2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2000 Semen Ustimenko <semenu@FreeBSD.org>
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 #include <sys/param.h>
33 #include <sys/socket.h>
34 #include <netinet/in_systm.h>
35 #include <netinet/in.h>
36 #include <netinet/ip.h>
43 #include <openssl/rc4.h>
54 #include "throughput.h"
61 #include "descriptor.h"
67 #include "slcompress.h"
78 * draft-ietf-pppext-mppe-04.txt
79 * draft-ietf-pppext-mppe-keys-02.txt
82 #define MPPE_OPT_STATELESS 0x1000000
83 #define MPPE_OPT_COMPRESSED 0x01
84 #define MPPE_OPT_40BIT 0x20
85 #define MPPE_OPT_56BIT 0x80
86 #define MPPE_OPT_128BIT 0x40
87 #define MPPE_OPT_BITMASK 0xe0
88 #define MPPE_OPT_MASK (MPPE_OPT_STATELESS | MPPE_OPT_BITMASK)
90 #define MPPE_FLUSHED 0x8000
91 #define MPPE_ENCRYPTED 0x1000
92 #define MPPE_HEADER_BITMASK 0xf000
93 #define MPPE_HEADER_FLAG 0x00ff
94 #define MPPE_HEADER_FLAGMASK 0x00ff
95 #define MPPE_HEADER_FLAGSHIFT 8
96 #define MPPE_HEADER_STATEFUL_KEYCHANGES 16
99 unsigned stateless : 1;
100 unsigned flushnext : 1;
101 unsigned flushrequired : 1;
103 unsigned keylen; /* 8 or 16 bytes */
104 int keybits; /* 40, 56 or 128 bits */
105 char sesskey[MPPE_KEY_LEN];
106 char mastkey[MPPE_KEY_LEN];
110 int MPPE_MasterKeyValid = 0;
111 int MPPE_IsServer = 0;
112 char MPPE_MasterKey[MPPE_KEY_LEN];
115 * The peer has missed a packet. Mark the next output frame to be FLUSHED
118 MPPEResetOutput(void *v)
120 struct mppe_state *mop = (struct mppe_state *)v;
123 log_Printf(LogCCP, "MPPE: Unexpected output channel reset\n");
125 log_Printf(LogCCP, "MPPE: Output channel reset\n");
129 return 0; /* Ask FSM not to ACK */
133 MPPEReduceSessionKey(struct mppe_state *mp)
135 switch(mp->keybits) {
137 mp->sesskey[2] = 0x9e;
138 mp->sesskey[1] = 0x26;
140 mp->sesskey[0] = 0xd1;
147 MPPEKeyChange(struct mppe_state *mp)
149 char InterimKey[MPPE_KEY_LEN];
152 GetNewKeyFromSHA(mp->mastkey, mp->sesskey, mp->keylen, InterimKey);
153 RC4_set_key(&RC4Key, mp->keylen, InterimKey);
154 RC4(&RC4Key, mp->keylen, InterimKey, mp->sesskey);
156 MPPEReduceSessionKey(mp);
160 MPPEOutput(void *v, struct ccp *ccp, struct link *l __unused, int pri __unused,
161 u_short *proto, struct mbuf *mp)
163 struct mppe_state *mop = (struct mppe_state *)v;
165 u_short nproto, prefix;
166 int dictinit, ilen, len;
172 log_Printf(LogDEBUG, "MPPE: Output: Proto %02x (%d bytes)\n", *proto, ilen);
173 if (*proto < 0x21 || *proto > 0xFA) {
174 log_Printf(LogDEBUG, "MPPE: Output: Not encrypting\n");
175 ccp->compout += ilen;
176 ccp->uncompout += ilen;
180 log_DumpBp(LogDEBUG, "MPPE: Output: Encrypt packet:", mp);
182 /* Get mbuf for prefixes */
183 mo = m_get(4, MB_CCPOUT);
187 prefix = MPPE_ENCRYPTED | mop->cohnum;
189 if (mop->stateless ||
190 (mop->cohnum & MPPE_HEADER_FLAGMASK) == MPPE_HEADER_FLAG) {
192 log_Printf(LogDEBUG, "MPPEOutput: Key changed [%d]\n", mop->cohnum);
197 if (mop->stateless || mop->flushnext) {
198 prefix |= MPPE_FLUSHED;
204 /* Initialise our dictionary */
205 log_Printf(LogDEBUG, "MPPEOutput: Dictionary initialised [%d]\n",
207 RC4_set_key(&mop->rc4key, mop->keylen, mop->sesskey);
210 /* Set MPPE packet prefix */
211 ua_htons(&prefix, rp);
213 /* Save encrypted protocol number */
214 nproto = htons(*proto);
215 RC4(&mop->rc4key, 2, (char *)&nproto, rp + 2);
217 /* Encrypt main packet */
219 RC4(&mop->rc4key, ilen, rp, rp);
222 mop->cohnum &= ~MPPE_HEADER_BITMASK;
224 /* Set the protocol number */
225 *proto = ccp_Proto(ccp);
227 ccp->uncompout += ilen;
230 log_Printf(LogDEBUG, "MPPE: Output: Encrypted: Proto %02x (%d bytes)\n",
237 MPPEResetInput(void *v __unused)
239 log_Printf(LogCCP, "MPPE: Unexpected input channel ack\n");
243 MPPEInput(void *v, struct ccp *ccp, u_short *proto, struct mbuf *mp)
245 struct mppe_state *mip = (struct mppe_state *)v;
248 int dictinit, flushed, ilen, len, n;
254 log_Printf(LogDEBUG, "MPPE: Input: Proto %02x (%d bytes)\n", *proto, ilen);
255 log_DumpBp(LogDEBUG, "MPPE: Input: Packet:", mp);
257 mp = mbuf_Read(mp, &prefix, 2);
258 prefix = ntohs(prefix);
259 flushed = prefix & MPPE_FLUSHED;
261 if ((prefix & MPPE_HEADER_BITMASK) != MPPE_ENCRYPTED) {
262 log_Printf(LogERROR, "MPPE: Input: Invalid packet (flags = 0x%x)\n",
263 (prefix & MPPE_HEADER_BITMASK) | flushed);
268 prefix &= ~MPPE_HEADER_BITMASK;
270 if (!flushed && mip->stateless) {
271 log_Printf(LogCCP, "MPPEInput: Packet without MPPE_FLUSHED set"
272 " in stateless mode\n");
273 flushed = MPPE_FLUSHED;
274 /* Should we really continue ? */
277 if (mip->stateless) {
278 /* Change our key for each missed packet in stateless mode */
279 while (prefix != mip->cohnum) {
280 log_Printf(LogDEBUG, "MPPEInput: Key changed [%u]\n", prefix);
283 * mip->cohnum contains what we received last time in stateless
287 mip->cohnum &= ~MPPE_HEADER_BITMASK;
293 * We can always process a flushed packet.
294 * Catch up on any outstanding key changes.
296 n = (prefix >> MPPE_HEADER_FLAGSHIFT) -
297 (mip->cohnum >> MPPE_HEADER_FLAGSHIFT);
299 n += MPPE_HEADER_STATEFUL_KEYCHANGES;
301 log_Printf(LogDEBUG, "MPPEInput: Key changed during catchup [%u]\n",
305 mip->flushrequired = 0;
306 mip->cohnum = prefix;
310 if (mip->flushrequired) {
312 * Perhaps we should be lenient if
313 * (prefix & MPPE_HEADER_FLAGMASK) == MPPE_HEADER_FLAG
314 * The spec says that we shouldn't be though....
316 log_Printf(LogDEBUG, "MPPE: Not flushed - discarded\n");
317 fsm_Output(&ccp->fsm, CODE_RESETREQ, ccp->fsm.reqid++, NULL, 0,
323 if (prefix != mip->cohnum) {
325 * We're in stateful mode and didn't receive the expected
326 * packet. Send a reset request, but don't tell the CCP layer
327 * about it as we don't expect to receive a Reset ACK !
328 * Guess what... M$ invented this !
330 log_Printf(LogCCP, "MPPE: Input: Got seq %u, not %u\n",
331 prefix, mip->cohnum);
332 fsm_Output(&ccp->fsm, CODE_RESETREQ, ccp->fsm.reqid++, NULL, 0,
334 mip->flushrequired = 1;
339 if ((prefix & MPPE_HEADER_FLAGMASK) == MPPE_HEADER_FLAG) {
340 log_Printf(LogDEBUG, "MPPEInput: Key changed [%u]\n", prefix);
347 * mip->cohnum contains what we expect to receive next time in stateful
351 mip->cohnum &= ~MPPE_HEADER_BITMASK;
355 log_Printf(LogDEBUG, "MPPEInput: Dictionary initialised [%u]\n", prefix);
356 RC4_set_key(&mip->rc4key, mip->keylen, mip->sesskey);
359 mp = mbuf_Read(mp, proto, 2);
360 RC4(&mip->rc4key, 2, (char *)proto, (char *)proto);
361 *proto = ntohs(*proto);
365 RC4(&mip->rc4key, len, rp, rp);
367 log_Printf(LogDEBUG, "MPPEInput: Decrypted: Proto %02x (%d bytes)\n",
369 log_DumpBp(LogDEBUG, "MPPEInput: Decrypted: Packet:", mp);
371 ccp->uncompin += len;
377 MPPEDictSetup(void *v __unused, struct ccp *ccp __unused,
378 u_short proto __unused, struct mbuf *mp __unused)
380 /* Nothing to see here */
384 MPPEDispOpts(struct fsm_opt *o)
391 ua_ntohl(o->data, &val);
393 if ((n = snprintf(buf, sizeof buf, "value 0x%08x ", (unsigned)val)) > 0)
395 if (!(val & MPPE_OPT_BITMASK)) {
396 if ((n = snprintf(buf + len, sizeof buf - len, "(0")) > 0)
400 if (val & MPPE_OPT_128BIT) {
401 if ((n = snprintf(buf + len, sizeof buf - len, "%c128", ch)) > 0)
405 if (val & MPPE_OPT_56BIT) {
406 if ((n = snprintf(buf + len, sizeof buf - len, "%c56", ch)) > 0)
410 if (val & MPPE_OPT_40BIT) {
411 if ((n = snprintf(buf + len, sizeof buf - len, "%c40", ch)) > 0)
417 if ((n = snprintf(buf + len, sizeof buf - len, " bits, state%s",
418 (val & MPPE_OPT_STATELESS) ? "less" : "ful")) > 0)
421 if (val & MPPE_OPT_COMPRESSED) {
422 if ((n = snprintf(buf + len, sizeof buf - len, ", compressed")) > 0)
426 snprintf(buf + len, sizeof buf - len, ")");
432 MPPEUsable(struct fsm *fp)
436 struct radius *r = &fp->bundle->radius;
439 * If the radius server gave us RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES,
440 * use that instead of our configuration value.
443 ok = r->mppe.sendkeylen && r->mppe.recvkeylen;
445 log_Printf(LogCCP, "MPPE: Not permitted by RADIUS server\n");
449 struct lcp *lcp = &fp->link->lcp;
450 ok = (lcp->want_auth == PROTO_CHAP && lcp->want_authtype == 0x81) ||
451 (lcp->his_auth == PROTO_CHAP && lcp->his_authtype == 0x81);
453 log_Printf(LogCCP, "MPPE: Not usable without CHAP81\n");
460 MPPERequired(struct fsm *fp)
464 * If the radius server gave us RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY,
465 * use that instead of our configuration value.
467 if (*fp->bundle->radius.cfg.file && fp->bundle->radius.mppe.policy)
468 return fp->bundle->radius.mppe.policy == MPPE_POLICY_REQUIRED ? 1 : 0;
471 return fp->link->ccp.cfg.mppe.required;
475 MPPE_ConfigVal(struct bundle *bundle __unused, const struct ccp_config *cfg)
479 val = cfg->mppe.state == MPPE_STATELESS ? MPPE_OPT_STATELESS : 0;
482 * If the radius server gave us RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES,
483 * use that instead of our configuration value.
485 if (*bundle->radius.cfg.file && bundle->radius.mppe.types) {
486 if (bundle->radius.mppe.types & MPPE_TYPE_40BIT)
487 val |= MPPE_OPT_40BIT;
488 if (bundle->radius.mppe.types & MPPE_TYPE_128BIT)
489 val |= MPPE_OPT_128BIT;
492 switch(cfg->mppe.keybits) {
494 val |= MPPE_OPT_128BIT;
497 val |= MPPE_OPT_56BIT;
500 val |= MPPE_OPT_40BIT;
503 val |= MPPE_OPT_128BIT | MPPE_OPT_56BIT | MPPE_OPT_40BIT;
511 * What options should we use for our first configure request
514 MPPEInitOptsOutput(struct bundle *bundle, struct fsm_opt *o,
515 const struct ccp_config *cfg)
521 if (!MPPE_MasterKeyValid) {
522 log_Printf(LogCCP, "MPPE: MasterKey is invalid,"
523 " MPPE is available only with CHAP81 authentication\n");
525 ua_htonl(&mval, o->data);
530 mval = MPPE_ConfigVal(bundle, cfg);
531 ua_htonl(&mval, o->data);
535 * Our CCP request was NAK'd with the given options
538 MPPESetOptsOutput(struct bundle *bundle, struct fsm_opt *o,
539 const struct ccp_config *cfg)
541 u_int32_t mval, peer;
543 ua_ntohl(o->data, &peer);
545 if (!MPPE_MasterKeyValid)
546 /* Treat their NAK as a REJ */
549 mval = MPPE_ConfigVal(bundle, cfg);
552 * If we haven't been configured with a specific number of keybits, allow
553 * whatever the peer asks for.
555 if (!cfg->mppe.keybits) {
556 mval &= ~MPPE_OPT_BITMASK;
557 mval |= (peer & MPPE_OPT_BITMASK);
558 if (!(mval & MPPE_OPT_BITMASK))
559 mval |= MPPE_OPT_128BIT;
562 /* Adjust our statelessness */
563 if (cfg->mppe.state == MPPE_ANYSTATE) {
564 mval &= ~MPPE_OPT_STATELESS;
565 mval |= (peer & MPPE_OPT_STATELESS);
568 ua_htonl(&mval, o->data);
574 * The peer has requested the given options
577 MPPESetOptsInput(struct bundle *bundle, struct fsm_opt *o,
578 const struct ccp_config *cfg)
580 u_int32_t mval, peer;
583 ua_ntohl(o->data, &peer);
584 if (!MPPE_MasterKeyValid) {
587 ua_htonl(&peer, o->data);
593 mval = MPPE_ConfigVal(bundle, cfg);
595 if (peer & ~MPPE_OPT_MASK)
596 /* He's asking for bits we don't know about */
599 if (peer & MPPE_OPT_STATELESS) {
600 if (cfg->mppe.state == MPPE_STATEFUL)
601 /* Peer can't have stateless */
604 /* Peer wants stateless, that's ok */
605 mval |= MPPE_OPT_STATELESS;
607 if (cfg->mppe.state == MPPE_STATELESS)
608 /* Peer must have stateless */
611 /* Peer doesn't want stateless, that's ok */
612 mval &= ~MPPE_OPT_STATELESS;
615 /* If we've got a configured number of keybits - the peer must use that */
616 if (cfg->mppe.keybits) {
617 ua_htonl(&mval, o->data);
618 return peer == mval ? res : MODE_NAK;
621 /* If a specific number of bits hasn't been requested, we'll need to NAK */
622 switch (peer & MPPE_OPT_BITMASK) {
623 case MPPE_OPT_128BIT:
631 /* Suggest the best number of bits */
632 mval &= ~MPPE_OPT_BITMASK;
633 if (peer & MPPE_OPT_128BIT)
634 mval |= MPPE_OPT_128BIT;
635 else if (peer & MPPE_OPT_56BIT)
636 mval |= MPPE_OPT_56BIT;
637 else if (peer & MPPE_OPT_40BIT)
638 mval |= MPPE_OPT_40BIT;
640 mval |= MPPE_OPT_128BIT;
641 ua_htonl(&mval, o->data);
646 static struct mppe_state *
647 MPPE_InitState(struct fsm_opt *o)
649 struct mppe_state *mp;
652 if ((mp = calloc(1, sizeof *mp)) != NULL) {
653 ua_ntohl(o->data, &val);
655 switch (val & MPPE_OPT_BITMASK) {
656 case MPPE_OPT_128BIT:
669 log_Printf(LogWARN, "Unexpected MPPE options 0x%08x\n", val);
674 mp->stateless = !!(val & MPPE_OPT_STATELESS);
681 MPPEInitInput(struct bundle *bundle __unused, struct fsm_opt *o)
683 struct mppe_state *mip;
685 if (!MPPE_MasterKeyValid) {
686 log_Printf(LogWARN, "MPPE: Cannot initialise without CHAP81\n");
690 if ((mip = MPPE_InitState(o)) == NULL) {
691 log_Printf(LogWARN, "MPPEInput: Cannot initialise - unexpected options\n");
695 log_Printf(LogDEBUG, "MPPE: InitInput: %d-bits\n", mip->keybits);
698 if (*bundle->radius.cfg.file && bundle->radius.mppe.recvkey) {
699 if (mip->keylen > bundle->radius.mppe.recvkeylen)
700 mip->keylen = bundle->radius.mppe.recvkeylen;
701 if (mip->keylen > sizeof mip->mastkey)
702 mip->keylen = sizeof mip->mastkey;
703 memcpy(mip->mastkey, bundle->radius.mppe.recvkey, mip->keylen);
706 GetAsymetricStartKey(MPPE_MasterKey, mip->mastkey, mip->keylen, 0,
709 GetNewKeyFromSHA(mip->mastkey, mip->mastkey, mip->keylen, mip->sesskey);
711 MPPEReduceSessionKey(mip);
713 log_Printf(LogCCP, "MPPE: Input channel initiated\n");
715 if (!mip->stateless) {
717 * We need to initialise our dictionary here as the first packet we
718 * receive is unlikely to have the FLUSHED bit set.
720 log_Printf(LogDEBUG, "MPPEInitInput: Dictionary initialised [%d]\n",
722 RC4_set_key(&mip->rc4key, mip->keylen, mip->sesskey);
725 * We do the first key change here as the first packet is expected
726 * to have a sequence number of 0 and we'll therefore not expect
727 * to have to change the key at that point.
729 log_Printf(LogDEBUG, "MPPEInitInput: Key changed [%d]\n", mip->cohnum);
737 MPPEInitOutput(struct bundle *bundle __unused, struct fsm_opt *o)
739 struct mppe_state *mop;
741 if (!MPPE_MasterKeyValid) {
742 log_Printf(LogWARN, "MPPE: Cannot initialise without CHAP81\n");
746 if ((mop = MPPE_InitState(o)) == NULL) {
747 log_Printf(LogWARN, "MPPEOutput: Cannot initialise - unexpected options\n");
751 log_Printf(LogDEBUG, "MPPE: InitOutput: %d-bits\n", mop->keybits);
754 if (*bundle->radius.cfg.file && bundle->radius.mppe.sendkey) {
755 if (mop->keylen > bundle->radius.mppe.sendkeylen)
756 mop->keylen = bundle->radius.mppe.sendkeylen;
757 if (mop->keylen > sizeof mop->mastkey)
758 mop->keylen = sizeof mop->mastkey;
759 memcpy(mop->mastkey, bundle->radius.mppe.sendkey, mop->keylen);
762 GetAsymetricStartKey(MPPE_MasterKey, mop->mastkey, mop->keylen, 1,
765 GetNewKeyFromSHA(mop->mastkey, mop->mastkey, mop->keylen, mop->sesskey);
767 MPPEReduceSessionKey(mop);
769 log_Printf(LogCCP, "MPPE: Output channel initiated\n");
771 if (!mop->stateless) {
773 * We need to initialise our dictionary now as the first packet we
774 * send won't have the FLUSHED bit set.
776 log_Printf(LogDEBUG, "MPPEInitOutput: Dictionary initialised [%d]\n",
778 RC4_set_key(&mop->rc4key, mop->keylen, mop->sesskey);
785 MPPETermInput(void *v)
791 MPPETermOutput(void *v)
796 const struct ccp_algorithm MPPEAlgorithm = {