[pptp-server] Forcing encryption (was: Optimizing pppd for PPTP)

Martin Mueller mm at lunetix.de
Thu Mar 16 11:11:22 CST 2000


Hi all and thanks for your work,

On Thu, Mar 16, 2000 at 07:21:58AM -0400, Patrick Reid wrote:
> 
> 1) Require 128-bit, stateless encryption on the server side
> 	I can refuse 40-bit encryption, but I can't keep someone from connecting
> with no encryption or in stateful mode (i.e. only one key). I know it is
> possible to force my clients to only use strong encryption, but this doesn't
> keep people from trying to exploit the PPTP security issues for Microsoft's
> implementation.

Ok, here are the patches to pppd-2.3.11 to require encryption. The new
options are "require-mppe" and "require-mppe-stateless". You must first
apply the MPPE patches for pppd and then this one.

bye
   MM
   
PGP-RSA key available from:
http://horowitz.surfnet.nl:11371/pks/lookup?op=index&search=mm@lunetix.de
------------------------ cut here -----------------------------------
diff -ur ppp-2.3.11/pppd/ccp.c ppp-2.3.11.mppe/pppd/ccp.c
--- ppp-2.3.11/pppd/ccp.c	Thu Mar 16 17:47:42 2000
+++ ppp-2.3.11.mppe/pppd/ccp.c	Thu Mar 16 17:56:16 2000
@@ -37,6 +37,7 @@
 #include "mppe.h"
 #endif
 #include <net/ppp-comp.h>
+#include "lcp.h"
 
 static const char rcsid[] = RCSID;
 
@@ -103,6 +104,10 @@
       "Disallow stateless MPPE encryption" }, 
     { "-mppe-stateless", o_special_noarg, setnomppe_stateless,
       "Disallow stateless MPPE encryption" }, 
+    { "require-mppe", o_special_noarg, require_mppe,
+      "Require MPPE encryption" }, 
+    { "require-mppe-stateless", o_special_noarg, require_mppe,
+      "Require stateless MPPE encryption" }, 
 #endif
 
     { NULL }
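Review bot: The new "require-mppe-stateless" table entry is wired to `require_mppe`, so selecting it only sets require_mppe and the stateless requirement is never recorded; the handler added in mppe.c for it, `require_mppe_stateless`, is unreachable from the options table. The entry should read `{ "require-mppe-stateless", o_special_noarg, require_mppe_stateless,`. The same mismatch is visible from the mppe.c hunk that defines both handlers.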
@@ -450,6 +455,8 @@
 {
     ccp_flags_set(unit, 0, 0);
     fsm_lowerdown(&ccp_fsm[unit]);
+    if ( ccp_wantoptions[unit].require_mppe || ccp_wantoptions[unit].require_mppe_stateless )
+	lcp_close(unit,"Encryption negotiation rejected");
 }
 
 /*
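Review bot: The added `lcp_close` tears down the whole link whenever CCP goes down with a require option set, but the enclosing function's header is outside the hunk, so it is not visible from here whether this is only the protocol-reject path or also the ordinary lowerdown path taken during normal link teardown; in the latter case `lcp_close` would run on an LCP that is already closing. If this is the protocol-reject handler only, a one-line comment stating that would save the next reader the same check, e.g. `/* peer rejected CCP outright: with encryption required, drop the link */`. Note also that the condition reads `ccp_wantoptions[unit]` while the option handlers set both allow and want, which is consistent, but the two should not drift apart later.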
@@ -1269,6 +1276,19 @@
 	    notice("%s receive compression enabled", method_name(go, NULL));
     } else if (ANY_COMPRESS(*ho))
 	notice("%s transmit compression enabled", method_name(ho, NULL));
+
+    if ( ccp_wantoptions[f->unit].require_mppe_stateless || ccp_wantoptions[f->unit].require_mppe ) {
+    	if ( (go->mppe_128 && ho->mppe_128) || (go->mppe_40 && ho->mppe_40 ) )
+    	    if ( ccp_wantoptions[f->unit].require_mppe_stateless )
+		if ( go->mppe_stateless && ho->mppe_stateless )
+	            notice("stateless MPPE enforced");
+	        else
+	            lcp_close(f->unit,"stateless encryption negotiation failed");
+	    else
+	        notice("stateless MPPE enforced");
+	else
+	    lcp_close(f->unit,"encryption negotiation failed");
+    }
 }
 
 /*
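Review bot: The enforcement block is a four-deep unbraced if/else chain, and the `else` at the third level reports "stateless MPPE enforced" for the plain require-mppe case, so the log line is wrong whenever only require-mppe is set; with no braces it is also easy to misread which `else` pairs with which `if`. Flattening it into one guarded chain with explicit braces makes the policy readable and fixes the message; the enclosing function (appears to be the CCP up handler) starts outside the hunk. A separate point worth a comment: this check only runs once CCP reaches the up state, so a peer that never opens CCP is caught, if at all, only by the lowerdown/protocol-reject change elsewhere in this patch — a sentence in the notice text or a comment here saying so would help an operator reading the logs.

```c
    if (ccp_wantoptions[f->unit].require_mppe_stateless || ccp_wantoptions[f->unit].require_mppe) {
        /* Both sides must have agreed on the same key length for MPPE to be active. */
        int mppe_on = (go->mppe_128 && ho->mppe_128) || (go->mppe_40 && ho->mppe_40);
        int stateless_on = go->mppe_stateless && ho->mppe_stateless;

        if (!mppe_on) {
            lcp_close(f->unit, "encryption negotiation failed");
        } else if (ccp_wantoptions[f->unit].require_mppe_stateless && !stateless_on) {
            lcp_close(f->unit, "stateless encryption negotiation failed");
        } else if (ccp_wantoptions[f->unit].require_mppe_stateless) {
            notice("stateless MPPE enforced");
        } else {
            notice("MPPE enforced");
        }
    }
```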
diff -ur ppp-2.3.11/pppd/ccp.h ppp-2.3.11.mppe/pppd/ccp.h
--- ppp-2.3.11/pppd/ccp.h	Thu Mar 16 17:47:42 2000
+++ ppp-2.3.11.mppe/pppd/ccp.h	Thu Mar 16 16:25:50 2000
@@ -38,6 +38,8 @@
     bool mppe_40;		/* allow 40 bit encryption */
     bool mppe_128;		/* allow 128 bit encryption */
     bool mppe_stateless;	/* allow stateless encryption */
+    bool require_mppe;		/* force mppe encryption */
+    bool require_mppe_stateless;	/* force stateless encryption */
     u_short bsd_bits;		/* # bits/code for BSD Compress */
     u_short deflate_size;	/* lg(window size) for Deflate */
     short method;		/* code for chosen compression method */
diff -ur ppp-2.3.11/pppd/mppe.c ppp-2.3.11.mppe/pppd/mppe.c
--- ppp-2.3.11/pppd/mppe.c	Thu Mar 16 17:47:42 2000
+++ ppp-2.3.11.mppe/pppd/mppe.c	Thu Mar 16 17:06:34 2000
@@ -226,4 +226,20 @@
     ccp_allowoptions[0].mppe_stateless = ccp_wantoptions[0].mppe_stateless = 0;
     return 1;
 }
+
+int
+require_mppe(char **argv)
+{
+    ccp_allowoptions[0].require_mppe = ccp_wantoptions[0].require_mppe = 1;
+    return 1;
+}
+
+int
+require_mppe_stateless(char **argv)
+{
+    ccp_allowoptions[0].require_mppe = ccp_wantoptions[0].require_mppe = 1;
+    ccp_allowoptions[0].require_mppe_stateless = ccp_wantoptions[0].require_mppe_stateless = 1;
+    return 1;
+}
+
 #endif /* MPPE */
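Review bot: `require_mppe_stateless` records the requirement but does not make sure the corresponding negotiation flags are still requested, so a command line that also carries `-mppe-stateless` (or one that disables both key lengths) produces a link that can never satisfy the check in ccp_up and is always closed. Consider having the handlers also assert the matching want flags, e.g. `ccp_wantoptions[0].mppe_stateless = 1;` in `require_mppe_stateless`, or rejecting the conflicting combination at option-parse time with a clear error. Each handler would also benefit from a one-line header comment stating which flags it sets, mirroring the existing set*/setno* handlers above; `argv` is unused, as in those.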
diff -ur ppp-2.3.11/pppd/mppe.h ppp-2.3.11.mppe/pppd/mppe.h
--- ppp-2.3.11/pppd/mppe.h	Thu Mar 16 17:47:42 2000
+++ ppp-2.3.11.mppe/pppd/mppe.h	Thu Mar 16 16:25:00 2000
@@ -51,6 +51,8 @@
 int setnomppe_128(char **);
 int setmppe_stateless(char **);
 int setnomppe_stateless(char **);
+int require_mppe(char **);
+int require_mppe_stateless(char **);
 
 #define __MPPE_INCLUDE__
 #endif /* __MPPE_INCLUDE__ */
------------------------ cut here -----------------------------------



