X-Git-Url: https://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=pppd%2Fccp.c;h=cfe94f8e9f3af44813a6e2cda02b2243924df956;hp=fd51952e02bb21eaf14339a587db1baaac3ec06b;hb=a12ffcd5b0a1cf9a4920064295c9b02b127465b3;hpb=ec27e67401c1e4031be2fa7f692d3d66d5bee586 diff --git a/pppd/ccp.c b/pppd/ccp.c index fd51952..cfe94f8 100644 --- a/pppd/ccp.c +++ b/pppd/ccp.c @@ -28,7 +28,11 @@ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#define RCSID "$Id: ccp.c,v 1.48 2004/11/13 02:28:15 paulus Exp $" +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#define RCSID "$Id: ccp.c,v 1.50 2005/06/26 19:34:41 carlsonj Exp $" #include #include @@ -38,12 +42,10 @@ #include "ccp.h" #include -#ifdef MPPE -#include "chap_ms.h" /* mppe_xxxx_key, mppe_keys_set */ +#include "chap_ms.h" +#include "mppe.h" #include "lcp.h" /* lcp_close(), lcp_fsm */ -#endif -static const char rcsid[] = RCSID; /* * Unfortunately there is a bug in zlib which means that using a @@ -57,15 +59,15 @@ static const char rcsid[] = RCSID; /* * Command-line options. */ -static int setbsdcomp __P((char **)); -static int setdeflate __P((char **)); +static int setbsdcomp (char **); +static int setdeflate (char **); static char bsd_value[8]; static char deflate_value[8]; /* * Option variables. */ -#ifdef MPPE +#ifdef PPP_WITH_MPPE bool refuse_mppe_stateful = 1; /* Allow stateful mode? */ #endif @@ -108,7 +110,7 @@ static option_t ccp_option_list[] = { "don't allow Predictor-1", OPT_ALIAS | OPT_PRIOSUB | OPT_A2CLR, &ccp_allowoptions[0].predictor_1 }, -#ifdef MPPE +#ifdef PPP_WITH_MPPE /* MPPE options are symmetrical ... we only set wantoptions here */ { "require-mppe", o_bool, &ccp_wantoptions[0].mppe, "require MPPE encryption", @@ -164,17 +166,17 @@ static option_t ccp_option_list[] = { /* * Protocol entry points from main code. */ -static void ccp_init __P((int unit)); -static void ccp_open __P((int unit)); -static void ccp_close __P((int unit, char *)); -static void ccp_lowerup __P((int unit)); -static void ccp_lowerdown __P((int)); -static void ccp_input __P((int unit, u_char *pkt, int len)); -static void ccp_protrej __P((int unit)); -static int ccp_printpkt __P((u_char *pkt, int len, - void (*printer) __P((void *, char *, ...)), - void *arg)); -static void ccp_datainput __P((int unit, u_char *pkt, int len)); +static void ccp_init (int unit); +static void ccp_open (int unit); +static void ccp_close (int unit, char *); +static void ccp_lowerup (int unit); +static void ccp_lowerdown (int); +static void ccp_input (int unit, u_char *pkt, int len); +static void ccp_protrej (int unit); +static int ccp_printpkt (u_char *pkt, int len, + void (*printer)(void *, char *, ...), + void *arg); +static void ccp_datainput (int unit, u_char *pkt, int len); struct protent ccp_protent = { PPP_CCP, @@ -205,18 +207,18 @@ ccp_options ccp_hisoptions[NUM_PPP]; /* what we agreed to do */ /* * Callbacks for fsm code. */ -static void ccp_resetci __P((fsm *)); -static int ccp_cilen __P((fsm *)); -static void ccp_addci __P((fsm *, u_char *, int *)); -static int ccp_ackci __P((fsm *, u_char *, int)); -static int ccp_nakci __P((fsm *, u_char *, int, int)); -static int ccp_rejci __P((fsm *, u_char *, int)); -static int ccp_reqci __P((fsm *, u_char *, int *, int)); -static void ccp_up __P((fsm *)); -static void ccp_down __P((fsm *)); -static int ccp_extcode __P((fsm *, int, int, u_char *, int)); -static void ccp_rack_timeout __P((void *)); -static char *method_name __P((ccp_options *, ccp_options *)); +static void ccp_resetci (fsm *); +static int ccp_cilen (fsm *); +static void ccp_addci (fsm *, u_char *, int *); +static int ccp_ackci (fsm *, u_char *, int); +static int ccp_nakci (fsm *, u_char *, int, int); +static int ccp_rejci (fsm *, u_char *, int); +static int ccp_reqci (fsm *, u_char *, int *, int); +static void ccp_up (fsm *); +static void ccp_down (fsm *); +static int ccp_extcode (fsm *, int, int, u_char *, int); +static void ccp_rack_timeout (void *); +static char *method_name (ccp_options *, ccp_options *); static fsm_callbacks ccp_callbacks = { ccp_resetci, @@ -258,8 +260,7 @@ static int all_rejected[NUM_PPP]; /* we rejected all peer's options */ * Option parsing. */ static int -setbsdcomp(argv) - char **argv; +setbsdcomp(char **argv) { int rbits, abits; char *str, *endp; @@ -297,8 +298,7 @@ setbsdcomp(argv) } static int -setdeflate(argv) - char **argv; +setdeflate(char **argv) { int rbits, abits; char *str, *endp; @@ -348,8 +348,7 @@ setdeflate(argv) * ccp_init - initialize CCP. */ static void -ccp_init(unit) - int unit; +ccp_init(int unit) { fsm *f = &ccp_fsm[unit]; @@ -384,8 +383,7 @@ ccp_init(unit) * ccp_open - CCP is allowed to come up. */ static void -ccp_open(unit) - int unit; +ccp_open(int unit) { fsm *f = &ccp_fsm[unit]; @@ -407,9 +405,7 @@ ccp_open(unit) * ccp_close - Terminate CCP. */ static void -ccp_close(unit, reason) - int unit; - char *reason; +ccp_close(int unit, char *reason) { ccp_flags_set(unit, 0, 0); fsm_close(&ccp_fsm[unit], reason); @@ -419,8 +415,7 @@ ccp_close(unit, reason) * ccp_lowerup - we may now transmit CCP packets. */ static void -ccp_lowerup(unit) - int unit; +ccp_lowerup(int unit) { fsm_lowerup(&ccp_fsm[unit]); } @@ -429,8 +424,7 @@ ccp_lowerup(unit) * ccp_lowerdown - we may not transmit CCP packets. */ static void -ccp_lowerdown(unit) - int unit; +ccp_lowerdown(int unit) { fsm_lowerdown(&ccp_fsm[unit]); } @@ -439,10 +433,7 @@ ccp_lowerdown(unit) * ccp_input - process a received CCP packet. */ static void -ccp_input(unit, p, len) - int unit; - u_char *p; - int len; +ccp_input(int unit, u_char *p, int len) { fsm *f = &ccp_fsm[unit]; int oldstate; @@ -454,7 +445,7 @@ ccp_input(unit, p, len) fsm_input(f, p, len); if (oldstate == OPENED && p[0] == TERMREQ && f->state != OPENED) { notice("Compression disabled by peer."); -#ifdef MPPE +#ifdef PPP_WITH_MPPE if (ccp_gotoptions[unit].mppe) { error("MPPE disabled, closing LCP"); lcp_close(unit, "MPPE disabled by peer"); @@ -475,11 +466,7 @@ ccp_input(unit, p, len) * Handle a CCP-specific code. */ static int -ccp_extcode(f, code, id, p, len) - fsm *f; - int code, id; - u_char *p; - int len; +ccp_extcode(fsm *f, int code, int id, u_char *p, int len) { switch (code) { case CCP_RESETREQ: @@ -508,13 +495,12 @@ ccp_extcode(f, code, id, p, len) * ccp_protrej - peer doesn't talk CCP. */ static void -ccp_protrej(unit) - int unit; +ccp_protrej(int unit) { ccp_flags_set(unit, 0, 0); fsm_lowerdown(&ccp_fsm[unit]); -#ifdef MPPE +#ifdef PPP_WITH_MPPE if (ccp_gotoptions[unit].mppe) { error("MPPE required but peer negotiation failed"); lcp_close(unit, "MPPE required but peer negotiation failed"); @@ -527,8 +513,7 @@ ccp_protrej(unit) * ccp_resetci - initialize at start of negotiation. */ static void -ccp_resetci(f) - fsm *f; +ccp_resetci(fsm *f) { ccp_options *go = &ccp_gotoptions[f->unit]; u_char opt_buf[CCP_MAX_OPTION_LENGTH]; @@ -536,10 +521,13 @@ ccp_resetci(f) *go = ccp_wantoptions[f->unit]; all_rejected[f->unit] = 0; -#ifdef MPPE +#ifdef PPP_WITH_MPPE if (go->mppe) { ccp_options *ao = &ccp_allowoptions[f->unit]; int auth_mschap_bits = auth_done[f->unit]; +#ifdef PPP_WITH_EAPTLS + int auth_eap_bits = auth_done[f->unit]; +#endif int numbits; /* @@ -567,14 +555,29 @@ ccp_resetci(f) lcp_close(f->unit, "MPPE required but not available"); return; } + +#ifdef PPP_WITH_EAPTLS + /* + * MPPE is also possible in combination with EAP-TLS. + * It is not possible to detect if we're doing EAP or EAP-TLS + * at this stage, hence we accept all forms of EAP. If TLS is + * not used then the MPPE keys will not be derived anyway. + */ + /* Leave only the eap auth bits set */ + auth_eap_bits &= (EAP_WITHPEER | EAP_PEER ); + + if ((numbits == 0) && (auth_eap_bits == 0)) { + error("MPPE required, but MS-CHAP[v2] nor EAP-TLS auth are performed."); +#else if (!numbits) { error("MPPE required, but MS-CHAP[v2] auth not performed."); +#endif lcp_close(f->unit, "MPPE required but not available"); return; } /* A plugin (eg radius) may not have obtained key material. */ - if (!mppe_keys_set) { + if (!mppe_keys_isset()) { error("MPPE required, but keys are not available. " "Possible plugin problem?"); lcp_close(f->unit, "MPPE required but not available"); @@ -607,13 +610,11 @@ ccp_resetci(f) ao->predictor_2 = go->predictor_2 = 0; ao->deflate = go->deflate = 0; } -#endif /* MPPE */ /* * Check whether the kernel knows about the various * compression methods we might request. */ -#ifdef MPPE if (go->mppe) { opt_buf[0] = CI_MPPE; opt_buf[1] = CILEN_MPPE; @@ -624,7 +625,7 @@ ccp_resetci(f) lcp_close(f->unit, "MPPE required but not available"); } } -#endif +#endif /* PPP_WITH_MPPE */ if (go->bsd_compress) { opt_buf[0] = CI_BSD_COMPRESS; opt_buf[1] = CILEN_BSD_COMPRESS; @@ -670,13 +671,13 @@ ccp_resetci(f) * ccp_cilen - Return total length of our configuration info. */ static int -ccp_cilen(f) - fsm *f; + ccp_cilen(fsm *f) { ccp_options *go = &ccp_gotoptions[f->unit]; return (go->bsd_compress? CILEN_BSD_COMPRESS: 0) - + (go->deflate? CILEN_DEFLATE: 0) + + (go->deflate && go->deflate_correct? CILEN_DEFLATE: 0) + + (go->deflate && go->deflate_draft? CILEN_DEFLATE: 0) + (go->predictor_1? CILEN_PREDICTOR_1: 0) + (go->predictor_2? CILEN_PREDICTOR_2: 0) + (go->mppe? CILEN_MPPE: 0); @@ -686,10 +687,7 @@ ccp_cilen(f) * ccp_addci - put our requests in a packet. */ static void -ccp_addci(f, p, lenp) - fsm *f; - u_char *p; - int *lenp; + ccp_addci(fsm *f, u_char *p, int *lenp) { int res; ccp_options *go = &ccp_gotoptions[f->unit]; @@ -700,7 +698,7 @@ ccp_addci(f, p, lenp) * preference order. Get the kernel to allocate the first one * in case it gets Acked. */ -#ifdef MPPE +#ifdef PPP_WITH_MPPE if (go->mppe) { u_char opt_buf[CILEN_MPPE + MPPE_MAX_KEY_LEN]; @@ -708,7 +706,7 @@ ccp_addci(f, p, lenp) p[1] = opt_buf[1] = CILEN_MPPE; MPPE_OPTS_TO_CI(go->mppe, &p[2]); MPPE_OPTS_TO_CI(go->mppe, &opt_buf[2]); - BCOPY(mppe_recv_key, &opt_buf[CILEN_MPPE], MPPE_MAX_KEY_LEN); + mppe_get_recv_key(&opt_buf[CILEN_MPPE], MPPE_MAX_KEY_LEN); res = ccp_test(f->unit, opt_buf, CILEN_MPPE + MPPE_MAX_KEY_LEN, 0); if (res > 0) p += CILEN_MPPE; @@ -805,15 +803,12 @@ ccp_addci(f, p, lenp) * 1 iff the packet was OK. */ static int -ccp_ackci(f, p, len) - fsm *f; - u_char *p; - int len; + ccp_ackci(fsm *f, u_char *p, int len) { ccp_options *go = &ccp_gotoptions[f->unit]; u_char *p0 = p; -#ifdef MPPE +#ifdef PPP_WITH_MPPE if (go->mppe) { u_char opt_buf[CILEN_MPPE]; @@ -894,10 +889,7 @@ ccp_ackci(f, p, len) * Returns 1 iff the nak was OK. */ static int -ccp_nakci(f, p, len, treat_as_reject) - fsm *f; - u_char *p; - int len; + ccp_nakci(fsm *f, u_char *p, int len, int treat_as_reject) { ccp_options *go = &ccp_gotoptions[f->unit]; ccp_options no; /* options we've seen already */ @@ -906,7 +898,7 @@ ccp_nakci(f, p, len, treat_as_reject) memset(&no, 0, sizeof(no)); try = *go; -#ifdef MPPE +#ifdef PPP_WITH_MPPE if (go->mppe && len >= CILEN_MPPE && p[0] == CI_MPPE && p[1] == CILEN_MPPE) { no.mppe = 1; @@ -928,7 +920,7 @@ ccp_nakci(f, p, len, treat_as_reject) lcp_close(f->unit, "MPPE required but peer negotiation failed"); } } -#endif /* MPPE */ +#endif /* PPP_WITH_MPPE */ if (go->deflate && len >= CILEN_DEFLATE && p[0] == (go->deflate_correct? CI_DEFLATE: CI_DEFLATE_DRAFT) && p[1] == CILEN_DEFLATE) { @@ -983,10 +975,7 @@ ccp_nakci(f, p, len, treat_as_reject) * ccp_rejci - reject some of our suggested compression methods. */ static int -ccp_rejci(f, p, len) - fsm *f; - u_char *p; - int len; +ccp_rejci(fsm *f, u_char *p, int len) { ccp_options *go = &ccp_gotoptions[f->unit]; ccp_options try; /* options to request next time */ @@ -1000,7 +989,7 @@ ccp_rejci(f, p, len) if (len == 0 && all_rejected[f->unit]) return -1; -#ifdef MPPE +#ifdef PPP_WITH_MPPE if (go->mppe && len >= CILEN_MPPE && p[0] == CI_MPPE && p[1] == CILEN_MPPE) { error("MPPE required but peer refused"); @@ -1065,18 +1054,14 @@ ccp_rejci(f, p, len) * appropriately. */ static int -ccp_reqci(f, p, lenp, dont_nak) - fsm *f; - u_char *p; - int *lenp; - int dont_nak; +ccp_reqci(fsm *f, u_char *p, int *lenp, int dont_nak) { int ret, newret, res; u_char *p0, *retp; int len, clen, type, nb; ccp_options *ho = &ccp_hisoptions[f->unit]; ccp_options *ao = &ccp_allowoptions[f->unit]; -#ifdef MPPE +#ifdef PPP_WITH_MPPE bool rej_for_ci_mppe = 1; /* Are we rejecting based on a bad/missing */ /* CI_MPPE, or due to other options? */ #endif @@ -1100,7 +1085,7 @@ ccp_reqci(f, p, lenp, dont_nak) clen = p[1]; switch (type) { -#ifdef MPPE +#ifdef PPP_WITH_MPPE case CI_MPPE: if (!ao->mppe || clen != CILEN_MPPE) { newret = CONFREJ; @@ -1158,8 +1143,11 @@ ccp_reqci(f, p, lenp, dont_nak) } } else { /* Neither are set. */ - newret = CONFREJ; - break; + /* We cannot accept this. */ + newret = CONFNAK; + /* Give the peer our idea of what can be used, + so it can choose and confirm */ + ho->mppe = ao->mppe; } /* rebuild the opts */ @@ -1169,8 +1157,7 @@ ccp_reqci(f, p, lenp, dont_nak) int mtu; BCOPY(p, opt_buf, CILEN_MPPE); - BCOPY(mppe_send_key, &opt_buf[CILEN_MPPE], - MPPE_MAX_KEY_LEN); + mppe_get_send_key(&opt_buf[CILEN_MPPE], MPPE_MAX_KEY_LEN); if (ccp_test(f->unit, opt_buf, CILEN_MPPE + MPPE_MAX_KEY_LEN, 1) <= 0) { /* This shouldn't happen, we've already tested it! */ @@ -1198,7 +1185,7 @@ ccp_reqci(f, p, lenp, dont_nak) */ rej_for_ci_mppe = 0; break; -#endif /* MPPE */ +#endif /* PPP_WITH_MPPE */ case CI_DEFLATE: case CI_DEFLATE_DRAFT: if (!ao->deflate || clen != CILEN_DEFLATE @@ -1340,7 +1327,7 @@ ccp_reqci(f, p, lenp, dont_nak) else *lenp = retp - p0; } -#ifdef MPPE +#ifdef PPP_WITH_MPPE if (ret == CONFREJ && ao->mppe && rej_for_ci_mppe) { error("MPPE required but peer negotiation failed"); lcp_close(f->unit, "MPPE required but peer negotiation failed"); @@ -1353,15 +1340,14 @@ ccp_reqci(f, p, lenp, dont_nak) * Make a string name for a compression method (or 2). */ static char * -method_name(opt, opt2) - ccp_options *opt, *opt2; +method_name(ccp_options *opt, ccp_options *opt2) { static char result[64]; if (!ANY_COMPRESS(*opt)) return "(none)"; switch (opt->method) { -#ifdef MPPE +#ifdef PPP_WITH_MPPE case CI_MPPE: { char *p = result; @@ -1418,8 +1404,7 @@ method_name(opt, opt2) * CCP has come up - inform the kernel driver and log a message. */ static void -ccp_up(f) - fsm *f; +ccp_up(fsm *f) { ccp_options *go = &ccp_gotoptions[f->unit]; ccp_options *ho = &ccp_hisoptions[f->unit]; @@ -1439,10 +1424,9 @@ ccp_up(f) notice("%s receive compression enabled", method_name(go, NULL)); } else if (ANY_COMPRESS(*ho)) notice("%s transmit compression enabled", method_name(ho, NULL)); -#ifdef MPPE +#ifdef PPP_WITH_MPPE if (go->mppe) { - BZERO(mppe_recv_key, MPPE_MAX_KEY_LEN); - BZERO(mppe_send_key, MPPE_MAX_KEY_LEN); + mppe_clear_keys(); continue_networks(f->unit); /* Bring up IP et al */ } #endif @@ -1452,14 +1436,13 @@ ccp_up(f) * CCP has gone down - inform the kernel driver. */ static void -ccp_down(f) - fsm *f; +ccp_down(fsm *f) { if (ccp_localstate[f->unit] & RACK_PENDING) UNTIMEOUT(ccp_rack_timeout, f); ccp_localstate[f->unit] = 0; ccp_flags_set(f->unit, 1, 0); -#ifdef MPPE +#ifdef PPP_WITH_MPPE if (ccp_gotoptions[f->unit].mppe) { ccp_gotoptions[f->unit].mppe = 0; if (lcp_fsm[f->unit].state == OPENED) { @@ -1482,11 +1465,8 @@ static char *ccp_codenames[] = { }; static int -ccp_printpkt(p, plen, printer, arg) - u_char *p; - int plen; - void (*printer) __P((void *, char *, ...)); - void *arg; +ccp_printpkt(u_char *p, int plen, + void (*printer) (void *, char *, ...), void *arg) { u_char *p0, *optend; int code, id, len; @@ -1525,7 +1505,7 @@ ccp_printpkt(p, plen, printer, arg) len -= optlen; optend = p + optlen; switch (code) { -#ifdef MPPE +#ifdef PPP_WITH_MPPE case CI_MPPE: if (optlen >= CILEN_MPPE) { u_char mppe_opts; @@ -1615,10 +1595,7 @@ ccp_printpkt(p, plen, printer, arg) * compression :-(, otherwise we issue the reset-request. */ static void -ccp_datainput(unit, pkt, len) - int unit; - u_char *pkt; - int len; +ccp_datainput(int unit, u_char *pkt, int len) { fsm *f; @@ -1630,7 +1607,7 @@ ccp_datainput(unit, pkt, len) */ error("Lost compression sync: disabling compression"); ccp_close(unit, "Lost compression sync"); -#ifdef MPPE +#ifdef PPP_WITH_MPPE /* * If we were doing MPPE, we must also take the link down. */ @@ -1659,8 +1636,7 @@ ccp_datainput(unit, pkt, len) * Timeout waiting for reset-ack. */ static void -ccp_rack_timeout(arg) - void *arg; +ccp_rack_timeout(void *arg) { fsm *f = arg;