Commit Graph

79 Commits

Author SHA1 Message Date
Brian Somers
250be50b72 Compensate for dodgy Win98/WinME MSCHAPv2 responses later in the code
path... after we've talked to any RADIUS servers involved, so that we
haven't touched the data before it gets to the server.

Make it clearer in the code that this compensation is done by setting
a flag to a value of zero, a flag which rfc2759 says *MUST* be zero.

While we're here, don't bother passing the peer challenge into
radius_Authenticate().  It's already part of the key we're passing in
(this becomes obvious now that I've structured that data...).

This ``fix'' doesn't help to authenticate Win98/WinME users in my test
environment as ports/net/freeradius seems to ignore the flag
completely anyway, but it may help with other RADIUS servers.
2002-06-17 01:12:38 +00:00
Brian Somers
a16061b236 Handle MS-CHAPv2 authentication correctly via the RADIUS server (if it's
configured).
Handle internal failures in radius_Authenticate() correctly.
Bump the ppp version number.

This doesn't yet work with MPPE.  More will follow.

Sponsored by: Mozoon
2002-05-16 13:34:20 +00:00
Brian Somers
de59e178aa o Clean up some #includes
o Bump version number to 3.0.4
o When talking to a RADIUS server, provide a NAS-Port-Type.

  When the NAS-Port-Type is Ethernet, provide a NAS-Port value equal
  to the SESSIONID from the environment in direct mode or the
  NGM_PPPOE_SESSIONID message in other modes.  If no SESSIONID is found,
  default to the interface index in client mode or zero in server mode.

  When the NAS-Port-Type is ISDN, set the NAS-Port to the minor number
  of the physical device (ie, the N in /dev/i4brbchN).

  This makes it easier for the RADIUS server to identify the client
  WRT accounting data etc.

Prompted by:	lsz8425 <lsz8425@mail.cd.hn.cn>
2002-05-14 12:55:39 +00:00
Brian Somers
ff8e577bc6 Add support for MS-CHAP authentication via a RADIUS server.
Add support for Reply-Message and MS-CHAP-Error.

Sponsored by:	Monzoon
2002-05-10 03:11:35 +00:00
Brian Somers
30949fd4b5 o Add ipv6 support, abstracting most NCP addresses into opaque
structures (well, they're treated as opaque).

  It's now possible to manage IPv6 interface addresses and routing
  table entries and to filter IPV6 traffic whether encapsulated or
  not.

  IPV6CP support is crude for now, and hasn't been tested against
  any other implementations.

  RADIUS and IPv6 are independent of eachother for now.

  ppp.linkup/ppp.linkdown aren't currently used by IPV6CP

o Understand all protocols(5) in filter rules rather than only a select
  few.

o Allow a mask specification for the ``delete'' command.  It's now
  possible to specifically delete one of two conflicting routes.

o When creating and deleting proxy arp entries, do it for all IPv4
  interface addresses rather than doing it just for the ``current''
  peer address.

o When iface-alias isn't in effect, don't blow away manually (via ``iface
  add'') added interface addresses.

o When listening on a tcp server (diagnostic) socket, bind so that a
  tcp46 socket is created -- allowing both IPv4 and IPv6 connections.

o When displaying ICMP traffic, don't display the icmp type twice.
  When display traffic, display at least some information about unrecognised
  traffic.

o Bump version

Inspired after filtering work by: Makoto MATSUSHITA <matusita@jp.FreeBSD.org>
2001-08-14 16:05:52 +00:00
Brian Somers
65309e5cda Convert IIJ copyrights to BSD copyrights.
Approved by: Toshiharu OHNO <tohno@sirius.ocn.ne.jp>
2001-06-13 21:52:19 +00:00
Brian Somers
50ca6ec387 Don't assume challenges and responses don't contain embedded '\0's.
Mschapv2 response generation may produce embedded NULs... causing
us to send a bogus response to the radius server and end up
failing the client's valid response.

Problem pointed out by: Eugene Vigovskiy <vigov@com2com.ru>
2001-04-01 22:39:17 +00:00
Brian Somers
1038894eb0 Support link identification from rfc1570
Two new commands are available; ``ident'' and ``sendident''.
2000-07-19 02:10:35 +00:00
Brian Somers
182c898a22 Add a bunch of `const's and fix a typo.
Submitted by: Rich Neswold <rneswold@MCS.Net>
1999-12-27 11:54:57 +00:00
Brian Somers
26af0ae966 Cosmetic: Make struct mbuf more like kernel mbufs. 1999-12-20 20:29:47 +00:00
Brian Somers
b5c3c9aeda Allow extended pap success messages by believing in the PAP headers
length field rather than the one byte message length field embedded
in the packet.  This steps slightly outside of the protocol boundaries,
but should not cause any problems.

Limitation noted by: Simon Winwood <simon@winwood.org>
1999-11-26 22:44:45 +00:00
Brian Somers
442f849547 o Split the two IPCP queues into three - one for FSM data
(LCP/CCP/IPCP), one for urgent IP traffic and one for
  everything else.
o Add the ``set urgent'' command for adjusting the list of
  urgent port numbers.  The default urgent ports are 21, 22,
  23, 513, 514, 543 and 544 (Ports 80 and 81 have been
  removed from the default priority list).
o Increase the buffered packet threshold from 20 to 30.
o Report the number of packets in the IP output queue and the
  list of urgent ports under ``show ipcp''.
1999-09-04 00:00:21 +00:00
Peter Wemm
97d92980a9 $Id$ -> $FreeBSD$ 1999-08-28 01:35:59 +00:00
Brian Somers
eb6e5e05f9 Add ISDN support via isdnd & i4b. This requires version
0.81.1 of the i4b code - namely support of the I4B_VR_REQ
ioctl via the i4brbchX device.

Ppp controls the phone number, but idle timers and
SYNC/RAW decisions are still made by isdnd (in isdnd.rc).

This involves a new datalink state machine phase.  The
``wait for carrier'' phase happens after dialing but
before logging in.  The whole dial state should really
be abstracted so that each device type can deal with it
in its own way (thinking about PPPoE) - but that'll have
to wait.

The ``set cd'' symantics remain the same for tty devices,
but we now delay until we either get CD or timeout waiting
(at which time we drop the link if we require CD).

For i4b devices we always insist on carrier.

Thanks to hm@ for his help, and especially for pointing out
that I *don't* need to re-implement isdnd (that was a huge
waste of time !) :-]
1999-08-06 20:04:08 +00:00
Brian Somers
411675bae3 o Alter the mbuf type as it's processed by different layers.
o Show more information about missing MP fragments in ``show mp''.
o Do away with mbuf_Log().  It was showing mbuf stats twice on
  receipt of LCP/CCP/IPCP packets.... ???!!?
o Pre-allocate a bit extra when creating LQR packets to avoid having
  to allocate another mbuf in mbuf_Prepend().
1999-06-02 15:59:09 +00:00
Brian Somers
5d9e610366 o Redesign the layering mechanism and make the aliasing code part of
the layering.

  We now ``stack'' layers as soon as we open the device (when we figure
  out what we're dealing with).  A static set of `dispatch' routines are
  also declared for dealing with incoming packets after they've been
  `pulled' up through the stacked layers.

  Physical devices are now assigned handlers based on the device type
  when they're opened.  For the moment there are three device types;
  ttys, execs and tcps.

o Increment version number to 2.2
o Make an entry in [uw]tmp for non-tty -direct invocations (after
  pap/chap authentication).
o Make throughput counters quad_t's
o Account for the absolute number of mbuf malloc()s and free()s in
  ``show mem''.
o ``show modem'' becomes ``show physical''.
1999-05-08 11:07:56 +00:00
Brian Somers
29b873f38d Drop PAP & CHAP packets if we're not in NETWORK or AUTHENTICATE
phase.
1999-04-01 11:05:23 +00:00
Brian Somers
eb2d27cfc3 Avoid a few warnings on the alpha 1999-03-31 14:21:46 +00:00
Brian Somers
b7ff18add2 Handle empty PAP & CHAP packets (containing only an FSM header).
Some CHAP implementations send no welcome message with their
SUCCESS/FAILURE packets.  This was being mis-identified as
a truncated packet by the new authentication code :-(
1999-02-20 01:12:45 +00:00
Brian Somers
f0cdd9c021 Decouple pap & chap output routines from the corresponding
input routines and take advantage of the new init/continue
interface in libradius.  This allows a timely response on
other links in an MP setup while RADIUS requests are in
progress as well as the ability to handle other data from
the peer in parallel.  It should also make the future addition
of PAM support trivial.

While I'm in there, validate pap & chap header IDs if
``idcheck'' is enabled (the default) for other FSM packet
types.

NOTE: This involved integrating the generation of chap
      challenges and the validation of chap responses
      (and commenting what's going on in those routines).
      I currently have no way of testing ppps ability
      to respond to M$Chap CHALLENGEs correctly, so if
      someone could do the honours, it'd be much
      appreciated (it *looks* ok!).

Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-02-06 02:54:47 +00:00
Brian Somers
aceaed9283 Reimplement the previous fix (no response to PAP requests)
at the authentication layer rather than at the PAP layer
so that it also applies to CHAP (no response to CHAP
challenges).
1999-02-02 09:35:17 +00:00
Brian Somers
8db502bbfd If we receive no answer from the server when sending PAP
requests, give up (don't sit there indefinitely).
1999-02-01 13:42:25 +00:00
Brian Somers
972a1bcf5d Initial RADIUS support (using libradius). See the man page for
details.  Compiling with -DNORADIUS (the default for `release')
removes support.

TODO: The functionality in libradius::rad_send_request() needs
      to be supplied as a set of routines so that ppp doesn't
      have to wait indefinitely for the radius server(s).  Instead,
      we need to get a descriptor back, select() on the descriptor,
      and ask libradius to service it when necessary.
      For now, ppp blocks SIGALRM while in rad_send_request(), so
      it misses PAP/CHAP retries & timeouts if they occur.

      Only PAP is functional.  When CHAP is attempted, libradius
      complains that no User-Password has been specified... rfc2138
      says that it *mustn't* be used for CHAP :-(

Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-01-28 01:56:34 +00:00
Brian Somers
37d818fb21 Fix some OpenBSD/alpha warnings 1998-08-26 18:07:57 +00:00
Brian Somers
92b0955883 o Support callback types NONE, E.164, AUTH and CBCP.
(see the new ``set callback'' and ``set cbcp'' commands)
o Add a ``cbcp'' log level and mbuf type.
o Don't dump core when \T is given in ``set login'' or
  ``set hangup''.
o Allow ``*'' and blanks as placeholders in ppp.secret and
  allow a fifth field for specifying auth/cbcp dialback
  parameters.
o Remove a few extraneous #includes
o Define the default number of REQs (restart counter) in defs.h
  rather than hardcoding ``5'' all over the place.
o Fix a few man page inconsistencies.
1998-08-07 18:42:51 +00:00
Brian Somers
93280d730e o Tidy up PAP and CHAP diagnostics. They're now all logged as PHASE
diagnostics (which are on by default).
o Deal correctly with both sides wanting CHAP.
o Output a warning if we're using an empty ``authname''.  This is
  *not* what we want to do.
1998-07-28 21:54:30 +00:00
Brian Somers
3a2e4f621c o Fix remaining sizeof problems for 64 bit machines.
o Allow ``set ....'' when we have multiple links but aren't in
  multilink mode.
o Do a TLS when we receive a ``Open'' event in ``Closed'' state,
  despite the rfc state transition table.  This is clearly an
  error in the RFC as TLS cannot have yet been called (without
  TLF) in the ``Closed'' state.
  I've posted a message to comp.protocols.ppp for confirmation.
1998-06-27 23:48:54 +00:00
Brian Somers
d91d286164 MFMP: Make ppp multilink capable.
See the file README.changes, and re-read the man page.
1998-05-21 21:49:08 +00:00
Brian Somers
dd7e261079 Cosmetic: Make our external function names consistent. 1998-05-01 19:26:12 +00:00
Brian Somers
1fa665f5b3 o Add the link name to modem diagnostics.
o Create struct mpserver as part of struct mp.
  mpserver creates a unix-domain socket based on the
  peers auth name and endpoint discriminator.  If it
  already exists, ppp will ``pass the link'' over to
  the owner of the socket, joining it into the bundle
  of another ppp invocation, otherwise ppp waits for
  other invocations to pass it links through this
  socket.
  The final piece of code will be the code that flattens
  our datalink info and passes it down this channel
  (not yet implemented).
1998-04-28 01:25:46 +00:00
Brian Somers
643f49047e o Defer setting up pap/chap based IP numbers & labels until after
we've determined if we're going to join another ppp invocation.
o Make ``show link'' show all link details, and ``show links''
  just give a list of links and their current status.
o Show our current label in ``show bundle''.
o Allow link cloning and removal as soon as our MRRU is set.
o Make ``show lcp'' require context as nothing will ever change
  in our MP LCP (it's auto-configured as per rfc1990).
o Initialise our LQM owner in hdlc_Init().
o Store our endpoint discriminator and authentication name at both
  the datalink and multilink level and compare them when we've
  finished AUTHENTICATE phase and before entering NETWORK phase.
  If they don't match, close the link again.
  Display the information in the appropriate ``show'' command.
o Initialise datalink::phone and datalink::fsmp.object properly
  when we're cloning the link.
o Show which link we're passing LQRs on in our diagnostics.
o Reject endpoint discriminator REQs at the logical multilink
  level.
o Remove the rest of our CARRIER and LINK logging setup.
1998-04-24 19:16:15 +00:00
Brian Somers
1342caed9c o Move the accept/deny/disable/enable globals either to the
bundle (non-negotiated vars) or to their respective IPCP,
  LCP or CCP.
o Enable rolling throughput statistics by default.
o Remove the `display' command.  These values now appear in
  `show bundle', `show ipcp', `show ccp' and `show lcp'.
o Initialise auth name & key at bundle create time (oops).
o Rename pppd-deflate (the id-24 hack) to deflate24.
o Don't send both a REJ and a NAK to an IPCP or LCP REQ.
  Favour the REJ (already done at the CCP level).
o Recurse in datalink_UpdateSet() when we change state, otherwise
  we end up setting no descriptors and getting jammed in the
  imminent select() instead of doing the dial/login/hangup.
o Display our CHAP encryption method despite being built with DES.
o Display VJ as not negotiated in ``show ipcp'' when necessary.
1998-04-16 00:26:21 +00:00
Brian Somers
2764b86afd o Move alias function pointers into loadalias.c
o Move Var*Version into command.c
o Remove struct pppVars (and there was much rejoicing) !
o Forward-decl some structs in .h files to avoid include
  ordering requirements and remove a few more redundant
  #includes.
1998-04-07 00:54:26 +00:00
Brian Somers
d24f017be8 Remove unused includes. 1998-04-06 09:12:38 +00:00
Brian Somers
833882f740 o Move VarMSChap into struct chap, and remove `set encrypt'
option.  We never ask a client for MSChap when we've got
  chap `enabled', and we dynamically answer using MSChap
  if the peer demands it.
o Remove all of the bundle2*() series of functions except
  bundle2datalink() as they're too expensive.  The only
  calls to bundle2datalink() are made from command.c when
  determining context.
o Write to the correct modem in term mode, and check the
  return value, dropping back to command mode if the write
  fails.

Cosmetic:
  Make the PPP COMMAND LIST section of the man page
  prettier, better and more consistent.  Alphabeticalise
  all command lists and document missing commands.
1998-04-03 19:26:29 +00:00
Brian Somers
92f4ff1ccd Move authname and authkey into struct bundle and only allow
their alteration in PHASE_DEAD.
Remove redundant pppConfs array element.
1998-04-03 19:24:49 +00:00
Brian Somers
3b0f8d2ed6 o Move struct lcp and struct ccp into struct link.
o Remove bundle2lcp(), bundle2ccp() and bundle2link().
  They're too resource-hungry and we have `owner pointers'
  to do their job.
o Make our FSM understand LCPs that are always ST_OPENED
  (with a minimum code that != 1).
o Send FSM code rejects for invalid codes.
o Make our bundle fsm_parent deal with multiple links.
o Make timer diagnostics pretty and allow access via ~t
  in `term' mode (not just when logging debug) and
  `show timers'.  Only show timers every second in debug
  mode, otherwise we get too many diagnostics to be useful
  (we probably still do).  Also, don't restrict ~m in term
  mode to depend on debug logging.
o Rationalise our bundles' phases.
o Create struct mp (multilink protocol).  This is both an
  NCP and a type of struct link.  It feeds off other NCPs
  for output, passing fragmented packets into the queues
  of available datalinks.  It also gets PROTO_MP input,
  reassembles the fragments into ppp frames, and passes
  them back to the HDLC layer that the fragments were passed
  from.
  ** It's not yet possible to enter multilink mode :-( **
o Add `set weight' (requires context) for deciding on a links
  weighting in multilink mode.  Weighting is simplistic (and
  probably badly implemented) for now.
o Remove the function pointers in struct link.  They ended up
  only applying to physical links.
o Configure our tun device with an MTU equal to the MRU from
  struct mp's LCP and a speed equal to the sum of our link
  speeds.
o `show {lcp,ccp,proto}' and `set deflate' now have optional
  context and use ChooseLink() to decide on which `struct link'
  to use.  This allows behaviour as before when in non-multilink
  mode, and allows access to the MP logical link in multilink
  mode.
o Ignore reconnect and redial values when in -direct mode and
  when cleaning up.  Always redial when in -ddial or -dedicated
  mode (unless cleaning up).
o Tell our links to `staydown' when we close them due to a signal.
o Remove remaining `#ifdef SIGALRM's (ppp doesn't function without
  alarms).
o Don't bother strdup()ing our physical link name.
o Various other cosmetic changes.
1998-04-03 19:21:56 +00:00
Brian Somers
eaa4df37f4 Move VJ compression state and stats into struct ipcp. 1998-03-16 22:54:35 +00:00
Brian Somers
5ca5389af4 Move filter sets into struct bundle. 1998-03-16 22:52:54 +00:00
Brian Somers
5828db6d2d Move the IPCP into struct bundle. 1998-03-13 21:07:46 +00:00
Brian Somers
a611cad61d o Don't immediately reply to the first LQR thinking
it's a duplicate ('cos it compares with our initial
  values).
o Move the LCP into struct datalink.
1998-03-13 21:07:14 +00:00
Brian Somers
c4c4aaacea Add extraneous braces to stiffle warnings from gcc-2.8 1998-03-13 01:36:10 +00:00
Brian Somers
879ed6fa82 De-staticise LQR information
Increment OutPackets for any packet - not just LQRs

MFC:
  o Fix a few comment typos.
  o Fix ``set timeout'' usage message and documentation.
  o Change ifOutPackets, ifOutOctets and ifOutLQRs to `u_int32_t's
    so that they wrap correctly.
  o Put the LQR in network byte order using the correct struct size
    (sizeof u_int32_t, not sizeof u_long).
  o Wrap LQR ECHO counters correctly.
  o Don't increment OutLQR count if the last LQR hasn't been replied
    to.
  o Initialise last received LQR in StartLqm.
  o Don't start the LQR timer if we're `disabled' and `accepted'.
  o Generate LQR responses when both sides are using a timer and
    we're not going to send our next LQR before the peers max timeout.
1998-03-13 00:44:26 +00:00
Brian Somers
fc1141b27b Move `Utmp' into struct physical. We can be logged in
once for every -direct physical connection.
1998-03-10 03:06:07 +00:00
Brian Somers
d501527213 o Allow "*" in the password field in ppp.secret (forcing a
getpwnam() lookup).
o Don't use chat_ExpandString on the password field in ppp.secret.
  It's still possible to quote the string for embedded spaces.
o Don't allow multiple entries with the same name in ppp.secret.
1998-03-09 19:25:35 +00:00
Brian Somers
3bf710a4ba o Move all device names into struct physical.
o Use the correct device name in -direct mode.
o Use a default list of "cuaa1, cuaa0" rather than
  just cuaa1 and allow embedded spaces as separators.
1998-03-06 00:34:47 +00:00
Brian Somers
e2ebb036fd Do authentication at the datalink level, not the bundle level.
The bundle doesn't get a LayerUp 'till we're authenticated.

Introduce DATALINK_LCP and DATALINK_AUTH phases.
1998-03-01 01:07:49 +00:00
Brian Somers
45ad566f11 MFMP: Allow 8 character login names.
Do the login()/logwtmp()/logout() as id 0.
1998-02-19 02:10:13 +00:00
Brian Somers
f1316a8643 Allow 8 character login names.
Pointed out by: Forgotten

Do the login()/logwtmp()/logout() as id 0.
1998-02-19 02:08:53 +00:00
Brian Somers
3006ec67fe Create struct datalink.
This is a type of physical link that can chat and talk
LCP & CCP.  A bundle contains a list of these (only one
in the list for the moment).

The datalink is a type of descriptor, and dials, enters
LCP (& does CCP), kicks the bundle when its FSMs do
something interesting and does the hangup chat script
on the way down.  It also handles redials and reconnects.

There are lots of loose ends, and probably lots of bugs,
but the data structures are getting there !
1998-02-16 00:01:12 +00:00