[pptp-server] RE: Forcing encryption (was: Optimizing pppd for PPTP)

Patrick Reid P.J.Reid at earthling.net
Tue Mar 21 11:43:48 CST 2000


I applied this patch "by hand", then used diff -ur on the new files and the
backups: I get the same set of diffs as Martin posted here.

So, those patch files should work just fine on 2.3.10 systems, with just a
change in the directory specification.

I suggest adding these patches to the PoPToP web site, along with a
description of the new options: they are invaluable!

Patrick Reid - mailto:PReid at candesco.com
Candesco Research Corp.
Communication Centre: <http://www.mirabilis.com/1052176>


-----Original Message-----
From: mm at cicero.werkleitz.de [mailto:mm at cicero.werkleitz.de] On Behalf Of
Martin Mueller
Sent: March 16, 2000 1:12 PM
To: Patrick Reid
Cc: Pptp Mailing List (E-mail)
Subject: Forcing encryption (was: Optimizing pppd for PPTP)


Hi all and thanks for your work,

On Thu, Mar 16, 2000 at 07:21:58AM -0400, Patrick Reid wrote:
>
> 1) Require 128-bit, stateless encryption on the server side
> 	I can refuse 40-bit encryption, but I can't keep someone from connecting
> with no encryption or in stateful mode (i.e. only one key). I know it is
> possible to force my clients to only use strong encryption, but this doesn't
> keep people from trying to exploit the PPTP security issues for Microsoft's
> implementation.

Ok, here are the patches to pppd-2.3.11 to require encryption. The new
options are "require-mppe" and "require-mppe-stateless". You must first
apply the MPPE patches for pppd and then this one.

bye
   MM

PGP-RSA key available from:
http://horowitz.surfnet.nl:11371/pks/lookup?op=index&search=mm@lunetix.de
------------------------ cut here -----------------------------------
diff -ur ppp-2.3.11/pppd/ccp.c ppp-2.3.11.mppe/pppd/ccp.c
--- ppp-2.3.11/pppd/ccp.c	Thu Mar 16 17:47:42 2000
+++ ppp-2.3.11.mppe/pppd/ccp.c	Thu Mar 16 17:56:16 2000
@@ -37,6 +37,7 @@
 #include "mppe.h"
 #endif
 #include <net/ppp-comp.h>
+#include "lcp.h"

 static const char rcsid[] = RCSID;

@@ -103,6 +104,10 @@
       "Disallow stateless MPPE encryption" },
     { "-mppe-stateless", o_special_noarg, setnomppe_stateless,
       "Disallow stateless MPPE encryption" },
+    { "require-mppe", o_special_noarg, require_mppe,
+      "Require MPPE encryption" },
+    { "require-mppe-stateless", o_special_noarg, require_mppe,
+      "Require stateless MPPE encryption" },
 #endif

     { NULL }
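Review bot: the new `require-mppe-stateless` table entry names `require_mppe` as its handler instead of `require_mppe_stateless`, so the `require_mppe_stateless` flag is never set from the command line and the `require_mppe_stateless()` function added in mppe.c is unreachable; the entry should read `{ "require-mppe-stateless", o_special_noarg, require_mppe_stateless, "Require stateless MPPE encryption" }`. As posted, `require-mppe-stateless` behaves exactly like `require-mppe` and a stateful peer will be accepted.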
@@ -450,6 +455,8 @@
 {
     ccp_flags_set(unit, 0, 0);
     fsm_lowerdown(&ccp_fsm[unit]);
+    if ( ccp_wantoptions[unit].require_mppe ||
ccp_wantoptions[unit].require_mppe_stateless )
+	lcp_close(unit,"Encryption negotiation rejected");
 }

 /*
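Review bot: the continuation line `ccp_wantoptions[unit].require_mppe_stateless )` has lost its leading `+` to mail wrapping (the same happens to `ccp_wantoptions[f->unit].require_mppe ) {` in the next hunk and to the `= 0;` and `ccp_wantoptions[0].require_mppe_stateless = 1;` lines in mppe.c), so `patch` will reject these hunks as posted; each wrapped fragment has to be rejoined to the `+` line above it before applying, which matches the "by hand" application reported at the top of the thread. On the logic, closing LCP from this teardown path whenever either require flag is set is the right call: once encryption is mandatory, a CCP that is being torn down can never satisfy the policy, and leaving LCP up would let the link continue in the clear.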
@@ -1269,6 +1276,19 @@
 	    notice("%s receive compression enabled", method_name(go, NULL));
     } else if (ANY_COMPRESS(*ho))
 	notice("%s transmit compression enabled", method_name(ho, NULL));
+
+    if ( ccp_wantoptions[f->unit].require_mppe_stateless ||
ccp_wantoptions[f->unit].require_mppe ) {
+    	if ( (go->mppe_128 && ho->mppe_128) || (go->mppe_40 && ho->mppe_40 ) )
+    	    if ( ccp_wantoptions[f->unit].require_mppe_stateless )
+		if ( go->mppe_stateless && ho->mppe_stateless )
+	            notice("stateless MPPE enforced");
+	        else
+	            lcp_close(f->unit,"stateless encryption negotiation failed");
+	    else
+	        notice("stateless MPPE enforced");
+	else
+	    lcp_close(f->unit,"encryption negotiation failed");
+    }
 }

 /*
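Review bot: the inner `else` branch that runs when `require_mppe_stateless` is false logs "stateless MPPE enforced" although stateless mode was neither required nor checked there; it should say "MPPE enforced". The three nested if/else levels without braces only parse as intended because each `else` binds to the nearest `if`; wrap each level in braces or flatten the chain into sequential checks (no common MPPE in both directions: close LCP; stateless required but `go->mppe_stateless && ho->mppe_stateless` false: close LCP; otherwise notice). Note also that `(go->mppe_40 && ho->mppe_40)` lets 40-bit keys satisfy `require-mppe`, while the request at the top of the thread was for 128-bit only; a separate option would be needed to refuse 40-bit. Finally, this check runs only once CCP reaches Opened; consider enforcing from the CCP down path as well so that a negotiation that never reaches this function is still covered.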
diff -ur ppp-2.3.11/pppd/ccp.h ppp-2.3.11.mppe/pppd/ccp.h
--- ppp-2.3.11/pppd/ccp.h	Thu Mar 16 17:47:42 2000
+++ ppp-2.3.11.mppe/pppd/ccp.h	Thu Mar 16 16:25:50 2000
@@ -38,6 +38,8 @@
     bool mppe_40;		/* allow 40 bit encryption */
     bool mppe_128;		/* allow 128 bit encryption */
     bool mppe_stateless;	/* allow stateless encryption */
+    bool require_mppe;		/* force mppe encryption */
+    bool require_mppe_stateless;	/* force stateless encryption */
     u_short bsd_bits;		/* # bits/code for BSD Compress */
     u_short deflate_size;	/* lg(window size) for Deflate */
     short method;		/* code for chosen compression method */
diff -ur ppp-2.3.11/pppd/mppe.c ppp-2.3.11.mppe/pppd/mppe.c
--- ppp-2.3.11/pppd/mppe.c	Thu Mar 16 17:47:42 2000
+++ ppp-2.3.11.mppe/pppd/mppe.c	Thu Mar 16 17:06:34 2000
@@ -226,4 +226,20 @@
     ccp_allowoptions[0].mppe_stateless = ccp_wantoptions[0].mppe_stateless
= 0;
     return 1;
 }
+
+int
+require_mppe(char **argv)
+{
+    ccp_allowoptions[0].require_mppe = ccp_wantoptions[0].require_mppe = 1;
+    return 1;
+}
+
+int
+require_mppe_stateless(char **argv)
+{
+    ccp_allowoptions[0].require_mppe = ccp_wantoptions[0].require_mppe = 1;
+    ccp_allowoptions[0].require_mppe_stateless =
ccp_wantoptions[0].require_mppe_stateless = 1;
+    return 1;
+}
+
 #endif /* MPPE */
diff -ur ppp-2.3.11/pppd/mppe.h ppp-2.3.11.mppe/pppd/mppe.h
--- ppp-2.3.11/pppd/mppe.h	Thu Mar 16 17:47:42 2000
+++ ppp-2.3.11.mppe/pppd/mppe.h	Thu Mar 16 16:25:00 2000
@@ -51,6 +51,8 @@
 int setnomppe_128(char **);
 int setmppe_stateless(char **);
 int setnomppe_stateless(char **);
+int require_mppe(char **);
+int require_mppe_stateless(char **);

 #define __MPPE_INCLUDE__
 #endif /* __MPPE_INCLUDE__ */
------------------------ cut here -----------------------------------
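A standalone model of the decision the patch makes when CCP comes up, written as sequential checks rather than the nested if/else in the ccp.c hunk. This is an added example, not pppd code and not part of Martin's patch: the `mppe_neg` and `mppe_policy` structs, `mppe_check_policy`, `mppe_check_flags` and the `NEG_*`/`POL_*` flags are this example's own names (the bool field names mirror the ones the patch reads from pppd's `ccp_options`), and the `require_128` policy bit is an assumption added because the thread asks for 128-bit only while the patch has no such option.

```c
#include <stdbool.h>
#include <stdio.h>

/* Negotiated MPPE state for one direction. Field names mirror the bools
 * the patch reads from pppd's ccp_options (go = what we use on receive,
 * ho = what the peer uses on transmit), but this struct is the example's
 * own, not pppd's. */
struct mppe_neg {
    bool mppe_40;         /* 40-bit MPPE negotiated for this direction */
    bool mppe_128;        /* 128-bit MPPE negotiated for this direction */
    bool mppe_stateless;  /* stateless mode (key changes every packet) */
};

struct mppe_policy {
    bool require_mppe;            /* the patch's require-mppe */
    bool require_mppe_stateless;  /* the patch's require-mppe-stateless */
    bool require_128;             /* assumption: refuse 40-bit keys; the patch
                                     has no such option, the thread asks for it */
};

enum mppe_verdict {
    MPPE_OK = 0,          /* keep the link */
    MPPE_NO_ENCRYPTION,   /* close LCP: no MPPE in at least one direction */
    MPPE_WEAK_KEY,        /* close LCP: 128-bit required, 40-bit negotiated */
    MPPE_STATEFUL         /* close LCP: stateless required, stateful negotiated */
};

/* Evaluate the local policy against the negotiated result. *reason receives
 * a log string in the style of the patch's lcp_close() messages. */
enum mppe_verdict
mppe_check_policy(const struct mppe_policy *pol,
                  const struct mppe_neg *go, const struct mppe_neg *ho,
                  const char **reason)
{
    *reason = "MPPE policy satisfied";
    /* require-mppe-stateless implies require-mppe, as in the patch. */
    if (!pol->require_mppe && !pol->require_mppe_stateless)
        return MPPE_OK;

    /* Encryption must be on in both directions. A 40/128 mix is still
     * encrypted, so it passes this step (the patch insists on equal strength). */
    if (!(go->mppe_40 || go->mppe_128) || !(ho->mppe_40 || ho->mppe_128)) {
        *reason = "encryption negotiation failed";
        return MPPE_NO_ENCRYPTION;
    }
    if (pol->require_128 && !(go->mppe_128 && ho->mppe_128)) {
        *reason = "128-bit encryption negotiation failed";
        return MPPE_WEAK_KEY;
    }
    if (pol->require_mppe_stateless &&
        !(go->mppe_stateless && ho->mppe_stateless)) {
        *reason = "stateless encryption negotiation failed";
        return MPPE_STATEFUL;
    }
    return MPPE_OK;
}

/* Flag bits for the compact wrapper below (example's own, not pppd's). */
#define NEG_40        0x1u
#define NEG_128       0x2u
#define NEG_STATELESS 0x4u
#define POL_MPPE      0x1u
#define POL_STATELESS 0x2u
#define POL_128       0x4u

/* Same decision from bit flags, convenient for tabulating cases. */
enum mppe_verdict
mppe_check_flags(unsigned pol_flags, unsigned go_flags, unsigned ho_flags)
{
    struct mppe_policy pol = {
        (pol_flags & POL_MPPE) != 0,
        (pol_flags & POL_STATELESS) != 0,
        (pol_flags & POL_128) != 0
    };
    struct mppe_neg go = {
        (go_flags & NEG_40) != 0, (go_flags & NEG_128) != 0,
        (go_flags & NEG_STATELESS) != 0
    };
    struct mppe_neg ho = {
        (ho_flags & NEG_40) != 0, (ho_flags & NEG_128) != 0,
        (ho_flags & NEG_STATELESS) != 0
    };
    const char *reason;
    return mppe_check_policy(&pol, &go, &ho, &reason);
}

int main(void)
{
    /* Constructed case: server requires stateless MPPE, peer negotiated
     * 128-bit but stateful. The link should be closed. */
    struct mppe_policy pol = { true, true, false };
    struct mppe_neg go = { false, true, true };
    struct mppe_neg ho = { false, true, false };
    const char *reason;
    enum mppe_verdict v = mppe_check_policy(&pol, &go, &ho, &reason);
    printf("%s (verdict %d)\n", reason, (int)v);
    return v == MPPE_OK ? 0 : 1;
}
```

The ordering matters: the "no encryption" check comes before the key-strength and stateless checks, so the log reason names the first policy the peer failed, and a `require_mppe_stateless` policy still fails a peer that offers no MPPE at all even though `require_mppe` was not set explicitly.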