if_spppsubr.c revision 1.249
1 /* $NetBSD: if_spppsubr.c,v 1.249 2021/06/01 04:19:57 yamaguchi Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak (at) cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun (at) iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.249 2021/06/01 04:19:57 yamaguchi Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_modular.h" 49 #include "opt_compat_netbsd.h" 50 #include "opt_net_mpsafe.h" 51 #include "opt_sppp.h" 52 #endif 53 54 #include <sys/param.h> 55 #include <sys/proc.h> 56 #include <sys/systm.h> 57 #include <sys/kernel.h> 58 #include <sys/sockio.h> 59 #include <sys/socket.h> 60 #include <sys/syslog.h> 61 #include <sys/malloc.h> 62 #include <sys/mbuf.h> 63 #include <sys/callout.h> 64 #include <sys/md5.h> 65 #include <sys/inttypes.h> 66 #include <sys/kauth.h> 67 #include <sys/cprng.h> 68 #include <sys/module.h> 69 #include <sys/workqueue.h> 70 #include <sys/atomic.h> 71 #include <sys/compat_stub.h> 72 #include <sys/cpu.h> 73 74 #include <net/if.h> 75 #include <net/netisr.h> 76 #include <net/if_types.h> 77 #include <net/route.h> 78 #include <net/ppp_defs.h> 79 80 #include <netinet/in.h> 81 #include <netinet/in_systm.h> 82 #include <netinet/in_var.h> 83 #ifdef INET 84 #include <netinet/ip.h> 85 #include <netinet/tcp.h> 86 #endif 87 #include <net/ethertypes.h> 88 89 #ifdef INET6 90 #include <netinet6/scope6_var.h> 91 #endif 92 93 #include <net/if_sppp.h> 94 #include <net/if_spppvar.h> 95 96 #ifdef NET_MPSAFE 97 #define SPPPSUBR_MPSAFE 1 98 #endif 99 100 #define DEFAULT_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 101 #define DEFAULT_ALIVE_INTERVAL 1 /* count of sppp_keepalive */ 102 #define LOOPALIVECNT 3 /* loopback detection tries */ 103 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 104 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 105 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 106 107 #ifndef SPPP_KEEPALIVE_INTERVAL 108 #define SPPP_KEEPALIVE_INTERVAL DEFAULT_KEEPALIVE_INTERVAL 109 #endif 110 111 #ifndef SPPP_NORECV_TIME 112 #define SPPP_NORECV_TIME DEFAULT_NORECV_TIME 113 #endif 114 115 #ifndef SPPP_ALIVE_INTERVAL 116 #define SPPP_ALIVE_INTERVAL DEFAULT_ALIVE_INTERVAL 117 #endif 118 119 #define SPPP_CPTYPE_NAMELEN 5 /* buf size of cp type name */ 120 #define SPPP_AUTHTYPE_NAMELEN 32 /* buf size of auth type name */ 121 #define SPPP_LCPOPT_NAMELEN 5 /* buf size of lcp option name */ 122 #define SPPP_IPCPOPT_NAMELEN 5 /* buf size of ipcp option name */ 123 #define SPPP_IPV6CPOPT_NAMELEN 5 /* buf size of ipv6cp option name */ 124 #define SPPP_PROTO_NAMELEN 7 /* buf size of protocol name */ 125 #define SPPP_DOTQUAD_BUFLEN 16 /* length of "aa.bb.cc.dd" */ 126 127 /* 128 * Interface flags that can be set in an ifconfig command. 129 * 130 * Setting link0 will make the link passive, i.e. it will be marked 131 * as being administrative openable, but won't be opened to begin 132 * with. Incoming calls will be answered, or subsequent calls with 133 * -link1 will cause the administrative open of the LCP layer. 134 * 135 * Setting link1 will cause the link to auto-dial only as packets 136 * arrive to be sent. 137 * 138 * Setting IFF_DEBUG will syslog the option negotiation and state 139 * transitions at level kern.debug. Note: all logs consistently look 140 * like 141 * 142 * <if-name><unit>: <proto-name> <additional info...> 143 * 144 * with <if-name><unit> being something like "bppp0", and <proto-name> 145 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 146 */ 147 148 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 149 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 150 151 #define CONF_REQ 1 /* PPP configure request */ 152 #define CONF_ACK 2 /* PPP configure acknowledge */ 153 #define CONF_NAK 3 /* PPP configure negative ack */ 154 #define CONF_REJ 4 /* PPP configure reject */ 155 #define TERM_REQ 5 /* PPP terminate request */ 156 #define TERM_ACK 6 /* PPP terminate acknowledge */ 157 #define CODE_REJ 7 /* PPP code reject */ 158 #define PROTO_REJ 8 /* PPP protocol reject */ 159 #define ECHO_REQ 9 /* PPP echo request */ 160 #define ECHO_REPLY 10 /* PPP echo reply */ 161 #define DISC_REQ 11 /* PPP discard request */ 162 163 #define LCP_OPT_MRU 1 /* maximum receive unit */ 164 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 165 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 166 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 167 #define LCP_OPT_MAGIC 5 /* magic number */ 168 #define LCP_OPT_RESERVED 6 /* reserved */ 169 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 170 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 171 #define LCP_OPT_FCS_ALTS 9 /* FCS alternatives */ 172 #define LCP_OPT_SELF_DESC_PAD 10 /* self-describing padding */ 173 #define LCP_OPT_CALL_BACK 13 /* callback */ 174 #define LCP_OPT_COMPOUND_FRMS 15 /* compound frames */ 175 #define LCP_OPT_MP_MRRU 17 /* multilink MRRU */ 176 #define LCP_OPT_MP_SSNHF 18 /* multilink short seq. numbers */ 177 #define LCP_OPT_MP_EID 19 /* multilink endpoint discriminator */ 178 179 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 180 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 181 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 182 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 183 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 184 185 #define IPCP_UPDATE_LIMIT 8 /* limit of pending IP updating job */ 186 #define IPCP_SET_ADDRS 1 /* marker for IP address setting job */ 187 #define IPCP_CLEAR_ADDRS 2 /* marker for IP address clearing job */ 188 189 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 190 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 191 192 #define PAP_REQ 1 /* PAP name/password request */ 193 #define PAP_ACK 2 /* PAP acknowledge */ 194 #define PAP_NAK 3 /* PAP fail */ 195 196 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 197 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 198 #define CHAP_SUCCESS 3 /* CHAP response ok */ 199 #define CHAP_FAILURE 4 /* CHAP response failed */ 200 201 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 202 203 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 204 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 205 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 206 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 207 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 208 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 209 210 #define PPP_NOPROTO 0 /* no authentication protocol */ 211 212 enum { 213 STATE_INITIAL = SPPP_STATE_INITIAL, 214 STATE_STARTING = SPPP_STATE_STARTING, 215 STATE_CLOSED = SPPP_STATE_CLOSED, 216 STATE_STOPPED = SPPP_STATE_STOPPED, 217 STATE_CLOSING = SPPP_STATE_CLOSING, 218 STATE_STOPPING = SPPP_STATE_STOPPING, 219 STATE_REQ_SENT = SPPP_STATE_REQ_SENT, 220 STATE_ACK_RCVD = SPPP_STATE_ACK_RCVD, 221 STATE_ACK_SENT = SPPP_STATE_ACK_SENT, 222 STATE_OPENED = SPPP_STATE_OPENED, 223 }; 224 225 enum cp_rcr_type { 226 CP_RCR_NONE = 0, /* initial value */ 227 CP_RCR_ACK, /* RCR+ */ 228 CP_RCR_NAK, /* RCR- */ 229 CP_RCR_REJ, /* RCR- */ 230 CP_RCR_DROP, /* DROP message */ 231 CP_RCR_ERR, /* internal error */ 232 }; 233 234 struct ppp_header { 235 uint8_t address; 236 uint8_t control; 237 uint16_t protocol; 238 } __packed; 239 #define PPP_HEADER_LEN sizeof (struct ppp_header) 240 241 struct lcp_header { 242 uint8_t type; 243 uint8_t ident; 244 uint16_t len; 245 } __packed; 246 #define LCP_HEADER_LEN sizeof (struct lcp_header) 247 248 struct cisco_packet { 249 uint32_t type; 250 uint32_t par1; 251 uint32_t par2; 252 uint16_t rel; 253 uint16_t time0; 254 uint16_t time1; 255 } __packed; 256 #define CISCO_PACKET_LEN 18 257 258 /* 259 * We follow the spelling and capitalization of RFC 1661 here, to make 260 * it easier comparing with the standard. Please refer to this RFC in 261 * case you can't make sense out of these abbreviation; it will also 262 * explain the semantics related to the various events and actions. 263 */ 264 struct cp { 265 u_short proto; /* PPP control protocol number */ 266 u_char protoidx; /* index into state table in struct sppp */ 267 u_char flags; 268 #define CP_LCP 0x01 /* this is the LCP */ 269 #define CP_AUTH 0x02 /* this is an authentication protocol */ 270 #define CP_NCP 0x04 /* this is a NCP */ 271 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 272 const char *name; /* name of this control protocol */ 273 /* event handlers */ 274 void (*Up)(struct sppp *, void *); 275 void (*Down)(struct sppp *, void *); 276 void (*Open)(struct sppp *, void *); 277 void (*Close)(struct sppp *, void *); 278 void (*TO)(struct sppp *, void *); 279 /* actions */ 280 void (*tlu)(struct sppp *); 281 void (*tld)(struct sppp *); 282 void (*tls)(const struct cp *, struct sppp *); 283 void (*tlf)(const struct cp *, struct sppp *); 284 void (*scr)(struct sppp *); 285 void (*screply)(const struct cp *, struct sppp *, u_char, 286 uint8_t, size_t, void *); 287 288 /* message parser */ 289 enum cp_rcr_type 290 (*parse_confreq)(struct sppp *, struct lcp_header *, int, 291 uint8_t **, size_t *, size_t *); 292 void (*parse_confrej)(struct sppp *, struct lcp_header *, int); 293 void (*parse_confnak)(struct sppp *, struct lcp_header *, int); 294 }; 295 296 enum auth_role { 297 SPPP_AUTH_NOROLE = 0, 298 SPPP_AUTH_SERV = __BIT(0), 299 SPPP_AUTH_PEER = __BIT(1), 300 }; 301 302 static struct sppp *spppq; 303 static kmutex_t *spppq_lock = NULL; 304 static callout_t keepalive_ch; 305 static unsigned int sppp_keepalive_cnt = 0; 306 307 #define SPPPQ_LOCK() if (spppq_lock) \ 308 mutex_enter(spppq_lock); 309 #define SPPPQ_UNLOCK() if (spppq_lock) \ 310 mutex_exit(spppq_lock); 311 312 #define SPPP_LOCK(_sp, _op) rw_enter(&(_sp)->pp_lock, (_op)) 313 #define SPPP_UNLOCK(_sp) rw_exit(&(_sp)->pp_lock) 314 #define SPPP_WLOCKED(_sp) rw_write_held(&(_sp)->pp_lock) 315 #define SPPP_UPGRADE(_sp) do{ \ 316 SPPP_UNLOCK(_sp); \ 317 SPPP_LOCK(_sp, RW_WRITER); \ 318 }while (0) 319 #define SPPP_DOWNGRADE(_sp) rw_downgrade(&(_sp)->pp_lock) 320 #define SPPP_WQ_SET(_wk, _func, _arg) \ 321 sppp_wq_set((_wk), (_func), __UNCONST((_arg))) 322 323 #ifdef INET 324 #ifndef SPPPSUBR_MPSAFE 325 /* 326 * The following disgusting hack gets around the problem that IP TOS 327 * can't be set yet. We want to put "interactive" traffic on a high 328 * priority queue. To decide if traffic is interactive, we check that 329 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 330 * 331 * XXX is this really still necessary? - joerg - 332 */ 333 static u_short interactive_ports[8] = { 334 0, 513, 0, 0, 335 0, 21, 0, 23, 336 }; 337 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 338 #endif /* SPPPSUBR_MPSAFE */ 339 #endif 340 341 /* almost every function needs these */ 342 #define STDDCL \ 343 struct ifnet *ifp = &sp->pp_if; \ 344 int debug = ifp->if_flags & IFF_DEBUG 345 346 static int sppp_output(struct ifnet *, struct mbuf *, 347 const struct sockaddr *, const struct rtentry *); 348 349 static void sppp_cisco_send(struct sppp *, int, int32_t, int32_t); 350 static void sppp_cisco_input(struct sppp *, struct mbuf *); 351 352 static void sppp_cp_init(const struct cp *, struct sppp *); 353 static void sppp_cp_fini(const struct cp *, struct sppp *); 354 static void sppp_cp_input(const struct cp *, struct sppp *, 355 struct mbuf *); 356 static void sppp_cp_input(const struct cp *, struct sppp *, 357 struct mbuf *); 358 static void sppp_cp_send(struct sppp *, u_short, u_char, 359 u_char, u_short, void *); 360 /* static void sppp_cp_timeout(void *arg); */ 361 static void sppp_cp_change_state(const struct cp *, struct sppp *, int); 362 static struct workqueue * 363 sppp_wq_create(struct sppp *, const char *, pri_t, int, int); 364 static void sppp_wq_destroy(struct sppp *, struct workqueue *); 365 static void sppp_wq_set(struct sppp_work *, 366 void (*)(struct sppp *, void *), void *); 367 static void sppp_wq_add(struct workqueue *, struct sppp_work *); 368 static void sppp_wq_wait(struct workqueue *, struct sppp_work *); 369 static void sppp_cp_to_lcp(void *); 370 static void sppp_cp_to_ipcp(void *); 371 static void sppp_cp_to_ipv6cp(void *); 372 static void sppp_auth_send(const struct cp *, struct sppp *, 373 unsigned int, unsigned int, ...); 374 static int sppp_auth_role(const struct cp *, struct sppp *); 375 static void sppp_auth_to_event(struct sppp *, void *); 376 static void sppp_auth_screply(const struct cp *, struct sppp *, 377 u_char, uint8_t, size_t, void *); 378 static void sppp_up_event(struct sppp *, void *); 379 static void sppp_down_event(struct sppp *, void *); 380 static void sppp_open_event(struct sppp *, void *); 381 static void sppp_close_event(struct sppp *, void *); 382 static void sppp_to_event(struct sppp *, void *); 383 static void sppp_rcr_event(struct sppp *, void *); 384 static void sppp_rca_event(struct sppp *, void *); 385 static void sppp_rcn_event(struct sppp *, void *); 386 static void sppp_rtr_event(struct sppp *, void *); 387 static void sppp_rta_event(struct sppp *, void *); 388 static void sppp_rxj_event(struct sppp *, void *); 389 390 static void sppp_null(struct sppp *); 391 static void sppp_tls(const struct cp *, struct sppp *); 392 static void sppp_tlf(const struct cp *, struct sppp *); 393 static void sppp_screply(const struct cp *, struct sppp *, 394 u_char, uint8_t, size_t, void *); 395 static void sppp_ifdown(struct sppp *, void *); 396 397 static void sppp_lcp_init(struct sppp *); 398 static void sppp_lcp_up(struct sppp *, void *); 399 static void sppp_lcp_down(struct sppp *, void *); 400 static void sppp_lcp_open(struct sppp *, void *); 401 static enum cp_rcr_type 402 sppp_lcp_confreq(struct sppp *, struct lcp_header *, int, 403 uint8_t **, size_t *, size_t *); 404 static void sppp_lcp_confrej(struct sppp *, struct lcp_header *, int); 405 static void sppp_lcp_confnak(struct sppp *, struct lcp_header *, int); 406 static void sppp_lcp_tlu(struct sppp *); 407 static void sppp_lcp_tld(struct sppp *); 408 static void sppp_lcp_tls(const struct cp *, struct sppp *); 409 static void sppp_lcp_tlf(const struct cp *, struct sppp *); 410 static void sppp_lcp_scr(struct sppp *); 411 static void sppp_lcp_check_and_close(struct sppp *); 412 static int sppp_cp_check(struct sppp *, u_char); 413 414 static void sppp_ipcp_init(struct sppp *); 415 static void sppp_ipcp_open(struct sppp *, void *); 416 static void sppp_ipcp_close(struct sppp *, void *); 417 static enum cp_rcr_type 418 sppp_ipcp_confreq(struct sppp *, struct lcp_header *, int, 419 uint8_t **, size_t *, size_t *); 420 static void sppp_ipcp_confrej(struct sppp *, struct lcp_header *, int); 421 static void sppp_ipcp_confnak(struct sppp *, struct lcp_header *, int); 422 static void sppp_ipcp_tlu(struct sppp *); 423 static void sppp_ipcp_scr(struct sppp *); 424 425 static void sppp_ipv6cp_init(struct sppp *); 426 static void sppp_ipv6cp_open(struct sppp *, void *); 427 static enum cp_rcr_type 428 sppp_ipv6cp_confreq(struct sppp *, struct lcp_header *, int, 429 uint8_t **, size_t *, size_t *); 430 static void sppp_ipv6cp_confrej(struct sppp *, struct lcp_header *, int); 431 static void sppp_ipv6cp_confnak(struct sppp *, struct lcp_header *, int); 432 static void sppp_ipv6cp_tlu(struct sppp *); 433 static void sppp_ipv6cp_scr(struct sppp *); 434 435 static void sppp_pap_input(struct sppp *, struct mbuf *); 436 static void sppp_pap_init(struct sppp *); 437 static void sppp_pap_tlu(struct sppp *); 438 static void sppp_pap_scr(struct sppp *); 439 static void sppp_pap_scr(struct sppp *); 440 441 static void sppp_chap_input(struct sppp *, struct mbuf *); 442 static void sppp_chap_init(struct sppp *); 443 static void sppp_chap_open(struct sppp *, void *); 444 static void sppp_chap_tlu(struct sppp *); 445 static void sppp_chap_scr(struct sppp *); 446 static void sppp_chap_rcv_challenge_event(struct sppp *, void *); 447 448 static const char *sppp_auth_type_name(char *, size_t, u_short, u_char); 449 static const char *sppp_cp_type_name(char *, size_t, u_char); 450 static const char *sppp_dotted_quad(char *, size_t, uint32_t); 451 static const char *sppp_ipcp_opt_name(char *, size_t, u_char); 452 #ifdef INET6 453 static const char *sppp_ipv6cp_opt_name(char *, size_t, u_char); 454 #endif 455 static const char *sppp_lcp_opt_name(char *, size_t, u_char); 456 static const char *sppp_phase_name(int); 457 static const char *sppp_proto_name(char *, size_t, u_short); 458 static const char *sppp_state_name(int); 459 static int sppp_params(struct sppp *, u_long, void *); 460 #ifdef INET 461 static void sppp_get_ip_addrs(struct sppp *, uint32_t *, uint32_t *, uint32_t *); 462 static void sppp_set_ip_addrs(struct sppp *); 463 static void sppp_clear_ip_addrs(struct sppp *); 464 #endif 465 static void sppp_keepalive(void *); 466 static void sppp_phase_network(struct sppp *); 467 static void sppp_print_bytes(const u_char *, u_short); 468 static void sppp_print_string(const char *, u_short); 469 #ifdef INET6 470 static void sppp_get_ip6_addrs(struct sppp *, struct in6_addr *, 471 struct in6_addr *, struct in6_addr *); 472 #ifdef IPV6CP_MYIFID_DYN 473 static void sppp_set_ip6_addr(struct sppp *, const struct in6_addr *); 474 static void sppp_gen_ip6_addr(struct sppp *, const struct in6_addr *); 475 #endif 476 static void sppp_suggest_ip6_addr(struct sppp *, struct in6_addr *); 477 #endif 478 479 static void sppp_notify_up(struct sppp *); 480 static void sppp_notify_down(struct sppp *); 481 static void sppp_notify_tls_wlocked(struct sppp *); 482 static void sppp_notify_tlf_wlocked(struct sppp *); 483 #ifdef INET6 484 static void sppp_notify_con_wlocked(struct sppp *); 485 #endif 486 static void sppp_notify_con(struct sppp *); 487 488 static void sppp_notify_chg_wlocked(struct sppp *); 489 490 /* our control protocol descriptors */ 491 static const struct cp lcp = { 492 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 493 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, 494 sppp_close_event, sppp_to_event, 495 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, 496 sppp_lcp_tlf, sppp_lcp_scr, sppp_screply, 497 sppp_lcp_confreq, sppp_lcp_confrej, sppp_lcp_confnak 498 }; 499 500 static const struct cp ipcp = { 501 PPP_IPCP, IDX_IPCP, 502 #ifdef INET 503 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 504 #else 505 0, 506 #endif 507 "ipcp", 508 sppp_up_event, sppp_down_event, sppp_ipcp_open, 509 sppp_ipcp_close, sppp_to_event, 510 sppp_ipcp_tlu, sppp_null, sppp_tls, 511 sppp_tlf, sppp_ipcp_scr, sppp_screply, 512 sppp_ipcp_confreq, sppp_ipcp_confrej, sppp_ipcp_confnak, 513 }; 514 515 static const struct cp ipv6cp = { 516 PPP_IPV6CP, IDX_IPV6CP, 517 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 518 CP_NCP, 519 #else 520 0, 521 #endif 522 "ipv6cp", 523 sppp_up_event, sppp_down_event, sppp_ipv6cp_open, 524 sppp_close_event, sppp_to_event, 525 sppp_ipv6cp_tlu, sppp_null, sppp_tls, 526 sppp_tlf, sppp_ipv6cp_scr, sppp_screply, 527 sppp_ipv6cp_confreq, sppp_ipv6cp_confrej, sppp_ipv6cp_confnak, 528 }; 529 530 static const struct cp pap = { 531 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 532 sppp_up_event, sppp_down_event, sppp_open_event, 533 sppp_close_event, sppp_to_event, 534 sppp_pap_tlu, sppp_null, sppp_tls, sppp_tlf, 535 sppp_pap_scr, sppp_auth_screply, 536 NULL, NULL, NULL 537 }; 538 539 static const struct cp chap = { 540 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 541 sppp_up_event, sppp_down_event, sppp_chap_open, 542 sppp_close_event, sppp_auth_to_event, 543 sppp_chap_tlu, sppp_null, sppp_tls, sppp_tlf, 544 sppp_chap_scr, sppp_auth_screply, 545 NULL, NULL, NULL 546 }; 547 548 static const struct cp *cps[IDX_COUNT] = { 549 &lcp, /* IDX_LCP */ 550 &ipcp, /* IDX_IPCP */ 551 &ipv6cp, /* IDX_IPV6CP */ 552 &pap, /* IDX_PAP */ 553 &chap, /* IDX_CHAP */ 554 }; 555 556 static inline u_int 557 sppp_proto2authproto(u_short proto) 558 { 559 560 switch (proto) { 561 case PPP_PAP: 562 return SPPP_AUTHPROTO_PAP; 563 case PPP_CHAP: 564 return SPPP_AUTHPROTO_CHAP; 565 } 566 567 return SPPP_AUTHPROTO_NONE; 568 } 569 570 static inline u_short 571 sppp_authproto2proto(u_int authproto) 572 { 573 574 switch (authproto) { 575 case SPPP_AUTHPROTO_PAP: 576 return PPP_PAP; 577 case SPPP_AUTHPROTO_CHAP: 578 return PPP_CHAP; 579 } 580 581 return PPP_NOPROTO; 582 } 583 584 static void 585 sppp_change_phase(struct sppp *sp, int phase) 586 { 587 STDDCL; 588 589 KASSERT(SPPP_WLOCKED(sp)); 590 591 if (sp->pp_phase == phase) 592 return; 593 594 sp->pp_phase = phase; 595 596 if (phase == SPPP_PHASE_NETWORK) 597 if_link_state_change(ifp, LINK_STATE_UP); 598 else 599 if_link_state_change(ifp, LINK_STATE_DOWN); 600 601 if (debug) 602 { 603 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 604 sppp_phase_name(sp->pp_phase)); 605 } 606 } 607 608 /* 609 * Exported functions, comprising our interface to the lower layer. 610 */ 611 612 /* 613 * Process the received packet. 614 */ 615 void 616 sppp_input(struct ifnet *ifp, struct mbuf *m) 617 { 618 struct ppp_header *h = NULL; 619 pktqueue_t *pktq = NULL; 620 struct ifqueue *inq = NULL; 621 uint16_t protocol; 622 struct sppp *sp = (struct sppp *)ifp; 623 int debug = ifp->if_flags & IFF_DEBUG; 624 int isr = 0; 625 626 SPPP_LOCK(sp, RW_READER); 627 628 if (ifp->if_flags & IFF_UP) { 629 /* Count received bytes, add hardware framing */ 630 if_statadd(ifp, if_ibytes, m->m_pkthdr.len + sp->pp_framebytes); 631 /* Note time of last receive */ 632 sp->pp_last_receive = time_uptime; 633 } 634 635 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 636 /* Too small packet, drop it. */ 637 if (debug) 638 log(LOG_DEBUG, 639 "%s: input packet is too small, %d bytes\n", 640 ifp->if_xname, m->m_pkthdr.len); 641 goto drop; 642 } 643 644 if (sp->pp_flags & PP_NOFRAMING) { 645 memcpy(&protocol, mtod(m, void *), 2); 646 protocol = ntohs(protocol); 647 m_adj(m, 2); 648 } else { 649 650 /* Get PPP header. */ 651 h = mtod(m, struct ppp_header *); 652 m_adj(m, PPP_HEADER_LEN); 653 654 switch (h->address) { 655 case PPP_ALLSTATIONS: 656 if (h->control != PPP_UI) 657 goto invalid; 658 if (sp->pp_flags & PP_CISCO) { 659 if (debug) 660 log(LOG_DEBUG, 661 "%s: PPP packet in Cisco mode " 662 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 663 ifp->if_xname, 664 h->address, h->control, ntohs(h->protocol)); 665 goto drop; 666 } 667 break; 668 case CISCO_MULTICAST: 669 case CISCO_UNICAST: 670 /* Don't check the control field here (RFC 1547). */ 671 if (! (sp->pp_flags & PP_CISCO)) { 672 if (debug) 673 log(LOG_DEBUG, 674 "%s: Cisco packet in PPP mode " 675 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 676 ifp->if_xname, 677 h->address, h->control, ntohs(h->protocol)); 678 goto drop; 679 } 680 switch (ntohs(h->protocol)) { 681 default: 682 if_statinc(ifp, if_noproto); 683 goto invalid; 684 case CISCO_KEEPALIVE: 685 SPPP_UNLOCK(sp); 686 sppp_cisco_input((struct sppp *) ifp, m); 687 m_freem(m); 688 return; 689 #ifdef INET 690 case ETHERTYPE_IP: 691 pktq = ip_pktq; 692 break; 693 #endif 694 #ifdef INET6 695 case ETHERTYPE_IPV6: 696 pktq = ip6_pktq; 697 break; 698 #endif 699 } 700 goto queue_pkt; 701 default: /* Invalid PPP packet. */ 702 invalid: 703 if (debug) 704 log(LOG_DEBUG, 705 "%s: invalid input packet " 706 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 707 ifp->if_xname, 708 h->address, h->control, ntohs(h->protocol)); 709 goto drop; 710 } 711 protocol = ntohs(h->protocol); 712 } 713 714 switch (protocol) { 715 reject_protocol: 716 if (sp->scp[IDX_LCP].state == STATE_OPENED) { 717 uint16_t prot = htons(protocol); 718 719 SPPP_UPGRADE(sp); 720 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 721 ++sp->scp[IDX_LCP].seq, m->m_pkthdr.len + 2, 722 &prot); 723 SPPP_DOWNGRADE(sp); 724 } 725 if_statinc(ifp, if_noproto); 726 goto drop; 727 default: 728 if (debug) { 729 log(LOG_DEBUG, 730 "%s: invalid input protocol " 731 "<proto=0x%x>\n", ifp->if_xname, protocol); 732 } 733 goto reject_protocol; 734 case PPP_LCP: 735 SPPP_UNLOCK(sp); 736 sppp_cp_input(&lcp, sp, m); 737 /* already m_freem(m) */ 738 return; 739 case PPP_PAP: 740 SPPP_UNLOCK(sp); 741 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 742 sppp_pap_input(sp, m); 743 } 744 m_freem(m); 745 return; 746 case PPP_CHAP: 747 SPPP_UNLOCK(sp); 748 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 749 sppp_chap_input(sp, m); 750 } 751 m_freem(m); 752 return; 753 #ifdef INET 754 case PPP_IPCP: 755 if (!ISSET(sp->pp_ncpflags, SPPP_NCP_IPCP)) { 756 log(LOG_INFO, "%s: reject IPCP packet " 757 "because IPCP is disabled\n", 758 ifp->if_xname); 759 goto reject_protocol; 760 } 761 SPPP_UNLOCK(sp); 762 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 763 sppp_cp_input(&ipcp, sp, m); 764 /* already m_freem(m) */ 765 } else { 766 m_freem(m); 767 } 768 return; 769 case PPP_IP: 770 if (sp->scp[IDX_IPCP].state == STATE_OPENED) { 771 sp->pp_last_activity = time_uptime; 772 pktq = ip_pktq; 773 } 774 break; 775 #endif 776 #ifdef INET6 777 case PPP_IPV6CP: 778 if (!ISSET(sp->pp_ncpflags, SPPP_NCP_IPV6CP)) { 779 log(LOG_INFO, "%s: reject IPv6CP packet " 780 "because IPv6CP is disabled\n", 781 ifp->if_xname); 782 goto reject_protocol; 783 } 784 SPPP_UNLOCK(sp); 785 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 786 sppp_cp_input(&ipv6cp, sp, m); 787 /* already m_freem(m) */ 788 } else { 789 m_freem(m); 790 } 791 return; 792 793 case PPP_IPV6: 794 if (sp->scp[IDX_IPV6CP].state == STATE_OPENED) { 795 sp->pp_last_activity = time_uptime; 796 pktq = ip6_pktq; 797 } 798 break; 799 #endif 800 } 801 802 queue_pkt: 803 if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) { 804 goto drop; 805 } 806 807 /* Check queue. */ 808 if (__predict_true(pktq)) { 809 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 810 goto drop; 811 } 812 SPPP_UNLOCK(sp); 813 return; 814 } 815 816 SPPP_UNLOCK(sp); 817 818 IFQ_LOCK(inq); 819 if (IF_QFULL(inq)) { 820 /* Queue overflow. */ 821 IF_DROP(inq); 822 IFQ_UNLOCK(inq); 823 if (debug) 824 log(LOG_DEBUG, "%s: protocol queue overflow\n", 825 ifp->if_xname); 826 827 SPPP_LOCK(sp, RW_READER); 828 goto drop; 829 } 830 IF_ENQUEUE(inq, m); 831 IFQ_UNLOCK(inq); 832 schednetisr(isr); 833 return; 834 835 drop: 836 if_statadd2(ifp, if_ierrors, 1, if_iqdrops, 1); 837 m_freem(m); 838 SPPP_UNLOCK(sp); 839 return; 840 } 841 842 /* 843 * Enqueue transmit packet. 844 */ 845 static int 846 sppp_output(struct ifnet *ifp, struct mbuf *m, 847 const struct sockaddr *dst, const struct rtentry *rt) 848 { 849 struct sppp *sp = (struct sppp *) ifp; 850 struct ppp_header *h = NULL; 851 #ifndef SPPPSUBR_MPSAFE 852 struct ifqueue *ifq = NULL; /* XXX */ 853 #endif 854 int s, error = 0; 855 uint16_t protocol; 856 size_t pktlen; 857 858 s = splnet(); 859 SPPP_LOCK(sp, RW_READER); 860 861 sp->pp_last_activity = time_uptime; 862 863 if ((ifp->if_flags & IFF_UP) == 0 || 864 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 865 SPPP_UNLOCK(sp); 866 splx(s); 867 868 m_freem(m); 869 if_statinc(ifp, if_oerrors); 870 return (ENETDOWN); 871 } 872 873 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 874 /* ignore packets that have no enabled NCP */ 875 if ((dst->sa_family == AF_INET && 876 !ISSET(sp->pp_ncpflags, SPPP_NCP_IPCP)) || 877 (dst->sa_family == AF_INET6 && 878 !ISSET(sp->pp_ncpflags, SPPP_NCP_IPV6CP))) { 879 SPPP_UNLOCK(sp); 880 splx(s); 881 882 m_freem(m); 883 if_statinc(ifp, if_oerrors); 884 return (ENETDOWN); 885 } 886 /* 887 * Interface is not yet running, but auto-dial. Need 888 * to start LCP for it. 889 */ 890 ifp->if_flags |= IFF_RUNNING; 891 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open); 892 } 893 894 /* 895 * If the queueing discipline needs packet classification, 896 * do it before prepending link headers. 897 */ 898 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family); 899 900 #ifdef INET 901 if (dst->sa_family == AF_INET) { 902 struct ip *ip = NULL; 903 #ifndef SPPPSUBR_MPSAFE 904 struct tcphdr *th = NULL; 905 #endif 906 907 if (m->m_len >= sizeof(struct ip)) { 908 ip = mtod(m, struct ip *); 909 #ifndef SPPPSUBR_MPSAFE 910 if (ip->ip_p == IPPROTO_TCP && 911 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 912 sizeof(struct tcphdr)) { 913 th = (struct tcphdr *) 914 ((char *)ip + (ip->ip_hl << 2)); 915 } 916 #endif 917 } else 918 ip = NULL; 919 920 /* 921 * When using dynamic local IP address assignment by using 922 * 0.0.0.0 as a local address, the first TCP session will 923 * not connect because the local TCP checksum is computed 924 * using 0.0.0.0 which will later become our real IP address 925 * so the TCP checksum computed at the remote end will 926 * become invalid. So we 927 * - don't let packets with src ip addr 0 thru 928 * - we flag TCP packets with src ip 0 as an error 929 */ 930 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 931 uint8_t proto = ip->ip_p; 932 933 SPPP_UNLOCK(sp); 934 splx(s); 935 936 m_freem(m); 937 if (proto == IPPROTO_TCP) 938 return (EADDRNOTAVAIL); 939 else 940 return (0); 941 } 942 943 #ifndef SPPPSUBR_MPSAFE 944 /* 945 * Put low delay, telnet, rlogin and ftp control packets 946 * in front of the queue. 947 */ 948 if (!IF_QFULL(&sp->pp_fastq) && 949 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 950 (th && (INTERACTIVE(ntohs(th->th_sport)) || 951 INTERACTIVE(ntohs(th->th_dport)))))) 952 ifq = &sp->pp_fastq; 953 #endif /* !SPPPSUBR_MPSAFE */ 954 } 955 #endif 956 957 #ifdef INET6 958 if (dst->sa_family == AF_INET6) { 959 /* XXX do something tricky here? */ 960 } 961 #endif 962 963 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 964 /* 965 * Prepend general data packet PPP header. For now, IP only. 966 */ 967 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 968 if (! m) { 969 if (ifp->if_flags & IFF_DEBUG) 970 log(LOG_DEBUG, "%s: no memory for transmit header\n", 971 ifp->if_xname); 972 if_statinc(ifp, if_oerrors); 973 SPPP_UNLOCK(sp); 974 splx(s); 975 return (ENOBUFS); 976 } 977 /* 978 * May want to check size of packet 979 * (albeit due to the implementation it's always enough) 980 */ 981 h = mtod(m, struct ppp_header *); 982 if (sp->pp_flags & PP_CISCO) { 983 h->address = CISCO_UNICAST; /* unicast address */ 984 h->control = 0; 985 } else { 986 h->address = PPP_ALLSTATIONS; /* broadcast address */ 987 h->control = PPP_UI; /* Unnumbered Info */ 988 } 989 } 990 991 switch (dst->sa_family) { 992 #ifdef INET 993 case AF_INET: /* Internet Protocol */ 994 if (sp->pp_flags & PP_CISCO) 995 protocol = htons(ETHERTYPE_IP); 996 else { 997 /* 998 * Don't choke with an ENETDOWN early. It's 999 * possible that we just started dialing out, 1000 * so don't drop the packet immediately. If 1001 * we notice that we run out of buffer space 1002 * below, we will however remember that we are 1003 * not ready to carry IP packets, and return 1004 * ENETDOWN, as opposed to ENOBUFS. 1005 */ 1006 protocol = htons(PPP_IP); 1007 if (sp->scp[IDX_IPCP].state != STATE_OPENED) { 1008 if (ifp->if_flags & IFF_AUTO) { 1009 error = ENETDOWN; 1010 } else { 1011 IF_DROP(&ifp->if_snd); 1012 SPPP_UNLOCK(sp); 1013 splx(s); 1014 1015 m_freem(m); 1016 if_statinc(ifp, if_oerrors); 1017 return (ENETDOWN); 1018 } 1019 } 1020 } 1021 break; 1022 #endif 1023 #ifdef INET6 1024 case AF_INET6: /* Internet Protocol version 6 */ 1025 if (sp->pp_flags & PP_CISCO) 1026 protocol = htons(ETHERTYPE_IPV6); 1027 else { 1028 /* 1029 * Don't choke with an ENETDOWN early. It's 1030 * possible that we just started dialing out, 1031 * so don't drop the packet immediately. If 1032 * we notice that we run out of buffer space 1033 * below, we will however remember that we are 1034 * not ready to carry IP packets, and return 1035 * ENETDOWN, as opposed to ENOBUFS. 1036 */ 1037 protocol = htons(PPP_IPV6); 1038 if (sp->scp[IDX_IPV6CP].state != STATE_OPENED) { 1039 if (ifp->if_flags & IFF_AUTO) { 1040 error = ENETDOWN; 1041 } else { 1042 IF_DROP(&ifp->if_snd); 1043 SPPP_UNLOCK(sp); 1044 splx(s); 1045 1046 m_freem(m); 1047 if_statinc(ifp, if_oerrors); 1048 return (ENETDOWN); 1049 } 1050 } 1051 } 1052 break; 1053 #endif 1054 default: 1055 m_freem(m); 1056 if_statinc(ifp, if_oerrors); 1057 SPPP_UNLOCK(sp); 1058 splx(s); 1059 return (EAFNOSUPPORT); 1060 } 1061 1062 if (sp->pp_flags & PP_NOFRAMING) { 1063 M_PREPEND(m, 2, M_DONTWAIT); 1064 if (m == NULL) { 1065 if (ifp->if_flags & IFF_DEBUG) 1066 log(LOG_DEBUG, "%s: no memory for transmit header\n", 1067 ifp->if_xname); 1068 if_statinc(ifp, if_oerrors); 1069 SPPP_UNLOCK(sp); 1070 splx(s); 1071 return (ENOBUFS); 1072 } 1073 *mtod(m, uint16_t *) = protocol; 1074 } else { 1075 h->protocol = protocol; 1076 } 1077 1078 pktlen = m->m_pkthdr.len; 1079 #ifdef SPPPSUBR_MPSAFE 1080 SPPP_UNLOCK(sp); 1081 error = if_transmit_lock(ifp, m); 1082 SPPP_LOCK(sp, RW_READER); 1083 if (error == 0) 1084 if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes); 1085 #else /* !SPPPSUBR_MPSAFE */ 1086 error = ifq_enqueue2(ifp, ifq, m); 1087 1088 if (error == 0) { 1089 /* 1090 * Count output packets and bytes. 1091 * The packet length includes header + additional hardware 1092 * framing according to RFC 1333. 1093 */ 1094 if (!(ifp->if_flags & IFF_OACTIVE)) { 1095 SPPP_UNLOCK(sp); 1096 if_start_lock(ifp); 1097 SPPP_LOCK(sp, RW_READER); 1098 } 1099 if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes); 1100 } 1101 #endif /* !SPPPSUBR_MPSAFE */ 1102 SPPP_UNLOCK(sp); 1103 splx(s); 1104 return error; 1105 } 1106 1107 void 1108 sppp_attach(struct ifnet *ifp) 1109 { 1110 struct sppp *sp = (struct sppp *) ifp; 1111 char xnamebuf[MAXCOMLEN]; 1112 1113 /* Initialize keepalive handler. */ 1114 if (! spppq) { 1115 callout_init(&keepalive_ch, CALLOUT_MPSAFE); 1116 callout_reset(&keepalive_ch, hz * SPPP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 1117 } 1118 1119 if (! spppq_lock) 1120 spppq_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_SOFTNET); 1121 1122 sp->pp_if.if_type = IFT_PPP; 1123 sp->pp_if.if_output = sppp_output; 1124 sp->pp_fastq.ifq_maxlen = 32; 1125 sp->pp_cpq.ifq_maxlen = 20; 1126 sp->pp_loopcnt = 0; 1127 sp->pp_alivecnt = 0; 1128 sp->pp_alive_interval = SPPP_ALIVE_INTERVAL; 1129 sp->pp_last_activity = 0; 1130 sp->pp_last_receive = 0; 1131 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 1132 sp->pp_max_noreceive = SPPP_NORECV_TIME; 1133 sp->pp_idle_timeout = 0; 1134 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 1135 sp->pp_phase = SPPP_PHASE_DEAD; 1136 sp->pp_up = sppp_notify_up; 1137 sp->pp_down = sppp_notify_down; 1138 sp->pp_ncpflags = SPPP_NCP_IPCP | SPPP_NCP_IPV6CP; 1139 #ifdef SPPP_IFDOWN_RECONNECT 1140 sp->pp_flags |= PP_LOOPBACK_IFDOWN | PP_KEEPALIVE_IFDOWN; 1141 #endif 1142 sppp_wq_set(&sp->work_ifdown, sppp_ifdown, NULL); 1143 memset(sp->scp, 0, sizeof(sp->scp)); 1144 rw_init(&sp->pp_lock); 1145 1146 if_alloc_sadl(ifp); 1147 1148 /* Lets not beat about the bush, we know we're down. */ 1149 ifp->if_link_state = LINK_STATE_DOWN; 1150 1151 snprintf(xnamebuf, sizeof(xnamebuf), "%s.wq_cp", ifp->if_xname); 1152 sp->wq_cp = sppp_wq_create(sp, xnamebuf, 1153 PRI_SOFTNET, IPL_SOFTNET, WQ_MPSAFE); 1154 1155 memset(&sp->myauth, 0, sizeof sp->myauth); 1156 memset(&sp->hisauth, 0, sizeof sp->hisauth); 1157 SPPP_LOCK(sp, RW_WRITER); 1158 sppp_lcp_init(sp); 1159 sppp_ipcp_init(sp); 1160 sppp_ipv6cp_init(sp); 1161 sppp_pap_init(sp); 1162 sppp_chap_init(sp); 1163 SPPP_UNLOCK(sp); 1164 1165 SPPPQ_LOCK(); 1166 /* Insert new entry into the keepalive list. */ 1167 sp->pp_next = spppq; 1168 spppq = sp; 1169 SPPPQ_UNLOCK(); 1170 } 1171 1172 void 1173 sppp_detach(struct ifnet *ifp) 1174 { 1175 struct sppp **q, *p, *sp = (struct sppp *) ifp; 1176 1177 /* Remove the entry from the keepalive list. */ 1178 SPPPQ_LOCK(); 1179 for (q = &spppq; (p = *q); q = &p->pp_next) 1180 if (p == sp) { 1181 *q = p->pp_next; 1182 break; 1183 } 1184 SPPPQ_UNLOCK(); 1185 1186 if (! spppq) { 1187 /* Stop keepalive handler. */ 1188 callout_stop(&keepalive_ch); 1189 mutex_obj_free(spppq_lock); 1190 spppq_lock = NULL; 1191 } 1192 1193 sppp_cp_fini(&lcp, sp); 1194 sppp_cp_fini(&ipcp, sp); 1195 sppp_cp_fini(&pap, sp); 1196 sppp_cp_fini(&chap, sp); 1197 #ifdef INET6 1198 sppp_cp_fini(&ipv6cp, sp); 1199 #endif 1200 sppp_wq_destroy(sp, sp->wq_cp); 1201 1202 /* free authentication info */ 1203 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 1204 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 1205 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 1206 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 1207 rw_destroy(&sp->pp_lock); 1208 } 1209 1210 /* 1211 * Flush the interface output queue. 1212 */ 1213 void 1214 sppp_flush(struct ifnet *ifp) 1215 { 1216 struct sppp *sp = (struct sppp *) ifp; 1217 1218 SPPP_LOCK(sp, RW_WRITER); 1219 IFQ_PURGE(&sp->pp_if.if_snd); 1220 IF_PURGE(&sp->pp_fastq); 1221 IF_PURGE(&sp->pp_cpq); 1222 SPPP_UNLOCK(sp); 1223 } 1224 1225 /* 1226 * Check if the output queue is empty. 1227 */ 1228 int 1229 sppp_isempty(struct ifnet *ifp) 1230 { 1231 struct sppp *sp = (struct sppp *) ifp; 1232 int empty, s; 1233 1234 s = splnet(); 1235 SPPP_LOCK(sp, RW_READER); 1236 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 1237 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 1238 SPPP_UNLOCK(sp); 1239 splx(s); 1240 return (empty); 1241 } 1242 1243 /* 1244 * Get next packet to send. 1245 */ 1246 struct mbuf * 1247 sppp_dequeue(struct ifnet *ifp) 1248 { 1249 struct sppp *sp = (struct sppp *) ifp; 1250 struct mbuf *m; 1251 int s; 1252 1253 s = splnet(); 1254 SPPP_LOCK(sp, RW_WRITER); 1255 /* 1256 * Process only the control protocol queue until we have at 1257 * least one NCP open. 1258 * 1259 * Do always serve all three queues in Cisco mode. 1260 */ 1261 IF_DEQUEUE(&sp->pp_cpq, m); 1262 if (m == NULL && 1263 (sppp_cp_check(sp, CP_NCP) || (sp->pp_flags & PP_CISCO) != 0)) { 1264 IF_DEQUEUE(&sp->pp_fastq, m); 1265 if (m == NULL) 1266 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 1267 } 1268 SPPP_UNLOCK(sp); 1269 splx(s); 1270 return m; 1271 } 1272 1273 /* 1274 * Process an ioctl request. Called on low priority level. 1275 */ 1276 int 1277 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1278 { 1279 struct lwp *l = curlwp; /* XXX */ 1280 struct ifreq *ifr = (struct ifreq *) data; 1281 struct ifaddr *ifa = (struct ifaddr *) data; 1282 struct sppp *sp = (struct sppp *) ifp; 1283 int s, error=0, going_up, going_down; 1284 u_short newmode; 1285 u_long lcp_mru; 1286 1287 s = splnet(); 1288 switch (cmd) { 1289 case SIOCINITIFADDR: 1290 ifa->ifa_rtrequest = p2p_rtrequest; 1291 break; 1292 1293 case SIOCSIFFLAGS: 1294 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1295 break; 1296 1297 SPPP_LOCK(sp, RW_WRITER); 1298 going_up = ifp->if_flags & IFF_UP && 1299 (ifp->if_flags & IFF_RUNNING) == 0; 1300 going_down = (ifp->if_flags & IFF_UP) == 0 && 1301 ifp->if_flags & IFF_RUNNING; 1302 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1303 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1304 /* sanity */ 1305 newmode = IFF_PASSIVE; 1306 ifp->if_flags &= ~IFF_AUTO; 1307 } 1308 1309 if (going_up || going_down) { 1310 sp->lcp.reestablish = false; 1311 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 1312 } 1313 if (going_up && newmode == 0) { 1314 /* neither auto-dial nor passive */ 1315 ifp->if_flags |= IFF_RUNNING; 1316 if (!(sp->pp_flags & PP_CISCO)) { 1317 sppp_wq_add(sp->wq_cp, 1318 &sp->scp[IDX_LCP].work_open); 1319 } 1320 } else if (going_down) { 1321 SPPP_UNLOCK(sp); 1322 sppp_flush(ifp); 1323 SPPP_LOCK(sp, RW_WRITER); 1324 1325 ifp->if_flags &= ~IFF_RUNNING; 1326 } 1327 SPPP_UNLOCK(sp); 1328 break; 1329 1330 case SIOCSIFMTU: 1331 if (ifr->ifr_mtu < PPP_MINMRU || 1332 ifr->ifr_mtu > PP_MTU) { 1333 error = EINVAL; 1334 break; 1335 } 1336 1337 error = ifioctl_common(ifp, cmd, data); 1338 if (error == ENETRESET) 1339 error = 0; 1340 1341 SPPP_LOCK(sp, RW_WRITER); 1342 lcp_mru = sp->lcp.mru; 1343 if (ifp->if_mtu < PP_MTU) { 1344 sp->lcp.mru = ifp->if_mtu; 1345 } else { 1346 sp->lcp.mru = PP_MTU; 1347 } 1348 if (lcp_mru != sp->lcp.mru) 1349 SET(sp->lcp.opts, SPPP_LCP_OPT_MRU); 1350 1351 if (sp->scp[IDX_LCP].state == STATE_OPENED && 1352 ifp->if_mtu > sp->lcp.their_mru) { 1353 sp->pp_saved_mtu = ifp->if_mtu; 1354 ifp->if_mtu = sp->lcp.their_mru; 1355 1356 if (ifp->if_flags & IFF_DEBUG) { 1357 log(LOG_DEBUG, 1358 "%s: setting MTU " 1359 "from %"PRIu64" bytes " 1360 "to %"PRIu64" bytes\n", 1361 ifp->if_xname, sp->pp_saved_mtu, 1362 ifp->if_mtu); 1363 } 1364 } 1365 SPPP_UNLOCK(sp); 1366 break; 1367 1368 case SIOCGIFMTU: 1369 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1370 error = 0; 1371 break; 1372 case SIOCADDMULTI: 1373 case SIOCDELMULTI: 1374 break; 1375 1376 case SPPPSETAUTHCFG: 1377 case SPPPSETLCPCFG: 1378 case SPPPSETNCPCFG: 1379 case SPPPSETIDLETO: 1380 case SPPPSETAUTHFAILURE: 1381 case SPPPSETDNSOPTS: 1382 case SPPPSETKEEPALIVE: 1383 #if defined(COMPAT_50) || defined(MODULAR) 1384 case __SPPPSETIDLETO50: 1385 case __SPPPSETKEEPALIVE50: 1386 #endif /* COMPAT_50 || MODULAR */ 1387 error = kauth_authorize_network(l->l_cred, 1388 KAUTH_NETWORK_INTERFACE, 1389 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1390 NULL); 1391 if (error) 1392 break; 1393 error = sppp_params(sp, cmd, data); 1394 break; 1395 1396 case SPPPGETAUTHCFG: 1397 case SPPPGETLCPCFG: 1398 case SPPPGETNCPCFG: 1399 case SPPPGETAUTHFAILURES: 1400 error = kauth_authorize_network(l->l_cred, 1401 KAUTH_NETWORK_INTERFACE, 1402 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1403 NULL); 1404 if (error) 1405 break; 1406 error = sppp_params(sp, cmd, data); 1407 break; 1408 1409 case SPPPGETSTATUS: 1410 case SPPPGETSTATUSNCP: 1411 case SPPPGETIDLETO: 1412 case SPPPGETDNSOPTS: 1413 case SPPPGETDNSADDRS: 1414 case SPPPGETKEEPALIVE: 1415 #if defined(COMPAT_50) || defined(MODULAR) 1416 case __SPPPGETIDLETO50: 1417 case __SPPPGETKEEPALIVE50: 1418 #endif /* COMPAT_50 || MODULAR */ 1419 case SPPPGETLCPSTATUS: 1420 case SPPPGETIPCPSTATUS: 1421 case SPPPGETIPV6CPSTATUS: 1422 error = sppp_params(sp, cmd, data); 1423 break; 1424 1425 default: 1426 error = ifioctl_common(ifp, cmd, data); 1427 break; 1428 } 1429 splx(s); 1430 return (error); 1431 } 1432 1433 /* 1434 * Cisco framing implementation. 1435 */ 1436 1437 /* 1438 * Handle incoming Cisco keepalive protocol packets. 1439 */ 1440 static void 1441 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1442 { 1443 STDDCL; 1444 struct cisco_packet *h; 1445 #ifdef INET 1446 uint32_t me, mymask = 0; /* XXX: GCC */ 1447 #endif 1448 1449 SPPP_LOCK(sp, RW_WRITER); 1450 1451 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1452 if (debug) 1453 log(LOG_DEBUG, 1454 "%s: cisco invalid packet length: %d bytes\n", 1455 ifp->if_xname, m->m_pkthdr.len); 1456 SPPP_UNLOCK(sp); 1457 return; 1458 } 1459 h = mtod(m, struct cisco_packet *); 1460 if (debug) 1461 log(LOG_DEBUG, 1462 "%s: cisco input: %d bytes " 1463 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1464 ifp->if_xname, m->m_pkthdr.len, 1465 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1466 (u_int)h->time0, (u_int)h->time1); 1467 switch (ntohl(h->type)) { 1468 default: 1469 if (debug) 1470 addlog("%s: cisco unknown packet type: 0x%x\n", 1471 ifp->if_xname, ntohl(h->type)); 1472 break; 1473 case CISCO_ADDR_REPLY: 1474 /* Reply on address request, ignore */ 1475 break; 1476 case CISCO_KEEPALIVE_REQ: 1477 sp->pp_alivecnt = 0; 1478 sp->scp[IDX_LCP].rseq = ntohl(h->par1); 1479 if (sp->scp[IDX_LCP].seq == sp->scp[IDX_LCP].rseq) { 1480 /* Local and remote sequence numbers are equal. 1481 * Probably, the line is in loopback mode. */ 1482 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1483 printf ("%s: loopback\n", 1484 ifp->if_xname); 1485 sp->pp_loopcnt = 0; 1486 1487 if (sp->pp_flags & PP_LOOPBACK_IFDOWN) { 1488 sp->pp_flags |= PP_LOOPBACK; 1489 sppp_wq_add(sp->wq_cp, 1490 &sp->work_ifdown); 1491 } 1492 1493 sppp_wq_add(sp->wq_cp, 1494 &sp->scp[IDX_LCP].work_close); 1495 sppp_wq_add(sp->wq_cp, 1496 &sp->scp[IDX_LCP].work_open); 1497 } else { 1498 ++sp->pp_loopcnt; 1499 } 1500 1501 /* Generate new local sequence number */ 1502 sp->scp[IDX_LCP].seq = cprng_fast32(); 1503 break; 1504 } 1505 sp->pp_loopcnt = 0; 1506 if (! (ifp->if_flags & IFF_UP) && 1507 (ifp->if_flags & IFF_RUNNING)) { 1508 SPPP_UNLOCK(sp); 1509 if_up(ifp); 1510 SPPP_LOCK(sp, RW_WRITER); 1511 sp->pp_flags &= ~PP_LOOPBACK; 1512 } 1513 break; 1514 case CISCO_ADDR_REQ: 1515 #ifdef INET 1516 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1517 if (me != 0L) 1518 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1519 #endif 1520 break; 1521 } 1522 SPPP_UNLOCK(sp); 1523 } 1524 1525 /* 1526 * Send Cisco keepalive packet. 1527 */ 1528 static void 1529 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1530 { 1531 STDDCL; 1532 struct ppp_header *h; 1533 struct cisco_packet *ch; 1534 struct mbuf *m; 1535 uint32_t t; 1536 1537 KASSERT(SPPP_WLOCKED(sp)); 1538 1539 t = time_uptime * 1000; 1540 MGETHDR(m, M_DONTWAIT, MT_DATA); 1541 if (! m) 1542 return; 1543 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1544 m_reset_rcvif(m); 1545 1546 h = mtod(m, struct ppp_header *); 1547 h->address = CISCO_MULTICAST; 1548 h->control = 0; 1549 h->protocol = htons(CISCO_KEEPALIVE); 1550 1551 ch = (struct cisco_packet *)(h + 1); 1552 ch->type = htonl(type); 1553 ch->par1 = htonl(par1); 1554 ch->par2 = htonl(par2); 1555 ch->rel = -1; 1556 1557 ch->time0 = htons((u_short)(t >> 16)); 1558 ch->time1 = htons((u_short) t); 1559 1560 if (debug) 1561 log(LOG_DEBUG, 1562 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1563 ifp->if_xname, ntohl(ch->type), ch->par1, 1564 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1565 (u_int)ch->time1); 1566 1567 if (IF_QFULL(&sp->pp_cpq)) { 1568 IF_DROP(&sp->pp_fastq); 1569 IF_DROP(&ifp->if_snd); 1570 m_freem(m); 1571 if_statinc(ifp, if_oerrors); 1572 return; 1573 } 1574 1575 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 1576 IF_ENQUEUE(&sp->pp_cpq, m); 1577 1578 if (! (ifp->if_flags & IFF_OACTIVE)) { 1579 SPPP_UNLOCK(sp); 1580 if_start_lock(ifp); 1581 SPPP_LOCK(sp, RW_WRITER); 1582 } 1583 } 1584 1585 /* 1586 * PPP protocol implementation. 1587 */ 1588 1589 /* 1590 * Send PPP control protocol packet. 1591 */ 1592 static void 1593 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1594 u_char ident, u_short len, void *data) 1595 { 1596 STDDCL; 1597 struct lcp_header *lh; 1598 struct mbuf *m; 1599 size_t pkthdrlen; 1600 1601 KASSERT(SPPP_WLOCKED(sp)); 1602 1603 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1604 1605 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1606 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1607 MGETHDR(m, M_DONTWAIT, MT_DATA); 1608 if (! m) { 1609 return; 1610 } 1611 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1612 m_reset_rcvif(m); 1613 1614 if (sp->pp_flags & PP_NOFRAMING) { 1615 *mtod(m, uint16_t *) = htons(proto); 1616 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1617 } else { 1618 struct ppp_header *h; 1619 h = mtod(m, struct ppp_header *); 1620 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1621 h->control = PPP_UI; /* Unnumbered Info */ 1622 h->protocol = htons(proto); /* Link Control Protocol */ 1623 lh = (struct lcp_header *)(h + 1); 1624 } 1625 lh->type = type; 1626 lh->ident = ident; 1627 lh->len = htons(LCP_HEADER_LEN + len); 1628 if (len) 1629 memcpy(lh + 1, data, len); 1630 1631 if (debug) { 1632 char pbuf[SPPP_PROTO_NAMELEN]; 1633 char tbuf[SPPP_CPTYPE_NAMELEN]; 1634 const char *pname, *cpname; 1635 1636 pname = sppp_proto_name(pbuf, sizeof(pbuf), proto); 1637 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), lh->type); 1638 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1639 ifp->if_xname, pname, cpname, 1640 lh->ident, ntohs(lh->len)); 1641 if (len) 1642 sppp_print_bytes((u_char *)(lh + 1), len); 1643 addlog(">\n"); 1644 } 1645 if (IF_QFULL(&sp->pp_cpq)) { 1646 IF_DROP(&sp->pp_fastq); 1647 IF_DROP(&ifp->if_snd); 1648 m_freem(m); 1649 if_statinc(ifp, if_oerrors); 1650 return; 1651 } 1652 1653 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 1654 IF_ENQUEUE(&sp->pp_cpq, m); 1655 1656 if (! (ifp->if_flags & IFF_OACTIVE)) { 1657 SPPP_UNLOCK(sp); 1658 if_start_lock(ifp); 1659 SPPP_LOCK(sp, RW_WRITER); 1660 } 1661 } 1662 1663 static void 1664 sppp_cp_to_lcp(void *xsp) 1665 { 1666 struct sppp *sp = xsp; 1667 1668 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_to); 1669 } 1670 1671 static void 1672 sppp_cp_to_ipcp(void *xsp) 1673 { 1674 struct sppp *sp = xsp; 1675 1676 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_IPCP].work_to); 1677 } 1678 1679 static void 1680 sppp_cp_to_ipv6cp(void *xsp) 1681 { 1682 struct sppp *sp = xsp; 1683 1684 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_IPV6CP].work_to); 1685 } 1686 1687 static void 1688 sppp_cp_to_pap(void *xsp) 1689 { 1690 struct sppp *sp = xsp; 1691 1692 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_to); 1693 } 1694 1695 static void 1696 sppp_cp_to_chap(void *xsp) 1697 { 1698 struct sppp *sp = xsp; 1699 1700 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_to); 1701 } 1702 1703 static void 1704 sppp_cp_init(const struct cp *cp, struct sppp *sp) 1705 { 1706 struct sppp_cp *scp; 1707 typedef void (*sppp_co_cb_t)(void *); 1708 static const sppp_co_cb_t to_cb[IDX_COUNT] = { 1709 [IDX_LCP] = sppp_cp_to_lcp, 1710 [IDX_IPCP] = sppp_cp_to_ipcp, 1711 [IDX_IPV6CP] = sppp_cp_to_ipv6cp, 1712 [IDX_PAP] = sppp_cp_to_pap, 1713 [IDX_CHAP] = sppp_cp_to_chap, 1714 }; 1715 1716 scp = &sp->scp[cp->protoidx]; 1717 scp->state = STATE_INITIAL; 1718 scp->fail_counter = 0; 1719 scp->seq = 0; 1720 scp->rseq = 0; 1721 1722 SPPP_WQ_SET(&scp->work_up, cp->Up, cp); 1723 SPPP_WQ_SET(&scp->work_down, cp->Down, cp); 1724 SPPP_WQ_SET(&scp->work_open, cp->Open, cp); 1725 SPPP_WQ_SET(&scp->work_close, cp->Close, cp); 1726 SPPP_WQ_SET(&scp->work_to, cp->TO, cp); 1727 SPPP_WQ_SET(&scp->work_rcr, sppp_rcr_event, cp); 1728 SPPP_WQ_SET(&scp->work_rca, sppp_rca_event, cp); 1729 SPPP_WQ_SET(&scp->work_rcn, sppp_rcn_event, cp); 1730 SPPP_WQ_SET(&scp->work_rtr, sppp_rtr_event, cp); 1731 SPPP_WQ_SET(&scp->work_rta, sppp_rta_event, cp); 1732 SPPP_WQ_SET(&scp->work_rxj, sppp_rxj_event, cp); 1733 1734 callout_init(&scp->ch, CALLOUT_MPSAFE); 1735 callout_setfunc(&scp->ch, to_cb[cp->protoidx], sp); 1736 } 1737 1738 static void 1739 sppp_cp_fini(const struct cp *cp, struct sppp *sp) 1740 { 1741 struct sppp_cp *scp; 1742 scp = &sp->scp[cp->protoidx]; 1743 1744 sppp_wq_wait(sp->wq_cp, &scp->work_up); 1745 sppp_wq_wait(sp->wq_cp, &scp->work_down); 1746 sppp_wq_wait(sp->wq_cp, &scp->work_open); 1747 sppp_wq_wait(sp->wq_cp, &scp->work_close); 1748 sppp_wq_wait(sp->wq_cp, &scp->work_to); 1749 sppp_wq_wait(sp->wq_cp, &scp->work_rcr); 1750 sppp_wq_wait(sp->wq_cp, &scp->work_rca); 1751 sppp_wq_wait(sp->wq_cp, &scp->work_rcn); 1752 sppp_wq_wait(sp->wq_cp, &scp->work_rtr); 1753 sppp_wq_wait(sp->wq_cp, &scp->work_rta); 1754 sppp_wq_wait(sp->wq_cp, &scp->work_rxj); 1755 1756 callout_halt(&scp->ch, NULL); 1757 callout_destroy(&scp->ch); 1758 1759 if (scp->mbuf_confreq != NULL) { 1760 m_freem(scp->mbuf_confreq); 1761 scp->mbuf_confreq = NULL; 1762 } 1763 if (scp->mbuf_confnak != NULL) { 1764 m_freem(scp->mbuf_confnak); 1765 scp->mbuf_confnak = NULL; 1766 } 1767 } 1768 1769 /* 1770 * Handle incoming PPP control protocol packets. 1771 */ 1772 static void 1773 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1774 { 1775 STDDCL; 1776 struct lcp_header *h; 1777 struct sppp_cp *scp; 1778 int printlen, len = m->m_pkthdr.len; 1779 u_char *p; 1780 uint32_t u32; 1781 char tbuf[SPPP_CPTYPE_NAMELEN]; 1782 const char *cpname; 1783 1784 SPPP_LOCK(sp, RW_WRITER); 1785 1786 scp = &sp->scp[cp->protoidx]; 1787 1788 if (len < 4) { 1789 if (debug) 1790 log(LOG_DEBUG, 1791 "%s: %s invalid packet length: %d bytes\n", 1792 ifp->if_xname, cp->name, len); 1793 goto out; 1794 } 1795 h = mtod(m, struct lcp_header *); 1796 if (debug) { 1797 printlen = ntohs(h->len); 1798 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), h->type); 1799 log(LOG_DEBUG, 1800 "%s: %s input(%s): <%s id=0x%x len=%d", 1801 ifp->if_xname, cp->name, 1802 sppp_state_name(scp->state), 1803 cpname, h->ident, printlen); 1804 if (len < printlen) 1805 printlen = len; 1806 if (printlen > 4) 1807 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1808 addlog(">\n"); 1809 } 1810 if (len > ntohs(h->len)) 1811 len = ntohs(h->len); 1812 p = (u_char *)(h + 1); 1813 switch (h->type) { 1814 case CONF_REQ: 1815 if (len < 4) { 1816 if (debug) 1817 addlog("%s: %s invalid conf-req length %d\n", 1818 ifp->if_xname, cp->name, 1819 len); 1820 if_statinc(ifp, if_ierrors); 1821 break; 1822 } 1823 1824 scp->rcr_type = CP_RCR_NONE; 1825 scp->rconfid = h->ident; 1826 if (scp->mbuf_confreq != NULL) { 1827 m_freem(scp->mbuf_confreq); 1828 } 1829 scp->mbuf_confreq = m; 1830 m = NULL; 1831 sppp_wq_add(sp->wq_cp, &scp->work_rcr); 1832 break; 1833 case CONF_ACK: 1834 if (h->ident != scp->confid) { 1835 if (debug) 1836 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1837 ifp->if_xname, cp->name, 1838 h->ident, scp->confid); 1839 if_statinc(ifp, if_ierrors); 1840 break; 1841 } 1842 sppp_wq_add(sp->wq_cp, &scp->work_rca); 1843 break; 1844 case CONF_NAK: 1845 case CONF_REJ: 1846 if (h->ident != scp->confid) { 1847 if (debug) 1848 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1849 ifp->if_xname, cp->name, 1850 h->ident, scp->confid); 1851 if_statinc(ifp, if_ierrors); 1852 break; 1853 } 1854 1855 if (scp->mbuf_confnak) { 1856 m_freem(scp->mbuf_confnak); 1857 } 1858 scp->mbuf_confnak = m; 1859 m = NULL; 1860 sppp_wq_add(sp->wq_cp, &scp->work_rcn); 1861 break; 1862 case TERM_REQ: 1863 scp->rseq = h->ident; 1864 sppp_wq_add(sp->wq_cp, &scp->work_rtr); 1865 break; 1866 case TERM_ACK: 1867 if (h->ident != scp->confid && 1868 h->ident != scp->seq) { 1869 if (debug) 1870 addlog("%s: %s id mismatch " 1871 "0x%x != 0x%x and 0x%x != %0lx\n", 1872 ifp->if_xname, cp->name, 1873 h->ident, scp->confid, 1874 h->ident, scp->seq); 1875 if_statinc(ifp, if_ierrors); 1876 break; 1877 } 1878 1879 sppp_wq_add(sp->wq_cp, &scp->work_rta); 1880 break; 1881 case CODE_REJ: 1882 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1883 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), h->type); 1884 log(LOG_INFO, 1885 "%s: %s: ignoring RXJ (%s) for code ?, " 1886 "danger will robinson\n", 1887 ifp->if_xname, cp->name, cpname); 1888 sppp_wq_add(sp->wq_cp, &scp->work_rxj); 1889 break; 1890 case PROTO_REJ: 1891 { 1892 int catastrophic; 1893 const struct cp *upper; 1894 int i; 1895 uint16_t proto; 1896 1897 catastrophic = 0; 1898 upper = NULL; 1899 proto = p[0] << 8 | p[1]; 1900 for (i = 0; i < IDX_COUNT; i++) { 1901 if (cps[i]->proto == proto) { 1902 upper = cps[i]; 1903 break; 1904 } 1905 } 1906 if (upper == NULL) 1907 catastrophic++; 1908 1909 if (debug) { 1910 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), h->type); 1911 log(LOG_INFO, 1912 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1913 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1914 cpname, proto, upper ? upper->name : "unknown", 1915 upper ? sppp_state_name(sp->scp[upper->protoidx].state) : "?"); 1916 } 1917 1918 /* 1919 * if we got RXJ+ against conf-req, the peer does not implement 1920 * this particular protocol type. terminate the protocol. 1921 */ 1922 if (upper && !catastrophic) { 1923 if (sp->scp[upper->protoidx].state == STATE_REQ_SENT) { 1924 sppp_wq_add(sp->wq_cp, 1925 &sp->scp[upper->protoidx].work_close); 1926 break; 1927 } 1928 } 1929 sppp_wq_add(sp->wq_cp, &scp->work_rxj); 1930 break; 1931 } 1932 case DISC_REQ: 1933 if (cp->proto != PPP_LCP) 1934 goto illegal; 1935 /* Discard the packet. */ 1936 break; 1937 case ECHO_REQ: 1938 if (cp->proto != PPP_LCP) 1939 goto illegal; 1940 if (scp->state != STATE_OPENED) { 1941 if (debug) 1942 addlog("%s: lcp echo req but lcp closed\n", 1943 ifp->if_xname); 1944 if_statinc(ifp, if_ierrors); 1945 break; 1946 } 1947 if (len < 8) { 1948 if (debug) 1949 addlog("%s: invalid lcp echo request " 1950 "packet length: %d bytes\n", 1951 ifp->if_xname, len); 1952 break; 1953 } 1954 memcpy(&u32, h + 1, sizeof u32); 1955 if (ntohl(u32) == sp->lcp.magic) { 1956 /* Line loopback mode detected. */ 1957 printf("%s: loopback\n", ifp->if_xname); 1958 1959 if (sp->pp_flags & PP_LOOPBACK_IFDOWN) { 1960 sp->pp_flags |= PP_LOOPBACK; 1961 sppp_wq_add(sp->wq_cp, 1962 &sp->work_ifdown); 1963 } 1964 1965 /* Shut down the PPP link. */ 1966 sppp_wq_add(sp->wq_cp, 1967 &sp->scp[IDX_LCP].work_close); 1968 sppp_wq_add(sp->wq_cp, 1969 &sp->scp[IDX_LCP].work_open); 1970 break; 1971 } 1972 u32 = htonl(sp->lcp.magic); 1973 memcpy(h + 1, &u32, sizeof u32); 1974 if (debug) 1975 addlog("%s: got lcp echo req, sending echo rep\n", 1976 ifp->if_xname); 1977 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1978 h + 1); 1979 break; 1980 case ECHO_REPLY: 1981 if (cp->proto != PPP_LCP) 1982 goto illegal; 1983 if (h->ident != sp->lcp.echoid) { 1984 if_statinc(ifp, if_ierrors); 1985 break; 1986 } 1987 if (len < 8) { 1988 if (debug) 1989 addlog("%s: lcp invalid echo reply " 1990 "packet length: %d bytes\n", 1991 ifp->if_xname, len); 1992 break; 1993 } 1994 if (debug) 1995 addlog("%s: lcp got echo rep\n", 1996 ifp->if_xname); 1997 memcpy(&u32, h + 1, sizeof u32); 1998 if (ntohl(u32) != sp->lcp.magic) 1999 sp->pp_alivecnt = 0; 2000 break; 2001 default: 2002 /* Unknown packet type -- send Code-Reject packet. */ 2003 illegal: 2004 if (debug) 2005 addlog("%s: %s send code-rej for 0x%x\n", 2006 ifp->if_xname, cp->name, h->type); 2007 sppp_cp_send(sp, cp->proto, CODE_REJ, 2008 ++scp->seq, m->m_pkthdr.len, h); 2009 if_statinc(ifp, if_ierrors); 2010 } 2011 2012 out: 2013 SPPP_UNLOCK(sp); 2014 if (m != NULL) 2015 m_freem(m); 2016 } 2017 2018 /* 2019 * The generic part of all Up/Down/Open/Close/TO event handlers. 2020 * Basically, the state transition handling in the automaton. 2021 */ 2022 static void 2023 sppp_up_event(struct sppp *sp, void *xcp) 2024 { 2025 const struct cp *cp = xcp; 2026 STDDCL; 2027 2028 KASSERT(SPPP_WLOCKED(sp)); 2029 KASSERT(!cpu_softintr_p()); 2030 2031 if ((cp->flags & CP_AUTH) != 0 && 2032 sppp_auth_role(cp, sp) == SPPP_AUTH_NOROLE) 2033 return; 2034 2035 if (debug) 2036 log(LOG_DEBUG, "%s: %s up(%s)\n", 2037 ifp->if_xname, cp->name, 2038 sppp_state_name(sp->scp[cp->protoidx].state)); 2039 2040 switch (sp->scp[cp->protoidx].state) { 2041 case STATE_INITIAL: 2042 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2043 break; 2044 case STATE_STARTING: 2045 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure; 2046 (cp->scr)(sp); 2047 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2048 break; 2049 default: 2050 printf("%s: %s illegal up in state %s\n", 2051 ifp->if_xname, cp->name, 2052 sppp_state_name(sp->scp[cp->protoidx].state)); 2053 } 2054 } 2055 2056 static void 2057 sppp_down_event(struct sppp *sp, void *xcp) 2058 { 2059 const struct cp *cp = xcp; 2060 STDDCL; 2061 2062 KASSERT(SPPP_WLOCKED(sp)); 2063 KASSERT(!cpu_softintr_p()); 2064 2065 if ((cp->flags & CP_AUTH) != 0 && 2066 sppp_auth_role(cp, sp) == SPPP_AUTH_NOROLE) 2067 return; 2068 2069 if (debug) 2070 log(LOG_DEBUG, "%s: %s down(%s)\n", 2071 ifp->if_xname, cp->name, 2072 sppp_state_name(sp->scp[cp->protoidx].state)); 2073 2074 switch (sp->scp[cp->protoidx].state) { 2075 case STATE_CLOSED: 2076 case STATE_CLOSING: 2077 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2078 break; 2079 case STATE_STOPPED: 2080 (cp->tls)(cp, sp); 2081 /* fall through */ 2082 case STATE_STOPPING: 2083 case STATE_REQ_SENT: 2084 case STATE_ACK_RCVD: 2085 case STATE_ACK_SENT: 2086 sppp_cp_change_state(cp, sp, STATE_STARTING); 2087 break; 2088 case STATE_OPENED: 2089 (cp->tld)(sp); 2090 sppp_cp_change_state(cp, sp, STATE_STARTING); 2091 break; 2092 default: 2093 /* 2094 * a down event may be caused regardless 2095 * of state just in LCP case. 2096 */ 2097 if (cp->proto == PPP_LCP) 2098 break; 2099 2100 printf("%s: %s illegal down in state %s\n", 2101 ifp->if_xname, cp->name, 2102 sppp_state_name(sp->scp[cp->protoidx].state)); 2103 } 2104 } 2105 2106 static void 2107 sppp_open_event(struct sppp *sp, void *xcp) 2108 { 2109 const struct cp *cp = xcp; 2110 STDDCL; 2111 2112 KASSERT(SPPP_WLOCKED(sp)); 2113 KASSERT(!cpu_softintr_p()); 2114 2115 if ((cp->flags & CP_AUTH) != 0 && 2116 sppp_auth_role(cp, sp) == SPPP_AUTH_NOROLE) 2117 return; 2118 2119 if (debug) 2120 log(LOG_DEBUG, "%s: %s open(%s)\n", 2121 ifp->if_xname, cp->name, 2122 sppp_state_name(sp->scp[cp->protoidx].state)); 2123 2124 switch (sp->scp[cp->protoidx].state) { 2125 case STATE_INITIAL: 2126 sppp_cp_change_state(cp, sp, STATE_STARTING); 2127 (cp->tls)(cp, sp); 2128 break; 2129 case STATE_STARTING: 2130 break; 2131 case STATE_CLOSED: 2132 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure; 2133 (cp->scr)(sp); 2134 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2135 break; 2136 case STATE_STOPPED: 2137 case STATE_STOPPING: 2138 case STATE_REQ_SENT: 2139 case STATE_ACK_RCVD: 2140 case STATE_ACK_SENT: 2141 case STATE_OPENED: 2142 break; 2143 case STATE_CLOSING: 2144 sppp_cp_change_state(cp, sp, STATE_STOPPING); 2145 break; 2146 } 2147 } 2148 2149 static void 2150 sppp_close_event(struct sppp *sp, void *xcp) 2151 { 2152 const struct cp *cp = xcp; 2153 STDDCL; 2154 2155 KASSERT(SPPP_WLOCKED(sp)); 2156 KASSERT(!cpu_softintr_p()); 2157 2158 if ((cp->flags & CP_AUTH) != 0 && 2159 sppp_auth_role(cp, sp) == SPPP_AUTH_NOROLE) 2160 return; 2161 2162 if (debug) 2163 log(LOG_DEBUG, "%s: %s close(%s)\n", 2164 ifp->if_xname, cp->name, 2165 sppp_state_name(sp->scp[cp->protoidx].state)); 2166 2167 switch (sp->scp[cp->protoidx].state) { 2168 case STATE_INITIAL: 2169 case STATE_CLOSED: 2170 case STATE_CLOSING: 2171 break; 2172 case STATE_STARTING: 2173 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2174 (cp->tlf)(cp, sp); 2175 break; 2176 case STATE_STOPPED: 2177 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2178 break; 2179 case STATE_STOPPING: 2180 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2181 break; 2182 case STATE_OPENED: 2183 (cp->tld)(sp); 2184 /* fall through */ 2185 case STATE_REQ_SENT: 2186 case STATE_ACK_RCVD: 2187 case STATE_ACK_SENT: 2188 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_terminate; 2189 if ((cp->flags & CP_AUTH) == 0) { 2190 sppp_cp_send(sp, cp->proto, TERM_REQ, 2191 ++sp->scp[cp->protoidx].seq, 0, 0); 2192 } 2193 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2194 break; 2195 } 2196 } 2197 2198 static void 2199 sppp_to_event(struct sppp *sp, void *xcp) 2200 { 2201 const struct cp *cp = xcp; 2202 int s; 2203 STDDCL; 2204 2205 KASSERT(SPPP_WLOCKED(sp)); 2206 KASSERT(!cpu_softintr_p()); 2207 2208 s = splnet(); 2209 2210 if (debug) 2211 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 2212 ifp->if_xname, cp->name, 2213 sppp_state_name(sp->scp[cp->protoidx].state), 2214 sp->scp[cp->protoidx].rst_counter); 2215 2216 if (--sp->scp[cp->protoidx].rst_counter < 0) 2217 /* TO- event */ 2218 switch (sp->scp[cp->protoidx].state) { 2219 case STATE_CLOSING: 2220 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2221 (cp->tlf)(cp, sp); 2222 break; 2223 case STATE_STOPPING: 2224 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2225 (cp->tlf)(cp, sp); 2226 break; 2227 case STATE_REQ_SENT: 2228 case STATE_ACK_RCVD: 2229 case STATE_ACK_SENT: 2230 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2231 (cp->tlf)(cp, sp); 2232 break; 2233 } 2234 else 2235 /* TO+ event */ 2236 switch (sp->scp[cp->protoidx].state) { 2237 case STATE_CLOSING: 2238 case STATE_STOPPING: 2239 if ((cp->flags & CP_AUTH) == 0) { 2240 sppp_cp_send(sp, cp->proto, TERM_REQ, 2241 ++sp->scp[cp->protoidx].seq, 0, 0); 2242 } 2243 callout_schedule(&sp->scp[cp->protoidx].ch, sp->lcp.timeout); 2244 break; 2245 case STATE_REQ_SENT: 2246 case STATE_ACK_RCVD: 2247 (cp->scr)(sp); 2248 /* sppp_cp_change_state() will restart the timer */ 2249 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2250 break; 2251 case STATE_ACK_SENT: 2252 (cp->scr)(sp); 2253 callout_schedule(&sp->scp[cp->protoidx].ch, sp->lcp.timeout); 2254 break; 2255 } 2256 2257 splx(s); 2258 } 2259 static void 2260 sppp_rcr_update_state(const struct cp *cp, struct sppp *sp, 2261 enum cp_rcr_type type, uint8_t ident, size_t msglen, void *msg) 2262 { 2263 STDDCL; 2264 u_char ctype; 2265 2266 if (type == CP_RCR_ERR) { 2267 /* parse error, shut down */ 2268 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 2269 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open); 2270 } else if (type == CP_RCR_ACK) { 2271 /* RCR+ event */ 2272 ctype = CONF_ACK; 2273 switch (sp->scp[cp->protoidx].state) { 2274 case STATE_OPENED: 2275 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 2276 cp->tld(sp); 2277 cp->scr(sp); 2278 cp->screply(cp, sp, ctype, ident, msglen, msg); 2279 break; 2280 case STATE_REQ_SENT: 2281 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 2282 /* fall through */ 2283 case STATE_ACK_SENT: 2284 cp->screply(cp, sp, ctype, ident, msglen, msg); 2285 break; 2286 case STATE_STOPPED: 2287 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 2288 cp->scr(sp); 2289 cp->screply(cp, sp, ctype, ident, msglen, msg); 2290 break; 2291 case STATE_ACK_RCVD: 2292 sppp_cp_change_state(cp, sp, STATE_OPENED); 2293 if (debug) 2294 log(LOG_DEBUG, "%s: %s tlu\n", 2295 ifp->if_xname, 2296 cp->name); 2297 cp->tlu(sp); 2298 cp->screply(cp, sp, ctype, ident, msglen, msg); 2299 break; 2300 case STATE_CLOSING: 2301 case STATE_STOPPING: 2302 break; 2303 case STATE_CLOSED: 2304 if ((cp->flags & CP_AUTH) == 0) { 2305 sppp_cp_send(sp, cp->proto, TERM_ACK, 2306 ident, 0, 0); 2307 } 2308 break; 2309 default: 2310 printf("%s: %s illegal RCR+ in state %s\n", 2311 ifp->if_xname, cp->name, 2312 sppp_state_name(sp->scp[cp->protoidx].state)); 2313 if_statinc(ifp, if_ierrors); 2314 } 2315 } else if (type == CP_RCR_NAK || type == CP_RCR_REJ) { 2316 ctype = type == CP_RCR_NAK ? CONF_NAK : CONF_REJ; 2317 /* RCR- event */ 2318 switch (sp->scp[cp->protoidx].state) { 2319 case STATE_OPENED: 2320 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2321 cp->tld(sp); 2322 cp->scr(sp); 2323 cp->screply(cp, sp, ctype, ident, msglen, msg); 2324 break; 2325 case STATE_ACK_SENT: 2326 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2327 /* fall through */ 2328 case STATE_REQ_SENT: 2329 cp->screply(cp, sp, ctype, ident, msglen, msg); 2330 break; 2331 case STATE_STOPPED: 2332 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2333 cp->scr(sp); 2334 cp->screply(cp, sp, ctype, ident, msglen, msg); 2335 break; 2336 case STATE_ACK_RCVD: 2337 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 2338 cp->screply(cp, sp, ctype, ident, msglen, msg); 2339 break; 2340 case STATE_CLOSING: 2341 case STATE_STOPPING: 2342 break; 2343 case STATE_CLOSED: 2344 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2345 if ((cp->flags & CP_AUTH) == 0) { 2346 sppp_cp_send(sp, cp->proto, TERM_ACK, 2347 ident, 0, 0); 2348 } 2349 break; 2350 default: 2351 printf("%s: %s illegal RCR- in state %s\n", 2352 ifp->if_xname, cp->name, 2353 sppp_state_name(sp->scp[cp->protoidx].state)); 2354 if_statinc(ifp, if_ierrors); 2355 } 2356 } 2357 } 2358 2359 static void 2360 sppp_rcr_event(struct sppp *sp, void *xcp) 2361 { 2362 const struct cp *cp = xcp; 2363 struct sppp_cp *scp; 2364 struct lcp_header *h; 2365 struct mbuf *m; 2366 enum cp_rcr_type type; 2367 size_t len; 2368 uint8_t *buf; 2369 size_t blen, rlen; 2370 uint8_t ident; 2371 2372 KASSERT(!cpu_softintr_p()); 2373 2374 scp = &sp->scp[cp->protoidx]; 2375 2376 if (cp->parse_confreq != NULL) { 2377 m = scp->mbuf_confreq; 2378 if (m == NULL) 2379 return; 2380 scp->mbuf_confreq = NULL; 2381 2382 h = mtod(m, struct lcp_header *); 2383 if (h->type != CONF_REQ) { 2384 m_freem(m); 2385 return; 2386 } 2387 2388 ident = h->ident; 2389 len = MIN(m->m_pkthdr.len, ntohs(h->len)); 2390 2391 type = (cp->parse_confreq)(sp, h, len, 2392 &buf, &blen, &rlen); 2393 m_freem(m); 2394 } else { 2395 /* mbuf_cofreq is already parsed and freed */ 2396 type = scp->rcr_type; 2397 ident = scp->rconfid; 2398 buf = NULL; 2399 blen = rlen = 0; 2400 } 2401 2402 sppp_rcr_update_state(cp, sp, type, ident, rlen, (void *)buf); 2403 2404 if (buf != NULL) 2405 kmem_free(buf, blen); 2406 } 2407 2408 static void 2409 sppp_rca_event(struct sppp *sp, void *xcp) 2410 { 2411 const struct cp *cp = xcp; 2412 STDDCL; 2413 2414 KASSERT(!cpu_softintr_p()); 2415 2416 switch (sp->scp[cp->protoidx].state) { 2417 case STATE_CLOSED: 2418 case STATE_STOPPED: 2419 if ((cp->flags & CP_AUTH) == 0) { 2420 sppp_cp_send(sp, cp->proto, TERM_ACK, 2421 sp->scp[cp->protoidx].rconfid, 0, 0); 2422 } 2423 break; 2424 case STATE_CLOSING: 2425 case STATE_STOPPING: 2426 break; 2427 case STATE_REQ_SENT: 2428 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure; 2429 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 2430 break; 2431 case STATE_OPENED: 2432 (cp->tld)(sp); 2433 /* fall through */ 2434 case STATE_ACK_RCVD: 2435 (cp->scr)(sp); 2436 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2437 break; 2438 case STATE_ACK_SENT: 2439 sppp_cp_change_state(cp, sp, STATE_OPENED); 2440 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure; 2441 if (debug) 2442 log(LOG_DEBUG, "%s: %s tlu\n", 2443 ifp->if_xname, cp->name); 2444 (cp->tlu)(sp); 2445 break; 2446 default: 2447 printf("%s: %s illegal RCA in state %s\n", 2448 ifp->if_xname, cp->name, 2449 sppp_state_name(sp->scp[cp->protoidx].state)); 2450 if_statinc(ifp, if_ierrors); 2451 } 2452 } 2453 2454 static void 2455 sppp_rcn_event(struct sppp *sp, void *xcp) 2456 { 2457 const struct cp *cp = xcp; 2458 struct sppp_cp *scp; 2459 struct lcp_header *h; 2460 struct mbuf *m; 2461 struct ifnet *ifp = &sp->pp_if; 2462 size_t len; 2463 2464 KASSERT(!cpu_softintr_p()); 2465 2466 scp = &sp->scp[cp->protoidx]; 2467 m = scp->mbuf_confnak; 2468 if (m == NULL) 2469 return; 2470 scp->mbuf_confnak = NULL; 2471 2472 h = mtod(m, struct lcp_header *); 2473 len = MIN(m->m_pkthdr.len, ntohs(h->len)); 2474 2475 switch (h->type) { 2476 case CONF_NAK: 2477 (cp->parse_confnak)(sp, h, len); 2478 break; 2479 case CONF_REJ: 2480 (cp->parse_confrej)(sp, h, len); 2481 break; 2482 default: 2483 m_freem(m); 2484 return; 2485 } 2486 2487 m_freem(m); 2488 2489 switch (scp->state) { 2490 case STATE_CLOSED: 2491 case STATE_STOPPED: 2492 if ((cp->flags & CP_AUTH) == 0) { 2493 sppp_cp_send(sp, cp->proto, TERM_ACK, 2494 scp->rconfid, 0, 0); 2495 } 2496 break; 2497 case STATE_REQ_SENT: 2498 case STATE_ACK_SENT: 2499 scp->rst_counter = sp->lcp.max_configure; 2500 (cp->scr)(sp); 2501 break; 2502 case STATE_OPENED: 2503 (cp->tld)(sp); 2504 /* fall through */ 2505 case STATE_ACK_RCVD: 2506 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 2507 (cp->scr)(sp); 2508 break; 2509 case STATE_CLOSING: 2510 case STATE_STOPPING: 2511 break; 2512 default: 2513 printf("%s: %s illegal RCN in state %s\n", 2514 ifp->if_xname, cp->name, 2515 sppp_state_name(scp->state)); 2516 if_statinc(ifp, if_ierrors); 2517 } 2518 } 2519 2520 static void 2521 sppp_rtr_event(struct sppp *sp, void *xcp) 2522 { 2523 const struct cp *cp = xcp; 2524 STDDCL; 2525 2526 KASSERT(!cpu_softintr_p()); 2527 2528 switch (sp->scp[cp->protoidx].state) { 2529 case STATE_ACK_RCVD: 2530 case STATE_ACK_SENT: 2531 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2532 break; 2533 case STATE_CLOSED: 2534 case STATE_STOPPED: 2535 case STATE_CLOSING: 2536 case STATE_STOPPING: 2537 case STATE_REQ_SENT: 2538 break; 2539 case STATE_OPENED: 2540 (cp->tld)(sp); 2541 sp->scp[cp->protoidx].rst_counter = 0; 2542 sppp_cp_change_state(cp, sp, STATE_STOPPING); 2543 break; 2544 default: 2545 printf("%s: %s illegal RTR in state %s\n", 2546 ifp->if_xname, cp->name, 2547 sppp_state_name(sp->scp[cp->protoidx].state)); 2548 if_statinc(ifp, if_ierrors); 2549 return; 2550 } 2551 2552 /* Send Terminate-Ack packet. */ 2553 if (debug) 2554 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 2555 ifp->if_xname, cp->name); 2556 if ((cp->flags & CP_AUTH) == 0) { 2557 sppp_cp_send(sp, cp->proto, TERM_ACK, 2558 sp->scp[cp->protoidx].rseq, 0, 0); 2559 } 2560 } 2561 2562 static void 2563 sppp_rta_event(struct sppp *sp, void *xcp) 2564 { 2565 const struct cp *cp = xcp; 2566 struct ifnet *ifp = &sp->pp_if; 2567 2568 KASSERT(!cpu_softintr_p()); 2569 2570 switch (sp->scp[cp->protoidx].state) { 2571 case STATE_CLOSED: 2572 case STATE_STOPPED: 2573 case STATE_REQ_SENT: 2574 case STATE_ACK_SENT: 2575 break; 2576 case STATE_CLOSING: 2577 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2578 (cp->tlf)(cp, sp); 2579 break; 2580 case STATE_STOPPING: 2581 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2582 (cp->tlf)(cp, sp); 2583 break; 2584 case STATE_ACK_RCVD: 2585 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2586 break; 2587 case STATE_OPENED: 2588 (cp->tld)(sp); 2589 (cp->scr)(sp); 2590 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 2591 break; 2592 default: 2593 printf("%s: %s illegal RTA in state %s\n", 2594 ifp->if_xname, cp->name, 2595 sppp_state_name(sp->scp[cp->protoidx].state)); 2596 if_statinc(ifp, if_ierrors); 2597 } 2598 } 2599 2600 static void 2601 sppp_rxj_event(struct sppp *sp, void *xcp) 2602 { 2603 const struct cp *cp = xcp; 2604 struct ifnet *ifp = &sp->pp_if; 2605 2606 KASSERT(!cpu_softintr_p()); 2607 2608 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 2609 switch (sp->scp[cp->protoidx].state) { 2610 case STATE_CLOSED: 2611 case STATE_STOPPED: 2612 case STATE_REQ_SENT: 2613 case STATE_ACK_SENT: 2614 case STATE_CLOSING: 2615 case STATE_STOPPING: 2616 case STATE_OPENED: 2617 break; 2618 case STATE_ACK_RCVD: 2619 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2620 break; 2621 default: 2622 printf("%s: %s illegal RXJ- in state %s\n", 2623 ifp->if_xname, cp->name, 2624 sppp_state_name(sp->scp[cp->protoidx].state)); 2625 if_statinc(ifp, if_ierrors); 2626 } 2627 } 2628 2629 /* 2630 * Change the state of a control protocol in the state automaton. 2631 * Takes care of starting/stopping the restart timer. 2632 */ 2633 void 2634 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2635 { 2636 2637 KASSERT(SPPP_WLOCKED(sp)); 2638 2639 sp->scp[cp->protoidx].state = newstate; 2640 callout_stop(&sp->scp[cp->protoidx].ch); 2641 switch (newstate) { 2642 case STATE_INITIAL: 2643 case STATE_STARTING: 2644 case STATE_CLOSED: 2645 case STATE_STOPPED: 2646 case STATE_OPENED: 2647 break; 2648 case STATE_CLOSING: 2649 case STATE_STOPPING: 2650 case STATE_REQ_SENT: 2651 case STATE_ACK_RCVD: 2652 case STATE_ACK_SENT: 2653 callout_schedule(&sp->scp[cp->protoidx].ch, sp->lcp.timeout); 2654 break; 2655 } 2656 } 2657 2658 /* 2659 *--------------------------------------------------------------------------* 2660 * * 2661 * The LCP implementation. * 2662 * * 2663 *--------------------------------------------------------------------------* 2664 */ 2665 static void 2666 sppp_lcp_init(struct sppp *sp) 2667 { 2668 2669 KASSERT(SPPP_WLOCKED(sp)); 2670 2671 sppp_cp_init(&lcp, sp); 2672 2673 SET(sp->lcp.opts, SPPP_LCP_OPT_MAGIC); 2674 sp->lcp.magic = 0; 2675 sp->lcp.protos = 0; 2676 sp->lcp.max_terminate = 2; 2677 sp->lcp.max_configure = 10; 2678 sp->lcp.max_failure = 10; 2679 sp->lcp.tlf_sent = false; 2680 2681 /* 2682 * Initialize counters and timeout values. Note that we don't 2683 * use the 3 seconds suggested in RFC 1661 since we are likely 2684 * running on a fast link. XXX We should probably implement 2685 * the exponential backoff option. Note that these values are 2686 * relevant for all control protocols, not just LCP only. 2687 */ 2688 sp->lcp.timeout = 1 * hz; 2689 } 2690 2691 static void 2692 sppp_lcp_up(struct sppp *sp, void *xcp) 2693 { 2694 const struct cp *cp = xcp; 2695 int pidx; 2696 STDDCL; 2697 2698 KASSERT(SPPP_WLOCKED(sp)); 2699 2700 pidx = cp->protoidx; 2701 /* Initialize activity timestamp: opening a connection is an activity */ 2702 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 2703 2704 /* 2705 * If this interface is passive or dial-on-demand, and we are 2706 * still in Initial state, it means we've got an incoming 2707 * call. Activate the interface. 2708 */ 2709 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2710 if (debug) 2711 log(LOG_DEBUG, 2712 "%s: Up event", ifp->if_xname); 2713 ifp->if_flags |= IFF_RUNNING; 2714 if (sp->scp[pidx].state == STATE_INITIAL) { 2715 if (debug) 2716 addlog("(incoming call)\n"); 2717 sp->pp_flags |= PP_CALLIN; 2718 sppp_wq_add(sp->wq_cp, &sp->scp[pidx].work_open); 2719 } else if (debug) 2720 addlog("\n"); 2721 } 2722 2723 sppp_up_event(sp, xcp); 2724 } 2725 2726 static void 2727 sppp_lcp_down(struct sppp *sp, void *xcp) 2728 { 2729 const struct cp *cp = xcp; 2730 int pidx; 2731 STDDCL; 2732 2733 KASSERT(SPPP_WLOCKED(sp)); 2734 KASSERT(!cpu_softintr_p()); 2735 2736 pidx = cp->protoidx; 2737 sppp_down_event(sp, xcp); 2738 2739 /* 2740 * We need to do tls to restart when a down event is caused 2741 * by the last tlf. 2742 */ 2743 if (sp->scp[pidx].state == STATE_STARTING && 2744 sp->lcp.tlf_sent) { 2745 cp->tls(cp, sp); 2746 sp->lcp.tlf_sent = false; 2747 } 2748 2749 if (debug) { 2750 log(LOG_DEBUG, 2751 "%s: Down event (carrier loss)\n", 2752 ifp->if_xname); 2753 } 2754 2755 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2756 if (sp->lcp.reestablish) 2757 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open); 2758 } else { 2759 2760 sp->pp_flags &= ~PP_CALLIN; 2761 if (sp->scp[pidx].state != STATE_INITIAL) 2762 sppp_wq_add(sp->wq_cp, &sp->scp[pidx].work_close); 2763 ifp->if_flags &= ~IFF_RUNNING; 2764 } 2765 sp->scp[pidx].fail_counter = 0; 2766 } 2767 2768 static void 2769 sppp_lcp_open(struct sppp *sp, void *xcp) 2770 { 2771 2772 KASSERT(SPPP_WLOCKED(sp)); 2773 KASSERT(!cpu_softintr_p()); 2774 2775 sp->lcp.reestablish = false; 2776 sp->scp[IDX_LCP].fail_counter = 0; 2777 2778 if (sp->pp_if.if_mtu < PP_MTU) { 2779 sp->lcp.mru = sp->pp_if.if_mtu; 2780 SET(sp->lcp.opts, SPPP_LCP_OPT_MRU); 2781 } else { 2782 sp->lcp.mru = PP_MTU; 2783 } 2784 sp->lcp.their_mru = PP_MTU; 2785 2786 /* 2787 * If we are authenticator, negotiate LCP_AUTH 2788 */ 2789 if (sp->hisauth.proto != PPP_NOPROTO) 2790 SET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO); 2791 else 2792 CLR(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO); 2793 sp->pp_flags &= ~PP_NEEDAUTH; 2794 sppp_open_event(sp, xcp); 2795 } 2796 2797 2798 /* 2799 * Analyze a configure request. Return true if it was agreeable, and 2800 * caused action sca, false if it has been rejected or nak'ed, and 2801 * caused action scn. (The return value is used to make the state 2802 * transition decision in the state automaton.) 2803 */ 2804 static enum cp_rcr_type 2805 sppp_lcp_confreq(struct sppp *sp, struct lcp_header *h, int origlen, 2806 uint8_t **msgbuf, size_t *buflen, size_t *msglen) 2807 { 2808 STDDCL; 2809 u_char *buf, *r, *p, l, blen; 2810 enum cp_rcr_type type; 2811 int len, rlen; 2812 uint32_t nmagic; 2813 u_short authproto; 2814 char lbuf[SPPP_LCPOPT_NAMELEN]; 2815 2816 KASSERT(SPPP_WLOCKED(sp)); 2817 2818 if (origlen < sizeof(*h)) 2819 return CP_RCR_DROP; 2820 2821 origlen -= sizeof(*h); 2822 type = CP_RCR_NONE; 2823 type = 0; 2824 2825 if (origlen <= 0) 2826 return CP_RCR_DROP; 2827 else 2828 blen = origlen; 2829 2830 buf = kmem_intr_alloc(blen, KM_NOSLEEP); 2831 if (buf == NULL) 2832 return CP_RCR_DROP; 2833 2834 if (debug) 2835 log(LOG_DEBUG, "%s: lcp parse opts:", 2836 ifp->if_xname); 2837 2838 /* pass 1: check for things that need to be rejected */ 2839 p = (void *)(h + 1); 2840 r = buf; 2841 rlen = 0; 2842 for (len = origlen; len > 1; len-= l, p += l) { 2843 l = p[1]; 2844 if (l == 0) 2845 break; 2846 2847 /* Sanity check option length */ 2848 if (l > len) { 2849 /* 2850 * Malicious option - drop immediately. 2851 * XXX Maybe we should just RXJ it? 2852 */ 2853 addlog("%s: received malicious LCP option 0x%02x, " 2854 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2855 p[0], l, len); 2856 type = CP_RCR_ERR; 2857 goto end; 2858 } 2859 if (debug) 2860 addlog(" %s", sppp_lcp_opt_name(lbuf, sizeof(lbuf), *p)); 2861 switch (p[0]) { 2862 case LCP_OPT_MAGIC: 2863 /* Magic number. */ 2864 /* fall through, both are same length */ 2865 case LCP_OPT_ASYNC_MAP: 2866 /* Async control character map. */ 2867 if (len >= 6 || l == 6) 2868 continue; 2869 if (debug) 2870 addlog(" [invalid]"); 2871 break; 2872 case LCP_OPT_MP_EID: 2873 if (len >= l && l >= 3) { 2874 switch (p[2]) { 2875 case 0: if (l==3+ 0) continue;break; 2876 case 2: if (l==3+ 4) continue;break; 2877 case 3: if (l==3+ 6) continue;break; 2878 case 6: if (l==3+16) continue;break; 2879 case 1: /* FALLTHROUGH */ 2880 case 4: if (l<=3+20) continue;break; 2881 case 5: if (l<=3+15) continue;break; 2882 /* XXX should it be default: continue;? */ 2883 } 2884 } 2885 if (debug) 2886 addlog(" [invalid class %d len %d]", p[2], l); 2887 break; 2888 case LCP_OPT_MP_SSNHF: 2889 if (len >= 2 && l == 2) { 2890 if (debug) 2891 addlog(" [rej]"); 2892 break; 2893 } 2894 if (debug) 2895 addlog(" [invalid]"); 2896 break; 2897 case LCP_OPT_MP_MRRU: 2898 /* Multilink maximum received reconstructed unit */ 2899 /* should be fall through, both are same length */ 2900 /* FALLTHROUGH */ 2901 case LCP_OPT_MRU: 2902 /* Maximum receive unit. */ 2903 if (len >= 4 && l == 4) 2904 continue; 2905 if (debug) 2906 addlog(" [invalid]"); 2907 break; 2908 case LCP_OPT_AUTH_PROTO: 2909 if (len < 4) { 2910 if (debug) 2911 addlog(" [invalid]"); 2912 break; 2913 } 2914 authproto = (p[2] << 8) + p[3]; 2915 if (authproto == PPP_CHAP && l != 5) { 2916 if (debug) 2917 addlog(" [invalid chap len]"); 2918 break; 2919 } 2920 if (ISSET(sp->myauth.flags, SPPP_AUTHFLAG_PASSIVEAUTHPROTO)) { 2921 if (authproto == PPP_PAP || authproto == PPP_CHAP) 2922 sp->myauth.proto = authproto; 2923 } 2924 if (sp->myauth.proto == PPP_NOPROTO) { 2925 /* we are not configured to do auth */ 2926 if (debug) 2927 addlog(" [not configured]"); 2928 break; 2929 } 2930 /* 2931 * Remote want us to authenticate, remember this, 2932 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2933 * up. 2934 */ 2935 sp->pp_flags |= PP_NEEDAUTH; 2936 continue; 2937 default: 2938 /* Others not supported. */ 2939 if (debug) 2940 addlog(" [rej]"); 2941 break; 2942 } 2943 if (rlen + l > blen) { 2944 if (debug) 2945 addlog(" [overflow]"); 2946 continue; 2947 } 2948 /* Add the option to rejected list. */ 2949 memcpy(r, p, l); 2950 r += l; 2951 rlen += l; 2952 } 2953 2954 if (rlen > 0) { 2955 type = CP_RCR_REJ; 2956 goto end; 2957 } 2958 2959 if (debug) 2960 addlog("\n"); 2961 2962 /* 2963 * pass 2: check for option values that are unacceptable and 2964 * thus require to be nak'ed. 2965 */ 2966 if (debug) 2967 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2968 ifp->if_xname); 2969 2970 p = (void *)(h + 1); 2971 r = buf; 2972 rlen = 0; 2973 for (len = origlen; len > 0; len -= l, p += l) { 2974 l = p[1]; 2975 if (l == 0) 2976 break; 2977 2978 if (debug) 2979 addlog(" %s", sppp_lcp_opt_name(lbuf, sizeof(lbuf), *p)); 2980 switch (p[0]) { 2981 case LCP_OPT_MAGIC: 2982 /* Magic number -- extract. */ 2983 nmagic = (uint32_t)p[2] << 24 | 2984 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2985 if (nmagic != sp->lcp.magic) { 2986 if (debug) 2987 addlog(" 0x%x", nmagic); 2988 continue; 2989 } 2990 /* 2991 * Local and remote magics equal -- loopback? 2992 */ 2993 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2994 printf ("%s: loopback\n", 2995 ifp->if_xname); 2996 sp->pp_loopcnt = 0; 2997 2998 if (sp->pp_flags & PP_LOOPBACK_IFDOWN) { 2999 sp->pp_flags |= PP_LOOPBACK; 3000 sppp_wq_add(sp->wq_cp, 3001 &sp->work_ifdown); 3002 } 3003 3004 sppp_wq_add(sp->wq_cp, 3005 &sp->scp[IDX_LCP].work_close); 3006 sppp_wq_add(sp->wq_cp, 3007 &sp->scp[IDX_LCP].work_open); 3008 } else { 3009 if (debug) 3010 addlog(" [glitch]"); 3011 ++sp->pp_loopcnt; 3012 } 3013 /* 3014 * We negate our magic here, and NAK it. If 3015 * we see it later in an NAK packet, we 3016 * suggest a new one. 3017 */ 3018 nmagic = ~sp->lcp.magic; 3019 /* Gonna NAK it. */ 3020 p[2] = nmagic >> 24; 3021 p[3] = nmagic >> 16; 3022 p[4] = nmagic >> 8; 3023 p[5] = nmagic; 3024 break; 3025 3026 case LCP_OPT_ASYNC_MAP: 3027 /* 3028 * Async control character map -- just ignore it. 3029 * 3030 * Quote from RFC 1662, chapter 6: 3031 * To enable this functionality, synchronous PPP 3032 * implementations MUST always respond to the 3033 * Async-Control-Character-Map Configuration 3034 * Option with the LCP Configure-Ack. However, 3035 * acceptance of the Configuration Option does 3036 * not imply that the synchronous implementation 3037 * will do any ACCM mapping. Instead, all such 3038 * octet mapping will be performed by the 3039 * asynchronous-to-synchronous converter. 3040 */ 3041 continue; 3042 3043 case LCP_OPT_MRU: 3044 /* 3045 * Maximum receive unit. Always agreeable, 3046 * but ignored by now. 3047 */ 3048 sp->lcp.their_mru = p[2] * 256 + p[3]; 3049 if (debug) 3050 addlog(" %ld", sp->lcp.their_mru); 3051 continue; 3052 3053 case LCP_OPT_AUTH_PROTO: 3054 authproto = (p[2] << 8) + p[3]; 3055 if (ISSET(sp->myauth.flags, SPPP_AUTHFLAG_PASSIVEAUTHPROTO)) { 3056 if (authproto == PPP_PAP || authproto == PPP_CHAP) 3057 sp->myauth.proto = authproto; 3058 } 3059 if (sp->myauth.proto == authproto) { 3060 if (authproto != PPP_CHAP || p[4] == CHAP_MD5) { 3061 continue; 3062 } 3063 if (debug) 3064 addlog(" [chap without MD5]"); 3065 } else { 3066 if (debug) { 3067 char pbuf1[SPPP_PROTO_NAMELEN]; 3068 char pbuf2[SPPP_PROTO_NAMELEN]; 3069 const char *pname1, *pname2; 3070 3071 pname1 = sppp_proto_name(pbuf1, 3072 sizeof(pbuf1), sp->myauth.proto); 3073 pname2 = sppp_proto_name(pbuf2, 3074 sizeof(pbuf2), authproto); 3075 addlog(" [mine %s != his %s]", 3076 pname1, pname2); 3077 } 3078 } 3079 /* not agreed, nak */ 3080 if (sp->myauth.proto == PPP_CHAP) { 3081 l = 5; 3082 } else { 3083 l = 4; 3084 } 3085 3086 if (rlen + l > blen) { 3087 if (debug) 3088 addlog(" [overflow]"); 3089 continue; 3090 } 3091 3092 r[0] = LCP_OPT_AUTH_PROTO; 3093 r[1] = l; 3094 r[2] = sp->myauth.proto >> 8; 3095 r[3] = sp->myauth.proto & 0xff; 3096 if (sp->myauth.proto == PPP_CHAP) 3097 r[4] = CHAP_MD5; 3098 rlen += l; 3099 r += l; 3100 continue; 3101 case LCP_OPT_MP_EID: 3102 /* 3103 * Endpoint identification. 3104 * Always agreeable, 3105 * but ignored by now. 3106 */ 3107 if (debug) { 3108 addlog(" type %d", p[2]); 3109 sppp_print_bytes(p+3, p[1]-3); 3110 } 3111 continue; 3112 case LCP_OPT_MP_MRRU: 3113 /* 3114 * Maximum received reconstructed unit. 3115 * Always agreeable, 3116 * but ignored by now. 3117 */ 3118 sp->lcp.their_mrru = p[2] * 256 + p[3]; 3119 if (debug) 3120 addlog(" %ld", sp->lcp.their_mrru); 3121 continue; 3122 } 3123 if (rlen + l > blen) { 3124 if (debug) 3125 addlog(" [overflow]"); 3126 continue; 3127 } 3128 /* Add the option to nak'ed list. */ 3129 memcpy(r, p, l); 3130 r += l; 3131 rlen += l; 3132 } 3133 3134 if (rlen > 0) { 3135 if (++sp->scp[IDX_LCP].fail_counter >= sp->lcp.max_failure) { 3136 if (debug) 3137 addlog(" max_failure (%d) exceeded, ", 3138 sp->lcp.max_failure); 3139 type = CP_RCR_REJ; 3140 } else { 3141 type = CP_RCR_NAK; 3142 } 3143 } else { 3144 type = CP_RCR_ACK; 3145 rlen = origlen; 3146 memcpy(r, h + 1, rlen); 3147 sp->scp[IDX_LCP].fail_counter = 0; 3148 sp->pp_loopcnt = 0; 3149 } 3150 3151 end: 3152 if (debug) 3153 addlog("\n"); 3154 3155 if (type == CP_RCR_ERR || type == CP_RCR_DROP) { 3156 if (buf != NULL) 3157 kmem_intr_free(buf, blen); 3158 } else { 3159 *msgbuf = buf; 3160 *buflen = blen; 3161 *msglen = rlen; 3162 } 3163 3164 return type; 3165 } 3166 3167 /* 3168 * Analyze the LCP Configure-Reject option list, and adjust our 3169 * negotiation. 3170 */ 3171 static void 3172 sppp_lcp_confrej(struct sppp *sp, struct lcp_header *h, int len) 3173 { 3174 STDDCL; 3175 u_char *p, l; 3176 3177 KASSERT(SPPP_WLOCKED(sp)); 3178 3179 if (len <= sizeof(*h)) 3180 return; 3181 3182 len -= sizeof(*h); 3183 3184 if (debug) 3185 log(LOG_DEBUG, "%s: lcp rej opts:", 3186 ifp->if_xname); 3187 3188 p = (void *)(h + 1); 3189 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3190 /* Sanity check option length */ 3191 if (l > len) { 3192 /* 3193 * Malicious option - drop immediately. 3194 * XXX Maybe we should just RXJ it? 3195 */ 3196 addlog("%s: received malicious LCP option, " 3197 "dropping.\n", ifp->if_xname); 3198 goto end; 3199 } 3200 if (debug) { 3201 char lbuf[SPPP_LCPOPT_NAMELEN]; 3202 addlog(" %s", sppp_lcp_opt_name(lbuf, sizeof(lbuf), *p)); 3203 } 3204 switch (p[0]) { 3205 case LCP_OPT_MAGIC: 3206 /* Magic number -- can't use it, use 0 */ 3207 CLR(sp->lcp.opts, SPPP_LCP_OPT_MAGIC); 3208 sp->lcp.magic = 0; 3209 break; 3210 case LCP_OPT_MRU: 3211 /* 3212 * We try to negotiate a lower MRU if the underlying 3213 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 3214 * peer rejects this lower rate, fallback to the 3215 * default. 3216 */ 3217 if (debug) { 3218 addlog("%s: warning: peer rejected our MRU of " 3219 "%ld bytes. Defaulting to %d bytes\n", 3220 ifp->if_xname, sp->lcp.mru, PP_MTU); 3221 } 3222 CLR(sp->lcp.opts, SPPP_LCP_OPT_MRU); 3223 sp->lcp.mru = PP_MTU; 3224 break; 3225 case LCP_OPT_AUTH_PROTO: 3226 /* 3227 * Peer doesn't want to authenticate himself, 3228 * deny unless this is a dialout call, and 3229 * SPPP_AUTHFLAG_NOCALLOUT is set. 3230 */ 3231 if ((sp->pp_flags & PP_CALLIN) == 0 && 3232 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 3233 if (debug) 3234 addlog(" [don't insist on auth " 3235 "for callout]"); 3236 CLR(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO); 3237 break; 3238 } 3239 if (debug) 3240 addlog("[access denied]\n"); 3241 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 3242 break; 3243 } 3244 } 3245 if (debug) 3246 addlog("\n"); 3247 end: 3248 return; 3249 } 3250 3251 /* 3252 * Analyze the LCP Configure-NAK option list, and adjust our 3253 * negotiation. 3254 */ 3255 static void 3256 sppp_lcp_confnak(struct sppp *sp, struct lcp_header *h, int len) 3257 { 3258 STDDCL; 3259 u_char *p, l; 3260 uint32_t magic; 3261 3262 KASSERT(SPPP_WLOCKED(sp)); 3263 3264 if (len <= sizeof(*h)) 3265 return; 3266 len -= sizeof(*h); 3267 3268 if (debug) 3269 log(LOG_DEBUG, "%s: lcp nak opts:", 3270 ifp->if_xname); 3271 3272 p = (void *)(h + 1); 3273 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3274 /* Sanity check option length */ 3275 if (l > len) { 3276 /* 3277 * Malicious option - drop immediately. 3278 * XXX Maybe we should just RXJ it? 3279 */ 3280 addlog("%s: received malicious LCP option, " 3281 "dropping.\n", ifp->if_xname); 3282 goto end; 3283 } 3284 if (debug) { 3285 char lbuf[SPPP_LCPOPT_NAMELEN]; 3286 addlog(" %s", sppp_lcp_opt_name(lbuf, sizeof(lbuf),*p)); 3287 } 3288 switch (p[0]) { 3289 case LCP_OPT_MAGIC: 3290 /* Magic number -- renegotiate */ 3291 if (ISSET(sp->lcp.opts, SPPP_LCP_OPT_MAGIC) && 3292 len >= 6 && l == 6) { 3293 magic = (uint32_t)p[2] << 24 | 3294 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 3295 /* 3296 * If the remote magic is our negated one, 3297 * this looks like a loopback problem. 3298 * Suggest a new magic to make sure. 3299 */ 3300 if (magic == ~sp->lcp.magic) { 3301 if (debug) 3302 addlog(" magic glitch"); 3303 sp->lcp.magic = cprng_fast32(); 3304 } else { 3305 sp->lcp.magic = magic; 3306 if (debug) 3307 addlog(" %d", magic); 3308 } 3309 } 3310 break; 3311 case LCP_OPT_MRU: 3312 /* 3313 * Peer wants to advise us to negotiate an MRU. 3314 * Agree on it if it's reasonable, or use 3315 * default otherwise. 3316 */ 3317 if (len >= 4 && l == 4) { 3318 u_int mru = p[2] * 256 + p[3]; 3319 if (debug) 3320 addlog(" %d", mru); 3321 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 3322 mru = sp->pp_if.if_mtu; 3323 sp->lcp.mru = mru; 3324 SET(sp->lcp.opts, SPPP_LCP_OPT_MRU); 3325 } 3326 break; 3327 case LCP_OPT_AUTH_PROTO: 3328 /* 3329 * Peer doesn't like our authentication method, 3330 * deny. 3331 */ 3332 if (debug) 3333 addlog("[access denied]\n"); 3334 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 3335 break; 3336 } 3337 } 3338 if (debug) 3339 addlog("\n"); 3340 end: 3341 return; 3342 } 3343 3344 static void 3345 sppp_lcp_tlu(struct sppp *sp) 3346 { 3347 STDDCL; 3348 int i; 3349 bool going_up; 3350 3351 KASSERT(SPPP_WLOCKED(sp)); 3352 3353 /* unlock for IFNET_LOCK and if_up() */ 3354 SPPP_UNLOCK(sp); 3355 3356 if (! (ifp->if_flags & IFF_UP) && 3357 (ifp->if_flags & IFF_RUNNING)) { 3358 /* Coming out of loopback mode. */ 3359 going_up = true; 3360 if_up(ifp); 3361 } else { 3362 going_up = false; 3363 } 3364 3365 IFNET_LOCK(ifp); 3366 SPPP_LOCK(sp, RW_WRITER); 3367 3368 if (going_up) { 3369 if ((sp->pp_flags & PP_LOOPBACK) == 0) { 3370 log(LOG_DEBUG, "%s: interface is going up, " 3371 "but no loopback packet is deteted\n", 3372 ifp->if_xname); 3373 } 3374 sp->pp_flags &= ~PP_LOOPBACK; 3375 } 3376 3377 if (ifp->if_mtu > sp->lcp.their_mru) { 3378 sp->pp_saved_mtu = ifp->if_mtu; 3379 ifp->if_mtu = sp->lcp.their_mru; 3380 if (debug) { 3381 log(LOG_DEBUG, 3382 "%s: setting MTU " 3383 "from %"PRIu64" bytes " 3384 "to %"PRIu64" bytes\n", 3385 ifp->if_xname, sp->pp_saved_mtu, 3386 ifp->if_mtu); 3387 } 3388 } 3389 IFNET_UNLOCK(ifp); 3390 3391 if (ISSET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO) || 3392 (sp->pp_flags & PP_NEEDAUTH) != 0) 3393 sppp_change_phase(sp, SPPP_PHASE_AUTHENTICATE); 3394 else 3395 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 3396 3397 /* 3398 * Open all authentication protocols. This is even required 3399 * if we already proceeded to network phase, since it might be 3400 * that remote wants us to authenticate, so we might have to 3401 * send a PAP request. Undesired authentication protocols 3402 * don't do anything when they get an Open event. 3403 */ 3404 for (i = 0; i < IDX_COUNT; i++) 3405 if ((cps[i])->flags & CP_AUTH) { 3406 sppp_wq_add(sp->wq_cp, 3407 &sp->scp[(cps[i])->protoidx].work_open); 3408 } 3409 3410 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 3411 /* Notify all NCPs. */ 3412 for (i = 0; i < IDX_COUNT; i++) 3413 if ((cps[i])->flags & CP_NCP) { 3414 sppp_wq_add(sp->wq_cp, 3415 &sp->scp[(cps[i])->protoidx].work_open); 3416 } 3417 } 3418 3419 /* notify low-level driver of state change */ 3420 sppp_notify_chg_wlocked(sp); 3421 } 3422 3423 static void 3424 sppp_lcp_tld(struct sppp *sp) 3425 { 3426 STDDCL; 3427 int i, pi, phase; 3428 3429 KASSERT(SPPP_WLOCKED(sp)); 3430 3431 phase = sp->pp_phase; 3432 3433 sppp_change_phase(sp, SPPP_PHASE_TERMINATE); 3434 3435 if (sp->pp_saved_mtu > 0) { 3436 SPPP_UNLOCK(sp); 3437 IFNET_LOCK(ifp); 3438 SPPP_LOCK(sp, RW_WRITER); 3439 3440 if (debug) { 3441 log(LOG_DEBUG, 3442 "%s: setting MTU " 3443 "from %"PRIu64" bytes " 3444 "to %"PRIu64" bytes\n", 3445 ifp->if_xname, ifp->if_mtu, 3446 sp->pp_saved_mtu); 3447 } 3448 3449 ifp->if_mtu = sp->pp_saved_mtu; 3450 sp->pp_saved_mtu = 0; 3451 IFNET_UNLOCK(ifp); 3452 } 3453 3454 /* 3455 * Take upper layers down. We send the Down event first and 3456 * the Close second to prevent the upper layers from sending 3457 * ``a flurry of terminate-request packets'', as the RFC 3458 * describes it. 3459 */ 3460 for (i = 0; i < IDX_COUNT; i++) { 3461 pi = (cps[i])->protoidx; 3462 if (((cps[i])->flags & CP_LCP) == 0) { 3463 /* skip if ncp was not started */ 3464 if (phase != SPPP_PHASE_NETWORK && 3465 ((cps[i])->flags & CP_NCP) != 0) 3466 continue; 3467 3468 sppp_wq_add(sp->wq_cp, &sp->scp[pi].work_down); 3469 sppp_wq_add(sp->wq_cp, &sp->scp[pi].work_close); 3470 } 3471 } 3472 } 3473 3474 static void 3475 sppp_lcp_tls(const struct cp *cp __unused, struct sppp *sp) 3476 { 3477 3478 KASSERT(SPPP_WLOCKED(sp)); 3479 3480 if (sp->pp_max_auth_fail != 0 && sp->pp_auth_failures >= sp->pp_max_auth_fail) { 3481 printf("%s: authentication failed %d times, not retrying again\n", 3482 sp->pp_if.if_xname, sp->pp_auth_failures); 3483 3484 SPPP_UNLOCK(sp); 3485 if_down(&sp->pp_if); 3486 SPPP_LOCK(sp, RW_WRITER); 3487 return; 3488 } 3489 3490 sppp_change_phase(sp, SPPP_PHASE_ESTABLISH); 3491 3492 /* Notify lower layer if desired. */ 3493 sppp_notify_tls_wlocked(sp); 3494 sp->lcp.tlf_sent = false; 3495 } 3496 3497 static void 3498 sppp_lcp_tlf(const struct cp *cp __unused, struct sppp *sp) 3499 { 3500 3501 KASSERT(SPPP_WLOCKED(sp)); 3502 3503 sppp_change_phase(sp, SPPP_PHASE_DEAD); 3504 3505 /* Notify lower layer if desired. */ 3506 sppp_notify_tlf_wlocked(sp); 3507 3508 switch (sp->scp[IDX_LCP].state) { 3509 case STATE_CLOSED: 3510 case STATE_STOPPED: 3511 sp->lcp.tlf_sent = true; 3512 break; 3513 case STATE_INITIAL: 3514 default: 3515 /* just in case */ 3516 sp->lcp.tlf_sent = false; 3517 } 3518 } 3519 3520 static void 3521 sppp_lcp_scr(struct sppp *sp) 3522 { 3523 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 3524 int i = 0; 3525 u_short authproto; 3526 3527 KASSERT(SPPP_WLOCKED(sp)); 3528 3529 if (ISSET(sp->lcp.opts, SPPP_LCP_OPT_MAGIC)) { 3530 if (! sp->lcp.magic) 3531 sp->lcp.magic = cprng_fast32(); 3532 opt[i++] = LCP_OPT_MAGIC; 3533 opt[i++] = 6; 3534 opt[i++] = sp->lcp.magic >> 24; 3535 opt[i++] = sp->lcp.magic >> 16; 3536 opt[i++] = sp->lcp.magic >> 8; 3537 opt[i++] = sp->lcp.magic; 3538 } 3539 3540 if (ISSET(sp->lcp.opts,SPPP_LCP_OPT_MRU)) { 3541 opt[i++] = LCP_OPT_MRU; 3542 opt[i++] = 4; 3543 opt[i++] = sp->lcp.mru >> 8; 3544 opt[i++] = sp->lcp.mru; 3545 } 3546 3547 if (ISSET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO)) { 3548 authproto = sp->hisauth.proto; 3549 opt[i++] = LCP_OPT_AUTH_PROTO; 3550 opt[i++] = authproto == PPP_CHAP? 5: 4; 3551 opt[i++] = authproto >> 8; 3552 opt[i++] = authproto; 3553 if (authproto == PPP_CHAP) 3554 opt[i++] = CHAP_MD5; 3555 } 3556 3557 sp->scp[IDX_LCP].confid = ++sp->scp[IDX_LCP].seq; 3558 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->scp[IDX_LCP].confid, i, &opt); 3559 } 3560 3561 /* 3562 * Check the open NCPs, return true if at least one NCP is open. 3563 */ 3564 3565 static int 3566 sppp_cp_check(struct sppp *sp, u_char cp_flags) 3567 { 3568 int i, mask; 3569 3570 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 3571 if ((sp->lcp.protos & mask) && (cps[i])->flags & cp_flags) 3572 return 1; 3573 return 0; 3574 } 3575 3576 /* 3577 * Re-check the open NCPs and see if we should terminate the link. 3578 * Called by the NCPs during their tlf action handling. 3579 */ 3580 static void 3581 sppp_lcp_check_and_close(struct sppp *sp) 3582 { 3583 3584 KASSERT(SPPP_WLOCKED(sp)); 3585 3586 if (sp->pp_phase < SPPP_PHASE_AUTHENTICATE) { 3587 /* don't bother, we are already going down */ 3588 return; 3589 } 3590 3591 if (sp->pp_phase == SPPP_PHASE_AUTHENTICATE && 3592 sppp_cp_check(sp, CP_AUTH)) 3593 return; 3594 3595 if (sp->pp_phase >= SPPP_PHASE_NETWORK && 3596 sppp_cp_check(sp, CP_NCP)) 3597 return; 3598 3599 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 3600 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open); 3601 } 3602 3603 /* 3604 *--------------------------------------------------------------------------* 3605 * * 3606 * The IPCP implementation. * 3607 * * 3608 *--------------------------------------------------------------------------* 3609 */ 3610 3611 static void 3612 sppp_ipcp_init(struct sppp *sp) 3613 { 3614 3615 KASSERT(SPPP_WLOCKED(sp)); 3616 3617 sppp_cp_init(&ipcp, sp); 3618 3619 sp->ipcp.opts = 0; 3620 sp->ipcp.flags = 0; 3621 } 3622 3623 static void 3624 sppp_ipcp_open(struct sppp *sp, void *xcp) 3625 { 3626 STDDCL; 3627 uint32_t myaddr, hisaddr; 3628 3629 KASSERT(SPPP_WLOCKED(sp)); 3630 KASSERT(!cpu_softintr_p()); 3631 3632 if (!ISSET(sp->pp_ncpflags, SPPP_NCP_IPCP)) 3633 return; 3634 3635 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 3636 sp->ipcp.req_myaddr = 0; 3637 sp->ipcp.req_hisaddr = 0; 3638 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 3639 3640 #ifdef INET 3641 kpreempt_disable(); 3642 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3643 kpreempt_enable(); 3644 #else 3645 myaddr = hisaddr = 0; 3646 #endif 3647 /* 3648 * If we don't have his address, this probably means our 3649 * interface doesn't want to talk IP at all. (This could 3650 * be the case if somebody wants to speak only IPX, for 3651 * example.) Don't open IPCP in this case. 3652 */ 3653 if (hisaddr == 0) { 3654 /* XXX this message should go away */ 3655 if (debug) 3656 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 3657 ifp->if_xname); 3658 return; 3659 } 3660 3661 if (myaddr == 0) { 3662 /* 3663 * I don't have an assigned address, so i need to 3664 * negotiate my address. 3665 */ 3666 sp->ipcp.flags |= IPCP_MYADDR_DYN; 3667 SET(sp->ipcp.opts, SPPP_IPCP_OPT_ADDRESS); 3668 } 3669 if (hisaddr == 1) { 3670 /* 3671 * XXX - remove this hack! 3672 * remote has no valid address, we need to get one assigned. 3673 */ 3674 sp->ipcp.flags |= IPCP_HISADDR_DYN; 3675 sp->ipcp.saved_hisaddr = htonl(hisaddr); 3676 } 3677 3678 if (sp->query_dns & 1) { 3679 SET(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS); 3680 } else { 3681 CLR(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS); 3682 } 3683 3684 if (sp->query_dns & 2) { 3685 SET(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS); 3686 } else { 3687 CLR(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS); 3688 } 3689 sppp_open_event(sp, xcp); 3690 } 3691 3692 static void 3693 sppp_ipcp_close(struct sppp *sp, void *xcp) 3694 { 3695 3696 KASSERT(SPPP_WLOCKED(sp)); 3697 KASSERT(!cpu_softintr_p()); 3698 3699 sppp_close_event(sp, xcp); 3700 3701 #ifdef INET 3702 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) { 3703 /* 3704 * Some address was dynamic, clear it again. 3705 */ 3706 sppp_clear_ip_addrs(sp); 3707 } 3708 #endif 3709 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 3710 } 3711 3712 /* 3713 * Analyze a configure request. Return true if it was agreeable, and 3714 * caused action sca, false if it has been rejected or nak'ed, and 3715 * caused action scn. (The return value is used to make the state 3716 * transition decision in the state automaton.) 3717 */ 3718 static enum cp_rcr_type 3719 sppp_ipcp_confreq(struct sppp *sp, struct lcp_header *h, int origlen, 3720 uint8_t **msgbuf, size_t *buflen, size_t *msglen) 3721 { 3722 u_char *buf, *r, *p, l, blen; 3723 enum cp_rcr_type type; 3724 struct ifnet *ifp = &sp->pp_if; 3725 int rlen, len, debug = ifp->if_flags & IFF_DEBUG; 3726 uint32_t hisaddr, desiredaddr; 3727 char ipbuf[SPPP_IPCPOPT_NAMELEN]; 3728 char dqbuf[SPPP_DOTQUAD_BUFLEN]; 3729 const char *dq; 3730 3731 KASSERT(SPPP_WLOCKED(sp)); 3732 3733 type = CP_RCR_NONE; 3734 origlen -= sizeof(*h); 3735 3736 if (origlen < 0) 3737 return CP_RCR_DROP; 3738 3739 /* 3740 * Make sure to allocate a buf that can at least hold a 3741 * conf-nak with an `address' option. We might need it below. 3742 */ 3743 blen = MAX(6, origlen); 3744 3745 buf = kmem_intr_alloc(blen, KM_NOSLEEP); 3746 if (buf == NULL) 3747 return CP_RCR_DROP; 3748 3749 /* pass 1: see if we can recognize them */ 3750 if (debug) 3751 log(LOG_DEBUG, "%s: ipcp parse opts:", 3752 ifp->if_xname); 3753 p = (void *)(h + 1); 3754 r = buf; 3755 rlen = 0; 3756 for (len = origlen; len > 1; len -= l, p += l) { 3757 l = p[1]; 3758 if (l == 0) 3759 break; 3760 3761 /* Sanity check option length */ 3762 if (l > len) { 3763 /* XXX should we just RXJ? */ 3764 addlog("%s: malicious IPCP option received, dropping\n", 3765 ifp->if_xname); 3766 type = CP_RCR_ERR; 3767 goto end; 3768 } 3769 if (debug) { 3770 addlog(" %s", 3771 sppp_ipcp_opt_name(ipbuf, sizeof(ipbuf), *p)); 3772 } 3773 switch (p[0]) { 3774 #ifdef notyet 3775 case IPCP_OPT_COMPRESSION: 3776 if (len >= 6 && l >= 6) { 3777 /* correctly formed compress option */ 3778 continue; 3779 } 3780 if (debug) 3781 addlog(" [invalid]"); 3782 break; 3783 #endif 3784 case IPCP_OPT_ADDRESS: 3785 if (len >= 6 && l == 6) { 3786 /* correctly formed address option */ 3787 continue; 3788 } 3789 if (debug) 3790 addlog(" [invalid]"); 3791 break; 3792 default: 3793 /* Others not supported. */ 3794 if (debug) 3795 addlog(" [rej]"); 3796 break; 3797 } 3798 /* Add the option to rejected list. */ 3799 if (rlen + l > blen) { 3800 if (debug) 3801 addlog(" [overflow]"); 3802 continue; 3803 } 3804 memcpy(r, p, l); 3805 r += l; 3806 rlen += l; 3807 } 3808 3809 if (rlen > 0) { 3810 type = CP_RCR_REJ; 3811 goto end; 3812 } 3813 3814 if (debug) 3815 addlog("\n"); 3816 3817 /* pass 2: parse option values */ 3818 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 3819 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 3820 else 3821 #ifdef INET 3822 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 3823 #else 3824 hisaddr = 0; 3825 #endif 3826 if (debug) 3827 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 3828 ifp->if_xname); 3829 p = (void *)(h + 1); 3830 r = buf; 3831 rlen = 0; 3832 for (len = origlen; len > 1; len -= l, p += l) { 3833 l = p[1]; 3834 if (l == 0) 3835 break; 3836 3837 if (debug) { 3838 addlog(" %s", 3839 sppp_ipcp_opt_name(ipbuf, sizeof(ipbuf), *p)); 3840 } 3841 switch (p[0]) { 3842 #ifdef notyet 3843 case IPCP_OPT_COMPRESSION: 3844 continue; 3845 #endif 3846 case IPCP_OPT_ADDRESS: 3847 desiredaddr = p[2] << 24 | p[3] << 16 | 3848 p[4] << 8 | p[5]; 3849 if (desiredaddr == hisaddr || 3850 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 3851 /* 3852 * Peer's address is same as our value, 3853 * this is agreeable. Gonna conf-ack 3854 * it. 3855 */ 3856 if (debug) { 3857 dq = sppp_dotted_quad(dqbuf, 3858 sizeof(dqbuf), hisaddr); 3859 addlog(" %s [ack]", dq); 3860 } 3861 /* record that we've seen it already */ 3862 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 3863 sp->ipcp.req_hisaddr = desiredaddr; 3864 hisaddr = desiredaddr; 3865 continue; 3866 } 3867 /* 3868 * The address wasn't agreeable. This is either 3869 * he sent us 0.0.0.0, asking to assign him an 3870 * address, or he send us another address not 3871 * matching our value. Either case, we gonna 3872 * conf-nak it with our value. 3873 */ 3874 if (debug) { 3875 if (desiredaddr == 0) { 3876 addlog(" [addr requested]"); 3877 } else { 3878 dq = sppp_dotted_quad(dqbuf, 3879 sizeof(dqbuf), desiredaddr); 3880 addlog(" %s [not agreed]", dq); 3881 } 3882 } 3883 3884 p[2] = hisaddr >> 24; 3885 p[3] = hisaddr >> 16; 3886 p[4] = hisaddr >> 8; 3887 p[5] = hisaddr; 3888 break; 3889 } 3890 if (rlen + l > blen) { 3891 if (debug) 3892 addlog(" [overflow]"); 3893 continue; 3894 } 3895 /* Add the option to nak'ed list. */ 3896 memcpy(r, p, l); 3897 r += l; 3898 rlen += l; 3899 } 3900 3901 if (rlen > 0) { 3902 type = CP_RCR_NAK; 3903 } else { 3904 if ((sp->ipcp.flags & IPCP_HISADDR_SEEN) == 0) { 3905 /* 3906 * If we are about to conf-ack the request, but haven't seen 3907 * his address so far, gonna conf-nak it instead, with the 3908 * `address' option present and our idea of his address being 3909 * filled in there, to request negotiation of both addresses. 3910 * 3911 * XXX This can result in an endless req - nak loop if peer 3912 * doesn't want to send us his address. Q: What should we do 3913 * about it? XXX A: implement the max-failure counter. 3914 */ 3915 buf[0] = IPCP_OPT_ADDRESS; 3916 buf[1] = 6; 3917 buf[2] = hisaddr >> 24; 3918 buf[3] = hisaddr >> 16; 3919 buf[4] = hisaddr >> 8; 3920 buf[5] = hisaddr; 3921 rlen = 6; 3922 if (debug) 3923 addlog(" still need hisaddr"); 3924 type = CP_RCR_NAK; 3925 } else { 3926 type = CP_RCR_ACK; 3927 rlen = origlen; 3928 memcpy(r, h + 1, rlen); 3929 } 3930 } 3931 3932 end: 3933 if (debug) 3934 addlog("\n"); 3935 3936 if (type == CP_RCR_ERR || type == CP_RCR_DROP) { 3937 if (buf != NULL) 3938 kmem_intr_free(buf, blen); 3939 } else { 3940 *msgbuf = buf; 3941 *buflen = blen; 3942 *msglen = rlen; 3943 } 3944 3945 return type; 3946 } 3947 3948 /* 3949 * Analyze the IPCP Configure-Reject option list, and adjust our 3950 * negotiation. 3951 */ 3952 static void 3953 sppp_ipcp_confrej(struct sppp *sp, struct lcp_header *h, int len) 3954 { 3955 u_char *p, l; 3956 struct ifnet *ifp = &sp->pp_if; 3957 int debug = ifp->if_flags & IFF_DEBUG; 3958 3959 KASSERT(SPPP_WLOCKED(sp)); 3960 3961 if (len <= sizeof(*h)) 3962 return; 3963 3964 len -= sizeof(*h); 3965 3966 if (debug) 3967 log(LOG_DEBUG, "%s: ipcp rej opts:", 3968 ifp->if_xname); 3969 3970 p = (void *)(h + 1); 3971 for (; len > 1; len -= l, p += l) { 3972 l = p[1]; 3973 if (l == 0) 3974 break; 3975 3976 /* Sanity check option length */ 3977 if (l > len) { 3978 /* XXX should we just RXJ? */ 3979 addlog("%s: malicious IPCP option received, dropping\n", 3980 ifp->if_xname); 3981 goto end; 3982 } 3983 if (debug) { 3984 char ipbuf[SPPP_IPCPOPT_NAMELEN]; 3985 addlog(" %s", 3986 sppp_ipcp_opt_name(ipbuf, sizeof(ipbuf), *p)); 3987 } 3988 switch (p[0]) { 3989 case IPCP_OPT_ADDRESS: 3990 /* 3991 * Peer doesn't grok address option. This is 3992 * bad. XXX Should we better give up here? 3993 */ 3994 if (!debug) { 3995 log(LOG_ERR, "%s: " 3996 "IPCP address option rejected\n", 3997 ifp->if_xname); 3998 } 3999 CLR(sp->ipcp.opts, SPPP_IPCP_OPT_ADDRESS); 4000 break; 4001 #ifdef notyet 4002 case IPCP_OPT_COMPRESS: 4003 CLR(sp->ipcp.opts, SPPP_IPCP_OPT_COMPRESS); 4004 break; 4005 #endif 4006 case IPCP_OPT_PRIMDNS: 4007 CLR(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS); 4008 break; 4009 4010 case IPCP_OPT_SECDNS: 4011 CLR(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS); 4012 break; 4013 } 4014 } 4015 if (debug) 4016 addlog("\n"); 4017 end: 4018 return; 4019 } 4020 4021 /* 4022 * Analyze the IPCP Configure-NAK option list, and adjust our 4023 * negotiation. 4024 */ 4025 static void 4026 sppp_ipcp_confnak(struct sppp *sp, struct lcp_header *h, int len) 4027 { 4028 u_char *p, l; 4029 struct ifnet *ifp = &sp->pp_if; 4030 int debug = ifp->if_flags & IFF_DEBUG; 4031 uint32_t wantaddr; 4032 4033 KASSERT(SPPP_WLOCKED(sp)); 4034 4035 len -= sizeof(*h); 4036 4037 if (debug) 4038 log(LOG_DEBUG, "%s: ipcp nak opts:", 4039 ifp->if_xname); 4040 4041 p = (void *)(h + 1); 4042 for (; len > 1; len -= l, p += l) { 4043 l = p[1]; 4044 if (l == 0) 4045 break; 4046 4047 /* Sanity check option length */ 4048 if (l > len) { 4049 /* XXX should we just RXJ? */ 4050 addlog("%s: malicious IPCP option received, dropping\n", 4051 ifp->if_xname); 4052 return; 4053 } 4054 if (debug) { 4055 char ipbuf[SPPP_IPCPOPT_NAMELEN]; 4056 addlog(" %s", 4057 sppp_ipcp_opt_name(ipbuf, sizeof(ipbuf), *p)); 4058 } 4059 switch (*p) { 4060 case IPCP_OPT_ADDRESS: 4061 /* 4062 * Peer doesn't like our local IP address. See 4063 * if we can do something for him. We'll drop 4064 * him our address then. 4065 */ 4066 if (len >= 6 && l == 6) { 4067 wantaddr = p[2] << 24 | p[3] << 16 | 4068 p[4] << 8 | p[5]; 4069 SET(sp->ipcp.opts, SPPP_IPCP_OPT_ADDRESS); 4070 if (debug) { 4071 char dqbuf[SPPP_DOTQUAD_BUFLEN]; 4072 const char *dq; 4073 4074 dq = sppp_dotted_quad(dqbuf, 4075 sizeof(dqbuf), wantaddr); 4076 addlog(" [wantaddr %s]", dq); 4077 } 4078 /* 4079 * When doing dynamic address assignment, 4080 * we accept his offer. Otherwise, we 4081 * ignore it and thus continue to negotiate 4082 * our already existing value. 4083 */ 4084 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 4085 if (ntohl(wantaddr) != INADDR_ANY) { 4086 if (debug) 4087 addlog(" [agree]"); 4088 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 4089 sp->ipcp.req_myaddr = wantaddr; 4090 } else { 4091 if (debug) 4092 addlog(" [not agreed]"); 4093 } 4094 } 4095 } 4096 break; 4097 4098 case IPCP_OPT_PRIMDNS: 4099 if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS) && 4100 len >= 6 && l == 6) { 4101 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 4102 p[4] << 8 | p[5]; 4103 } 4104 break; 4105 4106 case IPCP_OPT_SECDNS: 4107 if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS) && 4108 len >= 6 && l == 6) { 4109 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 4110 p[4] << 8 | p[5]; 4111 } 4112 break; 4113 #ifdef notyet 4114 case IPCP_OPT_COMPRESS: 4115 /* 4116 * Peer wants different compression parameters. 4117 */ 4118 break; 4119 #endif 4120 } 4121 } 4122 if (debug) 4123 addlog("\n"); 4124 } 4125 4126 static void 4127 sppp_ipcp_tlu(struct sppp *sp) 4128 { 4129 #ifdef INET 4130 struct ifnet *ifp; 4131 4132 ifp = &sp->pp_if; 4133 KASSERT(SPPP_WLOCKED(sp)); 4134 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && 4135 ((sp->ipcp.flags & IPCP_MYADDR_SEEN) == 0)) { 4136 log(LOG_WARNING, "%s: no IP address, closing IPCP\n", 4137 ifp->if_xname); 4138 sppp_wq_add(sp->wq_cp, 4139 &sp->scp[IDX_IPCP].work_close); 4140 } else { 4141 /* we are up. Set addresses and notify anyone interested */ 4142 sppp_set_ip_addrs(sp); 4143 } 4144 #endif 4145 } 4146 4147 static void 4148 sppp_ipcp_scr(struct sppp *sp) 4149 { 4150 uint8_t opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 4151 #ifdef INET 4152 uint32_t ouraddr; 4153 #endif 4154 int i = 0; 4155 4156 KASSERT(SPPP_WLOCKED(sp)); 4157 4158 #ifdef notyet 4159 if (ISSET(sp->ipcp.opts,SPPP_IPCP_OPT_COMPRESSION)) { 4160 opt[i++] = IPCP_OPT_COMPRESSION; 4161 opt[i++] = 6; 4162 opt[i++] = 0; /* VJ header compression */ 4163 opt[i++] = 0x2d; /* VJ header compression */ 4164 opt[i++] = max_slot_id; 4165 opt[i++] = comp_slot_id; 4166 } 4167 #endif 4168 4169 #ifdef INET 4170 if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_ADDRESS)) { 4171 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) { 4172 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 4173 } else { 4174 kpreempt_disable(); 4175 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 4176 kpreempt_enable(); 4177 } 4178 opt[i++] = IPCP_OPT_ADDRESS; 4179 opt[i++] = 6; 4180 opt[i++] = ouraddr >> 24; 4181 opt[i++] = ouraddr >> 16; 4182 opt[i++] = ouraddr >> 8; 4183 opt[i++] = ouraddr; 4184 } 4185 #endif 4186 4187 if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS)) { 4188 opt[i++] = IPCP_OPT_PRIMDNS; 4189 opt[i++] = 6; 4190 opt[i++] = sp->dns_addrs[0] >> 24; 4191 opt[i++] = sp->dns_addrs[0] >> 16; 4192 opt[i++] = sp->dns_addrs[0] >> 8; 4193 opt[i++] = sp->dns_addrs[0]; 4194 } 4195 if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS)) { 4196 opt[i++] = IPCP_OPT_SECDNS; 4197 opt[i++] = 6; 4198 opt[i++] = sp->dns_addrs[1] >> 24; 4199 opt[i++] = sp->dns_addrs[1] >> 16; 4200 opt[i++] = sp->dns_addrs[1] >> 8; 4201 opt[i++] = sp->dns_addrs[1]; 4202 } 4203 4204 sp->scp[IDX_IPCP].confid = ++sp->scp[IDX_IPCP].seq; 4205 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->scp[IDX_IPCP].confid, i, &opt); 4206 } 4207 4208 /* 4209 *--------------------------------------------------------------------------* 4210 * * 4211 * The IPv6CP implementation. * 4212 * * 4213 *--------------------------------------------------------------------------* 4214 */ 4215 4216 #ifdef INET6 4217 static void 4218 sppp_ipv6cp_init(struct sppp *sp) 4219 { 4220 4221 KASSERT(SPPP_WLOCKED(sp)); 4222 4223 sppp_cp_init(&ipv6cp, sp); 4224 4225 sp->ipv6cp.opts = 0; 4226 sp->ipv6cp.flags = 0; 4227 } 4228 4229 static void 4230 sppp_ipv6cp_open(struct sppp *sp, void *xcp) 4231 { 4232 STDDCL; 4233 struct in6_addr myaddr, hisaddr; 4234 4235 KASSERT(SPPP_WLOCKED(sp)); 4236 KASSERT(!cpu_softintr_p()); 4237 4238 if (!ISSET(sp->pp_ncpflags, SPPP_NCP_IPV6CP)) 4239 return; 4240 4241 #ifdef IPV6CP_MYIFID_DYN 4242 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 4243 #else 4244 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 4245 #endif 4246 4247 kpreempt_disable(); 4248 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 4249 kpreempt_enable(); 4250 /* 4251 * If we don't have our address, this probably means our 4252 * interface doesn't want to talk IPv6 at all. (This could 4253 * be the case if somebody wants to speak only IPX, for 4254 * example.) Don't open IPv6CP in this case. 4255 */ 4256 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 4257 /* XXX this message should go away */ 4258 if (debug) 4259 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 4260 ifp->if_xname); 4261 return; 4262 } 4263 4264 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 4265 SET(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_IFID); 4266 sppp_open_event(sp, xcp); 4267 } 4268 4269 /* 4270 * Analyze a configure request. Return true if it was agreeable, and 4271 * caused action sca, false if it has been rejected or nak'ed, and 4272 * caused action scn. (The return value is used to make the state 4273 * transition decision in the state automaton.) 4274 */ 4275 static enum cp_rcr_type 4276 sppp_ipv6cp_confreq(struct sppp *sp, struct lcp_header *h, int origlen, 4277 uint8_t **msgbuf, size_t *buflen, size_t *msglen) 4278 { 4279 u_char *buf, *r, *p, l, blen; 4280 struct ifnet *ifp = &sp->pp_if; 4281 int rlen, len, debug = ifp->if_flags & IFF_DEBUG; 4282 struct in6_addr myaddr, desiredaddr, suggestaddr; 4283 enum cp_rcr_type type; 4284 int ifidcount; 4285 int collision, nohisaddr; 4286 char ip6buf[INET6_ADDRSTRLEN]; 4287 char tbuf[SPPP_CPTYPE_NAMELEN]; 4288 char ipv6buf[SPPP_IPV6CPOPT_NAMELEN]; 4289 const char *cpname; 4290 4291 KASSERT(SPPP_WLOCKED(sp)); 4292 4293 type = CP_RCR_NONE; 4294 origlen -= sizeof(*h); 4295 4296 if (origlen < 0) 4297 return CP_RCR_DROP; 4298 4299 /* 4300 * Make sure to allocate a buf that can at least hold a 4301 * conf-nak with an `address' option. We might need it below. 4302 */ 4303 blen = MAX(6, origlen); 4304 4305 buf = kmem_intr_alloc(blen, KM_NOSLEEP); 4306 if (buf == NULL) 4307 return CP_RCR_DROP; 4308 4309 /* pass 1: see if we can recognize them */ 4310 if (debug) 4311 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 4312 ifp->if_xname); 4313 p = (void *)(h + 1); 4314 r = buf; 4315 rlen = 0; 4316 ifidcount = 0; 4317 for (len = origlen; len > 1; len -= l, p += l) { 4318 l = p[1]; 4319 if (l == 0) 4320 break; 4321 4322 /* Sanity check option length */ 4323 if (l > len) { 4324 /* XXX just RXJ? */ 4325 addlog("%s: received malicious IPCPv6 option, " 4326 "dropping\n", ifp->if_xname); 4327 type = CP_RCR_ERR; 4328 goto end; 4329 } 4330 if (debug) { 4331 addlog(" %s", sppp_ipv6cp_opt_name(ipv6buf, 4332 sizeof(ipv6buf),*p)); 4333 } 4334 switch (p[0]) { 4335 case IPV6CP_OPT_IFID: 4336 if (len >= 10 && l == 10 && ifidcount == 0) { 4337 /* correctly formed address option */ 4338 ifidcount++; 4339 continue; 4340 } 4341 if (debug) 4342 addlog(" [invalid]"); 4343 break; 4344 #ifdef notyet 4345 case IPV6CP_OPT_COMPRESSION: 4346 if (len >= 4 && l >= 4) { 4347 /* correctly formed compress option */ 4348 continue; 4349 } 4350 if (debug) 4351 addlog(" [invalid]"); 4352 break; 4353 #endif 4354 default: 4355 /* Others not supported. */ 4356 if (debug) 4357 addlog(" [rej]"); 4358 break; 4359 } 4360 if (rlen + l > blen) { 4361 if (debug) 4362 addlog(" [overflow]"); 4363 continue; 4364 } 4365 /* Add the option to rejected list. */ 4366 memcpy(r, p, l); 4367 r += l; 4368 rlen += l; 4369 } 4370 4371 if (rlen > 0) { 4372 type = CP_RCR_REJ; 4373 goto end; 4374 } 4375 4376 if (debug) 4377 addlog("\n"); 4378 4379 /* pass 2: parse option values */ 4380 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 4381 if (debug) 4382 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 4383 ifp->if_xname); 4384 p = (void *)(h + 1); 4385 r = buf; 4386 rlen = 0; 4387 type = CP_RCR_ACK; 4388 for (len = origlen; len > 1; len -= l, p += l) { 4389 l = p[1]; 4390 if (l == 0) 4391 break; 4392 4393 if (debug) { 4394 addlog(" %s", sppp_ipv6cp_opt_name(ipv6buf, 4395 sizeof(ipv6buf), *p)); 4396 } 4397 switch (p[0]) { 4398 #ifdef notyet 4399 case IPV6CP_OPT_COMPRESSION: 4400 continue; 4401 #endif 4402 case IPV6CP_OPT_IFID: 4403 memset(&desiredaddr, 0, sizeof(desiredaddr)); 4404 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 4405 collision = (memcmp(&desiredaddr.s6_addr[8], 4406 &myaddr.s6_addr[8], 8) == 0); 4407 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 4408 4409 desiredaddr.s6_addr16[0] = htons(0xfe80); 4410 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 4411 4412 if (!collision && !nohisaddr) { 4413 /* no collision, hisaddr known - Conf-Ack */ 4414 type = CP_RCR_ACK; 4415 memcpy(sp->ipv6cp.my_ifid, &myaddr.s6_addr[8], 4416 sizeof(sp->ipv6cp.my_ifid)); 4417 memcpy(sp->ipv6cp.his_ifid, 4418 &desiredaddr.s6_addr[8], 4419 sizeof(sp->ipv6cp.my_ifid)); 4420 4421 if (debug) { 4422 cpname = sppp_cp_type_name(tbuf, 4423 sizeof(tbuf), CONF_ACK); 4424 addlog(" %s [%s]", 4425 IN6_PRINT(ip6buf, &desiredaddr), 4426 cpname); 4427 } 4428 continue; 4429 } 4430 4431 memset(&suggestaddr, 0, sizeof(suggestaddr)); 4432 if (collision && nohisaddr) { 4433 /* collision, hisaddr unknown - Conf-Rej */ 4434 type = CP_RCR_REJ; 4435 memset(&p[2], 0, 8); 4436 } else { 4437 /* 4438 * - no collision, hisaddr unknown, or 4439 * - collision, hisaddr known 4440 * Conf-Nak, suggest hisaddr 4441 */ 4442 type = CP_RCR_NAK; 4443 sppp_suggest_ip6_addr(sp, &suggestaddr); 4444 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 4445 } 4446 if (debug) { 4447 int ctype = type == CP_RCR_REJ ? CONF_REJ : CONF_NAK; 4448 4449 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), ctype); 4450 addlog(" %s [%s]", IN6_PRINT(ip6buf, &desiredaddr), 4451 cpname); 4452 } 4453 break; 4454 } 4455 if (rlen + l > blen) { 4456 if (debug) 4457 addlog(" [overflow]"); 4458 continue; 4459 } 4460 /* Add the option to nak'ed list. */ 4461 memcpy(r, p, l); 4462 r += l; 4463 rlen += l; 4464 } 4465 4466 if (rlen > 0) { 4467 if (type != CP_RCR_ACK) { 4468 if (debug) { 4469 int ctype ; 4470 ctype = type == CP_RCR_REJ ? 4471 CONF_REJ : CONF_NAK; 4472 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), ctype); 4473 addlog(" send %s suggest %s\n", 4474 cpname, IN6_PRINT(ip6buf, &suggestaddr)); 4475 } 4476 } 4477 #ifdef notdef 4478 if (type == CP_RCR_ACK) 4479 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 4480 #endif 4481 } else { 4482 if (type == CP_RCR_ACK) { 4483 rlen = origlen; 4484 memcpy(r, h + 1, rlen); 4485 } 4486 } 4487 end: 4488 if (debug) 4489 addlog("\n"); 4490 4491 if (type == CP_RCR_ERR || type == CP_RCR_DROP) { 4492 if (buf != NULL) 4493 kmem_intr_free(buf, blen); 4494 } else { 4495 *msgbuf = buf; 4496 *buflen = blen; 4497 *msglen = rlen; 4498 } 4499 4500 return type; 4501 } 4502 4503 /* 4504 * Analyze the IPv6CP Configure-Reject option list, and adjust our 4505 * negotiation. 4506 */ 4507 static void 4508 sppp_ipv6cp_confrej(struct sppp *sp, struct lcp_header *h, int len) 4509 { 4510 u_char *p, l; 4511 struct ifnet *ifp = &sp->pp_if; 4512 int debug = ifp->if_flags & IFF_DEBUG; 4513 4514 KASSERT(SPPP_WLOCKED(sp)); 4515 4516 if (len <= sizeof(*h)) 4517 return; 4518 4519 len -= sizeof(*h); 4520 4521 if (debug) 4522 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 4523 ifp->if_xname); 4524 4525 p = (void *)(h + 1); 4526 for (; len > 1; len -= l, p += l) { 4527 l = p[1]; 4528 if (l == 0) 4529 break; 4530 4531 if (l > len) { 4532 /* XXX just RXJ? */ 4533 addlog("%s: received malicious IPCPv6 option, " 4534 "dropping\n", ifp->if_xname); 4535 goto end; 4536 } 4537 if (debug) { 4538 char ipv6buf[SPPP_IPV6CPOPT_NAMELEN]; 4539 addlog(" %s", sppp_ipv6cp_opt_name(ipv6buf, 4540 sizeof(ipv6buf), *p)); 4541 } 4542 switch (p[0]) { 4543 case IPV6CP_OPT_IFID: 4544 /* 4545 * Peer doesn't grok address option. This is 4546 * bad. XXX Should we better give up here? 4547 */ 4548 CLR(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_IFID); 4549 break; 4550 #ifdef notyet 4551 case IPV6CP_OPT_COMPRESS: 4552 CLR(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_COMPRESS); 4553 break; 4554 #endif 4555 } 4556 } 4557 if (debug) 4558 addlog("\n"); 4559 end: 4560 return; 4561 } 4562 4563 /* 4564 * Analyze the IPv6CP Configure-NAK option list, and adjust our 4565 * negotiation. 4566 */ 4567 static void 4568 sppp_ipv6cp_confnak(struct sppp *sp, struct lcp_header *h, int len) 4569 { 4570 u_char *p, l; 4571 struct ifnet *ifp = &sp->pp_if; 4572 int debug = ifp->if_flags & IFF_DEBUG; 4573 struct in6_addr suggestaddr; 4574 char ip6buf[INET6_ADDRSTRLEN]; 4575 4576 KASSERT(SPPP_WLOCKED(sp)); 4577 4578 if (len <= sizeof(*h)) 4579 return; 4580 4581 len -= sizeof(*h); 4582 4583 if (debug) 4584 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 4585 ifp->if_xname); 4586 4587 p = (void *)(h + 1); 4588 for (; len > 1; len -= l, p += l) { 4589 l = p[1]; 4590 if (l == 0) 4591 break; 4592 4593 if (l > len) { 4594 /* XXX just RXJ? */ 4595 addlog("%s: received malicious IPCPv6 option, " 4596 "dropping\n", ifp->if_xname); 4597 goto end; 4598 } 4599 if (debug) { 4600 char ipv6buf[SPPP_IPV6CPOPT_NAMELEN]; 4601 addlog(" %s", sppp_ipv6cp_opt_name(ipv6buf, 4602 sizeof(ipv6buf), *p)); 4603 } 4604 switch (p[0]) { 4605 case IPV6CP_OPT_IFID: 4606 /* 4607 * Peer doesn't like our local ifid. See 4608 * if we can do something for him. We'll drop 4609 * him our address then. 4610 */ 4611 if (len < 10 || l != 10) 4612 break; 4613 memset(&suggestaddr, 0, sizeof(suggestaddr)); 4614 suggestaddr.s6_addr16[0] = htons(0xfe80); 4615 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 4616 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 4617 4618 SET(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_IFID); 4619 if (debug) 4620 addlog(" [suggestaddr %s]", 4621 IN6_PRINT(ip6buf, &suggestaddr)); 4622 #ifdef IPV6CP_MYIFID_DYN 4623 /* 4624 * When doing dynamic address assignment, 4625 * we accept his offer. 4626 */ 4627 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 4628 struct in6_addr lastsuggest; 4629 /* 4630 * If <suggested myaddr from peer> equals to 4631 * <hisaddr we have suggested last time>, 4632 * we have a collision. generate new random 4633 * ifid. 4634 */ 4635 sppp_suggest_ip6_addr(&lastsuggest); 4636 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 4637 lastsuggest)) { 4638 if (debug) 4639 addlog(" [random]"); 4640 sppp_gen_ip6_addr(sp, &suggestaddr); 4641 } 4642 sppp_set_ip6_addr(sp, &suggestaddr, 0); 4643 if (debug) 4644 addlog(" [agree]"); 4645 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 4646 } 4647 #else 4648 /* 4649 * Since we do not do dynamic address assignment, 4650 * we ignore it and thus continue to negotiate 4651 * our already existing value. This can possibly 4652 * go into infinite request-reject loop. 4653 * 4654 * This is not likely because we normally use 4655 * ifid based on MAC-address. 4656 * If you have no ethernet card on the node, too bad. 4657 * XXX should we use fail_counter? 4658 */ 4659 #endif 4660 break; 4661 #ifdef notyet 4662 case IPV6CP_OPT_COMPRESS: 4663 /* 4664 * Peer wants different compression parameters. 4665 */ 4666 break; 4667 #endif 4668 } 4669 } 4670 if (debug) 4671 addlog("\n"); 4672 end: 4673 return; 4674 } 4675 4676 static void 4677 sppp_ipv6cp_tlu(struct sppp *sp) 4678 { 4679 4680 KASSERT(SPPP_WLOCKED(sp)); 4681 /* we are up - notify isdn daemon */ 4682 sppp_notify_con_wlocked(sp); 4683 } 4684 4685 static void 4686 sppp_ipv6cp_scr(struct sppp *sp) 4687 { 4688 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 4689 struct in6_addr ouraddr; 4690 int i = 0; 4691 4692 KASSERT(SPPP_WLOCKED(sp)); 4693 4694 if (ISSET(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_IFID)) { 4695 kpreempt_disable(); 4696 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 4697 kpreempt_enable(); 4698 4699 opt[i++] = IPV6CP_OPT_IFID; 4700 opt[i++] = 10; 4701 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 4702 i += 8; 4703 } 4704 4705 #ifdef notyet 4706 if (ISSET(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_COMPRESSION)) { 4707 opt[i++] = IPV6CP_OPT_COMPRESSION; 4708 opt[i++] = 4; 4709 opt[i++] = 0; /* TBD */ 4710 opt[i++] = 0; /* TBD */ 4711 /* variable length data may follow */ 4712 } 4713 #endif 4714 4715 sp->scp[IDX_IPV6CP].confid = ++sp->scp[IDX_IPV6CP].seq; 4716 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->scp[IDX_IPV6CP].confid, i, &opt); 4717 } 4718 #else /*INET6*/ 4719 static void 4720 sppp_ipv6cp_init(struct sppp *sp) 4721 { 4722 4723 KASSERT(SPPP_WLOCKED(sp)); 4724 } 4725 4726 static void 4727 sppp_ipv6cp_open(struct sppp *sp, void *xcp) 4728 { 4729 4730 KASSERT(SPPP_WLOCKED(sp)); 4731 } 4732 4733 static enum cp_rcr_type 4734 sppp_ipv6cp_confreq(struct sppp *sp, struct lcp_header *h, 4735 int len, uint8_t **msgbuf, size_t *buflen, size_t *msglen) 4736 { 4737 4738 KASSERT(SPPP_WLOCKED(sp)); 4739 return 0; 4740 } 4741 4742 static void 4743 sppp_ipv6cp_confrej(struct sppp *sp, struct lcp_header *h, 4744 int len) 4745 { 4746 4747 KASSERT(SPPP_WLOCKED(sp)); 4748 } 4749 4750 static void 4751 sppp_ipv6cp_confnak(struct sppp *sp, struct lcp_header *h, 4752 int len) 4753 { 4754 4755 KASSERT(SPPP_WLOCKED(sp)); 4756 } 4757 4758 static void 4759 sppp_ipv6cp_tlu(struct sppp *sp) 4760 { 4761 4762 KASSERT(SPPP_WLOCKED(sp)); 4763 } 4764 4765 static void 4766 sppp_ipv6cp_scr(struct sppp *sp) 4767 { 4768 4769 KASSERT(SPPP_WLOCKED(sp)); 4770 } 4771 #endif /*INET6*/ 4772 4773 /* 4774 *--------------------------------------------------------------------------* 4775 * * 4776 * The CHAP implementation. * 4777 * * 4778 *--------------------------------------------------------------------------* 4779 */ 4780 /* 4781 * The authentication protocols is implemented on the state machine for 4782 * control protocols. And it uses following actions and events. 4783 * 4784 * Actions: 4785 * - scr: send CHAP_CHALLENGE and CHAP_RESPONSE 4786 * - sca: send CHAP_SUCCESS 4787 * - scn: send CHAP_FAILURE and shutdown lcp 4788 * Events: 4789 * - RCR+: receive CHAP_RESPONSE containing correct digest 4790 * - RCR-: receive CHAP_RESPONSE containing wrong digest 4791 * - RCA: receive CHAP_SUCCESS 4792 * - RCN: (this event is unused) 4793 * - TO+: re-send CHAP_CHALLENGE and CHAP_RESPONSE 4794 * - TO-: this layer finish 4795 */ 4796 4797 /* 4798 * Handle incoming CHAP packets. 4799 */ 4800 void 4801 sppp_chap_input(struct sppp *sp, struct mbuf *m) 4802 { 4803 STDDCL; 4804 struct lcp_header *h; 4805 int len, x; 4806 u_char *value, *name, digest[sizeof(sp->chap.challenge)]; 4807 int value_len, name_len; 4808 MD5_CTX ctx; 4809 char abuf[SPPP_AUTHTYPE_NAMELEN]; 4810 const char *authname; 4811 4812 len = m->m_pkthdr.len; 4813 if (len < 4) { 4814 if (debug) 4815 log(LOG_DEBUG, 4816 "%s: chap invalid packet length: %d bytes\n", 4817 ifp->if_xname, len); 4818 return; 4819 } 4820 h = mtod(m, struct lcp_header *); 4821 if (len > ntohs(h->len)) 4822 len = ntohs(h->len); 4823 4824 SPPP_LOCK(sp, RW_WRITER); 4825 4826 switch (h->type) { 4827 /* challenge, failure and success are his authproto */ 4828 case CHAP_CHALLENGE: 4829 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4830 /* can't do anything useful */ 4831 sp->pp_auth_failures++; 4832 printf("%s: chap input without my name and my secret being set\n", 4833 ifp->if_xname); 4834 break; 4835 } 4836 value = 1 + (u_char *)(h + 1); 4837 value_len = value[-1]; 4838 name = value + value_len; 4839 name_len = len - value_len - 5; 4840 if (name_len < 0) { 4841 if (debug) { 4842 authname = sppp_auth_type_name(abuf, 4843 sizeof(abuf), PPP_CHAP, h->type); 4844 log(LOG_DEBUG, 4845 "%s: chap corrupted challenge " 4846 "<%s id=0x%x len=%d", 4847 ifp->if_xname, authname, 4848 h->ident, ntohs(h->len)); 4849 if (len > 4) 4850 sppp_print_bytes((u_char *)(h + 1), 4851 len - 4); 4852 addlog(">\n"); 4853 } 4854 break; 4855 } 4856 4857 if (debug) { 4858 authname = sppp_auth_type_name(abuf, 4859 sizeof(abuf), PPP_CHAP, h->type); 4860 log(LOG_DEBUG, 4861 "%s: chap input <%s id=0x%x len=%d name=", 4862 ifp->if_xname, authname, h->ident, 4863 ntohs(h->len)); 4864 sppp_print_string((char *) name, name_len); 4865 addlog(" value-size=%d value=", value_len); 4866 sppp_print_bytes(value, value_len); 4867 addlog(">\n"); 4868 } 4869 4870 /* Compute reply value. */ 4871 MD5Init(&ctx); 4872 MD5Update(&ctx, &h->ident, 1); 4873 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 4874 MD5Update(&ctx, value, value_len); 4875 MD5Final(sp->chap.digest, &ctx); 4876 sp->chap.digest_len = sizeof(sp->chap.digest); 4877 sp->scp[IDX_CHAP].rconfid = h->ident; 4878 4879 sppp_wq_add(sp->wq_cp, &sp->chap.work_challenge_rcvd); 4880 break; 4881 4882 case CHAP_SUCCESS: 4883 if (debug) { 4884 log(LOG_DEBUG, "%s: chap success", 4885 ifp->if_xname); 4886 if (len > 4) { 4887 addlog(": "); 4888 sppp_print_string((char *)(h + 1), len - 4); 4889 } 4890 addlog("\n"); 4891 } 4892 4893 if (h->ident != sp->scp[IDX_CHAP].rconfid) { 4894 if (debug) { 4895 log(LOG_DEBUG, "%s: %s id mismatch 0x%x != 0x%x\n", 4896 ifp->if_xname, chap.name, 4897 h->ident, sp->scp[IDX_CHAP].rconfid); 4898 } 4899 if_statinc(ifp, if_ierrors); 4900 break; 4901 } 4902 4903 if (sp->chap.digest_len == 0) { 4904 if (debug) { 4905 log(LOG_DEBUG, 4906 "%s: receive CHAP success without challenge\n", 4907 ifp->if_xname); 4908 } 4909 if_statinc(ifp, if_ierrors); 4910 break; 4911 } 4912 4913 x = splnet(); 4914 sp->pp_auth_failures = 0; 4915 sp->pp_flags &= ~PP_NEEDAUTH; 4916 splx(x); 4917 memset(sp->chap.digest, 0, sizeof(sp->chap.digest)); 4918 sp->chap.digest_len = 0; 4919 4920 if (!ISSET(sppp_auth_role(&chap, sp), SPPP_AUTH_SERV)) { 4921 /* 4922 * we are not authenticator for CHAP, 4923 * generate a dummy RCR+ event without CHAP_RESPONSE 4924 */ 4925 sp->scp[IDX_CHAP].rcr_type = CP_RCR_ACK; 4926 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rcr); 4927 } 4928 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rca); 4929 break; 4930 4931 case CHAP_FAILURE: 4932 if (h->ident != sp->scp[IDX_CHAP].rconfid) { 4933 if (debug) { 4934 log(LOG_DEBUG, "%s: %s id mismatch 0x%x != 0x%x\n", 4935 ifp->if_xname, chap.name, 4936 h->ident, sp->scp[IDX_CHAP].rconfid); 4937 } 4938 if_statinc(ifp, if_ierrors); 4939 break; 4940 } 4941 4942 if (sp->chap.digest_len == 0) { 4943 if (debug) { 4944 log(LOG_DEBUG, 4945 "%s: receive CHAP failure without challenge\n", 4946 ifp->if_xname); 4947 } 4948 if_statinc(ifp, if_ierrors); 4949 break; 4950 } 4951 4952 x = splnet(); 4953 sp->pp_auth_failures++; 4954 splx(x); 4955 if (debug) { 4956 log(LOG_INFO, "%s: chap failure", 4957 ifp->if_xname); 4958 if (len > 4) { 4959 addlog(": "); 4960 sppp_print_string((char *)(h + 1), len - 4); 4961 } 4962 addlog("\n"); 4963 } else 4964 log(LOG_INFO, "%s: chap failure\n", 4965 ifp->if_xname); 4966 4967 memset(sp->chap.digest, 0, sizeof(sp->chap.digest)); 4968 sp->chap.digest_len = 0; 4969 /* 4970 * await LCP shutdown by authenticator, 4971 * so we don't have to enqueue sc->scp[IDX_CHAP].work_rcn 4972 */ 4973 break; 4974 4975 /* response is my authproto */ 4976 case CHAP_RESPONSE: 4977 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4978 /* can't do anything useful */ 4979 printf("%s: chap response" 4980 " without his name and his secret being set\n", 4981 ifp->if_xname); 4982 break; 4983 } 4984 value = 1 + (u_char *)(h + 1); 4985 value_len = value[-1]; 4986 name = value + value_len; 4987 name_len = len - value_len - 5; 4988 if (name_len < 0) { 4989 if (debug) { 4990 authname = sppp_auth_type_name(abuf, 4991 sizeof(abuf), PPP_CHAP, h->type); 4992 log(LOG_DEBUG, 4993 "%s: chap corrupted response " 4994 "<%s id=0x%x len=%d", 4995 ifp->if_xname, authname, 4996 h->ident, ntohs(h->len)); 4997 if (len > 4) 4998 sppp_print_bytes((u_char *)(h + 1), 4999 len - 4); 5000 addlog(">\n"); 5001 } 5002 break; 5003 } 5004 if (h->ident != sp->scp[IDX_CHAP].confid) { 5005 if (debug) 5006 log(LOG_DEBUG, 5007 "%s: chap dropping response for old ID " 5008 "(got %d, expected %d)\n", 5009 ifp->if_xname, 5010 h->ident, sp->scp[IDX_CHAP].confid); 5011 break; 5012 } else { 5013 sp->scp[IDX_CHAP].rconfid = h->ident; 5014 } 5015 5016 if (sp->hisauth.name != NULL && 5017 (name_len != sp->hisauth.name_len 5018 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 5019 log(LOG_INFO, "%s: chap response, his name ", 5020 ifp->if_xname); 5021 sppp_print_string(name, name_len); 5022 addlog(" != expected "); 5023 sppp_print_string(sp->hisauth.name, 5024 sp->hisauth.name_len); 5025 addlog("\n"); 5026 5027 /* generate RCR- event */ 5028 sp->scp[IDX_CHAP].rcr_type = CP_RCR_NAK; 5029 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rcr); 5030 break; 5031 } 5032 5033 if (debug) { 5034 authname = sppp_auth_type_name(abuf, 5035 sizeof(abuf), PPP_CHAP, h->type); 5036 log(LOG_DEBUG, "%s: chap input(%s) " 5037 "<%s id=0x%x len=%d name=", 5038 ifp->if_xname, 5039 sppp_state_name(sp->scp[IDX_CHAP].state), 5040 authname, h->ident, ntohs(h->len)); 5041 sppp_print_string((char *)name, name_len); 5042 addlog(" value-size=%d value=", value_len); 5043 sppp_print_bytes(value, value_len); 5044 addlog(">\n"); 5045 } 5046 5047 if (value_len == sizeof(sp->chap.challenge) && 5048 value_len == sizeof(sp->chap.digest)) { 5049 MD5Init(&ctx); 5050 MD5Update(&ctx, &h->ident, 1); 5051 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 5052 MD5Update(&ctx, sp->chap.challenge, sizeof(sp->chap.challenge)); 5053 MD5Final(digest, &ctx); 5054 5055 if (memcmp(digest, value, value_len) == 0) { 5056 sp->scp[IDX_CHAP].rcr_type = CP_RCR_ACK; 5057 } else { 5058 sp->scp[IDX_CHAP].rcr_type = CP_RCR_NAK; 5059 } 5060 } else { 5061 if (debug) 5062 log(LOG_DEBUG, 5063 "%s: chap bad hash value length: " 5064 "%d bytes, should be %zu\n", 5065 ifp->if_xname, value_len, 5066 sizeof(sp->chap.challenge)); 5067 5068 sp->scp[IDX_CHAP].rcr_type = CP_RCR_NAK; 5069 } 5070 5071 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rcr); 5072 5073 /* generate a dummy RCA event */ 5074 if (sp->scp[IDX_CHAP].rcr_type == CP_RCR_ACK && 5075 (!ISSET(sppp_auth_role(&chap, sp), SPPP_AUTH_PEER) || 5076 sp->chap.rechallenging)) { 5077 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rca); 5078 } 5079 break; 5080 5081 default: 5082 /* Unknown CHAP packet type -- ignore. */ 5083 if (debug) { 5084 log(LOG_DEBUG, "%s: chap unknown input(%s) " 5085 "<0x%x id=0x%xh len=%d", 5086 ifp->if_xname, 5087 sppp_state_name(sp->scp[IDX_CHAP].state), 5088 h->type, h->ident, ntohs(h->len)); 5089 if (len > 4) 5090 sppp_print_bytes((u_char *)(h + 1), len - 4); 5091 addlog(">\n"); 5092 } 5093 break; 5094 5095 } 5096 5097 SPPP_UNLOCK(sp); 5098 } 5099 5100 static void 5101 sppp_chap_init(struct sppp *sp) 5102 { 5103 5104 KASSERT(SPPP_WLOCKED(sp)); 5105 5106 sppp_cp_init(&chap, sp); 5107 5108 SPPP_WQ_SET(&sp->chap.work_challenge_rcvd, 5109 sppp_chap_rcv_challenge_event, &chap); 5110 } 5111 5112 static void 5113 sppp_chap_open(struct sppp *sp, void *xcp) 5114 { 5115 5116 KASSERT(SPPP_WLOCKED(sp)); 5117 5118 memset(sp->chap.digest, 0, sizeof(sp->chap.digest)); 5119 sp->chap.digest_len = 0; 5120 sp->chap.rechallenging = false; 5121 sp->chap.response_rcvd = false; 5122 sppp_open_event(sp, xcp); 5123 } 5124 5125 static void 5126 sppp_chap_tlu(struct sppp *sp) 5127 { 5128 STDDCL; 5129 int i, x; 5130 5131 KASSERT(SPPP_WLOCKED(sp)); 5132 5133 i = 0; 5134 sp->scp[IDX_CHAP].rst_counter = sp->lcp.max_configure; 5135 x = splnet(); 5136 sp->pp_auth_failures = 0; 5137 splx(x); 5138 5139 log(LOG_DEBUG, "%s: chap %s", ifp->if_xname, 5140 sp->pp_phase == SPPP_PHASE_NETWORK ? "reconfirmed" : "tlu"); 5141 5142 /* 5143 * Some broken CHAP implementations (Conware CoNet, firmware 5144 * 4.0.?) don't want to re-authenticate their CHAP once the 5145 * initial challenge-response exchange has taken place. 5146 * Provide for an option to avoid rechallenges. 5147 */ 5148 if (ISSET(sppp_auth_role(&chap, sp), SPPP_AUTH_SERV) && 5149 (sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 5150 /* 5151 * Compute the re-challenge timeout. This will yield 5152 * a number between 300 and 810 seconds. 5153 */ 5154 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7); 5155 callout_schedule(&sp->scp[IDX_CHAP].ch, i * hz); 5156 5157 if (debug) { 5158 addlog(", next rechallenge in %d seconds", i); 5159 } 5160 } 5161 5162 addlog("\n"); 5163 5164 /* 5165 * If we are already in phase network, we are done here. This 5166 * is the case if this is a dummy tlu event after a re-challenge. 5167 */ 5168 if (sp->pp_phase != SPPP_PHASE_NETWORK) 5169 sppp_phase_network(sp); 5170 } 5171 5172 static void 5173 sppp_chap_scr(struct sppp *sp) 5174 { 5175 uint32_t *ch; 5176 u_char clen, dsize; 5177 int role; 5178 5179 KASSERT(SPPP_WLOCKED(sp)); 5180 5181 role = sppp_auth_role(&chap, sp); 5182 5183 if (ISSET(role, SPPP_AUTH_SERV) && 5184 !sp->chap.response_rcvd) { 5185 /* we are authenticator for CHAP, send challenge */ 5186 ch = (uint32_t *)sp->chap.challenge; 5187 clen = sizeof(sp->chap.challenge); 5188 /* Compute random challenge. */ 5189 cprng_strong(kern_cprng, ch, clen, 0); 5190 5191 sp->scp[IDX_CHAP].confid = ++sp->scp[IDX_CHAP].seq; 5192 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->scp[IDX_CHAP].confid, 5193 sizeof(clen), (const char *)&clen, 5194 sizeof(sp->chap.challenge), sp->chap.challenge, 5195 0); 5196 } 5197 5198 if (ISSET(role, SPPP_AUTH_PEER) && 5199 sp->chap.digest_len > 0) { 5200 /* we are peer for CHAP, send response */ 5201 dsize = sp->chap.digest_len; 5202 5203 sppp_auth_send(&chap, sp, CHAP_RESPONSE, sp->scp[IDX_CHAP].rconfid, 5204 sizeof(dsize), (const char *)&dsize, 5205 sp->chap.digest_len, sp->chap.digest, 5206 sp->myauth.name_len, sp->myauth.name, 0); 5207 } 5208 } 5209 5210 static void 5211 sppp_chap_rcv_challenge_event(struct sppp *sp, void *xcp) 5212 { 5213 const struct cp *cp = xcp; 5214 5215 KASSERT(!cpu_softintr_p()); 5216 5217 sp->chap.rechallenging = false; 5218 5219 switch (sp->scp[IDX_CHAP].state) { 5220 case STATE_REQ_SENT: 5221 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 5222 cp->scr(sp); 5223 break; 5224 case STATE_OPENED: 5225 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 5226 cp->scr(sp); 5227 break; 5228 } 5229 } 5230 5231 /* 5232 *--------------------------------------------------------------------------* 5233 * * 5234 * The PAP implementation. * 5235 * * 5236 *--------------------------------------------------------------------------* 5237 */ 5238 /* 5239 * PAP uses following actions and events. 5240 * Actions: 5241 * - scr: send PAP_REQ 5242 * - sca: send PAP_ACK 5243 * - scn: send PAP_NAK 5244 * Events: 5245 * - RCR+: receive PAP_REQ containing correct username and password 5246 * - RCR-: receive PAP_REQ containing wrong username and password 5247 * - RCA: receive PAP_ACK 5248 * - RCN: (this event is unused) 5249 * - TO+: re-send PAP_REQ 5250 * - TO-: this layer finish 5251 */ 5252 5253 /* 5254 * Handle incoming PAP packets. */ 5255 static void 5256 sppp_pap_input(struct sppp *sp, struct mbuf *m) 5257 { 5258 STDDCL; 5259 struct lcp_header *h; 5260 int len, x; 5261 char *name, *secret; 5262 int name_len, secret_len; 5263 char abuf[SPPP_AUTHTYPE_NAMELEN]; 5264 const char *authname; 5265 5266 /* 5267 * Malicious input might leave this uninitialized, so 5268 * init to an impossible value. 5269 */ 5270 secret_len = -1; 5271 5272 len = m->m_pkthdr.len; 5273 if (len < 5) { 5274 if (debug) 5275 log(LOG_DEBUG, 5276 "%s: pap invalid packet length: %d bytes\n", 5277 ifp->if_xname, len); 5278 return; 5279 } 5280 h = mtod(m, struct lcp_header *); 5281 if (len > ntohs(h->len)) 5282 len = ntohs(h->len); 5283 5284 SPPP_LOCK(sp, RW_WRITER); 5285 5286 switch (h->type) { 5287 /* PAP request is my authproto */ 5288 case PAP_REQ: 5289 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 5290 /* can't do anything useful */ 5291 printf("%s: pap request" 5292 " without his name and his secret being set\n", 5293 ifp->if_xname); 5294 break; 5295 } 5296 name = 1 + (u_char *)(h + 1); 5297 name_len = name[-1]; 5298 secret = name + name_len + 1; 5299 if (name_len > len - 6 || 5300 (secret_len = secret[-1]) > len - 6 - name_len) { 5301 if (debug) { 5302 authname = sppp_auth_type_name(abuf, 5303 sizeof(abuf), PPP_PAP, h->type); 5304 log(LOG_DEBUG, "%s: pap corrupted input " 5305 "<%s id=0x%x len=%d", 5306 ifp->if_xname, authname, 5307 h->ident, ntohs(h->len)); 5308 if (len > 4) 5309 sppp_print_bytes((u_char *)(h + 1), 5310 len - 4); 5311 addlog(">\n"); 5312 } 5313 break; 5314 } 5315 if (debug) { 5316 authname = sppp_auth_type_name(abuf, 5317 sizeof(abuf), PPP_PAP, h->type); 5318 log(LOG_DEBUG, "%s: pap input(%s) " 5319 "<%s id=0x%x len=%d name=", 5320 ifp->if_xname, 5321 sppp_state_name(sp->scp[IDX_PAP].state), 5322 authname, h->ident, ntohs(h->len)); 5323 sppp_print_string((char *)name, name_len); 5324 addlog(" secret="); 5325 sppp_print_string((char *)secret, secret_len); 5326 addlog(">\n"); 5327 } 5328 5329 sp->scp[IDX_PAP].rconfid = h->ident; 5330 5331 if (name_len == sp->hisauth.name_len && 5332 memcmp(name, sp->hisauth.name, name_len) == 0 && 5333 secret_len == sp->hisauth.secret_len && 5334 memcmp(secret, sp->hisauth.secret, secret_len) == 0) { 5335 sp->scp[IDX_PAP].rcr_type = CP_RCR_ACK; 5336 } else { 5337 sp->scp[IDX_PAP].rcr_type = CP_RCR_NAK; 5338 } 5339 5340 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_rcr); 5341 5342 /* generate a dummy RCA event */ 5343 if (sp->scp[IDX_PAP].rcr_type == CP_RCR_ACK && 5344 !ISSET(sppp_auth_role(&pap, sp), SPPP_AUTH_PEER)) { 5345 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_rca); 5346 } 5347 break; 5348 5349 /* ack and nak are his authproto */ 5350 case PAP_ACK: 5351 if (debug) { 5352 log(LOG_DEBUG, "%s: pap success", 5353 ifp->if_xname); 5354 name = 1 + (u_char *)(h + 1); 5355 name_len = name[-1]; 5356 if (len > 5 && name_len < len+4) { 5357 addlog(": "); 5358 sppp_print_string(name, name_len); 5359 } 5360 addlog("\n"); 5361 } 5362 5363 if (h->ident != sp->scp[IDX_PAP].confid) { 5364 if (debug) { 5365 log(LOG_DEBUG, "%s: %s id mismatch 0x%x != 0x%x\n", 5366 ifp->if_xname, pap.name, 5367 h->ident, sp->scp[IDX_PAP].rconfid); 5368 } 5369 if_statinc(ifp, if_ierrors); 5370 break; 5371 } 5372 5373 x = splnet(); 5374 sp->pp_auth_failures = 0; 5375 sp->pp_flags &= ~PP_NEEDAUTH; 5376 splx(x); 5377 5378 /* we are not authenticator, generate a dummy RCR+ event */ 5379 if (!ISSET(sppp_auth_role(&pap, sp), SPPP_AUTH_SERV)) { 5380 sp->scp[IDX_PAP].rcr_type = CP_RCR_ACK; 5381 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_rcr); 5382 } 5383 5384 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_rca); 5385 break; 5386 5387 case PAP_NAK: 5388 if (debug) { 5389 log(LOG_INFO, "%s: pap failure", 5390 ifp->if_xname); 5391 name = 1 + (u_char *)(h + 1); 5392 name_len = name[-1]; 5393 if (len > 5 && name_len < len+4) { 5394 addlog(": "); 5395 sppp_print_string(name, name_len); 5396 } 5397 addlog("\n"); 5398 } else 5399 log(LOG_INFO, "%s: pap failure\n", 5400 ifp->if_xname); 5401 5402 if (h->ident != sp->scp[IDX_PAP].confid) { 5403 if (debug) { 5404 log(LOG_DEBUG, "%s: %s id mismatch 0x%x != 0x%x\n", 5405 ifp->if_xname, pap.name, 5406 h->ident, sp->scp[IDX_PAP].rconfid); 5407 } 5408 if_statinc(ifp, if_ierrors); 5409 break; 5410 } 5411 5412 sp->pp_auth_failures++; 5413 /* 5414 * await LCP shutdown by authenticator, 5415 * so we don't have to enqueue sc->scp[IDX_PAP].work_rcn 5416 */ 5417 break; 5418 5419 default: 5420 /* Unknown PAP packet type -- ignore. */ 5421 if (debug) { 5422 log(LOG_DEBUG, "%s: pap corrupted input " 5423 "<0x%x id=0x%x len=%d", 5424 ifp->if_xname, 5425 h->type, h->ident, ntohs(h->len)); 5426 if (len > 4) 5427 sppp_print_bytes((u_char *)(h + 1), len - 4); 5428 addlog(">\n"); 5429 } 5430 break; 5431 } 5432 5433 SPPP_UNLOCK(sp); 5434 } 5435 5436 static void 5437 sppp_pap_init(struct sppp *sp) 5438 { 5439 5440 KASSERT(SPPP_WLOCKED(sp)); 5441 sppp_cp_init(&pap, sp); 5442 } 5443 5444 static void 5445 sppp_pap_tlu(struct sppp *sp) 5446 { 5447 STDDCL; 5448 int x; 5449 5450 sp->scp[IDX_PAP].rst_counter = sp->lcp.max_configure; 5451 5452 if (debug) 5453 log(LOG_DEBUG, "%s: %s tlu\n", 5454 ifp->if_xname, pap.name); 5455 5456 x = splnet(); 5457 sp->pp_auth_failures = 0; 5458 splx(x); 5459 5460 if (sp->pp_phase < SPPP_PHASE_NETWORK) 5461 sppp_phase_network(sp); 5462 } 5463 5464 static void 5465 sppp_pap_scr(struct sppp *sp) 5466 { 5467 u_char idlen, pwdlen; 5468 5469 KASSERT(SPPP_WLOCKED(sp)); 5470 5471 if (ISSET(sppp_auth_role(&pap, sp), SPPP_AUTH_PEER) && 5472 sp->scp[IDX_PAP].state != STATE_ACK_RCVD) { 5473 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 5474 log(LOG_DEBUG, "%s: couldn't send PAP_REQ " 5475 "because of no name or no secret\n", 5476 sp->pp_if.if_xname); 5477 } else { 5478 sp->scp[IDX_PAP].confid = ++sp->scp[IDX_PAP].seq; 5479 pwdlen = sp->myauth.secret_len; 5480 idlen = sp->myauth.name_len; 5481 5482 sppp_auth_send(&pap, sp, PAP_REQ, sp->scp[IDX_PAP].confid, 5483 sizeof idlen, (const char *)&idlen, 5484 idlen, sp->myauth.name, 5485 sizeof pwdlen, (const char *)&pwdlen, 5486 pwdlen, sp->myauth.secret, 5487 0); 5488 } 5489 } 5490 } 5491 5492 /* 5493 * Random miscellaneous functions. 5494 */ 5495 5496 /* 5497 * Send a PAP or CHAP proto packet. 5498 * 5499 * Varadic function, each of the elements for the ellipsis is of type 5500 * ``size_t mlen, const u_char *msg''. Processing will stop iff 5501 * mlen == 0. 5502 * NOTE: never declare variadic functions with types subject to type 5503 * promotion (i.e. u_char). This is asking for big trouble depending 5504 * on the architecture you are on... 5505 */ 5506 5507 static void 5508 sppp_auth_send(const struct cp *cp, struct sppp *sp, 5509 unsigned int type, unsigned int id, 5510 ...) 5511 { 5512 STDDCL; 5513 struct lcp_header *lh; 5514 struct mbuf *m; 5515 u_char *p; 5516 int len; 5517 size_t pkthdrlen; 5518 unsigned int mlen; 5519 const char *msg; 5520 va_list ap; 5521 5522 KASSERT(SPPP_WLOCKED(sp)); 5523 5524 MGETHDR(m, M_DONTWAIT, MT_DATA); 5525 if (! m) 5526 return; 5527 m_reset_rcvif(m); 5528 5529 if (sp->pp_flags & PP_NOFRAMING) { 5530 *mtod(m, uint16_t *) = htons(cp->proto); 5531 pkthdrlen = 2; 5532 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 5533 } else { 5534 struct ppp_header *h; 5535 h = mtod(m, struct ppp_header *); 5536 h->address = PPP_ALLSTATIONS; /* broadcast address */ 5537 h->control = PPP_UI; /* Unnumbered Info */ 5538 h->protocol = htons(cp->proto); 5539 pkthdrlen = PPP_HEADER_LEN; 5540 5541 lh = (struct lcp_header *)(h + 1); 5542 } 5543 5544 lh->type = type; 5545 lh->ident = id; 5546 p = (u_char *)(lh + 1); 5547 5548 va_start(ap, id); 5549 len = 0; 5550 5551 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 5552 msg = va_arg(ap, const char *); 5553 len += mlen; 5554 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 5555 va_end(ap); 5556 m_freem(m); 5557 return; 5558 } 5559 5560 memcpy(p, msg, mlen); 5561 p += mlen; 5562 } 5563 va_end(ap); 5564 5565 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 5566 lh->len = htons(LCP_HEADER_LEN + len); 5567 5568 if (debug) { 5569 char abuf[SPPP_AUTHTYPE_NAMELEN]; 5570 const char *authname; 5571 5572 authname = sppp_auth_type_name(abuf, 5573 sizeof(abuf), cp->proto, lh->type); 5574 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 5575 ifp->if_xname, cp->name, authname, 5576 lh->ident, ntohs(lh->len)); 5577 if (len) 5578 sppp_print_bytes((u_char *)(lh + 1), len); 5579 addlog(">\n"); 5580 } 5581 if (IF_QFULL(&sp->pp_cpq)) { 5582 IF_DROP(&sp->pp_fastq); 5583 IF_DROP(&ifp->if_snd); 5584 m_freem(m); 5585 if_statinc(ifp, if_oerrors); 5586 return; 5587 } 5588 5589 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 5590 IF_ENQUEUE(&sp->pp_cpq, m); 5591 5592 if (! (ifp->if_flags & IFF_OACTIVE)) { 5593 SPPP_UNLOCK(sp); 5594 if_start_lock(ifp); 5595 SPPP_LOCK(sp, RW_WRITER); 5596 } 5597 } 5598 5599 static int 5600 sppp_auth_role(const struct cp *cp, struct sppp *sp) 5601 { 5602 int role; 5603 5604 role = SPPP_AUTH_NOROLE; 5605 5606 if (sp->hisauth.proto == cp->proto && 5607 ISSET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO)) 5608 SET(role, SPPP_AUTH_SERV); 5609 5610 if (sp->myauth.proto == cp->proto) 5611 SET(role, SPPP_AUTH_PEER); 5612 5613 return role; 5614 } 5615 5616 static void 5617 sppp_auth_to_event(struct sppp *sp, void *xcp) 5618 { 5619 const struct cp *cp = xcp; 5620 bool override; 5621 int state; 5622 STDDCL; 5623 5624 KASSERT(SPPP_WLOCKED(sp)); 5625 KASSERT(!cpu_softintr_p()); 5626 5627 override = false; 5628 state = sp->scp[cp->protoidx].state; 5629 5630 if (sp->scp[cp->protoidx].rst_counter > 0) { 5631 /* override TO+ event */ 5632 switch (state) { 5633 case STATE_OPENED: 5634 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 5635 override = true; 5636 sp->chap.rechallenging = true; 5637 sp->chap.response_rcvd = false; 5638 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 5639 cp->scr(sp); 5640 } 5641 break; 5642 5643 case STATE_ACK_RCVD: 5644 override = true; 5645 cp->scr(sp); 5646 callout_schedule(&sp->scp[cp->protoidx].ch, sp->lcp.timeout); 5647 break; 5648 } 5649 } 5650 5651 if (override) { 5652 if (debug) 5653 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 5654 ifp->if_xname, cp->name, 5655 sppp_state_name(state), 5656 sp->scp[cp->protoidx].rst_counter); 5657 sp->scp[cp->protoidx].rst_counter--; 5658 } else { 5659 sppp_to_event(sp, xcp); 5660 } 5661 } 5662 5663 static void 5664 sppp_auth_screply(const struct cp *cp, struct sppp *sp, u_char ctype, 5665 uint8_t ident, size_t _mlen __unused, void *_msg __unused) 5666 { 5667 static const char *succmsg = "Welcome!"; 5668 static const char *failmsg = "Failed..."; 5669 const char *msg; 5670 u_char type, mlen; 5671 5672 KASSERT(SPPP_WLOCKED(sp)); 5673 5674 if (!ISSET(sppp_auth_role(cp, sp), SPPP_AUTH_SERV)) 5675 return; 5676 5677 if (ctype == CONF_ACK) { 5678 type = cp->proto == PPP_CHAP ? CHAP_SUCCESS : PAP_ACK; 5679 msg = succmsg; 5680 mlen = sizeof(succmsg) - 1; 5681 5682 sp->pp_auth_failures = 0; 5683 } else { 5684 type = cp->proto == PPP_CHAP ? CHAP_FAILURE : PAP_NAK; 5685 msg = failmsg; 5686 mlen = sizeof(failmsg) - 1; 5687 5688 /* shutdown LCP if auth failed */ 5689 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 5690 sp->pp_auth_failures++; 5691 } 5692 5693 sppp_auth_send(cp, sp, type, ident, mlen, (const u_char *)msg, 0); 5694 } 5695 5696 /* 5697 * Send keepalive packets, every 10 seconds. 5698 */ 5699 static void 5700 sppp_keepalive(void *dummy) 5701 { 5702 struct sppp *sp; 5703 int s; 5704 time_t now; 5705 5706 SPPPQ_LOCK(); 5707 5708 s = splnet(); 5709 now = time_uptime; 5710 for (sp=spppq; sp; sp=sp->pp_next) { 5711 struct ifnet *ifp = NULL; 5712 5713 SPPP_LOCK(sp, RW_WRITER); 5714 ifp = &sp->pp_if; 5715 5716 /* check idle timeout */ 5717 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 5718 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 5719 /* idle timeout is enabled for this interface */ 5720 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 5721 if (ifp->if_flags & IFF_DEBUG) 5722 printf("%s: no activity for %lu seconds\n", 5723 sp->pp_if.if_xname, 5724 (unsigned long)(now-sp->pp_last_activity)); 5725 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 5726 SPPP_UNLOCK(sp); 5727 continue; 5728 } 5729 } 5730 5731 /* Keepalive mode disabled or channel down? */ 5732 if (! (sp->pp_flags & PP_KEEPALIVE) || 5733 ! (ifp->if_flags & IFF_RUNNING)) { 5734 SPPP_UNLOCK(sp); 5735 continue; 5736 } 5737 5738 /* No keepalive in PPP mode if LCP not opened yet. */ 5739 if (! (sp->pp_flags & PP_CISCO) && 5740 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) { 5741 SPPP_UNLOCK(sp); 5742 continue; 5743 } 5744 5745 /* No echo reply, but maybe user data passed through? */ 5746 if (sp->pp_max_noreceive != 0 && 5747 (now - sp->pp_last_receive) < sp->pp_max_noreceive) { 5748 sp->pp_alivecnt = 0; 5749 SPPP_UNLOCK(sp); 5750 continue; 5751 } 5752 5753 /* No echo request */ 5754 if (sp->pp_alive_interval == 0) { 5755 SPPP_UNLOCK(sp); 5756 continue; 5757 } 5758 5759 /* send a ECHO_REQ once in sp->pp_alive_interval times */ 5760 if ((sppp_keepalive_cnt % sp->pp_alive_interval) != 0) { 5761 SPPP_UNLOCK(sp); 5762 continue; 5763 } 5764 5765 if (sp->pp_alivecnt >= sp->pp_maxalive) { 5766 /* No keepalive packets got. Stop the interface. */ 5767 if (sp->pp_flags & PP_KEEPALIVE_IFDOWN) 5768 sppp_wq_add(sp->wq_cp, &sp->work_ifdown); 5769 5770 if (! (sp->pp_flags & PP_CISCO)) { 5771 printf("%s: LCP keepalive timed out, going to restart the connection\n", 5772 ifp->if_xname); 5773 sp->pp_alivecnt = 0; 5774 5775 /* we are down, close all open protocols */ 5776 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 5777 5778 /* And now prepare LCP to reestablish the link, if configured to do so. */ 5779 sp->lcp.reestablish = true; 5780 5781 SPPP_UNLOCK(sp); 5782 continue; 5783 } 5784 } 5785 if (sp->pp_alivecnt < sp->pp_maxalive) 5786 ++sp->pp_alivecnt; 5787 if (sp->pp_flags & PP_CISCO) 5788 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 5789 ++sp->scp[IDX_LCP].seq, sp->scp[IDX_LCP].rseq); 5790 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 5791 int32_t nmagic = htonl(sp->lcp.magic); 5792 sp->lcp.echoid = ++sp->scp[IDX_LCP].seq; 5793 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 5794 sp->lcp.echoid, 4, &nmagic); 5795 } 5796 5797 SPPP_UNLOCK(sp); 5798 } 5799 splx(s); 5800 sppp_keepalive_cnt++; 5801 callout_reset(&keepalive_ch, hz * SPPP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 5802 5803 SPPPQ_UNLOCK(); 5804 } 5805 5806 #ifdef INET 5807 /* 5808 * Get both IP addresses. 5809 */ 5810 static void 5811 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 5812 { 5813 struct ifnet *ifp = &sp->pp_if; 5814 struct ifaddr *ifa; 5815 struct sockaddr_in *si, *sm; 5816 uint32_t ssrc, ddst; 5817 int s; 5818 struct psref psref; 5819 5820 sm = NULL; 5821 ssrc = ddst = 0; 5822 /* 5823 * Pick the first AF_INET address from the list, 5824 * aliases don't make any sense on a p2p link anyway. 5825 */ 5826 si = 0; 5827 s = pserialize_read_enter(); 5828 IFADDR_READER_FOREACH(ifa, ifp) { 5829 if (ifa->ifa_addr->sa_family == AF_INET) { 5830 si = (struct sockaddr_in *)ifa->ifa_addr; 5831 sm = (struct sockaddr_in *)ifa->ifa_netmask; 5832 if (si) { 5833 ifa_acquire(ifa, &psref); 5834 break; 5835 } 5836 } 5837 } 5838 pserialize_read_exit(s); 5839 if (ifa) { 5840 if (si && si->sin_addr.s_addr) { 5841 ssrc = si->sin_addr.s_addr; 5842 if (srcmask) 5843 *srcmask = ntohl(sm->sin_addr.s_addr); 5844 } 5845 5846 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 5847 if (si && si->sin_addr.s_addr) 5848 ddst = si->sin_addr.s_addr; 5849 ifa_release(ifa, &psref); 5850 } 5851 5852 if (dst) *dst = ntohl(ddst); 5853 if (src) *src = ntohl(ssrc); 5854 } 5855 5856 /* 5857 * Set IP addresses. Must be called at splnet. 5858 * If an address is 0, leave it the way it is. 5859 */ 5860 static void 5861 sppp_set_ip_addrs(struct sppp *sp) 5862 { 5863 STDDCL; 5864 struct ifaddr *ifa; 5865 struct sockaddr_in *si, *dest; 5866 uint32_t myaddr = 0, hisaddr = 0; 5867 int s; 5868 5869 KASSERT(SPPP_WLOCKED(sp)); 5870 SPPP_UNLOCK(sp); 5871 IFNET_LOCK(ifp); 5872 SPPP_LOCK(sp, RW_WRITER); 5873 5874 /* 5875 * Pick the first AF_INET address from the list, 5876 * aliases don't make any sense on a p2p link anyway. 5877 */ 5878 si = dest = NULL; 5879 s = pserialize_read_enter(); 5880 IFADDR_READER_FOREACH(ifa, ifp) { 5881 if (ifa->ifa_addr->sa_family == AF_INET) { 5882 si = (struct sockaddr_in *)ifa->ifa_addr; 5883 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5884 break; 5885 } 5886 } 5887 pserialize_read_exit(s); 5888 5889 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 5890 myaddr = sp->ipcp.req_myaddr; 5891 else if (si != NULL) 5892 myaddr = ntohl(si->sin_addr.s_addr); 5893 5894 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 5895 hisaddr = sp->ipcp.req_hisaddr; 5896 else if (dest != NULL) 5897 hisaddr = ntohl(dest->sin_addr.s_addr); 5898 5899 if (si != NULL && dest != NULL) { 5900 int error; 5901 struct sockaddr_in new_sin = *si; 5902 struct sockaddr_in new_dst = *dest; 5903 5904 if (myaddr != 0) 5905 new_sin.sin_addr.s_addr = htonl(myaddr); 5906 if (hisaddr != 0) { 5907 new_dst.sin_addr.s_addr = htonl(hisaddr); 5908 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) 5909 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 5910 } 5911 5912 in_addrhash_remove(ifatoia(ifa)); 5913 5914 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5915 5916 in_addrhash_insert(ifatoia(ifa)); 5917 5918 if (debug && error) 5919 { 5920 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5921 ifp->if_xname, __func__, error); 5922 } 5923 if (!error) { 5924 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5925 } 5926 } 5927 5928 IFNET_UNLOCK(ifp); 5929 5930 sppp_notify_con(sp); 5931 } 5932 5933 /* 5934 * Clear IP addresses. Must be called at splnet. 5935 */ 5936 static void 5937 sppp_clear_ip_addrs(struct sppp *sp) 5938 { 5939 STDDCL; 5940 struct ifaddr *ifa; 5941 struct sockaddr_in *si, *dest; 5942 int s; 5943 5944 KASSERT(SPPP_WLOCKED(sp)); 5945 SPPP_UNLOCK(sp); 5946 IFNET_LOCK(ifp); 5947 SPPP_LOCK(sp, RW_WRITER); 5948 5949 /* 5950 * Pick the first AF_INET address from the list, 5951 * aliases don't make any sense on a p2p link anyway. 5952 */ 5953 si = dest = NULL; 5954 s = pserialize_read_enter(); 5955 IFADDR_READER_FOREACH(ifa, ifp) { 5956 if (ifa->ifa_addr->sa_family == AF_INET) { 5957 si = (struct sockaddr_in *)ifa->ifa_addr; 5958 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5959 break; 5960 } 5961 } 5962 pserialize_read_exit(s); 5963 5964 if (si != NULL) { 5965 struct sockaddr_in new_sin = *si; 5966 struct sockaddr_in new_dst = *dest; 5967 int error; 5968 5969 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 5970 new_sin.sin_addr.s_addr = 0; 5971 if (sp->ipcp.flags & IPCP_HISADDR_DYN && 5972 ntohl(sp->ipcp.saved_hisaddr) != 0) 5973 new_dst.sin_addr.s_addr = sp->ipcp.saved_hisaddr; 5974 5975 in_addrhash_remove(ifatoia(ifa)); 5976 5977 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5978 5979 in_addrhash_insert(ifatoia(ifa)); 5980 5981 if (debug && error) 5982 { 5983 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5984 ifp->if_xname, __func__, error); 5985 } 5986 if (!error) { 5987 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5988 } 5989 } 5990 5991 IFNET_UNLOCK(ifp); 5992 } 5993 #endif 5994 5995 #ifdef INET6 5996 /* 5997 * Get both IPv6 addresses. 5998 */ 5999 static void 6000 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 6001 struct in6_addr *srcmask) 6002 { 6003 struct ifnet *ifp = &sp->pp_if; 6004 struct ifaddr *ifa; 6005 struct sockaddr_in6 *si, *sm; 6006 struct in6_addr ssrc, ddst; 6007 int s; 6008 struct psref psref; 6009 6010 sm = NULL; 6011 memset(&ssrc, 0, sizeof(ssrc)); 6012 memset(&ddst, 0, sizeof(ddst)); 6013 /* 6014 * Pick the first link-local AF_INET6 address from the list, 6015 * aliases don't make any sense on a p2p link anyway. 6016 */ 6017 si = 0; 6018 s = pserialize_read_enter(); 6019 IFADDR_READER_FOREACH(ifa, ifp) { 6020 if (ifa->ifa_addr->sa_family == AF_INET6) { 6021 si = (struct sockaddr_in6 *)ifa->ifa_addr; 6022 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 6023 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) { 6024 ifa_acquire(ifa, &psref); 6025 break; 6026 } 6027 } 6028 } 6029 pserialize_read_exit(s); 6030 6031 if (ifa) { 6032 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 6033 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 6034 if (srcmask) { 6035 memcpy(srcmask, &sm->sin6_addr, 6036 sizeof(*srcmask)); 6037 } 6038 } 6039 6040 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 6041 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 6042 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 6043 ifa_release(ifa, &psref); 6044 } 6045 6046 if (dst) 6047 memcpy(dst, &ddst, sizeof(*dst)); 6048 if (src) 6049 memcpy(src, &ssrc, sizeof(*src)); 6050 } 6051 6052 #ifdef IPV6CP_MYIFID_DYN 6053 /* 6054 * Generate random ifid. 6055 */ 6056 static void 6057 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 6058 { 6059 /* TBD */ 6060 } 6061 6062 /* 6063 * Set my IPv6 address. Must be called at splnet. 6064 */ 6065 static void 6066 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 6067 { 6068 STDDCL; 6069 struct ifaddr *ifa; 6070 struct sockaddr_in6 *sin6; 6071 int s; 6072 struct psref psref; 6073 6074 KASSERT(SPPP_WLOCKED(sp)); 6075 SPPP_UNLOCK(sp); 6076 IFNET_LOCK(ifp); 6077 SPPP_LOCK(sp, RW_WRITER); 6078 6079 /* 6080 * Pick the first link-local AF_INET6 address from the list, 6081 * aliases don't make any sense on a p2p link anyway. 6082 */ 6083 6084 sin6 = NULL; 6085 s = pserialize_read_enter(); 6086 IFADDR_READER_FOREACH(ifa, ifp) 6087 { 6088 if (ifa->ifa_addr->sa_family == AF_INET6) 6089 { 6090 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 6091 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) { 6092 ifa_acquire(ifa, &psref); 6093 break; 6094 } 6095 } 6096 } 6097 pserialize_read_exit(s); 6098 6099 if (ifa && sin6) 6100 { 6101 int error; 6102 struct sockaddr_in6 new_sin6 = *sin6; 6103 6104 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 6105 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 6106 if (debug && error) 6107 { 6108 log(LOG_DEBUG, "%s: %s: in6_ifinit failed, error=%d\n", 6109 ifp->if_xname, __func__, error); 6110 } 6111 if (!error) { 6112 pfil_run_addrhooks(if_pfil, SIOCAIFADDR_IN6, ifa); 6113 } 6114 ifa_release(ifa, &psref); 6115 } 6116 6117 IFNET_UNLOCK(ifp); 6118 } 6119 #endif 6120 6121 /* 6122 * Suggest a candidate address to be used by peer. 6123 */ 6124 static void 6125 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 6126 { 6127 struct in6_addr myaddr; 6128 struct timeval tv; 6129 6130 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 6131 6132 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 6133 microtime(&tv); 6134 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 6135 myaddr.s6_addr[14] ^= 0xff; 6136 myaddr.s6_addr[15] ^= 0xff; 6137 } else { 6138 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 6139 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 6140 } 6141 if (suggest) 6142 memcpy(suggest, &myaddr, sizeof(myaddr)); 6143 } 6144 #endif /*INET6*/ 6145 6146 /* 6147 * Process ioctl requests specific to the PPP interface. 6148 * Permissions have already been checked. 6149 */ 6150 static int 6151 sppp_params(struct sppp *sp, u_long cmd, void *data) 6152 { 6153 switch (cmd) { 6154 case SPPPGETAUTHCFG: 6155 { 6156 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 6157 int error; 6158 size_t len; 6159 6160 SPPP_LOCK(sp, RW_READER); 6161 6162 cfg->myauthflags = sp->myauth.flags; 6163 cfg->hisauthflags = sp->hisauth.flags; 6164 strlcpy(cfg->ifname, sp->pp_if.if_xname, sizeof(cfg->ifname)); 6165 cfg->hisauth = sppp_proto2authproto(sp->hisauth.proto); 6166 cfg->myauth = sppp_proto2authproto(sp->myauth.proto); 6167 if (cfg->myname_length == 0) { 6168 if (sp->myauth.name != NULL) 6169 cfg->myname_length = sp->myauth.name_len + 1; 6170 } else { 6171 if (sp->myauth.name == NULL) { 6172 cfg->myname_length = 0; 6173 } else { 6174 len = sp->myauth.name_len + 1; 6175 6176 if (cfg->myname_length < len) { 6177 SPPP_UNLOCK(sp); 6178 return (ENAMETOOLONG); 6179 } 6180 error = copyout(sp->myauth.name, cfg->myname, len); 6181 if (error) { 6182 SPPP_UNLOCK(sp); 6183 return error; 6184 } 6185 } 6186 } 6187 if (cfg->hisname_length == 0) { 6188 if (sp->hisauth.name != NULL) 6189 cfg->hisname_length = sp->hisauth.name_len + 1; 6190 } else { 6191 if (sp->hisauth.name == NULL) { 6192 cfg->hisname_length = 0; 6193 } else { 6194 len = sp->hisauth.name_len + 1; 6195 6196 if (cfg->hisname_length < len) { 6197 SPPP_UNLOCK(sp); 6198 return (ENAMETOOLONG); 6199 } 6200 error = copyout(sp->hisauth.name, cfg->hisname, len); 6201 if (error) { 6202 SPPP_UNLOCK(sp); 6203 return error; 6204 } 6205 } 6206 } 6207 SPPP_UNLOCK(sp); 6208 } 6209 break; 6210 case SPPPSETAUTHCFG: 6211 { 6212 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 6213 int error; 6214 6215 SPPP_LOCK(sp, RW_WRITER); 6216 6217 if (sp->myauth.name) { 6218 free(sp->myauth.name, M_DEVBUF); 6219 sp->myauth.name = NULL; 6220 } 6221 if (sp->myauth.secret) { 6222 free(sp->myauth.secret, M_DEVBUF); 6223 sp->myauth.secret = NULL; 6224 } 6225 if (sp->hisauth.name) { 6226 free(sp->hisauth.name, M_DEVBUF); 6227 sp->hisauth.name = NULL; 6228 } 6229 if (sp->hisauth.secret) { 6230 free(sp->hisauth.secret, M_DEVBUF); 6231 sp->hisauth.secret = NULL; 6232 } 6233 6234 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 6235 if (cfg->hisname_length >= MCLBYTES) { 6236 SPPP_UNLOCK(sp); 6237 return (ENAMETOOLONG); 6238 } 6239 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 6240 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 6241 if (error) { 6242 free(sp->hisauth.name, M_DEVBUF); 6243 sp->hisauth.name = NULL; 6244 SPPP_UNLOCK(sp); 6245 return error; 6246 } 6247 sp->hisauth.name_len = cfg->hisname_length - 1; 6248 sp->hisauth.name[sp->hisauth.name_len] = 0; 6249 } 6250 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 6251 if (cfg->hissecret_length >= MCLBYTES) { 6252 SPPP_UNLOCK(sp); 6253 return (ENAMETOOLONG); 6254 } 6255 sp->hisauth.secret = malloc(cfg->hissecret_length, 6256 M_DEVBUF, M_WAITOK); 6257 error = copyin(cfg->hissecret, sp->hisauth.secret, 6258 cfg->hissecret_length); 6259 if (error) { 6260 free(sp->hisauth.secret, M_DEVBUF); 6261 sp->hisauth.secret = NULL; 6262 SPPP_UNLOCK(sp); 6263 return error; 6264 } 6265 sp->hisauth.secret_len = cfg->hissecret_length - 1; 6266 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 6267 } 6268 if (cfg->myname != NULL && cfg->myname_length > 0) { 6269 if (cfg->myname_length >= MCLBYTES) { 6270 SPPP_UNLOCK(sp); 6271 return (ENAMETOOLONG); 6272 } 6273 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 6274 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 6275 if (error) { 6276 free(sp->myauth.name, M_DEVBUF); 6277 sp->myauth.name = NULL; 6278 SPPP_UNLOCK(sp); 6279 return error; 6280 } 6281 sp->myauth.name_len = cfg->myname_length - 1; 6282 sp->myauth.name[sp->myauth.name_len] = 0; 6283 } 6284 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 6285 if (cfg->mysecret_length >= MCLBYTES) { 6286 SPPP_UNLOCK(sp); 6287 return (ENAMETOOLONG); 6288 } 6289 sp->myauth.secret = malloc(cfg->mysecret_length, 6290 M_DEVBUF, M_WAITOK); 6291 error = copyin(cfg->mysecret, sp->myauth.secret, 6292 cfg->mysecret_length); 6293 if (error) { 6294 free(sp->myauth.secret, M_DEVBUF); 6295 sp->myauth.secret = NULL; 6296 SPPP_UNLOCK(sp); 6297 return error; 6298 } 6299 sp->myauth.secret_len = cfg->mysecret_length - 1; 6300 sp->myauth.secret[sp->myauth.secret_len] = 0; 6301 } 6302 sp->myauth.flags = cfg->myauthflags; 6303 if (cfg->myauth != SPPP_AUTHPROTO_NOCHG) { 6304 sp->myauth.proto = sppp_authproto2proto(cfg->myauth); 6305 } 6306 sp->hisauth.flags = cfg->hisauthflags; 6307 if (cfg->hisauth != SPPP_AUTHPROTO_NOCHG) { 6308 sp->hisauth.proto = sppp_authproto2proto(cfg->hisauth); 6309 } 6310 sp->pp_auth_failures = 0; 6311 if (sp->hisauth.proto != PPP_NOPROTO) 6312 SET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO); 6313 else 6314 CLR(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO); 6315 6316 SPPP_UNLOCK(sp); 6317 } 6318 break; 6319 case SPPPGETLCPCFG: 6320 { 6321 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 6322 6323 SPPP_LOCK(sp, RW_READER); 6324 lcpp->lcp_timeout = sp->lcp.timeout; 6325 SPPP_UNLOCK(sp); 6326 } 6327 break; 6328 case SPPPSETLCPCFG: 6329 { 6330 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 6331 6332 SPPP_LOCK(sp, RW_WRITER); 6333 sp->lcp.timeout = lcpp->lcp_timeout; 6334 SPPP_UNLOCK(sp); 6335 } 6336 break; 6337 case SPPPGETNCPCFG: 6338 { 6339 struct spppncpcfg *ncpp = (struct spppncpcfg *) data; 6340 6341 SPPP_LOCK(sp, RW_READER); 6342 ncpp->ncp_flags = sp->pp_ncpflags; 6343 SPPP_UNLOCK(sp); 6344 } 6345 break; 6346 case SPPPSETNCPCFG: 6347 { 6348 struct spppncpcfg *ncpp = (struct spppncpcfg *) data; 6349 6350 SPPP_LOCK(sp, RW_WRITER); 6351 sp->pp_ncpflags = ncpp->ncp_flags; 6352 SPPP_UNLOCK(sp); 6353 } 6354 break; 6355 case SPPPGETSTATUS: 6356 { 6357 struct spppstatus *status = (struct spppstatus *)data; 6358 6359 SPPP_LOCK(sp, RW_READER); 6360 status->phase = sp->pp_phase; 6361 SPPP_UNLOCK(sp); 6362 } 6363 break; 6364 case SPPPGETSTATUSNCP: 6365 { 6366 struct spppstatusncp *status = (struct spppstatusncp *)data; 6367 6368 SPPP_LOCK(sp, RW_READER); 6369 status->phase = sp->pp_phase; 6370 status->ncpup = sppp_cp_check(sp, CP_NCP); 6371 SPPP_UNLOCK(sp); 6372 } 6373 break; 6374 case SPPPGETIDLETO: 6375 { 6376 struct spppidletimeout *to = (struct spppidletimeout *)data; 6377 6378 SPPP_LOCK(sp, RW_READER); 6379 to->idle_seconds = sp->pp_idle_timeout; 6380 SPPP_UNLOCK(sp); 6381 } 6382 break; 6383 case SPPPSETIDLETO: 6384 { 6385 struct spppidletimeout *to = (struct spppidletimeout *)data; 6386 6387 SPPP_LOCK(sp, RW_WRITER); 6388 sp->pp_idle_timeout = to->idle_seconds; 6389 SPPP_UNLOCK(sp); 6390 } 6391 break; 6392 case SPPPSETAUTHFAILURE: 6393 { 6394 struct spppauthfailuresettings *afsettings = 6395 (struct spppauthfailuresettings *)data; 6396 6397 SPPP_LOCK(sp, RW_WRITER); 6398 sp->pp_max_auth_fail = afsettings->max_failures; 6399 sp->pp_auth_failures = 0; 6400 SPPP_UNLOCK(sp); 6401 } 6402 break; 6403 case SPPPGETAUTHFAILURES: 6404 { 6405 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 6406 6407 SPPP_LOCK(sp, RW_READER); 6408 stats->auth_failures = sp->pp_auth_failures; 6409 stats->max_failures = sp->pp_max_auth_fail; 6410 SPPP_UNLOCK(sp); 6411 } 6412 break; 6413 case SPPPSETDNSOPTS: 6414 { 6415 struct spppdnssettings *req = (struct spppdnssettings *)data; 6416 6417 SPPP_LOCK(sp, RW_WRITER); 6418 sp->query_dns = req->query_dns & 3; 6419 SPPP_UNLOCK(sp); 6420 } 6421 break; 6422 case SPPPGETDNSOPTS: 6423 { 6424 struct spppdnssettings *req = (struct spppdnssettings *)data; 6425 6426 SPPP_LOCK(sp, RW_READER); 6427 req->query_dns = sp->query_dns; 6428 SPPP_UNLOCK(sp); 6429 } 6430 break; 6431 case SPPPGETDNSADDRS: 6432 { 6433 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 6434 6435 SPPP_LOCK(sp, RW_READER); 6436 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 6437 SPPP_UNLOCK(sp); 6438 } 6439 break; 6440 case SPPPGETKEEPALIVE: 6441 { 6442 struct spppkeepalivesettings *settings = 6443 (struct spppkeepalivesettings*)data; 6444 6445 SPPP_LOCK(sp, RW_READER); 6446 settings->maxalive = sp->pp_maxalive; 6447 settings->max_noreceive = sp->pp_max_noreceive; 6448 settings->alive_interval = sp->pp_alive_interval; 6449 SPPP_UNLOCK(sp); 6450 } 6451 break; 6452 case SPPPSETKEEPALIVE: 6453 { 6454 struct spppkeepalivesettings *settings = 6455 (struct spppkeepalivesettings*)data; 6456 6457 SPPP_LOCK(sp, RW_WRITER); 6458 sp->pp_maxalive = settings->maxalive; 6459 sp->pp_max_noreceive = settings->max_noreceive; 6460 sp->pp_alive_interval = settings->alive_interval; 6461 SPPP_UNLOCK(sp); 6462 } 6463 break; 6464 case SPPPGETLCPSTATUS: 6465 { 6466 struct sppplcpstatus *status = 6467 (struct sppplcpstatus *)data; 6468 6469 SPPP_LOCK(sp, RW_READER); 6470 status->state = sp->scp[IDX_LCP].state; 6471 status->opts = sp->lcp.opts; 6472 status->magic = sp->lcp.magic; 6473 status->mru = sp->lcp.mru; 6474 SPPP_UNLOCK(sp); 6475 } 6476 break; 6477 case SPPPGETIPCPSTATUS: 6478 { 6479 struct spppipcpstatus *status = 6480 (struct spppipcpstatus *)data; 6481 u_int32_t myaddr; 6482 6483 SPPP_LOCK(sp, RW_READER); 6484 status->state = sp->scp[IDX_IPCP].state; 6485 status->opts = sp->ipcp.opts; 6486 #ifdef INET 6487 kpreempt_disable(); 6488 sppp_get_ip_addrs(sp, &myaddr, 0, 0); 6489 kpreempt_enable(); 6490 #else 6491 myaddr = 0; 6492 #endif 6493 status->myaddr = ntohl(myaddr); 6494 SPPP_UNLOCK(sp); 6495 } 6496 break; 6497 case SPPPGETIPV6CPSTATUS: 6498 { 6499 struct spppipv6cpstatus *status = 6500 (struct spppipv6cpstatus *)data; 6501 6502 SPPP_LOCK(sp, RW_READER); 6503 status->state = sp->scp[IDX_IPV6CP].state; 6504 memcpy(status->my_ifid, sp->ipv6cp.my_ifid, 6505 sizeof(status->my_ifid)); 6506 memcpy(status->his_ifid, sp->ipv6cp.his_ifid, 6507 sizeof(status->his_ifid)); 6508 SPPP_UNLOCK(sp); 6509 } 6510 break; 6511 default: 6512 { 6513 int ret; 6514 6515 MODULE_HOOK_CALL(sppp_params_50_hook, (sp, cmd, data), 6516 enosys(), ret); 6517 if (ret != ENOSYS) 6518 return ret; 6519 return (EINVAL); 6520 } 6521 } 6522 return (0); 6523 } 6524 6525 static void 6526 sppp_phase_network(struct sppp *sp) 6527 { 6528 int i; 6529 6530 KASSERT(SPPP_WLOCKED(sp)); 6531 6532 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 6533 6534 /* Notify NCPs now. */ 6535 for (i = 0; i < IDX_COUNT; i++) 6536 if ((cps[i])->flags & CP_NCP) 6537 sppp_wq_add(sp->wq_cp, &sp->scp[i].work_open); 6538 } 6539 6540 static const char * 6541 sppp_cp_type_name(char *buf, size_t buflen, u_char type) 6542 { 6543 6544 switch (type) { 6545 case CONF_REQ: return "conf-req"; 6546 case CONF_ACK: return "conf-ack"; 6547 case CONF_NAK: return "conf-nak"; 6548 case CONF_REJ: return "conf-rej"; 6549 case TERM_REQ: return "term-req"; 6550 case TERM_ACK: return "term-ack"; 6551 case CODE_REJ: return "code-rej"; 6552 case PROTO_REJ: return "proto-rej"; 6553 case ECHO_REQ: return "echo-req"; 6554 case ECHO_REPLY: return "echo-reply"; 6555 case DISC_REQ: return "discard-req"; 6556 } 6557 if (buf != NULL) 6558 snprintf(buf, buflen, "0x%02x", type); 6559 return buf; 6560 } 6561 6562 static const char * 6563 sppp_auth_type_name(char *buf, size_t buflen, u_short proto, u_char type) 6564 { 6565 const char *name; 6566 6567 switch (proto) { 6568 case PPP_CHAP: 6569 switch (type) { 6570 case CHAP_CHALLENGE: return "challenge"; 6571 case CHAP_RESPONSE: return "response"; 6572 case CHAP_SUCCESS: return "success"; 6573 case CHAP_FAILURE: return "failure"; 6574 default: name = "chap"; break; 6575 } 6576 break; 6577 6578 case PPP_PAP: 6579 switch (type) { 6580 case PAP_REQ: return "req"; 6581 case PAP_ACK: return "ack"; 6582 case PAP_NAK: return "nak"; 6583 default: name = "pap"; break; 6584 } 6585 break; 6586 6587 default: 6588 name = "bad"; 6589 break; 6590 } 6591 6592 if (buf != NULL) 6593 snprintf(buf, buflen, "%s(%#x) 0x%02x", name, proto, type); 6594 return buf; 6595 } 6596 6597 static const char * 6598 sppp_lcp_opt_name(char *buf, size_t buflen, u_char opt) 6599 { 6600 6601 switch (opt) { 6602 case LCP_OPT_MRU: return "mru"; 6603 case LCP_OPT_ASYNC_MAP: return "async-map"; 6604 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 6605 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 6606 case LCP_OPT_MAGIC: return "magic"; 6607 case LCP_OPT_PROTO_COMP: return "proto-comp"; 6608 case LCP_OPT_ADDR_COMP: return "addr-comp"; 6609 case LCP_OPT_SELF_DESC_PAD: return "sdpad"; 6610 case LCP_OPT_CALL_BACK: return "callback"; 6611 case LCP_OPT_COMPOUND_FRMS: return "cmpd-frms"; 6612 case LCP_OPT_MP_MRRU: return "mrru"; 6613 case LCP_OPT_MP_SSNHF: return "mp-ssnhf"; 6614 case LCP_OPT_MP_EID: return "mp-eid"; 6615 } 6616 if (buf != NULL) 6617 snprintf(buf, buflen, "0x%02x", opt); 6618 return buf; 6619 } 6620 6621 static const char * 6622 sppp_ipcp_opt_name(char *buf, size_t buflen, u_char opt) 6623 { 6624 6625 switch (opt) { 6626 case IPCP_OPT_ADDRESSES: return "addresses"; 6627 case IPCP_OPT_COMPRESSION: return "compression"; 6628 case IPCP_OPT_ADDRESS: return "address"; 6629 case IPCP_OPT_PRIMDNS: return "primdns"; 6630 case IPCP_OPT_SECDNS: return "secdns"; 6631 } 6632 if (buf != NULL) 6633 snprintf(buf, buflen, "0x%02x", opt); 6634 return buf; 6635 } 6636 6637 #ifdef INET6 6638 static const char * 6639 sppp_ipv6cp_opt_name(char *buf, size_t buflen, u_char opt) 6640 { 6641 6642 switch (opt) { 6643 case IPV6CP_OPT_IFID: return "ifid"; 6644 case IPV6CP_OPT_COMPRESSION: return "compression"; 6645 } 6646 if (buf != NULL) 6647 snprintf(buf, buflen, "0x%02x", opt); 6648 return buf; 6649 } 6650 #endif 6651 6652 static const char * 6653 sppp_state_name(int state) 6654 { 6655 6656 switch (state) { 6657 case STATE_INITIAL: return "initial"; 6658 case STATE_STARTING: return "starting"; 6659 case STATE_CLOSED: return "closed"; 6660 case STATE_STOPPED: return "stopped"; 6661 case STATE_CLOSING: return "closing"; 6662 case STATE_STOPPING: return "stopping"; 6663 case STATE_REQ_SENT: return "req-sent"; 6664 case STATE_ACK_RCVD: return "ack-rcvd"; 6665 case STATE_ACK_SENT: return "ack-sent"; 6666 case STATE_OPENED: return "opened"; 6667 } 6668 return "illegal"; 6669 } 6670 6671 static const char * 6672 sppp_phase_name(int phase) 6673 { 6674 6675 switch (phase) { 6676 case SPPP_PHASE_DEAD: return "dead"; 6677 case SPPP_PHASE_ESTABLISH: return "establish"; 6678 case SPPP_PHASE_TERMINATE: return "terminate"; 6679 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 6680 case SPPP_PHASE_NETWORK: return "network"; 6681 } 6682 return "illegal"; 6683 } 6684 6685 static const char * 6686 sppp_proto_name(char *buf, size_t buflen, u_short proto) 6687 { 6688 6689 switch (proto) { 6690 case PPP_LCP: return "lcp"; 6691 case PPP_IPCP: return "ipcp"; 6692 case PPP_PAP: return "pap"; 6693 case PPP_CHAP: return "chap"; 6694 case PPP_IPV6CP: return "ipv6cp"; 6695 } 6696 if (buf != NULL) { 6697 snprintf(buf, sizeof(buf), "0x%04x", 6698 (unsigned)proto); 6699 } 6700 return buf; 6701 } 6702 6703 static void 6704 sppp_print_bytes(const u_char *p, u_short len) 6705 { 6706 addlog(" %02x", *p++); 6707 while (--len > 0) 6708 addlog("-%02x", *p++); 6709 } 6710 6711 static void 6712 sppp_print_string(const char *p, u_short len) 6713 { 6714 u_char c; 6715 6716 while (len-- > 0) { 6717 c = *p++; 6718 /* 6719 * Print only ASCII chars directly. RFC 1994 recommends 6720 * using only them, but we don't rely on it. */ 6721 if (c < ' ' || c > '~') 6722 addlog("\\x%x", c); 6723 else 6724 addlog("%c", c); 6725 } 6726 } 6727 6728 static const char * 6729 sppp_dotted_quad(char *buf, size_t buflen, uint32_t addr) 6730 { 6731 6732 if (buf != NULL) { 6733 snprintf(buf, buflen, "%u.%u.%u.%u", 6734 (unsigned int)((addr >> 24) & 0xff), 6735 (unsigned int)((addr >> 16) & 0xff), 6736 (unsigned int)((addr >> 8) & 0xff), 6737 (unsigned int)(addr & 0xff)); 6738 } 6739 return buf; 6740 } 6741 6742 /* a dummy, used to drop uninteresting events */ 6743 static void 6744 sppp_null(struct sppp *unused) 6745 { 6746 /* do just nothing */ 6747 } 6748 6749 static void 6750 sppp_tls(const struct cp *cp, struct sppp *sp) 6751 { 6752 6753 /* notify lcp that is lower layer */ 6754 sp->lcp.protos |= (1 << cp->protoidx); 6755 6756 if (sp->scp[IDX_LCP].state == STATE_OPENED) 6757 sppp_wq_add(sp->wq_cp, &sp->scp[cp->protoidx].work_up); 6758 } 6759 6760 static void 6761 sppp_tlf(const struct cp *cp, struct sppp *sp) 6762 { 6763 STDDCL; 6764 6765 if (debug) 6766 log(LOG_DEBUG, "%s: %s tlf\n", ifp->if_xname, cp->name); 6767 6768 /* notify lcp that is lower layer */ 6769 sp->lcp.protos &= ~(1 << cp->protoidx); 6770 6771 /* cleanup */ 6772 if (sp->scp[cp->protoidx].mbuf_confreq != NULL) { 6773 m_freem(sp->scp[cp->protoidx].mbuf_confreq); 6774 sp->scp[cp->protoidx].mbuf_confreq = NULL; 6775 } 6776 if (sp->scp[cp->protoidx].mbuf_confnak != NULL) { 6777 m_freem(sp->scp[cp->protoidx].mbuf_confnak); 6778 sp->scp[cp->protoidx].mbuf_confnak = NULL; 6779 } 6780 6781 sppp_lcp_check_and_close(sp); 6782 } 6783 6784 static void 6785 sppp_screply(const struct cp *cp, struct sppp *sp, u_char type, 6786 uint8_t ident, size_t msglen, void *msg) 6787 { 6788 STDDCL; 6789 6790 if (msglen == 0) 6791 return; 6792 6793 switch (type) { 6794 case CONF_ACK: 6795 case CONF_NAK: 6796 case CONF_REJ: 6797 break; 6798 default: 6799 return; 6800 } 6801 6802 if (debug) { 6803 char tbuf[SPPP_CPTYPE_NAMELEN]; 6804 const char *cpname; 6805 6806 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), type); 6807 log(LOG_DEBUG, "%s: send %s\n", ifp->if_xname, cpname); 6808 } 6809 6810 sppp_cp_send(sp, cp->proto, type, ident, msglen, msg); 6811 } 6812 6813 static void 6814 sppp_ifdown(struct sppp *sp, void *xcp __unused) 6815 { 6816 6817 SPPP_UNLOCK(sp); 6818 if_down(&sp->pp_if); 6819 IF_PURGE(&sp->pp_cpq); 6820 SPPP_LOCK(sp, RW_WRITER); 6821 } 6822 6823 static void 6824 sppp_notify_up(struct sppp *sp) 6825 { 6826 6827 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_up); 6828 } 6829 6830 static void 6831 sppp_notify_down(struct sppp *sp) 6832 { 6833 6834 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_down); 6835 } 6836 6837 static void 6838 sppp_notify_tls_wlocked(struct sppp *sp) 6839 { 6840 6841 KASSERT(SPPP_WLOCKED(sp)); 6842 6843 if (!sp->pp_tls) 6844 return; 6845 6846 SPPP_UNLOCK(sp); 6847 sp->pp_tls(sp); 6848 SPPP_LOCK(sp, RW_WRITER); 6849 } 6850 6851 static void 6852 sppp_notify_tlf_wlocked(struct sppp *sp) 6853 { 6854 6855 KASSERT(SPPP_WLOCKED(sp)); 6856 6857 if (!sp->pp_tlf) 6858 return; 6859 6860 SPPP_UNLOCK(sp); 6861 sp->pp_tlf(sp); 6862 SPPP_LOCK(sp, RW_WRITER); 6863 } 6864 6865 static void 6866 sppp_notify_con(struct sppp *sp) 6867 { 6868 6869 if (!sp->pp_con) 6870 return; 6871 6872 sp->pp_con(sp); 6873 } 6874 6875 #ifdef INET6 6876 static void 6877 sppp_notify_con_wlocked(struct sppp *sp) 6878 { 6879 6880 KASSERT(SPPP_WLOCKED(sp)); 6881 6882 SPPP_UNLOCK(sp); 6883 sppp_notify_con(sp); 6884 SPPP_LOCK(sp, RW_WRITER); 6885 6886 } 6887 #endif 6888 6889 static void 6890 sppp_notify_chg_wlocked(struct sppp *sp) 6891 { 6892 6893 KASSERT(SPPP_WLOCKED(sp)); 6894 6895 if (!sp->pp_chg) 6896 return; 6897 6898 SPPP_UNLOCK(sp); 6899 sp->pp_chg(sp, sp->pp_phase); 6900 SPPP_LOCK(sp, RW_WRITER); 6901 } 6902 6903 static void 6904 sppp_wq_work(struct work *wk, void *xsp) 6905 { 6906 struct sppp *sp; 6907 struct sppp_work *work; 6908 6909 sp = xsp; 6910 work = container_of(wk, struct sppp_work, work); 6911 atomic_cas_uint(&work->state, SPPP_WK_BUSY, SPPP_WK_FREE); 6912 6913 SPPP_LOCK(sp, RW_WRITER); 6914 work->func(sp, work->arg); 6915 SPPP_UNLOCK(sp); 6916 } 6917 6918 static struct workqueue * 6919 sppp_wq_create(struct sppp *sp, const char *xnamebuf, pri_t prio, int ipl, int flags) 6920 { 6921 struct workqueue *wq; 6922 int error; 6923 6924 error = workqueue_create(&wq, xnamebuf, sppp_wq_work, 6925 (void *)sp, prio, ipl, flags); 6926 if (error) { 6927 panic("%s: workqueue_create failed [%s, %d]\n", 6928 sp->pp_if.if_xname, xnamebuf, error); 6929 } 6930 6931 return wq; 6932 } 6933 6934 static void 6935 sppp_wq_destroy(struct sppp *sp __unused, struct workqueue *wq) 6936 { 6937 6938 workqueue_destroy(wq); 6939 } 6940 6941 static void 6942 sppp_wq_set(struct sppp_work *work, 6943 void (*func)(struct sppp *, void *), void *arg) 6944 { 6945 6946 work->func = func; 6947 work->arg = arg; 6948 } 6949 6950 static void 6951 sppp_wq_add(struct workqueue *wq, struct sppp_work *work) 6952 { 6953 6954 if (atomic_cas_uint(&work->state, SPPP_WK_FREE, SPPP_WK_BUSY) 6955 != SPPP_WK_FREE) 6956 return; 6957 6958 KASSERT(work->func != NULL); 6959 kpreempt_disable(); 6960 workqueue_enqueue(wq, &work->work, NULL); 6961 kpreempt_enable(); 6962 } 6963 static void 6964 sppp_wq_wait(struct workqueue *wq, struct sppp_work *work) 6965 { 6966 6967 atomic_swap_uint(&work->state, SPPP_WK_UNAVAIL); 6968 workqueue_wait(wq, &work->work); 6969 } 6970 6971 /* 6972 * This file is large. Tell emacs to highlight it nevertheless. 6973 * 6974 * Local Variables: 6975 * hilit-auto-highlight-maxout: 120000 6976 * End: 6977 */ 6978 6979 /* 6980 * Module glue 6981 */ 6982 MODULE(MODULE_CLASS_MISC, sppp_subr, NULL); 6983 6984 static int 6985 sppp_subr_modcmd(modcmd_t cmd, void *arg) 6986 { 6987 6988 switch (cmd) { 6989 case MODULE_CMD_INIT: 6990 case MODULE_CMD_FINI: 6991 return 0; 6992 case MODULE_CMD_STAT: 6993 case MODULE_CMD_AUTOUNLOAD: 6994 default: 6995 return ENOTTY; 6996 } 6997 } 6998
Indexes created Fri Sep 26 20:09:58 GMT 2025