From fa2f229525e767f4666c53a4ba23e8bf0f66eaf8 Mon Sep 17 00:00:00 2001
From: brian
Date: Fri, 28 Jun 2002 08:46:21 +0000
Subject: When a RADIUS server is being used, don't use MPPE unless the RADIUS server says it's ok.
---
 usr.sbin/ppp/mppe.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)
(limited to 'usr.sbin')
diff --git a/usr.sbin/ppp/mppe.c b/usr.sbin/ppp/mppe.c
index f3d8254..2d55ee4 100644
--- a/usr.sbin/ppp/mppe.c
+++ b/usr.sbin/ppp/mppe.c
@@ -427,14 +427,27 @@ MPPEDispOpts(struct fsm_opt *o)
 static int
 MPPEUsable(struct fsm *fp)
 {
- struct lcp *lcp;
 int ok;
+#ifndef NORADIUS
+ struct radius *r = &fp->bundle->radius;
- lcp = &fp->link->lcp;
- ok = (lcp->want_auth == PROTO_CHAP && lcp->want_authtype == 0x81) ||
- (lcp->his_auth == PROTO_CHAP && lcp->his_authtype == 0x81);
- if (!ok)
- log_Printf(LogCCP, "MPPE: Not usable without CHAP81\n");
+ /*
+ * If the radius server gave us RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES,
+ * use that instead of our configuration value.
+ */
+ if (*r->cfg.file) {
+ ok = r->mppe.sendkeylen && r->mppe.recvkeylen;
+ if (!ok)
+ log_Printf(LogCCP, "MPPE: Not permitted by RADIUS server\n");
+ } else
+#endif
+ {
+ struct lcp *lcp = &fp->link->lcp;
+ ok = (lcp->want_auth == PROTO_CHAP && lcp->want_authtype == 0x81) ||
+ (lcp->his_auth == PROTO_CHAP && lcp->his_authtype == 0x81);
+ if (!ok)
+ log_Printf(LogCCP, "MPPE: Not usable without CHAP81\n");
+ }
 return ok;
 }
-- cgit v1.1
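Review bot: The comment added above `if (*r->cfg.file)` in MPPEUsable() does not describe the test that follows. It talks about RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES overriding a configuration value, while the code branches on whether a RADIUS config file is set and then requires both `r->mppe.sendkeylen` and `r->mppe.recvkeylen` to be non-zero. I would replace it with something like `/* With RADIUS configured, MPPE is usable only if the server supplied both send and receive keys. */`, so a reader sees that this is a fail-closed gate on key material rather than a policy lookup. The check accepts any non-zero key length; whether the lengths are compared with the negotiated key size is not visible in this hunk and is worth confirming where the keys are consumed. The `} else` / `#endif` / `{` construct is easy to break in a later edit, so a short `/* !NORADIUS */` comment on the `#endif` would help.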