2 * ==FILEVERSION 20020521==
4 * ppp_mppe_compress.c - interface MPPE to the PPP code.
5 * This version is for use with Linux kernel 2.2.19+ and 2.4.x.
7 * By Frank Cusack <frank@google.com>.
8 * Copyright (c) 2002 Google, Inc.
11 * Permission to use, copy, modify, and distribute this software and its
12 * documentation is hereby granted, provided that the above copyright
13 * notice appears in all copies. This software is provided without any
14 * warranty, express or implied.
18 #include <linux/module.h>
19 #include <linux/kernel.h>
20 #include <linux/init.h>
21 #include <linux/types.h>
22 #include <linux/slab.h>
23 #include <linux/string.h>
25 #include <linux/ppp_defs.h>
26 #include <linux/ppp-comp.h>
32 * State for an MPPE (de)compressor.
34 typedef struct ppp_mppe_state {
35 unsigned char master_key[MPPE_MAX_KEY_LEN];
36 unsigned char session_key[MPPE_MAX_KEY_LEN];
37 arcfour_context arcfour_context; /* encryption state */
38 unsigned keylen; /* key length in bytes */
39 /* NB: 128-bit == 16, 40-bit == 8! */
40 /* If we want to support 56-bit, */
41 /* the unit has to change to bits */
42 unsigned char bits; /* MPPE control bits */
43 unsigned ccount; /* 12-bit coherency count (seqno) */
44 unsigned stateful; /* stateful mode flag */
45 int discard; /* stateful mode packet loss flag */
46 int sanity_errors; /* take down LCP if too many */
49 struct compstat stats;
52 /* ppp_mppe_state.bits definitions */
53 #define MPPE_BIT_A 0x80 /* Encryption table were (re)inititalized */
54 #define MPPE_BIT_B 0x40 /* MPPC only (not implemented) */
55 #define MPPE_BIT_C 0x20 /* MPPC only (not implemented) */
56 #define MPPE_BIT_D 0x10 /* This is an encrypted frame */
58 #define MPPE_BIT_FLUSHED MPPE_BIT_A
59 #define MPPE_BIT_ENCRYPTED MPPE_BIT_D
61 #define MPPE_BITS(p) ((p)[4] & 0xf0)
62 #define MPPE_CCOUNT(p) ((((p)[4] & 0x0f) << 8) + (p)[5])
63 #define MPPE_CCOUNT_SPACE 0x1000 /* The size of the ccount space */
65 #define MPPE_OVHD 2 /* MPPE overhead/packet */
66 #define SANITY_MAX 1600 /* Max bogon factor we will tolerate */
68 static void GetNewKeyFromSHA __P((unsigned char *StartKey,
69 unsigned char *SessionKey,
70 unsigned SessionKeyLength,
71 unsigned char *InterimKey));
72 static void mppe_rekey __P((ppp_mppe_state *state, int));
73 static void *mppe_alloc __P((unsigned char *options, int optlen));
74 static void mppe_free __P((void *state));
75 static int mppe_init __P((void *state, unsigned char *options,
76 int optlen, int unit, int debug, const char *));
77 static int mppe_comp_init __P((void *state, unsigned char *options,
79 int unit, int hdrlen, int debug));
80 static int mppe_decomp_init __P((void *state, unsigned char *options,
82 int hdrlen, int mru, int debug));
83 static int mppe_compress __P((void *state, unsigned char *ibuf,
85 int isize, int osize));
86 static void mppe_incomp __P((void *state, unsigned char *ibuf, int icnt));
87 static int mppe_decompress __P((void *state, unsigned char *ibuf,
88 int isize, unsigned char *obuf,int osize));
89 static void mppe_comp_reset __P((void *state));
90 static void mppe_decomp_reset __P((void *state));
91 static void mppe_comp_stats __P((void *state, struct compstat *stats));
95 * Key Derivation, from RFC 3078, RFC 3079.
96 * Equivalent to Get_Key() for MS-CHAP as described in RFC 3079.
99 GetNewKeyFromSHA(unsigned char *MasterKey, unsigned char *SessionKey,
100 unsigned SessionKeyLength, unsigned char *InterimKey)
103 unsigned char Digest[SHA1_SIGNATURE_SIZE];
105 unsigned char SHApad1[40] =
106 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
107 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
108 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
109 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
110 unsigned char SHApad2[40] =
111 { 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
112 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
113 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
114 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2 };
116 /* assert(SessionKeyLength <= SHA1_SIGNATURE_SIZE); */
119 SHA1_Update(&Context, MasterKey, SessionKeyLength);
120 SHA1_Update(&Context, SHApad1, sizeof(SHApad1));
121 SHA1_Update(&Context, SessionKey, SessionKeyLength);
122 SHA1_Update(&Context, SHApad2, sizeof(SHApad2));
123 SHA1_Final(Digest, &Context);
125 memcpy(InterimKey, Digest, SessionKeyLength);
129 * Perform the MPPE rekey algorithm, from RFC 3078, sec. 7.3.
130 * Well, not what's written there, but rather what they meant.
133 mppe_rekey(ppp_mppe_state *state, int initial_key)
135 unsigned char InterimKey[MPPE_MAX_KEY_LEN];
137 GetNewKeyFromSHA(state->master_key, state->session_key,
138 state->keylen, InterimKey);
140 arcfour_setkey(&state->arcfour_context, InterimKey, state->keylen);
141 arcfour_encrypt(&state->arcfour_context, InterimKey, state->keylen,
144 memcpy(state->session_key, InterimKey, state->keylen);
146 if (state->keylen == 8) {
148 state->session_key[0] = 0xd1;
149 state->session_key[1] = 0x26;
150 state->session_key[2] = 0x9e;
152 arcfour_setkey(&state->arcfour_context, state->session_key, state->keylen);
157 * Allocate space for a (de)compressor.
160 mppe_alloc(unsigned char *options, int optlen)
162 ppp_mppe_state *state;
164 if (optlen != CILEN_MPPE + sizeof(state->master_key)
165 || options[0] != CI_MPPE
166 || options[1] != CILEN_MPPE)
169 state = (ppp_mppe_state *) kmalloc(sizeof(*state), GFP_KERNEL);
174 memset(state, 0, sizeof(*state));
177 memcpy(state->master_key, &options[CILEN_MPPE], sizeof(state->master_key));
178 memcpy(state->session_key, state->master_key, sizeof(state->master_key));
180 * We defer initial key generation until mppe_init(), as mppe_alloc()
181 * is called frequently during negotiation.
184 return (void *) state;
188 * Deallocate space for a (de)compressor.
193 ppp_mppe_state *state = (ppp_mppe_state *) arg;
203 * Initialize (de)compressor state.
206 mppe_init(void *arg, unsigned char *options, int optlen, int unit, int debug,
207 const char *debugstr)
209 ppp_mppe_state *state = (ppp_mppe_state *) arg;
210 unsigned char mppe_opts;
212 if (optlen != CILEN_MPPE
213 || options[0] != CI_MPPE
214 || options[1] != CILEN_MPPE)
217 MPPE_CI_TO_OPTS(&options[2], mppe_opts);
218 if (mppe_opts & MPPE_OPT_128)
220 else if (mppe_opts & MPPE_OPT_40)
223 printk(KERN_WARNING "%s[%d]: unknown key length\n", debugstr, unit);
226 if (mppe_opts & MPPE_OPT_STATEFUL)
229 /* Generate the initial session key. */
230 mppe_rekey(state, 1);
234 char mkey[sizeof(state->master_key) * 2 + 1];
235 char skey[sizeof(state->session_key) * 2 + 1];
237 printk(KERN_DEBUG "%s[%d]: initialized with %d-bit %s mode\n", debugstr,
238 unit, (state->keylen == 16)? 128: 40,
239 (state->stateful)? "stateful": "stateless");
241 for (i = 0; i < sizeof(state->master_key); i++)
242 sprintf(mkey + i * 2, "%.2x", state->master_key[i]);
243 for (i = 0; i < sizeof(state->session_key); i++)
244 sprintf(skey + i * 2, "%.2x", state->session_key[i]);
245 printk(KERN_DEBUG "%s[%d]: keys: master: %s initial session: %s\n",
246 debugstr, unit, mkey, skey);
250 * Initialize the coherency count. The initial value is not specified
251 * in RFC 3078, but we can make a reasonable assumption that it will
252 * start at 0. Setting it to the max here makes the comp/decomp code
253 * do the right thing (determined through experiment).
255 state->ccount = MPPE_CCOUNT_SPACE - 1;
258 * Note that even though we have initialized the key table, we don't
259 * set the FLUSHED bit. This is contrary to RFC 3078, sec. 3.1.
261 state->bits = MPPE_BIT_ENCRYPTED;
264 state->debug = debug;
272 mppe_comp_init(void *arg, unsigned char *options, int optlen, int unit,
273 int hdrlen, int debug)
276 return mppe_init(arg, options, optlen, unit, debug, "mppe_comp_init");
280 * We received a CCP Reset-Request (actually, we are sending a Reset-Ack),
281 * tell the compressor to rekey. Note that we MUST NOT rekey for
282 * every CCP Reset-Request; we only rekey on the next xmit packet.
283 * We might get multiple CCP Reset-Requests if our CCP Reset-Ack is lost.
284 * So, rekeying for every CCP Reset-Request is broken as the peer will not
285 * know how many times we've rekeyed. (If we rekey and THEN get another
286 * CCP Reset-Request, we must rekey again.)
289 mppe_comp_reset(void *arg)
291 ppp_mppe_state *state = (ppp_mppe_state *) arg;
293 state->bits |= MPPE_BIT_FLUSHED;
297 * Compress (encrypt) a packet.
298 * It's strange to call this a compressor, since the output is always
299 * MPPE_OVHD + 2 bytes larger than the input.
302 mppe_compress(void *arg, unsigned char *ibuf, unsigned char *obuf,
303 int isize, int osize)
305 ppp_mppe_state *state = (ppp_mppe_state *) arg;
309 * Check that the protocol is in the range we handle.
311 proto = PPP_PROTOCOL(ibuf);
312 if (proto < 0x0021 || proto > 0x00fa)
315 /* Make sure we have enough room to generate an encrypted packet. */
316 if (osize < isize + MPPE_OVHD + 2) {
317 /* Drop the packet if we should encrypt it, but can't. */
318 printk(KERN_DEBUG "mppe_compress[%d]: osize too small! "
319 "(have: %d need: %d)\n", state->unit,
320 osize, osize + MPPE_OVHD + 2);
324 osize = isize + MPPE_OVHD + 2;
327 * Copy over the PPP header and set control bits.
329 obuf[0] = PPP_ADDRESS(ibuf);
330 obuf[1] = PPP_CONTROL(ibuf);
331 obuf[2] = PPP_COMP >> 8; /* isize + MPPE_OVHD + 1 */
332 obuf[3] = PPP_COMP; /* isize + MPPE_OVHD + 2 */
335 state->ccount = (state->ccount + 1) % MPPE_CCOUNT_SPACE;
336 obuf[0] = state->ccount >> 8;
337 obuf[1] = state->ccount & 0xff;
339 if (!state->stateful || /* stateless mode */
340 ((state->ccount & 0xff) == 0xff) || /* "flag" packet */
341 (state->bits & MPPE_BIT_FLUSHED)) { /* CCP Reset-Request */
343 if (state->debug && state->stateful)
344 printk(KERN_DEBUG "mppe_compress[%d]: rekeying\n", state->unit);
345 mppe_rekey(state, 0);
346 state->bits |= MPPE_BIT_FLUSHED;
348 obuf[0] |= state->bits;
349 state->bits &= ~MPPE_BIT_FLUSHED; /* reset for next xmit */
352 ibuf += 2; /* skip to proto field */
356 arcfour_encrypt(&state->arcfour_context, ibuf, isize, obuf);
358 state->stats.unc_bytes += isize;
359 state->stats.unc_packets++;
360 state->stats.comp_bytes += osize;
361 state->stats.comp_packets++;
367 * Since every frame grows by MPPE_OVHD + 2 bytes, this is always going
368 * to look bad ... and the longer the link is up the worse it will get.
371 mppe_comp_stats(void *arg, struct compstat *stats)
373 ppp_mppe_state *state = (ppp_mppe_state *) arg;
375 *stats = state->stats;
380 mppe_decomp_init(void *arg, unsigned char *options, int optlen, int unit,
381 int hdrlen, int mru, int debug)
384 return mppe_init(arg, options, optlen, unit, debug, "mppe_decomp_init");
388 * We received a CCP Reset-Ack. Just ignore it.
391 mppe_decomp_reset(void *arg)
398 * Decompress (decrypt) an MPPE packet.
401 mppe_decompress(void *arg, unsigned char *ibuf, int isize, unsigned char *obuf,
404 ppp_mppe_state *state = (ppp_mppe_state *) arg;
406 int flushed = MPPE_BITS(ibuf) & MPPE_BIT_FLUSHED;
409 if (isize <= PPP_HDRLEN + MPPE_OVHD) {
411 printk(KERN_DEBUG "mppe_decompress[%d]: short pkt (%d)\n",
415 /* Strange ... our output size is always LESS than the input size. */
416 /* assert(osize >= isize - MPPE_OVHD - 2); */
418 osize = isize - MPPE_OVHD - 2;
420 ccount = MPPE_CCOUNT(ibuf);
422 /* sanity checks -- terminate with extreme prejudice */
423 if (!(MPPE_BITS(ibuf) & MPPE_BIT_ENCRYPTED)) {
424 printk(KERN_DEBUG "mppe_decompress[%d]: ENCRYPTED bit not set!\n",
426 state->sanity_errors += 100;
429 if (!state->stateful && !flushed) {
430 printk(KERN_DEBUG "mppe_decompress[%d]: FLUSHED bit not set in "
431 "stateless mode!\n", state->unit);
432 state->sanity_errors += 100;
435 if (state->stateful && ((ccount & 0xff) == 0xff) && !flushed) {
436 printk(KERN_DEBUG "mppe_decompress[%d]: FLUSHED bit not set on "
437 "flag packet!\n", state->unit);
438 state->sanity_errors += 100;
443 if (state->sanity_errors < SANITY_MAX)
447 * Take LCP down if the peer is sending too many bogons.
448 * We don't want to do this for a single or just a few
449 * instances since it could just be due to packet corruption.
451 return DECOMP_FATALERROR;
455 * Check the coherency count.
458 if (!state->stateful) {
459 /* RFC 3078, sec 8.1. Rekey for every packet. */
460 while (state->ccount != ccount) {
461 mppe_rekey(state, 0);
462 state->ccount = (state->ccount + 1) % MPPE_CCOUNT_SPACE;
465 /* RFC 3078, sec 8.2. */
466 if (!state->discard) {
468 state->ccount = (state->ccount + 1) % MPPE_CCOUNT_SPACE;
469 if (ccount != state->ccount) {
471 * (ccount > state->ccount)
472 * Packet loss detected, enter the discard state.
473 * Signal the peer to rekey (by sending a CCP Reset-Request).
481 /* ccp.c will be silent (no additional CCP Reset-Requests). */
484 /* Rekey for every missed "flag" packet. */
485 while ((ccount & ~0xff) != (state->ccount & ~0xff)) {
486 mppe_rekey(state, 0);
487 state->ccount = (state->ccount + 256) % MPPE_CCOUNT_SPACE;
492 state->ccount = ccount;
494 * Another problem with RFC 3078 here. It implies that the
495 * peer need not send a Reset-Ack packet. But RFC 1962
496 * requires it. Hopefully, M$ does send a Reset-Ack; even
497 * though it isn't required for MPPE synchronization, it is
498 * required to reset CCP state.
503 mppe_rekey(state, 0);
507 * Fill in the first part of the PPP header. The protocol field
508 * comes from the decrypted data.
510 obuf[0] = PPP_ADDRESS(ibuf); /* +1 */
511 obuf[1] = PPP_CONTROL(ibuf); /* +2 */
513 ibuf += PPP_HDRLEN + MPPE_OVHD;
514 isize -= PPP_HDRLEN + MPPE_OVHD; /* -6 */
517 /* And finally, decrypt the packet. */
518 arcfour_decrypt(&state->arcfour_context, ibuf, isize, obuf);
520 state->stats.unc_bytes += osize;
521 state->stats.unc_packets++;
522 state->stats.comp_bytes += isize;
523 state->stats.comp_packets++;
525 /* good packet credit */
526 state->sanity_errors >>= 1;
532 * Incompressible data has arrived (this should never happen!).
533 * We should probably drop the link if the protocol is in the range
534 * of what should be encrypted. At the least, we should drop this
535 * packet. (How to do this?)
538 mppe_incomp(void *arg, unsigned char *ibuf, int icnt)
540 ppp_mppe_state *state = (ppp_mppe_state *) arg;
543 (PPP_PROTOCOL(ibuf) >= 0x0021 && PPP_PROTOCOL(ibuf) <= 0x00fa))
544 printk(KERN_DEBUG "mppe_incomp[%d]: incompressible (unencrypted) data! "
545 "(proto %04x)\n", state->unit, PPP_PROTOCOL(ibuf));
547 state->stats.inc_bytes += icnt;
548 state->stats.inc_packets++;
549 state->stats.unc_bytes += icnt;
550 state->stats.unc_packets++;
553 /*************************************************************
554 * Module interface table
555 *************************************************************/
557 /* These are in ppp.c (2.2.x) or ppp_generic.c (2.4.x) */
558 extern int ppp_register_compressor (struct compressor *cp);
559 extern void ppp_unregister_compressor (struct compressor *cp);
562 * Procedures exported to if_ppp.c.
564 struct compressor ppp_mppe = {
565 CI_MPPE, /* compress_proto */
566 mppe_alloc, /* comp_alloc */
567 mppe_free, /* comp_free */
568 mppe_comp_init, /* comp_init */
569 mppe_comp_reset, /* comp_reset */
570 mppe_compress, /* compress */
571 mppe_comp_stats, /* comp_stat */
572 mppe_alloc, /* decomp_alloc */
573 mppe_free, /* decomp_free */
574 mppe_decomp_init, /* decomp_init */
575 mppe_decomp_reset, /* decomp_reset */
576 mppe_decompress, /* decompress */
577 mppe_incomp, /* incomp */
578 mppe_comp_stats, /* decomp_stat */
581 /* 2.2 compatibility defines */
588 #ifndef MODULE_LICENSE
589 #define MODULE_LICENSE(license)
595 int answer = ppp_register_compressor(&ppp_mppe);
598 printk(KERN_INFO "PPP MPPE Compression module registered\n");
603 ppp_mppe_cleanup(void)
605 ppp_unregister_compressor(&ppp_mppe);
608 module_init(ppp_mppe_init);
609 module_exit(ppp_mppe_cleanup);
610 MODULE_LICENSE("BSD without advertisement clause");