"; 6223 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 6224 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 6225 case LCP_OPT_MAGIC: return "magic"; 6226 case LCP_OPT_PROTO_COMP: return "proto-comp"; 6227 case LCP_OPT_ADDR_COMP: return "addr-comp"; 6228 case LCP_OPT_SELF_DESC_PAD: return "sdpad"; 6229 case LCP_OPT_CALL_BACK: return "callback"; 6230 case LCP_OPT_COMPOUND_FRMS: return "cmpd-frms"; 6231 case LCP_OPT_MP_MRRU: return "mrru"; 6232 case LCP_OPT_MP_SSNHF: return "mp-ssnhf"; 6233 case LCP_OPT_MP_EID: return "mp-eid"; 6234 } 6235 snprintf(buf, sizeof(buf), "0x%x", opt); 6236 return buf; 6237 } 6238 6239 static const char * 6240 sppp_ipcp_opt_name(u_char opt) 6241 { 6242 static char buf[12]; 6243 switch (opt) { 6244 case IPCP_OPT_ADDRESSES: return "addresses"; 6245 case IPCP_OPT_COMPRESSION: return "compression"; 6246 case IPCP_OPT_ADDRESS: return "address"; 6247 } 6248 snprintf(buf, sizeof(buf), "0x%x", opt); 6249 return buf; 6250 } 6251 6252 #ifdef INET6 6253 static const char * 6254 sppp_ipv6cp_opt_name(u_char opt) 6255 { 6256 static char buf[12]; 6257 switch (opt) { 6258 case IPV6CP_OPT_IFID: return "ifid"; 6259 case IPV6CP_OPT_COMPRESSION: return "compression"; 6260 } 6261 snprintf(buf, sizeof(buf), "0x%x", opt); 6262 return buf; 6263 } 6264 #endif 6265 6266 static const char * 6267 sppp_state_name(int state) 6268 { 6269 switch (state) { 6270 case STATE_INITIAL: return "initial"; 6271 case STATE_STARTING: return "starting"; 6272 case STATE_CLOSED: return "closed"; 6273 case STATE_STOPPED: return "stopped"; 6274 case STATE_CLOSING: return "closing"; 6275 case STATE_STOPPING: return "stopping"; 6276 case STATE_REQ_SENT: return "req-sent"; 6277 case STATE_ACK_RCVD: return "ack-rcvd"; 6278 case STATE_ACK_SENT: return "ack-sent"; 6279 case STATE_OPENED: return "opened"; 6280 } 6281 return "illegal"; 6282 } 6283 6284 static const char * 6285 sppp_phase_name(int phase) 6286 { 6287 switch (phase) { 6288 case SPPP_PHASE_DEAD: return "dead"; 6289 case SPPP_PHASE_ESTABLISH: return "establish"; 6290 case SPPP_PHASE_TERMINATE: return "terminate"; 6291 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 6292 case SPPP_PHASE_NETWORK: return "network"; 6293 } 6294 return "illegal"; 6295 } 6296 6297 static const char * 6298 sppp_proto_name(u_short proto) 6299 { 6300 static char buf[12]; 6301 switch (proto) { 6302 case PPP_LCP: return "lcp"; 6303 case PPP_IPCP: return "ipcp"; 6304 case PPP_PAP: return "pap"; 6305 case PPP_CHAP: return "chap"; 6306 case PPP_IPV6CP: return "ipv6cp"; 6307 } 6308 snprintf(buf, sizeof(buf), "0x%x", (unsigned)proto); 6309 return buf; 6310 } 6311 6312 static void 6313 sppp_print_bytes(const u_char *p, u_short len) 6314 { 6315 addlog(" %02x", *p++); 6316 while (--len > 0) 6317 addlog("-%02x", *p++); 6318 } 6319 6320 static void 6321 sppp_print_string(const char *p, u_short len) 6322 { 6323 u_char c; 6324 6325 while (len-- > 0) { 6326 c = *p++; 6327 /* 6328 * Print only ASCII chars directly. RFC 1994 recommends 6329 * using only them, but we don't rely on it. */ 6330 if (c < ' ' || c > '~') 6331 addlog("\\x%x", c); 6332 else 6333 addlog("%c", c); 6334 } 6335 } 6336 6337 static const char * 6338 sppp_dotted_quad(uint32_t addr) 6339 { 6340 static char s[16]; 6341 snprintf(s, sizeof(s), "%d.%d.%d.%d", 6342 (int)((addr >> 24) & 0xff), 6343 (int)((addr >> 16) & 0xff), 6344 (int)((addr >> 8) & 0xff), 6345 (int)(addr & 0xff)); 6346 return s; 6347 } 6348 6349 /* a dummy, used to drop uninteresting events */ 6350 static void 6351 sppp_null(struct sppp *unused) 6352 { 6353 /* do just nothing */ 6354 } 6355 6356 static void 6357 sppp_sca_scn(const struct cp *cp, struct sppp *sp) 6358 { 6359 STDDCL; 6360 u_char rconfid, type, rlen; 6361 void *buf; 6362 size_t blen; 6363 6364 rconfid = sp->scp[cp->protoidx].rconfid; 6365 type = sp->scp[cp->protoidx].rcr_type; 6366 buf = sp->scp[cp->protoidx].rcr_buf; 6367 rlen = sp->scp[cp->protoidx].rcr_rlen; 6368 blen = sp->scp[cp->protoidx].rcr_blen; 6369 6370 sp->scp[cp->protoidx].rcr_buf = NULL; 6371 sp->scp[cp->protoidx].rcr_blen = 0; 6372 6373 if (buf != NULL) { 6374 if (rlen > 0) { 6375 if (debug) { 6376 log(LOG_DEBUG, "%s: send %s\n", 6377 ifp->if_xname, sppp_cp_type_name(type)); 6378 } 6379 sppp_cp_send(sp, cp->proto, type, rconfid, rlen, buf); 6380 } 6381 kmem_free(buf, blen); 6382 } 6383 } 6384 /* 6385 * This file is large. Tell emacs to highlight it nevertheless. 6386 * 6387 * Local Variables: 6388 * hilit-auto-highlight-maxout: 120000 6389 * End: 6390 */ 6391 6392 /* 6393 * Module glue 6394 */ 6395 MODULE(MODULE_CLASS_MISC, sppp_subr, NULL); 6396 6397 static int 6398 sppp_subr_modcmd(modcmd_t cmd, void *arg) 6399 { 6400 switch (cmd) { 6401 case MODULE_CMD_INIT: 6402 case MODULE_CMD_FINI: 6403 return 0; 6404 case MODULE_CMD_STAT: 6405 case MODULE_CMD_AUTOUNLOAD: 6406 default: 6407 return ENOTTY; 6408 } 6409 } 6410 6411 static void 6412 sppp_notify_up(struct sppp *sp) 6413 { 6414 6415 SPPP_LOCK(sp, RW_WRITER); 6416 lcp.Up(sp); 6417 SPPP_UNLOCK(sp); 6418 } 6419 6420 static void 6421 sppp_notify_down(struct sppp *sp) 6422 { 6423 6424 SPPP_LOCK(sp, RW_WRITER); 6425 lcp.Down(sp); 6426 SPPP_UNLOCK(sp); 6427 } 6428 6429 static void 6430 sppp_notify_tls_wlocked(struct sppp *sp) 6431 { 6432 6433 KASSERT(SPPP_WLOCKED(sp)); 6434 6435 if (!sp->pp_tls) 6436 return; 6437 6438 SPPP_UNLOCK(sp); 6439 sp->pp_tls(sp); 6440 SPPP_LOCK(sp, RW_WRITER); 6441 } 6442 6443 static void 6444 sppp_notify_tlf_wlocked(struct sppp *sp) 6445 { 6446 6447 KASSERT(SPPP_WLOCKED(sp)); 6448 6449 if (!sp->pp_tlf) 6450 return; 6451 6452 SPPP_UNLOCK(sp); 6453 sp->pp_tlf(sp); 6454 SPPP_LOCK(sp, RW_WRITER); 6455 } 6456 6457 static void 6458 sppp_notify_con(struct sppp *sp) 6459 { 6460 6461 if (!sp->pp_con) 6462 return; 6463 6464 sp->pp_con(sp); 6465 } 6466 6467 #ifdef INET6 6468 static void 6469 sppp_notify_con_wlocked(struct sppp *sp) 6470 { 6471 6472 KASSERT(SPPP_WLOCKED(sp)); 6473 6474 SPPP_UNLOCK(sp); 6475 sppp_notify_con(sp); 6476 SPPP_LOCK(sp, RW_WRITER); 6477 6478 } 6479 #endif 6480 6481 static void 6482 sppp_notify_chg_wlocked(struct sppp *sp) 6483 { 6484 6485 KASSERT(SPPP_WLOCKED(sp)); 6486 6487 if (!sp->pp_chg) 6488 return; 6489 6490 SPPP_UNLOCK(sp); 6491 sp->pp_chg(sp, sp->pp_phase); 6492 SPPP_LOCK(sp, RW_WRITER); 6493 } 6494
Indexes created Fri Sep 26 20:09:58 GMT 2025