Commit Graph

54 Commits

Author SHA1 Message Date
hosokawa
cce077344b Get tun P2P address from the local pool if RADIUS server returned
255.255.255.254 as client ipaddr.

Reviewed-By:	freebsd-net mailing list
2002-04-04 08:43:00 +00:00
brian
94cf97175f When authenticating a name containing a ``\'', attempt to autenticate
using the part after the ``\'' if the original name is not found.

This allows M$ clients to use domain\user as their authname.

Reviewed by: Ian West <ian@niw.com.au>
2002-01-08 11:24:39 +00:00
brian
de3feff3f8 o Add ipv6 support, abstracting most NCP addresses into opaque
structures (well, they're treated as opaque).

  It's now possible to manage IPv6 interface addresses and routing
  table entries and to filter IPV6 traffic whether encapsulated or
  not.

  IPV6CP support is crude for now, and hasn't been tested against
  any other implementations.

  RADIUS and IPv6 are independent of eachother for now.

  ppp.linkup/ppp.linkdown aren't currently used by IPV6CP

o Understand all protocols(5) in filter rules rather than only a select
  few.

o Allow a mask specification for the ``delete'' command.  It's now
  possible to specifically delete one of two conflicting routes.

o When creating and deleting proxy arp entries, do it for all IPv4
  interface addresses rather than doing it just for the ``current''
  peer address.

o When iface-alias isn't in effect, don't blow away manually (via ``iface
  add'') added interface addresses.

o When listening on a tcp server (diagnostic) socket, bind so that a
  tcp46 socket is created -- allowing both IPv4 and IPv6 connections.

o When displaying ICMP traffic, don't display the icmp type twice.
  When display traffic, display at least some information about unrecognised
  traffic.

o Bump version

Inspired after filtering work by: Makoto MATSUSHITA <matusita@jp.FreeBSD.org>
2001-08-14 16:05:52 +00:00
brian
52cb477a72 Convert IIJ copyrights to BSD copyrights.
Approved by: Toshiharu OHNO <tohno@sirius.ocn.ne.jp>
2001-06-13 21:52:19 +00:00
brian
8d3683f53b Don't allowt '#' as a comment when it's embedded in quotes:
set something "xxx yyy # zzz" aaa

shouldn't be interpreted as

  set something "xxx yyy" aaa
1999-12-27 11:43:31 +00:00
brian
baf28880b3 Don't munge ``set dial|login|logout|hangup'' arguments before
ExpandString() has a chance to do its own substitutions.
1999-12-22 21:48:12 +00:00
brian
4145fb0c1b Notice and warn about unterminated quoted strings in commands.
The entire command is ignored if the syntax is invalid...
1999-12-20 20:30:02 +00:00
brian
86f30d4f38 Cosmetic: Make struct mbuf more like kernel mbufs. 1999-12-20 20:29:47 +00:00
peter
efabb9ccb1 $Id$ -> $FreeBSD$ 1999-08-28 01:35:59 +00:00
brian
9ba53ba0dd Don't drop the last character from lines in ppp.secret unless it's '\n'. 1999-06-08 20:11:53 +00:00
brian
ab7d88ae2d o Redesign the layering mechanism and make the aliasing code part of
the layering.

  We now ``stack'' layers as soon as we open the device (when we figure
  out what we're dealing with).  A static set of `dispatch' routines are
  also declared for dealing with incoming packets after they've been
  `pulled' up through the stacked layers.

  Physical devices are now assigned handlers based on the device type
  when they're opened.  For the moment there are three device types;
  ttys, execs and tcps.

o Increment version number to 2.2
o Make an entry in [uw]tmp for non-tty -direct invocations (after
  pap/chap authentication).
o Make throughput counters quad_t's
o Account for the absolute number of mbuf malloc()s and free()s in
  ``show mem''.
o ``show modem'' becomes ``show physical''.
1999-05-08 11:07:56 +00:00
brian
368d30c3ca Avoid a few warnings on the alpha 1999-03-31 14:21:46 +00:00
brian
ee13d15d8f Allow control over the number of ConfigREQ & TermREQ attempts
that are made in each of the FSMs (LCP, CCP & IPCP) and the
number of REQs/Challenges for PAP/CHAP by accepting more arguments
in the ``set {c,ip,l}cpretry'' and ``set {ch,p}apretry'' commands.

Change the non-convergence thresholds to 3 times the number of configured
REQ tries (rather than the previous fixed ``10'').  We now notice
repeated NAKs and REJs rather than just REQs.

Don't suggest that CHAP 0x05 isn't supported when it's not configured.

Fix some bugs that expose themselves with smaller numbers of retries:
o Handle instantaneous disconnects (set device /dev/null) correctly
  by stopping all fsm timers in fsm2initial.
o Don't forget to uu_unlock() devices that are files but are not
  ttys (set device /dev/zero).

Fix a *HORRENDOUS* bug in RFC1661 (already fixed for an Open event in state
``Closed''):
  According to the state transition table, a RCR+ or RCR- received in
  the ``Stopped'' state are supposed to InitRestartCounter, SendConfigReq
  and SendConfig{Ack,Nak}.  However, in ``Stopped'', we haven't yet
  done a TLS (or the last thing we did is a TLF).  We must therefore
  do the TLS at this point !

  This was never noticed before because LCP and CCP used not use
  LayerStart() for anything interesting, and IPCP tends to go into
  Stopped then get a Down because of an LCP RTR rather than getting a
  RCR again.
1999-02-26 21:28:14 +00:00
brian
2967147dea Handle empty PAP & CHAP packets (containing only an FSM header).
Some CHAP implementations send no welcome message with their
SUCCESS/FAILURE packets.  This was being mis-identified as
a truncated packet by the new authentication code :-(
1999-02-20 01:12:45 +00:00
brian
eb7abf9254 Be a little more verbose about dodgy looking authentication
packets before dropping them in the bit-bucket.
1999-02-19 10:48:42 +00:00
brian
3d69dc5834 Fully support both NT and LANMan CHAP type 0x80 as both
authenticator and authenticatee.
1999-02-18 00:52:15 +00:00
brian
4435d086fa Decouple pap & chap output routines from the corresponding
input routines and take advantage of the new init/continue
interface in libradius.  This allows a timely response on
other links in an MP setup while RADIUS requests are in
progress as well as the ability to handle other data from
the peer in parallel.  It should also make the future addition
of PAM support trivial.

While I'm in there, validate pap & chap header IDs if
``idcheck'' is enabled (the default) for other FSM packet
types.

NOTE: This involved integrating the generation of chap
      challenges and the validation of chap responses
      (and commenting what's going on in those routines).
      I currently have no way of testing ppps ability
      to respond to M$Chap CHALLENGEs correctly, so if
      someone could do the honours, it'd be much
      appreciated (it *looks* ok!).

Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-02-06 02:54:47 +00:00
brian
61788f8e53 Reimplement the previous fix (no response to PAP requests)
at the authentication layer rather than at the PAP layer
so that it also applies to CHAP (no response to CHAP
challenges).
1999-02-02 09:35:17 +00:00
brian
a66fe159a8 If we receive no answer from the server when sending PAP
requests, give up (don't sit there indefinitely).
1999-02-01 13:42:25 +00:00
brian
c970e06ccf Initial RADIUS support (using libradius). See the man page for
details.  Compiling with -DNORADIUS (the default for `release')
removes support.

TODO: The functionality in libradius::rad_send_request() needs
      to be supplied as a set of routines so that ppp doesn't
      have to wait indefinitely for the radius server(s).  Instead,
      we need to get a descriptor back, select() on the descriptor,
      and ask libradius to service it when necessary.
      For now, ppp blocks SIGALRM while in rad_send_request(), so
      it misses PAP/CHAP retries & timeouts if they occur.

      Only PAP is functional.  When CHAP is attempted, libradius
      complains that no User-Password has been specified... rfc2138
      says that it *mustn't* be used for CHAP :-(

Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-01-28 01:56:34 +00:00
brian
cffecce33c Don't return stack-based data. This may have caused
server-side CHAP authentication problems in the past :-/
1998-12-17 00:28:12 +00:00
brian
f0dee2c38c Put the IP buffer queues into struct ipcp.
Forgotten by: me
1998-08-26 17:39:37 +00:00
brian
f9ee8808e7 o Support callback types NONE, E.164, AUTH and CBCP.
(see the new ``set callback'' and ``set cbcp'' commands)
o Add a ``cbcp'' log level and mbuf type.
o Don't dump core when \T is given in ``set login'' or
  ``set hangup''.
o Allow ``*'' and blanks as placeholders in ppp.secret and
  allow a fifth field for specifying auth/cbcp dialback
  parameters.
o Remove a few extraneous #includes
o Define the default number of REQs (restart counter) in defs.h
  rather than hardcoding ``5'' all over the place.
o Fix a few man page inconsistencies.
1998-08-07 18:42:51 +00:00
brian
0997d0dc6a Add missing braces - without them, the IP & label were mis-selected
from ppp.secret.
Problem reported by: Dom Mitchell <dom@phmit.demon.co.uk>
1998-07-19 21:07:24 +00:00
brian
67efb0addd o De-staticise things that don't need to be static.
o Bring the static ``ttystate'' into struct prompt so that
  the tilde context is per prompt and not global.
o Comment the remaining static variables so that it's
  clear why they're static.
o Add some XXX comments suggesting that our interface list
  and our hostname should be re-generated after a signal
  (say SIGUSR1) so that a machine with PCCARDs has a chance.
1998-06-15 19:06:58 +00:00
brian
56df88b778 MFMP: Make ppp multilink capable.
See the file README.changes, and re-read the man page.
1998-05-21 21:49:08 +00:00
brian
95c31de535 Add extraneous braces to stiffle warnings from gcc-2.8 1998-03-13 01:36:10 +00:00
brian
8a229af566 Remove unused #includes.
Make various bits static.
Remove unused variables.
Submitted by: eivind
1998-01-21 02:15:33 +00:00
brian
6fd0acab5e o Allow the use of HISADDR as the first arg to "add".
o Allow a forth argument in ppp.secret, specifying a new
  label.  This gives control over which section of
  ppp.link{up,down} is used based on the authenticated user.
o Support random address ranges in ppp.secret (not just in ppp.conf).
o Add a AUTHENTICATING INCOMING CONNECTIONS section to the man page.
o Add a bit more about DEFLATE in the man page.
o Fix the incorrect "you must specify a password in interactive
  mode" bit of the manual.
o Space things in the man page consistently.
o Be more precice about where you can use MYADDR, HISADDR and INTERFACE
  in the "add" command documentation.
1998-01-05 01:35:20 +00:00
brian
14d342e696 Cosmetic (style):
sizeof(var) -> sizeof var
  sizeof type -> sizeof(type)

Suggested by: J Wunsch <j@uriah.heep.sax.de>
1997-12-24 09:29:17 +00:00
brian
a7f001c816 Fix prototypes.
Remove extraneous decls.
Add ``const'' to several places.
Allow ``make NOALIAS=1'' to remove IP aliasing.
Merge with OpenBSD - only the Makefiles vary.

We can now survive a compile with
  -Wall -Wbad-function-cast -Wcast-align -Wcast-qual
  -Winline -Wmissing-declarations -Wmissing-prototypes
  -Wnested-externs -Wpointer-arith -Wredundant-decls
  -Wshadow -Wstrict-prototypes -Wwrite-strings -Wchar-subscripts
(although the Makefile just contains -Wall).
1997-11-22 03:37:54 +00:00
brian
674fc92d54 Add id strings to tun.[ch].
Don't try to open ppp.secret if we're never going to use it.
1997-11-17 00:42:41 +00:00
brian
0c64913a0f Finish the security improvements:
o Add "allow" command:
      "allow users a b c" gives access to users a, b and c.
      "allow modes auto"  gives those users access to auto mode only.
      "allow users *" and  "allow modes *" are accepted.
      No users and all modes are allowed by default.
    UID 0 can do anything.
  o Set the current label with the "load" and "dial" commands
    so that the call to ppp.linkdown makes sense.
  o Up the verison number.
  o Don't OR MODE_AUTO for -background and -ddial.
  o Don't OR MODE_INTER when we get a diagnostic connection.
  o Allow up to 40 args per line (was 20).
  o "set ifaddr" only changes the interface in AUTO mode (with other
    modes, it happens after IPCP negotiation).
  o Sort command descriptions in the man page.
  o Support -dedicated mode where we just talk ppp forever (no login etc).
1997-11-11 22:58:14 +00:00
brian
2b9bf8e847 Don't create a diagnostic socket by default.
Allow a password spec on the "set server" command line.
Use SIGUSR2 to close the diagnostic socket.
Some man page corrections.
1997-11-09 22:07:29 +00:00
brian
1fb3509770 Don't ask for a password if it's specified as empty. 1997-11-09 18:51:23 +00:00
brian
164425f5ce Increase chat script sizes to 512
Requested by: Michael Reifenberger <root@totum.plaut.de>
1997-11-09 14:18:55 +00:00
brian
486b8925ec Cosmetic (no functional changes):
o   Add missing $Id$s
o   Move extern decls from .c -> .h files
o   Staticize
o   Remove #includes from .h files
o   style(9)ify includes
o   bcopy -> memcpy
    bzero -> memset
    bcmp -> memcmp
    index -> strchr
    rindex -> strrchr
o   Move timeout.h -> timer.h (making it consistent w/ timer.c)
o   Add -Wmissing-prototypes
1997-10-26 01:04:02 +00:00
brian
0791c3c050 Correct ppp authentication defaults in interactive
mode.  We don't want to be forced to type a password
here :-(
Pointed out by: mouth@ibm.net (John Kelly)

While I'm there, don't allow a "set server" in
interactive mode.
1997-09-09 21:51:39 +00:00
brian
01052674bd Install as group ``network''
Insist that uid == 0 for client ppp
Disallow client sockets if no password is specified
Don't exit on failure to open client socket for listening
Allow specification of null local password
Use reasonable size (smaller) ``vector''s in auth.c
Fix "passwd ..." usage message
Insist on "all" as arg to "quit" (if any)
Drop client socket connection before Cleanup() when "quit all"
1997-09-04 00:38:22 +00:00
brian
1a67d25725 Make the code format more in line with style(9).
Update loadalias to use the new libalias api.
Update to version 1.1.
1997-08-25 00:29:32 +00:00
brian
94d661ac8c Overhaul ppp:
o Use syslog
  o Remove references to stdout/stderr (incl perror())
  o Introduce VarTerm - the interactive terminal or zero
  o Allow "set timeout" to affect current session
  o Change "set debug" to "set log"
  o Allow "set log [+|-]flag"
  o Make MSEXT and PASSWDAUTH stuff the default
  o Move all #ifdef DEBUG stuff into the code - this
    shouldn't be too much overhead.  It's now controlled
    with "set log +debug"
  o Add "set log command, debug, tun, warn, error, alert"
  o Remove cdefs.h, and assume an ansi compiler.
  o Improve all diagnostic output
  o Don't trap SIGSEGV
  o SIGHUP now terminates again (log files are controlled
    by syslog)
  o Call CloseModem() when changing devices
  o Fix parsing of third arg of "delete"

I think this fixes the "magic is same" problems that some
people have been experiencing.
The man page is being rewritten.  It'll follow soon.
1997-06-09 03:27:43 +00:00
brian
12b254e316 De-couple ppp from libalias. If libalias isn't there, the
alias commands simply won't work.  Only root may specify the
location of the alias lib (otherwise, it's hard-coded).

Make logprintf silently fail if LogOpen hasn't been called.

Suggested by:	eivind
1997-05-26 00:44:10 +00:00
brian
82bac13560 Tidy up the code - bounds checking, return
value checking etc.

Submitted by:	eivind
1997-05-10 01:22:19 +00:00
brian
c0df205f61 Allow up to 40 args in the chat script (was 20).
Ignore subsequent args rather than scribbling.

PR:		1952
Submitted by:	Mikael Hybsch <micke@free.dynas.se>
1997-05-07 23:01:25 +00:00
peter
b782f4df30 Revert $FreeBSD$ to $Id$ 1997-02-22 16:15:28 +00:00
jkh
808a36ef65 Make the long-awaited change from $Id$ to $FreeBSD$
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore.  This update would have been
insane otherwise.
1997-01-14 07:20:47 +00:00
imp
bf83493bdc Fix many buffer overruns in the code. Specifically, disallow ExpandString
to be used to expand things beyond the size of the buffer passed in.  Also
do a general cleanup of sprintf -> snprintf as well as strcpy and strncat
safety.  Also expand some buffers to allow for the largest possible data
that might be used.

This is a 2.2 candidate.  However, it needs to be vetted on -current
since little testing has been done on this due to my lack of PPP on
this machine.

Reviewed by:	Jordan Hubbard, Peter Wemm, Guido van Rooij
1997-01-10 07:53:28 +00:00
phk
324cb686d3 Here is a diff of /usr/src/usr.sbin/ppp against current. The diffs
add some logging functionality which I find very useful.
'set debug link' will record just link up/down and address assignments.
'set debug connect' will record the entire chat dialog
'set debug carrier' will record just chat lines including 'CARRIER'
(so that I can be sure I'm getting a 28.8 line).

There was a global change required to permit LogPrintf to take a bit
mask instead of a bit position value (to permit logging some events
on either of two flags, so that no change in 'set debug lcp' would
result from the code supporting 'link'.  Thus the diffs are rather
long for such a small change.  The man page is also touched.

Oh, and there was a slight syntax problem in route.c

Reviewed by:	phk
Submitted by:	Tony Kimball <alk@Think.COM>
1996-05-11 20:48:42 +00:00
phk
2056705218 Final cleanup for now. -Wall is now silent. A couple of bogons found. 1996-01-11 17:48:59 +00:00
amurai
9a28cf053e 1. Do not log the password itself to ppp.log ( Mr. Rich Murphey )
2. Add ability to execute shell commands and suspend back into
   invoking shell (Mr. J Wunsch)

Reviewed by:	amurai@spec.co.jp
Submitted by:	joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
		Rich Murphey <rich@lamprey.utmb.edu>
1995-09-02 17:20:54 +00:00