* Copyright (c) 2002 Google, Inc.
*/
-#define RCSID "$Id: chap_ms.c,v 1.26 2002/12/23 23:24:37 fcusack Exp $"
+#define RCSID "$Id: chap_ms.c,v 1.27 2002/12/24 03:43:35 fcusack Exp $"
#ifdef CHAPMS
u_char mppe_send_key[MPPE_MAX_KEY_LEN];
u_char mppe_recv_key[MPPE_MAX_KEY_LEN];
int mppe_keys_set = 0; /* Have the MPPE keys been set? */
+
+#include "fsm.h" /* Need to poke MPPE options */
+#include "ccp.h"
+#include <net/ppp-comp.h>
#endif
static void
#endif
}
+#ifdef MPPE
+/*
+ * Set MPPE options from plugins.
+ */
+void
+set_mppe_enc_types(int policy, int types)
+{
+ /* Early exit for unknown policies. */
+ if (policy != MPPE_ENC_POL_ENC_ALLOWED ||
+ policy != MPPE_ENC_POL_ENC_REQUIRED)
+ return;
+
+ /* Don't modify MPPE if it's optional and wasn't already configured. */
+ if (policy == MPPE_ENC_POL_ENC_ALLOWED && !ccp_wantoptions[0].mppe)
+ return;
+
+ /*
+ * Disable undesirable encryption types. Note that we don't ENABLE
+ * any encryption types, to avoid overriding manual configuration.
+ */
+ switch(types) {
+ case MPPE_ENC_TYPES_RC4_40:
+ ccp_wantoptions[0].mppe &= ~MPPE_OPT_128; /* disable 128-bit */
+ break;
+ case MPPE_ENC_TYPES_RC4_128:
+ ccp_wantoptions[0].mppe &= ~MPPE_OPT_40; /* disable 40-bit */
+ break;
+ default:
+ break;
+ }
+}
+#endif /* MPPE */
#endif /* CHAPMS */
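Review bot: The early-exit test under `/* Early exit for unknown policies. */` joins the two inequalities with `||`, which is true for every `policy` value (nothing equals both constants), so set_mppe_enc_types returns before the switch and the encryption-type restriction the RADIUS server asked for is never applied. In practice a server that permits only 128-bit RC4 still leaves 40-bit negotiable on this side. The condition should read `if (policy != MPPE_ENC_POL_ENC_ALLOWED && policy != MPPE_ENC_POL_ENC_REQUIRED) return;`. It would also help to say in the switch that the combined value (both strengths) and unknown values deliberately land in `default`, e.g. `/* both types, or unknown: leave the configured set unchanged */`.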
* AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*
- * $Id: chap_ms.h,v 1.8 2002/12/23 23:24:37 fcusack Exp $
+ * $Id: chap_ms.h,v 1.9 2002/12/24 03:43:35 fcusack Exp $
*/
#ifndef __CHAPMS_INCLUDE__
extern u_char mppe_send_key[MPPE_MAX_KEY_LEN];
extern u_char mppe_recv_key[MPPE_MAX_KEY_LEN];
extern int mppe_keys_set;
+
+/* These values are the RADIUS attribute values--see RFC 2548. */
+#define MPPE_ENC_POL_ENC_ALLOWED 1
+#define MPPE_ENC_POL_ENC_REQUIRED 2
+#define MPPE_ENC_TYPES_RC4_40 2
+#define MPPE_ENC_TYPES_RC4_128 4
+
+/* used by plugins (using above values) */
+extern void set_mppe_enc_types(int, int);
#endif
/* Are we the authenticator or authenticatee? For MS-CHAPv2 key derivation. */
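Review bot: The prototype `extern void set_mppe_enc_types(int, int);` drops the parameter names, which matters here because both arguments are plain ints drawn from different attribute value spaces and a plugin author cannot tell the order from the declaration; write it as `extern void set_mppe_enc_types(int policy, int types);`. A short comment on the expected values would complete it, e.g. `/* policy: MPPE_ENC_POL_*; types: MPPE_ENC_TYPES_* (RFC 2548); only restricts, never enables MPPE */`, the last clause matching what the definition in chap_ms.c documents.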
*
***********************************************************************/
static char const RCSID[] =
-"$Id: radius.c,v 1.19 2002/12/23 23:24:37 fcusack Exp $";
+"$Id: radius.c,v 1.20 2002/12/24 03:43:35 fcusack Exp $";
#include "pppd.h"
#include "chap.h"
{
u_int32_t remote;
int ms_chap2_success = 0;
+#ifdef MPPE
+ int mppe_enc_keys = 0; /* whether or not these were received */
+ int mppe_enc_policy = 0;
+ int mppe_enc_types = 0;
+#endif
/* Send RADIUS attributes to anyone else who might be interested */
if (radius_attributes_hook) {
"RADIUS: bad MS-CHAP-MPPE-Keys attribute");
return -1;
}
+ mppe_enc_keys = 1;
break;
case PW_MS_MPPE_SEND_KEY:
"Send": "Recv");
return -1;
}
+ mppe_enc_keys = 1;
break;
-#endif /* MPPE */
-#if 0
+
case PW_MS_MPPE_ENCRYPTION_POLICY:
+ mppe_enc_policy = vp->lvalue; /* save for later */
+ break;
+
case PW_MS_MPPE_ENCRYPTION_TYPES:
+ mppe_enc_types = vp->lvalue; /* save for later */
+ break;
+
+#endif /* MPPE */
+#if 0
case PW_MS_PRIMARY_DNS_SERVER:
case PW_MS_SECONDARY_DNS_SERVER:
case PW_MS_PRIMARY_NBNS_SERVER:
if (cstate && (cstate->chal_type == CHAP_MICROSOFT_V2) && !ms_chap2_success)
return -1;
+#ifdef MPPE
+ /*
+ * Require both policy and key attributes to indicate a valid key.
+ * Note that if the policy value was '0' we don't set the key!
+ */
+ if (mppe_enc_policy && mppe_enc_keys) {
+ mppe_keys_set = 1;
+ /* Set/modify allowed encryption types. */
+ if (mppe_enc_types)
+ set_mppe_enc_types(mppe_enc_policy, mppe_enc_types);
+ }
+#endif
+
return 0;
}
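Review bot: The new block after `return -1;` raises `mppe_keys_set` for any non-zero `mppe_enc_policy`, so a server sending Encryption-Required (MPPE_ENC_POL_ENC_REQUIRED) is treated the same as Encryption-Allowed: nothing in this hunk refuses the link when MPPE is not enabled locally, and set_mppe_enc_types by its own comment never enables it, so "required" is effectively advisory here. If that is the intended division of responsibility, state it, e.g. `/* ENC_REQUIRED is not enforced here; MPPE must be enabled in the local config for it to take effect. */`; otherwise the place to reject the link is where the policy is consumed. The test also accepts policy values other than 1 and 2, which set_mppe_enc_types then ignores; limiting it to the two RFC 2548 values would keep the two sides consistent. The enclosing function begins outside the hunk.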
* to generate the start key, sigh. NB: We do not support the LM-Key.
*/
mppe_set_keys(cstate->challenge, &plain[8]);
- mppe_keys_set = 1;
return 0;
}
memcpy(mppe_send_key, plain + 1, 16);
else
memcpy(mppe_recv_key, plain + 1, 16);
- mppe_keys_set = 1;
return 0;
}