1 /*        $NetBSD: ccp.c,v 1.6 2025/01/08 19:59:38 christos Exp $     */
2 
3 /*
4  * ccp.c - PPP Compression Control Protocol.
5  *
6  * Copyright (c) 1994-2024 Paul Mackerras. All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
21  * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
22  * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
23  * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
24  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
25  * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
26  * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
27  */
28 
29 #include <sys/cdefs.h>
30 __RCSID("$NetBSD: ccp.c,v 1.6 2025/01/08 19:59:38 christos Exp $");
31 
32 #ifdef HAVE_CONFIG_H
33 #include "config.h"
34 #endif
35 
36 #include <stdlib.h>
37 #include <string.h>
38 #if defined(__linux__)
39 #include <linux/ppp-comp.h>
40 #else
41 #include <net/ppp-comp.h>
42 #endif
43 
44 #include "pppd-private.h"
45 #include "options.h"
46 #include "fsm.h"
47 #include "ccp.h"
48 
49 #include "chap_ms.h"
50 #include "mppe.h"
51 #include "lcp.h"    /* lcp_close(), lcp_fsm */
52 
53 
54 /*
55  * Unfortunately there is a bug in zlib which means that using a
56  * size of 8 (window size = 256) for Deflate compression will cause
57  * buffer overruns and kernel crashes in the deflate module.
58  * Until this is fixed we only accept sizes in the range 9 .. 15.
59  * Thanks to James Carlson for pointing this out.
60  */
61 #define DEFLATE_MIN_WORKS     9
62 
63 /*
64  * Command-line options.
65  */
/* Handlers for the "bsdcomp" and "deflate" entries of ccp_option_list. */
static int setbsdcomp (char **);
static int setdeflate (char **);
/*
 * Printable copies of the most recently accepted "bsdcomp" / "deflate"
 * values.  The handlers fill them with slprintf() bounded by sizeof(),
 * and ccp_option_list references them as the options' string values.
 */
static char bsd_value[8];
static char deflate_value[8];
70 
71 /*
72  * Option variables.
73  */
#ifdef PPP_WITH_MPPE
/*
 * Non-zero means: refuse MPPE stateful mode when the peer proposes it
 * (tested in ccp_nakci).  The default is to refuse.  The option table
 * points both "mppe-stateful" and "nomppe-stateful" at this flag.
 * NOTE(review): the name is inverted relative to the "mppe-stateful"
 * option, so a non-zero value here means stateful mode is NOT allowed.
 */
bool refuse_mppe_stateful = 1;
#endif
77 
/*
 * Option table for CCP, handed to the main code through ccp_protent.
 * Each entry names an option, its type, the variable (or handler) it
 * targets, a description, and optional flags plus a second target.
 * The table ends with the { NULL } entry.
 *
 * Options that target index 0 of ccp_wantoptions / ccp_allowoptions
 * affect what we request from the peer / what we accept from the peer.
 */
static struct option ccp_option_list[] = {
    { "noccp", o_bool, &ccp_protent.enabled_flag,
      "Disable CCP negotiation" },
    { "-ccp", o_bool, &ccp_protent.enabled_flag,
      "Disable CCP negotiation", OPT_ALIAS },

    /* "bsdcomp" is parsed and range-checked by setbsdcomp(). */
    { "bsdcomp", o_special, (void *)setbsdcomp,
      "Request BSD-Compress packet compression",
      OPT_PRIO | OPT_A2STRVAL | OPT_STATIC, bsd_value },
    { "nobsdcomp", o_bool, &ccp_wantoptions[0].bsd_compress,
      "don't allow BSD-Compress", OPT_PRIOSUB | OPT_A2CLR,
      &ccp_allowoptions[0].bsd_compress },
    { "-bsdcomp", o_bool, &ccp_wantoptions[0].bsd_compress,
      "don't allow BSD-Compress", OPT_ALIAS | OPT_PRIOSUB | OPT_A2CLR,
      &ccp_allowoptions[0].bsd_compress },

    /* "deflate" is parsed and range-checked by setdeflate(). */
    { "deflate", o_special, (void *)setdeflate,
      "request Deflate compression",
      OPT_PRIO | OPT_A2STRVAL | OPT_STATIC, deflate_value },
    { "nodeflate", o_bool, &ccp_wantoptions[0].deflate,
      "don't allow Deflate compression", OPT_PRIOSUB | OPT_A2CLR,
      &ccp_allowoptions[0].deflate },
    { "-deflate", o_bool, &ccp_wantoptions[0].deflate,
      "don't allow Deflate compression", OPT_ALIAS | OPT_PRIOSUB | OPT_A2CLR,
      &ccp_allowoptions[0].deflate },

    { "nodeflatedraft", o_bool, &ccp_wantoptions[0].deflate_draft,
      "don't use draft deflate #", OPT_A2COPY,
      &ccp_allowoptions[0].deflate_draft },

    { "predictor1", o_bool, &ccp_wantoptions[0].predictor_1,
      "request Predictor-1", OPT_PRIO | 1 },
    { "nopredictor1", o_bool, &ccp_wantoptions[0].predictor_1,
      "don't allow Predictor-1", OPT_PRIOSUB | OPT_A2CLR,
      &ccp_allowoptions[0].predictor_1 },
    { "-predictor1", o_bool, &ccp_wantoptions[0].predictor_1,
      "don't allow Predictor-1", OPT_ALIAS | OPT_PRIOSUB | OPT_A2CLR,
      &ccp_allowoptions[0].predictor_1 },

#ifdef PPP_WITH_MPPE
    /* MPPE options are symmetrical ... we only set wantoptions here */
    /*
     * NOTE(review): "require-mppe" carries both MPPE_OPT_40 and
     * MPPE_OPT_128 in its flags, so it appears to accept either key
     * length.  Where 40-bit keys are not acceptable, the "-128" / "-40"
     * entries below are the ones that narrow the choice -- confirm the
     * resulting wantoptions.mppe value against the option parser.
     */
    { "require-mppe", o_bool, &ccp_wantoptions[0].mppe,
      "require MPPE encryption",
      OPT_PRIO | MPPE_OPT_40 | MPPE_OPT_128 },
    { "+mppe", o_bool, &ccp_wantoptions[0].mppe,
      "require MPPE encryption",
      OPT_ALIAS | OPT_PRIO | MPPE_OPT_40 | MPPE_OPT_128 },
    { "nomppe", o_bool, &ccp_wantoptions[0].mppe,
      "don't allow MPPE encryption", OPT_PRIO },
    { "-mppe", o_bool, &ccp_wantoptions[0].mppe,
      "don't allow MPPE encryption", OPT_ALIAS | OPT_PRIO },

    /* We use ccp_allowoptions[0].mppe as a junk var ... it is reset later */
    /* (ccp_resetci overwrites allowoptions.mppe with the negotiated bits.) */
    { "require-mppe-40", o_bool, &ccp_allowoptions[0].mppe,
      "require MPPE 40-bit encryption", OPT_PRIO | OPT_A2OR | MPPE_OPT_40,
      &ccp_wantoptions[0].mppe },
    { "+mppe-40", o_bool, &ccp_allowoptions[0].mppe,
      "require MPPE 40-bit encryption", OPT_PRIO | OPT_A2OR | MPPE_OPT_40,
      &ccp_wantoptions[0].mppe },
    { "nomppe-40", o_bool, &ccp_allowoptions[0].mppe,
      "don't allow MPPE 40-bit encryption",
      OPT_PRIOSUB | OPT_A2CLRB | MPPE_OPT_40, &ccp_wantoptions[0].mppe },
    { "-mppe-40", o_bool, &ccp_allowoptions[0].mppe,
      "don't allow MPPE 40-bit encryption",
      OPT_ALIAS | OPT_PRIOSUB | OPT_A2CLRB | MPPE_OPT_40,
      &ccp_wantoptions[0].mppe },

    { "require-mppe-128", o_bool, &ccp_allowoptions[0].mppe,
      "require MPPE 128-bit encryption", OPT_PRIO | OPT_A2OR | MPPE_OPT_128,
      &ccp_wantoptions[0].mppe },
    { "+mppe-128", o_bool, &ccp_allowoptions[0].mppe,
      "require MPPE 128-bit encryption",
      OPT_ALIAS | OPT_PRIO | OPT_A2OR | MPPE_OPT_128,
      &ccp_wantoptions[0].mppe },
    { "nomppe-128", o_bool, &ccp_allowoptions[0].mppe,
      "don't allow MPPE 128-bit encryption",
      OPT_PRIOSUB | OPT_A2CLRB | MPPE_OPT_128, &ccp_wantoptions[0].mppe },
    { "-mppe-128", o_bool, &ccp_allowoptions[0].mppe,
      "don't allow MPPE 128-bit encryption",
      OPT_ALIAS | OPT_PRIOSUB | OPT_A2CLRB | MPPE_OPT_128,
      &ccp_wantoptions[0].mppe },

    /* strange one; we always request stateless, but will we allow stateful? */
    /* Both entries write refuse_mppe_stateful; only the second has the low flag bit set. */
    { "mppe-stateful", o_bool, &refuse_mppe_stateful,
      "allow MPPE stateful mode", OPT_PRIO },
    { "nomppe-stateful", o_bool, &refuse_mppe_stateful,
      "disallow MPPE stateful mode", OPT_PRIO | 1 },
#endif /* MPPE */

    { NULL }
};
169 
170 /*
171  * Protocol entry points from main code.
172  */
173 static void ccp_init (int unit);
174 static void ccp_open (int unit);
175 static void ccp_close (int unit, char *);
176 static void ccp_lowerup (int unit);
177 static void ccp_lowerdown (int);
178 static void ccp_input (int unit, u_char *pkt, int len);
179 static void ccp_protrej (int unit);
180 static int  ccp_printpkt (u_char *pkt, int len,
181                                 void (*printer)(void *, char *, ...),
182                                 void *arg);
183 static void ccp_datainput (int unit, u_char *pkt, int len);
184 
/*
 * Protocol table entry through which the main code reaches CCP: the
 * protocol number, the entry points declared above, two display
 * strings and the option table.
 */
struct protent ccp_protent = {
    PPP_CCP,
    ccp_init,
    ccp_input,
    ccp_protrej,
    ccp_lowerup,
    ccp_lowerdown,
    ccp_open,
    ccp_close,
    ccp_printpkt,
    ccp_datainput,
    1,                  /* presumably enabled_flag (target of "noccp") -- confirm against struct protent */
    "CCP",
    "Compressed",
    ccp_option_list,
    NULL,               /* the three trailing members are left unset for CCP */
    NULL,
    NULL
};

/*
 * Per-unit negotiation state.  All five arrays are indexed by PPP unit
 * number; none of the code in this file range-checks the index.
 */
fsm ccp_fsm[NUM_PPP];
ccp_options ccp_wantoptions[NUM_PPP];   /* what to request the peer to use */
ccp_options ccp_gotoptions[NUM_PPP];    /* what the peer agreed to do */
ccp_options ccp_allowoptions[NUM_PPP];  /* what we'll agree to do */
ccp_options ccp_hisoptions[NUM_PPP];    /* what we agreed to do */
210 
211 /*
212  * Callbacks for fsm code.
213  */
214 static void ccp_resetci (fsm *);
215 static int  ccp_cilen (fsm *);
216 static void ccp_addci (fsm *, u_char *, int *);
217 static int  ccp_ackci (fsm *, u_char *, int);
218 static int  ccp_nakci (fsm *, u_char *, int, int);
219 static int  ccp_rejci (fsm *, u_char *, int);
220 static int  ccp_reqci (fsm *, u_char *, int *, int);
221 static void ccp_up (fsm *);
222 static void ccp_down (fsm *);
223 static int  ccp_extcode (fsm *, int, int, u_char *, int);
224 static void ccp_rack_timeout (void *);
225 static char *method_name (ccp_options *, ccp_options *);
226 
/*
 * Callback table installed into each CCP fsm by ccp_init().  The
 * entries are positional; see fsm_callbacks for the member each one
 * fills.
 */
static fsm_callbacks ccp_callbacks = {
    ccp_resetci,
    ccp_cilen,
    ccp_addci,
    ccp_ackci,
    ccp_nakci,
    ccp_rejci,
    ccp_reqci,
    ccp_up,
    ccp_down,
    NULL,               /* four callbacks that CCP leaves unset */
    NULL,
    NULL,
    NULL,
    ccp_extcode,        /* handles CCP_RESETREQ / CCP_RESETACK */
    "CCP"
};
244 
245 /*
246  * Do we want / did we get any compression?
247  */
/*
 * True if any compression (or MPPE) member of the ccp_options value is
 * set.  The argument is expanded once per member, so pass an expression
 * without side effects.
 */
#define ANY_COMPRESS(opt)     ((opt).deflate || (opt).bsd_compress \
                               || (opt).predictor_1 || (opt).predictor_2 \
                               || (opt).mppe)

/*
 * Local state (mainly for handling reset-reqs and reset-acks).
 * ccp_localstate[] holds a per-unit bit mask of the two flags below.
 */
static int ccp_localstate[NUM_PPP];
#define RACK_PENDING          1         /* waiting for reset-ack */
#define RREQ_REPEAT 2         /* send another reset-req if no reset-ack */

#define RACKTIMEOUT 1         /* second */

static int all_rejected[NUM_PPP];       /* we rejected all peer's options */
262 
263 /*
264  * Option parsing.
265  */
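/*
 * setbsdcomp - parse the argument of the "bsdcomp" option.
 *
 * The argument is either "n" or "n,m".  The first number is the code
 * size we request from the peer (stored in ccp_wantoptions[0]); the
 * second, which defaults to the first, is the size we allow the peer to
 * request (stored in ccp_allowoptions[0]).  Each value must be 0, which
 * disables that direction, or lie in BSD_MIN_BITS .. BSD_MAX_BITS.
 *
 * Returns 1 on success, 0 after reporting an option error.
 */
static int
setbsdcomp(char **argv)
{
    long rval, aval;
    int rbits, abits;
    char *str, *endp;

    str = *argv;
    aval = rval = strtol(str, &endp, 0);
    if (endp != str && *endp == ',') {
        str = endp + 1;
        aval = strtol(str, &endp, 0);
    }
    /* Reject an empty number or trailing garbage. */
    if (*endp != 0 || endp == str) {
        ppp_option_error("invalid parameter '%s' for bsdcomp option", *argv);
        return 0;
    }
    /*
     * Range-check the full-width strtol() results before narrowing them
     * to int, so that a huge value cannot be truncated into the
     * accepted range.
     */
    if ((rval != 0 && (rval < BSD_MIN_BITS || rval > BSD_MAX_BITS))
        || (aval != 0 && (aval < BSD_MIN_BITS || aval > BSD_MAX_BITS))) {
        ppp_option_error("bsdcomp option values must be 0 or %d .. %d",
                         BSD_MIN_BITS, BSD_MAX_BITS);
        return 0;
    }
    rbits = (int)rval;
    abits = (int)aval;

    if (rbits > 0) {
        ccp_wantoptions[0].bsd_compress = 1;
        ccp_wantoptions[0].bsd_bits = rbits;
    } else
        ccp_wantoptions[0].bsd_compress = 0;
    if (abits > 0) {
        ccp_allowoptions[0].bsd_compress = 1;
        ccp_allowoptions[0].bsd_bits = abits;
    } else
        ccp_allowoptions[0].bsd_compress = 0;
    /* Record the accepted value; the write is bounded by sizeof(bsd_value). */
    slprintf(bsd_value, sizeof(bsd_value),
             rbits == abits? "%d": "%d,%d", rbits, abits);

    return 1;
}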
303 
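/*
 * setdeflate - parse the argument of the "deflate" option.
 *
 * The argument is either "n" or "n,m".  The first number is the window
 * size code we request from the peer (stored in ccp_wantoptions[0]);
 * the second, which defaults to the first, is the size we allow the
 * peer to request (stored in ccp_allowoptions[0]).  Each value must be
 * 0, which disables that direction, or lie in
 * DEFLATE_MIN_SIZE .. DEFLATE_MAX_SIZE.  A value equal to
 * DEFLATE_MIN_SIZE is raised to DEFLATE_MIN_WORKS with a warning.
 *
 * Returns 1 on success, 0 after reporting an option error.
 */
static int
setdeflate(char **argv)
{
    long rval, aval;
    int rbits, abits;
    char *str, *endp;

    str = *argv;
    aval = rval = strtol(str, &endp, 0);
    if (endp != str && *endp == ',') {
        str = endp + 1;
        aval = strtol(str, &endp, 0);
    }
    /* Reject an empty number or trailing garbage. */
    if (*endp != 0 || endp == str) {
        ppp_option_error("invalid parameter '%s' for deflate option", *argv);
        return 0;
    }
    /*
     * Range-check the full-width strtol() results before narrowing them
     * to int, so that a huge value cannot be truncated into the
     * accepted range.
     */
    if ((rval != 0 && (rval < DEFLATE_MIN_SIZE || rval > DEFLATE_MAX_SIZE))
        || (aval != 0 && (aval < DEFLATE_MIN_SIZE
                          || aval > DEFLATE_MAX_SIZE))) {
        ppp_option_error("deflate option values must be 0 or %d .. %d",
                         DEFLATE_MIN_SIZE, DEFLATE_MAX_SIZE);
        return 0;
    }
    rbits = (int)rval;
    abits = (int)aval;

    /* Never hand the smallest window size to the deflate module. */
    if (rbits == DEFLATE_MIN_SIZE || abits == DEFLATE_MIN_SIZE) {
        if (rbits == DEFLATE_MIN_SIZE)
            rbits = DEFLATE_MIN_WORKS;
        if (abits == DEFLATE_MIN_SIZE)
            abits = DEFLATE_MIN_WORKS;
        warn("deflate option value of %d changed to %d to avoid zlib bug",
             DEFLATE_MIN_SIZE, DEFLATE_MIN_WORKS);
    }
    if (rbits > 0) {
        ccp_wantoptions[0].deflate = 1;
        ccp_wantoptions[0].deflate_size = rbits;
    } else
        ccp_wantoptions[0].deflate = 0;
    if (abits > 0) {
        ccp_allowoptions[0].deflate = 1;
        ccp_allowoptions[0].deflate_size = abits;
    } else
        ccp_allowoptions[0].deflate = 0;
    /* Record the accepted value; the write is bounded by sizeof(deflate_value). */
    slprintf(deflate_value, sizeof(deflate_value),
             rbits == abits? "%d": "%d,%d", rbits, abits);

    return 1;
}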
350 
/*
 * ccp_init - set up the CCP state machine for a unit and load the
 * default compression options.
 *
 * NOTE(review): the four option records are cleared at index `unit`,
 * but the defaults are written at index 0.  The two agree only when
 * unit is 0 -- confirm that callers never pass anything else.
 */
static void
ccp_init(int unit)
{
    fsm *machine = &ccp_fsm[unit];
    ccp_options *want0 = &ccp_wantoptions[0];
    ccp_options *allow0 = &ccp_allowoptions[0];

    machine->unit = unit;
    machine->protocol = PPP_CCP;
    machine->callbacks = &ccp_callbacks;
    fsm_init(machine);

    /* Start every option record for this unit from all-zero. */
    memset(&ccp_wantoptions[unit],  0, sizeof(ccp_options));
    memset(&ccp_gotoptions[unit],   0, sizeof(ccp_options));
    memset(&ccp_allowoptions[unit], 0, sizeof(ccp_options));
    memset(&ccp_hisoptions[unit],   0, sizeof(ccp_options));

    /* Deflate: request and allow it, both variants, at the largest size. */
    want0->deflate = 1;
    want0->deflate_size = DEFLATE_MAX_SIZE;
    want0->deflate_correct = 1;
    want0->deflate_draft = 1;
    allow0->deflate = 1;
    allow0->deflate_size = DEFLATE_MAX_SIZE;
    allow0->deflate_correct = 1;
    allow0->deflate_draft = 1;

    /* BSD-Compress: request and allow it at the largest code size. */
    want0->bsd_compress = 1;
    want0->bsd_bits = BSD_MAX_BITS;
    allow0->bsd_compress = 1;
    allow0->bsd_bits = BSD_MAX_BITS;

    /* Predictor-1 is accepted from the peer but not requested. */
    allow0->predictor_1 = 1;
}
385 
/*
 * ccp_open - the main code permits CCP to come up for this unit.
 */
static void
ccp_open(int unit)
{
    fsm *machine = &ccp_fsm[unit];
    ccp_options *got = &ccp_gotoptions[unit];

    if (machine->state != OPENED) {
        ccp_flags_set(unit, 1, 0);
    }

    /*
     * ccp_resetci() probes which compressors the kernel supports; do
     * that first so we know whether there is anything to ask for.
     * With nothing to request, open in silent mode.
     */
    ccp_resetci(machine);
    if (!ANY_COMPRESS(*got)) {
        machine->flags |= OPT_SILENT;
    }

    fsm_open(machine);
}
407 
/*
 * ccp_close - shut CCP down for a unit, passing `reason` to the fsm.
 */
static void
ccp_close(int unit, char *reason)
{
    fsm *machine = &ccp_fsm[unit];

    /* Clear the CCP flags before closing the state machine. */
    ccp_flags_set(unit, 0, 0);
    fsm_close(machine, reason);
}
417 
/*
 * ccp_lowerup - the lower layer is up; CCP packets may be sent.
 */
static void
ccp_lowerup(int unit)
{
    fsm *machine = &ccp_fsm[unit];

    fsm_lowerup(machine);
}
426 
/*
 * ccp_lowerdown - the lower layer is down; CCP packets may not be sent.
 */
static void
ccp_lowerdown(int unit)
{
    fsm *machine = &ccp_fsm[unit];

    fsm_lowerdown(machine);
}
435 
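/*
 * ccp_input - process a received CCP packet.
 *
 * unit: PPP unit the packet arrived on.
 * p:    start of the CCP packet; p[0] is the code byte.
 * len:  number of bytes available at p.
 *
 * The packet is handed to the generic fsm code first.  Afterwards the
 * code byte is inspected to report a peer-initiated shutdown and to
 * close CCP when a terminate-ack arrives while no compression is wanted.
 */
static void
ccp_input(int unit, u_char *p, int len)
{
    fsm *f = &ccp_fsm[unit];
    int oldstate;
    int have_code;

    /*
     * Check for a terminate-request so we can print a message.
     */
    oldstate = f->state;
    fsm_input(f, p, len);

    /*
     * The code byte exists only if the packet is non-empty.  Without
     * this guard a zero-length packet would make the tests below read
     * a byte that is not part of the received data.
     */
    have_code = len > 0;

    if (oldstate == OPENED && have_code && p[0] == TERMREQ
        && f->state != OPENED) {
        notice("Compression disabled by peer.");
#ifdef PPP_WITH_MPPE
        /*
         * MPPE was negotiated and the peer has torn CCP down: close
         * LCP as well (presumably so the link does not carry on
         * without the encryption that was required).
         */
        if (ccp_gotoptions[unit].mppe) {
            error("MPPE disabled, closing LCP");
            lcp_close(unit, "MPPE disabled by peer");
        }
#endif
    }

    /*
     * If we get a terminate-ack and we're not asking for compression,
     * close CCP.
     */
    if (oldstate == REQSENT && have_code && p[0] == TERMACK
        && !ANY_COMPRESS(ccp_gotoptions[unit]))
        ccp_close(unit, "No compression negotiated");
}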
468 
/*
 * ccp_extcode - handle the packet codes that are specific to CCP.
 *
 * Returns 1 if `code` was a reset-request or reset-ack (whether or not
 * any action was taken), 0 for any other code.
 */
static int
ccp_extcode(fsm *f, int code, int id, u_char *p, int len)
{
    if (code == CCP_RESETREQ) {
        /*
         * Only answer while CCP is open.  The reset-ack is seen by the
         * transmitter, which then resets its compression state.
         */
        if (f->state == OPENED) {
            fsm_sdata(f, CCP_RESETACK, id, NULL, 0);
        }
        return 1;
    }

    if (code == CCP_RESETACK) {
        int *state = &ccp_localstate[f->unit];

        /* Accept the ack only if one is pending and the id matches our request. */
        if ((*state & RACK_PENDING) && id == f->reqid) {
            *state &= ~(RACK_PENDING | RREQ_REPEAT);
            UNTIMEOUT(ccp_rack_timeout, f);
        }
        return 1;
    }

    return 0;
}
497 
/*
 * ccp_protrej - the peer rejected the CCP protocol itself.
 */
static void
ccp_protrej(int unit)
{
    fsm *machine = &ccp_fsm[unit];

    ccp_flags_set(unit, 0, 0);
    fsm_lowerdown(machine);

#ifdef PPP_WITH_MPPE
    /* Nothing more to do unless MPPE was part of what we asked for. */
    if (!ccp_gotoptions[unit].mppe) {
        return;
    }

    /* MPPE cannot be negotiated without CCP, so bring LCP down too. */
    error("MPPE required but peer negotiation failed");
    lcp_close(unit, "MPPE required but peer negotiation failed");
#endif
}
515 
/*
 * ccp_resetci - initialize at start of negotiation.
 *
 * Copies this unit's wantoptions into gotoptions and clears
 * all_rejected.  When MPPE is requested, a series of preconditions is
 * checked first; most failures close LCP and return.  Finally each
 * requested method is offered to ccp_test(), and methods for which it
 * returns <= 0 are dropped from gotoptions.
 */
static void
ccp_resetci(fsm *f)
{
    ccp_options *go = &ccp_gotoptions[f->unit];
    u_char opt_buf[CCP_MAX_OPTION_LENGTH];  /* scratch option for ccp_test() */

    *go = ccp_wantoptions[f->unit];
    all_rejected[f->unit] = 0;

#ifdef PPP_WITH_MPPE
    if (go->mppe) {
        ccp_options *ao = &ccp_allowoptions[f->unit];
        int auth_mschap_bits = auth_done[f->unit];
#ifdef PPP_WITH_EAPTLS
        int auth_eap_bits = auth_done[f->unit];
#endif
        int numbits;

        /*
         * Start with a basic sanity check: mschap[v2] auth must be in
         * exactly one direction.  RFC 3079 says that the keys are
         * 'derived from the credentials of the peer that initiated the call',
         * however the PPP protocol doesn't have such a concept, and pppd
         * cannot get this info externally.  Instead we do the best we can.
         * NB: If MPPE is required, all other compression opts are invalid.
         *     So, we return right away if we can't do it.
         */

        /* Leave only the mschap auth bits set */
        auth_mschap_bits &= (CHAP_MS_WITHPEER  | CHAP_MS_PEER |
                             CHAP_MS2_WITHPEER | CHAP_MS2_PEER);
        /* Count the mschap auths */
        auth_mschap_bits >>= CHAP_MS_SHIFT;
        numbits = 0;
        do {
            numbits += auth_mschap_bits & 1;
            auth_mschap_bits >>= 1;
        } while (auth_mschap_bits);
        if (numbits > 1) {
            error("MPPE required, but auth done in both directions.");
            lcp_close(f->unit, "MPPE required but not available");
            return;
        }

        /*
         * The two preprocessor branches below each open the same `if`
         * block; the lcp_close()/return after #endif is its shared body.
         */
#ifdef PPP_WITH_EAPTLS
    /*
     * MPPE is also possible in combination with EAP-TLS.
     * It is not possible to detect if we're doing EAP or EAP-TLS
     * at this stage, hence we accept all forms of EAP. If TLS is
     * not used then the MPPE keys will not be derived anyway.
     */
        /* Leave only the eap auth bits set */
        auth_eap_bits &= (EAP_WITHPEER | EAP_PEER );

        if ((numbits == 0) && (auth_eap_bits == 0)) {
            error("MPPE required, but MS-CHAP[v2] nor EAP-TLS auth are performed.");
#else
        if (!numbits) {
            error("MPPE required, but MS-CHAP[v2] auth not performed.");
#endif
            lcp_close(f->unit, "MPPE required but not available");
            return;
        }

        /* A plugin (eg radius) may not have obtained key material. */
        if (!mppe_keys_isset()) {
            error("MPPE required, but keys are not available.  "
                  "Possible plugin problem?");
            lcp_close(f->unit, "MPPE required but not available");
            return;
        }

        /* LM auth not supported for MPPE */
        if (auth_done[f->unit] & (CHAP_MS_WITHPEER | CHAP_MS_PEER)) {
            /* This might be noise */
            if (go->mppe & MPPE_OPT_40) {
                notice("Disabling 40-bit MPPE; MS-CHAP LM not supported");
                go->mppe &= ~MPPE_OPT_40;
                /* Also cleared in wantoptions, so the change persists across later resets. */
                ccp_wantoptions[f->unit].mppe &= ~MPPE_OPT_40;
            }
        }

        /* Last check: can we actually negotiate something? */
        if (!(go->mppe & (MPPE_OPT_40 | MPPE_OPT_128))) {
            /* Could be misconfig, could be 40-bit disabled above. */
            error("MPPE required, but both 40-bit and 128-bit disabled.");
            lcp_close(f->unit, "MPPE required but not available");
            return;
        }

        /* sync options */
        ao->mppe = go->mppe;
        /* MPPE is not compatible with other compression types */
        ao->bsd_compress = go->bsd_compress = 0;
        ao->predictor_1  = go->predictor_1  = 0;
        ao->predictor_2  = go->predictor_2  = 0;
        ao->deflate      = go->deflate      = 0;
    }

    /*
     * Check whether the kernel knows about the various
     * compression methods we might request.
     */
    if (go->mppe) {
        opt_buf[0] = CI_MPPE;
        opt_buf[1] = CILEN_MPPE;
        MPPE_OPTS_TO_CI(go->mppe, &opt_buf[2]);
        /* Key material unimportant here. */
        /*
         * NOTE(review): the length passed covers CILEN_MPPE +
         * MPPE_MAX_KEY_LEN bytes, but only the option header is written
         * above; the key bytes are whatever the stack held.  This also
         * assumes CCP_MAX_OPTION_LENGTH >= CILEN_MPPE + MPPE_MAX_KEY_LEN
         * -- confirm against the header that defines them.
         */
        if (ccp_test(f->unit, opt_buf, CILEN_MPPE + MPPE_MAX_KEY_LEN, 0) <= 0) {
            error("MPPE required, but kernel has no support.");
            lcp_close(f->unit, "MPPE required but not available");
            /*
             * NOTE(review): unlike the failure paths above there is no
             * return here, and go->mppe stays set.
             */
        }
    }
#endif /* PPP_WITH_MPPE */
    if (go->bsd_compress) {
        opt_buf[0] = CI_BSD_COMPRESS;
        opt_buf[1] = CILEN_BSD_COMPRESS;
        /* Probe with the minimum size; ccp_addci() negotiates the real one. */
        opt_buf[2] = BSD_MAKE_OPT(BSD_CURRENT_VERSION, BSD_MIN_BITS);
        if (ccp_test(f->unit, opt_buf, CILEN_BSD_COMPRESS, 0) <= 0)
            go->bsd_compress = 0;
    }
    if (go->deflate) {
        /* Probe the two deflate option codes separately. */
        if (go->deflate_correct) {
            opt_buf[0] = CI_DEFLATE;
            opt_buf[1] = CILEN_DEFLATE;
            opt_buf[2] = DEFLATE_MAKE_OPT(DEFLATE_MIN_WORKS);
            opt_buf[3] = DEFLATE_CHK_SEQUENCE;
            if (ccp_test(f->unit, opt_buf, CILEN_DEFLATE, 0) <= 0)
                go->deflate_correct = 0;
        }
        if (go->deflate_draft) {
            opt_buf[0] = CI_DEFLATE_DRAFT;
            opt_buf[1] = CILEN_DEFLATE;
            opt_buf[2] = DEFLATE_MAKE_OPT(DEFLATE_MIN_WORKS);
            opt_buf[3] = DEFLATE_CHK_SEQUENCE;
            if (ccp_test(f->unit, opt_buf, CILEN_DEFLATE, 0) <= 0)
                go->deflate_draft = 0;
        }
        /* Neither code usable: drop deflate altogether. */
        if (!go->deflate_correct && !go->deflate_draft)
            go->deflate = 0;
    }
    if (go->predictor_1) {
        opt_buf[0] = CI_PREDICTOR_1;
        opt_buf[1] = CILEN_PREDICTOR_1;
        if (ccp_test(f->unit, opt_buf, CILEN_PREDICTOR_1, 0) <= 0)
            go->predictor_1 = 0;
    }
    if (go->predictor_2) {
        opt_buf[0] = CI_PREDICTOR_2;
        opt_buf[1] = CILEN_PREDICTOR_2;
        if (ccp_test(f->unit, opt_buf, CILEN_PREDICTOR_2, 0) <= 0)
            go->predictor_2 = 0;
    }
}
673 
/*
 * ccp_cilen - number of bytes our configuration options will occupy.
 *
 * Adds up the option length of every method enabled in this unit's
 * gotoptions; the two deflate variants count separately.
 */
static int
ccp_cilen(fsm *f)
{
    const ccp_options *go = &ccp_gotoptions[f->unit];
    int total = 0;

    if (go->bsd_compress) {
        total += CILEN_BSD_COMPRESS;
    }
    if (go->deflate) {
        if (go->deflate_correct) {
            total += CILEN_DEFLATE;
        }
        if (go->deflate_draft) {
            total += CILEN_DEFLATE;
        }
    }
    if (go->predictor_1) {
        total += CILEN_PREDICTOR_1;
    }
    if (go->predictor_2) {
        total += CILEN_PREDICTOR_2;
    }
#ifdef PPP_WITH_MPPE
    if (go->mppe) {
        total += CILEN_MPPE;
    }
#endif

    return total;
}
692 
/*
 * ccp_addci - put our requests in a packet.
 *
 * f:    the CCP state machine; its unit selects the gotoptions record.
 * p:    where to write the options.
 * lenp: receives the number of bytes written.
 *
 * Options are written in the order MPPE, Deflate, BSD-Compress,
 * Predictor-1, Predictor-2.  Only the option that ends up first in the
 * packet (p == p0 when it is reached) is tried against the kernel with
 * ccp_test(); later ones are appended without a test.  go->method is
 * set to the type of the first option written, or -1 if none.
 *
 * NOTE(review): nothing here bounds the writes through p; presumably
 * the caller sized the buffer from ccp_cilen() -- confirm in the fsm
 * code.
 */
static void
ccp_addci(fsm *f, u_char *p, int *lenp)
{
    int res;
    ccp_options *go = &ccp_gotoptions[f->unit];
    u_char *p0 = p;     /* start of the option area, to detect "first option" */

    /*
     * Add the compression types that we can receive, in decreasing
     * preference order.  Get the kernel to allocate the first one
     * in case it gets Acked.
     */
#ifdef PPP_WITH_MPPE
    if (go->mppe) {
        /*
         * Kernel-side copy of the option: header followed by the
         * receive key.  Only the header goes into the packet at p.
         * NOTE(review): the key bytes remain in this stack buffer when
         * the function returns; it is not cleared here.
         */
        u_char opt_buf[CILEN_MPPE + MPPE_MAX_KEY_LEN];

        p[0] = opt_buf[0] = CI_MPPE;
        p[1] = opt_buf[1] = CILEN_MPPE;
        MPPE_OPTS_TO_CI(go->mppe, &p[2]);
        MPPE_OPTS_TO_CI(go->mppe, &opt_buf[2]);
        mppe_get_recv_key(&opt_buf[CILEN_MPPE], MPPE_MAX_KEY_LEN);
        res = ccp_test(f->unit, opt_buf, CILEN_MPPE + MPPE_MAX_KEY_LEN, 0);
        if (res > 0)
            p += CILEN_MPPE;
        else
            /* This shouldn't happen, we've already tested it! */
            lcp_close(f->unit, "MPPE required but not available in kernel");
    }
#endif
    if (go->deflate) {
        p[0] = go->deflate_correct? CI_DEFLATE: CI_DEFLATE_DRAFT;
        p[1] = CILEN_DEFLATE;
        p[2] = DEFLATE_MAKE_OPT(go->deflate_size);
        p[3] = DEFLATE_CHK_SEQUENCE;
        if (p != p0) {
            p += CILEN_DEFLATE;
        } else {
            /*
             * First option: shrink the window size one step at a time
             * until the kernel accepts it (res > 0).  Give up on
             * deflate if the kernel reports an error (res < 0) or the
             * size drops below DEFLATE_MIN_WORKS.
             */
            for (;;) {
                if (go->deflate_size < DEFLATE_MIN_WORKS) {
                    go->deflate = 0;
                    break;
                }
                res = ccp_test(f->unit, p, CILEN_DEFLATE, 0);
                if (res > 0) {
                    p += CILEN_DEFLATE;
                    break;
                } else if (res < 0) {
                    go->deflate = 0;
                    break;
                }
                --go->deflate_size;
                p[2] = DEFLATE_MAKE_OPT(go->deflate_size);
            }
        }
        /* Both variants wanted: append the draft code with the same size byte. */
        if (p != p0 && go->deflate_correct && go->deflate_draft) {
            p[0] = CI_DEFLATE_DRAFT;
            p[1] = CILEN_DEFLATE;
            p[2] = p[2 - CILEN_DEFLATE];    /* size byte of the option just written */
            p[3] = DEFLATE_CHK_SEQUENCE;
            p += CILEN_DEFLATE;
        }
    }
    if (go->bsd_compress) {
        p[0] = CI_BSD_COMPRESS;
        p[1] = CILEN_BSD_COMPRESS;
        p[2] = BSD_MAKE_OPT(BSD_CURRENT_VERSION, go->bsd_bits);
        if (p != p0) {
            p += CILEN_BSD_COMPRESS;  /* not the first option */
        } else {
            /* First option: same shrink-until-accepted loop as for deflate. */
            for (;;) {
                if (go->bsd_bits < BSD_MIN_BITS) {
                    go->bsd_compress = 0;
                    break;
                }
                res = ccp_test(f->unit, p, CILEN_BSD_COMPRESS, 0);
                if (res > 0) {
                    p += CILEN_BSD_COMPRESS;
                    break;
                } else if (res < 0) {
                    go->bsd_compress = 0;
                    break;
                }
                --go->bsd_bits;
                p[2] = BSD_MAKE_OPT(BSD_CURRENT_VERSION, go->bsd_bits);
            }
        }
    }
    /* XXX Should Predictor 2 be preferable to Predictor 1? */
    if (go->predictor_1) {
        p[0] = CI_PREDICTOR_1;
        p[1] = CILEN_PREDICTOR_1;
        /* Tested against the kernel only when it would be the first option. */
        if (p == p0 && ccp_test(f->unit, p, CILEN_PREDICTOR_1, 0) <= 0) {
            go->predictor_1 = 0;
        } else {
            p += CILEN_PREDICTOR_1;
        }
    }
    if (go->predictor_2) {
        p[0] = CI_PREDICTOR_2;
        p[1] = CILEN_PREDICTOR_2;
        if (p == p0 && ccp_test(f->unit, p, CILEN_PREDICTOR_2, 0) <= 0) {
            go->predictor_2 = 0;
        } else {
            p += CILEN_PREDICTOR_2;
        }
    }

    /* Type byte of the first option written, or -1 when nothing was written. */
    go->method = (p > p0)? p0[0]: -1;

    *lenp = p - p0;
}
807 
/*
 * ccp_ackci - process a received configure-ack, and return
 * 1 iff the packet was OK.
 *
 * f:   the CCP state machine; its unit selects the gotoptions record.
 * p:   the options carried by the ack (peer-supplied data).
 * len: number of bytes available at p.
 *
 * The ack must repeat the options we requested, in the order
 * MPPE, Deflate (and draft Deflate), BSD-Compress, Predictor-1,
 * Predictor-2, with identical contents.  Every comparison is preceded
 * by a check that len covers the bytes about to be read.
 */
static int
ccp_ackci(fsm *f, u_char *p, int len)
{
    ccp_options *go = &ccp_gotoptions[f->unit];
    u_char *p0 = p;

#ifdef PPP_WITH_MPPE
    if (go->mppe) {
        /* Rebuild the option we sent and compare it byte for byte. */
        u_char opt_buf[CILEN_MPPE];

        opt_buf[0] = CI_MPPE;
        opt_buf[1] = CILEN_MPPE;
        MPPE_OPTS_TO_CI(go->mppe, &opt_buf[2]);
        if (len < CILEN_MPPE || memcmp(opt_buf, p, CILEN_MPPE))
            return 0;
        p += CILEN_MPPE;
        len -= CILEN_MPPE;
        /* XXX Cope with first/fast ack */
        if (len == 0)
            return 1;
    }
#endif
    if (go->deflate) {
        if (len < CILEN_DEFLATE
            || p[0] != (go->deflate_correct? CI_DEFLATE: CI_DEFLATE_DRAFT)
            || p[1] != CILEN_DEFLATE
            || p[2] != DEFLATE_MAKE_OPT(go->deflate_size)
            || p[3] != DEFLATE_CHK_SEQUENCE)
            return 0;
        p += CILEN_DEFLATE;
        len -= CILEN_DEFLATE;
        /* XXX Cope with first/fast ack */
        if (len == 0)
            return 1;
        /* When both variants were requested, the draft option must follow. */
        if (go->deflate_correct && go->deflate_draft) {
            if (len < CILEN_DEFLATE
                || p[0] != CI_DEFLATE_DRAFT
                || p[1] != CILEN_DEFLATE
                || p[2] != DEFLATE_MAKE_OPT(go->deflate_size)
                || p[3] != DEFLATE_CHK_SEQUENCE)
                return 0;
            p += CILEN_DEFLATE;
            len -= CILEN_DEFLATE;
        }
    }
    if (go->bsd_compress) {
        if (len < CILEN_BSD_COMPRESS
            || p[0] != CI_BSD_COMPRESS || p[1] != CILEN_BSD_COMPRESS
            || p[2] != BSD_MAKE_OPT(BSD_CURRENT_VERSION, go->bsd_bits))
            return 0;
        p += CILEN_BSD_COMPRESS;
        len -= CILEN_BSD_COMPRESS;
        /* XXX Cope with first/fast ack */
        /*
         * NOTE(review): p has just been advanced, so `p == p0` cannot
         * hold here (assuming the CILEN_* constants are non-zero).  The
         * same applies to the two Predictor branches below; in these
         * three branches the early return looks unreachable and the
         * final len check decides the result.
         */
        if (p == p0 && len == 0)
            return 1;
    }
    if (go->predictor_1) {
        if (len < CILEN_PREDICTOR_1
            || p[0] != CI_PREDICTOR_1 || p[1] != CILEN_PREDICTOR_1)
            return 0;
        p += CILEN_PREDICTOR_1;
        len -= CILEN_PREDICTOR_1;
        /* XXX Cope with first/fast ack */
        if (p == p0 && len == 0)
            return 1;
    }
    if (go->predictor_2) {
        if (len < CILEN_PREDICTOR_2
            || p[0] != CI_PREDICTOR_2 || p[1] != CILEN_PREDICTOR_2)
            return 0;
        p += CILEN_PREDICTOR_2;
        len -= CILEN_PREDICTOR_2;
        /* XXX Cope with first/fast ack */
        if (p == p0 && len == 0)
            return 1;
    }

    /* Any bytes left over mean the ack carried something we did not send. */
    if (len != 0)
        return 0;
    return 1;
}
893 
/*
 * ccp_nakci - process received configure-nak.
 *
 * Looks at the leading options of the peer's Nak and works out which
 * options to request next time.  A suggestion from the peer is only used
 * to switch a method off or to lower a size.  If the Nak leaves us with
 * no usable MPPE setting, the link is closed.
 *
 * f:               CCP FSM; f->unit selects the per-unit option table.
 * p, len:          option list taken from the peer's packet, and its
 *                  length in bytes.  Every read of p[] is preceded by a
 *                  check against len.
 * treat_as_reject: not used by this function.
 *
 * Always returns 1.  The new option set is stored only while the FSM is
 * not in the OPENED state.
 */
static int
ccp_nakci(fsm *f, u_char *p, int len, int treat_as_reject)
{
    ccp_options *go = &ccp_gotoptions[f->unit];
    ccp_options seen;           /* options found in the Nak (written, never read) */
    ccp_options next = *go;     /* options to ask for next time */

    memset(&seen, 0, sizeof(seen));

#ifdef PPP_WITH_MPPE
    if (go->mppe && len >= CILEN_MPPE
        && p[0] == CI_MPPE && p[1] == CILEN_MPPE) {
        seen.mppe = 1;
        /*
         * The peer proposes a different strength or mode.  Take its
         * flags, then refuse them if stateful mode is forbidden or if
         * they contain anything besides what we offered (stateful is
         * the one flag the peer may add).
         */
        MPPE_CI_TO_OPTS(&p[2], next.mppe);
        if ((next.mppe & MPPE_OPT_STATEFUL) && refuse_mppe_stateful) {
            error("Refusing MPPE stateful mode offered by peer");
            next.mppe = 0;
        } else if ((next.mppe & ~(go->mppe | MPPE_OPT_STATEFUL)) != 0) {
            /* Peer must have set options we didn't request (suggest) */
            next.mppe = 0;
        }

        /* No acceptable MPPE setting is left: take the link down. */
        if (next.mppe == 0) {
            error("MPPE required but peer negotiation failed");
            lcp_close(f->unit, "MPPE required but peer negotiation failed");
        }
        /* p and len are not advanced past the MPPE option here. */
    }
#endif /* PPP_WITH_MPPE */

    if (go->deflate && len >= CILEN_DEFLATE
        && p[0] == (go->deflate_correct ? CI_DEFLATE : CI_DEFLATE_DRAFT)
        && p[1] == CILEN_DEFLATE) {
        int size = DEFLATE_SIZE(p[2]);
        int understood = DEFLATE_METHOD(p[2]) == DEFLATE_METHOD_VAL
            && size >= DEFLATE_MIN_WORKS
            && p[3] == DEFLATE_CHK_SEQUENCE;

        seen.deflate = 1;
        /*
         * Stop asking for Deflate if the suggestion makes no sense to
         * us; otherwise accept a window size smaller than ours.
         */
        if (!understood)
            next.deflate = 0;
        else if (size < go->deflate_size)
            next.deflate_size = size;
        p += CILEN_DEFLATE;
        len -= CILEN_DEFLATE;

        /* Step over a second, draft-numbered Deflate option if present. */
        if (go->deflate_correct && go->deflate_draft
            && len >= CILEN_DEFLATE && p[0] == CI_DEFLATE_DRAFT
            && p[1] == CILEN_DEFLATE) {
            p += CILEN_DEFLATE;
            len -= CILEN_DEFLATE;
        }
    }

    if (go->bsd_compress && len >= CILEN_BSD_COMPRESS
        && p[0] == CI_BSD_COMPRESS && p[1] == CILEN_BSD_COMPRESS) {
        int bits = BSD_NBITS(p[2]);

        seen.bsd_compress = 1;
        /* A different version disables the method; fewer bits are accepted. */
        if (BSD_VERSION(p[2]) != BSD_CURRENT_VERSION)
            next.bsd_compress = 0;
        else if (bits < go->bsd_bits)
            next.bsd_bits = bits;
        p += CILEN_BSD_COMPRESS;
        len -= CILEN_BSD_COMPRESS;
    }

    /*
     * Predictor-1 and 2 have no options, so they can't be Naked.
     *
     * There may be remaining options but we ignore them.
     */

    if (f->state != OPENED)
        *go = next;
    return 1;
}
980 
/*
 * ccp_rejci - reject some of our suggested compression methods.
 *
 * Each rejected option must match what we sent: the Deflate and
 * BSD-Compress options are compared against our own values, and any
 * bytes left over after the known options make the Reject invalid.
 *
 * f:      CCP FSM; f->unit selects the per-unit tables.
 * p, len: option list taken from the peer's packet, and its length in
 *         bytes.  Every read of p[] is preceded by a check against len.
 *
 * Returns 1 if the Reject was consistent, 0 if it was not, and -1 for
 * an empty Reject received after we rejected everything ourselves.
 * The reduced option set is stored only while the FSM is not in the
 * OPENED state.
 */
static int
ccp_rejci(fsm *f, u_char *p, int len)
{
    ccp_options *go = &ccp_gotoptions[f->unit];
    ccp_options next = *go;     /* options to request next time */

    /*
     * Cope with empty configure-rejects by ceasing to send
     * configure-requests.
     */
    if (len == 0 && all_rejected[f->unit])
        return -1;

#ifdef PPP_WITH_MPPE
    /* A rejected MPPE option closes the link; next.mppe is left as it was. */
    if (go->mppe && len >= CILEN_MPPE
        && p[0] == CI_MPPE && p[1] == CILEN_MPPE) {
        error("MPPE required but peer refused");
        lcp_close(f->unit, "MPPE required but peer refused");
        p += CILEN_MPPE;
        len -= CILEN_MPPE;
    }
#endif

    if (go->deflate_correct && len >= CILEN_DEFLATE
        && p[0] == CI_DEFLATE && p[1] == CILEN_DEFLATE) {
        if (!(p[2] == DEFLATE_MAKE_OPT(go->deflate_size)
              && p[3] == DEFLATE_CHK_SEQUENCE))
            return 0;           /* Rej is bad */
        next.deflate_correct = 0;
        p += CILEN_DEFLATE;
        len -= CILEN_DEFLATE;
    }

    if (go->deflate_draft && len >= CILEN_DEFLATE
        && p[0] == CI_DEFLATE_DRAFT && p[1] == CILEN_DEFLATE) {
        if (!(p[2] == DEFLATE_MAKE_OPT(go->deflate_size)
              && p[3] == DEFLATE_CHK_SEQUENCE))
            return 0;           /* Rej is bad */
        next.deflate_draft = 0;
        p += CILEN_DEFLATE;
        len -= CILEN_DEFLATE;
    }

    /* With both option numbers refused, Deflate is off altogether. */
    if (!(next.deflate_correct || next.deflate_draft))
        next.deflate = 0;

    if (go->bsd_compress && len >= CILEN_BSD_COMPRESS
        && p[0] == CI_BSD_COMPRESS && p[1] == CILEN_BSD_COMPRESS) {
        if (p[2] != BSD_MAKE_OPT(BSD_CURRENT_VERSION, go->bsd_bits))
            return 0;
        next.bsd_compress = 0;
        p += CILEN_BSD_COMPRESS;
        len -= CILEN_BSD_COMPRESS;
    }

    if (go->predictor_1 && len >= CILEN_PREDICTOR_1
        && p[0] == CI_PREDICTOR_1 && p[1] == CILEN_PREDICTOR_1) {
        next.predictor_1 = 0;
        p += CILEN_PREDICTOR_1;
        len -= CILEN_PREDICTOR_1;
    }

    if (go->predictor_2 && len >= CILEN_PREDICTOR_2
        && p[0] == CI_PREDICTOR_2 && p[1] == CILEN_PREDICTOR_2) {
        next.predictor_2 = 0;
        p += CILEN_PREDICTOR_2;
        len -= CILEN_PREDICTOR_2;
    }

    /* Anything left over was not an option we sent. */
    if (len != 0)
        return 0;

    if (f->state != OPENED)
        *go = next;

    return 1;
}
1057 
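/*
 * ccp_reqci - process a received configure-request.
 *
 * Walks the peer-supplied option list, records what the peer asked for
 * in ccp_hisoptions[] and rewrites the buffer in place so that it holds
 * the options to send back.
 *
 * f:        CCP FSM; f->unit selects the per-unit option tables.
 * p:        option list from the peer's packet; modified in place.
 * lenp:     in: length of the option list in bytes; out: length of the
 *           options being returned (left unchanged when every option is
 *           rejected or when the request is acked).
 * dont_nak: if nonzero, anything that would be a CONFNAK is turned into
 *           a CONFREJ.
 *
 * Returns CONFACK, CONFNAK or CONFREJ.
 *
 * An option whose length byte is below 2 or beyond the remaining data
 * is not parsed; the rest of the list is rejected as one chunk.  Each
 * known option is accepted only if its length equals the expected
 * CILEN_* value, so the fixed-offset reads below stay inside it.
 */
static int
ccp_reqci(fsm *f, u_char *p, int *lenp, int dont_nak)
{
    int ret, newret, res;
    u_char *p0, *retp;
    int len, clen, type, nb;
    ccp_options *ho = &ccp_hisoptions[f->unit];
    ccp_options *ao = &ccp_allowoptions[f->unit];
#ifdef PPP_WITH_MPPE
    bool rej_for_ci_mppe = 1;   /* Are we rejecting based on a bad/missing */
                                /* CI_MPPE, or due to other options?       */
#endif

    ret = CONFACK;
    retp = p0 = p;
    len = *lenp;

    memset(ho, 0, sizeof(ccp_options));
    ho->method = (len > 0)? p[0]: -1;

    while (len > 0) {
        newret = CONFACK;
        if (len < 2 || p[1] < 2 || p[1] > len) {
            /* length is bad: reject everything that is left */
            clen = len;
            newret = CONFREJ;

        } else {
            type = p[0];
            clen = p[1];

            switch (type) {
#ifdef PPP_WITH_MPPE
            case CI_MPPE:
                if (!ao->mppe || clen != CILEN_MPPE) {
                    newret = CONFREJ;
                    break;
                }
                MPPE_CI_TO_OPTS(&p[2], ho->mppe);

                /* Nak if anything unsupported or unknown are set. */
                if (ho->mppe & MPPE_OPT_UNSUPPORTED) {
                    newret = CONFNAK;
                    ho->mppe &= ~MPPE_OPT_UNSUPPORTED;
                }
                if (ho->mppe & MPPE_OPT_UNKNOWN) {
                    newret = CONFNAK;
                    ho->mppe &= ~MPPE_OPT_UNKNOWN;
                }

                /* Check state opt */
                if (ho->mppe & MPPE_OPT_STATEFUL) {
                    /*
                     * We can Nak and request stateless, but it's a
                     * lot easier to just assume the peer will request
                     * it if he can do it; stateful mode is bad over
                     * the Internet -- which is where we expect MPPE.
                     */
                    if (refuse_mppe_stateful) {
                        error("Refusing MPPE stateful mode offered by peer");
                        newret = CONFREJ;
                        break;
                    }
                }

                /* Find out which of {S,L} are set. */
                if ((ho->mppe & MPPE_OPT_128)
                    && (ho->mppe & MPPE_OPT_40)) {
                    /* Both are set, negotiate the strongest. */
                    newret = CONFNAK;
                    if (ao->mppe & MPPE_OPT_128)
                        ho->mppe &= ~MPPE_OPT_40;
                    else if (ao->mppe & MPPE_OPT_40)
                        ho->mppe &= ~MPPE_OPT_128;
                    else {
                        newret = CONFREJ;
                        break;
                    }
                } else if (ho->mppe & MPPE_OPT_128) {
                    if (!(ao->mppe & MPPE_OPT_128)) {
                        newret = CONFREJ;
                        break;
                    }
                } else if (ho->mppe & MPPE_OPT_40) {
                    if (!(ao->mppe & MPPE_OPT_40)) {
                        newret = CONFREJ;
                        break;
                    }
                } else {
                    /* Neither are set. */
                    /* We cannot accept this.  */
                    newret = CONFNAK;
                    /* Give the peer our idea of what can be used,
                       so it can choose and confirm */
                    ho->mppe = ao->mppe;
                }

                /* rebuild the opts */
                MPPE_OPTS_TO_CI(ho->mppe, &p[2]);
                if (newret == CONFACK) {
                    u_char opt_buf[CILEN_MPPE + MPPE_MAX_KEY_LEN];
                    int mtu;

                    /* Option bytes followed by the send key, for ccp_test(). */
                    BCOPY(p, opt_buf, CILEN_MPPE);
                    mppe_get_send_key(&opt_buf[CILEN_MPPE], MPPE_MAX_KEY_LEN);
                    if (ccp_test(f->unit, opt_buf,
                                 CILEN_MPPE + MPPE_MAX_KEY_LEN, 1) <= 0) {
                        /* This shouldn't happen, we've already tested it! */
                        error("MPPE required, but kernel has no support.");
                        lcp_close(f->unit, "MPPE required but not available");
                        newret = CONFREJ;
                        break;
                    }
                    /*
                     * We need to decrease the interface MTU by MPPE_PAD
                     * because MPPE frames **grow**.  The kernel [must]
                     * allocate MPPE_PAD extra bytes in xmit buffers.
                     */
                    mtu = ppp_get_mtu(f->unit);
                    if (mtu)
                        ppp_set_mtu(f->unit, mtu - MPPE_PAD);
                    else
                        newret = CONFREJ;
                }

                /*
                 * We have accepted MPPE or are willing to negotiate
                 * MPPE parameters.  A CONFREJ is due to subsequent
                 * (non-MPPE) processing.
                 */
                rej_for_ci_mppe = 0;
                break;
#endif /* PPP_WITH_MPPE */
            case CI_DEFLATE:
            case CI_DEFLATE_DRAFT:
                if (!ao->deflate || clen != CILEN_DEFLATE
                    || (!ao->deflate_correct && type == CI_DEFLATE)
                    || (!ao->deflate_draft && type == CI_DEFLATE_DRAFT)) {
                    newret = CONFREJ;
                    break;
                }

                ho->deflate = 1;
                ho->deflate_size = nb = DEFLATE_SIZE(p[2]);
                if (DEFLATE_METHOD(p[2]) != DEFLATE_METHOD_VAL
                    || p[3] != DEFLATE_CHK_SEQUENCE
                    || nb > ao->deflate_size || nb < DEFLATE_MIN_WORKS) {
                    newret = CONFNAK;
                    if (dont_nak)
                        break;
                    p[2] = DEFLATE_MAKE_OPT(ao->deflate_size);
                    p[3] = DEFLATE_CHK_SEQUENCE;
                    /*
                     * Keep nb in step with what p[2] now holds.  Left at
                     * the peer's value, the loop below would count down
                     * from a size that may lie above our limit or below
                     * the minimum, where the floor test never matches.
                     */
                    nb = ao->deflate_size;
                    /* fall through to test this #bits below */
                }

                /*
                 * Check whether we can do Deflate with the window
                 * size they want.  If the window is too big, reduce
                 * it until the kernel can cope and nak with that.
                 * We only check this for the first option.
                 */
                if (p == p0) {
                    for (;;) {
                        res = ccp_test(f->unit, p, CILEN_DEFLATE, 1);
                        if (res > 0)
                            break;              /* it's OK now */
                        /* "<=" so the countdown stops even below the floor */
                        if (res < 0 || nb <= DEFLATE_MIN_WORKS || dont_nak) {
                            newret = CONFREJ;
                            /*
                             * NOTE(review): only p[2] is put back to the
                             * peer's size; p[3] keeps the value written
                             * above if the option was rewritten.
                             */
                            p[2] = DEFLATE_MAKE_OPT(ho->deflate_size);
                            break;
                        }
                        newret = CONFNAK;
                        --nb;
                        p[2] = DEFLATE_MAKE_OPT(nb);
                    }
                }
                break;

            case CI_BSD_COMPRESS:
                if (!ao->bsd_compress || clen != CILEN_BSD_COMPRESS) {
                    newret = CONFREJ;
                    break;
                }

                ho->bsd_compress = 1;
                ho->bsd_bits = nb = BSD_NBITS(p[2]);
                if (BSD_VERSION(p[2]) != BSD_CURRENT_VERSION
                    || nb > ao->bsd_bits || nb < BSD_MIN_BITS) {
                    newret = CONFNAK;
                    if (dont_nak)
                        break;
                    p[2] = BSD_MAKE_OPT(BSD_CURRENT_VERSION, ao->bsd_bits);
                    /* Same as for Deflate: keep nb in step with p[2]. */
                    nb = ao->bsd_bits;
                    /* fall through to test this #bits below */
                }

                /*
                 * Check whether we can do BSD-Compress with the code
                 * size they want.  If the code size is too big, reduce
                 * it until the kernel can cope and nak with that.
                 * We only check this for the first option.
                 */
                if (p == p0) {
                    for (;;) {
                        res = ccp_test(f->unit, p, CILEN_BSD_COMPRESS, 1);
                        if (res > 0)
                            break;
                        /* "<=" so the countdown stops even below the floor */
                        if (res < 0 || nb <= BSD_MIN_BITS || dont_nak) {
                            newret = CONFREJ;
                            p[2] = BSD_MAKE_OPT(BSD_CURRENT_VERSION,
                                                ho->bsd_bits);
                            break;
                        }
                        newret = CONFNAK;
                        --nb;
                        p[2] = BSD_MAKE_OPT(BSD_CURRENT_VERSION, nb);
                    }
                }
                break;

            case CI_PREDICTOR_1:
                if (!ao->predictor_1 || clen != CILEN_PREDICTOR_1) {
                    newret = CONFREJ;
                    break;
                }

                ho->predictor_1 = 1;
                if (p == p0
                    && ccp_test(f->unit, p, CILEN_PREDICTOR_1, 1) <= 0) {
                    newret = CONFREJ;
                }
                break;

            case CI_PREDICTOR_2:
                if (!ao->predictor_2 || clen != CILEN_PREDICTOR_2) {
                    newret = CONFREJ;
                    break;
                }

                ho->predictor_2 = 1;
                if (p == p0
                    && ccp_test(f->unit, p, CILEN_PREDICTOR_2, 1) <= 0) {
                    newret = CONFREJ;
                }
                break;

            default:
                newret = CONFREJ;
            }
        }

        if (newret == CONFNAK && dont_nak)
            newret = CONFREJ;
        if (!(newret == CONFACK || (newret == CONFNAK && ret == CONFREJ))) {
            /* we're returning this option */
            if (newret == CONFREJ && ret == CONFNAK)
                retp = p0;      /* a Reject replaces the Naks collected so far */
            ret = newret;
            if (p != retp)
                BCOPY(p, retp, clen);
            retp += clen;
        }

        p += clen;
        len -= clen;
    }

    if (ret != CONFACK) {
        /* Remember when the Reject covers the whole request. */
        if (ret == CONFREJ && *lenp == retp - p0)
            all_rejected[f->unit] = 1;
        else
            *lenp = retp - p0;
    }
#ifdef PPP_WITH_MPPE
    /* MPPE is allowed here but no usable CI_MPPE was seen: close the link. */
    if (ret == CONFREJ && ao->mppe && rej_for_ci_mppe) {
        error("MPPE required but peer negotiation failed");
        lcp_close(f->unit, "MPPE required but peer negotiation failed");
    }
#endif
    return ret;
}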
1345 
/*
 * Make a string name for a compression method (or 2).
 *
 * opt:  options whose method is to be named.
 * opt2: optional second option set (may be NULL); when its Deflate size
 *       or BSD-Compress bit count differs from opt's, both are shown.
 *
 * Returns a string literal or a pointer to a static buffer that the
 * next call overwrites, so copy the result if two names are needed at
 * the same time.
 */
static char *
method_name(ccp_options *opt, ccp_options *opt2)
{
    static char result[64];
    const char *draft_tag;

    if (!ANY_COMPRESS(*opt))
        return "(none)";

    switch (opt->method) {
#ifdef PPP_WITH_MPPE
    case CI_MPPE:
        /* Pieces appear in the order: key lengths, then the mode. */
        slprintf(result, sizeof(result), "MPPE %s%s%s",
                 (opt->mppe & MPPE_OPT_128) ? "128-bit " : "",
                 (opt->mppe & MPPE_OPT_40) ? "40-bit " : "",
                 (opt->mppe & MPPE_OPT_STATEFUL) ? "stateful" : "stateless");
        return result;
#endif
    case CI_DEFLATE:
    case CI_DEFLATE_DRAFT:
        draft_tag = (opt->method == CI_DEFLATE_DRAFT) ? "(old#)" : "";
        if (opt2 == NULL || opt2->deflate_size == opt->deflate_size)
            slprintf(result, sizeof(result), "Deflate%s (%d)",
                     draft_tag, opt->deflate_size);
        else
            slprintf(result, sizeof(result), "Deflate%s (%d/%d)",
                     draft_tag, opt->deflate_size, opt2->deflate_size);
        return result;

    case CI_BSD_COMPRESS:
        if (opt2 == NULL || opt2->bsd_bits == opt->bsd_bits)
            slprintf(result, sizeof(result), "BSD-Compress (%d)",
                     opt->bsd_bits);
        else
            slprintf(result, sizeof(result), "BSD-Compress (%d/%d)",
                     opt->bsd_bits, opt2->bsd_bits);
        return result;

    case CI_PREDICTOR_1:
        return "Predictor 1";

    case CI_PREDICTOR_2:
        return "Predictor 2";

    default:
        slprintf(result, sizeof(result), "Method %d", opt->method);
        return result;
    }
}
1409 
/*
 * CCP has come up - inform the kernel driver and log a message.
 *
 * The log line names the method for each direction that negotiated one.
 * With MPPE negotiated on our side, the keys are cleared and the
 * network protocols are then brought up.
 */
static void
ccp_up(fsm *f)
{
    ccp_options *go = &ccp_gotoptions[f->unit];
    ccp_options *ho = &ccp_hisoptions[f->unit];
    char ours[64];
    int rx_on, tx_on;

    ccp_flags_set(f->unit, 1, 1);

    rx_on = ANY_COMPRESS(*go);
    tx_on = ANY_COMPRESS(*ho);

    if (rx_on && tx_on) {
        if (go->method == ho->method) {
            notice("%s compression enabled", method_name(go, ho));
        } else {
            /* method_name() reuses one static buffer: copy the first name. */
            strlcpy(ours, method_name(go, NULL), sizeof(ours));
            notice("%s / %s compression enabled",
                   ours, method_name(ho, NULL));
        }
    } else if (rx_on) {
        notice("%s receive compression enabled", method_name(go, NULL));
    } else if (tx_on) {
        notice("%s transmit compression enabled", method_name(ho, NULL));
    }

#ifdef PPP_WITH_MPPE
    if (go->mppe) {
        mppe_clear_keys();
        continue_networks(f->unit);     /* Bring up IP et al */
    }
#endif
}
1441 
/*
 * CCP has gone down - inform the kernel driver.
 *
 * Cancels a pending reset-ack timer and clears the local state.  If
 * MPPE had been negotiated, the flag is cleared and LCP is closed when
 * it is still open, so the link does not stay up without MPPE.
 */
static void
ccp_down(fsm *f)
{
    int unit = f->unit;
#ifdef PPP_WITH_MPPE
    ccp_options *go = &ccp_gotoptions[unit];
#endif

    if (ccp_localstate[unit] & RACK_PENDING)
        UNTIMEOUT(ccp_rack_timeout, f);
    ccp_localstate[unit] = 0;
    ccp_flags_set(unit, 1, 0);

#ifdef PPP_WITH_MPPE
    if (!go->mppe)
        return;

    go->mppe = 0;
    /* If LCP is not already going down, make sure it does. */
    if (lcp_fsm[unit].state == OPENED) {
        error("MPPE disabled");
        lcp_close(unit, "MPPE disabled");
    }
#endif
}
1463 
1464 /*
1465  * Print the contents of a CCP packet.
1466  */
/*
 * Printable names of CCP packet codes.  ccp_printpkt() looks a code up
 * at index code - 1; entries with no name are NULL.
 */
static char *ccp_codenames[] = {
    [0]  = "ConfReq",
    [1]  = "ConfAck",
    [2]  = "ConfNak",
    [3]  = "ConfRej",
    [4]  = "TermReq",
    [5]  = "TermAck",
    [6]  = "CodeRej",
    /* indexes 7 to 12 are left NULL */
    [13] = "ResetReq",
    [14] = "ResetAck",
};
1473 
/*
 * ccp_printpkt - print the contents of a CCP packet.
 *
 * p, plen: packet bytes and the number of bytes available.
 * printer: printf-like output callback; arg is handed to it unchanged.
 *
 * Returns the number of bytes consumed, or 0 if the packet is shorter
 * than a header or its length field is below HEADERLEN or above plen.
 * All later reads are limited by that checked length, and an option is
 * decoded only if its own length byte fits in what is left.
 */
static int
ccp_printpkt(u_char *p, int plen,
             void (*printer) (void *, char *, ...), void *arg)
{
    u_char *start = p;
    u_char *optend;
    int code, id, len;
    int ci, optlen;

    if (plen < HEADERLEN)
        return 0;
    code = p[0];
    id = p[1];
    len = (p[2] << 8) + p[3];
    if (len < HEADERLEN || len > plen)
        return 0;

    if (code >= 1 && code <= sizeof(ccp_codenames) / sizeof(ccp_codenames[0])
        && ccp_codenames[code - 1] != NULL)
        printer(arg, " %s", ccp_codenames[code - 1]);
    else
        printer(arg, " code=0x%x", code);
    printer(arg, " id=0x%x", id);
    p += HEADERLEN;
    len -= HEADERLEN;

    if (code == CONFREQ || code == CONFACK
        || code == CONFNAK || code == CONFREJ) {
        /* print list of possible compression methods */
        while (len >= 2) {
            ci = p[0];
            optlen = p[1];
            if (optlen < 2 || optlen > len)
                break;          /* malformed: the rest is dumped in hex below */
            printer(arg, " <");
            optend = p + optlen;
            len -= optlen;

            switch (ci) {
#ifdef PPP_WITH_MPPE
            case CI_MPPE:
                if (optlen >= CILEN_MPPE) {
                    u_char mppe_opts;

                    MPPE_CI_TO_OPTS(&p[2], mppe_opts);
                    printer(arg, "mppe %s %s %s %s %s %s%s",
                            (p[2] & MPPE_H_BIT)? "+H": "-H",
                            (p[5] & MPPE_M_BIT)? "+M": "-M",
                            (p[5] & MPPE_S_BIT)? "+S": "-S",
                            (p[5] & MPPE_L_BIT)? "+L": "-L",
                            (p[5] & MPPE_D_BIT)? "+D": "-D",
                            (p[5] & MPPE_C_BIT)? "+C": "-C",
                            (mppe_opts & MPPE_OPT_UNKNOWN)? " +U": "");
                    if (mppe_opts & MPPE_OPT_UNKNOWN)
                        printer(arg, " (%.2x %.2x %.2x %.2x)",
                                p[2], p[3], p[4], p[5]);
                    p += CILEN_MPPE;
                }
                break;
#endif
            case CI_DEFLATE:
            case CI_DEFLATE_DRAFT:
                if (optlen >= CILEN_DEFLATE) {
                    printer(arg, "deflate%s %d",
                            (ci == CI_DEFLATE_DRAFT? "(old#)": ""),
                            DEFLATE_SIZE(p[2]));
                    if (DEFLATE_METHOD(p[2]) != DEFLATE_METHOD_VAL)
                        printer(arg, " method %d", DEFLATE_METHOD(p[2]));
                    if (p[3] != DEFLATE_CHK_SEQUENCE)
                        printer(arg, " check %d", p[3]);
                    p += CILEN_DEFLATE;
                }
                break;
            case CI_BSD_COMPRESS:
                if (optlen >= CILEN_BSD_COMPRESS) {
                    printer(arg, "bsd v%d %d", BSD_VERSION(p[2]),
                            BSD_NBITS(p[2]));
                    p += CILEN_BSD_COMPRESS;
                }
                break;
            case CI_PREDICTOR_1:
                if (optlen >= CILEN_PREDICTOR_1) {
                    printer(arg, "predictor 1");
                    p += CILEN_PREDICTOR_1;
                }
                break;
            case CI_PREDICTOR_2:
                if (optlen >= CILEN_PREDICTOR_2) {
                    printer(arg, "predictor 2");
                    p += CILEN_PREDICTOR_2;
                }
                break;
            }

            /* Bytes of this option that were not decoded above. */
            for (; p < optend; p++)
                printer(arg, " %.2x", *p);
            printer(arg, ">");
        }
    } else if (code == TERMACK || code == TERMREQ) {
        /* Treat the payload as text when its first byte is printable ASCII. */
        if (len > 0 && *p >= ' ' && *p < 0x7f) {
            print_string((char *)p, len, printer, arg);
            p += len;
            len = 0;
        }
    }

    /* dump out the rest of the packet in hex */
    for (; len > 0; len--)
        printer(arg, " %.2x", *p++);

    return p - start;
}
1591 
/*
 * We have received a packet that the decompressor failed to
 * decompress.  Here we would expect to issue a reset-request, but
 * Motorola has a patent on resetting the compressor as a result of
 * detecting an error in the decompressed data after decompression.
 * (See US patent 5,130,993; international patent publication number
 * WO 91/10289; Australian patent 73296/91.)
 *
 * So we ask the kernel whether the error was detected after
 * decompression; if it was, we take CCP down, thus disabling
 * compression :-(, otherwise we issue the reset-request.
 *
 * Nothing happens unless CCP is in the OPENED state.  pkt and len are
 * not examined here.  When CCP is taken down and MPPE had been
 * negotiated, LCP is closed as well.
 */
static void
ccp_datainput(int unit, u_char *pkt, int len)
{
    fsm *f = &ccp_fsm[unit];

    if (f->state != OPENED)
        return;

    if (!ccp_fatal_error(unit)) {
        /*
         * Send a reset-request to reset the peer's compressor.
         * We don't do that if we are still waiting for an
         * acknowledgement to a previous reset-request; in that
         * case only note that a repeat is wanted.
         */
        if (ccp_localstate[f->unit] & RACK_PENDING) {
            ccp_localstate[f->unit] |= RREQ_REPEAT;
            return;
        }
        f->reqid = ++f->id;
        fsm_sdata(f, CCP_RESETREQ, f->reqid, NULL, 0);
        TIMEOUT(ccp_rack_timeout, f, RACKTIMEOUT);
        ccp_localstate[f->unit] |= RACK_PENDING;
        return;
    }

    /*
     * Disable compression by taking CCP down.
     */
    error("Lost compression sync: disabling compression");
    ccp_close(unit, "Lost compression sync");
#ifdef PPP_WITH_MPPE
    /*
     * If we were doing MPPE, we must also take the link down.
     */
    if (ccp_gotoptions[unit].mppe) {
        error("Too many MPPE errors, closing LCP");
        lcp_close(unit, "Too many MPPE errors");
    }
#endif
}
1641 
/*
 * Timeout waiting for reset-ack.
 *
 * arg is the CCP fsm.  If CCP is still OPENED and a repeat was asked
 * for while waiting, the reset-request is sent again with the same id
 * and the timer restarted; otherwise the pending flag is cleared.
 */
static void
ccp_rack_timeout(void *arg)
{
    fsm *f = arg;
    int unit = f->unit;

    if (f->state == OPENED && (ccp_localstate[unit] & RREQ_REPEAT) != 0) {
        fsm_sdata(f, CCP_RESETREQ, f->reqid, NULL, 0);
        TIMEOUT(ccp_rack_timeout, f, RACKTIMEOUT);
        ccp_localstate[unit] &= ~RREQ_REPEAT;
        return;
    }

    ccp_localstate[unit] &= ~RACK_PENDING;
}
1657 
1658