if_spppsubr.c revision 1.250
1 /* $NetBSD: if_spppsubr.c,v 1.250 2021/06/01 04:45:22 yamaguchi Exp $ */ 2 3 /* 4 * Synchronous PPP/Cisco link level subroutines. 5 * Keepalive protocol implemented in both Cisco and PPP modes. 6 * 7 * Copyright (C) 1994-1996 Cronyx Engineering Ltd. 8 * Author: Serge Vakulenko, <vak (at) cronyx.ru> 9 * 10 * Heavily revamped to conform to RFC 1661. 11 * Copyright (C) 1997, Joerg Wunsch. 12 * 13 * RFC2472 IPv6CP support. 14 * Copyright (C) 2000, Jun-ichiro itojun Hagino <itojun (at) iijlab.net>. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions are met: 18 * 1. Redistributions of source code must retain the above copyright notice, 19 * this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright notice, 21 * this list of conditions and the following disclaimer in the documentation 22 * and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE 28 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 29 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 30 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 32 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 33 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 34 * POSSIBILITY OF SUCH DAMAGE. 35 * 36 * From: Version 2.4, Thu Apr 30 17:17:21 MSD 1997 37 * 38 * From: if_spppsubr.c,v 1.39 1998/04/04 13:26:03 phk Exp 39 * 40 * From: Id: if_spppsubr.c,v 1.23 1999/02/23 14:47:50 hm Exp 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.250 2021/06/01 04:45:22 yamaguchi Exp $"); 45 46 #if defined(_KERNEL_OPT) 47 #include "opt_inet.h" 48 #include "opt_modular.h" 49 #include "opt_compat_netbsd.h" 50 #include "opt_net_mpsafe.h" 51 #include "opt_sppp.h" 52 #endif 53 54 #include <sys/param.h> 55 #include <sys/proc.h> 56 #include <sys/systm.h> 57 #include <sys/kernel.h> 58 #include <sys/sockio.h> 59 #include <sys/socket.h> 60 #include <sys/syslog.h> 61 #include <sys/malloc.h> 62 #include <sys/mbuf.h> 63 #include <sys/callout.h> 64 #include <sys/md5.h> 65 #include <sys/inttypes.h> 66 #include <sys/kauth.h> 67 #include <sys/cprng.h> 68 #include <sys/module.h> 69 #include <sys/workqueue.h> 70 #include <sys/atomic.h> 71 #include <sys/compat_stub.h> 72 #include <sys/cpu.h> 73 74 #include <net/if.h> 75 #include <net/netisr.h> 76 #include <net/if_types.h> 77 #include <net/route.h> 78 #include <net/ppp_defs.h> 79 80 #include <netinet/in.h> 81 #include <netinet/in_systm.h> 82 #include <netinet/in_var.h> 83 #ifdef INET 84 #include <netinet/ip.h> 85 #include <netinet/tcp.h> 86 #endif 87 #include <net/ethertypes.h> 88 89 #ifdef INET6 90 #include <netinet6/scope6_var.h> 91 #endif 92 93 #include <net/if_sppp.h> 94 #include <net/if_spppvar.h> 95 96 #ifdef NET_MPSAFE 97 #define SPPPSUBR_MPSAFE 1 98 #endif 99 100 #define DEFAULT_KEEPALIVE_INTERVAL 10 /* seconds between checks */ 101 #define DEFAULT_ALIVE_INTERVAL 1 /* count of sppp_keepalive */ 102 #define LOOPALIVECNT 3 /* loopback detection tries */ 103 #define DEFAULT_MAXALIVECNT 3 /* max. missed alive packets */ 104 #define DEFAULT_NORECV_TIME 15 /* before we get worried */ 105 #define DEFAULT_MAX_AUTH_FAILURES 5 /* max. auth. failures */ 106 107 #ifndef SPPP_KEEPALIVE_INTERVAL 108 #define SPPP_KEEPALIVE_INTERVAL DEFAULT_KEEPALIVE_INTERVAL 109 #endif 110 111 #ifndef SPPP_NORECV_TIME 112 #define SPPP_NORECV_TIME DEFAULT_NORECV_TIME 113 #endif 114 115 #ifndef SPPP_ALIVE_INTERVAL 116 #define SPPP_ALIVE_INTERVAL DEFAULT_ALIVE_INTERVAL 117 #endif 118 119 #define SPPP_CPTYPE_NAMELEN 5 /* buf size of cp type name */ 120 #define SPPP_AUTHTYPE_NAMELEN 32 /* buf size of auth type name */ 121 #define SPPP_LCPOPT_NAMELEN 5 /* buf size of lcp option name */ 122 #define SPPP_IPCPOPT_NAMELEN 5 /* buf size of ipcp option name */ 123 #define SPPP_IPV6CPOPT_NAMELEN 5 /* buf size of ipv6cp option name */ 124 #define SPPP_PROTO_NAMELEN 7 /* buf size of protocol name */ 125 #define SPPP_DOTQUAD_BUFLEN 16 /* length of "aa.bb.cc.dd" */ 126 127 /* 128 * Interface flags that can be set in an ifconfig command. 129 * 130 * Setting link0 will make the link passive, i.e. it will be marked 131 * as being administrative openable, but won't be opened to begin 132 * with. Incoming calls will be answered, or subsequent calls with 133 * -link1 will cause the administrative open of the LCP layer. 134 * 135 * Setting link1 will cause the link to auto-dial only as packets 136 * arrive to be sent. 137 * 138 * Setting IFF_DEBUG will syslog the option negotiation and state 139 * transitions at level kern.debug. Note: all logs consistently look 140 * like 141 * 142 * <if-name><unit>: <proto-name> <additional info...> 143 * 144 * with <if-name><unit> being something like "bppp0", and <proto-name> 145 * being one of "lcp", "ipcp", "cisco", "chap", "pap", etc. 146 */ 147 148 #define IFF_PASSIVE IFF_LINK0 /* wait passively for connection */ 149 #define IFF_AUTO IFF_LINK1 /* auto-dial on output */ 150 151 #define CONF_REQ 1 /* PPP configure request */ 152 #define CONF_ACK 2 /* PPP configure acknowledge */ 153 #define CONF_NAK 3 /* PPP configure negative ack */ 154 #define CONF_REJ 4 /* PPP configure reject */ 155 #define TERM_REQ 5 /* PPP terminate request */ 156 #define TERM_ACK 6 /* PPP terminate acknowledge */ 157 #define CODE_REJ 7 /* PPP code reject */ 158 #define PROTO_REJ 8 /* PPP protocol reject */ 159 #define ECHO_REQ 9 /* PPP echo request */ 160 #define ECHO_REPLY 10 /* PPP echo reply */ 161 #define DISC_REQ 11 /* PPP discard request */ 162 163 #define LCP_OPT_MRU 1 /* maximum receive unit */ 164 #define LCP_OPT_ASYNC_MAP 2 /* async control character map */ 165 #define LCP_OPT_AUTH_PROTO 3 /* authentication protocol */ 166 #define LCP_OPT_QUAL_PROTO 4 /* quality protocol */ 167 #define LCP_OPT_MAGIC 5 /* magic number */ 168 #define LCP_OPT_RESERVED 6 /* reserved */ 169 #define LCP_OPT_PROTO_COMP 7 /* protocol field compression */ 170 #define LCP_OPT_ADDR_COMP 8 /* address/control field compression */ 171 #define LCP_OPT_FCS_ALTS 9 /* FCS alternatives */ 172 #define LCP_OPT_SELF_DESC_PAD 10 /* self-describing padding */ 173 #define LCP_OPT_CALL_BACK 13 /* callback */ 174 #define LCP_OPT_COMPOUND_FRMS 15 /* compound frames */ 175 #define LCP_OPT_MP_MRRU 17 /* multilink MRRU */ 176 #define LCP_OPT_MP_SSNHF 18 /* multilink short seq. numbers */ 177 #define LCP_OPT_MP_EID 19 /* multilink endpoint discriminator */ 178 179 #define IPCP_OPT_ADDRESSES 1 /* both IP addresses; deprecated */ 180 #define IPCP_OPT_COMPRESSION 2 /* IP compression protocol */ 181 #define IPCP_OPT_ADDRESS 3 /* local IP address */ 182 #define IPCP_OPT_PRIMDNS 129 /* primary remote dns address */ 183 #define IPCP_OPT_SECDNS 131 /* secondary remote dns address */ 184 185 #define IPCP_UPDATE_LIMIT 8 /* limit of pending IP updating job */ 186 #define IPCP_SET_ADDRS 1 /* marker for IP address setting job */ 187 #define IPCP_CLEAR_ADDRS 2 /* marker for IP address clearing job */ 188 189 #define IPV6CP_OPT_IFID 1 /* interface identifier */ 190 #define IPV6CP_OPT_COMPRESSION 2 /* IPv6 compression protocol */ 191 192 #define PAP_REQ 1 /* PAP name/password request */ 193 #define PAP_ACK 2 /* PAP acknowledge */ 194 #define PAP_NAK 3 /* PAP fail */ 195 196 #define CHAP_CHALLENGE 1 /* CHAP challenge request */ 197 #define CHAP_RESPONSE 2 /* CHAP challenge response */ 198 #define CHAP_SUCCESS 3 /* CHAP response ok */ 199 #define CHAP_FAILURE 4 /* CHAP response failed */ 200 201 #define CHAP_MD5 5 /* hash algorithm - MD5 */ 202 203 #define CISCO_MULTICAST 0x8f /* Cisco multicast address */ 204 #define CISCO_UNICAST 0x0f /* Cisco unicast address */ 205 #define CISCO_KEEPALIVE 0x8035 /* Cisco keepalive protocol */ 206 #define CISCO_ADDR_REQ 0 /* Cisco address request */ 207 #define CISCO_ADDR_REPLY 1 /* Cisco address reply */ 208 #define CISCO_KEEPALIVE_REQ 2 /* Cisco keepalive request */ 209 210 #define PPP_NOPROTO 0 /* no authentication protocol */ 211 212 enum { 213 STATE_INITIAL = SPPP_STATE_INITIAL, 214 STATE_STARTING = SPPP_STATE_STARTING, 215 STATE_CLOSED = SPPP_STATE_CLOSED, 216 STATE_STOPPED = SPPP_STATE_STOPPED, 217 STATE_CLOSING = SPPP_STATE_CLOSING, 218 STATE_STOPPING = SPPP_STATE_STOPPING, 219 STATE_REQ_SENT = SPPP_STATE_REQ_SENT, 220 STATE_ACK_RCVD = SPPP_STATE_ACK_RCVD, 221 STATE_ACK_SENT = SPPP_STATE_ACK_SENT, 222 STATE_OPENED = SPPP_STATE_OPENED, 223 }; 224 225 enum cp_rcr_type { 226 CP_RCR_NONE = 0, /* initial value */ 227 CP_RCR_ACK, /* RCR+ */ 228 CP_RCR_NAK, /* RCR- */ 229 CP_RCR_REJ, /* RCR- */ 230 CP_RCR_DROP, /* DROP message */ 231 CP_RCR_ERR, /* internal error */ 232 }; 233 234 struct ppp_header { 235 uint8_t address; 236 uint8_t control; 237 uint16_t protocol; 238 } __packed; 239 #define PPP_HEADER_LEN sizeof (struct ppp_header) 240 241 struct lcp_header { 242 uint8_t type; 243 uint8_t ident; 244 uint16_t len; 245 } __packed; 246 #define LCP_HEADER_LEN sizeof (struct lcp_header) 247 248 struct cisco_packet { 249 uint32_t type; 250 uint32_t par1; 251 uint32_t par2; 252 uint16_t rel; 253 uint16_t time0; 254 uint16_t time1; 255 } __packed; 256 #define CISCO_PACKET_LEN 18 257 258 /* 259 * We follow the spelling and capitalization of RFC 1661 here, to make 260 * it easier comparing with the standard. Please refer to this RFC in 261 * case you can't make sense out of these abbreviation; it will also 262 * explain the semantics related to the various events and actions. 263 */ 264 struct cp { 265 u_short proto; /* PPP control protocol number */ 266 u_char protoidx; /* index into state table in struct sppp */ 267 u_char flags; 268 #define CP_LCP 0x01 /* this is the LCP */ 269 #define CP_AUTH 0x02 /* this is an authentication protocol */ 270 #define CP_NCP 0x04 /* this is a NCP */ 271 #define CP_QUAL 0x08 /* this is a quality reporting protocol */ 272 const char *name; /* name of this control protocol */ 273 /* event handlers */ 274 void (*Up)(struct sppp *, void *); 275 void (*Down)(struct sppp *, void *); 276 void (*Open)(struct sppp *, void *); 277 void (*Close)(struct sppp *, void *); 278 void (*TO)(struct sppp *, void *); 279 /* actions */ 280 void (*tlu)(struct sppp *); 281 void (*tld)(struct sppp *); 282 void (*tls)(const struct cp *, struct sppp *); 283 void (*tlf)(const struct cp *, struct sppp *); 284 void (*scr)(struct sppp *); 285 void (*screply)(const struct cp *, struct sppp *, u_char, 286 uint8_t, size_t, void *); 287 288 /* message parser */ 289 enum cp_rcr_type 290 (*parse_confreq)(struct sppp *, struct lcp_header *, int, 291 uint8_t **, size_t *, size_t *); 292 void (*parse_confrej)(struct sppp *, struct lcp_header *, int); 293 void (*parse_confnak)(struct sppp *, struct lcp_header *, int); 294 }; 295 296 enum auth_role { 297 SPPP_AUTH_NOROLE = 0, 298 SPPP_AUTH_SERV = __BIT(0), 299 SPPP_AUTH_PEER = __BIT(1), 300 }; 301 302 static struct sppp *spppq; 303 static kmutex_t *spppq_lock = NULL; 304 static callout_t keepalive_ch; 305 static unsigned int sppp_keepalive_cnt = 0; 306 307 #define SPPPQ_LOCK() if (spppq_lock) \ 308 mutex_enter(spppq_lock); 309 #define SPPPQ_UNLOCK() if (spppq_lock) \ 310 mutex_exit(spppq_lock); 311 312 #define SPPP_LOCK(_sp, _op) rw_enter(&(_sp)->pp_lock, (_op)) 313 #define SPPP_UNLOCK(_sp) rw_exit(&(_sp)->pp_lock) 314 #define SPPP_WLOCKED(_sp) rw_write_held(&(_sp)->pp_lock) 315 #define SPPP_UPGRADE(_sp) do{ \ 316 SPPP_UNLOCK(_sp); \ 317 SPPP_LOCK(_sp, RW_WRITER); \ 318 }while (0) 319 #define SPPP_DOWNGRADE(_sp) rw_downgrade(&(_sp)->pp_lock) 320 #define SPPP_WQ_SET(_wk, _func, _arg) \ 321 sppp_wq_set((_wk), (_func), __UNCONST((_arg))) 322 323 #ifdef INET 324 #ifndef SPPPSUBR_MPSAFE 325 /* 326 * The following disgusting hack gets around the problem that IP TOS 327 * can't be set yet. We want to put "interactive" traffic on a high 328 * priority queue. To decide if traffic is interactive, we check that 329 * a) it is TCP and b) one of its ports is telnet, rlogin or ftp control. 330 * 331 * XXX is this really still necessary? - joerg - 332 */ 333 static u_short interactive_ports[8] = { 334 0, 513, 0, 0, 335 0, 21, 0, 23, 336 }; 337 #define INTERACTIVE(p) (interactive_ports[(p) & 7] == (p)) 338 #endif /* SPPPSUBR_MPSAFE */ 339 #endif 340 341 /* almost every function needs these */ 342 #define STDDCL \ 343 struct ifnet *ifp = &sp->pp_if; \ 344 int debug = ifp->if_flags & IFF_DEBUG 345 346 static int sppp_output(struct ifnet *, struct mbuf *, 347 const struct sockaddr *, const struct rtentry *); 348 349 static void sppp_cisco_send(struct sppp *, int, int32_t, int32_t); 350 static void sppp_cisco_input(struct sppp *, struct mbuf *); 351 352 static void sppp_cp_init(const struct cp *, struct sppp *); 353 static void sppp_cp_fini(const struct cp *, struct sppp *); 354 static void sppp_cp_input(const struct cp *, struct sppp *, 355 struct mbuf *); 356 static void sppp_cp_input(const struct cp *, struct sppp *, 357 struct mbuf *); 358 static void sppp_cp_send(struct sppp *, u_short, u_char, 359 u_char, u_short, void *); 360 /* static void sppp_cp_timeout(void *arg); */ 361 static void sppp_cp_change_state(const struct cp *, struct sppp *, int); 362 static struct workqueue * 363 sppp_wq_create(struct sppp *, const char *, pri_t, int, int); 364 static void sppp_wq_destroy(struct sppp *, struct workqueue *); 365 static void sppp_wq_set(struct sppp_work *, 366 void (*)(struct sppp *, void *), void *); 367 static void sppp_wq_add(struct workqueue *, struct sppp_work *); 368 static void sppp_wq_wait(struct workqueue *, struct sppp_work *); 369 static void sppp_cp_to_lcp(void *); 370 static void sppp_cp_to_ipcp(void *); 371 static void sppp_cp_to_ipv6cp(void *); 372 static void sppp_auth_send(const struct cp *, struct sppp *, 373 unsigned int, unsigned int, ...); 374 static int sppp_auth_role(const struct cp *, struct sppp *); 375 static void sppp_auth_to_event(struct sppp *, void *); 376 static void sppp_auth_screply(const struct cp *, struct sppp *, 377 u_char, uint8_t, size_t, void *); 378 static void sppp_up_event(struct sppp *, void *); 379 static void sppp_down_event(struct sppp *, void *); 380 static void sppp_open_event(struct sppp *, void *); 381 static void sppp_close_event(struct sppp *, void *); 382 static void sppp_to_event(struct sppp *, void *); 383 static void sppp_rcr_event(struct sppp *, void *); 384 static void sppp_rca_event(struct sppp *, void *); 385 static void sppp_rcn_event(struct sppp *, void *); 386 static void sppp_rtr_event(struct sppp *, void *); 387 static void sppp_rta_event(struct sppp *, void *); 388 static void sppp_rxj_event(struct sppp *, void *); 389 390 static void sppp_null(struct sppp *); 391 static void sppp_tls(const struct cp *, struct sppp *); 392 static void sppp_tlf(const struct cp *, struct sppp *); 393 static void sppp_screply(const struct cp *, struct sppp *, 394 u_char, uint8_t, size_t, void *); 395 static void sppp_ifdown(struct sppp *, void *); 396 397 static void sppp_lcp_init(struct sppp *); 398 static void sppp_lcp_up(struct sppp *, void *); 399 static void sppp_lcp_down(struct sppp *, void *); 400 static void sppp_lcp_open(struct sppp *, void *); 401 static enum cp_rcr_type 402 sppp_lcp_confreq(struct sppp *, struct lcp_header *, int, 403 uint8_t **, size_t *, size_t *); 404 static void sppp_lcp_confrej(struct sppp *, struct lcp_header *, int); 405 static void sppp_lcp_confnak(struct sppp *, struct lcp_header *, int); 406 static void sppp_lcp_tlu(struct sppp *); 407 static void sppp_lcp_tld(struct sppp *); 408 static void sppp_lcp_tls(const struct cp *, struct sppp *); 409 static void sppp_lcp_tlf(const struct cp *, struct sppp *); 410 static void sppp_lcp_scr(struct sppp *); 411 static void sppp_lcp_check_and_close(struct sppp *); 412 static int sppp_cp_check(struct sppp *, u_char); 413 414 static void sppp_ipcp_init(struct sppp *); 415 static void sppp_ipcp_open(struct sppp *, void *); 416 static void sppp_ipcp_close(struct sppp *, void *); 417 static enum cp_rcr_type 418 sppp_ipcp_confreq(struct sppp *, struct lcp_header *, int, 419 uint8_t **, size_t *, size_t *); 420 static void sppp_ipcp_confrej(struct sppp *, struct lcp_header *, int); 421 static void sppp_ipcp_confnak(struct sppp *, struct lcp_header *, int); 422 static void sppp_ipcp_tlu(struct sppp *); 423 static void sppp_ipcp_scr(struct sppp *); 424 425 static void sppp_ipv6cp_init(struct sppp *); 426 static void sppp_ipv6cp_open(struct sppp *, void *); 427 static enum cp_rcr_type 428 sppp_ipv6cp_confreq(struct sppp *, struct lcp_header *, int, 429 uint8_t **, size_t *, size_t *); 430 static void sppp_ipv6cp_confrej(struct sppp *, struct lcp_header *, int); 431 static void sppp_ipv6cp_confnak(struct sppp *, struct lcp_header *, int); 432 static void sppp_ipv6cp_tlu(struct sppp *); 433 static void sppp_ipv6cp_scr(struct sppp *); 434 435 static void sppp_pap_input(struct sppp *, struct mbuf *); 436 static void sppp_pap_init(struct sppp *); 437 static void sppp_pap_tlu(struct sppp *); 438 static void sppp_pap_scr(struct sppp *); 439 static void sppp_pap_scr(struct sppp *); 440 441 static void sppp_chap_input(struct sppp *, struct mbuf *); 442 static void sppp_chap_init(struct sppp *); 443 static void sppp_chap_open(struct sppp *, void *); 444 static void sppp_chap_tlu(struct sppp *); 445 static void sppp_chap_scr(struct sppp *); 446 static void sppp_chap_rcv_challenge_event(struct sppp *, void *); 447 448 static const char *sppp_auth_type_name(char *, size_t, u_short, u_char); 449 static const char *sppp_cp_type_name(char *, size_t, u_char); 450 static const char *sppp_dotted_quad(char *, size_t, uint32_t); 451 static const char *sppp_ipcp_opt_name(char *, size_t, u_char); 452 #ifdef INET6 453 static const char *sppp_ipv6cp_opt_name(char *, size_t, u_char); 454 #endif 455 static const char *sppp_lcp_opt_name(char *, size_t, u_char); 456 static const char *sppp_phase_name(int); 457 static const char *sppp_proto_name(char *, size_t, u_short); 458 static const char *sppp_state_name(int); 459 static int sppp_params(struct sppp *, u_long, void *); 460 #ifdef INET 461 static void sppp_get_ip_addrs(struct sppp *, uint32_t *, uint32_t *, uint32_t *); 462 static void sppp_set_ip_addrs(struct sppp *); 463 static void sppp_clear_ip_addrs(struct sppp *); 464 #endif 465 static void sppp_keepalive(void *); 466 static void sppp_phase_network(struct sppp *); 467 static void sppp_print_bytes(const u_char *, u_short); 468 static void sppp_print_string(const char *, u_short); 469 #ifdef INET6 470 static void sppp_get_ip6_addrs(struct sppp *, struct in6_addr *, 471 struct in6_addr *, struct in6_addr *); 472 #ifdef IPV6CP_MYIFID_DYN 473 static void sppp_set_ip6_addr(struct sppp *, const struct in6_addr *); 474 static void sppp_gen_ip6_addr(struct sppp *, const struct in6_addr *); 475 #endif 476 static void sppp_suggest_ip6_addr(struct sppp *, struct in6_addr *); 477 #endif 478 479 static void sppp_notify_up(struct sppp *); 480 static void sppp_notify_down(struct sppp *); 481 static void sppp_notify_tls_wlocked(struct sppp *); 482 static void sppp_notify_tlf_wlocked(struct sppp *); 483 #ifdef INET6 484 static void sppp_notify_con_wlocked(struct sppp *); 485 #endif 486 static void sppp_notify_con(struct sppp *); 487 488 static void sppp_notify_chg_wlocked(struct sppp *); 489 490 /* our control protocol descriptors */ 491 static const struct cp lcp = { 492 PPP_LCP, IDX_LCP, CP_LCP, "lcp", 493 sppp_lcp_up, sppp_lcp_down, sppp_lcp_open, 494 sppp_close_event, sppp_to_event, 495 sppp_lcp_tlu, sppp_lcp_tld, sppp_lcp_tls, 496 sppp_lcp_tlf, sppp_lcp_scr, sppp_screply, 497 sppp_lcp_confreq, sppp_lcp_confrej, sppp_lcp_confnak 498 }; 499 500 static const struct cp ipcp = { 501 PPP_IPCP, IDX_IPCP, 502 #ifdef INET 503 CP_NCP, /*don't run IPCP if there's no IPv4 support*/ 504 #else 505 0, 506 #endif 507 "ipcp", 508 sppp_up_event, sppp_down_event, sppp_ipcp_open, 509 sppp_ipcp_close, sppp_to_event, 510 sppp_ipcp_tlu, sppp_null, sppp_tls, 511 sppp_tlf, sppp_ipcp_scr, sppp_screply, 512 sppp_ipcp_confreq, sppp_ipcp_confrej, sppp_ipcp_confnak, 513 }; 514 515 static const struct cp ipv6cp = { 516 PPP_IPV6CP, IDX_IPV6CP, 517 #ifdef INET6 /*don't run IPv6CP if there's no IPv6 support*/ 518 CP_NCP, 519 #else 520 0, 521 #endif 522 "ipv6cp", 523 sppp_up_event, sppp_down_event, sppp_ipv6cp_open, 524 sppp_close_event, sppp_to_event, 525 sppp_ipv6cp_tlu, sppp_null, sppp_tls, 526 sppp_tlf, sppp_ipv6cp_scr, sppp_screply, 527 sppp_ipv6cp_confreq, sppp_ipv6cp_confrej, sppp_ipv6cp_confnak, 528 }; 529 530 static const struct cp pap = { 531 PPP_PAP, IDX_PAP, CP_AUTH, "pap", 532 sppp_up_event, sppp_down_event, sppp_open_event, 533 sppp_close_event, sppp_to_event, 534 sppp_pap_tlu, sppp_null, sppp_tls, sppp_tlf, 535 sppp_pap_scr, sppp_auth_screply, 536 NULL, NULL, NULL 537 }; 538 539 static const struct cp chap = { 540 PPP_CHAP, IDX_CHAP, CP_AUTH, "chap", 541 sppp_up_event, sppp_down_event, sppp_chap_open, 542 sppp_close_event, sppp_auth_to_event, 543 sppp_chap_tlu, sppp_null, sppp_tls, sppp_tlf, 544 sppp_chap_scr, sppp_auth_screply, 545 NULL, NULL, NULL 546 }; 547 548 static const struct cp *cps[IDX_COUNT] = { 549 &lcp, /* IDX_LCP */ 550 &ipcp, /* IDX_IPCP */ 551 &ipv6cp, /* IDX_IPV6CP */ 552 &pap, /* IDX_PAP */ 553 &chap, /* IDX_CHAP */ 554 }; 555 556 static inline u_int 557 sppp_proto2authproto(u_short proto) 558 { 559 560 switch (proto) { 561 case PPP_PAP: 562 return SPPP_AUTHPROTO_PAP; 563 case PPP_CHAP: 564 return SPPP_AUTHPROTO_CHAP; 565 } 566 567 return SPPP_AUTHPROTO_NONE; 568 } 569 570 static inline u_short 571 sppp_authproto2proto(u_int authproto) 572 { 573 574 switch (authproto) { 575 case SPPP_AUTHPROTO_PAP: 576 return PPP_PAP; 577 case SPPP_AUTHPROTO_CHAP: 578 return PPP_CHAP; 579 } 580 581 return PPP_NOPROTO; 582 } 583 584 static void 585 sppp_change_phase(struct sppp *sp, int phase) 586 { 587 STDDCL; 588 589 KASSERT(SPPP_WLOCKED(sp)); 590 591 if (sp->pp_phase == phase) 592 return; 593 594 sp->pp_phase = phase; 595 596 if (phase == SPPP_PHASE_NETWORK) 597 if_link_state_change(ifp, LINK_STATE_UP); 598 else 599 if_link_state_change(ifp, LINK_STATE_DOWN); 600 601 if (debug) 602 { 603 log(LOG_INFO, "%s: phase %s\n", ifp->if_xname, 604 sppp_phase_name(sp->pp_phase)); 605 } 606 } 607 608 /* 609 * Exported functions, comprising our interface to the lower layer. 610 */ 611 612 /* 613 * Process the received packet. 614 */ 615 void 616 sppp_input(struct ifnet *ifp, struct mbuf *m) 617 { 618 struct ppp_header *h = NULL; 619 pktqueue_t *pktq = NULL; 620 struct ifqueue *inq = NULL; 621 uint16_t protocol; 622 struct sppp *sp = (struct sppp *)ifp; 623 int debug = ifp->if_flags & IFF_DEBUG; 624 int isr = 0; 625 626 SPPP_LOCK(sp, RW_READER); 627 628 if (ifp->if_flags & IFF_UP) { 629 /* Count received bytes, add hardware framing */ 630 if_statadd(ifp, if_ibytes, m->m_pkthdr.len + sp->pp_framebytes); 631 /* Note time of last receive */ 632 sp->pp_last_receive = time_uptime; 633 } 634 635 if (m->m_pkthdr.len <= PPP_HEADER_LEN) { 636 /* Too small packet, drop it. */ 637 if (debug) 638 log(LOG_DEBUG, 639 "%s: input packet is too small, %d bytes\n", 640 ifp->if_xname, m->m_pkthdr.len); 641 goto drop; 642 } 643 644 if (sp->pp_flags & PP_NOFRAMING) { 645 memcpy(&protocol, mtod(m, void *), 2); 646 protocol = ntohs(protocol); 647 m_adj(m, 2); 648 } else { 649 650 /* Get PPP header. */ 651 h = mtod(m, struct ppp_header *); 652 m_adj(m, PPP_HEADER_LEN); 653 654 switch (h->address) { 655 case PPP_ALLSTATIONS: 656 if (h->control != PPP_UI) 657 goto invalid; 658 if (sp->pp_flags & PP_CISCO) { 659 if (debug) 660 log(LOG_DEBUG, 661 "%s: PPP packet in Cisco mode " 662 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 663 ifp->if_xname, 664 h->address, h->control, ntohs(h->protocol)); 665 goto drop; 666 } 667 break; 668 case CISCO_MULTICAST: 669 case CISCO_UNICAST: 670 /* Don't check the control field here (RFC 1547). */ 671 if (! (sp->pp_flags & PP_CISCO)) { 672 if (debug) 673 log(LOG_DEBUG, 674 "%s: Cisco packet in PPP mode " 675 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 676 ifp->if_xname, 677 h->address, h->control, ntohs(h->protocol)); 678 goto drop; 679 } 680 switch (ntohs(h->protocol)) { 681 default: 682 if_statinc(ifp, if_noproto); 683 goto invalid; 684 case CISCO_KEEPALIVE: 685 SPPP_UNLOCK(sp); 686 sppp_cisco_input((struct sppp *) ifp, m); 687 m_freem(m); 688 return; 689 #ifdef INET 690 case ETHERTYPE_IP: 691 pktq = ip_pktq; 692 break; 693 #endif 694 #ifdef INET6 695 case ETHERTYPE_IPV6: 696 pktq = ip6_pktq; 697 break; 698 #endif 699 } 700 goto queue_pkt; 701 default: /* Invalid PPP packet. */ 702 invalid: 703 if (debug) 704 log(LOG_DEBUG, 705 "%s: invalid input packet " 706 "<addr=0x%x ctrl=0x%x proto=0x%x>\n", 707 ifp->if_xname, 708 h->address, h->control, ntohs(h->protocol)); 709 goto drop; 710 } 711 protocol = ntohs(h->protocol); 712 } 713 714 switch (protocol) { 715 reject_protocol: 716 if (sp->scp[IDX_LCP].state == STATE_OPENED) { 717 uint16_t prot = htons(protocol); 718 719 SPPP_UPGRADE(sp); 720 sppp_cp_send(sp, PPP_LCP, PROTO_REJ, 721 ++sp->scp[IDX_LCP].seq, m->m_pkthdr.len + 2, 722 &prot); 723 SPPP_DOWNGRADE(sp); 724 } 725 if_statinc(ifp, if_noproto); 726 goto drop; 727 default: 728 if (debug) { 729 log(LOG_DEBUG, 730 "%s: invalid input protocol " 731 "<proto=0x%x>\n", ifp->if_xname, protocol); 732 } 733 goto reject_protocol; 734 case PPP_LCP: 735 SPPP_UNLOCK(sp); 736 sppp_cp_input(&lcp, sp, m); 737 /* already m_freem(m) */ 738 return; 739 case PPP_PAP: 740 SPPP_UNLOCK(sp); 741 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 742 sppp_pap_input(sp, m); 743 } 744 m_freem(m); 745 return; 746 case PPP_CHAP: 747 SPPP_UNLOCK(sp); 748 if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 749 sppp_chap_input(sp, m); 750 } 751 m_freem(m); 752 return; 753 #ifdef INET 754 case PPP_IPCP: 755 if (!ISSET(sp->pp_ncpflags, SPPP_NCP_IPCP)) { 756 log(LOG_INFO, "%s: reject IPCP packet " 757 "because IPCP is disabled\n", 758 ifp->if_xname); 759 goto reject_protocol; 760 } 761 SPPP_UNLOCK(sp); 762 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 763 sppp_cp_input(&ipcp, sp, m); 764 /* already m_freem(m) */ 765 } else { 766 m_freem(m); 767 } 768 return; 769 case PPP_IP: 770 if (sp->scp[IDX_IPCP].state == STATE_OPENED) { 771 sp->pp_last_activity = time_uptime; 772 pktq = ip_pktq; 773 } 774 break; 775 #endif 776 #ifdef INET6 777 case PPP_IPV6CP: 778 if (!ISSET(sp->pp_ncpflags, SPPP_NCP_IPV6CP)) { 779 log(LOG_INFO, "%s: reject IPv6CP packet " 780 "because IPv6CP is disabled\n", 781 ifp->if_xname); 782 goto reject_protocol; 783 } 784 SPPP_UNLOCK(sp); 785 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 786 sppp_cp_input(&ipv6cp, sp, m); 787 /* already m_freem(m) */ 788 } else { 789 m_freem(m); 790 } 791 return; 792 793 case PPP_IPV6: 794 if (sp->scp[IDX_IPV6CP].state == STATE_OPENED) { 795 sp->pp_last_activity = time_uptime; 796 pktq = ip6_pktq; 797 } 798 break; 799 #endif 800 } 801 802 queue_pkt: 803 if ((ifp->if_flags & IFF_UP) == 0 || (!inq && !pktq)) { 804 goto drop; 805 } 806 807 /* Check queue. */ 808 if (__predict_true(pktq)) { 809 if (__predict_false(!pktq_enqueue(pktq, m, 0))) { 810 goto drop; 811 } 812 SPPP_UNLOCK(sp); 813 return; 814 } 815 816 SPPP_UNLOCK(sp); 817 818 IFQ_LOCK(inq); 819 if (IF_QFULL(inq)) { 820 /* Queue overflow. */ 821 IF_DROP(inq); 822 IFQ_UNLOCK(inq); 823 if (debug) 824 log(LOG_DEBUG, "%s: protocol queue overflow\n", 825 ifp->if_xname); 826 827 SPPP_LOCK(sp, RW_READER); 828 goto drop; 829 } 830 IF_ENQUEUE(inq, m); 831 IFQ_UNLOCK(inq); 832 schednetisr(isr); 833 return; 834 835 drop: 836 if_statadd2(ifp, if_ierrors, 1, if_iqdrops, 1); 837 m_freem(m); 838 SPPP_UNLOCK(sp); 839 return; 840 } 841 842 /* 843 * Enqueue transmit packet. 844 */ 845 static int 846 sppp_output(struct ifnet *ifp, struct mbuf *m, 847 const struct sockaddr *dst, const struct rtentry *rt) 848 { 849 struct sppp *sp = (struct sppp *) ifp; 850 struct ppp_header *h = NULL; 851 #ifndef SPPPSUBR_MPSAFE 852 struct ifqueue *ifq = NULL; /* XXX */ 853 #endif 854 int s, error = 0; 855 uint16_t protocol; 856 size_t pktlen; 857 858 s = splnet(); 859 SPPP_LOCK(sp, RW_READER); 860 861 sp->pp_last_activity = time_uptime; 862 863 if ((ifp->if_flags & IFF_UP) == 0 || 864 (ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == 0) { 865 SPPP_UNLOCK(sp); 866 splx(s); 867 868 m_freem(m); 869 if_statinc(ifp, if_oerrors); 870 return (ENETDOWN); 871 } 872 873 if ((ifp->if_flags & (IFF_RUNNING | IFF_AUTO)) == IFF_AUTO) { 874 /* ignore packets that have no enabled NCP */ 875 if ((dst->sa_family == AF_INET && 876 !ISSET(sp->pp_ncpflags, SPPP_NCP_IPCP)) || 877 (dst->sa_family == AF_INET6 && 878 !ISSET(sp->pp_ncpflags, SPPP_NCP_IPV6CP))) { 879 SPPP_UNLOCK(sp); 880 splx(s); 881 882 m_freem(m); 883 if_statinc(ifp, if_oerrors); 884 return (ENETDOWN); 885 } 886 /* 887 * Interface is not yet running, but auto-dial. Need 888 * to start LCP for it. 889 */ 890 ifp->if_flags |= IFF_RUNNING; 891 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open); 892 } 893 894 /* 895 * If the queueing discipline needs packet classification, 896 * do it before prepending link headers. 897 */ 898 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family); 899 900 #ifdef INET 901 if (dst->sa_family == AF_INET) { 902 struct ip *ip = NULL; 903 #ifndef SPPPSUBR_MPSAFE 904 struct tcphdr *th = NULL; 905 #endif 906 907 if (m->m_len >= sizeof(struct ip)) { 908 ip = mtod(m, struct ip *); 909 #ifndef SPPPSUBR_MPSAFE 910 if (ip->ip_p == IPPROTO_TCP && 911 m->m_len >= sizeof(struct ip) + (ip->ip_hl << 2) + 912 sizeof(struct tcphdr)) { 913 th = (struct tcphdr *) 914 ((char *)ip + (ip->ip_hl << 2)); 915 } 916 #endif 917 } else 918 ip = NULL; 919 920 /* 921 * When using dynamic local IP address assignment by using 922 * 0.0.0.0 as a local address, the first TCP session will 923 * not connect because the local TCP checksum is computed 924 * using 0.0.0.0 which will later become our real IP address 925 * so the TCP checksum computed at the remote end will 926 * become invalid. So we 927 * - don't let packets with src ip addr 0 thru 928 * - we flag TCP packets with src ip 0 as an error 929 */ 930 if (ip && ip->ip_src.s_addr == INADDR_ANY) { 931 uint8_t proto = ip->ip_p; 932 933 SPPP_UNLOCK(sp); 934 splx(s); 935 936 m_freem(m); 937 if (proto == IPPROTO_TCP) 938 return (EADDRNOTAVAIL); 939 else 940 return (0); 941 } 942 943 #ifndef SPPPSUBR_MPSAFE 944 /* 945 * Put low delay, telnet, rlogin and ftp control packets 946 * in front of the queue. 947 */ 948 if (!IF_QFULL(&sp->pp_fastq) && 949 ((ip && (ip->ip_tos & IPTOS_LOWDELAY)) || 950 (th && (INTERACTIVE(ntohs(th->th_sport)) || 951 INTERACTIVE(ntohs(th->th_dport)))))) 952 ifq = &sp->pp_fastq; 953 #endif /* !SPPPSUBR_MPSAFE */ 954 } 955 #endif 956 957 #ifdef INET6 958 if (dst->sa_family == AF_INET6) { 959 /* XXX do something tricky here? */ 960 } 961 #endif 962 963 if ((sp->pp_flags & PP_NOFRAMING) == 0) { 964 /* 965 * Prepend general data packet PPP header. For now, IP only. 966 */ 967 M_PREPEND(m, PPP_HEADER_LEN, M_DONTWAIT); 968 if (! m) { 969 if (ifp->if_flags & IFF_DEBUG) 970 log(LOG_DEBUG, "%s: no memory for transmit header\n", 971 ifp->if_xname); 972 if_statinc(ifp, if_oerrors); 973 SPPP_UNLOCK(sp); 974 splx(s); 975 return (ENOBUFS); 976 } 977 /* 978 * May want to check size of packet 979 * (albeit due to the implementation it's always enough) 980 */ 981 h = mtod(m, struct ppp_header *); 982 if (sp->pp_flags & PP_CISCO) { 983 h->address = CISCO_UNICAST; /* unicast address */ 984 h->control = 0; 985 } else { 986 h->address = PPP_ALLSTATIONS; /* broadcast address */ 987 h->control = PPP_UI; /* Unnumbered Info */ 988 } 989 } 990 991 switch (dst->sa_family) { 992 #ifdef INET 993 case AF_INET: /* Internet Protocol */ 994 if (sp->pp_flags & PP_CISCO) 995 protocol = htons(ETHERTYPE_IP); 996 else { 997 /* 998 * Don't choke with an ENETDOWN early. It's 999 * possible that we just started dialing out, 1000 * so don't drop the packet immediately. If 1001 * we notice that we run out of buffer space 1002 * below, we will however remember that we are 1003 * not ready to carry IP packets, and return 1004 * ENETDOWN, as opposed to ENOBUFS. 1005 */ 1006 protocol = htons(PPP_IP); 1007 if (sp->scp[IDX_IPCP].state != STATE_OPENED) { 1008 if (ifp->if_flags & IFF_AUTO) { 1009 error = ENETDOWN; 1010 } else { 1011 IF_DROP(&ifp->if_snd); 1012 SPPP_UNLOCK(sp); 1013 splx(s); 1014 1015 m_freem(m); 1016 if_statinc(ifp, if_oerrors); 1017 return (ENETDOWN); 1018 } 1019 } 1020 } 1021 break; 1022 #endif 1023 #ifdef INET6 1024 case AF_INET6: /* Internet Protocol version 6 */ 1025 if (sp->pp_flags & PP_CISCO) 1026 protocol = htons(ETHERTYPE_IPV6); 1027 else { 1028 /* 1029 * Don't choke with an ENETDOWN early. It's 1030 * possible that we just started dialing out, 1031 * so don't drop the packet immediately. If 1032 * we notice that we run out of buffer space 1033 * below, we will however remember that we are 1034 * not ready to carry IP packets, and return 1035 * ENETDOWN, as opposed to ENOBUFS. 1036 */ 1037 protocol = htons(PPP_IPV6); 1038 if (sp->scp[IDX_IPV6CP].state != STATE_OPENED) { 1039 if (ifp->if_flags & IFF_AUTO) { 1040 error = ENETDOWN; 1041 } else { 1042 IF_DROP(&ifp->if_snd); 1043 SPPP_UNLOCK(sp); 1044 splx(s); 1045 1046 m_freem(m); 1047 if_statinc(ifp, if_oerrors); 1048 return (ENETDOWN); 1049 } 1050 } 1051 } 1052 break; 1053 #endif 1054 default: 1055 m_freem(m); 1056 if_statinc(ifp, if_oerrors); 1057 SPPP_UNLOCK(sp); 1058 splx(s); 1059 return (EAFNOSUPPORT); 1060 } 1061 1062 if (sp->pp_flags & PP_NOFRAMING) { 1063 M_PREPEND(m, 2, M_DONTWAIT); 1064 if (m == NULL) { 1065 if (ifp->if_flags & IFF_DEBUG) 1066 log(LOG_DEBUG, "%s: no memory for transmit header\n", 1067 ifp->if_xname); 1068 if_statinc(ifp, if_oerrors); 1069 SPPP_UNLOCK(sp); 1070 splx(s); 1071 return (ENOBUFS); 1072 } 1073 *mtod(m, uint16_t *) = protocol; 1074 } else { 1075 h->protocol = protocol; 1076 } 1077 1078 pktlen = m->m_pkthdr.len; 1079 #ifdef SPPPSUBR_MPSAFE 1080 SPPP_UNLOCK(sp); 1081 error = if_transmit_lock(ifp, m); 1082 SPPP_LOCK(sp, RW_READER); 1083 if (error == 0) 1084 if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes); 1085 #else /* !SPPPSUBR_MPSAFE */ 1086 error = ifq_enqueue2(ifp, ifq, m); 1087 1088 if (error == 0) { 1089 /* 1090 * Count output packets and bytes. 1091 * The packet length includes header + additional hardware 1092 * framing according to RFC 1333. 1093 */ 1094 if (!(ifp->if_flags & IFF_OACTIVE)) { 1095 SPPP_UNLOCK(sp); 1096 if_start_lock(ifp); 1097 SPPP_LOCK(sp, RW_READER); 1098 } 1099 if_statadd(ifp, if_obytes, pktlen + sp->pp_framebytes); 1100 } 1101 #endif /* !SPPPSUBR_MPSAFE */ 1102 SPPP_UNLOCK(sp); 1103 splx(s); 1104 return error; 1105 } 1106 1107 void 1108 sppp_attach(struct ifnet *ifp) 1109 { 1110 struct sppp *sp = (struct sppp *) ifp; 1111 char xnamebuf[MAXCOMLEN]; 1112 1113 /* Initialize keepalive handler. */ 1114 if (! spppq) { 1115 callout_init(&keepalive_ch, CALLOUT_MPSAFE); 1116 callout_reset(&keepalive_ch, hz * SPPP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 1117 } 1118 1119 if (! spppq_lock) 1120 spppq_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_SOFTNET); 1121 1122 sp->pp_if.if_type = IFT_PPP; 1123 sp->pp_if.if_output = sppp_output; 1124 sp->pp_fastq.ifq_maxlen = 32; 1125 sp->pp_cpq.ifq_maxlen = 20; 1126 sp->pp_loopcnt = 0; 1127 sp->pp_alivecnt = 0; 1128 sp->pp_alive_interval = SPPP_ALIVE_INTERVAL; 1129 sp->pp_last_activity = 0; 1130 sp->pp_last_receive = 0; 1131 sp->pp_maxalive = DEFAULT_MAXALIVECNT; 1132 sp->pp_max_noreceive = SPPP_NORECV_TIME; 1133 sp->pp_idle_timeout = 0; 1134 sp->pp_max_auth_fail = DEFAULT_MAX_AUTH_FAILURES; 1135 sp->pp_phase = SPPP_PHASE_DEAD; 1136 sp->pp_up = sppp_notify_up; 1137 sp->pp_down = sppp_notify_down; 1138 sp->pp_ncpflags = SPPP_NCP_IPCP | SPPP_NCP_IPV6CP; 1139 #ifdef SPPP_IFDOWN_RECONNECT 1140 sp->pp_flags |= PP_LOOPBACK_IFDOWN | PP_KEEPALIVE_IFDOWN; 1141 #endif 1142 sppp_wq_set(&sp->work_ifdown, sppp_ifdown, NULL); 1143 memset(sp->scp, 0, sizeof(sp->scp)); 1144 rw_init(&sp->pp_lock); 1145 1146 if_alloc_sadl(ifp); 1147 1148 /* Lets not beat about the bush, we know we're down. */ 1149 ifp->if_link_state = LINK_STATE_DOWN; 1150 1151 snprintf(xnamebuf, sizeof(xnamebuf), "%s.wq_cp", ifp->if_xname); 1152 sp->wq_cp = sppp_wq_create(sp, xnamebuf, 1153 PRI_SOFTNET, IPL_SOFTNET, WQ_MPSAFE); 1154 1155 memset(&sp->myauth, 0, sizeof sp->myauth); 1156 memset(&sp->hisauth, 0, sizeof sp->hisauth); 1157 SPPP_LOCK(sp, RW_WRITER); 1158 sppp_lcp_init(sp); 1159 sppp_ipcp_init(sp); 1160 sppp_ipv6cp_init(sp); 1161 sppp_pap_init(sp); 1162 sppp_chap_init(sp); 1163 SPPP_UNLOCK(sp); 1164 1165 SPPPQ_LOCK(); 1166 /* Insert new entry into the keepalive list. */ 1167 sp->pp_next = spppq; 1168 spppq = sp; 1169 SPPPQ_UNLOCK(); 1170 } 1171 1172 void 1173 sppp_detach(struct ifnet *ifp) 1174 { 1175 struct sppp **q, *p, *sp = (struct sppp *) ifp; 1176 1177 /* Remove the entry from the keepalive list. */ 1178 SPPPQ_LOCK(); 1179 for (q = &spppq; (p = *q); q = &p->pp_next) 1180 if (p == sp) { 1181 *q = p->pp_next; 1182 break; 1183 } 1184 SPPPQ_UNLOCK(); 1185 1186 if (! spppq) { 1187 /* Stop keepalive handler. */ 1188 callout_stop(&keepalive_ch); 1189 mutex_obj_free(spppq_lock); 1190 spppq_lock = NULL; 1191 } 1192 1193 sppp_cp_fini(&lcp, sp); 1194 sppp_cp_fini(&ipcp, sp); 1195 sppp_cp_fini(&pap, sp); 1196 sppp_cp_fini(&chap, sp); 1197 #ifdef INET6 1198 sppp_cp_fini(&ipv6cp, sp); 1199 #endif 1200 sppp_wq_destroy(sp, sp->wq_cp); 1201 1202 /* free authentication info */ 1203 if (sp->myauth.name) free(sp->myauth.name, M_DEVBUF); 1204 if (sp->myauth.secret) free(sp->myauth.secret, M_DEVBUF); 1205 if (sp->hisauth.name) free(sp->hisauth.name, M_DEVBUF); 1206 if (sp->hisauth.secret) free(sp->hisauth.secret, M_DEVBUF); 1207 rw_destroy(&sp->pp_lock); 1208 } 1209 1210 /* 1211 * Flush the interface output queue. 1212 */ 1213 void 1214 sppp_flush(struct ifnet *ifp) 1215 { 1216 struct sppp *sp = (struct sppp *) ifp; 1217 1218 SPPP_LOCK(sp, RW_WRITER); 1219 IFQ_PURGE(&sp->pp_if.if_snd); 1220 IF_PURGE(&sp->pp_fastq); 1221 IF_PURGE(&sp->pp_cpq); 1222 SPPP_UNLOCK(sp); 1223 } 1224 1225 /* 1226 * Check if the output queue is empty. 1227 */ 1228 int 1229 sppp_isempty(struct ifnet *ifp) 1230 { 1231 struct sppp *sp = (struct sppp *) ifp; 1232 int empty, s; 1233 1234 s = splnet(); 1235 SPPP_LOCK(sp, RW_READER); 1236 empty = IF_IS_EMPTY(&sp->pp_fastq) && IF_IS_EMPTY(&sp->pp_cpq) && 1237 IFQ_IS_EMPTY(&sp->pp_if.if_snd); 1238 SPPP_UNLOCK(sp); 1239 splx(s); 1240 return (empty); 1241 } 1242 1243 /* 1244 * Get next packet to send. 1245 */ 1246 struct mbuf * 1247 sppp_dequeue(struct ifnet *ifp) 1248 { 1249 struct sppp *sp = (struct sppp *) ifp; 1250 struct mbuf *m; 1251 int s; 1252 1253 s = splnet(); 1254 SPPP_LOCK(sp, RW_WRITER); 1255 /* 1256 * Process only the control protocol queue until we have at 1257 * least one NCP open. 1258 * 1259 * Do always serve all three queues in Cisco mode. 1260 */ 1261 IF_DEQUEUE(&sp->pp_cpq, m); 1262 if (m == NULL && 1263 (sppp_cp_check(sp, CP_NCP) || (sp->pp_flags & PP_CISCO) != 0)) { 1264 IF_DEQUEUE(&sp->pp_fastq, m); 1265 if (m == NULL) 1266 IFQ_DEQUEUE(&sp->pp_if.if_snd, m); 1267 } 1268 SPPP_UNLOCK(sp); 1269 splx(s); 1270 return m; 1271 } 1272 1273 /* 1274 * Process an ioctl request. Called on low priority level. 1275 */ 1276 int 1277 sppp_ioctl(struct ifnet *ifp, u_long cmd, void *data) 1278 { 1279 struct lwp *l = curlwp; /* XXX */ 1280 struct ifreq *ifr = (struct ifreq *) data; 1281 struct ifaddr *ifa = (struct ifaddr *) data; 1282 struct sppp *sp = (struct sppp *) ifp; 1283 int s, error=0, going_up, going_down; 1284 u_short newmode; 1285 u_long lcp_mru; 1286 1287 s = splnet(); 1288 switch (cmd) { 1289 case SIOCINITIFADDR: 1290 ifa->ifa_rtrequest = p2p_rtrequest; 1291 break; 1292 1293 case SIOCSIFFLAGS: 1294 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 1295 break; 1296 1297 SPPP_LOCK(sp, RW_WRITER); 1298 going_up = ifp->if_flags & IFF_UP && 1299 (ifp->if_flags & IFF_RUNNING) == 0; 1300 going_down = (ifp->if_flags & IFF_UP) == 0 && 1301 ifp->if_flags & IFF_RUNNING; 1302 newmode = ifp->if_flags & (IFF_AUTO | IFF_PASSIVE); 1303 if (newmode == (IFF_AUTO | IFF_PASSIVE)) { 1304 /* sanity */ 1305 newmode = IFF_PASSIVE; 1306 ifp->if_flags &= ~IFF_AUTO; 1307 } 1308 1309 if (going_up || going_down) { 1310 sp->lcp.reestablish = false; 1311 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 1312 } 1313 if (going_up && newmode == 0) { 1314 /* neither auto-dial nor passive */ 1315 ifp->if_flags |= IFF_RUNNING; 1316 if (!(sp->pp_flags & PP_CISCO)) { 1317 sppp_wq_add(sp->wq_cp, 1318 &sp->scp[IDX_LCP].work_open); 1319 } 1320 } else if (going_down) { 1321 SPPP_UNLOCK(sp); 1322 sppp_flush(ifp); 1323 SPPP_LOCK(sp, RW_WRITER); 1324 1325 ifp->if_flags &= ~IFF_RUNNING; 1326 } 1327 SPPP_UNLOCK(sp); 1328 break; 1329 1330 case SIOCSIFMTU: 1331 if (ifr->ifr_mtu < PPP_MINMRU || 1332 ifr->ifr_mtu > PP_MTU) { 1333 error = EINVAL; 1334 break; 1335 } 1336 1337 error = ifioctl_common(ifp, cmd, data); 1338 if (error == ENETRESET) 1339 error = 0; 1340 1341 SPPP_LOCK(sp, RW_WRITER); 1342 lcp_mru = sp->lcp.mru; 1343 if (ifp->if_mtu < PP_MTU) { 1344 sp->lcp.mru = ifp->if_mtu; 1345 } else { 1346 sp->lcp.mru = PP_MTU; 1347 } 1348 if (lcp_mru != sp->lcp.mru) 1349 SET(sp->lcp.opts, SPPP_LCP_OPT_MRU); 1350 1351 if (sp->scp[IDX_LCP].state == STATE_OPENED && 1352 ifp->if_mtu > sp->lcp.their_mru) { 1353 sp->pp_saved_mtu = ifp->if_mtu; 1354 ifp->if_mtu = sp->lcp.their_mru; 1355 1356 if (ifp->if_flags & IFF_DEBUG) { 1357 log(LOG_DEBUG, 1358 "%s: setting MTU " 1359 "from %"PRIu64" bytes " 1360 "to %"PRIu64" bytes\n", 1361 ifp->if_xname, sp->pp_saved_mtu, 1362 ifp->if_mtu); 1363 } 1364 } 1365 SPPP_UNLOCK(sp); 1366 break; 1367 1368 case SIOCGIFMTU: 1369 if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET) 1370 error = 0; 1371 break; 1372 case SIOCADDMULTI: 1373 case SIOCDELMULTI: 1374 break; 1375 1376 case SPPPSETAUTHCFG: 1377 case SPPPSETLCPCFG: 1378 case SPPPSETNCPCFG: 1379 case SPPPSETIDLETO: 1380 case SPPPSETAUTHFAILURE: 1381 case SPPPSETDNSOPTS: 1382 case SPPPSETKEEPALIVE: 1383 #if defined(COMPAT_50) || defined(MODULAR) 1384 case __SPPPSETIDLETO50: 1385 case __SPPPSETKEEPALIVE50: 1386 #endif /* COMPAT_50 || MODULAR */ 1387 error = kauth_authorize_network(l->l_cred, 1388 KAUTH_NETWORK_INTERFACE, 1389 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, 1390 NULL); 1391 if (error) 1392 break; 1393 error = sppp_params(sp, cmd, data); 1394 break; 1395 1396 case SPPPGETAUTHCFG: 1397 case SPPPGETLCPCFG: 1398 case SPPPGETNCPCFG: 1399 case SPPPGETAUTHFAILURES: 1400 error = kauth_authorize_network(l->l_cred, 1401 KAUTH_NETWORK_INTERFACE, 1402 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd, 1403 NULL); 1404 if (error) 1405 break; 1406 error = sppp_params(sp, cmd, data); 1407 break; 1408 1409 case SPPPGETSTATUS: 1410 case SPPPGETSTATUSNCP: 1411 case SPPPGETIDLETO: 1412 case SPPPGETDNSOPTS: 1413 case SPPPGETDNSADDRS: 1414 case SPPPGETKEEPALIVE: 1415 #if defined(COMPAT_50) || defined(MODULAR) 1416 case __SPPPGETIDLETO50: 1417 case __SPPPGETKEEPALIVE50: 1418 #endif /* COMPAT_50 || MODULAR */ 1419 case SPPPGETLCPSTATUS: 1420 case SPPPGETIPCPSTATUS: 1421 case SPPPGETIPV6CPSTATUS: 1422 error = sppp_params(sp, cmd, data); 1423 break; 1424 1425 default: 1426 error = ifioctl_common(ifp, cmd, data); 1427 break; 1428 } 1429 splx(s); 1430 return (error); 1431 } 1432 1433 /* 1434 * Cisco framing implementation. 1435 */ 1436 1437 /* 1438 * Handle incoming Cisco keepalive protocol packets. 1439 */ 1440 static void 1441 sppp_cisco_input(struct sppp *sp, struct mbuf *m) 1442 { 1443 STDDCL; 1444 struct cisco_packet *h; 1445 #ifdef INET 1446 uint32_t me, mymask = 0; /* XXX: GCC */ 1447 #endif 1448 1449 SPPP_LOCK(sp, RW_WRITER); 1450 1451 if (m->m_pkthdr.len < CISCO_PACKET_LEN) { 1452 if (debug) 1453 log(LOG_DEBUG, 1454 "%s: cisco invalid packet length: %d bytes\n", 1455 ifp->if_xname, m->m_pkthdr.len); 1456 SPPP_UNLOCK(sp); 1457 return; 1458 } 1459 h = mtod(m, struct cisco_packet *); 1460 if (debug) 1461 log(LOG_DEBUG, 1462 "%s: cisco input: %d bytes " 1463 "<0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1464 ifp->if_xname, m->m_pkthdr.len, 1465 ntohl(h->type), h->par1, h->par2, (u_int)h->rel, 1466 (u_int)h->time0, (u_int)h->time1); 1467 switch (ntohl(h->type)) { 1468 default: 1469 if (debug) 1470 addlog("%s: cisco unknown packet type: 0x%x\n", 1471 ifp->if_xname, ntohl(h->type)); 1472 break; 1473 case CISCO_ADDR_REPLY: 1474 /* Reply on address request, ignore */ 1475 break; 1476 case CISCO_KEEPALIVE_REQ: 1477 sp->pp_alivecnt = 0; 1478 sp->scp[IDX_LCP].rseq = ntohl(h->par1); 1479 if (sp->scp[IDX_LCP].seq == sp->scp[IDX_LCP].rseq) { 1480 /* Local and remote sequence numbers are equal. 1481 * Probably, the line is in loopback mode. */ 1482 if (sp->pp_loopcnt >= LOOPALIVECNT) { 1483 printf ("%s: loopback\n", 1484 ifp->if_xname); 1485 sp->pp_loopcnt = 0; 1486 1487 if (sp->pp_flags & PP_LOOPBACK_IFDOWN) { 1488 sp->pp_flags |= PP_LOOPBACK; 1489 sppp_wq_add(sp->wq_cp, 1490 &sp->work_ifdown); 1491 } 1492 1493 sppp_wq_add(sp->wq_cp, 1494 &sp->scp[IDX_LCP].work_close); 1495 sppp_wq_add(sp->wq_cp, 1496 &sp->scp[IDX_LCP].work_open); 1497 } else { 1498 ++sp->pp_loopcnt; 1499 } 1500 1501 /* Generate new local sequence number */ 1502 sp->scp[IDX_LCP].seq = cprng_fast32(); 1503 break; 1504 } 1505 sp->pp_loopcnt = 0; 1506 if (! (ifp->if_flags & IFF_UP) && 1507 (ifp->if_flags & IFF_RUNNING)) { 1508 SPPP_UNLOCK(sp); 1509 if_up(ifp); 1510 SPPP_LOCK(sp, RW_WRITER); 1511 sp->pp_flags &= ~PP_LOOPBACK; 1512 } 1513 break; 1514 case CISCO_ADDR_REQ: 1515 #ifdef INET 1516 sppp_get_ip_addrs(sp, &me, 0, &mymask); 1517 if (me != 0L) 1518 sppp_cisco_send(sp, CISCO_ADDR_REPLY, me, mymask); 1519 #endif 1520 break; 1521 } 1522 SPPP_UNLOCK(sp); 1523 } 1524 1525 /* 1526 * Send Cisco keepalive packet. 1527 */ 1528 static void 1529 sppp_cisco_send(struct sppp *sp, int type, int32_t par1, int32_t par2) 1530 { 1531 STDDCL; 1532 struct ppp_header *h; 1533 struct cisco_packet *ch; 1534 struct mbuf *m; 1535 uint32_t t; 1536 1537 KASSERT(SPPP_WLOCKED(sp)); 1538 1539 t = time_uptime * 1000; 1540 MGETHDR(m, M_DONTWAIT, MT_DATA); 1541 if (! m) 1542 return; 1543 m->m_pkthdr.len = m->m_len = PPP_HEADER_LEN + CISCO_PACKET_LEN; 1544 m_reset_rcvif(m); 1545 1546 h = mtod(m, struct ppp_header *); 1547 h->address = CISCO_MULTICAST; 1548 h->control = 0; 1549 h->protocol = htons(CISCO_KEEPALIVE); 1550 1551 ch = (struct cisco_packet *)(h + 1); 1552 ch->type = htonl(type); 1553 ch->par1 = htonl(par1); 1554 ch->par2 = htonl(par2); 1555 ch->rel = -1; 1556 1557 ch->time0 = htons((u_short)(t >> 16)); 1558 ch->time1 = htons((u_short) t); 1559 1560 if (debug) 1561 log(LOG_DEBUG, 1562 "%s: cisco output: <0x%x 0x%x 0x%x 0x%x 0x%x-0x%x>\n", 1563 ifp->if_xname, ntohl(ch->type), ch->par1, 1564 ch->par2, (u_int)ch->rel, (u_int)ch->time0, 1565 (u_int)ch->time1); 1566 1567 if (IF_QFULL(&sp->pp_cpq)) { 1568 IF_DROP(&sp->pp_fastq); 1569 IF_DROP(&ifp->if_snd); 1570 m_freem(m); 1571 if_statinc(ifp, if_oerrors); 1572 return; 1573 } 1574 1575 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 1576 IF_ENQUEUE(&sp->pp_cpq, m); 1577 1578 if (! (ifp->if_flags & IFF_OACTIVE)) { 1579 SPPP_UNLOCK(sp); 1580 if_start_lock(ifp); 1581 SPPP_LOCK(sp, RW_WRITER); 1582 } 1583 } 1584 1585 /* 1586 * PPP protocol implementation. 1587 */ 1588 1589 /* 1590 * Send PPP control protocol packet. 1591 */ 1592 static void 1593 sppp_cp_send(struct sppp *sp, u_short proto, u_char type, 1594 u_char ident, u_short len, void *data) 1595 { 1596 STDDCL; 1597 struct lcp_header *lh; 1598 struct mbuf *m; 1599 size_t pkthdrlen; 1600 1601 KASSERT(SPPP_WLOCKED(sp)); 1602 1603 pkthdrlen = (sp->pp_flags & PP_NOFRAMING) ? 2 : PPP_HEADER_LEN; 1604 1605 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) 1606 len = MHLEN - pkthdrlen - LCP_HEADER_LEN; 1607 MGETHDR(m, M_DONTWAIT, MT_DATA); 1608 if (! m) { 1609 return; 1610 } 1611 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 1612 m_reset_rcvif(m); 1613 1614 if (sp->pp_flags & PP_NOFRAMING) { 1615 *mtod(m, uint16_t *) = htons(proto); 1616 lh = (struct lcp_header *)(mtod(m, uint8_t *) + 2); 1617 } else { 1618 struct ppp_header *h; 1619 h = mtod(m, struct ppp_header *); 1620 h->address = PPP_ALLSTATIONS; /* broadcast address */ 1621 h->control = PPP_UI; /* Unnumbered Info */ 1622 h->protocol = htons(proto); /* Link Control Protocol */ 1623 lh = (struct lcp_header *)(h + 1); 1624 } 1625 lh->type = type; 1626 lh->ident = ident; 1627 lh->len = htons(LCP_HEADER_LEN + len); 1628 if (len) 1629 memcpy(lh + 1, data, len); 1630 1631 if (debug) { 1632 char pbuf[SPPP_PROTO_NAMELEN]; 1633 char tbuf[SPPP_CPTYPE_NAMELEN]; 1634 const char *pname, *cpname; 1635 1636 pname = sppp_proto_name(pbuf, sizeof(pbuf), proto); 1637 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), lh->type); 1638 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 1639 ifp->if_xname, pname, cpname, 1640 lh->ident, ntohs(lh->len)); 1641 if (len) 1642 sppp_print_bytes((u_char *)(lh + 1), len); 1643 addlog(">\n"); 1644 } 1645 if (IF_QFULL(&sp->pp_cpq)) { 1646 IF_DROP(&sp->pp_fastq); 1647 IF_DROP(&ifp->if_snd); 1648 m_freem(m); 1649 if_statinc(ifp, if_oerrors); 1650 return; 1651 } 1652 1653 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 1654 IF_ENQUEUE(&sp->pp_cpq, m); 1655 1656 if (! (ifp->if_flags & IFF_OACTIVE)) { 1657 SPPP_UNLOCK(sp); 1658 if_start_lock(ifp); 1659 SPPP_LOCK(sp, RW_WRITER); 1660 } 1661 } 1662 1663 static void 1664 sppp_cp_to_lcp(void *xsp) 1665 { 1666 struct sppp *sp = xsp; 1667 1668 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_to); 1669 } 1670 1671 static void 1672 sppp_cp_to_ipcp(void *xsp) 1673 { 1674 struct sppp *sp = xsp; 1675 1676 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_IPCP].work_to); 1677 } 1678 1679 static void 1680 sppp_cp_to_ipv6cp(void *xsp) 1681 { 1682 struct sppp *sp = xsp; 1683 1684 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_IPV6CP].work_to); 1685 } 1686 1687 static void 1688 sppp_cp_to_pap(void *xsp) 1689 { 1690 struct sppp *sp = xsp; 1691 1692 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_to); 1693 } 1694 1695 static void 1696 sppp_cp_to_chap(void *xsp) 1697 { 1698 struct sppp *sp = xsp; 1699 1700 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_to); 1701 } 1702 1703 static void 1704 sppp_cp_init(const struct cp *cp, struct sppp *sp) 1705 { 1706 struct sppp_cp *scp; 1707 typedef void (*sppp_co_cb_t)(void *); 1708 static const sppp_co_cb_t to_cb[IDX_COUNT] = { 1709 [IDX_LCP] = sppp_cp_to_lcp, 1710 [IDX_IPCP] = sppp_cp_to_ipcp, 1711 [IDX_IPV6CP] = sppp_cp_to_ipv6cp, 1712 [IDX_PAP] = sppp_cp_to_pap, 1713 [IDX_CHAP] = sppp_cp_to_chap, 1714 }; 1715 1716 scp = &sp->scp[cp->protoidx]; 1717 scp->state = STATE_INITIAL; 1718 scp->fail_counter = 0; 1719 scp->seq = 0; 1720 scp->rseq = 0; 1721 1722 SPPP_WQ_SET(&scp->work_up, cp->Up, cp); 1723 SPPP_WQ_SET(&scp->work_down, cp->Down, cp); 1724 SPPP_WQ_SET(&scp->work_open, cp->Open, cp); 1725 SPPP_WQ_SET(&scp->work_close, cp->Close, cp); 1726 SPPP_WQ_SET(&scp->work_to, cp->TO, cp); 1727 SPPP_WQ_SET(&scp->work_rcr, sppp_rcr_event, cp); 1728 SPPP_WQ_SET(&scp->work_rca, sppp_rca_event, cp); 1729 SPPP_WQ_SET(&scp->work_rcn, sppp_rcn_event, cp); 1730 SPPP_WQ_SET(&scp->work_rtr, sppp_rtr_event, cp); 1731 SPPP_WQ_SET(&scp->work_rta, sppp_rta_event, cp); 1732 SPPP_WQ_SET(&scp->work_rxj, sppp_rxj_event, cp); 1733 1734 callout_init(&scp->ch, CALLOUT_MPSAFE); 1735 callout_setfunc(&scp->ch, to_cb[cp->protoidx], sp); 1736 } 1737 1738 static void 1739 sppp_cp_fini(const struct cp *cp, struct sppp *sp) 1740 { 1741 struct sppp_cp *scp; 1742 scp = &sp->scp[cp->protoidx]; 1743 1744 sppp_wq_wait(sp->wq_cp, &scp->work_up); 1745 sppp_wq_wait(sp->wq_cp, &scp->work_down); 1746 sppp_wq_wait(sp->wq_cp, &scp->work_open); 1747 sppp_wq_wait(sp->wq_cp, &scp->work_close); 1748 sppp_wq_wait(sp->wq_cp, &scp->work_to); 1749 sppp_wq_wait(sp->wq_cp, &scp->work_rcr); 1750 sppp_wq_wait(sp->wq_cp, &scp->work_rca); 1751 sppp_wq_wait(sp->wq_cp, &scp->work_rcn); 1752 sppp_wq_wait(sp->wq_cp, &scp->work_rtr); 1753 sppp_wq_wait(sp->wq_cp, &scp->work_rta); 1754 sppp_wq_wait(sp->wq_cp, &scp->work_rxj); 1755 1756 callout_halt(&scp->ch, NULL); 1757 callout_destroy(&scp->ch); 1758 1759 if (scp->mbuf_confreq != NULL) { 1760 m_freem(scp->mbuf_confreq); 1761 scp->mbuf_confreq = NULL; 1762 } 1763 if (scp->mbuf_confnak != NULL) { 1764 m_freem(scp->mbuf_confnak); 1765 scp->mbuf_confnak = NULL; 1766 } 1767 } 1768 1769 /* 1770 * Handle incoming PPP control protocol packets. 1771 */ 1772 static void 1773 sppp_cp_input(const struct cp *cp, struct sppp *sp, struct mbuf *m) 1774 { 1775 STDDCL; 1776 struct lcp_header *h; 1777 struct sppp_cp *scp; 1778 int printlen, len = m->m_pkthdr.len; 1779 u_char *p; 1780 uint32_t u32; 1781 char tbuf[SPPP_CPTYPE_NAMELEN]; 1782 const char *cpname; 1783 1784 SPPP_LOCK(sp, RW_WRITER); 1785 1786 scp = &sp->scp[cp->protoidx]; 1787 1788 if (len < 4) { 1789 if (debug) 1790 log(LOG_DEBUG, 1791 "%s: %s invalid packet length: %d bytes\n", 1792 ifp->if_xname, cp->name, len); 1793 goto out; 1794 } 1795 h = mtod(m, struct lcp_header *); 1796 if (debug) { 1797 printlen = ntohs(h->len); 1798 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), h->type); 1799 log(LOG_DEBUG, 1800 "%s: %s input(%s): <%s id=0x%x len=%d", 1801 ifp->if_xname, cp->name, 1802 sppp_state_name(scp->state), 1803 cpname, h->ident, printlen); 1804 if (len < printlen) 1805 printlen = len; 1806 if (printlen > 4) 1807 sppp_print_bytes((u_char *)(h + 1), printlen - 4); 1808 addlog(">\n"); 1809 } 1810 if (len > ntohs(h->len)) 1811 len = ntohs(h->len); 1812 p = (u_char *)(h + 1); 1813 switch (h->type) { 1814 case CONF_REQ: 1815 if (len < 4) { 1816 if (debug) 1817 addlog("%s: %s invalid conf-req length %d\n", 1818 ifp->if_xname, cp->name, 1819 len); 1820 if_statinc(ifp, if_ierrors); 1821 break; 1822 } 1823 1824 scp->rcr_type = CP_RCR_NONE; 1825 scp->rconfid = h->ident; 1826 if (scp->mbuf_confreq != NULL) { 1827 m_freem(scp->mbuf_confreq); 1828 } 1829 scp->mbuf_confreq = m; 1830 m = NULL; 1831 sppp_wq_add(sp->wq_cp, &scp->work_rcr); 1832 break; 1833 case CONF_ACK: 1834 if (h->ident != scp->confid) { 1835 if (debug) 1836 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1837 ifp->if_xname, cp->name, 1838 h->ident, scp->confid); 1839 if_statinc(ifp, if_ierrors); 1840 break; 1841 } 1842 sppp_wq_add(sp->wq_cp, &scp->work_rca); 1843 break; 1844 case CONF_NAK: 1845 case CONF_REJ: 1846 if (h->ident != scp->confid) { 1847 if (debug) 1848 addlog("%s: %s id mismatch 0x%x != 0x%x\n", 1849 ifp->if_xname, cp->name, 1850 h->ident, scp->confid); 1851 if_statinc(ifp, if_ierrors); 1852 break; 1853 } 1854 1855 if (scp->mbuf_confnak) { 1856 m_freem(scp->mbuf_confnak); 1857 } 1858 scp->mbuf_confnak = m; 1859 m = NULL; 1860 sppp_wq_add(sp->wq_cp, &scp->work_rcn); 1861 break; 1862 case TERM_REQ: 1863 scp->rseq = h->ident; 1864 sppp_wq_add(sp->wq_cp, &scp->work_rtr); 1865 break; 1866 case TERM_ACK: 1867 if (h->ident != scp->confid && 1868 h->ident != scp->seq) { 1869 if (debug) 1870 addlog("%s: %s id mismatch " 1871 "0x%x != 0x%x and 0x%x != %0lx\n", 1872 ifp->if_xname, cp->name, 1873 h->ident, scp->confid, 1874 h->ident, scp->seq); 1875 if_statinc(ifp, if_ierrors); 1876 break; 1877 } 1878 1879 sppp_wq_add(sp->wq_cp, &scp->work_rta); 1880 break; 1881 case CODE_REJ: 1882 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 1883 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), h->type); 1884 log(LOG_INFO, 1885 "%s: %s: ignoring RXJ (%s) for code ?, " 1886 "danger will robinson\n", 1887 ifp->if_xname, cp->name, cpname); 1888 sppp_wq_add(sp->wq_cp, &scp->work_rxj); 1889 break; 1890 case PROTO_REJ: 1891 { 1892 int catastrophic; 1893 const struct cp *upper; 1894 int i; 1895 uint16_t proto; 1896 1897 catastrophic = 0; 1898 upper = NULL; 1899 proto = p[0] << 8 | p[1]; 1900 for (i = 0; i < IDX_COUNT; i++) { 1901 if (cps[i]->proto == proto) { 1902 upper = cps[i]; 1903 break; 1904 } 1905 } 1906 if (upper == NULL) 1907 catastrophic++; 1908 1909 if (debug) { 1910 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), h->type); 1911 log(LOG_INFO, 1912 "%s: %s: RXJ%c (%s) for proto 0x%x (%s/%s)\n", 1913 ifp->if_xname, cp->name, catastrophic ? '-' : '+', 1914 cpname, proto, upper ? upper->name : "unknown", 1915 upper ? sppp_state_name(sp->scp[upper->protoidx].state) : "?"); 1916 } 1917 1918 /* 1919 * if we got RXJ+ against conf-req, the peer does not implement 1920 * this particular protocol type. terminate the protocol. 1921 */ 1922 if (upper && !catastrophic) { 1923 if (sp->scp[upper->protoidx].state == STATE_REQ_SENT) { 1924 sppp_wq_add(sp->wq_cp, 1925 &sp->scp[upper->protoidx].work_close); 1926 break; 1927 } 1928 } 1929 sppp_wq_add(sp->wq_cp, &scp->work_rxj); 1930 break; 1931 } 1932 case DISC_REQ: 1933 if (cp->proto != PPP_LCP) 1934 goto illegal; 1935 /* Discard the packet. */ 1936 break; 1937 case ECHO_REQ: 1938 if (cp->proto != PPP_LCP) 1939 goto illegal; 1940 if (scp->state != STATE_OPENED) { 1941 if (debug) 1942 addlog("%s: lcp echo req but lcp closed\n", 1943 ifp->if_xname); 1944 if_statinc(ifp, if_ierrors); 1945 break; 1946 } 1947 if (len < 8) { 1948 if (debug) 1949 addlog("%s: invalid lcp echo request " 1950 "packet length: %d bytes\n", 1951 ifp->if_xname, len); 1952 break; 1953 } 1954 memcpy(&u32, h + 1, sizeof u32); 1955 if (ntohl(u32) == sp->lcp.magic) { 1956 /* Line loopback mode detected. */ 1957 printf("%s: loopback\n", ifp->if_xname); 1958 1959 if (sp->pp_flags & PP_LOOPBACK_IFDOWN) { 1960 sp->pp_flags |= PP_LOOPBACK; 1961 sppp_wq_add(sp->wq_cp, 1962 &sp->work_ifdown); 1963 } 1964 1965 /* Shut down the PPP link. */ 1966 sppp_wq_add(sp->wq_cp, 1967 &sp->scp[IDX_LCP].work_close); 1968 sppp_wq_add(sp->wq_cp, 1969 &sp->scp[IDX_LCP].work_open); 1970 break; 1971 } 1972 u32 = htonl(sp->lcp.magic); 1973 memcpy(h + 1, &u32, sizeof u32); 1974 if (debug) 1975 addlog("%s: got lcp echo req, sending echo rep\n", 1976 ifp->if_xname); 1977 sppp_cp_send(sp, PPP_LCP, ECHO_REPLY, h->ident, len - 4, 1978 h + 1); 1979 break; 1980 case ECHO_REPLY: 1981 if (cp->proto != PPP_LCP) 1982 goto illegal; 1983 if (h->ident != sp->lcp.echoid) { 1984 if_statinc(ifp, if_ierrors); 1985 break; 1986 } 1987 if (len < 8) { 1988 if (debug) 1989 addlog("%s: lcp invalid echo reply " 1990 "packet length: %d bytes\n", 1991 ifp->if_xname, len); 1992 break; 1993 } 1994 if (debug) 1995 addlog("%s: lcp got echo rep\n", 1996 ifp->if_xname); 1997 memcpy(&u32, h + 1, sizeof u32); 1998 if (ntohl(u32) != sp->lcp.magic) 1999 sp->pp_alivecnt = 0; 2000 break; 2001 default: 2002 /* Unknown packet type -- send Code-Reject packet. */ 2003 illegal: 2004 if (debug) 2005 addlog("%s: %s send code-rej for 0x%x\n", 2006 ifp->if_xname, cp->name, h->type); 2007 sppp_cp_send(sp, cp->proto, CODE_REJ, 2008 ++scp->seq, m->m_pkthdr.len, h); 2009 if_statinc(ifp, if_ierrors); 2010 } 2011 2012 out: 2013 SPPP_UNLOCK(sp); 2014 if (m != NULL) 2015 m_freem(m); 2016 } 2017 2018 /* 2019 * The generic part of all Up/Down/Open/Close/TO event handlers. 2020 * Basically, the state transition handling in the automaton. 2021 */ 2022 static void 2023 sppp_up_event(struct sppp *sp, void *xcp) 2024 { 2025 const struct cp *cp = xcp; 2026 STDDCL; 2027 2028 KASSERT(SPPP_WLOCKED(sp)); 2029 KASSERT(!cpu_softintr_p()); 2030 2031 if ((cp->flags & CP_AUTH) != 0 && 2032 sppp_auth_role(cp, sp) == SPPP_AUTH_NOROLE) 2033 return; 2034 2035 if (debug) 2036 log(LOG_DEBUG, "%s: %s up(%s)\n", 2037 ifp->if_xname, cp->name, 2038 sppp_state_name(sp->scp[cp->protoidx].state)); 2039 2040 switch (sp->scp[cp->protoidx].state) { 2041 case STATE_INITIAL: 2042 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2043 break; 2044 case STATE_STARTING: 2045 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure; 2046 (cp->scr)(sp); 2047 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2048 break; 2049 default: 2050 printf("%s: %s illegal up in state %s\n", 2051 ifp->if_xname, cp->name, 2052 sppp_state_name(sp->scp[cp->protoidx].state)); 2053 } 2054 } 2055 2056 static void 2057 sppp_down_event(struct sppp *sp, void *xcp) 2058 { 2059 const struct cp *cp = xcp; 2060 STDDCL; 2061 2062 KASSERT(SPPP_WLOCKED(sp)); 2063 KASSERT(!cpu_softintr_p()); 2064 2065 if ((cp->flags & CP_AUTH) != 0 && 2066 sppp_auth_role(cp, sp) == SPPP_AUTH_NOROLE) 2067 return; 2068 2069 if (debug) 2070 log(LOG_DEBUG, "%s: %s down(%s)\n", 2071 ifp->if_xname, cp->name, 2072 sppp_state_name(sp->scp[cp->protoidx].state)); 2073 2074 switch (sp->scp[cp->protoidx].state) { 2075 case STATE_CLOSED: 2076 case STATE_CLOSING: 2077 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2078 break; 2079 case STATE_STOPPED: 2080 (cp->tls)(cp, sp); 2081 /* fall through */ 2082 case STATE_STOPPING: 2083 case STATE_REQ_SENT: 2084 case STATE_ACK_RCVD: 2085 case STATE_ACK_SENT: 2086 sppp_cp_change_state(cp, sp, STATE_STARTING); 2087 break; 2088 case STATE_OPENED: 2089 (cp->tld)(sp); 2090 sppp_cp_change_state(cp, sp, STATE_STARTING); 2091 break; 2092 default: 2093 /* 2094 * a down event may be caused regardless 2095 * of state just in LCP case. 2096 */ 2097 if (cp->proto == PPP_LCP) 2098 break; 2099 2100 printf("%s: %s illegal down in state %s\n", 2101 ifp->if_xname, cp->name, 2102 sppp_state_name(sp->scp[cp->protoidx].state)); 2103 } 2104 } 2105 2106 static void 2107 sppp_open_event(struct sppp *sp, void *xcp) 2108 { 2109 const struct cp *cp = xcp; 2110 STDDCL; 2111 2112 KASSERT(SPPP_WLOCKED(sp)); 2113 KASSERT(!cpu_softintr_p()); 2114 2115 if ((cp->flags & CP_AUTH) != 0 && 2116 sppp_auth_role(cp, sp) == SPPP_AUTH_NOROLE) 2117 return; 2118 2119 if (debug) 2120 log(LOG_DEBUG, "%s: %s open(%s)\n", 2121 ifp->if_xname, cp->name, 2122 sppp_state_name(sp->scp[cp->protoidx].state)); 2123 2124 switch (sp->scp[cp->protoidx].state) { 2125 case STATE_INITIAL: 2126 sppp_cp_change_state(cp, sp, STATE_STARTING); 2127 (cp->tls)(cp, sp); 2128 break; 2129 case STATE_STARTING: 2130 break; 2131 case STATE_CLOSED: 2132 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure; 2133 (cp->scr)(sp); 2134 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2135 break; 2136 case STATE_STOPPED: 2137 case STATE_STOPPING: 2138 case STATE_REQ_SENT: 2139 case STATE_ACK_RCVD: 2140 case STATE_ACK_SENT: 2141 case STATE_OPENED: 2142 break; 2143 case STATE_CLOSING: 2144 sppp_cp_change_state(cp, sp, STATE_STOPPING); 2145 break; 2146 } 2147 } 2148 2149 static void 2150 sppp_close_event(struct sppp *sp, void *xcp) 2151 { 2152 const struct cp *cp = xcp; 2153 STDDCL; 2154 2155 KASSERT(SPPP_WLOCKED(sp)); 2156 KASSERT(!cpu_softintr_p()); 2157 2158 if ((cp->flags & CP_AUTH) != 0 && 2159 sppp_auth_role(cp, sp) == SPPP_AUTH_NOROLE) 2160 return; 2161 2162 if (debug) 2163 log(LOG_DEBUG, "%s: %s close(%s)\n", 2164 ifp->if_xname, cp->name, 2165 sppp_state_name(sp->scp[cp->protoidx].state)); 2166 2167 switch (sp->scp[cp->protoidx].state) { 2168 case STATE_INITIAL: 2169 case STATE_CLOSED: 2170 case STATE_CLOSING: 2171 break; 2172 case STATE_STARTING: 2173 sppp_cp_change_state(cp, sp, STATE_INITIAL); 2174 (cp->tlf)(cp, sp); 2175 break; 2176 case STATE_STOPPED: 2177 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2178 break; 2179 case STATE_STOPPING: 2180 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2181 break; 2182 case STATE_OPENED: 2183 (cp->tld)(sp); 2184 /* fall through */ 2185 case STATE_REQ_SENT: 2186 case STATE_ACK_RCVD: 2187 case STATE_ACK_SENT: 2188 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_terminate; 2189 if ((cp->flags & CP_AUTH) == 0) { 2190 sppp_cp_send(sp, cp->proto, TERM_REQ, 2191 ++sp->scp[cp->protoidx].seq, 0, 0); 2192 } 2193 sppp_cp_change_state(cp, sp, STATE_CLOSING); 2194 break; 2195 } 2196 } 2197 2198 static void 2199 sppp_to_event(struct sppp *sp, void *xcp) 2200 { 2201 const struct cp *cp = xcp; 2202 int s; 2203 STDDCL; 2204 2205 KASSERT(SPPP_WLOCKED(sp)); 2206 KASSERT(!cpu_softintr_p()); 2207 2208 s = splnet(); 2209 2210 if (debug) 2211 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 2212 ifp->if_xname, cp->name, 2213 sppp_state_name(sp->scp[cp->protoidx].state), 2214 sp->scp[cp->protoidx].rst_counter); 2215 2216 if (--sp->scp[cp->protoidx].rst_counter < 0) 2217 /* TO- event */ 2218 switch (sp->scp[cp->protoidx].state) { 2219 case STATE_CLOSING: 2220 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2221 (cp->tlf)(cp, sp); 2222 break; 2223 case STATE_STOPPING: 2224 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2225 (cp->tlf)(cp, sp); 2226 break; 2227 case STATE_REQ_SENT: 2228 case STATE_ACK_RCVD: 2229 case STATE_ACK_SENT: 2230 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2231 (cp->tlf)(cp, sp); 2232 break; 2233 } 2234 else 2235 /* TO+ event */ 2236 switch (sp->scp[cp->protoidx].state) { 2237 case STATE_CLOSING: 2238 case STATE_STOPPING: 2239 if ((cp->flags & CP_AUTH) == 0) { 2240 sppp_cp_send(sp, cp->proto, TERM_REQ, 2241 ++sp->scp[cp->protoidx].seq, 0, 0); 2242 } 2243 callout_schedule(&sp->scp[cp->protoidx].ch, sp->lcp.timeout); 2244 break; 2245 case STATE_REQ_SENT: 2246 case STATE_ACK_RCVD: 2247 (cp->scr)(sp); 2248 /* sppp_cp_change_state() will restart the timer */ 2249 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2250 break; 2251 case STATE_ACK_SENT: 2252 (cp->scr)(sp); 2253 callout_schedule(&sp->scp[cp->protoidx].ch, sp->lcp.timeout); 2254 break; 2255 } 2256 2257 splx(s); 2258 } 2259 static void 2260 sppp_rcr_update_state(const struct cp *cp, struct sppp *sp, 2261 enum cp_rcr_type type, uint8_t ident, size_t msglen, void *msg) 2262 { 2263 STDDCL; 2264 u_char ctype; 2265 2266 if (type == CP_RCR_ERR) { 2267 /* parse error, shut down */ 2268 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 2269 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open); 2270 } else if (type == CP_RCR_ACK) { 2271 /* RCR+ event */ 2272 ctype = CONF_ACK; 2273 switch (sp->scp[cp->protoidx].state) { 2274 case STATE_OPENED: 2275 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 2276 cp->tld(sp); 2277 cp->scr(sp); 2278 cp->screply(cp, sp, ctype, ident, msglen, msg); 2279 break; 2280 case STATE_REQ_SENT: 2281 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 2282 /* fall through */ 2283 case STATE_ACK_SENT: 2284 cp->screply(cp, sp, ctype, ident, msglen, msg); 2285 break; 2286 case STATE_STOPPED: 2287 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 2288 cp->scr(sp); 2289 cp->screply(cp, sp, ctype, ident, msglen, msg); 2290 break; 2291 case STATE_ACK_RCVD: 2292 sppp_cp_change_state(cp, sp, STATE_OPENED); 2293 if (debug) 2294 log(LOG_DEBUG, "%s: %s tlu\n", 2295 ifp->if_xname, 2296 cp->name); 2297 cp->tlu(sp); 2298 cp->screply(cp, sp, ctype, ident, msglen, msg); 2299 break; 2300 case STATE_CLOSING: 2301 case STATE_STOPPING: 2302 break; 2303 case STATE_CLOSED: 2304 if ((cp->flags & CP_AUTH) == 0) { 2305 sppp_cp_send(sp, cp->proto, TERM_ACK, 2306 ident, 0, 0); 2307 } 2308 break; 2309 default: 2310 printf("%s: %s illegal RCR+ in state %s\n", 2311 ifp->if_xname, cp->name, 2312 sppp_state_name(sp->scp[cp->protoidx].state)); 2313 if_statinc(ifp, if_ierrors); 2314 } 2315 } else if (type == CP_RCR_NAK || type == CP_RCR_REJ) { 2316 ctype = type == CP_RCR_NAK ? CONF_NAK : CONF_REJ; 2317 /* RCR- event */ 2318 switch (sp->scp[cp->protoidx].state) { 2319 case STATE_OPENED: 2320 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2321 cp->tld(sp); 2322 cp->scr(sp); 2323 cp->screply(cp, sp, ctype, ident, msglen, msg); 2324 break; 2325 case STATE_ACK_SENT: 2326 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2327 /* fall through */ 2328 case STATE_REQ_SENT: 2329 cp->screply(cp, sp, ctype, ident, msglen, msg); 2330 break; 2331 case STATE_STOPPED: 2332 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2333 cp->scr(sp); 2334 cp->screply(cp, sp, ctype, ident, msglen, msg); 2335 break; 2336 case STATE_ACK_RCVD: 2337 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 2338 cp->screply(cp, sp, ctype, ident, msglen, msg); 2339 break; 2340 case STATE_CLOSING: 2341 case STATE_STOPPING: 2342 break; 2343 case STATE_CLOSED: 2344 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2345 if ((cp->flags & CP_AUTH) == 0) { 2346 sppp_cp_send(sp, cp->proto, TERM_ACK, 2347 ident, 0, 0); 2348 } 2349 break; 2350 default: 2351 printf("%s: %s illegal RCR- in state %s\n", 2352 ifp->if_xname, cp->name, 2353 sppp_state_name(sp->scp[cp->protoidx].state)); 2354 if_statinc(ifp, if_ierrors); 2355 } 2356 } 2357 } 2358 2359 static void 2360 sppp_rcr_event(struct sppp *sp, void *xcp) 2361 { 2362 const struct cp *cp = xcp; 2363 struct sppp_cp *scp; 2364 struct lcp_header *h; 2365 struct mbuf *m; 2366 enum cp_rcr_type type; 2367 size_t len; 2368 uint8_t *buf; 2369 size_t blen, rlen; 2370 uint8_t ident; 2371 2372 KASSERT(!cpu_softintr_p()); 2373 2374 scp = &sp->scp[cp->protoidx]; 2375 2376 if (cp->parse_confreq != NULL) { 2377 m = scp->mbuf_confreq; 2378 if (m == NULL) 2379 return; 2380 scp->mbuf_confreq = NULL; 2381 2382 h = mtod(m, struct lcp_header *); 2383 if (h->type != CONF_REQ) { 2384 m_freem(m); 2385 return; 2386 } 2387 2388 ident = h->ident; 2389 len = MIN(m->m_pkthdr.len, ntohs(h->len)); 2390 2391 type = (cp->parse_confreq)(sp, h, len, 2392 &buf, &blen, &rlen); 2393 m_freem(m); 2394 } else { 2395 /* mbuf_cofreq is already parsed and freed */ 2396 type = scp->rcr_type; 2397 ident = scp->rconfid; 2398 buf = NULL; 2399 blen = rlen = 0; 2400 } 2401 2402 sppp_rcr_update_state(cp, sp, type, ident, rlen, (void *)buf); 2403 2404 if (buf != NULL) 2405 kmem_free(buf, blen); 2406 } 2407 2408 static void 2409 sppp_rca_event(struct sppp *sp, void *xcp) 2410 { 2411 const struct cp *cp = xcp; 2412 STDDCL; 2413 2414 KASSERT(!cpu_softintr_p()); 2415 2416 switch (sp->scp[cp->protoidx].state) { 2417 case STATE_CLOSED: 2418 case STATE_STOPPED: 2419 if ((cp->flags & CP_AUTH) == 0) { 2420 sppp_cp_send(sp, cp->proto, TERM_ACK, 2421 sp->scp[cp->protoidx].rconfid, 0, 0); 2422 } 2423 break; 2424 case STATE_CLOSING: 2425 case STATE_STOPPING: 2426 break; 2427 case STATE_REQ_SENT: 2428 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure; 2429 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 2430 break; 2431 case STATE_OPENED: 2432 (cp->tld)(sp); 2433 /* fall through */ 2434 case STATE_ACK_RCVD: 2435 (cp->scr)(sp); 2436 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2437 break; 2438 case STATE_ACK_SENT: 2439 sppp_cp_change_state(cp, sp, STATE_OPENED); 2440 sp->scp[cp->protoidx].rst_counter = sp->lcp.max_configure; 2441 if (debug) 2442 log(LOG_DEBUG, "%s: %s tlu\n", 2443 ifp->if_xname, cp->name); 2444 (cp->tlu)(sp); 2445 break; 2446 default: 2447 printf("%s: %s illegal RCA in state %s\n", 2448 ifp->if_xname, cp->name, 2449 sppp_state_name(sp->scp[cp->protoidx].state)); 2450 if_statinc(ifp, if_ierrors); 2451 } 2452 } 2453 2454 static void 2455 sppp_rcn_event(struct sppp *sp, void *xcp) 2456 { 2457 const struct cp *cp = xcp; 2458 struct sppp_cp *scp; 2459 struct lcp_header *h; 2460 struct mbuf *m; 2461 struct ifnet *ifp = &sp->pp_if; 2462 size_t len; 2463 2464 KASSERT(!cpu_softintr_p()); 2465 2466 scp = &sp->scp[cp->protoidx]; 2467 m = scp->mbuf_confnak; 2468 if (m == NULL) 2469 return; 2470 scp->mbuf_confnak = NULL; 2471 2472 h = mtod(m, struct lcp_header *); 2473 len = MIN(m->m_pkthdr.len, ntohs(h->len)); 2474 2475 switch (h->type) { 2476 case CONF_NAK: 2477 (cp->parse_confnak)(sp, h, len); 2478 break; 2479 case CONF_REJ: 2480 (cp->parse_confrej)(sp, h, len); 2481 break; 2482 default: 2483 m_freem(m); 2484 return; 2485 } 2486 2487 m_freem(m); 2488 2489 switch (scp->state) { 2490 case STATE_CLOSED: 2491 case STATE_STOPPED: 2492 if ((cp->flags & CP_AUTH) == 0) { 2493 sppp_cp_send(sp, cp->proto, TERM_ACK, 2494 scp->rconfid, 0, 0); 2495 } 2496 break; 2497 case STATE_REQ_SENT: 2498 case STATE_ACK_SENT: 2499 scp->rst_counter = sp->lcp.max_configure; 2500 (cp->scr)(sp); 2501 break; 2502 case STATE_OPENED: 2503 (cp->tld)(sp); 2504 /* fall through */ 2505 case STATE_ACK_RCVD: 2506 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 2507 (cp->scr)(sp); 2508 break; 2509 case STATE_CLOSING: 2510 case STATE_STOPPING: 2511 break; 2512 default: 2513 printf("%s: %s illegal RCN in state %s\n", 2514 ifp->if_xname, cp->name, 2515 sppp_state_name(scp->state)); 2516 if_statinc(ifp, if_ierrors); 2517 } 2518 } 2519 2520 static void 2521 sppp_rtr_event(struct sppp *sp, void *xcp) 2522 { 2523 const struct cp *cp = xcp; 2524 STDDCL; 2525 2526 KASSERT(!cpu_softintr_p()); 2527 2528 switch (sp->scp[cp->protoidx].state) { 2529 case STATE_ACK_RCVD: 2530 case STATE_ACK_SENT: 2531 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2532 break; 2533 case STATE_CLOSED: 2534 case STATE_STOPPED: 2535 case STATE_CLOSING: 2536 case STATE_STOPPING: 2537 case STATE_REQ_SENT: 2538 break; 2539 case STATE_OPENED: 2540 (cp->tld)(sp); 2541 sp->scp[cp->protoidx].rst_counter = 0; 2542 sppp_cp_change_state(cp, sp, STATE_STOPPING); 2543 break; 2544 default: 2545 printf("%s: %s illegal RTR in state %s\n", 2546 ifp->if_xname, cp->name, 2547 sppp_state_name(sp->scp[cp->protoidx].state)); 2548 if_statinc(ifp, if_ierrors); 2549 return; 2550 } 2551 2552 /* Send Terminate-Ack packet. */ 2553 if (debug) 2554 log(LOG_DEBUG, "%s: %s send terminate-ack\n", 2555 ifp->if_xname, cp->name); 2556 if ((cp->flags & CP_AUTH) == 0) { 2557 sppp_cp_send(sp, cp->proto, TERM_ACK, 2558 sp->scp[cp->protoidx].rseq, 0, 0); 2559 } 2560 } 2561 2562 static void 2563 sppp_rta_event(struct sppp *sp, void *xcp) 2564 { 2565 const struct cp *cp = xcp; 2566 struct ifnet *ifp = &sp->pp_if; 2567 2568 KASSERT(!cpu_softintr_p()); 2569 2570 switch (sp->scp[cp->protoidx].state) { 2571 case STATE_CLOSED: 2572 case STATE_STOPPED: 2573 case STATE_REQ_SENT: 2574 case STATE_ACK_SENT: 2575 break; 2576 case STATE_CLOSING: 2577 sppp_cp_change_state(cp, sp, STATE_CLOSED); 2578 (cp->tlf)(cp, sp); 2579 break; 2580 case STATE_STOPPING: 2581 sppp_cp_change_state(cp, sp, STATE_STOPPED); 2582 (cp->tlf)(cp, sp); 2583 break; 2584 case STATE_ACK_RCVD: 2585 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2586 break; 2587 case STATE_OPENED: 2588 (cp->tld)(sp); 2589 (cp->scr)(sp); 2590 sppp_cp_change_state(cp, sp, STATE_ACK_RCVD); 2591 break; 2592 default: 2593 printf("%s: %s illegal RTA in state %s\n", 2594 ifp->if_xname, cp->name, 2595 sppp_state_name(sp->scp[cp->protoidx].state)); 2596 if_statinc(ifp, if_ierrors); 2597 } 2598 } 2599 2600 static void 2601 sppp_rxj_event(struct sppp *sp, void *xcp) 2602 { 2603 const struct cp *cp = xcp; 2604 struct ifnet *ifp = &sp->pp_if; 2605 2606 KASSERT(!cpu_softintr_p()); 2607 2608 /* XXX catastrophic rejects (RXJ-) aren't handled yet. */ 2609 switch (sp->scp[cp->protoidx].state) { 2610 case STATE_CLOSED: 2611 case STATE_STOPPED: 2612 case STATE_REQ_SENT: 2613 case STATE_ACK_SENT: 2614 case STATE_CLOSING: 2615 case STATE_STOPPING: 2616 case STATE_OPENED: 2617 break; 2618 case STATE_ACK_RCVD: 2619 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 2620 break; 2621 default: 2622 printf("%s: %s illegal RXJ- in state %s\n", 2623 ifp->if_xname, cp->name, 2624 sppp_state_name(sp->scp[cp->protoidx].state)); 2625 if_statinc(ifp, if_ierrors); 2626 } 2627 } 2628 2629 /* 2630 * Change the state of a control protocol in the state automaton. 2631 * Takes care of starting/stopping the restart timer. 2632 */ 2633 void 2634 sppp_cp_change_state(const struct cp *cp, struct sppp *sp, int newstate) 2635 { 2636 2637 KASSERT(SPPP_WLOCKED(sp)); 2638 2639 sp->scp[cp->protoidx].state = newstate; 2640 callout_stop(&sp->scp[cp->protoidx].ch); 2641 switch (newstate) { 2642 case STATE_INITIAL: 2643 case STATE_STARTING: 2644 case STATE_CLOSED: 2645 case STATE_STOPPED: 2646 case STATE_OPENED: 2647 break; 2648 case STATE_CLOSING: 2649 case STATE_STOPPING: 2650 case STATE_REQ_SENT: 2651 case STATE_ACK_RCVD: 2652 case STATE_ACK_SENT: 2653 callout_schedule(&sp->scp[cp->protoidx].ch, sp->lcp.timeout); 2654 break; 2655 } 2656 } 2657 2658 /* 2659 *--------------------------------------------------------------------------* 2660 * * 2661 * The LCP implementation. * 2662 * * 2663 *--------------------------------------------------------------------------* 2664 */ 2665 static void 2666 sppp_lcp_init(struct sppp *sp) 2667 { 2668 2669 KASSERT(SPPP_WLOCKED(sp)); 2670 2671 sppp_cp_init(&lcp, sp); 2672 2673 SET(sp->lcp.opts, SPPP_LCP_OPT_MAGIC); 2674 sp->lcp.magic = 0; 2675 sp->lcp.protos = 0; 2676 sp->lcp.max_terminate = 2; 2677 sp->lcp.max_configure = 10; 2678 sp->lcp.max_failure = 10; 2679 sp->lcp.tlf_sent = false; 2680 2681 /* 2682 * Initialize counters and timeout values. Note that we don't 2683 * use the 3 seconds suggested in RFC 1661 since we are likely 2684 * running on a fast link. XXX We should probably implement 2685 * the exponential backoff option. Note that these values are 2686 * relevant for all control protocols, not just LCP only. 2687 */ 2688 sp->lcp.timeout = 1 * hz; 2689 } 2690 2691 static void 2692 sppp_lcp_up(struct sppp *sp, void *xcp) 2693 { 2694 const struct cp *cp = xcp; 2695 int pidx; 2696 STDDCL; 2697 2698 KASSERT(SPPP_WLOCKED(sp)); 2699 2700 pidx = cp->protoidx; 2701 /* Initialize activity timestamp: opening a connection is an activity */ 2702 sp->pp_last_receive = sp->pp_last_activity = time_uptime; 2703 2704 /* 2705 * If this interface is passive or dial-on-demand, and we are 2706 * still in Initial state, it means we've got an incoming 2707 * call. Activate the interface. 2708 */ 2709 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) != 0) { 2710 if (debug) 2711 log(LOG_DEBUG, 2712 "%s: Up event", ifp->if_xname); 2713 ifp->if_flags |= IFF_RUNNING; 2714 if (sp->scp[pidx].state == STATE_INITIAL) { 2715 if (debug) 2716 addlog("(incoming call)\n"); 2717 sp->pp_flags |= PP_CALLIN; 2718 sppp_wq_add(sp->wq_cp, &sp->scp[pidx].work_open); 2719 } else if (debug) 2720 addlog("\n"); 2721 } 2722 2723 sppp_up_event(sp, xcp); 2724 } 2725 2726 static void 2727 sppp_lcp_down(struct sppp *sp, void *xcp) 2728 { 2729 const struct cp *cp = xcp; 2730 int pidx; 2731 STDDCL; 2732 2733 KASSERT(SPPP_WLOCKED(sp)); 2734 KASSERT(!cpu_softintr_p()); 2735 2736 pidx = cp->protoidx; 2737 sppp_down_event(sp, xcp); 2738 2739 /* 2740 * We need to do tls to restart when a down event is caused 2741 * by the last tlf. 2742 */ 2743 if (sp->scp[pidx].state == STATE_STARTING && 2744 sp->lcp.tlf_sent) { 2745 cp->tls(cp, sp); 2746 sp->lcp.tlf_sent = false; 2747 } 2748 2749 if (debug) { 2750 log(LOG_DEBUG, 2751 "%s: Down event (carrier loss)\n", 2752 ifp->if_xname); 2753 } 2754 2755 if ((ifp->if_flags & (IFF_AUTO | IFF_PASSIVE)) == 0) { 2756 if (sp->lcp.reestablish) 2757 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open); 2758 } else { 2759 2760 sp->pp_flags &= ~PP_CALLIN; 2761 if (sp->scp[pidx].state != STATE_INITIAL) 2762 sppp_wq_add(sp->wq_cp, &sp->scp[pidx].work_close); 2763 ifp->if_flags &= ~IFF_RUNNING; 2764 } 2765 sp->scp[pidx].fail_counter = 0; 2766 } 2767 2768 static void 2769 sppp_lcp_open(struct sppp *sp, void *xcp) 2770 { 2771 2772 KASSERT(SPPP_WLOCKED(sp)); 2773 KASSERT(!cpu_softintr_p()); 2774 2775 sp->lcp.reestablish = false; 2776 sp->scp[IDX_LCP].fail_counter = 0; 2777 2778 if (sp->pp_if.if_mtu < PP_MTU) { 2779 sp->lcp.mru = sp->pp_if.if_mtu; 2780 SET(sp->lcp.opts, SPPP_LCP_OPT_MRU); 2781 } else { 2782 sp->lcp.mru = PP_MTU; 2783 } 2784 sp->lcp.their_mru = PP_MTU; 2785 2786 /* 2787 * If we are authenticator, negotiate LCP_AUTH 2788 */ 2789 if (sp->hisauth.proto != PPP_NOPROTO) 2790 SET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO); 2791 else 2792 CLR(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO); 2793 sp->pp_flags &= ~PP_NEEDAUTH; 2794 sppp_open_event(sp, xcp); 2795 } 2796 2797 2798 /* 2799 * Analyze a configure request. Return true if it was agreeable, and 2800 * caused action sca, false if it has been rejected or nak'ed, and 2801 * caused action scn. (The return value is used to make the state 2802 * transition decision in the state automaton.) 2803 */ 2804 static enum cp_rcr_type 2805 sppp_lcp_confreq(struct sppp *sp, struct lcp_header *h, int origlen, 2806 uint8_t **msgbuf, size_t *buflen, size_t *msglen) 2807 { 2808 STDDCL; 2809 u_char *buf, *r, *p, l, blen; 2810 enum cp_rcr_type type; 2811 int len, rlen; 2812 uint32_t nmagic; 2813 u_short authproto; 2814 char lbuf[SPPP_LCPOPT_NAMELEN]; 2815 2816 KASSERT(SPPP_WLOCKED(sp)); 2817 2818 if (origlen < sizeof(*h)) 2819 return CP_RCR_DROP; 2820 2821 origlen -= sizeof(*h); 2822 type = CP_RCR_NONE; 2823 type = 0; 2824 2825 if (origlen <= 0) 2826 return CP_RCR_DROP; 2827 else 2828 blen = origlen; 2829 2830 buf = kmem_intr_alloc(blen, KM_NOSLEEP); 2831 if (buf == NULL) 2832 return CP_RCR_DROP; 2833 2834 if (debug) 2835 log(LOG_DEBUG, "%s: lcp parse opts:", 2836 ifp->if_xname); 2837 2838 /* pass 1: check for things that need to be rejected */ 2839 p = (void *)(h + 1); 2840 r = buf; 2841 rlen = 0; 2842 for (len = origlen; len > 1; len-= l, p += l) { 2843 l = p[1]; 2844 if (l == 0) 2845 break; 2846 2847 /* Sanity check option length */ 2848 if (l > len) { 2849 /* 2850 * Malicious option - drop immediately. 2851 * XXX Maybe we should just RXJ it? 2852 */ 2853 addlog("%s: received malicious LCP option 0x%02x, " 2854 "length 0x%02x, (len: 0x%02x) dropping.\n", ifp->if_xname, 2855 p[0], l, len); 2856 type = CP_RCR_ERR; 2857 goto end; 2858 } 2859 if (debug) 2860 addlog(" %s", sppp_lcp_opt_name(lbuf, sizeof(lbuf), *p)); 2861 switch (p[0]) { 2862 case LCP_OPT_MAGIC: 2863 /* Magic number. */ 2864 /* fall through, both are same length */ 2865 case LCP_OPT_ASYNC_MAP: 2866 /* Async control character map. */ 2867 if (len >= 6 || l == 6) 2868 continue; 2869 if (debug) 2870 addlog(" [invalid]"); 2871 break; 2872 case LCP_OPT_MP_EID: 2873 if (len >= l && l >= 3) { 2874 switch (p[2]) { 2875 case 0: if (l==3+ 0) continue;break; 2876 case 2: if (l==3+ 4) continue;break; 2877 case 3: if (l==3+ 6) continue;break; 2878 case 6: if (l==3+16) continue;break; 2879 case 1: /* FALLTHROUGH */ 2880 case 4: if (l<=3+20) continue;break; 2881 case 5: if (l<=3+15) continue;break; 2882 /* XXX should it be default: continue;? */ 2883 } 2884 } 2885 if (debug) 2886 addlog(" [invalid class %d len %d]", p[2], l); 2887 break; 2888 case LCP_OPT_MP_SSNHF: 2889 if (len >= 2 && l == 2) { 2890 if (debug) 2891 addlog(" [rej]"); 2892 break; 2893 } 2894 if (debug) 2895 addlog(" [invalid]"); 2896 break; 2897 case LCP_OPT_MP_MRRU: 2898 /* Multilink maximum received reconstructed unit */ 2899 /* should be fall through, both are same length */ 2900 /* FALLTHROUGH */ 2901 case LCP_OPT_MRU: 2902 /* Maximum receive unit. */ 2903 if (len >= 4 && l == 4) 2904 continue; 2905 if (debug) 2906 addlog(" [invalid]"); 2907 break; 2908 case LCP_OPT_AUTH_PROTO: 2909 if (len < 4) { 2910 if (debug) 2911 addlog(" [invalid]"); 2912 break; 2913 } 2914 authproto = (p[2] << 8) + p[3]; 2915 if (authproto == PPP_CHAP && l != 5) { 2916 if (debug) 2917 addlog(" [invalid chap len]"); 2918 break; 2919 } 2920 if (ISSET(sp->myauth.flags, SPPP_AUTHFLAG_PASSIVEAUTHPROTO)) { 2921 if (authproto == PPP_PAP || authproto == PPP_CHAP) 2922 sp->myauth.proto = authproto; 2923 } 2924 if (sp->myauth.proto == PPP_NOPROTO) { 2925 /* we are not configured to do auth */ 2926 if (debug) 2927 addlog(" [not configured]"); 2928 break; 2929 } 2930 /* 2931 * Remote want us to authenticate, remember this, 2932 * so we stay in SPPP_PHASE_AUTHENTICATE after LCP got 2933 * up. 2934 */ 2935 sp->pp_flags |= PP_NEEDAUTH; 2936 continue; 2937 default: 2938 /* Others not supported. */ 2939 if (debug) 2940 addlog(" [rej]"); 2941 break; 2942 } 2943 if (rlen + l > blen) { 2944 if (debug) 2945 addlog(" [overflow]"); 2946 continue; 2947 } 2948 /* Add the option to rejected list. */ 2949 memcpy(r, p, l); 2950 r += l; 2951 rlen += l; 2952 } 2953 2954 if (rlen > 0) { 2955 type = CP_RCR_REJ; 2956 goto end; 2957 } 2958 2959 if (debug) 2960 addlog("\n"); 2961 2962 /* 2963 * pass 2: check for option values that are unacceptable and 2964 * thus require to be nak'ed. 2965 */ 2966 if (debug) 2967 log(LOG_DEBUG, "%s: lcp parse opt values: ", 2968 ifp->if_xname); 2969 2970 p = (void *)(h + 1); 2971 r = buf; 2972 rlen = 0; 2973 for (len = origlen; len > 0; len -= l, p += l) { 2974 l = p[1]; 2975 if (l == 0) 2976 break; 2977 2978 if (debug) 2979 addlog(" %s", sppp_lcp_opt_name(lbuf, sizeof(lbuf), *p)); 2980 switch (p[0]) { 2981 case LCP_OPT_MAGIC: 2982 /* Magic number -- extract. */ 2983 nmagic = (uint32_t)p[2] << 24 | 2984 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 2985 if (nmagic != sp->lcp.magic) { 2986 if (debug) 2987 addlog(" 0x%x", nmagic); 2988 continue; 2989 } 2990 /* 2991 * Local and remote magics equal -- loopback? 2992 */ 2993 if (sp->pp_loopcnt >= LOOPALIVECNT*5) { 2994 printf ("%s: loopback\n", 2995 ifp->if_xname); 2996 sp->pp_loopcnt = 0; 2997 2998 if (sp->pp_flags & PP_LOOPBACK_IFDOWN) { 2999 sp->pp_flags |= PP_LOOPBACK; 3000 sppp_wq_add(sp->wq_cp, 3001 &sp->work_ifdown); 3002 } 3003 3004 sppp_wq_add(sp->wq_cp, 3005 &sp->scp[IDX_LCP].work_close); 3006 sppp_wq_add(sp->wq_cp, 3007 &sp->scp[IDX_LCP].work_open); 3008 } else { 3009 if (debug) 3010 addlog(" [glitch]"); 3011 ++sp->pp_loopcnt; 3012 } 3013 /* 3014 * We negate our magic here, and NAK it. If 3015 * we see it later in an NAK packet, we 3016 * suggest a new one. 3017 */ 3018 nmagic = ~sp->lcp.magic; 3019 /* Gonna NAK it. */ 3020 p[2] = nmagic >> 24; 3021 p[3] = nmagic >> 16; 3022 p[4] = nmagic >> 8; 3023 p[5] = nmagic; 3024 break; 3025 3026 case LCP_OPT_ASYNC_MAP: 3027 /* 3028 * Async control character map -- just ignore it. 3029 * 3030 * Quote from RFC 1662, chapter 6: 3031 * To enable this functionality, synchronous PPP 3032 * implementations MUST always respond to the 3033 * Async-Control-Character-Map Configuration 3034 * Option with the LCP Configure-Ack. However, 3035 * acceptance of the Configuration Option does 3036 * not imply that the synchronous implementation 3037 * will do any ACCM mapping. Instead, all such 3038 * octet mapping will be performed by the 3039 * asynchronous-to-synchronous converter. 3040 */ 3041 continue; 3042 3043 case LCP_OPT_MRU: 3044 /* 3045 * Maximum receive unit. Always agreeable, 3046 * but ignored by now. 3047 */ 3048 sp->lcp.their_mru = p[2] * 256 + p[3]; 3049 if (debug) 3050 addlog(" %ld", sp->lcp.their_mru); 3051 continue; 3052 3053 case LCP_OPT_AUTH_PROTO: 3054 authproto = (p[2] << 8) + p[3]; 3055 if (ISSET(sp->myauth.flags, SPPP_AUTHFLAG_PASSIVEAUTHPROTO)) { 3056 if (authproto == PPP_PAP || authproto == PPP_CHAP) 3057 sp->myauth.proto = authproto; 3058 } 3059 if (sp->myauth.proto == authproto) { 3060 if (authproto != PPP_CHAP || p[4] == CHAP_MD5) { 3061 continue; 3062 } 3063 if (debug) 3064 addlog(" [chap without MD5]"); 3065 } else { 3066 if (debug) { 3067 char pbuf1[SPPP_PROTO_NAMELEN]; 3068 char pbuf2[SPPP_PROTO_NAMELEN]; 3069 const char *pname1, *pname2; 3070 3071 pname1 = sppp_proto_name(pbuf1, 3072 sizeof(pbuf1), sp->myauth.proto); 3073 pname2 = sppp_proto_name(pbuf2, 3074 sizeof(pbuf2), authproto); 3075 addlog(" [mine %s != his %s]", 3076 pname1, pname2); 3077 } 3078 } 3079 /* not agreed, nak */ 3080 if (sp->myauth.proto == PPP_CHAP) { 3081 l = 5; 3082 } else { 3083 l = 4; 3084 } 3085 3086 if (rlen + l > blen) { 3087 if (debug) 3088 addlog(" [overflow]"); 3089 continue; 3090 } 3091 3092 r[0] = LCP_OPT_AUTH_PROTO; 3093 r[1] = l; 3094 r[2] = sp->myauth.proto >> 8; 3095 r[3] = sp->myauth.proto & 0xff; 3096 if (sp->myauth.proto == PPP_CHAP) 3097 r[4] = CHAP_MD5; 3098 rlen += l; 3099 r += l; 3100 continue; 3101 case LCP_OPT_MP_EID: 3102 /* 3103 * Endpoint identification. 3104 * Always agreeable, 3105 * but ignored by now. 3106 */ 3107 if (debug) { 3108 addlog(" type %d", p[2]); 3109 sppp_print_bytes(p+3, p[1]-3); 3110 } 3111 continue; 3112 case LCP_OPT_MP_MRRU: 3113 /* 3114 * Maximum received reconstructed unit. 3115 * Always agreeable, 3116 * but ignored by now. 3117 */ 3118 sp->lcp.their_mrru = p[2] * 256 + p[3]; 3119 if (debug) 3120 addlog(" %ld", sp->lcp.their_mrru); 3121 continue; 3122 } 3123 if (rlen + l > blen) { 3124 if (debug) 3125 addlog(" [overflow]"); 3126 continue; 3127 } 3128 /* Add the option to nak'ed list. */ 3129 memcpy(r, p, l); 3130 r += l; 3131 rlen += l; 3132 } 3133 3134 if (rlen > 0) { 3135 if (++sp->scp[IDX_LCP].fail_counter >= sp->lcp.max_failure) { 3136 if (debug) 3137 addlog(" max_failure (%d) exceeded, ", 3138 sp->lcp.max_failure); 3139 type = CP_RCR_REJ; 3140 } else { 3141 type = CP_RCR_NAK; 3142 } 3143 } else { 3144 type = CP_RCR_ACK; 3145 rlen = origlen; 3146 memcpy(r, h + 1, rlen); 3147 sp->scp[IDX_LCP].fail_counter = 0; 3148 sp->pp_loopcnt = 0; 3149 } 3150 3151 end: 3152 if (debug) 3153 addlog("\n"); 3154 3155 if (type == CP_RCR_ERR || type == CP_RCR_DROP) { 3156 if (buf != NULL) 3157 kmem_intr_free(buf, blen); 3158 } else { 3159 *msgbuf = buf; 3160 *buflen = blen; 3161 *msglen = rlen; 3162 } 3163 3164 return type; 3165 } 3166 3167 /* 3168 * Analyze the LCP Configure-Reject option list, and adjust our 3169 * negotiation. 3170 */ 3171 static void 3172 sppp_lcp_confrej(struct sppp *sp, struct lcp_header *h, int len) 3173 { 3174 STDDCL; 3175 u_char *p, l; 3176 3177 KASSERT(SPPP_WLOCKED(sp)); 3178 3179 if (len <= sizeof(*h)) 3180 return; 3181 3182 len -= sizeof(*h); 3183 3184 if (debug) 3185 log(LOG_DEBUG, "%s: lcp rej opts:", 3186 ifp->if_xname); 3187 3188 p = (void *)(h + 1); 3189 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3190 /* Sanity check option length */ 3191 if (l > len) { 3192 /* 3193 * Malicious option - drop immediately. 3194 * XXX Maybe we should just RXJ it? 3195 */ 3196 addlog("%s: received malicious LCP option, " 3197 "dropping.\n", ifp->if_xname); 3198 goto end; 3199 } 3200 if (debug) { 3201 char lbuf[SPPP_LCPOPT_NAMELEN]; 3202 addlog(" %s", sppp_lcp_opt_name(lbuf, sizeof(lbuf), *p)); 3203 } 3204 switch (p[0]) { 3205 case LCP_OPT_MAGIC: 3206 /* Magic number -- can't use it, use 0 */ 3207 CLR(sp->lcp.opts, SPPP_LCP_OPT_MAGIC); 3208 sp->lcp.magic = 0; 3209 break; 3210 case LCP_OPT_MRU: 3211 /* 3212 * We try to negotiate a lower MRU if the underlying 3213 * link's MTU is less than PP_MTU (e.g. PPPoE). If the 3214 * peer rejects this lower rate, fallback to the 3215 * default. 3216 */ 3217 if (debug) { 3218 addlog("%s: warning: peer rejected our MRU of " 3219 "%ld bytes. Defaulting to %d bytes\n", 3220 ifp->if_xname, sp->lcp.mru, PP_MTU); 3221 } 3222 CLR(sp->lcp.opts, SPPP_LCP_OPT_MRU); 3223 sp->lcp.mru = PP_MTU; 3224 break; 3225 case LCP_OPT_AUTH_PROTO: 3226 /* 3227 * Peer doesn't want to authenticate himself, 3228 * deny unless this is a dialout call, and 3229 * SPPP_AUTHFLAG_NOCALLOUT is set. 3230 */ 3231 if ((sp->pp_flags & PP_CALLIN) == 0 && 3232 (sp->hisauth.flags & SPPP_AUTHFLAG_NOCALLOUT) != 0) { 3233 if (debug) 3234 addlog(" [don't insist on auth " 3235 "for callout]"); 3236 CLR(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO); 3237 break; 3238 } 3239 if (debug) 3240 addlog("[access denied]\n"); 3241 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 3242 break; 3243 } 3244 } 3245 if (debug) 3246 addlog("\n"); 3247 end: 3248 return; 3249 } 3250 3251 /* 3252 * Analyze the LCP Configure-NAK option list, and adjust our 3253 * negotiation. 3254 */ 3255 static void 3256 sppp_lcp_confnak(struct sppp *sp, struct lcp_header *h, int len) 3257 { 3258 STDDCL; 3259 u_char *p, l; 3260 uint32_t magic; 3261 3262 KASSERT(SPPP_WLOCKED(sp)); 3263 3264 if (len <= sizeof(*h)) 3265 return; 3266 len -= sizeof(*h); 3267 3268 if (debug) 3269 log(LOG_DEBUG, "%s: lcp nak opts:", 3270 ifp->if_xname); 3271 3272 p = (void *)(h + 1); 3273 for (; len > 1 && (l = p[1]) != 0; len -= l, p += l) { 3274 /* Sanity check option length */ 3275 if (l > len) { 3276 /* 3277 * Malicious option - drop immediately. 3278 * XXX Maybe we should just RXJ it? 3279 */ 3280 addlog("%s: received malicious LCP option, " 3281 "dropping.\n", ifp->if_xname); 3282 goto end; 3283 } 3284 if (debug) { 3285 char lbuf[SPPP_LCPOPT_NAMELEN]; 3286 addlog(" %s", sppp_lcp_opt_name(lbuf, sizeof(lbuf),*p)); 3287 } 3288 switch (p[0]) { 3289 case LCP_OPT_MAGIC: 3290 /* Magic number -- renegotiate */ 3291 if (ISSET(sp->lcp.opts, SPPP_LCP_OPT_MAGIC) && 3292 len >= 6 && l == 6) { 3293 magic = (uint32_t)p[2] << 24 | 3294 (uint32_t)p[3] << 16 | p[4] << 8 | p[5]; 3295 /* 3296 * If the remote magic is our negated one, 3297 * this looks like a loopback problem. 3298 * Suggest a new magic to make sure. 3299 */ 3300 if (magic == ~sp->lcp.magic) { 3301 if (debug) 3302 addlog(" magic glitch"); 3303 sp->lcp.magic = cprng_fast32(); 3304 } else { 3305 sp->lcp.magic = magic; 3306 if (debug) 3307 addlog(" %d", magic); 3308 } 3309 } 3310 break; 3311 case LCP_OPT_MRU: 3312 /* 3313 * Peer wants to advise us to negotiate an MRU. 3314 * Agree on it if it's reasonable, or use 3315 * default otherwise. 3316 */ 3317 if (len >= 4 && l == 4) { 3318 u_int mru = p[2] * 256 + p[3]; 3319 if (debug) 3320 addlog(" %d", mru); 3321 if (mru < PPP_MINMRU || mru > sp->pp_if.if_mtu) 3322 mru = sp->pp_if.if_mtu; 3323 sp->lcp.mru = mru; 3324 SET(sp->lcp.opts, SPPP_LCP_OPT_MRU); 3325 } 3326 break; 3327 case LCP_OPT_AUTH_PROTO: 3328 /* 3329 * Peer doesn't like our authentication method, 3330 * deny. 3331 */ 3332 if (debug) 3333 addlog("[access denied]\n"); 3334 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 3335 break; 3336 } 3337 } 3338 if (debug) 3339 addlog("\n"); 3340 end: 3341 return; 3342 } 3343 3344 static void 3345 sppp_lcp_tlu(struct sppp *sp) 3346 { 3347 STDDCL; 3348 int i; 3349 bool going_up; 3350 3351 KASSERT(SPPP_WLOCKED(sp)); 3352 3353 /* unlock for IFNET_LOCK and if_up() */ 3354 SPPP_UNLOCK(sp); 3355 3356 if (! (ifp->if_flags & IFF_UP) && 3357 (ifp->if_flags & IFF_RUNNING)) { 3358 /* Coming out of loopback mode. */ 3359 going_up = true; 3360 if_up(ifp); 3361 } else { 3362 going_up = false; 3363 } 3364 3365 IFNET_LOCK(ifp); 3366 SPPP_LOCK(sp, RW_WRITER); 3367 3368 if (going_up) { 3369 if ((sp->pp_flags & PP_LOOPBACK) == 0) { 3370 log(LOG_DEBUG, "%s: interface is going up, " 3371 "but no loopback packet is deteted\n", 3372 ifp->if_xname); 3373 } 3374 sp->pp_flags &= ~PP_LOOPBACK; 3375 } 3376 3377 if (ifp->if_mtu > sp->lcp.their_mru) { 3378 sp->pp_saved_mtu = ifp->if_mtu; 3379 ifp->if_mtu = sp->lcp.their_mru; 3380 if (debug) { 3381 log(LOG_DEBUG, 3382 "%s: setting MTU " 3383 "from %"PRIu64" bytes " 3384 "to %"PRIu64" bytes\n", 3385 ifp->if_xname, sp->pp_saved_mtu, 3386 ifp->if_mtu); 3387 } 3388 } 3389 IFNET_UNLOCK(ifp); 3390 3391 if (ISSET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO) || 3392 (sp->pp_flags & PP_NEEDAUTH) != 0) 3393 sppp_change_phase(sp, SPPP_PHASE_AUTHENTICATE); 3394 else 3395 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 3396 3397 /* 3398 * Open all authentication protocols. This is even required 3399 * if we already proceeded to network phase, since it might be 3400 * that remote wants us to authenticate, so we might have to 3401 * send a PAP request. Undesired authentication protocols 3402 * don't do anything when they get an Open event. 3403 */ 3404 for (i = 0; i < IDX_COUNT; i++) 3405 if ((cps[i])->flags & CP_AUTH) { 3406 sppp_wq_add(sp->wq_cp, 3407 &sp->scp[(cps[i])->protoidx].work_open); 3408 } 3409 3410 if (sp->pp_phase == SPPP_PHASE_NETWORK) { 3411 /* Notify all NCPs. */ 3412 for (i = 0; i < IDX_COUNT; i++) 3413 if ((cps[i])->flags & CP_NCP) { 3414 sppp_wq_add(sp->wq_cp, 3415 &sp->scp[(cps[i])->protoidx].work_open); 3416 } 3417 } 3418 3419 /* notify low-level driver of state change */ 3420 sppp_notify_chg_wlocked(sp); 3421 } 3422 3423 static void 3424 sppp_lcp_tld(struct sppp *sp) 3425 { 3426 STDDCL; 3427 int i, pi, phase; 3428 3429 KASSERT(SPPP_WLOCKED(sp)); 3430 3431 phase = sp->pp_phase; 3432 3433 sppp_change_phase(sp, SPPP_PHASE_TERMINATE); 3434 3435 if (sp->pp_saved_mtu > 0) { 3436 SPPP_UNLOCK(sp); 3437 IFNET_LOCK(ifp); 3438 SPPP_LOCK(sp, RW_WRITER); 3439 3440 if (debug) { 3441 log(LOG_DEBUG, 3442 "%s: setting MTU " 3443 "from %"PRIu64" bytes " 3444 "to %"PRIu64" bytes\n", 3445 ifp->if_xname, ifp->if_mtu, 3446 sp->pp_saved_mtu); 3447 } 3448 3449 ifp->if_mtu = sp->pp_saved_mtu; 3450 sp->pp_saved_mtu = 0; 3451 IFNET_UNLOCK(ifp); 3452 } 3453 3454 /* 3455 * Take upper layers down. We send the Down event first and 3456 * the Close second to prevent the upper layers from sending 3457 * ``a flurry of terminate-request packets'', as the RFC 3458 * describes it. 3459 */ 3460 for (i = 0; i < IDX_COUNT; i++) { 3461 pi = (cps[i])->protoidx; 3462 if (((cps[i])->flags & CP_LCP) == 0) { 3463 /* skip if ncp was not started */ 3464 if (phase != SPPP_PHASE_NETWORK && 3465 ((cps[i])->flags & CP_NCP) != 0) 3466 continue; 3467 3468 sppp_wq_add(sp->wq_cp, &sp->scp[pi].work_down); 3469 sppp_wq_add(sp->wq_cp, &sp->scp[pi].work_close); 3470 } 3471 } 3472 } 3473 3474 static void 3475 sppp_lcp_tls(const struct cp *cp __unused, struct sppp *sp) 3476 { 3477 3478 KASSERT(SPPP_WLOCKED(sp)); 3479 3480 sppp_change_phase(sp, SPPP_PHASE_ESTABLISH); 3481 3482 /* Notify lower layer if desired. */ 3483 sppp_notify_tls_wlocked(sp); 3484 sp->lcp.tlf_sent = false; 3485 } 3486 3487 static void 3488 sppp_lcp_tlf(const struct cp *cp __unused, struct sppp *sp) 3489 { 3490 3491 KASSERT(SPPP_WLOCKED(sp)); 3492 3493 sppp_change_phase(sp, SPPP_PHASE_DEAD); 3494 3495 /* Notify lower layer if desired. */ 3496 sppp_notify_tlf_wlocked(sp); 3497 3498 switch (sp->scp[IDX_LCP].state) { 3499 case STATE_CLOSED: 3500 case STATE_STOPPED: 3501 sp->lcp.tlf_sent = true; 3502 break; 3503 case STATE_INITIAL: 3504 default: 3505 /* just in case */ 3506 sp->lcp.tlf_sent = false; 3507 } 3508 } 3509 3510 static void 3511 sppp_lcp_scr(struct sppp *sp) 3512 { 3513 char opt[6 /* magicnum */ + 4 /* mru */ + 5 /* chap */]; 3514 int i = 0; 3515 u_short authproto; 3516 3517 KASSERT(SPPP_WLOCKED(sp)); 3518 3519 if (ISSET(sp->lcp.opts, SPPP_LCP_OPT_MAGIC)) { 3520 if (! sp->lcp.magic) 3521 sp->lcp.magic = cprng_fast32(); 3522 opt[i++] = LCP_OPT_MAGIC; 3523 opt[i++] = 6; 3524 opt[i++] = sp->lcp.magic >> 24; 3525 opt[i++] = sp->lcp.magic >> 16; 3526 opt[i++] = sp->lcp.magic >> 8; 3527 opt[i++] = sp->lcp.magic; 3528 } 3529 3530 if (ISSET(sp->lcp.opts,SPPP_LCP_OPT_MRU)) { 3531 opt[i++] = LCP_OPT_MRU; 3532 opt[i++] = 4; 3533 opt[i++] = sp->lcp.mru >> 8; 3534 opt[i++] = sp->lcp.mru; 3535 } 3536 3537 if (ISSET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO)) { 3538 authproto = sp->hisauth.proto; 3539 opt[i++] = LCP_OPT_AUTH_PROTO; 3540 opt[i++] = authproto == PPP_CHAP? 5: 4; 3541 opt[i++] = authproto >> 8; 3542 opt[i++] = authproto; 3543 if (authproto == PPP_CHAP) 3544 opt[i++] = CHAP_MD5; 3545 } 3546 3547 sp->scp[IDX_LCP].confid = ++sp->scp[IDX_LCP].seq; 3548 sppp_cp_send(sp, PPP_LCP, CONF_REQ, sp->scp[IDX_LCP].confid, i, &opt); 3549 } 3550 3551 /* 3552 * Check the open NCPs, return true if at least one NCP is open. 3553 */ 3554 3555 static int 3556 sppp_cp_check(struct sppp *sp, u_char cp_flags) 3557 { 3558 int i, mask; 3559 3560 for (i = 0, mask = 1; i < IDX_COUNT; i++, mask <<= 1) 3561 if ((sp->lcp.protos & mask) && (cps[i])->flags & cp_flags) 3562 return 1; 3563 return 0; 3564 } 3565 3566 /* 3567 * Re-check the open NCPs and see if we should terminate the link. 3568 * Called by the NCPs during their tlf action handling. 3569 */ 3570 static void 3571 sppp_lcp_check_and_close(struct sppp *sp) 3572 { 3573 3574 KASSERT(SPPP_WLOCKED(sp)); 3575 3576 if (sp->pp_phase < SPPP_PHASE_AUTHENTICATE) { 3577 /* don't bother, we are already going down */ 3578 return; 3579 } 3580 3581 if (sp->pp_phase == SPPP_PHASE_AUTHENTICATE && 3582 sppp_cp_check(sp, CP_AUTH)) 3583 return; 3584 3585 if (sp->pp_phase >= SPPP_PHASE_NETWORK && 3586 sppp_cp_check(sp, CP_NCP)) 3587 return; 3588 3589 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 3590 3591 if (sp->pp_max_auth_fail != 0 && 3592 sp->pp_auth_failures >= sp->pp_max_auth_fail) { 3593 printf("%s: authentication failed %d times, " 3594 "not retrying again\n", 3595 sp->pp_if.if_xname, sp->pp_auth_failures); 3596 3597 sppp_wq_add(sp->wq_cp, &sp->work_ifdown); 3598 sp->pp_if.if_flags &= ~IFF_RUNNING; 3599 } else { 3600 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_open); 3601 } 3602 } 3603 3604 /* 3605 *--------------------------------------------------------------------------* 3606 * * 3607 * The IPCP implementation. * 3608 * * 3609 *--------------------------------------------------------------------------* 3610 */ 3611 3612 static void 3613 sppp_ipcp_init(struct sppp *sp) 3614 { 3615 3616 KASSERT(SPPP_WLOCKED(sp)); 3617 3618 sppp_cp_init(&ipcp, sp); 3619 3620 sp->ipcp.opts = 0; 3621 sp->ipcp.flags = 0; 3622 } 3623 3624 static void 3625 sppp_ipcp_open(struct sppp *sp, void *xcp) 3626 { 3627 STDDCL; 3628 uint32_t myaddr, hisaddr; 3629 3630 KASSERT(SPPP_WLOCKED(sp)); 3631 KASSERT(!cpu_softintr_p()); 3632 3633 if (!ISSET(sp->pp_ncpflags, SPPP_NCP_IPCP)) 3634 return; 3635 3636 sp->ipcp.flags &= ~(IPCP_HISADDR_SEEN|IPCP_MYADDR_SEEN|IPCP_MYADDR_DYN|IPCP_HISADDR_DYN); 3637 sp->ipcp.req_myaddr = 0; 3638 sp->ipcp.req_hisaddr = 0; 3639 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 3640 3641 #ifdef INET 3642 kpreempt_disable(); 3643 sppp_get_ip_addrs(sp, &myaddr, &hisaddr, 0); 3644 kpreempt_enable(); 3645 #else 3646 myaddr = hisaddr = 0; 3647 #endif 3648 /* 3649 * If we don't have his address, this probably means our 3650 * interface doesn't want to talk IP at all. (This could 3651 * be the case if somebody wants to speak only IPX, for 3652 * example.) Don't open IPCP in this case. 3653 */ 3654 if (hisaddr == 0) { 3655 /* XXX this message should go away */ 3656 if (debug) 3657 log(LOG_DEBUG, "%s: ipcp_open(): no IP interface\n", 3658 ifp->if_xname); 3659 return; 3660 } 3661 3662 if (myaddr == 0) { 3663 /* 3664 * I don't have an assigned address, so i need to 3665 * negotiate my address. 3666 */ 3667 sp->ipcp.flags |= IPCP_MYADDR_DYN; 3668 SET(sp->ipcp.opts, SPPP_IPCP_OPT_ADDRESS); 3669 } 3670 if (hisaddr == 1) { 3671 /* 3672 * XXX - remove this hack! 3673 * remote has no valid address, we need to get one assigned. 3674 */ 3675 sp->ipcp.flags |= IPCP_HISADDR_DYN; 3676 sp->ipcp.saved_hisaddr = htonl(hisaddr); 3677 } 3678 3679 if (sp->query_dns & 1) { 3680 SET(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS); 3681 } else { 3682 CLR(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS); 3683 } 3684 3685 if (sp->query_dns & 2) { 3686 SET(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS); 3687 } else { 3688 CLR(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS); 3689 } 3690 sppp_open_event(sp, xcp); 3691 } 3692 3693 static void 3694 sppp_ipcp_close(struct sppp *sp, void *xcp) 3695 { 3696 3697 KASSERT(SPPP_WLOCKED(sp)); 3698 KASSERT(!cpu_softintr_p()); 3699 3700 sppp_close_event(sp, xcp); 3701 3702 #ifdef INET 3703 if (sp->ipcp.flags & (IPCP_MYADDR_DYN|IPCP_HISADDR_DYN)) { 3704 /* 3705 * Some address was dynamic, clear it again. 3706 */ 3707 sppp_clear_ip_addrs(sp); 3708 } 3709 #endif 3710 memset(&sp->dns_addrs, 0, sizeof sp->dns_addrs); 3711 } 3712 3713 /* 3714 * Analyze a configure request. Return true if it was agreeable, and 3715 * caused action sca, false if it has been rejected or nak'ed, and 3716 * caused action scn. (The return value is used to make the state 3717 * transition decision in the state automaton.) 3718 */ 3719 static enum cp_rcr_type 3720 sppp_ipcp_confreq(struct sppp *sp, struct lcp_header *h, int origlen, 3721 uint8_t **msgbuf, size_t *buflen, size_t *msglen) 3722 { 3723 u_char *buf, *r, *p, l, blen; 3724 enum cp_rcr_type type; 3725 struct ifnet *ifp = &sp->pp_if; 3726 int rlen, len, debug = ifp->if_flags & IFF_DEBUG; 3727 uint32_t hisaddr, desiredaddr; 3728 char ipbuf[SPPP_IPCPOPT_NAMELEN]; 3729 char dqbuf[SPPP_DOTQUAD_BUFLEN]; 3730 const char *dq; 3731 3732 KASSERT(SPPP_WLOCKED(sp)); 3733 3734 type = CP_RCR_NONE; 3735 origlen -= sizeof(*h); 3736 3737 if (origlen < 0) 3738 return CP_RCR_DROP; 3739 3740 /* 3741 * Make sure to allocate a buf that can at least hold a 3742 * conf-nak with an `address' option. We might need it below. 3743 */ 3744 blen = MAX(6, origlen); 3745 3746 buf = kmem_intr_alloc(blen, KM_NOSLEEP); 3747 if (buf == NULL) 3748 return CP_RCR_DROP; 3749 3750 /* pass 1: see if we can recognize them */ 3751 if (debug) 3752 log(LOG_DEBUG, "%s: ipcp parse opts:", 3753 ifp->if_xname); 3754 p = (void *)(h + 1); 3755 r = buf; 3756 rlen = 0; 3757 for (len = origlen; len > 1; len -= l, p += l) { 3758 l = p[1]; 3759 if (l == 0) 3760 break; 3761 3762 /* Sanity check option length */ 3763 if (l > len) { 3764 /* XXX should we just RXJ? */ 3765 addlog("%s: malicious IPCP option received, dropping\n", 3766 ifp->if_xname); 3767 type = CP_RCR_ERR; 3768 goto end; 3769 } 3770 if (debug) { 3771 addlog(" %s", 3772 sppp_ipcp_opt_name(ipbuf, sizeof(ipbuf), *p)); 3773 } 3774 switch (p[0]) { 3775 #ifdef notyet 3776 case IPCP_OPT_COMPRESSION: 3777 if (len >= 6 && l >= 6) { 3778 /* correctly formed compress option */ 3779 continue; 3780 } 3781 if (debug) 3782 addlog(" [invalid]"); 3783 break; 3784 #endif 3785 case IPCP_OPT_ADDRESS: 3786 if (len >= 6 && l == 6) { 3787 /* correctly formed address option */ 3788 continue; 3789 } 3790 if (debug) 3791 addlog(" [invalid]"); 3792 break; 3793 default: 3794 /* Others not supported. */ 3795 if (debug) 3796 addlog(" [rej]"); 3797 break; 3798 } 3799 /* Add the option to rejected list. */ 3800 if (rlen + l > blen) { 3801 if (debug) 3802 addlog(" [overflow]"); 3803 continue; 3804 } 3805 memcpy(r, p, l); 3806 r += l; 3807 rlen += l; 3808 } 3809 3810 if (rlen > 0) { 3811 type = CP_RCR_REJ; 3812 goto end; 3813 } 3814 3815 if (debug) 3816 addlog("\n"); 3817 3818 /* pass 2: parse option values */ 3819 if (sp->ipcp.flags & IPCP_HISADDR_SEEN) 3820 hisaddr = sp->ipcp.req_hisaddr; /* we already aggreed on that */ 3821 else 3822 #ifdef INET 3823 sppp_get_ip_addrs(sp, 0, &hisaddr, 0); /* user configuration */ 3824 #else 3825 hisaddr = 0; 3826 #endif 3827 if (debug) 3828 log(LOG_DEBUG, "%s: ipcp parse opt values: ", 3829 ifp->if_xname); 3830 p = (void *)(h + 1); 3831 r = buf; 3832 rlen = 0; 3833 for (len = origlen; len > 1; len -= l, p += l) { 3834 l = p[1]; 3835 if (l == 0) 3836 break; 3837 3838 if (debug) { 3839 addlog(" %s", 3840 sppp_ipcp_opt_name(ipbuf, sizeof(ipbuf), *p)); 3841 } 3842 switch (p[0]) { 3843 #ifdef notyet 3844 case IPCP_OPT_COMPRESSION: 3845 continue; 3846 #endif 3847 case IPCP_OPT_ADDRESS: 3848 desiredaddr = p[2] << 24 | p[3] << 16 | 3849 p[4] << 8 | p[5]; 3850 if (desiredaddr == hisaddr || 3851 ((sp->ipcp.flags & IPCP_HISADDR_DYN) && desiredaddr != 0)) { 3852 /* 3853 * Peer's address is same as our value, 3854 * this is agreeable. Gonna conf-ack 3855 * it. 3856 */ 3857 if (debug) { 3858 dq = sppp_dotted_quad(dqbuf, 3859 sizeof(dqbuf), hisaddr); 3860 addlog(" %s [ack]", dq); 3861 } 3862 /* record that we've seen it already */ 3863 sp->ipcp.flags |= IPCP_HISADDR_SEEN; 3864 sp->ipcp.req_hisaddr = desiredaddr; 3865 hisaddr = desiredaddr; 3866 continue; 3867 } 3868 /* 3869 * The address wasn't agreeable. This is either 3870 * he sent us 0.0.0.0, asking to assign him an 3871 * address, or he send us another address not 3872 * matching our value. Either case, we gonna 3873 * conf-nak it with our value. 3874 */ 3875 if (debug) { 3876 if (desiredaddr == 0) { 3877 addlog(" [addr requested]"); 3878 } else { 3879 dq = sppp_dotted_quad(dqbuf, 3880 sizeof(dqbuf), desiredaddr); 3881 addlog(" %s [not agreed]", dq); 3882 } 3883 } 3884 3885 p[2] = hisaddr >> 24; 3886 p[3] = hisaddr >> 16; 3887 p[4] = hisaddr >> 8; 3888 p[5] = hisaddr; 3889 break; 3890 } 3891 if (rlen + l > blen) { 3892 if (debug) 3893 addlog(" [overflow]"); 3894 continue; 3895 } 3896 /* Add the option to nak'ed list. */ 3897 memcpy(r, p, l); 3898 r += l; 3899 rlen += l; 3900 } 3901 3902 if (rlen > 0) { 3903 type = CP_RCR_NAK; 3904 } else { 3905 if ((sp->ipcp.flags & IPCP_HISADDR_SEEN) == 0) { 3906 /* 3907 * If we are about to conf-ack the request, but haven't seen 3908 * his address so far, gonna conf-nak it instead, with the 3909 * `address' option present and our idea of his address being 3910 * filled in there, to request negotiation of both addresses. 3911 * 3912 * XXX This can result in an endless req - nak loop if peer 3913 * doesn't want to send us his address. Q: What should we do 3914 * about it? XXX A: implement the max-failure counter. 3915 */ 3916 buf[0] = IPCP_OPT_ADDRESS; 3917 buf[1] = 6; 3918 buf[2] = hisaddr >> 24; 3919 buf[3] = hisaddr >> 16; 3920 buf[4] = hisaddr >> 8; 3921 buf[5] = hisaddr; 3922 rlen = 6; 3923 if (debug) 3924 addlog(" still need hisaddr"); 3925 type = CP_RCR_NAK; 3926 } else { 3927 type = CP_RCR_ACK; 3928 rlen = origlen; 3929 memcpy(r, h + 1, rlen); 3930 } 3931 } 3932 3933 end: 3934 if (debug) 3935 addlog("\n"); 3936 3937 if (type == CP_RCR_ERR || type == CP_RCR_DROP) { 3938 if (buf != NULL) 3939 kmem_intr_free(buf, blen); 3940 } else { 3941 *msgbuf = buf; 3942 *buflen = blen; 3943 *msglen = rlen; 3944 } 3945 3946 return type; 3947 } 3948 3949 /* 3950 * Analyze the IPCP Configure-Reject option list, and adjust our 3951 * negotiation. 3952 */ 3953 static void 3954 sppp_ipcp_confrej(struct sppp *sp, struct lcp_header *h, int len) 3955 { 3956 u_char *p, l; 3957 struct ifnet *ifp = &sp->pp_if; 3958 int debug = ifp->if_flags & IFF_DEBUG; 3959 3960 KASSERT(SPPP_WLOCKED(sp)); 3961 3962 if (len <= sizeof(*h)) 3963 return; 3964 3965 len -= sizeof(*h); 3966 3967 if (debug) 3968 log(LOG_DEBUG, "%s: ipcp rej opts:", 3969 ifp->if_xname); 3970 3971 p = (void *)(h + 1); 3972 for (; len > 1; len -= l, p += l) { 3973 l = p[1]; 3974 if (l == 0) 3975 break; 3976 3977 /* Sanity check option length */ 3978 if (l > len) { 3979 /* XXX should we just RXJ? */ 3980 addlog("%s: malicious IPCP option received, dropping\n", 3981 ifp->if_xname); 3982 goto end; 3983 } 3984 if (debug) { 3985 char ipbuf[SPPP_IPCPOPT_NAMELEN]; 3986 addlog(" %s", 3987 sppp_ipcp_opt_name(ipbuf, sizeof(ipbuf), *p)); 3988 } 3989 switch (p[0]) { 3990 case IPCP_OPT_ADDRESS: 3991 /* 3992 * Peer doesn't grok address option. This is 3993 * bad. XXX Should we better give up here? 3994 */ 3995 if (!debug) { 3996 log(LOG_ERR, "%s: " 3997 "IPCP address option rejected\n", 3998 ifp->if_xname); 3999 } 4000 CLR(sp->ipcp.opts, SPPP_IPCP_OPT_ADDRESS); 4001 break; 4002 #ifdef notyet 4003 case IPCP_OPT_COMPRESS: 4004 CLR(sp->ipcp.opts, SPPP_IPCP_OPT_COMPRESS); 4005 break; 4006 #endif 4007 case IPCP_OPT_PRIMDNS: 4008 CLR(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS); 4009 break; 4010 4011 case IPCP_OPT_SECDNS: 4012 CLR(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS); 4013 break; 4014 } 4015 } 4016 if (debug) 4017 addlog("\n"); 4018 end: 4019 return; 4020 } 4021 4022 /* 4023 * Analyze the IPCP Configure-NAK option list, and adjust our 4024 * negotiation. 4025 */ 4026 static void 4027 sppp_ipcp_confnak(struct sppp *sp, struct lcp_header *h, int len) 4028 { 4029 u_char *p, l; 4030 struct ifnet *ifp = &sp->pp_if; 4031 int debug = ifp->if_flags & IFF_DEBUG; 4032 uint32_t wantaddr; 4033 4034 KASSERT(SPPP_WLOCKED(sp)); 4035 4036 len -= sizeof(*h); 4037 4038 if (debug) 4039 log(LOG_DEBUG, "%s: ipcp nak opts:", 4040 ifp->if_xname); 4041 4042 p = (void *)(h + 1); 4043 for (; len > 1; len -= l, p += l) { 4044 l = p[1]; 4045 if (l == 0) 4046 break; 4047 4048 /* Sanity check option length */ 4049 if (l > len) { 4050 /* XXX should we just RXJ? */ 4051 addlog("%s: malicious IPCP option received, dropping\n", 4052 ifp->if_xname); 4053 return; 4054 } 4055 if (debug) { 4056 char ipbuf[SPPP_IPCPOPT_NAMELEN]; 4057 addlog(" %s", 4058 sppp_ipcp_opt_name(ipbuf, sizeof(ipbuf), *p)); 4059 } 4060 switch (*p) { 4061 case IPCP_OPT_ADDRESS: 4062 /* 4063 * Peer doesn't like our local IP address. See 4064 * if we can do something for him. We'll drop 4065 * him our address then. 4066 */ 4067 if (len >= 6 && l == 6) { 4068 wantaddr = p[2] << 24 | p[3] << 16 | 4069 p[4] << 8 | p[5]; 4070 SET(sp->ipcp.opts, SPPP_IPCP_OPT_ADDRESS); 4071 if (debug) { 4072 char dqbuf[SPPP_DOTQUAD_BUFLEN]; 4073 const char *dq; 4074 4075 dq = sppp_dotted_quad(dqbuf, 4076 sizeof(dqbuf), wantaddr); 4077 addlog(" [wantaddr %s]", dq); 4078 } 4079 /* 4080 * When doing dynamic address assignment, 4081 * we accept his offer. Otherwise, we 4082 * ignore it and thus continue to negotiate 4083 * our already existing value. 4084 */ 4085 if (sp->ipcp.flags & IPCP_MYADDR_DYN) { 4086 if (ntohl(wantaddr) != INADDR_ANY) { 4087 if (debug) 4088 addlog(" [agree]"); 4089 sp->ipcp.flags |= IPCP_MYADDR_SEEN; 4090 sp->ipcp.req_myaddr = wantaddr; 4091 } else { 4092 if (debug) 4093 addlog(" [not agreed]"); 4094 } 4095 } 4096 } 4097 break; 4098 4099 case IPCP_OPT_PRIMDNS: 4100 if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS) && 4101 len >= 6 && l == 6) { 4102 sp->dns_addrs[0] = p[2] << 24 | p[3] << 16 | 4103 p[4] << 8 | p[5]; 4104 } 4105 break; 4106 4107 case IPCP_OPT_SECDNS: 4108 if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS) && 4109 len >= 6 && l == 6) { 4110 sp->dns_addrs[1] = p[2] << 24 | p[3] << 16 | 4111 p[4] << 8 | p[5]; 4112 } 4113 break; 4114 #ifdef notyet 4115 case IPCP_OPT_COMPRESS: 4116 /* 4117 * Peer wants different compression parameters. 4118 */ 4119 break; 4120 #endif 4121 } 4122 } 4123 if (debug) 4124 addlog("\n"); 4125 } 4126 4127 static void 4128 sppp_ipcp_tlu(struct sppp *sp) 4129 { 4130 #ifdef INET 4131 struct ifnet *ifp; 4132 4133 ifp = &sp->pp_if; 4134 KASSERT(SPPP_WLOCKED(sp)); 4135 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && 4136 ((sp->ipcp.flags & IPCP_MYADDR_SEEN) == 0)) { 4137 log(LOG_WARNING, "%s: no IP address, closing IPCP\n", 4138 ifp->if_xname); 4139 sppp_wq_add(sp->wq_cp, 4140 &sp->scp[IDX_IPCP].work_close); 4141 } else { 4142 /* we are up. Set addresses and notify anyone interested */ 4143 sppp_set_ip_addrs(sp); 4144 } 4145 #endif 4146 } 4147 4148 static void 4149 sppp_ipcp_scr(struct sppp *sp) 4150 { 4151 uint8_t opt[6 /* compression */ + 6 /* address */ + 12 /* dns addresses */]; 4152 #ifdef INET 4153 uint32_t ouraddr; 4154 #endif 4155 int i = 0; 4156 4157 KASSERT(SPPP_WLOCKED(sp)); 4158 4159 #ifdef notyet 4160 if (ISSET(sp->ipcp.opts,SPPP_IPCP_OPT_COMPRESSION)) { 4161 opt[i++] = IPCP_OPT_COMPRESSION; 4162 opt[i++] = 6; 4163 opt[i++] = 0; /* VJ header compression */ 4164 opt[i++] = 0x2d; /* VJ header compression */ 4165 opt[i++] = max_slot_id; 4166 opt[i++] = comp_slot_id; 4167 } 4168 #endif 4169 4170 #ifdef INET 4171 if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_ADDRESS)) { 4172 if (sp->ipcp.flags & IPCP_MYADDR_SEEN) { 4173 ouraddr = sp->ipcp.req_myaddr; /* not sure if this can ever happen */ 4174 } else { 4175 kpreempt_disable(); 4176 sppp_get_ip_addrs(sp, &ouraddr, 0, 0); 4177 kpreempt_enable(); 4178 } 4179 opt[i++] = IPCP_OPT_ADDRESS; 4180 opt[i++] = 6; 4181 opt[i++] = ouraddr >> 24; 4182 opt[i++] = ouraddr >> 16; 4183 opt[i++] = ouraddr >> 8; 4184 opt[i++] = ouraddr; 4185 } 4186 #endif 4187 4188 if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_PRIMDNS)) { 4189 opt[i++] = IPCP_OPT_PRIMDNS; 4190 opt[i++] = 6; 4191 opt[i++] = sp->dns_addrs[0] >> 24; 4192 opt[i++] = sp->dns_addrs[0] >> 16; 4193 opt[i++] = sp->dns_addrs[0] >> 8; 4194 opt[i++] = sp->dns_addrs[0]; 4195 } 4196 if (ISSET(sp->ipcp.opts, SPPP_IPCP_OPT_SECDNS)) { 4197 opt[i++] = IPCP_OPT_SECDNS; 4198 opt[i++] = 6; 4199 opt[i++] = sp->dns_addrs[1] >> 24; 4200 opt[i++] = sp->dns_addrs[1] >> 16; 4201 opt[i++] = sp->dns_addrs[1] >> 8; 4202 opt[i++] = sp->dns_addrs[1]; 4203 } 4204 4205 sp->scp[IDX_IPCP].confid = ++sp->scp[IDX_IPCP].seq; 4206 sppp_cp_send(sp, PPP_IPCP, CONF_REQ, sp->scp[IDX_IPCP].confid, i, &opt); 4207 } 4208 4209 /* 4210 *--------------------------------------------------------------------------* 4211 * * 4212 * The IPv6CP implementation. * 4213 * * 4214 *--------------------------------------------------------------------------* 4215 */ 4216 4217 #ifdef INET6 4218 static void 4219 sppp_ipv6cp_init(struct sppp *sp) 4220 { 4221 4222 KASSERT(SPPP_WLOCKED(sp)); 4223 4224 sppp_cp_init(&ipv6cp, sp); 4225 4226 sp->ipv6cp.opts = 0; 4227 sp->ipv6cp.flags = 0; 4228 } 4229 4230 static void 4231 sppp_ipv6cp_open(struct sppp *sp, void *xcp) 4232 { 4233 STDDCL; 4234 struct in6_addr myaddr, hisaddr; 4235 4236 KASSERT(SPPP_WLOCKED(sp)); 4237 KASSERT(!cpu_softintr_p()); 4238 4239 if (!ISSET(sp->pp_ncpflags, SPPP_NCP_IPV6CP)) 4240 return; 4241 4242 #ifdef IPV6CP_MYIFID_DYN 4243 sp->ipv6cp.flags &= ~(IPV6CP_MYIFID_SEEN|IPV6CP_MYIFID_DYN); 4244 #else 4245 sp->ipv6cp.flags &= ~IPV6CP_MYIFID_SEEN; 4246 #endif 4247 4248 kpreempt_disable(); 4249 sppp_get_ip6_addrs(sp, &myaddr, &hisaddr, 0); 4250 kpreempt_enable(); 4251 /* 4252 * If we don't have our address, this probably means our 4253 * interface doesn't want to talk IPv6 at all. (This could 4254 * be the case if somebody wants to speak only IPX, for 4255 * example.) Don't open IPv6CP in this case. 4256 */ 4257 if (IN6_IS_ADDR_UNSPECIFIED(&myaddr)) { 4258 /* XXX this message should go away */ 4259 if (debug) 4260 log(LOG_DEBUG, "%s: ipv6cp_open(): no IPv6 interface\n", 4261 ifp->if_xname); 4262 return; 4263 } 4264 4265 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 4266 SET(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_IFID); 4267 sppp_open_event(sp, xcp); 4268 } 4269 4270 /* 4271 * Analyze a configure request. Return true if it was agreeable, and 4272 * caused action sca, false if it has been rejected or nak'ed, and 4273 * caused action scn. (The return value is used to make the state 4274 * transition decision in the state automaton.) 4275 */ 4276 static enum cp_rcr_type 4277 sppp_ipv6cp_confreq(struct sppp *sp, struct lcp_header *h, int origlen, 4278 uint8_t **msgbuf, size_t *buflen, size_t *msglen) 4279 { 4280 u_char *buf, *r, *p, l, blen; 4281 struct ifnet *ifp = &sp->pp_if; 4282 int rlen, len, debug = ifp->if_flags & IFF_DEBUG; 4283 struct in6_addr myaddr, desiredaddr, suggestaddr; 4284 enum cp_rcr_type type; 4285 int ifidcount; 4286 int collision, nohisaddr; 4287 char ip6buf[INET6_ADDRSTRLEN]; 4288 char tbuf[SPPP_CPTYPE_NAMELEN]; 4289 char ipv6buf[SPPP_IPV6CPOPT_NAMELEN]; 4290 const char *cpname; 4291 4292 KASSERT(SPPP_WLOCKED(sp)); 4293 4294 type = CP_RCR_NONE; 4295 origlen -= sizeof(*h); 4296 4297 if (origlen < 0) 4298 return CP_RCR_DROP; 4299 4300 /* 4301 * Make sure to allocate a buf that can at least hold a 4302 * conf-nak with an `address' option. We might need it below. 4303 */ 4304 blen = MAX(6, origlen); 4305 4306 buf = kmem_intr_alloc(blen, KM_NOSLEEP); 4307 if (buf == NULL) 4308 return CP_RCR_DROP; 4309 4310 /* pass 1: see if we can recognize them */ 4311 if (debug) 4312 log(LOG_DEBUG, "%s: ipv6cp parse opts:", 4313 ifp->if_xname); 4314 p = (void *)(h + 1); 4315 r = buf; 4316 rlen = 0; 4317 ifidcount = 0; 4318 for (len = origlen; len > 1; len -= l, p += l) { 4319 l = p[1]; 4320 if (l == 0) 4321 break; 4322 4323 /* Sanity check option length */ 4324 if (l > len) { 4325 /* XXX just RXJ? */ 4326 addlog("%s: received malicious IPCPv6 option, " 4327 "dropping\n", ifp->if_xname); 4328 type = CP_RCR_ERR; 4329 goto end; 4330 } 4331 if (debug) { 4332 addlog(" %s", sppp_ipv6cp_opt_name(ipv6buf, 4333 sizeof(ipv6buf),*p)); 4334 } 4335 switch (p[0]) { 4336 case IPV6CP_OPT_IFID: 4337 if (len >= 10 && l == 10 && ifidcount == 0) { 4338 /* correctly formed address option */ 4339 ifidcount++; 4340 continue; 4341 } 4342 if (debug) 4343 addlog(" [invalid]"); 4344 break; 4345 #ifdef notyet 4346 case IPV6CP_OPT_COMPRESSION: 4347 if (len >= 4 && l >= 4) { 4348 /* correctly formed compress option */ 4349 continue; 4350 } 4351 if (debug) 4352 addlog(" [invalid]"); 4353 break; 4354 #endif 4355 default: 4356 /* Others not supported. */ 4357 if (debug) 4358 addlog(" [rej]"); 4359 break; 4360 } 4361 if (rlen + l > blen) { 4362 if (debug) 4363 addlog(" [overflow]"); 4364 continue; 4365 } 4366 /* Add the option to rejected list. */ 4367 memcpy(r, p, l); 4368 r += l; 4369 rlen += l; 4370 } 4371 4372 if (rlen > 0) { 4373 type = CP_RCR_REJ; 4374 goto end; 4375 } 4376 4377 if (debug) 4378 addlog("\n"); 4379 4380 /* pass 2: parse option values */ 4381 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 4382 if (debug) 4383 log(LOG_DEBUG, "%s: ipv6cp parse opt values: ", 4384 ifp->if_xname); 4385 p = (void *)(h + 1); 4386 r = buf; 4387 rlen = 0; 4388 type = CP_RCR_ACK; 4389 for (len = origlen; len > 1; len -= l, p += l) { 4390 l = p[1]; 4391 if (l == 0) 4392 break; 4393 4394 if (debug) { 4395 addlog(" %s", sppp_ipv6cp_opt_name(ipv6buf, 4396 sizeof(ipv6buf), *p)); 4397 } 4398 switch (p[0]) { 4399 #ifdef notyet 4400 case IPV6CP_OPT_COMPRESSION: 4401 continue; 4402 #endif 4403 case IPV6CP_OPT_IFID: 4404 memset(&desiredaddr, 0, sizeof(desiredaddr)); 4405 memcpy(&desiredaddr.s6_addr[8], &p[2], 8); 4406 collision = (memcmp(&desiredaddr.s6_addr[8], 4407 &myaddr.s6_addr[8], 8) == 0); 4408 nohisaddr = IN6_IS_ADDR_UNSPECIFIED(&desiredaddr); 4409 4410 desiredaddr.s6_addr16[0] = htons(0xfe80); 4411 (void)in6_setscope(&desiredaddr, &sp->pp_if, NULL); 4412 4413 if (!collision && !nohisaddr) { 4414 /* no collision, hisaddr known - Conf-Ack */ 4415 type = CP_RCR_ACK; 4416 memcpy(sp->ipv6cp.my_ifid, &myaddr.s6_addr[8], 4417 sizeof(sp->ipv6cp.my_ifid)); 4418 memcpy(sp->ipv6cp.his_ifid, 4419 &desiredaddr.s6_addr[8], 4420 sizeof(sp->ipv6cp.my_ifid)); 4421 4422 if (debug) { 4423 cpname = sppp_cp_type_name(tbuf, 4424 sizeof(tbuf), CONF_ACK); 4425 addlog(" %s [%s]", 4426 IN6_PRINT(ip6buf, &desiredaddr), 4427 cpname); 4428 } 4429 continue; 4430 } 4431 4432 memset(&suggestaddr, 0, sizeof(suggestaddr)); 4433 if (collision && nohisaddr) { 4434 /* collision, hisaddr unknown - Conf-Rej */ 4435 type = CP_RCR_REJ; 4436 memset(&p[2], 0, 8); 4437 } else { 4438 /* 4439 * - no collision, hisaddr unknown, or 4440 * - collision, hisaddr known 4441 * Conf-Nak, suggest hisaddr 4442 */ 4443 type = CP_RCR_NAK; 4444 sppp_suggest_ip6_addr(sp, &suggestaddr); 4445 memcpy(&p[2], &suggestaddr.s6_addr[8], 8); 4446 } 4447 if (debug) { 4448 int ctype = type == CP_RCR_REJ ? CONF_REJ : CONF_NAK; 4449 4450 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), ctype); 4451 addlog(" %s [%s]", IN6_PRINT(ip6buf, &desiredaddr), 4452 cpname); 4453 } 4454 break; 4455 } 4456 if (rlen + l > blen) { 4457 if (debug) 4458 addlog(" [overflow]"); 4459 continue; 4460 } 4461 /* Add the option to nak'ed list. */ 4462 memcpy(r, p, l); 4463 r += l; 4464 rlen += l; 4465 } 4466 4467 if (rlen > 0) { 4468 if (type != CP_RCR_ACK) { 4469 if (debug) { 4470 int ctype ; 4471 ctype = type == CP_RCR_REJ ? 4472 CONF_REJ : CONF_NAK; 4473 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), ctype); 4474 addlog(" send %s suggest %s\n", 4475 cpname, IN6_PRINT(ip6buf, &suggestaddr)); 4476 } 4477 } 4478 #ifdef notdef 4479 if (type == CP_RCR_ACK) 4480 panic("IPv6CP RCR: CONF_ACK with non-zero rlen"); 4481 #endif 4482 } else { 4483 if (type == CP_RCR_ACK) { 4484 rlen = origlen; 4485 memcpy(r, h + 1, rlen); 4486 } 4487 } 4488 end: 4489 if (debug) 4490 addlog("\n"); 4491 4492 if (type == CP_RCR_ERR || type == CP_RCR_DROP) { 4493 if (buf != NULL) 4494 kmem_intr_free(buf, blen); 4495 } else { 4496 *msgbuf = buf; 4497 *buflen = blen; 4498 *msglen = rlen; 4499 } 4500 4501 return type; 4502 } 4503 4504 /* 4505 * Analyze the IPv6CP Configure-Reject option list, and adjust our 4506 * negotiation. 4507 */ 4508 static void 4509 sppp_ipv6cp_confrej(struct sppp *sp, struct lcp_header *h, int len) 4510 { 4511 u_char *p, l; 4512 struct ifnet *ifp = &sp->pp_if; 4513 int debug = ifp->if_flags & IFF_DEBUG; 4514 4515 KASSERT(SPPP_WLOCKED(sp)); 4516 4517 if (len <= sizeof(*h)) 4518 return; 4519 4520 len -= sizeof(*h); 4521 4522 if (debug) 4523 log(LOG_DEBUG, "%s: ipv6cp rej opts:", 4524 ifp->if_xname); 4525 4526 p = (void *)(h + 1); 4527 for (; len > 1; len -= l, p += l) { 4528 l = p[1]; 4529 if (l == 0) 4530 break; 4531 4532 if (l > len) { 4533 /* XXX just RXJ? */ 4534 addlog("%s: received malicious IPCPv6 option, " 4535 "dropping\n", ifp->if_xname); 4536 goto end; 4537 } 4538 if (debug) { 4539 char ipv6buf[SPPP_IPV6CPOPT_NAMELEN]; 4540 addlog(" %s", sppp_ipv6cp_opt_name(ipv6buf, 4541 sizeof(ipv6buf), *p)); 4542 } 4543 switch (p[0]) { 4544 case IPV6CP_OPT_IFID: 4545 /* 4546 * Peer doesn't grok address option. This is 4547 * bad. XXX Should we better give up here? 4548 */ 4549 CLR(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_IFID); 4550 break; 4551 #ifdef notyet 4552 case IPV6CP_OPT_COMPRESS: 4553 CLR(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_COMPRESS); 4554 break; 4555 #endif 4556 } 4557 } 4558 if (debug) 4559 addlog("\n"); 4560 end: 4561 return; 4562 } 4563 4564 /* 4565 * Analyze the IPv6CP Configure-NAK option list, and adjust our 4566 * negotiation. 4567 */ 4568 static void 4569 sppp_ipv6cp_confnak(struct sppp *sp, struct lcp_header *h, int len) 4570 { 4571 u_char *p, l; 4572 struct ifnet *ifp = &sp->pp_if; 4573 int debug = ifp->if_flags & IFF_DEBUG; 4574 struct in6_addr suggestaddr; 4575 char ip6buf[INET6_ADDRSTRLEN]; 4576 4577 KASSERT(SPPP_WLOCKED(sp)); 4578 4579 if (len <= sizeof(*h)) 4580 return; 4581 4582 len -= sizeof(*h); 4583 4584 if (debug) 4585 log(LOG_DEBUG, "%s: ipv6cp nak opts:", 4586 ifp->if_xname); 4587 4588 p = (void *)(h + 1); 4589 for (; len > 1; len -= l, p += l) { 4590 l = p[1]; 4591 if (l == 0) 4592 break; 4593 4594 if (l > len) { 4595 /* XXX just RXJ? */ 4596 addlog("%s: received malicious IPCPv6 option, " 4597 "dropping\n", ifp->if_xname); 4598 goto end; 4599 } 4600 if (debug) { 4601 char ipv6buf[SPPP_IPV6CPOPT_NAMELEN]; 4602 addlog(" %s", sppp_ipv6cp_opt_name(ipv6buf, 4603 sizeof(ipv6buf), *p)); 4604 } 4605 switch (p[0]) { 4606 case IPV6CP_OPT_IFID: 4607 /* 4608 * Peer doesn't like our local ifid. See 4609 * if we can do something for him. We'll drop 4610 * him our address then. 4611 */ 4612 if (len < 10 || l != 10) 4613 break; 4614 memset(&suggestaddr, 0, sizeof(suggestaddr)); 4615 suggestaddr.s6_addr16[0] = htons(0xfe80); 4616 (void)in6_setscope(&suggestaddr, &sp->pp_if, NULL); 4617 memcpy(&suggestaddr.s6_addr[8], &p[2], 8); 4618 4619 SET(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_IFID); 4620 if (debug) 4621 addlog(" [suggestaddr %s]", 4622 IN6_PRINT(ip6buf, &suggestaddr)); 4623 #ifdef IPV6CP_MYIFID_DYN 4624 /* 4625 * When doing dynamic address assignment, 4626 * we accept his offer. 4627 */ 4628 if (sp->ipv6cp.flags & IPV6CP_MYIFID_DYN) { 4629 struct in6_addr lastsuggest; 4630 /* 4631 * If <suggested myaddr from peer> equals to 4632 * <hisaddr we have suggested last time>, 4633 * we have a collision. generate new random 4634 * ifid. 4635 */ 4636 sppp_suggest_ip6_addr(&lastsuggest); 4637 if (IN6_ARE_ADDR_EQUAL(&suggestaddr, 4638 lastsuggest)) { 4639 if (debug) 4640 addlog(" [random]"); 4641 sppp_gen_ip6_addr(sp, &suggestaddr); 4642 } 4643 sppp_set_ip6_addr(sp, &suggestaddr, 0); 4644 if (debug) 4645 addlog(" [agree]"); 4646 sp->ipv6cp.flags |= IPV6CP_MYIFID_SEEN; 4647 } 4648 #else 4649 /* 4650 * Since we do not do dynamic address assignment, 4651 * we ignore it and thus continue to negotiate 4652 * our already existing value. This can possibly 4653 * go into infinite request-reject loop. 4654 * 4655 * This is not likely because we normally use 4656 * ifid based on MAC-address. 4657 * If you have no ethernet card on the node, too bad. 4658 * XXX should we use fail_counter? 4659 */ 4660 #endif 4661 break; 4662 #ifdef notyet 4663 case IPV6CP_OPT_COMPRESS: 4664 /* 4665 * Peer wants different compression parameters. 4666 */ 4667 break; 4668 #endif 4669 } 4670 } 4671 if (debug) 4672 addlog("\n"); 4673 end: 4674 return; 4675 } 4676 4677 static void 4678 sppp_ipv6cp_tlu(struct sppp *sp) 4679 { 4680 4681 KASSERT(SPPP_WLOCKED(sp)); 4682 /* we are up - notify isdn daemon */ 4683 sppp_notify_con_wlocked(sp); 4684 } 4685 4686 static void 4687 sppp_ipv6cp_scr(struct sppp *sp) 4688 { 4689 char opt[10 /* ifid */ + 4 /* compression, minimum */]; 4690 struct in6_addr ouraddr; 4691 int i = 0; 4692 4693 KASSERT(SPPP_WLOCKED(sp)); 4694 4695 if (ISSET(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_IFID)) { 4696 kpreempt_disable(); 4697 sppp_get_ip6_addrs(sp, &ouraddr, 0, 0); 4698 kpreempt_enable(); 4699 4700 opt[i++] = IPV6CP_OPT_IFID; 4701 opt[i++] = 10; 4702 memcpy(&opt[i], &ouraddr.s6_addr[8], 8); 4703 i += 8; 4704 } 4705 4706 #ifdef notyet 4707 if (ISSET(sp->ipv6cp.opts, SPPP_IPV6CP_OPT_COMPRESSION)) { 4708 opt[i++] = IPV6CP_OPT_COMPRESSION; 4709 opt[i++] = 4; 4710 opt[i++] = 0; /* TBD */ 4711 opt[i++] = 0; /* TBD */ 4712 /* variable length data may follow */ 4713 } 4714 #endif 4715 4716 sp->scp[IDX_IPV6CP].confid = ++sp->scp[IDX_IPV6CP].seq; 4717 sppp_cp_send(sp, PPP_IPV6CP, CONF_REQ, sp->scp[IDX_IPV6CP].confid, i, &opt); 4718 } 4719 #else /*INET6*/ 4720 static void 4721 sppp_ipv6cp_init(struct sppp *sp) 4722 { 4723 4724 KASSERT(SPPP_WLOCKED(sp)); 4725 } 4726 4727 static void 4728 sppp_ipv6cp_open(struct sppp *sp, void *xcp) 4729 { 4730 4731 KASSERT(SPPP_WLOCKED(sp)); 4732 } 4733 4734 static enum cp_rcr_type 4735 sppp_ipv6cp_confreq(struct sppp *sp, struct lcp_header *h, 4736 int len, uint8_t **msgbuf, size_t *buflen, size_t *msglen) 4737 { 4738 4739 KASSERT(SPPP_WLOCKED(sp)); 4740 return 0; 4741 } 4742 4743 static void 4744 sppp_ipv6cp_confrej(struct sppp *sp, struct lcp_header *h, 4745 int len) 4746 { 4747 4748 KASSERT(SPPP_WLOCKED(sp)); 4749 } 4750 4751 static void 4752 sppp_ipv6cp_confnak(struct sppp *sp, struct lcp_header *h, 4753 int len) 4754 { 4755 4756 KASSERT(SPPP_WLOCKED(sp)); 4757 } 4758 4759 static void 4760 sppp_ipv6cp_tlu(struct sppp *sp) 4761 { 4762 4763 KASSERT(SPPP_WLOCKED(sp)); 4764 } 4765 4766 static void 4767 sppp_ipv6cp_scr(struct sppp *sp) 4768 { 4769 4770 KASSERT(SPPP_WLOCKED(sp)); 4771 } 4772 #endif /*INET6*/ 4773 4774 /* 4775 *--------------------------------------------------------------------------* 4776 * * 4777 * The CHAP implementation. * 4778 * * 4779 *--------------------------------------------------------------------------* 4780 */ 4781 /* 4782 * The authentication protocols is implemented on the state machine for 4783 * control protocols. And it uses following actions and events. 4784 * 4785 * Actions: 4786 * - scr: send CHAP_CHALLENGE and CHAP_RESPONSE 4787 * - sca: send CHAP_SUCCESS 4788 * - scn: send CHAP_FAILURE and shutdown lcp 4789 * Events: 4790 * - RCR+: receive CHAP_RESPONSE containing correct digest 4791 * - RCR-: receive CHAP_RESPONSE containing wrong digest 4792 * - RCA: receive CHAP_SUCCESS 4793 * - RCN: (this event is unused) 4794 * - TO+: re-send CHAP_CHALLENGE and CHAP_RESPONSE 4795 * - TO-: this layer finish 4796 */ 4797 4798 /* 4799 * Handle incoming CHAP packets. 4800 */ 4801 void 4802 sppp_chap_input(struct sppp *sp, struct mbuf *m) 4803 { 4804 STDDCL; 4805 struct lcp_header *h; 4806 int len, x; 4807 u_char *value, *name, digest[sizeof(sp->chap.challenge)]; 4808 int value_len, name_len; 4809 MD5_CTX ctx; 4810 char abuf[SPPP_AUTHTYPE_NAMELEN]; 4811 const char *authname; 4812 4813 len = m->m_pkthdr.len; 4814 if (len < 4) { 4815 if (debug) 4816 log(LOG_DEBUG, 4817 "%s: chap invalid packet length: %d bytes\n", 4818 ifp->if_xname, len); 4819 return; 4820 } 4821 h = mtod(m, struct lcp_header *); 4822 if (len > ntohs(h->len)) 4823 len = ntohs(h->len); 4824 4825 SPPP_LOCK(sp, RW_WRITER); 4826 4827 switch (h->type) { 4828 /* challenge, failure and success are his authproto */ 4829 case CHAP_CHALLENGE: 4830 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 4831 /* can't do anything useful */ 4832 sp->pp_auth_failures++; 4833 printf("%s: chap input without my name and my secret being set\n", 4834 ifp->if_xname); 4835 break; 4836 } 4837 value = 1 + (u_char *)(h + 1); 4838 value_len = value[-1]; 4839 name = value + value_len; 4840 name_len = len - value_len - 5; 4841 if (name_len < 0) { 4842 if (debug) { 4843 authname = sppp_auth_type_name(abuf, 4844 sizeof(abuf), PPP_CHAP, h->type); 4845 log(LOG_DEBUG, 4846 "%s: chap corrupted challenge " 4847 "<%s id=0x%x len=%d", 4848 ifp->if_xname, authname, 4849 h->ident, ntohs(h->len)); 4850 if (len > 4) 4851 sppp_print_bytes((u_char *)(h + 1), 4852 len - 4); 4853 addlog(">\n"); 4854 } 4855 break; 4856 } 4857 4858 if (debug) { 4859 authname = sppp_auth_type_name(abuf, 4860 sizeof(abuf), PPP_CHAP, h->type); 4861 log(LOG_DEBUG, 4862 "%s: chap input <%s id=0x%x len=%d name=", 4863 ifp->if_xname, authname, h->ident, 4864 ntohs(h->len)); 4865 sppp_print_string((char *) name, name_len); 4866 addlog(" value-size=%d value=", value_len); 4867 sppp_print_bytes(value, value_len); 4868 addlog(">\n"); 4869 } 4870 4871 /* Compute reply value. */ 4872 MD5Init(&ctx); 4873 MD5Update(&ctx, &h->ident, 1); 4874 MD5Update(&ctx, sp->myauth.secret, sp->myauth.secret_len); 4875 MD5Update(&ctx, value, value_len); 4876 MD5Final(sp->chap.digest, &ctx); 4877 sp->chap.digest_len = sizeof(sp->chap.digest); 4878 sp->scp[IDX_CHAP].rconfid = h->ident; 4879 4880 sppp_wq_add(sp->wq_cp, &sp->chap.work_challenge_rcvd); 4881 break; 4882 4883 case CHAP_SUCCESS: 4884 if (debug) { 4885 log(LOG_DEBUG, "%s: chap success", 4886 ifp->if_xname); 4887 if (len > 4) { 4888 addlog(": "); 4889 sppp_print_string((char *)(h + 1), len - 4); 4890 } 4891 addlog("\n"); 4892 } 4893 4894 if (h->ident != sp->scp[IDX_CHAP].rconfid) { 4895 if (debug) { 4896 log(LOG_DEBUG, "%s: %s id mismatch 0x%x != 0x%x\n", 4897 ifp->if_xname, chap.name, 4898 h->ident, sp->scp[IDX_CHAP].rconfid); 4899 } 4900 if_statinc(ifp, if_ierrors); 4901 break; 4902 } 4903 4904 if (sp->chap.digest_len == 0) { 4905 if (debug) { 4906 log(LOG_DEBUG, 4907 "%s: receive CHAP success without challenge\n", 4908 ifp->if_xname); 4909 } 4910 if_statinc(ifp, if_ierrors); 4911 break; 4912 } 4913 4914 x = splnet(); 4915 sp->pp_auth_failures = 0; 4916 sp->pp_flags &= ~PP_NEEDAUTH; 4917 splx(x); 4918 memset(sp->chap.digest, 0, sizeof(sp->chap.digest)); 4919 sp->chap.digest_len = 0; 4920 4921 if (!ISSET(sppp_auth_role(&chap, sp), SPPP_AUTH_SERV)) { 4922 /* 4923 * we are not authenticator for CHAP, 4924 * generate a dummy RCR+ event without CHAP_RESPONSE 4925 */ 4926 sp->scp[IDX_CHAP].rcr_type = CP_RCR_ACK; 4927 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rcr); 4928 } 4929 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rca); 4930 break; 4931 4932 case CHAP_FAILURE: 4933 if (h->ident != sp->scp[IDX_CHAP].rconfid) { 4934 if (debug) { 4935 log(LOG_DEBUG, "%s: %s id mismatch 0x%x != 0x%x\n", 4936 ifp->if_xname, chap.name, 4937 h->ident, sp->scp[IDX_CHAP].rconfid); 4938 } 4939 if_statinc(ifp, if_ierrors); 4940 break; 4941 } 4942 4943 if (sp->chap.digest_len == 0) { 4944 if (debug) { 4945 log(LOG_DEBUG, 4946 "%s: receive CHAP failure without challenge\n", 4947 ifp->if_xname); 4948 } 4949 if_statinc(ifp, if_ierrors); 4950 break; 4951 } 4952 4953 x = splnet(); 4954 sp->pp_auth_failures++; 4955 splx(x); 4956 if (debug) { 4957 log(LOG_INFO, "%s: chap failure", 4958 ifp->if_xname); 4959 if (len > 4) { 4960 addlog(": "); 4961 sppp_print_string((char *)(h + 1), len - 4); 4962 } 4963 addlog("\n"); 4964 } else 4965 log(LOG_INFO, "%s: chap failure\n", 4966 ifp->if_xname); 4967 4968 memset(sp->chap.digest, 0, sizeof(sp->chap.digest)); 4969 sp->chap.digest_len = 0; 4970 /* 4971 * await LCP shutdown by authenticator, 4972 * so we don't have to enqueue sc->scp[IDX_CHAP].work_rcn 4973 */ 4974 break; 4975 4976 /* response is my authproto */ 4977 case CHAP_RESPONSE: 4978 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 4979 /* can't do anything useful */ 4980 printf("%s: chap response" 4981 " without his name and his secret being set\n", 4982 ifp->if_xname); 4983 break; 4984 } 4985 value = 1 + (u_char *)(h + 1); 4986 value_len = value[-1]; 4987 name = value + value_len; 4988 name_len = len - value_len - 5; 4989 if (name_len < 0) { 4990 if (debug) { 4991 authname = sppp_auth_type_name(abuf, 4992 sizeof(abuf), PPP_CHAP, h->type); 4993 log(LOG_DEBUG, 4994 "%s: chap corrupted response " 4995 "<%s id=0x%x len=%d", 4996 ifp->if_xname, authname, 4997 h->ident, ntohs(h->len)); 4998 if (len > 4) 4999 sppp_print_bytes((u_char *)(h + 1), 5000 len - 4); 5001 addlog(">\n"); 5002 } 5003 break; 5004 } 5005 if (h->ident != sp->scp[IDX_CHAP].confid) { 5006 if (debug) 5007 log(LOG_DEBUG, 5008 "%s: chap dropping response for old ID " 5009 "(got %d, expected %d)\n", 5010 ifp->if_xname, 5011 h->ident, sp->scp[IDX_CHAP].confid); 5012 break; 5013 } else { 5014 sp->scp[IDX_CHAP].rconfid = h->ident; 5015 } 5016 5017 if (sp->hisauth.name != NULL && 5018 (name_len != sp->hisauth.name_len 5019 || memcmp(name, sp->hisauth.name, name_len) != 0)) { 5020 log(LOG_INFO, "%s: chap response, his name ", 5021 ifp->if_xname); 5022 sppp_print_string(name, name_len); 5023 addlog(" != expected "); 5024 sppp_print_string(sp->hisauth.name, 5025 sp->hisauth.name_len); 5026 addlog("\n"); 5027 5028 /* generate RCR- event */ 5029 sp->scp[IDX_CHAP].rcr_type = CP_RCR_NAK; 5030 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rcr); 5031 break; 5032 } 5033 5034 if (debug) { 5035 authname = sppp_auth_type_name(abuf, 5036 sizeof(abuf), PPP_CHAP, h->type); 5037 log(LOG_DEBUG, "%s: chap input(%s) " 5038 "<%s id=0x%x len=%d name=", 5039 ifp->if_xname, 5040 sppp_state_name(sp->scp[IDX_CHAP].state), 5041 authname, h->ident, ntohs(h->len)); 5042 sppp_print_string((char *)name, name_len); 5043 addlog(" value-size=%d value=", value_len); 5044 sppp_print_bytes(value, value_len); 5045 addlog(">\n"); 5046 } 5047 5048 if (value_len == sizeof(sp->chap.challenge) && 5049 value_len == sizeof(sp->chap.digest)) { 5050 MD5Init(&ctx); 5051 MD5Update(&ctx, &h->ident, 1); 5052 MD5Update(&ctx, sp->hisauth.secret, sp->hisauth.secret_len); 5053 MD5Update(&ctx, sp->chap.challenge, sizeof(sp->chap.challenge)); 5054 MD5Final(digest, &ctx); 5055 5056 if (memcmp(digest, value, value_len) == 0) { 5057 sp->scp[IDX_CHAP].rcr_type = CP_RCR_ACK; 5058 } else { 5059 sp->scp[IDX_CHAP].rcr_type = CP_RCR_NAK; 5060 } 5061 } else { 5062 if (debug) 5063 log(LOG_DEBUG, 5064 "%s: chap bad hash value length: " 5065 "%d bytes, should be %zu\n", 5066 ifp->if_xname, value_len, 5067 sizeof(sp->chap.challenge)); 5068 5069 sp->scp[IDX_CHAP].rcr_type = CP_RCR_NAK; 5070 } 5071 5072 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rcr); 5073 5074 /* generate a dummy RCA event */ 5075 if (sp->scp[IDX_CHAP].rcr_type == CP_RCR_ACK && 5076 (!ISSET(sppp_auth_role(&chap, sp), SPPP_AUTH_PEER) || 5077 sp->chap.rechallenging)) { 5078 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_CHAP].work_rca); 5079 } 5080 break; 5081 5082 default: 5083 /* Unknown CHAP packet type -- ignore. */ 5084 if (debug) { 5085 log(LOG_DEBUG, "%s: chap unknown input(%s) " 5086 "<0x%x id=0x%xh len=%d", 5087 ifp->if_xname, 5088 sppp_state_name(sp->scp[IDX_CHAP].state), 5089 h->type, h->ident, ntohs(h->len)); 5090 if (len > 4) 5091 sppp_print_bytes((u_char *)(h + 1), len - 4); 5092 addlog(">\n"); 5093 } 5094 break; 5095 5096 } 5097 5098 SPPP_UNLOCK(sp); 5099 } 5100 5101 static void 5102 sppp_chap_init(struct sppp *sp) 5103 { 5104 5105 KASSERT(SPPP_WLOCKED(sp)); 5106 5107 sppp_cp_init(&chap, sp); 5108 5109 SPPP_WQ_SET(&sp->chap.work_challenge_rcvd, 5110 sppp_chap_rcv_challenge_event, &chap); 5111 } 5112 5113 static void 5114 sppp_chap_open(struct sppp *sp, void *xcp) 5115 { 5116 5117 KASSERT(SPPP_WLOCKED(sp)); 5118 5119 memset(sp->chap.digest, 0, sizeof(sp->chap.digest)); 5120 sp->chap.digest_len = 0; 5121 sp->chap.rechallenging = false; 5122 sp->chap.response_rcvd = false; 5123 sppp_open_event(sp, xcp); 5124 } 5125 5126 static void 5127 sppp_chap_tlu(struct sppp *sp) 5128 { 5129 STDDCL; 5130 int i, x; 5131 5132 KASSERT(SPPP_WLOCKED(sp)); 5133 5134 i = 0; 5135 sp->scp[IDX_CHAP].rst_counter = sp->lcp.max_configure; 5136 x = splnet(); 5137 sp->pp_auth_failures = 0; 5138 splx(x); 5139 5140 log(LOG_DEBUG, "%s: chap %s", ifp->if_xname, 5141 sp->pp_phase == SPPP_PHASE_NETWORK ? "reconfirmed" : "tlu"); 5142 5143 /* 5144 * Some broken CHAP implementations (Conware CoNet, firmware 5145 * 4.0.?) don't want to re-authenticate their CHAP once the 5146 * initial challenge-response exchange has taken place. 5147 * Provide for an option to avoid rechallenges. 5148 */ 5149 if (ISSET(sppp_auth_role(&chap, sp), SPPP_AUTH_SERV) && 5150 (sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 5151 /* 5152 * Compute the re-challenge timeout. This will yield 5153 * a number between 300 and 810 seconds. 5154 */ 5155 i = 300 + ((unsigned)(cprng_fast32() & 0xff00) >> 7); 5156 callout_schedule(&sp->scp[IDX_CHAP].ch, i * hz); 5157 5158 if (debug) { 5159 addlog(", next rechallenge in %d seconds", i); 5160 } 5161 } 5162 5163 addlog("\n"); 5164 5165 /* 5166 * If we are already in phase network, we are done here. This 5167 * is the case if this is a dummy tlu event after a re-challenge. 5168 */ 5169 if (sp->pp_phase != SPPP_PHASE_NETWORK) 5170 sppp_phase_network(sp); 5171 } 5172 5173 static void 5174 sppp_chap_scr(struct sppp *sp) 5175 { 5176 uint32_t *ch; 5177 u_char clen, dsize; 5178 int role; 5179 5180 KASSERT(SPPP_WLOCKED(sp)); 5181 5182 role = sppp_auth_role(&chap, sp); 5183 5184 if (ISSET(role, SPPP_AUTH_SERV) && 5185 !sp->chap.response_rcvd) { 5186 /* we are authenticator for CHAP, send challenge */ 5187 ch = (uint32_t *)sp->chap.challenge; 5188 clen = sizeof(sp->chap.challenge); 5189 /* Compute random challenge. */ 5190 cprng_strong(kern_cprng, ch, clen, 0); 5191 5192 sp->scp[IDX_CHAP].confid = ++sp->scp[IDX_CHAP].seq; 5193 sppp_auth_send(&chap, sp, CHAP_CHALLENGE, sp->scp[IDX_CHAP].confid, 5194 sizeof(clen), (const char *)&clen, 5195 sizeof(sp->chap.challenge), sp->chap.challenge, 5196 0); 5197 } 5198 5199 if (ISSET(role, SPPP_AUTH_PEER) && 5200 sp->chap.digest_len > 0) { 5201 /* we are peer for CHAP, send response */ 5202 dsize = sp->chap.digest_len; 5203 5204 sppp_auth_send(&chap, sp, CHAP_RESPONSE, sp->scp[IDX_CHAP].rconfid, 5205 sizeof(dsize), (const char *)&dsize, 5206 sp->chap.digest_len, sp->chap.digest, 5207 sp->myauth.name_len, sp->myauth.name, 0); 5208 } 5209 } 5210 5211 static void 5212 sppp_chap_rcv_challenge_event(struct sppp *sp, void *xcp) 5213 { 5214 const struct cp *cp = xcp; 5215 5216 KASSERT(!cpu_softintr_p()); 5217 5218 sp->chap.rechallenging = false; 5219 5220 switch (sp->scp[IDX_CHAP].state) { 5221 case STATE_REQ_SENT: 5222 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 5223 cp->scr(sp); 5224 break; 5225 case STATE_OPENED: 5226 sppp_cp_change_state(cp, sp, STATE_ACK_SENT); 5227 cp->scr(sp); 5228 break; 5229 } 5230 } 5231 5232 /* 5233 *--------------------------------------------------------------------------* 5234 * * 5235 * The PAP implementation. * 5236 * * 5237 *--------------------------------------------------------------------------* 5238 */ 5239 /* 5240 * PAP uses following actions and events. 5241 * Actions: 5242 * - scr: send PAP_REQ 5243 * - sca: send PAP_ACK 5244 * - scn: send PAP_NAK 5245 * Events: 5246 * - RCR+: receive PAP_REQ containing correct username and password 5247 * - RCR-: receive PAP_REQ containing wrong username and password 5248 * - RCA: receive PAP_ACK 5249 * - RCN: (this event is unused) 5250 * - TO+: re-send PAP_REQ 5251 * - TO-: this layer finish 5252 */ 5253 5254 /* 5255 * Handle incoming PAP packets. */ 5256 static void 5257 sppp_pap_input(struct sppp *sp, struct mbuf *m) 5258 { 5259 STDDCL; 5260 struct lcp_header *h; 5261 int len, x; 5262 char *name, *secret; 5263 int name_len, secret_len; 5264 char abuf[SPPP_AUTHTYPE_NAMELEN]; 5265 const char *authname; 5266 5267 /* 5268 * Malicious input might leave this uninitialized, so 5269 * init to an impossible value. 5270 */ 5271 secret_len = -1; 5272 5273 len = m->m_pkthdr.len; 5274 if (len < 5) { 5275 if (debug) 5276 log(LOG_DEBUG, 5277 "%s: pap invalid packet length: %d bytes\n", 5278 ifp->if_xname, len); 5279 return; 5280 } 5281 h = mtod(m, struct lcp_header *); 5282 if (len > ntohs(h->len)) 5283 len = ntohs(h->len); 5284 5285 SPPP_LOCK(sp, RW_WRITER); 5286 5287 switch (h->type) { 5288 /* PAP request is my authproto */ 5289 case PAP_REQ: 5290 if (sp->hisauth.name == NULL || sp->hisauth.secret == NULL) { 5291 /* can't do anything useful */ 5292 printf("%s: pap request" 5293 " without his name and his secret being set\n", 5294 ifp->if_xname); 5295 break; 5296 } 5297 name = 1 + (u_char *)(h + 1); 5298 name_len = name[-1]; 5299 secret = name + name_len + 1; 5300 if (name_len > len - 6 || 5301 (secret_len = secret[-1]) > len - 6 - name_len) { 5302 if (debug) { 5303 authname = sppp_auth_type_name(abuf, 5304 sizeof(abuf), PPP_PAP, h->type); 5305 log(LOG_DEBUG, "%s: pap corrupted input " 5306 "<%s id=0x%x len=%d", 5307 ifp->if_xname, authname, 5308 h->ident, ntohs(h->len)); 5309 if (len > 4) 5310 sppp_print_bytes((u_char *)(h + 1), 5311 len - 4); 5312 addlog(">\n"); 5313 } 5314 break; 5315 } 5316 if (debug) { 5317 authname = sppp_auth_type_name(abuf, 5318 sizeof(abuf), PPP_PAP, h->type); 5319 log(LOG_DEBUG, "%s: pap input(%s) " 5320 "<%s id=0x%x len=%d name=", 5321 ifp->if_xname, 5322 sppp_state_name(sp->scp[IDX_PAP].state), 5323 authname, h->ident, ntohs(h->len)); 5324 sppp_print_string((char *)name, name_len); 5325 addlog(" secret="); 5326 sppp_print_string((char *)secret, secret_len); 5327 addlog(">\n"); 5328 } 5329 5330 sp->scp[IDX_PAP].rconfid = h->ident; 5331 5332 if (name_len == sp->hisauth.name_len && 5333 memcmp(name, sp->hisauth.name, name_len) == 0 && 5334 secret_len == sp->hisauth.secret_len && 5335 memcmp(secret, sp->hisauth.secret, secret_len) == 0) { 5336 sp->scp[IDX_PAP].rcr_type = CP_RCR_ACK; 5337 } else { 5338 sp->scp[IDX_PAP].rcr_type = CP_RCR_NAK; 5339 } 5340 5341 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_rcr); 5342 5343 /* generate a dummy RCA event */ 5344 if (sp->scp[IDX_PAP].rcr_type == CP_RCR_ACK && 5345 !ISSET(sppp_auth_role(&pap, sp), SPPP_AUTH_PEER)) { 5346 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_rca); 5347 } 5348 break; 5349 5350 /* ack and nak are his authproto */ 5351 case PAP_ACK: 5352 if (debug) { 5353 log(LOG_DEBUG, "%s: pap success", 5354 ifp->if_xname); 5355 name = 1 + (u_char *)(h + 1); 5356 name_len = name[-1]; 5357 if (len > 5 && name_len < len+4) { 5358 addlog(": "); 5359 sppp_print_string(name, name_len); 5360 } 5361 addlog("\n"); 5362 } 5363 5364 if (h->ident != sp->scp[IDX_PAP].confid) { 5365 if (debug) { 5366 log(LOG_DEBUG, "%s: %s id mismatch 0x%x != 0x%x\n", 5367 ifp->if_xname, pap.name, 5368 h->ident, sp->scp[IDX_PAP].rconfid); 5369 } 5370 if_statinc(ifp, if_ierrors); 5371 break; 5372 } 5373 5374 x = splnet(); 5375 sp->pp_auth_failures = 0; 5376 sp->pp_flags &= ~PP_NEEDAUTH; 5377 splx(x); 5378 5379 /* we are not authenticator, generate a dummy RCR+ event */ 5380 if (!ISSET(sppp_auth_role(&pap, sp), SPPP_AUTH_SERV)) { 5381 sp->scp[IDX_PAP].rcr_type = CP_RCR_ACK; 5382 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_rcr); 5383 } 5384 5385 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_PAP].work_rca); 5386 break; 5387 5388 case PAP_NAK: 5389 if (debug) { 5390 log(LOG_INFO, "%s: pap failure", 5391 ifp->if_xname); 5392 name = 1 + (u_char *)(h + 1); 5393 name_len = name[-1]; 5394 if (len > 5 && name_len < len+4) { 5395 addlog(": "); 5396 sppp_print_string(name, name_len); 5397 } 5398 addlog("\n"); 5399 } else 5400 log(LOG_INFO, "%s: pap failure\n", 5401 ifp->if_xname); 5402 5403 if (h->ident != sp->scp[IDX_PAP].confid) { 5404 if (debug) { 5405 log(LOG_DEBUG, "%s: %s id mismatch 0x%x != 0x%x\n", 5406 ifp->if_xname, pap.name, 5407 h->ident, sp->scp[IDX_PAP].rconfid); 5408 } 5409 if_statinc(ifp, if_ierrors); 5410 break; 5411 } 5412 5413 sp->pp_auth_failures++; 5414 /* 5415 * await LCP shutdown by authenticator, 5416 * so we don't have to enqueue sc->scp[IDX_PAP].work_rcn 5417 */ 5418 break; 5419 5420 default: 5421 /* Unknown PAP packet type -- ignore. */ 5422 if (debug) { 5423 log(LOG_DEBUG, "%s: pap corrupted input " 5424 "<0x%x id=0x%x len=%d", 5425 ifp->if_xname, 5426 h->type, h->ident, ntohs(h->len)); 5427 if (len > 4) 5428 sppp_print_bytes((u_char *)(h + 1), len - 4); 5429 addlog(">\n"); 5430 } 5431 break; 5432 } 5433 5434 SPPP_UNLOCK(sp); 5435 } 5436 5437 static void 5438 sppp_pap_init(struct sppp *sp) 5439 { 5440 5441 KASSERT(SPPP_WLOCKED(sp)); 5442 sppp_cp_init(&pap, sp); 5443 } 5444 5445 static void 5446 sppp_pap_tlu(struct sppp *sp) 5447 { 5448 STDDCL; 5449 int x; 5450 5451 sp->scp[IDX_PAP].rst_counter = sp->lcp.max_configure; 5452 5453 if (debug) 5454 log(LOG_DEBUG, "%s: %s tlu\n", 5455 ifp->if_xname, pap.name); 5456 5457 x = splnet(); 5458 sp->pp_auth_failures = 0; 5459 splx(x); 5460 5461 if (sp->pp_phase < SPPP_PHASE_NETWORK) 5462 sppp_phase_network(sp); 5463 } 5464 5465 static void 5466 sppp_pap_scr(struct sppp *sp) 5467 { 5468 u_char idlen, pwdlen; 5469 5470 KASSERT(SPPP_WLOCKED(sp)); 5471 5472 if (ISSET(sppp_auth_role(&pap, sp), SPPP_AUTH_PEER) && 5473 sp->scp[IDX_PAP].state != STATE_ACK_RCVD) { 5474 if (sp->myauth.secret == NULL || sp->myauth.name == NULL) { 5475 log(LOG_DEBUG, "%s: couldn't send PAP_REQ " 5476 "because of no name or no secret\n", 5477 sp->pp_if.if_xname); 5478 } else { 5479 sp->scp[IDX_PAP].confid = ++sp->scp[IDX_PAP].seq; 5480 pwdlen = sp->myauth.secret_len; 5481 idlen = sp->myauth.name_len; 5482 5483 sppp_auth_send(&pap, sp, PAP_REQ, sp->scp[IDX_PAP].confid, 5484 sizeof idlen, (const char *)&idlen, 5485 idlen, sp->myauth.name, 5486 sizeof pwdlen, (const char *)&pwdlen, 5487 pwdlen, sp->myauth.secret, 5488 0); 5489 } 5490 } 5491 } 5492 5493 /* 5494 * Random miscellaneous functions. 5495 */ 5496 5497 /* 5498 * Send a PAP or CHAP proto packet. 5499 * 5500 * Varadic function, each of the elements for the ellipsis is of type 5501 * ``size_t mlen, const u_char *msg''. Processing will stop iff 5502 * mlen == 0. 5503 * NOTE: never declare variadic functions with types subject to type 5504 * promotion (i.e. u_char). This is asking for big trouble depending 5505 * on the architecture you are on... 5506 */ 5507 5508 static void 5509 sppp_auth_send(const struct cp *cp, struct sppp *sp, 5510 unsigned int type, unsigned int id, 5511 ...) 5512 { 5513 STDDCL; 5514 struct lcp_header *lh; 5515 struct mbuf *m; 5516 u_char *p; 5517 int len; 5518 size_t pkthdrlen; 5519 unsigned int mlen; 5520 const char *msg; 5521 va_list ap; 5522 5523 KASSERT(SPPP_WLOCKED(sp)); 5524 5525 MGETHDR(m, M_DONTWAIT, MT_DATA); 5526 if (! m) 5527 return; 5528 m_reset_rcvif(m); 5529 5530 if (sp->pp_flags & PP_NOFRAMING) { 5531 *mtod(m, uint16_t *) = htons(cp->proto); 5532 pkthdrlen = 2; 5533 lh = (struct lcp_header *)(mtod(m, uint8_t *)+2); 5534 } else { 5535 struct ppp_header *h; 5536 h = mtod(m, struct ppp_header *); 5537 h->address = PPP_ALLSTATIONS; /* broadcast address */ 5538 h->control = PPP_UI; /* Unnumbered Info */ 5539 h->protocol = htons(cp->proto); 5540 pkthdrlen = PPP_HEADER_LEN; 5541 5542 lh = (struct lcp_header *)(h + 1); 5543 } 5544 5545 lh->type = type; 5546 lh->ident = id; 5547 p = (u_char *)(lh + 1); 5548 5549 va_start(ap, id); 5550 len = 0; 5551 5552 while ((mlen = (unsigned int)va_arg(ap, size_t)) != 0) { 5553 msg = va_arg(ap, const char *); 5554 len += mlen; 5555 if (len > MHLEN - pkthdrlen - LCP_HEADER_LEN) { 5556 va_end(ap); 5557 m_freem(m); 5558 return; 5559 } 5560 5561 memcpy(p, msg, mlen); 5562 p += mlen; 5563 } 5564 va_end(ap); 5565 5566 m->m_pkthdr.len = m->m_len = pkthdrlen + LCP_HEADER_LEN + len; 5567 lh->len = htons(LCP_HEADER_LEN + len); 5568 5569 if (debug) { 5570 char abuf[SPPP_AUTHTYPE_NAMELEN]; 5571 const char *authname; 5572 5573 authname = sppp_auth_type_name(abuf, 5574 sizeof(abuf), cp->proto, lh->type); 5575 log(LOG_DEBUG, "%s: %s output <%s id=0x%x len=%d", 5576 ifp->if_xname, cp->name, authname, 5577 lh->ident, ntohs(lh->len)); 5578 if (len) 5579 sppp_print_bytes((u_char *)(lh + 1), len); 5580 addlog(">\n"); 5581 } 5582 if (IF_QFULL(&sp->pp_cpq)) { 5583 IF_DROP(&sp->pp_fastq); 5584 IF_DROP(&ifp->if_snd); 5585 m_freem(m); 5586 if_statinc(ifp, if_oerrors); 5587 return; 5588 } 5589 5590 if_statadd(ifp, if_obytes, m->m_pkthdr.len + sp->pp_framebytes); 5591 IF_ENQUEUE(&sp->pp_cpq, m); 5592 5593 if (! (ifp->if_flags & IFF_OACTIVE)) { 5594 SPPP_UNLOCK(sp); 5595 if_start_lock(ifp); 5596 SPPP_LOCK(sp, RW_WRITER); 5597 } 5598 } 5599 5600 static int 5601 sppp_auth_role(const struct cp *cp, struct sppp *sp) 5602 { 5603 int role; 5604 5605 role = SPPP_AUTH_NOROLE; 5606 5607 if (sp->hisauth.proto == cp->proto && 5608 ISSET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO)) 5609 SET(role, SPPP_AUTH_SERV); 5610 5611 if (sp->myauth.proto == cp->proto) 5612 SET(role, SPPP_AUTH_PEER); 5613 5614 return role; 5615 } 5616 5617 static void 5618 sppp_auth_to_event(struct sppp *sp, void *xcp) 5619 { 5620 const struct cp *cp = xcp; 5621 bool override; 5622 int state; 5623 STDDCL; 5624 5625 KASSERT(SPPP_WLOCKED(sp)); 5626 KASSERT(!cpu_softintr_p()); 5627 5628 override = false; 5629 state = sp->scp[cp->protoidx].state; 5630 5631 if (sp->scp[cp->protoidx].rst_counter > 0) { 5632 /* override TO+ event */ 5633 switch (state) { 5634 case STATE_OPENED: 5635 if ((sp->hisauth.flags & SPPP_AUTHFLAG_NORECHALLENGE) == 0) { 5636 override = true; 5637 sp->chap.rechallenging = true; 5638 sp->chap.response_rcvd = false; 5639 sppp_cp_change_state(cp, sp, STATE_REQ_SENT); 5640 cp->scr(sp); 5641 } 5642 break; 5643 5644 case STATE_ACK_RCVD: 5645 override = true; 5646 cp->scr(sp); 5647 callout_schedule(&sp->scp[cp->protoidx].ch, sp->lcp.timeout); 5648 break; 5649 } 5650 } 5651 5652 if (override) { 5653 if (debug) 5654 log(LOG_DEBUG, "%s: %s TO(%s) rst_counter = %d\n", 5655 ifp->if_xname, cp->name, 5656 sppp_state_name(state), 5657 sp->scp[cp->protoidx].rst_counter); 5658 sp->scp[cp->protoidx].rst_counter--; 5659 } else { 5660 sppp_to_event(sp, xcp); 5661 } 5662 } 5663 5664 static void 5665 sppp_auth_screply(const struct cp *cp, struct sppp *sp, u_char ctype, 5666 uint8_t ident, size_t _mlen __unused, void *_msg __unused) 5667 { 5668 static const char *succmsg = "Welcome!"; 5669 static const char *failmsg = "Failed..."; 5670 const char *msg; 5671 u_char type, mlen; 5672 5673 KASSERT(SPPP_WLOCKED(sp)); 5674 5675 if (!ISSET(sppp_auth_role(cp, sp), SPPP_AUTH_SERV)) 5676 return; 5677 5678 if (ctype == CONF_ACK) { 5679 type = cp->proto == PPP_CHAP ? CHAP_SUCCESS : PAP_ACK; 5680 msg = succmsg; 5681 mlen = sizeof(succmsg) - 1; 5682 5683 sp->pp_auth_failures = 0; 5684 } else { 5685 type = cp->proto == PPP_CHAP ? CHAP_FAILURE : PAP_NAK; 5686 msg = failmsg; 5687 mlen = sizeof(failmsg) - 1; 5688 5689 /* shutdown LCP if auth failed */ 5690 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 5691 sp->pp_auth_failures++; 5692 } 5693 5694 sppp_auth_send(cp, sp, type, ident, mlen, (const u_char *)msg, 0); 5695 } 5696 5697 /* 5698 * Send keepalive packets, every 10 seconds. 5699 */ 5700 static void 5701 sppp_keepalive(void *dummy) 5702 { 5703 struct sppp *sp; 5704 int s; 5705 time_t now; 5706 5707 SPPPQ_LOCK(); 5708 5709 s = splnet(); 5710 now = time_uptime; 5711 for (sp=spppq; sp; sp=sp->pp_next) { 5712 struct ifnet *ifp = NULL; 5713 5714 SPPP_LOCK(sp, RW_WRITER); 5715 ifp = &sp->pp_if; 5716 5717 /* check idle timeout */ 5718 if ((sp->pp_idle_timeout != 0) && (ifp->if_flags & IFF_RUNNING) 5719 && (sp->pp_phase == SPPP_PHASE_NETWORK)) { 5720 /* idle timeout is enabled for this interface */ 5721 if ((now-sp->pp_last_activity) >= sp->pp_idle_timeout) { 5722 if (ifp->if_flags & IFF_DEBUG) 5723 printf("%s: no activity for %lu seconds\n", 5724 sp->pp_if.if_xname, 5725 (unsigned long)(now-sp->pp_last_activity)); 5726 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 5727 SPPP_UNLOCK(sp); 5728 continue; 5729 } 5730 } 5731 5732 /* Keepalive mode disabled or channel down? */ 5733 if (! (sp->pp_flags & PP_KEEPALIVE) || 5734 ! (ifp->if_flags & IFF_RUNNING)) { 5735 SPPP_UNLOCK(sp); 5736 continue; 5737 } 5738 5739 /* No keepalive in PPP mode if LCP not opened yet. */ 5740 if (! (sp->pp_flags & PP_CISCO) && 5741 sp->pp_phase < SPPP_PHASE_AUTHENTICATE) { 5742 SPPP_UNLOCK(sp); 5743 continue; 5744 } 5745 5746 /* No echo reply, but maybe user data passed through? */ 5747 if (sp->pp_max_noreceive != 0 && 5748 (now - sp->pp_last_receive) < sp->pp_max_noreceive) { 5749 sp->pp_alivecnt = 0; 5750 SPPP_UNLOCK(sp); 5751 continue; 5752 } 5753 5754 /* No echo request */ 5755 if (sp->pp_alive_interval == 0) { 5756 SPPP_UNLOCK(sp); 5757 continue; 5758 } 5759 5760 /* send a ECHO_REQ once in sp->pp_alive_interval times */ 5761 if ((sppp_keepalive_cnt % sp->pp_alive_interval) != 0) { 5762 SPPP_UNLOCK(sp); 5763 continue; 5764 } 5765 5766 if (sp->pp_alivecnt >= sp->pp_maxalive) { 5767 /* No keepalive packets got. Stop the interface. */ 5768 if (sp->pp_flags & PP_KEEPALIVE_IFDOWN) 5769 sppp_wq_add(sp->wq_cp, &sp->work_ifdown); 5770 5771 if (! (sp->pp_flags & PP_CISCO)) { 5772 printf("%s: LCP keepalive timed out, going to restart the connection\n", 5773 ifp->if_xname); 5774 sp->pp_alivecnt = 0; 5775 5776 /* we are down, close all open protocols */ 5777 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_close); 5778 5779 /* And now prepare LCP to reestablish the link, if configured to do so. */ 5780 sp->lcp.reestablish = true; 5781 5782 SPPP_UNLOCK(sp); 5783 continue; 5784 } 5785 } 5786 if (sp->pp_alivecnt < sp->pp_maxalive) 5787 ++sp->pp_alivecnt; 5788 if (sp->pp_flags & PP_CISCO) 5789 sppp_cisco_send(sp, CISCO_KEEPALIVE_REQ, 5790 ++sp->scp[IDX_LCP].seq, sp->scp[IDX_LCP].rseq); 5791 else if (sp->pp_phase >= SPPP_PHASE_AUTHENTICATE) { 5792 int32_t nmagic = htonl(sp->lcp.magic); 5793 sp->lcp.echoid = ++sp->scp[IDX_LCP].seq; 5794 sppp_cp_send(sp, PPP_LCP, ECHO_REQ, 5795 sp->lcp.echoid, 4, &nmagic); 5796 } 5797 5798 SPPP_UNLOCK(sp); 5799 } 5800 splx(s); 5801 sppp_keepalive_cnt++; 5802 callout_reset(&keepalive_ch, hz * SPPP_KEEPALIVE_INTERVAL, sppp_keepalive, NULL); 5803 5804 SPPPQ_UNLOCK(); 5805 } 5806 5807 #ifdef INET 5808 /* 5809 * Get both IP addresses. 5810 */ 5811 static void 5812 sppp_get_ip_addrs(struct sppp *sp, uint32_t *src, uint32_t *dst, uint32_t *srcmask) 5813 { 5814 struct ifnet *ifp = &sp->pp_if; 5815 struct ifaddr *ifa; 5816 struct sockaddr_in *si, *sm; 5817 uint32_t ssrc, ddst; 5818 int s; 5819 struct psref psref; 5820 5821 sm = NULL; 5822 ssrc = ddst = 0; 5823 /* 5824 * Pick the first AF_INET address from the list, 5825 * aliases don't make any sense on a p2p link anyway. 5826 */ 5827 si = 0; 5828 s = pserialize_read_enter(); 5829 IFADDR_READER_FOREACH(ifa, ifp) { 5830 if (ifa->ifa_addr->sa_family == AF_INET) { 5831 si = (struct sockaddr_in *)ifa->ifa_addr; 5832 sm = (struct sockaddr_in *)ifa->ifa_netmask; 5833 if (si) { 5834 ifa_acquire(ifa, &psref); 5835 break; 5836 } 5837 } 5838 } 5839 pserialize_read_exit(s); 5840 if (ifa) { 5841 if (si && si->sin_addr.s_addr) { 5842 ssrc = si->sin_addr.s_addr; 5843 if (srcmask) 5844 *srcmask = ntohl(sm->sin_addr.s_addr); 5845 } 5846 5847 si = (struct sockaddr_in *)ifa->ifa_dstaddr; 5848 if (si && si->sin_addr.s_addr) 5849 ddst = si->sin_addr.s_addr; 5850 ifa_release(ifa, &psref); 5851 } 5852 5853 if (dst) *dst = ntohl(ddst); 5854 if (src) *src = ntohl(ssrc); 5855 } 5856 5857 /* 5858 * Set IP addresses. Must be called at splnet. 5859 * If an address is 0, leave it the way it is. 5860 */ 5861 static void 5862 sppp_set_ip_addrs(struct sppp *sp) 5863 { 5864 STDDCL; 5865 struct ifaddr *ifa; 5866 struct sockaddr_in *si, *dest; 5867 uint32_t myaddr = 0, hisaddr = 0; 5868 int s; 5869 5870 KASSERT(SPPP_WLOCKED(sp)); 5871 SPPP_UNLOCK(sp); 5872 IFNET_LOCK(ifp); 5873 SPPP_LOCK(sp, RW_WRITER); 5874 5875 /* 5876 * Pick the first AF_INET address from the list, 5877 * aliases don't make any sense on a p2p link anyway. 5878 */ 5879 si = dest = NULL; 5880 s = pserialize_read_enter(); 5881 IFADDR_READER_FOREACH(ifa, ifp) { 5882 if (ifa->ifa_addr->sa_family == AF_INET) { 5883 si = (struct sockaddr_in *)ifa->ifa_addr; 5884 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5885 break; 5886 } 5887 } 5888 pserialize_read_exit(s); 5889 5890 if ((sp->ipcp.flags & IPCP_MYADDR_DYN) && (sp->ipcp.flags & IPCP_MYADDR_SEEN)) 5891 myaddr = sp->ipcp.req_myaddr; 5892 else if (si != NULL) 5893 myaddr = ntohl(si->sin_addr.s_addr); 5894 5895 if ((sp->ipcp.flags & IPCP_HISADDR_DYN) && (sp->ipcp.flags & IPCP_HISADDR_SEEN)) 5896 hisaddr = sp->ipcp.req_hisaddr; 5897 else if (dest != NULL) 5898 hisaddr = ntohl(dest->sin_addr.s_addr); 5899 5900 if (si != NULL && dest != NULL) { 5901 int error; 5902 struct sockaddr_in new_sin = *si; 5903 struct sockaddr_in new_dst = *dest; 5904 5905 if (myaddr != 0) 5906 new_sin.sin_addr.s_addr = htonl(myaddr); 5907 if (hisaddr != 0) { 5908 new_dst.sin_addr.s_addr = htonl(hisaddr); 5909 if (new_dst.sin_addr.s_addr != dest->sin_addr.s_addr) 5910 sp->ipcp.saved_hisaddr = dest->sin_addr.s_addr; 5911 } 5912 5913 in_addrhash_remove(ifatoia(ifa)); 5914 5915 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5916 5917 in_addrhash_insert(ifatoia(ifa)); 5918 5919 if (debug && error) 5920 { 5921 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5922 ifp->if_xname, __func__, error); 5923 } 5924 if (!error) { 5925 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5926 } 5927 } 5928 5929 IFNET_UNLOCK(ifp); 5930 5931 sppp_notify_con(sp); 5932 } 5933 5934 /* 5935 * Clear IP addresses. Must be called at splnet. 5936 */ 5937 static void 5938 sppp_clear_ip_addrs(struct sppp *sp) 5939 { 5940 STDDCL; 5941 struct ifaddr *ifa; 5942 struct sockaddr_in *si, *dest; 5943 int s; 5944 5945 KASSERT(SPPP_WLOCKED(sp)); 5946 SPPP_UNLOCK(sp); 5947 IFNET_LOCK(ifp); 5948 SPPP_LOCK(sp, RW_WRITER); 5949 5950 /* 5951 * Pick the first AF_INET address from the list, 5952 * aliases don't make any sense on a p2p link anyway. 5953 */ 5954 si = dest = NULL; 5955 s = pserialize_read_enter(); 5956 IFADDR_READER_FOREACH(ifa, ifp) { 5957 if (ifa->ifa_addr->sa_family == AF_INET) { 5958 si = (struct sockaddr_in *)ifa->ifa_addr; 5959 dest = (struct sockaddr_in *)ifa->ifa_dstaddr; 5960 break; 5961 } 5962 } 5963 pserialize_read_exit(s); 5964 5965 if (si != NULL) { 5966 struct sockaddr_in new_sin = *si; 5967 struct sockaddr_in new_dst = *dest; 5968 int error; 5969 5970 if (sp->ipcp.flags & IPCP_MYADDR_DYN) 5971 new_sin.sin_addr.s_addr = 0; 5972 if (sp->ipcp.flags & IPCP_HISADDR_DYN && 5973 ntohl(sp->ipcp.saved_hisaddr) != 0) 5974 new_dst.sin_addr.s_addr = sp->ipcp.saved_hisaddr; 5975 5976 in_addrhash_remove(ifatoia(ifa)); 5977 5978 error = in_ifinit(ifp, ifatoia(ifa), &new_sin, &new_dst, 0); 5979 5980 in_addrhash_insert(ifatoia(ifa)); 5981 5982 if (debug && error) 5983 { 5984 log(LOG_DEBUG, "%s: %s: in_ifinit failed, error=%d\n", 5985 ifp->if_xname, __func__, error); 5986 } 5987 if (!error) { 5988 pfil_run_addrhooks(if_pfil, SIOCAIFADDR, ifa); 5989 } 5990 } 5991 5992 IFNET_UNLOCK(ifp); 5993 } 5994 #endif 5995 5996 #ifdef INET6 5997 /* 5998 * Get both IPv6 addresses. 5999 */ 6000 static void 6001 sppp_get_ip6_addrs(struct sppp *sp, struct in6_addr *src, struct in6_addr *dst, 6002 struct in6_addr *srcmask) 6003 { 6004 struct ifnet *ifp = &sp->pp_if; 6005 struct ifaddr *ifa; 6006 struct sockaddr_in6 *si, *sm; 6007 struct in6_addr ssrc, ddst; 6008 int s; 6009 struct psref psref; 6010 6011 sm = NULL; 6012 memset(&ssrc, 0, sizeof(ssrc)); 6013 memset(&ddst, 0, sizeof(ddst)); 6014 /* 6015 * Pick the first link-local AF_INET6 address from the list, 6016 * aliases don't make any sense on a p2p link anyway. 6017 */ 6018 si = 0; 6019 s = pserialize_read_enter(); 6020 IFADDR_READER_FOREACH(ifa, ifp) { 6021 if (ifa->ifa_addr->sa_family == AF_INET6) { 6022 si = (struct sockaddr_in6 *)ifa->ifa_addr; 6023 sm = (struct sockaddr_in6 *)ifa->ifa_netmask; 6024 if (si && IN6_IS_ADDR_LINKLOCAL(&si->sin6_addr)) { 6025 ifa_acquire(ifa, &psref); 6026 break; 6027 } 6028 } 6029 } 6030 pserialize_read_exit(s); 6031 6032 if (ifa) { 6033 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) { 6034 memcpy(&ssrc, &si->sin6_addr, sizeof(ssrc)); 6035 if (srcmask) { 6036 memcpy(srcmask, &sm->sin6_addr, 6037 sizeof(*srcmask)); 6038 } 6039 } 6040 6041 si = (struct sockaddr_in6 *)ifa->ifa_dstaddr; 6042 if (si && !IN6_IS_ADDR_UNSPECIFIED(&si->sin6_addr)) 6043 memcpy(&ddst, &si->sin6_addr, sizeof(ddst)); 6044 ifa_release(ifa, &psref); 6045 } 6046 6047 if (dst) 6048 memcpy(dst, &ddst, sizeof(*dst)); 6049 if (src) 6050 memcpy(src, &ssrc, sizeof(*src)); 6051 } 6052 6053 #ifdef IPV6CP_MYIFID_DYN 6054 /* 6055 * Generate random ifid. 6056 */ 6057 static void 6058 sppp_gen_ip6_addr(struct sppp *sp, struct in6_addr *addr) 6059 { 6060 /* TBD */ 6061 } 6062 6063 /* 6064 * Set my IPv6 address. Must be called at splnet. 6065 */ 6066 static void 6067 sppp_set_ip6_addr(struct sppp *sp, const struct in6_addr *src) 6068 { 6069 STDDCL; 6070 struct ifaddr *ifa; 6071 struct sockaddr_in6 *sin6; 6072 int s; 6073 struct psref psref; 6074 6075 KASSERT(SPPP_WLOCKED(sp)); 6076 SPPP_UNLOCK(sp); 6077 IFNET_LOCK(ifp); 6078 SPPP_LOCK(sp, RW_WRITER); 6079 6080 /* 6081 * Pick the first link-local AF_INET6 address from the list, 6082 * aliases don't make any sense on a p2p link anyway. 6083 */ 6084 6085 sin6 = NULL; 6086 s = pserialize_read_enter(); 6087 IFADDR_READER_FOREACH(ifa, ifp) 6088 { 6089 if (ifa->ifa_addr->sa_family == AF_INET6) 6090 { 6091 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 6092 if (sin6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) { 6093 ifa_acquire(ifa, &psref); 6094 break; 6095 } 6096 } 6097 } 6098 pserialize_read_exit(s); 6099 6100 if (ifa && sin6) 6101 { 6102 int error; 6103 struct sockaddr_in6 new_sin6 = *sin6; 6104 6105 memcpy(&new_sin6.sin6_addr, src, sizeof(new_sin6.sin6_addr)); 6106 error = in6_ifinit(ifp, ifatoia6(ifa), &new_sin6, 1); 6107 if (debug && error) 6108 { 6109 log(LOG_DEBUG, "%s: %s: in6_ifinit failed, error=%d\n", 6110 ifp->if_xname, __func__, error); 6111 } 6112 if (!error) { 6113 pfil_run_addrhooks(if_pfil, SIOCAIFADDR_IN6, ifa); 6114 } 6115 ifa_release(ifa, &psref); 6116 } 6117 6118 IFNET_UNLOCK(ifp); 6119 } 6120 #endif 6121 6122 /* 6123 * Suggest a candidate address to be used by peer. 6124 */ 6125 static void 6126 sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) 6127 { 6128 struct in6_addr myaddr; 6129 struct timeval tv; 6130 6131 sppp_get_ip6_addrs(sp, &myaddr, 0, 0); 6132 6133 myaddr.s6_addr[8] &= ~0x02; /* u bit to "local" */ 6134 microtime(&tv); 6135 if ((tv.tv_usec & 0xff) == 0 && (tv.tv_sec & 0xff) == 0) { 6136 myaddr.s6_addr[14] ^= 0xff; 6137 myaddr.s6_addr[15] ^= 0xff; 6138 } else { 6139 myaddr.s6_addr[14] ^= (tv.tv_usec & 0xff); 6140 myaddr.s6_addr[15] ^= (tv.tv_sec & 0xff); 6141 } 6142 if (suggest) 6143 memcpy(suggest, &myaddr, sizeof(myaddr)); 6144 } 6145 #endif /*INET6*/ 6146 6147 /* 6148 * Process ioctl requests specific to the PPP interface. 6149 * Permissions have already been checked. 6150 */ 6151 static int 6152 sppp_params(struct sppp *sp, u_long cmd, void *data) 6153 { 6154 switch (cmd) { 6155 case SPPPGETAUTHCFG: 6156 { 6157 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 6158 int error; 6159 size_t len; 6160 6161 SPPP_LOCK(sp, RW_READER); 6162 6163 cfg->myauthflags = sp->myauth.flags; 6164 cfg->hisauthflags = sp->hisauth.flags; 6165 strlcpy(cfg->ifname, sp->pp_if.if_xname, sizeof(cfg->ifname)); 6166 cfg->hisauth = sppp_proto2authproto(sp->hisauth.proto); 6167 cfg->myauth = sppp_proto2authproto(sp->myauth.proto); 6168 if (cfg->myname_length == 0) { 6169 if (sp->myauth.name != NULL) 6170 cfg->myname_length = sp->myauth.name_len + 1; 6171 } else { 6172 if (sp->myauth.name == NULL) { 6173 cfg->myname_length = 0; 6174 } else { 6175 len = sp->myauth.name_len + 1; 6176 6177 if (cfg->myname_length < len) { 6178 SPPP_UNLOCK(sp); 6179 return (ENAMETOOLONG); 6180 } 6181 error = copyout(sp->myauth.name, cfg->myname, len); 6182 if (error) { 6183 SPPP_UNLOCK(sp); 6184 return error; 6185 } 6186 } 6187 } 6188 if (cfg->hisname_length == 0) { 6189 if (sp->hisauth.name != NULL) 6190 cfg->hisname_length = sp->hisauth.name_len + 1; 6191 } else { 6192 if (sp->hisauth.name == NULL) { 6193 cfg->hisname_length = 0; 6194 } else { 6195 len = sp->hisauth.name_len + 1; 6196 6197 if (cfg->hisname_length < len) { 6198 SPPP_UNLOCK(sp); 6199 return (ENAMETOOLONG); 6200 } 6201 error = copyout(sp->hisauth.name, cfg->hisname, len); 6202 if (error) { 6203 SPPP_UNLOCK(sp); 6204 return error; 6205 } 6206 } 6207 } 6208 SPPP_UNLOCK(sp); 6209 } 6210 break; 6211 case SPPPSETAUTHCFG: 6212 { 6213 struct spppauthcfg *cfg = (struct spppauthcfg *)data; 6214 int error; 6215 6216 SPPP_LOCK(sp, RW_WRITER); 6217 6218 if (sp->myauth.name) { 6219 free(sp->myauth.name, M_DEVBUF); 6220 sp->myauth.name = NULL; 6221 } 6222 if (sp->myauth.secret) { 6223 free(sp->myauth.secret, M_DEVBUF); 6224 sp->myauth.secret = NULL; 6225 } 6226 if (sp->hisauth.name) { 6227 free(sp->hisauth.name, M_DEVBUF); 6228 sp->hisauth.name = NULL; 6229 } 6230 if (sp->hisauth.secret) { 6231 free(sp->hisauth.secret, M_DEVBUF); 6232 sp->hisauth.secret = NULL; 6233 } 6234 6235 if (cfg->hisname != NULL && cfg->hisname_length > 0) { 6236 if (cfg->hisname_length >= MCLBYTES) { 6237 SPPP_UNLOCK(sp); 6238 return (ENAMETOOLONG); 6239 } 6240 sp->hisauth.name = malloc(cfg->hisname_length, M_DEVBUF, M_WAITOK); 6241 error = copyin(cfg->hisname, sp->hisauth.name, cfg->hisname_length); 6242 if (error) { 6243 free(sp->hisauth.name, M_DEVBUF); 6244 sp->hisauth.name = NULL; 6245 SPPP_UNLOCK(sp); 6246 return error; 6247 } 6248 sp->hisauth.name_len = cfg->hisname_length - 1; 6249 sp->hisauth.name[sp->hisauth.name_len] = 0; 6250 } 6251 if (cfg->hissecret != NULL && cfg->hissecret_length > 0) { 6252 if (cfg->hissecret_length >= MCLBYTES) { 6253 SPPP_UNLOCK(sp); 6254 return (ENAMETOOLONG); 6255 } 6256 sp->hisauth.secret = malloc(cfg->hissecret_length, 6257 M_DEVBUF, M_WAITOK); 6258 error = copyin(cfg->hissecret, sp->hisauth.secret, 6259 cfg->hissecret_length); 6260 if (error) { 6261 free(sp->hisauth.secret, M_DEVBUF); 6262 sp->hisauth.secret = NULL; 6263 SPPP_UNLOCK(sp); 6264 return error; 6265 } 6266 sp->hisauth.secret_len = cfg->hissecret_length - 1; 6267 sp->hisauth.secret[sp->hisauth.secret_len] = 0; 6268 } 6269 if (cfg->myname != NULL && cfg->myname_length > 0) { 6270 if (cfg->myname_length >= MCLBYTES) { 6271 SPPP_UNLOCK(sp); 6272 return (ENAMETOOLONG); 6273 } 6274 sp->myauth.name = malloc(cfg->myname_length, M_DEVBUF, M_WAITOK); 6275 error = copyin(cfg->myname, sp->myauth.name, cfg->myname_length); 6276 if (error) { 6277 free(sp->myauth.name, M_DEVBUF); 6278 sp->myauth.name = NULL; 6279 SPPP_UNLOCK(sp); 6280 return error; 6281 } 6282 sp->myauth.name_len = cfg->myname_length - 1; 6283 sp->myauth.name[sp->myauth.name_len] = 0; 6284 } 6285 if (cfg->mysecret != NULL && cfg->mysecret_length > 0) { 6286 if (cfg->mysecret_length >= MCLBYTES) { 6287 SPPP_UNLOCK(sp); 6288 return (ENAMETOOLONG); 6289 } 6290 sp->myauth.secret = malloc(cfg->mysecret_length, 6291 M_DEVBUF, M_WAITOK); 6292 error = copyin(cfg->mysecret, sp->myauth.secret, 6293 cfg->mysecret_length); 6294 if (error) { 6295 free(sp->myauth.secret, M_DEVBUF); 6296 sp->myauth.secret = NULL; 6297 SPPP_UNLOCK(sp); 6298 return error; 6299 } 6300 sp->myauth.secret_len = cfg->mysecret_length - 1; 6301 sp->myauth.secret[sp->myauth.secret_len] = 0; 6302 } 6303 sp->myauth.flags = cfg->myauthflags; 6304 if (cfg->myauth != SPPP_AUTHPROTO_NOCHG) { 6305 sp->myauth.proto = sppp_authproto2proto(cfg->myauth); 6306 } 6307 sp->hisauth.flags = cfg->hisauthflags; 6308 if (cfg->hisauth != SPPP_AUTHPROTO_NOCHG) { 6309 sp->hisauth.proto = sppp_authproto2proto(cfg->hisauth); 6310 } 6311 sp->pp_auth_failures = 0; 6312 if (sp->hisauth.proto != PPP_NOPROTO) 6313 SET(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO); 6314 else 6315 CLR(sp->lcp.opts, SPPP_LCP_OPT_AUTH_PROTO); 6316 6317 SPPP_UNLOCK(sp); 6318 } 6319 break; 6320 case SPPPGETLCPCFG: 6321 { 6322 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 6323 6324 SPPP_LOCK(sp, RW_READER); 6325 lcpp->lcp_timeout = sp->lcp.timeout; 6326 SPPP_UNLOCK(sp); 6327 } 6328 break; 6329 case SPPPSETLCPCFG: 6330 { 6331 struct sppplcpcfg *lcpp = (struct sppplcpcfg *)data; 6332 6333 SPPP_LOCK(sp, RW_WRITER); 6334 sp->lcp.timeout = lcpp->lcp_timeout; 6335 SPPP_UNLOCK(sp); 6336 } 6337 break; 6338 case SPPPGETNCPCFG: 6339 { 6340 struct spppncpcfg *ncpp = (struct spppncpcfg *) data; 6341 6342 SPPP_LOCK(sp, RW_READER); 6343 ncpp->ncp_flags = sp->pp_ncpflags; 6344 SPPP_UNLOCK(sp); 6345 } 6346 break; 6347 case SPPPSETNCPCFG: 6348 { 6349 struct spppncpcfg *ncpp = (struct spppncpcfg *) data; 6350 6351 SPPP_LOCK(sp, RW_WRITER); 6352 sp->pp_ncpflags = ncpp->ncp_flags; 6353 SPPP_UNLOCK(sp); 6354 } 6355 break; 6356 case SPPPGETSTATUS: 6357 { 6358 struct spppstatus *status = (struct spppstatus *)data; 6359 6360 SPPP_LOCK(sp, RW_READER); 6361 status->phase = sp->pp_phase; 6362 SPPP_UNLOCK(sp); 6363 } 6364 break; 6365 case SPPPGETSTATUSNCP: 6366 { 6367 struct spppstatusncp *status = (struct spppstatusncp *)data; 6368 6369 SPPP_LOCK(sp, RW_READER); 6370 status->phase = sp->pp_phase; 6371 status->ncpup = sppp_cp_check(sp, CP_NCP); 6372 SPPP_UNLOCK(sp); 6373 } 6374 break; 6375 case SPPPGETIDLETO: 6376 { 6377 struct spppidletimeout *to = (struct spppidletimeout *)data; 6378 6379 SPPP_LOCK(sp, RW_READER); 6380 to->idle_seconds = sp->pp_idle_timeout; 6381 SPPP_UNLOCK(sp); 6382 } 6383 break; 6384 case SPPPSETIDLETO: 6385 { 6386 struct spppidletimeout *to = (struct spppidletimeout *)data; 6387 6388 SPPP_LOCK(sp, RW_WRITER); 6389 sp->pp_idle_timeout = to->idle_seconds; 6390 SPPP_UNLOCK(sp); 6391 } 6392 break; 6393 case SPPPSETAUTHFAILURE: 6394 { 6395 struct spppauthfailuresettings *afsettings = 6396 (struct spppauthfailuresettings *)data; 6397 6398 SPPP_LOCK(sp, RW_WRITER); 6399 sp->pp_max_auth_fail = afsettings->max_failures; 6400 sp->pp_auth_failures = 0; 6401 SPPP_UNLOCK(sp); 6402 } 6403 break; 6404 case SPPPGETAUTHFAILURES: 6405 { 6406 struct spppauthfailurestats *stats = (struct spppauthfailurestats *)data; 6407 6408 SPPP_LOCK(sp, RW_READER); 6409 stats->auth_failures = sp->pp_auth_failures; 6410 stats->max_failures = sp->pp_max_auth_fail; 6411 SPPP_UNLOCK(sp); 6412 } 6413 break; 6414 case SPPPSETDNSOPTS: 6415 { 6416 struct spppdnssettings *req = (struct spppdnssettings *)data; 6417 6418 SPPP_LOCK(sp, RW_WRITER); 6419 sp->query_dns = req->query_dns & 3; 6420 SPPP_UNLOCK(sp); 6421 } 6422 break; 6423 case SPPPGETDNSOPTS: 6424 { 6425 struct spppdnssettings *req = (struct spppdnssettings *)data; 6426 6427 SPPP_LOCK(sp, RW_READER); 6428 req->query_dns = sp->query_dns; 6429 SPPP_UNLOCK(sp); 6430 } 6431 break; 6432 case SPPPGETDNSADDRS: 6433 { 6434 struct spppdnsaddrs *addrs = (struct spppdnsaddrs *)data; 6435 6436 SPPP_LOCK(sp, RW_READER); 6437 memcpy(&addrs->dns, &sp->dns_addrs, sizeof addrs->dns); 6438 SPPP_UNLOCK(sp); 6439 } 6440 break; 6441 case SPPPGETKEEPALIVE: 6442 { 6443 struct spppkeepalivesettings *settings = 6444 (struct spppkeepalivesettings*)data; 6445 6446 SPPP_LOCK(sp, RW_READER); 6447 settings->maxalive = sp->pp_maxalive; 6448 settings->max_noreceive = sp->pp_max_noreceive; 6449 settings->alive_interval = sp->pp_alive_interval; 6450 SPPP_UNLOCK(sp); 6451 } 6452 break; 6453 case SPPPSETKEEPALIVE: 6454 { 6455 struct spppkeepalivesettings *settings = 6456 (struct spppkeepalivesettings*)data; 6457 6458 SPPP_LOCK(sp, RW_WRITER); 6459 sp->pp_maxalive = settings->maxalive; 6460 sp->pp_max_noreceive = settings->max_noreceive; 6461 sp->pp_alive_interval = settings->alive_interval; 6462 SPPP_UNLOCK(sp); 6463 } 6464 break; 6465 case SPPPGETLCPSTATUS: 6466 { 6467 struct sppplcpstatus *status = 6468 (struct sppplcpstatus *)data; 6469 6470 SPPP_LOCK(sp, RW_READER); 6471 status->state = sp->scp[IDX_LCP].state; 6472 status->opts = sp->lcp.opts; 6473 status->magic = sp->lcp.magic; 6474 status->mru = sp->lcp.mru; 6475 SPPP_UNLOCK(sp); 6476 } 6477 break; 6478 case SPPPGETIPCPSTATUS: 6479 { 6480 struct spppipcpstatus *status = 6481 (struct spppipcpstatus *)data; 6482 u_int32_t myaddr; 6483 6484 SPPP_LOCK(sp, RW_READER); 6485 status->state = sp->scp[IDX_IPCP].state; 6486 status->opts = sp->ipcp.opts; 6487 #ifdef INET 6488 kpreempt_disable(); 6489 sppp_get_ip_addrs(sp, &myaddr, 0, 0); 6490 kpreempt_enable(); 6491 #else 6492 myaddr = 0; 6493 #endif 6494 status->myaddr = ntohl(myaddr); 6495 SPPP_UNLOCK(sp); 6496 } 6497 break; 6498 case SPPPGETIPV6CPSTATUS: 6499 { 6500 struct spppipv6cpstatus *status = 6501 (struct spppipv6cpstatus *)data; 6502 6503 SPPP_LOCK(sp, RW_READER); 6504 status->state = sp->scp[IDX_IPV6CP].state; 6505 memcpy(status->my_ifid, sp->ipv6cp.my_ifid, 6506 sizeof(status->my_ifid)); 6507 memcpy(status->his_ifid, sp->ipv6cp.his_ifid, 6508 sizeof(status->his_ifid)); 6509 SPPP_UNLOCK(sp); 6510 } 6511 break; 6512 default: 6513 { 6514 int ret; 6515 6516 MODULE_HOOK_CALL(sppp_params_50_hook, (sp, cmd, data), 6517 enosys(), ret); 6518 if (ret != ENOSYS) 6519 return ret; 6520 return (EINVAL); 6521 } 6522 } 6523 return (0); 6524 } 6525 6526 static void 6527 sppp_phase_network(struct sppp *sp) 6528 { 6529 int i; 6530 6531 KASSERT(SPPP_WLOCKED(sp)); 6532 6533 sppp_change_phase(sp, SPPP_PHASE_NETWORK); 6534 6535 /* Notify NCPs now. */ 6536 for (i = 0; i < IDX_COUNT; i++) 6537 if ((cps[i])->flags & CP_NCP) 6538 sppp_wq_add(sp->wq_cp, &sp->scp[i].work_open); 6539 } 6540 6541 static const char * 6542 sppp_cp_type_name(char *buf, size_t buflen, u_char type) 6543 { 6544 6545 switch (type) { 6546 case CONF_REQ: return "conf-req"; 6547 case CONF_ACK: return "conf-ack"; 6548 case CONF_NAK: return "conf-nak"; 6549 case CONF_REJ: return "conf-rej"; 6550 case TERM_REQ: return "term-req"; 6551 case TERM_ACK: return "term-ack"; 6552 case CODE_REJ: return "code-rej"; 6553 case PROTO_REJ: return "proto-rej"; 6554 case ECHO_REQ: return "echo-req"; 6555 case ECHO_REPLY: return "echo-reply"; 6556 case DISC_REQ: return "discard-req"; 6557 } 6558 if (buf != NULL) 6559 snprintf(buf, buflen, "0x%02x", type); 6560 return buf; 6561 } 6562 6563 static const char * 6564 sppp_auth_type_name(char *buf, size_t buflen, u_short proto, u_char type) 6565 { 6566 const char *name; 6567 6568 switch (proto) { 6569 case PPP_CHAP: 6570 switch (type) { 6571 case CHAP_CHALLENGE: return "challenge"; 6572 case CHAP_RESPONSE: return "response"; 6573 case CHAP_SUCCESS: return "success"; 6574 case CHAP_FAILURE: return "failure"; 6575 default: name = "chap"; break; 6576 } 6577 break; 6578 6579 case PPP_PAP: 6580 switch (type) { 6581 case PAP_REQ: return "req"; 6582 case PAP_ACK: return "ack"; 6583 case PAP_NAK: return "nak"; 6584 default: name = "pap"; break; 6585 } 6586 break; 6587 6588 default: 6589 name = "bad"; 6590 break; 6591 } 6592 6593 if (buf != NULL) 6594 snprintf(buf, buflen, "%s(%#x) 0x%02x", name, proto, type); 6595 return buf; 6596 } 6597 6598 static const char * 6599 sppp_lcp_opt_name(char *buf, size_t buflen, u_char opt) 6600 { 6601 6602 switch (opt) { 6603 case LCP_OPT_MRU: return "mru"; 6604 case LCP_OPT_ASYNC_MAP: return "async-map"; 6605 case LCP_OPT_AUTH_PROTO: return "auth-proto"; 6606 case LCP_OPT_QUAL_PROTO: return "qual-proto"; 6607 case LCP_OPT_MAGIC: return "magic"; 6608 case LCP_OPT_PROTO_COMP: return "proto-comp"; 6609 case LCP_OPT_ADDR_COMP: return "addr-comp"; 6610 case LCP_OPT_SELF_DESC_PAD: return "sdpad"; 6611 case LCP_OPT_CALL_BACK: return "callback"; 6612 case LCP_OPT_COMPOUND_FRMS: return "cmpd-frms"; 6613 case LCP_OPT_MP_MRRU: return "mrru"; 6614 case LCP_OPT_MP_SSNHF: return "mp-ssnhf"; 6615 case LCP_OPT_MP_EID: return "mp-eid"; 6616 } 6617 if (buf != NULL) 6618 snprintf(buf, buflen, "0x%02x", opt); 6619 return buf; 6620 } 6621 6622 static const char * 6623 sppp_ipcp_opt_name(char *buf, size_t buflen, u_char opt) 6624 { 6625 6626 switch (opt) { 6627 case IPCP_OPT_ADDRESSES: return "addresses"; 6628 case IPCP_OPT_COMPRESSION: return "compression"; 6629 case IPCP_OPT_ADDRESS: return "address"; 6630 case IPCP_OPT_PRIMDNS: return "primdns"; 6631 case IPCP_OPT_SECDNS: return "secdns"; 6632 } 6633 if (buf != NULL) 6634 snprintf(buf, buflen, "0x%02x", opt); 6635 return buf; 6636 } 6637 6638 #ifdef INET6 6639 static const char * 6640 sppp_ipv6cp_opt_name(char *buf, size_t buflen, u_char opt) 6641 { 6642 6643 switch (opt) { 6644 case IPV6CP_OPT_IFID: return "ifid"; 6645 case IPV6CP_OPT_COMPRESSION: return "compression"; 6646 } 6647 if (buf != NULL) 6648 snprintf(buf, buflen, "0x%02x", opt); 6649 return buf; 6650 } 6651 #endif 6652 6653 static const char * 6654 sppp_state_name(int state) 6655 { 6656 6657 switch (state) { 6658 case STATE_INITIAL: return "initial"; 6659 case STATE_STARTING: return "starting"; 6660 case STATE_CLOSED: return "closed"; 6661 case STATE_STOPPED: return "stopped"; 6662 case STATE_CLOSING: return "closing"; 6663 case STATE_STOPPING: return "stopping"; 6664 case STATE_REQ_SENT: return "req-sent"; 6665 case STATE_ACK_RCVD: return "ack-rcvd"; 6666 case STATE_ACK_SENT: return "ack-sent"; 6667 case STATE_OPENED: return "opened"; 6668 } 6669 return "illegal"; 6670 } 6671 6672 static const char * 6673 sppp_phase_name(int phase) 6674 { 6675 6676 switch (phase) { 6677 case SPPP_PHASE_DEAD: return "dead"; 6678 case SPPP_PHASE_ESTABLISH: return "establish"; 6679 case SPPP_PHASE_TERMINATE: return "terminate"; 6680 case SPPP_PHASE_AUTHENTICATE: return "authenticate"; 6681 case SPPP_PHASE_NETWORK: return "network"; 6682 } 6683 return "illegal"; 6684 } 6685 6686 static const char * 6687 sppp_proto_name(char *buf, size_t buflen, u_short proto) 6688 { 6689 6690 switch (proto) { 6691 case PPP_LCP: return "lcp"; 6692 case PPP_IPCP: return "ipcp"; 6693 case PPP_PAP: return "pap"; 6694 case PPP_CHAP: return "chap"; 6695 case PPP_IPV6CP: return "ipv6cp"; 6696 } 6697 if (buf != NULL) { 6698 snprintf(buf, sizeof(buf), "0x%04x", 6699 (unsigned)proto); 6700 } 6701 return buf; 6702 } 6703 6704 static void 6705 sppp_print_bytes(const u_char *p, u_short len) 6706 { 6707 addlog(" %02x", *p++); 6708 while (--len > 0) 6709 addlog("-%02x", *p++); 6710 } 6711 6712 static void 6713 sppp_print_string(const char *p, u_short len) 6714 { 6715 u_char c; 6716 6717 while (len-- > 0) { 6718 c = *p++; 6719 /* 6720 * Print only ASCII chars directly. RFC 1994 recommends 6721 * using only them, but we don't rely on it. */ 6722 if (c < ' ' || c > '~') 6723 addlog("\\x%x", c); 6724 else 6725 addlog("%c", c); 6726 } 6727 } 6728 6729 static const char * 6730 sppp_dotted_quad(char *buf, size_t buflen, uint32_t addr) 6731 { 6732 6733 if (buf != NULL) { 6734 snprintf(buf, buflen, "%u.%u.%u.%u", 6735 (unsigned int)((addr >> 24) & 0xff), 6736 (unsigned int)((addr >> 16) & 0xff), 6737 (unsigned int)((addr >> 8) & 0xff), 6738 (unsigned int)(addr & 0xff)); 6739 } 6740 return buf; 6741 } 6742 6743 /* a dummy, used to drop uninteresting events */ 6744 static void 6745 sppp_null(struct sppp *unused) 6746 { 6747 /* do just nothing */ 6748 } 6749 6750 static void 6751 sppp_tls(const struct cp *cp, struct sppp *sp) 6752 { 6753 6754 /* notify lcp that is lower layer */ 6755 sp->lcp.protos |= (1 << cp->protoidx); 6756 6757 if (sp->scp[IDX_LCP].state == STATE_OPENED) 6758 sppp_wq_add(sp->wq_cp, &sp->scp[cp->protoidx].work_up); 6759 } 6760 6761 static void 6762 sppp_tlf(const struct cp *cp, struct sppp *sp) 6763 { 6764 STDDCL; 6765 6766 if (debug) 6767 log(LOG_DEBUG, "%s: %s tlf\n", ifp->if_xname, cp->name); 6768 6769 /* notify lcp that is lower layer */ 6770 sp->lcp.protos &= ~(1 << cp->protoidx); 6771 6772 /* cleanup */ 6773 if (sp->scp[cp->protoidx].mbuf_confreq != NULL) { 6774 m_freem(sp->scp[cp->protoidx].mbuf_confreq); 6775 sp->scp[cp->protoidx].mbuf_confreq = NULL; 6776 } 6777 if (sp->scp[cp->protoidx].mbuf_confnak != NULL) { 6778 m_freem(sp->scp[cp->protoidx].mbuf_confnak); 6779 sp->scp[cp->protoidx].mbuf_confnak = NULL; 6780 } 6781 6782 sppp_lcp_check_and_close(sp); 6783 } 6784 6785 static void 6786 sppp_screply(const struct cp *cp, struct sppp *sp, u_char type, 6787 uint8_t ident, size_t msglen, void *msg) 6788 { 6789 STDDCL; 6790 6791 if (msglen == 0) 6792 return; 6793 6794 switch (type) { 6795 case CONF_ACK: 6796 case CONF_NAK: 6797 case CONF_REJ: 6798 break; 6799 default: 6800 return; 6801 } 6802 6803 if (debug) { 6804 char tbuf[SPPP_CPTYPE_NAMELEN]; 6805 const char *cpname; 6806 6807 cpname = sppp_cp_type_name(tbuf, sizeof(tbuf), type); 6808 log(LOG_DEBUG, "%s: send %s\n", ifp->if_xname, cpname); 6809 } 6810 6811 sppp_cp_send(sp, cp->proto, type, ident, msglen, msg); 6812 } 6813 6814 static void 6815 sppp_ifdown(struct sppp *sp, void *xcp __unused) 6816 { 6817 6818 SPPP_UNLOCK(sp); 6819 if_down(&sp->pp_if); 6820 IF_PURGE(&sp->pp_cpq); 6821 SPPP_LOCK(sp, RW_WRITER); 6822 } 6823 6824 static void 6825 sppp_notify_up(struct sppp *sp) 6826 { 6827 6828 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_up); 6829 } 6830 6831 static void 6832 sppp_notify_down(struct sppp *sp) 6833 { 6834 6835 sppp_wq_add(sp->wq_cp, &sp->scp[IDX_LCP].work_down); 6836 } 6837 6838 static void 6839 sppp_notify_tls_wlocked(struct sppp *sp) 6840 { 6841 6842 KASSERT(SPPP_WLOCKED(sp)); 6843 6844 if (!sp->pp_tls) 6845 return; 6846 6847 SPPP_UNLOCK(sp); 6848 sp->pp_tls(sp); 6849 SPPP_LOCK(sp, RW_WRITER); 6850 } 6851 6852 static void 6853 sppp_notify_tlf_wlocked(struct sppp *sp) 6854 { 6855 6856 KASSERT(SPPP_WLOCKED(sp)); 6857 6858 if (!sp->pp_tlf) 6859 return; 6860 6861 SPPP_UNLOCK(sp); 6862 sp->pp_tlf(sp); 6863 SPPP_LOCK(sp, RW_WRITER); 6864 } 6865 6866 static void 6867 sppp_notify_con(struct sppp *sp) 6868 { 6869 6870 if (!sp->pp_con) 6871 return; 6872 6873 sp->pp_con(sp); 6874 } 6875 6876 #ifdef INET6 6877 static void 6878 sppp_notify_con_wlocked(struct sppp *sp) 6879 { 6880 6881 KASSERT(SPPP_WLOCKED(sp)); 6882 6883 SPPP_UNLOCK(sp); 6884 sppp_notify_con(sp); 6885 SPPP_LOCK(sp, RW_WRITER); 6886 6887 } 6888 #endif 6889 6890 static void 6891 sppp_notify_chg_wlocked(struct sppp *sp) 6892 { 6893 6894 KASSERT(SPPP_WLOCKED(sp)); 6895 6896 if (!sp->pp_chg) 6897 return; 6898 6899 SPPP_UNLOCK(sp); 6900 sp->pp_chg(sp, sp->pp_phase); 6901 SPPP_LOCK(sp, RW_WRITER); 6902 } 6903 6904 static void 6905 sppp_wq_work(struct work *wk, void *xsp) 6906 { 6907 struct sppp *sp; 6908 struct sppp_work *work; 6909 6910 sp = xsp; 6911 work = container_of(wk, struct sppp_work, work); 6912 atomic_cas_uint(&work->state, SPPP_WK_BUSY, SPPP_WK_FREE); 6913 6914 SPPP_LOCK(sp, RW_WRITER); 6915 work->func(sp, work->arg); 6916 SPPP_UNLOCK(sp); 6917 } 6918 6919 static struct workqueue * 6920 sppp_wq_create(struct sppp *sp, const char *xnamebuf, pri_t prio, int ipl, int flags) 6921 { 6922 struct workqueue *wq; 6923 int error; 6924 6925 error = workqueue_create(&wq, xnamebuf, sppp_wq_work, 6926 (void *)sp, prio, ipl, flags); 6927 if (error) { 6928 panic("%s: workqueue_create failed [%s, %d]\n", 6929 sp->pp_if.if_xname, xnamebuf, error); 6930 } 6931 6932 return wq; 6933 } 6934 6935 static void 6936 sppp_wq_destroy(struct sppp *sp __unused, struct workqueue *wq) 6937 { 6938 6939 workqueue_destroy(wq); 6940 } 6941 6942 static void 6943 sppp_wq_set(struct sppp_work *work, 6944 void (*func)(struct sppp *, void *), void *arg) 6945 { 6946 6947 work->func = func; 6948 work->arg = arg; 6949 } 6950 6951 static void 6952 sppp_wq_add(struct workqueue *wq, struct sppp_work *work) 6953 { 6954 6955 if (atomic_cas_uint(&work->state, SPPP_WK_FREE, SPPP_WK_BUSY) 6956 != SPPP_WK_FREE) 6957 return; 6958 6959 KASSERT(work->func != NULL); 6960 kpreempt_disable(); 6961 workqueue_enqueue(wq, &work->work, NULL); 6962 kpreempt_enable(); 6963 } 6964 static void 6965 sppp_wq_wait(struct workqueue *wq, struct sppp_work *work) 6966 { 6967 6968 atomic_swap_uint(&work->state, SPPP_WK_UNAVAIL); 6969 workqueue_wait(wq, &work->work); 6970 } 6971 6972 /* 6973 * This file is large. Tell emacs to highlight it nevertheless. 6974 * 6975 * Local Variables: 6976 * hilit-auto-highlight-maxout: 120000 6977 * End: 6978 */ 6979 6980 /* 6981 * Module glue 6982 */ 6983 MODULE(MODULE_CLASS_MISC, sppp_subr, NULL); 6984 6985 static int 6986 sppp_subr_modcmd(modcmd_t cmd, void *arg) 6987 { 6988 6989 switch (cmd) { 6990 case MODULE_CMD_INIT: 6991 case MODULE_CMD_FINI: 6992 return 0; 6993 case MODULE_CMD_STAT: 6994 case MODULE_CMD_AUTOUNLOAD: 6995 default: 6996 return ENOTTY; 6997 } 6998 } 6999
Indexes created Fri Sep 26 08:10:20 GMT 2025