Commit Graph

25 Commits

Author SHA1 Message Date
Brian Somers
3285bb3c97 Don't trust the MPPE key lengths passed back from the RADIUS server.
Instead, use the correct values based on the number of bits actually
negotiated.

Spotted by: Sergey Korolew <ds@rt.balakovo.ru>
2002-07-02 00:47:24 +00:00
Brian Somers
2f11f09fee When a RADIUS server is being used, don't use MPPE unless the RADIUS
server says it's ok.
2002-06-28 08:46:21 +00:00
Brian Somers
8fb5ef5ae2 Understand the following Microsoft Vendor Specific RADIUS attributes:
RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY
  RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES
  RAD_MICROSOFT_MS_MPPE_RECV_KEY
  RAD_MICROSOFT_MS_MPPE_SEND_KEY

These attributes may be supplied by a RADIUS server when MSCHAPv2 is
used to authenticate.

It *should* now be possible to build ppp with -DNODES and still support
CHAP/MSCHAP/MSCHAPv2/MPPE via a RADIUS server, but the code isn't yet
smart enough to do that (building with -DNODES just looses these
facilities).

Sponsored by: Monzoon
2002-06-12 00:33:17 +00:00
Brian Somers
5bc74cd68f Put back <string.h> 2002-05-17 00:44:54 +00:00
Brian Somers
de59e178aa o Clean up some #includes
o Bump version number to 3.0.4
o When talking to a RADIUS server, provide a NAS-Port-Type.

  When the NAS-Port-Type is Ethernet, provide a NAS-Port value equal
  to the SESSIONID from the environment in direct mode or the
  NGM_PPPOE_SESSIONID message in other modes.  If no SESSIONID is found,
  default to the interface index in client mode or zero in server mode.

  When the NAS-Port-Type is ISDN, set the NAS-Port to the minor number
  of the physical device (ie, the N in /dev/i4brbchN).

  This makes it easier for the RADIUS server to identify the client
  WRT accounting data etc.

Prompted by:	lsz8425 <lsz8425@mail.cd.hn.cn>
2002-05-14 12:55:39 +00:00
Brian Somers
e0ae8e1950 Fix a syntax error 2002-05-13 20:25:47 +00:00
Brian Somers
413205628d We don't need to include arpa/inet.h here. In fact, only FreeBSD needs
netinet/in.h.
2002-05-11 17:04:01 +00:00
Brian Somers
b50574e8bc #include netinet/in.h when !__FreeBSD__ to silence some warnings from
the inclusion of arpa/inet.h
2002-05-11 10:54:45 +00:00
Brian Somers
ff360cc91b Make the way FSM options are processed easier to read by using structures
instead of u_char *.

The changes are cosmetic except:

  RecvConfigAck() now displays the options that are being ACK'd
  Huge (bogus) options sent from the peer won't cause an infinite loop
  SendIdent and ReceiveIdent are displayed consistenlty with other FSM data
  LCP AUTHPROTO options that aren't understood are NAK'd, not REJ'd
2002-04-16 23:57:09 +00:00
Brian Somers
25f2690c32 Include arpa/inet.h 2002-03-31 01:36:08 +00:00
Brian Somers
fb11a9c23d Merge the NETGRAPH branch into HEAD. tty devices now use netgraph's line
discipline to do the async escaping, but no other benefits are available yet.

Change ``ifdef HAVE_DES'' to ``ifndef NODES'' for consistency.

Make the Makefile a little more sane WRT RELEASE_CRUNCH.
2002-03-30 12:30:09 +00:00
Brian Somers
d919580716 Use the return value from snprintf() to keep a track of the length of
the display string in MPPEDispOpts.

PR:		35836
MFC After:	2 weeks
2002-03-13 10:21:19 +00:00
Mike Barcroft
fd8e4ebc8c o Move NTOHL() and associated macros into <sys/param.h>. These are
deprecated in favor of the POSIX-defined lowercase variants.
o Change all occurrences of NTOHL() and associated marcros in the
  source tree to use the lowercase function variants.
o Add missing license bits to sparc64's <machine/endian.h>.
  Approved by: jake
o Clean up <machine/endian.h> files.
o Remove unused __uint16_swap_uint32() from i386's <machine/endian.h>.
o Remove prototypes for non-existent bswapXX() functions.
o Include <machine/endian.h> in <arpa/inet.h> to define the
  POSIX-required ntohl() family of functions.
o Do similar things to expose the ntohl() family in libstand, <netinet/in.h>,
  and <sys/param.h>.
o Prepend underscores to the ntohl() family to help deal with
  complexities associated with having MD (asm and inline) versions, and
  having to prevent exposure of these functions in other headers that
  happen to make use of endian-specific defines.
o Create weak aliases to the canonical function name to help deal with
  third-party software forgetting to include an appropriate header.
o Remove some now unneeded pollution from <sys/types.h>.
o Add missing <arpa/inet.h> includes in userland.

Tested on:	alpha, i386
Reviewed by:	bde, jake, tmm
2002-02-18 20:35:27 +00:00
Brian Somers
d9dc3116bf Correct alignment issues
Obtained from: OpenBSD
2001-09-13 10:03:20 +00:00
Brian Somers
a7428f1858 Send a reset request for every packet received when our encryption
dictionaries are out of sync.

This avoids the complications that happen when our original reset
request gets lost in transit (quite likely in hind sight, given a
lossy link) when we end up ignoring the peer for the next (up to)
256 packets.

Submitted by:	Nick Sayer <nsayer@quack.kfu.com>
2001-08-27 10:42:21 +00:00
Brian Somers
662a42f752 When we miss one or more packets in stateful mode *and* need to
perform a key change, *and* our sequence numbers have wrapped,
ensure that the number of key changes is calculated correctly.

The previous code counted down from a negative number to zero,
re-encrypting the current key on each iteration - this took some
time and strangely enough got the answer wrong !!!

Fix a(nother) spelling mistake while I'm there.
2001-07-07 03:06:20 +00:00
Brian Somers
6301d506fb Reduce the interface MTU by 2 when MPPE has been successfully negotiated.
This is necessary because MPPE will combine the protocol id with the
payload received on the tun interface, encrypt it, then prepend its
own protocol id, effectively increasing the payload by two bytes.
2001-07-03 22:20:19 +00:00
Brian Somers
6cf6ee7625 Add support for stateful MPPE (microsoft encryption) providing
encryption compatibility with Windows 2000.  Stateful encryption
uses less CPU but is bad on lossy transports.

The ``set mppe'' command has been expanded.  If it's used with any
arguments, ppp will insist on encryption, closing LCP if the other
end refuses.

Unfortunately, Microsoft have abused the CCP reset request so that
receiving a reset request does not result in a reset ack when using
MPPE...

Sponsored by:	Monzoon Networks AG and FreeBSD Services Limited
2001-06-18 15:00:22 +00:00
Brian Somers
7f89db65f5 Add a ``Usable'' function to the ccp switch. The function
is called prior to sending a CCP configure request for a
given protocol.  The default is to send the request, but
this is overridden for MPPE which checks to see if the lcp
negotiations agreed CHAP81, and if not fails.

Use the same function to decide if we should reject peer
requests for MPPE.

This should get rid of those boring messages about not being
able to initialise MPPE when we don't negotiate CHAP81.
2001-02-04 22:53:11 +00:00
Brian Somers
019d32bf74 Make the MPPE MasterKey Invalid messages a bit clearer (it now
complains that you can't do MPPE without CHAP81).

Reset MasterKeyValid to zero when we hit phase DEAD.
2001-02-04 01:08:24 +00:00
Brian Somers
12df0d6c58 Log the ``MPPE: MasterKey is invalid...'' message as a CCP
diagnostic rather than a warning.
2000-12-29 22:25:56 +00:00
Brian Somers
542962ddf9 Introduce another global (MPPE_IsServer) so that we initiate the
MPPE session keys correctly.

I'm a bit dubious about this code.  It seems that the session keys
are initialised differently based on whether you're the client or
the server.  One side is the server if it issues the first challenge,
but of course you can issue a challenge from both sides.... at the
same time.  Sounds like another wonderful M$ assumption...

Ppp can now talk to itself correctly using encryption.

Problem solved by:	Ustimenko Semen <semen@iclub.nsu.ru>
Hair torn out by:	me
2000-11-07 23:19:11 +00:00
Brian Somers
1c25c5e077 Merge some OpenBSD/NetBSD fixes to the recent MPPE/CHAP0x81 update. 2000-11-05 03:25:09 +00:00
Brian Somers
9b9967924b Various whitespace changes.
Make some functions static.
2000-10-30 00:15:29 +00:00
Brian Somers
a8d604ab74 Add MPPE and MSChap v2 support (denied and disabled by default)
Submitted by: Ustimenko Semen <semen@iclub.nsu.ru>
2000-10-30 00:15:04 +00:00