2 * Copyright (c) 2000 Semen Ustimenko <semenu@FreeBSD.org>
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * $FreeBSD: src/usr.sbin/ppp/mppe.c,v 1.4.2.6 2002/09/01 02:12:29 brian Exp $
29 #include <sys/param.h>
31 #include <sys/socket.h>
32 #include <netinet/in_systm.h>
33 #include <netinet/in.h>
34 #include <netinet/ip.h>
41 #include <openssl/rc4.h>
52 #include "throughput.h"
59 #include "descriptor.h"
65 #include "slcompress.h"
76 * draft-ietf-pppext-mppe-04.txt
77 * draft-ietf-pppext-mppe-keys-02.txt
/*
 * Bits of the 32-bit MPPE configure-option value negotiated over CCP.
 * MPPE_OPT_BITMASK (0xe0) is the union of the 40-, 56- and 128-bit
 * key-strength bits; MPPE_OPT_MASK is every bit this file accepts from a
 * peer (MPPESetOptsInput rejects anything outside it).
 */
80 #define MPPE_OPT_STATELESS 0x1000000
81 #define MPPE_OPT_COMPRESSED 0x01
82 #define MPPE_OPT_40BIT 0x20
83 #define MPPE_OPT_56BIT 0x80
84 #define MPPE_OPT_128BIT 0x40
85 #define MPPE_OPT_BITMASK 0xe0
86 #define MPPE_OPT_MASK (MPPE_OPT_STATELESS | MPPE_OPT_BITMASK)
/*
 * Layout of the 16-bit prefix carried in front of every MPPE packet:
 * MPPE_HEADER_BITMASK selects the flag bits, and the input/output code
 * keeps the coherency count (cohnum) in the bits outside that mask.
 */
88 #define MPPE_FLUSHED 0x8000
89 #define MPPE_ENCRYPTED 0x1000
90 #define MPPE_HEADER_BITMASK 0xf000
91 #define MPPE_HEADER_FLAG 0x00ff
92 #define MPPE_HEADER_FLAGMASK 0x00ff
93 #define MPPE_HEADER_FLAGSHIFT 8
94 #define MPPE_HEADER_STATEFUL_KEYCHANGES 16
/*
 * Fields of struct mppe_state, the state object the input and output
 * routines receive through their void *v argument (the struct header is
 * not part of this listing).
 */
97 unsigned stateless : 1;
98 unsigned flushnext : 1;
99 unsigned flushrequired : 1;
/*
 * NOTE(review): keylen is a signed int, yet the init routines compare it
 * with sizeof(mastkey) and pass it to memcpy() as a length. An unsigned
 * type would make that bound check easier to reason about.
 */
101 int keylen; /* 8 or 16 bytes */
102 int keybits; /* 40, 56 or 128 bits */
/*
 * Secret key material: sesskey is what RC4_set_key() is fed, mastkey is
 * the input MPPEKeyChange() re-derives sesskey from.
 */
103 char sesskey[MPPE_KEY_LEN];
104 char mastkey[MPPE_KEY_LEN];
/*
 * File-scope MPPE inputs with external linkage. MPPE_MasterKey is secret
 * key material; the option and init routines in this file test
 * MPPE_MasterKeyValid before relying on it. Where these are written is
 * not shown in this listing.
 */
108 int MPPE_MasterKeyValid = 0;
109 int MPPE_IsServer = 0;
110 char MPPE_MasterKey[MPPE_KEY_LEN];
113 * The peer has missed a packet. Mark the next output frame to be FLUSHED
/*
 * Output-channel reset handler. v is the output struct mppe_state.
 * One of two LogCCP messages is written; the condition that picks between
 * them and any state change are on lines missing from this listing.
 * Returns 0, which per the original comment asks the FSM not to ACK.
 */
116 MPPEResetOutput(void *v)
118 struct mppe_state *mop = (struct mppe_state *)v;
121 log_Printf(LogCCP, "MPPE: Unexpected output channel reset\n");
123 log_Printf(LogCCP, "MPPE: Output channel reset\n");
127 return 0; /* Ask FSM not to ACK */
/*
 * Weakens the session key to the negotiated strength by overwriting its
 * leading bytes with fixed, publicly known constants, selected by
 * mp->keybits. The case labels are missing from this listing; presumably
 * the 40-bit case fixes bytes 2, 1 and 0 and the 56-bit case only byte 0
 * (TODO confirm).
 * Security note: every byte fixed here is no longer secret, so the
 * reduced modes leave correspondingly less key entropy for RC4.
 */
131 MPPEReduceSessionKey(struct mppe_state *mp)
133 switch(mp->keybits) {
135 mp->sesskey[2] = 0x9e;
136 mp->sesskey[1] = 0x26;
138 mp->sesskey[0] = 0xd1;
/*
 * Rolls the session key forward: derives InterimKey from mastkey and the
 * current sesskey via GetNewKeyFromSHA(), keys RC4 with InterimKey,
 * encrypts InterimKey into sesskey, then applies the key-strength
 * reduction.
 * NOTE(review): InterimKey and RC4Key hold key material in locals; no
 * zeroisation is visible in this listing before the function returns.
 */
145 MPPEKeyChange(struct mppe_state *mp)
147 char InterimKey[MPPE_KEY_LEN];
150 GetNewKeyFromSHA(mp->mastkey, mp->sesskey, mp->keylen, InterimKey);
151 RC4_set_key(&RC4Key, mp->keylen, InterimKey);
152 RC4(&RC4Key, mp->keylen, InterimKey, mp->sesskey);
154 MPPEReduceSessionKey(mp);
/*
 * Encrypts one outgoing packet. v is the output struct mppe_state.
 * Visible steps: build the 16-bit prefix from MPPE_ENCRYPTED and the
 * coherency count, change or re-initialise the RC4 key when required,
 * write the prefix, RC4-encrypt the 2-byte protocol number and then the
 * payload in place, and replace *proto with the CCP protocol number.
 * Several lines of the body (declarations, returns, closing braces) are
 * missing from this listing.
 */
158 MPPEOutput(void *v, struct ccp *ccp, struct link *l, int pri, u_short *proto,
161 struct mppe_state *mop = (struct mppe_state *)v;
163 u_short nproto, prefix;
164 int dictinit, ilen, len;
170 log_Printf(LogDEBUG, "MPPE: Output: Proto %02x (%d bytes)\n", *proto, ilen);
/*
 * NOTE(review): "*proto < 0x21 && *proto > 0xFA" can never be true, so
 * the "Not encrypting" branch is unreachable and every protocol number
 * is passed to the encryption path. The intended range test is
 * presumably "*proto < 0x21 || *proto > 0xFA"; confirm against the MPPE
 * draft named in the file header.
 */
171 if (*proto < 0x21 && *proto > 0xFA) {
172 log_Printf(LogDEBUG, "MPPE: Output: Not encrypting\n");
173 ccp->compout += ilen;
174 ccp->uncompout += ilen;
/*
 * Security note: this dumps the packet before it is encrypted, so
 * enabling LogDEBUG writes cleartext traffic to the log.
 */
178 log_DumpBp(LogDEBUG, "MPPE: Output: Encrypt packet:", mp);
180 /* Get mbuf for prefixes */
181 mo = m_get(4, MB_CCPOUT);
185 prefix = MPPE_ENCRYPTED | mop->cohnum;
187 if (mop->stateless ||
188 (mop->cohnum & MPPE_HEADER_FLAGMASK) == MPPE_HEADER_FLAG) {
190 log_Printf(LogDEBUG, "MPPEOutput: Key changed [%d]\n", mop->cohnum);
195 if (mop->stateless || mop->flushnext) {
196 prefix |= MPPE_FLUSHED;
202 /* Initialise our dictionary */
203 log_Printf(LogDEBUG, "MPPEOutput: Dictionary initialised [%d]\n",
205 RC4_set_key(&mop->rc4key, mop->keylen, mop->sesskey);
208 /* Set MPPE packet prefix */
209 ua_htons(&prefix, rp);
211 /* Save encrypted protocol number */
212 nproto = htons(*proto);
213 RC4(&mop->rc4key, 2, (char *)&nproto, rp + 2);
215 /* Encrypt main packet */
217 RC4(&mop->rc4key, ilen, rp, rp);
220 mop->cohnum &= ~MPPE_HEADER_BITMASK;
222 /* Set the protocol number */
223 *proto = ccp_Proto(ccp);
225 ccp->uncompout += ilen;
228 log_Printf(LogDEBUG, "MPPE: Output: Encrypted: Proto %02x (%d bytes)\n",
/*
 * Input-channel reset-ack handler. The only visible action is a LogCCP
 * message saying the ack was unexpected; the rest of the body is not
 * part of this listing.
 */
235 MPPEResetInput(void *v)
237 log_Printf(LogCCP, "MPPE: Unexpected input channel ack\n");
/*
 * Decrypts one incoming packet. v is the input struct mppe_state.
 * Visible steps: read the peer-supplied 16-bit prefix, reject packets
 * whose flag bits are not MPPE_ENCRYPTED, reconcile the received
 * coherency count with mip->cohnum (key changes in stateless mode,
 * catch-up or CODE_RESETREQ in stateful mode), re-key RC4 when the
 * dictionary is re-initialised, then RC4-decrypt the protocol number and
 * the payload in place.
 * Security note: no integrity check on the decrypted data is visible in
 * this function; the prefix and ciphertext are acted on as received.
 * Several lines of the body are missing from this listing.
 */
241 MPPEInput(void *v, struct ccp *ccp, u_short *proto, struct mbuf *mp)
243 struct mppe_state *mip = (struct mppe_state *)v;
246 int dictinit, flushed, ilen, len, n;
252 log_Printf(LogDEBUG, "MPPE: Input: Proto %02x (%d bytes)\n", *proto, ilen);
253 log_DumpBp(LogDEBUG, "MPPE: Input: Packet:", mp);
255 mp = mbuf_Read(mp, &prefix, 2);
256 prefix = ntohs(prefix);
257 flushed = prefix & MPPE_FLUSHED;
259 if ((prefix & MPPE_HEADER_BITMASK) != MPPE_ENCRYPTED) {
260 log_Printf(LogERROR, "MPPE: Input: Invalid packet (flags = 0x%x)\n",
261 (prefix & MPPE_HEADER_BITMASK) | flushed);
266 prefix &= ~MPPE_HEADER_BITMASK;
268 if (!flushed && mip->stateless) {
269 log_Printf(LogCCP, "MPPEInput: Packet without MPPE_FLUSHED set"
270 " in stateless mode\n");
271 flushed = MPPE_FLUSHED;
/*
 * NOTE(review): a stateless-mode packet that lacks MPPE_FLUSHED is only
 * logged and then treated as flushed; the original author's question
 * below is still open.
 */
272 /* Should we really continue ? */
275 if (mip->stateless) {
276 /* Change our key for each missed packet in stateless mode */
/*
 * NOTE(review): the loop runs until mip->cohnum equals the received
 * count, so the number of key changes per packet is set by the peer's
 * header; no bound other than the counter width is visible here.
 */
277 while (prefix != mip->cohnum) {
278 log_Printf(LogDEBUG, "MPPEInput: Key changed [%u]\n", prefix);
281 * mip->cohnum contains what we received last time in stateless
285 mip->cohnum &= ~MPPE_HEADER_BITMASK;
291 * We can always process a flushed packet.
292 * Catch up on any outstanding key changes.
294 n = (prefix >> MPPE_HEADER_FLAGSHIFT) -
295 (mip->cohnum >> MPPE_HEADER_FLAGSHIFT);
297 n += MPPE_HEADER_STATEFUL_KEYCHANGES;
299 log_Printf(LogDEBUG, "MPPEInput: Key changed during catchup [%u]\n",
303 mip->flushrequired = 0;
304 mip->cohnum = prefix;
308 if (mip->flushrequired) {
310 * Perhaps we should be lenient if
311 * (prefix & MPPE_HEADER_FLAGMASK) == MPPE_HEADER_FLAG
312 * The spec says that we shouldn't be though....
314 log_Printf(LogDEBUG, "MPPE: Not flushed - discarded\n");
315 fsm_Output(&ccp->fsm, CODE_RESETREQ, ccp->fsm.reqid++, NULL, 0,
321 if (prefix != mip->cohnum) {
323 * We're in stateful mode and didn't receive the expected
324 * packet. Send a reset request, but don't tell the CCP layer
325 * about it as we don't expect to receive a Reset ACK !
326 * Guess what... M$ invented this !
328 log_Printf(LogCCP, "MPPE: Input: Got seq %u, not %u\n",
329 prefix, mip->cohnum);
330 fsm_Output(&ccp->fsm, CODE_RESETREQ, ccp->fsm.reqid++, NULL, 0,
332 mip->flushrequired = 1;
337 if ((prefix & MPPE_HEADER_FLAGMASK) == MPPE_HEADER_FLAG) {
338 log_Printf(LogDEBUG, "MPPEInput: Key changed [%u]\n", prefix);
345 * mip->cohnum contains what we expect to receive next time in stateful
349 mip->cohnum &= ~MPPE_HEADER_BITMASK;
353 log_Printf(LogDEBUG, "MPPEInput: Dictionary initialised [%u]\n", prefix);
354 RC4_set_key(&mip->rc4key, mip->keylen, mip->sesskey);
357 mp = mbuf_Read(mp, proto, 2);
358 RC4(&mip->rc4key, 2, (char *)proto, (char *)proto);
359 *proto = ntohs(*proto);
363 RC4(&mip->rc4key, len, rp, rp);
365 log_Printf(LogDEBUG, "MPPEInput: Decrypted: Proto %02x (%d bytes)\n",
/*
 * Security note: this dumps the packet after decryption, so enabling
 * LogDEBUG writes cleartext traffic to the log.
 */
367 log_DumpBp(LogDEBUG, "MPPEInput: Decrypted: Packet:", mp);
369 ccp->uncompin += len;
375 MPPEDictSetup(void *v, struct ccp *ccp, u_short proto, struct mbuf *mi)
/*
 * Formats the MPPE option value in o->data as human-readable text in buf:
 * the hex value, the offered key strengths (or 0 when none is set),
 * stateless/stateful, and whether the compressed bit is set.
 * NOTE(review): snprintf() returns the length that would have been
 * written. The lines that advance len are missing from this listing; if
 * they add n without clamping, a truncated write would make
 * "sizeof buf - len" wrap. Confirm buf is sized for the longest string.
 */
380 MPPEDispOpts(struct fsm_opt *o)
387 ua_ntohl(o->data, &val);
389 if ((n = snprintf(buf, sizeof buf, "value 0x%08x ", (unsigned)val)) > 0)
391 if (!(val & MPPE_OPT_BITMASK)) {
392 if ((n = snprintf(buf + len, sizeof buf - len, "(0")) > 0)
396 if (val & MPPE_OPT_128BIT) {
397 if ((n = snprintf(buf + len, sizeof buf - len, "%c128", ch)) > 0)
401 if (val & MPPE_OPT_56BIT) {
402 if ((n = snprintf(buf + len, sizeof buf - len, "%c56", ch)) > 0)
406 if (val & MPPE_OPT_40BIT) {
407 if ((n = snprintf(buf + len, sizeof buf - len, "%c40", ch)) > 0)
413 if ((n = snprintf(buf + len, sizeof buf - len, " bits, state%s",
414 (val & MPPE_OPT_STATELESS) ? "less" : "ful")) > 0)
417 if (val & MPPE_OPT_COMPRESSED) {
418 if ((n = snprintf(buf + len, sizeof buf - len, ", compressed")) > 0)
422 snprintf(buf + len, sizeof buf - len, ")");
/*
 * Decides whether MPPE may be negotiated on this link.
 * Two paths are visible: one requires both RADIUS-supplied key lengths
 * (send and receive) to be non-zero; the other requires CHAP with
 * algorithm 0x81 in either direction, because the master key comes from
 * that exchange. The condition choosing between the paths is on a line
 * missing from this listing; presumably it is whether RADIUS is
 * configured (TODO confirm).
 */
428 MPPEUsable(struct fsm *fp)
432 struct radius *r = &fp->bundle->radius;
435 * If the radius server gave us RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES,
436 * use that instead of our configuration value.
439 ok = r->mppe.sendkeylen && r->mppe.recvkeylen;
441 log_Printf(LogCCP, "MPPE: Not permitted by RADIUS server\n");
445 struct lcp *lcp = &fp->link->lcp;
446 ok = (lcp->want_auth == PROTO_CHAP && lcp->want_authtype == 0x81) ||
447 (lcp->his_auth == PROTO_CHAP && lcp->his_authtype == 0x81);
449 log_Printf(LogCCP, "MPPE: Not usable without CHAP81\n");
/*
 * Reports whether encryption is mandatory on this link.
 * When a RADIUS config file is set and the server supplied a policy, the
 * result is 1 only for MPPE_POLICY_REQUIRED; otherwise the local
 * ccp.cfg.mppe.required setting is returned.
 * Security note: a RADIUS policy other than REQUIRED therefore overrides
 * a local "required" setting.
 */
456 MPPERequired(struct fsm *fp)
460 * If the radius server gave us RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY,
461 * use that instead of our configuration value.
463 if (*fp->bundle->radius.cfg.file && fp->bundle->radius.mppe.policy)
464 return fp->bundle->radius.mppe.policy == MPPE_POLICY_REQUIRED ? 1 : 0;
467 return fp->link->ccp.cfg.mppe.required;
/*
 * Builds the MPPE option value this side wants: the stateless bit from
 * cfg->mppe.state, plus key-strength bits taken from the RADIUS
 * "types" attribute when present, else from cfg->mppe.keybits.
 * Security note: the last visible assignment ORs in all three strengths,
 * 40-bit included. The case labels are missing from this listing;
 * presumably that is the branch for an unconfigured keybits value
 * (TODO confirm). Setting keybits explicitly avoids offering the weaker
 * modes.
 */
471 MPPE_ConfigVal(struct bundle *bundle, const struct ccp_config *cfg)
475 val = cfg->mppe.state == MPPE_STATELESS ? MPPE_OPT_STATELESS : 0;
478 * If the radius server gave us RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES,
479 * use that instead of our configuration value.
481 if (*bundle->radius.cfg.file && bundle->radius.mppe.types) {
482 if (bundle->radius.mppe.types & MPPE_TYPE_40BIT)
483 val |= MPPE_OPT_40BIT;
484 if (bundle->radius.mppe.types & MPPE_TYPE_128BIT)
485 val |= MPPE_OPT_128BIT;
488 switch(cfg->mppe.keybits) {
490 val |= MPPE_OPT_128BIT;
493 val |= MPPE_OPT_56BIT;
496 val |= MPPE_OPT_40BIT;
499 val |= MPPE_OPT_128BIT | MPPE_OPT_56BIT | MPPE_OPT_40BIT;
507 * What options should we use for our first configure request
/*
 * Fills o->data with the option value for the first configure request:
 * the value from MPPE_ConfigVal() when a master key is available, or
 * zero (after a LogCCP message) when it is not.
 * NOTE(review): every other ua_htonl() call in this file passes the
 * address of a u_int32_t as its first argument; the literal 0x0 below is
 * a null pointer in that position. If ua_htonl() dereferences its source
 * argument this is a NULL dereference; store zero in mval and pass &mval
 * instead (TODO confirm against ua_htonl's definition).
 */
510 MPPEInitOptsOutput(struct bundle *bundle, struct fsm_opt *o,
511 const struct ccp_config *cfg)
517 if (!MPPE_MasterKeyValid) {
518 log_Printf(LogCCP, "MPPE: MasterKey is invalid,"
519 " MPPE is available only with CHAP81 authentication\n");
520 ua_htonl(0x0, o->data);
525 mval = MPPE_ConfigVal(bundle, cfg);
526 ua_htonl(&mval, o->data);
530 * Our CCP request was NAK'd with the given options
/*
 * Recomputes our requested option value after the peer NAK'd it.
 * peer is the value the peer suggested, read from o->data; the result is
 * written back to o->data.
 * Security note: when cfg->mppe.keybits is 0 the key-strength bits are
 * taken from the peer's suggestion, and when cfg->mppe.state is
 * MPPE_ANYSTATE so is the stateless bit. A peer can thus steer the link
 * to 40-bit keys unless keybits is configured explicitly.
 */
533 MPPESetOptsOutput(struct bundle *bundle, struct fsm_opt *o,
534 const struct ccp_config *cfg)
536 u_int32_t mval, peer;
538 ua_ntohl(o->data, &peer);
540 if (!MPPE_MasterKeyValid)
541 /* Treat their NAK as a REJ */
544 mval = MPPE_ConfigVal(bundle, cfg);
547 * If we haven't been configured with a specific number of keybits, allow
548 * whatever the peer asks for.
550 if (!cfg->mppe.keybits) {
551 mval &= ~MPPE_OPT_BITMASK;
552 mval |= (peer & MPPE_OPT_BITMASK);
553 if (!(mval & MPPE_OPT_BITMASK))
554 mval |= MPPE_OPT_128BIT;
557 /* Adjust our statelessness */
558 if (cfg->mppe.state == MPPE_ANYSTATE) {
559 mval &= ~MPPE_OPT_STATELESS;
560 mval |= (peer & MPPE_OPT_STATELESS);
563 ua_htonl(&mval, o->data);
569 * The peer has requested the given options
/*
 * Evaluates the option value the peer requested (read from o->data) and
 * writes our answer back to o->data.
 * Visible checks: bits outside MPPE_OPT_MASK are not accepted, the
 * stateless bit is compared with cfg->mppe.state, and with a configured
 * cfg->mppe.keybits the peer's value must equal ours exactly or the
 * result is MODE_NAK. Without a configured keybits, the strongest
 * strength the peer offered is suggested (128, then 56, then 40).
 * Security note: in that unconfigured case a peer that offers only
 * 40-bit gets 40-bit; pin keybits to prevent the weaker modes.
 * The return statements for most branches are missing from this listing.
 */
572 MPPESetOptsInput(struct bundle *bundle, struct fsm_opt *o,
573 const struct ccp_config *cfg)
575 u_int32_t mval, peer;
578 ua_ntohl(o->data, &peer);
579 if (!MPPE_MasterKeyValid) {
582 ua_htonl(&peer, o->data);
588 mval = MPPE_ConfigVal(bundle, cfg);
590 if (peer & ~MPPE_OPT_MASK)
591 /* He's asking for bits we don't know about */
594 if (peer & MPPE_OPT_STATELESS) {
595 if (cfg->mppe.state == MPPE_STATEFUL)
596 /* Peer can't have stateless */
599 /* Peer wants stateless, that's ok */
600 mval |= MPPE_OPT_STATELESS;
602 if (cfg->mppe.state == MPPE_STATELESS)
603 /* Peer must have stateless */
606 /* Peer doesn't want stateless, that's ok */
607 mval &= ~MPPE_OPT_STATELESS;
610 /* If we've got a configured number of keybits - the peer must use that */
611 if (cfg->mppe.keybits) {
612 ua_htonl(&mval, o->data);
613 return peer == mval ? res : MODE_NAK;
616 /* If a specific number of bits hasn't been requested, we'll need to NAK */
617 switch (peer & MPPE_OPT_BITMASK) {
618 case MPPE_OPT_128BIT:
626 /* Suggest the best number of bits */
627 mval &= ~MPPE_OPT_BITMASK;
628 if (peer & MPPE_OPT_128BIT)
629 mval |= MPPE_OPT_128BIT;
630 else if (peer & MPPE_OPT_56BIT)
631 mval |= MPPE_OPT_56BIT;
632 else if (peer & MPPE_OPT_40BIT)
633 mval |= MPPE_OPT_40BIT;
635 mval |= MPPE_OPT_128BIT;
636 ua_htonl(&mval, o->data);
/*
 * Allocates a zero-filled struct mppe_state and fills it from the
 * negotiated option value in o->data: key strength from the
 * MPPE_OPT_BITMASK bits, stateless flag from MPPE_OPT_STATELESS.
 * A value matching no case is logged as unexpected; callers treat a NULL
 * return as "unexpected options". The case bodies and the return
 * statements are missing from this listing.
 */
641 static struct mppe_state *
642 MPPE_InitState(struct fsm_opt *o)
644 struct mppe_state *mp;
647 if ((mp = calloc(1, sizeof *mp)) != NULL) {
648 ua_ntohl(o->data, &val);
650 switch (val & MPPE_OPT_BITMASK) {
651 case MPPE_OPT_128BIT:
664 log_Printf(LogWARN, "Unexpected MPPE options 0x%08x\n", val);
669 mp->stateless = !!(val & MPPE_OPT_STATELESS);
/*
 * Creates and keys the input (decryption) state.
 * Refuses to run without a valid master key. The start key comes either
 * from the RADIUS-supplied receive key or from GetAsymetricStartKey()
 * on MPPE_MasterKey; the session key is then derived with
 * GetNewKeyFromSHA() and reduced to the negotiated strength. In stateful
 * mode RC4 is keyed immediately and the first key change is done here.
 * Security note: with a RADIUS key, keylen is lowered to recvkeylen and
 * then clamped to sizeof(mastkey) before memcpy(), which bounds the
 * copy; no message is logged in the visible lines when the key is
 * shortened this way.
 */
676 MPPEInitInput(struct bundle *bundle, struct fsm_opt *o)
678 struct mppe_state *mip;
680 if (!MPPE_MasterKeyValid) {
681 log_Printf(LogWARN, "MPPE: Cannot initialise without CHAP81\n");
685 if ((mip = MPPE_InitState(o)) == NULL) {
686 log_Printf(LogWARN, "MPPEInput: Cannot initialise - unexpected options\n");
690 log_Printf(LogDEBUG, "MPPE: InitInput: %d-bits\n", mip->keybits);
693 if (*bundle->radius.cfg.file && bundle->radius.mppe.recvkey) {
694 if (mip->keylen > bundle->radius.mppe.recvkeylen)
695 mip->keylen = bundle->radius.mppe.recvkeylen;
696 if (mip->keylen > sizeof mip->mastkey)
697 mip->keylen = sizeof mip->mastkey;
698 memcpy(mip->mastkey, bundle->radius.mppe.recvkey, mip->keylen);
701 GetAsymetricStartKey(MPPE_MasterKey, mip->mastkey, mip->keylen, 0,
704 GetNewKeyFromSHA(mip->mastkey, mip->mastkey, mip->keylen, mip->sesskey);
706 MPPEReduceSessionKey(mip);
708 log_Printf(LogCCP, "MPPE: Input channel initiated\n");
710 if (!mip->stateless) {
712 * We need to initialise our dictionary here as the first packet we
713 * receive is unlikely to have the FLUSHED bit set.
715 log_Printf(LogDEBUG, "MPPEInitInput: Dictionary initialised [%d]\n",
717 RC4_set_key(&mip->rc4key, mip->keylen, mip->sesskey);
720 * We do the first key change here as the first packet is expected
721 * to have a sequence number of 0 and we'll therefore not expect
722 * to have to change the key at that point.
724 log_Printf(LogDEBUG, "MPPEInitInput: Key changed [%d]\n", mip->cohnum);
/*
 * Creates and keys the output (encryption) state.
 * Refuses to run without a valid master key. The start key comes either
 * from the RADIUS-supplied send key or from GetAsymetricStartKey() on
 * MPPE_MasterKey; the session key is then derived with
 * GetNewKeyFromSHA() and reduced to the negotiated strength. In stateful
 * mode RC4 is keyed immediately.
 * Security note: with a RADIUS key, keylen is lowered to sendkeylen and
 * then clamped to sizeof(mastkey) before memcpy(), which bounds the
 * copy; no message is logged in the visible lines when the key is
 * shortened this way.
 */
732 MPPEInitOutput(struct bundle *bundle, struct fsm_opt *o)
734 struct mppe_state *mop;
736 if (!MPPE_MasterKeyValid) {
737 log_Printf(LogWARN, "MPPE: Cannot initialise without CHAP81\n");
741 if ((mop = MPPE_InitState(o)) == NULL) {
742 log_Printf(LogWARN, "MPPEOutput: Cannot initialise - unexpected options\n");
746 log_Printf(LogDEBUG, "MPPE: InitOutput: %d-bits\n", mop->keybits);
749 if (*bundle->radius.cfg.file && bundle->radius.mppe.sendkey) {
750 if (mop->keylen > bundle->radius.mppe.sendkeylen)
751 mop->keylen = bundle->radius.mppe.sendkeylen;
752 if (mop->keylen > sizeof mop->mastkey)
753 mop->keylen = sizeof mop->mastkey;
754 memcpy(mop->mastkey, bundle->radius.mppe.sendkey, mop->keylen);
757 GetAsymetricStartKey(MPPE_MasterKey, mop->mastkey, mop->keylen, 1,
760 GetNewKeyFromSHA(mop->mastkey, mop->mastkey, mop->keylen, mop->sesskey);
762 MPPEReduceSessionKey(mop);
764 log_Printf(LogCCP, "MPPE: Output channel initiated\n");
766 if (!mop->stateless) {
768 * We need to initialise our dictionary now as the first packet we
769 * send won't have the FLUSHED bit set.
771 log_Printf(LogDEBUG, "MPPEInitOutput: Dictionary initialised [%d]\n",
773 RC4_set_key(&mop->rc4key, mop->keylen, mop->sesskey);
780 MPPETermInput(void *v)
786 MPPETermOutput(void *v)
791 const struct ccp_algorithm MPPEAlgorithm = {