1 /* 2 * mppe.c - interface MPPE to the PPP code. 3 * 4 * By Frank Cusack <fcusack@fcusack.com>. 5 * Copyright (c) 2002,2003,2004 Google, Inc. 6 * All rights reserved. 7 * 8 * License: 9 * Permission to use, copy, modify, and distribute this software and its 10 * documentation is hereby granted, provided that the above copyright 11 * notice appears in all copies. This software is provided without any 12 * warranty, express or implied. 13 * 14 * Changelog: 15 * 08/12/05 - Matt Domsch <Matt_Domsch@dell.com> 16 * Only need extra skb padding on transmit, not receive. 17 * 06/18/04 - Matt Domsch <Matt_Domsch@dell.com>, Oleg Makarenko <mole@quadra.ru> 18 * Use Linux kernel 2.6 arc4 and sha1 routines rather than 19 * providing our own. 20 * 2/15/04 - TS: added #include <version.h> and testing for Kernel 21 * version before using 22 * MOD_DEC_USAGE_COUNT/MOD_INC_USAGE_COUNT which are 23 * deprecated in 2.6 24 */ 25 26 #include "netif/ppp/ppp_opts.h" 27 #if PPP_SUPPORT && MPPE_SUPPORT /* don't build if not configured for use in lwipopts.h */ 28 29 #include <string.h> 30 31 #include "lwip/err.h" 32 33 #include "netif/ppp/ppp_impl.h" 34 #include "netif/ppp/ccp.h" 35 #include "netif/ppp/mppe.h" 36 #include "netif/ppp/pppdebug.h" 37 #include "netif/ppp/pppcrypt.h" 38 39 #define SHA1_SIGNATURE_SIZE 20 40 41 /* ppp_mppe_state.bits definitions */ 42 #define MPPE_BIT_A 0x80 /* Encryption table were (re)inititalized */ 43 #define MPPE_BIT_B 0x40 /* MPPC only (not implemented) */ 44 #define MPPE_BIT_C 0x20 /* MPPC only (not implemented) */ 45 #define MPPE_BIT_D 0x10 /* This is an encrypted frame */ 46 47 #define MPPE_BIT_FLUSHED MPPE_BIT_A 48 #define MPPE_BIT_ENCRYPTED MPPE_BIT_D 49 50 #define MPPE_BITS(p) ((p)[0] & 0xf0) 51 #define MPPE_CCOUNT(p) ((((p)[0] & 0x0f) << 8) + (p)[1]) 52 #define MPPE_CCOUNT_SPACE 0x1000 /* The size of the ccount space */ 53 54 #define MPPE_OVHD 2 /* MPPE overhead/packet */ 55 #define SANITY_MAX 1600 /* Max bogon factor we will tolerate */ 56 57 /* 58 * Perform the MPPE rekey algorithm, from RFC 3078, sec. 7.3. 59 * Well, not what's written there, but rather what they meant. 60 */ 61 static void mppe_rekey(ppp_mppe_state * state, int initial_key) 62 { 63 lwip_sha1_context sha1_ctx; 64 u8_t sha1_digest[SHA1_SIGNATURE_SIZE]; 65 66 /* 67 * Key Derivation, from RFC 3078, RFC 3079. 68 * Equivalent to Get_Key() for MS-CHAP as described in RFC 3079. 69 */ 70 lwip_sha1_init(&sha1_ctx); 71 lwip_sha1_starts(&sha1_ctx); 72 lwip_sha1_update(&sha1_ctx, state->master_key, state->keylen); 73 lwip_sha1_update(&sha1_ctx, mppe_sha1_pad1, SHA1_PAD_SIZE); 74 lwip_sha1_update(&sha1_ctx, state->session_key, state->keylen); 75 lwip_sha1_update(&sha1_ctx, mppe_sha1_pad2, SHA1_PAD_SIZE); 76 lwip_sha1_finish(&sha1_ctx, sha1_digest); 77 lwip_sha1_free(&sha1_ctx); 78 MEMCPY(state->session_key, sha1_digest, state->keylen); 79 80 if (!initial_key) { 81 lwip_arc4_init(&state->arc4); 82 lwip_arc4_setup(&state->arc4, sha1_digest, state->keylen); 83 lwip_arc4_crypt(&state->arc4, state->session_key, state->keylen); 84 lwip_arc4_free(&state->arc4); 85 } 86 if (state->keylen == 8) { 87 /* See RFC 3078 */ 88 state->session_key[0] = 0xd1; 89 state->session_key[1] = 0x26; 90 state->session_key[2] = 0x9e; 91 } 92 lwip_arc4_init(&state->arc4); 93 lwip_arc4_setup(&state->arc4, state->session_key, state->keylen); 94 } 95 96 /* 97 * Set key, used by MSCHAP before mppe_init() is actually called by CCP so we 98 * don't have to keep multiple copies of keys. 99 */ 100 void mppe_set_key(ppp_pcb *pcb, ppp_mppe_state *state, u8_t *key) { 101 LWIP_UNUSED_ARG(pcb); 102 MEMCPY(state->master_key, key, MPPE_MAX_KEY_LEN); 103 } 104 105 /* 106 * Initialize (de)compressor state. 107 */ 108 void 109 mppe_init(ppp_pcb *pcb, ppp_mppe_state *state, u8_t options) 110 { 111 #if PPP_DEBUG 112 const u8_t *debugstr = (const u8_t*)"mppe_comp_init"; 113 if (&pcb->mppe_decomp == state) { 114 debugstr = (const u8_t*)"mppe_decomp_init"; 115 } 116 #endif /* PPP_DEBUG */ 117 118 /* Save keys. */ 119 MEMCPY(state->session_key, state->master_key, sizeof(state->master_key)); 120 121 if (options & MPPE_OPT_128) 122 state->keylen = 16; 123 else if (options & MPPE_OPT_40) 124 state->keylen = 8; 125 else { 126 PPPDEBUG(LOG_DEBUG, ("%s[%d]: unknown key length\n", debugstr, 127 pcb->netif->num)); 128 lcp_close(pcb, "MPPE required but peer negotiation failed"); 129 return; 130 } 131 if (options & MPPE_OPT_STATEFUL) 132 state->stateful = 1; 133 134 /* Generate the initial session key. */ 135 mppe_rekey(state, 1); 136 137 #if PPP_DEBUG 138 { 139 int i; 140 char mkey[sizeof(state->master_key) * 2 + 1]; 141 char skey[sizeof(state->session_key) * 2 + 1]; 142 143 PPPDEBUG(LOG_DEBUG, ("%s[%d]: initialized with %d-bit %s mode\n", 144 debugstr, pcb->netif->num, (state->keylen == 16) ? 128 : 40, 145 (state->stateful) ? "stateful" : "stateless")); 146 147 for (i = 0; i < (int)sizeof(state->master_key); i++) 148 sprintf(mkey + i * 2, "%02x", state->master_key[i]); 149 for (i = 0; i < (int)sizeof(state->session_key); i++) 150 sprintf(skey + i * 2, "%02x", state->session_key[i]); 151 PPPDEBUG(LOG_DEBUG, 152 ("%s[%d]: keys: master: %s initial session: %s\n", 153 debugstr, pcb->netif->num, mkey, skey)); 154 } 155 #endif /* PPP_DEBUG */ 156 157 /* 158 * Initialize the coherency count. The initial value is not specified 159 * in RFC 3078, but we can make a reasonable assumption that it will 160 * start at 0. Setting it to the max here makes the comp/decomp code 161 * do the right thing (determined through experiment). 162 */ 163 state->ccount = MPPE_CCOUNT_SPACE - 1; 164 165 /* 166 * Note that even though we have initialized the key table, we don't 167 * set the FLUSHED bit. This is contrary to RFC 3078, sec. 3.1. 168 */ 169 state->bits = MPPE_BIT_ENCRYPTED; 170 } 171 172 /* 173 * We received a CCP Reset-Request (actually, we are sending a Reset-Ack), 174 * tell the compressor to rekey. Note that we MUST NOT rekey for 175 * every CCP Reset-Request; we only rekey on the next xmit packet. 176 * We might get multiple CCP Reset-Requests if our CCP Reset-Ack is lost. 177 * So, rekeying for every CCP Reset-Request is broken as the peer will not 178 * know how many times we've rekeyed. (If we rekey and THEN get another 179 * CCP Reset-Request, we must rekey again.) 180 */ 181 void mppe_comp_reset(ppp_pcb *pcb, ppp_mppe_state *state) 182 { 183 LWIP_UNUSED_ARG(pcb); 184 state->bits |= MPPE_BIT_FLUSHED; 185 } 186 187 /* 188 * Compress (encrypt) a packet. 189 * It's strange to call this a compressor, since the output is always 190 * MPPE_OVHD + 2 bytes larger than the input. 191 */ 192 err_t 193 mppe_compress(ppp_pcb *pcb, ppp_mppe_state *state, struct pbuf **pb, u16_t protocol) 194 { 195 struct pbuf *n, *np; 196 u8_t *pl; 197 err_t err; 198 199 LWIP_UNUSED_ARG(pcb); 200 201 /* TCP stack requires that we don't change the packet payload, therefore we copy 202 * the whole packet before encryption. 203 */ 204 np = pbuf_alloc(PBUF_RAW, MPPE_OVHD + sizeof(protocol) + (*pb)->tot_len, PBUF_POOL); 205 if (!np) { 206 return ERR_MEM; 207 } 208 209 /* Hide MPPE header + protocol */ 210 pbuf_header(np, -(s16_t)(MPPE_OVHD + sizeof(protocol))); 211 212 if ((err = pbuf_copy(np, *pb)) != ERR_OK) { 213 pbuf_free(np); 214 return err; 215 } 216 217 /* Reveal MPPE header + protocol */ 218 pbuf_header(np, (s16_t)(MPPE_OVHD + sizeof(protocol))); 219 220 *pb = np; 221 pl = (u8_t*)np->payload; 222 223 state->ccount = (state->ccount + 1) % MPPE_CCOUNT_SPACE; 224 PPPDEBUG(LOG_DEBUG, ("mppe_compress[%d]: ccount %d\n", pcb->netif->num, state->ccount)); 225 /* FIXME: use PUT* macros */ 226 pl[0] = state->ccount>>8; 227 pl[1] = state->ccount; 228 229 if (!state->stateful || /* stateless mode */ 230 ((state->ccount & 0xff) == 0xff) || /* "flag" packet */ 231 (state->bits & MPPE_BIT_FLUSHED)) { /* CCP Reset-Request */ 232 /* We must rekey */ 233 if (state->stateful) { 234 PPPDEBUG(LOG_DEBUG, ("mppe_compress[%d]: rekeying\n", pcb->netif->num)); 235 } 236 mppe_rekey(state, 0); 237 state->bits |= MPPE_BIT_FLUSHED; 238 } 239 pl[0] |= state->bits; 240 state->bits &= ~MPPE_BIT_FLUSHED; /* reset for next xmit */ 241 pl += MPPE_OVHD; 242 243 /* Add protocol */ 244 /* FIXME: add PFC support */ 245 pl[0] = protocol >> 8; 246 pl[1] = protocol; 247 248 /* Hide MPPE header */ 249 pbuf_header(np, -(s16_t)MPPE_OVHD); 250 251 /* Encrypt packet */ 252 for (n = np; n != NULL; n = n->next) { 253 lwip_arc4_crypt(&state->arc4, (u8_t*)n->payload, n->len); 254 if (n->tot_len == n->len) { 255 break; 256 } 257 } 258 259 /* Reveal MPPE header */ 260 pbuf_header(np, (s16_t)MPPE_OVHD); 261 262 return ERR_OK; 263 } 264 265 /* 266 * We received a CCP Reset-Ack. Just ignore it. 267 */ 268 void mppe_decomp_reset(ppp_pcb *pcb, ppp_mppe_state *state) 269 { 270 LWIP_UNUSED_ARG(pcb); 271 LWIP_UNUSED_ARG(state); 272 return; 273 } 274 275 /* 276 * Decompress (decrypt) an MPPE packet. 277 */ 278 err_t 279 mppe_decompress(ppp_pcb *pcb, ppp_mppe_state *state, struct pbuf **pb) 280 { 281 struct pbuf *n0 = *pb, *n; 282 u8_t *pl; 283 u16_t ccount; 284 u8_t flushed; 285 286 /* MPPE Header */ 287 if (n0->len < MPPE_OVHD) { 288 PPPDEBUG(LOG_DEBUG, 289 ("mppe_decompress[%d]: short pkt (%d)\n", 290 pcb->netif->num, n0->len)); 291 state->sanity_errors += 100; 292 goto sanity_error; 293 } 294 295 pl = (u8_t*)n0->payload; 296 flushed = MPPE_BITS(pl) & MPPE_BIT_FLUSHED; 297 ccount = MPPE_CCOUNT(pl); 298 PPPDEBUG(LOG_DEBUG, ("mppe_decompress[%d]: ccount %d\n", 299 pcb->netif->num, ccount)); 300 301 /* sanity checks -- terminate with extreme prejudice */ 302 if (!(MPPE_BITS(pl) & MPPE_BIT_ENCRYPTED)) { 303 PPPDEBUG(LOG_DEBUG, 304 ("mppe_decompress[%d]: ENCRYPTED bit not set!\n", 305 pcb->netif->num)); 306 state->sanity_errors += 100; 307 goto sanity_error; 308 } 309 if (!state->stateful && !flushed) { 310 PPPDEBUG(LOG_DEBUG, ("mppe_decompress[%d]: FLUSHED bit not set in " 311 "stateless mode!\n", pcb->netif->num)); 312 state->sanity_errors += 100; 313 goto sanity_error; 314 } 315 if (state->stateful && ((ccount & 0xff) == 0xff) && !flushed) { 316 PPPDEBUG(LOG_DEBUG, ("mppe_decompress[%d]: FLUSHED bit not set on " 317 "flag packet!\n", pcb->netif->num)); 318 state->sanity_errors += 100; 319 goto sanity_error; 320 } 321 322 /* 323 * Check the coherency count. 324 */ 325 326 if (!state->stateful) { 327 /* Discard late packet */ 328 if ((ccount - state->ccount) % MPPE_CCOUNT_SPACE > MPPE_CCOUNT_SPACE / 2) { 329 state->sanity_errors++; 330 goto sanity_error; 331 } 332 333 /* RFC 3078, sec 8.1. Rekey for every packet. */ 334 while (state->ccount != ccount) { 335 mppe_rekey(state, 0); 336 state->ccount = (state->ccount + 1) % MPPE_CCOUNT_SPACE; 337 } 338 } else { 339 /* RFC 3078, sec 8.2. */ 340 if (!state->discard) { 341 /* normal state */ 342 state->ccount = (state->ccount + 1) % MPPE_CCOUNT_SPACE; 343 if (ccount != state->ccount) { 344 /* 345 * (ccount > state->ccount) 346 * Packet loss detected, enter the discard state. 347 * Signal the peer to rekey (by sending a CCP Reset-Request). 348 */ 349 state->discard = 1; 350 ccp_resetrequest(pcb); 351 return ERR_BUF; 352 } 353 } else { 354 /* discard state */ 355 if (!flushed) { 356 /* ccp.c will be silent (no additional CCP Reset-Requests). */ 357 return ERR_BUF; 358 } else { 359 /* Rekey for every missed "flag" packet. */ 360 while ((ccount & ~0xff) != 361 (state->ccount & ~0xff)) { 362 mppe_rekey(state, 0); 363 state->ccount = 364 (state->ccount + 365 256) % MPPE_CCOUNT_SPACE; 366 } 367 368 /* reset */ 369 state->discard = 0; 370 state->ccount = ccount; 371 /* 372 * Another problem with RFC 3078 here. It implies that the 373 * peer need not send a Reset-Ack packet. But RFC 1962 374 * requires it. Hopefully, M$ does send a Reset-Ack; even 375 * though it isn't required for MPPE synchronization, it is 376 * required to reset CCP state. 377 */ 378 } 379 } 380 if (flushed) 381 mppe_rekey(state, 0); 382 } 383 384 /* Hide MPPE header */ 385 pbuf_header(n0, -(s16_t)(MPPE_OVHD)); 386 387 /* Decrypt the packet. */ 388 for (n = n0; n != NULL; n = n->next) { 389 lwip_arc4_crypt(&state->arc4, (u8_t*)n->payload, n->len); 390 if (n->tot_len == n->len) { 391 break; 392 } 393 } 394 395 /* good packet credit */ 396 state->sanity_errors >>= 1; 397 398 return ERR_OK; 399 400 sanity_error: 401 if (state->sanity_errors >= SANITY_MAX) { 402 /* 403 * Take LCP down if the peer is sending too many bogons. 404 * We don't want to do this for a single or just a few 405 * instances since it could just be due to packet corruption. 406 */ 407 lcp_close(pcb, "Too many MPPE errors"); 408 } 409 return ERR_BUF; 410 } 411 412 #endif /* PPP_SUPPORT && MPPE_SUPPORT */ 413