The Pedigree Project  0.1
mppe.c
1 /*
2  * Copyright (c) 2008-2014, Pedigree Developers
3  *
4  * Please see the CONTRIB file in the root of the source tree for a full
5  * list of contributors.
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  */
19 
20 #include "netif/ppp/ppp_opts.h"
21 #if PPP_SUPPORT && MPPE_SUPPORT /* don't build if not configured for use in lwipopts.h */
22 
23 #include <string.h>
24 
25 #include "lwip/err.h"
26 
27 #include "netif/ppp/ppp_impl.h"
28 #include "netif/ppp/ccp.h"
29 #include "netif/ppp/mppe.h"
30 #include "netif/ppp/pppdebug.h"
31 #include "netif/ppp/pppcrypt.h"
32 
33 #define SHA1_SIGNATURE_SIZE 20
34 
35 /* ppp_mppe_state.bits definitions */
36 #define MPPE_BIT_A 0x80 /* Encryption table were (re)inititalized */
37 #define MPPE_BIT_B 0x40 /* MPPC only (not implemented) */
38 #define MPPE_BIT_C 0x20 /* MPPC only (not implemented) */
39 #define MPPE_BIT_D 0x10 /* This is an encrypted frame */
40 
41 #define MPPE_BIT_FLUSHED MPPE_BIT_A
42 #define MPPE_BIT_ENCRYPTED MPPE_BIT_D
43 
44 #define MPPE_BITS(p) ((p)[0] & 0xf0)
45 #define MPPE_CCOUNT(p) ((((p)[0] & 0x0f) << 8) + (p)[1])
46 #define MPPE_CCOUNT_SPACE 0x1000 /* The size of the ccount space */
47 
48 #define MPPE_OVHD 2 /* MPPE overhead/packet */
49 #define SANITY_MAX 1600 /* Max bogon factor we will tolerate */
50 
51 /*
52  * Perform the MPPE rekey algorithm, from RFC 3078, sec. 7.3.
53  * Well, not what's written there, but rather what they meant.
54  */
55 static void mppe_rekey(ppp_mppe_state * state, int initial_key)
56 {
57  lwip_sha1_context sha1_ctx;
58  u8_t sha1_digest[SHA1_SIGNATURE_SIZE];
59 
60  /*
61  * Key Derivation, from RFC 3078, RFC 3079.
62  * Equivalent to Get_Key() for MS-CHAP as described in RFC 3079.
63  */
64  lwip_sha1_init(&sha1_ctx);
65  lwip_sha1_starts(&sha1_ctx);
66  lwip_sha1_update(&sha1_ctx, state->master_key, state->keylen);
67  lwip_sha1_update(&sha1_ctx, mppe_sha1_pad1, SHA1_PAD_SIZE);
68  lwip_sha1_update(&sha1_ctx, state->session_key, state->keylen);
69  lwip_sha1_update(&sha1_ctx, mppe_sha1_pad2, SHA1_PAD_SIZE);
70  lwip_sha1_finish(&sha1_ctx, sha1_digest);
71  lwip_sha1_free(&sha1_ctx);
72  MEMCPY(state->session_key, sha1_digest, state->keylen);
73 
74  if (!initial_key) {
75  lwip_arc4_init(&state->arc4);
76  lwip_arc4_setup(&state->arc4, sha1_digest, state->keylen);
77  lwip_arc4_crypt(&state->arc4, state->session_key, state->keylen);
78  lwip_arc4_free(&state->arc4);
79  }
80  if (state->keylen == 8) {
81  /* See RFC 3078 */
82  state->session_key[0] = 0xd1;
83  state->session_key[1] = 0x26;
84  state->session_key[2] = 0x9e;
85  }
86  lwip_arc4_init(&state->arc4);
87  lwip_arc4_setup(&state->arc4, state->session_key, state->keylen);
88 }
89 
90 /*
91  * Set key, used by MSCHAP before mppe_init() is actually called by CCP so we
92  * don't have to keep multiple copies of keys.
93  */
94 void mppe_set_key(ppp_pcb *pcb, ppp_mppe_state *state, u8_t *key) {
95  LWIP_UNUSED_ARG(pcb);
96  MEMCPY(state->master_key, key, MPPE_MAX_KEY_LEN);
97 }
98 
99 /*
100  * Initialize (de)compressor state.
101  */
102 void
103 mppe_init(ppp_pcb *pcb, ppp_mppe_state *state, u8_t options)
104 {
105 #if PPP_DEBUG
106  const u8_t *debugstr = (const u8_t*)"mppe_comp_init";
107  if (&pcb->mppe_decomp == state) {
108  debugstr = (const u8_t*)"mppe_decomp_init";
109  }
110 #endif /* PPP_DEBUG */
111 
112  /* Save keys. */
113  MEMCPY(state->session_key, state->master_key, sizeof(state->master_key));
114 
115  if (options & MPPE_OPT_128)
116  state->keylen = 16;
117  else if (options & MPPE_OPT_40)
118  state->keylen = 8;
119  else {
120  PPPDEBUG(LOG_DEBUG, ("%s[%d]: unknown key length\n", debugstr,
121  pcb->netif->num));
122  lcp_close(pcb, "MPPE required but peer negotiation failed");
123  return;
124  }
125  if (options & MPPE_OPT_STATEFUL)
126  state->stateful = 1;
127 
128  /* Generate the initial session key. */
129  mppe_rekey(state, 1);
130 
131 #if PPP_DEBUG
132  {
133  int i;
134  char mkey[sizeof(state->master_key) * 2 + 1];
135  char skey[sizeof(state->session_key) * 2 + 1];
136 
137  PPPDEBUG(LOG_DEBUG, ("%s[%d]: initialized with %d-bit %s mode\n",
138  debugstr, pcb->netif->num, (state->keylen == 16) ? 128 : 40,
139  (state->stateful) ? "stateful" : "stateless"));
140 
141  for (i = 0; i < (int)sizeof(state->master_key); i++)
142  sprintf(mkey + i * 2, "%02x", state->master_key[i]);
143  for (i = 0; i < (int)sizeof(state->session_key); i++)
144  sprintf(skey + i * 2, "%02x", state->session_key[i]);
145  PPPDEBUG(LOG_DEBUG,
146  ("%s[%d]: keys: master: %s initial session: %s\n",
147  debugstr, pcb->netif->num, mkey, skey));
148  }
149 #endif /* PPP_DEBUG */
150 
151  /*
152  * Initialize the coherency count. The initial value is not specified
153  * in RFC 3078, but we can make a reasonable assumption that it will
154  * start at 0. Setting it to the max here makes the comp/decomp code
155  * do the right thing (determined through experiment).
156  */
157  state->ccount = MPPE_CCOUNT_SPACE - 1;
158 
159  /*
160  * Note that even though we have initialized the key table, we don't
161  * set the FLUSHED bit. This is contrary to RFC 3078, sec. 3.1.
162  */
163  state->bits = MPPE_BIT_ENCRYPTED;
164 }
165 
166 /*
167  * We received a CCP Reset-Request (actually, we are sending a Reset-Ack),
168  * tell the compressor to rekey. Note that we MUST NOT rekey for
169  * every CCP Reset-Request; we only rekey on the next xmit packet.
170  * We might get multiple CCP Reset-Requests if our CCP Reset-Ack is lost.
171  * So, rekeying for every CCP Reset-Request is broken as the peer will not
172  * know how many times we've rekeyed. (If we rekey and THEN get another
173  * CCP Reset-Request, we must rekey again.)
174  */
175 void mppe_comp_reset(ppp_pcb *pcb, ppp_mppe_state *state)
176 {
177  LWIP_UNUSED_ARG(pcb);
178  state->bits |= MPPE_BIT_FLUSHED;
179 }
180 
181 /*
182  * Compress (encrypt) a packet.
183  * It's strange to call this a compressor, since the output is always
184  * MPPE_OVHD + 2 bytes larger than the input.
185  */
186 err_t
187 mppe_compress(ppp_pcb *pcb, ppp_mppe_state *state, struct pbuf **pb, u16_t protocol)
188 {
189  struct pbuf *n, *np;
190  u8_t *pl;
191  err_t err;
192 
193  LWIP_UNUSED_ARG(pcb);
194 
195  /* TCP stack requires that we don't change the packet payload, therefore we copy
196  * the whole packet before encryption.
197  */
198  np = pbuf_alloc(PBUF_RAW, MPPE_OVHD + sizeof(protocol) + (*pb)->tot_len, PBUF_POOL);
199  if (!np) {
200  return ERR_MEM;
201  }
202 
203  /* Hide MPPE header + protocol */
204  pbuf_header(np, -(s16_t)(MPPE_OVHD + sizeof(protocol)));
205 
206  if ((err = pbuf_copy(np, *pb)) != ERR_OK) {
207  pbuf_free(np);
208  return err;
209  }
210 
211  /* Reveal MPPE header + protocol */
212  pbuf_header(np, (s16_t)(MPPE_OVHD + sizeof(protocol)));
213 
214  *pb = np;
215  pl = (u8_t*)np->payload;
216 
217  state->ccount = (state->ccount + 1) % MPPE_CCOUNT_SPACE;
218  PPPDEBUG(LOG_DEBUG, ("mppe_compress[%d]: ccount %d\n", pcb->netif->num, state->ccount));
219  /* FIXME: use PUT* macros */
220  pl[0] = state->ccount>>8;
221  pl[1] = state->ccount;
222 
223  if (!state->stateful || /* stateless mode */
224  ((state->ccount & 0xff) == 0xff) || /* "flag" packet */
225  (state->bits & MPPE_BIT_FLUSHED)) { /* CCP Reset-Request */
226  /* We must rekey */
227  if (state->stateful) {
228  PPPDEBUG(LOG_DEBUG, ("mppe_compress[%d]: rekeying\n", pcb->netif->num));
229  }
230  mppe_rekey(state, 0);
231  state->bits |= MPPE_BIT_FLUSHED;
232  }
233  pl[0] |= state->bits;
234  state->bits &= ~MPPE_BIT_FLUSHED; /* reset for next xmit */
235  pl += MPPE_OVHD;
236 
237  /* Add protocol */
238  /* FIXME: add PFC support */
239  pl[0] = protocol >> 8;
240  pl[1] = protocol;
241 
242  /* Hide MPPE header */
243  pbuf_header(np, -(s16_t)MPPE_OVHD);
244 
245  /* Encrypt packet */
246  for (n = np; n != NULL; n = n->next) {
247  lwip_arc4_crypt(&state->arc4, (u8_t*)n->payload, n->len);
248  if (n->tot_len == n->len) {
249  break;
250  }
251  }
252 
253  /* Reveal MPPE header */
254  pbuf_header(np, (s16_t)MPPE_OVHD);
255 
256  return ERR_OK;
257 }
258 
259 /*
260  * We received a CCP Reset-Ack. Just ignore it.
261  */
262 void mppe_decomp_reset(ppp_pcb *pcb, ppp_mppe_state *state)
263 {
264  LWIP_UNUSED_ARG(pcb);
265  LWIP_UNUSED_ARG(state);
266  return;
267 }
268 
269 /*
270  * Decompress (decrypt) an MPPE packet.
271  */
272 err_t
273 mppe_decompress(ppp_pcb *pcb, ppp_mppe_state *state, struct pbuf **pb)
274 {
275  struct pbuf *n0 = *pb, *n;
276  u8_t *pl;
277  u16_t ccount;
278  u8_t flushed;
279 
280  /* MPPE Header */
281  if (n0->len < MPPE_OVHD) {
282  PPPDEBUG(LOG_DEBUG,
283  ("mppe_decompress[%d]: short pkt (%d)\n",
284  pcb->netif->num, n0->len));
285  state->sanity_errors += 100;
286  goto sanity_error;
287  }
288 
289  pl = (u8_t*)n0->payload;
290  flushed = MPPE_BITS(pl) & MPPE_BIT_FLUSHED;
291  ccount = MPPE_CCOUNT(pl);
292  PPPDEBUG(LOG_DEBUG, ("mppe_decompress[%d]: ccount %d\n",
293  pcb->netif->num, ccount));
294 
295  /* sanity checks -- terminate with extreme prejudice */
296  if (!(MPPE_BITS(pl) & MPPE_BIT_ENCRYPTED)) {
297  PPPDEBUG(LOG_DEBUG,
298  ("mppe_decompress[%d]: ENCRYPTED bit not set!\n",
299  pcb->netif->num));
300  state->sanity_errors += 100;
301  goto sanity_error;
302  }
303  if (!state->stateful && !flushed) {
304  PPPDEBUG(LOG_DEBUG, ("mppe_decompress[%d]: FLUSHED bit not set in "
305  "stateless mode!\n", pcb->netif->num));
306  state->sanity_errors += 100;
307  goto sanity_error;
308  }
309  if (state->stateful && ((ccount & 0xff) == 0xff) && !flushed) {
310  PPPDEBUG(LOG_DEBUG, ("mppe_decompress[%d]: FLUSHED bit not set on "
311  "flag packet!\n", pcb->netif->num));
312  state->sanity_errors += 100;
313  goto sanity_error;
314  }
315 
316  /*
317  * Check the coherency count.
318  */
319 
320  if (!state->stateful) {
321  /* Discard late packet */
322  if ((ccount - state->ccount) % MPPE_CCOUNT_SPACE > MPPE_CCOUNT_SPACE / 2) {
323  state->sanity_errors++;
324  goto sanity_error;
325  }
326 
327  /* RFC 3078, sec 8.1. Rekey for every packet. */
328  while (state->ccount != ccount) {
329  mppe_rekey(state, 0);
330  state->ccount = (state->ccount + 1) % MPPE_CCOUNT_SPACE;
331  }
332  } else {
333  /* RFC 3078, sec 8.2. */
334  if (!state->discard) {
335  /* normal state */
336  state->ccount = (state->ccount + 1) % MPPE_CCOUNT_SPACE;
337  if (ccount != state->ccount) {
338  /*
339  * (ccount > state->ccount)
340  * Packet loss detected, enter the discard state.
341  * Signal the peer to rekey (by sending a CCP Reset-Request).
342  */
343  state->discard = 1;
344  ccp_resetrequest(pcb);
345  return ERR_BUF;
346  }
347  } else {
348  /* discard state */
349  if (!flushed) {
350  /* ccp.c will be silent (no additional CCP Reset-Requests). */
351  return ERR_BUF;
352  } else {
353  /* Rekey for every missed "flag" packet. */
354  while ((ccount & ~0xff) !=
355  (state->ccount & ~0xff)) {
356  mppe_rekey(state, 0);
357  state->ccount =
358  (state->ccount +
359  256) % MPPE_CCOUNT_SPACE;
360  }
361 
362  /* reset */
363  state->discard = 0;
364  state->ccount = ccount;
365  /*
366  * Another problem with RFC 3078 here. It implies that the
367  * peer need not send a Reset-Ack packet. But RFC 1962
368  * requires it. Hopefully, M$ does send a Reset-Ack; even
369  * though it isn't required for MPPE synchronization, it is
370  * required to reset CCP state.
371  */
372  }
373  }
374  if (flushed)
375  mppe_rekey(state, 0);
376  }
377 
378  /* Hide MPPE header */
379  pbuf_header(n0, -(s16_t)(MPPE_OVHD));
380 
381  /* Decrypt the packet. */
382  for (n = n0; n != NULL; n = n->next) {
383  lwip_arc4_crypt(&state->arc4, (u8_t*)n->payload, n->len);
384  if (n->tot_len == n->len) {
385  break;
386  }
387  }
388 
389  /* good packet credit */
390  state->sanity_errors >>= 1;
391 
392  return ERR_OK;
393 
394 sanity_error:
395  if (state->sanity_errors >= SANITY_MAX) {
396  /*
397  * Take LCP down if the peer is sending too many bogons.
398  * We don't want to do this for a single or just a few
399  * instances since it could just be due to packet corruption.
400  */
401  lcp_close(pcb, "Too many MPPE errors");
402  }
403  return ERR_BUF;
404 }
405 
406 #endif /* PPP_SUPPORT && MPPE_SUPPORT */
pbuf::tot_len
u16_t tot_len
Definition: pbuf.h:175
PBUF_RAW
Definition: pbuf.h:113
pbuf::next
struct pbuf * next
Definition: pbuf.h:163
pbuf::len
u16_t len
Definition: pbuf.h:178
ERR_BUF
Definition: err.h:86
pbuf_header
u8_t pbuf_header(struct pbuf *p, s16_t header_size_increment)
Definition: pbuf.c:684
pbuf_copy
err_t pbuf_copy(struct pbuf *p_to, const struct pbuf *p_from)
Definition: pbuf.c:967
ERR_MEM
Definition: err.h:84
pbuf
Definition: pbuf.h:161
PBUF_POOL
Definition: pbuf.h:142
err_t
s8_t err_t
Definition: err.h:76
pbuf_alloc
struct pbuf * pbuf_alloc(pbuf_layer layer, u16_t length, pbuf_type type)
Definition: pbuf.c:267
LWIP_UNUSED_ARG
#define LWIP_UNUSED_ARG(x)
Definition: arch.h:327
pbuf_free
u8_t pbuf_free(struct pbuf *p)
Definition: pbuf.c:734
ERR_OK
Definition: err.h:82
pbuf::payload
void * payload
Definition: pbuf.h:166
Generated on Fri Jan 24 2020 06:46:14 for The Pedigree Project by   doxygen 1.8.11