xref: /freebsd/usr.sbin/ppp/mppe.c (revision 640235e2c2ba32947f7c59d168437ffa1280f1e6)
1 /*-
2  * Copyright (c) 2000 Semen Ustimenko <semenu@FreeBSD.org>
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24  * SUCH DAMAGE.
25  *
26  * $FreeBSD$
27  */
28 
29 #include <sys/param.h>
30 
31 #include <sys/socket.h>
32 #include <netinet/in_systm.h>
33 #include <netinet/in.h>
34 #include <netinet/ip.h>
35 #include <sys/un.h>
36 
37 #include <stdio.h>
38 #include <stdlib.h>
39 #include <string.h>
40 #include <termios.h>
41 #include <openssl/rc4.h>
42 
43 #include "defs.h"
44 #include "mbuf.h"
45 #include "log.h"
46 #include "timer.h"
47 #include "fsm.h"
48 #include "lqr.h"
49 #include "hdlc.h"
50 #include "lcp.h"
51 #include "ccp.h"
52 #include "throughput.h"
53 #include "layer.h"
54 #include "link.h"
55 #include "chap_ms.h"
56 #include "proto.h"
57 #include "mppe.h"
58 #include "ua.h"
59 #include "descriptor.h"
60 #ifndef NORADIUS
61 #include "radius.h"
62 #endif
63 #include "ncpaddr.h"
64 #include "iplist.h"
65 #include "slcompress.h"
66 #include "ipcp.h"
67 #include "ipv6cp.h"
68 #include "filter.h"
69 #include "mp.h"
70 #include "ncp.h"
71 #include "bundle.h"
72 
73 /*
74  * Documentation:
75  *
76  * draft-ietf-pppext-mppe-04.txt
77  * draft-ietf-pppext-mppe-keys-02.txt
78  */
79 
80 #define	MPPE_OPT_STATELESS	0x1000000
81 #define	MPPE_OPT_COMPRESSED	0x01
82 #define	MPPE_OPT_40BIT		0x20
83 #define	MPPE_OPT_56BIT		0x80
84 #define	MPPE_OPT_128BIT		0x40
85 #define	MPPE_OPT_BITMASK	0xe0
86 #define	MPPE_OPT_MASK		(MPPE_OPT_STATELESS | MPPE_OPT_BITMASK)
87 
88 #define	MPPE_FLUSHED			0x8000
89 #define	MPPE_ENCRYPTED			0x1000
90 #define	MPPE_HEADER_BITMASK		0xf000
91 #define	MPPE_HEADER_FLAG		0x00ff
92 #define	MPPE_HEADER_FLAGMASK		0x00ff
93 #define	MPPE_HEADER_FLAGSHIFT		8
94 #define	MPPE_HEADER_STATEFUL_KEYCHANGES	16
95 
96 struct mppe_state {
97   unsigned	stateless : 1;
98   unsigned	flushnext : 1;
99   unsigned	flushrequired : 1;
100   int		cohnum;
101   unsigned	keylen;			/* 8 or 16 bytes */
102   int 		keybits;		/* 40, 56 or 128 bits */
103   char		sesskey[MPPE_KEY_LEN];
104   char		mastkey[MPPE_KEY_LEN];
105   RC4_KEY	rc4key;
106 };
107 
108 int MPPE_MasterKeyValid = 0;
109 int MPPE_IsServer = 0;
110 char MPPE_MasterKey[MPPE_KEY_LEN];
111 
112 /*
113  * The peer has missed a packet.  Mark the next output frame to be FLUSHED
114  */
115 static int
116 MPPEResetOutput(void *v)
117 {
118   struct mppe_state *mop = (struct mppe_state *)v;
119 
120   if (mop->stateless)
121     log_Printf(LogCCP, "MPPE: Unexpected output channel reset\n");
122   else {
123     log_Printf(LogCCP, "MPPE: Output channel reset\n");
124     mop->flushnext = 1;
125   }
126 
127   return 0;		/* Ask FSM not to ACK */
128 }
129 
130 static void
131 MPPEReduceSessionKey(struct mppe_state *mp)
132 {
133   switch(mp->keybits) {
134   case 40:
135     mp->sesskey[2] = 0x9e;
136     mp->sesskey[1] = 0x26;
137   case 56:
138     mp->sesskey[0] = 0xd1;
139   case 128:
140     break;
141   }
142 }
143 
144 static void
145 MPPEKeyChange(struct mppe_state *mp)
146 {
147   char InterimKey[MPPE_KEY_LEN];
148   RC4_KEY RC4Key;
149 
150   GetNewKeyFromSHA(mp->mastkey, mp->sesskey, mp->keylen, InterimKey);
151   RC4_set_key(&RC4Key, mp->keylen, InterimKey);
152   RC4(&RC4Key, mp->keylen, InterimKey, mp->sesskey);
153 
154   MPPEReduceSessionKey(mp);
155 }
156 
157 static struct mbuf *
158 MPPEOutput(void *v, struct ccp *ccp, struct link *l __unused, int pri __unused,
159 	   u_short *proto, struct mbuf *mp)
160 {
161   struct mppe_state *mop = (struct mppe_state *)v;
162   struct mbuf *mo;
163   u_short nproto, prefix;
164   int dictinit, ilen, len;
165   char *rp;
166 
167   ilen = m_length(mp);
168   dictinit = 0;
169 
170   log_Printf(LogDEBUG, "MPPE: Output: Proto %02x (%d bytes)\n", *proto, ilen);
171   if (*proto < 0x21 || *proto > 0xFA) {
172     log_Printf(LogDEBUG, "MPPE: Output: Not encrypting\n");
173     ccp->compout += ilen;
174     ccp->uncompout += ilen;
175     return mp;
176   }
177 
178   log_DumpBp(LogDEBUG, "MPPE: Output: Encrypt packet:", mp);
179 
180   /* Get mbuf for prefixes */
181   mo = m_get(4, MB_CCPOUT);
182   mo->m_next = mp;
183 
184   rp = MBUF_CTOP(mo);
185   prefix = MPPE_ENCRYPTED | mop->cohnum;
186 
187   if (mop->stateless ||
188       (mop->cohnum & MPPE_HEADER_FLAGMASK) == MPPE_HEADER_FLAG) {
189     /* Change our key */
190     log_Printf(LogDEBUG, "MPPEOutput: Key changed [%d]\n", mop->cohnum);
191     MPPEKeyChange(mop);
192     dictinit = 1;
193   }
194 
195   if (mop->stateless || mop->flushnext) {
196     prefix |= MPPE_FLUSHED;
197     dictinit = 1;
198     mop->flushnext = 0;
199   }
200 
201   if (dictinit) {
202     /* Initialise our dictionary */
203     log_Printf(LogDEBUG, "MPPEOutput: Dictionary initialised [%d]\n",
204                mop->cohnum);
205     RC4_set_key(&mop->rc4key, mop->keylen, mop->sesskey);
206   }
207 
208   /* Set MPPE packet prefix */
209   ua_htons(&prefix, rp);
210 
211   /* Save encrypted protocol number */
212   nproto = htons(*proto);
213   RC4(&mop->rc4key, 2, (char *)&nproto, rp + 2);
214 
215   /* Encrypt main packet */
216   rp = MBUF_CTOP(mp);
217   RC4(&mop->rc4key, ilen, rp, rp);
218 
219   mop->cohnum++;
220   mop->cohnum &= ~MPPE_HEADER_BITMASK;
221 
222   /* Set the protocol number */
223   *proto = ccp_Proto(ccp);
224   len = m_length(mo);
225   ccp->uncompout += ilen;
226   ccp->compout += len;
227 
228   log_Printf(LogDEBUG, "MPPE: Output: Encrypted: Proto %02x (%d bytes)\n",
229              *proto, len);
230 
231   return mo;
232 }
233 
234 static void
235 MPPEResetInput(void *v __unused)
236 {
237   log_Printf(LogCCP, "MPPE: Unexpected input channel ack\n");
238 }
239 
240 static struct mbuf *
241 MPPEInput(void *v, struct ccp *ccp, u_short *proto, struct mbuf *mp)
242 {
243   struct mppe_state *mip = (struct mppe_state *)v;
244   u_short prefix;
245   char *rp;
246   int dictinit, flushed, ilen, len, n;
247 
248   ilen = m_length(mp);
249   dictinit = 0;
250   ccp->compin += ilen;
251 
252   log_Printf(LogDEBUG, "MPPE: Input: Proto %02x (%d bytes)\n", *proto, ilen);
253   log_DumpBp(LogDEBUG, "MPPE: Input: Packet:", mp);
254 
255   mp = mbuf_Read(mp, &prefix, 2);
256   prefix = ntohs(prefix);
257   flushed = prefix & MPPE_FLUSHED;
258   prefix &= ~flushed;
259   if ((prefix & MPPE_HEADER_BITMASK) != MPPE_ENCRYPTED) {
260     log_Printf(LogERROR, "MPPE: Input: Invalid packet (flags = 0x%x)\n",
261                (prefix & MPPE_HEADER_BITMASK) | flushed);
262     m_freem(mp);
263     return NULL;
264   }
265 
266   prefix &= ~MPPE_HEADER_BITMASK;
267 
268   if (!flushed && mip->stateless) {
269     log_Printf(LogCCP, "MPPEInput: Packet without MPPE_FLUSHED set"
270                " in stateless mode\n");
271     flushed = MPPE_FLUSHED;
272     /* Should we really continue ? */
273   }
274 
275   if (mip->stateless) {
276     /* Change our key for each missed packet in stateless mode */
277     while (prefix != mip->cohnum) {
278       log_Printf(LogDEBUG, "MPPEInput: Key changed [%u]\n", prefix);
279       MPPEKeyChange(mip);
280       /*
281        * mip->cohnum contains what we received last time in stateless
282        * mode.
283        */
284       mip->cohnum++;
285       mip->cohnum &= ~MPPE_HEADER_BITMASK;
286     }
287     dictinit = 1;
288   } else {
289     if (flushed) {
290       /*
291        * We can always process a flushed packet.
292        * Catch up on any outstanding key changes.
293        */
294       n = (prefix >> MPPE_HEADER_FLAGSHIFT) -
295           (mip->cohnum >> MPPE_HEADER_FLAGSHIFT);
296       if (n < 0)
297         n += MPPE_HEADER_STATEFUL_KEYCHANGES;
298       while (n--) {
299         log_Printf(LogDEBUG, "MPPEInput: Key changed during catchup [%u]\n",
300                    prefix);
301         MPPEKeyChange(mip);
302       }
303       mip->flushrequired = 0;
304       mip->cohnum = prefix;
305       dictinit = 1;
306     }
307 
308     if (mip->flushrequired) {
309       /*
310        * Perhaps we should be lenient if
311        * (prefix & MPPE_HEADER_FLAGMASK) == MPPE_HEADER_FLAG
312        * The spec says that we shouldn't be though....
313        */
314       log_Printf(LogDEBUG, "MPPE: Not flushed - discarded\n");
315       fsm_Output(&ccp->fsm, CODE_RESETREQ, ccp->fsm.reqid++, NULL, 0,
316                  MB_CCPOUT);
317       m_freem(mp);
318       return NULL;
319     }
320 
321     if (prefix != mip->cohnum) {
322       /*
323        * We're in stateful mode and didn't receive the expected
324        * packet.  Send a reset request, but don't tell the CCP layer
325        * about it as we don't expect to receive a Reset ACK !
326        * Guess what... M$ invented this !
327        */
328       log_Printf(LogCCP, "MPPE: Input: Got seq %u, not %u\n",
329                  prefix, mip->cohnum);
330       fsm_Output(&ccp->fsm, CODE_RESETREQ, ccp->fsm.reqid++, NULL, 0,
331                  MB_CCPOUT);
332       mip->flushrequired = 1;
333       m_freem(mp);
334       return NULL;
335     }
336 
337     if ((prefix & MPPE_HEADER_FLAGMASK) == MPPE_HEADER_FLAG) {
338       log_Printf(LogDEBUG, "MPPEInput: Key changed [%u]\n", prefix);
339       MPPEKeyChange(mip);
340       dictinit = 1;
341     } else if (flushed)
342       dictinit = 1;
343 
344     /*
345      * mip->cohnum contains what we expect to receive next time in stateful
346      * mode.
347      */
348     mip->cohnum++;
349     mip->cohnum &= ~MPPE_HEADER_BITMASK;
350   }
351 
352   if (dictinit) {
353     log_Printf(LogDEBUG, "MPPEInput: Dictionary initialised [%u]\n", prefix);
354     RC4_set_key(&mip->rc4key, mip->keylen, mip->sesskey);
355   }
356 
357   mp = mbuf_Read(mp, proto, 2);
358   RC4(&mip->rc4key, 2, (char *)proto, (char *)proto);
359   *proto = ntohs(*proto);
360 
361   rp = MBUF_CTOP(mp);
362   len = m_length(mp);
363   RC4(&mip->rc4key, len, rp, rp);
364 
365   log_Printf(LogDEBUG, "MPPEInput: Decrypted: Proto %02x (%d bytes)\n",
366              *proto, len);
367   log_DumpBp(LogDEBUG, "MPPEInput: Decrypted: Packet:", mp);
368 
369   ccp->uncompin += len;
370 
371   return mp;
372 }
373 
374 static void
375 MPPEDictSetup(void *v __unused, struct ccp *ccp __unused,
376 	      u_short proto __unused, struct mbuf *mp __unused)
377 {
378   /* Nothing to see here */
379 }
380 
381 static const char *
382 MPPEDispOpts(struct fsm_opt *o)
383 {
384   static char buf[70];
385   u_int32_t val;
386   char ch;
387   int len, n;
388 
389   ua_ntohl(o->data, &val);
390   len = 0;
391   if ((n = snprintf(buf, sizeof buf, "value 0x%08x ", (unsigned)val)) > 0)
392     len += n;
393   if (!(val & MPPE_OPT_BITMASK)) {
394     if ((n = snprintf(buf + len, sizeof buf - len, "(0")) > 0)
395       len += n;
396   } else {
397     ch = '(';
398     if (val & MPPE_OPT_128BIT) {
399       if ((n = snprintf(buf + len, sizeof buf - len, "%c128", ch)) > 0)
400         len += n;
401       ch = '/';
402     }
403     if (val & MPPE_OPT_56BIT) {
404       if ((n = snprintf(buf + len, sizeof buf - len, "%c56", ch)) > 0)
405         len += n;
406       ch = '/';
407     }
408     if (val & MPPE_OPT_40BIT) {
409       if ((n = snprintf(buf + len, sizeof buf - len, "%c40", ch)) > 0)
410         len += n;
411       ch = '/';
412     }
413   }
414 
415   if ((n = snprintf(buf + len, sizeof buf - len, " bits, state%s",
416                     (val & MPPE_OPT_STATELESS) ? "less" : "ful")) > 0)
417     len += n;
418 
419   if (val & MPPE_OPT_COMPRESSED) {
420     if ((n = snprintf(buf + len, sizeof buf - len, ", compressed")) > 0)
421       len += n;
422   }
423 
424   snprintf(buf + len, sizeof buf - len, ")");
425 
426   return buf;
427 }
428 
429 static int
430 MPPEUsable(struct fsm *fp)
431 {
432   int ok;
433 #ifndef NORADIUS
434   struct radius *r = &fp->bundle->radius;
435 
436   /*
437    * If the radius server gave us RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES,
438    * use that instead of our configuration value.
439    */
440   if (*r->cfg.file) {
441     ok = r->mppe.sendkeylen && r->mppe.recvkeylen;
442     if (!ok)
443       log_Printf(LogCCP, "MPPE: Not permitted by RADIUS server\n");
444   } else
445 #endif
446   {
447     struct lcp *lcp = &fp->link->lcp;
448     ok = (lcp->want_auth == PROTO_CHAP && lcp->want_authtype == 0x81) ||
449          (lcp->his_auth == PROTO_CHAP && lcp->his_authtype == 0x81);
450     if (!ok)
451       log_Printf(LogCCP, "MPPE: Not usable without CHAP81\n");
452   }
453 
454   return ok;
455 }
456 
457 static int
458 MPPERequired(struct fsm *fp)
459 {
460 #ifndef NORADIUS
461   /*
462    * If the radius server gave us RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY,
463    * use that instead of our configuration value.
464    */
465   if (*fp->bundle->radius.cfg.file && fp->bundle->radius.mppe.policy)
466     return fp->bundle->radius.mppe.policy == MPPE_POLICY_REQUIRED ? 1 : 0;
467 #endif
468 
469   return fp->link->ccp.cfg.mppe.required;
470 }
471 
472 static u_int32_t
473 MPPE_ConfigVal(struct bundle *bundle __unused, const struct ccp_config *cfg)
474 {
475   u_int32_t val;
476 
477   val = cfg->mppe.state == MPPE_STATELESS ? MPPE_OPT_STATELESS : 0;
478 #ifndef NORADIUS
479   /*
480    * If the radius server gave us RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES,
481    * use that instead of our configuration value.
482    */
483   if (*bundle->radius.cfg.file && bundle->radius.mppe.types) {
484     if (bundle->radius.mppe.types & MPPE_TYPE_40BIT)
485       val |= MPPE_OPT_40BIT;
486     if (bundle->radius.mppe.types & MPPE_TYPE_128BIT)
487       val |= MPPE_OPT_128BIT;
488   } else
489 #endif
490     switch(cfg->mppe.keybits) {
491     case 128:
492       val |= MPPE_OPT_128BIT;
493       break;
494     case 56:
495       val |= MPPE_OPT_56BIT;
496       break;
497     case 40:
498       val |= MPPE_OPT_40BIT;
499       break;
500     case 0:
501       val |= MPPE_OPT_128BIT | MPPE_OPT_56BIT | MPPE_OPT_40BIT;
502       break;
503     }
504 
505   return val;
506 }
507 
508 /*
509  * What options should we use for our first configure request
510  */
511 static void
512 MPPEInitOptsOutput(struct bundle *bundle, struct fsm_opt *o,
513                    const struct ccp_config *cfg)
514 {
515   u_int32_t mval;
516 
517   o->hdr.len = 6;
518 
519   if (!MPPE_MasterKeyValid) {
520     log_Printf(LogCCP, "MPPE: MasterKey is invalid,"
521                " MPPE is available only with CHAP81 authentication\n");
522     mval = 0;
523     ua_htonl(&mval, o->data);
524     return;
525   }
526 
527 
528   mval = MPPE_ConfigVal(bundle, cfg);
529   ua_htonl(&mval, o->data);
530 }
531 
532 /*
533  * Our CCP request was NAK'd with the given options
534  */
535 static int
536 MPPESetOptsOutput(struct bundle *bundle, struct fsm_opt *o,
537                   const struct ccp_config *cfg)
538 {
539   u_int32_t mval, peer;
540 
541   ua_ntohl(o->data, &peer);
542 
543   if (!MPPE_MasterKeyValid)
544     /* Treat their NAK as a REJ */
545     return MODE_NAK;
546 
547   mval = MPPE_ConfigVal(bundle, cfg);
548 
549   /*
550    * If we haven't been configured with a specific number of keybits, allow
551    * whatever the peer asks for.
552    */
553   if (!cfg->mppe.keybits) {
554     mval &= ~MPPE_OPT_BITMASK;
555     mval |= (peer & MPPE_OPT_BITMASK);
556     if (!(mval & MPPE_OPT_BITMASK))
557       mval |= MPPE_OPT_128BIT;
558   }
559 
560   /* Adjust our statelessness */
561   if (cfg->mppe.state == MPPE_ANYSTATE) {
562     mval &= ~MPPE_OPT_STATELESS;
563     mval |= (peer & MPPE_OPT_STATELESS);
564   }
565 
566   ua_htonl(&mval, o->data);
567 
568   return MODE_ACK;
569 }
570 
571 /*
572  * The peer has requested the given options
573  */
574 static int
575 MPPESetOptsInput(struct bundle *bundle, struct fsm_opt *o,
576                  const struct ccp_config *cfg)
577 {
578   u_int32_t mval, peer;
579   int res = MODE_ACK;
580 
581   ua_ntohl(o->data, &peer);
582   if (!MPPE_MasterKeyValid) {
583     if (peer != 0) {
584       peer = 0;
585       ua_htonl(&peer, o->data);
586       return MODE_NAK;
587     } else
588       return MODE_ACK;
589   }
590 
591   mval = MPPE_ConfigVal(bundle, cfg);
592 
593   if (peer & ~MPPE_OPT_MASK)
594     /* He's asking for bits we don't know about */
595     res = MODE_NAK;
596 
597   if (peer & MPPE_OPT_STATELESS) {
598     if (cfg->mppe.state == MPPE_STATEFUL)
599       /* Peer can't have stateless */
600       res = MODE_NAK;
601     else
602       /* Peer wants stateless, that's ok */
603       mval |= MPPE_OPT_STATELESS;
604   } else {
605     if (cfg->mppe.state == MPPE_STATELESS)
606       /* Peer must have stateless */
607       res = MODE_NAK;
608     else
609       /* Peer doesn't want stateless, that's ok */
610       mval &= ~MPPE_OPT_STATELESS;
611   }
612 
613   /* If we've got a configured number of keybits - the peer must use that */
614   if (cfg->mppe.keybits) {
615     ua_htonl(&mval, o->data);
616     return peer == mval ? res : MODE_NAK;
617   }
618 
619   /* If a specific number of bits hasn't been requested, we'll need to NAK */
620   switch (peer & MPPE_OPT_BITMASK) {
621   case MPPE_OPT_128BIT:
622   case MPPE_OPT_56BIT:
623   case MPPE_OPT_40BIT:
624     break;
625   default:
626     res = MODE_NAK;
627   }
628 
629   /* Suggest the best number of bits */
630   mval &= ~MPPE_OPT_BITMASK;
631   if (peer & MPPE_OPT_128BIT)
632     mval |= MPPE_OPT_128BIT;
633   else if (peer & MPPE_OPT_56BIT)
634     mval |= MPPE_OPT_56BIT;
635   else if (peer & MPPE_OPT_40BIT)
636     mval |= MPPE_OPT_40BIT;
637   else
638     mval |= MPPE_OPT_128BIT;
639   ua_htonl(&mval, o->data);
640 
641   return res;
642 }
643 
644 static struct mppe_state *
645 MPPE_InitState(struct fsm_opt *o)
646 {
647   struct mppe_state *mp;
648   u_int32_t val;
649 
650   if ((mp = calloc(1, sizeof *mp)) != NULL) {
651     ua_ntohl(o->data, &val);
652 
653     switch (val & MPPE_OPT_BITMASK) {
654     case MPPE_OPT_128BIT:
655       mp->keylen = 16;
656       mp->keybits = 128;
657       break;
658     case MPPE_OPT_56BIT:
659       mp->keylen = 8;
660       mp->keybits = 56;
661       break;
662     case MPPE_OPT_40BIT:
663       mp->keylen = 8;
664       mp->keybits = 40;
665       break;
666     default:
667       log_Printf(LogWARN, "Unexpected MPPE options 0x%08x\n", val);
668       free(mp);
669       return NULL;
670     }
671 
672     mp->stateless = !!(val & MPPE_OPT_STATELESS);
673   }
674 
675   return mp;
676 }
677 
678 static void *
679 MPPEInitInput(struct bundle *bundle __unused, struct fsm_opt *o)
680 {
681   struct mppe_state *mip;
682 
683   if (!MPPE_MasterKeyValid) {
684     log_Printf(LogWARN, "MPPE: Cannot initialise without CHAP81\n");
685     return NULL;
686   }
687 
688   if ((mip = MPPE_InitState(o)) == NULL) {
689     log_Printf(LogWARN, "MPPEInput: Cannot initialise - unexpected options\n");
690     return NULL;
691   }
692 
693   log_Printf(LogDEBUG, "MPPE: InitInput: %d-bits\n", mip->keybits);
694 
695 #ifndef NORADIUS
696   if (*bundle->radius.cfg.file && bundle->radius.mppe.recvkey) {
697     if (mip->keylen > bundle->radius.mppe.recvkeylen)
698       mip->keylen = bundle->radius.mppe.recvkeylen;
699     if (mip->keylen > sizeof mip->mastkey)
700       mip->keylen = sizeof mip->mastkey;
701     memcpy(mip->mastkey, bundle->radius.mppe.recvkey, mip->keylen);
702   } else
703 #endif
704     GetAsymetricStartKey(MPPE_MasterKey, mip->mastkey, mip->keylen, 0,
705                          MPPE_IsServer);
706 
707   GetNewKeyFromSHA(mip->mastkey, mip->mastkey, mip->keylen, mip->sesskey);
708 
709   MPPEReduceSessionKey(mip);
710 
711   log_Printf(LogCCP, "MPPE: Input channel initiated\n");
712 
713   if (!mip->stateless) {
714     /*
715      * We need to initialise our dictionary here as the first packet we
716      * receive is unlikely to have the FLUSHED bit set.
717      */
718     log_Printf(LogDEBUG, "MPPEInitInput: Dictionary initialised [%d]\n",
719                mip->cohnum);
720     RC4_set_key(&mip->rc4key, mip->keylen, mip->sesskey);
721   } else {
722     /*
723      * We do the first key change here as the first packet is expected
724      * to have a sequence number of 0 and we'll therefore not expect
725      * to have to change the key at that point.
726      */
727     log_Printf(LogDEBUG, "MPPEInitInput: Key changed [%d]\n", mip->cohnum);
728     MPPEKeyChange(mip);
729   }
730 
731   return mip;
732 }
733 
734 static void *
735 MPPEInitOutput(struct bundle *bundle __unused, struct fsm_opt *o)
736 {
737   struct mppe_state *mop;
738 
739   if (!MPPE_MasterKeyValid) {
740     log_Printf(LogWARN, "MPPE: Cannot initialise without CHAP81\n");
741     return NULL;
742   }
743 
744   if ((mop = MPPE_InitState(o)) == NULL) {
745     log_Printf(LogWARN, "MPPEOutput: Cannot initialise - unexpected options\n");
746     return NULL;
747   }
748 
749   log_Printf(LogDEBUG, "MPPE: InitOutput: %d-bits\n", mop->keybits);
750 
751 #ifndef NORADIUS
752   if (*bundle->radius.cfg.file && bundle->radius.mppe.sendkey) {
753     if (mop->keylen > bundle->radius.mppe.sendkeylen)
754       mop->keylen = bundle->radius.mppe.sendkeylen;
755     if (mop->keylen > sizeof mop->mastkey)
756       mop->keylen = sizeof mop->mastkey;
757     memcpy(mop->mastkey, bundle->radius.mppe.sendkey, mop->keylen);
758   } else
759 #endif
760     GetAsymetricStartKey(MPPE_MasterKey, mop->mastkey, mop->keylen, 1,
761                          MPPE_IsServer);
762 
763   GetNewKeyFromSHA(mop->mastkey, mop->mastkey, mop->keylen, mop->sesskey);
764 
765   MPPEReduceSessionKey(mop);
766 
767   log_Printf(LogCCP, "MPPE: Output channel initiated\n");
768 
769   if (!mop->stateless) {
770     /*
771      * We need to initialise our dictionary now as the first packet we
772      * send won't have the FLUSHED bit set.
773      */
774     log_Printf(LogDEBUG, "MPPEInitOutput: Dictionary initialised [%d]\n",
775                mop->cohnum);
776     RC4_set_key(&mop->rc4key, mop->keylen, mop->sesskey);
777   }
778 
779   return mop;
780 }
781 
782 static void
783 MPPETermInput(void *v)
784 {
785   free(v);
786 }
787 
788 static void
789 MPPETermOutput(void *v)
790 {
791   free(v);
792 }
793 
794 const struct ccp_algorithm MPPEAlgorithm = {
795   TY_MPPE,
796   CCP_NEG_MPPE,
797   MPPEDispOpts,
798   MPPEUsable,
799   MPPERequired,
800   {
801     MPPESetOptsInput,
802     MPPEInitInput,
803     MPPETermInput,
804     MPPEResetInput,
805     MPPEInput,
806     MPPEDictSetup
807   },
808   {
809     2,
810     MPPEInitOptsOutput,
811     MPPESetOptsOutput,
812     MPPEInitOutput,
813     MPPETermOutput,
814     MPPEResetOutput,
815     MPPEOutput
816   },
817 };
818