[pptp-server] Forcing encryption (was: Optimizing pppd for PPTP)

Alex Stagg alex at softproseinc.com
Tue Mar 21 11:39:37 CST 2000


Martin,

How does this patch relate to the mppe patch for ppp 2.3.10? (That patch
only applies to 2.3.10, unless the 2.3.11 directory is renamed - right?)

Alex Stagg
SoftProse, Inc.
1776 22nd Street, Suite 100, West Des Moines, IA 50266
Direct: 515-988-4291, Main: 515-221-2220, Fax: 435-514-0727
email: alex at SoftProseInc.com
URL: http://www.softproseinc.com

Engineering Services for Digital TV


-----Original Message-----
From: Martin Mueller <mm at lunetix.de>
To: Patrick Reid <P.J.Reid at earthling.net>
Cc: Pptp Mailing List (E-mail) <pptp-server at lists.schulte.org>
Date: Thursday, March 16, 2000 11:14 AM
Subject: [pptp-server] Forcing encryption (was: Optimizing pppd for PPTP)


>Hi all and thanks for your work,
>
>On Thu, Mar 16, 2000 at 07:21:58AM -0400, Patrick Reid wrote:
>>
>> 1) Require 128-bit, stateless encryption on the server side
>> I can refuse 40-bit encryption, but I can't keep someone from connecting
>> with no encryption or in stateful mode (i.e. only one key). I know it is
>> possible to force my clients to only use strong encryption, but this doesn't
>> keep people from trying to exploit the PPTP security issues for Microsoft's
>> implementation.
>
>Ok, here are the patches to pppd-2.3.11 to require encryption. The new
>options are "require-mppe" and "require-mppe-stateless". You must first
>apply the MPPE patches for pppd and then this one.
>
>bye
>   MM
>
>PGP-RSA key available from:
>http://horowitz.surfnet.nl:11371/pks/lookup?op=index&search=mm@lunetix.de
>------------------------ cut here -----------------------------------
>diff -ur ppp-2.3.11/pppd/ccp.c ppp-2.3.11.mppe/pppd/ccp.c
>--- ppp-2.3.11/pppd/ccp.c Thu Mar 16 17:47:42 2000
>+++ ppp-2.3.11.mppe/pppd/ccp.c Thu Mar 16 17:56:16 2000
>@@ -37,6 +37,7 @@
> #include "mppe.h"
> #endif
> #include <net/ppp-comp.h>
>+#include "lcp.h"
>
> static const char rcsid[] = RCSID;
>
>@@ -103,6 +104,10 @@
>       "Disallow stateless MPPE encryption" },
>     { "-mppe-stateless", o_special_noarg, setnomppe_stateless,
>       "Disallow stateless MPPE encryption" },
>+    { "require-mppe", o_special_noarg, require_mppe,
>+      "Require MPPE encryption" },
>+    { "require-mppe-stateless", o_special_noarg, require_mppe,
>+      "Require stateless MPPE encryption" },
> #endif
>
>     { NULL }
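Review bot: the `require-mppe-stateless` entry points at `require_mppe` instead of `require_mppe_stateless`, so the stateless requirement is never set and the option behaves exactly like `require-mppe`; the `require_mppe_stateless()` added in mppe.c and declared in mppe.h is otherwise unreferenced. Change the entry to `{ "require-mppe-stateless", o_special_noarg, require_mppe_stateless,`.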
>@@ -450,6 +455,8 @@
> {
>     ccp_flags_set(unit, 0, 0);
>     fsm_lowerdown(&ccp_fsm[unit]);
>+    if ( ccp_wantoptions[unit].require_mppe ||
ccp_wantoptions[unit].require_mppe_stateless )
>+ lcp_close(unit,"Encryption negotiation rejected");
> }
>
> /*
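Review bot: the added condition was wrapped by the mailer, leaving `ccp_wantoptions[unit].require_mppe_stateless )` on a line without the `>+` prefix, so the hunk will not apply as quoted; rejoin the two lines before applying. Since `require_mppe_stateless()` in mppe.c always sets `require_mppe` as well, testing `ccp_wantoptions[unit].require_mppe` alone is sufficient here, and the close on protocol-reject deserves a one-line comment stating that a peer rejecting CCP means no MPPE can be negotiated at all.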
>@@ -1269,6 +1276,19 @@
>     notice("%s receive compression enabled", method_name(go, NULL));
>     } else if (ANY_COMPRESS(*ho))
> notice("%s transmit compression enabled", method_name(ho, NULL));
>+
>+    if ( ccp_wantoptions[f->unit].require_mppe_stateless ||
ccp_wantoptions[f->unit].require_mppe ) {
>+    if ( (go->mppe_128 && ho->mppe_128) || (go->mppe_40 && ho->mppe_40 ) )
>+        if ( ccp_wantoptions[f->unit].require_mppe_stateless )
>+ if ( go->mppe_stateless && ho->mppe_stateless )
>+             notice("stateless MPPE enforced");
>+         else
>+             lcp_close(f->unit,"stateless encryption negotiation failed");
>+     else
>+         notice("stateless MPPE enforced");
>+ else
>+     lcp_close(f->unit,"encryption negotiation failed");
>+    }
> }
>
> /*
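Review bot: the `notice("stateless MPPE enforced")` on the branch taken when `require_mppe_stateless` is not set is misleading, since that path only proves some MPPE key length was negotiated; use a message such as `"MPPE enforced"` there. The brace-less nested `if`/`else` chain is hard to verify (each `else` binds to the nearest unmatched `if`, which happens to be the intent, but the reader has to work that out), so add braces at every level. Note also that `require-mppe` is satisfied by a 40-bit negotiation (`go->mppe_40 && ho->mppe_40`), so a server that wants 128-bit only still has to disallow 40-bit separately; the option help text should say so. As in the previous hunk, the `if` condition was wrapped by the mailer and must be rejoined before the patch applies.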
>diff -ur ppp-2.3.11/pppd/ccp.h ppp-2.3.11.mppe/pppd/ccp.h
>--- ppp-2.3.11/pppd/ccp.h Thu Mar 16 17:47:42 2000
>+++ ppp-2.3.11.mppe/pppd/ccp.h Thu Mar 16 16:25:50 2000
>@@ -38,6 +38,8 @@
>     bool mppe_40; /* allow 40 bit encryption */
>     bool mppe_128; /* allow 128 bit encryption */
>     bool mppe_stateless; /* allow stateless encryption */
>+    bool require_mppe; /* force mppe encryption */
>+    bool require_mppe_stateless; /* force stateless encryption */
>     u_short bsd_bits; /* # bits/code for BSD Compress */
>     u_short deflate_size; /* lg(window size) for Deflate */
>     short method; /* code for chosen compression method */
>diff -ur ppp-2.3.11/pppd/mppe.c ppp-2.3.11.mppe/pppd/mppe.c
>--- ppp-2.3.11/pppd/mppe.c Thu Mar 16 17:47:42 2000
>+++ ppp-2.3.11.mppe/pppd/mppe.c Thu Mar 16 17:06:34 2000
>@@ -226,4 +226,20 @@
>     ccp_allowoptions[0].mppe_stateless = ccp_wantoptions[0].mppe_stateless
= 0;
>     return 1;
> }
>+
>+int
>+require_mppe(char **argv)
>+{
>+    ccp_allowoptions[0].require_mppe = ccp_wantoptions[0].require_mppe =
1;
>+    return 1;
>+}
>+
>+int
>+require_mppe_stateless(char **argv)
>+{
>+    ccp_allowoptions[0].require_mppe = ccp_wantoptions[0].require_mppe =
1;
>+    ccp_allowoptions[0].require_mppe_stateless =
ccp_wantoptions[0].require_mppe_stateless = 1;
>+    return 1;
>+}
>+
> #endif /* MPPE */
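Review bot: both setters write `ccp_allowoptions[0]` as well as `ccp_wantoptions[0]`, but the checks added to ccp.c only ever read `ccp_wantoptions`; for a flag that restricts what this side will accept rather than what it offers, the `allowoptions` assignment is harmless but misleading, so either drop it or comment why both are set. The unused `argv` parameter matches the other `set*` handlers and is fine. The mailer wrapped the assignment lines (`1;` and the context line's `= 0;` landed on their own lines), so the hunk needs rejoining before it applies.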
>diff -ur ppp-2.3.11/pppd/mppe.h ppp-2.3.11.mppe/pppd/mppe.h
>--- ppp-2.3.11/pppd/mppe.h Thu Mar 16 17:47:42 2000
>+++ ppp-2.3.11.mppe/pppd/mppe.h Thu Mar 16 16:25:00 2000
>@@ -51,6 +51,8 @@
> int setnomppe_128(char **);
> int setmppe_stateless(char **);
> int setnomppe_stateless(char **);
>+int require_mppe(char **);
>+int require_mppe_stateless(char **);
>
> #define __MPPE_INCLUDE__
> #endif /* __MPPE_INCLUDE__ */
>------------------------ cut here -----------------------------------
>
>_______________________________________________
>pptp-server maillist  -  pptp-server at lists.schulte.org
>http://lists.schulte.org/mailman/listinfo/pptp-server
>List services provided by www.schulte.org!
>
