diff --git a/src/include/netif/ppp/chap_ms.h b/src/include/netif/ppp/chap_ms.h index a366e471..bd03370e 100644 --- a/src/include/netif/ppp/chap_ms.h +++ b/src/include/netif/ppp/chap_ms.h @@ -76,6 +76,7 @@ extern u_char mppe_send_key[MPPE_MAX_KEY_LEN]; extern u_char mppe_recv_key[MPPE_MAX_KEY_LEN]; extern int mppe_keys_set; +#if 0 /* UNUSED */ /* These values are the RADIUS attribute values--see RFC 2548. */ #define MPPE_ENC_POL_ENC_ALLOWED 1 #define MPPE_ENC_POL_ENC_REQUIRED 2 @@ -84,6 +85,7 @@ extern int mppe_keys_set; /* used by plugins (using above values) */ extern void set_mppe_enc_types(int, int); +#endif /* UNUSED */ #endif /* Are we the authenticator or authenticatee? For MS-CHAPv2 key derivation. */ diff --git a/src/include/netif/ppp/mppe.h b/src/include/netif/ppp/mppe.h new file mode 100644 index 00000000..5eb3b37a --- /dev/null +++ b/src/include/netif/ppp/mppe.h @@ -0,0 +1,121 @@ +/* + * mppe.h - Definitions for MPPE + * + * Copyright (c) 2008 Paul Mackerras. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. The name(s) of the authors of this software must not be used to + * endorse or promote products derived from this software without + * prior written permission. + * + * 4. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by Paul Mackerras + * ". + * + * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO + * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY + * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN + * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING + * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#define MPPE_PAD 4 /* MPPE growth per frame */ +#define MPPE_MAX_KEY_LEN 16 /* largest key length (128-bit) */ + +/* option bits for ccp_options.mppe */ +#define MPPE_OPT_40 0x01 /* 40 bit */ +#define MPPE_OPT_128 0x02 /* 128 bit */ +#define MPPE_OPT_STATEFUL 0x04 /* stateful mode */ +/* unsupported opts */ +#define MPPE_OPT_56 0x08 /* 56 bit */ +#define MPPE_OPT_MPPC 0x10 /* MPPC compression */ +#define MPPE_OPT_D 0x20 /* Unknown */ +#define MPPE_OPT_UNSUPPORTED (MPPE_OPT_56|MPPE_OPT_MPPC|MPPE_OPT_D) +#define MPPE_OPT_UNKNOWN 0x40 /* Bits !defined in RFC 3078 were set */ + +/* + * This is not nice ... the alternative is a bitfield struct though. + * And unfortunately, we cannot share the same bits for the option + * names above since C and H are the same bit. We could do a u_int32 + * but then we have to do a htonl() all the time and/or we still need + * to know which octet is which. + */ +#define MPPE_C_BIT 0x01 /* MPPC */ +#define MPPE_D_BIT 0x10 /* Obsolete, usage unknown */ +#define MPPE_L_BIT 0x20 /* 40-bit */ +#define MPPE_S_BIT 0x40 /* 128-bit */ +#define MPPE_M_BIT 0x80 /* 56-bit, not supported */ +#define MPPE_H_BIT 0x01 /* Stateless (in a different byte) */ + +/* Does not include H bit; used for least significant octet only. */ +#define MPPE_ALL_BITS (MPPE_D_BIT|MPPE_L_BIT|MPPE_S_BIT|MPPE_M_BIT|MPPE_H_BIT) + +/* Build a CI from mppe opts (see RFC 3078) */ +#define MPPE_OPTS_TO_CI(opts, ci) \ + do { \ + u_char *ptr = ci; /* u_char[4] */ \ + \ + /* H bit */ \ + if (opts & MPPE_OPT_STATEFUL) \ + *ptr++ = 0x0; \ + else \ + *ptr++ = MPPE_H_BIT; \ + *ptr++ = 0; \ + *ptr++ = 0; \ + \ + /* S,L bits */ \ + *ptr = 0; \ + if (opts & MPPE_OPT_128) \ + *ptr |= MPPE_S_BIT; \ + if (opts & MPPE_OPT_40) \ + *ptr |= MPPE_L_BIT; \ + /* M,D,C bits not supported */ \ + } while (/* CONSTCOND */ 0) + +/* The reverse of the above */ +#define MPPE_CI_TO_OPTS(ci, opts) \ + do { \ + u_char *ptr = ci; /* u_char[4] */ \ + \ + opts = 0; \ + \ + /* H bit */ \ + if (!(ptr[0] & MPPE_H_BIT)) \ + opts |= MPPE_OPT_STATEFUL; \ + \ + /* S,L bits */ \ + if (ptr[3] & MPPE_S_BIT) \ + opts |= MPPE_OPT_128; \ + if (ptr[3] & MPPE_L_BIT) \ + opts |= MPPE_OPT_40; \ + \ + /* M,D,C bits */ \ + if (ptr[3] & MPPE_M_BIT) \ + opts |= MPPE_OPT_56; \ + if (ptr[3] & MPPE_D_BIT) \ + opts |= MPPE_OPT_D; \ + if (ptr[3] & MPPE_C_BIT) \ + opts |= MPPE_OPT_MPPC; \ + \ + /* Other bits */ \ + if (ptr[0] & ~MPPE_H_BIT) \ + opts |= MPPE_OPT_UNKNOWN; \ + if (ptr[1] || ptr[2]) \ + opts |= MPPE_OPT_UNKNOWN; \ + if (ptr[3] & ~MPPE_ALL_BITS) \ + opts |= MPPE_OPT_UNKNOWN; \ + } while (/* CONSTCOND */ 0) diff --git a/src/include/netif/ppp/ppp.h b/src/include/netif/ppp/ppp.h index 5027b20e..98d3fdb9 100644 --- a/src/include/netif/ppp/ppp.h +++ b/src/include/netif/ppp/ppp.h @@ -184,57 +184,61 @@ typedef void (*ppp_link_status_cb_fn)(ppp_pcb *pcb, int err_code, void *ctx); typedef struct ppp_settings_s { #if PPP_SERVER && PPP_AUTH_SUPPORT - unsigned int auth_required :1; /* Peer is required to authenticate */ - unsigned int null_login :1; /* Username of "" and a password of "" are acceptable */ + unsigned int auth_required :1; /* Peer is required to authenticate */ + unsigned int null_login :1; /* Username of "" and a password of "" are acceptable */ #else - unsigned int :2; /* 2 bits of padding */ + unsigned int :2; /* 2 bits of padding */ #endif /* PPP_SERVER && PPP_AUTH_SUPPORT */ #if PPP_REMOTENAME - unsigned int explicit_remote :1; /* remote_name specified with remotename opt */ + unsigned int explicit_remote :1; /* remote_name specified with remotename opt */ #else - unsigned int :1; /* 1 bit of padding */ + unsigned int :1; /* 1 bit of padding */ #endif /* PPP_REMOTENAME */ #if PAP_SUPPORT - unsigned int refuse_pap :1; /* Don't proceed auth. with PAP */ + unsigned int refuse_pap :1; /* Don't proceed auth. with PAP */ #else - unsigned int :1; /* 1 bit of padding */ + unsigned int :1; /* 1 bit of padding */ #endif /* PAP_SUPPORT */ #if CHAP_SUPPORT - unsigned int refuse_chap :1; /* Don't proceed auth. with CHAP */ + unsigned int refuse_chap :1; /* Don't proceed auth. with CHAP */ #else - unsigned int :1; /* 1 bit of padding */ + unsigned int :1; /* 1 bit of padding */ #endif /* CHAP_SUPPORT */ #if MSCHAP_SUPPORT - unsigned int refuse_mschap :1; /* Don't proceed auth. with MS-CHAP */ - unsigned int refuse_mschap_v2 :1; /* Don't proceed auth. with MS-CHAPv2 */ + unsigned int refuse_mschap :1; /* Don't proceed auth. with MS-CHAP */ + unsigned int refuse_mschap_v2 :1; /* Don't proceed auth. with MS-CHAPv2 */ #else - unsigned int :2; /* 2 bits of padding */ + unsigned int :2; /* 2 bits of padding */ #endif /* MSCHAP_SUPPORT */ #if EAP_SUPPORT - unsigned int refuse_eap :1; /* Don't proceed auth. with EAP */ + unsigned int refuse_eap :1; /* Don't proceed auth. with EAP */ #else - unsigned int :1; /* 1 bit of padding */ + unsigned int :1; /* 1 bit of padding */ #endif /* EAP_SUPPORT */ #if LWIP_DNS - unsigned int usepeerdns :1; /* Ask peer for DNS adds */ + unsigned int usepeerdns :1; /* Ask peer for DNS adds */ #else - unsigned int :1; /* 1 bit of padding */ + unsigned int :1; /* 1 bit of padding */ #endif /* LWIP_DNS */ - unsigned int persist :1; /* Persist mode, always try to open the connection */ + unsigned int persist :1; /* Persist mode, always try to open the connection */ #if PRINTPKT_SUPPORT - unsigned int hide_password :1; /* Hide password in dumped packets */ + unsigned int hide_password :1; /* Hide password in dumped packets */ #else - unsigned int :1; /* 1 bit of padding */ + unsigned int :1; /* 1 bit of padding */ #endif /* PRINTPKT_SUPPORT */ - unsigned int noremoteip :1; /* Let him have no IP address */ - unsigned int lax_recv :1; /* accept control chars in asyncmap */ - unsigned int noendpoint :1; /* don't send/accept endpoint discriminator */ + unsigned int noremoteip :1; /* Let him have no IP address */ + unsigned int lax_recv :1; /* accept control chars in asyncmap */ + unsigned int noendpoint :1; /* don't send/accept endpoint discriminator */ #if PPP_LCP_ADAPTIVE - unsigned int lcp_echo_adaptive :1; /* request echo only if the link was idle */ + unsigned int lcp_echo_adaptive :1; /* request echo only if the link was idle */ #else - unsigned int :1; /* 1 bit of padding */ + unsigned int :1; /* 1 bit of padding */ +#endif +#ifdef MPPE + unsigned int refuse_mppe_stateful :1; /* Allow MPPE stateful mode? */ +#else + unsigned int :1; /* 1 bit of padding */ #endif - unsigned int :1; /* 1 bit of padding to round out to 16 bits */ u16_t listen_time; /* time to listen first (ms), waiting for peer to send LCP packet */ diff --git a/src/netif/ppp/auth.c b/src/netif/ppp/auth.c index fc7d94a0..7e063c67 100644 --- a/src/netif/ppp/auth.c +++ b/src/netif/ppp/auth.c @@ -954,7 +954,7 @@ void start_networks(ppp_pcb *pcb) { ecp_required = ecp_gotoptions[unit].required; #endif /* ECP_SUPPORT */ #ifdef MPPE - mppe_required = ccp_gotoptions[unit].mppe; + mppe_required = pcb->ccp_gotoptions.mppe; #endif /* MPPE */ if (1 diff --git a/src/netif/ppp/ccp.c b/src/netif/ppp/ccp.c index df58cc1d..207f3eb2 100644 --- a/src/netif/ppp/ccp.c +++ b/src/netif/ppp/ccp.c @@ -62,7 +62,6 @@ static int setbsdcomp (char **); static int setdeflate (char **); static char bsd_value[8]; static char deflate_value[8]; -#endif /* PPP_OPTIONS */ /* * Option variables. @@ -71,7 +70,6 @@ static char deflate_value[8]; bool refuse_mppe_stateful = 1; /* Allow stateful mode? */ #endif -#if PPP_OPTIONS static option_t ccp_option_list[] = { { "noccp", o_bool, &ccp_protent.enabled_flag, "Disable CCP negotiation" }, @@ -896,7 +894,7 @@ static int ccp_nakci(fsm *f, u_char *p, int len, int treat_as_reject) { * Fail if we aren't willing to use his suggestion. */ MPPE_CI_TO_OPTS(&p[2], try_.mppe); - if ((try_.mppe & MPPE_OPT_STATEFUL) && refuse_mppe_stateful) { + if ((try_.mppe & MPPE_OPT_STATEFUL) && pcb->settings.refuse_mppe_stateful) { ppp_error("Refusing MPPE stateful mode offered by peer"); try_.mppe = 0; } else if (((go->mppe | MPPE_OPT_STATEFUL) & try_.mppe) != try_.mppe) { @@ -1049,7 +1047,7 @@ static int ccp_reqci(fsm *f, u_char *p, int *lenp, int dont_nak) { u_char *p0, *retp; int len, clen, type, nb; #ifdef MPPE - bool rej_for_ci_mppe = 1; /* Are we rejecting based on a bad/missing */ + u8_t rej_for_ci_mppe = 1; /* Are we rejecting based on a bad/missing */ /* CI_MPPE, or due to other options? */ #endif @@ -1098,7 +1096,7 @@ static int ccp_reqci(fsm *f, u_char *p, int *lenp, int dont_nak) { * it if he can do it; stateful mode is bad over * the Internet -- which is where we expect MPPE. */ - if (refuse_mppe_stateful) { + if (pcb->settings.refuse_mppe_stateful) { ppp_error("Refusing MPPE stateful mode offered by peer"); newret = CONFREJ; break; diff --git a/src/netif/ppp/chap_ms.c b/src/netif/ppp/chap_ms.c index 3313eafd..15b2219a 100644 --- a/src/netif/ppp/chap_ms.c +++ b/src/netif/ppp/chap_ms.c @@ -857,6 +857,7 @@ void ChapMS2(u_char *rchallenge, u_char *PeerChallenge, #endif } +#if 0 /* UNUSED */ #ifdef MPPE /* * Set MPPE options from plugins. @@ -887,6 +888,7 @@ void set_mppe_enc_types(int policy, int types) { } } #endif /* MPPE */ +#endif /* UNUSED */ const struct chap_digest_type chapms_digest = { CHAP_MICROSOFT, /* code */ diff --git a/src/netif/ppp/ppp.c b/src/netif/ppp/ppp.c index c9d775e7..bce93290 100644 --- a/src/netif/ppp/ppp.c +++ b/src/netif/ppp/ppp.c @@ -542,6 +542,10 @@ ppp_pcb *ppp_new(struct netif *pppif, ppp_link_status_cb_fn link_status_cb, void #endif /* PPP_SERVER */ #endif /* EAP_SUPPORT */ +#ifdef MPPE + pcb->settings.refuse_mppe_stateful = 1; +#endif /* MPPE */ + pcb->settings.lcp_loopbackfail = LCP_DEFLOOPBACKFAIL; pcb->settings.lcp_echo_interval = LCP_ECHOINTERVAL; pcb->settings.lcp_echo_fails = LCP_MAXECHOFAILS;