From: Frank Cusack
Date: Tue, 24 Dec 2002 03:43:35 +0000 (+0000)
Subject: Add support for RADIUS MPPE policy and enctype attributes.
X-Git-Tag: ppp-2.4.7~344
X-Git-Url: http://git.ozlabs.org/?a=commitdiff_plain;ds=sidebyside;h=1c6cc0f0cd212fb2c80d7cace6525557b0677dae;p=ppp.git
Add support for RADIUS MPPE policy and enctype attributes.
---
diff --git a/pppd/chap_ms.c b/pppd/chap_ms.c
index 0fe1888..9c67587 100644
--- a/pppd/chap_ms.c
+++ b/pppd/chap_ms.c
@@ -48,7 +48,7 @@ * Copyright (c) 2002 Google, Inc. */ -#define RCSID "$Id: chap_ms.c,v 1.26 2002/12/23 23:24:37 fcusack Exp $" +#define RCSID "$Id: chap_ms.c,v 1.27 2002/12/24 03:43:35 fcusack Exp $" #ifdef CHAPMS
@@ -100,6 +100,10 @@ bool ms_lanman = 0; /* Use LanMan password instead of NT */ u_char mppe_send_key[MPPE_MAX_KEY_LEN]; u_char mppe_recv_key[MPPE_MAX_KEY_LEN]; int mppe_keys_set = 0; /* Have the MPPE keys been set? */ + +#include "fsm.h" /* Need to poke MPPE options */ +#include "ccp.h" +#include #endif static void
@@ -513,5 +517,37 @@ ChapMS2(chap_state *cstate, u_char *rchallenge, u_char *PeerChallenge, #endif } +#ifdef MPPE +/* + * Set MPPE options from plugins. + */ +void +set_mppe_enc_types(int policy, int types) +{ + /* Early exit for unknown policies. */ + if (policy != MPPE_ENC_POL_ENC_ALLOWED || + policy != MPPE_ENC_POL_ENC_REQUIRED) + return; + + /* Don't modify MPPE if it's optional and wasn't already configured. */ + if (policy == MPPE_ENC_POL_ENC_ALLOWED && !ccp_wantoptions[0].mppe) + return; + + /* + * Disable undesirable encryption types. Note that we don't ENABLE + * any encryption types, to avoid overriding manual configuration. + */ + switch(types) { + case MPPE_ENC_TYPES_RC4_40: + ccp_wantoptions[0].mppe &= ~MPPE_OPT_128; /* disable 128-bit */ + break; + case MPPE_ENC_TYPES_RC4_128: + ccp_wantoptions[0].mppe &= ~MPPE_OPT_40; /* disable 40-bit */ + break; + default: + break; + } +} +#endif /* MPPE */ #endif /* CHAPMS */ 
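Review bot: The early-exit test in the new set_mppe_enc_types is always true: `policy` cannot equal both MPPE_ENC_POL_ENC_ALLOWED and MPPE_ENC_POL_ENC_REQUIRED, so `policy != ALLOWED || policy != REQUIRED` holds for every value and the function returns before reaching the switch, meaning the encryption-types restriction a RADIUS server sends is never applied and the peer can still negotiate the key length the server meant to exclude. The condition should be `if (policy != MPPE_ENC_POL_ENC_ALLOWED && policy != MPPE_ENC_POL_ENC_REQUIRED) return;`. It would also help to say in the header comment that this function only ever clears bits in ccp_wantoptions[0].mppe, so a types value with both RC4 bits set deliberately matches no case and leaves the configuration untouched. In the @@ -100 hunk the third added #include appears to have lost its angle-bracketed header name in this rendering; as printed that line would not compile, so the name is worth confirming against the repository.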
diff --git a/pppd/chap_ms.h b/pppd/chap_ms.h
index f52f58d..251a4ba 100644
--- a/pppd/chap_ms.h
+++ b/pppd/chap_ms.h
@@ -27,7 +27,7 @@ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * - * $Id: chap_ms.h,v 1.8 2002/12/23 23:24:37 fcusack Exp $ + * $Id: chap_ms.h,v 1.9 2002/12/24 03:43:35 fcusack Exp $ */ #ifndef __CHAPMS_INCLUDE__
@@ -72,6 +72,15 @@ typedef struct { extern u_char mppe_send_key[MPPE_MAX_KEY_LEN]; extern u_char mppe_recv_key[MPPE_MAX_KEY_LEN]; extern int mppe_keys_set; + +/* These values are the RADIUS attribute values--see RFC 2548. */ +#define MPPE_ENC_POL_ENC_ALLOWED 1 +#define MPPE_ENC_POL_ENC_REQUIRED 2 +#define MPPE_ENC_TYPES_RC4_40 2 +#define MPPE_ENC_TYPES_RC4_128 4 + +/* used by plugins (using above values) */ +extern void set_mppe_enc_types(int, int); #endif /* Are we the authenticator or authenticatee? For MS-CHAPv2 key derivation. */
diff --git a/pppd/plugins/radius/radius.c b/pppd/plugins/radius/radius.c
index 48882a9..75c1e08 100644
--- a/pppd/plugins/radius/radius.c
+++ b/pppd/plugins/radius/radius.c
@@ -24,7 +24,7 @@ * ***********************************************************************/ static char const RCSID[] = -"$Id: radius.c,v 1.19 2002/12/23 23:24:37 fcusack Exp $"; +"$Id: radius.c,v 1.20 2002/12/24 03:43:35 fcusack Exp $"; #include "pppd.h" #include "chap.h"
@@ -516,6 +516,11 @@ radius_setparams(chap_state *cstate, VALUE_PAIR *vp, char *msg, { u_int32_t remote; int ms_chap2_success = 0; +#ifdef MPPE + int mppe_enc_keys = 0; /* whether or not these were received */ + int mppe_enc_policy = 0; + int mppe_enc_types = 0; +#endif /* Send RADIUS attributes to anyone else who might be interested */ if (radius_attributes_hook) {
@@ -623,6 +628,7 @@ radius_setparams(chap_state *cstate, VALUE_PAIR *vp, char *msg, "RADIUS: bad MS-CHAP-MPPE-Keys attribute"); return -1; } + mppe_enc_keys = 1; break; case PW_MS_MPPE_SEND_KEY: 
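Review bot: The two MPPE_ENC_TYPES_* values added to chap_ms.h are bit positions of the MS-MPPE-Encryption-Types bit field in RFC 2548, not an enumeration, and the comment should say so because the consumer in chap_ms.c switches on the exact value: a server that sets both bits (value 6) matches neither case and nothing is disabled, which is the intended no-op but is easy to misread as an oversight. A comment such as `/* RFC 2548 attribute values. MS-MPPE-Encryption-Types is a bit field; only the single-bit cases are acted on, see set_mppe_enc_types(). */` above the defines would capture that. The prototype `extern void set_mppe_enc_types(int, int);` would also read better with the parameter names from the definition, `(int policy, int types)`, since the two ints are easy to transpose at a call site.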
@@ -634,11 +640,19 @@ radius_setparams(chap_state *cstate, VALUE_PAIR *vp, char *msg, "Send": "Recv"); return -1; } + mppe_enc_keys = 1; break; -#endif /* MPPE */ -#if 0 + case PW_MS_MPPE_ENCRYPTION_POLICY: + mppe_enc_policy = vp->lvalue; /* save for later */ + break; + case PW_MS_MPPE_ENCRYPTION_TYPES: + mppe_enc_types = vp->lvalue; /* save for later */ + break; + +#endif /* MPPE */ +#if 0 case PW_MS_PRIMARY_DNS_SERVER: case PW_MS_SECONDARY_DNS_SERVER: case PW_MS_PRIMARY_NBNS_SERVER:
@@ -655,6 +669,19 @@ radius_setparams(chap_state *cstate, VALUE_PAIR *vp, char *msg, if (cstate && (cstate->chal_type == CHAP_MICROSOFT_V2) && !ms_chap2_success) return -1; +#ifdef MPPE + /* + * Require both policy and key attributes to indicate a valid key. + * Note that if the policy value was '0' we don't set the key! + */ + if (mppe_enc_policy && mppe_enc_keys) { + mppe_keys_set = 1; + /* Set/modify allowed encryption types. */ + if (mppe_enc_types) + set_mppe_enc_types(mppe_enc_policy, mppe_enc_types); + } +#endif + return 0; }
@@ -709,7 +736,6 @@ radius_setmppekeys(VALUE_PAIR *vp, REQUEST_INFO *req_info, chap_state *cstate) * to generate the start key, sigh. NB: We do not support the LM-Key. */ mppe_set_keys(cstate->challenge, &plain[8]); - mppe_keys_set = 1; return 0; }
@@ -778,7 +804,6 @@ radius_setmppekeys2(VALUE_PAIR *vp, REQUEST_INFO *req_info) memcpy(mppe_send_key, plain + 1, 16); else memcpy(mppe_recv_key, plain + 1, 16); - mppe_keys_set = 1; return 0; }
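Review bot: In the @@ -655 hunk, when the server returns MPPE key attributes but no MS-MPPE-Encryption-Policy (or a policy of 0), mppe_keys_set now stays 0 with no diagnostic, even though radius_setmppekeys2 has already copied the decrypted material into mppe_send_key/mppe_recv_key (visible in the @@ -778 hunk) and radius_setmppekeys presumably does the same via mppe_set_keys. Because the old code set mppe_keys_set inside those two functions, this is a silent behaviour change for servers that omit the policy attribute and will surface only as an unexplained MPPE negotiation failure; an `else if (mppe_enc_keys) dbglog("RADIUS: MPPE keys received without MS-MPPE-Encryption-Policy; ignored");` after the block would make it diagnosable, and the comment could state explicitly that the received key bytes are left in the global buffers. The @@ -634 hunk stores vp->lvalue for both attributes without a range check, which is acceptable only as long as set_mppe_enc_types is the place that rejects unknown policy values, so the two should be kept in step. radius_setparams begins before the first of these hunks and is not fully visible here.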