[pptp-server] RE: Forcing encryption (was: Optimizing pppd for PPTP)
Patrick Reid
P.J.Reid at earthling.net
Tue Mar 21 11:43:48 CST 2000
I applied this patch "by hand", then used diff -ur on the new files and the
backups: I get the same set of diffs as Martin posted here.
So, those patch files should work just fine on 2.3.10 systems, with just a
change in the directory specification.
I suggest adding these patches to the PoPToP web site, along with a
description of the new options: they are invaluable!
Patrick Reid - mailto:PReid at candesco.com
Candesco Research Corp.
Communication Centre: <http://www.mirabilis.com/1052176>
-----Original Message-----
From: mm at cicero.werkleitz.de [mailto:mm at cicero.werkleitz.de] On Behalf Of Martin Mueller
Sent: March 16, 2000 1:12 PM
To: Patrick Reid
Cc: Pptp Mailing List (E-mail)
Subject: Forcing encryption (was: Optimizing pppd for PPTP)
Hi all and thanks for your work,
On Thu, Mar 16, 2000 at 07:21:58AM -0400, Patrick Reid wrote:
>
> 1) Require 128-bit, stateless encryption on the server side
> I can refuse 40-bit encryption, but I can't keep someone from connecting
> with no encryption or in stateful mode (i.e. only one key). I know it is
> possible to force my clients to only use strong encryption, but this doesn't
> keep people from trying to exploit the PPTP security issues for Microsoft's
> implementation.
Ok, here are the patches to pppd-2.3.11 to require encryption. The new
options are "require-mppe" and "require-mppe-stateless". You must first
apply the MPPE patches for pppd and then this one.
bye
MM
PGP-RSA key available from:
http://horowitz.surfnet.nl:11371/pks/lookup?op=index&search=mm@lunetix.de
------------------------ cut here -----------------------------------
diff -ur ppp-2.3.11/pppd/ccp.c ppp-2.3.11.mppe/pppd/ccp.c
--- ppp-2.3.11/pppd/ccp.c Thu Mar 16 17:47:42 2000
+++ ppp-2.3.11.mppe/pppd/ccp.c Thu Mar 16 17:56:16 2000
@@ -37,6 +37,7 @@
#include "mppe.h"
#endif
#include <net/ppp-comp.h>
+#include "lcp.h"
static const char rcsid[] = RCSID;
@@ -103,6 +104,10 @@
"Disallow stateless MPPE encryption" },
{ "-mppe-stateless", o_special_noarg, setnomppe_stateless,
"Disallow stateless MPPE encryption" },
+ { "require-mppe", o_special_noarg, require_mppe,
+ "Require MPPE encryption" },
+ { "require-mppe-stateless", o_special_noarg, require_mppe,
+ "Require stateless MPPE encryption" },
#endif
{ NULL }
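Review bot: the `require-mppe-stateless` entry in the option table is wired to `require_mppe`, not to `require_mppe_stateless`, so `require_mppe_stateless` is never set and the new option behaves exactly like plain `require-mppe` (the mppe.c hunk defines `require_mppe_stateless(char **)` precisely for this entry). The line should read `{ "require-mppe-stateless", o_special_noarg, require_mppe_stateless,`. Minor: the unchanged context line above `-mppe-stateless` also carries the "Disallow stateless MPPE encryption" help text, so the `+mppe-stateless` entry of the underlying MPPE patch appears to have a copy-pasted description; worth fixing while in this table.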
@@ -450,6 +455,8 @@
{
ccp_flags_set(unit, 0, 0);
fsm_lowerdown(&ccp_fsm[unit]);
+ if ( ccp_wantoptions[unit].require_mppe ||
ccp_wantoptions[unit].require_mppe_stateless )
+ lcp_close(unit,"Encryption negotiation rejected");
}
/*
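Review bot: the continuation line `ccp_wantoptions[unit].require_mppe_stateless )` has lost its leading `+` in the mail, so this hunk will not apply as pasted; the same wrapping damage appears in the ccp_up hunk and in mppe.c, so anyone applying the patch needs to rejoin those lines (which matches Patrick's "by hand" experience). On the logic: closing LCP with a reason string when CCP is protocol-rejected is the right reaction when encryption is mandatory, since a peer that rejects CCP cannot be running MPPE, and the reason text will show up in the pppd log. The second disjunct of the condition is redundant once `require_mppe_stateless()` also sets `require_mppe` (see the mppe.c hunk), but it is harmless.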
@@ -1269,6 +1276,19 @@
notice("%s receive compression enabled", method_name(go, NULL));
} else if (ANY_COMPRESS(*ho))
notice("%s transmit compression enabled", method_name(ho, NULL));
+
+ if ( ccp_wantoptions[f->unit].require_mppe_stateless ||
ccp_wantoptions[f->unit].require_mppe ) {
+ if ( (go->mppe_128 && ho->mppe_128) || (go->mppe_40 && ho->mppe_40 ) )
+ if ( ccp_wantoptions[f->unit].require_mppe_stateless )
+ if ( go->mppe_stateless && ho->mppe_stateless )
+ notice("stateless MPPE enforced");
+ else
+ lcp_close(f->unit,"stateless encryption negotiation failed");
+ else
+ notice("stateless MPPE enforced");
+ else
+ lcp_close(f->unit,"encryption negotiation failed");
+ }
}
/*
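Review bot: the `notice()` in the inner `else` branch, reached when only `require-mppe` is set and stateless was not required, prints "stateless MPPE enforced", which misleads anyone reading the log; it should say "MPPE enforced". The brace-less `if`/`else` ladder relies on dangling-else binding happening to match the indentation; it does here, but braces would make the intent reviewable and stop the next edit from silently changing which `if` an `else` belongs to. As written, a session that agreed on 40-bit keys (`go->mppe_40 && ho->mppe_40`) satisfies `require-mppe`, which is consistent with leaving the key length to the existing `mppe_40`/`mppe_128` allow flags in ccp.h, but should be stated in the option description. The continuation line `ccp_wantoptions[f->unit].require_mppe ) {` again lacks its `+`. Finally, this check only runs once CCP reaches the up state, and the earlier hunk only covers a protocol reject; it is worth verifying what happens when the peer never opens CCP at all, since neither path in this patch would then close the link.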
diff -ur ppp-2.3.11/pppd/ccp.h ppp-2.3.11.mppe/pppd/ccp.h
--- ppp-2.3.11/pppd/ccp.h Thu Mar 16 17:47:42 2000
+++ ppp-2.3.11.mppe/pppd/ccp.h Thu Mar 16 16:25:50 2000
@@ -38,6 +38,8 @@
bool mppe_40; /* allow 40 bit encryption */
bool mppe_128; /* allow 128 bit encryption */
bool mppe_stateless; /* allow stateless encryption */
+ bool require_mppe; /* force mppe encryption */
+ bool require_mppe_stateless; /* force stateless encryption */
u_short bsd_bits; /* # bits/code for BSD Compress */
u_short deflate_size; /* lg(window size) for Deflate */
short method; /* code for chosen compression method */
diff -ur ppp-2.3.11/pppd/mppe.c ppp-2.3.11.mppe/pppd/mppe.c
--- ppp-2.3.11/pppd/mppe.c Thu Mar 16 17:47:42 2000
+++ ppp-2.3.11.mppe/pppd/mppe.c Thu Mar 16 17:06:34 2000
@@ -226,4 +226,20 @@
ccp_allowoptions[0].mppe_stateless = ccp_wantoptions[0].mppe_stateless
= 0;
return 1;
}
+
+int
+require_mppe(char **argv)
+{
+ ccp_allowoptions[0].require_mppe = ccp_wantoptions[0].require_mppe = 1;
+ return 1;
+}
+
+int
+require_mppe_stateless(char **argv)
+{
+ ccp_allowoptions[0].require_mppe = ccp_wantoptions[0].require_mppe = 1;
+ ccp_allowoptions[0].require_mppe_stateless =
ccp_wantoptions[0].require_mppe_stateless = 1;
+ return 1;
+}
+
#endif /* MPPE */
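Review bot: the continuation line `ccp_wantoptions[0].require_mppe_stateless = 1;` has lost its `+`, so the hunk will not apply as pasted. `require_mppe_stateless()` correctly sets both flags, following the allow/want pattern of the surrounding setters, but with the ccp.c option table as posted it is never referenced, so it is dead code until that table entry is pointed at it. The unused `argv` parameter matches the signature of the other setters (`setnomppe_stateless` above), so no change needed there.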
diff -ur ppp-2.3.11/pppd/mppe.h ppp-2.3.11.mppe/pppd/mppe.h
--- ppp-2.3.11/pppd/mppe.h Thu Mar 16 17:47:42 2000
+++ ppp-2.3.11.mppe/pppd/mppe.h Thu Mar 16 16:25:00 2000
@@ -51,6 +51,8 @@
int setnomppe_128(char **);
int setmppe_stateless(char **);
int setnomppe_stateless(char **);
+int require_mppe(char **);
+int require_mppe_stateless(char **);
#define __MPPE_INCLUDE__
#endif /* __MPPE_INCLUDE__ */
------------------------ cut here -----------------------------------
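As an added example that is not part of Martin's patch or the PoPToP project, this is a pppd options fragment for the requirement Patrick stated at the top of the thread, a server that accepts nothing but 128-bit stateless MPPE. The two `require-` options come from the patch; the `-mppe-40` spelling is an assumption based on the `-mppe-stateless` and `setnomppe_128` names visible in the diff, and `require-mppe-stateless` only does its job once the option-table entry in ccp.c is wired to `require_mppe_stateless` rather than `require_mppe`.

```text
# /etc/ppp/options.pptpd (constructed example)
# Option spellings other than require-mppe / require-mppe-stateless are
# assumed from the "+name" / "-name" convention of the MPPE patch.
-mppe-40                  # refuse 40-bit keys; only 128-bit MPPE can be agreed
require-mppe-stateless    # close LCP unless MPPE was negotiated AND it is stateless
```

To check that the requirement is actually enforced, connect once with a client that is configured for 40-bit or stateful encryption and watch the pppd log: a compliant session logs "stateless MPPE enforced", while a non-compliant one is terminated with the LCP reason "encryption negotiation failed" or "stateless encryption negotiation failed", both strings taken from the patch above.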