]>
Commit | Line | Data |
---|---|---|
b3f9b92a MD |
1 | /* |
2 | * ppp_mppe.c - interface MPPE to the PPP code. | |
3 | * This version is for use with Linux kernel 2.6.14+ | |
4 | * | |
5 | * By Frank Cusack <fcusack@fcusack.com>. | |
6 | * Copyright (c) 2002,2003,2004 Google, Inc. | |
7 | * All rights reserved. | |
8 | * | |
9 | * License: | |
10 | * Permission to use, copy, modify, and distribute this software and its | |
11 | * documentation is hereby granted, provided that the above copyright | |
12 | * notice appears in all copies. This software is provided without any | |
13 | * warranty, express or implied. | |
14 | * | |
15 | * ALTERNATIVELY, provided that this notice is retained in full, this product | |
16 | * may be distributed under the terms of the GNU General Public License (GPL), | |
17 | * in which case the provisions of the GPL apply INSTEAD OF those given above. | |
18 | * | |
19 | * This program is free software; you can redistribute it and/or modify | |
20 | * it under the terms of the GNU General Public License as published by | |
21 | * the Free Software Foundation; either version 2 of the License, or | |
22 | * (at your option) any later version. | |
23 | * | |
24 | * This program is distributed in the hope that it will be useful, | |
25 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
26 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
27 | * GNU General Public License for more details. | |
28 | * | |
29 | * You should have received a copy of the GNU General Public License | |
adf8d3ff | 30 | * along with this program; if not, see <http://www.gnu.org/licenses/>. |
b3f9b92a MD |
31 | * |
32 | * | |
33 | * Changelog: | |
34 | * 08/12/05 - Matt Domsch <Matt_Domsch@dell.com> | |
35 | * Only need extra skb padding on transmit, not receive. | |
36 | * 06/18/04 - Matt Domsch <Matt_Domsch@dell.com>, Oleg Makarenko <mole@quadra.ru> | |
37 | * Use Linux kernel 2.6 arc4 and sha1 routines rather than | |
38 | * providing our own. | |
39 | * 2/15/04 - TS: added #include <version.h> and testing for Kernel | |
40 | * version before using | |
41 | * MOD_DEC_USAGE_COUNT/MOD_INC_USAGE_COUNT which are | |
42 | * deprecated in 2.6 | |
43 | */ | |
44 | ||
fdb89b1b HX |
45 | #include <crypto/hash.h> |
46 | #include <crypto/skcipher.h> | |
f12cc209 | 47 | #include <linux/err.h> |
b3f9b92a MD |
48 | #include <linux/module.h> |
49 | #include <linux/kernel.h> | |
b3f9b92a MD |
50 | #include <linux/init.h> |
51 | #include <linux/types.h> | |
52 | #include <linux/slab.h> | |
53 | #include <linux/string.h> | |
b3f9b92a MD |
54 | #include <linux/mm.h> |
55 | #include <linux/ppp_defs.h> | |
56 | #include <linux/ppp-comp.h> | |
45711f1a | 57 | #include <linux/scatterlist.h> |
96545aeb | 58 | #include <asm/unaligned.h> |
b3f9b92a MD |
59 | |
60 | #include "ppp_mppe.h" | |
61 | ||
62 | MODULE_AUTHOR("Frank Cusack <fcusack@fcusack.com>"); | |
63 | MODULE_DESCRIPTION("Point-to-Point Protocol Microsoft Point-to-Point Encryption support"); | |
64 | MODULE_LICENSE("Dual BSD/GPL"); | |
65 | MODULE_ALIAS("ppp-compress-" __stringify(CI_MPPE)); | |
66 | MODULE_VERSION("1.0.2"); | |
67 | ||
35058687 | 68 | static unsigned int |
b3f9b92a MD |
69 | setup_sg(struct scatterlist *sg, const void *address, unsigned int length) |
70 | { | |
68e3f5dd | 71 | sg_set_buf(sg, address, length); |
35058687 | 72 | return length; |
b3f9b92a MD |
73 | } |
74 | ||
75 | #define SHA1_PAD_SIZE 40 | |
76 | ||
77 | /* | |
78 | * kernel crypto API needs its arguments to be in kmalloc'd memory, not in the module | |
79 | * static data area. That means sha_pad needs to be kmalloc'd. | |
80 | */ | |
81 | ||
82 | struct sha_pad { | |
83 | unsigned char sha_pad1[SHA1_PAD_SIZE]; | |
84 | unsigned char sha_pad2[SHA1_PAD_SIZE]; | |
85 | }; | |
86 | static struct sha_pad *sha_pad; | |
87 | ||
88 | static inline void sha_pad_init(struct sha_pad *shapad) | |
89 | { | |
90 | memset(shapad->sha_pad1, 0x00, sizeof(shapad->sha_pad1)); | |
91 | memset(shapad->sha_pad2, 0xF2, sizeof(shapad->sha_pad2)); | |
92 | } | |
93 | ||
94 | /* | |
95 | * State for an MPPE (de)compressor. | |
96 | */ | |
97 | struct ppp_mppe_state { | |
fdb89b1b HX |
98 | struct crypto_skcipher *arc4; |
99 | struct crypto_ahash *sha1; | |
b3f9b92a MD |
100 | unsigned char *sha1_digest; |
101 | unsigned char master_key[MPPE_MAX_KEY_LEN]; | |
102 | unsigned char session_key[MPPE_MAX_KEY_LEN]; | |
103 | unsigned keylen; /* key length in bytes */ | |
104 | /* NB: 128-bit == 16, 40-bit == 8! */ | |
105 | /* If we want to support 56-bit, */ | |
106 | /* the unit has to change to bits */ | |
107 | unsigned char bits; /* MPPE control bits */ | |
108 | unsigned ccount; /* 12-bit coherency count (seqno) */ | |
109 | unsigned stateful; /* stateful mode flag */ | |
110 | int discard; /* stateful mode packet loss flag */ | |
111 | int sanity_errors; /* take down LCP if too many */ | |
112 | int unit; | |
113 | int debug; | |
114 | struct compstat stats; | |
115 | }; | |
116 | ||
117 | /* struct ppp_mppe_state.bits definitions */ | |
118 | #define MPPE_BIT_A 0x80 /* Encryption table were (re)inititalized */ | |
119 | #define MPPE_BIT_B 0x40 /* MPPC only (not implemented) */ | |
120 | #define MPPE_BIT_C 0x20 /* MPPC only (not implemented) */ | |
121 | #define MPPE_BIT_D 0x10 /* This is an encrypted frame */ | |
122 | ||
123 | #define MPPE_BIT_FLUSHED MPPE_BIT_A | |
124 | #define MPPE_BIT_ENCRYPTED MPPE_BIT_D | |
125 | ||
126 | #define MPPE_BITS(p) ((p)[4] & 0xf0) | |
127 | #define MPPE_CCOUNT(p) ((((p)[4] & 0x0f) << 8) + (p)[5]) | |
128 | #define MPPE_CCOUNT_SPACE 0x1000 /* The size of the ccount space */ | |
129 | ||
130 | #define MPPE_OVHD 2 /* MPPE overhead/packet */ | |
131 | #define SANITY_MAX 1600 /* Max bogon factor we will tolerate */ | |
132 | ||
133 | /* | |
134 | * Key Derivation, from RFC 3078, RFC 3079. | |
135 | * Equivalent to Get_Key() for MS-CHAP as described in RFC 3079. | |
136 | */ | |
45dfd5b5 | 137 | static void get_new_key_from_sha(struct ppp_mppe_state * state) |
b3f9b92a | 138 | { |
fdb89b1b | 139 | AHASH_REQUEST_ON_STACK(req, state->sha1); |
b3f9b92a | 140 | struct scatterlist sg[4]; |
35058687 | 141 | unsigned int nbytes; |
b3f9b92a | 142 | |
68e3f5dd HX |
143 | sg_init_table(sg, 4); |
144 | ||
35058687 HX |
145 | nbytes = setup_sg(&sg[0], state->master_key, state->keylen); |
146 | nbytes += setup_sg(&sg[1], sha_pad->sha_pad1, | |
147 | sizeof(sha_pad->sha_pad1)); | |
148 | nbytes += setup_sg(&sg[2], state->session_key, state->keylen); | |
149 | nbytes += setup_sg(&sg[3], sha_pad->sha_pad2, | |
150 | sizeof(sha_pad->sha_pad2)); | |
b3f9b92a | 151 | |
fdb89b1b HX |
152 | ahash_request_set_tfm(req, state->sha1); |
153 | ahash_request_set_callback(req, 0, NULL, NULL); | |
154 | ahash_request_set_crypt(req, sg, state->sha1_digest, nbytes); | |
35058687 | 155 | |
fdb89b1b HX |
156 | crypto_ahash_digest(req); |
157 | ahash_request_zero(req); | |
b3f9b92a MD |
158 | } |
159 | ||
160 | /* | |
161 | * Perform the MPPE rekey algorithm, from RFC 3078, sec. 7.3. | |
162 | * Well, not what's written there, but rather what they meant. | |
163 | */ | |
164 | static void mppe_rekey(struct ppp_mppe_state * state, int initial_key) | |
165 | { | |
b3f9b92a | 166 | struct scatterlist sg_in[1], sg_out[1]; |
fdb89b1b HX |
167 | SKCIPHER_REQUEST_ON_STACK(req, state->arc4); |
168 | ||
169 | skcipher_request_set_tfm(req, state->arc4); | |
170 | skcipher_request_set_callback(req, 0, NULL, NULL); | |
b3f9b92a | 171 | |
45dfd5b5 | 172 | get_new_key_from_sha(state); |
b3f9b92a | 173 | if (!initial_key) { |
fdb89b1b HX |
174 | crypto_skcipher_setkey(state->arc4, state->sha1_digest, |
175 | state->keylen); | |
68e3f5dd HX |
176 | sg_init_table(sg_in, 1); |
177 | sg_init_table(sg_out, 1); | |
45dfd5b5 | 178 | setup_sg(sg_in, state->sha1_digest, state->keylen); |
b3f9b92a | 179 | setup_sg(sg_out, state->session_key, state->keylen); |
fdb89b1b HX |
180 | skcipher_request_set_crypt(req, sg_in, sg_out, state->keylen, |
181 | NULL); | |
182 | if (crypto_skcipher_encrypt(req)) | |
b3f9b92a | 183 | printk(KERN_WARNING "mppe_rekey: cipher_encrypt failed\n"); |
b3f9b92a | 184 | } else { |
45dfd5b5 | 185 | memcpy(state->session_key, state->sha1_digest, state->keylen); |
b3f9b92a MD |
186 | } |
187 | if (state->keylen == 8) { | |
188 | /* See RFC 3078 */ | |
189 | state->session_key[0] = 0xd1; | |
190 | state->session_key[1] = 0x26; | |
191 | state->session_key[2] = 0x9e; | |
192 | } | |
fdb89b1b HX |
193 | crypto_skcipher_setkey(state->arc4, state->session_key, state->keylen); |
194 | skcipher_request_zero(req); | |
b3f9b92a MD |
195 | } |
196 | ||
197 | /* | |
198 | * Allocate space for a (de)compressor. | |
199 | */ | |
200 | static void *mppe_alloc(unsigned char *options, int optlen) | |
201 | { | |
202 | struct ppp_mppe_state *state; | |
203 | unsigned int digestsize; | |
204 | ||
8e95a202 JP |
205 | if (optlen != CILEN_MPPE + sizeof(state->master_key) || |
206 | options[0] != CI_MPPE || options[1] != CILEN_MPPE) | |
b3f9b92a MD |
207 | goto out; |
208 | ||
dd00cc48 | 209 | state = kzalloc(sizeof(*state), GFP_KERNEL); |
b3f9b92a MD |
210 | if (state == NULL) |
211 | goto out; | |
212 | ||
b3f9b92a | 213 | |
fdb89b1b | 214 | state->arc4 = crypto_alloc_skcipher("ecb(arc4)", 0, CRYPTO_ALG_ASYNC); |
f12cc209 HX |
215 | if (IS_ERR(state->arc4)) { |
216 | state->arc4 = NULL; | |
b3f9b92a | 217 | goto out_free; |
f12cc209 | 218 | } |
b3f9b92a | 219 | |
fdb89b1b | 220 | state->sha1 = crypto_alloc_ahash("sha1", 0, CRYPTO_ALG_ASYNC); |
35058687 HX |
221 | if (IS_ERR(state->sha1)) { |
222 | state->sha1 = NULL; | |
b3f9b92a | 223 | goto out_free; |
35058687 | 224 | } |
b3f9b92a | 225 | |
fdb89b1b | 226 | digestsize = crypto_ahash_digestsize(state->sha1); |
b3f9b92a MD |
227 | if (digestsize < MPPE_MAX_KEY_LEN) |
228 | goto out_free; | |
229 | ||
230 | state->sha1_digest = kmalloc(digestsize, GFP_KERNEL); | |
231 | if (!state->sha1_digest) | |
232 | goto out_free; | |
233 | ||
234 | /* Save keys. */ | |
235 | memcpy(state->master_key, &options[CILEN_MPPE], | |
236 | sizeof(state->master_key)); | |
237 | memcpy(state->session_key, state->master_key, | |
238 | sizeof(state->master_key)); | |
239 | ||
240 | /* | |
241 | * We defer initial key generation until mppe_init(), as mppe_alloc() | |
242 | * is called frequently during negotiation. | |
243 | */ | |
244 | ||
245 | return (void *)state; | |
246 | ||
fdb89b1b HX |
247 | out_free: |
248 | kfree(state->sha1_digest); | |
249 | crypto_free_ahash(state->sha1); | |
250 | crypto_free_skcipher(state->arc4); | |
251 | kfree(state); | |
252 | out: | |
b3f9b92a MD |
253 | return NULL; |
254 | } | |
255 | ||
256 | /* | |
257 | * Deallocate space for a (de)compressor. | |
258 | */ | |
259 | static void mppe_free(void *arg) | |
260 | { | |
261 | struct ppp_mppe_state *state = (struct ppp_mppe_state *) arg; | |
262 | if (state) { | |
b3f9b92a | 263 | kfree(state->sha1_digest); |
fdb89b1b HX |
264 | crypto_free_ahash(state->sha1); |
265 | crypto_free_skcipher(state->arc4); | |
266 | kfree(state); | |
b3f9b92a MD |
267 | } |
268 | } | |
269 | ||
270 | /* | |
271 | * Initialize (de)compressor state. | |
272 | */ | |
273 | static int | |
274 | mppe_init(void *arg, unsigned char *options, int optlen, int unit, int debug, | |
275 | const char *debugstr) | |
276 | { | |
277 | struct ppp_mppe_state *state = (struct ppp_mppe_state *) arg; | |
278 | unsigned char mppe_opts; | |
279 | ||
8e95a202 JP |
280 | if (optlen != CILEN_MPPE || |
281 | options[0] != CI_MPPE || options[1] != CILEN_MPPE) | |
b3f9b92a MD |
282 | return 0; |
283 | ||
284 | MPPE_CI_TO_OPTS(&options[2], mppe_opts); | |
285 | if (mppe_opts & MPPE_OPT_128) | |
286 | state->keylen = 16; | |
287 | else if (mppe_opts & MPPE_OPT_40) | |
288 | state->keylen = 8; | |
289 | else { | |
290 | printk(KERN_WARNING "%s[%d]: unknown key length\n", debugstr, | |
291 | unit); | |
292 | return 0; | |
293 | } | |
294 | if (mppe_opts & MPPE_OPT_STATEFUL) | |
295 | state->stateful = 1; | |
296 | ||
297 | /* Generate the initial session key. */ | |
298 | mppe_rekey(state, 1); | |
299 | ||
300 | if (debug) { | |
301 | int i; | |
302 | char mkey[sizeof(state->master_key) * 2 + 1]; | |
303 | char skey[sizeof(state->session_key) * 2 + 1]; | |
304 | ||
305 | printk(KERN_DEBUG "%s[%d]: initialized with %d-bit %s mode\n", | |
306 | debugstr, unit, (state->keylen == 16) ? 128 : 40, | |
307 | (state->stateful) ? "stateful" : "stateless"); | |
308 | ||
309 | for (i = 0; i < sizeof(state->master_key); i++) | |
310 | sprintf(mkey + i * 2, "%02x", state->master_key[i]); | |
311 | for (i = 0; i < sizeof(state->session_key); i++) | |
312 | sprintf(skey + i * 2, "%02x", state->session_key[i]); | |
313 | printk(KERN_DEBUG | |
314 | "%s[%d]: keys: master: %s initial session: %s\n", | |
315 | debugstr, unit, mkey, skey); | |
316 | } | |
317 | ||
318 | /* | |
319 | * Initialize the coherency count. The initial value is not specified | |
320 | * in RFC 3078, but we can make a reasonable assumption that it will | |
321 | * start at 0. Setting it to the max here makes the comp/decomp code | |
322 | * do the right thing (determined through experiment). | |
323 | */ | |
324 | state->ccount = MPPE_CCOUNT_SPACE - 1; | |
325 | ||
326 | /* | |
327 | * Note that even though we have initialized the key table, we don't | |
328 | * set the FLUSHED bit. This is contrary to RFC 3078, sec. 3.1. | |
329 | */ | |
330 | state->bits = MPPE_BIT_ENCRYPTED; | |
331 | ||
332 | state->unit = unit; | |
333 | state->debug = debug; | |
334 | ||
335 | return 1; | |
336 | } | |
337 | ||
338 | static int | |
339 | mppe_comp_init(void *arg, unsigned char *options, int optlen, int unit, | |
340 | int hdrlen, int debug) | |
341 | { | |
342 | /* ARGSUSED */ | |
343 | return mppe_init(arg, options, optlen, unit, debug, "mppe_comp_init"); | |
344 | } | |
345 | ||
346 | /* | |
347 | * We received a CCP Reset-Request (actually, we are sending a Reset-Ack), | |
348 | * tell the compressor to rekey. Note that we MUST NOT rekey for | |
349 | * every CCP Reset-Request; we only rekey on the next xmit packet. | |
350 | * We might get multiple CCP Reset-Requests if our CCP Reset-Ack is lost. | |
351 | * So, rekeying for every CCP Reset-Request is broken as the peer will not | |
352 | * know how many times we've rekeyed. (If we rekey and THEN get another | |
353 | * CCP Reset-Request, we must rekey again.) | |
354 | */ | |
355 | static void mppe_comp_reset(void *arg) | |
356 | { | |
357 | struct ppp_mppe_state *state = (struct ppp_mppe_state *) arg; | |
358 | ||
359 | state->bits |= MPPE_BIT_FLUSHED; | |
360 | } | |
361 | ||
362 | /* | |
363 | * Compress (encrypt) a packet. | |
364 | * It's strange to call this a compressor, since the output is always | |
365 | * MPPE_OVHD + 2 bytes larger than the input. | |
366 | */ | |
367 | static int | |
368 | mppe_compress(void *arg, unsigned char *ibuf, unsigned char *obuf, | |
369 | int isize, int osize) | |
370 | { | |
371 | struct ppp_mppe_state *state = (struct ppp_mppe_state *) arg; | |
fdb89b1b | 372 | SKCIPHER_REQUEST_ON_STACK(req, state->arc4); |
b3f9b92a | 373 | int proto; |
fdb89b1b | 374 | int err; |
b3f9b92a MD |
375 | struct scatterlist sg_in[1], sg_out[1]; |
376 | ||
377 | /* | |
378 | * Check that the protocol is in the range we handle. | |
379 | */ | |
380 | proto = PPP_PROTOCOL(ibuf); | |
381 | if (proto < 0x0021 || proto > 0x00fa) | |
382 | return 0; | |
383 | ||
384 | /* Make sure we have enough room to generate an encrypted packet. */ | |
385 | if (osize < isize + MPPE_OVHD + 2) { | |
386 | /* Drop the packet if we should encrypt it, but can't. */ | |
387 | printk(KERN_DEBUG "mppe_compress[%d]: osize too small! " | |
388 | "(have: %d need: %d)\n", state->unit, | |
389 | osize, osize + MPPE_OVHD + 2); | |
390 | return -1; | |
391 | } | |
392 | ||
393 | osize = isize + MPPE_OVHD + 2; | |
394 | ||
395 | /* | |
396 | * Copy over the PPP header and set control bits. | |
397 | */ | |
398 | obuf[0] = PPP_ADDRESS(ibuf); | |
399 | obuf[1] = PPP_CONTROL(ibuf); | |
96545aeb | 400 | put_unaligned_be16(PPP_COMP, obuf + 2); |
b3f9b92a MD |
401 | obuf += PPP_HDRLEN; |
402 | ||
403 | state->ccount = (state->ccount + 1) % MPPE_CCOUNT_SPACE; | |
404 | if (state->debug >= 7) | |
405 | printk(KERN_DEBUG "mppe_compress[%d]: ccount %d\n", state->unit, | |
406 | state->ccount); | |
96545aeb | 407 | put_unaligned_be16(state->ccount, obuf); |
b3f9b92a MD |
408 | |
409 | if (!state->stateful || /* stateless mode */ | |
410 | ((state->ccount & 0xff) == 0xff) || /* "flag" packet */ | |
411 | (state->bits & MPPE_BIT_FLUSHED)) { /* CCP Reset-Request */ | |
412 | /* We must rekey */ | |
413 | if (state->debug && state->stateful) | |
414 | printk(KERN_DEBUG "mppe_compress[%d]: rekeying\n", | |
415 | state->unit); | |
416 | mppe_rekey(state, 0); | |
417 | state->bits |= MPPE_BIT_FLUSHED; | |
418 | } | |
419 | obuf[0] |= state->bits; | |
420 | state->bits &= ~MPPE_BIT_FLUSHED; /* reset for next xmit */ | |
421 | ||
422 | obuf += MPPE_OVHD; | |
423 | ibuf += 2; /* skip to proto field */ | |
424 | isize -= 2; | |
425 | ||
426 | /* Encrypt packet */ | |
68e3f5dd HX |
427 | sg_init_table(sg_in, 1); |
428 | sg_init_table(sg_out, 1); | |
b3f9b92a MD |
429 | setup_sg(sg_in, ibuf, isize); |
430 | setup_sg(sg_out, obuf, osize); | |
fdb89b1b HX |
431 | |
432 | skcipher_request_set_tfm(req, state->arc4); | |
433 | skcipher_request_set_callback(req, 0, NULL, NULL); | |
434 | skcipher_request_set_crypt(req, sg_in, sg_out, isize, NULL); | |
435 | err = crypto_skcipher_encrypt(req); | |
436 | skcipher_request_zero(req); | |
437 | if (err) { | |
b3f9b92a MD |
438 | printk(KERN_DEBUG "crypto_cypher_encrypt failed\n"); |
439 | return -1; | |
440 | } | |
441 | ||
442 | state->stats.unc_bytes += isize; | |
443 | state->stats.unc_packets++; | |
444 | state->stats.comp_bytes += osize; | |
445 | state->stats.comp_packets++; | |
446 | ||
447 | return osize; | |
448 | } | |
449 | ||
450 | /* | |
451 | * Since every frame grows by MPPE_OVHD + 2 bytes, this is always going | |
452 | * to look bad ... and the longer the link is up the worse it will get. | |
453 | */ | |
454 | static void mppe_comp_stats(void *arg, struct compstat *stats) | |
455 | { | |
456 | struct ppp_mppe_state *state = (struct ppp_mppe_state *) arg; | |
457 | ||
458 | *stats = state->stats; | |
459 | } | |
460 | ||
461 | static int | |
462 | mppe_decomp_init(void *arg, unsigned char *options, int optlen, int unit, | |
463 | int hdrlen, int mru, int debug) | |
464 | { | |
465 | /* ARGSUSED */ | |
466 | return mppe_init(arg, options, optlen, unit, debug, "mppe_decomp_init"); | |
467 | } | |
468 | ||
469 | /* | |
470 | * We received a CCP Reset-Ack. Just ignore it. | |
471 | */ | |
472 | static void mppe_decomp_reset(void *arg) | |
473 | { | |
474 | /* ARGSUSED */ | |
475 | return; | |
476 | } | |
477 | ||
478 | /* | |
479 | * Decompress (decrypt) an MPPE packet. | |
480 | */ | |
481 | static int | |
482 | mppe_decompress(void *arg, unsigned char *ibuf, int isize, unsigned char *obuf, | |
483 | int osize) | |
484 | { | |
485 | struct ppp_mppe_state *state = (struct ppp_mppe_state *) arg; | |
fdb89b1b | 486 | SKCIPHER_REQUEST_ON_STACK(req, state->arc4); |
b3f9b92a MD |
487 | unsigned ccount; |
488 | int flushed = MPPE_BITS(ibuf) & MPPE_BIT_FLUSHED; | |
b3f9b92a MD |
489 | struct scatterlist sg_in[1], sg_out[1]; |
490 | ||
491 | if (isize <= PPP_HDRLEN + MPPE_OVHD) { | |
492 | if (state->debug) | |
493 | printk(KERN_DEBUG | |
494 | "mppe_decompress[%d]: short pkt (%d)\n", | |
495 | state->unit, isize); | |
496 | return DECOMP_ERROR; | |
497 | } | |
498 | ||
499 | /* | |
500 | * Make sure we have enough room to decrypt the packet. | |
7e4a6da7 DM |
501 | * Note that for our test we only subtract 1 byte whereas in |
502 | * mppe_compress() we added 2 bytes (+MPPE_OVHD); | |
503 | * this is to account for possible PFC. | |
b3f9b92a | 504 | */ |
7e4a6da7 | 505 | if (osize < isize - MPPE_OVHD - 1) { |
b3f9b92a MD |
506 | printk(KERN_DEBUG "mppe_decompress[%d]: osize too small! " |
507 | "(have: %d need: %d)\n", state->unit, | |
7e4a6da7 | 508 | osize, isize - MPPE_OVHD - 1); |
b3f9b92a MD |
509 | return DECOMP_ERROR; |
510 | } | |
511 | osize = isize - MPPE_OVHD - 2; /* assume no PFC */ | |
512 | ||
513 | ccount = MPPE_CCOUNT(ibuf); | |
514 | if (state->debug >= 7) | |
515 | printk(KERN_DEBUG "mppe_decompress[%d]: ccount %d\n", | |
516 | state->unit, ccount); | |
517 | ||
518 | /* sanity checks -- terminate with extreme prejudice */ | |
519 | if (!(MPPE_BITS(ibuf) & MPPE_BIT_ENCRYPTED)) { | |
520 | printk(KERN_DEBUG | |
521 | "mppe_decompress[%d]: ENCRYPTED bit not set!\n", | |
522 | state->unit); | |
523 | state->sanity_errors += 100; | |
32530189 | 524 | goto sanity_error; |
b3f9b92a MD |
525 | } |
526 | if (!state->stateful && !flushed) { | |
527 | printk(KERN_DEBUG "mppe_decompress[%d]: FLUSHED bit not set in " | |
528 | "stateless mode!\n", state->unit); | |
529 | state->sanity_errors += 100; | |
32530189 | 530 | goto sanity_error; |
b3f9b92a MD |
531 | } |
532 | if (state->stateful && ((ccount & 0xff) == 0xff) && !flushed) { | |
533 | printk(KERN_DEBUG "mppe_decompress[%d]: FLUSHED bit not set on " | |
534 | "flag packet!\n", state->unit); | |
535 | state->sanity_errors += 100; | |
32530189 | 536 | goto sanity_error; |
b3f9b92a MD |
537 | } |
538 | ||
539 | /* | |
540 | * Check the coherency count. | |
541 | */ | |
542 | ||
543 | if (!state->stateful) { | |
03654763 SR |
544 | /* Discard late packet */ |
545 | if ((ccount - state->ccount) % MPPE_CCOUNT_SPACE | |
546 | > MPPE_CCOUNT_SPACE / 2) { | |
547 | state->sanity_errors++; | |
548 | goto sanity_error; | |
549 | } | |
550 | ||
b3f9b92a MD |
551 | /* RFC 3078, sec 8.1. Rekey for every packet. */ |
552 | while (state->ccount != ccount) { | |
553 | mppe_rekey(state, 0); | |
554 | state->ccount = (state->ccount + 1) % MPPE_CCOUNT_SPACE; | |
555 | } | |
556 | } else { | |
557 | /* RFC 3078, sec 8.2. */ | |
558 | if (!state->discard) { | |
559 | /* normal state */ | |
560 | state->ccount = (state->ccount + 1) % MPPE_CCOUNT_SPACE; | |
561 | if (ccount != state->ccount) { | |
562 | /* | |
563 | * (ccount > state->ccount) | |
564 | * Packet loss detected, enter the discard state. | |
565 | * Signal the peer to rekey (by sending a CCP Reset-Request). | |
566 | */ | |
567 | state->discard = 1; | |
568 | return DECOMP_ERROR; | |
569 | } | |
570 | } else { | |
571 | /* discard state */ | |
572 | if (!flushed) { | |
573 | /* ccp.c will be silent (no additional CCP Reset-Requests). */ | |
574 | return DECOMP_ERROR; | |
575 | } else { | |
576 | /* Rekey for every missed "flag" packet. */ | |
577 | while ((ccount & ~0xff) != | |
578 | (state->ccount & ~0xff)) { | |
579 | mppe_rekey(state, 0); | |
580 | state->ccount = | |
581 | (state->ccount + | |
582 | 256) % MPPE_CCOUNT_SPACE; | |
583 | } | |
584 | ||
585 | /* reset */ | |
586 | state->discard = 0; | |
587 | state->ccount = ccount; | |
588 | /* | |
589 | * Another problem with RFC 3078 here. It implies that the | |
590 | * peer need not send a Reset-Ack packet. But RFC 1962 | |
591 | * requires it. Hopefully, M$ does send a Reset-Ack; even | |
592 | * though it isn't required for MPPE synchronization, it is | |
593 | * required to reset CCP state. | |
594 | */ | |
595 | } | |
596 | } | |
597 | if (flushed) | |
598 | mppe_rekey(state, 0); | |
599 | } | |
600 | ||
601 | /* | |
602 | * Fill in the first part of the PPP header. The protocol field | |
603 | * comes from the decrypted data. | |
604 | */ | |
605 | obuf[0] = PPP_ADDRESS(ibuf); /* +1 */ | |
606 | obuf[1] = PPP_CONTROL(ibuf); /* +1 */ | |
607 | obuf += 2; | |
608 | ibuf += PPP_HDRLEN + MPPE_OVHD; | |
609 | isize -= PPP_HDRLEN + MPPE_OVHD; /* -6 */ | |
610 | /* net osize: isize-4 */ | |
611 | ||
612 | /* | |
613 | * Decrypt the first byte in order to check if it is | |
614 | * a compressed or uncompressed protocol field. | |
615 | */ | |
68e3f5dd HX |
616 | sg_init_table(sg_in, 1); |
617 | sg_init_table(sg_out, 1); | |
b3f9b92a MD |
618 | setup_sg(sg_in, ibuf, 1); |
619 | setup_sg(sg_out, obuf, 1); | |
fdb89b1b HX |
620 | |
621 | skcipher_request_set_tfm(req, state->arc4); | |
622 | skcipher_request_set_callback(req, 0, NULL, NULL); | |
623 | skcipher_request_set_crypt(req, sg_in, sg_out, 1, NULL); | |
624 | if (crypto_skcipher_decrypt(req)) { | |
b3f9b92a | 625 | printk(KERN_DEBUG "crypto_cypher_decrypt failed\n"); |
fdb89b1b HX |
626 | osize = DECOMP_ERROR; |
627 | goto out_zap_req; | |
b3f9b92a MD |
628 | } |
629 | ||
630 | /* | |
631 | * Do PFC decompression. | |
632 | * This would be nicer if we were given the actual sk_buff | |
633 | * instead of a char *. | |
634 | */ | |
635 | if ((obuf[0] & 0x01) != 0) { | |
636 | obuf[1] = obuf[0]; | |
637 | obuf[0] = 0; | |
638 | obuf++; | |
639 | osize++; | |
640 | } | |
641 | ||
642 | /* And finally, decrypt the rest of the packet. */ | |
643 | setup_sg(sg_in, ibuf + 1, isize - 1); | |
644 | setup_sg(sg_out, obuf + 1, osize - 1); | |
fdb89b1b HX |
645 | skcipher_request_set_crypt(req, sg_in, sg_out, isize - 1, NULL); |
646 | if (crypto_skcipher_decrypt(req)) { | |
b3f9b92a | 647 | printk(KERN_DEBUG "crypto_cypher_decrypt failed\n"); |
fdb89b1b HX |
648 | osize = DECOMP_ERROR; |
649 | goto out_zap_req; | |
b3f9b92a MD |
650 | } |
651 | ||
652 | state->stats.unc_bytes += osize; | |
653 | state->stats.unc_packets++; | |
654 | state->stats.comp_bytes += isize; | |
655 | state->stats.comp_packets++; | |
656 | ||
657 | /* good packet credit */ | |
658 | state->sanity_errors >>= 1; | |
659 | ||
fdb89b1b HX |
660 | out_zap_req: |
661 | skcipher_request_zero(req); | |
b3f9b92a | 662 | return osize; |
32530189 SR |
663 | |
664 | sanity_error: | |
665 | if (state->sanity_errors < SANITY_MAX) | |
666 | return DECOMP_ERROR; | |
667 | else | |
668 | /* Take LCP down if the peer is sending too many bogons. | |
669 | * We don't want to do this for a single or just a few | |
670 | * instances since it could just be due to packet corruption. | |
671 | */ | |
672 | return DECOMP_FATALERROR; | |
b3f9b92a MD |
673 | } |
674 | ||
675 | /* | |
676 | * Incompressible data has arrived (this should never happen!). | |
677 | * We should probably drop the link if the protocol is in the range | |
678 | * of what should be encrypted. At the least, we should drop this | |
679 | * packet. (How to do this?) | |
680 | */ | |
681 | static void mppe_incomp(void *arg, unsigned char *ibuf, int icnt) | |
682 | { | |
683 | struct ppp_mppe_state *state = (struct ppp_mppe_state *) arg; | |
684 | ||
685 | if (state->debug && | |
686 | (PPP_PROTOCOL(ibuf) >= 0x0021 && PPP_PROTOCOL(ibuf) <= 0x00fa)) | |
687 | printk(KERN_DEBUG | |
688 | "mppe_incomp[%d]: incompressible (unencrypted) data! " | |
689 | "(proto %04x)\n", state->unit, PPP_PROTOCOL(ibuf)); | |
690 | ||
691 | state->stats.inc_bytes += icnt; | |
692 | state->stats.inc_packets++; | |
693 | state->stats.unc_bytes += icnt; | |
694 | state->stats.unc_packets++; | |
695 | } | |
696 | ||
697 | /************************************************************* | |
698 | * Module interface table | |
699 | *************************************************************/ | |
700 | ||
701 | /* | |
702 | * Procedures exported to if_ppp.c. | |
703 | */ | |
704 | static struct compressor ppp_mppe = { | |
705 | .compress_proto = CI_MPPE, | |
706 | .comp_alloc = mppe_alloc, | |
707 | .comp_free = mppe_free, | |
708 | .comp_init = mppe_comp_init, | |
709 | .comp_reset = mppe_comp_reset, | |
710 | .compress = mppe_compress, | |
711 | .comp_stat = mppe_comp_stats, | |
712 | .decomp_alloc = mppe_alloc, | |
713 | .decomp_free = mppe_free, | |
714 | .decomp_init = mppe_decomp_init, | |
715 | .decomp_reset = mppe_decomp_reset, | |
716 | .decompress = mppe_decompress, | |
717 | .incomp = mppe_incomp, | |
718 | .decomp_stat = mppe_comp_stats, | |
719 | .owner = THIS_MODULE, | |
720 | .comp_extra = MPPE_PAD, | |
721 | }; | |
722 | ||
723 | /* | |
724 | * ppp_mppe_init() | |
725 | * | |
726 | * Prior to allowing load, try to load the arc4 and sha1 crypto | |
727 | * libraries. The actual use will be allocated later, but | |
728 | * this way the module will fail to insmod if they aren't available. | |
729 | */ | |
730 | ||
731 | static int __init ppp_mppe_init(void) | |
732 | { | |
733 | int answer; | |
fdb89b1b HX |
734 | if (!(crypto_has_skcipher("ecb(arc4)", 0, CRYPTO_ALG_ASYNC) && |
735 | crypto_has_ahash("sha1", 0, CRYPTO_ALG_ASYNC))) | |
b3f9b92a MD |
736 | return -ENODEV; |
737 | ||
738 | sha_pad = kmalloc(sizeof(struct sha_pad), GFP_KERNEL); | |
739 | if (!sha_pad) | |
740 | return -ENOMEM; | |
741 | sha_pad_init(sha_pad); | |
742 | ||
743 | answer = ppp_register_compressor(&ppp_mppe); | |
744 | ||
745 | if (answer == 0) | |
746 | printk(KERN_INFO "PPP MPPE Compression module registered\n"); | |
747 | else | |
748 | kfree(sha_pad); | |
749 | ||
750 | return answer; | |
751 | } | |
752 | ||
753 | static void __exit ppp_mppe_cleanup(void) | |
754 | { | |
755 | ppp_unregister_compressor(&ppp_mppe); | |
756 | kfree(sha_pad); | |
757 | } | |
758 | ||
759 | module_init(ppp_mppe_init); | |
760 | module_exit(ppp_mppe_cleanup); |