2 * ==FILEVERSION 20020320==
4 * ppp_mppe_compress.c - interface MPPE to the PPP code.
5 * This version is for use with Linux kernel 2.2.x (ppp driver 2.3.x).
7 * By Frank Cusack <frank@google.com>.
8 * Copyright (c) 2002 Google, Inc.
11 * Permission to use, copy, modify, and distribute this software and its
12 * documentation is hereby granted, provided that the above copyright
13 * notice appears in all copies. This software is provided without any
14 * warranty, express or implied.
18 #include <linux/module.h>
19 #include <linux/kernel.h>
20 #include <linux/init.h>
21 #include <linux/types.h>
22 #include <linux/malloc.h>
23 #include <linux/string.h>
25 #include <linux/ppp_defs.h>
26 #include <linux/ppp-comp.h>
32 * State for an MPPE (de)compressor.
34 typedef struct ppp_mppe_state {
35 unsigned char master_key[MPPE_MAX_KEY_LEN];
36 unsigned char session_key[MPPE_MAX_KEY_LEN];
37 arcfour_context arcfour_context; /* encryption state */
38 unsigned keylen; /* key length in bytes */
39 /* NB: 128-bit == 16, 40-bit == 8! */
40 /* If we want to support 56-bit, */
41 /* the unit has to change to bits */
42 unsigned char bits; /* MPPE control bits */
43 unsigned ccount; /* 12-bit coherency count (seqno) */
44 unsigned stateful; /* stateful mode flag */
45 int discard; /* stateful mode packet loss flag */
46 int sanity_errors; /* take down LCP if too many */
49 struct compstat stats;
52 /* ppp_mppe_state.bits definitions */
53 #define MPPE_BIT_A 0x80 /* Encryption table were (re)inititalized */
54 #define MPPE_BIT_B 0x40 /* MPPC only (not implemented) */
55 #define MPPE_BIT_C 0x20 /* MPPC only (not implemented) */
56 #define MPPE_BIT_D 0x10 /* This is an encrypted frame */
58 #define MPPE_BIT_FLUSHED MPPE_BIT_A
59 #define MPPE_BIT_ENCRYPTED MPPE_BIT_D
61 #define MPPE_BITS(p) ((p)[4] & 0xf0)
62 #define MPPE_CCOUNT(p) ((((p)[4] & 0x0f) << 8) + (p)[5])
63 #define MPPE_CCOUNT_SPACE 0x1000 /* The size of the ccount space */
66 * MPPE overhead/packet.
67 * Note that we use this differently than other compressors.
69 #define MPPE_OVHD 2 /* MPPE overhead/packet */
70 /* Max bogon factor we will tolerate */
71 #define SANITY_MAX 1600
73 static void GetNewKeyFromSHA __P((unsigned char *StartKey,
74 unsigned char *SessionKey,
75 unsigned SessionKeyLength,
76 unsigned char *InterimKey));
77 static void mppe_rekey __P((ppp_mppe_state *state, int));
78 static void *mppe_alloc __P((unsigned char *options, int optlen));
79 static void mppe_free __P((void *state));
80 static int mppe_init __P((void *state, unsigned char *options,
81 int optlen, int unit, int debug, const char *));
82 static int mppe_comp_init __P((void *state, unsigned char *options,
84 int unit, int hdrlen, int debug));
85 static int mppe_decomp_init __P((void *state, unsigned char *options,
87 int hdrlen, int mru, int debug));
88 static int mppe_compress __P((void *state, unsigned char *ibuf,
90 int isize, int osize));
91 static void mppe_incomp __P((void *state, unsigned char *ibuf, int icnt));
92 static int mppe_decompress __P((void *state, unsigned char *ibuf,
93 int isize, unsigned char *obuf,int osize));
94 static void mppe_comp_reset __P((void *state));
95 static void mppe_decomp_reset __P((void *state));
96 static void mppe_comp_stats __P((void *state, struct compstat *stats));
100 * Key Derivation, from RFC 3078, RFC 3079.
101 * Equivalent to Get_Key() for MS-CHAP as described in RFC 3079.
104 GetNewKeyFromSHA(unsigned char *MasterKey, unsigned char *SessionKey,
105 unsigned SessionKeyLength, unsigned char *InterimKey)
108 unsigned char Digest[SHA1_SIGNATURE_SIZE];
110 unsigned char SHApad1[40] =
111 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
112 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
113 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
114 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
115 unsigned char SHApad2[40] =
116 { 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
117 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
118 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
119 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2 };
121 /* assert(SessionKeyLength <= SHA1_SIGNATURE_SIZE); */
124 SHA1_Update(&Context, MasterKey, SessionKeyLength);
125 SHA1_Update(&Context, SHApad1, sizeof(SHApad1));
126 SHA1_Update(&Context, SessionKey, SessionKeyLength);
127 SHA1_Update(&Context, SHApad2, sizeof(SHApad2));
128 SHA1_Final(Digest, &Context);
130 memcpy(InterimKey, Digest, SessionKeyLength);
134 * Perform the MPPE rekey algorithm, from RFC 3078, sec. 7.3.
135 * Well, not what's written there, but rather what they meant.
138 mppe_rekey(ppp_mppe_state *state, int initial_key)
140 unsigned char InterimKey[MPPE_MAX_KEY_LEN];
142 GetNewKeyFromSHA(state->master_key, state->session_key,
143 state->keylen, InterimKey);
145 arcfour_setkey(&state->arcfour_context, InterimKey, state->keylen);
146 arcfour_encrypt(&state->arcfour_context, InterimKey, state->keylen,
149 memcpy(state->session_key, InterimKey, state->keylen);
151 if (state->keylen == 8) {
153 state->session_key[0] = 0xd1;
154 state->session_key[1] = 0x26;
155 state->session_key[2] = 0x9e;
157 arcfour_setkey(&state->arcfour_context, state->session_key, state->keylen);
162 * Allocate space for a (de)compressor.
165 mppe_alloc(unsigned char *options, int optlen)
167 ppp_mppe_state *state;
169 if (optlen != CILEN_MPPE + sizeof(state->master_key)
170 || options[0] != CI_MPPE
171 || options[1] != CILEN_MPPE)
174 state = (ppp_mppe_state *) kmalloc(sizeof(*state), GFP_KERNEL);
179 memset(state, 0, sizeof(*state));
182 memcpy(state->master_key, &options[CILEN_MPPE], sizeof(state->master_key));
183 memcpy(state->session_key, state->master_key, sizeof(state->master_key));
185 * We defer initial key generation until mppe_init(), as mppe_alloc()
186 * is called frequently during negotiation.
189 return (void *) state;
193 * Deallocate space for a (de)compressor.
198 ppp_mppe_state *state = (ppp_mppe_state *) arg;
208 * Initialize (de)compressor state.
211 mppe_init(void *arg, unsigned char *options, int optlen, int unit, int debug,
212 const char *debugstr)
214 ppp_mppe_state *state = (ppp_mppe_state *) arg;
215 unsigned char mppe_opts;
217 if (optlen != CILEN_MPPE
218 || options[0] != CI_MPPE
219 || options[1] != CILEN_MPPE)
222 MPPE_CI_TO_OPTS(&options[2], mppe_opts);
223 if (mppe_opts & MPPE_OPT_128)
225 else if (mppe_opts & MPPE_OPT_40)
228 printk(KERN_WARNING "%s[%d]: unknown key length\n", debugstr, unit);
231 if (mppe_opts & MPPE_OPT_STATEFUL)
234 /* Generate the initial session key. */
235 mppe_rekey(state, 1);
239 char mkey[sizeof(state->master_key) * 3 + 1];
240 char skey[sizeof(state->session_key) * 3 + 1];
242 printk(KERN_DEBUG "%s[%d]: initialized with %d-bit %s mode\n", debugstr,
243 unit, (state->keylen == 16)? 128: 40,
244 (state->stateful)? "stateful": "stateless");
246 for (i = 0; i < sizeof(state->master_key); i++)
247 sprintf(mkey + i * 2, "%.2x ", state->master_key[i]);
248 for (i = 0; i < sizeof(state->session_key); i++)
249 sprintf(skey + i * 2, "%.2x ", state->session_key[i]);
250 printk(KERN_DEBUG "%s[%d]: keys: master: %s initial session: %s\n",
251 debugstr, unit, mkey, skey);
255 * Initialize the coherency count. The initial value is not specified
256 * in RFC 3078, but we can make a reasonable assumption that it will
257 * start at 0. Setting it to the max here makes the comp/decomp code
258 * do the right thing (determined through experiment).
260 state->ccount = MPPE_CCOUNT_SPACE - 1;
263 * Note that even though we have initialized the key table, we don't
264 * set the FLUSHED bit. This is contrary to RFC 3078, sec. 3.1.
266 state->bits = MPPE_BIT_ENCRYPTED;
269 state->debug = debug;
277 mppe_comp_init(void *arg, unsigned char *options, int optlen, int unit,
278 int hdrlen, int debug)
281 return mppe_init(arg, options, optlen, unit, debug, "mppe_comp_init");
285 * We received a CCP Reset-Request (actually, we are sending a Reset-Ack),
286 * tell the compressor to rekey. Note that we MUST NOT rekey for
287 * every CCP Reset-Request; we only rekey on the next xmit packet.
288 * We might get multiple CCP Reset-Requests if our CCP Reset-Ack is lost.
289 * So, rekeying for every CCP Reset-Request is broken as the peer will not
290 * know how many times we've rekeyed. (If we rekey and THEN get another
291 * CCP Reset-Request, we must rekey again.)
294 mppe_comp_reset(void *arg)
296 ppp_mppe_state *state = (ppp_mppe_state *) arg;
298 state->bits |= MPPE_BIT_FLUSHED;
302 * Compress (encrypt) a packet.
303 * It's strange to call this a compressor, since the output is always
304 * MPPE_OVHD + 2 bytes larger than the input.
307 mppe_compress(void *arg, unsigned char *ibuf, unsigned char *obuf,
308 int isize, int osize)
310 ppp_mppe_state *state = (ppp_mppe_state *) arg;
314 * Check that the protocol is in the range we handle.
316 proto = PPP_PROTOCOL(ibuf);
317 if (proto < 0x0021 || proto > 0x00fa)
320 /* Make sure we have enough room to generate an encrypted packet. */
321 if (osize < isize + MPPE_OVHD + 2) {
322 /* Drop the packet if we should encrypt it, but can't. */
323 printk(KERN_DEBUG "mppe_compress[%d]: osize too small! "
324 "(have: %d need: %d)\n", state->unit,
325 osize, osize + MPPE_OVHD + 2);
329 osize = isize + MPPE_OVHD + 2;
332 * Copy over the PPP header and set control bits.
334 obuf[0] = PPP_ADDRESS(ibuf);
335 obuf[1] = PPP_CONTROL(ibuf);
336 obuf[2] = PPP_COMP >> 8; /* isize + MPPE_OVHD + 1 */
337 obuf[3] = PPP_COMP; /* isize + MPPE_OVHD + 2 */
340 state->ccount = (state->ccount + 1) % MPPE_CCOUNT_SPACE;
341 obuf[0] = state->ccount >> 8;
342 obuf[1] = state->ccount & 0xff;
344 if (!state->stateful || /* stateless mode */
345 ((state->ccount & 0xff) == 0xff) || /* "flag" packet */
346 (state->bits & MPPE_BIT_FLUSHED)) { /* CCP Reset-Request */
348 if (state->debug && state->stateful)
349 printk(KERN_DEBUG "mppe_compress[%d]: rekeying\n", state->unit);
350 mppe_rekey(state, 0);
351 state->bits |= MPPE_BIT_FLUSHED;
353 obuf[0] |= state->bits;
354 state->bits &= ~MPPE_BIT_FLUSHED; /* reset for next xmit */
357 ibuf += 2; /* skip to proto field */
361 arcfour_encrypt(&state->arcfour_context, ibuf, isize, obuf);
363 state->stats.unc_bytes += isize;
364 state->stats.unc_packets++;
365 state->stats.comp_bytes += osize;
366 state->stats.comp_packets++;
372 * Since every frame grows by MPPE_OVHD + 2 bytes, this is always going
373 * to look bad ... and the longer the link is up the worse it will get.
376 mppe_comp_stats(void *arg, struct compstat *stats)
378 ppp_mppe_state *state = (ppp_mppe_state *) arg;
380 *stats = state->stats;
385 mppe_decomp_init(void *arg, unsigned char *options, int optlen, int unit,
386 int hdrlen, int mru, int debug)
389 return mppe_init(arg, options, optlen, unit, debug, "mppe_decomp_init");
393 * We received a CCP Reset-Ack. Just ignore it.
396 mppe_decomp_reset(void *arg)
403 * Decompress (decrypt) an MPPE packet.
406 mppe_decompress(void *arg, unsigned char *ibuf, int isize, unsigned char *obuf,
409 ppp_mppe_state *state = (ppp_mppe_state *) arg;
411 int flushed = MPPE_BITS(ibuf) & MPPE_BIT_FLUSHED;
414 if (isize <= PPP_HDRLEN + MPPE_OVHD) {
416 printk(KERN_DEBUG "mppe_decompress[%d]: short pkt (%d)\n",
420 /* Strange ... our output size is always LESS than the input size. */
421 /* assert(osize >= isize - MPPE_OVHD - 2); */
423 osize = isize - MPPE_OVHD - 2;
425 ccount = MPPE_CCOUNT(ibuf);
427 /* sanity checks -- terminate with extreme prejudice */
428 if (!(MPPE_BITS(ibuf) & MPPE_BIT_ENCRYPTED)) {
429 printk(KERN_DEBUG "mppe_decompress[%d]: ENCRYPTED bit not set!\n",
431 state->sanity_errors += 100;
434 if (!state->stateful && !flushed) {
435 printk(KERN_DEBUG "mppe_decompress[%d]: FLUSHED bit not set in "
436 "stateless mode!\n", state->unit);
437 state->sanity_errors += 100;
440 if (state->stateful && ((ccount & 0xff) == 0xff) && !flushed) {
441 printk(KERN_DEBUG "mppe_decompress[%d]: FLUSHED bit not set on "
442 "flag packet!\n", state->unit);
443 state->sanity_errors += 100;
448 if (state->sanity_errors < SANITY_MAX)
452 * Take LCP down if the peer is sending too many bogons.
453 * We don't want to do this for a single or just a few
454 * instances since it could just be due to packet corruption.
456 return DECOMP_FATALERROR;
460 * Check the coherency count.
463 if (!state->stateful) {
464 /* RFC 3078, sec 8.1. Rekey for every packet. */
465 while (state->ccount != ccount) {
466 mppe_rekey(state, 0);
467 state->ccount = (state->ccount + 1) % MPPE_CCOUNT_SPACE;
470 /* RFC 3078, sec 8.2. */
471 if (!state->discard) {
473 state->ccount = (state->ccount + 1) % MPPE_CCOUNT_SPACE;
474 if (ccount != state->ccount) {
476 * (ccount > state->ccount)
477 * Packet loss detected, enter the discard state.
478 * Signal the peer to rekey (by sending a CCP Reset-Request).
486 /* ccp.c will be silent (no additional CCP Reset-Requests). */
489 /* Rekey for every missed "flag" packet. */
490 while ((ccount & ~0xff) != (state->ccount & ~0xff)) {
491 mppe_rekey(state, 0);
492 state->ccount = (state->ccount + 256) % MPPE_CCOUNT_SPACE;
497 state->ccount = ccount;
499 * Another problem with RFC 3078 here. It implies that the
500 * peer need not send a Reset-Ack packet. But RFC 1962
501 * requires it. Hopefully, M$ does send a Reset-Ack; even
502 * though it isn't required for MPPE synchronization, it is
503 * required to reset CCP state.
508 mppe_rekey(state, 0);
512 * Fill in the first part of the PPP header. The protocol field
513 * comes from the decrypted data.
515 obuf[0] = PPP_ADDRESS(ibuf); /* +1 */
516 obuf[1] = PPP_CONTROL(ibuf); /* +2 */
518 ibuf += PPP_HDRLEN + MPPE_OVHD;
519 isize -= PPP_HDRLEN + MPPE_OVHD; /* -6 */
522 /* And finally, decrypt the packet. */
523 arcfour_decrypt(&state->arcfour_context, ibuf, isize, obuf);
525 state->stats.unc_bytes += osize;
526 state->stats.unc_packets++;
527 state->stats.comp_bytes += isize;
528 state->stats.comp_packets++;
530 /* good packet credit */
531 state->sanity_errors >>= 1;
537 * Incompressible data has arrived (this should never happen!).
538 * We should probably drop the link if the protocol is in the range
539 * of what should be encrypted. At the least, we should drop this
540 * packet. (How to do this?)
543 mppe_incomp(void *arg, unsigned char *ibuf, int icnt)
545 ppp_mppe_state *state = (ppp_mppe_state *) arg;
548 (PPP_PROTOCOL(ibuf) >= 0x0021 && PPP_PROTOCOL(ibuf) <= 0x00fa))
549 printk(KERN_DEBUG "mppe_incomp[%d]: incompressible (unencrypted) data! "
550 "(proto %04x)\n", state->unit, PPP_PROTOCOL(ibuf));
552 state->stats.inc_bytes += icnt;
553 state->stats.inc_packets++;
554 state->stats.unc_bytes += icnt;
555 state->stats.unc_packets++;
558 /*************************************************************
559 * Module interface table
560 *************************************************************/
562 /* These are in ppp.c */
563 extern int ppp_register_compressor (struct compressor *cp);
564 extern void ppp_unregister_compressor (struct compressor *cp);
567 * Procedures exported to if_ppp.c.
569 struct compressor ppp_mppe = {
570 CI_MPPE, /* compress_proto */
571 mppe_alloc, /* comp_alloc */
572 mppe_free, /* comp_free */
573 mppe_comp_init, /* comp_init */
574 mppe_comp_reset, /* comp_reset */
575 mppe_compress, /* compress */
576 mppe_comp_stats, /* comp_stat */
577 mppe_alloc, /* decomp_alloc */
578 mppe_free, /* decomp_free */
579 mppe_decomp_init, /* decomp_init */
580 mppe_decomp_reset, /* decomp_reset */
581 mppe_decompress, /* decompress */
582 mppe_incomp, /* incomp */
583 mppe_comp_stats, /* decomp_stat */
586 __initfunc(int ppp_mppe_install(void))
588 int answer = ppp_register_compressor(&ppp_mppe);
591 printk(KERN_INFO "PPP MPPE Compression module registered\n");
600 return ppp_mppe_install();
607 printk(KERN_INFO "PPP MPPE Compression module busy\n");
609 ppp_unregister_compressor(&ppp_mppe);